Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-3.1-4.2.3-201510072230.patch
afe359a8
PK
1diff --git a/Documentation/dontdiff b/Documentation/dontdiff
2index 9de9813..1462492 100644
3--- a/Documentation/dontdiff
4+++ b/Documentation/dontdiff
5@@ -3,9 +3,11 @@
6 *.bc
7 *.bin
8 *.bz2
9+*.c.[012]*.*
10 *.cis
11 *.cpio
12 *.csp
13+*.dbg
14 *.dsp
15 *.dvi
16 *.elf
17@@ -15,6 +17,7 @@
18 *.gcov
19 *.gen.S
20 *.gif
21+*.gmo
22 *.grep
23 *.grp
24 *.gz
25@@ -51,14 +54,17 @@
26 *.tab.h
27 *.tex
28 *.ver
29+*.vim
30 *.xml
31 *.xz
32 *_MODULES
33+*_reg_safe.h
34 *_vga16.c
35 *~
36 \#*#
37 *.9
38-.*
39+.[^g]*
40+.gen*
41 .*.d
42 .mm
43 53c700_d.h
44@@ -72,9 +78,11 @@ Image
45 Module.markers
46 Module.symvers
47 PENDING
48+PERF*
49 SCCS
50 System.map*
51 TAGS
52+TRACEEVENT-CFLAGS
53 aconf
54 af_names.h
55 aic7*reg.h*
56@@ -83,6 +91,7 @@ aic7*seq.h*
57 aicasm
58 aicdb.h*
59 altivec*.c
60+ashldi3.S
61 asm-offsets.h
62 asm_offsets.h
63 autoconf.h*
64@@ -95,32 +104,40 @@ bounds.h
65 bsetup
66 btfixupprep
67 build
68+builtin-policy.h
69 bvmlinux
70 bzImage*
71 capability_names.h
72 capflags.c
73 classlist.h*
74+clut_vga16.c
75+common-cmds.h
76 comp*.log
77 compile.h*
78 conf
79 config
80 config-*
81 config_data.h*
82+config.c
83 config.mak
84 config.mak.autogen
85+config.tmp
86 conmakehash
87 consolemap_deftbl.c*
88 cpustr.h
89 crc32table.h*
90 cscope.*
91 defkeymap.c
92+devicetable-offsets.h
93 devlist.h*
94 dnotify_test
95 docproc
96 dslm
97+dtc-lexer.lex.c
98 elf2ecoff
99 elfconfig.h*
100 evergreen_reg_safe.h
101+exception_policy.conf
102 fixdep
103 flask.h
104 fore200e_mkfirm
105@@ -128,12 +145,15 @@ fore200e_pca_fw.c*
106 gconf
107 gconf.glade.h
108 gen-devlist
109+gen-kdb_cmds.c
110 gen_crc32table
111 gen_init_cpio
112 generated
113 genheaders
114 genksyms
115 *_gray256.c
116+hash
117+hid-example
118 hpet_example
119 hugepage-mmap
120 hugepage-shm
121@@ -148,14 +168,14 @@ int32.c
122 int4.c
123 int8.c
124 kallsyms
125-kconfig
126+kern_constants.h
127 keywords.c
128 ksym.c*
129 ksym.h*
130 kxgettext
131 lex.c
132 lex.*.c
133-linux
134+lib1funcs.S
135 logo_*.c
136 logo_*_clut224.c
137 logo_*_mono.c
138@@ -165,14 +185,15 @@ mach-types.h
139 machtypes.h
140 map
141 map_hugetlb
142-media
143 mconf
144+mdp
145 miboot*
146 mk_elfconfig
147 mkboot
148 mkbugboot
149 mkcpustr
150 mkdep
151+mkpiggy
152 mkprep
153 mkregtable
154 mktables
155@@ -188,6 +209,8 @@ oui.c*
156 page-types
157 parse.c
158 parse.h
159+parse-events*
160+pasyms.h
161 patches*
162 pca200e.bin
163 pca200e_ecd.bin2
164@@ -197,6 +220,7 @@ perf-archive
165 piggyback
166 piggy.gzip
167 piggy.S
168+pmu-*
169 pnmtologo
170 ppc_defs.h*
171 pss_boot.h
172@@ -206,7 +230,12 @@ r200_reg_safe.h
173 r300_reg_safe.h
174 r420_reg_safe.h
175 r600_reg_safe.h
176+randomize_layout_hash.h
177+randomize_layout_seed.h
178+realmode.lds
179+realmode.relocs
180 recordmcount
181+regdb.c
182 relocs
183 rlim_names.h
184 rn50_reg_safe.h
185@@ -216,8 +245,12 @@ series
186 setup
187 setup.bin
188 setup.elf
189+signing_key*
190+size_overflow_hash.h
191 sImage
192+slabinfo
193 sm_tbl*
194+sortextable
195 split-include
196 syscalltab.h
197 tables.c
198@@ -227,6 +260,7 @@ tftpboot.img
199 timeconst.h
200 times.h*
201 trix_boot.h
202+user_constants.h
203 utsrelease.h*
204 vdso-syms.lds
205 vdso.lds
206@@ -238,13 +272,17 @@ vdso32.lds
207 vdso32.so.dbg
208 vdso64.lds
209 vdso64.so.dbg
210+vdsox32.lds
211+vdsox32-syms.lds
212 version.h*
213 vmImage
214 vmlinux
215 vmlinux-*
216 vmlinux.aout
217 vmlinux.bin.all
218+vmlinux.bin.bz2
219 vmlinux.lds
220+vmlinux.relocs
221 vmlinuz
222 voffset.h
223 vsyscall.lds
224@@ -252,9 +290,12 @@ vsyscall_32.lds
225 wanxlfw.inc
226 uImage
227 unifdef
228+utsrelease.h
229 wakeup.bin
230 wakeup.elf
231 wakeup.lds
232+x509*
233 zImage*
234 zconf.hash.c
235+zconf.lex.c
236 zoffset.h
237diff --git a/Documentation/kbuild/makefiles.txt b/Documentation/kbuild/makefiles.txt
238index 13f888a..250729b 100644
239--- a/Documentation/kbuild/makefiles.txt
240+++ b/Documentation/kbuild/makefiles.txt
241@@ -23,10 +23,11 @@ This document describes the Linux kernel Makefiles.
242 === 4 Host Program support
243 --- 4.1 Simple Host Program
244 --- 4.2 Composite Host Programs
245- --- 4.3 Using C++ for host programs
246- --- 4.4 Controlling compiler options for host programs
247- --- 4.5 When host programs are actually built
248- --- 4.6 Using hostprogs-$(CONFIG_FOO)
249+ --- 4.3 Defining shared libraries
250+ --- 4.4 Using C++ for host programs
251+ --- 4.5 Controlling compiler options for host programs
252+ --- 4.6 When host programs are actually built
253+ --- 4.7 Using hostprogs-$(CONFIG_FOO)
254
255 === 5 Kbuild clean infrastructure
256
257@@ -643,7 +644,29 @@ Both possibilities are described in the following.
258 Finally, the two .o files are linked to the executable, lxdialog.
259 Note: The syntax <executable>-y is not permitted for host-programs.
260
261---- 4.3 Using C++ for host programs
262+--- 4.3 Defining shared libraries
263+
264+ Objects with extension .so are considered shared libraries, and
265+ will be compiled as position independent objects.
266+ Kbuild provides support for shared libraries, but the usage
267+ shall be restricted.
268+ In the following example the libkconfig.so shared library is used
269+ to link the executable conf.
270+
271+ Example:
272+ #scripts/kconfig/Makefile
273+ hostprogs-y := conf
274+ conf-objs := conf.o libkconfig.so
275+ libkconfig-objs := expr.o type.o
276+
277+ Shared libraries always require a corresponding -objs line, and
278+ in the example above the shared library libkconfig is composed by
279+ the two objects expr.o and type.o.
280+ expr.o and type.o will be built as position independent code and
281+ linked as a shared library libkconfig.so. C++ is not supported for
282+ shared libraries.
283+
284+--- 4.4 Using C++ for host programs
285
286 kbuild offers support for host programs written in C++. This was
287 introduced solely to support kconfig, and is not recommended
288@@ -666,7 +689,7 @@ Both possibilities are described in the following.
289 qconf-cxxobjs := qconf.o
290 qconf-objs := check.o
291
292---- 4.4 Controlling compiler options for host programs
293+--- 4.5 Controlling compiler options for host programs
294
295 When compiling host programs, it is possible to set specific flags.
296 The programs will always be compiled utilising $(HOSTCC) passed
297@@ -694,7 +717,7 @@ Both possibilities are described in the following.
298 When linking qconf, it will be passed the extra option
299 "-L$(QTDIR)/lib".
300
301---- 4.5 When host programs are actually built
302+--- 4.6 When host programs are actually built
303
304 Kbuild will only build host-programs when they are referenced
305 as a prerequisite.
306@@ -725,7 +748,7 @@ Both possibilities are described in the following.
307 This will tell kbuild to build lxdialog even if not referenced in
308 any rule.
309
310---- 4.6 Using hostprogs-$(CONFIG_FOO)
311+--- 4.7 Using hostprogs-$(CONFIG_FOO)
312
313 A typical pattern in a Kbuild file looks like this:
314
315diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
316index 1d6f045..2714987 100644
317--- a/Documentation/kernel-parameters.txt
318+++ b/Documentation/kernel-parameters.txt
319@@ -1244,6 +1244,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
320 Format: <unsigned int> such that (rxsize & ~0x1fffc0) == 0.
321 Default: 1024
322
323+ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
324+ ignore grsecurity's /proc restrictions
325+
326+ grsec_sysfs_restrict= Format: 0 | 1
327+ Default: 1
328+ Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config
329+
330 hashdist= [KNL,NUMA] Large hashes allocated during boot
331 are distributed across NUMA nodes. Defaults on
332 for 64-bit NUMA, off otherwise.
333@@ -2364,6 +2371,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
334 noexec=on: enable non-executable mappings (default)
335 noexec=off: disable non-executable mappings
336
337+ nopcid [X86-64]
338+ Disable PCID (Process-Context IDentifier) even if it
339+ is supported by the processor.
340+
341 nosmap [X86]
342 Disable SMAP (Supervisor Mode Access Prevention)
343 even if it is supported by processor.
344@@ -2662,6 +2673,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
345 the specified number of seconds. This is to be used if
346 your oopses keep scrolling off the screen.
347
348+ pax_nouderef [X86] disables UDEREF. Most likely needed under certain
349+ virtualization environments that don't cope well with the
350+ expand down segment used by UDEREF on X86-32 or the frequent
351+ page table updates on X86-64.
352+
353+ pax_sanitize_slab=
354+ Format: { 0 | 1 | off | fast | full }
355+ Options '0' and '1' are only provided for backward
356+ compatibility, 'off' or 'fast' should be used instead.
357+ 0|off : disable slab object sanitization
358+ 1|fast: enable slab object sanitization excluding
359+ whitelisted slabs (default)
360+ full : sanitize all slabs, even the whitelisted ones
361+
362+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
363+
364+ pax_extra_latent_entropy
365+ Enable a very simple form of latent entropy extraction
366+ from the first 4GB of memory as the bootmem allocator
367+ passes the memory pages to the buddy allocator.
368+
369+ pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF
370+ when the processor supports PCID.
371+
372 pcbit= [HW,ISDN]
373
374 pcd. [PARIDE]
375diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
376index 6fccb69..60c7c7a 100644
377--- a/Documentation/sysctl/kernel.txt
378+++ b/Documentation/sysctl/kernel.txt
379@@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
380 - kptr_restrict
381 - kstack_depth_to_print [ X86 only ]
382 - l2cr [ PPC only ]
383+- modify_ldt [ X86 only ]
384 - modprobe ==> Documentation/debugging-modules.txt
385 - modules_disabled
386 - msg_next_id [ sysv ipc ]
387@@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If
388
389 ==============================================================
390
391+modify_ldt: (X86 only)
392+
393+Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT
394+(Local Descriptor Table) may be needed to run a 16-bit or segmented code
395+such as Dosemu or Wine. This is done via a system call which is not needed
396+to run portable applications, and which can sometimes be abused to exploit
397+some weaknesses of the architecture, opening new vulnerabilities.
398+
399+This sysctl allows one to increase the system's security by disabling the
400+system call, or to restore compatibility with specific applications when it
401+was already disabled.
402+
403+==============================================================
404+
405 modules_disabled:
406
407 A toggle value indicating if modules are allowed to be loaded
408diff --git a/Makefile b/Makefile
409index a6edbb1..5ac7686 100644
410--- a/Makefile
411+++ b/Makefile
412@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
413 HOSTCC = gcc
414 HOSTCXX = g++
415 HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89
416-HOSTCXXFLAGS = -O2
417+HOSTCFLAGS = -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks
418+HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
419+HOSTCXXFLAGS = -O2 -Wall -W -Wno-array-bounds
420
421 ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1)
422 HOSTCFLAGS += -Wno-unused-value -Wno-unused-parameter \
423@@ -434,8 +436,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \
424 # Rules shared between *config targets and build targets
425
426 # Basic helpers built in scripts/
427-PHONY += scripts_basic
428-scripts_basic:
429+PHONY += scripts_basic gcc-plugins
430+scripts_basic: gcc-plugins
431 $(Q)$(MAKE) $(build)=scripts/basic
432 $(Q)rm -f .tmp_quiet_recordmcount
433
434@@ -615,6 +617,74 @@ endif
435 # Tell gcc to never replace conditional load with a non-conditional one
436 KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
437
438+ifndef DISABLE_PAX_PLUGINS
439+ifeq ($(call cc-ifversion, -ge, 0408, y), y)
440+PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCXX)" "$(HOSTCXX)" "$(CC)")
441+else
442+PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(HOSTCXX)" "$(CC)")
443+endif
444+ifneq ($(PLUGINCC),)
445+ifdef CONFIG_PAX_CONSTIFY_PLUGIN
446+CONSTIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
447+endif
448+ifdef CONFIG_PAX_MEMORY_STACKLEAK
449+STACKLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
450+STACKLEAK_PLUGIN_CFLAGS += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
451+endif
452+ifdef CONFIG_KALLOCSTAT_PLUGIN
453+KALLOCSTAT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
454+endif
455+ifdef CONFIG_PAX_KERNEXEC_PLUGIN
456+KERNEXEC_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
457+KERNEXEC_PLUGIN_CFLAGS += -fplugin-arg-kernexec_plugin-method=$(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD) -DKERNEXEC_PLUGIN
458+KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN
459+endif
460+ifdef CONFIG_GRKERNSEC_RANDSTRUCT
461+RANDSTRUCT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/randomize_layout_plugin.so -DRANDSTRUCT_PLUGIN
462+ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE
463+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode
464+endif
465+endif
466+ifdef CONFIG_CHECKER_PLUGIN
467+ifeq ($(call cc-ifversion, -ge, 0406, y), y)
468+CHECKER_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
469+endif
470+endif
471+COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so
472+ifdef CONFIG_PAX_SIZE_OVERFLOW
473+SIZE_OVERFLOW_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN
474+endif
475+ifdef CONFIG_PAX_LATENT_ENTROPY
476+LATENT_ENTROPY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/latent_entropy_plugin.so -DLATENT_ENTROPY_PLUGIN
477+endif
478+ifdef CONFIG_PAX_MEMORY_STRUCTLEAK
479+STRUCTLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/structleak_plugin.so -DSTRUCTLEAK_PLUGIN
480+endif
481+INITIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/initify_plugin.so -DINITIFY_PLUGIN
482+GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) $(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS)
483+GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS)
484+GCC_PLUGINS_CFLAGS += $(SIZE_OVERFLOW_PLUGIN_CFLAGS) $(LATENT_ENTROPY_PLUGIN_CFLAGS) $(STRUCTLEAK_PLUGIN_CFLAGS)
485+GCC_PLUGINS_CFLAGS += $(INITIFY_PLUGIN_CFLAGS)
486+GCC_PLUGINS_CFLAGS += $(RANDSTRUCT_PLUGIN_CFLAGS)
487+GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS)
488+export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS CONSTIFY_PLUGIN LATENT_ENTROPY_PLUGIN_CFLAGS
489+ifeq ($(KBUILD_EXTMOD),)
490+gcc-plugins:
491+ $(Q)$(MAKE) $(build)=tools/gcc
492+else
493+gcc-plugins: ;
494+endif
495+else
496+gcc-plugins:
497+ifeq ($(call cc-ifversion, -ge, 0405, y), y)
498+ $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev. If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument.))
499+else
500+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
501+endif
502+ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active."
503+endif
504+endif
505+
506 ifdef CONFIG_READABLE_ASM
507 # Disable optimizations that make assembler listings hard to read.
508 # reorder blocks reorders the control in the function
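Review bot: When `PLUGINCC` is empty and gcc is older than 4.5, the `gcc-plugins` recipe only echoes two warnings and the build continues, so `.config` can still list options such as CONFIG_PAX_SIZE_OVERFLOW or CONFIG_PAX_MEMORY_STACKLEAK while none of the plugin instrumentation is compiled in. Anyone auditing the resulting kernel from its config would overestimate its hardening. This branch should fail the same way the gcc >= 4.5 branch does unless `DISABLE_PAX_PLUGINS=y` was given, or at least carry a comment such as `# gcc < 4.5: plugin-backed options in .config are NOT enforced in this build`. Separately, the `export` line names `CONSTIFY_PLUGIN`, which this hunk never defines (only `CONSTIFY_PLUGIN_CFLAGS` is set), and the `$(error ...)` text ends in `))`, leaving a stray parenthesis.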
509@@ -714,7 +784,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g)
510 else
511 KBUILD_CFLAGS += -g
512 endif
513-KBUILD_AFLAGS += -Wa,-gdwarf-2
514+KBUILD_AFLAGS += -Wa,--gdwarf-2
515 endif
516 ifdef CONFIG_DEBUG_INFO_DWARF4
517 KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,)
518@@ -886,7 +956,7 @@ export mod_sign_cmd
519
520
521 ifeq ($(KBUILD_EXTMOD),)
522-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
523+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
524
525 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
526 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
527@@ -936,6 +1006,8 @@ endif
528
529 # The actual objects are generated when descending,
530 # make sure no implicit rule kicks in
531+$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
532+$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
533 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
534
535 # Handle descending into subdirectories listed in $(vmlinux-dirs)
536@@ -945,7 +1017,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
537 # Error messages still appears in the original language
538
539 PHONY += $(vmlinux-dirs)
540-$(vmlinux-dirs): prepare scripts
541+$(vmlinux-dirs): gcc-plugins prepare scripts
542 $(Q)$(MAKE) $(build)=$@
543
544 define filechk_kernel.release
545@@ -988,10 +1060,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
546
547 archprepare: archheaders archscripts prepare1 scripts_basic
548
549+prepare0: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
550+prepare0: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
551 prepare0: archprepare FORCE
552 $(Q)$(MAKE) $(build)=.
553
554 # All the preparing..
555+prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS))
556 prepare: prepare0
557
558 # Generate some files
559@@ -1099,6 +1174,8 @@ all: modules
560 # using awk while concatenating to the final file.
561
562 PHONY += modules
563+modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
564+modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
565 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
566 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
567 @$(kecho) ' Building modules, stage 2.';
568@@ -1114,7 +1191,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
569
570 # Target to prepare building external modules
571 PHONY += modules_prepare
572-modules_prepare: prepare scripts
573+modules_prepare: gcc-plugins prepare scripts
574
575 # Target to install modules
576 PHONY += modules_install
577@@ -1180,7 +1257,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \
578 Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
579 signing_key.priv signing_key.x509 x509.genkey \
580 extra_certificates signing_key.x509.keyid \
581- signing_key.x509.signer vmlinux-gdb.py
582+ signing_key.x509.signer vmlinux-gdb.py \
583+ tools/gcc/size_overflow_plugin/size_overflow_hash_aux.h \
584+ tools/gcc/size_overflow_plugin/size_overflow_hash.h \
585+ tools/gcc/randomize_layout_seed.h
586
587 # clean - Delete most, but leave enough to build external modules
588 #
589@@ -1219,7 +1299,7 @@ distclean: mrproper
590 @find $(srctree) $(RCS_FIND_IGNORE) \
591 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
592 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
593- -o -name '.*.rej' -o -name '*%' -o -name 'core' \) \
594+ -o -name '.*.rej' -o -name '*.so' -o -name '*%' -o -name 'core' \) \
595 -type f -print | xargs rm -f
596
597
598@@ -1385,6 +1465,8 @@ PHONY += $(module-dirs) modules
599 $(module-dirs): crmodverdir $(objtree)/Module.symvers
600 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
601
602+modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
603+modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
604 modules: $(module-dirs)
605 @$(kecho) ' Building modules, stage 2.';
606 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
607@@ -1525,17 +1607,21 @@ else
608 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
609 endif
610
611-%.s: %.c prepare scripts FORCE
612+%.s: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
613+%.s: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
614+%.s: %.c gcc-plugins prepare scripts FORCE
615 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
616 %.i: %.c prepare scripts FORCE
617 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
618-%.o: %.c prepare scripts FORCE
619+%.o: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
620+%.o: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
621+%.o: %.c gcc-plugins prepare scripts FORCE
622 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
623 %.lst: %.c prepare scripts FORCE
624 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
625-%.s: %.S prepare scripts FORCE
626+%.s: %.S gcc-plugins prepare scripts FORCE
627 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
628-%.o: %.S prepare scripts FORCE
629+%.o: %.S gcc-plugins prepare scripts FORCE
630 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
631 %.symtypes: %.c prepare scripts FORCE
632 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
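Review bot: The `%.i`, `%.lst` and `%.symtypes` rules keep their old `prepare scripts FORCE` prerequisites and get no plugin flags, while `%.s` and `%.o` gain both `gcc-plugins` and `KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)`. Those flags carry preprocessor defines such as `-DCONSTIFY_PLUGIN` and `-DSTACKLEAK_PLUGIN`, so `make path/file.i` would presumably preprocess the source without macros that the real compile sees. That makes the preprocessed output misleading when checking what hardened code is actually built. For consistency I would add `%.i: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)` and change the rule to `%.i: %.c gcc-plugins prepare scripts FORCE`, and likewise for `%.lst` and `%.symtypes`.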
633@@ -1547,11 +1633,15 @@ endif
634 $(build)=$(build-dir)
635 # Make sure the latest headers are built for Documentation
636 Documentation/: headers_install
637-%/: prepare scripts FORCE
638+%/: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
639+%/: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
640+%/: gcc-plugins prepare scripts FORCE
641 $(cmd_crmodverdir)
642 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
643 $(build)=$(build-dir)
644-%.ko: prepare scripts FORCE
645+%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
646+%.ko: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
647+%.ko: gcc-plugins prepare scripts FORCE
648 $(cmd_crmodverdir)
649 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
650 $(build)=$(build-dir) $(@:.ko=.o)
651diff --git a/arch/alpha/include/asm/atomic.h b/arch/alpha/include/asm/atomic.h
652index 8f8eafb..3405f46 100644
653--- a/arch/alpha/include/asm/atomic.h
654+++ b/arch/alpha/include/asm/atomic.h
655@@ -239,4 +239,14 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
656 #define atomic_dec(v) atomic_sub(1,(v))
657 #define atomic64_dec(v) atomic64_sub(1,(v))
658
659+#define atomic64_read_unchecked(v) atomic64_read(v)
660+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
661+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
662+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
663+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
664+#define atomic64_inc_unchecked(v) atomic64_inc(v)
665+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
666+#define atomic64_dec_unchecked(v) atomic64_dec(v)
667+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
668+
669 #endif /* _ALPHA_ATOMIC_H */
670diff --git a/arch/alpha/include/asm/cache.h b/arch/alpha/include/asm/cache.h
671index ad368a9..fbe0f25 100644
672--- a/arch/alpha/include/asm/cache.h
673+++ b/arch/alpha/include/asm/cache.h
674@@ -4,19 +4,19 @@
675 #ifndef __ARCH_ALPHA_CACHE_H
676 #define __ARCH_ALPHA_CACHE_H
677
678+#include <linux/const.h>
679
680 /* Bytes per L1 (data) cache line. */
681 #if defined(CONFIG_ALPHA_GENERIC) || defined(CONFIG_ALPHA_EV6)
682-# define L1_CACHE_BYTES 64
683 # define L1_CACHE_SHIFT 6
684 #else
685 /* Both EV4 and EV5 are write-through, read-allocate,
686 direct-mapped, physical.
687 */
688-# define L1_CACHE_BYTES 32
689 # define L1_CACHE_SHIFT 5
690 #endif
691
692+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
693 #define SMP_CACHE_BYTES L1_CACHE_BYTES
694
695 #endif
696diff --git a/arch/alpha/include/asm/elf.h b/arch/alpha/include/asm/elf.h
697index 968d999..d36b2df 100644
698--- a/arch/alpha/include/asm/elf.h
699+++ b/arch/alpha/include/asm/elf.h
700@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
701
702 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
703
704+#ifdef CONFIG_PAX_ASLR
705+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
706+
707+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
708+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
709+#endif
710+
711 /* $0 is set by ld.so to a pointer to a function which might be
712 registered using atexit. This provides a mean for the dynamic
713 linker to call DT_FINI functions for shared libraries that have
714diff --git a/arch/alpha/include/asm/pgalloc.h b/arch/alpha/include/asm/pgalloc.h
715index aab14a0..b4fa3e7 100644
716--- a/arch/alpha/include/asm/pgalloc.h
717+++ b/arch/alpha/include/asm/pgalloc.h
718@@ -29,6 +29,12 @@ pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
719 pgd_set(pgd, pmd);
720 }
721
722+static inline void
723+pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
724+{
725+ pgd_populate(mm, pgd, pmd);
726+}
727+
728 extern pgd_t *pgd_alloc(struct mm_struct *mm);
729
730 static inline void
731diff --git a/arch/alpha/include/asm/pgtable.h b/arch/alpha/include/asm/pgtable.h
732index a9a1195..e9b8417 100644
733--- a/arch/alpha/include/asm/pgtable.h
734+++ b/arch/alpha/include/asm/pgtable.h
735@@ -101,6 +101,17 @@ struct vm_area_struct;
736 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
737 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
738 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
739+
740+#ifdef CONFIG_PAX_PAGEEXEC
741+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
742+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
743+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
744+#else
745+# define PAGE_SHARED_NOEXEC PAGE_SHARED
746+# define PAGE_COPY_NOEXEC PAGE_COPY
747+# define PAGE_READONLY_NOEXEC PAGE_READONLY
748+#endif
749+
750 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
751
752 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
753diff --git a/arch/alpha/kernel/module.c b/arch/alpha/kernel/module.c
754index 2fd00b7..cfd5069 100644
755--- a/arch/alpha/kernel/module.c
756+++ b/arch/alpha/kernel/module.c
757@@ -160,7 +160,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, const char *strtab,
758
759 /* The small sections were sorted to the end of the segment.
760 The following should definitely cover them. */
761- gp = (u64)me->module_core + me->core_size - 0x8000;
762+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
763 got = sechdrs[me->arch.gotsecindex].sh_addr;
764
765 for (i = 0; i < n; i++) {
766diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
767index 36dc91a..6769cb0 100644
768--- a/arch/alpha/kernel/osf_sys.c
769+++ b/arch/alpha/kernel/osf_sys.c
770@@ -1295,10 +1295,11 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p)
771 generic version except that we know how to honor ADDR_LIMIT_32BIT. */
772
773 static unsigned long
774-arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
775- unsigned long limit)
776+arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len,
777+ unsigned long limit, unsigned long flags)
778 {
779 struct vm_unmapped_area_info info;
780+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
781
782 info.flags = 0;
783 info.length = len;
784@@ -1306,6 +1307,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
785 info.high_limit = limit;
786 info.align_mask = 0;
787 info.align_offset = 0;
788+ info.threadstack_offset = offset;
789 return vm_unmapped_area(&info);
790 }
791
792@@ -1338,20 +1340,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
793 merely specific addresses, but regions of memory -- perhaps
794 this feature should be incorporated into all ports? */
795
796+#ifdef CONFIG_PAX_RANDMMAP
797+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
798+#endif
799+
800 if (addr) {
801- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
802+ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags);
803 if (addr != (unsigned long) -ENOMEM)
804 return addr;
805 }
806
807 /* Next, try allocating at TASK_UNMAPPED_BASE. */
808- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
809- len, limit);
810+ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags);
811+
812 if (addr != (unsigned long) -ENOMEM)
813 return addr;
814
815 /* Finally, try allocating in low memory. */
816- addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit);
817+ addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags);
818
819 return addr;
820 }
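Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block leaves a bare `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the `if (addr) { ... }` that follows the `#endif` and a blank line. It reads as two independent statements, and it silently changes meaning if anyone later inserts a statement between them. I would compute the condition into a local inside the `#ifdef` and test it together with `addr` in a single braced `if`, with a comment such as `/* PaX: under RANDMMAP the caller's address hint is ignored */`. The fallback search also changes from `TASK_UNMAPPED_BASE` to `current->mm->mmap_base`, which deserves a short comment of its own. `arch_get_unmapped_area` begins outside this hunk.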
821diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
822index 4a905bd..0a4da53 100644
823--- a/arch/alpha/mm/fault.c
824+++ b/arch/alpha/mm/fault.c
825@@ -52,6 +52,124 @@ __load_new_mm_context(struct mm_struct *next_mm)
826 __reload_thread(pcb);
827 }
828
829+#ifdef CONFIG_PAX_PAGEEXEC
830+/*
831+ * PaX: decide what to do with offenders (regs->pc = fault address)
832+ *
833+ * returns 1 when task should be killed
834+ * 2 when patched PLT trampoline was detected
835+ * 3 when unpatched PLT trampoline was detected
836+ */
837+static int pax_handle_fetch_fault(struct pt_regs *regs)
838+{
839+
840+#ifdef CONFIG_PAX_EMUPLT
841+ int err;
842+
843+ do { /* PaX: patched PLT emulation #1 */
844+ unsigned int ldah, ldq, jmp;
845+
846+ err = get_user(ldah, (unsigned int *)regs->pc);
847+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
848+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
849+
850+ if (err)
851+ break;
852+
853+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
854+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
855+ jmp == 0x6BFB0000U)
856+ {
857+ unsigned long r27, addr;
858+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
859+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
860+
861+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
862+ err = get_user(r27, (unsigned long *)addr);
863+ if (err)
864+ break;
865+
866+ regs->r27 = r27;
867+ regs->pc = r27;
868+ return 2;
869+ }
870+ } while (0);
871+
872+ do { /* PaX: patched PLT emulation #2 */
873+ unsigned int ldah, lda, br;
874+
875+ err = get_user(ldah, (unsigned int *)regs->pc);
876+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
877+ err |= get_user(br, (unsigned int *)(regs->pc+8));
878+
879+ if (err)
880+ break;
881+
882+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
883+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
884+ (br & 0xFFE00000U) == 0xC3E00000U)
885+ {
886+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
887+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
888+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
889+
890+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
891+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
892+ return 2;
893+ }
894+ } while (0);
895+
896+ do { /* PaX: unpatched PLT emulation */
897+ unsigned int br;
898+
899+ err = get_user(br, (unsigned int *)regs->pc);
900+
901+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
902+ unsigned int br2, ldq, nop, jmp;
903+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
904+
905+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
906+ err = get_user(br2, (unsigned int *)addr);
907+ err |= get_user(ldq, (unsigned int *)(addr+4));
908+ err |= get_user(nop, (unsigned int *)(addr+8));
909+ err |= get_user(jmp, (unsigned int *)(addr+12));
910+ err |= get_user(resolver, (unsigned long *)(addr+16));
911+
912+ if (err)
913+ break;
914+
915+ if (br2 == 0xC3600000U &&
916+ ldq == 0xA77B000CU &&
917+ nop == 0x47FF041FU &&
918+ jmp == 0x6B7B0000U)
919+ {
920+ regs->r28 = regs->pc+4;
921+ regs->r27 = addr+16;
922+ regs->pc = resolver;
923+ return 3;
924+ }
925+ }
926+ } while (0);
927+#endif
928+
929+ return 1;
930+}
931+
932+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
933+{
934+ unsigned long i;
935+
936+ printk(KERN_ERR "PAX: bytes at PC: ");
937+ for (i = 0; i < 5; i++) {
938+ unsigned int c;
939+ if (get_user(c, (unsigned int *)pc+i))
940+ printk(KERN_CONT "???????? ");
941+ else
942+ printk(KERN_CONT "%08x ", c);
943+ }
944+ printk("\n");
945+}
946+#endif
947
948 /*
949 * This routine handles page faults. It determines the address,
950@@ -132,8 +250,29 @@ retry:
951 good_area:
952 si_code = SEGV_ACCERR;
953 if (cause < 0) {
954- if (!(vma->vm_flags & VM_EXEC))
955+ if (!(vma->vm_flags & VM_EXEC)) {
956+
957+#ifdef CONFIG_PAX_PAGEEXEC
958+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
959+ goto bad_area;
960+
961+ up_read(&mm->mmap_sem);
962+ switch (pax_handle_fetch_fault(regs)) {
963+
964+#ifdef CONFIG_PAX_EMUPLT
965+ case 2:
966+ case 3:
967+ return;
968+#endif
969+
970+ }
971+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
972+ do_group_exit(SIGKILL);
973+#else
974 goto bad_area;
975+#endif
976+
977+ }
978 } else if (!cause) {
979 /* Allow reads even for write-only mappings */
980 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
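Review bot: The `case 2:` and `case 3:` labels rely on bare integer return codes from pax_handle_fetch_fault(), and nothing in this hunk says what they mean. From the emulation code earlier in the patch, 2 and 3 appear to be returned after a PLT sequence was emulated and `regs->pc` redirected, while 1 falls through to the report-and-kill path. A comment such as `/* 2, 3: PLT stub emulated, resume at the new pc */` above the cases would make that explicit. With CONFIG_PAX_EMUPLT disabled the `switch` body is empty and the call's result is discarded, so a plain call statement would read more clearly there. The enclosing fault handler starts and ends outside the hunk.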
981diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
982index ede2526..9e12300 100644
983--- a/arch/arm/Kconfig
984+++ b/arch/arm/Kconfig
985@@ -1770,7 +1770,7 @@ config ALIGNMENT_TRAP
986
987 config UACCESS_WITH_MEMCPY
988 bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
989- depends on MMU
990+ depends on MMU && !PAX_MEMORY_UDEREF
991 default y if CPU_FEROCEON
992 help
993 Implement faster copy_to_user and clear_user methods for CPU
994@@ -2006,6 +2006,7 @@ config KEXEC
995 bool "Kexec system call (EXPERIMENTAL)"
996 depends on (!SMP || PM_SLEEP_SMP)
997 depends on !CPU_V7M
998+ depends on !GRKERNSEC_KMEM
999 help
1000 kexec is a system call that implements the ability to shutdown your
1001 current kernel, and to start another kernel. It is like a reboot
1002diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
1003index e22c119..abe7041 100644
1004--- a/arch/arm/include/asm/atomic.h
1005+++ b/arch/arm/include/asm/atomic.h
1006@@ -18,17 +18,41 @@
1007 #include <asm/barrier.h>
1008 #include <asm/cmpxchg.h>
1009
1010+#ifdef CONFIG_GENERIC_ATOMIC64
1011+#include <asm-generic/atomic64.h>
1012+#endif
1013+
1014 #define ATOMIC_INIT(i) { (i) }
1015
1016 #ifdef __KERNEL__
1017
1018+#ifdef CONFIG_THUMB2_KERNEL
1019+#define REFCOUNT_TRAP_INSN "bkpt 0xf1"
1020+#else
1021+#define REFCOUNT_TRAP_INSN "bkpt 0xf103"
1022+#endif
1023+
1024+#define _ASM_EXTABLE(from, to) \
1025+" .pushsection __ex_table,\"a\"\n"\
1026+" .align 3\n" \
1027+" .long " #from ", " #to"\n" \
1028+" .popsection"
1029+
1030 /*
1031 * On ARM, ordinary assignment (str instruction) doesn't clear the local
1032 * strex/ldrex monitor on some implementations. The reason we can use it for
1033 * atomic_set() is the clrex or dummy strex done on every exception return.
1034 */
1035 #define atomic_read(v) ACCESS_ONCE((v)->counter)
1036+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
1037+{
1038+ return ACCESS_ONCE(v->counter);
1039+}
1040 #define atomic_set(v,i) (((v)->counter) = (i))
1041+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
1042+{
1043+ v->counter = i;
1044+}
1045
1046 #if __LINUX_ARM_ARCH__ >= 6
1047
1048@@ -38,26 +62,50 @@
1049 * to ensure that the update happens.
1050 */
1051
1052-#define ATOMIC_OP(op, c_op, asm_op) \
1053-static inline void atomic_##op(int i, atomic_t *v) \
1054+#ifdef CONFIG_PAX_REFCOUNT
1055+#define __OVERFLOW_POST \
1056+ " bvc 3f\n" \
1057+ "2: " REFCOUNT_TRAP_INSN "\n"\
1058+ "3:\n"
1059+#define __OVERFLOW_POST_RETURN \
1060+ " bvc 3f\n" \
1061+" mov %0, %1\n" \
1062+ "2: " REFCOUNT_TRAP_INSN "\n"\
1063+ "3:\n"
1064+#define __OVERFLOW_EXTABLE \
1065+ "4:\n" \
1066+ _ASM_EXTABLE(2b, 4b)
1067+#else
1068+#define __OVERFLOW_POST
1069+#define __OVERFLOW_POST_RETURN
1070+#define __OVERFLOW_EXTABLE
1071+#endif
1072+
1073+#define __ATOMIC_OP(op, suffix, c_op, asm_op, post_op, extable) \
1074+static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \
1075 { \
1076 unsigned long tmp; \
1077 int result; \
1078 \
1079 prefetchw(&v->counter); \
1080- __asm__ __volatile__("@ atomic_" #op "\n" \
1081+ __asm__ __volatile__("@ atomic_" #op #suffix "\n" \
1082 "1: ldrex %0, [%3]\n" \
1083 " " #asm_op " %0, %0, %4\n" \
1084+ post_op \
1085 " strex %1, %0, [%3]\n" \
1086 " teq %1, #0\n" \
1087-" bne 1b" \
1088+" bne 1b\n" \
1089+ extable \
1090 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1091 : "r" (&v->counter), "Ir" (i) \
1092 : "cc"); \
1093 } \
1094
1095-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
1096-static inline int atomic_##op##_return(int i, atomic_t *v) \
1097+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, _unchecked, c_op, asm_op, , )\
1098+ __ATOMIC_OP(op, , c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
1099+
1100+#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op, post_op, extable) \
1101+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
1102 { \
1103 unsigned long tmp; \
1104 int result; \
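Review bot: `__OVERFLOW_POST_RETURN` executes `mov %0, %1` on the overflow path, but in `__ATOMIC_OP_RETURN` (asm body in the next hunk) `%1` is `tmp`, which is only written by the later `strex`, while the loaded counter value is in `%0`. When the trap fires and the `_ASM_EXTABLE(2b, 4b)` fixup resumes at label 4, the function therefore appears to return whatever `tmp` held rather than the unmodified counter. `atomic64_dec_if_positive` further down avoids this by loading into `%1` and computing into `%0`; the same shape here would be `"1: ldrex %1, [%3]\n"` followed by `" " #asm_op " %0, %1, %4\n"`. The 64-bit redefinition of `__OVERFLOW_POST_RETURN` has the same pattern and also uses `%H1` although `tmp` in `__ATOMIC64_OP_RETURN` is declared `unsigned long`. It would need `tmp` widened the way `atomic64_dec_if_positive` does with `u64 tmp`.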
1105@@ -65,12 +113,14 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1106 smp_mb(); \
1107 prefetchw(&v->counter); \
1108 \
1109- __asm__ __volatile__("@ atomic_" #op "_return\n" \
1110+ __asm__ __volatile__("@ atomic_" #op "_return" #suffix "\n" \
1111 "1: ldrex %0, [%3]\n" \
1112 " " #asm_op " %0, %0, %4\n" \
1113+ post_op \
1114 " strex %1, %0, [%3]\n" \
1115 " teq %1, #0\n" \
1116-" bne 1b" \
1117+" bne 1b\n" \
1118+ extable \
1119 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1120 : "r" (&v->counter), "Ir" (i) \
1121 : "cc"); \
1122@@ -80,6 +130,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1123 return result; \
1124 }
1125
1126+#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op, , )\
1127+ __ATOMIC_OP_RETURN(op, , c_op, asm_op##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)
1128+
1129 static inline int atomic_cmpxchg(atomic_t *ptr, int old, int new)
1130 {
1131 int oldval;
1132@@ -115,12 +168,24 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1133 __asm__ __volatile__ ("@ atomic_add_unless\n"
1134 "1: ldrex %0, [%4]\n"
1135 " teq %0, %5\n"
1136-" beq 2f\n"
1137-" add %1, %0, %6\n"
1138+" beq 4f\n"
1139+" adds %1, %0, %6\n"
1140+
1141+#ifdef CONFIG_PAX_REFCOUNT
1142+" bvc 3f\n"
1143+"2: " REFCOUNT_TRAP_INSN "\n"
1144+"3:\n"
1145+#endif
1146+
1147 " strex %2, %1, [%4]\n"
1148 " teq %2, #0\n"
1149 " bne 1b\n"
1150-"2:"
1151+"4:"
1152+
1153+#ifdef CONFIG_PAX_REFCOUNT
1154+ _ASM_EXTABLE(2b, 4b)
1155+#endif
1156+
1157 : "=&r" (oldval), "=&r" (newval), "=&r" (tmp), "+Qo" (v->counter)
1158 : "r" (&v->counter), "r" (u), "r" (a)
1159 : "cc");
1160@@ -131,14 +196,36 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1161 return oldval;
1162 }
1163
1164+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *ptr, int old, int new)
1165+{
1166+ unsigned long oldval, res;
1167+
1168+ smp_mb();
1169+
1170+ do {
1171+ __asm__ __volatile__("@ atomic_cmpxchg_unchecked\n"
1172+ "ldrex %1, [%3]\n"
1173+ "mov %0, #0\n"
1174+ "teq %1, %4\n"
1175+ "strexeq %0, %5, [%3]\n"
1176+ : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
1177+ : "r" (&ptr->counter), "Ir" (old), "r" (new)
1178+ : "cc");
1179+ } while (res);
1180+
1181+ smp_mb();
1182+
1183+ return oldval;
1184+}
1185+
1186 #else /* ARM_ARCH_6 */
1187
1188 #ifdef CONFIG_SMP
1189 #error SMP not supported on pre-ARMv6 CPUs
1190 #endif
1191
1192-#define ATOMIC_OP(op, c_op, asm_op) \
1193-static inline void atomic_##op(int i, atomic_t *v) \
1194+#define __ATOMIC_OP(op, suffix, c_op, asm_op) \
1195+static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \
1196 { \
1197 unsigned long flags; \
1198 \
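Review bot: `atomic_cmpxchg_unchecked()` declares `unsigned long oldval, res;` but returns `int`, whereas the checked `atomic_cmpxchg()` visible in the context of an earlier hunk uses `int oldval;`. Both types are 32 bits wide on this architecture, so the result is the same, but `int oldval; unsigned long res;` would keep the two variants comparable line by line. The other ldrex/strex loops shown in this file call `prefetchw()` on the counter before the loop and this one does not; whether that is deliberate cannot be told from the hunk.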
1199@@ -147,8 +234,11 @@ static inline void atomic_##op(int i, atomic_t *v) \
1200 raw_local_irq_restore(flags); \
1201 } \
1202
1203-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
1204-static inline int atomic_##op##_return(int i, atomic_t *v) \
1205+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op) \
1206+ __ATOMIC_OP(op, _unchecked, c_op, asm_op)
1207+
1208+#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op) \
1209+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
1210 { \
1211 unsigned long flags; \
1212 int val; \
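Review bot: In this pre-ARMv6 branch `ATOMIC_OP` instantiates `__ATOMIC_OP` with and without the `_unchecked` suffix from the same body, and the macro takes no `post_op`/`extable` arguments, so the checked `atomic_add()`/`atomic_sub()` get no overflow detection here. If CONFIG_PAX_REFCOUNT can be selected for these CPUs (the Kconfig dependency is not visible in this hunk), the option would be silently ineffective. A comment saying so, or a build-time `#error` under `CONFIG_PAX_REFCOUNT`, would make the limitation explicit. The same applies to `__ATOMIC_OP_RETURN` below, and the macro bodies start and end outside the hunk.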
1213@@ -161,6 +251,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1214 return val; \
1215 }
1216
1217+#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, , c_op, asm_op)\
1218+ __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op)
1219+
1220 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
1221 {
1222 int ret;
1223@@ -175,6 +268,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
1224 return ret;
1225 }
1226
1227+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
1228+{
1229+ return atomic_cmpxchg((atomic_t *)v, old, new);
1230+}
1231+
1232 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1233 {
1234 int c, old;
1235@@ -196,16 +294,38 @@ ATOMIC_OPS(sub, -=, sub)
1236
1237 #undef ATOMIC_OPS
1238 #undef ATOMIC_OP_RETURN
1239+#undef __ATOMIC_OP_RETURN
1240 #undef ATOMIC_OP
1241+#undef __ATOMIC_OP
1242
1243 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
1244+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
1245+{
1246+ return xchg(&v->counter, new);
1247+}
1248
1249 #define atomic_inc(v) atomic_add(1, v)
1250+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
1251+{
1252+ atomic_add_unchecked(1, v);
1253+}
1254 #define atomic_dec(v) atomic_sub(1, v)
1255+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
1256+{
1257+ atomic_sub_unchecked(1, v);
1258+}
1259
1260 #define atomic_inc_and_test(v) (atomic_add_return(1, v) == 0)
1261+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
1262+{
1263+ return atomic_add_return_unchecked(1, v) == 0;
1264+}
1265 #define atomic_dec_and_test(v) (atomic_sub_return(1, v) == 0)
1266 #define atomic_inc_return(v) (atomic_add_return(1, v))
1267+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
1268+{
1269+ return atomic_add_return_unchecked(1, v);
1270+}
1271 #define atomic_dec_return(v) (atomic_sub_return(1, v))
1272 #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
1273
1274@@ -216,6 +336,14 @@ typedef struct {
1275 long long counter;
1276 } atomic64_t;
1277
1278+#ifdef CONFIG_PAX_REFCOUNT
1279+typedef struct {
1280+ long long counter;
1281+} atomic64_unchecked_t;
1282+#else
1283+typedef atomic64_t atomic64_unchecked_t;
1284+#endif
1285+
1286 #define ATOMIC64_INIT(i) { (i) }
1287
1288 #ifdef CONFIG_ARM_LPAE
1289@@ -232,6 +360,19 @@ static inline long long atomic64_read(const atomic64_t *v)
1290 return result;
1291 }
1292
1293+static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v)
1294+{
1295+ long long result;
1296+
1297+ __asm__ __volatile__("@ atomic64_read_unchecked\n"
1298+" ldrd %0, %H0, [%1]"
1299+ : "=&r" (result)
1300+ : "r" (&v->counter), "Qo" (v->counter)
1301+ );
1302+
1303+ return result;
1304+}
1305+
1306 static inline void atomic64_set(atomic64_t *v, long long i)
1307 {
1308 __asm__ __volatile__("@ atomic64_set\n"
1309@@ -240,6 +381,15 @@ static inline void atomic64_set(atomic64_t *v, long long i)
1310 : "r" (&v->counter), "r" (i)
1311 );
1312 }
1313+
1314+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
1315+{
1316+ __asm__ __volatile__("@ atomic64_set_unchecked\n"
1317+" strd %2, %H2, [%1]"
1318+ : "=Qo" (v->counter)
1319+ : "r" (&v->counter), "r" (i)
1320+ );
1321+}
1322 #else
1323 static inline long long atomic64_read(const atomic64_t *v)
1324 {
1325@@ -254,6 +404,19 @@ static inline long long atomic64_read(const atomic64_t *v)
1326 return result;
1327 }
1328
1329+static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v)
1330+{
1331+ long long result;
1332+
1333+ __asm__ __volatile__("@ atomic64_read_unchecked\n"
1334+" ldrexd %0, %H0, [%1]"
1335+ : "=&r" (result)
1336+ : "r" (&v->counter), "Qo" (v->counter)
1337+ );
1338+
1339+ return result;
1340+}
1341+
1342 static inline void atomic64_set(atomic64_t *v, long long i)
1343 {
1344 long long tmp;
1345@@ -268,29 +431,57 @@ static inline void atomic64_set(atomic64_t *v, long long i)
1346 : "r" (&v->counter), "r" (i)
1347 : "cc");
1348 }
1349+
1350+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
1351+{
1352+ long long tmp;
1353+
1354+ prefetchw(&v->counter);
1355+ __asm__ __volatile__("@ atomic64_set_unchecked\n"
1356+"1: ldrexd %0, %H0, [%2]\n"
1357+" strexd %0, %3, %H3, [%2]\n"
1358+" teq %0, #0\n"
1359+" bne 1b"
1360+ : "=&r" (tmp), "=Qo" (v->counter)
1361+ : "r" (&v->counter), "r" (i)
1362+ : "cc");
1363+}
1364 #endif
1365
1366-#define ATOMIC64_OP(op, op1, op2) \
1367-static inline void atomic64_##op(long long i, atomic64_t *v) \
1368+#undef __OVERFLOW_POST_RETURN
1369+#define __OVERFLOW_POST_RETURN \
1370+ " bvc 3f\n" \
1371+" mov %0, %1\n" \
1372+" mov %H0, %H1\n" \
1373+ "2: " REFCOUNT_TRAP_INSN "\n"\
1374+ "3:\n"
1375+
1376+#define __ATOMIC64_OP(op, suffix, op1, op2, post_op, extable) \
1377+static inline void atomic64_##op##suffix(long long i, atomic64##suffix##_t *v)\
1378 { \
1379 long long result; \
1380 unsigned long tmp; \
1381 \
1382 prefetchw(&v->counter); \
1383- __asm__ __volatile__("@ atomic64_" #op "\n" \
1384+ __asm__ __volatile__("@ atomic64_" #op #suffix "\n" \
1385 "1: ldrexd %0, %H0, [%3]\n" \
1386 " " #op1 " %Q0, %Q0, %Q4\n" \
1387 " " #op2 " %R0, %R0, %R4\n" \
1388+ post_op \
1389 " strexd %1, %0, %H0, [%3]\n" \
1390 " teq %1, #0\n" \
1391-" bne 1b" \
1392+" bne 1b\n" \
1393+ extable \
1394 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1395 : "r" (&v->counter), "r" (i) \
1396 : "cc"); \
1397 } \
1398
1399-#define ATOMIC64_OP_RETURN(op, op1, op2) \
1400-static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1401+#define ATOMIC64_OP(op, op1, op2) __ATOMIC64_OP(op, _unchecked, op1, op2, , ) \
1402+ __ATOMIC64_OP(op, , op1, op2##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
1403+
1404+#define __ATOMIC64_OP_RETURN(op, suffix, op1, op2, post_op, extable) \
1405+static inline long long atomic64_##op##_return##suffix(long long i, atomic64##suffix##_t *v) \
1406 { \
1407 long long result; \
1408 unsigned long tmp; \
1409@@ -298,13 +489,15 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1410 smp_mb(); \
1411 prefetchw(&v->counter); \
1412 \
1413- __asm__ __volatile__("@ atomic64_" #op "_return\n" \
1414+ __asm__ __volatile__("@ atomic64_" #op "_return" #suffix "\n" \
1415 "1: ldrexd %0, %H0, [%3]\n" \
1416 " " #op1 " %Q0, %Q0, %Q4\n" \
1417 " " #op2 " %R0, %R0, %R4\n" \
1418+ post_op \
1419 " strexd %1, %0, %H0, [%3]\n" \
1420 " teq %1, #0\n" \
1421-" bne 1b" \
1422+" bne 1b\n" \
1423+ extable \
1424 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1425 : "r" (&v->counter), "r" (i) \
1426 : "cc"); \
1427@@ -314,6 +507,9 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1428 return result; \
1429 }
1430
1431+#define ATOMIC64_OP_RETURN(op, op1, op2) __ATOMIC64_OP_RETURN(op, _unchecked, op1, op2, , ) \
1432+ __ATOMIC64_OP_RETURN(op, , op1, op2##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)
1433+
1434 #define ATOMIC64_OPS(op, op1, op2) \
1435 ATOMIC64_OP(op, op1, op2) \
1436 ATOMIC64_OP_RETURN(op, op1, op2)
1437@@ -323,7 +519,12 @@ ATOMIC64_OPS(sub, subs, sbc)
1438
1439 #undef ATOMIC64_OPS
1440 #undef ATOMIC64_OP_RETURN
1441+#undef __ATOMIC64_OP_RETURN
1442 #undef ATOMIC64_OP
1443+#undef __ATOMIC64_OP
1444+#undef __OVERFLOW_EXTABLE
1445+#undef __OVERFLOW_POST_RETURN
1446+#undef __OVERFLOW_POST
1447
1448 static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
1449 long long new)
1450@@ -351,6 +552,31 @@ static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
1451 return oldval;
1452 }
1453
1454+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, long long old,
1455+ long long new)
1456+{
1457+ long long oldval;
1458+ unsigned long res;
1459+
1460+ smp_mb();
1461+
1462+ do {
1463+ __asm__ __volatile__("@ atomic64_cmpxchg_unchecked\n"
1464+ "ldrexd %1, %H1, [%3]\n"
1465+ "mov %0, #0\n"
1466+ "teq %1, %4\n"
1467+ "teqeq %H1, %H4\n"
1468+ "strexdeq %0, %5, %H5, [%3]"
1469+ : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
1470+ : "r" (&ptr->counter), "r" (old), "r" (new)
1471+ : "cc");
1472+ } while (res);
1473+
1474+ smp_mb();
1475+
1476+ return oldval;
1477+}
1478+
1479 static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
1480 {
1481 long long result;
1482@@ -376,21 +602,35 @@ static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
1483 static inline long long atomic64_dec_if_positive(atomic64_t *v)
1484 {
1485 long long result;
1486- unsigned long tmp;
1487+ u64 tmp;
1488
1489 smp_mb();
1490 prefetchw(&v->counter);
1491
1492 __asm__ __volatile__("@ atomic64_dec_if_positive\n"
1493-"1: ldrexd %0, %H0, [%3]\n"
1494-" subs %Q0, %Q0, #1\n"
1495-" sbc %R0, %R0, #0\n"
1496+"1: ldrexd %1, %H1, [%3]\n"
1497+" subs %Q0, %Q1, #1\n"
1498+" sbcs %R0, %R1, #0\n"
1499+
1500+#ifdef CONFIG_PAX_REFCOUNT
1501+" bvc 3f\n"
1502+" mov %Q0, %Q1\n"
1503+" mov %R0, %R1\n"
1504+"2: " REFCOUNT_TRAP_INSN "\n"
1505+"3:\n"
1506+#endif
1507+
1508 " teq %R0, #0\n"
1509-" bmi 2f\n"
1510+" bmi 4f\n"
1511 " strexd %1, %0, %H0, [%3]\n"
1512 " teq %1, #0\n"
1513 " bne 1b\n"
1514-"2:"
1515+"4:\n"
1516+
1517+#ifdef CONFIG_PAX_REFCOUNT
1518+ _ASM_EXTABLE(2b, 4b)
1519+#endif
1520+
1521 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1522 : "r" (&v->counter)
1523 : "cc");
1524@@ -414,13 +654,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
1525 " teq %0, %5\n"
1526 " teqeq %H0, %H5\n"
1527 " moveq %1, #0\n"
1528-" beq 2f\n"
1529+" beq 4f\n"
1530 " adds %Q0, %Q0, %Q6\n"
1531-" adc %R0, %R0, %R6\n"
1532+" adcs %R0, %R0, %R6\n"
1533+
1534+#ifdef CONFIG_PAX_REFCOUNT
1535+" bvc 3f\n"
1536+"2: " REFCOUNT_TRAP_INSN "\n"
1537+"3:\n"
1538+#endif
1539+
1540 " strexd %2, %0, %H0, [%4]\n"
1541 " teq %2, #0\n"
1542 " bne 1b\n"
1543-"2:"
1544+"4:\n"
1545+
1546+#ifdef CONFIG_PAX_REFCOUNT
1547+ _ASM_EXTABLE(2b, 4b)
1548+#endif
1549+
1550 : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter)
1551 : "r" (&v->counter), "r" (u), "r" (a)
1552 : "cc");
1553@@ -433,10 +685,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
1554
1555 #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0)
1556 #define atomic64_inc(v) atomic64_add(1LL, (v))
1557+#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1LL, (v))
1558 #define atomic64_inc_return(v) atomic64_add_return(1LL, (v))
1559+#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1LL, (v))
1560 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
1561 #define atomic64_sub_and_test(a, v) (atomic64_sub_return((a), (v)) == 0)
1562 #define atomic64_dec(v) atomic64_sub(1LL, (v))
1563+#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1LL, (v))
1564 #define atomic64_dec_return(v) atomic64_sub_return(1LL, (v))
1565 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
1566 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
1567diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h
1568index 6c2327e..85beac4 100644
1569--- a/arch/arm/include/asm/barrier.h
1570+++ b/arch/arm/include/asm/barrier.h
1571@@ -67,7 +67,7 @@
1572 do { \
1573 compiletime_assert_atomic_type(*p); \
1574 smp_mb(); \
1575- ACCESS_ONCE(*p) = (v); \
1576+ ACCESS_ONCE_RW(*p) = (v); \
1577 } while (0)
1578
1579 #define smp_load_acquire(p) \
1580diff --git a/arch/arm/include/asm/cache.h b/arch/arm/include/asm/cache.h
1581index 75fe66b..ba3dee4 100644
1582--- a/arch/arm/include/asm/cache.h
1583+++ b/arch/arm/include/asm/cache.h
1584@@ -4,8 +4,10 @@
1585 #ifndef __ASMARM_CACHE_H
1586 #define __ASMARM_CACHE_H
1587
1588+#include <linux/const.h>
1589+
1590 #define L1_CACHE_SHIFT CONFIG_ARM_L1_CACHE_SHIFT
1591-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
1592+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
1593
1594 /*
1595 * Memory returned by kmalloc() may be used for DMA, so we must make
1596@@ -24,5 +26,6 @@
1597 #endif
1598
1599 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
1600+#define __read_only __attribute__ ((__section__(".data..read_only")))
1601
1602 #endif
1603diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
1604index 4812cda..9da8116 100644
1605--- a/arch/arm/include/asm/cacheflush.h
1606+++ b/arch/arm/include/asm/cacheflush.h
1607@@ -116,7 +116,7 @@ struct cpu_cache_fns {
1608 void (*dma_unmap_area)(const void *, size_t, int);
1609
1610 void (*dma_flush_range)(const void *, const void *);
1611-};
1612+} __no_const;
1613
1614 /*
1615 * Select the calling method
1616diff --git a/arch/arm/include/asm/checksum.h b/arch/arm/include/asm/checksum.h
1617index 5233151..87a71fa 100644
1618--- a/arch/arm/include/asm/checksum.h
1619+++ b/arch/arm/include/asm/checksum.h
1620@@ -37,7 +37,19 @@ __wsum
1621 csum_partial_copy_nocheck(const void *src, void *dst, int len, __wsum sum);
1622
1623 __wsum
1624-csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
1625+__csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
1626+
1627+static inline __wsum
1628+csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr)
1629+{
1630+ __wsum ret;
1631+ pax_open_userland();
1632+ ret = __csum_partial_copy_from_user(src, dst, len, sum, err_ptr);
1633+ pax_close_userland();
1634+ return ret;
1635+}
1636+
1637+
1638
1639 /*
1640 * Fold a partial checksum without adding pseudo headers
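Review bot: The new inline `csum_partial_copy_from_user()` has no comment explaining that it exists to bracket the renamed `__csum_partial_copy_from_user()` with `pax_open_userland()`/`pax_close_userland()`. A line such as `/* open the userland access window only for the duration of the checksummed copy */` would tell readers why the double-underscore variant is presumably not meant to be called directly. The hunk also adds two empty lines after the function, leaving three blank lines before the next comment.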
1641diff --git a/arch/arm/include/asm/cmpxchg.h b/arch/arm/include/asm/cmpxchg.h
1642index 1692a05..1835802 100644
1643--- a/arch/arm/include/asm/cmpxchg.h
1644+++ b/arch/arm/include/asm/cmpxchg.h
1645@@ -107,6 +107,10 @@ static inline unsigned long __xchg(unsigned long x, volatile void *ptr, int size
1646 (__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), \
1647 sizeof(*(ptr))); \
1648 })
1649+#define xchg_unchecked(ptr, x) ({ \
1650+ (__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), \
1651+ sizeof(*(ptr))); \
1652+})
1653
1654 #include <asm-generic/cmpxchg-local.h>
1655
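Review bot: `xchg_unchecked()` is defined with exactly the expansion shown in the context lines just above it, so the two macros have to be kept in sync by hand. If the preceding macro is `xchg()` (its header is outside the hunk), `#define xchg_unchecked(ptr, x) xchg(ptr, x)` would express the intent in one line. If the duplication is deliberate, a comment saying why would help.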
1656diff --git a/arch/arm/include/asm/cpuidle.h b/arch/arm/include/asm/cpuidle.h
1657index 0f84249..8e83c55 100644
1658--- a/arch/arm/include/asm/cpuidle.h
1659+++ b/arch/arm/include/asm/cpuidle.h
1660@@ -32,7 +32,7 @@ struct device_node;
1661 struct cpuidle_ops {
1662 int (*suspend)(int cpu, unsigned long arg);
1663 int (*init)(struct device_node *, int cpu);
1664-};
1665+} __no_const;
1666
1667 struct of_cpuidle_method {
1668 const char *method;
1669diff --git a/arch/arm/include/asm/domain.h b/arch/arm/include/asm/domain.h
1670index 6ddbe44..b5e38b1a 100644
1671--- a/arch/arm/include/asm/domain.h
1672+++ b/arch/arm/include/asm/domain.h
1673@@ -48,18 +48,37 @@
1674 * Domain types
1675 */
1676 #define DOMAIN_NOACCESS 0
1677-#define DOMAIN_CLIENT 1
1678 #ifdef CONFIG_CPU_USE_DOMAINS
1679+#define DOMAIN_USERCLIENT 1
1680+#define DOMAIN_KERNELCLIENT 1
1681 #define DOMAIN_MANAGER 3
1682+#define DOMAIN_VECTORS DOMAIN_USER
1683 #else
1684+
1685+#ifdef CONFIG_PAX_KERNEXEC
1686 #define DOMAIN_MANAGER 1
1687+#define DOMAIN_KERNEXEC 3
1688+#else
1689+#define DOMAIN_MANAGER 1
1690+#endif
1691+
1692+#ifdef CONFIG_PAX_MEMORY_UDEREF
1693+#define DOMAIN_USERCLIENT 0
1694+#define DOMAIN_UDEREF 1
1695+#define DOMAIN_VECTORS DOMAIN_KERNEL
1696+#else
1697+#define DOMAIN_USERCLIENT 1
1698+#define DOMAIN_VECTORS DOMAIN_USER
1699+#endif
1700+#define DOMAIN_KERNELCLIENT 1
1701+
1702 #endif
1703
1704 #define domain_val(dom,type) ((type) << (2*(dom)))
1705
1706 #ifndef __ASSEMBLY__
1707
1708-#ifdef CONFIG_CPU_USE_DOMAINS
1709+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1710 static inline void set_domain(unsigned val)
1711 {
1712 asm volatile(
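Review bot: Both arms of the new `#ifdef CONFIG_PAX_KERNEXEC` define `DOMAIN_MANAGER` as 1, so the conditional only matters for `DOMAIN_KERNEXEC`. Defining `#define DOMAIN_MANAGER 1` once and wrapping only `#define DOMAIN_KERNEXEC 3` in the `#ifdef` would say the same thing without two copies that can drift. A short comment would also help: in this branch `DOMAIN_MANAGER` has the same value as the client types, while `DOMAIN_KERNEXEC` takes the value 3 that `DOMAIN_MANAGER` has under CONFIG_CPU_USE_DOMAINS, which is easy to misread. `DOMAIN_CLIENT` is removed here, so any user of it outside this hunk needs converting to `DOMAIN_USERCLIENT` or `DOMAIN_KERNELCLIENT`.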
1713@@ -68,15 +87,7 @@ static inline void set_domain(unsigned val)
1714 isb();
1715 }
1716
1717-#define modify_domain(dom,type) \
1718- do { \
1719- struct thread_info *thread = current_thread_info(); \
1720- unsigned int domain = thread->cpu_domain; \
1721- domain &= ~domain_val(dom, DOMAIN_MANAGER); \
1722- thread->cpu_domain = domain | domain_val(dom, type); \
1723- set_domain(thread->cpu_domain); \
1724- } while (0)
1725-
1726+extern void modify_domain(unsigned int dom, unsigned int type);
1727 #else
1728 static inline void set_domain(unsigned val) { }
1729 static inline void modify_domain(unsigned dom, unsigned type) { }
1730diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
1731index d2315ff..f60b47b 100644
1732--- a/arch/arm/include/asm/elf.h
1733+++ b/arch/arm/include/asm/elf.h
1734@@ -117,7 +117,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
1735 the loader. We need to make sure that it is out of the way of the program
1736 that it will "exec", and that there is sufficient room for the brk. */
1737
1738-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1739+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1740+
1741+#ifdef CONFIG_PAX_ASLR
1742+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
1743+
1744+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
1745+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
1746+#endif
1747
1748 /* When the program starts, a1 contains a pointer to a function to be
1749 registered with atexit, as per the SVR4 ABI. A value of 0 means we
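Review bot: `PAX_ELF_ET_DYN_BASE`, `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are added without any comment on their units or on why the value depends on `current->personality`. Presumably the LEN values are counts of randomized bits (16 for `PER_LINUX_32BIT`, 10 otherwise); that should be confirmed and stated, for example `/* randomization width in bits; smaller when the personality is not PER_LINUX_32BIT */`. Both LEN macros dereference `current` on every use, which is worth a word for anyone using them outside the exec path.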
1750diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h
1751index de53547..52b9a28 100644
1752--- a/arch/arm/include/asm/fncpy.h
1753+++ b/arch/arm/include/asm/fncpy.h
1754@@ -81,7 +81,9 @@
1755 BUG_ON((uintptr_t)(dest_buf) & (FNCPY_ALIGN - 1) || \
1756 (__funcp_address & ~(uintptr_t)1 & (FNCPY_ALIGN - 1))); \
1757 \
1758+ pax_open_kernel(); \
1759 memcpy(dest_buf, (void const *)(__funcp_address & ~1), size); \
1760+ pax_close_kernel(); \
1761 flush_icache_range((unsigned long)(dest_buf), \
1762 (unsigned long)(dest_buf) + (size)); \
1763 \
1764diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
1765index 5eed828..365e018 100644
1766--- a/arch/arm/include/asm/futex.h
1767+++ b/arch/arm/include/asm/futex.h
1768@@ -46,6 +46,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1769 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
1770 return -EFAULT;
1771
1772+ pax_open_userland();
1773+
1774 smp_mb();
1775 /* Prefetching cannot fault */
1776 prefetchw(uaddr);
1777@@ -63,6 +65,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1778 : "cc", "memory");
1779 smp_mb();
1780
1781+ pax_close_userland();
1782+
1783 *uval = val;
1784 return ret;
1785 }
1786@@ -94,6 +98,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1787 return -EFAULT;
1788
1789 preempt_disable();
1790+ pax_open_userland();
1791+
1792 __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
1793 "1: " TUSER(ldr) " %1, [%4]\n"
1794 " teq %1, %2\n"
1795@@ -104,6 +110,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1796 : "r" (oldval), "r" (newval), "r" (uaddr), "Ir" (-EFAULT)
1797 : "cc", "memory");
1798
1799+ pax_close_userland();
1800+
1801 *uval = val;
1802 preempt_enable();
1803
1804@@ -131,6 +139,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
1805 preempt_disable();
1806 #endif
1807 pagefault_disable();
1808+ pax_open_userland();
1809
1810 switch (op) {
1811 case FUTEX_OP_SET:
1812@@ -152,6 +161,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
1813 ret = -ENOSYS;
1814 }
1815
1816+ pax_close_userland();
1817 pagefault_enable();
1818 #ifndef CONFIG_SMP
1819 preempt_enable();
1820diff --git a/arch/arm/include/asm/kmap_types.h b/arch/arm/include/asm/kmap_types.h
1821index 83eb2f7..ed77159 100644
1822--- a/arch/arm/include/asm/kmap_types.h
1823+++ b/arch/arm/include/asm/kmap_types.h
1824@@ -4,6 +4,6 @@
1825 /*
1826 * This is the "bare minimum". AIO seems to require this.
1827 */
1828-#define KM_TYPE_NR 16
1829+#define KM_TYPE_NR 17
1830
1831 #endif
1832diff --git a/arch/arm/include/asm/mach/dma.h b/arch/arm/include/asm/mach/dma.h
1833index 9e614a1..3302cca 100644
1834--- a/arch/arm/include/asm/mach/dma.h
1835+++ b/arch/arm/include/asm/mach/dma.h
1836@@ -22,7 +22,7 @@ struct dma_ops {
1837 int (*residue)(unsigned int, dma_t *); /* optional */
1838 int (*setspeed)(unsigned int, dma_t *, int); /* optional */
1839 const char *type;
1840-};
1841+} __do_const;
1842
1843 struct dma_struct {
1844 void *addr; /* single DMA address */
1845diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h
1846index f98c7f3..e5c626d 100644
1847--- a/arch/arm/include/asm/mach/map.h
1848+++ b/arch/arm/include/asm/mach/map.h
1849@@ -23,17 +23,19 @@ struct map_desc {
1850
1851 /* types 0-3 are defined in asm/io.h */
1852 enum {
1853- MT_UNCACHED = 4,
1854- MT_CACHECLEAN,
1855- MT_MINICLEAN,
1856+ MT_UNCACHED_RW = 4,
1857+ MT_CACHECLEAN_RO,
1858+ MT_MINICLEAN_RO,
1859 MT_LOW_VECTORS,
1860 MT_HIGH_VECTORS,
1861- MT_MEMORY_RWX,
1862+ __MT_MEMORY_RWX,
1863 MT_MEMORY_RW,
1864- MT_ROM,
1865- MT_MEMORY_RWX_NONCACHED,
1866+ MT_MEMORY_RX,
1867+ MT_ROM_RX,
1868+ MT_MEMORY_RW_NONCACHED,
1869+ MT_MEMORY_RX_NONCACHED,
1870 MT_MEMORY_RW_DTCM,
1871- MT_MEMORY_RWX_ITCM,
1872+ MT_MEMORY_RX_ITCM,
1873 MT_MEMORY_RW_SO,
1874 MT_MEMORY_DMA_READY,
1875 };
1876diff --git a/arch/arm/include/asm/outercache.h b/arch/arm/include/asm/outercache.h
1877index 563b92f..689d58e 100644
1878--- a/arch/arm/include/asm/outercache.h
1879+++ b/arch/arm/include/asm/outercache.h
1880@@ -39,7 +39,7 @@ struct outer_cache_fns {
1881 /* This is an ARM L2C thing */
1882 void (*write_sec)(unsigned long, unsigned);
1883 void (*configure)(const struct l2x0_regs *);
1884-};
1885+} __no_const;
1886
1887 extern struct outer_cache_fns outer_cache;
1888
1889diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h
1890index 4355f0e..cd9168e 100644
1891--- a/arch/arm/include/asm/page.h
1892+++ b/arch/arm/include/asm/page.h
1893@@ -23,6 +23,7 @@
1894
1895 #else
1896
1897+#include <linux/compiler.h>
1898 #include <asm/glue.h>
1899
1900 /*
1901@@ -114,7 +115,7 @@ struct cpu_user_fns {
1902 void (*cpu_clear_user_highpage)(struct page *page, unsigned long vaddr);
1903 void (*cpu_copy_user_highpage)(struct page *to, struct page *from,
1904 unsigned long vaddr, struct vm_area_struct *vma);
1905-};
1906+} __no_const;
1907
1908 #ifdef MULTI_USER
1909 extern struct cpu_user_fns cpu_user;
1910diff --git a/arch/arm/include/asm/pgalloc.h b/arch/arm/include/asm/pgalloc.h
1911index 19cfab5..3f5c7e9 100644
1912--- a/arch/arm/include/asm/pgalloc.h
1913+++ b/arch/arm/include/asm/pgalloc.h
1914@@ -17,6 +17,7 @@
1915 #include <asm/processor.h>
1916 #include <asm/cacheflush.h>
1917 #include <asm/tlbflush.h>
1918+#include <asm/system_info.h>
1919
1920 #define check_pgt_cache() do { } while (0)
1921
1922@@ -43,6 +44,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1923 set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
1924 }
1925
1926+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1927+{
1928+ pud_populate(mm, pud, pmd);
1929+}
1930+
1931 #else /* !CONFIG_ARM_LPAE */
1932
1933 /*
1934@@ -51,6 +57,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1935 #define pmd_alloc_one(mm,addr) ({ BUG(); ((pmd_t *)2); })
1936 #define pmd_free(mm, pmd) do { } while (0)
1937 #define pud_populate(mm,pmd,pte) BUG()
1938+#define pud_populate_kernel(mm,pmd,pte) BUG()
1939
1940 #endif /* CONFIG_ARM_LPAE */
1941
1942@@ -128,6 +135,19 @@ static inline void pte_free(struct mm_struct *mm, pgtable_t pte)
1943 __free_page(pte);
1944 }
1945
1946+static inline void __section_update(pmd_t *pmdp, unsigned long addr, pmdval_t prot)
1947+{
1948+#ifdef CONFIG_ARM_LPAE
1949+ pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
1950+#else
1951+ if (addr & SECTION_SIZE)
1952+ pmdp[1] = __pmd(pmd_val(pmdp[1]) | prot);
1953+ else
1954+ pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
1955+#endif
1956+ flush_pmd_entry(pmdp);
1957+}
1958+
1959 static inline void __pmd_populate(pmd_t *pmdp, phys_addr_t pte,
1960 pmdval_t prot)
1961 {
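Review bot: `__section_update()` only ORs `prot` into the existing entry, so it can set bits but never clear them, and this limit is not documented. As far as I know `flush_pmd_entry()` cleans only the cache line of the entry and does no TLB maintenance, so a caller that expects the new attributes to take effect immediately would keep stale permissions. I would add a header comment stating that `prot` is OR-ed in, that on non-LPAE `addr & SECTION_SIZE` selects the second entry of the pair, and that the TLB flush is the caller's job. In the non-LPAE branch the write may go to `pmdp[1]` while `flush_pmd_entry(pmdp)` is passed the first entry; that presumably relies on both entries sharing a cache line and deserves a word in the comment too.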
1962diff --git a/arch/arm/include/asm/pgtable-2level-hwdef.h b/arch/arm/include/asm/pgtable-2level-hwdef.h
1963index 5e68278..1869bae 100644
1964--- a/arch/arm/include/asm/pgtable-2level-hwdef.h
1965+++ b/arch/arm/include/asm/pgtable-2level-hwdef.h
1966@@ -27,7 +27,7 @@
1967 /*
1968 * - section
1969 */
1970-#define PMD_SECT_PXN (_AT(pmdval_t, 1) << 0) /* v7 */
1971+#define PMD_SECT_PXN (_AT(pmdval_t, 1) << 0) /* v7 */
1972 #define PMD_SECT_BUFFERABLE (_AT(pmdval_t, 1) << 2)
1973 #define PMD_SECT_CACHEABLE (_AT(pmdval_t, 1) << 3)
1974 #define PMD_SECT_XN (_AT(pmdval_t, 1) << 4) /* v6 */
1975@@ -39,6 +39,7 @@
1976 #define PMD_SECT_nG (_AT(pmdval_t, 1) << 17) /* v6 */
1977 #define PMD_SECT_SUPER (_AT(pmdval_t, 1) << 18) /* v6 */
1978 #define PMD_SECT_AF (_AT(pmdval_t, 0))
1979+#define PMD_SECT_RDONLY (_AT(pmdval_t, 0))
1980
1981 #define PMD_SECT_UNCACHED (_AT(pmdval_t, 0))
1982 #define PMD_SECT_BUFFERED (PMD_SECT_BUFFERABLE)
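Review bot: `PMD_SECT_RDONLY` is defined as 0 in this two-level header, so code that ORs it into a section entry to make it read-only changes nothing on non-LPAE kernels, and the definition does not say so. The three-level header later in the patch maps the same name to `PMD_SECT_AP2`, so the two configurations behave differently under one name. I would put a comment on the line, e.g. `/* 0: OR-ing this in is a no-op on 2-level tables */`, so a reader does not assume sections are write-protected here. How callers compensate on two-level tables is not visible in this hunk.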
1983@@ -68,6 +69,7 @@
1984 * - extended small page/tiny page
1985 */
1986 #define PTE_EXT_XN (_AT(pteval_t, 1) << 0) /* v6 */
1987+#define PTE_EXT_PXN (_AT(pteval_t, 1) << 2) /* v7 */
1988 #define PTE_EXT_AP_MASK (_AT(pteval_t, 3) << 4)
1989 #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4)
1990 #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4)
1991diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
1992index aeddd28..207745c 100644
1993--- a/arch/arm/include/asm/pgtable-2level.h
1994+++ b/arch/arm/include/asm/pgtable-2level.h
1995@@ -127,6 +127,9 @@
1996 #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */
1997 #define L_PTE_NONE (_AT(pteval_t, 1) << 11)
1998
1999+/* Two-level page tables only have PXN in the PGD, not in the PTE. */
2000+#define L_PTE_PXN (_AT(pteval_t, 0))
2001+
2002 /*
2003 * These are the memory types, defined to be compatible with
2004 * pre-ARMv6 CPUs cacheable and bufferable bits: n/a,n/a,C,B
2005diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h
2006index a745a2a..481350a 100644
2007--- a/arch/arm/include/asm/pgtable-3level.h
2008+++ b/arch/arm/include/asm/pgtable-3level.h
2009@@ -80,6 +80,7 @@
2010 #define L_PTE_USER (_AT(pteval_t, 1) << 6) /* AP[1] */
2011 #define L_PTE_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */
2012 #define L_PTE_YOUNG (_AT(pteval_t, 1) << 10) /* AF */
2013+#define L_PTE_PXN (_AT(pteval_t, 1) << 53) /* PXN */
2014 #define L_PTE_XN (_AT(pteval_t, 1) << 54) /* XN */
2015 #define L_PTE_DIRTY (_AT(pteval_t, 1) << 55)
2016 #define L_PTE_SPECIAL (_AT(pteval_t, 1) << 56)
2017@@ -91,10 +92,12 @@
2018 #define L_PMD_SECT_SPLITTING (_AT(pmdval_t, 1) << 56)
2019 #define L_PMD_SECT_NONE (_AT(pmdval_t, 1) << 57)
2020 #define L_PMD_SECT_RDONLY (_AT(pteval_t, 1) << 58)
2021+#define PMD_SECT_RDONLY PMD_SECT_AP2
2022
2023 /*
2024 * To be used in assembly code with the upper page attributes.
2025 */
2026+#define L_PTE_PXN_HIGH (1 << (53 - 32))
2027 #define L_PTE_XN_HIGH (1 << (54 - 32))
2028 #define L_PTE_DIRTY_HIGH (1 << (55 - 32))
2029
2030diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
2031index f403541..b10df68 100644
2032--- a/arch/arm/include/asm/pgtable.h
2033+++ b/arch/arm/include/asm/pgtable.h
2034@@ -33,6 +33,9 @@
2035 #include <asm/pgtable-2level.h>
2036 #endif
2037
2038+#define ktla_ktva(addr) (addr)
2039+#define ktva_ktla(addr) (addr)
2040+
2041 /*
2042 * Just any arbitrary offset to the start of the vmalloc VM area: the
2043 * current 8MB value just means that there will be a 8MB "hole" after the
2044@@ -48,6 +51,9 @@
2045 #define LIBRARY_TEXT_START 0x0c000000
2046
2047 #ifndef __ASSEMBLY__
2048+extern pteval_t __supported_pte_mask;
2049+extern pmdval_t __supported_pmd_mask;
2050+
2051 extern void __pte_error(const char *file, int line, pte_t);
2052 extern void __pmd_error(const char *file, int line, pmd_t);
2053 extern void __pgd_error(const char *file, int line, pgd_t);
2054@@ -56,6 +62,48 @@ extern void __pgd_error(const char *file, int line, pgd_t);
2055 #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd)
2056 #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd)
2057
2058+#define __HAVE_ARCH_PAX_OPEN_KERNEL
2059+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
2060+
2061+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2062+#include <asm/domain.h>
2063+#include <linux/thread_info.h>
2064+#include <linux/preempt.h>
2065+
2066+static inline int test_domain(int domain, int domaintype)
2067+{
2068+ return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype);
2069+}
2070+#endif
2071+
2072+#ifdef CONFIG_PAX_KERNEXEC
2073+static inline unsigned long pax_open_kernel(void) {
2074+#ifdef CONFIG_ARM_LPAE
2075+ /* TODO */
2076+#else
2077+ preempt_disable();
2078+ BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC));
2079+ modify_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC);
2080+#endif
2081+ return 0;
2082+}
2083+
2084+static inline unsigned long pax_close_kernel(void) {
2085+#ifdef CONFIG_ARM_LPAE
2086+ /* TODO */
2087+#else
2088+ BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_MANAGER));
2089+ /* DOMAIN_MANAGER = "client" under KERNEXEC */
2090+ modify_domain(DOMAIN_KERNEL, DOMAIN_MANAGER);
2091+ preempt_enable_no_resched();
2092+#endif
2093+ return 0;
2094+}
2095+#else
2096+static inline unsigned long pax_open_kernel(void) { return 0; }
2097+static inline unsigned long pax_close_kernel(void) { return 0; }
2098+#endif
2099+
2100 /*
2101 * This is the lowest virtual address we can permit any user space
2102 * mapping to be mapped at. This is particularly important for
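Review bot: With `CONFIG_PAX_KERNEXEC` and `CONFIG_ARM_LPAE` both set, `pax_open_kernel()` and `pax_close_kernel()` reduce to `/* TODO */` and `return 0`, so callers get neither the domain switch nor the `preempt_disable()` that the non-LPAE branch provides. Unless Kconfig (not visible here) forbids that combination, writes that rely on the open/close pair either fault or are not protected at all. I would make the gap explicit, either with `#error "PAX_KERNEXEC: pax_open_kernel() is not implemented for ARM_LPAE"` in the LPAE branch or with a comment naming the Kconfig dependency that excludes it. The non-LPAE pair is also non-nestable because of its `BUG_ON(test_domain(...))` checks, which deserves a line in a header comment.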
2103@@ -75,8 +123,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
2104 /*
2105 * The pgprot_* and protection_map entries will be fixed up in runtime
2106 * to include the cachable and bufferable bits based on memory policy,
2107- * as well as any architecture dependent bits like global/ASID and SMP
2108- * shared mapping bits.
2109+ * as well as any architecture dependent bits like global/ASID, PXN,
2110+ * and SMP shared mapping bits.
2111 */
2112 #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
2113
2114@@ -307,7 +355,7 @@ static inline pte_t pte_mknexec(pte_t pte)
2115 static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
2116 {
2117 const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
2118- L_PTE_NONE | L_PTE_VALID;
2119+ L_PTE_NONE | L_PTE_VALID | __supported_pte_mask;
2120 pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
2121 return pte;
2122 }
2123diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h
2124index c25ef3e..735f14b 100644
2125--- a/arch/arm/include/asm/psci.h
2126+++ b/arch/arm/include/asm/psci.h
2127@@ -32,7 +32,7 @@ struct psci_operations {
2128 int (*affinity_info)(unsigned long target_affinity,
2129 unsigned long lowest_affinity_level);
2130 int (*migrate_info_type)(void);
2131-};
2132+} __no_const;
2133
2134 extern struct psci_operations psci_ops;
2135 extern struct smp_operations psci_smp_ops;
2136diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h
2137index 2f3ac1b..67182ae0 100644
2138--- a/arch/arm/include/asm/smp.h
2139+++ b/arch/arm/include/asm/smp.h
2140@@ -108,7 +108,7 @@ struct smp_operations {
2141 int (*cpu_disable)(unsigned int cpu);
2142 #endif
2143 #endif
2144-};
2145+} __no_const;
2146
2147 struct of_cpu_method {
2148 const char *method;
2149diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
2150index bd32ede..bd90a0b 100644
2151--- a/arch/arm/include/asm/thread_info.h
2152+++ b/arch/arm/include/asm/thread_info.h
2153@@ -74,9 +74,9 @@ struct thread_info {
2154 .flags = 0, \
2155 .preempt_count = INIT_PREEMPT_COUNT, \
2156 .addr_limit = KERNEL_DS, \
2157- .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
2158- domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
2159- domain_val(DOMAIN_IO, DOMAIN_CLIENT), \
2160+ .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \
2161+ domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT) | \
2162+ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT), \
2163 }
2164
2165 #define init_thread_info (init_thread_union.thread_info)
2166@@ -152,7 +152,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2167 #define TIF_SYSCALL_AUDIT 9
2168 #define TIF_SYSCALL_TRACEPOINT 10
2169 #define TIF_SECCOMP 11 /* seccomp syscall filtering active */
2170-#define TIF_NOHZ 12 /* in adaptive nohz mode */
2171+/* within 8 bits of TIF_SYSCALL_TRACE
2172+ * to meet flexible second operand requirements
2173+ */
2174+#define TIF_GRSEC_SETXID 12
2175+#define TIF_NOHZ 13 /* in adaptive nohz mode */
2176 #define TIF_USING_IWMMXT 17
2177 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
2178 #define TIF_RESTORE_SIGMASK 20
2179@@ -166,10 +170,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2180 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
2181 #define _TIF_SECCOMP (1 << TIF_SECCOMP)
2182 #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
2183+#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID)
2184
2185 /* Checks for any syscall work in entry-common.S */
2186 #define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
2187- _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
2188+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | _TIF_GRSEC_SETXID)
2189
2190 /*
2191 * Change these and you break ASM code in entry-common.S
2192diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h
2193index 5f833f7..76e6644 100644
2194--- a/arch/arm/include/asm/tls.h
2195+++ b/arch/arm/include/asm/tls.h
2196@@ -3,6 +3,7 @@
2197
2198 #include <linux/compiler.h>
2199 #include <asm/thread_info.h>
2200+#include <asm/pgtable.h>
2201
2202 #ifdef __ASSEMBLY__
2203 #include <asm/asm-offsets.h>
2204@@ -89,7 +90,9 @@ static inline void set_tls(unsigned long val)
2205 * at 0xffff0fe0 must be used instead. (see
2206 * entry-armv.S for details)
2207 */
2208+ pax_open_kernel();
2209 *((unsigned int *)0xffff0ff0) = val;
2210+ pax_close_kernel();
2211 #endif
2212 }
2213
2214diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
2215index 74b17d0..7e6da4b 100644
2216--- a/arch/arm/include/asm/uaccess.h
2217+++ b/arch/arm/include/asm/uaccess.h
2218@@ -18,6 +18,7 @@
2219 #include <asm/domain.h>
2220 #include <asm/unified.h>
2221 #include <asm/compiler.h>
2222+#include <asm/pgtable.h>
2223
2224 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2225 #include <asm-generic/uaccess-unaligned.h>
2226@@ -70,11 +71,38 @@ extern int __put_user_bad(void);
2227 static inline void set_fs(mm_segment_t fs)
2228 {
2229 current_thread_info()->addr_limit = fs;
2230- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
2231+ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
2232 }
2233
2234 #define segment_eq(a, b) ((a) == (b))
2235
2236+#define __HAVE_ARCH_PAX_OPEN_USERLAND
2237+#define __HAVE_ARCH_PAX_CLOSE_USERLAND
2238+
2239+static inline void pax_open_userland(void)
2240+{
2241+
2242+#ifdef CONFIG_PAX_MEMORY_UDEREF
2243+ if (segment_eq(get_fs(), USER_DS)) {
2244+ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF));
2245+ modify_domain(DOMAIN_USER, DOMAIN_UDEREF);
2246+ }
2247+#endif
2248+
2249+}
2250+
2251+static inline void pax_close_userland(void)
2252+{
2253+
2254+#ifdef CONFIG_PAX_MEMORY_UDEREF
2255+ if (segment_eq(get_fs(), USER_DS)) {
2256+ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS));
2257+ modify_domain(DOMAIN_USER, DOMAIN_NOACCESS);
2258+ }
2259+#endif
2260+
2261+}
2262+
2263 #define __addr_ok(addr) ({ \
2264 unsigned long flag; \
2265 __asm__("cmp %2, %0; movlo %0, #0" \
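Review bot: `pax_open_userland()` and `pax_close_userland()` carry no comment describing their contract, and the contract is strict. Each is a no-op unless `get_fs()` equals `USER_DS`, and each hits `BUG_ON` if the user domain is already in the state it is about to set. So the pair cannot be nested, and a `set_fs()` between the two calls would leave the domain state unbalanced. I would add a short header comment on both saying they must be strictly paired, must not be nested, and that `get_fs()` must not change in between.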
2266@@ -198,8 +226,12 @@ extern int __get_user_64t_4(void *);
2267
2268 #define get_user(x, p) \
2269 ({ \
2270+ int __e; \
2271 might_fault(); \
2272- __get_user_check(x, p); \
2273+ pax_open_userland(); \
2274+ __e = __get_user_check((x), (p)); \
2275+ pax_close_userland(); \
2276+ __e; \
2277 })
2278
2279 extern int __put_user_1(void *, unsigned int);
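Review bot: In the new `get_user()` body the caller's `x` and `p` expressions are expanded between `pax_open_userland()` and `pax_close_userland()`, so any side effects or nested user accesses in the arguments run with the user domain open. If an argument itself expands to a `get_user()`, the inner `pax_open_userland()` would hit its `BUG_ON` under `CONFIG_PAX_MEMORY_UDEREF`. The same shape is used for `put_user()`, `__get_user()`, `__get_user_error()`, `__put_user()` and `__put_user_error()` in the later hunks. I would at least document on each macro that the arguments must be free of user accesses; evaluating `p` into a local before the open call would narrow the window, though whether that fits the `typeof` use inside `__get_user_check()` needs checking.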
2280@@ -244,8 +276,12 @@ extern int __put_user_8(void *, unsigned long long);
2281
2282 #define put_user(x, p) \
2283 ({ \
2284+ int __e; \
2285 might_fault(); \
2286- __put_user_check(x, p); \
2287+ pax_open_userland(); \
2288+ __e = __put_user_check((x), (p)); \
2289+ pax_close_userland(); \
2290+ __e; \
2291 })
2292
2293 #else /* CONFIG_MMU */
2294@@ -269,6 +305,7 @@ static inline void set_fs(mm_segment_t fs)
2295
2296 #endif /* CONFIG_MMU */
2297
2298+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
2299 #define access_ok(type, addr, size) (__range_ok(addr, size) == 0)
2300
2301 #define user_addr_max() \
2302@@ -286,13 +323,17 @@ static inline void set_fs(mm_segment_t fs)
2303 #define __get_user(x, ptr) \
2304 ({ \
2305 long __gu_err = 0; \
2306+ pax_open_userland(); \
2307 __get_user_err((x), (ptr), __gu_err); \
2308+ pax_close_userland(); \
2309 __gu_err; \
2310 })
2311
2312 #define __get_user_error(x, ptr, err) \
2313 ({ \
2314+ pax_open_userland(); \
2315 __get_user_err((x), (ptr), err); \
2316+ pax_close_userland(); \
2317 (void) 0; \
2318 })
2319
2320@@ -368,13 +409,17 @@ do { \
2321 #define __put_user(x, ptr) \
2322 ({ \
2323 long __pu_err = 0; \
2324+ pax_open_userland(); \
2325 __put_user_err((x), (ptr), __pu_err); \
2326+ pax_close_userland(); \
2327 __pu_err; \
2328 })
2329
2330 #define __put_user_error(x, ptr, err) \
2331 ({ \
2332+ pax_open_userland(); \
2333 __put_user_err((x), (ptr), err); \
2334+ pax_close_userland(); \
2335 (void) 0; \
2336 })
2337
2338@@ -474,11 +519,44 @@ do { \
2339
2340
2341 #ifdef CONFIG_MMU
2342-extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
2343-extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
2344-extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
2345-extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
2346-extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
2347+extern unsigned long __must_check __size_overflow(3) ___copy_from_user(void *to, const void __user *from, unsigned long n);
2348+extern unsigned long __must_check __size_overflow(3) ___copy_to_user(void __user *to, const void *from, unsigned long n);
2349+
2350+static inline unsigned long __must_check __size_overflow(3) __copy_from_user(void *to, const void __user *from, unsigned long n)
2351+{
2352+ unsigned long ret;
2353+
2354+ check_object_size(to, n, false);
2355+ pax_open_userland();
2356+ ret = ___copy_from_user(to, from, n);
2357+ pax_close_userland();
2358+ return ret;
2359+}
2360+
2361+static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
2362+{
2363+ unsigned long ret;
2364+
2365+ check_object_size(from, n, true);
2366+ pax_open_userland();
2367+ ret = ___copy_to_user(to, from, n);
2368+ pax_close_userland();
2369+ return ret;
2370+}
2371+
2372+extern unsigned long __must_check __size_overflow(3) __copy_to_user_std(void __user *to, const void *from, unsigned long n);
2373+extern unsigned long __must_check __size_overflow(2) ___clear_user(void __user *addr, unsigned long n);
2374+extern unsigned long __must_check __size_overflow(2) __clear_user_std(void __user *addr, unsigned long n);
2375+
2376+static inline unsigned long __must_check __clear_user(void __user *addr, unsigned long n)
2377+{
2378+ unsigned long ret;
2379+ pax_open_userland();
2380+ ret = ___clear_user(addr, n);
2381+ pax_close_userland();
2382+ return ret;
2383+}
2384+
2385 #else
2386 #define __copy_from_user(to, from, n) (memcpy(to, (void __force *)from, n), 0)
2387 #define __copy_to_user(to, from, n) (memcpy((void __force *)to, from, n), 0)
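Review bot: The new inline `__copy_to_user()` and `__clear_user()` wrappers omit the `__size_overflow(...)` annotation that the inline `__copy_from_user()` and the `extern` declarations of `___copy_to_user()` and `___clear_user()` in the same hunk carry. If that is deliberate it should be stated in a comment. If not, the wrappers should match: `static inline unsigned long __must_check __size_overflow(3) __copy_to_user(...)` and `static inline unsigned long __must_check __size_overflow(2) __clear_user(...)`. A one-line comment above the copy wrappers noting that `check_object_size()` runs before the user window is opened would also help.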
2388@@ -487,6 +565,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l
2389
2390 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2391 {
2392+ if ((long)n < 0)
2393+ return n;
2394+
2395 if (access_ok(VERIFY_READ, from, n))
2396 n = __copy_from_user(to, from, n);
2397 else /* security hole - plug it */
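Review bot: The added `if ((long)n < 0) return n;` returns before anything is written to `to`, so on this path the destination keeps whatever it held, unlike the `access_ok()` failure branch below, whose comment says it plugs that hole. A caller that does not act on the return value would go on to use uninitialised kernel memory. I would add a comment saying why the buffer is left alone here and what is rejected, e.g. `/* length has the sign bit set: refuse, and do not touch 'to' */`. The same check is added to `copy_to_user()` in the next hunk, and the function body continues past the end of this one.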
2398@@ -496,6 +577,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
2399
2400 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2401 {
2402+ if ((long)n < 0)
2403+ return n;
2404+
2405 if (access_ok(VERIFY_WRITE, to, n))
2406 n = __copy_to_user(to, from, n);
2407 return n;
2408diff --git a/arch/arm/include/uapi/asm/ptrace.h b/arch/arm/include/uapi/asm/ptrace.h
2409index 5af0ed1..cea83883 100644
2410--- a/arch/arm/include/uapi/asm/ptrace.h
2411+++ b/arch/arm/include/uapi/asm/ptrace.h
2412@@ -92,7 +92,7 @@
2413 * ARMv7 groups of PSR bits
2414 */
2415 #define APSR_MASK 0xf80f0000 /* N, Z, C, V, Q and GE flags */
2416-#define PSR_ISET_MASK 0x01000010 /* ISA state (J, T) mask */
2417+#define PSR_ISET_MASK 0x01000020 /* ISA state (J, T) mask */
2418 #define PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */
2419 #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */
2420
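Review bot: The corrected `PSR_ISET_MASK` is still a bare hex constant, which makes a wrong bit easy to miss. I would write it as `#define PSR_ISET_MASK (PSR_J_BIT | PSR_T_BIT)` so the value cannot drift from the bit definitions. This assumes `PSR_J_BIT` and `PSR_T_BIT` are defined earlier in this header, which is not visible in the hunk. Because this is a uapi header, the changed value is visible to user space and is worth a line in the patch description.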
2421diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c
2422index 5e5a51a..b21eeef 100644
2423--- a/arch/arm/kernel/armksyms.c
2424+++ b/arch/arm/kernel/armksyms.c
2425@@ -58,7 +58,7 @@ EXPORT_SYMBOL(arm_delay_ops);
2426
2427 /* networking */
2428 EXPORT_SYMBOL(csum_partial);
2429-EXPORT_SYMBOL(csum_partial_copy_from_user);
2430+EXPORT_SYMBOL(__csum_partial_copy_from_user);
2431 EXPORT_SYMBOL(csum_partial_copy_nocheck);
2432 EXPORT_SYMBOL(__csum_ipv6_magic);
2433
2434@@ -97,9 +97,9 @@ EXPORT_SYMBOL(mmiocpy);
2435 #ifdef CONFIG_MMU
2436 EXPORT_SYMBOL(copy_page);
2437
2438-EXPORT_SYMBOL(__copy_from_user);
2439-EXPORT_SYMBOL(__copy_to_user);
2440-EXPORT_SYMBOL(__clear_user);
2441+EXPORT_SYMBOL(___copy_from_user);
2442+EXPORT_SYMBOL(___copy_to_user);
2443+EXPORT_SYMBOL(___clear_user);
2444
2445 EXPORT_SYMBOL(__get_user_1);
2446 EXPORT_SYMBOL(__get_user_2);
2447diff --git a/arch/arm/kernel/cpuidle.c b/arch/arm/kernel/cpuidle.c
2448index 318da33..373689f 100644
2449--- a/arch/arm/kernel/cpuidle.c
2450+++ b/arch/arm/kernel/cpuidle.c
2451@@ -19,7 +19,7 @@ extern struct of_cpuidle_method __cpuidle_method_of_table[];
2452 static const struct of_cpuidle_method __cpuidle_method_of_table_sentinel
2453 __used __section(__cpuidle_method_of_table_end);
2454
2455-static struct cpuidle_ops cpuidle_ops[NR_CPUS];
2456+static struct cpuidle_ops cpuidle_ops[NR_CPUS] __read_only;
2457
2458 /**
2459 * arm_cpuidle_simple_enter() - a wrapper to cpu_do_idle()
2460diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
2461index cb4fb1e..dc7fcaf 100644
2462--- a/arch/arm/kernel/entry-armv.S
2463+++ b/arch/arm/kernel/entry-armv.S
2464@@ -50,6 +50,87 @@
2465 9997:
2466 .endm
2467
2468+ .macro pax_enter_kernel
2469+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2470+ @ make aligned space for saved DACR
2471+ sub sp, sp, #8
2472+ @ save regs
2473+ stmdb sp!, {r1, r2}
2474+ @ read DACR from cpu_domain into r1
2475+ mov r2, sp
2476+ @ assume 8K pages, since we have to split the immediate in two
2477+ bic r2, r2, #(0x1fc0)
2478+ bic r2, r2, #(0x3f)
2479+ ldr r1, [r2, #TI_CPU_DOMAIN]
2480+ @ store old DACR on stack
2481+ str r1, [sp, #8]
2482+#ifdef CONFIG_PAX_KERNEXEC
2483+ @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2484+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2485+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2486+#endif
2487+#ifdef CONFIG_PAX_MEMORY_UDEREF
2488+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2489+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2490+#endif
2491+ @ write r1 to current_thread_info()->cpu_domain
2492+ str r1, [r2, #TI_CPU_DOMAIN]
2493+ @ write r1 to DACR
2494+ mcr p15, 0, r1, c3, c0, 0
2495+ @ instruction sync
2496+ instr_sync
2497+ @ restore regs
2498+ ldmia sp!, {r1, r2}
2499+#endif
2500+ .endm
2501+
2502+ .macro pax_open_userland
2503+#ifdef CONFIG_PAX_MEMORY_UDEREF
2504+ @ save regs
2505+ stmdb sp!, {r0, r1}
2506+ @ read DACR from cpu_domain into r1
2507+ mov r0, sp
2508+ @ assume 8K pages, since we have to split the immediate in two
2509+ bic r0, r0, #(0x1fc0)
2510+ bic r0, r0, #(0x3f)
2511+ ldr r1, [r0, #TI_CPU_DOMAIN]
2512+ @ set current DOMAIN_USER to DOMAIN_CLIENT
2513+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2514+ orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
2515+ @ write r1 to current_thread_info()->cpu_domain
2516+ str r1, [r0, #TI_CPU_DOMAIN]
2517+ @ write r1 to DACR
2518+ mcr p15, 0, r1, c3, c0, 0
2519+ @ instruction sync
2520+ instr_sync
2521+ @ restore regs
2522+ ldmia sp!, {r0, r1}
2523+#endif
2524+ .endm
2525+
2526+ .macro pax_close_userland
2527+#ifdef CONFIG_PAX_MEMORY_UDEREF
2528+ @ save regs
2529+ stmdb sp!, {r0, r1}
2530+ @ read DACR from cpu_domain into r1
2531+ mov r0, sp
2532+ @ assume 8K pages, since we have to split the immediate in two
2533+ bic r0, r0, #(0x1fc0)
2534+ bic r0, r0, #(0x3f)
2535+ ldr r1, [r0, #TI_CPU_DOMAIN]
2536+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2537+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2538+ @ write r1 to current_thread_info()->cpu_domain
2539+ str r1, [r0, #TI_CPU_DOMAIN]
2540+ @ write r1 to DACR
2541+ mcr p15, 0, r1, c3, c0, 0
2542+ @ instruction sync
2543+ instr_sync
2544+ @ restore regs
2545+ ldmia sp!, {r0, r1}
2546+#endif
2547+ .endm
2548+
2549 .macro pabt_helper
2550 @ PABORT handler takes pt_regs in r2, fault address in r4 and psr in r5
2551 #ifdef MULTI_PABORT
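Review bot: `pax_enter_kernel`, `pax_open_userland` and `pax_close_userland` each locate `thread_info` by clearing the low 13 bits of `sp` with the literals `#(0x1fc0)` and `#(0x3f)`, which hard-codes an 8 KiB kernel stack; the comment says "8K pages", but what matters is the thread size. If the stack size ever differs, the macros would read and write `TI_CPU_DOMAIN` at the wrong address. I would derive the masks from the constant, `bic r2, r2, #((THREAD_SIZE - 1) & ~0x3f)` followed by `bic r2, r2, #0x3f`, and correct the comment. The same literal pair appears in `arch_ret_to_user` in entry-common.S and in `pax_enter_kernel_user` and `pax_exit_kernel` in entry-header.S. Separately, the comment in `pax_open_userland` says `DOMAIN_CLIENT` while the code sets `DOMAIN_UDEREF`.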
2552@@ -92,11 +173,15 @@
2553 * Invalid mode handlers
2554 */
2555 .macro inv_entry, reason
2556+
2557+ pax_enter_kernel
2558+
2559 sub sp, sp, #S_FRAME_SIZE
2560 ARM( stmib sp, {r1 - lr} )
2561 THUMB( stmia sp, {r0 - r12} )
2562 THUMB( str sp, [sp, #S_SP] )
2563 THUMB( str lr, [sp, #S_LR] )
2564+
2565 mov r1, #\reason
2566 .endm
2567
2568@@ -152,7 +237,11 @@ ENDPROC(__und_invalid)
2569 .macro svc_entry, stack_hole=0, trace=1
2570 UNWIND(.fnstart )
2571 UNWIND(.save {r0 - pc} )
2572+
2573+ pax_enter_kernel
2574+
2575 sub sp, sp, #(S_FRAME_SIZE + \stack_hole - 4)
2576+
2577 #ifdef CONFIG_THUMB2_KERNEL
2578 SPFIX( str r0, [sp] ) @ temporarily saved
2579 SPFIX( mov r0, sp )
2580@@ -167,7 +256,12 @@ ENDPROC(__und_invalid)
2581 ldmia r0, {r3 - r5}
2582 add r7, sp, #S_SP - 4 @ here for interlock avoidance
2583 mov r6, #-1 @ "" "" "" ""
2584+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2585+ @ offset sp by 8 as done in pax_enter_kernel
2586+ add r2, sp, #(S_FRAME_SIZE + \stack_hole + 4)
2587+#else
2588 add r2, sp, #(S_FRAME_SIZE + \stack_hole - 4)
2589+#endif
2590 SPFIX( addeq r2, r2, #4 )
2591 str r3, [sp, #-4]! @ save the "real" r0 copied
2592 @ from the exception stack
2593@@ -371,6 +465,9 @@ ENDPROC(__fiq_abt)
2594 .macro usr_entry, trace=1
2595 UNWIND(.fnstart )
2596 UNWIND(.cantunwind ) @ don't unwind the user space
2597+
2598+ pax_enter_kernel_user
2599+
2600 sub sp, sp, #S_FRAME_SIZE
2601 ARM( stmib sp, {r1 - r12} )
2602 THUMB( stmia sp, {r0 - r12} )
2603@@ -481,7 +578,9 @@ __und_usr:
2604 tst r3, #PSR_T_BIT @ Thumb mode?
2605 bne __und_usr_thumb
2606 sub r4, r2, #4 @ ARM instr at LR - 4
2607+ pax_open_userland
2608 1: ldrt r0, [r4]
2609+ pax_close_userland
2610 ARM_BE8(rev r0, r0) @ little endian instruction
2611
2612 @ r0 = 32-bit ARM instruction which caused the exception
2613@@ -515,11 +614,15 @@ __und_usr_thumb:
2614 */
2615 .arch armv6t2
2616 #endif
2617+ pax_open_userland
2618 2: ldrht r5, [r4]
2619+ pax_close_userland
2620 ARM_BE8(rev16 r5, r5) @ little endian instruction
2621 cmp r5, #0xe800 @ 32bit instruction if xx != 0
2622 blo __und_usr_fault_16 @ 16bit undefined instruction
2623+ pax_open_userland
2624 3: ldrht r0, [r2]
2625+ pax_close_userland
2626 ARM_BE8(rev16 r0, r0) @ little endian instruction
2627 add r2, r2, #2 @ r2 is PC + 2, make it PC + 4
2628 str r2, [sp, #S_PC] @ it's a 2x16bit instr, update
2629@@ -549,7 +652,8 @@ ENDPROC(__und_usr)
2630 */
2631 .pushsection .text.fixup, "ax"
2632 .align 2
2633-4: str r4, [sp, #S_PC] @ retry current instruction
2634+4: pax_close_userland
2635+ str r4, [sp, #S_PC] @ retry current instruction
2636 ret r9
2637 .popsection
2638 .pushsection __ex_table,"a"
2639@@ -769,7 +873,7 @@ ENTRY(__switch_to)
2640 THUMB( str lr, [ip], #4 )
2641 ldr r4, [r2, #TI_TP_VALUE]
2642 ldr r5, [r2, #TI_TP_VALUE + 4]
2643-#ifdef CONFIG_CPU_USE_DOMAINS
2644+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2645 ldr r6, [r2, #TI_CPU_DOMAIN]
2646 #endif
2647 switch_tls r1, r4, r5, r3, r7
2648@@ -778,7 +882,7 @@ ENTRY(__switch_to)
2649 ldr r8, =__stack_chk_guard
2650 ldr r7, [r7, #TSK_STACK_CANARY]
2651 #endif
2652-#ifdef CONFIG_CPU_USE_DOMAINS
2653+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2654 mcr p15, 0, r6, c3, c0, 0 @ Set domain register
2655 #endif
2656 mov r5, r0
2657diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
2658index b48dd4f..9f9a72f 100644
2659--- a/arch/arm/kernel/entry-common.S
2660+++ b/arch/arm/kernel/entry-common.S
2661@@ -11,18 +11,46 @@
2662 #include <asm/assembler.h>
2663 #include <asm/unistd.h>
2664 #include <asm/ftrace.h>
2665+#include <asm/domain.h>
2666 #include <asm/unwind.h>
2667
2668+#include "entry-header.S"
2669+
2670 #ifdef CONFIG_NEED_RET_TO_USER
2671 #include <mach/entry-macro.S>
2672 #else
2673 .macro arch_ret_to_user, tmp1, tmp2
2674+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2675+ @ save regs
2676+ stmdb sp!, {r1, r2}
2677+ @ read DACR from cpu_domain into r1
2678+ mov r2, sp
2679+ @ assume 8K pages, since we have to split the immediate in two
2680+ bic r2, r2, #(0x1fc0)
2681+ bic r2, r2, #(0x3f)
2682+ ldr r1, [r2, #TI_CPU_DOMAIN]
2683+#ifdef CONFIG_PAX_KERNEXEC
2684+ @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2685+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2686+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2687+#endif
2688+#ifdef CONFIG_PAX_MEMORY_UDEREF
2689+ @ set current DOMAIN_USER to DOMAIN_UDEREF
2690+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2691+ orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
2692+#endif
2693+ @ write r1 to current_thread_info()->cpu_domain
2694+ str r1, [r2, #TI_CPU_DOMAIN]
2695+ @ write r1 to DACR
2696+ mcr p15, 0, r1, c3, c0, 0
2697+ @ instruction sync
2698+ instr_sync
2699+ @ restore regs
2700+ ldmia sp!, {r1, r2}
2701+#endif
2702 .endm
2703 #endif
2704
2705-#include "entry-header.S"
2706-
2707-
2708 .align 5
2709 /*
2710 * This is the fast syscall return path. We do as little as
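Review bot: The DACR update is added only to the `#else` definition of `arch_ret_to_user`, so platforms that set `CONFIG_NEED_RET_TO_USER` and take the macro from mach/entry-macro.S do not set the user domain back to `DOMAIN_UDEREF` on the return path. Unless Kconfig (not visible here) excludes those platforms from `CONFIG_PAX_KERNEXEC` and `CONFIG_PAX_MEMORY_UDEREF`, the kernel would return to user space with the domain state left by `pax_enter_kernel_user`. I would move the sequence into its own macro that runs on the return path whichever `arch_ret_to_user` is in use, or add an `#error` for the unsupported combination. The macro also ignores its `tmp1` and `tmp2` parameters and spills `r1` and `r2` to the stack instead, which deserves a comment.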
2711@@ -174,6 +202,12 @@ ENTRY(vector_swi)
2712 USER( ldr scno, [lr, #-4] ) @ get SWI instruction
2713 #endif
2714
2715+ /*
2716+ * do this here to avoid a performance hit of wrapping the code above
2717+ * that directly dereferences userland to parse the SWI instruction
2718+ */
2719+ pax_enter_kernel_user
2720+
2721 adr tbl, sys_call_table @ load syscall table pointer
2722
2723 #if defined(CONFIG_OABI_COMPAT)
2724diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S
2725index 1a0045a..9b4f34d 100644
2726--- a/arch/arm/kernel/entry-header.S
2727+++ b/arch/arm/kernel/entry-header.S
2728@@ -196,6 +196,60 @@
2729 msr cpsr_c, \rtemp @ switch back to the SVC mode
2730 .endm
2731
2732+ .macro pax_enter_kernel_user
2733+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2734+ @ save regs
2735+ stmdb sp!, {r0, r1}
2736+ @ read DACR from cpu_domain into r1
2737+ mov r0, sp
2738+ @ assume 8K pages, since we have to split the immediate in two
2739+ bic r0, r0, #(0x1fc0)
2740+ bic r0, r0, #(0x3f)
2741+ ldr r1, [r0, #TI_CPU_DOMAIN]
2742+#ifdef CONFIG_PAX_MEMORY_UDEREF
2743+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2744+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2745+#endif
2746+#ifdef CONFIG_PAX_KERNEXEC
2747+ @ set current DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2748+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2749+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2750+#endif
2751+ @ write r1 to current_thread_info()->cpu_domain
2752+ str r1, [r0, #TI_CPU_DOMAIN]
2753+ @ write r1 to DACR
2754+ mcr p15, 0, r1, c3, c0, 0
2755+ @ instruction sync
2756+ instr_sync
2757+ @ restore regs
2758+ ldmia sp!, {r0, r1}
2759+#endif
2760+ .endm
2761+
2762+ .macro pax_exit_kernel
2763+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2764+ @ save regs
2765+ stmdb sp!, {r0, r1}
2766+ @ read old DACR from stack into r1
2767+ ldr r1, [sp, #(8 + S_SP)]
2768+ sub r1, r1, #8
2769+ ldr r1, [r1]
2770+
2771+ @ write r1 to current_thread_info()->cpu_domain
2772+ mov r0, sp
2773+ @ assume 8K pages, since we have to split the immediate in two
2774+ bic r0, r0, #(0x1fc0)
2775+ bic r0, r0, #(0x3f)
2776+ str r1, [r0, #TI_CPU_DOMAIN]
2777+ @ write r1 to DACR
2778+ mcr p15, 0, r1, c3, c0, 0
2779+ @ instruction sync
2780+ instr_sync
2781+ @ restore regs
2782+ ldmia sp!, {r0, r1}
2783+#endif
2784+ .endm
2785+
2786 #ifndef CONFIG_THUMB2_KERNEL
2787 .macro svc_exit, rpsr, irq = 0
2788 .if \irq != 0
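Review bot: `pax_exit_kernel` finds the saved DACR 8 bytes below the value stored in `S_SP` (`ldr r1, [sp, #(8 + S_SP)]` then `sub r1, r1, #8`), which silently depends on the `sub sp, sp, #8` in `pax_enter_kernel` and the `+ 4` adjustment in `svc_entry`, both in entry-armv.S. Nothing ties those numbers together, so a change to one of them would make the exit path load an unrelated stack word into the DACR. I would introduce one named constant for the slot size, used in all three places, and add a comment at the `ldr` describing the stack layout it expects.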
2789@@ -215,6 +269,9 @@
2790 blne trace_hardirqs_off
2791 #endif
2792 .endif
2793+
2794+ pax_exit_kernel
2795+
2796 msr spsr_cxsf, \rpsr
2797 #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
2798 @ We must avoid clrex due to Cortex-A15 erratum #830321
2799@@ -291,6 +348,9 @@
2800 blne trace_hardirqs_off
2801 #endif
2802 .endif
2803+
2804+ pax_exit_kernel
2805+
2806 ldr lr, [sp, #S_SP] @ top of the stack
2807 ldrd r0, r1, [sp, #S_LR] @ calling lr and pc
2808
2809diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c
2810index 059c3da..8e45cfc 100644
2811--- a/arch/arm/kernel/fiq.c
2812+++ b/arch/arm/kernel/fiq.c
2813@@ -95,7 +95,10 @@ void set_fiq_handler(void *start, unsigned int length)
2814 void *base = vectors_page;
2815 unsigned offset = FIQ_OFFSET;
2816
2817+ pax_open_kernel();
2818 memcpy(base + offset, start, length);
2819+ pax_close_kernel();
2820+
2821 if (!cache_is_vipt_nonaliasing())
2822 flush_icache_range((unsigned long)base + offset, offset +
2823 length);
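Review bot: `set_fiq_handler()` now lifts kernel write protection around a `memcpy()` whose `length` comes straight from the caller and is not checked against the space available after `FIQ_OFFSET` in the vectors page. With the open/close pair in place, an oversized handler would overwrite whatever follows in that otherwise protected page. I would validate before `pax_open_kernel()`, for example `if (WARN_ON(length > FIQ_SPACE_PLACEHOLDER)) return;`, where `FIQ_SPACE_PLACEHOLDER` is a placeholder for the real bound from the vectors-page layout, which is not visible in this hunk. The function continues past the end of the hunk.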
2824diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
2825index 29e2991..7bc5757 100644
2826--- a/arch/arm/kernel/head.S
2827+++ b/arch/arm/kernel/head.S
2828@@ -467,7 +467,7 @@ __enable_mmu:
2829 mov r5, #(domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
2830 domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
2831 domain_val(DOMAIN_TABLE, DOMAIN_MANAGER) | \
2832- domain_val(DOMAIN_IO, DOMAIN_CLIENT))
2833+ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT))
2834 mcr p15, 0, r5, c3, c0, 0 @ load domain access register
2835 mcr p15, 0, r4, c2, c0, 0 @ load page table pointer
2836 #endif
2837diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
2838index efdddcb..35e58f6 100644
2839--- a/arch/arm/kernel/module.c
2840+++ b/arch/arm/kernel/module.c
2841@@ -38,17 +38,47 @@
2842 #endif
2843
2844 #ifdef CONFIG_MMU
2845-void *module_alloc(unsigned long size)
2846+static inline void *__module_alloc(unsigned long size, pgprot_t prot)
2847 {
2848- void *p = __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
2849- GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
2850+ void *p;
2851+
2852+ if (!size || (!IS_ENABLED(CONFIG_ARM_MODULE_PLTS) && PAGE_ALIGN(size) > MODULES_END - MODULES_VADDR))
2853+ return NULL;
2854+
2855+ p = __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
2856+ GFP_KERNEL, prot, 0, NUMA_NO_NODE,
2857 __builtin_return_address(0));
2858 if (!IS_ENABLED(CONFIG_ARM_MODULE_PLTS) || p)
2859 return p;
2860 return __vmalloc_node_range(size, 1, VMALLOC_START, VMALLOC_END,
2861- GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
2862+ GFP_KERNEL, prot, 0, NUMA_NO_NODE,
2863 __builtin_return_address(0));
2864 }
2865+
2866+void *module_alloc(unsigned long size)
2867+{
2868+
2869+#ifdef CONFIG_PAX_KERNEXEC
2870+ return __module_alloc(size, PAGE_KERNEL);
2871+#else
2872+ return __module_alloc(size, PAGE_KERNEL_EXEC);
2873+#endif
2874+
2875+}
2876+
2877+#ifdef CONFIG_PAX_KERNEXEC
2878+void module_memfree_exec(void *module_region)
2879+{
2880+ module_memfree(module_region);
2881+}
2882+EXPORT_SYMBOL(module_memfree_exec);
2883+
2884+void *module_alloc_exec(unsigned long size)
2885+{
2886+ return __module_alloc(size, PAGE_KERNEL_EXEC);
2887+}
2888+EXPORT_SYMBOL(module_alloc_exec);
2889+#endif
2890 #endif
2891
2892 int
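Review bot: `__module_alloc` passes `__builtin_return_address(0)` as the vmalloc caller tag but is only `static inline`, so the recorded caller depends on whether the compiler inlines it. Inlined, the tag is the caller of `module_alloc`/`module_alloc_exec` as before; not inlined, it becomes an address inside those wrappers. Declaring it `static __always_inline void *__module_alloc(unsigned long size, pgprot_t prot)` would pin the behaviour. The new functions also carry no comments; if the intent is what the code suggests, a line above `module_alloc` such as `/* With KERNEXEC the default module allocation is non-executable; executable memory comes from module_alloc_exec(). */` would record the split.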
2893diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
2894index 69bda1a..755113a 100644
2895--- a/arch/arm/kernel/patch.c
2896+++ b/arch/arm/kernel/patch.c
2897@@ -66,6 +66,7 @@ void __kprobes __patch_text_real(void *addr, unsigned int insn, bool remap)
2898 else
2899 __acquire(&patch_lock);
2900
2901+ pax_open_kernel();
2902 if (thumb2 && __opcode_is_thumb16(insn)) {
2903 *(u16 *)waddr = __opcode_to_mem_thumb16(insn);
2904 size = sizeof(u16);
2905@@ -97,6 +98,7 @@ void __kprobes __patch_text_real(void *addr, unsigned int insn, bool remap)
2906 *(u32 *)waddr = insn;
2907 size = sizeof(u32);
2908 }
2909+ pax_close_kernel();
2910
2911 if (waddr != addr) {
2912 flush_kernel_vmap_range(waddr, twopage ? size / 2 : size);
2913diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
2914index f192a2a..1a40523 100644
2915--- a/arch/arm/kernel/process.c
2916+++ b/arch/arm/kernel/process.c
2917@@ -105,8 +105,8 @@ void __show_regs(struct pt_regs *regs)
2918
2919 show_regs_print_info(KERN_DEFAULT);
2920
2921- print_symbol("PC is at %s\n", instruction_pointer(regs));
2922- print_symbol("LR is at %s\n", regs->ARM_lr);
2923+ printk("PC is at %pA\n", (void *)instruction_pointer(regs));
2924+ printk("LR is at %pA\n", (void *)regs->ARM_lr);
2925 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n"
2926 "sp : %08lx ip : %08lx fp : %08lx\n",
2927 regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
2928@@ -283,12 +283,6 @@ unsigned long get_wchan(struct task_struct *p)
2929 return 0;
2930 }
2931
2932-unsigned long arch_randomize_brk(struct mm_struct *mm)
2933-{
2934- unsigned long range_end = mm->brk + 0x02000000;
2935- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
2936-}
2937-
2938 #ifdef CONFIG_MMU
2939 #ifdef CONFIG_KUSER_HELPERS
2940 /*
2941@@ -304,7 +298,7 @@ static struct vm_area_struct gate_vma = {
2942
2943 static int __init gate_vma_init(void)
2944 {
2945- gate_vma.vm_page_prot = PAGE_READONLY_EXEC;
2946+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
2947 return 0;
2948 }
2949 arch_initcall(gate_vma_init);
2950@@ -333,91 +327,13 @@ const char *arch_vma_name(struct vm_area_struct *vma)
2951 return is_gate_vma(vma) ? "[vectors]" : NULL;
2952 }
2953
2954-/* If possible, provide a placement hint at a random offset from the
2955- * stack for the sigpage and vdso pages.
2956- */
2957-static unsigned long sigpage_addr(const struct mm_struct *mm,
2958- unsigned int npages)
2959-{
2960- unsigned long offset;
2961- unsigned long first;
2962- unsigned long last;
2963- unsigned long addr;
2964- unsigned int slots;
2965-
2966- first = PAGE_ALIGN(mm->start_stack);
2967-
2968- last = TASK_SIZE - (npages << PAGE_SHIFT);
2969-
2970- /* No room after stack? */
2971- if (first > last)
2972- return 0;
2973-
2974- /* Just enough room? */
2975- if (first == last)
2976- return first;
2977-
2978- slots = ((last - first) >> PAGE_SHIFT) + 1;
2979-
2980- offset = get_random_int() % slots;
2981-
2982- addr = first + (offset << PAGE_SHIFT);
2983-
2984- return addr;
2985-}
2986-
2987-static struct page *signal_page;
2988-extern struct page *get_signal_page(void);
2989-
2990-static const struct vm_special_mapping sigpage_mapping = {
2991- .name = "[sigpage]",
2992- .pages = &signal_page,
2993-};
2994-
2995 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
2996 {
2997 struct mm_struct *mm = current->mm;
2998- struct vm_area_struct *vma;
2999- unsigned long npages;
3000- unsigned long addr;
3001- unsigned long hint;
3002- int ret = 0;
3003-
3004- if (!signal_page)
3005- signal_page = get_signal_page();
3006- if (!signal_page)
3007- return -ENOMEM;
3008-
3009- npages = 1; /* for sigpage */
3010- npages += vdso_total_pages;
3011
3012 down_write(&mm->mmap_sem);
3013- hint = sigpage_addr(mm, npages);
3014- addr = get_unmapped_area(NULL, hint, npages << PAGE_SHIFT, 0, 0);
3015- if (IS_ERR_VALUE(addr)) {
3016- ret = addr;
3017- goto up_fail;
3018- }
3019-
3020- vma = _install_special_mapping(mm, addr, PAGE_SIZE,
3021- VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
3022- &sigpage_mapping);
3023-
3024- if (IS_ERR(vma)) {
3025- ret = PTR_ERR(vma);
3026- goto up_fail;
3027- }
3028-
3029- mm->context.sigpage = addr;
3030-
3031- /* Unlike the sigpage, failure to install the vdso is unlikely
3032- * to be fatal to the process, so no error check needed
3033- * here.
3034- */
3035- arm_install_vdso(mm, addr + PAGE_SIZE);
3036-
3037- up_fail:
3038+ mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;
3039 up_write(&mm->mmap_sem);
3040- return ret;
3041+ return 0;
3042 }
3043 #endif
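Review bot: The replacement body of arch_setup_additional_pages leaves `0x3FFEFFE0` and `0xFFFFFFFC` unexplained, and it yields an address at or above `PAGE_OFFSET` rather than a user mapping, so nothing here tells a maintainer how the signal return path is meant to work from it. A comment above the assignment should state the intended address range and the reason for the 4-byte alignment mask, with the constants derived from named values where possible. The rewrite also drops the `arm_install_vdso()` call, so unless the vDSO is disabled or installed elsewhere in the patch (not visible in this hunk), processes lose it silently. `mm->mmap_sem` is now taken around a single field store only, which may no longer be needed.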
3044diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c
3045index f90fdf4..24e8c84 100644
3046--- a/arch/arm/kernel/psci.c
3047+++ b/arch/arm/kernel/psci.c
3048@@ -26,7 +26,7 @@
3049 #include <asm/psci.h>
3050 #include <asm/system_misc.h>
3051
3052-struct psci_operations psci_ops;
3053+struct psci_operations psci_ops __read_only;
3054
3055 static int (*invoke_psci_fn)(u32, u32, u32, u32);
3056 typedef int (*psci_initcall_t)(const struct device_node *);
3057diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
3058index ef9119f..31995a3 100644
3059--- a/arch/arm/kernel/ptrace.c
3060+++ b/arch/arm/kernel/ptrace.c
3061@@ -928,10 +928,19 @@ static void tracehook_report_syscall(struct pt_regs *regs,
3062 regs->ARM_ip = ip;
3063 }
3064
3065+#ifdef CONFIG_GRKERNSEC_SETXID
3066+extern void gr_delayed_cred_worker(void);
3067+#endif
3068+
3069 asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
3070 {
3071 current_thread_info()->syscall = scno;
3072
3073+#ifdef CONFIG_GRKERNSEC_SETXID
3074+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
3075+ gr_delayed_cred_worker();
3076+#endif
3077+
3078 /* Do the secure computing check first; failures should be fast. */
3079 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
3080 if (secure_computing() == -1)
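Review bot: `extern void gr_delayed_cred_worker(void);` is declared in the .c file under `#ifdef CONFIG_GRKERNSEC_SETXID`, so the prototype is never checked against the definition. The same pattern appears in the arch/arm/kernel/traps.c hunk with `extern void gr_handle_kernel_exploit(void);`. Moving both prototypes to a shared header, with an empty `static inline` stub for the disabled configuration, would let the compiler catch signature drift and remove the `#ifdef` around the call in syscall_trace_enter. The rest of syscall_trace_enter lies outside the hunk.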
3081diff --git a/arch/arm/kernel/reboot.c b/arch/arm/kernel/reboot.c
3082index 3826935..8ed63ed 100644
3083--- a/arch/arm/kernel/reboot.c
3084+++ b/arch/arm/kernel/reboot.c
3085@@ -122,6 +122,7 @@ void machine_power_off(void)
3086
3087 if (pm_power_off)
3088 pm_power_off();
3089+ while (1);
3090 }
3091
3092 /*
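Review bot: The added `while (1);` has no comment, and it makes machine_power_off hang silently when `pm_power_off` is NULL or returns. If the intent is that the function never returns, say so, e.g. `/* power-off failed or unsupported: never return to the caller */`, and consider `while (1) cpu_relax();` so the spin is explicit. The start of machine_power_off is outside the hunk, so whether interrupts are already disabled at this point cannot be confirmed from here.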
3093diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
3094index 36c18b7..0d78292 100644
3095--- a/arch/arm/kernel/setup.c
3096+++ b/arch/arm/kernel/setup.c
3097@@ -108,21 +108,23 @@ EXPORT_SYMBOL(elf_hwcap);
3098 unsigned int elf_hwcap2 __read_mostly;
3099 EXPORT_SYMBOL(elf_hwcap2);
3100
3101+pteval_t __supported_pte_mask __read_only;
3102+pmdval_t __supported_pmd_mask __read_only;
3103
3104 #ifdef MULTI_CPU
3105-struct processor processor __read_mostly;
3106+struct processor processor __read_only;
3107 #endif
3108 #ifdef MULTI_TLB
3109-struct cpu_tlb_fns cpu_tlb __read_mostly;
3110+struct cpu_tlb_fns cpu_tlb __read_only;
3111 #endif
3112 #ifdef MULTI_USER
3113-struct cpu_user_fns cpu_user __read_mostly;
3114+struct cpu_user_fns cpu_user __read_only;
3115 #endif
3116 #ifdef MULTI_CACHE
3117-struct cpu_cache_fns cpu_cache __read_mostly;
3118+struct cpu_cache_fns cpu_cache __read_only;
3119 #endif
3120 #ifdef CONFIG_OUTER_CACHE
3121-struct outer_cache_fns outer_cache __read_mostly;
3122+struct outer_cache_fns outer_cache __read_only;
3123 EXPORT_SYMBOL(outer_cache);
3124 #endif
3125
3126@@ -253,9 +255,13 @@ static int __get_cpu_architecture(void)
3127 * Register 0 and check for VMSAv7 or PMSAv7 */
3128 unsigned int mmfr0 = read_cpuid_ext(CPUID_EXT_MMFR0);
3129 if ((mmfr0 & 0x0000000f) >= 0x00000003 ||
3130- (mmfr0 & 0x000000f0) >= 0x00000030)
3131+ (mmfr0 & 0x000000f0) >= 0x00000030) {
3132 cpu_arch = CPU_ARCH_ARMv7;
3133- else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
3134+ if ((mmfr0 & 0x0000000f) == 0x00000005 || (mmfr0 & 0x0000000f) == 0x00000004) {
3135+ __supported_pte_mask |= L_PTE_PXN;
3136+ __supported_pmd_mask |= PMD_PXNTABLE;
3137+ }
3138+ } else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
3139 (mmfr0 & 0x000000f0) == 0x00000020)
3140 cpu_arch = CPU_ARCH_ARMv6;
3141 else
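Review bot: PXN support is enabled only when the low nibble of `mmfr0` equals exactly `0x4` or `0x5`, so any higher VMSA encoding would take the ARMv7 branch without `L_PTE_PXN`/`PMD_PXNTABLE` and run without the protection, with no message. If larger values are expected to keep PXN, `if ((mmfr0 & 0x0000000f) >= 0x00000004)` expresses that. Either way, a comment naming what the two values mean would help, since the check now mutates `__supported_pte_mask` and `__supported_pmd_mask` as a side effect of a function named __get_cpu_architecture. The function starts and ends outside the hunk.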
3142diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
3143index 423663e..bfeb0ff 100644
3144--- a/arch/arm/kernel/signal.c
3145+++ b/arch/arm/kernel/signal.c
3146@@ -24,8 +24,6 @@
3147
3148 extern const unsigned long sigreturn_codes[7];
3149
3150-static unsigned long signal_return_offset;
3151-
3152 #ifdef CONFIG_CRUNCH
3153 static int preserve_crunch_context(struct crunch_sigframe __user *frame)
3154 {
3155@@ -385,8 +383,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig,
3156 * except when the MPU has protected the vectors
3157 * page from PL0
3158 */
3159- retcode = mm->context.sigpage + signal_return_offset +
3160- (idx << 2) + thumb;
3161+ retcode = mm->context.sigpage + (idx << 2) + thumb;
3162 } else
3163 #endif
3164 {
3165@@ -592,33 +589,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
3166 } while (thread_flags & _TIF_WORK_MASK);
3167 return 0;
3168 }
3169-
3170-struct page *get_signal_page(void)
3171-{
3172- unsigned long ptr;
3173- unsigned offset;
3174- struct page *page;
3175- void *addr;
3176-
3177- page = alloc_pages(GFP_KERNEL, 0);
3178-
3179- if (!page)
3180- return NULL;
3181-
3182- addr = page_address(page);
3183-
3184- /* Give the signal return code some randomness */
3185- offset = 0x200 + (get_random_int() & 0x7fc);
3186- signal_return_offset = offset;
3187-
3188- /*
3189- * Copy signal return handlers into the vector page, and
3190- * set sigreturn to be a pointer to these.
3191- */
3192- memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
3193-
3194- ptr = (unsigned long)addr + offset;
3195- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
3196-
3197- return page;
3198-}
3199diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
3200index 3d6b782..8b3baeb 100644
3201--- a/arch/arm/kernel/smp.c
3202+++ b/arch/arm/kernel/smp.c
3203@@ -76,7 +76,7 @@ enum ipi_msg_type {
3204
3205 static DECLARE_COMPLETION(cpu_running);
3206
3207-static struct smp_operations smp_ops;
3208+static struct smp_operations smp_ops __read_only;
3209
3210 void __init smp_set_ops(struct smp_operations *ops)
3211 {
3212diff --git a/arch/arm/kernel/tcm.c b/arch/arm/kernel/tcm.c
3213index b10e136..cb5edf9 100644
3214--- a/arch/arm/kernel/tcm.c
3215+++ b/arch/arm/kernel/tcm.c
3216@@ -64,7 +64,7 @@ static struct map_desc itcm_iomap[] __initdata = {
3217 .virtual = ITCM_OFFSET,
3218 .pfn = __phys_to_pfn(ITCM_OFFSET),
3219 .length = 0,
3220- .type = MT_MEMORY_RWX_ITCM,
3221+ .type = MT_MEMORY_RX_ITCM,
3222 }
3223 };
3224
3225@@ -362,7 +362,9 @@ no_dtcm:
3226 start = &__sitcm_text;
3227 end = &__eitcm_text;
3228 ram = &__itcm_start;
3229+ pax_open_kernel();
3230 memcpy(start, ram, itcm_code_sz);
3231+ pax_close_kernel();
3232 pr_debug("CPU ITCM: copied code from %p - %p\n",
3233 start, end);
3234 itcm_present = true;
3235diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
3236index d358226..bfd4019 100644
3237--- a/arch/arm/kernel/traps.c
3238+++ b/arch/arm/kernel/traps.c
3239@@ -65,7 +65,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
3240 void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
3241 {
3242 #ifdef CONFIG_KALLSYMS
3243- printk("[<%08lx>] (%ps) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from);
3244+ printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from);
3245 #else
3246 printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
3247 #endif
3248@@ -267,6 +267,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
3249 static int die_owner = -1;
3250 static unsigned int die_nest_count;
3251
3252+extern void gr_handle_kernel_exploit(void);
3253+
3254 static unsigned long oops_begin(void)
3255 {
3256 int cpu;
3257@@ -309,6 +311,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
3258 panic("Fatal exception in interrupt");
3259 if (panic_on_oops)
3260 panic("Fatal exception");
3261+
3262+ gr_handle_kernel_exploit();
3263+
3264 if (signr)
3265 do_exit(signr);
3266 }
3267@@ -870,7 +875,11 @@ void __init early_trap_init(void *vectors_base)
3268 kuser_init(vectors_base);
3269
3270 flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
3271- modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
3272+
3273+#ifndef CONFIG_PAX_MEMORY_UDEREF
3274+ modify_domain(DOMAIN_USER, DOMAIN_USERCLIENT);
3275+#endif
3276+
3277 #else /* ifndef CONFIG_CPU_V7M */
3278 /*
3279 * on V7-M there is no need to copy the vector table to a dedicated
3280diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
3281index 8b60fde..8d986dd 100644
3282--- a/arch/arm/kernel/vmlinux.lds.S
3283+++ b/arch/arm/kernel/vmlinux.lds.S
3284@@ -37,7 +37,7 @@
3285 #endif
3286
3287 #if (defined(CONFIG_SMP_ON_UP) && !defined(CONFIG_DEBUG_SPINLOCK)) || \
3288- defined(CONFIG_GENERIC_BUG)
3289+ defined(CONFIG_GENERIC_BUG) || defined(CONFIG_PAX_REFCOUNT)
3290 #define ARM_EXIT_KEEP(x) x
3291 #define ARM_EXIT_DISCARD(x)
3292 #else
3293@@ -120,6 +120,8 @@ SECTIONS
3294 #ifdef CONFIG_DEBUG_RODATA
3295 . = ALIGN(1<<SECTION_SHIFT);
3296 #endif
3297+ _etext = .; /* End of text section */
3298+
3299 RO_DATA(PAGE_SIZE)
3300
3301 . = ALIGN(4);
3302@@ -150,8 +152,6 @@ SECTIONS
3303
3304 NOTES
3305
3306- _etext = .; /* End of text and rodata section */
3307-
3308 #ifndef CONFIG_XIP_KERNEL
3309 # ifdef CONFIG_ARM_KERNMEM_PERMS
3310 . = ALIGN(1<<SECTION_SHIFT);
3311diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
3312index f9c341c..7430436 100644
3313--- a/arch/arm/kvm/arm.c
3314+++ b/arch/arm/kvm/arm.c
3315@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
3316 static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu);
3317
3318 /* The VMID used in the VTTBR */
3319-static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
3320+static atomic64_unchecked_t kvm_vmid_gen = ATOMIC64_INIT(1);
3321 static u8 kvm_next_vmid;
3322 static DEFINE_SPINLOCK(kvm_vmid_lock);
3323
3324@@ -372,7 +372,7 @@ void force_vm_exit(const cpumask_t *mask)
3325 */
3326 static bool need_new_vmid_gen(struct kvm *kvm)
3327 {
3328- return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
3329+ return unlikely(kvm->arch.vmid_gen != atomic64_read_unchecked(&kvm_vmid_gen));
3330 }
3331
3332 /**
3333@@ -405,7 +405,7 @@ static void update_vttbr(struct kvm *kvm)
3334
3335 /* First user of a new VMID generation? */
3336 if (unlikely(kvm_next_vmid == 0)) {
3337- atomic64_inc(&kvm_vmid_gen);
3338+ atomic64_inc_unchecked(&kvm_vmid_gen);
3339 kvm_next_vmid = 1;
3340
3341 /*
3342@@ -422,7 +422,7 @@ static void update_vttbr(struct kvm *kvm)
3343 kvm_call_hyp(__kvm_flush_vm_context);
3344 }
3345
3346- kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
3347+ kvm->arch.vmid_gen = atomic64_read_unchecked(&kvm_vmid_gen);
3348 kvm->arch.vmid = kvm_next_vmid;
3349 kvm_next_vmid++;
3350
3351@@ -1110,7 +1110,7 @@ struct kvm_vcpu *kvm_mpidr_to_vcpu(struct kvm *kvm, unsigned long mpidr)
3352 /**
3353 * Initialize Hyp-mode and memory mappings on all CPUs.
3354 */
3355-int kvm_arch_init(void *opaque)
3356+int kvm_arch_init(const void *opaque)
3357 {
3358 int err;
3359 int ret, cpu;
3360diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S
3361index 1710fd7..ec3e014 100644
3362--- a/arch/arm/lib/clear_user.S
3363+++ b/arch/arm/lib/clear_user.S
3364@@ -12,14 +12,14 @@
3365
3366 .text
3367
3368-/* Prototype: int __clear_user(void *addr, size_t sz)
3369+/* Prototype: int ___clear_user(void *addr, size_t sz)
3370 * Purpose : clear some user memory
3371 * Params : addr - user memory address to clear
3372 * : sz - number of bytes to clear
3373 * Returns : number of bytes NOT cleared
3374 */
3375 ENTRY(__clear_user_std)
3376-WEAK(__clear_user)
3377+WEAK(___clear_user)
3378 stmfd sp!, {r1, lr}
3379 mov r2, #0
3380 cmp r1, #4
3381@@ -44,7 +44,7 @@ WEAK(__clear_user)
3382 USER( strnebt r2, [r0])
3383 mov r0, #0
3384 ldmfd sp!, {r1, pc}
3385-ENDPROC(__clear_user)
3386+ENDPROC(___clear_user)
3387 ENDPROC(__clear_user_std)
3388
3389 .pushsection .text.fixup,"ax"
3390diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
3391index 7a235b9..73a0556 100644
3392--- a/arch/arm/lib/copy_from_user.S
3393+++ b/arch/arm/lib/copy_from_user.S
3394@@ -17,7 +17,7 @@
3395 /*
3396 * Prototype:
3397 *
3398- * size_t __copy_from_user(void *to, const void *from, size_t n)
3399+ * size_t ___copy_from_user(void *to, const void *from, size_t n)
3400 *
3401 * Purpose:
3402 *
3403@@ -89,11 +89,11 @@
3404
3405 .text
3406
3407-ENTRY(__copy_from_user)
3408+ENTRY(___copy_from_user)
3409
3410 #include "copy_template.S"
3411
3412-ENDPROC(__copy_from_user)
3413+ENDPROC(___copy_from_user)
3414
3415 .pushsection .fixup,"ax"
3416 .align 0
3417diff --git a/arch/arm/lib/copy_page.S b/arch/arm/lib/copy_page.S
3418index 6ee2f67..d1cce76 100644
3419--- a/arch/arm/lib/copy_page.S
3420+++ b/arch/arm/lib/copy_page.S
3421@@ -10,6 +10,7 @@
3422 * ASM optimised string functions
3423 */
3424 #include <linux/linkage.h>
3425+#include <linux/const.h>
3426 #include <asm/assembler.h>
3427 #include <asm/asm-offsets.h>
3428 #include <asm/cache.h>
3429diff --git a/arch/arm/lib/copy_to_user.S b/arch/arm/lib/copy_to_user.S
3430index 9648b06..19c333c 100644
3431--- a/arch/arm/lib/copy_to_user.S
3432+++ b/arch/arm/lib/copy_to_user.S
3433@@ -17,7 +17,7 @@
3434 /*
3435 * Prototype:
3436 *
3437- * size_t __copy_to_user(void *to, const void *from, size_t n)
3438+ * size_t ___copy_to_user(void *to, const void *from, size_t n)
3439 *
3440 * Purpose:
3441 *
3442@@ -93,11 +93,11 @@
3443 .text
3444
3445 ENTRY(__copy_to_user_std)
3446-WEAK(__copy_to_user)
3447+WEAK(___copy_to_user)
3448
3449 #include "copy_template.S"
3450
3451-ENDPROC(__copy_to_user)
3452+ENDPROC(___copy_to_user)
3453 ENDPROC(__copy_to_user_std)
3454
3455 .pushsection .text.fixup,"ax"
3456diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
3457index 1d0957e..f708846 100644
3458--- a/arch/arm/lib/csumpartialcopyuser.S
3459+++ b/arch/arm/lib/csumpartialcopyuser.S
3460@@ -57,8 +57,8 @@
3461 * Returns : r0 = checksum, [[sp, #0], #0] = 0 or -EFAULT
3462 */
3463
3464-#define FN_ENTRY ENTRY(csum_partial_copy_from_user)
3465-#define FN_EXIT ENDPROC(csum_partial_copy_from_user)
3466+#define FN_ENTRY ENTRY(__csum_partial_copy_from_user)
3467+#define FN_EXIT ENDPROC(__csum_partial_copy_from_user)
3468
3469 #include "csumpartialcopygeneric.S"
3470
3471diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c
3472index 8044591..c9b2609 100644
3473--- a/arch/arm/lib/delay.c
3474+++ b/arch/arm/lib/delay.c
3475@@ -29,7 +29,7 @@
3476 /*
3477 * Default to the loop-based delay implementation.
3478 */
3479-struct arm_delay_ops arm_delay_ops = {
3480+struct arm_delay_ops arm_delay_ops __read_only = {
3481 .delay = __loop_delay,
3482 .const_udelay = __loop_const_udelay,
3483 .udelay = __loop_udelay,
3484diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
3485index 4b39af2..9ae747d 100644
3486--- a/arch/arm/lib/uaccess_with_memcpy.c
3487+++ b/arch/arm/lib/uaccess_with_memcpy.c
3488@@ -85,7 +85,7 @@ pin_page_for_write(const void __user *_addr, pte_t **ptep, spinlock_t **ptlp)
3489 return 1;
3490 }
3491
3492-static unsigned long noinline
3493+static unsigned long noinline __size_overflow(3)
3494 __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
3495 {
3496 int atomic;
3497@@ -136,7 +136,7 @@ out:
3498 }
3499
3500 unsigned long
3501-__copy_to_user(void __user *to, const void *from, unsigned long n)
3502+___copy_to_user(void __user *to, const void *from, unsigned long n)
3503 {
3504 /*
3505 * This test is stubbed out of the main function above to keep
3506@@ -150,7 +150,7 @@ __copy_to_user(void __user *to, const void *from, unsigned long n)
3507 return __copy_to_user_memcpy(to, from, n);
3508 }
3509
3510-static unsigned long noinline
3511+static unsigned long noinline __size_overflow(2)
3512 __clear_user_memset(void __user *addr, unsigned long n)
3513 {
3514 if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
3515@@ -190,7 +190,7 @@ out:
3516 return n;
3517 }
3518
3519-unsigned long __clear_user(void __user *addr, unsigned long n)
3520+unsigned long ___clear_user(void __user *addr, unsigned long n)
3521 {
3522 /* See rational for this in __copy_to_user() above. */
3523 if (n < 64)
3524diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
3525index f572219..2cf36d5 100644
3526--- a/arch/arm/mach-exynos/suspend.c
3527+++ b/arch/arm/mach-exynos/suspend.c
3528@@ -732,8 +732,10 @@ void __init exynos_pm_init(void)
3529 tmp |= pm_data->wake_disable_mask;
3530 pmu_raw_writel(tmp, S5P_WAKEUP_MASK);
3531
3532- exynos_pm_syscore_ops.suspend = pm_data->pm_suspend;
3533- exynos_pm_syscore_ops.resume = pm_data->pm_resume;
3534+ pax_open_kernel();
3535+ *(void **)&exynos_pm_syscore_ops.suspend = pm_data->pm_suspend;
3536+ *(void **)&exynos_pm_syscore_ops.resume = pm_data->pm_resume;
3537+ pax_close_kernel();
3538
3539 register_syscore_ops(&exynos_pm_syscore_ops);
3540 suspend_set_ops(&exynos_suspend_ops);
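Review bot: Writing the callbacks through `*(void **)&exynos_pm_syscore_ops.suspend` discards the function-pointer type, so a handler with the wrong signature would now compile without a diagnostic. The same cast is used in the mach-omap2/powerdomains43xx_data.c, mach-shmobile/platsmp-apmu.c, pm-r8a7740.c and pm-sh73a0.c hunks. A small typed helper or macro that opens the kernel, assigns with the member's own type and closes again would keep the type check and put the open/close pairing in one place. A comment on why these ops structures are read-only at this point would also help, as the hunk does not show it. exynos_pm_init begins outside the hunk.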
3541diff --git a/arch/arm/mach-mvebu/coherency.c b/arch/arm/mach-mvebu/coherency.c
3542index e46e9ea..9141c83 100644
3543--- a/arch/arm/mach-mvebu/coherency.c
3544+++ b/arch/arm/mach-mvebu/coherency.c
3545@@ -117,7 +117,7 @@ static void __init armada_370_coherency_init(struct device_node *np)
3546
3547 /*
3548 * This ioremap hook is used on Armada 375/38x to ensure that PCIe
3549- * memory areas are mapped as MT_UNCACHED instead of MT_DEVICE. This
3550+ * memory areas are mapped as MT_UNCACHED_RW instead of MT_DEVICE. This
3551 * is needed as a workaround for a deadlock issue between the PCIe
3552 * interface and the cache controller.
3553 */
3554@@ -130,7 +130,7 @@ armada_pcie_wa_ioremap_caller(phys_addr_t phys_addr, size_t size,
3555 mvebu_mbus_get_pcie_mem_aperture(&pcie_mem);
3556
3557 if (pcie_mem.start <= phys_addr && (phys_addr + size) <= pcie_mem.end)
3558- mtype = MT_UNCACHED;
3559+ mtype = MT_UNCACHED_RW;
3560
3561 return __arm_ioremap_caller(phys_addr, size, mtype, caller);
3562 }
3563diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c
3564index b6443a4..20a0b74 100644
3565--- a/arch/arm/mach-omap2/board-n8x0.c
3566+++ b/arch/arm/mach-omap2/board-n8x0.c
3567@@ -569,7 +569,7 @@ static int n8x0_menelaus_late_init(struct device *dev)
3568 }
3569 #endif
3570
3571-struct menelaus_platform_data n8x0_menelaus_platform_data __initdata = {
3572+struct menelaus_platform_data n8x0_menelaus_platform_data __initconst = {
3573 .late_init = n8x0_menelaus_late_init,
3574 };
3575
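Review bot: `n8x0_menelaus_platform_data` moves to `__initconst`, but its declaration in this hunk has no `const` qualifier. The section placement is therefore correct only if something else makes the type const, presumably the patch's constification tooling. Without that, mixing it with genuinely const `__initconst` objects can produce a section type conflict. Declaring it `const struct menelaus_platform_data n8x0_menelaus_platform_data __initconst` would make the hunk self-consistent, provided any header declaration is updated to match.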
3576diff --git a/arch/arm/mach-omap2/omap-mpuss-lowpower.c b/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3577index 79f49d9..70bf184 100644
3578--- a/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3579+++ b/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3580@@ -86,7 +86,7 @@ struct cpu_pm_ops {
3581 void (*resume)(void);
3582 void (*scu_prepare)(unsigned int cpu_id, unsigned int cpu_state);
3583 void (*hotplug_restart)(void);
3584-};
3585+} __no_const;
3586
3587 static DEFINE_PER_CPU(struct omap4_cpu_pm_info, omap4_pm_info);
3588 static struct powerdomain *mpuss_pd;
3589@@ -105,7 +105,7 @@ static void dummy_cpu_resume(void)
3590 static void dummy_scu_prepare(unsigned int cpu_id, unsigned int cpu_state)
3591 {}
3592
3593-struct cpu_pm_ops omap_pm_ops = {
3594+static struct cpu_pm_ops omap_pm_ops __read_only = {
3595 .finish_suspend = default_finish_suspend,
3596 .resume = dummy_cpu_resume,
3597 .scu_prepare = dummy_scu_prepare,
3598diff --git a/arch/arm/mach-omap2/omap-smp.c b/arch/arm/mach-omap2/omap-smp.c
3599index 5305ec7..6d74045 100644
3600--- a/arch/arm/mach-omap2/omap-smp.c
3601+++ b/arch/arm/mach-omap2/omap-smp.c
3602@@ -19,6 +19,7 @@
3603 #include <linux/device.h>
3604 #include <linux/smp.h>
3605 #include <linux/io.h>
3606+#include <linux/irq.h>
3607 #include <linux/irqchip/arm-gic.h>
3608
3609 #include <asm/smp_scu.h>
3610diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c
3611index e1d2e99..d9b3177 100644
3612--- a/arch/arm/mach-omap2/omap-wakeupgen.c
3613+++ b/arch/arm/mach-omap2/omap-wakeupgen.c
3614@@ -330,7 +330,7 @@ static int irq_cpu_hotplug_notify(struct notifier_block *self,
3615 return NOTIFY_OK;
3616 }
3617
3618-static struct notifier_block __refdata irq_hotplug_notifier = {
3619+static struct notifier_block irq_hotplug_notifier = {
3620 .notifier_call = irq_cpu_hotplug_notify,
3621 };
3622
3623diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c
3624index 4cb8fd9..5ce65bc 100644
3625--- a/arch/arm/mach-omap2/omap_device.c
3626+++ b/arch/arm/mach-omap2/omap_device.c
3627@@ -504,7 +504,7 @@ void omap_device_delete(struct omap_device *od)
3628 struct platform_device __init *omap_device_build(const char *pdev_name,
3629 int pdev_id,
3630 struct omap_hwmod *oh,
3631- void *pdata, int pdata_len)
3632+ const void *pdata, int pdata_len)
3633 {
3634 struct omap_hwmod *ohs[] = { oh };
3635
3636@@ -532,7 +532,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name,
3637 struct platform_device __init *omap_device_build_ss(const char *pdev_name,
3638 int pdev_id,
3639 struct omap_hwmod **ohs,
3640- int oh_cnt, void *pdata,
3641+ int oh_cnt, const void *pdata,
3642 int pdata_len)
3643 {
3644 int ret = -ENOMEM;
3645diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h
3646index 78c02b3..c94109a 100644
3647--- a/arch/arm/mach-omap2/omap_device.h
3648+++ b/arch/arm/mach-omap2/omap_device.h
3649@@ -72,12 +72,12 @@ int omap_device_idle(struct platform_device *pdev);
3650 /* Core code interface */
3651
3652 struct platform_device *omap_device_build(const char *pdev_name, int pdev_id,
3653- struct omap_hwmod *oh, void *pdata,
3654+ struct omap_hwmod *oh, const void *pdata,
3655 int pdata_len);
3656
3657 struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id,
3658 struct omap_hwmod **oh, int oh_cnt,
3659- void *pdata, int pdata_len);
3660+ const void *pdata, int pdata_len);
3661
3662 struct omap_device *omap_device_alloc(struct platform_device *pdev,
3663 struct omap_hwmod **ohs, int oh_cnt);
3664diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
3665index 486cc4d..8d1a0b7 100644
3666--- a/arch/arm/mach-omap2/omap_hwmod.c
3667+++ b/arch/arm/mach-omap2/omap_hwmod.c
3668@@ -199,10 +199,10 @@ struct omap_hwmod_soc_ops {
3669 int (*init_clkdm)(struct omap_hwmod *oh);
3670 void (*update_context_lost)(struct omap_hwmod *oh);
3671 int (*get_context_lost)(struct omap_hwmod *oh);
3672-};
3673+} __no_const;
3674
3675 /* soc_ops: adapts the omap_hwmod code to the currently-booted SoC */
3676-static struct omap_hwmod_soc_ops soc_ops;
3677+static struct omap_hwmod_soc_ops soc_ops __read_only;
3678
3679 /* omap_hwmod_list contains all registered struct omap_hwmods */
3680 static LIST_HEAD(omap_hwmod_list);
3681diff --git a/arch/arm/mach-omap2/powerdomains43xx_data.c b/arch/arm/mach-omap2/powerdomains43xx_data.c
3682index 95fee54..cfa9cf1 100644
3683--- a/arch/arm/mach-omap2/powerdomains43xx_data.c
3684+++ b/arch/arm/mach-omap2/powerdomains43xx_data.c
3685@@ -10,6 +10,7 @@
3686
3687 #include <linux/kernel.h>
3688 #include <linux/init.h>
3689+#include <asm/pgtable.h>
3690
3691 #include "powerdomain.h"
3692
3693@@ -129,7 +130,9 @@ static int am43xx_check_vcvp(void)
3694
3695 void __init am43xx_powerdomains_init(void)
3696 {
3697- omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
3698+ pax_open_kernel();
3699+ *(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
3700+ pax_close_kernel();
3701 pwrdm_register_platform_funcs(&omap4_pwrdm_operations);
3702 pwrdm_register_pwrdms(powerdomains_am43xx);
3703 pwrdm_complete_init();
3704diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c
3705index ff0a68c..b312aa0 100644
3706--- a/arch/arm/mach-omap2/wd_timer.c
3707+++ b/arch/arm/mach-omap2/wd_timer.c
3708@@ -110,7 +110,9 @@ static int __init omap_init_wdt(void)
3709 struct omap_hwmod *oh;
3710 char *oh_name = "wd_timer2";
3711 char *dev_name = "omap_wdt";
3712- struct omap_wd_timer_platform_data pdata;
3713+ static struct omap_wd_timer_platform_data pdata = {
3714+ .read_reset_sources = prm_read_reset_sources
3715+ };
3716
3717 if (!cpu_class_is_omap2() || of_have_populated_dt())
3718 return 0;
3719@@ -121,8 +123,6 @@ static int __init omap_init_wdt(void)
3720 return -EINVAL;
3721 }
3722
3723- pdata.read_reset_sources = prm_read_reset_sources;
3724-
3725 pdev = omap_device_build(dev_name, id, oh, &pdata,
3726 sizeof(struct omap_wd_timer_platform_data));
3727 WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
3728diff --git a/arch/arm/mach-shmobile/platsmp-apmu.c b/arch/arm/mach-shmobile/platsmp-apmu.c
3729index b0790fc..71eb21f 100644
3730--- a/arch/arm/mach-shmobile/platsmp-apmu.c
3731+++ b/arch/arm/mach-shmobile/platsmp-apmu.c
3732@@ -22,6 +22,7 @@
3733 #include <asm/proc-fns.h>
3734 #include <asm/smp_plat.h>
3735 #include <asm/suspend.h>
3736+#include <asm/pgtable.h>
3737 #include "common.h"
3738 #include "platsmp-apmu.h"
3739
3740@@ -233,6 +234,8 @@ static int shmobile_smp_apmu_enter_suspend(suspend_state_t state)
3741
3742 void __init shmobile_smp_apmu_suspend_init(void)
3743 {
3744- shmobile_suspend_ops.enter = shmobile_smp_apmu_enter_suspend;
3745+ pax_open_kernel();
3746+ *(void **)&shmobile_suspend_ops.enter = shmobile_smp_apmu_enter_suspend;
3747+ pax_close_kernel();
3748 }
3749 #endif
3750diff --git a/arch/arm/mach-shmobile/pm-r8a7740.c b/arch/arm/mach-shmobile/pm-r8a7740.c
3751index 34608fc..344d7c0 100644
3752--- a/arch/arm/mach-shmobile/pm-r8a7740.c
3753+++ b/arch/arm/mach-shmobile/pm-r8a7740.c
3754@@ -11,6 +11,7 @@
3755 #include <linux/console.h>
3756 #include <linux/io.h>
3757 #include <linux/suspend.h>
3758+#include <asm/pgtable.h>
3759
3760 #include "common.h"
3761 #include "pm-rmobile.h"
3762@@ -117,7 +118,9 @@ static int r8a7740_enter_suspend(suspend_state_t suspend_state)
3763
3764 static void r8a7740_suspend_init(void)
3765 {
3766- shmobile_suspend_ops.enter = r8a7740_enter_suspend;
3767+ pax_open_kernel();
3768+ *(void **)&shmobile_suspend_ops.enter = r8a7740_enter_suspend;
3769+ pax_close_kernel();
3770 }
3771 #else
3772 static void r8a7740_suspend_init(void) {}
3773diff --git a/arch/arm/mach-shmobile/pm-sh73a0.c b/arch/arm/mach-shmobile/pm-sh73a0.c
3774index a7e4668..83334f33 100644
3775--- a/arch/arm/mach-shmobile/pm-sh73a0.c
3776+++ b/arch/arm/mach-shmobile/pm-sh73a0.c
3777@@ -9,6 +9,7 @@
3778 */
3779
3780 #include <linux/suspend.h>
3781+#include <asm/pgtable.h>
3782 #include "common.h"
3783
3784 #ifdef CONFIG_SUSPEND
3785@@ -20,7 +21,9 @@ static int sh73a0_enter_suspend(suspend_state_t suspend_state)
3786
3787 static void sh73a0_suspend_init(void)
3788 {
3789- shmobile_suspend_ops.enter = sh73a0_enter_suspend;
3790+ pax_open_kernel();
3791+ *(void **)&shmobile_suspend_ops.enter = sh73a0_enter_suspend;
3792+ pax_close_kernel();
3793 }
3794 #else
3795 static void sh73a0_suspend_init(void) {}
3796diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c
3797index 7469347..1ecc350 100644
3798--- a/arch/arm/mach-tegra/cpuidle-tegra20.c
3799+++ b/arch/arm/mach-tegra/cpuidle-tegra20.c
3800@@ -177,7 +177,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev,
3801 bool entered_lp2 = false;
3802
3803 if (tegra_pending_sgi())
3804- ACCESS_ONCE(abort_flag) = true;
3805+ ACCESS_ONCE_RW(abort_flag) = true;
3806
3807 cpuidle_coupled_parallel_barrier(dev, &abort_barrier);
3808
3809diff --git a/arch/arm/mach-tegra/irq.c b/arch/arm/mach-tegra/irq.c
3810index 3b9098d..15b390f 100644
3811--- a/arch/arm/mach-tegra/irq.c
3812+++ b/arch/arm/mach-tegra/irq.c
3813@@ -20,6 +20,7 @@
3814 #include <linux/cpu_pm.h>
3815 #include <linux/interrupt.h>
3816 #include <linux/io.h>
3817+#include <linux/irq.h>
3818 #include <linux/irqchip/arm-gic.h>
3819 #include <linux/irq.h>
3820 #include <linux/kernel.h>
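Review bot: The added `#include <linux/irq.h>` duplicates the include that already follows `<linux/irqchip/arm-gic.h>` two lines below, so this file now pulls in the header twice. The include guard makes it harmless, but if the goal is to have `<linux/irq.h>` seen before the GIC header, the later copy should be dropped in the same hunk. The ux500/pm.c and zynq/platsmp.c hunks add the include without a visible duplicate.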
3821diff --git a/arch/arm/mach-ux500/pm.c b/arch/arm/mach-ux500/pm.c
3822index 8538910..2f39bc4 100644
3823--- a/arch/arm/mach-ux500/pm.c
3824+++ b/arch/arm/mach-ux500/pm.c
3825@@ -10,6 +10,7 @@
3826 */
3827
3828 #include <linux/kernel.h>
3829+#include <linux/irq.h>
3830 #include <linux/irqchip/arm-gic.h>
3831 #include <linux/delay.h>
3832 #include <linux/io.h>
3833diff --git a/arch/arm/mach-zynq/platsmp.c b/arch/arm/mach-zynq/platsmp.c
3834index f66816c..228b951 100644
3835--- a/arch/arm/mach-zynq/platsmp.c
3836+++ b/arch/arm/mach-zynq/platsmp.c
3837@@ -24,6 +24,7 @@
3838 #include <linux/io.h>
3839 #include <asm/cacheflush.h>
3840 #include <asm/smp_scu.h>
3841+#include <linux/irq.h>
3842 #include <linux/irqchip/arm-gic.h>
3843 #include "common.h"
3844
3845diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
3846index 7c6b976..055db09 100644
3847--- a/arch/arm/mm/Kconfig
3848+++ b/arch/arm/mm/Kconfig
3849@@ -446,6 +446,7 @@ config CPU_32v5
3850
3851 config CPU_32v6
3852 bool
3853+ select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
3854 select TLS_REG_EMUL if !CPU_32v6K && !MMU
3855
3856 config CPU_32v6K
3857@@ -600,6 +601,7 @@ config CPU_CP15_MPU
3858
3859 config CPU_USE_DOMAINS
3860 bool
3861+ depends on !ARM_LPAE && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
3862 help
3863 This option enables or disables the use of domain switching
3864 via the set_fs() function.
3865@@ -818,7 +820,7 @@ config NEED_KUSER_HELPERS
3866
3867 config KUSER_HELPERS
3868 bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
3869- depends on MMU
3870+ depends on MMU && (!(CPU_V6 || CPU_V6K || CPU_V7) || GRKERNSEC_OLD_ARM_USERLAND)
3871 default y
3872 help
3873 Warning: disabling this option may break user programs.
3874@@ -832,7 +834,7 @@ config KUSER_HELPERS
3875 See Documentation/arm/kernel_user_helpers.txt for details.
3876
3877 However, the fixed address nature of these helpers can be used
3878- by ROP (return orientated programming) authors when creating
3879+ by ROP (Return Oriented Programming) authors when creating
3880 exploits.
3881
3882 If all of the binaries and libraries which run on your platform
3883diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
3884index 9769f1e..16aaa55 100644
3885--- a/arch/arm/mm/alignment.c
3886+++ b/arch/arm/mm/alignment.c
3887@@ -216,10 +216,12 @@ union offset_union {
3888 #define __get16_unaligned_check(ins,val,addr) \
3889 do { \
3890 unsigned int err = 0, v, a = addr; \
3891+ pax_open_userland(); \
3892 __get8_unaligned_check(ins,v,a,err); \
3893 val = v << ((BE) ? 8 : 0); \
3894 __get8_unaligned_check(ins,v,a,err); \
3895 val |= v << ((BE) ? 0 : 8); \
3896+ pax_close_userland(); \
3897 if (err) \
3898 goto fault; \
3899 } while (0)
3900@@ -233,6 +235,7 @@ union offset_union {
3901 #define __get32_unaligned_check(ins,val,addr) \
3902 do { \
3903 unsigned int err = 0, v, a = addr; \
3904+ pax_open_userland(); \
3905 __get8_unaligned_check(ins,v,a,err); \
3906 val = v << ((BE) ? 24 : 0); \
3907 __get8_unaligned_check(ins,v,a,err); \
3908@@ -241,6 +244,7 @@ union offset_union {
3909 val |= v << ((BE) ? 8 : 16); \
3910 __get8_unaligned_check(ins,v,a,err); \
3911 val |= v << ((BE) ? 0 : 24); \
3912+ pax_close_userland(); \
3913 if (err) \
3914 goto fault; \
3915 } while (0)
3916@@ -254,6 +258,7 @@ union offset_union {
3917 #define __put16_unaligned_check(ins,val,addr) \
3918 do { \
3919 unsigned int err = 0, v = val, a = addr; \
3920+ pax_open_userland(); \
3921 __asm__( FIRST_BYTE_16 \
3922 ARM( "1: "ins" %1, [%2], #1\n" ) \
3923 THUMB( "1: "ins" %1, [%2]\n" ) \
3924@@ -273,6 +278,7 @@ union offset_union {
3925 " .popsection\n" \
3926 : "=r" (err), "=&r" (v), "=&r" (a) \
3927 : "0" (err), "1" (v), "2" (a)); \
3928+ pax_close_userland(); \
3929 if (err) \
3930 goto fault; \
3931 } while (0)
3932@@ -286,6 +292,7 @@ union offset_union {
3933 #define __put32_unaligned_check(ins,val,addr) \
3934 do { \
3935 unsigned int err = 0, v = val, a = addr; \
3936+ pax_open_userland(); \
3937 __asm__( FIRST_BYTE_32 \
3938 ARM( "1: "ins" %1, [%2], #1\n" ) \
3939 THUMB( "1: "ins" %1, [%2]\n" ) \
3940@@ -315,6 +322,7 @@ union offset_union {
3941 " .popsection\n" \
3942 : "=r" (err), "=&r" (v), "=&r" (a) \
3943 : "0" (err), "1" (v), "2" (a)); \
3944+ pax_close_userland(); \
3945 if (err) \
3946 goto fault; \
3947 } while (0)
3948diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
3949index 71b3d33..8af9ade 100644
3950--- a/arch/arm/mm/cache-l2x0.c
3951+++ b/arch/arm/mm/cache-l2x0.c
3952@@ -44,7 +44,7 @@ struct l2c_init_data {
3953 void (*configure)(void __iomem *);
3954 void (*unlock)(void __iomem *, unsigned);
3955 struct outer_cache_fns outer_cache;
3956-};
3957+} __do_const;
3958
3959 #define CACHE_LINE_SIZE 32
3960
3961diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
3962index 845769e..4278fd7 100644
3963--- a/arch/arm/mm/context.c
3964+++ b/arch/arm/mm/context.c
3965@@ -43,7 +43,7 @@
3966 #define NUM_USER_ASIDS ASID_FIRST_VERSION
3967
3968 static DEFINE_RAW_SPINLOCK(cpu_asid_lock);
3969-static atomic64_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
3970+static atomic64_unchecked_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
3971 static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS);
3972
3973 static DEFINE_PER_CPU(atomic64_t, active_asids);
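Review bot: Missing a comment on why `asid_generation` becomes `atomic64_unchecked_t`. A reader who meets `atomic64_read_unchecked()` and `atomic64_add_return_unchecked()` in new_context() and check_and_switch_context() cannot tell whether the overflow check was dropped on purpose. Presumably it is because the variable is a rollover generation counter rather than a reference count. A one-line note at the declaration would settle it, for example `/* generation counter, not a refcount: wraparound is expected, so it is exempt from overflow checking */`.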
3974@@ -178,7 +178,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
3975 {
3976 static u32 cur_idx = 1;
3977 u64 asid = atomic64_read(&mm->context.id);
3978- u64 generation = atomic64_read(&asid_generation);
3979+ u64 generation = atomic64_read_unchecked(&asid_generation);
3980
3981 if (asid != 0) {
3982 /*
3983@@ -208,7 +208,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
3984 */
3985 asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx);
3986 if (asid == NUM_USER_ASIDS) {
3987- generation = atomic64_add_return(ASID_FIRST_VERSION,
3988+ generation = atomic64_add_return_unchecked(ASID_FIRST_VERSION,
3989 &asid_generation);
3990 flush_context(cpu);
3991 asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
3992@@ -240,14 +240,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
3993 cpu_set_reserved_ttbr0();
3994
3995 asid = atomic64_read(&mm->context.id);
3996- if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS)
3997+ if (!((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS)
3998 && atomic64_xchg(&per_cpu(active_asids, cpu), asid))
3999 goto switch_mm_fastpath;
4000
4001 raw_spin_lock_irqsave(&cpu_asid_lock, flags);
4002 /* Check that our ASID belongs to the current generation. */
4003 asid = atomic64_read(&mm->context.id);
4004- if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) {
4005+ if ((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS) {
4006 asid = new_context(mm, cpu);
4007 atomic64_set(&mm->context.id, asid);
4008 }
4009diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
4010index 0d629b8..01867c8 100644
4011--- a/arch/arm/mm/fault.c
4012+++ b/arch/arm/mm/fault.c
4013@@ -25,6 +25,7 @@
4014 #include <asm/system_misc.h>
4015 #include <asm/system_info.h>
4016 #include <asm/tlbflush.h>
4017+#include <asm/sections.h>
4018
4019 #include "fault.h"
4020
4021@@ -138,6 +139,31 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
4022 if (fixup_exception(regs))
4023 return;
4024
4025+#ifdef CONFIG_PAX_MEMORY_UDEREF
4026+ if (addr < TASK_SIZE) {
4027+ if (current->signal->curr_ip)
4028+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4029+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4030+ else
4031+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
4032+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4033+ }
4034+#endif
4035+
4036+#ifdef CONFIG_PAX_KERNEXEC
4037+ if ((fsr & FSR_WRITE) &&
4038+ (((unsigned long)_stext <= addr && addr < init_mm.end_code) ||
4039+ (MODULES_VADDR <= addr && addr < MODULES_END)))
4040+ {
4041+ if (current->signal->curr_ip)
4042+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4043+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
4044+ else
4045+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
4046+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
4047+ }
4048+#endif
4049+
4050 /*
4051 * No handler, we'll have to terminate things with extreme prejudice.
4052 */
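Review bot: The CONFIG_PAX_MEMORY_UDEREF branch tests only `addr < TASK_SIZE`, so it appears to log "attempted to access userland memory" for every unhandled kernel fault on a low address, a NULL pointer dereference included. The check this patch adds to do_DataAbort also requires `is_domain_fault(fsr)`. If the wider match here is intended, a comment would keep people triaging these KERN_EMERG lines from reading them all as UDEREF violations, for example `/* also reached for NULL and other unmapped low addresses; the domain-fault case is handled in do_DataAbort() */`. Both blocks only log and then fall through to the existing fatal path. __do_kernel_fault starts and ends outside the hunk.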
4053@@ -173,6 +199,13 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr,
4054 }
4055 #endif
4056
4057+#ifdef CONFIG_PAX_PAGEEXEC
4058+ if (fsr & FSR_LNX_PF) {
4059+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
4060+ do_group_exit(SIGKILL);
4061+ }
4062+#endif
4063+
4064 tsk->thread.address = addr;
4065 tsk->thread.error_code = fsr;
4066 tsk->thread.trap_no = 14;
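Review bot: The CONFIG_PAX_PAGEEXEC block has no comment explaining that it ends the function for every instruction fault. `do_group_exit(SIGKILL)` does not return, so the `tsk->thread.*` assignments that follow are reached only when `FSR_LNX_PF` is clear. I would put `/* instruction fault in user mode: report and kill the whole thread group; does not return */` above the `if`. __do_user_fault's body starts and ends outside the hunk.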
4067@@ -400,6 +433,33 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
4068 }
4069 #endif /* CONFIG_MMU */
4070
4071+#ifdef CONFIG_PAX_PAGEEXEC
4072+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
4073+{
4074+ long i;
4075+
4076+ printk(KERN_ERR "PAX: bytes at PC: ");
4077+ for (i = 0; i < 20; i++) {
4078+ unsigned char c;
4079+ if (get_user(c, (__force unsigned char __user *)pc+i))
4080+ printk(KERN_CONT "?? ");
4081+ else
4082+ printk(KERN_CONT "%02x ", c);
4083+ }
4084+ printk("\n");
4085+
4086+ printk(KERN_ERR "PAX: bytes at SP-4: ");
4087+ for (i = -1; i < 20; i++) {
4088+ unsigned long c;
4089+ if (get_user(c, (__force unsigned long __user *)sp+i))
4090+ printk(KERN_CONT "???????? ");
4091+ else
4092+ printk(KERN_CONT "%08lx ", c);
4093+ }
4094+ printk("\n");
4095+}
4096+#endif
4097+
4098 /*
4099 * First Level Translation Fault Handler
4100 *
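Review bot: Both dump loops in pax_report_insns end with a bare `printk("\n");`, which relies on implicit continuation while every other fragment on the line uses `KERN_CONT`. Writing `printk(KERN_CONT "\n");` keeps the terminator attached to the same record. The second banner says "bytes at SP-4", yet the loop starts at `i = -1` on an `unsigned long` pointer and prints 21 words. A short comment on the `-1` start and the count of 20 would make the output easier to read during incident analysis.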
4101@@ -547,9 +607,22 @@ do_DataAbort(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
4102 const struct fsr_info *inf = fsr_info + fsr_fs(fsr);
4103 struct siginfo info;
4104
4105+#ifdef CONFIG_PAX_MEMORY_UDEREF
4106+ if (addr < TASK_SIZE && is_domain_fault(fsr)) {
4107+ if (current->signal->curr_ip)
4108+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4109+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4110+ else
4111+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
4112+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4113+ goto die;
4114+ }
4115+#endif
4116+
4117 if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs))
4118 return;
4119
4120+die:
4121 pr_alert("Unhandled fault: %s (0x%03x) at 0x%08lx\n",
4122 inf->name, fsr, addr);
4123 show_pte(current->mm, addr);
4124@@ -574,15 +647,104 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
4125 ifsr_info[nr].name = name;
4126 }
4127
4128+asmlinkage int sys_sigreturn(struct pt_regs *regs);
4129+asmlinkage int sys_rt_sigreturn(struct pt_regs *regs);
4130+
4131 asmlinkage void __exception
4132 do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
4133 {
4134 const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
4135 struct siginfo info;
4136+ unsigned long pc = instruction_pointer(regs);
4137+
4138+ if (user_mode(regs)) {
4139+ unsigned long sigpage = current->mm->context.sigpage;
4140+
4141+ if (sigpage <= pc && pc < sigpage + 7*4) {
4142+ if (pc < sigpage + 3*4)
4143+ sys_sigreturn(regs);
4144+ else
4145+ sys_rt_sigreturn(regs);
4146+ return;
4147+ }
4148+ if (pc == 0xffff0f60UL) {
4149+ /*
4150+ * PaX: __kuser_cmpxchg64 emulation
4151+ */
4152+ // TODO
4153+ //regs->ARM_pc = regs->ARM_lr;
4154+ //return;
4155+ }
4156+ if (pc == 0xffff0fa0UL) {
4157+ /*
4158+ * PaX: __kuser_memory_barrier emulation
4159+ */
4160+ // dmb(); implied by the exception
4161+ regs->ARM_pc = regs->ARM_lr;
4162+ return;
4163+ }
4164+ if (pc == 0xffff0fc0UL) {
4165+ /*
4166+ * PaX: __kuser_cmpxchg emulation
4167+ */
4168+ // TODO
4169+ //long new;
4170+ //int op;
4171+
4172+ //op = FUTEX_OP_SET << 28;
4173+ //new = futex_atomic_op_inuser(op, regs->ARM_r2);
4174+ //regs->ARM_r0 = old != new;
4175+ //regs->ARM_pc = regs->ARM_lr;
4176+ //return;
4177+ }
4178+ if (pc == 0xffff0fe0UL) {
4179+ /*
4180+ * PaX: __kuser_get_tls emulation
4181+ */
4182+ regs->ARM_r0 = current_thread_info()->tp_value[0];
4183+ regs->ARM_pc = regs->ARM_lr;
4184+ return;
4185+ }
4186+ }
4187+
4188+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4189+ else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) {
4190+ if (current->signal->curr_ip)
4191+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4192+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
4193+ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
4194+ else
4195+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
4196+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
4197+ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
4198+ goto die;
4199+ }
4200+#endif
4201+
4202+#ifdef CONFIG_PAX_REFCOUNT
4203+ if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) {
4204+#ifdef CONFIG_THUMB2_KERNEL
4205+ unsigned short bkpt;
4206+
4207+ if (!probe_kernel_address(pc, bkpt) && cpu_to_le16(bkpt) == 0xbef1) {
4208+#else
4209+ unsigned int bkpt;
4210+
4211+ if (!probe_kernel_address(pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
4212+#endif
4213+ current->thread.error_code = ifsr;
4214+ current->thread.trap_no = 0;
4215+ pax_report_refcount_overflow(regs);
4216+ fixup_exception(regs);
4217+ return;
4218+ }
4219+ }
4220+#endif
4221
4222 if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
4223 return;
4224
4225+die:
4226 pr_alert("Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n",
4227 inf->name, ifsr, addr);
4228
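Review bot: The `pc == 0xffff0f60UL` and `pc == 0xffff0fc0UL` branches in do_PrefetchAbort contain only `// TODO` and commented-out code. The __kuser_cmpxchg64 and __kuser_cmpxchg entry points are therefore not emulated and fall through to the normal abort path, unlike __kuser_memory_barrier and __kuser_get_tls. That should be stated in place of the dead code, for example `/* not emulated: falls through to inf->fn() and is handled as an ordinary prefetch abort */`. The four helper addresses and the `7*4` / `3*4` sigpage offsets would also read better as named constants. The `else if` under `#if defined(CONFIG_PAX_KERNEXEC) || ...` binds to the `if (user_mode(regs))` block across a blank line and a preprocessor line, which is easy to break in a later edit. The function continues past the end of the hunk.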
4229diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h
4230index cf08bdf..772656c 100644
4231--- a/arch/arm/mm/fault.h
4232+++ b/arch/arm/mm/fault.h
4233@@ -3,6 +3,7 @@
4234
4235 /*
4236 * Fault status register encodings. We steal bit 31 for our own purposes.
4237+ * Set when the FSR value is from an instruction fault.
4238 */
4239 #define FSR_LNX_PF (1 << 31)
4240 #define FSR_WRITE (1 << 11)
4241@@ -22,6 +23,17 @@ static inline int fsr_fs(unsigned int fsr)
4242 }
4243 #endif
4244
4245+/* valid for LPAE and !LPAE */
4246+static inline int is_xn_fault(unsigned int fsr)
4247+{
4248+ return ((fsr_fs(fsr) & 0x3c) == 0xc);
4249+}
4250+
4251+static inline int is_domain_fault(unsigned int fsr)
4252+{
4253+ return ((fsr_fs(fsr) & 0xD) == 0x9);
4254+}
4255+
4256 void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs);
4257 unsigned long search_exception_table(unsigned long addr);
4258
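Review bot: `is_domain_fault()` masks with `0xD`, which ignores bit 4 of the value returned by fsr_fs(), whereas `is_xn_fault()` masks with `0x3c` and does include it. A status code with bit 4 set and the low bits `1001` or `1011` would then also be classified as a domain fault, and the callers added in fault.c go straight to `die` on that result. If only the two short-descriptor domain-fault codes are meant, `return ((fsr_fs(fsr) & 0x1D) == 0x9);` would be tighter, but that needs checking against the architecture manual. The helper also lacks the kind of note `is_xn_fault()` has, for example `/* !LPAE only: section/page domain fault */`.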
4259diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
4260index 8a63b4c..6b04370 100644
4261--- a/arch/arm/mm/init.c
4262+++ b/arch/arm/mm/init.c
4263@@ -710,7 +710,46 @@ void free_tcmmem(void)
4264 {
4265 #ifdef CONFIG_HAVE_TCM
4266 extern char __tcm_start, __tcm_end;
4267+#endif
4268
4269+#ifdef CONFIG_PAX_KERNEXEC
4270+ unsigned long addr;
4271+ pgd_t *pgd;
4272+ pud_t *pud;
4273+ pmd_t *pmd;
4274+ int cpu_arch = cpu_architecture();
4275+ unsigned int cr = get_cr();
4276+
4277+ if (cpu_arch >= CPU_ARCH_ARMv6 && (cr & CR_XP)) {
4278+ /* make pages tables, etc before .text NX */
4279+ for (addr = PAGE_OFFSET; addr < (unsigned long)_stext; addr += SECTION_SIZE) {
4280+ pgd = pgd_offset_k(addr);
4281+ pud = pud_offset(pgd, addr);
4282+ pmd = pmd_offset(pud, addr);
4283+ __section_update(pmd, addr, PMD_SECT_XN);
4284+ }
4285+ /* make init NX */
4286+ for (addr = (unsigned long)__init_begin; addr < (unsigned long)_sdata; addr += SECTION_SIZE) {
4287+ pgd = pgd_offset_k(addr);
4288+ pud = pud_offset(pgd, addr);
4289+ pmd = pmd_offset(pud, addr);
4290+ __section_update(pmd, addr, PMD_SECT_XN);
4291+ }
4292+ /* make kernel code/rodata RX */
4293+ for (addr = (unsigned long)_stext; addr < (unsigned long)__init_begin; addr += SECTION_SIZE) {
4294+ pgd = pgd_offset_k(addr);
4295+ pud = pud_offset(pgd, addr);
4296+ pmd = pmd_offset(pud, addr);
4297+#ifdef CONFIG_ARM_LPAE
4298+ __section_update(pmd, addr, PMD_SECT_RDONLY);
4299+#else
4300+ __section_update(pmd, addr, PMD_SECT_APX|PMD_SECT_AP_WRITE);
4301+#endif
4302+ }
4303+ }
4304+#endif
4305+
4306+#ifdef CONFIG_HAVE_TCM
4307 poison_init_mem(&__tcm_start, &__tcm_end - &__tcm_start);
4308 free_reserved_area(&__tcm_start, &__tcm_end, -1, "TCM link");
4309 #endif
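Review bot: The three CONFIG_PAX_KERNEXEC loops step by `SECTION_SIZE` and change permissions on whole sections, so they are only correct if `_stext`, `__init_begin` and `_sdata` are section-aligned. Otherwise the last section of the first loop would also cover the start of .text and be marked XN. The alignment is presumably enforced by a linker-script change elsewhere in the patch, but nothing here says so. I would add `/* relies on _stext, __init_begin and _sdata being SECTION_SIZE aligned */` above the `if`. The repeated `pgd_offset_k` / `pud_offset` / `pmd_offset` / `__section_update` sequence could be one local helper. free_tcmmem's body starts and ends outside the hunk.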
4310diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
4311index 0c81056..97279f7 100644
4312--- a/arch/arm/mm/ioremap.c
4313+++ b/arch/arm/mm/ioremap.c
4314@@ -405,9 +405,9 @@ __arm_ioremap_exec(phys_addr_t phys_addr, size_t size, bool cached)
4315 unsigned int mtype;
4316
4317 if (cached)
4318- mtype = MT_MEMORY_RWX;
4319+ mtype = MT_MEMORY_RX;
4320 else
4321- mtype = MT_MEMORY_RWX_NONCACHED;
4322+ mtype = MT_MEMORY_RX_NONCACHED;
4323
4324 return __arm_ioremap_caller(phys_addr, size, mtype,
4325 __builtin_return_address(0));
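Review bot: Missing documentation for the changed contract of `__arm_ioremap_exec()`: it now returns an `MT_MEMORY_RX` / `MT_MEMORY_RX_NONCACHED` mapping instead of a writable one. Going by the `L_PTE_KERNEXEC` / `PMD_SECT_KERNEXEC` definitions in the mmu.c hunk, that mapping is read-only when CONFIG_PAX_KERNEXEC is set, so a caller that copies code into it through the returned pointer would fault. A comment on the function should state this, for example `/* mapping is executable but not writable under KERNEXEC; populate it through a separate RW mapping */`. The function starts outside the hunk.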
4326diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
4327index 407dc78..047ce9d 100644
4328--- a/arch/arm/mm/mmap.c
4329+++ b/arch/arm/mm/mmap.c
4330@@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4331 struct vm_area_struct *vma;
4332 int do_align = 0;
4333 int aliasing = cache_is_vipt_aliasing();
4334+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
4335 struct vm_unmapped_area_info info;
4336
4337 /*
4338@@ -81,6 +82,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4339 if (len > TASK_SIZE)
4340 return -ENOMEM;
4341
4342+#ifdef CONFIG_PAX_RANDMMAP
4343+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4344+#endif
4345+
4346 if (addr) {
4347 if (do_align)
4348 addr = COLOUR_ALIGN(addr, pgoff);
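Review bot: The brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` governs the `if (addr) {` block that follows it, but the two are separated by `#endif` and a blank line. Any statement inserted between them later would silently become the guarded body. Dropping the blank line and adding `/* RANDMMAP: ignore the address hint; guards the if (addr) block below */` would make the coupling visible. The same construct is added in arch_get_unmapped_area_topdown and, guarding `if (current->flags & PF_RANDOMIZE)`, in arch_pick_mmap_layout. The function body extends beyond the hunk on both sides.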
4349@@ -88,8 +93,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4350 addr = PAGE_ALIGN(addr);
4351
4352 vma = find_vma(mm, addr);
4353- if (TASK_SIZE - len >= addr &&
4354- (!vma || addr + len <= vma->vm_start))
4355+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4356 return addr;
4357 }
4358
4359@@ -99,6 +103,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4360 info.high_limit = TASK_SIZE;
4361 info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
4362 info.align_offset = pgoff << PAGE_SHIFT;
4363+ info.threadstack_offset = offset;
4364 return vm_unmapped_area(&info);
4365 }
4366
4367@@ -112,6 +117,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4368 unsigned long addr = addr0;
4369 int do_align = 0;
4370 int aliasing = cache_is_vipt_aliasing();
4371+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
4372 struct vm_unmapped_area_info info;
4373
4374 /*
4375@@ -132,6 +138,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4376 return addr;
4377 }
4378
4379+#ifdef CONFIG_PAX_RANDMMAP
4380+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4381+#endif
4382+
4383 /* requesting a specific address */
4384 if (addr) {
4385 if (do_align)
4386@@ -139,8 +149,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4387 else
4388 addr = PAGE_ALIGN(addr);
4389 vma = find_vma(mm, addr);
4390- if (TASK_SIZE - len >= addr &&
4391- (!vma || addr + len <= vma->vm_start))
4392+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4393 return addr;
4394 }
4395
4396@@ -150,6 +159,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4397 info.high_limit = mm->mmap_base;
4398 info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
4399 info.align_offset = pgoff << PAGE_SHIFT;
4400+ info.threadstack_offset = offset;
4401 addr = vm_unmapped_area(&info);
4402
4403 /*
4404@@ -183,14 +193,30 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
4405 {
4406 unsigned long random_factor = 0UL;
4407
4408+#ifdef CONFIG_PAX_RANDMMAP
4409+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4410+#endif
4411+
4412 if (current->flags & PF_RANDOMIZE)
4413 random_factor = arch_mmap_rnd();
4414
4415 if (mmap_is_legacy()) {
4416 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4417+
4418+#ifdef CONFIG_PAX_RANDMMAP
4419+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4420+ mm->mmap_base += mm->delta_mmap;
4421+#endif
4422+
4423 mm->get_unmapped_area = arch_get_unmapped_area;
4424 } else {
4425 mm->mmap_base = mmap_base(random_factor);
4426+
4427+#ifdef CONFIG_PAX_RANDMMAP
4428+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4429+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4430+#endif
4431+
4432 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4433 }
4434 }
4435diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
4436index 870838a..070df1d 100644
4437--- a/arch/arm/mm/mmu.c
4438+++ b/arch/arm/mm/mmu.c
4439@@ -41,6 +41,22 @@
4440 #include "mm.h"
4441 #include "tcm.h"
4442
4443+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4444+void modify_domain(unsigned int dom, unsigned int type)
4445+{
4446+ struct thread_info *thread = current_thread_info();
4447+ unsigned int domain = thread->cpu_domain;
4448+ /*
4449+ * DOMAIN_MANAGER might be defined to some other value,
4450+ * use the arch-defined constant
4451+ */
4452+ domain &= ~domain_val(dom, 3);
4453+ thread->cpu_domain = domain | domain_val(dom, type);
4454+ set_domain(thread->cpu_domain);
4455+}
4456+EXPORT_SYMBOL(modify_domain);
4457+#endif
4458+
4459 /*
4460 * empty_zero_page is a special page that is used for
4461 * zero-initialized data and COW.
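Review bot: `modify_domain()` is added and exported without a description of its contract, although it rewrites the calling thread's `cpu_domain` and applies it with `set_domain()`. Neither `dom` nor `type` is range-checked before being passed to `domain_val()`, so correctness rests entirely on the callers. A short kernel-doc block naming the valid values of both parameters, and stating that the change affects only the current thread, would help anyone auditing modules that call this symbol.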
4462@@ -242,7 +258,15 @@ __setup("noalign", noalign_setup);
4463 #define PROT_PTE_S2_DEVICE PROT_PTE_DEVICE
4464 #define PROT_SECT_DEVICE PMD_TYPE_SECT|PMD_SECT_AP_WRITE
4465
4466-static struct mem_type mem_types[] = {
4467+#ifdef CONFIG_PAX_KERNEXEC
4468+#define L_PTE_KERNEXEC L_PTE_RDONLY
4469+#define PMD_SECT_KERNEXEC PMD_SECT_RDONLY
4470+#else
4471+#define L_PTE_KERNEXEC L_PTE_DIRTY
4472+#define PMD_SECT_KERNEXEC PMD_SECT_AP_WRITE
4473+#endif
4474+
4475+static struct mem_type mem_types[] __read_only = {
4476 [MT_DEVICE] = { /* Strongly ordered / ARMv6 shared device */
4477 .prot_pte = PROT_PTE_DEVICE | L_PTE_MT_DEV_SHARED |
4478 L_PTE_SHARED,
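Review bot: `L_PTE_KERNEXEC` and `PMD_SECT_KERNEXEC` expand to `L_PTE_DIRTY` and `PMD_SECT_AP_WRITE` when CONFIG_PAX_KERNEXEC is off. The `MT_MEMORY_RX`, `MT_MEMORY_RX_NONCACHED` and `MT_MEMORY_RX_ITCM` entries built from them later in this file are therefore writable in that configuration, despite their names. A comment at the definitions would stop the `_RX` suffix from being read as a guarantee, for example `/* read-only only with KERNEXEC; otherwise the "RX" types keep the old writable attributes */`. The `mem_types[]` initializer continues past the end of the hunk.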
4479@@ -271,19 +295,19 @@ static struct mem_type mem_types[] = {
4480 .prot_sect = PROT_SECT_DEVICE,
4481 .domain = DOMAIN_IO,
4482 },
4483- [MT_UNCACHED] = {
4484+ [MT_UNCACHED_RW] = {
4485 .prot_pte = PROT_PTE_DEVICE,
4486 .prot_l1 = PMD_TYPE_TABLE,
4487 .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4488 .domain = DOMAIN_IO,
4489 },
4490- [MT_CACHECLEAN] = {
4491- .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4492+ [MT_CACHECLEAN_RO] = {
4493+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_RDONLY,
4494 .domain = DOMAIN_KERNEL,
4495 },
4496 #ifndef CONFIG_ARM_LPAE
4497- [MT_MINICLEAN] = {
4498- .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_MINICACHE,
4499+ [MT_MINICLEAN_RO] = {
4500+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_MINICACHE | PMD_SECT_XN | PMD_SECT_RDONLY,
4501 .domain = DOMAIN_KERNEL,
4502 },
4503 #endif
4504@@ -291,15 +315,15 @@ static struct mem_type mem_types[] = {
4505 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4506 L_PTE_RDONLY,
4507 .prot_l1 = PMD_TYPE_TABLE,
4508- .domain = DOMAIN_USER,
4509+ .domain = DOMAIN_VECTORS,
4510 },
4511 [MT_HIGH_VECTORS] = {
4512 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4513 L_PTE_USER | L_PTE_RDONLY,
4514 .prot_l1 = PMD_TYPE_TABLE,
4515- .domain = DOMAIN_USER,
4516+ .domain = DOMAIN_VECTORS,
4517 },
4518- [MT_MEMORY_RWX] = {
4519+ [__MT_MEMORY_RWX] = {
4520 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4521 .prot_l1 = PMD_TYPE_TABLE,
4522 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4523@@ -312,17 +336,30 @@ static struct mem_type mem_types[] = {
4524 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4525 .domain = DOMAIN_KERNEL,
4526 },
4527- [MT_ROM] = {
4528- .prot_sect = PMD_TYPE_SECT,
4529+ [MT_MEMORY_RX] = {
4530+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
4531+ .prot_l1 = PMD_TYPE_TABLE,
4532+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4533+ .domain = DOMAIN_KERNEL,
4534+ },
4535+ [MT_ROM_RX] = {
4536+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_RDONLY,
4537 .domain = DOMAIN_KERNEL,
4538 },
4539- [MT_MEMORY_RWX_NONCACHED] = {
4540+ [MT_MEMORY_RW_NONCACHED] = {
4541 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4542 L_PTE_MT_BUFFERABLE,
4543 .prot_l1 = PMD_TYPE_TABLE,
4544 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4545 .domain = DOMAIN_KERNEL,
4546 },
4547+ [MT_MEMORY_RX_NONCACHED] = {
4548+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC |
4549+ L_PTE_MT_BUFFERABLE,
4550+ .prot_l1 = PMD_TYPE_TABLE,
4551+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4552+ .domain = DOMAIN_KERNEL,
4553+ },
4554 [MT_MEMORY_RW_DTCM] = {
4555 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4556 L_PTE_XN,
4557@@ -330,9 +367,10 @@ static struct mem_type mem_types[] = {
4558 .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4559 .domain = DOMAIN_KERNEL,
4560 },
4561- [MT_MEMORY_RWX_ITCM] = {
4562- .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4563+ [MT_MEMORY_RX_ITCM] = {
4564+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
4565 .prot_l1 = PMD_TYPE_TABLE,
4566+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4567 .domain = DOMAIN_KERNEL,
4568 },
4569 [MT_MEMORY_RW_SO] = {
4570@@ -544,9 +582,14 @@ static void __init build_mem_type_table(void)
4571 * Mark cache clean areas and XIP ROM read only
4572 * from SVC mode and no access from userspace.
4573 */
4574- mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4575- mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4576- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4577+ mem_types[MT_ROM_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4578+#ifdef CONFIG_PAX_KERNEXEC
4579+ mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4580+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4581+ mem_types[MT_MEMORY_RX_ITCM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4582+#endif
4583+ mem_types[MT_MINICLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4584+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4585 #endif
4586
4587 /*
4588@@ -563,13 +606,17 @@ static void __init build_mem_type_table(void)
4589 mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED;
4590 mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S;
4591 mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED;
4592- mem_types[MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
4593- mem_types[MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
4594+ mem_types[__MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
4595+ mem_types[__MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
4596 mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_S;
4597 mem_types[MT_MEMORY_RW].prot_pte |= L_PTE_SHARED;
4598+ mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_S;
4599+ mem_types[MT_MEMORY_RX].prot_pte |= L_PTE_SHARED;
4600 mem_types[MT_MEMORY_DMA_READY].prot_pte |= L_PTE_SHARED;
4601- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_S;
4602- mem_types[MT_MEMORY_RWX_NONCACHED].prot_pte |= L_PTE_SHARED;
4603+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_S;
4604+ mem_types[MT_MEMORY_RW_NONCACHED].prot_pte |= L_PTE_SHARED;
4605+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_S;
4606+ mem_types[MT_MEMORY_RX_NONCACHED].prot_pte |= L_PTE_SHARED;
4607 }
4608 }
4609
4610@@ -580,15 +627,20 @@ static void __init build_mem_type_table(void)
4611 if (cpu_arch >= CPU_ARCH_ARMv6) {
4612 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
4613 /* Non-cacheable Normal is XCB = 001 */
4614- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |=
4615+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |=
4616+ PMD_SECT_BUFFERED;
4617+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |=
4618 PMD_SECT_BUFFERED;
4619 } else {
4620 /* For both ARMv6 and non-TEX-remapping ARMv7 */
4621- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |=
4622+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |=
4623+ PMD_SECT_TEX(1);
4624+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |=
4625 PMD_SECT_TEX(1);
4626 }
4627 } else {
4628- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4629+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4630+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4631 }
4632
4633 #ifdef CONFIG_ARM_LPAE
4634@@ -609,6 +661,8 @@ static void __init build_mem_type_table(void)
4635 user_pgprot |= PTE_EXT_PXN;
4636 #endif
4637
4638+ user_pgprot |= __supported_pte_mask;
4639+
4640 for (i = 0; i < 16; i++) {
4641 pteval_t v = pgprot_val(protection_map[i]);
4642 protection_map[i] = __pgprot(v | user_pgprot);
4643@@ -626,21 +680,24 @@ static void __init build_mem_type_table(void)
4644
4645 mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask;
4646 mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask;
4647- mem_types[MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
4648- mem_types[MT_MEMORY_RWX].prot_pte |= kern_pgprot;
4649+ mem_types[__MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
4650+ mem_types[__MT_MEMORY_RWX].prot_pte |= kern_pgprot;
4651 mem_types[MT_MEMORY_RW].prot_sect |= ecc_mask | cp->pmd;
4652 mem_types[MT_MEMORY_RW].prot_pte |= kern_pgprot;
4653+ mem_types[MT_MEMORY_RX].prot_sect |= ecc_mask | cp->pmd;
4654+ mem_types[MT_MEMORY_RX].prot_pte |= kern_pgprot;
4655 mem_types[MT_MEMORY_DMA_READY].prot_pte |= kern_pgprot;
4656- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= ecc_mask;
4657- mem_types[MT_ROM].prot_sect |= cp->pmd;
4658+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= ecc_mask;
4659+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= ecc_mask;
4660+ mem_types[MT_ROM_RX].prot_sect |= cp->pmd;
4661
4662 switch (cp->pmd) {
4663 case PMD_SECT_WT:
4664- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WT;
4665+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WT;
4666 break;
4667 case PMD_SECT_WB:
4668 case PMD_SECT_WBWA:
4669- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WB;
4670+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WB;
4671 break;
4672 }
4673 pr_info("Memory policy: %sData cache %s\n",
4674@@ -854,7 +911,7 @@ static void __init create_mapping(struct map_desc *md)
4675 return;
4676 }
4677
4678- if ((md->type == MT_DEVICE || md->type == MT_ROM) &&
4679+ if ((md->type == MT_DEVICE || md->type == MT_ROM_RX) &&
4680 md->virtual >= PAGE_OFFSET &&
4681 (md->virtual < VMALLOC_START || md->virtual >= VMALLOC_END)) {
4682 pr_warn("BUG: mapping for 0x%08llx at 0x%08lx out of vmalloc space\n",
4683@@ -1224,18 +1281,15 @@ void __init arm_mm_memblock_reserve(void)
4684 * called function. This means you can't use any function or debugging
4685 * method which may touch any device, otherwise the kernel _will_ crash.
4686 */
4687+
4688+static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE);
4689+
4690 static void __init devicemaps_init(const struct machine_desc *mdesc)
4691 {
4692 struct map_desc map;
4693 unsigned long addr;
4694- void *vectors;
4695
4696- /*
4697- * Allocate the vector page early.
4698- */
4699- vectors = early_alloc(PAGE_SIZE * 2);
4700-
4701- early_trap_init(vectors);
4702+ early_trap_init(&vectors);
4703
4704 for (addr = VMALLOC_START; addr; addr += PMD_SIZE)
4705 pmd_clear(pmd_off_k(addr));
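Review bot: The new `static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE);` is inserted between the closing `*/` of the block comment and `devicemaps_init()`, so the comment that documents the function now sits above the array. Move the declaration above that comment and give it its own line, e.g. `/* exception vector pages, allocated statically so they can live in __read_only data */`. Passing `&vectors` works where the removed code passed a `void *`, but plain `vectors` is the usual spelling, both here and in the later `virt_to_phys(&vectors)` hunk. The function body continues outside the hunk.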
4706@@ -1248,7 +1302,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4707 map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK);
4708 map.virtual = MODULES_VADDR;
4709 map.length = ((unsigned long)_etext - map.virtual + ~SECTION_MASK) & SECTION_MASK;
4710- map.type = MT_ROM;
4711+ map.type = MT_ROM_RX;
4712 create_mapping(&map);
4713 #endif
4714
4715@@ -1259,14 +1313,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4716 map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS);
4717 map.virtual = FLUSH_BASE;
4718 map.length = SZ_1M;
4719- map.type = MT_CACHECLEAN;
4720+ map.type = MT_CACHECLEAN_RO;
4721 create_mapping(&map);
4722 #endif
4723 #ifdef FLUSH_BASE_MINICACHE
4724 map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS + SZ_1M);
4725 map.virtual = FLUSH_BASE_MINICACHE;
4726 map.length = SZ_1M;
4727- map.type = MT_MINICLEAN;
4728+ map.type = MT_MINICLEAN_RO;
4729 create_mapping(&map);
4730 #endif
4731
4732@@ -1275,7 +1329,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4733 * location (0xffff0000). If we aren't using high-vectors, also
4734 * create a mapping at the low-vectors virtual address.
4735 */
4736- map.pfn = __phys_to_pfn(virt_to_phys(vectors));
4737+ map.pfn = __phys_to_pfn(virt_to_phys(&vectors));
4738 map.virtual = 0xffff0000;
4739 map.length = PAGE_SIZE;
4740 #ifdef CONFIG_KUSER_HELPERS
4741@@ -1335,8 +1389,10 @@ static void __init kmap_init(void)
4742 static void __init map_lowmem(void)
4743 {
4744 struct memblock_region *reg;
4745+#ifndef CONFIG_PAX_KERNEXEC
4746 phys_addr_t kernel_x_start = round_down(__pa(_stext), SECTION_SIZE);
4747 phys_addr_t kernel_x_end = round_up(__pa(__init_end), SECTION_SIZE);
4748+#endif
4749
4750 /* Map all the lowmem memory banks. */
4751 for_each_memblock(memory, reg) {
4752@@ -1349,11 +1405,48 @@ static void __init map_lowmem(void)
4753 if (start >= end)
4754 break;
4755
4756+#ifdef CONFIG_PAX_KERNEXEC
4757+ map.pfn = __phys_to_pfn(start);
4758+ map.virtual = __phys_to_virt(start);
4759+ map.length = end - start;
4760+
4761+ if (map.virtual <= (unsigned long)_stext && ((unsigned long)_end < (map.virtual + map.length))) {
4762+ struct map_desc kernel;
4763+ struct map_desc initmap;
4764+
4765+ /* when freeing initmem we will make this RW */
4766+ initmap.pfn = __phys_to_pfn(__pa(__init_begin));
4767+ initmap.virtual = (unsigned long)__init_begin;
4768+ initmap.length = _sdata - __init_begin;
4769+ initmap.type = __MT_MEMORY_RWX;
4770+ create_mapping(&initmap);
4771+
4772+ /* when freeing initmem we will make this RX */
4773+ kernel.pfn = __phys_to_pfn(__pa(_stext));
4774+ kernel.virtual = (unsigned long)_stext;
4775+ kernel.length = __init_begin - _stext;
4776+ kernel.type = __MT_MEMORY_RWX;
4777+ create_mapping(&kernel);
4778+
4779+ if (map.virtual < (unsigned long)_stext) {
4780+ map.length = (unsigned long)_stext - map.virtual;
4781+ map.type = __MT_MEMORY_RWX;
4782+ create_mapping(&map);
4783+ }
4784+
4785+ map.pfn = __phys_to_pfn(__pa(_sdata));
4786+ map.virtual = (unsigned long)_sdata;
4787+ map.length = end - __pa(_sdata);
4788+ }
4789+
4790+ map.type = MT_MEMORY_RW;
4791+ create_mapping(&map);
4792+#else
4793 if (end < kernel_x_start) {
4794 map.pfn = __phys_to_pfn(start);
4795 map.virtual = __phys_to_virt(start);
4796 map.length = end - start;
4797- map.type = MT_MEMORY_RWX;
4798+ map.type = __MT_MEMORY_RWX;
4799
4800 create_mapping(&map);
4801 } else if (start >= kernel_x_end) {
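Review bot: The containment test `(unsigned long)_end < (map.virtual + map.length)` is strict, so a bank that ends exactly at `_end` skips the split and the whole range, kernel text included, falls through to the single `MT_MEMORY_RW` mapping. If `_end` is the usual one-past-the-end symbol, the bound should be inclusive: `if (map.virtual <= (unsigned long)_stext && (unsigned long)_end <= map.virtual + map.length) {`. The two comments `when freeing initmem we will make this RW` / `RX` depend on code outside this hunk, and until that runs both ranges stay `__MT_MEMORY_RWX`. Naming the function that tightens them would make that window auditable. map_lowmem() begins and ends outside the hunk.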
4802@@ -1377,7 +1470,7 @@ static void __init map_lowmem(void)
4803 map.pfn = __phys_to_pfn(kernel_x_start);
4804 map.virtual = __phys_to_virt(kernel_x_start);
4805 map.length = kernel_x_end - kernel_x_start;
4806- map.type = MT_MEMORY_RWX;
4807+ map.type = __MT_MEMORY_RWX;
4808
4809 create_mapping(&map);
4810
4811@@ -1390,6 +1483,7 @@ static void __init map_lowmem(void)
4812 create_mapping(&map);
4813 }
4814 }
4815+#endif
4816 }
4817 }
4818
4819diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
4820index c011e22..92a0260 100644
4821--- a/arch/arm/net/bpf_jit_32.c
4822+++ b/arch/arm/net/bpf_jit_32.c
4823@@ -20,6 +20,7 @@
4824 #include <asm/cacheflush.h>
4825 #include <asm/hwcap.h>
4826 #include <asm/opcodes.h>
4827+#include <asm/pgtable.h>
4828
4829 #include "bpf_jit_32.h"
4830
4831@@ -72,54 +73,38 @@ struct jit_ctx {
4832 #endif
4833 };
4834
4835+#ifdef CONFIG_GRKERNSEC_BPF_HARDEN
4836+int bpf_jit_enable __read_only;
4837+#else
4838 int bpf_jit_enable __read_mostly;
4839+#endif
4840
4841-static inline int call_neg_helper(struct sk_buff *skb, int offset, void *ret,
4842- unsigned int size)
4843-{
4844- void *ptr = bpf_internal_load_pointer_neg_helper(skb, offset, size);
4845-
4846- if (!ptr)
4847- return -EFAULT;
4848- memcpy(ret, ptr, size);
4849- return 0;
4850-}
4851-
4852-static u64 jit_get_skb_b(struct sk_buff *skb, int offset)
4853+static u64 jit_get_skb_b(struct sk_buff *skb, unsigned offset)
4854 {
4855 u8 ret;
4856 int err;
4857
4858- if (offset < 0)
4859- err = call_neg_helper(skb, offset, &ret, 1);
4860- else
4861- err = skb_copy_bits(skb, offset, &ret, 1);
4862+ err = skb_copy_bits(skb, offset, &ret, 1);
4863
4864 return (u64)err << 32 | ret;
4865 }
4866
4867-static u64 jit_get_skb_h(struct sk_buff *skb, int offset)
4868+static u64 jit_get_skb_h(struct sk_buff *skb, unsigned offset)
4869 {
4870 u16 ret;
4871 int err;
4872
4873- if (offset < 0)
4874- err = call_neg_helper(skb, offset, &ret, 2);
4875- else
4876- err = skb_copy_bits(skb, offset, &ret, 2);
4877+ err = skb_copy_bits(skb, offset, &ret, 2);
4878
4879 return (u64)err << 32 | ntohs(ret);
4880 }
4881
4882-static u64 jit_get_skb_w(struct sk_buff *skb, int offset)
4883+static u64 jit_get_skb_w(struct sk_buff *skb, unsigned offset)
4884 {
4885 u32 ret;
4886 int err;
4887
4888- if (offset < 0)
4889- err = call_neg_helper(skb, offset, &ret, 4);
4890- else
4891- err = skb_copy_bits(skb, offset, &ret, 4);
4892+ err = skb_copy_bits(skb, offset, &ret, 4);
4893
4894 return (u64)err << 32 | ntohl(ret);
4895 }
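Review bot: With `offset` now `unsigned` and the `offset < 0` branch removed, jit_get_skb_b(), jit_get_skb_h() and jit_get_skb_w() pass any value above INT_MAX straight to skb_copy_bits(), whose offset parameter is a signed int. The helpers therefore no longer reject what used to be a negative offset. The build_body hunk further down refuses a negative constant `k` at JIT time, but the emitted `ARM_CMP_I(r_off, 0)` test is removed in the hunk after it. Whether every path that reaches `load_common` with a run-time offset is still covered is not visible in these hunks. A local guard in each helper keeps the invariant next to the call: `if (offset > INT_MAX) return (u64)-EFAULT << 32;`.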
4896@@ -199,8 +184,10 @@ static void jit_fill_hole(void *area, unsigned int size)
4897 {
4898 u32 *ptr;
4899 /* We are guaranteed to have aligned memory. */
4900+ pax_open_kernel();
4901 for (ptr = area; size >= sizeof(u32); size -= sizeof(u32))
4902 *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
4903+ pax_close_kernel();
4904 }
4905
4906 static void build_prologue(struct jit_ctx *ctx)
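Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair added around the fill loop has no comment saying why this write needs a window or what state the area is in when jit_fill_hole() is called. A short line would document the intent, e.g. `/* area may already be write-protected; open the window for the fill only */`, to be confirmed by the author. The existing `/* We are guaranteed to have aligned memory. */` comment now sits above the open call rather than the loop it describes and should move down one line. The same undocumented pair is added around `memset_io()` in the omap_map_sram() hunk in arch/arm/plat-omap/sram.c.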
4907@@ -556,6 +543,9 @@ static int build_body(struct jit_ctx *ctx)
4908 case BPF_LD | BPF_B | BPF_ABS:
4909 load_order = 0;
4910 load:
4911+ /* the interpreter will deal with the negative K */
4912+ if ((int)k < 0)
4913+ return -ENOTSUPP;
4914 emit_mov_i(r_off, k, ctx);
4915 load_common:
4916 ctx->seen |= SEEN_DATA | SEEN_CALL;
4917@@ -570,18 +560,6 @@ load_common:
4918 condt = ARM_COND_HI;
4919 }
4920
4921- /*
4922- * test for negative offset, only if we are
4923- * currently scheduled to take the fast
4924- * path. this will update the flags so that
4925- * the slowpath instruction are ignored if the
4926- * offset is negative.
4927- *
4928- * for loard_order == 0 the HI condition will
4929- * make loads at offset 0 take the slow path too.
4930- */
4931- _emit(condt, ARM_CMP_I(r_off, 0), ctx);
4932-
4933 _emit(condt, ARM_ADD_R(r_scratch, r_off, r_skb_data),
4934 ctx);
4935
4936diff --git a/arch/arm/plat-iop/setup.c b/arch/arm/plat-iop/setup.c
4937index 5b217f4..c23f40e 100644
4938--- a/arch/arm/plat-iop/setup.c
4939+++ b/arch/arm/plat-iop/setup.c
4940@@ -24,7 +24,7 @@ static struct map_desc iop3xx_std_desc[] __initdata = {
4941 .virtual = IOP3XX_PERIPHERAL_VIRT_BASE,
4942 .pfn = __phys_to_pfn(IOP3XX_PERIPHERAL_PHYS_BASE),
4943 .length = IOP3XX_PERIPHERAL_SIZE,
4944- .type = MT_UNCACHED,
4945+ .type = MT_UNCACHED_RW,
4946 },
4947 };
4948
4949diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c
4950index a5bc92d..0bb4730 100644
4951--- a/arch/arm/plat-omap/sram.c
4952+++ b/arch/arm/plat-omap/sram.c
4953@@ -93,6 +93,8 @@ void __init omap_map_sram(unsigned long start, unsigned long size,
4954 * Looks like we need to preserve some bootloader code at the
4955 * beginning of SRAM for jumping to flash for reboot to work...
4956 */
4957+ pax_open_kernel();
4958 memset_io(omap_sram_base + omap_sram_skip, 0,
4959 omap_sram_size - omap_sram_skip);
4960+ pax_close_kernel();
4961 }
4962diff --git a/arch/arm64/include/asm/atomic.h b/arch/arm64/include/asm/atomic.h
4963index 7047051..44e8675 100644
4964--- a/arch/arm64/include/asm/atomic.h
4965+++ b/arch/arm64/include/asm/atomic.h
4966@@ -252,5 +252,15 @@ static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
4967 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
4968 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
4969
4970+#define atomic64_read_unchecked(v) atomic64_read(v)
4971+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
4972+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
4973+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
4974+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
4975+#define atomic64_inc_unchecked(v) atomic64_inc(v)
4976+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
4977+#define atomic64_dec_unchecked(v) atomic64_dec(v)
4978+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
4979+
4980 #endif
4981 #endif
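Review bot: The nine `atomic64_*_unchecked` macros are plain aliases of the regular operations, and the same block is repeated verbatim in the arch/frv and arch/ia64 atomic.h hunks, so a later addition has to be made in three places. The argument parenthesisation is also inconsistent: `atomic64_read(v)`, `atomic64_inc(v)` and `atomic64_dec(v)` pass the argument bare while the others use `(v)`. A header comment such as `/* no separate unchecked implementation here: the _unchecked names alias the plain ops */` would tell a reader that these provide no distinct behaviour on this architecture. If the tree has a common place for such fallbacks, defining the block once there would remove the duplication.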
4982diff --git a/arch/arm64/include/asm/barrier.h b/arch/arm64/include/asm/barrier.h
4983index 0fa47c4..b167938 100644
4984--- a/arch/arm64/include/asm/barrier.h
4985+++ b/arch/arm64/include/asm/barrier.h
4986@@ -44,7 +44,7 @@
4987 do { \
4988 compiletime_assert_atomic_type(*p); \
4989 barrier(); \
4990- ACCESS_ONCE(*p) = (v); \
4991+ ACCESS_ONCE_RW(*p) = (v); \
4992 } while (0)
4993
4994 #define smp_load_acquire(p) \
4995diff --git a/arch/arm64/include/asm/percpu.h b/arch/arm64/include/asm/percpu.h
4996index 4fde8c1..441f84f 100644
4997--- a/arch/arm64/include/asm/percpu.h
4998+++ b/arch/arm64/include/asm/percpu.h
4999@@ -135,16 +135,16 @@ static inline void __percpu_write(void *ptr, unsigned long val, int size)
5000 {
5001 switch (size) {
5002 case 1:
5003- ACCESS_ONCE(*(u8 *)ptr) = (u8)val;
5004+ ACCESS_ONCE_RW(*(u8 *)ptr) = (u8)val;
5005 break;
5006 case 2:
5007- ACCESS_ONCE(*(u16 *)ptr) = (u16)val;
5008+ ACCESS_ONCE_RW(*(u16 *)ptr) = (u16)val;
5009 break;
5010 case 4:
5011- ACCESS_ONCE(*(u32 *)ptr) = (u32)val;
5012+ ACCESS_ONCE_RW(*(u32 *)ptr) = (u32)val;
5013 break;
5014 case 8:
5015- ACCESS_ONCE(*(u64 *)ptr) = (u64)val;
5016+ ACCESS_ONCE_RW(*(u64 *)ptr) = (u64)val;
5017 break;
5018 default:
5019 BUILD_BUG();
5020diff --git a/arch/arm64/include/asm/pgalloc.h b/arch/arm64/include/asm/pgalloc.h
5021index 7642056..bffc904 100644
5022--- a/arch/arm64/include/asm/pgalloc.h
5023+++ b/arch/arm64/include/asm/pgalloc.h
5024@@ -46,6 +46,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
5025 set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
5026 }
5027
5028+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
5029+{
5030+ pud_populate(mm, pud, pmd);
5031+}
5032+
5033 #endif /* CONFIG_PGTABLE_LEVELS > 2 */
5034
5035 #if CONFIG_PGTABLE_LEVELS > 3
5036diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
5037index 07e1ba44..ec8cbbb 100644
5038--- a/arch/arm64/include/asm/uaccess.h
5039+++ b/arch/arm64/include/asm/uaccess.h
5040@@ -99,6 +99,7 @@ static inline void set_fs(mm_segment_t fs)
5041 flag; \
5042 })
5043
5044+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
5045 #define access_ok(type, addr, size) __range_ok(addr, size)
5046 #define user_addr_max get_fs
5047
5048diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c
5049index d16a1ce..a5acc60 100644
5050--- a/arch/arm64/mm/dma-mapping.c
5051+++ b/arch/arm64/mm/dma-mapping.c
5052@@ -134,7 +134,7 @@ static void __dma_free_coherent(struct device *dev, size_t size,
5053 phys_to_page(paddr),
5054 size >> PAGE_SHIFT);
5055 if (!freed)
5056- swiotlb_free_coherent(dev, size, vaddr, dma_handle);
5057+ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs);
5058 }
5059
5060 static void *__dma_alloc(struct device *dev, size_t size,
5061diff --git a/arch/avr32/include/asm/cache.h b/arch/avr32/include/asm/cache.h
5062index c3a58a1..78fbf54 100644
5063--- a/arch/avr32/include/asm/cache.h
5064+++ b/arch/avr32/include/asm/cache.h
5065@@ -1,8 +1,10 @@
5066 #ifndef __ASM_AVR32_CACHE_H
5067 #define __ASM_AVR32_CACHE_H
5068
5069+#include <linux/const.h>
5070+
5071 #define L1_CACHE_SHIFT 5
5072-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5073+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5074
5075 /*
5076 * Memory returned by kmalloc() may be used for DMA, so we must make
5077diff --git a/arch/avr32/include/asm/elf.h b/arch/avr32/include/asm/elf.h
5078index 0388ece..87c8df1 100644
5079--- a/arch/avr32/include/asm/elf.h
5080+++ b/arch/avr32/include/asm/elf.h
5081@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpregset_t;
5082 the loader. We need to make sure that it is out of the way of the program
5083 that it will "exec", and that there is sufficient room for the brk. */
5084
5085-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
5086+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
5087
5088+#ifdef CONFIG_PAX_ASLR
5089+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
5090+
5091+#define PAX_DELTA_MMAP_LEN 15
5092+#define PAX_DELTA_STACK_LEN 15
5093+#endif
5094
5095 /* This yields a mask that user programs can use to figure out what
5096 instruction set this CPU supports. This could be done in user space,
5097diff --git a/arch/avr32/include/asm/kmap_types.h b/arch/avr32/include/asm/kmap_types.h
5098index 479330b..53717a8 100644
5099--- a/arch/avr32/include/asm/kmap_types.h
5100+++ b/arch/avr32/include/asm/kmap_types.h
5101@@ -2,9 +2,9 @@
5102 #define __ASM_AVR32_KMAP_TYPES_H
5103
5104 #ifdef CONFIG_DEBUG_HIGHMEM
5105-# define KM_TYPE_NR 29
5106+# define KM_TYPE_NR 30
5107 #else
5108-# define KM_TYPE_NR 14
5109+# define KM_TYPE_NR 15
5110 #endif
5111
5112 #endif /* __ASM_AVR32_KMAP_TYPES_H */
5113diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
5114index c035339..e1fa594 100644
5115--- a/arch/avr32/mm/fault.c
5116+++ b/arch/avr32/mm/fault.c
5117@@ -41,6 +41,23 @@ static inline int notify_page_fault(struct pt_regs *regs, int trap)
5118
5119 int exception_trace = 1;
5120
5121+#ifdef CONFIG_PAX_PAGEEXEC
5122+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5123+{
5124+ unsigned long i;
5125+
5126+ printk(KERN_ERR "PAX: bytes at PC: ");
5127+ for (i = 0; i < 20; i++) {
5128+ unsigned char c;
5129+ if (get_user(c, (unsigned char *)pc+i))
5130+ printk(KERN_CONT "???????? ");
5131+ else
5132+ printk(KERN_CONT "%02x ", c);
5133+ }
5134+ printk("\n");
5135+}
5136+#endif
5137+
5138 /*
5139 * This routine handles page faults. It determines the address and the
5140 * problem, and then passes it off to one of the appropriate routines.
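Review bot: In pax_report_insns() a failed `get_user()` prints `"???????? "`, eight characters for a single byte, while a successful read prints two hex digits, so the dump loses its column alignment. The placeholder should match the byte width: `printk(KERN_CONT "?? ");`. The closing `printk("\n");` has no `KERN_CONT`, unlike the other continuation calls, and should read `printk(KERN_CONT "\n");`. The literal `20` would be clearer as a named constant with a comment that it is the number of bytes dumped at the faulting PC.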
5141@@ -178,6 +195,16 @@ bad_area:
5142 up_read(&mm->mmap_sem);
5143
5144 if (user_mode(regs)) {
5145+
5146+#ifdef CONFIG_PAX_PAGEEXEC
5147+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
5148+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
5149+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
5150+ do_group_exit(SIGKILL);
5151+ }
5152+ }
5153+#endif
5154+
5155 if (exception_trace && printk_ratelimit())
5156 printk("%s%s[%d]: segfault at %08lx pc %08lx "
5157 "sp %08lx ecr %lu\n",
5158diff --git a/arch/blackfin/include/asm/cache.h b/arch/blackfin/include/asm/cache.h
5159index 568885a..f8008df 100644
5160--- a/arch/blackfin/include/asm/cache.h
5161+++ b/arch/blackfin/include/asm/cache.h
5162@@ -7,6 +7,7 @@
5163 #ifndef __ARCH_BLACKFIN_CACHE_H
5164 #define __ARCH_BLACKFIN_CACHE_H
5165
5166+#include <linux/const.h>
5167 #include <linux/linkage.h> /* for asmlinkage */
5168
5169 /*
5170@@ -14,7 +15,7 @@
5171 * Blackfin loads 32 bytes for cache
5172 */
5173 #define L1_CACHE_SHIFT 5
5174-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5175+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5176 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5177
5178 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5179diff --git a/arch/cris/include/arch-v10/arch/cache.h b/arch/cris/include/arch-v10/arch/cache.h
5180index aea2718..3639a60 100644
5181--- a/arch/cris/include/arch-v10/arch/cache.h
5182+++ b/arch/cris/include/arch-v10/arch/cache.h
5183@@ -1,8 +1,9 @@
5184 #ifndef _ASM_ARCH_CACHE_H
5185 #define _ASM_ARCH_CACHE_H
5186
5187+#include <linux/const.h>
5188 /* Etrax 100LX have 32-byte cache-lines. */
5189-#define L1_CACHE_BYTES 32
5190 #define L1_CACHE_SHIFT 5
5191+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5192
5193 #endif /* _ASM_ARCH_CACHE_H */
5194diff --git a/arch/cris/include/arch-v32/arch/cache.h b/arch/cris/include/arch-v32/arch/cache.h
5195index 7caf25d..ee65ac5 100644
5196--- a/arch/cris/include/arch-v32/arch/cache.h
5197+++ b/arch/cris/include/arch-v32/arch/cache.h
5198@@ -1,11 +1,12 @@
5199 #ifndef _ASM_CRIS_ARCH_CACHE_H
5200 #define _ASM_CRIS_ARCH_CACHE_H
5201
5202+#include <linux/const.h>
5203 #include <arch/hwregs/dma.h>
5204
5205 /* A cache-line is 32 bytes. */
5206-#define L1_CACHE_BYTES 32
5207 #define L1_CACHE_SHIFT 5
5208+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5209
5210 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
5211
5212diff --git a/arch/frv/include/asm/atomic.h b/arch/frv/include/asm/atomic.h
5213index 102190a..5334cea 100644
5214--- a/arch/frv/include/asm/atomic.h
5215+++ b/arch/frv/include/asm/atomic.h
5216@@ -181,6 +181,16 @@ static inline void atomic64_dec(atomic64_t *v)
5217 #define atomic64_cmpxchg(v, old, new) (__cmpxchg_64(old, new, &(v)->counter))
5218 #define atomic64_xchg(v, new) (__xchg_64(new, &(v)->counter))
5219
5220+#define atomic64_read_unchecked(v) atomic64_read(v)
5221+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5222+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5223+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5224+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5225+#define atomic64_inc_unchecked(v) atomic64_inc(v)
5226+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5227+#define atomic64_dec_unchecked(v) atomic64_dec(v)
5228+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5229+
5230 static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5231 {
5232 int c, old;
5233diff --git a/arch/frv/include/asm/cache.h b/arch/frv/include/asm/cache.h
5234index 2797163..c2a401df9 100644
5235--- a/arch/frv/include/asm/cache.h
5236+++ b/arch/frv/include/asm/cache.h
5237@@ -12,10 +12,11 @@
5238 #ifndef __ASM_CACHE_H
5239 #define __ASM_CACHE_H
5240
5241+#include <linux/const.h>
5242
5243 /* bytes per L1 cache line */
5244 #define L1_CACHE_SHIFT (CONFIG_FRV_L1_CACHE_SHIFT)
5245-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5246+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5247
5248 #define __cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
5249 #define ____cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
5250diff --git a/arch/frv/include/asm/kmap_types.h b/arch/frv/include/asm/kmap_types.h
5251index 43901f2..0d8b865 100644
5252--- a/arch/frv/include/asm/kmap_types.h
5253+++ b/arch/frv/include/asm/kmap_types.h
5254@@ -2,6 +2,6 @@
5255 #ifndef _ASM_KMAP_TYPES_H
5256 #define _ASM_KMAP_TYPES_H
5257
5258-#define KM_TYPE_NR 17
5259+#define KM_TYPE_NR 18
5260
5261 #endif
5262diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c
5263index 836f147..4cf23f5 100644
5264--- a/arch/frv/mm/elf-fdpic.c
5265+++ b/arch/frv/mm/elf-fdpic.c
5266@@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5267 {
5268 struct vm_area_struct *vma;
5269 struct vm_unmapped_area_info info;
5270+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
5271
5272 if (len > TASK_SIZE)
5273 return -ENOMEM;
5274@@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5275 if (addr) {
5276 addr = PAGE_ALIGN(addr);
5277 vma = find_vma(current->mm, addr);
5278- if (TASK_SIZE - len >= addr &&
5279- (!vma || addr + len <= vma->vm_start))
5280+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
5281 goto success;
5282 }
5283
5284@@ -85,6 +85,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5285 info.high_limit = (current->mm->start_stack - 0x00200000);
5286 info.align_mask = 0;
5287 info.align_offset = 0;
5288+ info.threadstack_offset = offset;
5289 addr = vm_unmapped_area(&info);
5290 if (!(addr & ~PAGE_MASK))
5291 goto success;
5292diff --git a/arch/hexagon/include/asm/cache.h b/arch/hexagon/include/asm/cache.h
5293index 69952c18..4fa2908 100644
5294--- a/arch/hexagon/include/asm/cache.h
5295+++ b/arch/hexagon/include/asm/cache.h
5296@@ -21,9 +21,11 @@
5297 #ifndef __ASM_CACHE_H
5298 #define __ASM_CACHE_H
5299
5300+#include <linux/const.h>
5301+
5302 /* Bytes per L1 cache line */
5303-#define L1_CACHE_SHIFT (5)
5304-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5305+#define L1_CACHE_SHIFT 5
5306+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5307
5308 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5309
5310diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
5311index 42a91a7..29d446e 100644
5312--- a/arch/ia64/Kconfig
5313+++ b/arch/ia64/Kconfig
5314@@ -518,6 +518,7 @@ source "drivers/sn/Kconfig"
5315 config KEXEC
5316 bool "kexec system call"
5317 depends on !IA64_HP_SIM && (!SMP || HOTPLUG_CPU)
5318+ depends on !GRKERNSEC_KMEM
5319 help
5320 kexec is a system call that implements the ability to shutdown your
5321 current kernel, and to start another kernel. It is like a reboot
5322diff --git a/arch/ia64/Makefile b/arch/ia64/Makefile
5323index 970d0bd..e750b9b 100644
5324--- a/arch/ia64/Makefile
5325+++ b/arch/ia64/Makefile
5326@@ -98,5 +98,6 @@ endef
5327 archprepare: make_nr_irqs_h FORCE
5328 PHONY += make_nr_irqs_h FORCE
5329
5330+make_nr_irqs_h: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS))
5331 make_nr_irqs_h: FORCE
5332 $(Q)$(MAKE) $(build)=arch/ia64/kernel include/generated/nr-irqs.h
5333diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h
5334index 0bf0350..2ad1957 100644
5335--- a/arch/ia64/include/asm/atomic.h
5336+++ b/arch/ia64/include/asm/atomic.h
5337@@ -193,4 +193,14 @@ atomic64_add_negative (__s64 i, atomic64_t *v)
5338 #define atomic64_inc(v) atomic64_add(1, (v))
5339 #define atomic64_dec(v) atomic64_sub(1, (v))
5340
5341+#define atomic64_read_unchecked(v) atomic64_read(v)
5342+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5343+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5344+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5345+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5346+#define atomic64_inc_unchecked(v) atomic64_inc(v)
5347+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5348+#define atomic64_dec_unchecked(v) atomic64_dec(v)
5349+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5350+
5351 #endif /* _ASM_IA64_ATOMIC_H */
5352diff --git a/arch/ia64/include/asm/barrier.h b/arch/ia64/include/asm/barrier.h
5353index 843ba43..fa118fb 100644
5354--- a/arch/ia64/include/asm/barrier.h
5355+++ b/arch/ia64/include/asm/barrier.h
5356@@ -66,7 +66,7 @@
5357 do { \
5358 compiletime_assert_atomic_type(*p); \
5359 barrier(); \
5360- ACCESS_ONCE(*p) = (v); \
5361+ ACCESS_ONCE_RW(*p) = (v); \
5362 } while (0)
5363
5364 #define smp_load_acquire(p) \
5365diff --git a/arch/ia64/include/asm/cache.h b/arch/ia64/include/asm/cache.h
5366index 988254a..e1ee885 100644
5367--- a/arch/ia64/include/asm/cache.h
5368+++ b/arch/ia64/include/asm/cache.h
5369@@ -1,6 +1,7 @@
5370 #ifndef _ASM_IA64_CACHE_H
5371 #define _ASM_IA64_CACHE_H
5372
5373+#include <linux/const.h>
5374
5375 /*
5376 * Copyright (C) 1998-2000 Hewlett-Packard Co
5377@@ -9,7 +10,7 @@
5378
5379 /* Bytes per L1 (data) cache line. */
5380 #define L1_CACHE_SHIFT CONFIG_IA64_L1_CACHE_SHIFT
5381-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5382+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5383
5384 #ifdef CONFIG_SMP
5385 # define SMP_CACHE_SHIFT L1_CACHE_SHIFT
5386diff --git a/arch/ia64/include/asm/elf.h b/arch/ia64/include/asm/elf.h
5387index 5a83c5c..4d7f553 100644
5388--- a/arch/ia64/include/asm/elf.h
5389+++ b/arch/ia64/include/asm/elf.h
5390@@ -42,6 +42,13 @@
5391 */
5392 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
5393
5394+#ifdef CONFIG_PAX_ASLR
5395+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
5396+
5397+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
5398+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
5399+#endif
5400+
5401 #define PT_IA_64_UNWIND 0x70000001
5402
5403 /* IA-64 relocations: */
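Review bot: All three macros test `current->personality == PER_LINUX32` against the full personality word, so a task whose personality carries any flag bits on top of PER_LINUX32 fails the comparison and gets the 64-bit base and delta lengths. Masking first avoids that: `personality(current->personality) == PER_LINUX32`. The expression `3*PAGE_SHIFT - 13` is also unexplained. A comment stating that the `_LEN` values are bit counts, if that is what they are, and how this one is derived would make the numbers reviewable.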
5404diff --git a/arch/ia64/include/asm/pgalloc.h b/arch/ia64/include/asm/pgalloc.h
5405index f5e70e9..624fad5 100644
5406--- a/arch/ia64/include/asm/pgalloc.h
5407+++ b/arch/ia64/include/asm/pgalloc.h
5408@@ -39,6 +39,12 @@ pgd_populate(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
5409 pgd_val(*pgd_entry) = __pa(pud);
5410 }
5411
5412+static inline void
5413+pgd_populate_kernel(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
5414+{
5415+ pgd_populate(mm, pgd_entry, pud);
5416+}
5417+
5418 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
5419 {
5420 return quicklist_alloc(0, GFP_KERNEL, NULL);
5421@@ -57,6 +63,12 @@ pud_populate(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
5422 pud_val(*pud_entry) = __pa(pmd);
5423 }
5424
5425+static inline void
5426+pud_populate_kernel(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
5427+{
5428+ pud_populate(mm, pud_entry, pmd);
5429+}
5430+
5431 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr)
5432 {
5433 return quicklist_alloc(0, GFP_KERNEL, NULL);
5434diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h
5435index 9f3ed9e..c99b418 100644
5436--- a/arch/ia64/include/asm/pgtable.h
5437+++ b/arch/ia64/include/asm/pgtable.h
5438@@ -12,7 +12,7 @@
5439 * David Mosberger-Tang <davidm@hpl.hp.com>
5440 */
5441
5442-
5443+#include <linux/const.h>
5444 #include <asm/mman.h>
5445 #include <asm/page.h>
5446 #include <asm/processor.h>
5447@@ -139,6 +139,17 @@
5448 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5449 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5450 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
5451+
5452+#ifdef CONFIG_PAX_PAGEEXEC
5453+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
5454+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5455+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5456+#else
5457+# define PAGE_SHARED_NOEXEC PAGE_SHARED
5458+# define PAGE_READONLY_NOEXEC PAGE_READONLY
5459+# define PAGE_COPY_NOEXEC PAGE_COPY
5460+#endif
5461+
5462 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
5463 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
5464 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
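Review bot: Under `CONFIG_PAX_PAGEEXEC`, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to exactly the same value as `PAGE_READONLY` and `PAGE_COPY` two lines above (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`). For those two names the `#ifdef` and `#else` branches are therefore equivalent. Either define them unconditionally as aliases or add a comment saying the duplication is deliberate, e.g. `/* spelled out so the NOEXEC set stays exec-free even if PAGE_READONLY/PAGE_COPY change */`. `PAGE_SHARED` is defined outside the hunk, so whether `PAGE_SHARED_NOEXEC` differs from it cannot be checked here.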
5465diff --git a/arch/ia64/include/asm/spinlock.h b/arch/ia64/include/asm/spinlock.h
5466index 45698cd..e8e2dbc 100644
5467--- a/arch/ia64/include/asm/spinlock.h
5468+++ b/arch/ia64/include/asm/spinlock.h
5469@@ -71,7 +71,7 @@ static __always_inline void __ticket_spin_unlock(arch_spinlock_t *lock)
5470 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
5471
5472 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
5473- ACCESS_ONCE(*p) = (tmp + 2) & ~1;
5474+ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
5475 }
5476
5477 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
5478diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
5479index 4f3fb6cc..254055e 100644
5480--- a/arch/ia64/include/asm/uaccess.h
5481+++ b/arch/ia64/include/asm/uaccess.h
5482@@ -70,6 +70,7 @@
5483 && ((segment).seg == KERNEL_DS.seg \
5484 || likely(REGION_OFFSET((unsigned long) (addr)) < RGN_MAP_LIMIT))); \
5485 })
5486+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
5487 #define access_ok(type, addr, size) __access_ok((addr), (size), get_fs())
5488
5489 /*
5490@@ -241,12 +242,24 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use
5491 static inline unsigned long
5492 __copy_to_user (void __user *to, const void *from, unsigned long count)
5493 {
5494+ if (count > INT_MAX)
5495+ return count;
5496+
5497+ if (!__builtin_constant_p(count))
5498+ check_object_size(from, count, true);
5499+
5500 return __copy_user(to, (__force void __user *) from, count);
5501 }
5502
5503 static inline unsigned long
5504 __copy_from_user (void *to, const void __user *from, unsigned long count)
5505 {
5506+ if (count > INT_MAX)
5507+ return count;
5508+
5509+ if (!__builtin_constant_p(count))
5510+ check_object_size(to, count, false);
5511+
5512 return __copy_user((__force void __user *) to, from, count);
5513 }
5514
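Review bot: The new `if (count > INT_MAX) return count;` guards in `__copy_to_user()` and `__copy_from_user()` are uncommented, leaving the reader to infer that returning `count` means nothing was copied. A comment would state the contract, such as `/* oversized length, likely a negative value converted to unsigned: refuse and report all bytes uncopied */`. The same applies to the `__cu_len <= INT_MAX` tests in the two macro hunks that follow. On the rejected path of `__copy_from_user()` the destination is left untouched, so a caller that ignores the return value keeps whatever the buffer held before. That is worth stating in the comment as well.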
5515@@ -256,10 +269,13 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
5516 ({ \
5517 void __user *__cu_to = (to); \
5518 const void *__cu_from = (from); \
5519- long __cu_len = (n); \
5520+ unsigned long __cu_len = (n); \
5521 \
5522- if (__access_ok(__cu_to, __cu_len, get_fs())) \
5523+ if (__cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) { \
5524+ if (!__builtin_constant_p(n)) \
5525+ check_object_size(__cu_from, __cu_len, true); \
5526 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
5527+ } \
5528 __cu_len; \
5529 })
5530
5531@@ -267,11 +283,14 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
5532 ({ \
5533 void *__cu_to = (to); \
5534 const void __user *__cu_from = (from); \
5535- long __cu_len = (n); \
5536+ unsigned long __cu_len = (n); \
5537 \
5538 __chk_user_ptr(__cu_from); \
5539- if (__access_ok(__cu_from, __cu_len, get_fs())) \
5540+ if (__cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) { \
5541+ if (!__builtin_constant_p(n)) \
5542+ check_object_size(__cu_to, __cu_len, false); \
5543 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
5544+ } \
5545 __cu_len; \
5546 })
5547
5548diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
5549index b15933c..098b1c8 100644
5550--- a/arch/ia64/kernel/module.c
5551+++ b/arch/ia64/kernel/module.c
5552@@ -484,15 +484,39 @@ module_frob_arch_sections (Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, char *secstrings,
5553 }
5554
5555 static inline int
5556+in_init_rx (const struct module *mod, uint64_t addr)
5557+{
5558+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
5559+}
5560+
5561+static inline int
5562+in_init_rw (const struct module *mod, uint64_t addr)
5563+{
5564+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
5565+}
5566+
5567+static inline int
5568 in_init (const struct module *mod, uint64_t addr)
5569 {
5570- return addr - (uint64_t) mod->module_init < mod->init_size;
5571+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
5572+}
5573+
5574+static inline int
5575+in_core_rx (const struct module *mod, uint64_t addr)
5576+{
5577+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
5578+}
5579+
5580+static inline int
5581+in_core_rw (const struct module *mod, uint64_t addr)
5582+{
5583+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
5584 }
5585
5586 static inline int
5587 in_core (const struct module *mod, uint64_t addr)
5588 {
5589- return addr - (uint64_t) mod->module_core < mod->core_size;
5590+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
5591 }
5592
5593 static inline int
5594@@ -675,7 +699,14 @@ do_reloc (struct module *mod, uint8_t r_type, Elf64_Sym *sym, uint64_t addend,
5595 break;
5596
5597 case RV_BDREL:
5598- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
5599+ if (in_init_rx(mod, val))
5600+ val -= (uint64_t) mod->module_init_rx;
5601+ else if (in_init_rw(mod, val))
5602+ val -= (uint64_t) mod->module_init_rw;
5603+ else if (in_core_rx(mod, val))
5604+ val -= (uint64_t) mod->module_core_rx;
5605+ else if (in_core_rw(mod, val))
5606+ val -= (uint64_t) mod->module_core_rw;
5607 break;
5608
5609 case RV_LTV:
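Review bot: The new `RV_BDREL` chain ends without a final `else`, so a `val` that lies in none of the four regions is passed on unrebased, whereas the removed line always subtracted either the init or the core base. If that case cannot occur, say so with `/* val is always inside one of the module's regions here */`; otherwise reject the relocation, for example `else return -ENOEXEC;`. The return type of do_reloc is outside this hunk, so the exact error path needs checking against the rest of the function.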
5610@@ -810,15 +841,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs, const char *strtab, unsigned int symind
5611 * addresses have been selected...
5612 */
5613 uint64_t gp;
5614- if (mod->core_size > MAX_LTOFF)
5615+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
5616 /*
5617 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
5618 * at the end of the module.
5619 */
5620- gp = mod->core_size - MAX_LTOFF / 2;
5621+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
5622 else
5623- gp = mod->core_size / 2;
5624- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
5625+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
5626+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
5627 mod->arch.gp = gp;
5628 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
5629 }
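Review bot: `gp` is now an offset into the combined `core_size_rx + core_size_rw` but is added to `module_core_rx` alone, which is only correct if the RW region is mapped directly behind the RX region. Nothing in this hunk establishes that layout, and the retained comment still relies on SHF_ARCH_SMALL being "at the end of the module". If the two regions can be allocated separately, gp may point outside both of them. At minimum add `/* assumes module_core_rw immediately follows module_core_rx */` above the final assignment, or derive gp from the region that actually holds the small-data sections. apply_relocate_add starts and ends outside the hunk.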
5630diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c
5631index c39c3cd..3c77738 100644
5632--- a/arch/ia64/kernel/palinfo.c
5633+++ b/arch/ia64/kernel/palinfo.c
5634@@ -980,7 +980,7 @@ static int palinfo_cpu_callback(struct notifier_block *nfb,
5635 return NOTIFY_OK;
5636 }
5637
5638-static struct notifier_block __refdata palinfo_cpu_notifier =
5639+static struct notifier_block palinfo_cpu_notifier =
5640 {
5641 .notifier_call = palinfo_cpu_callback,
5642 .priority = 0,
5643diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
5644index 41e33f8..65180b2a 100644
5645--- a/arch/ia64/kernel/sys_ia64.c
5646+++ b/arch/ia64/kernel/sys_ia64.c
5647@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5648 unsigned long align_mask = 0;
5649 struct mm_struct *mm = current->mm;
5650 struct vm_unmapped_area_info info;
5651+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
5652
5653 if (len > RGN_MAP_LIMIT)
5654 return -ENOMEM;
5655@@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5656 if (REGION_NUMBER(addr) == RGN_HPAGE)
5657 addr = 0;
5658 #endif
5659+
5660+#ifdef CONFIG_PAX_RANDMMAP
5661+ if (mm->pax_flags & MF_PAX_RANDMMAP)
5662+ addr = mm->free_area_cache;
5663+ else
5664+#endif
5665+
5666 if (!addr)
5667 addr = TASK_UNMAPPED_BASE;
5668
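Review bot: The added `else` is followed by `#endif` and a blank line, so it silently binds to the pre-existing `if (!addr)` only when CONFIG_PAX_RANDMMAP is set, which is easy to break when the code underneath is edited. I would drop the blank line and mark the binding, `else /* falls through to the if (!addr) below */`, or restructure so each configuration has a complete statement. With MF_PAX_RANDMMAP set the caller's `addr` hint is overwritten unconditionally by `mm->free_area_cache`; a one-line comment saying that hints are ignored on purpose would help. The function body continues outside the hunk.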
5669@@ -61,6 +69,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5670 info.high_limit = TASK_SIZE;
5671 info.align_mask = align_mask;
5672 info.align_offset = 0;
5673+ info.threadstack_offset = offset;
5674 return vm_unmapped_area(&info);
5675 }
5676
5677diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
5678index dc506b0..39baade 100644
5679--- a/arch/ia64/kernel/vmlinux.lds.S
5680+++ b/arch/ia64/kernel/vmlinux.lds.S
5681@@ -171,7 +171,7 @@ SECTIONS {
5682 /* Per-cpu data: */
5683 . = ALIGN(PERCPU_PAGE_SIZE);
5684 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
5685- __phys_per_cpu_start = __per_cpu_load;
5686+ __phys_per_cpu_start = per_cpu_load;
5687 /*
5688 * ensure percpu data fits
5689 * into percpu page size
5690diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
5691index 70b40d1..01a9a28 100644
5692--- a/arch/ia64/mm/fault.c
5693+++ b/arch/ia64/mm/fault.c
5694@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned long address)
5695 return pte_present(pte);
5696 }
5697
5698+#ifdef CONFIG_PAX_PAGEEXEC
5699+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5700+{
5701+ unsigned long i;
5702+
5703+ printk(KERN_ERR "PAX: bytes at PC: ");
5704+ for (i = 0; i < 8; i++) {
5705+ unsigned int c;
5706+ if (get_user(c, (unsigned int *)pc+i))
5707+ printk(KERN_CONT "???????? ");
5708+ else
5709+ printk(KERN_CONT "%08x ", c);
5710+ }
5711+ printk("\n");
5712+}
5713+#endif
5714+
5715 # define VM_READ_BIT 0
5716 # define VM_WRITE_BIT 1
5717 # define VM_EXEC_BIT 2
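Review bot: The closing `printk("\n")` in `pax_report_insns` has no `KERN_CONT`, unlike the continuation calls in the loop, so the terminator may be logged as a separate default-level message; use `printk(KERN_CONT "\n");`. The `get_user` argument is cast to a plain `unsigned int *` although it is dereferenced as a user pointer, so sparse will complain; `(unsigned int __user *)pc + i` states the address space. A short header comment that the function dumps eight 32-bit words at the faulting PC and that `sp` and `regs` are unused would also help.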
5718@@ -151,8 +168,21 @@ retry:
5719 if (((isr >> IA64_ISR_R_BIT) & 1UL) && (!(vma->vm_flags & (VM_READ | VM_WRITE))))
5720 goto bad_area;
5721
5722- if ((vma->vm_flags & mask) != mask)
5723+ if ((vma->vm_flags & mask) != mask) {
5724+
5725+#ifdef CONFIG_PAX_PAGEEXEC
5726+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
5727+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
5728+ goto bad_area;
5729+
5730+ up_read(&mm->mmap_sem);
5731+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
5732+ do_group_exit(SIGKILL);
5733+ }
5734+#endif
5735+
5736 goto bad_area;
5737+ }
5738
5739 /*
5740 * If for any reason at all we couldn't handle the fault, make
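Review bot: The PAGEEXEC branch drops `mmap_sem` with `up_read` and then relies on `do_group_exit(SIGKILL)` never returning; without a comment, the trailing `goto bad_area` looks reachable with the semaphore already released. I would add `/* does not return */` after the `do_group_exit` call. A sentence above the inner `if` would also help: only an instruction fetch at the faulting address (`address == regs->cr_iip`) in a PAGEEXEC-enabled mm is reported, everything else takes the normal bad_area path. The surrounding function starts and ends outside the hunk.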
5741diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c
5742index f50d4b3..c7975ee 100644
5743--- a/arch/ia64/mm/hugetlbpage.c
5744+++ b/arch/ia64/mm/hugetlbpage.c
5745@@ -138,6 +138,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
5746 unsigned long pgoff, unsigned long flags)
5747 {
5748 struct vm_unmapped_area_info info;
5749+ unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags);
5750
5751 if (len > RGN_MAP_LIMIT)
5752 return -ENOMEM;
5753@@ -161,6 +162,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
5754 info.high_limit = HPAGE_REGION_BASE + RGN_MAP_LIMIT;
5755 info.align_mask = PAGE_MASK & (HPAGE_SIZE - 1);
5756 info.align_offset = 0;
5757+ info.threadstack_offset = offset;
5758 return vm_unmapped_area(&info);
5759 }
5760
5761diff --git a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
5762index 97e48b0..fc59c36 100644
5763--- a/arch/ia64/mm/init.c
5764+++ b/arch/ia64/mm/init.c
5765@@ -119,6 +119,19 @@ ia64_init_addr_space (void)
5766 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
5767 vma->vm_end = vma->vm_start + PAGE_SIZE;
5768 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
5769+
5770+#ifdef CONFIG_PAX_PAGEEXEC
5771+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
5772+ vma->vm_flags &= ~VM_EXEC;
5773+
5774+#ifdef CONFIG_PAX_MPROTECT
5775+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
5776+ vma->vm_flags &= ~VM_MAYEXEC;
5777+#endif
5778+
5779+ }
5780+#endif
5781+
5782 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5783 down_write(&current->mm->mmap_sem);
5784 if (insert_vm_struct(current->mm, vma)) {
5785@@ -279,7 +292,7 @@ static int __init gate_vma_init(void)
5786 gate_vma.vm_start = FIXADDR_USER_START;
5787 gate_vma.vm_end = FIXADDR_USER_END;
5788 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
5789- gate_vma.vm_page_prot = __P101;
5790+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
5791
5792 return 0;
5793 }
5794diff --git a/arch/m32r/include/asm/cache.h b/arch/m32r/include/asm/cache.h
5795index 40b3ee98..8c2c112 100644
5796--- a/arch/m32r/include/asm/cache.h
5797+++ b/arch/m32r/include/asm/cache.h
5798@@ -1,8 +1,10 @@
5799 #ifndef _ASM_M32R_CACHE_H
5800 #define _ASM_M32R_CACHE_H
5801
5802+#include <linux/const.h>
5803+
5804 /* L1 cache line size */
5805 #define L1_CACHE_SHIFT 4
5806-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5807+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5808
5809 #endif /* _ASM_M32R_CACHE_H */
5810diff --git a/arch/m32r/lib/usercopy.c b/arch/m32r/lib/usercopy.c
5811index 82abd15..d95ae5d 100644
5812--- a/arch/m32r/lib/usercopy.c
5813+++ b/arch/m32r/lib/usercopy.c
5814@@ -14,6 +14,9 @@
5815 unsigned long
5816 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
5817 {
5818+ if ((long)n < 0)
5819+ return n;
5820+
5821 prefetch(from);
5822 if (access_ok(VERIFY_WRITE, to, n))
5823 __copy_user(to,from,n);
5824@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
5825 unsigned long
5826 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
5827 {
5828+ if ((long)n < 0)
5829+ return n;
5830+
5831 prefetchw(to);
5832 if (access_ok(VERIFY_READ, from, n))
5833 __copy_user_zeroing(to,from,n);
5834diff --git a/arch/m68k/include/asm/cache.h b/arch/m68k/include/asm/cache.h
5835index 0395c51..5f26031 100644
5836--- a/arch/m68k/include/asm/cache.h
5837+++ b/arch/m68k/include/asm/cache.h
5838@@ -4,9 +4,11 @@
5839 #ifndef __ARCH_M68K_CACHE_H
5840 #define __ARCH_M68K_CACHE_H
5841
5842+#include <linux/const.h>
5843+
5844 /* bytes per L1 cache line */
5845 #define L1_CACHE_SHIFT 4
5846-#define L1_CACHE_BYTES (1<< L1_CACHE_SHIFT)
5847+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5848
5849 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5850
5851diff --git a/arch/metag/include/asm/barrier.h b/arch/metag/include/asm/barrier.h
5852index 5a696e5..070490d 100644
5853--- a/arch/metag/include/asm/barrier.h
5854+++ b/arch/metag/include/asm/barrier.h
5855@@ -90,7 +90,7 @@ static inline void fence(void)
5856 do { \
5857 compiletime_assert_atomic_type(*p); \
5858 smp_mb(); \
5859- ACCESS_ONCE(*p) = (v); \
5860+ ACCESS_ONCE_RW(*p) = (v); \
5861 } while (0)
5862
5863 #define smp_load_acquire(p) \
5864diff --git a/arch/metag/mm/hugetlbpage.c b/arch/metag/mm/hugetlbpage.c
5865index 53f0f6c..2dc07fd 100644
5866--- a/arch/metag/mm/hugetlbpage.c
5867+++ b/arch/metag/mm/hugetlbpage.c
5868@@ -189,6 +189,7 @@ hugetlb_get_unmapped_area_new_pmd(unsigned long len)
5869 info.high_limit = TASK_SIZE;
5870 info.align_mask = PAGE_MASK & HUGEPT_MASK;
5871 info.align_offset = 0;
5872+ info.threadstack_offset = 0;
5873 return vm_unmapped_area(&info);
5874 }
5875
5876diff --git a/arch/microblaze/include/asm/cache.h b/arch/microblaze/include/asm/cache.h
5877index 4efe96a..60e8699 100644
5878--- a/arch/microblaze/include/asm/cache.h
5879+++ b/arch/microblaze/include/asm/cache.h
5880@@ -13,11 +13,12 @@
5881 #ifndef _ASM_MICROBLAZE_CACHE_H
5882 #define _ASM_MICROBLAZE_CACHE_H
5883
5884+#include <linux/const.h>
5885 #include <asm/registers.h>
5886
5887 #define L1_CACHE_SHIFT 5
5888 /* word-granular cache in microblaze */
5889-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5890+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5891
5892 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5893
5894diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
5895index 199a835..822b487 100644
5896--- a/arch/mips/Kconfig
5897+++ b/arch/mips/Kconfig
5898@@ -2591,6 +2591,7 @@ source "kernel/Kconfig.preempt"
5899
5900 config KEXEC
5901 bool "Kexec system call"
5902+ depends on !GRKERNSEC_KMEM
5903 help
5904 kexec is a system call that implements the ability to shutdown your
5905 current kernel, and to start another kernel. It is like a reboot
5906diff --git a/arch/mips/cavium-octeon/dma-octeon.c b/arch/mips/cavium-octeon/dma-octeon.c
5907index d8960d4..77dbd31 100644
5908--- a/arch/mips/cavium-octeon/dma-octeon.c
5909+++ b/arch/mips/cavium-octeon/dma-octeon.c
5910@@ -199,7 +199,7 @@ static void octeon_dma_free_coherent(struct device *dev, size_t size,
5911 if (dma_release_from_coherent(dev, order, vaddr))
5912 return;
5913
5914- swiotlb_free_coherent(dev, size, vaddr, dma_handle);
5915+ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs);
5916 }
5917
5918 static dma_addr_t octeon_unity_phys_to_dma(struct device *dev, phys_addr_t paddr)
5919diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
5920index 26d4363..3c9a82e 100644
5921--- a/arch/mips/include/asm/atomic.h
5922+++ b/arch/mips/include/asm/atomic.h
5923@@ -22,15 +22,39 @@
5924 #include <asm/cmpxchg.h>
5925 #include <asm/war.h>
5926
5927+#ifdef CONFIG_GENERIC_ATOMIC64
5928+#include <asm-generic/atomic64.h>
5929+#endif
5930+
5931 #define ATOMIC_INIT(i) { (i) }
5932
5933+#ifdef CONFIG_64BIT
5934+#define _ASM_EXTABLE(from, to) \
5935+" .section __ex_table,\"a\"\n" \
5936+" .dword " #from ", " #to"\n" \
5937+" .previous\n"
5938+#else
5939+#define _ASM_EXTABLE(from, to) \
5940+" .section __ex_table,\"a\"\n" \
5941+" .word " #from ", " #to"\n" \
5942+" .previous\n"
5943+#endif
5944+
5945 /*
5946 * atomic_read - read atomic variable
5947 * @v: pointer of type atomic_t
5948 *
5949 * Atomically reads the value of @v.
5950 */
5951-#define atomic_read(v) ACCESS_ONCE((v)->counter)
5952+static inline int atomic_read(const atomic_t *v)
5953+{
5954+ return ACCESS_ONCE(v->counter);
5955+}
5956+
5957+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5958+{
5959+ return ACCESS_ONCE(v->counter);
5960+}
5961
5962 /*
5963 * atomic_set - set atomic variable
5964@@ -39,47 +63,77 @@
5965 *
5966 * Atomically sets the value of @v to @i.
5967 */
5968-#define atomic_set(v, i) ((v)->counter = (i))
5969+static inline void atomic_set(atomic_t *v, int i)
5970+{
5971+ v->counter = i;
5972+}
5973
5974-#define ATOMIC_OP(op, c_op, asm_op) \
5975-static __inline__ void atomic_##op(int i, atomic_t * v) \
5976+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5977+{
5978+ v->counter = i;
5979+}
5980+
5981+#ifdef CONFIG_PAX_REFCOUNT
5982+#define __OVERFLOW_POST \
5983+ " b 4f \n" \
5984+ " .set noreorder \n" \
5985+ "3: b 5f \n" \
5986+ " move %0, %1 \n" \
5987+ " .set reorder \n"
5988+#define __OVERFLOW_EXTABLE \
5989+ "3:\n" \
5990+ _ASM_EXTABLE(2b, 3b)
5991+#else
5992+#define __OVERFLOW_POST
5993+#define __OVERFLOW_EXTABLE
5994+#endif
5995+
5996+#define __ATOMIC_OP(op, suffix, asm_op, extable) \
5997+static inline void atomic_##op##suffix(int i, atomic##suffix##_t * v) \
5998 { \
5999 if (kernel_uses_llsc && R10000_LLSC_WAR) { \
6000 int temp; \
6001 \
6002 __asm__ __volatile__( \
6003- " .set arch=r4000 \n" \
6004- "1: ll %0, %1 # atomic_" #op " \n" \
6005- " " #asm_op " %0, %2 \n" \
6006+ " .set mips3 \n" \
6007+ "1: ll %0, %1 # atomic_" #op #suffix "\n" \
6008+ "2: " #asm_op " %0, %2 \n" \
6009 " sc %0, %1 \n" \
6010 " beqzl %0, 1b \n" \
6011+ extable \
6012 " .set mips0 \n" \
6013 : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6014 : "Ir" (i)); \
6015 } else if (kernel_uses_llsc) { \
6016 int temp; \
6017 \
6018- do { \
6019- __asm__ __volatile__( \
6020- " .set "MIPS_ISA_LEVEL" \n" \
6021- " ll %0, %1 # atomic_" #op "\n" \
6022- " " #asm_op " %0, %2 \n" \
6023- " sc %0, %1 \n" \
6024- " .set mips0 \n" \
6025- : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6026- : "Ir" (i)); \
6027- } while (unlikely(!temp)); \
6028+ __asm__ __volatile__( \
6029+ " .set "MIPS_ISA_LEVEL" \n" \
6030+ "1: ll %0, %1 # atomic_" #op #suffix "\n" \
6031+ "2: " #asm_op " %0, %2 \n" \
6032+ " sc %0, %1 \n" \
6033+ " beqz %0, 1b \n" \
6034+ extable \
6035+ " .set mips0 \n" \
6036+ : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6037+ : "Ir" (i)); \
6038 } else { \
6039 unsigned long flags; \
6040 \
6041 raw_local_irq_save(flags); \
6042- v->counter c_op i; \
6043+ __asm__ __volatile__( \
6044+ "2: " #asm_op " %0, %1 \n" \
6045+ extable \
6046+ : "+r" (v->counter) : "Ir" (i)); \
6047 raw_local_irq_restore(flags); \
6048 } \
6049 }
6050
6051-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
6052-static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6053+#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, _unchecked, asm_op##u, ) \
6054+ __ATOMIC_OP(op, , asm_op, __OVERFLOW_EXTABLE)
6055+
6056+#define __ATOMIC_OP_RETURN(op, suffix, asm_op, post_op, extable) \
6057+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t * v) \
6058 { \
6059 int result; \
6060 \
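Review bot: `ATOMIC_OP` gives the plain `atomic_##op` variant the trapping mnemonic (`asm_op`, instantiated later as `add`/`sub`) even when CONFIG_PAX_REFCOUNT is off, yet in that configuration `__OVERFLOW_EXTABLE` expands to nothing. The removed code used `addu`/`subu`, so a non-REFCOUNT build would now take an overflow exception with no fixup entry where it previously wrapped. Selecting the mnemonic under the same `#ifdef` avoids that; `ATOMIC_OP_RETURN`, `ATOMIC64_OP` and `ATOMIC64_OP_RETURN` in the later hunks have the same shape. A comment that the `u` forms do not trap on signed overflow would also document why `_unchecked` uses `asm_op##u`.

```c
#ifdef CONFIG_PAX_REFCOUNT
#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, _unchecked, asm_op##u, )	\
	__ATOMIC_OP(op, , asm_op, __OVERFLOW_EXTABLE)
#else
/* no overflow fixup available: keep the non-trapping form for both variants */
#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, _unchecked, asm_op##u, )	\
	__ATOMIC_OP(op, , asm_op##u, )
#endif
```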
6061@@ -89,12 +143,15 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6062 int temp; \
6063 \
6064 __asm__ __volatile__( \
6065- " .set arch=r4000 \n" \
6066- "1: ll %1, %2 # atomic_" #op "_return \n" \
6067- " " #asm_op " %0, %1, %3 \n" \
6068+ " .set mips3 \n" \
6069+ "1: ll %1, %2 # atomic_" #op "_return" #suffix"\n" \
6070+ "2: " #asm_op " %0, %1, %3 \n" \
6071 " sc %0, %2 \n" \
6072 " beqzl %0, 1b \n" \
6073- " " #asm_op " %0, %1, %3 \n" \
6074+ post_op \
6075+ extable \
6076+ "4: " #asm_op " %0, %1, %3 \n" \
6077+ "5: \n" \
6078 " .set mips0 \n" \
6079 : "=&r" (result), "=&r" (temp), \
6080 "+" GCC_OFF_SMALL_ASM() (v->counter) \
6081@@ -102,26 +159,33 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6082 } else if (kernel_uses_llsc) { \
6083 int temp; \
6084 \
6085- do { \
6086- __asm__ __volatile__( \
6087- " .set "MIPS_ISA_LEVEL" \n" \
6088- " ll %1, %2 # atomic_" #op "_return \n" \
6089- " " #asm_op " %0, %1, %3 \n" \
6090- " sc %0, %2 \n" \
6091- " .set mips0 \n" \
6092- : "=&r" (result), "=&r" (temp), \
6093- "+" GCC_OFF_SMALL_ASM() (v->counter) \
6094- : "Ir" (i)); \
6095- } while (unlikely(!result)); \
6096+ __asm__ __volatile__( \
6097+ " .set "MIPS_ISA_LEVEL" \n" \
6098+ "1: ll %1, %2 # atomic_" #op "_return" #suffix "\n" \
6099+ "2: " #asm_op " %0, %1, %3 \n" \
6100+ " sc %0, %2 \n" \
6101+ post_op \
6102+ extable \
6103+ "4: " #asm_op " %0, %1, %3 \n" \
6104+ "5: \n" \
6105+ " .set mips0 \n" \
6106+ : "=&r" (result), "=&r" (temp), \
6107+ "+" GCC_OFF_SMALL_ASM() (v->counter) \
6108+ : "Ir" (i)); \
6109 \
6110 result = temp; result c_op i; \
6111 } else { \
6112 unsigned long flags; \
6113 \
6114 raw_local_irq_save(flags); \
6115- result = v->counter; \
6116- result c_op i; \
6117- v->counter = result; \
6118+ __asm__ __volatile__( \
6119+ " lw %0, %1 \n" \
6120+ "2: " #asm_op " %0, %1, %2 \n" \
6121+ " sw %0, %1 \n" \
6122+ "3: \n" \
6123+ extable \
6124+ : "=&r" (result), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6125+ : "Ir" (i)); \
6126 raw_local_irq_restore(flags); \
6127 } \
6128 \
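Review bot: The rewritten `kernel_uses_llsc` path of `__ATOMIC_OP_RETURN` drops the `do { } while (unlikely(!result))` retry and adds no branch after `sc`, so a failed store-conditional is not retried; the 64-bit counterpart in a later hunk does add `" beqz %0, 1b \n"`, and the same line is needed here after the `sc`. The retained context line `result = temp; result c_op i;` still names `c_op`, which is no longer a parameter of `__ATOMIC_OP_RETURN(op, suffix, asm_op, post_op, extable)`, so the expansion references an undeclared identifier; the same line survives in the `__ATOMIC64_OP_RETURN` hunk. Since labels `4:`/`5:` already leave the final value in `result`, that C statement looks removable. In the non-LLSC fallback, `#asm_op " %0, %1, %2"` passes the memory operand `%1` as a source register; `%0, %0, %2` appears to be what is meant.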
6129@@ -130,16 +194,21 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6130 return result; \
6131 }
6132
6133-#define ATOMIC_OPS(op, c_op, asm_op) \
6134- ATOMIC_OP(op, c_op, asm_op) \
6135- ATOMIC_OP_RETURN(op, c_op, asm_op)
6136+#define ATOMIC_OP_RETURN(op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, asm_op##u, , ) \
6137+ __ATOMIC_OP_RETURN(op, , asm_op, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
6138
6139-ATOMIC_OPS(add, +=, addu)
6140-ATOMIC_OPS(sub, -=, subu)
6141+#define ATOMIC_OPS(op, asm_op) \
6142+ ATOMIC_OP(op, asm_op) \
6143+ ATOMIC_OP_RETURN(op, asm_op)
6144+
6145+ATOMIC_OPS(add, add)
6146+ATOMIC_OPS(sub, sub)
6147
6148 #undef ATOMIC_OPS
6149 #undef ATOMIC_OP_RETURN
6150+#undef __ATOMIC_OP_RETURN
6151 #undef ATOMIC_OP
6152+#undef __ATOMIC_OP
6153
6154 /*
6155 * atomic_sub_if_positive - conditionally subtract integer from atomic variable
6156@@ -149,7 +218,7 @@ ATOMIC_OPS(sub, -=, subu)
6157 * Atomically test @v and subtract @i if @v is greater or equal than @i.
6158 * The function returns the old value of @v minus @i.
6159 */
6160-static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6161+static __inline__ int atomic_sub_if_positive(int i, atomic_t *v)
6162 {
6163 int result;
6164
6165@@ -159,7 +228,7 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6166 int temp;
6167
6168 __asm__ __volatile__(
6169- " .set arch=r4000 \n"
6170+ " .set "MIPS_ISA_LEVEL" \n"
6171 "1: ll %1, %2 # atomic_sub_if_positive\n"
6172 " subu %0, %1, %3 \n"
6173 " bltz %0, 1f \n"
6174@@ -208,8 +277,26 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6175 return result;
6176 }
6177
6178-#define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
6179-#define atomic_xchg(v, new) (xchg(&((v)->counter), (new)))
6180+static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6181+{
6182+ return cmpxchg(&v->counter, old, new);
6183+}
6184+
6185+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old,
6186+ int new)
6187+{
6188+ return cmpxchg(&(v->counter), old, new);
6189+}
6190+
6191+static inline int atomic_xchg(atomic_t *v, int new)
6192+{
6193+ return xchg(&v->counter, new);
6194+}
6195+
6196+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
6197+{
6198+ return xchg(&(v->counter), new);
6199+}
6200
6201 /**
6202 * __atomic_add_unless - add unless the number is a given value
6203@@ -237,6 +324,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6204
6205 #define atomic_dec_return(v) atomic_sub_return(1, (v))
6206 #define atomic_inc_return(v) atomic_add_return(1, (v))
6207+static __inline__ int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6208+{
6209+ return atomic_add_return_unchecked(1, v);
6210+}
6211
6212 /*
6213 * atomic_sub_and_test - subtract value from variable and test result
6214@@ -258,6 +349,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6215 * other cases.
6216 */
6217 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
6218+static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
6219+{
6220+ return atomic_add_return_unchecked(1, v) == 0;
6221+}
6222
6223 /*
6224 * atomic_dec_and_test - decrement by 1 and test
6225@@ -282,6 +377,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6226 * Atomically increments @v by 1.
6227 */
6228 #define atomic_inc(v) atomic_add(1, (v))
6229+static __inline__ void atomic_inc_unchecked(atomic_unchecked_t *v)
6230+{
6231+ atomic_add_unchecked(1, v);
6232+}
6233
6234 /*
6235 * atomic_dec - decrement and test
6236@@ -290,6 +389,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6237 * Atomically decrements @v by 1.
6238 */
6239 #define atomic_dec(v) atomic_sub(1, (v))
6240+static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
6241+{
6242+ atomic_sub_unchecked(1, v);
6243+}
6244
6245 /*
6246 * atomic_add_negative - add and test if negative
6247@@ -311,54 +414,77 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6248 * @v: pointer of type atomic64_t
6249 *
6250 */
6251-#define atomic64_read(v) ACCESS_ONCE((v)->counter)
6252+static inline long atomic64_read(const atomic64_t *v)
6253+{
6254+ return ACCESS_ONCE(v->counter);
6255+}
6256+
6257+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6258+{
6259+ return ACCESS_ONCE(v->counter);
6260+}
6261
6262 /*
6263 * atomic64_set - set atomic variable
6264 * @v: pointer of type atomic64_t
6265 * @i: required value
6266 */
6267-#define atomic64_set(v, i) ((v)->counter = (i))
6268+static inline void atomic64_set(atomic64_t *v, long i)
6269+{
6270+ v->counter = i;
6271+}
6272
6273-#define ATOMIC64_OP(op, c_op, asm_op) \
6274-static __inline__ void atomic64_##op(long i, atomic64_t * v) \
6275+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6276+{
6277+ v->counter = i;
6278+}
6279+
6280+#define __ATOMIC64_OP(op, suffix, asm_op, extable) \
6281+static inline void atomic64_##op##suffix(long i, atomic64##suffix##_t * v) \
6282 { \
6283 if (kernel_uses_llsc && R10000_LLSC_WAR) { \
6284 long temp; \
6285 \
6286 __asm__ __volatile__( \
6287- " .set arch=r4000 \n" \
6288- "1: lld %0, %1 # atomic64_" #op " \n" \
6289- " " #asm_op " %0, %2 \n" \
6290+ " .set "MIPS_ISA_LEVEL" \n" \
6291+ "1: lld %0, %1 # atomic64_" #op #suffix "\n" \
6292+ "2: " #asm_op " %0, %2 \n" \
6293 " scd %0, %1 \n" \
6294 " beqzl %0, 1b \n" \
6295+ extable \
6296 " .set mips0 \n" \
6297 : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6298 : "Ir" (i)); \
6299 } else if (kernel_uses_llsc) { \
6300 long temp; \
6301 \
6302- do { \
6303- __asm__ __volatile__( \
6304- " .set "MIPS_ISA_LEVEL" \n" \
6305- " lld %0, %1 # atomic64_" #op "\n" \
6306- " " #asm_op " %0, %2 \n" \
6307- " scd %0, %1 \n" \
6308- " .set mips0 \n" \
6309- : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6310- : "Ir" (i)); \
6311- } while (unlikely(!temp)); \
6312+ __asm__ __volatile__( \
6313+ " .set "MIPS_ISA_LEVEL" \n" \
6314+ "1: lld %0, %1 # atomic64_" #op #suffix "\n" \
6315+ "2: " #asm_op " %0, %2 \n" \
6316+ " scd %0, %1 \n" \
6317+ " beqz %0, 1b \n" \
6318+ extable \
6319+ " .set mips0 \n" \
6320+ : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6321+ : "Ir" (i)); \
6322 } else { \
6323 unsigned long flags; \
6324 \
6325 raw_local_irq_save(flags); \
6326- v->counter c_op i; \
6327+ __asm__ __volatile__( \
6328+ "2: " #asm_op " %0, %1 \n" \
6329+ extable \
6330+ : "+" GCC_OFF_SMALL_ASM() (v->counter) : "Ir" (i)); \
6331 raw_local_irq_restore(flags); \
6332 } \
6333 }
6334
6335-#define ATOMIC64_OP_RETURN(op, c_op, asm_op) \
6336-static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6337+#define ATOMIC64_OP(op, asm_op) __ATOMIC64_OP(op, _unchecked, asm_op##u, ) \
6338+ __ATOMIC64_OP(op, , asm_op, __OVERFLOW_EXTABLE)
6339+
6340+#define __ATOMIC64_OP_RETURN(op, suffix, asm_op, post_op, extable) \
6341+static inline long atomic64_##op##_return##suffix(long i, atomic64##suffix##_t * v)\
6342 { \
6343 long result; \
6344 \
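Review bot: The non-LLSC fallback of `__ATOMIC64_OP` binds `v->counter` with the memory constraint `"+" GCC_OFF_SMALL_ASM()` and then uses it as the destination of `#asm_op " %0, %1"`. The 32-bit `__ATOMIC_OP` fallback uses `"+r" (v->counter)` for the same instruction shape. An arithmetic instruction cannot take the memory operand that `lld`/`scd` take, so this should match the 32-bit form: `: "+r" (v->counter) : "Ir" (i));`. The macro body runs past the end of this hunk.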
6345@@ -368,12 +494,15 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6346 long temp; \
6347 \
6348 __asm__ __volatile__( \
6349- " .set arch=r4000 \n" \
6350+ " .set mips3 \n" \
6351 "1: lld %1, %2 # atomic64_" #op "_return\n" \
6352- " " #asm_op " %0, %1, %3 \n" \
6353+ "2: " #asm_op " %0, %1, %3 \n" \
6354 " scd %0, %2 \n" \
6355 " beqzl %0, 1b \n" \
6356- " " #asm_op " %0, %1, %3 \n" \
6357+ post_op \
6358+ extable \
6359+ "4: " #asm_op " %0, %1, %3 \n" \
6360+ "5: \n" \
6361 " .set mips0 \n" \
6362 : "=&r" (result), "=&r" (temp), \
6363 "+" GCC_OFF_SMALL_ASM() (v->counter) \
6364@@ -381,27 +510,35 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6365 } else if (kernel_uses_llsc) { \
6366 long temp; \
6367 \
6368- do { \
6369- __asm__ __volatile__( \
6370- " .set "MIPS_ISA_LEVEL" \n" \
6371- " lld %1, %2 # atomic64_" #op "_return\n" \
6372- " " #asm_op " %0, %1, %3 \n" \
6373- " scd %0, %2 \n" \
6374- " .set mips0 \n" \
6375- : "=&r" (result), "=&r" (temp), \
6376- "=" GCC_OFF_SMALL_ASM() (v->counter) \
6377- : "Ir" (i), GCC_OFF_SMALL_ASM() (v->counter) \
6378- : "memory"); \
6379- } while (unlikely(!result)); \
6380+ __asm__ __volatile__( \
6381+ " .set "MIPS_ISA_LEVEL" \n" \
6382+ "1: lld %1, %2 # atomic64_" #op "_return" #suffix "\n"\
6383+ "2: " #asm_op " %0, %1, %3 \n" \
6384+ " scd %0, %2 \n" \
6385+ " beqz %0, 1b \n" \
6386+ post_op \
6387+ extable \
6388+ "4: " #asm_op " %0, %1, %3 \n" \
6389+ "5: \n" \
6390+ " .set mips0 \n" \
6391+ : "=&r" (result), "=&r" (temp), \
6392+ "=" GCC_OFF_SMALL_ASM() (v->counter) \
6393+ : "Ir" (i), GCC_OFF_SMALL_ASM() (v->counter) \
6394+ : "memory"); \
6395 \
6396 result = temp; result c_op i; \
6397 } else { \
6398 unsigned long flags; \
6399 \
6400 raw_local_irq_save(flags); \
6401- result = v->counter; \
6402- result c_op i; \
6403- v->counter = result; \
6404+ __asm__ __volatile__( \
6405+ " ld %0, %1 \n" \
6406+ "2: " #asm_op " %0, %1, %2 \n" \
6407+ " sd %0, %1 \n" \
6408+ "3: \n" \
6409+ extable \
6410+ : "=&r" (result), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6411+ : "Ir" (i)); \
6412 raw_local_irq_restore(flags); \
6413 } \
6414 \
6415@@ -410,16 +547,23 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6416 return result; \
6417 }
6418
6419-#define ATOMIC64_OPS(op, c_op, asm_op) \
6420- ATOMIC64_OP(op, c_op, asm_op) \
6421- ATOMIC64_OP_RETURN(op, c_op, asm_op)
6422+#define ATOMIC64_OP_RETURN(op, asm_op) __ATOMIC64_OP_RETURN(op, _unchecked, asm_op##u, , ) \
6423+ __ATOMIC64_OP_RETURN(op, , asm_op, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
6424
6425-ATOMIC64_OPS(add, +=, daddu)
6426-ATOMIC64_OPS(sub, -=, dsubu)
6427+#define ATOMIC64_OPS(op, asm_op) \
6428+ ATOMIC64_OP(op, asm_op) \
6429+ ATOMIC64_OP_RETURN(op, asm_op)
6430+
6431+ATOMIC64_OPS(add, dadd)
6432+ATOMIC64_OPS(sub, dsub)
6433
6434 #undef ATOMIC64_OPS
6435 #undef ATOMIC64_OP_RETURN
6436+#undef __ATOMIC64_OP_RETURN
6437 #undef ATOMIC64_OP
6438+#undef __ATOMIC64_OP
6439+#undef __OVERFLOW_EXTABLE
6440+#undef __OVERFLOW_POST
6441
6442 /*
6443 * atomic64_sub_if_positive - conditionally subtract integer from atomic
6444@@ -430,7 +574,7 @@ ATOMIC64_OPS(sub, -=, dsubu)
6445 * Atomically test @v and subtract @i if @v is greater or equal than @i.
6446 * The function returns the old value of @v minus @i.
6447 */
6448-static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6449+static __inline__ long atomic64_sub_if_positive(long i, atomic64_t *v)
6450 {
6451 long result;
6452
6453@@ -440,7 +584,7 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6454 long temp;
6455
6456 __asm__ __volatile__(
6457- " .set arch=r4000 \n"
6458+ " .set "MIPS_ISA_LEVEL" \n"
6459 "1: lld %1, %2 # atomic64_sub_if_positive\n"
6460 " dsubu %0, %1, %3 \n"
6461 " bltz %0, 1f \n"
6462@@ -489,9 +633,26 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6463 return result;
6464 }
6465
6466-#define atomic64_cmpxchg(v, o, n) \
6467- ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
6468-#define atomic64_xchg(v, new) (xchg(&((v)->counter), (new)))
6469+static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6470+{
6471+ return cmpxchg(&v->counter, old, new);
6472+}
6473+
6474+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old,
6475+ long new)
6476+{
6477+ return cmpxchg(&(v->counter), old, new);
6478+}
6479+
6480+static inline long atomic64_xchg(atomic64_t *v, long new)
6481+{
6482+ return xchg(&v->counter, new);
6483+}
6484+
6485+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
6486+{
6487+ return xchg(&(v->counter), new);
6488+}
6489
6490 /**
6491 * atomic64_add_unless - add unless the number is a given value
6492@@ -521,6 +682,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6493
6494 #define atomic64_dec_return(v) atomic64_sub_return(1, (v))
6495 #define atomic64_inc_return(v) atomic64_add_return(1, (v))
6496+#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1, (v))
6497
6498 /*
6499 * atomic64_sub_and_test - subtract value from variable and test result
6500@@ -542,6 +704,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6501 * other cases.
6502 */
6503 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
6504+#define atomic64_inc_and_test_unchecked(v) atomic64_add_return_unchecked(1, (v)) == 0)
6505
6506 /*
6507 * atomic64_dec_and_test - decrement by 1 and test
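Review bot: The added `atomic64_inc_and_test_unchecked` macro has an unbalanced closing parenthesis, so its expansion is `atomic64_add_return_unchecked(1, (v)) == 0)` and any use fails to compile or mis-parses the surrounding expression. It should mirror the line above it: `#define atomic64_inc_and_test_unchecked(v) (atomic64_add_return_unchecked(1, (v)) == 0)`.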
6508@@ -566,6 +729,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6509 * Atomically increments @v by 1.
6510 */
6511 #define atomic64_inc(v) atomic64_add(1, (v))
6512+#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1, (v))
6513
6514 /*
6515 * atomic64_dec - decrement and test
6516@@ -574,6 +738,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6517 * Atomically decrements @v by 1.
6518 */
6519 #define atomic64_dec(v) atomic64_sub(1, (v))
6520+#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1, (v))
6521
6522 /*
6523 * atomic64_add_negative - add and test if negative
6524diff --git a/arch/mips/include/asm/barrier.h b/arch/mips/include/asm/barrier.h
6525index 7ecba84..21774af 100644
6526--- a/arch/mips/include/asm/barrier.h
6527+++ b/arch/mips/include/asm/barrier.h
6528@@ -133,7 +133,7 @@
6529 do { \
6530 compiletime_assert_atomic_type(*p); \
6531 smp_mb(); \
6532- ACCESS_ONCE(*p) = (v); \
6533+ ACCESS_ONCE_RW(*p) = (v); \
6534 } while (0)
6535
6536 #define smp_load_acquire(p) \
6537diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h
6538index b4db69f..8f3b093 100644
6539--- a/arch/mips/include/asm/cache.h
6540+++ b/arch/mips/include/asm/cache.h
6541@@ -9,10 +9,11 @@
6542 #ifndef _ASM_CACHE_H
6543 #define _ASM_CACHE_H
6544
6545+#include <linux/const.h>
6546 #include <kmalloc.h>
6547
6548 #define L1_CACHE_SHIFT CONFIG_MIPS_L1_CACHE_SHIFT
6549-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6550+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
6551
6552 #define SMP_CACHE_SHIFT L1_CACHE_SHIFT
6553 #define SMP_CACHE_BYTES L1_CACHE_BYTES
6554diff --git a/arch/mips/include/asm/elf.h b/arch/mips/include/asm/elf.h
6555index f19e890..a4f8177 100644
6556--- a/arch/mips/include/asm/elf.h
6557+++ b/arch/mips/include/asm/elf.h
6558@@ -417,6 +417,13 @@ extern const char *__elf_platform;
6559 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
6560 #endif
6561
6562+#ifdef CONFIG_PAX_ASLR
6563+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6564+
6565+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6566+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6567+#endif
6568+
6569 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
6570 struct linux_binprm;
6571 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
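Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `TASK_IS_32BIT_ADDR` test selects nothing. Either the 64-bit arm was meant to carry a different base, or the macro should be simplified to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The same three definitions are repeated verbatim in the binfmt_elfn32.c and binfmt_elfo32.c hunks of this patch, so the fix applies there too. A one-line comment on `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` saying that they give the number of randomized bits above the page offset (27 or 36 address bits minus `PAGE_SHIFT`) would help anyone checking the resulting ASLR entropy.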
6572diff --git a/arch/mips/include/asm/exec.h b/arch/mips/include/asm/exec.h
6573index c1f6afa..38cc6e9 100644
6574--- a/arch/mips/include/asm/exec.h
6575+++ b/arch/mips/include/asm/exec.h
6576@@ -12,6 +12,6 @@
6577 #ifndef _ASM_EXEC_H
6578 #define _ASM_EXEC_H
6579
6580-extern unsigned long arch_align_stack(unsigned long sp);
6581+#define arch_align_stack(x) ((x) & ~0xfUL)
6582
6583 #endif /* _ASM_EXEC_H */
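Review bot: The new `arch_align_stack(x)` macro hard-codes a 16-byte mask with no comment. The function it replaces (removed in the process.c hunk of this patch) used `ALMASK`, documented the 8-byte and 16-byte ABI requirements, and subtracted a random sub-page offset when randomization was enabled. The macro should say which of those is intentional, for example `/* 16-byte alignment covers both the 32-bit (8) and 64-bit (16) ABIs; no randomization is applied here */`. If stack randomization is now expected to come entirely from the PaX stack delta, stating that here keeps a later reader from mistaking the dropped `get_random_int()` step for a regression.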
6584diff --git a/arch/mips/include/asm/hw_irq.h b/arch/mips/include/asm/hw_irq.h
6585index 9e8ef59..1139d6b 100644
6586--- a/arch/mips/include/asm/hw_irq.h
6587+++ b/arch/mips/include/asm/hw_irq.h
6588@@ -10,7 +10,7 @@
6589
6590 #include <linux/atomic.h>
6591
6592-extern atomic_t irq_err_count;
6593+extern atomic_unchecked_t irq_err_count;
6594
6595 /*
6596 * interrupt-retrigger: NOP for now. This may not be appropriate for all
6597diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
6598index 8feaed6..1bd8a64 100644
6599--- a/arch/mips/include/asm/local.h
6600+++ b/arch/mips/include/asm/local.h
6601@@ -13,15 +13,25 @@ typedef struct
6602 atomic_long_t a;
6603 } local_t;
6604
6605+typedef struct {
6606+ atomic_long_unchecked_t a;
6607+} local_unchecked_t;
6608+
6609 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
6610
6611 #define local_read(l) atomic_long_read(&(l)->a)
6612+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
6613 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
6614+#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
6615
6616 #define local_add(i, l) atomic_long_add((i), (&(l)->a))
6617+#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a))
6618 #define local_sub(i, l) atomic_long_sub((i), (&(l)->a))
6619+#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a))
6620 #define local_inc(l) atomic_long_inc(&(l)->a)
6621+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
6622 #define local_dec(l) atomic_long_dec(&(l)->a)
6623+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
6624
6625 /*
6626 * Same as above, but return the result value
6627@@ -71,6 +81,51 @@ static __inline__ long local_add_return(long i, local_t * l)
6628 return result;
6629 }
6630
6631+static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l)
6632+{
6633+ unsigned long result;
6634+
6635+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
6636+ unsigned long temp;
6637+
6638+ __asm__ __volatile__(
6639+ " .set mips3 \n"
6640+ "1:" __LL "%1, %2 # local_add_return \n"
6641+ " addu %0, %1, %3 \n"
6642+ __SC "%0, %2 \n"
6643+ " beqzl %0, 1b \n"
6644+ " addu %0, %1, %3 \n"
6645+ " .set mips0 \n"
6646+ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
6647+ : "Ir" (i), "m" (l->a.counter)
6648+ : "memory");
6649+ } else if (kernel_uses_llsc) {
6650+ unsigned long temp;
6651+
6652+ __asm__ __volatile__(
6653+ " .set mips3 \n"
6654+ "1:" __LL "%1, %2 # local_add_return \n"
6655+ " addu %0, %1, %3 \n"
6656+ __SC "%0, %2 \n"
6657+ " beqz %0, 1b \n"
6658+ " addu %0, %1, %3 \n"
6659+ " .set mips0 \n"
6660+ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
6661+ : "Ir" (i), "m" (l->a.counter)
6662+ : "memory");
6663+ } else {
6664+ unsigned long flags;
6665+
6666+ local_irq_save(flags);
6667+ result = l->a.counter;
6668+ result += i;
6669+ l->a.counter = result;
6670+ local_irq_restore(flags);
6671+ }
6672+
6673+ return result;
6674+}
6675+
6676 static __inline__ long local_sub_return(long i, local_t * l)
6677 {
6678 unsigned long result;
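Review bot: In `local_add_return_unchecked` the inline-asm comment in both LL/SC branches still reads `# local_add_return`, copied from the checked variant. The two functions are therefore indistinguishable in generated assembly, and the tag should be `# local_add_return_unchecked`. The body is otherwise a line-for-line copy, so a short header comment would help, such as `/* same as local_add_return(), for counters that are exempt from overflow checking */`. It would tell maintainers to keep the two in sync.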
6679@@ -118,6 +173,8 @@ static __inline__ long local_sub_return(long i, local_t * l)
6680
6681 #define local_cmpxchg(l, o, n) \
6682 ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
6683+#define local_cmpxchg_unchecked(l, o, n) \
6684+ ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
6685 #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n)))
6686
6687 /**
6688diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h
6689index 89dd7fe..a123c97 100644
6690--- a/arch/mips/include/asm/page.h
6691+++ b/arch/mips/include/asm/page.h
6692@@ -118,7 +118,7 @@ extern void copy_user_highpage(struct page *to, struct page *from,
6693 #ifdef CONFIG_CPU_MIPS32
6694 typedef struct { unsigned long pte_low, pte_high; } pte_t;
6695 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
6696- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
6697+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
6698 #else
6699 typedef struct { unsigned long long pte; } pte_t;
6700 #define pte_val(x) ((x).pte)
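Review bot: The new `__pte(x)` drops the `(unsigned long long)` cast before `>> 32`, which makes the macro depend on the argument already being 64 bits wide. If any caller passes an `unsigned long` or `int` expression on this `CONFIG_CPU_MIPS32` path, the shift count equals or exceeds the operand width. That is undefined behaviour in C, and `pte_high` may receive garbage instead of zero. Unless every caller is known to pass a `pte_val()`-typed value, the widening should stay, `pte_t __pte = {(x), ((unsigned long long)(x)) >> 32};`. If the cast was removed to quiet a truncation checker, a comment should state that instead.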
6701diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
6702index b336037..5b874cc 100644
6703--- a/arch/mips/include/asm/pgalloc.h
6704+++ b/arch/mips/include/asm/pgalloc.h
6705@@ -37,6 +37,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
6706 {
6707 set_pud(pud, __pud((unsigned long)pmd));
6708 }
6709+
6710+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
6711+{
6712+ pud_populate(mm, pud, pmd);
6713+}
6714 #endif
6715
6716 /*
6717diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
6718index ae85694..4cdbba8 100644
6719--- a/arch/mips/include/asm/pgtable.h
6720+++ b/arch/mips/include/asm/pgtable.h
6721@@ -20,6 +20,9 @@
6722 #include <asm/io.h>
6723 #include <asm/pgtable-bits.h>
6724
6725+#define ktla_ktva(addr) (addr)
6726+#define ktva_ktla(addr) (addr)
6727+
6728 struct mm_struct;
6729 struct vm_area_struct;
6730
6731diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
6732index 9c0014e..5101ef5 100644
6733--- a/arch/mips/include/asm/thread_info.h
6734+++ b/arch/mips/include/asm/thread_info.h
6735@@ -100,6 +100,9 @@ static inline struct thread_info *current_thread_info(void)
6736 #define TIF_SECCOMP 4 /* secure computing */
6737 #define TIF_NOTIFY_RESUME 5 /* callback before returning to user */
6738 #define TIF_RESTORE_SIGMASK 9 /* restore signal mask in do_signal() */
6739+/* li takes a 32bit immediate */
6740+#define TIF_GRSEC_SETXID 10 /* update credentials on syscall entry/exit */
6741+
6742 #define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */
6743 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
6744 #define TIF_NOHZ 19 /* in adaptive nohz mode */
6745@@ -135,14 +138,16 @@ static inline struct thread_info *current_thread_info(void)
6746 #define _TIF_USEDMSA (1<<TIF_USEDMSA)
6747 #define _TIF_MSA_CTX_LIVE (1<<TIF_MSA_CTX_LIVE)
6748 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
6749+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
6750
6751 #define _TIF_WORK_SYSCALL_ENTRY (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
6752 _TIF_SYSCALL_AUDIT | \
6753- _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
6754+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | \
6755+ _TIF_GRSEC_SETXID)
6756
6757 /* work to do in syscall_trace_leave() */
6758 #define _TIF_WORK_SYSCALL_EXIT (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
6759- _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
6760+ _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
6761
6762 /* work to do on interrupt/exception return */
6763 #define _TIF_WORK_MASK \
6764@@ -150,7 +155,7 @@ static inline struct thread_info *current_thread_info(void)
6765 /* work to do on any return to u-space */
6766 #define _TIF_ALLWORK_MASK (_TIF_NOHZ | _TIF_WORK_MASK | \
6767 _TIF_WORK_SYSCALL_EXIT | \
6768- _TIF_SYSCALL_TRACEPOINT)
6769+ _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
6770
6771 /*
6772 * We stash processor id into a COP0 register to retrieve it fast
6773diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
6774index 5305d69..1da2bf5 100644
6775--- a/arch/mips/include/asm/uaccess.h
6776+++ b/arch/mips/include/asm/uaccess.h
6777@@ -146,6 +146,7 @@ static inline bool eva_kernel_access(void)
6778 __ok == 0; \
6779 })
6780
6781+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
6782 #define access_ok(type, addr, size) \
6783 likely(__access_ok((addr), (size), __access_mask))
6784
6785diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c
6786index 1188e00..41cf144 100644
6787--- a/arch/mips/kernel/binfmt_elfn32.c
6788+++ b/arch/mips/kernel/binfmt_elfn32.c
6789@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
6790 #undef ELF_ET_DYN_BASE
6791 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
6792
6793+#ifdef CONFIG_PAX_ASLR
6794+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6795+
6796+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6797+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6798+#endif
6799+
6800 #include <asm/processor.h>
6801 #include <linux/module.h>
6802 #include <linux/elfcore.h>
6803diff --git a/arch/mips/kernel/binfmt_elfo32.c b/arch/mips/kernel/binfmt_elfo32.c
6804index 9287678..f870e47 100644
6805--- a/arch/mips/kernel/binfmt_elfo32.c
6806+++ b/arch/mips/kernel/binfmt_elfo32.c
6807@@ -70,6 +70,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
6808 #undef ELF_ET_DYN_BASE
6809 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
6810
6811+#ifdef CONFIG_PAX_ASLR
6812+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6813+
6814+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6815+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6816+#endif
6817+
6818 #include <asm/processor.h>
6819
6820 #include <linux/module.h>
6821diff --git a/arch/mips/kernel/i8259.c b/arch/mips/kernel/i8259.c
6822index 74f6752..f3d7a47 100644
6823--- a/arch/mips/kernel/i8259.c
6824+++ b/arch/mips/kernel/i8259.c
6825@@ -205,7 +205,7 @@ spurious_8259A_irq:
6826 printk(KERN_DEBUG "spurious 8259A interrupt: IRQ%d.\n", irq);
6827 spurious_irq_mask |= irqmask;
6828 }
6829- atomic_inc(&irq_err_count);
6830+ atomic_inc_unchecked(&irq_err_count);
6831 /*
6832 * Theoretically we do not have to handle this IRQ,
6833 * but in Linux this does not cause problems and is
6834diff --git a/arch/mips/kernel/irq-gt641xx.c b/arch/mips/kernel/irq-gt641xx.c
6835index 44a1f79..2bd6aa3 100644
6836--- a/arch/mips/kernel/irq-gt641xx.c
6837+++ b/arch/mips/kernel/irq-gt641xx.c
6838@@ -110,7 +110,7 @@ void gt641xx_irq_dispatch(void)
6839 }
6840 }
6841
6842- atomic_inc(&irq_err_count);
6843+ atomic_inc_unchecked(&irq_err_count);
6844 }
6845
6846 void __init gt641xx_irq_init(void)
6847diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
6848index 8eb5af8..2baf465 100644
6849--- a/arch/mips/kernel/irq.c
6850+++ b/arch/mips/kernel/irq.c
6851@@ -34,17 +34,17 @@ void ack_bad_irq(unsigned int irq)
6852 printk("unexpected IRQ # %d\n", irq);
6853 }
6854
6855-atomic_t irq_err_count;
6856+atomic_unchecked_t irq_err_count;
6857
6858 int arch_show_interrupts(struct seq_file *p, int prec)
6859 {
6860- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
6861+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
6862 return 0;
6863 }
6864
6865 asmlinkage void spurious_interrupt(void)
6866 {
6867- atomic_inc(&irq_err_count);
6868+ atomic_inc_unchecked(&irq_err_count);
6869 }
6870
6871 void __init init_IRQ(void)
6872@@ -58,6 +58,8 @@ void __init init_IRQ(void)
6873 }
6874
6875 #ifdef CONFIG_DEBUG_STACKOVERFLOW
6876+
6877+extern void gr_handle_kernel_exploit(void);
6878 static inline void check_stack_overflow(void)
6879 {
6880 unsigned long sp;
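Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in this .c file, inside the `CONFIG_DEBUG_STACKOVERFLOW` block, rather than taken from a header. A local prototype is never checked against the definition, so a later signature change would compile silently here. The declaration should come from the shared header that defines the grsecurity hooks. The ptrace.c hunk further down does the same with `gr_delayed_cred_worker`. `check_stack_overflow` continues past the end of this hunk.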
6881@@ -73,6 +75,7 @@ static inline void check_stack_overflow(void)
6882 printk("do_IRQ: stack overflow: %ld\n",
6883 sp - sizeof(struct thread_info));
6884 dump_stack();
6885+ gr_handle_kernel_exploit();
6886 }
6887 }
6888 #else
6889diff --git a/arch/mips/kernel/pm-cps.c b/arch/mips/kernel/pm-cps.c
6890index 0614717..002fa43 100644
6891--- a/arch/mips/kernel/pm-cps.c
6892+++ b/arch/mips/kernel/pm-cps.c
6893@@ -172,7 +172,7 @@ int cps_pm_enter_state(enum cps_pm_state state)
6894 nc_core_ready_count = nc_addr;
6895
6896 /* Ensure ready_count is zero-initialised before the assembly runs */
6897- ACCESS_ONCE(*nc_core_ready_count) = 0;
6898+ ACCESS_ONCE_RW(*nc_core_ready_count) = 0;
6899 coupled_barrier(&per_cpu(pm_barrier, core), online);
6900
6901 /* Run the generated entry code */
6902diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
6903index f2975d4..f61d355 100644
6904--- a/arch/mips/kernel/process.c
6905+++ b/arch/mips/kernel/process.c
6906@@ -541,18 +541,6 @@ out:
6907 return pc;
6908 }
6909
6910-/*
6911- * Don't forget that the stack pointer must be aligned on a 8 bytes
6912- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
6913- */
6914-unsigned long arch_align_stack(unsigned long sp)
6915-{
6916- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6917- sp -= get_random_int() & ~PAGE_MASK;
6918-
6919- return sp & ALMASK;
6920-}
6921-
6922 static void arch_dump_stack(void *info)
6923 {
6924 struct pt_regs *regs;
6925diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
6926index e933a30..0d02625 100644
6927--- a/arch/mips/kernel/ptrace.c
6928+++ b/arch/mips/kernel/ptrace.c
6929@@ -785,6 +785,10 @@ long arch_ptrace(struct task_struct *child, long request,
6930 return ret;
6931 }
6932
6933+#ifdef CONFIG_GRKERNSEC_SETXID
6934+extern void gr_delayed_cred_worker(void);
6935+#endif
6936+
6937 /*
6938 * Notification of system call entry/exit
6939 * - triggered by current->work.syscall_trace
6940@@ -803,6 +807,11 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
6941 tracehook_report_syscall_entry(regs))
6942 ret = -1;
6943
6944+#ifdef CONFIG_GRKERNSEC_SETXID
6945+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
6946+ gr_delayed_cred_worker();
6947+#endif
6948+
6949 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
6950 trace_sys_enter(regs, regs->regs[2]);
6951
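Review bot: Only the entry path consumes `TIF_GRSEC_SETXID` here, yet this patch also adds the flag to the exit mask. `syscall_trace_enter` clears it and runs `gr_delayed_cred_worker()`, the thread_info.h change adds `_TIF_GRSEC_SETXID` to `_TIF_WORK_SYSCALL_EXIT`, and no hunk in this file touches `syscall_trace_leave`. If the leave path is meant to apply delayed credentials too, it needs the same `if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID))) gr_delayed_cred_worker();` guard. Otherwise the exit-mask entry only forces the slow path and should carry a comment saying so. `syscall_trace_enter` starts and ends outside the hunk, so this is inferred from the diff alone.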
6952diff --git a/arch/mips/kernel/sync-r4k.c b/arch/mips/kernel/sync-r4k.c
6953index 2242bdd..b284048 100644
6954--- a/arch/mips/kernel/sync-r4k.c
6955+++ b/arch/mips/kernel/sync-r4k.c
6956@@ -18,8 +18,8 @@
6957 #include <asm/mipsregs.h>
6958
6959 static atomic_t count_start_flag = ATOMIC_INIT(0);
6960-static atomic_t count_count_start = ATOMIC_INIT(0);
6961-static atomic_t count_count_stop = ATOMIC_INIT(0);
6962+static atomic_unchecked_t count_count_start = ATOMIC_INIT(0);
6963+static atomic_unchecked_t count_count_stop = ATOMIC_INIT(0);
6964 static atomic_t count_reference = ATOMIC_INIT(0);
6965
6966 #define COUNTON 100
6967@@ -58,13 +58,13 @@ void synchronise_count_master(int cpu)
6968
6969 for (i = 0; i < NR_LOOPS; i++) {
6970 /* slaves loop on '!= 2' */
6971- while (atomic_read(&count_count_start) != 1)
6972+ while (atomic_read_unchecked(&count_count_start) != 1)
6973 mb();
6974- atomic_set(&count_count_stop, 0);
6975+ atomic_set_unchecked(&count_count_stop, 0);
6976 smp_wmb();
6977
6978 /* this lets the slaves write their count register */
6979- atomic_inc(&count_count_start);
6980+ atomic_inc_unchecked(&count_count_start);
6981
6982 /*
6983 * Everyone initialises count in the last loop:
6984@@ -75,11 +75,11 @@ void synchronise_count_master(int cpu)
6985 /*
6986 * Wait for all slaves to leave the synchronization point:
6987 */
6988- while (atomic_read(&count_count_stop) != 1)
6989+ while (atomic_read_unchecked(&count_count_stop) != 1)
6990 mb();
6991- atomic_set(&count_count_start, 0);
6992+ atomic_set_unchecked(&count_count_start, 0);
6993 smp_wmb();
6994- atomic_inc(&count_count_stop);
6995+ atomic_inc_unchecked(&count_count_stop);
6996 }
6997 /* Arrange for an interrupt in a short while */
6998 write_c0_compare(read_c0_count() + COUNTON);
6999@@ -112,8 +112,8 @@ void synchronise_count_slave(int cpu)
7000 initcount = atomic_read(&count_reference);
7001
7002 for (i = 0; i < NR_LOOPS; i++) {
7003- atomic_inc(&count_count_start);
7004- while (atomic_read(&count_count_start) != 2)
7005+ atomic_inc_unchecked(&count_count_start);
7006+ while (atomic_read_unchecked(&count_count_start) != 2)
7007 mb();
7008
7009 /*
7010@@ -122,8 +122,8 @@ void synchronise_count_slave(int cpu)
7011 if (i == NR_LOOPS-1)
7012 write_c0_count(initcount);
7013
7014- atomic_inc(&count_count_stop);
7015- while (atomic_read(&count_count_stop) != 2)
7016+ atomic_inc_unchecked(&count_count_stop);
7017+ while (atomic_read_unchecked(&count_count_stop) != 2)
7018 mb();
7019 }
7020 /* Arrange for an interrupt in a short while */
7021diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
7022index 8ea28e6..c8873d5 100644
7023--- a/arch/mips/kernel/traps.c
7024+++ b/arch/mips/kernel/traps.c
7025@@ -697,7 +697,18 @@ asmlinkage void do_ov(struct pt_regs *regs)
7026 siginfo_t info;
7027
7028 prev_state = exception_enter();
7029- die_if_kernel("Integer overflow", regs);
7030+ if (unlikely(!user_mode(regs))) {
7031+
7032+#ifdef CONFIG_PAX_REFCOUNT
7033+ if (fixup_exception(regs)) {
7034+ pax_report_refcount_overflow(regs);
7035+ exception_exit(prev_state);
7036+ return;
7037+ }
7038+#endif
7039+
7040+ die("Integer overflow", regs);
7041+ }
7042
7043 info.si_code = FPE_INTOVF;
7044 info.si_signo = SIGFPE;
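Review bot: The new kernel-mode branch in `do_ov` has no comment explaining its policy. Under `CONFIG_PAX_REFCOUNT`, any in-kernel overflow trap that has an exception-table fixup is reported as a refcount overflow and execution resumes, and everything else still dies. That is a security-relevant decision and should be stated at the `if`, for example `/* kernel-mode overflow: a fixup entry means a checked atomic op trapped; report it and resume, otherwise this is fatal */`. A reader should also be able to tell that the non-PaX build keeps the old `die_if_kernel` behaviour through `die()`. The rest of `do_ov` lies outside the hunk.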
7045diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
7046index cd4c129..290c518 100644
7047--- a/arch/mips/kvm/mips.c
7048+++ b/arch/mips/kvm/mips.c
7049@@ -1016,7 +1016,7 @@ long kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
7050 return r;
7051 }
7052
7053-int kvm_arch_init(void *opaque)
7054+int kvm_arch_init(const void *opaque)
7055 {
7056 if (kvm_mips_callbacks) {
7057 kvm_err("kvm: module already exists\n");
7058diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
7059index 852a41c..75b9d38 100644
7060--- a/arch/mips/mm/fault.c
7061+++ b/arch/mips/mm/fault.c
7062@@ -31,6 +31,23 @@
7063
7064 int show_unhandled_signals = 1;
7065
7066+#ifdef CONFIG_PAX_PAGEEXEC
7067+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
7068+{
7069+ unsigned long i;
7070+
7071+ printk(KERN_ERR "PAX: bytes at PC: ");
7072+ for (i = 0; i < 5; i++) {
7073+ unsigned int c;
7074+ if (get_user(c, (unsigned int *)pc+i))
7075+ printk(KERN_CONT "???????? ");
7076+ else
7077+ printk(KERN_CONT "%08x ", c);
7078+ }
7079+ printk("\n");
7080+}
7081+#endif
7082+
7083 /*
7084 * This routine handles page faults. It determines the address,
7085 * and the problem, and then passes it off to one of the appropriate
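Review bot: In `pax_report_insns` the closing `printk("\n")` carries no log level, while the preceding fragments use `KERN_CONT`. The newline can therefore be emitted as a separate record instead of terminating the "bytes at PC" line, so it should be `printk(KERN_CONT "\n");`. The user pointer handed to `get_user` is built with a plain cast, and `(unsigned int __user *)pc + i` would keep the address-space annotation visible to sparse. The `regs` and `sp` parameters are unused in this body. If the signature is fixed by a common caller, a short comment saying so would explain that.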
7086@@ -207,6 +224,14 @@ bad_area:
7087 bad_area_nosemaphore:
7088 /* User mode accesses just cause a SIGSEGV */
7089 if (user_mode(regs)) {
7090+
7091+#ifdef CONFIG_PAX_PAGEEXEC
7092+ if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) {
7093+ pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs));
7094+ do_group_exit(SIGKILL);
7095+ }
7096+#endif
7097+
7098 tsk->thread.cp0_badvaddr = address;
7099 tsk->thread.error_code = write;
7100 if (show_unhandled_signals &&
7101diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
7102index 5c81fdd..db158d3 100644
7103--- a/arch/mips/mm/mmap.c
7104+++ b/arch/mips/mm/mmap.c
7105@@ -59,6 +59,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7106 struct vm_area_struct *vma;
7107 unsigned long addr = addr0;
7108 int do_color_align;
7109+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
7110 struct vm_unmapped_area_info info;
7111
7112 if (unlikely(len > TASK_SIZE))
7113@@ -84,6 +85,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7114 do_color_align = 1;
7115
7116 /* requesting a specific address */
7117+
7118+#ifdef CONFIG_PAX_RANDMMAP
7119+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
7120+#endif
7121+
7122 if (addr) {
7123 if (do_color_align)
7124 addr = COLOUR_ALIGN(addr, pgoff);
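Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` guards the following `if (addr) {` only by adjacency, across an `#endif` and a blank line. An edit that inserts a statement between them would silently change what the PaX check controls. Wrapping the condition into the existing test, or at least adding a comment such as `/* guards the if (addr) block below */`, makes the dependency explicit. The same construct is used in the `arch_pick_mmap_layout` hunk of this file. The line also dereferences `current->mm`, although the function already uses a local `mm` in `find_vma(mm, addr)`, so `mm->pax_flags` would be consistent. The enclosing function starts and ends outside the hunk.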
7125@@ -91,14 +97,14 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7126 addr = PAGE_ALIGN(addr);
7127
7128 vma = find_vma(mm, addr);
7129- if (TASK_SIZE - len >= addr &&
7130- (!vma || addr + len <= vma->vm_start))
7131+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
7132 return addr;
7133 }
7134
7135 info.length = len;
7136 info.align_mask = do_color_align ? (PAGE_MASK & shm_align_mask) : 0;
7137 info.align_offset = pgoff << PAGE_SHIFT;
7138+ info.threadstack_offset = offset;
7139
7140 if (dir == DOWN) {
7141 info.flags = VM_UNMAPPED_AREA_TOPDOWN;
7142@@ -160,45 +166,34 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7143 {
7144 unsigned long random_factor = 0UL;
7145
7146+#ifdef CONFIG_PAX_RANDMMAP
7147+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7148+#endif
7149+
7150 if (current->flags & PF_RANDOMIZE)
7151 random_factor = arch_mmap_rnd();
7152
7153 if (mmap_is_legacy()) {
7154 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
7155+
7156+#ifdef CONFIG_PAX_RANDMMAP
7157+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7158+ mm->mmap_base += mm->delta_mmap;
7159+#endif
7160+
7161 mm->get_unmapped_area = arch_get_unmapped_area;
7162 } else {
7163 mm->mmap_base = mmap_base(random_factor);
7164+
7165+#ifdef CONFIG_PAX_RANDMMAP
7166+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7167+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7168+#endif
7169+
7170 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
7171 }
7172 }
7173
7174-static inline unsigned long brk_rnd(void)
7175-{
7176- unsigned long rnd = get_random_int();
7177-
7178- rnd = rnd << PAGE_SHIFT;
7179- /* 8MB for 32bit, 256MB for 64bit */
7180- if (TASK_IS_32BIT_ADDR)
7181- rnd = rnd & 0x7ffffful;
7182- else
7183- rnd = rnd & 0xffffffful;
7184-
7185- return rnd;
7186-}
7187-
7188-unsigned long arch_randomize_brk(struct mm_struct *mm)
7189-{
7190- unsigned long base = mm->brk;
7191- unsigned long ret;
7192-
7193- ret = PAGE_ALIGN(base + brk_rnd());
7194-
7195- if (ret < mm->brk)
7196- return mm->brk;
7197-
7198- return ret;
7199-}
7200-
7201 int __virt_addr_valid(const volatile void *kaddr)
7202 {
7203 return pfn_valid(PFN_DOWN(virt_to_phys(kaddr)));
7204diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c
7205index a2358b4..7cead4f 100644
7206--- a/arch/mips/sgi-ip27/ip27-nmi.c
7207+++ b/arch/mips/sgi-ip27/ip27-nmi.c
7208@@ -187,9 +187,9 @@ void
7209 cont_nmi_dump(void)
7210 {
7211 #ifndef REAL_NMI_SIGNAL
7212- static atomic_t nmied_cpus = ATOMIC_INIT(0);
7213+ static atomic_unchecked_t nmied_cpus = ATOMIC_INIT(0);
7214
7215- atomic_inc(&nmied_cpus);
7216+ atomic_inc_unchecked(&nmied_cpus);
7217 #endif
7218 /*
7219 * Only allow 1 cpu to proceed
7220@@ -233,7 +233,7 @@ cont_nmi_dump(void)
7221 udelay(10000);
7222 }
7223 #else
7224- while (atomic_read(&nmied_cpus) != num_online_cpus());
7225+ while (atomic_read_unchecked(&nmied_cpus) != num_online_cpus());
7226 #endif
7227
7228 /*
7229diff --git a/arch/mips/sni/rm200.c b/arch/mips/sni/rm200.c
7230index a046b30..6799527 100644
7231--- a/arch/mips/sni/rm200.c
7232+++ b/arch/mips/sni/rm200.c
7233@@ -270,7 +270,7 @@ spurious_8259A_irq:
7234 "spurious RM200 8259A interrupt: IRQ%d.\n", irq);
7235 spurious_irq_mask |= irqmask;
7236 }
7237- atomic_inc(&irq_err_count);
7238+ atomic_inc_unchecked(&irq_err_count);
7239 /*
7240 * Theoretically we do not have to handle this IRQ,
7241 * but in Linux this does not cause problems and is
7242diff --git a/arch/mips/vr41xx/common/icu.c b/arch/mips/vr41xx/common/icu.c
7243index 41e873b..34d33a7 100644
7244--- a/arch/mips/vr41xx/common/icu.c
7245+++ b/arch/mips/vr41xx/common/icu.c
7246@@ -653,7 +653,7 @@ static int icu_get_irq(unsigned int irq)
7247
7248 printk(KERN_ERR "spurious ICU interrupt: %04x,%04x\n", pend1, pend2);
7249
7250- atomic_inc(&irq_err_count);
7251+ atomic_inc_unchecked(&irq_err_count);
7252
7253 return -1;
7254 }
7255diff --git a/arch/mips/vr41xx/common/irq.c b/arch/mips/vr41xx/common/irq.c
7256index ae0e4ee..e8f0692 100644
7257--- a/arch/mips/vr41xx/common/irq.c
7258+++ b/arch/mips/vr41xx/common/irq.c
7259@@ -64,7 +64,7 @@ static void irq_dispatch(unsigned int irq)
7260 irq_cascade_t *cascade;
7261
7262 if (irq >= NR_IRQS) {
7263- atomic_inc(&irq_err_count);
7264+ atomic_inc_unchecked(&irq_err_count);
7265 return;
7266 }
7267
7268@@ -84,7 +84,7 @@ static void irq_dispatch(unsigned int irq)
7269 ret = cascade->get_irq(irq);
7270 irq = ret;
7271 if (ret < 0)
7272- atomic_inc(&irq_err_count);
7273+ atomic_inc_unchecked(&irq_err_count);
7274 else
7275 irq_dispatch(irq);
7276 if (!irqd_irq_disabled(idata) && chip->irq_unmask)
7277diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h
7278index 967d144..db12197 100644
7279--- a/arch/mn10300/proc-mn103e010/include/proc/cache.h
7280+++ b/arch/mn10300/proc-mn103e010/include/proc/cache.h
7281@@ -11,12 +11,14 @@
7282 #ifndef _ASM_PROC_CACHE_H
7283 #define _ASM_PROC_CACHE_H
7284
7285+#include <linux/const.h>
7286+
7287 /* L1 cache */
7288
7289 #define L1_CACHE_NWAYS 4 /* number of ways in caches */
7290 #define L1_CACHE_NENTRIES 256 /* number of entries in each way */
7291-#define L1_CACHE_BYTES 16 /* bytes per entry */
7292 #define L1_CACHE_SHIFT 4 /* shift for bytes per entry */
7293+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */
7294 #define L1_CACHE_WAYDISP 0x1000 /* displacement of one way from the next */
7295
7296 #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */
7297diff --git a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7298index bcb5df2..84fabd2 100644
7299--- a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7300+++ b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7301@@ -16,13 +16,15 @@
7302 #ifndef _ASM_PROC_CACHE_H
7303 #define _ASM_PROC_CACHE_H
7304
7305+#include <linux/const.h>
7306+
7307 /*
7308 * L1 cache
7309 */
7310 #define L1_CACHE_NWAYS 4 /* number of ways in caches */
7311 #define L1_CACHE_NENTRIES 128 /* number of entries in each way */
7312-#define L1_CACHE_BYTES 32 /* bytes per entry */
7313 #define L1_CACHE_SHIFT 5 /* shift for bytes per entry */
7314+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */
7315 #define L1_CACHE_WAYDISP 0x1000 /* distance from one way to the next */
7316
7317 #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */
7318diff --git a/arch/openrisc/include/asm/cache.h b/arch/openrisc/include/asm/cache.h
7319index 4ce7a01..449202a 100644
7320--- a/arch/openrisc/include/asm/cache.h
7321+++ b/arch/openrisc/include/asm/cache.h
7322@@ -19,11 +19,13 @@
7323 #ifndef __ASM_OPENRISC_CACHE_H
7324 #define __ASM_OPENRISC_CACHE_H
7325
7326+#include <linux/const.h>
7327+
7328 /* FIXME: How can we replace these with values from the CPU...
7329 * they shouldn't be hard-coded!
7330 */
7331
7332-#define L1_CACHE_BYTES 16
7333 #define L1_CACHE_SHIFT 4
7334+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7335
7336 #endif /* __ASM_OPENRISC_CACHE_H */
7337diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
7338index 226f8ca9..9d9b87d 100644
7339--- a/arch/parisc/include/asm/atomic.h
7340+++ b/arch/parisc/include/asm/atomic.h
7341@@ -273,6 +273,16 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
7342 return dec;
7343 }
7344
7345+#define atomic64_read_unchecked(v) atomic64_read(v)
7346+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
7347+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
7348+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
7349+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
7350+#define atomic64_inc_unchecked(v) atomic64_inc(v)
7351+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
7352+#define atomic64_dec_unchecked(v) atomic64_dec(v)
7353+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
7354+
7355 #endif /* !CONFIG_64BIT */
7356
7357
7358diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h
7359index 47f11c7..3420df2 100644
7360--- a/arch/parisc/include/asm/cache.h
7361+++ b/arch/parisc/include/asm/cache.h
7362@@ -5,6 +5,7 @@
7363 #ifndef __ARCH_PARISC_CACHE_H
7364 #define __ARCH_PARISC_CACHE_H
7365
7366+#include <linux/const.h>
7367
7368 /*
7369 * PA 2.0 processors have 64-byte cachelines; PA 1.1 processors have
7370@@ -15,13 +16,13 @@
7371 * just ruin performance.
7372 */
7373 #ifdef CONFIG_PA20
7374-#define L1_CACHE_BYTES 64
7375 #define L1_CACHE_SHIFT 6
7376 #else
7377-#define L1_CACHE_BYTES 32
7378 #define L1_CACHE_SHIFT 5
7379 #endif
7380
7381+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7382+
7383 #ifndef __ASSEMBLY__
7384
7385 #define SMP_CACHE_BYTES L1_CACHE_BYTES
7386diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h
7387index 78c9fd3..42fa66a 100644
7388--- a/arch/parisc/include/asm/elf.h
7389+++ b/arch/parisc/include/asm/elf.h
7390@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration... */
7391
7392 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
7393
7394+#ifdef CONFIG_PAX_ASLR
7395+#define PAX_ELF_ET_DYN_BASE 0x10000UL
7396+
7397+#define PAX_DELTA_MMAP_LEN 16
7398+#define PAX_DELTA_STACK_LEN 16
7399+#endif
7400+
7401 /* This yields a mask that user programs can use to figure out what
7402 instruction set this CPU supports. This could be done in user space,
7403 but it's not easy, and we've already done it here. */
7404diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h
7405index 3edbb9f..08fef28 100644
7406--- a/arch/parisc/include/asm/pgalloc.h
7407+++ b/arch/parisc/include/asm/pgalloc.h
7408@@ -61,6 +61,11 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
7409 (__u32)(__pa((unsigned long)pmd) >> PxD_VALUE_SHIFT));
7410 }
7411
7412+static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
7413+{
7414+ pgd_populate(mm, pgd, pmd);
7415+}
7416+
7417 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
7418 {
7419 pmd_t *pmd = (pmd_t *)__get_free_pages(GFP_KERNEL|__GFP_REPEAT,
7420@@ -97,6 +102,7 @@ static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd)
7421 #define pmd_alloc_one(mm, addr) ({ BUG(); ((pmd_t *)2); })
7422 #define pmd_free(mm, x) do { } while (0)
7423 #define pgd_populate(mm, pmd, pte) BUG()
7424+#define pgd_populate_kernel(mm, pmd, pte) BUG()
7425
7426 #endif
7427
7428diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
7429index f93c4a4..cfd5663 100644
7430--- a/arch/parisc/include/asm/pgtable.h
7431+++ b/arch/parisc/include/asm/pgtable.h
7432@@ -231,6 +231,17 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
7433 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
7434 #define PAGE_COPY PAGE_EXECREAD
7435 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
7436+
7437+#ifdef CONFIG_PAX_PAGEEXEC
7438+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
7439+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
7440+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
7441+#else
7442+# define PAGE_SHARED_NOEXEC PAGE_SHARED
7443+# define PAGE_COPY_NOEXEC PAGE_COPY
7444+# define PAGE_READONLY_NOEXEC PAGE_READONLY
7445+#endif
7446+
7447 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
7448 #define PAGE_KERNEL_EXEC __pgprot(_PAGE_KERNEL_EXEC)
7449 #define PAGE_KERNEL_RWX __pgprot(_PAGE_KERNEL_RWX)
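Review bot: The `_NOEXEC` names in the `#else` branch do not guarantee a non-executable protection. `PAGE_COPY_NOEXEC` falls back to `PAGE_COPY`, which two lines above the added block is defined as `PAGE_EXECREAD` and therefore carries `_PAGE_EXEC`. A caller reading only the name could assume W^X where none is enforced, so the fallback deserves a comment, for example `/* without CONFIG_PAX_PAGEEXEC the _NOEXEC names alias the regular protections and may still include _PAGE_EXEC */`. In the PAGEEXEC branch, `PAGE_COPY_NOEXEC` and `PAGE_READONLY_NOEXEC` expand to the same bits; defining one in terms of the other would make that explicit.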
7450diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
7451index 0abdd4c..1af92f0 100644
7452--- a/arch/parisc/include/asm/uaccess.h
7453+++ b/arch/parisc/include/asm/uaccess.h
7454@@ -243,10 +243,10 @@ static inline unsigned long __must_check copy_from_user(void *to,
7455 const void __user *from,
7456 unsigned long n)
7457 {
7458- int sz = __compiletime_object_size(to);
7459+ size_t sz = __compiletime_object_size(to);
7460 int ret = -EFAULT;
7461
7462- if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
7463+ if (likely(sz == (size_t)-1 || !__builtin_constant_p(n) || sz >= n))
7464 ret = __copy_from_user(to, from, n);
7465 else
7466 copy_from_user_overflow();
7467diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
7468index 3c63a82..b1d6ee9 100644
7469--- a/arch/parisc/kernel/module.c
7470+++ b/arch/parisc/kernel/module.c
7471@@ -98,16 +98,38 @@
7472
7473 /* three functions to determine where in the module core
7474 * or init pieces the location is */
7475+static inline int in_init_rx(struct module *me, void *loc)
7476+{
7477+ return (loc >= me->module_init_rx &&
7478+ loc < (me->module_init_rx + me->init_size_rx));
7479+}
7480+
7481+static inline int in_init_rw(struct module *me, void *loc)
7482+{
7483+ return (loc >= me->module_init_rw &&
7484+ loc < (me->module_init_rw + me->init_size_rw));
7485+}
7486+
7487 static inline int in_init(struct module *me, void *loc)
7488 {
7489- return (loc >= me->module_init &&
7490- loc <= (me->module_init + me->init_size));
7491+ return in_init_rx(me, loc) || in_init_rw(me, loc);
7492+}
7493+
7494+static inline int in_core_rx(struct module *me, void *loc)
7495+{
7496+ return (loc >= me->module_core_rx &&
7497+ loc < (me->module_core_rx + me->core_size_rx));
7498+}
7499+
7500+static inline int in_core_rw(struct module *me, void *loc)
7501+{
7502+ return (loc >= me->module_core_rw &&
7503+ loc < (me->module_core_rw + me->core_size_rw));
7504 }
7505
7506 static inline int in_core(struct module *me, void *loc)
7507 {
7508- return (loc >= me->module_core &&
7509- loc <= (me->module_core + me->core_size));
7510+ return in_core_rx(me, loc) || in_core_rw(me, loc);
7511 }
7512
7513 static inline int in_local(struct module *me, void *loc)
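Review bot: The comment "three functions to determine where in the module core or init pieces the location is" is stale, since it now sits above six range helpers plus `in_local()`. The new helpers also change the upper bound from `<=` to `<`, which is worth stating because the old `in_init()`/`in_core()` accepted the one-past-the-end address. I would replace the comment with `/* helpers telling whether loc lies in the module's init or core RX/RW region; ranges are half-open: [base, base + size) */`. The body of `in_local()` is outside this hunk, so whether it needs the same bound change cannot be judged from here.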
7514@@ -367,13 +389,13 @@ int module_frob_arch_sections(CONST Elf_Ehdr *hdr,
7515 }
7516
7517 /* align things a bit */
7518- me->core_size = ALIGN(me->core_size, 16);
7519- me->arch.got_offset = me->core_size;
7520- me->core_size += gots * sizeof(struct got_entry);
7521+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
7522+ me->arch.got_offset = me->core_size_rw;
7523+ me->core_size_rw += gots * sizeof(struct got_entry);
7524
7525- me->core_size = ALIGN(me->core_size, 16);
7526- me->arch.fdesc_offset = me->core_size;
7527- me->core_size += fdescs * sizeof(Elf_Fdesc);
7528+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
7529+ me->arch.fdesc_offset = me->core_size_rw;
7530+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
7531
7532 me->arch.got_max = gots;
7533 me->arch.fdesc_max = fdescs;
7534@@ -391,7 +413,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
7535
7536 BUG_ON(value == 0);
7537
7538- got = me->module_core + me->arch.got_offset;
7539+ got = me->module_core_rw + me->arch.got_offset;
7540 for (i = 0; got[i].addr; i++)
7541 if (got[i].addr == value)
7542 goto out;
7543@@ -409,7 +431,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
7544 #ifdef CONFIG_64BIT
7545 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
7546 {
7547- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
7548+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
7549
7550 if (!value) {
7551 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
7552@@ -427,7 +449,7 @@ static Elf_Addr get_fdesc(struct module *me, unsigned long value)
7553
7554 /* Create new one */
7555 fdesc->addr = value;
7556- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
7557+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
7558 return (Elf_Addr)fdesc;
7559 }
7560 #endif /* CONFIG_64BIT */
7561@@ -839,7 +861,7 @@ register_unwind_table(struct module *me,
7562
7563 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
7564 end = table + sechdrs[me->arch.unwind_section].sh_size;
7565- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
7566+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
7567
7568 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
7569 me->arch.unwind_section, table, end, gp);
7570diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
7571index 5aba01a..47cdd5a 100644
7572--- a/arch/parisc/kernel/sys_parisc.c
7573+++ b/arch/parisc/kernel/sys_parisc.c
7574@@ -92,6 +92,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7575 unsigned long task_size = TASK_SIZE;
7576 int do_color_align, last_mmap;
7577 struct vm_unmapped_area_info info;
7578+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
7579
7580 if (len > task_size)
7581 return -ENOMEM;
7582@@ -109,6 +110,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7583 goto found_addr;
7584 }
7585
7586+#ifdef CONFIG_PAX_RANDMMAP
7587+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7588+#endif
7589+
7590 if (addr) {
7591 if (do_color_align && last_mmap)
7592 addr = COLOR_ALIGN(addr, last_mmap, pgoff);
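Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and governs the following `if (addr) {` only through the preprocessor, with a blank line in between. That is easy to break, because any statement later inserted between the two lines silently becomes the guarded statement instead. I would drop the blank line and put a comment directly above the `#ifdef`, for example `/* PaX: when RANDMMAP is active the if (addr) block below is skipped */`. The same construct is repeated in `arch_get_unmapped_area_topdown()`, where the existing "requesting a specific address" comment ends up above the `#ifdef` rather than above the `if (addr)` it describes. `mm` is not declared in the visible lines, so its definition earlier in each function should be confirmed.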
7593@@ -127,6 +132,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7594 info.high_limit = mmap_upper_limit();
7595 info.align_mask = last_mmap ? (PAGE_MASK & (SHM_COLOUR - 1)) : 0;
7596 info.align_offset = shared_align_offset(last_mmap, pgoff);
7597+ info.threadstack_offset = offset;
7598 addr = vm_unmapped_area(&info);
7599
7600 found_addr:
7601@@ -146,6 +152,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7602 unsigned long addr = addr0;
7603 int do_color_align, last_mmap;
7604 struct vm_unmapped_area_info info;
7605+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
7606
7607 #ifdef CONFIG_64BIT
7608 /* This should only ever run for 32-bit processes. */
7609@@ -170,6 +177,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7610 }
7611
7612 /* requesting a specific address */
7613+#ifdef CONFIG_PAX_RANDMMAP
7614+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7615+#endif
7616+
7617 if (addr) {
7618 if (do_color_align && last_mmap)
7619 addr = COLOR_ALIGN(addr, last_mmap, pgoff);
7620@@ -187,6 +198,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7621 info.high_limit = mm->mmap_base;
7622 info.align_mask = last_mmap ? (PAGE_MASK & (SHM_COLOUR - 1)) : 0;
7623 info.align_offset = shared_align_offset(last_mmap, pgoff);
7624+ info.threadstack_offset = offset;
7625 addr = vm_unmapped_area(&info);
7626 if (!(addr & ~PAGE_MASK))
7627 goto found_addr;
7628@@ -252,6 +264,13 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7629 mm->mmap_legacy_base = mmap_legacy_base();
7630 mm->mmap_base = mmap_upper_limit();
7631
7632+#ifdef CONFIG_PAX_RANDMMAP
7633+ if (mm->pax_flags & MF_PAX_RANDMMAP) {
7634+ mm->mmap_legacy_base += mm->delta_mmap;
7635+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7636+ }
7637+#endif
7638+
7639 if (mmap_is_legacy()) {
7640 mm->mmap_base = mm->mmap_legacy_base;
7641 mm->get_unmapped_area = arch_get_unmapped_area;
7642diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
7643index b99b39f..e3915ae 100644
7644--- a/arch/parisc/kernel/traps.c
7645+++ b/arch/parisc/kernel/traps.c
7646@@ -722,9 +722,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
7647
7648 down_read(&current->mm->mmap_sem);
7649 vma = find_vma(current->mm,regs->iaoq[0]);
7650- if (vma && (regs->iaoq[0] >= vma->vm_start)
7651- && (vma->vm_flags & VM_EXEC)) {
7652-
7653+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
7654 fault_address = regs->iaoq[0];
7655 fault_space = regs->iasq[0];
7656
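Review bot: The `(vma->vm_flags & VM_EXEC)` test is removed from this condition for every configuration, not only under CONFIG_PAX_PAGEEXEC, and nothing on the new line says why. Judging from the fault.c part of this patch, where trap code 7 is now classified as `VM_EXEC` in `parisc_acctyp()`, the intent seems to be that fetches from non-executable mappings reach the page-fault handler and are classified there. That is an inference, since the rest of `handle_interruption()` lies outside the hunk. A comment such as `/* PaX: let the fault handler see fetches from non-executable vmas too */` above the `if` would record it, and any existing comment above the hunk that describes the permission check should be rechecked.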
7657diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
7658index 15503ad..4b1b8b6 100644
7659--- a/arch/parisc/mm/fault.c
7660+++ b/arch/parisc/mm/fault.c
7661@@ -16,6 +16,7 @@
7662 #include <linux/interrupt.h>
7663 #include <linux/module.h>
7664 #include <linux/uaccess.h>
7665+#include <linux/unistd.h>
7666
7667 #include <asm/traps.h>
7668
7669@@ -50,7 +51,7 @@ int show_unhandled_signals = 1;
7670 static unsigned long
7671 parisc_acctyp(unsigned long code, unsigned int inst)
7672 {
7673- if (code == 6 || code == 16)
7674+ if (code == 6 || code == 7 || code == 16)
7675 return VM_EXEC;
7676
7677 switch (inst & 0xf0000000) {
7678@@ -136,6 +137,116 @@ parisc_acctyp(unsigned long code, unsigned int inst)
7679 }
7680 #endif
7681
7682+#ifdef CONFIG_PAX_PAGEEXEC
7683+/*
7684+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
7685+ *
7686+ * returns 1 when task should be killed
7687+ * 2 when rt_sigreturn trampoline was detected
7688+ * 3 when unpatched PLT trampoline was detected
7689+ */
7690+static int pax_handle_fetch_fault(struct pt_regs *regs)
7691+{
7692+
7693+#ifdef CONFIG_PAX_EMUPLT
7694+ int err;
7695+
7696+ do { /* PaX: unpatched PLT emulation */
7697+ unsigned int bl, depwi;
7698+
7699+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
7700+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
7701+
7702+ if (err)
7703+ break;
7704+
7705+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
7706+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
7707+
7708+ err = get_user(ldw, (unsigned int *)addr);
7709+ err |= get_user(bv, (unsigned int *)(addr+4));
7710+ err |= get_user(ldw2, (unsigned int *)(addr+8));
7711+
7712+ if (err)
7713+ break;
7714+
7715+ if (ldw == 0x0E801096U &&
7716+ bv == 0xEAC0C000U &&
7717+ ldw2 == 0x0E881095U)
7718+ {
7719+ unsigned int resolver, map;
7720+
7721+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
7722+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
7723+ if (err)
7724+ break;
7725+
7726+ regs->gr[20] = instruction_pointer(regs)+8;
7727+ regs->gr[21] = map;
7728+ regs->gr[22] = resolver;
7729+ regs->iaoq[0] = resolver | 3UL;
7730+ regs->iaoq[1] = regs->iaoq[0] + 4;
7731+ return 3;
7732+ }
7733+ }
7734+ } while (0);
7735+#endif
7736+
7737+#ifdef CONFIG_PAX_EMUTRAMP
7738+
7739+#ifndef CONFIG_PAX_EMUSIGRT
7740+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
7741+ return 1;
7742+#endif
7743+
7744+ do { /* PaX: rt_sigreturn emulation */
7745+ unsigned int ldi1, ldi2, bel, nop;
7746+
7747+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
7748+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
7749+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
7750+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
7751+
7752+ if (err)
7753+ break;
7754+
7755+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
7756+ ldi2 == 0x3414015AU &&
7757+ bel == 0xE4008200U &&
7758+ nop == 0x08000240U)
7759+ {
7760+ regs->gr[25] = (ldi1 & 2) >> 1;
7761+ regs->gr[20] = __NR_rt_sigreturn;
7762+ regs->gr[31] = regs->iaoq[1] + 16;
7763+ regs->sr[0] = regs->iasq[1];
7764+ regs->iaoq[0] = 0x100UL;
7765+ regs->iaoq[1] = regs->iaoq[0] + 4;
7766+ regs->iasq[0] = regs->sr[2];
7767+ regs->iasq[1] = regs->sr[2];
7768+ return 2;
7769+ }
7770+ } while (0);
7771+#endif
7772+
7773+ return 1;
7774+}
7775+
7776+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
7777+{
7778+ unsigned long i;
7779+
7780+ printk(KERN_ERR "PAX: bytes at PC: ");
7781+ for (i = 0; i < 5; i++) {
7782+ unsigned int c;
7783+ if (get_user(c, (unsigned int *)pc+i))
7784+ printk(KERN_CONT "???????? ");
7785+ else
7786+ printk(KERN_CONT "%08x ", c);
7787+ }
7788+ printk("\n");
7789+}
7790+#endif
7791+
7792 int fixup_exception(struct pt_regs *regs)
7793 {
7794 const struct exception_table_entry *fix;
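Review bot: In `pax_handle_fetch_fault()`, `int err;` is declared only inside `#ifdef CONFIG_PAX_EMUPLT`, but the rt_sigreturn block under `#ifdef CONFIG_PAX_EMUTRAMP` assigns and tests `err` as well. A configuration with EMUTRAMP and without EMUPLT would not compile unless Kconfig forbids that combination, which is not visible here. Declaring it under `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` / `int err;` / `#endif` at the top of the function removes the dependency. In the PLT block, `addr` is an `unsigned int` initialised from `instruction_pointer(regs)-12`, which would truncate on a 64-bit kernel. `unsigned long` is the safer type unless this path is known to serve 32-bit tasks only.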
7795@@ -234,8 +345,33 @@ retry:
7796
7797 good_area:
7798
7799- if ((vma->vm_flags & acc_type) != acc_type)
7800+ if ((vma->vm_flags & acc_type) != acc_type) {
7801+
7802+#ifdef CONFIG_PAX_PAGEEXEC
7803+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
7804+ (address & ~3UL) == instruction_pointer(regs))
7805+ {
7806+ up_read(&mm->mmap_sem);
7807+ switch (pax_handle_fetch_fault(regs)) {
7808+
7809+#ifdef CONFIG_PAX_EMUPLT
7810+ case 3:
7811+ return;
7812+#endif
7813+
7814+#ifdef CONFIG_PAX_EMUTRAMP
7815+ case 2:
7816+ return;
7817+#endif
7818+
7819+ }
7820+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
7821+ do_group_exit(SIGKILL);
7822+ }
7823+#endif
7824+
7825 goto bad_area;
7826+ }
7827
7828 /*
7829 * If for any reason at all we couldn't handle the fault, make
7830diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
7831index 5ef2711..21be2c3 100644
7832--- a/arch/powerpc/Kconfig
7833+++ b/arch/powerpc/Kconfig
7834@@ -415,6 +415,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE
7835 config KEXEC
7836 bool "kexec system call"
7837 depends on (PPC_BOOK3S || FSL_BOOKE || (44x && !SMP))
7838+ depends on !GRKERNSEC_KMEM
7839 help
7840 kexec is a system call that implements the ability to shutdown your
7841 current kernel, and to start another kernel. It is like a reboot
7842diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h
7843index 512d278..d31fadd 100644
7844--- a/arch/powerpc/include/asm/atomic.h
7845+++ b/arch/powerpc/include/asm/atomic.h
7846@@ -12,6 +12,11 @@
7847
7848 #define ATOMIC_INIT(i) { (i) }
7849
7850+#define _ASM_EXTABLE(from, to) \
7851+" .section __ex_table,\"a\"\n" \
7852+ PPC_LONG" " #from ", " #to"\n" \
7853+" .previous\n"
7854+
7855 static __inline__ int atomic_read(const atomic_t *v)
7856 {
7857 int t;
7858@@ -21,39 +26,80 @@ static __inline__ int atomic_read(const atomic_t *v)
7859 return t;
7860 }
7861
7862+static __inline__ int atomic_read_unchecked(const atomic_unchecked_t *v)
7863+{
7864+ int t;
7865+
7866+ __asm__ __volatile__("lwz%U1%X1 %0,%1" : "=r"(t) : "m"(v->counter));
7867+
7868+ return t;
7869+}
7870+
7871 static __inline__ void atomic_set(atomic_t *v, int i)
7872 {
7873 __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
7874 }
7875
7876-#define ATOMIC_OP(op, asm_op) \
7877-static __inline__ void atomic_##op(int a, atomic_t *v) \
7878+static __inline__ void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7879+{
7880+ __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
7881+}
7882+
7883+#ifdef CONFIG_PAX_REFCOUNT
7884+#define __REFCOUNT_OP(op) op##o.
7885+#define __OVERFLOW_PRE \
7886+ " mcrxr cr0\n"
7887+#define __OVERFLOW_POST \
7888+ " bf 4*cr0+so, 3f\n" \
7889+ "2: .long 0x00c00b00\n" \
7890+ "3:\n"
7891+#define __OVERFLOW_EXTABLE \
7892+ "\n4:\n"
7893+ _ASM_EXTABLE(2b, 4b)
7894+#else
7895+#define __REFCOUNT_OP(op) op
7896+#define __OVERFLOW_PRE
7897+#define __OVERFLOW_POST
7898+#define __OVERFLOW_EXTABLE
7899+#endif
7900+
7901+#define __ATOMIC_OP(op, suffix, pre_op, asm_op, post_op, extable) \
7902+static inline void atomic_##op##suffix(int a, atomic##suffix##_t *v) \
7903 { \
7904 int t; \
7905 \
7906 __asm__ __volatile__( \
7907-"1: lwarx %0,0,%3 # atomic_" #op "\n" \
7908+"1: lwarx %0,0,%3 # atomic_" #op #suffix "\n" \
7909+ pre_op \
7910 #asm_op " %0,%2,%0\n" \
7911+ post_op \
7912 PPC405_ERR77(0,%3) \
7913 " stwcx. %0,0,%3 \n" \
7914 " bne- 1b\n" \
7915+ extable \
7916 : "=&r" (t), "+m" (v->counter) \
7917 : "r" (a), "r" (&v->counter) \
7918 : "cc"); \
7919 } \
7920
7921-#define ATOMIC_OP_RETURN(op, asm_op) \
7922-static __inline__ int atomic_##op##_return(int a, atomic_t *v) \
7923+#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, , , asm_op, , ) \
7924+ __ATOMIC_OP(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
7925+
7926+#define __ATOMIC_OP_RETURN(op, suffix, pre_op, asm_op, post_op, extable)\
7927+static inline int atomic_##op##_return##suffix(int a, atomic##suffix##_t *v)\
7928 { \
7929 int t; \
7930 \
7931 __asm__ __volatile__( \
7932 PPC_ATOMIC_ENTRY_BARRIER \
7933-"1: lwarx %0,0,%2 # atomic_" #op "_return\n" \
7934+"1: lwarx %0,0,%2 # atomic_" #op "_return" #suffix "\n" \
7935+ pre_op \
7936 #asm_op " %0,%1,%0\n" \
7937+ post_op \
7938 PPC405_ERR77(0,%2) \
7939 " stwcx. %0,0,%2 \n" \
7940 " bne- 1b\n" \
7941+ extable \
7942 PPC_ATOMIC_EXIT_BARRIER \
7943 : "=&r" (t) \
7944 : "r" (a), "r" (&v->counter) \
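Review bot: The overflow trap is wired to the wrong variant in `ATOMIC_OP`. The plain `atomic_t` instance gets empty `pre_op`/`post_op`/`extable` arguments, while the `_unchecked` instance gets `__OVERFLOW_PRE`, `__REFCOUNT_OP(asm_op)`, `__OVERFLOW_POST` and `__OVERFLOW_EXTABLE`; this is the opposite of `__atomic_add_unless()` later in this file, where the `atomic_t` path is the one instrumented under CONFIG_PAX_REFCOUNT. As written, add/sub on `atomic_t` would never trap on signed overflow, and the type that presumably opts out would. Swapping the argument lists fixes it: `__ATOMIC_OP(op, , __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)` followed by `__ATOMIC_OP(op, _unchecked, , asm_op, , )`. The same swap applies to `ATOMIC_OP_RETURN`, `ATOMIC64_OP` and `ATOMIC64_OP_RETURN` in the following hunks. Separately, the `"\n4:\n"` line of `__OVERFLOW_EXTABLE` has no trailing backslash, so `_ASM_EXTABLE(2b, 4b)` falls outside the macro and lands at file scope; the body of `__ATOMIC_OP_RETURN` continues past the end of this hunk.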
7945@@ -62,6 +108,9 @@ static __inline__ int atomic_##op##_return(int a, atomic_t *v) \
7946 return t; \
7947 }
7948
7949+#define ATOMIC_OP_RETURN(op, asm_op) __ATOMIC_OP_RETURN(op, , , asm_op, , )\
7950+ __ATOMIC_OP_RETURN(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
7951+
7952 #define ATOMIC_OPS(op, asm_op) ATOMIC_OP(op, asm_op) ATOMIC_OP_RETURN(op, asm_op)
7953
7954 ATOMIC_OPS(add, add)
7955@@ -69,42 +118,29 @@ ATOMIC_OPS(sub, subf)
7956
7957 #undef ATOMIC_OPS
7958 #undef ATOMIC_OP_RETURN
7959+#undef __ATOMIC_OP_RETURN
7960 #undef ATOMIC_OP
7961+#undef __ATOMIC_OP
7962
7963 #define atomic_add_negative(a, v) (atomic_add_return((a), (v)) < 0)
7964
7965-static __inline__ void atomic_inc(atomic_t *v)
7966-{
7967- int t;
7968+/*
7969+ * atomic_inc - increment atomic variable
7970+ * @v: pointer of type atomic_t
7971+ *
7972+ * Automatically increments @v by 1
7973+ */
7974+#define atomic_inc(v) atomic_add(1, (v))
7975+#define atomic_inc_return(v) atomic_add_return(1, (v))
7976
7977- __asm__ __volatile__(
7978-"1: lwarx %0,0,%2 # atomic_inc\n\
7979- addic %0,%0,1\n"
7980- PPC405_ERR77(0,%2)
7981-" stwcx. %0,0,%2 \n\
7982- bne- 1b"
7983- : "=&r" (t), "+m" (v->counter)
7984- : "r" (&v->counter)
7985- : "cc", "xer");
7986+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7987+{
7988+ atomic_add_unchecked(1, v);
7989 }
7990
7991-static __inline__ int atomic_inc_return(atomic_t *v)
7992+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7993 {
7994- int t;
7995-
7996- __asm__ __volatile__(
7997- PPC_ATOMIC_ENTRY_BARRIER
7998-"1: lwarx %0,0,%1 # atomic_inc_return\n\
7999- addic %0,%0,1\n"
8000- PPC405_ERR77(0,%1)
8001-" stwcx. %0,0,%1 \n\
8002- bne- 1b"
8003- PPC_ATOMIC_EXIT_BARRIER
8004- : "=&r" (t)
8005- : "r" (&v->counter)
8006- : "cc", "xer", "memory");
8007-
8008- return t;
8009+ return atomic_add_return_unchecked(1, v);
8010 }
8011
8012 /*
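Review bot: The new kernel-doc comment for `atomic_inc` says "Automatically increments @v by 1", where "Atomically" is meant. The matching `atomic_dec` comment added in the next hunk has it right, and the `atomic64_inc` comment further down repeats the typo. The comment also documents only `atomic_inc`, although `atomic_inc_return` is defined on the line directly below it. A second line such as `* atomic_inc_return() additionally returns the new value` would cover both macros, assuming `atomic_add_return()` returns the updated counter as its generated body suggests.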
8013@@ -117,43 +153,38 @@ static __inline__ int atomic_inc_return(atomic_t *v)
8014 */
8015 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
8016
8017-static __inline__ void atomic_dec(atomic_t *v)
8018+static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
8019 {
8020- int t;
8021-
8022- __asm__ __volatile__(
8023-"1: lwarx %0,0,%2 # atomic_dec\n\
8024- addic %0,%0,-1\n"
8025- PPC405_ERR77(0,%2)\
8026-" stwcx. %0,0,%2\n\
8027- bne- 1b"
8028- : "=&r" (t), "+m" (v->counter)
8029- : "r" (&v->counter)
8030- : "cc", "xer");
8031+ return atomic_add_return_unchecked(1, v) == 0;
8032 }
8033
8034-static __inline__ int atomic_dec_return(atomic_t *v)
8035+/*
8036+ * atomic_dec - decrement atomic variable
8037+ * @v: pointer of type atomic_t
8038+ *
8039+ * Atomically decrements @v by 1
8040+ */
8041+#define atomic_dec(v) atomic_sub(1, (v))
8042+#define atomic_dec_return(v) atomic_sub_return(1, (v))
8043+
8044+static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
8045 {
8046- int t;
8047-
8048- __asm__ __volatile__(
8049- PPC_ATOMIC_ENTRY_BARRIER
8050-"1: lwarx %0,0,%1 # atomic_dec_return\n\
8051- addic %0,%0,-1\n"
8052- PPC405_ERR77(0,%1)
8053-" stwcx. %0,0,%1\n\
8054- bne- 1b"
8055- PPC_ATOMIC_EXIT_BARRIER
8056- : "=&r" (t)
8057- : "r" (&v->counter)
8058- : "cc", "xer", "memory");
8059-
8060- return t;
8061+ atomic_sub_unchecked(1, v);
8062 }
8063
8064 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
8065 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
8066
8067+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8068+{
8069+ return cmpxchg(&(v->counter), old, new);
8070+}
8071+
8072+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8073+{
8074+ return xchg(&(v->counter), new);
8075+}
8076+
8077 /**
8078 * __atomic_add_unless - add unless the number is a given value
8079 * @v: pointer of type atomic_t
8080@@ -171,11 +202,27 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
8081 PPC_ATOMIC_ENTRY_BARRIER
8082 "1: lwarx %0,0,%1 # __atomic_add_unless\n\
8083 cmpw 0,%0,%3 \n\
8084- beq- 2f \n\
8085- add %0,%2,%0 \n"
8086+ beq- 2f \n"
8087+
8088+#ifdef CONFIG_PAX_REFCOUNT
8089+" mcrxr cr0\n"
8090+" addo. %0,%2,%0\n"
8091+" bf 4*cr0+so, 4f\n"
8092+"3:.long " "0x00c00b00""\n"
8093+"4:\n"
8094+#else
8095+ "add %0,%2,%0 \n"
8096+#endif
8097+
8098 PPC405_ERR77(0,%2)
8099 " stwcx. %0,0,%1 \n\
8100 bne- 1b \n"
8101+"5:"
8102+
8103+#ifdef CONFIG_PAX_REFCOUNT
8104+ _ASM_EXTABLE(3b, 5b)
8105+#endif
8106+
8107 PPC_ATOMIC_EXIT_BARRIER
8108 " subf %0,%2,%0 \n\
8109 2:"
8110@@ -248,6 +295,11 @@ static __inline__ int atomic_dec_if_positive(atomic_t *v)
8111 }
8112 #define atomic_dec_if_positive atomic_dec_if_positive
8113
8114+#define smp_mb__before_atomic_dec() smp_mb()
8115+#define smp_mb__after_atomic_dec() smp_mb()
8116+#define smp_mb__before_atomic_inc() smp_mb()
8117+#define smp_mb__after_atomic_inc() smp_mb()
8118+
8119 #ifdef __powerpc64__
8120
8121 #define ATOMIC64_INIT(i) { (i) }
8122@@ -261,37 +313,60 @@ static __inline__ long atomic64_read(const atomic64_t *v)
8123 return t;
8124 }
8125
8126+static __inline__ long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8127+{
8128+ long t;
8129+
8130+ __asm__ __volatile__("ld%U1%X1 %0,%1" : "=r"(t) : "m"(v->counter));
8131+
8132+ return t;
8133+}
8134+
8135 static __inline__ void atomic64_set(atomic64_t *v, long i)
8136 {
8137 __asm__ __volatile__("std%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
8138 }
8139
8140-#define ATOMIC64_OP(op, asm_op) \
8141-static __inline__ void atomic64_##op(long a, atomic64_t *v) \
8142+static __inline__ void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8143+{
8144+ __asm__ __volatile__("std%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
8145+}
8146+
8147+#define __ATOMIC64_OP(op, suffix, pre_op, asm_op, post_op, extable) \
8148+static inline void atomic64_##op##suffix(long a, atomic64##suffix##_t *v)\
8149 { \
8150 long t; \
8151 \
8152 __asm__ __volatile__( \
8153 "1: ldarx %0,0,%3 # atomic64_" #op "\n" \
8154+ pre_op \
8155 #asm_op " %0,%2,%0\n" \
8156+ post_op \
8157 " stdcx. %0,0,%3 \n" \
8158 " bne- 1b\n" \
8159+ extable \
8160 : "=&r" (t), "+m" (v->counter) \
8161 : "r" (a), "r" (&v->counter) \
8162 : "cc"); \
8163 }
8164
8165-#define ATOMIC64_OP_RETURN(op, asm_op) \
8166-static __inline__ long atomic64_##op##_return(long a, atomic64_t *v) \
8167+#define ATOMIC64_OP(op, asm_op) __ATOMIC64_OP(op, , , asm_op, , ) \
8168+ __ATOMIC64_OP(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8169+
8170+#define __ATOMIC64_OP_RETURN(op, suffix, pre_op, asm_op, post_op, extable)\
8171+static inline long atomic64_##op##_return##suffix(long a, atomic64##suffix##_t *v)\
8172 { \
8173 long t; \
8174 \
8175 __asm__ __volatile__( \
8176 PPC_ATOMIC_ENTRY_BARRIER \
8177 "1: ldarx %0,0,%2 # atomic64_" #op "_return\n" \
8178+ pre_op \
8179 #asm_op " %0,%1,%0\n" \
8180+ post_op \
8181 " stdcx. %0,0,%2 \n" \
8182 " bne- 1b\n" \
8183+ extable \
8184 PPC_ATOMIC_EXIT_BARRIER \
8185 : "=&r" (t) \
8186 : "r" (a), "r" (&v->counter) \
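Review bot: The assembler comment strings in `__ATOMIC64_OP` and `__ATOMIC64_OP_RETURN` omit `#suffix`, unlike the 32-bit `__ATOMIC_OP` and `__ATOMIC_OP_RETURN` above. The checked and `_unchecked` instances therefore emit the same `# atomic64_add` annotation and cannot be told apart in a disassembly or `-S` listing. For consistency the lines should read `"1: ldarx %0,0,%3 # atomic64_" #op #suffix "\n"` and `"1: ldarx %0,0,%2 # atomic64_" #op "_return" #suffix "\n"`. The clobber list and return of `__ATOMIC64_OP_RETURN` lie outside this hunk.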
8187@@ -300,6 +375,9 @@ static __inline__ long atomic64_##op##_return(long a, atomic64_t *v) \
8188 return t; \
8189 }
8190
8191+#define ATOMIC64_OP_RETURN(op, asm_op) __ATOMIC64_OP_RETURN(op, , , asm_op, , )\
8192+ __ATOMIC64_OP_RETURN(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8193+
8194 #define ATOMIC64_OPS(op, asm_op) ATOMIC64_OP(op, asm_op) ATOMIC64_OP_RETURN(op, asm_op)
8195
8196 ATOMIC64_OPS(add, add)
8197@@ -307,40 +385,33 @@ ATOMIC64_OPS(sub, subf)
8198
8199 #undef ATOMIC64_OPS
8200 #undef ATOMIC64_OP_RETURN
8201+#undef __ATOMIC64_OP_RETURN
8202 #undef ATOMIC64_OP
8203+#undef __ATOMIC64_OP
8204+#undef __OVERFLOW_EXTABLE
8205+#undef __OVERFLOW_POST
8206+#undef __OVERFLOW_PRE
8207+#undef __REFCOUNT_OP
8208
8209 #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0)
8210
8211-static __inline__ void atomic64_inc(atomic64_t *v)
8212-{
8213- long t;
8214+/*
8215+ * atomic64_inc - increment atomic variable
8216+ * @v: pointer of type atomic64_t
8217+ *
8218+ * Automatically increments @v by 1
8219+ */
8220+#define atomic64_inc(v) atomic64_add(1, (v))
8221+#define atomic64_inc_return(v) atomic64_add_return(1, (v))
8222
8223- __asm__ __volatile__(
8224-"1: ldarx %0,0,%2 # atomic64_inc\n\
8225- addic %0,%0,1\n\
8226- stdcx. %0,0,%2 \n\
8227- bne- 1b"
8228- : "=&r" (t), "+m" (v->counter)
8229- : "r" (&v->counter)
8230- : "cc", "xer");
8231+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8232+{
8233+ atomic64_add_unchecked(1, v);
8234 }
8235
8236-static __inline__ long atomic64_inc_return(atomic64_t *v)
8237+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8238 {
8239- long t;
8240-
8241- __asm__ __volatile__(
8242- PPC_ATOMIC_ENTRY_BARRIER
8243-"1: ldarx %0,0,%1 # atomic64_inc_return\n\
8244- addic %0,%0,1\n\
8245- stdcx. %0,0,%1 \n\
8246- bne- 1b"
8247- PPC_ATOMIC_EXIT_BARRIER
8248- : "=&r" (t)
8249- : "r" (&v->counter)
8250- : "cc", "xer", "memory");
8251-
8252- return t;
8253+ return atomic64_add_return_unchecked(1, v);
8254 }
8255
8256 /*
8257@@ -353,36 +424,18 @@ static __inline__ long atomic64_inc_return(atomic64_t *v)
8258 */
8259 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
8260
8261-static __inline__ void atomic64_dec(atomic64_t *v)
8262+/*
8263+ * atomic64_dec - decrement atomic variable
8264+ * @v: pointer of type atomic64_t
8265+ *
8266+ * Atomically decrements @v by 1
8267+ */
8268+#define atomic64_dec(v) atomic64_sub(1, (v))
8269+#define atomic64_dec_return(v) atomic64_sub_return(1, (v))
8270+
8271+static __inline__ void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8272 {
8273- long t;
8274-
8275- __asm__ __volatile__(
8276-"1: ldarx %0,0,%2 # atomic64_dec\n\
8277- addic %0,%0,-1\n\
8278- stdcx. %0,0,%2\n\
8279- bne- 1b"
8280- : "=&r" (t), "+m" (v->counter)
8281- : "r" (&v->counter)
8282- : "cc", "xer");
8283-}
8284-
8285-static __inline__ long atomic64_dec_return(atomic64_t *v)
8286-{
8287- long t;
8288-
8289- __asm__ __volatile__(
8290- PPC_ATOMIC_ENTRY_BARRIER
8291-"1: ldarx %0,0,%1 # atomic64_dec_return\n\
8292- addic %0,%0,-1\n\
8293- stdcx. %0,0,%1\n\
8294- bne- 1b"
8295- PPC_ATOMIC_EXIT_BARRIER
8296- : "=&r" (t)
8297- : "r" (&v->counter)
8298- : "cc", "xer", "memory");
8299-
8300- return t;
8301+ atomic64_sub_unchecked(1, v);
8302 }
8303
8304 #define atomic64_sub_and_test(a, v) (atomic64_sub_return((a), (v)) == 0)
8305@@ -415,6 +468,16 @@ static __inline__ long atomic64_dec_if_positive(atomic64_t *v)
8306 #define atomic64_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
8307 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
8308
8309+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8310+{
8311+ return cmpxchg(&(v->counter), old, new);
8312+}
8313+
8314+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8315+{
8316+ return xchg(&(v->counter), new);
8317+}
8318+
8319 /**
8320 * atomic64_add_unless - add unless the number is a given value
8321 * @v: pointer of type atomic64_t
8322@@ -430,13 +493,29 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
8323
8324 __asm__ __volatile__ (
8325 PPC_ATOMIC_ENTRY_BARRIER
8326-"1: ldarx %0,0,%1 # __atomic_add_unless\n\
8327+"1: ldarx %0,0,%1 # atomic64_add_unless\n\
8328 cmpd 0,%0,%3 \n\
8329- beq- 2f \n\
8330- add %0,%2,%0 \n"
8331+ beq- 2f \n"
8332+
8333+#ifdef CONFIG_PAX_REFCOUNT
8334+" mcrxr cr0\n"
8335+" addo. %0,%2,%0\n"
8336+" bf 4*cr0+so, 4f\n"
8337+"3:.long " "0x00c00b00""\n"
8338+"4:\n"
8339+#else
8340+ "add %0,%2,%0 \n"
8341+#endif
8342+
8343 " stdcx. %0,0,%1 \n\
8344 bne- 1b \n"
8345 PPC_ATOMIC_EXIT_BARRIER
8346+"5:"
8347+
8348+#ifdef CONFIG_PAX_REFCOUNT
8349+ _ASM_EXTABLE(3b, 5b)
8350+#endif
8351+
8352 " subf %0,%2,%0 \n\
8353 2:"
8354 : "=&r" (t)
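Review bot: The recovery label `"5:"` sits after `PPC_ATOMIC_EXIT_BARRIER` here, whereas the 32-bit `__atomic_add_unless()` earlier in this file places `"5:"` and its `_ASM_EXTABLE(3b, 5b)` before the exit barrier. On the overflow-recovery path the 32-bit variant therefore executes the exit barrier and this 64-bit variant skips it. Nothing in the hunk indicates the difference is intentional, so one ordering should be chosen and applied to both, with a one-line comment next to the label stating whether the fixup path is meant to include the barrier. The operand and clobber lists of this asm statement continue outside the hunk.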
8355diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h
8356index 51ccc72..35de789 100644
8357--- a/arch/powerpc/include/asm/barrier.h
8358+++ b/arch/powerpc/include/asm/barrier.h
8359@@ -76,7 +76,7 @@
8360 do { \
8361 compiletime_assert_atomic_type(*p); \
8362 smp_lwsync(); \
8363- ACCESS_ONCE(*p) = (v); \
8364+ ACCESS_ONCE_RW(*p) = (v); \
8365 } while (0)
8366
8367 #define smp_load_acquire(p) \
8368diff --git a/arch/powerpc/include/asm/cache.h b/arch/powerpc/include/asm/cache.h
8369index 0dc42c5..b80a3a1 100644
8370--- a/arch/powerpc/include/asm/cache.h
8371+++ b/arch/powerpc/include/asm/cache.h
8372@@ -4,6 +4,7 @@
8373 #ifdef __KERNEL__
8374
8375 #include <asm/reg.h>
8376+#include <linux/const.h>
8377
8378 /* bytes per L1 cache line */
8379 #if defined(CONFIG_8xx) || defined(CONFIG_403GCX)
8380@@ -23,7 +24,7 @@
8381 #define L1_CACHE_SHIFT 7
8382 #endif
8383
8384-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
8385+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8386
8387 #define SMP_CACHE_BYTES L1_CACHE_BYTES
8388
8389diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h
8390index ee46ffe..b36c98c 100644
8391--- a/arch/powerpc/include/asm/elf.h
8392+++ b/arch/powerpc/include/asm/elf.h
8393@@ -30,6 +30,18 @@
8394
8395 #define ELF_ET_DYN_BASE 0x20000000
8396
8397+#ifdef CONFIG_PAX_ASLR
8398+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
8399+
8400+#ifdef __powerpc64__
8401+#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
8402+#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
8403+#else
8404+#define PAX_DELTA_MMAP_LEN 15
8405+#define PAX_DELTA_STACK_LEN 15
8406+#endif
8407+#endif
8408+
8409 #define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0)
8410
8411 /*
8412diff --git a/arch/powerpc/include/asm/exec.h b/arch/powerpc/include/asm/exec.h
8413index 8196e9c..d83a9f3 100644
8414--- a/arch/powerpc/include/asm/exec.h
8415+++ b/arch/powerpc/include/asm/exec.h
8416@@ -4,6 +4,6 @@
8417 #ifndef _ASM_POWERPC_EXEC_H
8418 #define _ASM_POWERPC_EXEC_H
8419
8420-extern unsigned long arch_align_stack(unsigned long sp);
8421+#define arch_align_stack(x) ((x) & ~0xfUL)
8422
8423 #endif /* _ASM_POWERPC_EXEC_H */
8424diff --git a/arch/powerpc/include/asm/kmap_types.h b/arch/powerpc/include/asm/kmap_types.h
8425index 5acabbd..7ea14fa 100644
8426--- a/arch/powerpc/include/asm/kmap_types.h
8427+++ b/arch/powerpc/include/asm/kmap_types.h
8428@@ -10,7 +10,7 @@
8429 * 2 of the License, or (at your option) any later version.
8430 */
8431
8432-#define KM_TYPE_NR 16
8433+#define KM_TYPE_NR 17
8434
8435 #endif /* __KERNEL__ */
8436 #endif /* _ASM_POWERPC_KMAP_TYPES_H */
8437diff --git a/arch/powerpc/include/asm/local.h b/arch/powerpc/include/asm/local.h
8438index b8da913..c02b593 100644
8439--- a/arch/powerpc/include/asm/local.h
8440+++ b/arch/powerpc/include/asm/local.h
8441@@ -9,21 +9,65 @@ typedef struct
8442 atomic_long_t a;
8443 } local_t;
8444
8445+typedef struct
8446+{
8447+ atomic_long_unchecked_t a;
8448+} local_unchecked_t;
8449+
8450 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
8451
8452 #define local_read(l) atomic_long_read(&(l)->a)
8453+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
8454 #define local_set(l,i) atomic_long_set(&(l)->a, (i))
8455+#define local_set_unchecked(l,i) atomic_long_set_unchecked(&(l)->a, (i))
8456
8457 #define local_add(i,l) atomic_long_add((i),(&(l)->a))
8458+#define local_add_unchecked(i,l) atomic_long_add_unchecked((i),(&(l)->a))
8459 #define local_sub(i,l) atomic_long_sub((i),(&(l)->a))
8460+#define local_sub_unchecked(i,l) atomic_long_sub_unchecked((i),(&(l)->a))
8461 #define local_inc(l) atomic_long_inc(&(l)->a)
8462+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
8463 #define local_dec(l) atomic_long_dec(&(l)->a)
8464+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
8465
8466 static __inline__ long local_add_return(long a, local_t *l)
8467 {
8468 long t;
8469
8470 __asm__ __volatile__(
8471+"1:" PPC_LLARX(%0,0,%2,0) " # local_add_return\n"
8472+
8473+#ifdef CONFIG_PAX_REFCOUNT
8474+" mcrxr cr0\n"
8475+" addo. %0,%1,%0\n"
8476+" bf 4*cr0+so, 3f\n"
8477+"2:.long " "0x00c00b00""\n"
8478+#else
8479+" add %0,%1,%0\n"
8480+#endif
8481+
8482+"3:\n"
8483+ PPC405_ERR77(0,%2)
8484+ PPC_STLCX "%0,0,%2 \n\
8485+ bne- 1b"
8486+
8487+#ifdef CONFIG_PAX_REFCOUNT
8488+"\n4:\n"
8489+ _ASM_EXTABLE(2b, 4b)
8490+#endif
8491+
8492+ : "=&r" (t)
8493+ : "r" (a), "r" (&(l->a.counter))
8494+ : "cc", "memory");
8495+
8496+ return t;
8497+}
8498+
8499+static __inline__ long local_add_return_unchecked(long a, local_unchecked_t *l)
8500+{
8501+ long t;
8502+
8503+ __asm__ __volatile__(
8504 "1:" PPC_LLARX(%0,0,%2,0) " # local_add_return\n\
8505 add %0,%1,%0\n"
8506 PPC405_ERR77(0,%2)
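Review bot: The CONFIG_PAX_REFCOUNT path added to `local_add_return` executes `mcrxr cr0` and `addo.`, both of which write XER, yet its clobber list is only `: "cc", "memory"`. The `__arch_read_trylock` and `arch_read_unlock` hunks in spinlock.h use the same overflow-trap sequence and list `"cr0", "xer", "memory"`. Unless it is known that the compiler keeps nothing live in XER across this asm, the checked variant should read `: "cc", "xer", "memory");`. A one-line comment explaining that `.long 0x00c00b00` is the deliberate illegal-instruction marker matched in traps.c would also help readers of this header. `local_add_return_unchecked` starts in this hunk but its body continues outside it.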
8507@@ -101,6 +145,8 @@ static __inline__ long local_dec_return(local_t *l)
8508
8509 #define local_cmpxchg(l, o, n) \
8510 (cmpxchg_local(&((l)->a.counter), (o), (n)))
8511+#define local_cmpxchg_unchecked(l, o, n) \
8512+ (cmpxchg_local(&((l)->a.counter), (o), (n)))
8513 #define local_xchg(l, n) (xchg_local(&((l)->a.counter), (n)))
8514
8515 /**
8516diff --git a/arch/powerpc/include/asm/mman.h b/arch/powerpc/include/asm/mman.h
8517index 8565c25..2865190 100644
8518--- a/arch/powerpc/include/asm/mman.h
8519+++ b/arch/powerpc/include/asm/mman.h
8520@@ -24,7 +24,7 @@ static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot)
8521 }
8522 #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot)
8523
8524-static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags)
8525+static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags)
8526 {
8527 return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0);
8528 }
8529diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h
8530index 71294a6..9e40aca 100644
8531--- a/arch/powerpc/include/asm/page.h
8532+++ b/arch/powerpc/include/asm/page.h
8533@@ -227,8 +227,9 @@ extern long long virt_phys_offset;
8534 * and needs to be executable. This means the whole heap ends
8535 * up being executable.
8536 */
8537-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
8538- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8539+#define VM_DATA_DEFAULT_FLAGS32 \
8540+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
8541+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8542
8543 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
8544 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8545@@ -256,6 +257,9 @@ extern long long virt_phys_offset;
8546 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
8547 #endif
8548
8549+#define ktla_ktva(addr) (addr)
8550+#define ktva_ktla(addr) (addr)
8551+
8552 #ifndef CONFIG_PPC_BOOK3S_64
8553 /*
8554 * Use the top bit of the higher-level page table entries to indicate whether
8555diff --git a/arch/powerpc/include/asm/page_64.h b/arch/powerpc/include/asm/page_64.h
8556index d908a46..3753f71 100644
8557--- a/arch/powerpc/include/asm/page_64.h
8558+++ b/arch/powerpc/include/asm/page_64.h
8559@@ -172,15 +172,18 @@ do { \
8560 * stack by default, so in the absence of a PT_GNU_STACK program header
8561 * we turn execute permission off.
8562 */
8563-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
8564- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8565+#define VM_STACK_DEFAULT_FLAGS32 \
8566+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
8567+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8568
8569 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
8570 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8571
8572+#ifndef CONFIG_PAX_PAGEEXEC
8573 #define VM_STACK_DEFAULT_FLAGS \
8574 (is_32bit_task() ? \
8575 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
8576+#endif
8577
8578 #include <asm-generic/getorder.h>
8579
8580diff --git a/arch/powerpc/include/asm/pgalloc-64.h b/arch/powerpc/include/asm/pgalloc-64.h
8581index 4b0be20..c15a27d 100644
8582--- a/arch/powerpc/include/asm/pgalloc-64.h
8583+++ b/arch/powerpc/include/asm/pgalloc-64.h
8584@@ -54,6 +54,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd)
8585 #ifndef CONFIG_PPC_64K_PAGES
8586
8587 #define pgd_populate(MM, PGD, PUD) pgd_set(PGD, PUD)
8588+#define pgd_populate_kernel(MM, PGD, PUD) pgd_populate((MM), (PGD), (PUD))
8589
8590 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
8591 {
8592@@ -71,6 +72,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
8593 pud_set(pud, (unsigned long)pmd);
8594 }
8595
8596+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
8597+{
8598+ pud_populate(mm, pud, pmd);
8599+}
8600+
8601 #define pmd_populate(mm, pmd, pte_page) \
8602 pmd_populate_kernel(mm, pmd, page_address(pte_page))
8603 #define pmd_populate_kernel(mm, pmd, pte) pmd_set(pmd, (unsigned long)(pte))
8604@@ -173,6 +179,7 @@ extern void __tlb_remove_table(void *_table);
8605 #endif
8606
8607 #define pud_populate(mm, pud, pmd) pud_set(pud, (unsigned long)pmd)
8608+#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
8609
8610 static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd,
8611 pte_t *pte)
8612diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
8613index 11a3863..108f194 100644
8614--- a/arch/powerpc/include/asm/pgtable.h
8615+++ b/arch/powerpc/include/asm/pgtable.h
8616@@ -2,6 +2,7 @@
8617 #define _ASM_POWERPC_PGTABLE_H
8618 #ifdef __KERNEL__
8619
8620+#include <linux/const.h>
8621 #ifndef __ASSEMBLY__
8622 #include <linux/mmdebug.h>
8623 #include <linux/mmzone.h>
8624diff --git a/arch/powerpc/include/asm/pte-hash32.h b/arch/powerpc/include/asm/pte-hash32.h
8625index 62cfb0c..50c6402 100644
8626--- a/arch/powerpc/include/asm/pte-hash32.h
8627+++ b/arch/powerpc/include/asm/pte-hash32.h
8628@@ -20,6 +20,7 @@
8629 #define _PAGE_HASHPTE 0x002 /* hash_page has made an HPTE for this pte */
8630 #define _PAGE_USER 0x004 /* usermode access allowed */
8631 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
8632+#define _PAGE_EXEC _PAGE_GUARDED
8633 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
8634 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
8635 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
8636diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
8637index af56b5c..f86f3f6 100644
8638--- a/arch/powerpc/include/asm/reg.h
8639+++ b/arch/powerpc/include/asm/reg.h
8640@@ -253,6 +253,7 @@
8641 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
8642 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
8643 #define DSISR_NOHPTE 0x40000000 /* no translation found */
8644+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
8645 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
8646 #define DSISR_ISSTORE 0x02000000 /* access was a store */
8647 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
8648diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h
8649index 825663c..f9e9134 100644
8650--- a/arch/powerpc/include/asm/smp.h
8651+++ b/arch/powerpc/include/asm/smp.h
8652@@ -51,7 +51,7 @@ struct smp_ops_t {
8653 int (*cpu_disable)(void);
8654 void (*cpu_die)(unsigned int nr);
8655 int (*cpu_bootable)(unsigned int nr);
8656-};
8657+} __no_const;
8658
8659 extern void smp_send_debugger_break(void);
8660 extern void start_secondary_resume(void);
8661diff --git a/arch/powerpc/include/asm/spinlock.h b/arch/powerpc/include/asm/spinlock.h
8662index 4dbe072..b803275 100644
8663--- a/arch/powerpc/include/asm/spinlock.h
8664+++ b/arch/powerpc/include/asm/spinlock.h
8665@@ -204,13 +204,29 @@ static inline long __arch_read_trylock(arch_rwlock_t *rw)
8666 __asm__ __volatile__(
8667 "1: " PPC_LWARX(%0,0,%1,1) "\n"
8668 __DO_SIGN_EXTEND
8669-" addic. %0,%0,1\n\
8670- ble- 2f\n"
8671+
8672+#ifdef CONFIG_PAX_REFCOUNT
8673+" mcrxr cr0\n"
8674+" addico. %0,%0,1\n"
8675+" bf 4*cr0+so, 3f\n"
8676+"2:.long " "0x00c00b00""\n"
8677+#else
8678+" addic. %0,%0,1\n"
8679+#endif
8680+
8681+"3:\n"
8682+ "ble- 4f\n"
8683 PPC405_ERR77(0,%1)
8684 " stwcx. %0,0,%1\n\
8685 bne- 1b\n"
8686 PPC_ACQUIRE_BARRIER
8687-"2:" : "=&r" (tmp)
8688+"4:"
8689+
8690+#ifdef CONFIG_PAX_REFCOUNT
8691+ _ASM_EXTABLE(2b,4b)
8692+#endif
8693+
8694+ : "=&r" (tmp)
8695 : "r" (&rw->lock)
8696 : "cr0", "xer", "memory");
8697
8698@@ -286,11 +302,27 @@ static inline void arch_read_unlock(arch_rwlock_t *rw)
8699 __asm__ __volatile__(
8700 "# read_unlock\n\t"
8701 PPC_RELEASE_BARRIER
8702-"1: lwarx %0,0,%1\n\
8703- addic %0,%0,-1\n"
8704+"1: lwarx %0,0,%1\n"
8705+
8706+#ifdef CONFIG_PAX_REFCOUNT
8707+" mcrxr cr0\n"
8708+" addico. %0,%0,-1\n"
8709+" bf 4*cr0+so, 3f\n"
8710+"2:.long " "0x00c00b00""\n"
8711+#else
8712+" addic. %0,%0,-1\n"
8713+#endif
8714+
8715+"3:\n"
8716 PPC405_ERR77(0,%1)
8717 " stwcx. %0,0,%1\n\
8718 bne- 1b"
8719+
8720+#ifdef CONFIG_PAX_REFCOUNT
8721+"\n4:\n"
8722+ _ASM_EXTABLE(2b, 4b)
8723+#endif
8724+
8725 : "=&r"(tmp)
8726 : "r"(&rw->lock)
8727 : "cr0", "xer", "memory");
8728diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
8729index 7efee4a..48d47cc 100644
8730--- a/arch/powerpc/include/asm/thread_info.h
8731+++ b/arch/powerpc/include/asm/thread_info.h
8732@@ -101,6 +101,8 @@ static inline struct thread_info *current_thread_info(void)
8733 #if defined(CONFIG_PPC64)
8734 #define TIF_ELF2ABI 18 /* function descriptors must die! */
8735 #endif
8736+/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */
8737+#define TIF_GRSEC_SETXID 6 /* update credentials on syscall entry/exit */
8738
8739 /* as above, but as bit values */
8740 #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
8741@@ -119,9 +121,10 @@ static inline struct thread_info *current_thread_info(void)
8742 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
8743 #define _TIF_EMULATE_STACK_STORE (1<<TIF_EMULATE_STACK_STORE)
8744 #define _TIF_NOHZ (1<<TIF_NOHZ)
8745+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
8746 #define _TIF_SYSCALL_DOTRACE (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
8747 _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT | \
8748- _TIF_NOHZ)
8749+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
8750
8751 #define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
8752 _TIF_NOTIFY_RESUME | _TIF_UPROBE | \
8753diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
8754index 2a8ebae..5643c6f 100644
8755--- a/arch/powerpc/include/asm/uaccess.h
8756+++ b/arch/powerpc/include/asm/uaccess.h
8757@@ -58,6 +58,7 @@
8758
8759 #endif
8760
8761+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
8762 #define access_ok(type, addr, size) \
8763 (__chk_user_ptr(addr), \
8764 __access_ok((__force unsigned long)(addr), (size), get_fs()))
8765@@ -318,52 +319,6 @@ do { \
8766 extern unsigned long __copy_tofrom_user(void __user *to,
8767 const void __user *from, unsigned long size);
8768
8769-#ifndef __powerpc64__
8770-
8771-static inline unsigned long copy_from_user(void *to,
8772- const void __user *from, unsigned long n)
8773-{
8774- unsigned long over;
8775-
8776- if (access_ok(VERIFY_READ, from, n))
8777- return __copy_tofrom_user((__force void __user *)to, from, n);
8778- if ((unsigned long)from < TASK_SIZE) {
8779- over = (unsigned long)from + n - TASK_SIZE;
8780- return __copy_tofrom_user((__force void __user *)to, from,
8781- n - over) + over;
8782- }
8783- return n;
8784-}
8785-
8786-static inline unsigned long copy_to_user(void __user *to,
8787- const void *from, unsigned long n)
8788-{
8789- unsigned long over;
8790-
8791- if (access_ok(VERIFY_WRITE, to, n))
8792- return __copy_tofrom_user(to, (__force void __user *)from, n);
8793- if ((unsigned long)to < TASK_SIZE) {
8794- over = (unsigned long)to + n - TASK_SIZE;
8795- return __copy_tofrom_user(to, (__force void __user *)from,
8796- n - over) + over;
8797- }
8798- return n;
8799-}
8800-
8801-#else /* __powerpc64__ */
8802-
8803-#define __copy_in_user(to, from, size) \
8804- __copy_tofrom_user((to), (from), (size))
8805-
8806-extern unsigned long copy_from_user(void *to, const void __user *from,
8807- unsigned long n);
8808-extern unsigned long copy_to_user(void __user *to, const void *from,
8809- unsigned long n);
8810-extern unsigned long copy_in_user(void __user *to, const void __user *from,
8811- unsigned long n);
8812-
8813-#endif /* __powerpc64__ */
8814-
8815 static inline unsigned long __copy_from_user_inatomic(void *to,
8816 const void __user *from, unsigned long n)
8817 {
8818@@ -387,6 +342,10 @@ static inline unsigned long __copy_from_user_inatomic(void *to,
8819 if (ret == 0)
8820 return 0;
8821 }
8822+
8823+ if (!__builtin_constant_p(n))
8824+ check_object_size(to, n, false);
8825+
8826 return __copy_tofrom_user((__force void __user *)to, from, n);
8827 }
8828
8829@@ -413,6 +372,10 @@ static inline unsigned long __copy_to_user_inatomic(void __user *to,
8830 if (ret == 0)
8831 return 0;
8832 }
8833+
8834+ if (!__builtin_constant_p(n))
8835+ check_object_size(from, n, true);
8836+
8837 return __copy_tofrom_user(to, (__force const void __user *)from, n);
8838 }
8839
8840@@ -430,6 +393,92 @@ static inline unsigned long __copy_to_user(void __user *to,
8841 return __copy_to_user_inatomic(to, from, size);
8842 }
8843
8844+#ifndef __powerpc64__
8845+
8846+static inline unsigned long __must_check copy_from_user(void *to,
8847+ const void __user *from, unsigned long n)
8848+{
8849+ unsigned long over;
8850+
8851+ if ((long)n < 0)
8852+ return n;
8853+
8854+ if (access_ok(VERIFY_READ, from, n)) {
8855+ if (!__builtin_constant_p(n))
8856+ check_object_size(to, n, false);
8857+ return __copy_tofrom_user((__force void __user *)to, from, n);
8858+ }
8859+ if ((unsigned long)from < TASK_SIZE) {
8860+ over = (unsigned long)from + n - TASK_SIZE;
8861+ if (!__builtin_constant_p(n - over))
8862+ check_object_size(to, n - over, false);
8863+ return __copy_tofrom_user((__force void __user *)to, from,
8864+ n - over) + over;
8865+ }
8866+ return n;
8867+}
8868+
8869+static inline unsigned long __must_check copy_to_user(void __user *to,
8870+ const void *from, unsigned long n)
8871+{
8872+ unsigned long over;
8873+
8874+ if ((long)n < 0)
8875+ return n;
8876+
8877+ if (access_ok(VERIFY_WRITE, to, n)) {
8878+ if (!__builtin_constant_p(n))
8879+ check_object_size(from, n, true);
8880+ return __copy_tofrom_user(to, (__force void __user *)from, n);
8881+ }
8882+ if ((unsigned long)to < TASK_SIZE) {
8883+ over = (unsigned long)to + n - TASK_SIZE;
8884+ if (!__builtin_constant_p(n))
8885+ check_object_size(from, n - over, true);
8886+ return __copy_tofrom_user(to, (__force void __user *)from,
8887+ n - over) + over;
8888+ }
8889+ return n;
8890+}
8891+
8892+#else /* __powerpc64__ */
8893+
8894+#define __copy_in_user(to, from, size) \
8895+ __copy_tofrom_user((to), (from), (size))
8896+
8897+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
8898+{
8899+ if ((long)n < 0 || n > INT_MAX)
8900+ return n;
8901+
8902+ if (!__builtin_constant_p(n))
8903+ check_object_size(to, n, false);
8904+
8905+ if (likely(access_ok(VERIFY_READ, from, n)))
8906+ n = __copy_from_user(to, from, n);
8907+ else
8908+ memset(to, 0, n);
8909+ return n;
8910+}
8911+
8912+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
8913+{
8914+ if ((long)n < 0 || n > INT_MAX)
8915+ return n;
8916+
8917+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
8918+ if (!__builtin_constant_p(n))
8919+ check_object_size(from, n, true);
8920+ n = __copy_to_user(to, from, n);
8921+ }
8922+ return n;
8923+}
8924+
8925+extern unsigned long copy_in_user(void __user *to, const void __user *from,
8926+ unsigned long n);
8927+
8928+#endif /* __powerpc64__ */
8929+
8930 extern unsigned long __clear_user(void __user *addr, unsigned long size);
8931
8932 static inline unsigned long clear_user(void __user *addr, unsigned long size)
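Review bot: In the 32-bit `copy_to_user`, the partial-copy branch guards on `__builtin_constant_p(n)` but then checks `n - over` bytes, while the matching branch of `copy_from_user` guards on `__builtin_constant_p(n - over)`. Because `over` is derived from the runtime pointer, the two guards presumably differ whenever `n` is a compile-time constant, so one helper runs `check_object_size()` on the truncated copy and the other skips it. I would make them agree, e.g. `if (!__builtin_constant_p(n - over))` in `copy_to_user`, or add a comment saying why the write side may skip the check. A short comment on why the 64-bit variants also reject `n > INT_MAX`, while the 32-bit ones test only `(long)n < 0`, would make the size policy easier to audit.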
8933diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
8934index 12868b1..5155667 100644
8935--- a/arch/powerpc/kernel/Makefile
8936+++ b/arch/powerpc/kernel/Makefile
8937@@ -14,6 +14,11 @@ CFLAGS_prom_init.o += -fPIC
8938 CFLAGS_btext.o += -fPIC
8939 endif
8940
8941+CFLAGS_REMOVE_cputable.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
8942+CFLAGS_REMOVE_prom_init.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
8943+CFLAGS_REMOVE_btext.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
8944+CFLAGS_REMOVE_prom.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
8945+
8946 ifdef CONFIG_FUNCTION_TRACER
8947 # Do not trace early boot code
8948 CFLAGS_REMOVE_cputable.o = -pg -mno-sched-epilog
8949@@ -26,6 +31,8 @@ CFLAGS_REMOVE_ftrace.o = -pg -mno-sched-epilog
8950 CFLAGS_REMOVE_time.o = -pg -mno-sched-epilog
8951 endif
8952
8953+CFLAGS_REMOVE_prom_init.o += $(LATENT_ENTROPY_PLUGIN_CFLAGS)
8954+
8955 obj-y := cputable.o ptrace.o syscalls.o \
8956 irq.o align.o signal_32.o pmc.o vdso.o \
8957 process.o systbl.o idle.o \
8958diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S
8959index 3e68d1c..72a5ee6 100644
8960--- a/arch/powerpc/kernel/exceptions-64e.S
8961+++ b/arch/powerpc/kernel/exceptions-64e.S
8962@@ -1010,6 +1010,7 @@ storage_fault_common:
8963 std r14,_DAR(r1)
8964 std r15,_DSISR(r1)
8965 addi r3,r1,STACK_FRAME_OVERHEAD
8966+ bl save_nvgprs
8967 mr r4,r14
8968 mr r5,r15
8969 ld r14,PACA_EXGEN+EX_R14(r13)
8970@@ -1018,8 +1019,7 @@ storage_fault_common:
8971 cmpdi r3,0
8972 bne- 1f
8973 b ret_from_except_lite
8974-1: bl save_nvgprs
8975- mr r5,r3
8976+1: mr r5,r3
8977 addi r3,r1,STACK_FRAME_OVERHEAD
8978 ld r4,_DAR(r1)
8979 bl bad_page_fault
8980diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
8981index 0a0399c2..262a2e6 100644
8982--- a/arch/powerpc/kernel/exceptions-64s.S
8983+++ b/arch/powerpc/kernel/exceptions-64s.S
8984@@ -1591,10 +1591,10 @@ handle_page_fault:
8985 11: ld r4,_DAR(r1)
8986 ld r5,_DSISR(r1)
8987 addi r3,r1,STACK_FRAME_OVERHEAD
8988+ bl save_nvgprs
8989 bl do_page_fault
8990 cmpdi r3,0
8991 beq+ 12f
8992- bl save_nvgprs
8993 mr r5,r3
8994 addi r3,r1,STACK_FRAME_OVERHEAD
8995 lwz r4,_DAR(r1)
8996diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
8997index 4509603..cdb491f 100644
8998--- a/arch/powerpc/kernel/irq.c
8999+++ b/arch/powerpc/kernel/irq.c
9000@@ -460,6 +460,8 @@ void migrate_irqs(void)
9001 }
9002 #endif
9003
9004+extern void gr_handle_kernel_exploit(void);
9005+
9006 static inline void check_stack_overflow(void)
9007 {
9008 #ifdef CONFIG_DEBUG_STACKOVERFLOW
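Review bot: `extern void gr_handle_kernel_exploit(void);` is declared by hand in this .c file, and the traps.c hunk repeats the same declaration; ptrace.c does likewise for `gr_delayed_cred_worker`. A local extern is never checked against the definition, so a later signature change would still compile and only misbehave at run time. Declaring these hooks once in a shared header, included by the definition and by every caller, removes that risk. `check_stack_overflow` continues outside this hunk.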
9009@@ -472,6 +474,7 @@ static inline void check_stack_overflow(void)
9010 pr_err("do_IRQ: stack overflow: %ld\n",
9011 sp - sizeof(struct thread_info));
9012 dump_stack();
9013+ gr_handle_kernel_exploit();
9014 }
9015 #endif
9016 }
9017diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
9018index c94d2e0..992a9ce 100644
9019--- a/arch/powerpc/kernel/module_32.c
9020+++ b/arch/powerpc/kernel/module_32.c
9021@@ -158,7 +158,7 @@ int module_frob_arch_sections(Elf32_Ehdr *hdr,
9022 me->arch.core_plt_section = i;
9023 }
9024 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
9025- pr_err("Module doesn't contain .plt or .init.plt sections.\n");
9026+ pr_err("Module $s doesn't contain .plt or .init.plt sections.\n", me->name);
9027 return -ENOEXEC;
9028 }
9029
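Review bot: The new message uses `$s` where a printf conversion was intended, so `me->name` is passed but never consumed and the log prints a literal "$s" instead of the module name. The line should be `pr_err("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`. `module_frob_arch_sections` starts and ends outside this hunk.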
9030@@ -188,11 +188,16 @@ static uint32_t do_plt_call(void *location,
9031
9032 pr_debug("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
9033 /* Init, or core PLT? */
9034- if (location >= mod->module_core
9035- && location < mod->module_core + mod->core_size)
9036+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
9037+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
9038 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
9039- else
9040+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
9041+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
9042 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
9043+ else {
9044+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
9045+ return ~0UL;
9046+ }
9047
9048 /* Find this entry, or if that fails, the next avail. entry */
9049 while (entry->jump[0]) {
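Review bot: `do_plt_call` now returns `~0UL` when `location` falls in none of the four rx/rw regions, but nothing visible makes callers treat that value as a failure. The ftrace call site touched in the next hunk stores the result straight into `module->arch.tramp` with no check, so a rejected location would presumably be used as a trampoline address. I would document the sentinel in a comment above the function and have each caller test for it and fail the module load, for example by returning `-ENOEXEC` as `module_frob_arch_sections` does. The function's signature and the rest of its body lie outside this hunk.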
9050@@ -296,7 +301,7 @@ int apply_relocate_add(Elf32_Shdr *sechdrs,
9051 }
9052 #ifdef CONFIG_DYNAMIC_FTRACE
9053 module->arch.tramp =
9054- do_plt_call(module->module_core,
9055+ do_plt_call(module->module_core_rx,
9056 (unsigned long)ftrace_caller,
9057 sechdrs, module);
9058 #endif
9059diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
9060index 64e6e9d..cf90ed5 100644
9061--- a/arch/powerpc/kernel/process.c
9062+++ b/arch/powerpc/kernel/process.c
9063@@ -1033,8 +1033,8 @@ void show_regs(struct pt_regs * regs)
9064 * Lookup NIP late so we have the best change of getting the
9065 * above info out without failing
9066 */
9067- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
9068- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
9069+ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
9070+ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
9071 #endif
9072 show_stack(current, (unsigned long *) regs->gpr[1]);
9073 if (!user_mode(regs))
9074@@ -1550,10 +1550,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
9075 newsp = stack[0];
9076 ip = stack[STACK_FRAME_LR_SAVE];
9077 if (!firstframe || ip != lr) {
9078- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
9079+ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
9080 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
9081 if ((ip == rth) && curr_frame >= 0) {
9082- printk(" (%pS)",
9083+ printk(" (%pA)",
9084 (void *)current->ret_stack[curr_frame].ret);
9085 curr_frame--;
9086 }
9087@@ -1573,7 +1573,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
9088 struct pt_regs *regs = (struct pt_regs *)
9089 (sp + STACK_FRAME_OVERHEAD);
9090 lr = regs->link;
9091- printk("--- interrupt: %lx at %pS\n LR = %pS\n",
9092+ printk("--- interrupt: %lx at %pA\n LR = %pA\n",
9093 regs->trap, (void *)regs->nip, (void *)lr);
9094 firstframe = 1;
9095 }
9096@@ -1609,49 +1609,3 @@ void notrace __ppc64_runlatch_off(void)
9097 mtspr(SPRN_CTRLT, ctrl);
9098 }
9099 #endif /* CONFIG_PPC64 */
9100-
9101-unsigned long arch_align_stack(unsigned long sp)
9102-{
9103- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
9104- sp -= get_random_int() & ~PAGE_MASK;
9105- return sp & ~0xf;
9106-}
9107-
9108-static inline unsigned long brk_rnd(void)
9109-{
9110- unsigned long rnd = 0;
9111-
9112- /* 8MB for 32bit, 1GB for 64bit */
9113- if (is_32bit_task())
9114- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
9115- else
9116- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
9117-
9118- return rnd << PAGE_SHIFT;
9119-}
9120-
9121-unsigned long arch_randomize_brk(struct mm_struct *mm)
9122-{
9123- unsigned long base = mm->brk;
9124- unsigned long ret;
9125-
9126-#ifdef CONFIG_PPC_STD_MMU_64
9127- /*
9128- * If we are using 1TB segments and we are allowed to randomise
9129- * the heap, we can put it above 1TB so it is backed by a 1TB
9130- * segment. Otherwise the heap will be in the bottom 1TB
9131- * which always uses 256MB segments and this may result in a
9132- * performance penalty.
9133- */
9134- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
9135- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
9136-#endif
9137-
9138- ret = PAGE_ALIGN(base + brk_rnd());
9139-
9140- if (ret < mm->brk)
9141- return mm->brk;
9142-
9143- return ret;
9144-}
9145-
9146diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
9147index f21897b..28c0428 100644
9148--- a/arch/powerpc/kernel/ptrace.c
9149+++ b/arch/powerpc/kernel/ptrace.c
9150@@ -1762,6 +1762,10 @@ long arch_ptrace(struct task_struct *child, long request,
9151 return ret;
9152 }
9153
9154+#ifdef CONFIG_GRKERNSEC_SETXID
9155+extern void gr_delayed_cred_worker(void);
9156+#endif
9157+
9158 /*
9159 * We must return the syscall number to actually look up in the table.
9160 * This can be -1L to skip running any syscall at all.
9161@@ -1774,6 +1778,11 @@ long do_syscall_trace_enter(struct pt_regs *regs)
9162
9163 secure_computing_strict(regs->gpr[0]);
9164
9165+#ifdef CONFIG_GRKERNSEC_SETXID
9166+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
9167+ gr_delayed_cred_worker();
9168+#endif
9169+
9170 if (test_thread_flag(TIF_SYSCALL_TRACE) &&
9171 tracehook_report_syscall_entry(regs))
9172 /*
9173@@ -1805,6 +1814,11 @@ void do_syscall_trace_leave(struct pt_regs *regs)
9174 {
9175 int step;
9176
9177+#ifdef CONFIG_GRKERNSEC_SETXID
9178+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
9179+ gr_delayed_cred_worker();
9180+#endif
9181+
9182 audit_syscall_exit(regs);
9183
9184 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
9185diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
9186index da50e0c..5ff6307 100644
9187--- a/arch/powerpc/kernel/signal_32.c
9188+++ b/arch/powerpc/kernel/signal_32.c
9189@@ -1009,7 +1009,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
9190 /* Save user registers on the stack */
9191 frame = &rt_sf->uc.uc_mcontext;
9192 addr = frame;
9193- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
9194+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
9195 sigret = 0;
9196 tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp;
9197 } else {
9198diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
9199index c7c24d2..1bf7039 100644
9200--- a/arch/powerpc/kernel/signal_64.c
9201+++ b/arch/powerpc/kernel/signal_64.c
9202@@ -754,7 +754,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs
9203 current->thread.fp_state.fpscr = 0;
9204
9205 /* Set up to return from userspace. */
9206- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
9207+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
9208 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
9209 } else {
9210 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
9211diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
9212index 37de90f..12472ac 100644
9213--- a/arch/powerpc/kernel/traps.c
9214+++ b/arch/powerpc/kernel/traps.c
9215@@ -36,6 +36,7 @@
9216 #include <linux/debugfs.h>
9217 #include <linux/ratelimit.h>
9218 #include <linux/context_tracking.h>
9219+#include <linux/uaccess.h>
9220
9221 #include <asm/emulated_ops.h>
9222 #include <asm/pgtable.h>
9223@@ -142,6 +143,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
9224 return flags;
9225 }
9226
9227+extern void gr_handle_kernel_exploit(void);
9228+
9229 static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
9230 int signr)
9231 {
9232@@ -191,6 +194,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
9233 panic("Fatal exception in interrupt");
9234 if (panic_on_oops)
9235 panic("Fatal exception");
9236+
9237+ gr_handle_kernel_exploit();
9238+
9239 do_exit(signr);
9240 }
9241
9242@@ -1139,6 +1145,26 @@ void __kprobes program_check_exception(struct pt_regs *regs)
9243 enum ctx_state prev_state = exception_enter();
9244 unsigned int reason = get_reason(regs);
9245
9246+#ifdef CONFIG_PAX_REFCOUNT
9247+ unsigned int bkpt;
9248+ const struct exception_table_entry *entry;
9249+
9250+ if (reason & REASON_ILLEGAL) {
9251+ /* Check if PaX bad instruction */
9252+ if (!probe_kernel_address(regs->nip, bkpt) && bkpt == 0xc00b00) {
9253+ current->thread.trap_nr = 0;
9254+ pax_report_refcount_overflow(regs);
9255+ /* fixup_exception() for PowerPC does not exist, simulate its job */
9256+ if ((entry = search_exception_tables(regs->nip)) != NULL) {
9257+ regs->nip = entry->fixup;
9258+ return;
9259+ }
9260+ /* fixup_exception() could not handle */
9261+ goto bail;
9262+ }
9263+ }
9264+#endif
9265+
9266 /* We can now get here via a FP Unavailable exception if the core
9267 * has no FPU, in that case the reason flags will be 0 */
9268
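Review bot: The PaX block added to `program_check_exception` reports a refcount overflow whenever the faulting word equals `0xc00b00`, with no visible test that the trap was taken in kernel mode. If nothing earlier in the function filters user-mode traps, an illegal-instruction trap from userspace carrying the same word would be logged as a kernel refcount overflow; `if ((reason & REASON_ILLEGAL) && !user_mode(regs))` would restrict the check to the kernel sites that emit the marker. The literal also duplicates the `.long 0x00c00b00` in the asm hunks and would be safer as one shared named macro. `regs->nip` is an integer passed where `probe_kernel_address` takes an address, so an explicit pointer cast is likely needed. The `bail` label is outside this hunk.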
9269diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c
9270index b457bfa..9018cde 100644
9271--- a/arch/powerpc/kernel/vdso.c
9272+++ b/arch/powerpc/kernel/vdso.c
9273@@ -34,6 +34,7 @@
9274 #include <asm/vdso.h>
9275 #include <asm/vdso_datapage.h>
9276 #include <asm/setup.h>
9277+#include <asm/mman.h>
9278
9279 #undef DEBUG
9280
9281@@ -179,7 +180,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
9282 vdso_base = VDSO32_MBASE;
9283 #endif
9284
9285- current->mm->context.vdso_base = 0;
9286+ current->mm->context.vdso_base = ~0UL;
9287
9288 /* vDSO has a problem and was disabled, just don't "enable" it for the
9289 * process
9290@@ -199,7 +200,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
9291 vdso_base = get_unmapped_area(NULL, vdso_base,
9292 (vdso_pages << PAGE_SHIFT) +
9293 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
9294- 0, 0);
9295+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
9296 if (IS_ERR_VALUE(vdso_base)) {
9297 rc = vdso_base;
9298 goto fail_mmapsem;
9299diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
9300index e5dde32..557af3d 100644
9301--- a/arch/powerpc/kvm/powerpc.c
9302+++ b/arch/powerpc/kvm/powerpc.c
9303@@ -1404,7 +1404,7 @@ void kvmppc_init_lpid(unsigned long nr_lpids_param)
9304 }
9305 EXPORT_SYMBOL_GPL(kvmppc_init_lpid);
9306
9307-int kvm_arch_init(void *opaque)
9308+int kvm_arch_init(const void *opaque)
9309 {
9310 return 0;
9311 }
9312diff --git a/arch/powerpc/lib/usercopy_64.c b/arch/powerpc/lib/usercopy_64.c
9313index 5eea6f3..5d10396 100644
9314--- a/arch/powerpc/lib/usercopy_64.c
9315+++ b/arch/powerpc/lib/usercopy_64.c
9316@@ -9,22 +9,6 @@
9317 #include <linux/module.h>
9318 #include <asm/uaccess.h>
9319
9320-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
9321-{
9322- if (likely(access_ok(VERIFY_READ, from, n)))
9323- n = __copy_from_user(to, from, n);
9324- else
9325- memset(to, 0, n);
9326- return n;
9327-}
9328-
9329-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
9330-{
9331- if (likely(access_ok(VERIFY_WRITE, to, n)))
9332- n = __copy_to_user(to, from, n);
9333- return n;
9334-}
9335-
9336 unsigned long copy_in_user(void __user *to, const void __user *from,
9337 unsigned long n)
9338 {
9339@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *to, const void __user *from,
9340 return n;
9341 }
9342
9343-EXPORT_SYMBOL(copy_from_user);
9344-EXPORT_SYMBOL(copy_to_user);
9345 EXPORT_SYMBOL(copy_in_user);
9346
9347diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
9348index a67c6d7..a662e6d 100644
9349--- a/arch/powerpc/mm/fault.c
9350+++ b/arch/powerpc/mm/fault.c
9351@@ -34,6 +34,10 @@
9352 #include <linux/context_tracking.h>
9353 #include <linux/hugetlb.h>
9354 #include <linux/uaccess.h>
9355+#include <linux/slab.h>
9356+#include <linux/pagemap.h>
9357+#include <linux/compiler.h>
9358+#include <linux/unistd.h>
9359
9360 #include <asm/firmware.h>
9361 #include <asm/page.h>
9362@@ -68,6 +72,33 @@ static inline int notify_page_fault(struct pt_regs *regs)
9363 }
9364 #endif
9365
9366+#ifdef CONFIG_PAX_PAGEEXEC
9367+/*
9368+ * PaX: decide what to do with offenders (regs->nip = fault address)
9369+ *
9370+ * returns 1 when task should be killed
9371+ */
9372+static int pax_handle_fetch_fault(struct pt_regs *regs)
9373+{
9374+ return 1;
9375+}
9376+
9377+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
9378+{
9379+ unsigned long i;
9380+
9381+ printk(KERN_ERR "PAX: bytes at PC: ");
9382+ for (i = 0; i < 5; i++) {
9383+ unsigned int c;
9384+ if (get_user(c, (unsigned int __user *)pc+i))
9385+ printk(KERN_CONT "???????? ");
9386+ else
9387+ printk(KERN_CONT "%08x ", c);
9388+ }
9389+ printk("\n");
9390+}
9391+#endif
9392+
9393 /*
9394 * Check whether the instruction at regs->nip is a store using
9395 * an update addressing form which will update r1.
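Review bot: The closing `printk("\n");` in pax_report_insns() carries no log level, while every other continuation of the "PAX: bytes at PC:" line uses `KERN_CONT`. Writing it as `printk(KERN_CONT "\n");` keeps the newline attached to the KERN_ERR record instead of depending on how printk treats a level-less fragment. The `regs` and `sp` parameters are also unused in this body; a short comment saying they exist only to match the other architectures' signature (if that is the reason) would help.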
9396@@ -227,7 +258,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address,
9397 * indicate errors in DSISR but can validly be set in SRR1.
9398 */
9399 if (trap == 0x400)
9400- error_code &= 0x48200000;
9401+ error_code &= 0x58200000;
9402 else
9403 is_write = error_code & DSISR_ISSTORE;
9404 #else
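Review bot: The mask on the `trap == 0x400` branch gains bit 0x10000000 inside an unnamed literal, while the very next hunk in this file replaces that same literal with `DSISR_GUARDED`. Assuming the two are the same bit, as that hunk implies, `error_code &= 0x48200000 | DSISR_GUARDED;` would show which bit was added and why the later `is_exec` check on `DSISR_GUARDED` can ever fire for instruction faults. do_page_fault() extends well beyond this hunk.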
9405@@ -384,12 +415,16 @@ good_area:
9406 * "undefined". Of those that can be set, this is the only
9407 * one which seems bad.
9408 */
9409- if (error_code & 0x10000000)
9410+ if (error_code & DSISR_GUARDED)
9411 /* Guarded storage error. */
9412 goto bad_area;
9413 #endif /* CONFIG_8xx */
9414
9415 if (is_exec) {
9416+#ifdef CONFIG_PPC_STD_MMU
9417+ if (error_code & DSISR_GUARDED)
9418+ goto bad_area;
9419+#endif
9420 /*
9421 * Allow execution from readable areas if the MMU does not
9422 * provide separate controls over reading and executing.
9423@@ -484,6 +519,23 @@ bad_area:
9424 bad_area_nosemaphore:
9425 /* User mode accesses cause a SIGSEGV */
9426 if (user_mode(regs)) {
9427+
9428+#ifdef CONFIG_PAX_PAGEEXEC
9429+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
9430+#ifdef CONFIG_PPC_STD_MMU
9431+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
9432+#else
9433+ if (is_exec && regs->nip == address) {
9434+#endif
9435+ switch (pax_handle_fetch_fault(regs)) {
9436+ }
9437+
9438+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
9439+ do_group_exit(SIGKILL);
9440+ }
9441+ }
9442+#endif
9443+
9444 _exception(SIGSEGV, regs, code, address);
9445 goto bail;
9446 }
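Review bot: The `switch (pax_handle_fetch_fault(regs)) { }` has no cases, so the return value is discarded and the statement reads like a forgotten case list. The PowerPC pax_handle_fetch_fault() added earlier in this file always returns 1, so a comment such as `/* no emulation cases on PowerPC: every fetch fault falls through to the kill below */` would make the intent explicit. The opening brace of the inner `if` is also written twice, once in each arm of `#ifdef CONFIG_PPC_STD_MMU`/`#else`, which makes brace matching hard to follow; computing the condition into a local under the `#ifdef` and using a single `if` would avoid that.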
9447diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c
9448index 0f0502e..bc3e7a3 100644
9449--- a/arch/powerpc/mm/mmap.c
9450+++ b/arch/powerpc/mm/mmap.c
9451@@ -86,6 +86,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9452 {
9453 unsigned long random_factor = 0UL;
9454
9455+#ifdef CONFIG_PAX_RANDMMAP
9456+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9457+#endif
9458+
9459 if (current->flags & PF_RANDOMIZE)
9460 random_factor = arch_mmap_rnd();
9461
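Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body inside its `#ifdef`; it silently takes the following `if (current->flags & PF_RANDOMIZE)` as its body across a blank line. Any statement later inserted between the two would become the guarded statement instead, and the stock randomisation would then run even with RANDMMAP set. At minimum add `/* guards the PF_RANDOMIZE test below */` inside the `#ifdef`, or fold the test into the existing condition. The same construct appears in the arch/s390/mm/mmap.c hunk and twice in arch/sh/mm/mmap.c, where it guards a whole `if (addr) { ... }` block.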
9462@@ -95,9 +99,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9463 */
9464 if (mmap_is_legacy()) {
9465 mm->mmap_base = TASK_UNMAPPED_BASE;
9466+
9467+#ifdef CONFIG_PAX_RANDMMAP
9468+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9469+ mm->mmap_base += mm->delta_mmap;
9470+#endif
9471+
9472 mm->get_unmapped_area = arch_get_unmapped_area;
9473 } else {
9474 mm->mmap_base = mmap_base(random_factor);
9475+
9476+#ifdef CONFIG_PAX_RANDMMAP
9477+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9478+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
9479+#endif
9480+
9481 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
9482 }
9483 }
9484diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c
9485index 0f432a7..abfe841 100644
9486--- a/arch/powerpc/mm/slice.c
9487+++ b/arch/powerpc/mm/slice.c
9488@@ -105,7 +105,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr,
9489 if ((mm->task_size - len) < addr)
9490 return 0;
9491 vma = find_vma(mm, addr);
9492- return (!vma || (addr + len) <= vma->vm_start);
9493+ return check_heap_stack_gap(vma, addr, len, 0);
9494 }
9495
9496 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
9497@@ -277,6 +277,12 @@ static unsigned long slice_find_area_bottomup(struct mm_struct *mm,
9498 info.align_offset = 0;
9499
9500 addr = TASK_UNMAPPED_BASE;
9501+
9502+#ifdef CONFIG_PAX_RANDMMAP
9503+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9504+ addr += mm->delta_mmap;
9505+#endif
9506+
9507 while (addr < TASK_SIZE) {
9508 info.low_limit = addr;
9509 if (!slice_scan_available(addr, available, 1, &addr))
9510@@ -410,6 +416,11 @@ unsigned long slice_get_unmapped_area(unsigned long addr, unsigned long len,
9511 if (fixed && addr > (mm->task_size - len))
9512 return -ENOMEM;
9513
9514+#ifdef CONFIG_PAX_RANDMMAP
9515+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
9516+ addr = 0;
9517+#endif
9518+
9519 /* If hint, make sure it matches our alignment restrictions */
9520 if (!fixed && addr) {
9521 addr = _ALIGN_UP(addr, 1ul << pshift);
9522diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
9523index d966bbe..372124a 100644
9524--- a/arch/powerpc/platforms/cell/spufs/file.c
9525+++ b/arch/powerpc/platforms/cell/spufs/file.c
9526@@ -280,9 +280,9 @@ spufs_mem_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
9527 return VM_FAULT_NOPAGE;
9528 }
9529
9530-static int spufs_mem_mmap_access(struct vm_area_struct *vma,
9531+static ssize_t spufs_mem_mmap_access(struct vm_area_struct *vma,
9532 unsigned long address,
9533- void *buf, int len, int write)
9534+ void *buf, size_t len, int write)
9535 {
9536 struct spu_context *ctx = vma->vm_file->private_data;
9537 unsigned long offset = address - vma->vm_start;
9538diff --git a/arch/s390/include/asm/atomic.h b/arch/s390/include/asm/atomic.h
9539index adbe380..adb7516 100644
9540--- a/arch/s390/include/asm/atomic.h
9541+++ b/arch/s390/include/asm/atomic.h
9542@@ -317,4 +317,14 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v)
9543 #define atomic64_dec_and_test(_v) (atomic64_sub_return(1, _v) == 0)
9544 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
9545
9546+#define atomic64_read_unchecked(v) atomic64_read(v)
9547+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
9548+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
9549+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
9550+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
9551+#define atomic64_inc_unchecked(v) atomic64_inc(v)
9552+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
9553+#define atomic64_dec_unchecked(v) atomic64_dec(v)
9554+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
9555+
9556 #endif /* __ARCH_S390_ATOMIC__ */
9557diff --git a/arch/s390/include/asm/barrier.h b/arch/s390/include/asm/barrier.h
9558index e6f8615..4a66339 100644
9559--- a/arch/s390/include/asm/barrier.h
9560+++ b/arch/s390/include/asm/barrier.h
9561@@ -42,7 +42,7 @@
9562 do { \
9563 compiletime_assert_atomic_type(*p); \
9564 barrier(); \
9565- ACCESS_ONCE(*p) = (v); \
9566+ ACCESS_ONCE_RW(*p) = (v); \
9567 } while (0)
9568
9569 #define smp_load_acquire(p) \
9570diff --git a/arch/s390/include/asm/cache.h b/arch/s390/include/asm/cache.h
9571index 4d7ccac..d03d0ad 100644
9572--- a/arch/s390/include/asm/cache.h
9573+++ b/arch/s390/include/asm/cache.h
9574@@ -9,8 +9,10 @@
9575 #ifndef __ARCH_S390_CACHE_H
9576 #define __ARCH_S390_CACHE_H
9577
9578-#define L1_CACHE_BYTES 256
9579+#include <linux/const.h>
9580+
9581 #define L1_CACHE_SHIFT 8
9582+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9583 #define NET_SKB_PAD 32
9584
9585 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9586diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
9587index 3ad48f2..64cc6f3 100644
9588--- a/arch/s390/include/asm/elf.h
9589+++ b/arch/s390/include/asm/elf.h
9590@@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
9591 (STACK_TOP / 3 * 2) : \
9592 (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1))
9593
9594+#ifdef CONFIG_PAX_ASLR
9595+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
9596+
9597+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26)
9598+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26)
9599+#endif
9600+
9601 /* This yields a mask that user programs can use to figure out what
9602 instruction set this CPU supports. */
9603
9604diff --git a/arch/s390/include/asm/exec.h b/arch/s390/include/asm/exec.h
9605index c4a93d6..4d2a9b4 100644
9606--- a/arch/s390/include/asm/exec.h
9607+++ b/arch/s390/include/asm/exec.h
9608@@ -7,6 +7,6 @@
9609 #ifndef __ASM_EXEC_H
9610 #define __ASM_EXEC_H
9611
9612-extern unsigned long arch_align_stack(unsigned long sp);
9613+#define arch_align_stack(x) ((x) & ~0xfUL)
9614
9615 #endif /* __ASM_EXEC_H */
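Review bot: The replacement macro only aligns the stack pointer, whereas the arch_align_stack() it replaces (deleted from arch/s390/kernel/process.c later in this patch) also subtracted `get_random_int() & ~PAGE_MASK` unless `ADDR_NO_RANDOMIZE` was set. That deletion also drops arch_randomize_brk(), and neither change is conditional on `CONFIG_PAX_ASLR` in the visible hunks. A kernel built from this patch with PaX ASLR disabled would therefore presumably lose sub-page stack and brk randomisation on s390, unless generic code outside this view supplies it. A comment on the macro saying where the randomisation now comes from would settle the question for the next reader.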
9616diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
9617index 9dd4cc4..36f4b84 100644
9618--- a/arch/s390/include/asm/uaccess.h
9619+++ b/arch/s390/include/asm/uaccess.h
9620@@ -59,6 +59,7 @@ static inline int __range_ok(unsigned long addr, unsigned long size)
9621 __range_ok((unsigned long)(addr), (size)); \
9622 })
9623
9624+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
9625 #define access_ok(type, addr, size) __access_ok(addr, size)
9626
9627 /*
9628@@ -278,6 +279,10 @@ static inline unsigned long __must_check
9629 copy_to_user(void __user *to, const void *from, unsigned long n)
9630 {
9631 might_fault();
9632+
9633+ if ((long)n < 0)
9634+ return n;
9635+
9636 return __copy_to_user(to, from, n);
9637 }
9638
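Review bot: The new `if ((long)n < 0) return n;` guard in copy_to_user() has no comment saying what it rejects, and the same applies to the identical guard added to copy_from_user() in the next hunk. Something like `/* a length with the sign bit set is almost certainly a negative value converted to unsigned long; refuse it */` would document the intent. In copy_from_user() the early return leaves `to` unwritten; whether callers on this architecture rely on the destination being zeroed on failure is not visible here and should be confirmed. Both functions are `__must_check`, which helps, but a caller that only tests the result and then reads the buffer on a partial-copy path would see stale data.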
9639@@ -307,10 +312,14 @@ __compiletime_warning("copy_from_user() buffer size is not provably correct")
9640 static inline unsigned long __must_check
9641 copy_from_user(void *to, const void __user *from, unsigned long n)
9642 {
9643- unsigned int sz = __compiletime_object_size(to);
9644+ size_t sz = __compiletime_object_size(to);
9645
9646 might_fault();
9647- if (unlikely(sz != -1 && sz < n)) {
9648+
9649+ if ((long)n < 0)
9650+ return n;
9651+
9652+ if (unlikely(sz != (size_t)-1 && sz < n)) {
9653 copy_from_user_overflow();
9654 return n;
9655 }
9656diff --git a/arch/s390/kernel/module.c b/arch/s390/kernel/module.c
9657index 0c1a679..e1df357 100644
9658--- a/arch/s390/kernel/module.c
9659+++ b/arch/s390/kernel/module.c
9660@@ -159,11 +159,11 @@ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
9661
9662 /* Increase core size by size of got & plt and set start
9663 offsets for got and plt. */
9664- me->core_size = ALIGN(me->core_size, 4);
9665- me->arch.got_offset = me->core_size;
9666- me->core_size += me->arch.got_size;
9667- me->arch.plt_offset = me->core_size;
9668- me->core_size += me->arch.plt_size;
9669+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
9670+ me->arch.got_offset = me->core_size_rw;
9671+ me->core_size_rw += me->arch.got_size;
9672+ me->arch.plt_offset = me->core_size_rx;
9673+ me->core_size_rx += me->arch.plt_size;
9674 return 0;
9675 }
9676
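Review bot: `me->arch.plt_offset` is now taken from `core_size_rx` without the `ALIGN(..., 4)` that the old code applied before laying out the GOT and PLT; only `core_size_rw` is aligned. apply_rela() in this file writes the PLT stub through an `unsigned int *` (`ip[0]`, `ip[1]`), so a `core_size_rx` that is not a multiple of 4 here would give a misaligned stub. Adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment restores the old guarantee. Whether `core_size_rx` is already aligned when module_frob_arch_sections() runs cannot be seen from this hunk, whose function starts outside it.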
9677@@ -279,7 +279,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9678 if (info->got_initialized == 0) {
9679 Elf_Addr *gotent;
9680
9681- gotent = me->module_core + me->arch.got_offset +
9682+ gotent = me->module_core_rw + me->arch.got_offset +
9683 info->got_offset;
9684 *gotent = val;
9685 info->got_initialized = 1;
9686@@ -302,7 +302,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9687 rc = apply_rela_bits(loc, val, 0, 64, 0);
9688 else if (r_type == R_390_GOTENT ||
9689 r_type == R_390_GOTPLTENT) {
9690- val += (Elf_Addr) me->module_core - loc;
9691+ val += (Elf_Addr) me->module_core_rw - loc;
9692 rc = apply_rela_bits(loc, val, 1, 32, 1);
9693 }
9694 break;
9695@@ -315,7 +315,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9696 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
9697 if (info->plt_initialized == 0) {
9698 unsigned int *ip;
9699- ip = me->module_core + me->arch.plt_offset +
9700+ ip = me->module_core_rx + me->arch.plt_offset +
9701 info->plt_offset;
9702 ip[0] = 0x0d10e310; /* basr 1,0; lg 1,10(1); br 1 */
9703 ip[1] = 0x100a0004;
9704@@ -334,7 +334,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9705 val - loc + 0xffffUL < 0x1ffffeUL) ||
9706 (r_type == R_390_PLT32DBL &&
9707 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
9708- val = (Elf_Addr) me->module_core +
9709+ val = (Elf_Addr) me->module_core_rx +
9710 me->arch.plt_offset +
9711 info->plt_offset;
9712 val += rela->r_addend - loc;
9713@@ -356,7 +356,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9714 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
9715 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
9716 val = val + rela->r_addend -
9717- ((Elf_Addr) me->module_core + me->arch.got_offset);
9718+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
9719 if (r_type == R_390_GOTOFF16)
9720 rc = apply_rela_bits(loc, val, 0, 16, 0);
9721 else if (r_type == R_390_GOTOFF32)
9722@@ -366,7 +366,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9723 break;
9724 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
9725 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
9726- val = (Elf_Addr) me->module_core + me->arch.got_offset +
9727+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
9728 rela->r_addend - loc;
9729 if (r_type == R_390_GOTPC)
9730 rc = apply_rela_bits(loc, val, 1, 32, 0);
9731diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
9732index 8f587d8..0642516b 100644
9733--- a/arch/s390/kernel/process.c
9734+++ b/arch/s390/kernel/process.c
9735@@ -200,27 +200,3 @@ unsigned long get_wchan(struct task_struct *p)
9736 }
9737 return 0;
9738 }
9739-
9740-unsigned long arch_align_stack(unsigned long sp)
9741-{
9742- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
9743- sp -= get_random_int() & ~PAGE_MASK;
9744- return sp & ~0xf;
9745-}
9746-
9747-static inline unsigned long brk_rnd(void)
9748-{
9749- /* 8MB for 32bit, 1GB for 64bit */
9750- if (is_32bit_task())
9751- return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
9752- else
9753- return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
9754-}
9755-
9756-unsigned long arch_randomize_brk(struct mm_struct *mm)
9757-{
9758- unsigned long ret;
9759-
9760- ret = PAGE_ALIGN(mm->brk + brk_rnd());
9761- return (ret > mm->brk) ? ret : mm->brk;
9762-}
9763diff --git a/arch/s390/mm/mmap.c b/arch/s390/mm/mmap.c
9764index 6e552af..3e608a1 100644
9765--- a/arch/s390/mm/mmap.c
9766+++ b/arch/s390/mm/mmap.c
9767@@ -239,6 +239,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9768 {
9769 unsigned long random_factor = 0UL;
9770
9771+#ifdef CONFIG_PAX_RANDMMAP
9772+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9773+#endif
9774+
9775 if (current->flags & PF_RANDOMIZE)
9776 random_factor = arch_mmap_rnd();
9777
9778@@ -248,9 +252,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9779 */
9780 if (mmap_is_legacy()) {
9781 mm->mmap_base = mmap_base_legacy(random_factor);
9782+
9783+#ifdef CONFIG_PAX_RANDMMAP
9784+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9785+ mm->mmap_base += mm->delta_mmap;
9786+#endif
9787+
9788 mm->get_unmapped_area = s390_get_unmapped_area;
9789 } else {
9790 mm->mmap_base = mmap_base(random_factor);
9791+
9792+#ifdef CONFIG_PAX_RANDMMAP
9793+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9794+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
9795+#endif
9796+
9797 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
9798 }
9799 }
9800diff --git a/arch/score/include/asm/cache.h b/arch/score/include/asm/cache.h
9801index ae3d59f..f65f075 100644
9802--- a/arch/score/include/asm/cache.h
9803+++ b/arch/score/include/asm/cache.h
9804@@ -1,7 +1,9 @@
9805 #ifndef _ASM_SCORE_CACHE_H
9806 #define _ASM_SCORE_CACHE_H
9807
9808+#include <linux/const.h>
9809+
9810 #define L1_CACHE_SHIFT 4
9811-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9812+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9813
9814 #endif /* _ASM_SCORE_CACHE_H */
9815diff --git a/arch/score/include/asm/exec.h b/arch/score/include/asm/exec.h
9816index f9f3cd5..58ff438 100644
9817--- a/arch/score/include/asm/exec.h
9818+++ b/arch/score/include/asm/exec.h
9819@@ -1,6 +1,6 @@
9820 #ifndef _ASM_SCORE_EXEC_H
9821 #define _ASM_SCORE_EXEC_H
9822
9823-extern unsigned long arch_align_stack(unsigned long sp);
9824+#define arch_align_stack(x) (x)
9825
9826 #endif /* _ASM_SCORE_EXEC_H */
9827diff --git a/arch/score/kernel/process.c b/arch/score/kernel/process.c
9828index a1519ad3..e8ac1ff 100644
9829--- a/arch/score/kernel/process.c
9830+++ b/arch/score/kernel/process.c
9831@@ -116,8 +116,3 @@ unsigned long get_wchan(struct task_struct *task)
9832
9833 return task_pt_regs(task)->cp0_epc;
9834 }
9835-
9836-unsigned long arch_align_stack(unsigned long sp)
9837-{
9838- return sp;
9839-}
9840diff --git a/arch/sh/include/asm/cache.h b/arch/sh/include/asm/cache.h
9841index ef9e555..331bd29 100644
9842--- a/arch/sh/include/asm/cache.h
9843+++ b/arch/sh/include/asm/cache.h
9844@@ -9,10 +9,11 @@
9845 #define __ASM_SH_CACHE_H
9846 #ifdef __KERNEL__
9847
9848+#include <linux/const.h>
9849 #include <linux/init.h>
9850 #include <cpu/cache.h>
9851
9852-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9853+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9854
9855 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9856
9857diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
9858index 6777177..cb5e44f 100644
9859--- a/arch/sh/mm/mmap.c
9860+++ b/arch/sh/mm/mmap.c
9861@@ -36,6 +36,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
9862 struct mm_struct *mm = current->mm;
9863 struct vm_area_struct *vma;
9864 int do_colour_align;
9865+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
9866 struct vm_unmapped_area_info info;
9867
9868 if (flags & MAP_FIXED) {
9869@@ -55,6 +56,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
9870 if (filp || (flags & MAP_SHARED))
9871 do_colour_align = 1;
9872
9873+#ifdef CONFIG_PAX_RANDMMAP
9874+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9875+#endif
9876+
9877 if (addr) {
9878 if (do_colour_align)
9879 addr = COLOUR_ALIGN(addr, pgoff);
9880@@ -62,14 +67,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
9881 addr = PAGE_ALIGN(addr);
9882
9883 vma = find_vma(mm, addr);
9884- if (TASK_SIZE - len >= addr &&
9885- (!vma || addr + len <= vma->vm_start))
9886+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
9887 return addr;
9888 }
9889
9890 info.flags = 0;
9891 info.length = len;
9892- info.low_limit = TASK_UNMAPPED_BASE;
9893+ info.low_limit = mm->mmap_base;
9894 info.high_limit = TASK_SIZE;
9895 info.align_mask = do_colour_align ? (PAGE_MASK & shm_align_mask) : 0;
9896 info.align_offset = pgoff << PAGE_SHIFT;
9897@@ -85,6 +89,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
9898 struct mm_struct *mm = current->mm;
9899 unsigned long addr = addr0;
9900 int do_colour_align;
9901+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
9902 struct vm_unmapped_area_info info;
9903
9904 if (flags & MAP_FIXED) {
9905@@ -104,6 +109,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
9906 if (filp || (flags & MAP_SHARED))
9907 do_colour_align = 1;
9908
9909+#ifdef CONFIG_PAX_RANDMMAP
9910+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9911+#endif
9912+
9913 /* requesting a specific address */
9914 if (addr) {
9915 if (do_colour_align)
9916@@ -112,8 +121,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
9917 addr = PAGE_ALIGN(addr);
9918
9919 vma = find_vma(mm, addr);
9920- if (TASK_SIZE - len >= addr &&
9921- (!vma || addr + len <= vma->vm_start))
9922+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
9923 return addr;
9924 }
9925
9926@@ -135,6 +143,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
9927 VM_BUG_ON(addr != -ENOMEM);
9928 info.flags = 0;
9929 info.low_limit = TASK_UNMAPPED_BASE;
9930+
9931+#ifdef CONFIG_PAX_RANDMMAP
9932+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9933+ info.low_limit += mm->delta_mmap;
9934+#endif
9935+
9936 info.high_limit = TASK_SIZE;
9937 addr = vm_unmapped_area(&info);
9938 }
9939diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
9940index 4082749..fd97781 100644
9941--- a/arch/sparc/include/asm/atomic_64.h
9942+++ b/arch/sparc/include/asm/atomic_64.h
9943@@ -15,18 +15,38 @@
9944 #define ATOMIC64_INIT(i) { (i) }
9945
9946 #define atomic_read(v) ACCESS_ONCE((v)->counter)
9947+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
9948+{
9949+ return ACCESS_ONCE(v->counter);
9950+}
9951 #define atomic64_read(v) ACCESS_ONCE((v)->counter)
9952+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
9953+{
9954+ return ACCESS_ONCE(v->counter);
9955+}
9956
9957 #define atomic_set(v, i) (((v)->counter) = i)
9958+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
9959+{
9960+ v->counter = i;
9961+}
9962 #define atomic64_set(v, i) (((v)->counter) = i)
9963+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
9964+{
9965+ v->counter = i;
9966+}
9967
9968-#define ATOMIC_OP(op) \
9969-void atomic_##op(int, atomic_t *); \
9970-void atomic64_##op(long, atomic64_t *);
9971+#define __ATOMIC_OP(op, suffix) \
9972+void atomic_##op##suffix(int, atomic##suffix##_t *); \
9973+void atomic64_##op##suffix(long, atomic64##suffix##_t *);
9974
9975-#define ATOMIC_OP_RETURN(op) \
9976-int atomic_##op##_return(int, atomic_t *); \
9977-long atomic64_##op##_return(long, atomic64_t *);
9978+#define ATOMIC_OP(op) __ATOMIC_OP(op, ) __ATOMIC_OP(op, _unchecked)
9979+
9980+#define __ATOMIC_OP_RETURN(op, suffix) \
9981+int atomic_##op##_return##suffix(int, atomic##suffix##_t *); \
9982+long atomic64_##op##_return##suffix(long, atomic64##suffix##_t *);
9983+
9984+#define ATOMIC_OP_RETURN(op) __ATOMIC_OP_RETURN(op, ) __ATOMIC_OP_RETURN(op, _unchecked)
9985
9986 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
9987
9988@@ -35,13 +55,23 @@ ATOMIC_OPS(sub)
9989
9990 #undef ATOMIC_OPS
9991 #undef ATOMIC_OP_RETURN
9992+#undef __ATOMIC_OP_RETURN
9993 #undef ATOMIC_OP
9994+#undef __ATOMIC_OP
9995
9996 #define atomic_dec_return(v) atomic_sub_return(1, v)
9997 #define atomic64_dec_return(v) atomic64_sub_return(1, v)
9998
9999 #define atomic_inc_return(v) atomic_add_return(1, v)
10000+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
10001+{
10002+ return atomic_add_return_unchecked(1, v);
10003+}
10004 #define atomic64_inc_return(v) atomic64_add_return(1, v)
10005+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
10006+{
10007+ return atomic64_add_return_unchecked(1, v);
10008+}
10009
10010 /*
10011 * atomic_inc_and_test - increment and test
10012@@ -52,6 +82,10 @@ ATOMIC_OPS(sub)
10013 * other cases.
10014 */
10015 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
10016+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
10017+{
10018+ return atomic_inc_return_unchecked(v) == 0;
10019+}
10020 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
10021
10022 #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
10023@@ -61,25 +95,60 @@ ATOMIC_OPS(sub)
10024 #define atomic64_dec_and_test(v) (atomic64_sub_return(1, v) == 0)
10025
10026 #define atomic_inc(v) atomic_add(1, v)
10027+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
10028+{
10029+ atomic_add_unchecked(1, v);
10030+}
10031 #define atomic64_inc(v) atomic64_add(1, v)
10032+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
10033+{
10034+ atomic64_add_unchecked(1, v);
10035+}
10036
10037 #define atomic_dec(v) atomic_sub(1, v)
10038+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
10039+{
10040+ atomic_sub_unchecked(1, v);
10041+}
10042 #define atomic64_dec(v) atomic64_sub(1, v)
10043+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
10044+{
10045+ atomic64_sub_unchecked(1, v);
10046+}
10047
10048 #define atomic_add_negative(i, v) (atomic_add_return(i, v) < 0)
10049 #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0)
10050
10051 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
10052+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
10053+{
10054+ return cmpxchg(&v->counter, old, new);
10055+}
10056 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
10057+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
10058+{
10059+ return xchg(&v->counter, new);
10060+}
10061
10062 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
10063 {
10064- int c, old;
10065+ int c, old, new;
10066 c = atomic_read(v);
10067 for (;;) {
10068- if (unlikely(c == (u)))
10069+ if (unlikely(c == u))
10070 break;
10071- old = atomic_cmpxchg((v), c, c + (a));
10072+
10073+ asm volatile("addcc %2, %0, %0\n"
10074+
10075+#ifdef CONFIG_PAX_REFCOUNT
10076+ "tvs %%icc, 6\n"
10077+#endif
10078+
10079+ : "=r" (new)
10080+ : "0" (c), "ir" (a)
10081+ : "cc");
10082+
10083+ old = atomic_cmpxchg(v, c, new);
10084 if (likely(old == c))
10085 break;
10086 c = old;
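Review bot: The overflow trap in the new asm block is written as a bare `tvs %%icc, 6`, and nothing here says what software trap 6 is or where it is handled. The next hunk repeats it for atomic64_add_unless() as `tvs %%xcc, 6`. A comment next to the instruction, for example `/* trap 6: refcount overflow, taken before the cmpxchg so the wrapped value is never stored */`, would record both the meaning of the number and the ordering that makes the check effective. The `addcc` also replaces the plain `c + (a)` when `CONFIG_PAX_REFCOUNT` is off, which is worth a word in the same comment. __atomic_add_unless() continues past the end of this hunk.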
10087@@ -90,20 +159,35 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
10088 #define atomic64_cmpxchg(v, o, n) \
10089 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
10090 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
10091+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
10092+{
10093+ return xchg(&v->counter, new);
10094+}
10095
10096 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
10097 {
10098- long c, old;
10099+ long c, old, new;
10100 c = atomic64_read(v);
10101 for (;;) {
10102- if (unlikely(c == (u)))
10103+ if (unlikely(c == u))
10104 break;
10105- old = atomic64_cmpxchg((v), c, c + (a));
10106+
10107+ asm volatile("addcc %2, %0, %0\n"
10108+
10109+#ifdef CONFIG_PAX_REFCOUNT
10110+ "tvs %%xcc, 6\n"
10111+#endif
10112+
10113+ : "=r" (new)
10114+ : "0" (c), "ir" (a)
10115+ : "cc");
10116+
10117+ old = atomic64_cmpxchg(v, c, new);
10118 if (likely(old == c))
10119 break;
10120 c = old;
10121 }
10122- return c != (u);
10123+ return c != u;
10124 }
10125
10126 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
10127diff --git a/arch/sparc/include/asm/barrier_64.h b/arch/sparc/include/asm/barrier_64.h
10128index 809941e..b443309 100644
10129--- a/arch/sparc/include/asm/barrier_64.h
10130+++ b/arch/sparc/include/asm/barrier_64.h
10131@@ -60,7 +60,7 @@ do { __asm__ __volatile__("ba,pt %%xcc, 1f\n\t" \
10132 do { \
10133 compiletime_assert_atomic_type(*p); \
10134 barrier(); \
10135- ACCESS_ONCE(*p) = (v); \
10136+ ACCESS_ONCE_RW(*p) = (v); \
10137 } while (0)
10138
10139 #define smp_load_acquire(p) \
10140diff --git a/arch/sparc/include/asm/cache.h b/arch/sparc/include/asm/cache.h
10141index 5bb6991..5c2132e 100644
10142--- a/arch/sparc/include/asm/cache.h
10143+++ b/arch/sparc/include/asm/cache.h
10144@@ -7,10 +7,12 @@
10145 #ifndef _SPARC_CACHE_H
10146 #define _SPARC_CACHE_H
10147
10148+#include <linux/const.h>
10149+
10150 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
10151
10152 #define L1_CACHE_SHIFT 5
10153-#define L1_CACHE_BYTES 32
10154+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
10155
10156 #ifdef CONFIG_SPARC32
10157 #define SMP_CACHE_BYTES_SHIFT 5
10158diff --git a/arch/sparc/include/asm/elf_32.h b/arch/sparc/include/asm/elf_32.h
10159index a24e41f..47677ff 100644
10160--- a/arch/sparc/include/asm/elf_32.h
10161+++ b/arch/sparc/include/asm/elf_32.h
10162@@ -114,6 +114,13 @@ typedef struct {
10163
10164 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
10165
10166+#ifdef CONFIG_PAX_ASLR
10167+#define PAX_ELF_ET_DYN_BASE 0x10000UL
10168+
10169+#define PAX_DELTA_MMAP_LEN 16
10170+#define PAX_DELTA_STACK_LEN 16
10171+#endif
10172+
10173 /* This yields a mask that user programs can use to figure out what
10174 instruction set this cpu supports. This can NOT be done in userspace
10175 on Sparc. */
10176diff --git a/arch/sparc/include/asm/elf_64.h b/arch/sparc/include/asm/elf_64.h
10177index 370ca1e..d4f4a98 100644
10178--- a/arch/sparc/include/asm/elf_64.h
10179+++ b/arch/sparc/include/asm/elf_64.h
10180@@ -189,6 +189,13 @@ typedef struct {
10181 #define ELF_ET_DYN_BASE 0x0000010000000000UL
10182 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
10183
10184+#ifdef CONFIG_PAX_ASLR
10185+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
10186+
10187+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
10188+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
10189+#endif
10190+
10191 extern unsigned long sparc64_elf_hwcap;
10192 #define ELF_HWCAP sparc64_elf_hwcap
10193
10194diff --git a/arch/sparc/include/asm/pgalloc_32.h b/arch/sparc/include/asm/pgalloc_32.h
10195index a3890da..f6a408e 100644
10196--- a/arch/sparc/include/asm/pgalloc_32.h
10197+++ b/arch/sparc/include/asm/pgalloc_32.h
10198@@ -35,6 +35,7 @@ static inline void pgd_set(pgd_t * pgdp, pmd_t * pmdp)
10199 }
10200
10201 #define pgd_populate(MM, PGD, PMD) pgd_set(PGD, PMD)
10202+#define pgd_populate_kernel(MM, PGD, PMD) pgd_populate((MM), (PGD), (PMD))
10203
10204 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm,
10205 unsigned long address)
10206diff --git a/arch/sparc/include/asm/pgalloc_64.h b/arch/sparc/include/asm/pgalloc_64.h
10207index 5e31871..13469c6 100644
10208--- a/arch/sparc/include/asm/pgalloc_64.h
10209+++ b/arch/sparc/include/asm/pgalloc_64.h
10210@@ -21,6 +21,7 @@ static inline void __pgd_populate(pgd_t *pgd, pud_t *pud)
10211 }
10212
10213 #define pgd_populate(MM, PGD, PUD) __pgd_populate(PGD, PUD)
10214+#define pgd_populate_kernel(MM, PGD, PMD) pgd_populate((MM), (PGD), (PMD))
10215
10216 static inline pgd_t *pgd_alloc(struct mm_struct *mm)
10217 {
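Review bot: The third parameter of the new `pgd_populate_kernel` macro is named `PMD`, but the `pgd_populate` it forwards to, on the line above, takes a `PUD` at that position. The expansion is unaffected, but the name misleads about which page-table level is being passed. `#define pgd_populate_kernel(MM, PGD, PUD) pgd_populate((MM), (PGD), (PUD))` matches the neighbouring definition.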
10218@@ -38,6 +39,7 @@ static inline void __pud_populate(pud_t *pud, pmd_t *pmd)
10219 }
10220
10221 #define pud_populate(MM, PUD, PMD) __pud_populate(PUD, PMD)
10222+#define pud_populate_kernel(MM, PUD, PMD) pud_populate((MM), (PUD), (PMD))
10223
10224 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
10225 {
10226diff --git a/arch/sparc/include/asm/pgtable.h b/arch/sparc/include/asm/pgtable.h
10227index 59ba6f6..4518128 100644
10228--- a/arch/sparc/include/asm/pgtable.h
10229+++ b/arch/sparc/include/asm/pgtable.h
10230@@ -5,4 +5,8 @@
10231 #else
10232 #include <asm/pgtable_32.h>
10233 #endif
10234+
10235+#define ktla_ktva(addr) (addr)
10236+#define ktva_ktla(addr) (addr)
10237+
10238 #endif
10239diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h
10240index f06b36a..bca3189 100644
10241--- a/arch/sparc/include/asm/pgtable_32.h
10242+++ b/arch/sparc/include/asm/pgtable_32.h
10243@@ -51,6 +51,9 @@ unsigned long __init bootmem_init(unsigned long *pages_avail);
10244 #define PAGE_SHARED SRMMU_PAGE_SHARED
10245 #define PAGE_COPY SRMMU_PAGE_COPY
10246 #define PAGE_READONLY SRMMU_PAGE_RDONLY
10247+#define PAGE_SHARED_NOEXEC SRMMU_PAGE_SHARED_NOEXEC
10248+#define PAGE_COPY_NOEXEC SRMMU_PAGE_COPY_NOEXEC
10249+#define PAGE_READONLY_NOEXEC SRMMU_PAGE_RDONLY_NOEXEC
10250 #define PAGE_KERNEL SRMMU_PAGE_KERNEL
10251
10252 /* Top-level page directory - dummy used by init-mm.
10253@@ -63,18 +66,18 @@ extern unsigned long ptr_in_current_pgd;
10254
10255 /* xwr */
10256 #define __P000 PAGE_NONE
10257-#define __P001 PAGE_READONLY
10258-#define __P010 PAGE_COPY
10259-#define __P011 PAGE_COPY
10260+#define __P001 PAGE_READONLY_NOEXEC
10261+#define __P010 PAGE_COPY_NOEXEC
10262+#define __P011 PAGE_COPY_NOEXEC
10263 #define __P100 PAGE_READONLY
10264 #define __P101 PAGE_READONLY
10265 #define __P110 PAGE_COPY
10266 #define __P111 PAGE_COPY
10267
10268 #define __S000 PAGE_NONE
10269-#define __S001 PAGE_READONLY
10270-#define __S010 PAGE_SHARED
10271-#define __S011 PAGE_SHARED
10272+#define __S001 PAGE_READONLY_NOEXEC
10273+#define __S010 PAGE_SHARED_NOEXEC
10274+#define __S011 PAGE_SHARED_NOEXEC
10275 #define __S100 PAGE_READONLY
10276 #define __S101 PAGE_READONLY
10277 #define __S110 PAGE_SHARED
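Review bot: The `__P001`–`__P011` and `__S001`–`__S011` entries switch to the `_NOEXEC` protections with no config guard in this hunk and no comment recording the new rule. The ASLR macros in asm/elf_64.h, by contrast, sit behind `CONFIG_PAX_ASLR`. Every sparc32 build therefore changes what a mapping without PROT_EXEC gets, and user code that relied on read implying execute would now fault. A line above the `/* xwr */` table such as `/* x clear => *_NOEXEC (no SRMMU_EXEC): read/write-only mappings are not executable */` would make that intent explicit.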
10278diff --git a/arch/sparc/include/asm/pgtsrmmu.h b/arch/sparc/include/asm/pgtsrmmu.h
10279index ae51a11..eadfd03 100644
10280--- a/arch/sparc/include/asm/pgtsrmmu.h
10281+++ b/arch/sparc/include/asm/pgtsrmmu.h
10282@@ -111,6 +111,11 @@
10283 SRMMU_EXEC | SRMMU_REF)
10284 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
10285 SRMMU_EXEC | SRMMU_REF)
10286+
10287+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
10288+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
10289+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
10290+
10291 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
10292 SRMMU_DIRTY | SRMMU_REF)
10293
10294diff --git a/arch/sparc/include/asm/setup.h b/arch/sparc/include/asm/setup.h
10295index 29d64b1..4272fe8 100644
10296--- a/arch/sparc/include/asm/setup.h
10297+++ b/arch/sparc/include/asm/setup.h
10298@@ -55,8 +55,8 @@ int handle_ldf_stq(u32 insn, struct pt_regs *regs);
10299 void handle_ld_nf(u32 insn, struct pt_regs *regs);
10300
10301 /* init_64.c */
10302-extern atomic_t dcpage_flushes;
10303-extern atomic_t dcpage_flushes_xcall;
10304+extern atomic_unchecked_t dcpage_flushes;
10305+extern atomic_unchecked_t dcpage_flushes_xcall;
10306
10307 extern int sysctl_tsb_ratio;
10308 #endif
10309diff --git a/arch/sparc/include/asm/spinlock_64.h b/arch/sparc/include/asm/spinlock_64.h
10310index 9689176..63c18ea 100644
10311--- a/arch/sparc/include/asm/spinlock_64.h
10312+++ b/arch/sparc/include/asm/spinlock_64.h
10313@@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *lock, unsigned long fla
10314
10315 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
10316
10317-static void inline arch_read_lock(arch_rwlock_t *lock)
10318+static inline void arch_read_lock(arch_rwlock_t *lock)
10319 {
10320 unsigned long tmp1, tmp2;
10321
10322 __asm__ __volatile__ (
10323 "1: ldsw [%2], %0\n"
10324 " brlz,pn %0, 2f\n"
10325-"4: add %0, 1, %1\n"
10326+"4: addcc %0, 1, %1\n"
10327+
10328+#ifdef CONFIG_PAX_REFCOUNT
10329+" tvs %%icc, 6\n"
10330+#endif
10331+
10332 " cas [%2], %0, %1\n"
10333 " cmp %0, %1\n"
10334 " bne,pn %%icc, 1b\n"
10335@@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_rwlock_t *lock)
10336 " .previous"
10337 : "=&r" (tmp1), "=&r" (tmp2)
10338 : "r" (lock)
10339- : "memory");
10340+ : "memory", "cc");
10341 }
10342
10343-static int inline arch_read_trylock(arch_rwlock_t *lock)
10344+static inline int arch_read_trylock(arch_rwlock_t *lock)
10345 {
10346 int tmp1, tmp2;
10347
10348@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch_rwlock_t *lock)
10349 "1: ldsw [%2], %0\n"
10350 " brlz,a,pn %0, 2f\n"
10351 " mov 0, %0\n"
10352-" add %0, 1, %1\n"
10353+" addcc %0, 1, %1\n"
10354+
10355+#ifdef CONFIG_PAX_REFCOUNT
10356+" tvs %%icc, 6\n"
10357+#endif
10358+
10359 " cas [%2], %0, %1\n"
10360 " cmp %0, %1\n"
10361 " bne,pn %%icc, 1b\n"
10362@@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch_rwlock_t *lock)
10363 return tmp1;
10364 }
10365
10366-static void inline arch_read_unlock(arch_rwlock_t *lock)
10367+static inline void arch_read_unlock(arch_rwlock_t *lock)
10368 {
10369 unsigned long tmp1, tmp2;
10370
10371 __asm__ __volatile__(
10372 "1: lduw [%2], %0\n"
10373-" sub %0, 1, %1\n"
10374+" subcc %0, 1, %1\n"
10375+
10376+#ifdef CONFIG_PAX_REFCOUNT
10377+" tvs %%icc, 6\n"
10378+#endif
10379+
10380 " cas [%2], %0, %1\n"
10381 " cmp %0, %1\n"
10382 " bne,pn %%xcc, 1b\n"
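Review bot: `arch_read_unlock` now uses `subcc` and the conditional `tvs`, but its clobber list is still `: "memory");`, visible as unchanged context at the top of the next hunk. The same change in `arch_read_lock` extended the list to `: "memory", "cc");`. The `arch_read_trylock` hunk adds `addcc` too and its clobber line lies outside the hunk, so it should be checked as well. Declaring the condition codes in all three, `: "memory", "cc");`, keeps the constraints consistent with what the asm writes.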
10383@@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch_rwlock_t *lock)
10384 : "memory");
10385 }
10386
10387-static void inline arch_write_lock(arch_rwlock_t *lock)
10388+static inline void arch_write_lock(arch_rwlock_t *lock)
10389 {
10390 unsigned long mask, tmp1, tmp2;
10391
10392@@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_rwlock_t *lock)
10393 : "memory");
10394 }
10395
10396-static void inline arch_write_unlock(arch_rwlock_t *lock)
10397+static inline void arch_write_unlock(arch_rwlock_t *lock)
10398 {
10399 __asm__ __volatile__(
10400 " stw %%g0, [%0]"
10401@@ -186,7 +201,7 @@ static void inline arch_write_unlock(arch_rwlock_t *lock)
10402 : "memory");
10403 }
10404
10405-static int inline arch_write_trylock(arch_rwlock_t *lock)
10406+static inline int arch_write_trylock(arch_rwlock_t *lock)
10407 {
10408 unsigned long mask, tmp1, tmp2, result;
10409
10410diff --git a/arch/sparc/include/asm/thread_info_32.h b/arch/sparc/include/asm/thread_info_32.h
10411index 229475f..2fca9163 100644
10412--- a/arch/sparc/include/asm/thread_info_32.h
10413+++ b/arch/sparc/include/asm/thread_info_32.h
10414@@ -48,6 +48,7 @@ struct thread_info {
10415 struct reg_window32 reg_window[NSWINS]; /* align for ldd! */
10416 unsigned long rwbuf_stkptrs[NSWINS];
10417 unsigned long w_saved;
10418+ unsigned long lowest_stack;
10419 };
10420
10421 /*
10422diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h
10423index bde5982..9cbb56d 100644
10424--- a/arch/sparc/include/asm/thread_info_64.h
10425+++ b/arch/sparc/include/asm/thread_info_64.h
10426@@ -59,6 +59,8 @@ struct thread_info {
10427 struct pt_regs *kern_una_regs;
10428 unsigned int kern_una_insn;
10429
10430+ unsigned long lowest_stack;
10431+
10432 unsigned long fpregs[(7 * 256) / sizeof(unsigned long)]
10433 __attribute__ ((aligned(64)));
10434 };
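Review bot: `lowest_stack` is inserted in the middle of `struct thread_info`, directly before the 64-byte-aligned `fpregs`, with no comment on what it tracks or why this position is safe. The hunk does not show whether the field lands in existing alignment padding or shifts `fpregs`. If the header keeps hand-written offset constants for assembly (for example `TI_FPREGS`), they must still agree with the layout. A comment stating the field's purpose and that the assembly offsets were rechecked would close the gap. The 32-bit header appends the same field at the end of its struct, where the question does not arise.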
10435@@ -180,12 +182,13 @@ register struct thread_info *current_thread_info_reg asm("g6");
10436 #define TIF_NEED_RESCHED 3 /* rescheduling necessary */
10437 /* flag bit 4 is available */
10438 #define TIF_UNALIGNED 5 /* allowed to do unaligned accesses */
10439-/* flag bit 6 is available */
10440+#define TIF_GRSEC_SETXID 6 /* update credentials on syscall entry/exit */
10441 #define TIF_32BIT 7 /* 32-bit binary */
10442 #define TIF_NOHZ 8 /* in adaptive nohz mode */
10443 #define TIF_SECCOMP 9 /* secure computing */
10444 #define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */
10445 #define TIF_SYSCALL_TRACEPOINT 11 /* syscall tracepoint instrumentation */
10446+
10447 /* NOTE: Thread flags >= 12 should be ones we have no interest
10448 * in using in assembly, else we can't use the mask as
10449 * an immediate value in instructions such as andcc.
10450@@ -205,12 +208,17 @@ register struct thread_info *current_thread_info_reg asm("g6");
10451 #define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
10452 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
10453 #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
10454+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
10455
10456 #define _TIF_USER_WORK_MASK ((0xff << TI_FLAG_WSAVED_SHIFT) | \
10457 _TIF_DO_NOTIFY_RESUME_MASK | \
10458 _TIF_NEED_RESCHED)
10459 #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | _TIF_SIGPENDING)
10460
10461+#define _TIF_WORK_SYSCALL \
10462+ (_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \
10463+ _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ | _TIF_GRSEC_SETXID)
10464+
10465 #define is_32bit_task() (test_thread_flag(TIF_32BIT))
10466
10467 /*
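Review bot: `_TIF_WORK_SYSCALL` is used as an `andcc` immediate in arch/sparc/kernel/syscalls.S later in this patch, but its definition is not tied to the restriction stated earlier in this header that only flags below 12 can be used that way. All six bits currently satisfy it, since `TIF_GRSEC_SETXID` is 6. A later addition to the mask could break the assembly silently. Suggest `/* used as an andcc immediate in syscalls.S: every flag here must be < 12 */` directly above the define.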
10468diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h
10469index bd56c28..4b63d83 100644
10470--- a/arch/sparc/include/asm/uaccess.h
10471+++ b/arch/sparc/include/asm/uaccess.h
10472@@ -1,5 +1,6 @@
10473 #ifndef ___ASM_SPARC_UACCESS_H
10474 #define ___ASM_SPARC_UACCESS_H
10475+
10476 #if defined(__sparc__) && defined(__arch64__)
10477 #include <asm/uaccess_64.h>
10478 #else
10479diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
10480index 64ee103..388aef0 100644
10481--- a/arch/sparc/include/asm/uaccess_32.h
10482+++ b/arch/sparc/include/asm/uaccess_32.h
10483@@ -47,6 +47,7 @@
10484 #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
10485 #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
10486 #define __access_ok(addr, size) (__user_ok((addr) & get_fs().seg, (size)))
10487+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
10488 #define access_ok(type, addr, size) \
10489 ({ (void)(type); __access_ok((unsigned long)(addr), size); })
10490
10491@@ -313,27 +314,46 @@ unsigned long __copy_user(void __user *to, const void __user *from, unsigned lon
10492
10493 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
10494 {
10495- if (n && __access_ok((unsigned long) to, n))
10496+ if ((long)n < 0)
10497+ return n;
10498+
10499+ if (n && __access_ok((unsigned long) to, n)) {
10500+ if (!__builtin_constant_p(n))
10501+ check_object_size(from, n, true);
10502 return __copy_user(to, (__force void __user *) from, n);
10503- else
10504+ } else
10505 return n;
10506 }
10507
10508 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
10509 {
10510+ if ((long)n < 0)
10511+ return n;
10512+
10513+ if (!__builtin_constant_p(n))
10514+ check_object_size(from, n, true);
10515+
10516 return __copy_user(to, (__force void __user *) from, n);
10517 }
10518
10519 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
10520 {
10521- if (n && __access_ok((unsigned long) from, n))
10522+ if ((long)n < 0)
10523+ return n;
10524+
10525+ if (n && __access_ok((unsigned long) from, n)) {
10526+ if (!__builtin_constant_p(n))
10527+ check_object_size(to, n, false);
10528 return __copy_user((__force void __user *) to, from, n);
10529- else
10530+ } else
10531 return n;
10532 }
10533
10534 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
10535 {
10536+ if ((long)n < 0)
10537+ return n;
10538+
10539 return __copy_user((__force void __user *) to, from, n);
10540 }
10541
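Review bot: `__copy_from_user` receives only the `(long)n < 0` guard, while `copy_to_user`, `__copy_to_user` and `copy_from_user` in the same hunk also call `check_object_size()` for non-constant lengths. Unless the omission is deliberate, this leaves one copy-in path where the kernel destination object is not bounds-checked. Adding `if (!__builtin_constant_p(n))` and `check_object_size(to, n, false);` before the `__copy_user` call would make the four helpers agree. If it is deliberate, a comment saying why belongs at this spot.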
10542diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
10543index ea6e9a2..5703598 100644
10544--- a/arch/sparc/include/asm/uaccess_64.h
10545+++ b/arch/sparc/include/asm/uaccess_64.h
10546@@ -10,6 +10,7 @@
10547 #include <linux/compiler.h>
10548 #include <linux/string.h>
10549 #include <linux/thread_info.h>
10550+#include <linux/kernel.h>
10551 #include <asm/asi.h>
10552 #include <asm/spitfire.h>
10553 #include <asm-generic/uaccess-unaligned.h>
10554@@ -76,6 +77,11 @@ static inline int __access_ok(const void __user * addr, unsigned long size)
10555 return 1;
10556 }
10557
10558+static inline int access_ok_noprefault(int type, const void __user * addr, unsigned long size)
10559+{
10560+ return 1;
10561+}
10562+
10563 static inline int access_ok(int type, const void __user * addr, unsigned long size)
10564 {
10565 return 1;
10566@@ -250,8 +256,15 @@ unsigned long copy_from_user_fixup(void *to, const void __user *from,
10567 static inline unsigned long __must_check
10568 copy_from_user(void *to, const void __user *from, unsigned long size)
10569 {
10570- unsigned long ret = ___copy_from_user(to, from, size);
10571+ unsigned long ret;
10572
10573+ if ((long)size < 0 || size > INT_MAX)
10574+ return size;
10575+
10576+ if (!__builtin_constant_p(size))
10577+ check_object_size(to, size, false);
10578+
10579+ ret = ___copy_from_user(to, from, size);
10580 if (unlikely(ret))
10581 ret = copy_from_user_fixup(to, from, size);
10582
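Review bot: In `copy_from_user` the test `(long)size < 0 || size > INT_MAX` is redundant on a 64-bit kernel. `size` is `unsigned long`, so any value with the sign bit set is already greater than `INT_MAX`. `if (size > INT_MAX) return size;` says the same thing. A comment such as `/* refuse copies larger than INT_MAX bytes outright */` would document the changed contract. The identical condition appears in the `copy_to_user` hunk that follows. The tail of the function is outside this hunk.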
10583@@ -267,8 +280,15 @@ unsigned long copy_to_user_fixup(void __user *to, const void *from,
10584 static inline unsigned long __must_check
10585 copy_to_user(void __user *to, const void *from, unsigned long size)
10586 {
10587- unsigned long ret = ___copy_to_user(to, from, size);
10588+ unsigned long ret;
10589
10590+ if ((long)size < 0 || size > INT_MAX)
10591+ return size;
10592+
10593+ if (!__builtin_constant_p(size))
10594+ check_object_size(from, size, true);
10595+
10596+ ret = ___copy_to_user(to, from, size);
10597 if (unlikely(ret))
10598 ret = copy_to_user_fixup(to, from, size);
10599 return ret;
10600diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
10601index 7cf9c6e..6206648 100644
10602--- a/arch/sparc/kernel/Makefile
10603+++ b/arch/sparc/kernel/Makefile
10604@@ -4,7 +4,7 @@
10605 #
10606
10607 asflags-y := -ansi
10608-ccflags-y := -Werror
10609+#ccflags-y := -Werror
10610
10611 extra-y := head_$(BITS).o
10612
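Review bot: `-Werror` is disabled by commenting the line out with no explanation, so warnings in arch/sparc/kernel no longer fail the build and a dead line stays in the Makefile. If code added elsewhere in the patch triggers warnings that cannot be fixed, record that next to the change, e.g. `# -Werror dropped: <reason>`. Otherwise delete the line instead of leaving it commented. Silencing the flag for the whole directory also hides new warnings in code this patch does not touch.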
10613diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c
10614index 50e7b62..79fae35 100644
10615--- a/arch/sparc/kernel/process_32.c
10616+++ b/arch/sparc/kernel/process_32.c
10617@@ -123,14 +123,14 @@ void show_regs(struct pt_regs *r)
10618
10619 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
10620 r->psr, r->pc, r->npc, r->y, print_tainted());
10621- printk("PC: <%pS>\n", (void *) r->pc);
10622+ printk("PC: <%pA>\n", (void *) r->pc);
10623 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10624 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
10625 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
10626 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10627 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
10628 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
10629- printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
10630+ printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
10631
10632 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10633 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
10634@@ -167,7 +167,7 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
10635 rw = (struct reg_window32 *) fp;
10636 pc = rw->ins[7];
10637 printk("[%08lx : ", pc);
10638- printk("%pS ] ", (void *) pc);
10639+ printk("%pA ] ", (void *) pc);
10640 fp = rw->ins[6];
10641 } while (++count < 16);
10642 printk("\n");
10643diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c
10644index 46a5964..a35c62c 100644
10645--- a/arch/sparc/kernel/process_64.c
10646+++ b/arch/sparc/kernel/process_64.c
10647@@ -161,7 +161,7 @@ static void show_regwindow(struct pt_regs *regs)
10648 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
10649 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
10650 if (regs->tstate & TSTATE_PRIV)
10651- printk("I7: <%pS>\n", (void *) rwk->ins[7]);
10652+ printk("I7: <%pA>\n", (void *) rwk->ins[7]);
10653 }
10654
10655 void show_regs(struct pt_regs *regs)
10656@@ -170,7 +170,7 @@ void show_regs(struct pt_regs *regs)
10657
10658 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
10659 regs->tpc, regs->tnpc, regs->y, print_tainted());
10660- printk("TPC: <%pS>\n", (void *) regs->tpc);
10661+ printk("TPC: <%pA>\n", (void *) regs->tpc);
10662 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
10663 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
10664 regs->u_regs[3]);
10665@@ -183,7 +183,7 @@ void show_regs(struct pt_regs *regs)
10666 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
10667 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
10668 regs->u_regs[15]);
10669- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
10670+ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
10671 show_regwindow(regs);
10672 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
10673 }
10674@@ -278,7 +278,7 @@ void arch_trigger_all_cpu_backtrace(bool include_self)
10675 ((tp && tp->task) ? tp->task->pid : -1));
10676
10677 if (gp->tstate & TSTATE_PRIV) {
10678- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
10679+ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
10680 (void *) gp->tpc,
10681 (void *) gp->o7,
10682 (void *) gp->i7,
10683diff --git a/arch/sparc/kernel/prom_common.c b/arch/sparc/kernel/prom_common.c
10684index 79cc0d1..ec62734 100644
10685--- a/arch/sparc/kernel/prom_common.c
10686+++ b/arch/sparc/kernel/prom_common.c
10687@@ -144,7 +144,7 @@ static int __init prom_common_nextprop(phandle node, char *prev, char *buf)
10688
10689 unsigned int prom_early_allocated __initdata;
10690
10691-static struct of_pdt_ops prom_sparc_ops __initdata = {
10692+static struct of_pdt_ops prom_sparc_ops __initconst = {
10693 .nextprop = prom_common_nextprop,
10694 .getproplen = prom_getproplen,
10695 .getproperty = prom_getproperty,
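Review bot: `prom_sparc_ops` is moved to `__initconst` but is still declared without `const`, so a writable object is placed in the init read-only data section. That relies on tooling not visible here, such as a plugin that constifies ops structures, and without it a compiler may report a section type conflict. Declaring it `static const struct of_pdt_ops prom_sparc_ops __initconst = {` states the intent in the source, provided the consumer accepts a const pointer, which the hunk does not show. The initializer continues past the end of the hunk.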
10696diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
10697index 9ddc492..27a5619 100644
10698--- a/arch/sparc/kernel/ptrace_64.c
10699+++ b/arch/sparc/kernel/ptrace_64.c
10700@@ -1060,6 +1060,10 @@ long arch_ptrace(struct task_struct *child, long request,
10701 return ret;
10702 }
10703
10704+#ifdef CONFIG_GRKERNSEC_SETXID
10705+extern void gr_delayed_cred_worker(void);
10706+#endif
10707+
10708 asmlinkage int syscall_trace_enter(struct pt_regs *regs)
10709 {
10710 int ret = 0;
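Review bot: `extern void gr_delayed_cred_worker(void);` is declared locally in the .c file, so the compiler never checks this prototype against the definition. A later signature change would then build cleanly and misbehave at run time. The declaration belongs in a shared header included by both sides, with an empty `static inline` stub for the `!CONFIG_GRKERNSEC_SETXID` case so the two call sites in `syscall_trace_enter` and `syscall_trace_leave` can drop their `#ifdef`s. The same pattern recurs with `extern void gr_handle_kernel_exploit(void);` in arch/sparc/kernel/traps_32.c.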
10711@@ -1070,6 +1074,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
10712 if (test_thread_flag(TIF_NOHZ))
10713 user_exit();
10714
10715+#ifdef CONFIG_GRKERNSEC_SETXID
10716+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
10717+ gr_delayed_cred_worker();
10718+#endif
10719+
10720 if (test_thread_flag(TIF_SYSCALL_TRACE))
10721 ret = tracehook_report_syscall_entry(regs);
10722
10723@@ -1088,6 +1097,11 @@ asmlinkage void syscall_trace_leave(struct pt_regs *regs)
10724 if (test_thread_flag(TIF_NOHZ))
10725 user_exit();
10726
10727+#ifdef CONFIG_GRKERNSEC_SETXID
10728+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
10729+ gr_delayed_cred_worker();
10730+#endif
10731+
10732 audit_syscall_exit(regs);
10733
10734 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
10735diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
10736index 19cd08d..ff21e99 100644
10737--- a/arch/sparc/kernel/smp_64.c
10738+++ b/arch/sparc/kernel/smp_64.c
10739@@ -891,7 +891,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
10740 return;
10741
10742 #ifdef CONFIG_DEBUG_DCFLUSH
10743- atomic_inc(&dcpage_flushes);
10744+ atomic_inc_unchecked(&dcpage_flushes);
10745 #endif
10746
10747 this_cpu = get_cpu();
10748@@ -915,7 +915,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
10749 xcall_deliver(data0, __pa(pg_addr),
10750 (u64) pg_addr, cpumask_of(cpu));
10751 #ifdef CONFIG_DEBUG_DCFLUSH
10752- atomic_inc(&dcpage_flushes_xcall);
10753+ atomic_inc_unchecked(&dcpage_flushes_xcall);
10754 #endif
10755 }
10756 }
10757@@ -934,7 +934,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
10758 preempt_disable();
10759
10760 #ifdef CONFIG_DEBUG_DCFLUSH
10761- atomic_inc(&dcpage_flushes);
10762+ atomic_inc_unchecked(&dcpage_flushes);
10763 #endif
10764 data0 = 0;
10765 pg_addr = page_address(page);
10766@@ -951,7 +951,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
10767 xcall_deliver(data0, __pa(pg_addr),
10768 (u64) pg_addr, cpu_online_mask);
10769 #ifdef CONFIG_DEBUG_DCFLUSH
10770- atomic_inc(&dcpage_flushes_xcall);
10771+ atomic_inc_unchecked(&dcpage_flushes_xcall);
10772 #endif
10773 }
10774 __local_flush_dcache_page(page);
10775diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
10776index 646988d..b88905f 100644
10777--- a/arch/sparc/kernel/sys_sparc_32.c
10778+++ b/arch/sparc/kernel/sys_sparc_32.c
10779@@ -54,7 +54,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10780 if (len > TASK_SIZE - PAGE_SIZE)
10781 return -ENOMEM;
10782 if (!addr)
10783- addr = TASK_UNMAPPED_BASE;
10784+ addr = current->mm->mmap_base;
10785
10786 info.flags = 0;
10787 info.length = len;
10788diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
10789index 30e7ddb..266a3b0 100644
10790--- a/arch/sparc/kernel/sys_sparc_64.c
10791+++ b/arch/sparc/kernel/sys_sparc_64.c
10792@@ -89,13 +89,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10793 struct vm_area_struct * vma;
10794 unsigned long task_size = TASK_SIZE;
10795 int do_color_align;
10796+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
10797 struct vm_unmapped_area_info info;
10798
10799 if (flags & MAP_FIXED) {
10800 /* We do not accept a shared mapping if it would violate
10801 * cache aliasing constraints.
10802 */
10803- if ((flags & MAP_SHARED) &&
10804+ if ((filp || (flags & MAP_SHARED)) &&
10805 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10806 return -EINVAL;
10807 return addr;
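Review bot: The comment above the `MAP_FIXED` check still says "We do not accept a shared mapping", but the condition is now `filp || (flags & MAP_SHARED)`, so misaligned file-backed private mappings are rejected as well. Update it to something like `/* Reject file-backed or shared mappings that would violate cache aliasing constraints. */` so the stricter rule is not mistaken for a typo. The same edit and the same stale comment appear in the `arch_get_unmapped_area_topdown` hunk further down. `offset` is also computed in the initializer before the `MAP_FIXED` early return, which never uses it.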
10808@@ -110,6 +111,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10809 if (filp || (flags & MAP_SHARED))
10810 do_color_align = 1;
10811
10812+#ifdef CONFIG_PAX_RANDMMAP
10813+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10814+#endif
10815+
10816 if (addr) {
10817 if (do_color_align)
10818 addr = COLOR_ALIGN(addr, pgoff);
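Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own. It silently governs the `if (addr) {` block that follows the `#endif` and a blank line. Any statement later inserted between them would change what is guarded without a compiler diagnostic. At minimum add `/* no braces: guards the if (addr) block below */` inside the `#ifdef`. A clearer form sets a local flag under the `#ifdef` and tests it together with `addr`. The same construct is used in the `arch_get_unmapped_area_topdown` hunk, where a comment line already separates the two `if`s, and in `mmap_rnd`.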
10819@@ -117,22 +122,28 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10820 addr = PAGE_ALIGN(addr);
10821
10822 vma = find_vma(mm, addr);
10823- if (task_size - len >= addr &&
10824- (!vma || addr + len <= vma->vm_start))
10825+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10826 return addr;
10827 }
10828
10829 info.flags = 0;
10830 info.length = len;
10831- info.low_limit = TASK_UNMAPPED_BASE;
10832+ info.low_limit = mm->mmap_base;
10833 info.high_limit = min(task_size, VA_EXCLUDE_START);
10834 info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
10835 info.align_offset = pgoff << PAGE_SHIFT;
10836+ info.threadstack_offset = offset;
10837 addr = vm_unmapped_area(&info);
10838
10839 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
10840 VM_BUG_ON(addr != -ENOMEM);
10841 info.low_limit = VA_EXCLUDE_END;
10842+
10843+#ifdef CONFIG_PAX_RANDMMAP
10844+ if (mm->pax_flags & MF_PAX_RANDMMAP)
10845+ info.low_limit += mm->delta_mmap;
10846+#endif
10847+
10848 info.high_limit = task_size;
10849 addr = vm_unmapped_area(&info);
10850 }
10851@@ -150,6 +161,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10852 unsigned long task_size = STACK_TOP32;
10853 unsigned long addr = addr0;
10854 int do_color_align;
10855+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
10856 struct vm_unmapped_area_info info;
10857
10858 /* This should only ever run for 32-bit processes. */
10859@@ -159,7 +171,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10860 /* We do not accept a shared mapping if it would violate
10861 * cache aliasing constraints.
10862 */
10863- if ((flags & MAP_SHARED) &&
10864+ if ((filp || (flags & MAP_SHARED)) &&
10865 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10866 return -EINVAL;
10867 return addr;
10868@@ -172,6 +184,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10869 if (filp || (flags & MAP_SHARED))
10870 do_color_align = 1;
10871
10872+#ifdef CONFIG_PAX_RANDMMAP
10873+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10874+#endif
10875+
10876 /* requesting a specific address */
10877 if (addr) {
10878 if (do_color_align)
10879@@ -180,8 +196,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10880 addr = PAGE_ALIGN(addr);
10881
10882 vma = find_vma(mm, addr);
10883- if (task_size - len >= addr &&
10884- (!vma || addr + len <= vma->vm_start))
10885+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10886 return addr;
10887 }
10888
10889@@ -191,6 +206,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10890 info.high_limit = mm->mmap_base;
10891 info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
10892 info.align_offset = pgoff << PAGE_SHIFT;
10893+ info.threadstack_offset = offset;
10894 addr = vm_unmapped_area(&info);
10895
10896 /*
10897@@ -203,6 +219,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10898 VM_BUG_ON(addr != -ENOMEM);
10899 info.flags = 0;
10900 info.low_limit = TASK_UNMAPPED_BASE;
10901+
10902+#ifdef CONFIG_PAX_RANDMMAP
10903+ if (mm->pax_flags & MF_PAX_RANDMMAP)
10904+ info.low_limit += mm->delta_mmap;
10905+#endif
10906+
10907 info.high_limit = STACK_TOP32;
10908 addr = vm_unmapped_area(&info);
10909 }
10910@@ -259,10 +281,14 @@ unsigned long get_fb_unmapped_area(struct file *filp, unsigned long orig_addr, u
10911 EXPORT_SYMBOL(get_fb_unmapped_area);
10912
10913 /* Essentially the same as PowerPC. */
10914-static unsigned long mmap_rnd(void)
10915+static unsigned long mmap_rnd(struct mm_struct *mm)
10916 {
10917 unsigned long rnd = 0UL;
10918
10919+#ifdef CONFIG_PAX_RANDMMAP
10920+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10921+#endif
10922+
10923 if (current->flags & PF_RANDOMIZE) {
10924 unsigned long val = get_random_int();
10925 if (test_thread_flag(TIF_32BIT))
10926@@ -275,7 +301,7 @@ static unsigned long mmap_rnd(void)
10927
10928 void arch_pick_mmap_layout(struct mm_struct *mm)
10929 {
10930- unsigned long random_factor = mmap_rnd();
10931+ unsigned long random_factor = mmap_rnd(mm);
10932 unsigned long gap;
10933
10934 /*
10935@@ -288,6 +314,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
10936 gap == RLIM_INFINITY ||
10937 sysctl_legacy_va_layout) {
10938 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
10939+
10940+#ifdef CONFIG_PAX_RANDMMAP
10941+ if (mm->pax_flags & MF_PAX_RANDMMAP)
10942+ mm->mmap_base += mm->delta_mmap;
10943+#endif
10944+
10945 mm->get_unmapped_area = arch_get_unmapped_area;
10946 } else {
10947 /* We know it's 32-bit */
10948@@ -299,6 +331,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
10949 gap = (task_size / 6 * 5);
10950
10951 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
10952+
10953+#ifdef CONFIG_PAX_RANDMMAP
10954+ if (mm->pax_flags & MF_PAX_RANDMMAP)
10955+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
10956+#endif
10957+
10958 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
10959 }
10960 }
10961diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
10962index bb00089..e0ea580 100644
10963--- a/arch/sparc/kernel/syscalls.S
10964+++ b/arch/sparc/kernel/syscalls.S
10965@@ -62,7 +62,7 @@ sys32_rt_sigreturn:
10966 #endif
10967 .align 32
10968 1: ldx [%g6 + TI_FLAGS], %l5
10969- andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
10970+ andcc %l5, _TIF_WORK_SYSCALL, %g0
10971 be,pt %icc, rtrap
10972 nop
10973 call syscall_trace_leave
10974@@ -194,7 +194,7 @@ linux_sparc_syscall32:
10975
10976 srl %i3, 0, %o3 ! IEU0
10977 srl %i2, 0, %o2 ! IEU0 Group
10978- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
10979+ andcc %l0, _TIF_WORK_SYSCALL, %g0
10980 bne,pn %icc, linux_syscall_trace32 ! CTI
10981 mov %i0, %l5 ! IEU1
10982 5: call %l7 ! CTI Group brk forced
10983@@ -218,7 +218,7 @@ linux_sparc_syscall:
10984
10985 mov %i3, %o3 ! IEU1
10986 mov %i4, %o4 ! IEU0 Group
10987- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
10988+ andcc %l0, _TIF_WORK_SYSCALL, %g0
10989 bne,pn %icc, linux_syscall_trace ! CTI Group
10990 mov %i0, %l5 ! IEU0
10991 2: call %l7 ! CTI Group brk forced
10992@@ -233,7 +233,7 @@ ret_sys_call:
10993
10994 cmp %o0, -ERESTART_RESTARTBLOCK
10995 bgeu,pn %xcc, 1f
10996- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
10997+ andcc %l0, _TIF_WORK_SYSCALL, %g0
10998 ldx [%sp + PTREGS_OFF + PT_V9_TNPC], %l1 ! pc = npc
10999
11000 2:
11001diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c
11002index 4f21df7..0a374da 100644
11003--- a/arch/sparc/kernel/traps_32.c
11004+++ b/arch/sparc/kernel/traps_32.c
11005@@ -44,6 +44,8 @@ static void instruction_dump(unsigned long *pc)
11006 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
11007 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
11008
11009+extern void gr_handle_kernel_exploit(void);
11010+
11011 void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11012 {
11013 static int die_counter;
11014@@ -76,15 +78,17 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11015 count++ < 30 &&
11016 (((unsigned long) rw) >= PAGE_OFFSET) &&
11017 !(((unsigned long) rw) & 0x7)) {
11018- printk("Caller[%08lx]: %pS\n", rw->ins[7],
11019+ printk("Caller[%08lx]: %pA\n", rw->ins[7],
11020 (void *) rw->ins[7]);
11021 rw = (struct reg_window32 *)rw->ins[6];
11022 }
11023 }
11024 printk("Instruction DUMP:");
11025 instruction_dump ((unsigned long *) regs->pc);
11026- if(regs->psr & PSR_PS)
11027+ if(regs->psr & PSR_PS) {
11028+ gr_handle_kernel_exploit();
11029 do_exit(SIGKILL);
11030+ }
11031 do_exit(SIGSEGV);
11032 }
11033
11034diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c
11035index d21cd62..00a4a17 100644
11036--- a/arch/sparc/kernel/traps_64.c
11037+++ b/arch/sparc/kernel/traps_64.c
11038@@ -79,7 +79,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p)
11039 i + 1,
11040 p->trapstack[i].tstate, p->trapstack[i].tpc,
11041 p->trapstack[i].tnpc, p->trapstack[i].tt);
11042- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
11043+ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
11044 }
11045 }
11046
11047@@ -99,6 +99,12 @@ void bad_trap(struct pt_regs *regs, long lvl)
11048
11049 lvl -= 0x100;
11050 if (regs->tstate & TSTATE_PRIV) {
11051+
11052+#ifdef CONFIG_PAX_REFCOUNT
11053+ if (lvl == 6)
11054+ pax_report_refcount_overflow(regs);
11055+#endif
11056+
11057 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
11058 die_if_kernel(buffer, regs);
11059 }
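Review bot: The literal `6` in `if (lvl == 6)` has to match the trap number in the `tvs %%icc, 6` instructions added to arch/sparc/include/asm/spinlock_64.h, and nothing in either file ties the two together. If one side changes, the overflow report silently stops firing and the trap falls through to the generic "Kernel bad sw trap" path. A comment such as `/* software trap 6 is raised by the tvs in PAX_REFCOUNT-instrumented code */` would help, and a shared named constant would be better. The rest of `bad_trap` lies outside the hunk.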
11060@@ -117,11 +123,16 @@ void bad_trap(struct pt_regs *regs, long lvl)
11061 void bad_trap_tl1(struct pt_regs *regs, long lvl)
11062 {
11063 char buffer[32];
11064-
11065+
11066 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
11067 0, lvl, SIGTRAP) == NOTIFY_STOP)
11068 return;
11069
11070+#ifdef CONFIG_PAX_REFCOUNT
11071+ if (lvl == 6)
11072+ pax_report_refcount_overflow(regs);
11073+#endif
11074+
11075 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
11076
11077 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
11078@@ -1151,7 +1162,7 @@ static void cheetah_log_errors(struct pt_regs *regs, struct cheetah_err_info *in
11079 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
11080 printk("%s" "ERROR(%d): ",
11081 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
11082- printk("TPC<%pS>\n", (void *) regs->tpc);
11083+ printk("TPC<%pA>\n", (void *) regs->tpc);
11084 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
11085 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
11086 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
11087@@ -1758,7 +1769,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs)
11088 smp_processor_id(),
11089 (type & 0x1) ? 'I' : 'D',
11090 regs->tpc);
11091- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
11092+ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
11093 panic("Irrecoverable Cheetah+ parity error.");
11094 }
11095
11096@@ -1766,7 +1777,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs)
11097 smp_processor_id(),
11098 (type & 0x1) ? 'I' : 'D',
11099 regs->tpc);
11100- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
11101+ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
11102 }
11103
11104 struct sun4v_error_entry {
11105@@ -1839,8 +1850,8 @@ struct sun4v_error_entry {
11106 /*0x38*/u64 reserved_5;
11107 };
11108
11109-static atomic_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
11110-static atomic_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
11111+static atomic_unchecked_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
11112+static atomic_unchecked_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
11113
11114 static const char *sun4v_err_type_to_str(u8 type)
11115 {
11116@@ -1932,7 +1943,7 @@ static void sun4v_report_real_raddr(const char *pfx, struct pt_regs *regs)
11117 }
11118
11119 static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
11120- int cpu, const char *pfx, atomic_t *ocnt)
11121+ int cpu, const char *pfx, atomic_unchecked_t *ocnt)
11122 {
11123 u64 *raw_ptr = (u64 *) ent;
11124 u32 attrs;
11125@@ -1990,8 +2001,8 @@ static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
11126
11127 show_regs(regs);
11128
11129- if ((cnt = atomic_read(ocnt)) != 0) {
11130- atomic_set(ocnt, 0);
11131+ if ((cnt = atomic_read_unchecked(ocnt)) != 0) {
11132+ atomic_set_unchecked(ocnt, 0);
11133 wmb();
11134 printk("%s: Queue overflowed %d times.\n",
11135 pfx, cnt);
11136@@ -2048,7 +2059,7 @@ out:
11137 */
11138 void sun4v_resum_overflow(struct pt_regs *regs)
11139 {
11140- atomic_inc(&sun4v_resum_oflow_cnt);
11141+ atomic_inc_unchecked(&sun4v_resum_oflow_cnt);
11142 }
11143
11144 /* We run with %pil set to PIL_NORMAL_MAX and PSTATE_IE enabled in %pstate.
11145@@ -2101,7 +2112,7 @@ void sun4v_nonresum_overflow(struct pt_regs *regs)
11146 /* XXX Actually even this can make not that much sense. Perhaps
11147 * XXX we should just pull the plug and panic directly from here?
11148 */
11149- atomic_inc(&sun4v_nonresum_oflow_cnt);
11150+ atomic_inc_unchecked(&sun4v_nonresum_oflow_cnt);
11151 }
11152
11153 static void sun4v_tlb_error(struct pt_regs *regs)
11154@@ -2120,9 +2131,9 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl)
11155
11156 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
11157 regs->tpc, tl);
11158- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
11159+ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
11160 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
11161- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
11162+ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
11163 (void *) regs->u_regs[UREG_I7]);
11164 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
11165 "pte[%lx] error[%lx]\n",
11166@@ -2143,9 +2154,9 @@ void sun4v_dtlb_error_report(struct pt_regs *regs, int tl)
11167
11168 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
11169 regs->tpc, tl);
11170- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
11171+ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
11172 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
11173- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
11174+ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
11175 (void *) regs->u_regs[UREG_I7]);
11176 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
11177 "pte[%lx] error[%lx]\n",
11178@@ -2362,13 +2373,13 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
11179 fp = (unsigned long)sf->fp + STACK_BIAS;
11180 }
11181
11182- printk(" [%016lx] %pS\n", pc, (void *) pc);
11183+ printk(" [%016lx] %pA\n", pc, (void *) pc);
11184 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
11185 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
11186 int index = tsk->curr_ret_stack;
11187 if (tsk->ret_stack && index >= graph) {
11188 pc = tsk->ret_stack[index - graph].ret;
11189- printk(" [%016lx] %pS\n", pc, (void *) pc);
11190+ printk(" [%016lx] %pA\n", pc, (void *) pc);
11191 graph++;
11192 }
11193 }
11194@@ -2386,6 +2397,8 @@ static inline struct reg_window *kernel_stack_up(struct reg_window *rw)
11195 return (struct reg_window *) (fp + STACK_BIAS);
11196 }
11197
11198+extern void gr_handle_kernel_exploit(void);
11199+
11200 void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11201 {
11202 static int die_counter;
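Review bot: `extern void gr_handle_kernel_exploit(void);` is declared ad hoc in the .c file, so the compiler cannot check this prototype against the definition. Putting the declaration in a header that both the definition and the callers include would turn a later signature change into a build error instead of a silent mismatch on the oops path. die_if_kernel's body continues outside this hunk.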
11203@@ -2414,7 +2427,7 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11204 while (rw &&
11205 count++ < 30 &&
11206 kstack_valid(tp, (unsigned long) rw)) {
11207- printk("Caller[%016lx]: %pS\n", rw->ins[7],
11208+ printk("Caller[%016lx]: %pA\n", rw->ins[7],
11209 (void *) rw->ins[7]);
11210
11211 rw = kernel_stack_up(rw);
11212@@ -2429,8 +2442,10 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11213 }
11214 if (panic_on_oops)
11215 panic("Fatal exception");
11216- if (regs->tstate & TSTATE_PRIV)
11217+ if (regs->tstate & TSTATE_PRIV) {
11218+ gr_handle_kernel_exploit();
11219 do_exit(SIGKILL);
11220+ }
11221 do_exit(SIGSEGV);
11222 }
11223 EXPORT_SYMBOL(die_if_kernel);
11224diff --git a/arch/sparc/kernel/unaligned_64.c b/arch/sparc/kernel/unaligned_64.c
11225index 62098a8..547ab2c 100644
11226--- a/arch/sparc/kernel/unaligned_64.c
11227+++ b/arch/sparc/kernel/unaligned_64.c
11228@@ -297,7 +297,7 @@ static void log_unaligned(struct pt_regs *regs)
11229 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
11230
11231 if (__ratelimit(&ratelimit)) {
11232- printk("Kernel unaligned access at TPC[%lx] %pS\n",
11233+ printk("Kernel unaligned access at TPC[%lx] %pA\n",
11234 regs->tpc, (void *) regs->tpc);
11235 }
11236 }
11237diff --git a/arch/sparc/lib/Makefile b/arch/sparc/lib/Makefile
11238index 3269b02..64f5231 100644
11239--- a/arch/sparc/lib/Makefile
11240+++ b/arch/sparc/lib/Makefile
11241@@ -2,7 +2,7 @@
11242 #
11243
11244 asflags-y := -ansi -DST_DIV0=0x02
11245-ccflags-y := -Werror
11246+#ccflags-y := -Werror
11247
11248 lib-$(CONFIG_SPARC32) += ashrdi3.o
11249 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
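Review bot: `#ccflags-y := -Werror` leaves the old setting behind as commented-out code with no explanation, and the same edit is made in arch/sparc/mm/Makefile. Dropping -Werror here means new warnings in the fault handlers and atomic helpers this patch touches will no longer stop the build. If the flag must go, delete the line and say why in a comment, for example `# -Werror dropped: <reason>`, or fix the warnings that motivated it.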
11250diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S
11251index 05dac43..76f8ed4 100644
11252--- a/arch/sparc/lib/atomic_64.S
11253+++ b/arch/sparc/lib/atomic_64.S
11254@@ -15,11 +15,22 @@
11255 * a value and does the barriers.
11256 */
11257
11258-#define ATOMIC_OP(op) \
11259-ENTRY(atomic_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11260+#ifdef CONFIG_PAX_REFCOUNT
11261+#define __REFCOUNT_OP(op) op##cc
11262+#define __OVERFLOW_IOP tvs %icc, 6;
11263+#define __OVERFLOW_XOP tvs %xcc, 6;
11264+#else
11265+#define __REFCOUNT_OP(op) op
11266+#define __OVERFLOW_IOP
11267+#define __OVERFLOW_XOP
11268+#endif
11269+
11270+#define __ATOMIC_OP(op, suffix, asm_op, post_op) \
11271+ENTRY(atomic_##op##suffix) /* %o0 = increment, %o1 = atomic_ptr */ \
11272 BACKOFF_SETUP(%o2); \
11273 1: lduw [%o1], %g1; \
11274- op %g1, %o0, %g7; \
11275+ asm_op %g1, %o0, %g7; \
11276+ post_op \
11277 cas [%o1], %g1, %g7; \
11278 cmp %g1, %g7; \
11279 bne,pn %icc, BACKOFF_LABEL(2f, 1b); \
11280@@ -29,11 +40,15 @@ ENTRY(atomic_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11281 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11282 ENDPROC(atomic_##op); \
11283
11284-#define ATOMIC_OP_RETURN(op) \
11285-ENTRY(atomic_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11286+#define ATOMIC_OP(op) __ATOMIC_OP(op, , op, ) \
11287+ __ATOMIC_OP(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_IOP)
11288+
11289+#define __ATOMIC_OP_RETURN(op, suffix, asm_op, post_op) \
11290+ENTRY(atomic_##op##_return##suffix) /* %o0 = increment, %o1 = atomic_ptr */\
11291 BACKOFF_SETUP(%o2); \
11292 1: lduw [%o1], %g1; \
11293- op %g1, %o0, %g7; \
11294+ asm_op %g1, %o0, %g7; \
11295+ post_op \
11296 cas [%o1], %g1, %g7; \
11297 cmp %g1, %g7; \
11298 bne,pn %icc, BACKOFF_LABEL(2f, 1b); \
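Review bot: The two instantiations in `ATOMIC_OP` look swapped: the plain `atomic_##op` entry is built with the bare `op` and an empty `post_op`, while the `_unchecked` entry gets `__REFCOUNT_OP(op)` and `__OVERFLOW_IOP`. As written, the overflow trap is emitted only in the variant whose name says it is exempt, and ordinary `atomic_add`/`atomic_sub` on reference counts would wrap without trapping under CONFIG_PAX_REFCOUNT. The intended form is presumably `#define ATOMIC_OP(op) __ATOMIC_OP(op, , __REFCOUNT_OP(op), __OVERFLOW_IOP) \` followed by `__ATOMIC_OP(op, _unchecked, op, )`. The same ordering appears in `ATOMIC_OP_RETURN`, `ATOMIC64_OP` and `ATOMIC64_OP_RETURN` in the later hunks of this file.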
11299@@ -43,6 +58,9 @@ ENTRY(atomic_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11300 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11301 ENDPROC(atomic_##op##_return);
11302
11303+#define ATOMIC_OP_RETURN(op) __ATOMIC_OP_RETURN(op, , op, ) \
11304+ __ATOMIC_OP_RETURN(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_IOP)
11305+
11306 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
11307
11308 ATOMIC_OPS(add)
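Review bot: `ENDPROC(atomic_##op##_return);` was left without the new `suffix` parameter, although the matching `ENTRY(atomic_##op##_return##suffix)` now takes it. For the `_unchecked` instantiation the end marker therefore names the unsuffixed symbol, so the type and size annotations would be applied to the wrong symbol and the `_unchecked` one would get none. It should read `ENDPROC(atomic_##op##_return##suffix);`. The same applies to `ENDPROC(atomic_##op)`, `ENDPROC(atomic64_##op)` and `ENDPROC(atomic64_##op##_return)` in the neighbouring hunks.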
11309@@ -50,13 +68,16 @@ ATOMIC_OPS(sub)
11310
11311 #undef ATOMIC_OPS
11312 #undef ATOMIC_OP_RETURN
11313+#undef __ATOMIC_OP_RETURN
11314 #undef ATOMIC_OP
11315+#undef __ATOMIC_OP
11316
11317-#define ATOMIC64_OP(op) \
11318-ENTRY(atomic64_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11319+#define __ATOMIC64_OP(op, suffix, asm_op, post_op) \
11320+ENTRY(atomic64_##op##suffix) /* %o0 = increment, %o1 = atomic_ptr */ \
11321 BACKOFF_SETUP(%o2); \
11322 1: ldx [%o1], %g1; \
11323- op %g1, %o0, %g7; \
11324+ asm_op %g1, %o0, %g7; \
11325+ post_op \
11326 casx [%o1], %g1, %g7; \
11327 cmp %g1, %g7; \
11328 bne,pn %xcc, BACKOFF_LABEL(2f, 1b); \
11329@@ -66,11 +87,15 @@ ENTRY(atomic64_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11330 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11331 ENDPROC(atomic64_##op); \
11332
11333-#define ATOMIC64_OP_RETURN(op) \
11334-ENTRY(atomic64_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11335+#define ATOMIC64_OP(op) __ATOMIC64_OP(op, , op, ) \
11336+ __ATOMIC64_OP(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_XOP)
11337+
11338+#define __ATOMIC64_OP_RETURN(op, suffix, asm_op, post_op) \
11339+ENTRY(atomic64_##op##_return##suffix) /* %o0 = increment, %o1 = atomic_ptr */\
11340 BACKOFF_SETUP(%o2); \
11341 1: ldx [%o1], %g1; \
11342- op %g1, %o0, %g7; \
11343+ asm_op %g1, %o0, %g7; \
11344+ post_op \
11345 casx [%o1], %g1, %g7; \
11346 cmp %g1, %g7; \
11347 bne,pn %xcc, BACKOFF_LABEL(2f, 1b); \
11348@@ -80,6 +105,9 @@ ENTRY(atomic64_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11349 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11350 ENDPROC(atomic64_##op##_return);
11351
11352+#define ATOMIC64_OP_RETURN(op) __ATOMIC64_OP_RETURN(op, , op, ) \
11353+i __ATOMIC64_OP_RETURN(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_XOP)
11354+
11355 #define ATOMIC64_OPS(op) ATOMIC64_OP(op) ATOMIC64_OP_RETURN(op)
11356
11357 ATOMIC64_OPS(add)
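Review bot: The continuation line of `ATOMIC64_OP_RETURN` begins with a stray `i` before `__ATOMIC64_OP_RETURN(op, _unchecked, ...)`. That character becomes part of the macro expansion, so it lands in the assembler input immediately ahead of the second `ENTRY(...)`. It is likely to break the build of atomic_64.S or corrupt the generated symbol. The line should start with whitespace only, as the corresponding line of `ATOMIC64_OP` does.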
11358@@ -87,7 +115,12 @@ ATOMIC64_OPS(sub)
11359
11360 #undef ATOMIC64_OPS
11361 #undef ATOMIC64_OP_RETURN
11362+#undef __ATOMIC64_OP_RETURN
11363 #undef ATOMIC64_OP
11364+#undef __ATOMIC64_OP
11365+#undef __OVERFLOW_XOP
11366+#undef __OVERFLOW_IOP
11367+#undef __REFCOUNT_OP
11368
11369 ENTRY(atomic64_dec_if_positive) /* %o0 = atomic_ptr */
11370 BACKOFF_SETUP(%o2)
11371diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
11372index 8069ce1..c2e23c4 100644
11373--- a/arch/sparc/lib/ksyms.c
11374+++ b/arch/sparc/lib/ksyms.c
11375@@ -101,7 +101,9 @@ EXPORT_SYMBOL(__clear_user);
11376 /* Atomic counter implementation. */
11377 #define ATOMIC_OP(op) \
11378 EXPORT_SYMBOL(atomic_##op); \
11379-EXPORT_SYMBOL(atomic64_##op);
11380+EXPORT_SYMBOL(atomic_##op##_unchecked); \
11381+EXPORT_SYMBOL(atomic64_##op); \
11382+EXPORT_SYMBOL(atomic64_##op##_unchecked);
11383
11384 #define ATOMIC_OP_RETURN(op) \
11385 EXPORT_SYMBOL(atomic_##op##_return); \
11386@@ -110,6 +112,8 @@ EXPORT_SYMBOL(atomic64_##op##_return);
11387 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
11388
11389 ATOMIC_OPS(add)
11390+EXPORT_SYMBOL(atomic_add_ret_unchecked);
11391+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
11392 ATOMIC_OPS(sub)
11393
11394 #undef ATOMIC_OPS
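Review bot: The added exports `atomic_add_ret_unchecked` and `atomic64_add_ret_unchecked` do not match the names the patched atomic_64.S generates, which are `atomic_##op##_return##suffix`, i.e. `atomic_add_return_unchecked`. Unless the `_ret_` symbols are defined somewhere outside this view, these two lines export undefined symbols, and the real `_return_unchecked` entry points for both add and sub stay unexported to modules. Extending the `ATOMIC_OP_RETURN` macro instead would cover all four, with `EXPORT_SYMBOL(atomic_##op##_return_unchecked);` and `EXPORT_SYMBOL(atomic64_##op##_return_unchecked);`.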
11395diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile
11396index 30c3ecc..736f015 100644
11397--- a/arch/sparc/mm/Makefile
11398+++ b/arch/sparc/mm/Makefile
11399@@ -2,7 +2,7 @@
11400 #
11401
11402 asflags-y := -ansi
11403-ccflags-y := -Werror
11404+#ccflags-y := -Werror
11405
11406 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o gup.o
11407 obj-y += fault_$(BITS).o
11408diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
11409index c399e7b..2387414 100644
11410--- a/arch/sparc/mm/fault_32.c
11411+++ b/arch/sparc/mm/fault_32.c
11412@@ -22,6 +22,9 @@
11413 #include <linux/interrupt.h>
11414 #include <linux/kdebug.h>
11415 #include <linux/uaccess.h>
11416+#include <linux/slab.h>
11417+#include <linux/pagemap.h>
11418+#include <linux/compiler.h>
11419
11420 #include <asm/page.h>
11421 #include <asm/pgtable.h>
11422@@ -156,6 +159,277 @@ static unsigned long compute_si_addr(struct pt_regs *regs, int text_fault)
11423 return safe_compute_effective_address(regs, insn);
11424 }
11425
11426+#ifdef CONFIG_PAX_PAGEEXEC
11427+#ifdef CONFIG_PAX_DLRESOLVE
11428+static void pax_emuplt_close(struct vm_area_struct *vma)
11429+{
11430+ vma->vm_mm->call_dl_resolve = 0UL;
11431+}
11432+
11433+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
11434+{
11435+ unsigned int *kaddr;
11436+
11437+ vmf->page = alloc_page(GFP_HIGHUSER);
11438+ if (!vmf->page)
11439+ return VM_FAULT_OOM;
11440+
11441+ kaddr = kmap(vmf->page);
11442+ memset(kaddr, 0, PAGE_SIZE);
11443+ kaddr[0] = 0x9DE3BFA8U; /* save */
11444+ flush_dcache_page(vmf->page);
11445+ kunmap(vmf->page);
11446+ return VM_FAULT_MAJOR;
11447+}
11448+
11449+static const struct vm_operations_struct pax_vm_ops = {
11450+ .close = pax_emuplt_close,
11451+ .fault = pax_emuplt_fault
11452+};
11453+
11454+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
11455+{
11456+ int ret;
11457+
11458+ INIT_LIST_HEAD(&vma->anon_vma_chain);
11459+ vma->vm_mm = current->mm;
11460+ vma->vm_start = addr;
11461+ vma->vm_end = addr + PAGE_SIZE;
11462+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
11463+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
11464+ vma->vm_ops = &pax_vm_ops;
11465+
11466+ ret = insert_vm_struct(current->mm, vma);
11467+ if (ret)
11468+ return ret;
11469+
11470+ ++current->mm->total_vm;
11471+ return 0;
11472+}
11473+#endif
11474+
11475+/*
11476+ * PaX: decide what to do with offenders (regs->pc = fault address)
11477+ *
11478+ * returns 1 when task should be killed
11479+ * 2 when patched PLT trampoline was detected
11480+ * 3 when unpatched PLT trampoline was detected
11481+ */
11482+static int pax_handle_fetch_fault(struct pt_regs *regs)
11483+{
11484+
11485+#ifdef CONFIG_PAX_EMUPLT
11486+ int err;
11487+
11488+ do { /* PaX: patched PLT emulation #1 */
11489+ unsigned int sethi1, sethi2, jmpl;
11490+
11491+ err = get_user(sethi1, (unsigned int *)regs->pc);
11492+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
11493+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
11494+
11495+ if (err)
11496+ break;
11497+
11498+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
11499+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
11500+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
11501+ {
11502+ unsigned int addr;
11503+
11504+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
11505+ addr = regs->u_regs[UREG_G1];
11506+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11507+ regs->pc = addr;
11508+ regs->npc = addr+4;
11509+ return 2;
11510+ }
11511+ } while (0);
11512+
11513+ do { /* PaX: patched PLT emulation #2 */
11514+ unsigned int ba;
11515+
11516+ err = get_user(ba, (unsigned int *)regs->pc);
11517+
11518+ if (err)
11519+ break;
11520+
11521+ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
11522+ unsigned int addr;
11523+
11524+ if ((ba & 0xFFC00000U) == 0x30800000U)
11525+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
11526+ else
11527+ addr = regs->pc + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11528+ regs->pc = addr;
11529+ regs->npc = addr+4;
11530+ return 2;
11531+ }
11532+ } while (0);
11533+
11534+ do { /* PaX: patched PLT emulation #3 */
11535+ unsigned int sethi, bajmpl, nop;
11536+
11537+ err = get_user(sethi, (unsigned int *)regs->pc);
11538+ err |= get_user(bajmpl, (unsigned int *)(regs->pc+4));
11539+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
11540+
11541+ if (err)
11542+ break;
11543+
11544+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11545+ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
11546+ nop == 0x01000000U)
11547+ {
11548+ unsigned int addr;
11549+
11550+ addr = (sethi & 0x003FFFFFU) << 10;
11551+ regs->u_regs[UREG_G1] = addr;
11552+ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
11553+ addr += (((bajmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11554+ else
11555+ addr = regs->pc + ((((bajmpl | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11556+ regs->pc = addr;
11557+ regs->npc = addr+4;
11558+ return 2;
11559+ }
11560+ } while (0);
11561+
11562+ do { /* PaX: unpatched PLT emulation step 1 */
11563+ unsigned int sethi, ba, nop;
11564+
11565+ err = get_user(sethi, (unsigned int *)regs->pc);
11566+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
11567+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
11568+
11569+ if (err)
11570+ break;
11571+
11572+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11573+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
11574+ nop == 0x01000000U)
11575+ {
11576+ unsigned int addr, save, call;
11577+
11578+ if ((ba & 0xFFC00000U) == 0x30800000U)
11579+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
11580+ else
11581+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11582+
11583+ err = get_user(save, (unsigned int *)addr);
11584+ err |= get_user(call, (unsigned int *)(addr+4));
11585+ err |= get_user(nop, (unsigned int *)(addr+8));
11586+ if (err)
11587+ break;
11588+
11589+#ifdef CONFIG_PAX_DLRESOLVE
11590+ if (save == 0x9DE3BFA8U &&
11591+ (call & 0xC0000000U) == 0x40000000U &&
11592+ nop == 0x01000000U)
11593+ {
11594+ struct vm_area_struct *vma;
11595+ unsigned long call_dl_resolve;
11596+
11597+ down_read(&current->mm->mmap_sem);
11598+ call_dl_resolve = current->mm->call_dl_resolve;
11599+ up_read(&current->mm->mmap_sem);
11600+ if (likely(call_dl_resolve))
11601+ goto emulate;
11602+
11603+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
11604+
11605+ down_write(&current->mm->mmap_sem);
11606+ if (current->mm->call_dl_resolve) {
11607+ call_dl_resolve = current->mm->call_dl_resolve;
11608+ up_write(&current->mm->mmap_sem);
11609+ if (vma)
11610+ kmem_cache_free(vm_area_cachep, vma);
11611+ goto emulate;
11612+ }
11613+
11614+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
11615+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
11616+ up_write(&current->mm->mmap_sem);
11617+ if (vma)
11618+ kmem_cache_free(vm_area_cachep, vma);
11619+ return 1;
11620+ }
11621+
11622+ if (pax_insert_vma(vma, call_dl_resolve)) {
11623+ up_write(&current->mm->mmap_sem);
11624+ kmem_cache_free(vm_area_cachep, vma);
11625+ return 1;
11626+ }
11627+
11628+ current->mm->call_dl_resolve = call_dl_resolve;
11629+ up_write(&current->mm->mmap_sem);
11630+
11631+emulate:
11632+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
11633+ regs->pc = call_dl_resolve;
11634+ regs->npc = addr+4;
11635+ return 3;
11636+ }
11637+#endif
11638+
11639+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
11640+ if ((save & 0xFFC00000U) == 0x05000000U &&
11641+ (call & 0xFFFFE000U) == 0x85C0A000U &&
11642+ nop == 0x01000000U)
11643+ {
11644+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
11645+ regs->u_regs[UREG_G2] = addr + 4;
11646+ addr = (save & 0x003FFFFFU) << 10;
11647+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11648+ regs->pc = addr;
11649+ regs->npc = addr+4;
11650+ return 3;
11651+ }
11652+ }
11653+ } while (0);
11654+
11655+ do { /* PaX: unpatched PLT emulation step 2 */
11656+ unsigned int save, call, nop;
11657+
11658+ err = get_user(save, (unsigned int *)(regs->pc-4));
11659+ err |= get_user(call, (unsigned int *)regs->pc);
11660+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
11661+ if (err)
11662+ break;
11663+
11664+ if (save == 0x9DE3BFA8U &&
11665+ (call & 0xC0000000U) == 0x40000000U &&
11666+ nop == 0x01000000U)
11667+ {
11668+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
11669+
11670+ regs->u_regs[UREG_RETPC] = regs->pc;
11671+ regs->pc = dl_resolve;
11672+ regs->npc = dl_resolve+4;
11673+ return 3;
11674+ }
11675+ } while (0);
11676+#endif
11677+
11678+ return 1;
11679+}
11680+
11681+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
11682+{
11683+ unsigned long i;
11684+
11685+ printk(KERN_ERR "PAX: bytes at PC: ");
11686+ for (i = 0; i < 8; i++) {
11687+ unsigned int c;
11688+ if (get_user(c, (unsigned int *)pc+i))
11689+ printk(KERN_CONT "???????? ");
11690+ else
11691+ printk(KERN_CONT "%08x ", c);
11692+ }
11693+ printk("\n");
11694+}
11695+#endif
11696+
11697 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
11698 int text_fault)
11699 {
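Review bot: pax_handle_fetch_fault reports its verdict as the bare integers 1, 2 and 3, explained only in the comment block above it, and the caller added in the next hunk switches on the literals `case 2:` and `case 3:`. A small enum would keep both sides in step and make the kill path explicit, e.g. `enum { PAX_FETCH_KILL = 1, PAX_FETCH_PATCHED_PLT, PAX_FETCH_UNPATCHED_PLT };` (names illustrative). The instruction-matching masks such as `(sethi1 & 0xFFC00000U) == 0x03000000U` would also benefit from a short comment naming the instruction and register each pattern accepts, since these checks decide whether a fault at a non-executable address is emulated or fatal. In pax_report_insns the closing `printk("\n")` carries no `KERN_CONT`, unlike the words printed before it; `printk(KERN_CONT "\n");` would keep the dump on one log record.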
11700@@ -226,6 +500,24 @@ good_area:
11701 if (!(vma->vm_flags & VM_WRITE))
11702 goto bad_area;
11703 } else {
11704+
11705+#ifdef CONFIG_PAX_PAGEEXEC
11706+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
11707+ up_read(&mm->mmap_sem);
11708+ switch (pax_handle_fetch_fault(regs)) {
11709+
11710+#ifdef CONFIG_PAX_EMUPLT
11711+ case 2:
11712+ case 3:
11713+ return;
11714+#endif
11715+
11716+ }
11717+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
11718+ do_group_exit(SIGKILL);
11719+ }
11720+#endif
11721+
11722 /* Allow reads even for write-only mappings */
11723 if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
11724 goto bad_area;
11725diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
11726index dbabe57..d34d315 100644
11727--- a/arch/sparc/mm/fault_64.c
11728+++ b/arch/sparc/mm/fault_64.c
11729@@ -23,6 +23,9 @@
11730 #include <linux/percpu.h>
11731 #include <linux/context_tracking.h>
11732 #include <linux/uaccess.h>
11733+#include <linux/slab.h>
11734+#include <linux/pagemap.h>
11735+#include <linux/compiler.h>
11736
11737 #include <asm/page.h>
11738 #include <asm/pgtable.h>
11739@@ -76,7 +79,7 @@ static void __kprobes bad_kernel_pc(struct pt_regs *regs, unsigned long vaddr)
11740 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
11741 regs->tpc);
11742 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
11743- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
11744+ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
11745 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
11746 dump_stack();
11747 unhandled_fault(regs->tpc, current, regs);
11748@@ -279,6 +282,466 @@ static void noinline __kprobes bogus_32bit_fault_tpc(struct pt_regs *regs)
11749 show_regs(regs);
11750 }
11751
11752+#ifdef CONFIG_PAX_PAGEEXEC
11753+#ifdef CONFIG_PAX_DLRESOLVE
11754+static void pax_emuplt_close(struct vm_area_struct *vma)
11755+{
11756+ vma->vm_mm->call_dl_resolve = 0UL;
11757+}
11758+
11759+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
11760+{
11761+ unsigned int *kaddr;
11762+
11763+ vmf->page = alloc_page(GFP_HIGHUSER);
11764+ if (!vmf->page)
11765+ return VM_FAULT_OOM;
11766+
11767+ kaddr = kmap(vmf->page);
11768+ memset(kaddr, 0, PAGE_SIZE);
11769+ kaddr[0] = 0x9DE3BFA8U; /* save */
11770+ flush_dcache_page(vmf->page);
11771+ kunmap(vmf->page);
11772+ return VM_FAULT_MAJOR;
11773+}
11774+
11775+static const struct vm_operations_struct pax_vm_ops = {
11776+ .close = pax_emuplt_close,
11777+ .fault = pax_emuplt_fault
11778+};
11779+
11780+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
11781+{
11782+ int ret;
11783+
11784+ INIT_LIST_HEAD(&vma->anon_vma_chain);
11785+ vma->vm_mm = current->mm;
11786+ vma->vm_start = addr;
11787+ vma->vm_end = addr + PAGE_SIZE;
11788+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
11789+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
11790+ vma->vm_ops = &pax_vm_ops;
11791+
11792+ ret = insert_vm_struct(current->mm, vma);
11793+ if (ret)
11794+ return ret;
11795+
11796+ ++current->mm->total_vm;
11797+ return 0;
11798+}
11799+#endif
11800+
11801+/*
11802+ * PaX: decide what to do with offenders (regs->tpc = fault address)
11803+ *
11804+ * returns 1 when task should be killed
11805+ * 2 when patched PLT trampoline was detected
11806+ * 3 when unpatched PLT trampoline was detected
11807+ */
11808+static int pax_handle_fetch_fault(struct pt_regs *regs)
11809+{
11810+
11811+#ifdef CONFIG_PAX_EMUPLT
11812+ int err;
11813+
11814+ do { /* PaX: patched PLT emulation #1 */
11815+ unsigned int sethi1, sethi2, jmpl;
11816+
11817+ err = get_user(sethi1, (unsigned int *)regs->tpc);
11818+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
11819+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
11820+
11821+ if (err)
11822+ break;
11823+
11824+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
11825+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
11826+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
11827+ {
11828+ unsigned long addr;
11829+
11830+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
11831+ addr = regs->u_regs[UREG_G1];
11832+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
11833+
11834+ if (test_thread_flag(TIF_32BIT))
11835+ addr &= 0xFFFFFFFFUL;
11836+
11837+ regs->tpc = addr;
11838+ regs->tnpc = addr+4;
11839+ return 2;
11840+ }
11841+ } while (0);
11842+
11843+ do { /* PaX: patched PLT emulation #2 */
11844+ unsigned int ba;
11845+
11846+ err = get_user(ba, (unsigned int *)regs->tpc);
11847+
11848+ if (err)
11849+ break;
11850+
11851+ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
11852+ unsigned long addr;
11853+
11854+ if ((ba & 0xFFC00000U) == 0x30800000U)
11855+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
11856+ else
11857+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
11858+
11859+ if (test_thread_flag(TIF_32BIT))
11860+ addr &= 0xFFFFFFFFUL;
11861+
11862+ regs->tpc = addr;
11863+ regs->tnpc = addr+4;
11864+ return 2;
11865+ }
11866+ } while (0);
11867+
11868+ do { /* PaX: patched PLT emulation #3 */
11869+ unsigned int sethi, bajmpl, nop;
11870+
11871+ err = get_user(sethi, (unsigned int *)regs->tpc);
11872+ err |= get_user(bajmpl, (unsigned int *)(regs->tpc+4));
11873+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
11874+
11875+ if (err)
11876+ break;
11877+
11878+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11879+ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
11880+ nop == 0x01000000U)
11881+ {
11882+ unsigned long addr;
11883+
11884+ addr = (sethi & 0x003FFFFFU) << 10;
11885+ regs->u_regs[UREG_G1] = addr;
11886+ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
11887+ addr += (((bajmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
11888+ else
11889+ addr = regs->tpc + ((((bajmpl | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
11890+
11891+ if (test_thread_flag(TIF_32BIT))
11892+ addr &= 0xFFFFFFFFUL;
11893+
11894+ regs->tpc = addr;
11895+ regs->tnpc = addr+4;
11896+ return 2;
11897+ }
11898+ } while (0);
11899+
11900+ do { /* PaX: patched PLT emulation #4 */
11901+ unsigned int sethi, mov1, call, mov2;
11902+
11903+ err = get_user(sethi, (unsigned int *)regs->tpc);
11904+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
11905+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
11906+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
11907+
11908+ if (err)
11909+ break;
11910+
11911+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11912+ mov1 == 0x8210000FU &&
11913+ (call & 0xC0000000U) == 0x40000000U &&
11914+ mov2 == 0x9E100001U)
11915+ {
11916+ unsigned long addr;
11917+
11918+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
11919+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
11920+
11921+ if (test_thread_flag(TIF_32BIT))
11922+ addr &= 0xFFFFFFFFUL;
11923+
11924+ regs->tpc = addr;
11925+ regs->tnpc = addr+4;
11926+ return 2;
11927+ }
11928+ } while (0);
11929+
11930+ do { /* PaX: patched PLT emulation #5 */
11931+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
11932+
11933+ err = get_user(sethi, (unsigned int *)regs->tpc);
11934+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
11935+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
11936+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
11937+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
11938+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
11939+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
11940+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
11941+
11942+ if (err)
11943+ break;
11944+
11945+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11946+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
11947+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
11948+ (or1 & 0xFFFFE000U) == 0x82106000U &&
11949+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
11950+ sllx == 0x83287020U &&
11951+ jmpl == 0x81C04005U &&
11952+ nop == 0x01000000U)
11953+ {
11954+ unsigned long addr;
11955+
11956+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
11957+ regs->u_regs[UREG_G1] <<= 32;
11958+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
11959+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
11960+ regs->tpc = addr;
11961+ regs->tnpc = addr+4;
11962+ return 2;
11963+ }
11964+ } while (0);
11965+
11966+ do { /* PaX: patched PLT emulation #6 */
11967+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
11968+
11969+ err = get_user(sethi, (unsigned int *)regs->tpc);
11970+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
11971+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
11972+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
11973+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
11974+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
11975+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
11976+
11977+ if (err)
11978+ break;
11979+
11980+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11981+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
11982+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
11983+ sllx == 0x83287020U &&
11984+ (or & 0xFFFFE000U) == 0x8A116000U &&
11985+ jmpl == 0x81C04005U &&
11986+ nop == 0x01000000U)
11987+ {
11988+ unsigned long addr;
11989+
11990+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
11991+ regs->u_regs[UREG_G1] <<= 32;
11992+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
11993+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
11994+ regs->tpc = addr;
11995+ regs->tnpc = addr+4;
11996+ return 2;
11997+ }
11998+ } while (0);
11999+
12000+ do { /* PaX: unpatched PLT emulation step 1 */
12001+ unsigned int sethi, ba, nop;
12002+
12003+ err = get_user(sethi, (unsigned int *)regs->tpc);
12004+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
12005+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
12006+
12007+ if (err)
12008+ break;
12009+
12010+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12011+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
12012+ nop == 0x01000000U)
12013+ {
12014+ unsigned long addr;
12015+ unsigned int save, call;
12016+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
12017+
12018+ if ((ba & 0xFFC00000U) == 0x30800000U)
12019+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
12020+ else
12021+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
12022+
12023+ if (test_thread_flag(TIF_32BIT))
12024+ addr &= 0xFFFFFFFFUL;
12025+
12026+ err = get_user(save, (unsigned int *)addr);
12027+ err |= get_user(call, (unsigned int *)(addr+4));
12028+ err |= get_user(nop, (unsigned int *)(addr+8));
12029+ if (err)
12030+ break;
12031+
12032+#ifdef CONFIG_PAX_DLRESOLVE
12033+ if (save == 0x9DE3BFA8U &&
12034+ (call & 0xC0000000U) == 0x40000000U &&
12035+ nop == 0x01000000U)
12036+ {
12037+ struct vm_area_struct *vma;
12038+ unsigned long call_dl_resolve;
12039+
12040+ down_read(&current->mm->mmap_sem);
12041+ call_dl_resolve = current->mm->call_dl_resolve;
12042+ up_read(&current->mm->mmap_sem);
12043+ if (likely(call_dl_resolve))
12044+ goto emulate;
12045+
12046+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
12047+
12048+ down_write(&current->mm->mmap_sem);
12049+ if (current->mm->call_dl_resolve) {
12050+ call_dl_resolve = current->mm->call_dl_resolve;
12051+ up_write(&current->mm->mmap_sem);
12052+ if (vma)
12053+ kmem_cache_free(vm_area_cachep, vma);
12054+ goto emulate;
12055+ }
12056+
12057+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
12058+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
12059+ up_write(&current->mm->mmap_sem);
12060+ if (vma)
12061+ kmem_cache_free(vm_area_cachep, vma);
12062+ return 1;
12063+ }
12064+
12065+ if (pax_insert_vma(vma, call_dl_resolve)) {
12066+ up_write(&current->mm->mmap_sem);
12067+ kmem_cache_free(vm_area_cachep, vma);
12068+ return 1;
12069+ }
12070+
12071+ current->mm->call_dl_resolve = call_dl_resolve;
12072+ up_write(&current->mm->mmap_sem);
12073+
12074+emulate:
12075+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12076+ regs->tpc = call_dl_resolve;
12077+ regs->tnpc = addr+4;
12078+ return 3;
12079+ }
12080+#endif
12081+
12082+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
12083+ if ((save & 0xFFC00000U) == 0x05000000U &&
12084+ (call & 0xFFFFE000U) == 0x85C0A000U &&
12085+ nop == 0x01000000U)
12086+ {
12087+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12088+ regs->u_regs[UREG_G2] = addr + 4;
12089+ addr = (save & 0x003FFFFFU) << 10;
12090+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
12091+
12092+ if (test_thread_flag(TIF_32BIT))
12093+ addr &= 0xFFFFFFFFUL;
12094+
12095+ regs->tpc = addr;
12096+ regs->tnpc = addr+4;
12097+ return 3;
12098+ }
12099+
12100+ /* PaX: 64-bit PLT stub */
12101+ err = get_user(sethi1, (unsigned int *)addr);
12102+ err |= get_user(sethi2, (unsigned int *)(addr+4));
12103+ err |= get_user(or1, (unsigned int *)(addr+8));
12104+ err |= get_user(or2, (unsigned int *)(addr+12));
12105+ err |= get_user(sllx, (unsigned int *)(addr+16));
12106+ err |= get_user(add, (unsigned int *)(addr+20));
12107+ err |= get_user(jmpl, (unsigned int *)(addr+24));
12108+ err |= get_user(nop, (unsigned int *)(addr+28));
12109+ if (err)
12110+ break;
12111+
12112+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
12113+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
12114+ (or1 & 0xFFFFE000U) == 0x88112000U &&
12115+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
12116+ sllx == 0x89293020U &&
12117+ add == 0x8A010005U &&
12118+ jmpl == 0x89C14000U &&
12119+ nop == 0x01000000U)
12120+ {
12121+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12122+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
12123+ regs->u_regs[UREG_G4] <<= 32;
12124+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
12125+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
12126+ regs->u_regs[UREG_G4] = addr + 24;
12127+ addr = regs->u_regs[UREG_G5];
12128+ regs->tpc = addr;
12129+ regs->tnpc = addr+4;
12130+ return 3;
12131+ }
12132+ }
12133+ } while (0);
12134+
12135+#ifdef CONFIG_PAX_DLRESOLVE
12136+ do { /* PaX: unpatched PLT emulation step 2 */
12137+ unsigned int save, call, nop;
12138+
12139+ err = get_user(save, (unsigned int *)(regs->tpc-4));
12140+ err |= get_user(call, (unsigned int *)regs->tpc);
12141+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
12142+ if (err)
12143+ break;
12144+
12145+ if (save == 0x9DE3BFA8U &&
12146+ (call & 0xC0000000U) == 0x40000000U &&
12147+ nop == 0x01000000U)
12148+ {
12149+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
12150+
12151+ if (test_thread_flag(TIF_32BIT))
12152+ dl_resolve &= 0xFFFFFFFFUL;
12153+
12154+ regs->u_regs[UREG_RETPC] = regs->tpc;
12155+ regs->tpc = dl_resolve;
12156+ regs->tnpc = dl_resolve+4;
12157+ return 3;
12158+ }
12159+ } while (0);
12160+#endif
12161+
12162+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
12163+ unsigned int sethi, ba, nop;
12164+
12165+ err = get_user(sethi, (unsigned int *)regs->tpc);
12166+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
12167+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
12168+
12169+ if (err)
12170+ break;
12171+
12172+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12173+ (ba & 0xFFF00000U) == 0x30600000U &&
12174+ nop == 0x01000000U)
12175+ {
12176+ unsigned long addr;
12177+
12178+ addr = (sethi & 0x003FFFFFU) << 10;
12179+ regs->u_regs[UREG_G1] = addr;
12180+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
12181+
12182+ if (test_thread_flag(TIF_32BIT))
12183+ addr &= 0xFFFFFFFFUL;
12184+
12185+ regs->tpc = addr;
12186+ regs->tnpc = addr+4;
12187+ return 2;
12188+ }
12189+ } while (0);
12190+
12191+#endif
12192+
12193+ return 1;
12194+}
12195+
12196+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
12197+{
12198+ unsigned long i;
12199+
12200+ printk(KERN_ERR "PAX: bytes at PC: ");
12201+ for (i = 0; i < 8; i++) {
12202+ unsigned int c;
12203+ if (get_user(c, (unsigned int *)pc+i))
12204+ printk(KERN_CONT "???????? ");
12205+ else
12206+ printk(KERN_CONT "%08x ", c);
12207+ }
12208+ printk("\n");
12209+}
12210+#endif
12211+
12212 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
12213 {
12214 enum ctx_state prev_state = exception_enter();
12215@@ -353,6 +816,29 @@ retry:
12216 if (!vma)
12217 goto bad_area;
12218
12219+#ifdef CONFIG_PAX_PAGEEXEC
12220+ /* PaX: detect ITLB misses on non-exec pages */
12221+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
12222+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
12223+ {
12224+ if (address != regs->tpc)
12225+ goto good_area;
12226+
12227+ up_read(&mm->mmap_sem);
12228+ switch (pax_handle_fetch_fault(regs)) {
12229+
12230+#ifdef CONFIG_PAX_EMUPLT
12231+ case 2:
12232+ case 3:
12233+ return;
12234+#endif
12235+
12236+ }
12237+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
12238+ do_group_exit(SIGKILL);
12239+ }
12240+#endif
12241+
12242 /* Pure DTLB misses do not tell us whether the fault causing
12243 * load/store/atomic was a write or not, it only says that there
12244 * was no match. So in such a case we (carefully) read the
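Review bot: The `return;` under `case 2:` / `case 3:` leaves do_sparc64_fault() without undoing the `exception_enter()` whose result is stored in `prev_state` (visible just above this hunk), so the emulated-PLT path appears to skip the matching context-tracking exit. The function's other exits are outside this hunk; if they restore that state, this early return should too, e.g. `exception_exit(prev_state); return;`. The switch also has no `default`, so every other return value falls through to `pax_report_fault()` and `do_group_exit(SIGKILL)` implicitly. A comment such as `/* any other result: report and kill the task */` after the switch would make the fail-closed path explicit.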
12245diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
12246index 131eaf4..285ea31 100644
12247--- a/arch/sparc/mm/hugetlbpage.c
12248+++ b/arch/sparc/mm/hugetlbpage.c
12249@@ -25,8 +25,10 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
12250 unsigned long addr,
12251 unsigned long len,
12252 unsigned long pgoff,
12253- unsigned long flags)
12254+ unsigned long flags,
12255+ unsigned long offset)
12256 {
12257+ struct mm_struct *mm = current->mm;
12258 unsigned long task_size = TASK_SIZE;
12259 struct vm_unmapped_area_info info;
12260
12261@@ -35,15 +37,22 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
12262
12263 info.flags = 0;
12264 info.length = len;
12265- info.low_limit = TASK_UNMAPPED_BASE;
12266+ info.low_limit = mm->mmap_base;
12267 info.high_limit = min(task_size, VA_EXCLUDE_START);
12268 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
12269 info.align_offset = 0;
12270+ info.threadstack_offset = offset;
12271 addr = vm_unmapped_area(&info);
12272
12273 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
12274 VM_BUG_ON(addr != -ENOMEM);
12275 info.low_limit = VA_EXCLUDE_END;
12276+
12277+#ifdef CONFIG_PAX_RANDMMAP
12278+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12279+ info.low_limit += mm->delta_mmap;
12280+#endif
12281+
12282 info.high_limit = task_size;
12283 addr = vm_unmapped_area(&info);
12284 }
12285@@ -55,7 +64,8 @@ static unsigned long
12286 hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12287 const unsigned long len,
12288 const unsigned long pgoff,
12289- const unsigned long flags)
12290+ const unsigned long flags,
12291+ const unsigned long offset)
12292 {
12293 struct mm_struct *mm = current->mm;
12294 unsigned long addr = addr0;
12295@@ -70,6 +80,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12296 info.high_limit = mm->mmap_base;
12297 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
12298 info.align_offset = 0;
12299+ info.threadstack_offset = offset;
12300 addr = vm_unmapped_area(&info);
12301
12302 /*
12303@@ -82,6 +93,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12304 VM_BUG_ON(addr != -ENOMEM);
12305 info.flags = 0;
12306 info.low_limit = TASK_UNMAPPED_BASE;
12307+
12308+#ifdef CONFIG_PAX_RANDMMAP
12309+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12310+ info.low_limit += mm->delta_mmap;
12311+#endif
12312+
12313 info.high_limit = STACK_TOP32;
12314 addr = vm_unmapped_area(&info);
12315 }
12316@@ -96,6 +113,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
12317 struct mm_struct *mm = current->mm;
12318 struct vm_area_struct *vma;
12319 unsigned long task_size = TASK_SIZE;
12320+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
12321
12322 if (test_thread_flag(TIF_32BIT))
12323 task_size = STACK_TOP32;
12324@@ -111,19 +129,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
12325 return addr;
12326 }
12327
12328+#ifdef CONFIG_PAX_RANDMMAP
12329+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12330+#endif
12331+
12332 if (addr) {
12333 addr = ALIGN(addr, HPAGE_SIZE);
12334 vma = find_vma(mm, addr);
12335- if (task_size - len >= addr &&
12336- (!vma || addr + len <= vma->vm_start))
12337+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
12338 return addr;
12339 }
12340 if (mm->get_unmapped_area == arch_get_unmapped_area)
12341 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
12342- pgoff, flags);
12343+ pgoff, flags, offset);
12344 else
12345 return hugetlb_get_unmapped_area_topdown(file, addr, len,
12346- pgoff, flags);
12347+ pgoff, flags, offset);
12348 }
12349
12350 pte_t *huge_pte_alloc(struct mm_struct *mm,
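Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and is separated from the `if (addr) {` block it controls by the `#endif` and a blank line. The dependency is easy to miss, and a statement later inserted between the two would silently become the guarded body instead. Keeping the guard and its body together reads more safely, for example a local flag that is cleared under `#ifdef CONFIG_PAX_RANDMMAP` when the bit is set and then tested as `if (addr && use_hint) {`. At minimum add `/* PaX: ignore the caller's address hint when RANDMMAP is active */` above the `#ifdef`. hugetlb_get_unmapped_area() begins outside this hunk.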
12351diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
12352index 4ac88b7..bac6cb2 100644
12353--- a/arch/sparc/mm/init_64.c
12354+++ b/arch/sparc/mm/init_64.c
12355@@ -187,9 +187,9 @@ unsigned long sparc64_kern_sec_context __read_mostly;
12356 int num_kernel_image_mappings;
12357
12358 #ifdef CONFIG_DEBUG_DCFLUSH
12359-atomic_t dcpage_flushes = ATOMIC_INIT(0);
12360+atomic_unchecked_t dcpage_flushes = ATOMIC_INIT(0);
12361 #ifdef CONFIG_SMP
12362-atomic_t dcpage_flushes_xcall = ATOMIC_INIT(0);
12363+atomic_unchecked_t dcpage_flushes_xcall = ATOMIC_INIT(0);
12364 #endif
12365 #endif
12366
12367@@ -197,7 +197,7 @@ inline void flush_dcache_page_impl(struct page *page)
12368 {
12369 BUG_ON(tlb_type == hypervisor);
12370 #ifdef CONFIG_DEBUG_DCFLUSH
12371- atomic_inc(&dcpage_flushes);
12372+ atomic_inc_unchecked(&dcpage_flushes);
12373 #endif
12374
12375 #ifdef DCACHE_ALIASING_POSSIBLE
12376@@ -469,10 +469,10 @@ void mmu_info(struct seq_file *m)
12377
12378 #ifdef CONFIG_DEBUG_DCFLUSH
12379 seq_printf(m, "DCPageFlushes\t: %d\n",
12380- atomic_read(&dcpage_flushes));
12381+ atomic_read_unchecked(&dcpage_flushes));
12382 #ifdef CONFIG_SMP
12383 seq_printf(m, "DCPageFlushesXC\t: %d\n",
12384- atomic_read(&dcpage_flushes_xcall));
12385+ atomic_read_unchecked(&dcpage_flushes_xcall));
12386 #endif /* CONFIG_SMP */
12387 #endif /* CONFIG_DEBUG_DCFLUSH */
12388 }
12389diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
12390index 9def1f5..cf0cabc 100644
12391--- a/arch/tile/Kconfig
12392+++ b/arch/tile/Kconfig
12393@@ -204,6 +204,7 @@ source "kernel/Kconfig.hz"
12394
12395 config KEXEC
12396 bool "kexec system call"
12397+ depends on !GRKERNSEC_KMEM
12398 ---help---
12399 kexec is a system call that implements the ability to shutdown your
12400 current kernel, and to start another kernel. It is like a reboot
12401diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h
12402index 0496970..1a57e5f 100644
12403--- a/arch/tile/include/asm/atomic_64.h
12404+++ b/arch/tile/include/asm/atomic_64.h
12405@@ -105,6 +105,16 @@ static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
12406
12407 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
12408
12409+#define atomic64_read_unchecked(v) atomic64_read(v)
12410+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
12411+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
12412+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
12413+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
12414+#define atomic64_inc_unchecked(v) atomic64_inc(v)
12415+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
12416+#define atomic64_dec_unchecked(v) atomic64_dec(v)
12417+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
12418+
12419 #endif /* !__ASSEMBLY__ */
12420
12421 #endif /* _ASM_TILE_ATOMIC_64_H */
12422diff --git a/arch/tile/include/asm/cache.h b/arch/tile/include/asm/cache.h
12423index 6160761..00cac88 100644
12424--- a/arch/tile/include/asm/cache.h
12425+++ b/arch/tile/include/asm/cache.h
12426@@ -15,11 +15,12 @@
12427 #ifndef _ASM_TILE_CACHE_H
12428 #define _ASM_TILE_CACHE_H
12429
12430+#include <linux/const.h>
12431 #include <arch/chip.h>
12432
12433 /* bytes per L1 data cache line */
12434 #define L1_CACHE_SHIFT CHIP_L1D_LOG_LINE_SIZE()
12435-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12436+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12437
12438 /* bytes per L2 cache line */
12439 #define L2_CACHE_SHIFT CHIP_L2_LOG_LINE_SIZE()
12440diff --git a/arch/tile/include/asm/uaccess.h b/arch/tile/include/asm/uaccess.h
12441index 0a9c4265..bfb62d1 100644
12442--- a/arch/tile/include/asm/uaccess.h
12443+++ b/arch/tile/include/asm/uaccess.h
12444@@ -429,9 +429,9 @@ static inline unsigned long __must_check copy_from_user(void *to,
12445 const void __user *from,
12446 unsigned long n)
12447 {
12448- int sz = __compiletime_object_size(to);
12449+ size_t sz = __compiletime_object_size(to);
12450
12451- if (likely(sz == -1 || sz >= n))
12452+ if (likely(sz == (size_t)-1 || sz >= n))
12453 n = _copy_from_user(to, from, n);
12454 else
12455 copy_from_user_overflow();
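Review bot: The new `sz == (size_t)-1` test relies on `(size_t)-1` meaning "object size not known at compile time", but nothing on the changed lines says so. Since the point of the change is to stop comparing a signed `int` against the unsigned `n`, record that next to the declaration, e.g. `/* (size_t)-1: destination size unknown, skip the bound check */`. The rest of copy_from_user() is outside this hunk, so what the caller sees after `copy_from_user_overflow()` cannot be checked from here.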
12456diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c
12457index c034dc3..cf1cc96 100644
12458--- a/arch/tile/mm/hugetlbpage.c
12459+++ b/arch/tile/mm/hugetlbpage.c
12460@@ -174,6 +174,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
12461 info.high_limit = TASK_SIZE;
12462 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
12463 info.align_offset = 0;
12464+ info.threadstack_offset = 0;
12465 return vm_unmapped_area(&info);
12466 }
12467
12468@@ -191,6 +192,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
12469 info.high_limit = current->mm->mmap_base;
12470 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
12471 info.align_offset = 0;
12472+ info.threadstack_offset = 0;
12473 addr = vm_unmapped_area(&info);
12474
12475 /*
12476diff --git a/arch/um/Makefile b/arch/um/Makefile
12477index 098ab33..fc54a33 100644
12478--- a/arch/um/Makefile
12479+++ b/arch/um/Makefile
12480@@ -73,6 +73,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -I%,,$(KBUILD_CFLAGS))) \
12481 -D_FILE_OFFSET_BITS=64 -idirafter include \
12482 -D__KERNEL__ -D__UM_HOST__
12483
12484+ifdef CONSTIFY_PLUGIN
12485+USER_CFLAGS += -fplugin-arg-constify_plugin-no-constify
12486+endif
12487+
12488 #This will adjust *FLAGS accordingly to the platform.
12489 include $(ARCH_DIR)/Makefile-os-$(OS)
12490
12491diff --git a/arch/um/include/asm/cache.h b/arch/um/include/asm/cache.h
12492index 19e1bdd..3665b77 100644
12493--- a/arch/um/include/asm/cache.h
12494+++ b/arch/um/include/asm/cache.h
12495@@ -1,6 +1,7 @@
12496 #ifndef __UM_CACHE_H
12497 #define __UM_CACHE_H
12498
12499+#include <linux/const.h>
12500
12501 #if defined(CONFIG_UML_X86) && !defined(CONFIG_64BIT)
12502 # define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
12503@@ -12,6 +13,6 @@
12504 # define L1_CACHE_SHIFT 5
12505 #endif
12506
12507-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12508+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12509
12510 #endif
12511diff --git a/arch/um/include/asm/kmap_types.h b/arch/um/include/asm/kmap_types.h
12512index 2e0a6b1..a64d0f5 100644
12513--- a/arch/um/include/asm/kmap_types.h
12514+++ b/arch/um/include/asm/kmap_types.h
12515@@ -8,6 +8,6 @@
12516
12517 /* No more #include "asm/arch/kmap_types.h" ! */
12518
12519-#define KM_TYPE_NR 14
12520+#define KM_TYPE_NR 15
12521
12522 #endif
12523diff --git a/arch/um/include/asm/page.h b/arch/um/include/asm/page.h
12524index 71c5d13..4c7b9f1 100644
12525--- a/arch/um/include/asm/page.h
12526+++ b/arch/um/include/asm/page.h
12527@@ -14,6 +14,9 @@
12528 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
12529 #define PAGE_MASK (~(PAGE_SIZE-1))
12530
12531+#define ktla_ktva(addr) (addr)
12532+#define ktva_ktla(addr) (addr)
12533+
12534 #ifndef __ASSEMBLY__
12535
12536 struct page;
12537diff --git a/arch/um/include/asm/pgtable-3level.h b/arch/um/include/asm/pgtable-3level.h
12538index 2b4274e..754fe06 100644
12539--- a/arch/um/include/asm/pgtable-3level.h
12540+++ b/arch/um/include/asm/pgtable-3level.h
12541@@ -58,6 +58,7 @@
12542 #define pud_present(x) (pud_val(x) & _PAGE_PRESENT)
12543 #define pud_populate(mm, pud, pmd) \
12544 set_pud(pud, __pud(_PAGE_TABLE + __pa(pmd)))
12545+#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
12546
12547 #ifdef CONFIG_64BIT
12548 #define set_pud(pudptr, pudval) set_64bit((u64 *) (pudptr), pud_val(pudval))
12549diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
12550index 68b9119..f72353c 100644
12551--- a/arch/um/kernel/process.c
12552+++ b/arch/um/kernel/process.c
12553@@ -345,22 +345,6 @@ int singlestepping(void * t)
12554 return 2;
12555 }
12556
12557-/*
12558- * Only x86 and x86_64 have an arch_align_stack().
12559- * All other arches have "#define arch_align_stack(x) (x)"
12560- * in their asm/exec.h
12561- * As this is included in UML from asm-um/system-generic.h,
12562- * we can use it to behave as the subarch does.
12563- */
12564-#ifndef arch_align_stack
12565-unsigned long arch_align_stack(unsigned long sp)
12566-{
12567- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
12568- sp -= get_random_int() % 8192;
12569- return sp & ~0xf;
12570-}
12571-#endif
12572-
12573 unsigned long get_wchan(struct task_struct *p)
12574 {
12575 unsigned long stack_page, sp, ip;
12576diff --git a/arch/unicore32/include/asm/cache.h b/arch/unicore32/include/asm/cache.h
12577index ad8f795..2c7eec6 100644
12578--- a/arch/unicore32/include/asm/cache.h
12579+++ b/arch/unicore32/include/asm/cache.h
12580@@ -12,8 +12,10 @@
12581 #ifndef __UNICORE_CACHE_H__
12582 #define __UNICORE_CACHE_H__
12583
12584-#define L1_CACHE_SHIFT (5)
12585-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12586+#include <linux/const.h>
12587+
12588+#define L1_CACHE_SHIFT 5
12589+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12590
12591 /*
12592 * Memory returned by kmalloc() may be used for DMA, so we must make
12593diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
12594index b3a1a5d..8dbc2d6 100644
12595--- a/arch/x86/Kconfig
12596+++ b/arch/x86/Kconfig
12597@@ -35,13 +35,12 @@ config X86
12598 select ARCH_MIGHT_HAVE_PC_SERIO
12599 select ARCH_SUPPORTS_ATOMIC_RMW
12600 select ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT
12601- select ARCH_SUPPORTS_INT128 if X86_64
12602+ select ARCH_SUPPORTS_INT128 if X86_64 && !PAX_SIZE_OVERFLOW
12603 select ARCH_SUPPORTS_NUMA_BALANCING if X86_64
12604 select ARCH_USE_BUILTIN_BSWAP
12605 select ARCH_USE_CMPXCHG_LOCKREF if X86_64
12606 select ARCH_USE_QUEUED_RWLOCKS
12607 select ARCH_USE_QUEUED_SPINLOCKS
12608- select ARCH_WANTS_DYNAMIC_TASK_STRUCT
12609 select ARCH_WANT_FRAME_POINTERS
12610 select ARCH_WANT_IPC_PARSE_VERSION if X86_32
12611 select ARCH_WANT_OPTIONAL_GPIOLIB
12612@@ -85,7 +84,7 @@ config X86
12613 select HAVE_ARCH_TRACEHOOK
12614 select HAVE_ARCH_TRANSPARENT_HUGEPAGE
12615 select HAVE_BPF_JIT if X86_64
12616- select HAVE_CC_STACKPROTECTOR
12617+ select HAVE_CC_STACKPROTECTOR if X86_64 || !PAX_MEMORY_UDEREF
12618 select HAVE_CMPXCHG_DOUBLE
12619 select HAVE_CMPXCHG_LOCAL
12620 select HAVE_CONTEXT_TRACKING if X86_64
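Review bot: `select HAVE_CC_STACKPROTECTOR if X86_64 || !PAX_MEMORY_UDEREF` makes the stack protector unselectable on 32-bit builds that enable PAX_MEMORY_UDEREF, and nothing in the hunk says why. The `X86_32_LAZY_GS` hunk further down adds the same `!PAX_MEMORY_UDEREF` exclusion, which suggests the two features conflict over segment usage on X86_32, but that is inferred rather than stated. A `#` comment above the select, such as `# on X86_32, UDEREF and the stack protector are mutually exclusive`, would tell whoever configures a 32-bit kernel that choosing UDEREF drops stack canaries.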
12621@@ -274,7 +273,7 @@ config X86_64_SMP
12622
12623 config X86_32_LAZY_GS
12624 def_bool y
12625- depends on X86_32 && !CC_STACKPROTECTOR
12626+ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
12627
12628 config ARCH_HWEIGHT_CFLAGS
12629 string
12630@@ -646,6 +645,7 @@ config SCHED_OMIT_FRAME_POINTER
12631
12632 menuconfig HYPERVISOR_GUEST
12633 bool "Linux guest support"
12634+ depends on !GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_VIRT_GUEST || (GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_XEN)
12635 ---help---
12636 Say Y here to enable options for running Linux under various hyper-
12637 visors. This option enables basic hypervisor detection and platform
12638@@ -1014,6 +1014,7 @@ config VM86
12639
12640 config X86_16BIT
12641 bool "Enable support for 16-bit segments" if EXPERT
12642+ depends on !GRKERNSEC
12643 default y
12644 ---help---
12645 This option is required by programs like Wine to run 16-bit
12646@@ -1182,6 +1183,7 @@ choice
12647
12648 config NOHIGHMEM
12649 bool "off"
12650+ depends on !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12651 ---help---
12652 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
12653 However, the address space of 32-bit x86 processors is only 4
12654@@ -1218,6 +1220,7 @@ config NOHIGHMEM
12655
12656 config HIGHMEM4G
12657 bool "4GB"
12658+ depends on !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12659 ---help---
12660 Select this if you have a 32-bit processor and between 1 and 4
12661 gigabytes of physical RAM.
12662@@ -1270,7 +1273,7 @@ config PAGE_OFFSET
12663 hex
12664 default 0xB0000000 if VMSPLIT_3G_OPT
12665 default 0x80000000 if VMSPLIT_2G
12666- default 0x78000000 if VMSPLIT_2G_OPT
12667+ default 0x70000000 if VMSPLIT_2G_OPT
12668 default 0x40000000 if VMSPLIT_1G
12669 default 0xC0000000
12670 depends on X86_32
12671@@ -1290,7 +1293,6 @@ config X86_PAE
12672
12673 config ARCH_PHYS_ADDR_T_64BIT
12674 def_bool y
12675- depends on X86_64 || X86_PAE
12676
12677 config ARCH_DMA_ADDR_T_64BIT
12678 def_bool y
12679@@ -1724,6 +1726,7 @@ source kernel/Kconfig.hz
12680
12681 config KEXEC
12682 bool "kexec system call"
12683+ depends on !GRKERNSEC_KMEM
12684 ---help---
12685 kexec is a system call that implements the ability to shutdown your
12686 current kernel, and to start another kernel. It is like a reboot
12687@@ -1906,7 +1909,9 @@ config X86_NEED_RELOCS
12688
12689 config PHYSICAL_ALIGN
12690 hex "Alignment value to which kernel should be aligned"
12691- default "0x200000"
12692+ default "0x1000000"
12693+ range 0x200000 0x1000000 if PAX_KERNEXEC && X86_PAE
12694+ range 0x400000 0x1000000 if PAX_KERNEXEC && !X86_PAE
12695 range 0x2000 0x1000000 if X86_32
12696 range 0x200000 0x1000000 if X86_64
12697 ---help---
12698@@ -1989,6 +1994,7 @@ config COMPAT_VDSO
12699 def_bool n
12700 prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)"
12701 depends on X86_32 || IA32_EMULATION
12702+ depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
12703 ---help---
12704 Certain buggy versions of glibc will crash if they are
12705 presented with a 32-bit vDSO that is not mapped at the address
12706@@ -2053,6 +2059,22 @@ config CMDLINE_OVERRIDE
12707 This is used to work around broken boot loaders. This should
12708 be set to 'N' under normal conditions.
12709
12710+config DEFAULT_MODIFY_LDT_SYSCALL
12711+ bool "Allow userspace to modify the LDT by default"
12712+ default y
12713+
12714+ ---help---
12715+ Modifying the LDT (Local Descriptor Table) may be needed to run a
12716+ 16-bit or segmented code such as Dosemu or Wine. This is done via
12717+ a system call which is not needed to run portable applications,
12718+ and which can sometimes be abused to exploit some weaknesses of
12719+ the architecture, opening new vulnerabilities.
12720+
12721+ For this reason this option allows one to enable or disable the
12722+ feature at runtime. It is recommended to say 'N' here to leave
12723+ the system protected, and to enable it at runtime only if needed
12724+ by setting the sys.kernel.modify_ldt sysctl.
12725+
12726 source "kernel/livepatch/Kconfig"
12727
12728 endmenu
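Review bot: `DEFAULT_MODIFY_LDT_SYSCALL` is `default y` while its own help text recommends answering 'N', so a build that accepts the defaults leaves LDT modification available to userspace. In a hardening patch set the default could follow the recommendation, e.g. `default n if GRKERNSEC` placed before `default y`, so only unhardened configurations keep the legacy behaviour. The help text names the sysctl as `sys.kernel.modify_ldt`; the sysctl registration is not in this hunk, so confirm the documented name matches the one actually registered.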
12729diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu
12730index 6983314..54ad7e8 100644
12731--- a/arch/x86/Kconfig.cpu
12732+++ b/arch/x86/Kconfig.cpu
12733@@ -319,7 +319,7 @@ config X86_PPRO_FENCE
12734
12735 config X86_F00F_BUG
12736 def_bool y
12737- depends on M586MMX || M586TSC || M586 || M486
12738+ depends on (M586MMX || M586TSC || M586 || M486) && !PAX_KERNEXEC
12739
12740 config X86_INVD_BUG
12741 def_bool y
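Review bot: Adding `&& !PAX_KERNEXEC` to `X86_F00F_BUG` means a kernel built for M586MMX, M586TSC, M586 or M486 with PAX_KERNEXEC no longer includes the F00F workaround, and the hunk gives neither a reason nor a warning. If the workaround is incompatible with KERNEXEC (plausible, but not shown here), the trade-off should be visible at configuration time. A `#` comment above the `depends on` line would do, such as `# the F00F workaround is not built with KERNEXEC; affected CPUs remain exposed to the lockup`, or an equivalent sentence in the PAX_KERNEXEC help text.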
12742@@ -327,7 +327,7 @@ config X86_INVD_BUG
12743
12744 config X86_ALIGNMENT_16
12745 def_bool y
12746- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12747+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12748
12749 config X86_INTEL_USERCOPY
12750 def_bool y
12751@@ -369,7 +369,7 @@ config X86_CMPXCHG64
12752 # generates cmov.
12753 config X86_CMOV
12754 def_bool y
12755- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12756+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12757
12758 config X86_MINIMUM_CPU_FAMILY
12759 int
12760diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
12761index d8c0d32..4ea2bb0 100644
12762--- a/arch/x86/Kconfig.debug
12763+++ b/arch/x86/Kconfig.debug
12764@@ -89,7 +89,7 @@ config EFI_PGT_DUMP
12765 config DEBUG_RODATA
12766 bool "Write protect kernel read-only data structures"
12767 default y
12768- depends on DEBUG_KERNEL
12769+ depends on DEBUG_KERNEL && BROKEN
12770 ---help---
12771 Mark the kernel read-only data as write-protected in the pagetables,
12772 in order to catch accidental (and incorrect) writes to such const
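Review bot: `depends on DEBUG_KERNEL && BROKEN` removes DEBUG_RODATA from every configuration, including ones that do not enable whatever PaX feature is meant to replace it. The next hunk does the same to `DEBUG_SET_MODULE_RONX`. As written, a kernel built from this tree without that replacement has neither write-protected kernel read-only data nor RO/NX module mappings, and nothing tells the person configuring it. Tying the exclusion to the superseding option instead of `BROKEN` would keep the upstream protection available otherwise, e.g. `depends on DEBUG_KERNEL && !PAX_KERNEXEC` if KERNEXEC is indeed the replacement. Failing that, add a `#` comment naming the option that supersedes both.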
12773@@ -107,7 +107,7 @@ config DEBUG_RODATA_TEST
12774
12775 config DEBUG_SET_MODULE_RONX
12776 bool "Set loadable kernel module data as NX and text as RO"
12777- depends on MODULES
12778+ depends on MODULES && BROKEN
12779 ---help---
12780 This option helps catch unintended modifications to loadable
12781 kernel module's text and read-only data. It also prevents execution
12782diff --git a/arch/x86/Makefile b/arch/x86/Makefile
12783index 118e6de..e02efff 100644
12784--- a/arch/x86/Makefile
12785+++ b/arch/x86/Makefile
12786@@ -65,9 +65,6 @@ ifeq ($(CONFIG_X86_32),y)
12787 # CPU-specific tuning. Anything which can be shared with UML should go here.
12788 include arch/x86/Makefile_32.cpu
12789 KBUILD_CFLAGS += $(cflags-y)
12790-
12791- # temporary until string.h is fixed
12792- KBUILD_CFLAGS += -ffreestanding
12793 else
12794 BITS := 64
12795 UTS_MACHINE := x86_64
12796@@ -116,6 +113,9 @@ else
12797 KBUILD_CFLAGS += $(call cc-option,-maccumulate-outgoing-args)
12798 endif
12799
12800+# temporary until string.h is fixed
12801+KBUILD_CFLAGS += -ffreestanding
12802+
12803 # Make sure compiler does not have buggy stack-protector support.
12804 ifdef CONFIG_CC_STACKPROTECTOR
12805 cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
12806@@ -184,6 +184,7 @@ archheaders:
12807 $(Q)$(MAKE) $(build)=arch/x86/entry/syscalls all
12808
12809 archprepare:
12810+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
12811 ifeq ($(CONFIG_KEXEC_FILE),y)
12812 $(Q)$(MAKE) $(build)=arch/x86/purgatory arch/x86/purgatory/kexec-purgatory.c
12813 endif
12814@@ -267,3 +268,9 @@ define archhelp
12815 echo ' FDARGS="..." arguments for the booted kernel'
12816 echo ' FDINITRD=file initrd for the booted kernel'
12817 endef
12818+
12819+define OLD_LD
12820+
12821+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
12822+*** Please upgrade your binutils to 2.18 or newer
12823+endef
12824diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
12825index 57bbf2f..b100fce 100644
12826--- a/arch/x86/boot/Makefile
12827+++ b/arch/x86/boot/Makefile
12828@@ -58,6 +58,9 @@ clean-files += cpustr.h
12829 # ---------------------------------------------------------------------------
12830
12831 KBUILD_CFLAGS := $(USERINCLUDE) $(REALMODE_CFLAGS) -D_SETUP
12832+ifdef CONSTIFY_PLUGIN
12833+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
12834+endif
12835 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
12836 GCOV_PROFILE := n
12837
12838diff --git a/arch/x86/boot/bitops.h b/arch/x86/boot/bitops.h
12839index 878e4b9..20537ab 100644
12840--- a/arch/x86/boot/bitops.h
12841+++ b/arch/x86/boot/bitops.h
12842@@ -26,7 +26,7 @@ static inline int variable_test_bit(int nr, const void *addr)
12843 u8 v;
12844 const u32 *p = (const u32 *)addr;
12845
12846- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
12847+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
12848 return v;
12849 }
12850
12851@@ -37,7 +37,7 @@ static inline int variable_test_bit(int nr, const void *addr)
12852
12853 static inline void set_bit(int nr, void *addr)
12854 {
12855- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
12856+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
12857 }
12858
12859 #endif /* BOOT_BITOPS_H */
12860diff --git a/arch/x86/boot/boot.h b/arch/x86/boot/boot.h
12861index bd49ec6..94c7f58 100644
12862--- a/arch/x86/boot/boot.h
12863+++ b/arch/x86/boot/boot.h
12864@@ -84,7 +84,7 @@ static inline void io_delay(void)
12865 static inline u16 ds(void)
12866 {
12867 u16 seg;
12868- asm("movw %%ds,%0" : "=rm" (seg));
12869+ asm volatile("movw %%ds,%0" : "=rm" (seg));
12870 return seg;
12871 }
12872
12873diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
12874index 0a291cd..9686efc 100644
12875--- a/arch/x86/boot/compressed/Makefile
12876+++ b/arch/x86/boot/compressed/Makefile
12877@@ -30,6 +30,9 @@ KBUILD_CFLAGS += $(cflags-y)
12878 KBUILD_CFLAGS += -mno-mmx -mno-sse
12879 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
12880 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
12881+ifdef CONSTIFY_PLUGIN
12882+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
12883+endif
12884
12885 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
12886 GCOV_PROFILE := n
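Review bot: The added `-fplugin-arg-constify_plugin-no-constify` switches the constify plugin off for everything built in this directory, and nothing in the Makefile says why. A hardening opt-out is easier to audit when its reason sits next to it, for example `# constify disabled for the decompressor: <reason>` above the `ifdef`. The same three lines are added without explanation in the preceding Makefile hunk.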
12887diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S
12888index a53440e..c3dbf1e 100644
12889--- a/arch/x86/boot/compressed/efi_stub_32.S
12890+++ b/arch/x86/boot/compressed/efi_stub_32.S
12891@@ -46,16 +46,13 @@ ENTRY(efi_call_phys)
12892 * parameter 2, ..., param n. To make things easy, we save the return
12893 * address of efi_call_phys in a global variable.
12894 */
12895- popl %ecx
12896- movl %ecx, saved_return_addr(%edx)
12897- /* get the function pointer into ECX*/
12898- popl %ecx
12899- movl %ecx, efi_rt_function_ptr(%edx)
12900+ popl saved_return_addr(%edx)
12901+ popl efi_rt_function_ptr(%edx)
12902
12903 /*
12904 * 3. Call the physical function.
12905 */
12906- call *%ecx
12907+ call *efi_rt_function_ptr(%edx)
12908
12909 /*
12910 * 4. Balance the stack. And because EAX contain the return value,
12911@@ -67,15 +64,12 @@ ENTRY(efi_call_phys)
12912 1: popl %edx
12913 subl $1b, %edx
12914
12915- movl efi_rt_function_ptr(%edx), %ecx
12916- pushl %ecx
12917+ pushl efi_rt_function_ptr(%edx)
12918
12919 /*
12920 * 10. Push the saved return address onto the stack and return.
12921 */
12922- movl saved_return_addr(%edx), %ecx
12923- pushl %ecx
12924- ret
12925+ jmpl *saved_return_addr(%edx)
12926 ENDPROC(efi_call_phys)
12927 .previous
12928
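Review bot: The comment `10. Push the saved return address onto the stack and return.` no longer matches the code beneath it, because the new side ends with `jmpl *saved_return_addr(%edx)` and nothing is pushed. It should read something like `10. Jump back through the saved return address.` so that a reader does not go looking for a matching `ret`. efi_call_phys begins outside this hunk, so the stack balance around the indirect jump should be rechecked against the full function.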
12929diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S
12930index 630384a..278e788 100644
12931--- a/arch/x86/boot/compressed/efi_thunk_64.S
12932+++ b/arch/x86/boot/compressed/efi_thunk_64.S
12933@@ -189,8 +189,8 @@ efi_gdt64:
12934 .long 0 /* Filled out by user */
12935 .word 0
12936 .quad 0x0000000000000000 /* NULL descriptor */
12937- .quad 0x00af9a000000ffff /* __KERNEL_CS */
12938- .quad 0x00cf92000000ffff /* __KERNEL_DS */
12939+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
12940+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
12941 .quad 0x0080890000000000 /* TS descriptor */
12942 .quad 0x0000000000000000 /* TS continued */
12943 efi_gdt64_end:
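Review bot: The two descriptor constants change only in the low bit of the access byte (0x9a to 0x9b, 0x92 to 0x93), which is the x86 "accessed" flag, yet the comments still read just `__KERNEL_CS` and `__KERNEL_DS`. Presetting that flag normally means the CPU never writes it back into the table when the selector is loaded, which matters if the table is mapped read-only; that motive is inferred and not shown in this hunk. A trailing note such as `/* __KERNEL_CS, accessed bit preset */` would stop a later cleanup from reverting the values. The same change is made to `gdt` in head_64.S.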
12944diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
12945index 8ef964d..fcfb8aa 100644
12946--- a/arch/x86/boot/compressed/head_32.S
12947+++ b/arch/x86/boot/compressed/head_32.S
12948@@ -141,10 +141,10 @@ preferred_addr:
12949 addl %eax, %ebx
12950 notl %eax
12951 andl %eax, %ebx
12952- cmpl $LOAD_PHYSICAL_ADDR, %ebx
12953+ cmpl $____LOAD_PHYSICAL_ADDR, %ebx
12954 jge 1f
12955 #endif
12956- movl $LOAD_PHYSICAL_ADDR, %ebx
12957+ movl $____LOAD_PHYSICAL_ADDR, %ebx
12958 1:
12959
12960 /* Target address to relocate to for decompression */
12961diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
12962index b0c0d16..3b44ff8 100644
12963--- a/arch/x86/boot/compressed/head_64.S
12964+++ b/arch/x86/boot/compressed/head_64.S
12965@@ -95,10 +95,10 @@ ENTRY(startup_32)
12966 addl %eax, %ebx
12967 notl %eax
12968 andl %eax, %ebx
12969- cmpl $LOAD_PHYSICAL_ADDR, %ebx
12970+ cmpl $____LOAD_PHYSICAL_ADDR, %ebx
12971 jge 1f
12972 #endif
12973- movl $LOAD_PHYSICAL_ADDR, %ebx
12974+ movl $____LOAD_PHYSICAL_ADDR, %ebx
12975 1:
12976
12977 /* Target address to relocate to for decompression */
12978@@ -323,10 +323,10 @@ preferred_addr:
12979 addq %rax, %rbp
12980 notq %rax
12981 andq %rax, %rbp
12982- cmpq $LOAD_PHYSICAL_ADDR, %rbp
12983+ cmpq $____LOAD_PHYSICAL_ADDR, %rbp
12984 jge 1f
12985 #endif
12986- movq $LOAD_PHYSICAL_ADDR, %rbp
12987+ movq $____LOAD_PHYSICAL_ADDR, %rbp
12988 1:
12989
12990 /* Target address to relocate to for decompression */
12991@@ -435,8 +435,8 @@ gdt:
12992 .long gdt
12993 .word 0
12994 .quad 0x0000000000000000 /* NULL descriptor */
12995- .quad 0x00af9a000000ffff /* __KERNEL_CS */
12996- .quad 0x00cf92000000ffff /* __KERNEL_DS */
12997+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
12998+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
12999 .quad 0x0080890000000000 /* TS descriptor */
13000 .quad 0x0000000000000000 /* TS continued */
13001 gdt_end:
13002diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
13003index e28437e..6a17460 100644
13004--- a/arch/x86/boot/compressed/misc.c
13005+++ b/arch/x86/boot/compressed/misc.c
13006@@ -242,7 +242,7 @@ static void handle_relocations(void *output, unsigned long output_len)
13007 * Calculate the delta between where vmlinux was linked to load
13008 * and where it was actually loaded.
13009 */
13010- delta = min_addr - LOAD_PHYSICAL_ADDR;
13011+ delta = min_addr - ____LOAD_PHYSICAL_ADDR;
13012 if (!delta) {
13013 debug_putstr("No relocation needed... ");
13014 return;
13015@@ -324,7 +324,7 @@ static void parse_elf(void *output)
13016 Elf32_Ehdr ehdr;
13017 Elf32_Phdr *phdrs, *phdr;
13018 #endif
13019- void *dest;
13020+ void *dest, *prev;
13021 int i;
13022
13023 memcpy(&ehdr, output, sizeof(ehdr));
13024@@ -351,13 +351,16 @@ static void parse_elf(void *output)
13025 case PT_LOAD:
13026 #ifdef CONFIG_RELOCATABLE
13027 dest = output;
13028- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
13029+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
13030 #else
13031 dest = (void *)(phdr->p_paddr);
13032 #endif
13033 memcpy(dest,
13034 output + phdr->p_offset,
13035 phdr->p_filesz);
13036+ if (i)
13037+ memset(prev, 0xff, dest - prev);
13038+ prev = dest + phdr->p_filesz;
13039 break;
13040 default: /* Ignore other PT_* */ break;
13041 }
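Review bot: `memset(prev, 0xff, dest - prev)` reads `prev` before it has ever been assigned whenever the first PT_LOAD entry is not at index 0, because the only guard is `if (i)`. If a later segment's `dest` lies below `prev`, the pointer difference also converts to a very large size and the fill runs far past the gap. Both are avoided by tracking the state explicitly: declare `void *dest, *prev = NULL;` in the earlier hunk and use `if (prev && dest > prev) memset(prev, 0xff, dest - prev);` here. `i` is taken to be the program-header loop index; the loop header is outside the hunk.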
13042@@ -419,7 +422,7 @@ asmlinkage __visible void *decompress_kernel(void *rmode, memptr heap,
13043 error("Destination address too large");
13044 #endif
13045 #ifndef CONFIG_RELOCATABLE
13046- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
13047+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
13048 error("Wrong destination address");
13049 #endif
13050
13051diff --git a/arch/x86/boot/cpucheck.c b/arch/x86/boot/cpucheck.c
13052index 1fd7d57..0f7d096 100644
13053--- a/arch/x86/boot/cpucheck.c
13054+++ b/arch/x86/boot/cpucheck.c
13055@@ -125,9 +125,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
13056 u32 ecx = MSR_K7_HWCR;
13057 u32 eax, edx;
13058
13059- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13060+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13061 eax &= ~(1 << 15);
13062- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13063+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13064
13065 get_cpuflags(); /* Make sure it really did something */
13066 err = check_cpuflags();
13067@@ -140,9 +140,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
13068 u32 ecx = MSR_VIA_FCR;
13069 u32 eax, edx;
13070
13071- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13072+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13073 eax |= (1<<1)|(1<<7);
13074- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13075+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13076
13077 set_bit(X86_FEATURE_CX8, cpu.flags);
13078 err = check_cpuflags();
13079@@ -153,12 +153,12 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
13080 u32 eax, edx;
13081 u32 level = 1;
13082
13083- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13084- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
13085- asm("cpuid"
13086+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13087+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
13088+ asm volatile("cpuid"
13089 : "+a" (level), "=d" (cpu.flags[0])
13090 : : "ecx", "ebx");
13091- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13092+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13093
13094 err = check_cpuflags();
13095 } else if (err == 0x01 &&
13096diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
13097index 16ef025..91e033b 100644
13098--- a/arch/x86/boot/header.S
13099+++ b/arch/x86/boot/header.S
13100@@ -438,10 +438,14 @@ setup_data: .quad 0 # 64-bit physical pointer to
13101 # single linked list of
13102 # struct setup_data
13103
13104-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
13105+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
13106
13107 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
13108+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13109+#define VO_INIT_SIZE (VO__end - VO__text - __PAGE_OFFSET - ____LOAD_PHYSICAL_ADDR)
13110+#else
13111 #define VO_INIT_SIZE (VO__end - VO__text)
13112+#endif
13113 #if ZO_INIT_SIZE > VO_INIT_SIZE
13114 #define INIT_SIZE ZO_INIT_SIZE
13115 #else
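Review bot: The KERNEXEC variant of `VO_INIT_SIZE` subtracts `__PAGE_OFFSET` and `____LOAD_PHYSICAL_ADDR` from the text-to-end span with no comment on why the span differs on 32-bit. The result feeds `#if ZO_INIT_SIZE > VO_INIT_SIZE`, so an error here changes the advertised init size. Neither macro's definition is visible in this hunk; if either expands to an unparenthesised expression the subtraction silently changes meaning, so `(VO__end - VO__text - (__PAGE_OFFSET) - (____LOAD_PHYSICAL_ADDR))` is the safer spelling. A one-line comment stating what address `VO__text` has under KERNEXEC would make the adjustment checkable.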
13116diff --git a/arch/x86/boot/memory.c b/arch/x86/boot/memory.c
13117index db75d07..8e6d0af 100644
13118--- a/arch/x86/boot/memory.c
13119+++ b/arch/x86/boot/memory.c
13120@@ -19,7 +19,7 @@
13121
13122 static int detect_memory_e820(void)
13123 {
13124- int count = 0;
13125+ unsigned int count = 0;
13126 struct biosregs ireg, oreg;
13127 struct e820entry *desc = boot_params.e820_map;
13128 static struct e820entry buf; /* static so it is zeroed */
13129diff --git a/arch/x86/boot/video-vesa.c b/arch/x86/boot/video-vesa.c
13130index ba3e100..6501b8f 100644
13131--- a/arch/x86/boot/video-vesa.c
13132+++ b/arch/x86/boot/video-vesa.c
13133@@ -201,6 +201,7 @@ static void vesa_store_pm_info(void)
13134
13135 boot_params.screen_info.vesapm_seg = oreg.es;
13136 boot_params.screen_info.vesapm_off = oreg.di;
13137+ boot_params.screen_info.vesapm_size = oreg.cx;
13138 }
13139
13140 /*
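Review bot: `vesapm_size` is copied straight from `oreg.cx` with no range check and no comment on its unit. For the VBE protected-mode interface query this register is the table length in bytes, so a comment such as `/* CX: length in bytes of the PM interface table at ES:DI */` belongs on the new line (confirm against the call number, which is set outside the hunk). The value is supplied by firmware, so whichever code later uses it to size a mapping or a copy should bound it rather than trust it. vesa_store_pm_info() begins outside the hunk, so whether the BIOS call's status is checked before these stores cannot be seen here.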
13141diff --git a/arch/x86/boot/video.c b/arch/x86/boot/video.c
13142index 05111bb..a1ae1f0 100644
13143--- a/arch/x86/boot/video.c
13144+++ b/arch/x86/boot/video.c
13145@@ -98,7 +98,7 @@ static void store_mode_params(void)
13146 static unsigned int get_entry(void)
13147 {
13148 char entry_buf[4];
13149- int i, len = 0;
13150+ unsigned int i, len = 0;
13151 int key;
13152 unsigned int v;
13153
13154diff --git a/arch/x86/crypto/aes-x86_64-asm_64.S b/arch/x86/crypto/aes-x86_64-asm_64.S
13155index 9105655..41779c1 100644
13156--- a/arch/x86/crypto/aes-x86_64-asm_64.S
13157+++ b/arch/x86/crypto/aes-x86_64-asm_64.S
13158@@ -8,6 +8,8 @@
13159 * including this sentence is retained in full.
13160 */
13161
13162+#include <asm/alternative-asm.h>
13163+
13164 .extern crypto_ft_tab
13165 .extern crypto_it_tab
13166 .extern crypto_fl_tab
13167@@ -70,6 +72,8 @@
13168 je B192; \
13169 leaq 32(r9),r9;
13170
13171+#define ret pax_force_retaddr; ret
13172+
13173 #define epilogue(FUNC,r1,r2,r3,r4,r5,r6,r7,r8,r9) \
13174 movq r1,r2; \
13175 movq r3,r4; \
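Review bot: `#define ret pax_force_retaddr; ret` redefines an instruction mnemonic for the rest of the file, so the instrumentation is invisible at each return site. The other crypto files in this patch write `pax_force_retaddr` out before every `ret`. At minimum add a comment above the define, for example `/* every ret below is preceded by pax_force_retaddr through this macro */`. If the define exists because `ret` sits inside the line-continued `epilogue` macro, the comment should say so, since that body is outside the hunk.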
13176diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S
13177index 6bd2c6c..368c93e 100644
13178--- a/arch/x86/crypto/aesni-intel_asm.S
13179+++ b/arch/x86/crypto/aesni-intel_asm.S
13180@@ -31,6 +31,7 @@
13181
13182 #include <linux/linkage.h>
13183 #include <asm/inst.h>
13184+#include <asm/alternative-asm.h>
13185
13186 /*
13187 * The following macros are used to move an (un)aligned 16 byte value to/from
13188@@ -217,7 +218,7 @@ enc: .octa 0x2
13189 * num_initial_blocks = b mod 4
13190 * encrypt the initial num_initial_blocks blocks and apply ghash on
13191 * the ciphertext
13192-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13193+* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13194 * are clobbered
13195 * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified
13196 */
13197@@ -227,8 +228,8 @@ enc: .octa 0x2
13198 XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
13199 MOVADQ SHUF_MASK(%rip), %xmm14
13200 mov arg7, %r10 # %r10 = AAD
13201- mov arg8, %r12 # %r12 = aadLen
13202- mov %r12, %r11
13203+ mov arg8, %r15 # %r15 = aadLen
13204+ mov %r15, %r11
13205 pxor %xmm\i, %xmm\i
13206
13207 _get_AAD_loop\num_initial_blocks\operation:
13208@@ -237,17 +238,17 @@ _get_AAD_loop\num_initial_blocks\operation:
13209 psrldq $4, %xmm\i
13210 pxor \TMP1, %xmm\i
13211 add $4, %r10
13212- sub $4, %r12
13213+ sub $4, %r15
13214 jne _get_AAD_loop\num_initial_blocks\operation
13215
13216 cmp $16, %r11
13217 je _get_AAD_loop2_done\num_initial_blocks\operation
13218
13219- mov $16, %r12
13220+ mov $16, %r15
13221 _get_AAD_loop2\num_initial_blocks\operation:
13222 psrldq $4, %xmm\i
13223- sub $4, %r12
13224- cmp %r11, %r12
13225+ sub $4, %r15
13226+ cmp %r11, %r15
13227 jne _get_AAD_loop2\num_initial_blocks\operation
13228
13229 _get_AAD_loop2_done\num_initial_blocks\operation:
13230@@ -442,7 +443,7 @@ _initial_blocks_done\num_initial_blocks\operation:
13231 * num_initial_blocks = b mod 4
13232 * encrypt the initial num_initial_blocks blocks and apply ghash on
13233 * the ciphertext
13234-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13235+* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13236 * are clobbered
13237 * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified
13238 */
13239@@ -452,8 +453,8 @@ _initial_blocks_done\num_initial_blocks\operation:
13240 XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
13241 MOVADQ SHUF_MASK(%rip), %xmm14
13242 mov arg7, %r10 # %r10 = AAD
13243- mov arg8, %r12 # %r12 = aadLen
13244- mov %r12, %r11
13245+ mov arg8, %r15 # %r15 = aadLen
13246+ mov %r15, %r11
13247 pxor %xmm\i, %xmm\i
13248 _get_AAD_loop\num_initial_blocks\operation:
13249 movd (%r10), \TMP1
13250@@ -461,15 +462,15 @@ _get_AAD_loop\num_initial_blocks\operation:
13251 psrldq $4, %xmm\i
13252 pxor \TMP1, %xmm\i
13253 add $4, %r10
13254- sub $4, %r12
13255+ sub $4, %r15
13256 jne _get_AAD_loop\num_initial_blocks\operation
13257 cmp $16, %r11
13258 je _get_AAD_loop2_done\num_initial_blocks\operation
13259- mov $16, %r12
13260+ mov $16, %r15
13261 _get_AAD_loop2\num_initial_blocks\operation:
13262 psrldq $4, %xmm\i
13263- sub $4, %r12
13264- cmp %r11, %r12
13265+ sub $4, %r15
13266+ cmp %r11, %r15
13267 jne _get_AAD_loop2\num_initial_blocks\operation
13268 _get_AAD_loop2_done\num_initial_blocks\operation:
13269 PSHUFB_XMM %xmm14, %xmm\i # byte-reflect the AAD data
13270@@ -1280,7 +1281,7 @@ _esb_loop_\@:
13271 *
13272 *****************************************************************************/
13273 ENTRY(aesni_gcm_dec)
13274- push %r12
13275+ push %r15
13276 push %r13
13277 push %r14
13278 mov %rsp, %r14
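Review bot: No comment records that %r12 must no longer be used in this file, although aesni_gcm_dec now saves and uses %r15 in its place. The same substitution runs through the two AAD-loading macros and aesni_gcm_enc. The register is presumably reserved for the return-address instrumentation that `pax_force_retaddr` belongs to, but that is not shown here. A header comment such as `/* %r12 is reserved; use %r15 as the extra scratch register */` would keep a later edit from reintroducing it. Uses of %r12 outside the visible hunks, if any remain, should be checked against the full file.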
13279@@ -1290,8 +1291,8 @@ ENTRY(aesni_gcm_dec)
13280 */
13281 sub $VARIABLE_OFFSET, %rsp
13282 and $~63, %rsp # align rsp to 64 bytes
13283- mov %arg6, %r12
13284- movdqu (%r12), %xmm13 # %xmm13 = HashKey
13285+ mov %arg6, %r15
13286+ movdqu (%r15), %xmm13 # %xmm13 = HashKey
13287 movdqa SHUF_MASK(%rip), %xmm2
13288 PSHUFB_XMM %xmm2, %xmm13
13289
13290@@ -1319,10 +1320,10 @@ ENTRY(aesni_gcm_dec)
13291 movdqa %xmm13, HashKey(%rsp) # store HashKey<<1 (mod poly)
13292 mov %arg4, %r13 # save the number of bytes of plaintext/ciphertext
13293 and $-16, %r13 # %r13 = %r13 - (%r13 mod 16)
13294- mov %r13, %r12
13295- and $(3<<4), %r12
13296+ mov %r13, %r15
13297+ and $(3<<4), %r15
13298 jz _initial_num_blocks_is_0_decrypt
13299- cmp $(2<<4), %r12
13300+ cmp $(2<<4), %r15
13301 jb _initial_num_blocks_is_1_decrypt
13302 je _initial_num_blocks_is_2_decrypt
13303 _initial_num_blocks_is_3_decrypt:
13304@@ -1372,16 +1373,16 @@ _zero_cipher_left_decrypt:
13305 sub $16, %r11
13306 add %r13, %r11
13307 movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte block
13308- lea SHIFT_MASK+16(%rip), %r12
13309- sub %r13, %r12
13310+ lea SHIFT_MASK+16(%rip), %r15
13311+ sub %r13, %r15
13312 # adjust the shuffle mask pointer to be able to shift 16-%r13 bytes
13313 # (%r13 is the number of bytes in plaintext mod 16)
13314- movdqu (%r12), %xmm2 # get the appropriate shuffle mask
13315+ movdqu (%r15), %xmm2 # get the appropriate shuffle mask
13316 PSHUFB_XMM %xmm2, %xmm1 # right shift 16-%r13 butes
13317
13318 movdqa %xmm1, %xmm2
13319 pxor %xmm1, %xmm0 # Ciphertext XOR E(K, Yn)
13320- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1
13321+ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1
13322 # get the appropriate mask to mask out top 16-%r13 bytes of %xmm0
13323 pand %xmm1, %xmm0 # mask out top 16-%r13 bytes of %xmm0
13324 pand %xmm1, %xmm2
13325@@ -1410,9 +1411,9 @@ _less_than_8_bytes_left_decrypt:
13326 sub $1, %r13
13327 jne _less_than_8_bytes_left_decrypt
13328 _multiple_of_16_bytes_decrypt:
13329- mov arg8, %r12 # %r13 = aadLen (number of bytes)
13330- shl $3, %r12 # convert into number of bits
13331- movd %r12d, %xmm15 # len(A) in %xmm15
13332+ mov arg8, %r15 # %r13 = aadLen (number of bytes)
13333+ shl $3, %r15 # convert into number of bits
13334+ movd %r15d, %xmm15 # len(A) in %xmm15
13335 shl $3, %arg4 # len(C) in bits (*128)
13336 MOVQ_R64_XMM %arg4, %xmm1
13337 pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000
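Review bot: The comment on the first changed line still says `%r13 = aadLen (number of bytes)` although the instruction now loads %r15, and %r13 holds a different value at this point. The matching line in the encrypt path was corrected to name %r15 (and still spells it `addLen`). The line should read `mov arg8, %r15 # %r15 = aadLen (number of bytes)`.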
13338@@ -1451,7 +1452,8 @@ _return_T_done_decrypt:
13339 mov %r14, %rsp
13340 pop %r14
13341 pop %r13
13342- pop %r12
13343+ pop %r15
13344+ pax_force_retaddr
13345 ret
13346 ENDPROC(aesni_gcm_dec)
13347
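Review bot: `pax_force_retaddr` is inserted by hand before each `ret`, here and in every later hunk of this file and of the blowfish, camellia and cast5 files, so coverage depends on nobody missing or later adding a return path. Two-exit functions such as `__blowfish_enc_blk` and `__camellia_enc_blk` are covered in the visible hunks, but paths that continue outside a hunk, such as `.L__skip_dec` in cast5, cannot be checked from here. A build-time check that no uninstrumented `ret` remains in these objects would make omissions visible. Failing that, put a comment next to the added include: `/* every ret in this file must be preceded by pax_force_retaddr */`.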
13348@@ -1540,7 +1542,7 @@ ENDPROC(aesni_gcm_dec)
13349 * poly = x^128 + x^127 + x^126 + x^121 + 1
13350 ***************************************************************************/
13351 ENTRY(aesni_gcm_enc)
13352- push %r12
13353+ push %r15
13354 push %r13
13355 push %r14
13356 mov %rsp, %r14
13357@@ -1550,8 +1552,8 @@ ENTRY(aesni_gcm_enc)
13358 #
13359 sub $VARIABLE_OFFSET, %rsp
13360 and $~63, %rsp
13361- mov %arg6, %r12
13362- movdqu (%r12), %xmm13
13363+ mov %arg6, %r15
13364+ movdqu (%r15), %xmm13
13365 movdqa SHUF_MASK(%rip), %xmm2
13366 PSHUFB_XMM %xmm2, %xmm13
13367
13368@@ -1575,13 +1577,13 @@ ENTRY(aesni_gcm_enc)
13369 movdqa %xmm13, HashKey(%rsp)
13370 mov %arg4, %r13 # %xmm13 holds HashKey<<1 (mod poly)
13371 and $-16, %r13
13372- mov %r13, %r12
13373+ mov %r13, %r15
13374
13375 # Encrypt first few blocks
13376
13377- and $(3<<4), %r12
13378+ and $(3<<4), %r15
13379 jz _initial_num_blocks_is_0_encrypt
13380- cmp $(2<<4), %r12
13381+ cmp $(2<<4), %r15
13382 jb _initial_num_blocks_is_1_encrypt
13383 je _initial_num_blocks_is_2_encrypt
13384 _initial_num_blocks_is_3_encrypt:
13385@@ -1634,14 +1636,14 @@ _zero_cipher_left_encrypt:
13386 sub $16, %r11
13387 add %r13, %r11
13388 movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte blocks
13389- lea SHIFT_MASK+16(%rip), %r12
13390- sub %r13, %r12
13391+ lea SHIFT_MASK+16(%rip), %r15
13392+ sub %r13, %r15
13393 # adjust the shuffle mask pointer to be able to shift 16-r13 bytes
13394 # (%r13 is the number of bytes in plaintext mod 16)
13395- movdqu (%r12), %xmm2 # get the appropriate shuffle mask
13396+ movdqu (%r15), %xmm2 # get the appropriate shuffle mask
13397 PSHUFB_XMM %xmm2, %xmm1 # shift right 16-r13 byte
13398 pxor %xmm1, %xmm0 # Plaintext XOR Encrypt(K, Yn)
13399- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1
13400+ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1
13401 # get the appropriate mask to mask out top 16-r13 bytes of xmm0
13402 pand %xmm1, %xmm0 # mask out top 16-r13 bytes of xmm0
13403 movdqa SHUF_MASK(%rip), %xmm10
13404@@ -1674,9 +1676,9 @@ _less_than_8_bytes_left_encrypt:
13405 sub $1, %r13
13406 jne _less_than_8_bytes_left_encrypt
13407 _multiple_of_16_bytes_encrypt:
13408- mov arg8, %r12 # %r12 = addLen (number of bytes)
13409- shl $3, %r12
13410- movd %r12d, %xmm15 # len(A) in %xmm15
13411+ mov arg8, %r15 # %r15 = addLen (number of bytes)
13412+ shl $3, %r15
13413+ movd %r15d, %xmm15 # len(A) in %xmm15
13414 shl $3, %arg4 # len(C) in bits (*128)
13415 MOVQ_R64_XMM %arg4, %xmm1
13416 pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000
13417@@ -1715,7 +1717,8 @@ _return_T_done_encrypt:
13418 mov %r14, %rsp
13419 pop %r14
13420 pop %r13
13421- pop %r12
13422+ pop %r15
13423+ pax_force_retaddr
13424 ret
13425 ENDPROC(aesni_gcm_enc)
13426
13427@@ -1733,6 +1736,7 @@ _key_expansion_256a:
13428 pxor %xmm1, %xmm0
13429 movaps %xmm0, (TKEYP)
13430 add $0x10, TKEYP
13431+ pax_force_retaddr
13432 ret
13433 ENDPROC(_key_expansion_128)
13434 ENDPROC(_key_expansion_256a)
13435@@ -1759,6 +1763,7 @@ _key_expansion_192a:
13436 shufps $0b01001110, %xmm2, %xmm1
13437 movaps %xmm1, 0x10(TKEYP)
13438 add $0x20, TKEYP
13439+ pax_force_retaddr
13440 ret
13441 ENDPROC(_key_expansion_192a)
13442
13443@@ -1779,6 +1784,7 @@ _key_expansion_192b:
13444
13445 movaps %xmm0, (TKEYP)
13446 add $0x10, TKEYP
13447+ pax_force_retaddr
13448 ret
13449 ENDPROC(_key_expansion_192b)
13450
13451@@ -1792,6 +1798,7 @@ _key_expansion_256b:
13452 pxor %xmm1, %xmm2
13453 movaps %xmm2, (TKEYP)
13454 add $0x10, TKEYP
13455+ pax_force_retaddr
13456 ret
13457 ENDPROC(_key_expansion_256b)
13458
13459@@ -1905,6 +1912,7 @@ ENTRY(aesni_set_key)
13460 #ifndef __x86_64__
13461 popl KEYP
13462 #endif
13463+ pax_force_retaddr
13464 ret
13465 ENDPROC(aesni_set_key)
13466
13467@@ -1927,6 +1935,7 @@ ENTRY(aesni_enc)
13468 popl KLEN
13469 popl KEYP
13470 #endif
13471+ pax_force_retaddr
13472 ret
13473 ENDPROC(aesni_enc)
13474
13475@@ -1985,6 +1994,7 @@ _aesni_enc1:
13476 AESENC KEY STATE
13477 movaps 0x70(TKEYP), KEY
13478 AESENCLAST KEY STATE
13479+ pax_force_retaddr
13480 ret
13481 ENDPROC(_aesni_enc1)
13482
13483@@ -2094,6 +2104,7 @@ _aesni_enc4:
13484 AESENCLAST KEY STATE2
13485 AESENCLAST KEY STATE3
13486 AESENCLAST KEY STATE4
13487+ pax_force_retaddr
13488 ret
13489 ENDPROC(_aesni_enc4)
13490
13491@@ -2117,6 +2128,7 @@ ENTRY(aesni_dec)
13492 popl KLEN
13493 popl KEYP
13494 #endif
13495+ pax_force_retaddr
13496 ret
13497 ENDPROC(aesni_dec)
13498
13499@@ -2175,6 +2187,7 @@ _aesni_dec1:
13500 AESDEC KEY STATE
13501 movaps 0x70(TKEYP), KEY
13502 AESDECLAST KEY STATE
13503+ pax_force_retaddr
13504 ret
13505 ENDPROC(_aesni_dec1)
13506
13507@@ -2284,6 +2297,7 @@ _aesni_dec4:
13508 AESDECLAST KEY STATE2
13509 AESDECLAST KEY STATE3
13510 AESDECLAST KEY STATE4
13511+ pax_force_retaddr
13512 ret
13513 ENDPROC(_aesni_dec4)
13514
13515@@ -2342,6 +2356,7 @@ ENTRY(aesni_ecb_enc)
13516 popl KEYP
13517 popl LEN
13518 #endif
13519+ pax_force_retaddr
13520 ret
13521 ENDPROC(aesni_ecb_enc)
13522
13523@@ -2401,6 +2416,7 @@ ENTRY(aesni_ecb_dec)
13524 popl KEYP
13525 popl LEN
13526 #endif
13527+ pax_force_retaddr
13528 ret
13529 ENDPROC(aesni_ecb_dec)
13530
13531@@ -2443,6 +2459,7 @@ ENTRY(aesni_cbc_enc)
13532 popl LEN
13533 popl IVP
13534 #endif
13535+ pax_force_retaddr
13536 ret
13537 ENDPROC(aesni_cbc_enc)
13538
13539@@ -2534,6 +2551,7 @@ ENTRY(aesni_cbc_dec)
13540 popl LEN
13541 popl IVP
13542 #endif
13543+ pax_force_retaddr
13544 ret
13545 ENDPROC(aesni_cbc_dec)
13546
13547@@ -2561,6 +2579,7 @@ _aesni_inc_init:
13548 mov $1, TCTR_LOW
13549 MOVQ_R64_XMM TCTR_LOW INC
13550 MOVQ_R64_XMM CTR TCTR_LOW
13551+ pax_force_retaddr
13552 ret
13553 ENDPROC(_aesni_inc_init)
13554
13555@@ -2590,6 +2609,7 @@ _aesni_inc:
13556 .Linc_low:
13557 movaps CTR, IV
13558 PSHUFB_XMM BSWAP_MASK IV
13559+ pax_force_retaddr
13560 ret
13561 ENDPROC(_aesni_inc)
13562
13563@@ -2651,6 +2671,7 @@ ENTRY(aesni_ctr_enc)
13564 .Lctr_enc_ret:
13565 movups IV, (IVP)
13566 .Lctr_enc_just_ret:
13567+ pax_force_retaddr
13568 ret
13569 ENDPROC(aesni_ctr_enc)
13570
13571@@ -2777,6 +2798,7 @@ ENTRY(aesni_xts_crypt8)
13572 pxor INC, STATE4
13573 movdqu STATE4, 0x70(OUTP)
13574
13575+ pax_force_retaddr
13576 ret
13577 ENDPROC(aesni_xts_crypt8)
13578
13579diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S
13580index 246c670..466e2d6 100644
13581--- a/arch/x86/crypto/blowfish-x86_64-asm_64.S
13582+++ b/arch/x86/crypto/blowfish-x86_64-asm_64.S
13583@@ -21,6 +21,7 @@
13584 */
13585
13586 #include <linux/linkage.h>
13587+#include <asm/alternative-asm.h>
13588
13589 .file "blowfish-x86_64-asm.S"
13590 .text
13591@@ -149,9 +150,11 @@ ENTRY(__blowfish_enc_blk)
13592 jnz .L__enc_xor;
13593
13594 write_block();
13595+ pax_force_retaddr
13596 ret;
13597 .L__enc_xor:
13598 xor_block();
13599+ pax_force_retaddr
13600 ret;
13601 ENDPROC(__blowfish_enc_blk)
13602
13603@@ -183,6 +186,7 @@ ENTRY(blowfish_dec_blk)
13604
13605 movq %r11, %rbp;
13606
13607+ pax_force_retaddr
13608 ret;
13609 ENDPROC(blowfish_dec_blk)
13610
13611@@ -334,6 +338,7 @@ ENTRY(__blowfish_enc_blk_4way)
13612
13613 popq %rbx;
13614 popq %rbp;
13615+ pax_force_retaddr
13616 ret;
13617
13618 .L__enc_xor4:
13619@@ -341,6 +346,7 @@ ENTRY(__blowfish_enc_blk_4way)
13620
13621 popq %rbx;
13622 popq %rbp;
13623+ pax_force_retaddr
13624 ret;
13625 ENDPROC(__blowfish_enc_blk_4way)
13626
13627@@ -375,5 +381,6 @@ ENTRY(blowfish_dec_blk_4way)
13628 popq %rbx;
13629 popq %rbp;
13630
13631+ pax_force_retaddr
13632 ret;
13633 ENDPROC(blowfish_dec_blk_4way)
13634diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13635index ce71f92..1dce7ec 100644
13636--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13637+++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13638@@ -16,6 +16,7 @@
13639 */
13640
13641 #include <linux/linkage.h>
13642+#include <asm/alternative-asm.h>
13643
13644 #define CAMELLIA_TABLE_BYTE_LEN 272
13645
13646@@ -191,6 +192,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
13647 roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
13648 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15,
13649 %rcx, (%r9));
13650+ pax_force_retaddr
13651 ret;
13652 ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
13653
13654@@ -199,6 +201,7 @@ roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
13655 roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3,
13656 %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11,
13657 %rax, (%r9));
13658+ pax_force_retaddr
13659 ret;
13660 ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
13661
13662@@ -780,6 +783,7 @@ __camellia_enc_blk16:
13663 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
13664 %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax));
13665
13666+ pax_force_retaddr
13667 ret;
13668
13669 .align 8
13670@@ -865,6 +869,7 @@ __camellia_dec_blk16:
13671 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
13672 %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax));
13673
13674+ pax_force_retaddr
13675 ret;
13676
13677 .align 8
13678@@ -904,6 +909,7 @@ ENTRY(camellia_ecb_enc_16way)
13679 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13680 %xmm8, %rsi);
13681
13682+ pax_force_retaddr
13683 ret;
13684 ENDPROC(camellia_ecb_enc_16way)
13685
13686@@ -932,6 +938,7 @@ ENTRY(camellia_ecb_dec_16way)
13687 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13688 %xmm8, %rsi);
13689
13690+ pax_force_retaddr
13691 ret;
13692 ENDPROC(camellia_ecb_dec_16way)
13693
13694@@ -981,6 +988,7 @@ ENTRY(camellia_cbc_dec_16way)
13695 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13696 %xmm8, %rsi);
13697
13698+ pax_force_retaddr
13699 ret;
13700 ENDPROC(camellia_cbc_dec_16way)
13701
13702@@ -1092,6 +1100,7 @@ ENTRY(camellia_ctr_16way)
13703 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13704 %xmm8, %rsi);
13705
13706+ pax_force_retaddr
13707 ret;
13708 ENDPROC(camellia_ctr_16way)
13709
13710@@ -1234,6 +1243,7 @@ camellia_xts_crypt_16way:
13711 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13712 %xmm8, %rsi);
13713
13714+ pax_force_retaddr
13715 ret;
13716 ENDPROC(camellia_xts_crypt_16way)
13717
13718diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13719index 0e0b886..5a3123c 100644
13720--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13721+++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13722@@ -11,6 +11,7 @@
13723 */
13724
13725 #include <linux/linkage.h>
13726+#include <asm/alternative-asm.h>
13727
13728 #define CAMELLIA_TABLE_BYTE_LEN 272
13729
13730@@ -230,6 +231,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
13731 roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
13732 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15,
13733 %rcx, (%r9));
13734+ pax_force_retaddr
13735 ret;
13736 ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
13737
13738@@ -238,6 +240,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
13739 roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3,
13740 %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11,
13741 %rax, (%r9));
13742+ pax_force_retaddr
13743 ret;
13744 ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
13745
13746@@ -820,6 +823,7 @@ __camellia_enc_blk32:
13747 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
13748 %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax));
13749
13750+ pax_force_retaddr
13751 ret;
13752
13753 .align 8
13754@@ -905,6 +909,7 @@ __camellia_dec_blk32:
13755 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
13756 %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax));
13757
13758+ pax_force_retaddr
13759 ret;
13760
13761 .align 8
13762@@ -948,6 +953,7 @@ ENTRY(camellia_ecb_enc_32way)
13763
13764 vzeroupper;
13765
13766+ pax_force_retaddr
13767 ret;
13768 ENDPROC(camellia_ecb_enc_32way)
13769
13770@@ -980,6 +986,7 @@ ENTRY(camellia_ecb_dec_32way)
13771
13772 vzeroupper;
13773
13774+ pax_force_retaddr
13775 ret;
13776 ENDPROC(camellia_ecb_dec_32way)
13777
13778@@ -1046,6 +1053,7 @@ ENTRY(camellia_cbc_dec_32way)
13779
13780 vzeroupper;
13781
13782+ pax_force_retaddr
13783 ret;
13784 ENDPROC(camellia_cbc_dec_32way)
13785
13786@@ -1184,6 +1192,7 @@ ENTRY(camellia_ctr_32way)
13787
13788 vzeroupper;
13789
13790+ pax_force_retaddr
13791 ret;
13792 ENDPROC(camellia_ctr_32way)
13793
13794@@ -1349,6 +1358,7 @@ camellia_xts_crypt_32way:
13795
13796 vzeroupper;
13797
13798+ pax_force_retaddr
13799 ret;
13800 ENDPROC(camellia_xts_crypt_32way)
13801
13802diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S
13803index 310319c..db3d7b5 100644
13804--- a/arch/x86/crypto/camellia-x86_64-asm_64.S
13805+++ b/arch/x86/crypto/camellia-x86_64-asm_64.S
13806@@ -21,6 +21,7 @@
13807 */
13808
13809 #include <linux/linkage.h>
13810+#include <asm/alternative-asm.h>
13811
13812 .file "camellia-x86_64-asm_64.S"
13813 .text
13814@@ -228,12 +229,14 @@ ENTRY(__camellia_enc_blk)
13815 enc_outunpack(mov, RT1);
13816
13817 movq RRBP, %rbp;
13818+ pax_force_retaddr
13819 ret;
13820
13821 .L__enc_xor:
13822 enc_outunpack(xor, RT1);
13823
13824 movq RRBP, %rbp;
13825+ pax_force_retaddr
13826 ret;
13827 ENDPROC(__camellia_enc_blk)
13828
13829@@ -272,6 +275,7 @@ ENTRY(camellia_dec_blk)
13830 dec_outunpack();
13831
13832 movq RRBP, %rbp;
13833+ pax_force_retaddr
13834 ret;
13835 ENDPROC(camellia_dec_blk)
13836
13837@@ -463,6 +467,7 @@ ENTRY(__camellia_enc_blk_2way)
13838
13839 movq RRBP, %rbp;
13840 popq %rbx;
13841+ pax_force_retaddr
13842 ret;
13843
13844 .L__enc2_xor:
13845@@ -470,6 +475,7 @@ ENTRY(__camellia_enc_blk_2way)
13846
13847 movq RRBP, %rbp;
13848 popq %rbx;
13849+ pax_force_retaddr
13850 ret;
13851 ENDPROC(__camellia_enc_blk_2way)
13852
13853@@ -510,5 +516,6 @@ ENTRY(camellia_dec_blk_2way)
13854
13855 movq RRBP, %rbp;
13856 movq RXOR, %rbx;
13857+ pax_force_retaddr
13858 ret;
13859 ENDPROC(camellia_dec_blk_2way)
13860diff --git a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
13861index c35fd5d..2d8c7db 100644
13862--- a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
13863+++ b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
13864@@ -24,6 +24,7 @@
13865 */
13866
13867 #include <linux/linkage.h>
13868+#include <asm/alternative-asm.h>
13869
13870 .file "cast5-avx-x86_64-asm_64.S"
13871
13872@@ -281,6 +282,7 @@ __cast5_enc_blk16:
13873 outunpack_blocks(RR3, RL3, RTMP, RX, RKM);
13874 outunpack_blocks(RR4, RL4, RTMP, RX, RKM);
13875
13876+ pax_force_retaddr
13877 ret;
13878 ENDPROC(__cast5_enc_blk16)
13879
13880@@ -352,6 +354,7 @@ __cast5_dec_blk16:
13881 outunpack_blocks(RR3, RL3, RTMP, RX, RKM);
13882 outunpack_blocks(RR4, RL4, RTMP, RX, RKM);
13883
13884+ pax_force_retaddr
13885 ret;
13886
13887 .L__skip_dec:
13888@@ -388,6 +391,7 @@ ENTRY(cast5_ecb_enc_16way)
13889 vmovdqu RR4, (6*4*4)(%r11);
13890 vmovdqu RL4, (7*4*4)(%r11);
13891
13892+ pax_force_retaddr
13893 ret;
13894 ENDPROC(cast5_ecb_enc_16way)
13895
13896@@ -420,6 +424,7 @@ ENTRY(cast5_ecb_dec_16way)
13897 vmovdqu RR4, (6*4*4)(%r11);
13898 vmovdqu RL4, (7*4*4)(%r11);
13899
13900+ pax_force_retaddr
13901 ret;
13902 ENDPROC(cast5_ecb_dec_16way)
13903
13904@@ -430,10 +435,10 @@ ENTRY(cast5_cbc_dec_16way)
13905 * %rdx: src
13906 */
13907
13908- pushq %r12;
13909+ pushq %r14;
13910
13911 movq %rsi, %r11;
13912- movq %rdx, %r12;
13913+ movq %rdx, %r14;
13914
13915 vmovdqu (0*16)(%rdx), RL1;
13916 vmovdqu (1*16)(%rdx), RR1;
13917@@ -447,16 +452,16 @@ ENTRY(cast5_cbc_dec_16way)
13918 call __cast5_dec_blk16;
13919
13920 /* xor with src */
13921- vmovq (%r12), RX;
13922+ vmovq (%r14), RX;
13923 vpshufd $0x4f, RX, RX;
13924 vpxor RX, RR1, RR1;
13925- vpxor 0*16+8(%r12), RL1, RL1;
13926- vpxor 1*16+8(%r12), RR2, RR2;
13927- vpxor 2*16+8(%r12), RL2, RL2;
13928- vpxor 3*16+8(%r12), RR3, RR3;
13929- vpxor 4*16+8(%r12), RL3, RL3;
13930- vpxor 5*16+8(%r12), RR4, RR4;
13931- vpxor 6*16+8(%r12), RL4, RL4;
13932+ vpxor 0*16+8(%r14), RL1, RL1;
13933+ vpxor 1*16+8(%r14), RR2, RR2;
13934+ vpxor 2*16+8(%r14), RL2, RL2;
13935+ vpxor 3*16+8(%r14), RR3, RR3;
13936+ vpxor 4*16+8(%r14), RL3, RL3;
13937+ vpxor 5*16+8(%r14), RR4, RR4;
13938+ vpxor 6*16+8(%r14), RL4, RL4;
13939
13940 vmovdqu RR1, (0*16)(%r11);
13941 vmovdqu RL1, (1*16)(%r11);
13942@@ -467,8 +472,9 @@ ENTRY(cast5_cbc_dec_16way)
13943 vmovdqu RR4, (6*16)(%r11);
13944 vmovdqu RL4, (7*16)(%r11);
13945
13946- popq %r12;
13947+ popq %r14;
13948
13949+ pax_force_retaddr
13950 ret;
13951 ENDPROC(cast5_cbc_dec_16way)
13952
13953@@ -480,10 +486,10 @@ ENTRY(cast5_ctr_16way)
13954 * %rcx: iv (big endian, 64bit)
13955 */
13956
13957- pushq %r12;
13958+ pushq %r14;
13959
13960 movq %rsi, %r11;
13961- movq %rdx, %r12;
13962+ movq %rdx, %r14;
13963
13964 vpcmpeqd RTMP, RTMP, RTMP;
13965 vpsrldq $8, RTMP, RTMP; /* low: -1, high: 0 */
13966@@ -523,14 +529,14 @@ ENTRY(cast5_ctr_16way)
13967 call __cast5_enc_blk16;
13968
13969 /* dst = src ^ iv */
13970- vpxor (0*16)(%r12), RR1, RR1;
13971- vpxor (1*16)(%r12), RL1, RL1;
13972- vpxor (2*16)(%r12), RR2, RR2;
13973- vpxor (3*16)(%r12), RL2, RL2;
13974- vpxor (4*16)(%r12), RR3, RR3;
13975- vpxor (5*16)(%r12), RL3, RL3;
13976- vpxor (6*16)(%r12), RR4, RR4;
13977- vpxor (7*16)(%r12), RL4, RL4;
13978+ vpxor (0*16)(%r14), RR1, RR1;
13979+ vpxor (1*16)(%r14), RL1, RL1;
13980+ vpxor (2*16)(%r14), RR2, RR2;
13981+ vpxor (3*16)(%r14), RL2, RL2;
13982+ vpxor (4*16)(%r14), RR3, RR3;
13983+ vpxor (5*16)(%r14), RL3, RL3;
13984+ vpxor (6*16)(%r14), RR4, RR4;
13985+ vpxor (7*16)(%r14), RL4, RL4;
13986 vmovdqu RR1, (0*16)(%r11);
13987 vmovdqu RL1, (1*16)(%r11);
13988 vmovdqu RR2, (2*16)(%r11);
13989@@ -540,7 +546,8 @@ ENTRY(cast5_ctr_16way)
13990 vmovdqu RR4, (6*16)(%r11);
13991 vmovdqu RL4, (7*16)(%r11);
13992
13993- popq %r12;
13994+ popq %r14;
13995
13996+ pax_force_retaddr
13997 ret;
13998 ENDPROC(cast5_ctr_16way)
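Review bot: The switch from %r12 to %r14 as the saved src pointer in cast5_cbc_dec_16way and cast5_ctr_16way has no comment, so a later edit could reintroduce %r12 without anyone noticing that the register choice matters. The calling.h changes in this same patch handle %r12 separately under CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR, which suggests the register is reserved in that configuration, though the reason is not stated in the lines shown here. If that is the reason, a line such as `/* %r12 is reserved under CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR, keep src in %r14 */` next to each `pushq %r14;` would record it. The same silent rename appears in the cast6-avx, twofish-avx and sha1_ssse3 sections of this patch.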
13999diff --git a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14000index e3531f8..e123f35 100644
14001--- a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14002+++ b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14003@@ -24,6 +24,7 @@
14004 */
14005
14006 #include <linux/linkage.h>
14007+#include <asm/alternative-asm.h>
14008 #include "glue_helper-asm-avx.S"
14009
14010 .file "cast6-avx-x86_64-asm_64.S"
14011@@ -295,6 +296,7 @@ __cast6_enc_blk8:
14012 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM);
14013 outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM);
14014
14015+ pax_force_retaddr
14016 ret;
14017 ENDPROC(__cast6_enc_blk8)
14018
14019@@ -340,6 +342,7 @@ __cast6_dec_blk8:
14020 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM);
14021 outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM);
14022
14023+ pax_force_retaddr
14024 ret;
14025 ENDPROC(__cast6_dec_blk8)
14026
14027@@ -358,6 +361,7 @@ ENTRY(cast6_ecb_enc_8way)
14028
14029 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14030
14031+ pax_force_retaddr
14032 ret;
14033 ENDPROC(cast6_ecb_enc_8way)
14034
14035@@ -376,6 +380,7 @@ ENTRY(cast6_ecb_dec_8way)
14036
14037 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14038
14039+ pax_force_retaddr
14040 ret;
14041 ENDPROC(cast6_ecb_dec_8way)
14042
14043@@ -386,19 +391,20 @@ ENTRY(cast6_cbc_dec_8way)
14044 * %rdx: src
14045 */
14046
14047- pushq %r12;
14048+ pushq %r14;
14049
14050 movq %rsi, %r11;
14051- movq %rdx, %r12;
14052+ movq %rdx, %r14;
14053
14054 load_8way(%rdx, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14055
14056 call __cast6_dec_blk8;
14057
14058- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14059+ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14060
14061- popq %r12;
14062+ popq %r14;
14063
14064+ pax_force_retaddr
14065 ret;
14066 ENDPROC(cast6_cbc_dec_8way)
14067
14068@@ -410,20 +416,21 @@ ENTRY(cast6_ctr_8way)
14069 * %rcx: iv (little endian, 128bit)
14070 */
14071
14072- pushq %r12;
14073+ pushq %r14;
14074
14075 movq %rsi, %r11;
14076- movq %rdx, %r12;
14077+ movq %rdx, %r14;
14078
14079 load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2,
14080 RD2, RX, RKR, RKM);
14081
14082 call __cast6_enc_blk8;
14083
14084- store_ctr_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14085+ store_ctr_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14086
14087- popq %r12;
14088+ popq %r14;
14089
14090+ pax_force_retaddr
14091 ret;
14092 ENDPROC(cast6_ctr_8way)
14093
14094@@ -446,6 +453,7 @@ ENTRY(cast6_xts_enc_8way)
14095 /* dst <= regs xor IVs(in dst) */
14096 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14097
14098+ pax_force_retaddr
14099 ret;
14100 ENDPROC(cast6_xts_enc_8way)
14101
14102@@ -468,5 +476,6 @@ ENTRY(cast6_xts_dec_8way)
14103 /* dst <= regs xor IVs(in dst) */
14104 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14105
14106+ pax_force_retaddr
14107 ret;
14108 ENDPROC(cast6_xts_dec_8way)
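--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
+++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
@@ -45,6 +45,7 @@

 #include <asm/inst.h>
 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction

@@ -309,6 +310,7 @@ do_return:
 popq %rsi
 popq %rdi
 popq %rbx
+ pax_force_retaddr
 ret

 ################################################################
@@ -330,7 +332,7 @@ ENDPROC(crc_pcl)
 ## PCLMULQDQ tables
 ## Table is 128 entries x 2 words (8 bytes) each
 ################################################################
-.section .rotata, "a", %progbits
+.section .rodata, "a", %progbits
 .align 8
 K_table:
 .long 0x493c7d27, 0x00000001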
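--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S
+++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S
@@ -18,6 +18,7 @@

 #include <linux/linkage.h>
 #include <asm/inst.h>
+#include <asm/alternative-asm.h>

 .data

@@ -89,6 +90,7 @@ __clmul_gf128mul_ble:
 psrlq $1, T2
 pxor T2, T1
 pxor T1, DATA
+ pax_force_retaddr
 ret
 ENDPROC(__clmul_gf128mul_ble)

@@ -101,6 +103,7 @@ ENTRY(clmul_ghash_mul)
 call __clmul_gf128mul_ble
 PSHUFB_XMM BSWAP DATA
 movups DATA, (%rdi)
+ pax_force_retaddr
 ret
 ENDPROC(clmul_ghash_mul)

@@ -128,5 +131,6 @@ ENTRY(clmul_ghash_update)
 PSHUFB_XMM BSWAP DATA
 movups DATA, (%rdi)
 .Lupdate_just_ret:
+ pax_force_retaddr
 ret
 ENDPROC(clmul_ghash_update)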
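--- a/arch/x86/crypto/salsa20-x86_64-asm_64.S
+++ b/arch/x86/crypto/salsa20-x86_64-asm_64.S
@@ -1,4 +1,5 @@
 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 # enter salsa20_encrypt_bytes
 ENTRY(salsa20_encrypt_bytes)
@@ -789,6 +790,7 @@ ENTRY(salsa20_encrypt_bytes)
 add %r11,%rsp
 mov %rdi,%rax
 mov %rsi,%rdx
+ pax_force_retaddr
 ret
 # bytesatleast65:
 ._bytesatleast65:
@@ -889,6 +891,7 @@ ENTRY(salsa20_keysetup)
 add %r11,%rsp
 mov %rdi,%rax
 mov %rsi,%rdx
+ pax_force_retaddr
 ret
 ENDPROC(salsa20_keysetup)

@@ -914,5 +917,6 @@ ENTRY(salsa20_ivsetup)
 add %r11,%rsp
 mov %rdi,%rax
 mov %rsi,%rdx
+ pax_force_retaddr
 ret
 ENDPROC(salsa20_ivsetup)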
14206diff --git a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14207index 2f202f4..d9164d6 100644
14208--- a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14209+++ b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14210@@ -24,6 +24,7 @@
14211 */
14212
14213 #include <linux/linkage.h>
14214+#include <asm/alternative-asm.h>
14215 #include "glue_helper-asm-avx.S"
14216
14217 .file "serpent-avx-x86_64-asm_64.S"
14218@@ -618,6 +619,7 @@ __serpent_enc_blk8_avx:
14219 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14220 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14221
14222+ pax_force_retaddr
14223 ret;
14224 ENDPROC(__serpent_enc_blk8_avx)
14225
14226@@ -672,6 +674,7 @@ __serpent_dec_blk8_avx:
14227 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
14228 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
14229
14230+ pax_force_retaddr
14231 ret;
14232 ENDPROC(__serpent_dec_blk8_avx)
14233
14234@@ -688,6 +691,7 @@ ENTRY(serpent_ecb_enc_8way_avx)
14235
14236 store_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14237
14238+ pax_force_retaddr
14239 ret;
14240 ENDPROC(serpent_ecb_enc_8way_avx)
14241
14242@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_8way_avx)
14243
14244 store_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14245
14246+ pax_force_retaddr
14247 ret;
14248 ENDPROC(serpent_ecb_dec_8way_avx)
14249
14250@@ -720,6 +725,7 @@ ENTRY(serpent_cbc_dec_8way_avx)
14251
14252 store_cbc_8way(%rdx, %rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14253
14254+ pax_force_retaddr
14255 ret;
14256 ENDPROC(serpent_cbc_dec_8way_avx)
14257
14258@@ -738,6 +744,7 @@ ENTRY(serpent_ctr_8way_avx)
14259
14260 store_ctr_8way(%rdx, %rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14261
14262+ pax_force_retaddr
14263 ret;
14264 ENDPROC(serpent_ctr_8way_avx)
14265
14266@@ -758,6 +765,7 @@ ENTRY(serpent_xts_enc_8way_avx)
14267 /* dst <= regs xor IVs(in dst) */
14268 store_xts_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14269
14270+ pax_force_retaddr
14271 ret;
14272 ENDPROC(serpent_xts_enc_8way_avx)
14273
14274@@ -778,5 +786,6 @@ ENTRY(serpent_xts_dec_8way_avx)
14275 /* dst <= regs xor IVs(in dst) */
14276 store_xts_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14277
14278+ pax_force_retaddr
14279 ret;
14280 ENDPROC(serpent_xts_dec_8way_avx)
14281diff --git a/arch/x86/crypto/serpent-avx2-asm_64.S b/arch/x86/crypto/serpent-avx2-asm_64.S
14282index b222085..abd483c 100644
14283--- a/arch/x86/crypto/serpent-avx2-asm_64.S
14284+++ b/arch/x86/crypto/serpent-avx2-asm_64.S
14285@@ -15,6 +15,7 @@
14286 */
14287
14288 #include <linux/linkage.h>
14289+#include <asm/alternative-asm.h>
14290 #include "glue_helper-asm-avx2.S"
14291
14292 .file "serpent-avx2-asm_64.S"
14293@@ -610,6 +611,7 @@ __serpent_enc_blk16:
14294 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14295 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14296
14297+ pax_force_retaddr
14298 ret;
14299 ENDPROC(__serpent_enc_blk16)
14300
14301@@ -664,6 +666,7 @@ __serpent_dec_blk16:
14302 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
14303 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
14304
14305+ pax_force_retaddr
14306 ret;
14307 ENDPROC(__serpent_dec_blk16)
14308
14309@@ -684,6 +687,7 @@ ENTRY(serpent_ecb_enc_16way)
14310
14311 vzeroupper;
14312
14313+ pax_force_retaddr
14314 ret;
14315 ENDPROC(serpent_ecb_enc_16way)
14316
14317@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_16way)
14318
14319 vzeroupper;
14320
14321+ pax_force_retaddr
14322 ret;
14323 ENDPROC(serpent_ecb_dec_16way)
14324
14325@@ -725,6 +730,7 @@ ENTRY(serpent_cbc_dec_16way)
14326
14327 vzeroupper;
14328
14329+ pax_force_retaddr
14330 ret;
14331 ENDPROC(serpent_cbc_dec_16way)
14332
14333@@ -748,6 +754,7 @@ ENTRY(serpent_ctr_16way)
14334
14335 vzeroupper;
14336
14337+ pax_force_retaddr
14338 ret;
14339 ENDPROC(serpent_ctr_16way)
14340
14341@@ -772,6 +779,7 @@ ENTRY(serpent_xts_enc_16way)
14342
14343 vzeroupper;
14344
14345+ pax_force_retaddr
14346 ret;
14347 ENDPROC(serpent_xts_enc_16way)
14348
14349@@ -796,5 +804,6 @@ ENTRY(serpent_xts_dec_16way)
14350
14351 vzeroupper;
14352
14353+ pax_force_retaddr
14354 ret;
14355 ENDPROC(serpent_xts_dec_16way)
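--- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
+++ b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
@@ -25,6 +25,7 @@
 */

 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 .file "serpent-sse2-x86_64-asm_64.S"
 .text
@@ -690,12 +691,14 @@ ENTRY(__serpent_enc_blk_8way)
 write_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2);
 write_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2);

+ pax_force_retaddr
 ret;

 .L__enc_xor8:
 xor_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2);
 xor_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2);

+ pax_force_retaddr
 ret;
 ENDPROC(__serpent_enc_blk_8way)

@@ -750,5 +753,6 @@ ENTRY(serpent_dec_blk_8way)
 write_blocks(%rsi, RC1, RD1, RB1, RE1, RK0, RK1, RK2);
 write_blocks(%rax, RC2, RD2, RB2, RE2, RK0, RK1, RK2);

+ pax_force_retaddr
 ret;
 ENDPROC(serpent_dec_blk_8way)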
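--- a/arch/x86/crypto/sha1_ssse3_asm.S
+++ b/arch/x86/crypto/sha1_ssse3_asm.S
@@ -29,6 +29,7 @@
 */

 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 #define CTX %rdi // arg1
 #define BUF %rsi // arg2
@@ -75,9 +76,9 @@

 push %rbx
 push %rbp
- push %r12
+ push %r14

- mov %rsp, %r12
+ mov %rsp, %r14
 sub $64, %rsp # allocate workspace
 and $~15, %rsp # align stack

@@ -99,11 +100,12 @@
 xor %rax, %rax
 rep stosq

- mov %r12, %rsp # deallocate workspace
+ mov %r14, %rsp # deallocate workspace

- pop %r12
+ pop %r14
 pop %rbp
 pop %rbx
+ pax_force_retaddr
 ret

 ENDPROC(\name)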
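--- a/arch/x86/crypto/sha256-avx-asm.S
+++ b/arch/x86/crypto/sha256-avx-asm.S
@@ -49,6 +49,7 @@

 #ifdef CONFIG_AS_AVX
 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 ## assume buffers not aligned
 #define VMOVDQ vmovdqu
@@ -460,6 +461,7 @@ done_hash:
 popq %r13
 popq %rbp
 popq %rbx
+ pax_force_retaddr
 ret
 ENDPROC(sha256_transform_avx)
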
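--- a/arch/x86/crypto/sha256-avx2-asm.S
+++ b/arch/x86/crypto/sha256-avx2-asm.S
@@ -50,6 +50,7 @@

 #ifdef CONFIG_AS_AVX2
 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 ## assume buffers not aligned
 #define VMOVDQ vmovdqu
@@ -720,6 +721,7 @@ done_hash:
 popq %r12
 popq %rbp
 popq %rbx
+ pax_force_retaddr
 ret
 ENDPROC(sha256_transform_rorx)
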
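--- a/arch/x86/crypto/sha256-ssse3-asm.S
+++ b/arch/x86/crypto/sha256-ssse3-asm.S
@@ -47,6 +47,7 @@
 ########################################################################

 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 ## assume buffers not aligned
 #define MOVDQ movdqu
@@ -471,6 +472,7 @@ done_hash:
 popq %rbp
 popq %rbx

+ pax_force_retaddr
 ret
 ENDPROC(sha256_transform_ssse3)
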
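--- a/arch/x86/crypto/sha512-avx-asm.S
+++ b/arch/x86/crypto/sha512-avx-asm.S
@@ -49,6 +49,7 @@

 #ifdef CONFIG_AS_AVX
 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 .text

@@ -364,6 +365,7 @@ updateblock:
 mov frame_RSPSAVE(%rsp), %rsp

 nowork:
+ pax_force_retaddr
 ret
 ENDPROC(sha512_transform_avx)
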
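--- a/arch/x86/crypto/sha512-avx2-asm.S
+++ b/arch/x86/crypto/sha512-avx2-asm.S
@@ -51,6 +51,7 @@

 #ifdef CONFIG_AS_AVX2
 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 .text

@@ -678,6 +679,7 @@ done_hash:

 # Restore Stack Pointer
 mov frame_RSPSAVE(%rsp), %rsp
+ pax_force_retaddr
 ret
 ENDPROC(sha512_transform_rorx)
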
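--- a/arch/x86/crypto/sha512-ssse3-asm.S
+++ b/arch/x86/crypto/sha512-ssse3-asm.S
@@ -48,6 +48,7 @@
 ########################################################################

 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 .text

@@ -363,6 +364,7 @@ updateblock:
 mov frame_RSPSAVE(%rsp), %rsp

 nowork:
+ pax_force_retaddr
 ret
 ENDPROC(sha512_transform_ssse3)
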
14549diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14550index 0505813..b067311 100644
14551--- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14552+++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14553@@ -24,6 +24,7 @@
14554 */
14555
14556 #include <linux/linkage.h>
14557+#include <asm/alternative-asm.h>
14558 #include "glue_helper-asm-avx.S"
14559
14560 .file "twofish-avx-x86_64-asm_64.S"
14561@@ -284,6 +285,7 @@ __twofish_enc_blk8:
14562 outunpack_blocks(RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2);
14563 outunpack_blocks(RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2);
14564
14565+ pax_force_retaddr
14566 ret;
14567 ENDPROC(__twofish_enc_blk8)
14568
14569@@ -324,6 +326,7 @@ __twofish_dec_blk8:
14570 outunpack_blocks(RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2);
14571 outunpack_blocks(RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2);
14572
14573+ pax_force_retaddr
14574 ret;
14575 ENDPROC(__twofish_dec_blk8)
14576
14577@@ -342,6 +345,7 @@ ENTRY(twofish_ecb_enc_8way)
14578
14579 store_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14580
14581+ pax_force_retaddr
14582 ret;
14583 ENDPROC(twofish_ecb_enc_8way)
14584
14585@@ -360,6 +364,7 @@ ENTRY(twofish_ecb_dec_8way)
14586
14587 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14588
14589+ pax_force_retaddr
14590 ret;
14591 ENDPROC(twofish_ecb_dec_8way)
14592
14593@@ -370,19 +375,20 @@ ENTRY(twofish_cbc_dec_8way)
14594 * %rdx: src
14595 */
14596
14597- pushq %r12;
14598+ pushq %r14;
14599
14600 movq %rsi, %r11;
14601- movq %rdx, %r12;
14602+ movq %rdx, %r14;
14603
14604 load_8way(%rdx, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14605
14606 call __twofish_dec_blk8;
14607
14608- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14609+ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14610
14611- popq %r12;
14612+ popq %r14;
14613
14614+ pax_force_retaddr
14615 ret;
14616 ENDPROC(twofish_cbc_dec_8way)
14617
14618@@ -394,20 +400,21 @@ ENTRY(twofish_ctr_8way)
14619 * %rcx: iv (little endian, 128bit)
14620 */
14621
14622- pushq %r12;
14623+ pushq %r14;
14624
14625 movq %rsi, %r11;
14626- movq %rdx, %r12;
14627+ movq %rdx, %r14;
14628
14629 load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2,
14630 RD2, RX0, RX1, RY0);
14631
14632 call __twofish_enc_blk8;
14633
14634- store_ctr_8way(%r12, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14635+ store_ctr_8way(%r14, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14636
14637- popq %r12;
14638+ popq %r14;
14639
14640+ pax_force_retaddr
14641 ret;
14642 ENDPROC(twofish_ctr_8way)
14643
14644@@ -430,6 +437,7 @@ ENTRY(twofish_xts_enc_8way)
14645 /* dst <= regs xor IVs(in dst) */
14646 store_xts_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14647
14648+ pax_force_retaddr
14649 ret;
14650 ENDPROC(twofish_xts_enc_8way)
14651
14652@@ -452,5 +460,6 @@ ENTRY(twofish_xts_dec_8way)
14653 /* dst <= regs xor IVs(in dst) */
14654 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14655
14656+ pax_force_retaddr
14657 ret;
14658 ENDPROC(twofish_xts_dec_8way)
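--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
+++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
@@ -21,6 +21,7 @@
 */

 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>

 .file "twofish-x86_64-asm-3way.S"
 .text
@@ -258,6 +259,7 @@ ENTRY(__twofish_enc_blk_3way)
 popq %r13;
 popq %r14;
 popq %r15;
+ pax_force_retaddr
 ret;

 .L__enc_xor3:
@@ -269,6 +271,7 @@ ENTRY(__twofish_enc_blk_3way)
 popq %r13;
 popq %r14;
 popq %r15;
+ pax_force_retaddr
 ret;
 ENDPROC(__twofish_enc_blk_3way)

@@ -308,5 +311,6 @@ ENTRY(twofish_dec_blk_3way)
 popq %r13;
 popq %r14;
 popq %r15;
+ pax_force_retaddr
 ret;
 ENDPROC(twofish_dec_blk_3way)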
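--- a/arch/x86/crypto/twofish-x86_64-asm_64.S
+++ b/arch/x86/crypto/twofish-x86_64-asm_64.S
@@ -22,6 +22,7 @@

 #include <linux/linkage.h>
 #include <asm/asm-offsets.h>
+#include <asm/alternative-asm.h>

 #define a_offset 0
 #define b_offset 4
@@ -265,6 +266,7 @@ ENTRY(twofish_enc_blk)

 popq R1
 movl $1,%eax
+ pax_force_retaddr
 ret
 ENDPROC(twofish_enc_blk)

@@ -317,5 +319,6 @@ ENTRY(twofish_dec_blk)

 popq R1
 movl $1,%eax
+ pax_force_retaddr
 ret
 ENDPROC(twofish_dec_blk)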
14721diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
14722index f4e6308..7ba29a1 100644
14723--- a/arch/x86/entry/calling.h
14724+++ b/arch/x86/entry/calling.h
14725@@ -93,23 +93,26 @@ For 32-bit we have the following conventions - kernel is built with
14726 .endm
14727
14728 .macro SAVE_C_REGS_HELPER offset=0 rax=1 rcx=1 r8910=1 r11=1
14729+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14730+ movq %r12, R12+\offset(%rsp)
14731+#endif
14732 .if \r11
14733- movq %r11, 6*8+\offset(%rsp)
14734+ movq %r11, R11+\offset(%rsp)
14735 .endif
14736 .if \r8910
14737- movq %r10, 7*8+\offset(%rsp)
14738- movq %r9, 8*8+\offset(%rsp)
14739- movq %r8, 9*8+\offset(%rsp)
14740+ movq %r10, R10+\offset(%rsp)
14741+ movq %r9, R9+\offset(%rsp)
14742+ movq %r8, R8+\offset(%rsp)
14743 .endif
14744 .if \rax
14745- movq %rax, 10*8+\offset(%rsp)
14746+ movq %rax, RAX+\offset(%rsp)
14747 .endif
14748 .if \rcx
14749- movq %rcx, 11*8+\offset(%rsp)
14750+ movq %rcx, RCX+\offset(%rsp)
14751 .endif
14752- movq %rdx, 12*8+\offset(%rsp)
14753- movq %rsi, 13*8+\offset(%rsp)
14754- movq %rdi, 14*8+\offset(%rsp)
14755+ movq %rdx, RDX+\offset(%rsp)
14756+ movq %rsi, RSI+\offset(%rsp)
14757+ movq %rdi, RDI+\offset(%rsp)
14758 .endm
14759 .macro SAVE_C_REGS offset=0
14760 SAVE_C_REGS_HELPER \offset, 1, 1, 1, 1
14761@@ -128,76 +131,87 @@ For 32-bit we have the following conventions - kernel is built with
14762 .endm
14763
14764 .macro SAVE_EXTRA_REGS offset=0
14765- movq %r15, 0*8+\offset(%rsp)
14766- movq %r14, 1*8+\offset(%rsp)
14767- movq %r13, 2*8+\offset(%rsp)
14768- movq %r12, 3*8+\offset(%rsp)
14769- movq %rbp, 4*8+\offset(%rsp)
14770- movq %rbx, 5*8+\offset(%rsp)
14771+ movq %r15, R15+\offset(%rsp)
14772+ movq %r14, R14+\offset(%rsp)
14773+ movq %r13, R13+\offset(%rsp)
14774+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14775+ movq %r12, R12+\offset(%rsp)
14776+#endif
14777+ movq %rbp, RBP+\offset(%rsp)
14778+ movq %rbx, RBX+\offset(%rsp)
14779 .endm
14780 .macro SAVE_EXTRA_REGS_RBP offset=0
14781- movq %rbp, 4*8+\offset(%rsp)
14782+ movq %rbp, RBP+\offset(%rsp)
14783 .endm
14784
14785 .macro RESTORE_EXTRA_REGS offset=0
14786- movq 0*8+\offset(%rsp), %r15
14787- movq 1*8+\offset(%rsp), %r14
14788- movq 2*8+\offset(%rsp), %r13
14789- movq 3*8+\offset(%rsp), %r12
14790- movq 4*8+\offset(%rsp), %rbp
14791- movq 5*8+\offset(%rsp), %rbx
14792+ movq R15+\offset(%rsp), %r15
14793+ movq R14+\offset(%rsp), %r14
14794+ movq R13+\offset(%rsp), %r13
14795+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14796+ movq R12+\offset(%rsp), %r12
14797+#endif
14798+ movq RBP+\offset(%rsp), %rbp
14799+ movq RBX+\offset(%rsp), %rbx
14800 .endm
14801
14802 .macro ZERO_EXTRA_REGS
14803 xorl %r15d, %r15d
14804 xorl %r14d, %r14d
14805 xorl %r13d, %r13d
14806+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14807 xorl %r12d, %r12d
14808+#endif
14809 xorl %ebp, %ebp
14810 xorl %ebx, %ebx
14811 .endm
14812
14813- .macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1
14814+ .macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1, rstor_r12=1
14815+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14816+ .if \rstor_r12
14817+ movq R12(%rsp), %r12
14818+ .endif
14819+#endif
14820 .if \rstor_r11
14821- movq 6*8(%rsp), %r11
14822+ movq R11(%rsp), %r11
14823 .endif
14824 .if \rstor_r8910
14825- movq 7*8(%rsp), %r10
14826- movq 8*8(%rsp), %r9
14827- movq 9*8(%rsp), %r8
14828+ movq R10(%rsp), %r10
14829+ movq R9(%rsp), %r9
14830+ movq R8(%rsp), %r8
14831 .endif
14832 .if \rstor_rax
14833- movq 10*8(%rsp), %rax
14834+ movq RAX(%rsp), %rax
14835 .endif
14836 .if \rstor_rcx
14837- movq 11*8(%rsp), %rcx
14838+ movq RCX(%rsp), %rcx
14839 .endif
14840 .if \rstor_rdx
14841- movq 12*8(%rsp), %rdx
14842+ movq RDX(%rsp), %rdx
14843 .endif
14844- movq 13*8(%rsp), %rsi
14845- movq 14*8(%rsp), %rdi
14846+ movq RSI(%rsp), %rsi
14847+ movq RDI(%rsp), %rdi
14848 .endm
14849 .macro RESTORE_C_REGS
14850- RESTORE_C_REGS_HELPER 1,1,1,1,1
14851+ RESTORE_C_REGS_HELPER 1,1,1,1,1,1
14852 .endm
14853 .macro RESTORE_C_REGS_EXCEPT_RAX
14854- RESTORE_C_REGS_HELPER 0,1,1,1,1
14855+ RESTORE_C_REGS_HELPER 0,1,1,1,1,0
14856 .endm
14857 .macro RESTORE_C_REGS_EXCEPT_RCX
14858- RESTORE_C_REGS_HELPER 1,0,1,1,1
14859+ RESTORE_C_REGS_HELPER 1,0,1,1,1,0
14860 .endm
14861 .macro RESTORE_C_REGS_EXCEPT_R11
14862- RESTORE_C_REGS_HELPER 1,1,0,1,1
14863+ RESTORE_C_REGS_HELPER 1,1,0,1,1,1
14864 .endm
14865 .macro RESTORE_C_REGS_EXCEPT_RCX_R11
14866- RESTORE_C_REGS_HELPER 1,0,0,1,1
14867+ RESTORE_C_REGS_HELPER 1,0,0,1,1,1
14868 .endm
14869 .macro RESTORE_RSI_RDI
14870- RESTORE_C_REGS_HELPER 0,0,0,0,0
14871+ RESTORE_C_REGS_HELPER 0,0,0,0,0,1
14872 .endm
14873 .macro RESTORE_RSI_RDI_RDX
14874- RESTORE_C_REGS_HELPER 0,0,0,0,1
14875+ RESTORE_C_REGS_HELPER 0,0,0,0,1,1
14876 .endm
14877
14878 .macro REMOVE_PT_GPREGS_FROM_STACK addskip=0
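Review bot: The new sixth argument `rstor_r12` is passed as 0 by RESTORE_C_REGS_EXCEPT_RAX and RESTORE_C_REGS_EXCEPT_RCX but as 1 by RESTORE_RSI_RDI and RESTORE_RSI_RDI_RDX, and nothing in the header says why. Under CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR, %r12 is now stored by SAVE_C_REGS_HELPER and skipped by SAVE_EXTRA_REGS, RESTORE_EXTRA_REGS and ZERO_EXTRA_REGS. A path that uses one of the two `…,0` wrappers therefore has to get %r12 back some other way, and whether every such path does is not visible in this section. A short comment above RESTORE_C_REGS_HELPER would make that checkable, stating that %r12 moves into the C-register set in this configuration, which wrappers restore it, and what the others rely on.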
14879diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
14880index 21dc60a..844def1 100644
14881--- a/arch/x86/entry/entry_32.S
14882+++ b/arch/x86/entry/entry_32.S
14883@@ -157,13 +157,154 @@
14884 movl \reg, PT_GS(%esp)
14885 .endm
14886 .macro SET_KERNEL_GS reg
14887+
14888+#ifdef CONFIG_CC_STACKPROTECTOR
14889 movl $(__KERNEL_STACK_CANARY), \reg
14890+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
14891+ movl $(__USER_DS), \reg
14892+#else
14893+ xorl \reg, \reg
14894+#endif
14895+
14896 movl \reg, %gs
14897 .endm
14898
14899 #endif /* CONFIG_X86_32_LAZY_GS */
14900
14901-.macro SAVE_ALL
14902+.macro pax_enter_kernel
14903+#ifdef CONFIG_PAX_KERNEXEC
14904+ call pax_enter_kernel
14905+#endif
14906+.endm
14907+
14908+.macro pax_exit_kernel
14909+#ifdef CONFIG_PAX_KERNEXEC
14910+ call pax_exit_kernel
14911+#endif
14912+.endm
14913+
14914+#ifdef CONFIG_PAX_KERNEXEC
14915+ENTRY(pax_enter_kernel)
14916+#ifdef CONFIG_PARAVIRT
14917+ pushl %eax
14918+ pushl %ecx
14919+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
14920+ mov %eax, %esi
14921+#else
14922+ mov %cr0, %esi
14923+#endif
14924+ bts $X86_CR0_WP_BIT, %esi
14925+ jnc 1f
14926+ mov %cs, %esi
14927+ cmp $__KERNEL_CS, %esi
14928+ jz 3f
14929+ ljmp $__KERNEL_CS, $3f
14930+1: ljmp $__KERNEXEC_KERNEL_CS, $2f
14931+2:
14932+#ifdef CONFIG_PARAVIRT
14933+ mov %esi, %eax
14934+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
14935+#else
14936+ mov %esi, %cr0
14937+#endif
14938+3:
14939+#ifdef CONFIG_PARAVIRT
14940+ popl %ecx
14941+ popl %eax
14942+#endif
14943+ ret
14944+ENDPROC(pax_enter_kernel)
14945+
14946+ENTRY(pax_exit_kernel)
14947+#ifdef CONFIG_PARAVIRT
14948+ pushl %eax
14949+ pushl %ecx
14950+#endif
14951+ mov %cs, %esi
14952+ cmp $__KERNEXEC_KERNEL_CS, %esi
14953+ jnz 2f
14954+#ifdef CONFIG_PARAVIRT
14955+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
14956+ mov %eax, %esi
14957+#else
14958+ mov %cr0, %esi
14959+#endif
14960+ btr $X86_CR0_WP_BIT, %esi
14961+ ljmp $__KERNEL_CS, $1f
14962+1:
14963+#ifdef CONFIG_PARAVIRT
14964+ mov %esi, %eax
14965+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
14966+#else
14967+ mov %esi, %cr0
14968+#endif
14969+2:
14970+#ifdef CONFIG_PARAVIRT
14971+ popl %ecx
14972+ popl %eax
14973+#endif
14974+ ret
14975+ENDPROC(pax_exit_kernel)
14976+#endif
14977+
14978+ .macro pax_erase_kstack
14979+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14980+ call pax_erase_kstack
14981+#endif
14982+ .endm
14983+
14984+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14985+/*
14986+ * ebp: thread_info
14987+ */
14988+ENTRY(pax_erase_kstack)
14989+ pushl %edi
14990+ pushl %ecx
14991+ pushl %eax
14992+
14993+ mov TI_lowest_stack(%ebp), %edi
14994+ mov $-0xBEEF, %eax
14995+ std
14996+
14997+1: mov %edi, %ecx
14998+ and $THREAD_SIZE_asm - 1, %ecx
14999+ shr $2, %ecx
15000+ repne scasl
15001+ jecxz 2f
15002+
15003+ cmp $2*16, %ecx
15004+ jc 2f
15005+
15006+ mov $2*16, %ecx
15007+ repe scasl
15008+ jecxz 2f
15009+ jne 1b
15010+
15011+2: cld
15012+ or $2*4, %edi
15013+ mov %esp, %ecx
15014+ sub %edi, %ecx
15015+
15016+ cmp $THREAD_SIZE_asm, %ecx
15017+ jb 3f
15018+ ud2
15019+3:
15020+
15021+ shr $2, %ecx
15022+ rep stosl
15023+
15024+ mov TI_task_thread_sp0(%ebp), %edi
15025+ sub $128, %edi
15026+ mov %edi, TI_lowest_stack(%ebp)
15027+
15028+ popl %eax
15029+ popl %ecx
15030+ popl %edi
15031+ ret
15032+ENDPROC(pax_erase_kstack)
15033+#endif
15034+
15035+.macro __SAVE_ALL _DS
15036 cld
15037 PUSH_GS
15038 pushl %fs
15039@@ -176,7 +317,7 @@
15040 pushl %edx
15041 pushl %ecx
15042 pushl %ebx
15043- movl $(__USER_DS), %edx
15044+ movl $\_DS, %edx
15045 movl %edx, %ds
15046 movl %edx, %es
15047 movl $(__KERNEL_PERCPU), %edx
15048@@ -184,6 +325,15 @@
15049 SET_KERNEL_GS %edx
15050 .endm
15051
15052+.macro SAVE_ALL
15053+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15054+ __SAVE_ALL __KERNEL_DS
15055+ pax_enter_kernel
15056+#else
15057+ __SAVE_ALL __USER_DS
15058+#endif
15059+.endm
15060+
15061 .macro RESTORE_INT_REGS
15062 popl %ebx
15063 popl %ecx
15064@@ -222,7 +372,7 @@ ENTRY(ret_from_fork)
15065 pushl $0x0202 # Reset kernel eflags
15066 popfl
15067 jmp syscall_exit
15068-END(ret_from_fork)
15069+ENDPROC(ret_from_fork)
15070
15071 ENTRY(ret_from_kernel_thread)
15072 pushl %eax
15073@@ -262,7 +412,15 @@ ret_from_intr:
15074 andl $SEGMENT_RPL_MASK, %eax
15075 #endif
15076 cmpl $USER_RPL, %eax
15077+
15078+#ifdef CONFIG_PAX_KERNEXEC
15079+ jae resume_userspace
15080+
15081+ pax_exit_kernel
15082+ jmp resume_kernel
15083+#else
15084 jb resume_kernel # not returning to v8086 or userspace
15085+#endif
15086
15087 ENTRY(resume_userspace)
15088 LOCKDEP_SYS_EXIT
15089@@ -274,8 +432,8 @@ ENTRY(resume_userspace)
15090 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
15091 # int/exception return?
15092 jne work_pending
15093- jmp restore_all
15094-END(ret_from_exception)
15095+ jmp restore_all_pax
15096+ENDPROC(ret_from_exception)
15097
15098 #ifdef CONFIG_PREEMPT
15099 ENTRY(resume_kernel)
15100@@ -287,7 +445,7 @@ need_resched:
15101 jz restore_all
15102 call preempt_schedule_irq
15103 jmp need_resched
15104-END(resume_kernel)
15105+ENDPROC(resume_kernel)
15106 #endif
15107
15108 /*
15109@@ -312,32 +470,44 @@ sysenter_past_esp:
15110 pushl $__USER_CS
15111 /*
15112 * Push current_thread_info()->sysenter_return to the stack.
15113- * A tiny bit of offset fixup is necessary: TI_sysenter_return
15114- * is relative to thread_info, which is at the bottom of the
15115- * kernel stack page. 4*4 means the 4 words pushed above;
15116- * TOP_OF_KERNEL_STACK_PADDING takes us to the top of the stack;
15117- * and THREAD_SIZE takes us to the bottom.
15118 */
15119- pushl ((TI_sysenter_return) - THREAD_SIZE + TOP_OF_KERNEL_STACK_PADDING + 4*4)(%esp)
15120+ pushl $0
15121
15122 pushl %eax
15123 SAVE_ALL
15124+ GET_THREAD_INFO(%ebp)
15125+ movl TI_sysenter_return(%ebp), %ebp
15126+ movl %ebp, PT_EIP(%esp)
15127 ENABLE_INTERRUPTS(CLBR_NONE)
15128
15129 /*
15130 * Load the potential sixth argument from user stack.
15131 * Careful about security.
15132 */
15133+ movl PT_OLDESP(%esp),%ebp
15134+
15135+#ifdef CONFIG_PAX_MEMORY_UDEREF
15136+ mov PT_OLDSS(%esp), %ds
15137+1: movl %ds:(%ebp), %ebp
15138+ push %ss
15139+ pop %ds
15140+#else
15141 cmpl $__PAGE_OFFSET-3, %ebp
15142 jae syscall_fault
15143 ASM_STAC
15144 1: movl (%ebp), %ebp
15145 ASM_CLAC
15146+#endif
15147+
15148 movl %ebp, PT_EBP(%esp)
15149 _ASM_EXTABLE(1b, syscall_fault)
15150
15151 GET_THREAD_INFO(%ebp)
15152
15153+#ifdef CONFIG_PAX_RANDKSTACK
15154+ pax_erase_kstack
15155+#endif
15156+
15157 testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%ebp)
15158 jnz sysenter_audit
15159 sysenter_do_call:
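Review bot: The `pax_erase_kstack` call added after `GET_THREAD_INFO(%ebp)` is wrapped in `#ifdef CONFIG_PAX_RANDKSTACK`, while the macro of that name earlier in this file expands to a call only under `CONFIG_PAX_MEMORY_STACKLEAK`, and no comment explains the double condition. The entry-time erase therefore happens only when both options are set. A comment such as `/* pax_erase_kstack is empty without MEMORY_STACKLEAK; on entry it is additionally gated on RANDKSTACK */` above the `#ifdef` would record that this is intended. The same pattern appears in the entry_INT80_32 hunk below and in the entry_SYSCALL_64 hunk of entry_64.S. The sysenter entry code begins and continues outside this hunk.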
15160@@ -353,12 +523,24 @@ sysenter_after_call:
15161 testl $_TIF_ALLWORK_MASK, %ecx
15162 jnz sysexit_audit
15163 sysenter_exit:
15164+
15165+#ifdef CONFIG_PAX_RANDKSTACK
15166+ pushl %eax
15167+ movl %esp, %eax
15168+ call pax_randomize_kstack
15169+ popl %eax
15170+#endif
15171+
15172+ pax_erase_kstack
15173+
15174 /* if something modifies registers it must also disable sysexit */
15175 movl PT_EIP(%esp), %edx
15176 movl PT_OLDESP(%esp), %ecx
15177 xorl %ebp, %ebp
15178 TRACE_IRQS_ON
15179 1: mov PT_FS(%esp), %fs
15180+2: mov PT_DS(%esp), %ds
15181+3: mov PT_ES(%esp), %es
15182 PTGS_TO_GS
15183 ENABLE_INTERRUPTS_SYSEXIT
15184
15185@@ -372,6 +554,9 @@ sysenter_audit:
15186 pushl PT_ESI(%esp) /* a3: 5th arg */
15187 pushl PT_EDX+4(%esp) /* a2: 4th arg */
15188 call __audit_syscall_entry
15189+
15190+ pax_erase_kstack
15191+
15192 popl %ecx /* get that remapped edx off the stack */
15193 popl %ecx /* get that remapped esi off the stack */
15194 movl PT_EAX(%esp), %eax /* reload syscall number */
15195@@ -397,10 +582,16 @@ sysexit_audit:
15196 #endif
15197
15198 .pushsection .fixup, "ax"
15199-2: movl $0, PT_FS(%esp)
15200+4: movl $0, PT_FS(%esp)
15201+ jmp 1b
15202+5: movl $0, PT_DS(%esp)
15203+ jmp 1b
15204+6: movl $0, PT_ES(%esp)
15205 jmp 1b
15206 .popsection
15207- _ASM_EXTABLE(1b, 2b)
15208+ _ASM_EXTABLE(1b, 4b)
15209+ _ASM_EXTABLE(2b, 5b)
15210+ _ASM_EXTABLE(3b, 6b)
15211 PTGS_TO_GS_EX
15212 ENDPROC(entry_SYSENTER_32)
15213
15214@@ -410,6 +601,11 @@ ENTRY(entry_INT80_32)
15215 pushl %eax # save orig_eax
15216 SAVE_ALL
15217 GET_THREAD_INFO(%ebp)
15218+
15219+#ifdef CONFIG_PAX_RANDKSTACK
15220+ pax_erase_kstack
15221+#endif
15222+
15223 # system call tracing in operation / emulation
15224 testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%ebp)
15225 jnz syscall_trace_entry
15226@@ -429,6 +625,15 @@ syscall_exit:
15227 testl $_TIF_ALLWORK_MASK, %ecx # current->work
15228 jnz syscall_exit_work
15229
15230+restore_all_pax:
15231+
15232+#ifdef CONFIG_PAX_RANDKSTACK
15233+ movl %esp, %eax
15234+ call pax_randomize_kstack
15235+#endif
15236+
15237+ pax_erase_kstack
15238+
15239 restore_all:
15240 TRACE_IRQS_IRET
15241 restore_all_notrace:
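Review bot: The new `restore_all_pax` label calls `pax_erase_kstack`, whose 32-bit body documents `ebp: thread_info` as its input and reads `TI_lowest_stack(%ebp)`, but the label does not state that requirement. It is reached by fall-through from `syscall_exit` and by the jumps this patch adds in `resume_userspace` and `work_resched`, so every one of those paths must arrive with %ebp already loaded. None of those loads is visible in this hunk. I would add `/* expects %ebp == thread_info: pax_erase_kstack reads TI_lowest_stack(%ebp) */` directly above the label.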
15242@@ -483,14 +688,34 @@ ldt_ss:
15243 * compensating for the offset by changing to the ESPFIX segment with
15244 * a base address that matches for the difference.
15245 */
15246-#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
15247+#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
15248 mov %esp, %edx /* load kernel esp */
15249 mov PT_OLDESP(%esp), %eax /* load userspace esp */
15250 mov %dx, %ax /* eax: new kernel esp */
15251 sub %eax, %edx /* offset (low word is 0) */
15252+#ifdef CONFIG_SMP
15253+ movl PER_CPU_VAR(cpu_number), %ebx
15254+ shll $PAGE_SHIFT_asm, %ebx
15255+ addl $cpu_gdt_table, %ebx
15256+#else
15257+ movl $cpu_gdt_table, %ebx
15258+#endif
15259 shr $16, %edx
15260- mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
15261- mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
15262+
15263+#ifdef CONFIG_PAX_KERNEXEC
15264+ mov %cr0, %esi
15265+ btr $X86_CR0_WP_BIT, %esi
15266+ mov %esi, %cr0
15267+#endif
15268+
15269+ mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
15270+ mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
15271+
15272+#ifdef CONFIG_PAX_KERNEXEC
15273+ bts $X86_CR0_WP_BIT, %esi
15274+ mov %esi, %cr0
15275+#endif
15276+
15277 pushl $__ESPFIX_SS
15278 pushl %eax /* new kernel esp */
15279 /*
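Review bot: The KERNEXEC block after `ldt_ss` clears CR0.WP with a direct `mov %esi, %cr0`, whereas `pax_exit_kernel` earlier in this file writes CR0 through `PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)` under CONFIG_PARAVIRT. If this path can run paravirtualized the two should agree, or a comment should say why native access is acceptable here. The hunk also does not show whether interrupts are disabled between the `btr` and `bts` pair; anything that preempts this window runs with kernel write protection off, so the required IRQ state deserves a comment, for example `/* IRQs must be off: CR0.WP is clear until the bts below */`. The code after `ldt_ss` continues outside the hunk.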
15280@@ -519,20 +744,18 @@ work_resched:
15281 movl TI_flags(%ebp), %ecx
15282 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
15283 # than syscall tracing?
15284- jz restore_all
15285+ jz restore_all_pax
15286 testb $_TIF_NEED_RESCHED, %cl
15287 jnz work_resched
15288
15289 work_notifysig: # deal with pending signals and
15290 # notify-resume requests
15291+ movl %esp, %eax
15292 #ifdef CONFIG_VM86
15293 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
15294- movl %esp, %eax
15295 jnz work_notifysig_v86 # returning to kernel-space or
15296 # vm86-space
15297 1:
15298-#else
15299- movl %esp, %eax
15300 #endif
15301 TRACE_IRQS_ON
15302 ENABLE_INTERRUPTS(CLBR_NONE)
15303@@ -553,7 +776,7 @@ work_notifysig_v86:
15304 movl %eax, %esp
15305 jmp 1b
15306 #endif
15307-END(work_pending)
15308+ENDPROC(work_pending)
15309
15310 # perform syscall exit tracing
15311 ALIGN
15312@@ -561,11 +784,14 @@ syscall_trace_entry:
15313 movl $-ENOSYS, PT_EAX(%esp)
15314 movl %esp, %eax
15315 call syscall_trace_enter
15316+
15317+ pax_erase_kstack
15318+
15319 /* What it returned is what we'll actually use. */
15320 cmpl $(NR_syscalls), %eax
15321 jnae syscall_call
15322 jmp syscall_exit
15323-END(syscall_trace_entry)
15324+ENDPROC(syscall_trace_entry)
15325
15326 # perform syscall exit tracing
15327 ALIGN
15328@@ -578,24 +804,28 @@ syscall_exit_work:
15329 movl %esp, %eax
15330 call syscall_trace_leave
15331 jmp resume_userspace
15332-END(syscall_exit_work)
15333+ENDPROC(syscall_exit_work)
15334
15335 syscall_fault:
15336+#ifdef CONFIG_PAX_MEMORY_UDEREF
15337+ push %ss
15338+ pop %ds
15339+#endif
15340 ASM_CLAC
15341 GET_THREAD_INFO(%ebp)
15342 movl $-EFAULT, PT_EAX(%esp)
15343 jmp resume_userspace
15344-END(syscall_fault)
15345+ENDPROC(syscall_fault)
15346
15347 syscall_badsys:
15348 movl $-ENOSYS, %eax
15349 jmp syscall_after_call
15350-END(syscall_badsys)
15351+ENDPROC(syscall_badsys)
15352
15353 sysenter_badsys:
15354 movl $-ENOSYS, %eax
15355 jmp sysenter_after_call
15356-END(sysenter_badsys)
15357+ENDPROC(sysenter_badsys)
15358
15359 .macro FIXUP_ESPFIX_STACK
15360 /*
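Review bot: The `push %ss` / `pop %ds` pair added at `syscall_fault` has no comment, and its purpose only becomes clear from the sysenter hunk. There, under CONFIG_PAX_MEMORY_UDEREF, the sixth-argument load at label `1:` runs with %ds taken from `PT_OLDSS(%esp)`, and its `_ASM_EXTABLE` entry lands here. I would add `/* arrived from the sysenter arg6 load with the user stack selector in %ds; reload %ds from %ss */` above the pair. The UDEREF variant of that load also drops the `cmpl $__PAGE_OFFSET-3, %ebp` range check, so it depends on the selector's segment limit to keep the read out of kernel memory. The descriptor setup is not visible here, and that dependency should be stated next to the load.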
15361@@ -607,8 +837,15 @@ END(sysenter_badsys)
15362 */
15363 #ifdef CONFIG_X86_ESPFIX32
15364 /* fixup the stack */
15365- mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
15366- mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
15367+#ifdef CONFIG_SMP
15368+ movl PER_CPU_VAR(cpu_number), %ebx
15369+ shll $PAGE_SHIFT_asm, %ebx
15370+ addl $cpu_gdt_table, %ebx
15371+#else
15372+ movl $cpu_gdt_table, %ebx
15373+#endif
15374+ mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
15375+ mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
15376 shl $16, %eax
15377 addl %esp, %eax /* the adjusted stack pointer */
15378 pushl $__KERNEL_DS
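Review bot: `FIXUP_ESPFIX_STACK` now loads %ebx with the per-CPU GDT address before reading the two ESPFIX descriptor bytes, so %ebx becomes a new clobber that the macro's header comment (which starts outside this hunk) does not mention. I would add `/* clobbers %eax and %ebx */` to that comment. The `cpu_number << PAGE_SHIFT_asm` arithmetic assumes each CPU's GDT occupies exactly one page of `cpu_gdt_table`; that layout is not visible here and should be noted as well. The same five-line address computation is repeated verbatim in the `ldt_ss` hunk, and a small shared macro would keep the two copies from drifting apart.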
15379@@ -644,7 +881,7 @@ ENTRY(irq_entries_start)
15380 jmp common_interrupt
15381 .align 8
15382 .endr
15383-END(irq_entries_start)
15384+ENDPROC(irq_entries_start)
15385
15386 /*
15387 * the CPU automatically disables interrupts when executing an IRQ vector,
15388@@ -691,7 +928,7 @@ ENTRY(coprocessor_error)
15389 pushl $0
15390 pushl $do_coprocessor_error
15391 jmp error_code
15392-END(coprocessor_error)
15393+ENDPROC(coprocessor_error)
15394
15395 ENTRY(simd_coprocessor_error)
15396 ASM_CLAC
15397@@ -705,25 +942,25 @@ ENTRY(simd_coprocessor_error)
15398 pushl $do_simd_coprocessor_error
15399 #endif
15400 jmp error_code
15401-END(simd_coprocessor_error)
15402+ENDPROC(simd_coprocessor_error)
15403
15404 ENTRY(device_not_available)
15405 ASM_CLAC
15406 pushl $-1 # mark this as an int
15407 pushl $do_device_not_available
15408 jmp error_code
15409-END(device_not_available)
15410+ENDPROC(device_not_available)
15411
15412 #ifdef CONFIG_PARAVIRT
15413 ENTRY(native_iret)
15414 iret
15415 _ASM_EXTABLE(native_iret, iret_exc)
15416-END(native_iret)
15417+ENDPROC(native_iret)
15418
15419 ENTRY(native_irq_enable_sysexit)
15420 sti
15421 sysexit
15422-END(native_irq_enable_sysexit)
15423+ENDPROC(native_irq_enable_sysexit)
15424 #endif
15425
15426 ENTRY(overflow)
15427@@ -731,59 +968,59 @@ ENTRY(overflow)
15428 pushl $0
15429 pushl $do_overflow
15430 jmp error_code
15431-END(overflow)
15432+ENDPROC(overflow)
15433
15434 ENTRY(bounds)
15435 ASM_CLAC
15436 pushl $0
15437 pushl $do_bounds
15438 jmp error_code
15439-END(bounds)
15440+ENDPROC(bounds)
15441
15442 ENTRY(invalid_op)
15443 ASM_CLAC
15444 pushl $0
15445 pushl $do_invalid_op
15446 jmp error_code
15447-END(invalid_op)
15448+ENDPROC(invalid_op)
15449
15450 ENTRY(coprocessor_segment_overrun)
15451 ASM_CLAC
15452 pushl $0
15453 pushl $do_coprocessor_segment_overrun
15454 jmp error_code
15455-END(coprocessor_segment_overrun)
15456+ENDPROC(coprocessor_segment_overrun)
15457
15458 ENTRY(invalid_TSS)
15459 ASM_CLAC
15460 pushl $do_invalid_TSS
15461 jmp error_code
15462-END(invalid_TSS)
15463+ENDPROC(invalid_TSS)
15464
15465 ENTRY(segment_not_present)
15466 ASM_CLAC
15467 pushl $do_segment_not_present
15468 jmp error_code
15469-END(segment_not_present)
15470+ENDPROC(segment_not_present)
15471
15472 ENTRY(stack_segment)
15473 ASM_CLAC
15474 pushl $do_stack_segment
15475 jmp error_code
15476-END(stack_segment)
15477+ENDPROC(stack_segment)
15478
15479 ENTRY(alignment_check)
15480 ASM_CLAC
15481 pushl $do_alignment_check
15482 jmp error_code
15483-END(alignment_check)
15484+ENDPROC(alignment_check)
15485
15486 ENTRY(divide_error)
15487 ASM_CLAC
15488 pushl $0 # no error code
15489 pushl $do_divide_error
15490 jmp error_code
15491-END(divide_error)
15492+ENDPROC(divide_error)
15493
15494 #ifdef CONFIG_X86_MCE
15495 ENTRY(machine_check)
15496@@ -791,7 +1028,7 @@ ENTRY(machine_check)
15497 pushl $0
15498 pushl machine_check_vector
15499 jmp error_code
15500-END(machine_check)
15501+ENDPROC(machine_check)
15502 #endif
15503
15504 ENTRY(spurious_interrupt_bug)
15505@@ -799,7 +1036,7 @@ ENTRY(spurious_interrupt_bug)
15506 pushl $0
15507 pushl $do_spurious_interrupt_bug
15508 jmp error_code
15509-END(spurious_interrupt_bug)
15510+ENDPROC(spurious_interrupt_bug)
15511
15512 #ifdef CONFIG_XEN
15513 /*
15514@@ -906,7 +1143,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
15515
15516 ENTRY(mcount)
15517 ret
15518-END(mcount)
15519+ENDPROC(mcount)
15520
15521 ENTRY(ftrace_caller)
15522 pushl %eax
15523@@ -936,7 +1173,7 @@ ftrace_graph_call:
15524 .globl ftrace_stub
15525 ftrace_stub:
15526 ret
15527-END(ftrace_caller)
15528+ENDPROC(ftrace_caller)
15529
15530 ENTRY(ftrace_regs_caller)
15531 pushf /* push flags before compare (in cs location) */
15532@@ -1034,7 +1271,7 @@ trace:
15533 popl %ecx
15534 popl %eax
15535 jmp ftrace_stub
15536-END(mcount)
15537+ENDPROC(mcount)
15538 #endif /* CONFIG_DYNAMIC_FTRACE */
15539 #endif /* CONFIG_FUNCTION_TRACER */
15540
15541@@ -1052,7 +1289,7 @@ ENTRY(ftrace_graph_caller)
15542 popl %ecx
15543 popl %eax
15544 ret
15545-END(ftrace_graph_caller)
15546+ENDPROC(ftrace_graph_caller)
15547
15548 .globl return_to_handler
15549 return_to_handler:
15550@@ -1100,14 +1337,17 @@ error_code:
15551 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
15552 REG_TO_PTGS %ecx
15553 SET_KERNEL_GS %ecx
15554- movl $(__USER_DS), %ecx
15555+ movl $(__KERNEL_DS), %ecx
15556 movl %ecx, %ds
15557 movl %ecx, %es
15558+
15559+ pax_enter_kernel
15560+
15561 TRACE_IRQS_OFF
15562 movl %esp, %eax # pt_regs pointer
15563 call *%edi
15564 jmp ret_from_exception
15565-END(page_fault)
15566+ENDPROC(page_fault)
15567
15568 /*
15569 * Debug traps and NMI can happen at the one SYSENTER instruction
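Review bot: `error_code` now loads `__KERNEL_DS` into %ds and %es unconditionally, while the `SAVE_ALL` macro added earlier in this patch selects `__KERNEL_DS` only when KERNEXEC, PAGEEXEC, SEGMEXEC or UDEREF is configured and keeps `__USER_DS` otherwise. With none of those options set, the exception path and the interrupt and syscall paths would then run with different data selectors. If that is intended, a comment on `movl $(__KERNEL_DS), %ecx` should say so. Otherwise the line should sit under the same `#if` as `SAVE_ALL`, with `movl $(__USER_DS), %ecx` in the `#else`. The body of error_code begins outside this hunk.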
15570@@ -1145,7 +1385,7 @@ debug_stack_correct:
15571 movl %esp, %eax # pt_regs pointer
15572 call do_debug
15573 jmp ret_from_exception
15574-END(debug)
15575+ENDPROC(debug)
15576
15577 /*
15578 * NMI is doubly nasty. It can happen _while_ we're handling
15579@@ -1184,6 +1424,9 @@ nmi_stack_correct:
15580 xorl %edx, %edx # zero error code
15581 movl %esp, %eax # pt_regs pointer
15582 call do_nmi
15583+
15584+ pax_exit_kernel
15585+
15586 jmp restore_all_notrace
15587
15588 nmi_stack_fixup:
15589@@ -1217,11 +1460,14 @@ nmi_espfix_stack:
15590 FIXUP_ESPFIX_STACK # %eax == %esp
15591 xorl %edx, %edx # zero error code
15592 call do_nmi
15593+
15594+ pax_exit_kernel
15595+
15596 RESTORE_REGS
15597 lss 12+4(%esp), %esp # back to espfix stack
15598 jmp irq_return
15599 #endif
15600-END(nmi)
15601+ENDPROC(nmi)
15602
15603 ENTRY(int3)
15604 ASM_CLAC
15605@@ -1232,17 +1478,17 @@ ENTRY(int3)
15606 movl %esp, %eax # pt_regs pointer
15607 call do_int3
15608 jmp ret_from_exception
15609-END(int3)
15610+ENDPROC(int3)
15611
15612 ENTRY(general_protection)
15613 pushl $do_general_protection
15614 jmp error_code
15615-END(general_protection)
15616+ENDPROC(general_protection)
15617
15618 #ifdef CONFIG_KVM_GUEST
15619 ENTRY(async_page_fault)
15620 ASM_CLAC
15621 pushl $do_async_page_fault
15622 jmp error_code
15623-END(async_page_fault)
15624+ENDPROC(async_page_fault)
15625 #endif
15626diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
15627index 8cb3e43..a497278 100644
15628--- a/arch/x86/entry/entry_64.S
15629+++ b/arch/x86/entry/entry_64.S
15630@@ -37,6 +37,8 @@
15631 #include <asm/smap.h>
15632 #include <asm/pgtable_types.h>
15633 #include <linux/err.h>
15634+#include <asm/pgtable.h>
15635+#include <asm/alternative-asm.h>
15636
15637 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
15638 #include <linux/elf-em.h>
15639@@ -54,6 +56,402 @@ ENTRY(native_usergs_sysret64)
15640 ENDPROC(native_usergs_sysret64)
15641 #endif /* CONFIG_PARAVIRT */
15642
15643+ .macro ljmpq sel, off
15644+#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
15645+ .byte 0x48; ljmp *1234f(%rip)
15646+ .pushsection .rodata
15647+ .align 16
15648+ 1234: .quad \off; .word \sel
15649+ .popsection
15650+#else
15651+ pushq $\sel
15652+ pushq $\off
15653+ lretq
15654+#endif
15655+ .endm
15656+
15657+ .macro pax_enter_kernel
15658+ pax_set_fptr_mask
15659+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15660+ call pax_enter_kernel
15661+#endif
15662+ .endm
15663+
15664+ .macro pax_exit_kernel
15665+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15666+ call pax_exit_kernel
15667+#endif
15668+ .endm
15669+
15670+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15671+ENTRY(pax_enter_kernel)
15672+ pushq %rdi
15673+
15674+#ifdef CONFIG_PARAVIRT
15675+ PV_SAVE_REGS(CLBR_RDI)
15676+#endif
15677+
15678+#ifdef CONFIG_PAX_KERNEXEC
15679+ GET_CR0_INTO_RDI
15680+ bts $X86_CR0_WP_BIT,%rdi
15681+ jnc 3f
15682+ mov %cs,%edi
15683+ cmp $__KERNEL_CS,%edi
15684+ jnz 2f
15685+1:
15686+#endif
15687+
15688+#ifdef CONFIG_PAX_MEMORY_UDEREF
15689+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15690+ GET_CR3_INTO_RDI
15691+ cmp $0,%dil
15692+ jnz 112f
15693+ mov $__KERNEL_DS,%edi
15694+ mov %edi,%ss
15695+ jmp 111f
15696+112: cmp $1,%dil
15697+ jz 113f
15698+ ud2
15699+113: sub $4097,%rdi
15700+ bts $63,%rdi
15701+ SET_RDI_INTO_CR3
15702+ mov $__UDEREF_KERNEL_DS,%edi
15703+ mov %edi,%ss
15704+111:
15705+#endif
15706+
15707+#ifdef CONFIG_PARAVIRT
15708+ PV_RESTORE_REGS(CLBR_RDI)
15709+#endif
15710+
15711+ popq %rdi
15712+ pax_force_retaddr
15713+ retq
15714+
15715+#ifdef CONFIG_PAX_KERNEXEC
15716+2: ljmpq __KERNEL_CS,1b
15717+3: ljmpq __KERNEXEC_KERNEL_CS,4f
15718+4: SET_RDI_INTO_CR0
15719+ jmp 1b
15720+#endif
15721+ENDPROC(pax_enter_kernel)
15722+
15723+ENTRY(pax_exit_kernel)
15724+ pushq %rdi
15725+
15726+#ifdef CONFIG_PARAVIRT
15727+ PV_SAVE_REGS(CLBR_RDI)
15728+#endif
15729+
15730+#ifdef CONFIG_PAX_KERNEXEC
15731+ mov %cs,%rdi
15732+ cmp $__KERNEXEC_KERNEL_CS,%edi
15733+ jz 2f
15734+ GET_CR0_INTO_RDI
15735+ bts $X86_CR0_WP_BIT,%rdi
15736+ jnc 4f
15737+1:
15738+#endif
15739+
15740+#ifdef CONFIG_PAX_MEMORY_UDEREF
15741+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15742+ mov %ss,%edi
15743+ cmp $__UDEREF_KERNEL_DS,%edi
15744+ jnz 111f
15745+ GET_CR3_INTO_RDI
15746+ cmp $0,%dil
15747+ jz 112f
15748+ ud2
15749+112: add $4097,%rdi
15750+ bts $63,%rdi
15751+ SET_RDI_INTO_CR3
15752+ mov $__KERNEL_DS,%edi
15753+ mov %edi,%ss
15754+111:
15755+#endif
15756+
15757+#ifdef CONFIG_PARAVIRT
15758+ PV_RESTORE_REGS(CLBR_RDI);
15759+#endif
15760+
15761+ popq %rdi
15762+ pax_force_retaddr
15763+ retq
15764+
15765+#ifdef CONFIG_PAX_KERNEXEC
15766+2: GET_CR0_INTO_RDI
15767+ btr $X86_CR0_WP_BIT,%rdi
15768+ jnc 4f
15769+ ljmpq __KERNEL_CS,3f
15770+3: SET_RDI_INTO_CR0
15771+ jmp 1b
15772+4: ud2
15773+ jmp 4b
15774+#endif
15775+ENDPROC(pax_exit_kernel)
15776+#endif
15777+
15778+ .macro pax_enter_kernel_user
15779+ pax_set_fptr_mask
15780+#ifdef CONFIG_PAX_MEMORY_UDEREF
15781+ call pax_enter_kernel_user
15782+#endif
15783+ .endm
15784+
15785+ .macro pax_exit_kernel_user
15786+#ifdef CONFIG_PAX_MEMORY_UDEREF
15787+ call pax_exit_kernel_user
15788+#endif
15789+#ifdef CONFIG_PAX_RANDKSTACK
15790+ pushq %rax
15791+ pushq %r11
15792+ call pax_randomize_kstack
15793+ popq %r11
15794+ popq %rax
15795+#endif
15796+ .endm
15797+
15798+#ifdef CONFIG_PAX_MEMORY_UDEREF
15799+ENTRY(pax_enter_kernel_user)
15800+ pushq %rdi
15801+ pushq %rbx
15802+
15803+#ifdef CONFIG_PARAVIRT
15804+ PV_SAVE_REGS(CLBR_RDI)
15805+#endif
15806+
15807+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15808+ GET_CR3_INTO_RDI
15809+ cmp $1,%dil
15810+ jnz 4f
15811+ sub $4097,%rdi
15812+ bts $63,%rdi
15813+ SET_RDI_INTO_CR3
15814+ jmp 3f
15815+111:
15816+
15817+ GET_CR3_INTO_RDI
15818+ mov %rdi,%rbx
15819+ add $__START_KERNEL_map,%rbx
15820+ sub phys_base(%rip),%rbx
15821+
15822+#ifdef CONFIG_PARAVIRT
15823+ cmpl $0, pv_info+PARAVIRT_enabled
15824+ jz 1f
15825+ pushq %rdi
15826+ i = 0
15827+ .rept USER_PGD_PTRS
15828+ mov i*8(%rbx),%rsi
15829+ mov $0,%sil
15830+ lea i*8(%rbx),%rdi
15831+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
15832+ i = i + 1
15833+ .endr
15834+ popq %rdi
15835+ jmp 2f
15836+1:
15837+#endif
15838+
15839+ i = 0
15840+ .rept USER_PGD_PTRS
15841+ movb $0,i*8(%rbx)
15842+ i = i + 1
15843+ .endr
15844+
15845+2: SET_RDI_INTO_CR3
15846+
15847+#ifdef CONFIG_PAX_KERNEXEC
15848+ GET_CR0_INTO_RDI
15849+ bts $X86_CR0_WP_BIT,%rdi
15850+ SET_RDI_INTO_CR0
15851+#endif
15852+
15853+3:
15854+
15855+#ifdef CONFIG_PARAVIRT
15856+ PV_RESTORE_REGS(CLBR_RDI)
15857+#endif
15858+
15859+ popq %rbx
15860+ popq %rdi
15861+ pax_force_retaddr
15862+ retq
15863+4: ud2
15864+ENDPROC(pax_enter_kernel_user)
15865+
15866+ENTRY(pax_exit_kernel_user)
15867+ pushq %rdi
15868+ pushq %rbx
15869+
15870+#ifdef CONFIG_PARAVIRT
15871+ PV_SAVE_REGS(CLBR_RDI)
15872+#endif
15873+
15874+ GET_CR3_INTO_RDI
15875+ ALTERNATIVE "jmp 1f", "", X86_FEATURE_PCID
15876+ cmp $0,%dil
15877+ jnz 3f
15878+ add $4097,%rdi
15879+ bts $63,%rdi
15880+ SET_RDI_INTO_CR3
15881+ jmp 2f
15882+1:
15883+
15884+ mov %rdi,%rbx
15885+
15886+#ifdef CONFIG_PAX_KERNEXEC
15887+ GET_CR0_INTO_RDI
15888+ btr $X86_CR0_WP_BIT,%rdi
15889+ jnc 3f
15890+ SET_RDI_INTO_CR0
15891+#endif
15892+
15893+ add $__START_KERNEL_map,%rbx
15894+ sub phys_base(%rip),%rbx
15895+
15896+#ifdef CONFIG_PARAVIRT
15897+ cmpl $0, pv_info+PARAVIRT_enabled
15898+ jz 1f
15899+ i = 0
15900+ .rept USER_PGD_PTRS
15901+ mov i*8(%rbx),%rsi
15902+ mov $0x67,%sil
15903+ lea i*8(%rbx),%rdi
15904+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
15905+ i = i + 1
15906+ .endr
15907+ jmp 2f
15908+1:
15909+#endif
15910+
15911+ i = 0
15912+ .rept USER_PGD_PTRS
15913+ movb $0x67,i*8(%rbx)
15914+ i = i + 1
15915+ .endr
15916+2:
15917+
15918+#ifdef CONFIG_PARAVIRT
15919+ PV_RESTORE_REGS(CLBR_RDI)
15920+#endif
15921+
15922+ popq %rbx
15923+ popq %rdi
15924+ pax_force_retaddr
15925+ retq
15926+3: ud2
15927+ENDPROC(pax_exit_kernel_user)
15928+#endif
15929+
15930+ .macro pax_enter_kernel_nmi
15931+ pax_set_fptr_mask
15932+
15933+#ifdef CONFIG_PAX_KERNEXEC
15934+ GET_CR0_INTO_RDI
15935+ bts $X86_CR0_WP_BIT,%rdi
15936+ jc 110f
15937+ SET_RDI_INTO_CR0
15938+ or $2,%ebx
15939+110:
15940+#endif
15941+
15942+#ifdef CONFIG_PAX_MEMORY_UDEREF
15943+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15944+ GET_CR3_INTO_RDI
15945+ cmp $0,%dil
15946+ jz 111f
15947+ sub $4097,%rdi
15948+ or $4,%ebx
15949+ bts $63,%rdi
15950+ SET_RDI_INTO_CR3
15951+ mov $__UDEREF_KERNEL_DS,%edi
15952+ mov %edi,%ss
15953+111:
15954+#endif
15955+ .endm
15956+
15957+ .macro pax_exit_kernel_nmi
15958+#ifdef CONFIG_PAX_KERNEXEC
15959+ btr $1,%ebx
15960+ jnc 110f
15961+ GET_CR0_INTO_RDI
15962+ btr $X86_CR0_WP_BIT,%rdi
15963+ SET_RDI_INTO_CR0
15964+110:
15965+#endif
15966+
15967+#ifdef CONFIG_PAX_MEMORY_UDEREF
15968+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15969+ btr $2,%ebx
15970+ jnc 111f
15971+ GET_CR3_INTO_RDI
15972+ add $4097,%rdi
15973+ bts $63,%rdi
15974+ SET_RDI_INTO_CR3
15975+ mov $__KERNEL_DS,%edi
15976+ mov %edi,%ss
15977+111:
15978+#endif
15979+ .endm
15980+
15981+ .macro pax_erase_kstack
15982+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
15983+ call pax_erase_kstack
15984+#endif
15985+ .endm
15986+
15987+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
15988+ENTRY(pax_erase_kstack)
15989+ pushq %rdi
15990+ pushq %rcx
15991+ pushq %rax
15992+ pushq %r11
15993+
15994+ GET_THREAD_INFO(%r11)
15995+ mov TI_lowest_stack(%r11), %rdi
15996+ mov $-0xBEEF, %rax
15997+ std
15998+
15999+1: mov %edi, %ecx
16000+ and $THREAD_SIZE_asm - 1, %ecx
16001+ shr $3, %ecx
16002+ repne scasq
16003+ jecxz 2f
16004+
16005+ cmp $2*8, %ecx
16006+ jc 2f
16007+
16008+ mov $2*8, %ecx
16009+ repe scasq
16010+ jecxz 2f
16011+ jne 1b
16012+
16013+2: cld
16014+ or $2*8, %rdi
16015+ mov %esp, %ecx
16016+ sub %edi, %ecx
16017+
16018+ cmp $THREAD_SIZE_asm, %rcx
16019+ jb 3f
16020+ ud2
16021+3:
16022+
16023+ shr $3, %ecx
16024+ rep stosq
16025+
16026+ mov TI_task_thread_sp0(%r11), %rdi
16027+ sub $256, %rdi
16028+ mov %rdi, TI_lowest_stack(%r11)
16029+
16030+ popq %r11
16031+ popq %rax
16032+ popq %rcx
16033+ popq %rdi
16034+ pax_force_retaddr
16035+ ret
16036+ENDPROC(pax_erase_kstack)
16037+#endif
16038+
16039 .macro TRACE_IRQS_IRETQ
16040 #ifdef CONFIG_TRACE_IRQFLAGS
16041 bt $9, EFLAGS(%rsp) /* interrupts off? */
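Review bot: The CR3 and PGD handling in `pax_enter_kernel`, `pax_exit_kernel`, their `_user` variants and the `_nmi` macros uses bare literals with no comment on any of them: `sub $4097,%rdi` / `add $4097,%rdi`, `bts $63,%rdi`, `movb $0x67,i*8(%rbx)`, `or $2,%ebx` and `or $4,%ebx`. Bit 63 of a CR3 write is the no-flush bit when PCID is enabled, and 0x67 matches the low byte of a present, writable, user, accessed and dirty entry. 4097 looks like one page plus one PCID, but the PGD layout that would confirm this is not in the hunk. A wrong value here would silently leave userland mapped or unmapped in kernel mode, so each site should carry a comment such as `/* bit 63: keep this PCID's TLB entries across the CR3 write */`. The `_nmi` macros should also document that bits 1 and 2 of %ebx record "WP was re-enabled" and "CR3 was switched" for the exit macro.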
16042@@ -89,7 +487,7 @@ ENDPROC(native_usergs_sysret64)
16043 .endm
16044
16045 .macro TRACE_IRQS_IRETQ_DEBUG
16046- bt $9, EFLAGS(%rsp) /* interrupts off? */
16047+ bt $X86_EFLAGS_IF_BIT, EFLAGS(%rsp) /* interrupts off? */
16048 jnc 1f
16049 TRACE_IRQS_ON_DEBUG
16050 1:
16051@@ -149,14 +547,6 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)
16052 /* Construct struct pt_regs on stack */
16053 pushq $__USER_DS /* pt_regs->ss */
16054 pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
16055- /*
16056- * Re-enable interrupts.
16057- * We use 'rsp_scratch' as a scratch space, hence irq-off block above
16058- * must execute atomically in the face of possible interrupt-driven
16059- * task preemption. We must enable interrupts only after we're done
16060- * with using rsp_scratch:
16061- */
16062- ENABLE_INTERRUPTS(CLBR_NONE)
16063 pushq %r11 /* pt_regs->flags */
16064 pushq $__USER_CS /* pt_regs->cs */
16065 pushq %rcx /* pt_regs->ip */
16066@@ -172,7 +562,27 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)
16067 pushq %r11 /* pt_regs->r11 */
16068 sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
16069
16070- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16071+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16072+ movq %r12, R12(%rsp)
16073+#endif
16074+
16075+ pax_enter_kernel_user
16076+
16077+#ifdef CONFIG_PAX_RANDKSTACK
16078+ pax_erase_kstack
16079+#endif
16080+
16081+ /*
16082+ * Re-enable interrupts.
16083+ * We use 'rsp_scratch' as a scratch space, hence irq-off block above
16084+ * must execute atomically in the face of possible interrupt-driven
16085+ * task preemption. We must enable interrupts only after we're done
16086+ * with using rsp_scratch:
16087+ */
16088+ ENABLE_INTERRUPTS(CLBR_NONE)
16089+
16090+ GET_THREAD_INFO(%rcx)
16091+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%rcx)
16092 jnz tracesys
16093 entry_SYSCALL_64_fastpath:
16094 #if __SYSCALL_MASK == ~0
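Review bot: `ENABLE_INTERRUPTS(CLBR_NONE)` is moved below `pax_enter_kernel_user` and `pax_erase_kstack`, but the comment moved with it still gives `rsp_scratch` as the only reason for the interrupts-off block. That block now also covers the CR3 switch or PGD rewrite and, when configured, a scan of the kernel stack, so the comment should say whether those hooks are required to run with interrupts off. One added line would do, for example `* The PaX entry hooks above must also complete before interrupts are enabled.`. The `movq %r12, R12(%rsp)` under CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is also unexplained. Presumably `pax_set_fptr_mask` overwrites %r12, but that is not visible here.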
16095@@ -205,9 +615,13 @@ entry_SYSCALL_64_fastpath:
16096 * flags (TIF_NOTIFY_RESUME, TIF_USER_RETURN_NOTIFY, etc) set is
16097 * very bad.
16098 */
16099- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16100+ GET_THREAD_INFO(%rcx)
16101+ testl $_TIF_ALLWORK_MASK, TI_flags(%rcx)
16102 jnz int_ret_from_sys_call_irqs_off /* Go to the slow path */
16103
16104+ pax_exit_kernel_user
16105+ pax_erase_kstack
16106+
16107 RESTORE_C_REGS_EXCEPT_RCX_R11
16108 movq RIP(%rsp), %rcx
16109 movq EFLAGS(%rsp), %r11
16110@@ -236,6 +650,9 @@ tracesys:
16111 call syscall_trace_enter_phase1
16112 test %rax, %rax
16113 jnz tracesys_phase2 /* if needed, run the slow path */
16114+
16115+ pax_erase_kstack
16116+
16117 RESTORE_C_REGS_EXCEPT_RAX /* else restore clobbered regs */
16118 movq ORIG_RAX(%rsp), %rax
16119 jmp entry_SYSCALL_64_fastpath /* and return to the fast path */
16120@@ -247,6 +664,8 @@ tracesys_phase2:
16121 movq %rax, %rdx
16122 call syscall_trace_enter_phase2
16123
16124+ pax_erase_kstack
16125+
16126 /*
16127 * Reload registers from stack in case ptrace changed them.
16128 * We don't reload %rax because syscall_trace_entry_phase2() returned
16129@@ -284,6 +703,8 @@ GLOBAL(int_with_check)
16130 andl %edi, %edx
16131 jnz int_careful
16132 andl $~TS_COMPAT, TI_status(%rcx)
16133+ pax_exit_kernel_user
16134+ pax_erase_kstack
16135 jmp syscall_return
16136
16137 /*
16138@@ -407,14 +828,14 @@ syscall_return_via_sysret:
16139 opportunistic_sysret_failed:
16140 SWAPGS
16141 jmp restore_c_regs_and_iret
16142-END(entry_SYSCALL_64)
16143+ENDPROC(entry_SYSCALL_64)
16144
16145
16146 .macro FORK_LIKE func
16147 ENTRY(stub_\func)
16148 SAVE_EXTRA_REGS 8
16149 jmp sys_\func
16150-END(stub_\func)
16151+ENDPROC(stub_\func)
16152 .endm
16153
16154 FORK_LIKE clone
16155@@ -434,7 +855,7 @@ return_from_execve:
16156 ZERO_EXTRA_REGS
16157 movq %rax, RAX(%rsp)
16158 jmp int_ret_from_sys_call
16159-END(stub_execve)
16160+ENDPROC(stub_execve)
16161 /*
16162 * Remaining execve stubs are only 7 bytes long.
16163 * ENTRY() often aligns to 16 bytes, which in this case has no benefits.
16164@@ -443,7 +864,7 @@ END(stub_execve)
16165 GLOBAL(stub_execveat)
16166 call sys_execveat
16167 jmp return_from_execve
16168-END(stub_execveat)
16169+ENDPROC(stub_execveat)
16170
16171 #if defined(CONFIG_X86_X32_ABI) || defined(CONFIG_IA32_EMULATION)
16172 .align 8
16173@@ -451,15 +872,15 @@ GLOBAL(stub_x32_execve)
16174 GLOBAL(stub32_execve)
16175 call compat_sys_execve
16176 jmp return_from_execve
16177-END(stub32_execve)
16178-END(stub_x32_execve)
16179+ENDPROC(stub32_execve)
16180+ENDPROC(stub_x32_execve)
16181 .align 8
16182 GLOBAL(stub_x32_execveat)
16183 GLOBAL(stub32_execveat)
16184 call compat_sys_execveat
16185 jmp return_from_execve
16186-END(stub32_execveat)
16187-END(stub_x32_execveat)
16188+ENDPROC(stub32_execveat)
16189+ENDPROC(stub_x32_execveat)
16190 #endif
16191
16192 /*
16193@@ -488,7 +909,7 @@ ENTRY(stub_x32_rt_sigreturn)
16194 SAVE_EXTRA_REGS 8
16195 call sys32_x32_rt_sigreturn
16196 jmp return_from_stub
16197-END(stub_x32_rt_sigreturn)
16198+ENDPROC(stub_x32_rt_sigreturn)
16199 #endif
16200
16201 /*
16202@@ -527,7 +948,7 @@ ENTRY(ret_from_fork)
16203 movl $0, RAX(%rsp)
16204 RESTORE_EXTRA_REGS
16205 jmp int_ret_from_sys_call
16206-END(ret_from_fork)
16207+ENDPROC(ret_from_fork)
16208
16209 /*
16210 * Build the entry stubs with some assembler magic.
16211@@ -542,7 +963,7 @@ ENTRY(irq_entries_start)
16212 jmp common_interrupt
16213 .align 8
16214 .endr
16215-END(irq_entries_start)
16216+ENDPROC(irq_entries_start)
16217
16218 /*
16219 * Interrupt entry/exit.
16220@@ -555,21 +976,13 @@ END(irq_entries_start)
16221 /* 0(%rsp): ~(interrupt number) */
16222 .macro interrupt func
16223 cld
16224- /*
16225- * Since nothing in interrupt handling code touches r12...r15 members
16226- * of "struct pt_regs", and since interrupts can nest, we can save
16227- * four stack slots and simultaneously provide
16228- * an unwind-friendly stack layout by saving "truncated" pt_regs
16229- * exactly up to rbp slot, without these members.
16230- */
16231- ALLOC_PT_GPREGS_ON_STACK -RBP
16232- SAVE_C_REGS -RBP
16233- /* this goes to 0(%rsp) for unwinder, not for saving the value: */
16234- SAVE_EXTRA_REGS_RBP -RBP
16235+ ALLOC_PT_GPREGS_ON_STACK
16236+ SAVE_C_REGS
16237+ SAVE_EXTRA_REGS
16238
16239- leaq -RBP(%rsp), %rdi /* arg1 for \func (pointer to pt_regs) */
16240+ movq %rsp, %rdi /* arg1 for \func (pointer to pt_regs) */
16241
16242- testb $3, CS-RBP(%rsp)
16243+ testb $3, CS(%rsp)
16244 jz 1f
16245 SWAPGS
16246 1:
16247@@ -584,6 +997,18 @@ END(irq_entries_start)
16248 incl PER_CPU_VAR(irq_count)
16249 cmovzq PER_CPU_VAR(irq_stack_ptr), %rsp
16250 pushq %rsi
16251+
16252+#ifdef CONFIG_PAX_MEMORY_UDEREF
16253+ testb $3, CS(%rdi)
16254+ jnz 1f
16255+ pax_enter_kernel
16256+ jmp 2f
16257+1: pax_enter_kernel_user
16258+2:
16259+#else
16260+ pax_enter_kernel
16261+#endif
16262+
16263 /* We entered an interrupt context - irqs are off: */
16264 TRACE_IRQS_OFF
16265
16266@@ -608,7 +1033,7 @@ ret_from_intr:
16267 /* Restore saved previous stack */
16268 popq %rsi
16269 /* return code expects complete pt_regs - adjust rsp accordingly: */
16270- leaq -RBP(%rsi), %rsp
16271+ movq %rsi, %rsp
16272
16273 testb $3, CS(%rsp)
16274 jz retint_kernel
16275@@ -630,6 +1055,8 @@ retint_swapgs: /* return to user-space */
16276 * The iretq could re-enable interrupts:
16277 */
16278 DISABLE_INTERRUPTS(CLBR_ANY)
16279+ pax_exit_kernel_user
16280+# pax_erase_kstack
16281 TRACE_IRQS_IRETQ
16282
16283 SWAPGS
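Review bot: The line `# pax_erase_kstack` added in `retint_swapgs` is commented-out code with no explanation. As written, the interrupt return to user space calls `pax_exit_kernel_user` but leaves the kernel stack unerased, unlike the syscall exit paths in this patch, which call both. A reader cannot tell whether this is a deliberate trade-off or a leftover. Either delete the line or replace it with a comment that gives the reason, along the lines of `/* no pax_erase_kstack on interrupt return: <reason> */`.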
16284@@ -648,6 +1075,21 @@ retint_kernel:
16285 jmp 0b
16286 1:
16287 #endif
16288+
16289+ pax_exit_kernel
16290+
16291+#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
16292+ /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
16293+ * namely calling EFI runtime services with a phys mapping. We're
16294+ * starting off with NOPs and patch in the real instrumentation
16295+ * (BTS/OR) before starting any userland process; even before starting
16296+ * up the APs.
16297+ */
16298+ ALTERNATIVE "", "pax_force_retaddr 16*8", X86_FEATURE_ALWAYS
16299+#else
16300+ pax_force_retaddr RIP
16301+#endif
16302+
16303 /*
16304 * The iretq could re-enable interrupts:
16305 */
16306@@ -689,15 +1131,15 @@ native_irq_return_ldt:
16307 SWAPGS
16308 movq PER_CPU_VAR(espfix_waddr), %rdi
16309 movq %rax, (0*8)(%rdi) /* RAX */
16310- movq (2*8)(%rsp), %rax /* RIP */
16311+ movq (2*8 + RIP-RIP)(%rsp), %rax /* RIP */
16312 movq %rax, (1*8)(%rdi)
16313- movq (3*8)(%rsp), %rax /* CS */
16314+ movq (2*8 + CS-RIP)(%rsp), %rax /* CS */
16315 movq %rax, (2*8)(%rdi)
16316- movq (4*8)(%rsp), %rax /* RFLAGS */
16317+ movq (2*8 + EFLAGS-RIP)(%rsp), %rax /* RFLAGS */
16318 movq %rax, (3*8)(%rdi)
16319- movq (6*8)(%rsp), %rax /* SS */
16320+ movq (2*8 + SS-RIP)(%rsp), %rax /* SS */
16321 movq %rax, (5*8)(%rdi)
16322- movq (5*8)(%rsp), %rax /* RSP */
16323+ movq (2*8 + RSP-RIP)(%rsp), %rax /* RSP */
16324 movq %rax, (4*8)(%rdi)
16325 andl $0xffff0000, %eax
16326 popq %rdi
16327@@ -738,7 +1180,7 @@ retint_signal:
16328 GET_THREAD_INFO(%rcx)
16329 jmp retint_with_reschedule
16330
16331-END(common_interrupt)
16332+ENDPROC(common_interrupt)
16333
16334 /*
16335 * APIC interrupts.
16336@@ -750,7 +1192,7 @@ ENTRY(\sym)
16337 .Lcommon_\sym:
16338 interrupt \do_sym
16339 jmp ret_from_intr
16340-END(\sym)
16341+ENDPROC(\sym)
16342 .endm
16343
16344 #ifdef CONFIG_TRACING
16345@@ -815,7 +1257,7 @@ apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt
16346 /*
16347 * Exception entry points.
16348 */
16349-#define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss) + (TSS_ist + ((x) - 1) * 8)
16350+#define CPU_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r13)
16351
16352 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
16353 ENTRY(\sym)
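Review bot: CPU_TSS_IST(x) now expands to an operand based on %r13, so every use silently depends on %r13 holding the address of this CPU's cpu_tss, and nothing at the definition says so. The register is loaded in the `.if \shift_ist != -1` block of idtentry (the `imul`/`lea` pair under CONFIG_SMP, `lea cpu_tss(%rip), %r13` otherwise). Any later use of the macro outside the visible hunks presumably relies on %r13 surviving the handler call. I would state the contract at the define: `/* requires %r13 = address of this CPU's cpu_tss, loaded in idtentry */`.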
16354@@ -862,6 +1304,12 @@ ENTRY(\sym)
16355 .endif
16356
16357 .if \shift_ist != -1
16358+#ifdef CONFIG_SMP
16359+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r13d
16360+ lea cpu_tss(%r13), %r13
16361+#else
16362+ lea cpu_tss(%rip), %r13
16363+#endif
16364 subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
16365 .endif
16366
16367@@ -905,7 +1353,7 @@ ENTRY(\sym)
16368
16369 jmp error_exit /* %ebx: no swapgs flag */
16370 .endif
16371-END(\sym)
16372+ENDPROC(\sym)
16373 .endm
16374
16375 #ifdef CONFIG_TRACING
16376@@ -947,8 +1395,9 @@ gs_change:
16377 2: mfence /* workaround */
16378 SWAPGS
16379 popfq
16380+ pax_force_retaddr
16381 ret
16382-END(native_load_gs_index)
16383+ENDPROC(native_load_gs_index)
16384
16385 _ASM_EXTABLE(gs_change, bad_gs)
16386 .section .fixup, "ax"
16387@@ -970,8 +1419,9 @@ ENTRY(do_softirq_own_stack)
16388 call __do_softirq
16389 leaveq
16390 decl PER_CPU_VAR(irq_count)
16391+ pax_force_retaddr
16392 ret
16393-END(do_softirq_own_stack)
16394+ENDPROC(do_softirq_own_stack)
16395
16396 #ifdef CONFIG_XEN
16397 idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0
16398@@ -1007,7 +1457,7 @@ ENTRY(xen_do_hypervisor_callback) /* do_hypervisor_callback(struct *pt_regs) */
16399 call xen_maybe_preempt_hcall
16400 #endif
16401 jmp error_exit
16402-END(xen_do_hypervisor_callback)
16403+ENDPROC(xen_do_hypervisor_callback)
16404
16405 /*
16406 * Hypervisor uses this for application faults while it executes.
16407@@ -1052,7 +1502,7 @@ ENTRY(xen_failsafe_callback)
16408 SAVE_C_REGS
16409 SAVE_EXTRA_REGS
16410 jmp error_exit
16411-END(xen_failsafe_callback)
16412+ENDPROC(xen_failsafe_callback)
16413
16414 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
16415 xen_hvm_callback_vector xen_evtchn_do_upcall
16416@@ -1101,8 +1551,36 @@ ENTRY(paranoid_entry)
16417 js 1f /* negative -> in kernel */
16418 SWAPGS
16419 xorl %ebx, %ebx
16420-1: ret
16421-END(paranoid_entry)
16422+1:
16423+#ifdef CONFIG_PAX_MEMORY_UDEREF
16424+ testb $3, CS+8(%rsp)
16425+ jnz 1f
16426+ pax_enter_kernel
16427+ jmp 2f
16428+1: pax_enter_kernel_user
16429+2:
16430+#else
16431+ pax_enter_kernel
16432+#endif
16433+ pax_force_retaddr
16434+ ret
16435+ENDPROC(paranoid_entry)
16436+
16437+ENTRY(paranoid_entry_nmi)
16438+ cld
16439+ SAVE_C_REGS 8
16440+ SAVE_EXTRA_REGS 8
16441+ movl $1, %ebx
16442+ movl $MSR_GS_BASE, %ecx
16443+ rdmsr
16444+ testl %edx, %edx
16445+ js 1f /* negative -> in kernel */
16446+ SWAPGS
16447+ xorl %ebx, %ebx
16448+1: pax_enter_kernel_nmi
16449+ pax_force_retaddr
16450+ ret
16451+ENDPROC(paranoid_entry_nmi)
16452
16453 /*
16454 * "Paranoid" exit path from exception stack. This is invoked
16455@@ -1119,19 +1597,26 @@ END(paranoid_entry)
16456 ENTRY(paranoid_exit)
16457 DISABLE_INTERRUPTS(CLBR_NONE)
16458 TRACE_IRQS_OFF_DEBUG
16459- testl %ebx, %ebx /* swapgs needed? */
16460+ testl $1, %ebx /* swapgs needed? */
16461 jnz paranoid_exit_no_swapgs
16462+#ifdef CONFIG_PAX_MEMORY_UDEREF
16463+ pax_exit_kernel_user
16464+#else
16465+ pax_exit_kernel
16466+#endif
16467 TRACE_IRQS_IRETQ
16468 SWAPGS_UNSAFE_STACK
16469 jmp paranoid_exit_restore
16470 paranoid_exit_no_swapgs:
16471+ pax_exit_kernel
16472 TRACE_IRQS_IRETQ_DEBUG
16473 paranoid_exit_restore:
16474 RESTORE_EXTRA_REGS
16475 RESTORE_C_REGS
16476 REMOVE_PT_GPREGS_FROM_STACK 8
16477+ pax_force_retaddr_bts
16478 INTERRUPT_RETURN
16479-END(paranoid_exit)
16480+ENDPROC(paranoid_exit)
16481
16482 /*
16483 * Save all registers in pt_regs, and switch gs if needed.
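Review bot: paranoid_exit chooses between `pax_exit_kernel_user` and `pax_exit_kernel` from the swapgs flag in %ebx, while paranoid_entry chooses between `pax_enter_kernel_user` and `pax_enter_kernel` from `testb $3, CS+8(%rsp)`, and nothing explains why the two conditions always agree. If an exception can arrive in kernel mode while the user GS base is still loaded, entry would take the kernel variant and exit the user variant under CONFIG_PAX_MEMORY_UDEREF; whether that case is reachable cannot be decided from this hunk. I would add a comment above the `#ifdef` so the pairing gets confirmed, e.g. `/* exit variant follows the swapgs flag, entry variant follows CS: confirm they agree for kernel-mode entries with user GS */`.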
16484@@ -1149,7 +1634,18 @@ ENTRY(error_entry)
16485 SWAPGS
16486
16487 error_entry_done:
16488+#ifdef CONFIG_PAX_MEMORY_UDEREF
16489+ testb $3, CS+8(%rsp)
16490+ jnz 1f
16491+ pax_enter_kernel
16492+ jmp 2f
16493+1: pax_enter_kernel_user
16494+2:
16495+#else
16496+ pax_enter_kernel
16497+#endif
16498 TRACE_IRQS_OFF
16499+ pax_force_retaddr
16500 ret
16501
16502 /*
16503@@ -1199,7 +1695,7 @@ error_bad_iret:
16504 mov %rax, %rsp
16505 decl %ebx
16506 jmp error_entry_done
16507-END(error_entry)
16508+ENDPROC(error_entry)
16509
16510
16511 /*
16512@@ -1212,10 +1708,10 @@ ENTRY(error_exit)
16513 RESTORE_EXTRA_REGS
16514 DISABLE_INTERRUPTS(CLBR_NONE)
16515 TRACE_IRQS_OFF
16516- testl %eax, %eax
16517+ testl $1, %eax
16518 jnz retint_kernel
16519 jmp retint_user
16520-END(error_exit)
16521+ENDPROC(error_exit)
16522
16523 /* Runs on exception stack */
16524 ENTRY(nmi)
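Review bot: `testl $1, %eax` now checks only bit 0, but nothing near the test says that other bits of the flag register may be set. The same narrowing is made at `testl $1, %ebx` in paranoid_exit and in the NMI return path, where the old `/* swapgs needed? */` comment is kept unchanged. The upper bits presumably carry state for the pax entry/exit macros, since the nmi hunk clears %ebx right before `pax_enter_kernel_nmi`; that is inferred, not shown. I would add `/* bit 0: no swapgs needed; other bits are not part of this test */` at each site.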
16525@@ -1258,6 +1754,8 @@ ENTRY(nmi)
16526 * other IST entries.
16527 */
16528
16529+ ASM_CLAC
16530+
16531 /* Use %rdx as our temp variable throughout */
16532 pushq %rdx
16533
16534@@ -1298,6 +1796,12 @@ ENTRY(nmi)
16535 pushq %r14 /* pt_regs->r14 */
16536 pushq %r15 /* pt_regs->r15 */
16537
16538+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
16539+ xorl %ebx, %ebx
16540+#endif
16541+
16542+ pax_enter_kernel_nmi
16543+
16544 /*
16545 * At this point we no longer need to worry about stack damage
16546 * due to nesting -- we're on the normal thread stack and we're
16547@@ -1308,12 +1812,19 @@ ENTRY(nmi)
16548 movq $-1, %rsi
16549 call do_nmi
16550
16551+ pax_exit_kernel_nmi
16552+
16553 /*
16554 * Return back to user mode. We must *not* do the normal exit
16555 * work, because we don't want to enable interrupts. Fortunately,
16556 * do_nmi doesn't modify pt_regs.
16557 */
16558 SWAPGS
16559+
16560+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
16561+ movq RBX(%rsp), %rbx
16562+#endif
16563+
16564 jmp restore_c_regs_and_iret
16565
16566 .Lnmi_from_kernel:
16567@@ -1435,6 +1946,7 @@ nested_nmi_out:
16568 popq %rdx
16569
16570 /* We are returning to kernel mode, so this cannot result in a fault. */
16571+# pax_force_retaddr_bts
16572 INTERRUPT_RETURN
16573
16574 first_nmi:
16575@@ -1508,20 +2020,22 @@ end_repeat_nmi:
16576 ALLOC_PT_GPREGS_ON_STACK
16577
16578 /*
16579- * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit
16580+ * Use paranoid_entry_nmi to handle SWAPGS, but no need to use paranoid_exit
16581 * as we should not be calling schedule in NMI context.
16582 * Even with normal interrupts enabled. An NMI should not be
16583 * setting NEED_RESCHED or anything that normal interrupts and
16584 * exceptions might do.
16585 */
16586- call paranoid_entry
16587+ call paranoid_entry_nmi
16588
16589 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
16590 movq %rsp, %rdi
16591 movq $-1, %rsi
16592 call do_nmi
16593
16594- testl %ebx, %ebx /* swapgs needed? */
16595+ pax_exit_kernel_nmi
16596+
16597+ testl $1, %ebx /* swapgs needed? */
16598 jnz nmi_restore
16599 nmi_swapgs:
16600 SWAPGS_UNSAFE_STACK
16601@@ -1532,6 +2046,8 @@ nmi_restore:
16602 /* Point RSP at the "iret" frame. */
16603 REMOVE_PT_GPREGS_FROM_STACK 6*8
16604
16605+ pax_force_retaddr_bts
16606+
16607 /*
16608 * Clear "NMI executing". Set DF first so that we can easily
16609 * distinguish the remaining code between here and IRET from
16610@@ -1549,9 +2065,9 @@ nmi_restore:
16611 * mode, so this cannot result in a fault.
16612 */
16613 INTERRUPT_RETURN
16614-END(nmi)
16615+ENDPROC(nmi)
16616
16617 ENTRY(ignore_sysret)
16618 mov $-ENOSYS, %eax
16619 sysret
16620-END(ignore_sysret)
16621+ENDPROC(ignore_sysret)
16622diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
16623index a7e257d..3a6ad23 100644
16624--- a/arch/x86/entry/entry_64_compat.S
16625+++ b/arch/x86/entry/entry_64_compat.S
16626@@ -13,8 +13,10 @@
16627 #include <asm/irqflags.h>
16628 #include <asm/asm.h>
16629 #include <asm/smap.h>
16630+#include <asm/pgtable.h>
16631 #include <linux/linkage.h>
16632 #include <linux/err.h>
16633+#include <asm/alternative-asm.h>
16634
16635 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
16636 #include <linux/elf-em.h>
16637@@ -35,6 +37,32 @@ ENTRY(native_usergs_sysret32)
16638 ENDPROC(native_usergs_sysret32)
16639 #endif
16640
16641+ .macro pax_enter_kernel_user
16642+ pax_set_fptr_mask
16643+#ifdef CONFIG_PAX_MEMORY_UDEREF
16644+ call pax_enter_kernel_user
16645+#endif
16646+ .endm
16647+
16648+ .macro pax_exit_kernel_user
16649+#ifdef CONFIG_PAX_MEMORY_UDEREF
16650+ call pax_exit_kernel_user
16651+#endif
16652+#ifdef CONFIG_PAX_RANDKSTACK
16653+ pushq %rax
16654+ pushq %r11
16655+ call pax_randomize_kstack
16656+ popq %r11
16657+ popq %rax
16658+#endif
16659+ .endm
16660+
16661+ .macro pax_erase_kstack
16662+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
16663+ call pax_erase_kstack
16664+#endif
16665+ .endm
16666+
16667 /*
16668 * 32-bit SYSENTER instruction entry.
16669 *
16670@@ -65,20 +93,21 @@ ENTRY(entry_SYSENTER_compat)
16671 */
16672 SWAPGS_UNSAFE_STACK
16673 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
16674- ENABLE_INTERRUPTS(CLBR_NONE)
16675
16676 /* Zero-extending 32-bit regs, do not remove */
16677 movl %ebp, %ebp
16678 movl %eax, %eax
16679
16680- movl ASM_THREAD_INFO(TI_sysenter_return, %rsp, 0), %r10d
16681+ GET_THREAD_INFO(%r11)
16682+ movl TI_sysenter_return(%r11), %r11d
16683
16684 /* Construct struct pt_regs on stack */
16685 pushq $__USER32_DS /* pt_regs->ss */
16686 pushq %rbp /* pt_regs->sp */
16687 pushfq /* pt_regs->flags */
16688+ orl $X86_EFLAGS_IF,(%rsp)
16689 pushq $__USER32_CS /* pt_regs->cs */
16690- pushq %r10 /* pt_regs->ip = thread_info->sysenter_return */
16691+ pushq %r11 /* pt_regs->ip = thread_info->sysenter_return */
16692 pushq %rax /* pt_regs->orig_ax */
16693 pushq %rdi /* pt_regs->di */
16694 pushq %rsi /* pt_regs->si */
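Review bot: `orl $X86_EFLAGS_IF,(%rsp)` carries no comment, and it is only needed because this patch moves ENABLE_INTERRUPTS from before the pt_regs construction to after `pax_enter_kernel_user`. As a result `pushfq` presumably now captures flags with IF clear. Without that context the line looks like it is forcing a user-controlled flag. I would annotate it: `/* IRQs are still off here: force IF in the saved pt_regs->flags */`. entry_SYSENTER_compat continues beyond this hunk.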
16695@@ -88,15 +117,37 @@ ENTRY(entry_SYSENTER_compat)
16696 cld
16697 sub $(10*8), %rsp /* pt_regs->r8-11, bp, bx, r12-15 not saved */
16698
16699+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16700+ movq %r12, R12(%rsp)
16701+#endif
16702+
16703+ pax_enter_kernel_user
16704+
16705+#ifdef CONFIG_PAX_RANDKSTACK
16706+ pax_erase_kstack
16707+#endif
16708+
16709+ ENABLE_INTERRUPTS(CLBR_NONE)
16710+
16711 /*
16712 * no need to do an access_ok check here because rbp has been
16713 * 32-bit zero extended
16714 */
16715+
16716+#ifdef CONFIG_PAX_MEMORY_UDEREF
16717+ addq pax_user_shadow_base, %rbp
16718+ ASM_PAX_OPEN_USERLAND
16719+#endif
16720+
16721 ASM_STAC
16722 1: movl (%rbp), %ebp
16723 _ASM_EXTABLE(1b, ia32_badarg)
16724 ASM_CLAC
16725
16726+#ifdef CONFIG_PAX_MEMORY_UDEREF
16727+ ASM_PAX_CLOSE_USERLAND
16728+#endif
16729+
16730 /*
16731 * Sysenter doesn't filter flags, so we need to clear NT
16732 * ourselves. To save a few cycles, we can check whether
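Review bot: Wrapping `pax_erase_kstack` in `#ifdef CONFIG_PAX_RANDKSTACK` is unexplained and reads like a typo, because the macro defined earlier in this file already expands to nothing unless CONFIG_PAX_MEMORY_STACKLEAK is set. As written, the entry-side erase is emitted only when both options are enabled. The same construct is repeated in entry_SYSCALL_compat and entry_INT80_compat. If the double condition is intended, it should be stated once at the first site, e.g. `/* erase on entry only when RANDKSTACK is also enabled: <reason> */`.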
16733@@ -106,8 +157,9 @@ ENTRY(entry_SYSENTER_compat)
16734 jnz sysenter_fix_flags
16735 sysenter_flags_fixed:
16736
16737- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16738- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16739+ GET_THREAD_INFO(%r11)
16740+ orl $TS_COMPAT, TI_status(%r11)
16741+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%r11)
16742 jnz sysenter_tracesys
16743
16744 sysenter_do_call:
16745@@ -123,9 +175,10 @@ sysenter_dispatch:
16746 call *ia32_sys_call_table(, %rax, 8)
16747 movq %rax, RAX(%rsp)
16748 1:
16749+ GET_THREAD_INFO(%r11)
16750 DISABLE_INTERRUPTS(CLBR_NONE)
16751 TRACE_IRQS_OFF
16752- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16753+ testl $_TIF_ALLWORK_MASK, TI_flags(%r11)
16754 jnz sysexit_audit
16755 sysexit_from_sys_call:
16756 /*
16757@@ -138,7 +191,9 @@ sysexit_from_sys_call:
16758 * This code path is still called 'sysexit' because it pairs
16759 * with 'sysenter' and it uses the SYSENTER calling convention.
16760 */
16761- andl $~TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16762+ pax_exit_kernel_user
16763+ pax_erase_kstack
16764+ andl $~TS_COMPAT, TI_status(%r11)
16765 movl RIP(%rsp), %ecx /* User %eip */
16766 movq RAX(%rsp), %rax
16767 RESTORE_RSI_RDI
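Review bot: `andl $~TS_COMPAT, TI_status(%r11)` relies on %r11 still holding the thread_info pointer after the two macro calls inserted just above it. The `pax_exit_kernel_user` macro in this file saves %r11 only around `pax_randomize_kstack`; whether the called `pax_exit_kernel_user` and `pax_erase_kstack` routines preserve %r11 is not visible here. Either record the requirement, `/* %r11 = thread_info, must survive the pax_* calls */`, or reload with `GET_THREAD_INFO(%r11)` directly before the `andl`. sysretl_from_sys_call has the same sequence.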
16768@@ -194,6 +249,8 @@ sysexit_from_sys_call:
16769 movl %eax, %edi /* arg1 (RDI) <= syscall number (EAX) */
16770 call __audit_syscall_entry
16771
16772+ pax_erase_kstack
16773+
16774 /*
16775 * We are going to jump back to the syscall dispatch code.
16776 * Prepare syscall args as required by the 64-bit C ABI.
16777@@ -209,7 +266,7 @@ sysexit_from_sys_call:
16778 .endm
16779
16780 .macro auditsys_exit exit
16781- testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16782+ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
16783 jnz ia32_ret_from_sys_call
16784 TRACE_IRQS_ON
16785 ENABLE_INTERRUPTS(CLBR_NONE)
16786@@ -220,10 +277,11 @@ sysexit_from_sys_call:
16787 1: setbe %al /* 1 if error, 0 if not */
16788 movzbl %al, %edi /* zero-extend that into %edi */
16789 call __audit_syscall_exit
16790+ GET_THREAD_INFO(%r11)
16791 movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %edi
16792 DISABLE_INTERRUPTS(CLBR_NONE)
16793 TRACE_IRQS_OFF
16794- testl %edi, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16795+ testl %edi, TI_flags(%r11)
16796 jz \exit
16797 xorl %eax, %eax /* Do not leak kernel information */
16798 movq %rax, R11(%rsp)
16799@@ -249,7 +307,7 @@ sysenter_fix_flags:
16800
16801 sysenter_tracesys:
16802 #ifdef CONFIG_AUDITSYSCALL
16803- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16804+ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
16805 jz sysenter_auditsys
16806 #endif
16807 SAVE_EXTRA_REGS
16808@@ -269,6 +327,9 @@ sysenter_tracesys:
16809 movl %eax, %eax /* zero extension */
16810
16811 RESTORE_EXTRA_REGS
16812+
16813+ pax_erase_kstack
16814+
16815 jmp sysenter_do_call
16816 ENDPROC(entry_SYSENTER_compat)
16817
16818@@ -311,7 +372,6 @@ ENTRY(entry_SYSCALL_compat)
16819 SWAPGS_UNSAFE_STACK
16820 movl %esp, %r8d
16821 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
16822- ENABLE_INTERRUPTS(CLBR_NONE)
16823
16824 /* Zero-extending 32-bit regs, do not remove */
16825 movl %eax, %eax
16826@@ -331,16 +391,41 @@ ENTRY(entry_SYSCALL_compat)
16827 pushq $-ENOSYS /* pt_regs->ax */
16828 sub $(10*8), %rsp /* pt_regs->r8-11, bp, bx, r12-15 not saved */
16829
16830+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16831+ movq %r12, R12(%rsp)
16832+#endif
16833+
16834+ pax_enter_kernel_user
16835+
16836+#ifdef CONFIG_PAX_RANDKSTACK
16837+ pax_erase_kstack
16838+#endif
16839+
16840+ ENABLE_INTERRUPTS(CLBR_NONE)
16841+
16842 /*
16843 * No need to do an access_ok check here because r8 has been
16844 * 32-bit zero extended:
16845 */
16846+
16847+#ifdef CONFIG_PAX_MEMORY_UDEREF
16848+ ASM_PAX_OPEN_USERLAND
16849+ movq pax_user_shadow_base, %r8
16850+ addq RSP(%rsp), %r8
16851+#endif
16852+
16853 ASM_STAC
16854 1: movl (%r8), %r9d
16855 _ASM_EXTABLE(1b, ia32_badarg)
16856 ASM_CLAC
16857- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16858- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16859+
16860+#ifdef CONFIG_PAX_MEMORY_UDEREF
16861+ ASM_PAX_CLOSE_USERLAND
16862+#endif
16863+
16864+ GET_THREAD_INFO(%r11)
16865+ orl $TS_COMPAT,TI_status(%r11)
16866+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
16867 jnz cstar_tracesys
16868
16869 cstar_do_call:
16870@@ -358,13 +443,16 @@ cstar_dispatch:
16871 call *ia32_sys_call_table(, %rax, 8)
16872 movq %rax, RAX(%rsp)
16873 1:
16874+ GET_THREAD_INFO(%r11)
16875 DISABLE_INTERRUPTS(CLBR_NONE)
16876 TRACE_IRQS_OFF
16877- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16878+ testl $_TIF_ALLWORK_MASK, TI_flags(%r11)
16879 jnz sysretl_audit
16880
16881 sysretl_from_sys_call:
16882- andl $~TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16883+ pax_exit_kernel_user
16884+ pax_erase_kstack
16885+ andl $~TS_COMPAT, TI_status(%r11)
16886 RESTORE_RSI_RDI_RDX
16887 movl RIP(%rsp), %ecx
16888 movl EFLAGS(%rsp), %r11d
16889@@ -403,7 +491,7 @@ sysretl_audit:
16890
16891 cstar_tracesys:
16892 #ifdef CONFIG_AUDITSYSCALL
16893- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16894+ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
16895 jz cstar_auditsys
16896 #endif
16897 xchgl %r9d, %ebp
16898@@ -426,11 +514,19 @@ cstar_tracesys:
16899
16900 RESTORE_EXTRA_REGS
16901 xchgl %ebp, %r9d
16902+
16903+ pax_erase_kstack
16904+
16905 jmp cstar_do_call
16906 END(entry_SYSCALL_compat)
16907
16908 ia32_badarg:
16909 ASM_CLAC
16910+
16911+#ifdef CONFIG_PAX_MEMORY_UDEREF
16912+ ASM_PAX_CLOSE_USERLAND
16913+#endif
16914+
16915 movq $-EFAULT, RAX(%rsp)
16916 ia32_ret_from_sys_call:
16917 xorl %eax, %eax /* Do not leak kernel information */
16918@@ -462,14 +558,8 @@ ia32_ret_from_sys_call:
16919 */
16920
16921 ENTRY(entry_INT80_compat)
16922- /*
16923- * Interrupts are off on entry.
16924- * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
16925- * it is too small to ever cause noticeable irq latency.
16926- */
16927 PARAVIRT_ADJUST_EXCEPTION_FRAME
16928 SWAPGS
16929- ENABLE_INTERRUPTS(CLBR_NONE)
16930
16931 /* Zero-extending 32-bit regs, do not remove */
16932 movl %eax, %eax
16933@@ -488,8 +578,26 @@ ENTRY(entry_INT80_compat)
16934 cld
16935 sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
16936
16937- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16938- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16939+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16940+ movq %r12, R12(%rsp)
16941+#endif
16942+
16943+ pax_enter_kernel_user
16944+
16945+#ifdef CONFIG_PAX_RANDKSTACK
16946+ pax_erase_kstack
16947+#endif
16948+
16949+ /*
16950+ * Interrupts are off on entry.
16951+ * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
16952+ * it is too small to ever cause noticeable irq latency.
16953+ */
16954+ ENABLE_INTERRUPTS(CLBR_NONE)
16955+
16956+ GET_THREAD_INFO(%r11)
16957+ orl $TS_COMPAT, TI_status(%r11)
16958+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%r11)
16959 jnz ia32_tracesys
16960
16961 ia32_do_call:
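Review bot: The relocated comment still calls the irq-off block "tiny" and "too small to ever cause noticeable irq latency", but in its new position interrupts stay disabled across the pt_regs construction, `pax_enter_kernel_user` and, when configured, `pax_erase_kstack`. The text should describe the new window, for example `/* Interrupts are off on entry and stay off until the pax entry work above is done. */`. If leaving out TRACE_IRQS_OFF/ON is still deliberate for this longer window, that deserves its own sentence. entry_INT80_compat starts before this hunk.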
16962@@ -524,6 +632,9 @@ ia32_tracesys:
16963 movl RDI(%rsp), %edi
16964 movl %eax, %eax /* zero extension */
16965 RESTORE_EXTRA_REGS
16966+
16967+ pax_erase_kstack
16968+
16969 jmp ia32_do_call
16970 END(entry_INT80_compat)
16971
16972diff --git a/arch/x86/entry/thunk_64.S b/arch/x86/entry/thunk_64.S
16973index efb2b93..8a9cb8e 100644
16974--- a/arch/x86/entry/thunk_64.S
16975+++ b/arch/x86/entry/thunk_64.S
16976@@ -8,6 +8,7 @@
16977 #include <linux/linkage.h>
16978 #include "calling.h"
16979 #include <asm/asm.h>
16980+#include <asm/alternative-asm.h>
16981
16982 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
16983 .macro THUNK name, func, put_ret_addr_in_rdi=0
16984@@ -62,6 +63,7 @@ restore:
16985 popq %rdx
16986 popq %rsi
16987 popq %rdi
16988+ pax_force_retaddr
16989 ret
16990 _ASM_NOKPROBE(restore)
16991 #endif
16992diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
16993index e970320..c006fea 100644
16994--- a/arch/x86/entry/vdso/Makefile
16995+++ b/arch/x86/entry/vdso/Makefile
16996@@ -175,7 +175,7 @@ quiet_cmd_vdso = VDSO $@
16997 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
16998 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
16999
17000-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \
17001+VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \
17002 $(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
17003 GCOV_PROFILE := n
17004
17005diff --git a/arch/x86/entry/vdso/vdso2c.h b/arch/x86/entry/vdso/vdso2c.h
17006index 0224987..8deb742 100644
17007--- a/arch/x86/entry/vdso/vdso2c.h
17008+++ b/arch/x86/entry/vdso/vdso2c.h
17009@@ -12,7 +12,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
17010 unsigned long load_size = -1; /* Work around bogus warning */
17011 unsigned long mapping_size;
17012 ELF(Ehdr) *hdr = (ELF(Ehdr) *)raw_addr;
17013- int i;
17014+ unsigned int i;
17015 unsigned long j;
17016 ELF(Shdr) *symtab_hdr = NULL, *strtab_hdr, *secstrings_hdr,
17017 *alt_sec = NULL;
17018@@ -83,7 +83,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
17019 for (i = 0;
17020 i < GET_LE(&symtab_hdr->sh_size) / GET_LE(&symtab_hdr->sh_entsize);
17021 i++) {
17022- int k;
17023+ unsigned int k;
17024 ELF(Sym) *sym = raw_addr + GET_LE(&symtab_hdr->sh_offset) +
17025 GET_LE(&symtab_hdr->sh_entsize) * i;
17026 const char *name = raw_addr + GET_LE(&strtab_hdr->sh_offset) +
17027diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
17028index 1c9f750..cfddb1a 100644
17029--- a/arch/x86/entry/vdso/vma.c
17030+++ b/arch/x86/entry/vdso/vma.c
17031@@ -19,10 +19,7 @@
17032 #include <asm/page.h>
17033 #include <asm/hpet.h>
17034 #include <asm/desc.h>
17035-
17036-#if defined(CONFIG_X86_64)
17037-unsigned int __read_mostly vdso64_enabled = 1;
17038-#endif
17039+#include <asm/mman.h>
17040
17041 void __init init_vdso_image(const struct vdso_image *image)
17042 {
17043@@ -101,6 +98,11 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17044 .pages = no_pages,
17045 };
17046
17047+#ifdef CONFIG_PAX_RANDMMAP
17048+ if (mm->pax_flags & MF_PAX_RANDMMAP)
17049+ calculate_addr = false;
17050+#endif
17051+
17052 if (calculate_addr) {
17053 addr = vdso_addr(current->mm->start_stack,
17054 image->size - image->sym_vvar_start);
17055@@ -111,14 +113,14 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17056 down_write(&mm->mmap_sem);
17057
17058 addr = get_unmapped_area(NULL, addr,
17059- image->size - image->sym_vvar_start, 0, 0);
17060+ image->size - image->sym_vvar_start, 0, MAP_EXECUTABLE);
17061 if (IS_ERR_VALUE(addr)) {
17062 ret = addr;
17063 goto up_fail;
17064 }
17065
17066 text_start = addr - image->sym_vvar_start;
17067- current->mm->context.vdso = (void __user *)text_start;
17068+ mm->context.vdso = text_start;
17069
17070 /*
17071 * MAYWRITE to allow gdb to COW and set breakpoints
17072@@ -163,15 +165,12 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17073 hpet_address >> PAGE_SHIFT,
17074 PAGE_SIZE,
17075 pgprot_noncached(PAGE_READONLY));
17076-
17077- if (ret)
17078- goto up_fail;
17079 }
17080 #endif
17081
17082 up_fail:
17083 if (ret)
17084- current->mm->context.vdso = NULL;
17085+ current->mm->context.vdso = 0;
17086
17087 up_write(&mm->mmap_sem);
17088 return ret;
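Review bot: The error path still writes `current->mm->context.vdso = 0;` although the earlier hunk in map_vdso switched the success path to `mm->context.vdso = text_start;`. Assuming `mm` is `current->mm` in this function (its declaration is outside the hunk), the local should be used here too: `mm->context.vdso = 0;`. Mixing both spellings makes a reader check whether the two can differ.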
17089@@ -191,8 +190,8 @@ static int load_vdso32(void)
17090
17091 if (selected_vdso32->sym_VDSO32_SYSENTER_RETURN)
17092 current_thread_info()->sysenter_return =
17093- current->mm->context.vdso +
17094- selected_vdso32->sym_VDSO32_SYSENTER_RETURN;
17095+ (void __force_user *)(current->mm->context.vdso +
17096+ selected_vdso32->sym_VDSO32_SYSENTER_RETURN);
17097
17098 return 0;
17099 }
17100@@ -201,9 +200,6 @@ static int load_vdso32(void)
17101 #ifdef CONFIG_X86_64
17102 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
17103 {
17104- if (!vdso64_enabled)
17105- return 0;
17106-
17107 return map_vdso(&vdso_image_64, true);
17108 }
17109
17110@@ -212,12 +208,8 @@ int compat_arch_setup_additional_pages(struct linux_binprm *bprm,
17111 int uses_interp)
17112 {
17113 #ifdef CONFIG_X86_X32_ABI
17114- if (test_thread_flag(TIF_X32)) {
17115- if (!vdso64_enabled)
17116- return 0;
17117-
17118+ if (test_thread_flag(TIF_X32))
17119 return map_vdso(&vdso_image_x32, true);
17120- }
17121 #endif
17122
17123 return load_vdso32();
17124@@ -231,15 +223,6 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
17125 #endif
17126
17127 #ifdef CONFIG_X86_64
17128-static __init int vdso_setup(char *s)
17129-{
17130- vdso64_enabled = simple_strtoul(s, NULL, 0);
17131- return 0;
17132-}
17133-__setup("vdso=", vdso_setup);
17134-#endif
17135-
17136-#ifdef CONFIG_X86_64
17137 static void vgetcpu_cpu_init(void *arg)
17138 {
17139 int cpu = smp_processor_id();
17140diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
17141index 2dcc6ff..082dc7a 100644
17142--- a/arch/x86/entry/vsyscall/vsyscall_64.c
17143+++ b/arch/x86/entry/vsyscall/vsyscall_64.c
17144@@ -38,15 +38,13 @@
17145 #define CREATE_TRACE_POINTS
17146 #include "vsyscall_trace.h"
17147
17148-static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
17149+static enum { EMULATE, NONE } vsyscall_mode = EMULATE;
17150
17151 static int __init vsyscall_setup(char *str)
17152 {
17153 if (str) {
17154 if (!strcmp("emulate", str))
17155 vsyscall_mode = EMULATE;
17156- else if (!strcmp("native", str))
17157- vsyscall_mode = NATIVE;
17158 else if (!strcmp("none", str))
17159 vsyscall_mode = NONE;
17160 else
17161@@ -264,8 +262,7 @@ do_ret:
17162 return true;
17163
17164 sigsegv:
17165- force_sig(SIGSEGV, current);
17166- return true;
17167+ do_group_exit(SIGKILL);
17168 }
17169
17170 /*
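Review bot: After this change the `sigsegv:` label ends the function with a bare `do_group_exit(SIGKILL);`, although its other path returns `true`. The code is therefore only well-formed if do_group_exit is declared noreturn, which this hunk does not show. The change also replaces a catchable SIGSEGV for the faulting task with an unconditional kill of the whole thread group, a userspace-visible policy change that should be stated in place, e.g. `/* hardening: a rejected vsyscall emulation request kills the thread group instead of raising SIGSEGV */`. The function starts outside this hunk.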
17171@@ -283,8 +280,8 @@ static struct vm_operations_struct gate_vma_ops = {
17172 static struct vm_area_struct gate_vma = {
17173 .vm_start = VSYSCALL_ADDR,
17174 .vm_end = VSYSCALL_ADDR + PAGE_SIZE,
17175- .vm_page_prot = PAGE_READONLY_EXEC,
17176- .vm_flags = VM_READ | VM_EXEC,
17177+ .vm_page_prot = PAGE_READONLY,
17178+ .vm_flags = VM_READ,
17179 .vm_ops = &gate_vma_ops,
17180 };
17181
17182@@ -325,10 +322,7 @@ void __init map_vsyscall(void)
17183 unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
17184
17185 if (vsyscall_mode != NONE)
17186- __set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall,
17187- vsyscall_mode == NATIVE
17188- ? PAGE_KERNEL_VSYSCALL
17189- : PAGE_KERNEL_VVAR);
17190+ __set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall, PAGE_KERNEL_VVAR);
17191
17192 BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) !=
17193 (unsigned long)VSYSCALL_ADDR);
17194diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
17195index ae6aad1..719d6d9 100644
17196--- a/arch/x86/ia32/ia32_aout.c
17197+++ b/arch/x86/ia32/ia32_aout.c
17198@@ -153,6 +153,8 @@ static int aout_core_dump(struct coredump_params *cprm)
17199 unsigned long dump_start, dump_size;
17200 struct user32 dump;
17201
17202+ memset(&dump, 0, sizeof(dump));
17203+
17204 fs = get_fs();
17205 set_fs(KERNEL_DS);
17206 has_dumped = 1;
17207diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
17208index ae3a29a..cea65e9 100644
17209--- a/arch/x86/ia32/ia32_signal.c
17210+++ b/arch/x86/ia32/ia32_signal.c
17211@@ -216,7 +216,7 @@ asmlinkage long sys32_sigreturn(void)
17212 if (__get_user(set.sig[0], &frame->sc.oldmask)
17213 || (_COMPAT_NSIG_WORDS > 1
17214 && __copy_from_user((((char *) &set.sig) + 4),
17215- &frame->extramask,
17216+ frame->extramask,
17217 sizeof(frame->extramask))))
17218 goto badframe;
17219
17220@@ -336,7 +336,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
17221 sp -= frame_size;
17222 /* Align the stack pointer according to the i386 ABI,
17223 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
17224- sp = ((sp + 4) & -16ul) - 4;
17225+ sp = ((sp - 12) & -16ul) - 4;
17226 return (void __user *) sp;
17227 }
17228
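Review bot: The new expression `((sp - 12) & -16ul) - 4` satisfies the same `((sp + 4) & 15) == 0` rule as the old one but always lands exactly 16 bytes lower, and the comment above it mentions neither that nor the reason. I would add a line such as `/* one extra 16-byte slot below the plain ABI alignment: <reason> */` so the next reader does not change it back. get_sigframe begins outside the hunk.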
17229@@ -381,10 +381,10 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
17230 } else {
17231 /* Return stub is in 32bit vsyscall page */
17232 if (current->mm->context.vdso)
17233- restorer = current->mm->context.vdso +
17234- selected_vdso32->sym___kernel_sigreturn;
17235+ restorer = (void __force_user *)(current->mm->context.vdso +
17236+ selected_vdso32->sym___kernel_sigreturn);
17237 else
17238- restorer = &frame->retcode;
17239+ restorer = frame->retcode;
17240 }
17241
17242 put_user_try {
17243@@ -394,7 +394,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
17244 * These are actually not used anymore, but left because some
17245 * gdb versions depend on them as a marker.
17246 */
17247- put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
17248+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
17249 } put_user_catch(err);
17250
17251 if (err)
17252@@ -436,7 +436,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
17253 0xb8,
17254 __NR_ia32_rt_sigreturn,
17255 0x80cd,
17256- 0,
17257+ 0
17258 };
17259
17260 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
17261@@ -459,16 +459,19 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
17262
17263 if (ksig->ka.sa.sa_flags & SA_RESTORER)
17264 restorer = ksig->ka.sa.sa_restorer;
17265+ else if (current->mm->context.vdso)
17266+ /* Return stub is in 32bit vsyscall page */
17267+ restorer = (void __force_user *)(current->mm->context.vdso +
17268+ selected_vdso32->sym___kernel_rt_sigreturn);
17269 else
17270- restorer = current->mm->context.vdso +
17271- selected_vdso32->sym___kernel_rt_sigreturn;
17272+ restorer = frame->retcode;
17273 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
17274
17275 /*
17276 * Not actually used anymore, but left because some gdb
17277 * versions need it.
17278 */
17279- put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
17280+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
17281 } put_user_catch(err);
17282
17283 err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
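Review bot: The comment "Not actually used anymore, but left because some gdb versions need it" above the `frame->retcode` write is no longer accurate. The new `else` branch makes `frame->retcode` the restorer when there is neither SA_RESTORER nor a mapped vdso. In that case the return stub runs from the user stack, so it works only where that stack is executable; this consequence is inferred from the code shown. Suggested wording: `/* Return stub: used only without SA_RESTORER and without a vdso; some gdb versions also look for it as a marker. */`. ia32_setup_rt_frame starts before this hunk.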
17284diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
17285index 719cd70..72af944 100644
17286--- a/arch/x86/ia32/sys_ia32.c
17287+++ b/arch/x86/ia32/sys_ia32.c
17288@@ -49,18 +49,26 @@
17289
17290 #define AA(__x) ((unsigned long)(__x))
17291
17292+static inline loff_t compose_loff(unsigned int high, unsigned int low)
17293+{
17294+ loff_t retval = low;
17295+
17296+ BUILD_BUG_ON(sizeof retval != sizeof low + sizeof high);
17297+ __builtin_memcpy((unsigned char *)&retval + sizeof low, &high, sizeof high);
17298+ return retval;
17299+}
17300
17301 asmlinkage long sys32_truncate64(const char __user *filename,
17302- unsigned long offset_low,
17303- unsigned long offset_high)
17304+ unsigned int offset_low,
17305+ unsigned int offset_high)
17306 {
17307- return sys_truncate(filename, ((loff_t) offset_high << 32) | offset_low);
17308+ return sys_truncate(filename, compose_loff(offset_high, offset_low));
17309 }
17310
17311-asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low,
17312- unsigned long offset_high)
17313+asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned int offset_low,
17314+ unsigned int offset_high)
17315 {
17316- return sys_ftruncate(fd, ((loff_t) offset_high << 32) | offset_low);
17317+ return sys_ftruncate(fd, ((unsigned long) offset_high << 32) | offset_low);
17318 }
17319
17320 /*
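Review bot: `compose_loff()` has no comment, and its `__builtin_memcpy` of `high` to byte offset `sizeof low` is only correct on a little-endian layout, which a reader cannot tell is deliberate. A one-line comment above it would do, e.g. `/* join two 32-bit halves into a loff_t; relies on the x86 little-endian layout */`. The same hunk leaves `sys32_ftruncate64` on an open-coded shift with an `unsigned long` cast while `sys32_truncate64` uses the helper. If that difference is intended (presumably because the two syscalls take differently signed lengths), the comment should say so.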
17321@@ -69,8 +77,8 @@ asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low,
17322 */
17323 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
17324 {
17325- typeof(ubuf->st_uid) uid = 0;
17326- typeof(ubuf->st_gid) gid = 0;
17327+ typeof(((struct stat64 *)0)->st_uid) uid = 0;
17328+ typeof(((struct stat64 *)0)->st_gid) gid = 0;
17329 SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid));
17330 SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid));
17331 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
17332@@ -196,29 +204,29 @@ long sys32_fadvise64_64(int fd, __u32 offset_low, __u32 offset_high,
17333 __u32 len_low, __u32 len_high, int advice)
17334 {
17335 return sys_fadvise64_64(fd,
17336- (((u64)offset_high)<<32) | offset_low,
17337- (((u64)len_high)<<32) | len_low,
17338+ compose_loff(offset_high, offset_low),
17339+ compose_loff(len_high, len_low),
17340 advice);
17341 }
17342
17343 asmlinkage ssize_t sys32_readahead(int fd, unsigned off_lo, unsigned off_hi,
17344 size_t count)
17345 {
17346- return sys_readahead(fd, ((u64)off_hi << 32) | off_lo, count);
17347+ return sys_readahead(fd, compose_loff(off_hi, off_lo), count);
17348 }
17349
17350 asmlinkage long sys32_sync_file_range(int fd, unsigned off_low, unsigned off_hi,
17351 unsigned n_low, unsigned n_hi, int flags)
17352 {
17353 return sys_sync_file_range(fd,
17354- ((u64)off_hi << 32) | off_low,
17355- ((u64)n_hi << 32) | n_low, flags);
17356+ compose_loff(off_hi, off_low),
17357+ compose_loff(n_hi, n_low), flags);
17358 }
17359
17360 asmlinkage long sys32_fadvise64(int fd, unsigned offset_lo, unsigned offset_hi,
17361- size_t len, int advice)
17362+ int len, int advice)
17363 {
17364- return sys_fadvise64_64(fd, ((u64)offset_hi << 32) | offset_lo,
17365+ return sys_fadvise64_64(fd, compose_loff(offset_hi, offset_lo),
17366 len, advice);
17367 }
17368
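Review bot: In `sys32_fadvise64` the `len` parameter changes from `size_t` to `int`, so a 32-bit caller's length of 2 GiB or more is now sign-extended to a negative value when it is passed on to `sys_fadvise64_64`. The hunk gives no reason for the narrower signed type. If rejecting or reinterpreting such lengths is intended, a comment should say so; otherwise `unsigned int len` keeps the previous zero-extension. The callee's prototype is outside this hunk, so the effect on its range handling should be confirmed there.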
17369@@ -226,6 +234,6 @@ asmlinkage long sys32_fallocate(int fd, int mode, unsigned offset_lo,
17370 unsigned offset_hi, unsigned len_lo,
17371 unsigned len_hi)
17372 {
17373- return sys_fallocate(fd, mode, ((u64)offset_hi << 32) | offset_lo,
17374- ((u64)len_hi << 32) | len_lo);
17375+ return sys_fallocate(fd, mode, compose_loff(offset_hi, offset_lo),
17376+ compose_loff(len_hi, len_lo));
17377 }
17378diff --git a/arch/x86/include/asm/alternative-asm.h b/arch/x86/include/asm/alternative-asm.h
17379index e7636ba..e1fb78a 100644
17380--- a/arch/x86/include/asm/alternative-asm.h
17381+++ b/arch/x86/include/asm/alternative-asm.h
17382@@ -18,6 +18,45 @@
17383 .endm
17384 #endif
17385
17386+#ifdef KERNEXEC_PLUGIN
17387+ .macro pax_force_retaddr_bts rip=0
17388+ btsq $63,\rip(%rsp)
17389+ .endm
17390+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS
17391+ .macro pax_force_retaddr rip=0, reload=0
17392+ btsq $63,\rip(%rsp)
17393+ .endm
17394+ .macro pax_force_fptr ptr
17395+ btsq $63,\ptr
17396+ .endm
17397+ .macro pax_set_fptr_mask
17398+ .endm
17399+#endif
17400+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
17401+ .macro pax_force_retaddr rip=0, reload=0
17402+ .if \reload
17403+ pax_set_fptr_mask
17404+ .endif
17405+ orq %r12,\rip(%rsp)
17406+ .endm
17407+ .macro pax_force_fptr ptr
17408+ orq %r12,\ptr
17409+ .endm
17410+ .macro pax_set_fptr_mask
17411+ movabs $0x8000000000000000,%r12
17412+ .endm
17413+#endif
17414+#else
17415+ .macro pax_force_retaddr rip=0, reload=0
17416+ .endm
17417+ .macro pax_force_fptr ptr
17418+ .endm
17419+ .macro pax_force_retaddr_bts rip=0
17420+ .endm
17421+ .macro pax_set_fptr_mask
17422+ .endm
17423+#endif
17424+
17425 /*
17426 * Issue one struct alt_instr descriptor entry (need to put it into
17427 * the section .altinstructions, see below). This entry contains
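Review bot: The `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR` variants of `pax_force_retaddr` and `pax_force_fptr` OR `%r12` into the target, so they are only correct while `%r12` still holds the mask loaded by `pax_set_fptr_mask`, and the added block does not state that contract. A comment above the OR block such as `/* %r12 is reserved for the 0x8000000000000000 mask; pass reload=1 after anything that clobbers it */` would make it explicit. Separately, when `KERNEXEC_PLUGIN` is defined but neither method option is set, `pax_force_retaddr`, `pax_force_fptr` and `pax_set_fptr_mask` are left undefined. Unless Kconfig (not visible here) guarantees one method is always selected, an `#error` for that case would fail the build with a clear message instead of an assembler error at the first use.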
17428@@ -50,7 +89,7 @@
17429 altinstruction_entry 140b,143f,\feature,142b-140b,144f-143f,142b-141b
17430 .popsection
17431
17432- .pushsection .altinstr_replacement,"ax"
17433+ .pushsection .altinstr_replacement,"a"
17434 143:
17435 \newinstr
17436 144:
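Review bot: The section flags for `.altinstr_replacement` drop the `x` bit here without any comment, and the same silent change appears in the `-86,7` hunk below and in both `alternative.h` hunks. A reader needs to know this is safe because replacement bytes are copied over the original site and not run in place, and that the flag was removed on purpose (presumably to keep the section out of executable mappings). A comment next to the first `.pushsection`, e.g. `/* "a", not "ax": replacements are only copied, never executed from this section */`, would stop a later cleanup from restoring the old flags.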
17437@@ -86,7 +125,7 @@
17438 altinstruction_entry 140b,144f,\feature2,142b-140b,145f-144f,142b-141b
17439 .popsection
17440
17441- .pushsection .altinstr_replacement,"ax"
17442+ .pushsection .altinstr_replacement,"a"
17443 143:
17444 \newinstr1
17445 144:
17446diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h
17447index 7bfc85b..65d1ec4 100644
17448--- a/arch/x86/include/asm/alternative.h
17449+++ b/arch/x86/include/asm/alternative.h
17450@@ -136,7 +136,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
17451 ".pushsection .altinstructions,\"a\"\n" \
17452 ALTINSTR_ENTRY(feature, 1) \
17453 ".popsection\n" \
17454- ".pushsection .altinstr_replacement, \"ax\"\n" \
17455+ ".pushsection .altinstr_replacement, \"a\"\n" \
17456 ALTINSTR_REPLACEMENT(newinstr, feature, 1) \
17457 ".popsection"
17458
17459@@ -146,7 +146,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
17460 ALTINSTR_ENTRY(feature1, 1) \
17461 ALTINSTR_ENTRY(feature2, 2) \
17462 ".popsection\n" \
17463- ".pushsection .altinstr_replacement, \"ax\"\n" \
17464+ ".pushsection .altinstr_replacement, \"a\"\n" \
17465 ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \
17466 ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \
17467 ".popsection"
17468diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
17469index c839363..b9a8c43 100644
17470--- a/arch/x86/include/asm/apic.h
17471+++ b/arch/x86/include/asm/apic.h
17472@@ -45,7 +45,7 @@ static inline void generic_apic_probe(void)
17473
17474 #ifdef CONFIG_X86_LOCAL_APIC
17475
17476-extern unsigned int apic_verbosity;
17477+extern int apic_verbosity;
17478 extern int local_apic_timer_c2_ok;
17479
17480 extern int disable_apic;
17481diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h
17482index 20370c6..a2eb9b0 100644
17483--- a/arch/x86/include/asm/apm.h
17484+++ b/arch/x86/include/asm/apm.h
17485@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
17486 __asm__ __volatile__(APM_DO_ZERO_SEGS
17487 "pushl %%edi\n\t"
17488 "pushl %%ebp\n\t"
17489- "lcall *%%cs:apm_bios_entry\n\t"
17490+ "lcall *%%ss:apm_bios_entry\n\t"
17491 "setc %%al\n\t"
17492 "popl %%ebp\n\t"
17493 "popl %%edi\n\t"
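Review bot: The `lcall` through `apm_bios_entry` now uses an `%ss` segment override instead of `%cs`, here and in `apm_bios_call_simple_asm` in the next hunk, and neither site explains why. The change presumably exists because the kernel code segment no longer covers kernel data under this patch set, which should be confirmed against the segment setup. It also makes the call depend on `%ss` being the flat kernel data segment at this point. A short comment above the asm statement, e.g. `/* apm_bios_entry is data: read it via %ss, kernel %cs may not map it */`, would record that assumption.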
17494@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
17495 __asm__ __volatile__(APM_DO_ZERO_SEGS
17496 "pushl %%edi\n\t"
17497 "pushl %%ebp\n\t"
17498- "lcall *%%cs:apm_bios_entry\n\t"
17499+ "lcall *%%ss:apm_bios_entry\n\t"
17500 "setc %%bl\n\t"
17501 "popl %%ebp\n\t"
17502 "popl %%edi\n\t"
17503diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
17504index e916895..42d729d 100644
17505--- a/arch/x86/include/asm/atomic.h
17506+++ b/arch/x86/include/asm/atomic.h
17507@@ -28,6 +28,17 @@ static __always_inline int atomic_read(const atomic_t *v)
17508 }
17509
17510 /**
17511+ * atomic_read_unchecked - read atomic variable
17512+ * @v: pointer of type atomic_unchecked_t
17513+ *
17514+ * Atomically reads the value of @v.
17515+ */
17516+static __always_inline int __intentional_overflow(-1) atomic_read_unchecked(const atomic_unchecked_t *v)
17517+{
17518+ return ACCESS_ONCE((v)->counter);
17519+}
17520+
17521+/**
17522 * atomic_set - set atomic variable
17523 * @v: pointer of type atomic_t
17524 * @i: required value
17525@@ -40,6 +51,18 @@ static __always_inline void atomic_set(atomic_t *v, int i)
17526 }
17527
17528 /**
17529+ * atomic_set_unchecked - set atomic variable
17530+ * @v: pointer of type atomic_unchecked_t
17531+ * @i: required value
17532+ *
17533+ * Atomically sets the value of @v to @i.
17534+ */
17535+static __always_inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
17536+{
17537+ v->counter = i;
17538+}
17539+
17540+/**
17541 * atomic_add - add integer to atomic variable
17542 * @i: integer value to add
17543 * @v: pointer of type atomic_t
17544@@ -48,7 +71,29 @@ static __always_inline void atomic_set(atomic_t *v, int i)
17545 */
17546 static __always_inline void atomic_add(int i, atomic_t *v)
17547 {
17548- asm volatile(LOCK_PREFIX "addl %1,%0"
17549+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
17550+
17551+#ifdef CONFIG_PAX_REFCOUNT
17552+ "jno 0f\n"
17553+ LOCK_PREFIX "subl %1,%0\n"
17554+ "int $4\n0:\n"
17555+ _ASM_EXTABLE(0b, 0b)
17556+#endif
17557+
17558+ : "+m" (v->counter)
17559+ : "ir" (i));
17560+}
17561+
17562+/**
17563+ * atomic_add_unchecked - add integer to atomic variable
17564+ * @i: integer value to add
17565+ * @v: pointer of type atomic_unchecked_t
17566+ *
17567+ * Atomically adds @i to @v.
17568+ */
17569+static __always_inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
17570+{
17571+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
17572 : "+m" (v->counter)
17573 : "ir" (i));
17574 }
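Review bot: The kernel-doc of `atomic_add()` is left unchanged although the function now behaves differently under `CONFIG_PAX_REFCOUNT`: on signed overflow it undoes the add with a second locked instruction and raises `int $4`. That should be documented, e.g. ` * With CONFIG_PAX_REFCOUNT a signed overflow is reverted and reported via int $4.` It is also worth stating that the counter holds the wrapped value until the compensating `subl` runs, so another CPU can observe it in that window. The same applies to the checked `atomic_sub`, `atomic_inc`, `atomic_dec` and their `atomic64_*` counterparts later in the patch. The handler for the trap is outside this hunk.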
17575@@ -62,7 +107,29 @@ static __always_inline void atomic_add(int i, atomic_t *v)
17576 */
17577 static __always_inline void atomic_sub(int i, atomic_t *v)
17578 {
17579- asm volatile(LOCK_PREFIX "subl %1,%0"
17580+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
17581+
17582+#ifdef CONFIG_PAX_REFCOUNT
17583+ "jno 0f\n"
17584+ LOCK_PREFIX "addl %1,%0\n"
17585+ "int $4\n0:\n"
17586+ _ASM_EXTABLE(0b, 0b)
17587+#endif
17588+
17589+ : "+m" (v->counter)
17590+ : "ir" (i));
17591+}
17592+
17593+/**
17594+ * atomic_sub_unchecked - subtract integer from atomic variable
17595+ * @i: integer value to subtract
17596+ * @v: pointer of type atomic_unchecked_t
17597+ *
17598+ * Atomically subtracts @i from @v.
17599+ */
17600+static __always_inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
17601+{
17602+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
17603 : "+m" (v->counter)
17604 : "ir" (i));
17605 }
17606@@ -78,7 +145,7 @@ static __always_inline void atomic_sub(int i, atomic_t *v)
17607 */
17608 static __always_inline int atomic_sub_and_test(int i, atomic_t *v)
17609 {
17610- GEN_BINARY_RMWcc(LOCK_PREFIX "subl", v->counter, "er", i, "%0", "e");
17611+ GEN_BINARY_RMWcc(LOCK_PREFIX "subl", LOCK_PREFIX "addl", v->counter, "er", i, "%0", "e");
17612 }
17613
17614 /**
17615@@ -89,7 +156,27 @@ static __always_inline int atomic_sub_and_test(int i, atomic_t *v)
17616 */
17617 static __always_inline void atomic_inc(atomic_t *v)
17618 {
17619- asm volatile(LOCK_PREFIX "incl %0"
17620+ asm volatile(LOCK_PREFIX "incl %0\n"
17621+
17622+#ifdef CONFIG_PAX_REFCOUNT
17623+ "jno 0f\n"
17624+ LOCK_PREFIX "decl %0\n"
17625+ "int $4\n0:\n"
17626+ _ASM_EXTABLE(0b, 0b)
17627+#endif
17628+
17629+ : "+m" (v->counter));
17630+}
17631+
17632+/**
17633+ * atomic_inc_unchecked - increment atomic variable
17634+ * @v: pointer of type atomic_unchecked_t
17635+ *
17636+ * Atomically increments @v by 1.
17637+ */
17638+static __always_inline void atomic_inc_unchecked(atomic_unchecked_t *v)
17639+{
17640+ asm volatile(LOCK_PREFIX "incl %0\n"
17641 : "+m" (v->counter));
17642 }
17643
17644@@ -101,7 +188,27 @@ static __always_inline void atomic_inc(atomic_t *v)
17645 */
17646 static __always_inline void atomic_dec(atomic_t *v)
17647 {
17648- asm volatile(LOCK_PREFIX "decl %0"
17649+ asm volatile(LOCK_PREFIX "decl %0\n"
17650+
17651+#ifdef CONFIG_PAX_REFCOUNT
17652+ "jno 0f\n"
17653+ LOCK_PREFIX "incl %0\n"
17654+ "int $4\n0:\n"
17655+ _ASM_EXTABLE(0b, 0b)
17656+#endif
17657+
17658+ : "+m" (v->counter));
17659+}
17660+
17661+/**
17662+ * atomic_dec_unchecked - decrement atomic variable
17663+ * @v: pointer of type atomic_unchecked_t
17664+ *
17665+ * Atomically decrements @v by 1.
17666+ */
17667+static __always_inline void atomic_dec_unchecked(atomic_unchecked_t *v)
17668+{
17669+ asm volatile(LOCK_PREFIX "decl %0\n"
17670 : "+m" (v->counter));
17671 }
17672
17673@@ -115,7 +222,7 @@ static __always_inline void atomic_dec(atomic_t *v)
17674 */
17675 static __always_inline int atomic_dec_and_test(atomic_t *v)
17676 {
17677- GEN_UNARY_RMWcc(LOCK_PREFIX "decl", v->counter, "%0", "e");
17678+ GEN_UNARY_RMWcc(LOCK_PREFIX "decl", LOCK_PREFIX "incl", v->counter, "%0", "e");
17679 }
17680
17681 /**
17682@@ -128,7 +235,20 @@ static __always_inline int atomic_dec_and_test(atomic_t *v)
17683 */
17684 static __always_inline int atomic_inc_and_test(atomic_t *v)
17685 {
17686- GEN_UNARY_RMWcc(LOCK_PREFIX "incl", v->counter, "%0", "e");
17687+ GEN_UNARY_RMWcc(LOCK_PREFIX "incl", LOCK_PREFIX "decl", v->counter, "%0", "e");
17688+}
17689+
17690+/**
17691+ * atomic_inc_and_test_unchecked - increment and test
17692+ * @v: pointer of type atomic_unchecked_t
17693+ *
17694+ * Atomically increments @v by 1
17695+ * and returns true if the result is zero, or false for all
17696+ * other cases.
17697+ */
17698+static __always_inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
17699+{
17700+ GEN_UNARY_RMWcc_unchecked(LOCK_PREFIX "incl", v->counter, "%0", "e");
17701 }
17702
17703 /**
17704@@ -142,7 +262,7 @@ static __always_inline int atomic_inc_and_test(atomic_t *v)
17705 */
17706 static __always_inline int atomic_add_negative(int i, atomic_t *v)
17707 {
17708- GEN_BINARY_RMWcc(LOCK_PREFIX "addl", v->counter, "er", i, "%0", "s");
17709+ GEN_BINARY_RMWcc(LOCK_PREFIX "addl", LOCK_PREFIX "subl", v->counter, "er", i, "%0", "s");
17710 }
17711
17712 /**
17713@@ -152,7 +272,19 @@ static __always_inline int atomic_add_negative(int i, atomic_t *v)
17714 *
17715 * Atomically adds @i to @v and returns @i + @v
17716 */
17717-static __always_inline int atomic_add_return(int i, atomic_t *v)
17718+static __always_inline int __intentional_overflow(-1) atomic_add_return(int i, atomic_t *v)
17719+{
17720+ return i + xadd_check_overflow(&v->counter, i);
17721+}
17722+
17723+/**
17724+ * atomic_add_return_unchecked - add integer and return
17725+ * @i: integer value to add
17726+ * @v: pointer of type atomi_uncheckedc_t
17727+ *
17728+ * Atomically adds @i to @v and returns @i + @v
17729+ */
17730+static __always_inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
17731 {
17732 return i + xadd(&v->counter, i);
17733 }
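Review bot: The kernel-doc added for `atomic_add_return_unchecked()` misspells the parameter type as `atomi_uncheckedc_t`. It should read ` * @v: pointer of type atomic_unchecked_t`, matching the other `_unchecked` helpers in this file. The description line `returns @i + @v` was copied from the checked variant and is fine as is.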
17734@@ -164,15 +296,24 @@ static __always_inline int atomic_add_return(int i, atomic_t *v)
17735 *
17736 * Atomically subtracts @i from @v and returns @v - @i
17737 */
17738-static __always_inline int atomic_sub_return(int i, atomic_t *v)
17739+static __always_inline int __intentional_overflow(-1) atomic_sub_return(int i, atomic_t *v)
17740 {
17741 return atomic_add_return(-i, v);
17742 }
17743
17744 #define atomic_inc_return(v) (atomic_add_return(1, v))
17745+static __always_inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
17746+{
17747+ return atomic_add_return_unchecked(1, v);
17748+}
17749 #define atomic_dec_return(v) (atomic_sub_return(1, v))
17750
17751-static __always_inline int atomic_cmpxchg(atomic_t *v, int old, int new)
17752+static __always_inline int __intentional_overflow(-1) atomic_cmpxchg(atomic_t *v, int old, int new)
17753+{
17754+ return cmpxchg(&v->counter, old, new);
17755+}
17756+
17757+static __always_inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
17758 {
17759 return cmpxchg(&v->counter, old, new);
17760 }
17761@@ -182,6 +323,11 @@ static inline int atomic_xchg(atomic_t *v, int new)
17762 return xchg(&v->counter, new);
17763 }
17764
17765+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
17766+{
17767+ return xchg(&v->counter, new);
17768+}
17769+
17770 /**
17771 * __atomic_add_unless - add unless the number is already a given value
17772 * @v: pointer of type atomic_t
17773@@ -193,12 +339,25 @@ static inline int atomic_xchg(atomic_t *v, int new)
17774 */
17775 static __always_inline int __atomic_add_unless(atomic_t *v, int a, int u)
17776 {
17777- int c, old;
17778+ int c, old, new;
17779 c = atomic_read(v);
17780 for (;;) {
17781- if (unlikely(c == (u)))
17782+ if (unlikely(c == u))
17783 break;
17784- old = atomic_cmpxchg((v), c, c + (a));
17785+
17786+ asm volatile("addl %2,%0\n"
17787+
17788+#ifdef CONFIG_PAX_REFCOUNT
17789+ "jno 0f\n"
17790+ "subl %2,%0\n"
17791+ "int $4\n0:\n"
17792+ _ASM_EXTABLE(0b, 0b)
17793+#endif
17794+
17795+ : "=r" (new)
17796+ : "0" (c), "ir" (a));
17797+
17798+ old = atomic_cmpxchg(v, c, new);
17799 if (likely(old == c))
17800 break;
17801 c = old;
17802@@ -207,6 +366,49 @@ static __always_inline int __atomic_add_unless(atomic_t *v, int a, int u)
17803 }
17804
17805 /**
17806+ * atomic_inc_not_zero_hint - increment if not null
17807+ * @v: pointer of type atomic_t
17808+ * @hint: probable value of the atomic before the increment
17809+ *
17810+ * This version of atomic_inc_not_zero() gives a hint of probable
17811+ * value of the atomic. This helps processor to not read the memory
17812+ * before doing the atomic read/modify/write cycle, lowering
17813+ * number of bus transactions on some arches.
17814+ *
17815+ * Returns: 0 if increment was not done, 1 otherwise.
17816+ */
17817+#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
17818+static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
17819+{
17820+ int val, c = hint, new;
17821+
17822+ /* sanity test, should be removed by compiler if hint is a constant */
17823+ if (!hint)
17824+ return __atomic_add_unless(v, 1, 0);
17825+
17826+ do {
17827+ asm volatile("incl %0\n"
17828+
17829+#ifdef CONFIG_PAX_REFCOUNT
17830+ "jno 0f\n"
17831+ "decl %0\n"
17832+ "int $4\n0:\n"
17833+ _ASM_EXTABLE(0b, 0b)
17834+#endif
17835+
17836+ : "=r" (new)
17837+ : "0" (c));
17838+
17839+ val = atomic_cmpxchg(v, c, new);
17840+ if (val == c)
17841+ return 1;
17842+ c = val;
17843+ } while (c);
17844+
17845+ return 0;
17846+}
17847+
17848+/**
17849 * atomic_inc_short - increment of a short integer
17850 * @v: pointer to type int
17851 *
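Review bot: The `!hint` shortcut in `atomic_inc_not_zero_hint()` returns `__atomic_add_unless(v, 1, 0)` directly, which does not match the `Returns: 0 if increment was not done, 1 otherwise` contract in the kernel-doc added just above. The return statement of `__atomic_add_unless()` is outside this hunk, but in the upstream header it yields the old counter value, so this path would return an arbitrary non-zero number and not 1. Callers that only test for truth are unaffected, but any caller comparing against 1 would misbehave. `return __atomic_add_unless(v, 1, 0) != 0;` restores the documented result.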
17852@@ -220,14 +422,37 @@ static __always_inline short int atomic_inc_short(short int *v)
17853 }
17854
17855 /* These are x86-specific, used by some header files */
17856-#define atomic_clear_mask(mask, addr) \
17857- asm volatile(LOCK_PREFIX "andl %0,%1" \
17858- : : "r" (~(mask)), "m" (*(addr)) : "memory")
17859+static inline void atomic_clear_mask(unsigned int mask, atomic_t *v)
17860+{
17861+ asm volatile(LOCK_PREFIX "andl %1,%0"
17862+ : "+m" (v->counter)
17863+ : "r" (~(mask))
17864+ : "memory");
17865+}
17866
17867-#define atomic_set_mask(mask, addr) \
17868- asm volatile(LOCK_PREFIX "orl %0,%1" \
17869- : : "r" ((unsigned)(mask)), "m" (*(addr)) \
17870- : "memory")
17871+static inline void atomic_clear_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
17872+{
17873+ asm volatile(LOCK_PREFIX "andl %1,%0"
17874+ : "+m" (v->counter)
17875+ : "r" (~(mask))
17876+ : "memory");
17877+}
17878+
17879+static inline void atomic_set_mask(unsigned int mask, atomic_t *v)
17880+{
17881+ asm volatile(LOCK_PREFIX "orl %1,%0"
17882+ : "+m" (v->counter)
17883+ : "r" (mask)
17884+ : "memory");
17885+}
17886+
17887+static inline void atomic_set_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
17888+{
17889+ asm volatile(LOCK_PREFIX "orl %1,%0"
17890+ : "+m" (v->counter)
17891+ : "r" (mask)
17892+ : "memory");
17893+}
17894
17895 #ifdef CONFIG_X86_32
17896 # include <asm/atomic64_32.h>
17897diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h
17898index b154de7..3dc335d 100644
17899--- a/arch/x86/include/asm/atomic64_32.h
17900+++ b/arch/x86/include/asm/atomic64_32.h
17901@@ -12,6 +12,14 @@ typedef struct {
17902 u64 __aligned(8) counter;
17903 } atomic64_t;
17904
17905+#ifdef CONFIG_PAX_REFCOUNT
17906+typedef struct {
17907+ u64 __aligned(8) counter;
17908+} atomic64_unchecked_t;
17909+#else
17910+typedef atomic64_t atomic64_unchecked_t;
17911+#endif
17912+
17913 #define ATOMIC64_INIT(val) { (val) }
17914
17915 #define __ATOMIC64_DECL(sym) void atomic64_##sym(atomic64_t *, ...)
17916@@ -37,21 +45,31 @@ typedef struct {
17917 ATOMIC64_DECL_ONE(sym##_386)
17918
17919 ATOMIC64_DECL_ONE(add_386);
17920+ATOMIC64_DECL_ONE(add_unchecked_386);
17921 ATOMIC64_DECL_ONE(sub_386);
17922+ATOMIC64_DECL_ONE(sub_unchecked_386);
17923 ATOMIC64_DECL_ONE(inc_386);
17924+ATOMIC64_DECL_ONE(inc_unchecked_386);
17925 ATOMIC64_DECL_ONE(dec_386);
17926+ATOMIC64_DECL_ONE(dec_unchecked_386);
17927 #endif
17928
17929 #define alternative_atomic64(f, out, in...) \
17930 __alternative_atomic64(f, f, ASM_OUTPUT2(out), ## in)
17931
17932 ATOMIC64_DECL(read);
17933+ATOMIC64_DECL(read_unchecked);
17934 ATOMIC64_DECL(set);
17935+ATOMIC64_DECL(set_unchecked);
17936 ATOMIC64_DECL(xchg);
17937 ATOMIC64_DECL(add_return);
17938+ATOMIC64_DECL(add_return_unchecked);
17939 ATOMIC64_DECL(sub_return);
17940+ATOMIC64_DECL(sub_return_unchecked);
17941 ATOMIC64_DECL(inc_return);
17942+ATOMIC64_DECL(inc_return_unchecked);
17943 ATOMIC64_DECL(dec_return);
17944+ATOMIC64_DECL(dec_return_unchecked);
17945 ATOMIC64_DECL(dec_if_positive);
17946 ATOMIC64_DECL(inc_not_zero);
17947 ATOMIC64_DECL(add_unless);
17948@@ -77,6 +95,21 @@ static inline long long atomic64_cmpxchg(atomic64_t *v, long long o, long long n
17949 }
17950
17951 /**
17952+ * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
17953+ * @p: pointer to type atomic64_unchecked_t
17954+ * @o: expected value
17955+ * @n: new value
17956+ *
17957+ * Atomically sets @v to @n if it was equal to @o and returns
17958+ * the old value.
17959+ */
17960+
17961+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
17962+{
17963+ return cmpxchg64(&v->counter, o, n);
17964+}
17965+
17966+/**
17967 * atomic64_xchg - xchg atomic64 variable
17968 * @v: pointer to type atomic64_t
17969 * @n: value to assign
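Review bot: The kernel-doc for `atomic64_cmpxchg_unchecked()` documents a parameter `@p` while the function takes `v`, and the description itself refers to `@v`. The line should be ` * @v: pointer to type atomic64_unchecked_t`. The next hunk has the same kind of mismatch: `atomic64_set_unchecked()` documents `@n` but the parameter is named `i`. Kernel-doc tooling warns on both.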
17970@@ -112,6 +145,22 @@ static inline void atomic64_set(atomic64_t *v, long long i)
17971 }
17972
17973 /**
17974+ * atomic64_set_unchecked - set atomic64 variable
17975+ * @v: pointer to type atomic64_unchecked_t
17976+ * @n: value to assign
17977+ *
17978+ * Atomically sets the value of @v to @n.
17979+ */
17980+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
17981+{
17982+ unsigned high = (unsigned)(i >> 32);
17983+ unsigned low = (unsigned)i;
17984+ alternative_atomic64(set, /* no output */,
17985+ "S" (v), "b" (low), "c" (high)
17986+ : "eax", "edx", "memory");
17987+}
17988+
17989+/**
17990 * atomic64_read - read atomic64 variable
17991 * @v: pointer to type atomic64_t
17992 *
17993@@ -125,6 +174,19 @@ static inline long long atomic64_read(const atomic64_t *v)
17994 }
17995
17996 /**
17997+ * atomic64_read_unchecked - read atomic64 variable
17998+ * @v: pointer to type atomic64_unchecked_t
17999+ *
18000+ * Atomically reads the value of @v and returns it.
18001+ */
18002+static inline long long __intentional_overflow(-1) atomic64_read_unchecked(const atomic64_unchecked_t *v)
18003+{
18004+ long long r;
18005+ alternative_atomic64(read, "=&A" (r), "c" (v) : "memory");
18006+ return r;
18007+ }
18008+
18009+/**
18010 * atomic64_add_return - add and return
18011 * @i: integer value to add
18012 * @v: pointer to type atomic64_t
18013@@ -139,6 +201,21 @@ static inline long long atomic64_add_return(long long i, atomic64_t *v)
18014 return i;
18015 }
18016
18017+/**
18018+ * atomic64_add_return_unchecked - add and return
18019+ * @i: integer value to add
18020+ * @v: pointer to type atomic64_unchecked_t
18021+ *
18022+ * Atomically adds @i to @v and returns @i + *@v
18023+ */
18024+static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
18025+{
18026+ alternative_atomic64(add_return_unchecked,
18027+ ASM_OUTPUT2("+A" (i), "+c" (v)),
18028+ ASM_NO_INPUT_CLOBBER("memory"));
18029+ return i;
18030+}
18031+
18032 /*
18033 * Other variants with different arithmetic operators:
18034 */
18035@@ -158,6 +235,14 @@ static inline long long atomic64_inc_return(atomic64_t *v)
18036 return a;
18037 }
18038
18039+static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
18040+{
18041+ long long a;
18042+ alternative_atomic64(inc_return_unchecked, "=&A" (a),
18043+ "S" (v) : "memory", "ecx");
18044+ return a;
18045+}
18046+
18047 static inline long long atomic64_dec_return(atomic64_t *v)
18048 {
18049 long long a;
18050@@ -182,6 +267,21 @@ static inline long long atomic64_add(long long i, atomic64_t *v)
18051 }
18052
18053 /**
18054+ * atomic64_add_unchecked - add integer to atomic64 variable
18055+ * @i: integer value to add
18056+ * @v: pointer to type atomic64_unchecked_t
18057+ *
18058+ * Atomically adds @i to @v.
18059+ */
18060+static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
18061+{
18062+ __alternative_atomic64(add_unchecked, add_return_unchecked,
18063+ ASM_OUTPUT2("+A" (i), "+c" (v)),
18064+ ASM_NO_INPUT_CLOBBER("memory"));
18065+ return i;
18066+}
18067+
18068+/**
18069 * atomic64_sub - subtract the atomic64 variable
18070 * @i: integer value to subtract
18071 * @v: pointer to type atomic64_t
18072diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h
18073index b965f9e..8e22dd3 100644
18074--- a/arch/x86/include/asm/atomic64_64.h
18075+++ b/arch/x86/include/asm/atomic64_64.h
18076@@ -22,6 +22,18 @@ static inline long atomic64_read(const atomic64_t *v)
18077 }
18078
18079 /**
18080+ * atomic64_read_unchecked - read atomic64 variable
18081+ * @v: pointer of type atomic64_unchecked_t
18082+ *
18083+ * Atomically reads the value of @v.
18084+ * Doesn't imply a read memory barrier.
18085+ */
18086+static inline long __intentional_overflow(-1) atomic64_read_unchecked(const atomic64_unchecked_t *v)
18087+{
18088+ return ACCESS_ONCE((v)->counter);
18089+}
18090+
18091+/**
18092 * atomic64_set - set atomic64 variable
18093 * @v: pointer to type atomic64_t
18094 * @i: required value
18095@@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64_t *v, long i)
18096 }
18097
18098 /**
18099+ * atomic64_set_unchecked - set atomic64 variable
18100+ * @v: pointer to type atomic64_unchecked_t
18101+ * @i: required value
18102+ *
18103+ * Atomically sets the value of @v to @i.
18104+ */
18105+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
18106+{
18107+ v->counter = i;
18108+}
18109+
18110+/**
18111 * atomic64_add - add integer to atomic64 variable
18112 * @i: integer value to add
18113 * @v: pointer to type atomic64_t
18114@@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64_t *v, long i)
18115 */
18116 static __always_inline void atomic64_add(long i, atomic64_t *v)
18117 {
18118+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
18119+
18120+#ifdef CONFIG_PAX_REFCOUNT
18121+ "jno 0f\n"
18122+ LOCK_PREFIX "subq %1,%0\n"
18123+ "int $4\n0:\n"
18124+ _ASM_EXTABLE(0b, 0b)
18125+#endif
18126+
18127+ : "=m" (v->counter)
18128+ : "er" (i), "m" (v->counter));
18129+}
18130+
18131+/**
18132+ * atomic64_add_unchecked - add integer to atomic64 variable
18133+ * @i: integer value to add
18134+ * @v: pointer to type atomic64_unchecked_t
18135+ *
18136+ * Atomically adds @i to @v.
18137+ */
18138+static __always_inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
18139+{
18140 asm volatile(LOCK_PREFIX "addq %1,%0"
18141 : "=m" (v->counter)
18142 : "er" (i), "m" (v->counter));
18143@@ -56,7 +102,29 @@ static __always_inline void atomic64_add(long i, atomic64_t *v)
18144 */
18145 static inline void atomic64_sub(long i, atomic64_t *v)
18146 {
18147- asm volatile(LOCK_PREFIX "subq %1,%0"
18148+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
18149+
18150+#ifdef CONFIG_PAX_REFCOUNT
18151+ "jno 0f\n"
18152+ LOCK_PREFIX "addq %1,%0\n"
18153+ "int $4\n0:\n"
18154+ _ASM_EXTABLE(0b, 0b)
18155+#endif
18156+
18157+ : "=m" (v->counter)
18158+ : "er" (i), "m" (v->counter));
18159+}
18160+
18161+/**
18162+ * atomic64_sub_unchecked - subtract the atomic64 variable
18163+ * @i: integer value to subtract
18164+ * @v: pointer to type atomic64_unchecked_t
18165+ *
18166+ * Atomically subtracts @i from @v.
18167+ */
18168+static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
18169+{
18170+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
18171 : "=m" (v->counter)
18172 : "er" (i), "m" (v->counter));
18173 }
18174@@ -72,7 +140,7 @@ static inline void atomic64_sub(long i, atomic64_t *v)
18175 */
18176 static inline int atomic64_sub_and_test(long i, atomic64_t *v)
18177 {
18178- GEN_BINARY_RMWcc(LOCK_PREFIX "subq", v->counter, "er", i, "%0", "e");
18179+ GEN_BINARY_RMWcc(LOCK_PREFIX "subq", LOCK_PREFIX "addq", v->counter, "er", i, "%0", "e");
18180 }
18181
18182 /**
18183@@ -83,6 +151,27 @@ static inline int atomic64_sub_and_test(long i, atomic64_t *v)
18184 */
18185 static __always_inline void atomic64_inc(atomic64_t *v)
18186 {
18187+ asm volatile(LOCK_PREFIX "incq %0\n"
18188+
18189+#ifdef CONFIG_PAX_REFCOUNT
18190+ "jno 0f\n"
18191+ LOCK_PREFIX "decq %0\n"
18192+ "int $4\n0:\n"
18193+ _ASM_EXTABLE(0b, 0b)
18194+#endif
18195+
18196+ : "=m" (v->counter)
18197+ : "m" (v->counter));
18198+}
18199+
18200+/**
18201+ * atomic64_inc_unchecked - increment atomic64 variable
18202+ * @v: pointer to type atomic64_unchecked_t
18203+ *
18204+ * Atomically increments @v by 1.
18205+ */
18206+static __always_inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
18207+{
18208 asm volatile(LOCK_PREFIX "incq %0"
18209 : "=m" (v->counter)
18210 : "m" (v->counter));
18211@@ -96,7 +185,28 @@ static __always_inline void atomic64_inc(atomic64_t *v)
18212 */
18213 static __always_inline void atomic64_dec(atomic64_t *v)
18214 {
18215- asm volatile(LOCK_PREFIX "decq %0"
18216+ asm volatile(LOCK_PREFIX "decq %0\n"
18217+
18218+#ifdef CONFIG_PAX_REFCOUNT
18219+ "jno 0f\n"
18220+ LOCK_PREFIX "incq %0\n"
18221+ "int $4\n0:\n"
18222+ _ASM_EXTABLE(0b, 0b)
18223+#endif
18224+
18225+ : "=m" (v->counter)
18226+ : "m" (v->counter));
18227+}
18228+
18229+/**
18230+ * atomic64_dec_unchecked - decrement atomic64 variable
18231+ * @v: pointer to type atomic64_t
18232+ *
18233+ * Atomically decrements @v by 1.
18234+ */
18235+static __always_inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
18236+{
18237+ asm volatile(LOCK_PREFIX "decq %0\n"
18238 : "=m" (v->counter)
18239 : "m" (v->counter));
18240 }
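Review bot: The kernel-doc added for `atomic64_dec_unchecked()` still names the checked type in its parameter line, ` * @v: pointer to type atomic64_t`. The function takes `atomic64_unchecked_t *`, so the line should read ` * @v: pointer to type atomic64_unchecked_t`, as the sibling `atomic64_inc_unchecked()` doc already does. The distinction matters because the two types are separate structs when `CONFIG_PAX_REFCOUNT` is enabled.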
18241@@ -111,7 +221,7 @@ static __always_inline void atomic64_dec(atomic64_t *v)
18242 */
18243 static inline int atomic64_dec_and_test(atomic64_t *v)
18244 {
18245- GEN_UNARY_RMWcc(LOCK_PREFIX "decq", v->counter, "%0", "e");
18246+ GEN_UNARY_RMWcc(LOCK_PREFIX "decq", LOCK_PREFIX "incq", v->counter, "%0", "e");
18247 }
18248
18249 /**
18250@@ -124,7 +234,7 @@ static inline int atomic64_dec_and_test(atomic64_t *v)
18251 */
18252 static inline int atomic64_inc_and_test(atomic64_t *v)
18253 {
18254- GEN_UNARY_RMWcc(LOCK_PREFIX "incq", v->counter, "%0", "e");
18255+ GEN_UNARY_RMWcc(LOCK_PREFIX "incq", LOCK_PREFIX "decq", v->counter, "%0", "e");
18256 }
18257
18258 /**
18259@@ -138,7 +248,7 @@ static inline int atomic64_inc_and_test(atomic64_t *v)
18260 */
18261 static inline int atomic64_add_negative(long i, atomic64_t *v)
18262 {
18263- GEN_BINARY_RMWcc(LOCK_PREFIX "addq", v->counter, "er", i, "%0", "s");
18264+ GEN_BINARY_RMWcc(LOCK_PREFIX "addq", LOCK_PREFIX "subq", v->counter, "er", i, "%0", "s");
18265 }
18266
18267 /**
18268@@ -150,6 +260,18 @@ static inline int atomic64_add_negative(long i, atomic64_t *v)
18269 */
18270 static __always_inline long atomic64_add_return(long i, atomic64_t *v)
18271 {
18272+ return i + xadd_check_overflow(&v->counter, i);
18273+}
18274+
18275+/**
18276+ * atomic64_add_return_unchecked - add and return
18277+ * @i: integer value to add
18278+ * @v: pointer to type atomic64_unchecked_t
18279+ *
18280+ * Atomically adds @i to @v and returns @i + @v
18281+ */
18282+static __always_inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
18283+{
18284 return i + xadd(&v->counter, i);
18285 }
18286
18287@@ -159,6 +281,10 @@ static inline long atomic64_sub_return(long i, atomic64_t *v)
18288 }
18289
18290 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
18291+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
18292+{
18293+ return atomic64_add_return_unchecked(1, v);
18294+}
18295 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
18296
18297 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
18298@@ -166,6 +292,11 @@ static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
18299 return cmpxchg(&v->counter, old, new);
18300 }
18301
18302+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
18303+{
18304+ return cmpxchg(&v->counter, old, new);
18305+}
18306+
18307 static inline long atomic64_xchg(atomic64_t *v, long new)
18308 {
18309 return xchg(&v->counter, new);
18310@@ -182,17 +313,30 @@ static inline long atomic64_xchg(atomic64_t *v, long new)
18311 */
18312 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
18313 {
18314- long c, old;
18315+ long c, old, new;
18316 c = atomic64_read(v);
18317 for (;;) {
18318- if (unlikely(c == (u)))
18319+ if (unlikely(c == u))
18320 break;
18321- old = atomic64_cmpxchg((v), c, c + (a));
18322+
18323+ asm volatile("add %2,%0\n"
18324+
18325+#ifdef CONFIG_PAX_REFCOUNT
18326+ "jno 0f\n"
18327+ "sub %2,%0\n"
18328+ "int $4\n0:\n"
18329+ _ASM_EXTABLE(0b, 0b)
18330+#endif
18331+
18332+ : "=r" (new)
18333+ : "0" (c), "ir" (a));
18334+
18335+ old = atomic64_cmpxchg(v, c, new);
18336 if (likely(old == c))
18337 break;
18338 c = old;
18339 }
18340- return c != (u);
18341+ return c != u;
18342 }
18343
18344 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
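Review bot: The input constraint `"ir" (a)` in the new inline asm of `atomic64_add_unless()` accepts any 64-bit immediate, but a 64-bit `add` can only encode a sign-extended 32-bit one. A constant `a` outside that range would therefore fail at assembly time rather than being forced into a register. `atomic64_add_negative()` earlier in this file already passes `"er"` for the same kind of operand, so the last operand line should read `: "0" (c), "er" (a));`. The kernel-doc for this function could also mention that, with CONFIG_PAX_REFCOUNT, an overflowing `c + a` is undone and trapped instead of being written by the cmpxchg.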
18345diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
18346index e51a8f8..ee075df 100644
18347--- a/arch/x86/include/asm/barrier.h
18348+++ b/arch/x86/include/asm/barrier.h
18349@@ -57,7 +57,7 @@
18350 do { \
18351 compiletime_assert_atomic_type(*p); \
18352 smp_mb(); \
18353- ACCESS_ONCE(*p) = (v); \
18354+ ACCESS_ONCE_RW(*p) = (v); \
18355 } while (0)
18356
18357 #define smp_load_acquire(p) \
18358@@ -74,7 +74,7 @@ do { \
18359 do { \
18360 compiletime_assert_atomic_type(*p); \
18361 barrier(); \
18362- ACCESS_ONCE(*p) = (v); \
18363+ ACCESS_ONCE_RW(*p) = (v); \
18364 } while (0)
18365
18366 #define smp_load_acquire(p) \
18367diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h
18368index cfe3b95..d01b118 100644
18369--- a/arch/x86/include/asm/bitops.h
18370+++ b/arch/x86/include/asm/bitops.h
18371@@ -50,7 +50,7 @@
18372 * a mask operation on a byte.
18373 */
18374 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
18375-#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
18376+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
18377 #define CONST_MASK(nr) (1 << ((nr) & 7))
18378
18379 /**
18380@@ -203,7 +203,7 @@ static inline void change_bit(long nr, volatile unsigned long *addr)
18381 */
18382 static inline int test_and_set_bit(long nr, volatile unsigned long *addr)
18383 {
18384- GEN_BINARY_RMWcc(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", "c");
18385+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", "c");
18386 }
18387
18388 /**
18389@@ -249,7 +249,7 @@ static inline int __test_and_set_bit(long nr, volatile unsigned long *addr)
18390 */
18391 static inline int test_and_clear_bit(long nr, volatile unsigned long *addr)
18392 {
18393- GEN_BINARY_RMWcc(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", "c");
18394+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", "c");
18395 }
18396
18397 /**
18398@@ -302,7 +302,7 @@ static inline int __test_and_change_bit(long nr, volatile unsigned long *addr)
18399 */
18400 static inline int test_and_change_bit(long nr, volatile unsigned long *addr)
18401 {
18402- GEN_BINARY_RMWcc(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", "c");
18403+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", "c");
18404 }
18405
18406 static __always_inline int constant_test_bit(long nr, const volatile unsigned long *addr)
18407@@ -343,7 +343,7 @@ static int test_bit(int nr, const volatile unsigned long *addr);
18408 *
18409 * Undefined if no bit exists, so code should check against 0 first.
18410 */
18411-static inline unsigned long __ffs(unsigned long word)
18412+static inline unsigned long __intentional_overflow(-1) __ffs(unsigned long word)
18413 {
18414 asm("rep; bsf %1,%0"
18415 : "=r" (word)
18416@@ -357,7 +357,7 @@ static inline unsigned long __ffs(unsigned long word)
18417 *
18418 * Undefined if no zero exists, so code should check against ~0UL first.
18419 */
18420-static inline unsigned long ffz(unsigned long word)
18421+static inline unsigned long __intentional_overflow(-1) ffz(unsigned long word)
18422 {
18423 asm("rep; bsf %1,%0"
18424 : "=r" (word)
18425@@ -371,7 +371,7 @@ static inline unsigned long ffz(unsigned long word)
18426 *
18427 * Undefined if no set bit exists, so code should check against 0 first.
18428 */
18429-static inline unsigned long __fls(unsigned long word)
18430+static inline unsigned long __intentional_overflow(-1) __fls(unsigned long word)
18431 {
18432 asm("bsr %1,%0"
18433 : "=r" (word)
18434@@ -434,7 +434,7 @@ static inline int ffs(int x)
18435 * set bit if value is nonzero. The last (most significant) bit is
18436 * at position 32.
18437 */
18438-static inline int fls(int x)
18439+static inline int __intentional_overflow(-1) fls(int x)
18440 {
18441 int r;
18442
18443@@ -476,7 +476,7 @@ static inline int fls(int x)
18444 * at position 64.
18445 */
18446 #ifdef CONFIG_X86_64
18447-static __always_inline int fls64(__u64 x)
18448+static __always_inline __intentional_overflow(-1) int fls64(__u64 x)
18449 {
18450 int bitpos = -1;
18451 /*
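Review bot: The attribute placement in `fls64()` differs from the other annotated helpers in this file. `__ffs`, `ffz`, `__fls` and `fls` in the preceding hunks put `__intentional_overflow(-1)` after the return type, while here it sits before `int`. For consistency the line would read `static __always_inline int __intentional_overflow(-1) fls64(__u64 x)`. The body of `fls64()` continues outside this hunk.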
18452diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
18453index 4fa687a..4ca636f 100644
18454--- a/arch/x86/include/asm/boot.h
18455+++ b/arch/x86/include/asm/boot.h
18456@@ -6,7 +6,7 @@
18457 #include <uapi/asm/boot.h>
18458
18459 /* Physical address where kernel should be loaded. */
18460-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
18461+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
18462 + (CONFIG_PHYSICAL_ALIGN - 1)) \
18463 & ~(CONFIG_PHYSICAL_ALIGN - 1))
18464
18465diff --git a/arch/x86/include/asm/cache.h b/arch/x86/include/asm/cache.h
18466index 48f99f1..d78ebf9 100644
18467--- a/arch/x86/include/asm/cache.h
18468+++ b/arch/x86/include/asm/cache.h
18469@@ -5,12 +5,13 @@
18470
18471 /* L1 cache line size */
18472 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
18473-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
18474+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
18475
18476 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
18477+#define __read_only __attribute__((__section__(".data..read_only")))
18478
18479 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
18480-#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
18481+#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
18482
18483 #ifdef CONFIG_X86_VSMP
18484 #ifdef CONFIG_SMP
18485diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
18486index f50de69..2b0a458 100644
18487--- a/arch/x86/include/asm/checksum_32.h
18488+++ b/arch/x86/include/asm/checksum_32.h
18489@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
18490 int len, __wsum sum,
18491 int *src_err_ptr, int *dst_err_ptr);
18492
18493+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
18494+ int len, __wsum sum,
18495+ int *src_err_ptr, int *dst_err_ptr);
18496+
18497+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
18498+ int len, __wsum sum,
18499+ int *src_err_ptr, int *dst_err_ptr);
18500+
18501 /*
18502 * Note: when you get a NULL pointer exception here this means someone
18503 * passed in an incorrect kernel address to one of these functions.
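Review bot: The two new prototypes declare every pointer as a plain kernel pointer, so the direction that the `_to_user`/`_from_user` names promise is not checked by sparse. Declaring `const void __user *src` in `csum_partial_copy_generic_from_user()` and `void __user *dst` in `csum_partial_copy_generic_to_user()` would make the address space part of the contract. It would also let the `(__force void *)` casts at the two call sites changed further down this file be dropped. The assembly implementations are not visible here, so confirm they need no matching change. A one-line comment stating which argument is the user pointer would help either way.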
18504@@ -53,7 +61,7 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src,
18505
18506 might_sleep();
18507 stac();
18508- ret = csum_partial_copy_generic((__force void *)src, dst,
18509+ ret = csum_partial_copy_generic_from_user((__force void *)src, dst,
18510 len, sum, err_ptr, NULL);
18511 clac();
18512
18513@@ -187,7 +195,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
18514 might_sleep();
18515 if (access_ok(VERIFY_WRITE, dst, len)) {
18516 stac();
18517- ret = csum_partial_copy_generic(src, (__force void *)dst,
18518+ ret = csum_partial_copy_generic_to_user(src, (__force void *)dst,
18519 len, sum, NULL, err_ptr);
18520 clac();
18521 return ret;
18522diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h
18523index ad19841..0784041 100644
18524--- a/arch/x86/include/asm/cmpxchg.h
18525+++ b/arch/x86/include/asm/cmpxchg.h
18526@@ -14,8 +14,12 @@ extern void __cmpxchg_wrong_size(void)
18527 __compiletime_error("Bad argument size for cmpxchg");
18528 extern void __xadd_wrong_size(void)
18529 __compiletime_error("Bad argument size for xadd");
18530+extern void __xadd_check_overflow_wrong_size(void)
18531+ __compiletime_error("Bad argument size for xadd_check_overflow");
18532 extern void __add_wrong_size(void)
18533 __compiletime_error("Bad argument size for add");
18534+extern void __add_check_overflow_wrong_size(void)
18535+ __compiletime_error("Bad argument size for add_check_overflow");
18536
18537 /*
18538 * Constants for operation sizes. On 32-bit, the 64-bit size it set to
18539@@ -67,6 +71,38 @@ extern void __add_wrong_size(void)
18540 __ret; \
18541 })
18542
18543+#ifdef CONFIG_PAX_REFCOUNT
18544+#define __xchg_op_check_overflow(ptr, arg, op, lock) \
18545+ ({ \
18546+ __typeof__ (*(ptr)) __ret = (arg); \
18547+ switch (sizeof(*(ptr))) { \
18548+ case __X86_CASE_L: \
18549+ asm volatile (lock #op "l %0, %1\n" \
18550+ "jno 0f\n" \
18551+ "mov %0,%1\n" \
18552+ "int $4\n0:\n" \
18553+ _ASM_EXTABLE(0b, 0b) \
18554+ : "+r" (__ret), "+m" (*(ptr)) \
18555+ : : "memory", "cc"); \
18556+ break; \
18557+ case __X86_CASE_Q: \
18558+ asm volatile (lock #op "q %q0, %1\n" \
18559+ "jno 0f\n" \
18560+ "mov %0,%1\n" \
18561+ "int $4\n0:\n" \
18562+ _ASM_EXTABLE(0b, 0b) \
18563+ : "+r" (__ret), "+m" (*(ptr)) \
18564+ : : "memory", "cc"); \
18565+ break; \
18566+ default: \
18567+ __ ## op ## _check_overflow_wrong_size(); \
18568+ } \
18569+ __ret; \
18570+ })
18571+#else
18572+#define __xchg_op_check_overflow(ptr, arg, op, lock) __xchg_op(ptr, arg, op, lock)
18573+#endif
18574+
18575 /*
18576 * Note: no "lock" prefix even on SMP: xchg always implies lock anyway.
18577 * Since this is generally used to protect other memory information, we
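Review bot: In `__xchg_op_check_overflow` the rollback `"mov %0,%1\n"` is an ordinary store issued after the locked operation, so detection and undo are not one atomic step. Between the two instructions another CPU can read the overflowed value, and an update it makes in that window is overwritten by the store. That may be an accepted trade-off for a path that ends in `int $4`, but it should be written down next to the macro, e.g. `/* rollback is a plain store: a concurrent update between the locked op and the mov is lost */`. Separately, `__add_check_overflow_wrong_size()` is declared in the previous hunk but nothing in the visible part of this file references it.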
18578@@ -165,6 +201,9 @@ extern void __add_wrong_size(void)
18579 #define xadd_sync(ptr, inc) __xadd((ptr), (inc), "lock; ")
18580 #define xadd_local(ptr, inc) __xadd((ptr), (inc), "")
18581
18582+#define __xadd_check_overflow(ptr, inc, lock) __xchg_op_check_overflow((ptr), (inc), xadd, lock)
18583+#define xadd_check_overflow(ptr, inc) __xadd_check_overflow((ptr), (inc), LOCK_PREFIX)
18584+
18585 #define __add(ptr, inc, lock) \
18586 ({ \
18587 __typeof__ (*(ptr)) __ret = (inc); \
18588diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
18589index acdee09..a553db3 100644
18590--- a/arch/x86/include/asm/compat.h
18591+++ b/arch/x86/include/asm/compat.h
18592@@ -41,7 +41,7 @@ typedef s64 __attribute__((aligned(4))) compat_s64;
18593 typedef u32 compat_uint_t;
18594 typedef u32 compat_ulong_t;
18595 typedef u64 __attribute__((aligned(4))) compat_u64;
18596-typedef u32 compat_uptr_t;
18597+typedef u32 __user compat_uptr_t;
18598
18599 struct compat_timespec {
18600 compat_time_t tv_sec;
18601diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
18602index 3d6606f..300641d 100644
18603--- a/arch/x86/include/asm/cpufeature.h
18604+++ b/arch/x86/include/asm/cpufeature.h
18605@@ -214,7 +214,8 @@
18606 #define X86_FEATURE_PAUSEFILTER ( 8*32+13) /* AMD filtered pause intercept */
18607 #define X86_FEATURE_PFTHRESHOLD ( 8*32+14) /* AMD pause filter threshold */
18608 #define X86_FEATURE_VMMCALL ( 8*32+15) /* Prefer vmmcall to vmcall */
18609-
18610+#define X86_FEATURE_PCIDUDEREF ( 8*32+30) /* PaX PCID based UDEREF */
18611+#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */
18612
18613 /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
18614 #define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
18615@@ -222,7 +223,7 @@
18616 #define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */
18617 #define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */
18618 #define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */
18619-#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */
18620+#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Prevention */
18621 #define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit manipulation extensions */
18622 #define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */
18623 #define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */
18624@@ -401,6 +402,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
18625 #define cpu_has_eager_fpu boot_cpu_has(X86_FEATURE_EAGER_FPU)
18626 #define cpu_has_topoext boot_cpu_has(X86_FEATURE_TOPOEXT)
18627 #define cpu_has_bpext boot_cpu_has(X86_FEATURE_BPEXT)
18628+#define cpu_has_pcid boot_cpu_has(X86_FEATURE_PCID)
18629
18630 #if __GNUC__ >= 4
18631 extern void warn_pre_alternatives(void);
18632@@ -454,7 +456,8 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
18633
18634 #ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
18635 t_warn:
18636- warn_pre_alternatives();
18637+ if (bit != X86_FEATURE_PCID && bit != X86_FEATURE_INVPCID && bit != X86_FEATURE_PCIDUDEREF)
18638+ warn_pre_alternatives();
18639 return false;
18640 #endif
18641
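Review bot: The new condition in the `t_warn` path silently exempts `X86_FEATURE_PCID`, `X86_FEATURE_INVPCID` and `X86_FEATURE_PCIDUDEREF` from `warn_pre_alternatives()`, with no explanation of why these three bits may be tested early. Because this is the CONFIG_X86_DEBUG_STATIC_CPU_HAS diagnostic, an unexplained exemption makes it hard to tell a deliberate early caller from a masked bug. A comment such as `/* PCID-related bits are queried before alternatives are applied (which caller? — confirm) */` above the `if` would record the intent. The body of `__static_cpu_has()` starts and ends outside this hunk.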
18642@@ -475,7 +478,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
18643 ".section .discard,\"aw\",@progbits\n"
18644 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
18645 ".previous\n"
18646- ".section .altinstr_replacement,\"ax\"\n"
18647+ ".section .altinstr_replacement,\"a\"\n"
18648 "3: movb $1,%0\n"
18649 "4:\n"
18650 ".previous\n"
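Review bot: The section flags for `.altinstr_replacement` change from `"ax"` to `"a"` here and in the three following hunks of `_static_cpu_has_safe()`, and none of them says why an instruction-holding section loses its executable flag. A short comment at the first occurrence would do, e.g. `/* replacement bytes are only copied over the original site, never run in place, so the section need not be executable */`. Any other file that emits into `.altinstr_replacement` should use the same flags so the section is not declared with conflicting attributes; those files are not visible here.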
18651@@ -510,7 +513,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18652 " .byte 5f - 4f\n" /* repl len */
18653 " .byte 3b - 2b\n" /* pad len */
18654 ".previous\n"
18655- ".section .altinstr_replacement,\"ax\"\n"
18656+ ".section .altinstr_replacement,\"a\"\n"
18657 "4: jmp %l[t_no]\n"
18658 "5:\n"
18659 ".previous\n"
18660@@ -545,7 +548,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18661 ".section .discard,\"aw\",@progbits\n"
18662 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
18663 ".previous\n"
18664- ".section .altinstr_replacement,\"ax\"\n"
18665+ ".section .altinstr_replacement,\"a\"\n"
18666 "3: movb $0,%0\n"
18667 "4:\n"
18668 ".previous\n"
18669@@ -560,7 +563,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18670 ".section .discard,\"aw\",@progbits\n"
18671 " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */
18672 ".previous\n"
18673- ".section .altinstr_replacement,\"ax\"\n"
18674+ ".section .altinstr_replacement,\"a\"\n"
18675 "5: movb $1,%0\n"
18676 "6:\n"
18677 ".previous\n"
18678diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
18679index 4e10d73..7319a47 100644
18680--- a/arch/x86/include/asm/desc.h
18681+++ b/arch/x86/include/asm/desc.h
18682@@ -4,6 +4,7 @@
18683 #include <asm/desc_defs.h>
18684 #include <asm/ldt.h>
18685 #include <asm/mmu.h>
18686+#include <asm/pgtable.h>
18687
18688 #include <linux/smp.h>
18689 #include <linux/percpu.h>
18690@@ -17,6 +18,7 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
18691
18692 desc->type = (info->read_exec_only ^ 1) << 1;
18693 desc->type |= info->contents << 2;
18694+ desc->type |= info->seg_not_present ^ 1;
18695
18696 desc->s = 1;
18697 desc->dpl = 0x3;
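Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the Accessed bit, for every present segment, but the line carries no comment. The reason is presumably that the CPU then never has to write the bit back into the descriptor table when the segment is loaded, which matters if that table is mapped read-only; confirm and record it. A suitable comment is `/* pre-set Accessed on present segments so the CPU has no need to update the descriptor */`. `fill_ldt()` begins and ends outside this hunk.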
18698@@ -35,19 +37,14 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
18699 }
18700
18701 extern struct desc_ptr idt_descr;
18702-extern gate_desc idt_table[];
18703-extern struct desc_ptr debug_idt_descr;
18704-extern gate_desc debug_idt_table[];
18705-
18706-struct gdt_page {
18707- struct desc_struct gdt[GDT_ENTRIES];
18708-} __attribute__((aligned(PAGE_SIZE)));
18709-
18710-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
18711+extern gate_desc idt_table[IDT_ENTRIES];
18712+extern const struct desc_ptr debug_idt_descr;
18713+extern gate_desc debug_idt_table[IDT_ENTRIES];
18714
18715+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
18716 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
18717 {
18718- return per_cpu(gdt_page, cpu).gdt;
18719+ return cpu_gdt_table[cpu];
18720 }
18721
18722 #ifdef CONFIG_X86_64
18723@@ -72,8 +69,14 @@ static inline void pack_gate(gate_desc *gate, unsigned char type,
18724 unsigned long base, unsigned dpl, unsigned flags,
18725 unsigned short seg)
18726 {
18727- gate->a = (seg << 16) | (base & 0xffff);
18728- gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8);
18729+ gate->gate.offset_low = base;
18730+ gate->gate.seg = seg;
18731+ gate->gate.reserved = 0;
18732+ gate->gate.type = type;
18733+ gate->gate.s = 0;
18734+ gate->gate.dpl = dpl;
18735+ gate->gate.p = 1;
18736+ gate->gate.offset_high = base >> 16;
18737 }
18738
18739 #endif
18740@@ -118,12 +121,16 @@ static inline void paravirt_free_ldt(struct desc_struct *ldt, unsigned entries)
18741
18742 static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
18743 {
18744+ pax_open_kernel();
18745 memcpy(&idt[entry], gate, sizeof(*gate));
18746+ pax_close_kernel();
18747 }
18748
18749 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
18750 {
18751+ pax_open_kernel();
18752 memcpy(&ldt[entry], desc, 8);
18753+ pax_close_kernel();
18754 }
18755
18756 static inline void
18757@@ -137,7 +144,9 @@ native_write_gdt_entry(struct desc_struct *gdt, int entry, const void *desc, int
18758 default: size = sizeof(*gdt); break;
18759 }
18760
18761+ pax_open_kernel();
18762 memcpy(&gdt[entry], desc, size);
18763+ pax_close_kernel();
18764 }
18765
18766 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
18767@@ -210,7 +219,9 @@ static inline void native_set_ldt(const void *addr, unsigned int entries)
18768
18769 static inline void native_load_tr_desc(void)
18770 {
18771+ pax_open_kernel();
18772 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
18773+ pax_close_kernel();
18774 }
18775
18776 static inline void native_load_gdt(const struct desc_ptr *dtr)
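Review bot: `native_load_tr_desc()` now brackets a single `ltr` instruction with `pax_open_kernel()`/`pax_close_kernel()`, which looks odd next to the neighbouring hunks where the pair wraps an explicit `memcpy` into a descriptor table. The pair is needed because `ltr` marks the selected TSS descriptor busy, so it writes to the GDT as a side effect. Say that in a comment, e.g. `/* ltr sets the busy bit in the TSS descriptor, i.e. it writes to the GDT */`. Otherwise a later cleanup may remove the pair as redundant.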
18777@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
18778 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
18779 unsigned int i;
18780
18781+ pax_open_kernel();
18782 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
18783 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
18784+ pax_close_kernel();
18785 }
18786
18787 /* This intentionally ignores lm, since 32-bit apps don't have that field. */
18788@@ -280,7 +293,7 @@ static inline void clear_LDT(void)
18789 set_ldt(NULL, 0);
18790 }
18791
18792-static inline unsigned long get_desc_base(const struct desc_struct *desc)
18793+static inline unsigned long __intentional_overflow(-1) get_desc_base(const struct desc_struct *desc)
18794 {
18795 return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
18796 }
18797@@ -304,7 +317,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
18798 }
18799
18800 #ifdef CONFIG_X86_64
18801-static inline void set_nmi_gate(int gate, void *addr)
18802+static inline void set_nmi_gate(int gate, const void *addr)
18803 {
18804 gate_desc s;
18805
18806@@ -314,14 +327,14 @@ static inline void set_nmi_gate(int gate, void *addr)
18807 #endif
18808
18809 #ifdef CONFIG_TRACING
18810-extern struct desc_ptr trace_idt_descr;
18811-extern gate_desc trace_idt_table[];
18812+extern const struct desc_ptr trace_idt_descr;
18813+extern gate_desc trace_idt_table[IDT_ENTRIES];
18814 static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
18815 {
18816 write_idt_entry(trace_idt_table, entry, gate);
18817 }
18818
18819-static inline void _trace_set_gate(int gate, unsigned type, void *addr,
18820+static inline void _trace_set_gate(int gate, unsigned type, const void *addr,
18821 unsigned dpl, unsigned ist, unsigned seg)
18822 {
18823 gate_desc s;
18824@@ -341,7 +354,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
18825 #define _trace_set_gate(gate, type, addr, dpl, ist, seg)
18826 #endif
18827
18828-static inline void _set_gate(int gate, unsigned type, void *addr,
18829+static inline void _set_gate(int gate, unsigned type, const void *addr,
18830 unsigned dpl, unsigned ist, unsigned seg)
18831 {
18832 gate_desc s;
18833@@ -364,14 +377,14 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
18834 #define set_intr_gate_notrace(n, addr) \
18835 do { \
18836 BUG_ON((unsigned)n > 0xFF); \
18837- _set_gate(n, GATE_INTERRUPT, (void *)addr, 0, 0, \
18838+ _set_gate(n, GATE_INTERRUPT, (const void *)addr, 0, 0, \
18839 __KERNEL_CS); \
18840 } while (0)
18841
18842 #define set_intr_gate(n, addr) \
18843 do { \
18844 set_intr_gate_notrace(n, addr); \
18845- _trace_set_gate(n, GATE_INTERRUPT, (void *)trace_##addr,\
18846+ _trace_set_gate(n, GATE_INTERRUPT, (const void *)trace_##addr,\
18847 0, 0, __KERNEL_CS); \
18848 } while (0)
18849
18850@@ -399,19 +412,19 @@ static inline void alloc_system_vector(int vector)
18851 /*
18852 * This routine sets up an interrupt gate at directory privilege level 3.
18853 */
18854-static inline void set_system_intr_gate(unsigned int n, void *addr)
18855+static inline void set_system_intr_gate(unsigned int n, const void *addr)
18856 {
18857 BUG_ON((unsigned)n > 0xFF);
18858 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
18859 }
18860
18861-static inline void set_system_trap_gate(unsigned int n, void *addr)
18862+static inline void set_system_trap_gate(unsigned int n, const void *addr)
18863 {
18864 BUG_ON((unsigned)n > 0xFF);
18865 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
18866 }
18867
18868-static inline void set_trap_gate(unsigned int n, void *addr)
18869+static inline void set_trap_gate(unsigned int n, const void *addr)
18870 {
18871 BUG_ON((unsigned)n > 0xFF);
18872 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
18873@@ -420,16 +433,16 @@ static inline void set_trap_gate(unsigned int n, void *addr)
18874 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
18875 {
18876 BUG_ON((unsigned)n > 0xFF);
18877- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
18878+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
18879 }
18880
18881-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
18882+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
18883 {
18884 BUG_ON((unsigned)n > 0xFF);
18885 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
18886 }
18887
18888-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
18889+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
18890 {
18891 BUG_ON((unsigned)n > 0xFF);
18892 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
18893@@ -501,4 +514,17 @@ static inline void load_current_idt(void)
18894 else
18895 load_idt((const struct desc_ptr *)&idt_descr);
18896 }
18897+
18898+#ifdef CONFIG_X86_32
18899+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
18900+{
18901+ struct desc_struct d;
18902+
18903+ if (likely(limit))
18904+ limit = (limit - 1UL) >> PAGE_SHIFT;
18905+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
18906+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
18907+}
18908+#endif
18909+
18910 #endif /* _ASM_X86_DESC_H */
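Review bot: `set_user_cs()` passes the bare constants `0xFB` and `0xC` to `pack_descriptor()` and has no comment on its `limit` handling. Read against the descriptor layout, `0xFB` is present, DPL 3, code, execute/read, accessed, and `0xC` is 4 KiB granularity with a 32-bit default operand size; a comment such as `/* 0xFB: P, DPL3, code X/R, accessed; 0xC: G=1, D=1 */` would spell that out. The `limit == 0` case also deserves a line: the value is left at 0, which with page granularity still describes a segment covering the first 4 KiB from `base`, not an empty one. If callers rely on 0 meaning "no executable range", that should be confirmed against the callers, which are not visible here.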
18911diff --git a/arch/x86/include/asm/desc_defs.h b/arch/x86/include/asm/desc_defs.h
18912index 278441f..b95a174 100644
18913--- a/arch/x86/include/asm/desc_defs.h
18914+++ b/arch/x86/include/asm/desc_defs.h
18915@@ -31,6 +31,12 @@ struct desc_struct {
18916 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
18917 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
18918 };
18919+ struct {
18920+ u16 offset_low;
18921+ u16 seg;
18922+ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
18923+ unsigned offset_high: 16;
18924+ } gate;
18925 };
18926 } __attribute__((packed));
18927
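Review bot: The new anonymous `gate` view is added to the union inside `struct desc_struct` with no comment on which hardware format it overlays. It appears to be the 32-bit interrupt/trap/task gate layout that `pack_gate()` in desc.h fills in this patch, so a line such as `/* 32-bit gate descriptor view of the same 8 bytes */` above `struct {` would help. Since it must occupy exactly the same 8 bytes as the other members, a compile-time size check next to the definition would catch a field-width mistake. The enclosing struct starts outside this hunk.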
18928diff --git a/arch/x86/include/asm/div64.h b/arch/x86/include/asm/div64.h
18929index ced283a..ffe04cc 100644
18930--- a/arch/x86/include/asm/div64.h
18931+++ b/arch/x86/include/asm/div64.h
18932@@ -39,7 +39,7 @@
18933 __mod; \
18934 })
18935
18936-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
18937+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
18938 {
18939 union {
18940 u64 v64;
18941diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
18942index f161c18..97d43e8 100644
18943--- a/arch/x86/include/asm/elf.h
18944+++ b/arch/x86/include/asm/elf.h
18945@@ -75,9 +75,6 @@ typedef struct user_fxsr_struct elf_fpxregset_t;
18946
18947 #include <asm/vdso.h>
18948
18949-#ifdef CONFIG_X86_64
18950-extern unsigned int vdso64_enabled;
18951-#endif
18952 #if defined(CONFIG_X86_32) || defined(CONFIG_COMPAT)
18953 extern unsigned int vdso32_enabled;
18954 #endif
18955@@ -250,7 +247,25 @@ extern int force_personality32;
18956 the loader. We need to make sure that it is out of the way of the program
18957 that it will "exec", and that there is sufficient room for the brk. */
18958
18959+#ifdef CONFIG_PAX_SEGMEXEC
18960+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
18961+#else
18962 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
18963+#endif
18964+
18965+#ifdef CONFIG_PAX_ASLR
18966+#ifdef CONFIG_X86_32
18967+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
18968+
18969+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
18970+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
18971+#else
18972+#define PAX_ELF_ET_DYN_BASE 0x400000UL
18973+
18974+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
18975+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
18976+#endif
18977+#endif
18978
18979 /* This yields a mask that user programs can use to figure out what
18980 instruction set this CPU supports. This could be done in user space,
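Review bot: The new `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` macros have no comment stating their unit. From the names and values they look like a count of randomised bits at page granularity; confirm and add e.g. `/* number of random bits applied to the mmap/stack base (page granular) */`. The 32-bit variants also write `(current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)` without parentheses around the test, unlike the `ELF_ET_DYN_BASE` line a few lines above. It parses as intended, but `((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? 15 : 16)` would match the file and read unambiguously.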
18981@@ -299,17 +314,13 @@ do { \
18982
18983 #define ARCH_DLINFO \
18984 do { \
18985- if (vdso64_enabled) \
18986- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
18987- (unsigned long __force)current->mm->context.vdso); \
18988+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
18989 } while (0)
18990
18991 /* As a historical oddity, the x32 and x86_64 vDSOs are controlled together. */
18992 #define ARCH_DLINFO_X32 \
18993 do { \
18994- if (vdso64_enabled) \
18995- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
18996- (unsigned long __force)current->mm->context.vdso); \
18997+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
18998 } while (0)
18999
19000 #define AT_SYSINFO 32
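Review bot: With the `vdso64_enabled` test removed, both `ARCH_DLINFO` and `ARCH_DLINFO_X32` emit `AT_SYSINFO_EHDR` unconditionally. If `current->mm->context.vdso` can still be 0 (for instance when mapping the vDSO failed), the auxiliary vector now advertises a null base instead of omitting the entry. Either guard the entry with `if (current->mm->context.vdso)` or add a comment stating that the vDSO is always mapped in this configuration. The dropped `(unsigned long __force)` cast implies the field's type changes elsewhere in the patch, which is not visible in this hunk.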
19001@@ -324,10 +335,10 @@ else \
19002
19003 #endif /* !CONFIG_X86_32 */
19004
19005-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
19006+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
19007
19008 #define VDSO_ENTRY \
19009- ((unsigned long)current->mm->context.vdso + \
19010+ (current->mm->context.vdso + \
19011 selected_vdso32->sym___kernel_vsyscall)
19012
19013 struct linux_binprm;
19014diff --git a/arch/x86/include/asm/emergency-restart.h b/arch/x86/include/asm/emergency-restart.h
19015index 77a99ac..39ff7f5 100644
19016--- a/arch/x86/include/asm/emergency-restart.h
19017+++ b/arch/x86/include/asm/emergency-restart.h
19018@@ -1,6 +1,6 @@
19019 #ifndef _ASM_X86_EMERGENCY_RESTART_H
19020 #define _ASM_X86_EMERGENCY_RESTART_H
19021
19022-extern void machine_emergency_restart(void);
19023+extern void machine_emergency_restart(void) __noreturn;
19024
19025 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
19026diff --git a/arch/x86/include/asm/floppy.h b/arch/x86/include/asm/floppy.h
19027index 1c7eefe..d0e4702 100644
19028--- a/arch/x86/include/asm/floppy.h
19029+++ b/arch/x86/include/asm/floppy.h
19030@@ -229,18 +229,18 @@ static struct fd_routine_l {
19031 int (*_dma_setup)(char *addr, unsigned long size, int mode, int io);
19032 } fd_routine[] = {
19033 {
19034- request_dma,
19035- free_dma,
19036- get_dma_residue,
19037- dma_mem_alloc,
19038- hard_dma_setup
19039+ ._request_dma = request_dma,
19040+ ._free_dma = free_dma,
19041+ ._get_dma_residue = get_dma_residue,
19042+ ._dma_mem_alloc = dma_mem_alloc,
19043+ ._dma_setup = hard_dma_setup
19044 },
19045 {
19046- vdma_request_dma,
19047- vdma_nop,
19048- vdma_get_dma_residue,
19049- vdma_mem_alloc,
19050- vdma_dma_setup
19051+ ._request_dma = vdma_request_dma,
19052+ ._free_dma = vdma_nop,
19053+ ._get_dma_residue = vdma_get_dma_residue,
19054+ ._dma_mem_alloc = vdma_mem_alloc,
19055+ ._dma_setup = vdma_dma_setup
19056 }
19057 };
19058
19059diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
19060index 3c3550c..995858d 100644
19061--- a/arch/x86/include/asm/fpu/internal.h
19062+++ b/arch/x86/include/asm/fpu/internal.h
19063@@ -97,8 +97,11 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
19064 #define user_insn(insn, output, input...) \
19065 ({ \
19066 int err; \
19067+ pax_open_userland(); \
19068 asm volatile(ASM_STAC "\n" \
19069- "1:" #insn "\n\t" \
19070+ "1:" \
19071+ __copyuser_seg \
19072+ #insn "\n\t" \
19073 "2: " ASM_CLAC "\n" \
19074 ".section .fixup,\"ax\"\n" \
19075 "3: movl $-1,%[err]\n" \
19076@@ -107,6 +110,7 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
19077 _ASM_EXTABLE(1b, 3b) \
19078 : [err] "=r" (err), output \
19079 : "0"(0), input); \
19080+ pax_close_userland(); \
19081 err; \
19082 })
19083
19084@@ -186,9 +190,9 @@ static inline int copy_user_to_fregs(struct fregs_state __user *fx)
19085 static inline void copy_fxregs_to_kernel(struct fpu *fpu)
19086 {
19087 if (config_enabled(CONFIG_X86_32))
19088- asm volatile( "fxsave %[fx]" : [fx] "=m" (fpu->state.fxsave));
19089+ asm volatile( "fxsave %[fx]" : [fx] "=m" (fpu->state->fxsave));
19090 else if (config_enabled(CONFIG_AS_FXSAVEQ))
19091- asm volatile("fxsaveq %[fx]" : [fx] "=m" (fpu->state.fxsave));
19092+ asm volatile("fxsaveq %[fx]" : [fx] "=m" (fpu->state->fxsave));
19093 else {
19094 /* Using "rex64; fxsave %0" is broken because, if the memory
19095 * operand uses any extended registers for addressing, a second
19096@@ -212,8 +216,8 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
19097 * registers.
19098 */
19099 asm volatile( "rex64/fxsave (%[fx])"
19100- : "=m" (fpu->state.fxsave)
19101- : [fx] "R" (&fpu->state.fxsave));
19102+ : "=m" (fpu->state->fxsave)
19103+ : [fx] "R" (&fpu->state->fxsave));
19104 }
19105 }
19106
19107@@ -388,12 +392,16 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf)
19108 if (unlikely(err))
19109 return -EFAULT;
19110
19111+ pax_open_userland();
19112 __asm__ __volatile__(ASM_STAC "\n"
19113- "1:"XSAVE"\n"
19114+ "1:"
19115+ __copyuser_seg
19116+ XSAVE"\n"
19117 "2: " ASM_CLAC "\n"
19118 xstate_fault(err)
19119 : "D" (buf), "a" (-1), "d" (-1), "0" (err)
19120 : "memory");
19121+ pax_close_userland();
19122 return err;
19123 }
19124
19125@@ -402,17 +410,21 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf)
19126 */
19127 static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
19128 {
19129- struct xregs_state *xstate = ((__force struct xregs_state *)buf);
19130+ struct xregs_state *xstate = ((__force_kernel struct xregs_state *)buf);
19131 u32 lmask = mask;
19132 u32 hmask = mask >> 32;
19133 int err = 0;
19134
19135+ pax_open_userland();
19136 __asm__ __volatile__(ASM_STAC "\n"
19137- "1:"XRSTOR"\n"
19138+ "1:"
19139+ __copyuser_seg
19140+ XRSTOR"\n"
19141 "2: " ASM_CLAC "\n"
19142 xstate_fault(err)
19143 : "D" (xstate), "a" (lmask), "d" (hmask), "0" (err)
19144 : "memory"); /* memory required? */
19145+ pax_close_userland();
19146 return err;
19147 }
19148
19149@@ -429,7 +441,7 @@ static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
19150 static inline int copy_fpregs_to_fpstate(struct fpu *fpu)
19151 {
19152 if (likely(use_xsave())) {
19153- copy_xregs_to_kernel(&fpu->state.xsave);
19154+ copy_xregs_to_kernel(&fpu->state->xsave);
19155 return 1;
19156 }
19157
19158@@ -442,7 +454,7 @@ static inline int copy_fpregs_to_fpstate(struct fpu *fpu)
19159 * Legacy FPU register saving, FNSAVE always clears FPU registers,
19160 * so we have to mark them inactive:
19161 */
19162- asm volatile("fnsave %[fp]; fwait" : [fp] "=m" (fpu->state.fsave));
19163+ asm volatile("fnsave %[fp]; fwait" : [fp] "=m" (fpu->state->fsave));
19164
19165 return 0;
19166 }
19167@@ -471,7 +483,7 @@ static inline void copy_kernel_to_fpregs(union fpregs_state *fpstate)
19168 "fnclex\n\t"
19169 "emms\n\t"
19170 "fildl %P[addr]" /* set F?P to defined value */
19171- : : [addr] "m" (fpstate));
19172+ : : [addr] "m" (cpu_tss[raw_smp_processor_id()].x86_tss.sp0));
19173 }
19174
19175 __copy_kernel_to_fpregs(fpstate);
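Review bot: The `fildl` operand in copy_kernel_to_fpregs() now reads `cpu_tss[raw_smp_processor_id()].x86_tss.sp0`, but the only comment left is `set F?P to defined value`, which does not explain why a TSS field replaces `fpstate`. If the load is purely a dummy read, say so next to the operand, for example `/* dummy load from a word that is always mapped; only the side effect on F?P matters */`. The comment should also state whether a stale index from `raw_smp_processor_id()` is acceptable here, since the preemption context is not visible. The function starts before this hunk.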
19176@@ -643,7 +655,7 @@ switch_fpu_prepare(struct fpu *old_fpu, struct fpu *new_fpu, int cpu)
19177 static inline void switch_fpu_finish(struct fpu *new_fpu, fpu_switch_t fpu_switch)
19178 {
19179 if (fpu_switch.preload)
19180- copy_kernel_to_fpregs(&new_fpu->state);
19181+ copy_kernel_to_fpregs(new_fpu->state);
19182 }
19183
19184 /*
19185diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h
19186index c49c517..55ff1d0 100644
19187--- a/arch/x86/include/asm/fpu/types.h
19188+++ b/arch/x86/include/asm/fpu/types.h
19189@@ -287,10 +287,9 @@ struct fpu {
19190 * logic, which unconditionally saves/restores all FPU state
19191 * across context switches. (if FPU state exists.)
19192 */
19193- union fpregs_state state;
19194+ union fpregs_state *state;
19195 /*
19196- * WARNING: 'state' is dynamically-sized. Do not put
19197- * anything after it here.
19198+ * WARNING: 'state' is dynamically-sized.
19199 */
19200 };
19201
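Review bot: The comment kept under the member, `WARNING: 'state' is dynamically-sized.`, no longer describes the field, because `state` is now a fixed-size pointer and only the buffer it points to can vary in size. Reword it to something like `/* 'state' points to a separately allocated, dynamically-sized register save area. */`. Every accessor changed in fpu/internal.h in this patch dereferences `fpu->state` without a NULL check, so the comment should also say where the pointer is set up and that it is valid before the first save or restore. The allocation site is not visible in this hunk.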
19202diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
19203index b4c1f54..e290c08 100644
19204--- a/arch/x86/include/asm/futex.h
19205+++ b/arch/x86/include/asm/futex.h
19206@@ -12,6 +12,7 @@
19207 #include <asm/smap.h>
19208
19209 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
19210+ typecheck(u32 __user *, uaddr); \
19211 asm volatile("\t" ASM_STAC "\n" \
19212 "1:\t" insn "\n" \
19213 "2:\t" ASM_CLAC "\n" \
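Review bot: Adding `typecheck(u32 __user *, uaddr);` as a separate statement in front of `asm volatile(...)` turns `__futex_atomic_op1` into a two-statement macro that is not wrapped in `do { ... } while (0)`. The uses in futex_atomic_op_inuser() later in this file sit directly under `case` labels, so they work, but an unbraced `if` around the macro would guard only the typecheck. Wrap the body as `do { typecheck(u32 __user *, uaddr); asm volatile(...); } while (0)`. `__futex_atomic_op2` in the next hunk has the same shape, and the macro body continues past the end of this hunk.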
19214@@ -20,15 +21,16 @@
19215 "\tjmp\t2b\n" \
19216 "\t.previous\n" \
19217 _ASM_EXTABLE(1b, 3b) \
19218- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
19219+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr)) \
19220 : "i" (-EFAULT), "0" (oparg), "1" (0))
19221
19222 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
19223+ typecheck(u32 __user *, uaddr); \
19224 asm volatile("\t" ASM_STAC "\n" \
19225 "1:\tmovl %2, %0\n" \
19226 "\tmovl\t%0, %3\n" \
19227 "\t" insn "\n" \
19228- "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \
19229+ "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \
19230 "\tjnz\t1b\n" \
19231 "3:\t" ASM_CLAC "\n" \
19232 "\t.section .fixup,\"ax\"\n" \
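Review bot: In `__futex_atomic_op2` the `cmpxchgl` at label 2 gains `__copyuser_seg`, but the `movl %2, %0` at label 1 reads the same user operand `%2` and stays unprefixed. `__copyuser_seg` is defined outside this hunk, so this may be intentional. If the prefix is what routes the access to userland in some configuration, the load at label 1 would take the fixup path and return `-EFAULT` there. In that case the line should read `"1:\t" __copyuser_seg "movl %2, %0\n"`; otherwise add a comment saying why only the locked instruction needs the prefix.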
19233@@ -38,7 +40,7 @@
19234 _ASM_EXTABLE(1b, 4b) \
19235 _ASM_EXTABLE(2b, 4b) \
19236 : "=&a" (oldval), "=&r" (ret), \
19237- "+m" (*uaddr), "=&r" (tem) \
19238+ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
19239 : "r" (oparg), "i" (-EFAULT), "1" (0))
19240
19241 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19242@@ -57,12 +59,13 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19243
19244 pagefault_disable();
19245
19246+ pax_open_userland();
19247 switch (op) {
19248 case FUTEX_OP_SET:
19249- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
19250+ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
19251 break;
19252 case FUTEX_OP_ADD:
19253- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
19254+ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
19255 uaddr, oparg);
19256 break;
19257 case FUTEX_OP_OR:
19258@@ -77,6 +80,7 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19259 default:
19260 ret = -ENOSYS;
19261 }
19262+ pax_close_userland();
19263
19264 pagefault_enable();
19265
19266diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h
19267index 6615032..9c233be 100644
19268--- a/arch/x86/include/asm/hw_irq.h
19269+++ b/arch/x86/include/asm/hw_irq.h
19270@@ -158,8 +158,8 @@ static inline void unlock_vector_lock(void) {}
19271 #endif /* CONFIG_X86_LOCAL_APIC */
19272
19273 /* Statistics */
19274-extern atomic_t irq_err_count;
19275-extern atomic_t irq_mis_count;
19276+extern atomic_unchecked_t irq_err_count;
19277+extern atomic_unchecked_t irq_mis_count;
19278
19279 extern void elcr_set_level_irq(unsigned int irq);
19280
19281diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h
19282index ccffa53..3c90c87 100644
19283--- a/arch/x86/include/asm/i8259.h
19284+++ b/arch/x86/include/asm/i8259.h
19285@@ -62,7 +62,7 @@ struct legacy_pic {
19286 void (*init)(int auto_eoi);
19287 int (*irq_pending)(unsigned int irq);
19288 void (*make_irq)(unsigned int irq);
19289-};
19290+} __do_const;
19291
19292 extern struct legacy_pic *legacy_pic;
19293 extern struct legacy_pic null_legacy_pic;
19294diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h
19295index cc9c61b..7b17f40 100644
19296--- a/arch/x86/include/asm/io.h
19297+++ b/arch/x86/include/asm/io.h
19298@@ -42,6 +42,7 @@
19299 #include <asm/page.h>
19300 #include <asm/early_ioremap.h>
19301 #include <asm/pgtable_types.h>
19302+#include <asm/processor.h>
19303
19304 #define build_mmio_read(name, size, type, reg, barrier) \
19305 static inline type name(const volatile void __iomem *addr) \
19306@@ -54,12 +55,12 @@ static inline void name(type val, volatile void __iomem *addr) \
19307 "m" (*(volatile type __force *)addr) barrier); }
19308
19309 build_mmio_read(readb, "b", unsigned char, "=q", :"memory")
19310-build_mmio_read(readw, "w", unsigned short, "=r", :"memory")
19311-build_mmio_read(readl, "l", unsigned int, "=r", :"memory")
19312+build_mmio_read(__intentional_overflow(-1) readw, "w", unsigned short, "=r", :"memory")
19313+build_mmio_read(__intentional_overflow(-1) readl, "l", unsigned int, "=r", :"memory")
19314
19315 build_mmio_read(__readb, "b", unsigned char, "=q", )
19316-build_mmio_read(__readw, "w", unsigned short, "=r", )
19317-build_mmio_read(__readl, "l", unsigned int, "=r", )
19318+build_mmio_read(__intentional_overflow(-1) __readw, "w", unsigned short, "=r", )
19319+build_mmio_read(__intentional_overflow(-1) __readl, "l", unsigned int, "=r", )
19320
19321 build_mmio_write(writeb, "b", unsigned char, "q", :"memory")
19322 build_mmio_write(writew, "w", unsigned short, "r", :"memory")
19323@@ -115,7 +116,7 @@ build_mmio_write(writeq, "q", unsigned long, "r", :"memory")
19324 * this function
19325 */
19326
19327-static inline phys_addr_t virt_to_phys(volatile void *address)
19328+static inline phys_addr_t __intentional_overflow(-1) virt_to_phys(volatile void *address)
19329 {
19330 return __pa(address);
19331 }
19332@@ -192,7 +193,7 @@ static inline void __iomem *ioremap(resource_size_t offset, unsigned long size)
19333 return ioremap_nocache(offset, size);
19334 }
19335
19336-extern void iounmap(volatile void __iomem *addr);
19337+extern void iounmap(const volatile void __iomem *addr);
19338
19339 extern void set_iounmap_nonlazy(void);
19340
19341@@ -200,6 +201,17 @@ extern void set_iounmap_nonlazy(void);
19342
19343 #include <asm-generic/iomap.h>
19344
19345+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
19346+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
19347+{
19348+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
19349+}
19350+
19351+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
19352+{
19353+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
19354+}
19355+
19356 /*
19357 * Convert a virtual cached pointer to an uncached pointer
19358 */
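Review bot: `valid_phys_addr_range()` computes `addr + count + PAGE_SIZE - 1` in `unsigned long` before shifting, so a large `count` can wrap the sum to a small value that passes the comparison. `valid_mmap_phys_addr_range()` has the same problem with `pfn + (count >> PAGE_SHIFT)`. Reject the wrap first, e.g. `if (addr + count < addr) return 0;` at the top of the first function and `if (pfn + (count >> PAGE_SHIFT) < pfn) return 0;` in the second. The trailing `? 1 : 0` is redundant because the comparison already yields 0 or 1. Both functions also lack a comment stating that the bound is derived from `boot_cpu_data.x86_phys_bits`.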
19359diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h
19360index b77f5ed..a2f791e 100644
19361--- a/arch/x86/include/asm/irqflags.h
19362+++ b/arch/x86/include/asm/irqflags.h
19363@@ -137,6 +137,11 @@ static inline notrace unsigned long arch_local_irq_save(void)
19364 swapgs; \
19365 sysretl
19366
19367+#define GET_CR0_INTO_RDI mov %cr0, %rdi
19368+#define SET_RDI_INTO_CR0 mov %rdi, %cr0
19369+#define GET_CR3_INTO_RDI mov %cr3, %rdi
19370+#define SET_RDI_INTO_CR3 mov %rdi, %cr3
19371+
19372 #else
19373 #define INTERRUPT_RETURN iret
19374 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
19375diff --git a/arch/x86/include/asm/kprobes.h b/arch/x86/include/asm/kprobes.h
19376index 4421b5d..8543006 100644
19377--- a/arch/x86/include/asm/kprobes.h
19378+++ b/arch/x86/include/asm/kprobes.h
19379@@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
19380 #define RELATIVEJUMP_SIZE 5
19381 #define RELATIVECALL_OPCODE 0xe8
19382 #define RELATIVE_ADDR_SIZE 4
19383-#define MAX_STACK_SIZE 64
19384-#define MIN_STACK_SIZE(ADDR) \
19385- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
19386- THREAD_SIZE - (unsigned long)(ADDR))) \
19387- ? (MAX_STACK_SIZE) \
19388- : (((unsigned long)current_thread_info()) + \
19389- THREAD_SIZE - (unsigned long)(ADDR)))
19390+#define MAX_STACK_SIZE 64UL
19391+#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
19392
19393 #define flush_insn_slot(p) do { } while (0)
19394
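Review bot: `MIN_STACK_SIZE(ADDR)` subtracts in `unsigned long`, so if `ADDR` is ever above `current->thread.sp0` the difference wraps and `min()` returns the full `MAX_STACK_SIZE`. The old macro had the same property relative to the top of the thread stack, but the reference point is now `sp0`, and nothing in the hunk says that `ADDR` is always at or below it. Add a comment above the macro such as `/* ADDR must lie at or below current->thread.sp0 */`, or clamp explicitly if callers cannot guarantee it.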
19395diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h
19396index 4ad6560..75c7bdd 100644
19397--- a/arch/x86/include/asm/local.h
19398+++ b/arch/x86/include/asm/local.h
19399@@ -10,33 +10,97 @@ typedef struct {
19400 atomic_long_t a;
19401 } local_t;
19402
19403+typedef struct {
19404+ atomic_long_unchecked_t a;
19405+} local_unchecked_t;
19406+
19407 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
19408
19409 #define local_read(l) atomic_long_read(&(l)->a)
19410+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
19411 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
19412+#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
19413
19414 static inline void local_inc(local_t *l)
19415 {
19416- asm volatile(_ASM_INC "%0"
19417+ asm volatile(_ASM_INC "%0\n"
19418+
19419+#ifdef CONFIG_PAX_REFCOUNT
19420+ "jno 0f\n"
19421+ _ASM_DEC "%0\n"
19422+ "int $4\n0:\n"
19423+ _ASM_EXTABLE(0b, 0b)
19424+#endif
19425+
19426+ : "+m" (l->a.counter));
19427+}
19428+
19429+static inline void local_inc_unchecked(local_unchecked_t *l)
19430+{
19431+ asm volatile(_ASM_INC "%0\n"
19432 : "+m" (l->a.counter));
19433 }
19434
19435 static inline void local_dec(local_t *l)
19436 {
19437- asm volatile(_ASM_DEC "%0"
19438+ asm volatile(_ASM_DEC "%0\n"
19439+
19440+#ifdef CONFIG_PAX_REFCOUNT
19441+ "jno 0f\n"
19442+ _ASM_INC "%0\n"
19443+ "int $4\n0:\n"
19444+ _ASM_EXTABLE(0b, 0b)
19445+#endif
19446+
19447+ : "+m" (l->a.counter));
19448+}
19449+
19450+static inline void local_dec_unchecked(local_unchecked_t *l)
19451+{
19452+ asm volatile(_ASM_DEC "%0\n"
19453 : "+m" (l->a.counter));
19454 }
19455
19456 static inline void local_add(long i, local_t *l)
19457 {
19458- asm volatile(_ASM_ADD "%1,%0"
19459+ asm volatile(_ASM_ADD "%1,%0\n"
19460+
19461+#ifdef CONFIG_PAX_REFCOUNT
19462+ "jno 0f\n"
19463+ _ASM_SUB "%1,%0\n"
19464+ "int $4\n0:\n"
19465+ _ASM_EXTABLE(0b, 0b)
19466+#endif
19467+
19468+ : "+m" (l->a.counter)
19469+ : "ir" (i));
19470+}
19471+
19472+static inline void local_add_unchecked(long i, local_unchecked_t *l)
19473+{
19474+ asm volatile(_ASM_ADD "%1,%0\n"
19475 : "+m" (l->a.counter)
19476 : "ir" (i));
19477 }
19478
19479 static inline void local_sub(long i, local_t *l)
19480 {
19481- asm volatile(_ASM_SUB "%1,%0"
19482+ asm volatile(_ASM_SUB "%1,%0\n"
19483+
19484+#ifdef CONFIG_PAX_REFCOUNT
19485+ "jno 0f\n"
19486+ _ASM_ADD "%1,%0\n"
19487+ "int $4\n0:\n"
19488+ _ASM_EXTABLE(0b, 0b)
19489+#endif
19490+
19491+ : "+m" (l->a.counter)
19492+ : "ir" (i));
19493+}
19494+
19495+static inline void local_sub_unchecked(long i, local_unchecked_t *l)
19496+{
19497+ asm volatile(_ASM_SUB "%1,%0\n"
19498 : "+m" (l->a.counter)
19499 : "ir" (i));
19500 }
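Review bot: The overflow-trap sequence (`jno 0f`, the inverse operation, `int $4`, `_ASM_EXTABLE(0b, 0b)`) is pasted into local_inc(), local_dec(), local_add() and local_sub() with only the undo instruction changing, and local_add_return() in a later hunk repeats it again. A single helper macro that takes the undo instruction as its argument would keep the five copies from drifting apart. The new `local_*_unchecked()` functions in this hunk also have no comment. Each should carry one line such as `/* same as local_inc() but without the CONFIG_PAX_REFCOUNT overflow trap */`.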
19501@@ -52,7 +116,7 @@ static inline void local_sub(long i, local_t *l)
19502 */
19503 static inline int local_sub_and_test(long i, local_t *l)
19504 {
19505- GEN_BINARY_RMWcc(_ASM_SUB, l->a.counter, "er", i, "%0", "e");
19506+ GEN_BINARY_RMWcc(_ASM_SUB, _ASM_ADD, l->a.counter, "er", i, "%0", "e");
19507 }
19508
19509 /**
19510@@ -65,7 +129,7 @@ static inline int local_sub_and_test(long i, local_t *l)
19511 */
19512 static inline int local_dec_and_test(local_t *l)
19513 {
19514- GEN_UNARY_RMWcc(_ASM_DEC, l->a.counter, "%0", "e");
19515+ GEN_UNARY_RMWcc(_ASM_DEC, _ASM_INC, l->a.counter, "%0", "e");
19516 }
19517
19518 /**
19519@@ -78,7 +142,7 @@ static inline int local_dec_and_test(local_t *l)
19520 */
19521 static inline int local_inc_and_test(local_t *l)
19522 {
19523- GEN_UNARY_RMWcc(_ASM_INC, l->a.counter, "%0", "e");
19524+ GEN_UNARY_RMWcc(_ASM_INC, _ASM_DEC, l->a.counter, "%0", "e");
19525 }
19526
19527 /**
19528@@ -92,7 +156,7 @@ static inline int local_inc_and_test(local_t *l)
19529 */
19530 static inline int local_add_negative(long i, local_t *l)
19531 {
19532- GEN_BINARY_RMWcc(_ASM_ADD, l->a.counter, "er", i, "%0", "s");
19533+ GEN_BINARY_RMWcc(_ASM_ADD, _ASM_SUB, l->a.counter, "er", i, "%0", "s");
19534 }
19535
19536 /**
19537@@ -105,6 +169,30 @@ static inline int local_add_negative(long i, local_t *l)
19538 static inline long local_add_return(long i, local_t *l)
19539 {
19540 long __i = i;
19541+ asm volatile(_ASM_XADD "%0, %1\n"
19542+
19543+#ifdef CONFIG_PAX_REFCOUNT
19544+ "jno 0f\n"
19545+ _ASM_MOV "%0,%1\n"
19546+ "int $4\n0:\n"
19547+ _ASM_EXTABLE(0b, 0b)
19548+#endif
19549+
19550+ : "+r" (i), "+m" (l->a.counter)
19551+ : : "memory");
19552+ return i + __i;
19553+}
19554+
19555+/**
19556+ * local_add_return_unchecked - add and return
19557+ * @i: integer value to add
19558+ * @l: pointer to type local_unchecked_t
19559+ *
19560+ * Atomically adds @i to @l and returns @i + @l
19561+ */
19562+static inline long local_add_return_unchecked(long i, local_unchecked_t *l)
19563+{
19564+ long __i = i;
19565 asm volatile(_ASM_XADD "%0, %1;"
19566 : "+r" (i), "+m" (l->a.counter)
19567 : : "memory");
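Review bot: When the `xadd` in the checked local_add_return() overflows, the `_ASM_MOV "%0,%1\n"` writes the old value back to the counter, but the function still ends with `return i + __i`, which is the wrapped sum. If execution resumes at label `0` after `int $4` (the handler is not in this hunk), the caller gets a value that no longer matches what is stored in `l->a.counter`. Document that on the function, for example `/* on overflow the counter is left unchanged and the returned value is not meaningful */`, or return the restored value in that case. The checked asm also uses `\n` as separator while the unchecked copy keeps `;`, which is worth unifying.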
19568@@ -121,6 +209,8 @@ static inline long local_sub_return(long i, local_t *l)
19569
19570 #define local_cmpxchg(l, o, n) \
19571 (cmpxchg_local(&((l)->a.counter), (o), (n)))
19572+#define local_cmpxchg_unchecked(l, o, n) \
19573+ (cmpxchg_local(&((l)->a.counter), (o), (n)))
19574 /* Always has a lock prefix */
19575 #define local_xchg(l, n) (xchg(&((l)->a.counter), (n)))
19576
19577diff --git a/arch/x86/include/asm/mman.h b/arch/x86/include/asm/mman.h
19578new file mode 100644
19579index 0000000..2bfd3ba
19580--- /dev/null
19581+++ b/arch/x86/include/asm/mman.h
19582@@ -0,0 +1,15 @@
19583+#ifndef _X86_MMAN_H
19584+#define _X86_MMAN_H
19585+
19586+#include <uapi/asm/mman.h>
19587+
19588+#ifdef __KERNEL__
19589+#ifndef __ASSEMBLY__
19590+#ifdef CONFIG_X86_32
19591+#define arch_mmap_check i386_mmap_check
19592+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags);
19593+#endif
19594+#endif
19595+#endif
19596+
19597+#endif /* X86_MMAN_H */
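Review bot: The closing comment `/* X86_MMAN_H */` does not match the guard macro `_X86_MMAN_H` defined at the top of this new file. Make it `#endif /* _X86_MMAN_H */`, and label the three nested `#endif` lines (`/* CONFIG_X86_32 */`, `/* !__ASSEMBLY__ */`, `/* __KERNEL__ */`) so the nesting can be read without counting.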
19598diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
19599index 364d274..e51b4bc 100644
19600--- a/arch/x86/include/asm/mmu.h
19601+++ b/arch/x86/include/asm/mmu.h
19602@@ -17,7 +17,19 @@ typedef struct {
19603 #endif
19604
19605 struct mutex lock;
19606- void __user *vdso;
19607+ unsigned long vdso;
19608+
19609+#ifdef CONFIG_X86_32
19610+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19611+ unsigned long user_cs_base;
19612+ unsigned long user_cs_limit;
19613+
19614+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
19615+ cpumask_t cpu_user_cs_mask;
19616+#endif
19617+
19618+#endif
19619+#endif
19620
19621 atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */
19622 } mm_context_t;
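Review bot: Changing `vdso` from `void __user *` to `unsigned long` drops the `__user` annotation, so static checking can no longer flag a direct dereference of this address. The field needs a comment such as `/* user-space address of the vDSO; never dereference directly */`. The new `user_cs_base`, `user_cs_limit` and `cpu_user_cs_mask` members are also undocumented. `cpu_user_cs_mask` exists only under `CONFIG_PAX_PAGEEXEC && CONFIG_SMP`, while one use in mmu_context.h in this patch is guarded by `CONFIG_X86_32 && CONFIG_PAX_PAGEEXEC` and appears to rely on an enclosing `#ifdef CONFIG_SMP`, which is easy to break when that code is moved.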
19623diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
19624index 984abfe..f9bac8b 100644
19625--- a/arch/x86/include/asm/mmu_context.h
19626+++ b/arch/x86/include/asm/mmu_context.h
19627@@ -45,7 +45,7 @@ struct ldt_struct {
19628 * allocations, but it's not worth trying to optimize.
19629 */
19630 struct desc_struct *entries;
19631- int size;
19632+ unsigned int size;
19633 };
19634
19635 static inline void load_mm_ldt(struct mm_struct *mm)
19636@@ -86,6 +86,20 @@ void destroy_context(struct mm_struct *mm);
19637
19638 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
19639 {
19640+
19641+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19642+ if (!(static_cpu_has(X86_FEATURE_PCIDUDEREF))) {
19643+ unsigned int i;
19644+ pgd_t *pgd;
19645+
19646+ pax_open_kernel();
19647+ pgd = get_cpu_pgd(smp_processor_id(), kernel);
19648+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
19649+ set_pgd_batched(pgd+i, native_make_pgd(0));
19650+ pax_close_kernel();
19651+ }
19652+#endif
19653+
19654 #ifdef CONFIG_SMP
19655 if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
19656 this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
19657@@ -96,16 +110,59 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19658 struct task_struct *tsk)
19659 {
19660 unsigned cpu = smp_processor_id();
19661+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19662+ int tlbstate = TLBSTATE_OK;
19663+#endif
19664
19665 if (likely(prev != next)) {
19666 #ifdef CONFIG_SMP
19667+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19668+ tlbstate = this_cpu_read(cpu_tlbstate.state);
19669+#endif
19670 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
19671 this_cpu_write(cpu_tlbstate.active_mm, next);
19672 #endif
19673 cpumask_set_cpu(cpu, mm_cpumask(next));
19674
19675 /* Re-load page tables */
19676+#ifdef CONFIG_PAX_PER_CPU_PGD
19677+ pax_open_kernel();
19678+
19679+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19680+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF))
19681+ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
19682+ else
19683+#endif
19684+
19685+ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
19686+ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
19687+ pax_close_kernel();
19688+ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
19689+
19690+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19691+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
19692+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
19693+ u64 descriptor[2];
19694+ descriptor[0] = PCID_USER;
19695+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
19696+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) {
19697+ descriptor[0] = PCID_KERNEL;
19698+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
19699+ }
19700+ } else {
19701+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
19702+ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
19703+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
19704+ else
19705+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
19706+ }
19707+ } else
19708+#endif
19709+
19710+ load_cr3(get_cpu_pgd(cpu, kernel));
19711+#else
19712 load_cr3(next->pgd);
19713+#endif
19714 trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
19715
19716 /* Stop flush ipis for the previous mm */
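Review bot: `u64 descriptor[2]` is passed to the `__ASM_INVPCID` asm with only `descriptor[0]` assigned, so the second word handed to the instruction is stack residue. Even if that word is ignored for `INVPCID_SINGLE_CONTEXT`, initialise the whole array: `u64 descriptor[2] = { PCID_USER, 0 };`. The entire `CONFIG_PAX_PER_CPU_PGD` block in this hunk is repeated verbatim in the `else` branch added by the next hunk, so moving it into one static inline helper would keep the two copies identical. The unbraced `else` placed directly before `#endif` (twice here) binds to whatever statement follows the preprocessor block and deserves braces. switch_mm() starts and ends outside this hunk.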
19717@@ -128,9 +185,67 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19718 */
19719 if (unlikely(prev->context.ldt != next->context.ldt))
19720 load_mm_ldt(next);
19721+
19722+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
19723+ if (!(__supported_pte_mask & _PAGE_NX)) {
19724+ smp_mb__before_atomic();
19725+ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
19726+ smp_mb__after_atomic();
19727+ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
19728+ }
19729+#endif
19730+
19731+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19732+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
19733+ prev->context.user_cs_limit != next->context.user_cs_limit))
19734+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
19735+#ifdef CONFIG_SMP
19736+ else if (unlikely(tlbstate != TLBSTATE_OK))
19737+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
19738+#endif
19739+#endif
19740+
19741 }
19742+ else {
19743+
19744+#ifdef CONFIG_PAX_PER_CPU_PGD
19745+ pax_open_kernel();
19746+
19747+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19748+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF))
19749+ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
19750+ else
19751+#endif
19752+
19753+ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
19754+ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
19755+ pax_close_kernel();
19756+ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
19757+
19758+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19759+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
19760+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
19761+ u64 descriptor[2];
19762+ descriptor[0] = PCID_USER;
19763+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
19764+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) {
19765+ descriptor[0] = PCID_KERNEL;
19766+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
19767+ }
19768+ } else {
19769+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
19770+ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
19771+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
19772+ else
19773+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
19774+ }
19775+ } else
19776+#endif
19777+
19778+ load_cr3(get_cpu_pgd(cpu, kernel));
19779+#endif
19780+
19781 #ifdef CONFIG_SMP
19782- else {
19783 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
19784 BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
19785
19786@@ -147,13 +262,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19787 * tlb flush IPI delivery. We must reload CR3
19788 * to make sure to use no freed page tables.
19789 */
19790+
19791+#ifndef CONFIG_PAX_PER_CPU_PGD
19792 load_cr3(next->pgd);
19793 trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
19794+#endif
19795+
19796 load_mm_cr4(next);
19797 load_mm_ldt(next);
19798+
19799+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
19800+ if (!(__supported_pte_mask & _PAGE_NX))
19801+ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
19802+#endif
19803+
19804+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19805+#ifdef CONFIG_PAX_PAGEEXEC
19806+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
19807+#endif
19808+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
19809+#endif
19810+
19811 }
19812+#endif
19813 }
19814-#endif
19815 }
19816
19817 #define activate_mm(prev, next) \
19818diff --git a/arch/x86/include/asm/module.h b/arch/x86/include/asm/module.h
19819index e3b7819..b257c64 100644
19820--- a/arch/x86/include/asm/module.h
19821+++ b/arch/x86/include/asm/module.h
19822@@ -5,6 +5,7 @@
19823
19824 #ifdef CONFIG_X86_64
19825 /* X86_64 does not define MODULE_PROC_FAMILY */
19826+#define MODULE_PROC_FAMILY ""
19827 #elif defined CONFIG_M486
19828 #define MODULE_PROC_FAMILY "486 "
19829 #elif defined CONFIG_M586
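Review bot: The context comment `/* X86_64 does not define MODULE_PROC_FAMILY */` is left in place directly above the new `#define MODULE_PROC_FAMILY ""`, so it now contradicts the code. Replace it with something like `/* X86_64 has no processor-family tag; define it empty so MODULE_ARCH_VERMAGIC can be built unconditionally */`. That matches how the next hunk concatenates `MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF`.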
19830@@ -57,8 +58,20 @@
19831 #error unknown processor family
19832 #endif
19833
19834-#ifdef CONFIG_X86_32
19835-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
19836+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS
19837+#define MODULE_PAX_KERNEXEC "KERNEXEC_BTS "
19838+#elif defined(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR)
19839+#define MODULE_PAX_KERNEXEC "KERNEXEC_OR "
19840+#else
19841+#define MODULE_PAX_KERNEXEC ""
19842 #endif
19843
19844+#ifdef CONFIG_PAX_MEMORY_UDEREF
19845+#define MODULE_PAX_UDEREF "UDEREF "
19846+#else
19847+#define MODULE_PAX_UDEREF ""
19848+#endif
19849+
19850+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
19851+
19852 #endif /* _ASM_X86_MODULE_H */
19853diff --git a/arch/x86/include/asm/nmi.h b/arch/x86/include/asm/nmi.h
19854index 5f2fc44..106caa6 100644
19855--- a/arch/x86/include/asm/nmi.h
19856+++ b/arch/x86/include/asm/nmi.h
19857@@ -36,26 +36,35 @@ enum {
19858
19859 typedef int (*nmi_handler_t)(unsigned int, struct pt_regs *);
19860
19861+struct nmiaction;
19862+
19863+struct nmiwork {
19864+ const struct nmiaction *action;
19865+ u64 max_duration;
19866+ struct irq_work irq_work;
19867+};
19868+
19869 struct nmiaction {
19870 struct list_head list;
19871 nmi_handler_t handler;
19872- u64 max_duration;
19873- struct irq_work irq_work;
19874 unsigned long flags;
19875 const char *name;
19876-};
19877+ struct nmiwork *work;
19878+} __do_const;
19879
19880 #define register_nmi_handler(t, fn, fg, n, init...) \
19881 ({ \
19882- static struct nmiaction init fn##_na = { \
19883+ static struct nmiwork fn##_nw; \
19884+ static const struct nmiaction init fn##_na = { \
19885 .handler = (fn), \
19886 .name = (n), \
19887 .flags = (fg), \
19888+ .work = &fn##_nw, \
19889 }; \
19890 __register_nmi_handler((t), &fn##_na); \
19891 })
19892
19893-int __register_nmi_handler(unsigned int, struct nmiaction *);
19894+int __register_nmi_handler(unsigned int, const struct nmiaction *);
19895
19896 void unregister_nmi_handler(unsigned int, const char *);
19897
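Review bot: `register_nmi_handler()` now defines `fn##_na` as `static const struct nmiaction`, yet the structure still contains `struct list_head list`, which registration presumably has to link into a handler list. Writing to a member of an object defined `const` is undefined behaviour in plain C, so `__register_nmi_handler()` (defined outside this hunk) must perform the list update through some explicit write-enabling mechanism. That dependency should be stated next to the struct. A comment such as `/* instances are read-only after init; 'list' is only updated by the registration code, mutable per-handler state lives in 'work' */` would make the split between `nmiaction` and `nmiwork` clear.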
19898diff --git a/arch/x86/include/asm/page.h b/arch/x86/include/asm/page.h
19899index 802dde3..9183e68 100644
19900--- a/arch/x86/include/asm/page.h
19901+++ b/arch/x86/include/asm/page.h
19902@@ -52,6 +52,7 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr,
19903 __phys_addr_symbol(__phys_reloc_hide((unsigned long)(x)))
19904
19905 #define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET))
19906+#define __early_va(x) ((void *)((unsigned long)(x)+__START_KERNEL_map - phys_base))
19907
19908 #define __boot_va(x) __va(x)
19909 #define __boot_pa(x) __pa(x)
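Review bot: `__early_va()` is added to the shared page.h, but it expands to `__START_KERNEL_map` and `phys_base`, and the only declaration of `phys_base` visible in this patch is in page_64.h. If those symbols are 64-bit only, the macro belongs in page_64.h or under `#ifdef CONFIG_X86_64`, since as written a 32-bit user would fail only at the point of use. It also needs a one-line comment saying when it is valid, e.g. `/* physical to virtual through the kernel image mapping */`, if that is the intent.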
19910@@ -60,11 +61,21 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr,
19911 * virt_to_page(kaddr) returns a valid pointer if and only if
19912 * virt_addr_valid(kaddr) returns true.
19913 */
19914-#define virt_to_page(kaddr) pfn_to_page(__pa(kaddr) >> PAGE_SHIFT)
19915 #define pfn_to_kaddr(pfn) __va((pfn) << PAGE_SHIFT)
19916 extern bool __virt_addr_valid(unsigned long kaddr);
19917 #define virt_addr_valid(kaddr) __virt_addr_valid((unsigned long) (kaddr))
19918
19919+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
19920+#define virt_to_page(kaddr) \
19921+ ({ \
19922+ const void *__kaddr = (const void *)(kaddr); \
19923+ BUG_ON(!virt_addr_valid(__kaddr)); \
19924+ pfn_to_page(__pa(__kaddr) >> PAGE_SHIFT); \
19925+ })
19926+#else
19927+#define virt_to_page(kaddr) pfn_to_page(__pa(kaddr) >> PAGE_SHIFT)
19928+#endif
19929+
19930 #endif /* __ASSEMBLY__ */
19931
19932 #include <asm-generic/memory_model.h>
19933diff --git a/arch/x86/include/asm/page_32.h b/arch/x86/include/asm/page_32.h
19934index 904f528..b4d0d24 100644
19935--- a/arch/x86/include/asm/page_32.h
19936+++ b/arch/x86/include/asm/page_32.h
19937@@ -7,11 +7,17 @@
19938
19939 #define __phys_addr_nodebug(x) ((x) - PAGE_OFFSET)
19940 #ifdef CONFIG_DEBUG_VIRTUAL
19941-extern unsigned long __phys_addr(unsigned long);
19942+extern unsigned long __intentional_overflow(-1) __phys_addr(unsigned long);
19943 #else
19944-#define __phys_addr(x) __phys_addr_nodebug(x)
19945+static inline unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x)
19946+{
19947+ return __phys_addr_nodebug(x);
19948+}
19949 #endif
19950-#define __phys_addr_symbol(x) __phys_addr(x)
19951+static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long x)
19952+{
19953+ return __phys_addr(x);
19954+}
19955 #define __phys_reloc_hide(x) RELOC_HIDE((x), 0)
19956
19957 #ifdef CONFIG_FLATMEM
19958diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
19959index b3bebf9..cb419e7 100644
19960--- a/arch/x86/include/asm/page_64.h
19961+++ b/arch/x86/include/asm/page_64.h
19962@@ -7,9 +7,9 @@
19963
19964 /* duplicated to the one in bootmem.h */
19965 extern unsigned long max_pfn;
19966-extern unsigned long phys_base;
19967+extern const unsigned long phys_base;
19968
19969-static inline unsigned long __phys_addr_nodebug(unsigned long x)
19970+static inline unsigned long __intentional_overflow(-1) __phys_addr_nodebug(unsigned long x)
19971 {
19972 unsigned long y = x - __START_KERNEL_map;
19973
19974@@ -20,12 +20,14 @@ static inline unsigned long __phys_addr_nodebug(unsigned long x)
19975 }
19976
19977 #ifdef CONFIG_DEBUG_VIRTUAL
19978-extern unsigned long __phys_addr(unsigned long);
19979-extern unsigned long __phys_addr_symbol(unsigned long);
19980+extern unsigned long __intentional_overflow(-1) __phys_addr(unsigned long);
19981+extern unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long);
19982 #else
19983 #define __phys_addr(x) __phys_addr_nodebug(x)
19984-#define __phys_addr_symbol(x) \
19985- ((unsigned long)(x) - __START_KERNEL_map + phys_base)
19986+static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long x)
19987+{
19988+ return x - __START_KERNEL_map + phys_base;
19989+}
19990 #endif
19991
19992 #define __phys_reloc_hide(x) (x)
19993diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
19994index d143bfa..30d1f41 100644
19995--- a/arch/x86/include/asm/paravirt.h
19996+++ b/arch/x86/include/asm/paravirt.h
19997@@ -560,7 +560,7 @@ static inline pmd_t __pmd(pmdval_t val)
19998 return (pmd_t) { ret };
19999 }
20000
20001-static inline pmdval_t pmd_val(pmd_t pmd)
20002+static inline __intentional_overflow(-1) pmdval_t pmd_val(pmd_t pmd)
20003 {
20004 pmdval_t ret;
20005
20006@@ -626,6 +626,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
20007 val);
20008 }
20009
20010+static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
20011+{
20012+ pgdval_t val = native_pgd_val(pgd);
20013+
20014+ if (sizeof(pgdval_t) > sizeof(long))
20015+ PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
20016+ val, (u64)val >> 32);
20017+ else
20018+ PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
20019+ val);
20020+}
20021+
20022 static inline void pgd_clear(pgd_t *pgdp)
20023 {
20024 set_pgd(pgdp, __pgd(0));
20025@@ -710,6 +722,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx,
20026 pv_mmu_ops.set_fixmap(idx, phys, flags);
20027 }
20028
20029+#ifdef CONFIG_PAX_KERNEXEC
20030+static inline unsigned long pax_open_kernel(void)
20031+{
20032+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
20033+}
20034+
20035+static inline unsigned long pax_close_kernel(void)
20036+{
20037+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
20038+}
20039+#else
20040+static inline unsigned long pax_open_kernel(void) { return 0; }
20041+static inline unsigned long pax_close_kernel(void) { return 0; }
20042+#endif
20043+
20044 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
20045
20046 #ifdef CONFIG_QUEUED_SPINLOCKS
20047@@ -933,7 +960,7 @@ extern void default_banner(void);
20048
20049 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
20050 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
20051-#define PARA_INDIRECT(addr) *%cs:addr
20052+#define PARA_INDIRECT(addr) *%ss:addr
20053 #endif
20054
20055 #define INTERRUPT_RETURN \
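Review bot: The change of `PARA_INDIRECT` from `*%cs:addr` to `*%ss:addr` carries no comment, and the reason cannot be read off this hunk. The segment used to fetch an indirect call target decides which base and limit apply to that read, so this is a line a later cleanup could easily revert as a typo. Add a one-line comment above the define naming the configuration that makes `%cs` unsuitable for reading the ops table.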
20056@@ -1003,6 +1030,21 @@ extern void default_banner(void);
20057 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_usergs_sysret64), \
20058 CLBR_NONE, \
20059 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret64))
20060+
20061+#define GET_CR0_INTO_RDI \
20062+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
20063+ mov %rax,%rdi
20064+
20065+#define SET_RDI_INTO_CR0 \
20066+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
20067+
20068+#define GET_CR3_INTO_RDI \
20069+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
20070+ mov %rax,%rdi
20071+
20072+#define SET_RDI_INTO_CR3 \
20073+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
20074+
20075 #endif /* CONFIG_X86_32 */
20076
20077 #endif /* __ASSEMBLY__ */
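Review bot: The four new `GET_*_INTO_RDI` / `SET_RDI_INTO_*` macros emit a bare `call PARA_INDIRECT(...)` instead of going through `PARA_SITE(...)` like the `jmp` just above them, so they are presumably not recorded as patchable sites and always take the indirect call. They also overwrite `%rax` and `%rdi` (`mov %rax,%rdi`) in addition to whatever the callee clobbers, and none of that is documented. A comment such as `/* not a patch site; clobbers %rax, %rdi and the callee's caller-saved registers */` above the group would let assembly callers use them safely.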
20078diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h
20079index a6b8f9f..fd61ef7 100644
20080--- a/arch/x86/include/asm/paravirt_types.h
20081+++ b/arch/x86/include/asm/paravirt_types.h
20082@@ -84,7 +84,7 @@ struct pv_init_ops {
20083 */
20084 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
20085 unsigned long addr, unsigned len);
20086-};
20087+} __no_const __no_randomize_layout;
20088
20089
20090 struct pv_lazy_ops {
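Review bot: `pv_init_ops` is tagged `__no_const __no_randomize_layout`, and the later hunks in this file give the same pair to `pv_time_ops`, `pv_cpu_ops` and `pv_apic_ops` but only `__no_randomize_layout` to `pv_lazy_ops`, `pv_irq_ops`, `pv_mmu_ops` and `pv_lock_ops`, with no explanation of the split. These are function-pointer tables, so which of them stay writable at run time (presumably what `__no_const` permits) is the security-relevant part of the change. The comment added on `paravirt_patch_template` covers the layout attribute only; add one line per `__no_const` struct naming the code that has to write to it after init.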
20091@@ -92,13 +92,13 @@ struct pv_lazy_ops {
20092 void (*enter)(void);
20093 void (*leave)(void);
20094 void (*flush)(void);
20095-};
20096+} __no_randomize_layout;
20097
20098 struct pv_time_ops {
20099 unsigned long long (*sched_clock)(void);
20100 unsigned long long (*steal_clock)(int cpu);
20101 unsigned long (*get_tsc_khz)(void);
20102-};
20103+} __no_const __no_randomize_layout;
20104
20105 struct pv_cpu_ops {
20106 /* hooks for various privileged instructions */
20107@@ -193,7 +193,7 @@ struct pv_cpu_ops {
20108
20109 void (*start_context_switch)(struct task_struct *prev);
20110 void (*end_context_switch)(struct task_struct *next);
20111-};
20112+} __no_const __no_randomize_layout;
20113
20114 struct pv_irq_ops {
20115 /*
20116@@ -216,7 +216,7 @@ struct pv_irq_ops {
20117 #ifdef CONFIG_X86_64
20118 void (*adjust_exception_frame)(void);
20119 #endif
20120-};
20121+} __no_randomize_layout;
20122
20123 struct pv_apic_ops {
20124 #ifdef CONFIG_X86_LOCAL_APIC
20125@@ -224,7 +224,7 @@ struct pv_apic_ops {
20126 unsigned long start_eip,
20127 unsigned long start_esp);
20128 #endif
20129-};
20130+} __no_const __no_randomize_layout;
20131
20132 struct pv_mmu_ops {
20133 unsigned long (*read_cr2)(void);
20134@@ -314,6 +314,7 @@ struct pv_mmu_ops {
20135 struct paravirt_callee_save make_pud;
20136
20137 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
20138+ void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
20139 #endif /* CONFIG_PGTABLE_LEVELS == 4 */
20140 #endif /* CONFIG_PGTABLE_LEVELS >= 3 */
20141
20142@@ -325,7 +326,13 @@ struct pv_mmu_ops {
20143 an mfn. We can tell which is which from the index. */
20144 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
20145 phys_addr_t phys, pgprot_t flags);
20146-};
20147+
20148+#ifdef CONFIG_PAX_KERNEXEC
20149+ unsigned long (*pax_open_kernel)(void);
20150+ unsigned long (*pax_close_kernel)(void);
20151+#endif
20152+
20153+} __no_randomize_layout;
20154
20155 struct arch_spinlock;
20156 #ifdef CONFIG_SMP
20157@@ -347,11 +354,14 @@ struct pv_lock_ops {
20158 struct paravirt_callee_save lock_spinning;
20159 void (*unlock_kick)(struct arch_spinlock *lock, __ticket_t ticket);
20160 #endif /* !CONFIG_QUEUED_SPINLOCKS */
20161-};
20162+} __no_randomize_layout;
20163
20164 /* This contains all the paravirt structures: we get a convenient
20165 * number for each function using the offset which we use to indicate
20166- * what to patch. */
20167+ * what to patch.
20168+ * shouldn't be randomized due to the "NEAT TRICK" in paravirt.c
20169+ */
20170+
20171 struct paravirt_patch_template {
20172 struct pv_init_ops pv_init_ops;
20173 struct pv_time_ops pv_time_ops;
20174@@ -360,7 +370,7 @@ struct paravirt_patch_template {
20175 struct pv_apic_ops pv_apic_ops;
20176 struct pv_mmu_ops pv_mmu_ops;
20177 struct pv_lock_ops pv_lock_ops;
20178-};
20179+} __no_randomize_layout;
20180
20181 extern struct pv_info pv_info;
20182 extern struct pv_init_ops pv_init_ops;
20183diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h
20184index bf7f8b5..ca5799d 100644
20185--- a/arch/x86/include/asm/pgalloc.h
20186+++ b/arch/x86/include/asm/pgalloc.h
20187@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(struct mm_struct *mm,
20188 pmd_t *pmd, pte_t *pte)
20189 {
20190 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
20191+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
20192+}
20193+
20194+static inline void pmd_populate_user(struct mm_struct *mm,
20195+ pmd_t *pmd, pte_t *pte)
20196+{
20197+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
20198 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
20199 }
20200
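Review bot: `pmd_populate_kernel()` keeps its name but now installs `_KERNPG_TABLE` instead of `_PAGE_TABLE`, and the old behaviour moves to the new `pmd_populate_user()`. Any caller that used `pmd_populate_kernel()` for a table that must stay reachable from user mode changes behaviour without a compile error; those callers are outside this hunk and need an audit. A short comment on each function stating which flag set it installs and which mappings it is meant for would make the split hard to misuse.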
20201@@ -108,12 +115,22 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmd,
20202
20203 #ifdef CONFIG_X86_PAE
20204 extern void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd);
20205+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
20206+{
20207+ pud_populate(mm, pudp, pmd);
20208+}
20209 #else /* !CONFIG_X86_PAE */
20210 static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
20211 {
20212 paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
20213 set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)));
20214 }
20215+
20216+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
20217+{
20218+ paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
20219+ set_pud(pud, __pud(_KERNPG_TABLE | __pa(pmd)));
20220+}
20221 #endif /* CONFIG_X86_PAE */
20222
20223 #if CONFIG_PGTABLE_LEVELS > 3
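Review bot: Under `CONFIG_X86_PAE`, `pud_populate_kernel()` only forwards to `pud_populate()`, whereas the `!CONFIG_X86_PAE` variant a few lines below differs from `pud_populate()` by using `_KERNPG_TABLE`. Whether the out-of-line PAE `pud_populate()` needs no kernel/user distinction is not visible here, so the asymmetry looks like an omission to a reader. Add a comment on the PAE wrapper saying why forwarding is sufficient.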
20224@@ -123,6 +140,12 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
20225 set_pgd(pgd, __pgd(_PAGE_TABLE | __pa(pud)));
20226 }
20227
20228+static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
20229+{
20230+ paravirt_alloc_pud(mm, __pa(pud) >> PAGE_SHIFT);
20231+ set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(pud)));
20232+}
20233+
20234 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
20235 {
20236 return (pud_t *)get_zeroed_page(GFP_KERNEL|__GFP_REPEAT);
20237diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h
20238index fd74a11..98bd591 100644
20239--- a/arch/x86/include/asm/pgtable-2level.h
20240+++ b/arch/x86/include/asm/pgtable-2level.h
20241@@ -13,12 +13,16 @@
20242 */
20243 static inline void native_set_pte(pte_t *ptep , pte_t pte)
20244 {
20245+ pax_open_kernel();
20246 *ptep = pte;
20247+ pax_close_kernel();
20248 }
20249
20250 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
20251 {
20252+ pax_open_kernel();
20253 *pmdp = pmd;
20254+ pax_close_kernel();
20255 }
20256
20257 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
20258@@ -34,13 +38,20 @@ static inline void native_pmd_clear(pmd_t *pmdp)
20259 static inline void native_pte_clear(struct mm_struct *mm,
20260 unsigned long addr, pte_t *xp)
20261 {
20262+ pax_open_kernel();
20263 *xp = native_make_pte(0);
20264+ pax_close_kernel();
20265 }
20266
20267 #ifdef CONFIG_SMP
20268 static inline pte_t native_ptep_get_and_clear(pte_t *xp)
20269 {
20270- return __pte(xchg(&xp->pte_low, 0));
20271+ pte_t pte;
20272+
20273+ pax_open_kernel();
20274+ pte = __pte(xchg(&xp->pte_low, 0));
20275+ pax_close_kernel();
20276+ return pte;
20277 }
20278 #else
20279 #define native_ptep_get_and_clear(xp) native_local_ptep_get_and_clear(xp)
20280@@ -49,7 +60,12 @@ static inline pte_t native_ptep_get_and_clear(pte_t *xp)
20281 #ifdef CONFIG_SMP
20282 static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
20283 {
20284- return __pmd(xchg((pmdval_t *)xp, 0));
20285+ pmd_t pmd;
20286+
20287+ pax_open_kernel();
20288+ pmd = __pmd(xchg((pmdval_t *)xp, 0));
20289+ pax_close_kernel();
20290+ return pmd;
20291 }
20292 #else
20293 #define native_pmdp_get_and_clear(xp) native_local_pmdp_get_and_clear(xp)
20294diff --git a/arch/x86/include/asm/pgtable-3level.h b/arch/x86/include/asm/pgtable-3level.h
20295index cdaa58c..4038692 100644
20296--- a/arch/x86/include/asm/pgtable-3level.h
20297+++ b/arch/x86/include/asm/pgtable-3level.h
20298@@ -26,9 +26,11 @@
20299 */
20300 static inline void native_set_pte(pte_t *ptep, pte_t pte)
20301 {
20302+ pax_open_kernel();
20303 ptep->pte_high = pte.pte_high;
20304 smp_wmb();
20305 ptep->pte_low = pte.pte_low;
20306+ pax_close_kernel();
20307 }
20308
20309 #define pmd_read_atomic pmd_read_atomic
20310@@ -87,17 +89,23 @@ static inline pmd_t pmd_read_atomic(pmd_t *pmdp)
20311
20312 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
20313 {
20314+ pax_open_kernel();
20315 set_64bit((unsigned long long *)(ptep), native_pte_val(pte));
20316+ pax_close_kernel();
20317 }
20318
20319 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
20320 {
20321+ pax_open_kernel();
20322 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
20323+ pax_close_kernel();
20324 }
20325
20326 static inline void native_set_pud(pud_t *pudp, pud_t pud)
20327 {
20328+ pax_open_kernel();
20329 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
20330+ pax_close_kernel();
20331 }
20332
20333 /*
20334@@ -108,17 +116,22 @@ static inline void native_set_pud(pud_t *pudp, pud_t pud)
20335 static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
20336 pte_t *ptep)
20337 {
20338+ pax_open_kernel();
20339 ptep->pte_low = 0;
20340 smp_wmb();
20341 ptep->pte_high = 0;
20342+ pax_close_kernel();
20343 }
20344
20345 static inline void native_pmd_clear(pmd_t *pmd)
20346 {
20347 u32 *tmp = (u32 *)pmd;
20348+
20349+ pax_open_kernel();
20350 *tmp = 0;
20351 smp_wmb();
20352 *(tmp + 1) = 0;
20353+ pax_close_kernel();
20354 }
20355
20356 static inline void pud_clear(pud_t *pudp)
20357@@ -143,9 +156,11 @@ static inline pte_t native_ptep_get_and_clear(pte_t *ptep)
20358 pte_t res;
20359
20360 /* xchg acts as a barrier before the setting of the high bits */
20361+ pax_open_kernel();
20362 res.pte_low = xchg(&ptep->pte_low, 0);
20363 res.pte_high = ptep->pte_high;
20364 ptep->pte_high = 0;
20365+ pax_close_kernel();
20366
20367 return res;
20368 }
20369@@ -166,9 +181,11 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *pmdp)
20370 union split_pmd res, *orig = (union split_pmd *)pmdp;
20371
20372 /* xchg acts as a barrier before setting of the high bits */
20373+ pax_open_kernel();
20374 res.pmd_low = xchg(&orig->pmd_low, 0);
20375 res.pmd_high = orig->pmd_high;
20376 orig->pmd_high = 0;
20377+ pax_close_kernel();
20378
20379 return res.pmd;
20380 }
20381diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
20382index 867da5b..7ec083d 100644
20383--- a/arch/x86/include/asm/pgtable.h
20384+++ b/arch/x86/include/asm/pgtable.h
20385@@ -47,6 +47,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
20386
20387 #ifndef __PAGETABLE_PUD_FOLDED
20388 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
20389+#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
20390 #define pgd_clear(pgd) native_pgd_clear(pgd)
20391 #endif
20392
20393@@ -84,12 +85,53 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
20394
20395 #define arch_end_context_switch(prev) do {} while(0)
20396
20397+#define pax_open_kernel() native_pax_open_kernel()
20398+#define pax_close_kernel() native_pax_close_kernel()
20399 #endif /* CONFIG_PARAVIRT */
20400
20401+#define __HAVE_ARCH_PAX_OPEN_KERNEL
20402+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
20403+
20404+#ifdef CONFIG_PAX_KERNEXEC
20405+static inline unsigned long native_pax_open_kernel(void)
20406+{
20407+ unsigned long cr0;
20408+
20409+ preempt_disable();
20410+ barrier();
20411+ cr0 = read_cr0() ^ X86_CR0_WP;
20412+ BUG_ON(cr0 & X86_CR0_WP);
20413+ write_cr0(cr0);
20414+ barrier();
20415+ return cr0 ^ X86_CR0_WP;
20416+}
20417+
20418+static inline unsigned long native_pax_close_kernel(void)
20419+{
20420+ unsigned long cr0;
20421+
20422+ barrier();
20423+ cr0 = read_cr0() ^ X86_CR0_WP;
20424+ BUG_ON(!(cr0 & X86_CR0_WP));
20425+ write_cr0(cr0);
20426+ barrier();
20427+ preempt_enable_no_resched();
20428+ return cr0 ^ X86_CR0_WP;
20429+}
20430+#else
20431+static inline unsigned long native_pax_open_kernel(void) { return 0; }
20432+static inline unsigned long native_pax_close_kernel(void) { return 0; }
20433+#endif
20434+
20435 /*
20436 * The following only work if pte_present() is true.
20437 * Undefined behaviour if not..
20438 */
20439+static inline int pte_user(pte_t pte)
20440+{
20441+ return pte_val(pte) & _PAGE_USER;
20442+}
20443+
20444 static inline int pte_dirty(pte_t pte)
20445 {
20446 return pte_flags(pte) & _PAGE_DIRTY;
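Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` enforce strict pairing with `BUG_ON`, so a nested open or an unmatched close halts the kernel, but that contract is not written down anywhere in the hunk. Only preemption is disabled; nothing here masks interrupts, so a handler that runs inside the window executes with `CR0.WP` clear, and one that itself calls `pax_open_kernel()` would hit the first `BUG_ON` unless entry code elsewhere restores `WP`. Add a block comment above the pair stating that the calls do not nest, that the window must be kept short, and what is expected of interrupt context. The return value (the CR0 value before the toggle) is ignored by every caller visible in this patch section and should be documented or dropped.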
20447@@ -150,6 +192,11 @@ static inline unsigned long pud_pfn(pud_t pud)
20448 return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT;
20449 }
20450
20451+static inline unsigned long pgd_pfn(pgd_t pgd)
20452+{
20453+ return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT;
20454+}
20455+
20456 #define pte_page(pte) pfn_to_page(pte_pfn(pte))
20457
20458 static inline int pmd_large(pmd_t pte)
20459@@ -203,9 +250,29 @@ static inline pte_t pte_wrprotect(pte_t pte)
20460 return pte_clear_flags(pte, _PAGE_RW);
20461 }
20462
20463+static inline pte_t pte_mkread(pte_t pte)
20464+{
20465+ return __pte(pte_val(pte) | _PAGE_USER);
20466+}
20467+
20468 static inline pte_t pte_mkexec(pte_t pte)
20469 {
20470- return pte_clear_flags(pte, _PAGE_NX);
20471+#ifdef CONFIG_X86_PAE
20472+ if (__supported_pte_mask & _PAGE_NX)
20473+ return pte_clear_flags(pte, _PAGE_NX);
20474+ else
20475+#endif
20476+ return pte_set_flags(pte, _PAGE_USER);
20477+}
20478+
20479+static inline pte_t pte_exprotect(pte_t pte)
20480+{
20481+#ifdef CONFIG_X86_PAE
20482+ if (__supported_pte_mask & _PAGE_NX)
20483+ return pte_set_flags(pte, _PAGE_NX);
20484+ else
20485+#endif
20486+ return pte_clear_flags(pte, _PAGE_USER);
20487 }
20488
20489 static inline pte_t pte_mkdirty(pte_t pte)
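Review bot: In `pte_mkexec()` and `pte_exprotect()` the `_PAGE_NX` path is compiled only under `CONFIG_X86_PAE`, so every other build, which as far as this shared header shows includes 64-bit, falls through to setting or clearing `_PAGE_USER` and never touches `_PAGE_NX`. If any 64-bit caller exists, `pte_mkexec()` would leave the page non-executable and mark it user-accessible instead. The guard should mirror the one pgtable_types.h uses when defining `_PAGE_NX`: `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`. The `else` left dangling across `#endif` is also easy to misread; bracing both branches would help.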
20490@@ -426,6 +493,16 @@ pte_t *populate_extra_pte(unsigned long vaddr);
20491 #endif
20492
20493 #ifndef __ASSEMBLY__
20494+
20495+#ifdef CONFIG_PAX_PER_CPU_PGD
20496+extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD];
20497+enum cpu_pgd_type {kernel = 0, user = 1};
20498+static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type)
20499+{
20500+ return cpu_pgd[cpu][type];
20501+}
20502+#endif
20503+
20504 #include <linux/mm_types.h>
20505 #include <linux/mmdebug.h>
20506 #include <linux/log2.h>
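Review bot: `enum cpu_pgd_type {kernel = 0, user = 1};` puts the bare identifiers `kernel` and `user` into the global namespace of a header that most of the tree includes, where they can collide with a macro or file-scope name. Prefixed enumerators such as `enum cpu_pgd_type { CPU_PGD_KERNEL = 0, CPU_PGD_USER = 1 };` avoid that, with the callers (outside this hunk) updated to match. `get_cpu_pgd()` also indexes `cpu_pgd[cpu][type]` with no range check, so a comment should state that the caller guarantees `cpu < NR_CPUS`.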
20507@@ -577,7 +654,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud)
20508 * Currently stuck as a macro due to indirect forward reference to
20509 * linux/mmzone.h's __section_mem_map_addr() definition:
20510 */
20511-#define pud_page(pud) pfn_to_page(pud_val(pud) >> PAGE_SHIFT)
20512+#define pud_page(pud) pfn_to_page((pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT)
20513
20514 /* Find an entry in the second-level page table.. */
20515 static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
20516@@ -617,7 +694,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd)
20517 * Currently stuck as a macro due to indirect forward reference to
20518 * linux/mmzone.h's __section_mem_map_addr() definition:
20519 */
20520-#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT)
20521+#define pgd_page(pgd) pfn_to_page((pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT)
20522
20523 /* to find an entry in a page-table-directory. */
20524 static inline unsigned long pud_index(unsigned long address)
20525@@ -632,7 +709,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
20526
20527 static inline int pgd_bad(pgd_t pgd)
20528 {
20529- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
20530+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
20531 }
20532
20533 static inline int pgd_none(pgd_t pgd)
20534@@ -655,7 +732,12 @@ static inline int pgd_none(pgd_t pgd)
20535 * pgd_offset() returns a (pgd_t *)
20536 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
20537 */
20538-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
20539+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
20540+
20541+#ifdef CONFIG_PAX_PER_CPU_PGD
20542+#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address))
20543+#endif
20544+
20545 /*
20546 * a shortcut which implies the use of the kernel's pgd, instead
20547 * of a process's
20548@@ -666,6 +748,25 @@ static inline int pgd_none(pgd_t pgd)
20549 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
20550 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
20551
20552+#ifdef CONFIG_X86_32
20553+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
20554+#else
20555+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
20556+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
20557+
20558+#ifdef CONFIG_PAX_MEMORY_UDEREF
20559+#ifdef __ASSEMBLY__
20560+#define pax_user_shadow_base pax_user_shadow_base(%rip)
20561+#else
20562+extern unsigned long pax_user_shadow_base;
20563+extern pgdval_t clone_pgd_mask;
20564+#endif
20565+#else
20566+#define pax_user_shadow_base (0UL)
20567+#endif
20568+
20569+#endif
20570+
20571 #ifndef __ASSEMBLY__
20572
20573 extern int direct_gbpages;
20574@@ -832,11 +933,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
20575 * dst and src can be on the same page, but the range must not overlap,
20576 * and must not cross a page boundary.
20577 */
20578-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
20579+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
20580 {
20581- memcpy(dst, src, count * sizeof(pgd_t));
20582+ pax_open_kernel();
20583+ while (count--)
20584+ *dst++ = *src++;
20585+ pax_close_kernel();
20586 }
20587
20588+#ifdef CONFIG_PAX_PER_CPU_PGD
20589+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src);
20590+#endif
20591+
20592+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20593+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src);
20594+#else
20595+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) {}
20596+#endif
20597+
20598 #define PTE_SHIFT ilog2(PTRS_PER_PTE)
20599 static inline int page_level_shift(enum pg_level level)
20600 {
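Review bot: The copy loop in `clone_pgd_range()` is `while (count--)` with a signed `int count`, so a zero count is fine but a negative one keeps writing through `dst` until the counter wraps, and it does so inside the `pax_open_kernel()` window. The replaced `memcpy()` was no safer with a negative count, but since the loop is being rewritten anyway, `while (count-- > 0)` makes the bad input a no-op. The comment above the function should also mention that the copy now runs with kernel write protection lifted, which is presumably why callers should keep `count` small.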
20601diff --git a/arch/x86/include/asm/pgtable_32.h b/arch/x86/include/asm/pgtable_32.h
20602index b6c0b40..7b497ea 100644
20603--- a/arch/x86/include/asm/pgtable_32.h
20604+++ b/arch/x86/include/asm/pgtable_32.h
20605@@ -25,9 +25,6 @@
20606 struct mm_struct;
20607 struct vm_area_struct;
20608
20609-extern pgd_t swapper_pg_dir[1024];
20610-extern pgd_t initial_page_table[1024];
20611-
20612 static inline void pgtable_cache_init(void) { }
20613 static inline void check_pgt_cache(void) { }
20614 void paging_init(void);
20615@@ -45,6 +42,12 @@ void paging_init(void);
20616 # include <asm/pgtable-2level.h>
20617 #endif
20618
20619+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
20620+extern pgd_t initial_page_table[PTRS_PER_PGD];
20621+#ifdef CONFIG_X86_PAE
20622+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
20623+#endif
20624+
20625 #if defined(CONFIG_HIGHPTE)
20626 #define pte_offset_map(dir, address) \
20627 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
20628@@ -65,6 +68,9 @@ do { \
20629
20630 #endif /* !__ASSEMBLY__ */
20631
20632+#define HAVE_ARCH_UNMAPPED_AREA
20633+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
20634+
20635 /*
20636 * kern_addr_valid() is (1) for FLATMEM and (0) for
20637 * SPARSEMEM and DISCONTIGMEM
20638diff --git a/arch/x86/include/asm/pgtable_32_types.h b/arch/x86/include/asm/pgtable_32_types.h
20639index 9fb2f2b..8e18c70 100644
20640--- a/arch/x86/include/asm/pgtable_32_types.h
20641+++ b/arch/x86/include/asm/pgtable_32_types.h
20642@@ -8,7 +8,7 @@
20643 */
20644 #ifdef CONFIG_X86_PAE
20645 # include <asm/pgtable-3level_types.h>
20646-# define PMD_SIZE (1UL << PMD_SHIFT)
20647+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
20648 # define PMD_MASK (~(PMD_SIZE - 1))
20649 #else
20650 # include <asm/pgtable-2level_types.h>
20651@@ -46,6 +46,28 @@ extern bool __vmalloc_start_set; /* set once high_memory is set */
20652 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
20653 #endif
20654
20655+#ifdef CONFIG_PAX_KERNEXEC
20656+#ifndef __ASSEMBLY__
20657+extern unsigned char MODULES_EXEC_VADDR[];
20658+extern unsigned char MODULES_EXEC_END[];
20659+
20660+extern unsigned char __LOAD_PHYSICAL_ADDR[];
20661+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
20662+static inline unsigned long __intentional_overflow(-1) ktla_ktva(unsigned long addr)
20663+{
20664+ return addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET;
20665+
20666+}
20667+static inline unsigned long __intentional_overflow(-1) ktva_ktla(unsigned long addr)
20668+{
20669+ return addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET;
20670+}
20671+#endif
20672+#else
20673+#define ktla_ktva(addr) (addr)
20674+#define ktva_ktla(addr) (addr)
20675+#endif
20676+
20677 #define MODULES_VADDR VMALLOC_START
20678 #define MODULES_END VMALLOC_END
20679 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
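Review bot: `ktla_ktva()` and `ktva_ktla()` are typed inline functions on `unsigned long` under `CONFIG_PAX_KERNEXEC`, but the fallback is `#define ktla_ktva(addr) (addr)`, which passes the argument through with whatever type it had. Code that hands in a pointer therefore compiles only in the non-KERNEXEC configuration, and the helpers are not defined at all for assembly when KERNEXEC is on. Neither name is explained; add a comment stating what the two address spaces are and which direction each helper converts. The stray blank line before the closing brace of `ktla_ktva()` can go.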
20680diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
20681index 2ee7811..c985cfd 100644
20682--- a/arch/x86/include/asm/pgtable_64.h
20683+++ b/arch/x86/include/asm/pgtable_64.h
20684@@ -16,11 +16,17 @@
20685
20686 extern pud_t level3_kernel_pgt[512];
20687 extern pud_t level3_ident_pgt[512];
20688+extern pud_t level3_vmalloc_start_pgt[512];
20689+extern pud_t level3_vmalloc_end_pgt[512];
20690+extern pud_t level3_vmemmap_pgt[512];
20691+extern pud_t level2_vmemmap_pgt[512];
20692 extern pmd_t level2_kernel_pgt[512];
20693 extern pmd_t level2_fixmap_pgt[512];
20694-extern pmd_t level2_ident_pgt[512];
20695-extern pte_t level1_fixmap_pgt[512];
20696-extern pgd_t init_level4_pgt[];
20697+extern pmd_t level2_ident_pgt[2][512];
20698+extern pte_t level1_modules_pgt[4][512];
20699+extern pte_t level1_fixmap_pgt[3][512];
20700+extern pte_t level1_vsyscall_pgt[512];
20701+extern pgd_t init_level4_pgt[512];
20702
20703 #define swapper_pg_dir init_level4_pgt
20704
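Review bot: `level2_vmemmap_pgt` is declared as `pud_t [512]`, while every other `level2_*` table in this list (`level2_kernel_pgt`, `level2_fixmap_pgt`, `level2_ident_pgt`) is `pmd_t`. The definition is not in this hunk, so this may only be a declaration typo, but a mismatch between the extern and the definition is not diagnosed across translation units. If the table is a PMD-level one, the line should read `extern pmd_t level2_vmemmap_pgt[512];`. The new array dimensions (`[2][512]`, `[4][512]`, `[3][512]`) would also be easier to keep in sync with their definitions as named constants.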
20705@@ -47,12 +53,16 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte);
20706 static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
20707 pte_t *ptep)
20708 {
20709+ pax_open_kernel();
20710 *ptep = native_make_pte(0);
20711+ pax_close_kernel();
20712 }
20713
20714 static inline void native_set_pte(pte_t *ptep, pte_t pte)
20715 {
20716+ pax_open_kernel();
20717 *ptep = pte;
20718+ pax_close_kernel();
20719 }
20720
20721 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
20722@@ -62,7 +72,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
20723
20724 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
20725 {
20726+ pax_open_kernel();
20727 *pmdp = pmd;
20728+ pax_close_kernel();
20729 }
20730
20731 static inline void native_pmd_clear(pmd_t *pmd)
20732@@ -73,7 +85,12 @@ static inline void native_pmd_clear(pmd_t *pmd)
20733 static inline pte_t native_ptep_get_and_clear(pte_t *xp)
20734 {
20735 #ifdef CONFIG_SMP
20736- return native_make_pte(xchg(&xp->pte, 0));
20737+ pte_t pte;
20738+
20739+ pax_open_kernel();
20740+ pte = native_make_pte(xchg(&xp->pte, 0));
20741+ pax_close_kernel();
20742+ return pte;
20743 #else
20744 /* native_local_ptep_get_and_clear,
20745 but duplicated because of cyclic dependency */
20746@@ -86,7 +103,12 @@ static inline pte_t native_ptep_get_and_clear(pte_t *xp)
20747 static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
20748 {
20749 #ifdef CONFIG_SMP
20750- return native_make_pmd(xchg(&xp->pmd, 0));
20751+ pmd_t pmd;
20752+
20753+ pax_open_kernel();
20754+ pmd = native_make_pmd(xchg(&xp->pmd, 0));
20755+ pax_close_kernel();
20756+ return pmd;
20757 #else
20758 /* native_local_pmdp_get_and_clear,
20759 but duplicated because of cyclic dependency */
20760@@ -98,7 +120,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
20761
20762 static inline void native_set_pud(pud_t *pudp, pud_t pud)
20763 {
20764+ pax_open_kernel();
20765 *pudp = pud;
20766+ pax_close_kernel();
20767 }
20768
20769 static inline void native_pud_clear(pud_t *pud)
20770@@ -108,6 +132,13 @@ static inline void native_pud_clear(pud_t *pud)
20771
20772 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
20773 {
20774+ pax_open_kernel();
20775+ *pgdp = pgd;
20776+ pax_close_kernel();
20777+}
20778+
20779+static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
20780+{
20781 *pgdp = pgd;
20782 }
20783
20784diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h
20785index e6844df..432b56e 100644
20786--- a/arch/x86/include/asm/pgtable_64_types.h
20787+++ b/arch/x86/include/asm/pgtable_64_types.h
20788@@ -60,11 +60,16 @@ typedef struct { pteval_t pte; } pte_t;
20789 #define MODULES_VADDR (__START_KERNEL_map + KERNEL_IMAGE_SIZE)
20790 #define MODULES_END _AC(0xffffffffff000000, UL)
20791 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
20792+#define MODULES_EXEC_VADDR MODULES_VADDR
20793+#define MODULES_EXEC_END MODULES_END
20794 #define ESPFIX_PGD_ENTRY _AC(-2, UL)
20795 #define ESPFIX_BASE_ADDR (ESPFIX_PGD_ENTRY << PGDIR_SHIFT)
20796 #define EFI_VA_START ( -4 * (_AC(1, UL) << 30))
20797 #define EFI_VA_END (-68 * (_AC(1, UL) << 30))
20798
20799+#define ktla_ktva(addr) (addr)
20800+#define ktva_ktla(addr) (addr)
20801+
20802 #define EARLY_DYNAMIC_PAGE_TABLES 64
20803
20804 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
20805diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
20806index 13f310b..f0ef42e 100644
20807--- a/arch/x86/include/asm/pgtable_types.h
20808+++ b/arch/x86/include/asm/pgtable_types.h
20809@@ -85,8 +85,10 @@
20810
20811 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20812 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
20813-#else
20814+#elif defined(CONFIG_KMEMCHECK) || defined(CONFIG_MEM_SOFT_DIRTY)
20815 #define _PAGE_NX (_AT(pteval_t, 0))
20816+#else
20817+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
20818 #endif
20819
20820 #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE)
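Review bot: On builds that are neither 64-bit nor PAE, `_PAGE_NX` changes from 0 to the software bit `_PAGE_BIT_HIDDEN` unless `CONFIG_KMEMCHECK` or `CONFIG_MEM_SOFT_DIRTY` is set, and the hunk does not say why those two options are the exception. Every expression built on `_PAGE_NX`, such as `__PAGE_KERNEL` a few lines below, then carries a bit that the hardware does not interpret as no-execute. Add a comment explaining that this is a software-only marker and why it is disabled for the two options (presumably they use the same bit).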
20821@@ -141,6 +143,9 @@ enum page_cache_mode {
20822 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
20823 _PAGE_ACCESSED)
20824
20825+#define PAGE_READONLY_NOEXEC PAGE_READONLY
20826+#define PAGE_SHARED_NOEXEC PAGE_SHARED
20827+
20828 #define __PAGE_KERNEL_EXEC \
20829 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
20830 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
20831@@ -148,7 +153,7 @@ enum page_cache_mode {
20832 #define __PAGE_KERNEL_RO (__PAGE_KERNEL & ~_PAGE_RW)
20833 #define __PAGE_KERNEL_RX (__PAGE_KERNEL_EXEC & ~_PAGE_RW)
20834 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_NOCACHE)
20835-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
20836+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
20837 #define __PAGE_KERNEL_VVAR (__PAGE_KERNEL_RO | _PAGE_USER)
20838 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
20839 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
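Review bot: After this change `__PAGE_KERNEL_VSYSCALL` expands to exactly the same value as `__PAGE_KERNEL_VVAR` on the next line, `(__PAGE_KERNEL_RO | _PAGE_USER)`, so the vsyscall page is no longer mapped executable. Any mode that executes code directly from that page would fault; whether such a mode is disabled elsewhere in the patch is not visible here. A comment on the define, e.g. `/* not executable: vsyscalls are expected to be emulated */` if that is the intent, would explain why the two macros are kept separate.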
20840@@ -194,7 +199,7 @@ enum page_cache_mode {
20841 #ifdef CONFIG_X86_64
20842 #define __PAGE_KERNEL_IDENT_LARGE_EXEC __PAGE_KERNEL_LARGE_EXEC
20843 #else
20844-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
20845+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
20846 #define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
20847 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
20848 #endif
20849@@ -233,7 +238,17 @@ static inline pgdval_t pgd_flags(pgd_t pgd)
20850 {
20851 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
20852 }
20853+#endif
20854
20855+#if CONFIG_PGTABLE_LEVELS == 3
20856+#include <asm-generic/pgtable-nopud.h>
20857+#endif
20858+
20859+#if CONFIG_PGTABLE_LEVELS == 2
20860+#include <asm-generic/pgtable-nopmd.h>
20861+#endif
20862+
20863+#ifndef __ASSEMBLY__
20864 #if CONFIG_PGTABLE_LEVELS > 3
20865 typedef struct { pudval_t pud; } pud_t;
20866
20867@@ -247,8 +262,6 @@ static inline pudval_t native_pud_val(pud_t pud)
20868 return pud.pud;
20869 }
20870 #else
20871-#include <asm-generic/pgtable-nopud.h>
20872-
20873 static inline pudval_t native_pud_val(pud_t pud)
20874 {
20875 return native_pgd_val(pud.pgd);
20876@@ -268,8 +281,6 @@ static inline pmdval_t native_pmd_val(pmd_t pmd)
20877 return pmd.pmd;
20878 }
20879 #else
20880-#include <asm-generic/pgtable-nopmd.h>
20881-
20882 static inline pmdval_t native_pmd_val(pmd_t pmd)
20883 {
20884 return native_pgd_val(pmd.pud.pgd);
20885@@ -362,7 +373,6 @@ typedef struct page *pgtable_t;
20886
20887 extern pteval_t __supported_pte_mask;
20888 extern void set_nx(void);
20889-extern int nx_enabled;
20890
20891 #define pgprot_writecombine pgprot_writecombine
20892 extern pgprot_t pgprot_writecombine(pgprot_t prot);
20893diff --git a/arch/x86/include/asm/preempt.h b/arch/x86/include/asm/preempt.h
20894index dca71714..919d4e1 100644
20895--- a/arch/x86/include/asm/preempt.h
20896+++ b/arch/x86/include/asm/preempt.h
20897@@ -84,7 +84,7 @@ static __always_inline void __preempt_count_sub(int val)
20898 */
20899 static __always_inline bool __preempt_count_dec_and_test(void)
20900 {
20901- GEN_UNARY_RMWcc("decl", __preempt_count, __percpu_arg(0), "e");
20902+ GEN_UNARY_RMWcc("decl", "incl", __preempt_count, __percpu_arg(0), "e");
20903 }
20904
20905 /*
20906diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
20907index 944f178..37097a3 100644
20908--- a/arch/x86/include/asm/processor.h
20909+++ b/arch/x86/include/asm/processor.h
20910@@ -102,7 +102,7 @@ struct cpuinfo_x86 {
20911 int x86_tlbsize;
20912 #endif
20913 __u8 x86_virt_bits;
20914- __u8 x86_phys_bits;
20915+ __u8 x86_phys_bits __intentional_overflow(-1);
20916 /* CPUID returned core id bits: */
20917 __u8 x86_coreid_bits;
20918 /* Max extended CPUID function supported: */
20919@@ -136,7 +136,7 @@ struct cpuinfo_x86 {
20920 /* Index into per_cpu list: */
20921 u16 cpu_index;
20922 u32 microcode;
20923-};
20924+} __randomize_layout;
20925
20926 #define X86_VENDOR_INTEL 0
20927 #define X86_VENDOR_CYRIX 1
20928@@ -206,9 +206,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
20929 : "memory");
20930 }
20931
20932+/* invpcid (%rdx),%rax */
20933+#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02"
20934+
20935+#define INVPCID_SINGLE_ADDRESS 0UL
20936+#define INVPCID_SINGLE_CONTEXT 1UL
20937+#define INVPCID_ALL_GLOBAL 2UL
20938+#define INVPCID_ALL_NONGLOBAL 3UL
20939+
20940+#define PCID_KERNEL 0UL
20941+#define PCID_USER 1UL
20942+#define PCID_NOFLUSH (1UL << 63)
20943+
20944 static inline void load_cr3(pgd_t *pgdir)
20945 {
20946- write_cr3(__pa(pgdir));
20947+ write_cr3(__pa(pgdir) | PCID_KERNEL);
20948 }
20949
20950 #ifdef CONFIG_X86_32
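Review bot: `PCID_NOFLUSH` is defined as `(1UL << 63)` ahead of the `#ifdef CONFIG_X86_32` that ends this hunk, so it is visible to 32-bit builds, where `unsigned long` is 32 bits wide and the shift exceeds the type width. The INVPCID and PCID constants should sit inside an `#ifdef CONFIG_X86_64` block, or the define should not exist for 32-bit at all. `__ASM_INVPCID` hard-codes the operands as raw bytes, so its comment should also state that callers must place the descriptor address in `%rdx` and the type in `%rax`.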
20951@@ -305,11 +317,9 @@ struct tss_struct {
20952
20953 } ____cacheline_aligned;
20954
20955-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss);
20956+extern struct tss_struct cpu_tss[NR_CPUS];
20957
20958-#ifdef CONFIG_X86_32
20959 DECLARE_PER_CPU(unsigned long, cpu_current_top_of_stack);
20960-#endif
20961
20962 /*
20963 * Save the original ist values for checking stack pointers during debugging
20964@@ -381,6 +391,7 @@ struct thread_struct {
20965 unsigned short ds;
20966 unsigned short fsindex;
20967 unsigned short gsindex;
20968+ unsigned short ss;
20969 #endif
20970 #ifdef CONFIG_X86_32
20971 unsigned long ip;
20972@@ -463,10 +474,10 @@ static inline void native_swapgs(void)
20973 #endif
20974 }
20975
20976-static inline unsigned long current_top_of_stack(void)
20977+static inline unsigned long current_top_of_stack(unsigned int cpu)
20978 {
20979 #ifdef CONFIG_X86_64
20980- return this_cpu_read_stable(cpu_tss.x86_tss.sp0);
20981+ return cpu_tss[cpu].x86_tss.sp0;
20982 #else
20983 /* sp0 on x86_32 is special in and around vm86 mode. */
20984 return this_cpu_read_stable(cpu_current_top_of_stack);
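Review bot: `current_top_of_stack(cpu)` honours its new argument only on the `CONFIG_X86_64` branch; the x86_32 branch still reads the current CPU's `cpu_current_top_of_stack`, so a caller passing any other CPU gets an architecture-dependent answer. The 64-bit branch also indexes `cpu_tss[cpu]` with no range check, and it is not visible from this hunk whether every caller passes a value below `NR_CPUS` with preemption disabled. A contract comment would settle both, e.g. `/* cpu must be the current CPU, preemption off; ignored on x86_32 */`. The function body continues past the end of this hunk.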
20985@@ -709,20 +720,30 @@ static inline void spin_lock_prefetch(const void *x)
20986 #define TOP_OF_INIT_STACK ((unsigned long)&init_stack + sizeof(init_stack) - \
20987 TOP_OF_KERNEL_STACK_PADDING)
20988
20989+extern union fpregs_state init_fpregs_state;
20990+
20991 #ifdef CONFIG_X86_32
20992 /*
20993 * User space process size: 3GB (default).
20994 */
20995 #define TASK_SIZE PAGE_OFFSET
20996 #define TASK_SIZE_MAX TASK_SIZE
20997+
20998+#ifdef CONFIG_PAX_SEGMEXEC
20999+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
21000+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
21001+#else
21002 #define STACK_TOP TASK_SIZE
21003-#define STACK_TOP_MAX STACK_TOP
21004+#endif
21005+
21006+#define STACK_TOP_MAX TASK_SIZE
21007
21008 #define INIT_THREAD { \
21009 .sp0 = TOP_OF_INIT_STACK, \
21010 .vm86_info = NULL, \
21011 .sysenter_cs = __KERNEL_CS, \
21012 .io_bitmap_ptr = NULL, \
21013+ .fpu.state = &init_fpregs_state, \
21014 }
21015
21016 extern unsigned long thread_saved_pc(struct task_struct *tsk);
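Review bot: With `CONFIG_PAX_SEGMEXEC` the 32-bit `STACK_TOP` changes from a constant into an expression that dereferences `current->mm` without a NULL check. Whether every expansion runs in a context where `current->mm` is set cannot be told from this hunk; if any user is reachable from a kernel thread the test needs a guard such as `(current->mm && (current->mm->pax_flags & MF_PAX_SEGMEXEC))`. At minimum, a comment stating that `STACK_TOP` now requires a task with an mm would document the new precondition.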
21017@@ -737,12 +758,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21018 * "struct pt_regs" is possible, but they may contain the
21019 * completely wrong values.
21020 */
21021-#define task_pt_regs(task) \
21022-({ \
21023- unsigned long __ptr = (unsigned long)task_stack_page(task); \
21024- __ptr += THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING; \
21025- ((struct pt_regs *)__ptr) - 1; \
21026-})
21027+#define task_pt_regs(tsk) ((struct pt_regs *)(tsk)->thread.sp0 - 1)
21028
21029 #define KSTK_ESP(task) (task_pt_regs(task)->sp)
21030
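Review bot: `task_pt_regs()` now derives the register frame from `(tsk)->thread.sp0` instead of from the stack page, so it is only correct while `thread.sp0` points at the top of the task's kernel stack. This hunk looks to be in the x86_32 half of the header, and the comment kept in `current_top_of_stack()` earlier in this file says sp0 on x86_32 is special in and around vm86 mode; if `thread.sp0` is changed there, the macro would return a frame at the wrong address. Please state the invariant next to the macro, e.g. `/* relies on thread.sp0 always being the top of the kernel stack, vm86 included */`, or point to where that is guaranteed.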
21031@@ -756,13 +772,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21032 * particular problem by preventing anything from being mapped
21033 * at the maximum canonical address.
21034 */
21035-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
21036+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
21037
21038 /* This decides where the kernel will search for a free chunk of vm
21039 * space during mmap's.
21040 */
21041 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
21042- 0xc0000000 : 0xFFFFe000)
21043+ 0xc0000000 : 0xFFFFf000)
21044
21045 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \
21046 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
21047@@ -773,7 +789,8 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21048 #define STACK_TOP_MAX TASK_SIZE_MAX
21049
21050 #define INIT_THREAD { \
21051- .sp0 = TOP_OF_INIT_STACK \
21052+ .sp0 = TOP_OF_INIT_STACK, \
21053+ .fpu.state = &init_fpregs_state, \
21054 }
21055
21056 /*
21057@@ -796,6 +813,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
21058 */
21059 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
21060
21061+#ifdef CONFIG_PAX_SEGMEXEC
21062+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
21063+#endif
21064+
21065 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
21066
21067 /* Get/set a process' ability to use the timestamp counter instruction */
21068@@ -841,7 +862,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)
21069 return 0;
21070 }
21071
21072-extern unsigned long arch_align_stack(unsigned long sp);
21073+#define arch_align_stack(x) ((x) & ~0xfUL)
21074 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
21075
21076 void default_idle(void);
21077@@ -851,6 +872,6 @@ bool xen_set_default_idle(void);
21078 #define xen_set_default_idle 0
21079 #endif
21080
21081-void stop_this_cpu(void *dummy);
21082+void stop_this_cpu(void *dummy) __noreturn;
21083 void df_debug(struct pt_regs *regs, long error_code);
21084 #endif /* _ASM_X86_PROCESSOR_H */
21085diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
21086index 5fabf13..7f90572 100644
21087--- a/arch/x86/include/asm/ptrace.h
21088+++ b/arch/x86/include/asm/ptrace.h
21089@@ -21,10 +21,10 @@ struct pt_regs {
21090 unsigned long fs;
21091 unsigned long gs;
21092 unsigned long orig_ax;
21093- unsigned long ip;
21094+ unsigned long ip __intentional_overflow(-1);
21095 unsigned long cs;
21096 unsigned long flags;
21097- unsigned long sp;
21098+ unsigned long sp __intentional_overflow(-1);
21099 unsigned long ss;
21100 };
21101
21102@@ -57,10 +57,10 @@ struct pt_regs {
21103 */
21104 unsigned long orig_ax;
21105 /* Return frame for iretq */
21106- unsigned long ip;
21107+ unsigned long ip __intentional_overflow(-1);
21108 unsigned long cs;
21109 unsigned long flags;
21110- unsigned long sp;
21111+ unsigned long sp __intentional_overflow(-1);
21112 unsigned long ss;
21113 /* top of stack page */
21114 };
21115@@ -125,15 +125,16 @@ static inline int v8086_mode(struct pt_regs *regs)
21116 #ifdef CONFIG_X86_64
21117 static inline bool user_64bit_mode(struct pt_regs *regs)
21118 {
21119+ unsigned long cs = regs->cs & 0xffff;
21120 #ifndef CONFIG_PARAVIRT
21121 /*
21122 * On non-paravirt systems, this is the only long mode CPL 3
21123 * selector. We do not allow long mode selectors in the LDT.
21124 */
21125- return regs->cs == __USER_CS;
21126+ return cs == __USER_CS;
21127 #else
21128 /* Headers are too twisted for this to go in paravirt.h. */
21129- return regs->cs == __USER_CS || regs->cs == pv_info.extra_user_64bit_cs;
21130+ return cs == __USER_CS || cs == pv_info.extra_user_64bit_cs;
21131 #endif
21132 }
21133
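Review bot: The literal `0xffff` mask on `regs->cs` is introduced here in `user_64bit_mode()` and again in the `regs_get_register()` hunk below, with no name and no comment saying why the upper bits of the saved `cs` slot may differ from the selector. A named constant, or a comment such as `/* compare the 16-bit selector only; the upper bits of the saved cs slot are not part of it */` at both sites, would keep later `regs->cs` comparisons from being written unmasked. Other comparisons against `regs->cs` are not visible from these hunks, so it should be checked that none was left unmasked.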
21134@@ -180,9 +181,11 @@ static inline unsigned long regs_get_register(struct pt_regs *regs,
21135 * Traps from the kernel do not save sp and ss.
21136 * Use the helper function to retrieve sp.
21137 */
21138- if (offset == offsetof(struct pt_regs, sp) &&
21139- regs->cs == __KERNEL_CS)
21140- return kernel_stack_pointer(regs);
21141+ if (offset == offsetof(struct pt_regs, sp)) {
21142+ unsigned long cs = regs->cs & 0xffff;
21143+ if (cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS)
21144+ return kernel_stack_pointer(regs);
21145+ }
21146 #endif
21147 return *(unsigned long *)((unsigned long)regs + offset);
21148 }
21149diff --git a/arch/x86/include/asm/qrwlock.h b/arch/x86/include/asm/qrwlock.h
21150index ae0e241..e80b10b 100644
21151--- a/arch/x86/include/asm/qrwlock.h
21152+++ b/arch/x86/include/asm/qrwlock.h
21153@@ -7,8 +7,8 @@
21154 #define queue_write_unlock queue_write_unlock
21155 static inline void queue_write_unlock(struct qrwlock *lock)
21156 {
21157- barrier();
21158- ACCESS_ONCE(*(u8 *)&lock->cnts) = 0;
21159+ barrier();
21160+ ACCESS_ONCE_RW(*(u8 *)&lock->cnts) = 0;
21161 }
21162 #endif
21163
21164diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h
21165index 9c6b890..5305f53 100644
21166--- a/arch/x86/include/asm/realmode.h
21167+++ b/arch/x86/include/asm/realmode.h
21168@@ -22,16 +22,14 @@ struct real_mode_header {
21169 #endif
21170 /* APM/BIOS reboot */
21171 u32 machine_real_restart_asm;
21172-#ifdef CONFIG_X86_64
21173 u32 machine_real_restart_seg;
21174-#endif
21175 };
21176
21177 /* This must match data at trampoline_32/64.S */
21178 struct trampoline_header {
21179 #ifdef CONFIG_X86_32
21180 u32 start;
21181- u16 gdt_pad;
21182+ u16 boot_cs;
21183 u16 gdt_limit;
21184 u32 gdt_base;
21185 #else
21186diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h
21187index a82c4f1..ac45053 100644
21188--- a/arch/x86/include/asm/reboot.h
21189+++ b/arch/x86/include/asm/reboot.h
21190@@ -6,13 +6,13 @@
21191 struct pt_regs;
21192
21193 struct machine_ops {
21194- void (*restart)(char *cmd);
21195- void (*halt)(void);
21196- void (*power_off)(void);
21197+ void (* __noreturn restart)(char *cmd);
21198+ void (* __noreturn halt)(void);
21199+ void (* __noreturn power_off)(void);
21200 void (*shutdown)(void);
21201 void (*crash_shutdown)(struct pt_regs *);
21202- void (*emergency_restart)(void);
21203-};
21204+ void (* __noreturn emergency_restart)(void);
21205+} __no_const;
21206
21207 extern struct machine_ops machine_ops;
21208
21209diff --git a/arch/x86/include/asm/rmwcc.h b/arch/x86/include/asm/rmwcc.h
21210index 8f7866a..e442f20 100644
21211--- a/arch/x86/include/asm/rmwcc.h
21212+++ b/arch/x86/include/asm/rmwcc.h
21213@@ -3,7 +3,34 @@
21214
21215 #ifdef CC_HAVE_ASM_GOTO
21216
21217-#define __GEN_RMWcc(fullop, var, cc, ...) \
21218+#ifdef CONFIG_PAX_REFCOUNT
21219+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21220+do { \
21221+ asm_volatile_goto (fullop \
21222+ ";jno 0f\n" \
21223+ fullantiop \
21224+ ";int $4\n0:\n" \
21225+ _ASM_EXTABLE(0b, 0b) \
21226+ ";j" cc " %l[cc_label]" \
21227+ : : "m" (var), ## __VA_ARGS__ \
21228+ : "memory" : cc_label); \
21229+ return 0; \
21230+cc_label: \
21231+ return 1; \
21232+} while (0)
21233+#else
21234+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21235+do { \
21236+ asm_volatile_goto (fullop ";j" cc " %l[cc_label]" \
21237+ : : "m" (var), ## __VA_ARGS__ \
21238+ : "memory" : cc_label); \
21239+ return 0; \
21240+cc_label: \
21241+ return 1; \
21242+} while (0)
21243+#endif
21244+
21245+#define __GEN_RMWcc_unchecked(fullop, var, cc, ...) \
21246 do { \
21247 asm_volatile_goto (fullop "; j" cc " %l[cc_label]" \
21248 : : "m" (var), ## __VA_ARGS__ \
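Review bot: The `CONFIG_PAX_REFCOUNT` variant of `__GEN_RMWcc` has no comment stating its contract, which callers such as `__preempt_count_dec_and_test()` now depend on: `fullantiop` must be the exact inverse of `fullop` on the same operand, and on the overflow path the `j<cc>` test sits after label `0:`, that is after the undo and the `int $4`, not directly after `fullop`. A header comment along the lines of `/* on signed overflow (OF set) undo fullop with fullantiop and trap via int $4; the cc test follows the undo */` would make that explicit. The same applies to the `set<cc>` variant in the `!CC_HAVE_ASM_GOTO` hunk below, and the comment should mention that the non-REFCOUNT `#else` definition ignores `fullantiop`.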
21249@@ -13,15 +40,46 @@ cc_label: \
21250 return 1; \
21251 } while (0)
21252
21253-#define GEN_UNARY_RMWcc(op, var, arg0, cc) \
21254- __GEN_RMWcc(op " " arg0, var, cc)
21255+#define GEN_UNARY_RMWcc(op, antiop, var, arg0, cc) \
21256+ __GEN_RMWcc(op " " arg0, antiop " " arg0, var, cc)
21257
21258-#define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \
21259- __GEN_RMWcc(op " %1, " arg0, var, cc, vcon (val))
21260+#define GEN_UNARY_RMWcc_unchecked(op, var, arg0, cc) \
21261+ __GEN_RMWcc_unchecked(op " " arg0, var, cc)
21262+
21263+#define GEN_BINARY_RMWcc(op, antiop, var, vcon, val, arg0, cc) \
21264+ __GEN_RMWcc(op " %1, " arg0, antiop " %1, " arg0, var, cc, vcon (val))
21265+
21266+#define GEN_BINARY_RMWcc_unchecked(op, var, vcon, val, arg0, cc) \
21267+ __GEN_RMWcc_unchecked(op " %1, " arg0, var, cc, vcon (val))
21268
21269 #else /* !CC_HAVE_ASM_GOTO */
21270
21271-#define __GEN_RMWcc(fullop, var, cc, ...) \
21272+#ifdef CONFIG_PAX_REFCOUNT
21273+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21274+do { \
21275+ char c; \
21276+ asm volatile (fullop \
21277+ ";jno 0f\n" \
21278+ fullantiop \
21279+ ";int $4\n0:\n" \
21280+ _ASM_EXTABLE(0b, 0b) \
21281+ "; set" cc " %1" \
21282+ : "+m" (var), "=qm" (c) \
21283+ : __VA_ARGS__ : "memory"); \
21284+ return c != 0; \
21285+} while (0)
21286+#else
21287+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21288+do { \
21289+ char c; \
21290+ asm volatile (fullop "; set" cc " %1" \
21291+ : "+m" (var), "=qm" (c) \
21292+ : __VA_ARGS__ : "memory"); \
21293+ return c != 0; \
21294+} while (0)
21295+#endif
21296+
21297+#define __GEN_RMWcc_unchecked(fullop, var, cc, ...) \
21298 do { \
21299 char c; \
21300 asm volatile (fullop "; set" cc " %1" \
21301@@ -30,11 +88,17 @@ do { \
21302 return c != 0; \
21303 } while (0)
21304
21305-#define GEN_UNARY_RMWcc(op, var, arg0, cc) \
21306- __GEN_RMWcc(op " " arg0, var, cc)
21307+#define GEN_UNARY_RMWcc(op, antiop, var, arg0, cc) \
21308+ __GEN_RMWcc(op " " arg0, antiop " " arg0, var, cc)
21309+
21310+#define GEN_UNARY_RMWcc_unchecked(op, var, arg0, cc) \
21311+ __GEN_RMWcc_unchecked(op " " arg0, var, cc)
21312+
21313+#define GEN_BINARY_RMWcc(op, antiop, var, vcon, val, arg0, cc) \
21314+ __GEN_RMWcc(op " %2, " arg0, antiop " %2, " arg0, var, cc, vcon (val))
21315
21316-#define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \
21317- __GEN_RMWcc(op " %2, " arg0, var, cc, vcon (val))
21318+#define GEN_BINARY_RMWcc_unchecked(op, var, vcon, val, arg0, cc) \
21319+ __GEN_RMWcc_unchecked(op " %2, " arg0, var, cc, vcon (val))
21320
21321 #endif /* CC_HAVE_ASM_GOTO */
21322
21323diff --git a/arch/x86/include/asm/rwsem.h b/arch/x86/include/asm/rwsem.h
21324index cad82c9..2e5c5c1 100644
21325--- a/arch/x86/include/asm/rwsem.h
21326+++ b/arch/x86/include/asm/rwsem.h
21327@@ -64,6 +64,14 @@ static inline void __down_read(struct rw_semaphore *sem)
21328 {
21329 asm volatile("# beginning down_read\n\t"
21330 LOCK_PREFIX _ASM_INC "(%1)\n\t"
21331+
21332+#ifdef CONFIG_PAX_REFCOUNT
21333+ "jno 0f\n"
21334+ LOCK_PREFIX _ASM_DEC "(%1)\n"
21335+ "int $4\n0:\n"
21336+ _ASM_EXTABLE(0b, 0b)
21337+#endif
21338+
21339 /* adds 0x00000001 */
21340 " jns 1f\n"
21341 " call call_rwsem_down_read_failed\n"
21342@@ -85,6 +93,14 @@ static inline int __down_read_trylock(struct rw_semaphore *sem)
21343 "1:\n\t"
21344 " mov %1,%2\n\t"
21345 " add %3,%2\n\t"
21346+
21347+#ifdef CONFIG_PAX_REFCOUNT
21348+ "jno 0f\n"
21349+ "sub %3,%2\n"
21350+ "int $4\n0:\n"
21351+ _ASM_EXTABLE(0b, 0b)
21352+#endif
21353+
21354 " jle 2f\n\t"
21355 LOCK_PREFIX " cmpxchg %2,%0\n\t"
21356 " jnz 1b\n\t"
21357@@ -104,6 +120,14 @@ static inline void __down_write_nested(struct rw_semaphore *sem, int subclass)
21358 long tmp;
21359 asm volatile("# beginning down_write\n\t"
21360 LOCK_PREFIX " xadd %1,(%2)\n\t"
21361+
21362+#ifdef CONFIG_PAX_REFCOUNT
21363+ "jno 0f\n"
21364+ "mov %1,(%2)\n"
21365+ "int $4\n0:\n"
21366+ _ASM_EXTABLE(0b, 0b)
21367+#endif
21368+
21369 /* adds 0xffff0001, returns the old value */
21370 " test " __ASM_SEL(%w1,%k1) "," __ASM_SEL(%w1,%k1) "\n\t"
21371 /* was the active mask 0 before? */
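Review bot: The overflow path added after `LOCK_PREFIX " xadd %1,(%2)"` restores the counter with a plain `mov %1,(%2)`, a non-atomic store of the value the `xadd` read, so any update another CPU makes to the count between the two instructions would be overwritten. The `__down_read` and `__downgrade_write` hunks undo with a locked inverse instead (`LOCK_PREFIX _ASM_DEC`, `LOCK_PREFIX _ASM_SUB`), while the same `mov` pattern is repeated in the `__up_read` and `__up_write` hunks below. If the plain store is deliberate because the trap is treated as fatal, a comment saying so belongs at each site, e.g. `/* overflow is fatal for the task: best-effort restore of the old count */`; otherwise an atomic undo would be safer. The function body continues outside this hunk.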
21372@@ -155,6 +179,14 @@ static inline void __up_read(struct rw_semaphore *sem)
21373 long tmp;
21374 asm volatile("# beginning __up_read\n\t"
21375 LOCK_PREFIX " xadd %1,(%2)\n\t"
21376+
21377+#ifdef CONFIG_PAX_REFCOUNT
21378+ "jno 0f\n"
21379+ "mov %1,(%2)\n"
21380+ "int $4\n0:\n"
21381+ _ASM_EXTABLE(0b, 0b)
21382+#endif
21383+
21384 /* subtracts 1, returns the old value */
21385 " jns 1f\n\t"
21386 " call call_rwsem_wake\n" /* expects old value in %edx */
21387@@ -173,6 +205,14 @@ static inline void __up_write(struct rw_semaphore *sem)
21388 long tmp;
21389 asm volatile("# beginning __up_write\n\t"
21390 LOCK_PREFIX " xadd %1,(%2)\n\t"
21391+
21392+#ifdef CONFIG_PAX_REFCOUNT
21393+ "jno 0f\n"
21394+ "mov %1,(%2)\n"
21395+ "int $4\n0:\n"
21396+ _ASM_EXTABLE(0b, 0b)
21397+#endif
21398+
21399 /* subtracts 0xffff0001, returns the old value */
21400 " jns 1f\n\t"
21401 " call call_rwsem_wake\n" /* expects old value in %edx */
21402@@ -190,6 +230,14 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
21403 {
21404 asm volatile("# beginning __downgrade_write\n\t"
21405 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
21406+
21407+#ifdef CONFIG_PAX_REFCOUNT
21408+ "jno 0f\n"
21409+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
21410+ "int $4\n0:\n"
21411+ _ASM_EXTABLE(0b, 0b)
21412+#endif
21413+
21414 /*
21415 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
21416 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
21417@@ -208,7 +256,15 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
21418 */
21419 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
21420 {
21421- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
21422+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
21423+
21424+#ifdef CONFIG_PAX_REFCOUNT
21425+ "jno 0f\n"
21426+ LOCK_PREFIX _ASM_SUB "%1,%0\n"
21427+ "int $4\n0:\n"
21428+ _ASM_EXTABLE(0b, 0b)
21429+#endif
21430+
21431 : "+m" (sem->count)
21432 : "er" (delta));
21433 }
21434@@ -218,7 +274,7 @@ static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
21435 */
21436 static inline long rwsem_atomic_update(long delta, struct rw_semaphore *sem)
21437 {
21438- return delta + xadd(&sem->count, delta);
21439+ return delta + xadd_check_overflow(&sem->count, delta);
21440 }
21441
21442 #endif /* __KERNEL__ */
21443diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
21444index 7d5a192..23ef1aa 100644
21445--- a/arch/x86/include/asm/segment.h
21446+++ b/arch/x86/include/asm/segment.h
21447@@ -82,14 +82,20 @@
21448 * 26 - ESPFIX small SS
21449 * 27 - per-cpu [ offset to per-cpu data area ]
21450 * 28 - stack_canary-20 [ for stack protector ] <=== cacheline #8
21451- * 29 - unused
21452- * 30 - unused
21453+ * 29 - PCI BIOS CS
21454+ * 30 - PCI BIOS DS
21455 * 31 - TSS for double fault handler
21456 */
21457+#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
21458+#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
21459+#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
21460+#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
21461+
21462 #define GDT_ENTRY_TLS_MIN 6
21463 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
21464
21465 #define GDT_ENTRY_KERNEL_CS 12
21466+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 4
21467 #define GDT_ENTRY_KERNEL_DS 13
21468 #define GDT_ENTRY_DEFAULT_USER_CS 14
21469 #define GDT_ENTRY_DEFAULT_USER_DS 15
21470@@ -106,6 +112,12 @@
21471 #define GDT_ENTRY_PERCPU 27
21472 #define GDT_ENTRY_STACK_CANARY 28
21473
21474+#define GDT_ENTRY_PCIBIOS_CS 29
21475+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
21476+
21477+#define GDT_ENTRY_PCIBIOS_DS 30
21478+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
21479+
21480 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
21481
21482 /*
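Review bot: The PCI BIOS definitions are paired crosswise: `__PCIBIOS_DS` is placed under `GDT_ENTRY_PCIBIOS_CS` and `__PCIBIOS_CS` under `GDT_ENTRY_PCIBIOS_DS`. The values still come out right because each selector macro names its matching entry, but the layout invites a wrong edit later. Group them as the rest of the file does: the two `GDT_ENTRY_PCIBIOS_*` indices first, then `#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)` and `#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)`.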
21483@@ -118,6 +130,7 @@
21484 */
21485
21486 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
21487+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
21488 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
21489 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8 + 3)
21490 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8 + 3)
21491@@ -129,7 +142,7 @@
21492 #define PNP_CS16 (GDT_ENTRY_PNPBIOS_CS16*8)
21493
21494 /* "Is this PNP code selector (PNP_CS32 or PNP_CS16)?" */
21495-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == PNP_CS32)
21496+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
21497
21498 /* data segment for BIOS: */
21499 #define PNP_DS (GDT_ENTRY_PNPBIOS_DS*8)
21500@@ -176,6 +189,8 @@
21501 #define GDT_ENTRY_DEFAULT_USER_DS 5
21502 #define GDT_ENTRY_DEFAULT_USER_CS 6
21503
21504+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
21505+
21506 /* Needs two entries */
21507 #define GDT_ENTRY_TSS 8
21508 /* Needs two entries */
21509@@ -187,10 +202,12 @@
21510 /* Abused to load per CPU data from limit */
21511 #define GDT_ENTRY_PER_CPU 15
21512
21513+#define GDT_ENTRY_UDEREF_KERNEL_DS 16
21514+
21515 /*
21516 * Number of entries in the GDT table:
21517 */
21518-#define GDT_ENTRIES 16
21519+#define GDT_ENTRIES 17
21520
21521 /*
21522 * Segment selector values corresponding to the above entries:
21523@@ -200,7 +217,9 @@
21524 */
21525 #define __KERNEL32_CS (GDT_ENTRY_KERNEL32_CS*8)
21526 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
21527+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
21528 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
21529+#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8)
21530 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS*8 + 3)
21531 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8 + 3)
21532 #define __USER32_DS __USER_DS
21533diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
21534index ba665eb..0f72938 100644
21535--- a/arch/x86/include/asm/smap.h
21536+++ b/arch/x86/include/asm/smap.h
21537@@ -25,6 +25,18 @@
21538
21539 #include <asm/alternative-asm.h>
21540
21541+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21542+#define ASM_PAX_OPEN_USERLAND \
21543+ ALTERNATIVE "", "call __pax_open_userland", X86_FEATURE_STRONGUDEREF
21544+
21545+#define ASM_PAX_CLOSE_USERLAND \
21546+ ALTERNATIVE "", "call __pax_close_userland", X86_FEATURE_STRONGUDEREF
21547+
21548+#else
21549+#define ASM_PAX_OPEN_USERLAND
21550+#define ASM_PAX_CLOSE_USERLAND
21551+#endif
21552+
21553 #ifdef CONFIG_X86_SMAP
21554
21555 #define ASM_CLAC \
21556@@ -44,6 +56,37 @@
21557
21558 #include <asm/alternative.h>
21559
21560+#define __HAVE_ARCH_PAX_OPEN_USERLAND
21561+#define __HAVE_ARCH_PAX_CLOSE_USERLAND
21562+
21563+extern void __pax_open_userland(void);
21564+static __always_inline unsigned long pax_open_userland(void)
21565+{
21566+
21567+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21568+ asm volatile(ALTERNATIVE("", "call %P[open]", X86_FEATURE_STRONGUDEREF)
21569+ :
21570+ : [open] "i" (__pax_open_userland)
21571+ : "memory", "rax");
21572+#endif
21573+
21574+ return 0;
21575+}
21576+
21577+extern void __pax_close_userland(void);
21578+static __always_inline unsigned long pax_close_userland(void)
21579+{
21580+
21581+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21582+ asm volatile(ALTERNATIVE("", "call %P[close]", X86_FEATURE_STRONGUDEREF)
21583+ :
21584+ : [close] "i" (__pax_close_userland)
21585+ : "memory", "rax");
21586+#endif
21587+
21588+ return 0;
21589+}
21590+
21591 #ifdef CONFIG_X86_SMAP
21592
21593 static __always_inline void clac(void)
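Review bot: `pax_open_userland()` and `pax_close_userland()` call an out-of-line routine from inline asm while declaring only `"memory"` and `"rax"` as clobbered, so `__pax_open_userland` and `__pax_close_userland` must preserve every other register, and nothing in this hunk records that requirement. Add a comment at the two `extern` declarations, e.g. `/* called from inline asm: may clobber only %rax */`. Both helpers are also declared `unsigned long` but return a constant `0` on every path; a short doc comment should say what callers are expected to do with that value.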
21594diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
21595index 222a6a3..839da8d 100644
21596--- a/arch/x86/include/asm/smp.h
21597+++ b/arch/x86/include/asm/smp.h
21598@@ -35,7 +35,7 @@ DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_core_map);
21599 /* cpus sharing the last level cache: */
21600 DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_llc_shared_map);
21601 DECLARE_PER_CPU_READ_MOSTLY(u16, cpu_llc_id);
21602-DECLARE_PER_CPU_READ_MOSTLY(int, cpu_number);
21603+DECLARE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number);
21604
21605 static inline struct cpumask *cpu_llc_shared_mask(int cpu)
21606 {
21607@@ -68,7 +68,7 @@ struct smp_ops {
21608
21609 void (*send_call_func_ipi)(const struct cpumask *mask);
21610 void (*send_call_func_single_ipi)(int cpu);
21611-};
21612+} __no_const;
21613
21614 /* Globals due to paravirt */
21615 extern void set_cpu_sibling_map(int cpu);
21616@@ -182,14 +182,8 @@ extern unsigned disabled_cpus;
21617 extern int safe_smp_processor_id(void);
21618
21619 #elif defined(CONFIG_X86_64_SMP)
21620-#define raw_smp_processor_id() (this_cpu_read(cpu_number))
21621-
21622-#define stack_smp_processor_id() \
21623-({ \
21624- struct thread_info *ti; \
21625- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
21626- ti->cpu; \
21627-})
21628+#define raw_smp_processor_id() (this_cpu_read(cpu_number))
21629+#define stack_smp_processor_id() raw_smp_processor_id()
21630 #define safe_smp_processor_id() smp_processor_id()
21631
21632 #endif
21633diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h
21634index c2e00bb..a10266e 100644
21635--- a/arch/x86/include/asm/stackprotector.h
21636+++ b/arch/x86/include/asm/stackprotector.h
21637@@ -49,7 +49,7 @@
21638 * head_32 for boot CPU and setup_per_cpu_areas() for others.
21639 */
21640 #define GDT_STACK_CANARY_INIT \
21641- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
21642+ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
21643
21644 /*
21645 * Initialize the stackprotector canary value.
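Review bot: The segment limit in `GDT_STACK_CANARY_INIT` changes from `0x18` to `0x17` with no comment explaining the value. Presumably the limit is inclusive and the canary is the four bytes at offset 20 (segment.h describes entry 28 as `stack_canary-20`), which would make `0x17` the last valid byte and the old value one byte too permissive; that should be confirmed and recorded next to the macro, e.g. `/* limit is inclusive: last byte of the canary at offset 20 */`.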
21646@@ -114,7 +114,7 @@ static inline void setup_stack_canary_segment(int cpu)
21647
21648 static inline void load_stack_canary_segment(void)
21649 {
21650-#ifdef CONFIG_X86_32
21651+#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
21652 asm volatile ("mov %0, %%gs" : : "r" (0));
21653 #endif
21654 }
21655diff --git a/arch/x86/include/asm/stacktrace.h b/arch/x86/include/asm/stacktrace.h
21656index 70bbe39..4ae2bd4 100644
21657--- a/arch/x86/include/asm/stacktrace.h
21658+++ b/arch/x86/include/asm/stacktrace.h
21659@@ -11,28 +11,20 @@
21660
21661 extern int kstack_depth_to_print;
21662
21663-struct thread_info;
21664+struct task_struct;
21665 struct stacktrace_ops;
21666
21667-typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
21668- unsigned long *stack,
21669- unsigned long bp,
21670- const struct stacktrace_ops *ops,
21671- void *data,
21672- unsigned long *end,
21673- int *graph);
21674+typedef unsigned long walk_stack_t(struct task_struct *task,
21675+ void *stack_start,
21676+ unsigned long *stack,
21677+ unsigned long bp,
21678+ const struct stacktrace_ops *ops,
21679+ void *data,
21680+ unsigned long *end,
21681+ int *graph);
21682
21683-extern unsigned long
21684-print_context_stack(struct thread_info *tinfo,
21685- unsigned long *stack, unsigned long bp,
21686- const struct stacktrace_ops *ops, void *data,
21687- unsigned long *end, int *graph);
21688-
21689-extern unsigned long
21690-print_context_stack_bp(struct thread_info *tinfo,
21691- unsigned long *stack, unsigned long bp,
21692- const struct stacktrace_ops *ops, void *data,
21693- unsigned long *end, int *graph);
21694+extern walk_stack_t print_context_stack;
21695+extern walk_stack_t print_context_stack_bp;
21696
21697 /* Generic stack tracer with callbacks */
21698
21699@@ -40,7 +32,7 @@ struct stacktrace_ops {
21700 void (*address)(void *data, unsigned long address, int reliable);
21701 /* On negative return stop dumping */
21702 int (*stack)(void *data, char *name);
21703- walk_stack_t walk_stack;
21704+ walk_stack_t *walk_stack;
21705 };
21706
21707 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
21708diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h
21709index d7f3b3b..3cc39f1 100644
21710--- a/arch/x86/include/asm/switch_to.h
21711+++ b/arch/x86/include/asm/switch_to.h
21712@@ -108,7 +108,7 @@ do { \
21713 "call __switch_to\n\t" \
21714 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
21715 __switch_canary \
21716- "movq %P[thread_info](%%rsi),%%r8\n\t" \
21717+ "movq "__percpu_arg([thread_info])",%%r8\n\t" \
21718 "movq %%rax,%%rdi\n\t" \
21719 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
21720 "jnz ret_from_fork\n\t" \
21721@@ -119,7 +119,7 @@ do { \
21722 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
21723 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
21724 [_tif_fork] "i" (_TIF_FORK), \
21725- [thread_info] "i" (offsetof(struct task_struct, stack)), \
21726+ [thread_info] "m" (current_tinfo), \
21727 [current_task] "m" (current_task) \
21728 __switch_canary_iparam \
21729 : "memory", "cc" __EXTRA_CLOBBER)
21730diff --git a/arch/x86/include/asm/sys_ia32.h b/arch/x86/include/asm/sys_ia32.h
21731index 82c34ee..940fa40 100644
21732--- a/arch/x86/include/asm/sys_ia32.h
21733+++ b/arch/x86/include/asm/sys_ia32.h
21734@@ -20,8 +20,8 @@
21735 #include <asm/ia32.h>
21736
21737 /* ia32/sys_ia32.c */
21738-asmlinkage long sys32_truncate64(const char __user *, unsigned long, unsigned long);
21739-asmlinkage long sys32_ftruncate64(unsigned int, unsigned long, unsigned long);
21740+asmlinkage long sys32_truncate64(const char __user *, unsigned int, unsigned int);
21741+asmlinkage long sys32_ftruncate64(unsigned int, unsigned int, unsigned int);
21742
21743 asmlinkage long sys32_stat64(const char __user *, struct stat64 __user *);
21744 asmlinkage long sys32_lstat64(const char __user *, struct stat64 __user *);
21745@@ -42,7 +42,7 @@ long sys32_vm86_warning(void);
21746 asmlinkage ssize_t sys32_readahead(int, unsigned, unsigned, size_t);
21747 asmlinkage long sys32_sync_file_range(int, unsigned, unsigned,
21748 unsigned, unsigned, int);
21749-asmlinkage long sys32_fadvise64(int, unsigned, unsigned, size_t, int);
21750+asmlinkage long sys32_fadvise64(int, unsigned, unsigned, int, int);
21751 asmlinkage long sys32_fallocate(int, int, unsigned,
21752 unsigned, unsigned, unsigned);
21753
21754diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
21755index 225ee54..fae4566 100644
21756--- a/arch/x86/include/asm/thread_info.h
21757+++ b/arch/x86/include/asm/thread_info.h
21758@@ -36,7 +36,7 @@
21759 #ifdef CONFIG_X86_32
21760 # define TOP_OF_KERNEL_STACK_PADDING 8
21761 #else
21762-# define TOP_OF_KERNEL_STACK_PADDING 0
21763+# define TOP_OF_KERNEL_STACK_PADDING 16
21764 #endif
21765
21766 /*
21767@@ -50,27 +50,26 @@ struct task_struct;
21768 #include <linux/atomic.h>
21769
21770 struct thread_info {
21771- struct task_struct *task; /* main task structure */
21772 __u32 flags; /* low level flags */
21773 __u32 status; /* thread synchronous flags */
21774 __u32 cpu; /* current CPU */
21775 int saved_preempt_count;
21776 mm_segment_t addr_limit;
21777 void __user *sysenter_return;
21778+ unsigned long lowest_stack;
21779 unsigned int sig_on_uaccess_error:1;
21780 unsigned int uaccess_err:1; /* uaccess failed */
21781 };
21782
21783-#define INIT_THREAD_INFO(tsk) \
21784+#define INIT_THREAD_INFO \
21785 { \
21786- .task = &tsk, \
21787 .flags = 0, \
21788 .cpu = 0, \
21789 .saved_preempt_count = INIT_PREEMPT_COUNT, \
21790 .addr_limit = KERNEL_DS, \
21791 }
21792
21793-#define init_thread_info (init_thread_union.thread_info)
21794+#define init_thread_info (init_thread_union.stack)
21795 #define init_stack (init_thread_union.stack)
21796
21797 #else /* !__ASSEMBLY__ */
21798@@ -110,6 +109,7 @@ struct thread_info {
21799 #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */
21800 #define TIF_ADDR32 29 /* 32-bit address space on 64 bits */
21801 #define TIF_X32 30 /* 32-bit native x86-64 binary */
21802+#define TIF_GRSEC_SETXID 31 /* update credentials on syscall entry/exit */
21803
21804 #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
21805 #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
21806@@ -133,17 +133,18 @@ struct thread_info {
21807 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
21808 #define _TIF_ADDR32 (1 << TIF_ADDR32)
21809 #define _TIF_X32 (1 << TIF_X32)
21810+#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID)
21811
21812 /* work to do in syscall_trace_enter() */
21813 #define _TIF_WORK_SYSCALL_ENTRY \
21814 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT | \
21815 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | \
21816- _TIF_NOHZ)
21817+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
21818
21819 /* work to do in syscall_trace_leave() */
21820 #define _TIF_WORK_SYSCALL_EXIT \
21821 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP | \
21822- _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ)
21823+ _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ | _TIF_GRSEC_SETXID)
21824
21825 /* work to do on interrupt/exception return */
21826 #define _TIF_WORK_MASK \
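Review bot: `_TIF_GRSEC_SETXID` is defined as `(1 << TIF_GRSEC_SETXID)` with `TIF_GRSEC_SETXID` set to 31 in the previous hunk, which shifts a signed `int` into its sign bit; the result is a negative constant that sign-extends if a mask containing it is ever widened to `unsigned long`. It is now part of `_TIF_WORK_SYSCALL_ENTRY`, `_TIF_WORK_SYSCALL_EXIT` and, in the next hunk, `_TIF_ALLWORK_MASK`. Use an unsigned constant in a form that is still accepted where these masks are consumed from assembly (the kernel's `_AC()` helper is the usual route, if it is reachable from this header), and add a comment that bit 31 is the last bit of the 32-bit `flags` word.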
21827@@ -154,7 +155,7 @@ struct thread_info {
21828 /* work to do on any return to user space */
21829 #define _TIF_ALLWORK_MASK \
21830 ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT | \
21831- _TIF_NOHZ)
21832+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
21833
21834 /* Only used for 64 bit */
21835 #define _TIF_DO_NOTIFY_MASK \
21836@@ -177,9 +178,11 @@ struct thread_info {
21837 */
21838 #ifndef __ASSEMBLY__
21839
21840+DECLARE_PER_CPU(struct thread_info *, current_tinfo);
21841+
21842 static inline struct thread_info *current_thread_info(void)
21843 {
21844- return (struct thread_info *)(current_top_of_stack() - THREAD_SIZE);
21845+ return this_cpu_read_stable(current_tinfo);
21846 }
21847
21848 static inline unsigned long current_stack_pointer(void)
21849@@ -195,14 +198,9 @@ static inline unsigned long current_stack_pointer(void)
21850
21851 #else /* !__ASSEMBLY__ */
21852
21853-#ifdef CONFIG_X86_64
21854-# define cpu_current_top_of_stack (cpu_tss + TSS_sp0)
21855-#endif
21856-
21857 /* Load thread_info address into "reg" */
21858 #define GET_THREAD_INFO(reg) \
21859- _ASM_MOV PER_CPU_VAR(cpu_current_top_of_stack),reg ; \
21860- _ASM_SUB $(THREAD_SIZE),reg ;
21861+ _ASM_MOV PER_CPU_VAR(current_tinfo),reg ;
21862
21863 /*
21864 * ASM operand which evaluates to a 'thread_info' address of
21865@@ -295,5 +293,12 @@ static inline bool is_ia32_task(void)
21866 extern void arch_task_cache_init(void);
21867 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
21868 extern void arch_release_task_struct(struct task_struct *tsk);
21869+
21870+#define __HAVE_THREAD_FUNCTIONS
21871+#define task_thread_info(task) (&(task)->tinfo)
21872+#define task_stack_page(task) ((task)->stack)
21873+#define setup_thread_stack(p, org) do {} while (0)
21874+#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
21875+
21876 #endif
21877 #endif /* _ASM_X86_THREAD_INFO_H */
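Review bot: The accessor macros added at the end of the header have no comment explaining why `setup_thread_stack()` expands to nothing and why `end_of_stack()` is `task_stack_page(p) + 1`. From `task_thread_info(task) (&(task)->tinfo)` it looks as if thread_info now lives inside task_struct rather than at the base of the stack, but that is only inferred from this hunk. A comment above `__HAVE_THREAD_FUNCTIONS` would settle it, for example `/* thread_info is embedded in task_struct (->tinfo); nothing is copied onto the new stack and the stack page starts with the end-of-stack marker slot */`, adjusted to whatever the real layout is.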
21878diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
21879index cd79194..6a9956f 100644
21880--- a/arch/x86/include/asm/tlbflush.h
21881+++ b/arch/x86/include/asm/tlbflush.h
21882@@ -86,18 +86,44 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
21883
21884 static inline void __native_flush_tlb(void)
21885 {
21886+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
21887+ u64 descriptor[2];
21888+
21889+ descriptor[0] = PCID_KERNEL;
21890+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_NONGLOBAL) : "memory");
21891+ return;
21892+ }
21893+
21894+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21895+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
21896+ unsigned int cpu = raw_get_cpu();
21897+
21898+ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
21899+ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
21900+ raw_put_cpu_no_resched();
21901+ return;
21902+ }
21903+#endif
21904+
21905 native_write_cr3(native_read_cr3());
21906 }
21907
21908 static inline void __native_flush_tlb_global_irq_disabled(void)
21909 {
21910- unsigned long cr4;
21911+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
21912+ u64 descriptor[2];
21913
21914- cr4 = this_cpu_read(cpu_tlbstate.cr4);
21915- /* clear PGE */
21916- native_write_cr4(cr4 & ~X86_CR4_PGE);
21917- /* write old PGE again and flush TLBs */
21918- native_write_cr4(cr4);
21919+ descriptor[0] = PCID_KERNEL;
21920+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
21921+ } else {
21922+ unsigned long cr4;
21923+
21924+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
21925+ /* clear PGE */
21926+ native_write_cr4(cr4 & ~X86_CR4_PGE);
21927+ /* write old PGE again and flush TLBs */
21928+ native_write_cr4(cr4);
21929+ }
21930 }
21931
21932 static inline void __native_flush_tlb_global(void)
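Review bot: In `__native_flush_tlb()` and `__native_flush_tlb_global_irq_disabled()` the INVPCID descriptor is handed to the instruction with only `descriptor[0]` written, so the second quadword holds whatever was on the stack. The address field is presumably ignored for the all-context invalidation types, but initialising the whole object removes that dependence and keeps static checkers quiet: `u64 descriptor[2] = { PCID_KERNEL, 0 };`. The same descriptor-plus-asm sequence appears a third time in `__native_flush_tlb_single()` in the next hunk. A small `static inline` helper taking the PCID, the address and the invalidation type would keep the three copies from drifting apart.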
21933@@ -118,6 +144,43 @@ static inline void __native_flush_tlb_global(void)
21934
21935 static inline void __native_flush_tlb_single(unsigned long addr)
21936 {
21937+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
21938+ u64 descriptor[2];
21939+
21940+ descriptor[0] = PCID_KERNEL;
21941+ descriptor[1] = addr;
21942+
21943+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21944+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
21945+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) {
21946+ if (addr < TASK_SIZE_MAX)
21947+ descriptor[1] += pax_user_shadow_base;
21948+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
21949+ }
21950+
21951+ descriptor[0] = PCID_USER;
21952+ descriptor[1] = addr;
21953+ }
21954+#endif
21955+
21956+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
21957+ return;
21958+ }
21959+
21960+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21961+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
21962+ unsigned int cpu = raw_get_cpu();
21963+
21964+ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
21965+ asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
21966+ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
21967+ raw_put_cpu_no_resched();
21968+
21969+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) && addr < TASK_SIZE_MAX)
21970+ addr += pax_user_shadow_base;
21971+ }
21972+#endif
21973+
21974 asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
21975 }
21976
21977diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
21978index a8df874..ef0e34f 100644
21979--- a/arch/x86/include/asm/uaccess.h
21980+++ b/arch/x86/include/asm/uaccess.h
21981@@ -7,6 +7,7 @@
21982 #include <linux/compiler.h>
21983 #include <linux/thread_info.h>
21984 #include <linux/string.h>
21985+#include <linux/spinlock.h>
21986 #include <asm/asm.h>
21987 #include <asm/page.h>
21988 #include <asm/smap.h>
21989@@ -29,7 +30,12 @@
21990
21991 #define get_ds() (KERNEL_DS)
21992 #define get_fs() (current_thread_info()->addr_limit)
21993+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
21994+void __set_fs(mm_segment_t x);
21995+void set_fs(mm_segment_t x);
21996+#else
21997 #define set_fs(x) (current_thread_info()->addr_limit = (x))
21998+#endif
21999
22000 #define segment_eq(a, b) ((a).seg == (b).seg)
22001
22002@@ -86,8 +92,36 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
22003 * checks that the pointer is in the user space range - after calling
22004 * this function, memory access functions may still return -EFAULT.
22005 */
22006-#define access_ok(type, addr, size) \
22007- likely(!__range_not_ok(addr, size, user_addr_max()))
22008+extern int _cond_resched(void);
22009+#define access_ok_noprefault(type, addr, size) (likely(!__range_not_ok(addr, size, user_addr_max())))
22010+#define access_ok(type, addr, size) \
22011+({ \
22012+ unsigned long __size = size; \
22013+ unsigned long __addr = (unsigned long)addr; \
22014+ bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\
22015+ if (__ret_ao && __size) { \
22016+ unsigned long __addr_ao = __addr & PAGE_MASK; \
22017+ unsigned long __end_ao = __addr + __size - 1; \
22018+ if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
22019+ while (__addr_ao <= __end_ao) { \
22020+ char __c_ao; \
22021+ __addr_ao += PAGE_SIZE; \
22022+ if (__size > PAGE_SIZE) \
22023+ _cond_resched(); \
22024+ if (__get_user(__c_ao, (char __user *)__addr)) \
22025+ break; \
22026+ if (type != VERIFY_WRITE) { \
22027+ __addr = __addr_ao; \
22028+ continue; \
22029+ } \
22030+ if (__put_user(__c_ao, (char __user *)__addr)) \
22031+ break; \
22032+ __addr = __addr_ao; \
22033+ } \
22034+ } \
22035+ } \
22036+ __ret_ao; \
22037+})
22038
22039 /*
22040 * The exception table consists of pairs of addresses relative to the
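Review bot: The new `access_ok()` body uses its macro arguments without parentheses, so `(unsigned long)addr` casts only the first operand when a caller passes an expression such as `buf + off`. For a non-`char` pointer the address that gets range-checked and prefaulted then differs from the one the caller goes on to access, whereas the removed one-line form passed `addr` through to `__range_not_ok()` unchanged. Write `unsigned long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `if ((type) != VERIFY_WRITE)`. Separately, the prefault loop can fault and calls `_cond_resched()`, and a failing `__get_user`/`__put_user` only breaks out without changing `__ret_ao`. If the touch is meant to be best-effort and atomic-context callers are expected to use `access_ok_noprefault()`, a comment above the macro should say so.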
22041@@ -135,11 +169,13 @@ extern int __get_user_8(void);
22042 extern int __get_user_bad(void);
22043
22044 /*
22045- * This is a type: either unsigned long, if the argument fits into
22046- * that type, or otherwise unsigned long long.
22047+ * This is a type: either (un)signed int, if the argument fits into
22048+ * that type, or otherwise (un)signed long long.
22049 */
22050 #define __inttype(x) \
22051-__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
22052+__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0U), \
22053+ __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0ULL, 0LL),\
22054+ __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0U, 0)))
22055
22056 /**
22057 * get_user: - Get a simple variable from user space.
22058@@ -178,10 +214,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
22059 register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \
22060 __chk_user_ptr(ptr); \
22061 might_fault(); \
22062+ pax_open_userland(); \
22063 asm volatile("call __get_user_%P3" \
22064 : "=a" (__ret_gu), "=r" (__val_gu) \
22065 : "0" (ptr), "i" (sizeof(*(ptr)))); \
22066 (x) = (__force __typeof__(*(ptr))) __val_gu; \
22067+ pax_close_userland(); \
22068 __ret_gu; \
22069 })
22070
22071@@ -189,13 +227,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
22072 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
22073 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
22074
22075-
22076+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
22077+#define __copyuser_seg "gs;"
22078+#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
22079+#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
22080+#else
22081+#define __copyuser_seg
22082+#define __COPYUSER_SET_ES
22083+#define __COPYUSER_RESTORE_ES
22084+#endif
22085
22086 #ifdef CONFIG_X86_32
22087 #define __put_user_asm_u64(x, addr, err, errret) \
22088 asm volatile(ASM_STAC "\n" \
22089- "1: movl %%eax,0(%2)\n" \
22090- "2: movl %%edx,4(%2)\n" \
22091+ "1: "__copyuser_seg"movl %%eax,0(%2)\n" \
22092+ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
22093 "3: " ASM_CLAC "\n" \
22094 ".section .fixup,\"ax\"\n" \
22095 "4: movl %3,%0\n" \
22096@@ -208,8 +254,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
22097
22098 #define __put_user_asm_ex_u64(x, addr) \
22099 asm volatile(ASM_STAC "\n" \
22100- "1: movl %%eax,0(%1)\n" \
22101- "2: movl %%edx,4(%1)\n" \
22102+ "1: "__copyuser_seg"movl %%eax,0(%1)\n" \
22103+ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
22104 "3: " ASM_CLAC "\n" \
22105 _ASM_EXTABLE_EX(1b, 2b) \
22106 _ASM_EXTABLE_EX(2b, 3b) \
22107@@ -260,7 +306,8 @@ extern void __put_user_8(void);
22108 __typeof__(*(ptr)) __pu_val; \
22109 __chk_user_ptr(ptr); \
22110 might_fault(); \
22111- __pu_val = x; \
22112+ __pu_val = (x); \
22113+ pax_open_userland(); \
22114 switch (sizeof(*(ptr))) { \
22115 case 1: \
22116 __put_user_x(1, __pu_val, ptr, __ret_pu); \
22117@@ -278,6 +325,7 @@ extern void __put_user_8(void);
22118 __put_user_x(X, __pu_val, ptr, __ret_pu); \
22119 break; \
22120 } \
22121+ pax_close_userland(); \
22122 __ret_pu; \
22123 })
22124
22125@@ -358,8 +406,10 @@ do { \
22126 } while (0)
22127
22128 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
22129+do { \
22130+ pax_open_userland(); \
22131 asm volatile(ASM_STAC "\n" \
22132- "1: mov"itype" %2,%"rtype"1\n" \
22133+ "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
22134 "2: " ASM_CLAC "\n" \
22135 ".section .fixup,\"ax\"\n" \
22136 "3: mov %3,%0\n" \
22137@@ -367,8 +417,10 @@ do { \
22138 " jmp 2b\n" \
22139 ".previous\n" \
22140 _ASM_EXTABLE(1b, 3b) \
22141- : "=r" (err), ltype(x) \
22142- : "m" (__m(addr)), "i" (errret), "0" (err))
22143+ : "=r" (err), ltype (x) \
22144+ : "m" (__m(addr)), "i" (errret), "0" (err)); \
22145+ pax_close_userland(); \
22146+} while (0)
22147
22148 #define __get_user_size_ex(x, ptr, size) \
22149 do { \
22150@@ -392,7 +444,7 @@ do { \
22151 } while (0)
22152
22153 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
22154- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
22155+ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
22156 "2:\n" \
22157 _ASM_EXTABLE_EX(1b, 2b) \
22158 : ltype(x) : "m" (__m(addr)))
22159@@ -409,13 +461,24 @@ do { \
22160 int __gu_err; \
22161 unsigned long __gu_val; \
22162 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
22163- (x) = (__force __typeof__(*(ptr)))__gu_val; \
22164+ (x) = (__typeof__(*(ptr)))__gu_val; \
22165 __gu_err; \
22166 })
22167
22168 /* FIXME: this hack is definitely wrong -AK */
22169 struct __large_struct { unsigned long buf[100]; };
22170-#define __m(x) (*(struct __large_struct __user *)(x))
22171+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22172+#define ____m(x) \
22173+({ \
22174+ unsigned long ____x = (unsigned long)(x); \
22175+ if (____x < pax_user_shadow_base) \
22176+ ____x += pax_user_shadow_base; \
22177+ (typeof(x))____x; \
22178+})
22179+#else
22180+#define ____m(x) (x)
22181+#endif
22182+#define __m(x) (*(struct __large_struct __user *)____m(x))
22183
22184 /*
22185 * Tell gcc we read from memory instead of writing: this is because
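Review bot: `____m()` is introduced without a comment, although `__m()` and the `cmpxchg` memory operands in later hunks now depend on it. As far as the macro shows, on x86-64 with UDEREF any address below `pax_user_shadow_base` has that base added before it is used as an asm memory operand; a line such as `/* UDEREF: rebase userland addresses by pax_user_shadow_base before they are used as "m" operands */` above the `#if` would record that. The same hunk drops `__force` from the cast at its top, and `get_user_ex()` does the same further down. If sparse is still run on this tree that is likely to produce address-space or bitwise warnings, so the reason deserves a sentence in the description.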
22186@@ -423,8 +486,10 @@ struct __large_struct { unsigned long buf[100]; };
22187 * aliasing issues.
22188 */
22189 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
22190+do { \
22191+ pax_open_userland(); \
22192 asm volatile(ASM_STAC "\n" \
22193- "1: mov"itype" %"rtype"1,%2\n" \
22194+ "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
22195 "2: " ASM_CLAC "\n" \
22196 ".section .fixup,\"ax\"\n" \
22197 "3: mov %3,%0\n" \
22198@@ -432,10 +497,12 @@ struct __large_struct { unsigned long buf[100]; };
22199 ".previous\n" \
22200 _ASM_EXTABLE(1b, 3b) \
22201 : "=r"(err) \
22202- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
22203+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err));\
22204+ pax_close_userland(); \
22205+} while (0)
22206
22207 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
22208- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
22209+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
22210 "2:\n" \
22211 _ASM_EXTABLE_EX(1b, 2b) \
22212 : : ltype(x), "m" (__m(addr)))
22213@@ -445,11 +512,13 @@ struct __large_struct { unsigned long buf[100]; };
22214 */
22215 #define uaccess_try do { \
22216 current_thread_info()->uaccess_err = 0; \
22217+ pax_open_userland(); \
22218 stac(); \
22219 barrier();
22220
22221 #define uaccess_catch(err) \
22222 clac(); \
22223+ pax_close_userland(); \
22224 (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \
22225 } while (0)
22226
22227@@ -475,8 +544,12 @@ struct __large_struct { unsigned long buf[100]; };
22228 * On error, the variable @x is set to zero.
22229 */
22230
22231+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22232+#define __get_user(x, ptr) get_user((x), (ptr))
22233+#else
22234 #define __get_user(x, ptr) \
22235 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
22236+#endif
22237
22238 /**
22239 * __put_user: - Write a simple value into user space, with less checking.
22240@@ -499,8 +572,12 @@ struct __large_struct { unsigned long buf[100]; };
22241 * Returns zero on success, or -EFAULT on error.
22242 */
22243
22244+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22245+#define __put_user(x, ptr) put_user((x), (ptr))
22246+#else
22247 #define __put_user(x, ptr) \
22248 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
22249+#endif
22250
22251 #define __get_user_unaligned __get_user
22252 #define __put_user_unaligned __put_user
22253@@ -518,7 +595,7 @@ struct __large_struct { unsigned long buf[100]; };
22254 #define get_user_ex(x, ptr) do { \
22255 unsigned long __gue_val; \
22256 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
22257- (x) = (__force __typeof__(*(ptr)))__gue_val; \
22258+ (x) = (__typeof__(*(ptr)))__gue_val; \
22259 } while (0)
22260
22261 #define put_user_try uaccess_try
22262@@ -536,7 +613,7 @@ extern __must_check long strlen_user(const char __user *str);
22263 extern __must_check long strnlen_user(const char __user *str, long n);
22264
22265 unsigned long __must_check clear_user(void __user *mem, unsigned long len);
22266-unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
22267+unsigned long __must_check __clear_user(void __user *mem, unsigned long len) __size_overflow(2);
22268
22269 extern void __cmpxchg_wrong_size(void)
22270 __compiletime_error("Bad argument size for cmpxchg");
22271@@ -547,18 +624,19 @@ extern void __cmpxchg_wrong_size(void)
22272 __typeof__(ptr) __uval = (uval); \
22273 __typeof__(*(ptr)) __old = (old); \
22274 __typeof__(*(ptr)) __new = (new); \
22275+ pax_open_userland(); \
22276 switch (size) { \
22277 case 1: \
22278 { \
22279 asm volatile("\t" ASM_STAC "\n" \
22280- "1:\t" LOCK_PREFIX "cmpxchgb %4, %2\n" \
22281+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgb %4, %2\n"\
22282 "2:\t" ASM_CLAC "\n" \
22283 "\t.section .fixup, \"ax\"\n" \
22284 "3:\tmov %3, %0\n" \
22285 "\tjmp 2b\n" \
22286 "\t.previous\n" \
22287 _ASM_EXTABLE(1b, 3b) \
22288- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
22289+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
22290 : "i" (-EFAULT), "q" (__new), "1" (__old) \
22291 : "memory" \
22292 ); \
22293@@ -567,14 +645,14 @@ extern void __cmpxchg_wrong_size(void)
22294 case 2: \
22295 { \
22296 asm volatile("\t" ASM_STAC "\n" \
22297- "1:\t" LOCK_PREFIX "cmpxchgw %4, %2\n" \
22298+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgw %4, %2\n"\
22299 "2:\t" ASM_CLAC "\n" \
22300 "\t.section .fixup, \"ax\"\n" \
22301 "3:\tmov %3, %0\n" \
22302 "\tjmp 2b\n" \
22303 "\t.previous\n" \
22304 _ASM_EXTABLE(1b, 3b) \
22305- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
22306+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
22307 : "i" (-EFAULT), "r" (__new), "1" (__old) \
22308 : "memory" \
22309 ); \
22310@@ -583,14 +661,14 @@ extern void __cmpxchg_wrong_size(void)
22311 case 4: \
22312 { \
22313 asm volatile("\t" ASM_STAC "\n" \
22314- "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n" \
22315+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"\
22316 "2:\t" ASM_CLAC "\n" \
22317 "\t.section .fixup, \"ax\"\n" \
22318 "3:\tmov %3, %0\n" \
22319 "\tjmp 2b\n" \
22320 "\t.previous\n" \
22321 _ASM_EXTABLE(1b, 3b) \
22322- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
22323+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
22324 : "i" (-EFAULT), "r" (__new), "1" (__old) \
22325 : "memory" \
22326 ); \
22327@@ -602,14 +680,14 @@ extern void __cmpxchg_wrong_size(void)
22328 __cmpxchg_wrong_size(); \
22329 \
22330 asm volatile("\t" ASM_STAC "\n" \
22331- "1:\t" LOCK_PREFIX "cmpxchgq %4, %2\n" \
22332+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgq %4, %2\n"\
22333 "2:\t" ASM_CLAC "\n" \
22334 "\t.section .fixup, \"ax\"\n" \
22335 "3:\tmov %3, %0\n" \
22336 "\tjmp 2b\n" \
22337 "\t.previous\n" \
22338 _ASM_EXTABLE(1b, 3b) \
22339- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
22340+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
22341 : "i" (-EFAULT), "r" (__new), "1" (__old) \
22342 : "memory" \
22343 ); \
22344@@ -618,6 +696,7 @@ extern void __cmpxchg_wrong_size(void)
22345 default: \
22346 __cmpxchg_wrong_size(); \
22347 } \
22348+ pax_close_userland(); \
22349 *__uval = __old; \
22350 __ret; \
22351 })
22352@@ -641,17 +720,6 @@ extern struct movsl_mask {
22353
22354 #define ARCH_HAS_NOCACHE_UACCESS 1
22355
22356-#ifdef CONFIG_X86_32
22357-# include <asm/uaccess_32.h>
22358-#else
22359-# include <asm/uaccess_64.h>
22360-#endif
22361-
22362-unsigned long __must_check _copy_from_user(void *to, const void __user *from,
22363- unsigned n);
22364-unsigned long __must_check _copy_to_user(void __user *to, const void *from,
22365- unsigned n);
22366-
22367 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
22368 # define copy_user_diag __compiletime_error
22369 #else
22370@@ -661,7 +729,7 @@ unsigned long __must_check _copy_to_user(void __user *to, const void *from,
22371 extern void copy_user_diag("copy_from_user() buffer size is too small")
22372 copy_from_user_overflow(void);
22373 extern void copy_user_diag("copy_to_user() buffer size is too small")
22374-copy_to_user_overflow(void) __asm__("copy_from_user_overflow");
22375+copy_to_user_overflow(void);
22376
22377 #undef copy_user_diag
22378
22379@@ -674,7 +742,7 @@ __copy_from_user_overflow(void) __asm__("copy_from_user_overflow");
22380
22381 extern void
22382 __compiletime_warning("copy_to_user() buffer size is not provably correct")
22383-__copy_to_user_overflow(void) __asm__("copy_from_user_overflow");
22384+__copy_to_user_overflow(void) __asm__("copy_to_user_overflow");
22385 #define __copy_to_user_overflow(size, count) __copy_to_user_overflow()
22386
22387 #else
22388@@ -689,10 +757,16 @@ __copy_from_user_overflow(int size, unsigned long count)
22389
22390 #endif
22391
22392+#ifdef CONFIG_X86_32
22393+# include <asm/uaccess_32.h>
22394+#else
22395+# include <asm/uaccess_64.h>
22396+#endif
22397+
22398 static inline unsigned long __must_check
22399 copy_from_user(void *to, const void __user *from, unsigned long n)
22400 {
22401- int sz = __compiletime_object_size(to);
22402+ size_t sz = __compiletime_object_size(to);
22403
22404 might_fault();
22405
22406@@ -714,12 +788,15 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
22407 * case, and do only runtime checking for non-constant sizes.
22408 */
22409
22410- if (likely(sz < 0 || sz >= n))
22411- n = _copy_from_user(to, from, n);
22412- else if(__builtin_constant_p(n))
22413- copy_from_user_overflow();
22414- else
22415- __copy_from_user_overflow(sz, n);
22416+ if (likely(sz != (size_t)-1 && sz < n)) {
22417+ if(__builtin_constant_p(n))
22418+ copy_from_user_overflow();
22419+ else
22420+ __copy_from_user_overflow(sz, n);
22421+ } else if (access_ok(VERIFY_READ, from, n))
22422+ n = __copy_from_user(to, from, n);
22423+ else if ((long)n > 0)
22424+ memset(to, 0, n);
22425
22426 return n;
22427 }
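Review bot: The branch hint ends up on the wrong path: `if (likely(sz != (size_t)-1 && sz < n))` marks the overflow-report branch as the expected one, whereas the removed `likely()` wrapped the condition for the normal copy. The equivalent checks added to `__copy_from_user_nocheck()` and `__copy_to_user_nocheck()` in uaccess_64.h use `unlikely(...)`. Use the same form here and in the `copy_to_user()` hunk that follows: `if (unlikely(sz != (size_t)-1 && sz < n)) {`. The start of `copy_from_user()` is outside this hunk.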
22428@@ -727,17 +804,18 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
22429 static inline unsigned long __must_check
22430 copy_to_user(void __user *to, const void *from, unsigned long n)
22431 {
22432- int sz = __compiletime_object_size(from);
22433+ size_t sz = __compiletime_object_size(from);
22434
22435 might_fault();
22436
22437 /* See the comment in copy_from_user() above. */
22438- if (likely(sz < 0 || sz >= n))
22439- n = _copy_to_user(to, from, n);
22440- else if(__builtin_constant_p(n))
22441- copy_to_user_overflow();
22442- else
22443- __copy_to_user_overflow(sz, n);
22444+ if (likely(sz != (size_t)-1 && sz < n)) {
22445+ if(__builtin_constant_p(n))
22446+ copy_to_user_overflow();
22447+ else
22448+ __copy_to_user_overflow(sz, n);
22449+ } else if (access_ok(VERIFY_WRITE, to, n))
22450+ n = __copy_to_user(to, from, n);
22451
22452 return n;
22453 }
22454diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
22455index f5dcb52..da2c15b 100644
22456--- a/arch/x86/include/asm/uaccess_32.h
22457+++ b/arch/x86/include/asm/uaccess_32.h
22458@@ -40,9 +40,14 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
22459 * anything, so this is accurate.
22460 */
22461
22462-static __always_inline unsigned long __must_check
22463+static __always_inline __size_overflow(3) unsigned long __must_check
22464 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
22465 {
22466+ if ((long)n < 0)
22467+ return n;
22468+
22469+ check_object_size(from, n, true);
22470+
22471 if (__builtin_constant_p(n)) {
22472 unsigned long ret;
22473
22474@@ -87,12 +92,16 @@ static __always_inline unsigned long __must_check
22475 __copy_to_user(void __user *to, const void *from, unsigned long n)
22476 {
22477 might_fault();
22478+
22479 return __copy_to_user_inatomic(to, from, n);
22480 }
22481
22482-static __always_inline unsigned long
22483+static __always_inline __size_overflow(3) unsigned long
22484 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
22485 {
22486+ if ((long)n < 0)
22487+ return n;
22488+
22489 /* Avoid zeroing the tail if the copy fails..
22490 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
22491 * but as the zeroing behaviour is only significant when n is not
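Review bot: `__copy_from_user_inatomic()` gains only the `(long)n < 0` guard, while `__copy_to_user_inatomic()` in the previous hunk and `__copy_from_user()` in the next one also call `check_object_size()`. `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()` further down are in the same position. If skipping the destination-object check on these paths is deliberate, state the reason in a comment above the guard; otherwise add `check_object_size(to, n, false);` after it. The rest of the function body lies outside the hunk.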
22492@@ -143,6 +152,12 @@ static __always_inline unsigned long
22493 __copy_from_user(void *to, const void __user *from, unsigned long n)
22494 {
22495 might_fault();
22496+
22497+ if ((long)n < 0)
22498+ return n;
22499+
22500+ check_object_size(to, n, false);
22501+
22502 if (__builtin_constant_p(n)) {
22503 unsigned long ret;
22504
22505@@ -165,6 +180,10 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
22506 const void __user *from, unsigned long n)
22507 {
22508 might_fault();
22509+
22510+ if ((long)n < 0)
22511+ return n;
22512+
22513 if (__builtin_constant_p(n)) {
22514 unsigned long ret;
22515
22516@@ -187,7 +206,10 @@ static __always_inline unsigned long
22517 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
22518 unsigned long n)
22519 {
22520- return __copy_from_user_ll_nocache_nozero(to, from, n);
22521+ if ((long)n < 0)
22522+ return n;
22523+
22524+ return __copy_from_user_ll_nocache_nozero(to, from, n);
22525 }
22526
22527 #endif /* _ASM_X86_UACCESS_32_H */
22528diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
22529index f2f9b39..2ae1bf8 100644
22530--- a/arch/x86/include/asm/uaccess_64.h
22531+++ b/arch/x86/include/asm/uaccess_64.h
22532@@ -10,6 +10,9 @@
22533 #include <asm/alternative.h>
22534 #include <asm/cpufeature.h>
22535 #include <asm/page.h>
22536+#include <asm/pgtable.h>
22537+
22538+#define set_fs(x) (current_thread_info()->addr_limit = (x))
22539
22540 /*
22541 * Copy To/From Userspace
22542@@ -23,8 +26,8 @@ copy_user_generic_string(void *to, const void *from, unsigned len);
22543 __must_check unsigned long
22544 copy_user_generic_unrolled(void *to, const void *from, unsigned len);
22545
22546-static __always_inline __must_check unsigned long
22547-copy_user_generic(void *to, const void *from, unsigned len)
22548+static __always_inline __must_check __size_overflow(3) unsigned long
22549+copy_user_generic(void *to, const void *from, unsigned long len)
22550 {
22551 unsigned ret;
22552
22553@@ -46,121 +49,170 @@ copy_user_generic(void *to, const void *from, unsigned len)
22554 }
22555
22556 __must_check unsigned long
22557-copy_in_user(void __user *to, const void __user *from, unsigned len);
22558+copy_in_user(void __user *to, const void __user *from, unsigned long len);
22559
22560 static __always_inline __must_check
22561-int __copy_from_user_nocheck(void *dst, const void __user *src, unsigned size)
22562+unsigned long __copy_from_user_nocheck(void *dst, const void __user *src, unsigned long size)
22563 {
22564- int ret = 0;
22565+ size_t sz = __compiletime_object_size(dst);
22566+ unsigned ret = 0;
22567+
22568+ if (size > INT_MAX)
22569+ return size;
22570+
22571+ check_object_size(dst, size, false);
22572+
22573+#ifdef CONFIG_PAX_MEMORY_UDEREF
22574+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22575+ return size;
22576+#endif
22577+
22578+ if (unlikely(sz != (size_t)-1 && sz < size)) {
22579+ if(__builtin_constant_p(size))
22580+ copy_from_user_overflow();
22581+ else
22582+ __copy_from_user_overflow(sz, size);
22583+ return size;
22584+ }
22585
22586 if (!__builtin_constant_p(size))
22587- return copy_user_generic(dst, (__force void *)src, size);
22588+ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
22589 switch (size) {
22590- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
22591+ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
22592 ret, "b", "b", "=q", 1);
22593 return ret;
22594- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
22595+ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
22596 ret, "w", "w", "=r", 2);
22597 return ret;
22598- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
22599+ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
22600 ret, "l", "k", "=r", 4);
22601 return ret;
22602- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
22603+ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22604 ret, "q", "", "=r", 8);
22605 return ret;
22606 case 10:
22607- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
22608+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22609 ret, "q", "", "=r", 10);
22610 if (unlikely(ret))
22611 return ret;
22612 __get_user_asm(*(u16 *)(8 + (char *)dst),
22613- (u16 __user *)(8 + (char __user *)src),
22614+ (const u16 __user *)(8 + (const char __user *)src),
22615 ret, "w", "w", "=r", 2);
22616 return ret;
22617 case 16:
22618- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
22619+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22620 ret, "q", "", "=r", 16);
22621 if (unlikely(ret))
22622 return ret;
22623 __get_user_asm(*(u64 *)(8 + (char *)dst),
22624- (u64 __user *)(8 + (char __user *)src),
22625+ (const u64 __user *)(8 + (const char __user *)src),
22626 ret, "q", "", "=r", 8);
22627 return ret;
22628 default:
22629- return copy_user_generic(dst, (__force void *)src, size);
22630+ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
22631 }
22632 }
22633
22634 static __always_inline __must_check
22635-int __copy_from_user(void *dst, const void __user *src, unsigned size)
22636+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size)
22637 {
22638 might_fault();
22639 return __copy_from_user_nocheck(dst, src, size);
22640 }
22641
22642 static __always_inline __must_check
22643-int __copy_to_user_nocheck(void __user *dst, const void *src, unsigned size)
22644+unsigned long __copy_to_user_nocheck(void __user *dst, const void *src, unsigned long size)
22645 {
22646- int ret = 0;
22647+ size_t sz = __compiletime_object_size(src);
22648+ unsigned ret = 0;
22649+
22650+ if (size > INT_MAX)
22651+ return size;
22652+
22653+ check_object_size(src, size, true);
22654+
22655+#ifdef CONFIG_PAX_MEMORY_UDEREF
22656+ if (!access_ok_noprefault(VERIFY_WRITE, dst, size))
22657+ return size;
22658+#endif
22659+
22660+ if (unlikely(sz != (size_t)-1 && sz < size)) {
22661+ if(__builtin_constant_p(size))
22662+ copy_to_user_overflow();
22663+ else
22664+ __copy_to_user_overflow(sz, size);
22665+ return size;
22666+ }
22667
22668 if (!__builtin_constant_p(size))
22669- return copy_user_generic((__force void *)dst, src, size);
22670+ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
22671 switch (size) {
22672- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
22673+ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
22674 ret, "b", "b", "iq", 1);
22675 return ret;
22676- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
22677+ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
22678 ret, "w", "w", "ir", 2);
22679 return ret;
22680- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
22681+ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
22682 ret, "l", "k", "ir", 4);
22683 return ret;
22684- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
22685+ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22686 ret, "q", "", "er", 8);
22687 return ret;
22688 case 10:
22689- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
22690+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22691 ret, "q", "", "er", 10);
22692 if (unlikely(ret))
22693 return ret;
22694 asm("":::"memory");
22695- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
22696+ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
22697 ret, "w", "w", "ir", 2);
22698 return ret;
22699 case 16:
22700- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
22701+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22702 ret, "q", "", "er", 16);
22703 if (unlikely(ret))
22704 return ret;
22705 asm("":::"memory");
22706- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
22707+ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
22708 ret, "q", "", "er", 8);
22709 return ret;
22710 default:
22711- return copy_user_generic((__force void *)dst, src, size);
22712+ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
22713 }
22714 }
22715
22716 static __always_inline __must_check
22717-int __copy_to_user(void __user *dst, const void *src, unsigned size)
22718+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size)
22719 {
22720 might_fault();
22721 return __copy_to_user_nocheck(dst, src, size);
22722 }
22723
22724 static __always_inline __must_check
22725-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22726+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22727 {
22728- int ret = 0;
22729+ unsigned ret = 0;
22730
22731 might_fault();
22732+
22733+ if (size > INT_MAX)
22734+ return size;
22735+
22736+#ifdef CONFIG_PAX_MEMORY_UDEREF
22737+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22738+ return size;
22739+ if (!access_ok_noprefault(VERIFY_WRITE, dst, size))
22740+ return size;
22741+#endif
22742+
22743 if (!__builtin_constant_p(size))
22744- return copy_user_generic((__force void *)dst,
22745- (__force void *)src, size);
22746+ return copy_user_generic((__force_kernel void *)____m(dst),
22747+ (__force_kernel const void *)____m(src), size);
22748 switch (size) {
22749 case 1: {
22750 u8 tmp;
22751- __get_user_asm(tmp, (u8 __user *)src,
22752+ __get_user_asm(tmp, (const u8 __user *)src,
22753 ret, "b", "b", "=q", 1);
22754 if (likely(!ret))
22755 __put_user_asm(tmp, (u8 __user *)dst,
22756@@ -169,7 +221,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22757 }
22758 case 2: {
22759 u16 tmp;
22760- __get_user_asm(tmp, (u16 __user *)src,
22761+ __get_user_asm(tmp, (const u16 __user *)src,
22762 ret, "w", "w", "=r", 2);
22763 if (likely(!ret))
22764 __put_user_asm(tmp, (u16 __user *)dst,
22765@@ -179,7 +231,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22766
22767 case 4: {
22768 u32 tmp;
22769- __get_user_asm(tmp, (u32 __user *)src,
22770+ __get_user_asm(tmp, (const u32 __user *)src,
22771 ret, "l", "k", "=r", 4);
22772 if (likely(!ret))
22773 __put_user_asm(tmp, (u32 __user *)dst,
22774@@ -188,7 +240,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22775 }
22776 case 8: {
22777 u64 tmp;
22778- __get_user_asm(tmp, (u64 __user *)src,
22779+ __get_user_asm(tmp, (const u64 __user *)src,
22780 ret, "q", "", "=r", 8);
22781 if (likely(!ret))
22782 __put_user_asm(tmp, (u64 __user *)dst,
22783@@ -196,41 +248,58 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22784 return ret;
22785 }
22786 default:
22787- return copy_user_generic((__force void *)dst,
22788- (__force void *)src, size);
22789+ return copy_user_generic((__force_kernel void *)____m(dst),
22790+ (__force_kernel const void *)____m(src), size);
22791 }
22792 }
22793
22794-static __must_check __always_inline int
22795-__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
22796+static __must_check __always_inline unsigned long
22797+__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
22798 {
22799 return __copy_from_user_nocheck(dst, src, size);
22800 }
22801
22802-static __must_check __always_inline int
22803-__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
22804+static __must_check __always_inline unsigned long
22805+__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size)
22806 {
22807 return __copy_to_user_nocheck(dst, src, size);
22808 }
22809
22810-extern long __copy_user_nocache(void *dst, const void __user *src,
22811- unsigned size, int zerorest);
22812+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
22813+ unsigned long size, int zerorest);
22814
22815-static inline int
22816-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
22817+static inline unsigned long
22818+__copy_from_user_nocache(void *dst, const void __user *src, unsigned long size)
22819 {
22820 might_fault();
22821+
22822+ if (size > INT_MAX)
22823+ return size;
22824+
22825+#ifdef CONFIG_PAX_MEMORY_UDEREF
22826+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22827+ return size;
22828+#endif
22829+
22830 return __copy_user_nocache(dst, src, size, 1);
22831 }
22832
22833-static inline int
22834+static inline unsigned long
22835 __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
22836- unsigned size)
22837+ unsigned long size)
22838 {
22839+ if (size > INT_MAX)
22840+ return size;
22841+
22842+#ifdef CONFIG_PAX_MEMORY_UDEREF
22843+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22844+ return size;
22845+#endif
22846+
22847 return __copy_user_nocache(dst, src, size, 0);
22848 }
22849
22850 unsigned long
22851-copy_user_handle_tail(char *to, char *from, unsigned len);
22852+copy_user_handle_tail(char __user *to, char __user *from, unsigned long len) __size_overflow(3);
22853
22854 #endif /* _ASM_X86_UACCESS_64_H */
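Review bot: The early `return size;` exits added to `__copy_from_user_nocache()` come before the final `__copy_user_nocache(dst, src, size, 1)` call, so on those paths `dst` is left exactly as the caller passed it. If the `zerorest` argument of 1 means the uncopied tail is cleared on a fault (the prototype names it but the hunk does not show its behaviour), a rejected copy is now the one failure mode that leaves stale bytes in the buffer. A caller that ignores the `unsigned long` result would then consume them. A comment at both guards would make the contract explicit, e.g. `/* rejected before any copy: dst is NOT zeroed, the caller must check the return value */`. The same `size > INT_MAX` plus `access_ok_noprefault()` sequence is repeated in `__copy_from_user_inatomic_nocache()` and could live in one small inline helper.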
22855diff --git a/arch/x86/include/asm/word-at-a-time.h b/arch/x86/include/asm/word-at-a-time.h
22856index 5b238981..77fdd78 100644
22857--- a/arch/x86/include/asm/word-at-a-time.h
22858+++ b/arch/x86/include/asm/word-at-a-time.h
22859@@ -11,7 +11,7 @@
22860 * and shift, for example.
22861 */
22862 struct word_at_a_time {
22863- const unsigned long one_bits, high_bits;
22864+ unsigned long one_bits, high_bits;
22865 };
22866
22867 #define WORD_AT_A_TIME_CONSTANTS { REPEAT_BYTE(0x01), REPEAT_BYTE(0x80) }
22868diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
22869index 48d34d2..90671c7 100644
22870--- a/arch/x86/include/asm/x86_init.h
22871+++ b/arch/x86/include/asm/x86_init.h
22872@@ -129,7 +129,7 @@ struct x86_init_ops {
22873 struct x86_init_timers timers;
22874 struct x86_init_iommu iommu;
22875 struct x86_init_pci pci;
22876-};
22877+} __no_const;
22878
22879 /**
22880 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
22881@@ -140,7 +140,7 @@ struct x86_cpuinit_ops {
22882 void (*setup_percpu_clockev)(void);
22883 void (*early_percpu_clock_init)(void);
22884 void (*fixup_cpu_id)(struct cpuinfo_x86 *c, int node);
22885-};
22886+} __no_const;
22887
22888 struct timespec;
22889
22890@@ -168,7 +168,7 @@ struct x86_platform_ops {
22891 void (*save_sched_clock_state)(void);
22892 void (*restore_sched_clock_state)(void);
22893 void (*apic_post_init)(void);
22894-};
22895+} __no_const;
22896
22897 struct pci_dev;
22898
22899@@ -177,12 +177,12 @@ struct x86_msi_ops {
22900 void (*teardown_msi_irq)(unsigned int irq);
22901 void (*teardown_msi_irqs)(struct pci_dev *dev);
22902 void (*restore_msi_irqs)(struct pci_dev *dev);
22903-};
22904+} __no_const;
22905
22906 struct x86_io_apic_ops {
22907 unsigned int (*read) (unsigned int apic, unsigned int reg);
22908 void (*disable)(void);
22909-};
22910+} __no_const;
22911
22912 extern struct x86_init_ops x86_init;
22913 extern struct x86_cpuinit_ops x86_cpuinit;
22914diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h
22915index c44a5d5..7f83cfc 100644
22916--- a/arch/x86/include/asm/xen/page.h
22917+++ b/arch/x86/include/asm/xen/page.h
22918@@ -82,7 +82,7 @@ static inline int xen_safe_read_ulong(unsigned long *addr, unsigned long *val)
22919 * - get_phys_to_machine() is to be called by __pfn_to_mfn() only in special
22920 * cases needing an extended handling.
22921 */
22922-static inline unsigned long __pfn_to_mfn(unsigned long pfn)
22923+static inline unsigned long __intentional_overflow(-1) __pfn_to_mfn(unsigned long pfn)
22924 {
22925 unsigned long mfn;
22926
22927diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h
22928index 0f457e6..5970c0a 100644
22929--- a/arch/x86/include/uapi/asm/e820.h
22930+++ b/arch/x86/include/uapi/asm/e820.h
22931@@ -69,7 +69,7 @@ struct e820map {
22932 #define ISA_START_ADDRESS 0xa0000
22933 #define ISA_END_ADDRESS 0x100000
22934
22935-#define BIOS_BEGIN 0x000a0000
22936+#define BIOS_BEGIN 0x000c0000
22937 #define BIOS_END 0x00100000
22938
22939 #define BIOS_ROM_BASE 0xffe00000
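Review bot: `BIOS_BEGIN` moves from 0x000a0000 to 0x000c0000 with no comment, while `ISA_START_ADDRESS` two lines above stays at 0xa0000, so the two constants no longer share a lower bound. Any range test written against `BIOS_BEGIN`..`BIOS_END` now treats 0xa0000-0xbffff as outside the BIOS area; presumably that is the intent, but the header should say so. A one-line comment such as `/* BIOS range deliberately starts above the 0xa0000-0xbffff window */` would do. Because this file lives under `uapi/`, the changed value is also visible to user space and belongs in the change description.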
22940diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
22941index 0f15af4..501a76a 100644
22942--- a/arch/x86/kernel/Makefile
22943+++ b/arch/x86/kernel/Makefile
22944@@ -28,7 +28,7 @@ obj-y += time.o ioport.o ldt.o dumpstack.o nmi.o
22945 obj-y += setup.o x86_init.o i8259.o irqinit.o jump_label.o
22946 obj-$(CONFIG_IRQ_WORK) += irq_work.o
22947 obj-y += probe_roms.o
22948-obj-$(CONFIG_X86_32) += i386_ksyms_32.o
22949+obj-$(CONFIG_X86_32) += sys_i386_32.o i386_ksyms_32.o
22950 obj-$(CONFIG_X86_64) += sys_x86_64.o x8664_ksyms_64.o
22951 obj-$(CONFIG_X86_64) += mcount_64.o
22952 obj-$(CONFIG_X86_ESPFIX64) += espfix_64.o
22953diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
22954index 9393896..adbaa90 100644
22955--- a/arch/x86/kernel/acpi/boot.c
22956+++ b/arch/x86/kernel/acpi/boot.c
22957@@ -1333,7 +1333,7 @@ static void __init acpi_reduced_hw_init(void)
22958 * If your system is blacklisted here, but you find that acpi=force
22959 * works for you, please contact linux-acpi@vger.kernel.org
22960 */
22961-static struct dmi_system_id __initdata acpi_dmi_table[] = {
22962+static const struct dmi_system_id __initconst acpi_dmi_table[] = {
22963 /*
22964 * Boxes that need ACPI disabled
22965 */
22966@@ -1408,7 +1408,7 @@ static struct dmi_system_id __initdata acpi_dmi_table[] = {
22967 };
22968
22969 /* second table for DMI checks that should run after early-quirks */
22970-static struct dmi_system_id __initdata acpi_dmi_table_late[] = {
22971+static const struct dmi_system_id __initconst acpi_dmi_table_late[] = {
22972 /*
22973 * HP laptops which use a DSDT reporting as HP/SB400/10000,
22974 * which includes some code which overrides all temperature
22975diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c
22976index d1daead..acd77e2 100644
22977--- a/arch/x86/kernel/acpi/sleep.c
22978+++ b/arch/x86/kernel/acpi/sleep.c
22979@@ -99,8 +99,12 @@ int x86_acpi_suspend_lowlevel(void)
22980 #else /* CONFIG_64BIT */
22981 #ifdef CONFIG_SMP
22982 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
22983+
22984+ pax_open_kernel();
22985 early_gdt_descr.address =
22986 (unsigned long)get_cpu_gdt_table(smp_processor_id());
22987+ pax_close_kernel();
22988+
22989 initial_gs = per_cpu_offset(smp_processor_id());
22990 #endif
22991 initial_code = (unsigned long)wakeup_long64;
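Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair brackets the calls to `smp_processor_id()` and `get_cpu_gdt_table()` as well as the store, so the window in which otherwise read-only kernel data is writable is wider than the single assignment needs. Computing the value first narrows it to one store: `unsigned long gdt_addr = (unsigned long)get_cpu_gdt_table(smp_processor_id());` ahead of the open, then `early_gdt_descr.address = gdt_addr;` between the two calls. x86_acpi_suspend_lowlevel() starts and ends outside this hunk, so the new local would be declared with its other locals.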
22992diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S
22993index 0c26b1b..a766e85 100644
22994--- a/arch/x86/kernel/acpi/wakeup_32.S
22995+++ b/arch/x86/kernel/acpi/wakeup_32.S
22996@@ -31,13 +31,11 @@ wakeup_pmode_return:
22997 # and restore the stack ... but you need gdt for this to work
22998 movl saved_context_esp, %esp
22999
23000- movl %cs:saved_magic, %eax
23001- cmpl $0x12345678, %eax
23002+ cmpl $0x12345678, saved_magic
23003 jne bogus_magic
23004
23005 # jump to place where we left off
23006- movl saved_eip, %eax
23007- jmp *%eax
23008+ jmp *(saved_eip)
23009
23010 bogus_magic:
23011 jmp bogus_magic
23012diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
23013index c42827e..c2fd50b 100644
23014--- a/arch/x86/kernel/alternative.c
23015+++ b/arch/x86/kernel/alternative.c
23016@@ -20,6 +20,7 @@
23017 #include <asm/tlbflush.h>
23018 #include <asm/io.h>
23019 #include <asm/fixmap.h>
23020+#include <asm/boot.h>
23021
23022 int __read_mostly alternatives_patched;
23023
23024@@ -261,7 +262,9 @@ static void __init_or_module add_nops(void *insns, unsigned int len)
23025 unsigned int noplen = len;
23026 if (noplen > ASM_NOP_MAX)
23027 noplen = ASM_NOP_MAX;
23028+ pax_open_kernel();
23029 memcpy(insns, ideal_nops[noplen], noplen);
23030+ pax_close_kernel();
23031 insns += noplen;
23032 len -= noplen;
23033 }
23034@@ -289,6 +292,13 @@ recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf)
23035 if (a->replacementlen != 5)
23036 return;
23037
23038+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23039+ if (orig_insn < (u8 *)_text || (u8 *)_einittext <= orig_insn)
23040+ orig_insn = (u8 *)ktva_ktla((unsigned long)orig_insn);
23041+ else
23042+ orig_insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23043+#endif
23044+
23045 o_dspl = *(s32 *)(insnbuf + 1);
23046
23047 /* next_rip of the replacement JMP */
23048@@ -359,6 +369,7 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
23049 {
23050 struct alt_instr *a;
23051 u8 *instr, *replacement;
23052+ u8 *vinstr, *vreplacement;
23053 u8 insnbuf[MAX_PATCH_LEN];
23054
23055 DPRINTK("alt table %p -> %p", start, end);
23056@@ -374,46 +385,71 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
23057 for (a = start; a < end; a++) {
23058 int insnbuf_sz = 0;
23059
23060- instr = (u8 *)&a->instr_offset + a->instr_offset;
23061- replacement = (u8 *)&a->repl_offset + a->repl_offset;
23062+ vinstr = instr = (u8 *)&a->instr_offset + a->instr_offset;
23063+
23064+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23065+ if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= instr &&
23066+ instr < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
23067+ instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23068+ vinstr = (u8 *)ktla_ktva((unsigned long)instr);
23069+ } else if ((u8 *)_text <= instr && instr < (u8 *)_einittext) {
23070+ vinstr = (u8 *)ktla_ktva((unsigned long)instr);
23071+ } else {
23072+ instr = (u8 *)ktva_ktla((unsigned long)instr);
23073+ }
23074+#endif
23075+
23076+ vreplacement = replacement = (u8 *)&a->repl_offset + a->repl_offset;
23077+
23078+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23079+ if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= replacement &&
23080+ replacement < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
23081+ replacement += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23082+ vreplacement = (u8 *)ktla_ktva((unsigned long)replacement);
23083+ } else if ((u8 *)_text <= replacement && replacement < (u8 *)_einittext) {
23084+ vreplacement = (u8 *)ktla_ktva((unsigned long)replacement);
23085+ } else
23086+ replacement = (u8 *)ktva_ktla((unsigned long)replacement);
23087+#endif
23088+
23089 BUG_ON(a->instrlen > sizeof(insnbuf));
23090 BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);
23091 if (!boot_cpu_has(a->cpuid)) {
23092 if (a->padlen > 1)
23093- optimize_nops(a, instr);
23094+ optimize_nops(a, vinstr);
23095
23096 continue;
23097 }
23098
23099- DPRINTK("feat: %d*32+%d, old: (%p, len: %d), repl: (%p, len: %d), pad: %d",
23100+ DPRINTK("feat: %d*32+%d, old: (%p/%p, len: %d), repl: (%p, len: %d), pad: %d",
23101 a->cpuid >> 5,
23102 a->cpuid & 0x1f,
23103- instr, a->instrlen,
23104- replacement, a->replacementlen, a->padlen);
23105+ instr, vinstr, a->instrlen,
23106+ vreplacement, a->replacementlen, a->padlen);
23107
23108- DUMP_BYTES(instr, a->instrlen, "%p: old_insn: ", instr);
23109- DUMP_BYTES(replacement, a->replacementlen, "%p: rpl_insn: ", replacement);
23110+ DUMP_BYTES(vinstr, a->instrlen, "%p: old_insn: ", vinstr);
23111+ DUMP_BYTES(vreplacement, a->replacementlen, "%p: rpl_insn: ", vreplacement);
23112
23113- memcpy(insnbuf, replacement, a->replacementlen);
23114+ memcpy(insnbuf, vreplacement, a->replacementlen);
23115 insnbuf_sz = a->replacementlen;
23116
23117 /* 0xe8 is a relative jump; fix the offset. */
23118 if (*insnbuf == 0xe8 && a->replacementlen == 5) {
23119- *(s32 *)(insnbuf + 1) += replacement - instr;
23120+ *(s32 *)(insnbuf + 1) += vreplacement - vinstr;
23121 DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
23122 *(s32 *)(insnbuf + 1),
23123- (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5);
23124+ (unsigned long)vinstr + *(s32 *)(insnbuf + 1) + 5);
23125 }
23126
23127- if (a->replacementlen && is_jmp(replacement[0]))
23128- recompute_jump(a, instr, replacement, insnbuf);
23129+ if (a->replacementlen && is_jmp(vreplacement[0]))
23130+ recompute_jump(a, instr, vreplacement, insnbuf);
23131
23132 if (a->instrlen > a->replacementlen) {
23133 add_nops(insnbuf + a->replacementlen,
23134 a->instrlen - a->replacementlen);
23135 insnbuf_sz += a->instrlen - a->replacementlen;
23136 }
23137- DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", instr);
23138+ DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", vinstr);
23139
23140 text_poke_early(instr, insnbuf, insnbuf_sz);
23141 }
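Review bot: The address translation for `instr` and for `replacement` is the same three-way range test written out twice, and the two copies already differ in style (the first closes with a braced `else { ... }`, the second with an unbraced `else`). Since these tests decide which address `text_poke_early()` finally writes to, a single helper is safer than two copies that can drift apart. It would also be the natural place to document that `instr`/`replacement` hold the address later handed to `text_poke_early()` and `recompute_jump()`, while `vinstr`/`vreplacement` are the aliases used for reads. The helper sketched below would sit above apply_alternatives(), which begins outside this hunk; the name is a suggestion.

```c
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
/*
 * Translate a patch-site pointer in place: *la becomes the address handed to
 * text_poke_early(), *va the alias used for reading the bytes.
 */
static void __init_or_module alt_fixup_addr(u8 **la, u8 **va)
{
	if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= *la &&
	    *la < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
		*la += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
		*va = (u8 *)ktla_ktva((unsigned long)*la);
	} else if ((u8 *)_text <= *la && *la < (u8 *)_einittext) {
		*va = (u8 *)ktla_ktva((unsigned long)*la);
	} else {
		*la = (u8 *)ktva_ktla((unsigned long)*la);
	}
}
#else
static inline void alt_fixup_addr(u8 **la, u8 **va) { }
#endif

		vinstr = instr = (u8 *)&a->instr_offset + a->instr_offset;
		alt_fixup_addr(&instr, &vinstr);

		vreplacement = replacement = (u8 *)&a->repl_offset + a->repl_offset;
		alt_fixup_addr(&replacement, &vreplacement);

		/* … unchanged: BUG_ON checks, feature test, insnbuf assembly, text_poke_early() … */
```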
23142@@ -429,10 +465,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end,
23143 for (poff = start; poff < end; poff++) {
23144 u8 *ptr = (u8 *)poff + *poff;
23145
23146+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23147+ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23148+ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
23149+ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23150+#endif
23151+
23152 if (!*poff || ptr < text || ptr >= text_end)
23153 continue;
23154 /* turn DS segment override prefix into lock prefix */
23155- if (*ptr == 0x3e)
23156+ if (*(u8 *)ktla_ktva((unsigned long)ptr) == 0x3e)
23157 text_poke(ptr, ((unsigned char []){0xf0}), 1);
23158 }
23159 mutex_unlock(&text_mutex);
23160@@ -447,10 +489,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end,
23161 for (poff = start; poff < end; poff++) {
23162 u8 *ptr = (u8 *)poff + *poff;
23163
23164+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23165+ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23166+ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
23167+ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23168+#endif
23169+
23170 if (!*poff || ptr < text || ptr >= text_end)
23171 continue;
23172 /* turn lock prefix into DS segment override prefix */
23173- if (*ptr == 0xf0)
23174+ if (*(u8 *)ktla_ktva((unsigned long)ptr) == 0xf0)
23175 text_poke(ptr, ((unsigned char []){0x3E}), 1);
23176 }
23177 mutex_unlock(&text_mutex);
23178@@ -587,7 +635,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
23179
23180 BUG_ON(p->len > MAX_PATCH_LEN);
23181 /* prep the buffer with the original instructions */
23182- memcpy(insnbuf, p->instr, p->len);
23183+ memcpy(insnbuf, (const void *)ktla_ktva((unsigned long)p->instr), p->len);
23184 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
23185 (unsigned long)p->instr, p->len);
23186
23187@@ -634,7 +682,7 @@ void __init alternative_instructions(void)
23188 if (!uniproc_patched || num_possible_cpus() == 1)
23189 free_init_pages("SMP alternatives",
23190 (unsigned long)__smp_locks,
23191- (unsigned long)__smp_locks_end);
23192+ PAGE_ALIGN((unsigned long)__smp_locks_end));
23193 #endif
23194
23195 apply_paravirt(__parainstructions, __parainstructions_end);
23196@@ -655,13 +703,17 @@ void __init alternative_instructions(void)
23197 * instructions. And on the local CPU you need to be protected again NMI or MCE
23198 * handlers seeing an inconsistent instruction while you patch.
23199 */
23200-void *__init_or_module text_poke_early(void *addr, const void *opcode,
23201+void *__kprobes text_poke_early(void *addr, const void *opcode,
23202 size_t len)
23203 {
23204 unsigned long flags;
23205 local_irq_save(flags);
23206- memcpy(addr, opcode, len);
23207+
23208+ pax_open_kernel();
23209+ memcpy((void *)ktla_ktva((unsigned long)addr), opcode, len);
23210 sync_core();
23211+ pax_close_kernel();
23212+
23213 local_irq_restore(flags);
23214 /* Could also do a CLFLUSH here to speed up CPU recovery; but
23215 that causes hangs on some VIA CPUs. */
23216@@ -683,36 +735,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode,
23217 */
23218 void *text_poke(void *addr, const void *opcode, size_t len)
23219 {
23220- unsigned long flags;
23221- char *vaddr;
23222+ unsigned char *vaddr = (void *)ktla_ktva((unsigned long)addr);
23223 struct page *pages[2];
23224- int i;
23225+ size_t i;
23226
23227 if (!core_kernel_text((unsigned long)addr)) {
23228- pages[0] = vmalloc_to_page(addr);
23229- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
23230+ pages[0] = vmalloc_to_page(vaddr);
23231+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
23232 } else {
23233- pages[0] = virt_to_page(addr);
23234+ pages[0] = virt_to_page(vaddr);
23235 WARN_ON(!PageReserved(pages[0]));
23236- pages[1] = virt_to_page(addr + PAGE_SIZE);
23237+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
23238 }
23239 BUG_ON(!pages[0]);
23240- local_irq_save(flags);
23241- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
23242- if (pages[1])
23243- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
23244- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
23245- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
23246- clear_fixmap(FIX_TEXT_POKE0);
23247- if (pages[1])
23248- clear_fixmap(FIX_TEXT_POKE1);
23249- local_flush_tlb();
23250- sync_core();
23251- /* Could also do a CLFLUSH here to speed up CPU recovery; but
23252- that causes hangs on some VIA CPUs. */
23253+ text_poke_early(addr, opcode, len);
23254 for (i = 0; i < len; i++)
23255- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
23256- local_irq_restore(flags);
23257+ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
23258 return addr;
23259 }
23260
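Review bot: After this change `pages[1]` is assigned in both branches but never read, and `pages[0]` survives only for `WARN_ON(!PageReserved(pages[0]))` and `BUG_ON(!pages[0])`, because the fixmap mapping that consumed both entries is replaced by `text_poke_early(addr, opcode, len)`. The two `vaddr + PAGE_SIZE` lookups can be dropped and the array reduced to `struct page *page;`. A comment should also record that the write now goes through the `ktla_ktva()` alias while `text_poke_early()` holds the kernel open, and that the read-back `BUG_ON` loop runs after `text_poke_early()` has restored interrupts, whereas the removed code verified before `local_irq_restore(flags)`. The comment block above text_poke() is outside the hunk and may still describe the fixmap approach.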
23261@@ -766,7 +804,7 @@ int poke_int3_handler(struct pt_regs *regs)
23262 */
23263 void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler)
23264 {
23265- unsigned char int3 = 0xcc;
23266+ const unsigned char int3 = 0xcc;
23267
23268 bp_int3_handler = handler;
23269 bp_int3_addr = (u8 *)addr + sizeof(int3);
23270diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
23271index cde732c..6365ac2 100644
23272--- a/arch/x86/kernel/apic/apic.c
23273+++ b/arch/x86/kernel/apic/apic.c
23274@@ -171,7 +171,7 @@ int first_system_vector = FIRST_SYSTEM_VECTOR;
23275 /*
23276 * Debug level, exported for io_apic.c
23277 */
23278-unsigned int apic_verbosity;
23279+int apic_verbosity;
23280
23281 int pic_mode;
23282
23283@@ -1857,7 +1857,7 @@ static inline void __smp_error_interrupt(struct pt_regs *regs)
23284 apic_write(APIC_ESR, 0);
23285 v = apic_read(APIC_ESR);
23286 ack_APIC_irq();
23287- atomic_inc(&irq_err_count);
23288+ atomic_inc_unchecked(&irq_err_count);
23289
23290 apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x",
23291 smp_processor_id(), v);
23292diff --git a/arch/x86/kernel/apic/apic_flat_64.c b/arch/x86/kernel/apic/apic_flat_64.c
23293index de918c4..32eed23 100644
23294--- a/arch/x86/kernel/apic/apic_flat_64.c
23295+++ b/arch/x86/kernel/apic/apic_flat_64.c
23296@@ -154,7 +154,7 @@ static int flat_probe(void)
23297 return 1;
23298 }
23299
23300-static struct apic apic_flat = {
23301+static struct apic apic_flat __read_only = {
23302 .name = "flat",
23303 .probe = flat_probe,
23304 .acpi_madt_oem_check = flat_acpi_madt_oem_check,
23305@@ -260,7 +260,7 @@ static int physflat_probe(void)
23306 return 0;
23307 }
23308
23309-static struct apic apic_physflat = {
23310+static struct apic apic_physflat __read_only = {
23311
23312 .name = "physical flat",
23313 .probe = physflat_probe,
23314diff --git a/arch/x86/kernel/apic/apic_noop.c b/arch/x86/kernel/apic/apic_noop.c
23315index b205cdb..d8503ff 100644
23316--- a/arch/x86/kernel/apic/apic_noop.c
23317+++ b/arch/x86/kernel/apic/apic_noop.c
23318@@ -108,7 +108,7 @@ static void noop_apic_write(u32 reg, u32 v)
23319 WARN_ON_ONCE(cpu_has_apic && !disable_apic);
23320 }
23321
23322-struct apic apic_noop = {
23323+struct apic apic_noop __read_only = {
23324 .name = "noop",
23325 .probe = noop_probe,
23326 .acpi_madt_oem_check = NULL,
23327diff --git a/arch/x86/kernel/apic/bigsmp_32.c b/arch/x86/kernel/apic/bigsmp_32.c
23328index c4a8d63..fe893ac 100644
23329--- a/arch/x86/kernel/apic/bigsmp_32.c
23330+++ b/arch/x86/kernel/apic/bigsmp_32.c
23331@@ -147,7 +147,7 @@ static int probe_bigsmp(void)
23332 return dmi_bigsmp;
23333 }
23334
23335-static struct apic apic_bigsmp = {
23336+static struct apic apic_bigsmp __read_only = {
23337
23338 .name = "bigsmp",
23339 .probe = probe_bigsmp,
23340diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
23341index 206052e..621dfb4 100644
23342--- a/arch/x86/kernel/apic/io_apic.c
23343+++ b/arch/x86/kernel/apic/io_apic.c
23344@@ -1682,7 +1682,7 @@ static unsigned int startup_ioapic_irq(struct irq_data *data)
23345 return was_pending;
23346 }
23347
23348-atomic_t irq_mis_count;
23349+atomic_unchecked_t irq_mis_count;
23350
23351 #ifdef CONFIG_GENERIC_PENDING_IRQ
23352 static bool io_apic_level_ack_pending(struct mp_chip_data *data)
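Review bot: `irq_mis_count` becomes `atomic_unchecked_t` with no comment on why this counter is exempt from overflow checking. Presumably it is a pure statistic whose wraparound is harmless, as with the `atomic_inc_unchecked(&irq_err_count)` change in apic.c and the increment in `ioapic_ack_level()` in the next hunk, but a reader cannot tell that from the definition. I would add `/* statistics only: wraparound is harmless, so exempt from overflow detection */` above it. Any `extern` declaration and every reader of the counter lie outside this hunk and have to use the `_unchecked` type and accessors as well.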
23353@@ -1821,7 +1821,7 @@ static void ioapic_ack_level(struct irq_data *irq_data)
23354 * at the cpu.
23355 */
23356 if (!(v & (1 << (i & 0x1f)))) {
23357- atomic_inc(&irq_mis_count);
23358+ atomic_inc_unchecked(&irq_mis_count);
23359 eoi_ioapic_pin(cfg->vector, irq_data->chip_data);
23360 }
23361
23362@@ -1867,7 +1867,7 @@ static int ioapic_set_affinity(struct irq_data *irq_data,
23363 return ret;
23364 }
23365
23366-static struct irq_chip ioapic_chip __read_mostly = {
23367+static struct irq_chip ioapic_chip = {
23368 .name = "IO-APIC",
23369 .irq_startup = startup_ioapic_irq,
23370 .irq_mask = mask_ioapic_irq,
23371@@ -1936,7 +1936,7 @@ static void ack_lapic_irq(struct irq_data *data)
23372 ack_APIC_irq();
23373 }
23374
23375-static struct irq_chip lapic_chip __read_mostly = {
23376+static struct irq_chip lapic_chip = {
23377 .name = "local-APIC",
23378 .irq_mask = mask_lapic_irq,
23379 .irq_unmask = unmask_lapic_irq,
23380diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c
23381index 1a9d735..c58b5c5 100644
23382--- a/arch/x86/kernel/apic/msi.c
23383+++ b/arch/x86/kernel/apic/msi.c
23384@@ -267,7 +267,7 @@ static void hpet_msi_write_msg(struct irq_data *data, struct msi_msg *msg)
23385 hpet_msi_write(data->handler_data, msg);
23386 }
23387
23388-static struct irq_chip hpet_msi_controller = {
23389+static irq_chip_no_const hpet_msi_controller __read_only = {
23390 .name = "HPET-MSI",
23391 .irq_unmask = hpet_msi_unmask,
23392 .irq_mask = hpet_msi_mask,
23393diff --git a/arch/x86/kernel/apic/probe_32.c b/arch/x86/kernel/apic/probe_32.c
23394index bda4886..f9c7195 100644
23395--- a/arch/x86/kernel/apic/probe_32.c
23396+++ b/arch/x86/kernel/apic/probe_32.c
23397@@ -72,7 +72,7 @@ static int probe_default(void)
23398 return 1;
23399 }
23400
23401-static struct apic apic_default = {
23402+static struct apic apic_default __read_only = {
23403
23404 .name = "default",
23405 .probe = probe_default,
23406diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
23407index 2683f36..0bdc74c 100644
23408--- a/arch/x86/kernel/apic/vector.c
23409+++ b/arch/x86/kernel/apic/vector.c
23410@@ -36,7 +36,7 @@ static struct irq_chip lapic_controller;
23411 static struct apic_chip_data *legacy_irq_data[NR_IRQS_LEGACY];
23412 #endif
23413
23414-void lock_vector_lock(void)
23415+void lock_vector_lock(void) __acquires(vector_lock)
23416 {
23417 /* Used to the online set of cpus does not change
23418 * during assign_irq_vector.
23419@@ -44,7 +44,7 @@ void lock_vector_lock(void)
23420 raw_spin_lock(&vector_lock);
23421 }
23422
23423-void unlock_vector_lock(void)
23424+void unlock_vector_lock(void) __releases(vector_lock)
23425 {
23426 raw_spin_unlock(&vector_lock);
23427 }
23428diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c
23429index ab3219b..e8033eb 100644
23430--- a/arch/x86/kernel/apic/x2apic_cluster.c
23431+++ b/arch/x86/kernel/apic/x2apic_cluster.c
23432@@ -182,7 +182,7 @@ update_clusterinfo(struct notifier_block *nfb, unsigned long action, void *hcpu)
23433 return notifier_from_errno(err);
23434 }
23435
23436-static struct notifier_block __refdata x2apic_cpu_notifier = {
23437+static struct notifier_block x2apic_cpu_notifier = {
23438 .notifier_call = update_clusterinfo,
23439 };
23440
23441@@ -234,7 +234,7 @@ static void cluster_vector_allocation_domain(int cpu, struct cpumask *retmask,
23442 cpumask_and(retmask, mask, per_cpu(cpus_in_cluster, cpu));
23443 }
23444
23445-static struct apic apic_x2apic_cluster = {
23446+static struct apic apic_x2apic_cluster __read_only = {
23447
23448 .name = "cluster x2apic",
23449 .probe = x2apic_cluster_probe,
23450diff --git a/arch/x86/kernel/apic/x2apic_phys.c b/arch/x86/kernel/apic/x2apic_phys.c
23451index 3ffd925..8c0f5a8 100644
23452--- a/arch/x86/kernel/apic/x2apic_phys.c
23453+++ b/arch/x86/kernel/apic/x2apic_phys.c
23454@@ -90,7 +90,7 @@ static int x2apic_phys_probe(void)
23455 return apic == &apic_x2apic_phys;
23456 }
23457
23458-static struct apic apic_x2apic_phys = {
23459+static struct apic apic_x2apic_phys __read_only = {
23460
23461 .name = "physical x2apic",
23462 .probe = x2apic_phys_probe,
23463diff --git a/arch/x86/kernel/apic/x2apic_uv_x.c b/arch/x86/kernel/apic/x2apic_uv_x.c
23464index c8d9295..9af2d03 100644
23465--- a/arch/x86/kernel/apic/x2apic_uv_x.c
23466+++ b/arch/x86/kernel/apic/x2apic_uv_x.c
23467@@ -375,7 +375,7 @@ static int uv_probe(void)
23468 return apic == &apic_x2apic_uv_x;
23469 }
23470
23471-static struct apic __refdata apic_x2apic_uv_x = {
23472+static struct apic apic_x2apic_uv_x __read_only = {
23473
23474 .name = "UV large system",
23475 .probe = uv_probe,
23476diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c
23477index 927ec92..de68f32 100644
23478--- a/arch/x86/kernel/apm_32.c
23479+++ b/arch/x86/kernel/apm_32.c
23480@@ -432,7 +432,7 @@ static DEFINE_MUTEX(apm_mutex);
23481 * This is for buggy BIOS's that refer to (real mode) segment 0x40
23482 * even though they are called in protected mode.
23483 */
23484-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
23485+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
23486 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
23487
23488 static const char driver_version[] = "1.16ac"; /* no spaces */
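Review bot: The descriptor flags change from `0x4092` to `0x4093` without a comment, and the only difference is bit 0 of the access byte, the Accessed flag. Presumably it is pre-set so that the CPU never has to write that bit back when the segment is loaded, which matters once the GDT is write-protected and `bad_bios_desc` is itself `const`; the hunk does not say so. I would add `/* 0x4093 = 0x4092 | Accessed: pre-set so loading the segment never writes to the GDT */` above the definition.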
23489@@ -610,7 +610,10 @@ static long __apm_bios_call(void *_call)
23490 BUG_ON(cpu != 0);
23491 gdt = get_cpu_gdt_table(cpu);
23492 save_desc_40 = gdt[0x40 / 8];
23493+
23494+ pax_open_kernel();
23495 gdt[0x40 / 8] = bad_bios_desc;
23496+ pax_close_kernel();
23497
23498 apm_irq_save(flags);
23499 APM_DO_SAVE_SEGS;
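Review bot: The open/store/close sequence around `gdt[0x40 / 8]` is written out four times, here and in the next hunk of `__apm_bios_call()` and in both hunks of `__apm_bios_call_simple()`. A small static helper that takes the GDT pointer and the descriptor to install would leave one place where kernel write protection is lifted for this slot, with call sites reading `apm_set_desc_40(gdt, &bad_bios_desc);` and `apm_set_desc_40(gdt, &save_desc_40);` (the name is a suggestion). That keeps each open paired with its close if a later edit adds an early return between them. Both functions begin and end outside these hunks.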
23500@@ -619,7 +622,11 @@ static long __apm_bios_call(void *_call)
23501 &call->esi);
23502 APM_DO_RESTORE_SEGS;
23503 apm_irq_restore(flags);
23504+
23505+ pax_open_kernel();
23506 gdt[0x40 / 8] = save_desc_40;
23507+ pax_close_kernel();
23508+
23509 put_cpu();
23510
23511 return call->eax & 0xff;
23512@@ -686,7 +693,10 @@ static long __apm_bios_call_simple(void *_call)
23513 BUG_ON(cpu != 0);
23514 gdt = get_cpu_gdt_table(cpu);
23515 save_desc_40 = gdt[0x40 / 8];
23516+
23517+ pax_open_kernel();
23518 gdt[0x40 / 8] = bad_bios_desc;
23519+ pax_close_kernel();
23520
23521 apm_irq_save(flags);
23522 APM_DO_SAVE_SEGS;
23523@@ -694,7 +704,11 @@ static long __apm_bios_call_simple(void *_call)
23524 &call->eax);
23525 APM_DO_RESTORE_SEGS;
23526 apm_irq_restore(flags);
23527+
23528+ pax_open_kernel();
23529 gdt[0x40 / 8] = save_desc_40;
23530+ pax_close_kernel();
23531+
23532 put_cpu();
23533 return error;
23534 }
23535@@ -2039,7 +2053,7 @@ static int __init swab_apm_power_in_minutes(const struct dmi_system_id *d)
23536 return 0;
23537 }
23538
23539-static struct dmi_system_id __initdata apm_dmi_table[] = {
23540+static const struct dmi_system_id __initconst apm_dmi_table[] = {
23541 {
23542 print_if_true,
23543 KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
23544@@ -2349,12 +2363,15 @@ static int __init apm_init(void)
23545 * code to that CPU.
23546 */
23547 gdt = get_cpu_gdt_table(0);
23548+
23549+ pax_open_kernel();
23550 set_desc_base(&gdt[APM_CS >> 3],
23551 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
23552 set_desc_base(&gdt[APM_CS_16 >> 3],
23553 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
23554 set_desc_base(&gdt[APM_DS >> 3],
23555 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
23556+ pax_close_kernel();
23557
23558 proc_create("apm", 0, NULL, &apm_file_ops);
23559
23560diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c
23561index 8e3d22a1..37118b6 100644
23562--- a/arch/x86/kernel/asm-offsets.c
23563+++ b/arch/x86/kernel/asm-offsets.c
23564@@ -32,6 +32,8 @@ void common(void) {
23565 OFFSET(TI_flags, thread_info, flags);
23566 OFFSET(TI_status, thread_info, status);
23567 OFFSET(TI_addr_limit, thread_info, addr_limit);
23568+ OFFSET(TI_lowest_stack, thread_info, lowest_stack);
23569+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
23570
23571 BLANK();
23572 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
23573@@ -73,8 +75,26 @@ void common(void) {
23574 #endif
23575 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
23576 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
23577+
23578+#ifdef CONFIG_PAX_KERNEXEC
23579+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
23580 #endif
23581
23582+#ifdef CONFIG_PAX_MEMORY_UDEREF
23583+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
23584+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
23585+#ifdef CONFIG_X86_64
23586+ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
23587+#endif
23588+#endif
23589+
23590+#endif
23591+
23592+ BLANK();
23593+ DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
23594+ DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
23595+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
23596+
23597 #ifdef CONFIG_XEN
23598 BLANK();
23599 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
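Review bot: The `#endif` lines around the added KERNEXEC and UDEREF blocks carry no labels, and the patch changes which conditional each one closes. The pre-existing `#endif` now ends `CONFIG_PAX_KERNEXEC`, while the added bare `#endif` after the UDEREF block ends the outer conditional that was opened above this hunk. Labelling them, e.g. `#endif /* CONFIG_PAX_KERNEXEC */` and `#endif /* CONFIG_PAX_MEMORY_UDEREF */`, would make the nesting checkable by eye. The outer `#ifdef` is outside the hunk, so its name has to be taken from the file.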
23600diff --git a/arch/x86/kernel/asm-offsets_64.c b/arch/x86/kernel/asm-offsets_64.c
23601index d8f42f9..a46f1fc 100644
23602--- a/arch/x86/kernel/asm-offsets_64.c
23603+++ b/arch/x86/kernel/asm-offsets_64.c
23604@@ -59,6 +59,7 @@ int main(void)
23605 BLANK();
23606 #undef ENTRY
23607
23608+ DEFINE(TSS_size, sizeof(struct tss_struct));
23609 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
23610 OFFSET(TSS_sp0, tss_struct, x86_tss.sp0);
23611 BLANK();
23612diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
23613index 9bff687..5b899fb 100644
23614--- a/arch/x86/kernel/cpu/Makefile
23615+++ b/arch/x86/kernel/cpu/Makefile
23616@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
23617 CFLAGS_REMOVE_perf_event.o = -pg
23618 endif
23619
23620-# Make sure load_percpu_segment has no stackprotector
23621-nostackp := $(call cc-option, -fno-stack-protector)
23622-CFLAGS_common.o := $(nostackp)
23623-
23624 obj-y := intel_cacheinfo.o scattered.o topology.o
23625 obj-y += common.o
23626 obj-y += rdrand.o
23627diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
23628index dd3a4ba..06672af 100644
23629--- a/arch/x86/kernel/cpu/amd.c
23630+++ b/arch/x86/kernel/cpu/amd.c
23631@@ -750,7 +750,7 @@ static void init_amd(struct cpuinfo_x86 *c)
23632 static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size)
23633 {
23634 /* AMD errata T13 (order #21922) */
23635- if ((c->x86 == 6)) {
23636+ if (c->x86 == 6) {
23637 /* Duron Rev A0 */
23638 if (c->x86_model == 3 && c->x86_mask == 0)
23639 size = 64;
23640diff --git a/arch/x86/kernel/cpu/bugs_64.c b/arch/x86/kernel/cpu/bugs_64.c
23641index 04f0fe5..3c0598c 100644
23642--- a/arch/x86/kernel/cpu/bugs_64.c
23643+++ b/arch/x86/kernel/cpu/bugs_64.c
23644@@ -10,6 +10,7 @@
23645 #include <asm/processor.h>
23646 #include <asm/mtrr.h>
23647 #include <asm/cacheflush.h>
23648+#include <asm/sections.h>
23649
23650 void __init check_bugs(void)
23651 {
23652@@ -18,6 +19,7 @@ void __init check_bugs(void)
23653 printk(KERN_INFO "CPU: ");
23654 print_cpu_info(&boot_cpu_data);
23655 #endif
23656+ set_memory_nx((unsigned long)_sinitdata, (__START_KERNEL_map + KERNEL_IMAGE_SIZE - (unsigned long)_sinitdata) >> PAGE_SHIFT);
23657 alternative_instructions();
23658
23659 /*
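Review bot: The added `set_memory_nx()` call in check_bugs() discards its return value, so a failure to mark the range starting at `_sinitdata` non-executable would go unnoticed at boot. Checking it, e.g. `if (set_memory_nx(start, npages)) pr_warn("failed to mark init data NX\n");` with the start address and page count computed into locals first, would surface the failure and shorten the line. A one-line comment saying why the range ends at `__START_KERNEL_map + KERNEL_IMAGE_SIZE` would also help, since the reason is not visible in this hunk.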
23660diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
23661index cb9e5df..0d25636 100644
23662--- a/arch/x86/kernel/cpu/common.c
23663+++ b/arch/x86/kernel/cpu/common.c
23664@@ -91,60 +91,6 @@ static const struct cpu_dev default_cpu = {
23665
23666 static const struct cpu_dev *this_cpu = &default_cpu;
23667
23668-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
23669-#ifdef CONFIG_X86_64
23670- /*
23671- * We need valid kernel segments for data and code in long mode too
23672- * IRET will check the segment types kkeil 2000/10/28
23673- * Also sysret mandates a special GDT layout
23674- *
23675- * TLS descriptors are currently at a different place compared to i386.
23676- * Hopefully nobody expects them at a fixed place (Wine?)
23677- */
23678- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
23679- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
23680- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
23681- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
23682- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
23683- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
23684-#else
23685- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
23686- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23687- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
23688- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
23689- /*
23690- * Segments used for calling PnP BIOS have byte granularity.
23691- * They code segments and data segments have fixed 64k limits,
23692- * the transfer segment sizes are set at run time.
23693- */
23694- /* 32-bit code */
23695- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
23696- /* 16-bit code */
23697- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
23698- /* 16-bit data */
23699- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
23700- /* 16-bit data */
23701- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
23702- /* 16-bit data */
23703- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
23704- /*
23705- * The APM segments have byte granularity and their bases
23706- * are set at run time. All have 64k limits.
23707- */
23708- /* 32-bit code */
23709- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
23710- /* 16-bit code */
23711- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
23712- /* data */
23713- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
23714-
23715- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23716- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23717- GDT_STACK_CANARY_INIT
23718-#endif
23719-} };
23720-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
23721-
23722 static int __init x86_mpx_setup(char *s)
23723 {
23724 /* require an exact match without trailing characters */
23725@@ -287,6 +233,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
23726 }
23727 }
23728
23729+#ifdef CONFIG_PAX_MEMORY_UDEREF
23730+#ifdef CONFIG_X86_64
23731+static bool uderef_enabled __read_only = true;
23732+unsigned long pax_user_shadow_base __read_only;
23733+EXPORT_SYMBOL(pax_user_shadow_base);
23734+extern char pax_enter_kernel_user[];
23735+extern char pax_exit_kernel_user[];
23736+
23737+static int __init setup_pax_weakuderef(char *str)
23738+{
23739+ if (uderef_enabled)
23740+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23741+ return 1;
23742+}
23743+__setup("pax_weakuderef", setup_pax_weakuderef);
23744+#endif
23745+
23746+static int __init setup_pax_nouderef(char *str)
23747+{
23748+#ifdef CONFIG_X86_32
23749+ unsigned int cpu;
23750+ struct desc_struct *gdt;
23751+
23752+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
23753+ gdt = get_cpu_gdt_table(cpu);
23754+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
23755+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
23756+ gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
23757+ gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
23758+ }
23759+ loadsegment(ds, __KERNEL_DS);
23760+ loadsegment(es, __KERNEL_DS);
23761+ loadsegment(ss, __KERNEL_DS);
23762+#else
23763+ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
23764+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
23765+ clone_pgd_mask = ~(pgdval_t)0UL;
23766+ pax_user_shadow_base = 0UL;
23767+ setup_clear_cpu_cap(X86_FEATURE_PCIDUDEREF);
23768+ uderef_enabled = false;
23769+#endif
23770+
23771+ return 0;
23772+}
23773+early_param("pax_nouderef", setup_pax_nouderef);
23774+#endif
23775+
23776+#ifdef CONFIG_X86_64
23777+static __init int setup_disable_pcid(char *arg)
23778+{
23779+ setup_clear_cpu_cap(X86_FEATURE_PCID);
23780+ setup_clear_cpu_cap(X86_FEATURE_INVPCID);
23781+
23782+#ifdef CONFIG_PAX_MEMORY_UDEREF
23783+ if (uderef_enabled)
23784+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23785+#endif
23786+
23787+ return 1;
23788+}
23789+__setup("nopcid", setup_disable_pcid);
23790+
23791+static void setup_pcid(struct cpuinfo_x86 *c)
23792+{
23793+ if (cpu_has(c, X86_FEATURE_PCID)) {
23794+ printk("PAX: PCID detected\n");
23795+ cr4_set_bits(X86_CR4_PCIDE);
23796+ } else
23797+ clear_cpu_cap(c, X86_FEATURE_INVPCID);
23798+
23799+ if (cpu_has(c, X86_FEATURE_INVPCID))
23800+ printk("PAX: INVPCID detected\n");
23801+
23802+#ifdef CONFIG_PAX_MEMORY_UDEREF
23803+ if (!uderef_enabled) {
23804+ printk("PAX: UDEREF disabled\n");
23805+ return;
23806+ }
23807+
23808+ if (!cpu_has(c, X86_FEATURE_PCID)) {
23809+ pax_open_kernel();
23810+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23811+ pax_close_kernel();
23812+ printk("PAX: slow and weak UDEREF enabled\n");
23813+ return;
23814+ }
23815+
23816+ set_cpu_cap(c, X86_FEATURE_PCIDUDEREF);
23817+
23818+ pax_open_kernel();
23819+ clone_pgd_mask = ~(pgdval_t)0UL;
23820+ pax_close_kernel();
23821+ if (pax_user_shadow_base)
23822+ printk("PAX: weak UDEREF enabled\n");
23823+ else {
23824+ set_cpu_cap(c, X86_FEATURE_STRONGUDEREF);
23825+ printk("PAX: strong UDEREF enabled\n");
23826+ }
23827+#endif
23828+
23829+}
23830+#endif
23831+
23832 /*
23833 * Some CPU features depend on higher CPUID levels, which may not always
23834 * be available due to CPUID level capping or broken virtualization
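Review bot: The `printk()` calls added in setup_pcid() (`"PAX: PCID detected\n"`, `"PAX: UDEREF disabled\n"` and the weak/strong UDEREF messages) carry no log level, so they are emitted at the default level rather than one chosen for them. These lines are what an operator reads in the boot log to confirm which UDEREF mode is active, so `pr_info("PAX: strong UDEREF enabled\n");` and the like would be more dependable. setup_pcid() is called from identify_cpu() in a later hunk, so the messages presumably repeat per CPU. Separately, the `0xc3` byte copied over `pax_enter_kernel_user` and `pax_exit_kernel_user` in setup_pax_nouderef() deserves a comment saying it is a `ret` opcode that makes both routines return immediately.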
23835@@ -387,7 +436,7 @@ void switch_to_new_gdt(int cpu)
23836 {
23837 struct desc_ptr gdt_descr;
23838
23839- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
23840+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
23841 gdt_descr.size = GDT_SIZE - 1;
23842 load_gdt(&gdt_descr);
23843 /* Reload the per-cpu base */
23844@@ -918,6 +967,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
23845 setup_smep(c);
23846 setup_smap(c);
23847
23848+#ifdef CONFIG_X86_32
23849+#ifdef CONFIG_PAX_PAGEEXEC
23850+ if (!(__supported_pte_mask & _PAGE_NX))
23851+ clear_cpu_cap(c, X86_FEATURE_PSE);
23852+#endif
23853+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
23854+ clear_cpu_cap(c, X86_FEATURE_SEP);
23855+#endif
23856+#endif
23857+
23858+#ifdef CONFIG_X86_64
23859+ setup_pcid(c);
23860+#endif
23861+
23862 /*
23863 * The vendor-specific functions might have changed features.
23864 * Now we do "generic changes."
23865@@ -992,7 +1055,7 @@ void enable_sep_cpu(void)
23866 int cpu;
23867
23868 cpu = get_cpu();
23869- tss = &per_cpu(cpu_tss, cpu);
23870+ tss = cpu_tss + cpu;
23871
23872 if (!boot_cpu_has(X86_FEATURE_SEP))
23873 goto out;
23874@@ -1138,10 +1201,12 @@ static __init int setup_disablecpuid(char *arg)
23875 }
23876 __setup("clearcpuid=", setup_disablecpuid);
23877
23878+DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
23879+EXPORT_PER_CPU_SYMBOL(current_tinfo);
23880+
23881 #ifdef CONFIG_X86_64
23882-struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
23883-struct desc_ptr debug_idt_descr = { NR_VECTORS * 16 - 1,
23884- (unsigned long) debug_idt_table };
23885+struct desc_ptr idt_descr __read_only = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
23886+const struct desc_ptr debug_idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) debug_idt_table };
23887
23888 DEFINE_PER_CPU_FIRST(union irq_stack_union,
23889 irq_stack_union) __aligned(PAGE_SIZE) __visible;
23890@@ -1253,21 +1318,21 @@ EXPORT_PER_CPU_SYMBOL(current_task);
23891 DEFINE_PER_CPU(int, __preempt_count) = INIT_PREEMPT_COUNT;
23892 EXPORT_PER_CPU_SYMBOL(__preempt_count);
23893
23894+#ifdef CONFIG_CC_STACKPROTECTOR
23895+DEFINE_PER_CPU_ALIGNED(struct stack_canary, stack_canary);
23896+#endif
23897+
23898+#endif /* CONFIG_X86_64 */
23899+
23900 /*
23901 * On x86_32, vm86 modifies tss.sp0, so sp0 isn't a reliable way to find
23902 * the top of the kernel stack. Use an extra percpu variable to track the
23903 * top of the kernel stack directly.
23904 */
23905 DEFINE_PER_CPU(unsigned long, cpu_current_top_of_stack) =
23906- (unsigned long)&init_thread_union + THREAD_SIZE;
23907+ (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
23908 EXPORT_PER_CPU_SYMBOL(cpu_current_top_of_stack);
23909
23910-#ifdef CONFIG_CC_STACKPROTECTOR
23911-DEFINE_PER_CPU_ALIGNED(struct stack_canary, stack_canary);
23912-#endif
23913-
23914-#endif /* CONFIG_X86_64 */
23915-
23916 /*
23917 * Clear all 6 debug registers:
23918 */
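Review bot: The `- 16` added to the initial value of `cpu_current_top_of_stack` is an unexplained constant, and the comment directly above still describes the variable as tracking the top of the kernel stack. A short comment, or a named constant shared with whatever other code reserves those bytes, would keep the two in step, e.g. `/* 16 bytes at the top of the stack are reserved, see <place where they are used> */`. The reason for the reservation is not visible in this hunk.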
23919@@ -1343,7 +1408,7 @@ void cpu_init(void)
23920 */
23921 load_ucode_ap();
23922
23923- t = &per_cpu(cpu_tss, cpu);
23924+ t = cpu_tss + cpu;
23925 oist = &per_cpu(orig_ist, cpu);
23926
23927 #ifdef CONFIG_NUMA
23928@@ -1375,7 +1440,6 @@ void cpu_init(void)
23929 wrmsrl(MSR_KERNEL_GS_BASE, 0);
23930 barrier();
23931
23932- x86_configure_nx();
23933 x2apic_setup();
23934
23935 /*
23936@@ -1427,7 +1491,7 @@ void cpu_init(void)
23937 {
23938 int cpu = smp_processor_id();
23939 struct task_struct *curr = current;
23940- struct tss_struct *t = &per_cpu(cpu_tss, cpu);
23941+ struct tss_struct *t = cpu_tss + cpu;
23942 struct thread_struct *thread = &curr->thread;
23943
23944 wait_for_master_cpu(cpu);
23945diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
23946index be4febc..f7af533 100644
23947--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
23948+++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
23949@@ -519,25 +519,23 @@ cache_private_attrs_is_visible(struct kobject *kobj,
23950 return 0;
23951 }
23952
23953+static struct attribute *amd_l3_attrs[4];
23954+
23955 static struct attribute_group cache_private_group = {
23956 .is_visible = cache_private_attrs_is_visible,
23957+ .attrs = amd_l3_attrs,
23958 };
23959
23960 static void init_amd_l3_attrs(void)
23961 {
23962 int n = 1;
23963- static struct attribute **amd_l3_attrs;
23964-
23965- if (amd_l3_attrs) /* already initialized */
23966- return;
23967
23968 if (amd_nb_has_feature(AMD_NB_L3_INDEX_DISABLE))
23969 n += 2;
23970 if (amd_nb_has_feature(AMD_NB_L3_PARTITIONING))
23971 n += 1;
23972
23973- amd_l3_attrs = kcalloc(n, sizeof(*amd_l3_attrs), GFP_KERNEL);
23974- if (!amd_l3_attrs)
23975+ if (n > 1 && amd_l3_attrs[0]) /* already initialized */
23976 return;
23977
23978 n = 0;
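Review bot: With `amd_l3_attrs` now a zero-initialised static array, the counting pass before `if (n > 1 && amd_l3_attrs[0])` no longer sizes anything. The `n > 1` test also looks redundant, because slot 0 appears to be filled only when one of the two features is present. `if (amd_l3_attrs[0]) return;` placed first, with the two `n +=` statements dropped, would express the same check. The literal `4` in `amd_l3_attrs[4]` is three possible attributes plus the NULL terminator; a comment saying so would stop the array being outgrown when an attribute is added. init_amd_l3_attrs() continues past the end of this hunk.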
23979@@ -547,8 +545,6 @@ static void init_amd_l3_attrs(void)
23980 }
23981 if (amd_nb_has_feature(AMD_NB_L3_PARTITIONING))
23982 amd_l3_attrs[n++] = &dev_attr_subcaches.attr;
23983-
23984- cache_private_group.attrs = amd_l3_attrs;
23985 }
23986
23987 const struct attribute_group *
23988@@ -559,7 +555,7 @@ cache_get_priv_group(struct cacheinfo *this_leaf)
23989 if (this_leaf->level < 3 || !nb)
23990 return NULL;
23991
23992- if (nb && nb->l3_cache.indices)
23993+ if (nb->l3_cache.indices)
23994 init_amd_l3_attrs();
23995
23996 return &cache_private_group;
23997diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
23998index df919ff..3332bf7 100644
23999--- a/arch/x86/kernel/cpu/mcheck/mce.c
24000+++ b/arch/x86/kernel/cpu/mcheck/mce.c
24001@@ -47,6 +47,7 @@
24002 #include <asm/tlbflush.h>
24003 #include <asm/mce.h>
24004 #include <asm/msr.h>
24005+#include <asm/local.h>
24006
24007 #include "mce-internal.h"
24008
24009@@ -259,7 +260,7 @@ static void print_mce(struct mce *m)
24010 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
24011 m->cs, m->ip);
24012
24013- if (m->cs == __KERNEL_CS)
24014+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
24015 print_symbol("{%s}", m->ip);
24016 pr_cont("\n");
24017 }
24018@@ -292,10 +293,10 @@ static void print_mce(struct mce *m)
24019
24020 #define PANIC_TIMEOUT 5 /* 5 seconds */
24021
24022-static atomic_t mce_panicked;
24023+static atomic_unchecked_t mce_panicked;
24024
24025 static int fake_panic;
24026-static atomic_t mce_fake_panicked;
24027+static atomic_unchecked_t mce_fake_panicked;
24028
24029 /* Panic in progress. Enable interrupts and wait for final IPI */
24030 static void wait_for_panic(void)
24031@@ -319,7 +320,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24032 /*
24033 * Make sure only one CPU runs in machine check panic
24034 */
24035- if (atomic_inc_return(&mce_panicked) > 1)
24036+ if (atomic_inc_return_unchecked(&mce_panicked) > 1)
24037 wait_for_panic();
24038 barrier();
24039
24040@@ -327,7 +328,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24041 console_verbose();
24042 } else {
24043 /* Don't log too much for fake panic */
24044- if (atomic_inc_return(&mce_fake_panicked) > 1)
24045+ if (atomic_inc_return_unchecked(&mce_fake_panicked) > 1)
24046 return;
24047 }
24048 /* First print corrected ones that are still unlogged */
24049@@ -366,7 +367,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24050 if (!fake_panic) {
24051 if (panic_timeout == 0)
24052 panic_timeout = mca_cfg.panic_timeout;
24053- panic(msg);
24054+ panic("%s", msg);
24055 } else
24056 pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg);
24057 }
24058@@ -752,7 +753,7 @@ static int mce_timed_out(u64 *t, const char *msg)
24059 * might have been modified by someone else.
24060 */
24061 rmb();
24062- if (atomic_read(&mce_panicked))
24063+ if (atomic_read_unchecked(&mce_panicked))
24064 wait_for_panic();
24065 if (!mca_cfg.monarch_timeout)
24066 goto out;
24067@@ -1708,7 +1709,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
24068 }
24069
24070 /* Call the installed machine check handler for this CPU setup. */
24071-void (*machine_check_vector)(struct pt_regs *, long error_code) =
24072+void (*machine_check_vector)(struct pt_regs *, long error_code) __read_only =
24073 unexpected_machine_check;
24074
24075 /*
24076@@ -1731,7 +1732,9 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c)
24077 return;
24078 }
24079
24080+ pax_open_kernel();
24081 machine_check_vector = do_machine_check;
24082+ pax_close_kernel();
24083
24084 __mcheck_cpu_init_generic();
24085 __mcheck_cpu_init_vendor(c);
24086@@ -1745,7 +1748,7 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c)
24087 */
24088
24089 static DEFINE_SPINLOCK(mce_chrdev_state_lock);
24090-static int mce_chrdev_open_count; /* #times opened */
24091+static local_t mce_chrdev_open_count; /* #times opened */
24092 static int mce_chrdev_open_exclu; /* already open exclusive? */
24093
24094 static int mce_chrdev_open(struct inode *inode, struct file *file)
24095@@ -1753,7 +1756,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
24096 spin_lock(&mce_chrdev_state_lock);
24097
24098 if (mce_chrdev_open_exclu ||
24099- (mce_chrdev_open_count && (file->f_flags & O_EXCL))) {
24100+ (local_read(&mce_chrdev_open_count) && (file->f_flags & O_EXCL))) {
24101 spin_unlock(&mce_chrdev_state_lock);
24102
24103 return -EBUSY;
24104@@ -1761,7 +1764,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
24105
24106 if (file->f_flags & O_EXCL)
24107 mce_chrdev_open_exclu = 1;
24108- mce_chrdev_open_count++;
24109+ local_inc(&mce_chrdev_open_count);
24110
24111 spin_unlock(&mce_chrdev_state_lock);
24112
24113@@ -1772,7 +1775,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
24114 {
24115 spin_lock(&mce_chrdev_state_lock);
24116
24117- mce_chrdev_open_count--;
24118+ local_dec(&mce_chrdev_open_count);
24119 mce_chrdev_open_exclu = 0;
24120
24121 spin_unlock(&mce_chrdev_state_lock);
24122@@ -2448,7 +2451,7 @@ static __init void mce_init_banks(void)
24123
24124 for (i = 0; i < mca_cfg.banks; i++) {
24125 struct mce_bank *b = &mce_banks[i];
24126- struct device_attribute *a = &b->attr;
24127+ device_attribute_no_const *a = &b->attr;
24128
24129 sysfs_attr_init(&a->attr);
24130 a->attr.name = b->attrname;
24131@@ -2555,7 +2558,7 @@ struct dentry *mce_get_debugfs_dir(void)
24132 static void mce_reset(void)
24133 {
24134 cpu_missing = 0;
24135- atomic_set(&mce_fake_panicked, 0);
24136+ atomic_set_unchecked(&mce_fake_panicked, 0);
24137 atomic_set(&mce_executing, 0);
24138 atomic_set(&mce_callin, 0);
24139 atomic_set(&global_nwo, 0);
24140diff --git a/arch/x86/kernel/cpu/mcheck/p5.c b/arch/x86/kernel/cpu/mcheck/p5.c
24141index 737b0ad..09ec66e 100644
24142--- a/arch/x86/kernel/cpu/mcheck/p5.c
24143+++ b/arch/x86/kernel/cpu/mcheck/p5.c
24144@@ -12,6 +12,7 @@
24145 #include <asm/tlbflush.h>
24146 #include <asm/mce.h>
24147 #include <asm/msr.h>
24148+#include <asm/pgtable.h>
24149
24150 /* By default disabled */
24151 int mce_p5_enabled __read_mostly;
24152@@ -55,7 +56,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
24153 if (!cpu_has(c, X86_FEATURE_MCE))
24154 return;
24155
24156+ pax_open_kernel();
24157 machine_check_vector = pentium_machine_check;
24158+ pax_close_kernel();
24159 /* Make sure the vector pointer is visible before we enable MCEs: */
24160 wmb();
24161
24162diff --git a/arch/x86/kernel/cpu/mcheck/winchip.c b/arch/x86/kernel/cpu/mcheck/winchip.c
24163index 44f1382..315b292 100644
24164--- a/arch/x86/kernel/cpu/mcheck/winchip.c
24165+++ b/arch/x86/kernel/cpu/mcheck/winchip.c
24166@@ -11,6 +11,7 @@
24167 #include <asm/tlbflush.h>
24168 #include <asm/mce.h>
24169 #include <asm/msr.h>
24170+#include <asm/pgtable.h>
24171
24172 /* Machine check handler for WinChip C6: */
24173 static void winchip_machine_check(struct pt_regs *regs, long error_code)
24174@@ -28,7 +29,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c)
24175 {
24176 u32 lo, hi;
24177
24178+ pax_open_kernel();
24179 machine_check_vector = winchip_machine_check;
24180+ pax_close_kernel();
24181 /* Make sure the vector pointer is visible before we enable MCEs: */
24182 wmb();
24183
24184diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
24185index 6236a54..532026d 100644
24186--- a/arch/x86/kernel/cpu/microcode/core.c
24187+++ b/arch/x86/kernel/cpu/microcode/core.c
24188@@ -460,7 +460,7 @@ mc_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu)
24189 return NOTIFY_OK;
24190 }
24191
24192-static struct notifier_block __refdata mc_cpu_notifier = {
24193+static struct notifier_block mc_cpu_notifier = {
24194 .notifier_call = mc_cpu_callback,
24195 };
24196
24197diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
24198index 969dc17..a9c3fdd 100644
24199--- a/arch/x86/kernel/cpu/microcode/intel.c
24200+++ b/arch/x86/kernel/cpu/microcode/intel.c
24201@@ -237,13 +237,13 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
24202
24203 static int get_ucode_user(void *to, const void *from, size_t n)
24204 {
24205- return copy_from_user(to, from, n);
24206+ return copy_from_user(to, (const void __force_user *)from, n);
24207 }
24208
24209 static enum ucode_state
24210 request_microcode_user(int cpu, const void __user *buf, size_t size)
24211 {
24212- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
24213+ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
24214 }
24215
24216 static void microcode_fini_cpu(int cpu)
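Review bot: The two casts added here cancel each other out, and nothing in either function says that `from` is really a user-space address. request_microcode_user() relabels the `__user` buffer with `__force_kernel`, and get_ucode_user() relabels it back with `__force_user` before `copy_from_user()`. A comment on get_ucode_user() such as `/* 'from' is a user pointer carried through generic_load_microcode()'s untyped argument */` would record that the pairing is intentional, so a later caller does not hand this callback a kernel pointer. How generic_load_microcode() treats the pointer in between is outside this hunk.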
24217diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
24218index e7ed0d8..57a2ab9 100644
24219--- a/arch/x86/kernel/cpu/mtrr/main.c
24220+++ b/arch/x86/kernel/cpu/mtrr/main.c
24221@@ -72,7 +72,7 @@ static DEFINE_MUTEX(mtrr_mutex);
24222 u64 size_or_mask, size_and_mask;
24223 static bool mtrr_aps_delayed_init;
24224
24225-static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
24226+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
24227
24228 const struct mtrr_ops *mtrr_if;
24229
24230diff --git a/arch/x86/kernel/cpu/mtrr/mtrr.h b/arch/x86/kernel/cpu/mtrr/mtrr.h
24231index 951884d..4796b75 100644
24232--- a/arch/x86/kernel/cpu/mtrr/mtrr.h
24233+++ b/arch/x86/kernel/cpu/mtrr/mtrr.h
24234@@ -25,7 +25,7 @@ struct mtrr_ops {
24235 int (*validate_add_page)(unsigned long base, unsigned long size,
24236 unsigned int type);
24237 int (*have_wrcomb)(void);
24238-};
24239+} __do_const;
24240
24241 extern int generic_get_free_region(unsigned long base, unsigned long size,
24242 int replace_reg);
24243diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
24244index 9469dfa..2b026bc 100644
24245--- a/arch/x86/kernel/cpu/perf_event.c
24246+++ b/arch/x86/kernel/cpu/perf_event.c
24247@@ -1518,7 +1518,7 @@ static void __init pmu_check_apic(void)
24248
24249 }
24250
24251-static struct attribute_group x86_pmu_format_group = {
24252+static attribute_group_no_const x86_pmu_format_group = {
24253 .name = "format",
24254 .attrs = NULL,
24255 };
24256@@ -1617,7 +1617,7 @@ static struct attribute *events_attr[] = {
24257 NULL,
24258 };
24259
24260-static struct attribute_group x86_pmu_events_group = {
24261+static attribute_group_no_const x86_pmu_events_group = {
24262 .name = "events",
24263 .attrs = events_attr,
24264 };
24265@@ -2176,7 +2176,7 @@ valid_user_frame(const void __user *fp, unsigned long size)
24266 static unsigned long get_segment_base(unsigned int segment)
24267 {
24268 struct desc_struct *desc;
24269- int idx = segment >> 3;
24270+ unsigned int idx = segment >> 3;
24271
24272 if ((segment & SEGMENT_TI_MASK) == SEGMENT_LDT) {
24273 struct ldt_struct *ldt;
24274@@ -2194,7 +2194,7 @@ static unsigned long get_segment_base(unsigned int segment)
24275 if (idx > GDT_ENTRIES)
24276 return 0;
24277
24278- desc = raw_cpu_ptr(gdt_page.gdt) + idx;
24279+ desc = get_cpu_gdt_table(smp_processor_id()) + idx;
24280 }
24281
24282 return get_desc_base(desc);
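Review bot: The bound check kept as context just above the changed line, `if (idx > GDT_ENTRIES)`, still lets `idx == GDT_ENTRIES` through, so `get_cpu_gdt_table(smp_processor_id()) + idx` can point one descriptor past the end of the table. Since the patch already touches both `idx` and this line, the test should become `if (idx >= GDT_ENTRIES)`. The replacement also swaps `raw_cpu_ptr()` for `smp_processor_id()`, which assumes the caller cannot be preempted. That cannot be confirmed here because get_segment_base() starts outside the hunk.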
24283@@ -2284,7 +2284,7 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
24284 break;
24285
24286 perf_callchain_store(entry, frame.return_address);
24287- fp = frame.next_frame;
24288+ fp = (const void __force_user *)frame.next_frame;
24289 }
24290 }
24291
24292diff --git a/arch/x86/kernel/cpu/perf_event_amd_iommu.c b/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24293index 97242a9..cf9c30e 100644
24294--- a/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24295+++ b/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24296@@ -402,7 +402,7 @@ static void perf_iommu_del(struct perf_event *event, int flags)
24297 static __init int _init_events_attrs(struct perf_amd_iommu *perf_iommu)
24298 {
24299 struct attribute **attrs;
24300- struct attribute_group *attr_group;
24301+ attribute_group_no_const *attr_group;
24302 int i = 0, j;
24303
24304 while (amd_iommu_v2_event_descs[i].attr.attr.name)
24305diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
24306index 6326ae2..f092747 100644
24307--- a/arch/x86/kernel/cpu/perf_event_intel.c
24308+++ b/arch/x86/kernel/cpu/perf_event_intel.c
24309@@ -3016,10 +3016,10 @@ __init int intel_pmu_init(void)
24310 x86_pmu.num_counters_fixed = max((int)edx.split.num_counters_fixed, 3);
24311
24312 if (boot_cpu_has(X86_FEATURE_PDCM)) {
24313- u64 capabilities;
24314+ u64 capabilities = x86_pmu.intel_cap.capabilities;
24315
24316- rdmsrl(MSR_IA32_PERF_CAPABILITIES, capabilities);
24317- x86_pmu.intel_cap.capabilities = capabilities;
24318+ if (rdmsrl_safe(MSR_IA32_PERF_CAPABILITIES, &x86_pmu.intel_cap.capabilities))
24319+ x86_pmu.intel_cap.capabilities = capabilities;
24320 }
24321
24322 intel_ds_init();
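Review bot: The fallback in intel_pmu_init() is roundabout: it copies the old `intel_cap.capabilities`, lets `rdmsrl_safe()` write straight into the live field, and restores the copy if the read faults. Reading into the local and publishing it only on success is shorter and never leaves a failed read's value in the field: `u64 capabilities;` followed by `if (!rdmsrl_safe(MSR_IA32_PERF_CAPABILITIES, &capabilities)) x86_pmu.intel_cap.capabilities = capabilities;`. The resulting value is the same in both outcomes.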
24323diff --git a/arch/x86/kernel/cpu/perf_event_intel_bts.c b/arch/x86/kernel/cpu/perf_event_intel_bts.c
24324index 43dd672..78c0562 100644
24325--- a/arch/x86/kernel/cpu/perf_event_intel_bts.c
24326+++ b/arch/x86/kernel/cpu/perf_event_intel_bts.c
24327@@ -252,7 +252,7 @@ static void bts_event_start(struct perf_event *event, int flags)
24328 __bts_event_start(event);
24329
24330 /* PMI handler: this counter is running and likely generating PMIs */
24331- ACCESS_ONCE(bts->started) = 1;
24332+ ACCESS_ONCE_RW(bts->started) = 1;
24333 }
24334
24335 static void __bts_event_stop(struct perf_event *event)
24336@@ -266,7 +266,7 @@ static void __bts_event_stop(struct perf_event *event)
24337 if (event->hw.state & PERF_HES_STOPPED)
24338 return;
24339
24340- ACCESS_ONCE(event->hw.state) |= PERF_HES_STOPPED;
24341+ ACCESS_ONCE_RW(event->hw.state) |= PERF_HES_STOPPED;
24342 }
24343
24344 static void bts_event_stop(struct perf_event *event, int flags)
24345@@ -274,7 +274,7 @@ static void bts_event_stop(struct perf_event *event, int flags)
24346 struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
24347
24348 /* PMI handler: don't restart this counter */
24349- ACCESS_ONCE(bts->started) = 0;
24350+ ACCESS_ONCE_RW(bts->started) = 0;
24351
24352 __bts_event_stop(event);
24353
24354diff --git a/arch/x86/kernel/cpu/perf_event_intel_cqm.c b/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24355index 377e8f8..2982f48 100644
24356--- a/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24357+++ b/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24358@@ -1364,7 +1364,9 @@ static int __init intel_cqm_init(void)
24359 goto out;
24360 }
24361
24362- event_attr_intel_cqm_llc_scale.event_str = str;
24363+ pax_open_kernel();
24364+ *(const char **)&event_attr_intel_cqm_llc_scale.event_str = str;
24365+ pax_close_kernel();
24366
24367 ret = intel_cqm_setup_rmid_cache();
24368 if (ret)
24369diff --git a/arch/x86/kernel/cpu/perf_event_intel_pt.c b/arch/x86/kernel/cpu/perf_event_intel_pt.c
24370index 183de71..bd34d52 100644
24371--- a/arch/x86/kernel/cpu/perf_event_intel_pt.c
24372+++ b/arch/x86/kernel/cpu/perf_event_intel_pt.c
24373@@ -116,16 +116,12 @@ static const struct attribute_group *pt_attr_groups[] = {
24374
24375 static int __init pt_pmu_hw_init(void)
24376 {
24377- struct dev_ext_attribute *de_attrs;
24378- struct attribute **attrs;
24379- size_t size;
24380- int ret;
24381+ static struct dev_ext_attribute de_attrs[ARRAY_SIZE(pt_caps)];
24382+ static struct attribute *attrs[ARRAY_SIZE(pt_caps)];
24383 long i;
24384
24385- attrs = NULL;
24386- ret = -ENODEV;
24387 if (!test_cpu_cap(&boot_cpu_data, X86_FEATURE_INTEL_PT))
24388- goto fail;
24389+ return -ENODEV;
24390
24391 for (i = 0; i < PT_CPUID_LEAVES; i++) {
24392 cpuid_count(20, i,
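Review bot: `static struct attribute *attrs[ARRAY_SIZE(pt_caps)];` has no slot for the terminating NULL. The removed code allocated `ARRAY_SIZE(pt_caps)+1` entries, the loop in the next hunk fills every element of the new array, and the array is then installed as `pt_cap_group.attrs`, which sysfs walks until it reaches a NULL entry. The declaration should be `static struct attribute *attrs[ARRAY_SIZE(pt_caps) + 1];` so the last element stays zero. `de_attrs` needs no extra element because it is only indexed, never walked. pt_pmu_hw_init() continues in the next hunk.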
24393@@ -135,39 +131,25 @@ static int __init pt_pmu_hw_init(void)
24394 &pt_pmu.caps[CR_EDX + i*4]);
24395 }
24396
24397- ret = -ENOMEM;
24398- size = sizeof(struct attribute *) * (ARRAY_SIZE(pt_caps)+1);
24399- attrs = kzalloc(size, GFP_KERNEL);
24400- if (!attrs)
24401- goto fail;
24402-
24403- size = sizeof(struct dev_ext_attribute) * (ARRAY_SIZE(pt_caps)+1);
24404- de_attrs = kzalloc(size, GFP_KERNEL);
24405- if (!de_attrs)
24406- goto fail;
24407-
24408+ pax_open_kernel();
24409 for (i = 0; i < ARRAY_SIZE(pt_caps); i++) {
24410- struct dev_ext_attribute *de_attr = de_attrs + i;
24411+ struct dev_ext_attribute *de_attr = &de_attrs[i];
24412
24413- de_attr->attr.attr.name = pt_caps[i].name;
24414+ *(const char **)&de_attr->attr.attr.name = pt_caps[i].name;
24415
24416 sysfs_attr_init(&de_attr->attr.attr);
24417
24418- de_attr->attr.attr.mode = S_IRUGO;
24419- de_attr->attr.show = pt_cap_show;
24420- de_attr->var = (void *)i;
24421+ *(umode_t *)&de_attr->attr.attr.mode = S_IRUGO;
24422+ *(void **)&de_attr->attr.show = pt_cap_show;
24423+ *(void **)&de_attr->var = (void *)i;
24424
24425 attrs[i] = &de_attr->attr.attr;
24426 }
24427
24428- pt_cap_group.attrs = attrs;
24429+ *(struct attribute ***)&pt_cap_group.attrs = attrs;
24430+ pax_close_kernel();
24431
24432 return 0;
24433-
24434-fail:
24435- kfree(attrs);
24436-
24437- return ret;
24438 }
24439
24440 #define PT_CONFIG_MASK (RTIT_CTL_TSC_EN | RTIT_CTL_DISRETC)
24441@@ -929,7 +911,7 @@ static void pt_event_start(struct perf_event *event, int mode)
24442 return;
24443 }
24444
24445- ACCESS_ONCE(pt->handle_nmi) = 1;
24446+ ACCESS_ONCE_RW(pt->handle_nmi) = 1;
24447 event->hw.state = 0;
24448
24449 pt_config_buffer(buf->cur->table, buf->cur_idx,
24450@@ -946,7 +928,7 @@ static void pt_event_stop(struct perf_event *event, int mode)
24451 * Protect against the PMI racing with disabling wrmsr,
24452 * see comment in intel_pt_interrupt().
24453 */
24454- ACCESS_ONCE(pt->handle_nmi) = 0;
24455+ ACCESS_ONCE_RW(pt->handle_nmi) = 0;
24456 pt_config_start(false);
24457
24458 if (event->hw.state == PERF_HES_STOPPED)
24459diff --git a/arch/x86/kernel/cpu/perf_event_intel_rapl.c b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
24460index 5cbd4e6..ee9388a 100644
24461--- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
24462+++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
24463@@ -486,7 +486,7 @@ static struct attribute *rapl_events_hsw_attr[] = {
24464 NULL,
24465 };
24466
24467-static struct attribute_group rapl_pmu_events_group = {
24468+static attribute_group_no_const rapl_pmu_events_group __read_only = {
24469 .name = "events",
24470 .attrs = NULL, /* patched at runtime */
24471 };
24472diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
24473index 21b5e38..84f1f82 100644
24474--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
24475+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
24476@@ -731,7 +731,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
24477 static int __init uncore_type_init(struct intel_uncore_type *type)
24478 {
24479 struct intel_uncore_pmu *pmus;
24480- struct attribute_group *attr_group;
24481+ attribute_group_no_const *attr_group;
24482 struct attribute **attrs;
24483 int i, j;
24484
24485diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.h b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
24486index 0f77f0a..d3c6b7d 100644
24487--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.h
24488+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
24489@@ -115,7 +115,7 @@ struct intel_uncore_box {
24490 struct uncore_event_desc {
24491 struct kobj_attribute attr;
24492 const char *config;
24493-};
24494+} __do_const;
24495
24496 ssize_t uncore_event_show(struct kobject *kobj,
24497 struct kobj_attribute *attr, char *buf);
24498diff --git a/arch/x86/kernel/cpuid.c b/arch/x86/kernel/cpuid.c
24499index 83741a7..bd3507d 100644
24500--- a/arch/x86/kernel/cpuid.c
24501+++ b/arch/x86/kernel/cpuid.c
24502@@ -170,7 +170,7 @@ static int cpuid_class_cpu_callback(struct notifier_block *nfb,
24503 return notifier_from_errno(err);
24504 }
24505
24506-static struct notifier_block __refdata cpuid_class_cpu_notifier =
24507+static struct notifier_block cpuid_class_cpu_notifier =
24508 {
24509 .notifier_call = cpuid_class_cpu_callback,
24510 };
24511diff --git a/arch/x86/kernel/crash_dump_64.c b/arch/x86/kernel/crash_dump_64.c
24512index afa64ad..dce67dd 100644
24513--- a/arch/x86/kernel/crash_dump_64.c
24514+++ b/arch/x86/kernel/crash_dump_64.c
24515@@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf,
24516 return -ENOMEM;
24517
24518 if (userbuf) {
24519- if (copy_to_user(buf, vaddr + offset, csize)) {
24520+ if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) {
24521 iounmap(vaddr);
24522 return -EFAULT;
24523 }
24524diff --git a/arch/x86/kernel/doublefault.c b/arch/x86/kernel/doublefault.c
24525index f6dfd93..892ade4 100644
24526--- a/arch/x86/kernel/doublefault.c
24527+++ b/arch/x86/kernel/doublefault.c
24528@@ -12,7 +12,7 @@
24529
24530 #define DOUBLEFAULT_STACKSIZE (1024)
24531 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
24532-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
24533+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
24534
24535 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
24536
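Review bot: The `-2` added to `STACK_START` is an unexplained magic number. `doublefault_stack` is an array of `unsigned long`, so the initial stack pointer now sits two words below the end of the array, but nothing in the hunk says why two words are reserved. A one-line comment above the define would help, for example `/* keep the top two words of doublefault_stack unused: <reason> */`, with the reason supplied by the author.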
24537@@ -22,7 +22,7 @@ static void doublefault_fn(void)
24538 unsigned long gdt, tss;
24539
24540 native_store_gdt(&gdt_desc);
24541- gdt = gdt_desc.address;
24542+ gdt = (unsigned long)gdt_desc.address;
24543
24544 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
24545
24546@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cacheline_aligned = {
24547 /* 0x2 bit is always set */
24548 .flags = X86_EFLAGS_SF | 0x2,
24549 .sp = STACK_START,
24550- .es = __USER_DS,
24551+ .es = __KERNEL_DS,
24552 .cs = __KERNEL_CS,
24553 .ss = __KERNEL_DS,
24554- .ds = __USER_DS,
24555+ .ds = __KERNEL_DS,
24556 .fs = __KERNEL_PERCPU,
24557
24558 .__cr3 = __pa_nodebug(swapper_pg_dir),
24559diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
24560index 9c30acf..8cf2411 100644
24561--- a/arch/x86/kernel/dumpstack.c
24562+++ b/arch/x86/kernel/dumpstack.c
24563@@ -2,6 +2,9 @@
24564 * Copyright (C) 1991, 1992 Linus Torvalds
24565 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
24566 */
24567+#ifdef CONFIG_GRKERNSEC_HIDESYM
24568+#define __INCLUDED_BY_HIDESYM 1
24569+#endif
24570 #include <linux/kallsyms.h>
24571 #include <linux/kprobes.h>
24572 #include <linux/uaccess.h>
24573@@ -35,23 +38,21 @@ static void printk_stack_address(unsigned long address, int reliable,
24574
24575 void printk_address(unsigned long address)
24576 {
24577- pr_cont(" [<%p>] %pS\n", (void *)address, (void *)address);
24578+ pr_cont(" [<%p>] %pA\n", (void *)address, (void *)address);
24579 }
24580
24581 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
24582 static void
24583 print_ftrace_graph_addr(unsigned long addr, void *data,
24584 const struct stacktrace_ops *ops,
24585- struct thread_info *tinfo, int *graph)
24586+ struct task_struct *task, int *graph)
24587 {
24588- struct task_struct *task;
24589 unsigned long ret_addr;
24590 int index;
24591
24592 if (addr != (unsigned long)return_to_handler)
24593 return;
24594
24595- task = tinfo->task;
24596 index = task->curr_ret_stack;
24597
24598 if (!task->ret_stack || index < *graph)
24599@@ -68,7 +69,7 @@ print_ftrace_graph_addr(unsigned long addr, void *data,
24600 static inline void
24601 print_ftrace_graph_addr(unsigned long addr, void *data,
24602 const struct stacktrace_ops *ops,
24603- struct thread_info *tinfo, int *graph)
24604+ struct task_struct *task, int *graph)
24605 { }
24606 #endif
24607
24608@@ -79,10 +80,8 @@ print_ftrace_graph_addr(unsigned long addr, void *data,
24609 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
24610 */
24611
24612-static inline int valid_stack_ptr(struct thread_info *tinfo,
24613- void *p, unsigned int size, void *end)
24614+static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
24615 {
24616- void *t = tinfo;
24617 if (end) {
24618 if (p < end && p >= (end-THREAD_SIZE))
24619 return 1;
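Review bot: The new first parameter of `valid_stack_ptr` is an untyped `void *t`, where the old `struct thread_info *tinfo` at least named what was expected. Every caller visible in this patch passes a variable called `stack_start`, so I would use that name in the signature too: `static inline int valid_stack_ptr(void *stack_start, void *p, unsigned int size, void *end)`. The rest of the body lies outside the hunk and would need the same rename where it uses `t`. A short comment that the argument must be the lowest address of the stack being walked would also help, since the compiler can no longer catch a wrong pointer here.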
24620@@ -93,14 +92,14 @@ static inline int valid_stack_ptr(struct thread_info *tinfo,
24621 }
24622
24623 unsigned long
24624-print_context_stack(struct thread_info *tinfo,
24625+print_context_stack(struct task_struct *task, void *stack_start,
24626 unsigned long *stack, unsigned long bp,
24627 const struct stacktrace_ops *ops, void *data,
24628 unsigned long *end, int *graph)
24629 {
24630 struct stack_frame *frame = (struct stack_frame *)bp;
24631
24632- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
24633+ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
24634 unsigned long addr;
24635
24636 addr = *stack;
24637@@ -112,7 +111,7 @@ print_context_stack(struct thread_info *tinfo,
24638 } else {
24639 ops->address(data, addr, 0);
24640 }
24641- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
24642+ print_ftrace_graph_addr(addr, data, ops, task, graph);
24643 }
24644 stack++;
24645 }
24646@@ -121,7 +120,7 @@ print_context_stack(struct thread_info *tinfo,
24647 EXPORT_SYMBOL_GPL(print_context_stack);
24648
24649 unsigned long
24650-print_context_stack_bp(struct thread_info *tinfo,
24651+print_context_stack_bp(struct task_struct *task, void *stack_start,
24652 unsigned long *stack, unsigned long bp,
24653 const struct stacktrace_ops *ops, void *data,
24654 unsigned long *end, int *graph)
24655@@ -129,7 +128,7 @@ print_context_stack_bp(struct thread_info *tinfo,
24656 struct stack_frame *frame = (struct stack_frame *)bp;
24657 unsigned long *ret_addr = &frame->return_address;
24658
24659- while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
24660+ while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
24661 unsigned long addr = *ret_addr;
24662
24663 if (!__kernel_text_address(addr))
24664@@ -138,7 +137,7 @@ print_context_stack_bp(struct thread_info *tinfo,
24665 ops->address(data, addr, 1);
24666 frame = frame->next_frame;
24667 ret_addr = &frame->return_address;
24668- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
24669+ print_ftrace_graph_addr(addr, data, ops, task, graph);
24670 }
24671
24672 return (unsigned long)frame;
24673@@ -226,6 +225,8 @@ unsigned long oops_begin(void)
24674 EXPORT_SYMBOL_GPL(oops_begin);
24675 NOKPROBE_SYMBOL(oops_begin);
24676
24677+extern void gr_handle_kernel_exploit(void);
24678+
24679 void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
24680 {
24681 if (regs && kexec_should_crash(current))
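Review bot: The prototype `extern void gr_handle_kernel_exploit(void);` is declared locally in dumpstack.c, just above `oops_end`. A local extern is not checked against the definition, so a later signature change would compile silently and fail at run time in the oops path. I would move the declaration into a header included by both the definition and this file. The body of `oops_end` continues outside this hunk.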
24682@@ -247,7 +248,10 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
24683 panic("Fatal exception in interrupt");
24684 if (panic_on_oops)
24685 panic("Fatal exception");
24686- do_exit(signr);
24687+
24688+ gr_handle_kernel_exploit();
24689+
24690+ do_group_exit(signr);
24691 }
24692 NOKPROBE_SYMBOL(oops_end);
24693
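Review bot: Replacing `do_exit(signr)` with `do_group_exit(signr)` at the end of `oops_end` changes what an oops terminates, and the change is undocumented. Going by the function names, a non-fatal oops would now end the whole thread group rather than only the faulting task, after `gr_handle_kernel_exploit()` has run. That is a deliberate hardening choice that maintainers will want spelled out. I would add a comment above the call such as `/* an oops is treated as a possible exploit attempt: let the policy hook react, then kill every thread sharing the address space */`, adjusted to what the hook actually does, since its body is not visible here.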
24694diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
24695index 464ffd6..01f2cda 100644
24696--- a/arch/x86/kernel/dumpstack_32.c
24697+++ b/arch/x86/kernel/dumpstack_32.c
24698@@ -61,15 +61,14 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24699 bp = stack_frame(task, regs);
24700
24701 for (;;) {
24702- struct thread_info *context;
24703+ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
24704 void *end_stack;
24705
24706 end_stack = is_hardirq_stack(stack, cpu);
24707 if (!end_stack)
24708 end_stack = is_softirq_stack(stack, cpu);
24709
24710- context = task_thread_info(task);
24711- bp = ops->walk_stack(context, stack, bp, ops, data,
24712+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data,
24713 end_stack, &graph);
24714
24715 /* Stop if not on irq stack */
24716@@ -137,16 +136,17 @@ void show_regs(struct pt_regs *regs)
24717 unsigned int code_len = code_bytes;
24718 unsigned char c;
24719 u8 *ip;
24720+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]);
24721
24722 pr_emerg("Stack:\n");
24723 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
24724
24725 pr_emerg("Code:");
24726
24727- ip = (u8 *)regs->ip - code_prologue;
24728+ ip = (u8 *)regs->ip - code_prologue + cs_base;
24729 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
24730 /* try starting at IP */
24731- ip = (u8 *)regs->ip;
24732+ ip = (u8 *)regs->ip + cs_base;
24733 code_len = code_len - code_prologue + 1;
24734 }
24735 for (i = 0; i < code_len; i++, ip++) {
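Review bot: The new `cs_base` initialiser indexes `get_cpu_gdt_table(0)` with `(0xffff & regs->cs) >> 3` without validating the selector, and it always uses CPU 0's table. If `regs->cs` could ever carry an LDT selector or an index beyond the GDT, this would read past the table while already handling a fault. The declaration sits among locals whose enclosing block starts outside the hunk. If that block is only entered for kernel-mode `regs`, a comment should say so, e.g. `/* regs->cs is a kernel GDT selector here; its base is the same on every CPU */`. Otherwise the index should be range-checked before the lookup.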
24736@@ -155,7 +155,7 @@ void show_regs(struct pt_regs *regs)
24737 pr_cont(" Bad EIP value.");
24738 break;
24739 }
24740- if (ip == (u8 *)regs->ip)
24741+ if (ip == (u8 *)regs->ip + cs_base)
24742 pr_cont(" <%02x>", c);
24743 else
24744 pr_cont(" %02x", c);
24745@@ -168,6 +168,7 @@ int is_valid_bugaddr(unsigned long ip)
24746 {
24747 unsigned short ud2;
24748
24749+ ip = ktla_ktva(ip);
24750 if (ip < PAGE_OFFSET)
24751 return 0;
24752 if (probe_kernel_address((unsigned short *)ip, ud2))
24753@@ -175,3 +176,15 @@ int is_valid_bugaddr(unsigned long ip)
24754
24755 return ud2 == 0x0b0f;
24756 }
24757+
24758+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
24759+void __used pax_check_alloca(unsigned long size)
24760+{
24761+ unsigned long sp = (unsigned long)&sp, stack_left;
24762+
24763+ /* all kernel stacks are of the same size */
24764+ stack_left = sp & (THREAD_SIZE - 1);
24765+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
24766+}
24767+EXPORT_SYMBOL(pax_check_alloca);
24768+#endif
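Review bot: `pax_check_alloca` hard-codes its safety margin as a bare `256`, twice in one expression here and in three further copies of the same `BUG_ON` in the dumpstack_64.c version added later in this patch. A named constant, for example `#define PAX_ALLOCA_RESERVE 256` (suggested name), would keep the four sites in step. The function also lacks a header comment stating its contract. I would document that it derives the remaining stack from `sp & (THREAD_SIZE - 1)`, which relies on stacks being aligned to their size, and that it stops the kernel with `BUG_ON` rather than returning an error when fewer than 256 bytes would remain.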
24769diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
24770index 5f1c626..1cba97e 100644
24771--- a/arch/x86/kernel/dumpstack_64.c
24772+++ b/arch/x86/kernel/dumpstack_64.c
24773@@ -153,12 +153,12 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24774 const struct stacktrace_ops *ops, void *data)
24775 {
24776 const unsigned cpu = get_cpu();
24777- struct thread_info *tinfo;
24778 unsigned long *irq_stack = (unsigned long *)per_cpu(irq_stack_ptr, cpu);
24779 unsigned long dummy;
24780 unsigned used = 0;
24781 int graph = 0;
24782 int done = 0;
24783+ void *stack_start;
24784
24785 if (!task)
24786 task = current;
24787@@ -179,7 +179,6 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24788 * current stack address. If the stacks consist of nested
24789 * exceptions
24790 */
24791- tinfo = task_thread_info(task);
24792 while (!done) {
24793 unsigned long *stack_end;
24794 enum stack_type stype;
24795@@ -202,7 +201,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24796 if (ops->stack(data, id) < 0)
24797 break;
24798
24799- bp = ops->walk_stack(tinfo, stack, bp, ops,
24800+ bp = ops->walk_stack(task, stack_end - EXCEPTION_STKSZ, stack, bp, ops,
24801 data, stack_end, &graph);
24802 ops->stack(data, "<EOE>");
24803 /*
24804@@ -210,6 +209,8 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24805 * second-to-last pointer (index -2 to end) in the
24806 * exception stack:
24807 */
24808+ if ((u16)stack_end[-1] != __KERNEL_DS)
24809+ goto out;
24810 stack = (unsigned long *) stack_end[-2];
24811 done = 0;
24812 break;
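Review bot: The added test `if ((u16)stack_end[-1] != __KERNEL_DS) goto out;` has no comment, and the existing comment above it only describes the `stack_end[-2]` slot. As written, the walk ends silently when the last word of the exception stack does not hold the kernel data selector, so the reader of a truncated trace gets no hint why it stopped. I would extend the comment with something like `/* the last slot is the saved SS; if it is not __KERNEL_DS the frame was not entered from kernel mode and the saved stack pointer must not be followed */`, assuming that is the intent. `dump_trace` starts and ends outside this hunk.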
24813@@ -218,7 +219,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24814
24815 if (ops->stack(data, "IRQ") < 0)
24816 break;
24817- bp = ops->walk_stack(tinfo, stack, bp,
24818+ bp = ops->walk_stack(task, irq_stack, stack, bp,
24819 ops, data, stack_end, &graph);
24820 /*
24821 * We link to the next stack (which would be
24822@@ -240,7 +241,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24823 /*
24824 * This handles the process stack:
24825 */
24826- bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
24827+ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
24828+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
24829+out:
24830 put_cpu();
24831 }
24832 EXPORT_SYMBOL(dump_trace);
24833@@ -347,8 +350,55 @@ int is_valid_bugaddr(unsigned long ip)
24834 {
24835 unsigned short ud2;
24836
24837- if (__copy_from_user(&ud2, (const void __user *) ip, sizeof(ud2)))
24838+ if (probe_kernel_address((unsigned short *)ip, ud2))
24839 return 0;
24840
24841 return ud2 == 0x0b0f;
24842 }
24843+
24844+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
24845+void __used pax_check_alloca(unsigned long size)
24846+{
24847+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
24848+ unsigned cpu, used;
24849+ char *id;
24850+
24851+ /* check the process stack first */
24852+ stack_start = (unsigned long)task_stack_page(current);
24853+ stack_end = stack_start + THREAD_SIZE;
24854+ if (likely(stack_start <= sp && sp < stack_end)) {
24855+ unsigned long stack_left = sp & (THREAD_SIZE - 1);
24856+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
24857+ return;
24858+ }
24859+
24860+ cpu = get_cpu();
24861+
24862+ /* check the irq stacks */
24863+ stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu);
24864+ stack_start = stack_end - IRQ_STACK_SIZE;
24865+ if (stack_start <= sp && sp < stack_end) {
24866+ unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1);
24867+ put_cpu();
24868+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
24869+ return;
24870+ }
24871+
24872+ /* check the exception stacks */
24873+ used = 0;
24874+ stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id);
24875+ stack_start = stack_end - EXCEPTION_STKSZ;
24876+ if (stack_end && stack_start <= sp && sp < stack_end) {
24877+ unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1);
24878+ put_cpu();
24879+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
24880+ return;
24881+ }
24882+
24883+ put_cpu();
24884+
24885+ /* unknown stack */
24886+ BUG();
24887+}
24888+EXPORT_SYMBOL(pax_check_alloca);
24889+#endif
24890diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c
24891index a102564..d1f0b73 100644
24892--- a/arch/x86/kernel/e820.c
24893+++ b/arch/x86/kernel/e820.c
24894@@ -803,8 +803,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void)
24895
24896 static void early_panic(char *msg)
24897 {
24898- early_printk(msg);
24899- panic(msg);
24900+ early_printk("%s", msg);
24901+ panic("%s", msg);
24902 }
24903
24904 static int userdef __initdata;
24905diff --git a/arch/x86/kernel/early_printk.c b/arch/x86/kernel/early_printk.c
24906index eec40f5..4fee808 100644
24907--- a/arch/x86/kernel/early_printk.c
24908+++ b/arch/x86/kernel/early_printk.c
24909@@ -7,6 +7,7 @@
24910 #include <linux/pci_regs.h>
24911 #include <linux/pci_ids.h>
24912 #include <linux/errno.h>
24913+#include <linux/sched.h>
24914 #include <asm/io.h>
24915 #include <asm/processor.h>
24916 #include <asm/fcntl.h>
24917diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
24918index ce95676..da8c6ff 100644
24919--- a/arch/x86/kernel/espfix_64.c
24920+++ b/arch/x86/kernel/espfix_64.c
24921@@ -41,6 +41,7 @@
24922 #include <asm/pgalloc.h>
24923 #include <asm/setup.h>
24924 #include <asm/espfix.h>
24925+#include <asm/bug.h>
24926
24927 /*
24928 * Note: we only need 6*8 = 48 bytes for the espfix stack, but round
24929@@ -70,8 +71,10 @@ static DEFINE_MUTEX(espfix_init_mutex);
24930 #define ESPFIX_MAX_PAGES DIV_ROUND_UP(CONFIG_NR_CPUS, ESPFIX_STACKS_PER_PAGE)
24931 static void *espfix_pages[ESPFIX_MAX_PAGES];
24932
24933-static __page_aligned_bss pud_t espfix_pud_page[PTRS_PER_PUD]
24934- __aligned(PAGE_SIZE);
24935+static __page_aligned_rodata pud_t espfix_pud_page[PTRS_PER_PUD];
24936+static __page_aligned_rodata pmd_t espfix_pmd_page[PTRS_PER_PMD];
24937+static __page_aligned_rodata pte_t espfix_pte_page[PTRS_PER_PTE];
24938+static __page_aligned_rodata char espfix_stack_page[ESPFIX_MAX_PAGES][PAGE_SIZE];
24939
24940 static unsigned int page_random, slot_random;
24941
24942@@ -122,14 +125,25 @@ static void init_espfix_random(void)
24943 void __init init_espfix_bsp(void)
24944 {
24945 pgd_t *pgd_p;
24946+ pud_t *pud_p;
24947+ unsigned long addr, index = pgd_index(ESPFIX_BASE_ADDR);
24948
24949 /* Install the espfix pud into the kernel page directory */
24950- pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)];
24951- pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page);
24952+ pgd_p = &init_level4_pgt[index];
24953+ pud_p = espfix_pud_page;
24954+ paravirt_alloc_pud(&init_mm, __pa(pud_p) >> PAGE_SHIFT);
24955+ set_pgd(pgd_p, __pgd(PGTABLE_PROT | __pa(pud_p)));
24956+
24957+#ifdef CONFIG_PAX_PER_CPU_PGD
24958+ clone_pgd_range(get_cpu_pgd(0, kernel) + index, swapper_pg_dir + index, 1);
24959+ clone_pgd_range(get_cpu_pgd(0, user) + index, swapper_pg_dir + index, 1);
24960+#endif
24961
24962 /* Randomize the locations */
24963 init_espfix_random();
24964
24965+ addr = espfix_base_addr(0);
24966+
24967 /* The rest is the same as for any other processor */
24968 init_espfix_ap(0);
24969 }
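Review bot: The new local `addr` in `init_espfix_bsp` is assigned by `addr = espfix_base_addr(0);` but never read before the function ends with `init_espfix_ap(0);`. This is a dead store that will produce a set-but-unused warning and suggests a check or mapping step was dropped. Either remove `addr` from the declaration and delete the assignment, or add the use that was intended. The `index` variable declared on the same line is used and should stay.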
24970@@ -170,35 +184,39 @@ void init_espfix_ap(int cpu)
24971 pud_p = &espfix_pud_page[pud_index(addr)];
24972 pud = *pud_p;
24973 if (!pud_present(pud)) {
24974- struct page *page = alloc_pages_node(node, PGALLOC_GFP, 0);
24975-
24976- pmd_p = (pmd_t *)page_address(page);
24977+ if (cpu)
24978+ pmd_p = page_address(alloc_pages_node(node, PGALLOC_GFP, 0));
24979+ else
24980+ pmd_p = espfix_pmd_page;
24981 pud = __pud(__pa(pmd_p) | (PGTABLE_PROT & ptemask));
24982 paravirt_alloc_pmd(&init_mm, __pa(pmd_p) >> PAGE_SHIFT);
24983 for (n = 0; n < ESPFIX_PUD_CLONES; n++)
24984 set_pud(&pud_p[n], pud);
24985- }
24986+ } else
24987+ BUG_ON(!cpu);
24988
24989 pmd_p = pmd_offset(&pud, addr);
24990 pmd = *pmd_p;
24991 if (!pmd_present(pmd)) {
24992- struct page *page = alloc_pages_node(node, PGALLOC_GFP, 0);
24993-
24994- pte_p = (pte_t *)page_address(page);
24995+ if (cpu)
24996+ pte_p = page_address(alloc_pages_node(node, PGALLOC_GFP, 0));
24997+ else
24998+ pte_p = espfix_pte_page;
24999 pmd = __pmd(__pa(pte_p) | (PGTABLE_PROT & ptemask));
25000 paravirt_alloc_pte(&init_mm, __pa(pte_p) >> PAGE_SHIFT);
25001 for (n = 0; n < ESPFIX_PMD_CLONES; n++)
25002 set_pmd(&pmd_p[n], pmd);
25003- }
25004+ } else
25005+ BUG_ON(!cpu);
25006
25007 pte_p = pte_offset_kernel(&pmd, addr);
25008- stack_page = page_address(alloc_pages_node(node, GFP_KERNEL, 0));
25009+ stack_page = espfix_stack_page[page];
25010 pte = __pte(__pa(stack_page) | (__PAGE_KERNEL_RO & ptemask));
25011 for (n = 0; n < ESPFIX_PTE_CLONES; n++)
25012 set_pte(&pte_p[n*PTE_STRIDE], pte);
25013
25014 /* Job is done for this CPU and any CPU which shares this page */
25015- ACCESS_ONCE(espfix_pages[page]) = stack_page;
25016+ ACCESS_ONCE_RW(espfix_pages[page]) = stack_page;
25017
25018 unlock_done:
25019 mutex_unlock(&espfix_init_mutex);
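Review bot: The rewritten allocations `pmd_p = page_address(alloc_pages_node(node, PGALLOC_GFP, 0));` and the matching `pte_p` line pass the allocator result straight to `page_address()` and then to `__pa()`, with no check for failure. The removed code did not check either, but nesting the calls leaves no place to add one. A failed allocation would install a bogus table entry through `set_pud`/`set_pmd`. I would keep the intermediate `struct page *page = alloc_pages_node(node, PGALLOC_GFP, 0);` and add `BUG_ON(!page);` before the conversion in both branches. The function starts before this hunk and continues past it.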
25020diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
25021index d25097c..84b0d51 100644
25022--- a/arch/x86/kernel/fpu/core.c
25023+++ b/arch/x86/kernel/fpu/core.c
25024@@ -127,7 +127,7 @@ void __kernel_fpu_end(void)
25025 struct fpu *fpu = &current->thread.fpu;
25026
25027 if (fpu->fpregs_active)
25028- copy_kernel_to_fpregs(&fpu->state);
25029+ copy_kernel_to_fpregs(fpu->state);
25030 else
25031 __fpregs_deactivate_hw();
25032
25033@@ -238,7 +238,7 @@ static void fpu_copy(struct fpu *dst_fpu, struct fpu *src_fpu)
25034 * leak into the child task:
25035 */
25036 if (use_eager_fpu())
25037- memset(&dst_fpu->state.xsave, 0, xstate_size);
25038+ memset(&dst_fpu->state->xsave, 0, xstate_size);
25039
25040 /*
25041 * Save current FPU registers directly into the child
25042@@ -285,7 +285,7 @@ void fpu__activate_curr(struct fpu *fpu)
25043 WARN_ON_FPU(fpu != &current->thread.fpu);
25044
25045 if (!fpu->fpstate_active) {
25046- fpstate_init(&fpu->state);
25047+ fpstate_init(fpu->state);
25048
25049 /* Safe to do for the current task: */
25050 fpu->fpstate_active = 1;
25051@@ -311,7 +311,7 @@ void fpu__activate_fpstate_read(struct fpu *fpu)
25052 fpu__save(fpu);
25053 } else {
25054 if (!fpu->fpstate_active) {
25055- fpstate_init(&fpu->state);
25056+ fpstate_init(fpu->state);
25057
25058 /* Safe to do for current and for stopped child tasks: */
25059 fpu->fpstate_active = 1;
25060@@ -344,7 +344,7 @@ void fpu__activate_fpstate_write(struct fpu *fpu)
25061 /* Invalidate any lazy state: */
25062 fpu->last_cpu = -1;
25063 } else {
25064- fpstate_init(&fpu->state);
25065+ fpstate_init(fpu->state);
25066
25067 /* Safe to do for stopped child tasks: */
25068 fpu->fpstate_active = 1;
25069@@ -368,7 +368,7 @@ void fpu__restore(struct fpu *fpu)
25070 /* Avoid __kernel_fpu_begin() right after fpregs_activate() */
25071 kernel_fpu_disable();
25072 fpregs_activate(fpu);
25073- copy_kernel_to_fpregs(&fpu->state);
25074+ copy_kernel_to_fpregs(fpu->state);
25075 fpu->counter++;
25076 kernel_fpu_enable();
25077 }
25078@@ -442,25 +442,25 @@ void fpu__clear(struct fpu *fpu)
25079 static inline unsigned short get_fpu_cwd(struct fpu *fpu)
25080 {
25081 if (cpu_has_fxsr) {
25082- return fpu->state.fxsave.cwd;
25083+ return fpu->state->fxsave.cwd;
25084 } else {
25085- return (unsigned short)fpu->state.fsave.cwd;
25086+ return (unsigned short)fpu->state->fsave.cwd;
25087 }
25088 }
25089
25090 static inline unsigned short get_fpu_swd(struct fpu *fpu)
25091 {
25092 if (cpu_has_fxsr) {
25093- return fpu->state.fxsave.swd;
25094+ return fpu->state->fxsave.swd;
25095 } else {
25096- return (unsigned short)fpu->state.fsave.swd;
25097+ return (unsigned short)fpu->state->fsave.swd;
25098 }
25099 }
25100
25101 static inline unsigned short get_fpu_mxcsr(struct fpu *fpu)
25102 {
25103 if (cpu_has_xmm) {
25104- return fpu->state.fxsave.mxcsr;
25105+ return fpu->state->fxsave.mxcsr;
25106 } else {
25107 return MXCSR_DEFAULT;
25108 }
25109diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c
25110index d14e9ac..8ca141b 100644
25111--- a/arch/x86/kernel/fpu/init.c
25112+++ b/arch/x86/kernel/fpu/init.c
25113@@ -42,7 +42,7 @@ static void fpu__init_cpu_generic(void)
25114 /* Flush out any pending x87 state: */
25115 #ifdef CONFIG_MATH_EMULATION
25116 if (!cpu_has_fpu)
25117- fpstate_init_soft(&current->thread.fpu.state.soft);
25118+ fpstate_init_soft(&current->thread.fpu.state->soft);
25119 else
25120 #endif
25121 asm volatile ("fninit");
25122@@ -147,12 +147,14 @@ EXPORT_SYMBOL_GPL(xstate_size);
25123 #define CHECK_MEMBER_AT_END_OF(TYPE, MEMBER) \
25124 BUILD_BUG_ON(sizeof(TYPE) != offsetofend(TYPE, MEMBER))
25125
25126+union fpregs_state init_fpregs_state;
25127+
25128 /*
25129 * We append the 'struct fpu' to the task_struct:
25130 */
25131 static void __init fpu__init_task_struct_size(void)
25132 {
25133- int task_size = sizeof(struct task_struct);
25134+ size_t task_size = sizeof(struct task_struct);
25135
25136 /*
25137 * Subtract off the static size of the register state.
25138@@ -168,16 +170,12 @@ static void __init fpu__init_task_struct_size(void)
25139
25140 /*
25141 * We dynamically size 'struct fpu', so we require that
25142- * it be at the end of 'thread_struct' and that
25143- * 'thread_struct' be at the end of 'task_struct'. If
25144+ * it be at the end of 'thread_struct'. If
25145 * you hit a compile error here, check the structure to
25146 * see if something got added to the end.
25147 */
25148 CHECK_MEMBER_AT_END_OF(struct fpu, state);
25149 CHECK_MEMBER_AT_END_OF(struct thread_struct, fpu);
25150- CHECK_MEMBER_AT_END_OF(struct task_struct, thread);
25151-
25152- arch_task_struct_size = task_size;
25153 }
25154
25155 /*
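Review bot: With `arch_task_struct_size = task_size;` removed here, nothing visible in `fpu__init_task_struct_size` consumes `task_size` any more. The earlier hunk even retypes it to `size_t`, and the arithmetic on it lies between the two hunks, so this is inferred rather than shown. If the value really is unused, the variable and its adjustments should be deleted instead of kept as dead code. The comments are also stale: "We append the 'struct fpu' to the task_struct:" above the function and "We dynamically size 'struct fpu'" above the remaining `CHECK_MEMBER_AT_END_OF` lines describe the old embedded layout. The rest of this patch accesses `fpu->state` through a pointer, so they should be reworded to say what the two remaining checks still guarantee.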
25156diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
25157index dc60810..6c8a1fa 100644
25158--- a/arch/x86/kernel/fpu/regset.c
25159+++ b/arch/x86/kernel/fpu/regset.c
25160@@ -37,7 +37,7 @@ int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
25161 fpstate_sanitize_xstate(fpu);
25162
25163 return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
25164- &fpu->state.fxsave, 0, -1);
25165+ &fpu->state->fxsave, 0, -1);
25166 }
25167
25168 int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
25169@@ -54,19 +54,19 @@ int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
25170 fpstate_sanitize_xstate(fpu);
25171
25172 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
25173- &fpu->state.fxsave, 0, -1);
25174+ &fpu->state->fxsave, 0, -1);
25175
25176 /*
25177 * mxcsr reserved bits must be masked to zero for security reasons.
25178 */
25179- fpu->state.fxsave.mxcsr &= mxcsr_feature_mask;
25180+ fpu->state->fxsave.mxcsr &= mxcsr_feature_mask;
25181
25182 /*
25183 * update the header bits in the xsave header, indicating the
25184 * presence of FP and SSE state.
25185 */
25186 if (cpu_has_xsave)
25187- fpu->state.xsave.header.xfeatures |= XSTATE_FPSSE;
25188+ fpu->state->xsave.header.xfeatures |= XSTATE_FPSSE;
25189
25190 return ret;
25191 }
25192@@ -84,7 +84,7 @@ int xstateregs_get(struct task_struct *target, const struct user_regset *regset,
25193
25194 fpu__activate_fpstate_read(fpu);
25195
25196- xsave = &fpu->state.xsave;
25197+ xsave = &fpu->state->xsave;
25198
25199 /*
25200 * Copy the 48bytes defined by the software first into the xstate
25201@@ -113,7 +113,7 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
25202
25203 fpu__activate_fpstate_write(fpu);
25204
25205- xsave = &fpu->state.xsave;
25206+ xsave = &fpu->state->xsave;
25207
25208 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
25209 /*
25210@@ -204,7 +204,7 @@ static inline u32 twd_fxsr_to_i387(struct fxregs_state *fxsave)
25211 void
25212 convert_from_fxsr(struct user_i387_ia32_struct *env, struct task_struct *tsk)
25213 {
25214- struct fxregs_state *fxsave = &tsk->thread.fpu.state.fxsave;
25215+ struct fxregs_state *fxsave = &tsk->thread.fpu.state->fxsave;
25216 struct _fpreg *to = (struct _fpreg *) &env->st_space[0];
25217 struct _fpxreg *from = (struct _fpxreg *) &fxsave->st_space[0];
25218 int i;
25219@@ -242,7 +242,7 @@ void convert_to_fxsr(struct task_struct *tsk,
25220 const struct user_i387_ia32_struct *env)
25221
25222 {
25223- struct fxregs_state *fxsave = &tsk->thread.fpu.state.fxsave;
25224+ struct fxregs_state *fxsave = &tsk->thread.fpu.state->fxsave;
25225 struct _fpreg *from = (struct _fpreg *) &env->st_space[0];
25226 struct _fpxreg *to = (struct _fpxreg *) &fxsave->st_space[0];
25227 int i;
25228@@ -280,7 +280,7 @@ int fpregs_get(struct task_struct *target, const struct user_regset *regset,
25229
25230 if (!cpu_has_fxsr)
25231 return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
25232- &fpu->state.fsave, 0,
25233+ &fpu->state->fsave, 0,
25234 -1);
25235
25236 fpstate_sanitize_xstate(fpu);
25237@@ -311,7 +311,7 @@ int fpregs_set(struct task_struct *target, const struct user_regset *regset,
25238
25239 if (!cpu_has_fxsr)
25240 return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
25241- &fpu->state.fsave, 0,
25242+ &fpu->state->fsave, 0,
25243 -1);
25244
25245 if (pos > 0 || count < sizeof(env))
25246@@ -326,7 +326,7 @@ int fpregs_set(struct task_struct *target, const struct user_regset *regset,
25247 * presence of FP.
25248 */
25249 if (cpu_has_xsave)
25250- fpu->state.xsave.header.xfeatures |= XSTATE_FP;
25251+ fpu->state->xsave.header.xfeatures |= XSTATE_FP;
25252 return ret;
25253 }
25254
25255diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
25256index 50ec9af..bb871ca 100644
25257--- a/arch/x86/kernel/fpu/signal.c
25258+++ b/arch/x86/kernel/fpu/signal.c
25259@@ -54,7 +54,7 @@ static inline int check_for_xstate(struct fxregs_state __user *buf,
25260 static inline int save_fsave_header(struct task_struct *tsk, void __user *buf)
25261 {
25262 if (use_fxsr()) {
25263- struct xregs_state *xsave = &tsk->thread.fpu.state.xsave;
25264+ struct xregs_state *xsave = &tsk->thread.fpu.state->xsave;
25265 struct user_i387_ia32_struct env;
25266 struct _fpstate_ia32 __user *fp = buf;
25267
25268@@ -83,18 +83,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
25269
25270 /* Setup the bytes not touched by the [f]xsave and reserved for SW. */
25271 sw_bytes = ia32_frame ? &fx_sw_reserved_ia32 : &fx_sw_reserved;
25272- err = __copy_to_user(&x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes));
25273+ err = __copy_to_user(x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes));
25274
25275 if (!use_xsave())
25276 return err;
25277
25278- err |= __put_user(FP_XSTATE_MAGIC2, (__u32 *)(buf + xstate_size));
25279+ err |= __put_user(FP_XSTATE_MAGIC2, (__u32 __user *)(buf + xstate_size));
25280
25281 /*
25282 * Read the xfeatures which we copied (directly from the cpu or
25283 * from the state in task struct) to the user buffers.
25284 */
25285- err |= __get_user(xfeatures, (__u32 *)&x->header.xfeatures);
25286+ err |= __get_user(xfeatures, (__u32 __user *)&x->header.xfeatures);
25287
25288 /*
25289 * For legacy compatible, we always set FP/SSE bits in the bit
25290@@ -109,7 +109,7 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
25291 */
25292 xfeatures |= XSTATE_FPSSE;
25293
25294- err |= __put_user(xfeatures, (__u32 *)&x->header.xfeatures);
25295+ err |= __put_user(xfeatures, (__u32 __user *)&x->header.xfeatures);
25296
25297 return err;
25298 }
25299@@ -118,6 +118,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf)
25300 {
25301 int err;
25302
25303+ buf = (struct xregs_state __user *)____m(buf);
25304 if (use_xsave())
25305 err = copy_xregs_to_user(buf);
25306 else if (use_fxsr())
25307@@ -152,7 +153,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf)
25308 */
25309 int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
25310 {
25311- struct xregs_state *xsave = &current->thread.fpu.state.xsave;
25312+ struct xregs_state *xsave = &current->thread.fpu.state->xsave;
25313 struct task_struct *tsk = current;
25314 int ia32_fxstate = (buf != buf_fx);
25315
25316@@ -195,7 +196,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
25317 struct user_i387_ia32_struct *ia32_env,
25318 u64 xfeatures, int fx_only)
25319 {
25320- struct xregs_state *xsave = &tsk->thread.fpu.state.xsave;
25321+ struct xregs_state *xsave = &tsk->thread.fpu.state->xsave;
25322 struct xstate_header *header = &xsave->header;
25323
25324 if (use_xsave()) {
25325@@ -228,6 +229,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
25326 */
25327 static inline int copy_user_to_fpregs_zeroing(void __user *buf, u64 xbv, int fx_only)
25328 {
25329+ buf = (void __user *)____m(buf);
25330 if (use_xsave()) {
25331 if ((unsigned long)buf % 64 || fx_only) {
25332 u64 init_bv = xfeatures_mask & ~XSTATE_FPSSE;
25333@@ -308,9 +310,9 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
25334 */
25335 fpu__drop(fpu);
25336
25337- if (__copy_from_user(&fpu->state.xsave, buf_fx, state_size) ||
25338+ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) ||
25339 __copy_from_user(&env, buf, sizeof(env))) {
25340- fpstate_init(&fpu->state);
25341+ fpstate_init(fpu->state);
25342 err = -1;
25343 } else {
25344 sanitize_restored_xstate(tsk, &env, xfeatures, fx_only);
25345diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
25346index 62fc001..5ce38be 100644
25347--- a/arch/x86/kernel/fpu/xstate.c
25348+++ b/arch/x86/kernel/fpu/xstate.c
25349@@ -93,14 +93,14 @@ EXPORT_SYMBOL_GPL(cpu_has_xfeatures);
25350 */
25351 void fpstate_sanitize_xstate(struct fpu *fpu)
25352 {
25353- struct fxregs_state *fx = &fpu->state.fxsave;
25354+ struct fxregs_state *fx = &fpu->state->fxsave;
25355 int feature_bit;
25356 u64 xfeatures;
25357
25358 if (!use_xsaveopt())
25359 return;
25360
25361- xfeatures = fpu->state.xsave.header.xfeatures;
25362+ xfeatures = fpu->state->xsave.header.xfeatures;
25363
25364 /*
25365 * None of the feature bits are in init state. So nothing else
25366@@ -402,7 +402,7 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature)
25367 if (!boot_cpu_has(X86_FEATURE_XSAVE))
25368 return NULL;
25369
25370- xsave = &current->thread.fpu.state.xsave;
25371+ xsave = &current->thread.fpu.state->xsave;
25372 /*
25373 * We should not ever be requesting features that we
25374 * have not enabled. Remember that pcntxt_mask is
25375@@ -457,5 +457,5 @@ const void *get_xsave_field_ptr(int xsave_state)
25376 */
25377 fpu__save(fpu);
25378
25379- return get_xsave_addr(&fpu->state.xsave, xsave_state);
25380+ return get_xsave_addr(&fpu->state->xsave, xsave_state);
25381 }
25382diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
25383index 8b7b0a5..02219db 100644
25384--- a/arch/x86/kernel/ftrace.c
25385+++ b/arch/x86/kernel/ftrace.c
25386@@ -89,7 +89,7 @@ static unsigned long text_ip_addr(unsigned long ip)
25387 * kernel identity mapping to modify code.
25388 */
25389 if (within(ip, (unsigned long)_text, (unsigned long)_etext))
25390- ip = (unsigned long)__va(__pa_symbol(ip));
25391+ ip = (unsigned long)__va(__pa_symbol(ktla_ktva(ip)));
25392
25393 return ip;
25394 }
25395@@ -105,6 +105,8 @@ ftrace_modify_code_direct(unsigned long ip, unsigned const char *old_code,
25396 {
25397 unsigned char replaced[MCOUNT_INSN_SIZE];
25398
25399+ ip = ktla_ktva(ip);
25400+
25401 /*
25402 * Note: Due to modules and __init, code can
25403 * disappear and change, we need to protect against faulting
25404@@ -230,7 +232,7 @@ static int update_ftrace_func(unsigned long ip, void *new)
25405 unsigned char old[MCOUNT_INSN_SIZE];
25406 int ret;
25407
25408- memcpy(old, (void *)ip, MCOUNT_INSN_SIZE);
25409+ memcpy(old, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE);
25410
25411 ftrace_update_func = ip;
25412 /* Make sure the breakpoints see the ftrace_update_func update */
25413@@ -311,7 +313,7 @@ static int add_break(unsigned long ip, const char *old)
25414 unsigned char replaced[MCOUNT_INSN_SIZE];
25415 unsigned char brk = BREAKPOINT_INSTRUCTION;
25416
25417- if (probe_kernel_read(replaced, (void *)ip, MCOUNT_INSN_SIZE))
25418+ if (probe_kernel_read(replaced, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE))
25419 return -EFAULT;
25420
25421 /* Make sure it is what we expect it to be */
25422@@ -670,11 +672,11 @@ static unsigned char *ftrace_jmp_replace(unsigned long ip, unsigned long addr)
25423 /* Module allocation simplifies allocating memory for code */
25424 static inline void *alloc_tramp(unsigned long size)
25425 {
25426- return module_alloc(size);
25427+ return module_alloc_exec(size);
25428 }
25429 static inline void tramp_free(void *tramp)
25430 {
25431- module_memfree(tramp);
25432+ module_memfree_exec(tramp);
25433 }
25434 #else
25435 /* Trampolines can only be created if modules are supported */
25436@@ -753,7 +755,9 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
25437 *tramp_size = size + MCOUNT_INSN_SIZE + sizeof(void *);
25438
25439 /* Copy ftrace_caller onto the trampoline memory */
25440+ pax_open_kernel();
25441 ret = probe_kernel_read(trampoline, (void *)start_offset, size);
25442+ pax_close_kernel();
25443 if (WARN_ON(ret < 0)) {
25444 tramp_free(trampoline);
25445 return 0;
25446@@ -763,6 +767,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
25447
25448 /* The trampoline ends with a jmp to ftrace_return */
25449 jmp = ftrace_jmp_replace(ip, (unsigned long)ftrace_return);
25450+ pax_open_kernel();
25451 memcpy(trampoline + size, jmp, MCOUNT_INSN_SIZE);
25452
25453 /*
25454@@ -775,6 +780,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
25455
25456 ptr = (unsigned long *)(trampoline + size + MCOUNT_INSN_SIZE);
25457 *ptr = (unsigned long)ops;
25458+ pax_close_kernel();
25459
25460 op_offset -= start_offset;
25461 memcpy(&op_ptr, trampoline + op_offset, OP_REF_SIZE);
25462@@ -792,7 +798,9 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
25463 op_ptr.offset = offset;
25464
25465 /* put in the new offset to the ftrace_ops */
25466+ pax_open_kernel();
25467 memcpy(trampoline + op_offset, &op_ptr, OP_REF_SIZE);
25468+ pax_close_kernel();
25469
25470 /* ALLOC_TRAMP flags lets us know we created it */
25471 ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP;
25472diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
25473index f129a9a..af8f6da 100644
25474--- a/arch/x86/kernel/head64.c
25475+++ b/arch/x86/kernel/head64.c
25476@@ -68,12 +68,12 @@ again:
25477 pgd = *pgd_p;
25478
25479 /*
25480- * The use of __START_KERNEL_map rather than __PAGE_OFFSET here is
25481- * critical -- __PAGE_OFFSET would point us back into the dynamic
25482+ * The use of __early_va rather than __va here is critical:
25483+ * __va would point us back into the dynamic
25484 * range and we might end up looping forever...
25485 */
25486 if (pgd)
25487- pud_p = (pudval_t *)((pgd & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
25488+ pud_p = (pudval_t *)(__early_va(pgd & PTE_PFN_MASK));
25489 else {
25490 if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
25491 reset_early_page_tables();
25492@@ -83,13 +83,13 @@ again:
25493 pud_p = (pudval_t *)early_dynamic_pgts[next_early_pgt++];
25494 for (i = 0; i < PTRS_PER_PUD; i++)
25495 pud_p[i] = 0;
25496- *pgd_p = (pgdval_t)pud_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
25497+ *pgd_p = (pgdval_t)__pa(pud_p) + _KERNPG_TABLE;
25498 }
25499 pud_p += pud_index(address);
25500 pud = *pud_p;
25501
25502 if (pud)
25503- pmd_p = (pmdval_t *)((pud & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
25504+ pmd_p = (pmdval_t *)(__early_va(pud & PTE_PFN_MASK));
25505 else {
25506 if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
25507 reset_early_page_tables();
25508@@ -99,7 +99,7 @@ again:
25509 pmd_p = (pmdval_t *)early_dynamic_pgts[next_early_pgt++];
25510 for (i = 0; i < PTRS_PER_PMD; i++)
25511 pmd_p[i] = 0;
25512- *pud_p = (pudval_t)pmd_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
25513+ *pud_p = (pudval_t)__pa(pmd_p) + _KERNPG_TABLE;
25514 }
25515 pmd = (physaddr & PMD_MASK) + early_pmd_flags;
25516 pmd_p[pmd_index(address)] = pmd;
25517@@ -163,8 +163,6 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data)
25518
25519 clear_bss();
25520
25521- clear_page(init_level4_pgt);
25522-
25523 kasan_early_init();
25524
25525 for (i = 0; i < NUM_EXCEPTION_VECTORS; i++)
25526diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
25527index 0e2d96f..5889003 100644
25528--- a/arch/x86/kernel/head_32.S
25529+++ b/arch/x86/kernel/head_32.S
25530@@ -27,6 +27,12 @@
25531 /* Physical address */
25532 #define pa(X) ((X) - __PAGE_OFFSET)
25533
25534+#ifdef CONFIG_PAX_KERNEXEC
25535+#define ta(X) (X)
25536+#else
25537+#define ta(X) ((X) - __PAGE_OFFSET)
25538+#endif
25539+
25540 /*
25541 * References to members of the new_cpu_data structure.
25542 */
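Review bot: `ta()` is introduced without a comment, although `pa()` just above it has one, and the two macros differ only when CONFIG_PAX_KERNEXEC is set. A one-line comment would tell the reader when to pick which, for example `/* Early jump-target address: link-time value under KERNEXEC, same as pa() otherwise */`. Why the KERNEXEC case needs no offset is not stated here. It presumably follows from the code-segment base that the startup_32 hunk below writes into boot_gdt, and the comment should say so if that is confirmed.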
25543@@ -56,11 +62,7 @@
25544 * and small than max_low_pfn, otherwise will waste some page table entries
25545 */
25546
25547-#if PTRS_PER_PMD > 1
25548-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
25549-#else
25550-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
25551-#endif
25552+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
25553
25554 /*
25555 * Number of possible pages in the lowmem region.
25556@@ -86,6 +88,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_PAGES) * PAGE_SIZE
25557 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
25558
25559 /*
25560+ * Real beginning of normal "text" segment
25561+ */
25562+ENTRY(stext)
25563+ENTRY(_stext)
25564+
25565+/*
25566 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
25567 * %esi points to the real-mode code as a 32-bit pointer.
25568 * CS and DS must be 4 GB flat segments, but we don't depend on
25569@@ -93,6 +101,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
25570 * can.
25571 */
25572 __HEAD
25573+
25574+#ifdef CONFIG_PAX_KERNEXEC
25575+ jmp startup_32
25576+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
25577+.fill PAGE_SIZE-5,1,0xcc
25578+#endif
25579+
25580 ENTRY(startup_32)
25581 movl pa(stack_start),%ecx
25582
25583@@ -114,6 +129,66 @@ ENTRY(startup_32)
25584 2:
25585 leal -__PAGE_OFFSET(%ecx),%esp
25586
25587+#ifdef CONFIG_SMP
25588+ movl $pa(cpu_gdt_table),%edi
25589+ movl $__per_cpu_load,%eax
25590+ movw %ax,GDT_ENTRY_PERCPU * 8 + 2(%edi)
25591+ rorl $16,%eax
25592+ movb %al,GDT_ENTRY_PERCPU * 8 + 4(%edi)
25593+ movb %ah,GDT_ENTRY_PERCPU * 8 + 7(%edi)
25594+ movl $__per_cpu_end - 1,%eax
25595+ subl $__per_cpu_start,%eax
25596+ cmpl $0x100000,%eax
25597+ jb 1f
25598+ shrl $PAGE_SHIFT,%eax
25599+ orb $0x80,GDT_ENTRY_PERCPU * 8 + 6(%edi)
25600+1:
25601+ movw %ax,GDT_ENTRY_PERCPU * 8 + 0(%edi)
25602+ shrl $16,%eax
25603+ orb %al,GDT_ENTRY_PERCPU * 8 + 6(%edi)
25604+#endif
25605+
25606+#ifdef CONFIG_PAX_MEMORY_UDEREF
25607+ movl $NR_CPUS,%ecx
25608+ movl $pa(cpu_gdt_table),%edi
25609+1:
25610+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
25611+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
25612+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
25613+ addl $PAGE_SIZE_asm,%edi
25614+ loop 1b
25615+#endif
25616+
25617+#ifdef CONFIG_PAX_KERNEXEC
25618+ movl $pa(boot_gdt),%edi
25619+ movl $__LOAD_PHYSICAL_ADDR,%eax
25620+ movw %ax,GDT_ENTRY_BOOT_CS * 8 + 2(%edi)
25621+ rorl $16,%eax
25622+ movb %al,GDT_ENTRY_BOOT_CS * 8 + 4(%edi)
25623+ movb %ah,GDT_ENTRY_BOOT_CS * 8 + 7(%edi)
25624+ rorl $16,%eax
25625+
25626+ ljmp $(__BOOT_CS),$1f
25627+1:
25628+
25629+ movl $NR_CPUS,%ecx
25630+ movl $pa(cpu_gdt_table),%edi
25631+ addl $__PAGE_OFFSET,%eax
25632+1:
25633+ movb $0xc0,GDT_ENTRY_KERNEL_CS * 8 + 6(%edi)
25634+ movb $0xc0,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 6(%edi)
25635+ movw %ax,GDT_ENTRY_KERNEL_CS * 8 + 2(%edi)
25636+ movw %ax,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 2(%edi)
25637+ rorl $16,%eax
25638+ movb %al,GDT_ENTRY_KERNEL_CS * 8 + 4(%edi)
25639+ movb %al,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 4(%edi)
25640+ movb %ah,GDT_ENTRY_KERNEL_CS * 8 + 7(%edi)
25641+ movb %ah,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 7(%edi)
25642+ rorl $16,%eax
25643+ addl $PAGE_SIZE_asm,%edi
25644+ loop 1b
25645+#endif
25646+
25647 /*
25648 * Clear BSS first so that there are no surprises...
25649 */
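Review bot: The descriptor patching added to startup_32 uses bare immediates (`0x00c09700`, `0x00c0fb00`, `0x00c0f300`, `$0x80`, `$0xc0`) and byte offsets `+ 2`, `+ 4`, `+ 6`, `+ 7` with no comment, so the segment properties being set cannot be reviewed without decoding each value by hand. In the CONFIG_PAX_MEMORY_UDEREF loop the stores write the high dword of each descriptor: the shifted `__PAGE_OFFSET-1` term lands in limit[19:16], and the kernel-DS access byte `0x97` differs from the `0x93` used for kernel data in cpu_gdt_table by the expand-down bit. A comment per block would carry this, e.g. `/* high dword: limit[19:16] from __PAGE_OFFSET-1, G=1, D=1, access 0x97 = kernel data, expand-down */`. The numeric label `1:` is also reused four times in the added block, so named local labels would make the `jb 1f` and `loop 1b` targets easier to follow. startup_32 continues outside this hunk.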
25650@@ -209,8 +284,11 @@ ENTRY(startup_32)
25651 movl %eax, pa(max_pfn_mapped)
25652
25653 /* Do early initialization of the fixmap area */
25654- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
25655- movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
25656+#ifdef CONFIG_COMPAT_VDSO
25657+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
25658+#else
25659+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
25660+#endif
25661 #else /* Not PAE */
25662
25663 page_pde_offset = (__PAGE_OFFSET >> 20);
25664@@ -240,8 +318,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
25665 movl %eax, pa(max_pfn_mapped)
25666
25667 /* Do early initialization of the fixmap area */
25668- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
25669- movl %eax,pa(initial_page_table+0xffc)
25670+#ifdef CONFIG_COMPAT_VDSO
25671+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
25672+#else
25673+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
25674+#endif
25675 #endif
25676
25677 #ifdef CONFIG_PARAVIRT
25678@@ -255,9 +336,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
25679 cmpl $num_subarch_entries, %eax
25680 jae bad_subarch
25681
25682- movl pa(subarch_entries)(,%eax,4), %eax
25683- subl $__PAGE_OFFSET, %eax
25684- jmp *%eax
25685+ jmp *pa(subarch_entries)(,%eax,4)
25686
25687 bad_subarch:
25688 WEAK(lguest_entry)
25689@@ -269,10 +348,10 @@ WEAK(xen_entry)
25690 __INITDATA
25691
25692 subarch_entries:
25693- .long default_entry /* normal x86/PC */
25694- .long lguest_entry /* lguest hypervisor */
25695- .long xen_entry /* Xen hypervisor */
25696- .long default_entry /* Moorestown MID */
25697+ .long ta(default_entry) /* normal x86/PC */
25698+ .long ta(lguest_entry) /* lguest hypervisor */
25699+ .long ta(xen_entry) /* Xen hypervisor */
25700+ .long ta(default_entry) /* Moorestown MID */
25701 num_subarch_entries = (. - subarch_entries) / 4
25702 .previous
25703 #else
25704@@ -362,6 +441,7 @@ default_entry:
25705 movl pa(mmu_cr4_features),%eax
25706 movl %eax,%cr4
25707
25708+#ifdef CONFIG_X86_PAE
25709 testb $X86_CR4_PAE, %al # check if PAE is enabled
25710 jz enable_paging
25711
25712@@ -390,6 +470,9 @@ default_entry:
25713 /* Make changes effective */
25714 wrmsr
25715
25716+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
25717+#endif
25718+
25719 enable_paging:
25720
25721 /*
25722@@ -457,14 +540,20 @@ is486:
25723 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
25724 movl %eax,%ss # after changing gdt.
25725
25726- movl $(__USER_DS),%eax # DS/ES contains default USER segment
25727+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
25728 movl %eax,%ds
25729 movl %eax,%es
25730
25731 movl $(__KERNEL_PERCPU), %eax
25732 movl %eax,%fs # set this cpu's percpu
25733
25734+#ifdef CONFIG_CC_STACKPROTECTOR
25735 movl $(__KERNEL_STACK_CANARY),%eax
25736+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
25737+ movl $(__USER_DS),%eax
25738+#else
25739+ xorl %eax,%eax
25740+#endif
25741 movl %eax,%gs
25742
25743 xorl %eax,%eax # Clear LDT
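Review bot: The replaced instruction is left behind as commented-out code (`# movl $(__KERNEL_DS),%eax ...`), and DS/ES now receive __KERNEL_DS only because %eax still holds it from the `movl $(__KERNEL_DS),%eax` a few lines up. Say that directly instead: `/* %eax still holds __KERNEL_DS: DS/ES get the kernel segment, not __USER_DS */`. A `/* */` comment also avoids a line that starts with `#` in a preprocessed .S file, which the C preprocessor reads as a directive introducer. The new `#else` arm that loads 0 into %gs would benefit from a short why-comment as well.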
25744@@ -521,8 +610,11 @@ setup_once:
25745 * relocation. Manually set base address in stack canary
25746 * segment descriptor.
25747 */
25748- movl $gdt_page,%eax
25749+ movl $cpu_gdt_table,%eax
25750 movl $stack_canary,%ecx
25751+#ifdef CONFIG_SMP
25752+ addl $__per_cpu_load,%ecx
25753+#endif
25754 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
25755 shrl $16, %ecx
25756 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
25757@@ -559,7 +651,7 @@ early_idt_handler_common:
25758 cmpl $2,(%esp) # X86_TRAP_NMI
25759 je .Lis_nmi # Ignore NMI
25760
25761- cmpl $2,%ss:early_recursion_flag
25762+ cmpl $1,%ss:early_recursion_flag
25763 je hlt_loop
25764 incl %ss:early_recursion_flag
25765
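Review bot: The recursion guard now tests `early_recursion_flag` for equality with 1 here and with 2 in `ignore_int` (the hunk at `ignore_int:` below), and both paths `incl` the same counter. With exact-match compares a mix of the two paths can step the counter past either value, after which neither `je hlt_loop` fires again. Whether that sequence is reachable depends on code outside these hunks, for example a decrement on the fixup path. A threshold test is robust either way: `cmpl $1,%ss:early_recursion_flag` followed by `jae hlt_loop`, and the same with `$2` in `ignore_int`. The change from 2 to 1 also deserves a comment stating why this handler tolerates one level less.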
25766@@ -597,8 +689,8 @@ early_idt_handler_common:
25767 pushl (20+6*4)(%esp) /* trapno */
25768 pushl $fault_msg
25769 call printk
25770-#endif
25771 call dump_stack
25772+#endif
25773 hlt_loop:
25774 hlt
25775 jmp hlt_loop
25776@@ -618,8 +710,11 @@ ENDPROC(early_idt_handler_common)
25777 /* This is the default interrupt "handler" :-) */
25778 ALIGN
25779 ignore_int:
25780- cld
25781 #ifdef CONFIG_PRINTK
25782+ cmpl $2,%ss:early_recursion_flag
25783+ je hlt_loop
25784+ incl %ss:early_recursion_flag
25785+ cld
25786 pushl %eax
25787 pushl %ecx
25788 pushl %edx
25789@@ -628,9 +723,6 @@ ignore_int:
25790 movl $(__KERNEL_DS),%eax
25791 movl %eax,%ds
25792 movl %eax,%es
25793- cmpl $2,early_recursion_flag
25794- je hlt_loop
25795- incl early_recursion_flag
25796 pushl 16(%esp)
25797 pushl 24(%esp)
25798 pushl 32(%esp)
25799@@ -664,29 +756,34 @@ ENTRY(setup_once_ref)
25800 /*
25801 * BSS section
25802 */
25803-__PAGE_ALIGNED_BSS
25804- .align PAGE_SIZE
25805 #ifdef CONFIG_X86_PAE
25806+.section .initial_pg_pmd,"a",@progbits
25807 initial_pg_pmd:
25808 .fill 1024*KPMDS,4,0
25809 #else
25810+.section .initial_page_table,"a",@progbits
25811 ENTRY(initial_page_table)
25812 .fill 1024,4,0
25813 #endif
25814+.section .initial_pg_fixmap,"a",@progbits
25815 initial_pg_fixmap:
25816 .fill 1024,4,0
25817+.section .empty_zero_page,"a",@progbits
25818 ENTRY(empty_zero_page)
25819 .fill 4096,1,0
25820+.section .swapper_pg_dir,"a",@progbits
25821 ENTRY(swapper_pg_dir)
25822+#ifdef CONFIG_X86_PAE
25823+ .fill 4,8,0
25824+#else
25825 .fill 1024,4,0
25826+#endif
25827
25828 /*
25829 * This starts the data section.
25830 */
25831 #ifdef CONFIG_X86_PAE
25832-__PAGE_ALIGNED_DATA
25833- /* Page-aligned for the benefit of paravirt? */
25834- .align PAGE_SIZE
25835+.section .initial_page_table,"a",@progbits
25836 ENTRY(initial_page_table)
25837 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
25838 # if KPMDS == 3
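Review bot: The `.align PAGE_SIZE` that covered initial_pg_pmd/initial_page_table, initial_pg_fixmap, empty_zero_page and swapper_pg_dir is removed and nothing in this hunk replaces it. Their page alignment now depends entirely on how the linker script places the new `.initial_*`, `.empty_zero_page` and `.swapper_pg_dir` sections, which is not in this view. The header comment still reads "BSS section" although every object is now in an allocated `@progbits` section. Update it to say what holds, e.g. `/* Early page tables and zero page: one section each, page-aligned by the linker script */`, and confirm that the script aligns each of them.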
25839@@ -705,12 +802,20 @@ ENTRY(initial_page_table)
25840 # error "Kernel PMDs should be 1, 2 or 3"
25841 # endif
25842 .align PAGE_SIZE /* needs to be page-sized too */
25843+
25844+#ifdef CONFIG_PAX_PER_CPU_PGD
25845+ENTRY(cpu_pgd)
25846+ .rept 2*NR_CPUS
25847+ .fill 4,8,0
25848+ .endr
25849+#endif
25850+
25851 #endif
25852
25853 .data
25854 .balign 4
25855 ENTRY(stack_start)
25856- .long init_thread_union+THREAD_SIZE
25857+ .long init_thread_union+THREAD_SIZE-8
25858
25859 __INITRODATA
25860 int_msg:
25861@@ -738,7 +843,7 @@ fault_msg:
25862 * segment size, and 32-bit linear address value:
25863 */
25864
25865- .data
25866+.section .rodata,"a",@progbits
25867 .globl boot_gdt_descr
25868 .globl idt_descr
25869
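Review bot: Moving this block from `.data` to `.section .rodata` places the descriptor pointers in read-only data, and the same appears to hold for `boot_gdt` and the new `cpu_gdt_table` unless a section directive sits in the lines between the hunks. This patch writes those tables at boot (the GDT patching in startup_32, the stack-canary base in setup_once), and `early_gdt_descr` is still commented "Overwritten for secondary CPUs". Add a comment here stating that these objects are writable only until read-only data is enforced and that any later store must be bracketed with `pax_open_kernel()`/`pax_close_kernel()`. The secondary-CPU writer is outside this view, so it should be checked against that rule.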
25870@@ -747,7 +852,7 @@ fault_msg:
25871 .word 0 # 32 bit align gdt_desc.address
25872 boot_gdt_descr:
25873 .word __BOOT_DS+7
25874- .long boot_gdt - __PAGE_OFFSET
25875+ .long pa(boot_gdt)
25876
25877 .word 0 # 32-bit align idt_desc.address
25878 idt_descr:
25879@@ -758,7 +863,7 @@ idt_descr:
25880 .word 0 # 32 bit align gdt_desc.address
25881 ENTRY(early_gdt_descr)
25882 .word GDT_ENTRIES*8-1
25883- .long gdt_page /* Overwritten for secondary CPUs */
25884+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
25885
25886 /*
25887 * The boot_gdt must mirror the equivalent in setup.S and is
25888@@ -767,5 +872,65 @@ ENTRY(early_gdt_descr)
25889 .align L1_CACHE_BYTES
25890 ENTRY(boot_gdt)
25891 .fill GDT_ENTRY_BOOT_CS,8,0
25892- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
25893- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
25894+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
25895+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
25896+
25897+ .align PAGE_SIZE_asm
25898+ENTRY(cpu_gdt_table)
25899+ .rept NR_CPUS
25900+ .quad 0x0000000000000000 /* NULL descriptor */
25901+ .quad 0x0000000000000000 /* 0x0b reserved */
25902+ .quad 0x0000000000000000 /* 0x13 reserved */
25903+ .quad 0x0000000000000000 /* 0x1b reserved */
25904+
25905+#ifdef CONFIG_PAX_KERNEXEC
25906+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
25907+#else
25908+ .quad 0x0000000000000000 /* 0x20 unused */
25909+#endif
25910+
25911+ .quad 0x0000000000000000 /* 0x28 unused */
25912+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
25913+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
25914+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
25915+ .quad 0x0000000000000000 /* 0x4b reserved */
25916+ .quad 0x0000000000000000 /* 0x53 reserved */
25917+ .quad 0x0000000000000000 /* 0x5b reserved */
25918+
25919+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
25920+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
25921+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
25922+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
25923+
25924+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
25925+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
25926+
25927+ /*
25928+ * Segments used for calling PnP BIOS have byte granularity.
25929+ * The code segments and data segments have fixed 64k limits,
25930+ * the transfer segment sizes are set at run time.
25931+ */
25932+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
25933+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
25934+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
25935+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
25936+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
25937+
25938+ /*
25939+ * The APM segments have byte granularity and their bases
25940+ * are set at run time. All have 64k limits.
25941+ */
25942+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
25943+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
25944+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
25945+
25946+ .quad 0x00c093000000ffff /* 0xd0 - ESPFIX SS */
25947+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
25948+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
25949+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
25950+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
25951+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
25952+
25953+ /* Be sure this is zeroed to avoid false validations in Xen */
25954+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
25955+ .endr
25956diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
25957index 1d40ca8..4d38dbd 100644
25958--- a/arch/x86/kernel/head_64.S
25959+++ b/arch/x86/kernel/head_64.S
25960@@ -20,6 +20,8 @@
25961 #include <asm/processor-flags.h>
25962 #include <asm/percpu.h>
25963 #include <asm/nops.h>
25964+#include <asm/cpufeature.h>
25965+#include <asm/alternative-asm.h>
25966
25967 #ifdef CONFIG_PARAVIRT
25968 #include <asm/asm-offsets.h>
25969@@ -41,6 +43,12 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET)
25970 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
25971 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
25972 L3_START_KERNEL = pud_index(__START_KERNEL_map)
25973+L4_VMALLOC_START = pgd_index(VMALLOC_START)
25974+L3_VMALLOC_START = pud_index(VMALLOC_START)
25975+L4_VMALLOC_END = pgd_index(VMALLOC_END)
25976+L3_VMALLOC_END = pud_index(VMALLOC_END)
25977+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
25978+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
25979
25980 .text
25981 __HEAD
25982@@ -89,11 +97,33 @@ startup_64:
25983 * Fixup the physical addresses in the page table
25984 */
25985 addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip)
25986+ addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
25987+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
25988+ addq %rbp, init_level4_pgt + (L4_VMALLOC_END*8)(%rip)
25989+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
25990+ addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
25991
25992- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
25993- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
25994+ addq %rbp, level3_ident_pgt + (0*8)(%rip)
25995+#ifndef CONFIG_XEN
25996+ addq %rbp, level3_ident_pgt + (1*8)(%rip)
25997+#endif
25998
25999+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
26000+
26001+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
26002+ addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip)
26003+
26004+ addq %rbp, level2_ident_pgt + (0*8)(%rip)
26005+
26006+ addq %rbp, level2_fixmap_pgt + (0*8)(%rip)
26007+ addq %rbp, level2_fixmap_pgt + (1*8)(%rip)
26008+ addq %rbp, level2_fixmap_pgt + (2*8)(%rip)
26009+ addq %rbp, level2_fixmap_pgt + (3*8)(%rip)
26010+
26011+ addq %rbp, level2_fixmap_pgt + (504*8)(%rip)
26012+ addq %rbp, level2_fixmap_pgt + (505*8)(%rip)
26013 addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
26014+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
26015
26016 /*
26017 * Set up the identity mapping for the switchover. These
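Review bot: The slot numbers `0`–`3` and `504`–`507` of level2_fixmap_pgt are written as literals here, again in the `btsq $_PAGE_BIT_NX` lines of the secondary_startup_64 hunk, and implicitly in the table layout further down (four quads, `.fill 500`, four quads, `.fill 4`). All three places have to be edited together by hand. The patch already introduces `L4_VMALLOC_START` and friends for the upper levels, so the same treatment fits here, e.g. `L2_FIXMAP_FIRST = 504` (name is a suggestion) used in the fixups, the NX lines and an `.org` in the table. The NX hunk sets the bit on 504–507 only, so a comment saying why slots 0–3 (the level1_modules_pgt entries) are left without it would also help.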
26018@@ -174,11 +204,12 @@ ENTRY(secondary_startup_64)
26019 * after the boot processor executes this code.
26020 */
26021
26022+ orq $-1, %rbp
26023 movq $(init_level4_pgt - __START_KERNEL_map), %rax
26024 1:
26025
26026- /* Enable PAE mode and PGE */
26027- movl $(X86_CR4_PAE | X86_CR4_PGE), %ecx
26028+ /* Enable PAE mode and PSE/PGE */
26029+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %ecx
26030 movq %rcx, %cr4
26031
26032 /* Setup early boot stage 4 level pagetables. */
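Review bot: `orq $-1, %rbp` turns %rbp into a flag with no comment, and its only reader is the `cmpq $-1, %rbp` / `je 1f` pair added in the next hunk, which skips the `btsq $_PAGE_BIT_NX` page-table updates. In startup_64 the same register carries the load delta used by the `addq %rbp, ...` fixups, so a reader has to work out that -1 cannot be a real delta. A comment at the `orq` would do: `/* %rbp = -1: entered via secondary_startup_64, skip the one-time NX page-table fixups below */`. That the fixups are meant to run once on the boot path is inferred from the context comment about the boot processor and should be confirmed.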
26033@@ -199,10 +230,21 @@ ENTRY(secondary_startup_64)
26034 movl $MSR_EFER, %ecx
26035 rdmsr
26036 btsl $_EFER_SCE, %eax /* Enable System Call */
26037- btl $20,%edi /* No Execute supported? */
26038+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
26039 jnc 1f
26040 btsl $_EFER_NX, %eax
26041+ cmpq $-1, %rbp
26042+ je 1f
26043 btsq $_PAGE_BIT_NX,early_pmd_flags(%rip)
26044+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_PAGE_OFFSET(%rip)
26045+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_START(%rip)
26046+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_END(%rip)
26047+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMEMMAP_START(%rip)
26048+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*504(%rip)
26049+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*505(%rip)
26050+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*506(%rip)
26051+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*507(%rip)
26052+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
26053 1: wrmsr /* Make changes effective */
26054
26055 /* Setup cr0 */
26056@@ -282,6 +324,7 @@ ENTRY(secondary_startup_64)
26057 * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
26058 * address given in m16:64.
26059 */
26060+ pax_set_fptr_mask
26061 movq initial_code(%rip),%rax
26062 pushq $0 # fake return address to stop unwinder
26063 pushq $__KERNEL_CS # set correct cs
26064@@ -313,7 +356,7 @@ ENDPROC(start_cpu0)
26065 .quad INIT_PER_CPU_VAR(irq_stack_union)
26066
26067 GLOBAL(stack_start)
26068- .quad init_thread_union+THREAD_SIZE-8
26069+ .quad init_thread_union+THREAD_SIZE-16
26070 .word 0
26071 __FINITDATA
26072
26073@@ -393,7 +436,7 @@ early_idt_handler_common:
26074 call dump_stack
26075 #ifdef CONFIG_KALLSYMS
26076 leaq early_idt_ripmsg(%rip),%rdi
26077- movq 40(%rsp),%rsi # %rip again
26078+ movq 88(%rsp),%rsi # %rip again
26079 call __print_symbol
26080 #endif
26081 #endif /* EARLY_PRINTK */
26082@@ -422,6 +465,7 @@ ENDPROC(early_idt_handler_common)
26083 early_recursion_flag:
26084 .long 0
26085
26086+ .section .rodata,"a",@progbits
26087 #ifdef CONFIG_EARLY_PRINTK
26088 early_idt_msg:
26089 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
26090@@ -444,40 +488,67 @@ GLOBAL(name)
26091 __INITDATA
26092 NEXT_PAGE(early_level4_pgt)
26093 .fill 511,8,0
26094- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
26095+ .quad level3_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26096
26097 NEXT_PAGE(early_dynamic_pgts)
26098 .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
26099
26100- .data
26101+ .section .rodata,"a",@progbits
26102
26103-#ifndef CONFIG_XEN
26104 NEXT_PAGE(init_level4_pgt)
26105- .fill 512,8,0
26106-#else
26107-NEXT_PAGE(init_level4_pgt)
26108- .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26109 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
26110 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26111+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
26112+ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + _KERNPG_TABLE
26113+ .org init_level4_pgt + L4_VMALLOC_END*8, 0
26114+ .quad level3_vmalloc_end_pgt - __START_KERNEL_map + _KERNPG_TABLE
26115+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
26116+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26117 .org init_level4_pgt + L4_START_KERNEL*8, 0
26118 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
26119- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
26120+ .quad level3_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26121+
26122+#ifdef CONFIG_PAX_PER_CPU_PGD
26123+NEXT_PAGE(cpu_pgd)
26124+ .rept 2*NR_CPUS
26125+ .fill 512,8,0
26126+ .endr
26127+#endif
26128
26129 NEXT_PAGE(level3_ident_pgt)
26130 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26131+#ifdef CONFIG_XEN
26132 .fill 511, 8, 0
26133+#else
26134+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
26135+ .fill 510,8,0
26136+#endif
26137+
26138+NEXT_PAGE(level3_vmalloc_start_pgt)
26139+ .fill 512,8,0
26140+
26141+NEXT_PAGE(level3_vmalloc_end_pgt)
26142+ .fill 512,8,0
26143+
26144+NEXT_PAGE(level3_vmemmap_pgt)
26145+ .fill L3_VMEMMAP_START,8,0
26146+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26147+
26148 NEXT_PAGE(level2_ident_pgt)
26149- /* Since I easily can, map the first 1G.
26150+ .quad level1_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26151+ /* Since I easily can, map the first 2G.
26152 * Don't set NX because code runs from these pages.
26153 */
26154- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
26155-#endif
26156+ PMDS(PMD_SIZE, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD - 1)
26157
26158 NEXT_PAGE(level3_kernel_pgt)
26159 .fill L3_START_KERNEL,8,0
26160 /* (2^48-(2*1024*1024*1024)-((2^39)*511))/(2^30) = 510 */
26161 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26162- .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
26163+ .quad level2_fixmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26164+
26165+NEXT_PAGE(level2_vmemmap_pgt)
26166+ .fill 512,8,0
26167
26168 NEXT_PAGE(level2_kernel_pgt)
26169 /*
26170@@ -494,31 +565,79 @@ NEXT_PAGE(level2_kernel_pgt)
26171 KERNEL_IMAGE_SIZE/PMD_SIZE)
26172
26173 NEXT_PAGE(level2_fixmap_pgt)
26174- .fill 506,8,0
26175- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
26176- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
26177- .fill 5,8,0
26178+ .quad level1_modules_pgt - __START_KERNEL_map + 0 * PAGE_SIZE + _KERNPG_TABLE
26179+ .quad level1_modules_pgt - __START_KERNEL_map + 1 * PAGE_SIZE + _KERNPG_TABLE
26180+ .quad level1_modules_pgt - __START_KERNEL_map + 2 * PAGE_SIZE + _KERNPG_TABLE
26181+ .quad level1_modules_pgt - __START_KERNEL_map + 3 * PAGE_SIZE + _KERNPG_TABLE
26182+ .fill 500,8,0
26183+ .quad level1_fixmap_pgt - __START_KERNEL_map + 0 * PAGE_SIZE + _KERNPG_TABLE
26184+ .quad level1_fixmap_pgt - __START_KERNEL_map + 1 * PAGE_SIZE + _KERNPG_TABLE
26185+ .quad level1_fixmap_pgt - __START_KERNEL_map + 2 * PAGE_SIZE + _KERNPG_TABLE
26186+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _KERNPG_TABLE
26187+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
26188+ .fill 4,8,0
26189+
26190+NEXT_PAGE(level1_ident_pgt)
26191+ .fill 512,8,0
26192+
26193+NEXT_PAGE(level1_modules_pgt)
26194+ .fill 4*512,8,0
26195
26196 NEXT_PAGE(level1_fixmap_pgt)
26197+ .fill 3*512,8,0
26198+
26199+NEXT_PAGE(level1_vsyscall_pgt)
26200 .fill 512,8,0
26201
26202 #undef PMDS
26203
26204- .data
26205+ .align PAGE_SIZE
26206+ENTRY(cpu_gdt_table)
26207+ .rept NR_CPUS
26208+ .quad 0x0000000000000000 /* NULL descriptor */
26209+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
26210+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
26211+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
26212+ .quad 0x00cffb000000ffff /* __USER32_CS */
26213+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
26214+ .quad 0x00affb000000ffff /* __USER_CS */
26215+
26216+#ifdef CONFIG_PAX_KERNEXEC
26217+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
26218+#else
26219+ .quad 0x0 /* unused */
26220+#endif
26221+
26222+ .quad 0,0 /* TSS */
26223+ .quad 0,0 /* LDT */
26224+ .quad 0,0,0 /* three TLS descriptors */
26225+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
26226+ /* asm/segment.h:GDT_ENTRIES must match this */
26227+
26228+#ifdef CONFIG_PAX_MEMORY_UDEREF
26229+ .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */
26230+#else
26231+ .quad 0x0 /* unused */
26232+#endif
26233+
26234+ /* zero the remaining page */
26235+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
26236+ .endr
26237+
26238 .align 16
26239 .globl early_gdt_descr
26240 early_gdt_descr:
26241 .word GDT_ENTRIES*8-1
26242 early_gdt_descr_base:
26243- .quad INIT_PER_CPU_VAR(gdt_page)
26244+ .quad cpu_gdt_table
26245
26246 ENTRY(phys_base)
26247 /* This must match the first entry in level2_kernel_pgt */
26248 .quad 0x0000000000000000
26249
26250 #include "../../x86/xen/xen-head.S"
26251-
26252- __PAGE_ALIGNED_BSS
26253+
26254+ .section .rodata,"a",@progbits
26255 NEXT_PAGE(empty_zero_page)
26256 .skip PAGE_SIZE
26257
26258diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
26259index 64341aa..b1e6632 100644
26260--- a/arch/x86/kernel/i386_ksyms_32.c
26261+++ b/arch/x86/kernel/i386_ksyms_32.c
26262@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
26263 EXPORT_SYMBOL(cmpxchg8b_emu);
26264 #endif
26265
26266+EXPORT_SYMBOL_GPL(cpu_gdt_table);
26267+
26268 /* Networking helper routines. */
26269 EXPORT_SYMBOL(csum_partial_copy_generic);
26270+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
26271+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
26272
26273 EXPORT_SYMBOL(__get_user_1);
26274 EXPORT_SYMBOL(__get_user_2);
26275@@ -42,3 +46,11 @@ EXPORT_SYMBOL(empty_zero_page);
26276 EXPORT_SYMBOL(___preempt_schedule);
26277 EXPORT_SYMBOL(___preempt_schedule_notrace);
26278 #endif
26279+
26280+#ifdef CONFIG_PAX_KERNEXEC
26281+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
26282+#endif
26283+
26284+#ifdef CONFIG_PAX_PER_CPU_PGD
26285+EXPORT_SYMBOL(cpu_pgd);
26286+#endif
26287diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
26288index 16cb827..372334f 100644
26289--- a/arch/x86/kernel/i8259.c
26290+++ b/arch/x86/kernel/i8259.c
26291@@ -110,7 +110,7 @@ static int i8259A_irq_pending(unsigned int irq)
26292 static void make_8259A_irq(unsigned int irq)
26293 {
26294 disable_irq_nosync(irq);
26295- io_apic_irqs &= ~(1<<irq);
26296+ io_apic_irqs &= ~(1UL<<irq);
26297 irq_set_chip_and_handler(irq, &i8259A_chip, handle_level_irq);
26298 enable_irq(irq);
26299 }
26300@@ -208,7 +208,7 @@ spurious_8259A_irq:
26301 "spurious 8259A interrupt: IRQ%d.\n", irq);
26302 spurious_irq_mask |= irqmask;
26303 }
26304- atomic_inc(&irq_err_count);
26305+ atomic_inc_unchecked(&irq_err_count);
26306 /*
26307 * Theoretically we do not have to handle this IRQ,
26308 * but in Linux this does not cause problems and is
26309@@ -349,14 +349,16 @@ static void init_8259A(int auto_eoi)
26310 /* (slave's support for AEOI in flat mode is to be investigated) */
26311 outb_pic(SLAVE_ICW4_DEFAULT, PIC_SLAVE_IMR);
26312
26313+ pax_open_kernel();
26314 if (auto_eoi)
26315 /*
26316 * In AEOI mode we just have to mask the interrupt
26317 * when acking.
26318 */
26319- i8259A_chip.irq_mask_ack = disable_8259A_irq;
26320+ *(void **)&i8259A_chip.irq_mask_ack = disable_8259A_irq;
26321 else
26322- i8259A_chip.irq_mask_ack = mask_and_ack_8259A;
26323+ *(void **)&i8259A_chip.irq_mask_ack = mask_and_ack_8259A;
26324+ pax_close_kernel();
26325
26326 udelay(100); /* wait for 8259A to initialize */
26327
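Review bot: The two added stores in init_8259A write `irq_mask_ack` through `*(void **)&i8259A_chip.irq_mask_ack`, which discards the function-pointer type, so a handler with the wrong signature would no longer be rejected by the compiler. Nothing states why the cast and the `pax_open_kernel()`/`pax_close_kernel()` bracket are needed; presumably `i8259A_chip` is read-only in this tree, but its definition is outside the hunk. I would add a comment above the bracket such as `/* i8259A_chip is write-protected; open a short write window to select the ack handler */` and keep the window limited to these two stores, as it is now. init_8259A starts and ends outside the hunk.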
26328diff --git a/arch/x86/kernel/io_delay.c b/arch/x86/kernel/io_delay.c
26329index a979b5b..1d6db75 100644
26330--- a/arch/x86/kernel/io_delay.c
26331+++ b/arch/x86/kernel/io_delay.c
26332@@ -58,7 +58,7 @@ static int __init dmi_io_delay_0xed_port(const struct dmi_system_id *id)
26333 * Quirk table for systems that misbehave (lock up, etc.) if port
26334 * 0x80 is used:
26335 */
26336-static struct dmi_system_id __initdata io_delay_0xed_port_dmi_table[] = {
26337+static const struct dmi_system_id __initconst io_delay_0xed_port_dmi_table[] = {
26338 {
26339 .callback = dmi_io_delay_0xed_port,
26340 .ident = "Compaq Presario V6000",
26341diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
26342index 37dae79..620dd84 100644
26343--- a/arch/x86/kernel/ioport.c
26344+++ b/arch/x86/kernel/ioport.c
26345@@ -6,6 +6,7 @@
26346 #include <linux/sched.h>
26347 #include <linux/kernel.h>
26348 #include <linux/capability.h>
26349+#include <linux/security.h>
26350 #include <linux/errno.h>
26351 #include <linux/types.h>
26352 #include <linux/ioport.h>
26353@@ -30,6 +31,12 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
26354 return -EINVAL;
26355 if (turn_on && !capable(CAP_SYS_RAWIO))
26356 return -EPERM;
26357+#ifdef CONFIG_GRKERNSEC_IO
26358+ if (turn_on && grsec_disable_privio) {
26359+ gr_handle_ioperm();
26360+ return -ENODEV;
26361+ }
26362+#endif
26363
26364 /*
26365 * If it's the first ioperm() call in this thread's lifetime, set the
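Review bot: The new `grsec_disable_privio` branch in sys_ioperm refuses the request with `-ENODEV` only after `capable(CAP_SYS_RAWIO)` has succeeded, and nothing in the hunk says why a privileged caller gets a different errno from an unprivileged one. A one-line comment above the `if`, such as `/* privileged I/O is disabled by policy even for CAP_SYS_RAWIO holders; report and refuse */`, would make the intent clear. The same applies to the iopl hunk further down in this file. `gr_handle_ioperm()` is defined outside the visible lines, so whether it only logs should be confirmed there.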
26366@@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
26367 * because the ->io_bitmap_max value must match the bitmap
26368 * contents:
26369 */
26370- tss = &per_cpu(cpu_tss, get_cpu());
26371+ tss = cpu_tss + get_cpu();
26372
26373 if (turn_on)
26374 bitmap_clear(t->io_bitmap_ptr, from, num);
26375@@ -105,6 +112,12 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
26376 if (level > old) {
26377 if (!capable(CAP_SYS_RAWIO))
26378 return -EPERM;
26379+#ifdef CONFIG_GRKERNSEC_IO
26380+ if (grsec_disable_privio) {
26381+ gr_handle_iopl();
26382+ return -ENODEV;
26383+ }
26384+#endif
26385 }
26386 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
26387 t->iopl = level << 12;
26388diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
26389index c7dfe1b..146f63c 100644
26390--- a/arch/x86/kernel/irq.c
26391+++ b/arch/x86/kernel/irq.c
26392@@ -28,7 +28,7 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
26393 DEFINE_PER_CPU(struct pt_regs *, irq_regs);
26394 EXPORT_PER_CPU_SYMBOL(irq_regs);
26395
26396-atomic_t irq_err_count;
26397+atomic_unchecked_t irq_err_count;
26398
26399 /* Function pointer for generic interrupt vector handling */
26400 void (*x86_platform_ipi_callback)(void) = NULL;
26401@@ -144,9 +144,9 @@ int arch_show_interrupts(struct seq_file *p, int prec)
26402 seq_printf(p, "%10u ", irq_stats(j)->irq_hv_callback_count);
26403 seq_puts(p, " Hypervisor callback interrupts\n");
26404 #endif
26405- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
26406+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
26407 #if defined(CONFIG_X86_IO_APIC)
26408- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
26409+ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
26410 #endif
26411 #ifdef CONFIG_HAVE_KVM
26412 seq_printf(p, "%*s: ", prec, "PIN");
26413@@ -198,7 +198,7 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
26414
26415 u64 arch_irq_stat(void)
26416 {
26417- u64 sum = atomic_read(&irq_err_count);
26418+ u64 sum = atomic_read_unchecked(&irq_err_count);
26419 return sum;
26420 }
26421
26422diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
26423index cd74f59..588af0b 100644
26424--- a/arch/x86/kernel/irq_32.c
26425+++ b/arch/x86/kernel/irq_32.c
26426@@ -23,6 +23,8 @@
26427
26428 #ifdef CONFIG_DEBUG_STACKOVERFLOW
26429
26430+extern void gr_handle_kernel_exploit(void);
26431+
26432 int sysctl_panic_on_stackoverflow __read_mostly;
26433
26434 /* Debugging check for stack overflow: is there less than 1KB free? */
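Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in irq_32.c, and the irq_64.c hunk repeats the same declaration. A prototype kept in each .c file is not checked against the definition, so a later signature change would compile silently. Moving it to a shared header that both files and the defining file include would be the usual form; which header fits is not visible from this hunk.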
26435@@ -33,13 +35,14 @@ static int check_stack_overflow(void)
26436 __asm__ __volatile__("andl %%esp,%0" :
26437 "=r" (sp) : "0" (THREAD_SIZE - 1));
26438
26439- return sp < (sizeof(struct thread_info) + STACK_WARN);
26440+ return sp < STACK_WARN;
26441 }
26442
26443 static void print_stack_overflow(void)
26444 {
26445 printk(KERN_WARNING "low stack detected by irq handler\n");
26446 dump_stack();
26447+ gr_handle_kernel_exploit();
26448 if (sysctl_panic_on_stackoverflow)
26449 panic("low stack detected by irq handler - check messages\n");
26450 }
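Review bot: print_stack_overflow now calls `gr_handle_kernel_exploit()` on every low-stack warning, before the `sysctl_panic_on_stackoverflow` check, but the trigger is only the heuristic `sp < STACK_WARN` from check_stack_overflow. As far as the hunk shows, a deep but legitimate call chain under CONFIG_DEBUG_STACKOVERFLOW would be handled the same way as an attack; what the handler actually does is defined elsewhere. A comment stating the policy, for example `/* treat a near-exhausted kernel stack as hostile, even without panic_on_stackoverflow */`, would document that this is intended. The irq_64.c hunk adds the same call in stack_overflow_check.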
26451@@ -71,10 +74,9 @@ static inline void *current_stack(void)
26452 static inline int
26453 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26454 {
26455- struct irq_stack *curstk, *irqstk;
26456+ struct irq_stack *irqstk;
26457 u32 *isp, *prev_esp, arg1, arg2;
26458
26459- curstk = (struct irq_stack *) current_stack();
26460 irqstk = __this_cpu_read(hardirq_stack);
26461
26462 /*
26463@@ -83,15 +85,19 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26464 * handler) we can't do that and just have to keep using the
26465 * current stack (which is the irq stack already after all)
26466 */
26467- if (unlikely(curstk == irqstk))
26468+ if (unlikely((void *)current_stack_pointer - (void *)irqstk < THREAD_SIZE))
26469 return 0;
26470
26471- isp = (u32 *) ((char *)irqstk + sizeof(*irqstk));
26472+ isp = (u32 *) ((char *)irqstk + sizeof(*irqstk) - 8);
26473
26474 /* Save the next esp at the bottom of the stack */
26475 prev_esp = (u32 *)irqstk;
26476 *prev_esp = current_stack_pointer();
26477
26478+#ifdef CONFIG_PAX_MEMORY_UDEREF
26479+ __set_fs(MAKE_MM_SEG(0));
26480+#endif
26481+
26482 if (unlikely(overflow))
26483 call_on_stack(print_stack_overflow, isp);
26484
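Review bot: The added test `(void *)current_stack_pointer - (void *)irqstk < THREAD_SIZE` names `current_stack_pointer` without call parentheses, while the unchanged line below it in the same hunk uses `current_stack_pointer()`. If it is a function in this tree, as that context line suggests, the cast takes the function's address instead of the stack pointer and the already-on-the-irq-stack check would not match as intended. The call form would be `if (unlikely((void *)current_stack_pointer() - (void *)irqstk < THREAD_SIZE))`. The `- 8` added to the `isp` computation also has no comment saying what the eight bytes are reserved for. execute_on_irq_stack begins before the hunk.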
26485@@ -102,6 +108,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26486 : "0" (irq), "1" (desc), "2" (isp),
26487 "D" (desc->handle_irq)
26488 : "memory", "cc", "ecx");
26489+
26490+#ifdef CONFIG_PAX_MEMORY_UDEREF
26491+ __set_fs(current_thread_info()->addr_limit);
26492+#endif
26493+
26494 return 1;
26495 }
26496
26497@@ -110,32 +121,18 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26498 */
26499 void irq_ctx_init(int cpu)
26500 {
26501- struct irq_stack *irqstk;
26502-
26503 if (per_cpu(hardirq_stack, cpu))
26504 return;
26505
26506- irqstk = page_address(alloc_pages_node(cpu_to_node(cpu),
26507- THREADINFO_GFP,
26508- THREAD_SIZE_ORDER));
26509- per_cpu(hardirq_stack, cpu) = irqstk;
26510-
26511- irqstk = page_address(alloc_pages_node(cpu_to_node(cpu),
26512- THREADINFO_GFP,
26513- THREAD_SIZE_ORDER));
26514- per_cpu(softirq_stack, cpu) = irqstk;
26515-
26516- printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
26517- cpu, per_cpu(hardirq_stack, cpu), per_cpu(softirq_stack, cpu));
26518+ per_cpu(hardirq_stack, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
26519+ per_cpu(softirq_stack, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
26520 }
26521
26522 void do_softirq_own_stack(void)
26523 {
26524- struct thread_info *curstk;
26525 struct irq_stack *irqstk;
26526 u32 *isp, *prev_esp;
26527
26528- curstk = current_stack();
26529 irqstk = __this_cpu_read(softirq_stack);
26530
26531 /* build the stack frame on the softirq stack */
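Review bot: Both replacement lines in irq_ctx_init pass the result of `alloc_pages_node()` straight to `page_address()` and store it in `hardirq_stack`/`softirq_stack` with no check for a failed allocation. The removed code had the same gap, but the rewrite is the natural place to close it: take the `struct page *` into a local, test it, and only then publish the per-CPU pointer. What the failure path should do (return early, or stop bring-up of that CPU) depends on callers outside the hunk.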
26532@@ -145,7 +142,16 @@ void do_softirq_own_stack(void)
26533 prev_esp = (u32 *)irqstk;
26534 *prev_esp = current_stack_pointer();
26535
26536+#ifdef CONFIG_PAX_MEMORY_UDEREF
26537+ __set_fs(MAKE_MM_SEG(0));
26538+#endif
26539+
26540 call_on_stack(__do_softirq, isp);
26541+
26542+#ifdef CONFIG_PAX_MEMORY_UDEREF
26543+ __set_fs(current_thread_info()->addr_limit);
26544+#endif
26545+
26546 }
26547
26548 bool handle_irq(unsigned irq, struct pt_regs *regs)
26549diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
26550index bc4604e..0be227d 100644
26551--- a/arch/x86/kernel/irq_64.c
26552+++ b/arch/x86/kernel/irq_64.c
26553@@ -20,6 +20,8 @@
26554 #include <asm/idle.h>
26555 #include <asm/apic.h>
26556
26557+extern void gr_handle_kernel_exploit(void);
26558+
26559 int sysctl_panic_on_stackoverflow;
26560
26561 /*
26562@@ -63,6 +65,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
26563 irq_stack_top, irq_stack_bottom,
26564 estack_top, estack_bottom);
26565
26566+ gr_handle_kernel_exploit();
26567+
26568 if (sysctl_panic_on_stackoverflow)
26569 panic("low stack detected by irq handler - check messages\n");
26570 #endif
26571diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c
26572index 26d5a55..063fef8 100644
26573--- a/arch/x86/kernel/jump_label.c
26574+++ b/arch/x86/kernel/jump_label.c
26575@@ -31,6 +31,8 @@ static void bug_at(unsigned char *ip, int line)
26576 * Something went wrong. Crash the box, as something could be
26577 * corrupting the kernel.
26578 */
26579+ ip = (unsigned char *)ktla_ktva((unsigned long)ip);
26580+ pr_warning("Unexpected op at %pS [%p] %s:%d\n", ip, ip, __FILE__, line);
26581 pr_warning("Unexpected op at %pS [%p] (%02x %02x %02x %02x %02x) %s:%d\n",
26582 ip, ip, ip[0], ip[1], ip[2], ip[3], ip[4], __FILE__, line);
26583 BUG();
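Review bot: The `pr_warning` added in bug_at prints the same address and location as the existing `pr_warning` directly below it, so every failure now logs two lines, the first without the opcode bytes. If the intent is to get the address into the log before the second call dereferences `ip[0]`..`ip[4]` through the translated pointer, a short comment should say so; otherwise the added call looks redundant and can be dropped. `ip` is also reassigned in place via `ktla_ktva()`, so `%pS` now resolves the translated address rather than the one the caller passed; whether that still maps to a symbol is not visible here.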
26584@@ -51,7 +53,7 @@ static void __jump_label_transform(struct jump_entry *entry,
26585 * Jump label is enabled for the first time.
26586 * So we expect a default_nop...
26587 */
26588- if (unlikely(memcmp((void *)entry->code, default_nop, 5)
26589+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), default_nop, 5)
26590 != 0))
26591 bug_at((void *)entry->code, __LINE__);
26592 } else {
26593@@ -59,7 +61,7 @@ static void __jump_label_transform(struct jump_entry *entry,
26594 * ...otherwise expect an ideal_nop. Otherwise
26595 * something went horribly wrong.
26596 */
26597- if (unlikely(memcmp((void *)entry->code, ideal_nop, 5)
26598+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), ideal_nop, 5)
26599 != 0))
26600 bug_at((void *)entry->code, __LINE__);
26601 }
26602@@ -75,13 +77,13 @@ static void __jump_label_transform(struct jump_entry *entry,
26603 * are converting the default nop to the ideal nop.
26604 */
26605 if (init) {
26606- if (unlikely(memcmp((void *)entry->code, default_nop, 5) != 0))
26607+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), default_nop, 5) != 0))
26608 bug_at((void *)entry->code, __LINE__);
26609 } else {
26610 code.jump = 0xe9;
26611 code.offset = entry->target -
26612 (entry->code + JUMP_LABEL_NOP_SIZE);
26613- if (unlikely(memcmp((void *)entry->code, &code, 5) != 0))
26614+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), &code, 5) != 0))
26615 bug_at((void *)entry->code, __LINE__);
26616 }
26617 memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE);
26618diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
26619index d6178d9..598681f 100644
26620--- a/arch/x86/kernel/kgdb.c
26621+++ b/arch/x86/kernel/kgdb.c
26622@@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void)
26623 bp->attr.bp_addr = breakinfo[breakno].addr;
26624 bp->attr.bp_len = breakinfo[breakno].len;
26625 bp->attr.bp_type = breakinfo[breakno].type;
26626- info->address = breakinfo[breakno].addr;
26627+ if (breakinfo[breakno].type == X86_BREAKPOINT_EXECUTE)
26628+ info->address = ktla_ktva(breakinfo[breakno].addr);
26629+ else
26630+ info->address = breakinfo[breakno].addr;
26631 info->len = breakinfo[breakno].len;
26632 info->type = breakinfo[breakno].type;
26633 val = arch_install_hw_breakpoint(bp);
26634@@ -475,12 +478,12 @@ int kgdb_arch_handle_exception(int e_vector, int signo, int err_code,
26635 case 'k':
26636 /* clear the trace bit */
26637 linux_regs->flags &= ~X86_EFLAGS_TF;
26638- atomic_set(&kgdb_cpu_doing_single_step, -1);
26639+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
26640
26641 /* set the trace bit if we're stepping */
26642 if (remcomInBuffer[0] == 's') {
26643 linux_regs->flags |= X86_EFLAGS_TF;
26644- atomic_set(&kgdb_cpu_doing_single_step,
26645+ atomic_set_unchecked(&kgdb_cpu_doing_single_step,
26646 raw_smp_processor_id());
26647 }
26648
26649@@ -545,7 +548,7 @@ static int __kgdb_notify(struct die_args *args, unsigned long cmd)
26650
26651 switch (cmd) {
26652 case DIE_DEBUG:
26653- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
26654+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
26655 if (user_mode(regs))
26656 return single_step_cont(regs, args);
26657 break;
26658@@ -750,11 +753,11 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt)
26659 #endif /* CONFIG_DEBUG_RODATA */
26660
26661 bpt->type = BP_BREAKPOINT;
26662- err = probe_kernel_read(bpt->saved_instr, (char *)bpt->bpt_addr,
26663+ err = probe_kernel_read(bpt->saved_instr, (const void *)ktla_ktva(bpt->bpt_addr),
26664 BREAK_INSTR_SIZE);
26665 if (err)
26666 return err;
26667- err = probe_kernel_write((char *)bpt->bpt_addr,
26668+ err = probe_kernel_write((void *)ktla_ktva(bpt->bpt_addr),
26669 arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE);
26670 #ifdef CONFIG_DEBUG_RODATA
26671 if (!err)
26672@@ -767,7 +770,7 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt)
26673 return -EBUSY;
26674 text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,
26675 BREAK_INSTR_SIZE);
26676- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
26677+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
26678 if (err)
26679 return err;
26680 if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))
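Review bot: The read-back added here is written `ktla_ktva((char *)bpt->bpt_addr)`, whereas the previous hunk in the same function writes `(const void *)ktla_ktva(bpt->bpt_addr)`: the cast is applied to the argument in one place and to the result in the other. Using a single form, `err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);`, would keep the address translation easy to audit; the kgdb_arch_remove_breakpoint hunk below has the same mix. The `text_poke()` context line still receives the untranslated `bpt->bpt_addr`, which is presumably intentional but worth a one-line comment. kgdb_arch_set_breakpoint starts and ends outside the hunk.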
26681@@ -792,13 +795,13 @@ int kgdb_arch_remove_breakpoint(struct kgdb_bkpt *bpt)
26682 if (mutex_is_locked(&text_mutex))
26683 goto knl_write;
26684 text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);
26685- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
26686+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
26687 if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))
26688 goto knl_write;
26689 return err;
26690 knl_write:
26691 #endif /* CONFIG_DEBUG_RODATA */
26692- return probe_kernel_write((char *)bpt->bpt_addr,
26693+ return probe_kernel_write((void *)ktla_ktva(bpt->bpt_addr),
26694 (char *)bpt->saved_instr, BREAK_INSTR_SIZE);
26695 }
26696
26697diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
26698index 1deffe6..3be342a 100644
26699--- a/arch/x86/kernel/kprobes/core.c
26700+++ b/arch/x86/kernel/kprobes/core.c
26701@@ -120,9 +120,12 @@ __synthesize_relative_insn(void *from, void *to, u8 op)
26702 s32 raddr;
26703 } __packed *insn;
26704
26705- insn = (struct __arch_relative_insn *)from;
26706+ insn = (struct __arch_relative_insn *)ktla_ktva((unsigned long)from);
26707+
26708+ pax_open_kernel();
26709 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
26710 insn->op = op;
26711+ pax_close_kernel();
26712 }
26713
26714 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
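Review bot: __synthesize_relative_insn now stores through `ktla_ktva(from)` but still computes `raddr` from the untranslated `from`, and no comment says which of the two addresses is the one the CPU will execute. Since the displacement is only correct for one of them, I would add a comment before the stores, for example `/* write via the translated alias; the displacement is relative to the address at which the instruction runs */`. That wording should first be confirmed against the `ktla_ktva` definition, which is outside this hunk. The function's opening lines are also outside the hunk.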
26715@@ -168,7 +171,7 @@ int can_boost(kprobe_opcode_t *opcodes)
26716 kprobe_opcode_t opcode;
26717 kprobe_opcode_t *orig_opcodes = opcodes;
26718
26719- if (search_exception_tables((unsigned long)opcodes))
26720+ if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
26721 return 0; /* Page fault may occur on this address. */
26722
26723 retry:
26724@@ -260,12 +263,12 @@ __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
26725 * Fortunately, we know that the original code is the ideal 5-byte
26726 * long NOP.
26727 */
26728- memcpy(buf, (void *)addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
26729+ memcpy(buf, (void *)ktla_ktva(addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
26730 if (faddr)
26731 memcpy(buf, ideal_nops[NOP_ATOMIC5], 5);
26732 else
26733 buf[0] = kp->opcode;
26734- return (unsigned long)buf;
26735+ return ktva_ktla((unsigned long)buf);
26736 }
26737
26738 /*
26739@@ -367,7 +370,9 @@ int __copy_instruction(u8 *dest, u8 *src)
26740 /* Another subsystem puts a breakpoint, failed to recover */
26741 if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
26742 return 0;
26743+ pax_open_kernel();
26744 memcpy(dest, insn.kaddr, length);
26745+ pax_close_kernel();
26746
26747 #ifdef CONFIG_X86_64
26748 if (insn_rip_relative(&insn)) {
26749@@ -394,7 +399,9 @@ int __copy_instruction(u8 *dest, u8 *src)
26750 return 0;
26751 }
26752 disp = (u8 *) dest + insn_offset_displacement(&insn);
26753+ pax_open_kernel();
26754 *(s32 *) disp = (s32) newdisp;
26755+ pax_close_kernel();
26756 }
26757 #endif
26758 return length;
26759@@ -536,7 +543,7 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
26760 * nor set current_kprobe, because it doesn't use single
26761 * stepping.
26762 */
26763- regs->ip = (unsigned long)p->ainsn.insn;
26764+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
26765 preempt_enable_no_resched();
26766 return;
26767 }
26768@@ -553,9 +560,9 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
26769 regs->flags &= ~X86_EFLAGS_IF;
26770 /* single step inline if the instruction is an int3 */
26771 if (p->opcode == BREAKPOINT_INSTRUCTION)
26772- regs->ip = (unsigned long)p->addr;
26773+ regs->ip = ktla_ktva((unsigned long)p->addr);
26774 else
26775- regs->ip = (unsigned long)p->ainsn.insn;
26776+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
26777 }
26778 NOKPROBE_SYMBOL(setup_singlestep);
26779
26780@@ -640,7 +647,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
26781 setup_singlestep(p, regs, kcb, 0);
26782 return 1;
26783 }
26784- } else if (*addr != BREAKPOINT_INSTRUCTION) {
26785+ } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
26786 /*
26787 * The breakpoint instruction was removed right
26788 * after we hit it. Another cpu has removed
26789@@ -687,6 +694,9 @@ static void __used kretprobe_trampoline_holder(void)
26790 " movq %rax, 152(%rsp)\n"
26791 RESTORE_REGS_STRING
26792 " popfq\n"
26793+#ifdef KERNEXEC_PLUGIN
26794+ " btsq $63,(%rsp)\n"
26795+#endif
26796 #else
26797 " pushf\n"
26798 SAVE_REGS_STRING
26799@@ -827,7 +837,7 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,
26800 struct kprobe_ctlblk *kcb)
26801 {
26802 unsigned long *tos = stack_addr(regs);
26803- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
26804+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
26805 unsigned long orig_ip = (unsigned long)p->addr;
26806 kprobe_opcode_t *insn = p->ainsn.insn;
26807
26808diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
26809index 7b3b9d1..e2478b91 100644
26810--- a/arch/x86/kernel/kprobes/opt.c
26811+++ b/arch/x86/kernel/kprobes/opt.c
26812@@ -79,6 +79,7 @@ found:
26813 /* Insert a move instruction which sets a pointer to eax/rdi (1st arg). */
26814 static void synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val)
26815 {
26816+ pax_open_kernel();
26817 #ifdef CONFIG_X86_64
26818 *addr++ = 0x48;
26819 *addr++ = 0xbf;
26820@@ -86,6 +87,7 @@ static void synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val)
26821 *addr++ = 0xb8;
26822 #endif
26823 *(unsigned long *)addr = val;
26824+ pax_close_kernel();
26825 }
26826
26827 asm (
26828@@ -342,7 +344,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
26829 * Verify if the address gap is in 2GB range, because this uses
26830 * a relative jump.
26831 */
26832- rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
26833+ rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
26834 if (abs(rel) > 0x7fffffff) {
26835 __arch_remove_optimized_kprobe(op, 0);
26836 return -ERANGE;
26837@@ -359,16 +361,18 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
26838 op->optinsn.size = ret;
26839
26840 /* Copy arch-dep-instance from template */
26841- memcpy(buf, &optprobe_template_entry, TMPL_END_IDX);
26842+ pax_open_kernel();
26843+ memcpy(buf, ktla_ktva(&optprobe_template_entry), TMPL_END_IDX);
26844+ pax_close_kernel();
26845
26846 /* Set probe information */
26847 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
26848
26849 /* Set probe function call */
26850- synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
26851+ synthesize_relcall(ktva_ktla(buf) + TMPL_CALL_IDX, optimized_callback);
26852
26853 /* Set returning jmp instruction at the tail of out-of-line buffer */
26854- synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
26855+ synthesize_reljump(ktva_ktla(buf) + TMPL_END_IDX + op->optinsn.size,
26856 (u8 *)op->kp.addr + op->optinsn.size);
26857
26858 flush_icache_range((unsigned long) buf,
26859@@ -393,7 +397,7 @@ void arch_optimize_kprobes(struct list_head *oplist)
26860 WARN_ON(kprobe_disabled(&op->kp));
26861
26862 /* Backup instructions which will be replaced by jump address */
26863- memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
26864+ memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
26865 RELATIVE_ADDR_SIZE);
26866
26867 insn_buf[0] = RELATIVEJUMP_OPCODE;
26868@@ -441,7 +445,7 @@ int setup_detour_execution(struct kprobe *p, struct pt_regs *regs, int reenter)
26869 /* This kprobe is really able to run optimized path. */
26870 op = container_of(p, struct optimized_kprobe, kp);
26871 /* Detour through copied instructions */
26872- regs->ip = (unsigned long)op->optinsn.insn + TMPL_END_IDX;
26873+ regs->ip = ktva_ktla((unsigned long)op->optinsn.insn) + TMPL_END_IDX;
26874 if (!reenter)
26875 reset_current_kprobe();
26876 preempt_enable_no_resched();
26877diff --git a/arch/x86/kernel/ksysfs.c b/arch/x86/kernel/ksysfs.c
26878index c2bedae..25e7ab60 100644
26879--- a/arch/x86/kernel/ksysfs.c
26880+++ b/arch/x86/kernel/ksysfs.c
26881@@ -184,7 +184,7 @@ out:
26882
26883 static struct kobj_attribute type_attr = __ATTR_RO(type);
26884
26885-static struct bin_attribute data_attr = {
26886+static bin_attribute_no_const data_attr __read_only = {
26887 .attr = {
26888 .name = "data",
26889 .mode = S_IRUGO,
26890diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
26891index 2bcc052..864eb84 100644
26892--- a/arch/x86/kernel/ldt.c
26893+++ b/arch/x86/kernel/ldt.c
26894@@ -11,6 +11,7 @@
26895 #include <linux/sched.h>
26896 #include <linux/string.h>
26897 #include <linux/mm.h>
26898+#include <linux/ratelimit.h>
26899 #include <linux/smp.h>
26900 #include <linux/slab.h>
26901 #include <linux/vmalloc.h>
26902@@ -21,6 +22,14 @@
26903 #include <asm/mmu_context.h>
26904 #include <asm/syscalls.h>
26905
26906+#ifdef CONFIG_GRKERNSEC
26907+int sysctl_modify_ldt __read_only = 0;
26908+#elif defined(CONFIG_DEFAULT_MODIFY_LDT_SYSCALL)
26909+int sysctl_modify_ldt __read_only = 1;
26910+#else
26911+int sysctl_modify_ldt __read_only = 0;
26912+#endif
26913+
26914 /* context.lock is held for us, so we don't need any locking. */
26915 static void flush_ldt(void *current_mm)
26916 {
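Review bot: The first and third branches of the new `#ifdef` chain both define `sysctl_modify_ldt` as 0, so the three definitions can be reduced to one condition: `#if !defined(CONFIG_GRKERNSEC) && defined(CONFIG_DEFAULT_MODIFY_LDT_SYSCALL)` selecting 1 and `#else` selecting 0. A one-line comment that the syscall defaults to off whenever CONFIG_GRKERNSEC is set would also help the next reader. The variable is marked `__read_only`; how the sysctl handler updates it is not visible in this hunk.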
26917@@ -109,6 +118,23 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
26918 struct mm_struct *old_mm;
26919 int retval = 0;
26920
26921+ if (tsk == current) {
26922+ mm->context.vdso = 0;
26923+
26924+#ifdef CONFIG_X86_32
26925+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
26926+ mm->context.user_cs_base = 0UL;
26927+ mm->context.user_cs_limit = ~0UL;
26928+
26929+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
26930+ cpumask_clear(&mm->context.cpu_user_cs_mask);
26931+#endif
26932+
26933+#endif
26934+#endif
26935+
26936+ }
26937+
26938 mutex_init(&mm->context.lock);
26939 old_mm = current->mm;
26940 if (!old_mm) {
26941@@ -235,6 +261,14 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
26942 /* The user wants to clear the entry. */
26943 memset(&ldt, 0, sizeof(ldt));
26944 } else {
26945+
26946+#ifdef CONFIG_PAX_SEGMEXEC
26947+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
26948+ error = -EINVAL;
26949+ goto out;
26950+ }
26951+#endif
26952+
26953 if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
26954 error = -EINVAL;
26955 goto out;
26956@@ -276,6 +310,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
26957 {
26958 int ret = -ENOSYS;
26959
26960+ if (!sysctl_modify_ldt) {
26961+ printk_ratelimited(KERN_INFO
26962+ "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
26963+ " Adjust sysctl if this was not an exploit attempt.\n",
26964+ current->comm, task_pid_nr(current),
26965+ from_kuid_munged(current_user_ns(), current_uid()));
26966+ return ret;
26967+ }
26968+
26969 switch (func) {
26970 case 0:
26971 ret = read_ldt(ptr, bytecount);
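Review bot: The early exit in sys_modify_ldt returns `ret`, which is `-ENOSYS` only because of the initializer a few lines above; `return -ENOSYS;` would state the result directly and survive a later change to the initializer. The log line prints `current->comm` with `%s`, and that name can be set by the task itself, so anything parsing this message should treat the field as untrusted text. The check runs before `func` is examined, so read requests (`case 0`) are refused as well; a comment saying this is intended would help. The rest of the switch is outside the hunk.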
26972diff --git a/arch/x86/kernel/livepatch.c b/arch/x86/kernel/livepatch.c
26973index ff3c3101d..d7c0cd8 100644
26974--- a/arch/x86/kernel/livepatch.c
26975+++ b/arch/x86/kernel/livepatch.c
26976@@ -41,9 +41,10 @@ int klp_write_module_reloc(struct module *mod, unsigned long type,
26977 int ret, numpages, size = 4;
26978 bool readonly;
26979 unsigned long val;
26980- unsigned long core = (unsigned long)mod->module_core;
26981- unsigned long core_ro_size = mod->core_ro_size;
26982- unsigned long core_size = mod->core_size;
26983+ unsigned long core_rx = (unsigned long)mod->module_core_rx;
26984+ unsigned long core_rw = (unsigned long)mod->module_core_rw;
26985+ unsigned long core_size_rx = mod->core_size_rx;
26986+ unsigned long core_size_rw = mod->core_size_rw;
26987
26988 switch (type) {
26989 case R_X86_64_NONE:
26990@@ -66,11 +67,12 @@ int klp_write_module_reloc(struct module *mod, unsigned long type,
26991 return -EINVAL;
26992 }
26993
26994- if (loc < core || loc >= core + core_size)
26995+ if ((loc < core_rx || loc >= core_rx + core_size_rx) &&
26996+ (loc < core_rw || loc >= core_rw + core_size_rw))
26997 /* loc does not point to any symbol inside the module */
26998 return -EINVAL;
26999
27000- if (loc < core + core_ro_size)
27001+ if (loc < core_rx + core_size_rx)
27002 readonly = true;
27003 else
27004 readonly = false;
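Review bot: `readonly` is decided by `loc < core_rx + core_size_rx` alone, which was enough when the read-only part was the low end of one contiguous core area but is not once RX and RW are separate regions. If the RW region can be placed below the RX region, an address in it passes the new range check and is then classified as read-only. Testing both bounds avoids depending on the layout: `if (loc >= core_rx && loc < core_rx + core_size_rx)`. The range check also validates only `loc`, not `loc + size`, so a relocation at the very end of a region is not bounded by it; `size` is set earlier in the function, outside this hunk.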
27005diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
27006index 469b23d..5449cfe 100644
27007--- a/arch/x86/kernel/machine_kexec_32.c
27008+++ b/arch/x86/kernel/machine_kexec_32.c
27009@@ -26,7 +26,7 @@
27010 #include <asm/cacheflush.h>
27011 #include <asm/debugreg.h>
27012
27013-static void set_idt(void *newidt, __u16 limit)
27014+static void set_idt(struct desc_struct *newidt, __u16 limit)
27015 {
27016 struct desc_ptr curidt;
27017
27018@@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16 limit)
27019 }
27020
27021
27022-static void set_gdt(void *newgdt, __u16 limit)
27023+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
27024 {
27025 struct desc_ptr curgdt;
27026
27027@@ -216,7 +216,7 @@ void machine_kexec(struct kimage *image)
27028 }
27029
27030 control_page = page_address(image->control_code_page);
27031- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
27032+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
27033
27034 relocate_kernel_ptr = control_page;
27035 page_list[PA_CONTROL_PAGE] = __pa(control_page);
27036diff --git a/arch/x86/kernel/mcount_64.S b/arch/x86/kernel/mcount_64.S
27037index 94ea120..4154cea 100644
27038--- a/arch/x86/kernel/mcount_64.S
27039+++ b/arch/x86/kernel/mcount_64.S
27040@@ -7,7 +7,7 @@
27041 #include <linux/linkage.h>
27042 #include <asm/ptrace.h>
27043 #include <asm/ftrace.h>
27044-
27045+#include <asm/alternative-asm.h>
27046
27047 .code64
27048 .section .entry.text, "ax"
27049@@ -148,8 +148,9 @@
27050 #ifdef CONFIG_DYNAMIC_FTRACE
27051
27052 ENTRY(function_hook)
27053+ pax_force_retaddr
27054 retq
27055-END(function_hook)
27056+ENDPROC(function_hook)
27057
27058 ENTRY(ftrace_caller)
27059 /* save_mcount_regs fills in first two parameters */
27060@@ -181,8 +182,9 @@ GLOBAL(ftrace_graph_call)
27061 #endif
27062
27063 GLOBAL(ftrace_stub)
27064+ pax_force_retaddr
27065 retq
27066-END(ftrace_caller)
27067+ENDPROC(ftrace_caller)
27068
27069 ENTRY(ftrace_regs_caller)
27070 /* Save the current flags before any operations that can change them */
27071@@ -253,7 +255,7 @@ GLOBAL(ftrace_regs_caller_end)
27072
27073 jmp ftrace_return
27074
27075-END(ftrace_regs_caller)
27076+ENDPROC(ftrace_regs_caller)
27077
27078
27079 #else /* ! CONFIG_DYNAMIC_FTRACE */
27080@@ -272,18 +274,20 @@ fgraph_trace:
27081 #endif
27082
27083 GLOBAL(ftrace_stub)
27084+ pax_force_retaddr
27085 retq
27086
27087 trace:
27088 /* save_mcount_regs fills in first two parameters */
27089 save_mcount_regs
27090
27091+ pax_force_fptr ftrace_trace_function
27092 call *ftrace_trace_function
27093
27094 restore_mcount_regs
27095
27096 jmp fgraph_trace
27097-END(function_hook)
27098+ENDPROC(function_hook)
27099 #endif /* CONFIG_DYNAMIC_FTRACE */
27100 #endif /* CONFIG_FUNCTION_TRACER */
27101
27102@@ -305,8 +309,9 @@ ENTRY(ftrace_graph_caller)
27103
27104 restore_mcount_regs
27105
27106+ pax_force_retaddr
27107 retq
27108-END(ftrace_graph_caller)
27109+ENDPROC(ftrace_graph_caller)
27110
27111 GLOBAL(return_to_handler)
27112 subq $24, %rsp
27113@@ -322,5 +327,7 @@ GLOBAL(return_to_handler)
27114 movq 8(%rsp), %rdx
27115 movq (%rsp), %rax
27116 addq $24, %rsp
27117+ pax_force_fptr %rdi
27118 jmp *%rdi
27119+ENDPROC(return_to_handler)
27120 #endif
27121diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
27122index 005c03e..7000fe4 100644
27123--- a/arch/x86/kernel/module.c
27124+++ b/arch/x86/kernel/module.c
27125@@ -75,17 +75,17 @@ static unsigned long int get_module_load_offset(void)
27126 }
27127 #endif
27128
27129-void *module_alloc(unsigned long size)
27130+static inline void *__module_alloc(unsigned long size, pgprot_t prot)
27131 {
27132 void *p;
27133
27134- if (PAGE_ALIGN(size) > MODULES_LEN)
27135+ if (!size || PAGE_ALIGN(size) > MODULES_LEN)
27136 return NULL;
27137
27138 p = __vmalloc_node_range(size, MODULE_ALIGN,
27139 MODULES_VADDR + get_module_load_offset(),
27140- MODULES_END, GFP_KERNEL | __GFP_HIGHMEM,
27141- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
27142+ MODULES_END, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
27143+ prot, 0, NUMA_NO_NODE,
27144 __builtin_return_address(0));
27145 if (p && (kasan_module_alloc(p, size) < 0)) {
27146 vfree(p);
27147@@ -95,6 +95,51 @@ void *module_alloc(unsigned long size)
27148 return p;
27149 }
27150
27151+void *module_alloc(unsigned long size)
27152+{
27153+
27154+#ifdef CONFIG_PAX_KERNEXEC
27155+ return __module_alloc(size, PAGE_KERNEL);
27156+#else
27157+ return __module_alloc(size, PAGE_KERNEL_EXEC);
27158+#endif
27159+
27160+}
27161+
27162+#ifdef CONFIG_PAX_KERNEXEC
27163+#ifdef CONFIG_X86_32
27164+void *module_alloc_exec(unsigned long size)
27165+{
27166+ struct vm_struct *area;
27167+
27168+ if (size == 0)
27169+ return NULL;
27170+
27171+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
27172+return area ? area->addr : NULL;
27173+}
27174+EXPORT_SYMBOL(module_alloc_exec);
27175+
27176+void module_memfree_exec(void *module_region)
27177+{
27178+ vunmap(module_region);
27179+}
27180+EXPORT_SYMBOL(module_memfree_exec);
27181+#else
27182+void module_memfree_exec(void *module_region)
27183+{
27184+ module_memfree(module_region);
27185+}
27186+EXPORT_SYMBOL(module_memfree_exec);
27187+
27188+void *module_alloc_exec(unsigned long size)
27189+{
27190+ return __module_alloc(size, PAGE_KERNEL_RX);
27191+}
27192+EXPORT_SYMBOL(module_alloc_exec);
27193+#endif
27194+#endif
27195+
27196 #ifdef CONFIG_X86_32
27197 int apply_relocate(Elf32_Shdr *sechdrs,
27198 const char *strtab,
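Review bot: The two `module_alloc_exec()` variants hand out memory with different lifetimes, and nothing in the hunk documents which free routine belongs to which. On X86_32 the region comes from `__get_vm_area()` and is released with `vunmap()`, while the other branch goes through `__module_alloc()` and `module_memfree()`, so a caller that frees an exec region with `module_memfree()` directly would take the wrong path on 32-bit. A comment above the `#ifdef CONFIG_PAX_KERNEXEC` block such as `/* regions from module_alloc_exec() must be released with module_memfree_exec(), never module_memfree() */` would make the contract explicit. The `return area ? area->addr : NULL;` line in the 32-bit variant has also lost its indentation.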
27199@@ -105,14 +150,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
27200 unsigned int i;
27201 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
27202 Elf32_Sym *sym;
27203- uint32_t *location;
27204+ uint32_t *plocation, location;
27205
27206 DEBUGP("Applying relocate section %u to %u\n",
27207 relsec, sechdrs[relsec].sh_info);
27208 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
27209 /* This is where to make the change */
27210- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
27211- + rel[i].r_offset;
27212+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
27213+ location = (uint32_t)plocation;
27214+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
27215+ plocation = (uint32_t *)ktla_ktva((unsigned long)plocation);
27216 /* This is the symbol it is referring to. Note that all
27217 undefined symbols have been resolved. */
27218 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
27219@@ -121,11 +168,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
27220 switch (ELF32_R_TYPE(rel[i].r_info)) {
27221 case R_386_32:
27222 /* We add the value into the location given */
27223- *location += sym->st_value;
27224+ pax_open_kernel();
27225+ *plocation += sym->st_value;
27226+ pax_close_kernel();
27227 break;
27228 case R_386_PC32:
27229 /* Add the value, subtract its position */
27230- *location += sym->st_value - (uint32_t)location;
27231+ pax_open_kernel();
27232+ *plocation += sym->st_value - location;
27233+ pax_close_kernel();
27234 break;
27235 default:
27236 pr_err("%s: Unknown relocation: %u\n",
27237@@ -170,21 +221,30 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
27238 case R_X86_64_NONE:
27239 break;
27240 case R_X86_64_64:
27241+ pax_open_kernel();
27242 *(u64 *)loc = val;
27243+ pax_close_kernel();
27244 break;
27245 case R_X86_64_32:
27246+ pax_open_kernel();
27247 *(u32 *)loc = val;
27248+ pax_close_kernel();
27249 if (val != *(u32 *)loc)
27250 goto overflow;
27251 break;
27252 case R_X86_64_32S:
27253+ pax_open_kernel();
27254 *(s32 *)loc = val;
27255+ pax_close_kernel();
27256 if ((s64)val != *(s32 *)loc)
27257 goto overflow;
27258 break;
27259 case R_X86_64_PC32:
27260 val -= (u64)loc;
27261+ pax_open_kernel();
27262 *(u32 *)loc = val;
27263+ pax_close_kernel();
27264+
27265 #if 0
27266 if ((s64)val != *(s32 *)loc)
27267 goto overflow;
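Review bot: In the `R_X86_64_32` and `R_X86_64_32S` cases the truncated value is stored under `pax_open_kernel()` before the overflow check runs, so a relocation that is then rejected through `goto overflow` has already modified the protected location. Checking first keeps the write window for values that will actually be kept, e.g. `if (val != (u64)(u32)val) goto overflow;` placed ahead of `pax_open_kernel();` in the `R_X86_64_32` case. The store-then-check order predates this patch, but wrapping the store makes it worth revisiting. The switch and the `overflow` label lie outside the hunk.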
27268diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
27269index 113e707..0a690e1 100644
27270--- a/arch/x86/kernel/msr.c
27271+++ b/arch/x86/kernel/msr.c
27272@@ -39,6 +39,7 @@
27273 #include <linux/notifier.h>
27274 #include <linux/uaccess.h>
27275 #include <linux/gfp.h>
27276+#include <linux/grsecurity.h>
27277
27278 #include <asm/processor.h>
27279 #include <asm/msr.h>
27280@@ -105,6 +106,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
27281 int err = 0;
27282 ssize_t bytes = 0;
27283
27284+#ifdef CONFIG_GRKERNSEC_KMEM
27285+ gr_handle_msr_write();
27286+ return -EPERM;
27287+#endif
27288+
27289 if (count % 8)
27290 return -EINVAL; /* Invalid chunk size */
27291
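Review bot: With `CONFIG_GRKERNSEC_KMEM` set, the unconditional `return -EPERM;` leaves the rest of `msr_write()` unreachable, and the same pattern in the `msr_ioctl()` hunk returns from inside a switch case whose neighbours use `err = ...; break;`. A comment such as `/* MSR writes from user space are refused outright under GRKERNSEC_KMEM; the code below is dead in that configuration */` would tell the reader this is intended, and `err = -EPERM; break;` in the ioctl case would follow the surrounding convention if the tail of that function only returns `err`. In `msr_ioctl()` the denial sits after the `-EBADF` branch, so `gr_handle_msr_write()` presumably never sees attempts that the preceding check rejects; confirm that this is the intended audit coverage. Both function bodies continue outside their hunks.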
27292@@ -152,6 +158,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
27293 err = -EBADF;
27294 break;
27295 }
27296+#ifdef CONFIG_GRKERNSEC_KMEM
27297+ gr_handle_msr_write();
27298+ return -EPERM;
27299+#endif
27300 if (copy_from_user(&regs, uregs, sizeof regs)) {
27301 err = -EFAULT;
27302 break;
27303@@ -235,7 +245,7 @@ static int msr_class_cpu_callback(struct notifier_block *nfb,
27304 return notifier_from_errno(err);
27305 }
27306
27307-static struct notifier_block __refdata msr_class_cpu_notifier = {
27308+static struct notifier_block msr_class_cpu_notifier = {
27309 .notifier_call = msr_class_cpu_callback,
27310 };
27311
27312diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
27313index d05bd2e..f690edd 100644
27314--- a/arch/x86/kernel/nmi.c
27315+++ b/arch/x86/kernel/nmi.c
27316@@ -98,16 +98,16 @@ fs_initcall(nmi_warning_debugfs);
27317
27318 static void nmi_max_handler(struct irq_work *w)
27319 {
27320- struct nmiaction *a = container_of(w, struct nmiaction, irq_work);
27321+ struct nmiwork *n = container_of(w, struct nmiwork, irq_work);
27322 int remainder_ns, decimal_msecs;
27323- u64 whole_msecs = ACCESS_ONCE(a->max_duration);
27324+ u64 whole_msecs = ACCESS_ONCE(n->max_duration);
27325
27326 remainder_ns = do_div(whole_msecs, (1000 * 1000));
27327 decimal_msecs = remainder_ns / 1000;
27328
27329 printk_ratelimited(KERN_INFO
27330 "INFO: NMI handler (%ps) took too long to run: %lld.%03d msecs\n",
27331- a->handler, whole_msecs, decimal_msecs);
27332+ n->action->handler, whole_msecs, decimal_msecs);
27333 }
27334
27335 static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27336@@ -134,11 +134,11 @@ static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27337 delta = sched_clock() - delta;
27338 trace_nmi_handler(a->handler, (int)delta, thishandled);
27339
27340- if (delta < nmi_longest_ns || delta < a->max_duration)
27341+ if (delta < nmi_longest_ns || delta < a->work->max_duration)
27342 continue;
27343
27344- a->max_duration = delta;
27345- irq_work_queue(&a->irq_work);
27346+ a->work->max_duration = delta;
27347+ irq_work_queue(&a->work->irq_work);
27348 }
27349
27350 rcu_read_unlock();
27351@@ -148,7 +148,7 @@ static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27352 }
27353 NOKPROBE_SYMBOL(nmi_handle);
27354
27355-int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27356+int __register_nmi_handler(unsigned int type, const struct nmiaction *action)
27357 {
27358 struct nmi_desc *desc = nmi_to_desc(type);
27359 unsigned long flags;
27360@@ -156,7 +156,8 @@ int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27361 if (!action->handler)
27362 return -EINVAL;
27363
27364- init_irq_work(&action->irq_work, nmi_max_handler);
27365+ action->work->action = action;
27366+ init_irq_work(&action->work->irq_work, nmi_max_handler);
27367
27368 spin_lock_irqsave(&desc->lock, flags);
27369
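Review bot: `action->work` is dereferenced in `__register_nmi_handler()` without a check, although the lines just above still validate `action->handler`. Now that `action` is `const` and the mutable state lives behind that pointer, a descriptor built without it would fault here; `if (!action->handler || !action->work) return -EINVAL;` keeps the two fields on the same footing. The `register_nmi_handler()` macro that fills in `work` is not on this page, so this may already be guaranteed by construction. The function starts and ends outside the hunk.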
27370@@ -174,9 +175,9 @@ int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27371 * event confuses some handlers (kdump uses this flag)
27372 */
27373 if (action->flags & NMI_FLAG_FIRST)
27374- list_add_rcu(&action->list, &desc->head);
27375+ pax_list_add_rcu((struct list_head *)&action->list, &desc->head);
27376 else
27377- list_add_tail_rcu(&action->list, &desc->head);
27378+ pax_list_add_tail_rcu((struct list_head *)&action->list, &desc->head);
27379
27380 spin_unlock_irqrestore(&desc->lock, flags);
27381 return 0;
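Review bot: The casts `(struct list_head *)&action->list` here, and `(struct list_head *)&n->list` in the `unregister_nmi_handler()` hunk below, silently discard the `const` that this patch adds to `struct nmiaction *action`. Writing through a pointer obtained that way is only sound if the `pax_list_*_rcu()` helpers are designed for objects in write-protected memory, which this page does not show. A comment at the first cast, e.g. `/* action is const for callers; the list linkage is updated via the pax_list helpers */`, would record that the cast is deliberate. The function starts outside the hunk.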
27382@@ -199,7 +200,7 @@ void unregister_nmi_handler(unsigned int type, const char *name)
27383 if (!strcmp(n->name, name)) {
27384 WARN(in_nmi(),
27385 "Trying to free NMI (%s) from NMI context!\n", n->name);
27386- list_del_rcu(&n->list);
27387+ pax_list_del_rcu((struct list_head *)&n->list);
27388 break;
27389 }
27390 }
27391@@ -481,6 +482,17 @@ static DEFINE_PER_CPU(int, update_debug_stack);
27392 dotraplinkage notrace void
27393 do_nmi(struct pt_regs *regs, long error_code)
27394 {
27395+
27396+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
27397+ if (!user_mode(regs)) {
27398+ unsigned long cs = regs->cs & 0xFFFF;
27399+ unsigned long ip = ktva_ktla(regs->ip);
27400+
27401+ if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
27402+ regs->ip = ip;
27403+ }
27404+#endif
27405+
27406 if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
27407 this_cpu_write(nmi_state, NMI_LATCHED);
27408 return;
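Review bot: The new block at the top of `do_nmi()` rewrites `regs->ip` with no comment saying why, and it validates the translated address only against `_etext`. A comment such as `/* KERNEXEC (32-bit): convert an in-kernel ip with ktva_ktla() when the result lies within kernel text */` would state what the code does; the reason for the conversion should be added by someone with the `ktva_ktla()` definition at hand, since it is not on this page. If an address below the start of kernel text can reach this point, a lower-bound comparison would make the range check symmetric. The function continues outside the hunk.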
27409diff --git a/arch/x86/kernel/nmi_selftest.c b/arch/x86/kernel/nmi_selftest.c
27410index 6d9582e..f746287 100644
27411--- a/arch/x86/kernel/nmi_selftest.c
27412+++ b/arch/x86/kernel/nmi_selftest.c
27413@@ -43,7 +43,7 @@ static void __init init_nmi_testsuite(void)
27414 {
27415 /* trap all the unknown NMIs we may generate */
27416 register_nmi_handler(NMI_UNKNOWN, nmi_unk_cb, 0, "nmi_selftest_unk",
27417- __initdata);
27418+ __initconst);
27419 }
27420
27421 static void __init cleanup_nmi_testsuite(void)
27422@@ -66,7 +66,7 @@ static void __init test_nmi_ipi(struct cpumask *mask)
27423 unsigned long timeout;
27424
27425 if (register_nmi_handler(NMI_LOCAL, test_nmi_ipi_callback,
27426- NMI_FLAG_FIRST, "nmi_selftest", __initdata)) {
27427+ NMI_FLAG_FIRST, "nmi_selftest", __initconst)) {
27428 nmi_fail = FAILURE;
27429 return;
27430 }
27431diff --git a/arch/x86/kernel/paravirt-spinlocks.c b/arch/x86/kernel/paravirt-spinlocks.c
27432index 33ee3e0..da3519a 100644
27433--- a/arch/x86/kernel/paravirt-spinlocks.c
27434+++ b/arch/x86/kernel/paravirt-spinlocks.c
27435@@ -23,7 +23,7 @@ bool pv_is_native_spin_unlock(void)
27436 }
27437 #endif
27438
27439-struct pv_lock_ops pv_lock_ops = {
27440+struct pv_lock_ops pv_lock_ops __read_only = {
27441 #ifdef CONFIG_SMP
27442 #ifdef CONFIG_QUEUED_SPINLOCKS
27443 .queued_spin_lock_slowpath = native_queued_spin_lock_slowpath,
27444diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
27445index 58bcfb6..0adb7d7 100644
27446--- a/arch/x86/kernel/paravirt.c
27447+++ b/arch/x86/kernel/paravirt.c
27448@@ -56,6 +56,9 @@ u64 _paravirt_ident_64(u64 x)
27449 {
27450 return x;
27451 }
27452+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
27453+PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
27454+#endif
27455
27456 void __init default_banner(void)
27457 {
27458@@ -142,16 +145,20 @@ unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf,
27459
27460 if (opfunc == NULL)
27461 /* If there's no function, patch it with a ud2a (BUG) */
27462- ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
27463- else if (opfunc == _paravirt_nop)
27464+ ret = paravirt_patch_insns(insnbuf, len, (const char *)ktva_ktla((unsigned long)ud2a), ud2a+sizeof(ud2a));
27465+ else if (opfunc == (void *)_paravirt_nop)
27466 /* If the operation is a nop, then nop the callsite */
27467 ret = paravirt_patch_nop();
27468
27469 /* identity functions just return their single argument */
27470- else if (opfunc == _paravirt_ident_32)
27471+ else if (opfunc == (void *)_paravirt_ident_32)
27472 ret = paravirt_patch_ident_32(insnbuf, len);
27473- else if (opfunc == _paravirt_ident_64)
27474+ else if (opfunc == (void *)_paravirt_ident_64)
27475 ret = paravirt_patch_ident_64(insnbuf, len);
27476+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
27477+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
27478+ ret = paravirt_patch_ident_64(insnbuf, len);
27479+#endif
27480
27481 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
27482 #ifdef CONFIG_X86_32
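Review bot: In the `opfunc == NULL` branch only the start argument is passed through `ktva_ktla()`, while the end argument stays `ud2a+sizeof(ud2a)`. `paravirt_patch_insns()` translates `start` back with `ktla_ktva()` for its `memcpy` in the next hunk; if its length is computed as `end - start` (that line is outside the hunks), the two pointers are in different address spaces whenever the translation is not the identity, and the `insn_len > len` branch would then skip the copy. Deriving the end from the translated start keeps them consistent, e.g. passing `(const char *)ktva_ktla((unsigned long)ud2a) + sizeof(ud2a)` as the fourth argument. The definitions of `ktva_ktla`/`ktla_ktva` are not on this page, so this needs checking against the 32-bit KERNEXEC configuration.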
27483@@ -178,7 +185,7 @@ unsigned paravirt_patch_insns(void *insnbuf, unsigned len,
27484 if (insn_len > len || start == NULL)
27485 insn_len = len;
27486 else
27487- memcpy(insnbuf, start, insn_len);
27488+ memcpy(insnbuf, (const char *)ktla_ktva((unsigned long)start), insn_len);
27489
27490 return insn_len;
27491 }
27492@@ -302,7 +309,7 @@ enum paravirt_lazy_mode paravirt_get_lazy_mode(void)
27493 return this_cpu_read(paravirt_lazy_mode);
27494 }
27495
27496-struct pv_info pv_info = {
27497+struct pv_info pv_info __read_only = {
27498 .name = "bare hardware",
27499 .paravirt_enabled = 0,
27500 .kernel_rpl = 0,
27501@@ -313,16 +320,16 @@ struct pv_info pv_info = {
27502 #endif
27503 };
27504
27505-struct pv_init_ops pv_init_ops = {
27506+struct pv_init_ops pv_init_ops __read_only = {
27507 .patch = native_patch,
27508 };
27509
27510-struct pv_time_ops pv_time_ops = {
27511+struct pv_time_ops pv_time_ops __read_only = {
27512 .sched_clock = native_sched_clock,
27513 .steal_clock = native_steal_clock,
27514 };
27515
27516-__visible struct pv_irq_ops pv_irq_ops = {
27517+__visible struct pv_irq_ops pv_irq_ops __read_only = {
27518 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
27519 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
27520 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
27521@@ -334,7 +341,7 @@ __visible struct pv_irq_ops pv_irq_ops = {
27522 #endif
27523 };
27524
27525-__visible struct pv_cpu_ops pv_cpu_ops = {
27526+__visible struct pv_cpu_ops pv_cpu_ops __read_only = {
27527 .cpuid = native_cpuid,
27528 .get_debugreg = native_get_debugreg,
27529 .set_debugreg = native_set_debugreg,
27530@@ -397,21 +404,26 @@ NOKPROBE_SYMBOL(native_get_debugreg);
27531 NOKPROBE_SYMBOL(native_set_debugreg);
27532 NOKPROBE_SYMBOL(native_load_idt);
27533
27534-struct pv_apic_ops pv_apic_ops = {
27535+struct pv_apic_ops pv_apic_ops __read_only= {
27536 #ifdef CONFIG_X86_LOCAL_APIC
27537 .startup_ipi_hook = paravirt_nop,
27538 #endif
27539 };
27540
27541-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
27542+#ifdef CONFIG_X86_32
27543+#ifdef CONFIG_X86_PAE
27544+/* 64-bit pagetable entries */
27545+#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
27546+#else
27547 /* 32-bit pagetable entries */
27548 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
27549+#endif
27550 #else
27551 /* 64-bit pagetable entries */
27552 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
27553 #endif
27554
27555-struct pv_mmu_ops pv_mmu_ops = {
27556+struct pv_mmu_ops pv_mmu_ops __read_only = {
27557
27558 .read_cr2 = native_read_cr2,
27559 .write_cr2 = native_write_cr2,
27560@@ -461,6 +473,7 @@ struct pv_mmu_ops pv_mmu_ops = {
27561 .make_pud = PTE_IDENT,
27562
27563 .set_pgd = native_set_pgd,
27564+ .set_pgd_batched = native_set_pgd_batched,
27565 #endif
27566 #endif /* CONFIG_PGTABLE_LEVELS >= 3 */
27567
27568@@ -481,6 +494,12 @@ struct pv_mmu_ops pv_mmu_ops = {
27569 },
27570
27571 .set_fixmap = native_set_fixmap,
27572+
27573+#ifdef CONFIG_PAX_KERNEXEC
27574+ .pax_open_kernel = native_pax_open_kernel,
27575+ .pax_close_kernel = native_pax_close_kernel,
27576+#endif
27577+
27578 };
27579
27580 EXPORT_SYMBOL_GPL(pv_time_ops);
27581diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c
27582index 8aa0558..465512e 100644
27583--- a/arch/x86/kernel/paravirt_patch_64.c
27584+++ b/arch/x86/kernel/paravirt_patch_64.c
27585@@ -9,7 +9,11 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
27586 DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax");
27587 DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax");
27588 DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3");
27589+
27590+#ifndef CONFIG_PAX_MEMORY_UDEREF
27591 DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)");
27592+#endif
27593+
27594 DEF_NATIVE(pv_cpu_ops, clts, "clts");
27595 DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd");
27596
27597@@ -62,7 +66,11 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
27598 PATCH_SITE(pv_mmu_ops, read_cr3);
27599 PATCH_SITE(pv_mmu_ops, write_cr3);
27600 PATCH_SITE(pv_cpu_ops, clts);
27601+
27602+#ifndef CONFIG_PAX_MEMORY_UDEREF
27603 PATCH_SITE(pv_mmu_ops, flush_tlb_single);
27604+#endif
27605+
27606 PATCH_SITE(pv_cpu_ops, wbinvd);
27607 #if defined(CONFIG_PARAVIRT_SPINLOCKS) && defined(CONFIG_QUEUED_SPINLOCKS)
27608 case PARAVIRT_PATCH(pv_lock_ops.queued_spin_unlock):
27609diff --git a/arch/x86/kernel/pci-calgary_64.c b/arch/x86/kernel/pci-calgary_64.c
27610index 0497f71..7186c0d 100644
27611--- a/arch/x86/kernel/pci-calgary_64.c
27612+++ b/arch/x86/kernel/pci-calgary_64.c
27613@@ -1347,7 +1347,7 @@ static void __init get_tce_space_from_tar(void)
27614 tce_space = be64_to_cpu(readq(target));
27615 tce_space = tce_space & TAR_SW_BITS;
27616
27617- tce_space = tce_space & (~specified_table_size);
27618+ tce_space = tce_space & (~(unsigned long)specified_table_size);
27619 info->tce_space = (u64 *)__va(tce_space);
27620 }
27621 }
27622diff --git a/arch/x86/kernel/pci-iommu_table.c b/arch/x86/kernel/pci-iommu_table.c
27623index 35ccf75..7a15747 100644
27624--- a/arch/x86/kernel/pci-iommu_table.c
27625+++ b/arch/x86/kernel/pci-iommu_table.c
27626@@ -2,7 +2,7 @@
27627 #include <asm/iommu_table.h>
27628 #include <linux/string.h>
27629 #include <linux/kallsyms.h>
27630-
27631+#include <linux/sched.h>
27632
27633 #define DEBUG 1
27634
27635diff --git a/arch/x86/kernel/pci-swiotlb.c b/arch/x86/kernel/pci-swiotlb.c
27636index adf0392..88a7576 100644
27637--- a/arch/x86/kernel/pci-swiotlb.c
27638+++ b/arch/x86/kernel/pci-swiotlb.c
27639@@ -40,7 +40,7 @@ void x86_swiotlb_free_coherent(struct device *dev, size_t size,
27640 struct dma_attrs *attrs)
27641 {
27642 if (is_swiotlb_buffer(dma_to_phys(dev, dma_addr)))
27643- swiotlb_free_coherent(dev, size, vaddr, dma_addr);
27644+ swiotlb_free_coherent(dev, size, vaddr, dma_addr, attrs);
27645 else
27646 dma_generic_free_coherent(dev, size, vaddr, dma_addr, attrs);
27647 }
27648diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
27649index c27cad7..47e3f47 100644
27650--- a/arch/x86/kernel/process.c
27651+++ b/arch/x86/kernel/process.c
27652@@ -15,6 +15,7 @@
27653 #include <linux/dmi.h>
27654 #include <linux/utsname.h>
27655 #include <linux/stackprotector.h>
27656+#include <linux/kthread.h>
27657 #include <linux/tick.h>
27658 #include <linux/cpuidle.h>
27659 #include <trace/events/power.h>
27660@@ -37,7 +38,8 @@
27661 * section. Since TSS's are completely CPU-local, we want them
27662 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
27663 */
27664-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
27665+struct tss_struct cpu_tss[NR_CPUS] __visible ____cacheline_internodealigned_in_smp = {
27666+ [0 ... NR_CPUS-1] = {
27667 .x86_tss = {
27668 .sp0 = TOP_OF_INIT_STACK,
27669 #ifdef CONFIG_X86_32
27670@@ -55,6 +57,7 @@ __visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
27671 */
27672 .io_bitmap = { [0 ... IO_BITMAP_LONGS] = ~0 },
27673 #endif
27674+}
27675 };
27676 EXPORT_PER_CPU_SYMBOL(cpu_tss);
27677
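Review bot: `cpu_tss` is turned into a plain `NR_CPUS`-sized array by the preceding hunk, but the export kept as context here is still `EXPORT_PER_CPU_SYMBOL(cpu_tss);`. Even if that macro happens to expand to an ordinary symbol export, its name now misstates what the object is; `EXPORT_SYMBOL(cpu_tss);` would match the new definition and the `cpu_tss + cpu` accesses used elsewhere in the patch. A short comment on the definition explaining why the TSS is taken out of the per-CPU area would also help the next reader.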
27678@@ -75,17 +78,35 @@ void idle_notifier_unregister(struct notifier_block *n)
27679 EXPORT_SYMBOL_GPL(idle_notifier_unregister);
27680 #endif
27681
27682+struct kmem_cache *fpregs_state_cachep;
27683+EXPORT_SYMBOL(fpregs_state_cachep);
27684+
27685+void __init arch_task_cache_init(void)
27686+{
27687+ /* create a slab on which task_structs can be allocated */
27688+ fpregs_state_cachep =
27689+ kmem_cache_create("fpregs_state", xstate_size,
27690+ ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
27691+}
27692+
27693 /*
27694 * this gets called so that we can store lazy state into memory and copy the
27695 * current task into the new thread.
27696 */
27697 int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
27698 {
27699- memcpy(dst, src, arch_task_struct_size);
27700+ *dst = *src;
27701
27702+ dst->thread.fpu.state = kmem_cache_alloc_node(fpregs_state_cachep, GFP_KERNEL, tsk_fork_get_node(src));
27703 return fpu__copy(&dst->thread.fpu, &src->thread.fpu);
27704 }
27705
27706+void arch_release_task_struct(struct task_struct *tsk)
27707+{
27708+ kmem_cache_free(fpregs_state_cachep, tsk->thread.fpu.state);
27709+ tsk->thread.fpu.state = NULL;
27710+}
27711+
27712 /*
27713 * Free current thread data structures etc..
27714 */
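Review bot: The result of `kmem_cache_alloc_node()` in `arch_dup_task_struct()` is stored into `dst->thread.fpu.state` and handed straight to `fpu__copy()` with no NULL check, so an allocation failure under `GFP_KERNEL` would reach the copy with a null state pointer. Adding `if (!dst->thread.fpu.state) return -ENOMEM;` before the `fpu__copy()` call handles that, assuming callers treat a non-zero return as failure, as the existing `return fpu__copy(...)` suggests. The comment in `arch_task_cache_init()` still reads "create a slab on which task_structs can be allocated" although the cache is named `fpregs_state`; `/* slab cache for per-task FPU register state */` would match.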
27715@@ -97,7 +118,7 @@ void exit_thread(void)
27716 struct fpu *fpu = &t->fpu;
27717
27718 if (bp) {
27719- struct tss_struct *tss = &per_cpu(cpu_tss, get_cpu());
27720+ struct tss_struct *tss = cpu_tss + get_cpu();
27721
27722 t->io_bitmap_ptr = NULL;
27723 clear_thread_flag(TIF_IO_BITMAP);
27724@@ -117,6 +138,9 @@ void flush_thread(void)
27725 {
27726 struct task_struct *tsk = current;
27727
27728+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
27729+ loadsegment(gs, 0);
27730+#endif
27731 flush_ptrace_hw_breakpoint(tsk);
27732 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
27733
27734@@ -258,7 +282,7 @@ static void __exit_idle(void)
27735 void exit_idle(void)
27736 {
27737 /* idle loop has pid 0 */
27738- if (current->pid)
27739+ if (task_pid_nr(current))
27740 return;
27741 __exit_idle();
27742 }
27743@@ -311,7 +335,7 @@ bool xen_set_default_idle(void)
27744 return ret;
27745 }
27746 #endif
27747-void stop_this_cpu(void *dummy)
27748+__noreturn void stop_this_cpu(void *dummy)
27749 {
27750 local_irq_disable();
27751 /*
27752@@ -488,16 +512,40 @@ static int __init idle_setup(char *str)
27753 }
27754 early_param("idle", idle_setup);
27755
27756-unsigned long arch_align_stack(unsigned long sp)
27757-{
27758- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
27759- sp -= get_random_int() % 8192;
27760- return sp & ~0xf;
27761-}
27762-
27763 unsigned long arch_randomize_brk(struct mm_struct *mm)
27764 {
27765 unsigned long range_end = mm->brk + 0x02000000;
27766 return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
27767 }
27768
27769+#ifdef CONFIG_PAX_RANDKSTACK
27770+void pax_randomize_kstack(struct pt_regs *regs)
27771+{
27772+ struct thread_struct *thread = &current->thread;
27773+ unsigned long time;
27774+
27775+ if (!randomize_va_space)
27776+ return;
27777+
27778+ if (v8086_mode(regs))
27779+ return;
27780+
27781+ rdtscl(time);
27782+
27783+ /* P4 seems to return a 0 LSB, ignore it */
27784+#ifdef CONFIG_MPENTIUM4
27785+ time &= 0x3EUL;
27786+ time <<= 2;
27787+#elif defined(CONFIG_X86_64)
27788+ time &= 0xFUL;
27789+ time <<= 4;
27790+#else
27791+ time &= 0x1FUL;
27792+ time <<= 3;
27793+#endif
27794+
27795+ thread->sp0 ^= time;
27796+ load_sp0(cpu_tss + smp_processor_id(), thread);
27797+ this_cpu_write(cpu_current_top_of_stack, thread->sp0);
27798+}
27799+#endif
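Review bot: `pax_randomize_kstack()` takes its offset from the low bits of the time-stamp counter via `rdtscl(time)`, which yields at most four or five bits and is a timing value rather than output of the kernel's random number generator; the function has no comment stating that trade-off. A header comment should say what the offset is meant to protect, why the masks `0x3EUL`, `0xFUL` and `0x1FUL` and their shifts were chosen (presumably to keep `sp0` aligned), and that `thread->sp0 ^= time` accumulates across calls instead of being re-derived from the stack base. If stronger unpredictability is wanted, a value drawn from `get_random_int()`, which the removed `arch_align_stack()` used, would avoid depending on a counter that user space can usually read as well.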
27800diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
27801index f73c962..6589332 100644
27802--- a/arch/x86/kernel/process_32.c
27803+++ b/arch/x86/kernel/process_32.c
27804@@ -63,6 +63,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread");
27805 unsigned long thread_saved_pc(struct task_struct *tsk)
27806 {
27807 return ((unsigned long *)tsk->thread.sp)[3];
27808+//XXX return tsk->thread.eip;
27809 }
27810
27811 void __show_regs(struct pt_regs *regs, int all)
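Review bot: The added line `//XXX return tsk->thread.eip;` sits after the function's `return` and is commented-out code carrying only an `XXX` marker. Either drop it or replace it with a comment that says what remains to be done, e.g. `/* TODO: consider returning the saved instruction pointer from thread_struct instead of reading the stack slot */`.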
27812@@ -75,16 +76,15 @@ void __show_regs(struct pt_regs *regs, int all)
27813 if (user_mode(regs)) {
27814 sp = regs->sp;
27815 ss = regs->ss & 0xffff;
27816- gs = get_user_gs(regs);
27817 } else {
27818 sp = kernel_stack_pointer(regs);
27819 savesegment(ss, ss);
27820- savesegment(gs, gs);
27821 }
27822+ gs = get_user_gs(regs);
27823
27824 printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n",
27825 (u16)regs->cs, regs->ip, regs->flags,
27826- smp_processor_id());
27827+ raw_smp_processor_id());
27828 print_symbol("EIP is at %s\n", regs->ip);
27829
27830 printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n",
27831@@ -131,21 +131,22 @@ void release_thread(struct task_struct *dead_task)
27832 int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
27833 unsigned long arg, struct task_struct *p, unsigned long tls)
27834 {
27835- struct pt_regs *childregs = task_pt_regs(p);
27836+ struct pt_regs *childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
27837 struct task_struct *tsk;
27838 int err;
27839
27840 p->thread.sp = (unsigned long) childregs;
27841 p->thread.sp0 = (unsigned long) (childregs+1);
27842+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long);
27843 memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
27844
27845 if (unlikely(p->flags & PF_KTHREAD)) {
27846 /* kernel thread */
27847 memset(childregs, 0, sizeof(struct pt_regs));
27848 p->thread.ip = (unsigned long) ret_from_kernel_thread;
27849- task_user_gs(p) = __KERNEL_STACK_CANARY;
27850- childregs->ds = __USER_DS;
27851- childregs->es = __USER_DS;
27852+ savesegment(gs, childregs->gs);
27853+ childregs->ds = __KERNEL_DS;
27854+ childregs->es = __KERNEL_DS;
27855 childregs->fs = __KERNEL_PERCPU;
27856 childregs->bx = sp; /* function */
27857 childregs->bp = arg;
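Review bot: The bare `- 8` in the new `childregs` computation is one of several unexplained stack-top offsets in this patch: `THREAD_SIZE - 16` and `THREAD_SIZE-16-sizeof(u64)` in the process_64.c hunks, and `(sp + 8)` in `kernel_stack_pointer()` in ptrace.c. These have to agree with each other for the stack bounds checks to stay correct, so a single named constant with a comment on what the reserved bytes hold would be safer than repeated literals, for example `#define STACK_TOP_RESERVED 8` (name constructed for this note) used as `THREAD_SIZE - sizeof(struct pt_regs) - STACK_TOP_RESERVED`. The function continues outside the hunk.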
27858@@ -245,7 +246,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27859 struct fpu *prev_fpu = &prev->fpu;
27860 struct fpu *next_fpu = &next->fpu;
27861 int cpu = smp_processor_id();
27862- struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
27863+ struct tss_struct *tss = cpu_tss + cpu;
27864 fpu_switch_t fpu_switch;
27865
27866 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
27867@@ -264,6 +265,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27868 */
27869 lazy_save_gs(prev->gs);
27870
27871+#ifdef CONFIG_PAX_MEMORY_UDEREF
27872+ __set_fs(task_thread_info(next_p)->addr_limit);
27873+#endif
27874+
27875 /*
27876 * Load the per-thread Thread-Local Storage descriptor.
27877 */
27878@@ -307,9 +312,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27879 * current_thread_info().
27880 */
27881 load_sp0(tss, next);
27882- this_cpu_write(cpu_current_top_of_stack,
27883- (unsigned long)task_stack_page(next_p) +
27884- THREAD_SIZE);
27885+ this_cpu_write(current_task, next_p);
27886+ this_cpu_write(current_tinfo, &next_p->tinfo);
27887+ this_cpu_write(cpu_current_top_of_stack, next->sp0);
27888
27889 /*
27890 * Restore %gs if needed (which is common)
27891@@ -319,8 +324,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27892
27893 switch_fpu_finish(next_fpu, fpu_switch);
27894
27895- this_cpu_write(current_task, next_p);
27896-
27897 return prev_p;
27898 }
27899
27900@@ -350,4 +353,3 @@ unsigned long get_wchan(struct task_struct *p)
27901 } while (count++ < 16);
27902 return 0;
27903 }
27904-
27905diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
27906index f6b9163..1ab8c96 100644
27907--- a/arch/x86/kernel/process_64.c
27908+++ b/arch/x86/kernel/process_64.c
27909@@ -157,9 +157,10 @@ int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
27910 struct pt_regs *childregs;
27911 struct task_struct *me = current;
27912
27913- p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE;
27914+ p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE - 16;
27915 childregs = task_pt_regs(p);
27916 p->thread.sp = (unsigned long) childregs;
27917+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long);
27918 set_tsk_thread_flag(p, TIF_FORK);
27919 p->thread.io_bitmap_ptr = NULL;
27920
27921@@ -169,6 +170,8 @@ int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
27922 p->thread.fs = p->thread.fsindex ? 0 : me->thread.fs;
27923 savesegment(es, p->thread.es);
27924 savesegment(ds, p->thread.ds);
27925+ savesegment(ss, p->thread.ss);
27926+ BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS);
27927 memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
27928
27929 if (unlikely(p->flags & PF_KTHREAD)) {
27930@@ -276,7 +279,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27931 struct fpu *prev_fpu = &prev->fpu;
27932 struct fpu *next_fpu = &next->fpu;
27933 int cpu = smp_processor_id();
27934- struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
27935+ struct tss_struct *tss = cpu_tss + cpu;
27936 unsigned fsindex, gsindex;
27937 fpu_switch_t fpu_switch;
27938
27939@@ -327,6 +330,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27940 if (unlikely(next->ds | prev->ds))
27941 loadsegment(ds, next->ds);
27942
27943+ savesegment(ss, prev->ss);
27944+ if (unlikely(next->ss != prev->ss))
27945+ loadsegment(ss, next->ss);
27946+
27947 /*
27948 * Switch FS and GS.
27949 *
27950@@ -398,6 +405,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27951 * Switch the PDA and FPU contexts.
27952 */
27953 this_cpu_write(current_task, next_p);
27954+ this_cpu_write(current_tinfo, &next_p->tinfo);
27955
27956 /*
27957 * If it were not for PREEMPT_ACTIVE we could guarantee that the
27958@@ -410,6 +418,8 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27959 /* Reload esp0 and ss1. This changes current_thread_info(). */
27960 load_sp0(tss, next);
27961
27962+ this_cpu_write(cpu_current_top_of_stack, next->sp0);
27963+
27964 /*
27965 * Now maybe reload the debug registers and handle I/O bitmaps
27966 */
27967@@ -506,12 +516,11 @@ unsigned long get_wchan(struct task_struct *p)
27968 if (!p || p == current || p->state == TASK_RUNNING)
27969 return 0;
27970 stack = (unsigned long)task_stack_page(p);
27971- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
27972+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
27973 return 0;
27974 fp = *(u64 *)(p->thread.sp);
27975 do {
27976- if (fp < (unsigned long)stack ||
27977- fp >= (unsigned long)stack+THREAD_SIZE)
27978+ if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
27979 return 0;
27980 ip = *(u64 *)(fp+8);
27981 if (!in_sched_functions(ip))
27982diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
27983index 9be72bc..f4329c5 100644
27984--- a/arch/x86/kernel/ptrace.c
27985+++ b/arch/x86/kernel/ptrace.c
27986@@ -186,10 +186,10 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs)
27987 unsigned long sp = (unsigned long)&regs->sp;
27988 u32 *prev_esp;
27989
27990- if (context == (sp & ~(THREAD_SIZE - 1)))
27991+ if (context == ((sp + 8) & ~(THREAD_SIZE - 1)))
27992 return sp;
27993
27994- prev_esp = (u32 *)(context);
27995+ prev_esp = *(u32 **)(context);
27996 if (prev_esp)
27997 return (unsigned long)prev_esp;
27998
27999@@ -446,6 +446,20 @@ static int putreg(struct task_struct *child,
28000 if (child->thread.gs != value)
28001 return do_arch_prctl(child, ARCH_SET_GS, value);
28002 return 0;
28003+
28004+ case offsetof(struct user_regs_struct,ip):
28005+ /*
28006+ * Protect against any attempt to set ip to an
28007+ * impossible address. There are dragons lurking if the
28008+ * address is noncanonical. (This explicitly allows
28009+ * setting ip to TASK_SIZE_MAX, because user code can do
28010+ * that all by itself by running off the end of its
28011+ * address space.
28012+ */
28013+ if (value > TASK_SIZE_MAX)
28014+ return -EIO;
28015+ break;
28016+
28017 #endif
28018 }
28019
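Review bot: The parenthetical in the new comment, opened at "(This explicitly allows", is never closed; end the sentence with `address space.)`. The `ip` case also sits directly before the `#endif`, so the `value > TASK_SIZE_MAX` rejection exists only in that preprocessor branch, and the comment could name the configuration it applies to. The switch in putreg starts outside the hunk.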
28020@@ -582,7 +596,7 @@ static void ptrace_triggered(struct perf_event *bp,
28021 static unsigned long ptrace_get_dr7(struct perf_event *bp[])
28022 {
28023 int i;
28024- int dr7 = 0;
28025+ unsigned long dr7 = 0;
28026 struct arch_hw_breakpoint *info;
28027
28028 for (i = 0; i < HBP_NUM; i++) {
28029@@ -816,7 +830,7 @@ long arch_ptrace(struct task_struct *child, long request,
28030 unsigned long addr, unsigned long data)
28031 {
28032 int ret;
28033- unsigned long __user *datap = (unsigned long __user *)data;
28034+ unsigned long __user *datap = (__force unsigned long __user *)data;
28035
28036 switch (request) {
28037 /* read the word at location addr in the USER area. */
28038@@ -901,14 +915,14 @@ long arch_ptrace(struct task_struct *child, long request,
28039 if ((int) addr < 0)
28040 return -EIO;
28041 ret = do_get_thread_area(child, addr,
28042- (struct user_desc __user *)data);
28043+ (__force struct user_desc __user *) data);
28044 break;
28045
28046 case PTRACE_SET_THREAD_AREA:
28047 if ((int) addr < 0)
28048 return -EIO;
28049 ret = do_set_thread_area(child, addr,
28050- (struct user_desc __user *)data, 0);
28051+ (__force struct user_desc __user *) data, 0);
28052 break;
28053 #endif
28054
28055@@ -1286,7 +1300,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
28056
28057 #ifdef CONFIG_X86_64
28058
28059-static struct user_regset x86_64_regsets[] __read_mostly = {
28060+static user_regset_no_const x86_64_regsets[] __read_only = {
28061 [REGSET_GENERAL] = {
28062 .core_note_type = NT_PRSTATUS,
28063 .n = sizeof(struct user_regs_struct) / sizeof(long),
28064@@ -1327,7 +1341,7 @@ static const struct user_regset_view user_x86_64_view = {
28065 #endif /* CONFIG_X86_64 */
28066
28067 #if defined CONFIG_X86_32 || defined CONFIG_IA32_EMULATION
28068-static struct user_regset x86_32_regsets[] __read_mostly = {
28069+static user_regset_no_const x86_32_regsets[] __read_only = {
28070 [REGSET_GENERAL] = {
28071 .core_note_type = NT_PRSTATUS,
28072 .n = sizeof(struct user_regs_struct32) / sizeof(u32),
28073@@ -1380,7 +1394,7 @@ static const struct user_regset_view user_x86_32_view = {
28074 */
28075 u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS];
28076
28077-void update_regset_xstate_info(unsigned int size, u64 xstate_mask)
28078+void __init update_regset_xstate_info(unsigned int size, u64 xstate_mask)
28079 {
28080 #ifdef CONFIG_X86_64
28081 x86_64_regsets[REGSET_XSTATE].n = size / sizeof(u64);
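Review bot: update_regset_xstate_info still assigns `x86_64_regsets[REGSET_XSTATE].n`, while the earlier hunks in this file move both regset arrays from `__read_mostly` to `__read_only`. No `pax_open_kernel()`/`pax_close_kernel()` pair surrounds the store, unlike the write to `early_gdt_descr.address` in the smpboot.c hunk of this patch. The store therefore presumably relies on the new `__init` placement running before read-only data is write-protected. A comment on the function such as `/* __init: runs before __read_only data is write-protected */` would record why no open/close pair is needed. The function body continues outside the hunk.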
28082@@ -1415,7 +1429,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
28083 memset(info, 0, sizeof(*info));
28084 info->si_signo = SIGTRAP;
28085 info->si_code = si_code;
28086- info->si_addr = user_mode(regs) ? (void __user *)regs->ip : NULL;
28087+ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
28088 }
28089
28090 void user_single_step_siginfo(struct task_struct *tsk,
28091@@ -1449,6 +1463,10 @@ static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch)
28092 }
28093 }
28094
28095+#ifdef CONFIG_GRKERNSEC_SETXID
28096+extern void gr_delayed_cred_worker(void);
28097+#endif
28098+
28099 /*
28100 * We can return 0 to resume the syscall or anything else to go to phase
28101 * 2. If we resume the syscall, we need to put something appropriate in
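Review bot: `gr_delayed_cred_worker` is declared with a bare `extern` inside ptrace.c rather than in a header shared with its definition, so the compiler cannot check the prototype against the definition. The two call sites added in the following hunks (syscall_trace_enter_phase2 and syscall_trace_leave) repeat the same `#ifdef CONFIG_GRKERNSEC_SETXID` / `test_and_clear_thread_flag(TIF_GRSEC_SETXID)` block. Moving the declaration to a header and wrapping the test in one static inline helper that compiles to nothing when the option is off would leave a single line at each call site and no `#ifdef` in the function bodies.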
28102@@ -1556,6 +1574,11 @@ long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch,
28103
28104 BUG_ON(regs != task_pt_regs(current));
28105
28106+#ifdef CONFIG_GRKERNSEC_SETXID
28107+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
28108+ gr_delayed_cred_worker();
28109+#endif
28110+
28111 /*
28112 * If we stepped into a sysenter/syscall insn, it trapped in
28113 * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
28114@@ -1614,6 +1637,11 @@ void syscall_trace_leave(struct pt_regs *regs)
28115 */
28116 user_exit();
28117
28118+#ifdef CONFIG_GRKERNSEC_SETXID
28119+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
28120+ gr_delayed_cred_worker();
28121+#endif
28122+
28123 audit_syscall_exit(regs);
28124
28125 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
28126diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
28127index 2f355d2..e75ed0a 100644
28128--- a/arch/x86/kernel/pvclock.c
28129+++ b/arch/x86/kernel/pvclock.c
28130@@ -51,11 +51,11 @@ void pvclock_touch_watchdogs(void)
28131 reset_hung_task_detector();
28132 }
28133
28134-static atomic64_t last_value = ATOMIC64_INIT(0);
28135+static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
28136
28137 void pvclock_resume(void)
28138 {
28139- atomic64_set(&last_value, 0);
28140+ atomic64_set_unchecked(&last_value, 0);
28141 }
28142
28143 u8 pvclock_read_flags(struct pvclock_vcpu_time_info *src)
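Review bot: `last_value` changes to `atomic64_unchecked_t` here, and its accessors change to the `_unchecked` variants in this hunk and the next, with no comment giving the reason. If, as the naming suggests, the unchecked type opts a counter out of overflow detection, a line such as `/* clock value, not a reference count: wrap-around is harmless */` at the declaration would tell a reader why this variable is exempt. Confirm that against the type's definition, which is not part of this file's diff.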
28144@@ -105,11 +105,11 @@ cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
28145 * updating at the same time, and one of them could be slightly behind,
28146 * making the assumption that last_value always go forward fail to hold.
28147 */
28148- last = atomic64_read(&last_value);
28149+ last = atomic64_read_unchecked(&last_value);
28150 do {
28151 if (ret < last)
28152 return last;
28153- last = atomic64_cmpxchg(&last_value, last, ret);
28154+ last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
28155 } while (unlikely(last != ret));
28156
28157 return ret;
28158diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
28159index 86db4bc..a50a54a 100644
28160--- a/arch/x86/kernel/reboot.c
28161+++ b/arch/x86/kernel/reboot.c
28162@@ -70,6 +70,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d)
28163
28164 void __noreturn machine_real_restart(unsigned int type)
28165 {
28166+
28167+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
28168+ struct desc_struct *gdt;
28169+#endif
28170+
28171 local_irq_disable();
28172
28173 /*
28174@@ -97,7 +102,29 @@ void __noreturn machine_real_restart(unsigned int type)
28175
28176 /* Jump to the identity-mapped low memory code */
28177 #ifdef CONFIG_X86_32
28178- asm volatile("jmpl *%0" : :
28179+
28180+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
28181+ gdt = get_cpu_gdt_table(smp_processor_id());
28182+ pax_open_kernel();
28183+#ifdef CONFIG_PAX_MEMORY_UDEREF
28184+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
28185+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
28186+ loadsegment(ds, __KERNEL_DS);
28187+ loadsegment(es, __KERNEL_DS);
28188+ loadsegment(ss, __KERNEL_DS);
28189+#endif
28190+#ifdef CONFIG_PAX_KERNEXEC
28191+ gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
28192+ gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
28193+ gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
28194+ gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
28195+ gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
28196+ gdt[GDT_ENTRY_KERNEL_CS].g = 1;
28197+#endif
28198+ pax_close_kernel();
28199+#endif
28200+
28201+ asm volatile("ljmpl *%0" : :
28202 "rm" (real_mode_header->machine_real_restart_asm),
28203 "a" (type));
28204 #else
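Review bot: The descriptor writes added before the jump use bare constants (`type = 3`, `limit = 0xf`, `limit0 = 0xffff`, `g = 1`) and carry no comment. For the code segment, the fields shown amount to base 0 with the limit bits and granularity set, which reads as restoring a flat segment before entering the identity-mapped real-mode code. The data-segment branch sets only `type` and `limit`, so what it relies on for the remaining fields is not visible. A comment above each `#ifdef` block should state the intended resulting descriptor and why the GDT must be opened with `pax_open_kernel()` to get there. The change from `jmpl` to `ljmpl` deserves a word in the same comment.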
28205@@ -137,7 +164,7 @@ static int __init set_kbd_reboot(const struct dmi_system_id *d)
28206 /*
28207 * This is a single dmi_table handling all reboot quirks.
28208 */
28209-static struct dmi_system_id __initdata reboot_dmi_table[] = {
28210+static const struct dmi_system_id __initconst reboot_dmi_table[] = {
28211
28212 /* Acer */
28213 { /* Handle reboot issue on Acer Aspire one */
28214@@ -511,7 +538,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
28215 * This means that this function can never return, it can misbehave
28216 * by not rebooting properly and hanging.
28217 */
28218-static void native_machine_emergency_restart(void)
28219+static void __noreturn native_machine_emergency_restart(void)
28220 {
28221 int i;
28222 int attempt = 0;
28223@@ -631,13 +658,13 @@ void native_machine_shutdown(void)
28224 #endif
28225 }
28226
28227-static void __machine_emergency_restart(int emergency)
28228+static void __noreturn __machine_emergency_restart(int emergency)
28229 {
28230 reboot_emergency = emergency;
28231 machine_ops.emergency_restart();
28232 }
28233
28234-static void native_machine_restart(char *__unused)
28235+static void __noreturn native_machine_restart(char *__unused)
28236 {
28237 pr_notice("machine restart\n");
28238
28239@@ -646,7 +673,7 @@ static void native_machine_restart(char *__unused)
28240 __machine_emergency_restart(0);
28241 }
28242
28243-static void native_machine_halt(void)
28244+static void __noreturn native_machine_halt(void)
28245 {
28246 /* Stop other cpus and apics */
28247 machine_shutdown();
28248@@ -656,7 +683,7 @@ static void native_machine_halt(void)
28249 stop_this_cpu(NULL);
28250 }
28251
28252-static void native_machine_power_off(void)
28253+static void __noreturn native_machine_power_off(void)
28254 {
28255 if (pm_power_off) {
28256 if (!reboot_force)
28257@@ -665,9 +692,10 @@ static void native_machine_power_off(void)
28258 }
28259 /* A fallback in case there is no PM info available */
28260 tboot_shutdown(TB_SHUTDOWN_HALT);
28261+ unreachable();
28262 }
28263
28264-struct machine_ops machine_ops = {
28265+struct machine_ops machine_ops __read_only = {
28266 .power_off = native_machine_power_off,
28267 .shutdown = native_machine_shutdown,
28268 .emergency_restart = native_machine_emergency_restart,
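Review bot: `unreachable()` after `tboot_shutdown(TB_SHUTDOWN_HALT)` in native_machine_power_off can in fact be reached, because the tboot.c hunk of this patch shows tboot_shutdown beginning with `if (!tboot_enabled()) return;`. When control gets past the `pm_power_off` block and tboot is not enabled, the function now marked `__noreturn` runs off its end, which is undefined behaviour. Replace the marker with something that really does not return, for example `stop_this_cpu(NULL);` as native_machine_halt does in the hunk above, assuming that helper never returns. The machine_ops initialiser at the end of this hunk continues outside it.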
28269diff --git a/arch/x86/kernel/reboot_fixups_32.c b/arch/x86/kernel/reboot_fixups_32.c
28270index c8e41e9..64049ef 100644
28271--- a/arch/x86/kernel/reboot_fixups_32.c
28272+++ b/arch/x86/kernel/reboot_fixups_32.c
28273@@ -57,7 +57,7 @@ struct device_fixup {
28274 unsigned int vendor;
28275 unsigned int device;
28276 void (*reboot_fixup)(struct pci_dev *);
28277-};
28278+} __do_const;
28279
28280 /*
28281 * PCI ids solely used for fixups_table go here
28282diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
28283index 98111b3..73ca125 100644
28284--- a/arch/x86/kernel/relocate_kernel_64.S
28285+++ b/arch/x86/kernel/relocate_kernel_64.S
28286@@ -96,8 +96,7 @@ relocate_kernel:
28287
28288 /* jump to identity mapped page */
28289 addq $(identity_mapped - relocate_kernel), %r8
28290- pushq %r8
28291- ret
28292+ jmp *%r8
28293
28294 identity_mapped:
28295 /* set return address to 0 if not preserving context */
28296diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
28297index 80f874b..b3eff67 100644
28298--- a/arch/x86/kernel/setup.c
28299+++ b/arch/x86/kernel/setup.c
28300@@ -111,6 +111,7 @@
28301 #include <asm/mce.h>
28302 #include <asm/alternative.h>
28303 #include <asm/prom.h>
28304+#include <asm/boot.h>
28305
28306 /*
28307 * max_low_pfn_mapped: highest direct mapped pfn under 4GB
28308@@ -206,10 +207,12 @@ EXPORT_SYMBOL(boot_cpu_data);
28309 #endif
28310
28311
28312-#if !defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64)
28313-__visible unsigned long mmu_cr4_features;
28314+#ifdef CONFIG_X86_64
28315+__visible unsigned long mmu_cr4_features __read_only = X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE;
28316+#elif defined(CONFIG_X86_PAE)
28317+__visible unsigned long mmu_cr4_features __read_only = X86_CR4_PAE;
28318 #else
28319-__visible unsigned long mmu_cr4_features = X86_CR4_PAE;
28320+__visible unsigned long mmu_cr4_features __read_only;
28321 #endif
28322
28323 /* Boot loader ID and version as integers, for the benefit of proc_dointvec */
28324@@ -772,7 +775,7 @@ static void __init trim_bios_range(void)
28325 * area (640->1Mb) as ram even though it is not.
28326 * take them out.
28327 */
28328- e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
28329+ e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
28330
28331 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
28332 }
28333@@ -780,7 +783,7 @@ static void __init trim_bios_range(void)
28334 /* called before trim_bios_range() to spare extra sanitize */
28335 static void __init e820_add_kernel_range(void)
28336 {
28337- u64 start = __pa_symbol(_text);
28338+ u64 start = __pa_symbol(ktla_ktva((unsigned long)_text));
28339 u64 size = __pa_symbol(_end) - start;
28340
28341 /*
28342@@ -861,8 +864,8 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
28343
28344 void __init setup_arch(char **cmdline_p)
28345 {
28346- memblock_reserve(__pa_symbol(_text),
28347- (unsigned long)__bss_stop - (unsigned long)_text);
28348+ memblock_reserve(__pa_symbol(ktla_ktva((unsigned long)_text)),
28349+ (unsigned long)__bss_stop - ktla_ktva((unsigned long)_text));
28350
28351 early_reserve_initrd();
28352
28353@@ -960,16 +963,16 @@ void __init setup_arch(char **cmdline_p)
28354
28355 if (!boot_params.hdr.root_flags)
28356 root_mountflags &= ~MS_RDONLY;
28357- init_mm.start_code = (unsigned long) _text;
28358- init_mm.end_code = (unsigned long) _etext;
28359- init_mm.end_data = (unsigned long) _edata;
28360+ init_mm.start_code = ktla_ktva((unsigned long)_text);
28361+ init_mm.end_code = ktla_ktva((unsigned long)_etext);
28362+ init_mm.end_data = (unsigned long)_edata;
28363 init_mm.brk = _brk_end;
28364
28365 mpx_mm_init(&init_mm);
28366
28367- code_resource.start = __pa_symbol(_text);
28368- code_resource.end = __pa_symbol(_etext)-1;
28369- data_resource.start = __pa_symbol(_etext);
28370+ code_resource.start = __pa_symbol(ktla_ktva((unsigned long)_text));
28371+ code_resource.end = __pa_symbol(ktla_ktva((unsigned long)_etext))-1;
28372+ data_resource.start = __pa_symbol(_sdata);
28373 data_resource.end = __pa_symbol(_edata)-1;
28374 bss_resource.start = __pa_symbol(__bss_start);
28375 bss_resource.end = __pa_symbol(__bss_stop)-1;
28376diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
28377index e4fcb87..9c06c55 100644
28378--- a/arch/x86/kernel/setup_percpu.c
28379+++ b/arch/x86/kernel/setup_percpu.c
28380@@ -21,19 +21,17 @@
28381 #include <asm/cpu.h>
28382 #include <asm/stackprotector.h>
28383
28384-DEFINE_PER_CPU_READ_MOSTLY(int, cpu_number);
28385+#ifdef CONFIG_SMP
28386+DEFINE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number);
28387 EXPORT_PER_CPU_SYMBOL(cpu_number);
28388+#endif
28389
28390-#ifdef CONFIG_X86_64
28391 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
28392-#else
28393-#define BOOT_PERCPU_OFFSET 0
28394-#endif
28395
28396 DEFINE_PER_CPU_READ_MOSTLY(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
28397 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
28398
28399-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
28400+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
28401 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
28402 };
28403 EXPORT_SYMBOL(__per_cpu_offset);
28404@@ -66,7 +64,7 @@ static bool __init pcpu_need_numa(void)
28405 {
28406 #ifdef CONFIG_NEED_MULTIPLE_NODES
28407 pg_data_t *last = NULL;
28408- unsigned int cpu;
28409+ int cpu;
28410
28411 for_each_possible_cpu(cpu) {
28412 int node = early_cpu_to_node(cpu);
28413@@ -155,10 +153,10 @@ static inline void setup_percpu_segment(int cpu)
28414 {
28415 #ifdef CONFIG_X86_32
28416 struct desc_struct gdt;
28417+ unsigned long base = per_cpu_offset(cpu);
28418
28419- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
28420- 0x2 | DESCTYPE_S, 0x8);
28421- gdt.s = 1;
28422+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
28423+ 0x83 | DESCTYPE_S, 0xC);
28424 write_gdt_entry(get_cpu_gdt_table(cpu),
28425 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
28426 #endif
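Review bot: The new `pack_descriptor` call in setup_percpu_segment passes `0x83 | DESCTYPE_S` and `0xC` as bare constants, replacing `0x2 | DESCTYPE_S`, `0x8` and the separate `gdt.s = 1`. The limit also changes from the fixed `0xFFFFF` to `(VMALLOC_END - base - 1) >> PAGE_SHIFT`, which ties the per-CPU segment's reach to `base`. That is the security-relevant part and it has no comment. Add one above the call stating what the segment is now allowed to cover and what the access and flag bits encode, so the values can be checked against the descriptor format.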
28427@@ -219,6 +217,11 @@ void __init setup_per_cpu_areas(void)
28428 /* alrighty, percpu areas up and running */
28429 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
28430 for_each_possible_cpu(cpu) {
28431+#ifdef CONFIG_CC_STACKPROTECTOR
28432+#ifdef CONFIG_X86_32
28433+ unsigned long canary = per_cpu(stack_canary.canary, cpu);
28434+#endif
28435+#endif
28436 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
28437 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
28438 per_cpu(cpu_number, cpu) = cpu;
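Review bot: The saved `canary` has no comment explaining why it must be read before `per_cpu_offset(cpu)` is rewritten, and it is read for every possible CPU although the next hunk writes it back only when `!cpu`. A comment at the declaration, for instance `/* boot CPU's canary lives in the old per-cpu area; carry it across the offset switch */` (if that is the intent), would document the ordering dependency. The nested `#ifdef CONFIG_CC_STACKPROTECTOR` / `#ifdef CONFIG_X86_32` pairs in both hunks read more easily as a single `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`.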
28439@@ -259,6 +262,12 @@ void __init setup_per_cpu_areas(void)
28440 */
28441 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
28442 #endif
28443+#ifdef CONFIG_CC_STACKPROTECTOR
28444+#ifdef CONFIG_X86_32
28445+ if (!cpu)
28446+ per_cpu(stack_canary.canary, cpu) = canary;
28447+#endif
28448+#endif
28449 /*
28450 * Up to this point, the boot CPU has been using .init.data
28451 * area. Reload any changed state for the boot CPU.
28452diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
28453index 71820c4..ad16f6b 100644
28454--- a/arch/x86/kernel/signal.c
28455+++ b/arch/x86/kernel/signal.c
28456@@ -189,7 +189,7 @@ static unsigned long align_sigframe(unsigned long sp)
28457 * Align the stack pointer according to the i386 ABI,
28458 * i.e. so that on function entry ((sp + 4) & 15) == 0.
28459 */
28460- sp = ((sp + 4) & -16ul) - 4;
28461+ sp = ((sp - 12) & -16ul) - 4;
28462 #else /* !CONFIG_X86_32 */
28463 sp = round_down(sp, 16) - 8;
28464 #endif
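Review bot: The new expression `((sp - 12) & -16ul) - 4` yields the same alignment as the old `((sp + 4) & -16ul) - 4` but always lands exactly 16 bytes lower, and the retained comment only describes the alignment rule. Add a sentence to that comment saying what the extra 16 bytes are for, so the constant is not taken for a typo. align_sigframe starts outside the hunk.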
28465@@ -298,10 +298,9 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
28466 }
28467
28468 if (current->mm->context.vdso)
28469- restorer = current->mm->context.vdso +
28470- selected_vdso32->sym___kernel_sigreturn;
28471+ restorer = (void __force_user *)(current->mm->context.vdso + selected_vdso32->sym___kernel_sigreturn);
28472 else
28473- restorer = &frame->retcode;
28474+ restorer = (void __user *)&frame->retcode;
28475 if (ksig->ka.sa.sa_flags & SA_RESTORER)
28476 restorer = ksig->ka.sa.sa_restorer;
28477
28478@@ -315,7 +314,7 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
28479 * reasons and because gdb uses it as a signature to notice
28480 * signal handler stack frames.
28481 */
28482- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
28483+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
28484
28485 if (err)
28486 return -EFAULT;
28487@@ -362,8 +361,10 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
28488 save_altstack_ex(&frame->uc.uc_stack, regs->sp);
28489
28490 /* Set up to return from userspace. */
28491- restorer = current->mm->context.vdso +
28492- selected_vdso32->sym___kernel_rt_sigreturn;
28493+ if (current->mm->context.vdso)
28494+ restorer = (void __force_user *)(current->mm->context.vdso + selected_vdso32->sym___kernel_rt_sigreturn);
28495+ else
28496+ restorer = (void __user *)&frame->retcode;
28497 if (ksig->ka.sa.sa_flags & SA_RESTORER)
28498 restorer = ksig->ka.sa.sa_restorer;
28499 put_user_ex(restorer, &frame->pretcode);
28500@@ -375,7 +376,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
28501 * reasons and because gdb uses it as a signature to notice
28502 * signal handler stack frames.
28503 */
28504- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
28505+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
28506 } put_user_catch(err);
28507
28508 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
28509@@ -611,7 +612,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
28510 {
28511 int usig = ksig->sig;
28512 sigset_t *set = sigmask_to_save();
28513- compat_sigset_t *cset = (compat_sigset_t *) set;
28514+ sigset_t sigcopy;
28515+ compat_sigset_t *cset;
28516+
28517+ sigcopy = *set;
28518+
28519+ cset = (compat_sigset_t *) &sigcopy;
28520
28521 /* Set up the stack frame */
28522 if (is_ia32_frame()) {
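Review bot: setup_rt_frame now copies `*set` into a local `sigcopy` and hands `&sigcopy` to the frame writers (here via `cset`, and to __setup_rt_frame in the next hunk), but nothing says why the copy is needed. Without a comment the copy looks redundant and invites removal in a later clean-up. State the reason above the declaration, and fold the assignment into it: `sigset_t sigcopy = *set;`.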
28523@@ -622,7 +628,7 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
28524 } else if (is_x32_frame()) {
28525 return x32_setup_rt_frame(ksig, cset, regs);
28526 } else {
28527- return __setup_rt_frame(ksig->sig, ksig, set, regs);
28528+ return __setup_rt_frame(ksig->sig, ksig, &sigcopy, regs);
28529 }
28530 }
28531
28532diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
28533index 15aaa69..66103af 100644
28534--- a/arch/x86/kernel/smp.c
28535+++ b/arch/x86/kernel/smp.c
28536@@ -334,7 +334,7 @@ static int __init nonmi_ipi_setup(char *str)
28537
28538 __setup("nonmi_ipi", nonmi_ipi_setup);
28539
28540-struct smp_ops smp_ops = {
28541+struct smp_ops smp_ops __read_only = {
28542 .smp_prepare_boot_cpu = native_smp_prepare_boot_cpu,
28543 .smp_prepare_cpus = native_smp_prepare_cpus,
28544 .smp_cpus_done = native_smp_cpus_done,
28545diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
28546index b1f3ed9c..b76221b 100644
28547--- a/arch/x86/kernel/smpboot.c
28548+++ b/arch/x86/kernel/smpboot.c
28549@@ -220,14 +220,17 @@ static void notrace start_secondary(void *unused)
28550
28551 enable_start_cpu0 = 0;
28552
28553-#ifdef CONFIG_X86_32
28554+ /* otherwise gcc will move up smp_processor_id before the cpu_init */
28555+ barrier();
28556+
28557 /* switch away from the initial page table */
28558+#ifdef CONFIG_PAX_PER_CPU_PGD
28559+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
28560+#else
28561 load_cr3(swapper_pg_dir);
28562+#endif
28563 __flush_tlb_all();
28564-#endif
28565
28566- /* otherwise gcc will move up smp_processor_id before the cpu_init */
28567- barrier();
28568 /*
28569 * Check TSC synchronization with the BP:
28570 */
28571@@ -808,16 +811,15 @@ void common_cpu_up(unsigned int cpu, struct task_struct *idle)
28572 alternatives_enable_smp();
28573
28574 per_cpu(current_task, cpu) = idle;
28575+ per_cpu(current_tinfo, cpu) = &idle->tinfo;
28576
28577 #ifdef CONFIG_X86_32
28578- /* Stack for startup_32 can be just as for start_secondary onwards */
28579 irq_ctx_init(cpu);
28580- per_cpu(cpu_current_top_of_stack, cpu) =
28581- (unsigned long)task_stack_page(idle) + THREAD_SIZE;
28582 #else
28583 clear_tsk_thread_flag(idle, TIF_FORK);
28584 initial_gs = per_cpu_offset(cpu);
28585 #endif
28586+ per_cpu(cpu_current_top_of_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
28587 }
28588
28589 /*
28590@@ -838,9 +840,11 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
28591 unsigned long timeout;
28592
28593 idle->thread.sp = (unsigned long) (((struct pt_regs *)
28594- (THREAD_SIZE + task_stack_page(idle))) - 1);
28595+ (THREAD_SIZE - 16 + task_stack_page(idle))) - 1);
28596
28597+ pax_open_kernel();
28598 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
28599+ pax_close_kernel();
28600 initial_code = (unsigned long)start_secondary;
28601 stack_start = idle->thread.sp;
28602
28603@@ -992,6 +996,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle)
28604
28605 common_cpu_up(cpu, tidle);
28606
28607+#ifdef CONFIG_PAX_PER_CPU_PGD
28608+ clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY,
28609+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
28610+ KERNEL_PGD_PTRS);
28611+ clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY,
28612+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
28613+ KERNEL_PGD_PTRS);
28614+#endif
28615+
28616 /*
28617 * We have to walk the irq descriptors to setup the vector
28618 * space for the cpu which comes online. Prevent irq
28619diff --git a/arch/x86/kernel/step.c b/arch/x86/kernel/step.c
28620index 0ccb53a..fbc4759 100644
28621--- a/arch/x86/kernel/step.c
28622+++ b/arch/x86/kernel/step.c
28623@@ -44,7 +44,8 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re
28624 addr += base;
28625 }
28626 mutex_unlock(&child->mm->context.lock);
28627- }
28628+ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
28629+ addr = ktla_ktva(addr);
28630
28631 return addr;
28632 }
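Review bot: The added `else if` branch in convert_ip_to_linear is left unbraced although it follows a braced `if` block; kernel coding style asks for braces on every branch once one of them needs them. Write `} else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS) {` and close the block after `addr = ktla_ktva(addr);`. A short comment on why kernel code-segment addresses need the `ktla_ktva` translation would also help. The function starts outside the hunk.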
28633@@ -55,6 +56,9 @@ static int is_setting_trap_flag(struct task_struct *child, struct pt_regs *regs)
28634 unsigned char opcode[15];
28635 unsigned long addr = convert_ip_to_linear(child, regs);
28636
28637+ if (addr == -EINVAL)
28638+ return 0;
28639+
28640 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
28641 for (i = 0; i < copied; i++) {
28642 switch (opcode[i]) {
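Review bot: `addr == -EINVAL` compares an `unsigned long` with a negative `int` constant and only matches through implicit conversion; spell the sentinel as `(unsigned long)-EINVAL` so the intent is explicit. The place where convert_ip_to_linear produces that value is not in the visible hunks, so confirm it returns exactly this sentinel and add a comment naming the failure case at the check. Returning 0 here reports "not setting the trap flag" without reading the child's memory, which is worth stating in that comment too.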
28643diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
28644new file mode 100644
28645index 0000000..5877189
28646--- /dev/null
28647+++ b/arch/x86/kernel/sys_i386_32.c
28648@@ -0,0 +1,189 @@
28649+/*
28650+ * This file contains various random system calls that
28651+ * have a non-standard calling sequence on the Linux/i386
28652+ * platform.
28653+ */
28654+
28655+#include <linux/errno.h>
28656+#include <linux/sched.h>
28657+#include <linux/mm.h>
28658+#include <linux/fs.h>
28659+#include <linux/smp.h>
28660+#include <linux/sem.h>
28661+#include <linux/msg.h>
28662+#include <linux/shm.h>
28663+#include <linux/stat.h>
28664+#include <linux/syscalls.h>
28665+#include <linux/mman.h>
28666+#include <linux/file.h>
28667+#include <linux/utsname.h>
28668+#include <linux/ipc.h>
28669+#include <linux/elf.h>
28670+
28671+#include <linux/uaccess.h>
28672+#include <linux/unistd.h>
28673+
28674+#include <asm/syscalls.h>
28675+
28676+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
28677+{
28678+ unsigned long pax_task_size = TASK_SIZE;
28679+
28680+#ifdef CONFIG_PAX_SEGMEXEC
28681+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
28682+ pax_task_size = SEGMEXEC_TASK_SIZE;
28683+#endif
28684+
28685+ if (flags & MAP_FIXED)
28686+ if (len > pax_task_size || addr > pax_task_size - len)
28687+ return -EINVAL;
28688+
28689+ return 0;
28690+}
28691+
28692+/*
28693+ * Align a virtual address to avoid aliasing in the I$ on AMD F15h.
28694+ */
28695+static unsigned long get_align_mask(void)
28696+{
28697+ if (va_align.flags < 0 || !(va_align.flags & ALIGN_VA_32))
28698+ return 0;
28699+
28700+ if (!(current->flags & PF_RANDOMIZE))
28701+ return 0;
28702+
28703+ return va_align.mask;
28704+}
28705+
28706+unsigned long
28707+arch_get_unmapped_area(struct file *filp, unsigned long addr,
28708+ unsigned long len, unsigned long pgoff, unsigned long flags)
28709+{
28710+ struct mm_struct *mm = current->mm;
28711+ struct vm_area_struct *vma;
28712+ unsigned long pax_task_size = TASK_SIZE;
28713+ struct vm_unmapped_area_info info;
28714+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28715+
28716+#ifdef CONFIG_PAX_SEGMEXEC
28717+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
28718+ pax_task_size = SEGMEXEC_TASK_SIZE;
28719+#endif
28720+
28721+ pax_task_size -= PAGE_SIZE;
28722+
28723+ if (len > pax_task_size)
28724+ return -ENOMEM;
28725+
28726+ if (flags & MAP_FIXED)
28727+ return addr;
28728+
28729+#ifdef CONFIG_PAX_RANDMMAP
28730+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28731+#endif
28732+
28733+ if (addr) {
28734+ addr = PAGE_ALIGN(addr);
28735+ if (pax_task_size - len >= addr) {
28736+ vma = find_vma(mm, addr);
28737+ if (check_heap_stack_gap(vma, addr, len, offset))
28738+ return addr;
28739+ }
28740+ }
28741+
28742+ info.flags = 0;
28743+ info.length = len;
28744+ info.align_mask = filp ? get_align_mask() : 0;
28745+ info.align_offset = pgoff << PAGE_SHIFT;
28746+ info.threadstack_offset = offset;
28747+
28748+#ifdef CONFIG_PAX_PAGEEXEC
28749+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) {
28750+ info.low_limit = 0x00110000UL;
28751+ info.high_limit = mm->start_code;
28752+
28753+#ifdef CONFIG_PAX_RANDMMAP
28754+ if (mm->pax_flags & MF_PAX_RANDMMAP)
28755+ info.low_limit += mm->delta_mmap & 0x03FFF000UL;
28756+#endif
28757+
28758+ if (info.low_limit < info.high_limit) {
28759+ addr = vm_unmapped_area(&info);
28760+ if (!IS_ERR_VALUE(addr))
28761+ return addr;
28762+ }
28763+ } else
28764+#endif
28765+
28766+ info.low_limit = mm->mmap_base;
28767+ info.high_limit = pax_task_size;
28768+
28769+ return vm_unmapped_area(&info);
28770+}
28771+
28772+unsigned long
28773+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
28774+ const unsigned long len, const unsigned long pgoff,
28775+ const unsigned long flags)
28776+{
28777+ struct vm_area_struct *vma;
28778+ struct mm_struct *mm = current->mm;
28779+ unsigned long addr = addr0, pax_task_size = TASK_SIZE;
28780+ struct vm_unmapped_area_info info;
28781+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28782+
28783+#ifdef CONFIG_PAX_SEGMEXEC
28784+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
28785+ pax_task_size = SEGMEXEC_TASK_SIZE;
28786+#endif
28787+
28788+ pax_task_size -= PAGE_SIZE;
28789+
28790+ /* requested length too big for entire address space */
28791+ if (len > pax_task_size)
28792+ return -ENOMEM;
28793+
28794+ if (flags & MAP_FIXED)
28795+ return addr;
28796+
28797+#ifdef CONFIG_PAX_PAGEEXEC
28798+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
28799+ goto bottomup;
28800+#endif
28801+
28802+#ifdef CONFIG_PAX_RANDMMAP
28803+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28804+#endif
28805+
28806+ /* requesting a specific address */
28807+ if (addr) {
28808+ addr = PAGE_ALIGN(addr);
28809+ if (pax_task_size - len >= addr) {
28810+ vma = find_vma(mm, addr);
28811+ if (check_heap_stack_gap(vma, addr, len, offset))
28812+ return addr;
28813+ }
28814+ }
28815+
28816+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
28817+ info.length = len;
28818+ info.low_limit = PAGE_SIZE;
28819+ info.high_limit = mm->mmap_base;
28820+ info.align_mask = filp ? get_align_mask() : 0;
28821+ info.align_offset = pgoff << PAGE_SHIFT;
28822+ info.threadstack_offset = offset;
28823+
28824+ addr = vm_unmapped_area(&info);
28825+ if (!(addr & ~PAGE_MASK))
28826+ return addr;
28827+ VM_BUG_ON(addr != -ENOMEM);
28828+
28829+bottomup:
28830+ /*
28831+ * A failed mmap() very likely causes application failure,
28832+ * so fall back to the bottom-up function here. This scenario
28833+ * can happen with large stack limits and large mmap()
28834+ * allocations.
28835+ */
28836+ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
28837+}
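Review bot: In arch_get_unmapped_area the unbraced `} else` that precedes `#endif` governs only `info.low_limit = mm->mmap_base;`, so `info.high_limit = pax_task_size;` runs on both paths. With CONFIG_PAX_PAGEEXEC set, a failed or skipped search in the executable-mapping branch therefore falls through with the branch's `low_limit` and the full `pax_task_size` as upper bound. If that fallback is intended, say so in a comment; if not, brace the `else` around both assignments. The same construct, an `if` whose body lies beyond an `#endif` and a blank line, is used for CONFIG_PAX_RANDMMAP in both functions of this file and in the sys_x86_64.c hunks that follow. It should be braced or commented there as well.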
28838diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
28839index 10e0272..b4bb9a7 100644
28840--- a/arch/x86/kernel/sys_x86_64.c
28841+++ b/arch/x86/kernel/sys_x86_64.c
28842@@ -97,8 +97,8 @@ out:
28843 return error;
28844 }
28845
28846-static void find_start_end(unsigned long flags, unsigned long *begin,
28847- unsigned long *end)
28848+static void find_start_end(struct mm_struct *mm, unsigned long flags,
28849+ unsigned long *begin, unsigned long *end)
28850 {
28851 if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT)) {
28852 unsigned long new_begin;
28853@@ -117,7 +117,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
28854 *begin = new_begin;
28855 }
28856 } else {
28857- *begin = current->mm->mmap_legacy_base;
28858+ *begin = mm->mmap_legacy_base;
28859 *end = TASK_SIZE;
28860 }
28861 }
28862@@ -130,20 +130,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
28863 struct vm_area_struct *vma;
28864 struct vm_unmapped_area_info info;
28865 unsigned long begin, end;
28866+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28867
28868 if (flags & MAP_FIXED)
28869 return addr;
28870
28871- find_start_end(flags, &begin, &end);
28872+ find_start_end(mm, flags, &begin, &end);
28873
28874 if (len > end)
28875 return -ENOMEM;
28876
28877+#ifdef CONFIG_PAX_RANDMMAP
28878+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28879+#endif
28880+
28881 if (addr) {
28882 addr = PAGE_ALIGN(addr);
28883 vma = find_vma(mm, addr);
28884- if (end - len >= addr &&
28885- (!vma || addr + len <= vma->vm_start))
28886+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
28887 return addr;
28888 }
28889
28890@@ -157,6 +161,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
28891 info.align_mask = get_align_mask();
28892 info.align_offset += get_align_bits();
28893 }
28894+ info.threadstack_offset = offset;
28895 return vm_unmapped_area(&info);
28896 }
28897
28898@@ -169,6 +174,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
28899 struct mm_struct *mm = current->mm;
28900 unsigned long addr = addr0;
28901 struct vm_unmapped_area_info info;
28902+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28903
28904 /* requested length too big for entire address space */
28905 if (len > TASK_SIZE)
28906@@ -181,12 +187,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
28907 if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT))
28908 goto bottomup;
28909
28910+#ifdef CONFIG_PAX_RANDMMAP
28911+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28912+#endif
28913+
28914 /* requesting a specific address */
28915 if (addr) {
28916 addr = PAGE_ALIGN(addr);
28917 vma = find_vma(mm, addr);
28918- if (TASK_SIZE - len >= addr &&
28919- (!vma || addr + len <= vma->vm_start))
28920+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
28921 return addr;
28922 }
28923
28924@@ -200,6 +209,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
28925 info.align_mask = get_align_mask();
28926 info.align_offset += get_align_bits();
28927 }
28928+ info.threadstack_offset = offset;
28929 addr = vm_unmapped_area(&info);
28930 if (!(addr & ~PAGE_MASK))
28931 return addr;
28932diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
28933index 91a4496..42fc304 100644
28934--- a/arch/x86/kernel/tboot.c
28935+++ b/arch/x86/kernel/tboot.c
28936@@ -44,6 +44,7 @@
28937 #include <asm/setup.h>
28938 #include <asm/e820.h>
28939 #include <asm/io.h>
28940+#include <asm/tlbflush.h>
28941
28942 #include "../realmode/rm/wakeup.h"
28943
28944@@ -221,7 +222,7 @@ static int tboot_setup_sleep(void)
28945
28946 void tboot_shutdown(u32 shutdown_type)
28947 {
28948- void (*shutdown)(void);
28949+ void (* __noreturn shutdown)(void);
28950
28951 if (!tboot_enabled())
28952 return;
28953@@ -242,8 +243,9 @@ void tboot_shutdown(u32 shutdown_type)
28954 tboot->shutdown_type = shutdown_type;
28955
28956 switch_to_tboot_pt();
28957+ cr4_clear_bits(X86_CR4_PCIDE);
28958
28959- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
28960+ shutdown = (void *)(unsigned long)tboot->shutdown_entry;
28961 shutdown();
28962
28963 /* should not reach here */
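Review bot: The added `cr4_clear_bits(X86_CR4_PCIDE);` before the jump to `tboot->shutdown_entry` carries no comment saying why PCID has to be off at this point. A one-line comment such as `/* PCID must be disabled before control is handed to tboot */` would record the requirement; the exact reason is not visible in the hunk and should be confirmed by the author. The new `(void *)` cast also drops the explicit function-pointer type that the removed line spelled out, so the assignment to the `__noreturn` pointer declared in the previous hunk now relies on an implicit conversion from `void *`.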
28964@@ -310,7 +312,7 @@ static int tboot_extended_sleep(u8 sleep_state, u32 val_a, u32 val_b)
28965 return -ENODEV;
28966 }
28967
28968-static atomic_t ap_wfs_count;
28969+static atomic_unchecked_t ap_wfs_count;
28970
28971 static int tboot_wait_for_aps(int num_aps)
28972 {
28973@@ -334,9 +336,9 @@ static int tboot_cpu_callback(struct notifier_block *nfb, unsigned long action,
28974 {
28975 switch (action) {
28976 case CPU_DYING:
28977- atomic_inc(&ap_wfs_count);
28978+ atomic_inc_unchecked(&ap_wfs_count);
28979 if (num_online_cpus() == 1)
28980- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
28981+ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
28982 return NOTIFY_BAD;
28983 break;
28984 }
28985@@ -422,7 +424,7 @@ static __init int tboot_late_init(void)
28986
28987 tboot_create_trampoline();
28988
28989- atomic_set(&ap_wfs_count, 0);
28990+ atomic_set_unchecked(&ap_wfs_count, 0);
28991 register_hotcpu_notifier(&tboot_cpu_notifier);
28992
28993 #ifdef CONFIG_DEBUG_FS
28994diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
28995index d39c091..1df4349 100644
28996--- a/arch/x86/kernel/time.c
28997+++ b/arch/x86/kernel/time.c
28998@@ -32,7 +32,7 @@ unsigned long profile_pc(struct pt_regs *regs)
28999
29000 if (!user_mode(regs) && in_lock_functions(pc)) {
29001 #ifdef CONFIG_FRAME_POINTER
29002- return *(unsigned long *)(regs->bp + sizeof(long));
29003+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
29004 #else
29005 unsigned long *sp =
29006 (unsigned long *)kernel_stack_pointer(regs);
29007@@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs *regs)
29008 * or above a saved flags. Eflags has bits 22-31 zero,
29009 * kernel addresses don't.
29010 */
29011+
29012+#ifdef CONFIG_PAX_KERNEXEC
29013+ return ktla_ktva(sp[0]);
29014+#else
29015 if (sp[0] >> 22)
29016 return sp[0];
29017 if (sp[1] >> 22)
29018 return sp[1];
29019 #endif
29020+
29021+#endif
29022 }
29023 return pc;
29024 }
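Review bot: Under CONFIG_PAX_KERNEXEC the non-frame-pointer path of profile_pc now returns `ktla_ktva(sp[0])` unconditionally, so the `>> 22` test that tells a return address from saved flags is compiled out while the comment above still describes that test. If sp[0] can hold saved flags here, the translated value would be reported as a program counter; whether that can happen with KERNEXEC is not visible in the hunk. Either a comment on the new branch stating why the heuristic is unnecessary, or keeping the check as `if (sp[0] >> 22) return ktla_ktva(sp[0]);`, would make this reviewable. The nested `#endif` pair would also read better with `/* CONFIG_PAX_KERNEXEC */` and `/* CONFIG_FRAME_POINTER */` trailers.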
29025diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
29026index 7fc5e84..c6e445a 100644
29027--- a/arch/x86/kernel/tls.c
29028+++ b/arch/x86/kernel/tls.c
29029@@ -139,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
29030 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
29031 return -EINVAL;
29032
29033+#ifdef CONFIG_PAX_SEGMEXEC
29034+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
29035+ return -EINVAL;
29036+#endif
29037+
29038 set_tls_desc(p, idx, &info, 1);
29039
29040 return 0;
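Review bot: The SEGMEXEC check added to do_set_thread_area reads `p->mm->pax_flags` without testing `p->mm`, whereas the PAGEEXEC check this patch adds to do_general_protection tests `tsk->mm` first. Whether any caller can pass a task without an mm is not visible in the hunk, so either guard it as `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` or add a comment stating that callers always pass a task with a valid mm. The function body starts outside this hunk.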
29041@@ -256,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
29042
29043 if (kbuf)
29044 info = kbuf;
29045- else if (__copy_from_user(infobuf, ubuf, count))
29046+ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count))
29047 return -EFAULT;
29048 else
29049 info = infobuf;
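Review bot: An oversized `count` in regset_tls_set is now rejected with -EFAULT, the same code as a faulting user pointer, because the new bound shares one condition with `__copy_from_user`. A separate test placed before the copy, `if (!kbuf && count > sizeof infobuf) return -EINVAL;`, would keep the bound and let callers tell a bad length from a bad address. The `kbuf` branch gets no equivalent bound in this hunk; whether `count` is limited earlier in the function is outside the hunk and worth confirming.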
29050diff --git a/arch/x86/kernel/tracepoint.c b/arch/x86/kernel/tracepoint.c
29051index 1c113db..287b42e 100644
29052--- a/arch/x86/kernel/tracepoint.c
29053+++ b/arch/x86/kernel/tracepoint.c
29054@@ -9,11 +9,11 @@
29055 #include <linux/atomic.h>
29056
29057 atomic_t trace_idt_ctr = ATOMIC_INIT(0);
29058-struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1,
29059+const struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1,
29060 (unsigned long) trace_idt_table };
29061
29062 /* No need to be aligned, but done to keep all IDTs defined the same way. */
29063-gate_desc trace_idt_table[NR_VECTORS] __page_aligned_bss;
29064+gate_desc trace_idt_table[NR_VECTORS] __page_aligned_rodata;
29065
29066 static int trace_irq_vector_refcount;
29067 static DEFINE_MUTEX(irq_vector_mutex);
29068diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
29069index f579192..aed90b8 100644
29070--- a/arch/x86/kernel/traps.c
29071+++ b/arch/x86/kernel/traps.c
29072@@ -69,7 +69,7 @@
29073 #include <asm/proto.h>
29074
29075 /* No need to be aligned, but done to keep all IDTs defined the same way. */
29076-gate_desc debug_idt_table[NR_VECTORS] __page_aligned_bss;
29077+gate_desc debug_idt_table[NR_VECTORS] __page_aligned_rodata;
29078 #else
29079 #include <asm/processor-flags.h>
29080 #include <asm/setup.h>
29081@@ -77,7 +77,7 @@ gate_desc debug_idt_table[NR_VECTORS] __page_aligned_bss;
29082 #endif
29083
29084 /* Must be page-aligned because the real IDT is used in a fixmap. */
29085-gate_desc idt_table[NR_VECTORS] __page_aligned_bss;
29086+gate_desc idt_table[NR_VECTORS] __page_aligned_rodata;
29087
29088 DECLARE_BITMAP(used_vectors, NR_VECTORS);
29089 EXPORT_SYMBOL_GPL(used_vectors);
29090@@ -174,7 +174,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
29091 * will catch asm bugs and any attempt to use ist_preempt_enable
29092 * from double_fault.
29093 */
29094- BUG_ON((unsigned long)(current_top_of_stack() -
29095+ BUG_ON((unsigned long)(current_top_of_stack(smp_processor_id()) -
29096 current_stack_pointer()) >= THREAD_SIZE);
29097
29098 preempt_count_sub(HARDIRQ_OFFSET);
29099@@ -191,7 +191,7 @@ void ist_end_non_atomic(void)
29100 }
29101
29102 static nokprobe_inline int
29103-do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
29104+do_trap_no_signal(struct task_struct *tsk, int trapnr, const char *str,
29105 struct pt_regs *regs, long error_code)
29106 {
29107 if (v8086_mode(regs)) {
29108@@ -211,8 +211,20 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
29109 if (!fixup_exception(regs)) {
29110 tsk->thread.error_code = error_code;
29111 tsk->thread.trap_nr = trapnr;
29112+
29113+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29114+ if (trapnr == X86_TRAP_SS && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
29115+ str = "PAX: suspicious stack segment fault";
29116+#endif
29117+
29118 die(str, regs, error_code);
29119 }
29120+
29121+#ifdef CONFIG_PAX_REFCOUNT
29122+ if (trapnr == X86_TRAP_OF)
29123+ pax_report_refcount_overflow(regs);
29124+#endif
29125+
29126 return 0;
29127 }
29128
29129@@ -251,7 +263,7 @@ static siginfo_t *fill_trap_info(struct pt_regs *regs, int signr, int trapnr,
29130 }
29131
29132 static void
29133-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
29134+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
29135 long error_code, siginfo_t *info)
29136 {
29137 struct task_struct *tsk = current;
29138@@ -275,7 +287,7 @@ do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
29139 if (show_unhandled_signals && unhandled_signal(tsk, signr) &&
29140 printk_ratelimit()) {
29141 pr_info("%s[%d] trap %s ip:%lx sp:%lx error:%lx",
29142- tsk->comm, tsk->pid, str,
29143+ tsk->comm, task_pid_nr(tsk), str,
29144 regs->ip, regs->sp, error_code);
29145 print_vma_addr(" in ", regs->ip);
29146 pr_cont("\n");
29147@@ -357,6 +369,11 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
29148 tsk->thread.error_code = error_code;
29149 tsk->thread.trap_nr = X86_TRAP_DF;
29150
29151+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
29152+ if ((unsigned long)tsk->stack - regs->sp <= PAGE_SIZE)
29153+ die("grsec: kernel stack overflow detected", regs, error_code);
29154+#endif
29155+
29156 #ifdef CONFIG_DOUBLEFAULT
29157 df_debug(regs, error_code);
29158 #endif
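Review bot: The stack-overflow test added to do_double_fault relies on unsigned wrap-around that is not documented: `(unsigned long)tsk->stack - regs->sp` is at most PAGE_SIZE only when `regs->sp` is at the stack base or up to one page below it, and wraps to a large value when sp is inside the stack. That deserves a comment on the condition, for example `/* sp at, or up to one page below, the stack base; wraps to a large value otherwise */`. The function body starts and ends outside this hunk.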
29159@@ -473,11 +490,35 @@ do_general_protection(struct pt_regs *regs, long error_code)
29160 tsk->thread.error_code = error_code;
29161 tsk->thread.trap_nr = X86_TRAP_GP;
29162 if (notify_die(DIE_GPF, "general protection fault", regs, error_code,
29163- X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP)
29164+ X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP) {
29165+
29166+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29167+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
29168+ die("PAX: suspicious general protection fault", regs, error_code);
29169+ else
29170+#endif
29171+
29172 die("general protection fault", regs, error_code);
29173+ }
29174 goto exit;
29175 }
29176
29177+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
29178+ if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
29179+ struct mm_struct *mm = tsk->mm;
29180+ unsigned long limit;
29181+
29182+ down_write(&mm->mmap_sem);
29183+ limit = mm->context.user_cs_limit;
29184+ if (limit < TASK_SIZE) {
29185+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
29186+ up_write(&mm->mmap_sem);
29187+ return;
29188+ }
29189+ up_write(&mm->mmap_sem);
29190+ }
29191+#endif
29192+
29193 tsk->thread.error_code = error_code;
29194 tsk->thread.trap_nr = X86_TRAP_GP;
29195
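Review bot: The PAGEEXEC branch added to do_general_protection leaves with a plain `return;` after `up_write()`, while the kernel-mode branch just above it in this hunk leaves through `goto exit;`. If the `exit` label performs cleanup (it is outside the hunk), this path skips it; writing `goto exit;` in place of `return;` would keep the exits uniform. The KERNEXEC addition earlier in the hunk also ends in an `else` directly before `#endif`, so `die("general protection fault", ...)` is an else-arm in some configurations and a plain statement in others; a short comment there would help the next reader.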
29196@@ -576,6 +617,9 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
29197 container_of(task_pt_regs(current),
29198 struct bad_iret_stack, regs);
29199
29200+ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE)
29201+ new_stack = s;
29202+
29203 /* Copy the IRET target to the new stack. */
29204 memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
29205
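Review bot: The added `(current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE` test in fixup_bad_iret is undocumented, yet it changes the destination of the copy that follows. It appears to check that `s` and `sp0` fall in the same THREAD_SIZE-aligned region, in which case `new_stack` is set to `s` and the `memmove` works in place; that reading assumes THREAD_SIZE is a power of two and should be confirmed. A comment such as `/* s is already on this thread's stack: fix up in place */` would state the intent. The function body starts and ends outside this hunk.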
29206diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
29207index 7437b41..45f6250 100644
29208--- a/arch/x86/kernel/tsc.c
29209+++ b/arch/x86/kernel/tsc.c
29210@@ -150,7 +150,7 @@ static void cyc2ns_write_end(int cpu, struct cyc2ns_data *data)
29211 */
29212 smp_wmb();
29213
29214- ACCESS_ONCE(c2n->head) = data;
29215+ ACCESS_ONCE_RW(c2n->head) = data;
29216 }
29217
29218 /*
29219diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
29220index 6647624..2056791 100644
29221--- a/arch/x86/kernel/uprobes.c
29222+++ b/arch/x86/kernel/uprobes.c
29223@@ -978,7 +978,7 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs
29224
29225 if (nleft != rasize) {
29226 pr_err("uprobe: return address clobbered: pid=%d, %%sp=%#lx, "
29227- "%%ip=%#lx\n", current->pid, regs->sp, regs->ip);
29228+ "%%ip=%#lx\n", task_pid_nr(current), regs->sp, regs->ip);
29229
29230 force_sig_info(SIGSEGV, SEND_SIG_FORCED, current);
29231 }
29232diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
29233index b9242ba..50c5edd 100644
29234--- a/arch/x86/kernel/verify_cpu.S
29235+++ b/arch/x86/kernel/verify_cpu.S
29236@@ -20,6 +20,7 @@
29237 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
29238 * arch/x86/kernel/trampoline_64.S: secondary processor verification
29239 * arch/x86/kernel/head_32.S: processor startup
29240+ * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
29241 *
29242 * verify_cpu, returns the status of longmode and SSE in register %eax.
29243 * 0: Success 1: Failure
29244diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
29245index fc9db6e..2c5865d 100644
29246--- a/arch/x86/kernel/vm86_32.c
29247+++ b/arch/x86/kernel/vm86_32.c
29248@@ -44,6 +44,7 @@
29249 #include <linux/ptrace.h>
29250 #include <linux/audit.h>
29251 #include <linux/stddef.h>
29252+#include <linux/grsecurity.h>
29253
29254 #include <asm/uaccess.h>
29255 #include <asm/io.h>
29256@@ -150,7 +151,7 @@ struct pt_regs *save_v86_state(struct kernel_vm86_regs *regs)
29257 do_exit(SIGSEGV);
29258 }
29259
29260- tss = &per_cpu(cpu_tss, get_cpu());
29261+ tss = cpu_tss + get_cpu();
29262 current->thread.sp0 = current->thread.saved_sp0;
29263 current->thread.sysenter_cs = __KERNEL_CS;
29264 load_sp0(tss, &current->thread);
29265@@ -214,6 +215,14 @@ SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86)
29266
29267 if (tsk->thread.saved_sp0)
29268 return -EPERM;
29269+
29270+#ifdef CONFIG_GRKERNSEC_VM86
29271+ if (!capable(CAP_SYS_RAWIO)) {
29272+ gr_handle_vm86();
29273+ return -EPERM;
29274+ }
29275+#endif
29276+
29277 tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
29278 offsetof(struct kernel_vm86_struct, vm86plus) -
29279 sizeof(info.regs));
29280@@ -238,6 +247,13 @@ SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg)
29281 int tmp;
29282 struct vm86plus_struct __user *v86;
29283
29284+#ifdef CONFIG_GRKERNSEC_VM86
29285+ if (!capable(CAP_SYS_RAWIO)) {
29286+ gr_handle_vm86();
29287+ return -EPERM;
29288+ }
29289+#endif
29290+
29291 tsk = current;
29292 switch (cmd) {
29293 case VM86_REQUEST_IRQ:
29294@@ -318,7 +334,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk
29295 tsk->thread.saved_fs = info->regs32->fs;
29296 tsk->thread.saved_gs = get_user_gs(info->regs32);
29297
29298- tss = &per_cpu(cpu_tss, get_cpu());
29299+ tss = cpu_tss + get_cpu();
29300 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
29301 if (cpu_has_sep)
29302 tsk->thread.sysenter_cs = 0;
29303@@ -525,7 +541,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i,
29304 goto cannot_handle;
29305 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
29306 goto cannot_handle;
29307- intr_ptr = (unsigned long __user *) (i << 2);
29308+ intr_ptr = (__force unsigned long __user *) (i << 2);
29309 if (get_user(segoffs, intr_ptr))
29310 goto cannot_handle;
29311 if ((segoffs >> 16) == BIOSSEG)
29312diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
29313index 00bf300..03e1c3b 100644
29314--- a/arch/x86/kernel/vmlinux.lds.S
29315+++ b/arch/x86/kernel/vmlinux.lds.S
29316@@ -26,6 +26,13 @@
29317 #include <asm/page_types.h>
29318 #include <asm/cache.h>
29319 #include <asm/boot.h>
29320+#include <asm/segment.h>
29321+
29322+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29323+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
29324+#else
29325+#define __KERNEL_TEXT_OFFSET 0
29326+#endif
29327
29328 #undef i386 /* in case the preprocessor is a 32bit one */
29329
29330@@ -69,30 +76,43 @@ jiffies_64 = jiffies;
29331
29332 PHDRS {
29333 text PT_LOAD FLAGS(5); /* R_E */
29334+#ifdef CONFIG_X86_32
29335+ module PT_LOAD FLAGS(5); /* R_E */
29336+#endif
29337+#ifdef CONFIG_XEN
29338+ rodata PT_LOAD FLAGS(5); /* R_E */
29339+#else
29340+ rodata PT_LOAD FLAGS(4); /* R__ */
29341+#endif
29342 data PT_LOAD FLAGS(6); /* RW_ */
29343-#ifdef CONFIG_X86_64
29344+ init.begin PT_LOAD FLAGS(6); /* RW_ */
29345 #ifdef CONFIG_SMP
29346 percpu PT_LOAD FLAGS(6); /* RW_ */
29347 #endif
29348- init PT_LOAD FLAGS(7); /* RWE */
29349-#endif
29350+ text.init PT_LOAD FLAGS(5); /* R_E */
29351+ text.exit PT_LOAD FLAGS(5); /* R_E */
29352+ init PT_LOAD FLAGS(6); /* RW_ */
29353 note PT_NOTE FLAGS(0); /* ___ */
29354 }
29355
29356 SECTIONS
29357 {
29358 #ifdef CONFIG_X86_32
29359- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
29360- phys_startup_32 = startup_32 - LOAD_OFFSET;
29361+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
29362 #else
29363- . = __START_KERNEL;
29364- phys_startup_64 = startup_64 - LOAD_OFFSET;
29365+ . = __START_KERNEL;
29366 #endif
29367
29368 /* Text and read-only data */
29369- .text : AT(ADDR(.text) - LOAD_OFFSET) {
29370- _text = .;
29371+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
29372 /* bootstrapping code */
29373+#ifdef CONFIG_X86_32
29374+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29375+#else
29376+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29377+#endif
29378+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29379+ _text = .;
29380 HEAD_TEXT
29381 . = ALIGN(8);
29382 _stext = .;
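Review bot: In the PHDRS block the new `rodata` program header is `FLAGS(5)` (R_E) when CONFIG_XEN is set and `FLAGS(4)` otherwise, with no comment explaining why read-only data has to be executable under Xen. Since the purpose of a separate header is a non-executable rodata segment, the exception should be justified where it is made, e.g. `/* Xen: rodata stays R_E because <reason, to be filled in by the author> */`. Without that, a later reader cannot tell whether the executable mapping is a requirement or a leftover.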
29383@@ -104,13 +124,47 @@ SECTIONS
29384 IRQENTRY_TEXT
29385 *(.fixup)
29386 *(.gnu.warning)
29387- /* End of text section */
29388- _etext = .;
29389 } :text = 0x9090
29390
29391- NOTES :text :note
29392+ . += __KERNEL_TEXT_OFFSET;
29393
29394- EXCEPTION_TABLE(16) :text = 0x9090
29395+#ifdef CONFIG_X86_32
29396+ . = ALIGN(PAGE_SIZE);
29397+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
29398+
29399+#ifdef CONFIG_PAX_KERNEXEC
29400+ MODULES_EXEC_VADDR = .;
29401+ BYTE(0)
29402+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
29403+ . = ALIGN(HPAGE_SIZE) - 1;
29404+ MODULES_EXEC_END = .;
29405+#endif
29406+
29407+ } :module
29408+#endif
29409+
29410+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
29411+ /* End of text section */
29412+ BYTE(0)
29413+ _etext = . - __KERNEL_TEXT_OFFSET;
29414+ }
29415+
29416+#ifdef CONFIG_X86_32
29417+ . = ALIGN(PAGE_SIZE);
29418+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
29419+ . = ALIGN(PAGE_SIZE);
29420+ *(.empty_zero_page)
29421+ *(.initial_pg_fixmap)
29422+ *(.initial_pg_pmd)
29423+ *(.initial_page_table)
29424+ *(.swapper_pg_dir)
29425+ } :rodata
29426+#endif
29427+
29428+ . = ALIGN(PAGE_SIZE);
29429+ NOTES :rodata :note
29430+
29431+ EXCEPTION_TABLE(16) :rodata
29432
29433 #if defined(CONFIG_DEBUG_RODATA)
29434 /* .text should occupy whole number of pages */
29435@@ -122,16 +176,20 @@ SECTIONS
29436
29437 /* Data */
29438 .data : AT(ADDR(.data) - LOAD_OFFSET) {
29439+
29440+#ifdef CONFIG_PAX_KERNEXEC
29441+ . = ALIGN(HPAGE_SIZE);
29442+#else
29443+ . = ALIGN(PAGE_SIZE);
29444+#endif
29445+
29446 /* Start of data section */
29447 _sdata = .;
29448
29449 /* init_task */
29450 INIT_TASK_DATA(THREAD_SIZE)
29451
29452-#ifdef CONFIG_X86_32
29453- /* 32 bit has nosave before _edata */
29454 NOSAVE_DATA
29455-#endif
29456
29457 PAGE_ALIGNED_DATA(PAGE_SIZE)
29458
29459@@ -174,12 +232,19 @@ SECTIONS
29460 . = ALIGN(__vvar_page + PAGE_SIZE, PAGE_SIZE);
29461
29462 /* Init code and data - will be freed after init */
29463- . = ALIGN(PAGE_SIZE);
29464 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
29465+ BYTE(0)
29466+
29467+#ifdef CONFIG_PAX_KERNEXEC
29468+ . = ALIGN(HPAGE_SIZE);
29469+#else
29470+ . = ALIGN(PAGE_SIZE);
29471+#endif
29472+
29473 __init_begin = .; /* paired with __init_end */
29474- }
29475+ } :init.begin
29476
29477-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
29478+#ifdef CONFIG_SMP
29479 /*
29480 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
29481 * output PHDR, so the next output section - .init.text - should
29482@@ -190,12 +255,33 @@ SECTIONS
29483 "per-CPU data too large - increase CONFIG_PHYSICAL_START")
29484 #endif
29485
29486- INIT_TEXT_SECTION(PAGE_SIZE)
29487-#ifdef CONFIG_X86_64
29488- :init
29489+ . = ALIGN(PAGE_SIZE);
29490+ init_begin = .;
29491+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
29492+ VMLINUX_SYMBOL(_sinittext) = .;
29493+ INIT_TEXT
29494+ . = ALIGN(PAGE_SIZE);
29495+ } :text.init
29496+
29497+ /*
29498+ * .exit.text is discard at runtime, not link time, to deal with
29499+ * references from .altinstructions and .eh_frame
29500+ */
29501+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
29502+ EXIT_TEXT
29503+ VMLINUX_SYMBOL(_einittext) = .;
29504+
29505+#ifdef CONFIG_PAX_KERNEXEC
29506+ . = ALIGN(HPAGE_SIZE);
29507+#else
29508+ . = ALIGN(16);
29509 #endif
29510
29511- INIT_DATA_SECTION(16)
29512+ } :text.exit
29513+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
29514+
29515+ . = ALIGN(PAGE_SIZE);
29516+ INIT_DATA_SECTION(16) :init
29517
29518 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
29519 __x86_cpu_dev_start = .;
29520@@ -266,19 +352,12 @@ SECTIONS
29521 }
29522
29523 . = ALIGN(8);
29524- /*
29525- * .exit.text is discard at runtime, not link time, to deal with
29526- * references from .altinstructions and .eh_frame
29527- */
29528- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
29529- EXIT_TEXT
29530- }
29531
29532 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
29533 EXIT_DATA
29534 }
29535
29536-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
29537+#ifndef CONFIG_SMP
29538 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
29539 #endif
29540
29541@@ -297,16 +376,10 @@ SECTIONS
29542 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
29543 __smp_locks = .;
29544 *(.smp_locks)
29545- . = ALIGN(PAGE_SIZE);
29546 __smp_locks_end = .;
29547+ . = ALIGN(PAGE_SIZE);
29548 }
29549
29550-#ifdef CONFIG_X86_64
29551- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
29552- NOSAVE_DATA
29553- }
29554-#endif
29555-
29556 /* BSS */
29557 . = ALIGN(PAGE_SIZE);
29558 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
29559@@ -322,6 +395,7 @@ SECTIONS
29560 __brk_base = .;
29561 . += 64 * 1024; /* 64k alignment slop space */
29562 *(.brk_reservation) /* areas brk users have reserved */
29563+ . = ALIGN(HPAGE_SIZE);
29564 __brk_limit = .;
29565 }
29566
29567@@ -348,13 +422,12 @@ SECTIONS
29568 * for the boot processor.
29569 */
29570 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
29571-INIT_PER_CPU(gdt_page);
29572 INIT_PER_CPU(irq_stack_union);
29573
29574 /*
29575 * Build-time check on the image size:
29576 */
29577-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
29578+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
29579 "kernel image bigger than KERNEL_IMAGE_SIZE");
29580
29581 #ifdef CONFIG_SMP
29582diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
29583index a0695be..33e180c 100644
29584--- a/arch/x86/kernel/x8664_ksyms_64.c
29585+++ b/arch/x86/kernel/x8664_ksyms_64.c
29586@@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string);
29587 EXPORT_SYMBOL(copy_user_generic_unrolled);
29588 EXPORT_SYMBOL(copy_user_enhanced_fast_string);
29589 EXPORT_SYMBOL(__copy_user_nocache);
29590-EXPORT_SYMBOL(_copy_from_user);
29591-EXPORT_SYMBOL(_copy_to_user);
29592
29593 EXPORT_SYMBOL(copy_page);
29594 EXPORT_SYMBOL(clear_page);
29595@@ -77,3 +75,7 @@ EXPORT_SYMBOL(native_load_gs_index);
29596 EXPORT_SYMBOL(___preempt_schedule);
29597 EXPORT_SYMBOL(___preempt_schedule_notrace);
29598 #endif
29599+
29600+#ifdef CONFIG_PAX_PER_CPU_PGD
29601+EXPORT_SYMBOL(cpu_pgd);
29602+#endif
29603diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
29604index 3839628..2e5b5b35 100644
29605--- a/arch/x86/kernel/x86_init.c
29606+++ b/arch/x86/kernel/x86_init.c
29607@@ -92,7 +92,7 @@ struct x86_cpuinit_ops x86_cpuinit = {
29608 static void default_nmi_init(void) { };
29609 static int default_i8042_detect(void) { return 1; };
29610
29611-struct x86_platform_ops x86_platform = {
29612+struct x86_platform_ops x86_platform __read_only = {
29613 .calibrate_tsc = native_calibrate_tsc,
29614 .get_wallclock = mach_get_cmos_time,
29615 .set_wallclock = mach_set_rtc_mmss,
29616@@ -108,7 +108,7 @@ struct x86_platform_ops x86_platform = {
29617 EXPORT_SYMBOL_GPL(x86_platform);
29618
29619 #if defined(CONFIG_PCI_MSI)
29620-struct x86_msi_ops x86_msi = {
29621+struct x86_msi_ops x86_msi __read_only = {
29622 .setup_msi_irqs = native_setup_msi_irqs,
29623 .teardown_msi_irq = native_teardown_msi_irq,
29624 .teardown_msi_irqs = default_teardown_msi_irqs,
29625@@ -137,7 +137,7 @@ void arch_restore_msi_irqs(struct pci_dev *dev)
29626 }
29627 #endif
29628
29629-struct x86_io_apic_ops x86_io_apic_ops = {
29630+struct x86_io_apic_ops x86_io_apic_ops __read_only = {
29631 .read = native_io_apic_read,
29632 .disable = native_disable_io_apic,
29633 };
29634diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
29635index 2fbea25..9e0f8c7 100644
29636--- a/arch/x86/kvm/cpuid.c
29637+++ b/arch/x86/kvm/cpuid.c
29638@@ -206,15 +206,20 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
29639 struct kvm_cpuid2 *cpuid,
29640 struct kvm_cpuid_entry2 __user *entries)
29641 {
29642- int r;
29643+ int r, i;
29644
29645 r = -E2BIG;
29646 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
29647 goto out;
29648 r = -EFAULT;
29649- if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
29650- cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
29651+ if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
29652 goto out;
29653+ for (i = 0; i < cpuid->nent; ++i) {
29654+ struct kvm_cpuid_entry2 cpuid_entry;
29655+ if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
29656+ goto out;
29657+ vcpu->arch.cpuid_entries[i] = cpuid_entry;
29658+ }
29659 vcpu->arch.cpuid_nent = cpuid->nent;
29660 kvm_apic_set_version(vcpu);
29661 kvm_x86_ops->cpuid_update(vcpu);
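Review bot: The per-entry loop in kvm_vcpu_ioctl_set_cpuid2 stores each entry into `vcpu->arch.cpuid_entries[i]` as it goes, so a fault at entry i leaves entries 0..i-1 replaced while `cpuid_nent` keeps its old value. The removed bulk copy could also fail part-way, so this is not new, but it should at least be documented, e.g. `/* on fault the table is partially updated; cpuid_nent is left unchanged */`. `i` is a signed `int` compared against `cpuid->nent`; the KVM_MAX_CPUID_ENTRIES check above keeps the value in range, and declaring `i` with an unsigned type matching `nent` would remove the mixed comparison. A comment saying why the single copy was split into a bounce-buffer loop would help too; kvm_vcpu_ioctl_get_cpuid2 in the next hunk uses the same pattern.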
29662@@ -227,15 +232,19 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
29663 struct kvm_cpuid2 *cpuid,
29664 struct kvm_cpuid_entry2 __user *entries)
29665 {
29666- int r;
29667+ int r, i;
29668
29669 r = -E2BIG;
29670 if (cpuid->nent < vcpu->arch.cpuid_nent)
29671 goto out;
29672 r = -EFAULT;
29673- if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
29674- vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
29675+ if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
29676 goto out;
29677+ for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
29678+ struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
29679+ if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
29680+ goto out;
29681+ }
29682 return 0;
29683
29684 out:
29685diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
29686index e7a4fde..623af93 100644
29687--- a/arch/x86/kvm/emulate.c
29688+++ b/arch/x86/kvm/emulate.c
29689@@ -3847,7 +3847,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
29690 int cr = ctxt->modrm_reg;
29691 u64 efer = 0;
29692
29693- static u64 cr_reserved_bits[] = {
29694+ static const u64 cr_reserved_bits[] = {
29695 0xffffffff00000000ULL,
29696 0, 0, 0, /* CR3 checked later */
29697 CR4_RESERVED_BITS,
29698diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
29699index 2a5ca97..ce8577a 100644
29700--- a/arch/x86/kvm/lapic.c
29701+++ b/arch/x86/kvm/lapic.c
29702@@ -56,7 +56,7 @@
29703 #define APIC_BUS_CYCLE_NS 1
29704
29705 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
29706-#define apic_debug(fmt, arg...)
29707+#define apic_debug(fmt, arg...) do {} while (0)
29708
29709 #define APIC_LVT_NUM 6
29710 /* 14 is the version for Xeon and Pentium 8.4.8*/
29711diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
29712index 0f67d7e..4b9fa11 100644
29713--- a/arch/x86/kvm/paging_tmpl.h
29714+++ b/arch/x86/kvm/paging_tmpl.h
29715@@ -343,7 +343,7 @@ retry_walk:
29716 if (unlikely(kvm_is_error_hva(host_addr)))
29717 goto error;
29718
29719- ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
29720+ ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
29721 if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte))))
29722 goto error;
29723 walker->ptep_user[walker->level - 1] = ptep_user;
29724diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
29725index 8e0c084..bdb9c3b 100644
29726--- a/arch/x86/kvm/svm.c
29727+++ b/arch/x86/kvm/svm.c
29728@@ -3688,7 +3688,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
29729 int cpu = raw_smp_processor_id();
29730
29731 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
29732+
29733+ pax_open_kernel();
29734 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
29735+ pax_close_kernel();
29736+
29737 load_TR_desc();
29738 }
29739
29740@@ -4084,6 +4088,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
29741 #endif
29742 #endif
29743
29744+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
29745+ __set_fs(current_thread_info()->addr_limit);
29746+#endif
29747+
29748 reload_tss(vcpu);
29749
29750 local_irq_disable();
29751diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
29752index 83b7b5c..26d8b1b 100644
29753--- a/arch/x86/kvm/vmx.c
29754+++ b/arch/x86/kvm/vmx.c
29755@@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value)
29756 #endif
29757 }
29758
29759-static void vmcs_clear_bits(unsigned long field, u32 mask)
29760+static void vmcs_clear_bits(unsigned long field, unsigned long mask)
29761 {
29762 vmcs_writel(field, vmcs_readl(field) & ~mask);
29763 }
29764
29765-static void vmcs_set_bits(unsigned long field, u32 mask)
29766+static void vmcs_set_bits(unsigned long field, unsigned long mask)
29767 {
29768 vmcs_writel(field, vmcs_readl(field) | mask);
29769 }
29770@@ -1705,7 +1705,11 @@ static void reload_tss(void)
29771 struct desc_struct *descs;
29772
29773 descs = (void *)gdt->address;
29774+
29775+ pax_open_kernel();
29776 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
29777+ pax_close_kernel();
29778+
29779 load_TR_desc();
29780 }
29781
29782@@ -1941,6 +1945,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
29783 vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
29784 vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */
29785
29786+#ifdef CONFIG_PAX_PER_CPU_PGD
29787+ vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
29788+#endif
29789+
29790 rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
29791 vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
29792 vmx->loaded_vmcs->cpu = cpu;
29793@@ -2232,7 +2240,7 @@ static void setup_msrs(struct vcpu_vmx *vmx)
29794 * reads and returns guest's timestamp counter "register"
29795 * guest_tsc = host_tsc + tsc_offset -- 21.3
29796 */
29797-static u64 guest_read_tsc(void)
29798+static u64 __intentional_overflow(-1) guest_read_tsc(void)
29799 {
29800 u64 host_tsc, tsc_offset;
29801
29802@@ -4459,7 +4467,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
29803 unsigned long cr4;
29804
29805 vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */
29806+
29807+#ifndef CONFIG_PAX_PER_CPU_PGD
29808 vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
29809+#endif
29810
29811 /* Save the most likely value for this task's CR4 in the VMCS. */
29812 cr4 = cr4_read_shadow();
29813@@ -4486,7 +4497,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
29814 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
29815 vmx->host_idt_base = dt.address;
29816
29817- vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */
29818+ vmcs_writel(HOST_RIP, ktla_ktva(vmx_return)); /* 22.2.5 */
29819
29820 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
29821 vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
29822@@ -6097,11 +6108,17 @@ static __init int hardware_setup(void)
29823 * page upon invalidation. No need to do anything if not
29824 * using the APIC_ACCESS_ADDR VMCS field.
29825 */
29826- if (!flexpriority_enabled)
29827- kvm_x86_ops->set_apic_access_page_addr = NULL;
29828+ if (!flexpriority_enabled) {
29829+ pax_open_kernel();
29830+ *(void **)&kvm_x86_ops->set_apic_access_page_addr = NULL;
29831+ pax_close_kernel();
29832+ }
29833
29834- if (!cpu_has_vmx_tpr_shadow())
29835- kvm_x86_ops->update_cr8_intercept = NULL;
29836+ if (!cpu_has_vmx_tpr_shadow()) {
29837+ pax_open_kernel();
29838+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
29839+ pax_close_kernel();
29840+ }
29841
29842 if (enable_ept && !cpu_has_vmx_ept_2m_page())
29843 kvm_disable_largepages();
29844@@ -6112,14 +6129,16 @@ static __init int hardware_setup(void)
29845 if (!cpu_has_vmx_apicv())
29846 enable_apicv = 0;
29847
29848+ pax_open_kernel();
29849 if (enable_apicv)
29850- kvm_x86_ops->update_cr8_intercept = NULL;
29851+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
29852 else {
29853- kvm_x86_ops->hwapic_irr_update = NULL;
29854- kvm_x86_ops->hwapic_isr_update = NULL;
29855- kvm_x86_ops->deliver_posted_interrupt = NULL;
29856- kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
29857+ *(void **)&kvm_x86_ops->hwapic_irr_update = NULL;
29858+ *(void **)&kvm_x86_ops->hwapic_isr_update = NULL;
29859+ *(void **)&kvm_x86_ops->deliver_posted_interrupt = NULL;
29860+ *(void **)&kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
29861 }
29862+ pax_close_kernel();
29863
29864 vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
29865 vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
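Review bot: Writing through `*(void **)&kvm_x86_ops->sync_pir_to_irr` removes the compiler's check that `vmx_sync_pir_to_irr_dummy` has the signature the ops slot expects, so a later prototype change would compile silently and leave a mismatched indirect-call target in the table. A one-line guard next to the assignment keeps the check, for example `BUILD_BUG_ON(!__same_type(kvm_x86_ops->sync_pir_to_irr, &vmx_sync_pir_to_irr_dummy));`. The same cast is used for the NULL stores in the preceding hunk and in the `enable_pml` hunk, where it is harmless. A short comment at the first `pax_open_kernel()`, saying that the ops table is presumably write-protected and is only patched inside this `__init` window, would help readers. hardware_setup continues outside the hunk.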
29866@@ -6172,10 +6191,12 @@ static __init int hardware_setup(void)
29867 enable_pml = 0;
29868
29869 if (!enable_pml) {
29870- kvm_x86_ops->slot_enable_log_dirty = NULL;
29871- kvm_x86_ops->slot_disable_log_dirty = NULL;
29872- kvm_x86_ops->flush_log_dirty = NULL;
29873- kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
29874+ pax_open_kernel();
29875+ *(void **)&kvm_x86_ops->slot_enable_log_dirty = NULL;
29876+ *(void **)&kvm_x86_ops->slot_disable_log_dirty = NULL;
29877+ *(void **)&kvm_x86_ops->flush_log_dirty = NULL;
29878+ *(void **)&kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
29879+ pax_close_kernel();
29880 }
29881
29882 return alloc_kvm_area();
29883@@ -8378,6 +8399,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
29884 "jmp 2f \n\t"
29885 "1: " __ex(ASM_VMX_VMRESUME) "\n\t"
29886 "2: "
29887+
29888+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29889+ "ljmp %[cs],$3f\n\t"
29890+ "3: "
29891+#endif
29892+
29893 /* Save guest registers, load host registers, keep flags */
29894 "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
29895 "pop %0 \n\t"
29896@@ -8430,6 +8457,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
29897 #endif
29898 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
29899 [wordsize]"i"(sizeof(ulong))
29900+
29901+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29902+ ,[cs]"i"(__KERNEL_CS)
29903+#endif
29904+
29905 : "cc", "memory"
29906 #ifdef CONFIG_X86_64
29907 , "rax", "rbx", "rdi", "rsi"
29908@@ -8443,7 +8475,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
29909 if (debugctlmsr)
29910 update_debugctlmsr(debugctlmsr);
29911
29912-#ifndef CONFIG_X86_64
29913+#ifdef CONFIG_X86_32
29914 /*
29915 * The sysexit path does not restore ds/es, so we must set them to
29916 * a reasonable value ourselves.
29917@@ -8452,8 +8484,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
29918 * may be executed in interrupt context, which saves and restore segments
29919 * around it, nullifying its effect.
29920 */
29921- loadsegment(ds, __USER_DS);
29922- loadsegment(es, __USER_DS);
29923+ loadsegment(ds, __KERNEL_DS);
29924+ loadsegment(es, __KERNEL_DS);
29925+ loadsegment(ss, __KERNEL_DS);
29926+
29927+#ifdef CONFIG_PAX_KERNEXEC
29928+ loadsegment(fs, __KERNEL_PERCPU);
29929+#endif
29930+
29931+#ifdef CONFIG_PAX_MEMORY_UDEREF
29932+ __set_fs(current_thread_info()->addr_limit);
29933+#endif
29934+
29935 #endif
29936
29937 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
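Review bot: The comment above these loads still describes only ds/es and the sysexit path, but the new code also reloads ss, conditionally fs, and the address limit, and it switches the selector from `__USER_DS` to `__KERNEL_DS`. Since this is the host segment state restored after a VM exit, the reason for each reload should be written down. I would extend the comment with something like `/* PaX: keep kernel data selectors after VM exit; fs and addr_limit are reloaded for KERNEXEC/UDEREF */`. That wording is inferred from the config symbols in the hunk and should be checked by someone who knows the PaX segment layout. vmx_vcpu_run starts and ends outside the hunk.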
29938diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
29939index 8f0f6ec..9cee69e 100644
29940--- a/arch/x86/kvm/x86.c
29941+++ b/arch/x86/kvm/x86.c
29942@@ -1842,8 +1842,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
29943 {
29944 struct kvm *kvm = vcpu->kvm;
29945 int lm = is_long_mode(vcpu);
29946- u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
29947- : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
29948+ u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
29949+ : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
29950 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
29951 : kvm->arch.xen_hvm_config.blob_size_32;
29952 u32 page_num = data & ~PAGE_MASK;
29953@@ -2731,6 +2731,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
29954 if (n < msr_list.nmsrs)
29955 goto out;
29956 r = -EFAULT;
29957+ if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
29958+ goto out;
29959 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
29960 num_msrs_to_save * sizeof(u32)))
29961 goto out;
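Review bot: The new bound check before `copy_to_user()` fails silently with `-EFAULT`, which userspace will read as a bad pointer rather than as a kernel-side inconsistency between `num_msrs_to_save` and the `msrs_to_save` array. Making it `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` keeps the over-read protection and leaves a trace when the invariant breaks. The hunk ends right after this copy, so whether a second copy from another table follows and needs the same guard cannot be seen here.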
29962@@ -3091,7 +3093,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
29963
29964 static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
29965 {
29966- struct xregs_state *xsave = &vcpu->arch.guest_fpu.state.xsave;
29967+ struct xregs_state *xsave = &vcpu->arch.guest_fpu.state->xsave;
29968 u64 xstate_bv = xsave->header.xfeatures;
29969 u64 valid;
29970
29971@@ -3127,7 +3129,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
29972
29973 static void load_xsave(struct kvm_vcpu *vcpu, u8 *src)
29974 {
29975- struct xregs_state *xsave = &vcpu->arch.guest_fpu.state.xsave;
29976+ struct xregs_state *xsave = &vcpu->arch.guest_fpu.state->xsave;
29977 u64 xstate_bv = *(u64 *)(src + XSAVE_HDR_OFFSET);
29978 u64 valid;
29979
29980@@ -3171,7 +3173,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
29981 fill_xsave((u8 *) guest_xsave->region, vcpu);
29982 } else {
29983 memcpy(guest_xsave->region,
29984- &vcpu->arch.guest_fpu.state.fxsave,
29985+ &vcpu->arch.guest_fpu.state->fxsave,
29986 sizeof(struct fxregs_state));
29987 *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)] =
29988 XSTATE_FPSSE;
29989@@ -3196,7 +3198,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
29990 } else {
29991 if (xstate_bv & ~XSTATE_FPSSE)
29992 return -EINVAL;
29993- memcpy(&vcpu->arch.guest_fpu.state.fxsave,
29994+ memcpy(&vcpu->arch.guest_fpu.state->fxsave,
29995 guest_xsave->region, sizeof(struct fxregs_state));
29996 }
29997 return 0;
29998@@ -5786,7 +5788,7 @@ static struct notifier_block pvclock_gtod_notifier = {
29999 };
30000 #endif
30001
30002-int kvm_arch_init(void *opaque)
30003+int kvm_arch_init(const void *opaque)
30004 {
30005 int r;
30006 struct kvm_x86_ops *ops = opaque;
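Review bot: `opaque` is now `const void *`, but the unchanged line `struct kvm_x86_ops *ops = opaque;` still assigns it to a pointer that is not visibly const, which discards the qualifier the new signature promises. Unless `struct kvm_x86_ops` is made const elsewhere in this tree (for example by a constify plugin, which is not visible here), the local should be declared `const struct kvm_x86_ops *ops = opaque;`. Spelling the const out also documents that kvm_arch_init only reads the ops table through this pointer. The function body continues outside the hunk.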
30007@@ -7210,7 +7212,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
30008 int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30009 {
30010 struct fxregs_state *fxsave =
30011- &vcpu->arch.guest_fpu.state.fxsave;
30012+ &vcpu->arch.guest_fpu.state->fxsave;
30013
30014 memcpy(fpu->fpr, fxsave->st_space, 128);
30015 fpu->fcw = fxsave->cwd;
30016@@ -7227,7 +7229,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30017 int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30018 {
30019 struct fxregs_state *fxsave =
30020- &vcpu->arch.guest_fpu.state.fxsave;
30021+ &vcpu->arch.guest_fpu.state->fxsave;
30022
30023 memcpy(fxsave->st_space, fpu->fpr, 128);
30024 fxsave->cwd = fpu->fcw;
30025@@ -7243,9 +7245,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30026
30027 static void fx_init(struct kvm_vcpu *vcpu)
30028 {
30029- fpstate_init(&vcpu->arch.guest_fpu.state);
30030+ fpstate_init(vcpu->arch.guest_fpu.state);
30031 if (cpu_has_xsaves)
30032- vcpu->arch.guest_fpu.state.xsave.header.xcomp_bv =
30033+ vcpu->arch.guest_fpu.state->xsave.header.xcomp_bv =
30034 host_xcr0 | XSTATE_COMPACTION_ENABLED;
30035
30036 /*
30037@@ -7269,7 +7271,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
30038 kvm_put_guest_xcr0(vcpu);
30039 vcpu->guest_fpu_loaded = 1;
30040 __kernel_fpu_begin();
30041- __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu.state);
30042+ __copy_kernel_to_fpregs(vcpu->arch.guest_fpu.state);
30043 trace_kvm_fpu(1);
30044 }
30045
30046@@ -7547,6 +7549,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
30047
30048 struct static_key kvm_no_apic_vcpu __read_mostly;
30049
30050+extern struct kmem_cache *fpregs_state_cachep;
30051+
30052 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
30053 {
30054 struct page *page;
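Review bot: `extern struct kmem_cache *fpregs_state_cachep;` is declared directly in x86.c, so nothing ties this declaration to the type used at the definition. Moving the declaration into the header that belongs to the file defining the cache lets the compiler check both sides against each other. No other change to this hunk is needed for that.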
30055@@ -7563,11 +7567,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
30056 else
30057 vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED;
30058
30059- page = alloc_page(GFP_KERNEL | __GFP_ZERO);
30060- if (!page) {
30061- r = -ENOMEM;
30062+ r = -ENOMEM;
30063+ vcpu->arch.guest_fpu.state = kmem_cache_alloc(fpregs_state_cachep, GFP_KERNEL);
30064+ if (!vcpu->arch.guest_fpu.state)
30065 goto fail;
30066- }
30067+
30068+ page = alloc_page(GFP_KERNEL | __GFP_ZERO);
30069+ if (!page)
30070+ goto fail_free_fpregs;
30071 vcpu->arch.pio_data = page_address(page);
30072
30073 kvm_set_tsc_khz(vcpu, max_tsc_khz);
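Review bot: `kmem_cache_alloc(fpregs_state_cachep, GFP_KERNEL)` returns uninitialised slab memory, while the guest FPU state it now backs is copied out by the get_xsave and get_fpu ioctl handlers touched earlier in this file. Whether `fpstate_init()` in fx_init clears the whole buffer before any of those handlers can run is not visible here. I would allocate with `kmem_cache_zalloc(fpregs_state_cachep, GFP_KERNEL)` so that stale kernel data cannot reach the VMM even if the initialisation order changes. kvm_arch_vcpu_init continues outside the hunk.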
30074@@ -7621,6 +7628,9 @@ fail_mmu_destroy:
30075 kvm_mmu_destroy(vcpu);
30076 fail_free_pio_data:
30077 free_page((unsigned long)vcpu->arch.pio_data);
30078+fail_free_fpregs:
30079+ kmem_cache_free(fpregs_state_cachep, vcpu->arch.guest_fpu.state);
30080+ vcpu->arch.guest_fpu.state = NULL;
30081 fail:
30082 return r;
30083 }
30084@@ -7638,6 +7648,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
30085 free_page((unsigned long)vcpu->arch.pio_data);
30086 if (!irqchip_in_kernel(vcpu->kvm))
30087 static_key_slow_dec(&kvm_no_apic_vcpu);
30088+ kmem_cache_free(fpregs_state_cachep, vcpu->arch.guest_fpu.state);
30089+ vcpu->arch.guest_fpu.state = NULL;
30090 }
30091
30092 void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu)
30093diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
30094index f2dc08c..d85d906 100644
30095--- a/arch/x86/lguest/boot.c
30096+++ b/arch/x86/lguest/boot.c
30097@@ -1341,9 +1341,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count)
30098 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
30099 * Launcher to reboot us.
30100 */
30101-static void lguest_restart(char *reason)
30102+static __noreturn void lguest_restart(char *reason)
30103 {
30104 hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0);
30105+ BUG();
30106 }
30107
30108 /*G:050
30109diff --git a/arch/x86/lib/atomic64_386_32.S b/arch/x86/lib/atomic64_386_32.S
30110index 9b0ca8f..bb4af41 100644
30111--- a/arch/x86/lib/atomic64_386_32.S
30112+++ b/arch/x86/lib/atomic64_386_32.S
30113@@ -45,6 +45,10 @@ BEGIN(read)
30114 movl (v), %eax
30115 movl 4(v), %edx
30116 RET_ENDP
30117+BEGIN(read_unchecked)
30118+ movl (v), %eax
30119+ movl 4(v), %edx
30120+RET_ENDP
30121 #undef v
30122
30123 #define v %esi
30124@@ -52,6 +56,10 @@ BEGIN(set)
30125 movl %ebx, (v)
30126 movl %ecx, 4(v)
30127 RET_ENDP
30128+BEGIN(set_unchecked)
30129+ movl %ebx, (v)
30130+ movl %ecx, 4(v)
30131+RET_ENDP
30132 #undef v
30133
30134 #define v %esi
30135@@ -67,6 +75,20 @@ RET_ENDP
30136 BEGIN(add)
30137 addl %eax, (v)
30138 adcl %edx, 4(v)
30139+
30140+#ifdef CONFIG_PAX_REFCOUNT
30141+ jno 0f
30142+ subl %eax, (v)
30143+ sbbl %edx, 4(v)
30144+ int $4
30145+0:
30146+ _ASM_EXTABLE(0b, 0b)
30147+#endif
30148+
30149+RET_ENDP
30150+BEGIN(add_unchecked)
30151+ addl %eax, (v)
30152+ adcl %edx, 4(v)
30153 RET_ENDP
30154 #undef v
30155
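Review bot: The overflow path added to `add` is not commented and is easy to misread. When `jno 0f` is not taken, the code undoes the addition with `subl`/`sbbl`, raises the overflow trap with `int $4`, and relies on `_ASM_EXTABLE(0b, 0b)` to resume at the label right after the trap. I would put `/* PAX_REFCOUNT: signed overflow - undo the add, trap via #OF, resume at 0: */` above the `jno`. The `sub`, `inc` and `dec` hunks use the same sequence, and the `*_return`, `add_unless`, `inc_not_zero` and `dec_if_positive` hunks use an `into`/`1234:` variant that skips the store instead; one comment at the first use of each would cover them. The `*_unchecked` bodies are hand-written copies, so they have to be kept in step with the checked ones manually.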
30156@@ -74,6 +96,24 @@ RET_ENDP
30157 BEGIN(add_return)
30158 addl (v), %eax
30159 adcl 4(v), %edx
30160+
30161+#ifdef CONFIG_PAX_REFCOUNT
30162+ into
30163+1234:
30164+ _ASM_EXTABLE(1234b, 2f)
30165+#endif
30166+
30167+ movl %eax, (v)
30168+ movl %edx, 4(v)
30169+
30170+#ifdef CONFIG_PAX_REFCOUNT
30171+2:
30172+#endif
30173+
30174+RET_ENDP
30175+BEGIN(add_return_unchecked)
30176+ addl (v), %eax
30177+ adcl 4(v), %edx
30178 movl %eax, (v)
30179 movl %edx, 4(v)
30180 RET_ENDP
30181@@ -83,6 +123,20 @@ RET_ENDP
30182 BEGIN(sub)
30183 subl %eax, (v)
30184 sbbl %edx, 4(v)
30185+
30186+#ifdef CONFIG_PAX_REFCOUNT
30187+ jno 0f
30188+ addl %eax, (v)
30189+ adcl %edx, 4(v)
30190+ int $4
30191+0:
30192+ _ASM_EXTABLE(0b, 0b)
30193+#endif
30194+
30195+RET_ENDP
30196+BEGIN(sub_unchecked)
30197+ subl %eax, (v)
30198+ sbbl %edx, 4(v)
30199 RET_ENDP
30200 #undef v
30201
30202@@ -93,6 +147,27 @@ BEGIN(sub_return)
30203 sbbl $0, %edx
30204 addl (v), %eax
30205 adcl 4(v), %edx
30206+
30207+#ifdef CONFIG_PAX_REFCOUNT
30208+ into
30209+1234:
30210+ _ASM_EXTABLE(1234b, 2f)
30211+#endif
30212+
30213+ movl %eax, (v)
30214+ movl %edx, 4(v)
30215+
30216+#ifdef CONFIG_PAX_REFCOUNT
30217+2:
30218+#endif
30219+
30220+RET_ENDP
30221+BEGIN(sub_return_unchecked)
30222+ negl %edx
30223+ negl %eax
30224+ sbbl $0, %edx
30225+ addl (v), %eax
30226+ adcl 4(v), %edx
30227 movl %eax, (v)
30228 movl %edx, 4(v)
30229 RET_ENDP
30230@@ -102,6 +177,20 @@ RET_ENDP
30231 BEGIN(inc)
30232 addl $1, (v)
30233 adcl $0, 4(v)
30234+
30235+#ifdef CONFIG_PAX_REFCOUNT
30236+ jno 0f
30237+ subl $1, (v)
30238+ sbbl $0, 4(v)
30239+ int $4
30240+0:
30241+ _ASM_EXTABLE(0b, 0b)
30242+#endif
30243+
30244+RET_ENDP
30245+BEGIN(inc_unchecked)
30246+ addl $1, (v)
30247+ adcl $0, 4(v)
30248 RET_ENDP
30249 #undef v
30250
30251@@ -111,6 +200,26 @@ BEGIN(inc_return)
30252 movl 4(v), %edx
30253 addl $1, %eax
30254 adcl $0, %edx
30255+
30256+#ifdef CONFIG_PAX_REFCOUNT
30257+ into
30258+1234:
30259+ _ASM_EXTABLE(1234b, 2f)
30260+#endif
30261+
30262+ movl %eax, (v)
30263+ movl %edx, 4(v)
30264+
30265+#ifdef CONFIG_PAX_REFCOUNT
30266+2:
30267+#endif
30268+
30269+RET_ENDP
30270+BEGIN(inc_return_unchecked)
30271+ movl (v), %eax
30272+ movl 4(v), %edx
30273+ addl $1, %eax
30274+ adcl $0, %edx
30275 movl %eax, (v)
30276 movl %edx, 4(v)
30277 RET_ENDP
30278@@ -120,6 +229,20 @@ RET_ENDP
30279 BEGIN(dec)
30280 subl $1, (v)
30281 sbbl $0, 4(v)
30282+
30283+#ifdef CONFIG_PAX_REFCOUNT
30284+ jno 0f
30285+ addl $1, (v)
30286+ adcl $0, 4(v)
30287+ int $4
30288+0:
30289+ _ASM_EXTABLE(0b, 0b)
30290+#endif
30291+
30292+RET_ENDP
30293+BEGIN(dec_unchecked)
30294+ subl $1, (v)
30295+ sbbl $0, 4(v)
30296 RET_ENDP
30297 #undef v
30298
30299@@ -129,6 +252,26 @@ BEGIN(dec_return)
30300 movl 4(v), %edx
30301 subl $1, %eax
30302 sbbl $0, %edx
30303+
30304+#ifdef CONFIG_PAX_REFCOUNT
30305+ into
30306+1234:
30307+ _ASM_EXTABLE(1234b, 2f)
30308+#endif
30309+
30310+ movl %eax, (v)
30311+ movl %edx, 4(v)
30312+
30313+#ifdef CONFIG_PAX_REFCOUNT
30314+2:
30315+#endif
30316+
30317+RET_ENDP
30318+BEGIN(dec_return_unchecked)
30319+ movl (v), %eax
30320+ movl 4(v), %edx
30321+ subl $1, %eax
30322+ sbbl $0, %edx
30323 movl %eax, (v)
30324 movl %edx, 4(v)
30325 RET_ENDP
30326@@ -140,6 +283,13 @@ BEGIN(add_unless)
30327 adcl %edx, %edi
30328 addl (v), %eax
30329 adcl 4(v), %edx
30330+
30331+#ifdef CONFIG_PAX_REFCOUNT
30332+ into
30333+1234:
30334+ _ASM_EXTABLE(1234b, 2f)
30335+#endif
30336+
30337 cmpl %eax, %ecx
30338 je 3f
30339 1:
30340@@ -165,6 +315,13 @@ BEGIN(inc_not_zero)
30341 1:
30342 addl $1, %eax
30343 adcl $0, %edx
30344+
30345+#ifdef CONFIG_PAX_REFCOUNT
30346+ into
30347+1234:
30348+ _ASM_EXTABLE(1234b, 2f)
30349+#endif
30350+
30351 movl %eax, (v)
30352 movl %edx, 4(v)
30353 movl $1, %eax
30354@@ -183,6 +340,13 @@ BEGIN(dec_if_positive)
30355 movl 4(v), %edx
30356 subl $1, %eax
30357 sbbl $0, %edx
30358+
30359+#ifdef CONFIG_PAX_REFCOUNT
30360+ into
30361+1234:
30362+ _ASM_EXTABLE(1234b, 1f)
30363+#endif
30364+
30365 js 1f
30366 movl %eax, (v)
30367 movl %edx, 4(v)
30368diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S
30369index db3ae854..b8ad0de 100644
30370--- a/arch/x86/lib/atomic64_cx8_32.S
30371+++ b/arch/x86/lib/atomic64_cx8_32.S
30372@@ -22,9 +22,16 @@
30373
30374 ENTRY(atomic64_read_cx8)
30375 read64 %ecx
30376+ pax_force_retaddr
30377 ret
30378 ENDPROC(atomic64_read_cx8)
30379
30380+ENTRY(atomic64_read_unchecked_cx8)
30381+ read64 %ecx
30382+ pax_force_retaddr
30383+ ret
30384+ENDPROC(atomic64_read_unchecked_cx8)
30385+
30386 ENTRY(atomic64_set_cx8)
30387 1:
30388 /* we don't need LOCK_PREFIX since aligned 64-bit writes
30389@@ -32,20 +39,33 @@ ENTRY(atomic64_set_cx8)
30390 cmpxchg8b (%esi)
30391 jne 1b
30392
30393+ pax_force_retaddr
30394 ret
30395 ENDPROC(atomic64_set_cx8)
30396
30397+ENTRY(atomic64_set_unchecked_cx8)
30398+1:
30399+/* we don't need LOCK_PREFIX since aligned 64-bit writes
30400+ * are atomic on 586 and newer */
30401+ cmpxchg8b (%esi)
30402+ jne 1b
30403+
30404+ pax_force_retaddr
30405+ ret
30406+ENDPROC(atomic64_set_unchecked_cx8)
30407+
30408 ENTRY(atomic64_xchg_cx8)
30409 1:
30410 LOCK_PREFIX
30411 cmpxchg8b (%esi)
30412 jne 1b
30413
30414+ pax_force_retaddr
30415 ret
30416 ENDPROC(atomic64_xchg_cx8)
30417
30418-.macro addsub_return func ins insc
30419-ENTRY(atomic64_\func\()_return_cx8)
30420+.macro addsub_return func ins insc unchecked=""
30421+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
30422 pushl %ebp
30423 pushl %ebx
30424 pushl %esi
30425@@ -61,26 +81,43 @@ ENTRY(atomic64_\func\()_return_cx8)
30426 movl %edx, %ecx
30427 \ins\()l %esi, %ebx
30428 \insc\()l %edi, %ecx
30429+
30430+.ifb \unchecked
30431+#ifdef CONFIG_PAX_REFCOUNT
30432+ into
30433+2:
30434+ _ASM_EXTABLE(2b, 3f)
30435+#endif
30436+.endif
30437+
30438 LOCK_PREFIX
30439 cmpxchg8b (%ebp)
30440 jne 1b
30441-
30442-10:
30443 movl %ebx, %eax
30444 movl %ecx, %edx
30445+
30446+.ifb \unchecked
30447+#ifdef CONFIG_PAX_REFCOUNT
30448+3:
30449+#endif
30450+.endif
30451+
30452 popl %edi
30453 popl %esi
30454 popl %ebx
30455 popl %ebp
30456+ pax_force_retaddr
30457 ret
30458-ENDPROC(atomic64_\func\()_return_cx8)
30459+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
30460 .endm
30461
30462 addsub_return add add adc
30463 addsub_return sub sub sbb
30464+addsub_return add add adc _unchecked
30465+addsub_return sub sub sbb _unchecked
30466
30467-.macro incdec_return func ins insc
30468-ENTRY(atomic64_\func\()_return_cx8)
30469+.macro incdec_return func ins insc unchecked=""
30470+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
30471 pushl %ebx
30472
30473 read64 %esi
30474@@ -89,20 +126,37 @@ ENTRY(atomic64_\func\()_return_cx8)
30475 movl %edx, %ecx
30476 \ins\()l $1, %ebx
30477 \insc\()l $0, %ecx
30478+
30479+.ifb \unchecked
30480+#ifdef CONFIG_PAX_REFCOUNT
30481+ into
30482+2:
30483+ _ASM_EXTABLE(2b, 3f)
30484+#endif
30485+.endif
30486+
30487 LOCK_PREFIX
30488 cmpxchg8b (%esi)
30489 jne 1b
30490-
30491-10:
30492 movl %ebx, %eax
30493 movl %ecx, %edx
30494+
30495+.ifb \unchecked
30496+#ifdef CONFIG_PAX_REFCOUNT
30497+3:
30498+#endif
30499+.endif
30500+
30501 popl %ebx
30502+ pax_force_retaddr
30503 ret
30504-ENDPROC(atomic64_\func\()_return_cx8)
30505+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
30506 .endm
30507
30508 incdec_return inc add adc
30509 incdec_return dec sub sbb
30510+incdec_return inc add adc _unchecked
30511+incdec_return dec sub sbb _unchecked
30512
30513 ENTRY(atomic64_dec_if_positive_cx8)
30514 pushl %ebx
30515@@ -113,6 +167,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
30516 movl %edx, %ecx
30517 subl $1, %ebx
30518 sbb $0, %ecx
30519+
30520+#ifdef CONFIG_PAX_REFCOUNT
30521+ into
30522+1234:
30523+ _ASM_EXTABLE(1234b, 2f)
30524+#endif
30525+
30526 js 2f
30527 LOCK_PREFIX
30528 cmpxchg8b (%esi)
30529@@ -122,6 +183,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
30530 movl %ebx, %eax
30531 movl %ecx, %edx
30532 popl %ebx
30533+ pax_force_retaddr
30534 ret
30535 ENDPROC(atomic64_dec_if_positive_cx8)
30536
30537@@ -144,6 +206,13 @@ ENTRY(atomic64_add_unless_cx8)
30538 movl %edx, %ecx
30539 addl %ebp, %ebx
30540 adcl %edi, %ecx
30541+
30542+#ifdef CONFIG_PAX_REFCOUNT
30543+ into
30544+1234:
30545+ _ASM_EXTABLE(1234b, 3f)
30546+#endif
30547+
30548 LOCK_PREFIX
30549 cmpxchg8b (%esi)
30550 jne 1b
30551@@ -153,6 +222,7 @@ ENTRY(atomic64_add_unless_cx8)
30552 addl $8, %esp
30553 popl %ebx
30554 popl %ebp
30555+ pax_force_retaddr
30556 ret
30557 4:
30558 cmpl %edx, 4(%esp)
30559@@ -173,6 +243,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
30560 xorl %ecx, %ecx
30561 addl $1, %ebx
30562 adcl %edx, %ecx
30563+
30564+#ifdef CONFIG_PAX_REFCOUNT
30565+ into
30566+1234:
30567+ _ASM_EXTABLE(1234b, 3f)
30568+#endif
30569+
30570 LOCK_PREFIX
30571 cmpxchg8b (%esi)
30572 jne 1b
30573@@ -180,5 +257,6 @@ ENTRY(atomic64_inc_not_zero_cx8)
30574 movl $1, %eax
30575 3:
30576 popl %ebx
30577+ pax_force_retaddr
30578 ret
30579 ENDPROC(atomic64_inc_not_zero_cx8)
30580diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S
30581index c1e6232..758bc31 100644
30582--- a/arch/x86/lib/checksum_32.S
30583+++ b/arch/x86/lib/checksum_32.S
30584@@ -28,7 +28,8 @@
30585 #include <linux/linkage.h>
30586 #include <asm/errno.h>
30587 #include <asm/asm.h>
30588-
30589+#include <asm/segment.h>
30590+
30591 /*
30592 * computes a partial checksum, e.g. for TCP/UDP fragments
30593 */
30594@@ -280,7 +281,20 @@ unsigned int csum_partial_copy_generic (const char *src, char *dst,
30595
30596 #define ARGBASE 16
30597 #define FP 12
30598-
30599+
30600+#ifdef CONFIG_PAX_MEMORY_UDEREF
30601+ pushl %gs
30602+ popl %es
30603+ jmp csum_partial_copy_generic
30604+#endif
30605+
30606+ENTRY(csum_partial_copy_generic_from_user)
30607+
30608+#ifdef CONFIG_PAX_MEMORY_UDEREF
30609+ pushl %gs
30610+ popl %ds
30611+#endif
30612+
30613 ENTRY(csum_partial_copy_generic)
30614 subl $4,%esp
30615 pushl %edi
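Review bot: The UDEREF stub that loads `%es` from `%gs` and jumps to `csum_partial_copy_generic` is added here without a preceding `ENTRY(csum_partial_copy_generic_to_user)`. The matching `ENDPROC(csum_partial_copy_generic_to_user)` is added further down, and the PentiumII/PPro variant of the same stub does open with that ENTRY. As shown, the three instructions have no label and the `_to_user` symbol is never defined in this variant, so the line `ENTRY(csum_partial_copy_generic_to_user)` should be added before the first `#ifdef CONFIG_PAX_MEMORY_UDEREF`. Since this stub selects which segment the user-side access goes through, the configuration that selects this variant should be built and tested. The function body continues outside the hunk.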
30616@@ -299,7 +313,7 @@ ENTRY(csum_partial_copy_generic)
30617 jmp 4f
30618 SRC(1: movw (%esi), %bx )
30619 addl $2, %esi
30620-DST( movw %bx, (%edi) )
30621+DST( movw %bx, %es:(%edi) )
30622 addl $2, %edi
30623 addw %bx, %ax
30624 adcl $0, %eax
30625@@ -311,30 +325,30 @@ DST( movw %bx, (%edi) )
30626 SRC(1: movl (%esi), %ebx )
30627 SRC( movl 4(%esi), %edx )
30628 adcl %ebx, %eax
30629-DST( movl %ebx, (%edi) )
30630+DST( movl %ebx, %es:(%edi) )
30631 adcl %edx, %eax
30632-DST( movl %edx, 4(%edi) )
30633+DST( movl %edx, %es:4(%edi) )
30634
30635 SRC( movl 8(%esi), %ebx )
30636 SRC( movl 12(%esi), %edx )
30637 adcl %ebx, %eax
30638-DST( movl %ebx, 8(%edi) )
30639+DST( movl %ebx, %es:8(%edi) )
30640 adcl %edx, %eax
30641-DST( movl %edx, 12(%edi) )
30642+DST( movl %edx, %es:12(%edi) )
30643
30644 SRC( movl 16(%esi), %ebx )
30645 SRC( movl 20(%esi), %edx )
30646 adcl %ebx, %eax
30647-DST( movl %ebx, 16(%edi) )
30648+DST( movl %ebx, %es:16(%edi) )
30649 adcl %edx, %eax
30650-DST( movl %edx, 20(%edi) )
30651+DST( movl %edx, %es:20(%edi) )
30652
30653 SRC( movl 24(%esi), %ebx )
30654 SRC( movl 28(%esi), %edx )
30655 adcl %ebx, %eax
30656-DST( movl %ebx, 24(%edi) )
30657+DST( movl %ebx, %es:24(%edi) )
30658 adcl %edx, %eax
30659-DST( movl %edx, 28(%edi) )
30660+DST( movl %edx, %es:28(%edi) )
30661
30662 lea 32(%esi), %esi
30663 lea 32(%edi), %edi
30664@@ -348,7 +362,7 @@ DST( movl %edx, 28(%edi) )
30665 shrl $2, %edx # This clears CF
30666 SRC(3: movl (%esi), %ebx )
30667 adcl %ebx, %eax
30668-DST( movl %ebx, (%edi) )
30669+DST( movl %ebx, %es:(%edi) )
30670 lea 4(%esi), %esi
30671 lea 4(%edi), %edi
30672 dec %edx
30673@@ -360,12 +374,12 @@ DST( movl %ebx, (%edi) )
30674 jb 5f
30675 SRC( movw (%esi), %cx )
30676 leal 2(%esi), %esi
30677-DST( movw %cx, (%edi) )
30678+DST( movw %cx, %es:(%edi) )
30679 leal 2(%edi), %edi
30680 je 6f
30681 shll $16,%ecx
30682 SRC(5: movb (%esi), %cl )
30683-DST( movb %cl, (%edi) )
30684+DST( movb %cl, %es:(%edi) )
30685 6: addl %ecx, %eax
30686 adcl $0, %eax
30687 7:
30688@@ -376,7 +390,7 @@ DST( movb %cl, (%edi) )
30689
30690 6001:
30691 movl ARGBASE+20(%esp), %ebx # src_err_ptr
30692- movl $-EFAULT, (%ebx)
30693+ movl $-EFAULT, %ss:(%ebx)
30694
30695 # zero the complete destination - computing the rest
30696 # is too much work
30697@@ -389,34 +403,58 @@ DST( movb %cl, (%edi) )
30698
30699 6002:
30700 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
30701- movl $-EFAULT,(%ebx)
30702+ movl $-EFAULT,%ss:(%ebx)
30703 jmp 5000b
30704
30705 .previous
30706
30707+#ifdef CONFIG_PAX_MEMORY_UDEREF
30708+ pushl %ss
30709+ popl %ds
30710+ pushl %ss
30711+ popl %es
30712+#endif
30713+
30714 popl %ebx
30715 popl %esi
30716 popl %edi
30717 popl %ecx # equivalent to addl $4,%esp
30718 ret
30719-ENDPROC(csum_partial_copy_generic)
30720+ENDPROC(csum_partial_copy_generic_to_user)
30721
30722 #else
30723
30724 /* Version for PentiumII/PPro */
30725
30726 #define ROUND1(x) \
30727+ nop; nop; nop; \
30728 SRC(movl x(%esi), %ebx ) ; \
30729 addl %ebx, %eax ; \
30730- DST(movl %ebx, x(%edi) ) ;
30731+ DST(movl %ebx, %es:x(%edi)) ;
30732
30733 #define ROUND(x) \
30734+ nop; nop; nop; \
30735 SRC(movl x(%esi), %ebx ) ; \
30736 adcl %ebx, %eax ; \
30737- DST(movl %ebx, x(%edi) ) ;
30738+ DST(movl %ebx, %es:x(%edi)) ;
30739
30740 #define ARGBASE 12
30741-
30742+
30743+ENTRY(csum_partial_copy_generic_to_user)
30744+
30745+#ifdef CONFIG_PAX_MEMORY_UDEREF
30746+ pushl %gs
30747+ popl %es
30748+ jmp csum_partial_copy_generic
30749+#endif
30750+
30751+ENTRY(csum_partial_copy_generic_from_user)
30752+
30753+#ifdef CONFIG_PAX_MEMORY_UDEREF
30754+ pushl %gs
30755+ popl %ds
30756+#endif
30757+
30758 ENTRY(csum_partial_copy_generic)
30759 pushl %ebx
30760 pushl %edi
30761@@ -435,7 +473,7 @@ ENTRY(csum_partial_copy_generic)
30762 subl %ebx, %edi
30763 lea -1(%esi),%edx
30764 andl $-32,%edx
30765- lea 3f(%ebx,%ebx), %ebx
30766+ lea 3f(%ebx,%ebx,2), %ebx
30767 testl %esi, %esi
30768 jmp *%ebx
30769 1: addl $64,%esi
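Review bot: The change of the computed-jump scale from `3f(%ebx,%ebx)` to `3f(%ebx,%ebx,2)` depends on the `nop; nop; nop;` padding and the `%es:` prefix added to ROUND1/ROUND in the previous hunk, but nothing in the source says so. Presumably each unrolled round must keep a fixed encoded size that matches this multiplier, since `jmp *%ebx` lands inside the unrolled sequence; if the sizes drift apart, the jump would land mid-instruction. I would add `/* entry size of ROUND grew with the %es: prefix and nop padding; the scale here must match it */` above the `lea`. The function body continues outside the hunk.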
30770@@ -456,19 +494,19 @@ ENTRY(csum_partial_copy_generic)
30771 jb 5f
30772 SRC( movw (%esi), %dx )
30773 leal 2(%esi), %esi
30774-DST( movw %dx, (%edi) )
30775+DST( movw %dx, %es:(%edi) )
30776 leal 2(%edi), %edi
30777 je 6f
30778 shll $16,%edx
30779 5:
30780 SRC( movb (%esi), %dl )
30781-DST( movb %dl, (%edi) )
30782+DST( movb %dl, %es:(%edi) )
30783 6: addl %edx, %eax
30784 adcl $0, %eax
30785 7:
30786 .section .fixup, "ax"
30787 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
30788- movl $-EFAULT, (%ebx)
30789+ movl $-EFAULT, %ss:(%ebx)
30790 # zero the complete destination (computing the rest is too much work)
30791 movl ARGBASE+8(%esp),%edi # dst
30792 movl ARGBASE+12(%esp),%ecx # len
30793@@ -476,15 +514,22 @@ DST( movb %dl, (%edi) )
30794 rep; stosb
30795 jmp 7b
30796 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
30797- movl $-EFAULT, (%ebx)
30798+ movl $-EFAULT, %ss:(%ebx)
30799 jmp 7b
30800 .previous
30801
30802+#ifdef CONFIG_PAX_MEMORY_UDEREF
30803+ pushl %ss
30804+ popl %ds
30805+ pushl %ss
30806+ popl %es
30807+#endif
30808+
30809 popl %esi
30810 popl %edi
30811 popl %ebx
30812 ret
30813-ENDPROC(csum_partial_copy_generic)
30814+ENDPROC(csum_partial_copy_generic_to_user)
30815
30816 #undef ROUND
30817 #undef ROUND1
30818diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S
30819index a2fe51b..507dab0 100644
30820--- a/arch/x86/lib/clear_page_64.S
30821+++ b/arch/x86/lib/clear_page_64.S
30822@@ -21,6 +21,7 @@ ENTRY(clear_page)
30823 movl $4096/8,%ecx
30824 xorl %eax,%eax
30825 rep stosq
30826+ pax_force_retaddr
30827 ret
30828 ENDPROC(clear_page)
30829
30830@@ -43,6 +44,7 @@ ENTRY(clear_page_orig)
30831 leaq 64(%rdi),%rdi
30832 jnz .Lloop
30833 nop
30834+ pax_force_retaddr
30835 ret
30836 ENDPROC(clear_page_orig)
30837
30838@@ -50,5 +52,6 @@ ENTRY(clear_page_c_e)
30839 movl $4096,%ecx
30840 xorl %eax,%eax
30841 rep stosb
30842+ pax_force_retaddr
30843 ret
30844 ENDPROC(clear_page_c_e)
30845diff --git a/arch/x86/lib/cmpxchg16b_emu.S b/arch/x86/lib/cmpxchg16b_emu.S
30846index 9b33024..e52ee44 100644
30847--- a/arch/x86/lib/cmpxchg16b_emu.S
30848+++ b/arch/x86/lib/cmpxchg16b_emu.S
30849@@ -7,6 +7,7 @@
30850 */
30851 #include <linux/linkage.h>
30852 #include <asm/percpu.h>
30853+#include <asm/alternative-asm.h>
30854
30855 .text
30856
30857@@ -43,11 +44,13 @@ ENTRY(this_cpu_cmpxchg16b_emu)
30858
30859 popfq
30860 mov $1, %al
30861+ pax_force_retaddr
30862 ret
30863
30864 .Lnot_same:
30865 popfq
30866 xor %al,%al
30867+ pax_force_retaddr
30868 ret
30869
30870 ENDPROC(this_cpu_cmpxchg16b_emu)
30871diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S
30872index 009f982..9b3db5e 100644
30873--- a/arch/x86/lib/copy_page_64.S
30874+++ b/arch/x86/lib/copy_page_64.S
30875@@ -15,13 +15,14 @@ ENTRY(copy_page)
30876 ALTERNATIVE "jmp copy_page_regs", "", X86_FEATURE_REP_GOOD
30877 movl $4096/8, %ecx
30878 rep movsq
30879+ pax_force_retaddr
30880 ret
30881 ENDPROC(copy_page)
30882
30883 ENTRY(copy_page_regs)
30884 subq $2*8, %rsp
30885 movq %rbx, (%rsp)
30886- movq %r12, 1*8(%rsp)
30887+ movq %r13, 1*8(%rsp)
30888
30889 movl $(4096/64)-5, %ecx
30890 .p2align 4
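Review bot: The spill slot and scratch register switch from `%r12` to `%r13` throughout copy_page_regs without a comment, so the next person to touch this routine can reintroduce `%r12` without noticing. Presumably `%r12` is reserved by the return-address hardening behind `pax_force_retaddr`, which is not visible on this page. If so, say it once at the top of the function, for example `/* %r12 is reserved under KERNEXEC; use %r13 as scratch */`. The remaining hunks of this file repeat the same substitution.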
30891@@ -34,7 +35,7 @@ ENTRY(copy_page_regs)
30892 movq 0x8*4(%rsi), %r9
30893 movq 0x8*5(%rsi), %r10
30894 movq 0x8*6(%rsi), %r11
30895- movq 0x8*7(%rsi), %r12
30896+ movq 0x8*7(%rsi), %r13
30897
30898 prefetcht0 5*64(%rsi)
30899
30900@@ -45,7 +46,7 @@ ENTRY(copy_page_regs)
30901 movq %r9, 0x8*4(%rdi)
30902 movq %r10, 0x8*5(%rdi)
30903 movq %r11, 0x8*6(%rdi)
30904- movq %r12, 0x8*7(%rdi)
30905+ movq %r13, 0x8*7(%rdi)
30906
30907 leaq 64 (%rsi), %rsi
30908 leaq 64 (%rdi), %rdi
30909@@ -64,7 +65,7 @@ ENTRY(copy_page_regs)
30910 movq 0x8*4(%rsi), %r9
30911 movq 0x8*5(%rsi), %r10
30912 movq 0x8*6(%rsi), %r11
30913- movq 0x8*7(%rsi), %r12
30914+ movq 0x8*7(%rsi), %r13
30915
30916 movq %rax, 0x8*0(%rdi)
30917 movq %rbx, 0x8*1(%rdi)
30918@@ -73,14 +74,15 @@ ENTRY(copy_page_regs)
30919 movq %r9, 0x8*4(%rdi)
30920 movq %r10, 0x8*5(%rdi)
30921 movq %r11, 0x8*6(%rdi)
30922- movq %r12, 0x8*7(%rdi)
30923+ movq %r13, 0x8*7(%rdi)
30924
30925 leaq 64(%rdi), %rdi
30926 leaq 64(%rsi), %rsi
30927 jnz .Loop2
30928
30929 movq (%rsp), %rbx
30930- movq 1*8(%rsp), %r12
30931+ movq 1*8(%rsp), %r13
30932 addq $2*8, %rsp
30933+ pax_force_retaddr
30934 ret
30935 ENDPROC(copy_page_regs)
30936diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
30937index 982ce34..8e14731 100644
30938--- a/arch/x86/lib/copy_user_64.S
30939+++ b/arch/x86/lib/copy_user_64.S
30940@@ -14,50 +14,7 @@
30941 #include <asm/alternative-asm.h>
30942 #include <asm/asm.h>
30943 #include <asm/smap.h>
30944-
30945-/* Standard copy_to_user with segment limit checking */
30946-ENTRY(_copy_to_user)
30947- GET_THREAD_INFO(%rax)
30948- movq %rdi,%rcx
30949- addq %rdx,%rcx
30950- jc bad_to_user
30951- cmpq TI_addr_limit(%rax),%rcx
30952- ja bad_to_user
30953- ALTERNATIVE_2 "jmp copy_user_generic_unrolled", \
30954- "jmp copy_user_generic_string", \
30955- X86_FEATURE_REP_GOOD, \
30956- "jmp copy_user_enhanced_fast_string", \
30957- X86_FEATURE_ERMS
30958-ENDPROC(_copy_to_user)
30959-
30960-/* Standard copy_from_user with segment limit checking */
30961-ENTRY(_copy_from_user)
30962- GET_THREAD_INFO(%rax)
30963- movq %rsi,%rcx
30964- addq %rdx,%rcx
30965- jc bad_from_user
30966- cmpq TI_addr_limit(%rax),%rcx
30967- ja bad_from_user
30968- ALTERNATIVE_2 "jmp copy_user_generic_unrolled", \
30969- "jmp copy_user_generic_string", \
30970- X86_FEATURE_REP_GOOD, \
30971- "jmp copy_user_enhanced_fast_string", \
30972- X86_FEATURE_ERMS
30973-ENDPROC(_copy_from_user)
30974-
30975- .section .fixup,"ax"
30976- /* must zero dest */
30977-ENTRY(bad_from_user)
30978-bad_from_user:
30979- movl %edx,%ecx
30980- xorl %eax,%eax
30981- rep
30982- stosb
30983-bad_to_user:
30984- movl %edx,%eax
30985- ret
30986-ENDPROC(bad_from_user)
30987- .previous
30988+#include <asm/pgtable.h>
30989
30990 /*
30991 * copy_user_generic_unrolled - memory copy with exception handling.
30992@@ -73,6 +30,7 @@ ENDPROC(bad_from_user)
30993 * eax uncopied bytes or 0 if successful.
30994 */
30995 ENTRY(copy_user_generic_unrolled)
30996+ ASM_PAX_OPEN_USERLAND
30997 ASM_STAC
30998 cmpl $8,%edx
30999 jb 20f /* less then 8 bytes, go to byte copy loop */
31000@@ -122,6 +80,8 @@ ENTRY(copy_user_generic_unrolled)
31001 jnz 21b
31002 23: xor %eax,%eax
31003 ASM_CLAC
31004+ ASM_PAX_CLOSE_USERLAND
31005+ pax_force_retaddr
31006 ret
31007
31008 .section .fixup,"ax"
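Review bot: `ASM_PAX_CLOSE_USERLAND` is added only on the success return, next to `ASM_CLAC`; the faulting exit through the `.fixup` section that begins on the last line of this hunk is not shown. If that path returns without closing the userland window, the kernel keeps user memory accessible after a failed copy, so the fixup exit (or the tail handler it jumps to) needs the matching close. The same question applies to copy_user_generic_string, copy_user_enhanced_fast_string and __copy_user_nocache in the following hunks. A comment at each `ASM_PAX_OPEN_USERLAND` naming where the fault path closes the window would settle this for readers.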
31009@@ -175,6 +135,7 @@ ENDPROC(copy_user_generic_unrolled)
31010 * eax uncopied bytes or 0 if successful.
31011 */
31012 ENTRY(copy_user_generic_string)
31013+ ASM_PAX_OPEN_USERLAND
31014 ASM_STAC
31015 cmpl $8,%edx
31016 jb 2f /* less than 8 bytes, go to byte copy loop */
31017@@ -189,6 +150,8 @@ ENTRY(copy_user_generic_string)
31018 movsb
31019 xorl %eax,%eax
31020 ASM_CLAC
31021+ ASM_PAX_CLOSE_USERLAND
31022+ pax_force_retaddr
31023 ret
31024
31025 .section .fixup,"ax"
31026@@ -214,12 +177,15 @@ ENDPROC(copy_user_generic_string)
31027 * eax uncopied bytes or 0 if successful.
31028 */
31029 ENTRY(copy_user_enhanced_fast_string)
31030+ ASM_PAX_OPEN_USERLAND
31031 ASM_STAC
31032 movl %edx,%ecx
31033 1: rep
31034 movsb
31035 xorl %eax,%eax
31036 ASM_CLAC
31037+ ASM_PAX_CLOSE_USERLAND
31038+ pax_force_retaddr
31039 ret
31040
31041 .section .fixup,"ax"
31042@@ -235,6 +201,16 @@ ENDPROC(copy_user_enhanced_fast_string)
31043 * This will force destination/source out of cache for more performance.
31044 */
31045 ENTRY(__copy_user_nocache)
31046+
31047+#ifdef CONFIG_PAX_MEMORY_UDEREF
31048+ mov pax_user_shadow_base,%rcx
31049+ cmp %rcx,%rsi
31050+ jae 1f
31051+ add %rcx,%rsi
31052+1:
31053+#endif
31054+
31055+ ASM_PAX_OPEN_USERLAND
31056 ASM_STAC
31057 cmpl $8,%edx
31058 jb 20f /* less then 8 bytes, go to byte copy loop */
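Review bot: The UDEREF block at the top of __copy_user_nocache uses the local label `1:` (`jae 1f`), while the identical block added to getuser.S in this patch uses `1234:`. The rest of the function is outside this hunk, but if its copy loop also defines a `1:` referenced by exception-table entries, reusing the number makes the `1b`/`1f` references harder to follow; `jae 1234f` / `1234:` would match the other files. A comment such as `/* rebase a user-range source pointer by pax_user_shadow_base; only %rsi can be a user address here */` would also explain why the destination is left alone, once that is confirmed against the callers.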
31059@@ -284,7 +260,9 @@ ENTRY(__copy_user_nocache)
31060 jnz 21b
31061 23: xorl %eax,%eax
31062 ASM_CLAC
31063+ ASM_PAX_CLOSE_USERLAND
31064 sfence
31065+ pax_force_retaddr
31066 ret
31067
31068 .section .fixup,"ax"
31069diff --git a/arch/x86/lib/csum-copy_64.S b/arch/x86/lib/csum-copy_64.S
31070index 7e48807..cc966ff 100644
31071--- a/arch/x86/lib/csum-copy_64.S
31072+++ b/arch/x86/lib/csum-copy_64.S
31073@@ -8,6 +8,7 @@
31074 #include <linux/linkage.h>
31075 #include <asm/errno.h>
31076 #include <asm/asm.h>
31077+#include <asm/alternative-asm.h>
31078
31079 /*
31080 * Checksum copy with exception handling.
31081@@ -52,7 +53,7 @@ ENTRY(csum_partial_copy_generic)
31082 .Lignore:
31083 subq $7*8, %rsp
31084 movq %rbx, 2*8(%rsp)
31085- movq %r12, 3*8(%rsp)
31086+ movq %r15, 3*8(%rsp)
31087 movq %r14, 4*8(%rsp)
31088 movq %r13, 5*8(%rsp)
31089 movq %rbp, 6*8(%rsp)
31090@@ -64,16 +65,16 @@ ENTRY(csum_partial_copy_generic)
31091 movl %edx, %ecx
31092
31093 xorl %r9d, %r9d
31094- movq %rcx, %r12
31095+ movq %rcx, %r15
31096
31097- shrq $6, %r12
31098+ shrq $6, %r15
31099 jz .Lhandle_tail /* < 64 */
31100
31101 clc
31102
31103 /* main loop. clear in 64 byte blocks */
31104 /* r9: zero, r8: temp2, rbx: temp1, rax: sum, rcx: saved length */
31105- /* r11: temp3, rdx: temp4, r12 loopcnt */
31106+ /* r11: temp3, rdx: temp4, r15 loopcnt */
31107 /* r10: temp5, rbp: temp6, r14 temp7, r13 temp8 */
31108 .p2align 4
31109 .Lloop:
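Review bot: The loop counter moves from %r12 to %r15 here and in the save, `decl` and restore hunks around it, but neither the register comment nor the code says why %r12 must be avoided. If %r12 is reserved by the return-address hardening behind `pax_force_retaddr` (its definition is not in this file), the register comment should say so, for example `/* r11: temp3, rdx: temp4, r15 loopcnt (r12 left untouched for pax_force_retaddr) */`. Without that, a later cleanup could move the counter back to %r12.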
31110@@ -107,7 +108,7 @@ ENTRY(csum_partial_copy_generic)
31111 adcq %r14, %rax
31112 adcq %r13, %rax
31113
31114- decl %r12d
31115+ decl %r15d
31116
31117 dest
31118 movq %rbx, (%rsi)
31119@@ -200,11 +201,12 @@ ENTRY(csum_partial_copy_generic)
31120
31121 .Lende:
31122 movq 2*8(%rsp), %rbx
31123- movq 3*8(%rsp), %r12
31124+ movq 3*8(%rsp), %r15
31125 movq 4*8(%rsp), %r14
31126 movq 5*8(%rsp), %r13
31127 movq 6*8(%rsp), %rbp
31128 addq $7*8, %rsp
31129+ pax_force_retaddr
31130 ret
31131
31132 /* Exception handlers. Very simple, zeroing is done in the wrappers */
31133diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
31134index 1318f75..44c30fd 100644
31135--- a/arch/x86/lib/csum-wrappers_64.c
31136+++ b/arch/x86/lib/csum-wrappers_64.c
31137@@ -52,10 +52,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
31138 len -= 2;
31139 }
31140 }
31141+ pax_open_userland();
31142 stac();
31143- isum = csum_partial_copy_generic((__force const void *)src,
31144+ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
31145 dst, len, isum, errp, NULL);
31146 clac();
31147+ pax_close_userland();
31148 if (unlikely(*errp))
31149 goto out_err;
31150
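Review bot: `____m(src)` replaces the plain `__force` cast without a comment, and its definition is not part of this hunk, so a reader cannot tell whether the pointer handed to csum_partial_copy_generic() is still the caller's address. A comment on the call such as `/* ____m() translates the user pointer for UDEREF; the userland window is open only across this call */` would make the pairing with pax_open_userland()/pax_close_userland() explicit, with the wording confirmed against the macro. The same applies to the csum_partial_copy_to_user hunk that follows. The function body starts before this hunk.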
31151@@ -109,10 +111,12 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
31152 }
31153
31154 *errp = 0;
31155+ pax_open_userland();
31156 stac();
31157- ret = csum_partial_copy_generic(src, (void __force *)dst,
31158+ ret = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
31159 len, isum, NULL, errp);
31160 clac();
31161+ pax_close_userland();
31162 return ret;
31163 }
31164 EXPORT_SYMBOL(csum_partial_copy_to_user);
31165diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
31166index 46668cd..a3bdfb9 100644
31167--- a/arch/x86/lib/getuser.S
31168+++ b/arch/x86/lib/getuser.S
31169@@ -32,42 +32,93 @@
31170 #include <asm/thread_info.h>
31171 #include <asm/asm.h>
31172 #include <asm/smap.h>
31173+#include <asm/segment.h>
31174+#include <asm/pgtable.h>
31175+#include <asm/alternative-asm.h>
31176+
31177+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
31178+#define __copyuser_seg gs;
31179+#else
31180+#define __copyuser_seg
31181+#endif
31182
31183 .text
31184 ENTRY(__get_user_1)
31185+
31186+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31187 GET_THREAD_INFO(%_ASM_DX)
31188 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31189 jae bad_get_user
31190+
31191+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31192+ mov pax_user_shadow_base,%_ASM_DX
31193+ cmp %_ASM_DX,%_ASM_AX
31194+ jae 1234f
31195+ add %_ASM_DX,%_ASM_AX
31196+1234:
31197+#endif
31198+
31199+#endif
31200+
31201 ASM_STAC
31202-1: movzbl (%_ASM_AX),%edx
31203+1: __copyuser_seg movzbl (%_ASM_AX),%edx
31204 xor %eax,%eax
31205 ASM_CLAC
31206+ pax_force_retaddr
31207 ret
31208 ENDPROC(__get_user_1)
31209
31210 ENTRY(__get_user_2)
31211 add $1,%_ASM_AX
31212+
31213+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31214 jc bad_get_user
31215 GET_THREAD_INFO(%_ASM_DX)
31216 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31217 jae bad_get_user
31218+
31219+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31220+ mov pax_user_shadow_base,%_ASM_DX
31221+ cmp %_ASM_DX,%_ASM_AX
31222+ jae 1234f
31223+ add %_ASM_DX,%_ASM_AX
31224+1234:
31225+#endif
31226+
31227+#endif
31228+
31229 ASM_STAC
31230-2: movzwl -1(%_ASM_AX),%edx
31231+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
31232 xor %eax,%eax
31233 ASM_CLAC
31234+ pax_force_retaddr
31235 ret
31236 ENDPROC(__get_user_2)
31237
31238 ENTRY(__get_user_4)
31239 add $3,%_ASM_AX
31240+
31241+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31242 jc bad_get_user
31243 GET_THREAD_INFO(%_ASM_DX)
31244 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31245 jae bad_get_user
31246+
31247+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31248+ mov pax_user_shadow_base,%_ASM_DX
31249+ cmp %_ASM_DX,%_ASM_AX
31250+ jae 1234f
31251+ add %_ASM_DX,%_ASM_AX
31252+1234:
31253+#endif
31254+
31255+#endif
31256+
31257 ASM_STAC
31258-3: movl -3(%_ASM_AX),%edx
31259+3: __copyuser_seg movl -3(%_ASM_AX),%edx
31260 xor %eax,%eax
31261 ASM_CLAC
31262+ pax_force_retaddr
31263 ret
31264 ENDPROC(__get_user_4)
31265
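Review bot: With CONFIG_X86_32 and CONFIG_PAX_MEMORY_UDEREF both set, the `TI_addr_limit` comparison in __get_user_1/2/4 is compiled out, and in __get_user_2 and __get_user_4 so is the `jc bad_get_user` after the `add`, which leaves the `gs` override from `__copyuser_seg` as the only bound on the load. That is presumably intended, with the segment limit doing the range check, but nothing in the file says so. A comment at the `#if`, e.g. `/* 32-bit UDEREF: the range is enforced by the %gs segment limit, so no addr_limit check */`, would keep a later editor from treating the missing check as a bug. The five-line `pax_user_shadow_base` block is also repeated verbatim three times in this hunk and could be one assembler macro.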
31266@@ -78,10 +129,20 @@ ENTRY(__get_user_8)
31267 GET_THREAD_INFO(%_ASM_DX)
31268 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31269 jae bad_get_user
31270+
31271+#ifdef CONFIG_PAX_MEMORY_UDEREF
31272+ mov pax_user_shadow_base,%_ASM_DX
31273+ cmp %_ASM_DX,%_ASM_AX
31274+ jae 1234f
31275+ add %_ASM_DX,%_ASM_AX
31276+1234:
31277+#endif
31278+
31279 ASM_STAC
31280 4: movq -7(%_ASM_AX),%rdx
31281 xor %eax,%eax
31282 ASM_CLAC
31283+ pax_force_retaddr
31284 ret
31285 #else
31286 add $7,%_ASM_AX
31287@@ -90,10 +151,11 @@ ENTRY(__get_user_8)
31288 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31289 jae bad_get_user_8
31290 ASM_STAC
31291-4: movl -7(%_ASM_AX),%edx
31292-5: movl -3(%_ASM_AX),%ecx
31293+4: __copyuser_seg movl -7(%_ASM_AX),%edx
31294+5: __copyuser_seg movl -3(%_ASM_AX),%ecx
31295 xor %eax,%eax
31296 ASM_CLAC
31297+ pax_force_retaddr
31298 ret
31299 #endif
31300 ENDPROC(__get_user_8)
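Review bot: The 32-bit branch of __get_user_8 gets the `__copyuser_seg` override on both loads, but the `cmp TI_addr_limit(%_ASM_DX),%_ASM_AX` / `jae bad_get_user_8` above them stays unconditional, whereas __get_user_1/2/4 wrap the same check in `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)`. The extra check looks harmless, but the difference is unexplained. Either wrap it the same way or add a comment saying it is kept on purpose. The start of the function is outside this hunk.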
31301@@ -103,6 +165,7 @@ bad_get_user:
31302 xor %edx,%edx
31303 mov $(-EFAULT),%_ASM_AX
31304 ASM_CLAC
31305+ pax_force_retaddr
31306 ret
31307 END(bad_get_user)
31308
31309@@ -112,6 +175,7 @@ bad_get_user_8:
31310 xor %ecx,%ecx
31311 mov $(-EFAULT),%_ASM_AX
31312 ASM_CLAC
31313+ pax_force_retaddr
31314 ret
31315 END(bad_get_user_8)
31316 #endif
31317diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c
31318index 8f72b33..4667a46 100644
31319--- a/arch/x86/lib/insn.c
31320+++ b/arch/x86/lib/insn.c
31321@@ -20,8 +20,10 @@
31322
31323 #ifdef __KERNEL__
31324 #include <linux/string.h>
31325+#include <asm/pgtable_types.h>
31326 #else
31327 #include <string.h>
31328+#define ktla_ktva(addr) addr
31329 #endif
31330 #include <asm/inat.h>
31331 #include <asm/insn.h>
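Review bot: The userspace fallback `#define ktla_ktva(addr) addr` leaves its argument unparenthesised, so a caller that passes an expression inside a larger expression would get different precedence than with the kernel definition. `#define ktla_ktva(addr) (addr)` avoids that. The one use visible in this patch passes a cast expression, so nothing breaks today.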
31332@@ -60,9 +62,9 @@ void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64)
31333 buf_len = MAX_INSN_SIZE;
31334
31335 memset(insn, 0, sizeof(*insn));
31336- insn->kaddr = kaddr;
31337- insn->end_kaddr = kaddr + buf_len;
31338- insn->next_byte = kaddr;
31339+ insn->kaddr = (void *)ktla_ktva((unsigned long)kaddr);
31340+ insn->end_kaddr = insn->kaddr + buf_len;
31341+ insn->next_byte = insn->kaddr;
31342 insn->x86_64 = x86_64 ? 1 : 0;
31343 insn->opnd_bytes = 4;
31344 if (x86_64)
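Review bot: `kaddr` arrives as `const void *`, but the new assignment casts the translated address to plain `(void *)`, dropping the qualifier on the way into `insn->kaddr`. `insn->kaddr = (const void *)ktla_ktva((unsigned long)kaddr);` keeps it const. The field's declaration is not in this hunk, so check the cast against struct insn; `end_kaddr` and `next_byte` are derived from the same value and follow whatever type is chosen.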
31345diff --git a/arch/x86/lib/iomap_copy_64.S b/arch/x86/lib/iomap_copy_64.S
31346index 33147fe..12a8815 100644
31347--- a/arch/x86/lib/iomap_copy_64.S
31348+++ b/arch/x86/lib/iomap_copy_64.S
31349@@ -16,6 +16,7 @@
31350 */
31351
31352 #include <linux/linkage.h>
31353+#include <asm/alternative-asm.h>
31354
31355 /*
31356 * override generic version in lib/iomap_copy.c
31357@@ -23,5 +24,6 @@
31358 ENTRY(__iowrite32_copy)
31359 movl %edx,%ecx
31360 rep movsd
31361+ pax_force_retaddr
31362 ret
31363 ENDPROC(__iowrite32_copy)
31364diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
31365index 16698bb..971d300 100644
31366--- a/arch/x86/lib/memcpy_64.S
31367+++ b/arch/x86/lib/memcpy_64.S
31368@@ -36,6 +36,7 @@ ENTRY(memcpy)
31369 rep movsq
31370 movl %edx, %ecx
31371 rep movsb
31372+ pax_force_retaddr
31373 ret
31374 ENDPROC(memcpy)
31375 ENDPROC(__memcpy)
31376@@ -48,6 +49,7 @@ ENTRY(memcpy_erms)
31377 movq %rdi, %rax
31378 movq %rdx, %rcx
31379 rep movsb
31380+ pax_force_retaddr
31381 ret
31382 ENDPROC(memcpy_erms)
31383
31384@@ -132,6 +134,7 @@ ENTRY(memcpy_orig)
31385 movq %r9, 1*8(%rdi)
31386 movq %r10, -2*8(%rdi, %rdx)
31387 movq %r11, -1*8(%rdi, %rdx)
31388+ pax_force_retaddr
31389 retq
31390 .p2align 4
31391 .Lless_16bytes:
31392@@ -144,6 +147,7 @@ ENTRY(memcpy_orig)
31393 movq -1*8(%rsi, %rdx), %r9
31394 movq %r8, 0*8(%rdi)
31395 movq %r9, -1*8(%rdi, %rdx)
31396+ pax_force_retaddr
31397 retq
31398 .p2align 4
31399 .Lless_8bytes:
31400@@ -157,6 +161,7 @@ ENTRY(memcpy_orig)
31401 movl -4(%rsi, %rdx), %r8d
31402 movl %ecx, (%rdi)
31403 movl %r8d, -4(%rdi, %rdx)
31404+ pax_force_retaddr
31405 retq
31406 .p2align 4
31407 .Lless_3bytes:
31408@@ -175,5 +180,6 @@ ENTRY(memcpy_orig)
31409 movb %cl, (%rdi)
31410
31411 .Lend:
31412+ pax_force_retaddr
31413 retq
31414 ENDPROC(memcpy_orig)
31415diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
31416index ca2afdd..2e474fa 100644
31417--- a/arch/x86/lib/memmove_64.S
31418+++ b/arch/x86/lib/memmove_64.S
31419@@ -41,7 +41,7 @@ ENTRY(__memmove)
31420 jg 2f
31421
31422 .Lmemmove_begin_forward:
31423- ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; retq", X86_FEATURE_ERMS
31424+ ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; pax_force_retaddr; retq", X86_FEATURE_ERMS
31425
31426 /*
31427 * movsq instruction have many startup latency
31428@@ -204,6 +204,7 @@ ENTRY(__memmove)
31429 movb (%rsi), %r11b
31430 movb %r11b, (%rdi)
31431 13:
31432+ pax_force_retaddr
31433 retq
31434 ENDPROC(__memmove)
31435 ENDPROC(memmove)
31436diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
31437index 2661fad..b584d5c 100644
31438--- a/arch/x86/lib/memset_64.S
31439+++ b/arch/x86/lib/memset_64.S
31440@@ -40,6 +40,7 @@ ENTRY(__memset)
31441 movl %edx,%ecx
31442 rep stosb
31443 movq %r9,%rax
31444+ pax_force_retaddr
31445 ret
31446 ENDPROC(memset)
31447 ENDPROC(__memset)
31448@@ -61,6 +62,7 @@ ENTRY(memset_erms)
31449 movq %rdx,%rcx
31450 rep stosb
31451 movq %r9,%rax
31452+ pax_force_retaddr
31453 ret
31454 ENDPROC(memset_erms)
31455
31456@@ -123,6 +125,7 @@ ENTRY(memset_orig)
31457
31458 .Lende:
31459 movq %r10,%rax
31460+ pax_force_retaddr
31461 ret
31462
31463 .Lbad_alignment:
31464diff --git a/arch/x86/lib/mmx_32.c b/arch/x86/lib/mmx_32.c
31465index e5e3ed8..d7c08c2 100644
31466--- a/arch/x86/lib/mmx_32.c
31467+++ b/arch/x86/lib/mmx_32.c
31468@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *from, size_t len)
31469 {
31470 void *p;
31471 int i;
31472+ unsigned long cr0;
31473
31474 if (unlikely(in_interrupt()))
31475 return __memcpy(to, from, len);
31476@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *from, size_t len)
31477 kernel_fpu_begin();
31478
31479 __asm__ __volatile__ (
31480- "1: prefetch (%0)\n" /* This set is 28 bytes */
31481- " prefetch 64(%0)\n"
31482- " prefetch 128(%0)\n"
31483- " prefetch 192(%0)\n"
31484- " prefetch 256(%0)\n"
31485+ "1: prefetch (%1)\n" /* This set is 28 bytes */
31486+ " prefetch 64(%1)\n"
31487+ " prefetch 128(%1)\n"
31488+ " prefetch 192(%1)\n"
31489+ " prefetch 256(%1)\n"
31490 "2: \n"
31491 ".section .fixup, \"ax\"\n"
31492- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31493+ "3: \n"
31494+
31495+#ifdef CONFIG_PAX_KERNEXEC
31496+ " movl %%cr0, %0\n"
31497+ " movl %0, %%eax\n"
31498+ " andl $0xFFFEFFFF, %%eax\n"
31499+ " movl %%eax, %%cr0\n"
31500+#endif
31501+
31502+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31503+
31504+#ifdef CONFIG_PAX_KERNEXEC
31505+ " movl %0, %%cr0\n"
31506+#endif
31507+
31508 " jmp 2b\n"
31509 ".previous\n"
31510 _ASM_EXTABLE(1b, 3b)
31511- : : "r" (from));
31512+ : "=&r" (cr0) : "r" (from) : "ax");
31513
31514 for ( ; i > 5; i--) {
31515 __asm__ __volatile__ (
31516- "1: prefetch 320(%0)\n"
31517- "2: movq (%0), %%mm0\n"
31518- " movq 8(%0), %%mm1\n"
31519- " movq 16(%0), %%mm2\n"
31520- " movq 24(%0), %%mm3\n"
31521- " movq %%mm0, (%1)\n"
31522- " movq %%mm1, 8(%1)\n"
31523- " movq %%mm2, 16(%1)\n"
31524- " movq %%mm3, 24(%1)\n"
31525- " movq 32(%0), %%mm0\n"
31526- " movq 40(%0), %%mm1\n"
31527- " movq 48(%0), %%mm2\n"
31528- " movq 56(%0), %%mm3\n"
31529- " movq %%mm0, 32(%1)\n"
31530- " movq %%mm1, 40(%1)\n"
31531- " movq %%mm2, 48(%1)\n"
31532- " movq %%mm3, 56(%1)\n"
31533+ "1: prefetch 320(%1)\n"
31534+ "2: movq (%1), %%mm0\n"
31535+ " movq 8(%1), %%mm1\n"
31536+ " movq 16(%1), %%mm2\n"
31537+ " movq 24(%1), %%mm3\n"
31538+ " movq %%mm0, (%2)\n"
31539+ " movq %%mm1, 8(%2)\n"
31540+ " movq %%mm2, 16(%2)\n"
31541+ " movq %%mm3, 24(%2)\n"
31542+ " movq 32(%1), %%mm0\n"
31543+ " movq 40(%1), %%mm1\n"
31544+ " movq 48(%1), %%mm2\n"
31545+ " movq 56(%1), %%mm3\n"
31546+ " movq %%mm0, 32(%2)\n"
31547+ " movq %%mm1, 40(%2)\n"
31548+ " movq %%mm2, 48(%2)\n"
31549+ " movq %%mm3, 56(%2)\n"
31550 ".section .fixup, \"ax\"\n"
31551- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31552+ "3:\n"
31553+
31554+#ifdef CONFIG_PAX_KERNEXEC
31555+ " movl %%cr0, %0\n"
31556+ " movl %0, %%eax\n"
31557+ " andl $0xFFFEFFFF, %%eax\n"
31558+ " movl %%eax, %%cr0\n"
31559+#endif
31560+
31561+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31562+
31563+#ifdef CONFIG_PAX_KERNEXEC
31564+ " movl %0, %%cr0\n"
31565+#endif
31566+
31567 " jmp 2b\n"
31568 ".previous\n"
31569 _ASM_EXTABLE(1b, 3b)
31570- : : "r" (from), "r" (to) : "memory");
31571+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31572
31573 from += 64;
31574 to += 64;
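Review bot: The fixup path clears a bit in CR0 with the bare mask `$0xFFFEFFFF` before the self-patching `movw` and restores it afterwards, with no comment on which bit that is or why it is needed. A comment on the `andl`, e.g. `/* clear CR0.WP (bit 16) so the movw can patch the read-only text at 1b */`, would make the intent reviewable; whether an interrupt can arrive while the bit is cleared is not visible from this hunk and should be stated as well. The same sequence is pasted six times across this hunk and the two fast_copy_page hunks, so a shared string macro would keep the copies from drifting apart. `cr0` and the `"ax"` clobber are also declared when CONFIG_PAX_KERNEXEC is off, where the output operand is never written.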
31575@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
31576 static void fast_copy_page(void *to, void *from)
31577 {
31578 int i;
31579+ unsigned long cr0;
31580
31581 kernel_fpu_begin();
31582
31583@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, void *from)
31584 * but that is for later. -AV
31585 */
31586 __asm__ __volatile__(
31587- "1: prefetch (%0)\n"
31588- " prefetch 64(%0)\n"
31589- " prefetch 128(%0)\n"
31590- " prefetch 192(%0)\n"
31591- " prefetch 256(%0)\n"
31592+ "1: prefetch (%1)\n"
31593+ " prefetch 64(%1)\n"
31594+ " prefetch 128(%1)\n"
31595+ " prefetch 192(%1)\n"
31596+ " prefetch 256(%1)\n"
31597 "2: \n"
31598 ".section .fixup, \"ax\"\n"
31599- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31600+ "3: \n"
31601+
31602+#ifdef CONFIG_PAX_KERNEXEC
31603+ " movl %%cr0, %0\n"
31604+ " movl %0, %%eax\n"
31605+ " andl $0xFFFEFFFF, %%eax\n"
31606+ " movl %%eax, %%cr0\n"
31607+#endif
31608+
31609+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31610+
31611+#ifdef CONFIG_PAX_KERNEXEC
31612+ " movl %0, %%cr0\n"
31613+#endif
31614+
31615 " jmp 2b\n"
31616 ".previous\n"
31617- _ASM_EXTABLE(1b, 3b) : : "r" (from));
31618+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
31619
31620 for (i = 0; i < (4096-320)/64; i++) {
31621 __asm__ __volatile__ (
31622- "1: prefetch 320(%0)\n"
31623- "2: movq (%0), %%mm0\n"
31624- " movntq %%mm0, (%1)\n"
31625- " movq 8(%0), %%mm1\n"
31626- " movntq %%mm1, 8(%1)\n"
31627- " movq 16(%0), %%mm2\n"
31628- " movntq %%mm2, 16(%1)\n"
31629- " movq 24(%0), %%mm3\n"
31630- " movntq %%mm3, 24(%1)\n"
31631- " movq 32(%0), %%mm4\n"
31632- " movntq %%mm4, 32(%1)\n"
31633- " movq 40(%0), %%mm5\n"
31634- " movntq %%mm5, 40(%1)\n"
31635- " movq 48(%0), %%mm6\n"
31636- " movntq %%mm6, 48(%1)\n"
31637- " movq 56(%0), %%mm7\n"
31638- " movntq %%mm7, 56(%1)\n"
31639+ "1: prefetch 320(%1)\n"
31640+ "2: movq (%1), %%mm0\n"
31641+ " movntq %%mm0, (%2)\n"
31642+ " movq 8(%1), %%mm1\n"
31643+ " movntq %%mm1, 8(%2)\n"
31644+ " movq 16(%1), %%mm2\n"
31645+ " movntq %%mm2, 16(%2)\n"
31646+ " movq 24(%1), %%mm3\n"
31647+ " movntq %%mm3, 24(%2)\n"
31648+ " movq 32(%1), %%mm4\n"
31649+ " movntq %%mm4, 32(%2)\n"
31650+ " movq 40(%1), %%mm5\n"
31651+ " movntq %%mm5, 40(%2)\n"
31652+ " movq 48(%1), %%mm6\n"
31653+ " movntq %%mm6, 48(%2)\n"
31654+ " movq 56(%1), %%mm7\n"
31655+ " movntq %%mm7, 56(%2)\n"
31656 ".section .fixup, \"ax\"\n"
31657- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31658+ "3:\n"
31659+
31660+#ifdef CONFIG_PAX_KERNEXEC
31661+ " movl %%cr0, %0\n"
31662+ " movl %0, %%eax\n"
31663+ " andl $0xFFFEFFFF, %%eax\n"
31664+ " movl %%eax, %%cr0\n"
31665+#endif
31666+
31667+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31668+
31669+#ifdef CONFIG_PAX_KERNEXEC
31670+ " movl %0, %%cr0\n"
31671+#endif
31672+
31673 " jmp 2b\n"
31674 ".previous\n"
31675- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
31676+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31677
31678 from += 64;
31679 to += 64;
31680@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
31681 static void fast_copy_page(void *to, void *from)
31682 {
31683 int i;
31684+ unsigned long cr0;
31685
31686 kernel_fpu_begin();
31687
31688 __asm__ __volatile__ (
31689- "1: prefetch (%0)\n"
31690- " prefetch 64(%0)\n"
31691- " prefetch 128(%0)\n"
31692- " prefetch 192(%0)\n"
31693- " prefetch 256(%0)\n"
31694+ "1: prefetch (%1)\n"
31695+ " prefetch 64(%1)\n"
31696+ " prefetch 128(%1)\n"
31697+ " prefetch 192(%1)\n"
31698+ " prefetch 256(%1)\n"
31699 "2: \n"
31700 ".section .fixup, \"ax\"\n"
31701- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31702+ "3: \n"
31703+
31704+#ifdef CONFIG_PAX_KERNEXEC
31705+ " movl %%cr0, %0\n"
31706+ " movl %0, %%eax\n"
31707+ " andl $0xFFFEFFFF, %%eax\n"
31708+ " movl %%eax, %%cr0\n"
31709+#endif
31710+
31711+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31712+
31713+#ifdef CONFIG_PAX_KERNEXEC
31714+ " movl %0, %%cr0\n"
31715+#endif
31716+
31717 " jmp 2b\n"
31718 ".previous\n"
31719- _ASM_EXTABLE(1b, 3b) : : "r" (from));
31720+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
31721
31722 for (i = 0; i < 4096/64; i++) {
31723 __asm__ __volatile__ (
31724- "1: prefetch 320(%0)\n"
31725- "2: movq (%0), %%mm0\n"
31726- " movq 8(%0), %%mm1\n"
31727- " movq 16(%0), %%mm2\n"
31728- " movq 24(%0), %%mm3\n"
31729- " movq %%mm0, (%1)\n"
31730- " movq %%mm1, 8(%1)\n"
31731- " movq %%mm2, 16(%1)\n"
31732- " movq %%mm3, 24(%1)\n"
31733- " movq 32(%0), %%mm0\n"
31734- " movq 40(%0), %%mm1\n"
31735- " movq 48(%0), %%mm2\n"
31736- " movq 56(%0), %%mm3\n"
31737- " movq %%mm0, 32(%1)\n"
31738- " movq %%mm1, 40(%1)\n"
31739- " movq %%mm2, 48(%1)\n"
31740- " movq %%mm3, 56(%1)\n"
31741+ "1: prefetch 320(%1)\n"
31742+ "2: movq (%1), %%mm0\n"
31743+ " movq 8(%1), %%mm1\n"
31744+ " movq 16(%1), %%mm2\n"
31745+ " movq 24(%1), %%mm3\n"
31746+ " movq %%mm0, (%2)\n"
31747+ " movq %%mm1, 8(%2)\n"
31748+ " movq %%mm2, 16(%2)\n"
31749+ " movq %%mm3, 24(%2)\n"
31750+ " movq 32(%1), %%mm0\n"
31751+ " movq 40(%1), %%mm1\n"
31752+ " movq 48(%1), %%mm2\n"
31753+ " movq 56(%1), %%mm3\n"
31754+ " movq %%mm0, 32(%2)\n"
31755+ " movq %%mm1, 40(%2)\n"
31756+ " movq %%mm2, 48(%2)\n"
31757+ " movq %%mm3, 56(%2)\n"
31758 ".section .fixup, \"ax\"\n"
31759- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31760+ "3:\n"
31761+
31762+#ifdef CONFIG_PAX_KERNEXEC
31763+ " movl %%cr0, %0\n"
31764+ " movl %0, %%eax\n"
31765+ " andl $0xFFFEFFFF, %%eax\n"
31766+ " movl %%eax, %%cr0\n"
31767+#endif
31768+
31769+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31770+
31771+#ifdef CONFIG_PAX_KERNEXEC
31772+ " movl %0, %%cr0\n"
31773+#endif
31774+
31775 " jmp 2b\n"
31776 ".previous\n"
31777 _ASM_EXTABLE(1b, 3b)
31778- : : "r" (from), "r" (to) : "memory");
31779+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31780
31781 from += 64;
31782 to += 64;
31783diff --git a/arch/x86/lib/msr-reg.S b/arch/x86/lib/msr-reg.S
31784index c815564..303dcfa 100644
31785--- a/arch/x86/lib/msr-reg.S
31786+++ b/arch/x86/lib/msr-reg.S
31787@@ -2,6 +2,7 @@
31788 #include <linux/errno.h>
31789 #include <asm/asm.h>
31790 #include <asm/msr.h>
31791+#include <asm/alternative-asm.h>
31792
31793 #ifdef CONFIG_X86_64
31794 /*
31795@@ -34,6 +35,7 @@ ENTRY(\op\()_safe_regs)
31796 movl %edi, 28(%r10)
31797 popq %rbp
31798 popq %rbx
31799+ pax_force_retaddr
31800 ret
31801 3:
31802 movl $-EIO, %r11d
31803diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S
31804index e0817a1..bc9cf66 100644
31805--- a/arch/x86/lib/putuser.S
31806+++ b/arch/x86/lib/putuser.S
31807@@ -15,7 +15,9 @@
31808 #include <asm/errno.h>
31809 #include <asm/asm.h>
31810 #include <asm/smap.h>
31811-
31812+#include <asm/segment.h>
31813+#include <asm/pgtable.h>
31814+#include <asm/alternative-asm.h>
31815
31816 /*
31817 * __put_user_X
31818@@ -29,55 +31,124 @@
31819 * as they get called from within inline assembly.
31820 */
31821
31822-#define ENTER GET_THREAD_INFO(%_ASM_BX)
31823-#define EXIT ASM_CLAC ; \
31824+#define ENTER
31825+#define EXIT ASM_CLAC ; \
31826+ pax_force_retaddr ; \
31827 ret
31828
31829+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31830+#define _DEST %_ASM_CX,%_ASM_BX
31831+#else
31832+#define _DEST %_ASM_CX
31833+#endif
31834+
31835+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
31836+#define __copyuser_seg gs;
31837+#else
31838+#define __copyuser_seg
31839+#endif
31840+
31841 .text
31842 ENTRY(__put_user_1)
31843 ENTER
31844+
31845+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31846+ GET_THREAD_INFO(%_ASM_BX)
31847 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
31848 jae bad_put_user
31849+
31850+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31851+ mov pax_user_shadow_base,%_ASM_BX
31852+ cmp %_ASM_BX,%_ASM_CX
31853+ jb 1234f
31854+ xor %ebx,%ebx
31855+1234:
31856+#endif
31857+
31858+#endif
31859+
31860 ASM_STAC
31861-1: movb %al,(%_ASM_CX)
31862+1: __copyuser_seg movb %al,(_DEST)
31863 xor %eax,%eax
31864 EXIT
31865 ENDPROC(__put_user_1)
31866
31867 ENTRY(__put_user_2)
31868 ENTER
31869+
31870+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31871+ GET_THREAD_INFO(%_ASM_BX)
31872 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
31873 sub $1,%_ASM_BX
31874 cmp %_ASM_BX,%_ASM_CX
31875 jae bad_put_user
31876+
31877+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31878+ mov pax_user_shadow_base,%_ASM_BX
31879+ cmp %_ASM_BX,%_ASM_CX
31880+ jb 1234f
31881+ xor %ebx,%ebx
31882+1234:
31883+#endif
31884+
31885+#endif
31886+
31887 ASM_STAC
31888-2: movw %ax,(%_ASM_CX)
31889+2: __copyuser_seg movw %ax,(_DEST)
31890 xor %eax,%eax
31891 EXIT
31892 ENDPROC(__put_user_2)
31893
31894 ENTRY(__put_user_4)
31895 ENTER
31896+
31897+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31898+ GET_THREAD_INFO(%_ASM_BX)
31899 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
31900 sub $3,%_ASM_BX
31901 cmp %_ASM_BX,%_ASM_CX
31902 jae bad_put_user
31903+
31904+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31905+ mov pax_user_shadow_base,%_ASM_BX
31906+ cmp %_ASM_BX,%_ASM_CX
31907+ jb 1234f
31908+ xor %ebx,%ebx
31909+1234:
31910+#endif
31911+
31912+#endif
31913+
31914 ASM_STAC
31915-3: movl %eax,(%_ASM_CX)
31916+3: __copyuser_seg movl %eax,(_DEST)
31917 xor %eax,%eax
31918 EXIT
31919 ENDPROC(__put_user_4)
31920
31921 ENTRY(__put_user_8)
31922 ENTER
31923+
31924+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31925+ GET_THREAD_INFO(%_ASM_BX)
31926 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
31927 sub $7,%_ASM_BX
31928 cmp %_ASM_BX,%_ASM_CX
31929 jae bad_put_user
31930+
31931+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31932+ mov pax_user_shadow_base,%_ASM_BX
31933+ cmp %_ASM_BX,%_ASM_CX
31934+ jb 1234f
31935+ xor %ebx,%ebx
31936+1234:
31937+#endif
31938+
31939+#endif
31940+
31941 ASM_STAC
31942-4: mov %_ASM_AX,(%_ASM_CX)
31943+4: __copyuser_seg mov %_ASM_AX,(_DEST)
31944 #ifdef CONFIG_X86_32
31945-5: movl %edx,4(%_ASM_CX)
31946+5: __copyuser_seg movl %edx,4(_DEST)
31947 #endif
31948 xor %eax,%eax
31949 EXIT
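Review bot: `_DEST` expands to the base+index operand `%_ASM_CX,%_ASM_BX` on x86-64 UDEREF, so every store depends on %_ASM_BX holding either `pax_user_shadow_base` or zero at that point, a contract implied only by the `jb 1234f` / `xor %ebx,%ebx` block above each store. A comment at the `#define`, e.g. `/* BX = pax_user_shadow_base if CX is below it, else 0; set by the UDEREF block in each __put_user_N */`, would keep a later edit to those blocks from silently changing the store address. `ENTER` is now an empty macro that is still invoked in every entry point and could be dropped. __put_user_8 continues past the end of this hunk.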
31950diff --git a/arch/x86/lib/rwsem.S b/arch/x86/lib/rwsem.S
31951index 40027db..37bb69d 100644
31952--- a/arch/x86/lib/rwsem.S
31953+++ b/arch/x86/lib/rwsem.S
31954@@ -90,6 +90,7 @@ ENTRY(call_rwsem_down_read_failed)
31955 call rwsem_down_read_failed
31956 __ASM_SIZE(pop,) %__ASM_REG(dx)
31957 restore_common_regs
31958+ pax_force_retaddr
31959 ret
31960 ENDPROC(call_rwsem_down_read_failed)
31961
31962@@ -98,6 +99,7 @@ ENTRY(call_rwsem_down_write_failed)
31963 movq %rax,%rdi
31964 call rwsem_down_write_failed
31965 restore_common_regs
31966+ pax_force_retaddr
31967 ret
31968 ENDPROC(call_rwsem_down_write_failed)
31969
31970@@ -109,7 +111,8 @@ ENTRY(call_rwsem_wake)
31971 movq %rax,%rdi
31972 call rwsem_wake
31973 restore_common_regs
31974-1: ret
31975+1: pax_force_retaddr
31976+ ret
31977 ENDPROC(call_rwsem_wake)
31978
31979 ENTRY(call_rwsem_downgrade_wake)
31980@@ -119,5 +122,6 @@ ENTRY(call_rwsem_downgrade_wake)
31981 call rwsem_downgrade_wake
31982 __ASM_SIZE(pop,) %__ASM_REG(dx)
31983 restore_common_regs
31984+ pax_force_retaddr
31985 ret
31986 ENDPROC(call_rwsem_downgrade_wake)
31987diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
31988index 91d93b9..4b22130 100644
31989--- a/arch/x86/lib/usercopy_32.c
31990+++ b/arch/x86/lib/usercopy_32.c
31991@@ -42,11 +42,13 @@ do { \
31992 int __d0; \
31993 might_fault(); \
31994 __asm__ __volatile__( \
31995+ __COPYUSER_SET_ES \
31996 ASM_STAC "\n" \
31997 "0: rep; stosl\n" \
31998 " movl %2,%0\n" \
31999 "1: rep; stosb\n" \
32000 "2: " ASM_CLAC "\n" \
32001+ __COPYUSER_RESTORE_ES \
32002 ".section .fixup,\"ax\"\n" \
32003 "3: lea 0(%2,%0,4),%0\n" \
32004 " jmp 2b\n" \
32005@@ -98,7 +100,7 @@ EXPORT_SYMBOL(__clear_user);
32006
32007 #ifdef CONFIG_X86_INTEL_USERCOPY
32008 static unsigned long
32009-__copy_user_intel(void __user *to, const void *from, unsigned long size)
32010+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
32011 {
32012 int d0, d1;
32013 __asm__ __volatile__(
32014@@ -110,36 +112,36 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
32015 " .align 2,0x90\n"
32016 "3: movl 0(%4), %%eax\n"
32017 "4: movl 4(%4), %%edx\n"
32018- "5: movl %%eax, 0(%3)\n"
32019- "6: movl %%edx, 4(%3)\n"
32020+ "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
32021+ "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
32022 "7: movl 8(%4), %%eax\n"
32023 "8: movl 12(%4),%%edx\n"
32024- "9: movl %%eax, 8(%3)\n"
32025- "10: movl %%edx, 12(%3)\n"
32026+ "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
32027+ "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
32028 "11: movl 16(%4), %%eax\n"
32029 "12: movl 20(%4), %%edx\n"
32030- "13: movl %%eax, 16(%3)\n"
32031- "14: movl %%edx, 20(%3)\n"
32032+ "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
32033+ "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
32034 "15: movl 24(%4), %%eax\n"
32035 "16: movl 28(%4), %%edx\n"
32036- "17: movl %%eax, 24(%3)\n"
32037- "18: movl %%edx, 28(%3)\n"
32038+ "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
32039+ "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
32040 "19: movl 32(%4), %%eax\n"
32041 "20: movl 36(%4), %%edx\n"
32042- "21: movl %%eax, 32(%3)\n"
32043- "22: movl %%edx, 36(%3)\n"
32044+ "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
32045+ "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
32046 "23: movl 40(%4), %%eax\n"
32047 "24: movl 44(%4), %%edx\n"
32048- "25: movl %%eax, 40(%3)\n"
32049- "26: movl %%edx, 44(%3)\n"
32050+ "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
32051+ "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
32052 "27: movl 48(%4), %%eax\n"
32053 "28: movl 52(%4), %%edx\n"
32054- "29: movl %%eax, 48(%3)\n"
32055- "30: movl %%edx, 52(%3)\n"
32056+ "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
32057+ "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
32058 "31: movl 56(%4), %%eax\n"
32059 "32: movl 60(%4), %%edx\n"
32060- "33: movl %%eax, 56(%3)\n"
32061- "34: movl %%edx, 60(%3)\n"
32062+ "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
32063+ "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
32064 " addl $-64, %0\n"
32065 " addl $64, %4\n"
32066 " addl $64, %3\n"
32067@@ -149,10 +151,116 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
32068 " shrl $2, %0\n"
32069 " andl $3, %%eax\n"
32070 " cld\n"
32071+ __COPYUSER_SET_ES
32072 "99: rep; movsl\n"
32073 "36: movl %%eax, %0\n"
32074 "37: rep; movsb\n"
32075 "100:\n"
32076+ __COPYUSER_RESTORE_ES
32077+ ".section .fixup,\"ax\"\n"
32078+ "101: lea 0(%%eax,%0,4),%0\n"
32079+ " jmp 100b\n"
32080+ ".previous\n"
32081+ _ASM_EXTABLE(1b,100b)
32082+ _ASM_EXTABLE(2b,100b)
32083+ _ASM_EXTABLE(3b,100b)
32084+ _ASM_EXTABLE(4b,100b)
32085+ _ASM_EXTABLE(5b,100b)
32086+ _ASM_EXTABLE(6b,100b)
32087+ _ASM_EXTABLE(7b,100b)
32088+ _ASM_EXTABLE(8b,100b)
32089+ _ASM_EXTABLE(9b,100b)
32090+ _ASM_EXTABLE(10b,100b)
32091+ _ASM_EXTABLE(11b,100b)
32092+ _ASM_EXTABLE(12b,100b)
32093+ _ASM_EXTABLE(13b,100b)
32094+ _ASM_EXTABLE(14b,100b)
32095+ _ASM_EXTABLE(15b,100b)
32096+ _ASM_EXTABLE(16b,100b)
32097+ _ASM_EXTABLE(17b,100b)
32098+ _ASM_EXTABLE(18b,100b)
32099+ _ASM_EXTABLE(19b,100b)
32100+ _ASM_EXTABLE(20b,100b)
32101+ _ASM_EXTABLE(21b,100b)
32102+ _ASM_EXTABLE(22b,100b)
32103+ _ASM_EXTABLE(23b,100b)
32104+ _ASM_EXTABLE(24b,100b)
32105+ _ASM_EXTABLE(25b,100b)
32106+ _ASM_EXTABLE(26b,100b)
32107+ _ASM_EXTABLE(27b,100b)
32108+ _ASM_EXTABLE(28b,100b)
32109+ _ASM_EXTABLE(29b,100b)
32110+ _ASM_EXTABLE(30b,100b)
32111+ _ASM_EXTABLE(31b,100b)
32112+ _ASM_EXTABLE(32b,100b)
32113+ _ASM_EXTABLE(33b,100b)
32114+ _ASM_EXTABLE(34b,100b)
32115+ _ASM_EXTABLE(35b,100b)
32116+ _ASM_EXTABLE(36b,100b)
32117+ _ASM_EXTABLE(37b,100b)
32118+ _ASM_EXTABLE(99b,101b)
32119+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
32120+ : "1"(to), "2"(from), "0"(size)
32121+ : "eax", "edx", "memory");
32122+ return size;
32123+}
32124+
32125+static unsigned long
32126+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
32127+{
32128+ int d0, d1;
32129+ __asm__ __volatile__(
32130+ " .align 2,0x90\n"
32131+ "1: "__copyuser_seg" movl 32(%4), %%eax\n"
32132+ " cmpl $67, %0\n"
32133+ " jbe 3f\n"
32134+ "2: "__copyuser_seg" movl 64(%4), %%eax\n"
32135+ " .align 2,0x90\n"
32136+ "3: "__copyuser_seg" movl 0(%4), %%eax\n"
32137+ "4: "__copyuser_seg" movl 4(%4), %%edx\n"
32138+ "5: movl %%eax, 0(%3)\n"
32139+ "6: movl %%edx, 4(%3)\n"
32140+ "7: "__copyuser_seg" movl 8(%4), %%eax\n"
32141+ "8: "__copyuser_seg" movl 12(%4),%%edx\n"
32142+ "9: movl %%eax, 8(%3)\n"
32143+ "10: movl %%edx, 12(%3)\n"
32144+ "11: "__copyuser_seg" movl 16(%4), %%eax\n"
32145+ "12: "__copyuser_seg" movl 20(%4), %%edx\n"
32146+ "13: movl %%eax, 16(%3)\n"
32147+ "14: movl %%edx, 20(%3)\n"
32148+ "15: "__copyuser_seg" movl 24(%4), %%eax\n"
32149+ "16: "__copyuser_seg" movl 28(%4), %%edx\n"
32150+ "17: movl %%eax, 24(%3)\n"
32151+ "18: movl %%edx, 28(%3)\n"
32152+ "19: "__copyuser_seg" movl 32(%4), %%eax\n"
32153+ "20: "__copyuser_seg" movl 36(%4), %%edx\n"
32154+ "21: movl %%eax, 32(%3)\n"
32155+ "22: movl %%edx, 36(%3)\n"
32156+ "23: "__copyuser_seg" movl 40(%4), %%eax\n"
32157+ "24: "__copyuser_seg" movl 44(%4), %%edx\n"
32158+ "25: movl %%eax, 40(%3)\n"
32159+ "26: movl %%edx, 44(%3)\n"
32160+ "27: "__copyuser_seg" movl 48(%4), %%eax\n"
32161+ "28: "__copyuser_seg" movl 52(%4), %%edx\n"
32162+ "29: movl %%eax, 48(%3)\n"
32163+ "30: movl %%edx, 52(%3)\n"
32164+ "31: "__copyuser_seg" movl 56(%4), %%eax\n"
32165+ "32: "__copyuser_seg" movl 60(%4), %%edx\n"
32166+ "33: movl %%eax, 56(%3)\n"
32167+ "34: movl %%edx, 60(%3)\n"
32168+ " addl $-64, %0\n"
32169+ " addl $64, %4\n"
32170+ " addl $64, %3\n"
32171+ " cmpl $63, %0\n"
32172+ " ja 1b\n"
32173+ "35: movl %0, %%eax\n"
32174+ " shrl $2, %0\n"
32175+ " andl $3, %%eax\n"
32176+ " cld\n"
32177+ "99: rep; "__copyuser_seg" movsl\n"
32178+ "36: movl %%eax, %0\n"
32179+ "37: rep; "__copyuser_seg" movsb\n"
32180+ "100:\n"
32181 ".section .fixup,\"ax\"\n"
32182 "101: lea 0(%%eax,%0,4),%0\n"
32183 " jmp 100b\n"
32184@@ -207,41 +315,41 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
32185 int d0, d1;
32186 __asm__ __volatile__(
32187 " .align 2,0x90\n"
32188- "0: movl 32(%4), %%eax\n"
32189+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32190 " cmpl $67, %0\n"
32191 " jbe 2f\n"
32192- "1: movl 64(%4), %%eax\n"
32193+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32194 " .align 2,0x90\n"
32195- "2: movl 0(%4), %%eax\n"
32196- "21: movl 4(%4), %%edx\n"
32197+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32198+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32199 " movl %%eax, 0(%3)\n"
32200 " movl %%edx, 4(%3)\n"
32201- "3: movl 8(%4), %%eax\n"
32202- "31: movl 12(%4),%%edx\n"
32203+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32204+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32205 " movl %%eax, 8(%3)\n"
32206 " movl %%edx, 12(%3)\n"
32207- "4: movl 16(%4), %%eax\n"
32208- "41: movl 20(%4), %%edx\n"
32209+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32210+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32211 " movl %%eax, 16(%3)\n"
32212 " movl %%edx, 20(%3)\n"
32213- "10: movl 24(%4), %%eax\n"
32214- "51: movl 28(%4), %%edx\n"
32215+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32216+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32217 " movl %%eax, 24(%3)\n"
32218 " movl %%edx, 28(%3)\n"
32219- "11: movl 32(%4), %%eax\n"
32220- "61: movl 36(%4), %%edx\n"
32221+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32222+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32223 " movl %%eax, 32(%3)\n"
32224 " movl %%edx, 36(%3)\n"
32225- "12: movl 40(%4), %%eax\n"
32226- "71: movl 44(%4), %%edx\n"
32227+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32228+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32229 " movl %%eax, 40(%3)\n"
32230 " movl %%edx, 44(%3)\n"
32231- "13: movl 48(%4), %%eax\n"
32232- "81: movl 52(%4), %%edx\n"
32233+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32234+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32235 " movl %%eax, 48(%3)\n"
32236 " movl %%edx, 52(%3)\n"
32237- "14: movl 56(%4), %%eax\n"
32238- "91: movl 60(%4), %%edx\n"
32239+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32240+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32241 " movl %%eax, 56(%3)\n"
32242 " movl %%edx, 60(%3)\n"
32243 " addl $-64, %0\n"
32244@@ -253,9 +361,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
32245 " shrl $2, %0\n"
32246 " andl $3, %%eax\n"
32247 " cld\n"
32248- "6: rep; movsl\n"
32249+ "6: rep; "__copyuser_seg" movsl\n"
32250 " movl %%eax,%0\n"
32251- "7: rep; movsb\n"
32252+ "7: rep; "__copyuser_seg" movsb\n"
32253 "8:\n"
32254 ".section .fixup,\"ax\"\n"
32255 "9: lea 0(%%eax,%0,4),%0\n"
32256@@ -305,41 +413,41 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
32257
32258 __asm__ __volatile__(
32259 " .align 2,0x90\n"
32260- "0: movl 32(%4), %%eax\n"
32261+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32262 " cmpl $67, %0\n"
32263 " jbe 2f\n"
32264- "1: movl 64(%4), %%eax\n"
32265+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32266 " .align 2,0x90\n"
32267- "2: movl 0(%4), %%eax\n"
32268- "21: movl 4(%4), %%edx\n"
32269+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32270+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32271 " movnti %%eax, 0(%3)\n"
32272 " movnti %%edx, 4(%3)\n"
32273- "3: movl 8(%4), %%eax\n"
32274- "31: movl 12(%4),%%edx\n"
32275+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32276+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32277 " movnti %%eax, 8(%3)\n"
32278 " movnti %%edx, 12(%3)\n"
32279- "4: movl 16(%4), %%eax\n"
32280- "41: movl 20(%4), %%edx\n"
32281+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32282+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32283 " movnti %%eax, 16(%3)\n"
32284 " movnti %%edx, 20(%3)\n"
32285- "10: movl 24(%4), %%eax\n"
32286- "51: movl 28(%4), %%edx\n"
32287+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32288+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32289 " movnti %%eax, 24(%3)\n"
32290 " movnti %%edx, 28(%3)\n"
32291- "11: movl 32(%4), %%eax\n"
32292- "61: movl 36(%4), %%edx\n"
32293+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32294+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32295 " movnti %%eax, 32(%3)\n"
32296 " movnti %%edx, 36(%3)\n"
32297- "12: movl 40(%4), %%eax\n"
32298- "71: movl 44(%4), %%edx\n"
32299+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32300+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32301 " movnti %%eax, 40(%3)\n"
32302 " movnti %%edx, 44(%3)\n"
32303- "13: movl 48(%4), %%eax\n"
32304- "81: movl 52(%4), %%edx\n"
32305+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32306+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32307 " movnti %%eax, 48(%3)\n"
32308 " movnti %%edx, 52(%3)\n"
32309- "14: movl 56(%4), %%eax\n"
32310- "91: movl 60(%4), %%edx\n"
32311+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32312+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32313 " movnti %%eax, 56(%3)\n"
32314 " movnti %%edx, 60(%3)\n"
32315 " addl $-64, %0\n"
32316@@ -352,9 +460,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
32317 " shrl $2, %0\n"
32318 " andl $3, %%eax\n"
32319 " cld\n"
32320- "6: rep; movsl\n"
32321+ "6: rep; "__copyuser_seg" movsl\n"
32322 " movl %%eax,%0\n"
32323- "7: rep; movsb\n"
32324+ "7: rep; "__copyuser_seg" movsb\n"
32325 "8:\n"
32326 ".section .fixup,\"ax\"\n"
32327 "9: lea 0(%%eax,%0,4),%0\n"
32328@@ -399,41 +507,41 @@ static unsigned long __copy_user_intel_nocache(void *to,
32329
32330 __asm__ __volatile__(
32331 " .align 2,0x90\n"
32332- "0: movl 32(%4), %%eax\n"
32333+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32334 " cmpl $67, %0\n"
32335 " jbe 2f\n"
32336- "1: movl 64(%4), %%eax\n"
32337+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32338 " .align 2,0x90\n"
32339- "2: movl 0(%4), %%eax\n"
32340- "21: movl 4(%4), %%edx\n"
32341+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32342+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32343 " movnti %%eax, 0(%3)\n"
32344 " movnti %%edx, 4(%3)\n"
32345- "3: movl 8(%4), %%eax\n"
32346- "31: movl 12(%4),%%edx\n"
32347+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32348+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32349 " movnti %%eax, 8(%3)\n"
32350 " movnti %%edx, 12(%3)\n"
32351- "4: movl 16(%4), %%eax\n"
32352- "41: movl 20(%4), %%edx\n"
32353+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32354+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32355 " movnti %%eax, 16(%3)\n"
32356 " movnti %%edx, 20(%3)\n"
32357- "10: movl 24(%4), %%eax\n"
32358- "51: movl 28(%4), %%edx\n"
32359+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32360+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32361 " movnti %%eax, 24(%3)\n"
32362 " movnti %%edx, 28(%3)\n"
32363- "11: movl 32(%4), %%eax\n"
32364- "61: movl 36(%4), %%edx\n"
32365+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32366+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32367 " movnti %%eax, 32(%3)\n"
32368 " movnti %%edx, 36(%3)\n"
32369- "12: movl 40(%4), %%eax\n"
32370- "71: movl 44(%4), %%edx\n"
32371+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32372+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32373 " movnti %%eax, 40(%3)\n"
32374 " movnti %%edx, 44(%3)\n"
32375- "13: movl 48(%4), %%eax\n"
32376- "81: movl 52(%4), %%edx\n"
32377+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32378+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32379 " movnti %%eax, 48(%3)\n"
32380 " movnti %%edx, 52(%3)\n"
32381- "14: movl 56(%4), %%eax\n"
32382- "91: movl 60(%4), %%edx\n"
32383+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32384+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32385 " movnti %%eax, 56(%3)\n"
32386 " movnti %%edx, 60(%3)\n"
32387 " addl $-64, %0\n"
32388@@ -446,9 +554,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
32389 " shrl $2, %0\n"
32390 " andl $3, %%eax\n"
32391 " cld\n"
32392- "6: rep; movsl\n"
32393+ "6: rep; "__copyuser_seg" movsl\n"
32394 " movl %%eax,%0\n"
32395- "7: rep; movsb\n"
32396+ "7: rep; "__copyuser_seg" movsb\n"
32397 "8:\n"
32398 ".section .fixup,\"ax\"\n"
32399 "9: lea 0(%%eax,%0,4),%0\n"
32400@@ -488,32 +596,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
32401 */
32402 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
32403 unsigned long size);
32404-unsigned long __copy_user_intel(void __user *to, const void *from,
32405+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
32406+ unsigned long size);
32407+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
32408 unsigned long size);
32409 unsigned long __copy_user_zeroing_intel_nocache(void *to,
32410 const void __user *from, unsigned long size);
32411 #endif /* CONFIG_X86_INTEL_USERCOPY */
32412
32413 /* Generic arbitrary sized copy. */
32414-#define __copy_user(to, from, size) \
32415+#define __copy_user(to, from, size, prefix, set, restore) \
32416 do { \
32417 int __d0, __d1, __d2; \
32418 __asm__ __volatile__( \
32419+ set \
32420 " cmp $7,%0\n" \
32421 " jbe 1f\n" \
32422 " movl %1,%0\n" \
32423 " negl %0\n" \
32424 " andl $7,%0\n" \
32425 " subl %0,%3\n" \
32426- "4: rep; movsb\n" \
32427+ "4: rep; "prefix"movsb\n" \
32428 " movl %3,%0\n" \
32429 " shrl $2,%0\n" \
32430 " andl $3,%3\n" \
32431 " .align 2,0x90\n" \
32432- "0: rep; movsl\n" \
32433+ "0: rep; "prefix"movsl\n" \
32434 " movl %3,%0\n" \
32435- "1: rep; movsb\n" \
32436+ "1: rep; "prefix"movsb\n" \
32437 "2:\n" \
32438+ restore \
32439 ".section .fixup,\"ax\"\n" \
32440 "5: addl %3,%0\n" \
32441 " jmp 2b\n" \
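Review bot: The new `prefix`, `set` and `restore` arguments of `__copy_user` are spliced into the asm template as raw strings, and nothing in the macro says what callers may pass or that `set` and `restore` must be balanced. `restore` is emitted at label `2:`, which the `.fixup` code also reaches through `jmp 2b`, so it runs on the faulting path as well. That is worth writing down, because a later edit that moves it would leave the segment state changed after a fault. I would add above the macro `/* prefix: segment override for the string moves, "" for none; set/restore: asm run before the copy and at label 2 (also reached from .fixup) */`. The macro body continues past the end of this hunk.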
32442@@ -538,14 +650,14 @@ do { \
32443 " negl %0\n" \
32444 " andl $7,%0\n" \
32445 " subl %0,%3\n" \
32446- "4: rep; movsb\n" \
32447+ "4: rep; "__copyuser_seg"movsb\n" \
32448 " movl %3,%0\n" \
32449 " shrl $2,%0\n" \
32450 " andl $3,%3\n" \
32451 " .align 2,0x90\n" \
32452- "0: rep; movsl\n" \
32453+ "0: rep; "__copyuser_seg"movsl\n" \
32454 " movl %3,%0\n" \
32455- "1: rep; movsb\n" \
32456+ "1: rep; "__copyuser_seg"movsb\n" \
32457 "2:\n" \
32458 ".section .fixup,\"ax\"\n" \
32459 "5: addl %3,%0\n" \
32460@@ -572,9 +684,9 @@ unsigned long __copy_to_user_ll(void __user *to, const void *from,
32461 {
32462 stac();
32463 if (movsl_is_ok(to, from, n))
32464- __copy_user(to, from, n);
32465+ __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
32466 else
32467- n = __copy_user_intel(to, from, n);
32468+ n = __generic_copy_to_user_intel(to, from, n);
32469 clac();
32470 return n;
32471 }
32472@@ -598,10 +710,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
32473 {
32474 stac();
32475 if (movsl_is_ok(to, from, n))
32476- __copy_user(to, from, n);
32477+ __copy_user(to, from, n, __copyuser_seg, "", "");
32478 else
32479- n = __copy_user_intel((void __user *)to,
32480- (const void *)from, n);
32481+ n = __generic_copy_from_user_intel(to, from, n);
32482 clac();
32483 return n;
32484 }
32485@@ -632,60 +743,38 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
32486 if (n > 64 && cpu_has_xmm2)
32487 n = __copy_user_intel_nocache(to, from, n);
32488 else
32489- __copy_user(to, from, n);
32490+ __copy_user(to, from, n, __copyuser_seg, "", "");
32491 #else
32492- __copy_user(to, from, n);
32493+ __copy_user(to, from, n, __copyuser_seg, "", "");
32494 #endif
32495 clac();
32496 return n;
32497 }
32498 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
32499
32500-/**
32501- * copy_to_user: - Copy a block of data into user space.
32502- * @to: Destination address, in user space.
32503- * @from: Source address, in kernel space.
32504- * @n: Number of bytes to copy.
32505- *
32506- * Context: User context only. This function may sleep if pagefaults are
32507- * enabled.
32508- *
32509- * Copy data from kernel space to user space.
32510- *
32511- * Returns number of bytes that could not be copied.
32512- * On success, this will be zero.
32513- */
32514-unsigned long _copy_to_user(void __user *to, const void *from, unsigned n)
32515+#ifdef CONFIG_PAX_MEMORY_UDEREF
32516+void __set_fs(mm_segment_t x)
32517 {
32518- if (access_ok(VERIFY_WRITE, to, n))
32519- n = __copy_to_user(to, from, n);
32520- return n;
32521+ switch (x.seg) {
32522+ case 0:
32523+ loadsegment(gs, 0);
32524+ break;
32525+ case TASK_SIZE_MAX:
32526+ loadsegment(gs, __USER_DS);
32527+ break;
32528+ case -1UL:
32529+ loadsegment(gs, __KERNEL_DS);
32530+ break;
32531+ default:
32532+ BUG();
32533+ }
32534 }
32535-EXPORT_SYMBOL(_copy_to_user);
32536+EXPORT_SYMBOL(__set_fs);
32537
32538-/**
32539- * copy_from_user: - Copy a block of data from user space.
32540- * @to: Destination address, in kernel space.
32541- * @from: Source address, in user space.
32542- * @n: Number of bytes to copy.
32543- *
32544- * Context: User context only. This function may sleep if pagefaults are
32545- * enabled.
32546- *
32547- * Copy data from user space to kernel space.
32548- *
32549- * Returns number of bytes that could not be copied.
32550- * On success, this will be zero.
32551- *
32552- * If some data could not be copied, this function will pad the copied
32553- * data to the requested size using zero bytes.
32554- */
32555-unsigned long _copy_from_user(void *to, const void __user *from, unsigned n)
32556+void set_fs(mm_segment_t x)
32557 {
32558- if (access_ok(VERIFY_READ, from, n))
32559- n = __copy_from_user(to, from, n);
32560- else
32561- memset(to, 0, n);
32562- return n;
32563+ current_thread_info()->addr_limit = x;
32564+ __set_fs(x);
32565 }
32566-EXPORT_SYMBOL(_copy_from_user);
32567+EXPORT_SYMBOL(set_fs);
32568+#endif
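Review bot: `__set_fs()` has no comment stating that it accepts exactly three `addr_limit` values and calls `BUG()` for anything else, which is the contract every `set_fs()` caller has to meet under `CONFIG_PAX_MEMORY_UDEREF`. `set_fs()` also writes `current_thread_info()->addr_limit` before `__set_fs()` has looked at the value, so on the `default:` path the thread's limit has already been replaced when the check fires; calling `__set_fs(x)` first would keep the two in step. I would add `/* UDEREF: keep %gs in step with addr_limit; only 0, TASK_SIZE_MAX and -1UL are valid limits */` above `__set_fs()`.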
32569diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
32570index 0a42327..7a82465 100644
32571--- a/arch/x86/lib/usercopy_64.c
32572+++ b/arch/x86/lib/usercopy_64.c
32573@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
32574 might_fault();
32575 /* no memory constraint because it doesn't change any memory gcc knows
32576 about */
32577+ pax_open_userland();
32578 stac();
32579 asm volatile(
32580 " testq %[size8],%[size8]\n"
32581@@ -39,9 +40,10 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
32582 _ASM_EXTABLE(0b,3b)
32583 _ASM_EXTABLE(1b,2b)
32584 : [size8] "=&c"(size), [dst] "=&D" (__d0)
32585- : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
32586+ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
32587 [zero] "r" (0UL), [eight] "r" (8UL));
32588 clac();
32589+ pax_close_userland();
32590 return size;
32591 }
32592 EXPORT_SYMBOL(__clear_user);
32593@@ -54,12 +56,11 @@ unsigned long clear_user(void __user *to, unsigned long n)
32594 }
32595 EXPORT_SYMBOL(clear_user);
32596
32597-unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
32598+unsigned long copy_in_user(void __user *to, const void __user *from, unsigned long len)
32599 {
32600- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
32601- return copy_user_generic((__force void *)to, (__force void *)from, len);
32602- }
32603- return len;
32604+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len))
32605+ return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len);
32606+ return len;
32607 }
32608 EXPORT_SYMBOL(copy_in_user);
32609
32610@@ -69,8 +70,10 @@ EXPORT_SYMBOL(copy_in_user);
32611 * it is not necessary to optimize tail handling.
32612 */
32613 __visible unsigned long
32614-copy_user_handle_tail(char *to, char *from, unsigned len)
32615+copy_user_handle_tail(char __user *to, char __user *from, unsigned long len)
32616 {
32617+ clac();
32618+ pax_close_userland();
32619 for (; len; --len, to++) {
32620 char c;
32621
32622@@ -79,10 +82,9 @@ copy_user_handle_tail(char *to, char *from, unsigned len)
32623 if (__put_user_nocheck(c, to, sizeof(char)))
32624 break;
32625 }
32626- clac();
32627
32628 /* If the destination is a kernel buffer, we always clear the end */
32629- if (!__addr_ok(to))
32630+ if (!__addr_ok(to) && (unsigned long)to >= TASK_SIZE_MAX + pax_user_shadow_base)
32631 memset(to, 0, len);
32632 return len;
32633 }
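Review bot: `memset(to, 0, len)` now receives a pointer that the previous hunk retyped to `char __user *`, so the call mixes address spaces without a cast, while `copy_in_user()` in this same file uses explicit `__force_kernel` casts for that. The added test `(unsigned long)to >= TASK_SIZE_MAX + pax_user_shadow_base` is what keeps this zeroing away from user-range addresses, and it has no comment. I would write `memset((void __force_kernel *)to, 0, len);` and put a one-line comment above the `if` saying which address range the second condition excludes. Moving `clac()` and `pax_close_userland()` ahead of the byte loop (previous hunk) presumably relies on `__get_user_nocheck`/`__put_user_nocheck` opening their own access window; that is not visible here and deserves a comment too.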
32634diff --git a/arch/x86/math-emu/fpu_aux.c b/arch/x86/math-emu/fpu_aux.c
32635index dd76a05..df65688 100644
32636--- a/arch/x86/math-emu/fpu_aux.c
32637+++ b/arch/x86/math-emu/fpu_aux.c
32638@@ -52,7 +52,7 @@ void fpstate_init_soft(struct swregs_state *soft)
32639
32640 void finit(void)
32641 {
32642- fpstate_init_soft(&current->thread.fpu.state.soft);
32643+ fpstate_init_soft(&current->thread.fpu.state->soft);
32644 }
32645
32646 /*
32647diff --git a/arch/x86/math-emu/fpu_entry.c b/arch/x86/math-emu/fpu_entry.c
32648index 3d8f2e4..ef7cf4e 100644
32649--- a/arch/x86/math-emu/fpu_entry.c
32650+++ b/arch/x86/math-emu/fpu_entry.c
32651@@ -677,7 +677,7 @@ int fpregs_soft_set(struct task_struct *target,
32652 unsigned int pos, unsigned int count,
32653 const void *kbuf, const void __user *ubuf)
32654 {
32655- struct swregs_state *s387 = &target->thread.fpu.state.soft;
32656+ struct swregs_state *s387 = &target->thread.fpu.state->soft;
32657 void *space = s387->st_space;
32658 int ret;
32659 int offset, other, i, tags, regnr, tag, newtop;
32660@@ -729,7 +729,7 @@ int fpregs_soft_get(struct task_struct *target,
32661 unsigned int pos, unsigned int count,
32662 void *kbuf, void __user *ubuf)
32663 {
32664- struct swregs_state *s387 = &target->thread.fpu.state.soft;
32665+ struct swregs_state *s387 = &target->thread.fpu.state->soft;
32666 const void *space = s387->st_space;
32667 int ret;
32668 int offset = (S387->ftop & 7) * 10, other = 80 - offset;
32669diff --git a/arch/x86/math-emu/fpu_system.h b/arch/x86/math-emu/fpu_system.h
32670index 5e044d5..d342fce 100644
32671--- a/arch/x86/math-emu/fpu_system.h
32672+++ b/arch/x86/math-emu/fpu_system.h
32673@@ -46,7 +46,7 @@ static inline struct desc_struct FPU_get_ldt_descriptor(unsigned seg)
32674 #define SEG_EXPAND_DOWN(s) (((s).b & ((1 << 11) | (1 << 10))) \
32675 == (1 << 10))
32676
32677-#define I387 (&current->thread.fpu.state)
32678+#define I387 (current->thread.fpu.state)
32679 #define FPU_info (I387->soft.info)
32680
32681 #define FPU_CS (*(unsigned short *) &(FPU_info->regs->cs))
32682diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
32683index a482d10..1a6edb5 100644
32684--- a/arch/x86/mm/Makefile
32685+++ b/arch/x86/mm/Makefile
32686@@ -33,3 +33,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o
32687 obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
32688
32689 obj-$(CONFIG_X86_INTEL_MPX) += mpx.o
32690+
32691+quote:="
32692+obj-$(CONFIG_X86_64) += uderef_64.o
32693+CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS)) -fcall-saved-rax
32694diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
32695index 903ec1e..41b4708 100644
32696--- a/arch/x86/mm/extable.c
32697+++ b/arch/x86/mm/extable.c
32698@@ -2,16 +2,29 @@
32699 #include <linux/spinlock.h>
32700 #include <linux/sort.h>
32701 #include <asm/uaccess.h>
32702+#include <asm/boot.h>
32703
32704 static inline unsigned long
32705 ex_insn_addr(const struct exception_table_entry *x)
32706 {
32707- return (unsigned long)&x->insn + x->insn;
32708+ unsigned long reloc = 0;
32709+
32710+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32711+ reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32712+#endif
32713+
32714+ return (unsigned long)&x->insn + x->insn + reloc;
32715 }
32716 static inline unsigned long
32717 ex_fixup_addr(const struct exception_table_entry *x)
32718 {
32719- return (unsigned long)&x->fixup + x->fixup;
32720+ unsigned long reloc = 0;
32721+
32722+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32723+ reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32724+#endif
32725+
32726+ return (unsigned long)&x->fixup + x->fixup + reloc;
32727 }
32728
32729 int fixup_exception(struct pt_regs *regs)
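Review bot: The expression `____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR` and its `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` guard are repeated in `ex_insn_addr()` and `ex_fixup_addr()`, and the expression appears twice more in the `sort_extable()` hunk further down. If one copy is changed without the others, exception fixups resolve to the wrong address, so a single helper is safer. The `BUILD_BUG_ON` in the `sort_extable()` hunk also sits inside the loop body; it is a compile-time check and reads better at the top of that function.

```c
/* Delta applied to exception-table addresses under 32-bit KERNEXEC, 0 otherwise. */
static inline unsigned long ex_reloc(void)
{
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	return ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
#else
	return 0;
#endif
}

static inline unsigned long
ex_insn_addr(const struct exception_table_entry *x)
{
	return (unsigned long)&x->insn + x->insn + ex_reloc();
}
/* … ex_fixup_addr: same change, using x->fixup … */
```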
32730@@ -20,7 +33,7 @@ int fixup_exception(struct pt_regs *regs)
32731 unsigned long new_ip;
32732
32733 #ifdef CONFIG_PNPBIOS
32734- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
32735+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
32736 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
32737 extern u32 pnp_bios_is_utter_crap;
32738 pnp_bios_is_utter_crap = 1;
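Review bot: The added `!v8086_mode(regs)` test needs a comment, because the reason for it cannot be read off the line itself. In vm86 mode `regs->cs` holds a real-mode segment value rather than a protected-mode selector, so comparing it against the PnP BIOS selectors can match by coincidence. I would add `/* vm86: regs->cs is a real-mode segment, not a selector */` above the `if`. `fixup_exception()` continues outside this hunk.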
32739@@ -145,6 +158,13 @@ void sort_extable(struct exception_table_entry *start,
32740 i += 4;
32741 p->fixup -= i;
32742 i += 4;
32743+
32744+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32745+ BUILD_BUG_ON(!IS_ENABLED(CONFIG_BUILDTIME_EXTABLE_SORT));
32746+ p->insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32747+ p->fixup -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32748+#endif
32749+
32750 }
32751 }
32752
32753diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
32754index 9dc9098..938251a 100644
32755--- a/arch/x86/mm/fault.c
32756+++ b/arch/x86/mm/fault.c
32757@@ -14,12 +14,19 @@
32758 #include <linux/prefetch.h> /* prefetchw */
32759 #include <linux/context_tracking.h> /* exception_enter(), ... */
32760 #include <linux/uaccess.h> /* faulthandler_disabled() */
32761+#include <linux/unistd.h>
32762+#include <linux/compiler.h>
32763
32764 #include <asm/traps.h> /* dotraplinkage, ... */
32765 #include <asm/pgalloc.h> /* pgd_*(), ... */
32766 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
32767 #include <asm/fixmap.h> /* VSYSCALL_ADDR */
32768 #include <asm/vsyscall.h> /* emulate_vsyscall */
32769+#include <asm/tlbflush.h>
32770+
32771+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32772+#include <asm/stacktrace.h>
32773+#endif
32774
32775 #define CREATE_TRACE_POINTS
32776 #include <asm/trace/exceptions.h>
32777@@ -121,7 +128,10 @@ check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr,
32778 return !instr_lo || (instr_lo>>1) == 1;
32779 case 0x00:
32780 /* Prefetch instruction is 0x0F0D or 0x0F18 */
32781- if (probe_kernel_address(instr, opcode))
32782+ if (user_mode(regs)) {
32783+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
32784+ return 0;
32785+ } else if (probe_kernel_address(instr, opcode))
32786 return 0;
32787
32788 *prefetch = (instr_lo == 0xF) &&
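Review bot: `__copy_from_user_inatomic()` does no `access_ok()` check of its own, and this hunk does not show where `instr` is bounded to the user range before the new `user_mode(regs)` branch reads through it. If the caller enforces that bound, a comment here should name where; if it does not, the read needs one. The `} else if (probe_kernel_address(instr, opcode))` line followed by an unbraced `return 0;` is also easy to misread next to the braced branch, so brace it as `} else if (probe_kernel_address(instr, opcode)) {`. The same construct is added in the `is_prefetch()` hunk that follows, with `break` in place of `return 0`.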
32789@@ -155,7 +165,10 @@ is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)
32790 while (instr < max_instr) {
32791 unsigned char opcode;
32792
32793- if (probe_kernel_address(instr, opcode))
32794+ if (user_mode(regs)) {
32795+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
32796+ break;
32797+ } else if (probe_kernel_address(instr, opcode))
32798 break;
32799
32800 instr++;
32801@@ -186,6 +199,34 @@ force_sig_info_fault(int si_signo, int si_code, unsigned long address,
32802 force_sig_info(si_signo, &info, tsk);
32803 }
32804
32805+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
32806+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
32807+#endif
32808+
32809+#ifdef CONFIG_PAX_EMUTRAMP
32810+static int pax_handle_fetch_fault(struct pt_regs *regs);
32811+#endif
32812+
32813+#ifdef CONFIG_PAX_PAGEEXEC
32814+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
32815+{
32816+ pgd_t *pgd;
32817+ pud_t *pud;
32818+ pmd_t *pmd;
32819+
32820+ pgd = pgd_offset(mm, address);
32821+ if (!pgd_present(*pgd))
32822+ return NULL;
32823+ pud = pud_offset(pgd, address);
32824+ if (!pud_present(*pud))
32825+ return NULL;
32826+ pmd = pmd_offset(pud, address);
32827+ if (!pmd_present(*pmd))
32828+ return NULL;
32829+ return pmd;
32830+}
32831+#endif
32832+
32833 DEFINE_SPINLOCK(pgd_lock);
32834 LIST_HEAD(pgd_list);
32835
32836@@ -236,10 +277,27 @@ void vmalloc_sync_all(void)
32837 for (address = VMALLOC_START & PMD_MASK;
32838 address >= TASK_SIZE && address < FIXADDR_TOP;
32839 address += PMD_SIZE) {
32840+
32841+#ifdef CONFIG_PAX_PER_CPU_PGD
32842+ unsigned long cpu;
32843+#else
32844 struct page *page;
32845+#endif
32846
32847 spin_lock(&pgd_lock);
32848+
32849+#ifdef CONFIG_PAX_PER_CPU_PGD
32850+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
32851+ pgd_t *pgd = get_cpu_pgd(cpu, user);
32852+ pmd_t *ret;
32853+
32854+ ret = vmalloc_sync_one(pgd, address);
32855+ if (!ret)
32856+ break;
32857+ pgd = get_cpu_pgd(cpu, kernel);
32858+#else
32859 list_for_each_entry(page, &pgd_list, lru) {
32860+ pgd_t *pgd;
32861 spinlock_t *pgt_lock;
32862 pmd_t *ret;
32863
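Review bot: The loop header is now chosen by `#ifdef CONFIG_PAX_PER_CPU_PGD` (`for (cpu = 0; ...) {` versus `list_for_each_entry(...) {`), and both variants share a closing brace that lies outside this hunk, so the brace pairing can only be checked by expanding the preprocessor by hand. In the per-CPU branch the first `vmalloc_sync_one()` call is for `get_cpu_pgd(cpu, user)`, and `pgd` is then reassigned to the kernel PGD for the shared call in the next hunk. A comment such as `/* sync the user PGD here, the kernel PGD below */` would make that two-step visible. The plain `cpu < nr_cpu_ids` walk visits every id; whether `get_cpu_pgd()` is valid for all of them cannot be seen from here.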
32864@@ -247,8 +305,14 @@ void vmalloc_sync_all(void)
32865 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
32866
32867 spin_lock(pgt_lock);
32868- ret = vmalloc_sync_one(page_address(page), address);
32869+ pgd = page_address(page);
32870+#endif
32871+
32872+ ret = vmalloc_sync_one(pgd, address);
32873+
32874+#ifndef CONFIG_PAX_PER_CPU_PGD
32875 spin_unlock(pgt_lock);
32876+#endif
32877
32878 if (!ret)
32879 break;
32880@@ -282,6 +346,12 @@ static noinline int vmalloc_fault(unsigned long address)
32881 * an interrupt in the middle of a task switch..
32882 */
32883 pgd_paddr = read_cr3();
32884+
32885+#ifdef CONFIG_PAX_PER_CPU_PGD
32886+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK));
32887+ vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address);
32888+#endif
32889+
32890 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
32891 if (!pmd_k)
32892 return -1;
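Review bot: `vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address)` encodes an assumption about where a second per-CPU PGD sits relative to the one loaded in CR3, and its return value is discarded. The `BUG_ON` above it checks only that CR3 matches `get_cpu_pgd(smp_processor_id(), kernel)`; nothing here ties the `+ PAGE_SIZE` page to the user PGD. I would add a comment stating the layout the offset relies on, or derive the address from `get_cpu_pgd(smp_processor_id(), user)` if that is what is meant. If the result is ignored on purpose because the call on the next line reports the same failure, say that as well. `vmalloc_fault()` continues outside this hunk.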
32893@@ -378,11 +448,25 @@ static noinline int vmalloc_fault(unsigned long address)
32894 * happen within a race in page table update. In the later
32895 * case just flush:
32896 */
32897- pgd = pgd_offset(current->active_mm, address);
32898+
32899 pgd_ref = pgd_offset_k(address);
32900 if (pgd_none(*pgd_ref))
32901 return -1;
32902
32903+#ifdef CONFIG_PAX_PER_CPU_PGD
32904+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK));
32905+ pgd = pgd_offset_cpu(smp_processor_id(), user, address);
32906+ if (pgd_none(*pgd)) {
32907+ set_pgd(pgd, *pgd_ref);
32908+ arch_flush_lazy_mmu_mode();
32909+ } else {
32910+ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
32911+ }
32912+ pgd = pgd_offset_cpu(smp_processor_id(), kernel, address);
32913+#else
32914+ pgd = pgd_offset(current->active_mm, address);
32915+#endif
32916+
32917 if (pgd_none(*pgd)) {
32918 set_pgd(pgd, *pgd_ref);
32919 arch_flush_lazy_mmu_mode();
32920@@ -549,7 +633,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address)
32921 static int is_errata100(struct pt_regs *regs, unsigned long address)
32922 {
32923 #ifdef CONFIG_X86_64
32924- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
32925+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
32926 return 1;
32927 #endif
32928 return 0;
32929@@ -576,9 +660,9 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
32930 }
32931
32932 static const char nx_warning[] = KERN_CRIT
32933-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
32934+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
32935 static const char smep_warning[] = KERN_CRIT
32936-"unable to execute userspace code (SMEP?) (uid: %d)\n";
32937+"unable to execute userspace code (SMEP?) (uid: %d, task: %s, pid: %d)\n";
32938
32939 static void
32940 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
32941@@ -587,7 +671,7 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
32942 if (!oops_may_print())
32943 return;
32944
32945- if (error_code & PF_INSTR) {
32946+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
32947 unsigned int level;
32948 pgd_t *pgd;
32949 pte_t *pte;
32950@@ -598,13 +682,25 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
32951 pte = lookup_address_in_pgd(pgd, address, &level);
32952
32953 if (pte && pte_present(*pte) && !pte_exec(*pte))
32954- printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
32955+ printk(nx_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
32956 if (pte && pte_present(*pte) && pte_exec(*pte) &&
32957 (pgd_flags(*pgd) & _PAGE_USER) &&
32958 (__read_cr4() & X86_CR4_SMEP))
32959- printk(smep_warning, from_kuid(&init_user_ns, current_uid()));
32960+ printk(smep_warning, from_kuid(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
32961 }
32962
32963+#ifdef CONFIG_PAX_KERNEXEC
32964+ if (init_mm.start_code <= address && address < init_mm.end_code) {
32965+ if (current->signal->curr_ip)
32966+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
32967+ &current->signal->curr_ip, current->comm, task_pid_nr(current),
32968+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
32969+ else
32970+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
32971+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
32972+ }
32973+#endif
32974+
32975 printk(KERN_ALERT "BUG: unable to handle kernel ");
32976 if (address < PAGE_SIZE)
32977 printk(KERN_CONT "NULL pointer dereference");
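Review bot: The NX warning now formats the uid with `from_kuid_munged()` while the SMEP warning a few lines below still uses `from_kuid()`, so two adjacent messages about the same task go through different helpers. Use one in both places: `printk(smep_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));`. The new KERNEXEC block prints "attempted to modify kernel code" for any fault address between `init_mm.start_code` and `init_mm.end_code` without testing `error_code & PF_WRITE`. If a non-write fault can reach this point, the text will mislead whoever triages the log.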
32978@@ -783,6 +879,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
32979 return;
32980 }
32981 #endif
32982+
32983+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
32984+ if (pax_is_fetch_fault(regs, error_code, address)) {
32985+
32986+#ifdef CONFIG_PAX_EMUTRAMP
32987+ switch (pax_handle_fetch_fault(regs)) {
32988+ case 2:
32989+ return;
32990+ }
32991+#endif
32992+
32993+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
32994+ do_group_exit(SIGKILL);
32995+ }
32996+#endif
32997+
32998 /* Kernel addresses are always protection faults: */
32999 if (address >= TASK_SIZE)
33000 error_code |= PF_PROT;
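Review bot: The literal `2` returned by `pax_handle_fetch_fault()` is tested in a one-case `switch` with no `default`, and nothing visible here says what that value means or what the other return values are. Every other result falls through to `pax_report_fault()` and `do_group_exit(SIGKILL)`, so the meaning of that one value decides whether the task is killed. Give it a named constant, or at least write `if (pax_handle_fetch_fault(regs) == 2) return;` with a comment whose wording is confirmed against the function's definition, which is outside this hunk. The same `switch` is added again in `pax_handle_pageexec_fault()` in the following fault.c hunk.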
33001@@ -865,7 +977,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
33002 if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
33003 printk(KERN_ERR
33004 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
33005- tsk->comm, tsk->pid, address);
33006+ tsk->comm, task_pid_nr(tsk), address);
33007 code = BUS_MCEERR_AR;
33008 }
33009 #endif
33010@@ -917,6 +1029,107 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
33011 return 1;
33012 }
33013
33014+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
33015+static inline unsigned long get_limit(unsigned long segment)
33016+{
33017+ unsigned long __limit;
33018+
33019+ asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
33020+ return __limit + 1;
33021+}
33022+
33023+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
33024+{
33025+ pte_t *pte;
33026+ pmd_t *pmd;
33027+ spinlock_t *ptl;
33028+ unsigned char pte_mask;
33029+
33030+ if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
33031+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
33032+ return 0;
33033+
33034+ /* PaX: it's our fault, let's handle it if we can */
33035+
33036+ /* PaX: take a look at read faults before acquiring any locks */
33037+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
33038+ /* instruction fetch attempt from a protected page in user mode */
33039+ up_read(&mm->mmap_sem);
33040+
33041+#ifdef CONFIG_PAX_EMUTRAMP
33042+ switch (pax_handle_fetch_fault(regs)) {
33043+ case 2:
33044+ return 1;
33045+ }
33046+#endif
33047+
33048+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
33049+ do_group_exit(SIGKILL);
33050+ }
33051+
33052+ pmd = pax_get_pmd(mm, address);
33053+ if (unlikely(!pmd))
33054+ return 0;
33055+
33056+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
33057+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
33058+ pte_unmap_unlock(pte, ptl);
33059+ return 0;
33060+ }
33061+
33062+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
33063+ /* write attempt to a protected page in user mode */
33064+ pte_unmap_unlock(pte, ptl);
33065+ return 0;
33066+ }
33067+
33068+#ifdef CONFIG_SMP
33069+ if (likely(address > get_limit(regs->cs) && cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
33070+#else
33071+ if (likely(address > get_limit(regs->cs)))
33072+#endif
33073+ {
33074+ set_pte(pte, pte_mkread(*pte));
33075+ __flush_tlb_one(address);
33076+ pte_unmap_unlock(pte, ptl);
33077+ up_read(&mm->mmap_sem);
33078+ return 1;
33079+ }
33080+
33081+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
33082+
33083+ /*
33084+ * PaX: fill DTLB with user rights and retry
33085+ */
33086+ __asm__ __volatile__ (
33087+ "orb %2,(%1)\n"
33088+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
33089+/*
33090+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
33091+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
33092+ * page fault when examined during a TLB load attempt. this is true not only
33093+ * for PTEs holding a non-present entry but also present entries that will
33094+ * raise a page fault (such as those set up by PaX, or the copy-on-write
33095+ * mechanism). in effect it means that we do *not* need to flush the TLBs
33096+ * for our target pages since their PTEs are simply not in the TLBs at all.
33097+
33098+ * the best thing in omitting it is that we gain around 15-20% speed in the
33099+ * fast path of the page fault handler and can get rid of tracing since we
33100+ * can no longer flush unintended entries.
33101+ */
33102+ "invlpg (%0)\n"
33103+#endif
33104+ __copyuser_seg"testb $0,(%0)\n"
33105+ "xorb %3,(%1)\n"
33106+ :
33107+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
33108+ : "memory", "cc");
33109+ pte_unmap_unlock(pte, ptl);
33110+ up_read(&mm->mmap_sem);
33111+ return 1;
33112+}
33113+#endif
33114+
33115 /*
33116 * Handle a spurious fault caused by a stale TLB entry.
33117 *
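Review bot: `pax_handle_pageexec_fault()` has an undocumented locking contract: every `return 1` path has already called `up_read(&mm->mmap_sem)`, while every `return 0` path leaves the semaphore as it was on entry. The call added in the `retry:` hunk of `__do_page_fault` depends on this, since it returns immediately on a non-zero result without unlocking. I would state it above the function, for example `/* returns 1 with mmap_sem released (fault handled), 0 with mmap_sem still held by the caller */`. The fetch-fault branch also drops the semaphore before `do_group_exit(SIGKILL)`, which the same comment should mention.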
33118@@ -1002,6 +1215,9 @@ int show_unhandled_signals = 1;
33119 static inline int
33120 access_error(unsigned long error_code, struct vm_area_struct *vma)
33121 {
33122+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
33123+ return 1;
33124+
33125 if (error_code & PF_WRITE) {
33126 /* write, present and write, not present: */
33127 if (unlikely(!(vma->vm_flags & VM_WRITE)))
33128@@ -1064,6 +1280,22 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
33129 tsk = current;
33130 mm = tsk->mm;
33131
33132+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
33133+ if (!user_mode(regs) && address < 2 * pax_user_shadow_base) {
33134+ if (!search_exception_tables(regs->ip)) {
33135+ printk(KERN_EMERG "PAX: please report this to pageexec@freemail.hu\n");
33136+ bad_area_nosemaphore(regs, error_code, address);
33137+ return;
33138+ }
33139+ if (address < pax_user_shadow_base) {
33140+ printk(KERN_EMERG "PAX: please report this to pageexec@freemail.hu\n");
33141+ printk(KERN_EMERG "PAX: faulting IP: %pS\n", (void *)regs->ip);
33142+ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_EMERG);
33143+ } else
33144+ address -= pax_user_shadow_base;
33145+ }
33146+#endif
33147+
33148 /*
33149 * Detect and handle instructions that would cause a page fault for
33150 * both a tracked kernel page and a userspace page.
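Review bot: The UDEREF block added to `__do_page_fault` separates three cases without a single comment. A kernel-mode fault below `2 * pax_user_shadow_base` with no exception-table entry is reported and sent to `bad_area_nosemaphore`; one below `pax_user_shadow_base` with an entry is reported with a trace and then handled with the address unchanged; anything else is silently rebased by `address -= pax_user_shadow_base`. A one-line comment per branch would make the intent reviewable, e.g. `/* presumably an access through the shadow mapping: translate back to the userland address */` on the `else`. Both report branches print at KERN_EMERG with no rate limiting, so if a buggy kernel path can be re-entered repeatedly the console floods; `printk_ratelimited` may be worth considering there. The function body extends beyond the hunk.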
33151@@ -1188,6 +1420,11 @@ retry:
33152 might_sleep();
33153 }
33154
33155+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
33156+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
33157+ return;
33158+#endif
33159+
33160 vma = find_vma(mm, address);
33161 if (unlikely(!vma)) {
33162 bad_area(regs, error_code, address);
33163@@ -1199,18 +1436,24 @@ retry:
33164 bad_area(regs, error_code, address);
33165 return;
33166 }
33167- if (error_code & PF_USER) {
33168- /*
33169- * Accessing the stack below %sp is always a bug.
33170- * The large cushion allows instructions like enter
33171- * and pusha to work. ("enter $65535, $31" pushes
33172- * 32 pointers and then decrements %sp by 65535.)
33173- */
33174- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
33175- bad_area(regs, error_code, address);
33176- return;
33177- }
33178+ /*
33179+ * Accessing the stack below %sp is always a bug.
33180+ * The large cushion allows instructions like enter
33181+ * and pusha to work. ("enter $65535, $31" pushes
33182+ * 32 pointers and then decrements %sp by 65535.)
33183+ */
33184+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
33185+ bad_area(regs, error_code, address);
33186+ return;
33187 }
33188+
33189+#ifdef CONFIG_PAX_SEGMEXEC
33190+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
33191+ bad_area(regs, error_code, address);
33192+ return;
33193+ }
33194+#endif
33195+
33196 if (unlikely(expand_stack(vma, address))) {
33197 bad_area(regs, error_code, address);
33198 return;
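Review bot: The retained comment `Accessing the stack below %sp is always a bug` no longer describes the check it sits on. The `error_code & PF_USER` guard is gone, so kernel-mode faults are now tested too, and the comparison uses `task_pt_regs(tsk)->sp` instead of the faulting context's `regs->sp`. I would extend the comment to say so, e.g. `/* also applied to kernel-mode accesses, hence the saved user-mode %sp from task_pt_regs() */`. The SEGMEXEC test added below relies on unsigned wrap-around in `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` and deserves a one-line explanation as well. The surrounding function starts and ends outside the hunk.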
33199@@ -1330,3 +1573,292 @@ trace_do_page_fault(struct pt_regs *regs, unsigned long error_code)
33200 }
33201 NOKPROBE_SYMBOL(trace_do_page_fault);
33202 #endif /* CONFIG_TRACING */
33203+
33204+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33205+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
33206+{
33207+ struct mm_struct *mm = current->mm;
33208+ unsigned long ip = regs->ip;
33209+
33210+ if (v8086_mode(regs))
33211+ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
33212+
33213+#ifdef CONFIG_PAX_PAGEEXEC
33214+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
33215+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR))
33216+ return true;
33217+ if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address)
33218+ return true;
33219+ return false;
33220+ }
33221+#endif
33222+
33223+#ifdef CONFIG_PAX_SEGMEXEC
33224+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
33225+ if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
33226+ return true;
33227+ return false;
33228+ }
33229+#endif
33230+
33231+ return false;
33232+}
33233+#endif
33234+
33235+#ifdef CONFIG_PAX_EMUTRAMP
33236+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
33237+{
33238+ int err;
33239+
33240+ do { /* PaX: libffi trampoline emulation */
33241+ unsigned char mov, jmp;
33242+ unsigned int addr1, addr2;
33243+
33244+#ifdef CONFIG_X86_64
33245+ if ((regs->ip + 9) >> 32)
33246+ break;
33247+#endif
33248+
33249+ err = get_user(mov, (unsigned char __user *)regs->ip);
33250+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33251+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
33252+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33253+
33254+ if (err)
33255+ break;
33256+
33257+ if (mov == 0xB8 && jmp == 0xE9) {
33258+ regs->ax = addr1;
33259+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
33260+ return 2;
33261+ }
33262+ } while (0);
33263+
33264+ do { /* PaX: gcc trampoline emulation #1 */
33265+ unsigned char mov1, mov2;
33266+ unsigned short jmp;
33267+ unsigned int addr1, addr2;
33268+
33269+#ifdef CONFIG_X86_64
33270+ if ((regs->ip + 11) >> 32)
33271+ break;
33272+#endif
33273+
33274+ err = get_user(mov1, (unsigned char __user *)regs->ip);
33275+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33276+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
33277+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33278+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
33279+
33280+ if (err)
33281+ break;
33282+
33283+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
33284+ regs->cx = addr1;
33285+ regs->ax = addr2;
33286+ regs->ip = addr2;
33287+ return 2;
33288+ }
33289+ } while (0);
33290+
33291+ do { /* PaX: gcc trampoline emulation #2 */
33292+ unsigned char mov, jmp;
33293+ unsigned int addr1, addr2;
33294+
33295+#ifdef CONFIG_X86_64
33296+ if ((regs->ip + 9) >> 32)
33297+ break;
33298+#endif
33299+
33300+ err = get_user(mov, (unsigned char __user *)regs->ip);
33301+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33302+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
33303+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33304+
33305+ if (err)
33306+ break;
33307+
33308+ if (mov == 0xB9 && jmp == 0xE9) {
33309+ regs->cx = addr1;
33310+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
33311+ return 2;
33312+ }
33313+ } while (0);
33314+
33315+ return 1; /* PaX in action */
33316+}
33317+
33318+#ifdef CONFIG_X86_64
33319+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
33320+{
33321+ int err;
33322+
33323+ do { /* PaX: libffi trampoline emulation */
33324+ unsigned short mov1, mov2, jmp1;
33325+ unsigned char stcclc, jmp2;
33326+ unsigned long addr1, addr2;
33327+
33328+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33329+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
33330+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
33331+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
33332+ err |= get_user(stcclc, (unsigned char __user *)(regs->ip + 20));
33333+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 21));
33334+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 23));
33335+
33336+ if (err)
33337+ break;
33338+
33339+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && (stcclc == 0xF8 || stcclc == 0xF9) && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33340+ regs->r11 = addr1;
33341+ regs->r10 = addr2;
33342+ if (stcclc == 0xF8)
33343+ regs->flags &= ~X86_EFLAGS_CF;
33344+ else
33345+ regs->flags |= X86_EFLAGS_CF;
33346+ regs->ip = addr1;
33347+ return 2;
33348+ }
33349+ } while (0);
33350+
33351+ do { /* PaX: gcc trampoline emulation #1 */
33352+ unsigned short mov1, mov2, jmp1;
33353+ unsigned char jmp2;
33354+ unsigned int addr1;
33355+ unsigned long addr2;
33356+
33357+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33358+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
33359+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
33360+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
33361+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
33362+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
33363+
33364+ if (err)
33365+ break;
33366+
33367+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33368+ regs->r11 = addr1;
33369+ regs->r10 = addr2;
33370+ regs->ip = addr1;
33371+ return 2;
33372+ }
33373+ } while (0);
33374+
33375+ do { /* PaX: gcc trampoline emulation #2 */
33376+ unsigned short mov1, mov2, jmp1;
33377+ unsigned char jmp2;
33378+ unsigned long addr1, addr2;
33379+
33380+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33381+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
33382+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
33383+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
33384+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
33385+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
33386+
33387+ if (err)
33388+ break;
33389+
33390+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33391+ regs->r11 = addr1;
33392+ regs->r10 = addr2;
33393+ regs->ip = addr1;
33394+ return 2;
33395+ }
33396+ } while (0);
33397+
33398+ return 1; /* PaX in action */
33399+}
33400+#endif
33401+
33402+/*
33403+ * PaX: decide what to do with offenders (regs->ip = fault address)
33404+ *
33405+ * returns 1 when task should be killed
33406+ * 2 when gcc trampoline was detected
33407+ */
33408+static int pax_handle_fetch_fault(struct pt_regs *regs)
33409+{
33410+ if (v8086_mode(regs))
33411+ return 1;
33412+
33413+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
33414+ return 1;
33415+
33416+#ifdef CONFIG_X86_32
33417+ return pax_handle_fetch_fault_32(regs);
33418+#else
33419+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
33420+ return pax_handle_fetch_fault_32(regs);
33421+ else
33422+ return pax_handle_fetch_fault_64(regs);
33423+#endif
33424+}
33425+#endif
33426+
33427+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33428+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
33429+{
33430+ long i;
33431+
33432+ printk(KERN_ERR "PAX: bytes at PC: ");
33433+ for (i = 0; i < 20; i++) {
33434+ unsigned char c;
33435+ if (get_user(c, (unsigned char __force_user *)pc+i))
33436+ printk(KERN_CONT "?? ");
33437+ else
33438+ printk(KERN_CONT "%02x ", c);
33439+ }
33440+ printk("\n");
33441+
33442+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
33443+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
33444+ unsigned long c;
33445+ if (get_user(c, (unsigned long __force_user *)sp+i)) {
33446+#ifdef CONFIG_X86_32
33447+ printk(KERN_CONT "???????? ");
33448+#else
33449+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)))
33450+ printk(KERN_CONT "???????? ???????? ");
33451+ else
33452+ printk(KERN_CONT "???????????????? ");
33453+#endif
33454+ } else {
33455+#ifdef CONFIG_X86_64
33456+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) {
33457+ printk(KERN_CONT "%08x ", (unsigned int)c);
33458+ printk(KERN_CONT "%08x ", (unsigned int)(c >> 32));
33459+ } else
33460+#endif
33461+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
33462+ }
33463+ }
33464+ printk("\n");
33465+}
33466+#endif
33467+
33468+/**
33469+ * probe_kernel_write(): safely attempt to write to a location
33470+ * @dst: address to write to
33471+ * @src: pointer to the data that shall be written
33472+ * @size: size of the data chunk
33473+ *
33474+ * Safely write to address @dst from the buffer at @src. If a kernel fault
33475+ * happens, handle that and return -EFAULT.
33476+ */
33477+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
33478+{
33479+ long ret;
33480+ mm_segment_t old_fs = get_fs();
33481+
33482+ set_fs(KERNEL_DS);
33483+ pagefault_disable();
33484+ pax_open_kernel();
33485+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
33486+ pax_close_kernel();
33487+ pagefault_enable();
33488+ set_fs(old_fs);
33489+
33490+ return ret ? -EFAULT : 0;
33491+}
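Review bot: The trampoline matchers in `pax_handle_fetch_fault_32()` and `pax_handle_fetch_fault_64()` compare user bytes against bare opcode constants (`0xB8`, `0xE9`, `0xE0FF`, `0xBB49`, `0xFF49` with `0xE3`, and so on) without saying which instruction sequence each block accepts. These patterns are exactly what the kernel agrees to emulate from a non-executable page when `MF_PAX_EMUTRAMP` is set, so each block should carry the decoded sequence. For the first 32-bit block that would be `/* b8 imm32: mov $imm32,%eax; e9 rel32: jmp rel32 */`, and for the last 64-bit block `/* 49 bb imm64: movabs $imm64,%r11; 49 ba imm64: movabs $imm64,%r10; 49 ff e3: jmp *%r11 */`. The header comment on `pax_handle_fetch_fault()` also says 2 means `gcc trampoline was detected`, although the libffi blocks return 2 as well.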
33492diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
33493index 81bf3d2..7ef25c2 100644
33494--- a/arch/x86/mm/gup.c
33495+++ b/arch/x86/mm/gup.c
33496@@ -268,7 +268,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
33497 addr = start;
33498 len = (unsigned long) nr_pages << PAGE_SHIFT;
33499 end = start + len;
33500- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
33501+ if (unlikely(!access_ok_noprefault(write ? VERIFY_WRITE : VERIFY_READ,
33502 (void __user *)start, len)))
33503 return 0;
33504
33505@@ -344,6 +344,10 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
33506 goto slow_irqon;
33507 #endif
33508
33509+ if (unlikely(!access_ok_noprefault(write ? VERIFY_WRITE : VERIFY_READ,
33510+ (void __user *)start, len)))
33511+ return 0;
33512+
33513 /*
33514 * XXX: batch / limit 'nr', to avoid large irq off latency
33515 * needs some instrumenting to determine the common sizes used by
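Review bot: The check added to `get_user_pages_fast()` returns 0 when `access_ok_noprefault()` rejects the range, while the range check visible just above it bails out with `goto slow_irqon`. If, as in upstream, this function is documented to return a negative errno when no pages were pinned (that kerneldoc is not visible in the hunk), a caller that only tests for a negative result would treat 0 as success with nothing pinned. Either `goto slow_irqon;`, so the slow path produces the error, or `return -EFAULT;` would be consistent; returning 0 fits only `__get_user_pages_fast()` in the previous hunk. The function body starts and ends outside the hunk.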
33516diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
33517index eecb207a..ad42a30 100644
33518--- a/arch/x86/mm/highmem_32.c
33519+++ b/arch/x86/mm/highmem_32.c
33520@@ -45,7 +45,9 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
33521 idx = type + KM_TYPE_NR*smp_processor_id();
33522 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
33523 BUG_ON(!pte_none(*(kmap_pte-idx)));
33524+
33525 set_pte(kmap_pte-idx, mk_pte(page, prot));
33526+
33527 arch_flush_lazy_mmu_mode();
33528
33529 return (void *)vaddr;
33530diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
33531index 42982b2..7168fc3 100644
33532--- a/arch/x86/mm/hugetlbpage.c
33533+++ b/arch/x86/mm/hugetlbpage.c
33534@@ -74,23 +74,24 @@ int pud_huge(pud_t pud)
33535 #ifdef CONFIG_HUGETLB_PAGE
33536 static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
33537 unsigned long addr, unsigned long len,
33538- unsigned long pgoff, unsigned long flags)
33539+ unsigned long pgoff, unsigned long flags, unsigned long offset)
33540 {
33541 struct hstate *h = hstate_file(file);
33542 struct vm_unmapped_area_info info;
33543-
33544+
33545 info.flags = 0;
33546 info.length = len;
33547 info.low_limit = current->mm->mmap_legacy_base;
33548 info.high_limit = TASK_SIZE;
33549 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
33550 info.align_offset = 0;
33551+ info.threadstack_offset = offset;
33552 return vm_unmapped_area(&info);
33553 }
33554
33555 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33556 unsigned long addr0, unsigned long len,
33557- unsigned long pgoff, unsigned long flags)
33558+ unsigned long pgoff, unsigned long flags, unsigned long offset)
33559 {
33560 struct hstate *h = hstate_file(file);
33561 struct vm_unmapped_area_info info;
33562@@ -102,6 +103,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33563 info.high_limit = current->mm->mmap_base;
33564 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
33565 info.align_offset = 0;
33566+ info.threadstack_offset = offset;
33567 addr = vm_unmapped_area(&info);
33568
33569 /*
33570@@ -114,6 +116,12 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33571 VM_BUG_ON(addr != -ENOMEM);
33572 info.flags = 0;
33573 info.low_limit = TASK_UNMAPPED_BASE;
33574+
33575+#ifdef CONFIG_PAX_RANDMMAP
33576+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
33577+ info.low_limit += current->mm->delta_mmap;
33578+#endif
33579+
33580 info.high_limit = TASK_SIZE;
33581 addr = vm_unmapped_area(&info);
33582 }
33583@@ -128,10 +136,20 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
33584 struct hstate *h = hstate_file(file);
33585 struct mm_struct *mm = current->mm;
33586 struct vm_area_struct *vma;
33587+ unsigned long pax_task_size = TASK_SIZE;
33588+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
33589
33590 if (len & ~huge_page_mask(h))
33591 return -EINVAL;
33592- if (len > TASK_SIZE)
33593+
33594+#ifdef CONFIG_PAX_SEGMEXEC
33595+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
33596+ pax_task_size = SEGMEXEC_TASK_SIZE;
33597+#endif
33598+
33599+ pax_task_size -= PAGE_SIZE;
33600+
33601+ if (len > pax_task_size)
33602 return -ENOMEM;
33603
33604 if (flags & MAP_FIXED) {
33605@@ -140,19 +158,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
33606 return addr;
33607 }
33608
33609+#ifdef CONFIG_PAX_RANDMMAP
33610+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
33611+#endif
33612+
33613 if (addr) {
33614 addr = ALIGN(addr, huge_page_size(h));
33615 vma = find_vma(mm, addr);
33616- if (TASK_SIZE - len >= addr &&
33617- (!vma || addr + len <= vma->vm_start))
33618+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
33619 return addr;
33620 }
33621 if (mm->get_unmapped_area == arch_get_unmapped_area)
33622 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
33623- pgoff, flags);
33624+ pgoff, flags, offset);
33625 else
33626 return hugetlb_get_unmapped_area_topdown(file, addr, len,
33627- pgoff, flags);
33628+ pgoff, flags, offset);
33629 }
33630 #endif /* CONFIG_HUGETLB_PAGE */
33631
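Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` guard leaves a brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the following `if (addr) { ... }` block, separated from it by `#endif` and a blank line. It compiles as intended, but any statement later inserted between the two silently becomes the conditional body, and the caller-supplied address hint would then be honoured again even with RANDMMAP active. At minimum the guard needs a comment such as `/* RANDMMAP: ignore the address hint; the if below is this statement's body */`, and the blank line between them should go. The function starts outside the hunk.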
33632diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
33633index 8533b46..8c83176 100644
33634--- a/arch/x86/mm/init.c
33635+++ b/arch/x86/mm/init.c
33636@@ -4,6 +4,7 @@
33637 #include <linux/swap.h>
33638 #include <linux/memblock.h>
33639 #include <linux/bootmem.h> /* for max_low_pfn */
33640+#include <linux/tboot.h>
33641
33642 #include <asm/cacheflush.h>
33643 #include <asm/e820.h>
33644@@ -17,6 +18,8 @@
33645 #include <asm/proto.h>
33646 #include <asm/dma.h> /* for MAX_DMA_PFN */
33647 #include <asm/microcode.h>
33648+#include <asm/desc.h>
33649+#include <asm/bios_ebda.h>
33650
33651 /*
33652 * We need to define the tracepoints somewhere, and tlb.c
33653@@ -615,7 +618,18 @@ void __init init_mem_mapping(void)
33654 early_ioremap_page_table_range_init();
33655 #endif
33656
33657+#ifdef CONFIG_PAX_PER_CPU_PGD
33658+ clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY,
33659+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
33660+ KERNEL_PGD_PTRS);
33661+ clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY,
33662+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
33663+ KERNEL_PGD_PTRS);
33664+ load_cr3(get_cpu_pgd(0, kernel));
33665+#else
33666 load_cr3(swapper_pg_dir);
33667+#endif
33668+
33669 __flush_tlb_all();
33670
33671 early_memtest(0, max_pfn_mapped << PAGE_SHIFT);
33672@@ -631,10 +645,40 @@ void __init init_mem_mapping(void)
33673 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
33674 * mmio resources as well as potential bios/acpi data regions.
33675 */
33676+
33677+#ifdef CONFIG_GRKERNSEC_KMEM
33678+static unsigned int ebda_start __read_only;
33679+static unsigned int ebda_end __read_only;
33680+#endif
33681+
33682 int devmem_is_allowed(unsigned long pagenr)
33683 {
33684- if (pagenr < 256)
33685+#ifdef CONFIG_GRKERNSEC_KMEM
33686+ /* allow BDA */
33687+ if (!pagenr)
33688 return 1;
33689+ /* allow EBDA */
33690+ if (pagenr >= ebda_start && pagenr < ebda_end)
33691+ return 1;
33692+ /* if tboot is in use, allow access to its hardcoded serial log range */
33693+ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))
33694+ return 1;
33695+#else
33696+ if (!pagenr)
33697+ return 1;
33698+#ifdef CONFIG_VM86
33699+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
33700+ return 1;
33701+#endif
33702+#endif
33703+
33704+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
33705+ return 1;
33706+#ifdef CONFIG_GRKERNSEC_KMEM
33707+ /* throw out everything else below 1MB */
33708+ if (pagenr <= 256)
33709+ return 0;
33710+#endif
33711 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
33712 return 0;
33713 if (!page_is_ram(pagenr))
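Review bot: The CONFIG_GRKERNSEC_KMEM cut-off `if (pagenr <= 256) return 0;` does not match its comment `throw out everything else below 1MB`. With 4 KiB pages, page 256 is the first page at 1 MiB rather than below it, and the ISA check just above uses an exclusive bound, `pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT)`. If denying that page is intended, the comment should say so; otherwise a bound written as `if (pagenr < (0x100000 >> PAGE_SHIFT))` removes both the off-by-one and the magic number. The function continues past the end of the hunk.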
33714@@ -680,8 +724,127 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
33715 #endif
33716 }
33717
33718+#ifdef CONFIG_GRKERNSEC_KMEM
33719+static inline void gr_init_ebda(void)
33720+{
33721+ unsigned int ebda_addr;
33722+ unsigned int ebda_size = 0;
33723+
33724+ ebda_addr = get_bios_ebda();
33725+ if (ebda_addr) {
33726+ ebda_size = *(unsigned char *)phys_to_virt(ebda_addr);
33727+ ebda_size <<= 10;
33728+ }
33729+ if (ebda_addr && ebda_size) {
33730+ ebda_start = ebda_addr >> PAGE_SHIFT;
33731+ ebda_end = min((unsigned int)PAGE_ALIGN(ebda_addr + ebda_size), (unsigned int)0xa0000) >> PAGE_SHIFT;
33732+ } else {
33733+ ebda_start = 0x9f000 >> PAGE_SHIFT;
33734+ ebda_end = 0xa0000 >> PAGE_SHIFT;
33735+ }
33736+}
33737+#else
33738+static inline void gr_init_ebda(void) { }
33739+#endif
33740+
33741 void free_initmem(void)
33742 {
33743+#ifdef CONFIG_PAX_KERNEXEC
33744+#ifdef CONFIG_X86_32
33745+ /* PaX: limit KERNEL_CS to actual size */
33746+ unsigned long addr, limit;
33747+ struct desc_struct d;
33748+ int cpu;
33749+#else
33750+ pgd_t *pgd;
33751+ pud_t *pud;
33752+ pmd_t *pmd;
33753+ unsigned long addr, end;
33754+#endif
33755+#endif
33756+
33757+ gr_init_ebda();
33758+
33759+#ifdef CONFIG_PAX_KERNEXEC
33760+#ifdef CONFIG_X86_32
33761+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
33762+ limit = (limit - 1UL) >> PAGE_SHIFT;
33763+
33764+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
33765+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
33766+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
33767+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
33768+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
33769+ }
33770+
33771+ /* PaX: make KERNEL_CS read-only */
33772+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
33773+ if (!paravirt_enabled())
33774+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
33775+/*
33776+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
33777+ pgd = pgd_offset_k(addr);
33778+ pud = pud_offset(pgd, addr);
33779+ pmd = pmd_offset(pud, addr);
33780+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
33781+ }
33782+*/
33783+#ifdef CONFIG_X86_PAE
33784+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
33785+/*
33786+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
33787+ pgd = pgd_offset_k(addr);
33788+ pud = pud_offset(pgd, addr);
33789+ pmd = pmd_offset(pud, addr);
33790+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
33791+ }
33792+*/
33793+#endif
33794+
33795+#ifdef CONFIG_MODULES
33796+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
33797+#endif
33798+
33799+#else
33800+ /* PaX: make kernel code/rodata read-only, rest non-executable */
33801+ set_memory_ro((unsigned long)_text, ((unsigned long)(_sdata - _text) >> PAGE_SHIFT));
33802+ set_memory_nx((unsigned long)_sdata, (__START_KERNEL_map + KERNEL_IMAGE_SIZE - (unsigned long)_sdata) >> PAGE_SHIFT);
33803+
33804+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
33805+ pgd = pgd_offset_k(addr);
33806+ pud = pud_offset(pgd, addr);
33807+ pmd = pmd_offset(pud, addr);
33808+ if (!pmd_present(*pmd))
33809+ continue;
33810+ if (addr >= (unsigned long)_text)
33811+ BUG_ON(!pmd_large(*pmd));
33812+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
33813+ BUG_ON(pmd_write(*pmd));
33814+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
33815+ else
33816+ BUG_ON(!(pmd_flags(*pmd) & _PAGE_NX));
33817+// set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
33818+ }
33819+
33820+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
33821+ end = addr + KERNEL_IMAGE_SIZE;
33822+ for (; addr < end; addr += PMD_SIZE) {
33823+ pgd = pgd_offset_k(addr);
33824+ pud = pud_offset(pgd, addr);
33825+ pmd = pmd_offset(pud, addr);
33826+ if (!pmd_present(*pmd))
33827+ continue;
33828+ if (addr >= (unsigned long)_text)
33829+ BUG_ON(!pmd_large(*pmd));
33830+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
33831+ BUG_ON(pmd_write(*pmd));
33832+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
33833+ }
33834+#endif
33835+
33836+ flush_tlb_all();
33837+#endif
33838+
33839 free_init_pages("unused kernel",
33840 (unsigned long)(&__init_begin),
33841 (unsigned long)(&__init_end));
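Review bot: `gr_init_ebda()` takes the EBDA address from `get_bios_ebda()` and the size from the first byte at that address, and only clamps the upper end to `0xa0000`; nothing bounds `ebda_addr` from below. A bogus firmware pointer would therefore widen the window that `devmem_is_allowed()` opens under CONFIG_GRKERNSEC_KMEM to as much as 255 KiB of low memory, instead of falling back to the `0x9f000` default. A floor check before trusting the value keeps the exception tight, e.g. `if (ebda_addr < EBDA_MIN_ADDR) ebda_addr = 0;`, where `EBDA_MIN_ADDR` is a placeholder for whatever lower limit the project considers sane. `free_initmem()` itself continues outside the hunk.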
33842diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
33843index 68aec42..95ad5d3 100644
33844--- a/arch/x86/mm/init_32.c
33845+++ b/arch/x86/mm/init_32.c
33846@@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void);
33847 bool __read_mostly __vmalloc_start_set = false;
33848
33849 /*
33850- * Creates a middle page table and puts a pointer to it in the
33851- * given global directory entry. This only returns the gd entry
33852- * in non-PAE compilation mode, since the middle layer is folded.
33853- */
33854-static pmd_t * __init one_md_table_init(pgd_t *pgd)
33855-{
33856- pud_t *pud;
33857- pmd_t *pmd_table;
33858-
33859-#ifdef CONFIG_X86_PAE
33860- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
33861- pmd_table = (pmd_t *)alloc_low_page();
33862- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
33863- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
33864- pud = pud_offset(pgd, 0);
33865- BUG_ON(pmd_table != pmd_offset(pud, 0));
33866-
33867- return pmd_table;
33868- }
33869-#endif
33870- pud = pud_offset(pgd, 0);
33871- pmd_table = pmd_offset(pud, 0);
33872-
33873- return pmd_table;
33874-}
33875-
33876-/*
33877 * Create a page table and place a pointer to it in a middle page
33878 * directory entry:
33879 */
33880@@ -98,13 +71,28 @@ static pte_t * __init one_page_table_init(pmd_t *pmd)
33881 pte_t *page_table = (pte_t *)alloc_low_page();
33882
33883 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
33884+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33885+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
33886+#else
33887 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
33888+#endif
33889 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
33890 }
33891
33892 return pte_offset_kernel(pmd, 0);
33893 }
33894
33895+static pmd_t * __init one_md_table_init(pgd_t *pgd)
33896+{
33897+ pud_t *pud;
33898+ pmd_t *pmd_table;
33899+
33900+ pud = pud_offset(pgd, 0);
33901+ pmd_table = pmd_offset(pud, 0);
33902+
33903+ return pmd_table;
33904+}
33905+
33906 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
33907 {
33908 int pgd_idx = pgd_index(vaddr);
33909@@ -209,6 +197,7 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
33910 int pgd_idx, pmd_idx;
33911 unsigned long vaddr;
33912 pgd_t *pgd;
33913+ pud_t *pud;
33914 pmd_t *pmd;
33915 pte_t *pte = NULL;
33916 unsigned long count = page_table_range_init_count(start, end);
33917@@ -223,8 +212,13 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
33918 pgd = pgd_base + pgd_idx;
33919
33920 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
33921- pmd = one_md_table_init(pgd);
33922- pmd = pmd + pmd_index(vaddr);
33923+ pud = pud_offset(pgd, vaddr);
33924+ pmd = pmd_offset(pud, vaddr);
33925+
33926+#ifdef CONFIG_X86_PAE
33927+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
33928+#endif
33929+
33930 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
33931 pmd++, pmd_idx++) {
33932 pte = page_table_kmap_check(one_page_table_init(pmd),
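Review bot: Under CONFIG_X86_PAE the loop now calls `paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT)` for every pgd entry it visits. The removed `one_md_table_init()` (see the `@@ -62,33 +62,6 @@` hunk) issued that call only when it had just allocated a fresh pmd page. The same unconditional call is added to the `repeat:` loop of `kernel_physical_mapping_init`, which by its label runs more than once. If the pmd pages are now pre-allocated this is presumably harmless on bare metal, but a paravirt backend would be notified repeatedly for the same page, so a comment stating why that is safe would settle it. The function starts and ends outside the hunk.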
33933@@ -236,11 +230,20 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
33934 }
33935 }
33936
33937-static inline int is_kernel_text(unsigned long addr)
33938+static inline int is_kernel_text(unsigned long start, unsigned long end)
33939 {
33940- if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
33941- return 1;
33942- return 0;
33943+ if ((start >= ktla_ktva((unsigned long)_etext) ||
33944+ end <= ktla_ktva((unsigned long)_stext)) &&
33945+ (start >= ktla_ktva((unsigned long)_einittext) ||
33946+ end <= ktla_ktva((unsigned long)_sinittext)) &&
33947+
33948+#ifdef CONFIG_ACPI_SLEEP
33949+ (start >= (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
33950+#endif
33951+
33952+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
33953+ return 0;
33954+ return 1;
33955 }
33956
33957 /*
33958@@ -257,9 +260,10 @@ kernel_physical_mapping_init(unsigned long start,
33959 unsigned long last_map_addr = end;
33960 unsigned long start_pfn, end_pfn;
33961 pgd_t *pgd_base = swapper_pg_dir;
33962- int pgd_idx, pmd_idx, pte_ofs;
33963+ unsigned int pgd_idx, pmd_idx, pte_ofs;
33964 unsigned long pfn;
33965 pgd_t *pgd;
33966+ pud_t *pud;
33967 pmd_t *pmd;
33968 pte_t *pte;
33969 unsigned pages_2m, pages_4k;
33970@@ -292,8 +296,13 @@ repeat:
33971 pfn = start_pfn;
33972 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
33973 pgd = pgd_base + pgd_idx;
33974- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
33975- pmd = one_md_table_init(pgd);
33976+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
33977+ pud = pud_offset(pgd, 0);
33978+ pmd = pmd_offset(pud, 0);
33979+
33980+#ifdef CONFIG_X86_PAE
33981+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
33982+#endif
33983
33984 if (pfn >= end_pfn)
33985 continue;
33986@@ -305,14 +314,13 @@ repeat:
33987 #endif
33988 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
33989 pmd++, pmd_idx++) {
33990- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
33991+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
33992
33993 /*
33994 * Map with big pages if possible, otherwise
33995 * create normal page tables:
33996 */
33997 if (use_pse) {
33998- unsigned int addr2;
33999 pgprot_t prot = PAGE_KERNEL_LARGE;
34000 /*
34001 * first pass will use the same initial
34002@@ -323,11 +331,7 @@ repeat:
34003 _PAGE_PSE);
34004
34005 pfn &= PMD_MASK >> PAGE_SHIFT;
34006- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
34007- PAGE_OFFSET + PAGE_SIZE-1;
34008-
34009- if (is_kernel_text(addr) ||
34010- is_kernel_text(addr2))
34011+ if (is_kernel_text(address, address + PMD_SIZE))
34012 prot = PAGE_KERNEL_LARGE_EXEC;
34013
34014 pages_2m++;
34015@@ -344,7 +348,7 @@ repeat:
34016 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
34017 pte += pte_ofs;
34018 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
34019- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
34020+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
34021 pgprot_t prot = PAGE_KERNEL;
34022 /*
34023 * first pass will use the same initial
34024@@ -352,7 +356,7 @@ repeat:
34025 */
34026 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
34027
34028- if (is_kernel_text(addr))
34029+ if (is_kernel_text(address, address + PAGE_SIZE))
34030 prot = PAGE_KERNEL_EXEC;
34031
34032 pages_4k++;
34033@@ -475,7 +479,7 @@ void __init native_pagetable_init(void)
34034
34035 pud = pud_offset(pgd, va);
34036 pmd = pmd_offset(pud, va);
34037- if (!pmd_present(*pmd))
34038+ if (!pmd_present(*pmd)) // PAX TODO || pmd_large(*pmd))
34039 break;
34040
34041 /* should not be large page here */
34042@@ -533,12 +537,10 @@ void __init early_ioremap_page_table_range_init(void)
34043
34044 static void __init pagetable_init(void)
34045 {
34046- pgd_t *pgd_base = swapper_pg_dir;
34047-
34048- permanent_kmaps_init(pgd_base);
34049+ permanent_kmaps_init(swapper_pg_dir);
34050 }
34051
34052-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL);
34053+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL);
34054 EXPORT_SYMBOL_GPL(__supported_pte_mask);
34055
34056 /* user-defined highmem size */
34057@@ -788,10 +790,10 @@ void __init mem_init(void)
34058 ((unsigned long)&__init_end -
34059 (unsigned long)&__init_begin) >> 10,
34060
34061- (unsigned long)&_etext, (unsigned long)&_edata,
34062- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
34063+ (unsigned long)&_sdata, (unsigned long)&_edata,
34064+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
34065
34066- (unsigned long)&_text, (unsigned long)&_etext,
34067+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
34068 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
34069
34070 /*
34071@@ -885,6 +887,7 @@ void set_kernel_text_rw(void)
34072 if (!kernel_set_to_readonly)
34073 return;
34074
34075+ start = ktla_ktva(start);
34076 pr_debug("Set kernel text: %lx - %lx for read write\n",
34077 start, start+size);
34078
34079@@ -899,6 +902,7 @@ void set_kernel_text_ro(void)
34080 if (!kernel_set_to_readonly)
34081 return;
34082
34083+ start = ktla_ktva(start);
34084 pr_debug("Set kernel text: %lx - %lx for read only\n",
34085 start, start+size);
34086
34087@@ -927,6 +931,7 @@ void mark_rodata_ro(void)
34088 unsigned long start = PFN_ALIGN(_text);
34089 unsigned long size = PFN_ALIGN(_etext) - start;
34090
34091+ start = ktla_ktva(start);
34092 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
34093 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
34094 size >> 10);
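--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -136,7 +136,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
 * around without checking the pgd every time.
 */
 
-pteval_t __supported_pte_mask __read_mostly = ~0;
+pteval_t __supported_pte_mask __read_only = ~_PAGE_NX;
 EXPORT_SYMBOL_GPL(__supported_pte_mask);
 
 int force_personality32;
@@ -169,7 +169,12 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
 
 for (address = start; address <= end; address += PGDIR_SIZE) {
 const pgd_t *pgd_ref = pgd_offset_k(address);
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ unsigned long cpu;
+#else
 struct page *page;
+#endif
 
 /*
 * When it is called after memory hot remove, pgd_none()
@@ -180,6 +185,25 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
 continue;
 
 spin_lock(&pgd_lock);
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
+ pgd_t *pgd = pgd_offset_cpu(cpu, user, address);
+
+ if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
+ BUG_ON(pgd_page_vaddr(*pgd)
+ != pgd_page_vaddr(*pgd_ref));
+
+ if (removed) {
+ if (pgd_none(*pgd_ref) && !pgd_none(*pgd))
+ pgd_clear(pgd);
+ } else {
+ if (pgd_none(*pgd))
+ set_pgd(pgd, *pgd_ref);
+ }
+
+ pgd = pgd_offset_cpu(cpu, kernel, address);
+#else
 list_for_each_entry(page, &pgd_list, lru) {
 pgd_t *pgd;
 spinlock_t *pgt_lock;
@@ -188,6 +212,7 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
 /* the pgt_lock only for Xen */
 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
 spin_lock(pgt_lock);
+#endif
 
 if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
 BUG_ON(pgd_page_vaddr(*pgd)
@@ -201,7 +226,10 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
 set_pgd(pgd, *pgd_ref);
 }
 
+#ifndef CONFIG_PAX_PER_CPU_PGD
 spin_unlock(pgt_lock);
+#endif
+
 }
 spin_unlock(&pgd_lock);
 }
@@ -234,7 +262,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr)
 {
 if (pgd_none(*pgd)) {
 pud_t *pud = (pud_t *)spp_getpage();
- pgd_populate(&init_mm, pgd, pud);
+ pgd_populate_kernel(&init_mm, pgd, pud);
 if (pud != pud_offset(pgd, 0))
 printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n",
 pud, pud_offset(pgd, 0));
@@ -246,7 +274,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr)
 {
 if (pud_none(*pud)) {
 pmd_t *pmd = (pmd_t *) spp_getpage();
- pud_populate(&init_mm, pud, pmd);
+ pud_populate_kernel(&init_mm, pud, pmd);
 if (pmd != pmd_offset(pud, 0))
 printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n",
 pmd, pmd_offset(pud, 0));
@@ -337,14 +365,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
 pgd = pgd_offset_k((unsigned long)__va(phys));
 if (pgd_none(*pgd)) {
 pud = (pud_t *) spp_getpage();
- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
- _PAGE_USER));
+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
 }
 pud = pud_offset(pgd, (unsigned long)__va(phys));
 if (pud_none(*pud)) {
 pmd = (pmd_t *) spp_getpage();
- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
- _PAGE_USER));
+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
 }
 pmd = pmd_offset(pud, phys);
 BUG_ON(!pmd_none(*pmd));
@@ -585,7 +611,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
 prot);
 
 spin_lock(&init_mm.page_table_lock);
- pud_populate(&init_mm, pud, pmd);
+ pud_populate_kernel(&init_mm, pud, pmd);
 spin_unlock(&init_mm.page_table_lock);
 }
 __flush_tlb_all();
@@ -626,7 +652,7 @@ kernel_physical_mapping_init(unsigned long start,
 page_size_mask);
 
 spin_lock(&init_mm.page_table_lock);
- pgd_populate(&init_mm, pgd, pud);
+ pgd_populate_kernel(&init_mm, pgd, pud);
 spin_unlock(&init_mm.page_table_lock);
 pgd_changed = true;
 }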
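Review bot: In the sync_global_pgds() hunks the CONFIG_PAX_PER_CPU_PGD branch repeats the BUG_ON / pgd_clear / set_pgd sequence inline for the user PGD and then falls through to the shared tail for the kernel PGD, so the two copies can drift apart on a later edit. A static helper called once per PGD would keep a single copy; the shared tail is only partly visible in the hunks, so the sketch below assumes it matches the inlined copy. The per-CPU branch also skips the pgt_lock that the list walk takes, and a one-line comment stating that pgd_lock alone serialises updates to the per-CPU PGDs (if that is the intent) would help the next reader.

```c
/* Bring one PGD slot in line with the reference entry; caller holds pgd_lock. */
static void sync_one_pgd(pgd_t *pgd, const pgd_t *pgd_ref, int removed)
{
	if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
		BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));

	if (removed) {
		if (pgd_none(*pgd_ref) && !pgd_none(*pgd))
			pgd_clear(pgd);
	} else {
		if (pgd_none(*pgd))
			set_pgd(pgd, *pgd_ref);
	}
}

/* … unchanged: loop over address, pgd_none() early continue, spin_lock(&pgd_lock) … */
#ifdef CONFIG_PAX_PER_CPU_PGD
		for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
			sync_one_pgd(pgd_offset_cpu(cpu, user, address), pgd_ref, removed);
			sync_one_pgd(pgd_offset_cpu(cpu, kernel, address), pgd_ref, removed);
		}
#else
		/* … unchanged: list_for_each_entry() walk under pgt_lock … */
#endif
```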
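--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -59,8 +59,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
 unsigned long i;
 
 for (i = 0; i < nr_pages; ++i)
- if (pfn_valid(start_pfn + i) &&
- !PageReserved(pfn_to_page(start_pfn + i)))
+ if (pfn_valid(start_pfn + i) && (start_pfn + i >= 0x100 ||
+ !PageReserved(pfn_to_page(start_pfn + i))))
 return 1;
 
 return 0;
@@ -332,7 +332,7 @@ EXPORT_SYMBOL(ioremap_prot);
 *
 * Caller must ensure there is only one unmapping for the same pointer.
 */
-void iounmap(volatile void __iomem *addr)
+void iounmap(const volatile void __iomem *addr)
 {
 struct vm_struct *p, *o;
 
@@ -395,31 +395,37 @@ int __init arch_ioremap_pmd_supported(void)
 */
 void *xlate_dev_mem_ptr(phys_addr_t phys)
 {
- unsigned long start = phys & PAGE_MASK;
- unsigned long offset = phys & ~PAGE_MASK;
- void *vaddr;
+ phys_addr_t pfn = phys >> PAGE_SHIFT;
 
- /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
- if (page_is_ram(start >> PAGE_SHIFT))
- return __va(phys);
+ if (page_is_ram(pfn)) {
+#ifdef CONFIG_HIGHMEM
+ if (pfn >= max_low_pfn)
+ return kmap_high(pfn_to_page(pfn));
+ else
+#endif
+ return __va(phys);
+ }
 
- vaddr = ioremap_cache(start, PAGE_SIZE);
- /* Only add the offset on success and return NULL if the ioremap() failed: */
- if (vaddr)
- vaddr += offset;
-
- return vaddr;
+ return (void __force *)ioremap_cache(phys, 1);
 }
 
 void unxlate_dev_mem_ptr(phys_addr_t phys, void *addr)
 {
- if (page_is_ram(phys >> PAGE_SHIFT))
+ phys_addr_t pfn = phys >> PAGE_SHIFT;
+
+ if (page_is_ram(pfn)) {
+#ifdef CONFIG_HIGHMEM
+ if (pfn >= max_low_pfn)
+ kunmap_high(pfn_to_page(pfn));
+#endif
 return;
+ }
 
- iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK));
+ iounmap((void __iomem __force *)addr);
 }
 
-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
+static pte_t __bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
+static pte_t *bm_pte __read_only = __bm_pte;
 
 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
 {
@@ -455,8 +461,14 @@ void __init early_ioremap_init(void)
 early_ioremap_setup();
 
 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
- memset(bm_pte, 0, sizeof(bm_pte));
- pmd_populate_kernel(&init_mm, pmd, bm_pte);
+ if (pmd_none(*pmd))
+#ifdef CONFIG_COMPAT_VDSO
+ pmd_populate_user(&init_mm, pmd, __bm_pte);
+#else
+ pmd_populate_kernel(&init_mm, pmd, __bm_pte);
+#endif
+ else
+ bm_pte = (pte_t *)pmd_page_vaddr(*pmd);
 
 /*
 * The boot-ioremap range spans multiple pmds, for which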
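Review bot: The CONFIG_HIGHMEM branch added to xlate_dev_mem_ptr() returns `kmap_high(pfn_to_page(pfn))`, which is the address of the start of the page, while the `__va(phys)` path keeps the offset inside the page and the removed code added it back explicitly after ioremap. A caller that passes an unaligned `phys` would then be handed the wrong bytes of a highmem page. Adding the offset back, `return kmap_high(pfn_to_page(pfn)) + (phys & ~PAGE_MASK);`, keeps the paths consistent. Separately, the `0x100` in the __ioremap_check_ram() hunk is an unexplained page-frame constant; a comment or a named constant for the boundary it encodes (presumably the first 1 MiB with 4 KiB pages) would make the exemption reviewable.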
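--- a/arch/x86/mm/kmemcheck/kmemcheck.c
+++ b/arch/x86/mm/kmemcheck/kmemcheck.c
@@ -628,9 +628,9 @@ bool kmemcheck_fault(struct pt_regs *regs, unsigned long address,
 * memory (e.g. tracked pages)? For now, we need this to avoid
 * invoking kmemcheck for PnP BIOS calls.
 */
- if (regs->flags & X86_VM_MASK)
+ if (v8086_mode(regs))
 return false;
- if (regs->cs != __KERNEL_CS)
+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
 return false;
 
 pte = kmemcheck_pte_lookup(address);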
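--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -52,7 +52,7 @@ static unsigned long stack_maxrandom_size(void)
 * Leave an at least ~128 MB hole with possible stack randomization.
 */
 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
-#define MAX_GAP (TASK_SIZE/6*5)
+#define MAX_GAP (pax_task_size/6*5)
 
 static int mmap_is_legacy(void)
 {
@@ -81,27 +81,40 @@ unsigned long arch_mmap_rnd(void)
 return rnd << PAGE_SHIFT;
 }
 
-static unsigned long mmap_base(unsigned long rnd)
+static unsigned long mmap_base(struct mm_struct *mm, unsigned long rnd)
 {
 unsigned long gap = rlimit(RLIMIT_STACK);
+ unsigned long pax_task_size = TASK_SIZE;
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
 
 if (gap < MIN_GAP)
 gap = MIN_GAP;
 else if (gap > MAX_GAP)
 gap = MAX_GAP;
 
- return PAGE_ALIGN(TASK_SIZE - gap - rnd);
+ return PAGE_ALIGN(pax_task_size - gap - rnd);
 }
 
 /*
 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
 * does, but not when emulating X86_32
 */
-static unsigned long mmap_legacy_base(unsigned long rnd)
+static unsigned long mmap_legacy_base(struct mm_struct *mm, unsigned long rnd)
 {
- if (mmap_is_ia32())
+ if (mmap_is_ia32()) {
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
+ return SEGMEXEC_TASK_UNMAPPED_BASE;
+ else
+#endif
+
 return TASK_UNMAPPED_BASE;
- else
+ } else
 return TASK_UNMAPPED_BASE + rnd;
 }
 
@@ -113,18 +126,29 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
 {
 unsigned long random_factor = 0UL;
 
+#ifdef CONFIG_PAX_RANDMMAP
+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
+#endif
 if (current->flags & PF_RANDOMIZE)
 random_factor = arch_mmap_rnd();
 
- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ mm->mmap_legacy_base = mmap_legacy_base(mm, random_factor);
 
 if (mmap_is_legacy()) {
 mm->mmap_base = mm->mmap_legacy_base;
 mm->get_unmapped_area = arch_get_unmapped_area;
 } else {
- mm->mmap_base = mmap_base(random_factor);
+ mm->mmap_base = mmap_base(mm, random_factor);
 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
 }
+
+#ifdef CONFIG_PAX_RANDMMAP
+ if (mm->pax_flags & MF_PAX_RANDMMAP) {
+ mm->mmap_legacy_base += mm->delta_mmap;
+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
+ }
+#endif
+
 }
 
 const char *arch_vma_name(struct vm_area_struct *vma)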
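Review bot: `MAX_GAP` now expands to `pax_task_size/6*5`, so the macro only compiles inside a function that happens to declare a local of that name; the only such use visible in these hunks is mmap_base(). Passing the size explicitly removes the hidden dependency: `#define MAX_GAP(task_size) ((task_size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` and `gap = MAX_GAP(pax_task_size);` at the use site. In arch_pick_mmap_layout() the `#ifdef CONFIG_PAX_RANDMMAP` guard stacks a second unbraced `if` on top of the PF_RANDOMIZE test; folding both into one braced condition would be harder to misread when the option is toggled.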
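--- a/arch/x86/mm/mmio-mod.c
+++ b/arch/x86/mm/mmio-mod.c
@@ -194,7 +194,7 @@ static void pre(struct kmmio_probe *p, struct pt_regs *regs,
 break;
 default:
 {
- unsigned char *ip = (unsigned char *)instptr;
+ unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
 my_trace->opcode = MMIO_UNKNOWN_OP;
 my_trace->width = 0;
 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
@@ -234,7 +234,7 @@ static void post(struct kmmio_probe *p, unsigned long condition,
 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
 void __iomem *addr)
 {
- static atomic_t next_id;
+ static atomic_unchecked_t next_id;
 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
 /* These are page-unaligned. */
 struct mmiotrace_map map = {
@@ -258,7 +258,7 @@ static void ioremap_trace_core(resource_size_t offset, unsigned long size,
 .private = trace
 },
 .phys = offset,
- .id = atomic_inc_return(&next_id)
+ .id = atomic_inc_return_unchecked(&next_id)
 };
 map.map_id = trace->id;
 
@@ -290,7 +290,7 @@ void mmiotrace_ioremap(resource_size_t offset, unsigned long size,
 ioremap_trace_core(offset, size, addr);
 }
 
-static void iounmap_trace_core(volatile void __iomem *addr)
+static void iounmap_trace_core(const volatile void __iomem *addr)
 {
 struct mmiotrace_map map = {
 .phys = 0,
@@ -328,7 +328,7 @@ not_enabled:
 }
 }
 
-void mmiotrace_iounmap(volatile void __iomem *addr)
+void mmiotrace_iounmap(const volatile void __iomem *addr)
 {
 might_sleep();
 if (is_enabled()) /* recheck and proper locking in *_core() */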
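Review bot: `static atomic_unchecked_t next_id;` in ioremap_trace_core() moves the trace id counter to the unchecked atomic type without saying why it is safe to do so. A comment at the declaration, for example `/* trace id only, not a reference count; wrap-around is harmless */`, would record the reasoning, assuming that is the intent of the change. The `ktla_ktva(instptr)` conversion in pre() would benefit from the same kind of one-line note, since the hunk does not show which address space instptr is expressed in.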
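--- a/arch/x86/mm/numa.c
+++ b/arch/x86/mm/numa.c
@@ -506,7 +506,7 @@ static void __init numa_clear_kernel_node_hotplug(void)
 }
 }
 
-static int __init numa_register_memblks(struct numa_meminfo *mi)
+static int __init __intentional_overflow(-1) numa_register_memblks(struct numa_meminfo *mi)
 {
 unsigned long uninitialized_var(pfn_align);
 int i, nid;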
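--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -260,7 +260,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
 */
 #ifdef CONFIG_PCI_BIOS
 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
- pgprot_val(forbidden) |= _PAGE_NX;
+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
 #endif
 
 /*
@@ -268,9 +268,10 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
 * Does not cover __inittext since that is gone later on. On
 * 64bit we do not enforce !NX on the low mapping
 */
- if (within(address, (unsigned long)_text, (unsigned long)_etext))
- pgprot_val(forbidden) |= _PAGE_NX;
+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
 
+#ifdef CONFIG_DEBUG_RODATA
 /*
 * The .rodata section needs to be read-only. Using the pfn
 * catches all aliases.
@@ -278,6 +279,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
 if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
 __pa_symbol(__end_rodata) >> PAGE_SHIFT))
 pgprot_val(forbidden) |= _PAGE_RW;
+#endif
 
 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
 /*
@@ -316,6 +318,13 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
 }
 #endif
 
+#ifdef CONFIG_PAX_KERNEXEC
+ if (within(pfn, __pa(ktla_ktva((unsigned long)&_text)), __pa((unsigned long)&_sdata))) {
+ pgprot_val(forbidden) |= _PAGE_RW;
+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
+ }
+#endif
+
 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
 
 return prot;
@@ -437,16 +446,28 @@ static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
 {
 /* change init_mm */
 set_pte_atomic(kpte, pte);
+
 #ifdef CONFIG_X86_32
 if (!SHARED_KERNEL_PMD) {
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ unsigned long cpu;
+#else
 struct page *page;
+#endif
 
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
+ pgd_t *pgd = get_cpu_pgd(cpu, kernel);
+#else
 list_for_each_entry(page, &pgd_list, lru) {
- pgd_t *pgd;
+ pgd_t *pgd = (pgd_t *)page_address(page);
+#endif
+
 pud_t *pud;
 pmd_t *pmd;
 
- pgd = (pgd_t *)page_address(page) + pgd_index(address);
+ pgd += pgd_index(address);
 pud = pud_offset(pgd, address);
 pmd = pmd_offset(pud, address);
 set_pte_atomic((pte_t *)pmd, pte);
@@ -505,7 +526,8 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
 * up accordingly.
 */
 old_pte = *kpte;
- old_prot = req_prot = pgprot_large_2_4k(pte_pgprot(old_pte));
+ old_prot = pte_pgprot(old_pte);
+ req_prot = pgprot_large_2_4k(old_prot);
 
 pgprot_val(req_prot) &= ~pgprot_val(cpa->mask_clr);
 pgprot_val(req_prot) |= pgprot_val(cpa->mask_set);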
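Review bot: The CONFIG_PAX_KERNEXEC block added to static_protections() compares `pfn` against `__pa(...)` values, which are byte addresses, whereas the .rodata check a few lines above shifts both of its bounds by PAGE_SHIFT. Unless `within()` is meant to take mixed units here, the range will not line up with the kernel text page frames and the RW/NX restriction will not be applied to them. The bounds should probably read `__pa(ktla_ktva((unsigned long)&_text)) >> PAGE_SHIFT` and `__pa((unsigned long)&_sdata) >> PAGE_SHIFT`. static_protections() starts and ends outside the hunks, and the definition of within() is not visible, so this needs confirming against the full file.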
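--- a/arch/x86/mm/pat.c
+++ b/arch/x86/mm/pat.c
@@ -588,7 +588,7 @@ int free_memtype(u64 start, u64 end)
 
 if (!entry) {
 pr_info("x86/PAT: %s:%d freeing invalid memtype [mem %#010Lx-%#010Lx]\n",
- current->comm, current->pid, start, end - 1);
+ current->comm, task_pid_nr(current), start, end - 1);
 return -EINVAL;
 }
 
@@ -711,8 +711,8 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
 
 while (cursor < to) {
 if (!devmem_is_allowed(pfn)) {
- pr_info("x86/PAT: Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx], PAT prevents it\n",
- current->comm, from, to - 1);
+ pr_info("x86/PAT: Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx] (%#010Lx), PAT prevents it\n",
+ current->comm, from, to - 1, cursor);
 return 0;
 }
 cursor += PAGE_SIZE;
@@ -782,7 +782,7 @@ int kernel_map_sync_memtype(u64 base, unsigned long size,
 
 if (ioremap_change_attr((unsigned long)__va(base), id_sz, pcm) < 0) {
 pr_info("x86/PAT: %s:%d ioremap_change_attr failed %s for [mem %#010Lx-%#010Lx]\n",
- current->comm, current->pid,
+ current->comm, task_pid_nr(current),
 cattr_name(pcm),
 base, (unsigned long long)(base + size-1));
 return -EINVAL;
@@ -817,7 +817,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
 pcm = lookup_memtype(paddr);
 if (want_pcm != pcm) {
 pr_warn("x86/PAT: %s:%d map pfn RAM range req %s for [mem %#010Lx-%#010Lx], got %s\n",
- current->comm, current->pid,
+ current->comm, task_pid_nr(current),
 cattr_name(want_pcm),
 (unsigned long long)paddr,
 (unsigned long long)(paddr + size - 1),
@@ -838,7 +838,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
 !is_new_memtype_allowed(paddr, size, want_pcm, pcm)) {
 free_memtype(paddr, paddr + size);
 pr_err("x86/PAT: %s:%d map pfn expected mapping type %s for [mem %#010Lx-%#010Lx], got %s\n",
- current->comm, current->pid,
+ current->comm, task_pid_nr(current),
 cattr_name(want_pcm),
 (unsigned long long)paddr,
 (unsigned long long)(paddr + size - 1),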
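Review bot: The /dev/mem denial message in range_is_allowed() is still emitted with plain `pr_info`, so a process that keeps retrying a refused range can fill the kernel log and push out other events. Since the line is being rewritten anyway, `pr_info_ratelimited(...)` with the same arguments would bound that. The format also uses `%#010Lx` for the new `cursor` argument; its declaration is outside the hunk, so confirm it is a 64-bit type or add the `(unsigned long long)` cast that the other messages in this file use.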
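--- a/arch/x86/mm/pat_rbtree.c
+++ b/arch/x86/mm/pat_rbtree.c
@@ -161,7 +161,7 @@ success:
 
 failure:
 pr_info("x86/PAT: %s:%d conflicting memory types %Lx-%Lx %s<->%s\n",
- current->comm, current->pid, start, end,
+ current->comm, task_pid_nr(current), start, end,
 cattr_name(found_type), cattr_name(match->type));
 return -EBUSY;
 }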
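--- a/arch/x86/mm/pf_in.c
+++ b/arch/x86/mm/pf_in.c
@@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned long ins_addr)
 int i;
 enum reason_type rv = OTHERS;
 
- p = (unsigned char *)ins_addr;
+ p = (unsigned char *)ktla_ktva(ins_addr);
 p += skip_prefix(p, &prf);
 p += get_opcode(p, &opcode);
 
@@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(unsigned long ins_addr)
 struct prefix_bits prf;
 int i;
 
- p = (unsigned char *)ins_addr;
+ p = (unsigned char *)ktla_ktva(ins_addr);
 p += skip_prefix(p, &prf);
 p += get_opcode(p, &opcode);
 
@@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned long ins_addr)
 struct prefix_bits prf;
 int i;
 
- p = (unsigned char *)ins_addr;
+ p = (unsigned char *)ktla_ktva(ins_addr);
 p += skip_prefix(p, &prf);
 p += get_opcode(p, &opcode);
 
@@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned long ins_addr, struct pt_regs *regs)
 struct prefix_bits prf;
 int i;
 
- p = (unsigned char *)ins_addr;
+ p = (unsigned char *)ktla_ktva(ins_addr);
 p += skip_prefix(p, &prf);
 p += get_opcode(p, &opcode);
 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
@@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned long ins_addr)
 struct prefix_bits prf;
 int i;
 
- p = (unsigned char *)ins_addr;
+ p = (unsigned char *)ktla_ktva(ins_addr);
 p += skip_prefix(p, &prf);
 p += get_opcode(p, &opcode);
 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)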
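Review bot: The same `p = (unsigned char *)ktla_ktva(ins_addr);` conversion is pasted into five functions (get_ins_type, get_ins_reg_width, get_ins_mem_width, get_ins_reg_val, get_ins_imm_val), so a later change to how instruction addresses are translated has to be repeated in each. A single helper, e.g. `static inline unsigned char *ins_ptr(unsigned long ins_addr) { return (unsigned char *)ktla_ktva(ins_addr); }`, carrying a comment that states what translation ktla_ktva() performs, would keep the decoders in step. Each function body continues outside its hunk.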
34684diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
34685index fb0a9dd..72a6e6f 100644
34686--- a/arch/x86/mm/pgtable.c
34687+++ b/arch/x86/mm/pgtable.c
34688@@ -98,10 +98,75 @@ static inline void pgd_list_del(pgd_t *pgd)
34689 list_del(&page->lru);
34690 }
34691
34692-#define UNSHARED_PTRS_PER_PGD \
34693- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
34694+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
34695+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
34696
34697+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src)
34698+{
34699+ unsigned int count = USER_PGD_PTRS;
34700
34701+ if (!pax_user_shadow_base)
34702+ return;
34703+
34704+ while (count--)
34705+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
34706+}
34707+#endif
34708+
34709+#ifdef CONFIG_PAX_PER_CPU_PGD
34710+void __clone_user_pgds(pgd_t *dst, const pgd_t *src)
34711+{
34712+ unsigned int count = USER_PGD_PTRS;
34713+
34714+ while (count--) {
34715+ pgd_t pgd;
34716+
34717+#ifdef CONFIG_X86_64
34718+ pgd = __pgd(pgd_val(*src++) | _PAGE_USER);
34719+#else
34720+ pgd = *src++;
34721+#endif
34722+
34723+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
34724+ pgd = __pgd(pgd_val(pgd) & clone_pgd_mask);
34725+#endif
34726+
34727+ *dst++ = pgd;
34728+ }
34729+
34730+}
34731+#endif
34732+
34733+#ifdef CONFIG_X86_64
34734+#define pxd_t pud_t
34735+#define pyd_t pgd_t
34736+#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
34737+#define pgtable_pxd_page_ctor(page) true
34738+#define pgtable_pxd_page_dtor(page) do {} while (0)
34739+#define pxd_free(mm, pud) pud_free((mm), (pud))
34740+#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
34741+#define pyd_offset(mm, address) pgd_offset((mm), (address))
34742+#define PYD_SIZE PGDIR_SIZE
34743+#define mm_inc_nr_pxds(mm) do {} while (0)
34744+#define mm_dec_nr_pxds(mm) do {} while (0)
34745+#else
34746+#define pxd_t pmd_t
34747+#define pyd_t pud_t
34748+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
34749+#define pgtable_pxd_page_ctor(page) pgtable_pmd_page_ctor(page)
34750+#define pgtable_pxd_page_dtor(page) pgtable_pmd_page_dtor(page)
34751+#define pxd_free(mm, pud) pmd_free((mm), (pud))
34752+#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
34753+#define pyd_offset(mm, address) pud_offset((mm), (address))
34754+#define PYD_SIZE PUD_SIZE
34755+#define mm_inc_nr_pxds(mm) mm_inc_nr_pmds(mm)
34756+#define mm_dec_nr_pxds(mm) mm_dec_nr_pmds(mm)
34757+#endif
34758+
34759+#ifdef CONFIG_PAX_PER_CPU_PGD
34760+static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
34761+static inline void pgd_dtor(pgd_t *pgd) {}
34762+#else
34763 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
34764 {
34765 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
34766@@ -142,6 +207,7 @@ static void pgd_dtor(pgd_t *pgd)
34767 pgd_list_del(pgd);
34768 spin_unlock(&pgd_lock);
34769 }
34770+#endif
34771
34772 /*
34773 * List of all pgd's needed for non-PAE so it can invalidate entries
34774@@ -154,7 +220,7 @@ static void pgd_dtor(pgd_t *pgd)
34775 * -- nyc
34776 */
34777
34778-#ifdef CONFIG_X86_PAE
34779+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
34780 /*
34781 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
34782 * updating the top-level pagetable entries to guarantee the
34783@@ -166,7 +232,7 @@ static void pgd_dtor(pgd_t *pgd)
34784 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
34785 * and initialize the kernel pmds here.
34786 */
34787-#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
34788+#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
34789
34790 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
34791 {
34792@@ -184,46 +250,48 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
34793 */
34794 flush_tlb_mm(mm);
34795 }
34796+#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
34797+#define PREALLOCATED_PXDS USER_PGD_PTRS
34798 #else /* !CONFIG_X86_PAE */
34799
34800 /* No need to prepopulate any pagetable entries in non-PAE modes. */
34801-#define PREALLOCATED_PMDS 0
34802+#define PREALLOCATED_PXDS 0
34803
34804 #endif /* CONFIG_X86_PAE */
34805
34806-static void free_pmds(struct mm_struct *mm, pmd_t *pmds[])
34807+static void free_pxds(struct mm_struct *mm, pxd_t *pxds[])
34808 {
34809 int i;
34810
34811- for(i = 0; i < PREALLOCATED_PMDS; i++)
34812- if (pmds[i]) {
34813- pgtable_pmd_page_dtor(virt_to_page(pmds[i]));
34814- free_page((unsigned long)pmds[i]);
34815- mm_dec_nr_pmds(mm);
34816+ for(i = 0; i < PREALLOCATED_PXDS; i++)
34817+ if (pxds[i]) {
34818+ pgtable_pxd_page_dtor(virt_to_page(pxds[i]));
34819+ free_page((unsigned long)pxds[i]);
34820+ mm_dec_nr_pxds(mm);
34821 }
34822 }
34823
34824-static int preallocate_pmds(struct mm_struct *mm, pmd_t *pmds[])
34825+static int preallocate_pxds(struct mm_struct *mm, pxd_t *pxds[])
34826 {
34827 int i;
34828 bool failed = false;
34829
34830- for(i = 0; i < PREALLOCATED_PMDS; i++) {
34831- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
34832- if (!pmd)
34833+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
34834+ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
34835+ if (!pxd)
34836 failed = true;
34837- if (pmd && !pgtable_pmd_page_ctor(virt_to_page(pmd))) {
34838- free_page((unsigned long)pmd);
34839- pmd = NULL;
34840+ if (pxd && !pgtable_pxd_page_ctor(virt_to_page(pxd))) {
34841+ free_page((unsigned long)pxd);
34842+ pxd = NULL;
34843 failed = true;
34844 }
34845- if (pmd)
34846- mm_inc_nr_pmds(mm);
34847- pmds[i] = pmd;
34848+ if (pxd)
34849+ mm_inc_nr_pxds(mm);
34850+ pxds[i] = pxd;
34851 }
34852
34853 if (failed) {
34854- free_pmds(mm, pmds);
34855+ free_pxds(mm, pxds);
34856 return -ENOMEM;
34857 }
34858
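Review bot: The `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` labels, and the comment "No need to prepopulate any pagetable entries in non-PAE modes", no longer describe the conditional once the `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` branch sits above them. That new branch sets `PREALLOCATED_PXDS` to `USER_PGD_PTRS` with no comment saying which table level is preallocated or why. I would relabel the tail as `#else /* neither PAE nor x86-64 per-CPU PGD */` and add a one-line comment on the new branch. The conditional opens before this hunk.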
34859@@ -236,43 +304,47 @@ static int preallocate_pmds(struct mm_struct *mm, pmd_t *pmds[])
34860 * preallocate which never got a corresponding vma will need to be
34861 * freed manually.
34862 */
34863-static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
34864+static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
34865 {
34866 int i;
34867
34868- for(i = 0; i < PREALLOCATED_PMDS; i++) {
34869+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
34870 pgd_t pgd = pgdp[i];
34871
34872 if (pgd_val(pgd) != 0) {
34873- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
34874+ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
34875
34876- pgdp[i] = native_make_pgd(0);
34877+ set_pgd(pgdp + i, native_make_pgd(0));
34878
34879- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
34880- pmd_free(mm, pmd);
34881- mm_dec_nr_pmds(mm);
34882+ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
34883+ pxd_free(mm, pxd);
34884+ mm_dec_nr_pxds(mm);
34885 }
34886 }
34887 }
34888
34889-static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
34890+static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
34891 {
34892- pud_t *pud;
34893+ pyd_t *pyd;
34894 int i;
34895
34896- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
34897+ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
34898 return;
34899
34900- pud = pud_offset(pgd, 0);
34901+#ifdef CONFIG_X86_64
34902+ pyd = pyd_offset(mm, 0L);
34903+#else
34904+ pyd = pyd_offset(pgd, 0L);
34905+#endif
34906
34907- for (i = 0; i < PREALLOCATED_PMDS; i++, pud++) {
34908- pmd_t *pmd = pmds[i];
34909+ for (i = 0; i < PREALLOCATED_PXDS; i++, pyd++) {
34910+ pxd_t *pxd = pxds[i];
34911
34912 if (i >= KERNEL_PGD_BOUNDARY)
34913- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
34914- sizeof(pmd_t) * PTRS_PER_PMD);
34915+ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
34916+ sizeof(pxd_t) * PTRS_PER_PMD);
34917
34918- pud_populate(mm, pud, pmd);
34919+ pyd_populate(mm, pyd, pxd);
34920 }
34921 }
34922
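Review bot: The `memcpy` in `pgd_prepopulate_pxd` still sizes the copy as `sizeof(pxd_t) * PTRS_PER_PMD` although the element type is now the config-dependent `pxd_t`. The definition of `pxd_t` is outside this hunk; if it maps to a level other than PMD in the x86-64 branch, the length is only right while that level has the same entry count as a PMD table. A `PTRS_PER_PXD` defined next to `pxd_t` and used as `sizeof(pxd_t) * PTRS_PER_PXD` would keep count and type together. The context comment in `pgd_alloc` that still says "pre-populating the pmds" could be updated in the same pass.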
34923@@ -354,7 +426,7 @@ static inline void _pgd_free(pgd_t *pgd)
34924 pgd_t *pgd_alloc(struct mm_struct *mm)
34925 {
34926 pgd_t *pgd;
34927- pmd_t *pmds[PREALLOCATED_PMDS];
34928+ pxd_t *pxds[PREALLOCATED_PXDS];
34929
34930 pgd = _pgd_alloc();
34931
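Review bot: `pxd_t *pxds[PREALLOCATED_PXDS];` is an on-stack array whose length follows `USER_PGD_PTRS` in the `CONFIG_X86_64 && CONFIG_PAX_PER_CPU_PGD` build. The value of `USER_PGD_PTRS` is not visible here, so the kernel-stack cost of `pgd_alloc` in that configuration cannot be judged from the patch. A compile-time bound beside the declaration, for example `BUILD_BUG_ON(sizeof(pxds) > 512);` (the limit shown is a placeholder for whatever the maintainers accept), would document and enforce the assumption. `pgd_alloc` continues outside this hunk.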
34932@@ -363,11 +435,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
34933
34934 mm->pgd = pgd;
34935
34936- if (preallocate_pmds(mm, pmds) != 0)
34937+ if (preallocate_pxds(mm, pxds) != 0)
34938 goto out_free_pgd;
34939
34940 if (paravirt_pgd_alloc(mm) != 0)
34941- goto out_free_pmds;
34942+ goto out_free_pxds;
34943
34944 /*
34945 * Make sure that pre-populating the pmds is atomic with
34946@@ -377,14 +449,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
34947 spin_lock(&pgd_lock);
34948
34949 pgd_ctor(mm, pgd);
34950- pgd_prepopulate_pmd(mm, pgd, pmds);
34951+ pgd_prepopulate_pxd(mm, pgd, pxds);
34952
34953 spin_unlock(&pgd_lock);
34954
34955 return pgd;
34956
34957-out_free_pmds:
34958- free_pmds(mm, pmds);
34959+out_free_pxds:
34960+ free_pxds(mm, pxds);
34961 out_free_pgd:
34962 _pgd_free(pgd);
34963 out:
34964@@ -393,7 +465,7 @@ out:
34965
34966 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
34967 {
34968- pgd_mop_up_pmds(mm, pgd);
34969+ pgd_mop_up_pxds(mm, pgd);
34970 pgd_dtor(pgd);
34971 paravirt_pgd_free(mm, pgd);
34972 _pgd_free(pgd);
34973diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
34974index 90555bf..f5f1828 100644
34975--- a/arch/x86/mm/setup_nx.c
34976+++ b/arch/x86/mm/setup_nx.c
34977@@ -5,8 +5,10 @@
34978 #include <asm/pgtable.h>
34979 #include <asm/proto.h>
34980
34981+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
34982 static int disable_nx;
34983
34984+#ifndef CONFIG_PAX_PAGEEXEC
34985 /*
34986 * noexec = on|off
34987 *
34988@@ -28,12 +30,17 @@ static int __init noexec_setup(char *str)
34989 return 0;
34990 }
34991 early_param("noexec", noexec_setup);
34992+#endif
34993+
34994+#endif
34995
34996 void x86_configure_nx(void)
34997 {
34998+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
34999 if (cpu_has_nx && !disable_nx)
35000 __supported_pte_mask |= _PAGE_NX;
35001 else
35002+#endif
35003 __supported_pte_mask &= ~_PAGE_NX;
35004 }
35005
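Review bot: In `x86_configure_nx` the new `#if`/`#endif` pair wraps `if (...) ... else`, so the final assignment is the `else` arm in one configuration and a standalone statement in the other; a line inserted between `else` and `#endif` would silently change which statement is conditional. Ending the guarded part with an early return is harder to break: `if (cpu_has_nx && !disable_nx) { __supported_pte_mask |= _PAGE_NX; return; }` before `#endif`, with the `else` dropped. Separately, as far as these hunks show, `CONFIG_PAX_PAGEEXEC` compiles out the `noexec=` handler, so `disable_nx` is never written in that build; a comment on its declaration saying so would help.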
35006diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
35007index 90b924a..4197ac2 100644
35008--- a/arch/x86/mm/tlb.c
35009+++ b/arch/x86/mm/tlb.c
35010@@ -45,7 +45,11 @@ void leave_mm(int cpu)
35011 BUG();
35012 if (cpumask_test_cpu(cpu, mm_cpumask(active_mm))) {
35013 cpumask_clear_cpu(cpu, mm_cpumask(active_mm));
35014+
35015+#ifndef CONFIG_PAX_PER_CPU_PGD
35016 load_cr3(swapper_pg_dir);
35017+#endif
35018+
35019 /*
35020 * This gets called in the idle path where RCU
35021 * functions differently. Tracing normally
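Review bot: The `#ifndef CONFIG_PAX_PER_CPU_PGD` around `load_cr3(swapper_pg_dir)` in `leave_mm` has no comment explaining why CR3 may keep its current value in that configuration. Presumably CR3 then points at a per-CPU PGD rather than at the departing mm's own PGD, but the hunk does not show that, nor whether the user-half entries of the per-CPU PGD are cleared when the mm is left. A comment such as `/* per-CPU PGD: CR3 never points at mm->pgd, nothing to switch */` (if that is the invariant) would let a reader check the lazy-TLB path against it. `leave_mm` starts and ends outside this hunk.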
35022diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c
35023new file mode 100644
35024index 0000000..3fda3f3
35025--- /dev/null
35026+++ b/arch/x86/mm/uderef_64.c
35027@@ -0,0 +1,37 @@
35028+#include <linux/mm.h>
35029+#include <asm/pgtable.h>
35030+#include <asm/uaccess.h>
35031+
35032+#ifdef CONFIG_PAX_MEMORY_UDEREF
35033+/* PaX: due to the special call convention these functions must
35034+ * - remain leaf functions under all configurations,
35035+ * - never be called directly, only dereferenced from the wrappers.
35036+ */
35037+void __used __pax_open_userland(void)
35038+{
35039+ unsigned int cpu;
35040+
35041+ if (unlikely(!segment_eq(get_fs(), USER_DS)))
35042+ return;
35043+
35044+ cpu = raw_get_cpu();
35045+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL);
35046+ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
35047+ raw_put_cpu_no_resched();
35048+}
35049+EXPORT_SYMBOL(__pax_open_userland);
35050+
35051+void __used __pax_close_userland(void)
35052+{
35053+ unsigned int cpu;
35054+
35055+ if (unlikely(!segment_eq(get_fs(), USER_DS)))
35056+ return;
35057+
35058+ cpu = raw_get_cpu();
35059+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER);
35060+ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
35061+ raw_put_cpu_no_resched();
35062+}
35063+EXPORT_SYMBOL(__pax_close_userland);
35064+#endif
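Review bot: Both functions write CR3 with `PCID_USER`/`PCID_KERNEL` and `PCID_NOFLUSH` and `BUG_ON` the PCID bits read back from CR3, yet the only guard is `CONFIG_PAX_MEMORY_UDEREF` and the header comment does not list PCID as a precondition. Presumably the wrappers dispatch here only when PCID is in use; that belongs next to the other two rules, e.g. `* - only be reached when PCID is enabled, since CR3 is written with PCID_NOFLUSH,`. The comment should also state that when `get_fs()` is not `USER_DS` the functions return without touching CR3 and without reporting anything to the caller.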
35065diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S
35066index 4093216..44b6b83 100644
35067--- a/arch/x86/net/bpf_jit.S
35068+++ b/arch/x86/net/bpf_jit.S
35069@@ -8,6 +8,7 @@
35070 * of the License.
35071 */
35072 #include <linux/linkage.h>
35073+#include <asm/alternative-asm.h>
35074
35075 /*
35076 * Calling convention :
35077@@ -37,6 +38,7 @@ sk_load_word_positive_offset:
35078 jle bpf_slow_path_word
35079 mov (SKBDATA,%rsi),%eax
35080 bswap %eax /* ntohl() */
35081+ pax_force_retaddr
35082 ret
35083
35084 sk_load_half:
35085@@ -54,6 +56,7 @@ sk_load_half_positive_offset:
35086 jle bpf_slow_path_half
35087 movzwl (SKBDATA,%rsi),%eax
35088 rol $8,%ax # ntohs()
35089+ pax_force_retaddr
35090 ret
35091
35092 sk_load_byte:
35093@@ -68,6 +71,7 @@ sk_load_byte_positive_offset:
35094 cmp %esi,%r9d /* if (offset >= hlen) goto bpf_slow_path_byte */
35095 jle bpf_slow_path_byte
35096 movzbl (SKBDATA,%rsi),%eax
35097+ pax_force_retaddr
35098 ret
35099
35100 /* rsi contains offset and can be scratched */
35101@@ -89,6 +93,7 @@ bpf_slow_path_word:
35102 js bpf_error
35103 mov - MAX_BPF_STACK + 32(%rbp),%eax
35104 bswap %eax
35105+ pax_force_retaddr
35106 ret
35107
35108 bpf_slow_path_half:
35109@@ -97,12 +102,14 @@ bpf_slow_path_half:
35110 mov - MAX_BPF_STACK + 32(%rbp),%ax
35111 rol $8,%ax
35112 movzwl %ax,%eax
35113+ pax_force_retaddr
35114 ret
35115
35116 bpf_slow_path_byte:
35117 bpf_slow_path_common(1)
35118 js bpf_error
35119 movzbl - MAX_BPF_STACK + 32(%rbp),%eax
35120+ pax_force_retaddr
35121 ret
35122
35123 #define sk_negative_common(SIZE) \
35124@@ -125,6 +132,7 @@ sk_load_word_negative_offset:
35125 sk_negative_common(4)
35126 mov (%rax), %eax
35127 bswap %eax
35128+ pax_force_retaddr
35129 ret
35130
35131 bpf_slow_path_half_neg:
35132@@ -136,6 +144,7 @@ sk_load_half_negative_offset:
35133 mov (%rax),%ax
35134 rol $8,%ax
35135 movzwl %ax,%eax
35136+ pax_force_retaddr
35137 ret
35138
35139 bpf_slow_path_byte_neg:
35140@@ -145,6 +154,7 @@ sk_load_byte_negative_offset:
35141 .globl sk_load_byte_negative_offset
35142 sk_negative_common(1)
35143 movzbl (%rax), %eax
35144+ pax_force_retaddr
35145 ret
35146
35147 bpf_error:
35148@@ -155,4 +165,5 @@ bpf_error:
35149 mov - MAX_BPF_STACK + 16(%rbp),%r14
35150 mov - MAX_BPF_STACK + 24(%rbp),%r15
35151 leaveq
35152+ pax_force_retaddr
35153 ret
35154diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
35155index be2e7a2..e6960dd 100644
35156--- a/arch/x86/net/bpf_jit_comp.c
35157+++ b/arch/x86/net/bpf_jit_comp.c
35158@@ -14,7 +14,11 @@
35159 #include <asm/cacheflush.h>
35160 #include <linux/bpf.h>
35161
35162+#ifdef CONFIG_GRKERNSEC_BPF_HARDEN
35163+int bpf_jit_enable __read_only;
35164+#else
35165 int bpf_jit_enable __read_mostly;
35166+#endif
35167
35168 /*
35169 * assembly code in arch/x86/net/bpf_jit.S
35170@@ -176,7 +180,9 @@ static u8 add_2reg(u8 byte, u32 dst_reg, u32 src_reg)
35171 static void jit_fill_hole(void *area, unsigned int size)
35172 {
35173 /* fill whole space with int3 instructions */
35174+ pax_open_kernel();
35175 memset(area, 0xcc, size);
35176+ pax_close_kernel();
35177 }
35178
35179 struct jit_context {
35180@@ -1026,7 +1032,9 @@ common_load:
35181 pr_err("bpf_jit_compile fatal error\n");
35182 return -EFAULT;
35183 }
35184+ pax_open_kernel();
35185 memcpy(image + proglen, temp, ilen);
35186+ pax_close_kernel();
35187 }
35188 proglen += ilen;
35189 addrs[i] = proglen;
35190@@ -1103,7 +1111,6 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
35191
35192 if (image) {
35193 bpf_flush_icache(header, image + proglen);
35194- set_memory_ro((unsigned long)header, header->pages);
35195 prog->bpf_func = (void *)image;
35196 prog->jited = true;
35197 }
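Review bot: Dropping `set_memory_ro((unsigned long)header, header->pages)` here, and the matching `set_memory_rw` in the `bpf_jit_free` hunk below, is unconditional, while the `pax_open_kernel()`/`pax_close_kernel()` pairs added around the image writes suggest the image is expected to be read-only from allocation. Whether that holds when the PaX kernel write protection is configured off is not visible in these hunks; if the allocation is writable there, the JIT image would stay writable and executable after compilation. Keeping the call for that case, `#ifndef CONFIG_PAX_KERNEXEC` / `set_memory_ro((unsigned long)header, header->pages);` / `#endif` (with the `set_memory_rw` in `bpf_jit_free` kept under the same guard), or a comment naming the allocator that guarantees read-only pages, would settle it. `bpf_int_jit_compile` starts and ends outside this hunk.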
35198@@ -1116,12 +1123,8 @@ void bpf_jit_free(struct bpf_prog *fp)
35199 unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
35200 struct bpf_binary_header *header = (void *)addr;
35201
35202- if (!fp->jited)
35203- goto free_filter;
35204+ if (fp->jited)
35205+ bpf_jit_binary_free(header);
35206
35207- set_memory_rw(addr, header->pages);
35208- bpf_jit_binary_free(header);
35209-
35210-free_filter:
35211 bpf_prog_unlock_free(fp);
35212 }
35213diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c
35214index 4e664bd..2beeaa2 100644
35215--- a/arch/x86/oprofile/backtrace.c
35216+++ b/arch/x86/oprofile/backtrace.c
35217@@ -46,11 +46,11 @@ dump_user_backtrace_32(struct stack_frame_ia32 *head)
35218 struct stack_frame_ia32 *fp;
35219 unsigned long bytes;
35220
35221- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
35222+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
35223 if (bytes != 0)
35224 return NULL;
35225
35226- fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
35227+ fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
35228
35229 oprofile_add_trace(bufhead[0].return_address);
35230
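Review bot: The `__force_kernel` cast on `compat_ptr(bufhead[0].next_frame)` labels an address read out of a user stack frame as a kernel pointer, and `(const char __force_user *)head` then relabels a pointer of the same type as a user address for `copy_from_user_nmi` (also in the `dump_user_backtrace` hunk below). The casts quiet the address-space checker without the declared types ever saying that `head` and `fp` hold user addresses. Declaring them as `struct stack_frame_ia32 __user *` would need no forced casts and keeps the checker useful if someone later dereferences `fp` directly. `dump_user_backtrace_32` starts and ends outside this hunk.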
35231@@ -92,7 +92,7 @@ static struct stack_frame *dump_user_backtrace(struct stack_frame *head)
35232 struct stack_frame bufhead[2];
35233 unsigned long bytes;
35234
35235- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
35236+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
35237 if (bytes != 0)
35238 return NULL;
35239
35240diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c
35241index 1d2e639..f6ef82a 100644
35242--- a/arch/x86/oprofile/nmi_int.c
35243+++ b/arch/x86/oprofile/nmi_int.c
35244@@ -23,6 +23,7 @@
35245 #include <asm/nmi.h>
35246 #include <asm/msr.h>
35247 #include <asm/apic.h>
35248+#include <asm/pgtable.h>
35249
35250 #include "op_counter.h"
35251 #include "op_x86_model.h"
35252@@ -785,8 +786,11 @@ int __init op_nmi_init(struct oprofile_operations *ops)
35253 if (ret)
35254 return ret;
35255
35256- if (!model->num_virt_counters)
35257- model->num_virt_counters = model->num_counters;
35258+ if (!model->num_virt_counters) {
35259+ pax_open_kernel();
35260+ *(unsigned int *)&model->num_virt_counters = model->num_counters;
35261+ pax_close_kernel();
35262+ }
35263
35264 mux_init(ops);
35265
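Review bot: `*(unsigned int *)&model->num_virt_counters = ...` hard-codes the field's type in the cast that strips the constness presumably introduced by `__do_const`; the same pattern is used for `num_counters` and `num_controls` in the `op_model_amd.c` and `op_model_ppro.c` hunks. If a field's type ever changes, the write through the cast silently uses the wrong width while the kernel is open for writing. A `BUILD_BUG_ON(sizeof(model->num_virt_counters) != sizeof(unsigned int));` beside each write would catch that at build time. `op_nmi_init` starts and ends outside this hunk.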
35266diff --git a/arch/x86/oprofile/op_model_amd.c b/arch/x86/oprofile/op_model_amd.c
35267index 50d86c0..7985318 100644
35268--- a/arch/x86/oprofile/op_model_amd.c
35269+++ b/arch/x86/oprofile/op_model_amd.c
35270@@ -519,9 +519,11 @@ static int op_amd_init(struct oprofile_operations *ops)
35271 num_counters = AMD64_NUM_COUNTERS;
35272 }
35273
35274- op_amd_spec.num_counters = num_counters;
35275- op_amd_spec.num_controls = num_counters;
35276- op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS);
35277+ pax_open_kernel();
35278+ *(unsigned int *)&op_amd_spec.num_counters = num_counters;
35279+ *(unsigned int *)&op_amd_spec.num_controls = num_counters;
35280+ *(unsigned int *)&op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS);
35281+ pax_close_kernel();
35282
35283 return 0;
35284 }
35285diff --git a/arch/x86/oprofile/op_model_ppro.c b/arch/x86/oprofile/op_model_ppro.c
35286index d90528e..0127e2b 100644
35287--- a/arch/x86/oprofile/op_model_ppro.c
35288+++ b/arch/x86/oprofile/op_model_ppro.c
35289@@ -19,6 +19,7 @@
35290 #include <asm/msr.h>
35291 #include <asm/apic.h>
35292 #include <asm/nmi.h>
35293+#include <asm/pgtable.h>
35294
35295 #include "op_x86_model.h"
35296 #include "op_counter.h"
35297@@ -221,8 +222,10 @@ static void arch_perfmon_setup_counters(void)
35298
35299 num_counters = min((int)eax.split.num_counters, OP_MAX_COUNTER);
35300
35301- op_arch_perfmon_spec.num_counters = num_counters;
35302- op_arch_perfmon_spec.num_controls = num_counters;
35303+ pax_open_kernel();
35304+ *(unsigned int *)&op_arch_perfmon_spec.num_counters = num_counters;
35305+ *(unsigned int *)&op_arch_perfmon_spec.num_controls = num_counters;
35306+ pax_close_kernel();
35307 }
35308
35309 static int arch_perfmon_init(struct oprofile_operations *ignore)
35310diff --git a/arch/x86/oprofile/op_x86_model.h b/arch/x86/oprofile/op_x86_model.h
35311index 71e8a67..6a313bb 100644
35312--- a/arch/x86/oprofile/op_x86_model.h
35313+++ b/arch/x86/oprofile/op_x86_model.h
35314@@ -52,7 +52,7 @@ struct op_x86_model_spec {
35315 void (*switch_ctrl)(struct op_x86_model_spec const *model,
35316 struct op_msrs const * const msrs);
35317 #endif
35318-};
35319+} __do_const;
35320
35321 struct op_counter_config;
35322
35323diff --git a/arch/x86/pci/intel_mid_pci.c b/arch/x86/pci/intel_mid_pci.c
35324index 2706230..74b4d9f 100644
35325--- a/arch/x86/pci/intel_mid_pci.c
35326+++ b/arch/x86/pci/intel_mid_pci.c
35327@@ -258,7 +258,7 @@ int __init intel_mid_pci_init(void)
35328 pci_mmcfg_late_init();
35329 pcibios_enable_irq = intel_mid_pci_irq_enable;
35330 pcibios_disable_irq = intel_mid_pci_irq_disable;
35331- pci_root_ops = intel_mid_pci_ops;
35332+ memcpy((void *)&pci_root_ops, &intel_mid_pci_ops, sizeof pci_root_ops);
35333 pci_soc_mode = 1;
35334 /* Continue with standard init */
35335 return 1;
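Review bot: The `memcpy((void *)&pci_root_ops, &intel_mid_pci_ops, sizeof pci_root_ops)` casts away the qualifier on `pci_root_ops` but, unlike the oprofile hunks in this patch that write to constified objects, is not bracketed by `pax_open_kernel()`/`pax_close_kernel()`. Whether `pci_root_ops` is already write-protected when `intel_mid_pci_init` runs is not visible here; if it is, this write faults at boot. Either add the bracket or a comment stating why the object is still writable at this point in init.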
35336diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
35337index 9bd1154..e9d4656 100644
35338--- a/arch/x86/pci/irq.c
35339+++ b/arch/x86/pci/irq.c
35340@@ -51,7 +51,7 @@ struct irq_router {
35341 struct irq_router_handler {
35342 u16 vendor;
35343 int (*probe)(struct irq_router *r, struct pci_dev *router, u16 device);
35344-};
35345+} __do_const;
35346
35347 int (*pcibios_enable_irq)(struct pci_dev *dev) = pirq_enable_irq;
35348 void (*pcibios_disable_irq)(struct pci_dev *dev) = pirq_disable_irq;
35349@@ -792,7 +792,7 @@ static __init int pico_router_probe(struct irq_router *r, struct pci_dev *router
35350 return 0;
35351 }
35352
35353-static __initdata struct irq_router_handler pirq_routers[] = {
35354+static __initconst const struct irq_router_handler pirq_routers[] = {
35355 { PCI_VENDOR_ID_INTEL, intel_router_probe },
35356 { PCI_VENDOR_ID_AL, ali_router_probe },
35357 { PCI_VENDOR_ID_ITE, ite_router_probe },
35358@@ -819,7 +819,7 @@ static struct pci_dev *pirq_router_dev;
35359 static void __init pirq_find_router(struct irq_router *r)
35360 {
35361 struct irq_routing_table *rt = pirq_table;
35362- struct irq_router_handler *h;
35363+ const struct irq_router_handler *h;
35364
35365 #ifdef CONFIG_PCI_BIOS
35366 if (!rt->signature) {
35367@@ -1092,7 +1092,7 @@ static int __init fix_acer_tm360_irqrouting(const struct dmi_system_id *d)
35368 return 0;
35369 }
35370
35371-static struct dmi_system_id __initdata pciirq_dmi_table[] = {
35372+static const struct dmi_system_id __initconst pciirq_dmi_table[] = {
35373 {
35374 .callback = fix_broken_hp_bios_irq9,
35375 .ident = "HP Pavilion N5400 Series Laptop",
35376diff --git a/arch/x86/pci/pcbios.c b/arch/x86/pci/pcbios.c
35377index 9b83b90..2c256c5 100644
35378--- a/arch/x86/pci/pcbios.c
35379+++ b/arch/x86/pci/pcbios.c
35380@@ -79,7 +79,7 @@ union bios32 {
35381 static struct {
35382 unsigned long address;
35383 unsigned short segment;
35384-} bios32_indirect __initdata = { 0, __KERNEL_CS };
35385+} bios32_indirect __initdata = { 0, __PCIBIOS_CS };
35386
35387 /*
35388 * Returns the entry point for the given service, NULL on error
35389@@ -92,37 +92,80 @@ static unsigned long __init bios32_service(unsigned long service)
35390 unsigned long length; /* %ecx */
35391 unsigned long entry; /* %edx */
35392 unsigned long flags;
35393+ struct desc_struct d, *gdt;
35394
35395 local_irq_save(flags);
35396- __asm__("lcall *(%%edi); cld"
35397+
35398+ gdt = get_cpu_gdt_table(smp_processor_id());
35399+
35400+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
35401+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
35402+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
35403+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
35404+
35405+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
35406 : "=a" (return_code),
35407 "=b" (address),
35408 "=c" (length),
35409 "=d" (entry)
35410 : "0" (service),
35411 "1" (0),
35412- "D" (&bios32_indirect));
35413+ "D" (&bios32_indirect),
35414+ "r"(__PCIBIOS_DS)
35415+ : "memory");
35416+
35417+ pax_open_kernel();
35418+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
35419+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
35420+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
35421+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
35422+ pax_close_kernel();
35423+
35424 local_irq_restore(flags);
35425
35426 switch (return_code) {
35427- case 0:
35428- return address + entry;
35429- case 0x80: /* Not present */
35430- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
35431- return 0;
35432- default: /* Shouldn't happen */
35433- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
35434- service, return_code);
35435+ case 0: {
35436+ int cpu;
35437+ unsigned char flags;
35438+
35439+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
35440+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
35441+ printk(KERN_WARNING "bios32_service: not valid\n");
35442 return 0;
35443+ }
35444+ address = address + PAGE_OFFSET;
35445+ length += 16UL; /* some BIOSs underreport this... */
35446+ flags = 4;
35447+ if (length >= 64*1024*1024) {
35448+ length >>= PAGE_SHIFT;
35449+ flags |= 8;
35450+ }
35451+
35452+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
35453+ gdt = get_cpu_gdt_table(cpu);
35454+ pack_descriptor(&d, address, length, 0x9b, flags);
35455+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
35456+ pack_descriptor(&d, address, length, 0x93, flags);
35457+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
35458+ }
35459+ return entry;
35460+ }
35461+ case 0x80: /* Not present */
35462+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
35463+ return 0;
35464+ default: /* Shouldn't happen */
35465+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
35466+ service, return_code);
35467+ return 0;
35468 }
35469 }
35470
35471 static struct {
35472 unsigned long address;
35473 unsigned short segment;
35474-} pci_indirect = { 0, __KERNEL_CS };
35475+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
35476
35477-static int pci_bios_present;
35478+static int pci_bios_present __read_only;
35479
35480 static int __init check_pcibios(void)
35481 {
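Review bot: In the `case 0:` block of `bios32_service` the `if (length >= 64*1024*1024)` branch cannot be taken, because the check just above rejects any `length` larger than `0x100000 - address` and only 16 is added afterwards. The block also declares `unsigned char flags`, which shadows the `unsigned long flags` used for `local_irq_save()`/`local_irq_restore()` earlier in the function. I would drop the dead granularity branch (or move the bound if larger services are meant to be accepted) and rename the inner variable, e.g. `unsigned char desc_flags = 4;`. `length += 16UL` also widens the segment limit past the range that was just validated, so the comment should give the reason for the value 16. The function starts outside this hunk.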
35482@@ -131,11 +174,13 @@ static int __init check_pcibios(void)
35483 unsigned long flags, pcibios_entry;
35484
35485 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
35486- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
35487+ pci_indirect.address = pcibios_entry;
35488
35489 local_irq_save(flags);
35490- __asm__(
35491- "lcall *(%%edi); cld\n\t"
35492+ __asm__("movw %w6, %%ds\n\t"
35493+ "lcall *%%ss:(%%edi); cld\n\t"
35494+ "push %%ss\n\t"
35495+ "pop %%ds\n\t"
35496 "jc 1f\n\t"
35497 "xor %%ah, %%ah\n"
35498 "1:"
35499@@ -144,7 +189,8 @@ static int __init check_pcibios(void)
35500 "=b" (ebx),
35501 "=c" (ecx)
35502 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
35503- "D" (&pci_indirect)
35504+ "D" (&pci_indirect),
35505+ "r" (__PCIBIOS_DS)
35506 : "memory");
35507 local_irq_restore(flags);
35508
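Review bot: The added `movw %w6, %%ds` refers to `__PCIBIOS_DS` by position, so it has to stay in step with the operand list extended in this hunk; other asm blocks in the file use `%w8` and `%w5` for the same value. A named operand removes that coupling: `"movw %w[pds], %%ds\n\t"` in the template and `[pds] "r" (__PCIBIOS_DS)` in the input list. The DS switch and its `push %%ss` / `pop %%ds` restore are also pasted into every PCI BIOS call site; a single string macro for the sequence would ensure a future call site cannot omit the restore. `check_pcibios` starts and ends outside this hunk.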
35509@@ -189,7 +235,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35510
35511 switch (len) {
35512 case 1:
35513- __asm__("lcall *(%%esi); cld\n\t"
35514+ __asm__("movw %w6, %%ds\n\t"
35515+ "lcall *%%ss:(%%esi); cld\n\t"
35516+ "push %%ss\n\t"
35517+ "pop %%ds\n\t"
35518 "jc 1f\n\t"
35519 "xor %%ah, %%ah\n"
35520 "1:"
35521@@ -198,7 +247,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35522 : "1" (PCIBIOS_READ_CONFIG_BYTE),
35523 "b" (bx),
35524 "D" ((long)reg),
35525- "S" (&pci_indirect));
35526+ "S" (&pci_indirect),
35527+ "r" (__PCIBIOS_DS));
35528 /*
35529 * Zero-extend the result beyond 8 bits, do not trust the
35530 * BIOS having done it:
35531@@ -206,7 +256,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35532 *value &= 0xff;
35533 break;
35534 case 2:
35535- __asm__("lcall *(%%esi); cld\n\t"
35536+ __asm__("movw %w6, %%ds\n\t"
35537+ "lcall *%%ss:(%%esi); cld\n\t"
35538+ "push %%ss\n\t"
35539+ "pop %%ds\n\t"
35540 "jc 1f\n\t"
35541 "xor %%ah, %%ah\n"
35542 "1:"
35543@@ -215,7 +268,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35544 : "1" (PCIBIOS_READ_CONFIG_WORD),
35545 "b" (bx),
35546 "D" ((long)reg),
35547- "S" (&pci_indirect));
35548+ "S" (&pci_indirect),
35549+ "r" (__PCIBIOS_DS));
35550 /*
35551 * Zero-extend the result beyond 16 bits, do not trust the
35552 * BIOS having done it:
35553@@ -223,7 +277,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35554 *value &= 0xffff;
35555 break;
35556 case 4:
35557- __asm__("lcall *(%%esi); cld\n\t"
35558+ __asm__("movw %w6, %%ds\n\t"
35559+ "lcall *%%ss:(%%esi); cld\n\t"
35560+ "push %%ss\n\t"
35561+ "pop %%ds\n\t"
35562 "jc 1f\n\t"
35563 "xor %%ah, %%ah\n"
35564 "1:"
35565@@ -232,7 +289,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35566 : "1" (PCIBIOS_READ_CONFIG_DWORD),
35567 "b" (bx),
35568 "D" ((long)reg),
35569- "S" (&pci_indirect));
35570+ "S" (&pci_indirect),
35571+ "r" (__PCIBIOS_DS));
35572 break;
35573 }
35574
35575@@ -256,7 +314,10 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35576
35577 switch (len) {
35578 case 1:
35579- __asm__("lcall *(%%esi); cld\n\t"
35580+ __asm__("movw %w6, %%ds\n\t"
35581+ "lcall *%%ss:(%%esi); cld\n\t"
35582+ "push %%ss\n\t"
35583+ "pop %%ds\n\t"
35584 "jc 1f\n\t"
35585 "xor %%ah, %%ah\n"
35586 "1:"
35587@@ -265,10 +326,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35588 "c" (value),
35589 "b" (bx),
35590 "D" ((long)reg),
35591- "S" (&pci_indirect));
35592+ "S" (&pci_indirect),
35593+ "r" (__PCIBIOS_DS));
35594 break;
35595 case 2:
35596- __asm__("lcall *(%%esi); cld\n\t"
35597+ __asm__("movw %w6, %%ds\n\t"
35598+ "lcall *%%ss:(%%esi); cld\n\t"
35599+ "push %%ss\n\t"
35600+ "pop %%ds\n\t"
35601 "jc 1f\n\t"
35602 "xor %%ah, %%ah\n"
35603 "1:"
35604@@ -277,10 +342,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35605 "c" (value),
35606 "b" (bx),
35607 "D" ((long)reg),
35608- "S" (&pci_indirect));
35609+ "S" (&pci_indirect),
35610+ "r" (__PCIBIOS_DS));
35611 break;
35612 case 4:
35613- __asm__("lcall *(%%esi); cld\n\t"
35614+ __asm__("movw %w6, %%ds\n\t"
35615+ "lcall *%%ss:(%%esi); cld\n\t"
35616+ "push %%ss\n\t"
35617+ "pop %%ds\n\t"
35618 "jc 1f\n\t"
35619 "xor %%ah, %%ah\n"
35620 "1:"
35621@@ -289,7 +358,8 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35622 "c" (value),
35623 "b" (bx),
35624 "D" ((long)reg),
35625- "S" (&pci_indirect));
35626+ "S" (&pci_indirect),
35627+ "r" (__PCIBIOS_DS));
35628 break;
35629 }
35630
35631@@ -394,10 +464,13 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void)
35632
35633 DBG("PCI: Fetching IRQ routing table... ");
35634 __asm__("push %%es\n\t"
35635+ "movw %w8, %%ds\n\t"
35636 "push %%ds\n\t"
35637 "pop %%es\n\t"
35638- "lcall *(%%esi); cld\n\t"
35639+ "lcall *%%ss:(%%esi); cld\n\t"
35640 "pop %%es\n\t"
35641+ "push %%ss\n\t"
35642+ "pop %%ds\n"
35643 "jc 1f\n\t"
35644 "xor %%ah, %%ah\n"
35645 "1:"
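Review bot: In `pcibios_get_irq_routing_table` the new `movw %w8, %%ds` comes before `push %%ds` / `pop %%es`, so ES is now loaded with the PCI BIOS data selector while EDI still carries the flat kernel address `(long) &opt`. If `__PCIBIOS_DS` selects the descriptor that `bios32_service` programs with base `address` and limit `length`, ES:EDI no longer refers to `opt` during the call. This is worth confirming on a machine that takes this path; if the buffer is meant to be addressed through the flat kernel segment, ES should be loaded before DS is switched. The asm statement and its function continue outside this hunk.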
35646@@ -408,7 +481,8 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void)
35647 "1" (0),
35648 "D" ((long) &opt),
35649 "S" (&pci_indirect),
35650- "m" (opt)
35651+ "m" (opt),
35652+ "r" (__PCIBIOS_DS)
35653 : "memory");
35654 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
35655 if (ret & 0xff00)
35656@@ -432,7 +506,10 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq)
35657 {
35658 int ret;
35659
35660- __asm__("lcall *(%%esi); cld\n\t"
35661+ __asm__("movw %w5, %%ds\n\t"
35662+ "lcall *%%ss:(%%esi); cld\n\t"
35663+ "push %%ss\n\t"
35664+ "pop %%ds\n"
35665 "jc 1f\n\t"
35666 "xor %%ah, %%ah\n"
35667 "1:"
35668@@ -440,7 +517,8 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq)
35669 : "0" (PCIBIOS_SET_PCI_HW_INT),
35670 "b" ((dev->bus->number << 8) | dev->devfn),
35671 "c" ((irq << 8) | (pin + 10)),
35672- "S" (&pci_indirect));
35673+ "S" (&pci_indirect),
35674+ "r" (__PCIBIOS_DS));
35675 return !(ret & 0xff00);
35676 }
35677 EXPORT_SYMBOL(pcibios_set_irq_routing);
35678diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
35679index ed5b673..24d2d53 100644
35680--- a/arch/x86/platform/efi/efi_32.c
35681+++ b/arch/x86/platform/efi/efi_32.c
35682@@ -61,11 +61,27 @@ pgd_t * __init efi_call_phys_prolog(void)
35683 struct desc_ptr gdt_descr;
35684 pgd_t *save_pgd;
35685
35686+#ifdef CONFIG_PAX_KERNEXEC
35687+ struct desc_struct d;
35688+#endif
35689+
35690 /* Current pgd is swapper_pg_dir, we'll restore it later: */
35691+#ifdef CONFIG_PAX_PER_CPU_PGD
35692+ save_pgd = get_cpu_pgd(smp_processor_id(), kernel);
35693+#else
35694 save_pgd = swapper_pg_dir;
35695+#endif
35696+
35697 load_cr3(initial_page_table);
35698 __flush_tlb_all();
35699
35700+#ifdef CONFIG_PAX_KERNEXEC
35701+ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
35702+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
35703+ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
35704+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
35705+#endif
35706+
35707 gdt_descr.address = __pa(get_cpu_gdt_table(0));
35708 gdt_descr.size = GDT_SIZE - 1;
35709 load_gdt(&gdt_descr);
35710@@ -77,6 +93,14 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd)
35711 {
35712 struct desc_ptr gdt_descr;
35713
35714+#ifdef CONFIG_PAX_KERNEXEC
35715+ struct desc_struct d;
35716+
35717+ memset(&d, 0, sizeof d);
35718+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
35719+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
35720+#endif
35721+
35722 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
35723 gdt_descr.size = GDT_SIZE - 1;
35724 load_gdt(&gdt_descr);
35725diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
35726index a0ac0f9..f41d324 100644
35727--- a/arch/x86/platform/efi/efi_64.c
35728+++ b/arch/x86/platform/efi/efi_64.c
35729@@ -96,6 +96,11 @@ pgd_t * __init efi_call_phys_prolog(void)
35730 vaddress = (unsigned long)__va(pgd * PGDIR_SIZE);
35731 set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress));
35732 }
35733+
35734+#ifdef CONFIG_PAX_PER_CPU_PGD
35735+ load_cr3(swapper_pg_dir);
35736+#endif
35737+
35738 __flush_tlb_all();
35739
35740 return save_pgd;
35741@@ -119,6 +124,10 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd)
35742
35743 kfree(save_pgd);
35744
35745+#ifdef CONFIG_PAX_PER_CPU_PGD
35746+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
35747+#endif
35748+
35749 __flush_tlb_all();
35750 early_code_mapping_set_exec(0);
35751 }
35752@@ -148,8 +157,23 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
35753 unsigned npages;
35754 pgd_t *pgd;
35755
35756- if (efi_enabled(EFI_OLD_MEMMAP))
35757+ if (efi_enabled(EFI_OLD_MEMMAP)) {
35758+ /* PaX: We need to disable the NX bit in the PGD, otherwise we won't be
35759+ * able to execute the EFI services.
35760+ */
35761+ if (__supported_pte_mask & _PAGE_NX) {
35762+ unsigned long addr = (unsigned long) __va(0);
35763+ pgd_t pe = __pgd(pgd_val(*pgd_offset_k(addr)) & ~_PAGE_NX);
35764+
35765+ pr_alert("PAX: Disabling NX protection for low memory map. Try booting without \"efi=old_map\"\n");
35766+#ifdef CONFIG_PAX_PER_CPU_PGD
35767+ set_pgd(pgd_offset_cpu(0, kernel, addr), pe);
35768+#endif
35769+ set_pgd(pgd_offset_k(addr), pe);
35770+ }
35771+
35772 return 0;
35773+ }
35774
35775 efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd;
35776 pgd = __va(efi_scratch.efi_pgt);
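Review bot: The new `efi=old_map` branch in `efi_setup_page_tables` clears `_PAGE_NX` on the PGD entry that covers `__va(0)`, removing the PGD-level NX restriction for everything mapped under that entry, and nothing in this hunk sets it back once the EFI calls are done. The `pr_alert` is the only trace, so operators have to rely on that log line to know a boot ran with the weaker mapping. Under `CONFIG_PAX_PER_CPU_PGD` only CPU 0's kernel PGD is updated through `pgd_offset_cpu(0, kernel, addr)`; whether other CPUs' PGDs are derived from it later is not visible here. I would add a comment stating where NX is re-applied (or that it never is) and which PGDs need the change. The function continues outside this hunk.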
35777diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S
35778index 040192b..7d3300f 100644
35779--- a/arch/x86/platform/efi/efi_stub_32.S
35780+++ b/arch/x86/platform/efi/efi_stub_32.S
35781@@ -6,7 +6,9 @@
35782 */
35783
35784 #include <linux/linkage.h>
35785+#include <linux/init.h>
35786 #include <asm/page_types.h>
35787+#include <asm/segment.h>
35788
35789 /*
35790 * efi_call_phys(void *, ...) is a function with variable parameters.
35791@@ -20,7 +22,7 @@
35792 * service functions will comply with gcc calling convention, too.
35793 */
35794
35795-.text
35796+__INIT
35797 ENTRY(efi_call_phys)
35798 /*
35799 * 0. The function can only be called in Linux kernel. So CS has been
35800@@ -36,10 +38,24 @@ ENTRY(efi_call_phys)
35801 * The mapping of lower virtual memory has been created in prolog and
35802 * epilog.
35803 */
35804- movl $1f, %edx
35805- subl $__PAGE_OFFSET, %edx
35806- jmp *%edx
35807+#ifdef CONFIG_PAX_KERNEXEC
35808+ movl $(__KERNEXEC_EFI_DS), %edx
35809+ mov %edx, %ds
35810+ mov %edx, %es
35811+ mov %edx, %ss
35812+ addl $2f,(1f)
35813+ ljmp *(1f)
35814+
35815+__INITDATA
35816+1: .long __LOAD_PHYSICAL_ADDR, __KERNEXEC_EFI_CS
35817+.previous
35818+
35819+2:
35820+ subl $2b,(1b)
35821+#else
35822+ jmp 1f-__PAGE_OFFSET
35823 1:
35824+#endif
35825
35826 /*
35827 * 2. Now on the top of stack is the return
35828@@ -47,14 +63,8 @@ ENTRY(efi_call_phys)
35829 * parameter 2, ..., param n. To make things easy, we save the return
35830 * address of efi_call_phys in a global variable.
35831 */
35832- popl %edx
35833- movl %edx, saved_return_addr
35834- /* get the function pointer into ECX*/
35835- popl %ecx
35836- movl %ecx, efi_rt_function_ptr
35837- movl $2f, %edx
35838- subl $__PAGE_OFFSET, %edx
35839- pushl %edx
35840+ popl (saved_return_addr)
35841+ popl (efi_rt_function_ptr)
35842
35843 /*
35844 * 3. Clear PG bit in %CR0.
35845@@ -73,9 +83,8 @@ ENTRY(efi_call_phys)
35846 /*
35847 * 5. Call the physical function.
35848 */
35849- jmp *%ecx
35850+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
35851
35852-2:
35853 /*
35854 * 6. After EFI runtime service returns, control will return to
35855 * following instruction. We'd better readjust stack pointer first.
35856@@ -88,35 +97,36 @@ ENTRY(efi_call_phys)
35857 movl %cr0, %edx
35858 orl $0x80000000, %edx
35859 movl %edx, %cr0
35860- jmp 1f
35861-1:
35862+
35863 /*
35864 * 8. Now restore the virtual mode from flat mode by
35865 * adding EIP with PAGE_OFFSET.
35866 */
35867- movl $1f, %edx
35868- jmp *%edx
35869+#ifdef CONFIG_PAX_KERNEXEC
35870+ movl $(__KERNEL_DS), %edx
35871+ mov %edx, %ds
35872+ mov %edx, %es
35873+ mov %edx, %ss
35874+ ljmp $(__KERNEL_CS),$1f
35875+#else
35876+ jmp 1f+__PAGE_OFFSET
35877+#endif
35878 1:
35879
35880 /*
35881 * 9. Balance the stack. And because EAX contain the return value,
35882 * we'd better not clobber it.
35883 */
35884- leal efi_rt_function_ptr, %edx
35885- movl (%edx), %ecx
35886- pushl %ecx
35887+ pushl (efi_rt_function_ptr)
35888
35889 /*
35890- * 10. Push the saved return address onto the stack and return.
35891+ * 10. Return to the saved return address.
35892 */
35893- leal saved_return_addr, %edx
35894- movl (%edx), %ecx
35895- pushl %ecx
35896- ret
35897+ jmpl *(saved_return_addr)
35898 ENDPROC(efi_call_phys)
35899 .previous
35900
35901-.data
35902+__INITDATA
35903 saved_return_addr:
35904 .long 0
35905 efi_rt_function_ptr:
35906diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S
35907index 86d0f9e..6d499f4 100644
35908--- a/arch/x86/platform/efi/efi_stub_64.S
35909+++ b/arch/x86/platform/efi/efi_stub_64.S
35910@@ -11,6 +11,7 @@
35911 #include <asm/msr.h>
35912 #include <asm/processor-flags.h>
35913 #include <asm/page_types.h>
35914+#include <asm/alternative-asm.h>
35915
35916 #define SAVE_XMM \
35917 mov %rsp, %rax; \
35918@@ -88,6 +89,7 @@ ENTRY(efi_call)
35919 RESTORE_PGT
35920 addq $48, %rsp
35921 RESTORE_XMM
35922+ pax_force_retaddr 0, 1
35923 ret
35924 ENDPROC(efi_call)
35925
35926diff --git a/arch/x86/platform/intel-mid/intel-mid.c b/arch/x86/platform/intel-mid/intel-mid.c
35927index 01d54ea..ba1d71c 100644
35928--- a/arch/x86/platform/intel-mid/intel-mid.c
35929+++ b/arch/x86/platform/intel-mid/intel-mid.c
35930@@ -63,7 +63,7 @@ enum intel_mid_timer_options intel_mid_timer_options;
35931 /* intel_mid_ops to store sub arch ops */
35932 struct intel_mid_ops *intel_mid_ops;
35933 /* getter function for sub arch ops*/
35934-static void *(*get_intel_mid_ops[])(void) = INTEL_MID_OPS_INIT;
35935+static const void *(*get_intel_mid_ops[])(void) = INTEL_MID_OPS_INIT;
35936 enum intel_mid_cpu_type __intel_mid_cpu_chip;
35937 EXPORT_SYMBOL_GPL(__intel_mid_cpu_chip);
35938
35939@@ -71,9 +71,10 @@ static void intel_mid_power_off(void)
35940 {
35941 };
35942
35943-static void intel_mid_reboot(void)
35944+static void __noreturn intel_mid_reboot(void)
35945 {
35946 intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0);
35947+ BUG();
35948 }
35949
35950 static unsigned long __init intel_mid_calibrate_tsc(void)
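Review bot: `intel_mid_reboot()` now discards the result of `intel_scu_ipc_simple_command()` and falls straight into `BUG()`, so a rejected cold-boot request produces an oops with no record of why. Whether the call can also return after a successful request, before the reset takes effect, is not visible here; if it can, the `BUG()` fires on the normal path too. I would keep the status and log it first, e.g. `int ret = intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0);` followed by `pr_emerg("cold boot request returned %d\n", ret);` before `BUG();`. The same pattern appears in `xen_reboot()` in arch/x86/xen/enlighten.c, where the `HYPERVISOR_sched_op()` result is no longer checked before `BUG()`.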
35951diff --git a/arch/x86/platform/intel-mid/intel_mid_weak_decls.h b/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
35952index 3c1c386..59a68ed 100644
35953--- a/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
35954+++ b/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
35955@@ -13,6 +13,6 @@
35956 /* For every CPU addition a new get_<cpuname>_ops interface needs
35957 * to be added.
35958 */
35959-extern void *get_penwell_ops(void);
35960-extern void *get_cloverview_ops(void);
35961-extern void *get_tangier_ops(void);
35962+extern const void *get_penwell_ops(void);
35963+extern const void *get_cloverview_ops(void);
35964+extern const void *get_tangier_ops(void);
35965diff --git a/arch/x86/platform/intel-mid/mfld.c b/arch/x86/platform/intel-mid/mfld.c
35966index 23381d2..8ddc10e 100644
35967--- a/arch/x86/platform/intel-mid/mfld.c
35968+++ b/arch/x86/platform/intel-mid/mfld.c
35969@@ -64,12 +64,12 @@ static void __init penwell_arch_setup(void)
35970 pm_power_off = mfld_power_off;
35971 }
35972
35973-void *get_penwell_ops(void)
35974+const void *get_penwell_ops(void)
35975 {
35976 return &penwell_ops;
35977 }
35978
35979-void *get_cloverview_ops(void)
35980+const void *get_cloverview_ops(void)
35981 {
35982 return &penwell_ops;
35983 }
35984diff --git a/arch/x86/platform/intel-mid/mrfl.c b/arch/x86/platform/intel-mid/mrfl.c
35985index aaca917..66eadbc 100644
35986--- a/arch/x86/platform/intel-mid/mrfl.c
35987+++ b/arch/x86/platform/intel-mid/mrfl.c
35988@@ -97,7 +97,7 @@ static struct intel_mid_ops tangier_ops = {
35989 .arch_setup = tangier_arch_setup,
35990 };
35991
35992-void *get_tangier_ops(void)
35993+const void *get_tangier_ops(void)
35994 {
35995 return &tangier_ops;
35996 }
35997diff --git a/arch/x86/platform/intel-quark/imr_selftest.c b/arch/x86/platform/intel-quark/imr_selftest.c
35998index 278e4da..35db1a9 100644
35999--- a/arch/x86/platform/intel-quark/imr_selftest.c
36000+++ b/arch/x86/platform/intel-quark/imr_selftest.c
36001@@ -55,7 +55,7 @@ static void __init imr_self_test_result(int res, const char *fmt, ...)
36002 */
36003 static void __init imr_self_test(void)
36004 {
36005- phys_addr_t base = virt_to_phys(&_text);
36006+ phys_addr_t base = virt_to_phys((void *)ktla_ktva((unsigned long)_text));
36007 size_t size = virt_to_phys(&__end_rodata) - base;
36008 const char *fmt_over = "overlapped IMR @ (0x%08lx - 0x%08lx)\n";
36009 int ret;
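Review bot: `base` is now derived from `ktla_ktva((unsigned long)_text)`, but `size` on the next line still subtracts it from `virt_to_phys(&__end_rodata)`, which is not translated. If `ktla_ktva()` is not the identity in some configuration (its definition is not visible here), the two operands come from different address views and `size` no longer measures text plus rodata. Either translate both ends the same way or add a comment such as `/* only _text needs ktla_ktva(); __end_rodata is already a kernel virtual address */`, if that is the intent. imr_self_test() continues outside the hunk.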
36010diff --git a/arch/x86/platform/olpc/olpc_dt.c b/arch/x86/platform/olpc/olpc_dt.c
36011index d6ee929..3637cb5 100644
36012--- a/arch/x86/platform/olpc/olpc_dt.c
36013+++ b/arch/x86/platform/olpc/olpc_dt.c
36014@@ -156,7 +156,7 @@ void * __init prom_early_alloc(unsigned long size)
36015 return res;
36016 }
36017
36018-static struct of_pdt_ops prom_olpc_ops __initdata = {
36019+static struct of_pdt_ops prom_olpc_ops __initconst = {
36020 .nextprop = olpc_dt_nextprop,
36021 .getproplen = olpc_dt_getproplen,
36022 .getproperty = olpc_dt_getproperty,
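Review bot: `prom_olpc_ops` moves to `__initconst` but its declaration still lacks `const`, so its read-only status depends on something outside this line, presumably the constify plugin. In a build without that, a non-const object in the init read-only section can draw a section type conflict from the compiler. If the consumer of the ops table accepts a const pointer (not visible here), spell it out: `static const struct of_pdt_ops prom_olpc_ops __initconst = {`. The initializer continues outside the hunk.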
36023diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
36024index 9ab5279..8ba4611 100644
36025--- a/arch/x86/power/cpu.c
36026+++ b/arch/x86/power/cpu.c
36027@@ -134,11 +134,8 @@ static void do_fpu_end(void)
36028 static void fix_processor_context(void)
36029 {
36030 int cpu = smp_processor_id();
36031- struct tss_struct *t = &per_cpu(cpu_tss, cpu);
36032-#ifdef CONFIG_X86_64
36033- struct desc_struct *desc = get_cpu_gdt_table(cpu);
36034- tss_desc tss;
36035-#endif
36036+ struct tss_struct *t = cpu_tss + cpu;
36037+
36038 set_tss_desc(cpu, t); /*
36039 * This just modifies memory; should not be
36040 * necessary. But... This is necessary, because
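Review bot: `fix_processor_context()` loses its explicit reset of the TSS descriptor type to 0x9 in the next hunk, and nothing visible replaces it before `load_TR_desc()`. `ltr` faults on a descriptor still marked busy, so the resume path now relies on `set_tss_desc(cpu, t)` writing a fresh, available descriptor; its body is not visible here. The trailing comment on that call ("This just modifies memory; should not be necessary") does not say this. I would extend it, for example `/* rewrites the TSS descriptor as available; ltr below would fault on a busy one */`. The function body continues outside the hunk.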
36041@@ -147,10 +144,6 @@ static void fix_processor_context(void)
36042 */
36043
36044 #ifdef CONFIG_X86_64
36045- memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc));
36046- tss.type = 0x9; /* The available 64-bit TSS (see AMD vol 2, pg 91 */
36047- write_gdt_entry(desc, GDT_ENTRY_TSS, &tss, DESC_TSS);
36048-
36049 syscall_init(); /* This sets MSR_*STAR and related */
36050 #endif
36051 load_TR_desc(); /* This does ltr */
36052diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
36053index 0b7a63d..dff2199 100644
36054--- a/arch/x86/realmode/init.c
36055+++ b/arch/x86/realmode/init.c
36056@@ -68,7 +68,13 @@ void __init setup_real_mode(void)
36057 __va(real_mode_header->trampoline_header);
36058
36059 #ifdef CONFIG_X86_32
36060- trampoline_header->start = __pa_symbol(startup_32_smp);
36061+ trampoline_header->start = __pa_symbol(ktla_ktva((unsigned long)startup_32_smp));
36062+
36063+#ifdef CONFIG_PAX_KERNEXEC
36064+ trampoline_header->start -= LOAD_PHYSICAL_ADDR;
36065+#endif
36066+
36067+ trampoline_header->boot_cs = __BOOT_CS;
36068 trampoline_header->gdt_limit = __BOOT_DS + 7;
36069 trampoline_header->gdt_base = __pa_symbol(boot_gdt);
36070 #else
36071@@ -84,7 +90,7 @@ void __init setup_real_mode(void)
36072 *trampoline_cr4_features = __read_cr4();
36073
36074 trampoline_pgd = (u64 *) __va(real_mode_header->trampoline_pgd);
36075- trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd;
36076+ trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd & ~_PAGE_NX;
36077 trampoline_pgd[511] = init_level4_pgt[511].pgd;
36078 #endif
36079 }
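Review bot: The new `& ~_PAGE_NX` on `trampoline_pgd[0]` has no comment explaining why the copied entry must be executable. The mask makes the low mapping in the trampoline page table executable wherever the lower-level tables allow it, which is a deliberate relaxation of the kernel's NX policy. Presumably the trampoline runs from this identity mapping and the source entry for `__PAGE_OFFSET` carries NX in this tree. I would state that next to the line, e.g. `/* trampoline code executes through this low mapping; drop NX from the copied direct-map entry */`, so the mask is not removed as redundant later.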
36080diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile
36081index 2730d77..2e4cd19 100644
36082--- a/arch/x86/realmode/rm/Makefile
36083+++ b/arch/x86/realmode/rm/Makefile
36084@@ -68,5 +68,8 @@ $(obj)/realmode.relocs: $(obj)/realmode.elf FORCE
36085
36086 KBUILD_CFLAGS := $(LINUXINCLUDE) $(REALMODE_CFLAGS) -D_SETUP -D_WAKEUP \
36087 -I$(srctree)/arch/x86/boot
36088+ifdef CONSTIFY_PLUGIN
36089+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
36090+endif
36091 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
36092 GCOV_PROFILE := n
36093diff --git a/arch/x86/realmode/rm/header.S b/arch/x86/realmode/rm/header.S
36094index a28221d..93c40f1 100644
36095--- a/arch/x86/realmode/rm/header.S
36096+++ b/arch/x86/realmode/rm/header.S
36097@@ -30,7 +30,9 @@ GLOBAL(real_mode_header)
36098 #endif
36099 /* APM/BIOS reboot */
36100 .long pa_machine_real_restart_asm
36101-#ifdef CONFIG_X86_64
36102+#ifdef CONFIG_X86_32
36103+ .long __KERNEL_CS
36104+#else
36105 .long __KERNEL32_CS
36106 #endif
36107 END(real_mode_header)
36108diff --git a/arch/x86/realmode/rm/reboot.S b/arch/x86/realmode/rm/reboot.S
36109index d66c607..3def845 100644
36110--- a/arch/x86/realmode/rm/reboot.S
36111+++ b/arch/x86/realmode/rm/reboot.S
36112@@ -27,6 +27,10 @@ ENTRY(machine_real_restart_asm)
36113 lgdtl pa_tr_gdt
36114
36115 /* Disable paging to drop us out of long mode */
36116+ movl %cr4, %eax
36117+ andl $~X86_CR4_PCIDE, %eax
36118+ movl %eax, %cr4
36119+
36120 movl %cr0, %eax
36121 andl $~X86_CR0_PG, %eax
36122 movl %eax, %cr0
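Review bot: The existing comment "Disable paging to drop us out of long mode" now sits directly above the added CR4 write, which does something different and has no explanation of its own. Clearing `CR0.PG` while `CR4.PCIDE` is set raises #GP, so the order of these two blocks matters and should be stated. I would put `/* PCIDE must be cleared before PG, or the CR0 write below faults */` above the `movl %cr4, %eax` line and move the original comment down to the CR0 sequence. The analogous `andl $~X86_CR4_PCIDE, %eax` added in trampoline_64.S would benefit from a one-line comment as well.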
36123diff --git a/arch/x86/realmode/rm/trampoline_32.S b/arch/x86/realmode/rm/trampoline_32.S
36124index 48ddd76..c26749f 100644
36125--- a/arch/x86/realmode/rm/trampoline_32.S
36126+++ b/arch/x86/realmode/rm/trampoline_32.S
36127@@ -24,6 +24,12 @@
36128 #include <asm/page_types.h>
36129 #include "realmode.h"
36130
36131+#ifdef CONFIG_PAX_KERNEXEC
36132+#define ta(X) (X)
36133+#else
36134+#define ta(X) (pa_ ## X)
36135+#endif
36136+
36137 .text
36138 .code16
36139
36140@@ -38,8 +44,6 @@ ENTRY(trampoline_start)
36141
36142 cli # We should be safe anyway
36143
36144- movl tr_start, %eax # where we need to go
36145-
36146 movl $0xA5A5A5A5, trampoline_status
36147 # write marker for master knows we're running
36148
36149@@ -55,7 +59,7 @@ ENTRY(trampoline_start)
36150 movw $1, %dx # protected mode (PE) bit
36151 lmsw %dx # into protected mode
36152
36153- ljmpl $__BOOT_CS, $pa_startup_32
36154+ ljmpl *(trampoline_header)
36155
36156 .section ".text32","ax"
36157 .code32
36158@@ -66,7 +70,7 @@ ENTRY(startup_32) # note: also used from wakeup_asm.S
36159 .balign 8
36160 GLOBAL(trampoline_header)
36161 tr_start: .space 4
36162- tr_gdt_pad: .space 2
36163+ tr_boot_cs: .space 2
36164 tr_gdt: .space 6
36165 END(trampoline_header)
36166
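Review bot: Renaming the pad to `tr_boot_cs` makes the first six bytes of `trampoline_header` a far pointer, but nothing here documents that layout constraint. The previous hunk's `ljmpl *(trampoline_header)` reads `tr_start` as the offset and the following two bytes as the selector, so the two fields must stay adjacent and in this order. The C side that fills `start` and `boot_cs` in setup_real_mode() must keep the same layout. A comment on the label would make this explicit, e.g. `# tr_start:tr_boot_cs is the far pointer consumed by ljmpl in trampoline_start; keep adjacent`.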
36167diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S
36168index dac7b20..72dbaca 100644
36169--- a/arch/x86/realmode/rm/trampoline_64.S
36170+++ b/arch/x86/realmode/rm/trampoline_64.S
36171@@ -93,6 +93,7 @@ ENTRY(startup_32)
36172 movl %edx, %gs
36173
36174 movl pa_tr_cr4, %eax
36175+ andl $~X86_CR4_PCIDE, %eax
36176 movl %eax, %cr4 # Enable PAE mode
36177
36178 # Setup trampoline 4 level pagetables
36179@@ -106,7 +107,7 @@ ENTRY(startup_32)
36180 wrmsr
36181
36182 # Enable paging and in turn activate Long Mode
36183- movl $(X86_CR0_PG | X86_CR0_WP | X86_CR0_PE), %eax
36184+ movl $(X86_CR0_PG | X86_CR0_PE), %eax
36185 movl %eax, %cr0
36186
36187 /*
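Review bot: Dropping `X86_CR0_WP` from the value loaded into CR0 means ring-0 writes ignore read-only page protections from this instruction until WP is set again, and this hunk neither explains the removal nor shows where that happens. For a secondary CPU coming up through the trampoline, that window should be documented. I would add a comment after the `movl $(X86_CR0_PG | X86_CR0_PE), %eax` line stating why WP is left clear here and naming the code that later enables it. startup_32 continues outside the hunk.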
36188diff --git a/arch/x86/realmode/rm/wakeup_asm.S b/arch/x86/realmode/rm/wakeup_asm.S
36189index 9e7e147..25a4158 100644
36190--- a/arch/x86/realmode/rm/wakeup_asm.S
36191+++ b/arch/x86/realmode/rm/wakeup_asm.S
36192@@ -126,11 +126,10 @@ ENTRY(wakeup_start)
36193 lgdtl pmode_gdt
36194
36195 /* This really couldn't... */
36196- movl pmode_entry, %eax
36197 movl pmode_cr0, %ecx
36198 movl %ecx, %cr0
36199- ljmpl $__KERNEL_CS, $pa_startup_32
36200- /* -> jmp *%eax in trampoline_32.S */
36201+
36202+ ljmpl *pmode_entry
36203 #else
36204 jmp trampoline_start
36205 #endif
36206diff --git a/arch/x86/tools/Makefile b/arch/x86/tools/Makefile
36207index 604a37e..e49702a 100644
36208--- a/arch/x86/tools/Makefile
36209+++ b/arch/x86/tools/Makefile
36210@@ -37,7 +37,7 @@ $(obj)/test_get_len.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/in
36211
36212 $(obj)/insn_sanity.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/inat.c $(srctree)/arch/x86/include/asm/inat_types.h $(srctree)/arch/x86/include/asm/inat.h $(srctree)/arch/x86/include/asm/insn.h $(objtree)/arch/x86/lib/inat-tables.c
36213
36214-HOST_EXTRACFLAGS += -I$(srctree)/tools/include
36215+HOST_EXTRACFLAGS += -I$(srctree)/tools/include -ggdb
36216 hostprogs-y += relocs
36217 relocs-objs := relocs_32.o relocs_64.o relocs_common.o
36218 PHONY += relocs
36219diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
36220index 0c2fae8..88d7719 100644
36221--- a/arch/x86/tools/relocs.c
36222+++ b/arch/x86/tools/relocs.c
36223@@ -1,5 +1,7 @@
36224 /* This is included from relocs_32/64.c */
36225
36226+#include "../../../include/generated/autoconf.h"
36227+
36228 #define ElfW(type) _ElfW(ELF_BITS, type)
36229 #define _ElfW(bits, type) __ElfW(bits, type)
36230 #define __ElfW(bits, type) Elf##bits##_##type
36231@@ -11,6 +13,7 @@
36232 #define Elf_Sym ElfW(Sym)
36233
36234 static Elf_Ehdr ehdr;
36235+static Elf_Phdr *phdr;
36236
36237 struct relocs {
36238 uint32_t *offset;
36239@@ -386,9 +389,39 @@ static void read_ehdr(FILE *fp)
36240 }
36241 }
36242
36243+static void read_phdrs(FILE *fp)
36244+{
36245+ unsigned int i;
36246+
36247+ phdr = calloc(ehdr.e_phnum, sizeof(Elf_Phdr));
36248+ if (!phdr) {
36249+ die("Unable to allocate %d program headers\n",
36250+ ehdr.e_phnum);
36251+ }
36252+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
36253+ die("Seek to %d failed: %s\n",
36254+ ehdr.e_phoff, strerror(errno));
36255+ }
36256+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
36257+ die("Cannot read ELF program headers: %s\n",
36258+ strerror(errno));
36259+ }
36260+ for(i = 0; i < ehdr.e_phnum; i++) {
36261+ phdr[i].p_type = elf_word_to_cpu(phdr[i].p_type);
36262+ phdr[i].p_offset = elf_off_to_cpu(phdr[i].p_offset);
36263+ phdr[i].p_vaddr = elf_addr_to_cpu(phdr[i].p_vaddr);
36264+ phdr[i].p_paddr = elf_addr_to_cpu(phdr[i].p_paddr);
36265+ phdr[i].p_filesz = elf_word_to_cpu(phdr[i].p_filesz);
36266+ phdr[i].p_memsz = elf_word_to_cpu(phdr[i].p_memsz);
36267+ phdr[i].p_flags = elf_word_to_cpu(phdr[i].p_flags);
36268+ phdr[i].p_align = elf_word_to_cpu(phdr[i].p_align);
36269+ }
36270+
36271+}
36272+
36273 static void read_shdrs(FILE *fp)
36274 {
36275- int i;
36276+ unsigned int i;
36277 Elf_Shdr shdr;
36278
36279 secs = calloc(ehdr.e_shnum, sizeof(struct section));
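Review bot: In `read_phdrs()` the fields `p_filesz`, `p_memsz` and `p_align` are converted with `elf_word_to_cpu()`, which is wrong for the 64-bit build. When this file is compiled with `ELF_BITS == 64` those members are 64-bit, so a 32-bit word conversion (as the helper's name suggests) truncates them. The program headers are only consumed under `CONFIG_X86_32` in the visible hunks, so this is latent, but the table is read unconditionally from `process()`. Using the width-aware helper already used for `r_info` avoids it: `phdr[i].p_filesz = elf_xword_to_cpu(phdr[i].p_filesz);`, and likewise for `p_memsz` and `p_align`.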
36280@@ -423,7 +456,7 @@ static void read_shdrs(FILE *fp)
36281
36282 static void read_strtabs(FILE *fp)
36283 {
36284- int i;
36285+ unsigned int i;
36286 for (i = 0; i < ehdr.e_shnum; i++) {
36287 struct section *sec = &secs[i];
36288 if (sec->shdr.sh_type != SHT_STRTAB) {
36289@@ -448,7 +481,7 @@ static void read_strtabs(FILE *fp)
36290
36291 static void read_symtabs(FILE *fp)
36292 {
36293- int i,j;
36294+ unsigned int i,j;
36295 for (i = 0; i < ehdr.e_shnum; i++) {
36296 struct section *sec = &secs[i];
36297 if (sec->shdr.sh_type != SHT_SYMTAB) {
36298@@ -479,9 +512,11 @@ static void read_symtabs(FILE *fp)
36299 }
36300
36301
36302-static void read_relocs(FILE *fp)
36303+static void read_relocs(FILE *fp, int use_real_mode)
36304 {
36305- int i,j;
36306+ unsigned int i,j;
36307+ uint32_t base;
36308+
36309 for (i = 0; i < ehdr.e_shnum; i++) {
36310 struct section *sec = &secs[i];
36311 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36312@@ -501,9 +536,22 @@ static void read_relocs(FILE *fp)
36313 die("Cannot read symbol table: %s\n",
36314 strerror(errno));
36315 }
36316+ base = 0;
36317+
36318+#ifdef CONFIG_X86_32
36319+ for (j = 0; !use_real_mode && j < ehdr.e_phnum; j++) {
36320+ if (phdr[j].p_type != PT_LOAD )
36321+ continue;
36322+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
36323+ continue;
36324+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
36325+ break;
36326+ }
36327+#endif
36328+
36329 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) {
36330 Elf_Rel *rel = &sec->reltab[j];
36331- rel->r_offset = elf_addr_to_cpu(rel->r_offset);
36332+ rel->r_offset = elf_addr_to_cpu(rel->r_offset) + base;
36333 rel->r_info = elf_xword_to_cpu(rel->r_info);
36334 #if (SHT_REL_TYPE == SHT_RELA)
36335 rel->r_addend = elf_xword_to_cpu(rel->r_addend);
36336@@ -515,7 +563,7 @@ static void read_relocs(FILE *fp)
36337
36338 static void print_absolute_symbols(void)
36339 {
36340- int i;
36341+ unsigned int i;
36342 const char *format;
36343
36344 if (ELF_BITS == 64)
36345@@ -528,7 +576,7 @@ static void print_absolute_symbols(void)
36346 for (i = 0; i < ehdr.e_shnum; i++) {
36347 struct section *sec = &secs[i];
36348 char *sym_strtab;
36349- int j;
36350+ unsigned int j;
36351
36352 if (sec->shdr.sh_type != SHT_SYMTAB) {
36353 continue;
36354@@ -555,7 +603,7 @@ static void print_absolute_symbols(void)
36355
36356 static void print_absolute_relocs(void)
36357 {
36358- int i, printed = 0;
36359+ unsigned int i, printed = 0;
36360 const char *format;
36361
36362 if (ELF_BITS == 64)
36363@@ -568,7 +616,7 @@ static void print_absolute_relocs(void)
36364 struct section *sec_applies, *sec_symtab;
36365 char *sym_strtab;
36366 Elf_Sym *sh_symtab;
36367- int j;
36368+ unsigned int j;
36369 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36370 continue;
36371 }
36372@@ -645,13 +693,13 @@ static void add_reloc(struct relocs *r, uint32_t offset)
36373 static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel,
36374 Elf_Sym *sym, const char *symname))
36375 {
36376- int i;
36377+ unsigned int i;
36378 /* Walk through the relocations */
36379 for (i = 0; i < ehdr.e_shnum; i++) {
36380 char *sym_strtab;
36381 Elf_Sym *sh_symtab;
36382 struct section *sec_applies, *sec_symtab;
36383- int j;
36384+ unsigned int j;
36385 struct section *sec = &secs[i];
36386
36387 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36388@@ -697,7 +745,7 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel,
36389 * kernel data and does not require special treatment.
36390 *
36391 */
36392-static int per_cpu_shndx = -1;
36393+static unsigned int per_cpu_shndx = ~0;
36394 static Elf_Addr per_cpu_load_addr;
36395
36396 static void percpu_init(void)
36397@@ -830,6 +878,23 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
36398 {
36399 unsigned r_type = ELF32_R_TYPE(rel->r_info);
36400 int shn_abs = (sym->st_shndx == SHN_ABS) && !is_reloc(S_REL, symname);
36401+ char *sym_strtab = sec->link->link->strtab;
36402+
36403+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
36404+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
36405+ return 0;
36406+
36407+#ifdef CONFIG_PAX_KERNEXEC
36408+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
36409+ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
36410+ return 0;
36411+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
36412+ return 0;
36413+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
36414+ return 0;
36415+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
36416+ return 0;
36417+#endif
36418
36419 switch (r_type) {
36420 case R_386_NONE:
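Review bot: The new early `return 0` paths in `do_reloc32()` run before `switch (r_type)`, so a relocation against a symbol in these sections is accepted without its type being examined. If the switch rejects unsupported types (its body is outside the hunk), that check is bypassed for `.data..percpu`, `.init.text`, `.exit.text` and most of `.text`. Consider moving the filters after the type validation, or add a comment that skipping it is intentional. As a readability point, `sec_name(sym->st_shndx)` is evaluated up to five times; hoisting it into `const char *secname = sec_name(sym->st_shndx);` would shorten the conditions.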
36421@@ -968,7 +1033,7 @@ static int write32_as_text(uint32_t v, FILE *f)
36422
36423 static void emit_relocs(int as_text, int use_real_mode)
36424 {
36425- int i;
36426+ unsigned int i;
36427 int (*write_reloc)(uint32_t, FILE *) = write32;
36428 int (*do_reloc)(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
36429 const char *symname);
36430@@ -1078,10 +1143,11 @@ void process(FILE *fp, int use_real_mode, int as_text,
36431 {
36432 regex_init(use_real_mode);
36433 read_ehdr(fp);
36434+ read_phdrs(fp);
36435 read_shdrs(fp);
36436 read_strtabs(fp);
36437 read_symtabs(fp);
36438- read_relocs(fp);
36439+ read_relocs(fp, use_real_mode);
36440 if (ELF_BITS == 64)
36441 percpu_init();
36442 if (show_absolute_syms) {
36443diff --git a/arch/x86/um/mem_32.c b/arch/x86/um/mem_32.c
36444index 744afdc..a0b8a0d 100644
36445--- a/arch/x86/um/mem_32.c
36446+++ b/arch/x86/um/mem_32.c
36447@@ -20,7 +20,7 @@ static int __init gate_vma_init(void)
36448 gate_vma.vm_start = FIXADDR_USER_START;
36449 gate_vma.vm_end = FIXADDR_USER_END;
36450 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
36451- gate_vma.vm_page_prot = __P101;
36452+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
36453
36454 return 0;
36455 }
36456diff --git a/arch/x86/um/tls_32.c b/arch/x86/um/tls_32.c
36457index 48e3858..ab4458c 100644
36458--- a/arch/x86/um/tls_32.c
36459+++ b/arch/x86/um/tls_32.c
36460@@ -261,7 +261,7 @@ out:
36461 if (unlikely(task == current &&
36462 !t->arch.tls_array[idx - GDT_ENTRY_TLS_MIN].flushed)) {
36463 printk(KERN_ERR "get_tls_entry: task with pid %d got here "
36464- "without flushed TLS.", current->pid);
36465+ "without flushed TLS.", task_pid_nr(current));
36466 }
36467
36468 return 0;
36469diff --git a/arch/x86/xen/Kconfig b/arch/x86/xen/Kconfig
36470index 4841453..d59a203 100644
36471--- a/arch/x86/xen/Kconfig
36472+++ b/arch/x86/xen/Kconfig
36473@@ -9,6 +9,7 @@ config XEN
36474 select XEN_HAVE_PVMMU
36475 depends on X86_64 || (X86_32 && X86_PAE)
36476 depends on X86_LOCAL_APIC && X86_TSC
36477+ depends on !GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_VIRT_XEN
36478 help
36479 This is the Linux Xen port. Enabling this will allow the
36480 kernel to boot in a paravirtualized environment under the
36481diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
36482index 11d6fb4..c581662 100644
36483--- a/arch/x86/xen/enlighten.c
36484+++ b/arch/x86/xen/enlighten.c
36485@@ -125,8 +125,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
36486
36487 struct shared_info xen_dummy_shared_info;
36488
36489-void *xen_initial_gdt;
36490-
36491 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
36492 __read_mostly int xen_have_vector_callback;
36493 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
36494@@ -584,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
36495 {
36496 unsigned long va = dtr->address;
36497 unsigned int size = dtr->size + 1;
36498- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
36499- unsigned long frames[pages];
36500+ unsigned long frames[65536 / PAGE_SIZE];
36501 int f;
36502
36503 /*
36504@@ -633,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
36505 {
36506 unsigned long va = dtr->address;
36507 unsigned int size = dtr->size + 1;
36508- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
36509- unsigned long frames[pages];
36510+ unsigned long frames[(GDT_SIZE + PAGE_SIZE - 1) / PAGE_SIZE];
36511 int f;
36512
36513 /*
36514@@ -642,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
36515 * 8-byte entries, or 16 4k pages..
36516 */
36517
36518- BUG_ON(size > 65536);
36519+ BUG_ON(size > GDT_SIZE);
36520 BUG_ON(va & ~PAGE_MASK);
36521
36522 for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
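Review bot: The comment retained above this check still describes a 64K GDT ("8-byte entries, or 16 4k pages"), which no longer matches the `GDT_SIZE` bound now used in `xen_load_gdt_boot()`. Both `frames[]` and the `BUG_ON` use `GDT_SIZE` here, so the comment should be updated, e.g. `/* the boot GDT is at most GDT_SIZE bytes; frames[] above is sized to match */`. The two loaders are also inconsistent after this patch: the earlier hunk sizes `frames[]` in `xen_load_gdt()` as `65536 / PAGE_SIZE`, and the check that keeps `f` inside that array is outside that hunk. It is worth confirming that check was left at 65536, and saying so beside the array.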
36523@@ -1264,30 +1260,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
36524 #endif
36525 };
36526
36527-static void xen_reboot(int reason)
36528+static __noreturn void xen_reboot(int reason)
36529 {
36530 struct sched_shutdown r = { .reason = reason };
36531
36532- if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r))
36533- BUG();
36534+ HYPERVISOR_sched_op(SCHEDOP_shutdown, &r);
36535+ BUG();
36536 }
36537
36538-static void xen_restart(char *msg)
36539+static __noreturn void xen_restart(char *msg)
36540 {
36541 xen_reboot(SHUTDOWN_reboot);
36542 }
36543
36544-static void xen_emergency_restart(void)
36545+static __noreturn void xen_emergency_restart(void)
36546 {
36547 xen_reboot(SHUTDOWN_reboot);
36548 }
36549
36550-static void xen_machine_halt(void)
36551+static __noreturn void xen_machine_halt(void)
36552 {
36553 xen_reboot(SHUTDOWN_poweroff);
36554 }
36555
36556-static void xen_machine_power_off(void)
36557+static __noreturn void xen_machine_power_off(void)
36558 {
36559 if (pm_power_off)
36560 pm_power_off();
36561@@ -1440,8 +1436,11 @@ static void __ref xen_setup_gdt(int cpu)
36562 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
36563 pv_cpu_ops.load_gdt = xen_load_gdt_boot;
36564
36565- setup_stack_canary_segment(0);
36566- switch_to_new_gdt(0);
36567+ setup_stack_canary_segment(cpu);
36568+#ifdef CONFIG_X86_64
36569+ load_percpu_segment(cpu);
36570+#endif
36571+ switch_to_new_gdt(cpu);
36572
36573 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
36574 pv_cpu_ops.load_gdt = xen_load_gdt;
36575@@ -1557,7 +1556,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
36576 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
36577
36578 /* Work out if we support NX */
36579- x86_configure_nx();
36580+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
36581+ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
36582+ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
36583+ unsigned l, h;
36584+
36585+ __supported_pte_mask |= _PAGE_NX;
36586+ rdmsr(MSR_EFER, l, h);
36587+ l |= EFER_NX;
36588+ wrmsr(MSR_EFER, l, h);
36589+ }
36590+#endif
36591
36592 /* Get mfn list */
36593 xen_build_dynamic_phys_to_machine();
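Review bot: The open-coded replacement for `x86_configure_nx()` only ever sets `_PAGE_NX` in `__supported_pte_mask`; there is no else branch that clears it when the CPUID test fails. If the mask's initial value already includes NX (its initializer is not visible here), PTEs could carry the bit on a CPU that does not support it. An explicit `else __supported_pte_mask &= ~_PAGE_NX;` after the closing brace would rule that out. The leaf numbers `0x80000000` and `0x80000001` and the direct `EFER` write would also benefit from a short comment on why the generic helper is not used under Xen.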
36594@@ -1585,13 +1594,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
36595
36596 machine_ops = xen_machine_ops;
36597
36598- /*
36599- * The only reliable way to retain the initial address of the
36600- * percpu gdt_page is to remember it here, so we can go and
36601- * mark it RW later, when the initial percpu area is freed.
36602- */
36603- xen_initial_gdt = &per_cpu(gdt_page, 0);
36604-
36605 xen_smp_init();
36606
36607 #ifdef CONFIG_ACPI_NUMA
36608diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
36609index dd151b2..d87e22e 100644
36610--- a/arch/x86/xen/mmu.c
36611+++ b/arch/x86/xen/mmu.c
36612@@ -379,7 +379,7 @@ static pteval_t pte_mfn_to_pfn(pteval_t val)
36613 return val;
36614 }
36615
36616-static pteval_t pte_pfn_to_mfn(pteval_t val)
36617+static pteval_t __intentional_overflow(-1) pte_pfn_to_mfn(pteval_t val)
36618 {
36619 if (val & _PAGE_PRESENT) {
36620 unsigned long pfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT;
36621@@ -1835,7 +1835,11 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
36622 * L3_k[511] -> level2_fixmap_pgt */
36623 convert_pfn_mfn(level3_kernel_pgt);
36624
36625+ convert_pfn_mfn(level3_vmalloc_start_pgt);
36626+ convert_pfn_mfn(level3_vmalloc_end_pgt);
36627+ convert_pfn_mfn(level3_vmemmap_pgt);
36628 /* L3_k[511][506] -> level1_fixmap_pgt */
36629+ /* L3_k[511][507] -> level1_vsyscall_pgt */
36630 convert_pfn_mfn(level2_fixmap_pgt);
36631 }
36632 /* We get [511][511] and have Xen's version of level2_kernel_pgt */
36633@@ -1860,11 +1864,22 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
36634 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
36635 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
36636 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
36637+ set_page_prot(level3_vmalloc_start_pgt, PAGE_KERNEL_RO);
36638+ set_page_prot(level3_vmalloc_end_pgt, PAGE_KERNEL_RO);
36639+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
36640 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
36641 set_page_prot(level2_ident_pgt, PAGE_KERNEL_RO);
36642+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
36643 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
36644 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
36645- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO);
36646+ set_page_prot(level1_modules_pgt[0], PAGE_KERNEL_RO);
36647+ set_page_prot(level1_modules_pgt[1], PAGE_KERNEL_RO);
36648+ set_page_prot(level1_modules_pgt[2], PAGE_KERNEL_RO);
36649+ set_page_prot(level1_modules_pgt[3], PAGE_KERNEL_RO);
36650+ set_page_prot(level1_fixmap_pgt[0], PAGE_KERNEL_RO);
36651+ set_page_prot(level1_fixmap_pgt[1], PAGE_KERNEL_RO);
36652+ set_page_prot(level1_fixmap_pgt[2], PAGE_KERNEL_RO);
36653+ set_page_prot(level1_vsyscall_pgt, PAGE_KERNEL_RO);
36654
36655 /* Pin down new L4 */
36656 pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,
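Review bot: `level1_modules_pgt` and `level1_fixmap_pgt` are marked read-only one element at a time with hard-coded indices (`[0]`..`[3]` and `[0]`..`[2]`). If either array's dimension changes elsewhere in the patch, an element will silently stay writable and the later pin of the L4 table may be refused by the hypervisor. The array declarations are not visible here, so the counts cannot be checked from this hunk. Iterating over the actual size avoids the coupling: `for (i = 0; i < ARRAY_SIZE(level1_modules_pgt); i++) set_page_prot(level1_modules_pgt[i], PAGE_KERNEL_RO);`, and the same for `level1_fixmap_pgt`, with `i` declared at the top of the function.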
36657@@ -2048,6 +2063,7 @@ static void __init xen_post_allocator_init(void)
36658 pv_mmu_ops.set_pud = xen_set_pud;
36659 #if CONFIG_PGTABLE_LEVELS == 4
36660 pv_mmu_ops.set_pgd = xen_set_pgd;
36661+ pv_mmu_ops.set_pgd_batched = xen_set_pgd;
36662 #endif
36663
36664 /* This will work as long as patching hasn't happened yet
36665@@ -2126,6 +2142,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
36666 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
36667 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
36668 .set_pgd = xen_set_pgd_hyper,
36669+ .set_pgd_batched = xen_set_pgd_hyper,
36670
36671 .alloc_pud = xen_alloc_pmd_init,
36672 .release_pud = xen_release_pmd_init,
36673diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
36674index 8648438..18bac20 100644
36675--- a/arch/x86/xen/smp.c
36676+++ b/arch/x86/xen/smp.c
36677@@ -284,17 +284,13 @@ static void __init xen_smp_prepare_boot_cpu(void)
36678
36679 if (xen_pv_domain()) {
36680 if (!xen_feature(XENFEAT_writable_page_tables))
36681- /* We've switched to the "real" per-cpu gdt, so make
36682- * sure the old memory can be recycled. */
36683- make_lowmem_page_readwrite(xen_initial_gdt);
36684-
36685 #ifdef CONFIG_X86_32
36686 /*
36687 * Xen starts us with XEN_FLAT_RING1_DS, but linux code
36688 * expects __USER_DS
36689 */
36690- loadsegment(ds, __USER_DS);
36691- loadsegment(es, __USER_DS);
36692+ loadsegment(ds, __KERNEL_DS);
36693+ loadsegment(es, __KERNEL_DS);
36694 #endif
36695
36696 xen_filter_cpu_maps();
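Review bot: The line `if (!xen_feature(XENFEAT_writable_page_tables))` is left behind after its only statement, `make_lowmem_page_readwrite(xen_initial_gdt);`, was removed, so the brace-less `if` now governs whatever statement comes next. With `CONFIG_X86_32` that is `loadsegment(ds, __KERNEL_DS);` alone, while the `es` load stays unconditional. Without it, the guarded statement becomes `xen_filter_cpu_maps();`. Delete the `if` line together with the body it used to guard. The retained comment also still says the code "expects __USER_DS" although the new lines load `__KERNEL_DS`. xen_smp_prepare_boot_cpu() begins and ends outside the hunk.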
36697@@ -375,7 +371,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
36698 #ifdef CONFIG_X86_32
36699 /* Note: PVH is not yet supported on x86_32. */
36700 ctxt->user_regs.fs = __KERNEL_PERCPU;
36701- ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
36702+ savesegment(gs, ctxt->user_regs.gs);
36703 #endif
36704 memset(&ctxt->fpu_ctxt, 0, sizeof(ctxt->fpu_ctxt));
36705
36706@@ -383,8 +379,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
36707 ctxt->user_regs.eip = (unsigned long)cpu_bringup_and_idle;
36708 ctxt->flags = VGCF_IN_KERNEL;
36709 ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
36710- ctxt->user_regs.ds = __USER_DS;
36711- ctxt->user_regs.es = __USER_DS;
36712+ ctxt->user_regs.ds = __KERNEL_DS;
36713+ ctxt->user_regs.es = __KERNEL_DS;
36714 ctxt->user_regs.ss = __KERNEL_DS;
36715
36716 xen_copy_trap_info(ctxt->trap_ctxt);
36717@@ -720,7 +716,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
36718
36719 void __init xen_smp_init(void)
36720 {
36721- smp_ops = xen_smp_ops;
36722+ memcpy((void *)&smp_ops, &xen_smp_ops, sizeof smp_ops);
36723 xen_fill_possible_map();
36724 }
36725
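Review bot: In `xen_smp_init()`, replacing the struct assignment with `memcpy((void *)&smp_ops, &xen_smp_ops, sizeof smp_ops);` casts away whatever qualifier `smp_ops` now carries and removes the compiler's type check between the two objects. If `smp_ops` is declared const in this tree (the declaration is not visible here), the write only works while its section is still writable during `__init`, and nothing at the call site says so. I would add a comment such as `/* smp_ops is read-only after init; this runs before that protection is applied */`. A `BUILD_BUG_ON(sizeof(smp_ops) != sizeof(xen_smp_ops));` would restore the size check the assignment gave for free.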
36726diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
36727index fd92a64..1f72641 100644
36728--- a/arch/x86/xen/xen-asm_32.S
36729+++ b/arch/x86/xen/xen-asm_32.S
36730@@ -99,7 +99,7 @@ ENTRY(xen_iret)
36731 pushw %fs
36732 movl $(__KERNEL_PERCPU), %eax
36733 movl %eax, %fs
36734- movl %fs:xen_vcpu, %eax
36735+ mov PER_CPU_VAR(xen_vcpu), %eax
36736 POP_FS
36737 #else
36738 movl %ss:xen_vcpu, %eax
36739diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
36740index 8afdfcc..79239db 100644
36741--- a/arch/x86/xen/xen-head.S
36742+++ b/arch/x86/xen/xen-head.S
36743@@ -41,6 +41,17 @@ ENTRY(startup_xen)
36744 #ifdef CONFIG_X86_32
36745 mov %esi,xen_start_info
36746 mov $init_thread_union+THREAD_SIZE,%esp
36747+#ifdef CONFIG_SMP
36748+ movl $cpu_gdt_table,%edi
36749+ movl $__per_cpu_load,%eax
36750+ movw %ax,__KERNEL_PERCPU + 2(%edi)
36751+ rorl $16,%eax
36752+ movb %al,__KERNEL_PERCPU + 4(%edi)
36753+ movb %ah,__KERNEL_PERCPU + 7(%edi)
36754+ movl $__per_cpu_end - 1,%eax
36755+ subl $__per_cpu_start,%eax
36756+ movw %ax,__KERNEL_PERCPU + 0(%edi)
36757+#endif
36758 #else
36759 mov %rsi,xen_start_info
36760 mov $init_thread_union+THREAD_SIZE,%rsp
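Review bot: The instructions added under `CONFIG_SMP` in startup_xen patch a descriptor in cpu_gdt_table through the bare offsets `+ 0`, `+ 2`, `+ 4` and `+ 7` with no comment, which makes the block hard to audit. Those offsets match the x86 segment-descriptor layout (limit 15:0, base 15:0, base 23:16, base 31:24), so a leading comment such as `/* set base and limit of the __KERNEL_PERCPU descriptor to the per-cpu load area */` would be enough. Only the low 16 bits of the limit are written, and limit bits 19:16 in byte 6 keep their static value. The result is therefore right only if the per-cpu area fits a 16-bit limit or the table entry's granularity accounts for it, which cannot be confirmed from this hunk. startup_xen continues outside the hunk.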
36761diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
36762index 2292721..a9bb18e 100644
36763--- a/arch/x86/xen/xen-ops.h
36764+++ b/arch/x86/xen/xen-ops.h
36765@@ -16,8 +16,6 @@ void xen_syscall_target(void);
36766 void xen_syscall32_target(void);
36767 #endif
36768
36769-extern void *xen_initial_gdt;
36770-
36771 struct trap_info;
36772 void xen_copy_trap_info(struct trap_info *traps);
36773
36774diff --git a/arch/xtensa/variants/dc232b/include/variant/core.h b/arch/xtensa/variants/dc232b/include/variant/core.h
36775index 525bd3d..ef888b1 100644
36776--- a/arch/xtensa/variants/dc232b/include/variant/core.h
36777+++ b/arch/xtensa/variants/dc232b/include/variant/core.h
36778@@ -119,9 +119,9 @@
36779 ----------------------------------------------------------------------*/
36780
36781 #define XCHAL_ICACHE_LINESIZE 32 /* I-cache line size in bytes */
36782-#define XCHAL_DCACHE_LINESIZE 32 /* D-cache line size in bytes */
36783 #define XCHAL_ICACHE_LINEWIDTH 5 /* log2(I line size in bytes) */
36784 #define XCHAL_DCACHE_LINEWIDTH 5 /* log2(D line size in bytes) */
36785+#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
36786
36787 #define XCHAL_ICACHE_SIZE 16384 /* I-cache size in bytes or 0 */
36788 #define XCHAL_DCACHE_SIZE 16384 /* D-cache size in bytes or 0 */
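Review bot: The new `XCHAL_DCACHE_LINESIZE` definition uses `_AC()`, but this hunk adds no `#include <linux/const.h>`, whereas the fsf variant's core.h gets that include in the same patch. Unless the include already exists in dc232b's core.h outside the hunk, the macro expands correctly only when an includer happens to pull in linux/const.h first. Adding `#include <linux/const.h>` after the header guard would make the file self-contained. The change also leaves `XCHAL_ICACHE_LINESIZE` as a plain `32`, so the two line-size macros now have different types; if that is intended, a short comment would help.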
36789diff --git a/arch/xtensa/variants/fsf/include/variant/core.h b/arch/xtensa/variants/fsf/include/variant/core.h
36790index 2f33760..835e50a 100644
36791--- a/arch/xtensa/variants/fsf/include/variant/core.h
36792+++ b/arch/xtensa/variants/fsf/include/variant/core.h
36793@@ -11,6 +11,7 @@
36794 #ifndef _XTENSA_CORE_H
36795 #define _XTENSA_CORE_H
36796
36797+#include <linux/const.h>
36798
36799 /****************************************************************************
36800 Parameters Useful for Any Code, USER or PRIVILEGED
36801@@ -112,9 +113,9 @@
36802 ----------------------------------------------------------------------*/
36803
36804 #define XCHAL_ICACHE_LINESIZE 16 /* I-cache line size in bytes */
36805-#define XCHAL_DCACHE_LINESIZE 16 /* D-cache line size in bytes */
36806 #define XCHAL_ICACHE_LINEWIDTH 4 /* log2(I line size in bytes) */
36807 #define XCHAL_DCACHE_LINEWIDTH 4 /* log2(D line size in bytes) */
36808+#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
36809
36810 #define XCHAL_ICACHE_SIZE 8192 /* I-cache size in bytes or 0 */
36811 #define XCHAL_DCACHE_SIZE 8192 /* D-cache size in bytes or 0 */
36812diff --git a/block/bio.c b/block/bio.c
36813index d6e5ba3..2bb142c 100644
36814--- a/block/bio.c
36815+++ b/block/bio.c
36816@@ -1187,7 +1187,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
36817 /*
36818 * Overflow, abort
36819 */
36820- if (end < start)
36821+ if (end < start || end - start > INT_MAX - nr_pages)
36822 return ERR_PTR(-EINVAL);
36823
36824 nr_pages += end - start;
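Review bot: The added bound `end - start > INT_MAX - nr_pages` in bio_copy_user_iov is a correct overflow guard only while nr_pages is a non-negative int and end/start are unsigned. Those declarations are outside the hunk, so this cannot be confirmed here. The existing `Overflow, abort` comment now covers two different conditions, and I would extend it to `/* reject address wraparound and a page total that would exceed INT_MAX */`. The identical check is repeated in the bio_map_user_iov hunk below; a small static helper shared by both would keep them from drifting apart.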
36825@@ -1312,7 +1312,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
36826 /*
36827 * Overflow, abort
36828 */
36829- if (end < start)
36830+ if (end < start || end - start > INT_MAX - nr_pages)
36831 return ERR_PTR(-EINVAL);
36832
36833 nr_pages += end - start;
36834diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
36835index 0736729..2ec3b48 100644
36836--- a/block/blk-iopoll.c
36837+++ b/block/blk-iopoll.c
36838@@ -74,7 +74,7 @@ void blk_iopoll_complete(struct blk_iopoll *iop)
36839 }
36840 EXPORT_SYMBOL(blk_iopoll_complete);
36841
36842-static void blk_iopoll_softirq(struct softirq_action *h)
36843+static __latent_entropy void blk_iopoll_softirq(void)
36844 {
36845 struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
36846 int rearm = 0, budget = blk_iopoll_budget;
36847diff --git a/block/blk-map.c b/block/blk-map.c
36848index da310a1..213b5c9 100644
36849--- a/block/blk-map.c
36850+++ b/block/blk-map.c
36851@@ -192,7 +192,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
36852 if (!len || !kbuf)
36853 return -EINVAL;
36854
36855- do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
36856+ do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
36857 if (do_copy)
36858 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
36859 else
36860diff --git a/block/blk-softirq.c b/block/blk-softirq.c
36861index 53b1737..08177d2e 100644
36862--- a/block/blk-softirq.c
36863+++ b/block/blk-softirq.c
36864@@ -18,7 +18,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done);
36865 * Softirq action handler - move entries to local list and loop over them
36866 * while passing them to the queue registered handler.
36867 */
36868-static void blk_done_softirq(struct softirq_action *h)
36869+static __latent_entropy void blk_done_softirq(void)
36870 {
36871 struct list_head *cpu_list, local_list;
36872
36873diff --git a/block/bsg.c b/block/bsg.c
36874index d214e92..9649863 100644
36875--- a/block/bsg.c
36876+++ b/block/bsg.c
36877@@ -140,16 +140,24 @@ static int blk_fill_sgv4_hdr_rq(struct request_queue *q, struct request *rq,
36878 struct sg_io_v4 *hdr, struct bsg_device *bd,
36879 fmode_t has_write_perm)
36880 {
36881+ unsigned char tmpcmd[sizeof(rq->__cmd)];
36882+ unsigned char *cmdptr;
36883+
36884 if (hdr->request_len > BLK_MAX_CDB) {
36885 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
36886 if (!rq->cmd)
36887 return -ENOMEM;
36888- }
36889+ cmdptr = rq->cmd;
36890+ } else
36891+ cmdptr = tmpcmd;
36892
36893- if (copy_from_user(rq->cmd, (void __user *)(unsigned long)hdr->request,
36894+ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
36895 hdr->request_len))
36896 return -EFAULT;
36897
36898+ if (cmdptr != rq->cmd)
36899+ memcpy(rq->cmd, cmdptr, hdr->request_len);
36900+
36901 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
36902 if (blk_verify_command(rq->cmd, has_write_perm))
36903 return -EPERM;
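Review bot: The else branch in blk_fill_sgv4_hdr_rq copies up to BLK_MAX_CDB bytes from user space into `tmpcmd`, whose size is `sizeof(rq->__cmd)`. It is in bounds only if that array is at least BLK_MAX_CDB bytes and rq->cmd still points at a buffer of that size, and neither is checked or stated here. `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);` at the top of the function would pin the first assumption, and a one-line comment should say why the command is staged on the stack before the memcpy into rq->cmd. Kernel style also wants braces on the `else` arm when the `if` arm has them. The same staging pattern is repeated in blk_fill_sghdr_rq and sg_scsi_ioctl in block/scsi_ioctl.c, where the length bound is enforced outside the visible hunks; this function's body also continues past the hunk.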
36904diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c
36905index f678c73..f35aa18 100644
36906--- a/block/compat_ioctl.c
36907+++ b/block/compat_ioctl.c
36908@@ -156,7 +156,7 @@ static int compat_cdrom_generic_command(struct block_device *bdev, fmode_t mode,
36909 cgc = compat_alloc_user_space(sizeof(*cgc));
36910 cgc32 = compat_ptr(arg);
36911
36912- if (copy_in_user(&cgc->cmd, &cgc32->cmd, sizeof(cgc->cmd)) ||
36913+ if (copy_in_user(cgc->cmd, cgc32->cmd, sizeof(cgc->cmd)) ||
36914 get_user(data, &cgc32->buffer) ||
36915 put_user(compat_ptr(data), &cgc->buffer) ||
36916 copy_in_user(&cgc->buflen, &cgc32->buflen,
36917@@ -341,7 +341,7 @@ static int compat_fd_ioctl(struct block_device *bdev, fmode_t mode,
36918 err |= __get_user(f->spec1, &uf->spec1);
36919 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
36920 err |= __get_user(name, &uf->name);
36921- f->name = compat_ptr(name);
36922+ f->name = (void __force_kernel *)compat_ptr(name);
36923 if (err) {
36924 err = -EFAULT;
36925 goto out;
36926diff --git a/block/genhd.c b/block/genhd.c
36927index 59a1395..54ff187 100644
36928--- a/block/genhd.c
36929+++ b/block/genhd.c
36930@@ -470,21 +470,24 @@ static char *bdevt_str(dev_t devt, char *buf)
36931
36932 /*
36933 * Register device numbers dev..(dev+range-1)
36934- * range must be nonzero
36935+ * Noop if @range is zero.
36936 * The hash chain is sorted on range, so that subranges can override.
36937 */
36938 void blk_register_region(dev_t devt, unsigned long range, struct module *module,
36939 struct kobject *(*probe)(dev_t, int *, void *),
36940 int (*lock)(dev_t, void *), void *data)
36941 {
36942- kobj_map(bdev_map, devt, range, module, probe, lock, data);
36943+ if (range)
36944+ kobj_map(bdev_map, devt, range, module, probe, lock, data);
36945 }
36946
36947 EXPORT_SYMBOL(blk_register_region);
36948
36949+/* undo blk_register_region(), noop if @range is zero */
36950 void blk_unregister_region(dev_t devt, unsigned long range)
36951 {
36952- kobj_unmap(bdev_map, devt, range);
36953+ if (range)
36954+ kobj_unmap(bdev_map, devt, range);
36955 }
36956
36957 EXPORT_SYMBOL(blk_unregister_region);
36958diff --git a/block/partitions/efi.c b/block/partitions/efi.c
36959index 26cb624..a49c3a5 100644
36960--- a/block/partitions/efi.c
36961+++ b/block/partitions/efi.c
36962@@ -293,14 +293,14 @@ static gpt_entry *alloc_read_gpt_entries(struct parsed_partitions *state,
36963 if (!gpt)
36964 return NULL;
36965
36966+ if (!le32_to_cpu(gpt->num_partition_entries))
36967+ return NULL;
36968+ pte = kcalloc(le32_to_cpu(gpt->num_partition_entries), le32_to_cpu(gpt->sizeof_partition_entry), GFP_KERNEL);
36969+ if (!pte)
36970+ return NULL;
36971+
36972 count = le32_to_cpu(gpt->num_partition_entries) *
36973 le32_to_cpu(gpt->sizeof_partition_entry);
36974- if (!count)
36975- return NULL;
36976- pte = kmalloc(count, GFP_KERNEL);
36977- if (!pte)
36978- return NULL;
36979-
36980 if (read_lba(state, le64_to_cpu(gpt->partition_entry_lba),
36981 (u8 *) pte, count) < count) {
36982 kfree(pte);
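Review bot: Replacing the `!count` test with a test of num_partition_entries alone means alloc_read_gpt_entries no longer rejects a zero sizeof_partition_entry. In that case kcalloc is called with an element size of zero and count is 0, so the read_lba comparison does not fail and a zero-size allocation is returned as if it held entries. Header validation outside the hunk may exclude this, but the function can be made self-sufficient by computing count first and keeping `if (!count) return NULL;` ahead of the kcalloc. Separately, count is still the product of two 32-bit values and can wrap even though kcalloc checks its own multiplication. Writing `count = (size_t)le32_to_cpu(gpt->num_partition_entries) * le32_to_cpu(gpt->sizeof_partition_entry);` keeps the two sizes consistent where size_t is 64 bits wide.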
36983diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
36984index dda653c..028a13ee 100644
36985--- a/block/scsi_ioctl.c
36986+++ b/block/scsi_ioctl.c
36987@@ -67,7 +67,7 @@ static int scsi_get_bus(struct request_queue *q, int __user *p)
36988 return put_user(0, p);
36989 }
36990
36991-static int sg_get_timeout(struct request_queue *q)
36992+static int __intentional_overflow(-1) sg_get_timeout(struct request_queue *q)
36993 {
36994 return jiffies_to_clock_t(q->sg_timeout);
36995 }
36996@@ -227,8 +227,20 @@ EXPORT_SYMBOL(blk_verify_command);
36997 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
36998 struct sg_io_hdr *hdr, fmode_t mode)
36999 {
37000- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
37001+ unsigned char tmpcmd[sizeof(rq->__cmd)];
37002+ unsigned char *cmdptr;
37003+
37004+ if (rq->cmd != rq->__cmd)
37005+ cmdptr = rq->cmd;
37006+ else
37007+ cmdptr = tmpcmd;
37008+
37009+ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
37010 return -EFAULT;
37011+
37012+ if (cmdptr != rq->cmd)
37013+ memcpy(rq->cmd, cmdptr, hdr->cmd_len);
37014+
37015 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
37016 return -EPERM;
37017
37018@@ -420,6 +432,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
37019 int err;
37020 unsigned int in_len, out_len, bytes, opcode, cmdlen;
37021 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
37022+ unsigned char tmpcmd[sizeof(rq->__cmd)];
37023+ unsigned char *cmdptr;
37024
37025 if (!sic)
37026 return -EINVAL;
37027@@ -458,9 +472,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
37028 */
37029 err = -EFAULT;
37030 rq->cmd_len = cmdlen;
37031- if (copy_from_user(rq->cmd, sic->data, cmdlen))
37032+
37033+ if (rq->cmd != rq->__cmd)
37034+ cmdptr = rq->cmd;
37035+ else
37036+ cmdptr = tmpcmd;
37037+
37038+ if (copy_from_user(cmdptr, sic->data, cmdlen))
37039 goto error;
37040
37041+ if (rq->cmd != cmdptr)
37042+ memcpy(rq->cmd, cmdptr, cmdlen);
37043+
37044 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
37045 goto error;
37046
37047diff --git a/crypto/cryptd.c b/crypto/cryptd.c
37048index 22ba81f..1acac67 100644
37049--- a/crypto/cryptd.c
37050+++ b/crypto/cryptd.c
37051@@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
37052
37053 struct cryptd_blkcipher_request_ctx {
37054 crypto_completion_t complete;
37055-};
37056+} __no_const;
37057
37058 struct cryptd_hash_ctx {
37059 struct crypto_shash *child;
37060@@ -80,7 +80,7 @@ struct cryptd_aead_ctx {
37061
37062 struct cryptd_aead_request_ctx {
37063 crypto_completion_t complete;
37064-};
37065+} __no_const;
37066
37067 static void cryptd_queue_worker(struct work_struct *work);
37068
37069diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
37070index 45e7d51..2967121 100644
37071--- a/crypto/pcrypt.c
37072+++ b/crypto/pcrypt.c
37073@@ -385,7 +385,7 @@ static int pcrypt_sysfs_add(struct padata_instance *pinst, const char *name)
37074 int ret;
37075
37076 pinst->kobj.kset = pcrypt_kset;
37077- ret = kobject_add(&pinst->kobj, NULL, name);
37078+ ret = kobject_add(&pinst->kobj, NULL, "%s", name);
37079 if (!ret)
37080 kobject_uevent(&pinst->kobj, KOBJ_ADD);
37081
37082diff --git a/crypto/zlib.c b/crypto/zlib.c
37083index d51a30a..fb1f8af 100644
37084--- a/crypto/zlib.c
37085+++ b/crypto/zlib.c
37086@@ -95,10 +95,10 @@ static int zlib_compress_setup(struct crypto_pcomp *tfm, const void *params,
37087 zlib_comp_exit(ctx);
37088
37089 window_bits = tb[ZLIB_COMP_WINDOWBITS]
37090- ? nla_get_u32(tb[ZLIB_COMP_WINDOWBITS])
37091+ ? nla_get_s32(tb[ZLIB_COMP_WINDOWBITS])
37092 : MAX_WBITS;
37093 mem_level = tb[ZLIB_COMP_MEMLEVEL]
37094- ? nla_get_u32(tb[ZLIB_COMP_MEMLEVEL])
37095+ ? nla_get_s32(tb[ZLIB_COMP_MEMLEVEL])
37096 : DEF_MEM_LEVEL;
37097
37098 workspacesize = zlib_deflate_workspacesize(window_bits, mem_level);
37099diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
37100index 8c2fe2f..fc47c12 100644
37101--- a/drivers/acpi/acpi_video.c
37102+++ b/drivers/acpi/acpi_video.c
37103@@ -398,7 +398,7 @@ static int video_disable_backlight_sysfs_if(
37104 return 0;
37105 }
37106
37107-static struct dmi_system_id video_dmi_table[] = {
37108+static const struct dmi_system_id video_dmi_table[] = {
37109 /*
37110 * Broken _BQC workaround http://bugzilla.kernel.org/show_bug.cgi?id=13121
37111 */
37112diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c
37113index 52dfd0d..8386baf 100644
37114--- a/drivers/acpi/acpica/hwxfsleep.c
37115+++ b/drivers/acpi/acpica/hwxfsleep.c
37116@@ -70,11 +70,12 @@ static acpi_status acpi_hw_sleep_dispatch(u8 sleep_state, u32 function_id);
37117 /* Legacy functions are optional, based upon ACPI_REDUCED_HARDWARE */
37118
37119 static struct acpi_sleep_functions acpi_sleep_dispatch[] = {
37120- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_sleep),
37121- acpi_hw_extended_sleep},
37122- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake_prep),
37123- acpi_hw_extended_wake_prep},
37124- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake), acpi_hw_extended_wake}
37125+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_sleep),
37126+ .extended_function = acpi_hw_extended_sleep},
37127+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake_prep),
37128+ .extended_function = acpi_hw_extended_wake_prep},
37129+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake),
37130+ .extended_function = acpi_hw_extended_wake}
37131 };
37132
37133 /*
37134diff --git a/drivers/acpi/apei/apei-internal.h b/drivers/acpi/apei/apei-internal.h
37135index 16129c7..8b675cd 100644
37136--- a/drivers/acpi/apei/apei-internal.h
37137+++ b/drivers/acpi/apei/apei-internal.h
37138@@ -19,7 +19,7 @@ typedef int (*apei_exec_ins_func_t)(struct apei_exec_context *ctx,
37139 struct apei_exec_ins_type {
37140 u32 flags;
37141 apei_exec_ins_func_t run;
37142-};
37143+} __do_const;
37144
37145 struct apei_exec_context {
37146 u32 ip;
37147diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
37148index 2bfd53c..391e9a4 100644
37149--- a/drivers/acpi/apei/ghes.c
37150+++ b/drivers/acpi/apei/ghes.c
37151@@ -478,7 +478,7 @@ static void __ghes_print_estatus(const char *pfx,
37152 const struct acpi_hest_generic *generic,
37153 const struct acpi_hest_generic_status *estatus)
37154 {
37155- static atomic_t seqno;
37156+ static atomic_unchecked_t seqno;
37157 unsigned int curr_seqno;
37158 char pfx_seq[64];
37159
37160@@ -489,7 +489,7 @@ static void __ghes_print_estatus(const char *pfx,
37161 else
37162 pfx = KERN_ERR;
37163 }
37164- curr_seqno = atomic_inc_return(&seqno);
37165+ curr_seqno = atomic_inc_return_unchecked(&seqno);
37166 snprintf(pfx_seq, sizeof(pfx_seq), "%s{%u}" HW_ERR, pfx, curr_seqno);
37167 printk("%s""Hardware error from APEI Generic Hardware Error Source: %d\n",
37168 pfx_seq, generic->header.source_id);
37169diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
37170index a83e3c6..c3d617f 100644
37171--- a/drivers/acpi/bgrt.c
37172+++ b/drivers/acpi/bgrt.c
37173@@ -86,8 +86,10 @@ static int __init bgrt_init(void)
37174 if (!bgrt_image)
37175 return -ENODEV;
37176
37177- bin_attr_image.private = bgrt_image;
37178- bin_attr_image.size = bgrt_image_size;
37179+ pax_open_kernel();
37180+ *(void **)&bin_attr_image.private = bgrt_image;
37181+ *(size_t *)&bin_attr_image.size = bgrt_image_size;
37182+ pax_close_kernel();
37183
37184 bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj);
37185 if (!bgrt_kobj)
37186diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
37187index 278dc4b..976433d 100644
37188--- a/drivers/acpi/blacklist.c
37189+++ b/drivers/acpi/blacklist.c
37190@@ -51,7 +51,7 @@ struct acpi_blacklist_item {
37191 u32 is_critical_error;
37192 };
37193
37194-static struct dmi_system_id acpi_osi_dmi_table[] __initdata;
37195+static const struct dmi_system_id acpi_osi_dmi_table[] __initconst;
37196
37197 /*
37198 * POLICY: If *anything* doesn't work, put it on the blacklist.
37199@@ -172,7 +172,7 @@ static int __init dmi_enable_rev_override(const struct dmi_system_id *d)
37200 }
37201 #endif
37202
37203-static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
37204+static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = {
37205 {
37206 .callback = dmi_disable_osi_vista,
37207 .ident = "Fujitsu Siemens",
37208diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
37209index 513e7230e..802015a 100644
37210--- a/drivers/acpi/bus.c
37211+++ b/drivers/acpi/bus.c
37212@@ -67,7 +67,7 @@ static int set_copy_dsdt(const struct dmi_system_id *id)
37213 }
37214 #endif
37215
37216-static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37217+static const struct dmi_system_id dsdt_dmi_table[] __initconst = {
37218 /*
37219 * Invoke DSDT corruption work-around on all Toshiba Satellite.
37220 * https://bugzilla.kernel.org/show_bug.cgi?id=14679
37221@@ -83,7 +83,7 @@ static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37222 {}
37223 };
37224 #else
37225-static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37226+static const struct dmi_system_id dsdt_dmi_table[] __initconst = {
37227 {}
37228 };
37229 #endif
37230diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
37231index c68e724..e863008 100644
37232--- a/drivers/acpi/custom_method.c
37233+++ b/drivers/acpi/custom_method.c
37234@@ -29,6 +29,10 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
37235 struct acpi_table_header table;
37236 acpi_status status;
37237
37238+#ifdef CONFIG_GRKERNSEC_KMEM
37239+ return -EPERM;
37240+#endif
37241+
37242 if (!(*ppos)) {
37243 /* parse the table header to get the table length */
37244 if (count <= sizeof(struct acpi_table_header))
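Review bot: The unconditional `return -EPERM;` under CONFIG_GRKERNSEC_KMEM sits after the declarations in cm_write, so with that option set the rest of the function is dead code and its locals are unused. The file itself presumably still gets created by init code outside the hunk. Not creating the node in that configuration would state the policy more plainly than a write that always fails. If the early return is kept, a comment such as `/* custom ACPI methods permit arbitrary kernel memory writes; refuse when KMEM hardening is enabled */` would record the reason.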
37245diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
37246index 88dbbb1..90714c0 100644
37247--- a/drivers/acpi/device_pm.c
37248+++ b/drivers/acpi/device_pm.c
37249@@ -1045,6 +1045,8 @@ EXPORT_SYMBOL_GPL(acpi_subsys_freeze);
37250
37251 #endif /* CONFIG_PM_SLEEP */
37252
37253+static void acpi_dev_pm_detach(struct device *dev, bool power_off);
37254+
37255 static struct dev_pm_domain acpi_general_pm_domain = {
37256 .ops = {
37257 .runtime_suspend = acpi_subsys_runtime_suspend,
37258@@ -1061,6 +1063,7 @@ static struct dev_pm_domain acpi_general_pm_domain = {
37259 .restore_early = acpi_subsys_resume_early,
37260 #endif
37261 },
37262+ .detach = acpi_dev_pm_detach
37263 };
37264
37265 /**
37266@@ -1130,7 +1133,6 @@ int acpi_dev_pm_attach(struct device *dev, bool power_on)
37267 acpi_device_wakeup(adev, ACPI_STATE_S0, false);
37268 }
37269
37270- dev->pm_domain->detach = acpi_dev_pm_detach;
37271 return 0;
37272 }
37273 EXPORT_SYMBOL_GPL(acpi_dev_pm_attach);
37274diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
37275index 9d4761d..ece2163 100644
37276--- a/drivers/acpi/ec.c
37277+++ b/drivers/acpi/ec.c
37278@@ -1434,7 +1434,7 @@ static int ec_clear_on_resume(const struct dmi_system_id *id)
37279 return 0;
37280 }
37281
37282-static struct dmi_system_id ec_dmi_table[] __initdata = {
37283+static const struct dmi_system_id ec_dmi_table[] __initconst = {
37284 {
37285 ec_skip_dsdt_scan, "Compal JFL92", {
37286 DMI_MATCH(DMI_BIOS_VENDOR, "COMPAL"),
37287diff --git a/drivers/acpi/pci_slot.c b/drivers/acpi/pci_slot.c
37288index 139d9e4..9a9d799 100644
37289--- a/drivers/acpi/pci_slot.c
37290+++ b/drivers/acpi/pci_slot.c
37291@@ -195,7 +195,7 @@ static int do_sta_before_sun(const struct dmi_system_id *d)
37292 return 0;
37293 }
37294
37295-static struct dmi_system_id acpi_pci_slot_dmi_table[] __initdata = {
37296+static const struct dmi_system_id acpi_pci_slot_dmi_table[] __initconst = {
37297 /*
37298 * Fujitsu Primequest machines will return 1023 to indicate an
37299 * error if the _SUN method is evaluated on SxFy objects that
37300diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c
37301index d9f7158..168e742 100644
37302--- a/drivers/acpi/processor_driver.c
37303+++ b/drivers/acpi/processor_driver.c
37304@@ -159,7 +159,7 @@ static int acpi_cpu_soft_notify(struct notifier_block *nfb,
37305 return NOTIFY_OK;
37306 }
37307
37308-static struct notifier_block __refdata acpi_cpu_notifier = {
37309+static struct notifier_block __refconst acpi_cpu_notifier = {
37310 .notifier_call = acpi_cpu_soft_notify,
37311 };
37312
37313diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
37314index d540f42..d5b32ac 100644
37315--- a/drivers/acpi/processor_idle.c
37316+++ b/drivers/acpi/processor_idle.c
37317@@ -910,7 +910,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr)
37318 {
37319 int i, count = CPUIDLE_DRIVER_STATE_START;
37320 struct acpi_processor_cx *cx;
37321- struct cpuidle_state *state;
37322+ cpuidle_state_no_const *state;
37323 struct cpuidle_driver *drv = &acpi_idle_driver;
37324
37325 if (!pr->flags.power_setup_done)
37326diff --git a/drivers/acpi/processor_pdc.c b/drivers/acpi/processor_pdc.c
37327index 7cfbda4..74f738c 100644
37328--- a/drivers/acpi/processor_pdc.c
37329+++ b/drivers/acpi/processor_pdc.c
37330@@ -173,7 +173,7 @@ static int __init set_no_mwait(const struct dmi_system_id *id)
37331 return 0;
37332 }
37333
37334-static struct dmi_system_id processor_idle_dmi_table[] __initdata = {
37335+static const struct dmi_system_id processor_idle_dmi_table[] __initconst = {
37336 {
37337 set_no_mwait, "Extensa 5220", {
37338 DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37339diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
37340index 2f0d4db..b9e9b15 100644
37341--- a/drivers/acpi/sleep.c
37342+++ b/drivers/acpi/sleep.c
37343@@ -148,7 +148,7 @@ static int __init init_nvs_nosave(const struct dmi_system_id *d)
37344 return 0;
37345 }
37346
37347-static struct dmi_system_id acpisleep_dmi_table[] __initdata = {
37348+static const struct dmi_system_id acpisleep_dmi_table[] __initconst = {
37349 {
37350 .callback = init_old_suspend_ordering,
37351 .ident = "Abit KN9 (nForce4 variant)",
37352diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c
37353index 0876d77b..3ba0127 100644
37354--- a/drivers/acpi/sysfs.c
37355+++ b/drivers/acpi/sysfs.c
37356@@ -423,11 +423,11 @@ static u32 num_counters;
37357 static struct attribute **all_attrs;
37358 static u32 acpi_gpe_count;
37359
37360-static struct attribute_group interrupt_stats_attr_group = {
37361+static attribute_group_no_const interrupt_stats_attr_group = {
37362 .name = "interrupts",
37363 };
37364
37365-static struct kobj_attribute *counter_attrs;
37366+static kobj_attribute_no_const *counter_attrs;
37367
37368 static void delete_gpe_attr_array(void)
37369 {
37370diff --git a/drivers/acpi/thermal.c b/drivers/acpi/thermal.c
37371index 6d4e44e..44fb839 100644
37372--- a/drivers/acpi/thermal.c
37373+++ b/drivers/acpi/thermal.c
37374@@ -1212,7 +1212,7 @@ static int thermal_psv(const struct dmi_system_id *d) {
37375 return 0;
37376 }
37377
37378-static struct dmi_system_id thermal_dmi_table[] __initdata = {
37379+static const struct dmi_system_id thermal_dmi_table[] __initconst = {
37380 /*
37381 * Award BIOS on this AOpen makes thermal control almost worthless.
37382 * http://bugzilla.kernel.org/show_bug.cgi?id=8842
37383diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
37384index 2922f1f..26b0c03 100644
37385--- a/drivers/acpi/video_detect.c
37386+++ b/drivers/acpi/video_detect.c
37387@@ -41,7 +41,6 @@ ACPI_MODULE_NAME("video");
37388 void acpi_video_unregister_backlight(void);
37389
37390 static bool backlight_notifier_registered;
37391-static struct notifier_block backlight_nb;
37392 static struct work_struct backlight_notify_work;
37393
37394 static enum acpi_backlight_type acpi_backlight_cmdline = acpi_backlight_undef;
37395@@ -284,6 +283,10 @@ static int acpi_video_backlight_notify(struct notifier_block *nb,
37396 return NOTIFY_OK;
37397 }
37398
37399+static const struct notifier_block backlight_nb = {
37400+ .notifier_call = acpi_video_backlight_notify,
37401+};
37402+
37403 /*
37404 * Determine which type of backlight interface to use on this system,
37405 * First check cmdline, then dmi quirks, then do autodetect.
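Review bot: Declaring `backlight_nb` as `static const struct notifier_block` conflicts with how it is used in the next hunk, where `&backlight_nb` is still passed to backlight_register_notifier(). Notifier registration normally links the block into a chain by writing its `next` field. Unless the prototype and the chain code are changed elsewhere in this patch (not visible here), the call either discards the qualifier with a compiler warning or ends up writing to read-only data. If the object must stay writable for chain linkage, dropping `const` while keeping the static initializer, `static struct notifier_block backlight_nb = {`, retains the benefit of removing the runtime assignment of notifier_call.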
37406@@ -314,8 +317,6 @@ enum acpi_backlight_type acpi_video_get_backlight_type(void)
37407 &video_caps, NULL);
37408 INIT_WORK(&backlight_notify_work,
37409 acpi_video_backlight_notify_work);
37410- backlight_nb.notifier_call = acpi_video_backlight_notify;
37411- backlight_nb.priority = 0;
37412 if (backlight_register_notifier(&backlight_nb) == 0)
37413 backlight_notifier_registered = true;
37414 init_done = true;
37415diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
37416index d256a66..4040556 100644
37417--- a/drivers/ata/libahci.c
37418+++ b/drivers/ata/libahci.c
37419@@ -1252,7 +1252,7 @@ int ahci_kick_engine(struct ata_port *ap)
37420 }
37421 EXPORT_SYMBOL_GPL(ahci_kick_engine);
37422
37423-static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp,
37424+static int __intentional_overflow(-1) ahci_exec_polled_cmd(struct ata_port *ap, int pmp,
37425 struct ata_taskfile *tf, int is_cmd, u16 flags,
37426 unsigned long timeout_msec)
37427 {
37428diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
37429index 790e0de..6bae378 100644
37430--- a/drivers/ata/libata-core.c
37431+++ b/drivers/ata/libata-core.c
37432@@ -102,7 +102,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
37433 static void ata_dev_xfermask(struct ata_device *dev);
37434 static unsigned long ata_dev_blacklisted(const struct ata_device *dev);
37435
37436-atomic_t ata_print_id = ATOMIC_INIT(0);
37437+atomic_unchecked_t ata_print_id = ATOMIC_INIT(0);
37438
37439 struct ata_force_param {
37440 const char *name;
37441@@ -4800,7 +4800,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
37442 struct ata_port *ap;
37443 unsigned int tag;
37444
37445- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37446+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37447 ap = qc->ap;
37448
37449 qc->flags = 0;
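Review bot: Turning `WARN_ON_ONCE(qc == NULL)` into `BUG_ON(qc == NULL)` in ata_qc_free makes a condition that the adjacent comment describes as possible (`ata_qc_from_tag _might_ return NULL`) fatal for the whole machine. If the aim is to avoid the NULL dereference on the following line, `if (WARN_ON_ONCE(qc == NULL)) return;` prevents it and keeps the system running; if halting is the intent, the comment should say so. The same substitution is made in __ata_qc_complete in the next hunk. Both function bodies continue outside their hunks.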
37450@@ -4817,7 +4817,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
37451 struct ata_port *ap;
37452 struct ata_link *link;
37453
37454- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37455+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37456 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
37457 ap = qc->ap;
37458 link = qc->dev->link;
37459@@ -5924,6 +5924,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
37460 return;
37461
37462 spin_lock(&lock);
37463+ pax_open_kernel();
37464
37465 for (cur = ops->inherits; cur; cur = cur->inherits) {
37466 void **inherit = (void **)cur;
37467@@ -5937,8 +5938,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
37468 if (IS_ERR(*pp))
37469 *pp = NULL;
37470
37471- ops->inherits = NULL;
37472+ *(struct ata_port_operations **)&ops->inherits = NULL;
37473
37474+ pax_close_kernel();
37475 spin_unlock(&lock);
37476 }
37477
37478@@ -6134,7 +6136,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
37479
37480 /* give ports names and add SCSI hosts */
37481 for (i = 0; i < host->n_ports; i++) {
37482- host->ports[i]->print_id = atomic_inc_return(&ata_print_id);
37483+ host->ports[i]->print_id = atomic_inc_return_unchecked(&ata_print_id);
37484 host->ports[i]->local_port_no = i + 1;
37485 }
37486
37487diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
37488index 0d7f0da..bc20aa6 100644
37489--- a/drivers/ata/libata-scsi.c
37490+++ b/drivers/ata/libata-scsi.c
37491@@ -4193,7 +4193,7 @@ int ata_sas_port_init(struct ata_port *ap)
37492
37493 if (rc)
37494 return rc;
37495- ap->print_id = atomic_inc_return(&ata_print_id);
37496+ ap->print_id = atomic_inc_return_unchecked(&ata_print_id);
37497 return 0;
37498 }
37499 EXPORT_SYMBOL_GPL(ata_sas_port_init);
37500diff --git a/drivers/ata/libata.h b/drivers/ata/libata.h
37501index f840ca1..edd6ef3 100644
37502--- a/drivers/ata/libata.h
37503+++ b/drivers/ata/libata.h
37504@@ -53,7 +53,7 @@ enum {
37505 ATA_DNXFER_QUIET = (1 << 31),
37506 };
37507
37508-extern atomic_t ata_print_id;
37509+extern atomic_unchecked_t ata_print_id;
37510 extern int atapi_passthru16;
37511 extern int libata_fua;
37512 extern int libata_noacpi;
37513diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c
37514index 5d9ee99..8fa2585 100644
37515--- a/drivers/ata/pata_arasan_cf.c
37516+++ b/drivers/ata/pata_arasan_cf.c
37517@@ -865,7 +865,9 @@ static int arasan_cf_probe(struct platform_device *pdev)
37518 /* Handle platform specific quirks */
37519 if (quirk) {
37520 if (quirk & CF_BROKEN_PIO) {
37521- ap->ops->set_piomode = NULL;
37522+ pax_open_kernel();
37523+ *(void **)&ap->ops->set_piomode = NULL;
37524+ pax_close_kernel();
37525 ap->pio_mask = 0;
37526 }
37527 if (quirk & CF_BROKEN_MWDMA)
37528diff --git a/drivers/atm/adummy.c b/drivers/atm/adummy.c
37529index f9b983a..887b9d8 100644
37530--- a/drivers/atm/adummy.c
37531+++ b/drivers/atm/adummy.c
37532@@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct sk_buff *skb)
37533 vcc->pop(vcc, skb);
37534 else
37535 dev_kfree_skb_any(skb);
37536- atomic_inc(&vcc->stats->tx);
37537+ atomic_inc_unchecked(&vcc->stats->tx);
37538
37539 return 0;
37540 }
37541diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c
37542index f1a9198..f466a4a 100644
37543--- a/drivers/atm/ambassador.c
37544+++ b/drivers/atm/ambassador.c
37545@@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) {
37546 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
37547
37548 // VC layer stats
37549- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
37550+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
37551
37552 // free the descriptor
37553 kfree (tx_descr);
37554@@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) {
37555 dump_skb ("<<<", vc, skb);
37556
37557 // VC layer stats
37558- atomic_inc(&atm_vcc->stats->rx);
37559+ atomic_inc_unchecked(&atm_vcc->stats->rx);
37560 __net_timestamp(skb);
37561 // end of our responsibility
37562 atm_vcc->push (atm_vcc, skb);
37563@@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) {
37564 } else {
37565 PRINTK (KERN_INFO, "dropped over-size frame");
37566 // should we count this?
37567- atomic_inc(&atm_vcc->stats->rx_drop);
37568+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
37569 }
37570
37571 } else {
37572@@ -1338,7 +1338,7 @@ static int amb_send (struct atm_vcc * atm_vcc, struct sk_buff * skb) {
37573 }
37574
37575 if (check_area (skb->data, skb->len)) {
37576- atomic_inc(&atm_vcc->stats->tx_err);
37577+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
37578 return -ENOMEM; // ?
37579 }
37580
37581diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
37582index 480fa6f..947067c 100644
37583--- a/drivers/atm/atmtcp.c
37584+++ b/drivers/atm/atmtcp.c
37585@@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37586 if (vcc->pop) vcc->pop(vcc,skb);
37587 else dev_kfree_skb(skb);
37588 if (dev_data) return 0;
37589- atomic_inc(&vcc->stats->tx_err);
37590+ atomic_inc_unchecked(&vcc->stats->tx_err);
37591 return -ENOLINK;
37592 }
37593 size = skb->len+sizeof(struct atmtcp_hdr);
37594@@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37595 if (!new_skb) {
37596 if (vcc->pop) vcc->pop(vcc,skb);
37597 else dev_kfree_skb(skb);
37598- atomic_inc(&vcc->stats->tx_err);
37599+ atomic_inc_unchecked(&vcc->stats->tx_err);
37600 return -ENOBUFS;
37601 }
37602 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
37603@@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37604 if (vcc->pop) vcc->pop(vcc,skb);
37605 else dev_kfree_skb(skb);
37606 out_vcc->push(out_vcc,new_skb);
37607- atomic_inc(&vcc->stats->tx);
37608- atomic_inc(&out_vcc->stats->rx);
37609+ atomic_inc_unchecked(&vcc->stats->tx);
37610+ atomic_inc_unchecked(&out_vcc->stats->rx);
37611 return 0;
37612 }
37613
37614@@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
37615 read_unlock(&vcc_sklist_lock);
37616 if (!out_vcc) {
37617 result = -EUNATCH;
37618- atomic_inc(&vcc->stats->tx_err);
37619+ atomic_inc_unchecked(&vcc->stats->tx_err);
37620 goto done;
37621 }
37622 skb_pull(skb,sizeof(struct atmtcp_hdr));
37623@@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
37624 __net_timestamp(new_skb);
37625 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
37626 out_vcc->push(out_vcc,new_skb);
37627- atomic_inc(&vcc->stats->tx);
37628- atomic_inc(&out_vcc->stats->rx);
37629+ atomic_inc_unchecked(&vcc->stats->tx);
37630+ atomic_inc_unchecked(&out_vcc->stats->rx);
37631 done:
37632 if (vcc->pop) vcc->pop(vcc,skb);
37633 else dev_kfree_skb(skb);
37634diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
37635index 6339efd..2b441d5 100644
37636--- a/drivers/atm/eni.c
37637+++ b/drivers/atm/eni.c
37638@@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
37639 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
37640 vcc->dev->number);
37641 length = 0;
37642- atomic_inc(&vcc->stats->rx_err);
37643+ atomic_inc_unchecked(&vcc->stats->rx_err);
37644 }
37645 else {
37646 length = ATM_CELL_SIZE-1; /* no HEC */
37647@@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
37648 size);
37649 }
37650 eff = length = 0;
37651- atomic_inc(&vcc->stats->rx_err);
37652+ atomic_inc_unchecked(&vcc->stats->rx_err);
37653 }
37654 else {
37655 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
37656@@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
37657 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
37658 vcc->dev->number,vcc->vci,length,size << 2,descr);
37659 length = eff = 0;
37660- atomic_inc(&vcc->stats->rx_err);
37661+ atomic_inc_unchecked(&vcc->stats->rx_err);
37662 }
37663 }
37664 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
37665@@ -770,7 +770,7 @@ rx_dequeued++;
37666 vcc->push(vcc,skb);
37667 pushed++;
37668 }
37669- atomic_inc(&vcc->stats->rx);
37670+ atomic_inc_unchecked(&vcc->stats->rx);
37671 }
37672 wake_up(&eni_dev->rx_wait);
37673 }
37674@@ -1230,7 +1230,7 @@ static void dequeue_tx(struct atm_dev *dev)
37675 DMA_TO_DEVICE);
37676 if (vcc->pop) vcc->pop(vcc,skb);
37677 else dev_kfree_skb_irq(skb);
37678- atomic_inc(&vcc->stats->tx);
37679+ atomic_inc_unchecked(&vcc->stats->tx);
37680 wake_up(&eni_dev->tx_wait);
37681 dma_complete++;
37682 }
37683diff --git a/drivers/atm/firestream.c b/drivers/atm/firestream.c
37684index 82f2ae0..f205c02 100644
37685--- a/drivers/atm/firestream.c
37686+++ b/drivers/atm/firestream.c
37687@@ -749,7 +749,7 @@ static void process_txdone_queue (struct fs_dev *dev, struct queue *q)
37688 }
37689 }
37690
37691- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
37692+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
37693
37694 fs_dprintk (FS_DEBUG_TXMEM, "i");
37695 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
37696@@ -816,7 +816,7 @@ static void process_incoming (struct fs_dev *dev, struct queue *q)
37697 #endif
37698 skb_put (skb, qe->p1 & 0xffff);
37699 ATM_SKB(skb)->vcc = atm_vcc;
37700- atomic_inc(&atm_vcc->stats->rx);
37701+ atomic_inc_unchecked(&atm_vcc->stats->rx);
37702 __net_timestamp(skb);
37703 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
37704 atm_vcc->push (atm_vcc, skb);
37705@@ -837,12 +837,12 @@ static void process_incoming (struct fs_dev *dev, struct queue *q)
37706 kfree (pe);
37707 }
37708 if (atm_vcc)
37709- atomic_inc(&atm_vcc->stats->rx_drop);
37710+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
37711 break;
37712 case 0x1f: /* Reassembly abort: no buffers. */
37713 /* Silently increment error counter. */
37714 if (atm_vcc)
37715- atomic_inc(&atm_vcc->stats->rx_drop);
37716+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
37717 break;
37718 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
37719 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
37720diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c
37721index 75dde90..4309ead 100644
37722--- a/drivers/atm/fore200e.c
37723+++ b/drivers/atm/fore200e.c
37724@@ -932,9 +932,9 @@ fore200e_tx_irq(struct fore200e* fore200e)
37725 #endif
37726 /* check error condition */
37727 if (*entry->status & STATUS_ERROR)
37728- atomic_inc(&vcc->stats->tx_err);
37729+ atomic_inc_unchecked(&vcc->stats->tx_err);
37730 else
37731- atomic_inc(&vcc->stats->tx);
37732+ atomic_inc_unchecked(&vcc->stats->tx);
37733 }
37734 }
37735
37736@@ -1083,7 +1083,7 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp
37737 if (skb == NULL) {
37738 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
37739
37740- atomic_inc(&vcc->stats->rx_drop);
37741+ atomic_inc_unchecked(&vcc->stats->rx_drop);
37742 return -ENOMEM;
37743 }
37744
37745@@ -1126,14 +1126,14 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp
37746
37747 dev_kfree_skb_any(skb);
37748
37749- atomic_inc(&vcc->stats->rx_drop);
37750+ atomic_inc_unchecked(&vcc->stats->rx_drop);
37751 return -ENOMEM;
37752 }
37753
37754 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
37755
37756 vcc->push(vcc, skb);
37757- atomic_inc(&vcc->stats->rx);
37758+ atomic_inc_unchecked(&vcc->stats->rx);
37759
37760 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
37761
37762@@ -1211,7 +1211,7 @@ fore200e_rx_irq(struct fore200e* fore200e)
37763 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
37764 fore200e->atm_dev->number,
37765 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
37766- atomic_inc(&vcc->stats->rx_err);
37767+ atomic_inc_unchecked(&vcc->stats->rx_err);
37768 }
37769 }
37770
37771@@ -1656,7 +1656,7 @@ fore200e_send(struct atm_vcc *vcc, struct sk_buff *skb)
37772 goto retry_here;
37773 }
37774
37775- atomic_inc(&vcc->stats->tx_err);
37776+ atomic_inc_unchecked(&vcc->stats->tx_err);
37777
37778 fore200e->tx_sat++;
37779 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
37780diff --git a/drivers/atm/he.c b/drivers/atm/he.c
37781index a8da3a5..67cf6c2 100644
37782--- a/drivers/atm/he.c
37783+++ b/drivers/atm/he.c
37784@@ -1692,7 +1692,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
37785
37786 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
37787 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
37788- atomic_inc(&vcc->stats->rx_drop);
37789+ atomic_inc_unchecked(&vcc->stats->rx_drop);
37790 goto return_host_buffers;
37791 }
37792
37793@@ -1719,7 +1719,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
37794 RBRQ_LEN_ERR(he_dev->rbrq_head)
37795 ? "LEN_ERR" : "",
37796 vcc->vpi, vcc->vci);
37797- atomic_inc(&vcc->stats->rx_err);
37798+ atomic_inc_unchecked(&vcc->stats->rx_err);
37799 goto return_host_buffers;
37800 }
37801
37802@@ -1771,7 +1771,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
37803 vcc->push(vcc, skb);
37804 spin_lock(&he_dev->global_lock);
37805
37806- atomic_inc(&vcc->stats->rx);
37807+ atomic_inc_unchecked(&vcc->stats->rx);
37808
37809 return_host_buffers:
37810 ++pdus_assembled;
37811@@ -2097,7 +2097,7 @@ __enqueue_tpd(struct he_dev *he_dev, struct he_tpd *tpd, unsigned cid)
37812 tpd->vcc->pop(tpd->vcc, tpd->skb);
37813 else
37814 dev_kfree_skb_any(tpd->skb);
37815- atomic_inc(&tpd->vcc->stats->tx_err);
37816+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
37817 }
37818 dma_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
37819 return;
37820@@ -2509,7 +2509,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
37821 vcc->pop(vcc, skb);
37822 else
37823 dev_kfree_skb_any(skb);
37824- atomic_inc(&vcc->stats->tx_err);
37825+ atomic_inc_unchecked(&vcc->stats->tx_err);
37826 return -EINVAL;
37827 }
37828
37829@@ -2520,7 +2520,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
37830 vcc->pop(vcc, skb);
37831 else
37832 dev_kfree_skb_any(skb);
37833- atomic_inc(&vcc->stats->tx_err);
37834+ atomic_inc_unchecked(&vcc->stats->tx_err);
37835 return -EINVAL;
37836 }
37837 #endif
37838@@ -2532,7 +2532,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
37839 vcc->pop(vcc, skb);
37840 else
37841 dev_kfree_skb_any(skb);
37842- atomic_inc(&vcc->stats->tx_err);
37843+ atomic_inc_unchecked(&vcc->stats->tx_err);
37844 spin_unlock_irqrestore(&he_dev->global_lock, flags);
37845 return -ENOMEM;
37846 }
37847@@ -2574,7 +2574,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
37848 vcc->pop(vcc, skb);
37849 else
37850 dev_kfree_skb_any(skb);
37851- atomic_inc(&vcc->stats->tx_err);
37852+ atomic_inc_unchecked(&vcc->stats->tx_err);
37853 spin_unlock_irqrestore(&he_dev->global_lock, flags);
37854 return -ENOMEM;
37855 }
37856@@ -2605,7 +2605,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
37857 __enqueue_tpd(he_dev, tpd, cid);
37858 spin_unlock_irqrestore(&he_dev->global_lock, flags);
37859
37860- atomic_inc(&vcc->stats->tx);
37861+ atomic_inc_unchecked(&vcc->stats->tx);
37862
37863 return 0;
37864 }
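Review bot: `stats->tx` is incremented unconditionally after `__enqueue_tpd()` returns, yet the `__enqueue_tpd` hunk earlier in this file shows a branch that pops or frees the skb and increments `tx_err` before returning, so a dropped PDU appears to be counted as both an error and a successful transmit while he_send still returns 0. If that reading is right, either let `__enqueue_tpd()` report the drop and count `tx` only on success, or move the `tx` increment into its success path. Both function bodies extend outside their hunks, so this needs checking against the full file.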
37865diff --git a/drivers/atm/horizon.c b/drivers/atm/horizon.c
37866index 527bbd5..96570c8 100644
37867--- a/drivers/atm/horizon.c
37868+++ b/drivers/atm/horizon.c
37869@@ -1018,7 +1018,7 @@ static void rx_schedule (hrz_dev * dev, int irq) {
37870 {
37871 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
37872 // VC layer stats
37873- atomic_inc(&vcc->stats->rx);
37874+ atomic_inc_unchecked(&vcc->stats->rx);
37875 __net_timestamp(skb);
37876 // end of our responsibility
37877 vcc->push (vcc, skb);
37878@@ -1170,7 +1170,7 @@ static void tx_schedule (hrz_dev * const dev, int irq) {
37879 dev->tx_iovec = NULL;
37880
37881 // VC layer stats
37882- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
37883+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
37884
37885 // free the skb
37886 hrz_kfree_skb (skb);
37887diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
37888index 074616b..d6b3d5f 100644
37889--- a/drivers/atm/idt77252.c
37890+++ b/drivers/atm/idt77252.c
37891@@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc)
37892 else
37893 dev_kfree_skb(skb);
37894
37895- atomic_inc(&vcc->stats->tx);
37896+ atomic_inc_unchecked(&vcc->stats->tx);
37897 }
37898
37899 atomic_dec(&scq->used);
37900@@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
37901 if ((sb = dev_alloc_skb(64)) == NULL) {
37902 printk("%s: Can't allocate buffers for aal0.\n",
37903 card->name);
37904- atomic_add(i, &vcc->stats->rx_drop);
37905+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
37906 break;
37907 }
37908 if (!atm_charge(vcc, sb->truesize)) {
37909 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
37910 card->name);
37911- atomic_add(i - 1, &vcc->stats->rx_drop);
37912+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
37913 dev_kfree_skb(sb);
37914 break;
37915 }
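Review bot: `atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);` gives no reason for the `- 1`, while the equivalent line in the nicstar.c dequeue_rx hunk of this patch carries `/* already increased by 1 */`. Presumably a failed `atm_charge()` has already counted one drop. I would add the same comment here so the two drivers read alike and nobody "fixes" the offset later. dequeue_rx starts and ends outside the hunk.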
37916@@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
37917 ATM_SKB(sb)->vcc = vcc;
37918 __net_timestamp(sb);
37919 vcc->push(vcc, sb);
37920- atomic_inc(&vcc->stats->rx);
37921+ atomic_inc_unchecked(&vcc->stats->rx);
37922
37923 cell += ATM_CELL_PAYLOAD;
37924 }
37925@@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
37926 "(CDC: %08x)\n",
37927 card->name, len, rpp->len, readl(SAR_REG_CDC));
37928 recycle_rx_pool_skb(card, rpp);
37929- atomic_inc(&vcc->stats->rx_err);
37930+ atomic_inc_unchecked(&vcc->stats->rx_err);
37931 return;
37932 }
37933 if (stat & SAR_RSQE_CRC) {
37934 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
37935 recycle_rx_pool_skb(card, rpp);
37936- atomic_inc(&vcc->stats->rx_err);
37937+ atomic_inc_unchecked(&vcc->stats->rx_err);
37938 return;
37939 }
37940 if (skb_queue_len(&rpp->queue) > 1) {
37941@@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
37942 RXPRINTK("%s: Can't alloc RX skb.\n",
37943 card->name);
37944 recycle_rx_pool_skb(card, rpp);
37945- atomic_inc(&vcc->stats->rx_err);
37946+ atomic_inc_unchecked(&vcc->stats->rx_err);
37947 return;
37948 }
37949 if (!atm_charge(vcc, skb->truesize)) {
37950@@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
37951 __net_timestamp(skb);
37952
37953 vcc->push(vcc, skb);
37954- atomic_inc(&vcc->stats->rx);
37955+ atomic_inc_unchecked(&vcc->stats->rx);
37956
37957 return;
37958 }
37959@@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
37960 __net_timestamp(skb);
37961
37962 vcc->push(vcc, skb);
37963- atomic_inc(&vcc->stats->rx);
37964+ atomic_inc_unchecked(&vcc->stats->rx);
37965
37966 if (skb->truesize > SAR_FB_SIZE_3)
37967 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
37968@@ -1302,14 +1302,14 @@ idt77252_rx_raw(struct idt77252_dev *card)
37969 if (vcc->qos.aal != ATM_AAL0) {
37970 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
37971 card->name, vpi, vci);
37972- atomic_inc(&vcc->stats->rx_drop);
37973+ atomic_inc_unchecked(&vcc->stats->rx_drop);
37974 goto drop;
37975 }
37976
37977 if ((sb = dev_alloc_skb(64)) == NULL) {
37978 printk("%s: Can't allocate buffers for AAL0.\n",
37979 card->name);
37980- atomic_inc(&vcc->stats->rx_err);
37981+ atomic_inc_unchecked(&vcc->stats->rx_err);
37982 goto drop;
37983 }
37984
37985@@ -1328,7 +1328,7 @@ idt77252_rx_raw(struct idt77252_dev *card)
37986 ATM_SKB(sb)->vcc = vcc;
37987 __net_timestamp(sb);
37988 vcc->push(vcc, sb);
37989- atomic_inc(&vcc->stats->rx);
37990+ atomic_inc_unchecked(&vcc->stats->rx);
37991
37992 drop:
37993 skb_pull(queue, 64);
37994@@ -1953,13 +1953,13 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
37995
37996 if (vc == NULL) {
37997 printk("%s: NULL connection in send().\n", card->name);
37998- atomic_inc(&vcc->stats->tx_err);
37999+ atomic_inc_unchecked(&vcc->stats->tx_err);
38000 dev_kfree_skb(skb);
38001 return -EINVAL;
38002 }
38003 if (!test_bit(VCF_TX, &vc->flags)) {
38004 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
38005- atomic_inc(&vcc->stats->tx_err);
38006+ atomic_inc_unchecked(&vcc->stats->tx_err);
38007 dev_kfree_skb(skb);
38008 return -EINVAL;
38009 }
38010@@ -1971,14 +1971,14 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
38011 break;
38012 default:
38013 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
38014- atomic_inc(&vcc->stats->tx_err);
38015+ atomic_inc_unchecked(&vcc->stats->tx_err);
38016 dev_kfree_skb(skb);
38017 return -EINVAL;
38018 }
38019
38020 if (skb_shinfo(skb)->nr_frags != 0) {
38021 printk("%s: No scatter-gather yet.\n", card->name);
38022- atomic_inc(&vcc->stats->tx_err);
38023+ atomic_inc_unchecked(&vcc->stats->tx_err);
38024 dev_kfree_skb(skb);
38025 return -EINVAL;
38026 }
38027@@ -1986,7 +1986,7 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
38028
38029 err = queue_skb(card, vc, skb, oam);
38030 if (err) {
38031- atomic_inc(&vcc->stats->tx_err);
38032+ atomic_inc_unchecked(&vcc->stats->tx_err);
38033 dev_kfree_skb(skb);
38034 return err;
38035 }
38036@@ -2009,7 +2009,7 @@ idt77252_send_oam(struct atm_vcc *vcc, void *cell, int flags)
38037 skb = dev_alloc_skb(64);
38038 if (!skb) {
38039 printk("%s: Out of memory in send_oam().\n", card->name);
38040- atomic_inc(&vcc->stats->tx_err);
38041+ atomic_inc_unchecked(&vcc->stats->tx_err);
38042 return -ENOMEM;
38043 }
38044 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
38045diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
38046index 65e6590..df77d04 100644
38047--- a/drivers/atm/iphase.c
38048+++ b/drivers/atm/iphase.c
38049@@ -1145,7 +1145,7 @@ static int rx_pkt(struct atm_dev *dev)
38050 status = (u_short) (buf_desc_ptr->desc_mode);
38051 if (status & (RX_CER | RX_PTE | RX_OFL))
38052 {
38053- atomic_inc(&vcc->stats->rx_err);
38054+ atomic_inc_unchecked(&vcc->stats->rx_err);
38055 IF_ERR(printk("IA: bad packet, dropping it");)
38056 if (status & RX_CER) {
38057 IF_ERR(printk(" cause: packet CRC error\n");)
38058@@ -1168,7 +1168,7 @@ static int rx_pkt(struct atm_dev *dev)
38059 len = dma_addr - buf_addr;
38060 if (len > iadev->rx_buf_sz) {
38061 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
38062- atomic_inc(&vcc->stats->rx_err);
38063+ atomic_inc_unchecked(&vcc->stats->rx_err);
38064 goto out_free_desc;
38065 }
38066
38067@@ -1318,7 +1318,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38068 ia_vcc = INPH_IA_VCC(vcc);
38069 if (ia_vcc == NULL)
38070 {
38071- atomic_inc(&vcc->stats->rx_err);
38072+ atomic_inc_unchecked(&vcc->stats->rx_err);
38073 atm_return(vcc, skb->truesize);
38074 dev_kfree_skb_any(skb);
38075 goto INCR_DLE;
38076@@ -1330,7 +1330,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38077 if ((length > iadev->rx_buf_sz) || (length >
38078 (skb->len - sizeof(struct cpcs_trailer))))
38079 {
38080- atomic_inc(&vcc->stats->rx_err);
38081+ atomic_inc_unchecked(&vcc->stats->rx_err);
38082 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
38083 length, skb->len);)
38084 atm_return(vcc, skb->truesize);
38085@@ -1346,7 +1346,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38086
38087 IF_RX(printk("rx_dle_intr: skb push");)
38088 vcc->push(vcc,skb);
38089- atomic_inc(&vcc->stats->rx);
38090+ atomic_inc_unchecked(&vcc->stats->rx);
38091 iadev->rx_pkt_cnt++;
38092 }
38093 INCR_DLE:
38094@@ -2828,15 +2828,15 @@ static int ia_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg)
38095 {
38096 struct k_sonet_stats *stats;
38097 stats = &PRIV(_ia_dev[board])->sonet_stats;
38098- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
38099- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
38100- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
38101- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
38102- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
38103- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
38104- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
38105- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
38106- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
38107+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
38108+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
38109+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
38110+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
38111+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
38112+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
38113+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
38114+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
38115+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
38116 }
38117 ia_cmds.status = 0;
38118 break;
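Review bot: `_ia_dev[board]` is indexed here with no range check on `board` visible in the hunk. ia_ioctl begins outside these lines, so confirm that `board` is validated against the number of probed adapters and that this command is privilege-gated before an ioctl caller can trigger the dump. Separately, the nine `printk` calls carry no log level; give them one, e.g. `printk(KERN_INFO "section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));`, so the output is filtered by the console log level like other driver messages.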
38119@@ -2941,7 +2941,7 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) {
38120 if ((desc == 0) || (desc > iadev->num_tx_desc))
38121 {
38122 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
38123- atomic_inc(&vcc->stats->tx);
38124+ atomic_inc_unchecked(&vcc->stats->tx);
38125 if (vcc->pop)
38126 vcc->pop(vcc, skb);
38127 else
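Review bot: The invalid-descriptor branch counts the rejected send in `stats->tx`, although the `IF_ERR` print right above marks it as an error path; `atomic_inc_unchecked(&vcc->stats->tx_err);` looks like what was intended. The conversion carries the old counter choice over unchanged, so per-VC transmit statistics over-report successes whenever descriptors run out. The rest of the branch lies outside the hunk, so check how it returns before changing the counter.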
38128@@ -3046,14 +3046,14 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) {
38129 ATM_DESC(skb) = vcc->vci;
38130 skb_queue_tail(&iadev->tx_dma_q, skb);
38131
38132- atomic_inc(&vcc->stats->tx);
38133+ atomic_inc_unchecked(&vcc->stats->tx);
38134 iadev->tx_pkt_cnt++;
38135 /* Increment transaction counter */
38136 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
38137
38138 #if 0
38139 /* add flow control logic */
38140- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
38141+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
38142 if (iavcc->vc_desc_cnt > 10) {
38143 vcc->tx_quota = vcc->tx_quota * 3 / 4;
38144 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
38145diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c
38146index ce43ae3..969de38 100644
38147--- a/drivers/atm/lanai.c
38148+++ b/drivers/atm/lanai.c
38149@@ -1295,7 +1295,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai,
38150 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
38151 lanai_endtx(lanai, lvcc);
38152 lanai_free_skb(lvcc->tx.atmvcc, skb);
38153- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
38154+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
38155 }
38156
38157 /* Try to fill the buffer - don't call unless there is backlog */
38158@@ -1418,7 +1418,7 @@ static void vcc_rx_aal5(struct lanai_vcc *lvcc, int endptr)
38159 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
38160 __net_timestamp(skb);
38161 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
38162- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
38163+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
38164 out:
38165 lvcc->rx.buf.ptr = end;
38166 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
38167@@ -1659,7 +1659,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
38168 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
38169 "vcc %d\n", lanai->number, (unsigned int) s, vci);
38170 lanai->stats.service_rxnotaal5++;
38171- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
38172+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
38173 return 0;
38174 }
38175 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
38176@@ -1671,7 +1671,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
38177 int bytes;
38178 read_unlock(&vcc_sklist_lock);
38179 DPRINTK("got trashed rx pdu on vci %d\n", vci);
38180- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
38181+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
38182 lvcc->stats.x.aal5.service_trash++;
38183 bytes = (SERVICE_GET_END(s) * 16) -
38184 (((unsigned long) lvcc->rx.buf.ptr) -
38185@@ -1683,7 +1683,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
38186 }
38187 if (s & SERVICE_STREAM) {
38188 read_unlock(&vcc_sklist_lock);
38189- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
38190+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
38191 lvcc->stats.x.aal5.service_stream++;
38192 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
38193 "PDU on VCI %d!\n", lanai->number, vci);
38194@@ -1691,7 +1691,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
38195 return 0;
38196 }
38197 DPRINTK("got rx crc error on vci %d\n", vci);
38198- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
38199+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
38200 lvcc->stats.x.aal5.service_rxcrc++;
38201 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
38202 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
38203diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
38204index ddc4ceb..36e29aa 100644
38205--- a/drivers/atm/nicstar.c
38206+++ b/drivers/atm/nicstar.c
38207@@ -1632,7 +1632,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38208 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
38209 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
38210 card->index);
38211- atomic_inc(&vcc->stats->tx_err);
38212+ atomic_inc_unchecked(&vcc->stats->tx_err);
38213 dev_kfree_skb_any(skb);
38214 return -EINVAL;
38215 }
38216@@ -1640,7 +1640,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38217 if (!vc->tx) {
38218 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
38219 card->index);
38220- atomic_inc(&vcc->stats->tx_err);
38221+ atomic_inc_unchecked(&vcc->stats->tx_err);
38222 dev_kfree_skb_any(skb);
38223 return -EINVAL;
38224 }
38225@@ -1648,14 +1648,14 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38226 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
38227 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
38228 card->index);
38229- atomic_inc(&vcc->stats->tx_err);
38230+ atomic_inc_unchecked(&vcc->stats->tx_err);
38231 dev_kfree_skb_any(skb);
38232 return -EINVAL;
38233 }
38234
38235 if (skb_shinfo(skb)->nr_frags != 0) {
38236 printk("nicstar%d: No scatter-gather yet.\n", card->index);
38237- atomic_inc(&vcc->stats->tx_err);
38238+ atomic_inc_unchecked(&vcc->stats->tx_err);
38239 dev_kfree_skb_any(skb);
38240 return -EINVAL;
38241 }
38242@@ -1703,11 +1703,11 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38243 }
38244
38245 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
38246- atomic_inc(&vcc->stats->tx_err);
38247+ atomic_inc_unchecked(&vcc->stats->tx_err);
38248 dev_kfree_skb_any(skb);
38249 return -EIO;
38250 }
38251- atomic_inc(&vcc->stats->tx);
38252+ atomic_inc_unchecked(&vcc->stats->tx);
38253
38254 return 0;
38255 }
38256@@ -2024,14 +2024,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38257 printk
38258 ("nicstar%d: Can't allocate buffers for aal0.\n",
38259 card->index);
38260- atomic_add(i, &vcc->stats->rx_drop);
38261+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
38262 break;
38263 }
38264 if (!atm_charge(vcc, sb->truesize)) {
38265 RXPRINTK
38266 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
38267 card->index);
38268- atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
38269+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
38270 dev_kfree_skb_any(sb);
38271 break;
38272 }
38273@@ -2046,7 +2046,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38274 ATM_SKB(sb)->vcc = vcc;
38275 __net_timestamp(sb);
38276 vcc->push(vcc, sb);
38277- atomic_inc(&vcc->stats->rx);
38278+ atomic_inc_unchecked(&vcc->stats->rx);
38279 cell += ATM_CELL_PAYLOAD;
38280 }
38281
38282@@ -2063,7 +2063,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38283 if (iovb == NULL) {
38284 printk("nicstar%d: Out of iovec buffers.\n",
38285 card->index);
38286- atomic_inc(&vcc->stats->rx_drop);
38287+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38288 recycle_rx_buf(card, skb);
38289 return;
38290 }
38291@@ -2087,7 +2087,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38292 small or large buffer itself. */
38293 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
38294 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
38295- atomic_inc(&vcc->stats->rx_err);
38296+ atomic_inc_unchecked(&vcc->stats->rx_err);
38297 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38298 NS_MAX_IOVECS);
38299 NS_PRV_IOVCNT(iovb) = 0;
38300@@ -2107,7 +2107,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38301 ("nicstar%d: Expected a small buffer, and this is not one.\n",
38302 card->index);
38303 which_list(card, skb);
38304- atomic_inc(&vcc->stats->rx_err);
38305+ atomic_inc_unchecked(&vcc->stats->rx_err);
38306 recycle_rx_buf(card, skb);
38307 vc->rx_iov = NULL;
38308 recycle_iov_buf(card, iovb);
38309@@ -2120,7 +2120,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38310 ("nicstar%d: Expected a large buffer, and this is not one.\n",
38311 card->index);
38312 which_list(card, skb);
38313- atomic_inc(&vcc->stats->rx_err);
38314+ atomic_inc_unchecked(&vcc->stats->rx_err);
38315 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38316 NS_PRV_IOVCNT(iovb));
38317 vc->rx_iov = NULL;
38318@@ -2143,7 +2143,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38319 printk(" - PDU size mismatch.\n");
38320 else
38321 printk(".\n");
38322- atomic_inc(&vcc->stats->rx_err);
38323+ atomic_inc_unchecked(&vcc->stats->rx_err);
38324 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38325 NS_PRV_IOVCNT(iovb));
38326 vc->rx_iov = NULL;
38327@@ -2157,14 +2157,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38328 /* skb points to a small buffer */
38329 if (!atm_charge(vcc, skb->truesize)) {
38330 push_rxbufs(card, skb);
38331- atomic_inc(&vcc->stats->rx_drop);
38332+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38333 } else {
38334 skb_put(skb, len);
38335 dequeue_sm_buf(card, skb);
38336 ATM_SKB(skb)->vcc = vcc;
38337 __net_timestamp(skb);
38338 vcc->push(vcc, skb);
38339- atomic_inc(&vcc->stats->rx);
38340+ atomic_inc_unchecked(&vcc->stats->rx);
38341 }
38342 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
38343 struct sk_buff *sb;
38344@@ -2175,14 +2175,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38345 if (len <= NS_SMBUFSIZE) {
38346 if (!atm_charge(vcc, sb->truesize)) {
38347 push_rxbufs(card, sb);
38348- atomic_inc(&vcc->stats->rx_drop);
38349+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38350 } else {
38351 skb_put(sb, len);
38352 dequeue_sm_buf(card, sb);
38353 ATM_SKB(sb)->vcc = vcc;
38354 __net_timestamp(sb);
38355 vcc->push(vcc, sb);
38356- atomic_inc(&vcc->stats->rx);
38357+ atomic_inc_unchecked(&vcc->stats->rx);
38358 }
38359
38360 push_rxbufs(card, skb);
38361@@ -2191,7 +2191,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38362
38363 if (!atm_charge(vcc, skb->truesize)) {
38364 push_rxbufs(card, skb);
38365- atomic_inc(&vcc->stats->rx_drop);
38366+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38367 } else {
38368 dequeue_lg_buf(card, skb);
38369 skb_push(skb, NS_SMBUFSIZE);
38370@@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38371 ATM_SKB(skb)->vcc = vcc;
38372 __net_timestamp(skb);
38373 vcc->push(vcc, skb);
38374- atomic_inc(&vcc->stats->rx);
38375+ atomic_inc_unchecked(&vcc->stats->rx);
38376 }
38377
38378 push_rxbufs(card, sb);
38379@@ -2222,7 +2222,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38380 printk
38381 ("nicstar%d: Out of huge buffers.\n",
38382 card->index);
38383- atomic_inc(&vcc->stats->rx_drop);
38384+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38385 recycle_iovec_rx_bufs(card,
38386 (struct iovec *)
38387 iovb->data,
38388@@ -2273,7 +2273,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38389 card->hbpool.count++;
38390 } else
38391 dev_kfree_skb_any(hb);
38392- atomic_inc(&vcc->stats->rx_drop);
38393+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38394 } else {
38395 /* Copy the small buffer to the huge buffer */
38396 sb = (struct sk_buff *)iov->iov_base;
38397@@ -2307,7 +2307,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38398 ATM_SKB(hb)->vcc = vcc;
38399 __net_timestamp(hb);
38400 vcc->push(vcc, hb);
38401- atomic_inc(&vcc->stats->rx);
38402+ atomic_inc_unchecked(&vcc->stats->rx);
38403 }
38404 }
38405
38406diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c
38407index 74e18b0..f16afa0 100644
38408--- a/drivers/atm/solos-pci.c
38409+++ b/drivers/atm/solos-pci.c
38410@@ -838,7 +838,7 @@ static void solos_bh(unsigned long card_arg)
38411 }
38412 atm_charge(vcc, skb->truesize);
38413 vcc->push(vcc, skb);
38414- atomic_inc(&vcc->stats->rx);
38415+ atomic_inc_unchecked(&vcc->stats->rx);
38416 break;
38417
38418 case PKT_STATUS:
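Review bot: The result of `atm_charge(vcc, skb->truesize)` is ignored before `vcc->push()`, while the nicstar.c and idt77252.c hunks in this patch treat a zero return as a drop and do not push the buffer. If `atm_charge()` fails here, the skb is still delivered and `stats->rx` is incremented on top of whatever drop accounting `atm_charge()` did. Consider `if (!atm_charge(vcc, skb->truesize)) { dev_kfree_skb_any(skb); break; }`, or a comment explaining why the receive-buffer limit is deliberately not enforced in this driver. solos_bh starts and ends outside the hunk.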
38419@@ -1116,7 +1116,7 @@ static uint32_t fpga_tx(struct solos_card *card)
38420 vcc = SKB_CB(oldskb)->vcc;
38421
38422 if (vcc) {
38423- atomic_inc(&vcc->stats->tx);
38424+ atomic_inc_unchecked(&vcc->stats->tx);
38425 solos_pop(vcc, oldskb);
38426 } else {
38427 dev_kfree_skb_irq(oldskb);
38428diff --git a/drivers/atm/suni.c b/drivers/atm/suni.c
38429index 0215934..ce9f5b1 100644
38430--- a/drivers/atm/suni.c
38431+++ b/drivers/atm/suni.c
38432@@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
38433
38434
38435 #define ADD_LIMITED(s,v) \
38436- atomic_add((v),&stats->s); \
38437- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
38438+ atomic_add_unchecked((v),&stats->s); \
38439+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
38440
38441
38442 static void suni_hz(unsigned long from_timer)
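Review bot: ADD_LIMITED in suni.c still expands to two bare statements, so if it is ever used as the body of an unbraced `if` only the add is conditional and the clamp runs every time. Wrapping it as `do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)` removes that hazard. The uPD98402.c variant further down uses a plain `{ }` block, which has the related `if`/`else` problem. The add, read and set are three separate atomic operations, so the saturation at INT_MAX is best effort under concurrent updates, which deserves a one-line comment. The macro's call sites are outside this hunk.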
38443diff --git a/drivers/atm/uPD98402.c b/drivers/atm/uPD98402.c
38444index 5120a96..e2572bd 100644
38445--- a/drivers/atm/uPD98402.c
38446+++ b/drivers/atm/uPD98402.c
38447@@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *dev,struct sonet_stats __user *arg,int ze
38448 struct sonet_stats tmp;
38449 int error = 0;
38450
38451- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
38452+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
38453 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
38454 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
38455 if (zero && !error) {
38456@@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg)
38457
38458
38459 #define ADD_LIMITED(s,v) \
38460- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
38461- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
38462- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
38463+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
38464+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
38465+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
38466
38467
38468 static void stat_event(struct atm_dev *dev)
38469@@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev *dev)
38470 if (reason & uPD98402_INT_PFM) stat_event(dev);
38471 if (reason & uPD98402_INT_PCO) {
38472 (void) GET(PCOCR); /* clear interrupt cause */
38473- atomic_add(GET(HECCT),
38474+ atomic_add_unchecked(GET(HECCT),
38475 &PRIV(dev)->sonet_stats.uncorr_hcs);
38476 }
38477 if ((reason & uPD98402_INT_RFO) &&
38478@@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev *dev)
38479 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
38480 uPD98402_INT_LOS),PIMR); /* enable them */
38481 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
38482- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
38483- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
38484- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
38485+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
38486+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
38487+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
38488 return 0;
38489 }
38490
38491diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
38492index cecfb94..87009ec 100644
38493--- a/drivers/atm/zatm.c
38494+++ b/drivers/atm/zatm.c
38495@@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]);
38496 }
38497 if (!size) {
38498 dev_kfree_skb_irq(skb);
38499- if (vcc) atomic_inc(&vcc->stats->rx_err);
38500+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
38501 continue;
38502 }
38503 if (!atm_charge(vcc,skb->truesize)) {
38504@@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]);
38505 skb->len = size;
38506 ATM_SKB(skb)->vcc = vcc;
38507 vcc->push(vcc,skb);
38508- atomic_inc(&vcc->stats->rx);
38509+ atomic_inc_unchecked(&vcc->stats->rx);
38510 }
38511 zout(pos & 0xffff,MTA(mbx));
38512 #if 0 /* probably a stupid idea */
38513@@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD_V | uPD98401_TXPD_DP |
38514 skb_queue_head(&zatm_vcc->backlog,skb);
38515 break;
38516 }
38517- atomic_inc(&vcc->stats->tx);
38518+ atomic_inc_unchecked(&vcc->stats->tx);
38519 wake_up(&zatm_vcc->tx_wait);
38520 }
38521
38522diff --git a/drivers/base/bus.c b/drivers/base/bus.c
38523index 5005924..9fc06c4 100644
38524--- a/drivers/base/bus.c
38525+++ b/drivers/base/bus.c
38526@@ -1141,7 +1141,7 @@ int subsys_interface_register(struct subsys_interface *sif)
38527 return -EINVAL;
38528
38529 mutex_lock(&subsys->p->mutex);
38530- list_add_tail(&sif->node, &subsys->p->interfaces);
38531+ pax_list_add_tail((struct list_head *)&sif->node, &subsys->p->interfaces);
38532 if (sif->add_dev) {
38533 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
38534 while ((dev = subsys_dev_iter_next(&iter)))
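Review bot: The `(struct list_head *)` cast on `&sif->node` in subsys_interface_register() discards whatever qualifier the node carries, so the compiler can no longer warn if this path is handed an object that must not be written. The same cast appears in subsys_interface_unregister() in the next hunk and in both drivers/base/syscore.c hunks. Presumably the structure is constified and `pax_list_add_tail()` performs the write inside an open-kernel window, but neither is visible here. A comment at the first cast would record that, for example `/* sif may be read-only; pax_list_* is the only sanctioned writer of ->node */`.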
38535@@ -1166,7 +1166,7 @@ void subsys_interface_unregister(struct subsys_interface *sif)
38536 subsys = sif->subsys;
38537
38538 mutex_lock(&subsys->p->mutex);
38539- list_del_init(&sif->node);
38540+ pax_list_del_init((struct list_head *)&sif->node);
38541 if (sif->remove_dev) {
38542 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
38543 while ((dev = subsys_dev_iter_next(&iter)))
38544diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
38545index 68f0314..ca2a609 100644
38546--- a/drivers/base/devtmpfs.c
38547+++ b/drivers/base/devtmpfs.c
38548@@ -354,7 +354,7 @@ int devtmpfs_mount(const char *mntdir)
38549 if (!thread)
38550 return 0;
38551
38552- err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
38553+ err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
38554 if (err)
38555 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
38556 else
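Review bot: The `(char __force_user *)` casts in devtmpfs_mount() hand kernel-resident strings to `sys_mount()` where it expects user pointers, and nothing in the hunk states the assumption that makes this valid. The devtmpfsd() hunk that follows does the same for `sys_mount()`, `sys_chdir()` and `sys_chroot()`. These calls presumably run in a context where the kernel address limit is in force, but that should be confirmed and written down, since the cast also silences the checker that would catch a real user/kernel mix-up. I would add `/* kernel strings passed as __user: only valid while running with the kernel address limit */` above the first call. Both functions start outside their hunks.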
38557@@ -380,11 +380,11 @@ static int devtmpfsd(void *p)
38558 *err = sys_unshare(CLONE_NEWNS);
38559 if (*err)
38560 goto out;
38561- *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options);
38562+ *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options);
38563 if (*err)
38564 goto out;
38565- sys_chdir("/.."); /* will traverse into overmounted root */
38566- sys_chroot(".");
38567+ sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */
38568+ sys_chroot((char __force_user *)".");
38569 complete(&setup_done);
38570 while (1) {
38571 spin_lock(&req_lock);
38572diff --git a/drivers/base/node.c b/drivers/base/node.c
38573index 560751b..3a4847a 100644
38574--- a/drivers/base/node.c
38575+++ b/drivers/base/node.c
38576@@ -627,7 +627,7 @@ static ssize_t print_nodes_state(enum node_states state, char *buf)
38577 struct node_attr {
38578 struct device_attribute attr;
38579 enum node_states state;
38580-};
38581+} __do_const;
38582
38583 static ssize_t show_node_state(struct device *dev,
38584 struct device_attribute *attr, char *buf)
38585diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
38586index 0ee43c1..369dd62 100644
38587--- a/drivers/base/power/domain.c
38588+++ b/drivers/base/power/domain.c
38589@@ -1738,7 +1738,7 @@ int pm_genpd_attach_cpuidle(struct generic_pm_domain *genpd, int state)
38590 {
38591 struct cpuidle_driver *cpuidle_drv;
38592 struct gpd_cpuidle_data *cpuidle_data;
38593- struct cpuidle_state *idle_state;
38594+ cpuidle_state_no_const *idle_state;
38595 int ret = 0;
38596
38597 if (IS_ERR_OR_NULL(genpd) || state < 0)
38598@@ -1806,7 +1806,7 @@ int pm_genpd_name_attach_cpuidle(const char *name, int state)
38599 int pm_genpd_detach_cpuidle(struct generic_pm_domain *genpd)
38600 {
38601 struct gpd_cpuidle_data *cpuidle_data;
38602- struct cpuidle_state *idle_state;
38603+ cpuidle_state_no_const *idle_state;
38604 int ret = 0;
38605
38606 if (IS_ERR_OR_NULL(genpd))
38607@@ -2241,8 +2241,11 @@ int genpd_dev_pm_attach(struct device *dev)
38608 return ret;
38609 }
38610
38611- dev->pm_domain->detach = genpd_dev_pm_detach;
38612- dev->pm_domain->sync = genpd_dev_pm_sync;
38613+ pax_open_kernel();
38614+ *(void **)&dev->pm_domain->detach = genpd_dev_pm_detach;
38615+ *(void **)&dev->pm_domain->sync = genpd_dev_pm_sync;
38616+ pax_close_kernel();
38617+
38618 pm_genpd_poweron(pd);
38619
38620 return 0;
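Review bot: The stores `*(void **)&dev->pm_domain->detach = genpd_dev_pm_detach;` and the matching one for `->sync` go through a `void **`, so the compiler no longer checks that the handlers match the fields' function-pointer types. A later signature change would compile silently and show up only as a bad indirect call. The open-kernel window is kept to the two assignments, which is good, but the reason it is needed (the ops structure is presumably read-only under constification) is not stated. I would add `/* pm_domain ops are read-only; patch the two callbacks inside the open-kernel window only */` before `pax_open_kernel();` and consider a cast that keeps the field type. genpd_dev_pm_attach() starts outside the hunk.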
38621diff --git a/drivers/base/power/sysfs.c b/drivers/base/power/sysfs.c
38622index d2be3f9..0a3167a 100644
38623--- a/drivers/base/power/sysfs.c
38624+++ b/drivers/base/power/sysfs.c
38625@@ -181,7 +181,7 @@ static ssize_t rtpm_status_show(struct device *dev,
38626 return -EIO;
38627 }
38628 }
38629- return sprintf(buf, p);
38630+ return sprintf(buf, "%s", p);
38631 }
38632
38633 static DEVICE_ATTR(runtime_status, 0444, rtpm_status_show, NULL);
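Review bot: With the format-string problem fixed, the remaining weakness in rtpm_status_show() is that `sprintf(buf, "%s", p)` is still unbounded. The strings assigned to `p` are outside the hunk and are presumably short literals, so this is hardening rather than a live overflow. Since sysfs show buffers are one page, `return scnprintf(buf, PAGE_SIZE, "%s", p);` states the bound explicitly and keeps the return value equal to the bytes written.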
38634diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
38635index 51f15bc..892a668 100644
38636--- a/drivers/base/power/wakeup.c
38637+++ b/drivers/base/power/wakeup.c
38638@@ -33,14 +33,14 @@ static bool pm_abort_suspend __read_mostly;
38639 * They need to be modified together atomically, so it's better to use one
38640 * atomic variable to hold them both.
38641 */
38642-static atomic_t combined_event_count = ATOMIC_INIT(0);
38643+static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
38644
38645 #define IN_PROGRESS_BITS (sizeof(int) * 4)
38646 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
38647
38648 static void split_counters(unsigned int *cnt, unsigned int *inpr)
38649 {
38650- unsigned int comb = atomic_read(&combined_event_count);
38651+ unsigned int comb = atomic_read_unchecked(&combined_event_count);
38652
38653 *cnt = (comb >> IN_PROGRESS_BITS);
38654 *inpr = comb & MAX_IN_PROGRESS;
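Review bot: The declaration of `combined_event_count` changes to `atomic_unchecked_t` without the comment above it saying why overflow detection must be off for this variable. From the visible arithmetic, the upper half of the word is a free-running count of registered events (`comb >> IN_PROGRESS_BITS`) and `wakeup_source_deactivate()` adds `MAX_IN_PROGRESS` to it, so the signed value is expected to wrap in normal operation. I would extend the existing block comment with `* The combined word wraps by design, so it must not be an overflow-checked atomic.` so that a later cleanup does not convert it back.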
38655@@ -537,7 +537,7 @@ static void wakeup_source_activate(struct wakeup_source *ws)
38656 ws->start_prevent_time = ws->last_time;
38657
38658 /* Increment the counter of events in progress. */
38659- cec = atomic_inc_return(&combined_event_count);
38660+ cec = atomic_inc_return_unchecked(&combined_event_count);
38661
38662 trace_wakeup_source_activate(ws->name, cec);
38663 }
38664@@ -663,7 +663,7 @@ static void wakeup_source_deactivate(struct wakeup_source *ws)
38665 * Increment the counter of registered wakeup events and decrement the
38666 * couter of wakeup events in progress simultaneously.
38667 */
38668- cec = atomic_add_return(MAX_IN_PROGRESS, &combined_event_count);
38669+ cec = atomic_add_return_unchecked(MAX_IN_PROGRESS, &combined_event_count);
38670 trace_wakeup_source_deactivate(ws->name, cec);
38671
38672 split_counters(&cnt, &inpr);
38673diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
38674index 5799a0b..f7c7a7e 100644
38675--- a/drivers/base/regmap/regmap-debugfs.c
38676+++ b/drivers/base/regmap/regmap-debugfs.c
38677@@ -30,10 +30,9 @@ static LIST_HEAD(regmap_debugfs_early_list);
38678 static DEFINE_MUTEX(regmap_debugfs_early_lock);
38679
38680 /* Calculate the length of a fixed format */
38681-static size_t regmap_calc_reg_len(int max_val, char *buf, size_t buf_size)
38682+static size_t regmap_calc_reg_len(int max_val)
38683 {
38684- snprintf(buf, buf_size, "%x", max_val);
38685- return strlen(buf);
38686+ return snprintf(NULL, 0, "%x", max_val);
38687 }
38688
38689 static ssize_t regmap_name_read_file(struct file *file,
38690@@ -174,8 +173,7 @@ static inline void regmap_calc_tot_len(struct regmap *map,
38691 {
38692 /* Calculate the length of a fixed format */
38693 if (!map->debugfs_tot_len) {
38694- map->debugfs_reg_len = regmap_calc_reg_len(map->max_register,
38695- buf, count);
38696+ map->debugfs_reg_len = regmap_calc_reg_len(map->max_register);
38697 map->debugfs_val_len = 2 * map->format.val_bytes;
38698 map->debugfs_tot_len = map->debugfs_reg_len +
38699 map->debugfs_val_len + 3; /* : \n */
38700@@ -405,7 +403,7 @@ static ssize_t regmap_access_read_file(struct file *file,
38701 char __user *user_buf, size_t count,
38702 loff_t *ppos)
38703 {
38704- int reg_len, tot_len;
38705+ size_t reg_len, tot_len;
38706 size_t buf_pos = 0;
38707 loff_t p = 0;
38708 ssize_t ret;
38709@@ -421,7 +419,7 @@ static ssize_t regmap_access_read_file(struct file *file,
38710 return -ENOMEM;
38711
38712 /* Calculate the length of a fixed format */
38713- reg_len = regmap_calc_reg_len(map->max_register, buf, count);
38714+ reg_len = regmap_calc_reg_len(map->max_register);
38715 tot_len = reg_len + 10; /* ': R W V P\n' */
38716
38717 for (i = 0; i <= map->max_register; i += map->reg_stride) {
38718@@ -432,7 +430,7 @@ static ssize_t regmap_access_read_file(struct file *file,
38719 /* If we're in the region the user is trying to read */
38720 if (p >= *ppos) {
38721 /* ...but not beyond it */
38722- if (buf_pos >= count - 1 - tot_len)
38723+ if (buf_pos + tot_len + 1 >= count)
38724 break;
38725
38726 /* Format the register */
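Review bot: The new bound `if (buf_pos + tot_len + 1 >= count)` in regmap_access_read_file() carries no comment explaining why it is written as an addition, although that is the security-relevant part of this change. The old form `count - 1 - tot_len` is evaluated as unsigned, so a `count` smaller than one formatted line wraps to a huge value and the check never stops the loop. I would replace the `/* ...but not beyond it */` comment with `/* ...but not beyond it; written as an addition so a small count cannot wrap */`. The function starts in an earlier hunk and continues past this one.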
38727diff --git a/drivers/base/syscore.c b/drivers/base/syscore.c
38728index 8d98a32..61d3165 100644
38729--- a/drivers/base/syscore.c
38730+++ b/drivers/base/syscore.c
38731@@ -22,7 +22,7 @@ static DEFINE_MUTEX(syscore_ops_lock);
38732 void register_syscore_ops(struct syscore_ops *ops)
38733 {
38734 mutex_lock(&syscore_ops_lock);
38735- list_add_tail(&ops->node, &syscore_ops_list);
38736+ pax_list_add_tail((struct list_head *)&ops->node, &syscore_ops_list);
38737 mutex_unlock(&syscore_ops_lock);
38738 }
38739 EXPORT_SYMBOL_GPL(register_syscore_ops);
38740@@ -34,7 +34,7 @@ EXPORT_SYMBOL_GPL(register_syscore_ops);
38741 void unregister_syscore_ops(struct syscore_ops *ops)
38742 {
38743 mutex_lock(&syscore_ops_lock);
38744- list_del(&ops->node);
38745+ pax_list_del((struct list_head *)&ops->node);
38746 mutex_unlock(&syscore_ops_lock);
38747 }
38748 EXPORT_SYMBOL_GPL(unregister_syscore_ops);
38749diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
38750index 0422c47..b222c7a 100644
38751--- a/drivers/block/cciss.c
38752+++ b/drivers/block/cciss.c
38753@@ -3024,7 +3024,7 @@ static void start_io(ctlr_info_t *h)
38754 while (!list_empty(&h->reqQ)) {
38755 c = list_entry(h->reqQ.next, CommandList_struct, list);
38756 /* can't do anything if fifo is full */
38757- if ((h->access.fifo_full(h))) {
38758+ if ((h->access->fifo_full(h))) {
38759 dev_warn(&h->pdev->dev, "fifo full\n");
38760 break;
38761 }
38762@@ -3034,7 +3034,7 @@ static void start_io(ctlr_info_t *h)
38763 h->Qdepth--;
38764
38765 /* Tell the controller execute command */
38766- h->access.submit_command(h, c);
38767+ h->access->submit_command(h, c);
38768
38769 /* Put job onto the completed Q */
38770 addQ(&h->cmpQ, c);
38771@@ -3460,17 +3460,17 @@ startio:
38772
38773 static inline unsigned long get_next_completion(ctlr_info_t *h)
38774 {
38775- return h->access.command_completed(h);
38776+ return h->access->command_completed(h);
38777 }
38778
38779 static inline int interrupt_pending(ctlr_info_t *h)
38780 {
38781- return h->access.intr_pending(h);
38782+ return h->access->intr_pending(h);
38783 }
38784
38785 static inline long interrupt_not_for_us(ctlr_info_t *h)
38786 {
38787- return ((h->access.intr_pending(h) == 0) ||
38788+ return ((h->access->intr_pending(h) == 0) ||
38789 (h->interrupts_enabled == 0));
38790 }
38791
38792@@ -3503,7 +3503,7 @@ static inline u32 next_command(ctlr_info_t *h)
38793 u32 a;
38794
38795 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
38796- return h->access.command_completed(h);
38797+ return h->access->command_completed(h);
38798
38799 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
38800 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
38801@@ -4060,7 +4060,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h)
38802 trans_support & CFGTBL_Trans_use_short_tags);
38803
38804 /* Change the access methods to the performant access methods */
38805- h->access = SA5_performant_access;
38806+ h->access = &SA5_performant_access;
38807 h->transMethod = CFGTBL_Trans_Performant;
38808
38809 return;
38810@@ -4334,7 +4334,7 @@ static int cciss_pci_init(ctlr_info_t *h)
38811 if (prod_index < 0)
38812 return -ENODEV;
38813 h->product_name = products[prod_index].product_name;
38814- h->access = *(products[prod_index].access);
38815+ h->access = products[prod_index].access;
38816
38817 if (cciss_board_disabled(h)) {
38818 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
38819@@ -5065,7 +5065,7 @@ reinit_after_soft_reset:
38820 }
38821
38822 /* make sure the board interrupts are off */
38823- h->access.set_intr_mask(h, CCISS_INTR_OFF);
38824+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
38825 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
38826 if (rc)
38827 goto clean2;
38828@@ -5115,7 +5115,7 @@ reinit_after_soft_reset:
38829 * fake ones to scoop up any residual completions.
38830 */
38831 spin_lock_irqsave(&h->lock, flags);
38832- h->access.set_intr_mask(h, CCISS_INTR_OFF);
38833+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
38834 spin_unlock_irqrestore(&h->lock, flags);
38835 free_irq(h->intr[h->intr_mode], h);
38836 rc = cciss_request_irq(h, cciss_msix_discard_completions,
38837@@ -5135,9 +5135,9 @@ reinit_after_soft_reset:
38838 dev_info(&h->pdev->dev, "Board READY.\n");
38839 dev_info(&h->pdev->dev,
38840 "Waiting for stale completions to drain.\n");
38841- h->access.set_intr_mask(h, CCISS_INTR_ON);
38842+ h->access->set_intr_mask(h, CCISS_INTR_ON);
38843 msleep(10000);
38844- h->access.set_intr_mask(h, CCISS_INTR_OFF);
38845+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
38846
38847 rc = controller_reset_failed(h->cfgtable);
38848 if (rc)
38849@@ -5160,7 +5160,7 @@ reinit_after_soft_reset:
38850 cciss_scsi_setup(h);
38851
38852 /* Turn the interrupts on so we can service requests */
38853- h->access.set_intr_mask(h, CCISS_INTR_ON);
38854+ h->access->set_intr_mask(h, CCISS_INTR_ON);
38855
38856 /* Get the firmware version */
38857 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
38858@@ -5232,7 +5232,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
38859 kfree(flush_buf);
38860 if (return_code != IO_OK)
38861 dev_warn(&h->pdev->dev, "Error flushing cache\n");
38862- h->access.set_intr_mask(h, CCISS_INTR_OFF);
38863+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
38864 free_irq(h->intr[h->intr_mode], h);
38865 }
38866
38867diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h
38868index 7fda30e..2f27946 100644
38869--- a/drivers/block/cciss.h
38870+++ b/drivers/block/cciss.h
38871@@ -101,7 +101,7 @@ struct ctlr_info
38872 /* information about each logical volume */
38873 drive_info_struct *drv[CISS_MAX_LUN];
38874
38875- struct access_method access;
38876+ struct access_method *access;
38877
38878 /* queue and queue Info */
38879 struct list_head reqQ;
38880@@ -402,27 +402,27 @@ static bool SA5_performant_intr_pending(ctlr_info_t *h)
38881 }
38882
38883 static struct access_method SA5_access = {
38884- SA5_submit_command,
38885- SA5_intr_mask,
38886- SA5_fifo_full,
38887- SA5_intr_pending,
38888- SA5_completed,
38889+ .submit_command = SA5_submit_command,
38890+ .set_intr_mask = SA5_intr_mask,
38891+ .fifo_full = SA5_fifo_full,
38892+ .intr_pending = SA5_intr_pending,
38893+ .command_completed = SA5_completed,
38894 };
38895
38896 static struct access_method SA5B_access = {
38897- SA5_submit_command,
38898- SA5B_intr_mask,
38899- SA5_fifo_full,
38900- SA5B_intr_pending,
38901- SA5_completed,
38902+ .submit_command = SA5_submit_command,
38903+ .set_intr_mask = SA5B_intr_mask,
38904+ .fifo_full = SA5_fifo_full,
38905+ .intr_pending = SA5B_intr_pending,
38906+ .command_completed = SA5_completed,
38907 };
38908
38909 static struct access_method SA5_performant_access = {
38910- SA5_submit_command,
38911- SA5_performant_intr_mask,
38912- SA5_fifo_full,
38913- SA5_performant_intr_pending,
38914- SA5_performant_completed,
38915+ .submit_command = SA5_submit_command,
38916+ .set_intr_mask = SA5_performant_intr_mask,
38917+ .fifo_full = SA5_fifo_full,
38918+ .intr_pending = SA5_performant_intr_pending,
38919+ .command_completed = SA5_performant_completed,
38920 };
38921
38922 struct board_type {
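Review bot: Every controller now shares the `SA5_access`, `SA5B_access` and `SA5_performant_access` tables through `h->access`, but the tables are still declared `static struct access_method`, without `const`. Previously each `ctlr_info` held a private copy, so after this change a stray write to one table would redirect the indirect calls of every controller. Declaring them `static const struct access_method SA5_access = {` (likewise for the other two) and the field as `const struct access_method *access;` makes the read-only intent hold without relying on a compiler plugin. The `access` member of `struct board_type`, which begins on the hunk's last line, would need the same qualifier.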
38923diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
38924index f749df9..5f8b9c4 100644
38925--- a/drivers/block/cpqarray.c
38926+++ b/drivers/block/cpqarray.c
38927@@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
38928 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
38929 goto Enomem4;
38930 }
38931- hba[i]->access.set_intr_mask(hba[i], 0);
38932+ hba[i]->access->set_intr_mask(hba[i], 0);
38933 if (request_irq(hba[i]->intr, do_ida_intr, IRQF_SHARED,
38934 hba[i]->devname, hba[i]))
38935 {
38936@@ -459,7 +459,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
38937 add_timer(&hba[i]->timer);
38938
38939 /* Enable IRQ now that spinlock and rate limit timer are set up */
38940- hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
38941+ hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
38942
38943 for(j=0; j<NWD; j++) {
38944 struct gendisk *disk = ida_gendisk[i][j];
38945@@ -694,7 +694,7 @@ DBGINFO(
38946 for(i=0; i<NR_PRODUCTS; i++) {
38947 if (board_id == products[i].board_id) {
38948 c->product_name = products[i].product_name;
38949- c->access = *(products[i].access);
38950+ c->access = products[i].access;
38951 break;
38952 }
38953 }
38954@@ -792,7 +792,7 @@ static int cpqarray_eisa_detect(void)
38955 hba[ctlr]->intr = intr;
38956 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
38957 hba[ctlr]->product_name = products[j].product_name;
38958- hba[ctlr]->access = *(products[j].access);
38959+ hba[ctlr]->access = products[j].access;
38960 hba[ctlr]->ctlr = ctlr;
38961 hba[ctlr]->board_id = board_id;
38962 hba[ctlr]->pci_dev = NULL; /* not PCI */
38963@@ -978,7 +978,7 @@ static void start_io(ctlr_info_t *h)
38964
38965 while((c = h->reqQ) != NULL) {
38966 /* Can't do anything if we're busy */
38967- if (h->access.fifo_full(h) == 0)
38968+ if (h->access->fifo_full(h) == 0)
38969 return;
38970
38971 /* Get the first entry from the request Q */
38972@@ -986,7 +986,7 @@ static void start_io(ctlr_info_t *h)
38973 h->Qdepth--;
38974
38975 /* Tell the controller to do our bidding */
38976- h->access.submit_command(h, c);
38977+ h->access->submit_command(h, c);
38978
38979 /* Get onto the completion Q */
38980 addQ(&h->cmpQ, c);
38981@@ -1048,7 +1048,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id)
38982 unsigned long flags;
38983 __u32 a,a1;
38984
38985- istat = h->access.intr_pending(h);
38986+ istat = h->access->intr_pending(h);
38987 /* Is this interrupt for us? */
38988 if (istat == 0)
38989 return IRQ_NONE;
38990@@ -1059,7 +1059,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id)
38991 */
38992 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
38993 if (istat & FIFO_NOT_EMPTY) {
38994- while((a = h->access.command_completed(h))) {
38995+ while((a = h->access->command_completed(h))) {
38996 a1 = a; a &= ~3;
38997 if ((c = h->cmpQ) == NULL)
38998 {
38999@@ -1448,11 +1448,11 @@ static int sendcmd(
39000 /*
39001 * Disable interrupt
39002 */
39003- info_p->access.set_intr_mask(info_p, 0);
39004+ info_p->access->set_intr_mask(info_p, 0);
39005 /* Make sure there is room in the command FIFO */
39006 /* Actually it should be completely empty at this time. */
39007 for (i = 200000; i > 0; i--) {
39008- temp = info_p->access.fifo_full(info_p);
39009+ temp = info_p->access->fifo_full(info_p);
39010 if (temp != 0) {
39011 break;
39012 }
39013@@ -1465,7 +1465,7 @@ DBG(
39014 /*
39015 * Send the cmd
39016 */
39017- info_p->access.submit_command(info_p, c);
39018+ info_p->access->submit_command(info_p, c);
39019 complete = pollcomplete(ctlr);
39020
39021 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
39022@@ -1548,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host)
39023 * we check the new geometry. Then turn interrupts back on when
39024 * we're done.
39025 */
39026- host->access.set_intr_mask(host, 0);
39027+ host->access->set_intr_mask(host, 0);
39028 getgeometry(ctlr);
39029- host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
39030+ host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
39031
39032 for(i=0; i<NWD; i++) {
39033 struct gendisk *disk = ida_gendisk[ctlr][i];
39034@@ -1590,7 +1590,7 @@ static int pollcomplete(int ctlr)
39035 /* Wait (up to 2 seconds) for a command to complete */
39036
39037 for (i = 200000; i > 0; i--) {
39038- done = hba[ctlr]->access.command_completed(hba[ctlr]);
39039+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
39040 if (done == 0) {
39041 udelay(10); /* a short fixed delay */
39042 } else
39043diff --git a/drivers/block/cpqarray.h b/drivers/block/cpqarray.h
39044index be73e9d..7fbf140 100644
39045--- a/drivers/block/cpqarray.h
39046+++ b/drivers/block/cpqarray.h
39047@@ -99,7 +99,7 @@ struct ctlr_info {
39048 drv_info_t drv[NWD];
39049 struct proc_dir_entry *proc;
39050
39051- struct access_method access;
39052+ struct access_method *access;
39053
39054 cmdlist_t *reqQ;
39055 cmdlist_t *cmpQ;
39056diff --git a/drivers/block/drbd/drbd_bitmap.c b/drivers/block/drbd/drbd_bitmap.c
39057index 434c77d..6d3219a 100644
39058--- a/drivers/block/drbd/drbd_bitmap.c
39059+++ b/drivers/block/drbd/drbd_bitmap.c
39060@@ -1036,7 +1036,7 @@ static void bm_page_io_async(struct drbd_bm_aio_ctx *ctx, int page_nr) __must_ho
39061 submit_bio(rw, bio);
39062 /* this should not count as user activity and cause the
39063 * resync to throttle -- see drbd_rs_should_slow_down(). */
39064- atomic_add(len >> 9, &device->rs_sect_ev);
39065+ atomic_add_unchecked(len >> 9, &device->rs_sect_ev);
39066 }
39067 }
39068
39069diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
39070index efd19c2..6ccfa94 100644
39071--- a/drivers/block/drbd/drbd_int.h
39072+++ b/drivers/block/drbd/drbd_int.h
39073@@ -386,7 +386,7 @@ struct drbd_epoch {
39074 struct drbd_connection *connection;
39075 struct list_head list;
39076 unsigned int barrier_nr;
39077- atomic_t epoch_size; /* increased on every request added. */
39078+ atomic_unchecked_t epoch_size; /* increased on every request added. */
39079 atomic_t active; /* increased on every req. added, and dec on every finished. */
39080 unsigned long flags;
39081 };
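Review bot: `epoch_size` becomes `atomic_unchecked_t` while its neighbour `active` stays a checked `atomic_t`, and the field comment does not say why the two are treated differently. Later hunks on this page test `epoch_size` against zero in receive_Barrier(), drbd_may_finish_epoch() and drbd_destroy_connection(), so a wrapped value would read as an empty epoch. It looks like a per-epoch request counter that is reset before it could wrap, but that is an inference from the visible code. I would record the reasoning in the comment, for example `/* increased on every request added; plain counter, not a reference count */`.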
39082@@ -947,7 +947,7 @@ struct drbd_device {
39083 unsigned int al_tr_number;
39084 int al_tr_cycle;
39085 wait_queue_head_t seq_wait;
39086- atomic_t packet_seq;
39087+ atomic_unchecked_t packet_seq;
39088 unsigned int peer_seq;
39089 spinlock_t peer_seq_lock;
39090 unsigned long comm_bm_set; /* communicated number of set bits. */
39091@@ -956,8 +956,8 @@ struct drbd_device {
39092 struct mutex own_state_mutex;
39093 struct mutex *state_mutex; /* either own_state_mutex or first_peer_device(device)->connection->cstate_mutex */
39094 char congestion_reason; /* Why we where congested... */
39095- atomic_t rs_sect_in; /* for incoming resync data rate, SyncTarget */
39096- atomic_t rs_sect_ev; /* for submitted resync data rate, both */
39097+ atomic_unchecked_t rs_sect_in; /* for incoming resync data rate, SyncTarget */
39098+ atomic_unchecked_t rs_sect_ev; /* for submitted resync data rate, both */
39099 int rs_last_sect_ev; /* counter to compare with */
39100 int rs_last_events; /* counter of read or write "events" (unit sectors)
39101 * on the lower level device when we last looked. */
39102diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
39103index a151853..b9b5baa 100644
39104--- a/drivers/block/drbd/drbd_main.c
39105+++ b/drivers/block/drbd/drbd_main.c
39106@@ -1328,7 +1328,7 @@ static int _drbd_send_ack(struct drbd_peer_device *peer_device, enum drbd_packet
39107 p->sector = sector;
39108 p->block_id = block_id;
39109 p->blksize = blksize;
39110- p->seq_num = cpu_to_be32(atomic_inc_return(&peer_device->device->packet_seq));
39111+ p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&peer_device->device->packet_seq));
39112 return drbd_send_command(peer_device, sock, cmd, sizeof(*p), NULL, 0);
39113 }
39114
39115@@ -1634,7 +1634,7 @@ int drbd_send_dblock(struct drbd_peer_device *peer_device, struct drbd_request *
39116 return -EIO;
39117 p->sector = cpu_to_be64(req->i.sector);
39118 p->block_id = (unsigned long)req;
39119- p->seq_num = cpu_to_be32(atomic_inc_return(&device->packet_seq));
39120+ p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&device->packet_seq));
39121 dp_flags = bio_flags_to_wire(peer_device->connection, req->master_bio->bi_rw);
39122 if (device->state.conn >= C_SYNC_SOURCE &&
39123 device->state.conn <= C_PAUSED_SYNC_T)
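Review bot: In this drbd_send_dblock() hunk the context line `p->block_id = (unsigned long)req;` places a kernel object address in a field of the outgoing packet, which this change leaves untouched. That exposes a kernel address to the peer and means any value the peer echoes back has to be validated before it is treated as a request pointer; the validation is not visible in this hunk. The design cannot be changed in a line or two, so I would at least mark it: `/* block_id carries a kernel address to the peer; never dereference the echoed value without a lookup */`. The function starts and ends outside the hunk.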
39124@@ -1915,8 +1915,8 @@ void drbd_init_set_defaults(struct drbd_device *device)
39125 atomic_set(&device->unacked_cnt, 0);
39126 atomic_set(&device->local_cnt, 0);
39127 atomic_set(&device->pp_in_use_by_net, 0);
39128- atomic_set(&device->rs_sect_in, 0);
39129- atomic_set(&device->rs_sect_ev, 0);
39130+ atomic_set_unchecked(&device->rs_sect_in, 0);
39131+ atomic_set_unchecked(&device->rs_sect_ev, 0);
39132 atomic_set(&device->ap_in_flight, 0);
39133 atomic_set(&device->md_io.in_use, 0);
39134
39135@@ -2683,8 +2683,8 @@ void drbd_destroy_connection(struct kref *kref)
39136 struct drbd_connection *connection = container_of(kref, struct drbd_connection, kref);
39137 struct drbd_resource *resource = connection->resource;
39138
39139- if (atomic_read(&connection->current_epoch->epoch_size) != 0)
39140- drbd_err(connection, "epoch_size:%d\n", atomic_read(&connection->current_epoch->epoch_size));
39141+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size) != 0)
39142+ drbd_err(connection, "epoch_size:%d\n", atomic_read_unchecked(&connection->current_epoch->epoch_size));
39143 kfree(connection->current_epoch);
39144
39145 idr_destroy(&connection->peer_devices);
39146diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
39147index 74df8cf..e41fc24 100644
39148--- a/drivers/block/drbd/drbd_nl.c
39149+++ b/drivers/block/drbd/drbd_nl.c
39150@@ -3637,13 +3637,13 @@ finish:
39151
39152 void drbd_bcast_event(struct drbd_device *device, const struct sib_info *sib)
39153 {
39154- static atomic_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
39155+ static atomic_unchecked_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
39156 struct sk_buff *msg;
39157 struct drbd_genlmsghdr *d_out;
39158 unsigned seq;
39159 int err = -ENOMEM;
39160
39161- seq = atomic_inc_return(&drbd_genl_seq);
39162+ seq = atomic_inc_return_unchecked(&drbd_genl_seq);
39163 msg = genlmsg_new(NLMSG_GOODSIZE, GFP_NOIO);
39164 if (!msg)
39165 goto failed;
39166diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
39167index c097909..13688e1 100644
39168--- a/drivers/block/drbd/drbd_receiver.c
39169+++ b/drivers/block/drbd/drbd_receiver.c
39170@@ -870,7 +870,7 @@ int drbd_connected(struct drbd_peer_device *peer_device)
39171 struct drbd_device *device = peer_device->device;
39172 int err;
39173
39174- atomic_set(&device->packet_seq, 0);
39175+ atomic_set_unchecked(&device->packet_seq, 0);
39176 device->peer_seq = 0;
39177
39178 device->state_mutex = peer_device->connection->agreed_pro_version < 100 ?
39179@@ -1233,7 +1233,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_connection *connectio
39180 do {
39181 next_epoch = NULL;
39182
39183- epoch_size = atomic_read(&epoch->epoch_size);
39184+ epoch_size = atomic_read_unchecked(&epoch->epoch_size);
39185
39186 switch (ev & ~EV_CLEANUP) {
39187 case EV_PUT:
39188@@ -1273,7 +1273,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_connection *connectio
39189 rv = FE_DESTROYED;
39190 } else {
39191 epoch->flags = 0;
39192- atomic_set(&epoch->epoch_size, 0);
39193+ atomic_set_unchecked(&epoch->epoch_size, 0);
39194 /* atomic_set(&epoch->active, 0); is already zero */
39195 if (rv == FE_STILL_LIVE)
39196 rv = FE_RECYCLED;
39197@@ -1550,7 +1550,7 @@ static int receive_Barrier(struct drbd_connection *connection, struct packet_inf
39198 conn_wait_active_ee_empty(connection);
39199 drbd_flush(connection);
39200
39201- if (atomic_read(&connection->current_epoch->epoch_size)) {
39202+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size)) {
39203 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
39204 if (epoch)
39205 break;
39206@@ -1564,11 +1564,11 @@ static int receive_Barrier(struct drbd_connection *connection, struct packet_inf
39207 }
39208
39209 epoch->flags = 0;
39210- atomic_set(&epoch->epoch_size, 0);
39211+ atomic_set_unchecked(&epoch->epoch_size, 0);
39212 atomic_set(&epoch->active, 0);
39213
39214 spin_lock(&connection->epoch_lock);
39215- if (atomic_read(&connection->current_epoch->epoch_size)) {
39216+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size)) {
39217 list_add(&epoch->list, &connection->current_epoch->list);
39218 connection->current_epoch = epoch;
39219 connection->epochs++;
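Review bot: In receive_Barrier, `epoch_size` is moved to the `_unchecked` accessors even though its value drives a decision: `if (atomic_read_unchecked(&connection->current_epoch->epoch_size))` decides whether the new epoch is linked into the list. Nothing in the hunk says why the counter may be exempted. The other drbd_receiver.c hunks convert `packet_seq`, `rs_sect_in` and `rs_sect_ev` the same way, also without a rationale. I would add a comment at the field declaration (not in this hunk), for example `/* request count for the epoch, not an object lifetime; exempt from overflow checking */`, after confirming that no free path depends on the value. The function starts and ends outside this hunk.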
39220@@ -1802,7 +1802,7 @@ static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t secto
39221 list_add_tail(&peer_req->w.list, &device->sync_ee);
39222 spin_unlock_irq(&device->resource->req_lock);
39223
39224- atomic_add(pi->size >> 9, &device->rs_sect_ev);
39225+ atomic_add_unchecked(pi->size >> 9, &device->rs_sect_ev);
39226 if (drbd_submit_peer_request(device, peer_req, WRITE, DRBD_FAULT_RS_WR) == 0)
39227 return 0;
39228
39229@@ -1900,7 +1900,7 @@ static int receive_RSDataReply(struct drbd_connection *connection, struct packet
39230 drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size);
39231 }
39232
39233- atomic_add(pi->size >> 9, &device->rs_sect_in);
39234+ atomic_add_unchecked(pi->size >> 9, &device->rs_sect_in);
39235
39236 return err;
39237 }
39238@@ -2290,7 +2290,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
39239
39240 err = wait_for_and_update_peer_seq(peer_device, peer_seq);
39241 drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size);
39242- atomic_inc(&connection->current_epoch->epoch_size);
39243+ atomic_inc_unchecked(&connection->current_epoch->epoch_size);
39244 err2 = drbd_drain_block(peer_device, pi->size);
39245 if (!err)
39246 err = err2;
39247@@ -2334,7 +2334,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
39248
39249 spin_lock(&connection->epoch_lock);
39250 peer_req->epoch = connection->current_epoch;
39251- atomic_inc(&peer_req->epoch->epoch_size);
39252+ atomic_inc_unchecked(&peer_req->epoch->epoch_size);
39253 atomic_inc(&peer_req->epoch->active);
39254 spin_unlock(&connection->epoch_lock);
39255
39256@@ -2479,7 +2479,7 @@ bool drbd_rs_c_min_rate_throttle(struct drbd_device *device)
39257
39258 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
39259 (int)part_stat_read(&disk->part0, sectors[1]) -
39260- atomic_read(&device->rs_sect_ev);
39261+ atomic_read_unchecked(&device->rs_sect_ev);
39262
39263 if (atomic_read(&device->ap_actlog_cnt)
39264 || curr_events - device->rs_last_events > 64) {
39265@@ -2618,7 +2618,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
39266 device->use_csums = true;
39267 } else if (pi->cmd == P_OV_REPLY) {
39268 /* track progress, we may need to throttle */
39269- atomic_add(size >> 9, &device->rs_sect_in);
39270+ atomic_add_unchecked(size >> 9, &device->rs_sect_in);
39271 peer_req->w.cb = w_e_end_ov_reply;
39272 dec_rs_pending(device);
39273 /* drbd_rs_begin_io done when we sent this request,
39274@@ -2691,7 +2691,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
39275 goto out_free_e;
39276
39277 submit_for_resync:
39278- atomic_add(size >> 9, &device->rs_sect_ev);
39279+ atomic_add_unchecked(size >> 9, &device->rs_sect_ev);
39280
39281 submit:
39282 update_receiver_timing_details(connection, drbd_submit_peer_request);
39283@@ -4564,7 +4564,7 @@ struct data_cmd {
39284 int expect_payload;
39285 size_t pkt_size;
39286 int (*fn)(struct drbd_connection *, struct packet_info *);
39287-};
39288+} __do_const;
39289
39290 static struct data_cmd drbd_cmd_handler[] = {
39291 [P_DATA] = { 1, sizeof(struct p_data), receive_Data },
39292@@ -4678,7 +4678,7 @@ static void conn_disconnect(struct drbd_connection *connection)
39293 if (!list_empty(&connection->current_epoch->list))
39294 drbd_err(connection, "ASSERTION FAILED: connection->current_epoch->list not empty\n");
39295 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
39296- atomic_set(&connection->current_epoch->epoch_size, 0);
39297+ atomic_set_unchecked(&connection->current_epoch->epoch_size, 0);
39298 connection->send.seen_any_write_yet = false;
39299
39300 drbd_info(connection, "Connection closed\n");
39301@@ -5182,7 +5182,7 @@ static int got_IsInSync(struct drbd_connection *connection, struct packet_info *
39302 put_ldev(device);
39303 }
39304 dec_rs_pending(device);
39305- atomic_add(blksize >> 9, &device->rs_sect_in);
39306+ atomic_add_unchecked(blksize >> 9, &device->rs_sect_in);
39307
39308 return 0;
39309 }
39310@@ -5470,7 +5470,7 @@ static int connection_finish_peer_reqs(struct drbd_connection *connection)
39311 struct asender_cmd {
39312 size_t pkt_size;
39313 int (*fn)(struct drbd_connection *connection, struct packet_info *);
39314-};
39315+} __do_const;
39316
39317 static struct asender_cmd asender_tbl[] = {
39318 [P_PING] = { 0, got_Ping },
39319diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c
39320index d0fae55..4469096 100644
39321--- a/drivers/block/drbd/drbd_worker.c
39322+++ b/drivers/block/drbd/drbd_worker.c
39323@@ -408,7 +408,7 @@ static int read_for_csum(struct drbd_peer_device *peer_device, sector_t sector,
39324 list_add_tail(&peer_req->w.list, &device->read_ee);
39325 spin_unlock_irq(&device->resource->req_lock);
39326
39327- atomic_add(size >> 9, &device->rs_sect_ev);
39328+ atomic_add_unchecked(size >> 9, &device->rs_sect_ev);
39329 if (drbd_submit_peer_request(device, peer_req, READ, DRBD_FAULT_RS_RD) == 0)
39330 return 0;
39331
39332@@ -553,7 +553,7 @@ static int drbd_rs_number_requests(struct drbd_device *device)
39333 unsigned int sect_in; /* Number of sectors that came in since the last turn */
39334 int number, mxb;
39335
39336- sect_in = atomic_xchg(&device->rs_sect_in, 0);
39337+ sect_in = atomic_xchg_unchecked(&device->rs_sect_in, 0);
39338 device->rs_in_flight -= sect_in;
39339
39340 rcu_read_lock();
39341@@ -1595,8 +1595,8 @@ void drbd_rs_controller_reset(struct drbd_device *device)
39342 struct gendisk *disk = device->ldev->backing_bdev->bd_contains->bd_disk;
39343 struct fifo_buffer *plan;
39344
39345- atomic_set(&device->rs_sect_in, 0);
39346- atomic_set(&device->rs_sect_ev, 0);
39347+ atomic_set_unchecked(&device->rs_sect_in, 0);
39348+ atomic_set_unchecked(&device->rs_sect_ev, 0);
39349 device->rs_in_flight = 0;
39350 device->rs_last_events =
39351 (int)part_stat_read(&disk->part0, sectors[0]) +
39352diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
39353index 4c20c22..caef1eb 100644
39354--- a/drivers/block/pktcdvd.c
39355+++ b/drivers/block/pktcdvd.c
39356@@ -109,7 +109,7 @@ static int pkt_seq_show(struct seq_file *m, void *p);
39357
39358 static sector_t get_zone(sector_t sector, struct pktcdvd_device *pd)
39359 {
39360- return (sector + pd->offset) & ~(sector_t)(pd->settings.size - 1);
39361+ return (sector + pd->offset) & ~(sector_t)(pd->settings.size - 1UL);
39362 }
39363
39364 /*
39365@@ -1891,7 +1891,7 @@ static noinline_for_stack int pkt_probe_settings(struct pktcdvd_device *pd)
39366 return -EROFS;
39367 }
39368 pd->settings.fp = ti.fp;
39369- pd->offset = (be32_to_cpu(ti.track_start) << 2) & (pd->settings.size - 1);
39370+ pd->offset = (be32_to_cpu(ti.track_start) << 2) & (pd->settings.size - 1UL);
39371
39372 if (ti.nwa_v) {
39373 pd->nwa = be32_to_cpu(ti.next_writable);
39374diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
39375index bc67a93..d552e86 100644
39376--- a/drivers/block/rbd.c
39377+++ b/drivers/block/rbd.c
39378@@ -64,7 +64,7 @@
39379 * If the counter is already at its maximum value returns
39380 * -EINVAL without updating it.
39381 */
39382-static int atomic_inc_return_safe(atomic_t *v)
39383+static int __intentional_overflow(-1) atomic_inc_return_safe(atomic_t *v)
39384 {
39385 unsigned int counter;
39386
39387diff --git a/drivers/block/smart1,2.h b/drivers/block/smart1,2.h
39388index e5565fb..71be10b4 100644
39389--- a/drivers/block/smart1,2.h
39390+++ b/drivers/block/smart1,2.h
39391@@ -108,11 +108,11 @@ static unsigned long smart4_intr_pending(ctlr_info_t *h)
39392 }
39393
39394 static struct access_method smart4_access = {
39395- smart4_submit_command,
39396- smart4_intr_mask,
39397- smart4_fifo_full,
39398- smart4_intr_pending,
39399- smart4_completed,
39400+ .submit_command = smart4_submit_command,
39401+ .set_intr_mask = smart4_intr_mask,
39402+ .fifo_full = smart4_fifo_full,
39403+ .intr_pending = smart4_intr_pending,
39404+ .command_completed = smart4_completed,
39405 };
39406
39407 /*
39408@@ -144,11 +144,11 @@ static unsigned long smart2_intr_pending(ctlr_info_t *h)
39409 }
39410
39411 static struct access_method smart2_access = {
39412- smart2_submit_command,
39413- smart2_intr_mask,
39414- smart2_fifo_full,
39415- smart2_intr_pending,
39416- smart2_completed,
39417+ .submit_command = smart2_submit_command,
39418+ .set_intr_mask = smart2_intr_mask,
39419+ .fifo_full = smart2_fifo_full,
39420+ .intr_pending = smart2_intr_pending,
39421+ .command_completed = smart2_completed,
39422 };
39423
39424 /*
39425@@ -180,11 +180,11 @@ static unsigned long smart2e_intr_pending(ctlr_info_t *h)
39426 }
39427
39428 static struct access_method smart2e_access = {
39429- smart2e_submit_command,
39430- smart2e_intr_mask,
39431- smart2e_fifo_full,
39432- smart2e_intr_pending,
39433- smart2e_completed,
39434+ .submit_command = smart2e_submit_command,
39435+ .set_intr_mask = smart2e_intr_mask,
39436+ .fifo_full = smart2e_fifo_full,
39437+ .intr_pending = smart2e_intr_pending,
39438+ .command_completed = smart2e_completed,
39439 };
39440
39441 /*
39442@@ -270,9 +270,9 @@ static unsigned long smart1_intr_pending(ctlr_info_t *h)
39443 }
39444
39445 static struct access_method smart1_access = {
39446- smart1_submit_command,
39447- smart1_intr_mask,
39448- smart1_fifo_full,
39449- smart1_intr_pending,
39450- smart1_completed,
39451+ .submit_command = smart1_submit_command,
39452+ .set_intr_mask = smart1_intr_mask,
39453+ .fifo_full = smart1_fifo_full,
39454+ .intr_pending = smart1_intr_pending,
39455+ .command_completed = smart1_completed,
39456 };
39457diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c
39458index 7a722df..54b76ab 100644
39459--- a/drivers/bluetooth/btwilink.c
39460+++ b/drivers/bluetooth/btwilink.c
39461@@ -288,7 +288,7 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
39462
39463 static int bt_ti_probe(struct platform_device *pdev)
39464 {
39465- static struct ti_st *hst;
39466+ struct ti_st *hst;
39467 struct hci_dev *hdev;
39468 int err;
39469
39470diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
39471index 5d28a45..a538f90 100644
39472--- a/drivers/cdrom/cdrom.c
39473+++ b/drivers/cdrom/cdrom.c
39474@@ -610,7 +610,6 @@ int register_cdrom(struct cdrom_device_info *cdi)
39475 ENSURE(reset, CDC_RESET);
39476 ENSURE(generic_packet, CDC_GENERIC_PACKET);
39477 cdi->mc_flags = 0;
39478- cdo->n_minors = 0;
39479 cdi->options = CDO_USE_FFLAGS;
39480
39481 if (autoclose == 1 && CDROM_CAN(CDC_CLOSE_TRAY))
39482@@ -630,8 +629,11 @@ int register_cdrom(struct cdrom_device_info *cdi)
39483 else
39484 cdi->cdda_method = CDDA_OLD;
39485
39486- if (!cdo->generic_packet)
39487- cdo->generic_packet = cdrom_dummy_generic_packet;
39488+ if (!cdo->generic_packet) {
39489+ pax_open_kernel();
39490+ *(void **)&cdo->generic_packet = cdrom_dummy_generic_packet;
39491+ pax_close_kernel();
39492+ }
39493
39494 cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name);
39495 mutex_lock(&cdrom_mutex);
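Review bot: The store `*(void **)&cdo->generic_packet = cdrom_dummy_generic_packet;` in register_cdrom goes through a `void **` cast, so the compiler no longer checks that the assigned function matches the member's signature. It also still modifies the driver's shared ops table at registration time, presumably a table this patch makes read-only, given the `pax_open_kernel()` bracket. A comment above that bracket would help, such as `/* ops table is write-protected; open a window only for this one fallback assignment */`. It may be cleaner to have the users of `generic_packet` fall back to the dummy when the pointer is NULL, which would remove the write, but those call sites are outside this hunk. register_cdrom begins and ends outside the hunk.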
39496@@ -652,7 +654,6 @@ void unregister_cdrom(struct cdrom_device_info *cdi)
39497 if (cdi->exit)
39498 cdi->exit(cdi);
39499
39500- cdi->ops->n_minors--;
39501 cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name);
39502 }
39503
39504@@ -2126,7 +2127,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
39505 */
39506 nr = nframes;
39507 do {
39508- cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
39509+ cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
39510 if (cgc.buffer)
39511 break;
39512
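Review bot: The size passed to `kzalloc()` in cdrom_read_cdda_old is still the open-coded product `CD_FRAMESIZE_RAW * nr`, so zeroing the buffer does nothing about a wrapped multiplication. Whether `nframes` is bounded by the caller is not visible in this hunk. `cgc.buffer = kcalloc(nr, CD_FRAMESIZE_RAW, GFP_KERNEL);` zeroes the memory as well and returns NULL if the product overflows. The retry loop and the rest of the function lie outside the hunk.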
39513@@ -3434,7 +3435,7 @@ static int cdrom_print_info(const char *header, int val, char *info,
39514 struct cdrom_device_info *cdi;
39515 int ret;
39516
39517- ret = scnprintf(info + *pos, max_size - *pos, header);
39518+ ret = scnprintf(info + *pos, max_size - *pos, "%s", header);
39519 if (!ret)
39520 return 1;
39521
39522diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
39523index 584bc31..e64a12c 100644
39524--- a/drivers/cdrom/gdrom.c
39525+++ b/drivers/cdrom/gdrom.c
39526@@ -491,7 +491,6 @@ static struct cdrom_device_ops gdrom_ops = {
39527 .audio_ioctl = gdrom_audio_ioctl,
39528 .capability = CDC_MULTI_SESSION | CDC_MEDIA_CHANGED |
39529 CDC_RESET | CDC_DRIVE_STATUS | CDC_CD_R,
39530- .n_minors = 1,
39531 };
39532
39533 static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
39534diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
39535index a043107..1263e4a 100644
39536--- a/drivers/char/Kconfig
39537+++ b/drivers/char/Kconfig
39538@@ -17,7 +17,8 @@ config DEVMEM
39539
39540 config DEVKMEM
39541 bool "/dev/kmem virtual device support"
39542- default y
39543+ default n
39544+ depends on !GRKERNSEC_KMEM
39545 help
39546 Say Y here if you want to support the /dev/kmem device. The
39547 /dev/kmem device is rarely used, but can be used for certain
39548@@ -586,6 +587,7 @@ config DEVPORT
39549 bool
39550 depends on !M68K
39551 depends on ISA || PCI
39552+ depends on !GRKERNSEC_KMEM
39553 default y
39554
39555 source "drivers/s390/char/Kconfig"
39556diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c
39557index a48e05b..6bac831 100644
39558--- a/drivers/char/agp/compat_ioctl.c
39559+++ b/drivers/char/agp/compat_ioctl.c
39560@@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user
39561 return -ENOMEM;
39562 }
39563
39564- if (copy_from_user(usegment, (void __user *) ureserve.seg_list,
39565+ if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list,
39566 sizeof(*usegment) * ureserve.seg_count)) {
39567 kfree(usegment);
39568 kfree(ksegment);
39569diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
39570index 09f17eb..8531d2f 100644
39571--- a/drivers/char/agp/frontend.c
39572+++ b/drivers/char/agp/frontend.c
39573@@ -806,7 +806,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
39574 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
39575 return -EFAULT;
39576
39577- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
39578+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
39579 return -EFAULT;
39580
39581 client = agp_find_client_by_pid(reserve.pid);
39582@@ -836,7 +836,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
39583 if (segment == NULL)
39584 return -ENOMEM;
39585
39586- if (copy_from_user(segment, (void __user *) reserve.seg_list,
39587+ if (copy_from_user(segment, (void __force_user *) reserve.seg_list,
39588 sizeof(struct agp_segment) * reserve.seg_count)) {
39589 kfree(segment);
39590 return -EFAULT;
39591diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
39592index c6dea3f..72ae4b0 100644
39593--- a/drivers/char/agp/intel-gtt.c
39594+++ b/drivers/char/agp/intel-gtt.c
39595@@ -1408,8 +1408,8 @@ int intel_gmch_probe(struct pci_dev *bridge_pdev, struct pci_dev *gpu_pdev,
39596 }
39597 EXPORT_SYMBOL(intel_gmch_probe);
39598
39599-void intel_gtt_get(size_t *gtt_total, size_t *stolen_size,
39600- phys_addr_t *mappable_base, unsigned long *mappable_end)
39601+void intel_gtt_get(uint64_t *gtt_total, uint64_t *stolen_size,
39602+ uint64_t *mappable_base, uint64_t *mappable_end)
39603 {
39604 *gtt_total = intel_private.gtt_total_entries << PAGE_SHIFT;
39605 *stolen_size = intel_private.stolen_size;
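Review bot: Widening the out-parameters of intel_gtt_get to `uint64_t` does not widen the computation in `*gtt_total = intel_private.gtt_total_entries << PAGE_SHIFT;`, because the shift is evaluated in the type of `gtt_total_entries` before the assignment. If that field is a 32-bit integer (its declaration is not in this hunk), the result can still be truncated before it reaches the 64-bit destination. `*gtt_total = (uint64_t)intel_private.gtt_total_entries << PAGE_SHIFT;` avoids that. The function body continues past the hunk.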
39606diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c
39607index 4f94375..413694e 100644
39608--- a/drivers/char/genrtc.c
39609+++ b/drivers/char/genrtc.c
39610@@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *file,
39611 switch (cmd) {
39612
39613 case RTC_PLL_GET:
39614+ memset(&pll, 0, sizeof(pll));
39615 if (get_rtc_pll(&pll))
39616 return -EINVAL;
39617 else
39618diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c
39619index 5c0baa9..44011b1 100644
39620--- a/drivers/char/hpet.c
39621+++ b/drivers/char/hpet.c
39622@@ -575,7 +575,7 @@ static inline unsigned long hpet_time_div(struct hpets *hpets,
39623 }
39624
39625 static int
39626-hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
39627+hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
39628 struct hpet_info *info)
39629 {
39630 struct hpet_timer __iomem *timer;
39631diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
39632index bf75f63..359fa10 100644
39633--- a/drivers/char/ipmi/ipmi_msghandler.c
39634+++ b/drivers/char/ipmi/ipmi_msghandler.c
39635@@ -436,7 +436,7 @@ struct ipmi_smi {
39636 struct proc_dir_entry *proc_dir;
39637 char proc_dir_name[10];
39638
39639- atomic_t stats[IPMI_NUM_STATS];
39640+ atomic_unchecked_t stats[IPMI_NUM_STATS];
39641
39642 /*
39643 * run_to_completion duplicate of smb_info, smi_info
39644@@ -468,9 +468,9 @@ static LIST_HEAD(smi_watchers);
39645 static DEFINE_MUTEX(smi_watchers_mutex);
39646
39647 #define ipmi_inc_stat(intf, stat) \
39648- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
39649+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
39650 #define ipmi_get_stat(intf, stat) \
39651- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
39652+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
39653
39654 static char *addr_src_to_str[] = { "invalid", "hotmod", "hardcoded", "SPMI",
39655 "ACPI", "SMBIOS", "PCI",
39656@@ -2828,7 +2828,7 @@ int ipmi_register_smi(struct ipmi_smi_handlers *handlers,
39657 INIT_LIST_HEAD(&intf->cmd_rcvrs);
39658 init_waitqueue_head(&intf->waitq);
39659 for (i = 0; i < IPMI_NUM_STATS; i++)
39660- atomic_set(&intf->stats[i], 0);
39661+ atomic_set_unchecked(&intf->stats[i], 0);
39662
39663 intf->proc_dir = NULL;
39664
39665diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
39666index 8a45e92..e41b1c7 100644
39667--- a/drivers/char/ipmi/ipmi_si_intf.c
39668+++ b/drivers/char/ipmi/ipmi_si_intf.c
39669@@ -289,7 +289,7 @@ struct smi_info {
39670 unsigned char slave_addr;
39671
39672 /* Counters and things for the proc filesystem. */
39673- atomic_t stats[SI_NUM_STATS];
39674+ atomic_unchecked_t stats[SI_NUM_STATS];
39675
39676 struct task_struct *thread;
39677
39678@@ -298,9 +298,9 @@ struct smi_info {
39679 };
39680
39681 #define smi_inc_stat(smi, stat) \
39682- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
39683+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
39684 #define smi_get_stat(smi, stat) \
39685- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
39686+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
39687
39688 #define SI_MAX_PARMS 4
39689
39690@@ -3500,7 +3500,7 @@ static int try_smi_init(struct smi_info *new_smi)
39691 atomic_set(&new_smi->req_events, 0);
39692 new_smi->run_to_completion = false;
39693 for (i = 0; i < SI_NUM_STATS; i++)
39694- atomic_set(&new_smi->stats[i], 0);
39695+ atomic_set_unchecked(&new_smi->stats[i], 0);
39696
39697 new_smi->interrupt_disabled = true;
39698 atomic_set(&new_smi->need_watch, 0);
39699diff --git a/drivers/char/mem.c b/drivers/char/mem.c
39700index 6b1721f..fda9398 100644
39701--- a/drivers/char/mem.c
39702+++ b/drivers/char/mem.c
39703@@ -18,6 +18,7 @@
39704 #include <linux/raw.h>
39705 #include <linux/tty.h>
39706 #include <linux/capability.h>
39707+#include <linux/security.h>
39708 #include <linux/ptrace.h>
39709 #include <linux/device.h>
39710 #include <linux/highmem.h>
39711@@ -36,6 +37,10 @@
39712
39713 #define DEVPORT_MINOR 4
39714
39715+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
39716+extern const struct file_operations grsec_fops;
39717+#endif
39718+
39719 static inline unsigned long size_inside_page(unsigned long start,
39720 unsigned long size)
39721 {
39722@@ -67,9 +72,13 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
39723
39724 while (cursor < to) {
39725 if (!devmem_is_allowed(pfn)) {
39726+#ifdef CONFIG_GRKERNSEC_KMEM
39727+ gr_handle_mem_readwrite(from, to);
39728+#else
39729 printk(KERN_INFO
39730 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
39731 current->comm, from, to);
39732+#endif
39733 return 0;
39734 }
39735 cursor += PAGE_SIZE;
39736@@ -77,6 +86,11 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
39737 }
39738 return 1;
39739 }
39740+#elif defined(CONFIG_GRKERNSEC_KMEM)
39741+static inline int range_is_allowed(unsigned long pfn, unsigned long size)
39742+{
39743+ return 0;
39744+}
39745 #else
39746 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
39747 {
39748@@ -124,7 +138,8 @@ static ssize_t read_mem(struct file *file, char __user *buf,
39749 #endif
39750
39751 while (count > 0) {
39752- unsigned long remaining;
39753+ unsigned long remaining = 0;
39754+ char *temp;
39755
39756 sz = size_inside_page(p, count);
39757
39758@@ -140,7 +155,24 @@ static ssize_t read_mem(struct file *file, char __user *buf,
39759 if (!ptr)
39760 return -EFAULT;
39761
39762- remaining = copy_to_user(buf, ptr, sz);
39763+#ifdef CONFIG_PAX_USERCOPY
39764+ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
39765+ if (!temp) {
39766+ unxlate_dev_mem_ptr(p, ptr);
39767+ return -ENOMEM;
39768+ }
39769+ remaining = probe_kernel_read(temp, ptr, sz);
39770+#else
39771+ temp = ptr;
39772+#endif
39773+
39774+ if (!remaining)
39775+ remaining = copy_to_user(buf, temp, sz);
39776+
39777+#ifdef CONFIG_PAX_USERCOPY
39778+ kfree(temp);
39779+#endif
39780+
39781 unxlate_dev_mem_ptr(p, ptr);
39782 if (remaining)
39783 return -EFAULT;
39784@@ -380,9 +412,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
39785 size_t count, loff_t *ppos)
39786 {
39787 unsigned long p = *ppos;
39788- ssize_t low_count, read, sz;
39789+ ssize_t low_count, read, sz, err = 0;
39790 char *kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
39791- int err = 0;
39792
39793 read = 0;
39794 if (p < (unsigned long) high_memory) {
39795@@ -404,6 +435,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
39796 }
39797 #endif
39798 while (low_count > 0) {
39799+ char *temp;
39800+
39801 sz = size_inside_page(p, low_count);
39802
39803 /*
39804@@ -413,7 +446,23 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
39805 */
39806 kbuf = xlate_dev_kmem_ptr((void *)p);
39807
39808- if (copy_to_user(buf, kbuf, sz))
39809+#ifdef CONFIG_PAX_USERCOPY
39810+ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
39811+ if (!temp)
39812+ return -ENOMEM;
39813+ err = probe_kernel_read(temp, kbuf, sz);
39814+#else
39815+ temp = kbuf;
39816+#endif
39817+
39818+ if (!err)
39819+ err = copy_to_user(buf, temp, sz);
39820+
39821+#ifdef CONFIG_PAX_USERCOPY
39822+ kfree(temp);
39823+#endif
39824+
39825+ if (err)
39826 return -EFAULT;
39827 buf += sz;
39828 p += sz;
39829@@ -802,6 +851,9 @@ static const struct memdev {
39830 #ifdef CONFIG_PRINTK
39831 [11] = { "kmsg", 0644, &kmsg_fops, 0 },
39832 #endif
39833+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
39834+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, 0 },
39835+#endif
39836 };
39837
39838 static int memory_open(struct inode *inode, struct file *filp)
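Review bot: The new `[13]` entry in the memdev table gives the node mode `S_IRUSR | S_IWUGO`, which is writable by every user, while the neighbouring entry uses a plain octal mode (`0644`) and nothing explains the wider permission. If the handlers behind `grsec_fops` do their own authentication (not visible here), the entry should say so, e.g. `/* world-writable by design: access is checked in grsec_fops */`. A space is also missing after the comma in `"grsec",S_IRUSR`.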
39839@@ -863,7 +915,7 @@ static int __init chr_dev_init(void)
39840 continue;
39841
39842 device_create(mem_class, NULL, MKDEV(MEM_MAJOR, minor),
39843- NULL, devlist[minor].name);
39844+ NULL, "%s", devlist[minor].name);
39845 }
39846
39847 return tty_init();
39848diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
39849index 9df78e2..01ba9ae 100644
39850--- a/drivers/char/nvram.c
39851+++ b/drivers/char/nvram.c
39852@@ -247,7 +247,7 @@ static ssize_t nvram_read(struct file *file, char __user *buf,
39853
39854 spin_unlock_irq(&rtc_lock);
39855
39856- if (copy_to_user(buf, contents, tmp - contents))
39857+ if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
39858 return -EFAULT;
39859
39860 *ppos = i;
39861diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c
39862index 7680d52..073f799e 100644
39863--- a/drivers/char/pcmcia/synclink_cs.c
39864+++ b/drivers/char/pcmcia/synclink_cs.c
39865@@ -2345,7 +2345,7 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
39866
39867 if (debug_level >= DEBUG_LEVEL_INFO)
39868 printk("%s(%d):mgslpc_close(%s) entry, count=%d\n",
39869- __FILE__, __LINE__, info->device_name, port->count);
39870+ __FILE__, __LINE__, info->device_name, atomic_read(&port->count));
39871
39872 if (tty_port_close_start(port, tty, filp) == 0)
39873 goto cleanup;
39874@@ -2363,7 +2363,7 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
39875 cleanup:
39876 if (debug_level >= DEBUG_LEVEL_INFO)
39877 printk("%s(%d):mgslpc_close(%s) exit, count=%d\n", __FILE__, __LINE__,
39878- tty->driver->name, port->count);
39879+ tty->driver->name, atomic_read(&port->count));
39880 }
39881
39882 /* Wait until the transmitter is empty.
39883@@ -2505,7 +2505,7 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
39884
39885 if (debug_level >= DEBUG_LEVEL_INFO)
39886 printk("%s(%d):mgslpc_open(%s), old ref count = %d\n",
39887- __FILE__, __LINE__, tty->driver->name, port->count);
39888+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
39889
39890 /* If port is closing, signal caller to try again */
39891 if (port->flags & ASYNC_CLOSING){
39892@@ -2525,11 +2525,11 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
39893 goto cleanup;
39894 }
39895 spin_lock(&port->lock);
39896- port->count++;
39897+ atomic_inc(&port->count);
39898 spin_unlock(&port->lock);
39899 spin_unlock_irqrestore(&info->netlock, flags);
39900
39901- if (port->count == 1) {
39902+ if (atomic_read(&port->count) == 1) {
39903 /* 1st open on this device, init hardware */
39904 retval = startup(info, tty);
39905 if (retval < 0)
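Review bot: In mgslpc_open the counter is incremented with `atomic_inc(&port->count)` under `port->lock`, but the first-open test `atomic_read(&port->count) == 1` runs after both locks have been dropped. If two opens of the same port can overlap (the tty-level locking is not visible here), both may read 2 and neither calls `startup()`. Now that the field is an atomic_t, the result can be taken from the increment: `first_open = atomic_inc_return(&port->count) == 1;` under the lock, then `if (first_open) {` in place of the re-read. The function starts and ends outside this hunk.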
39906@@ -3918,7 +3918,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
39907 unsigned short new_crctype;
39908
39909 /* return error if TTY interface open */
39910- if (info->port.count)
39911+ if (atomic_read(&info->port.count))
39912 return -EBUSY;
39913
39914 switch (encoding)
39915@@ -4022,7 +4022,7 @@ static int hdlcdev_open(struct net_device *dev)
39916
39917 /* arbitrate between network and tty opens */
39918 spin_lock_irqsave(&info->netlock, flags);
39919- if (info->port.count != 0 || info->netcount != 0) {
39920+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
39921 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
39922 spin_unlock_irqrestore(&info->netlock, flags);
39923 return -EBUSY;
39924@@ -4112,7 +4112,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
39925 printk("%s:hdlcdev_ioctl(%s)\n", __FILE__, dev->name);
39926
39927 /* return error if TTY interface open */
39928- if (info->port.count)
39929+ if (atomic_read(&info->port.count))
39930 return -EBUSY;
39931
39932 if (cmd != SIOCWANDEV)
39933diff --git a/drivers/char/random.c b/drivers/char/random.c
39934index d0da5d8..739fd3a 100644
39935--- a/drivers/char/random.c
39936+++ b/drivers/char/random.c
39937@@ -289,9 +289,6 @@
39938 /*
39939 * To allow fractional bits to be tracked, the entropy_count field is
39940 * denominated in units of 1/8th bits.
39941- *
39942- * 2*(ENTROPY_SHIFT + log2(poolbits)) must <= 31, or the multiply in
39943- * credit_entropy_bits() needs to be 64 bits wide.
39944 */
39945 #define ENTROPY_SHIFT 3
39946 #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
39947@@ -442,9 +439,9 @@ struct entropy_store {
39948 };
39949
39950 static void push_to_pool(struct work_struct *work);
39951-static __u32 input_pool_data[INPUT_POOL_WORDS];
39952-static __u32 blocking_pool_data[OUTPUT_POOL_WORDS];
39953-static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS];
39954+static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
39955+static __u32 blocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy;
39956+static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy;
39957
39958 static struct entropy_store input_pool = {
39959 .poolinfo = &poolinfo_table[0],
39960@@ -654,7 +651,7 @@ retry:
39961 /* The +2 corresponds to the /4 in the denominator */
39962
39963 do {
39964- unsigned int anfrac = min(pnfrac, pool_size/2);
39965+ u64 anfrac = min(pnfrac, pool_size/2);
39966 unsigned int add =
39967 ((pool_size - entropy_count)*anfrac*3) >> s;
39968
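Review bot: At `u64 anfrac = min(pnfrac, pool_size/2);` the product `(pool_size - entropy_count)*anfrac*3` becomes 64 bits wide only through the type of this one local. An earlier hunk in this file deletes the comment describing the 31-bit limit, so nothing now documents why `anfrac` is `u64`. I would add `/* u64 so the multiply below is done in 64 bits and cannot wrap */` above the declaration. `add` is still `unsigned int`, so the shifted result is narrowed on assignment; that looks intended given the shift by `s`, but it deserves a word in the same comment. The loop body continues outside the hunk.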
39969@@ -1227,7 +1224,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
39970
39971 extract_buf(r, tmp);
39972 i = min_t(int, nbytes, EXTRACT_SIZE);
39973- if (copy_to_user(buf, tmp, i)) {
39974+ if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
39975 ret = -EFAULT;
39976 break;
39977 }
39978@@ -1668,7 +1665,7 @@ static char sysctl_bootid[16];
39979 static int proc_do_uuid(struct ctl_table *table, int write,
39980 void __user *buffer, size_t *lenp, loff_t *ppos)
39981 {
39982- struct ctl_table fake_table;
39983+ ctl_table_no_const fake_table;
39984 unsigned char buf[64], tmp_uuid[16], *uuid;
39985
39986 uuid = table->data;
39987@@ -1698,7 +1695,7 @@ static int proc_do_uuid(struct ctl_table *table, int write,
39988 static int proc_do_entropy(struct ctl_table *table, int write,
39989 void __user *buffer, size_t *lenp, loff_t *ppos)
39990 {
39991- struct ctl_table fake_table;
39992+ ctl_table_no_const fake_table;
39993 int entropy_count;
39994
39995 entropy_count = *(int *)table->data >> ENTROPY_SHIFT;
39996diff --git a/drivers/char/sonypi.c b/drivers/char/sonypi.c
39997index e496dae..3db53b6 100644
39998--- a/drivers/char/sonypi.c
39999+++ b/drivers/char/sonypi.c
40000@@ -54,6 +54,7 @@
40001
40002 #include <asm/uaccess.h>
40003 #include <asm/io.h>
40004+#include <asm/local.h>
40005
40006 #include <linux/sonypi.h>
40007
40008@@ -490,7 +491,7 @@ static struct sonypi_device {
40009 spinlock_t fifo_lock;
40010 wait_queue_head_t fifo_proc_list;
40011 struct fasync_struct *fifo_async;
40012- int open_count;
40013+ local_t open_count;
40014 int model;
40015 struct input_dev *input_jog_dev;
40016 struct input_dev *input_key_dev;
40017@@ -892,7 +893,7 @@ static int sonypi_misc_fasync(int fd, struct file *filp, int on)
40018 static int sonypi_misc_release(struct inode *inode, struct file *file)
40019 {
40020 mutex_lock(&sonypi_device.lock);
40021- sonypi_device.open_count--;
40022+ local_dec(&sonypi_device.open_count);
40023 mutex_unlock(&sonypi_device.lock);
40024 return 0;
40025 }
40026@@ -901,9 +902,9 @@ static int sonypi_misc_open(struct inode *inode, struct file *file)
40027 {
40028 mutex_lock(&sonypi_device.lock);
40029 /* Flush input queue on first open */
40030- if (!sonypi_device.open_count)
40031+ if (!local_read(&sonypi_device.open_count))
40032 kfifo_reset(&sonypi_device.fifo);
40033- sonypi_device.open_count++;
40034+ local_inc(&sonypi_device.open_count);
40035 mutex_unlock(&sonypi_device.lock);
40036
40037 return 0;
40038@@ -1491,7 +1492,7 @@ static struct platform_driver sonypi_driver = {
40039
40040 static struct platform_device *sonypi_platform_device;
40041
40042-static struct dmi_system_id __initdata sonypi_dmi_table[] = {
40043+static const struct dmi_system_id __initconst sonypi_dmi_table[] = {
40044 {
40045 .ident = "Sony Vaio",
40046 .matches = {
40047diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c
40048index 565a947..dcdc06e 100644
40049--- a/drivers/char/tpm/tpm_acpi.c
40050+++ b/drivers/char/tpm/tpm_acpi.c
40051@@ -98,11 +98,12 @@ int read_log(struct tpm_bios_log *log)
40052 virt = acpi_os_map_iomem(start, len);
40053 if (!virt) {
40054 kfree(log->bios_event_log);
40055+ log->bios_event_log = NULL;
40056 printk("%s: ERROR - Unable to map memory\n", __func__);
40057 return -EIO;
40058 }
40059
40060- memcpy_fromio(log->bios_event_log, virt, len);
40061+ memcpy_fromio(log->bios_event_log, (const char __force_kernel *)virt, len);
40062
40063 acpi_os_unmap_iomem(virt, len);
40064 return 0;
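Review bot: The cast added to the `memcpy_fromio()` call replaces whatever address-space annotation `virt` carries with `__force_kernel`, and nothing next to it says why the mapping returned by `acpi_os_map_iomem()` may be treated that way. After this change a static checker can no longer flag a misuse on this line, so the reasoning belongs in a comment, for example `/* virt maps the ACPI event-log table, not device registers; the cast only changes the checker annotation */`, once that has been confirmed. The declaration of `virt` and the rest of `read_log()` lie outside the hunk, so its original annotation is inferred from the call that assigns it.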
40065diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
40066index 3a56a13..f8cbd25 100644
40067--- a/drivers/char/tpm/tpm_eventlog.c
40068+++ b/drivers/char/tpm/tpm_eventlog.c
40069@@ -95,7 +95,7 @@ static void *tpm_bios_measurements_start(struct seq_file *m, loff_t *pos)
40070 event = addr;
40071
40072 if ((event->event_type == 0 && event->event_size == 0) ||
40073- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
40074+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
40075 return NULL;
40076
40077 return addr;
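Review bot: The rewritten bound in `tpm_bios_measurements_start()` can wrap when fewer than `sizeof(struct tcpa_event)` bytes remain before `limit`, because `limit - addr - sizeof(struct tcpa_event)` is then evaluated as a very large unsigned value and an oversized `event_size` is accepted. The new form removes the pointer-overflow hazard of the old sum, but it is only safe if code above the hunk already guarantees that a full header fits, and that code is not visible here. Either state that dependency in a comment or make the test self-contained by checking first, e.g. `if (limit - addr < sizeof(struct tcpa_event)) return NULL;` (the types of `addr` and `limit` are declared outside the hunk, so confirm the comparison is unsigned-safe). The same applies to the matching test on `v` in `tpm_bios_measurements_next()` in the next hunk.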
40078@@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next(struct seq_file *m, void *v,
40079 return NULL;
40080
40081 if ((event->event_type == 0 && event->event_size == 0) ||
40082- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
40083+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
40084 return NULL;
40085
40086 (*pos)++;
40087@@ -213,7 +213,8 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
40088 int i;
40089
40090 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
40091- seq_putc(m, data[i]);
40092+ if (!seq_putc(m, data[i]))
40093+ return -EFAULT;
40094
40095 return 0;
40096 }
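Review bot: The new test `if (!seq_putc(m, data[i]))` in `tpm_binary_bios_measurements_show()` looks inverted. `seq_putc()` is not defined in this part of the patch, but in mainline kernels of this series it returns 0 when the byte was stored and -1 when the buffer is full, so `!seq_putc(...)` would be true on success and the function would bail out with an error after the first byte. If that return convention holds in the patched tree, the condition should read `if (seq_putc(m, data[i]))`. `-EFAULT` is also an unusual code for a full seq_file buffer, which the seq_file core normally handles by enlarging the buffer and retrying, so confirm that returning an error from `->show()` does not defeat that. The two-line loop body should get braces.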
40097diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
40098index d2406fe..243951a 100644
40099--- a/drivers/char/virtio_console.c
40100+++ b/drivers/char/virtio_console.c
40101@@ -685,7 +685,7 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf,
40102 if (to_user) {
40103 ssize_t ret;
40104
40105- ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
40106+ ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
40107 if (ret)
40108 return -EFAULT;
40109 } else {
40110@@ -789,7 +789,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
40111 if (!port_has_data(port) && !port->host_connected)
40112 return 0;
40113
40114- return fill_readbuf(port, ubuf, count, true);
40115+ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
40116 }
40117
40118 static int wait_port_writable(struct port *port, bool nonblock)
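Review bot: The cast in `port_fops_read()` relabels `ubuf` as a kernel pointer just before passing it to `fill_readbuf()`, whose parameter is declared `char __user *out_buf` (visible in the previous hunk's header) and which that hunk casts back with `__force_user` for `copy_to_user()`. The two casts cancel out, and together they hide from the checker the one property that matters on this path: `to_user == true` must always be paired with a user-space buffer. If the patched tree changes the prototype of `fill_readbuf()` elsewhere, say so at the call site, e.g. `/* out_buf is a user pointer iff to_user is true; annotation forced because the parameter is shared with the in-kernel path */`; if it does not, both casts can be dropped. Both functions extend beyond their hunks.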
40119diff --git a/drivers/clk/clk-composite.c b/drivers/clk/clk-composite.c
40120index 616f5ae..747bdd0 100644
40121--- a/drivers/clk/clk-composite.c
40122+++ b/drivers/clk/clk-composite.c
40123@@ -197,7 +197,7 @@ struct clk *clk_register_composite(struct device *dev, const char *name,
40124 struct clk *clk;
40125 struct clk_init_data init;
40126 struct clk_composite *composite;
40127- struct clk_ops *clk_composite_ops;
40128+ clk_ops_no_const *clk_composite_ops;
40129
40130 composite = kzalloc(sizeof(*composite), GFP_KERNEL);
40131 if (!composite)
40132diff --git a/drivers/clk/samsung/clk.h b/drivers/clk/samsung/clk.h
40133index b775fc2..2d45b64 100644
40134--- a/drivers/clk/samsung/clk.h
40135+++ b/drivers/clk/samsung/clk.h
40136@@ -260,7 +260,7 @@ struct samsung_gate_clock {
40137 #define GATE_DA(_id, dname, cname, pname, o, b, f, gf, a) \
40138 __GATE(_id, dname, cname, pname, o, b, f, gf, a)
40139
40140-#define PNAME(x) static const char *x[] __initdata
40141+#define PNAME(x) static const char * const x[] __initconst
40142
40143 /**
40144 * struct samsung_clk_reg_dump: register dump of clock controller registers.
40145diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
40146index 82449cd..dcfec30 100644
40147--- a/drivers/clk/socfpga/clk-gate.c
40148+++ b/drivers/clk/socfpga/clk-gate.c
40149@@ -22,6 +22,7 @@
40150 #include <linux/mfd/syscon.h>
40151 #include <linux/of.h>
40152 #include <linux/regmap.h>
40153+#include <asm/pgtable.h>
40154
40155 #include "clk.h"
40156
40157@@ -170,7 +171,7 @@ static int socfpga_clk_prepare(struct clk_hw *hwclk)
40158 return 0;
40159 }
40160
40161-static struct clk_ops gateclk_ops = {
40162+static clk_ops_no_const gateclk_ops __read_only = {
40163 .prepare = socfpga_clk_prepare,
40164 .recalc_rate = socfpga_clk_recalc_rate,
40165 .get_parent = socfpga_clk_get_parent,
40166@@ -203,8 +204,10 @@ static void __init __socfpga_gate_init(struct device_node *node,
40167 socfpga_clk->hw.reg = clk_mgr_base_addr + clk_gate[0];
40168 socfpga_clk->hw.bit_idx = clk_gate[1];
40169
40170- gateclk_ops.enable = clk_gate_ops.enable;
40171- gateclk_ops.disable = clk_gate_ops.disable;
40172+ pax_open_kernel();
40173+ *(void **)&gateclk_ops.enable = clk_gate_ops.enable;
40174+ *(void **)&gateclk_ops.disable = clk_gate_ops.disable;
40175+ pax_close_kernel();
40176 }
40177
40178 rc = of_property_read_u32(node, "fixed-divider", &fixed_div);
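Review bot: The `*(void **)&gateclk_ops.enable = ...` stores in `__socfpga_gate_init()` go through a `void **` cast, so the compiler no longer checks that the assigned function matches the prototype of the `enable` and `disable` members. That check is the only compile-time guard on what lands in an ops table that is otherwise kept read-only, so a handler of the wrong type would be accepted silently. A comment above `pax_open_kernel()` should state that the cast exists only to get past the const qualification of the object, and the open window should stay limited to these two stores, as it is here. The same idiom appears in the hunks for `clk-pll.c`, `acpi-cpufreq.c`, `cpufreq-dt.c`, `cpufreq.c` and `cpufreq_ondemand.c`; the function body continues outside this hunk.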
40179diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c
40180index 8f26b52..29f2a3a 100644
40181--- a/drivers/clk/socfpga/clk-pll.c
40182+++ b/drivers/clk/socfpga/clk-pll.c
40183@@ -21,6 +21,7 @@
40184 #include <linux/io.h>
40185 #include <linux/of.h>
40186 #include <linux/of_address.h>
40187+#include <asm/pgtable.h>
40188
40189 #include "clk.h"
40190
40191@@ -76,7 +77,7 @@ static u8 clk_pll_get_parent(struct clk_hw *hwclk)
40192 CLK_MGR_PLL_CLK_SRC_MASK;
40193 }
40194
40195-static struct clk_ops clk_pll_ops = {
40196+static clk_ops_no_const clk_pll_ops __read_only = {
40197 .recalc_rate = clk_pll_recalc_rate,
40198 .get_parent = clk_pll_get_parent,
40199 };
40200@@ -115,8 +116,10 @@ static __init struct clk *__socfpga_pll_init(struct device_node *node,
40201 pll_clk->hw.hw.init = &init;
40202
40203 pll_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA;
40204- clk_pll_ops.enable = clk_gate_ops.enable;
40205- clk_pll_ops.disable = clk_gate_ops.disable;
40206+ pax_open_kernel();
40207+ *(void **)&clk_pll_ops.enable = clk_gate_ops.enable;
40208+ *(void **)&clk_pll_ops.disable = clk_gate_ops.disable;
40209+ pax_close_kernel();
40210
40211 clk = clk_register(NULL, &pll_clk->hw.hw);
40212 if (WARN_ON(IS_ERR(clk))) {
40213diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
40214index 0136dfc..4cc55cb 100644
40215--- a/drivers/cpufreq/acpi-cpufreq.c
40216+++ b/drivers/cpufreq/acpi-cpufreq.c
40217@@ -675,8 +675,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
40218 data->acpi_data = per_cpu_ptr(acpi_perf_data, cpu);
40219 per_cpu(acfreq_data, cpu) = data;
40220
40221- if (cpu_has(c, X86_FEATURE_CONSTANT_TSC))
40222- acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;
40223+ if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) {
40224+ pax_open_kernel();
40225+ *(u8 *)&acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;
40226+ pax_close_kernel();
40227+ }
40228
40229 result = acpi_processor_register_performance(data->acpi_data, cpu);
40230 if (result)
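Review bot: The store `*(u8 *)&acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;` hard-codes the width of `flags`, whose declaration is not part of this patch section. If the member is ever wider than one byte, the cast updates only the byte at the lowest address, which is the wrong byte on big-endian machines, and the compiler will not complain. A guard next to the store, `BUILD_BUG_ON(sizeof(acpi_cpufreq_driver.flags) != sizeof(u8));`, keeps the cast honest. The same `u8` cast is used in `cpufreq_register_driver()`, three times in `p4-clockmod.c` and once in `speedstep-centrino.c`. `acpi_cpufreq_cpu_init()` starts and ends outside the hunk.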
40231@@ -810,7 +813,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
40232 policy->cur = acpi_cpufreq_guess_freq(data, policy->cpu);
40233 break;
40234 case ACPI_ADR_SPACE_FIXED_HARDWARE:
40235- acpi_cpufreq_driver.get = get_cur_freq_on_cpu;
40236+ pax_open_kernel();
40237+ *(void **)&acpi_cpufreq_driver.get = get_cur_freq_on_cpu;
40238+ pax_close_kernel();
40239 break;
40240 default:
40241 break;
40242@@ -904,8 +909,10 @@ static void __init acpi_cpufreq_boost_init(void)
40243 if (!msrs)
40244 return;
40245
40246- acpi_cpufreq_driver.boost_supported = true;
40247- acpi_cpufreq_driver.boost_enabled = boost_state(0);
40248+ pax_open_kernel();
40249+ *(bool *)&acpi_cpufreq_driver.boost_supported = true;
40250+ *(bool *)&acpi_cpufreq_driver.boost_enabled = boost_state(0);
40251+ pax_close_kernel();
40252
40253 cpu_notifier_register_begin();
40254
40255diff --git a/drivers/cpufreq/cpufreq-dt.c b/drivers/cpufreq/cpufreq-dt.c
40256index 528a82bf..78dc025 100644
40257--- a/drivers/cpufreq/cpufreq-dt.c
40258+++ b/drivers/cpufreq/cpufreq-dt.c
40259@@ -392,7 +392,9 @@ static int dt_cpufreq_probe(struct platform_device *pdev)
40260 if (!IS_ERR(cpu_reg))
40261 regulator_put(cpu_reg);
40262
40263- dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev);
40264+ pax_open_kernel();
40265+ *(void **)&dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev);
40266+ pax_close_kernel();
40267
40268 ret = cpufreq_register_driver(&dt_cpufreq_driver);
40269 if (ret)
40270diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
40271index 7a3c30c..bac142e 100644
40272--- a/drivers/cpufreq/cpufreq.c
40273+++ b/drivers/cpufreq/cpufreq.c
40274@@ -2197,7 +2197,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor)
40275 read_unlock_irqrestore(&cpufreq_driver_lock, flags);
40276
40277 mutex_lock(&cpufreq_governor_mutex);
40278- list_del(&governor->governor_list);
40279+ pax_list_del(&governor->governor_list);
40280 mutex_unlock(&cpufreq_governor_mutex);
40281 return;
40282 }
40283@@ -2412,7 +2412,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb,
40284 return NOTIFY_OK;
40285 }
40286
40287-static struct notifier_block __refdata cpufreq_cpu_notifier = {
40288+static struct notifier_block cpufreq_cpu_notifier = {
40289 .notifier_call = cpufreq_cpu_callback,
40290 };
40291
40292@@ -2452,13 +2452,17 @@ int cpufreq_boost_trigger_state(int state)
40293 return 0;
40294
40295 write_lock_irqsave(&cpufreq_driver_lock, flags);
40296- cpufreq_driver->boost_enabled = state;
40297+ pax_open_kernel();
40298+ *(bool *)&cpufreq_driver->boost_enabled = state;
40299+ pax_close_kernel();
40300 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40301
40302 ret = cpufreq_driver->set_boost(state);
40303 if (ret) {
40304 write_lock_irqsave(&cpufreq_driver_lock, flags);
40305- cpufreq_driver->boost_enabled = !state;
40306+ pax_open_kernel();
40307+ *(bool *)&cpufreq_driver->boost_enabled = !state;
40308+ pax_close_kernel();
40309 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40310
40311 pr_err("%s: Cannot %s BOOST\n",
40312@@ -2523,16 +2527,22 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
40313 cpufreq_driver = driver_data;
40314 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40315
40316- if (driver_data->setpolicy)
40317- driver_data->flags |= CPUFREQ_CONST_LOOPS;
40318+ if (driver_data->setpolicy) {
40319+ pax_open_kernel();
40320+ *(u8 *)&driver_data->flags |= CPUFREQ_CONST_LOOPS;
40321+ pax_close_kernel();
40322+ }
40323
40324 if (cpufreq_boost_supported()) {
40325 /*
40326 * Check if driver provides function to enable boost -
40327 * if not, use cpufreq_boost_set_sw as default
40328 */
40329- if (!cpufreq_driver->set_boost)
40330- cpufreq_driver->set_boost = cpufreq_boost_set_sw;
40331+ if (!cpufreq_driver->set_boost) {
40332+ pax_open_kernel();
40333+ *(void **)&cpufreq_driver->set_boost = cpufreq_boost_set_sw;
40334+ pax_close_kernel();
40335+ }
40336
40337 ret = cpufreq_sysfs_create_file(&boost.attr);
40338 if (ret) {
40339diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
40340index 57a39f8..feb9c73 100644
40341--- a/drivers/cpufreq/cpufreq_governor.c
40342+++ b/drivers/cpufreq/cpufreq_governor.c
40343@@ -378,7 +378,7 @@ static int cpufreq_governor_start(struct cpufreq_policy *policy,
40344 cs_dbs_info->enable = 1;
40345 cs_dbs_info->requested_freq = policy->cur;
40346 } else {
40347- struct od_ops *od_ops = cdata->gov_ops;
40348+ const struct od_ops *od_ops = cdata->gov_ops;
40349 struct od_cpu_dbs_info_s *od_dbs_info = cdata->get_cpu_dbs_info_s(cpu);
40350
40351 od_dbs_info->rate_mult = 1;
40352diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h
40353index 34736f5..da8cf4a 100644
40354--- a/drivers/cpufreq/cpufreq_governor.h
40355+++ b/drivers/cpufreq/cpufreq_governor.h
40356@@ -212,7 +212,7 @@ struct common_dbs_data {
40357 void (*exit)(struct dbs_data *dbs_data, bool notify);
40358
40359 /* Governor specific ops, see below */
40360- void *gov_ops;
40361+ const void *gov_ops;
40362
40363 /*
40364 * Protects governor's data (struct dbs_data and struct common_dbs_data)
40365@@ -234,7 +234,7 @@ struct od_ops {
40366 unsigned int (*powersave_bias_target)(struct cpufreq_policy *policy,
40367 unsigned int freq_next, unsigned int relation);
40368 void (*freq_increase)(struct cpufreq_policy *policy, unsigned int freq);
40369-};
40370+} __no_const;
40371
40372 static inline int delay_for_sampling_rate(unsigned int sampling_rate)
40373 {
40374diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c
40375index 3c1e10f..02f17af 100644
40376--- a/drivers/cpufreq/cpufreq_ondemand.c
40377+++ b/drivers/cpufreq/cpufreq_ondemand.c
40378@@ -523,7 +523,7 @@ static void od_exit(struct dbs_data *dbs_data, bool notify)
40379
40380 define_get_cpu_dbs_routines(od_cpu_dbs_info);
40381
40382-static struct od_ops od_ops = {
40383+static struct od_ops od_ops __read_only = {
40384 .powersave_bias_init_cpu = ondemand_powersave_bias_init_cpu,
40385 .powersave_bias_target = generic_powersave_bias_target,
40386 .freq_increase = dbs_freq_increase,
40387@@ -579,14 +579,18 @@ void od_register_powersave_bias_handler(unsigned int (*f)
40388 (struct cpufreq_policy *, unsigned int, unsigned int),
40389 unsigned int powersave_bias)
40390 {
40391- od_ops.powersave_bias_target = f;
40392+ pax_open_kernel();
40393+ *(void **)&od_ops.powersave_bias_target = f;
40394+ pax_close_kernel();
40395 od_set_powersave_bias(powersave_bias);
40396 }
40397 EXPORT_SYMBOL_GPL(od_register_powersave_bias_handler);
40398
40399 void od_unregister_powersave_bias_handler(void)
40400 {
40401- od_ops.powersave_bias_target = generic_powersave_bias_target;
40402+ pax_open_kernel();
40403+ *(void **)&od_ops.powersave_bias_target = generic_powersave_bias_target;
40404+ pax_close_kernel();
40405 od_set_powersave_bias(0);
40406 }
40407 EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
40408diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
40409index fcb929e..e628818 100644
40410--- a/drivers/cpufreq/intel_pstate.c
40411+++ b/drivers/cpufreq/intel_pstate.c
40412@@ -137,10 +137,10 @@ struct pstate_funcs {
40413 struct cpu_defaults {
40414 struct pstate_adjust_policy pid_policy;
40415 struct pstate_funcs funcs;
40416-};
40417+} __do_const;
40418
40419 static struct pstate_adjust_policy pid_params;
40420-static struct pstate_funcs pstate_funcs;
40421+static struct pstate_funcs *pstate_funcs;
40422 static int hwp_active;
40423
40424 struct perf_limits {
40425@@ -726,18 +726,18 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate, bool force)
40426
40427 cpu->pstate.current_pstate = pstate;
40428
40429- pstate_funcs.set(cpu, pstate);
40430+ pstate_funcs->set(cpu, pstate);
40431 }
40432
40433 static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
40434 {
40435- cpu->pstate.min_pstate = pstate_funcs.get_min();
40436- cpu->pstate.max_pstate = pstate_funcs.get_max();
40437- cpu->pstate.turbo_pstate = pstate_funcs.get_turbo();
40438- cpu->pstate.scaling = pstate_funcs.get_scaling();
40439+ cpu->pstate.min_pstate = pstate_funcs->get_min();
40440+ cpu->pstate.max_pstate = pstate_funcs->get_max();
40441+ cpu->pstate.turbo_pstate = pstate_funcs->get_turbo();
40442+ cpu->pstate.scaling = pstate_funcs->get_scaling();
40443
40444- if (pstate_funcs.get_vid)
40445- pstate_funcs.get_vid(cpu);
40446+ if (pstate_funcs->get_vid)
40447+ pstate_funcs->get_vid(cpu);
40448 intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate, false);
40449 }
40450
40451@@ -1070,15 +1070,15 @@ static unsigned int force_load;
40452
40453 static int intel_pstate_msrs_not_valid(void)
40454 {
40455- if (!pstate_funcs.get_max() ||
40456- !pstate_funcs.get_min() ||
40457- !pstate_funcs.get_turbo())
40458+ if (!pstate_funcs->get_max() ||
40459+ !pstate_funcs->get_min() ||
40460+ !pstate_funcs->get_turbo())
40461 return -ENODEV;
40462
40463 return 0;
40464 }
40465
40466-static void copy_pid_params(struct pstate_adjust_policy *policy)
40467+static void copy_pid_params(const struct pstate_adjust_policy *policy)
40468 {
40469 pid_params.sample_rate_ms = policy->sample_rate_ms;
40470 pid_params.p_gain_pct = policy->p_gain_pct;
40471@@ -1090,12 +1090,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy)
40472
40473 static void copy_cpu_funcs(struct pstate_funcs *funcs)
40474 {
40475- pstate_funcs.get_max = funcs->get_max;
40476- pstate_funcs.get_min = funcs->get_min;
40477- pstate_funcs.get_turbo = funcs->get_turbo;
40478- pstate_funcs.get_scaling = funcs->get_scaling;
40479- pstate_funcs.set = funcs->set;
40480- pstate_funcs.get_vid = funcs->get_vid;
40481+ pstate_funcs = funcs;
40482 }
40483
40484 #if IS_ENABLED(CONFIG_ACPI)
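Review bot: `copy_cpu_funcs()` no longer copies anything: it stores the caller's pointer in the global `pstate_funcs`, so the name and the non-const parameter are misleading, and every call site converted to `pstate_funcs->` in the earlier hunks dereferences a pointer that is NULL until this function has run. The `__do_const` on `struct cpu_defaults` moves the function table towards read-only data, but the pointer that selects the table stays in ordinary writable data, so the indirect calls are only as well protected as that one pointer. If every caller runs during initialisation (not visible here), consider declaring it `static const struct pstate_funcs *pstate_funcs __read_only;` and doing the assignment between `pax_open_kernel()` and `pax_close_kernel()`, as the other cpufreq hunks do. At minimum add a comment that the table passed in must outlive the driver.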
40485diff --git a/drivers/cpufreq/p4-clockmod.c b/drivers/cpufreq/p4-clockmod.c
40486index 5dd95da..abc3837 100644
40487--- a/drivers/cpufreq/p4-clockmod.c
40488+++ b/drivers/cpufreq/p4-clockmod.c
40489@@ -134,10 +134,14 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c)
40490 case 0x0F: /* Core Duo */
40491 case 0x16: /* Celeron Core */
40492 case 0x1C: /* Atom */
40493- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40494+ pax_open_kernel();
40495+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40496+ pax_close_kernel();
40497 return speedstep_get_frequency(SPEEDSTEP_CPU_PCORE);
40498 case 0x0D: /* Pentium M (Dothan) */
40499- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40500+ pax_open_kernel();
40501+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40502+ pax_close_kernel();
40503 /* fall through */
40504 case 0x09: /* Pentium M (Banias) */
40505 return speedstep_get_frequency(SPEEDSTEP_CPU_PM);
40506@@ -149,7 +153,9 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c)
40507
40508 /* on P-4s, the TSC runs with constant frequency independent whether
40509 * throttling is active or not. */
40510- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40511+ pax_open_kernel();
40512+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40513+ pax_close_kernel();
40514
40515 if (speedstep_detect_processor() == SPEEDSTEP_CPU_P4M) {
40516 printk(KERN_WARNING PFX "Warning: Pentium 4-M detected. "
40517diff --git a/drivers/cpufreq/sparc-us3-cpufreq.c b/drivers/cpufreq/sparc-us3-cpufreq.c
40518index 9bb42ba..b01b4a2 100644
40519--- a/drivers/cpufreq/sparc-us3-cpufreq.c
40520+++ b/drivers/cpufreq/sparc-us3-cpufreq.c
40521@@ -18,14 +18,12 @@
40522 #include <asm/head.h>
40523 #include <asm/timer.h>
40524
40525-static struct cpufreq_driver *cpufreq_us3_driver;
40526-
40527 struct us3_freq_percpu_info {
40528 struct cpufreq_frequency_table table[4];
40529 };
40530
40531 /* Indexed by cpu number. */
40532-static struct us3_freq_percpu_info *us3_freq_table;
40533+static struct us3_freq_percpu_info us3_freq_table[NR_CPUS];
40534
40535 /* UltraSPARC-III has three dividers: 1, 2, and 32. These are controlled
40536 * in the Safari config register.
40537@@ -156,16 +154,27 @@ static int __init us3_freq_cpu_init(struct cpufreq_policy *policy)
40538
40539 static int us3_freq_cpu_exit(struct cpufreq_policy *policy)
40540 {
40541- if (cpufreq_us3_driver)
40542- us3_freq_target(policy, 0);
40543+ us3_freq_target(policy, 0);
40544
40545 return 0;
40546 }
40547
40548+static int __init us3_freq_init(void);
40549+static void __exit us3_freq_exit(void);
40550+
40551+static struct cpufreq_driver cpufreq_us3_driver = {
40552+ .init = us3_freq_cpu_init,
40553+ .verify = cpufreq_generic_frequency_table_verify,
40554+ .target_index = us3_freq_target,
40555+ .get = us3_freq_get,
40556+ .exit = us3_freq_cpu_exit,
40557+ .name = "UltraSPARC-III",
40558+
40559+};
40560+
40561 static int __init us3_freq_init(void)
40562 {
40563 unsigned long manuf, impl, ver;
40564- int ret;
40565
40566 if (tlb_type != cheetah && tlb_type != cheetah_plus)
40567 return -ENODEV;
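Review bot: The new static `cpufreq_us3_driver` initialiser takes the address of `us3_freq_cpu_init`, which the hunk header shows is marked `__init`, so a permanent object now points at code that is discarded after boot. With the old heap-allocated driver the build could not see this reference; with a static initialiser it will normally be reported as a section mismatch, and a later call through `->init` would run freed memory. Either drop `__init` from `us3_freq_cpu_init()` or document why the cpufreq core cannot call `->init` after initialisation. The forward declarations of `us3_freq_init()` and `us3_freq_exit()` are not referenced by the initialiser and can go, as can the blank line before `};`. `us3_freq_init()` continues in the next hunk.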
40568@@ -178,55 +187,15 @@ static int __init us3_freq_init(void)
40569 (impl == CHEETAH_IMPL ||
40570 impl == CHEETAH_PLUS_IMPL ||
40571 impl == JAGUAR_IMPL ||
40572- impl == PANTHER_IMPL)) {
40573- struct cpufreq_driver *driver;
40574-
40575- ret = -ENOMEM;
40576- driver = kzalloc(sizeof(*driver), GFP_KERNEL);
40577- if (!driver)
40578- goto err_out;
40579-
40580- us3_freq_table = kzalloc((NR_CPUS * sizeof(*us3_freq_table)),
40581- GFP_KERNEL);
40582- if (!us3_freq_table)
40583- goto err_out;
40584-
40585- driver->init = us3_freq_cpu_init;
40586- driver->verify = cpufreq_generic_frequency_table_verify;
40587- driver->target_index = us3_freq_target;
40588- driver->get = us3_freq_get;
40589- driver->exit = us3_freq_cpu_exit;
40590- strcpy(driver->name, "UltraSPARC-III");
40591-
40592- cpufreq_us3_driver = driver;
40593- ret = cpufreq_register_driver(driver);
40594- if (ret)
40595- goto err_out;
40596-
40597- return 0;
40598-
40599-err_out:
40600- if (driver) {
40601- kfree(driver);
40602- cpufreq_us3_driver = NULL;
40603- }
40604- kfree(us3_freq_table);
40605- us3_freq_table = NULL;
40606- return ret;
40607- }
40608+ impl == PANTHER_IMPL))
40609+ return cpufreq_register_driver(&cpufreq_us3_driver);
40610
40611 return -ENODEV;
40612 }
40613
40614 static void __exit us3_freq_exit(void)
40615 {
40616- if (cpufreq_us3_driver) {
40617- cpufreq_unregister_driver(cpufreq_us3_driver);
40618- kfree(cpufreq_us3_driver);
40619- cpufreq_us3_driver = NULL;
40620- kfree(us3_freq_table);
40621- us3_freq_table = NULL;
40622- }
40623+ cpufreq_unregister_driver(&cpufreq_us3_driver);
40624 }
40625
40626 MODULE_AUTHOR("David S. Miller <davem@redhat.com>");
40627diff --git a/drivers/cpufreq/speedstep-centrino.c b/drivers/cpufreq/speedstep-centrino.c
40628index 7d4a315..21bb886 100644
40629--- a/drivers/cpufreq/speedstep-centrino.c
40630+++ b/drivers/cpufreq/speedstep-centrino.c
40631@@ -351,8 +351,11 @@ static int centrino_cpu_init(struct cpufreq_policy *policy)
40632 !cpu_has(cpu, X86_FEATURE_EST))
40633 return -ENODEV;
40634
40635- if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC))
40636- centrino_driver.flags |= CPUFREQ_CONST_LOOPS;
40637+ if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC)) {
40638+ pax_open_kernel();
40639+ *(u8 *)&centrino_driver.flags |= CPUFREQ_CONST_LOOPS;
40640+ pax_close_kernel();
40641+ }
40642
40643 if (policy->cpu != 0)
40644 return -ENODEV;
40645diff --git a/drivers/cpuidle/driver.c b/drivers/cpuidle/driver.c
40646index 5db1478..e90e25e 100644
40647--- a/drivers/cpuidle/driver.c
40648+++ b/drivers/cpuidle/driver.c
40649@@ -193,7 +193,7 @@ static int poll_idle(struct cpuidle_device *dev,
40650
40651 static void poll_idle_init(struct cpuidle_driver *drv)
40652 {
40653- struct cpuidle_state *state = &drv->states[0];
40654+ cpuidle_state_no_const *state = &drv->states[0];
40655
40656 snprintf(state->name, CPUIDLE_NAME_LEN, "POLL");
40657 snprintf(state->desc, CPUIDLE_DESC_LEN, "CPUIDLE CORE POLL IDLE");
40658diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c
40659index a5c111b..1113002 100644
40660--- a/drivers/cpuidle/dt_idle_states.c
40661+++ b/drivers/cpuidle/dt_idle_states.c
40662@@ -21,7 +21,7 @@
40663
40664 #include "dt_idle_states.h"
40665
40666-static int init_state_node(struct cpuidle_state *idle_state,
40667+static int init_state_node(cpuidle_state_no_const *idle_state,
40668 const struct of_device_id *matches,
40669 struct device_node *state_node)
40670 {
40671diff --git a/drivers/cpuidle/governor.c b/drivers/cpuidle/governor.c
40672index fb9f511..213e6cc 100644
40673--- a/drivers/cpuidle/governor.c
40674+++ b/drivers/cpuidle/governor.c
40675@@ -87,7 +87,7 @@ int cpuidle_register_governor(struct cpuidle_governor *gov)
40676 mutex_lock(&cpuidle_lock);
40677 if (__cpuidle_find_governor(gov->name) == NULL) {
40678 ret = 0;
40679- list_add_tail(&gov->governor_list, &cpuidle_governors);
40680+ pax_list_add_tail((struct list_head *)&gov->governor_list, &cpuidle_governors);
40681 if (!cpuidle_curr_governor ||
40682 cpuidle_curr_governor->rating < gov->rating)
40683 cpuidle_switch_governor(gov);
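Review bot: The `(struct list_head *)` cast on `&gov->governor_list` in `cpuidle_register_governor()` is undocumented and is applied inconsistently across this patch. The `devfreq.c` hunks use the same cast, while the `cpufreq_unregister_governor()` hunk calls `pax_list_del(&governor->governor_list)` without one. If the cast is there to strip a const qualifier added to the governor structure (its definition is not visible here), say so in a comment, because an explicit cast also silences the compiler should the member ever stop being a `struct list_head`. `pax_list_add_tail()` and its locking requirements are not defined in this part of the patch, and the function starts and ends outside the hunk.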
40684diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
40685index 832a2c3..1794080 100644
40686--- a/drivers/cpuidle/sysfs.c
40687+++ b/drivers/cpuidle/sysfs.c
40688@@ -135,7 +135,7 @@ static struct attribute *cpuidle_switch_attrs[] = {
40689 NULL
40690 };
40691
40692-static struct attribute_group cpuidle_attr_group = {
40693+static attribute_group_no_const cpuidle_attr_group = {
40694 .attrs = cpuidle_default_attrs,
40695 .name = "cpuidle",
40696 };
40697diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
40698index 8d2a772..33826c9 100644
40699--- a/drivers/crypto/hifn_795x.c
40700+++ b/drivers/crypto/hifn_795x.c
40701@@ -51,7 +51,7 @@ module_param_string(hifn_pll_ref, hifn_pll_ref, sizeof(hifn_pll_ref), 0444);
40702 MODULE_PARM_DESC(hifn_pll_ref,
40703 "PLL reference clock (pci[freq] or ext[freq], default ext)");
40704
40705-static atomic_t hifn_dev_number;
40706+static atomic_unchecked_t hifn_dev_number;
40707
40708 #define ACRYPTO_OP_DECRYPT 0
40709 #define ACRYPTO_OP_ENCRYPT 1
40710@@ -2577,7 +2577,7 @@ static int hifn_probe(struct pci_dev *pdev, const struct pci_device_id *id)
40711 goto err_out_disable_pci_device;
40712
40713 snprintf(name, sizeof(name), "hifn%d",
40714- atomic_inc_return(&hifn_dev_number)-1);
40715+ atomic_inc_return_unchecked(&hifn_dev_number)-1);
40716
40717 err = pci_request_regions(pdev, name);
40718 if (err)
40719diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
40720index ca1b362..01cae6a 100644
40721--- a/drivers/devfreq/devfreq.c
40722+++ b/drivers/devfreq/devfreq.c
40723@@ -672,7 +672,7 @@ int devfreq_add_governor(struct devfreq_governor *governor)
40724 goto err_out;
40725 }
40726
40727- list_add(&governor->node, &devfreq_governor_list);
40728+ pax_list_add((struct list_head *)&governor->node, &devfreq_governor_list);
40729
40730 list_for_each_entry(devfreq, &devfreq_list, node) {
40731 int ret = 0;
40732@@ -760,7 +760,7 @@ int devfreq_remove_governor(struct devfreq_governor *governor)
40733 }
40734 }
40735
40736- list_del(&governor->node);
40737+ pax_list_del((struct list_head *)&governor->node);
40738 err_out:
40739 mutex_unlock(&devfreq_list_lock);
40740
40741diff --git a/drivers/dma/sh/shdma-base.c b/drivers/dma/sh/shdma-base.c
40742index 10fcaba..326f709 100644
40743--- a/drivers/dma/sh/shdma-base.c
40744+++ b/drivers/dma/sh/shdma-base.c
40745@@ -227,8 +227,8 @@ static int shdma_alloc_chan_resources(struct dma_chan *chan)
40746 schan->slave_id = -EINVAL;
40747 }
40748
40749- schan->desc = kcalloc(NR_DESCS_PER_CHANNEL,
40750- sdev->desc_size, GFP_KERNEL);
40751+ schan->desc = kcalloc(sdev->desc_size,
40752+ NR_DESCS_PER_CHANNEL, GFP_KERNEL);
40753 if (!schan->desc) {
40754 ret = -ENOMEM;
40755 goto edescalloc;
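Review bot: The `kcalloc()` arguments in `shdma_alloc_chan_resources()` are now in the opposite order to the allocator's `(n, size, flags)` convention, with the element size `sdev->desc_size` passed as the count. The product and the overflow check do not depend on the order, so the allocation is unchanged, but the next reader will take the swap for a mistake and revert it. Add a comment that gives the reason, for example `/* arguments swapped on purpose: <reason> */`, or keep the conventional order. The function extends beyond the hunk.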
40756diff --git a/drivers/dma/sh/shdmac.c b/drivers/dma/sh/shdmac.c
40757index 11707df..2ea96f7 100644
40758--- a/drivers/dma/sh/shdmac.c
40759+++ b/drivers/dma/sh/shdmac.c
40760@@ -513,7 +513,7 @@ static int sh_dmae_nmi_handler(struct notifier_block *self,
40761 return ret;
40762 }
40763
40764-static struct notifier_block sh_dmae_nmi_notifier __read_mostly = {
40765+static struct notifier_block sh_dmae_nmi_notifier = {
40766 .notifier_call = sh_dmae_nmi_handler,
40767
40768 /* Run before NMI debug handler and KGDB */
40769diff --git a/drivers/edac/edac_device.c b/drivers/edac/edac_device.c
40770index 592af5f..bb1d583 100644
40771--- a/drivers/edac/edac_device.c
40772+++ b/drivers/edac/edac_device.c
40773@@ -477,9 +477,9 @@ void edac_device_reset_delay_period(struct edac_device_ctl_info *edac_dev,
40774 */
40775 int edac_device_alloc_index(void)
40776 {
40777- static atomic_t device_indexes = ATOMIC_INIT(0);
40778+ static atomic_unchecked_t device_indexes = ATOMIC_INIT(0);
40779
40780- return atomic_inc_return(&device_indexes) - 1;
40781+ return atomic_inc_return_unchecked(&device_indexes) - 1;
40782 }
40783 EXPORT_SYMBOL_GPL(edac_device_alloc_index);
40784
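Review bot: `edac_device_alloc_index()` switches its counter to `atomic_unchecked_t` without recording why this counter is exempt from the checked atomic operations. A one-line comment on the declaration, such as `/* index allocator, not a reference count; overflow checking intentionally off */`, would let a later reader tell a deliberate exemption from an oversight. It should also be confirmed that callers tolerate a wrapped index, since the function returns the raw counter minus one and no caller is visible here. The same undocumented switch is made for `hifn_dev_number` in `hifn_795x.c`, `pci_indexes` in `edac_pci.c` and the two parity counters in `edac_pci_sysfs.c`.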
40785diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
40786index 33df7d9..0794989 100644
40787--- a/drivers/edac/edac_mc_sysfs.c
40788+++ b/drivers/edac/edac_mc_sysfs.c
40789@@ -154,7 +154,7 @@ static const char * const edac_caps[] = {
40790 struct dev_ch_attribute {
40791 struct device_attribute attr;
40792 int channel;
40793-};
40794+} __do_const;
40795
40796 #define DEVICE_CHANNEL(_name, _mode, _show, _store, _var) \
40797 static struct dev_ch_attribute dev_attr_legacy_##_name = \
40798diff --git a/drivers/edac/edac_pci.c b/drivers/edac/edac_pci.c
40799index 2cf44b4d..6dd2dc7 100644
40800--- a/drivers/edac/edac_pci.c
40801+++ b/drivers/edac/edac_pci.c
40802@@ -29,7 +29,7 @@
40803
40804 static DEFINE_MUTEX(edac_pci_ctls_mutex);
40805 static LIST_HEAD(edac_pci_list);
40806-static atomic_t pci_indexes = ATOMIC_INIT(0);
40807+static atomic_unchecked_t pci_indexes = ATOMIC_INIT(0);
40808
40809 /*
40810 * edac_pci_alloc_ctl_info
40811@@ -315,7 +315,7 @@ EXPORT_SYMBOL_GPL(edac_pci_reset_delay_period);
40812 */
40813 int edac_pci_alloc_index(void)
40814 {
40815- return atomic_inc_return(&pci_indexes) - 1;
40816+ return atomic_inc_return_unchecked(&pci_indexes) - 1;
40817 }
40818 EXPORT_SYMBOL_GPL(edac_pci_alloc_index);
40819
40820diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
40821index 24d877f..4e30133 100644
40822--- a/drivers/edac/edac_pci_sysfs.c
40823+++ b/drivers/edac/edac_pci_sysfs.c
40824@@ -23,8 +23,8 @@ static int edac_pci_log_pe = 1; /* log PCI parity errors */
40825 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
40826 static int edac_pci_poll_msec = 1000; /* one second workq period */
40827
40828-static atomic_t pci_parity_count = ATOMIC_INIT(0);
40829-static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
40830+static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
40831+static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
40832
40833 static struct kobject *edac_pci_top_main_kobj;
40834 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
40835@@ -232,7 +232,7 @@ struct edac_pci_dev_attribute {
40836 void *value;
40837 ssize_t(*show) (void *, char *);
40838 ssize_t(*store) (void *, const char *, size_t);
40839-};
40840+} __do_const;
40841
40842 /* Set of show/store abstract level functions for PCI Parity object */
40843 static ssize_t edac_pci_dev_show(struct kobject *kobj, struct attribute *attr,
40844@@ -576,7 +576,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
40845 edac_printk(KERN_CRIT, EDAC_PCI,
40846 "Signaled System Error on %s\n",
40847 pci_name(dev));
40848- atomic_inc(&pci_nonparity_count);
40849+ atomic_inc_unchecked(&pci_nonparity_count);
40850 }
40851
40852 if (status & (PCI_STATUS_PARITY)) {
40853@@ -584,7 +584,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
40854 "Master Data Parity Error on %s\n",
40855 pci_name(dev));
40856
40857- atomic_inc(&pci_parity_count);
40858+ atomic_inc_unchecked(&pci_parity_count);
40859 }
40860
40861 if (status & (PCI_STATUS_DETECTED_PARITY)) {
40862@@ -592,7 +592,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
40863 "Detected Parity Error on %s\n",
40864 pci_name(dev));
40865
40866- atomic_inc(&pci_parity_count);
40867+ atomic_inc_unchecked(&pci_parity_count);
40868 }
40869 }
40870
40871@@ -615,7 +615,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
40872 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
40873 "Signaled System Error on %s\n",
40874 pci_name(dev));
40875- atomic_inc(&pci_nonparity_count);
40876+ atomic_inc_unchecked(&pci_nonparity_count);
40877 }
40878
40879 if (status & (PCI_STATUS_PARITY)) {
40880@@ -623,7 +623,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
40881 "Master Data Parity Error on "
40882 "%s\n", pci_name(dev));
40883
40884- atomic_inc(&pci_parity_count);
40885+ atomic_inc_unchecked(&pci_parity_count);
40886 }
40887
40888 if (status & (PCI_STATUS_DETECTED_PARITY)) {
40889@@ -631,7 +631,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
40890 "Detected Parity Error on %s\n",
40891 pci_name(dev));
40892
40893- atomic_inc(&pci_parity_count);
40894+ atomic_inc_unchecked(&pci_parity_count);
40895 }
40896 }
40897 }
40898@@ -669,7 +669,7 @@ void edac_pci_do_parity_check(void)
40899 if (!check_pci_errors)
40900 return;
40901
40902- before_count = atomic_read(&pci_parity_count);
40903+ before_count = atomic_read_unchecked(&pci_parity_count);
40904
40905 /* scan all PCI devices looking for a Parity Error on devices and
40906 * bridges.
40907@@ -681,7 +681,7 @@ void edac_pci_do_parity_check(void)
40908 /* Only if operator has selected panic on PCI Error */
40909 if (edac_pci_get_panic_on_pe()) {
40910 /* If the count is different 'after' from 'before' */
40911- if (before_count != atomic_read(&pci_parity_count))
40912+ if (before_count != atomic_read_unchecked(&pci_parity_count))
40913 panic("EDAC: PCI Parity Error");
40914 }
40915 }
40916diff --git a/drivers/edac/mce_amd.h b/drivers/edac/mce_amd.h
40917index c2359a1..8bd119d 100644
40918--- a/drivers/edac/mce_amd.h
40919+++ b/drivers/edac/mce_amd.h
40920@@ -74,7 +74,7 @@ struct amd_decoder_ops {
40921 bool (*mc0_mce)(u16, u8);
40922 bool (*mc1_mce)(u16, u8);
40923 bool (*mc2_mce)(u16, u8);
40924-};
40925+} __no_const;
40926
40927 void amd_report_gart_errors(bool);
40928 void amd_register_ecc_decoder(void (*f)(int, struct mce *));
40929diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c
40930index 57ea7f4..af06b76 100644
40931--- a/drivers/firewire/core-card.c
40932+++ b/drivers/firewire/core-card.c
40933@@ -528,9 +528,9 @@ void fw_card_initialize(struct fw_card *card,
40934 const struct fw_card_driver *driver,
40935 struct device *device)
40936 {
40937- static atomic_t index = ATOMIC_INIT(-1);
40938+ static atomic_unchecked_t index = ATOMIC_INIT(-1);
40939
40940- card->index = atomic_inc_return(&index);
40941+ card->index = atomic_inc_return_unchecked(&index);
40942 card->driver = driver;
40943 card->device = device;
40944 card->current_tlabel = 0;
40945@@ -680,7 +680,7 @@ EXPORT_SYMBOL_GPL(fw_card_release);
40946
40947 void fw_core_remove_card(struct fw_card *card)
40948 {
40949- struct fw_card_driver dummy_driver = dummy_driver_template;
40950+ fw_card_driver_no_const dummy_driver = dummy_driver_template;
40951
40952 card->driver->update_phy_reg(card, 4,
40953 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
40954diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
40955index f9e3aee..269dbdb 100644
40956--- a/drivers/firewire/core-device.c
40957+++ b/drivers/firewire/core-device.c
40958@@ -256,7 +256,7 @@ EXPORT_SYMBOL(fw_device_enable_phys_dma);
40959 struct config_rom_attribute {
40960 struct device_attribute attr;
40961 u32 key;
40962-};
40963+} __do_const;
40964
40965 static ssize_t show_immediate(struct device *dev,
40966 struct device_attribute *dattr, char *buf)
40967diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-transaction.c
40968index d6a09b9..18e90dd 100644
40969--- a/drivers/firewire/core-transaction.c
40970+++ b/drivers/firewire/core-transaction.c
40971@@ -38,6 +38,7 @@
40972 #include <linux/timer.h>
40973 #include <linux/types.h>
40974 #include <linux/workqueue.h>
40975+#include <linux/sched.h>
40976
40977 #include <asm/byteorder.h>
40978
40979diff --git a/drivers/firewire/core.h b/drivers/firewire/core.h
40980index e1480ff6..1a429bd 100644
40981--- a/drivers/firewire/core.h
40982+++ b/drivers/firewire/core.h
40983@@ -111,6 +111,7 @@ struct fw_card_driver {
40984
40985 int (*stop_iso)(struct fw_iso_context *ctx);
40986 };
40987+typedef struct fw_card_driver __no_const fw_card_driver_no_const;
40988
40989 void fw_card_initialize(struct fw_card *card,
40990 const struct fw_card_driver *driver, struct device *device);
40991diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
40992index f51d376..b118e40 100644
40993--- a/drivers/firewire/ohci.c
40994+++ b/drivers/firewire/ohci.c
40995@@ -2049,10 +2049,12 @@ static void bus_reset_work(struct work_struct *work)
40996 be32_to_cpu(ohci->next_header));
40997 }
40998
40999+#ifndef CONFIG_GRKERNSEC
41000 if (param_remote_dma) {
41001 reg_write(ohci, OHCI1394_PhyReqFilterHiSet, ~0);
41002 reg_write(ohci, OHCI1394_PhyReqFilterLoSet, ~0);
41003 }
41004+#endif
41005
41006 spin_unlock_irq(&ohci->lock);
41007
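Review bot: With CONFIG_GRKERNSEC set, `param_remote_dma` is still accepted but silently has no effect, and neither this hunk nor the matching one in ohci_enable_phys_dma() records that. A comment above the `#ifndef` would capture the intent, e.g. `/* grsecurity: never open the physical request filters to every node, whatever param_remote_dma says */`. In ohci_enable_phys_dma() the guard also removes the early `return 0`, so execution falls through to the rest of that function, which is outside the hunk; it is worth confirming that this is the intended behaviour. Both function bodies start and end outside the hunks.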
41008@@ -2584,8 +2586,10 @@ static int ohci_enable_phys_dma(struct fw_card *card,
41009 unsigned long flags;
41010 int n, ret = 0;
41011
41012+#ifndef CONFIG_GRKERNSEC
41013 if (param_remote_dma)
41014 return 0;
41015+#endif
41016
41017 /*
41018 * FIXME: Make sure this bitmask is cleared when we clear the busReset
41019diff --git a/drivers/firmware/dmi-id.c b/drivers/firmware/dmi-id.c
41020index 94a58a0..f5eba42 100644
41021--- a/drivers/firmware/dmi-id.c
41022+++ b/drivers/firmware/dmi-id.c
41023@@ -16,7 +16,7 @@
41024 struct dmi_device_attribute{
41025 struct device_attribute dev_attr;
41026 int field;
41027-};
41028+} __do_const;
41029 #define to_dmi_dev_attr(_dev_attr) \
41030 container_of(_dev_attr, struct dmi_device_attribute, dev_attr)
41031
41032diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
41033index ac1ce4a..321745e 100644
41034--- a/drivers/firmware/dmi_scan.c
41035+++ b/drivers/firmware/dmi_scan.c
41036@@ -690,14 +690,18 @@ static int __init dmi_init(void)
41037 if (!dmi_table)
41038 goto err_tables;
41039
41040- bin_attr_smbios_entry_point.size = smbios_entry_point_size;
41041- bin_attr_smbios_entry_point.private = smbios_entry_point;
41042+ pax_open_kernel();
41043+ *(size_t *)&bin_attr_smbios_entry_point.size = smbios_entry_point_size;
41044+ *(void **)&bin_attr_smbios_entry_point.private = smbios_entry_point;
41045+ pax_close_kernel();
41046 ret = sysfs_create_bin_file(tables_kobj, &bin_attr_smbios_entry_point);
41047 if (ret)
41048 goto err_unmap;
41049
41050- bin_attr_DMI.size = dmi_len;
41051- bin_attr_DMI.private = dmi_table;
41052+ pax_open_kernel();
41053+ *(size_t *)&bin_attr_DMI.size = dmi_len;
41054+ *(void **)&bin_attr_DMI.private = dmi_table;
41055+ pax_close_kernel();
41056 ret = sysfs_create_bin_file(tables_kobj, &bin_attr_DMI);
41057 if (!ret)
41058 return 0;
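Review bot: The stores through `*(size_t *)&…` and `*(void **)&…` between `pax_open_kernel()` and `pax_close_kernel()` carry no comment saying why the cast is needed, so to a reader unfamiliar with the constification scheme they look like a const-correctness bug. A one-line comment before each window would help, e.g. `/* bin_attr_* is read-only after constification; set the runtime fields inside an open-kernel window */` (the read-only placement is inferred, since the declarations are outside the hunk). The same applies to the windows in generic_ops_register() in efi.c, in memconsole_init(), and in the two gpiolib.c hunks. The comment should also say that the window must hold only the stores themselves, which is the case in all of these hunks today.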
41059diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
41060index d425374..1da1716 100644
41061--- a/drivers/firmware/efi/cper.c
41062+++ b/drivers/firmware/efi/cper.c
41063@@ -44,12 +44,12 @@ static char rcd_decode_str[CPER_REC_LEN];
41064 */
41065 u64 cper_next_record_id(void)
41066 {
41067- static atomic64_t seq;
41068+ static atomic64_unchecked_t seq;
41069
41070- if (!atomic64_read(&seq))
41071- atomic64_set(&seq, ((u64)get_seconds()) << 32);
41072+ if (!atomic64_read_unchecked(&seq))
41073+ atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
41074
41075- return atomic64_inc_return(&seq);
41076+ return atomic64_inc_return_unchecked(&seq);
41077 }
41078 EXPORT_SYMBOL_GPL(cper_next_record_id);
41079
41080diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
41081index d6144e3..23f9686 100644
41082--- a/drivers/firmware/efi/efi.c
41083+++ b/drivers/firmware/efi/efi.c
41084@@ -170,14 +170,16 @@ static struct attribute_group efi_subsys_attr_group = {
41085 };
41086
41087 static struct efivars generic_efivars;
41088-static struct efivar_operations generic_ops;
41089+static efivar_operations_no_const generic_ops __read_only;
41090
41091 static int generic_ops_register(void)
41092 {
41093- generic_ops.get_variable = efi.get_variable;
41094- generic_ops.set_variable = efi.set_variable;
41095- generic_ops.get_next_variable = efi.get_next_variable;
41096- generic_ops.query_variable_store = efi_query_variable_store;
41097+ pax_open_kernel();
41098+ *(void **)&generic_ops.get_variable = efi.get_variable;
41099+ *(void **)&generic_ops.set_variable = efi.set_variable;
41100+ *(void **)&generic_ops.get_next_variable = efi.get_next_variable;
41101+ *(void **)&generic_ops.query_variable_store = efi_query_variable_store;
41102+ pax_close_kernel();
41103
41104 return efivars_register(&generic_efivars, &generic_ops, efi_kobj);
41105 }
41106diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c
41107index 756eca8..2336d08 100644
41108--- a/drivers/firmware/efi/efivars.c
41109+++ b/drivers/firmware/efi/efivars.c
41110@@ -590,7 +590,7 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var)
41111 static int
41112 create_efivars_bin_attributes(void)
41113 {
41114- struct bin_attribute *attr;
41115+ bin_attribute_no_const *attr;
41116 int error;
41117
41118 /* new_var */
41119diff --git a/drivers/firmware/efi/runtime-map.c b/drivers/firmware/efi/runtime-map.c
41120index 5c55227..97f4978 100644
41121--- a/drivers/firmware/efi/runtime-map.c
41122+++ b/drivers/firmware/efi/runtime-map.c
41123@@ -97,7 +97,7 @@ static void map_release(struct kobject *kobj)
41124 kfree(entry);
41125 }
41126
41127-static struct kobj_type __refdata map_ktype = {
41128+static const struct kobj_type __refconst map_ktype = {
41129 .sysfs_ops = &map_attr_ops,
41130 .default_attrs = def_attrs,
41131 .release = map_release,
41132diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
41133index f1ab05e..ab51228 100644
41134--- a/drivers/firmware/google/gsmi.c
41135+++ b/drivers/firmware/google/gsmi.c
41136@@ -709,7 +709,7 @@ static u32 __init hash_oem_table_id(char s[8])
41137 return local_hash_64(input, 32);
41138 }
41139
41140-static struct dmi_system_id gsmi_dmi_table[] __initdata = {
41141+static const struct dmi_system_id gsmi_dmi_table[] __initconst = {
41142 {
41143 .ident = "Google Board",
41144 .matches = {
41145diff --git a/drivers/firmware/google/memconsole.c b/drivers/firmware/google/memconsole.c
41146index 2f569aa..26e4f39 100644
41147--- a/drivers/firmware/google/memconsole.c
41148+++ b/drivers/firmware/google/memconsole.c
41149@@ -136,7 +136,7 @@ static bool __init found_memconsole(void)
41150 return false;
41151 }
41152
41153-static struct dmi_system_id memconsole_dmi_table[] __initdata = {
41154+static const struct dmi_system_id memconsole_dmi_table[] __initconst = {
41155 {
41156 .ident = "Google Board",
41157 .matches = {
41158@@ -155,7 +155,10 @@ static int __init memconsole_init(void)
41159 if (!found_memconsole())
41160 return -ENODEV;
41161
41162- memconsole_bin_attr.size = memconsole_length;
41163+ pax_open_kernel();
41164+ *(size_t *)&memconsole_bin_attr.size = memconsole_length;
41165+ pax_close_kernel();
41166+
41167 return sysfs_create_bin_file(firmware_kobj, &memconsole_bin_attr);
41168 }
41169
41170diff --git a/drivers/firmware/memmap.c b/drivers/firmware/memmap.c
41171index 5de3ed2..d839c56 100644
41172--- a/drivers/firmware/memmap.c
41173+++ b/drivers/firmware/memmap.c
41174@@ -124,7 +124,7 @@ static void __meminit release_firmware_map_entry(struct kobject *kobj)
41175 kfree(entry);
41176 }
41177
41178-static struct kobj_type __refdata memmap_ktype = {
41179+static const struct kobj_type __refconst memmap_ktype = {
41180 .release = release_firmware_map_entry,
41181 .sysfs_ops = &memmap_attr_ops,
41182 .default_attrs = def_attrs,
41183diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c
41184index c246ac3..6867ca6 100644
41185--- a/drivers/gpio/gpio-davinci.c
41186+++ b/drivers/gpio/gpio-davinci.c
41187@@ -442,9 +442,9 @@ static struct irq_chip *davinci_gpio_get_irq_chip(unsigned int irq)
41188 return &gpio_unbanked.chip;
41189 };
41190
41191-static struct irq_chip *keystone_gpio_get_irq_chip(unsigned int irq)
41192+static irq_chip_no_const *keystone_gpio_get_irq_chip(unsigned int irq)
41193 {
41194- static struct irq_chip gpio_unbanked;
41195+ static irq_chip_no_const gpio_unbanked;
41196
41197 gpio_unbanked = *irq_get_chip(irq);
41198 return &gpio_unbanked;
41199@@ -474,7 +474,7 @@ static int davinci_gpio_irq_setup(struct platform_device *pdev)
41200 struct davinci_gpio_regs __iomem *g;
41201 struct irq_domain *irq_domain = NULL;
41202 const struct of_device_id *match;
41203- struct irq_chip *irq_chip;
41204+ irq_chip_no_const *irq_chip;
41205 gpio_get_irq_chip_cb_t gpio_get_irq_chip;
41206
41207 /*
41208diff --git a/drivers/gpio/gpio-em.c b/drivers/gpio/gpio-em.c
41209index fbf2873..0a37114 100644
41210--- a/drivers/gpio/gpio-em.c
41211+++ b/drivers/gpio/gpio-em.c
41212@@ -278,7 +278,7 @@ static int em_gio_probe(struct platform_device *pdev)
41213 struct em_gio_priv *p;
41214 struct resource *io[2], *irq[2];
41215 struct gpio_chip *gpio_chip;
41216- struct irq_chip *irq_chip;
41217+ irq_chip_no_const *irq_chip;
41218 const char *name = dev_name(&pdev->dev);
41219 int ret;
41220
41221diff --git a/drivers/gpio/gpio-ich.c b/drivers/gpio/gpio-ich.c
41222index 4ba7ed5..1536b5d 100644
41223--- a/drivers/gpio/gpio-ich.c
41224+++ b/drivers/gpio/gpio-ich.c
41225@@ -94,7 +94,7 @@ struct ichx_desc {
41226 * this option allows driver caching written output values
41227 */
41228 bool use_outlvl_cache;
41229-};
41230+} __do_const;
41231
41232 static struct {
41233 spinlock_t lock;
41234diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
41235index 61a731f..d5ca6cb 100644
41236--- a/drivers/gpio/gpio-omap.c
41237+++ b/drivers/gpio/gpio-omap.c
41238@@ -1067,7 +1067,7 @@ static void omap_gpio_mod_init(struct gpio_bank *bank)
41239 dev_err(bank->dev, "Could not get gpio dbck\n");
41240 }
41241
41242-static int omap_gpio_chip_init(struct gpio_bank *bank, struct irq_chip *irqc)
41243+static int omap_gpio_chip_init(struct gpio_bank *bank, irq_chip_no_const *irqc)
41244 {
41245 static int gpio;
41246 int irq_base = 0;
41247@@ -1150,7 +1150,7 @@ static int omap_gpio_probe(struct platform_device *pdev)
41248 const struct omap_gpio_platform_data *pdata;
41249 struct resource *res;
41250 struct gpio_bank *bank;
41251- struct irq_chip *irqc;
41252+ irq_chip_no_const *irqc;
41253 int ret;
41254
41255 match = of_match_device(of_match_ptr(omap_gpio_match), dev);
41256diff --git a/drivers/gpio/gpio-rcar.c b/drivers/gpio/gpio-rcar.c
41257index 1e14a6c..0442450 100644
41258--- a/drivers/gpio/gpio-rcar.c
41259+++ b/drivers/gpio/gpio-rcar.c
41260@@ -379,7 +379,7 @@ static int gpio_rcar_probe(struct platform_device *pdev)
41261 struct gpio_rcar_priv *p;
41262 struct resource *io, *irq;
41263 struct gpio_chip *gpio_chip;
41264- struct irq_chip *irq_chip;
41265+ irq_chip_no_const *irq_chip;
41266 struct device *dev = &pdev->dev;
41267 const char *name = dev_name(dev);
41268 int ret;
41269diff --git a/drivers/gpio/gpio-vr41xx.c b/drivers/gpio/gpio-vr41xx.c
41270index c1caa45..f0f97d2 100644
41271--- a/drivers/gpio/gpio-vr41xx.c
41272+++ b/drivers/gpio/gpio-vr41xx.c
41273@@ -224,7 +224,7 @@ static int giu_get_irq(unsigned int irq)
41274 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
41275 maskl, pendl, maskh, pendh);
41276
41277- atomic_inc(&irq_err_count);
41278+ atomic_inc_unchecked(&irq_err_count);
41279
41280 return -EINVAL;
41281 }
41282diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
41283index bf4bd1d..51154a3 100644
41284--- a/drivers/gpio/gpiolib.c
41285+++ b/drivers/gpio/gpiolib.c
41286@@ -569,8 +569,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip)
41287 }
41288
41289 if (gpiochip->irqchip) {
41290- gpiochip->irqchip->irq_request_resources = NULL;
41291- gpiochip->irqchip->irq_release_resources = NULL;
41292+ pax_open_kernel();
41293+ *(void **)&gpiochip->irqchip->irq_request_resources = NULL;
41294+ *(void **)&gpiochip->irqchip->irq_release_resources = NULL;
41295+ pax_close_kernel();
41296 gpiochip->irqchip = NULL;
41297 }
41298 }
41299@@ -636,8 +638,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip,
41300 gpiochip->irqchip = NULL;
41301 return -EINVAL;
41302 }
41303- irqchip->irq_request_resources = gpiochip_irq_reqres;
41304- irqchip->irq_release_resources = gpiochip_irq_relres;
41305+
41306+ pax_open_kernel();
41307+ *(void **)&irqchip->irq_request_resources = gpiochip_irq_reqres;
41308+ *(void **)&irqchip->irq_release_resources = gpiochip_irq_relres;
41309+ pax_close_kernel();
41310
41311 /*
41312 * Prepare the mapping since the irqchip shall be orthogonal to
41313diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41314index 99f158e..20b6c4c 100644
41315--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41316+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41317@@ -1071,7 +1071,7 @@ static bool amdgpu_switcheroo_can_switch(struct pci_dev *pdev)
41318 * locking inversion with the driver load path. And the access here is
41319 * completely racy anyway. So don't bother with locking for now.
41320 */
41321- return dev->open_count == 0;
41322+ return local_read(&dev->open_count) == 0;
41323 }
41324
41325 static const struct vga_switcheroo_client_ops amdgpu_switcheroo_ops = {
41326diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41327index c991973..8eb176b 100644
41328--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41329+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41330@@ -419,7 +419,7 @@ static int kfd_ioctl_set_memory_policy(struct file *filep,
41331 (args->alternate_policy == KFD_IOC_CACHE_POLICY_COHERENT)
41332 ? cache_policy_coherent : cache_policy_noncoherent;
41333
41334- if (!dev->dqm->ops.set_cache_memory_policy(dev->dqm,
41335+ if (!dev->dqm->ops->set_cache_memory_policy(dev->dqm,
41336 &pdd->qpd,
41337 default_policy,
41338 alternate_policy,
41339diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41340index 75312c8..e3684e6 100644
41341--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41342+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41343@@ -293,7 +293,7 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd,
41344 goto device_queue_manager_error;
41345 }
41346
41347- if (kfd->dqm->ops.start(kfd->dqm) != 0) {
41348+ if (kfd->dqm->ops->start(kfd->dqm) != 0) {
41349 dev_err(kfd_device,
41350 "Error starting queuen manager for device (%x:%x)\n",
41351 kfd->pdev->vendor, kfd->pdev->device);
41352@@ -349,7 +349,7 @@ void kgd2kfd_suspend(struct kfd_dev *kfd)
41353 BUG_ON(kfd == NULL);
41354
41355 if (kfd->init_complete) {
41356- kfd->dqm->ops.stop(kfd->dqm);
41357+ kfd->dqm->ops->stop(kfd->dqm);
41358 amd_iommu_set_invalidate_ctx_cb(kfd->pdev, NULL);
41359 amd_iommu_set_invalid_ppr_cb(kfd->pdev, NULL);
41360 amd_iommu_free_device(kfd->pdev);
41361@@ -372,7 +372,7 @@ int kgd2kfd_resume(struct kfd_dev *kfd)
41362 amd_iommu_set_invalidate_ctx_cb(kfd->pdev,
41363 iommu_pasid_shutdown_callback);
41364 amd_iommu_set_invalid_ppr_cb(kfd->pdev, iommu_invalid_ppr_cb);
41365- kfd->dqm->ops.start(kfd->dqm);
41366+ kfd->dqm->ops->start(kfd->dqm);
41367 }
41368
41369 return 0;
41370diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41371index 4bb7f42..320fcac 100644
41372--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41373+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41374@@ -242,7 +242,7 @@ static int create_compute_queue_nocpsch(struct device_queue_manager *dqm,
41375
41376 BUG_ON(!dqm || !q || !qpd);
41377
41378- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41379+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41380 if (mqd == NULL)
41381 return -ENOMEM;
41382
41383@@ -288,14 +288,14 @@ static int destroy_queue_nocpsch(struct device_queue_manager *dqm,
41384 mutex_lock(&dqm->lock);
41385
41386 if (q->properties.type == KFD_QUEUE_TYPE_COMPUTE) {
41387- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41388+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41389 if (mqd == NULL) {
41390 retval = -ENOMEM;
41391 goto out;
41392 }
41393 deallocate_hqd(dqm, q);
41394 } else if (q->properties.type == KFD_QUEUE_TYPE_SDMA) {
41395- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41396+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41397 if (mqd == NULL) {
41398 retval = -ENOMEM;
41399 goto out;
41400@@ -347,7 +347,7 @@ static int update_queue(struct device_queue_manager *dqm, struct queue *q)
41401 BUG_ON(!dqm || !q || !q->mqd);
41402
41403 mutex_lock(&dqm->lock);
41404- mqd = dqm->ops.get_mqd_manager(dqm,
41405+ mqd = dqm->ops->get_mqd_manager(dqm,
41406 get_mqd_type_from_queue_type(q->properties.type));
41407 if (mqd == NULL) {
41408 mutex_unlock(&dqm->lock);
41409@@ -414,7 +414,7 @@ static int register_process_nocpsch(struct device_queue_manager *dqm,
41410 mutex_lock(&dqm->lock);
41411 list_add(&n->list, &dqm->queues);
41412
41413- retval = dqm->ops_asic_specific.register_process(dqm, qpd);
41414+ retval = dqm->ops_asic_specific->register_process(dqm, qpd);
41415
41416 dqm->processes_count++;
41417
41418@@ -502,7 +502,7 @@ int init_pipelines(struct device_queue_manager *dqm,
41419
41420 memset(hpdptr, 0, CIK_HPD_EOP_BYTES * pipes_num);
41421
41422- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41423+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41424 if (mqd == NULL) {
41425 kfd_gtt_sa_free(dqm->dev, dqm->pipeline_mem);
41426 return -ENOMEM;
41427@@ -635,7 +635,7 @@ static int create_sdma_queue_nocpsch(struct device_queue_manager *dqm,
41428 struct mqd_manager *mqd;
41429 int retval;
41430
41431- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41432+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41433 if (!mqd)
41434 return -ENOMEM;
41435
41436@@ -650,7 +650,7 @@ static int create_sdma_queue_nocpsch(struct device_queue_manager *dqm,
41437 pr_debug(" sdma queue id: %d\n", q->properties.sdma_queue_id);
41438 pr_debug(" sdma engine id: %d\n", q->properties.sdma_engine_id);
41439
41440- dqm->ops_asic_specific.init_sdma_vm(dqm, q, qpd);
41441+ dqm->ops_asic_specific->init_sdma_vm(dqm, q, qpd);
41442 retval = mqd->init_mqd(mqd, &q->mqd, &q->mqd_mem_obj,
41443 &q->gart_mqd_addr, &q->properties);
41444 if (retval != 0) {
41445@@ -712,7 +712,7 @@ static int initialize_cpsch(struct device_queue_manager *dqm)
41446 dqm->queue_count = dqm->processes_count = 0;
41447 dqm->sdma_queue_count = 0;
41448 dqm->active_runlist = false;
41449- retval = dqm->ops_asic_specific.initialize(dqm);
41450+ retval = dqm->ops_asic_specific->initialize(dqm);
41451 if (retval != 0)
41452 goto fail_init_pipelines;
41453
41454@@ -879,7 +879,7 @@ static int create_queue_cpsch(struct device_queue_manager *dqm, struct queue *q,
41455 if (q->properties.type == KFD_QUEUE_TYPE_SDMA)
41456 select_sdma_engine_id(q);
41457
41458- mqd = dqm->ops.get_mqd_manager(dqm,
41459+ mqd = dqm->ops->get_mqd_manager(dqm,
41460 get_mqd_type_from_queue_type(q->properties.type));
41461
41462 if (mqd == NULL) {
41463@@ -887,7 +887,7 @@ static int create_queue_cpsch(struct device_queue_manager *dqm, struct queue *q,
41464 return -ENOMEM;
41465 }
41466
41467- dqm->ops_asic_specific.init_sdma_vm(dqm, q, qpd);
41468+ dqm->ops_asic_specific->init_sdma_vm(dqm, q, qpd);
41469 retval = mqd->init_mqd(mqd, &q->mqd, &q->mqd_mem_obj,
41470 &q->gart_mqd_addr, &q->properties);
41471 if (retval != 0)
41472@@ -1060,7 +1060,7 @@ static int destroy_queue_cpsch(struct device_queue_manager *dqm,
41473
41474 }
41475
41476- mqd = dqm->ops.get_mqd_manager(dqm,
41477+ mqd = dqm->ops->get_mqd_manager(dqm,
41478 get_mqd_type_from_queue_type(q->properties.type));
41479 if (!mqd) {
41480 retval = -ENOMEM;
41481@@ -1149,7 +1149,7 @@ static bool set_cache_memory_policy(struct device_queue_manager *dqm,
41482 qpd->sh_mem_ape1_limit = limit >> 16;
41483 }
41484
41485- retval = dqm->ops_asic_specific.set_cache_memory_policy(
41486+ retval = dqm->ops_asic_specific->set_cache_memory_policy(
41487 dqm,
41488 qpd,
41489 default_policy,
41490@@ -1172,6 +1172,36 @@ out:
41491 return false;
41492 }
41493
41494+static const struct device_queue_manager_ops cp_dqm_ops = {
41495+ .create_queue = create_queue_cpsch,
41496+ .initialize = initialize_cpsch,
41497+ .start = start_cpsch,
41498+ .stop = stop_cpsch,
41499+ .destroy_queue = destroy_queue_cpsch,
41500+ .update_queue = update_queue,
41501+ .get_mqd_manager = get_mqd_manager_nocpsch,
41502+ .register_process = register_process_nocpsch,
41503+ .unregister_process = unregister_process_nocpsch,
41504+ .uninitialize = uninitialize_nocpsch,
41505+ .create_kernel_queue = create_kernel_queue_cpsch,
41506+ .destroy_kernel_queue = destroy_kernel_queue_cpsch,
41507+ .set_cache_memory_policy = set_cache_memory_policy,
41508+};
41509+
41510+static const struct device_queue_manager_ops no_cp_dqm_ops = {
41511+ .start = start_nocpsch,
41512+ .stop = stop_nocpsch,
41513+ .create_queue = create_queue_nocpsch,
41514+ .destroy_queue = destroy_queue_nocpsch,
41515+ .update_queue = update_queue,
41516+ .get_mqd_manager = get_mqd_manager_nocpsch,
41517+ .register_process = register_process_nocpsch,
41518+ .unregister_process = unregister_process_nocpsch,
41519+ .initialize = initialize_nocpsch,
41520+ .uninitialize = uninitialize_nocpsch,
41521+ .set_cache_memory_policy = set_cache_memory_policy,
41522+};
41523+
41524 struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
41525 {
41526 struct device_queue_manager *dqm;
41527@@ -1189,33 +1219,11 @@ struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
41528 case KFD_SCHED_POLICY_HWS:
41529 case KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION:
41530 /* initialize dqm for cp scheduling */
41531- dqm->ops.create_queue = create_queue_cpsch;
41532- dqm->ops.initialize = initialize_cpsch;
41533- dqm->ops.start = start_cpsch;
41534- dqm->ops.stop = stop_cpsch;
41535- dqm->ops.destroy_queue = destroy_queue_cpsch;
41536- dqm->ops.update_queue = update_queue;
41537- dqm->ops.get_mqd_manager = get_mqd_manager_nocpsch;
41538- dqm->ops.register_process = register_process_nocpsch;
41539- dqm->ops.unregister_process = unregister_process_nocpsch;
41540- dqm->ops.uninitialize = uninitialize_nocpsch;
41541- dqm->ops.create_kernel_queue = create_kernel_queue_cpsch;
41542- dqm->ops.destroy_kernel_queue = destroy_kernel_queue_cpsch;
41543- dqm->ops.set_cache_memory_policy = set_cache_memory_policy;
41544+ dqm->ops = &cp_dqm_ops;
41545 break;
41546 case KFD_SCHED_POLICY_NO_HWS:
41547 /* initialize dqm for no cp scheduling */
41548- dqm->ops.start = start_nocpsch;
41549- dqm->ops.stop = stop_nocpsch;
41550- dqm->ops.create_queue = create_queue_nocpsch;
41551- dqm->ops.destroy_queue = destroy_queue_nocpsch;
41552- dqm->ops.update_queue = update_queue;
41553- dqm->ops.get_mqd_manager = get_mqd_manager_nocpsch;
41554- dqm->ops.register_process = register_process_nocpsch;
41555- dqm->ops.unregister_process = unregister_process_nocpsch;
41556- dqm->ops.initialize = initialize_nocpsch;
41557- dqm->ops.uninitialize = uninitialize_nocpsch;
41558- dqm->ops.set_cache_memory_policy = set_cache_memory_policy;
41559+ dqm->ops = &no_cp_dqm_ops;
41560 break;
41561 default:
41562 BUG();
41563@@ -1224,15 +1232,15 @@ struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
41564
41565 switch (dev->device_info->asic_family) {
41566 case CHIP_CARRIZO:
41567- device_queue_manager_init_vi(&dqm->ops_asic_specific);
41568+ device_queue_manager_init_vi(dqm);
41569 break;
41570
41571 case CHIP_KAVERI:
41572- device_queue_manager_init_cik(&dqm->ops_asic_specific);
41573+ device_queue_manager_init_cik(dqm);
41574 break;
41575 }
41576
41577- if (dqm->ops.initialize(dqm) != 0) {
41578+ if (dqm->ops->initialize(dqm) != 0) {
41579 kfree(dqm);
41580 return NULL;
41581 }
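Review bot: The `switch (dev->device_info->asic_family)` has no `default`, so for any family other than CHIP_CARRIZO or CHIP_KAVERI `dqm->ops_asic_specific` is never assigned. Now that it is a pointer, the later `dqm->ops_asic_specific->initialize(dqm)` in initialize_cpsch() dereferences an unset pointer. The scheduling-policy switch earlier in the same function already ends in `default: BUG();`; the same arm here, or freeing dqm and returning NULL, would make the failure explicit. How dqm is allocated is outside the hunk, so it cannot be told from here whether the pointer would be NULL or uninitialised.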
41582@@ -1244,6 +1252,6 @@ void device_queue_manager_uninit(struct device_queue_manager *dqm)
41583 {
41584 BUG_ON(!dqm);
41585
41586- dqm->ops.uninitialize(dqm);
41587+ dqm->ops->uninitialize(dqm);
41588 kfree(dqm);
41589 }
41590diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
41591index ec4036a..3ef0646 100644
41592--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
41593+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
41594@@ -154,8 +154,8 @@ struct device_queue_manager_asic_ops {
41595 */
41596
41597 struct device_queue_manager {
41598- struct device_queue_manager_ops ops;
41599- struct device_queue_manager_asic_ops ops_asic_specific;
41600+ struct device_queue_manager_ops *ops;
41601+ struct device_queue_manager_asic_ops *ops_asic_specific;
41602
41603 struct mqd_manager *mqds[KFD_MQD_TYPE_MAX];
41604 struct packet_manager packets;
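Review bot: `ops` and `ops_asic_specific` are declared as pointers to non-const structs, but every table they are pointed at in this patch (`cp_dqm_ops`, `no_cp_dqm_ops`, `cik_dqm_asic_ops`, `vi_dqm_asic_ops`) is `static const`. The assignments therefore discard the qualifier unless the build const-qualifies the struct type implicitly, which is not visible here. Declaring the members as `const struct device_queue_manager_ops *ops;` and `const struct device_queue_manager_asic_ops *ops_asic_specific;` puts the intent in the type and lets the compiler reject any later store through them. The struct body continues outside the hunk.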
41605@@ -178,8 +178,8 @@ struct device_queue_manager {
41606 bool active_runlist;
41607 };
41608
41609-void device_queue_manager_init_cik(struct device_queue_manager_asic_ops *ops);
41610-void device_queue_manager_init_vi(struct device_queue_manager_asic_ops *ops);
41611+void device_queue_manager_init_cik(struct device_queue_manager *dqm);
41612+void device_queue_manager_init_vi(struct device_queue_manager *dqm);
41613 void program_sh_mem_settings(struct device_queue_manager *dqm,
41614 struct qcm_process_device *qpd);
41615 int init_pipelines(struct device_queue_manager *dqm,
41616diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
41617index 9ce8a20..1ca4e22 100644
41618--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
41619+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
41620@@ -36,12 +36,16 @@ static int initialize_cpsch_cik(struct device_queue_manager *dqm);
41621 static void init_sdma_vm(struct device_queue_manager *dqm, struct queue *q,
41622 struct qcm_process_device *qpd);
41623
41624-void device_queue_manager_init_cik(struct device_queue_manager_asic_ops *ops)
41625+static const struct device_queue_manager_asic_ops cik_dqm_asic_ops = {
41626+ .set_cache_memory_policy = set_cache_memory_policy_cik,
41627+ .register_process = register_process_cik,
41628+ .initialize = initialize_cpsch_cik,
41629+ .init_sdma_vm = init_sdma_vm,
41630+};
41631+
41632+void device_queue_manager_init_cik(struct device_queue_manager *dqm)
41633 {
41634- ops->set_cache_memory_policy = set_cache_memory_policy_cik;
41635- ops->register_process = register_process_cik;
41636- ops->initialize = initialize_cpsch_cik;
41637- ops->init_sdma_vm = init_sdma_vm;
41638+ dqm->ops_asic_specific = &cik_dqm_asic_ops;
41639 }
41640
41641 static uint32_t compute_sh_mem_bases_64bit(unsigned int top_address_nybble)
41642diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
41643index 4c15212..61bfab8 100644
41644--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
41645+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
41646@@ -35,14 +35,18 @@ static int initialize_cpsch_vi(struct device_queue_manager *dqm);
41647 static void init_sdma_vm(struct device_queue_manager *dqm, struct queue *q,
41648 struct qcm_process_device *qpd);
41649
41650-void device_queue_manager_init_vi(struct device_queue_manager_asic_ops *ops)
41651+static const struct device_queue_manager_asic_ops vi_dqm_asic_ops = {
41652+ .set_cache_memory_policy = set_cache_memory_policy_vi,
41653+ .register_process = register_process_vi,
41654+ .initialize = initialize_cpsch_vi,
41655+ .init_sdma_vm = init_sdma_vm,
41656+};
41657+
41658+void device_queue_manager_init_vi(struct device_queue_manager *dqm)
41659 {
41660 pr_warn("amdkfd: VI DQM is not currently supported\n");
41661
41662- ops->set_cache_memory_policy = set_cache_memory_policy_vi;
41663- ops->register_process = register_process_vi;
41664- ops->initialize = initialize_cpsch_vi;
41665- ops->init_sdma_vm = init_sdma_vm;
41666+ dqm->ops_asic_specific = &vi_dqm_asic_ops;
41667 }
41668
41669 static bool set_cache_memory_policy_vi(struct device_queue_manager *dqm,
41670diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c b/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
41671index 7f134aa..cd34d4a 100644
41672--- a/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
41673+++ b/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
41674@@ -50,8 +50,8 @@ static void interrupt_wq(struct work_struct *);
41675
41676 int kfd_interrupt_init(struct kfd_dev *kfd)
41677 {
41678- void *interrupt_ring = kmalloc_array(KFD_INTERRUPT_RING_SIZE,
41679- kfd->device_info->ih_ring_entry_size,
41680+ void *interrupt_ring = kmalloc_array(kfd->device_info->ih_ring_entry_size,
41681+ KFD_INTERRUPT_RING_SIZE,
41682 GFP_KERNEL);
41683 if (!interrupt_ring)
41684 return -ENOMEM;
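Review bot: The swapped arguments in `kmalloc_array(kfd->device_info->ih_ring_entry_size, KFD_INTERRUPT_RING_SIZE, GFP_KERNEL)` contradict the helper's `(n, size, flags)` parameter order, so the call now reads as "entry-size many elements of ring-size bytes". The product and the multiplication-overflow check are the same either way, but nothing in the hunk says why the order was changed, and a later cleanup could easily swap it back. I would add a comment above the call, for example `/* count and size deliberately swapped: <reason> */`, with the actual reason filled in. The rest of `kfd_interrupt_init` lies outside the hunk.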
41685diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
41686index 8fa8941..5ae07df 100644
41687--- a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
41688+++ b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
41689@@ -56,7 +56,7 @@ static bool initialize(struct kernel_queue *kq, struct kfd_dev *dev,
41690 switch (type) {
41691 case KFD_QUEUE_TYPE_DIQ:
41692 case KFD_QUEUE_TYPE_HIQ:
41693- kq->mqd = dev->dqm->ops.get_mqd_manager(dev->dqm,
41694+ kq->mqd = dev->dqm->ops->get_mqd_manager(dev->dqm,
41695 KFD_MQD_TYPE_HIQ);
41696 break;
41697 default:
41698diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
41699index 5940531..a75b0e5 100644
41700--- a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
41701+++ b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
41702@@ -62,7 +62,7 @@ struct kernel_queue_ops {
41703
41704 void (*submit_packet)(struct kernel_queue *kq);
41705 void (*rollback_packet)(struct kernel_queue *kq);
41706-};
41707+} __no_const;
41708
41709 struct kernel_queue {
41710 struct kernel_queue_ops ops;
41711diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
41712index 7b69070..d7bd78b 100644
41713--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
41714+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
41715@@ -194,7 +194,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
41716
41717 if (list_empty(&pqm->queues)) {
41718 pdd->qpd.pqm = pqm;
41719- dev->dqm->ops.register_process(dev->dqm, &pdd->qpd);
41720+ dev->dqm->ops->register_process(dev->dqm, &pdd->qpd);
41721 }
41722
41723 pqn = kzalloc(sizeof(struct process_queue_node), GFP_KERNEL);
41724@@ -220,7 +220,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
41725 goto err_create_queue;
41726 pqn->q = q;
41727 pqn->kq = NULL;
41728- retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd,
41729+ retval = dev->dqm->ops->create_queue(dev->dqm, q, &pdd->qpd,
41730 &q->properties.vmid);
41731 pr_debug("DQM returned %d for create_queue\n", retval);
41732 print_queue(q);
41733@@ -234,7 +234,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
41734 kq->queue->properties.queue_id = *qid;
41735 pqn->kq = kq;
41736 pqn->q = NULL;
41737- retval = dev->dqm->ops.create_kernel_queue(dev->dqm,
41738+ retval = dev->dqm->ops->create_kernel_queue(dev->dqm,
41739 kq, &pdd->qpd);
41740 break;
41741 default:
41742@@ -265,7 +265,7 @@ err_allocate_pqn:
41743 /* check if queues list is empty unregister process from device */
41744 clear_bit(*qid, pqm->queue_slot_bitmap);
41745 if (list_empty(&pqm->queues))
41746- dev->dqm->ops.unregister_process(dev->dqm, &pdd->qpd);
41747+ dev->dqm->ops->unregister_process(dev->dqm, &pdd->qpd);
41748 return retval;
41749 }
41750
41751@@ -306,13 +306,13 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
41752 if (pqn->kq) {
41753 /* destroy kernel queue (DIQ) */
41754 dqm = pqn->kq->dev->dqm;
41755- dqm->ops.destroy_kernel_queue(dqm, pqn->kq, &pdd->qpd);
41756+ dqm->ops->destroy_kernel_queue(dqm, pqn->kq, &pdd->qpd);
41757 kernel_queue_uninit(pqn->kq);
41758 }
41759
41760 if (pqn->q) {
41761 dqm = pqn->q->device->dqm;
41762- retval = dqm->ops.destroy_queue(dqm, &pdd->qpd, pqn->q);
41763+ retval = dqm->ops->destroy_queue(dqm, &pdd->qpd, pqn->q);
41764 if (retval != 0)
41765 return retval;
41766
41767@@ -324,7 +324,7 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
41768 clear_bit(qid, pqm->queue_slot_bitmap);
41769
41770 if (list_empty(&pqm->queues))
41771- dqm->ops.unregister_process(dqm, &pdd->qpd);
41772+ dqm->ops->unregister_process(dqm, &pdd->qpd);
41773
41774 return retval;
41775 }
41776@@ -349,7 +349,7 @@ int pqm_update_queue(struct process_queue_manager *pqm, unsigned int qid,
41777 pqn->q->properties.queue_percent = p->queue_percent;
41778 pqn->q->properties.priority = p->priority;
41779
41780- retval = pqn->q->device->dqm->ops.update_queue(pqn->q->device->dqm,
41781+ retval = pqn->q->device->dqm->ops->update_queue(pqn->q->device->dqm,
41782 pqn->q);
41783 if (retval != 0)
41784 return retval;
41785diff --git a/drivers/gpu/drm/drm_context.c b/drivers/gpu/drm/drm_context.c
41786index 9b23525..65f4110 100644
41787--- a/drivers/gpu/drm/drm_context.c
41788+++ b/drivers/gpu/drm/drm_context.c
41789@@ -53,6 +53,9 @@ struct drm_ctx_list {
41790 */
41791 void drm_legacy_ctxbitmap_free(struct drm_device * dev, int ctx_handle)
41792 {
41793+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41794+ return;
41795+
41796 mutex_lock(&dev->struct_mutex);
41797 idr_remove(&dev->ctx_idr, ctx_handle);
41798 mutex_unlock(&dev->struct_mutex);
41799@@ -87,6 +90,9 @@ static int drm_legacy_ctxbitmap_next(struct drm_device * dev)
41800 */
41801 int drm_legacy_ctxbitmap_init(struct drm_device * dev)
41802 {
41803+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41804+ return -EINVAL;
41805+
41806 idr_init(&dev->ctx_idr);
41807 return 0;
41808 }
41809@@ -101,6 +107,9 @@ int drm_legacy_ctxbitmap_init(struct drm_device * dev)
41810 */
41811 void drm_legacy_ctxbitmap_cleanup(struct drm_device * dev)
41812 {
41813+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41814+ return;
41815+
41816 mutex_lock(&dev->struct_mutex);
41817 idr_destroy(&dev->ctx_idr);
41818 mutex_unlock(&dev->struct_mutex);
41819@@ -119,11 +128,14 @@ void drm_legacy_ctxbitmap_flush(struct drm_device *dev, struct drm_file *file)
41820 {
41821 struct drm_ctx_list *pos, *tmp;
41822
41823+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41824+ return;
41825+
41826 mutex_lock(&dev->ctxlist_mutex);
41827
41828 list_for_each_entry_safe(pos, tmp, &dev->ctxlist, head) {
41829 if (pos->tag == file &&
41830- pos->handle != DRM_KERNEL_CONTEXT) {
41831+ _DRM_LOCKING_CONTEXT(pos->handle) != DRM_KERNEL_CONTEXT) {
41832 if (dev->driver->context_dtor)
41833 dev->driver->context_dtor(dev, pos->handle);
41834
41835@@ -161,6 +173,9 @@ int drm_legacy_getsareactx(struct drm_device *dev, void *data,
41836 struct drm_local_map *map;
41837 struct drm_map_list *_entry;
41838
41839+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41840+ return -EINVAL;
41841+
41842 mutex_lock(&dev->struct_mutex);
41843
41844 map = idr_find(&dev->ctx_idr, request->ctx_id);
41845@@ -205,6 +220,9 @@ int drm_legacy_setsareactx(struct drm_device *dev, void *data,
41846 struct drm_local_map *map = NULL;
41847 struct drm_map_list *r_list = NULL;
41848
41849+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41850+ return -EINVAL;
41851+
41852 mutex_lock(&dev->struct_mutex);
41853 list_for_each_entry(r_list, &dev->maplist, head) {
41854 if (r_list->map
41855@@ -277,7 +295,13 @@ static int drm_context_switch_complete(struct drm_device *dev,
41856 {
41857 dev->last_context = new; /* PRE/POST: This is the _only_ writer. */
41858
41859- if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) {
41860+ if (file_priv->master->lock.hw_lock == NULL) {
41861+ DRM_ERROR(
41862+ "Device has been unregistered. Hard exit. Process %d\n",
41863+ task_pid_nr(current));
41864+ send_sig(SIGTERM, current, 0);
41865+ return -EPERM;
41866+ } else if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) {
41867 DRM_ERROR("Lock isn't held after context switch\n");
41868 }
41869
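Review bot: The `-EPERM` returned by the new `hw_lock == NULL` branch is discarded by the one caller visible on this page. `drm_legacy_newctx`, in a later hunk of this file, still calls `drm_context_switch_complete(dev, file_priv, ctx->handle);` as a bare statement, so that ioctl can report success for a device the message says is unregistered. If nothing after that call needs to run, `return drm_context_switch_complete(dev, file_priv, ctx->handle);` would propagate the error; the remainder of `drm_legacy_newctx` is outside its hunk, so this needs checking. Note also that `dev->last_context = new;` has already been written before the NULL check, so moving the check above that assignment would keep the failure path free of side effects. The body of `drm_context_switch_complete` continues past this hunk.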
41870@@ -305,6 +329,9 @@ int drm_legacy_resctx(struct drm_device *dev, void *data,
41871 struct drm_ctx ctx;
41872 int i;
41873
41874+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41875+ return -EINVAL;
41876+
41877 if (res->count >= DRM_RESERVED_CONTEXTS) {
41878 memset(&ctx, 0, sizeof(ctx));
41879 for (i = 0; i < DRM_RESERVED_CONTEXTS; i++) {
41880@@ -335,8 +362,11 @@ int drm_legacy_addctx(struct drm_device *dev, void *data,
41881 struct drm_ctx_list *ctx_entry;
41882 struct drm_ctx *ctx = data;
41883
41884+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41885+ return -EINVAL;
41886+
41887 ctx->handle = drm_legacy_ctxbitmap_next(dev);
41888- if (ctx->handle == DRM_KERNEL_CONTEXT) {
41889+ if (_DRM_LOCKING_CONTEXT(ctx->handle) == DRM_KERNEL_CONTEXT) {
41890 /* Skip kernel's context and get a new one. */
41891 ctx->handle = drm_legacy_ctxbitmap_next(dev);
41892 }
41893@@ -378,6 +408,9 @@ int drm_legacy_getctx(struct drm_device *dev, void *data,
41894 {
41895 struct drm_ctx *ctx = data;
41896
41897+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41898+ return -EINVAL;
41899+
41900 /* This is 0, because we don't handle any context flags */
41901 ctx->flags = 0;
41902
41903@@ -400,6 +433,9 @@ int drm_legacy_switchctx(struct drm_device *dev, void *data,
41904 {
41905 struct drm_ctx *ctx = data;
41906
41907+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41908+ return -EINVAL;
41909+
41910 DRM_DEBUG("%d\n", ctx->handle);
41911 return drm_context_switch(dev, dev->last_context, ctx->handle);
41912 }
41913@@ -420,6 +456,9 @@ int drm_legacy_newctx(struct drm_device *dev, void *data,
41914 {
41915 struct drm_ctx *ctx = data;
41916
41917+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41918+ return -EINVAL;
41919+
41920 DRM_DEBUG("%d\n", ctx->handle);
41921 drm_context_switch_complete(dev, file_priv, ctx->handle);
41922
41923@@ -442,8 +481,11 @@ int drm_legacy_rmctx(struct drm_device *dev, void *data,
41924 {
41925 struct drm_ctx *ctx = data;
41926
41927+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
41928+ return -EINVAL;
41929+
41930 DRM_DEBUG("%d\n", ctx->handle);
41931- if (ctx->handle != DRM_KERNEL_CONTEXT) {
41932+ if (_DRM_LOCKING_CONTEXT(ctx->handle) != DRM_KERNEL_CONTEXT) {
41933 if (dev->driver->context_dtor)
41934 dev->driver->context_dtor(dev, ctx->handle);
41935 drm_legacy_ctxbitmap_free(dev, ctx->handle);
41936diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
41937index fed7483..5bc0335 100644
41938--- a/drivers/gpu/drm/drm_crtc.c
41939+++ b/drivers/gpu/drm/drm_crtc.c
41940@@ -4174,7 +4174,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
41941 goto done;
41942 }
41943
41944- if (copy_to_user(&enum_ptr[copied].name,
41945+ if (copy_to_user(enum_ptr[copied].name,
41946 &prop_enum->name, DRM_PROP_NAME_LEN)) {
41947 ret = -EFAULT;
41948 goto done;
41949diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
41950index b7bf4ce..585cf3b 100644
41951--- a/drivers/gpu/drm/drm_drv.c
41952+++ b/drivers/gpu/drm/drm_drv.c
41953@@ -434,7 +434,7 @@ void drm_unplug_dev(struct drm_device *dev)
41954
41955 drm_device_set_unplugged(dev);
41956
41957- if (dev->open_count == 0) {
41958+ if (local_read(&dev->open_count) == 0) {
41959 drm_put_dev(dev);
41960 }
41961 mutex_unlock(&drm_global_mutex);
41962@@ -582,10 +582,13 @@ struct drm_device *drm_dev_alloc(struct drm_driver *driver,
41963 if (drm_ht_create(&dev->map_hash, 12))
41964 goto err_minors;
41965
41966- ret = drm_legacy_ctxbitmap_init(dev);
41967- if (ret) {
41968- DRM_ERROR("Cannot allocate memory for context bitmap.\n");
41969- goto err_ht;
41970+ if (drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT)) {
41971+ ret = drm_legacy_ctxbitmap_init(dev);
41972+ if (ret) {
41973+ DRM_ERROR(
41974+ "Cannot allocate memory for context bitmap.\n");
41975+ goto err_ht;
41976+ }
41977 }
41978
41979 if (drm_core_check_feature(dev, DRIVER_GEM)) {
41980diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
41981index c59ce4d..056d413 100644
41982--- a/drivers/gpu/drm/drm_fops.c
41983+++ b/drivers/gpu/drm/drm_fops.c
41984@@ -89,7 +89,7 @@ int drm_open(struct inode *inode, struct file *filp)
41985 return PTR_ERR(minor);
41986
41987 dev = minor->dev;
41988- if (!dev->open_count++)
41989+ if (local_inc_return(&dev->open_count) == 1)
41990 need_setup = 1;
41991
41992 /* share address_space across all char-devs of a single device */
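Review bot: `local_inc_return(&dev->open_count) == 1` is atomic only with respect to the CPU it runs on, so the first-open test is no better protected against concurrent opens on other CPUs than the `dev->open_count++` it replaces. No lock is visible in this hunk, whereas `drm_release` later in this file reads and decrements the counter under `drm_global_mutex`. If `drm_open` runs under that mutex too, a comment on the increment such as `/* open_count is serialized by drm_global_mutex */` would record the invariant. If it does not, `atomic_t` with `atomic_inc_return()` is the type that gives cross-CPU atomicity. `drm_open` starts and ends outside the hunk.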
41993@@ -106,7 +106,7 @@ int drm_open(struct inode *inode, struct file *filp)
41994 return 0;
41995
41996 err_undo:
41997- dev->open_count--;
41998+ local_dec(&dev->open_count);
41999 drm_minor_release(minor);
42000 return retcode;
42001 }
42002@@ -377,7 +377,7 @@ int drm_release(struct inode *inode, struct file *filp)
42003
42004 mutex_lock(&drm_global_mutex);
42005
42006- DRM_DEBUG("open_count = %d\n", dev->open_count);
42007+ DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));
42008
42009 mutex_lock(&dev->struct_mutex);
42010 list_del(&file_priv->lhead);
42011@@ -392,10 +392,10 @@ int drm_release(struct inode *inode, struct file *filp)
42012 * Begin inline drm_release
42013 */
42014
42015- DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
42016+ DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %ld\n",
42017 task_pid_nr(current),
42018 (long)old_encode_dev(file_priv->minor->kdev->devt),
42019- dev->open_count);
42020+ local_read(&dev->open_count));
42021
42022 /* if the master has gone away we can't do anything with the lock */
42023 if (file_priv->minor->master)
42024@@ -465,7 +465,7 @@ int drm_release(struct inode *inode, struct file *filp)
42025 * End inline drm_release
42026 */
42027
42028- if (!--dev->open_count) {
42029+ if (local_dec_and_test(&dev->open_count)) {
42030 retcode = drm_lastclose(dev);
42031 if (drm_device_is_unplugged(dev))
42032 drm_put_dev(dev);
42033diff --git a/drivers/gpu/drm/drm_global.c b/drivers/gpu/drm/drm_global.c
42034index 3d2e91c..d31c4c9 100644
42035--- a/drivers/gpu/drm/drm_global.c
42036+++ b/drivers/gpu/drm/drm_global.c
42037@@ -36,7 +36,7 @@
42038 struct drm_global_item {
42039 struct mutex mutex;
42040 void *object;
42041- int refcount;
42042+ atomic_t refcount;
42043 };
42044
42045 static struct drm_global_item glob[DRM_GLOBAL_NUM];
42046@@ -49,7 +49,7 @@ void drm_global_init(void)
42047 struct drm_global_item *item = &glob[i];
42048 mutex_init(&item->mutex);
42049 item->object = NULL;
42050- item->refcount = 0;
42051+ atomic_set(&item->refcount, 0);
42052 }
42053 }
42054
42055@@ -59,7 +59,7 @@ void drm_global_release(void)
42056 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
42057 struct drm_global_item *item = &glob[i];
42058 BUG_ON(item->object != NULL);
42059- BUG_ON(item->refcount != 0);
42060+ BUG_ON(atomic_read(&item->refcount) != 0);
42061 }
42062 }
42063
42064@@ -69,7 +69,7 @@ int drm_global_item_ref(struct drm_global_reference *ref)
42065 struct drm_global_item *item = &glob[ref->global_type];
42066
42067 mutex_lock(&item->mutex);
42068- if (item->refcount == 0) {
42069+ if (atomic_read(&item->refcount) == 0) {
42070 item->object = kzalloc(ref->size, GFP_KERNEL);
42071 if (unlikely(item->object == NULL)) {
42072 ret = -ENOMEM;
42073@@ -82,7 +82,7 @@ int drm_global_item_ref(struct drm_global_reference *ref)
42074 goto out_err;
42075
42076 }
42077- ++item->refcount;
42078+ atomic_inc(&item->refcount);
42079 ref->object = item->object;
42080 mutex_unlock(&item->mutex);
42081 return 0;
42082@@ -98,9 +98,9 @@ void drm_global_item_unref(struct drm_global_reference *ref)
42083 struct drm_global_item *item = &glob[ref->global_type];
42084
42085 mutex_lock(&item->mutex);
42086- BUG_ON(item->refcount == 0);
42087+ BUG_ON(atomic_read(&item->refcount) == 0);
42088 BUG_ON(ref->object != item->object);
42089- if (--item->refcount == 0) {
42090+ if (atomic_dec_and_test(&item->refcount)) {
42091 ref->release(ref);
42092 item->object = NULL;
42093 }
42094diff --git a/drivers/gpu/drm/drm_info.c b/drivers/gpu/drm/drm_info.c
42095index cbb4fc0..5c756cb9 100644
42096--- a/drivers/gpu/drm/drm_info.c
42097+++ b/drivers/gpu/drm/drm_info.c
42098@@ -77,10 +77,13 @@ int drm_vm_info(struct seq_file *m, void *data)
42099 struct drm_local_map *map;
42100 struct drm_map_list *r_list;
42101
42102- /* Hardcoded from _DRM_FRAME_BUFFER,
42103- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
42104- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
42105- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
42106+ static const char * const types[] = {
42107+ [_DRM_FRAME_BUFFER] = "FB",
42108+ [_DRM_REGISTERS] = "REG",
42109+ [_DRM_SHM] = "SHM",
42110+ [_DRM_AGP] = "AGP",
42111+ [_DRM_SCATTER_GATHER] = "SG",
42112+ [_DRM_CONSISTENT] = "PCI"};
42113 const char *type;
42114 int i;
42115
42116@@ -91,7 +94,7 @@ int drm_vm_info(struct seq_file *m, void *data)
42117 map = r_list->map;
42118 if (!map)
42119 continue;
42120- if (map->type < 0 || map->type > 5)
42121+ if (map->type >= ARRAY_SIZE(types))
42122 type = "??";
42123 else
42124 type = types[map->type];
42125diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
42126index 9cfcd0a..7142a7f 100644
42127--- a/drivers/gpu/drm/drm_ioc32.c
42128+++ b/drivers/gpu/drm/drm_ioc32.c
42129@@ -459,7 +459,7 @@ static int compat_drm_infobufs(struct file *file, unsigned int cmd,
42130 request = compat_alloc_user_space(nbytes);
42131 if (!access_ok(VERIFY_WRITE, request, nbytes))
42132 return -EFAULT;
42133- list = (struct drm_buf_desc *) (request + 1);
42134+ list = (struct drm_buf_desc __user *) (request + 1);
42135
42136 if (__put_user(count, &request->count)
42137 || __put_user(list, &request->list))
42138@@ -520,7 +520,7 @@ static int compat_drm_mapbufs(struct file *file, unsigned int cmd,
42139 request = compat_alloc_user_space(nbytes);
42140 if (!access_ok(VERIFY_WRITE, request, nbytes))
42141 return -EFAULT;
42142- list = (struct drm_buf_pub *) (request + 1);
42143+ list = (struct drm_buf_pub __user *) (request + 1);
42144
42145 if (__put_user(count, &request->count)
42146 || __put_user(list, &request->list))
42147@@ -1075,7 +1075,7 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd,
42148 return 0;
42149 }
42150
42151-static drm_ioctl_compat_t *drm_compat_ioctls[] = {
42152+static drm_ioctl_compat_t drm_compat_ioctls[] = {
42153 [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
42154 [DRM_IOCTL_NR(DRM_IOCTL_GET_UNIQUE32)] = compat_drm_getunique,
42155 [DRM_IOCTL_NR(DRM_IOCTL_GET_MAP32)] = compat_drm_getmap,
42156@@ -1122,7 +1122,6 @@ static drm_ioctl_compat_t *drm_compat_ioctls[] = {
42157 long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42158 {
42159 unsigned int nr = DRM_IOCTL_NR(cmd);
42160- drm_ioctl_compat_t *fn;
42161 int ret;
42162
42163 /* Assume that ioctls without an explicit compat routine will just
42164@@ -1132,10 +1131,8 @@ long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42165 if (nr >= ARRAY_SIZE(drm_compat_ioctls))
42166 return drm_ioctl(filp, cmd, arg);
42167
42168- fn = drm_compat_ioctls[nr];
42169-
42170- if (fn != NULL)
42171- ret = (*fn) (filp, cmd, arg);
42172+ if (drm_compat_ioctls[nr] != NULL)
42173+ ret = (*drm_compat_ioctls[nr]) (filp, cmd, arg);
42174 else
42175 ret = drm_ioctl(filp, cmd, arg);
42176
42177diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
42178index b1d303f..c59012c 100644
42179--- a/drivers/gpu/drm/drm_ioctl.c
42180+++ b/drivers/gpu/drm/drm_ioctl.c
42181@@ -650,7 +650,7 @@ long drm_ioctl(struct file *filp,
42182 struct drm_file *file_priv = filp->private_data;
42183 struct drm_device *dev;
42184 const struct drm_ioctl_desc *ioctl = NULL;
42185- drm_ioctl_t *func;
42186+ drm_ioctl_no_const_t func;
42187 unsigned int nr = DRM_IOCTL_NR(cmd);
42188 int retcode = -EINVAL;
42189 char stack_kdata[128];
42190diff --git a/drivers/gpu/drm/drm_lock.c b/drivers/gpu/drm/drm_lock.c
42191index f861361..b61d4c7 100644
42192--- a/drivers/gpu/drm/drm_lock.c
42193+++ b/drivers/gpu/drm/drm_lock.c
42194@@ -61,9 +61,12 @@ int drm_legacy_lock(struct drm_device *dev, void *data,
42195 struct drm_master *master = file_priv->master;
42196 int ret = 0;
42197
42198+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42199+ return -EINVAL;
42200+
42201 ++file_priv->lock_count;
42202
42203- if (lock->context == DRM_KERNEL_CONTEXT) {
42204+ if (_DRM_LOCKING_CONTEXT(lock->context) == DRM_KERNEL_CONTEXT) {
42205 DRM_ERROR("Process %d using kernel context %d\n",
42206 task_pid_nr(current), lock->context);
42207 return -EINVAL;
42208@@ -153,12 +156,23 @@ int drm_legacy_unlock(struct drm_device *dev, void *data, struct drm_file *file_
42209 struct drm_lock *lock = data;
42210 struct drm_master *master = file_priv->master;
42211
42212- if (lock->context == DRM_KERNEL_CONTEXT) {
42213+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42214+ return -EINVAL;
42215+
42216+ if (_DRM_LOCKING_CONTEXT(lock->context) == DRM_KERNEL_CONTEXT) {
42217 DRM_ERROR("Process %d using kernel context %d\n",
42218 task_pid_nr(current), lock->context);
42219 return -EINVAL;
42220 }
42221
42222+ if (!master->lock.hw_lock) {
42223+ DRM_ERROR(
42224+ "Device has been unregistered. Hard exit. Process %d\n",
42225+ task_pid_nr(current));
42226+ send_sig(SIGTERM, current, 0);
42227+ return -EPERM;
42228+ }
42229+
42230 if (drm_legacy_lock_free(&master->lock, lock->context)) {
42231 /* FIXME: Should really bail out here. */
42232 }
42233diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
42234index d4813e0..6c1ab4d 100644
42235--- a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
42236+++ b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
42237@@ -825,10 +825,16 @@ void mdfld_dsi_dpi_mode_set(struct drm_encoder *encoder,
42238 u32 pipeconf_reg = PIPEACONF;
42239 u32 dspcntr_reg = DSPACNTR;
42240
42241- u32 pipeconf = dev_priv->pipeconf[pipe];
42242- u32 dspcntr = dev_priv->dspcntr[pipe];
42243+ u32 pipeconf;
42244+ u32 dspcntr;
42245 u32 mipi = MIPI_PORT_EN | PASS_FROM_SPHY_TO_AFE | SEL_FLOPPED_HSTX;
42246
42247+ if (pipe == -1)
42248+ return;
42249+
42250+ pipeconf = dev_priv->pipeconf[pipe];
42251+ dspcntr = dev_priv->dspcntr[pipe];
42252+
42253 if (pipe) {
42254 pipeconf_reg = PIPECCONF;
42255 dspcntr_reg = DSPCCNTR;
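Review bot: The added guard `if (pipe == -1) return;` rejects only that one sentinel, so any other negative or too-large `pipe` still indexes `dev_priv->pipeconf[]` and `dev_priv->dspcntr[]` two lines later. The declaration and source of `pipe` are above the hunk, so whether other values can occur is not visible here. A range check is just as cheap, for example `if (pipe < 0 || pipe >= ARRAY_SIZE(dev_priv->pipeconf)) return;`, assuming `pipeconf` is an array member. The early return is also silent: a `DRM_ERROR` naming the rejected pipe would make a skipped mode-set visible in the log.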
42256diff --git a/drivers/gpu/drm/i810/i810_drv.h b/drivers/gpu/drm/i810/i810_drv.h
42257index 93ec5dc..82acbaf 100644
42258--- a/drivers/gpu/drm/i810/i810_drv.h
42259+++ b/drivers/gpu/drm/i810/i810_drv.h
42260@@ -110,8 +110,8 @@ typedef struct drm_i810_private {
42261 int page_flipping;
42262
42263 wait_queue_head_t irq_queue;
42264- atomic_t irq_received;
42265- atomic_t irq_emitted;
42266+ atomic_unchecked_t irq_received;
42267+ atomic_unchecked_t irq_emitted;
42268
42269 int front_offset;
42270 } drm_i810_private_t;
42271diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
42272index 82bbe3f..ce004bf 100644
42273--- a/drivers/gpu/drm/i915/i915_debugfs.c
42274+++ b/drivers/gpu/drm/i915/i915_debugfs.c
42275@@ -480,7 +480,7 @@ static int i915_gem_object_info(struct seq_file *m, void* data)
42276 seq_printf(m, "%u fault mappable objects, %zu bytes\n",
42277 count, size);
42278
42279- seq_printf(m, "%zu [%lu] gtt total\n",
42280+ seq_printf(m, "%llu [%llu] gtt total\n",
42281 dev_priv->gtt.base.total,
42282 dev_priv->gtt.mappable_end - dev_priv->gtt.base.start);
42283
42284diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
42285index d2df321..f746478 100644
42286--- a/drivers/gpu/drm/i915/i915_dma.c
42287+++ b/drivers/gpu/drm/i915/i915_dma.c
42288@@ -162,6 +162,8 @@ static int i915_getparam(struct drm_device *dev, void *data,
42289 value = INTEL_INFO(dev)->eu_total;
42290 if (!value)
42291 return -ENODEV;
42292+ case I915_PARAM_HAS_LEGACY_CONTEXT:
42293+ value = drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT);
42294 break;
42295 default:
42296 DRM_DEBUG("Unknown parameter %d\n", param->param);
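Review bot: The new `case I915_PARAM_HAS_LEGACY_CONTEXT:` label sits between the preceding case's `return -ENODEV;` and that case's `break;`, so the preceding case (its label is above the hunk) now falls through into the new one. Whenever its `INTEL_INFO(dev)->eu_total` value is non-zero, `value` is overwritten with the `drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT)` result, and userspace asking for that parameter gets the feature flag instead. The preceding case needs to keep its terminator: add a `break;` on the line before `case I915_PARAM_HAS_LEGACY_CONTEXT:`, leaving the existing `break;` to close the new case. `i915_getparam` starts and ends outside the hunk.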
42297@@ -376,7 +378,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
42298 * locking inversion with the driver load path. And the access here is
42299 * completely racy anyway. So don't bother with locking for now.
42300 */
42301- return dev->open_count == 0;
42302+ return local_read(&dev->open_count) == 0;
42303 }
42304
42305 static const struct vga_switcheroo_client_ops i915_switcheroo_ops = {
42306diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42307index 5e6b4a2..6ba2c85 100644
42308--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42309+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42310@@ -935,12 +935,12 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
42311 static int
42312 validate_exec_list(struct drm_device *dev,
42313 struct drm_i915_gem_exec_object2 *exec,
42314- int count)
42315+ unsigned int count)
42316 {
42317 unsigned relocs_total = 0;
42318 unsigned relocs_max = UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
42319 unsigned invalid_flags;
42320- int i;
42321+ unsigned int i;
42322
42323 invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
42324 if (USES_FULL_PPGTT(dev))
42325diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
42326index 31e8269..7055934 100644
42327--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
42328+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
42329@@ -2360,10 +2360,10 @@ static void chv_setup_private_ppat(struct drm_i915_private *dev_priv)
42330 }
42331
42332 static int gen8_gmch_probe(struct drm_device *dev,
42333- size_t *gtt_total,
42334- size_t *stolen,
42335- phys_addr_t *mappable_base,
42336- unsigned long *mappable_end)
42337+ uint64_t *gtt_total,
42338+ uint64_t *stolen,
42339+ uint64_t *mappable_base,
42340+ uint64_t *mappable_end)
42341 {
42342 struct drm_i915_private *dev_priv = dev->dev_private;
42343 unsigned int gtt_size;
42344@@ -2408,10 +2408,10 @@ static int gen8_gmch_probe(struct drm_device *dev,
42345 }
42346
42347 static int gen6_gmch_probe(struct drm_device *dev,
42348- size_t *gtt_total,
42349- size_t *stolen,
42350- phys_addr_t *mappable_base,
42351- unsigned long *mappable_end)
42352+ uint64_t *gtt_total,
42353+ uint64_t *stolen,
42354+ uint64_t *mappable_base,
42355+ uint64_t *mappable_end)
42356 {
42357 struct drm_i915_private *dev_priv = dev->dev_private;
42358 unsigned int gtt_size;
42359@@ -2425,7 +2425,7 @@ static int gen6_gmch_probe(struct drm_device *dev,
42360 * a coarse sanity check.
42361 */
42362 if ((*mappable_end < (64<<20) || (*mappable_end > (512<<20)))) {
42363- DRM_ERROR("Unknown GMADR size (%lx)\n",
42364+ DRM_ERROR("Unknown GMADR size (%llx)\n",
42365 dev_priv->gtt.mappable_end);
42366 return -ENXIO;
42367 }
42368@@ -2459,10 +2459,10 @@ static void gen6_gmch_remove(struct i915_address_space *vm)
42369 }
42370
42371 static int i915_gmch_probe(struct drm_device *dev,
42372- size_t *gtt_total,
42373- size_t *stolen,
42374- phys_addr_t *mappable_base,
42375- unsigned long *mappable_end)
42376+ uint64_t *gtt_total,
42377+ uint64_t *stolen,
42378+ uint64_t *mappable_base,
42379+ uint64_t *mappable_end)
42380 {
42381 struct drm_i915_private *dev_priv = dev->dev_private;
42382 int ret;
42383@@ -2527,10 +2527,10 @@ int i915_gem_gtt_init(struct drm_device *dev)
42384 gtt->base.dev = dev;
42385
42386 /* GMADR is the PCI mmio aperture into the global GTT. */
42387- DRM_INFO("Memory usable by graphics device = %zdM\n",
42388+ DRM_INFO("Memory usable by graphics device = %lldM\n",
42389 gtt->base.total >> 20);
42390- DRM_DEBUG_DRIVER("GMADR size = %ldM\n", gtt->mappable_end >> 20);
42391- DRM_DEBUG_DRIVER("GTT stolen size = %zdM\n", gtt->stolen_size >> 20);
42392+ DRM_DEBUG_DRIVER("GMADR size = %lldM\n", gtt->mappable_end >> 20);
42393+ DRM_DEBUG_DRIVER("GTT stolen size = %lldM\n", gtt->stolen_size >> 20);
42394 #ifdef CONFIG_INTEL_IOMMU
42395 if (intel_iommu_gfx_mapped)
42396 DRM_INFO("VT-d active for gfx access\n");
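Review bot: The three rewritten format strings use the signed conversion `%lldM` for values that the `i915_gem_gtt.h` hunks on this page declare as `uint64_t` (`total`, `mappable_end`, `stolen_size`). The unsigned form matches the type and cannot print a negative size if the top bit is ever set, for example `DRM_INFO("Memory usable by graphics device = %lluM\n", gtt->base.total >> 20);`, and likewise for the two `DRM_DEBUG_DRIVER` lines. The `i915_gem_stolen.c` hunk has the same mismatch in `"found %lld bytes of stolen memory at %08lx\n"`. The `i915_debugfs.c` hunk already uses `%llu` for these fields, so this would also make the patch consistent with itself.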
42397diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.h b/drivers/gpu/drm/i915/i915_gem_gtt.h
42398index 0d46dd2..1171c00 100644
42399--- a/drivers/gpu/drm/i915/i915_gem_gtt.h
42400+++ b/drivers/gpu/drm/i915/i915_gem_gtt.h
42401@@ -233,8 +233,8 @@ struct i915_address_space {
42402 struct drm_mm mm;
42403 struct drm_device *dev;
42404 struct list_head global_link;
42405- unsigned long start; /* Start offset always 0 for dri2 */
42406- size_t total; /* size addr space maps (ex. 2GB for ggtt) */
42407+ uint64_t start; /* Start offset always 0 for dri2 */
42408+ uint64_t total; /* size addr space maps (ex. 2GB for ggtt) */
42409
42410 struct {
42411 dma_addr_t addr;
42412@@ -300,11 +300,11 @@ struct i915_address_space {
42413 */
42414 struct i915_gtt {
42415 struct i915_address_space base;
42416- size_t stolen_size; /* Total size of stolen memory */
42417+ uint64_t stolen_size; /* Total size of stolen memory */
42418
42419- unsigned long mappable_end; /* End offset that we can CPU map */
42420+ uint64_t mappable_end; /* End offset that we can CPU map */
42421 struct io_mapping *mappable; /* Mapping to our CPU mappable region */
42422- phys_addr_t mappable_base; /* PA of our GMADR */
42423+ uint64_t mappable_base; /* PA of our GMADR */
42424
42425 /** "Graphics Stolen Memory" holds the global PTEs */
42426 void __iomem *gsm;
42427@@ -314,9 +314,9 @@ struct i915_gtt {
42428 int mtrr;
42429
42430 /* global gtt ops */
42431- int (*gtt_probe)(struct drm_device *dev, size_t *gtt_total,
42432- size_t *stolen, phys_addr_t *mappable_base,
42433- unsigned long *mappable_end);
42434+ int (*gtt_probe)(struct drm_device *dev, uint64_t *gtt_total,
42435+ uint64_t *stolen, uint64_t *mappable_base,
42436+ uint64_t *mappable_end);
42437 };
42438
42439 struct i915_hw_ppgtt {
42440diff --git a/drivers/gpu/drm/i915/i915_gem_stolen.c b/drivers/gpu/drm/i915/i915_gem_stolen.c
42441index 8b5b784..78711f6 100644
42442--- a/drivers/gpu/drm/i915/i915_gem_stolen.c
42443+++ b/drivers/gpu/drm/i915/i915_gem_stolen.c
42444@@ -310,7 +310,7 @@ int i915_gem_init_stolen(struct drm_device *dev)
42445 if (dev_priv->mm.stolen_base == 0)
42446 return 0;
42447
42448- DRM_DEBUG_KMS("found %zd bytes of stolen memory at %08lx\n",
42449+ DRM_DEBUG_KMS("found %lld bytes of stolen memory at %08lx\n",
42450 dev_priv->gtt.stolen_size, dev_priv->mm.stolen_base);
42451
42452 if (INTEL_INFO(dev)->gen >= 8) {
42453diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c
42454index 23aa04c..1d25960 100644
42455--- a/drivers/gpu/drm/i915/i915_ioc32.c
42456+++ b/drivers/gpu/drm/i915/i915_ioc32.c
42457@@ -62,7 +62,7 @@ static int compat_i915_batchbuffer(struct file *file, unsigned int cmd,
42458 || __put_user(batchbuffer32.DR4, &batchbuffer->DR4)
42459 || __put_user(batchbuffer32.num_cliprects,
42460 &batchbuffer->num_cliprects)
42461- || __put_user((int __user *)(unsigned long)batchbuffer32.cliprects,
42462+ || __put_user((struct drm_clip_rect __user *)(unsigned long)batchbuffer32.cliprects,
42463 &batchbuffer->cliprects))
42464 return -EFAULT;
42465
42466@@ -91,13 +91,13 @@ static int compat_i915_cmdbuffer(struct file *file, unsigned int cmd,
42467
42468 cmdbuffer = compat_alloc_user_space(sizeof(*cmdbuffer));
42469 if (!access_ok(VERIFY_WRITE, cmdbuffer, sizeof(*cmdbuffer))
42470- || __put_user((int __user *)(unsigned long)cmdbuffer32.buf,
42471+ || __put_user((char __user *)(unsigned long)cmdbuffer32.buf,
42472 &cmdbuffer->buf)
42473 || __put_user(cmdbuffer32.sz, &cmdbuffer->sz)
42474 || __put_user(cmdbuffer32.DR1, &cmdbuffer->DR1)
42475 || __put_user(cmdbuffer32.DR4, &cmdbuffer->DR4)
42476 || __put_user(cmdbuffer32.num_cliprects, &cmdbuffer->num_cliprects)
42477- || __put_user((int __user *)(unsigned long)cmdbuffer32.cliprects,
42478+ || __put_user((struct drm_clip_rect __user *)(unsigned long)cmdbuffer32.cliprects,
42479 &cmdbuffer->cliprects))
42480 return -EFAULT;
42481
42482@@ -181,7 +181,7 @@ static int compat_i915_alloc(struct file *file, unsigned int cmd,
42483 (unsigned long)request);
42484 }
42485
42486-static drm_ioctl_compat_t *i915_compat_ioctls[] = {
42487+static drm_ioctl_compat_t i915_compat_ioctls[] = {
42488 [DRM_I915_BATCHBUFFER] = compat_i915_batchbuffer,
42489 [DRM_I915_CMDBUFFER] = compat_i915_cmdbuffer,
42490 [DRM_I915_GETPARAM] = compat_i915_getparam,
42491@@ -201,17 +201,13 @@ static drm_ioctl_compat_t *i915_compat_ioctls[] = {
42492 long i915_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42493 {
42494 unsigned int nr = DRM_IOCTL_NR(cmd);
42495- drm_ioctl_compat_t *fn = NULL;
42496 int ret;
42497
42498 if (nr < DRM_COMMAND_BASE || nr >= DRM_COMMAND_END)
42499 return drm_compat_ioctl(filp, cmd, arg);
42500
42501- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(i915_compat_ioctls))
42502- fn = i915_compat_ioctls[nr - DRM_COMMAND_BASE];
42503-
42504- if (fn != NULL)
42505- ret = (*fn) (filp, cmd, arg);
42506+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(i915_compat_ioctls) && i915_compat_ioctls[nr - DRM_COMMAND_BASE])
42507+ ret = (*i915_compat_ioctls[nr - DRM_COMMAND_BASE])(filp, cmd, arg);
42508 else
42509 ret = drm_ioctl(filp, cmd, arg);
42510
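Review bot: The index `nr - DRM_COMMAND_BASE` is spelled three times on the two added lines of i915_compat_ioctl, so the bounds test and the table read it guards can drift apart, and the first added line runs well past 80 columns. Since `nr` is derived from the caller's ioctl number, I would name the index once with the other locals, `unsigned int idx = nr - DRM_COMMAND_BASE;` (the unsigned wrap for small `nr` is harmless because the early return fires before `idx` is used). The test then becomes `if (idx < ARRAY_SIZE(i915_compat_ioctls) && i915_compat_ioctls[idx])` and the call `ret = i915_compat_ioctls[idx](filp, cmd, arg);`. The same two-line pattern is added to mga_compat_ioctl, r128_compat_ioctl and radeon_compat_ioctl further down. The function body continues past the end of the hunk.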
42511diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
42512index 107c6c0..e1926b0 100644
42513--- a/drivers/gpu/drm/i915/intel_display.c
42514+++ b/drivers/gpu/drm/i915/intel_display.c
42515@@ -14501,13 +14501,13 @@ struct intel_quirk {
42516 int subsystem_vendor;
42517 int subsystem_device;
42518 void (*hook)(struct drm_device *dev);
42519-};
42520+} __do_const;
42521
42522 /* For systems that don't have a meaningful PCI subdevice/subvendor ID */
42523 struct intel_dmi_quirk {
42524 void (*hook)(struct drm_device *dev);
42525 const struct dmi_system_id (*dmi_id_list)[];
42526-};
42527+} __do_const;
42528
42529 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
42530 {
42531@@ -14515,18 +14515,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
42532 return 1;
42533 }
42534
42535-static const struct intel_dmi_quirk intel_dmi_quirks[] = {
42536+static const struct dmi_system_id intel_dmi_quirks_table[] = {
42537 {
42538- .dmi_id_list = &(const struct dmi_system_id[]) {
42539- {
42540- .callback = intel_dmi_reverse_brightness,
42541- .ident = "NCR Corporation",
42542- .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"),
42543- DMI_MATCH(DMI_PRODUCT_NAME, ""),
42544- },
42545- },
42546- { } /* terminating entry */
42547+ .callback = intel_dmi_reverse_brightness,
42548+ .ident = "NCR Corporation",
42549+ .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"),
42550+ DMI_MATCH(DMI_PRODUCT_NAME, ""),
42551 },
42552+ },
42553+ { } /* terminating entry */
42554+};
42555+
42556+static const struct intel_dmi_quirk intel_dmi_quirks[] = {
42557+ {
42558+ .dmi_id_list = &intel_dmi_quirks_table,
42559 .hook = quirk_invert_brightness,
42560 },
42561 };
42562diff --git a/drivers/gpu/drm/imx/imx-drm-core.c b/drivers/gpu/drm/imx/imx-drm-core.c
42563index 74f505b..21f6914 100644
42564--- a/drivers/gpu/drm/imx/imx-drm-core.c
42565+++ b/drivers/gpu/drm/imx/imx-drm-core.c
42566@@ -355,7 +355,7 @@ int imx_drm_add_crtc(struct drm_device *drm, struct drm_crtc *crtc,
42567 if (imxdrm->pipes >= MAX_CRTC)
42568 return -EINVAL;
42569
42570- if (imxdrm->drm->open_count)
42571+ if (local_read(&imxdrm->drm->open_count))
42572 return -EBUSY;
42573
42574 imx_drm_crtc = kzalloc(sizeof(*imx_drm_crtc), GFP_KERNEL);
42575diff --git a/drivers/gpu/drm/mga/mga_drv.h b/drivers/gpu/drm/mga/mga_drv.h
42576index b4a20149..219ab78 100644
42577--- a/drivers/gpu/drm/mga/mga_drv.h
42578+++ b/drivers/gpu/drm/mga/mga_drv.h
42579@@ -122,9 +122,9 @@ typedef struct drm_mga_private {
42580 u32 clear_cmd;
42581 u32 maccess;
42582
42583- atomic_t vbl_received; /**< Number of vblanks received. */
42584+ atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
42585 wait_queue_head_t fence_queue;
42586- atomic_t last_fence_retired;
42587+ atomic_unchecked_t last_fence_retired;
42588 u32 next_fence_to_post;
42589
42590 unsigned int fb_cpp;
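Review bot: Nothing at the two changed fields says why they are exempt from checking, so a later reader cannot tell an intended wrapping counter from a reference count that lost its overflow protection. `atomic_unchecked_t` presumably opts a field out of the patch's atomic overflow detection, which is only sound where wrap-around is harmless. For `vbl_received` the existing comment suggests that; for `last_fence_retired` it should be stated, e.g. `/* fence sequence number, wraps by design */`. The same applies to the counters converted in qxl_drv.h, r128_drv.h and radeon_drv.h. The struct definition starts and ends outside the hunk.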
42591diff --git a/drivers/gpu/drm/mga/mga_ioc32.c b/drivers/gpu/drm/mga/mga_ioc32.c
42592index 729bfd5..14bae78 100644
42593--- a/drivers/gpu/drm/mga/mga_ioc32.c
42594+++ b/drivers/gpu/drm/mga/mga_ioc32.c
42595@@ -190,7 +190,7 @@ static int compat_mga_dma_bootstrap(struct file *file, unsigned int cmd,
42596 return 0;
42597 }
42598
42599-drm_ioctl_compat_t *mga_compat_ioctls[] = {
42600+drm_ioctl_compat_t mga_compat_ioctls[] = {
42601 [DRM_MGA_INIT] = compat_mga_init,
42602 [DRM_MGA_GETPARAM] = compat_mga_getparam,
42603 [DRM_MGA_DMA_BOOTSTRAP] = compat_mga_dma_bootstrap,
42604@@ -208,17 +208,13 @@ drm_ioctl_compat_t *mga_compat_ioctls[] = {
42605 long mga_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42606 {
42607 unsigned int nr = DRM_IOCTL_NR(cmd);
42608- drm_ioctl_compat_t *fn = NULL;
42609 int ret;
42610
42611 if (nr < DRM_COMMAND_BASE)
42612 return drm_compat_ioctl(filp, cmd, arg);
42613
42614- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(mga_compat_ioctls))
42615- fn = mga_compat_ioctls[nr - DRM_COMMAND_BASE];
42616-
42617- if (fn != NULL)
42618- ret = (*fn) (filp, cmd, arg);
42619+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(mga_compat_ioctls) && mga_compat_ioctls[nr - DRM_COMMAND_BASE])
42620+ ret = (*mga_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
42621 else
42622 ret = drm_ioctl(filp, cmd, arg);
42623
42624diff --git a/drivers/gpu/drm/mga/mga_irq.c b/drivers/gpu/drm/mga/mga_irq.c
42625index 1b071b8..de8601a 100644
42626--- a/drivers/gpu/drm/mga/mga_irq.c
42627+++ b/drivers/gpu/drm/mga/mga_irq.c
42628@@ -43,7 +43,7 @@ u32 mga_get_vblank_counter(struct drm_device *dev, int crtc)
42629 if (crtc != 0)
42630 return 0;
42631
42632- return atomic_read(&dev_priv->vbl_received);
42633+ return atomic_read_unchecked(&dev_priv->vbl_received);
42634 }
42635
42636
42637@@ -59,7 +59,7 @@ irqreturn_t mga_driver_irq_handler(int irq, void *arg)
42638 /* VBLANK interrupt */
42639 if (status & MGA_VLINEPEN) {
42640 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
42641- atomic_inc(&dev_priv->vbl_received);
42642+ atomic_inc_unchecked(&dev_priv->vbl_received);
42643 drm_handle_vblank(dev, 0);
42644 handled = 1;
42645 }
42646@@ -78,7 +78,7 @@ irqreturn_t mga_driver_irq_handler(int irq, void *arg)
42647 if ((prim_start & ~0x03) != (prim_end & ~0x03))
42648 MGA_WRITE(MGA_PRIMEND, prim_end);
42649
42650- atomic_inc(&dev_priv->last_fence_retired);
42651+ atomic_inc_unchecked(&dev_priv->last_fence_retired);
42652 wake_up(&dev_priv->fence_queue);
42653 handled = 1;
42654 }
42655@@ -129,7 +129,7 @@ int mga_driver_fence_wait(struct drm_device *dev, unsigned int *sequence)
42656 * using fences.
42657 */
42658 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * HZ,
42659- (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
42660+ (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
42661 - *sequence) <= (1 << 23)));
42662
42663 *sequence = cur_fence;
42664diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c
42665index 0190b69..60c3eaf 100644
42666--- a/drivers/gpu/drm/nouveau/nouveau_bios.c
42667+++ b/drivers/gpu/drm/nouveau/nouveau_bios.c
42668@@ -963,7 +963,7 @@ static int parse_bit_tmds_tbl_entry(struct drm_device *dev, struct nvbios *bios,
42669 struct bit_table {
42670 const char id;
42671 int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *);
42672-};
42673+} __no_const;
42674
42675 #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
42676
42677diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
42678index 477cbb1..109b826 100644
42679--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
42680+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
42681@@ -946,7 +946,8 @@ static struct drm_driver
42682 driver_stub = {
42683 .driver_features =
42684 DRIVER_USE_AGP |
42685- DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER,
42686+ DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER |
42687+ DRIVER_KMS_LEGACY_CONTEXT,
42688
42689 .load = nouveau_drm_load,
42690 .unload = nouveau_drm_unload,
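Review bot: `DRIVER_KMS_LEGACY_CONTEXT` is added to `driver_features` without a comment, and in a hardening patch a flag that switches functionality on deserves one. As far as I know this bit lets a modesetting driver keep accepting the legacy DRM context ioctls, so it widens the ioctl surface reachable from user space rather than narrowing it. I would add a line such as `/* legacy context ioctls kept for old user space -- TODO name the consumer */` above the flag, or drop the flag if nothing depends on it. The initializer continues outside the hunk.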
42691diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.h b/drivers/gpu/drm/nouveau/nouveau_drm.h
42692index dd72652..1fd2368 100644
42693--- a/drivers/gpu/drm/nouveau/nouveau_drm.h
42694+++ b/drivers/gpu/drm/nouveau/nouveau_drm.h
42695@@ -123,7 +123,6 @@ struct nouveau_drm {
42696 struct drm_global_reference mem_global_ref;
42697 struct ttm_bo_global_ref bo_global_ref;
42698 struct ttm_bo_device bdev;
42699- atomic_t validate_sequence;
42700 int (*move)(struct nouveau_channel *,
42701 struct ttm_buffer_object *,
42702 struct ttm_mem_reg *, struct ttm_mem_reg *);
42703diff --git a/drivers/gpu/drm/nouveau/nouveau_ioc32.c b/drivers/gpu/drm/nouveau/nouveau_ioc32.c
42704index 462679a..88e32a7 100644
42705--- a/drivers/gpu/drm/nouveau/nouveau_ioc32.c
42706+++ b/drivers/gpu/drm/nouveau/nouveau_ioc32.c
42707@@ -50,7 +50,7 @@ long nouveau_compat_ioctl(struct file *filp, unsigned int cmd,
42708 unsigned long arg)
42709 {
42710 unsigned int nr = DRM_IOCTL_NR(cmd);
42711- drm_ioctl_compat_t *fn = NULL;
42712+ drm_ioctl_compat_t fn = NULL;
42713 int ret;
42714
42715 if (nr < DRM_COMMAND_BASE)
42716diff --git a/drivers/gpu/drm/nouveau/nouveau_ttm.c b/drivers/gpu/drm/nouveau/nouveau_ttm.c
42717index 7464aef3..c63ae4f 100644
42718--- a/drivers/gpu/drm/nouveau/nouveau_ttm.c
42719+++ b/drivers/gpu/drm/nouveau/nouveau_ttm.c
42720@@ -130,11 +130,11 @@ nouveau_vram_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
42721 }
42722
42723 const struct ttm_mem_type_manager_func nouveau_vram_manager = {
42724- nouveau_vram_manager_init,
42725- nouveau_vram_manager_fini,
42726- nouveau_vram_manager_new,
42727- nouveau_vram_manager_del,
42728- nouveau_vram_manager_debug
42729+ .init = nouveau_vram_manager_init,
42730+ .takedown = nouveau_vram_manager_fini,
42731+ .get_node = nouveau_vram_manager_new,
42732+ .put_node = nouveau_vram_manager_del,
42733+ .debug = nouveau_vram_manager_debug
42734 };
42735
42736 static int
42737@@ -207,11 +207,11 @@ nouveau_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
42738 }
42739
42740 const struct ttm_mem_type_manager_func nouveau_gart_manager = {
42741- nouveau_gart_manager_init,
42742- nouveau_gart_manager_fini,
42743- nouveau_gart_manager_new,
42744- nouveau_gart_manager_del,
42745- nouveau_gart_manager_debug
42746+ .init = nouveau_gart_manager_init,
42747+ .takedown = nouveau_gart_manager_fini,
42748+ .get_node = nouveau_gart_manager_new,
42749+ .put_node = nouveau_gart_manager_del,
42750+ .debug = nouveau_gart_manager_debug
42751 };
42752
42753 /*XXX*/
42754@@ -280,11 +280,11 @@ nv04_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
42755 }
42756
42757 const struct ttm_mem_type_manager_func nv04_gart_manager = {
42758- nv04_gart_manager_init,
42759- nv04_gart_manager_fini,
42760- nv04_gart_manager_new,
42761- nv04_gart_manager_del,
42762- nv04_gart_manager_debug
42763+ .init = nv04_gart_manager_init,
42764+ .takedown = nv04_gart_manager_fini,
42765+ .get_node = nv04_gart_manager_new,
42766+ .put_node = nv04_gart_manager_del,
42767+ .debug = nv04_gart_manager_debug
42768 };
42769
42770 int
42771diff --git a/drivers/gpu/drm/nouveau/nouveau_vga.c b/drivers/gpu/drm/nouveau/nouveau_vga.c
42772index c7592ec..dd45ebc 100644
42773--- a/drivers/gpu/drm/nouveau/nouveau_vga.c
42774+++ b/drivers/gpu/drm/nouveau/nouveau_vga.c
42775@@ -72,7 +72,7 @@ nouveau_switcheroo_can_switch(struct pci_dev *pdev)
42776 * locking inversion with the driver load path. And the access here is
42777 * completely racy anyway. So don't bother with locking for now.
42778 */
42779- return dev->open_count == 0;
42780+ return local_read(&dev->open_count) == 0;
42781 }
42782
42783 static const struct vga_switcheroo_client_ops
42784diff --git a/drivers/gpu/drm/omapdrm/Makefile b/drivers/gpu/drm/omapdrm/Makefile
42785index 778372b..4b81cb4 100644
42786--- a/drivers/gpu/drm/omapdrm/Makefile
42787+++ b/drivers/gpu/drm/omapdrm/Makefile
42788@@ -3,7 +3,7 @@
42789 # Direct Rendering Infrastructure (DRI)
42790 #
42791
42792-ccflags-y := -Iinclude/drm -Werror
42793+ccflags-y := -Iinclude/drm
42794 omapdrm-y := omap_drv.o \
42795 omap_irq.o \
42796 omap_debugfs.o \
42797diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c
42798index fdc1833..f307630 100644
42799--- a/drivers/gpu/drm/qxl/qxl_cmd.c
42800+++ b/drivers/gpu/drm/qxl/qxl_cmd.c
42801@@ -285,27 +285,27 @@ static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port,
42802 int ret;
42803
42804 mutex_lock(&qdev->async_io_mutex);
42805- irq_num = atomic_read(&qdev->irq_received_io_cmd);
42806+ irq_num = atomic_read_unchecked(&qdev->irq_received_io_cmd);
42807 if (qdev->last_sent_io_cmd > irq_num) {
42808 if (intr)
42809 ret = wait_event_interruptible_timeout(qdev->io_cmd_event,
42810- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
42811+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
42812 else
42813 ret = wait_event_timeout(qdev->io_cmd_event,
42814- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
42815+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
42816 /* 0 is timeout, just bail the "hw" has gone away */
42817 if (ret <= 0)
42818 goto out;
42819- irq_num = atomic_read(&qdev->irq_received_io_cmd);
42820+ irq_num = atomic_read_unchecked(&qdev->irq_received_io_cmd);
42821 }
42822 outb(val, addr);
42823 qdev->last_sent_io_cmd = irq_num + 1;
42824 if (intr)
42825 ret = wait_event_interruptible_timeout(qdev->io_cmd_event,
42826- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
42827+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
42828 else
42829 ret = wait_event_timeout(qdev->io_cmd_event,
42830- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
42831+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
42832 out:
42833 if (ret > 0)
42834 ret = 0;
42835diff --git a/drivers/gpu/drm/qxl/qxl_debugfs.c b/drivers/gpu/drm/qxl/qxl_debugfs.c
42836index 6911b8c..89d6867 100644
42837--- a/drivers/gpu/drm/qxl/qxl_debugfs.c
42838+++ b/drivers/gpu/drm/qxl/qxl_debugfs.c
42839@@ -42,10 +42,10 @@ qxl_debugfs_irq_received(struct seq_file *m, void *data)
42840 struct drm_info_node *node = (struct drm_info_node *) m->private;
42841 struct qxl_device *qdev = node->minor->dev->dev_private;
42842
42843- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received));
42844- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_display));
42845- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_cursor));
42846- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_io_cmd));
42847+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received));
42848+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_display));
42849+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_cursor));
42850+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_io_cmd));
42851 seq_printf(m, "%d\n", qdev->irq_received_error);
42852 return 0;
42853 }
42854diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h
42855index 01a8694..584fb48 100644
42856--- a/drivers/gpu/drm/qxl/qxl_drv.h
42857+++ b/drivers/gpu/drm/qxl/qxl_drv.h
42858@@ -290,10 +290,10 @@ struct qxl_device {
42859 unsigned int last_sent_io_cmd;
42860
42861 /* interrupt handling */
42862- atomic_t irq_received;
42863- atomic_t irq_received_display;
42864- atomic_t irq_received_cursor;
42865- atomic_t irq_received_io_cmd;
42866+ atomic_unchecked_t irq_received;
42867+ atomic_unchecked_t irq_received_display;
42868+ atomic_unchecked_t irq_received_cursor;
42869+ atomic_unchecked_t irq_received_io_cmd;
42870 unsigned irq_received_error;
42871 wait_queue_head_t display_event;
42872 wait_queue_head_t cursor_event;
42873diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
42874index bda5c5f..140ac46 100644
42875--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
42876+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
42877@@ -183,7 +183,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
42878
42879 /* TODO copy slow path code from i915 */
42880 fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE));
42881- unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void *)(unsigned long)cmd->command, cmd->command_size);
42882+ unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void __force_user *)(unsigned long)cmd->command, cmd->command_size);
42883
42884 {
42885 struct qxl_drawable *draw = fb_cmd;
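Review bot: The changed `__copy_from_user_inatomic_nocache()` line keeps `release->release_offset & ~PAGE_SIZE` as the in-page part of the destination, and the context line above maps the page with `release->release_offset & PAGE_SIZE`. Both masks touch a single bit instead of splitting the offset at the page boundary. Presumably `release->release_offset & PAGE_MASK` was meant for the page and `release->release_offset & ~PAGE_MASK` for the offset inside it. These values set the destination of a copy whose length is the caller-supplied `cmd->command_size`, so the arithmetic is worth fixing while the line is being touched. Whether `command_size` is bounded and `unwritten` is checked lies outside the hunk.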
42886@@ -203,7 +203,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
42887 struct drm_qxl_reloc reloc;
42888
42889 if (copy_from_user(&reloc,
42890- &((struct drm_qxl_reloc *)(uintptr_t)cmd->relocs)[i],
42891+ &((struct drm_qxl_reloc __force_user *)(uintptr_t)cmd->relocs)[i],
42892 sizeof(reloc))) {
42893 ret = -EFAULT;
42894 goto out_free_bos;
42895@@ -282,10 +282,10 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data,
42896
42897 for (cmd_num = 0; cmd_num < execbuffer->commands_num; ++cmd_num) {
42898
42899- struct drm_qxl_command *commands =
42900- (struct drm_qxl_command *)(uintptr_t)execbuffer->commands;
42901+ struct drm_qxl_command __user *commands =
42902+ (struct drm_qxl_command __user *)(uintptr_t)execbuffer->commands;
42903
42904- if (copy_from_user(&user_cmd, &commands[cmd_num],
42905+ if (copy_from_user(&user_cmd, (struct drm_qxl_command __force_user *)&commands[cmd_num],
42906 sizeof(user_cmd)))
42907 return -EFAULT;
42908
42909diff --git a/drivers/gpu/drm/qxl/qxl_irq.c b/drivers/gpu/drm/qxl/qxl_irq.c
42910index 0bf1e20..42a7310 100644
42911--- a/drivers/gpu/drm/qxl/qxl_irq.c
42912+++ b/drivers/gpu/drm/qxl/qxl_irq.c
42913@@ -36,19 +36,19 @@ irqreturn_t qxl_irq_handler(int irq, void *arg)
42914 if (!pending)
42915 return IRQ_NONE;
42916
42917- atomic_inc(&qdev->irq_received);
42918+ atomic_inc_unchecked(&qdev->irq_received);
42919
42920 if (pending & QXL_INTERRUPT_DISPLAY) {
42921- atomic_inc(&qdev->irq_received_display);
42922+ atomic_inc_unchecked(&qdev->irq_received_display);
42923 wake_up_all(&qdev->display_event);
42924 qxl_queue_garbage_collect(qdev, false);
42925 }
42926 if (pending & QXL_INTERRUPT_CURSOR) {
42927- atomic_inc(&qdev->irq_received_cursor);
42928+ atomic_inc_unchecked(&qdev->irq_received_cursor);
42929 wake_up_all(&qdev->cursor_event);
42930 }
42931 if (pending & QXL_INTERRUPT_IO_CMD) {
42932- atomic_inc(&qdev->irq_received_io_cmd);
42933+ atomic_inc_unchecked(&qdev->irq_received_io_cmd);
42934 wake_up_all(&qdev->io_cmd_event);
42935 }
42936 if (pending & QXL_INTERRUPT_ERROR) {
42937@@ -85,10 +85,10 @@ int qxl_irq_init(struct qxl_device *qdev)
42938 init_waitqueue_head(&qdev->io_cmd_event);
42939 INIT_WORK(&qdev->client_monitors_config_work,
42940 qxl_client_monitors_config_work_func);
42941- atomic_set(&qdev->irq_received, 0);
42942- atomic_set(&qdev->irq_received_display, 0);
42943- atomic_set(&qdev->irq_received_cursor, 0);
42944- atomic_set(&qdev->irq_received_io_cmd, 0);
42945+ atomic_set_unchecked(&qdev->irq_received, 0);
42946+ atomic_set_unchecked(&qdev->irq_received_display, 0);
42947+ atomic_set_unchecked(&qdev->irq_received_cursor, 0);
42948+ atomic_set_unchecked(&qdev->irq_received_io_cmd, 0);
42949 qdev->irq_received_error = 0;
42950 ret = drm_irq_install(qdev->ddev, qdev->ddev->pdev->irq);
42951 qdev->ram_header->int_mask = QXL_INTERRUPT_MASK;
42952diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c
42953index 0cbc4c9..0e46686 100644
42954--- a/drivers/gpu/drm/qxl/qxl_ttm.c
42955+++ b/drivers/gpu/drm/qxl/qxl_ttm.c
42956@@ -103,7 +103,7 @@ static void qxl_ttm_global_fini(struct qxl_device *qdev)
42957 }
42958 }
42959
42960-static struct vm_operations_struct qxl_ttm_vm_ops;
42961+static vm_operations_struct_no_const qxl_ttm_vm_ops __read_only;
42962 static const struct vm_operations_struct *ttm_vm_ops;
42963
42964 static int qxl_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
42965@@ -145,8 +145,10 @@ int qxl_mmap(struct file *filp, struct vm_area_struct *vma)
42966 return r;
42967 if (unlikely(ttm_vm_ops == NULL)) {
42968 ttm_vm_ops = vma->vm_ops;
42969+ pax_open_kernel();
42970 qxl_ttm_vm_ops = *ttm_vm_ops;
42971 qxl_ttm_vm_ops.fault = &qxl_ttm_fault;
42972+ pax_close_kernel();
42973 }
42974 vma->vm_ops = &qxl_ttm_vm_ops;
42975 return 0;
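Review bot: The block that `pax_open_kernel()` now brackets is entered on an unlocked `ttm_vm_ops == NULL` test, and `ttm_vm_ops` is set before `qxl_ttm_vm_ops` has been filled in. No lock is visible in the hunk, so a second caller of qxl_mmap may skip the block and install `&qxl_ttm_vm_ops` while the first is still copying, and two first callers may both write during the open window. I would serialise the one-time setup with a mutex or perform it at driver init, so the table is written exactly once and then stays read-only; at minimum a comment should state what protects it. radeon_mmap in radeon_ttm.c gets the same pair of added lines. The function starts outside the hunk.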
42976@@ -464,25 +466,23 @@ static int qxl_mm_dump_table(struct seq_file *m, void *data)
42977 static int qxl_ttm_debugfs_init(struct qxl_device *qdev)
42978 {
42979 #if defined(CONFIG_DEBUG_FS)
42980- static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES];
42981- static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32];
42982- unsigned i;
42983+ static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES] = {
42984+ {
42985+ .name = "qxl_mem_mm",
42986+ .show = &qxl_mm_dump_table,
42987+ },
42988+ {
42989+ .name = "qxl_surf_mm",
42990+ .show = &qxl_mm_dump_table,
42991+ }
42992+ };
42993
42994- for (i = 0; i < QXL_DEBUGFS_MEM_TYPES; i++) {
42995- if (i == 0)
42996- sprintf(qxl_mem_types_names[i], "qxl_mem_mm");
42997- else
42998- sprintf(qxl_mem_types_names[i], "qxl_surf_mm");
42999- qxl_mem_types_list[i].name = qxl_mem_types_names[i];
43000- qxl_mem_types_list[i].show = &qxl_mm_dump_table;
43001- qxl_mem_types_list[i].driver_features = 0;
43002- if (i == 0)
43003- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv;
43004- else
43005- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv;
43006+ pax_open_kernel();
43007+ *(void **)&qxl_mem_types_list[0].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv;
43008+ *(void **)&qxl_mem_types_list[1].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv;
43009+ pax_close_kernel();
43010
43011- }
43012- return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i);
43013+ return qxl_debugfs_add_files(qdev, qxl_mem_types_list, QXL_DEBUGFS_MEM_TYPES);
43014 #else
43015 return 0;
43016 #endif
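Review bot: The new initializer spells out exactly two entries and the added writes use indices 0 and 1, while the array size and the count passed to `qxl_debugfs_add_files()` remain `QXL_DEBUGFS_MEM_TYPES`. If that constant is ever raised, the extra entries are zero-filled with a NULL `.name` and `.show` and are still registered. `BUILD_BUG_ON(QXL_DEBUGFS_MEM_TYPES != 2);` next to the table pins the assumption. The `*(void **)&` casts write into a function-static table on every call, so a short comment noting that `.data` tracks the most recently initialised device would also help. The function's closing lines are outside the hunk.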
43017diff --git a/drivers/gpu/drm/r128/r128_cce.c b/drivers/gpu/drm/r128/r128_cce.c
43018index 2c45ac9..5d740f8 100644
43019--- a/drivers/gpu/drm/r128/r128_cce.c
43020+++ b/drivers/gpu/drm/r128/r128_cce.c
43021@@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_device *dev, drm_r128_init_t *init)
43022
43023 /* GH: Simple idle check.
43024 */
43025- atomic_set(&dev_priv->idle_count, 0);
43026+ atomic_set_unchecked(&dev_priv->idle_count, 0);
43027
43028 /* We don't support anything other than bus-mastering ring mode,
43029 * but the ring can be in either AGP or PCI space for the ring
43030diff --git a/drivers/gpu/drm/r128/r128_drv.h b/drivers/gpu/drm/r128/r128_drv.h
43031index 723e5d6..102dbaf 100644
43032--- a/drivers/gpu/drm/r128/r128_drv.h
43033+++ b/drivers/gpu/drm/r128/r128_drv.h
43034@@ -93,14 +93,14 @@ typedef struct drm_r128_private {
43035 int is_pci;
43036 unsigned long cce_buffers_offset;
43037
43038- atomic_t idle_count;
43039+ atomic_unchecked_t idle_count;
43040
43041 int page_flipping;
43042 int current_page;
43043 u32 crtc_offset;
43044 u32 crtc_offset_cntl;
43045
43046- atomic_t vbl_received;
43047+ atomic_unchecked_t vbl_received;
43048
43049 u32 color_fmt;
43050 unsigned int front_offset;
43051diff --git a/drivers/gpu/drm/r128/r128_ioc32.c b/drivers/gpu/drm/r128/r128_ioc32.c
43052index 663f38c..ec159a1 100644
43053--- a/drivers/gpu/drm/r128/r128_ioc32.c
43054+++ b/drivers/gpu/drm/r128/r128_ioc32.c
43055@@ -178,7 +178,7 @@ static int compat_r128_getparam(struct file *file, unsigned int cmd,
43056 return drm_ioctl(file, DRM_IOCTL_R128_GETPARAM, (unsigned long)getparam);
43057 }
43058
43059-drm_ioctl_compat_t *r128_compat_ioctls[] = {
43060+drm_ioctl_compat_t r128_compat_ioctls[] = {
43061 [DRM_R128_INIT] = compat_r128_init,
43062 [DRM_R128_DEPTH] = compat_r128_depth,
43063 [DRM_R128_STIPPLE] = compat_r128_stipple,
43064@@ -197,17 +197,13 @@ drm_ioctl_compat_t *r128_compat_ioctls[] = {
43065 long r128_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
43066 {
43067 unsigned int nr = DRM_IOCTL_NR(cmd);
43068- drm_ioctl_compat_t *fn = NULL;
43069 int ret;
43070
43071 if (nr < DRM_COMMAND_BASE)
43072 return drm_compat_ioctl(filp, cmd, arg);
43073
43074- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(r128_compat_ioctls))
43075- fn = r128_compat_ioctls[nr - DRM_COMMAND_BASE];
43076-
43077- if (fn != NULL)
43078- ret = (*fn) (filp, cmd, arg);
43079+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(r128_compat_ioctls) && r128_compat_ioctls[nr - DRM_COMMAND_BASE])
43080+ ret = (*r128_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
43081 else
43082 ret = drm_ioctl(filp, cmd, arg);
43083
43084diff --git a/drivers/gpu/drm/r128/r128_irq.c b/drivers/gpu/drm/r128/r128_irq.c
43085index c2ae496..30b5993 100644
43086--- a/drivers/gpu/drm/r128/r128_irq.c
43087+++ b/drivers/gpu/drm/r128/r128_irq.c
43088@@ -41,7 +41,7 @@ u32 r128_get_vblank_counter(struct drm_device *dev, int crtc)
43089 if (crtc != 0)
43090 return 0;
43091
43092- return atomic_read(&dev_priv->vbl_received);
43093+ return atomic_read_unchecked(&dev_priv->vbl_received);
43094 }
43095
43096 irqreturn_t r128_driver_irq_handler(int irq, void *arg)
43097@@ -55,7 +55,7 @@ irqreturn_t r128_driver_irq_handler(int irq, void *arg)
43098 /* VBLANK interrupt */
43099 if (status & R128_CRTC_VBLANK_INT) {
43100 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
43101- atomic_inc(&dev_priv->vbl_received);
43102+ atomic_inc_unchecked(&dev_priv->vbl_received);
43103 drm_handle_vblank(dev, 0);
43104 return IRQ_HANDLED;
43105 }
43106diff --git a/drivers/gpu/drm/r128/r128_state.c b/drivers/gpu/drm/r128/r128_state.c
43107index 8fd2d9f..18c9660 100644
43108--- a/drivers/gpu/drm/r128/r128_state.c
43109+++ b/drivers/gpu/drm/r128/r128_state.c
43110@@ -320,10 +320,10 @@ static void r128_clear_box(drm_r128_private_t *dev_priv,
43111
43112 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
43113 {
43114- if (atomic_read(&dev_priv->idle_count) == 0)
43115+ if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
43116 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
43117 else
43118- atomic_set(&dev_priv->idle_count, 0);
43119+ atomic_set_unchecked(&dev_priv->idle_count, 0);
43120 }
43121
43122 #endif
43123diff --git a/drivers/gpu/drm/radeon/mkregtable.c b/drivers/gpu/drm/radeon/mkregtable.c
43124index b928c17..e5d9400 100644
43125--- a/drivers/gpu/drm/radeon/mkregtable.c
43126+++ b/drivers/gpu/drm/radeon/mkregtable.c
43127@@ -624,14 +624,14 @@ static int parser_auth(struct table *t, const char *filename)
43128 regex_t mask_rex;
43129 regmatch_t match[4];
43130 char buf[1024];
43131- size_t end;
43132+ long end;
43133 int len;
43134 int done = 0;
43135 int r;
43136 unsigned o;
43137 struct offset *offset;
43138 char last_reg_s[10];
43139- int last_reg;
43140+ unsigned long last_reg;
43141
43142 if (regcomp
43143 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
43144diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
43145index d8319da..d6e066f 100644
43146--- a/drivers/gpu/drm/radeon/radeon_device.c
43147+++ b/drivers/gpu/drm/radeon/radeon_device.c
43148@@ -1253,7 +1253,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
43149 * locking inversion with the driver load path. And the access here is
43150 * completely racy anyway. So don't bother with locking for now.
43151 */
43152- return dev->open_count == 0;
43153+ return local_read(&dev->open_count) == 0;
43154 }
43155
43156 static const struct vga_switcheroo_client_ops radeon_switcheroo_ops = {
43157diff --git a/drivers/gpu/drm/radeon/radeon_drv.h b/drivers/gpu/drm/radeon/radeon_drv.h
43158index 46bd393..6ae4719 100644
43159--- a/drivers/gpu/drm/radeon/radeon_drv.h
43160+++ b/drivers/gpu/drm/radeon/radeon_drv.h
43161@@ -264,7 +264,7 @@ typedef struct drm_radeon_private {
43162
43163 /* SW interrupt */
43164 wait_queue_head_t swi_queue;
43165- atomic_t swi_emitted;
43166+ atomic_unchecked_t swi_emitted;
43167 int vblank_crtc;
43168 uint32_t irq_enable_reg;
43169 uint32_t r500_disp_irq_reg;
43170diff --git a/drivers/gpu/drm/radeon/radeon_ioc32.c b/drivers/gpu/drm/radeon/radeon_ioc32.c
43171index 0b98ea1..a3c770f 100644
43172--- a/drivers/gpu/drm/radeon/radeon_ioc32.c
43173+++ b/drivers/gpu/drm/radeon/radeon_ioc32.c
43174@@ -358,7 +358,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
43175 request = compat_alloc_user_space(sizeof(*request));
43176 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
43177 || __put_user(req32.param, &request->param)
43178- || __put_user((void __user *)(unsigned long)req32.value,
43179+ || __put_user((unsigned long)req32.value,
43180 &request->value))
43181 return -EFAULT;
43182
43183@@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
43184 #define compat_radeon_cp_setparam NULL
43185 #endif /* X86_64 || IA64 */
43186
43187-static drm_ioctl_compat_t *radeon_compat_ioctls[] = {
43188+static drm_ioctl_compat_t radeon_compat_ioctls[] = {
43189 [DRM_RADEON_CP_INIT] = compat_radeon_cp_init,
43190 [DRM_RADEON_CLEAR] = compat_radeon_cp_clear,
43191 [DRM_RADEON_STIPPLE] = compat_radeon_cp_stipple,
43192@@ -393,17 +393,13 @@ static drm_ioctl_compat_t *radeon_compat_ioctls[] = {
43193 long radeon_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
43194 {
43195 unsigned int nr = DRM_IOCTL_NR(cmd);
43196- drm_ioctl_compat_t *fn = NULL;
43197 int ret;
43198
43199 if (nr < DRM_COMMAND_BASE)
43200 return drm_compat_ioctl(filp, cmd, arg);
43201
43202- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(radeon_compat_ioctls))
43203- fn = radeon_compat_ioctls[nr - DRM_COMMAND_BASE];
43204-
43205- if (fn != NULL)
43206- ret = (*fn) (filp, cmd, arg);
43207+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(radeon_compat_ioctls) && radeon_compat_ioctls[nr - DRM_COMMAND_BASE])
43208+ ret = (*radeon_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
43209 else
43210 ret = drm_ioctl(filp, cmd, arg);
43211
43212diff --git a/drivers/gpu/drm/radeon/radeon_irq.c b/drivers/gpu/drm/radeon/radeon_irq.c
43213index 244b19b..c19226d 100644
43214--- a/drivers/gpu/drm/radeon/radeon_irq.c
43215+++ b/drivers/gpu/drm/radeon/radeon_irq.c
43216@@ -226,8 +226,8 @@ static int radeon_emit_irq(struct drm_device * dev)
43217 unsigned int ret;
43218 RING_LOCALS;
43219
43220- atomic_inc(&dev_priv->swi_emitted);
43221- ret = atomic_read(&dev_priv->swi_emitted);
43222+ atomic_inc_unchecked(&dev_priv->swi_emitted);
43223+ ret = atomic_read_unchecked(&dev_priv->swi_emitted);
43224
43225 BEGIN_RING(4);
43226 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
43227@@ -353,7 +353,7 @@ int radeon_driver_irq_postinstall(struct drm_device *dev)
43228 drm_radeon_private_t *dev_priv =
43229 (drm_radeon_private_t *) dev->dev_private;
43230
43231- atomic_set(&dev_priv->swi_emitted, 0);
43232+ atomic_set_unchecked(&dev_priv->swi_emitted, 0);
43233 init_waitqueue_head(&dev_priv->swi_queue);
43234
43235 dev->max_vblank_count = 0x001fffff;
43236diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
43237index 15aee72..cda326e 100644
43238--- a/drivers/gpu/drm/radeon/radeon_state.c
43239+++ b/drivers/gpu/drm/radeon/radeon_state.c
43240@@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_device *dev, void *data, struct drm_file *
43241 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
43242 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
43243
43244- if (copy_from_user(&depth_boxes, clear->depth_boxes,
43245+ if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || copy_from_user(&depth_boxes, clear->depth_boxes,
43246 sarea_priv->nbox * sizeof(depth_boxes[0])))
43247 return -EFAULT;
43248
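Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test reads the field again, and the `copy_from_user()` length on the next line reads it once more, so the value that is checked is not necessarily the value that sizes the copy into `depth_boxes`. If `sarea_priv` points at memory user space can write (its origin is outside the hunk), the check narrows the window without closing it. I would take one snapshot into a local, `nbox = ACCESS_ONCE(sarea_priv->nbox);`, and clamp it with `if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;`. The copy length then becomes `nbox * sizeof(depth_boxes[0])`. radeon_cp_clear starts and ends outside the hunk.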
43249@@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm_device *dev, void *data, struct drm_fil
43250 {
43251 drm_radeon_private_t *dev_priv = dev->dev_private;
43252 drm_radeon_getparam_t *param = data;
43253- int value;
43254+ int value = 0;
43255
43256 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
43257
43258diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
43259index 06ac59fe..57e0681 100644
43260--- a/drivers/gpu/drm/radeon/radeon_ttm.c
43261+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
43262@@ -961,7 +961,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size)
43263 man->size = size >> PAGE_SHIFT;
43264 }
43265
43266-static struct vm_operations_struct radeon_ttm_vm_ops;
43267+static vm_operations_struct_no_const radeon_ttm_vm_ops __read_only;
43268 static const struct vm_operations_struct *ttm_vm_ops = NULL;
43269
43270 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
43271@@ -1002,8 +1002,10 @@ int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
43272 }
43273 if (unlikely(ttm_vm_ops == NULL)) {
43274 ttm_vm_ops = vma->vm_ops;
43275+ pax_open_kernel();
43276 radeon_ttm_vm_ops = *ttm_vm_ops;
43277 radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
43278+ pax_close_kernel();
43279 }
43280 vma->vm_ops = &radeon_ttm_vm_ops;
43281 return 0;
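Review bot: Nothing in the visible lines of radeon_mmap serializes the `ttm_vm_ops == NULL` test with the stores between pax_open_kernel() and pax_close_kernel(), so two first-time callers could both enter the write window for the `__read_only` radeon_ttm_vm_ops. The stores look idempotent, which would make the overlap benign, but that reasoning is nowhere written down. A comment above the block would record it, for example `/* lazy one-time init; racing callers store identical values */`. Any locking taken earlier in radeon_mmap is outside the hunk.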
43282diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
43283index a287e4f..df1d5dd 100644
43284--- a/drivers/gpu/drm/tegra/dc.c
43285+++ b/drivers/gpu/drm/tegra/dc.c
43286@@ -1594,7 +1594,7 @@ static int tegra_dc_debugfs_init(struct tegra_dc *dc, struct drm_minor *minor)
43287 }
43288
43289 for (i = 0; i < ARRAY_SIZE(debugfs_files); i++)
43290- dc->debugfs_files[i].data = dc;
43291+ *(void **)&dc->debugfs_files[i].data = dc;
43292
43293 err = drm_debugfs_create_files(dc->debugfs_files,
43294 ARRAY_SIZE(debugfs_files),
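Review bot: The store to `debugfs_files[i].data` is handled three different ways across the tegra hunks of this patch. Here in tegra_dc_debugfs_init it goes through a `*(void **)&` cast with no write window, in tegra_sor_debugfs_init the same cast is wrapped in pax_open_kernel()/pax_close_kernel() on every loop iteration, and dsi.c and hdmi.c instead retype the member to `drm_info_list_no_const *`. If the array is an ordinary writable copy, the open/close pair in sor.c is unnecessary; if it is not, the store here would need one too. Where the array is allocated is outside these hunks. Retyping `dc->debugfs_files` and `sor->debugfs_files` as in dsi.c and hdmi.c would presumably let all four files keep the plain `dc->debugfs_files[i].data = dc;` form.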
43295diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
43296index ed970f6..4eeea42 100644
43297--- a/drivers/gpu/drm/tegra/dsi.c
43298+++ b/drivers/gpu/drm/tegra/dsi.c
43299@@ -62,7 +62,7 @@ struct tegra_dsi {
43300 struct clk *clk_lp;
43301 struct clk *clk;
43302
43303- struct drm_info_list *debugfs_files;
43304+ drm_info_list_no_const *debugfs_files;
43305 struct drm_minor *minor;
43306 struct dentry *debugfs;
43307
43308diff --git a/drivers/gpu/drm/tegra/hdmi.c b/drivers/gpu/drm/tegra/hdmi.c
43309index 06ab178..b5324e4 100644
43310--- a/drivers/gpu/drm/tegra/hdmi.c
43311+++ b/drivers/gpu/drm/tegra/hdmi.c
43312@@ -64,7 +64,7 @@ struct tegra_hdmi {
43313 bool stereo;
43314 bool dvi;
43315
43316- struct drm_info_list *debugfs_files;
43317+ drm_info_list_no_const *debugfs_files;
43318 struct drm_minor *minor;
43319 struct dentry *debugfs;
43320 };
43321diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c
43322index 7591d89..463e2b6 100644
43323--- a/drivers/gpu/drm/tegra/sor.c
43324+++ b/drivers/gpu/drm/tegra/sor.c
43325@@ -826,8 +826,11 @@ static int tegra_sor_debugfs_init(struct tegra_sor *sor,
43326 goto remove;
43327 }
43328
43329- for (i = 0; i < ARRAY_SIZE(debugfs_files); i++)
43330- sor->debugfs_files[i].data = sor;
43331+ for (i = 0; i < ARRAY_SIZE(debugfs_files); i++) {
43332+ pax_open_kernel();
43333+ *(void **)&sor->debugfs_files[i].data = sor;
43334+ pax_close_kernel();
43335+ }
43336
43337 err = drm_debugfs_create_files(sor->debugfs_files,
43338 ARRAY_SIZE(debugfs_files),
43339diff --git a/drivers/gpu/drm/tilcdc/Makefile b/drivers/gpu/drm/tilcdc/Makefile
43340index deeca48..54e1b6c 100644
43341--- a/drivers/gpu/drm/tilcdc/Makefile
43342+++ b/drivers/gpu/drm/tilcdc/Makefile
43343@@ -1,7 +1,7 @@
43344 ccflags-y := -Iinclude/drm
43345-ifeq (, $(findstring -W,$(EXTRA_CFLAGS)))
43346- ccflags-y += -Werror
43347-endif
43348+#ifeq (, $(findstring -W,$(EXTRA_CFLAGS)))
43349+# ccflags-y += -Werror
43350+#endif
43351
43352 obj-$(CONFIG_DRM_TILCDC_SLAVE_COMPAT) += tilcdc_slave_compat.o \
43353 tilcdc_slave_compat.dtb.o
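Review bot: The three lines that enabled -Werror are left in the Makefile as comments with no explanation, so a later reader cannot tell whether the block is safe to restore or why it was turned off. Either delete the lines outright or put the reason directly above them, for example `# -Werror disabled: <reason the build cannot tolerate it here>`.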
43354diff --git a/drivers/gpu/drm/ttm/ttm_bo_manager.c b/drivers/gpu/drm/ttm/ttm_bo_manager.c
43355index aa0bd054..aea6a01 100644
43356--- a/drivers/gpu/drm/ttm/ttm_bo_manager.c
43357+++ b/drivers/gpu/drm/ttm/ttm_bo_manager.c
43358@@ -148,10 +148,10 @@ static void ttm_bo_man_debug(struct ttm_mem_type_manager *man,
43359 }
43360
43361 const struct ttm_mem_type_manager_func ttm_bo_manager_func = {
43362- ttm_bo_man_init,
43363- ttm_bo_man_takedown,
43364- ttm_bo_man_get_node,
43365- ttm_bo_man_put_node,
43366- ttm_bo_man_debug
43367+ .init = ttm_bo_man_init,
43368+ .takedown = ttm_bo_man_takedown,
43369+ .get_node = ttm_bo_man_get_node,
43370+ .put_node = ttm_bo_man_put_node,
43371+ .debug = ttm_bo_man_debug
43372 };
43373 EXPORT_SYMBOL(ttm_bo_manager_func);
43374diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
43375index a1803fb..c53f6b0 100644
43376--- a/drivers/gpu/drm/ttm/ttm_memory.c
43377+++ b/drivers/gpu/drm/ttm/ttm_memory.c
43378@@ -264,7 +264,7 @@ static int ttm_mem_init_kernel_zone(struct ttm_mem_global *glob,
43379 zone->glob = glob;
43380 glob->zone_kernel = zone;
43381 ret = kobject_init_and_add(
43382- &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name);
43383+ &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name);
43384 if (unlikely(ret != 0)) {
43385 kobject_put(&zone->kobj);
43386 return ret;
43387@@ -348,7 +348,7 @@ static int ttm_mem_init_dma32_zone(struct ttm_mem_global *glob,
43388 zone->glob = glob;
43389 glob->zone_dma32 = zone;
43390 ret = kobject_init_and_add(
43391- &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name);
43392+ &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name);
43393 if (unlikely(ret != 0)) {
43394 kobject_put(&zone->kobj);
43395 return ret;
43396diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
43397index 025c429..314062f 100644
43398--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
43399+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
43400@@ -54,7 +54,7 @@
43401
43402 #define NUM_PAGES_TO_ALLOC (PAGE_SIZE/sizeof(struct page *))
43403 #define SMALL_ALLOCATION 16
43404-#define FREE_ALL_PAGES (~0U)
43405+#define FREE_ALL_PAGES (~0UL)
43406 /* times are in msecs */
43407 #define PAGE_FREE_INTERVAL 1000
43408
43409@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
43410 * @free_all: If set to true will free all pages in pool
43411 * @use_static: Safe to use static buffer
43412 **/
43413-static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free,
43414+static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free,
43415 bool use_static)
43416 {
43417 static struct page *static_buf[NUM_PAGES_TO_ALLOC];
43418 unsigned long irq_flags;
43419 struct page *p;
43420 struct page **pages_to_free;
43421- unsigned freed_pages = 0,
43422- npages_to_free = nr_free;
43423+ unsigned long freed_pages = 0, npages_to_free = nr_free;
43424
43425 if (NUM_PAGES_TO_ALLOC < nr_free)
43426 npages_to_free = NUM_PAGES_TO_ALLOC;
43427@@ -371,7 +370,8 @@ restart:
43428 __list_del(&p->lru, &pool->list);
43429
43430 ttm_pool_update_free_locked(pool, freed_pages);
43431- nr_free -= freed_pages;
43432+ if (likely(nr_free != FREE_ALL_PAGES))
43433+ nr_free -= freed_pages;
43434 }
43435
43436 spin_unlock_irqrestore(&pool->lock, irq_flags);
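Review bot: The new `nr_free != FREE_ALL_PAGES` guard in ttm_page_pool_free has no comment saying that FREE_ALL_PAGES is a sentinel rather than a page count, which is the only reason the subtraction has to be skipped. A line above the `if` such as `/* FREE_ALL_PAGES is a sentinel, not a count: leave it unchanged */` would make that explicit. The identical guard added to ttm_dma_page_pool_free in ttm_page_alloc_dma.c needs the same comment. How nr_free is used after the `restart:` label is outside the hunk.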
43437@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43438 unsigned i;
43439 unsigned pool_offset;
43440 struct ttm_page_pool *pool;
43441- int shrink_pages = sc->nr_to_scan;
43442+ unsigned long shrink_pages = sc->nr_to_scan;
43443 unsigned long freed = 0;
43444
43445 if (!mutex_trylock(&lock))
43446@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43447 pool_offset = ++start_pool % NUM_POOLS;
43448 /* select start pool in round robin fashion */
43449 for (i = 0; i < NUM_POOLS; ++i) {
43450- unsigned nr_free = shrink_pages;
43451+ unsigned long nr_free = shrink_pages;
43452 if (shrink_pages == 0)
43453 break;
43454 pool = &_manager->pools[(i + pool_offset)%NUM_POOLS];
43455@@ -673,7 +673,7 @@ out:
43456 }
43457
43458 /* Put all pages in pages list to correct pool to wait for reuse */
43459-static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
43460+static void ttm_put_pages(struct page **pages, unsigned long npages, int flags,
43461 enum ttm_caching_state cstate)
43462 {
43463 unsigned long irq_flags;
43464@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
43465 struct list_head plist;
43466 struct page *p = NULL;
43467 gfp_t gfp_flags = GFP_USER;
43468- unsigned count;
43469+ unsigned long count;
43470 int r;
43471
43472 /* set zero flag for page allocation if required */
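Review bot: In ttm_get_pages only the local `count` is widened to `unsigned long`, while the `npages` parameter shown in the hunk header stays `unsigned`. The previous hunk changes ttm_put_pages to take `unsigned long npages`, so the two sibling functions now disagree on the width of the same quantity. For consistency the signature could become `static int ttm_get_pages(struct page **pages, unsigned long npages, int flags,`. The signature is visible only in the hunk header and its callers are not shown, so they would need checking first.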
43473diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43474index 624d941..106fa1f 100644
43475--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43476+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43477@@ -56,7 +56,7 @@
43478
43479 #define NUM_PAGES_TO_ALLOC (PAGE_SIZE/sizeof(struct page *))
43480 #define SMALL_ALLOCATION 4
43481-#define FREE_ALL_PAGES (~0U)
43482+#define FREE_ALL_PAGES (~0UL)
43483 /* times are in msecs */
43484 #define IS_UNDEFINED (0)
43485 #define IS_WC (1<<1)
43486@@ -416,7 +416,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
43487 * @nr_free: If set to true will free all pages in pool
43488 * @use_static: Safe to use static buffer
43489 **/
43490-static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
43491+static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free,
43492 bool use_static)
43493 {
43494 static struct page *static_buf[NUM_PAGES_TO_ALLOC];
43495@@ -424,8 +424,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
43496 struct dma_page *dma_p, *tmp;
43497 struct page **pages_to_free;
43498 struct list_head d_pages;
43499- unsigned freed_pages = 0,
43500- npages_to_free = nr_free;
43501+ unsigned long freed_pages = 0, npages_to_free = nr_free;
43502
43503 if (NUM_PAGES_TO_ALLOC < nr_free)
43504 npages_to_free = NUM_PAGES_TO_ALLOC;
43505@@ -502,7 +501,8 @@ restart:
43506 /* remove range of pages from the pool */
43507 if (freed_pages) {
43508 ttm_pool_update_free_locked(pool, freed_pages);
43509- nr_free -= freed_pages;
43510+ if (likely(nr_free != FREE_ALL_PAGES))
43511+ nr_free -= freed_pages;
43512 }
43513
43514 spin_unlock_irqrestore(&pool->lock, irq_flags);
43515@@ -939,7 +939,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
43516 struct dma_page *d_page, *next;
43517 enum pool_type type;
43518 bool is_cached = false;
43519- unsigned count = 0, i, npages = 0;
43520+ unsigned long count = 0, i, npages = 0;
43521 unsigned long irq_flags;
43522
43523 type = ttm_to_type(ttm->page_flags, ttm->caching_state);
43524@@ -1014,7 +1014,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43525 static unsigned start_pool;
43526 unsigned idx = 0;
43527 unsigned pool_offset;
43528- unsigned shrink_pages = sc->nr_to_scan;
43529+ unsigned long shrink_pages = sc->nr_to_scan;
43530 struct device_pools *p;
43531 unsigned long freed = 0;
43532
43533@@ -1027,7 +1027,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43534 goto out;
43535 pool_offset = ++start_pool % _manager->npools;
43536 list_for_each_entry(p, &_manager->pools, pools) {
43537- unsigned nr_free;
43538+ unsigned long nr_free;
43539
43540 if (!p->dev)
43541 continue;
43542@@ -1041,7 +1041,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43543 shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true);
43544 freed += nr_free - shrink_pages;
43545
43546- pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n",
43547+ pr_debug("%s: (%s:%d) Asked to shrink %lu, have %lu more to go\n",
43548 p->pool->dev_name, p->pool->name, current->pid,
43549 nr_free, shrink_pages);
43550 }
43551diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
43552index 5fc16ce..1bd84ec 100644
43553--- a/drivers/gpu/drm/udl/udl_fb.c
43554+++ b/drivers/gpu/drm/udl/udl_fb.c
43555@@ -367,7 +367,6 @@ static int udl_fb_release(struct fb_info *info, int user)
43556 fb_deferred_io_cleanup(info);
43557 kfree(info->fbdefio);
43558 info->fbdefio = NULL;
43559- info->fbops->fb_mmap = udl_fb_mmap;
43560 }
43561
43562 pr_warn("released /dev/fb%d user=%d count=%d\n",
43563diff --git a/drivers/gpu/drm/via/via_drv.h b/drivers/gpu/drm/via/via_drv.h
43564index ef8c500..01030c8 100644
43565--- a/drivers/gpu/drm/via/via_drv.h
43566+++ b/drivers/gpu/drm/via/via_drv.h
43567@@ -53,7 +53,7 @@ typedef struct drm_via_ring_buffer {
43568 typedef uint32_t maskarray_t[5];
43569
43570 typedef struct drm_via_irq {
43571- atomic_t irq_received;
43572+ atomic_unchecked_t irq_received;
43573 uint32_t pending_mask;
43574 uint32_t enable_mask;
43575 wait_queue_head_t irq_queue;
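Review bot: The change of `irq_received` to `atomic_unchecked_t` carries no comment recording why this counter is exempt from overflow checking, so the exemption cannot be told apart from an oversight. via_driver_irq_wait in via_irq.c compares it as `(cur_irq_sequence - *sequence) <= (1 << 23)`, which is written to tolerate wraparound. A field comment such as `/* sequence number, wraps by design */` would capture that. `vbl_received` in the next hunk looks like the same kind of free-running counter and could take the same comment once that is confirmed.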
43576@@ -77,7 +77,7 @@ typedef struct drm_via_private {
43577 struct timeval last_vblank;
43578 int last_vblank_valid;
43579 unsigned usec_per_vblank;
43580- atomic_t vbl_received;
43581+ atomic_unchecked_t vbl_received;
43582 drm_via_state_t hc_state;
43583 char pci_buf[VIA_PCI_BUF_SIZE];
43584 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
43585diff --git a/drivers/gpu/drm/via/via_irq.c b/drivers/gpu/drm/via/via_irq.c
43586index 1319433..a993b0c 100644
43587--- a/drivers/gpu/drm/via/via_irq.c
43588+++ b/drivers/gpu/drm/via/via_irq.c
43589@@ -101,7 +101,7 @@ u32 via_get_vblank_counter(struct drm_device *dev, int crtc)
43590 if (crtc != 0)
43591 return 0;
43592
43593- return atomic_read(&dev_priv->vbl_received);
43594+ return atomic_read_unchecked(&dev_priv->vbl_received);
43595 }
43596
43597 irqreturn_t via_driver_irq_handler(int irq, void *arg)
43598@@ -116,8 +116,8 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
43599
43600 status = VIA_READ(VIA_REG_INTERRUPT);
43601 if (status & VIA_IRQ_VBLANK_PENDING) {
43602- atomic_inc(&dev_priv->vbl_received);
43603- if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
43604+ atomic_inc_unchecked(&dev_priv->vbl_received);
43605+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
43606 do_gettimeofday(&cur_vblank);
43607 if (dev_priv->last_vblank_valid) {
43608 dev_priv->usec_per_vblank =
43609@@ -127,7 +127,7 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
43610 dev_priv->last_vblank = cur_vblank;
43611 dev_priv->last_vblank_valid = 1;
43612 }
43613- if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
43614+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
43615 DRM_DEBUG("US per vblank is: %u\n",
43616 dev_priv->usec_per_vblank);
43617 }
43618@@ -137,7 +137,7 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
43619
43620 for (i = 0; i < dev_priv->num_irqs; ++i) {
43621 if (status & cur_irq->pending_mask) {
43622- atomic_inc(&cur_irq->irq_received);
43623+ atomic_inc_unchecked(&cur_irq->irq_received);
43624 wake_up(&cur_irq->irq_queue);
43625 handled = 1;
43626 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
43627@@ -242,11 +242,11 @@ via_driver_irq_wait(struct drm_device *dev, unsigned int irq, int force_sequence
43628 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * HZ,
43629 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
43630 masks[irq][4]));
43631- cur_irq_sequence = atomic_read(&cur_irq->irq_received);
43632+ cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
43633 } else {
43634 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * HZ,
43635 (((cur_irq_sequence =
43636- atomic_read(&cur_irq->irq_received)) -
43637+ atomic_read_unchecked(&cur_irq->irq_received)) -
43638 *sequence) <= (1 << 23)));
43639 }
43640 *sequence = cur_irq_sequence;
43641@@ -284,7 +284,7 @@ void via_driver_irq_preinstall(struct drm_device *dev)
43642 }
43643
43644 for (i = 0; i < dev_priv->num_irqs; ++i) {
43645- atomic_set(&cur_irq->irq_received, 0);
43646+ atomic_set_unchecked(&cur_irq->irq_received, 0);
43647 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
43648 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
43649 init_waitqueue_head(&cur_irq->irq_queue);
43650@@ -366,7 +366,7 @@ int via_wait_irq(struct drm_device *dev, void *data, struct drm_file *file_priv)
43651 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
43652 case VIA_IRQ_RELATIVE:
43653 irqwait->request.sequence +=
43654- atomic_read(&cur_irq->irq_received);
43655+ atomic_read_unchecked(&cur_irq->irq_received);
43656 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
43657 case VIA_IRQ_ABSOLUTE:
43658 break;
43659diff --git a/drivers/gpu/drm/virtio/virtgpu_debugfs.c b/drivers/gpu/drm/virtio/virtgpu_debugfs.c
43660index db8b491..d87b27c 100644
43661--- a/drivers/gpu/drm/virtio/virtgpu_debugfs.c
43662+++ b/drivers/gpu/drm/virtio/virtgpu_debugfs.c
43663@@ -34,7 +34,7 @@ virtio_gpu_debugfs_irq_info(struct seq_file *m, void *data)
43664 struct drm_info_node *node = (struct drm_info_node *) m->private;
43665 struct virtio_gpu_device *vgdev = node->minor->dev->dev_private;
43666
43667- seq_printf(m, "fence %ld %lld\n",
43668+ seq_printf(m, "fence %lld %lld\n",
43669 atomic64_read(&vgdev->fence_drv.last_seq),
43670 vgdev->fence_drv.sync_seq);
43671 return 0;
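Review bot: `last_seq` is now printed with `%lld` in virtio_gpu_debugfs_irq_info, but the virtgpu_fence.c hunk of this patch prints the same `atomic64_read(&...last_seq)` value with `%llu`, so the two call sites disagree on signedness. Both also rely on the return type of atomic64_read(), which is not visible here and differs between kernel configurations. An explicit cast removes that dependency, for example `(unsigned long long)atomic64_read(&vgdev->fence_drv.last_seq)` with `%llu` in both places. The type of `sync_seq` is outside the hunk; if it is an unsigned 64-bit value its specifier should be `%llu` as well.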
43672diff --git a/drivers/gpu/drm/virtio/virtgpu_fence.c b/drivers/gpu/drm/virtio/virtgpu_fence.c
43673index 1da6326..98dd385 100644
43674--- a/drivers/gpu/drm/virtio/virtgpu_fence.c
43675+++ b/drivers/gpu/drm/virtio/virtgpu_fence.c
43676@@ -61,7 +61,7 @@ static void virtio_timeline_value_str(struct fence *f, char *str, int size)
43677 {
43678 struct virtio_gpu_fence *fence = to_virtio_fence(f);
43679
43680- snprintf(str, size, "%lu", atomic64_read(&fence->drv->last_seq));
43681+ snprintf(str, size, "%llu", atomic64_read(&fence->drv->last_seq));
43682 }
43683
43684 static const struct fence_ops virtio_fence_ops = {
43685diff --git a/drivers/gpu/drm/virtio/virtgpu_ttm.c b/drivers/gpu/drm/virtio/virtgpu_ttm.c
43686index b092d7b..3bbecd9 100644
43687--- a/drivers/gpu/drm/virtio/virtgpu_ttm.c
43688+++ b/drivers/gpu/drm/virtio/virtgpu_ttm.c
43689@@ -197,11 +197,11 @@ static void ttm_bo_man_debug(struct ttm_mem_type_manager *man,
43690 }
43691
43692 static const struct ttm_mem_type_manager_func virtio_gpu_bo_manager_func = {
43693- ttm_bo_man_init,
43694- ttm_bo_man_takedown,
43695- ttm_bo_man_get_node,
43696- ttm_bo_man_put_node,
43697- ttm_bo_man_debug
43698+ .init = &ttm_bo_man_init,
43699+ .takedown = &ttm_bo_man_takedown,
43700+ .get_node = &ttm_bo_man_get_node,
43701+ .put_node = &ttm_bo_man_put_node,
43702+ .debug = &ttm_bo_man_debug
43703 };
43704
43705 static int virtio_gpu_init_mem_type(struct ttm_bo_device *bdev, uint32_t type,
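Review bot: The designated initializers for virtio_gpu_bo_manager_func take the functions' addresses with `&` (`.init = &ttm_bo_man_init`). The same conversion in ttm_bo_manager.c and vmwgfx_gmrid_manager.c in this patch uses the bare function name. The two forms are equivalent, so writing `.init = ttm_bo_man_init,` and likewise for the other four members would keep the three tables uniform.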
43706diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
43707index d26a6da..5fa41ed 100644
43708--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
43709+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
43710@@ -447,7 +447,7 @@ struct vmw_private {
43711 * Fencing and IRQs.
43712 */
43713
43714- atomic_t marker_seq;
43715+ atomic_unchecked_t marker_seq;
43716 wait_queue_head_t fence_queue;
43717 wait_queue_head_t fifo_queue;
43718 spinlock_t waiter_lock;
43719diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
43720index 39f2b03..d1b0a64 100644
43721--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
43722+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
43723@@ -152,7 +152,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo)
43724 (unsigned int) min,
43725 (unsigned int) fifo->capabilities);
43726
43727- atomic_set(&dev_priv->marker_seq, dev_priv->last_read_seqno);
43728+ atomic_set_unchecked(&dev_priv->marker_seq, dev_priv->last_read_seqno);
43729 iowrite32(dev_priv->last_read_seqno, fifo_mem + SVGA_FIFO_FENCE);
43730 vmw_marker_queue_init(&fifo->marker_queue);
43731 return vmw_fifo_send_fence(dev_priv, &dummy);
43732@@ -372,7 +372,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes)
43733 if (reserveable)
43734 iowrite32(bytes, fifo_mem +
43735 SVGA_FIFO_RESERVED);
43736- return fifo_mem + (next_cmd >> 2);
43737+ return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
43738 } else {
43739 need_bounce = true;
43740 }
43741@@ -492,7 +492,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
43742
43743 fm = vmw_fifo_reserve(dev_priv, bytes);
43744 if (unlikely(fm == NULL)) {
43745- *seqno = atomic_read(&dev_priv->marker_seq);
43746+ *seqno = atomic_read_unchecked(&dev_priv->marker_seq);
43747 ret = -ENOMEM;
43748 (void)vmw_fallback_wait(dev_priv, false, true, *seqno,
43749 false, 3*HZ);
43750@@ -500,7 +500,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
43751 }
43752
43753 do {
43754- *seqno = atomic_add_return(1, &dev_priv->marker_seq);
43755+ *seqno = atomic_add_return_unchecked(1, &dev_priv->marker_seq);
43756 } while (*seqno == 0);
43757
43758 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
43759diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
43760index 170b61b..fec7348 100644
43761--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
43762+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
43763@@ -164,9 +164,9 @@ static void vmw_gmrid_man_debug(struct ttm_mem_type_manager *man,
43764 }
43765
43766 const struct ttm_mem_type_manager_func vmw_gmrid_manager_func = {
43767- vmw_gmrid_man_init,
43768- vmw_gmrid_man_takedown,
43769- vmw_gmrid_man_get_node,
43770- vmw_gmrid_man_put_node,
43771- vmw_gmrid_man_debug
43772+ .init = vmw_gmrid_man_init,
43773+ .takedown = vmw_gmrid_man_takedown,
43774+ .get_node = vmw_gmrid_man_get_node,
43775+ .put_node = vmw_gmrid_man_put_node,
43776+ .debug = vmw_gmrid_man_debug
43777 };
43778diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
43779index 69c8ce2..cacb0ab 100644
43780--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
43781+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
43782@@ -235,7 +235,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data,
43783 int ret;
43784
43785 num_clips = arg->num_clips;
43786- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
43787+ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
43788
43789 if (unlikely(num_clips == 0))
43790 return 0;
43791@@ -318,7 +318,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data,
43792 int ret;
43793
43794 num_clips = arg->num_clips;
43795- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
43796+ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
43797
43798 if (unlikely(num_clips == 0))
43799 return 0;
43800diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
43801index 9fe9827..0aa2fc0 100644
43802--- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
43803+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
43804@@ -102,7 +102,7 @@ bool vmw_seqno_passed(struct vmw_private *dev_priv,
43805 * emitted. Then the fence is stale and signaled.
43806 */
43807
43808- ret = ((atomic_read(&dev_priv->marker_seq) - seqno)
43809+ ret = ((atomic_read_unchecked(&dev_priv->marker_seq) - seqno)
43810 > VMW_FENCE_WRAP);
43811
43812 return ret;
43813@@ -133,7 +133,7 @@ int vmw_fallback_wait(struct vmw_private *dev_priv,
43814
43815 if (fifo_idle)
43816 down_read(&fifo_state->rwsem);
43817- signal_seq = atomic_read(&dev_priv->marker_seq);
43818+ signal_seq = atomic_read_unchecked(&dev_priv->marker_seq);
43819 ret = 0;
43820
43821 for (;;) {
43822diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
43823index efd1ffd..0ae13ca 100644
43824--- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
43825+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
43826@@ -135,7 +135,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv,
43827 while (!vmw_lag_lt(queue, us)) {
43828 spin_lock(&queue->lock);
43829 if (list_empty(&queue->head))
43830- seqno = atomic_read(&dev_priv->marker_seq);
43831+ seqno = atomic_read_unchecked(&dev_priv->marker_seq);
43832 else {
43833 marker = list_first_entry(&queue->head,
43834 struct vmw_marker, head);
43835diff --git a/drivers/gpu/vga/vga_switcheroo.c b/drivers/gpu/vga/vga_switcheroo.c
43836index 37ac7b5..d52a5c9 100644
43837--- a/drivers/gpu/vga/vga_switcheroo.c
43838+++ b/drivers/gpu/vga/vga_switcheroo.c
43839@@ -644,7 +644,7 @@ static int vga_switcheroo_runtime_resume(struct device *dev)
43840
43841 /* this version is for the case where the power switch is separate
43842 to the device being powered down. */
43843-int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain)
43844+int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain)
43845 {
43846 /* copy over all the bus versions */
43847 if (dev->bus && dev->bus->pm) {
43848@@ -695,7 +695,7 @@ static int vga_switcheroo_runtime_resume_hdmi_audio(struct device *dev)
43849 return ret;
43850 }
43851
43852-int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain)
43853+int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain)
43854 {
43855 /* copy over all the bus versions */
43856 if (dev->bus && dev->bus->pm) {
43857diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
43858index e6fce23..85949a0 100644
43859--- a/drivers/hid/hid-core.c
43860+++ b/drivers/hid/hid-core.c
43861@@ -2550,7 +2550,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
43862
43863 int hid_add_device(struct hid_device *hdev)
43864 {
43865- static atomic_t id = ATOMIC_INIT(0);
43866+ static atomic_unchecked_t id = ATOMIC_INIT(0);
43867 int ret;
43868
43869 if (WARN_ON(hdev->status & HID_STAT_ADDED))
43870@@ -2593,7 +2593,7 @@ int hid_add_device(struct hid_device *hdev)
43871 /* XXX hack, any other cleaner solution after the driver core
43872 * is converted to allow more than 20 bytes as the device name? */
43873 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
43874- hdev->vendor, hdev->product, atomic_inc_return(&id));
43875+ hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
43876
43877 hid_debug_register(hdev, dev_name(&hdev->dev));
43878 ret = device_add(&hdev->dev);
43879diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
43880index 5614fee..8a6f5f6 100644
43881--- a/drivers/hid/hid-sensor-custom.c
43882+++ b/drivers/hid/hid-sensor-custom.c
43883@@ -590,7 +590,7 @@ static int hid_sensor_custom_add_attributes(struct hid_sensor_custom
43884 j = 0;
43885 while (j < HID_CUSTOM_TOTAL_ATTRS &&
43886 hid_custom_attrs[j].name) {
43887- struct device_attribute *device_attr;
43888+ device_attribute_no_const *device_attr;
43889
43890 device_attr = &sensor_inst->fields[i].sd_attrs[j];
43891
43892diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
43893index c13fb5b..55a3802 100644
43894--- a/drivers/hid/hid-wiimote-debug.c
43895+++ b/drivers/hid/hid-wiimote-debug.c
43896@@ -66,7 +66,7 @@ static ssize_t wiidebug_eeprom_read(struct file *f, char __user *u, size_t s,
43897 else if (size == 0)
43898 return -EIO;
43899
43900- if (copy_to_user(u, buf, size))
43901+ if (size > sizeof(buf) || copy_to_user(u, buf, size))
43902 return -EFAULT;
43903
43904 *off += size;
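Review bot: An oversized `size` in wiidebug_eeprom_read is reported as -EFAULT by the changed line, the same code as a failed copy to the user pointer, so callers and logs cannot tell a bad length apart from a bad address. A separate test before the copy keeps them distinct: `if (size > sizeof(buf)) return -EIO;`, matching the -EIO already returned for `size == 0` just above. Where `size` comes from and how `buf` is filled are outside the hunk. If the data is written into `buf` using the same length, the bound also has to be enforced at that point, not only before copy_to_user.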
43905diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
43906index 603ce97..7f27468 100644
43907--- a/drivers/hv/channel.c
43908+++ b/drivers/hv/channel.c
43909@@ -382,7 +382,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
43910 int ret = 0;
43911
43912 next_gpadl_handle =
43913- (atomic_inc_return(&vmbus_connection.next_gpadl_handle) - 1);
43914+ (atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1);
43915
43916 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
43917 if (ret)
43918diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
43919index d3943bc..597fd1e 100644
43920--- a/drivers/hv/hv.c
43921+++ b/drivers/hv/hv.c
43922@@ -118,7 +118,7 @@ static u64 do_hypercall(u64 control, void *input, void *output)
43923 u64 output_address = (output) ? virt_to_phys(output) : 0;
43924 u32 output_address_hi = output_address >> 32;
43925 u32 output_address_lo = output_address & 0xFFFFFFFF;
43926- void *hypercall_page = hv_context.hypercall_page;
43927+ void *hypercall_page = (void *)ktva_ktla((unsigned long)hv_context.hypercall_page);
43928
43929 __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
43930 "=a"(hv_status_lo) : "d" (control_hi),
43931@@ -164,7 +164,7 @@ int hv_init(void)
43932 /* See if the hypercall page is already set */
43933 rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
43934
43935- virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC);
43936+ virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_RX);
43937
43938 if (!virtaddr)
43939 goto cleanup;
43940diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
43941index 8a725cd..91abaf0 100644
43942--- a/drivers/hv/hv_balloon.c
43943+++ b/drivers/hv/hv_balloon.c
43944@@ -469,7 +469,7 @@ MODULE_PARM_DESC(hot_add, "If set attempt memory hot_add");
43945
43946 module_param(pressure_report_delay, uint, (S_IRUGO | S_IWUSR));
43947 MODULE_PARM_DESC(pressure_report_delay, "Delay in secs in reporting pressure");
43948-static atomic_t trans_id = ATOMIC_INIT(0);
43949+static atomic_unchecked_t trans_id = ATOMIC_INIT(0);
43950
43951 static int dm_ring_size = (5 * PAGE_SIZE);
43952
43953@@ -943,7 +943,7 @@ static void hot_add_req(struct work_struct *dummy)
43954 pr_info("Memory hot add failed\n");
43955
43956 dm->state = DM_INITIALIZED;
43957- resp.hdr.trans_id = atomic_inc_return(&trans_id);
43958+ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
43959 vmbus_sendpacket(dm->dev->channel, &resp,
43960 sizeof(struct dm_hot_add_response),
43961 (unsigned long)NULL,
43962@@ -1024,7 +1024,7 @@ static void post_status(struct hv_dynmem_device *dm)
43963 memset(&status, 0, sizeof(struct dm_status));
43964 status.hdr.type = DM_STATUS_REPORT;
43965 status.hdr.size = sizeof(struct dm_status);
43966- status.hdr.trans_id = atomic_inc_return(&trans_id);
43967+ status.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
43968
43969 /*
43970 * The host expects the guest to report free and committed memory.
43971@@ -1048,7 +1048,7 @@ static void post_status(struct hv_dynmem_device *dm)
43972 * send the status. This can happen if we were interrupted
43973 * after we picked our transaction ID.
43974 */
43975- if (status.hdr.trans_id != atomic_read(&trans_id))
43976+ if (status.hdr.trans_id != atomic_read_unchecked(&trans_id))
43977 return;
43978
43979 /*
43980@@ -1193,7 +1193,7 @@ static void balloon_up(struct work_struct *dummy)
43981 */
43982
43983 do {
43984- bl_resp->hdr.trans_id = atomic_inc_return(&trans_id);
43985+ bl_resp->hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
43986 ret = vmbus_sendpacket(dm_device.dev->channel,
43987 bl_resp,
43988 bl_resp->hdr.size,
43989@@ -1239,7 +1239,7 @@ static void balloon_down(struct hv_dynmem_device *dm,
43990
43991 memset(&resp, 0, sizeof(struct dm_unballoon_response));
43992 resp.hdr.type = DM_UNBALLOON_RESPONSE;
43993- resp.hdr.trans_id = atomic_inc_return(&trans_id);
43994+ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
43995 resp.hdr.size = sizeof(struct dm_unballoon_response);
43996
43997 vmbus_sendpacket(dm_device.dev->channel, &resp,
43998@@ -1300,7 +1300,7 @@ static void version_resp(struct hv_dynmem_device *dm,
43999 memset(&version_req, 0, sizeof(struct dm_version_request));
44000 version_req.hdr.type = DM_VERSION_REQUEST;
44001 version_req.hdr.size = sizeof(struct dm_version_request);
44002- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
44003+ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44004 version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN7;
44005 version_req.is_last_attempt = 1;
44006
44007@@ -1473,7 +1473,7 @@ static int balloon_probe(struct hv_device *dev,
44008 memset(&version_req, 0, sizeof(struct dm_version_request));
44009 version_req.hdr.type = DM_VERSION_REQUEST;
44010 version_req.hdr.size = sizeof(struct dm_version_request);
44011- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
44012+ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44013 version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN8;
44014 version_req.is_last_attempt = 0;
44015
44016@@ -1504,7 +1504,7 @@ static int balloon_probe(struct hv_device *dev,
44017 memset(&cap_msg, 0, sizeof(struct dm_capabilities));
44018 cap_msg.hdr.type = DM_CAPABILITIES_REPORT;
44019 cap_msg.hdr.size = sizeof(struct dm_capabilities);
44020- cap_msg.hdr.trans_id = atomic_inc_return(&trans_id);
44021+ cap_msg.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44022
44023 cap_msg.caps.cap_bits.balloon = 1;
44024 cap_msg.caps.cap_bits.hot_add = 1;
44025diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
44026index cddc0c9..2eb587d 100644
44027--- a/drivers/hv/hyperv_vmbus.h
44028+++ b/drivers/hv/hyperv_vmbus.h
44029@@ -645,7 +645,7 @@ enum vmbus_connect_state {
44030 struct vmbus_connection {
44031 enum vmbus_connect_state conn_state;
44032
44033- atomic_t next_gpadl_handle;
44034+ atomic_unchecked_t next_gpadl_handle;
44035
44036 struct completion unload_event;
44037 /*
44038diff --git a/drivers/hwmon/acpi_power_meter.c b/drivers/hwmon/acpi_power_meter.c
44039index 579bdf9..0dac21d5 100644
44040--- a/drivers/hwmon/acpi_power_meter.c
44041+++ b/drivers/hwmon/acpi_power_meter.c
44042@@ -116,7 +116,7 @@ struct sensor_template {
44043 struct device_attribute *devattr,
44044 const char *buf, size_t count);
44045 int index;
44046-};
44047+} __do_const;
44048
44049 /* Averaging interval */
44050 static int update_avg_interval(struct acpi_power_meter_resource *resource)
44051@@ -631,7 +631,7 @@ static int register_attrs(struct acpi_power_meter_resource *resource,
44052 struct sensor_template *attrs)
44053 {
44054 struct device *dev = &resource->acpi_dev->dev;
44055- struct sensor_device_attribute *sensors =
44056+ sensor_device_attribute_no_const *sensors =
44057 &resource->sensors[resource->num_sensors];
44058 int res = 0;
44059
44060@@ -973,7 +973,7 @@ static int __init enable_cap_knobs(const struct dmi_system_id *d)
44061 return 0;
44062 }
44063
44064-static struct dmi_system_id __initdata pm_dmi_table[] = {
44065+static const struct dmi_system_id __initconst pm_dmi_table[] = {
44066 {
44067 enable_cap_knobs, "IBM Active Energy Manager",
44068 {
44069diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
44070index 0af63da..05a183a 100644
44071--- a/drivers/hwmon/applesmc.c
44072+++ b/drivers/hwmon/applesmc.c
44073@@ -1105,7 +1105,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
44074 {
44075 struct applesmc_node_group *grp;
44076 struct applesmc_dev_attr *node;
44077- struct attribute *attr;
44078+ attribute_no_const *attr;
44079 int ret, i;
44080
44081 for (grp = groups; grp->format; grp++) {
44082diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
44083index cccef87..06ce8ec 100644
44084--- a/drivers/hwmon/asus_atk0110.c
44085+++ b/drivers/hwmon/asus_atk0110.c
44086@@ -147,10 +147,10 @@ MODULE_DEVICE_TABLE(acpi, atk_ids);
44087 struct atk_sensor_data {
44088 struct list_head list;
44089 struct atk_data *data;
44090- struct device_attribute label_attr;
44091- struct device_attribute input_attr;
44092- struct device_attribute limit1_attr;
44093- struct device_attribute limit2_attr;
44094+ device_attribute_no_const label_attr;
44095+ device_attribute_no_const input_attr;
44096+ device_attribute_no_const limit1_attr;
44097+ device_attribute_no_const limit2_attr;
44098 char label_attr_name[ATTR_NAME_SIZE];
44099 char input_attr_name[ATTR_NAME_SIZE];
44100 char limit1_attr_name[ATTR_NAME_SIZE];
44101@@ -270,7 +270,7 @@ static ssize_t atk_name_show(struct device *dev,
44102 static struct device_attribute atk_name_attr =
44103 __ATTR(name, 0444, atk_name_show, NULL);
44104
44105-static void atk_init_attribute(struct device_attribute *attr, char *name,
44106+static void atk_init_attribute(device_attribute_no_const *attr, char *name,
44107 sysfs_show_func show)
44108 {
44109 sysfs_attr_init(&attr->attr);
44110diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
44111index 3e03379..ec521d3 100644
44112--- a/drivers/hwmon/coretemp.c
44113+++ b/drivers/hwmon/coretemp.c
44114@@ -783,7 +783,7 @@ static int coretemp_cpu_callback(struct notifier_block *nfb,
44115 return NOTIFY_OK;
44116 }
44117
44118-static struct notifier_block coretemp_cpu_notifier __refdata = {
44119+static struct notifier_block coretemp_cpu_notifier = {
44120 .notifier_call = coretemp_cpu_callback,
44121 };
44122
44123diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
44124index c848789..e9e9217 100644
44125--- a/drivers/hwmon/dell-smm-hwmon.c
44126+++ b/drivers/hwmon/dell-smm-hwmon.c
44127@@ -819,7 +819,7 @@ static const struct i8k_config_data i8k_config_data[] = {
44128 },
44129 };
44130
44131-static struct dmi_system_id i8k_dmi_table[] __initdata = {
44132+static const struct dmi_system_id i8k_dmi_table[] __initconst = {
44133 {
44134 .ident = "Dell Inspiron",
44135 .matches = {
44136diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c
44137index 7a8a6fb..015c1fd 100644
44138--- a/drivers/hwmon/ibmaem.c
44139+++ b/drivers/hwmon/ibmaem.c
44140@@ -924,7 +924,7 @@ static int aem_register_sensors(struct aem_data *data,
44141 struct aem_rw_sensor_template *rw)
44142 {
44143 struct device *dev = &data->pdev->dev;
44144- struct sensor_device_attribute *sensors = data->sensors;
44145+ sensor_device_attribute_no_const *sensors = data->sensors;
44146 int err;
44147
44148 /* Set up read-only sensors */
44149diff --git a/drivers/hwmon/iio_hwmon.c b/drivers/hwmon/iio_hwmon.c
44150index 17ae2eb..21b71dd 100644
44151--- a/drivers/hwmon/iio_hwmon.c
44152+++ b/drivers/hwmon/iio_hwmon.c
44153@@ -61,7 +61,7 @@ static int iio_hwmon_probe(struct platform_device *pdev)
44154 {
44155 struct device *dev = &pdev->dev;
44156 struct iio_hwmon_state *st;
44157- struct sensor_device_attribute *a;
44158+ sensor_device_attribute_no_const *a;
44159 int ret, i;
44160 int in_i = 1, temp_i = 1, curr_i = 1, humidity_i = 1;
44161 enum iio_chan_type type;
44162diff --git a/drivers/hwmon/nct6683.c b/drivers/hwmon/nct6683.c
44163index 37f0170..414ec2c 100644
44164--- a/drivers/hwmon/nct6683.c
44165+++ b/drivers/hwmon/nct6683.c
44166@@ -397,11 +397,11 @@ static struct attribute_group *
44167 nct6683_create_attr_group(struct device *dev, struct sensor_template_group *tg,
44168 int repeat)
44169 {
44170- struct sensor_device_attribute_2 *a2;
44171- struct sensor_device_attribute *a;
44172+ sensor_device_attribute_2_no_const *a2;
44173+ sensor_device_attribute_no_const *a;
44174 struct sensor_device_template **t;
44175 struct sensor_device_attr_u *su;
44176- struct attribute_group *group;
44177+ attribute_group_no_const *group;
44178 struct attribute **attrs;
44179 int i, j, count;
44180
44181diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
44182index bd1c99d..2fa55ad 100644
44183--- a/drivers/hwmon/nct6775.c
44184+++ b/drivers/hwmon/nct6775.c
44185@@ -953,10 +953,10 @@ static struct attribute_group *
44186 nct6775_create_attr_group(struct device *dev, struct sensor_template_group *tg,
44187 int repeat)
44188 {
44189- struct attribute_group *group;
44190+ attribute_group_no_const *group;
44191 struct sensor_device_attr_u *su;
44192- struct sensor_device_attribute *a;
44193- struct sensor_device_attribute_2 *a2;
44194+ sensor_device_attribute_no_const *a;
44195+ sensor_device_attribute_2_no_const *a2;
44196 struct attribute **attrs;
44197 struct sensor_device_template **t;
44198 int i, count;
44199diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
44200index f2e47c7..45d7941 100644
44201--- a/drivers/hwmon/pmbus/pmbus_core.c
44202+++ b/drivers/hwmon/pmbus/pmbus_core.c
44203@@ -816,7 +816,7 @@ static int pmbus_add_attribute(struct pmbus_data *data, struct attribute *attr)
44204 return 0;
44205 }
44206
44207-static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
44208+static void pmbus_dev_attr_init(device_attribute_no_const *dev_attr,
44209 const char *name,
44210 umode_t mode,
44211 ssize_t (*show)(struct device *dev,
44212@@ -833,7 +833,7 @@ static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
44213 dev_attr->store = store;
44214 }
44215
44216-static void pmbus_attr_init(struct sensor_device_attribute *a,
44217+static void pmbus_attr_init(sensor_device_attribute_no_const *a,
44218 const char *name,
44219 umode_t mode,
44220 ssize_t (*show)(struct device *dev,
44221@@ -855,7 +855,7 @@ static int pmbus_add_boolean(struct pmbus_data *data,
44222 u16 reg, u8 mask)
44223 {
44224 struct pmbus_boolean *boolean;
44225- struct sensor_device_attribute *a;
44226+ sensor_device_attribute_no_const *a;
44227
44228 boolean = devm_kzalloc(data->dev, sizeof(*boolean), GFP_KERNEL);
44229 if (!boolean)
44230@@ -880,7 +880,7 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data,
44231 bool update, bool readonly)
44232 {
44233 struct pmbus_sensor *sensor;
44234- struct device_attribute *a;
44235+ device_attribute_no_const *a;
44236
44237 sensor = devm_kzalloc(data->dev, sizeof(*sensor), GFP_KERNEL);
44238 if (!sensor)
44239@@ -911,7 +911,7 @@ static int pmbus_add_label(struct pmbus_data *data,
44240 const char *lstring, int index)
44241 {
44242 struct pmbus_label *label;
44243- struct device_attribute *a;
44244+ device_attribute_no_const *a;
44245
44246 label = devm_kzalloc(data->dev, sizeof(*label), GFP_KERNEL);
44247 if (!label)
44248diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
44249index 497a7f8..3fffedf 100644
44250--- a/drivers/hwmon/sht15.c
44251+++ b/drivers/hwmon/sht15.c
44252@@ -169,7 +169,7 @@ struct sht15_data {
44253 int supply_uv;
44254 bool supply_uv_valid;
44255 struct work_struct update_supply_work;
44256- atomic_t interrupt_handled;
44257+ atomic_unchecked_t interrupt_handled;
44258 };
44259
44260 /**
44261@@ -542,13 +542,13 @@ static int sht15_measurement(struct sht15_data *data,
44262 ret = gpio_direction_input(data->pdata->gpio_data);
44263 if (ret)
44264 return ret;
44265- atomic_set(&data->interrupt_handled, 0);
44266+ atomic_set_unchecked(&data->interrupt_handled, 0);
44267
44268 enable_irq(gpio_to_irq(data->pdata->gpio_data));
44269 if (gpio_get_value(data->pdata->gpio_data) == 0) {
44270 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
44271 /* Only relevant if the interrupt hasn't occurred. */
44272- if (!atomic_read(&data->interrupt_handled))
44273+ if (!atomic_read_unchecked(&data->interrupt_handled))
44274 schedule_work(&data->read_work);
44275 }
44276 ret = wait_event_timeout(data->wait_queue,
44277@@ -820,7 +820,7 @@ static irqreturn_t sht15_interrupt_fired(int irq, void *d)
44278
44279 /* First disable the interrupt */
44280 disable_irq_nosync(irq);
44281- atomic_inc(&data->interrupt_handled);
44282+ atomic_inc_unchecked(&data->interrupt_handled);
44283 /* Then schedule a reading work struct */
44284 if (data->state != SHT15_READING_NOTHING)
44285 schedule_work(&data->read_work);
44286@@ -842,11 +842,11 @@ static void sht15_bh_read_data(struct work_struct *work_s)
44287 * If not, then start the interrupt again - care here as could
44288 * have gone low in meantime so verify it hasn't!
44289 */
44290- atomic_set(&data->interrupt_handled, 0);
44291+ atomic_set_unchecked(&data->interrupt_handled, 0);
44292 enable_irq(gpio_to_irq(data->pdata->gpio_data));
44293 /* If still not occurred or another handler was scheduled */
44294 if (gpio_get_value(data->pdata->gpio_data)
44295- || atomic_read(&data->interrupt_handled))
44296+ || atomic_read_unchecked(&data->interrupt_handled))
44297 return;
44298 }
44299
44300diff --git a/drivers/hwmon/via-cputemp.c b/drivers/hwmon/via-cputemp.c
44301index ac91c07..8e69663 100644
44302--- a/drivers/hwmon/via-cputemp.c
44303+++ b/drivers/hwmon/via-cputemp.c
44304@@ -295,7 +295,7 @@ static int via_cputemp_cpu_callback(struct notifier_block *nfb,
44305 return NOTIFY_OK;
44306 }
44307
44308-static struct notifier_block via_cputemp_cpu_notifier __refdata = {
44309+static struct notifier_block via_cputemp_cpu_notifier = {
44310 .notifier_call = via_cputemp_cpu_callback,
44311 };
44312
44313diff --git a/drivers/i2c/busses/i2c-amd756-s4882.c b/drivers/i2c/busses/i2c-amd756-s4882.c
44314index 65e3240..e6c511d 100644
44315--- a/drivers/i2c/busses/i2c-amd756-s4882.c
44316+++ b/drivers/i2c/busses/i2c-amd756-s4882.c
44317@@ -39,7 +39,7 @@
44318 extern struct i2c_adapter amd756_smbus;
44319
44320 static struct i2c_adapter *s4882_adapter;
44321-static struct i2c_algorithm *s4882_algo;
44322+static i2c_algorithm_no_const *s4882_algo;
44323
44324 /* Wrapper access functions for multiplexed SMBus */
44325 static DEFINE_MUTEX(amd756_lock);
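diff --git a/drivers/i2c/busses/i2c-diolan-u2c.c b/drivers/i2c/busses/i2c-diolan-u2c.c
index b19a310..d6eece0 100644
--- a/drivers/i2c/busses/i2c-diolan-u2c.c
+++ b/drivers/i2c/busses/i2c-diolan-u2c.c
@@ -98,7 +98,7 @@ MODULE_PARM_DESC(frequency, "I2C clock frequency in hertz");
 /* usb layer */
 
 /* Send command to device, and get response. */
-static int diolan_usb_transfer(struct i2c_diolan_u2c *dev)
+static int __intentional_overflow(-1) diolan_usb_transfer(struct i2c_diolan_u2c *dev)
 {
 int ret = 0;
 int actual;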
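Review bot: The `__intentional_overflow(-1)` annotation added to `diolan_usb_transfer` has no comment saying which computation is expected to overflow, so a later reader cannot tell whether the exemption is still justified once the body changes. As I read the attribute, it takes the function out of overflow instrumentation, which makes the reason worth recording in a one-line comment above the definition. The body lies outside the hunk, so the wording has to come from whoever verified the overflow. The same undocumented annotation is added to `ide_do_rw_disk` in drivers/ide/ide-disk.c, to `mthca_QUERY_FW`, `mthca_WRITE_MTT`, `mthca_SW2HW_EQ` and `mthca_MAD_IFC` in drivers/infiniband/hw/mthca/mthca_cmd.c, and to `mthca_setup_hca` in mthca_main.c.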
44339diff --git a/drivers/i2c/busses/i2c-nforce2-s4985.c b/drivers/i2c/busses/i2c-nforce2-s4985.c
44340index 88eda09..cf40434 100644
44341--- a/drivers/i2c/busses/i2c-nforce2-s4985.c
44342+++ b/drivers/i2c/busses/i2c-nforce2-s4985.c
44343@@ -37,7 +37,7 @@
44344 extern struct i2c_adapter *nforce2_smbus;
44345
44346 static struct i2c_adapter *s4985_adapter;
44347-static struct i2c_algorithm *s4985_algo;
44348+static i2c_algorithm_no_const *s4985_algo;
44349
44350 /* Wrapper access functions for multiplexed SMBus */
44351 static DEFINE_MUTEX(nforce2_lock);
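diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 71c7a39..71dd3e0 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -272,7 +272,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client,
 break;
 }
 
- data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
+ data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf;
 rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len);
 if (IS_ERR(rdwr_pa[i].buf)) {
 res = PTR_ERR(rdwr_pa[i].buf);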
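Review bot: The `__force_user` cast on `rdwr_pa[i].buf` overrides the address-space annotation instead of fixing the field's type, so static checking no longer confirms that the value really is a user pointer before it reaches `memdup_user()`. A comment next to the cast would keep the reasoning with the code, for example `/* buf still holds the caller-supplied user pointer; it is replaced by the kernel copy on the next line */`. The length passed with it, `rdwr_pa[i].len`, is presumably bounded in the part of the loop above the hunk, which should be confirmed. `i2cdev_ioctl_rdrw` starts and ends outside the hunk.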
44365diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
44366index 64a6b82..a524354 100644
44367--- a/drivers/ide/ide-cd.c
44368+++ b/drivers/ide/ide-cd.c
44369@@ -768,7 +768,7 @@ static void cdrom_do_block_pc(ide_drive_t *drive, struct request *rq)
44370 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
44371 if ((unsigned long)buf & alignment
44372 || blk_rq_bytes(rq) & q->dma_pad_mask
44373- || object_is_on_stack(buf))
44374+ || object_starts_on_stack(buf))
44375 drive->dma = 0;
44376 }
44377 }
44378diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
44379index 56b9708..980b63b 100644
44380--- a/drivers/ide/ide-disk.c
44381+++ b/drivers/ide/ide-disk.c
44382@@ -178,7 +178,7 @@ static ide_startstop_t __ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44383 * 1073741822 == 549756 MB or 48bit addressing fake drive
44384 */
44385
44386-static ide_startstop_t ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44387+static ide_startstop_t __intentional_overflow(-1) ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44388 sector_t block)
44389 {
44390 ide_hwif_t *hwif = drive->hwif;
44391diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
44392index 3524b0d..8c14520 100644
44393--- a/drivers/iio/industrialio-core.c
44394+++ b/drivers/iio/industrialio-core.c
44395@@ -576,7 +576,7 @@ static ssize_t iio_write_channel_info(struct device *dev,
44396 }
44397
44398 static
44399-int __iio_device_attr_init(struct device_attribute *dev_attr,
44400+int __iio_device_attr_init(device_attribute_no_const *dev_attr,
44401 const char *postfix,
44402 struct iio_chan_spec const *chan,
44403 ssize_t (*readfunc)(struct device *dev,
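diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
index b13936d..65322b2 100644
--- a/drivers/iio/magnetometer/ak8975.c
+++ b/drivers/iio/magnetometer/ak8975.c
@@ -776,7 +776,7 @@ static int ak8975_probe(struct i2c_client *client,
 name = id->name;
 } else if (ACPI_HANDLE(&client->dev))
 name = ak8975_match_acpi_device(&client->dev, &chipset);
- else
+ if (!name)
 return -ENOSYS;
 
 if (chipset >= AK_MAX_TYPE) {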
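Review bot: The new `if (!name)` test now runs on every path, including the one where neither the `id` branch nor the `ACPI_HANDLE(&client->dev)` branch was taken, and on that path no visible line assigns `name`. The declaration is outside the hunk, so the check is only well defined if `name` is initialised there, e.g. `const char *name = NULL;`. As a style point, the `else if` body is unbraced while the preceding `if` body is braced, and the new `if (!name)` directly below reads like part of the chain; bracing the `else if` body would make the separation explicit. `ak8975_probe` starts and ends outside the hunk.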
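diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
index 3a972eb..4126183 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -115,7 +115,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS]
 
 struct cm_counter_group {
 struct kobject obj;
- atomic_long_t counter[CM_ATTR_COUNT];
+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
 };
 
 struct cm_counter_attribute {
@@ -1411,7 +1411,7 @@ static void cm_dup_req_handler(struct cm_work *work,
 struct ib_mad_send_buf *msg = NULL;
 int ret;
 
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_REQ_COUNTER]);
 
 /* Quick state check to discard duplicate REQs. */
@@ -1798,7 +1798,7 @@ static void cm_dup_rep_handler(struct cm_work *work)
 if (!cm_id_priv)
 return;
 
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_REP_COUNTER]);
 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
 if (ret)
@@ -1965,7 +1965,7 @@ static int cm_rtu_handler(struct cm_work *work)
 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
 spin_unlock_irq(&cm_id_priv->lock);
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_RTU_COUNTER]);
 goto out;
 }
@@ -2148,7 +2148,7 @@ static int cm_dreq_handler(struct cm_work *work)
 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
 dreq_msg->local_comm_id);
 if (!cm_id_priv) {
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 cm_issue_drep(work->port, work->mad_recv_wc);
 return -EINVAL;
@@ -2173,7 +2173,7 @@ static int cm_dreq_handler(struct cm_work *work)
 case IB_CM_MRA_REP_RCVD:
 break;
 case IB_CM_TIMEWAIT:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
 goto unlock;
@@ -2187,7 +2187,7 @@ static int cm_dreq_handler(struct cm_work *work)
 cm_free_msg(msg);
 goto deref;
 case IB_CM_DREQ_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 goto unlock;
 default:
@@ -2554,7 +2554,7 @@ static int cm_mra_handler(struct cm_work *work)
 ib_modify_mad(cm_id_priv->av.port->mad_agent,
 cm_id_priv->msg, timeout)) {
 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
- atomic_long_inc(&work->port->
+ atomic_long_inc_unchecked(&work->port->
 counter_group[CM_RECV_DUPLICATES].
 counter[CM_MRA_COUNTER]);
 goto out;
@@ -2563,7 +2563,7 @@ static int cm_mra_handler(struct cm_work *work)
 break;
 case IB_CM_MRA_REQ_RCVD:
 case IB_CM_MRA_REP_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_MRA_COUNTER]);
 /* fall through */
 default:
@@ -2725,7 +2725,7 @@ static int cm_lap_handler(struct cm_work *work)
 case IB_CM_LAP_IDLE:
 break;
 case IB_CM_MRA_LAP_SENT:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_LAP_COUNTER]);
 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
 goto unlock;
@@ -2741,7 +2741,7 @@ static int cm_lap_handler(struct cm_work *work)
 cm_free_msg(msg);
 goto deref;
 case IB_CM_LAP_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_LAP_COUNTER]);
 goto unlock;
 default:
@@ -3025,7 +3025,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
 if (cur_cm_id_priv) {
 spin_unlock_irq(&cm.lock);
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_SIDR_REQ_COUNTER]);
 goto out; /* Duplicate message. */
 }
@@ -3237,10 +3237,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent,
 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
 msg->retries = 1;
 
- atomic_long_add(1 + msg->retries,
+ atomic_long_add_unchecked(1 + msg->retries,
 &port->counter_group[CM_XMIT].counter[attr_index]);
 if (msg->retries)
- atomic_long_add(msg->retries,
+ atomic_long_add_unchecked(msg->retries,
 &port->counter_group[CM_XMIT_RETRIES].
 counter[attr_index]);
 
@@ -3466,7 +3466,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent,
 }
 
 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
- atomic_long_inc(&port->counter_group[CM_RECV].
+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
 counter[attr_id - CM_ATTR_ID_OFFSET]);
 
 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
@@ -3709,7 +3709,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr,
 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
 
 return sprintf(buf, "%ld\n",
- atomic_long_read(&group->counter[cm_attr->index]));
+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
 }
 
 static const struct sysfs_ops cm_counter_ops = {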
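Review bot: In the `cm_recv_handler` hunk the counter index `attr_id - CM_ATTR_ID_OFFSET` is computed from `mad_hdr.attr_id` of the received MAD, while the array it indexes is declared as `counter[CM_ATTR_COUNT]` in the struct hunk at the top of this file. The range check is not visible in the hunk; it presumably sits in the block that closes on the hunk's first context line, and that should be confirmed since this line is being touched anyway. Separately, nothing records why these counters move to the unchecked type. A comment on the field such as `/* statistics only; wraparound is harmless */` would make the intent clear. `cm_recv_handler` starts and ends outside the hunk.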
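diff --git a/drivers/infiniband/core/fmr_pool.c b/drivers/infiniband/core/fmr_pool.c
index 9f5ad7c..588cd84 100644
--- a/drivers/infiniband/core/fmr_pool.c
+++ b/drivers/infiniband/core/fmr_pool.c
@@ -98,8 +98,8 @@ struct ib_fmr_pool {
 
 struct task_struct *thread;
 
- atomic_t req_ser;
- atomic_t flush_ser;
+ atomic_unchecked_t req_ser;
+ atomic_unchecked_t flush_ser;
 
 wait_queue_head_t force_wait;
 };
@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *pool_ptr)
 struct ib_fmr_pool *pool = pool_ptr;
 
 do {
- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
 ib_fmr_batch_release(pool);
 
- atomic_inc(&pool->flush_ser);
+ atomic_inc_unchecked(&pool->flush_ser);
 wake_up_interruptible(&pool->force_wait);
 
 if (pool->flush_function)
@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *pool_ptr)
 }
 
 set_current_state(TASK_INTERRUPTIBLE);
- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
 !kthread_should_stop())
 schedule();
 __set_current_state(TASK_RUNNING);
@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(struct ib_pd *pd,
 pool->dirty_watermark = params->dirty_watermark;
 pool->dirty_len = 0;
 spin_lock_init(&pool->pool_lock);
- atomic_set(&pool->req_ser, 0);
- atomic_set(&pool->flush_ser, 0);
+ atomic_set_unchecked(&pool->req_ser, 0);
+ atomic_set_unchecked(&pool->flush_ser, 0);
 init_waitqueue_head(&pool->force_wait);
 
 pool->thread = kthread_run(ib_fmr_cleanup_thread,
@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool *pool)
 }
 spin_unlock_irq(&pool->pool_lock);
 
- serial = atomic_inc_return(&pool->req_ser);
+ serial = atomic_inc_return_unchecked(&pool->req_ser);
 wake_up_process(pool->thread);
 
 if (wait_event_interruptible(pool->force_wait,
- atomic_read(&pool->flush_ser) - serial >= 0))
+ atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
 return -EINTR;
 
 return 0;
@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr *fmr)
 } else {
 list_add_tail(&fmr->list, &pool->dirty_list);
 if (++pool->dirty_len >= pool->dirty_watermark) {
- atomic_inc(&pool->req_ser);
+ atomic_inc_unchecked(&pool->req_ser);
 wake_up_process(pool->thread);
 }
 }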
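Review bot: `req_ser` and `flush_ser` are compared by signed difference (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0` in `ib_fmr_cleanup_thread`, and `- serial >= 0` in `ib_flush_fmr_pool`), so the logic depends on both counters being allowed to wrap, yet the struct hunk says nothing about it. I would document that at the fields, for example `/* serial numbers compared by difference; expected to wrap */`, so the unchecked type is not mistaken for a blanket opt-out. The subtraction is plain signed arithmetic on the values read, so it also relies on the build treating signed overflow as wrapping. That is an assumption about compiler flags which this page does not show.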
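diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index a6ca83b..bd3a726 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -951,6 +951,9 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
 if (copy_from_user(&cmd, buf, sizeof cmd))
 return -EFAULT;
 
+ if (!access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length))
+ return -EFAULT;
+
 INIT_UDATA(&udata, buf + sizeof cmd,
 (unsigned long) cmd.response + sizeof resp,
 in_len - sizeof cmd, out_len - sizeof resp);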
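Review bot: The added `access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length)` check is hard-coded to `VERIFY_READ`, although a memory region can presumably also be registered for writing; the access flags are handled outside the hunk. If the helper distinguishes read from write on any architecture, the mode should follow the requested access. `cmd.start` and `cmd.length` come straight from the `copy_from_user()` above and are passed without a cast, so it is worth confirming that the helper's argument types do not truncate them on 32-bit builds if those fields are 64-bit. A short comment such as `/* reject ranges outside the user address space before they reach the driver */` would also explain why the check sits here. `ib_uverbs_reg_mr` continues outside the hunk.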
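diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
index cff815b..75576dd 100644
--- a/drivers/infiniband/hw/cxgb4/mem.c
+++ b/drivers/infiniband/hw/cxgb4/mem.c
@@ -256,7 +256,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry,
 int err;
 struct fw_ri_tpte tpt;
 u32 stag_idx;
- static atomic_t key;
+ static atomic_unchecked_t key;
 
 if (c4iw_fatal_error(rdev))
 return -EIO;
@@ -277,7 +277,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry,
 if (rdev->stats.stag.cur > rdev->stats.stag.max)
 rdev->stats.stag.max = rdev->stats.stag.cur;
 mutex_unlock(&rdev->stats.lock);
- *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
+ *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
 }
 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
 __func__, stag_state, type, pdid, stag_idx);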
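Review bot: The declaration `static atomic_unchecked_t key;` gives no hint that wrapping is expected, even though `key` only ever contributes its low eight bits to the stag (`atomic_inc_return_unchecked(&key) & 0xff`). A comment at the declaration, for example `/* rolling 8-bit stag key; wraps by design */`, would keep a later reader from converting it back to a checked counter. `write_tpt_entry` starts and ends outside both hunks.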
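diff --git a/drivers/infiniband/hw/ipath/ipath_rc.c b/drivers/infiniband/hw/ipath/ipath_rc.c
index 79b3dbc..96e5fcc 100644
--- a/drivers/infiniband/hw/ipath/ipath_rc.c
+++ b/drivers/infiniband/hw/ipath/ipath_rc.c
@@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr,
 struct ib_atomic_eth *ateth;
 struct ipath_ack_entry *e;
 u64 vaddr;
- atomic64_t *maddr;
+ atomic64_unchecked_t *maddr;
 u64 sdata;
 u32 rkey;
 u8 next;
@@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr,
 IB_ACCESS_REMOTE_ATOMIC)))
 goto nack_acc_unlck;
 /* Perform atomic OP and save result. */
- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
 sdata = be64_to_cpu(ateth->swap_data);
 e = &qp->s_ack_queue[qp->r_head_ack_queue];
 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
- (u64) atomic64_add_return(sdata, maddr) - sdata :
+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
 be64_to_cpu(ateth->compare_data),
 sdata);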
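Review bot: In the second hunk the two arms of the conditional reach the same location through different pointer types: `maddr` (`atomic64_unchecked_t *`) for the fetch-and-add and a fresh `(u64 *) qp->r_sge.sge.vaddr` cast for `cmpxchg()`. That makes the shared target easy to miss. The addend `sdata` is taken from the packet (`be64_to_cpu(ateth->swap_data)`), so the sum is arbitrary 64-bit data rather than a kernel counter, and a comment above the assignment to `maddr` such as `/* requester-supplied operand: 64-bit wrap is the defined result */` would record why the unchecked variant is needed. `ipath_rc_rcv` starts and ends outside the hunks. The same change and the same remarks apply to `ipath_ruc_loopback` in drivers/infiniband/hw/ipath/ipath_ruc.c.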
44694diff --git a/drivers/infiniband/hw/ipath/ipath_ruc.c b/drivers/infiniband/hw/ipath/ipath_ruc.c
44695index 1f95bba..9530f87 100644
44696--- a/drivers/infiniband/hw/ipath/ipath_ruc.c
44697+++ b/drivers/infiniband/hw/ipath/ipath_ruc.c
44698@@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ipath_qp *sqp)
44699 unsigned long flags;
44700 struct ib_wc wc;
44701 u64 sdata;
44702- atomic64_t *maddr;
44703+ atomic64_unchecked_t *maddr;
44704 enum ib_wc_status send_status;
44705
44706 /*
44707@@ -382,11 +382,11 @@ again:
44708 IB_ACCESS_REMOTE_ATOMIC)))
44709 goto acc_err;
44710 /* Perform atomic OP and save result. */
44711- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
44712+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
44713 sdata = wqe->wr.wr.atomic.compare_add;
44714 *(u64 *) sqp->s_sge.sge.vaddr =
44715 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
44716- (u64) atomic64_add_return(sdata, maddr) - sdata :
44717+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
44718 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
44719 sdata, wqe->wr.wr.atomic.swap);
44720 goto send_comp;
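diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
index 68b3dfa..3e0c511 100644
--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -98,7 +98,7 @@ __be64 mlx4_ib_gen_node_guid(void)
 
 __be64 mlx4_ib_get_new_demux_tid(struct mlx4_ib_demux_ctx *ctx)
 {
- return cpu_to_be64(atomic_inc_return(&ctx->tid)) |
+ return cpu_to_be64(atomic_inc_return_unchecked(&ctx->tid)) |
 cpu_to_be64(0xff00000000000000LL);
 }
 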
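Review bot: `atomic_inc_return_unchecked(&ctx->tid)` is passed straight to `cpu_to_be64()` in `mlx4_ib_get_new_demux_tid`; assuming it returns a signed `int` like `atomic_inc_return()`, a wrapped (negative) value is sign-extended and sets the whole upper half of the 64-bit TID. Now that the counter is explicitly allowed to wrap, I would make the width explicit with `cpu_to_be64((u32)atomic_inc_return_unchecked(&ctx->tid))`. The top byte is forced to `0xff` by the OR on the following line either way, so only bits 32 to 55 are affected.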
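diff --git a/drivers/infiniband/hw/mlx4/mcg.c b/drivers/infiniband/hw/mlx4/mcg.c
index a0559a8..86a2320 100644
--- a/drivers/infiniband/hw/mlx4/mcg.c
+++ b/drivers/infiniband/hw/mlx4/mcg.c
@@ -1042,7 +1042,7 @@ int mlx4_ib_mcg_port_init(struct mlx4_ib_demux_ctx *ctx)
 {
 char name[20];
 
- atomic_set(&ctx->tid, 0);
+ atomic_set_unchecked(&ctx->tid, 0);
 sprintf(name, "mlx4_ib_mcg%d", ctx->port);
 ctx->mcg_wq = create_singlethread_workqueue(name);
 if (!ctx->mcg_wq)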
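Review bot: `sprintf(name, "mlx4_ib_mcg%d", ctx->port)` writes into `char name[20]` with no bound; the prefix is 11 characters, so a `%d` expansion longer than 8 characters would run past the buffer. Port numbers are presumably small, but the type of `ctx->port` is not visible in the hunk, and a bounded call costs nothing: `snprintf(name, sizeof(name), "mlx4_ib_mcg%d", ctx->port);`. The line is context here, not a changed line, but it sits directly under the `atomic_set_unchecked()` call this hunk touches. `mlx4_ib_mcg_port_init` continues outside the hunk.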
44747diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h
44748index 334387f..e640d74 100644
44749--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
44750+++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
44751@@ -436,7 +436,7 @@ struct mlx4_ib_demux_ctx {
44752 struct list_head mcg_mgid0_list;
44753 struct workqueue_struct *mcg_wq;
44754 struct mlx4_ib_demux_pv_ctx **tun;
44755- atomic_t tid;
44756+ atomic_unchecked_t tid;
44757 int flushing; /* flushing the work queue */
44758 };
44759
44760diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
44761index c7f49bb..6a021bb 100644
44762--- a/drivers/infiniband/hw/mthca/mthca_cmd.c
44763+++ b/drivers/infiniband/hw/mthca/mthca_cmd.c
44764@@ -772,7 +772,7 @@ static void mthca_setup_cmd_doorbells(struct mthca_dev *dev, u64 base)
44765 mthca_dbg(dev, "Mapped doorbell page for posting FW commands\n");
44766 }
44767
44768-int mthca_QUERY_FW(struct mthca_dev *dev)
44769+int __intentional_overflow(-1) mthca_QUERY_FW(struct mthca_dev *dev)
44770 {
44771 struct mthca_mailbox *mailbox;
44772 u32 *outbox;
44773@@ -1612,7 +1612,7 @@ int mthca_HW2SW_MPT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
44774 CMD_TIME_CLASS_B);
44775 }
44776
44777-int mthca_WRITE_MTT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
44778+int __intentional_overflow(-1) mthca_WRITE_MTT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
44779 int num_mtt)
44780 {
44781 return mthca_cmd(dev, mailbox->dma, num_mtt, 0, CMD_WRITE_MTT,
44782@@ -1634,7 +1634,7 @@ int mthca_MAP_EQ(struct mthca_dev *dev, u64 event_mask, int unmap,
44783 0, CMD_MAP_EQ, CMD_TIME_CLASS_B);
44784 }
44785
44786-int mthca_SW2HW_EQ(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
44787+int __intentional_overflow(-1) mthca_SW2HW_EQ(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
44788 int eq_num)
44789 {
44790 return mthca_cmd(dev, mailbox->dma, eq_num, 0, CMD_SW2HW_EQ,
44791@@ -1857,7 +1857,7 @@ int mthca_CONF_SPECIAL_QP(struct mthca_dev *dev, int type, u32 qpn)
44792 CMD_TIME_CLASS_B);
44793 }
44794
44795-int mthca_MAD_IFC(struct mthca_dev *dev, int ignore_mkey, int ignore_bkey,
44796+int __intentional_overflow(-1) mthca_MAD_IFC(struct mthca_dev *dev, int ignore_mkey, int ignore_bkey,
44797 int port, const struct ib_wc *in_wc, const struct ib_grh *in_grh,
44798 const void *in_mad, void *response_mad)
44799 {
44800diff --git a/drivers/infiniband/hw/mthca/mthca_main.c b/drivers/infiniband/hw/mthca/mthca_main.c
44801index ded76c1..0cf0a08 100644
44802--- a/drivers/infiniband/hw/mthca/mthca_main.c
44803+++ b/drivers/infiniband/hw/mthca/mthca_main.c
44804@@ -692,7 +692,7 @@ err_close:
44805 return err;
44806 }
44807
44808-static int mthca_setup_hca(struct mthca_dev *dev)
44809+static int __intentional_overflow(-1) mthca_setup_hca(struct mthca_dev *dev)
44810 {
44811 int err;
44812
44813diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c
44814index ed9a989..6aa5dc2 100644
44815--- a/drivers/infiniband/hw/mthca/mthca_mr.c
44816+++ b/drivers/infiniband/hw/mthca/mthca_mr.c
44817@@ -81,7 +81,7 @@ struct mthca_mpt_entry {
44818 * through the bitmaps)
44819 */
44820
44821-static u32 mthca_buddy_alloc(struct mthca_buddy *buddy, int order)
44822+static u32 __intentional_overflow(-1) mthca_buddy_alloc(struct mthca_buddy *buddy, int order)
44823 {
44824 int o;
44825 int m;
44826@@ -426,7 +426,7 @@ static inline u32 adjust_key(struct mthca_dev *dev, u32 key)
44827 return key;
44828 }
44829
44830-int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
44831+int __intentional_overflow(-1) mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
44832 u64 iova, u64 total_size, u32 access, struct mthca_mr *mr)
44833 {
44834 struct mthca_mailbox *mailbox;
44835@@ -516,7 +516,7 @@ int mthca_mr_alloc_notrans(struct mthca_dev *dev, u32 pd,
44836 return mthca_mr_alloc(dev, pd, 12, 0, ~0ULL, access, mr);
44837 }
44838
44839-int mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
44840+int __intentional_overflow(-1) mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
44841 u64 *buffer_list, int buffer_size_shift,
44842 int list_len, u64 iova, u64 total_size,
44843 u32 access, struct mthca_mr *mr)
44844diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c
44845index 93ae51d..84c4a44 100644
44846--- a/drivers/infiniband/hw/mthca/mthca_provider.c
44847+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
44848@@ -771,7 +771,7 @@ unlock:
44849 return 0;
44850 }
44851
44852-static int mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata)
44853+static int __intentional_overflow(-1) mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata)
44854 {
44855 struct mthca_dev *dev = to_mdev(ibcq->device);
44856 struct mthca_cq *cq = to_mcq(ibcq);
44857diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c
44858index 9f9d5c5..3c19aac 100644
44859--- a/drivers/infiniband/hw/nes/nes.c
44860+++ b/drivers/infiniband/hw/nes/nes.c
44861@@ -97,7 +97,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limit max read request size to 256 Bytes");
44862 LIST_HEAD(nes_adapter_list);
44863 static LIST_HEAD(nes_dev_list);
44864
44865-atomic_t qps_destroyed;
44866+atomic_unchecked_t qps_destroyed;
44867
44868 static unsigned int ee_flsh_adapter;
44869 static unsigned int sysfs_nonidx_addr;
44870@@ -279,7 +279,7 @@ static void nes_cqp_rem_ref_callback(struct nes_device *nesdev, struct nes_cqp_r
44871 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
44872 struct nes_adapter *nesadapter = nesdev->nesadapter;
44873
44874- atomic_inc(&qps_destroyed);
44875+ atomic_inc_unchecked(&qps_destroyed);
44876
44877 /* Free the control structures */
44878
44879diff --git a/drivers/infiniband/hw/nes/nes.h b/drivers/infiniband/hw/nes/nes.h
44880index bd9d132..70d84f4 100644
44881--- a/drivers/infiniband/hw/nes/nes.h
44882+++ b/drivers/infiniband/hw/nes/nes.h
44883@@ -180,17 +180,17 @@ extern unsigned int nes_debug_level;
44884 extern unsigned int wqm_quanta;
44885 extern struct list_head nes_adapter_list;
44886
44887-extern atomic_t cm_connects;
44888-extern atomic_t cm_accepts;
44889-extern atomic_t cm_disconnects;
44890-extern atomic_t cm_closes;
44891-extern atomic_t cm_connecteds;
44892-extern atomic_t cm_connect_reqs;
44893-extern atomic_t cm_rejects;
44894-extern atomic_t mod_qp_timouts;
44895-extern atomic_t qps_created;
44896-extern atomic_t qps_destroyed;
44897-extern atomic_t sw_qps_destroyed;
44898+extern atomic_unchecked_t cm_connects;
44899+extern atomic_unchecked_t cm_accepts;
44900+extern atomic_unchecked_t cm_disconnects;
44901+extern atomic_unchecked_t cm_closes;
44902+extern atomic_unchecked_t cm_connecteds;
44903+extern atomic_unchecked_t cm_connect_reqs;
44904+extern atomic_unchecked_t cm_rejects;
44905+extern atomic_unchecked_t mod_qp_timouts;
44906+extern atomic_unchecked_t qps_created;
44907+extern atomic_unchecked_t qps_destroyed;
44908+extern atomic_unchecked_t sw_qps_destroyed;
44909 extern u32 mh_detected;
44910 extern u32 mh_pauses_sent;
44911 extern u32 cm_packets_sent;
44912@@ -199,16 +199,16 @@ extern u32 cm_packets_created;
44913 extern u32 cm_packets_received;
44914 extern u32 cm_packets_dropped;
44915 extern u32 cm_packets_retrans;
44916-extern atomic_t cm_listens_created;
44917-extern atomic_t cm_listens_destroyed;
44918+extern atomic_unchecked_t cm_listens_created;
44919+extern atomic_unchecked_t cm_listens_destroyed;
44920 extern u32 cm_backlog_drops;
44921-extern atomic_t cm_loopbacks;
44922-extern atomic_t cm_nodes_created;
44923-extern atomic_t cm_nodes_destroyed;
44924-extern atomic_t cm_accel_dropped_pkts;
44925-extern atomic_t cm_resets_recvd;
44926-extern atomic_t pau_qps_created;
44927-extern atomic_t pau_qps_destroyed;
44928+extern atomic_unchecked_t cm_loopbacks;
44929+extern atomic_unchecked_t cm_nodes_created;
44930+extern atomic_unchecked_t cm_nodes_destroyed;
44931+extern atomic_unchecked_t cm_accel_dropped_pkts;
44932+extern atomic_unchecked_t cm_resets_recvd;
44933+extern atomic_unchecked_t pau_qps_created;
44934+extern atomic_unchecked_t pau_qps_destroyed;
44935
44936 extern u32 int_mod_timer_init;
44937 extern u32 int_mod_cq_depth_256;
44938diff --git a/drivers/infiniband/hw/nes/nes_cm.c b/drivers/infiniband/hw/nes/nes_cm.c
44939index 8a3ad17..e1ed4bc 100644
44940--- a/drivers/infiniband/hw/nes/nes_cm.c
44941+++ b/drivers/infiniband/hw/nes/nes_cm.c
44942@@ -69,14 +69,14 @@ u32 cm_packets_dropped;
44943 u32 cm_packets_retrans;
44944 u32 cm_packets_created;
44945 u32 cm_packets_received;
44946-atomic_t cm_listens_created;
44947-atomic_t cm_listens_destroyed;
44948+atomic_unchecked_t cm_listens_created;
44949+atomic_unchecked_t cm_listens_destroyed;
44950 u32 cm_backlog_drops;
44951-atomic_t cm_loopbacks;
44952-atomic_t cm_nodes_created;
44953-atomic_t cm_nodes_destroyed;
44954-atomic_t cm_accel_dropped_pkts;
44955-atomic_t cm_resets_recvd;
44956+atomic_unchecked_t cm_loopbacks;
44957+atomic_unchecked_t cm_nodes_created;
44958+atomic_unchecked_t cm_nodes_destroyed;
44959+atomic_unchecked_t cm_accel_dropped_pkts;
44960+atomic_unchecked_t cm_resets_recvd;
44961
44962 static inline int mini_cm_accelerated(struct nes_cm_core *, struct nes_cm_node *);
44963 static struct nes_cm_listener *mini_cm_listen(struct nes_cm_core *, struct nes_vnic *, struct nes_cm_info *);
44964@@ -135,28 +135,28 @@ static void record_ird_ord(struct nes_cm_node *, u16, u16);
44965 /* instance of function pointers for client API */
44966 /* set address of this instance to cm_core->cm_ops at cm_core alloc */
44967 static struct nes_cm_ops nes_cm_api = {
44968- mini_cm_accelerated,
44969- mini_cm_listen,
44970- mini_cm_del_listen,
44971- mini_cm_connect,
44972- mini_cm_close,
44973- mini_cm_accept,
44974- mini_cm_reject,
44975- mini_cm_recv_pkt,
44976- mini_cm_dealloc_core,
44977- mini_cm_get,
44978- mini_cm_set
44979+ .accelerated = mini_cm_accelerated,
44980+ .listen = mini_cm_listen,
44981+ .stop_listener = mini_cm_del_listen,
44982+ .connect = mini_cm_connect,
44983+ .close = mini_cm_close,
44984+ .accept = mini_cm_accept,
44985+ .reject = mini_cm_reject,
44986+ .recv_pkt = mini_cm_recv_pkt,
44987+ .destroy_cm_core = mini_cm_dealloc_core,
44988+ .get = mini_cm_get,
44989+ .set = mini_cm_set
44990 };
44991
44992 static struct nes_cm_core *g_cm_core;
44993
44994-atomic_t cm_connects;
44995-atomic_t cm_accepts;
44996-atomic_t cm_disconnects;
44997-atomic_t cm_closes;
44998-atomic_t cm_connecteds;
44999-atomic_t cm_connect_reqs;
45000-atomic_t cm_rejects;
45001+atomic_unchecked_t cm_connects;
45002+atomic_unchecked_t cm_accepts;
45003+atomic_unchecked_t cm_disconnects;
45004+atomic_unchecked_t cm_closes;
45005+atomic_unchecked_t cm_connecteds;
45006+atomic_unchecked_t cm_connect_reqs;
45007+atomic_unchecked_t cm_rejects;
45008
45009 int nes_add_ref_cm_node(struct nes_cm_node *cm_node)
45010 {
45011@@ -1461,7 +1461,7 @@ static int mini_cm_dec_refcnt_listen(struct nes_cm_core *cm_core,
45012 kfree(listener);
45013 listener = NULL;
45014 ret = 0;
45015- atomic_inc(&cm_listens_destroyed);
45016+ atomic_inc_unchecked(&cm_listens_destroyed);
45017 } else {
45018 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
45019 }
45020@@ -1670,7 +1670,7 @@ static struct nes_cm_node *make_cm_node(struct nes_cm_core *cm_core,
45021 cm_node->rem_mac);
45022
45023 add_hte_node(cm_core, cm_node);
45024- atomic_inc(&cm_nodes_created);
45025+ atomic_inc_unchecked(&cm_nodes_created);
45026
45027 return cm_node;
45028 }
45029@@ -1731,7 +1731,7 @@ static int rem_ref_cm_node(struct nes_cm_core *cm_core,
45030 }
45031
45032 atomic_dec(&cm_core->node_cnt);
45033- atomic_inc(&cm_nodes_destroyed);
45034+ atomic_inc_unchecked(&cm_nodes_destroyed);
45035 nesqp = cm_node->nesqp;
45036 if (nesqp) {
45037 nesqp->cm_node = NULL;
45038@@ -1795,7 +1795,7 @@ static int process_options(struct nes_cm_node *cm_node, u8 *optionsloc,
45039
45040 static void drop_packet(struct sk_buff *skb)
45041 {
45042- atomic_inc(&cm_accel_dropped_pkts);
45043+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
45044 dev_kfree_skb_any(skb);
45045 }
45046
45047@@ -1858,7 +1858,7 @@ static void handle_rst_pkt(struct nes_cm_node *cm_node, struct sk_buff *skb,
45048 {
45049
45050 int reset = 0; /* whether to send reset in case of err.. */
45051- atomic_inc(&cm_resets_recvd);
45052+ atomic_inc_unchecked(&cm_resets_recvd);
45053 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
45054 " refcnt=%d\n", cm_node, cm_node->state,
45055 atomic_read(&cm_node->ref_count));
45056@@ -2526,7 +2526,7 @@ static struct nes_cm_node *mini_cm_connect(struct nes_cm_core *cm_core,
45057 rem_ref_cm_node(cm_node->cm_core, cm_node);
45058 return NULL;
45059 }
45060- atomic_inc(&cm_loopbacks);
45061+ atomic_inc_unchecked(&cm_loopbacks);
45062 loopbackremotenode->loopbackpartner = cm_node;
45063 loopbackremotenode->tcp_cntxt.rcv_wscale =
45064 NES_CM_DEFAULT_RCV_WND_SCALE;
45065@@ -2807,7 +2807,7 @@ static int mini_cm_recv_pkt(struct nes_cm_core *cm_core,
45066 nes_queue_mgt_skbs(skb, nesvnic, cm_node->nesqp);
45067 else {
45068 rem_ref_cm_node(cm_core, cm_node);
45069- atomic_inc(&cm_accel_dropped_pkts);
45070+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
45071 dev_kfree_skb_any(skb);
45072 }
45073 break;
45074@@ -3118,7 +3118,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp)
45075
45076 if ((cm_id) && (cm_id->event_handler)) {
45077 if (issue_disconn) {
45078- atomic_inc(&cm_disconnects);
45079+ atomic_inc_unchecked(&cm_disconnects);
45080 cm_event.event = IW_CM_EVENT_DISCONNECT;
45081 cm_event.status = disconn_status;
45082 cm_event.local_addr = cm_id->local_addr;
45083@@ -3140,7 +3140,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp)
45084 }
45085
45086 if (issue_close) {
45087- atomic_inc(&cm_closes);
45088+ atomic_inc_unchecked(&cm_closes);
45089 nes_disconnect(nesqp, 1);
45090
45091 cm_id->provider_data = nesqp;
45092@@ -3278,7 +3278,7 @@ int nes_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
45093
45094 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
45095 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
45096- atomic_inc(&cm_accepts);
45097+ atomic_inc_unchecked(&cm_accepts);
45098
45099 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
45100 netdev_refcnt_read(nesvnic->netdev));
45101@@ -3476,7 +3476,7 @@ int nes_reject(struct iw_cm_id *cm_id, const void *pdata, u8 pdata_len)
45102 struct nes_cm_core *cm_core;
45103 u8 *start_buff;
45104
45105- atomic_inc(&cm_rejects);
45106+ atomic_inc_unchecked(&cm_rejects);
45107 cm_node = (struct nes_cm_node *)cm_id->provider_data;
45108 loopback = cm_node->loopbackpartner;
45109 cm_core = cm_node->cm_core;
45110@@ -3541,7 +3541,7 @@ int nes_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
45111 ntohs(raddr->sin_port), ntohl(laddr->sin_addr.s_addr),
45112 ntohs(laddr->sin_port));
45113
45114- atomic_inc(&cm_connects);
45115+ atomic_inc_unchecked(&cm_connects);
45116 nesqp->active_conn = 1;
45117
45118 /* cache the cm_id in the qp */
45119@@ -3688,7 +3688,7 @@ int nes_create_listen(struct iw_cm_id *cm_id, int backlog)
45120 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
45121 return err;
45122 }
45123- atomic_inc(&cm_listens_created);
45124+ atomic_inc_unchecked(&cm_listens_created);
45125 }
45126
45127 cm_id->add_ref(cm_id);
45128@@ -3795,7 +3795,7 @@ static void cm_event_connected(struct nes_cm_event *event)
45129
45130 if (nesqp->destroyed)
45131 return;
45132- atomic_inc(&cm_connecteds);
45133+ atomic_inc_unchecked(&cm_connecteds);
45134 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
45135 " local port 0x%04X. jiffies = %lu.\n",
45136 nesqp->hwqp.qp_id, ntohl(raddr->sin_addr.s_addr),
45137@@ -3980,7 +3980,7 @@ static void cm_event_reset(struct nes_cm_event *event)
45138
45139 cm_id->add_ref(cm_id);
45140 ret = cm_id->event_handler(cm_id, &cm_event);
45141- atomic_inc(&cm_closes);
45142+ atomic_inc_unchecked(&cm_closes);
45143 cm_event.event = IW_CM_EVENT_CLOSE;
45144 cm_event.status = 0;
45145 cm_event.provider_data = cm_id->provider_data;
45146@@ -4020,7 +4020,7 @@ static void cm_event_mpa_req(struct nes_cm_event *event)
45147 return;
45148 cm_id = cm_node->cm_id;
45149
45150- atomic_inc(&cm_connect_reqs);
45151+ atomic_inc_unchecked(&cm_connect_reqs);
45152 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
45153 cm_node, cm_id, jiffies);
45154
45155@@ -4069,7 +4069,7 @@ static void cm_event_mpa_reject(struct nes_cm_event *event)
45156 return;
45157 cm_id = cm_node->cm_id;
45158
45159- atomic_inc(&cm_connect_reqs);
45160+ atomic_inc_unchecked(&cm_connect_reqs);
45161 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
45162 cm_node, cm_id, jiffies);
45163
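Review bot: In `cm_event_mpa_reject` the counter being bumped is `cm_connect_reqs`, the same one `cm_event_mpa_req` increments in the previous hunk, so rejected MPA requests appear to be counted as connect requests. This looks carried over from the original code rather than introduced by the patch. If a reject should be accounted separately, `atomic_inc_unchecked(&cm_rejects);` uses the counter declared for that, though whether it is the intended one here needs confirming against how the statistics are consumed. The function starts and ends outside the hunk.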
45164diff --git a/drivers/infiniband/hw/nes/nes_mgt.c b/drivers/infiniband/hw/nes/nes_mgt.c
45165index 4166452..fc952c3 100644
45166--- a/drivers/infiniband/hw/nes/nes_mgt.c
45167+++ b/drivers/infiniband/hw/nes/nes_mgt.c
45168@@ -40,8 +40,8 @@
45169 #include "nes.h"
45170 #include "nes_mgt.h"
45171
45172-atomic_t pau_qps_created;
45173-atomic_t pau_qps_destroyed;
45174+atomic_unchecked_t pau_qps_created;
45175+atomic_unchecked_t pau_qps_destroyed;
45176
45177 static void nes_replenish_mgt_rq(struct nes_vnic_mgt *mgtvnic)
45178 {
45179@@ -621,7 +621,7 @@ void nes_destroy_pau_qp(struct nes_device *nesdev, struct nes_qp *nesqp)
45180 {
45181 struct sk_buff *skb;
45182 unsigned long flags;
45183- atomic_inc(&pau_qps_destroyed);
45184+ atomic_inc_unchecked(&pau_qps_destroyed);
45185
45186 /* Free packets that have not yet been forwarded */
45187 /* Lock is acquired by skb_dequeue when removing the skb */
45188@@ -810,7 +810,7 @@ static void nes_mgt_ce_handler(struct nes_device *nesdev, struct nes_hw_nic_cq *
45189 cq->cq_vbase[head].cqe_words[NES_NIC_CQE_HASH_RCVNXT]);
45190 skb_queue_head_init(&nesqp->pau_list);
45191 spin_lock_init(&nesqp->pau_lock);
45192- atomic_inc(&pau_qps_created);
45193+ atomic_inc_unchecked(&pau_qps_created);
45194 nes_change_quad_hash(nesdev, mgtvnic->nesvnic, nesqp);
45195 }
45196
45197diff --git a/drivers/infiniband/hw/nes/nes_nic.c b/drivers/infiniband/hw/nes/nes_nic.c
45198index 70acda9..a96de9d 100644
45199--- a/drivers/infiniband/hw/nes/nes_nic.c
45200+++ b/drivers/infiniband/hw/nes/nes_nic.c
45201@@ -1274,39 +1274,39 @@ static void nes_netdev_get_ethtool_stats(struct net_device *netdev,
45202 target_stat_values[++index] = mh_detected;
45203 target_stat_values[++index] = mh_pauses_sent;
45204 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
45205- target_stat_values[++index] = atomic_read(&cm_connects);
45206- target_stat_values[++index] = atomic_read(&cm_accepts);
45207- target_stat_values[++index] = atomic_read(&cm_disconnects);
45208- target_stat_values[++index] = atomic_read(&cm_connecteds);
45209- target_stat_values[++index] = atomic_read(&cm_connect_reqs);
45210- target_stat_values[++index] = atomic_read(&cm_rejects);
45211- target_stat_values[++index] = atomic_read(&mod_qp_timouts);
45212- target_stat_values[++index] = atomic_read(&qps_created);
45213- target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
45214- target_stat_values[++index] = atomic_read(&qps_destroyed);
45215- target_stat_values[++index] = atomic_read(&cm_closes);
45216+ target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
45217+ target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
45218+ target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
45219+ target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
45220+ target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
45221+ target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
45222+ target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
45223+ target_stat_values[++index] = atomic_read_unchecked(&qps_created);
45224+ target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
45225+ target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
45226+ target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
45227 target_stat_values[++index] = cm_packets_sent;
45228 target_stat_values[++index] = cm_packets_bounced;
45229 target_stat_values[++index] = cm_packets_created;
45230 target_stat_values[++index] = cm_packets_received;
45231 target_stat_values[++index] = cm_packets_dropped;
45232 target_stat_values[++index] = cm_packets_retrans;
45233- target_stat_values[++index] = atomic_read(&cm_listens_created);
45234- target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
45235+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
45236+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
45237 target_stat_values[++index] = cm_backlog_drops;
45238- target_stat_values[++index] = atomic_read(&cm_loopbacks);
45239- target_stat_values[++index] = atomic_read(&cm_nodes_created);
45240- target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
45241- target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
45242- target_stat_values[++index] = atomic_read(&cm_resets_recvd);
45243+ target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
45244+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
45245+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
45246+ target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
45247+ target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
45248 target_stat_values[++index] = nesadapter->free_4kpbl;
45249 target_stat_values[++index] = nesadapter->free_256pbl;
45250 target_stat_values[++index] = int_mod_timer_init;
45251 target_stat_values[++index] = nesvnic->lro_mgr.stats.aggregated;
45252 target_stat_values[++index] = nesvnic->lro_mgr.stats.flushed;
45253 target_stat_values[++index] = nesvnic->lro_mgr.stats.no_desc;
45254- target_stat_values[++index] = atomic_read(&pau_qps_created);
45255- target_stat_values[++index] = atomic_read(&pau_qps_destroyed);
45256+ target_stat_values[++index] = atomic_read_unchecked(&pau_qps_created);
45257+ target_stat_values[++index] = atomic_read_unchecked(&pau_qps_destroyed);
45258 }
45259
45260 /**
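Review bot: Each `atomic_read_unchecked()` result is a signed `int` stored straight into `target_stat_values[]`, and these counters are now explicitly allowed to wrap. A value past INT_MAX would be sign-extended if the array is the u64 buffer that ethtool statistics callbacks normally receive (the parameter's type is outside the hunk). Casting at the read keeps the reported value in 32-bit range, e.g. `target_stat_values[++index] = (u32)atomic_read_unchecked(&cm_connects);`, and likewise for the other converted lines in this hunk. The function begins before the hunk.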
45261diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
45262index fbc43e5..3672792 100644
45263--- a/drivers/infiniband/hw/nes/nes_verbs.c
45264+++ b/drivers/infiniband/hw/nes/nes_verbs.c
45265@@ -46,9 +46,9 @@
45266
45267 #include <rdma/ib_umem.h>
45268
45269-atomic_t mod_qp_timouts;
45270-atomic_t qps_created;
45271-atomic_t sw_qps_destroyed;
45272+atomic_unchecked_t mod_qp_timouts;
45273+atomic_unchecked_t qps_created;
45274+atomic_unchecked_t sw_qps_destroyed;
45275
45276 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
45277
45278@@ -1137,7 +1137,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
45279 if (init_attr->create_flags)
45280 return ERR_PTR(-EINVAL);
45281
45282- atomic_inc(&qps_created);
45283+ atomic_inc_unchecked(&qps_created);
45284 switch (init_attr->qp_type) {
45285 case IB_QPT_RC:
45286 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
45287@@ -1471,7 +1471,7 @@ static int nes_destroy_qp(struct ib_qp *ibqp)
45288 struct iw_cm_event cm_event;
45289 int ret = 0;
45290
45291- atomic_inc(&sw_qps_destroyed);
45292+ atomic_inc_unchecked(&sw_qps_destroyed);
45293 nesqp->destroyed = 1;
45294
45295 /* Blow away the connection if it exists. */
45296diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h
45297index 7df16f7..7e1b21e 100644
45298--- a/drivers/infiniband/hw/qib/qib.h
45299+++ b/drivers/infiniband/hw/qib/qib.h
45300@@ -52,6 +52,7 @@
45301 #include <linux/kref.h>
45302 #include <linux/sched.h>
45303 #include <linux/kthread.h>
45304+#include <linux/slab.h>
45305
45306 #include "qib_common.h"
45307 #include "qib_verbs.h"
45308diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45309index cdc7df4..a2fdfdb 100644
45310--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45311+++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45312@@ -156,7 +156,7 @@ static size_t ipoib_get_size(const struct net_device *dev)
45313 nla_total_size(2); /* IFLA_IPOIB_UMCAST */
45314 }
45315
45316-static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
45317+static struct rtnl_link_ops ipoib_link_ops = {
45318 .kind = "ipoib",
45319 .maxtype = IFLA_IPOIB_MAX,
45320 .policy = ipoib_policy,
45321diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c
45322index e853a21..56fc5a8 100644
45323--- a/drivers/input/gameport/gameport.c
45324+++ b/drivers/input/gameport/gameport.c
45325@@ -527,14 +527,14 @@ EXPORT_SYMBOL(gameport_set_phys);
45326 */
45327 static void gameport_init_port(struct gameport *gameport)
45328 {
45329- static atomic_t gameport_no = ATOMIC_INIT(-1);
45330+ static atomic_unchecked_t gameport_no = ATOMIC_INIT(-1);
45331
45332 __module_get(THIS_MODULE);
45333
45334 mutex_init(&gameport->drv_mutex);
45335 device_initialize(&gameport->dev);
45336 dev_set_name(&gameport->dev, "gameport%lu",
45337- (unsigned long)atomic_inc_return(&gameport_no));
45338+ (unsigned long)atomic_inc_return_unchecked(&gameport_no));
45339 gameport->dev.bus = &gameport_bus;
45340 gameport->dev.release = gameport_release_port;
45341 if (gameport->parent)
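Review bot: `gameport_no` only generates the numeric suffix of the device name, which is presumably why it moves to `atomic_unchecked_t`, but nothing in the code says so. A comment on the declaration such as `/* name suffix generator, not a reference count; wraparound is tolerated */` would record why it is exempt from overflow detection. The same comment fits `input_no` in input.c, `led_seq` in xpad.c, `device_no` in ims-pcu.c, `serio_no` in serio.c and `serio_raw_no` in serio_raw.c. After a wrap the `(unsigned long)` cast of a negative `int` sign-extends on 64-bit builds and a reused number could collide with a device that is still registered, while the return value of `dev_set_name()` is not checked in this hunk. gameport_init_port continues past the hunk.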
45342diff --git a/drivers/input/input.c b/drivers/input/input.c
45343index 78d2499..1f0318e 100644
45344--- a/drivers/input/input.c
45345+++ b/drivers/input/input.c
45346@@ -1775,7 +1775,7 @@ EXPORT_SYMBOL_GPL(input_class);
45347 */
45348 struct input_dev *input_allocate_device(void)
45349 {
45350- static atomic_t input_no = ATOMIC_INIT(-1);
45351+ static atomic_unchecked_t input_no = ATOMIC_INIT(-1);
45352 struct input_dev *dev;
45353
45354 dev = kzalloc(sizeof(struct input_dev), GFP_KERNEL);
45355@@ -1790,7 +1790,7 @@ struct input_dev *input_allocate_device(void)
45356 INIT_LIST_HEAD(&dev->node);
45357
45358 dev_set_name(&dev->dev, "input%lu",
45359- (unsigned long)atomic_inc_return(&input_no));
45360+ (unsigned long)atomic_inc_return_unchecked(&input_no));
45361
45362 __module_get(THIS_MODULE);
45363 }
45364diff --git a/drivers/input/joystick/sidewinder.c b/drivers/input/joystick/sidewinder.c
45365index 4a95b22..874c182 100644
45366--- a/drivers/input/joystick/sidewinder.c
45367+++ b/drivers/input/joystick/sidewinder.c
45368@@ -30,6 +30,7 @@
45369 #include <linux/kernel.h>
45370 #include <linux/module.h>
45371 #include <linux/slab.h>
45372+#include <linux/sched.h>
45373 #include <linux/input.h>
45374 #include <linux/gameport.h>
45375 #include <linux/jiffies.h>
45376diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
45377index f8850f9..9708a2d 100644
45378--- a/drivers/input/joystick/xpad.c
45379+++ b/drivers/input/joystick/xpad.c
45380@@ -959,7 +959,7 @@ static void xpad_led_set(struct led_classdev *led_cdev,
45381
45382 static int xpad_led_probe(struct usb_xpad *xpad)
45383 {
45384- static atomic_t led_seq = ATOMIC_INIT(-1);
45385+ static atomic_unchecked_t led_seq = ATOMIC_INIT(-1);
45386 struct xpad_led *led;
45387 struct led_classdev *led_cdev;
45388 int error;
45389@@ -971,7 +971,7 @@ static int xpad_led_probe(struct usb_xpad *xpad)
45390 if (!led)
45391 return -ENOMEM;
45392
45393- xpad->led_no = atomic_inc_return(&led_seq);
45394+ xpad->led_no = atomic_inc_return_unchecked(&led_seq);
45395
45396 snprintf(led->name, sizeof(led->name), "xpad%lu", xpad->led_no);
45397 led->xpad = xpad;
45398diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
45399index ac1fa5f..5f7502c 100644
45400--- a/drivers/input/misc/ims-pcu.c
45401+++ b/drivers/input/misc/ims-pcu.c
45402@@ -1851,7 +1851,7 @@ static int ims_pcu_identify_type(struct ims_pcu *pcu, u8 *device_id)
45403
45404 static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
45405 {
45406- static atomic_t device_no = ATOMIC_INIT(-1);
45407+ static atomic_unchecked_t device_no = ATOMIC_INIT(-1);
45408
45409 const struct ims_pcu_device_info *info;
45410 int error;
45411@@ -1882,7 +1882,7 @@ static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
45412 }
45413
45414 /* Device appears to be operable, complete initialization */
45415- pcu->device_no = atomic_inc_return(&device_no);
45416+ pcu->device_no = atomic_inc_return_unchecked(&device_no);
45417
45418 /*
45419 * PCU-B devices, both GEN_1 and GEN_2 do not have OFN sensor
45420diff --git a/drivers/input/mouse/psmouse.h b/drivers/input/mouse/psmouse.h
45421index ad5a5a1..5eac214 100644
45422--- a/drivers/input/mouse/psmouse.h
45423+++ b/drivers/input/mouse/psmouse.h
45424@@ -125,7 +125,7 @@ struct psmouse_attribute {
45425 ssize_t (*set)(struct psmouse *psmouse, void *data,
45426 const char *buf, size_t count);
45427 bool protect;
45428-};
45429+} __do_const;
45430 #define to_psmouse_attr(a) container_of((a), struct psmouse_attribute, dattr)
45431
45432 ssize_t psmouse_attr_show_helper(struct device *dev, struct device_attribute *attr,
45433diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
45434index b604564..3f14ae4 100644
45435--- a/drivers/input/mousedev.c
45436+++ b/drivers/input/mousedev.c
45437@@ -744,7 +744,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer,
45438
45439 spin_unlock_irq(&client->packet_lock);
45440
45441- if (copy_to_user(buffer, data, count))
45442+ if (count > sizeof(data) || copy_to_user(buffer, data, count))
45443 return -EFAULT;
45444
45445 return count;
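Review bot: The added `count > sizeof(data)` test sits directly in front of `copy_to_user()`, so it keeps an over-long read of the stack buffer from reaching userspace but does not cover any earlier copy into `data` that uses the same `count`. The function starts outside the hunk, so whether `data` is filled with this `count` before the lock is dropped cannot be seen here; if it is, the bound belongs before that copy. Returning `-EFAULT` also reports a broken kernel-side length as a bad user pointer; a separate branch such as `if (WARN_ON_ONCE(count > sizeof(data))) return -EIO;` would make the violation visible in the log. `sizeof(data)` is the buffer size only if `data` is declared as an array rather than a pointer, which should be confirmed against the declaration.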
45446diff --git a/drivers/input/serio/serio.c b/drivers/input/serio/serio.c
45447index a05a517..323a2fd 100644
45448--- a/drivers/input/serio/serio.c
45449+++ b/drivers/input/serio/serio.c
45450@@ -514,7 +514,7 @@ static void serio_release_port(struct device *dev)
45451 */
45452 static void serio_init_port(struct serio *serio)
45453 {
45454- static atomic_t serio_no = ATOMIC_INIT(-1);
45455+ static atomic_unchecked_t serio_no = ATOMIC_INIT(-1);
45456
45457 __module_get(THIS_MODULE);
45458
45459@@ -525,7 +525,7 @@ static void serio_init_port(struct serio *serio)
45460 mutex_init(&serio->drv_mutex);
45461 device_initialize(&serio->dev);
45462 dev_set_name(&serio->dev, "serio%lu",
45463- (unsigned long)atomic_inc_return(&serio_no));
45464+ (unsigned long)atomic_inc_return_unchecked(&serio_no));
45465 serio->dev.bus = &serio_bus;
45466 serio->dev.release = serio_release_port;
45467 serio->dev.groups = serio_device_attr_groups;
45468diff --git a/drivers/input/serio/serio_raw.c b/drivers/input/serio/serio_raw.c
45469index 71ef5d6..93380a9 100644
45470--- a/drivers/input/serio/serio_raw.c
45471+++ b/drivers/input/serio/serio_raw.c
45472@@ -292,7 +292,7 @@ static irqreturn_t serio_raw_interrupt(struct serio *serio, unsigned char data,
45473
45474 static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
45475 {
45476- static atomic_t serio_raw_no = ATOMIC_INIT(-1);
45477+ static atomic_unchecked_t serio_raw_no = ATOMIC_INIT(-1);
45478 struct serio_raw *serio_raw;
45479 int err;
45480
45481@@ -303,7 +303,7 @@ static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
45482 }
45483
45484 snprintf(serio_raw->name, sizeof(serio_raw->name),
45485- "serio_raw%ld", (long)atomic_inc_return(&serio_raw_no));
45486+ "serio_raw%ld", (long)atomic_inc_return_unchecked(&serio_raw_no));
45487 kref_init(&serio_raw->kref);
45488 INIT_LIST_HEAD(&serio_raw->client_list);
45489 init_waitqueue_head(&serio_raw->wait);
45490diff --git a/drivers/input/touchscreen/htcpen.c b/drivers/input/touchscreen/htcpen.c
45491index 92e2243..8fd9092 100644
45492--- a/drivers/input/touchscreen/htcpen.c
45493+++ b/drivers/input/touchscreen/htcpen.c
45494@@ -219,7 +219,7 @@ static struct isa_driver htcpen_isa_driver = {
45495 }
45496 };
45497
45498-static struct dmi_system_id htcshift_dmi_table[] __initdata = {
45499+static const struct dmi_system_id htcshift_dmi_table[] __initconst = {
45500 {
45501 .ident = "Shift",
45502 .matches = {
45503diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
45504index 658ee39..6fde5be 100644
45505--- a/drivers/iommu/amd_iommu.c
45506+++ b/drivers/iommu/amd_iommu.c
45507@@ -794,11 +794,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
45508
45509 static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
45510 {
45511+ phys_addr_t physaddr;
45512 WARN_ON(address & 0x7ULL);
45513
45514 memset(cmd, 0, sizeof(*cmd));
45515- cmd->data[0] = lower_32_bits(__pa(address)) | CMD_COMPL_WAIT_STORE_MASK;
45516- cmd->data[1] = upper_32_bits(__pa(address));
45517+
45518+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
45519+ if (object_starts_on_stack((void *)address)) {
45520+ void *adjbuf = (void *)address - current->stack + current->lowmem_stack;
45521+ physaddr = __pa((u64)adjbuf);
45522+ } else
45523+#endif
45524+ physaddr = __pa(address);
45525+
45526+ cmd->data[0] = lower_32_bits(physaddr) | CMD_COMPL_WAIT_STORE_MASK;
45527+ cmd->data[1] = upper_32_bits(physaddr);
45528 cmd->data[2] = 1;
45529 CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
45530 }
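Review bot: The `else` that closes the CONFIG_GRKERNSEC_KSTACKOVERFLOW block in build_completion_wait() binds to the `physaddr = __pa(address);` statement placed after `#endif`, so the control flow only reads correctly once the preprocessor has run. Bracing both arms inside the `#ifdef` and giving the non-stack case its own `#else` branch would stop a later edit from silently changing which statement is conditional. The block also has no comment on why a stack address is rebased onto `current->lowmem_stack` before `__pa()`. Presumably the task stack is outside the linear mapping under this option, and a line such as `/* stack may not be in the linear map: translate to its lowmem alias first */` would record that once confirmed. The arithmetic on `(void *)address` relies on the GNU void-pointer extension.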
45531diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
45532index 4cd0c29..afd3cbe 100644
45533--- a/drivers/iommu/arm-smmu.c
45534+++ b/drivers/iommu/arm-smmu.c
45535@@ -330,7 +330,7 @@ enum arm_smmu_domain_stage {
45536
45537 struct arm_smmu_domain {
45538 struct arm_smmu_device *smmu;
45539- struct io_pgtable_ops *pgtbl_ops;
45540+ struct io_pgtable *pgtbl;
45541 spinlock_t pgtbl_lock;
45542 struct arm_smmu_cfg cfg;
45543 enum arm_smmu_domain_stage stage;
45544@@ -816,7 +816,7 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
45545 {
45546 int irq, start, ret = 0;
45547 unsigned long ias, oas;
45548- struct io_pgtable_ops *pgtbl_ops;
45549+ struct io_pgtable *pgtbl;
45550 struct io_pgtable_cfg pgtbl_cfg;
45551 enum io_pgtable_fmt fmt;
45552 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
45553@@ -901,14 +901,16 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
45554 };
45555
45556 smmu_domain->smmu = smmu;
45557- pgtbl_ops = alloc_io_pgtable_ops(fmt, &pgtbl_cfg, smmu_domain);
45558- if (!pgtbl_ops) {
45559+ pgtbl = alloc_io_pgtable(fmt, &pgtbl_cfg, smmu_domain);
45560+ if (!pgtbl) {
45561 ret = -ENOMEM;
45562 goto out_clear_smmu;
45563 }
45564
45565 /* Update our support page sizes to reflect the page table format */
45566- arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
45567+ pax_open_kernel();
45568+ *(unsigned long *)&arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
45569+ pax_close_kernel();
45570
45571 /* Initialise the context bank with our page table cfg */
45572 arm_smmu_init_context_bank(smmu_domain, &pgtbl_cfg);
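Review bot: The store `*(unsigned long *)&arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;` casts through whatever qualifier now protects arm_smmu_ops and is bracketed by pax_open_kernel()/pax_close_kernel(), but nothing at the site says why. A short comment such as `/* arm_smmu_ops is read-only; open a write window for this single store */` would keep someone from dropping the cast or adding unrelated work inside the window. This presumes the structure is made read-only elsewhere in the patch, which the hunk does not show. The same pattern appears in the arm_smmu_device_cfg_probe() hunk (`&= size`). arm_smmu_init_domain_context() begins and ends outside the hunk.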
45573@@ -929,7 +931,7 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
45574 mutex_unlock(&smmu_domain->init_mutex);
45575
45576 /* Publish page table ops for map/unmap */
45577- smmu_domain->pgtbl_ops = pgtbl_ops;
45578+ smmu_domain->pgtbl = pgtbl;
45579 return 0;
45580
45581 out_clear_smmu:
45582@@ -962,8 +964,7 @@ static void arm_smmu_destroy_domain_context(struct iommu_domain *domain)
45583 free_irq(irq, domain);
45584 }
45585
45586- if (smmu_domain->pgtbl_ops)
45587- free_io_pgtable_ops(smmu_domain->pgtbl_ops);
45588+ free_io_pgtable(smmu_domain->pgtbl);
45589
45590 __arm_smmu_free_bitmap(smmu->context_map, cfg->cbndx);
45591 }
45592@@ -1189,13 +1190,13 @@ static int arm_smmu_map(struct iommu_domain *domain, unsigned long iova,
45593 int ret;
45594 unsigned long flags;
45595 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
45596- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
45597+ struct io_pgtable *iop = smmu_domain->pgtbl;
45598
45599- if (!ops)
45600+ if (!iop)
45601 return -ENODEV;
45602
45603 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
45604- ret = ops->map(ops, iova, paddr, size, prot);
45605+ ret = iop->ops->map(iop, iova, paddr, size, prot);
45606 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
45607 return ret;
45608 }
45609@@ -1206,13 +1207,13 @@ static size_t arm_smmu_unmap(struct iommu_domain *domain, unsigned long iova,
45610 size_t ret;
45611 unsigned long flags;
45612 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
45613- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
45614+ struct io_pgtable *iop = smmu_domain->pgtbl;
45615
45616- if (!ops)
45617+ if (!iop)
45618 return 0;
45619
45620 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
45621- ret = ops->unmap(ops, iova, size);
45622+ ret = iop->ops->unmap(iop, iova, size);
45623 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
45624 return ret;
45625 }
45626@@ -1223,7 +1224,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
45627 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
45628 struct arm_smmu_device *smmu = smmu_domain->smmu;
45629 struct arm_smmu_cfg *cfg = &smmu_domain->cfg;
45630- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
45631+ struct io_pgtable *iop = smmu_domain->pgtbl;
45632 struct device *dev = smmu->dev;
45633 void __iomem *cb_base;
45634 u32 tmp;
45635@@ -1246,7 +1247,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
45636 dev_err(dev,
45637 "iova to phys timed out on 0x%pad. Falling back to software table walk.\n",
45638 &iova);
45639- return ops->iova_to_phys(ops, iova);
45640+ return iop->ops->iova_to_phys(iop, iova);
45641 }
45642
45643 phys = readl_relaxed(cb_base + ARM_SMMU_CB_PAR_LO);
45644@@ -1267,9 +1268,9 @@ static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
45645 phys_addr_t ret;
45646 unsigned long flags;
45647 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
45648- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
45649+ struct io_pgtable *iop = smmu_domain->pgtbl;
45650
45651- if (!ops)
45652+ if (!iop)
45653 return 0;
45654
45655 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
45656@@ -1277,7 +1278,7 @@ static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
45657 smmu_domain->stage == ARM_SMMU_DOMAIN_S1) {
45658 ret = arm_smmu_iova_to_phys_hard(domain, iova);
45659 } else {
45660- ret = ops->iova_to_phys(ops, iova);
45661+ ret = iop->ops->iova_to_phys(iop, iova);
45662 }
45663
45664 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
45665@@ -1667,7 +1668,9 @@ static int arm_smmu_device_cfg_probe(struct arm_smmu_device *smmu)
45666 size |= SZ_64K | SZ_512M;
45667 }
45668
45669- arm_smmu_ops.pgsize_bitmap &= size;
45670+ pax_open_kernel();
45671+ *(unsigned long *)&arm_smmu_ops.pgsize_bitmap &= size;
45672+ pax_close_kernel();
45673 dev_notice(smmu->dev, "\tSupported page sizes: 0x%08lx\n", size);
45674
45675 if (smmu->features & ARM_SMMU_FEAT_TRANS_S1)
45676diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
45677index e29d5d7..e5eeb3e 100644
45678--- a/drivers/iommu/io-pgtable-arm.c
45679+++ b/drivers/iommu/io-pgtable-arm.c
45680@@ -36,12 +36,6 @@
45681 #define io_pgtable_to_data(x) \
45682 container_of((x), struct arm_lpae_io_pgtable, iop)
45683
45684-#define io_pgtable_ops_to_pgtable(x) \
45685- container_of((x), struct io_pgtable, ops)
45686-
45687-#define io_pgtable_ops_to_data(x) \
45688- io_pgtable_to_data(io_pgtable_ops_to_pgtable(x))
45689-
45690 /*
45691 * For consistency with the architecture, we always consider
45692 * ARM_LPAE_MAX_LEVELS levels, with the walk starting at level n >=0
45693@@ -319,10 +313,10 @@ static arm_lpae_iopte arm_lpae_prot_to_pte(struct arm_lpae_io_pgtable *data,
45694 return pte;
45695 }
45696
45697-static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
45698+static int arm_lpae_map(struct io_pgtable *iop, unsigned long iova,
45699 phys_addr_t paddr, size_t size, int iommu_prot)
45700 {
45701- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
45702+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
45703 arm_lpae_iopte *ptep = data->pgd;
45704 int lvl = ARM_LPAE_START_LVL(data);
45705 arm_lpae_iopte prot;
45706@@ -462,12 +456,11 @@ static int __arm_lpae_unmap(struct arm_lpae_io_pgtable *data,
45707 return __arm_lpae_unmap(data, iova, size, lvl + 1, ptep);
45708 }
45709
45710-static int arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova,
45711+static int arm_lpae_unmap(struct io_pgtable *iop, unsigned long iova,
45712 size_t size)
45713 {
45714 size_t unmapped;
45715- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
45716- struct io_pgtable *iop = &data->iop;
45717+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
45718 arm_lpae_iopte *ptep = data->pgd;
45719 int lvl = ARM_LPAE_START_LVL(data);
45720
45721@@ -478,10 +471,10 @@ static int arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova,
45722 return unmapped;
45723 }
45724
45725-static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable_ops *ops,
45726+static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable *iop,
45727 unsigned long iova)
45728 {
45729- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
45730+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
45731 arm_lpae_iopte pte, *ptep = data->pgd;
45732 int lvl = ARM_LPAE_START_LVL(data);
45733
45734@@ -548,6 +541,12 @@ static void arm_lpae_restrict_pgsizes(struct io_pgtable_cfg *cfg)
45735 }
45736 }
45737
45738+static struct io_pgtable_ops arm_lpae_io_pgtable_ops = {
45739+ .map = arm_lpae_map,
45740+ .unmap = arm_lpae_unmap,
45741+ .iova_to_phys = arm_lpae_iova_to_phys,
45742+};
45743+
45744 static struct arm_lpae_io_pgtable *
45745 arm_lpae_alloc_pgtable(struct io_pgtable_cfg *cfg)
45746 {
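Review bot: `arm_lpae_io_pgtable_ops` is defined as a plain `static struct io_pgtable_ops`, although the io-pgtable.h change in this patch makes the `ops` member a `const struct io_pgtable_ops *` and none of the visible hunks writes to the table. Declaring it `static const struct io_pgtable_ops arm_lpae_io_pgtable_ops = {` states the intent in the source. It also keeps the function pointers in read-only data without depending on any build-time constification, if that is what is relied on here (not visible in the hunk).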
45747@@ -579,11 +578,7 @@ arm_lpae_alloc_pgtable(struct io_pgtable_cfg *cfg)
45748 pgd_bits = va_bits - (data->bits_per_level * (data->levels - 1));
45749 data->pgd_size = 1UL << (pgd_bits + ilog2(sizeof(arm_lpae_iopte)));
45750
45751- data->iop.ops = (struct io_pgtable_ops) {
45752- .map = arm_lpae_map,
45753- .unmap = arm_lpae_unmap,
45754- .iova_to_phys = arm_lpae_iova_to_phys,
45755- };
45756+ data->iop.ops = &arm_lpae_io_pgtable_ops;
45757
45758 return data;
45759 }
45760@@ -845,9 +840,9 @@ static struct iommu_gather_ops dummy_tlb_ops __initdata = {
45761 .flush_pgtable = dummy_flush_pgtable,
45762 };
45763
45764-static void __init arm_lpae_dump_ops(struct io_pgtable_ops *ops)
45765+static void __init arm_lpae_dump_ops(struct io_pgtable *iop)
45766 {
45767- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
45768+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
45769 struct io_pgtable_cfg *cfg = &data->iop.cfg;
45770
45771 pr_err("cfg: pgsize_bitmap 0x%lx, ias %u-bit\n",
45772@@ -857,9 +852,9 @@ static void __init arm_lpae_dump_ops(struct io_pgtable_ops *ops)
45773 data->bits_per_level, data->pgd);
45774 }
45775
45776-#define __FAIL(ops, i) ({ \
45777+#define __FAIL(iop, i) ({ \
45778 WARN(1, "selftest: test failed for fmt idx %d\n", (i)); \
45779- arm_lpae_dump_ops(ops); \
45780+ arm_lpae_dump_ops(iop); \
45781 selftest_running = false; \
45782 -EFAULT; \
45783 })
45784@@ -874,30 +869,32 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
45785 int i, j;
45786 unsigned long iova;
45787 size_t size;
45788- struct io_pgtable_ops *ops;
45789+ struct io_pgtable *iop;
45790+ const struct io_pgtable_ops *ops;
45791
45792 selftest_running = true;
45793
45794 for (i = 0; i < ARRAY_SIZE(fmts); ++i) {
45795 cfg_cookie = cfg;
45796- ops = alloc_io_pgtable_ops(fmts[i], cfg, cfg);
45797- if (!ops) {
45798+ iop = alloc_io_pgtable(fmts[i], cfg, cfg);
45799+ if (!iop) {
45800 pr_err("selftest: failed to allocate io pgtable ops\n");
45801 return -ENOMEM;
45802 }
45803+ ops = iop->ops;
45804
45805 /*
45806 * Initial sanity checks.
45807 * Empty page tables shouldn't provide any translations.
45808 */
45809- if (ops->iova_to_phys(ops, 42))
45810- return __FAIL(ops, i);
45811+ if (ops->iova_to_phys(iop, 42))
45812+ return __FAIL(iop, i);
45813
45814- if (ops->iova_to_phys(ops, SZ_1G + 42))
45815- return __FAIL(ops, i);
45816+ if (ops->iova_to_phys(iop, SZ_1G + 42))
45817+ return __FAIL(iop, i);
45818
45819- if (ops->iova_to_phys(ops, SZ_2G + 42))
45820- return __FAIL(ops, i);
45821+ if (ops->iova_to_phys(iop, SZ_2G + 42))
45822+ return __FAIL(iop, i);
45823
45824 /*
45825 * Distinct mappings of different granule sizes.
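Review bot: Every `return __FAIL(iop, i);` in arm_lpae_run_tests() leaves the table obtained from alloc_io_pgtable() allocated, because free_io_pgtable(iop) is only reached at the bottom of the loop body in a later hunk. Since the conversion already touches each of these returns and the macro, the failure path could release the table there, for example by adding `free_io_pgtable(iop); \` after `arm_lpae_dump_ops(iop); \` in `__FAIL`. This is `__init` selftest code, so the leak is bounded, but the message `"selftest: failed to allocate io pgtable ops\n"` and the missing cleanup both still describe the old ops-based interface. The function starts before and continues after this hunk.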
45826@@ -907,19 +904,19 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
45827 while (j != BITS_PER_LONG) {
45828 size = 1UL << j;
45829
45830- if (ops->map(ops, iova, iova, size, IOMMU_READ |
45831+ if (ops->map(iop, iova, iova, size, IOMMU_READ |
45832 IOMMU_WRITE |
45833 IOMMU_NOEXEC |
45834 IOMMU_CACHE))
45835- return __FAIL(ops, i);
45836+ return __FAIL(iop, i);
45837
45838 /* Overlapping mappings */
45839- if (!ops->map(ops, iova, iova + size, size,
45840+ if (!ops->map(iop, iova, iova + size, size,
45841 IOMMU_READ | IOMMU_NOEXEC))
45842- return __FAIL(ops, i);
45843+ return __FAIL(iop, i);
45844
45845- if (ops->iova_to_phys(ops, iova + 42) != (iova + 42))
45846- return __FAIL(ops, i);
45847+ if (ops->iova_to_phys(iop, iova + 42) != (iova + 42))
45848+ return __FAIL(iop, i);
45849
45850 iova += SZ_1G;
45851 j++;
45852@@ -928,15 +925,15 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
45853
45854 /* Partial unmap */
45855 size = 1UL << __ffs(cfg->pgsize_bitmap);
45856- if (ops->unmap(ops, SZ_1G + size, size) != size)
45857- return __FAIL(ops, i);
45858+ if (ops->unmap(iop, SZ_1G + size, size) != size)
45859+ return __FAIL(iop, i);
45860
45861 /* Remap of partial unmap */
45862- if (ops->map(ops, SZ_1G + size, size, size, IOMMU_READ))
45863- return __FAIL(ops, i);
45864+ if (ops->map(iop, SZ_1G + size, size, size, IOMMU_READ))
45865+ return __FAIL(iop, i);
45866
45867- if (ops->iova_to_phys(ops, SZ_1G + size + 42) != (size + 42))
45868- return __FAIL(ops, i);
45869+ if (ops->iova_to_phys(iop, SZ_1G + size + 42) != (size + 42))
45870+ return __FAIL(iop, i);
45871
45872 /* Full unmap */
45873 iova = 0;
45874@@ -944,25 +941,25 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
45875 while (j != BITS_PER_LONG) {
45876 size = 1UL << j;
45877
45878- if (ops->unmap(ops, iova, size) != size)
45879- return __FAIL(ops, i);
45880+ if (ops->unmap(iop, iova, size) != size)
45881+ return __FAIL(iop, i);
45882
45883- if (ops->iova_to_phys(ops, iova + 42))
45884- return __FAIL(ops, i);
45885+ if (ops->iova_to_phys(iop, iova + 42))
45886+ return __FAIL(iop, i);
45887
45888 /* Remap full block */
45889- if (ops->map(ops, iova, iova, size, IOMMU_WRITE))
45890- return __FAIL(ops, i);
45891+ if (ops->map(iop, iova, iova, size, IOMMU_WRITE))
45892+ return __FAIL(iop, i);
45893
45894- if (ops->iova_to_phys(ops, iova + 42) != (iova + 42))
45895- return __FAIL(ops, i);
45896+ if (ops->iova_to_phys(iop, iova + 42) != (iova + 42))
45897+ return __FAIL(iop, i);
45898
45899 iova += SZ_1G;
45900 j++;
45901 j = find_next_bit(&cfg->pgsize_bitmap, BITS_PER_LONG, j);
45902 }
45903
45904- free_io_pgtable_ops(ops);
45905+ free_io_pgtable(iop);
45906 }
45907
45908 selftest_running = false;
45909diff --git a/drivers/iommu/io-pgtable.c b/drivers/iommu/io-pgtable.c
45910index 6436fe2..088c965 100644
45911--- a/drivers/iommu/io-pgtable.c
45912+++ b/drivers/iommu/io-pgtable.c
45913@@ -40,7 +40,7 @@ io_pgtable_init_table[IO_PGTABLE_NUM_FMTS] =
45914 #endif
45915 };
45916
45917-struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
45918+struct io_pgtable *alloc_io_pgtable(enum io_pgtable_fmt fmt,
45919 struct io_pgtable_cfg *cfg,
45920 void *cookie)
45921 {
45922@@ -62,21 +62,18 @@ struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
45923 iop->cookie = cookie;
45924 iop->cfg = *cfg;
45925
45926- return &iop->ops;
45927+ return iop;
45928 }
45929
45930 /*
45931 * It is the IOMMU driver's responsibility to ensure that the page table
45932 * is no longer accessible to the walker by this point.
45933 */
45934-void free_io_pgtable_ops(struct io_pgtable_ops *ops)
45935+void free_io_pgtable(struct io_pgtable *iop)
45936 {
45937- struct io_pgtable *iop;
45938-
45939- if (!ops)
45940+ if (!iop)
45941 return;
45942
45943- iop = container_of(ops, struct io_pgtable, ops);
45944 iop->cfg.tlb->tlb_flush_all(iop->cookie);
45945 io_pgtable_init_table[iop->fmt]->free(iop);
45946 }
45947diff --git a/drivers/iommu/io-pgtable.h b/drivers/iommu/io-pgtable.h
45948index 10e32f6..0b276c8 100644
45949--- a/drivers/iommu/io-pgtable.h
45950+++ b/drivers/iommu/io-pgtable.h
45951@@ -75,17 +75,18 @@ struct io_pgtable_cfg {
45952 * These functions map directly onto the iommu_ops member functions with
45953 * the same names.
45954 */
45955+struct io_pgtable;
45956 struct io_pgtable_ops {
45957- int (*map)(struct io_pgtable_ops *ops, unsigned long iova,
45958+ int (*map)(struct io_pgtable *iop, unsigned long iova,
45959 phys_addr_t paddr, size_t size, int prot);
45960- int (*unmap)(struct io_pgtable_ops *ops, unsigned long iova,
45961+ int (*unmap)(struct io_pgtable *iop, unsigned long iova,
45962 size_t size);
45963- phys_addr_t (*iova_to_phys)(struct io_pgtable_ops *ops,
45964+ phys_addr_t (*iova_to_phys)(struct io_pgtable *iop,
45965 unsigned long iova);
45966 };
45967
45968 /**
45969- * alloc_io_pgtable_ops() - Allocate a page table allocator for use by an IOMMU.
45970+ * alloc_io_pgtable() - Allocate a page table allocator for use by an IOMMU.
45971 *
45972 * @fmt: The page table format.
45973 * @cfg: The page table configuration. This will be modified to represent
45974@@ -94,9 +95,9 @@ struct io_pgtable_ops {
45975 * @cookie: An opaque token provided by the IOMMU driver and passed back to
45976 * the callback routines in cfg->tlb.
45977 */
45978-struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
45979- struct io_pgtable_cfg *cfg,
45980- void *cookie);
45981+struct io_pgtable *alloc_io_pgtable(enum io_pgtable_fmt fmt,
45982+ struct io_pgtable_cfg *cfg,
45983+ void *cookie);
45984
45985 /**
45986 * free_io_pgtable_ops() - Free an io_pgtable_ops structure. The caller
45987@@ -105,7 +106,7 @@ struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
45988 *
45989 * @ops: The ops returned from alloc_io_pgtable_ops.
45990 */
45991-void free_io_pgtable_ops(struct io_pgtable_ops *ops);
45992+void free_io_pgtable(struct io_pgtable *iop);
45993
45994
45995 /*
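Review bot: The kerneldoc above free_io_pgtable() still reads `free_io_pgtable_ops() - Free an io_pgtable_ops structure.` and `@ops: The ops returned from alloc_io_pgtable_ops.`, so it documents a function name and a parameter that no longer exist after the rename. It should become `free_io_pgtable() - Free an io_pgtable structure.` with `@iop: The table returned from alloc_io_pgtable.`. The first of those lines is the trailing context of the previous hunk, and the `@ops` line is context in this one.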
45996@@ -125,7 +126,7 @@ struct io_pgtable {
45997 enum io_pgtable_fmt fmt;
45998 void *cookie;
45999 struct io_pgtable_cfg cfg;
46000- struct io_pgtable_ops ops;
46001+ const struct io_pgtable_ops *ops;
46002 };
46003
46004 /**
46005diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
46006index f286090..bac3e7e 100644
46007--- a/drivers/iommu/iommu.c
46008+++ b/drivers/iommu/iommu.c
46009@@ -934,7 +934,7 @@ static int iommu_bus_notifier(struct notifier_block *nb,
46010 static int iommu_bus_init(struct bus_type *bus, const struct iommu_ops *ops)
46011 {
46012 int err;
46013- struct notifier_block *nb;
46014+ notifier_block_no_const *nb;
46015 struct iommu_callback_data cb = {
46016 .ops = ops,
46017 };
46018diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c
46019index 1a67c53..23181d8 100644
46020--- a/drivers/iommu/ipmmu-vmsa.c
46021+++ b/drivers/iommu/ipmmu-vmsa.c
46022@@ -41,7 +41,7 @@ struct ipmmu_vmsa_domain {
46023 struct iommu_domain io_domain;
46024
46025 struct io_pgtable_cfg cfg;
46026- struct io_pgtable_ops *iop;
46027+ struct io_pgtable *iop;
46028
46029 unsigned int context_id;
46030 spinlock_t lock; /* Protects mappings */
46031@@ -328,8 +328,7 @@ static int ipmmu_domain_init_context(struct ipmmu_vmsa_domain *domain)
46032 domain->cfg.oas = 40;
46033 domain->cfg.tlb = &ipmmu_gather_ops;
46034
46035- domain->iop = alloc_io_pgtable_ops(ARM_32_LPAE_S1, &domain->cfg,
46036- domain);
46037+ domain->iop = alloc_io_pgtable(ARM_32_LPAE_S1, &domain->cfg, domain);
46038 if (!domain->iop)
46039 return -EINVAL;
46040
46041@@ -487,7 +486,7 @@ static void ipmmu_domain_free(struct iommu_domain *io_domain)
46042 * been detached.
46043 */
46044 ipmmu_domain_destroy_context(domain);
46045- free_io_pgtable_ops(domain->iop);
46046+ free_io_pgtable(domain->iop);
46047 kfree(domain);
46048 }
46049
46050@@ -556,7 +555,7 @@ static int ipmmu_map(struct iommu_domain *io_domain, unsigned long iova,
46051 if (!domain)
46052 return -ENODEV;
46053
46054- return domain->iop->map(domain->iop, iova, paddr, size, prot);
46055+ return domain->iop->ops->map(domain->iop, iova, paddr, size, prot);
46056 }
46057
46058 static size_t ipmmu_unmap(struct iommu_domain *io_domain, unsigned long iova,
46059@@ -564,7 +563,7 @@ static size_t ipmmu_unmap(struct iommu_domain *io_domain, unsigned long iova,
46060 {
46061 struct ipmmu_vmsa_domain *domain = to_vmsa_domain(io_domain);
46062
46063- return domain->iop->unmap(domain->iop, iova, size);
46064+ return domain->iop->ops->unmap(domain->iop, iova, size);
46065 }
46066
46067 static phys_addr_t ipmmu_iova_to_phys(struct iommu_domain *io_domain,
46068@@ -574,7 +573,7 @@ static phys_addr_t ipmmu_iova_to_phys(struct iommu_domain *io_domain,
46069
46070 /* TODO: Is locking needed ? */
46071
46072- return domain->iop->iova_to_phys(domain->iop, iova);
46073+ return domain->iop->ops->iova_to_phys(domain->iop, iova);
46074 }
46075
46076 static int ipmmu_find_utlbs(struct ipmmu_vmsa_device *mmu, struct device *dev,
46077diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c
46078index 2d99930..b8b358c 100644
46079--- a/drivers/iommu/irq_remapping.c
46080+++ b/drivers/iommu/irq_remapping.c
46081@@ -149,7 +149,7 @@ int __init irq_remap_enable_fault_handling(void)
46082 void panic_if_irq_remap(const char *msg)
46083 {
46084 if (irq_remapping_enabled)
46085- panic(msg);
46086+ panic("%s", msg);
46087 }
46088
46089 void ir_ack_apic_edge(struct irq_data *data)
46090diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
46091index 4dd8826..1f33400 100644
46092--- a/drivers/irqchip/irq-gic.c
46093+++ b/drivers/irqchip/irq-gic.c
46094@@ -313,7 +313,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc)
46095 chained_irq_exit(chip, desc);
46096 }
46097
46098-static struct irq_chip gic_chip = {
46099+static irq_chip_no_const gic_chip __read_only = {
46100 .name = "GIC",
46101 .irq_mask = gic_mask_irq,
46102 .irq_unmask = gic_unmask_irq,
46103diff --git a/drivers/irqchip/irq-renesas-intc-irqpin.c b/drivers/irqchip/irq-renesas-intc-irqpin.c
46104index 0670ab4..1094651 100644
46105--- a/drivers/irqchip/irq-renesas-intc-irqpin.c
46106+++ b/drivers/irqchip/irq-renesas-intc-irqpin.c
46107@@ -373,7 +373,7 @@ static int intc_irqpin_probe(struct platform_device *pdev)
46108 struct intc_irqpin_iomem *i;
46109 struct resource *io[INTC_IRQPIN_REG_NR];
46110 struct resource *irq;
46111- struct irq_chip *irq_chip;
46112+ irq_chip_no_const *irq_chip;
46113 void (*enable_fn)(struct irq_data *d);
46114 void (*disable_fn)(struct irq_data *d);
46115 const char *name = dev_name(dev);
46116diff --git a/drivers/irqchip/irq-renesas-irqc.c b/drivers/irqchip/irq-renesas-irqc.c
46117index 778bd07..0397152 100644
46118--- a/drivers/irqchip/irq-renesas-irqc.c
46119+++ b/drivers/irqchip/irq-renesas-irqc.c
46120@@ -176,7 +176,7 @@ static int irqc_probe(struct platform_device *pdev)
46121 struct irqc_priv *p;
46122 struct resource *io;
46123 struct resource *irq;
46124- struct irq_chip *irq_chip;
46125+ irq_chip_no_const *irq_chip;
46126 const char *name = dev_name(&pdev->dev);
46127 int ret;
46128 int k;
46129diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c
46130index 6a2df32..dc962f1 100644
46131--- a/drivers/isdn/capi/capi.c
46132+++ b/drivers/isdn/capi/capi.c
46133@@ -81,8 +81,8 @@ struct capiminor {
46134
46135 struct capi20_appl *ap;
46136 u32 ncci;
46137- atomic_t datahandle;
46138- atomic_t msgid;
46139+ atomic_unchecked_t datahandle;
46140+ atomic_unchecked_t msgid;
46141
46142 struct tty_port port;
46143 int ttyinstop;
46144@@ -391,7 +391,7 @@ gen_data_b3_resp_for(struct capiminor *mp, struct sk_buff *skb)
46145 capimsg_setu16(s, 2, mp->ap->applid);
46146 capimsg_setu8 (s, 4, CAPI_DATA_B3);
46147 capimsg_setu8 (s, 5, CAPI_RESP);
46148- capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
46149+ capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
46150 capimsg_setu32(s, 8, mp->ncci);
46151 capimsg_setu16(s, 12, datahandle);
46152 }
46153@@ -512,14 +512,14 @@ static void handle_minor_send(struct capiminor *mp)
46154 mp->outbytes -= len;
46155 spin_unlock_bh(&mp->outlock);
46156
46157- datahandle = atomic_inc_return(&mp->datahandle);
46158+ datahandle = atomic_inc_return_unchecked(&mp->datahandle);
46159 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
46160 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
46161 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
46162 capimsg_setu16(skb->data, 2, mp->ap->applid);
46163 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
46164 capimsg_setu8 (skb->data, 5, CAPI_REQ);
46165- capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
46166+ capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
46167 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
46168 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
46169 capimsg_setu16(skb->data, 16, len); /* Data length */
46170diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
46171index aecec6d..11e13c5 100644
46172--- a/drivers/isdn/gigaset/bas-gigaset.c
46173+++ b/drivers/isdn/gigaset/bas-gigaset.c
46174@@ -2565,22 +2565,22 @@ static int gigaset_post_reset(struct usb_interface *intf)
46175
46176
46177 static const struct gigaset_ops gigops = {
46178- gigaset_write_cmd,
46179- gigaset_write_room,
46180- gigaset_chars_in_buffer,
46181- gigaset_brkchars,
46182- gigaset_init_bchannel,
46183- gigaset_close_bchannel,
46184- gigaset_initbcshw,
46185- gigaset_freebcshw,
46186- gigaset_reinitbcshw,
46187- gigaset_initcshw,
46188- gigaset_freecshw,
46189- gigaset_set_modem_ctrl,
46190- gigaset_baud_rate,
46191- gigaset_set_line_ctrl,
46192- gigaset_isoc_send_skb,
46193- gigaset_isoc_input,
46194+ .write_cmd = gigaset_write_cmd,
46195+ .write_room = gigaset_write_room,
46196+ .chars_in_buffer = gigaset_chars_in_buffer,
46197+ .brkchars = gigaset_brkchars,
46198+ .init_bchannel = gigaset_init_bchannel,
46199+ .close_bchannel = gigaset_close_bchannel,
46200+ .initbcshw = gigaset_initbcshw,
46201+ .freebcshw = gigaset_freebcshw,
46202+ .reinitbcshw = gigaset_reinitbcshw,
46203+ .initcshw = gigaset_initcshw,
46204+ .freecshw = gigaset_freecshw,
46205+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46206+ .baud_rate = gigaset_baud_rate,
46207+ .set_line_ctrl = gigaset_set_line_ctrl,
46208+ .send_skb = gigaset_isoc_send_skb,
46209+ .handle_input = gigaset_isoc_input,
46210 };
46211
46212 /* bas_gigaset_init
46213diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c
46214index 600c79b..3752bab 100644
46215--- a/drivers/isdn/gigaset/interface.c
46216+++ b/drivers/isdn/gigaset/interface.c
46217@@ -130,9 +130,9 @@ static int if_open(struct tty_struct *tty, struct file *filp)
46218 }
46219 tty->driver_data = cs;
46220
46221- ++cs->port.count;
46222+ atomic_inc(&cs->port.count);
46223
46224- if (cs->port.count == 1) {
46225+ if (atomic_read(&cs->port.count) == 1) {
46226 tty_port_tty_set(&cs->port, tty);
46227 cs->port.low_latency = 1;
46228 }
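Review bot: if_open() now increments with `atomic_inc(&cs->port.count);` and then tests a separate `atomic_read(&cs->port.count) == 1`, whereas if_close() in the next hunk uses a single `atomic_dec_return()`. Writing `if (atomic_inc_return(&cs->port.count) == 1) {` keeps the two sides symmetric and makes the first-open test independent of whichever lock is held at this point. The `mutex_unlock(&cs->mutex)` visible in if_close() suggests a mutex covers it, but the lock site in if_open() is outside the hunk.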
46229@@ -156,9 +156,9 @@ static void if_close(struct tty_struct *tty, struct file *filp)
46230
46231 if (!cs->connected)
46232 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
46233- else if (!cs->port.count)
46234+ else if (!atomic_read(&cs->port.count))
46235 dev_warn(cs->dev, "%s: device not opened\n", __func__);
46236- else if (!--cs->port.count)
46237+ else if (!atomic_dec_return(&cs->port.count))
46238 tty_port_tty_set(&cs->port, NULL);
46239
46240 mutex_unlock(&cs->mutex);
46241diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
46242index 375be50..675293c 100644
46243--- a/drivers/isdn/gigaset/ser-gigaset.c
46244+++ b/drivers/isdn/gigaset/ser-gigaset.c
46245@@ -453,22 +453,22 @@ static int gigaset_set_line_ctrl(struct cardstate *cs, unsigned cflag)
46246 }
46247
46248 static const struct gigaset_ops ops = {
46249- gigaset_write_cmd,
46250- gigaset_write_room,
46251- gigaset_chars_in_buffer,
46252- gigaset_brkchars,
46253- gigaset_init_bchannel,
46254- gigaset_close_bchannel,
46255- gigaset_initbcshw,
46256- gigaset_freebcshw,
46257- gigaset_reinitbcshw,
46258- gigaset_initcshw,
46259- gigaset_freecshw,
46260- gigaset_set_modem_ctrl,
46261- gigaset_baud_rate,
46262- gigaset_set_line_ctrl,
46263- gigaset_m10x_send_skb, /* asyncdata.c */
46264- gigaset_m10x_input, /* asyncdata.c */
46265+ .write_cmd = gigaset_write_cmd,
46266+ .write_room = gigaset_write_room,
46267+ .chars_in_buffer = gigaset_chars_in_buffer,
46268+ .brkchars = gigaset_brkchars,
46269+ .init_bchannel = gigaset_init_bchannel,
46270+ .close_bchannel = gigaset_close_bchannel,
46271+ .initbcshw = gigaset_initbcshw,
46272+ .freebcshw = gigaset_freebcshw,
46273+ .reinitbcshw = gigaset_reinitbcshw,
46274+ .initcshw = gigaset_initcshw,
46275+ .freecshw = gigaset_freecshw,
46276+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46277+ .baud_rate = gigaset_baud_rate,
46278+ .set_line_ctrl = gigaset_set_line_ctrl,
46279+ .send_skb = gigaset_m10x_send_skb, /* asyncdata.c */
46280+ .handle_input = gigaset_m10x_input, /* asyncdata.c */
46281 };
46282
46283
46284diff --git a/drivers/isdn/gigaset/usb-gigaset.c b/drivers/isdn/gigaset/usb-gigaset.c
46285index 5f306e2..5342f88 100644
46286--- a/drivers/isdn/gigaset/usb-gigaset.c
46287+++ b/drivers/isdn/gigaset/usb-gigaset.c
46288@@ -543,7 +543,7 @@ static int gigaset_brkchars(struct cardstate *cs, const unsigned char buf[6])
46289 gigaset_dbg_buffer(DEBUG_USBREQ, "brkchars", 6, buf);
46290 memcpy(cs->hw.usb->bchars, buf, 6);
46291 return usb_control_msg(udev, usb_sndctrlpipe(udev, 0), 0x19, 0x41,
46292- 0, 0, &buf, 6, 2000);
46293+ 0, 0, buf, 6, 2000);
46294 }
46295
46296 static void gigaset_freebcshw(struct bc_state *bcs)
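Review bot: Passing `buf` rather than `&buf` corrects the transfer source, but `buf` is a `const unsigned char` parameter handed to usb_control_msg(), whose data argument is a non-const `void *` that is used for the transfer itself. The caller's array therefore has to be suitable for that, and the const qualifier is discarded. The line above has already copied the six bytes into `cs->hw.usb->bchars`. Sending from there, `0, 0, cs->hw.usb->bchars, 6, 2000);`, avoids both the qualifier discard and any dependence on where the caller's buffer lives. Whether `bchars` sits in separately allocated memory is not visible in the hunk and should be confirmed.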
46297@@ -862,22 +862,22 @@ static int gigaset_pre_reset(struct usb_interface *intf)
46298 }
46299
46300 static const struct gigaset_ops ops = {
46301- gigaset_write_cmd,
46302- gigaset_write_room,
46303- gigaset_chars_in_buffer,
46304- gigaset_brkchars,
46305- gigaset_init_bchannel,
46306- gigaset_close_bchannel,
46307- gigaset_initbcshw,
46308- gigaset_freebcshw,
46309- gigaset_reinitbcshw,
46310- gigaset_initcshw,
46311- gigaset_freecshw,
46312- gigaset_set_modem_ctrl,
46313- gigaset_baud_rate,
46314- gigaset_set_line_ctrl,
46315- gigaset_m10x_send_skb,
46316- gigaset_m10x_input,
46317+ .write_cmd = gigaset_write_cmd,
46318+ .write_room = gigaset_write_room,
46319+ .chars_in_buffer = gigaset_chars_in_buffer,
46320+ .brkchars = gigaset_brkchars,
46321+ .init_bchannel = gigaset_init_bchannel,
46322+ .close_bchannel = gigaset_close_bchannel,
46323+ .initbcshw = gigaset_initbcshw,
46324+ .freebcshw = gigaset_freebcshw,
46325+ .reinitbcshw = gigaset_reinitbcshw,
46326+ .initcshw = gigaset_initcshw,
46327+ .freecshw = gigaset_freecshw,
46328+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46329+ .baud_rate = gigaset_baud_rate,
46330+ .set_line_ctrl = gigaset_set_line_ctrl,
46331+ .send_skb = gigaset_m10x_send_skb,
46332+ .handle_input = gigaset_m10x_input,
46333 };
46334
46335 /*
46336diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c
46337index 4d9b195..455075c 100644
46338--- a/drivers/isdn/hardware/avm/b1.c
46339+++ b/drivers/isdn/hardware/avm/b1.c
46340@@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capiloaddatapart *t4file)
46341 }
46342 if (left) {
46343 if (t4file->user) {
46344- if (copy_from_user(buf, dp, left))
46345+ if (left > sizeof buf || copy_from_user(buf, dp, left))
46346 return -EFAULT;
46347 } else {
46348 memcpy(buf, dp, left);
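Review bot: The added `left > sizeof buf` test guards only the `copy_from_user()` arm, while the `memcpy(buf, dp, left);` in the `else` arm of b1_load_t4file() copies the same `left` bytes into the same `buf` with no bound. The b1_load_config() hunk that follows has the identical shape. Hoisting the check above the `if (t4file->user)` test, `if (left > sizeof buf) return -EINVAL;`, would cover both sources and report a size error instead of -EFAULT. How `left` and `buf` are derived is outside the hunk, so the check may be purely defensive.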
46349@@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capiloaddatapart *config)
46350 }
46351 if (left) {
46352 if (config->user) {
46353- if (copy_from_user(buf, dp, left))
46354+ if (left > sizeof buf || copy_from_user(buf, dp, left))
46355 return -EFAULT;
46356 } else {
46357 memcpy(buf, dp, left);
46358diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
46359index 9b856e1..fa03c92 100644
46360--- a/drivers/isdn/i4l/isdn_common.c
46361+++ b/drivers/isdn/i4l/isdn_common.c
46362@@ -1654,6 +1654,8 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
46363 } else
46364 return -EINVAL;
46365 case IIOCDBGVAR:
46366+ if (!capable(CAP_SYS_RAWIO))
46367+ return -EPERM;
46368 if (arg) {
46369 if (copy_to_user(argp, &dev, sizeof(ulong)))
46370 return -EFAULT;
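Review bot: The new `capable(CAP_SYS_RAWIO)` check in the IIOCDBGVAR case carries no comment saying what it protects. The following `copy_to_user(argp, &dev, sizeof(ulong))` hands the first word of `dev` to the caller, which looks like a kernel address, though the declaration of `dev` is outside the hunk. A line such as `/* discloses a kernel pointer: privileged callers only */` above the check would record the reason for the next reader. isdn_ioctl() continues outside the hunk.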
46371diff --git a/drivers/isdn/i4l/isdn_concap.c b/drivers/isdn/i4l/isdn_concap.c
46372index 91d5730..336523e 100644
46373--- a/drivers/isdn/i4l/isdn_concap.c
46374+++ b/drivers/isdn/i4l/isdn_concap.c
46375@@ -80,9 +80,9 @@ static int isdn_concap_dl_disconn_req(struct concap_proto *concap)
46376 }
46377
46378 struct concap_device_ops isdn_concap_reliable_dl_dops = {
46379- &isdn_concap_dl_data_req,
46380- &isdn_concap_dl_connect_req,
46381- &isdn_concap_dl_disconn_req
46382+ .data_req = &isdn_concap_dl_data_req,
46383+ .connect_req = &isdn_concap_dl_connect_req,
46384+ .disconn_req = &isdn_concap_dl_disconn_req
46385 };
46386
46387 /* The following should better go into a dedicated source file such that
46388diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
46389index bc91261..2ef7e36 100644
46390--- a/drivers/isdn/i4l/isdn_tty.c
46391+++ b/drivers/isdn/i4l/isdn_tty.c
46392@@ -1503,9 +1503,9 @@ isdn_tty_open(struct tty_struct *tty, struct file *filp)
46393
46394 #ifdef ISDN_DEBUG_MODEM_OPEN
46395 printk(KERN_DEBUG "isdn_tty_open %s, count = %d\n", tty->name,
46396- port->count);
46397+ atomic_read(&port->count));
46398 #endif
46399- port->count++;
46400+ atomic_inc(&port->count);
46401 port->tty = tty;
46402 /*
46403 * Start up serial port
46404@@ -1549,7 +1549,7 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp)
46405 #endif
46406 return;
46407 }
46408- if ((tty->count == 1) && (port->count != 1)) {
46409+ if ((tty->count == 1) && (atomic_read(&port->count) != 1)) {
46410 /*
46411 * Uh, oh. tty->count is 1, which means that the tty
46412 * structure will be freed. Info->count should always
46413@@ -1558,15 +1558,15 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp)
46414 * serial port won't be shutdown.
46415 */
46416 printk(KERN_ERR "isdn_tty_close: bad port count; tty->count is 1, "
46417- "info->count is %d\n", port->count);
46418- port->count = 1;
46419+ "info->count is %d\n", atomic_read(&port->count));
46420+ atomic_set(&port->count, 1);
46421 }
46422- if (--port->count < 0) {
46423+ if (atomic_dec_return(&port->count) < 0) {
46424 printk(KERN_ERR "isdn_tty_close: bad port count for ttyi%d: %d\n",
46425- info->line, port->count);
46426- port->count = 0;
46427+ info->line, atomic_read(&port->count));
46428+ atomic_set(&port->count, 0);
46429 }
46430- if (port->count) {
46431+ if (atomic_read(&port->count)) {
46432 #ifdef ISDN_DEBUG_MODEM_OPEN
46433 printk(KERN_DEBUG "isdn_tty_close after info->count != 0\n");
46434 #endif
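Review bot: Switching `port->count` to atomic accessors makes each access atomic, but the repair sequences in isdn_tty_close remain separate steps: `atomic_read(&port->count) != 1` followed by `atomic_set(&port->count, 1)`, and `atomic_dec_return(&port->count) < 0` followed by `atomic_set(&port->count, 0)`. If two closes can run concurrently, one store can overwrite the other's update, so the count is only as safe as whatever lock serialises this function; none is visible in the hunk, and the function starts and ends outside it. The error printk also re-reads the counter instead of printing the value `atomic_dec_return()` returned, so the logged number may differ from the one tested. I would keep the returned value in a local for the message and add a comment naming the serialising lock, e.g. `/* port->count updates are serialised by <lock> */`.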
46435@@ -1620,7 +1620,7 @@ isdn_tty_hangup(struct tty_struct *tty)
46436 if (isdn_tty_paranoia_check(info, tty->name, "isdn_tty_hangup"))
46437 return;
46438 isdn_tty_shutdown(info);
46439- port->count = 0;
46440+ atomic_set(&port->count, 0);
46441 port->flags &= ~ASYNC_NORMAL_ACTIVE;
46442 port->tty = NULL;
46443 wake_up_interruptible(&port->open_wait);
46444@@ -1965,7 +1965,7 @@ isdn_tty_find_icall(int di, int ch, setup_parm *setup)
46445 for (i = 0; i < ISDN_MAX_CHANNELS; i++) {
46446 modem_info *info = &dev->mdm.info[i];
46447
46448- if (info->port.count == 0)
46449+ if (atomic_read(&info->port.count) == 0)
46450 continue;
46451 if ((info->emu.mdmreg[REG_SI1] & si2bit[si1]) && /* SI1 is matching */
46452 (info->emu.mdmreg[REG_SI2] == si2)) { /* SI2 is matching */
46453diff --git a/drivers/isdn/i4l/isdn_x25iface.c b/drivers/isdn/i4l/isdn_x25iface.c
46454index e2d4e58..40cd045 100644
46455--- a/drivers/isdn/i4l/isdn_x25iface.c
46456+++ b/drivers/isdn/i4l/isdn_x25iface.c
46457@@ -53,14 +53,14 @@ static int isdn_x25iface_disconn_ind(struct concap_proto *);
46458
46459
46460 static struct concap_proto_ops ix25_pops = {
46461- &isdn_x25iface_proto_new,
46462- &isdn_x25iface_proto_del,
46463- &isdn_x25iface_proto_restart,
46464- &isdn_x25iface_proto_close,
46465- &isdn_x25iface_xmit,
46466- &isdn_x25iface_receive,
46467- &isdn_x25iface_connect_ind,
46468- &isdn_x25iface_disconn_ind
46469+ .proto_new = &isdn_x25iface_proto_new,
46470+ .proto_del = &isdn_x25iface_proto_del,
46471+ .restart = &isdn_x25iface_proto_restart,
46472+ .close = &isdn_x25iface_proto_close,
46473+ .encap_and_xmit = &isdn_x25iface_xmit,
46474+ .data_ind = &isdn_x25iface_receive,
46475+ .connect_ind = &isdn_x25iface_connect_ind,
46476+ .disconn_ind = &isdn_x25iface_disconn_ind
46477 };
46478
46479 /* error message helper function */
46480diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c
46481index 358a574..b4987ea 100644
46482--- a/drivers/isdn/icn/icn.c
46483+++ b/drivers/isdn/icn/icn.c
46484@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char *buf, int len, int user, icn_card *card)
46485 if (count > len)
46486 count = len;
46487 if (user) {
46488- if (copy_from_user(msg, buf, count))
46489+ if (count > sizeof msg || copy_from_user(msg, buf, count))
46490 return -EFAULT;
46491 } else
46492 memcpy(msg, buf, count);
46493diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c
46494index 52c4382..09e0c7c 100644
46495--- a/drivers/isdn/mISDN/dsp_cmx.c
46496+++ b/drivers/isdn/mISDN/dsp_cmx.c
46497@@ -1625,7 +1625,7 @@ unsigned long dsp_spl_jiffies; /* calculate the next time to fire */
46498 static u16 dsp_count; /* last sample count */
46499 static int dsp_count_valid; /* if we have last sample count */
46500
46501-void
46502+void __intentional_overflow(-1)
46503 dsp_cmx_send(void *arg)
46504 {
46505 struct dsp_conf *conf;
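Review bot: `__intentional_overflow(-1)` is added to dsp_cmx_send with no comment identifying which arithmetic is expected to wrap. The annotation presumably exempts the function from the size-overflow instrumentation, so without a note a later reader cannot tell a deliberate wrap from a silenced finding. I would add a line such as `/* <which expression> wraps by design */` above the definition. The same applies to release_pmd in drivers/lguest/page_tables.c. The function body is outside the hunk.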
46506diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
46507index 312ffd3..9263d05 100644
46508--- a/drivers/lguest/core.c
46509+++ b/drivers/lguest/core.c
46510@@ -96,9 +96,17 @@ static __init int map_switcher(void)
46511 * The end address needs +1 because __get_vm_area allocates an
46512 * extra guard page, so we need space for that.
46513 */
46514+
46515+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
46516+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
46517+ VM_ALLOC | VM_KERNEXEC, switcher_addr, switcher_addr
46518+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
46519+#else
46520 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
46521 VM_ALLOC, switcher_addr, switcher_addr
46522 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
46523+#endif
46524+
46525 if (!switcher_vma) {
46526 err = -ENOMEM;
46527 printk("lguest: could not map switcher pages high\n");
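Review bot: The two `__get_vm_area()` calls under `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` differ only in the `VM_KERNEXEC` flag, so any later change to the size or range arguments has to be made in both copies. Selecting the flags with the preprocessor and keeping a single call avoids that, e.g. `#define SWITCHER_VM_FLAGS (VM_ALLOC | VM_KERNEXEC)` in the KERNEXEC case and `VM_ALLOC` otherwise, then passing `SWITCHER_VM_FLAGS` to the one call. map_switcher begins and ends outside the hunk.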
46528@@ -121,7 +129,7 @@ static __init int map_switcher(void)
46529 * Now the Switcher is mapped at the right address, we can't fail!
46530 * Copy in the compiled-in Switcher code (from x86/switcher_32.S).
46531 */
46532- memcpy(switcher_vma->addr, start_switcher_text,
46533+ memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
46534 end_switcher_text - start_switcher_text);
46535
46536 printk(KERN_INFO "lguest: mapped switcher at %p\n",
46537diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c
46538index e3abebc9..6a35328 100644
46539--- a/drivers/lguest/page_tables.c
46540+++ b/drivers/lguest/page_tables.c
46541@@ -585,7 +585,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr)
46542 /*:*/
46543
46544 #ifdef CONFIG_X86_PAE
46545-static void release_pmd(pmd_t *spmd)
46546+static void __intentional_overflow(-1) release_pmd(pmd_t *spmd)
46547 {
46548 /* If the entry's not present, there's nothing to release. */
46549 if (pmd_flags(*spmd) & _PAGE_PRESENT) {
46550diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
46551index 6a4cd77..c9e2d9f 100644
46552--- a/drivers/lguest/x86/core.c
46553+++ b/drivers/lguest/x86/core.c
46554@@ -60,7 +60,7 @@ static struct {
46555 /* Offset from where switcher.S was compiled to where we've copied it */
46556 static unsigned long switcher_offset(void)
46557 {
46558- return switcher_addr - (unsigned long)start_switcher_text;
46559+ return switcher_addr - ktla_ktva((unsigned long)start_switcher_text);
46560 }
46561
46562 /* This cpu's struct lguest_pages (after the Switcher text page) */
46563@@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg_cpu *cpu, struct lguest_pages *pages)
46564 * These copies are pretty cheap, so we do them unconditionally: */
46565 /* Save the current Host top-level page directory.
46566 */
46567+
46568+#ifdef CONFIG_PAX_PER_CPU_PGD
46569+ pages->state.host_cr3 = read_cr3();
46570+#else
46571 pages->state.host_cr3 = __pa(current->mm->pgd);
46572+#endif
46573+
46574 /*
46575 * Set up the Guest's page tables to see this CPU's pages (and no
46576 * other CPU's pages).
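Review bot: The `#ifdef CONFIG_PAX_PER_CPU_PGD` branch has no comment explaining why `host_cr3` is taken from `read_cr3()` instead of `__pa(current->mm->pgd)`. Presumably with per-CPU page directories the mm's pgd is not the table actually loaded on this CPU, so the saved value must come from the register. If so, the existing comment above it should say that, e.g. `/* with per-CPU PGDs the live top-level table is not current->mm->pgd */`. copy_in_guest_info continues outside the hunk.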
46577@@ -494,7 +500,7 @@ void __init lguest_arch_host_init(void)
46578 * compiled-in switcher code and the high-mapped copy we just made.
46579 */
46580 for (i = 0; i < IDT_ENTRIES; i++)
46581- default_idt_entries[i] += switcher_offset();
46582+ default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
46583
46584 /*
46585 * Set up the Switcher's per-cpu areas.
46586@@ -577,7 +583,7 @@ void __init lguest_arch_host_init(void)
46587 * it will be undisturbed when we switch. To change %cs and jump we
46588 * need this structure to feed to Intel's "lcall" instruction.
46589 */
46590- lguest_entry.offset = (long)switch_to_guest + switcher_offset();
46591+ lguest_entry.offset = ktla_ktva((unsigned long)switch_to_guest) + switcher_offset();
46592 lguest_entry.segment = LGUEST_CS;
46593
46594 /*
46595diff --git a/drivers/lguest/x86/switcher_32.S b/drivers/lguest/x86/switcher_32.S
46596index 40634b0..4f5855e 100644
46597--- a/drivers/lguest/x86/switcher_32.S
46598+++ b/drivers/lguest/x86/switcher_32.S
46599@@ -87,6 +87,7 @@
46600 #include <asm/page.h>
46601 #include <asm/segment.h>
46602 #include <asm/lguest.h>
46603+#include <asm/processor-flags.h>
46604
46605 // We mark the start of the code to copy
46606 // It's placed in .text tho it's never run here
46607@@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
46608 // Changes type when we load it: damn Intel!
46609 // For after we switch over our page tables
46610 // That entry will be read-only: we'd crash.
46611+
46612+#ifdef CONFIG_PAX_KERNEXEC
46613+ mov %cr0, %edx
46614+ xor $X86_CR0_WP, %edx
46615+ mov %edx, %cr0
46616+#endif
46617+
46618 movl $(GDT_ENTRY_TSS*8), %edx
46619 ltr %dx
46620
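Review bot: Both CR0 sequences use `xor $X86_CR0_WP, ...`, which toggles write protection rather than setting a known state. This one clears WP only if it was set on entry, and the matching `xor` in the next hunk restores it only if this one started from that state. Using `and $~X86_CR0_WP, %edx` here and `or $X86_CR0_WP, %eax` in the second block would leave WP enabled afterwards regardless of the entry state. The next hunk also loads the GDT address into `%eax` instead of `%edx`, overwriting what `%eax` held; that is safe only if nothing later in switch_to_guest reads it, and the rest of the routine is outside these hunks.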
46621@@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
46622 // Let's clear it again for our return.
46623 // The GDT descriptor of the Host
46624 // Points to the table after two "size" bytes
46625- movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
46626+ movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
46627 // Clear "used" from type field (byte 5, bit 2)
46628- andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
46629+ andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
46630+
46631+#ifdef CONFIG_PAX_KERNEXEC
46632+ mov %cr0, %eax
46633+ xor $X86_CR0_WP, %eax
46634+ mov %eax, %cr0
46635+#endif
46636
46637 // Once our page table's switched, the Guest is live!
46638 // The Host fades as we run this final step.
46639@@ -295,13 +309,12 @@ deliver_to_host:
46640 // I consulted gcc, and it gave
46641 // These instructions, which I gladly credit:
46642 leal (%edx,%ebx,8), %eax
46643- movzwl (%eax),%edx
46644- movl 4(%eax), %eax
46645- xorw %ax, %ax
46646- orl %eax, %edx
46647+ movl 4(%eax), %edx
46648+ movw (%eax), %dx
46649 // Now the address of the handler's in %edx
46650 // We call it now: its "iret" drops us home.
46651- jmp *%edx
46652+ ljmp $__KERNEL_CS, $1f
46653+1: jmp *%edx
46654
46655 // Every interrupt can come to us here
46656 // But we must truly tell each apart.
46657diff --git a/drivers/md/bcache/closure.h b/drivers/md/bcache/closure.h
46658index 79a6d63..47acff6 100644
46659--- a/drivers/md/bcache/closure.h
46660+++ b/drivers/md/bcache/closure.h
46661@@ -238,7 +238,7 @@ static inline void closure_set_stopped(struct closure *cl)
46662 static inline void set_closure_fn(struct closure *cl, closure_fn *fn,
46663 struct workqueue_struct *wq)
46664 {
46665- BUG_ON(object_is_on_stack(cl));
46666+ BUG_ON(object_starts_on_stack(cl));
46667 closure_set_ip(cl);
46668 cl->fn = fn;
46669 cl->wq = wq;
46670diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
46671index e51de52..c52ff17 100644
46672--- a/drivers/md/bitmap.c
46673+++ b/drivers/md/bitmap.c
46674@@ -1933,7 +1933,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap)
46675 chunk_kb ? "KB" : "B");
46676 if (bitmap->storage.file) {
46677 seq_printf(seq, ", file: ");
46678- seq_file_path(seq, bitmap->storage.file, " \t\n");
46679+ seq_file_path(seq, bitmap->storage.file, " \t\n\\");
46680 }
46681
46682 seq_printf(seq, "\n");
46683diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
46684index 720ceeb..030f1d4 100644
46685--- a/drivers/md/dm-ioctl.c
46686+++ b/drivers/md/dm-ioctl.c
46687@@ -1773,7 +1773,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
46688 cmd == DM_LIST_VERSIONS_CMD)
46689 return 0;
46690
46691- if ((cmd == DM_DEV_CREATE_CMD)) {
46692+ if (cmd == DM_DEV_CREATE_CMD) {
46693 if (!*param->name) {
46694 DMWARN("name not supplied when creating device");
46695 return -EINVAL;
46696diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
46697index d83696b..44f22f7 100644
46698--- a/drivers/md/dm-raid1.c
46699+++ b/drivers/md/dm-raid1.c
46700@@ -42,7 +42,7 @@ enum dm_raid1_error {
46701
46702 struct mirror {
46703 struct mirror_set *ms;
46704- atomic_t error_count;
46705+ atomic_unchecked_t error_count;
46706 unsigned long error_type;
46707 struct dm_dev *dev;
46708 sector_t offset;
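Review bot: `error_count` becomes `atomic_unchecked_t`, yet the later hunks in this file only ever test it for zero (`get_valid_mirror`, `choose_mirror`, `default_ok`, `device_status_char`), so it is a health flag more than a statistic. With overflow checking explicitly off, a counter that wraps back to zero would make a failed leg read as healthy. That is remote, but it is worth recording next to the field, e.g. `/* tested only for non-zero; must not wrap back to 0 */`, or making `fail_mirror` saturate. The struct continues outside the hunk.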
46709@@ -188,7 +188,7 @@ static struct mirror *get_valid_mirror(struct mirror_set *ms)
46710 struct mirror *m;
46711
46712 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
46713- if (!atomic_read(&m->error_count))
46714+ if (!atomic_read_unchecked(&m->error_count))
46715 return m;
46716
46717 return NULL;
46718@@ -220,7 +220,7 @@ static void fail_mirror(struct mirror *m, enum dm_raid1_error error_type)
46719 * simple way to tell if a device has encountered
46720 * errors.
46721 */
46722- atomic_inc(&m->error_count);
46723+ atomic_inc_unchecked(&m->error_count);
46724
46725 if (test_and_set_bit(error_type, &m->error_type))
46726 return;
46727@@ -378,7 +378,7 @@ static void reset_ms_flags(struct mirror_set *ms)
46728
46729 ms->leg_failure = 0;
46730 for (m = 0; m < ms->nr_mirrors; m++) {
46731- atomic_set(&(ms->mirror[m].error_count), 0);
46732+ atomic_set_unchecked(&(ms->mirror[m].error_count), 0);
46733 ms->mirror[m].error_type = 0;
46734 }
46735 }
46736@@ -423,7 +423,7 @@ static struct mirror *choose_mirror(struct mirror_set *ms, sector_t sector)
46737 struct mirror *m = get_default_mirror(ms);
46738
46739 do {
46740- if (likely(!atomic_read(&m->error_count)))
46741+ if (likely(!atomic_read_unchecked(&m->error_count)))
46742 return m;
46743
46744 if (m-- == ms->mirror)
46745@@ -437,7 +437,7 @@ static int default_ok(struct mirror *m)
46746 {
46747 struct mirror *default_mirror = get_default_mirror(m->ms);
46748
46749- return !atomic_read(&default_mirror->error_count);
46750+ return !atomic_read_unchecked(&default_mirror->error_count);
46751 }
46752
46753 static int mirror_available(struct mirror_set *ms, struct bio *bio)
46754@@ -574,7 +574,7 @@ static void do_reads(struct mirror_set *ms, struct bio_list *reads)
46755 */
46756 if (likely(region_in_sync(ms, region, 1)))
46757 m = choose_mirror(ms, bio->bi_iter.bi_sector);
46758- else if (m && atomic_read(&m->error_count))
46759+ else if (m && atomic_read_unchecked(&m->error_count))
46760 m = NULL;
46761
46762 if (likely(m))
46763@@ -956,7 +956,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti,
46764 }
46765
46766 ms->mirror[mirror].ms = ms;
46767- atomic_set(&(ms->mirror[mirror].error_count), 0);
46768+ atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
46769 ms->mirror[mirror].error_type = 0;
46770 ms->mirror[mirror].offset = offset;
46771
46772@@ -1380,7 +1380,7 @@ static void mirror_resume(struct dm_target *ti)
46773 */
46774 static char device_status_char(struct mirror *m)
46775 {
46776- if (!atomic_read(&(m->error_count)))
46777+ if (!atomic_read_unchecked(&(m->error_count)))
46778 return 'A';
46779
46780 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
46781diff --git a/drivers/md/dm-stats.c b/drivers/md/dm-stats.c
46782index 8289804..12db118 100644
46783--- a/drivers/md/dm-stats.c
46784+++ b/drivers/md/dm-stats.c
46785@@ -435,7 +435,7 @@ do_sync_free:
46786 synchronize_rcu_expedited();
46787 dm_stat_free(&s->rcu_head);
46788 } else {
46789- ACCESS_ONCE(dm_stat_need_rcu_barrier) = 1;
46790+ ACCESS_ONCE_RW(dm_stat_need_rcu_barrier) = 1;
46791 call_rcu(&s->rcu_head, dm_stat_free);
46792 }
46793 return 0;
46794@@ -648,8 +648,8 @@ void dm_stats_account_io(struct dm_stats *stats, unsigned long bi_rw,
46795 ((bi_rw & (REQ_WRITE | REQ_DISCARD)) ==
46796 (ACCESS_ONCE(last->last_rw) & (REQ_WRITE | REQ_DISCARD)))
46797 ));
46798- ACCESS_ONCE(last->last_sector) = end_sector;
46799- ACCESS_ONCE(last->last_rw) = bi_rw;
46800+ ACCESS_ONCE_RW(last->last_sector) = end_sector;
46801+ ACCESS_ONCE_RW(last->last_rw) = bi_rw;
46802 }
46803
46804 rcu_read_lock();
46805diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
46806index a672a15..dc85e99 100644
46807--- a/drivers/md/dm-stripe.c
46808+++ b/drivers/md/dm-stripe.c
46809@@ -21,7 +21,7 @@ struct stripe {
46810 struct dm_dev *dev;
46811 sector_t physical_start;
46812
46813- atomic_t error_count;
46814+ atomic_unchecked_t error_count;
46815 };
46816
46817 struct stripe_c {
46818@@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *ti, unsigned int argc, char **argv)
46819 kfree(sc);
46820 return r;
46821 }
46822- atomic_set(&(sc->stripe[i].error_count), 0);
46823+ atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
46824 }
46825
46826 ti->private = sc;
46827@@ -332,7 +332,7 @@ static void stripe_status(struct dm_target *ti, status_type_t type,
46828 DMEMIT("%d ", sc->stripes);
46829 for (i = 0; i < sc->stripes; i++) {
46830 DMEMIT("%s ", sc->stripe[i].dev->name);
46831- buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
46832+ buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
46833 'D' : 'A';
46834 }
46835 buffer[i] = '\0';
46836@@ -377,8 +377,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
46837 */
46838 for (i = 0; i < sc->stripes; i++)
46839 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
46840- atomic_inc(&(sc->stripe[i].error_count));
46841- if (atomic_read(&(sc->stripe[i].error_count)) <
46842+ atomic_inc_unchecked(&(sc->stripe[i].error_count));
46843+ if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
46844 DM_IO_ERROR_THRESHOLD)
46845 schedule_work(&sc->trigger_event);
46846 }
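Review bot: The increment and the threshold test in stripe_end_io are still two separate operations, `atomic_inc_unchecked(...)` then `atomic_read_unchecked(...) < DM_IO_ERROR_THRESHOLD`, so the value tested may already include increments from other completions. Folding them into one call ties the decision to this error: `if (atomic_add_return_unchecked(1, &(sc->stripe[i].error_count)) < DM_IO_ERROR_THRESHOLD)`; that helper is used in the dm.c part of this patch. The same two-step pattern is carried over in raid10.c fix_read_error (`atomic_inc_unchecked` then `atomic_read_unchecked(&rdev->read_errors) > max_read_errors`). The loop and the function start outside the hunk.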
46847diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
46848index 16ba55a..31af906 100644
46849--- a/drivers/md/dm-table.c
46850+++ b/drivers/md/dm-table.c
46851@@ -305,7 +305,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev,
46852 if (!dev_size)
46853 return 0;
46854
46855- if ((start >= dev_size) || (start + len > dev_size)) {
46856+ if ((start >= dev_size) || (len > dev_size - start)) {
46857 DMWARN("%s: %s too small for target: "
46858 "start=%llu, len=%llu, dev_size=%llu",
46859 dm_device_name(ti->table->md), bdevname(bdev, b),
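Review bot: The rewritten bound `len > dev_size - start` is wrap-free only because `start >= dev_size` is tested first and short-circuits; nothing on the line says so, and swapping the two operands of `||` would reintroduce an unsigned underflow. I would add `/* start < dev_size here, so dev_size - start cannot wrap */` above the condition. The function body starts and ends outside the hunk.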
46860diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
46861index 6ba47cf..a870ba2 100644
46862--- a/drivers/md/dm-thin-metadata.c
46863+++ b/drivers/md/dm-thin-metadata.c
46864@@ -403,7 +403,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd)
46865 {
46866 pmd->info.tm = pmd->tm;
46867 pmd->info.levels = 2;
46868- pmd->info.value_type.context = pmd->data_sm;
46869+ pmd->info.value_type.context = (dm_space_map_no_const *)pmd->data_sm;
46870 pmd->info.value_type.size = sizeof(__le64);
46871 pmd->info.value_type.inc = data_block_inc;
46872 pmd->info.value_type.dec = data_block_dec;
46873@@ -422,7 +422,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd)
46874
46875 pmd->bl_info.tm = pmd->tm;
46876 pmd->bl_info.levels = 1;
46877- pmd->bl_info.value_type.context = pmd->data_sm;
46878+ pmd->bl_info.value_type.context = (dm_space_map_no_const *)pmd->data_sm;
46879 pmd->bl_info.value_type.size = sizeof(__le64);
46880 pmd->bl_info.value_type.inc = data_block_inc;
46881 pmd->bl_info.value_type.dec = data_block_dec;
46882diff --git a/drivers/md/dm.c b/drivers/md/dm.c
46883index 0d7ab20..350d006 100644
46884--- a/drivers/md/dm.c
46885+++ b/drivers/md/dm.c
46886@@ -194,9 +194,9 @@ struct mapped_device {
46887 /*
46888 * Event handling.
46889 */
46890- atomic_t event_nr;
46891+ atomic_unchecked_t event_nr;
46892 wait_queue_head_t eventq;
46893- atomic_t uevent_seq;
46894+ atomic_unchecked_t uevent_seq;
46895 struct list_head uevent_list;
46896 spinlock_t uevent_lock; /* Protect access to uevent_list */
46897
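Review bot: `event_nr` and `uevent_seq` become `atomic_unchecked_t` without a comment saying why they are exempt from overflow checking. From the later hunks in this file they look like sequence numbers: dm_wait_event compares `event_nr` only for inequality and dm_next_uevent_seq returns a `uint32_t`, so wrap-around appears harmless. A field comment such as `/* sequence number, may wrap; not a reference count */` would keep the unchecked type from being copied onto a real refcount later. The struct continues outside the hunk.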
46898@@ -2339,8 +2339,8 @@ static struct mapped_device *alloc_dev(int minor)
46899 spin_lock_init(&md->deferred_lock);
46900 atomic_set(&md->holders, 1);
46901 atomic_set(&md->open_count, 0);
46902- atomic_set(&md->event_nr, 0);
46903- atomic_set(&md->uevent_seq, 0);
46904+ atomic_set_unchecked(&md->event_nr, 0);
46905+ atomic_set_unchecked(&md->uevent_seq, 0);
46906 INIT_LIST_HEAD(&md->uevent_list);
46907 INIT_LIST_HEAD(&md->table_devices);
46908 spin_lock_init(&md->uevent_lock);
46909@@ -2481,7 +2481,7 @@ static void event_callback(void *context)
46910
46911 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
46912
46913- atomic_inc(&md->event_nr);
46914+ atomic_inc_unchecked(&md->event_nr);
46915 wake_up(&md->eventq);
46916 }
46917
46918@@ -3481,18 +3481,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
46919
46920 uint32_t dm_next_uevent_seq(struct mapped_device *md)
46921 {
46922- return atomic_add_return(1, &md->uevent_seq);
46923+ return atomic_add_return_unchecked(1, &md->uevent_seq);
46924 }
46925
46926 uint32_t dm_get_event_nr(struct mapped_device *md)
46927 {
46928- return atomic_read(&md->event_nr);
46929+ return atomic_read_unchecked(&md->event_nr);
46930 }
46931
46932 int dm_wait_event(struct mapped_device *md, int event_nr)
46933 {
46934 return wait_event_interruptible(md->eventq,
46935- (event_nr != atomic_read(&md->event_nr)));
46936+ (event_nr != atomic_read_unchecked(&md->event_nr)));
46937 }
46938
46939 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
46940diff --git a/drivers/md/md.c b/drivers/md/md.c
46941index e25f00f..12caa60 100644
46942--- a/drivers/md/md.c
46943+++ b/drivers/md/md.c
46944@@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
46945 * start build, activate spare
46946 */
46947 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
46948-static atomic_t md_event_count;
46949+static atomic_unchecked_t md_event_count;
46950 void md_new_event(struct mddev *mddev)
46951 {
46952- atomic_inc(&md_event_count);
46953+ atomic_inc_unchecked(&md_event_count);
46954 wake_up(&md_event_waiters);
46955 }
46956 EXPORT_SYMBOL_GPL(md_new_event);
46957@@ -210,7 +210,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
46958 */
46959 static void md_new_event_inintr(struct mddev *mddev)
46960 {
46961- atomic_inc(&md_event_count);
46962+ atomic_inc_unchecked(&md_event_count);
46963 wake_up(&md_event_waiters);
46964 }
46965
46966@@ -1449,7 +1449,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
46967 if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) &&
46968 (le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET))
46969 rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset);
46970- atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
46971+ atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
46972
46973 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
46974 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
46975@@ -1700,7 +1700,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
46976 else
46977 sb->resync_offset = cpu_to_le64(0);
46978
46979- sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
46980+ sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
46981
46982 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
46983 sb->size = cpu_to_le64(mddev->dev_sectors);
46984@@ -2622,7 +2622,7 @@ __ATTR_PREALLOC(state, S_IRUGO|S_IWUSR, state_show, state_store);
46985 static ssize_t
46986 errors_show(struct md_rdev *rdev, char *page)
46987 {
46988- return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
46989+ return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
46990 }
46991
46992 static ssize_t
46993@@ -2634,7 +2634,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
46994 rv = kstrtouint(buf, 10, &n);
46995 if (rv < 0)
46996 return rv;
46997- atomic_set(&rdev->corrected_errors, n);
46998+ atomic_set_unchecked(&rdev->corrected_errors, n);
46999 return len;
47000 }
47001 static struct rdev_sysfs_entry rdev_errors =
47002@@ -3071,8 +3071,8 @@ int md_rdev_init(struct md_rdev *rdev)
47003 rdev->sb_loaded = 0;
47004 rdev->bb_page = NULL;
47005 atomic_set(&rdev->nr_pending, 0);
47006- atomic_set(&rdev->read_errors, 0);
47007- atomic_set(&rdev->corrected_errors, 0);
47008+ atomic_set_unchecked(&rdev->read_errors, 0);
47009+ atomic_set_unchecked(&rdev->corrected_errors, 0);
47010
47011 INIT_LIST_HEAD(&rdev->same_set);
47012 init_waitqueue_head(&rdev->blocked_wait);
47013@@ -7256,7 +7256,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
47014
47015 spin_unlock(&pers_lock);
47016 seq_printf(seq, "\n");
47017- seq->poll_event = atomic_read(&md_event_count);
47018+ seq->poll_event = atomic_read_unchecked(&md_event_count);
47019 return 0;
47020 }
47021 if (v == (void*)2) {
47022@@ -7359,7 +7359,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
47023 return error;
47024
47025 seq = file->private_data;
47026- seq->poll_event = atomic_read(&md_event_count);
47027+ seq->poll_event = atomic_read_unchecked(&md_event_count);
47028 return error;
47029 }
47030
47031@@ -7376,7 +7376,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
47032 /* always allow read */
47033 mask = POLLIN | POLLRDNORM;
47034
47035- if (seq->poll_event != atomic_read(&md_event_count))
47036+ if (seq->poll_event != atomic_read_unchecked(&md_event_count))
47037 mask |= POLLERR | POLLPRI;
47038 return mask;
47039 }
47040@@ -7472,7 +7472,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
47041 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
47042 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
47043 (int)part_stat_read(&disk->part0, sectors[1]) -
47044- atomic_read(&disk->sync_io);
47045+ atomic_read_unchecked(&disk->sync_io);
47046 /* sync IO will cause sync_io to increase before the disk_stats
47047 * as sync_io is counted when a request starts, and
47048 * disk_stats is counted when it completes.
47049diff --git a/drivers/md/md.h b/drivers/md/md.h
47050index 7da6e9c..f0c1f10 100644
47051--- a/drivers/md/md.h
47052+++ b/drivers/md/md.h
47053@@ -96,13 +96,13 @@ struct md_rdev {
47054 * only maintained for arrays that
47055 * support hot removal
47056 */
47057- atomic_t read_errors; /* number of consecutive read errors that
47058+ atomic_unchecked_t read_errors; /* number of consecutive read errors that
47059 * we have tried to ignore.
47060 */
47061 struct timespec last_read_error; /* monotonic time since our
47062 * last read error
47063 */
47064- atomic_t corrected_errors; /* number of corrected read errors,
47065+ atomic_unchecked_t corrected_errors; /* number of corrected read errors,
47066 * for reporting to userspace and storing
47067 * in superblock.
47068 */
47069@@ -487,7 +487,7 @@ extern void mddev_unlock(struct mddev *mddev);
47070
47071 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
47072 {
47073- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
47074+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
47075 }
47076
47077 struct md_personality
47078diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
47079index 5309129..7fb096e 100644
47080--- a/drivers/md/persistent-data/dm-space-map-metadata.c
47081+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
47082@@ -691,7 +691,7 @@ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks)
47083 * Flick into a mode where all blocks get allocated in the new area.
47084 */
47085 smm->begin = old_len;
47086- memcpy(sm, &bootstrap_ops, sizeof(*sm));
47087+ memcpy((void *)sm, &bootstrap_ops, sizeof(*sm));
47088
47089 /*
47090 * Extend.
47091@@ -728,7 +728,7 @@ out:
47092 /*
47093 * Switch back to normal behaviour.
47094 */
47095- memcpy(sm, &ops, sizeof(*sm));
47096+ memcpy((void *)sm, &ops, sizeof(*sm));
47097 return r;
47098 }
47099
47100diff --git a/drivers/md/persistent-data/dm-space-map.h b/drivers/md/persistent-data/dm-space-map.h
47101index 3e6d115..ffecdeb 100644
47102--- a/drivers/md/persistent-data/dm-space-map.h
47103+++ b/drivers/md/persistent-data/dm-space-map.h
47104@@ -71,6 +71,7 @@ struct dm_space_map {
47105 dm_sm_threshold_fn fn,
47106 void *context);
47107 };
47108+typedef struct dm_space_map __no_const dm_space_map_no_const;
47109
47110 /*----------------------------------------------------------------*/
47111
47112diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
47113index 967a4ed..002d339 100644
47114--- a/drivers/md/raid1.c
47115+++ b/drivers/md/raid1.c
47116@@ -1937,7 +1937,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
47117 if (r1_sync_page_io(rdev, sect, s,
47118 bio->bi_io_vec[idx].bv_page,
47119 READ) != 0)
47120- atomic_add(s, &rdev->corrected_errors);
47121+ atomic_add_unchecked(s, &rdev->corrected_errors);
47122 }
47123 sectors -= s;
47124 sect += s;
47125@@ -2170,7 +2170,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
47126 !test_bit(Faulty, &rdev->flags)) {
47127 if (r1_sync_page_io(rdev, sect, s,
47128 conf->tmppage, READ)) {
47129- atomic_add(s, &rdev->corrected_errors);
47130+ atomic_add_unchecked(s, &rdev->corrected_errors);
47131 printk(KERN_INFO
47132 "md/raid1:%s: read error corrected "
47133 "(%d sectors at %llu on %s)\n",
47134diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
47135index 38c58e1..89c3e0f 100644
47136--- a/drivers/md/raid10.c
47137+++ b/drivers/md/raid10.c
47138@@ -1934,7 +1934,7 @@ static void end_sync_read(struct bio *bio, int error)
47139 /* The write handler will notice the lack of
47140 * R10BIO_Uptodate and record any errors etc
47141 */
47142- atomic_add(r10_bio->sectors,
47143+ atomic_add_unchecked(r10_bio->sectors,
47144 &conf->mirrors[d].rdev->corrected_errors);
47145
47146 /* for reconstruct, we always reschedule after a read.
47147@@ -2281,7 +2281,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
47148 {
47149 struct timespec cur_time_mon;
47150 unsigned long hours_since_last;
47151- unsigned int read_errors = atomic_read(&rdev->read_errors);
47152+ unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
47153
47154 ktime_get_ts(&cur_time_mon);
47155
47156@@ -2303,9 +2303,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
47157 * overflowing the shift of read_errors by hours_since_last.
47158 */
47159 if (hours_since_last >= 8 * sizeof(read_errors))
47160- atomic_set(&rdev->read_errors, 0);
47161+ atomic_set_unchecked(&rdev->read_errors, 0);
47162 else
47163- atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
47164+ atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
47165 }
47166
47167 static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
47168@@ -2359,8 +2359,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47169 return;
47170
47171 check_decay_read_errors(mddev, rdev);
47172- atomic_inc(&rdev->read_errors);
47173- if (atomic_read(&rdev->read_errors) > max_read_errors) {
47174+ atomic_inc_unchecked(&rdev->read_errors);
47175+ if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) {
47176 char b[BDEVNAME_SIZE];
47177 bdevname(rdev->bdev, b);
47178
47179@@ -2368,7 +2368,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47180 "md/raid10:%s: %s: Raid device exceeded "
47181 "read_error threshold [cur %d:max %d]\n",
47182 mdname(mddev), b,
47183- atomic_read(&rdev->read_errors), max_read_errors);
47184+ atomic_read_unchecked(&rdev->read_errors), max_read_errors);
47185 printk(KERN_NOTICE
47186 "md/raid10:%s: %s: Failing raid device\n",
47187 mdname(mddev), b);
47188@@ -2523,7 +2523,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47189 sect +
47190 choose_data_offset(r10_bio, rdev)),
47191 bdevname(rdev->bdev, b));
47192- atomic_add(s, &rdev->corrected_errors);
47193+ atomic_add_unchecked(s, &rdev->corrected_errors);
47194 }
47195
47196 rdev_dec_pending(rdev, mddev);
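--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -1119,23 +1119,23 @@ async_copy_data(int frombio, struct bio *bio, struct page **page,
 struct bio_vec bvl;
 struct bvec_iter iter;
 struct page *bio_page;
- int page_offset;
+ s64 page_offset;
 struct async_submit_ctl submit;
 enum async_tx_flags flags = 0;
 
 if (bio->bi_iter.bi_sector >= sector)
- page_offset = (signed)(bio->bi_iter.bi_sector - sector) * 512;
+ page_offset = (s64)(bio->bi_iter.bi_sector - sector) * 512;
 else
- page_offset = (signed)(sector - bio->bi_iter.bi_sector) * -512;
+ page_offset = (s64)(sector - bio->bi_iter.bi_sector) * -512;
 
 if (frombio)
 flags |= ASYNC_TX_FENCE;
 init_async_submit(&submit, flags, tx, NULL, NULL, NULL);
 
 bio_for_each_segment(bvl, bio, iter) {
- int len = bvl.bv_len;
- int clen;
- int b_offset = 0;
+ s64 len = bvl.bv_len;
+ s64 clen;
+ s64 b_offset = 0;
 
 if (page_offset < 0) {
 b_offset = -page_offset;
@@ -2028,6 +2028,10 @@ static int grow_one_stripe(struct r5conf *conf, gfp_t gfp)
 return 1;
 }
 
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+static atomic_unchecked_t raid5_cache_id = ATOMIC_INIT(0);
+#endif
+
 static int grow_stripes(struct r5conf *conf, int num)
 {
 struct kmem_cache *sc;
@@ -2038,7 +2042,11 @@ static int grow_stripes(struct r5conf *conf, int num)
 "raid%d-%s", conf->level, mdname(conf->mddev));
 else
 sprintf(conf->cache_name[0],
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ "raid%d-%08lx", conf->level, atomic_inc_return_unchecked(&raid5_cache_id));
+#else
 "raid%d-%p", conf->level, conf->mddev);
+#endif
 sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]);
 
 conf->active_name = 0;
@@ -2331,21 +2339,21 @@ static void raid5_end_read_request(struct bio * bi, int error)
 mdname(conf->mddev), STRIPE_SECTORS,
 (unsigned long long)s,
 bdevname(rdev->bdev, b));
- atomic_add(STRIPE_SECTORS, &rdev->corrected_errors);
+ atomic_add_unchecked(STRIPE_SECTORS, &rdev->corrected_errors);
 clear_bit(R5_ReadError, &sh->dev[i].flags);
 clear_bit(R5_ReWrite, &sh->dev[i].flags);
 } else if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags))
 clear_bit(R5_ReadNoMerge, &sh->dev[i].flags);
 
- if (atomic_read(&rdev->read_errors))
- atomic_set(&rdev->read_errors, 0);
+ if (atomic_read_unchecked(&rdev->read_errors))
+ atomic_set_unchecked(&rdev->read_errors, 0);
 } else {
 const char *bdn = bdevname(rdev->bdev, b);
 int retry = 0;
 int set_bad = 0;
 
 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
- atomic_inc(&rdev->read_errors);
+ atomic_inc_unchecked(&rdev->read_errors);
 if (test_bit(R5_ReadRepl, &sh->dev[i].flags))
 printk_ratelimited(
 KERN_WARNING
@@ -2373,7 +2381,7 @@ static void raid5_end_read_request(struct bio * bi, int error)
 mdname(conf->mddev),
 (unsigned long long)s,
 bdn);
- } else if (atomic_read(&rdev->read_errors)
+ } else if (atomic_read_unchecked(&rdev->read_errors)
 > conf->max_nr_stripes)
 printk(KERN_WARNING
 "md/raid:%s: Too many read errors, failing device %s.\n",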
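Review bot: In grow_stripes() the new HIDESYM format `"raid%d-%08lx"` is fed `atomic_inc_return_unchecked(&raid5_cache_id)`; if that helper returns `int`, as `atomic_inc_return()` does, the `%lx` conversion reads an argument of the wrong width in a variadic call. Either use `%08x` or cast the value, `(unsigned long)atomic_inc_return_unchecked(&raid5_cache_id)`. The `sprintf` into `conf->cache_name[0]` is unbounded before and after the change, and the buffer size is not visible here, so it is worth confirming that the widest name still fits or switching to `snprintf` with `sizeof(conf->cache_name[0])`. grow_stripes() starts and ends outside the hunk.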
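--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -272,7 +272,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
 const struct dvb_device *template, void *priv, int type)
 {
 struct dvb_device *dvbdev;
- struct file_operations *dvbdevfops;
+ file_operations_no_const *dvbdevfops;
 struct device *clsdev;
 int minor;
 int id;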
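--- a/drivers/media/dvb-frontends/af9033.h
+++ b/drivers/media/dvb-frontends/af9033.h
@@ -96,6 +96,6 @@ struct af9033_ops {
 int (*pid_filter_ctrl)(struct dvb_frontend *fe, int onoff);
 int (*pid_filter)(struct dvb_frontend *fe, int index, u16 pid,
 int onoff);
-};
+} __no_const;
 
 #endif /* AF9033_H */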
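--- a/drivers/media/dvb-frontends/dib3000.h
+++ b/drivers/media/dvb-frontends/dib3000.h
@@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
-};
+} __no_const;
 
 #if IS_REACHABLE(CONFIG_DVB_DIB3000MB)
 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,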
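--- a/drivers/media/dvb-frontends/dib7000p.h
+++ b/drivers/media/dvb-frontends/dib7000p.h
@@ -64,7 +64,7 @@ struct dib7000p_ops {
 int (*get_adc_power)(struct dvb_frontend *fe);
 int (*slave_reset)(struct dvb_frontend *fe);
 struct dvb_frontend *(*init)(struct i2c_adapter *i2c_adap, u8 i2c_addr, struct dib7000p_config *cfg);
-};
+} __no_const;
 
 #if IS_REACHABLE(CONFIG_DVB_DIB7000P)
 void *dib7000p_attach(struct dib7000p_ops *ops);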
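--- a/drivers/media/dvb-frontends/dib8000.h
+++ b/drivers/media/dvb-frontends/dib8000.h
@@ -61,7 +61,7 @@ struct dib8000_ops {
 int (*pid_filter_ctrl)(struct dvb_frontend *fe, u8 onoff);
 int (*pid_filter)(struct dvb_frontend *fe, u8 id, u16 pid, u8 onoff);
 struct dvb_frontend *(*init)(struct i2c_adapter *i2c_adap, u8 i2c_addr, struct dib8000_config *cfg);
-};
+} __no_const;
 
 #if IS_REACHABLE(CONFIG_DVB_DIB8000)
 void *dib8000_attach(struct dib8000_ops *ops);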
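--- a/drivers/media/pci/cx88/cx88-video.c
+++ b/drivers/media/pci/cx88/cx88-video.c
@@ -50,9 +50,9 @@ MODULE_VERSION(CX88_VERSION);
 
 /* ------------------------------------------------------------------ */
 
-static unsigned int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
-static unsigned int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
-static unsigned int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
+static int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
+static int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
+static int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
 
 module_param_array(video_nr, int, NULL, 0444);
 module_param_array(vbi_nr, int, NULL, 0444);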
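--- a/drivers/media/pci/ivtv/ivtv-driver.c
+++ b/drivers/media/pci/ivtv/ivtv-driver.c
@@ -83,7 +83,7 @@ static struct pci_device_id ivtv_pci_tbl[] = {
 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
 
 /* ivtv instance counter */
-static atomic_t ivtv_instance = ATOMIC_INIT(0);
+static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
 
 /* Parameter declarations */
 static int cardtype[IVTV_MAX_CARDS];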
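--- a/drivers/media/pci/solo6x10/solo6x10-core.c
+++ b/drivers/media/pci/solo6x10/solo6x10-core.c
@@ -424,7 +424,7 @@ static void solo_device_release(struct device *dev)
 
 static int solo_sysfs_init(struct solo_dev *solo_dev)
 {
- struct bin_attribute *sdram_attr = &solo_dev->sdram_attr;
+ bin_attribute_no_const *sdram_attr = &solo_dev->sdram_attr;
 struct device *dev = &solo_dev->dev;
 const char *driver;
 int i;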
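--- a/drivers/media/pci/solo6x10/solo6x10-g723.c
+++ b/drivers/media/pci/solo6x10/solo6x10-g723.c
@@ -351,7 +351,7 @@ static int solo_snd_pcm_init(struct solo_dev *solo_dev)
 
 int solo_g723_init(struct solo_dev *solo_dev)
 {
- static struct snd_device_ops ops = { NULL };
+ static struct snd_device_ops ops = { };
 struct snd_card *card;
 struct snd_kcontrol_new kctl;
 char name[32];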
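--- a/drivers/media/pci/solo6x10/solo6x10-p2m.c
+++ b/drivers/media/pci/solo6x10/solo6x10-p2m.c
@@ -73,7 +73,7 @@ int solo_p2m_dma_desc(struct solo_dev *solo_dev,
 
 /* Get next ID. According to Softlogic, 6110 has problems on !=0 P2M */
 if (solo_dev->type != SOLO_DEV_6110 && multi_p2m) {
- p2m_id = atomic_inc_return(&solo_dev->p2m_count) % SOLO_NR_P2M;
+ p2m_id = atomic_inc_return_unchecked(&solo_dev->p2m_count) % SOLO_NR_P2M;
 if (p2m_id < 0)
 p2m_id = -p2m_id;
 }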
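--- a/drivers/media/pci/solo6x10/solo6x10.h
+++ b/drivers/media/pci/solo6x10/solo6x10.h
@@ -218,7 +218,7 @@ struct solo_dev {
 
 /* P2M DMA Engine */
 struct solo_p2m_dev p2m_dev[SOLO_NR_P2M];
- atomic_t p2m_count;
+ atomic_unchecked_t p2m_count;
 int p2m_jiffies;
 unsigned int p2m_timeouts;
 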
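--- a/drivers/media/pci/tw68/tw68-core.c
+++ b/drivers/media/pci/tw68/tw68-core.c
@@ -60,7 +60,7 @@ static unsigned int card[] = {[0 ... (TW68_MAXBOARDS - 1)] = UNSET };
 module_param_array(card, int, NULL, 0444);
 MODULE_PARM_DESC(card, "card type");
 
-static atomic_t tw68_instance = ATOMIC_INIT(0);
+static atomic_unchecked_t tw68_instance = ATOMIC_INIT(0);
 
 /* ------------------------------------------------------------------ */
 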
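--- a/drivers/media/platform/omap/omap_vout.c
+++ b/drivers/media/platform/omap/omap_vout.c
@@ -63,7 +63,6 @@ enum omap_vout_channels {
 OMAP_VIDEO2,
 };
 
-static struct videobuf_queue_ops video_vbq_ops;
 /* Variables configurable through module params*/
 static u32 video1_numbuffers = 3;
 static u32 video2_numbuffers = 3;
@@ -1008,6 +1007,12 @@ static int omap_vout_open(struct file *file)
 {
 struct videobuf_queue *q;
 struct omap_vout_device *vout = NULL;
+ static struct videobuf_queue_ops video_vbq_ops = {
+ .buf_setup = omap_vout_buffer_setup,
+ .buf_prepare = omap_vout_buffer_prepare,
+ .buf_release = omap_vout_buffer_release,
+ .buf_queue = omap_vout_buffer_queue,
+ };
 
 vout = video_drvdata(file);
 v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev, "Entering %s\n", __func__);
@@ -1025,10 +1030,6 @@ static int omap_vout_open(struct file *file)
 vout->type = V4L2_BUF_TYPE_VIDEO_OUTPUT;
 
 q = &vout->vbq;
- video_vbq_ops.buf_setup = omap_vout_buffer_setup;
- video_vbq_ops.buf_prepare = omap_vout_buffer_prepare;
- video_vbq_ops.buf_release = omap_vout_buffer_release;
- video_vbq_ops.buf_queue = omap_vout_buffer_queue;
 spin_lock_init(&vout->vbq_lock);
 
 videobuf_queue_dma_contig_init(q, &video_vbq_ops, q->dev,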
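--- a/drivers/media/platform/s5p-tv/mixer.h
+++ b/drivers/media/platform/s5p-tv/mixer.h
@@ -156,7 +156,7 @@ struct mxr_layer {
 /** layer index (unique identifier) */
 int idx;
 /** callbacks for layer methods */
- struct mxr_layer_ops ops;
+ struct mxr_layer_ops *ops;
 /** format array */
 const struct mxr_format **fmt_array;
 /** size of format array */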
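--- a/drivers/media/platform/s5p-tv/mixer_grp_layer.c
+++ b/drivers/media/platform/s5p-tv/mixer_grp_layer.c
@@ -235,7 +235,7 @@ struct mxr_layer *mxr_graph_layer_create(struct mxr_device *mdev, int idx)
 {
 struct mxr_layer *layer;
 int ret;
- struct mxr_layer_ops ops = {
+ static struct mxr_layer_ops ops = {
 .release = mxr_graph_layer_release,
 .buffer_set = mxr_graph_buffer_set,
 .stream_set = mxr_graph_stream_set,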
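--- a/drivers/media/platform/s5p-tv/mixer_reg.c
+++ b/drivers/media/platform/s5p-tv/mixer_reg.c
@@ -276,7 +276,7 @@ static void mxr_irq_layer_handle(struct mxr_layer *layer)
 layer->update_buf = next;
 }
 
- layer->ops.buffer_set(layer, layer->update_buf);
+ layer->ops->buffer_set(layer, layer->update_buf);
 
 if (done && done != layer->shadow_buf)
 vb2_buffer_done(&done->vb, VB2_BUF_STATE_DONE);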
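--- a/drivers/media/platform/s5p-tv/mixer_video.c
+++ b/drivers/media/platform/s5p-tv/mixer_video.c
@@ -210,7 +210,7 @@ static void mxr_layer_default_geo(struct mxr_layer *layer)
 layer->geo.src.height = layer->geo.src.full_height;
 
 mxr_geometry_dump(mdev, &layer->geo);
- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
 mxr_geometry_dump(mdev, &layer->geo);
 }
 
@@ -228,7 +228,7 @@ static void mxr_layer_update_output(struct mxr_layer *layer)
 layer->geo.dst.full_width = mbus_fmt.width;
 layer->geo.dst.full_height = mbus_fmt.height;
 layer->geo.dst.field = mbus_fmt.field;
- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
 
 mxr_geometry_dump(mdev, &layer->geo);
 }
@@ -334,7 +334,7 @@ static int mxr_s_fmt(struct file *file, void *priv,
 /* set source size to highest accepted value */
 geo->src.full_width = max(geo->dst.full_width, pix->width);
 geo->src.full_height = max(geo->dst.full_height, pix->height);
- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
 mxr_geometry_dump(mdev, &layer->geo);
 /* set cropping to total visible screen */
 geo->src.width = pix->width;
@@ -342,12 +342,12 @@ static int mxr_s_fmt(struct file *file, void *priv,
 geo->src.x_offset = 0;
 geo->src.y_offset = 0;
 /* assure consistency of geometry */
- layer->ops.fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET);
+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET);
 mxr_geometry_dump(mdev, &layer->geo);
 /* set full size to lowest possible value */
 geo->src.full_width = 0;
 geo->src.full_height = 0;
- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
 mxr_geometry_dump(mdev, &layer->geo);
 
 /* returning results */
@@ -474,7 +474,7 @@ static int mxr_s_selection(struct file *file, void *fh,
 target->width = s->r.width;
 target->height = s->r.height;
 
- layer->ops.fix_geometry(layer, stage, s->flags);
+ layer->ops->fix_geometry(layer, stage, s->flags);
 
 /* retrieve update selection rectangle */
 res.left = target->x_offset;
@@ -938,13 +938,13 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count)
 mxr_output_get(mdev);
 
 mxr_layer_update_output(layer);
- layer->ops.format_set(layer);
+ layer->ops->format_set(layer);
 /* enabling layer in hardware */
 spin_lock_irqsave(&layer->enq_slock, flags);
 layer->state = MXR_LAYER_STREAMING;
 spin_unlock_irqrestore(&layer->enq_slock, flags);
 
- layer->ops.stream_set(layer, MXR_ENABLE);
+ layer->ops->stream_set(layer, MXR_ENABLE);
 mxr_streamer_get(mdev);
 
 return 0;
@@ -1014,7 +1014,7 @@ static void stop_streaming(struct vb2_queue *vq)
 spin_unlock_irqrestore(&layer->enq_slock, flags);
 
 /* disabling layer in hardware */
- layer->ops.stream_set(layer, MXR_DISABLE);
+ layer->ops->stream_set(layer, MXR_DISABLE);
 /* remove one streamer */
 mxr_streamer_put(mdev);
 /* allow changes in output configuration */
@@ -1052,8 +1052,8 @@ void mxr_base_layer_unregister(struct mxr_layer *layer)
 
 void mxr_layer_release(struct mxr_layer *layer)
 {
- if (layer->ops.release)
- layer->ops.release(layer);
+ if (layer->ops->release)
+ layer->ops->release(layer);
 }
 
 void mxr_base_layer_release(struct mxr_layer *layer)
@@ -1079,7 +1079,7 @@ struct mxr_layer *mxr_base_layer_create(struct mxr_device *mdev,
 
 layer->mdev = mdev;
 layer->idx = idx;
- layer->ops = *ops;
+ layer->ops = ops;
 
 spin_lock_init(&layer->enq_slock);
 INIT_LIST_HEAD(&layer->enq_list);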
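Review bot: `layer->ops = ops;` in mxr_base_layer_create() keeps the caller's pointer where the old code copied the table, so the ops structure now has to outlive every layer that uses it, and nothing in this section states that requirement. The two callers shown on this page were changed to `static struct mxr_layer_ops ops`, but a caller that still passes a stack-local table would leave `layer->ops` dangling, and every `layer->ops->...` call in this file would then dispatch through stale memory. I would add `/* ops is stored by reference; it must have static storage duration */` above the assignment. If the parameter type allows it (the signature is cut off in the hunk header), declaring the field and parameter as `const struct mxr_layer_ops *` would also keep the table from being written after creation. mxr_base_layer_create() starts and ends outside the hunk.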
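--- a/drivers/media/platform/s5p-tv/mixer_vp_layer.c
+++ b/drivers/media/platform/s5p-tv/mixer_vp_layer.c
@@ -206,7 +206,7 @@ struct mxr_layer *mxr_vp_layer_create(struct mxr_device *mdev, int idx)
 {
 struct mxr_layer *layer;
 int ret;
- struct mxr_layer_ops ops = {
+ static struct mxr_layer_ops ops = {
 .release = mxr_vp_layer_release,
 .buffer_set = mxr_vp_buffer_set,
 .stream_set = mxr_vp_stream_set,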
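--- a/drivers/media/radio/radio-cadet.c
+++ b/drivers/media/radio/radio-cadet.c
@@ -333,6 +333,8 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
 unsigned char readbuf[RDS_BUFFER];
 int i = 0;
 
+ if (count > RDS_BUFFER)
+ return -EFAULT;
 mutex_lock(&dev->lock);
 if (dev->rdsstat == 0)
 cadet_start_rds(dev);
@@ -349,8 +351,9 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
 mutex_unlock(&dev->lock);
 
- if (i && copy_to_user(data, readbuf, i))
- return -EFAULT;
+ if (i > sizeof(readbuf) || (i && copy_to_user(data, readbuf, i)))
+ i = -EFAULT;
+
 return i;
 }
 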
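Review bot: The new guard `if (count > RDS_BUFFER) return -EFAULT;` in cadet_read() turns every read with a buffer larger than RDS_BUFFER into a hard failure, and -EFAULT reports it as a bad user pointer when the pointer may be fine. Clamping keeps the bound on `readbuf` without rejecting such callers: `count = min_t(size_t, count, sizeof(readbuf));`. The later `i > sizeof(readbuf)` test compares a signed `int` with a `size_t`, and it should be unreachable once `count` is bounded, assuming the copy loop stops at `count` (its condition lies between the two hunks and is not shown). The function body starts before the first hunk.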
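--- a/drivers/media/radio/radio-maxiradio.c
+++ b/drivers/media/radio/radio-maxiradio.c
@@ -61,7 +61,7 @@ MODULE_PARM_DESC(radio_nr, "Radio device number");
 /* TEA5757 pin mappings */
 static const int clk = 1, data = 2, wren = 4, mo_st = 8, power = 16;
 
-static atomic_t maxiradio_instance = ATOMIC_INIT(0);
+static atomic_unchecked_t maxiradio_instance = ATOMIC_INIT(0);
 
 #define PCI_VENDOR_ID_GUILLEMOT 0x5046
 #define PCI_DEVICE_ID_GUILLEMOT_MAXIRADIO 0x1001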
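--- a/drivers/media/radio/radio-shark.c
+++ b/drivers/media/radio/radio-shark.c
@@ -79,7 +79,7 @@ struct shark_device {
 u32 last_val;
 };
 
-static atomic_t shark_instance = ATOMIC_INIT(0);
+static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
 
 static void shark_write_val(struct snd_tea575x *tea, u32 val)
 {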
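--- a/drivers/media/radio/radio-shark2.c
+++ b/drivers/media/radio/radio-shark2.c
@@ -74,7 +74,7 @@ struct shark_device {
 u8 *transfer_buffer;
 };
 
-static atomic_t shark_instance = ATOMIC_INIT(0);
+static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
 
 static int shark_write_reg(struct radio_tea5777 *tea, u64 reg)
 {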
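--- a/drivers/media/radio/radio-si476x.c
+++ b/drivers/media/radio/radio-si476x.c
@@ -1445,7 +1445,7 @@ static int si476x_radio_probe(struct platform_device *pdev)
 struct si476x_radio *radio;
 struct v4l2_ctrl *ctrl;
 
- static atomic_t instance = ATOMIC_INIT(0);
+ static atomic_unchecked_t instance = ATOMIC_INIT(0);
 
 radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
 if (!radio)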
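--- a/drivers/media/radio/wl128x/fmdrv_common.c
+++ b/drivers/media/radio/wl128x/fmdrv_common.c
@@ -71,7 +71,7 @@ module_param(default_rds_buf, uint, 0444);
 MODULE_PARM_DESC(rds_buf, "RDS buffer entries");
 
 /* Radio Nr */
-static u32 radio_nr = -1;
+static int radio_nr = -1;
 module_param(radio_nr, int, 0444);
 MODULE_PARM_DESC(radio_nr, "Radio Nr");
 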
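--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
+++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties cinergyt2_properties;
 
 static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
 {
- char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
- char result[64];
- return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
- sizeof(result), 0);
+ char *buf;
+ char *result;
+ int retval;
+
+ buf = kmalloc(2, GFP_KERNEL);
+ if (buf == NULL)
+ return -ENOMEM;
+ result = kmalloc(64, GFP_KERNEL);
+ if (result == NULL) {
+ kfree(buf);
+ return -ENOMEM;
+ }
+
+ buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
+ buf[1] = enable ? 1 : 0;
+
+ retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
+
+ kfree(buf);
+ kfree(result);
+ return retval;
 }
 
 static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
 {
- char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
- char state[3];
- return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
+ char *buf;
+ char *state;
+ int retval;
+
+ buf = kmalloc(2, GFP_KERNEL);
+ if (buf == NULL)
+ return -ENOMEM;
+ state = kmalloc(3, GFP_KERNEL);
+ if (state == NULL) {
+ kfree(buf);
+ return -ENOMEM;
+ }
+
+ buf[0] = CINERGYT2_EP1_SLEEP_MODE;
+ buf[1] = enable ? 1 : 0;
+
+ retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
+
+ kfree(buf);
+ kfree(state);
+ return retval;
 }
 
 static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
 {
- char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
- char state[3];
+ char *query;
+ char *state;
 int ret;
+ query = kmalloc(1, GFP_KERNEL);
+ if (query == NULL)
+ return -ENOMEM;
+ state = kmalloc(3, GFP_KERNEL);
+ if (state == NULL) {
+ kfree(query);
+ return -ENOMEM;
+ }
+
+ query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
 
 adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
 
- ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
- sizeof(state), 0);
+ ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
 if (ret < 0) {
 deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
 "state info\n");
@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
 
 /* Copy this pointer as we are gonna need it in the release phase */
 cinergyt2_usb_device = adap->dev;
-
+ kfree(query);
+ kfree(state);
 return 0;
 }
 
@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
 static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
 {
 struct cinergyt2_state *st = d->priv;
- u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
+ u8 *key, *cmd;
 int i;
 
+ cmd = kmalloc(1, GFP_KERNEL);
+ if (cmd == NULL)
+ return -EINVAL;
+ key = kzalloc(5, GFP_KERNEL);
+ if (key == NULL) {
+ kfree(cmd);
+ return -EINVAL;
+ }
+
+ cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
+
 *state = REMOTE_NO_KEY_PRESSED;
 
- dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
+ dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
 if (key[4] == 0xff) {
 /* key repeat */
 st->rc_counter++;
@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
 *event = d->last_event;
 deb_rc("repeat key, event %x\n",
 *event);
- return 0;
+ goto out;
 }
 }
 deb_rc("repeated key (non repeatable)\n");
 }
- return 0;
+ goto out;
 }
 
 /* hack to pass checksum on the custom field */
@@ -174,6 +230,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
 
 deb_rc("key: %*ph\n", 5, key);
 }
+out:
+ kfree(cmd);
+ kfree(key);
 return 0;
 }
 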
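Review bot: cinergyt2_power_ctrl() now sends the opposite sleep-mode byte: the removed initializer was `{ CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 }`, while the new code sets `buf[1] = enable ? 1 : 0;`, so the move to heap buffers also flips the meaning of `enable`. Nothing in the section suggests the inversion is intended; the line should read `buf[1] = enable ? 0 : 1;`. Separately, cinergyt2_rc_query() returns `-EINVAL` when `kmalloc`/`kzalloc` fails, where the other three converted functions return `-ENOMEM`; `return -ENOMEM;` would report the failure accurately. The transfer lengths 2, 64, 3, 1 and 5 are now repeated as literals in both the allocation and the `dvb_usb_generic_rw()` call, so a named constant per buffer would keep the two from drifting apart.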
47876diff --git a/drivers/media/usb/dvb-usb/cinergyT2-fe.c b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
47877index b3ec743..9c0e418 100644
47878--- a/drivers/media/usb/dvb-usb/cinergyT2-fe.c
47879+++ b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
47880@@ -145,103 +145,176 @@ static int cinergyt2_fe_read_status(struct dvb_frontend *fe,
47881 enum fe_status *status)
47882 {
47883 struct cinergyt2_fe_state *state = fe->demodulator_priv;
47884- struct dvbt_get_status_msg result;
47885- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
47886+ struct dvbt_get_status_msg *result;
47887+ u8 *cmd;
47888 int ret;
47889
47890- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
47891- sizeof(result), 0);
47892+ cmd = kmalloc(1, GFP_KERNEL);
47893+ if (cmd == NULL)
47894+ return -ENOMEM;
47895+ result = kmalloc(sizeof(*result), GFP_KERNEL);
47896+ if (result == NULL) {
47897+ kfree(cmd);
47898+ return -ENOMEM;
47899+ }
47900+
47901+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
47902+
47903+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
47904+ sizeof(*result), 0);
47905 if (ret < 0)
47906- return ret;
47907+ goto out;
47908
47909 *status = 0;
47910
47911- if (0xffff - le16_to_cpu(result.gain) > 30)
47912+ if (0xffff - le16_to_cpu(result->gain) > 30)
47913 *status |= FE_HAS_SIGNAL;
47914- if (result.lock_bits & (1 << 6))
47915+ if (result->lock_bits & (1 << 6))
47916 *status |= FE_HAS_LOCK;
47917- if (result.lock_bits & (1 << 5))
47918+ if (result->lock_bits & (1 << 5))
47919 *status |= FE_HAS_SYNC;
47920- if (result.lock_bits & (1 << 4))
47921+ if (result->lock_bits & (1 << 4))
47922 *status |= FE_HAS_CARRIER;
47923- if (result.lock_bits & (1 << 1))
47924+ if (result->lock_bits & (1 << 1))
47925 *status |= FE_HAS_VITERBI;
47926
47927 if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
47928 (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
47929 *status &= ~FE_HAS_LOCK;
47930
47931- return 0;
47932+out:
47933+ kfree(cmd);
47934+ kfree(result);
47935+ return ret;
47936 }
47937
47938 static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
47939 {
47940 struct cinergyt2_fe_state *state = fe->demodulator_priv;
47941- struct dvbt_get_status_msg status;
47942- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
47943+ struct dvbt_get_status_msg *status;
47944+ char *cmd;
47945 int ret;
47946
47947- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
47948- sizeof(status), 0);
47949+ cmd = kmalloc(1, GFP_KERNEL);
47950+ if (cmd == NULL)
47951+ return -ENOMEM;
47952+ status = kmalloc(sizeof(*status), GFP_KERNEL);
47953+ if (status == NULL) {
47954+ kfree(cmd);
47955+ return -ENOMEM;
47956+ }
47957+
47958+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
47959+
47960+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
47961+ sizeof(*status), 0);
47962 if (ret < 0)
47963- return ret;
47964+ goto out;
47965
47966- *ber = le32_to_cpu(status.viterbi_error_rate);
47967+ *ber = le32_to_cpu(status->viterbi_error_rate);
47968+out:
47969+ kfree(cmd);
47970+ kfree(status);
47971 return 0;
47972 }
47973
47974 static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
47975 {
47976 struct cinergyt2_fe_state *state = fe->demodulator_priv;
47977- struct dvbt_get_status_msg status;
47978- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
47979+ struct dvbt_get_status_msg *status;
47980+ u8 *cmd;
47981 int ret;
47982
47983- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
47984- sizeof(status), 0);
47985+ cmd = kmalloc(1, GFP_KERNEL);
47986+ if (cmd == NULL)
47987+ return -ENOMEM;
47988+ status = kmalloc(sizeof(*status), GFP_KERNEL);
47989+ if (status == NULL) {
47990+ kfree(cmd);
47991+ return -ENOMEM;
47992+ }
47993+
47994+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
47995+
47996+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
47997+ sizeof(*status), 0);
47998 if (ret < 0) {
47999 err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
48000 ret);
48001- return ret;
48002+ goto out;
48003 }
48004- *unc = le32_to_cpu(status.uncorrected_block_count);
48005- return 0;
48006+ *unc = le32_to_cpu(status->uncorrected_block_count);
48007+
48008+out:
48009+ kfree(cmd);
48010+ kfree(status);
48011+ return ret;
48012 }
48013
48014 static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
48015 u16 *strength)
48016 {
48017 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48018- struct dvbt_get_status_msg status;
48019- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48020+ struct dvbt_get_status_msg *status;
48021+ char *cmd;
48022 int ret;
48023
48024- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
48025- sizeof(status), 0);
48026+ cmd = kmalloc(1, GFP_KERNEL);
48027+ if (cmd == NULL)
48028+ return -ENOMEM;
48029+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48030+ if (status == NULL) {
48031+ kfree(cmd);
48032+ return -ENOMEM;
48033+ }
48034+
48035+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48036+
48037+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
48038+ sizeof(*status), 0);
48039 if (ret < 0) {
48040 err("cinergyt2_fe_read_signal_strength() Failed!"
48041 " (Error=%d)\n", ret);
48042- return ret;
48043+ goto out;
48044 }
48045- *strength = (0xffff - le16_to_cpu(status.gain));
48046+ *strength = (0xffff - le16_to_cpu(status->gain));
48047+
48048+out:
48049+ kfree(cmd);
48050+ kfree(status);
48051 return 0;
48052 }
48053
48054 static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
48055 {
48056 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48057- struct dvbt_get_status_msg status;
48058- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48059+ struct dvbt_get_status_msg *status;
48060+ char *cmd;
48061 int ret;
48062
48063- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
48064- sizeof(status), 0);
48065+ cmd = kmalloc(1, GFP_KERNEL);
48066+ if (cmd == NULL)
48067+ return -ENOMEM;
48068+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48069+ if (status == NULL) {
48070+ kfree(cmd);
48071+ return -ENOMEM;
48072+ }
48073+
48074+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48075+
48076+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
48077+ sizeof(*status), 0);
48078 if (ret < 0) {
48079 err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
48080- return ret;
48081+ goto out;
48082 }
48083- *snr = (status.snr << 8) | status.snr;
48084- return 0;
48085+ *snr = (status->snr << 8) | status->snr;
48086+
48087+out:
48088+ kfree(cmd);
48089+ kfree(status);
48090+ return ret;
48091 }
48092
48093 static int cinergyt2_fe_init(struct dvb_frontend *fe)
48094@@ -266,35 +339,46 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend *fe)
48095 {
48096 struct dtv_frontend_properties *fep = &fe->dtv_property_cache;
48097 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48098- struct dvbt_set_parameters_msg param;
48099- char result[2];
48100+ struct dvbt_set_parameters_msg *param;
48101+ char *result;
48102 int err;
48103
48104- param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
48105- param.tps = cpu_to_le16(compute_tps(fep));
48106- param.freq = cpu_to_le32(fep->frequency / 1000);
48107- param.flags = 0;
48108+ result = kmalloc(2, GFP_KERNEL);
48109+ if (result == NULL)
48110+ return -ENOMEM;
48111+ param = kmalloc(sizeof(*param), GFP_KERNEL);
48112+ if (param == NULL) {
48113+ kfree(result);
48114+ return -ENOMEM;
48115+ }
48116+
48117+ param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
48118+ param->tps = cpu_to_le16(compute_tps(fep));
48119+ param->freq = cpu_to_le32(fep->frequency / 1000);
48120+ param->flags = 0;
48121
48122 switch (fep->bandwidth_hz) {
48123 default:
48124 case 8000000:
48125- param.bandwidth = 8;
48126+ param->bandwidth = 8;
48127 break;
48128 case 7000000:
48129- param.bandwidth = 7;
48130+ param->bandwidth = 7;
48131 break;
48132 case 6000000:
48133- param.bandwidth = 6;
48134+ param->bandwidth = 6;
48135 break;
48136 }
48137
48138 err = dvb_usb_generic_rw(state->d,
48139- (char *)&param, sizeof(param),
48140- result, sizeof(result), 0);
48141+ (char *)param, sizeof(*param),
48142+ result, 2, 0);
48143 if (err < 0)
48144 err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
48145
48146- return (err < 0) ? err : 0;
48147+ kfree(result);
48148+ kfree(param);
48149+ return err;
48150 }
48151
48152 static void cinergyt2_fe_release(struct dvb_frontend *fe)
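Review bot: The exit paths in this file are inconsistent after the move to heap buffers. This function ends with `return err;`, and cinergyt2_fe_read_unc_blocks and cinergyt2_fe_read_snr end with `return ret;`, but cinergyt2_fe_read_ber and cinergyt2_fe_read_signal_strength in the preceding hunk still end with `return 0;` after the `out:` label. Their `goto out` failure path therefore reports success while `*ber` / `*strength` are never written; both should end with `return ret;`. In this hunk, `return err;` also drops the old `(err < 0) ? err : 0` clamp, which only matters if dvb_usb_generic_rw can return a positive value, and that is not visible here.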
48153diff --git a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48154index 733a7ff..f8b52e3 100644
48155--- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48156+++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48157@@ -35,42 +35,57 @@ static int usb_cypress_writemem(struct usb_device *udev,u16 addr,u8 *data, u8 le
48158
48159 int usb_cypress_load_firmware(struct usb_device *udev, const struct firmware *fw, int type)
48160 {
48161- struct hexline hx;
48162- u8 reset;
48163+ struct hexline *hx;
48164+ u8 *reset;
48165 int ret,pos=0;
48166
48167+ reset = kmalloc(1, GFP_KERNEL);
48168+ if (reset == NULL)
48169+ return -ENOMEM;
48170+
48171+ hx = kmalloc(sizeof(struct hexline), GFP_KERNEL);
48172+ if (hx == NULL) {
48173+ kfree(reset);
48174+ return -ENOMEM;
48175+ }
48176+
48177 /* stop the CPU */
48178- reset = 1;
48179- if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1)) != 1)
48180+ reset[0] = 1;
48181+ if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1)) != 1)
48182 err("could not stop the USB controller CPU.");
48183
48184- while ((ret = dvb_usb_get_hexline(fw,&hx,&pos)) > 0) {
48185- deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx.addr,hx.len,hx.chk);
48186- ret = usb_cypress_writemem(udev,hx.addr,hx.data,hx.len);
48187+ while ((ret = dvb_usb_get_hexline(fw,hx,&pos)) > 0) {
48188+ deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx->addr,hx->len,hx->chk);
48189+ ret = usb_cypress_writemem(udev,hx->addr,hx->data,hx->len);
48190
48191- if (ret != hx.len) {
48192+ if (ret != hx->len) {
48193 err("error while transferring firmware "
48194 "(transferred size: %d, block size: %d)",
48195- ret,hx.len);
48196+ ret,hx->len);
48197 ret = -EINVAL;
48198 break;
48199 }
48200 }
48201 if (ret < 0) {
48202 err("firmware download failed at %d with %d",pos,ret);
48203+ kfree(reset);
48204+ kfree(hx);
48205 return ret;
48206 }
48207
48208 if (ret == 0) {
48209 /* restart the CPU */
48210- reset = 0;
48211- if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1) != 1) {
48212+ reset[0] = 0;
48213+ if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1) != 1) {
48214 err("could not restart the USB controller CPU.");
48215 ret = -EINVAL;
48216 }
48217 } else
48218 ret = -EIO;
48219
48220+ kfree(reset);
48221+ kfree(hx);
48222+
48223 return ret;
48224 }
48225 EXPORT_SYMBOL(usb_cypress_load_firmware);
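Review bot: The cleanup is written twice, once inside `if (ret < 0) { ... }` and once before the final `return ret;`, so a later edit can free in one place and forget the other. A single exit label would match the cinergyt2 hunks of the same patch: replace the two `kfree()` calls and the `return ret;` in the error branch with `goto out;` and put `out:` in front of the final `kfree(reset); kfree(hx);`. `kmalloc(sizeof(struct hexline), GFP_KERNEL)` would also read better as `kmalloc(sizeof(*hx), GFP_KERNEL)`, as the other converted drivers do. A one-line comment such as `/* USB transfer buffers must not live on the stack */` above the allocations would record why two tiny objects are heap-allocated.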
48226diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
48227index 03f334d..0986492 100644
48228--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
48229+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
48230@@ -87,8 +87,11 @@ struct technisat_usb2_state {
48231 static int technisat_usb2_i2c_access(struct usb_device *udev,
48232 u8 device_addr, u8 *tx, u8 txlen, u8 *rx, u8 rxlen)
48233 {
48234- u8 b[64];
48235- int ret, actual_length;
48236+ u8 *b = kmalloc(64, GFP_KERNEL);
48237+ int ret, actual_length, error = 0;
48238+
48239+ if (b == NULL)
48240+ return -ENOMEM;
48241
48242 deb_i2c("i2c-access: %02x, tx: ", device_addr);
48243 debug_dump(tx, txlen, deb_i2c);
48244@@ -121,7 +124,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48245
48246 if (ret < 0) {
48247 err("i2c-error: out failed %02x = %d", device_addr, ret);
48248- return -ENODEV;
48249+ error = -ENODEV;
48250+ goto out;
48251 }
48252
48253 ret = usb_bulk_msg(udev,
48254@@ -129,7 +133,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48255 b, 64, &actual_length, 1000);
48256 if (ret < 0) {
48257 err("i2c-error: in failed %02x = %d", device_addr, ret);
48258- return -ENODEV;
48259+ error = -ENODEV;
48260+ goto out;
48261 }
48262
48263 if (b[0] != I2C_STATUS_OK) {
48264@@ -137,8 +142,10 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48265 /* handle tuner-i2c-nak */
48266 if (!(b[0] == I2C_STATUS_NAK &&
48267 device_addr == 0x60
48268- /* && device_is_technisat_usb2 */))
48269- return -ENODEV;
48270+ /* && device_is_technisat_usb2 */)) {
48271+ error = -ENODEV;
48272+ goto out;
48273+ }
48274 }
48275
48276 deb_i2c("status: %d, ", b[0]);
48277@@ -152,7 +159,9 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48278
48279 deb_i2c("\n");
48280
48281- return 0;
48282+out:
48283+ kfree(b);
48284+ return error;
48285 }
48286
48287 static int technisat_usb2_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msg,
48288@@ -224,14 +233,16 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni
48289 {
48290 int ret;
48291
48292- u8 led[8] = {
48293- red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST,
48294- 0
48295- };
48296+ u8 *led = kzalloc(8, GFP_KERNEL);
48297+
48298+ if (led == NULL)
48299+ return -ENOMEM;
48300
48301 if (disable_led_control && state != TECH_LED_OFF)
48302 return 0;
48303
48304+ led[0] = red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST;
48305+
48306 switch (state) {
48307 case TECH_LED_ON:
48308 led[1] = 0x82;
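Review bot: `led` is allocated in its declaration, but the following `if (disable_led_control && state != TECH_LED_OFF) return 0;` returns without freeing it, so every suppressed LED update leaks the 8-byte buffer. Declare `u8 *led;` and move `led = kzalloc(8, GFP_KERNEL);` and its NULL check below that early return. technisat_usb2_set_led_timer in the next hunk has the same defect: `b` is allocated before `mutex_lock_interruptible()` and the `return -EAGAIN;` path does not free it, so `kfree(b);` is needed before that return. technisat_usb2_set_led continues outside this hunk, so any other early return before the `kfree(led)` added later needs the same check, as does the code that follows `kmalloc(62, GFP_KERNEL)` in technisat_usb2_get_ir.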
48309@@ -263,16 +274,22 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni
48310 red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST,
48311 USB_TYPE_VENDOR | USB_DIR_OUT,
48312 0, 0,
48313- led, sizeof(led), 500);
48314+ led, 8, 500);
48315
48316 mutex_unlock(&d->i2c_mutex);
48317+
48318+ kfree(led);
48319+
48320 return ret;
48321 }
48322
48323 static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 green)
48324 {
48325 int ret;
48326- u8 b = 0;
48327+ u8 *b = kzalloc(1, GFP_KERNEL);
48328+
48329+ if (b == NULL)
48330+ return -ENOMEM;
48331
48332 if (mutex_lock_interruptible(&d->i2c_mutex) < 0)
48333 return -EAGAIN;
48334@@ -281,10 +298,12 @@ static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 gre
48335 SET_LED_TIMER_DIVIDER_VENDOR_REQUEST,
48336 USB_TYPE_VENDOR | USB_DIR_OUT,
48337 (red << 8) | green, 0,
48338- &b, 1, 500);
48339+ b, 1, 500);
48340
48341 mutex_unlock(&d->i2c_mutex);
48342
48343+ kfree(b);
48344+
48345 return ret;
48346 }
48347
48348@@ -328,7 +347,7 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48349 struct dvb_usb_device_description **desc, int *cold)
48350 {
48351 int ret;
48352- u8 version[3];
48353+ u8 *version = kmalloc(3, GFP_KERNEL);
48354
48355 /* first select the interface */
48356 if (usb_set_interface(udev, 0, 1) != 0)
48357@@ -338,11 +357,14 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48358
48359 *cold = 0; /* by default do not download a firmware - just in case something is wrong */
48360
48361+ if (version == NULL)
48362+ return 0;
48363+
48364 ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
48365 GET_VERSION_INFO_VENDOR_REQUEST,
48366 USB_TYPE_VENDOR | USB_DIR_IN,
48367 0, 0,
48368- version, sizeof(version), 500);
48369+ version, 3, 500);
48370
48371 if (ret < 0)
48372 *cold = 1;
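Review bot: When `kmalloc(3, GFP_KERNEL)` fails, the added `if (version == NULL) return 0;` reports success with `*cold` still 0, which a caller cannot tell apart from a device that answered the version request. Returning `-ENOMEM`, or at least logging through `err()`, would make the failure visible; whether the caller checks the return value cannot be seen from these hunks. The allocation sits in the declaration in the previous hunk, before `usb_set_interface()`, while the NULL check only appears here. Assigning `version = kmalloc(3, GFP_KERNEL);` directly above the check would keep the two together.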
48373@@ -351,6 +373,8 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48374 *cold = 0;
48375 }
48376
48377+ kfree(version);
48378+
48379 return 0;
48380 }
48381
48382@@ -594,10 +618,15 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
48383
48384 static int technisat_usb2_get_ir(struct dvb_usb_device *d)
48385 {
48386- u8 buf[62], *b;
48387+ u8 *buf, *b;
48388 int ret;
48389 struct ir_raw_event ev;
48390
48391+ buf = kmalloc(62, GFP_KERNEL);
48392+
48393+ if (buf == NULL)
48394+ return -ENOMEM;
48395+
48396 buf[0] = GET_IR_DATA_VENDOR_REQUEST;
48397 buf[1] = 0x08;
48398 buf[2] = 0x8f;
48399@@ -620,16 +649,20 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
48400 GET_IR_DATA_VENDOR_REQUEST,
48401 USB_TYPE_VENDOR | USB_DIR_IN,
48402 0x8080, 0,
48403- buf, sizeof(buf), 500);
48404+ buf, 62, 500);
48405
48406 unlock:
48407 mutex_unlock(&d->i2c_mutex);
48408
48409- if (ret < 0)
48410+ if (ret < 0) {
48411+ kfree(buf);
48412 return ret;
48413+ }
48414
48415- if (ret == 1)
48416+ if (ret == 1) {
48417+ kfree(buf);
48418 return 0; /* no key pressed */
48419+ }
48420
48421 /* decoding */
48422 b = buf+1;
48423@@ -656,6 +689,8 @@ unlock:
48424
48425 ir_raw_event_handle(d->rc_dev);
48426
48427+ kfree(buf);
48428+
48429 return 1;
48430 }
48431
48432diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
48433index af63543..0436f20 100644
48434--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
48435+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
48436@@ -429,7 +429,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
48437 * by passing a very big num_planes value */
48438 uplane = compat_alloc_user_space(num_planes *
48439 sizeof(struct v4l2_plane));
48440- kp->m.planes = (__force struct v4l2_plane *)uplane;
48441+ kp->m.planes = (__force_kernel struct v4l2_plane *)uplane;
48442
48443 while (--num_planes >= 0) {
48444 ret = get_v4l2_plane32(uplane, uplane32, kp->memory);
48445@@ -500,7 +500,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
48446 if (num_planes == 0)
48447 return 0;
48448
48449- uplane = (__force struct v4l2_plane __user *)kp->m.planes;
48450+ uplane = (struct v4l2_plane __force_user *)kp->m.planes;
48451 if (get_user(p, &up->m.planes))
48452 return -EFAULT;
48453 uplane32 = compat_ptr(p);
48454@@ -564,7 +564,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame
48455 get_user(kp->flags, &up->flags) ||
48456 copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt)))
48457 return -EFAULT;
48458- kp->base = (__force void *)compat_ptr(tmp);
48459+ kp->base = (__force_kernel void *)compat_ptr(tmp);
48460 return 0;
48461 }
48462
48463@@ -669,7 +669,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext
48464 n * sizeof(struct v4l2_ext_control32)))
48465 return -EFAULT;
48466 kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control));
48467- kp->controls = (__force struct v4l2_ext_control *)kcontrols;
48468+ kp->controls = (__force_kernel struct v4l2_ext_control *)kcontrols;
48469 while (--n >= 0) {
48470 u32 id;
48471
48472@@ -696,7 +696,7 @@ static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext
48473 {
48474 struct v4l2_ext_control32 __user *ucontrols;
48475 struct v4l2_ext_control __user *kcontrols =
48476- (__force struct v4l2_ext_control __user *)kp->controls;
48477+ (struct v4l2_ext_control __force_user *)kp->controls;
48478 int n = kp->count;
48479 compat_caddr_t p;
48480
48481@@ -780,7 +780,7 @@ static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
48482 get_user(tmp, &up->edid) ||
48483 copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
48484 return -EFAULT;
48485- kp->edid = (__force u8 *)compat_ptr(tmp);
48486+ kp->edid = (__force_kernel u8 *)compat_ptr(tmp);
48487 return 0;
48488 }
48489
48490diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c
48491index 5b0a30b..1974b38 100644
48492--- a/drivers/media/v4l2-core/v4l2-device.c
48493+++ b/drivers/media/v4l2-core/v4l2-device.c
48494@@ -74,9 +74,9 @@ int v4l2_device_put(struct v4l2_device *v4l2_dev)
48495 EXPORT_SYMBOL_GPL(v4l2_device_put);
48496
48497 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
48498- atomic_t *instance)
48499+ atomic_unchecked_t *instance)
48500 {
48501- int num = atomic_inc_return(instance) - 1;
48502+ int num = atomic_inc_return_unchecked(instance) - 1;
48503 int len = strlen(basename);
48504
48505 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
48506diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
48507index 85de455..4987854 100644
48508--- a/drivers/media/v4l2-core/v4l2-ioctl.c
48509+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
48510@@ -2341,7 +2341,8 @@ struct v4l2_ioctl_info {
48511 struct file *file, void *fh, void *p);
48512 } u;
48513 void (*debug)(const void *arg, bool write_only);
48514-};
48515+} __do_const;
48516+typedef struct v4l2_ioctl_info __no_const v4l2_ioctl_info_no_const;
48517
48518 /* This control needs a priority check */
48519 #define INFO_FL_PRIO (1 << 0)
48520@@ -2525,7 +2526,7 @@ static long __video_do_ioctl(struct file *file,
48521 struct video_device *vfd = video_devdata(file);
48522 const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;
48523 bool write_only = false;
48524- struct v4l2_ioctl_info default_info;
48525+ v4l2_ioctl_info_no_const default_info;
48526 const struct v4l2_ioctl_info *info;
48527 void *fh = file->private_data;
48528 struct v4l2_fh *vfh = NULL;
48529@@ -2616,7 +2617,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
48530 ret = -EINVAL;
48531 break;
48532 }
48533- *user_ptr = (void __user *)buf->m.planes;
48534+ *user_ptr = (void __force_user *)buf->m.planes;
48535 *kernel_ptr = (void **)&buf->m.planes;
48536 *array_size = sizeof(struct v4l2_plane) * buf->length;
48537 ret = 1;
48538@@ -2633,7 +2634,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
48539 ret = -EINVAL;
48540 break;
48541 }
48542- *user_ptr = (void __user *)edid->edid;
48543+ *user_ptr = (void __force_user *)edid->edid;
48544 *kernel_ptr = (void **)&edid->edid;
48545 *array_size = edid->blocks * 128;
48546 ret = 1;
48547@@ -2651,7 +2652,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
48548 ret = -EINVAL;
48549 break;
48550 }
48551- *user_ptr = (void __user *)ctrls->controls;
48552+ *user_ptr = (void __force_user *)ctrls->controls;
48553 *kernel_ptr = (void **)&ctrls->controls;
48554 *array_size = sizeof(struct v4l2_ext_control)
48555 * ctrls->count;
48556@@ -2752,7 +2753,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
48557 }
48558
48559 if (has_array_args) {
48560- *kernel_ptr = (void __force *)user_ptr;
48561+ *kernel_ptr = (void __force_kernel *)user_ptr;
48562 if (copy_to_user(user_ptr, mbuf, array_size))
48563 err = -EFAULT;
48564 goto out_array_args;
48565diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
48566index 9426276..9abd11e 100644
48567--- a/drivers/memory/omap-gpmc.c
48568+++ b/drivers/memory/omap-gpmc.c
48569@@ -232,7 +232,6 @@ struct omap3_gpmc_regs {
48570 };
48571
48572 static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ];
48573-static struct irq_chip gpmc_irq_chip;
48574 static int gpmc_irq_start;
48575
48576 static struct resource gpmc_mem_root;
48577@@ -1146,6 +1145,17 @@ static void gpmc_irq_noop(struct irq_data *data) { }
48578
48579 static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; }
48580
48581+static struct irq_chip gpmc_irq_chip = {
48582+ .name = "gpmc",
48583+ .irq_startup = gpmc_irq_noop_ret,
48584+ .irq_enable = gpmc_irq_enable,
48585+ .irq_disable = gpmc_irq_disable,
48586+ .irq_shutdown = gpmc_irq_noop,
48587+ .irq_ack = gpmc_irq_noop,
48588+ .irq_mask = gpmc_irq_noop,
48589+ .irq_unmask = gpmc_irq_noop,
48590+};
48591+
48592 static int gpmc_setup_irq(void)
48593 {
48594 int i;
48595@@ -1160,15 +1170,6 @@ static int gpmc_setup_irq(void)
48596 return gpmc_irq_start;
48597 }
48598
48599- gpmc_irq_chip.name = "gpmc";
48600- gpmc_irq_chip.irq_startup = gpmc_irq_noop_ret;
48601- gpmc_irq_chip.irq_enable = gpmc_irq_enable;
48602- gpmc_irq_chip.irq_disable = gpmc_irq_disable;
48603- gpmc_irq_chip.irq_shutdown = gpmc_irq_noop;
48604- gpmc_irq_chip.irq_ack = gpmc_irq_noop;
48605- gpmc_irq_chip.irq_mask = gpmc_irq_noop;
48606- gpmc_irq_chip.irq_unmask = gpmc_irq_noop;
48607-
48608 gpmc_client_irq[0].bitmask = GPMC_IRQ_FIFOEVENTENABLE;
48609 gpmc_client_irq[1].bitmask = GPMC_IRQ_COUNT_EVENT;
48610
48611diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
48612index 5dcc031..e08ecd2 100644
48613--- a/drivers/message/fusion/mptbase.c
48614+++ b/drivers/message/fusion/mptbase.c
48615@@ -6722,8 +6722,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
48616 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
48617 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
48618
48619+#ifdef CONFIG_GRKERNSEC_HIDESYM
48620+ seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
48621+#else
48622 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
48623 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
48624+#endif
48625+
48626 /*
48627 * Rounding UP to nearest 4-kB boundary here...
48628 */
48629@@ -6736,7 +6741,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
48630 ioc->facts.GlobalCredits);
48631
48632 seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n",
48633+#ifdef CONFIG_GRKERNSEC_HIDESYM
48634+ NULL, NULL);
48635+#else
48636 (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma);
48637+#endif
48638 sz = (ioc->reply_sz * ioc->reply_depth) + 128;
48639 seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n",
48640 ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz);
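Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` here is placed inside the argument list of `seq_printf()`, whereas the previous hunk in the same function duplicates the whole statement instead. Preprocessor directives inside a call's arguments are only well defined while `seq_printf` is a real function and not a macro, and they are harder to read. Use the form of the first hunk in both places. In both hunks the hidden branch passes `NULL` to `0x%p`, so the line still prints a placeholder value after `0x`. A comment such as `/* addresses withheld under HIDESYM; line kept for parsers */` would say whether keeping that output format is intended.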
48641diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
48642index 005a88b..5a90fbb 100644
48643--- a/drivers/message/fusion/mptsas.c
48644+++ b/drivers/message/fusion/mptsas.c
48645@@ -446,6 +446,23 @@ mptsas_is_end_device(struct mptsas_devinfo * attached)
48646 return 0;
48647 }
48648
48649+static inline void
48650+mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
48651+{
48652+ if (phy_info->port_details) {
48653+ phy_info->port_details->rphy = rphy;
48654+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
48655+ ioc->name, rphy));
48656+ }
48657+
48658+ if (rphy) {
48659+ dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
48660+ &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
48661+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
48662+ ioc->name, rphy, rphy->dev.release));
48663+ }
48664+}
48665+
48666 /* no mutex */
48667 static void
48668 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
48669@@ -484,23 +501,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *phy_info)
48670 return NULL;
48671 }
48672
48673-static inline void
48674-mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
48675-{
48676- if (phy_info->port_details) {
48677- phy_info->port_details->rphy = rphy;
48678- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
48679- ioc->name, rphy));
48680- }
48681-
48682- if (rphy) {
48683- dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
48684- &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
48685- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
48686- ioc->name, rphy, rphy->dev.release));
48687- }
48688-}
48689-
48690 static inline struct sas_port *
48691 mptsas_get_port(struct mptsas_phyinfo *phy_info)
48692 {
48693diff --git a/drivers/mfd/ab8500-debugfs.c b/drivers/mfd/ab8500-debugfs.c
48694index 0236cd7..53b10d7 100644
48695--- a/drivers/mfd/ab8500-debugfs.c
48696+++ b/drivers/mfd/ab8500-debugfs.c
48697@@ -100,7 +100,7 @@ static int irq_last;
48698 static u32 *irq_count;
48699 static int num_irqs;
48700
48701-static struct device_attribute **dev_attr;
48702+static device_attribute_no_const **dev_attr;
48703 static char **event_name;
48704
48705 static u8 avg_sample = SAMPLE_16;
48706diff --git a/drivers/mfd/kempld-core.c b/drivers/mfd/kempld-core.c
48707index 8057849..0550fdf 100644
48708--- a/drivers/mfd/kempld-core.c
48709+++ b/drivers/mfd/kempld-core.c
48710@@ -499,7 +499,7 @@ static struct platform_driver kempld_driver = {
48711 .remove = kempld_remove,
48712 };
48713
48714-static struct dmi_system_id kempld_dmi_table[] __initdata = {
48715+static const struct dmi_system_id kempld_dmi_table[] __initconst = {
48716 {
48717 .ident = "BHL6",
48718 .matches = {
48719diff --git a/drivers/mfd/max8925-i2c.c b/drivers/mfd/max8925-i2c.c
48720index c880c89..45a7c68 100644
48721--- a/drivers/mfd/max8925-i2c.c
48722+++ b/drivers/mfd/max8925-i2c.c
48723@@ -152,7 +152,7 @@ static int max8925_probe(struct i2c_client *client,
48724 const struct i2c_device_id *id)
48725 {
48726 struct max8925_platform_data *pdata = dev_get_platdata(&client->dev);
48727- static struct max8925_chip *chip;
48728+ struct max8925_chip *chip;
48729 struct device_node *node = client->dev.of_node;
48730
48731 if (node && !pdata) {
48732diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c
48733index 7612d89..70549c2 100644
48734--- a/drivers/mfd/tps65910.c
48735+++ b/drivers/mfd/tps65910.c
48736@@ -230,7 +230,7 @@ static int tps65910_irq_init(struct tps65910 *tps65910, int irq,
48737 struct tps65910_platform_data *pdata)
48738 {
48739 int ret = 0;
48740- static struct regmap_irq_chip *tps6591x_irqs_chip;
48741+ struct regmap_irq_chip *tps6591x_irqs_chip;
48742
48743 if (!irq) {
48744 dev_warn(tps65910->dev, "No interrupt support, no core IRQ\n");
48745diff --git a/drivers/mfd/twl4030-irq.c b/drivers/mfd/twl4030-irq.c
48746index a3fa7f4..eac02ef 100644
48747--- a/drivers/mfd/twl4030-irq.c
48748+++ b/drivers/mfd/twl4030-irq.c
48749@@ -34,6 +34,7 @@
48750 #include <linux/of.h>
48751 #include <linux/irqdomain.h>
48752 #include <linux/i2c/twl.h>
48753+#include <asm/pgtable.h>
48754
48755 #include "twl-core.h"
48756
48757@@ -729,10 +730,12 @@ int twl4030_init_irq(struct device *dev, int irq_num)
48758 * Install an irq handler for each of the SIH modules;
48759 * clone dummy irq_chip since PIH can't *do* anything
48760 */
48761- twl4030_irq_chip = dummy_irq_chip;
48762- twl4030_irq_chip.name = "twl4030";
48763+ pax_open_kernel();
48764+ memcpy((void *)&twl4030_irq_chip, &dummy_irq_chip, sizeof twl4030_irq_chip);
48765+ *(const char **)&twl4030_irq_chip.name = "twl4030";
48766
48767- twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;
48768+ *(void **)&twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;
48769+ pax_close_kernel();
48770
48771 for (i = irq_base; i < irq_end; i++) {
48772 irq_set_chip_and_handler(i, &twl4030_irq_chip,
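Review bot: The stores between `pax_open_kernel()` and `pax_close_kernel()` cast away the qualifiers of `twl4030_irq_chip` and `twl4030_sih_irq_chip`, but nothing in the hunk says why these objects are read-only or why they must still be written at init time. A short comment above the window would help, for example `/* irq_chip objects are read-only after build; patch them once here, keep the window to these three stores */`. The same pattern is used for `bin_attr_flash_data.size` in c2port/core.c and `sid_bin_attr.size` in sunxi_sid.c further down and deserves the same comment. The `*(void **)&...irq_ack = dummy_irq_chip.irq_ack;` store writes a function pointer through a `void **`; casting to the field's own function-pointer type would keep the assignment type-checked.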
48773diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c
48774index 464419b..64bae8d 100644
48775--- a/drivers/misc/c2port/core.c
48776+++ b/drivers/misc/c2port/core.c
48777@@ -922,7 +922,9 @@ struct c2port_device *c2port_device_register(char *name,
48778 goto error_idr_alloc;
48779 c2dev->id = ret;
48780
48781- bin_attr_flash_data.size = ops->blocks_num * ops->block_size;
48782+ pax_open_kernel();
48783+ *(size_t *)&bin_attr_flash_data.size = ops->blocks_num * ops->block_size;
48784+ pax_close_kernel();
48785
48786 c2dev->dev = device_create(c2port_class, NULL, 0, c2dev,
48787 "c2port%d", c2dev->id);
48788diff --git a/drivers/misc/eeprom/sunxi_sid.c b/drivers/misc/eeprom/sunxi_sid.c
48789index 8385177..2f54635 100644
48790--- a/drivers/misc/eeprom/sunxi_sid.c
48791+++ b/drivers/misc/eeprom/sunxi_sid.c
48792@@ -126,7 +126,9 @@ static int sunxi_sid_probe(struct platform_device *pdev)
48793
48794 platform_set_drvdata(pdev, sid_data);
48795
48796- sid_bin_attr.size = sid_data->keysize;
48797+ pax_open_kernel();
48798+ *(size_t *)&sid_bin_attr.size = sid_data->keysize;
48799+ pax_close_kernel();
48800 if (device_create_bin_file(&pdev->dev, &sid_bin_attr))
48801 return -ENODEV;
48802
48803diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
48804index 9a60bd4..cee2069 100644
48805--- a/drivers/misc/kgdbts.c
48806+++ b/drivers/misc/kgdbts.c
48807@@ -834,7 +834,7 @@ static void run_plant_and_detach_test(int is_early)
48808 char before[BREAK_INSTR_SIZE];
48809 char after[BREAK_INSTR_SIZE];
48810
48811- probe_kernel_read(before, (char *)kgdbts_break_test,
48812+ probe_kernel_read(before, (void *)ktla_ktva((unsigned long)kgdbts_break_test),
48813 BREAK_INSTR_SIZE);
48814 init_simple_test();
48815 ts.tst = plant_and_detach_test;
48816@@ -842,7 +842,7 @@ static void run_plant_and_detach_test(int is_early)
48817 /* Activate test with initial breakpoint */
48818 if (!is_early)
48819 kgdb_breakpoint();
48820- probe_kernel_read(after, (char *)kgdbts_break_test,
48821+ probe_kernel_read(after, (void *)ktla_ktva((unsigned long)kgdbts_break_test),
48822 BREAK_INSTR_SIZE);
48823 if (memcmp(before, after, BREAK_INSTR_SIZE)) {
48824 printk(KERN_CRIT "kgdbts: ERROR kgdb corrupted memory\n");
48825diff --git a/drivers/misc/lis3lv02d/lis3lv02d.c b/drivers/misc/lis3lv02d/lis3lv02d.c
48826index fb8705f..dc2f679 100644
48827--- a/drivers/misc/lis3lv02d/lis3lv02d.c
48828+++ b/drivers/misc/lis3lv02d/lis3lv02d.c
48829@@ -497,7 +497,7 @@ static irqreturn_t lis302dl_interrupt(int irq, void *data)
48830 * the lid is closed. This leads to interrupts as soon as a little move
48831 * is done.
48832 */
48833- atomic_inc(&lis3->count);
48834+ atomic_inc_unchecked(&lis3->count);
48835
48836 wake_up_interruptible(&lis3->misc_wait);
48837 kill_fasync(&lis3->async_queue, SIGIO, POLL_IN);
48838@@ -583,7 +583,7 @@ static int lis3lv02d_misc_open(struct inode *inode, struct file *file)
48839 if (lis3->pm_dev)
48840 pm_runtime_get_sync(lis3->pm_dev);
48841
48842- atomic_set(&lis3->count, 0);
48843+ atomic_set_unchecked(&lis3->count, 0);
48844 return 0;
48845 }
48846
48847@@ -615,7 +615,7 @@ static ssize_t lis3lv02d_misc_read(struct file *file, char __user *buf,
48848 add_wait_queue(&lis3->misc_wait, &wait);
48849 while (true) {
48850 set_current_state(TASK_INTERRUPTIBLE);
48851- data = atomic_xchg(&lis3->count, 0);
48852+ data = atomic_xchg_unchecked(&lis3->count, 0);
48853 if (data)
48854 break;
48855
48856@@ -656,7 +656,7 @@ static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
48857 struct lis3lv02d, miscdev);
48858
48859 poll_wait(file, &lis3->misc_wait, wait);
48860- if (atomic_read(&lis3->count))
48861+ if (atomic_read_unchecked(&lis3->count))
48862 return POLLIN | POLLRDNORM;
48863 return 0;
48864 }
48865diff --git a/drivers/misc/lis3lv02d/lis3lv02d.h b/drivers/misc/lis3lv02d/lis3lv02d.h
48866index c439c82..1f20f57 100644
48867--- a/drivers/misc/lis3lv02d/lis3lv02d.h
48868+++ b/drivers/misc/lis3lv02d/lis3lv02d.h
48869@@ -297,7 +297,7 @@ struct lis3lv02d {
48870 struct input_polled_dev *idev; /* input device */
48871 struct platform_device *pdev; /* platform device */
48872 struct regulator_bulk_data regulators[2];
48873- atomic_t count; /* interrupt count after last read */
48874+ atomic_unchecked_t count; /* interrupt count after last read */
48875 union axis_conversion ac; /* hw -> logical axis */
48876 int mapped_btns[3];
48877
48878diff --git a/drivers/misc/mic/scif/scif_rb.c b/drivers/misc/mic/scif/scif_rb.c
48879index 637cc46..4fb1267 100644
48880--- a/drivers/misc/mic/scif/scif_rb.c
48881+++ b/drivers/misc/mic/scif/scif_rb.c
48882@@ -138,7 +138,7 @@ void scif_rb_commit(struct scif_rb *rb)
48883 * the read barrier in scif_rb_count(..)
48884 */
48885 wmb();
48886- ACCESS_ONCE(*rb->write_ptr) = rb->current_write_offset;
48887+ ACCESS_ONCE_RW(*rb->write_ptr) = rb->current_write_offset;
48888 #ifdef CONFIG_INTEL_MIC_CARD
48889 /*
48890 * X100 Si bug: For the case where a Core is performing an EXT_WR
48891@@ -147,7 +147,7 @@ void scif_rb_commit(struct scif_rb *rb)
48892 * This way, if ordering is violated for the Interrupt Message, it will
48893 * fall just behind the first Posted associated with the first EXT_WR.
48894 */
48895- ACCESS_ONCE(*rb->write_ptr) = rb->current_write_offset;
48896+ ACCESS_ONCE_RW(*rb->write_ptr) = rb->current_write_offset;
48897 #endif
48898 }
48899
48900@@ -210,7 +210,7 @@ void scif_rb_update_read_ptr(struct scif_rb *rb)
48901 * scif_rb_space(..)
48902 */
48903 mb();
48904- ACCESS_ONCE(*rb->read_ptr) = new_offset;
48905+ ACCESS_ONCE_RW(*rb->read_ptr) = new_offset;
48906 #ifdef CONFIG_INTEL_MIC_CARD
48907 /*
48908 * X100 Si Bug: For the case where a Core is performing an EXT_WR
48909@@ -219,7 +219,7 @@ void scif_rb_update_read_ptr(struct scif_rb *rb)
48910 * This way, if ordering is violated for the Interrupt Message, it will
48911 * fall just behind the first Posted associated with the first EXT_WR.
48912 */
48913- ACCESS_ONCE(*rb->read_ptr) = new_offset;
48914+ ACCESS_ONCE_RW(*rb->read_ptr) = new_offset;
48915 #endif
48916 }
48917
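--- a/drivers/misc/sgi-gru/gruhandles.c
+++ b/drivers/misc/sgi-gru/gruhandles.c
@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op op, unsigned long clks)
 unsigned long nsec;
 
 nsec = CLKS2NSEC(clks);
- atomic_long_inc(&mcs_op_statistics[op].count);
- atomic_long_add(nsec, &mcs_op_statistics[op].total);
+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
+ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
 if (mcs_op_statistics[op].max < nsec)
 mcs_op_statistics[op].max = nsec;
 }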
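Review bot: The switch to `atomic_long_inc_unchecked()`/`atomic_long_add_unchecked()` in update_mcs_stats carries no comment saying why these counters are exempt from overflow checking, and the same silent conversion repeats in gruprocfs.c and across `struct gru_stats_s`, `struct mcs_op_statistic` and the `STAT()` macro in grutables.h. If the intent is that these are pure statistics that may wrap and never guard an object's lifetime, that should be stated once at the type, e.g. `/* statistics only, may wrap; not a reference count */` above `struct mcs_op_statistic`. Separately, the `max` update right below the changed lines is a plain compare-and-store, so if update_mcs_stats can run concurrently a larger sample can be lost; that predates this change but sits next to the fields being touched.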
48933diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
48934index 4f76359..cdfcb2e 100644
48935--- a/drivers/misc/sgi-gru/gruprocfs.c
48936+++ b/drivers/misc/sgi-gru/gruprocfs.c
48937@@ -32,9 +32,9 @@
48938
48939 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
48940
48941-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
48942+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
48943 {
48944- unsigned long val = atomic_long_read(v);
48945+ unsigned long val = atomic_long_read_unchecked(v);
48946
48947 seq_printf(s, "%16lu %s\n", val, id);
48948 }
48949@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct seq_file *s, void *p)
48950
48951 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
48952 for (op = 0; op < mcsop_last; op++) {
48953- count = atomic_long_read(&mcs_op_statistics[op].count);
48954- total = atomic_long_read(&mcs_op_statistics[op].total);
48955+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
48956+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
48957 max = mcs_op_statistics[op].max;
48958 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
48959 count ? total / count : 0, max);
48960diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
48961index 5c3ce24..4915ccb 100644
48962--- a/drivers/misc/sgi-gru/grutables.h
48963+++ b/drivers/misc/sgi-gru/grutables.h
48964@@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
48965 * GRU statistics.
48966 */
48967 struct gru_stats_s {
48968- atomic_long_t vdata_alloc;
48969- atomic_long_t vdata_free;
48970- atomic_long_t gts_alloc;
48971- atomic_long_t gts_free;
48972- atomic_long_t gms_alloc;
48973- atomic_long_t gms_free;
48974- atomic_long_t gts_double_allocate;
48975- atomic_long_t assign_context;
48976- atomic_long_t assign_context_failed;
48977- atomic_long_t free_context;
48978- atomic_long_t load_user_context;
48979- atomic_long_t load_kernel_context;
48980- atomic_long_t lock_kernel_context;
48981- atomic_long_t unlock_kernel_context;
48982- atomic_long_t steal_user_context;
48983- atomic_long_t steal_kernel_context;
48984- atomic_long_t steal_context_failed;
48985- atomic_long_t nopfn;
48986- atomic_long_t asid_new;
48987- atomic_long_t asid_next;
48988- atomic_long_t asid_wrap;
48989- atomic_long_t asid_reuse;
48990- atomic_long_t intr;
48991- atomic_long_t intr_cbr;
48992- atomic_long_t intr_tfh;
48993- atomic_long_t intr_spurious;
48994- atomic_long_t intr_mm_lock_failed;
48995- atomic_long_t call_os;
48996- atomic_long_t call_os_wait_queue;
48997- atomic_long_t user_flush_tlb;
48998- atomic_long_t user_unload_context;
48999- atomic_long_t user_exception;
49000- atomic_long_t set_context_option;
49001- atomic_long_t check_context_retarget_intr;
49002- atomic_long_t check_context_unload;
49003- atomic_long_t tlb_dropin;
49004- atomic_long_t tlb_preload_page;
49005- atomic_long_t tlb_dropin_fail_no_asid;
49006- atomic_long_t tlb_dropin_fail_upm;
49007- atomic_long_t tlb_dropin_fail_invalid;
49008- atomic_long_t tlb_dropin_fail_range_active;
49009- atomic_long_t tlb_dropin_fail_idle;
49010- atomic_long_t tlb_dropin_fail_fmm;
49011- atomic_long_t tlb_dropin_fail_no_exception;
49012- atomic_long_t tfh_stale_on_fault;
49013- atomic_long_t mmu_invalidate_range;
49014- atomic_long_t mmu_invalidate_page;
49015- atomic_long_t flush_tlb;
49016- atomic_long_t flush_tlb_gru;
49017- atomic_long_t flush_tlb_gru_tgh;
49018- atomic_long_t flush_tlb_gru_zero_asid;
49019+ atomic_long_unchecked_t vdata_alloc;
49020+ atomic_long_unchecked_t vdata_free;
49021+ atomic_long_unchecked_t gts_alloc;
49022+ atomic_long_unchecked_t gts_free;
49023+ atomic_long_unchecked_t gms_alloc;
49024+ atomic_long_unchecked_t gms_free;
49025+ atomic_long_unchecked_t gts_double_allocate;
49026+ atomic_long_unchecked_t assign_context;
49027+ atomic_long_unchecked_t assign_context_failed;
49028+ atomic_long_unchecked_t free_context;
49029+ atomic_long_unchecked_t load_user_context;
49030+ atomic_long_unchecked_t load_kernel_context;
49031+ atomic_long_unchecked_t lock_kernel_context;
49032+ atomic_long_unchecked_t unlock_kernel_context;
49033+ atomic_long_unchecked_t steal_user_context;
49034+ atomic_long_unchecked_t steal_kernel_context;
49035+ atomic_long_unchecked_t steal_context_failed;
49036+ atomic_long_unchecked_t nopfn;
49037+ atomic_long_unchecked_t asid_new;
49038+ atomic_long_unchecked_t asid_next;
49039+ atomic_long_unchecked_t asid_wrap;
49040+ atomic_long_unchecked_t asid_reuse;
49041+ atomic_long_unchecked_t intr;
49042+ atomic_long_unchecked_t intr_cbr;
49043+ atomic_long_unchecked_t intr_tfh;
49044+ atomic_long_unchecked_t intr_spurious;
49045+ atomic_long_unchecked_t intr_mm_lock_failed;
49046+ atomic_long_unchecked_t call_os;
49047+ atomic_long_unchecked_t call_os_wait_queue;
49048+ atomic_long_unchecked_t user_flush_tlb;
49049+ atomic_long_unchecked_t user_unload_context;
49050+ atomic_long_unchecked_t user_exception;
49051+ atomic_long_unchecked_t set_context_option;
49052+ atomic_long_unchecked_t check_context_retarget_intr;
49053+ atomic_long_unchecked_t check_context_unload;
49054+ atomic_long_unchecked_t tlb_dropin;
49055+ atomic_long_unchecked_t tlb_preload_page;
49056+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
49057+ atomic_long_unchecked_t tlb_dropin_fail_upm;
49058+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
49059+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
49060+ atomic_long_unchecked_t tlb_dropin_fail_idle;
49061+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
49062+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
49063+ atomic_long_unchecked_t tfh_stale_on_fault;
49064+ atomic_long_unchecked_t mmu_invalidate_range;
49065+ atomic_long_unchecked_t mmu_invalidate_page;
49066+ atomic_long_unchecked_t flush_tlb;
49067+ atomic_long_unchecked_t flush_tlb_gru;
49068+ atomic_long_unchecked_t flush_tlb_gru_tgh;
49069+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
49070
49071- atomic_long_t copy_gpa;
49072- atomic_long_t read_gpa;
49073+ atomic_long_unchecked_t copy_gpa;
49074+ atomic_long_unchecked_t read_gpa;
49075
49076- atomic_long_t mesq_receive;
49077- atomic_long_t mesq_receive_none;
49078- atomic_long_t mesq_send;
49079- atomic_long_t mesq_send_failed;
49080- atomic_long_t mesq_noop;
49081- atomic_long_t mesq_send_unexpected_error;
49082- atomic_long_t mesq_send_lb_overflow;
49083- atomic_long_t mesq_send_qlimit_reached;
49084- atomic_long_t mesq_send_amo_nacked;
49085- atomic_long_t mesq_send_put_nacked;
49086- atomic_long_t mesq_page_overflow;
49087- atomic_long_t mesq_qf_locked;
49088- atomic_long_t mesq_qf_noop_not_full;
49089- atomic_long_t mesq_qf_switch_head_failed;
49090- atomic_long_t mesq_qf_unexpected_error;
49091- atomic_long_t mesq_noop_unexpected_error;
49092- atomic_long_t mesq_noop_lb_overflow;
49093- atomic_long_t mesq_noop_qlimit_reached;
49094- atomic_long_t mesq_noop_amo_nacked;
49095- atomic_long_t mesq_noop_put_nacked;
49096- atomic_long_t mesq_noop_page_overflow;
49097+ atomic_long_unchecked_t mesq_receive;
49098+ atomic_long_unchecked_t mesq_receive_none;
49099+ atomic_long_unchecked_t mesq_send;
49100+ atomic_long_unchecked_t mesq_send_failed;
49101+ atomic_long_unchecked_t mesq_noop;
49102+ atomic_long_unchecked_t mesq_send_unexpected_error;
49103+ atomic_long_unchecked_t mesq_send_lb_overflow;
49104+ atomic_long_unchecked_t mesq_send_qlimit_reached;
49105+ atomic_long_unchecked_t mesq_send_amo_nacked;
49106+ atomic_long_unchecked_t mesq_send_put_nacked;
49107+ atomic_long_unchecked_t mesq_page_overflow;
49108+ atomic_long_unchecked_t mesq_qf_locked;
49109+ atomic_long_unchecked_t mesq_qf_noop_not_full;
49110+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
49111+ atomic_long_unchecked_t mesq_qf_unexpected_error;
49112+ atomic_long_unchecked_t mesq_noop_unexpected_error;
49113+ atomic_long_unchecked_t mesq_noop_lb_overflow;
49114+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
49115+ atomic_long_unchecked_t mesq_noop_amo_nacked;
49116+ atomic_long_unchecked_t mesq_noop_put_nacked;
49117+ atomic_long_unchecked_t mesq_noop_page_overflow;
49118
49119 };
49120
49121@@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start, cchop_interrupt, cchop_interrupt_sync,
49122 tghop_invalidate, mcsop_last};
49123
49124 struct mcs_op_statistic {
49125- atomic_long_t count;
49126- atomic_long_t total;
49127+ atomic_long_unchecked_t count;
49128+ atomic_long_unchecked_t total;
49129 unsigned long max;
49130 };
49131
49132@@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_statistics[mcsop_last];
49133
49134 #define STAT(id) do { \
49135 if (gru_options & OPT_STATS) \
49136- atomic_long_inc(&gru_stats.id); \
49137+ atomic_long_inc_unchecked(&gru_stats.id); \
49138 } while (0)
49139
49140 #ifdef CONFIG_SGI_GRU_DEBUG
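--- a/drivers/misc/sgi-xp/xp.h
+++ b/drivers/misc/sgi-xp/xp.h
@@ -288,7 +288,7 @@ struct xpc_interface {
 xpc_notify_func, void *);
 void (*received) (short, int, void *);
 enum xp_retval (*partid_to_nasids) (short, void *);
-};
+} __no_const;
 
 extern struct xpc_interface xpc_interface;
 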
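Review bot: `__no_const` is added to `struct xpc_interface` with no comment on why this table of function pointers must remain writable, and the `xpc_arch_operations_no_const` typedef introduced in xpc.h and used in xpc_main.c has the same gap. xp_main.c initialises every slot to xpc_notloaded, which suggests the real handlers are stored at run time, but that is an inference from this page. A short comment at each opt-out stating who writes the table and when would let a later reader judge whether it could instead stay read-only and be updated inside a `pax_open_kernel()`/`pax_close_kernel()` pair, as the mmc host drivers in this patch do.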
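--- a/drivers/misc/sgi-xp/xp_main.c
+++ b/drivers/misc/sgi-xp/xp_main.c
@@ -78,13 +78,13 @@ xpc_notloaded(void)
 }
 
 struct xpc_interface xpc_interface = {
- (void (*)(int))xpc_notloaded,
- (void (*)(int))xpc_notloaded,
- (enum xp_retval(*)(short, int, u32, void *, u16))xpc_notloaded,
- (enum xp_retval(*)(short, int, u32, void *, u16, xpc_notify_func,
+ .connect = (void (*)(int))xpc_notloaded,
+ .disconnect = (void (*)(int))xpc_notloaded,
+ .send = (enum xp_retval(*)(short, int, u32, void *, u16))xpc_notloaded,
+ .send_notify = (enum xp_retval(*)(short, int, u32, void *, u16, xpc_notify_func,
 void *))xpc_notloaded,
- (void (*)(short, int, void *))xpc_notloaded,
- (enum xp_retval(*)(short, void *))xpc_notloaded
+ .received = (void (*)(short, int, void *))xpc_notloaded,
+ .partid_to_nasids = (enum xp_retval(*)(short, void *))xpc_notloaded
 };
 EXPORT_SYMBOL_GPL(xpc_interface);
 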
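Review bot: The designated initializers still install `xpc_notloaded` through casts to several different function-pointer types, so a call made before the real handlers are in place goes through a pointer whose type does not match the function, which is undefined behaviour in C and is what type-based indirect-call checking rejects. xpc_notloaded's definition ends just above the hunk and only its `(void)` parameter list is visible here. One small stub per slot signature, each returning what xpc_notloaded returns where the slot has a return value, would let the initializer drop every cast.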
49178diff --git a/drivers/misc/sgi-xp/xpc.h b/drivers/misc/sgi-xp/xpc.h
49179index b94d5f7..7f494c5 100644
49180--- a/drivers/misc/sgi-xp/xpc.h
49181+++ b/drivers/misc/sgi-xp/xpc.h
49182@@ -835,6 +835,7 @@ struct xpc_arch_operations {
49183 void (*received_payload) (struct xpc_channel *, void *);
49184 void (*notify_senders_of_disconnect) (struct xpc_channel *);
49185 };
49186+typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
49187
49188 /* struct xpc_partition act_state values (for XPC HB) */
49189
49190@@ -876,7 +877,7 @@ extern struct xpc_registration xpc_registrations[];
49191 /* found in xpc_main.c */
49192 extern struct device *xpc_part;
49193 extern struct device *xpc_chan;
49194-extern struct xpc_arch_operations xpc_arch_ops;
49195+extern xpc_arch_operations_no_const xpc_arch_ops;
49196 extern int xpc_disengage_timelimit;
49197 extern int xpc_disengage_timedout;
49198 extern int xpc_activate_IRQ_rcvd;
49199diff --git a/drivers/misc/sgi-xp/xpc_main.c b/drivers/misc/sgi-xp/xpc_main.c
49200index 7f32712..8539ab2 100644
49201--- a/drivers/misc/sgi-xp/xpc_main.c
49202+++ b/drivers/misc/sgi-xp/xpc_main.c
49203@@ -166,7 +166,7 @@ static struct notifier_block xpc_die_notifier = {
49204 .notifier_call = xpc_system_die,
49205 };
49206
49207-struct xpc_arch_operations xpc_arch_ops;
49208+xpc_arch_operations_no_const xpc_arch_ops;
49209
49210 /*
49211 * Timer function to enforce the timelimit on the partition disengage.
49212diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
49213index a1b820f..e299c58 100644
49214--- a/drivers/mmc/card/block.c
49215+++ b/drivers/mmc/card/block.c
49216@@ -579,7 +579,7 @@ static int mmc_blk_ioctl_cmd(struct block_device *bdev,
49217 if (idata->ic.postsleep_min_us)
49218 usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
49219
49220- if (copy_to_user(&(ic_ptr->response), cmd.resp, sizeof(cmd.resp))) {
49221+ if (copy_to_user(ic_ptr->response, cmd.resp, sizeof(cmd.resp))) {
49222 err = -EFAULT;
49223 goto cmd_rel_host;
49224 }
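Review bot: The copy length in the changed `copy_to_user()` call is `sizeof(cmd.resp)`, the kernel-side array, while the destination is now the user-side `ic_ptr->response`, and nothing on these lines ties the two sizes together. A `BUILD_BUG_ON(sizeof(cmd.resp) != sizeof(ic_ptr->response));` next to the call would make a future change to either array fail at build time instead of silently writing past the user field. mmc_blk_ioctl_cmd starts and ends outside the hunk.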
49225diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h
49226index 8ce4674..a23c858 100644
49227--- a/drivers/mmc/host/dw_mmc.h
49228+++ b/drivers/mmc/host/dw_mmc.h
49229@@ -286,5 +286,5 @@ struct dw_mci_drv_data {
49230 struct mmc_ios *ios);
49231 int (*switch_voltage)(struct mmc_host *mmc,
49232 struct mmc_ios *ios);
49233-};
49234+} __do_const;
49235 #endif /* _DW_MMC_H_ */
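--- a/drivers/mmc/host/mmci.c
+++ b/drivers/mmc/host/mmci.c
@@ -1633,7 +1633,9 @@ static int mmci_probe(struct amba_device *dev,
 mmc->caps |= MMC_CAP_CMD23;
 
 if (variant->busy_detect) {
- mmci_ops.card_busy = mmci_card_busy;
+ pax_open_kernel();
+ *(void **)&mmci_ops.card_busy = mmci_card_busy;
+ pax_close_kernel();
 mmci_write_datactrlreg(host, MCI_ST_DPSM_BUSYMODE);
 mmc->caps |= MMC_CAP_WAIT_WHILE_BUSY;
 mmc->max_busy_timeout = 0;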
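Review bot: The store `*(void **)&mmci_ops.card_busy = mmci_card_busy;` goes through a `void **` cast, so the compiler no longer checks that mmci_card_busy matches the slot's prototype, and it patches what looks like a driver-wide ops table from a per-device probe, so once one variant with `busy_detect` has probed the hook would stay set for every host sharing mmci_ops. The same pattern appears in the omap_hsmmc.c, sdhci-esdhc-imx.c and sdhci-s3c.c hunks. Keeping two constant tables and choosing one per host at probe time would remove both the cast and the `pax_open_kernel()`/`pax_close_kernel()` window; if the write has to stay, a typed store through a `_no_const` typedef, as altera_tse_main.c does in this patch, keeps the prototype check. mmci_probe starts and ends outside the hunk, so how mmci_ops is shared is inferred from its name and use.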
49251diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
49252index 4d12032..2b0eb6d 100644
49253--- a/drivers/mmc/host/omap_hsmmc.c
49254+++ b/drivers/mmc/host/omap_hsmmc.c
49255@@ -1984,7 +1984,9 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
49256
49257 if (host->pdata->controller_flags & OMAP_HSMMC_BROKEN_MULTIBLOCK_READ) {
49258 dev_info(&pdev->dev, "multiblock reads disabled due to 35xx erratum 2.1.1.128; MMC read performance may suffer\n");
49259- omap_hsmmc_ops.multi_io_quirk = omap_hsmmc_multi_io_quirk;
49260+ pax_open_kernel();
49261+ *(void **)&omap_hsmmc_ops.multi_io_quirk = omap_hsmmc_multi_io_quirk;
49262+ pax_close_kernel();
49263 }
49264
49265 device_init_wakeup(&pdev->dev, true);
49266diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
49267index c6b9f64..00e656c 100644
49268--- a/drivers/mmc/host/sdhci-esdhc-imx.c
49269+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
49270@@ -1088,9 +1088,12 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev)
49271 host->ioaddr + 0x6c);
49272 }
49273
49274- if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING)
49275- sdhci_esdhc_ops.platform_execute_tuning =
49276+ if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) {
49277+ pax_open_kernel();
49278+ *(void **)&sdhci_esdhc_ops.platform_execute_tuning =
49279 esdhc_executing_tuning;
49280+ pax_close_kernel();
49281+ }
49282
49283 if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING)
49284 writel(readl(host->ioaddr + ESDHC_TUNING_CTRL) |
49285diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c
49286index 70c724b..308aafc 100644
49287--- a/drivers/mmc/host/sdhci-s3c.c
49288+++ b/drivers/mmc/host/sdhci-s3c.c
49289@@ -598,9 +598,11 @@ static int sdhci_s3c_probe(struct platform_device *pdev)
49290 * we can use overriding functions instead of default.
49291 */
49292 if (sc->no_divider) {
49293- sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock;
49294- sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock;
49295- sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock;
49296+ pax_open_kernel();
49297+ *(void **)&sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock;
49298+ *(void **)&sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock;
49299+ *(void **)&sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock;
49300+ pax_close_kernel();
49301 }
49302
49303 /* It supports additional host capabilities if needed */
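--- a/drivers/mtd/chips/cfi_cmdset_0020.c
+++ b/drivers/mtd/chips/cfi_cmdset_0020.c
@@ -666,7 +666,7 @@ cfi_staa_writev(struct mtd_info *mtd, const struct kvec *vecs,
 size_t totlen = 0, thislen;
 int ret = 0;
 size_t buflen = 0;
- static char *buffer;
+ char *buffer;
 
 if (!ECCBUF_SIZE) {
 /* We should fall back to a general writev implementation.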
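Review bot: With `static` dropped, `buffer` in cfi_staa_writev is now an automatic variable with an indeterminate initial value instead of a zero-initialised one, so any path that frees or tests it before the allocation would act on garbage. The rest of the function is outside the hunk, so whether such a path exists cannot be confirmed here. Declaring it as `char *buffer = NULL;` keeps every early-exit path safe regardless.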
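--- a/drivers/mtd/nand/denali.c
+++ b/drivers/mtd/nand/denali.c
@@ -24,6 +24,7 @@
 #include <linux/slab.h>
 #include <linux/mtd/mtd.h>
 #include <linux/module.h>
+#include <linux/slab.h>
 
 #include "denali.h"
 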
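Review bot: The added `#include <linux/slab.h>` duplicates the include already present three lines above it in the same hunk, so the new line can simply be dropped. The header guard makes it harmless at build time, but it is noise in a security patch that is otherwise audited line by line.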
49329diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49330index 1b8f350..990f2e9 100644
49331--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49332+++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49333@@ -386,7 +386,7 @@ void prepare_data_dma(struct gpmi_nand_data *this, enum dma_data_direction dr)
49334
49335 /* first try to map the upper buffer directly */
49336 if (virt_addr_valid(this->upper_buf) &&
49337- !object_is_on_stack(this->upper_buf)) {
49338+ !object_starts_on_stack(this->upper_buf)) {
49339 sg_init_one(sgl, this->upper_buf, this->upper_len);
49340 ret = dma_map_sg(this->dev, sgl, 1, dr);
49341 if (ret == 0)
49342diff --git a/drivers/mtd/nftlmount.c b/drivers/mtd/nftlmount.c
49343index a5dfbfb..8042ab4 100644
49344--- a/drivers/mtd/nftlmount.c
49345+++ b/drivers/mtd/nftlmount.c
49346@@ -24,6 +24,7 @@
49347 #include <asm/errno.h>
49348 #include <linux/delay.h>
49349 #include <linux/slab.h>
49350+#include <linux/sched.h>
49351 #include <linux/mtd/mtd.h>
49352 #include <linux/mtd/nand.h>
49353 #include <linux/mtd/nftl.h>
49354diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c
49355index c23184a..4115c41 100644
49356--- a/drivers/mtd/sm_ftl.c
49357+++ b/drivers/mtd/sm_ftl.c
49358@@ -56,7 +56,7 @@ static ssize_t sm_attr_show(struct device *dev, struct device_attribute *attr,
49359 #define SM_CIS_VENDOR_OFFSET 0x59
49360 static struct attribute_group *sm_create_sysfs_attributes(struct sm_ftl *ftl)
49361 {
49362- struct attribute_group *attr_group;
49363+ attribute_group_no_const *attr_group;
49364 struct attribute **attributes;
49365 struct sm_sysfs_attribute *vendor_attribute;
49366 char *vendor;
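--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -649,7 +649,7 @@ nla_put_failure:
 return -EMSGSIZE;
 }
 
-struct rtnl_link_ops bond_link_ops __read_mostly = {
+struct rtnl_link_ops bond_link_ops = {
 .kind = "bond",
 .priv_size = sizeof(struct bonding),
 .setup = bond_setup,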
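Review bot: Dropping `__read_mostly` from `bond_link_ops` is not explained anywhere near the change, and the same unexplained edit is made to the `rtnl_link_ops` tables in caif_hsi.c, can/dev.c, vcan.c and dummy.c. Presumably the explicit section attribute would conflict with where the patch wants ops structures placed, but nothing on this page confirms that. A one-line comment at the `struct rtnl_link_ops` definition saying that instances must not carry a section attribute, and why, would stop a later driver from putting it back.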
49380diff --git a/drivers/net/caif/caif_hsi.c b/drivers/net/caif/caif_hsi.c
49381index b3b922a..80bba38 100644
49382--- a/drivers/net/caif/caif_hsi.c
49383+++ b/drivers/net/caif/caif_hsi.c
49384@@ -1444,7 +1444,7 @@ err:
49385 return -ENODEV;
49386 }
49387
49388-static struct rtnl_link_ops caif_hsi_link_ops __read_mostly = {
49389+static struct rtnl_link_ops caif_hsi_link_ops = {
49390 .kind = "cfhsi",
49391 .priv_size = sizeof(struct cfhsi),
49392 .setup = cfhsi_setup,
49393diff --git a/drivers/net/can/Kconfig b/drivers/net/can/Kconfig
49394index e8c96b8..516a96c 100644
49395--- a/drivers/net/can/Kconfig
49396+++ b/drivers/net/can/Kconfig
49397@@ -98,7 +98,7 @@ config CAN_JANZ_ICAN3
49398
49399 config CAN_FLEXCAN
49400 tristate "Support for Freescale FLEXCAN based chips"
49401- depends on ARM || PPC
49402+ depends on (ARM && CPU_LITTLE_ENDIAN) || PPC
49403 ---help---
49404 Say Y here if you want to support for Freescale FlexCAN.
49405
49406diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
49407index aede704..b516b4d 100644
49408--- a/drivers/net/can/dev.c
49409+++ b/drivers/net/can/dev.c
49410@@ -961,7 +961,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
49411 return -EOPNOTSUPP;
49412 }
49413
49414-static struct rtnl_link_ops can_link_ops __read_mostly = {
49415+static struct rtnl_link_ops can_link_ops = {
49416 .kind = "can",
49417 .maxtype = IFLA_CAN_MAX,
49418 .policy = can_policy,
49419diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c
49420index 674f367..ec3a31f 100644
49421--- a/drivers/net/can/vcan.c
49422+++ b/drivers/net/can/vcan.c
49423@@ -163,7 +163,7 @@ static void vcan_setup(struct net_device *dev)
49424 dev->destructor = free_netdev;
49425 }
49426
49427-static struct rtnl_link_ops vcan_link_ops __read_mostly = {
49428+static struct rtnl_link_ops vcan_link_ops = {
49429 .kind = "vcan",
49430 .setup = vcan_setup,
49431 };
49432diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
49433index 49adbf1..fff7ff8 100644
49434--- a/drivers/net/dummy.c
49435+++ b/drivers/net/dummy.c
49436@@ -164,7 +164,7 @@ static int dummy_validate(struct nlattr *tb[], struct nlattr *data[])
49437 return 0;
49438 }
49439
49440-static struct rtnl_link_ops dummy_link_ops __read_mostly = {
49441+static struct rtnl_link_ops dummy_link_ops = {
49442 .kind = DRV_NAME,
49443 .setup = dummy_setup,
49444 .validate = dummy_validate,
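--- a/drivers/net/ethernet/8390/ax88796.c
+++ b/drivers/net/ethernet/8390/ax88796.c
@@ -889,9 +889,11 @@ static int ax_probe(struct platform_device *pdev)
 if (ax->plat->reg_offsets)
 ei_local->reg_offset = ax->plat->reg_offsets;
 else {
+ resource_size_t _mem_size = mem_size;
+ do_div(_mem_size, 0x18);
 ei_local->reg_offset = ax->reg_offsets;
 for (ret = 0; ret < 0x18; ret++)
- ax->reg_offsets[ret] = (mem_size / 0x18) * ret;
+ ax->reg_offsets[ret] = _mem_size * ret;
 }
 
 if (!request_mem_region(mem->start, mem_size, pdev->name)) {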
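Review bot: `do_div()` expects a 64-bit unsigned dividend, but `_mem_size` is declared `resource_size_t`, which is only 32 bits wide on configurations without 64-bit physical addresses, so the added lines in ax_probe can warn or misbehave there. A fixed-width local avoids that and also drops the leading-underscore name: `u64 step = mem_size;`, then `do_div(step, 0x18);` and `ax->reg_offsets[ret] = step * ret;`. ax_probe starts and ends outside the hunk, so the declared type of `mem_size` itself is not visible.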
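--- a/drivers/net/ethernet/altera/altera_tse_main.c
+++ b/drivers/net/ethernet/altera/altera_tse_main.c
@@ -1255,7 +1255,7 @@ static int tse_shutdown(struct net_device *dev)
 return 0;
 }
 
-static struct net_device_ops altera_tse_netdev_ops = {
+static net_device_ops_no_const altera_tse_netdev_ops __read_only = {
 .ndo_open = tse_open,
 .ndo_stop = tse_shutdown,
 .ndo_start_xmit = tse_start_xmit,
@@ -1492,11 +1492,13 @@ static int altera_tse_probe(struct platform_device *pdev)
 ndev->netdev_ops = &altera_tse_netdev_ops;
 altera_tse_set_ethtool_ops(ndev);
 
+ pax_open_kernel();
 altera_tse_netdev_ops.ndo_set_rx_mode = tse_set_rx_mode;
 
 if (priv->hash_filter)
 altera_tse_netdev_ops.ndo_set_rx_mode =
 tse_set_rx_mode_hashfilter;
+ pax_close_kernel();
 
 /* Scatter/gather IO is not supported,
 * so it is turned off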
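Review bot: Inside the new `pax_open_kernel()`/`pax_close_kernel()` pair in altera_tse_probe the table is written twice when `priv->hash_filter` is set, and the branch is evaluated while write protection is lifted; choosing the handler first and doing one store keeps the window to a single assignment: `altera_tse_netdev_ops.ndo_set_rx_mode = priv->hash_filter ? tse_set_rx_mode_hashfilter : tse_set_rx_mode;`. The table is also file-scope and so shared by every device this driver probes, which means the last probe decides the rx-mode handler for all of them. A second constant `net_device_ops` selected per device would avoid writing to `__read_only` data at all. altera_tse_probe continues outside the hunk.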
49489diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
49490index b6fa891..31ef157 100644
49491--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
49492+++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
49493@@ -1279,14 +1279,14 @@ do { \
49494 * operations, everything works on mask values.
49495 */
49496 #define XMDIO_READ(_pdata, _mmd, _reg) \
49497- ((_pdata)->hw_if.read_mmd_regs((_pdata), 0, \
49498+ ((_pdata)->hw_if->read_mmd_regs((_pdata), 0, \
49499 MII_ADDR_C45 | (_mmd << 16) | ((_reg) & 0xffff)))
49500
49501 #define XMDIO_READ_BITS(_pdata, _mmd, _reg, _mask) \
49502 (XMDIO_READ((_pdata), _mmd, _reg) & _mask)
49503
49504 #define XMDIO_WRITE(_pdata, _mmd, _reg, _val) \
49505- ((_pdata)->hw_if.write_mmd_regs((_pdata), 0, \
49506+ ((_pdata)->hw_if->write_mmd_regs((_pdata), 0, \
49507 MII_ADDR_C45 | (_mmd << 16) | ((_reg) & 0xffff), (_val)))
49508
49509 #define XMDIO_WRITE_BITS(_pdata, _mmd, _reg, _mask, _val) \
49510diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c b/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
49511index a6b9899..2e5e972 100644
49512--- a/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
49513+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
49514@@ -190,7 +190,7 @@ static int xgbe_dcb_ieee_setets(struct net_device *netdev,
49515
49516 memcpy(pdata->ets, ets, sizeof(*pdata->ets));
49517
49518- pdata->hw_if.config_dcb_tc(pdata);
49519+ pdata->hw_if->config_dcb_tc(pdata);
49520
49521 return 0;
49522 }
49523@@ -230,7 +230,7 @@ static int xgbe_dcb_ieee_setpfc(struct net_device *netdev,
49524
49525 memcpy(pdata->pfc, pfc, sizeof(*pdata->pfc));
49526
49527- pdata->hw_if.config_dcb_pfc(pdata);
49528+ pdata->hw_if->config_dcb_pfc(pdata);
49529
49530 return 0;
49531 }
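--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
@@ -353,7 +353,7 @@ static int xgbe_map_rx_buffer(struct xgbe_prv_data *pdata,
 
 static void xgbe_wrapper_tx_descriptor_init(struct xgbe_prv_data *pdata)
 {
- struct xgbe_hw_if *hw_if = &pdata->hw_if;
+ struct xgbe_hw_if *hw_if = pdata->hw_if;
 struct xgbe_channel *channel;
 struct xgbe_ring *ring;
 struct xgbe_ring_data *rdata;
@@ -394,7 +394,7 @@ static void xgbe_wrapper_tx_descriptor_init(struct xgbe_prv_data *pdata)
 
 static void xgbe_wrapper_rx_descriptor_init(struct xgbe_prv_data *pdata)
 {
- struct xgbe_hw_if *hw_if = &pdata->hw_if;
+ struct xgbe_hw_if *hw_if = pdata->hw_if;
 struct xgbe_channel *channel;
 struct xgbe_ring *ring;
 struct xgbe_ring_desc *rdesc;
@@ -628,17 +628,12 @@ err_out:
 return 0;
 }
 
-void xgbe_init_function_ptrs_desc(struct xgbe_desc_if *desc_if)
-{
- DBGPR("-->xgbe_init_function_ptrs_desc\n");
-
- desc_if->alloc_ring_resources = xgbe_alloc_ring_resources;
- desc_if->free_ring_resources = xgbe_free_ring_resources;
- desc_if->map_tx_skb = xgbe_map_tx_skb;
- desc_if->map_rx_buffer = xgbe_map_rx_buffer;
- desc_if->unmap_rdata = xgbe_unmap_rdata;
- desc_if->wrapper_tx_desc_init = xgbe_wrapper_tx_descriptor_init;
- desc_if->wrapper_rx_desc_init = xgbe_wrapper_rx_descriptor_init;
-
- DBGPR("<--xgbe_init_function_ptrs_desc\n");
-}
+const struct xgbe_desc_if default_xgbe_desc_if = {
+ .alloc_ring_resources = xgbe_alloc_ring_resources,
+ .free_ring_resources = xgbe_free_ring_resources,
+ .map_tx_skb = xgbe_map_tx_skb,
+ .map_rx_buffer = xgbe_map_rx_buffer,
+ .unmap_rdata = xgbe_unmap_rdata,
+ .wrapper_tx_desc_init = xgbe_wrapper_tx_descriptor_init,
+ .wrapper_rx_desc_init = xgbe_wrapper_rx_descriptor_init,
+};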
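Review bot: In xgbe_wrapper_tx_descriptor_init and xgbe_wrapper_rx_descriptor_init the local is still declared `struct xgbe_hw_if *hw_if = pdata->hw_if;`, although this patch turns the interface tables into `const` objects (`default_xgbe_desc_if` at the end of this section and `default_xgbe_hw_if` in xgbe-dev.c). If the `hw_if` member is declared pointer-to-const, which only its declaration outside this page would show, the initialisation discards the qualifier. Writing `const struct xgbe_hw_if *hw_if = pdata->hw_if;` keeps the compiler enforcing that nothing in these functions writes through the pointer. Both functions continue outside their hunks.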
49581diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
49582index a4473d8..039a2ab 100644
49583--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
49584+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
49585@@ -2776,7 +2776,7 @@ static void xgbe_powerdown_rx(struct xgbe_prv_data *pdata)
49586
49587 static int xgbe_init(struct xgbe_prv_data *pdata)
49588 {
49589- struct xgbe_desc_if *desc_if = &pdata->desc_if;
49590+ struct xgbe_desc_if *desc_if = pdata->desc_if;
49591 int ret;
49592
49593 DBGPR("-->xgbe_init\n");
49594@@ -2842,106 +2842,101 @@ static int xgbe_init(struct xgbe_prv_data *pdata)
49595 return 0;
49596 }
49597
49598-void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *hw_if)
49599-{
49600- DBGPR("-->xgbe_init_function_ptrs\n");
49601-
49602- hw_if->tx_complete = xgbe_tx_complete;
49603-
49604- hw_if->set_mac_address = xgbe_set_mac_address;
49605- hw_if->config_rx_mode = xgbe_config_rx_mode;
49606-
49607- hw_if->enable_rx_csum = xgbe_enable_rx_csum;
49608- hw_if->disable_rx_csum = xgbe_disable_rx_csum;
49609-
49610- hw_if->enable_rx_vlan_stripping = xgbe_enable_rx_vlan_stripping;
49611- hw_if->disable_rx_vlan_stripping = xgbe_disable_rx_vlan_stripping;
49612- hw_if->enable_rx_vlan_filtering = xgbe_enable_rx_vlan_filtering;
49613- hw_if->disable_rx_vlan_filtering = xgbe_disable_rx_vlan_filtering;
49614- hw_if->update_vlan_hash_table = xgbe_update_vlan_hash_table;
49615-
49616- hw_if->read_mmd_regs = xgbe_read_mmd_regs;
49617- hw_if->write_mmd_regs = xgbe_write_mmd_regs;
49618-
49619- hw_if->set_gmii_speed = xgbe_set_gmii_speed;
49620- hw_if->set_gmii_2500_speed = xgbe_set_gmii_2500_speed;
49621- hw_if->set_xgmii_speed = xgbe_set_xgmii_speed;
49622-
49623- hw_if->enable_tx = xgbe_enable_tx;
49624- hw_if->disable_tx = xgbe_disable_tx;
49625- hw_if->enable_rx = xgbe_enable_rx;
49626- hw_if->disable_rx = xgbe_disable_rx;
49627-
49628- hw_if->powerup_tx = xgbe_powerup_tx;
49629- hw_if->powerdown_tx = xgbe_powerdown_tx;
49630- hw_if->powerup_rx = xgbe_powerup_rx;
49631- hw_if->powerdown_rx = xgbe_powerdown_rx;
49632-
49633- hw_if->dev_xmit = xgbe_dev_xmit;
49634- hw_if->dev_read = xgbe_dev_read;
49635- hw_if->enable_int = xgbe_enable_int;
49636- hw_if->disable_int = xgbe_disable_int;
49637- hw_if->init = xgbe_init;
49638- hw_if->exit = xgbe_exit;
49639+const struct xgbe_hw_if default_xgbe_hw_if = {
49640+ .tx_complete = xgbe_tx_complete,
49641+
49642+ .set_mac_address = xgbe_set_mac_address,
49643+ .config_rx_mode = xgbe_config_rx_mode,
49644+
49645+ .enable_rx_csum = xgbe_enable_rx_csum,
49646+ .disable_rx_csum = xgbe_disable_rx_csum,
49647+
49648+ .enable_rx_vlan_stripping = xgbe_enable_rx_vlan_stripping,
49649+ .disable_rx_vlan_stripping = xgbe_disable_rx_vlan_stripping,
49650+ .enable_rx_vlan_filtering = xgbe_enable_rx_vlan_filtering,
49651+ .disable_rx_vlan_filtering = xgbe_disable_rx_vlan_filtering,
49652+ .update_vlan_hash_table = xgbe_update_vlan_hash_table,
49653+
49654+ .read_mmd_regs = xgbe_read_mmd_regs,
49655+ .write_mmd_regs = xgbe_write_mmd_regs,
49656+
49657+ .set_gmii_speed = xgbe_set_gmii_speed,
49658+ .set_gmii_2500_speed = xgbe_set_gmii_2500_speed,
49659+ .set_xgmii_speed = xgbe_set_xgmii_speed,
49660+
49661+ .enable_tx = xgbe_enable_tx,
49662+ .disable_tx = xgbe_disable_tx,
49663+ .enable_rx = xgbe_enable_rx,
49664+ .disable_rx = xgbe_disable_rx,
49665+
49666+ .powerup_tx = xgbe_powerup_tx,
49667+ .powerdown_tx = xgbe_powerdown_tx,
49668+ .powerup_rx = xgbe_powerup_rx,
49669+ .powerdown_rx = xgbe_powerdown_rx,
49670+
49671+ .dev_xmit = xgbe_dev_xmit,
49672+ .dev_read = xgbe_dev_read,
49673+ .enable_int = xgbe_enable_int,
49674+ .disable_int = xgbe_disable_int,
49675+ .init = xgbe_init,
49676+ .exit = xgbe_exit,
49677
49678 /* Descriptor related Sequences have to be initialized here */
49679- hw_if->tx_desc_init = xgbe_tx_desc_init;
49680- hw_if->rx_desc_init = xgbe_rx_desc_init;
49681- hw_if->tx_desc_reset = xgbe_tx_desc_reset;
49682- hw_if->rx_desc_reset = xgbe_rx_desc_reset;
49683- hw_if->is_last_desc = xgbe_is_last_desc;
49684- hw_if->is_context_desc = xgbe_is_context_desc;
49685- hw_if->tx_start_xmit = xgbe_tx_start_xmit;
49686+ .tx_desc_init = xgbe_tx_desc_init,
49687+ .rx_desc_init = xgbe_rx_desc_init,
49688+ .tx_desc_reset = xgbe_tx_desc_reset,
49689+ .rx_desc_reset = xgbe_rx_desc_reset,
49690+ .is_last_desc = xgbe_is_last_desc,
49691+ .is_context_desc = xgbe_is_context_desc,
49692+ .tx_start_xmit = xgbe_tx_start_xmit,
49693
49694 /* For FLOW ctrl */
49695- hw_if->config_tx_flow_control = xgbe_config_tx_flow_control;
49696- hw_if->config_rx_flow_control = xgbe_config_rx_flow_control;
49697+ .config_tx_flow_control = xgbe_config_tx_flow_control,
49698+ .config_rx_flow_control = xgbe_config_rx_flow_control,
49699
49700 /* For RX coalescing */
49701- hw_if->config_rx_coalesce = xgbe_config_rx_coalesce;
49702- hw_if->config_tx_coalesce = xgbe_config_tx_coalesce;
49703- hw_if->usec_to_riwt = xgbe_usec_to_riwt;
49704- hw_if->riwt_to_usec = xgbe_riwt_to_usec;
49705+ .config_rx_coalesce = xgbe_config_rx_coalesce,
49706+ .config_tx_coalesce = xgbe_config_tx_coalesce,
49707+ .usec_to_riwt = xgbe_usec_to_riwt,
49708+ .riwt_to_usec = xgbe_riwt_to_usec,
49709
49710 /* For RX and TX threshold config */
49711- hw_if->config_rx_threshold = xgbe_config_rx_threshold;
49712- hw_if->config_tx_threshold = xgbe_config_tx_threshold;
49713+ .config_rx_threshold = xgbe_config_rx_threshold,
49714+ .config_tx_threshold = xgbe_config_tx_threshold,
49715
49716 /* For RX and TX Store and Forward Mode config */
49717- hw_if->config_rsf_mode = xgbe_config_rsf_mode;
49718- hw_if->config_tsf_mode = xgbe_config_tsf_mode;
49719+ .config_rsf_mode = xgbe_config_rsf_mode,
49720+ .config_tsf_mode = xgbe_config_tsf_mode,
49721
49722 /* For TX DMA Operating on Second Frame config */
49723- hw_if->config_osp_mode = xgbe_config_osp_mode;
49724+ .config_osp_mode = xgbe_config_osp_mode,
49725
49726 /* For RX and TX PBL config */
49727- hw_if->config_rx_pbl_val = xgbe_config_rx_pbl_val;
49728- hw_if->get_rx_pbl_val = xgbe_get_rx_pbl_val;
49729- hw_if->config_tx_pbl_val = xgbe_config_tx_pbl_val;
49730- hw_if->get_tx_pbl_val = xgbe_get_tx_pbl_val;
49731- hw_if->config_pblx8 = xgbe_config_pblx8;
49732+ .config_rx_pbl_val = xgbe_config_rx_pbl_val,
49733+ .get_rx_pbl_val = xgbe_get_rx_pbl_val,
49734+ .config_tx_pbl_val = xgbe_config_tx_pbl_val,
49735+ .get_tx_pbl_val = xgbe_get_tx_pbl_val,
49736+ .config_pblx8 = xgbe_config_pblx8,
49737
49738 /* For MMC statistics support */
49739- hw_if->tx_mmc_int = xgbe_tx_mmc_int;
49740- hw_if->rx_mmc_int = xgbe_rx_mmc_int;
49741- hw_if->read_mmc_stats = xgbe_read_mmc_stats;
49742+ .tx_mmc_int = xgbe_tx_mmc_int,
49743+ .rx_mmc_int = xgbe_rx_mmc_int,
49744+ .read_mmc_stats = xgbe_read_mmc_stats,
49745
49746 /* For PTP config */
49747- hw_if->config_tstamp = xgbe_config_tstamp;
49748- hw_if->update_tstamp_addend = xgbe_update_tstamp_addend;
49749- hw_if->set_tstamp_time = xgbe_set_tstamp_time;
49750- hw_if->get_tstamp_time = xgbe_get_tstamp_time;
49751- hw_if->get_tx_tstamp = xgbe_get_tx_tstamp;
49752+ .config_tstamp = xgbe_config_tstamp,
49753+ .update_tstamp_addend = xgbe_update_tstamp_addend,
49754+ .set_tstamp_time = xgbe_set_tstamp_time,
49755+ .get_tstamp_time = xgbe_get_tstamp_time,
49756+ .get_tx_tstamp = xgbe_get_tx_tstamp,
49757
49758 /* For Data Center Bridging config */
49759- hw_if->config_dcb_tc = xgbe_config_dcb_tc;
49760- hw_if->config_dcb_pfc = xgbe_config_dcb_pfc;
49761+ .config_dcb_tc = xgbe_config_dcb_tc,
49762+ .config_dcb_pfc = xgbe_config_dcb_pfc,
49763
49764 /* For Receive Side Scaling */
49765- hw_if->enable_rss = xgbe_enable_rss;
49766- hw_if->disable_rss = xgbe_disable_rss;
49767- hw_if->set_rss_hash_key = xgbe_set_rss_hash_key;
49768- hw_if->set_rss_lookup_table = xgbe_set_rss_lookup_table;
49769-
49770- DBGPR("<--xgbe_init_function_ptrs\n");
49771-}
49772+ .enable_rss = xgbe_enable_rss,
49773+ .disable_rss = xgbe_disable_rss,
49774+ .set_rss_hash_key = xgbe_set_rss_hash_key,
49775+ .set_rss_lookup_table = xgbe_set_rss_lookup_table,
49776+};
49777diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
49778index aae9d5e..29ce58d 100644
49779--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
49780+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
49781@@ -245,7 +245,7 @@ static int xgbe_maybe_stop_tx_queue(struct xgbe_channel *channel,
49782 * support, tell it now
49783 */
49784 if (ring->tx.xmit_more)
49785- pdata->hw_if.tx_start_xmit(channel, ring);
49786+ pdata->hw_if->tx_start_xmit(channel, ring);
49787
49788 return NETDEV_TX_BUSY;
49789 }
49790@@ -273,7 +273,7 @@ static int xgbe_calc_rx_buf_size(struct net_device *netdev, unsigned int mtu)
49791
49792 static void xgbe_enable_rx_tx_ints(struct xgbe_prv_data *pdata)
49793 {
49794- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49795+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49796 struct xgbe_channel *channel;
49797 enum xgbe_int int_id;
49798 unsigned int i;
49799@@ -295,7 +295,7 @@ static void xgbe_enable_rx_tx_ints(struct xgbe_prv_data *pdata)
49800
49801 static void xgbe_disable_rx_tx_ints(struct xgbe_prv_data *pdata)
49802 {
49803- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49804+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49805 struct xgbe_channel *channel;
49806 enum xgbe_int int_id;
49807 unsigned int i;
49808@@ -318,7 +318,7 @@ static void xgbe_disable_rx_tx_ints(struct xgbe_prv_data *pdata)
49809 static irqreturn_t xgbe_isr(int irq, void *data)
49810 {
49811 struct xgbe_prv_data *pdata = data;
49812- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49813+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49814 struct xgbe_channel *channel;
49815 unsigned int dma_isr, dma_ch_isr;
49816 unsigned int mac_isr, mac_tssr;
49817@@ -443,7 +443,7 @@ static void xgbe_service(struct work_struct *work)
49818 struct xgbe_prv_data,
49819 service_work);
49820
49821- pdata->phy_if.phy_status(pdata);
49822+ pdata->phy_if->phy_status(pdata);
49823 }
49824
49825 static void xgbe_service_timer(unsigned long data)
49826@@ -702,7 +702,7 @@ static void xgbe_free_irqs(struct xgbe_prv_data *pdata)
49827
49828 void xgbe_init_tx_coalesce(struct xgbe_prv_data *pdata)
49829 {
49830- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49831+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49832
49833 DBGPR("-->xgbe_init_tx_coalesce\n");
49834
49835@@ -716,7 +716,7 @@ void xgbe_init_tx_coalesce(struct xgbe_prv_data *pdata)
49836
49837 void xgbe_init_rx_coalesce(struct xgbe_prv_data *pdata)
49838 {
49839- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49840+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49841
49842 DBGPR("-->xgbe_init_rx_coalesce\n");
49843
49844@@ -731,7 +731,7 @@ void xgbe_init_rx_coalesce(struct xgbe_prv_data *pdata)
49845
49846 static void xgbe_free_tx_data(struct xgbe_prv_data *pdata)
49847 {
49848- struct xgbe_desc_if *desc_if = &pdata->desc_if;
49849+ struct xgbe_desc_if *desc_if = pdata->desc_if;
49850 struct xgbe_channel *channel;
49851 struct xgbe_ring *ring;
49852 struct xgbe_ring_data *rdata;
49853@@ -756,7 +756,7 @@ static void xgbe_free_tx_data(struct xgbe_prv_data *pdata)
49854
49855 static void xgbe_free_rx_data(struct xgbe_prv_data *pdata)
49856 {
49857- struct xgbe_desc_if *desc_if = &pdata->desc_if;
49858+ struct xgbe_desc_if *desc_if = pdata->desc_if;
49859 struct xgbe_channel *channel;
49860 struct xgbe_ring *ring;
49861 struct xgbe_ring_data *rdata;
49862@@ -784,13 +784,13 @@ static int xgbe_phy_init(struct xgbe_prv_data *pdata)
49863 pdata->phy_link = -1;
49864 pdata->phy_speed = SPEED_UNKNOWN;
49865
49866- return pdata->phy_if.phy_reset(pdata);
49867+ return pdata->phy_if->phy_reset(pdata);
49868 }
49869
49870 int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
49871 {
49872 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49873- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49874+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49875 unsigned long flags;
49876
49877 DBGPR("-->xgbe_powerdown\n");
49878@@ -829,7 +829,7 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
49879 int xgbe_powerup(struct net_device *netdev, unsigned int caller)
49880 {
49881 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49882- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49883+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49884 unsigned long flags;
49885
49886 DBGPR("-->xgbe_powerup\n");
49887@@ -866,8 +866,8 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
49888
49889 static int xgbe_start(struct xgbe_prv_data *pdata)
49890 {
49891- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49892- struct xgbe_phy_if *phy_if = &pdata->phy_if;
49893+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49894+ struct xgbe_phy_if *phy_if = pdata->phy_if;
49895 struct net_device *netdev = pdata->netdev;
49896 int ret;
49897
49898@@ -910,8 +910,8 @@ err_phy:
49899
49900 static void xgbe_stop(struct xgbe_prv_data *pdata)
49901 {
49902- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49903- struct xgbe_phy_if *phy_if = &pdata->phy_if;
49904+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49905+ struct xgbe_phy_if *phy_if = pdata->phy_if;
49906 struct xgbe_channel *channel;
49907 struct net_device *netdev = pdata->netdev;
49908 struct netdev_queue *txq;
49909@@ -1139,7 +1139,7 @@ static int xgbe_set_hwtstamp_settings(struct xgbe_prv_data *pdata,
49910 return -ERANGE;
49911 }
49912
49913- pdata->hw_if.config_tstamp(pdata, mac_tscr);
49914+ pdata->hw_if->config_tstamp(pdata, mac_tscr);
49915
49916 memcpy(&pdata->tstamp_config, &config, sizeof(config));
49917
49918@@ -1288,7 +1288,7 @@ static void xgbe_packet_info(struct xgbe_prv_data *pdata,
49919 static int xgbe_open(struct net_device *netdev)
49920 {
49921 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49922- struct xgbe_desc_if *desc_if = &pdata->desc_if;
49923+ struct xgbe_desc_if *desc_if = pdata->desc_if;
49924 int ret;
49925
49926 DBGPR("-->xgbe_open\n");
49927@@ -1360,7 +1360,7 @@ err_sysclk:
49928 static int xgbe_close(struct net_device *netdev)
49929 {
49930 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49931- struct xgbe_desc_if *desc_if = &pdata->desc_if;
49932+ struct xgbe_desc_if *desc_if = pdata->desc_if;
49933
49934 DBGPR("-->xgbe_close\n");
49935
49936@@ -1387,8 +1387,8 @@ static int xgbe_close(struct net_device *netdev)
49937 static int xgbe_xmit(struct sk_buff *skb, struct net_device *netdev)
49938 {
49939 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49940- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49941- struct xgbe_desc_if *desc_if = &pdata->desc_if;
49942+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49943+ struct xgbe_desc_if *desc_if = pdata->desc_if;
49944 struct xgbe_channel *channel;
49945 struct xgbe_ring *ring;
49946 struct xgbe_packet_data *packet;
49947@@ -1457,7 +1457,7 @@ tx_netdev_return:
49948 static void xgbe_set_rx_mode(struct net_device *netdev)
49949 {
49950 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49951- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49952+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49953
49954 DBGPR("-->xgbe_set_rx_mode\n");
49955
49956@@ -1469,7 +1469,7 @@ static void xgbe_set_rx_mode(struct net_device *netdev)
49957 static int xgbe_set_mac_address(struct net_device *netdev, void *addr)
49958 {
49959 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49960- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49961+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49962 struct sockaddr *saddr = addr;
49963
49964 DBGPR("-->xgbe_set_mac_address\n");
49965@@ -1544,7 +1544,7 @@ static struct rtnl_link_stats64 *xgbe_get_stats64(struct net_device *netdev,
49966
49967 DBGPR("-->%s\n", __func__);
49968
49969- pdata->hw_if.read_mmc_stats(pdata);
49970+ pdata->hw_if->read_mmc_stats(pdata);
49971
49972 s->rx_packets = pstats->rxframecount_gb;
49973 s->rx_bytes = pstats->rxoctetcount_gb;
49974@@ -1571,7 +1571,7 @@ static int xgbe_vlan_rx_add_vid(struct net_device *netdev, __be16 proto,
49975 u16 vid)
49976 {
49977 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49978- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49979+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49980
49981 DBGPR("-->%s\n", __func__);
49982
49983@@ -1587,7 +1587,7 @@ static int xgbe_vlan_rx_kill_vid(struct net_device *netdev, __be16 proto,
49984 u16 vid)
49985 {
49986 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49987- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49988+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49989
49990 DBGPR("-->%s\n", __func__);
49991
49992@@ -1654,7 +1654,7 @@ static int xgbe_set_features(struct net_device *netdev,
49993 netdev_features_t features)
49994 {
49995 struct xgbe_prv_data *pdata = netdev_priv(netdev);
49996- struct xgbe_hw_if *hw_if = &pdata->hw_if;
49997+ struct xgbe_hw_if *hw_if = pdata->hw_if;
49998 netdev_features_t rxhash, rxcsum, rxvlan, rxvlan_filter;
49999 int ret = 0;
50000
50001@@ -1720,8 +1720,8 @@ struct net_device_ops *xgbe_get_netdev_ops(void)
50002 static void xgbe_rx_refresh(struct xgbe_channel *channel)
50003 {
50004 struct xgbe_prv_data *pdata = channel->pdata;
50005- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50006- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50007+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50008+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50009 struct xgbe_ring *ring = channel->rx_ring;
50010 struct xgbe_ring_data *rdata;
50011
50012@@ -1798,8 +1798,8 @@ static struct sk_buff *xgbe_create_skb(struct xgbe_prv_data *pdata,
50013 static int xgbe_tx_poll(struct xgbe_channel *channel)
50014 {
50015 struct xgbe_prv_data *pdata = channel->pdata;
50016- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50017- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50018+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50019+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50020 struct xgbe_ring *ring = channel->tx_ring;
50021 struct xgbe_ring_data *rdata;
50022 struct xgbe_ring_desc *rdesc;
50023@@ -1863,7 +1863,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel)
50024 static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
50025 {
50026 struct xgbe_prv_data *pdata = channel->pdata;
50027- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50028+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50029 struct xgbe_ring *ring = channel->rx_ring;
50030 struct xgbe_ring_data *rdata;
50031 struct xgbe_packet_data *packet;
50032diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50033index 59e090e..90bc0b4 100644
50034--- a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50035+++ b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50036@@ -211,7 +211,7 @@ static void xgbe_get_ethtool_stats(struct net_device *netdev,
50037
50038 DBGPR("-->%s\n", __func__);
50039
50040- pdata->hw_if.read_mmc_stats(pdata);
50041+ pdata->hw_if->read_mmc_stats(pdata);
50042 for (i = 0; i < XGBE_STATS_COUNT; i++) {
50043 stat = (u8 *)pdata + xgbe_gstring_stats[i].stat_offset;
50044 *data++ = *(u64 *)stat;
50045@@ -284,7 +284,7 @@ static int xgbe_set_pauseparam(struct net_device *netdev,
50046 pdata->phy.advertising ^= ADVERTISED_Asym_Pause;
50047
50048 if (netif_running(netdev))
50049- ret = pdata->phy_if.phy_config_aneg(pdata);
50050+ ret = pdata->phy_if->phy_config_aneg(pdata);
50051
50052 DBGPR("<--xgbe_set_pauseparam\n");
50053
50054@@ -364,7 +364,7 @@ static int xgbe_set_settings(struct net_device *netdev,
50055 pdata->phy.advertising &= ~ADVERTISED_Autoneg;
50056
50057 if (netif_running(netdev))
50058- ret = pdata->phy_if.phy_config_aneg(pdata);
50059+ ret = pdata->phy_if->phy_config_aneg(pdata);
50060
50061 DBGPR("<--xgbe_set_settings\n");
50062
50063@@ -411,7 +411,7 @@ static int xgbe_set_coalesce(struct net_device *netdev,
50064 struct ethtool_coalesce *ec)
50065 {
50066 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50067- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50068+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50069 unsigned int rx_frames, rx_riwt, rx_usecs;
50070 unsigned int tx_frames;
50071
50072@@ -536,7 +536,7 @@ static int xgbe_set_rxfh(struct net_device *netdev, const u32 *indir,
50073 const u8 *key, const u8 hfunc)
50074 {
50075 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50076- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50077+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50078 unsigned int ret;
50079
50080 if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
50081diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50082index e83bd76..f2d5d56 100644
50083--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50084+++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50085@@ -202,13 +202,6 @@ static void xgbe_default_config(struct xgbe_prv_data *pdata)
50086 DBGPR("<--xgbe_default_config\n");
50087 }
50088
50089-static void xgbe_init_all_fptrs(struct xgbe_prv_data *pdata)
50090-{
50091- xgbe_init_function_ptrs_dev(&pdata->hw_if);
50092- xgbe_init_function_ptrs_phy(&pdata->phy_if);
50093- xgbe_init_function_ptrs_desc(&pdata->desc_if);
50094-}
50095-
50096 #ifdef CONFIG_ACPI
50097 static int xgbe_acpi_support(struct xgbe_prv_data *pdata)
50098 {
50099@@ -641,10 +634,12 @@ static int xgbe_probe(struct platform_device *pdev)
50100 memcpy(netdev->dev_addr, pdata->mac_addr, netdev->addr_len);
50101
50102 /* Set all the function pointers */
50103- xgbe_init_all_fptrs(pdata);
50104+ pdata->hw_if = &default_xgbe_hw_if;
50105+ pdata->phy_if = &default_xgbe_phy_if;
50106+ pdata->desc_if = &default_xgbe_desc_if;
50107
50108 /* Issue software reset to device */
50109- pdata->hw_if.exit(pdata);
50110+ pdata->hw_if->exit(pdata);
50111
50112 /* Populate the hardware features */
50113 xgbe_get_all_hw_features(pdata);
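Review bot: The assignments `pdata->hw_if = &default_xgbe_hw_if;`, `pdata->phy_if = &default_xgbe_phy_if;` and `pdata->desc_if = &default_xgbe_desc_if;` store the address of a `const` object in members that the xgbe.h hunk declares as plain `struct xgbe_hw_if *hw_if;` and so on. The qualifier is therefore dropped unless something outside this diff, presumably a constification plugin, makes these types const implicitly. Declaring the members as `const struct xgbe_hw_if *hw_if;`, `const struct xgbe_phy_if *phy_if;` and `const struct xgbe_desc_if *desc_if;`, and the locals in xgbe-drv.c and xgbe-ethtool.c as `const struct xgbe_hw_if *hw_if = pdata->hw_if;`, would let any compiler reject a write through these pointers. Otherwise such a write is only caught when it faults on the read-only table at run time. xgbe_probe starts and ends outside this hunk.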
50114@@ -698,7 +693,7 @@ static int xgbe_probe(struct platform_device *pdev)
50115 XGMAC_SET_BITS(pdata->rss_options, MAC_RSSCR, UDP4TE, 1);
50116
50117 /* Call MDIO/PHY initialization routine */
50118- pdata->phy_if.phy_init(pdata);
50119+ pdata->phy_if->phy_init(pdata);
50120
50121 /* Set device operations */
50122 netdev->netdev_ops = xgbe_get_netdev_ops();
50123diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50124index 9088c3a..2ffe7c4 100644
50125--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50126+++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50127@@ -202,7 +202,7 @@ static void xgbe_xgmii_mode(struct xgbe_prv_data *pdata)
50128 xgbe_an_enable_kr_training(pdata);
50129
50130 /* Set MAC to 10G speed */
50131- pdata->hw_if.set_xgmii_speed(pdata);
50132+ pdata->hw_if->set_xgmii_speed(pdata);
50133
50134 /* Set PCS to KR/10G speed */
50135 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50136@@ -250,7 +250,7 @@ static void xgbe_gmii_2500_mode(struct xgbe_prv_data *pdata)
50137 xgbe_an_disable_kr_training(pdata);
50138
50139 /* Set MAC to 2.5G speed */
50140- pdata->hw_if.set_gmii_2500_speed(pdata);
50141+ pdata->hw_if->set_gmii_2500_speed(pdata);
50142
50143 /* Set PCS to KX/1G speed */
50144 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50145@@ -298,7 +298,7 @@ static void xgbe_gmii_mode(struct xgbe_prv_data *pdata)
50146 xgbe_an_disable_kr_training(pdata);
50147
50148 /* Set MAC to 1G speed */
50149- pdata->hw_if.set_gmii_speed(pdata);
50150+ pdata->hw_if->set_gmii_speed(pdata);
50151
50152 /* Set PCS to KX/1G speed */
50153 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50154@@ -872,13 +872,13 @@ static void xgbe_phy_adjust_link(struct xgbe_prv_data *pdata)
50155
50156 if (pdata->tx_pause != pdata->phy.tx_pause) {
50157 new_state = 1;
50158- pdata->hw_if.config_tx_flow_control(pdata);
50159+ pdata->hw_if->config_tx_flow_control(pdata);
50160 pdata->tx_pause = pdata->phy.tx_pause;
50161 }
50162
50163 if (pdata->rx_pause != pdata->phy.rx_pause) {
50164 new_state = 1;
50165- pdata->hw_if.config_rx_flow_control(pdata);
50166+ pdata->hw_if->config_rx_flow_control(pdata);
50167 pdata->rx_pause = pdata->phy.rx_pause;
50168 }
50169
50170@@ -1351,14 +1351,13 @@ static void xgbe_phy_init(struct xgbe_prv_data *pdata)
50171 xgbe_dump_phy_registers(pdata);
50172 }
50173
50174-void xgbe_init_function_ptrs_phy(struct xgbe_phy_if *phy_if)
50175-{
50176- phy_if->phy_init = xgbe_phy_init;
50177+const struct xgbe_phy_if default_xgbe_phy_if = {
50178+ .phy_init = xgbe_phy_init,
50179
50180- phy_if->phy_reset = xgbe_phy_reset;
50181- phy_if->phy_start = xgbe_phy_start;
50182- phy_if->phy_stop = xgbe_phy_stop;
50183+ .phy_reset = xgbe_phy_reset,
50184+ .phy_start = xgbe_phy_start,
50185+ .phy_stop = xgbe_phy_stop,
50186
50187- phy_if->phy_status = xgbe_phy_status;
50188- phy_if->phy_config_aneg = xgbe_phy_config_aneg;
50189-}
50190+ .phy_status = xgbe_phy_status,
50191+ .phy_config_aneg = xgbe_phy_config_aneg,
50192+};
50193diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c b/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50194index b03e4f5..78e4cc4 100644
50195--- a/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50196+++ b/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50197@@ -129,7 +129,7 @@ static cycle_t xgbe_cc_read(const struct cyclecounter *cc)
50198 tstamp_cc);
50199 u64 nsec;
50200
50201- nsec = pdata->hw_if.get_tstamp_time(pdata);
50202+ nsec = pdata->hw_if->get_tstamp_time(pdata);
50203
50204 return nsec;
50205 }
50206@@ -158,7 +158,7 @@ static int xgbe_adjfreq(struct ptp_clock_info *info, s32 delta)
50207
50208 spin_lock_irqsave(&pdata->tstamp_lock, flags);
50209
50210- pdata->hw_if.update_tstamp_addend(pdata, addend);
50211+ pdata->hw_if->update_tstamp_addend(pdata, addend);
50212
50213 spin_unlock_irqrestore(&pdata->tstamp_lock, flags);
50214
50215diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
50216index 717ce21..aacd1f3 100644
50217--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
50218+++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
50219@@ -801,9 +801,9 @@ struct xgbe_prv_data {
50220 int dev_irq;
50221 unsigned int per_channel_irq;
50222
50223- struct xgbe_hw_if hw_if;
50224- struct xgbe_phy_if phy_if;
50225- struct xgbe_desc_if desc_if;
50226+ struct xgbe_hw_if *hw_if;
50227+ struct xgbe_phy_if *phy_if;
50228+ struct xgbe_desc_if *desc_if;
50229
50230 /* AXI DMA settings */
50231 unsigned int coherent;
50232@@ -964,6 +964,10 @@ struct xgbe_prv_data {
50233 #endif
50234 };
50235
50236+extern const struct xgbe_hw_if default_xgbe_hw_if;
50237+extern const struct xgbe_phy_if default_xgbe_phy_if;
50238+extern const struct xgbe_desc_if default_xgbe_desc_if;
50239+
50240 /* Function prototypes*/
50241
50242 void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *);
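Review bot: The context line `void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *);` survives below the new `extern const` declarations although the patch appears to remove the function it declares. The xgbe-mdio.c hunk deletes `xgbe_init_function_ptrs_phy` outright, the xgbe-main.c hunk deletes `xgbe_init_all_fptrs`, the only caller shown, and the xgbe-dev.c hunk seems to do the same for the `_dev` variant, though its start is not visible here. The `xgbe_init_function_ptrs_*` prototypes should be dropped in the same change, so that a leftover caller fails at compile time rather than at link time and the header does not advertise a way to fill in a table that is now `const`.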
50243diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50244index 03b7404..01ff3b3 100644
50245--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50246+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50247@@ -1082,7 +1082,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp)
50248 static inline void bnx2x_init_bp_objs(struct bnx2x *bp)
50249 {
50250 /* RX_MODE controlling object */
50251- bnx2x_init_rx_mode_obj(bp, &bp->rx_mode_obj);
50252+ bnx2x_init_rx_mode_obj(bp);
50253
50254 /* multicast configuration controlling object */
50255 bnx2x_init_mcast_obj(bp, &bp->mcast_obj, bp->fp->cl_id, bp->fp->cid,
50256diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50257index 4ad415a..8e0a040 100644
50258--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50259+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50260@@ -2329,15 +2329,14 @@ int bnx2x_config_rx_mode(struct bnx2x *bp,
50261 return rc;
50262 }
50263
50264-void bnx2x_init_rx_mode_obj(struct bnx2x *bp,
50265- struct bnx2x_rx_mode_obj *o)
50266+void bnx2x_init_rx_mode_obj(struct bnx2x *bp)
50267 {
50268 if (CHIP_IS_E1x(bp)) {
50269- o->wait_comp = bnx2x_empty_rx_mode_wait;
50270- o->config_rx_mode = bnx2x_set_rx_mode_e1x;
50271+ bp->rx_mode_obj.wait_comp = bnx2x_empty_rx_mode_wait;
50272+ bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e1x;
50273 } else {
50274- o->wait_comp = bnx2x_wait_rx_mode_comp_e2;
50275- o->config_rx_mode = bnx2x_set_rx_mode_e2;
50276+ bp->rx_mode_obj.wait_comp = bnx2x_wait_rx_mode_comp_e2;
50277+ bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e2;
50278 }
50279 }
50280
50281diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50282index 86baecb..ff3bb46 100644
50283--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50284+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50285@@ -1411,8 +1411,7 @@ int bnx2x_vlan_mac_move(struct bnx2x *bp,
50286
50287 /********************* RX MODE ****************/
50288
50289-void bnx2x_init_rx_mode_obj(struct bnx2x *bp,
50290- struct bnx2x_rx_mode_obj *o);
50291+void bnx2x_init_rx_mode_obj(struct bnx2x *bp);
50292
50293 /**
50294 * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters.
50295diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
50296index 31c9f82..e65e986 100644
50297--- a/drivers/net/ethernet/broadcom/tg3.h
50298+++ b/drivers/net/ethernet/broadcom/tg3.h
50299@@ -150,6 +150,7 @@
50300 #define CHIPREV_ID_5750_A0 0x4000
50301 #define CHIPREV_ID_5750_A1 0x4001
50302 #define CHIPREV_ID_5750_A3 0x4003
50303+#define CHIPREV_ID_5750_C1 0x4201
50304 #define CHIPREV_ID_5750_C2 0x4202
50305 #define CHIPREV_ID_5752_A0_HW 0x5000
50306 #define CHIPREV_ID_5752_A0 0x6000
50307diff --git a/drivers/net/ethernet/brocade/bna/bna_enet.c b/drivers/net/ethernet/brocade/bna/bna_enet.c
50308index 4e5c387..bba8173 100644
50309--- a/drivers/net/ethernet/brocade/bna/bna_enet.c
50310+++ b/drivers/net/ethernet/brocade/bna/bna_enet.c
50311@@ -1676,10 +1676,10 @@ bna_cb_ioceth_reset(void *arg)
50312 }
50313
50314 static struct bfa_ioc_cbfn bna_ioceth_cbfn = {
50315- bna_cb_ioceth_enable,
50316- bna_cb_ioceth_disable,
50317- bna_cb_ioceth_hbfail,
50318- bna_cb_ioceth_reset
50319+ .enable_cbfn = bna_cb_ioceth_enable,
50320+ .disable_cbfn = bna_cb_ioceth_disable,
50321+ .hbfail_cbfn = bna_cb_ioceth_hbfail,
50322+ .reset_cbfn = bna_cb_ioceth_reset
50323 };
50324
50325 static void bna_attr_init(struct bna_ioceth *ioceth)
50326diff --git a/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c b/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50327index 29f3308..b594c38 100644
50328--- a/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50329+++ b/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50330@@ -265,9 +265,9 @@ static void octnet_mdio_resp_callback(struct octeon_device *oct,
50331 if (status) {
50332 dev_err(&oct->pci_dev->dev, "MIDO instruction failed. Status: %llx\n",
50333 CVM_CAST64(status));
50334- ACCESS_ONCE(mdio_cmd_ctx->cond) = -1;
50335+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = -1;
50336 } else {
50337- ACCESS_ONCE(mdio_cmd_ctx->cond) = 1;
50338+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = 1;
50339 }
50340 wake_up_interruptible(&mdio_cmd_ctx->wc);
50341 }
50342@@ -298,7 +298,7 @@ octnet_mdio45_access(struct lio *lio, int op, int loc, int *value)
50343 mdio_cmd_rsp = (struct oct_mdio_cmd_resp *)sc->virtrptr;
50344 mdio_cmd = (struct oct_mdio_cmd *)sc->virtdptr;
50345
50346- ACCESS_ONCE(mdio_cmd_ctx->cond) = 0;
50347+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = 0;
50348 mdio_cmd_ctx->octeon_id = lio_get_device_id(oct_dev);
50349 mdio_cmd->op = op;
50350 mdio_cmd->mdio_addr = loc;
50351diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
50352index 0660dee..e07895e 100644
50353--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
50354+++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
50355@@ -1727,7 +1727,7 @@ static void if_cfg_callback(struct octeon_device *oct,
50356 if (resp->status)
50357 dev_err(&oct->pci_dev->dev, "nic if cfg instruction failed. Status: %llx\n",
50358 CVM_CAST64(resp->status));
50359- ACCESS_ONCE(ctx->cond) = 1;
50360+ ACCESS_ONCE_RW(ctx->cond) = 1;
50361
50362 /* This barrier is required to be sure that the response has been
50363 * written fully before waking up the handler
50364@@ -3177,7 +3177,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
50365 dev_dbg(&octeon_dev->pci_dev->dev,
50366 "requesting config for interface %d, iqs %d, oqs %d\n",
50367 i, num_iqueues, num_oqueues);
50368- ACCESS_ONCE(ctx->cond) = 0;
50369+ ACCESS_ONCE_RW(ctx->cond) = 0;
50370 ctx->octeon_id = lio_get_device_id(octeon_dev);
50371 init_waitqueue_head(&ctx->wc);
50372
50373@@ -3240,8 +3240,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
50374 props = &octeon_dev->props[i];
50375 props->netdev = netdev;
50376
50377- if (num_iqueues > 1)
50378- lionetdevops.ndo_select_queue = select_q;
50379+ if (num_iqueues > 1) {
50380+ pax_open_kernel();
50381+ *(void **)&lionetdevops.ndo_select_queue = select_q;
50382+ pax_close_kernel();
50383+ }
50384
50385 /* Associate the routines that will handle different
50386 * netdev tasks.
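Review bot: The write between `pax_open_kernel()` and `pax_close_kernel()` patches `lionetdevops`, which by its name and use looks like a single table shared by every interface set up in this function. If so, the first interface with more than one input queue changes `ndo_select_queue` for all of them, and a read-only table has to be made writable to do it. Two constant `struct net_device_ops` tables, one with `.ndo_select_queue = select_q` and one without, selected per netdev where `netdev_ops` is assigned, would remove both the write window and the `*(void **)&` cast. If the runtime patch stays, a comment such as `/* ops table is read-only after init; open a write window to set the multi-queue hook */` should say why it is needed. setup_nic_devices continues outside the hunk.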
50387diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
50388index 8cffcdf..aadf043 100644
50389--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
50390+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
50391@@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)(struct t3cdev * dev,
50392 */
50393 struct l2t_skb_cb {
50394 arp_failure_handler_func arp_failure_handler;
50395-};
50396+} __no_const;
50397
50398 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
50399
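Review bot: The `} __no_const;` annotation is added without a comment saying why this struct opts out of constification, so a later reader cannot tell whether the exemption is still required. The `L2T_SKB_CB` macro just below shows the struct is overlaid on `(skb)->cb`, so the handler is presumably assigned per packet at run time. A comment above the struct such as `/* overlaid on skb->cb and written per skb, so it must stay writable (__no_const) */` would record that.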
50400diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
50401index 8966f31..e15a101 100644
50402--- a/drivers/net/ethernet/dec/tulip/de4x5.c
50403+++ b/drivers/net/ethernet/dec/tulip/de4x5.c
50404@@ -5373,7 +5373,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
50405 for (i=0; i<ETH_ALEN; i++) {
50406 tmp.addr[i] = dev->dev_addr[i];
50407 }
50408- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
50409+ if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
50410 break;
50411
50412 case DE4X5_SET_HWADDR: /* Set the hardware address */
50413@@ -5413,7 +5413,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
50414 spin_lock_irqsave(&lp->lock, flags);
50415 memcpy(&statbuf, &lp->pktStats, ioc->len);
50416 spin_unlock_irqrestore(&lp->lock, flags);
50417- if (copy_to_user(ioc->data, &statbuf, ioc->len))
50418+ if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
50419 return -EFAULT;
50420 break;
50421 }
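Review bot: The added `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len);`, so an oversized length from the ioctl request has already been copied into `statbuf` (and read past `lp->pktStats`) under the spinlock before it is rejected. The bound belongs before the lock is taken: `if (ioc->len > sizeof statbuf) return -EFAULT;` ahead of `spin_lock_irqsave(&lp->lock, flags);`, after which the `copy_to_user` condition can stay as it was. `-EINVAL` would describe a bad length better than `-EFAULT`, here and in the DE4X5_GET_HWADDR hunk above. The enclosing `case` and de4x5_ioctl start outside the hunk.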
50422diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
50423index 6ca693b..fa18c3f 100644
50424--- a/drivers/net/ethernet/emulex/benet/be_main.c
50425+++ b/drivers/net/ethernet/emulex/benet/be_main.c
50426@@ -551,7 +551,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val)
50427
50428 if (wrapped)
50429 newacc += 65536;
50430- ACCESS_ONCE(*acc) = newacc;
50431+ ACCESS_ONCE_RW(*acc) = newacc;
50432 }
50433
50434 static void populate_erx_stats(struct be_adapter *adapter,
50435diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
50436index 6d0c5d5..55be363 100644
50437--- a/drivers/net/ethernet/faraday/ftgmac100.c
50438+++ b/drivers/net/ethernet/faraday/ftgmac100.c
50439@@ -30,6 +30,8 @@
50440 #include <linux/netdevice.h>
50441 #include <linux/phy.h>
50442 #include <linux/platform_device.h>
50443+#include <linux/interrupt.h>
50444+#include <linux/irqreturn.h>
50445 #include <net/ip.h>
50446
50447 #include "ftgmac100.h"
50448diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c
50449index dce5f7b..2433466 100644
50450--- a/drivers/net/ethernet/faraday/ftmac100.c
50451+++ b/drivers/net/ethernet/faraday/ftmac100.c
50452@@ -31,6 +31,8 @@
50453 #include <linux/module.h>
50454 #include <linux/netdevice.h>
50455 #include <linux/platform_device.h>
50456+#include <linux/interrupt.h>
50457+#include <linux/irqreturn.h>
50458
50459 #include "ftmac100.h"
50460
50461diff --git a/drivers/net/ethernet/intel/i40e/i40e_ptp.c b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
50462index a92b772..250fe69 100644
50463--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c
50464+++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
50465@@ -419,7 +419,7 @@ void i40e_ptp_set_increment(struct i40e_pf *pf)
50466 wr32(hw, I40E_PRTTSYN_INC_H, incval >> 32);
50467
50468 /* Update the base adjustement value. */
50469- ACCESS_ONCE(pf->ptp_base_adj) = incval;
50470+ ACCESS_ONCE_RW(pf->ptp_base_adj) = incval;
50471 smp_mb(); /* Force the above update. */
50472 }
50473
50474diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
50475index e5ba040..d47531c 100644
50476--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
50477+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
50478@@ -782,7 +782,7 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter)
50479 }
50480
50481 /* update the base incval used to calculate frequency adjustment */
50482- ACCESS_ONCE(adapter->base_incval) = incval;
50483+ ACCESS_ONCE_RW(adapter->base_incval) = incval;
50484 smp_mb();
50485
50486 /* need lock to prevent incorrect read while modifying cyclecounter */
50487diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
50488index c10d98f..72914c6 100644
50489--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
50490+++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
50491@@ -475,8 +475,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev,
50492 wmb();
50493
50494 /* we want to dirty this cache line once */
50495- ACCESS_ONCE(ring->last_nr_txbb) = last_nr_txbb;
50496- ACCESS_ONCE(ring->cons) = ring_cons + txbbs_skipped;
50497+ ACCESS_ONCE_RW(ring->last_nr_txbb) = last_nr_txbb;
50498+ ACCESS_ONCE_RW(ring->cons) = ring_cons + txbbs_skipped;
50499
50500 netdev_tx_completed_queue(ring->tx_queue, packets, bytes);
50501
50502diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
50503index 40206da..9d94643 100644
50504--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
50505+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
50506@@ -1734,7 +1734,9 @@ static void mlx5e_build_netdev(struct net_device *netdev)
50507 SET_NETDEV_DEV(netdev, &mdev->pdev->dev);
50508
50509 if (priv->num_tc > 1) {
50510- mlx5e_netdev_ops.ndo_select_queue = mlx5e_select_queue;
50511+ pax_open_kernel();
50512+ *(void **)&mlx5e_netdev_ops.ndo_select_queue = mlx5e_select_queue;
50513+ pax_close_kernel();
50514 }
50515
50516 netdev->netdev_ops = &mlx5e_netdev_ops;
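Review bot: The store `*(void **)&mlx5e_netdev_ops.ndo_select_queue = mlx5e_select_queue;` goes through a `void **` cast that discards the function-pointer type, so a later signature mismatch between the field and `mlx5e_select_queue` would no longer be diagnosed by the compiler. The write also targets a file-scope ops table from inside a per-netdev build function, so the `pax_open_kernel()` window is reopened each time a device with `num_tc > 1` is built. Choosing between two fully initialised tables would avoid the runtime write, if the table definition (not in this hunk) allows it. The same cast pattern is used for `init_driver` in the qlcnic_83xx_init.c and qlcnic_83xx_vnic.c hunks below. At minimum a comment such as `/* ops table is read-only after init; window opened only for this store */` would explain the construct to readers of the driver.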
50517diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
50518index 6223930..975033d 100644
50519--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
50520+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
50521@@ -3457,7 +3457,10 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp,
50522 struct __vxge_hw_fifo *fifo;
50523 struct vxge_hw_fifo_config *config;
50524 u32 txdl_size, txdl_per_memblock;
50525- struct vxge_hw_mempool_cbs fifo_mp_callback;
50526+ static struct vxge_hw_mempool_cbs fifo_mp_callback = {
50527+ .item_func_alloc = __vxge_hw_fifo_mempool_item_alloc,
50528+ };
50529+
50530 struct __vxge_hw_virtualpath *vpath;
50531
50532 if ((vp == NULL) || (attr == NULL)) {
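Review bot: `fifo_mp_callback` becomes a function-local `static` with only `item_func_alloc` set, but it is not declared `const`, so the intent that it is never written again is not stated in the source. If `__vxge_hw_mempool_create()` accepts a `const struct vxge_hw_mempool_cbs *` (its prototype is not visible here), `static const struct vxge_hw_mempool_cbs fifo_mp_callback = {` would say so directly. The added blank line after the initializer also splits the declaration block, leaving `vpath` on its own. The body of `__vxge_hw_fifo_create()` continues outside the hunk.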
50533@@ -3540,8 +3543,6 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp,
50534 goto exit;
50535 }
50536
50537- fifo_mp_callback.item_func_alloc = __vxge_hw_fifo_mempool_item_alloc;
50538-
50539 fifo->mempool =
50540 __vxge_hw_mempool_create(vpath->hldev,
50541 fifo->config->memblock_size,
50542diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
50543index 753ea8b..674c39a 100644
50544--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
50545+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
50546@@ -2324,7 +2324,9 @@ int qlcnic_83xx_configure_opmode(struct qlcnic_adapter *adapter)
50547 max_tx_rings = QLCNIC_MAX_VNIC_TX_RINGS;
50548 } else if (ret == QLC_83XX_DEFAULT_OPMODE) {
50549 ahw->nic_mode = QLCNIC_DEFAULT_MODE;
50550- adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
50551+ pax_open_kernel();
50552+ *(void **)&adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
50553+ pax_close_kernel();
50554 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
50555 max_sds_rings = QLCNIC_MAX_SDS_RINGS;
50556 max_tx_rings = QLCNIC_MAX_TX_RINGS;
50557diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
50558index be7d7a6..a8983f8 100644
50559--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
50560+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
50561@@ -207,17 +207,23 @@ int qlcnic_83xx_config_vnic_opmode(struct qlcnic_adapter *adapter)
50562 case QLCNIC_NON_PRIV_FUNC:
50563 ahw->op_mode = QLCNIC_NON_PRIV_FUNC;
50564 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
50565- nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
50566+ pax_open_kernel();
50567+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
50568+ pax_close_kernel();
50569 break;
50570 case QLCNIC_PRIV_FUNC:
50571 ahw->op_mode = QLCNIC_PRIV_FUNC;
50572 ahw->idc.state_entry = qlcnic_83xx_idc_vnic_pf_entry;
50573- nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
50574+ pax_open_kernel();
50575+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
50576+ pax_close_kernel();
50577 break;
50578 case QLCNIC_MGMT_FUNC:
50579 ahw->op_mode = QLCNIC_MGMT_FUNC;
50580 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
50581- nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
50582+ pax_open_kernel();
50583+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
50584+ pax_close_kernel();
50585 break;
50586 default:
50587 dev_err(&adapter->pdev->dev, "Invalid Virtual NIC opmode\n");
50588diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
50589index 332bb8a..e6adcd1 100644
50590--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
50591+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
50592@@ -1285,7 +1285,7 @@ flash_temp:
50593 int qlcnic_dump_fw(struct qlcnic_adapter *adapter)
50594 {
50595 struct qlcnic_fw_dump *fw_dump = &adapter->ahw->fw_dump;
50596- static const struct qlcnic_dump_operations *fw_dump_ops;
50597+ const struct qlcnic_dump_operations *fw_dump_ops;
50598 struct qlcnic_83xx_dump_template_hdr *hdr_83xx;
50599 u32 entry_offset, dump, no_entries, buf_offset = 0;
50600 int i, k, ops_cnt, ops_index, dump_size = 0;
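Review bot: Dropping `static` from `fw_dump_ops` turns a zero-initialised pointer into an uninitialised automatic one, and the new declaration carries no initializer. The assignments happen later in `qlcnic_dump_fw()`, outside this hunk, so it is worth confirming that every path assigns the pointer before its first dereference. Initialising at the declaration would make that independent of the control flow: `const struct qlcnic_dump_operations *fw_dump_ops = NULL;`.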
50601diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
50602index f790f61..f1faafe 100644
50603--- a/drivers/net/ethernet/realtek/r8169.c
50604+++ b/drivers/net/ethernet/realtek/r8169.c
50605@@ -788,22 +788,22 @@ struct rtl8169_private {
50606 struct mdio_ops {
50607 void (*write)(struct rtl8169_private *, int, int);
50608 int (*read)(struct rtl8169_private *, int);
50609- } mdio_ops;
50610+ } __no_const mdio_ops;
50611
50612 struct pll_power_ops {
50613 void (*down)(struct rtl8169_private *);
50614 void (*up)(struct rtl8169_private *);
50615- } pll_power_ops;
50616+ } __no_const pll_power_ops;
50617
50618 struct jumbo_ops {
50619 void (*enable)(struct rtl8169_private *);
50620 void (*disable)(struct rtl8169_private *);
50621- } jumbo_ops;
50622+ } __no_const jumbo_ops;
50623
50624 struct csi_ops {
50625 void (*write)(struct rtl8169_private *, int, int);
50626 u32 (*read)(struct rtl8169_private *, int);
50627- } csi_ops;
50628+ } __no_const csi_ops;
50629
50630 int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
50631 int (*get_settings)(struct net_device *, struct ethtool_cmd *);
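Review bot: The four `__no_const` annotations on `mdio_ops`, `pll_power_ops`, `jumbo_ops` and `csi_ops` carry no comment saying why these function-pointer structs must stay writable. A short comment above the first one would record the reason, e.g. `/* per-chip ops, assigned at runtime; must not be constified */`, assuming that is why they are exempted (the assignments are not in this hunk). The r8152.c hunk further down adds the same annotation to `rtl_ops` and would benefit from the same comment. `struct rtl8169_private` extends beyond the hunk on both sides.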
50632diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c
50633index ad62615..a4c124d 100644
50634--- a/drivers/net/ethernet/sfc/ptp.c
50635+++ b/drivers/net/ethernet/sfc/ptp.c
50636@@ -832,7 +832,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings)
50637 ptp->start.dma_addr);
50638
50639 /* Clear flag that signals MC ready */
50640- ACCESS_ONCE(*start) = 0;
50641+ ACCESS_ONCE_RW(*start) = 0;
50642 rc = efx_mcdi_rpc_start(efx, MC_CMD_PTP, synch_buf,
50643 MC_CMD_PTP_IN_SYNCHRONIZE_LEN);
50644 EFX_BUG_ON_PARANOID(rc);
50645diff --git a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
50646index 3f20bb1..59add41 100644
50647--- a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
50648+++ b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
50649@@ -140,8 +140,8 @@ void dwmac_mmc_ctrl(void __iomem *ioaddr, unsigned int mode)
50650
50651 writel(value, ioaddr + MMC_CNTRL);
50652
50653- pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n",
50654- MMC_CNTRL, value);
50655+// pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n",
50656+// MMC_CNTRL, value);
50657 }
50658
50659 /* To mask all all interrupts.*/
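Review bot: The `pr_debug()` call at the end of `dwmac_mmc_ctrl()` is disabled by prefixing both of its lines with `//`, which leaves commented-out code in the driver with no explanation. Deleting the two lines would be cleaner. If the call has to stay for reference, a comment stating why it is disabled is needed, e.g. `/* pr_debug disabled: <reason> */`.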
50660diff --git a/drivers/net/ethernet/via/via-rhine.c b/drivers/net/ethernet/via/via-rhine.c
50661index a832637..092da0a 100644
50662--- a/drivers/net/ethernet/via/via-rhine.c
50663+++ b/drivers/net/ethernet/via/via-rhine.c
50664@@ -2599,7 +2599,7 @@ static struct platform_driver rhine_driver_platform = {
50665 }
50666 };
50667
50668-static struct dmi_system_id rhine_dmi_table[] __initdata = {
50669+static const struct dmi_system_id rhine_dmi_table[] __initconst = {
50670 {
50671 .ident = "EPIA-M",
50672 .matches = {
50673diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
50674index dd45440..c5f3cae 100644
50675--- a/drivers/net/hyperv/hyperv_net.h
50676+++ b/drivers/net/hyperv/hyperv_net.h
50677@@ -177,7 +177,7 @@ struct rndis_device {
50678 enum rndis_device_state state;
50679 bool link_state;
50680 bool link_change;
50681- atomic_t new_req_id;
50682+ atomic_unchecked_t new_req_id;
50683
50684 spinlock_t request_lock;
50685 struct list_head req_list;
50686diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
50687index 236aeb7..fd695e2 100644
50688--- a/drivers/net/hyperv/rndis_filter.c
50689+++ b/drivers/net/hyperv/rndis_filter.c
50690@@ -101,7 +101,7 @@ static struct rndis_request *get_rndis_request(struct rndis_device *dev,
50691 * template
50692 */
50693 set = &rndis_msg->msg.set_req;
50694- set->req_id = atomic_inc_return(&dev->new_req_id);
50695+ set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
50696
50697 /* Add to the request list */
50698 spin_lock_irqsave(&dev->request_lock, flags);
50699@@ -924,7 +924,7 @@ static void rndis_filter_halt_device(struct rndis_device *dev)
50700
50701 /* Setup the rndis set */
50702 halt = &request->request_msg.msg.halt_req;
50703- halt->req_id = atomic_inc_return(&dev->new_req_id);
50704+ halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
50705
50706 /* Ignore return since this msg is optional. */
50707 rndis_filter_send_request(dev, request);
50708diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
50709index 94570aa..1a798e1 100644
50710--- a/drivers/net/ifb.c
50711+++ b/drivers/net/ifb.c
50712@@ -253,7 +253,7 @@ static int ifb_validate(struct nlattr *tb[], struct nlattr *data[])
50713 return 0;
50714 }
50715
50716-static struct rtnl_link_ops ifb_link_ops __read_mostly = {
50717+static struct rtnl_link_ops ifb_link_ops = {
50718 .kind = "ifb",
50719 .priv_size = sizeof(struct ifb_private),
50720 .setup = ifb_setup,
50721diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
50722index 207f62e..af3f5e5 100644
50723--- a/drivers/net/ipvlan/ipvlan_core.c
50724+++ b/drivers/net/ipvlan/ipvlan_core.c
50725@@ -466,7 +466,7 @@ static void ipvlan_multicast_enqueue(struct ipvl_port *port,
50726 schedule_work(&port->wq);
50727 } else {
50728 spin_unlock(&port->backlog.lock);
50729- atomic_long_inc(&skb->dev->rx_dropped);
50730+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
50731 kfree_skb(skb);
50732 }
50733 }
50734diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
50735index 9f59f17..52cb38f 100644
50736--- a/drivers/net/macvlan.c
50737+++ b/drivers/net/macvlan.c
50738@@ -335,7 +335,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
50739 free_nskb:
50740 kfree_skb(nskb);
50741 err:
50742- atomic_long_inc(&skb->dev->rx_dropped);
50743+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
50744 }
50745
50746 static void macvlan_flush_sources(struct macvlan_port *port,
50747@@ -1480,13 +1480,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = {
50748 int macvlan_link_register(struct rtnl_link_ops *ops)
50749 {
50750 /* common fields */
50751- ops->priv_size = sizeof(struct macvlan_dev);
50752- ops->validate = macvlan_validate;
50753- ops->maxtype = IFLA_MACVLAN_MAX;
50754- ops->policy = macvlan_policy;
50755- ops->changelink = macvlan_changelink;
50756- ops->get_size = macvlan_get_size;
50757- ops->fill_info = macvlan_fill_info;
50758+ pax_open_kernel();
50759+ *(size_t *)&ops->priv_size = sizeof(struct macvlan_dev);
50760+ *(void **)&ops->validate = macvlan_validate;
50761+ *(int *)&ops->maxtype = IFLA_MACVLAN_MAX;
50762+ *(const void **)&ops->policy = macvlan_policy;
50763+ *(void **)&ops->changelink = macvlan_changelink;
50764+ *(void **)&ops->get_size = macvlan_get_size;
50765+ *(void **)&ops->fill_info = macvlan_fill_info;
50766+ pax_close_kernel();
50767
50768 return rtnl_link_register(ops);
50769 };
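Review bot: In `macvlan_link_register()` each store hard-codes the field's type in its cast (`*(size_t *)&ops->priv_size`, `*(int *)&ops->maxtype`, `*(void **)&ops->validate`), so if a field of `struct rtnl_link_ops` changes width or type the write would silently keep using the old one. `ops` is also a caller-supplied pointer, and all seven stores run with the `pax_open_kernel()` window open. A comment would document what callers are expected to pass, e.g. `/* ops must be the caller's own rtnl_link_ops table; common fields are filled in before registration */`.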
50770@@ -1572,7 +1574,7 @@ static int macvlan_device_event(struct notifier_block *unused,
50771 return NOTIFY_DONE;
50772 }
50773
50774-static struct notifier_block macvlan_notifier_block __read_mostly = {
50775+static struct notifier_block macvlan_notifier_block = {
50776 .notifier_call = macvlan_device_event,
50777 };
50778
50779diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
50780index 248478c..05e8467 100644
50781--- a/drivers/net/macvtap.c
50782+++ b/drivers/net/macvtap.c
50783@@ -485,7 +485,7 @@ static void macvtap_setup(struct net_device *dev)
50784 dev->tx_queue_len = TUN_READQ_SIZE;
50785 }
50786
50787-static struct rtnl_link_ops macvtap_link_ops __read_mostly = {
50788+static struct rtnl_link_ops macvtap_link_ops = {
50789 .kind = "macvtap",
50790 .setup = macvtap_setup,
50791 .newlink = macvtap_newlink,
50792@@ -1090,7 +1090,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
50793
50794 ret = 0;
50795 u = q->flags;
50796- if (copy_to_user(&ifr->ifr_name, vlan->dev->name, IFNAMSIZ) ||
50797+ if (copy_to_user(ifr->ifr_name, vlan->dev->name, IFNAMSIZ) ||
50798 put_user(u, &ifr->ifr_flags))
50799 ret = -EFAULT;
50800 macvtap_put_vlan(vlan);
50801@@ -1308,7 +1308,7 @@ static int macvtap_device_event(struct notifier_block *unused,
50802 return NOTIFY_DONE;
50803 }
50804
50805-static struct notifier_block macvtap_notifier_block __read_mostly = {
50806+static struct notifier_block macvtap_notifier_block = {
50807 .notifier_call = macvtap_device_event,
50808 };
50809
50810diff --git a/drivers/net/nlmon.c b/drivers/net/nlmon.c
50811index 34924df..a747360 100644
50812--- a/drivers/net/nlmon.c
50813+++ b/drivers/net/nlmon.c
50814@@ -154,7 +154,7 @@ static int nlmon_validate(struct nlattr *tb[], struct nlattr *data[])
50815 return 0;
50816 }
50817
50818-static struct rtnl_link_ops nlmon_link_ops __read_mostly = {
50819+static struct rtnl_link_ops nlmon_link_ops = {
50820 .kind = "nlmon",
50821 .priv_size = sizeof(struct nlmon),
50822 .setup = nlmon_setup,
50823diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
50824index 55f0178..6220e93 100644
50825--- a/drivers/net/phy/phy_device.c
50826+++ b/drivers/net/phy/phy_device.c
50827@@ -218,7 +218,7 @@ EXPORT_SYMBOL(phy_device_create);
50828 * zero on success.
50829 *
50830 */
50831-static int get_phy_c45_ids(struct mii_bus *bus, int addr, u32 *phy_id,
50832+static int get_phy_c45_ids(struct mii_bus *bus, int addr, int *phy_id,
50833 struct phy_c45_device_ids *c45_ids) {
50834 int phy_reg;
50835 int i, reg_addr;
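Review bot: `phy_id` changes from `u32 *` to `int *` in `get_phy_c45_ids()` here, and in `get_phy_id()` and the local in `get_phy_device()` in the next two hunks, so an identifier with bit 31 set now reads as a negative value. Any comparison against an all-ones pattern, right shift or formatted print of the id in code outside these hunks should be checked for sign-extension effects. If the signed type is intentional, a comment on the parameter such as `/* bit pattern only; the sign carries no meaning */` would prevent a later reader from treating it as a numeric value. The function bodies continue outside the hunks.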
50836@@ -296,7 +296,7 @@ retry: reg_addr = MII_ADDR_C45 | i << 16 | MDIO_DEVS2;
50837 * its return value is in turn returned.
50838 *
50839 */
50840-static int get_phy_id(struct mii_bus *bus, int addr, u32 *phy_id,
50841+static int get_phy_id(struct mii_bus *bus, int addr, int *phy_id,
50842 bool is_c45, struct phy_c45_device_ids *c45_ids)
50843 {
50844 int phy_reg;
50845@@ -334,7 +334,7 @@ static int get_phy_id(struct mii_bus *bus, int addr, u32 *phy_id,
50846 struct phy_device *get_phy_device(struct mii_bus *bus, int addr, bool is_c45)
50847 {
50848 struct phy_c45_device_ids c45_ids = {0};
50849- u32 phy_id = 0;
50850+ int phy_id = 0;
50851 int r;
50852
50853 r = get_phy_id(bus, addr, &phy_id, is_c45, &c45_ids);
50854diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
50855index 487be20..f4c87bc 100644
50856--- a/drivers/net/ppp/ppp_generic.c
50857+++ b/drivers/net/ppp/ppp_generic.c
50858@@ -1035,7 +1035,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
50859 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
50860 struct ppp_stats stats;
50861 struct ppp_comp_stats cstats;
50862- char *vers;
50863
50864 switch (cmd) {
50865 case SIOCGPPPSTATS:
50866@@ -1057,8 +1056,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
50867 break;
50868
50869 case SIOCGPPPVER:
50870- vers = PPP_VERSION;
50871- if (copy_to_user(addr, vers, strlen(vers) + 1))
50872+ if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
50873 break;
50874 err = 0;
50875 break;
50876diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
50877index 079f7ad..b2a2bfa7 100644
50878--- a/drivers/net/slip/slhc.c
50879+++ b/drivers/net/slip/slhc.c
50880@@ -487,7 +487,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
50881 register struct tcphdr *thp;
50882 register struct iphdr *ip;
50883 register struct cstate *cs;
50884- int len, hdrlen;
50885+ long len, hdrlen;
50886 unsigned char *cp = icp;
50887
50888 /* We've got a compressed packet; read the change byte */
50889diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
50890index daa054b..07d6b98 100644
50891--- a/drivers/net/team/team.c
50892+++ b/drivers/net/team/team.c
50893@@ -2107,7 +2107,7 @@ static unsigned int team_get_num_rx_queues(void)
50894 return TEAM_DEFAULT_NUM_RX_QUEUES;
50895 }
50896
50897-static struct rtnl_link_ops team_link_ops __read_mostly = {
50898+static struct rtnl_link_ops team_link_ops = {
50899 .kind = DRV_NAME,
50900 .priv_size = sizeof(struct team),
50901 .setup = team_setup,
50902@@ -2897,7 +2897,7 @@ static int team_device_event(struct notifier_block *unused,
50903 return NOTIFY_DONE;
50904 }
50905
50906-static struct notifier_block team_notifier_block __read_mostly = {
50907+static struct notifier_block team_notifier_block = {
50908 .notifier_call = team_device_event,
50909 };
50910
50911diff --git a/drivers/net/tun.c b/drivers/net/tun.c
50912index 06a0394..1756d18 100644
50913--- a/drivers/net/tun.c
50914+++ b/drivers/net/tun.c
50915@@ -1472,7 +1472,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
50916 return -EINVAL;
50917 }
50918
50919-static struct rtnl_link_ops tun_link_ops __read_mostly = {
50920+static struct rtnl_link_ops tun_link_ops = {
50921 .kind = DRV_NAME,
50922 .priv_size = sizeof(struct tun_struct),
50923 .setup = tun_setup,
50924@@ -1871,7 +1871,7 @@ unlock:
50925 }
50926
50927 static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
50928- unsigned long arg, int ifreq_len)
50929+ unsigned long arg, size_t ifreq_len)
50930 {
50931 struct tun_file *tfile = file->private_data;
50932 struct tun_struct *tun;
50933@@ -1885,6 +1885,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
50934 int le;
50935 int ret;
50936
50937+ if (ifreq_len > sizeof ifr)
50938+ return -EFAULT;
50939+
50940 if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
50941 if (copy_from_user(&ifr, argp, ifreq_len))
50942 return -EFAULT;
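Review bot: The new guard `if (ifreq_len > sizeof ifr) return -EFAULT;` reports an oversized length with the same errno that the following `copy_from_user()` uses for a bad user pointer. `ifreq_len` appears to be supplied by the in-kernel ioctl wrappers rather than by userspace (the callers are not in this hunk), so a mismatch would be a kernel bug. `if (WARN_ON_ONCE(ifreq_len > sizeof(ifr))) return -EINVAL;` would make it both visible and distinguishable. When `ifreq_len` is smaller than `sizeof ifr`, the tail of `ifr` stays uninitialised after the copy, which matters for any later use of the full struct outside this hunk.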
50943diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
50944index 111d907..1ee643e 100644
50945--- a/drivers/net/usb/hso.c
50946+++ b/drivers/net/usb/hso.c
50947@@ -70,7 +70,7 @@
50948 #include <asm/byteorder.h>
50949 #include <linux/serial_core.h>
50950 #include <linux/serial.h>
50951-
50952+#include <asm/local.h>
50953
50954 #define MOD_AUTHOR "Option Wireless"
50955 #define MOD_DESCRIPTION "USB High Speed Option driver"
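Review bot: The hunk adds `#include <asm/local.h>`, but the accessors introduced in the following hunks are `atomic_read()`, `atomic_inc_return()`, `atomic_dec()` and `atomic_set()`, which are provided through `<linux/atomic.h>`. Unless `port.count` is built on `local_t` in this tree (its definition is not visible here), `#include <linux/atomic.h>` would be the header that matches the calls.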
50956@@ -1183,7 +1183,7 @@ static void put_rxbuf_data_and_resubmit_ctrl_urb(struct hso_serial *serial)
50957 struct urb *urb;
50958
50959 urb = serial->rx_urb[0];
50960- if (serial->port.count > 0) {
50961+ if (atomic_read(&serial->port.count) > 0) {
50962 count = put_rxbuf_data(urb, serial);
50963 if (count == -1)
50964 return;
50965@@ -1221,7 +1221,7 @@ static void hso_std_serial_read_bulk_callback(struct urb *urb)
50966 DUMP1(urb->transfer_buffer, urb->actual_length);
50967
50968 /* Anyone listening? */
50969- if (serial->port.count == 0)
50970+ if (atomic_read(&serial->port.count) == 0)
50971 return;
50972
50973 if (serial->parent->port_spec & HSO_INFO_CRC_BUG)
50974@@ -1282,8 +1282,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
50975 tty_port_tty_set(&serial->port, tty);
50976
50977 /* check for port already opened, if not set the termios */
50978- serial->port.count++;
50979- if (serial->port.count == 1) {
50980+ if (atomic_inc_return(&serial->port.count) == 1) {
50981 serial->rx_state = RX_IDLE;
50982 /* Force default termio settings */
50983 _hso_serial_set_termios(tty, NULL);
50984@@ -1293,7 +1292,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
50985 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
50986 if (result) {
50987 hso_stop_serial_device(serial->parent);
50988- serial->port.count--;
50989+ atomic_dec(&serial->port.count);
50990 } else {
50991 kref_get(&serial->parent->ref);
50992 }
50993@@ -1331,10 +1330,10 @@ static void hso_serial_close(struct tty_struct *tty, struct file *filp)
50994
50995 /* reset the rts and dtr */
50996 /* do the actual close */
50997- serial->port.count--;
50998+ atomic_dec(&serial->port.count);
50999
51000- if (serial->port.count <= 0) {
51001- serial->port.count = 0;
51002+ if (atomic_read(&serial->port.count) <= 0) {
51003+ atomic_set(&serial->port.count, 0);
51004 tty_port_tty_set(&serial->port, NULL);
51005 if (!usb_gone)
51006 hso_stop_serial_device(serial->parent);
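Review bot: In `hso_serial_close()` the decrement, the test and the clamp are three separate atomic operations (`atomic_dec()`, then `atomic_read(...) <= 0`, then `atomic_set(..., 0)`), so an open or close running between them can have its update overwritten by the `atomic_set()`. Using the return value keeps decrement and test in one step: `if (atomic_dec_return(&serial->port.count) <= 0) {`. Whether a lock already serialises this path is not visible in the hunk, and the clamp to 0 still depends on that lock to be correct.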
51007@@ -1417,7 +1416,7 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old)
51008
51009 /* the actual setup */
51010 spin_lock_irqsave(&serial->serial_lock, flags);
51011- if (serial->port.count)
51012+ if (atomic_read(&serial->port.count))
51013 _hso_serial_set_termios(tty, old);
51014 else
51015 tty->termios = *old;
51016@@ -1891,7 +1890,7 @@ static void intr_callback(struct urb *urb)
51017 D1("Pending read interrupt on port %d\n", i);
51018 spin_lock(&serial->serial_lock);
51019 if (serial->rx_state == RX_IDLE &&
51020- serial->port.count > 0) {
51021+ atomic_read(&serial->port.count) > 0) {
51022 /* Setup and send a ctrl req read on
51023 * port i */
51024 if (!serial->rx_urb_filled[0]) {
51025@@ -3058,7 +3057,7 @@ static int hso_resume(struct usb_interface *iface)
51026 /* Start all serial ports */
51027 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
51028 if (serial_table[i] && (serial_table[i]->interface == iface)) {
51029- if (dev2ser(serial_table[i])->port.count) {
51030+ if (atomic_read(&dev2ser(serial_table[i])->port.count)) {
51031 result =
51032 hso_start_serial_device(serial_table[i], GFP_NOIO);
51033 hso_kick_transmit(dev2ser(serial_table[i]));
51034diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
51035index ad8cbc6..de80b09 100644
51036--- a/drivers/net/usb/r8152.c
51037+++ b/drivers/net/usb/r8152.c
51038@@ -603,7 +603,7 @@ struct r8152 {
51039 void (*unload)(struct r8152 *);
51040 int (*eee_get)(struct r8152 *, struct ethtool_eee *);
51041 int (*eee_set)(struct r8152 *, struct ethtool_eee *);
51042- } rtl_ops;
51043+ } __no_const rtl_ops;
51044
51045 int intr_interval;
51046 u32 saved_wolopts;
51047diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
51048index a2515887..6d13233 100644
51049--- a/drivers/net/usb/sierra_net.c
51050+++ b/drivers/net/usb/sierra_net.c
51051@@ -51,7 +51,7 @@ static const char driver_name[] = "sierra_net";
51052 /* atomic counter partially included in MAC address to make sure 2 devices
51053 * do not end up with the same MAC - concept breaks in case of > 255 ifaces
51054 */
51055-static atomic_t iface_counter = ATOMIC_INIT(0);
51056+static atomic_unchecked_t iface_counter = ATOMIC_INIT(0);
51057
51058 /*
51059 * SYNC Timer Delay definition used to set the expiry time
51060@@ -697,7 +697,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
51061 dev->net->netdev_ops = &sierra_net_device_ops;
51062
51063 /* change MAC addr to include, ifacenum, and to be unique */
51064- dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter);
51065+ dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return_unchecked(&iface_counter);
51066 dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
51067
51068 /* we will have to manufacture ethernet headers, prepare template */
51069diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
51070index 237f8e5..8dccb91 100644
51071--- a/drivers/net/virtio_net.c
51072+++ b/drivers/net/virtio_net.c
51073@@ -48,7 +48,7 @@ module_param(gso, bool, 0444);
51074 #define RECEIVE_AVG_WEIGHT 64
51075
51076 /* Minimum alignment for mergeable packet buffers. */
51077-#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256)
51078+#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256UL)
51079
51080 #define VIRTNET_DRIVER_VERSION "1.0.0"
51081
51082diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
51083index 5bc4b1e..d5769f5 100644
51084--- a/drivers/net/vxlan.c
51085+++ b/drivers/net/vxlan.c
51086@@ -2884,7 +2884,7 @@ static struct net *vxlan_get_link_net(const struct net_device *dev)
51087 return vxlan->net;
51088 }
51089
51090-static struct rtnl_link_ops vxlan_link_ops __read_mostly = {
51091+static struct rtnl_link_ops vxlan_link_ops = {
51092 .kind = "vxlan",
51093 .maxtype = IFLA_VXLAN_MAX,
51094 .policy = vxlan_policy,
51095@@ -2932,7 +2932,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused,
51096 return NOTIFY_DONE;
51097 }
51098
51099-static struct notifier_block vxlan_notifier_block __read_mostly = {
51100+static struct notifier_block vxlan_notifier_block = {
51101 .notifier_call = vxlan_lowerdev_event,
51102 };
51103
51104diff --git a/drivers/net/wan/lmc/lmc_media.c b/drivers/net/wan/lmc/lmc_media.c
51105index 5920c99..ff2e4a5 100644
51106--- a/drivers/net/wan/lmc/lmc_media.c
51107+++ b/drivers/net/wan/lmc/lmc_media.c
51108@@ -95,62 +95,63 @@ static inline void write_av9110_bit (lmc_softc_t *, int);
51109 static void write_av9110(lmc_softc_t *, u32, u32, u32, u32, u32);
51110
51111 lmc_media_t lmc_ds3_media = {
51112- lmc_ds3_init, /* special media init stuff */
51113- lmc_ds3_default, /* reset to default state */
51114- lmc_ds3_set_status, /* reset status to state provided */
51115- lmc_dummy_set_1, /* set clock source */
51116- lmc_dummy_set2_1, /* set line speed */
51117- lmc_ds3_set_100ft, /* set cable length */
51118- lmc_ds3_set_scram, /* set scrambler */
51119- lmc_ds3_get_link_status, /* get link status */
51120- lmc_dummy_set_1, /* set link status */
51121- lmc_ds3_set_crc_length, /* set CRC length */
51122- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51123- lmc_ds3_watchdog
51124+ .init = lmc_ds3_init, /* special media init stuff */
51125+ .defaults = lmc_ds3_default, /* reset to default state */
51126+ .set_status = lmc_ds3_set_status, /* reset status to state provided */
51127+ .set_clock_source = lmc_dummy_set_1, /* set clock source */
51128+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51129+ .set_cable_length = lmc_ds3_set_100ft, /* set cable length */
51130+ .set_scrambler = lmc_ds3_set_scram, /* set scrambler */
51131+ .get_link_status = lmc_ds3_get_link_status, /* get link status */
51132+ .set_link_status = lmc_dummy_set_1, /* set link status */
51133+ .set_crc_length = lmc_ds3_set_crc_length, /* set CRC length */
51134+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51135+ .watchdog = lmc_ds3_watchdog
51136 };
51137
51138 lmc_media_t lmc_hssi_media = {
51139- lmc_hssi_init, /* special media init stuff */
51140- lmc_hssi_default, /* reset to default state */
51141- lmc_hssi_set_status, /* reset status to state provided */
51142- lmc_hssi_set_clock, /* set clock source */
51143- lmc_dummy_set2_1, /* set line speed */
51144- lmc_dummy_set_1, /* set cable length */
51145- lmc_dummy_set_1, /* set scrambler */
51146- lmc_hssi_get_link_status, /* get link status */
51147- lmc_hssi_set_link_status, /* set link status */
51148- lmc_hssi_set_crc_length, /* set CRC length */
51149- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51150- lmc_hssi_watchdog
51151+ .init = lmc_hssi_init, /* special media init stuff */
51152+ .defaults = lmc_hssi_default, /* reset to default state */
51153+ .set_status = lmc_hssi_set_status, /* reset status to state provided */
51154+ .set_clock_source = lmc_hssi_set_clock, /* set clock source */
51155+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51156+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51157+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51158+ .get_link_status = lmc_hssi_get_link_status, /* get link status */
51159+ .set_link_status = lmc_hssi_set_link_status, /* set link status */
51160+ .set_crc_length = lmc_hssi_set_crc_length, /* set CRC length */
51161+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51162+ .watchdog = lmc_hssi_watchdog
51163 };
51164
51165-lmc_media_t lmc_ssi_media = { lmc_ssi_init, /* special media init stuff */
51166- lmc_ssi_default, /* reset to default state */
51167- lmc_ssi_set_status, /* reset status to state provided */
51168- lmc_ssi_set_clock, /* set clock source */
51169- lmc_ssi_set_speed, /* set line speed */
51170- lmc_dummy_set_1, /* set cable length */
51171- lmc_dummy_set_1, /* set scrambler */
51172- lmc_ssi_get_link_status, /* get link status */
51173- lmc_ssi_set_link_status, /* set link status */
51174- lmc_ssi_set_crc_length, /* set CRC length */
51175- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51176- lmc_ssi_watchdog
51177+lmc_media_t lmc_ssi_media = {
51178+ .init = lmc_ssi_init, /* special media init stuff */
51179+ .defaults = lmc_ssi_default, /* reset to default state */
51180+ .set_status = lmc_ssi_set_status, /* reset status to state provided */
51181+ .set_clock_source = lmc_ssi_set_clock, /* set clock source */
51182+ .set_speed = lmc_ssi_set_speed, /* set line speed */
51183+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51184+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51185+ .get_link_status = lmc_ssi_get_link_status, /* get link status */
51186+ .set_link_status = lmc_ssi_set_link_status, /* set link status */
51187+ .set_crc_length = lmc_ssi_set_crc_length, /* set CRC length */
51188+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51189+ .watchdog = lmc_ssi_watchdog
51190 };
51191
51192 lmc_media_t lmc_t1_media = {
51193- lmc_t1_init, /* special media init stuff */
51194- lmc_t1_default, /* reset to default state */
51195- lmc_t1_set_status, /* reset status to state provided */
51196- lmc_t1_set_clock, /* set clock source */
51197- lmc_dummy_set2_1, /* set line speed */
51198- lmc_dummy_set_1, /* set cable length */
51199- lmc_dummy_set_1, /* set scrambler */
51200- lmc_t1_get_link_status, /* get link status */
51201- lmc_dummy_set_1, /* set link status */
51202- lmc_t1_set_crc_length, /* set CRC length */
51203- lmc_t1_set_circuit_type, /* set T1 or E1 circuit type */
51204- lmc_t1_watchdog
51205+ .init = lmc_t1_init, /* special media init stuff */
51206+ .defaults = lmc_t1_default, /* reset to default state */
51207+ .set_status = lmc_t1_set_status, /* reset status to state provided */
51208+ .set_clock_source = lmc_t1_set_clock, /* set clock source */
51209+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51210+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51211+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51212+ .get_link_status = lmc_t1_get_link_status, /* get link status */
51213+ .set_link_status = lmc_dummy_set_1, /* set link status */
51214+ .set_crc_length = lmc_t1_set_crc_length, /* set CRC length */
51215+ .set_circuit_type = lmc_t1_set_circuit_type, /* set T1 or E1 circuit type */
51216+ .watchdog = lmc_t1_watchdog
51217 };
51218
51219 static void
51220diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c
51221index 2f0bd69..e46ed7b 100644
51222--- a/drivers/net/wan/z85230.c
51223+++ b/drivers/net/wan/z85230.c
51224@@ -485,9 +485,9 @@ static void z8530_status(struct z8530_channel *chan)
51225
51226 struct z8530_irqhandler z8530_sync =
51227 {
51228- z8530_rx,
51229- z8530_tx,
51230- z8530_status
51231+ .rx = z8530_rx,
51232+ .tx = z8530_tx,
51233+ .status = z8530_status
51234 };
51235
51236 EXPORT_SYMBOL(z8530_sync);
51237@@ -605,15 +605,15 @@ static void z8530_dma_status(struct z8530_channel *chan)
51238 }
51239
51240 static struct z8530_irqhandler z8530_dma_sync = {
51241- z8530_dma_rx,
51242- z8530_dma_tx,
51243- z8530_dma_status
51244+ .rx = z8530_dma_rx,
51245+ .tx = z8530_dma_tx,
51246+ .status = z8530_dma_status
51247 };
51248
51249 static struct z8530_irqhandler z8530_txdma_sync = {
51250- z8530_rx,
51251- z8530_dma_tx,
51252- z8530_dma_status
51253+ .rx = z8530_rx,
51254+ .tx = z8530_dma_tx,
51255+ .status = z8530_dma_status
51256 };
51257
51258 /**
51259@@ -680,9 +680,9 @@ static void z8530_status_clear(struct z8530_channel *chan)
51260
51261 struct z8530_irqhandler z8530_nop=
51262 {
51263- z8530_rx_clear,
51264- z8530_tx_clear,
51265- z8530_status_clear
51266+ .rx = z8530_rx_clear,
51267+ .tx = z8530_tx_clear,
51268+ .status = z8530_status_clear
51269 };
51270
51271
51272diff --git a/drivers/net/wimax/i2400m/rx.c b/drivers/net/wimax/i2400m/rx.c
51273index 0b60295..b8bfa5b 100644
51274--- a/drivers/net/wimax/i2400m/rx.c
51275+++ b/drivers/net/wimax/i2400m/rx.c
51276@@ -1359,7 +1359,7 @@ int i2400m_rx_setup(struct i2400m *i2400m)
51277 if (i2400m->rx_roq == NULL)
51278 goto error_roq_alloc;
51279
51280- rd = kcalloc(I2400M_RO_CIN + 1, sizeof(*i2400m->rx_roq[0].log),
51281+ rd = kcalloc(sizeof(*i2400m->rx_roq[0].log), I2400M_RO_CIN + 1,
51282 GFP_KERNEL);
51283 if (rd == NULL) {
51284 result = -ENOMEM;
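Review bot: The new `kcalloc()` call passes the element size first and the count `I2400M_RO_CIN + 1` second, the reverse of the `(n, size, flags)` prototype, and nothing in the hunk says why. The product is the same, so the allocation size should be unchanged, but an unexplained swap invites a later cleanup that silently reverts it. A one-line comment above the call would do, for example `/* argument order is deliberate: <reason> */`, with the reason filled in by whoever made the swap. i2400m_rx_setup() starts before and continues after this hunk.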
51285diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
51286index d0c97c2..108f59b 100644
51287--- a/drivers/net/wireless/airo.c
51288+++ b/drivers/net/wireless/airo.c
51289@@ -7846,7 +7846,7 @@ static int writerids(struct net_device *dev, aironet_ioctl *comp) {
51290 struct airo_info *ai = dev->ml_priv;
51291 int ridcode;
51292 int enabled;
51293- static int (* writer)(struct airo_info *, u16 rid, const void *, int, int);
51294+ int (* writer)(struct airo_info *, u16 rid, const void *, int, int);
51295 unsigned char *iobuf;
51296
51297 /* Only super-user can write RIDs */
51298diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
51299index dab2513..4c4b65d 100644
51300--- a/drivers/net/wireless/at76c50x-usb.c
51301+++ b/drivers/net/wireless/at76c50x-usb.c
51302@@ -353,7 +353,7 @@ static int at76_dfu_get_state(struct usb_device *udev, u8 *state)
51303 }
51304
51305 /* Convert timeout from the DFU status to jiffies */
51306-static inline unsigned long at76_get_timeout(struct dfu_status *s)
51307+static inline unsigned long __intentional_overflow(-1) at76_get_timeout(struct dfu_status *s)
51308 {
51309 return msecs_to_jiffies((s->poll_timeout[2] << 16)
51310 | (s->poll_timeout[1] << 8)
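Review bot: `__intentional_overflow(-1)` is added to at76_get_timeout() without a comment saying which arithmetic is expected to overflow, so a reader cannot tell later whether the exemption is still needed. The visible expression only shifts `poll_timeout[2]` and `poll_timeout[1]` by 16 and 8 bits, which looks like a small value assembled from bytes; if the exemption is really about the `msecs_to_jiffies()` conversion, the comment should say that. I would extend the existing comment to `/* Convert timeout from the DFU status to jiffies; exempt from overflow instrumentation because <reason> */`. The function body continues past the end of the hunk.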
51311diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
51312index 85bfa2a..3f6e72c 100644
51313--- a/drivers/net/wireless/ath/ath10k/htc.c
51314+++ b/drivers/net/wireless/ath/ath10k/htc.c
51315@@ -839,7 +839,10 @@ int ath10k_htc_start(struct ath10k_htc *htc)
51316 /* registered target arrival callback from the HIF layer */
51317 int ath10k_htc_init(struct ath10k *ar)
51318 {
51319- struct ath10k_hif_cb htc_callbacks;
51320+ static struct ath10k_hif_cb htc_callbacks = {
51321+ .rx_completion = ath10k_htc_rx_completion_handler,
51322+ .tx_completion = ath10k_htc_tx_completion_handler,
51323+ };
51324 struct ath10k_htc_ep *ep = NULL;
51325 struct ath10k_htc *htc = &ar->htc;
51326
51327@@ -848,8 +851,6 @@ int ath10k_htc_init(struct ath10k *ar)
51328 ath10k_htc_reset_endpoint_states(htc);
51329
51330 /* setup HIF layer callbacks */
51331- htc_callbacks.rx_completion = ath10k_htc_rx_completion_handler;
51332- htc_callbacks.tx_completion = ath10k_htc_tx_completion_handler;
51333 htc->ar = ar;
51334
51335 /* Get HIF default pipe for HTC message exchange */
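Review bot: The comment `/* setup HIF layer callbacks */` is left behind directly above `htc->ar = ar;`, although the two assignments it described are removed here and now live in the static initializer added in the previous hunk. Drop it, or move it onto the initializer as `/* HIF layer callbacks */`. Since `htc_callbacks` is now fully initialized at compile time, it is also worth checking whether it can be `static const`; that depends on the prototype of the function that receives it, which is not visible here. ath10k_htc_init() continues after the last line of the hunk.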
51336diff --git a/drivers/net/wireless/ath/ath10k/htc.h b/drivers/net/wireless/ath/ath10k/htc.h
51337index 527179c..a890150 100644
51338--- a/drivers/net/wireless/ath/ath10k/htc.h
51339+++ b/drivers/net/wireless/ath/ath10k/htc.h
51340@@ -270,13 +270,13 @@ enum ath10k_htc_ep_id {
51341
51342 struct ath10k_htc_ops {
51343 void (*target_send_suspend_complete)(struct ath10k *ar);
51344-};
51345+} __no_const;
51346
51347 struct ath10k_htc_ep_ops {
51348 void (*ep_tx_complete)(struct ath10k *, struct sk_buff *);
51349 void (*ep_rx_complete)(struct ath10k *, struct sk_buff *);
51350 void (*ep_tx_credits)(struct ath10k *);
51351-};
51352+} __no_const;
51353
51354 /* service connection information */
51355 struct ath10k_htc_svc_conn_req {
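Review bot: Both `__no_const` annotations, on `struct ath10k_htc_ops` and `struct ath10k_htc_ep_ops`, are added without a comment, so it is not recorded why these function-pointer tables have to stay writable. A short note on each, such as `/* __no_const: members are assigned at runtime by <caller> */`, would let a later reviewer check whether the opt-out can be removed. The same applies to `struct ath_hw_private_ops` and `struct ath_hw_ops` in the ath9k/hw.h hunks further down. Writable tables of function pointers are a common target for memory-corruption bugs, so each exemption deserves a stated reason.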
51356diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51357index f816909..e56cd8b 100644
51358--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51359+++ b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51360@@ -220,8 +220,8 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51361 ads->ds_txstatus6 = ads->ds_txstatus7 = 0;
51362 ads->ds_txstatus8 = ads->ds_txstatus9 = 0;
51363
51364- ACCESS_ONCE(ads->ds_link) = i->link;
51365- ACCESS_ONCE(ads->ds_data) = i->buf_addr[0];
51366+ ACCESS_ONCE_RW(ads->ds_link) = i->link;
51367+ ACCESS_ONCE_RW(ads->ds_data) = i->buf_addr[0];
51368
51369 ctl1 = i->buf_len[0] | (i->is_last ? 0 : AR_TxMore);
51370 ctl6 = SM(i->keytype, AR_EncrType);
51371@@ -235,26 +235,26 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51372
51373 if ((i->is_first || i->is_last) &&
51374 i->aggr != AGGR_BUF_MIDDLE && i->aggr != AGGR_BUF_LAST) {
51375- ACCESS_ONCE(ads->ds_ctl2) = set11nTries(i->rates, 0)
51376+ ACCESS_ONCE_RW(ads->ds_ctl2) = set11nTries(i->rates, 0)
51377 | set11nTries(i->rates, 1)
51378 | set11nTries(i->rates, 2)
51379 | set11nTries(i->rates, 3)
51380 | (i->dur_update ? AR_DurUpdateEna : 0)
51381 | SM(0, AR_BurstDur);
51382
51383- ACCESS_ONCE(ads->ds_ctl3) = set11nRate(i->rates, 0)
51384+ ACCESS_ONCE_RW(ads->ds_ctl3) = set11nRate(i->rates, 0)
51385 | set11nRate(i->rates, 1)
51386 | set11nRate(i->rates, 2)
51387 | set11nRate(i->rates, 3);
51388 } else {
51389- ACCESS_ONCE(ads->ds_ctl2) = 0;
51390- ACCESS_ONCE(ads->ds_ctl3) = 0;
51391+ ACCESS_ONCE_RW(ads->ds_ctl2) = 0;
51392+ ACCESS_ONCE_RW(ads->ds_ctl3) = 0;
51393 }
51394
51395 if (!i->is_first) {
51396- ACCESS_ONCE(ads->ds_ctl0) = 0;
51397- ACCESS_ONCE(ads->ds_ctl1) = ctl1;
51398- ACCESS_ONCE(ads->ds_ctl6) = ctl6;
51399+ ACCESS_ONCE_RW(ads->ds_ctl0) = 0;
51400+ ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1;
51401+ ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6;
51402 return;
51403 }
51404
51405@@ -279,7 +279,7 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51406 break;
51407 }
51408
51409- ACCESS_ONCE(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
51410+ ACCESS_ONCE_RW(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
51411 | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
51412 | SM(i->txpower[0], AR_XmitPower0)
51413 | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
51414@@ -289,27 +289,27 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51415 | (i->flags & ATH9K_TXDESC_RTSENA ? AR_RTSEnable :
51416 (i->flags & ATH9K_TXDESC_CTSENA ? AR_CTSEnable : 0));
51417
51418- ACCESS_ONCE(ads->ds_ctl1) = ctl1;
51419- ACCESS_ONCE(ads->ds_ctl6) = ctl6;
51420+ ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1;
51421+ ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6;
51422
51423 if (i->aggr == AGGR_BUF_MIDDLE || i->aggr == AGGR_BUF_LAST)
51424 return;
51425
51426- ACCESS_ONCE(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0)
51427+ ACCESS_ONCE_RW(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0)
51428 | set11nPktDurRTSCTS(i->rates, 1);
51429
51430- ACCESS_ONCE(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2)
51431+ ACCESS_ONCE_RW(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2)
51432 | set11nPktDurRTSCTS(i->rates, 3);
51433
51434- ACCESS_ONCE(ads->ds_ctl7) = set11nRateFlags(i->rates, 0)
51435+ ACCESS_ONCE_RW(ads->ds_ctl7) = set11nRateFlags(i->rates, 0)
51436 | set11nRateFlags(i->rates, 1)
51437 | set11nRateFlags(i->rates, 2)
51438 | set11nRateFlags(i->rates, 3)
51439 | SM(i->rtscts_rate, AR_RTSCTSRate);
51440
51441- ACCESS_ONCE(ads->ds_ctl9) = SM(i->txpower[1], AR_XmitPower1);
51442- ACCESS_ONCE(ads->ds_ctl10) = SM(i->txpower[2], AR_XmitPower2);
51443- ACCESS_ONCE(ads->ds_ctl11) = SM(i->txpower[3], AR_XmitPower3);
51444+ ACCESS_ONCE_RW(ads->ds_ctl9) = SM(i->txpower[1], AR_XmitPower1);
51445+ ACCESS_ONCE_RW(ads->ds_ctl10) = SM(i->txpower[2], AR_XmitPower2);
51446+ ACCESS_ONCE_RW(ads->ds_ctl11) = SM(i->txpower[3], AR_XmitPower3);
51447 }
51448
51449 static int ar9002_hw_proc_txdesc(struct ath_hw *ah, void *ds,
51450diff --git a/drivers/net/wireless/ath/ath9k/ar9003_mac.c b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
51451index da84b70..83e4978 100644
51452--- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c
51453+++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
51454@@ -39,47 +39,47 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51455 (i->qcu << AR_TxQcuNum_S) | desc_len;
51456
51457 checksum += val;
51458- ACCESS_ONCE(ads->info) = val;
51459+ ACCESS_ONCE_RW(ads->info) = val;
51460
51461 checksum += i->link;
51462- ACCESS_ONCE(ads->link) = i->link;
51463+ ACCESS_ONCE_RW(ads->link) = i->link;
51464
51465 checksum += i->buf_addr[0];
51466- ACCESS_ONCE(ads->data0) = i->buf_addr[0];
51467+ ACCESS_ONCE_RW(ads->data0) = i->buf_addr[0];
51468 checksum += i->buf_addr[1];
51469- ACCESS_ONCE(ads->data1) = i->buf_addr[1];
51470+ ACCESS_ONCE_RW(ads->data1) = i->buf_addr[1];
51471 checksum += i->buf_addr[2];
51472- ACCESS_ONCE(ads->data2) = i->buf_addr[2];
51473+ ACCESS_ONCE_RW(ads->data2) = i->buf_addr[2];
51474 checksum += i->buf_addr[3];
51475- ACCESS_ONCE(ads->data3) = i->buf_addr[3];
51476+ ACCESS_ONCE_RW(ads->data3) = i->buf_addr[3];
51477
51478 checksum += (val = (i->buf_len[0] << AR_BufLen_S) & AR_BufLen);
51479- ACCESS_ONCE(ads->ctl3) = val;
51480+ ACCESS_ONCE_RW(ads->ctl3) = val;
51481 checksum += (val = (i->buf_len[1] << AR_BufLen_S) & AR_BufLen);
51482- ACCESS_ONCE(ads->ctl5) = val;
51483+ ACCESS_ONCE_RW(ads->ctl5) = val;
51484 checksum += (val = (i->buf_len[2] << AR_BufLen_S) & AR_BufLen);
51485- ACCESS_ONCE(ads->ctl7) = val;
51486+ ACCESS_ONCE_RW(ads->ctl7) = val;
51487 checksum += (val = (i->buf_len[3] << AR_BufLen_S) & AR_BufLen);
51488- ACCESS_ONCE(ads->ctl9) = val;
51489+ ACCESS_ONCE_RW(ads->ctl9) = val;
51490
51491 checksum = (u16) (((checksum & 0xffff) + (checksum >> 16)) & 0xffff);
51492- ACCESS_ONCE(ads->ctl10) = checksum;
51493+ ACCESS_ONCE_RW(ads->ctl10) = checksum;
51494
51495 if (i->is_first || i->is_last) {
51496- ACCESS_ONCE(ads->ctl13) = set11nTries(i->rates, 0)
51497+ ACCESS_ONCE_RW(ads->ctl13) = set11nTries(i->rates, 0)
51498 | set11nTries(i->rates, 1)
51499 | set11nTries(i->rates, 2)
51500 | set11nTries(i->rates, 3)
51501 | (i->dur_update ? AR_DurUpdateEna : 0)
51502 | SM(0, AR_BurstDur);
51503
51504- ACCESS_ONCE(ads->ctl14) = set11nRate(i->rates, 0)
51505+ ACCESS_ONCE_RW(ads->ctl14) = set11nRate(i->rates, 0)
51506 | set11nRate(i->rates, 1)
51507 | set11nRate(i->rates, 2)
51508 | set11nRate(i->rates, 3);
51509 } else {
51510- ACCESS_ONCE(ads->ctl13) = 0;
51511- ACCESS_ONCE(ads->ctl14) = 0;
51512+ ACCESS_ONCE_RW(ads->ctl13) = 0;
51513+ ACCESS_ONCE_RW(ads->ctl14) = 0;
51514 }
51515
51516 ads->ctl20 = 0;
51517@@ -89,17 +89,17 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51518
51519 ctl17 = SM(i->keytype, AR_EncrType);
51520 if (!i->is_first) {
51521- ACCESS_ONCE(ads->ctl11) = 0;
51522- ACCESS_ONCE(ads->ctl12) = i->is_last ? 0 : AR_TxMore;
51523- ACCESS_ONCE(ads->ctl15) = 0;
51524- ACCESS_ONCE(ads->ctl16) = 0;
51525- ACCESS_ONCE(ads->ctl17) = ctl17;
51526- ACCESS_ONCE(ads->ctl18) = 0;
51527- ACCESS_ONCE(ads->ctl19) = 0;
51528+ ACCESS_ONCE_RW(ads->ctl11) = 0;
51529+ ACCESS_ONCE_RW(ads->ctl12) = i->is_last ? 0 : AR_TxMore;
51530+ ACCESS_ONCE_RW(ads->ctl15) = 0;
51531+ ACCESS_ONCE_RW(ads->ctl16) = 0;
51532+ ACCESS_ONCE_RW(ads->ctl17) = ctl17;
51533+ ACCESS_ONCE_RW(ads->ctl18) = 0;
51534+ ACCESS_ONCE_RW(ads->ctl19) = 0;
51535 return;
51536 }
51537
51538- ACCESS_ONCE(ads->ctl11) = (i->pkt_len & AR_FrameLen)
51539+ ACCESS_ONCE_RW(ads->ctl11) = (i->pkt_len & AR_FrameLen)
51540 | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
51541 | SM(i->txpower[0], AR_XmitPower0)
51542 | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
51543@@ -135,26 +135,26 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51544 val = (i->flags & ATH9K_TXDESC_PAPRD) >> ATH9K_TXDESC_PAPRD_S;
51545 ctl12 |= SM(val, AR_PAPRDChainMask);
51546
51547- ACCESS_ONCE(ads->ctl12) = ctl12;
51548- ACCESS_ONCE(ads->ctl17) = ctl17;
51549+ ACCESS_ONCE_RW(ads->ctl12) = ctl12;
51550+ ACCESS_ONCE_RW(ads->ctl17) = ctl17;
51551
51552- ACCESS_ONCE(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0)
51553+ ACCESS_ONCE_RW(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0)
51554 | set11nPktDurRTSCTS(i->rates, 1);
51555
51556- ACCESS_ONCE(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2)
51557+ ACCESS_ONCE_RW(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2)
51558 | set11nPktDurRTSCTS(i->rates, 3);
51559
51560- ACCESS_ONCE(ads->ctl18) = set11nRateFlags(i->rates, 0)
51561+ ACCESS_ONCE_RW(ads->ctl18) = set11nRateFlags(i->rates, 0)
51562 | set11nRateFlags(i->rates, 1)
51563 | set11nRateFlags(i->rates, 2)
51564 | set11nRateFlags(i->rates, 3)
51565 | SM(i->rtscts_rate, AR_RTSCTSRate);
51566
51567- ACCESS_ONCE(ads->ctl19) = AR_Not_Sounding;
51568+ ACCESS_ONCE_RW(ads->ctl19) = AR_Not_Sounding;
51569
51570- ACCESS_ONCE(ads->ctl20) = SM(i->txpower[1], AR_XmitPower1);
51571- ACCESS_ONCE(ads->ctl21) = SM(i->txpower[2], AR_XmitPower2);
51572- ACCESS_ONCE(ads->ctl22) = SM(i->txpower[3], AR_XmitPower3);
51573+ ACCESS_ONCE_RW(ads->ctl20) = SM(i->txpower[1], AR_XmitPower1);
51574+ ACCESS_ONCE_RW(ads->ctl21) = SM(i->txpower[2], AR_XmitPower2);
51575+ ACCESS_ONCE_RW(ads->ctl22) = SM(i->txpower[3], AR_XmitPower3);
51576 }
51577
51578 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
51579diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
51580index e8454db..c7b26fe 100644
51581--- a/drivers/net/wireless/ath/ath9k/hw.h
51582+++ b/drivers/net/wireless/ath/ath9k/hw.h
51583@@ -671,7 +671,7 @@ struct ath_hw_private_ops {
51584 #ifdef CONFIG_ATH9K_BTCOEX_SUPPORT
51585 bool (*is_aic_enabled)(struct ath_hw *ah);
51586 #endif /* CONFIG_ATH9K_BTCOEX_SUPPORT */
51587-};
51588+} __no_const;
51589
51590 /**
51591 * struct ath_spec_scan - parameters for Atheros spectral scan
51592@@ -747,7 +747,7 @@ struct ath_hw_ops {
51593 #ifdef CONFIG_ATH9K_BTCOEX_SUPPORT
51594 void (*set_bt_ant_diversity)(struct ath_hw *hw, bool enable);
51595 #endif
51596-};
51597+} __no_const;
51598
51599 struct ath_nf_limits {
51600 s16 max;
51601diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
51602index cfd45cb..6de2be6 100644
51603--- a/drivers/net/wireless/ath/ath9k/main.c
51604+++ b/drivers/net/wireless/ath/ath9k/main.c
51605@@ -2574,16 +2574,18 @@ void ath9k_fill_chanctx_ops(void)
51606 if (!ath9k_is_chanctx_enabled())
51607 return;
51608
51609- ath9k_ops.hw_scan = ath9k_hw_scan;
51610- ath9k_ops.cancel_hw_scan = ath9k_cancel_hw_scan;
51611- ath9k_ops.remain_on_channel = ath9k_remain_on_channel;
51612- ath9k_ops.cancel_remain_on_channel = ath9k_cancel_remain_on_channel;
51613- ath9k_ops.add_chanctx = ath9k_add_chanctx;
51614- ath9k_ops.remove_chanctx = ath9k_remove_chanctx;
51615- ath9k_ops.change_chanctx = ath9k_change_chanctx;
51616- ath9k_ops.assign_vif_chanctx = ath9k_assign_vif_chanctx;
51617- ath9k_ops.unassign_vif_chanctx = ath9k_unassign_vif_chanctx;
51618- ath9k_ops.mgd_prepare_tx = ath9k_mgd_prepare_tx;
51619+ pax_open_kernel();
51620+ *(void **)&ath9k_ops.hw_scan = ath9k_hw_scan;
51621+ *(void **)&ath9k_ops.cancel_hw_scan = ath9k_cancel_hw_scan;
51622+ *(void **)&ath9k_ops.remain_on_channel = ath9k_remain_on_channel;
51623+ *(void **)&ath9k_ops.cancel_remain_on_channel = ath9k_cancel_remain_on_channel;
51624+ *(void **)&ath9k_ops.add_chanctx = ath9k_add_chanctx;
51625+ *(void **)&ath9k_ops.remove_chanctx = ath9k_remove_chanctx;
51626+ *(void **)&ath9k_ops.change_chanctx = ath9k_change_chanctx;
51627+ *(void **)&ath9k_ops.assign_vif_chanctx = ath9k_assign_vif_chanctx;
51628+ *(void **)&ath9k_ops.unassign_vif_chanctx = ath9k_unassign_vif_chanctx;
51629+ *(void **)&ath9k_ops.mgd_prepare_tx = ath9k_mgd_prepare_tx;
51630+ pax_close_kernel();
51631 }
51632
51633 #endif
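Review bot: The `*(void **)&ath9k_ops.hw_scan = ...` form used for every store in ath9k_fill_chanctx_ops() erases the member's function-pointer type, so a handler with the wrong signature would now compile without a diagnostic where the original plain assignment would have warned. Pairing each store with a compile-time check keeps that protection, e.g. `BUILD_BUG_ON(!__same_type(ath9k_ops.hw_scan, &ath9k_hw_scan));`, ideally wrapped with the store in one local macro so the ten lines stay readable. The same cast appears in the iwlegacy/3945-mac.c, mac80211_hwsim.c, ti/wl1251/sdio.c, ti/wl12xx/main.c and ti/wl18xx/main.c hunks below. The function starts outside this hunk.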
51634diff --git a/drivers/net/wireless/b43/phy_lp.c b/drivers/net/wireless/b43/phy_lp.c
51635index 058a9f2..d5cb1ba 100644
51636--- a/drivers/net/wireless/b43/phy_lp.c
51637+++ b/drivers/net/wireless/b43/phy_lp.c
51638@@ -2502,7 +2502,7 @@ static int lpphy_b2063_tune(struct b43_wldev *dev,
51639 {
51640 struct ssb_bus *bus = dev->dev->sdev->bus;
51641
51642- static const struct b206x_channel *chandata = NULL;
51643+ const struct b206x_channel *chandata = NULL;
51644 u32 crystal_freq = bus->chipco.pmu.crystalfreq * 1000;
51645 u32 freqref, vco_freq, val1, val2, val3, timeout, timeoutref, count;
51646 u16 old_comm15, scale;
51647diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
51648index 7f4cb69..16c0825 100644
51649--- a/drivers/net/wireless/iwlegacy/3945-mac.c
51650+++ b/drivers/net/wireless/iwlegacy/3945-mac.c
51651@@ -3633,7 +3633,9 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
51652 */
51653 if (il3945_mod_params.disable_hw_scan) {
51654 D_INFO("Disabling hw_scan\n");
51655- il3945_mac_ops.hw_scan = NULL;
51656+ pax_open_kernel();
51657+ *(void **)&il3945_mac_ops.hw_scan = NULL;
51658+ pax_close_kernel();
51659 }
51660
51661 D_INFO("*** LOAD DRIVER ***\n");
51662diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
51663index 0ffb6ff..c0b7f0e 100644
51664--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c
51665+++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
51666@@ -188,7 +188,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
51667 {
51668 struct iwl_priv *priv = file->private_data;
51669 char buf[64];
51670- int buf_size;
51671+ size_t buf_size;
51672 u32 offset, len;
51673
51674 memset(buf, 0, sizeof(buf));
51675@@ -458,7 +458,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file,
51676 struct iwl_priv *priv = file->private_data;
51677
51678 char buf[8];
51679- int buf_size;
51680+ size_t buf_size;
51681 u32 reset_flag;
51682
51683 memset(buf, 0, sizeof(buf));
51684@@ -539,7 +539,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file,
51685 {
51686 struct iwl_priv *priv = file->private_data;
51687 char buf[8];
51688- int buf_size;
51689+ size_t buf_size;
51690 int ht40;
51691
51692 memset(buf, 0, sizeof(buf));
51693@@ -591,7 +591,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file,
51694 {
51695 struct iwl_priv *priv = file->private_data;
51696 char buf[8];
51697- int buf_size;
51698+ size_t buf_size;
51699 int value;
51700
51701 memset(buf, 0, sizeof(buf));
51702@@ -683,10 +683,10 @@ DEBUGFS_READ_FILE_OPS(temperature);
51703 DEBUGFS_READ_WRITE_FILE_OPS(sleep_level_override);
51704 DEBUGFS_READ_FILE_OPS(current_sleep_command);
51705
51706-static const char *fmt_value = " %-30s %10u\n";
51707-static const char *fmt_hex = " %-30s 0x%02X\n";
51708-static const char *fmt_table = " %-30s %10u %10u %10u %10u\n";
51709-static const char *fmt_header =
51710+static const char fmt_value[] = " %-30s %10u\n";
51711+static const char fmt_hex[] = " %-30s 0x%02X\n";
51712+static const char fmt_table[] = " %-30s %10u %10u %10u %10u\n";
51713+static const char fmt_header[] =
51714 "%-32s current cumulative delta max\n";
51715
51716 static int iwl_statistics_flag(struct iwl_priv *priv, char *buf, int bufsz)
51717@@ -1856,7 +1856,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file,
51718 {
51719 struct iwl_priv *priv = file->private_data;
51720 char buf[8];
51721- int buf_size;
51722+ size_t buf_size;
51723 int clear;
51724
51725 memset(buf, 0, sizeof(buf));
51726@@ -1901,7 +1901,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file,
51727 {
51728 struct iwl_priv *priv = file->private_data;
51729 char buf[8];
51730- int buf_size;
51731+ size_t buf_size;
51732 int trace;
51733
51734 memset(buf, 0, sizeof(buf));
51735@@ -1972,7 +1972,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file,
51736 {
51737 struct iwl_priv *priv = file->private_data;
51738 char buf[8];
51739- int buf_size;
51740+ size_t buf_size;
51741 int missed;
51742
51743 memset(buf, 0, sizeof(buf));
51744@@ -2013,7 +2013,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file,
51745
51746 struct iwl_priv *priv = file->private_data;
51747 char buf[8];
51748- int buf_size;
51749+ size_t buf_size;
51750 int plcp;
51751
51752 memset(buf, 0, sizeof(buf));
51753@@ -2073,7 +2073,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file,
51754
51755 struct iwl_priv *priv = file->private_data;
51756 char buf[8];
51757- int buf_size;
51758+ size_t buf_size;
51759 int flush;
51760
51761 memset(buf, 0, sizeof(buf));
51762@@ -2163,7 +2163,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file,
51763
51764 struct iwl_priv *priv = file->private_data;
51765 char buf[8];
51766- int buf_size;
51767+ size_t buf_size;
51768 int rts;
51769
51770 if (!priv->cfg->ht_params)
51771@@ -2204,7 +2204,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file,
51772 {
51773 struct iwl_priv *priv = file->private_data;
51774 char buf[8];
51775- int buf_size;
51776+ size_t buf_size;
51777
51778 memset(buf, 0, sizeof(buf));
51779 buf_size = min(count, sizeof(buf) - 1);
51780@@ -2238,7 +2238,7 @@ static ssize_t iwl_dbgfs_log_event_write(struct file *file,
51781 struct iwl_priv *priv = file->private_data;
51782 u32 event_log_flag;
51783 char buf[8];
51784- int buf_size;
51785+ size_t buf_size;
51786
51787 /* check that the interface is up */
51788 if (!iwl_is_ready(priv))
51789@@ -2292,7 +2292,7 @@ static ssize_t iwl_dbgfs_calib_disabled_write(struct file *file,
51790 struct iwl_priv *priv = file->private_data;
51791 char buf[8];
51792 u32 calib_disabled;
51793- int buf_size;
51794+ size_t buf_size;
51795
51796 memset(buf, 0, sizeof(buf));
51797 buf_size = min(count, sizeof(buf) - 1);
51798diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
51799index 9e144e7..2f5511a 100644
51800--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
51801+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
51802@@ -1950,7 +1950,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
51803 struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
51804
51805 char buf[8];
51806- int buf_size;
51807+ size_t buf_size;
51808 u32 reset_flag;
51809
51810 memset(buf, 0, sizeof(buf));
51811@@ -1971,7 +1971,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
51812 {
51813 struct iwl_trans *trans = file->private_data;
51814 char buf[8];
51815- int buf_size;
51816+ size_t buf_size;
51817 int csr;
51818
51819 memset(buf, 0, sizeof(buf));
51820diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
51821index 99e873d..0d9aab2 100644
51822--- a/drivers/net/wireless/mac80211_hwsim.c
51823+++ b/drivers/net/wireless/mac80211_hwsim.c
51824@@ -3148,20 +3148,20 @@ static int __init init_mac80211_hwsim(void)
51825 if (channels < 1)
51826 return -EINVAL;
51827
51828- mac80211_hwsim_mchan_ops = mac80211_hwsim_ops;
51829- mac80211_hwsim_mchan_ops.hw_scan = mac80211_hwsim_hw_scan;
51830- mac80211_hwsim_mchan_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan;
51831- mac80211_hwsim_mchan_ops.sw_scan_start = NULL;
51832- mac80211_hwsim_mchan_ops.sw_scan_complete = NULL;
51833- mac80211_hwsim_mchan_ops.remain_on_channel = mac80211_hwsim_roc;
51834- mac80211_hwsim_mchan_ops.cancel_remain_on_channel = mac80211_hwsim_croc;
51835- mac80211_hwsim_mchan_ops.add_chanctx = mac80211_hwsim_add_chanctx;
51836- mac80211_hwsim_mchan_ops.remove_chanctx = mac80211_hwsim_remove_chanctx;
51837- mac80211_hwsim_mchan_ops.change_chanctx = mac80211_hwsim_change_chanctx;
51838- mac80211_hwsim_mchan_ops.assign_vif_chanctx =
51839- mac80211_hwsim_assign_vif_chanctx;
51840- mac80211_hwsim_mchan_ops.unassign_vif_chanctx =
51841- mac80211_hwsim_unassign_vif_chanctx;
51842+ pax_open_kernel();
51843+ memcpy((void *)&mac80211_hwsim_mchan_ops, &mac80211_hwsim_ops, sizeof mac80211_hwsim_mchan_ops);
51844+ *(void **)&mac80211_hwsim_mchan_ops.hw_scan = mac80211_hwsim_hw_scan;
51845+ *(void **)&mac80211_hwsim_mchan_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan;
51846+ *(void **)&mac80211_hwsim_mchan_ops.sw_scan_start = NULL;
51847+ *(void **)&mac80211_hwsim_mchan_ops.sw_scan_complete = NULL;
51848+ *(void **)&mac80211_hwsim_mchan_ops.remain_on_channel = mac80211_hwsim_roc;
51849+ *(void **)&mac80211_hwsim_mchan_ops.cancel_remain_on_channel = mac80211_hwsim_croc;
51850+ *(void **)&mac80211_hwsim_mchan_ops.add_chanctx = mac80211_hwsim_add_chanctx;
51851+ *(void **)&mac80211_hwsim_mchan_ops.remove_chanctx = mac80211_hwsim_remove_chanctx;
51852+ *(void **)&mac80211_hwsim_mchan_ops.change_chanctx = mac80211_hwsim_change_chanctx;
51853+ *(void **)&mac80211_hwsim_mchan_ops.assign_vif_chanctx = mac80211_hwsim_assign_vif_chanctx;
51854+ *(void **)&mac80211_hwsim_mchan_ops.unassign_vif_chanctx = mac80211_hwsim_unassign_vif_chanctx;
51855+ pax_close_kernel();
51856
51857 spin_lock_init(&hwsim_radio_lock);
51858 INIT_LIST_HEAD(&hwsim_radios);
51859diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
51860index 71a825c..ce7d6c3 100644
51861--- a/drivers/net/wireless/rndis_wlan.c
51862+++ b/drivers/net/wireless/rndis_wlan.c
51863@@ -1236,7 +1236,7 @@ static int set_rts_threshold(struct usbnet *usbdev, u32 rts_threshold)
51864
51865 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
51866
51867- if (rts_threshold < 0 || rts_threshold > 2347)
51868+ if (rts_threshold > 2347)
51869 rts_threshold = 2347;
51870
51871 tmp = cpu_to_le32(rts_threshold);
51872diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
51873index 9bb398b..b0cc047 100644
51874--- a/drivers/net/wireless/rt2x00/rt2x00.h
51875+++ b/drivers/net/wireless/rt2x00/rt2x00.h
51876@@ -375,7 +375,7 @@ struct rt2x00_intf {
51877 * for hardware which doesn't support hardware
51878 * sequence counting.
51879 */
51880- atomic_t seqno;
51881+ atomic_unchecked_t seqno;
51882 };
51883
51884 static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif)
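Review bot: The field comment above `seqno` does not record that the counter is allowed to wrap, which is presumably what switching it to `atomic_unchecked_t` relies on. Add a line to the existing block comment, for example `* The counter is expected to wrap, hence the unchecked atomic type.` The matching `atomic_add_return_unchecked()` and `atomic_read_unchecked()` calls are in the rt2x00queue.c hunk that follows, where the value goes through `cpu_to_le16()` into `seq_ctrl`. struct rt2x00_intf begins outside this hunk.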
51885diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
51886index 68b620b..92ecd9e 100644
51887--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
51888+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
51889@@ -224,9 +224,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
51890 * sequence counter given by mac80211.
51891 */
51892 if (test_bit(ENTRY_TXD_FIRST_FRAGMENT, &txdesc->flags))
51893- seqno = atomic_add_return(0x10, &intf->seqno);
51894+ seqno = atomic_add_return_unchecked(0x10, &intf->seqno);
51895 else
51896- seqno = atomic_read(&intf->seqno);
51897+ seqno = atomic_read_unchecked(&intf->seqno);
51898
51899 hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG);
51900 hdr->seq_ctrl |= cpu_to_le16(seqno);
51901diff --git a/drivers/net/wireless/ti/wl1251/sdio.c b/drivers/net/wireless/ti/wl1251/sdio.c
51902index b661f896..ddf7d2b 100644
51903--- a/drivers/net/wireless/ti/wl1251/sdio.c
51904+++ b/drivers/net/wireless/ti/wl1251/sdio.c
51905@@ -282,13 +282,17 @@ static int wl1251_sdio_probe(struct sdio_func *func,
51906
51907 irq_set_irq_type(wl->irq, IRQ_TYPE_EDGE_RISING);
51908
51909- wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq;
51910- wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq;
51911+ pax_open_kernel();
51912+ *(void **)&wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq;
51913+ *(void **)&wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq;
51914+ pax_close_kernel();
51915
51916 wl1251_info("using dedicated interrupt line");
51917 } else {
51918- wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq;
51919- wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq;
51920+ pax_open_kernel();
51921+ *(void **)&wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq;
51922+ *(void **)&wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq;
51923+ pax_close_kernel();
51924
51925 wl1251_info("using SDIO interrupt");
51926 }
51927diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
51928index af0fe2e..d04986b 100644
51929--- a/drivers/net/wireless/ti/wl12xx/main.c
51930+++ b/drivers/net/wireless/ti/wl12xx/main.c
51931@@ -655,7 +655,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
51932 sizeof(wl->conf.mem));
51933
51934 /* read data preparation is only needed by wl127x */
51935- wl->ops->prepare_read = wl127x_prepare_read;
51936+ pax_open_kernel();
51937+ *(void **)&wl->ops->prepare_read = wl127x_prepare_read;
51938+ pax_close_kernel();
51939
51940 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER,
51941 WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER,
51942@@ -680,7 +682,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
51943 sizeof(wl->conf.mem));
51944
51945 /* read data preparation is only needed by wl127x */
51946- wl->ops->prepare_read = wl127x_prepare_read;
51947+ pax_open_kernel();
51948+ *(void **)&wl->ops->prepare_read = wl127x_prepare_read;
51949+ pax_close_kernel();
51950
51951 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER,
51952 WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER,
51953diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c
51954index 49aca2c..3b9c10c 100644
51955--- a/drivers/net/wireless/ti/wl18xx/main.c
51956+++ b/drivers/net/wireless/ti/wl18xx/main.c
51957@@ -1952,8 +1952,10 @@ static int wl18xx_setup(struct wl1271 *wl)
51958 }
51959
51960 if (!checksum_param) {
51961- wl18xx_ops.set_rx_csum = NULL;
51962- wl18xx_ops.init_vif = NULL;
51963+ pax_open_kernel();
51964+ *(void **)&wl18xx_ops.set_rx_csum = NULL;
51965+ *(void **)&wl18xx_ops.init_vif = NULL;
51966+ pax_close_kernel();
51967 }
51968
51969 /* Enable 11a Band only if we have 5G antennas */
51970diff --git a/drivers/net/wireless/zd1211rw/zd_usb.c b/drivers/net/wireless/zd1211rw/zd_usb.c
51971index a912dc0..a8225ba 100644
51972--- a/drivers/net/wireless/zd1211rw/zd_usb.c
51973+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
51974@@ -385,7 +385,7 @@ static inline void handle_regs_int(struct urb *urb)
51975 {
51976 struct zd_usb *usb = urb->context;
51977 struct zd_usb_interrupt *intr = &usb->intr;
51978- int len;
51979+ unsigned int len;
51980 u16 int_num;
51981
51982 ZD_ASSERT(in_interrupt());
51983diff --git a/drivers/nfc/nfcwilink.c b/drivers/nfc/nfcwilink.c
51984index ce2e2cf..f81e500 100644
51985--- a/drivers/nfc/nfcwilink.c
51986+++ b/drivers/nfc/nfcwilink.c
51987@@ -497,7 +497,7 @@ static struct nci_ops nfcwilink_ops = {
51988
51989 static int nfcwilink_probe(struct platform_device *pdev)
51990 {
51991- static struct nfcwilink *drv;
51992+ struct nfcwilink *drv;
51993 int rc;
51994 __u32 protocols;
51995
51996diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
51997index 6e82bc42..ab4145c 100644
51998--- a/drivers/of/fdt.c
51999+++ b/drivers/of/fdt.c
52000@@ -1161,7 +1161,9 @@ static int __init of_fdt_raw_init(void)
52001 pr_warn("fdt: not creating '/sys/firmware/fdt': CRC check failed\n");
52002 return 0;
52003 }
52004- of_fdt_raw_attr.size = fdt_totalsize(initial_boot_params);
52005+ pax_open_kernel();
52006+ *(size_t *)&of_fdt_raw_attr.size = fdt_totalsize(initial_boot_params);
52007+ pax_close_kernel();
52008 return sysfs_create_bin_file(firmware_kobj, &of_fdt_raw_attr);
52009 }
52010 late_initcall(of_fdt_raw_init);
52011diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c
52012index 82f7000..d6d0447 100644
52013--- a/drivers/oprofile/buffer_sync.c
52014+++ b/drivers/oprofile/buffer_sync.c
52015@@ -345,7 +345,7 @@ static void add_data(struct op_entry *entry, struct mm_struct *mm)
52016 if (cookie == NO_COOKIE)
52017 offset = pc;
52018 if (cookie == INVALID_COOKIE) {
52019- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
52020+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
52021 offset = pc;
52022 }
52023 if (cookie != last_cookie) {
52024@@ -389,14 +389,14 @@ add_sample(struct mm_struct *mm, struct op_sample *s, int in_kernel)
52025 /* add userspace sample */
52026
52027 if (!mm) {
52028- atomic_inc(&oprofile_stats.sample_lost_no_mm);
52029+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
52030 return 0;
52031 }
52032
52033 cookie = lookup_dcookie(mm, s->eip, &offset);
52034
52035 if (cookie == INVALID_COOKIE) {
52036- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
52037+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
52038 return 0;
52039 }
52040
52041@@ -554,7 +554,7 @@ void sync_buffer(int cpu)
52042 /* ignore backtraces if failed to add a sample */
52043 if (state == sb_bt_start) {
52044 state = sb_bt_ignore;
52045- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
52046+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
52047 }
52048 }
52049 release_mm(mm);
52050diff --git a/drivers/oprofile/event_buffer.c b/drivers/oprofile/event_buffer.c
52051index c0cc4e7..44d4e54 100644
52052--- a/drivers/oprofile/event_buffer.c
52053+++ b/drivers/oprofile/event_buffer.c
52054@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value)
52055 }
52056
52057 if (buffer_pos == buffer_size) {
52058- atomic_inc(&oprofile_stats.event_lost_overflow);
52059+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
52060 return;
52061 }
52062
52063diff --git a/drivers/oprofile/oprof.c b/drivers/oprofile/oprof.c
52064index ed2c3ec..deda85a 100644
52065--- a/drivers/oprofile/oprof.c
52066+++ b/drivers/oprofile/oprof.c
52067@@ -110,7 +110,7 @@ static void switch_worker(struct work_struct *work)
52068 if (oprofile_ops.switch_events())
52069 return;
52070
52071- atomic_inc(&oprofile_stats.multiplex_counter);
52072+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
52073 start_switch_worker();
52074 }
52075
52076diff --git a/drivers/oprofile/oprofile_files.c b/drivers/oprofile/oprofile_files.c
52077index ee2cfce..7f8f699 100644
52078--- a/drivers/oprofile/oprofile_files.c
52079+++ b/drivers/oprofile/oprofile_files.c
52080@@ -27,7 +27,7 @@ unsigned long oprofile_time_slice;
52081
52082 #ifdef CONFIG_OPROFILE_EVENT_MULTIPLEX
52083
52084-static ssize_t timeout_read(struct file *file, char __user *buf,
52085+static ssize_t __intentional_overflow(-1) timeout_read(struct file *file, char __user *buf,
52086 size_t count, loff_t *offset)
52087 {
52088 return oprofilefs_ulong_to_user(jiffies_to_msecs(oprofile_time_slice),
52089diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c
52090index 59659ce..6c860a0 100644
52091--- a/drivers/oprofile/oprofile_stats.c
52092+++ b/drivers/oprofile/oprofile_stats.c
52093@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
52094 cpu_buf->sample_invalid_eip = 0;
52095 }
52096
52097- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
52098- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
52099- atomic_set(&oprofile_stats.event_lost_overflow, 0);
52100- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
52101- atomic_set(&oprofile_stats.multiplex_counter, 0);
52102+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
52103+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
52104+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
52105+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
52106+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
52107 }
52108
52109
52110diff --git a/drivers/oprofile/oprofile_stats.h b/drivers/oprofile/oprofile_stats.h
52111index 1fc622b..8c48fc3 100644
52112--- a/drivers/oprofile/oprofile_stats.h
52113+++ b/drivers/oprofile/oprofile_stats.h
52114@@ -13,11 +13,11 @@
52115 #include <linux/atomic.h>
52116
52117 struct oprofile_stat_struct {
52118- atomic_t sample_lost_no_mm;
52119- atomic_t sample_lost_no_mapping;
52120- atomic_t bt_lost_no_mapping;
52121- atomic_t event_lost_overflow;
52122- atomic_t multiplex_counter;
52123+ atomic_unchecked_t sample_lost_no_mm;
52124+ atomic_unchecked_t sample_lost_no_mapping;
52125+ atomic_unchecked_t bt_lost_no_mapping;
52126+ atomic_unchecked_t event_lost_overflow;
52127+ atomic_unchecked_t multiplex_counter;
52128 };
52129
52130 extern struct oprofile_stat_struct oprofile_stats;
52131diff --git a/drivers/oprofile/oprofilefs.c b/drivers/oprofile/oprofilefs.c
52132index dd92c5e..dfc04b5 100644
52133--- a/drivers/oprofile/oprofilefs.c
52134+++ b/drivers/oprofile/oprofilefs.c
52135@@ -176,8 +176,8 @@ int oprofilefs_create_ro_ulong(struct dentry *root,
52136
52137 static ssize_t atomic_read_file(struct file *file, char __user *buf, size_t count, loff_t *offset)
52138 {
52139- atomic_t *val = file->private_data;
52140- return oprofilefs_ulong_to_user(atomic_read(val), buf, count, offset);
52141+ atomic_unchecked_t *val = file->private_data;
52142+ return oprofilefs_ulong_to_user(atomic_read_unchecked(val), buf, count, offset);
52143 }
52144
52145
52146@@ -189,7 +189,7 @@ static const struct file_operations atomic_ro_fops = {
52147
52148
52149 int oprofilefs_create_ro_atomic(struct dentry *root,
52150- char const *name, atomic_t *val)
52151+ char const *name, atomic_unchecked_t *val)
52152 {
52153 return __oprofilefs_create_file(root, name,
52154 &atomic_ro_fops, 0444, val);
52155diff --git a/drivers/oprofile/timer_int.c b/drivers/oprofile/timer_int.c
52156index bdef916..88c7dee 100644
52157--- a/drivers/oprofile/timer_int.c
52158+++ b/drivers/oprofile/timer_int.c
52159@@ -93,7 +93,7 @@ static int oprofile_cpu_notify(struct notifier_block *self,
52160 return NOTIFY_OK;
52161 }
52162
52163-static struct notifier_block __refdata oprofile_cpu_notifier = {
52164+static struct notifier_block oprofile_cpu_notifier = {
52165 .notifier_call = oprofile_cpu_notify,
52166 };
52167
52168diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
52169index c776333..aa6b325 100644
52170--- a/drivers/parport/procfs.c
52171+++ b/drivers/parport/procfs.c
52172@@ -65,7 +65,7 @@ static int do_active_device(struct ctl_table *table, int write,
52173
52174 *ppos += len;
52175
52176- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
52177+ return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
52178 }
52179
52180 #ifdef CONFIG_PARPORT_1284
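Review bot: The new `len > sizeof buffer` test in do_active_device() runs only in the return expression, after `*ppos += len;` two lines earlier has already advanced the file position, so a rejected call still leaves the caller's offset changed. It also only stops copy_to_user() from reading past `buffer`; it cannot detect an overrun by whatever filled `buffer` earlier in the function, which starts outside this hunk. I would move the guard above the offset update as `if (len > sizeof buffer) return -EFAULT;` and keep the original return line. The do_autoprobe() hunk below has the same ordering.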
52181@@ -107,7 +107,7 @@ static int do_autoprobe(struct ctl_table *table, int write,
52182
52183 *ppos += len;
52184
52185- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
52186+ return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
52187 }
52188 #endif /* IEEE1284.3 support. */
52189
52190diff --git a/drivers/pci/host/pci-host-generic.c b/drivers/pci/host/pci-host-generic.c
52191index ba46e58..90cfc24 100644
52192--- a/drivers/pci/host/pci-host-generic.c
52193+++ b/drivers/pci/host/pci-host-generic.c
52194@@ -26,9 +26,9 @@
52195 #include <linux/platform_device.h>
52196
52197 struct gen_pci_cfg_bus_ops {
52198+ struct pci_ops ops;
52199 u32 bus_shift;
52200- void __iomem *(*map_bus)(struct pci_bus *, unsigned int, int);
52201-};
52202+} __do_const;
52203
52204 struct gen_pci_cfg_windows {
52205 struct resource res;
52206@@ -56,8 +56,12 @@ static void __iomem *gen_pci_map_cfg_bus_cam(struct pci_bus *bus,
52207 }
52208
52209 static struct gen_pci_cfg_bus_ops gen_pci_cfg_cam_bus_ops = {
52210+ .ops = {
52211+ .map_bus = gen_pci_map_cfg_bus_cam,
52212+ .read = pci_generic_config_read,
52213+ .write = pci_generic_config_write,
52214+ },
52215 .bus_shift = 16,
52216- .map_bus = gen_pci_map_cfg_bus_cam,
52217 };
52218
52219 static void __iomem *gen_pci_map_cfg_bus_ecam(struct pci_bus *bus,
52220@@ -72,13 +76,12 @@ static void __iomem *gen_pci_map_cfg_bus_ecam(struct pci_bus *bus,
52221 }
52222
52223 static struct gen_pci_cfg_bus_ops gen_pci_cfg_ecam_bus_ops = {
52224+ .ops = {
52225+ .map_bus = gen_pci_map_cfg_bus_ecam,
52226+ .read = pci_generic_config_read,
52227+ .write = pci_generic_config_write,
52228+ },
52229 .bus_shift = 20,
52230- .map_bus = gen_pci_map_cfg_bus_ecam,
52231-};
52232-
52233-static struct pci_ops gen_pci_ops = {
52234- .read = pci_generic_config_read,
52235- .write = pci_generic_config_write,
52236 };
52237
52238 static const struct of_device_id gen_pci_of_match[] = {
52239@@ -219,7 +222,6 @@ static int gen_pci_probe(struct platform_device *pdev)
52240 .private_data = (void **)&pci,
52241 .setup = gen_pci_setup,
52242 .map_irq = of_irq_parse_and_map_pci,
52243- .ops = &gen_pci_ops,
52244 };
52245
52246 if (!pci)
52247@@ -241,7 +243,7 @@ static int gen_pci_probe(struct platform_device *pdev)
52248
52249 of_id = of_match_node(gen_pci_of_match, np);
52250 pci->cfg.ops = of_id->data;
52251- gen_pci_ops.map_bus = pci->cfg.ops->map_bus;
52252+ hw.ops = &pci->cfg.ops->ops;
52253 pci->host.dev.parent = dev;
52254 INIT_LIST_HEAD(&pci->host.windows);
52255 INIT_LIST_HEAD(&pci->resources);
52256diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c
52257index 6ca2399..68d866b 100644
52258--- a/drivers/pci/hotplug/acpiphp_ibm.c
52259+++ b/drivers/pci/hotplug/acpiphp_ibm.c
52260@@ -452,7 +452,9 @@ static int __init ibm_acpiphp_init(void)
52261 goto init_cleanup;
52262 }
52263
52264- ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL);
52265+ pax_open_kernel();
52266+ *(size_t *)&ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL);
52267+ pax_close_kernel();
52268 retval = sysfs_create_bin_file(sysdir, &ibm_apci_table_attr);
52269
52270 return retval;
52271diff --git a/drivers/pci/hotplug/cpcihp_generic.c b/drivers/pci/hotplug/cpcihp_generic.c
52272index 66b7bbe..26bee78 100644
52273--- a/drivers/pci/hotplug/cpcihp_generic.c
52274+++ b/drivers/pci/hotplug/cpcihp_generic.c
52275@@ -73,7 +73,6 @@ static u16 port;
52276 static unsigned int enum_bit;
52277 static u8 enum_mask;
52278
52279-static struct cpci_hp_controller_ops generic_hpc_ops;
52280 static struct cpci_hp_controller generic_hpc;
52281
52282 static int __init validate_parameters(void)
52283@@ -139,6 +138,10 @@ static int query_enum(void)
52284 return ((value & enum_mask) == enum_mask);
52285 }
52286
52287+static struct cpci_hp_controller_ops generic_hpc_ops = {
52288+ .query_enum = query_enum,
52289+};
52290+
52291 static int __init cpcihp_generic_init(void)
52292 {
52293 int status;
52294@@ -165,7 +168,6 @@ static int __init cpcihp_generic_init(void)
52295 pci_dev_put(dev);
52296
52297 memset(&generic_hpc, 0, sizeof (struct cpci_hp_controller));
52298- generic_hpc_ops.query_enum = query_enum;
52299 generic_hpc.ops = &generic_hpc_ops;
52300
52301 status = cpci_hp_register_controller(&generic_hpc);
52302diff --git a/drivers/pci/hotplug/cpcihp_zt5550.c b/drivers/pci/hotplug/cpcihp_zt5550.c
52303index 7ecf34e..effed62 100644
52304--- a/drivers/pci/hotplug/cpcihp_zt5550.c
52305+++ b/drivers/pci/hotplug/cpcihp_zt5550.c
52306@@ -59,7 +59,6 @@
52307 /* local variables */
52308 static bool debug;
52309 static bool poll;
52310-static struct cpci_hp_controller_ops zt5550_hpc_ops;
52311 static struct cpci_hp_controller zt5550_hpc;
52312
52313 /* Primary cPCI bus bridge device */
52314@@ -204,6 +203,10 @@ static int zt5550_hc_disable_irq(void)
52315 return 0;
52316 }
52317
52318+static struct cpci_hp_controller_ops zt5550_hpc_ops = {
52319+ .query_enum = zt5550_hc_query_enum,
52320+};
52321+
52322 static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id *ent)
52323 {
52324 int status;
52325@@ -215,16 +218,17 @@ static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id
52326 dbg("returned from zt5550_hc_config");
52327
52328 memset(&zt5550_hpc, 0, sizeof (struct cpci_hp_controller));
52329- zt5550_hpc_ops.query_enum = zt5550_hc_query_enum;
52330 zt5550_hpc.ops = &zt5550_hpc_ops;
52331 if (!poll) {
52332 zt5550_hpc.irq = hc_dev->irq;
52333 zt5550_hpc.irq_flags = IRQF_SHARED;
52334 zt5550_hpc.dev_id = hc_dev;
52335
52336- zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq;
52337- zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq;
52338- zt5550_hpc_ops.check_irq = zt5550_hc_check_irq;
52339+ pax_open_kernel();
52340+ *(void **)&zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq;
52341+ *(void **)&zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq;
52342+ *(void **)&zt5550_hpc_ops.check_irq = zt5550_hc_check_irq;
52343+ pax_open_kernel();
52344 } else {
52345 info("using ENUM# polling mode");
52346 }
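Review bot: The write window opened before the three `zt5550_hpc_ops` assignments is never closed, because the line after `check_irq` calls `pax_open_kernel();` a second time where every other hunk in this patch pairs the open with `pax_close_kernel();`. As written, zt5550_hc_init_one() presumably returns with the kernel's read-only data still writable, and any nesting or preemption accounting the helpers do is left unbalanced; the helpers themselves are not visible here. The last added line should read `pax_close_kernel();`. The function body continues outside the hunk.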
52347diff --git a/drivers/pci/hotplug/cpqphp_nvram.c b/drivers/pci/hotplug/cpqphp_nvram.c
52348index 1e08ff8c..3cd145f 100644
52349--- a/drivers/pci/hotplug/cpqphp_nvram.c
52350+++ b/drivers/pci/hotplug/cpqphp_nvram.c
52351@@ -425,8 +425,10 @@ static u32 store_HRT (void __iomem *rom_start)
52352
52353 void compaq_nvram_init (void __iomem *rom_start)
52354 {
52355+#ifndef CONFIG_PAX_KERNEXEC
52356 if (rom_start)
52357 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
52358+#endif
52359
52360 dbg("int15 entry = %p\n", compaq_int15_entry_point);
52361
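Review bot: With CONFIG_PAX_KERNEXEC set, compaq_nvram_init() no longer assigns `compaq_int15_entry_point`, yet the `dbg("int15 entry = %p\n", ...)` right after still prints it and nothing in the hunk says why the assignment is skipped. Code that later calls through this pointer is outside the hunk, so it is worth confirming that those paths are also disabled or check for an unset entry point. I would add a one-line comment above the `#ifndef` stating the reason, presumably that the ROM entry point cannot be executed under KERNEXEC, and say what callers should expect.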
52362diff --git a/drivers/pci/hotplug/pci_hotplug_core.c b/drivers/pci/hotplug/pci_hotplug_core.c
52363index 56d8486..f26113f 100644
52364--- a/drivers/pci/hotplug/pci_hotplug_core.c
52365+++ b/drivers/pci/hotplug/pci_hotplug_core.c
52366@@ -436,8 +436,10 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus,
52367 return -EINVAL;
52368 }
52369
52370- slot->ops->owner = owner;
52371- slot->ops->mod_name = mod_name;
52372+ pax_open_kernel();
52373+ *(struct module **)&slot->ops->owner = owner;
52374+ *(const char **)&slot->ops->mod_name = mod_name;
52375+ pax_close_kernel();
52376
52377 mutex_lock(&pci_hp_mutex);
52378 /*
52379diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
52380index 612b21a..9494a5e 100644
52381--- a/drivers/pci/hotplug/pciehp_core.c
52382+++ b/drivers/pci/hotplug/pciehp_core.c
52383@@ -87,7 +87,7 @@ static int init_slot(struct controller *ctrl)
52384 struct slot *slot = ctrl->slot;
52385 struct hotplug_slot *hotplug = NULL;
52386 struct hotplug_slot_info *info = NULL;
52387- struct hotplug_slot_ops *ops = NULL;
52388+ hotplug_slot_ops_no_const *ops = NULL;
52389 char name[SLOT_NAME_SIZE];
52390 int retval = -ENOMEM;
52391
52392diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
52393index f66be86..6cbcabb 100644
52394--- a/drivers/pci/msi.c
52395+++ b/drivers/pci/msi.c
52396@@ -492,8 +492,8 @@ static int populate_msi_sysfs(struct pci_dev *pdev)
52397 {
52398 struct attribute **msi_attrs;
52399 struct attribute *msi_attr;
52400- struct device_attribute *msi_dev_attr;
52401- struct attribute_group *msi_irq_group;
52402+ device_attribute_no_const *msi_dev_attr;
52403+ attribute_group_no_const *msi_irq_group;
52404 const struct attribute_group **msi_irq_groups;
52405 struct msi_desc *entry;
52406 int ret = -ENOMEM;
52407@@ -552,7 +552,7 @@ error_attrs:
52408 count = 0;
52409 msi_attr = msi_attrs[count];
52410 while (msi_attr) {
52411- msi_dev_attr = container_of(msi_attr, struct device_attribute, attr);
52412+ msi_dev_attr = container_of(msi_attr, device_attribute_no_const, attr);
52413 kfree(msi_attr->name);
52414 kfree(msi_dev_attr);
52415 ++count;
52416@@ -1236,12 +1236,14 @@ static void pci_msi_domain_update_dom_ops(struct msi_domain_info *info)
52417 if (ops == NULL) {
52418 info->ops = &pci_msi_domain_ops_default;
52419 } else {
52420+ pax_open_kernel();
52421 if (ops->set_desc == NULL)
52422- ops->set_desc = pci_msi_domain_set_desc;
52423+ *(void **)&ops->set_desc = pci_msi_domain_set_desc;
52424 if (ops->msi_check == NULL)
52425- ops->msi_check = pci_msi_domain_check_cap;
52426+ *(void **)&ops->msi_check = pci_msi_domain_check_cap;
52427 if (ops->handle_error == NULL)
52428- ops->handle_error = pci_msi_domain_handle_error;
52429+ *(void **)&ops->handle_error = pci_msi_domain_handle_error;
52430+ pax_close_kernel();
52431 }
52432 }
52433
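Review bot: In pci_msi_domain_update_dom_ops() the `pax_open_kernel()` / `pax_close_kernel()` pair wraps all three NULL checks, so the write window is opened even when `set_desc`, `msi_check` and `handle_error` are all already set and nothing is written. The next hunk, pci_msi_domain_update_chip_ops(), opens the window only inside the `if`, and this branch would be more consistent and narrower if it did the same. One way is to add `if (ops->set_desc && ops->msi_check && ops->handle_error) return;` at the top of the `else` branch, before `pax_open_kernel();`. The function's opening lines are outside the hunk.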
52434@@ -1250,8 +1252,11 @@ static void pci_msi_domain_update_chip_ops(struct msi_domain_info *info)
52435 struct irq_chip *chip = info->chip;
52436
52437 BUG_ON(!chip);
52438- if (!chip->irq_write_msi_msg)
52439- chip->irq_write_msi_msg = pci_msi_domain_write_msg;
52440+ if (!chip->irq_write_msi_msg) {
52441+ pax_open_kernel();
52442+ *(void **)&chip->irq_write_msi_msg = pci_msi_domain_write_msg;
52443+ pax_close_kernel();
52444+ }
52445 }
52446
52447 /**
52448diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
52449index 312f23a..d21181c 100644
52450--- a/drivers/pci/pci-sysfs.c
52451+++ b/drivers/pci/pci-sysfs.c
52452@@ -1140,7 +1140,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
52453 {
52454 /* allocate attribute structure, piggyback attribute name */
52455 int name_len = write_combine ? 13 : 10;
52456- struct bin_attribute *res_attr;
52457+ bin_attribute_no_const *res_attr;
52458 int retval;
52459
52460 res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC);
52461@@ -1317,7 +1317,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
52462 static int pci_create_capabilities_sysfs(struct pci_dev *dev)
52463 {
52464 int retval;
52465- struct bin_attribute *attr;
52466+ bin_attribute_no_const *attr;
52467
52468 /* If the device has VPD, try to expose it in sysfs. */
52469 if (dev->vpd) {
52470@@ -1364,7 +1364,7 @@ int __must_check pci_create_sysfs_dev_files(struct pci_dev *pdev)
52471 {
52472 int retval;
52473 int rom_size = 0;
52474- struct bin_attribute *attr;
52475+ bin_attribute_no_const *attr;
52476
52477 if (!sysfs_initialized)
52478 return -EACCES;
52479diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
52480index 4ff0ff1..e309fb0 100644
52481--- a/drivers/pci/pci.h
52482+++ b/drivers/pci/pci.h
52483@@ -99,7 +99,7 @@ struct pci_vpd_ops {
52484 struct pci_vpd {
52485 unsigned int len;
52486 const struct pci_vpd_ops *ops;
52487- struct bin_attribute *attr; /* descriptor for sysfs VPD entry */
52488+ bin_attribute_no_const *attr; /* descriptor for sysfs VPD entry */
52489 };
52490
52491 int pci_vpd_pci22_init(struct pci_dev *dev);
52492diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
52493index 317e355..21f7b91 100644
52494--- a/drivers/pci/pcie/aspm.c
52495+++ b/drivers/pci/pcie/aspm.c
52496@@ -27,9 +27,9 @@
52497 #define MODULE_PARAM_PREFIX "pcie_aspm."
52498
52499 /* Note: those are not register definitions */
52500-#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
52501-#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
52502-#define ASPM_STATE_L1 (4) /* L1 state */
52503+#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
52504+#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
52505+#define ASPM_STATE_L1 (4U) /* L1 state */
52506 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
52507 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
52508
52509diff --git a/drivers/pci/pcie/portdrv_pci.c b/drivers/pci/pcie/portdrv_pci.c
52510index be35da2..ec16cdb 100644
52511--- a/drivers/pci/pcie/portdrv_pci.c
52512+++ b/drivers/pci/pcie/portdrv_pci.c
52513@@ -324,7 +324,7 @@ static int __init dmi_pcie_pme_disable_msi(const struct dmi_system_id *d)
52514 return 0;
52515 }
52516
52517-static struct dmi_system_id __initdata pcie_portdrv_dmi_table[] = {
52518+static const struct dmi_system_id __initconst pcie_portdrv_dmi_table[] = {
52519 /*
52520 * Boxes that should not use MSI for PCIe PME signaling.
52521 */
52522diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
52523index f6ae0d0..af897bc 100644
52524--- a/drivers/pci/probe.c
52525+++ b/drivers/pci/probe.c
52526@@ -176,7 +176,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
52527 u16 orig_cmd;
52528 struct pci_bus_region region, inverted_region;
52529
52530- mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
52531+ mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
52532
52533 /* No printks while decoding is disabled! */
52534 if (!dev->mmio_always_on) {
52535diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
52536index 3f155e7..0f4b1f0 100644
52537--- a/drivers/pci/proc.c
52538+++ b/drivers/pci/proc.c
52539@@ -434,7 +434,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
52540 static int __init pci_proc_init(void)
52541 {
52542 struct pci_dev *dev = NULL;
52543+
52544+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52545+#ifdef CONFIG_GRKERNSEC_PROC_USER
52546+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
52547+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52548+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
52549+#endif
52550+#else
52551 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
52552+#endif
52553 proc_create("devices", 0, proc_bus_pci_dir,
52554 &proc_bus_pci_dev_operations);
52555 proc_initialized = 1;
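Review bot: When CONFIG_GRKERNSEC_PROC_ADD is defined but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, no branch of the new preprocessor block assigns `proc_bus_pci_dir`. The `proc_create("devices", 0, proc_bus_pci_dir, ...)` that follows then runs with the variable's previous value. Kconfig dependencies may rule that combination out, but they are not visible here and the code does not enforce it. I would close the inner chain with `#else` and `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);`, or with an `#error`, so the directory is always created. pci_proc_init() continues past the end of the hunk.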
52556diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
52557index 2deb130..8194e13 100644
52558--- a/drivers/pinctrl/pinctrl-at91.c
52559+++ b/drivers/pinctrl/pinctrl-at91.c
52560@@ -24,6 +24,7 @@
52561 #include <linux/pinctrl/pinmux.h>
52562 /* Since we request GPIOs from ourself */
52563 #include <linux/pinctrl/consumer.h>
52564+#include <asm/pgtable.h>
52565
52566 #include "pinctrl-at91.h"
52567 #include "core.h"
52568@@ -1656,7 +1657,9 @@ static int at91_gpio_of_irq_setup(struct platform_device *pdev,
52569 at91_gpio->pioc_hwirq = irqd_to_hwirq(d);
52570
52571 /* Setup proper .irq_set_type function */
52572- gpio_irqchip.irq_set_type = at91_gpio->ops->irq_type;
52573+ pax_open_kernel();
52574+ *(void **)&gpio_irqchip.irq_set_type = at91_gpio->ops->irq_type;
52575+ pax_close_kernel();
52576
52577 /* Disable irqs of this PIO controller */
52578 writel_relaxed(~0, at91_gpio->regbase + PIO_IDR);
52579diff --git a/drivers/platform/chrome/chromeos_pstore.c b/drivers/platform/chrome/chromeos_pstore.c
52580index 3474920..acc9581 100644
52581--- a/drivers/platform/chrome/chromeos_pstore.c
52582+++ b/drivers/platform/chrome/chromeos_pstore.c
52583@@ -13,7 +13,7 @@
52584 #include <linux/platform_device.h>
52585 #include <linux/pstore_ram.h>
52586
52587-static struct dmi_system_id chromeos_pstore_dmi_table[] __initdata = {
52588+static const struct dmi_system_id chromeos_pstore_dmi_table[] __initconst = {
52589 {
52590 /*
52591 * Today all Chromebooks/boxes ship with Google_* as version and
52592diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c
52593index 1e1e594..8fe59c5 100644
52594--- a/drivers/platform/x86/alienware-wmi.c
52595+++ b/drivers/platform/x86/alienware-wmi.c
52596@@ -150,7 +150,7 @@ struct wmax_led_args {
52597 } __packed;
52598
52599 static struct platform_device *platform_device;
52600-static struct device_attribute *zone_dev_attrs;
52601+static device_attribute_no_const *zone_dev_attrs;
52602 static struct attribute **zone_attrs;
52603 static struct platform_zone *zone_data;
52604
52605@@ -160,7 +160,7 @@ static struct platform_driver platform_driver = {
52606 }
52607 };
52608
52609-static struct attribute_group zone_attribute_group = {
52610+static attribute_group_no_const zone_attribute_group = {
52611 .name = "rgb_zones",
52612 };
52613
52614diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
52615index efbc3f0..18ae682 100644
52616--- a/drivers/platform/x86/asus-wmi.c
52617+++ b/drivers/platform/x86/asus-wmi.c
52618@@ -1868,6 +1868,10 @@ static int show_dsts(struct seq_file *m, void *data)
52619 int err;
52620 u32 retval = -1;
52621
52622+#ifdef CONFIG_GRKERNSEC_KMEM
52623+ return -EPERM;
52624+#endif
52625+
52626 err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
52627
52628 if (err < 0)
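Review bot: The `#ifdef CONFIG_GRKERNSEC_KMEM` / `return -EPERM;` / `#endif` block in show_dsts() leaves the whole rest of the function as dead code after an unconditional return whenever the option is set, which is easy to misread. Writing it as `if (IS_ENABLED(CONFIG_GRKERNSEC_KMEM)) return -EPERM;` keeps it ordinary control flow, and the compiler still checks the body in both configurations. The show_devs() and show_call() hunks below use the same pattern. The refusal also happens only when the file is read, so the debug entries are presumably still created and openable; their setup is outside these hunks.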
52629@@ -1884,6 +1888,10 @@ static int show_devs(struct seq_file *m, void *data)
52630 int err;
52631 u32 retval = -1;
52632
52633+#ifdef CONFIG_GRKERNSEC_KMEM
52634+ return -EPERM;
52635+#endif
52636+
52637 err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
52638 &retval);
52639
52640@@ -1908,6 +1916,10 @@ static int show_call(struct seq_file *m, void *data)
52641 union acpi_object *obj;
52642 acpi_status status;
52643
52644+#ifdef CONFIG_GRKERNSEC_KMEM
52645+ return -EPERM;
52646+#endif
52647+
52648 status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
52649 1, asus->debug.method_id,
52650 &input, &output);
52651diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c
52652index f2706d2..850edfa4 100644
52653--- a/drivers/platform/x86/compal-laptop.c
52654+++ b/drivers/platform/x86/compal-laptop.c
52655@@ -765,7 +765,7 @@ static int dmi_check_cb_extra(const struct dmi_system_id *id)
52656 return 1;
52657 }
52658
52659-static struct dmi_system_id __initdata compal_dmi_table[] = {
52660+static const struct dmi_system_id __initconst compal_dmi_table[] = {
52661 {
52662 .ident = "FL90/IFL90",
52663 .matches = {
52664diff --git a/drivers/platform/x86/hdaps.c b/drivers/platform/x86/hdaps.c
52665index 458e6c9..089aee7 100644
52666--- a/drivers/platform/x86/hdaps.c
52667+++ b/drivers/platform/x86/hdaps.c
52668@@ -514,7 +514,7 @@ static int __init hdaps_dmi_match_invert(const struct dmi_system_id *id)
52669 "ThinkPad T42p", so the order of the entries matters.
52670 If your ThinkPad is not recognized, please update to latest
52671 BIOS. This is especially the case for some R52 ThinkPads. */
52672-static struct dmi_system_id __initdata hdaps_whitelist[] = {
52673+static const struct dmi_system_id __initconst hdaps_whitelist[] = {
52674 HDAPS_DMI_MATCH_INVERT("IBM", "ThinkPad R50p", HDAPS_BOTH_AXES),
52675 HDAPS_DMI_MATCH_NORMAL("IBM", "ThinkPad R50"),
52676 HDAPS_DMI_MATCH_NORMAL("IBM", "ThinkPad R51"),
52677diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
52678index 97c2be1..2ee50ce 100644
52679--- a/drivers/platform/x86/ibm_rtl.c
52680+++ b/drivers/platform/x86/ibm_rtl.c
52681@@ -227,7 +227,7 @@ static void rtl_teardown_sysfs(void) {
52682 }
52683
52684
52685-static struct dmi_system_id __initdata ibm_rtl_dmi_table[] = {
52686+static const struct dmi_system_id __initconst ibm_rtl_dmi_table[] = {
52687 { \
52688 .matches = { \
52689 DMI_MATCH(DMI_SYS_VENDOR, "IBM"), \
52690diff --git a/drivers/platform/x86/intel_oaktrail.c b/drivers/platform/x86/intel_oaktrail.c
52691index 6aa33c4..cfb5425 100644
52692--- a/drivers/platform/x86/intel_oaktrail.c
52693+++ b/drivers/platform/x86/intel_oaktrail.c
52694@@ -299,7 +299,7 @@ static int dmi_check_cb(const struct dmi_system_id *id)
52695 return 0;
52696 }
52697
52698-static struct dmi_system_id __initdata oaktrail_dmi_table[] = {
52699+static const struct dmi_system_id __initconst oaktrail_dmi_table[] = {
52700 {
52701 .ident = "OakTrail platform",
52702 .matches = {
52703diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
52704index 4231770..10a6caf 100644
52705--- a/drivers/platform/x86/msi-laptop.c
52706+++ b/drivers/platform/x86/msi-laptop.c
52707@@ -605,7 +605,7 @@ static int dmi_check_cb(const struct dmi_system_id *dmi)
52708 return 1;
52709 }
52710
52711-static struct dmi_system_id __initdata msi_dmi_table[] = {
52712+static const struct dmi_system_id __initconst msi_dmi_table[] = {
52713 {
52714 .ident = "MSI S270",
52715 .matches = {
52716@@ -1000,12 +1000,14 @@ static int __init load_scm_model_init(struct platform_device *sdev)
52717
52718 if (!quirks->ec_read_only) {
52719 /* allow userland write sysfs file */
52720- dev_attr_bluetooth.store = store_bluetooth;
52721- dev_attr_wlan.store = store_wlan;
52722- dev_attr_threeg.store = store_threeg;
52723- dev_attr_bluetooth.attr.mode |= S_IWUSR;
52724- dev_attr_wlan.attr.mode |= S_IWUSR;
52725- dev_attr_threeg.attr.mode |= S_IWUSR;
52726+ pax_open_kernel();
52727+ *(void **)&dev_attr_bluetooth.store = store_bluetooth;
52728+ *(void **)&dev_attr_wlan.store = store_wlan;
52729+ *(void **)&dev_attr_threeg.store = store_threeg;
52730+ *(umode_t *)&dev_attr_bluetooth.attr.mode |= S_IWUSR;
52731+ *(umode_t *)&dev_attr_wlan.attr.mode |= S_IWUSR;
52732+ *(umode_t *)&dev_attr_threeg.attr.mode |= S_IWUSR;
52733+ pax_close_kernel();
52734 }
52735
52736 /* disable hardware control by fn key */
52737diff --git a/drivers/platform/x86/msi-wmi.c b/drivers/platform/x86/msi-wmi.c
52738index 978e6d6..1f0b37d 100644
52739--- a/drivers/platform/x86/msi-wmi.c
52740+++ b/drivers/platform/x86/msi-wmi.c
52741@@ -184,7 +184,7 @@ static const struct backlight_ops msi_backlight_ops = {
52742 static void msi_wmi_notify(u32 value, void *context)
52743 {
52744 struct acpi_buffer response = { ACPI_ALLOCATE_BUFFER, NULL };
52745- static struct key_entry *key;
52746+ struct key_entry *key;
52747 union acpi_object *obj;
52748 acpi_status status;
52749
52750diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
52751index 8c146e2..356c62e 100644
52752--- a/drivers/platform/x86/samsung-laptop.c
52753+++ b/drivers/platform/x86/samsung-laptop.c
52754@@ -1567,7 +1567,7 @@ static int __init samsung_dmi_matched(const struct dmi_system_id *d)
52755 return 0;
52756 }
52757
52758-static struct dmi_system_id __initdata samsung_dmi_table[] = {
52759+static const struct dmi_system_id __initconst samsung_dmi_table[] = {
52760 {
52761 .matches = {
52762 DMI_MATCH(DMI_SYS_VENDOR,
52763diff --git a/drivers/platform/x86/samsung-q10.c b/drivers/platform/x86/samsung-q10.c
52764index e6aac72..e11ff24 100644
52765--- a/drivers/platform/x86/samsung-q10.c
52766+++ b/drivers/platform/x86/samsung-q10.c
52767@@ -95,7 +95,7 @@ static int __init dmi_check_callback(const struct dmi_system_id *id)
52768 return 1;
52769 }
52770
52771-static struct dmi_system_id __initdata samsungq10_dmi_table[] = {
52772+static const struct dmi_system_id __initconst samsungq10_dmi_table[] = {
52773 {
52774 .ident = "Samsung Q10",
52775 .matches = {
52776diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
52777index aeb80d1..3eb376b 100644
52778--- a/drivers/platform/x86/sony-laptop.c
52779+++ b/drivers/platform/x86/sony-laptop.c
52780@@ -2527,7 +2527,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd)
52781 }
52782
52783 /* High speed charging function */
52784-static struct device_attribute *hsc_handle;
52785+static device_attribute_no_const *hsc_handle;
52786
52787 static ssize_t sony_nc_highspeed_charging_store(struct device *dev,
52788 struct device_attribute *attr,
52789@@ -2601,7 +2601,7 @@ static void sony_nc_highspeed_charging_cleanup(struct platform_device *pd)
52790 }
52791
52792 /* low battery function */
52793-static struct device_attribute *lowbatt_handle;
52794+static device_attribute_no_const *lowbatt_handle;
52795
52796 static ssize_t sony_nc_lowbatt_store(struct device *dev,
52797 struct device_attribute *attr,
52798@@ -2667,7 +2667,7 @@ static void sony_nc_lowbatt_cleanup(struct platform_device *pd)
52799 }
52800
52801 /* fan speed function */
52802-static struct device_attribute *fan_handle, *hsf_handle;
52803+static device_attribute_no_const *fan_handle, *hsf_handle;
52804
52805 static ssize_t sony_nc_hsfan_store(struct device *dev,
52806 struct device_attribute *attr,
52807@@ -2774,7 +2774,7 @@ static void sony_nc_fanspeed_cleanup(struct platform_device *pd)
52808 }
52809
52810 /* USB charge function */
52811-static struct device_attribute *uc_handle;
52812+static device_attribute_no_const *uc_handle;
52813
52814 static ssize_t sony_nc_usb_charge_store(struct device *dev,
52815 struct device_attribute *attr,
52816@@ -2848,7 +2848,7 @@ static void sony_nc_usb_charge_cleanup(struct platform_device *pd)
52817 }
52818
52819 /* Panel ID function */
52820-static struct device_attribute *panel_handle;
52821+static device_attribute_no_const *panel_handle;
52822
52823 static ssize_t sony_nc_panelid_show(struct device *dev,
52824 struct device_attribute *attr, char *buffer)
52825@@ -2895,7 +2895,7 @@ static void sony_nc_panelid_cleanup(struct platform_device *pd)
52826 }
52827
52828 /* smart connect function */
52829-static struct device_attribute *sc_handle;
52830+static device_attribute_no_const *sc_handle;
52831
52832 static ssize_t sony_nc_smart_conn_store(struct device *dev,
52833 struct device_attribute *attr,
52834@@ -4851,7 +4851,7 @@ static struct acpi_driver sony_pic_driver = {
52835 .drv.pm = &sony_pic_pm,
52836 };
52837
52838-static struct dmi_system_id __initdata sonypi_dmi_table[] = {
52839+static const struct dmi_system_id __initconst sonypi_dmi_table[] = {
52840 {
52841 .ident = "Sony Vaio",
52842 .matches = {
52843diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
52844index 33e488c..417aaea 100644
52845--- a/drivers/platform/x86/thinkpad_acpi.c
52846+++ b/drivers/platform/x86/thinkpad_acpi.c
52847@@ -2460,10 +2460,10 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
52848 && !tp_features.bright_unkfw)
52849 TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME);
52850 }
52851+}
52852
52853 #undef TPACPI_COMPARE_KEY
52854 #undef TPACPI_MAY_SEND_KEY
52855-}
52856
52857 /*
52858 * Polling driver
52859diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
52860index 438d4c7..ca8a2fb 100644
52861--- a/drivers/pnp/pnpbios/bioscalls.c
52862+++ b/drivers/pnp/pnpbios/bioscalls.c
52863@@ -59,7 +59,7 @@ do { \
52864 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
52865 } while(0)
52866
52867-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
52868+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
52869 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
52870
52871 /*
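Review bot: The descriptor flags change from `0x4092` to `0x4093` carries no comment, and a one-bit difference in a magic constant is easy to mistake for a typo or to revert in a later merge. Bit 0 of the access byte is the x86 "accessed" flag. Presumably it is pre-set so the CPU never has to write it back into a GDT that this patch keeps read-only, which would fit the `pax_open_kernel()` wrapping of the GDT stores in `call_pnp_bios` further down. I would add `/* accessed bit pre-set: loading this selector must not make the CPU write to the GDT */` above the definition.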
52872@@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3,
52873
52874 cpu = get_cpu();
52875 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
52876+
52877+ pax_open_kernel();
52878 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
52879+ pax_close_kernel();
52880
52881 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
52882 spin_lock_irqsave(&pnp_bios_lock, flags);
52883@@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3,
52884 :"memory");
52885 spin_unlock_irqrestore(&pnp_bios_lock, flags);
52886
52887+ pax_open_kernel();
52888 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
52889+ pax_close_kernel();
52890+
52891 put_cpu();
52892
52893 /* If we get here and this is set then the PnP BIOS faulted on us. */
52894@@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 nvram_base)
52895 return status;
52896 }
52897
52898-void pnpbios_calls_init(union pnp_bios_install_struct *header)
52899+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
52900 {
52901 int i;
52902
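Review bot: Marking `pnpbios_calls_init` as `__init` is only safe if every caller is itself init-only and the prototype carries the same annotation; neither is visible in this hunk. A call that survives past the point where init memory is freed would jump into discarded text. It is worth confirming that the declaration in the pnpbios header was updated in the same patch and that a build reports no section mismatch. The function body continues in the next two hunks.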
52903@@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header)
52904 pnp_bios_callpoint.offset = header->fields.pm16offset;
52905 pnp_bios_callpoint.segment = PNP_CS16;
52906
52907+ pax_open_kernel();
52908+
52909 for_each_possible_cpu(i) {
52910 struct desc_struct *gdt = get_cpu_gdt_table(i);
52911 if (!gdt)
52912@@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header)
52913 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
52914 (unsigned long)__va(header->fields.pm16dseg));
52915 }
52916+
52917+ pax_close_kernel();
52918 }
52919diff --git a/drivers/pnp/pnpbios/core.c b/drivers/pnp/pnpbios/core.c
52920index facd43b..b291260 100644
52921--- a/drivers/pnp/pnpbios/core.c
52922+++ b/drivers/pnp/pnpbios/core.c
52923@@ -494,7 +494,7 @@ static int __init exploding_pnp_bios(const struct dmi_system_id *d)
52924 return 0;
52925 }
52926
52927-static struct dmi_system_id pnpbios_dmi_table[] __initdata = {
52928+static const struct dmi_system_id pnpbios_dmi_table[] __initconst = {
52929 { /* PnPBIOS GPF on boot */
52930 .callback = exploding_pnp_bios,
52931 .ident = "Higraded P14H",
52932diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c
52933index dfe1ee8..67e820c 100644
52934--- a/drivers/power/pda_power.c
52935+++ b/drivers/power/pda_power.c
52936@@ -38,7 +38,11 @@ static struct power_supply *pda_psy_ac, *pda_psy_usb;
52937
52938 #if IS_ENABLED(CONFIG_USB_PHY)
52939 static struct usb_phy *transceiver;
52940-static struct notifier_block otg_nb;
52941+static int otg_handle_notification(struct notifier_block *nb,
52942+ unsigned long event, void *unused);
52943+static struct notifier_block otg_nb = {
52944+ .notifier_call = otg_handle_notification
52945+};
52946 #endif
52947
52948 static struct regulator *ac_draw;
52949@@ -373,7 +377,6 @@ static int pda_power_probe(struct platform_device *pdev)
52950
52951 #if IS_ENABLED(CONFIG_USB_PHY)
52952 if (!IS_ERR_OR_NULL(transceiver) && pdata->use_otg_notifier) {
52953- otg_nb.notifier_call = otg_handle_notification;
52954 ret = usb_register_notifier(transceiver, &otg_nb);
52955 if (ret) {
52956 dev_err(dev, "failure to register otg notifier\n");
52957diff --git a/drivers/power/power_supply.h b/drivers/power/power_supply.h
52958index cc439fd..8fa30df 100644
52959--- a/drivers/power/power_supply.h
52960+++ b/drivers/power/power_supply.h
52961@@ -16,12 +16,12 @@ struct power_supply;
52962
52963 #ifdef CONFIG_SYSFS
52964
52965-extern void power_supply_init_attrs(struct device_type *dev_type);
52966+extern void power_supply_init_attrs(void);
52967 extern int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env);
52968
52969 #else
52970
52971-static inline void power_supply_init_attrs(struct device_type *dev_type) {}
52972+static inline void power_supply_init_attrs(void) {}
52973 #define power_supply_uevent NULL
52974
52975 #endif /* CONFIG_SYSFS */
52976diff --git a/drivers/power/power_supply_core.c b/drivers/power/power_supply_core.c
52977index 869284c..38a812b 100644
52978--- a/drivers/power/power_supply_core.c
52979+++ b/drivers/power/power_supply_core.c
52980@@ -28,7 +28,10 @@ EXPORT_SYMBOL_GPL(power_supply_class);
52981 ATOMIC_NOTIFIER_HEAD(power_supply_notifier);
52982 EXPORT_SYMBOL_GPL(power_supply_notifier);
52983
52984-static struct device_type power_supply_dev_type;
52985+extern const struct attribute_group *power_supply_attr_groups[];
52986+static struct device_type power_supply_dev_type = {
52987+ .groups = power_supply_attr_groups,
52988+};
52989
52990 #define POWER_SUPPLY_DEFERRED_REGISTER_TIME msecs_to_jiffies(10)
52991
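Review bot: `power_supply_dev_type` now references `power_supply_attr_groups` unconditionally, while the `#else` stub in power_supply.h suggests power_supply_sysfs.c is only built with CONFIG_SYSFS. If so, a CONFIG_SYSFS=n build would fail to link on the missing symbol. I would guard the member with `#ifdef CONFIG_SYSFS` / `.groups = power_supply_attr_groups,` / `#endif`. The `extern` declaration should also move into power_supply.h next to `power_supply_init_attrs()`, so the definition in power_supply_sysfs.c is checked against it.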
52992@@ -960,7 +963,7 @@ static int __init power_supply_class_init(void)
52993 return PTR_ERR(power_supply_class);
52994
52995 power_supply_class->dev_uevent = power_supply_uevent;
52996- power_supply_init_attrs(&power_supply_dev_type);
52997+ power_supply_init_attrs();
52998
52999 return 0;
53000 }
53001diff --git a/drivers/power/power_supply_sysfs.c b/drivers/power/power_supply_sysfs.c
53002index ed2d7fd..266b28f 100644
53003--- a/drivers/power/power_supply_sysfs.c
53004+++ b/drivers/power/power_supply_sysfs.c
53005@@ -238,17 +238,15 @@ static struct attribute_group power_supply_attr_group = {
53006 .is_visible = power_supply_attr_is_visible,
53007 };
53008
53009-static const struct attribute_group *power_supply_attr_groups[] = {
53010+const struct attribute_group *power_supply_attr_groups[] = {
53011 &power_supply_attr_group,
53012 NULL,
53013 };
53014
53015-void power_supply_init_attrs(struct device_type *dev_type)
53016+void power_supply_init_attrs(void)
53017 {
53018 int i;
53019
53020- dev_type->groups = power_supply_attr_groups;
53021-
53022 for (i = 0; i < ARRAY_SIZE(power_supply_attrs); i++)
53023 __power_supply_attrs[i] = &power_supply_attrs[i].attr;
53024 }
53025diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c
53026index 36dc52f..e2e8a4b 100644
53027--- a/drivers/power/reset/at91-reset.c
53028+++ b/drivers/power/reset/at91-reset.c
53029@@ -16,6 +16,7 @@
53030 #include <linux/of_address.h>
53031 #include <linux/platform_device.h>
53032 #include <linux/reboot.h>
53033+#include <asm/pgtable.h>
53034
53035 #include <soc/at91/at91sam9_ddrsdr.h>
53036 #include <soc/at91/at91sam9_sdramc.h>
53037@@ -191,7 +192,9 @@ static int at91_reset_of_probe(struct platform_device *pdev)
53038 }
53039
53040 match = of_match_node(at91_reset_of_match, pdev->dev.of_node);
53041- at91_restart_nb.notifier_call = match->data;
53042+ pax_open_kernel();
53043+ *(void **)&at91_restart_nb.notifier_call = match->data;
53044+ pax_close_kernel();
53045 return register_restart_handler(&at91_restart_nb);
53046 }
53047
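Review bot: `match` is dereferenced on the added line without a NULL check, and `of_match_node()` returns NULL when no table entry matches, so a failed lookup would fault while kernel write protection is lifted. The old code had the same gap, but the window makes it worth closing. Add `if (!match) return -ENODEV;` before `pax_open_kernel()`. The next hunk has the same pattern with `platform_get_device_id()`. Both probe functions start outside their hunks.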
53048@@ -219,9 +222,11 @@ static int at91_reset_platform_probe(struct platform_device *pdev)
53049 }
53050
53051 match = platform_get_device_id(pdev);
53052- at91_restart_nb.notifier_call =
53053+ pax_open_kernel();
53054+ *(void **)&at91_restart_nb.notifier_call =
53055 (int (*)(struct notifier_block *,
53056 unsigned long, void *)) match->driver_data;
53057+ pax_close_kernel();
53058
53059 return register_restart_handler(&at91_restart_nb);
53060 }
53061diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
53062index 84419af..268ede8 100644
53063--- a/drivers/powercap/powercap_sys.c
53064+++ b/drivers/powercap/powercap_sys.c
53065@@ -154,8 +154,77 @@ struct powercap_constraint_attr {
53066 struct device_attribute name_attr;
53067 };
53068
53069+static ssize_t show_constraint_name(struct device *dev,
53070+ struct device_attribute *dev_attr,
53071+ char *buf);
53072+
53073 static struct powercap_constraint_attr
53074- constraint_attrs[MAX_CONSTRAINTS_PER_ZONE];
53075+ constraint_attrs[MAX_CONSTRAINTS_PER_ZONE] = {
53076+ [0 ... MAX_CONSTRAINTS_PER_ZONE - 1] = {
53077+ .power_limit_attr = {
53078+ .attr = {
53079+ .name = NULL,
53080+ .mode = S_IWUSR | S_IRUGO
53081+ },
53082+ .show = show_constraint_power_limit_uw,
53083+ .store = store_constraint_power_limit_uw
53084+ },
53085+
53086+ .time_window_attr = {
53087+ .attr = {
53088+ .name = NULL,
53089+ .mode = S_IWUSR | S_IRUGO
53090+ },
53091+ .show = show_constraint_time_window_us,
53092+ .store = store_constraint_time_window_us
53093+ },
53094+
53095+ .max_power_attr = {
53096+ .attr = {
53097+ .name = NULL,
53098+ .mode = S_IRUGO
53099+ },
53100+ .show = show_constraint_max_power_uw,
53101+ .store = NULL
53102+ },
53103+
53104+ .min_power_attr = {
53105+ .attr = {
53106+ .name = NULL,
53107+ .mode = S_IRUGO
53108+ },
53109+ .show = show_constraint_min_power_uw,
53110+ .store = NULL
53111+ },
53112+
53113+ .max_time_window_attr = {
53114+ .attr = {
53115+ .name = NULL,
53116+ .mode = S_IRUGO
53117+ },
53118+ .show = show_constraint_max_time_window_us,
53119+ .store = NULL
53120+ },
53121+
53122+ .min_time_window_attr = {
53123+ .attr = {
53124+ .name = NULL,
53125+ .mode = S_IRUGO
53126+ },
53127+ .show = show_constraint_min_time_window_us,
53128+ .store = NULL
53129+ },
53130+
53131+ .name_attr = {
53132+ .attr = {
53133+ .name = NULL,
53134+ .mode = S_IRUGO
53135+ },
53136+ .show = show_constraint_name,
53137+ .store = NULL
53138+ }
53139+ }
53140+};
53141
53142 /* A list of powercap control_types */
53143 static LIST_HEAD(powercap_cntrl_list);
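Review bot: The new static initializer leaves every `.attr.name` as NULL without saying where it gets filled in, so the table reads as if the attributes were unnamed. A short comment above `constraint_attrs` would help, for example `/* mode/show/store are fixed at build time; .attr.name is filled in by seed_constraint_attributes() */`. The explicit `.name = NULL` and `.store = NULL` entries are redundant in a designated initializer and could be dropped to shorten the block.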
53144@@ -193,23 +262,16 @@ static ssize_t show_constraint_name(struct device *dev,
53145 }
53146
53147 static int create_constraint_attribute(int id, const char *name,
53148- int mode,
53149- struct device_attribute *dev_attr,
53150- ssize_t (*show)(struct device *,
53151- struct device_attribute *, char *),
53152- ssize_t (*store)(struct device *,
53153- struct device_attribute *,
53154- const char *, size_t)
53155- )
53156+ struct device_attribute *dev_attr)
53157 {
53158+ name = kasprintf(GFP_KERNEL, "constraint_%d_%s", id, name);
53159
53160- dev_attr->attr.name = kasprintf(GFP_KERNEL, "constraint_%d_%s",
53161- id, name);
53162- if (!dev_attr->attr.name)
53163+ if (!name)
53164 return -ENOMEM;
53165- dev_attr->attr.mode = mode;
53166- dev_attr->show = show;
53167- dev_attr->store = store;
53168+
53169+ pax_open_kernel();
53170+ *(const char **)&dev_attr->attr.name = name;
53171+ pax_close_kernel();
53172
53173 return 0;
53174 }
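Review bot: Reassigning the `name` parameter to the `kasprintf()` result makes one identifier serve as both the borrowed suffix and the owned, heap-allocated attribute name, which obscures who must free it. A separate local keeps the ownership visible: `const char *attr_name = kasprintf(GFP_KERNEL, "constraint_%d_%s", id, name);`, then store `attr_name` inside the `pax_open_kernel()` window. The code that releases the string on error is outside this hunk.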
53175@@ -236,49 +298,31 @@ static int seed_constraint_attributes(void)
53176
53177 for (i = 0; i < MAX_CONSTRAINTS_PER_ZONE; ++i) {
53178 ret = create_constraint_attribute(i, "power_limit_uw",
53179- S_IWUSR | S_IRUGO,
53180- &constraint_attrs[i].power_limit_attr,
53181- show_constraint_power_limit_uw,
53182- store_constraint_power_limit_uw);
53183+ &constraint_attrs[i].power_limit_attr);
53184 if (ret)
53185 goto err_alloc;
53186 ret = create_constraint_attribute(i, "time_window_us",
53187- S_IWUSR | S_IRUGO,
53188- &constraint_attrs[i].time_window_attr,
53189- show_constraint_time_window_us,
53190- store_constraint_time_window_us);
53191+ &constraint_attrs[i].time_window_attr);
53192 if (ret)
53193 goto err_alloc;
53194- ret = create_constraint_attribute(i, "name", S_IRUGO,
53195- &constraint_attrs[i].name_attr,
53196- show_constraint_name,
53197- NULL);
53198+ ret = create_constraint_attribute(i, "name",
53199+ &constraint_attrs[i].name_attr);
53200 if (ret)
53201 goto err_alloc;
53202- ret = create_constraint_attribute(i, "max_power_uw", S_IRUGO,
53203- &constraint_attrs[i].max_power_attr,
53204- show_constraint_max_power_uw,
53205- NULL);
53206+ ret = create_constraint_attribute(i, "max_power_uw",
53207+ &constraint_attrs[i].max_power_attr);
53208 if (ret)
53209 goto err_alloc;
53210- ret = create_constraint_attribute(i, "min_power_uw", S_IRUGO,
53211- &constraint_attrs[i].min_power_attr,
53212- show_constraint_min_power_uw,
53213- NULL);
53214+ ret = create_constraint_attribute(i, "min_power_uw",
53215+ &constraint_attrs[i].min_power_attr);
53216 if (ret)
53217 goto err_alloc;
53218 ret = create_constraint_attribute(i, "max_time_window_us",
53219- S_IRUGO,
53220- &constraint_attrs[i].max_time_window_attr,
53221- show_constraint_max_time_window_us,
53222- NULL);
53223+ &constraint_attrs[i].max_time_window_attr);
53224 if (ret)
53225 goto err_alloc;
53226 ret = create_constraint_attribute(i, "min_time_window_us",
53227- S_IRUGO,
53228- &constraint_attrs[i].min_time_window_attr,
53229- show_constraint_min_time_window_us,
53230- NULL);
53231+ &constraint_attrs[i].min_time_window_attr);
53232 if (ret)
53233 goto err_alloc;
53234
53235@@ -378,10 +422,12 @@ static void create_power_zone_common_attributes(
53236 power_zone->zone_dev_attrs[count++] =
53237 &dev_attr_max_energy_range_uj.attr;
53238 if (power_zone->ops->get_energy_uj) {
53239+ pax_open_kernel();
53240 if (power_zone->ops->reset_energy_uj)
53241- dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO;
53242+ *(umode_t *)&dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO;
53243 else
53244- dev_attr_energy_uj.attr.mode = S_IRUGO;
53245+ *(umode_t *)&dev_attr_energy_uj.attr.mode = S_IRUGO;
53246+ pax_close_kernel();
53247 power_zone->zone_dev_attrs[count++] =
53248 &dev_attr_energy_uj.attr;
53249 }
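Review bot: The `if`/`else` on `reset_energy_uj` sits inside the `pax_open_kernel()` window although only the store needs write access. Computing the value first leaves a single protected statement: `umode_t mode = power_zone->ops->reset_energy_uj ? (S_IWUSR | S_IRUGO) : S_IRUGO;` followed by `*(umode_t *)&dev_attr_energy_uj.attr.mode = mode;` between open and close. The enclosing function starts and ends outside the hunk.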
53250diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
53251index 9c5d414..c7900ce 100644
53252--- a/drivers/ptp/ptp_private.h
53253+++ b/drivers/ptp/ptp_private.h
53254@@ -51,7 +51,7 @@ struct ptp_clock {
53255 struct mutex pincfg_mux; /* protect concurrent info->pin_config access */
53256 wait_queue_head_t tsev_wq;
53257 int defunct; /* tells readers to go away when clock is being removed */
53258- struct device_attribute *pin_dev_attr;
53259+ device_attribute_no_const *pin_dev_attr;
53260 struct attribute **pin_attr;
53261 struct attribute_group pin_attr_group;
53262 };
53263diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
53264index 302e626..12579af 100644
53265--- a/drivers/ptp/ptp_sysfs.c
53266+++ b/drivers/ptp/ptp_sysfs.c
53267@@ -280,7 +280,7 @@ static int ptp_populate_pins(struct ptp_clock *ptp)
53268 goto no_pin_attr;
53269
53270 for (i = 0; i < n_pins; i++) {
53271- struct device_attribute *da = &ptp->pin_dev_attr[i];
53272+ device_attribute_no_const *da = &ptp->pin_dev_attr[i];
53273 sysfs_attr_init(&da->attr);
53274 da->attr.name = info->pin_config[i].name;
53275 da->attr.mode = 0644;
53276diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
53277index 78387a6..faffdc7 100644
53278--- a/drivers/regulator/core.c
53279+++ b/drivers/regulator/core.c
53280@@ -3646,7 +3646,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
53281 const struct regulation_constraints *constraints = NULL;
53282 const struct regulator_init_data *init_data;
53283 struct regulator_config *config = NULL;
53284- static atomic_t regulator_no = ATOMIC_INIT(-1);
53285+ static atomic_unchecked_t regulator_no = ATOMIC_INIT(-1);
53286 struct regulator_dev *rdev;
53287 struct device *dev;
53288 int ret, i;
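Review bot: `regulator_no` is switched to `atomic_unchecked_t` with no comment on why this counter is exempt from the overflow checking the patch applies to `atomic_t` elsewhere. Presumably it only hands out sequence numbers for device names and is not a reference count; if so, say it at the declaration: `/* naming sequence only, not a refcount: wrap-around is tolerated */`. The same applies to `ctlr_num` and `fcf_num` in fcoe_sysfs.c and to `scsi_host_next_hn` in hosts.c below. In those files a wrapped value would repeat an id, so the comment should state that this is accepted.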
53289@@ -3729,7 +3729,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
53290 rdev->dev.class = &regulator_class;
53291 rdev->dev.parent = dev;
53292 dev_set_name(&rdev->dev, "regulator.%lu",
53293- (unsigned long) atomic_inc_return(&regulator_no));
53294+ (unsigned long) atomic_inc_return_unchecked(&regulator_no));
53295 ret = device_register(&rdev->dev);
53296 if (ret != 0) {
53297 put_device(&rdev->dev);
53298diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c
53299index 4071d74..260b15a 100644
53300--- a/drivers/regulator/max8660.c
53301+++ b/drivers/regulator/max8660.c
53302@@ -423,8 +423,10 @@ static int max8660_probe(struct i2c_client *client,
53303 max8660->shadow_regs[MAX8660_OVER1] = 5;
53304 } else {
53305 /* Otherwise devices can be toggled via software */
53306- max8660_dcdc_ops.enable = max8660_dcdc_enable;
53307- max8660_dcdc_ops.disable = max8660_dcdc_disable;
53308+ pax_open_kernel();
53309+ *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable;
53310+ *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable;
53311+ pax_close_kernel();
53312 }
53313
53314 /*
53315diff --git a/drivers/regulator/max8973-regulator.c b/drivers/regulator/max8973-regulator.c
53316index e94ddcf..bad33ad 100644
53317--- a/drivers/regulator/max8973-regulator.c
53318+++ b/drivers/regulator/max8973-regulator.c
53319@@ -580,9 +580,11 @@ static int max8973_probe(struct i2c_client *client,
53320 if (!pdata->enable_ext_control) {
53321 max->desc.enable_reg = MAX8973_VOUT;
53322 max->desc.enable_mask = MAX8973_VOUT_ENABLE;
53323- max->ops.enable = regulator_enable_regmap;
53324- max->ops.disable = regulator_disable_regmap;
53325- max->ops.is_enabled = regulator_is_enabled_regmap;
53326+ pax_open_kernel();
53327+ *(void **)&max->ops.enable = regulator_enable_regmap;
53328+ *(void **)&max->ops.disable = regulator_disable_regmap;
53329+ *(void **)&max->ops.is_enabled = regulator_is_enabled_regmap;
53330+ pax_close_kernel();
53331 break;
53332 }
53333
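Review bot: `max->ops` is reached through the per-device pointer, so if that struct is heap-allocated the `pax_open_kernel()` window is not needed for the store. The struct definition is outside the hunk, so this is unconfirmed. In that case a non-const typedef for the member, as this patch does with `device_attribute_no_const` elsewhere, would avoid lifting write protection at all. The same five added lines are repeated in the next hunk, so a small static helper would keep the two switch arms from drifting apart.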
53334@@ -610,9 +612,11 @@ static int max8973_probe(struct i2c_client *client,
53335
53336 max->desc.enable_reg = MAX8973_VOUT;
53337 max->desc.enable_mask = MAX8973_VOUT_ENABLE;
53338- max->ops.enable = regulator_enable_regmap;
53339- max->ops.disable = regulator_disable_regmap;
53340- max->ops.is_enabled = regulator_is_enabled_regmap;
53341+ pax_open_kernel();
53342+ *(void **)&max->ops.enable = regulator_enable_regmap;
53343+ *(void **)&max->ops.disable = regulator_disable_regmap;
53344+ *(void **)&max->ops.is_enabled = regulator_is_enabled_regmap;
53345+ pax_close_kernel();
53346 break;
53347 default:
53348 break;
53349diff --git a/drivers/regulator/mc13892-regulator.c b/drivers/regulator/mc13892-regulator.c
53350index 0d17c92..a29f627 100644
53351--- a/drivers/regulator/mc13892-regulator.c
53352+++ b/drivers/regulator/mc13892-regulator.c
53353@@ -584,10 +584,12 @@ static int mc13892_regulator_probe(struct platform_device *pdev)
53354 mc13xxx_unlock(mc13892);
53355
53356 /* update mc13892_vcam ops */
53357- memcpy(&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
53358+ pax_open_kernel();
53359+ memcpy((void *)&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
53360 sizeof(struct regulator_ops));
53361- mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode,
53362- mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode,
53363+ *(void **)&mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode,
53364+ *(void **)&mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode,
53365+ pax_close_kernel();
53366 mc13892_regulators[MC13892_VCAM].desc.ops = &mc13892_vcam_ops;
53367
53368 mc13xxx_data = mc13xxx_parse_regulators_dt(pdev, mc13892_regulators,
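Review bot: The two rewritten assignments keep the trailing commas of the old lines, so `pax_close_kernel()` becomes the last operand of a comma expression instead of a statement of its own. It compiles only while `pax_close_kernel()` is a plain function call and would break if it ever expanded to a statement macro. It also hides the end of the write window from a reader. Terminate both stores with semicolons: `*(void **)&mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode;` and `*(void **)&mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode;`.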
53369diff --git a/drivers/rtc/rtc-armada38x.c b/drivers/rtc/rtc-armada38x.c
53370index 2b08cac..8942201 100644
53371--- a/drivers/rtc/rtc-armada38x.c
53372+++ b/drivers/rtc/rtc-armada38x.c
53373@@ -18,6 +18,7 @@
53374 #include <linux/of.h>
53375 #include <linux/platform_device.h>
53376 #include <linux/rtc.h>
53377+#include <asm/pgtable.h>
53378
53379 #define RTC_STATUS 0x0
53380 #define RTC_STATUS_ALARM1 BIT(0)
53381@@ -254,8 +255,10 @@ static __init int armada38x_rtc_probe(struct platform_device *pdev)
53382 * If there is no interrupt available then we can't
53383 * use the alarm
53384 */
53385- armada38x_rtc_ops.set_alarm = NULL;
53386- armada38x_rtc_ops.alarm_irq_enable = NULL;
53387+ pax_open_kernel();
53388+ *(void **)&armada38x_rtc_ops.set_alarm = NULL;
53389+ *(void **)&armada38x_rtc_ops.alarm_irq_enable = NULL;
53390+ pax_close_kernel();
53391 }
53392 platform_set_drvdata(pdev, rtc);
53393 if (rtc->irq != -1)
53394diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
53395index a82556a0..e842923 100644
53396--- a/drivers/rtc/rtc-cmos.c
53397+++ b/drivers/rtc/rtc-cmos.c
53398@@ -793,7 +793,9 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
53399 hpet_rtc_timer_init();
53400
53401 /* export at least the first block of NVRAM */
53402- nvram.size = address_space - NVRAM_OFFSET;
53403+ pax_open_kernel();
53404+ *(size_t *)&nvram.size = address_space - NVRAM_OFFSET;
53405+ pax_close_kernel();
53406 retval = sysfs_create_bin_file(&dev->kobj, &nvram);
53407 if (retval < 0) {
53408 dev_dbg(dev, "can't create nvram file? %d\n", retval);
53409diff --git a/drivers/rtc/rtc-dev.c b/drivers/rtc/rtc-dev.c
53410index 799c34b..8e9786a 100644
53411--- a/drivers/rtc/rtc-dev.c
53412+++ b/drivers/rtc/rtc-dev.c
53413@@ -16,6 +16,7 @@
53414 #include <linux/module.h>
53415 #include <linux/rtc.h>
53416 #include <linux/sched.h>
53417+#include <linux/grsecurity.h>
53418 #include "rtc-core.h"
53419
53420 static dev_t rtc_devt;
53421@@ -347,6 +348,8 @@ static long rtc_dev_ioctl(struct file *file,
53422 if (copy_from_user(&tm, uarg, sizeof(tm)))
53423 return -EFAULT;
53424
53425+ gr_log_timechange();
53426+
53427 return rtc_set_time(rtc, &tm);
53428
53429 case RTC_PIE_ON:
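Review bot: `gr_log_timechange()` runs before `rtc_set_time()`, so the log records the attempt even when the call then returns an error. For an audit trail that may be the intent, but an analyst reading the log cannot tell an applied change from a rejected one. Either state it in a comment, `/* audit the attempt; rtc_set_time() may still fail */`, or log after checking the return value. The permission check for this ioctl is outside the hunk.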
53430diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
53431index 6e76de1..d38a1e0 100644
53432--- a/drivers/rtc/rtc-ds1307.c
53433+++ b/drivers/rtc/rtc-ds1307.c
53434@@ -107,7 +107,7 @@ struct ds1307 {
53435 u8 offset; /* register's offset */
53436 u8 regs[11];
53437 u16 nvram_offset;
53438- struct bin_attribute *nvram;
53439+ bin_attribute_no_const *nvram;
53440 enum ds_type type;
53441 unsigned long flags;
53442 #define HAS_NVRAM 0 /* bit 0 == sysfs file active */
53443diff --git a/drivers/rtc/rtc-m48t59.c b/drivers/rtc/rtc-m48t59.c
53444index 90abb5b..e0bf6dd 100644
53445--- a/drivers/rtc/rtc-m48t59.c
53446+++ b/drivers/rtc/rtc-m48t59.c
53447@@ -483,7 +483,9 @@ static int m48t59_rtc_probe(struct platform_device *pdev)
53448 if (IS_ERR(m48t59->rtc))
53449 return PTR_ERR(m48t59->rtc);
53450
53451- m48t59_nvram_attr.size = pdata->offset;
53452+ pax_open_kernel();
53453+ *(size_t *)&m48t59_nvram_attr.size = pdata->offset;
53454+ pax_close_kernel();
53455
53456 ret = sysfs_create_bin_file(&pdev->dev.kobj, &m48t59_nvram_attr);
53457 if (ret)
53458diff --git a/drivers/rtc/rtc-test.c b/drivers/rtc/rtc-test.c
53459index 3a2da4c..e88493c 100644
53460--- a/drivers/rtc/rtc-test.c
53461+++ b/drivers/rtc/rtc-test.c
53462@@ -112,8 +112,10 @@ static int test_probe(struct platform_device *plat_dev)
53463 struct rtc_device *rtc;
53464
53465 if (test_mmss64) {
53466- test_rtc_ops.set_mmss64 = test_rtc_set_mmss64;
53467- test_rtc_ops.set_mmss = NULL;
53468+ pax_open_kernel();
53469+ *(void **)&test_rtc_ops.set_mmss64 = test_rtc_set_mmss64;
53470+ *(void **)&test_rtc_ops.set_mmss = NULL;
53471+ pax_close_kernel();
53472 }
53473
53474 rtc = devm_rtc_device_register(&plat_dev->dev, "test",
53475diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
53476index 7a6dbfb..5cdcd29 100644
53477--- a/drivers/scsi/be2iscsi/be_main.c
53478+++ b/drivers/scsi/be2iscsi/be_main.c
53479@@ -3184,7 +3184,7 @@ be_sgl_create_contiguous(void *virtual_address,
53480 {
53481 WARN_ON(!virtual_address);
53482 WARN_ON(!physical_address);
53483- WARN_ON(!length > 0);
53484+ WARN_ON(!length);
53485 WARN_ON(!sgl);
53486
53487 sgl->va = virtual_address;
53488diff --git a/drivers/scsi/bfa/bfa_fcpim.h b/drivers/scsi/bfa/bfa_fcpim.h
53489index e693af6..2e525b6 100644
53490--- a/drivers/scsi/bfa/bfa_fcpim.h
53491+++ b/drivers/scsi/bfa/bfa_fcpim.h
53492@@ -36,7 +36,7 @@ struct bfa_iotag_s {
53493
53494 struct bfa_itn_s {
53495 bfa_isr_func_t isr;
53496-};
53497+} __no_const;
53498
53499 void bfa_itn_create(struct bfa_s *bfa, struct bfa_rport_s *rport,
53500 void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m));
53501diff --git a/drivers/scsi/bfa/bfa_fcs.c b/drivers/scsi/bfa/bfa_fcs.c
53502index 0f19455..ef7adb5 100644
53503--- a/drivers/scsi/bfa/bfa_fcs.c
53504+++ b/drivers/scsi/bfa/bfa_fcs.c
53505@@ -38,10 +38,21 @@ struct bfa_fcs_mod_s {
53506 #define BFA_FCS_MODULE(_mod) { _mod ## _modinit, _mod ## _modexit }
53507
53508 static struct bfa_fcs_mod_s fcs_modules[] = {
53509- { bfa_fcs_port_attach, NULL, NULL },
53510- { bfa_fcs_uf_attach, NULL, NULL },
53511- { bfa_fcs_fabric_attach, bfa_fcs_fabric_modinit,
53512- bfa_fcs_fabric_modexit },
53513+ {
53514+ .attach = bfa_fcs_port_attach,
53515+ .modinit = NULL,
53516+ .modexit = NULL
53517+ },
53518+ {
53519+ .attach = bfa_fcs_uf_attach,
53520+ .modinit = NULL,
53521+ .modexit = NULL
53522+ },
53523+ {
53524+ .attach = bfa_fcs_fabric_attach,
53525+ .modinit = bfa_fcs_fabric_modinit,
53526+ .modexit = bfa_fcs_fabric_modexit
53527+ },
53528 };
53529
53530 /*
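Review bot: The `BFA_FCS_MODULE` macro in the context line above still expands to a positional initializer, and it supplies only two values for a struct that the converted table fills with three members. If the macro is unused it should be removed; otherwise it should be converted as well, e.g. `{ .modinit = _mod ## _modinit, .modexit = _mod ## _modexit }`. That keeps every initializer of `struct bfa_fcs_mod_s` independent of member order. The `.modinit = NULL` and `.modexit = NULL` entries in the new table are redundant.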
53531diff --git a/drivers/scsi/bfa/bfa_fcs_lport.c b/drivers/scsi/bfa/bfa_fcs_lport.c
53532index ff75ef8..2dfe00a 100644
53533--- a/drivers/scsi/bfa/bfa_fcs_lport.c
53534+++ b/drivers/scsi/bfa/bfa_fcs_lport.c
53535@@ -89,15 +89,26 @@ static struct {
53536 void (*offline) (struct bfa_fcs_lport_s *port);
53537 } __port_action[] = {
53538 {
53539- bfa_fcs_lport_unknown_init, bfa_fcs_lport_unknown_online,
53540- bfa_fcs_lport_unknown_offline}, {
53541- bfa_fcs_lport_fab_init, bfa_fcs_lport_fab_online,
53542- bfa_fcs_lport_fab_offline}, {
53543- bfa_fcs_lport_n2n_init, bfa_fcs_lport_n2n_online,
53544- bfa_fcs_lport_n2n_offline}, {
53545- bfa_fcs_lport_loop_init, bfa_fcs_lport_loop_online,
53546- bfa_fcs_lport_loop_offline},
53547- };
53548+ .init = bfa_fcs_lport_unknown_init,
53549+ .online = bfa_fcs_lport_unknown_online,
53550+ .offline = bfa_fcs_lport_unknown_offline
53551+ },
53552+ {
53553+ .init = bfa_fcs_lport_fab_init,
53554+ .online = bfa_fcs_lport_fab_online,
53555+ .offline = bfa_fcs_lport_fab_offline
53556+ },
53557+ {
53558+ .init = bfa_fcs_lport_n2n_init,
53559+ .online = bfa_fcs_lport_n2n_online,
53560+ .offline = bfa_fcs_lport_n2n_offline
53561+ },
53562+ {
53563+ .init = bfa_fcs_lport_loop_init,
53564+ .online = bfa_fcs_lport_loop_online,
53565+ .offline = bfa_fcs_lport_loop_offline
53566+ },
53567+};
53568
53569 /*
53570 * fcs_port_sm FCS logical port state machine
53571diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h
53572index a38aafa0..fe8f03b 100644
53573--- a/drivers/scsi/bfa/bfa_ioc.h
53574+++ b/drivers/scsi/bfa/bfa_ioc.h
53575@@ -258,7 +258,7 @@ struct bfa_ioc_cbfn_s {
53576 bfa_ioc_disable_cbfn_t disable_cbfn;
53577 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
53578 bfa_ioc_reset_cbfn_t reset_cbfn;
53579-};
53580+} __no_const;
53581
53582 /*
53583 * IOC event notification mechanism.
53584@@ -352,7 +352,7 @@ struct bfa_ioc_hwif_s {
53585 void (*ioc_set_alt_fwstate) (struct bfa_ioc_s *ioc,
53586 enum bfi_ioc_state fwstate);
53587 enum bfi_ioc_state (*ioc_get_alt_fwstate) (struct bfa_ioc_s *ioc);
53588-};
53589+} __no_const;
53590
53591 /*
53592 * Queue element to wait for room in request queue. FIFO order is
53593diff --git a/drivers/scsi/bfa/bfa_modules.h b/drivers/scsi/bfa/bfa_modules.h
53594index a14c784..6de6790 100644
53595--- a/drivers/scsi/bfa/bfa_modules.h
53596+++ b/drivers/scsi/bfa/bfa_modules.h
53597@@ -78,12 +78,12 @@ enum {
53598 \
53599 extern struct bfa_module_s hal_mod_ ## __mod; \
53600 struct bfa_module_s hal_mod_ ## __mod = { \
53601- bfa_ ## __mod ## _meminfo, \
53602- bfa_ ## __mod ## _attach, \
53603- bfa_ ## __mod ## _detach, \
53604- bfa_ ## __mod ## _start, \
53605- bfa_ ## __mod ## _stop, \
53606- bfa_ ## __mod ## _iocdisable, \
53607+ .meminfo = bfa_ ## __mod ## _meminfo, \
53608+ .attach = bfa_ ## __mod ## _attach, \
53609+ .detach = bfa_ ## __mod ## _detach, \
53610+ .start = bfa_ ## __mod ## _start, \
53611+ .stop = bfa_ ## __mod ## _stop, \
53612+ .iocdisable = bfa_ ## __mod ## _iocdisable, \
53613 }
53614
53615 #define BFA_CACHELINE_SZ (256)
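diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c
index 045c4e1..13de803 100644
--- a/drivers/scsi/fcoe/fcoe_sysfs.c
+++ b/drivers/scsi/fcoe/fcoe_sysfs.c
@@ -33,8 +33,8 @@
 */
 #include "libfcoe.h"
 
-static atomic_t ctlr_num;
-static atomic_t fcf_num;
+static atomic_unchecked_t ctlr_num;
+static atomic_unchecked_t fcf_num;
 
 /*
 * fcoe_fcf_dev_loss_tmo: the default number of seconds that fcoe sysfs
@@ -685,7 +685,7 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent,
 if (!ctlr)
 goto out;
 
- ctlr->id = atomic_inc_return(&ctlr_num) - 1;
+ ctlr->id = atomic_inc_return_unchecked(&ctlr_num) - 1;
 ctlr->f = f;
 ctlr->mode = FIP_CONN_TYPE_FABRIC;
 INIT_LIST_HEAD(&ctlr->fcfs);
@@ -902,7 +902,7 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr,
 fcf->dev.parent = &ctlr->dev;
 fcf->dev.bus = &fcoe_bus_type;
 fcf->dev.type = &fcoe_fcf_device_type;
- fcf->id = atomic_inc_return(&fcf_num) - 1;
+ fcf->id = atomic_inc_return_unchecked(&fcf_num) - 1;
 fcf->state = FCOE_FCF_STATE_UNKNOWN;
 
 fcf->dev_loss_tmo = ctlr->fcf_dev_loss_tmo;
@@ -938,8 +938,8 @@ int __init fcoe_sysfs_setup(void)
 {
 int error;
 
- atomic_set(&ctlr_num, 0);
- atomic_set(&fcf_num, 0);
+ atomic_set_unchecked(&ctlr_num, 0);
+ atomic_set_unchecked(&fcf_num, 0);
 
 error = bus_register(&fcoe_bus_type);
 if (error)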
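Review bot: The switch of `ctlr_num` and `fcf_num` to `atomic_unchecked_t` carries no comment saying why these two counters may be exempt from overflow detection. In the visible hunks both are used only as id allocators (`atomic_inc_return_unchecked(...) - 1` in `fcoe_ctlr_device_add` and `fcoe_fcf_device_add`), so a wrap would repeat an id rather than drop a reference; that reasoning belongs next to the declarations, e.g. `/* id allocators, not reference counts: wrap-around is tolerated */`. The same applies to `scsi_host_next_hn` in drivers/scsi/hosts.c. Whether a repeated id is rejected later at device registration is not visible in these hunks.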
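diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index 8bb173e..20236b4 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -42,7 +42,7 @@
 #include "scsi_logging.h"
 
 
-static atomic_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */
+static atomic_unchecked_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */
 
 
 static void scsi_host_cls_release(struct device *dev)
@@ -392,7 +392,7 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
 * subtract one because we increment first then return, but we need to
 * know what the next host number was before increment
 */
- shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
+ shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
 shost->dma_channel = 0xff;
 
 /* These three are default values which can be overridden */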
53682diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
53683index 1dafeb4..3da5095 100644
53684--- a/drivers/scsi/hpsa.c
53685+++ b/drivers/scsi/hpsa.c
53686@@ -793,10 +793,10 @@ static inline u32 next_command(struct ctlr_info *h, u8 q)
53687 struct reply_queue_buffer *rq = &h->reply_queue[q];
53688
53689 if (h->transMethod & CFGTBL_Trans_io_accel1)
53690- return h->access.command_completed(h, q);
53691+ return h->access->command_completed(h, q);
53692
53693 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
53694- return h->access.command_completed(h, q);
53695+ return h->access->command_completed(h, q);
53696
53697 if ((rq->head[rq->current_entry] & 1) == rq->wraparound) {
53698 a = rq->head[rq->current_entry];
53699@@ -978,7 +978,7 @@ static void __enqueue_cmd_and_start_io(struct ctlr_info *h,
53700 break;
53701 default:
53702 set_performant_mode(h, c, reply_queue);
53703- h->access.submit_command(h, c);
53704+ h->access->submit_command(h, c);
53705 }
53706 }
53707
53708@@ -6340,17 +6340,17 @@ static void __iomem *remap_pci_mem(ulong base, ulong size)
53709
53710 static inline unsigned long get_next_completion(struct ctlr_info *h, u8 q)
53711 {
53712- return h->access.command_completed(h, q);
53713+ return h->access->command_completed(h, q);
53714 }
53715
53716 static inline bool interrupt_pending(struct ctlr_info *h)
53717 {
53718- return h->access.intr_pending(h);
53719+ return h->access->intr_pending(h);
53720 }
53721
53722 static inline long interrupt_not_for_us(struct ctlr_info *h)
53723 {
53724- return (h->access.intr_pending(h) == 0) ||
53725+ return (h->access->intr_pending(h) == 0) ||
53726 (h->interrupts_enabled == 0);
53727 }
53728
53729@@ -7288,7 +7288,7 @@ static int hpsa_pci_init(struct ctlr_info *h)
53730 if (prod_index < 0)
53731 return prod_index;
53732 h->product_name = products[prod_index].product_name;
53733- h->access = *(products[prod_index].access);
53734+ h->access = products[prod_index].access;
53735
53736 h->needs_abort_tags_swizzled =
53737 ctlr_needs_abort_tags_swizzled(h->board_id);
53738@@ -7687,7 +7687,7 @@ static void controller_lockup_detected(struct ctlr_info *h)
53739 unsigned long flags;
53740 u32 lockup_detected;
53741
53742- h->access.set_intr_mask(h, HPSA_INTR_OFF);
53743+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
53744 spin_lock_irqsave(&h->lock, flags);
53745 lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
53746 if (!lockup_detected) {
53747@@ -7970,7 +7970,7 @@ reinit_after_soft_reset:
53748 }
53749
53750 /* make sure the board interrupts are off */
53751- h->access.set_intr_mask(h, HPSA_INTR_OFF);
53752+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
53753
53754 rc = hpsa_request_irqs(h, do_hpsa_intr_msi, do_hpsa_intr_intx);
53755 if (rc)
53756@@ -8029,7 +8029,7 @@ reinit_after_soft_reset:
53757 * fake ones to scoop up any residual completions.
53758 */
53759 spin_lock_irqsave(&h->lock, flags);
53760- h->access.set_intr_mask(h, HPSA_INTR_OFF);
53761+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
53762 spin_unlock_irqrestore(&h->lock, flags);
53763 hpsa_free_irqs(h);
53764 rc = hpsa_request_irqs(h, hpsa_msix_discard_completions,
53765@@ -8059,9 +8059,9 @@ reinit_after_soft_reset:
53766 dev_info(&h->pdev->dev, "Board READY.\n");
53767 dev_info(&h->pdev->dev,
53768 "Waiting for stale completions to drain.\n");
53769- h->access.set_intr_mask(h, HPSA_INTR_ON);
53770+ h->access->set_intr_mask(h, HPSA_INTR_ON);
53771 msleep(10000);
53772- h->access.set_intr_mask(h, HPSA_INTR_OFF);
53773+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
53774
53775 rc = controller_reset_failed(h->cfgtable);
53776 if (rc)
53777@@ -8086,7 +8086,7 @@ reinit_after_soft_reset:
53778
53779
53780 /* Turn the interrupts on so we can service requests */
53781- h->access.set_intr_mask(h, HPSA_INTR_ON);
53782+ h->access->set_intr_mask(h, HPSA_INTR_ON);
53783
53784 hpsa_hba_inquiry(h);
53785
53786@@ -8104,7 +8104,7 @@ clean9: /* wq, sh, perf, sg, cmd, irq, shost, pci, lu, aer/h */
53787 kfree(h->hba_inquiry_data);
53788 clean7: /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
53789 hpsa_free_performant_mode(h);
53790- h->access.set_intr_mask(h, HPSA_INTR_OFF);
53791+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
53792 clean6: /* sg, cmd, irq, pci, lockup, wq/aer/h */
53793 hpsa_free_sg_chain_blocks(h);
53794 clean5: /* cmd, irq, shost, pci, lu, aer/h */
53795@@ -8174,7 +8174,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
53796 * To write all data in the battery backed cache to disks
53797 */
53798 hpsa_flush_cache(h);
53799- h->access.set_intr_mask(h, HPSA_INTR_OFF);
53800+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
53801 hpsa_free_irqs(h); /* init_one 4 */
53802 hpsa_disable_interrupt_mode(h); /* pci_init 2 */
53803 }
53804@@ -8306,7 +8306,7 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
53805 CFGTBL_Trans_enable_directed_msix |
53806 (trans_support & (CFGTBL_Trans_io_accel1 |
53807 CFGTBL_Trans_io_accel2));
53808- struct access_method access = SA5_performant_access;
53809+ struct access_method *access = &SA5_performant_access;
53810
53811 /* This is a bit complicated. There are 8 registers on
53812 * the controller which we write to to tell it 8 different
53813@@ -8348,7 +8348,7 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
53814 * perform the superfluous readl() after each command submission.
53815 */
53816 if (trans_support & (CFGTBL_Trans_io_accel1 | CFGTBL_Trans_io_accel2))
53817- access = SA5_performant_access_no_read;
53818+ access = &SA5_performant_access_no_read;
53819
53820 /* Controller spec: zero out this buffer. */
53821 for (i = 0; i < h->nreply_queues; i++)
53822@@ -8378,12 +8378,12 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
53823 * enable outbound interrupt coalescing in accelerator mode;
53824 */
53825 if (trans_support & CFGTBL_Trans_io_accel1) {
53826- access = SA5_ioaccel_mode1_access;
53827+ access = &SA5_ioaccel_mode1_access;
53828 writel(10, &h->cfgtable->HostWrite.CoalIntDelay);
53829 writel(4, &h->cfgtable->HostWrite.CoalIntCount);
53830 } else {
53831 if (trans_support & CFGTBL_Trans_io_accel2) {
53832- access = SA5_ioaccel_mode2_access;
53833+ access = &SA5_ioaccel_mode2_access;
53834 writel(10, &h->cfgtable->HostWrite.CoalIntDelay);
53835 writel(4, &h->cfgtable->HostWrite.CoalIntCount);
53836 }
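Review bot: `h->access` now points at the shared `SA5_*_access` tables instead of holding a private copy, but neither the pointers nor the tables are const-qualified: the local in `hpsa_enter_performant_mode` is `struct access_method *access`, and in drivers/scsi/hpsa.h the member is `struct access_method *access;` and the tables are `static struct access_method`. Declaring the tables `static const struct access_method` and both pointers `const struct access_method *` would make the compiler reject any write through `h->access` and would put the function-pointer tables in read-only data by declaration. The `access` member of the `products[]` entries read in `hpsa_pci_init` is declared outside these hunks and would need the same qualifier.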
53837diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
53838index 6ee4da6..dfafb48 100644
53839--- a/drivers/scsi/hpsa.h
53840+++ b/drivers/scsi/hpsa.h
53841@@ -152,7 +152,7 @@ struct ctlr_info {
53842 unsigned int msix_vector;
53843 unsigned int msi_vector;
53844 int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
53845- struct access_method access;
53846+ struct access_method *access;
53847 char hba_mode_enabled;
53848
53849 /* queue and queue Info */
53850@@ -542,38 +542,38 @@ static unsigned long SA5_ioaccel_mode1_completed(struct ctlr_info *h, u8 q)
53851 }
53852
53853 static struct access_method SA5_access = {
53854- SA5_submit_command,
53855- SA5_intr_mask,
53856- SA5_intr_pending,
53857- SA5_completed,
53858+ .submit_command = SA5_submit_command,
53859+ .set_intr_mask = SA5_intr_mask,
53860+ .intr_pending = SA5_intr_pending,
53861+ .command_completed = SA5_completed,
53862 };
53863
53864 static struct access_method SA5_ioaccel_mode1_access = {
53865- SA5_submit_command,
53866- SA5_performant_intr_mask,
53867- SA5_ioaccel_mode1_intr_pending,
53868- SA5_ioaccel_mode1_completed,
53869+ .submit_command = SA5_submit_command,
53870+ .set_intr_mask = SA5_performant_intr_mask,
53871+ .intr_pending = SA5_ioaccel_mode1_intr_pending,
53872+ .command_completed = SA5_ioaccel_mode1_completed,
53873 };
53874
53875 static struct access_method SA5_ioaccel_mode2_access = {
53876- SA5_submit_command_ioaccel2,
53877- SA5_performant_intr_mask,
53878- SA5_performant_intr_pending,
53879- SA5_performant_completed,
53880+ .submit_command = SA5_submit_command_ioaccel2,
53881+ .set_intr_mask = SA5_performant_intr_mask,
53882+ .intr_pending = SA5_performant_intr_pending,
53883+ .command_completed = SA5_performant_completed,
53884 };
53885
53886 static struct access_method SA5_performant_access = {
53887- SA5_submit_command,
53888- SA5_performant_intr_mask,
53889- SA5_performant_intr_pending,
53890- SA5_performant_completed,
53891+ .submit_command = SA5_submit_command,
53892+ .set_intr_mask = SA5_performant_intr_mask,
53893+ .intr_pending = SA5_performant_intr_pending,
53894+ .command_completed = SA5_performant_completed,
53895 };
53896
53897 static struct access_method SA5_performant_access_no_read = {
53898- SA5_submit_command_no_read,
53899- SA5_performant_intr_mask,
53900- SA5_performant_intr_pending,
53901- SA5_performant_completed,
53902+ .submit_command = SA5_submit_command_no_read,
53903+ .set_intr_mask = SA5_performant_intr_mask,
53904+ .intr_pending = SA5_performant_intr_pending,
53905+ .command_completed = SA5_performant_completed,
53906 };
53907
53908 struct board_type {
53909diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
53910index 30f9ef0..a1e29ac 100644
53911--- a/drivers/scsi/libfc/fc_exch.c
53912+++ b/drivers/scsi/libfc/fc_exch.c
53913@@ -101,12 +101,12 @@ struct fc_exch_mgr {
53914 u16 pool_max_index;
53915
53916 struct {
53917- atomic_t no_free_exch;
53918- atomic_t no_free_exch_xid;
53919- atomic_t xid_not_found;
53920- atomic_t xid_busy;
53921- atomic_t seq_not_found;
53922- atomic_t non_bls_resp;
53923+ atomic_unchecked_t no_free_exch;
53924+ atomic_unchecked_t no_free_exch_xid;
53925+ atomic_unchecked_t xid_not_found;
53926+ atomic_unchecked_t xid_busy;
53927+ atomic_unchecked_t seq_not_found;
53928+ atomic_unchecked_t non_bls_resp;
53929 } stats;
53930 };
53931
53932@@ -809,7 +809,7 @@ static struct fc_exch *fc_exch_em_alloc(struct fc_lport *lport,
53933 /* allocate memory for exchange */
53934 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
53935 if (!ep) {
53936- atomic_inc(&mp->stats.no_free_exch);
53937+ atomic_inc_unchecked(&mp->stats.no_free_exch);
53938 goto out;
53939 }
53940 memset(ep, 0, sizeof(*ep));
53941@@ -872,7 +872,7 @@ out:
53942 return ep;
53943 err:
53944 spin_unlock_bh(&pool->lock);
53945- atomic_inc(&mp->stats.no_free_exch_xid);
53946+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
53947 mempool_free(ep, mp->ep_pool);
53948 return NULL;
53949 }
53950@@ -1021,7 +1021,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
53951 xid = ntohs(fh->fh_ox_id); /* we originated exch */
53952 ep = fc_exch_find(mp, xid);
53953 if (!ep) {
53954- atomic_inc(&mp->stats.xid_not_found);
53955+ atomic_inc_unchecked(&mp->stats.xid_not_found);
53956 reject = FC_RJT_OX_ID;
53957 goto out;
53958 }
53959@@ -1051,7 +1051,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
53960 ep = fc_exch_find(mp, xid);
53961 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
53962 if (ep) {
53963- atomic_inc(&mp->stats.xid_busy);
53964+ atomic_inc_unchecked(&mp->stats.xid_busy);
53965 reject = FC_RJT_RX_ID;
53966 goto rel;
53967 }
53968@@ -1062,7 +1062,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
53969 }
53970 xid = ep->xid; /* get our XID */
53971 } else if (!ep) {
53972- atomic_inc(&mp->stats.xid_not_found);
53973+ atomic_inc_unchecked(&mp->stats.xid_not_found);
53974 reject = FC_RJT_RX_ID; /* XID not found */
53975 goto out;
53976 }
53977@@ -1080,7 +1080,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
53978 } else {
53979 sp = &ep->seq;
53980 if (sp->id != fh->fh_seq_id) {
53981- atomic_inc(&mp->stats.seq_not_found);
53982+ atomic_inc_unchecked(&mp->stats.seq_not_found);
53983 if (f_ctl & FC_FC_END_SEQ) {
53984 /*
53985 * Update sequence_id based on incoming last
53986@@ -1531,22 +1531,22 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
53987
53988 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
53989 if (!ep) {
53990- atomic_inc(&mp->stats.xid_not_found);
53991+ atomic_inc_unchecked(&mp->stats.xid_not_found);
53992 goto out;
53993 }
53994 if (ep->esb_stat & ESB_ST_COMPLETE) {
53995- atomic_inc(&mp->stats.xid_not_found);
53996+ atomic_inc_unchecked(&mp->stats.xid_not_found);
53997 goto rel;
53998 }
53999 if (ep->rxid == FC_XID_UNKNOWN)
54000 ep->rxid = ntohs(fh->fh_rx_id);
54001 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
54002- atomic_inc(&mp->stats.xid_not_found);
54003+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54004 goto rel;
54005 }
54006 if (ep->did != ntoh24(fh->fh_s_id) &&
54007 ep->did != FC_FID_FLOGI) {
54008- atomic_inc(&mp->stats.xid_not_found);
54009+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54010 goto rel;
54011 }
54012 sof = fr_sof(fp);
54013@@ -1555,7 +1555,7 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
54014 sp->ssb_stat |= SSB_ST_RESP;
54015 sp->id = fh->fh_seq_id;
54016 } else if (sp->id != fh->fh_seq_id) {
54017- atomic_inc(&mp->stats.seq_not_found);
54018+ atomic_inc_unchecked(&mp->stats.seq_not_found);
54019 goto rel;
54020 }
54021
54022@@ -1618,9 +1618,9 @@ static void fc_exch_recv_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
54023 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
54024
54025 if (!sp)
54026- atomic_inc(&mp->stats.xid_not_found);
54027+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54028 else
54029- atomic_inc(&mp->stats.non_bls_resp);
54030+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
54031
54032 fc_frame_free(fp);
54033 }
54034@@ -2261,13 +2261,13 @@ void fc_exch_update_stats(struct fc_lport *lport)
54035
54036 list_for_each_entry(ema, &lport->ema_list, ema_list) {
54037 mp = ema->mp;
54038- st->fc_no_free_exch += atomic_read(&mp->stats.no_free_exch);
54039+ st->fc_no_free_exch += atomic_read_unchecked(&mp->stats.no_free_exch);
54040 st->fc_no_free_exch_xid +=
54041- atomic_read(&mp->stats.no_free_exch_xid);
54042- st->fc_xid_not_found += atomic_read(&mp->stats.xid_not_found);
54043- st->fc_xid_busy += atomic_read(&mp->stats.xid_busy);
54044- st->fc_seq_not_found += atomic_read(&mp->stats.seq_not_found);
54045- st->fc_non_bls_resp += atomic_read(&mp->stats.non_bls_resp);
54046+ atomic_read_unchecked(&mp->stats.no_free_exch_xid);
54047+ st->fc_xid_not_found += atomic_read_unchecked(&mp->stats.xid_not_found);
54048+ st->fc_xid_busy += atomic_read_unchecked(&mp->stats.xid_busy);
54049+ st->fc_seq_not_found += atomic_read_unchecked(&mp->stats.seq_not_found);
54050+ st->fc_non_bls_resp += atomic_read_unchecked(&mp->stats.non_bls_resp);
54051 }
54052 }
54053 EXPORT_SYMBOL(fc_exch_update_stats);
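diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
index 9c706d8..d3e3ed2 100644
--- a/drivers/scsi/libsas/sas_ata.c
+++ b/drivers/scsi/libsas/sas_ata.c
@@ -535,7 +535,7 @@ static struct ata_port_operations sas_sata_ops = {
 .postreset = ata_std_postreset,
 .error_handler = ata_std_error_handler,
 .post_internal_cmd = sas_ata_post_internal,
- .qc_defer = ata_std_qc_defer,
+ .qc_defer = ata_std_qc_defer,
 .qc_prep = ata_noop_qc_prep,
 .qc_issue = sas_ata_qc_issue,
 .qc_fill_rtf = sas_ata_qc_fill_rtf,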
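diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
index a5a56fa..43499fd 100644
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -435,7 +435,7 @@ struct lpfc_vport {
 struct dentry *debug_nodelist;
 struct dentry *vport_debugfs_root;
 struct lpfc_debugfs_trc *disc_trc;
- atomic_t disc_trc_cnt;
+ atomic_unchecked_t disc_trc_cnt;
 #endif
 uint8_t stat_data_enabled;
 uint8_t stat_data_blocked;
@@ -885,8 +885,8 @@ struct lpfc_hba {
 struct timer_list fabric_block_timer;
 unsigned long bit_flags;
 #define FABRIC_COMANDS_BLOCKED 0
- atomic_t num_rsrc_err;
- atomic_t num_cmd_success;
+ atomic_unchecked_t num_rsrc_err;
+ atomic_unchecked_t num_cmd_success;
 unsigned long last_rsrc_error_time;
 unsigned long last_ramp_down_time;
 #ifdef CONFIG_SCSI_LPFC_DEBUG_FS
@@ -921,7 +921,7 @@ struct lpfc_hba {
 
 struct dentry *debug_slow_ring_trc;
 struct lpfc_debugfs_trc *slow_ring_trc;
- atomic_t slow_ring_trc_cnt;
+ atomic_unchecked_t slow_ring_trc_cnt;
 /* iDiag debugfs sub-directory */
 struct dentry *idiag_root;
 struct dentry *idiag_pci_cfg;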
54100diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
54101index 25aa9b9..d700a65 100644
54102--- a/drivers/scsi/lpfc/lpfc_debugfs.c
54103+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
54104@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
54105
54106 #include <linux/debugfs.h>
54107
54108-static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
54109+static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
54110 static unsigned long lpfc_debugfs_start_time = 0L;
54111
54112 /* iDiag */
54113@@ -147,7 +147,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size)
54114 lpfc_debugfs_enable = 0;
54115
54116 len = 0;
54117- index = (atomic_read(&vport->disc_trc_cnt) + 1) &
54118+ index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
54119 (lpfc_debugfs_max_disc_trc - 1);
54120 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
54121 dtp = vport->disc_trc + i;
54122@@ -213,7 +213,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size)
54123 lpfc_debugfs_enable = 0;
54124
54125 len = 0;
54126- index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
54127+ index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
54128 (lpfc_debugfs_max_slow_ring_trc - 1);
54129 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
54130 dtp = phba->slow_ring_trc + i;
54131@@ -646,14 +646,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport *vport, int mask, char *fmt,
54132 !vport || !vport->disc_trc)
54133 return;
54134
54135- index = atomic_inc_return(&vport->disc_trc_cnt) &
54136+ index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
54137 (lpfc_debugfs_max_disc_trc - 1);
54138 dtp = vport->disc_trc + index;
54139 dtp->fmt = fmt;
54140 dtp->data1 = data1;
54141 dtp->data2 = data2;
54142 dtp->data3 = data3;
54143- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
54144+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
54145 dtp->jif = jiffies;
54146 #endif
54147 return;
54148@@ -684,14 +684,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_hba *phba, char *fmt,
54149 !phba || !phba->slow_ring_trc)
54150 return;
54151
54152- index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
54153+ index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
54154 (lpfc_debugfs_max_slow_ring_trc - 1);
54155 dtp = phba->slow_ring_trc + index;
54156 dtp->fmt = fmt;
54157 dtp->data1 = data1;
54158 dtp->data2 = data2;
54159 dtp->data3 = data3;
54160- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
54161+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
54162 dtp->jif = jiffies;
54163 #endif
54164 return;
54165@@ -4268,7 +4268,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
54166 "slow_ring buffer\n");
54167 goto debug_failed;
54168 }
54169- atomic_set(&phba->slow_ring_trc_cnt, 0);
54170+ atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
54171 memset(phba->slow_ring_trc, 0,
54172 (sizeof(struct lpfc_debugfs_trc) *
54173 lpfc_debugfs_max_slow_ring_trc));
54174@@ -4314,7 +4314,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
54175 "buffer\n");
54176 goto debug_failed;
54177 }
54178- atomic_set(&vport->disc_trc_cnt, 0);
54179+ atomic_set_unchecked(&vport->disc_trc_cnt, 0);
54180
54181 snprintf(name, sizeof(name), "discovery_trace");
54182 vport->debug_disc_trc =
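diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index f962118..6706983 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -11416,8 +11416,10 @@ lpfc_init(void)
 "misc_register returned with status %d", error);
 
 if (lpfc_enable_npiv) {
- lpfc_transport_functions.vport_create = lpfc_vport_create;
- lpfc_transport_functions.vport_delete = lpfc_vport_delete;
+ pax_open_kernel();
+ *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
+ *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
+ pax_close_kernel();
 }
 lpfc_transport_template =
 fc_attach_transport(&lpfc_transport_functions);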
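Review bot: The `*(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;` form (and the `vport_delete` line after it) discards the member's function-pointer type, so a signature mismatch between the handler and the template member would no longer be diagnosed at compile time. The block also has no comment saying why the write has to sit between `pax_open_kernel()` and `pax_close_kernel()`; something like `/* template is write-protected; patch the NPIV hooks once at init */` would help the next reader. The two assignments to `ha->isp_ops` in `qla2x00_config_dma_addressing` (drivers/scsi/qla2xxx/qla_os.c) use the same cast, and there `ha->isp_ops` looks like a pointer to a table that may be shared by several adapters, so the write is not obviously per-device. `lpfc_init` continues outside the hunk.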
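diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index e5eb40d..056dcd4 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -261,7 +261,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hba *phba)
 unsigned long expires;
 
 spin_lock_irqsave(&phba->hbalock, flags);
- atomic_inc(&phba->num_rsrc_err);
+ atomic_inc_unchecked(&phba->num_rsrc_err);
 phba->last_rsrc_error_time = jiffies;
 
 expires = phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL;
@@ -303,8 +303,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
 unsigned long num_rsrc_err, num_cmd_success;
 int i;
 
- num_rsrc_err = atomic_read(&phba->num_rsrc_err);
- num_cmd_success = atomic_read(&phba->num_cmd_success);
+ num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
+ num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
 
 /*
 * The error and success command counters are global per
@@ -331,8 +331,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
 }
 }
 lpfc_destroy_vport_work_array(phba, vports);
- atomic_set(&phba->num_rsrc_err, 0);
- atomic_set(&phba->num_cmd_success, 0);
+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
+ atomic_set_unchecked(&phba->num_cmd_success, 0);
 }
 
 /**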
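diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
index 3f26147..ee8efd1 100644
--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
@@ -1509,7 +1509,7 @@ _scsih_get_resync(struct device *dev)
 {
 struct scsi_device *sdev = to_scsi_device(dev);
 struct MPT2SAS_ADAPTER *ioc = shost_priv(sdev->host);
- static struct _raid_device *raid_device;
+ struct _raid_device *raid_device;
 unsigned long flags;
 Mpi2RaidVolPage0_t vol_pg0;
 Mpi2ConfigReply_t mpi_reply;
@@ -1561,7 +1561,7 @@ _scsih_get_state(struct device *dev)
 {
 struct scsi_device *sdev = to_scsi_device(dev);
 struct MPT2SAS_ADAPTER *ioc = shost_priv(sdev->host);
- static struct _raid_device *raid_device;
+ struct _raid_device *raid_device;
 unsigned long flags;
 Mpi2RaidVolPage0_t vol_pg0;
 Mpi2ConfigReply_t mpi_reply;
@@ -6641,7 +6641,7 @@ _scsih_sas_ir_operation_status_event(struct MPT2SAS_ADAPTER *ioc,
 Mpi2EventDataIrOperationStatus_t *event_data =
 (Mpi2EventDataIrOperationStatus_t *)
 fw_event->event_data;
- static struct _raid_device *raid_device;
+ struct _raid_device *raid_device;
 unsigned long flags;
 u16 handle;
 
@@ -7112,7 +7112,7 @@ _scsih_scan_for_devices_after_reset(struct MPT2SAS_ADAPTER *ioc)
 u64 sas_address;
 struct _sas_device *sas_device;
 struct _sas_node *expander_device;
- static struct _raid_device *raid_device;
+ struct _raid_device *raid_device;
 u8 retry_count;
 unsigned long flags;
 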
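Review bot: Dropping `static` from `raid_device` in `_scsih_get_resync`, `_scsih_get_state`, `_scsih_sas_ir_operation_status_event` and `_scsih_scan_for_devices_after_reset` turns a zero-initialised variable shared by all callers into an uninitialised automatic one. The function bodies lie outside these hunks, so it is not visible whether every path assigns `raid_device` before reading it. If any path does not, the declaration should be `struct _raid_device *raid_device = NULL;` in each of the four places.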
54275diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
54276index ed31d8c..ab856b3 100644
54277--- a/drivers/scsi/pmcraid.c
54278+++ b/drivers/scsi/pmcraid.c
54279@@ -200,8 +200,8 @@ static int pmcraid_slave_alloc(struct scsi_device *scsi_dev)
54280 res->scsi_dev = scsi_dev;
54281 scsi_dev->hostdata = res;
54282 res->change_detected = 0;
54283- atomic_set(&res->read_failures, 0);
54284- atomic_set(&res->write_failures, 0);
54285+ atomic_set_unchecked(&res->read_failures, 0);
54286+ atomic_set_unchecked(&res->write_failures, 0);
54287 rc = 0;
54288 }
54289 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
54290@@ -2640,9 +2640,9 @@ static int pmcraid_error_handler(struct pmcraid_cmd *cmd)
54291
54292 /* If this was a SCSI read/write command keep count of errors */
54293 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
54294- atomic_inc(&res->read_failures);
54295+ atomic_inc_unchecked(&res->read_failures);
54296 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
54297- atomic_inc(&res->write_failures);
54298+ atomic_inc_unchecked(&res->write_failures);
54299
54300 if (!RES_IS_GSCSI(res->cfg_entry) &&
54301 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
54302@@ -3468,7 +3468,7 @@ static int pmcraid_queuecommand_lck(
54303 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
54304 * hrrq_id assigned here in queuecommand
54305 */
54306- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
54307+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
54308 pinstance->num_hrrq;
54309 cmd->cmd_done = pmcraid_io_done;
54310
54311@@ -3782,7 +3782,7 @@ static long pmcraid_ioctl_passthrough(
54312 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
54313 * hrrq_id assigned here in queuecommand
54314 */
54315- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
54316+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
54317 pinstance->num_hrrq;
54318
54319 if (request_size) {
54320@@ -4420,7 +4420,7 @@ static void pmcraid_worker_function(struct work_struct *workp)
54321
54322 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
54323 /* add resources only after host is added into system */
54324- if (!atomic_read(&pinstance->expose_resources))
54325+ if (!atomic_read_unchecked(&pinstance->expose_resources))
54326 return;
54327
54328 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
54329@@ -5237,8 +5237,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host,
54330 init_waitqueue_head(&pinstance->reset_wait_q);
54331
54332 atomic_set(&pinstance->outstanding_cmds, 0);
54333- atomic_set(&pinstance->last_message_id, 0);
54334- atomic_set(&pinstance->expose_resources, 0);
54335+ atomic_set_unchecked(&pinstance->last_message_id, 0);
54336+ atomic_set_unchecked(&pinstance->expose_resources, 0);
54337
54338 INIT_LIST_HEAD(&pinstance->free_res_q);
54339 INIT_LIST_HEAD(&pinstance->used_res_q);
54340@@ -5951,7 +5951,7 @@ static int pmcraid_probe(struct pci_dev *pdev,
54341 /* Schedule worker thread to handle CCN and take care of adding and
54342 * removing devices to OS
54343 */
54344- atomic_set(&pinstance->expose_resources, 1);
54345+ atomic_set_unchecked(&pinstance->expose_resources, 1);
54346 schedule_work(&pinstance->worker_q);
54347 return rc;
54348
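Review bot: `atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq` in `pmcraid_queuecommand_lck` and `pmcraid_ioctl_passthrough` now relies on the counter being allowed to wrap, and the returned value goes negative once it passes INT_MAX. Whether `hrrq_id` can then come out negative depends on the type of `num_hrrq`, which is declared outside these hunks; making the operand unsigned removes the question: `(u32)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq`. Separately, `expose_resources` is only set to 0 or 1 and read as a flag in the visible hunks, so it does not appear to need the unchecked type unless code outside these hunks increments it.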
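diff --git a/drivers/scsi/pmcraid.h b/drivers/scsi/pmcraid.h
index e1d150f..6c6df44 100644
--- a/drivers/scsi/pmcraid.h
+++ b/drivers/scsi/pmcraid.h
@@ -748,7 +748,7 @@ struct pmcraid_instance {
 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
 
 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
- atomic_t last_message_id;
+ atomic_unchecked_t last_message_id;
 
 /* configuration table */
 struct pmcraid_config_table *cfg_table;
@@ -777,7 +777,7 @@ struct pmcraid_instance {
 atomic_t outstanding_cmds;
 
 /* should add/delete resources to mid-layer now ?*/
- atomic_t expose_resources;
+ atomic_unchecked_t expose_resources;
 
 
 
@@ -813,8 +813,8 @@ struct pmcraid_resource_entry {
 struct pmcraid_config_table_entry_ext cfg_entry_ext;
 };
 struct scsi_device *scsi_dev; /* Link scsi_device structure */
- atomic_t read_failures; /* count of failed READ commands */
- atomic_t write_failures; /* count of failed WRITE commands */
+ atomic_unchecked_t read_failures; /* count of failed READ commands */
+ atomic_unchecked_t write_failures; /* count of failed WRITE commands */
 
 /* To indicate add/delete/modify during CCN */
 u8 change_detected;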
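diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
index 437254e..a66eb82 100644
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -2192,7 +2192,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable)
 return 0;
 }
 
-struct fc_function_template qla2xxx_transport_functions = {
+fc_function_template_no_const qla2xxx_transport_functions = {
 
 .show_host_node_name = 1,
 .show_host_port_name = 1,
@@ -2240,7 +2240,7 @@ struct fc_function_template qla2xxx_transport_functions = {
 .bsg_timeout = qla24xx_bsg_timeout,
 };
 
-struct fc_function_template qla2xxx_transport_vport_functions = {
+fc_function_template_no_const qla2xxx_transport_vport_functions = {
 
 .show_host_node_name = 1,
 .show_host_port_name = 1,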
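Review bot: Changing both templates to `fc_function_template_no_const` leaves every member of `qla2xxx_transport_functions` and `qla2xxx_transport_vport_functions` writable, and nothing in the hunks says which member is assigned at runtime. A comment above each definition naming that member would let a later reader check whether the exemption is still needed, e.g. `/* not const: <member> is set at runtime in <function> */` with the real names filled in. In drivers/scsi/qla2xxx/qla_gbl.h the forward declaration `struct fc_function_template;` stays, but the two `extern` lines now need the typedef itself, so that header depends on an earlier include having declared it. Both initialisers continue outside the hunks.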
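diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
index 7686bfe..4710893 100644
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -571,8 +571,8 @@ extern void qla2x00_get_sym_node_name(scsi_qla_host_t *, uint8_t *, size_t);
 struct device_attribute;
 extern struct device_attribute *qla2x00_host_attrs[];
 struct fc_function_template;
-extern struct fc_function_template qla2xxx_transport_functions;
-extern struct fc_function_template qla2xxx_transport_vport_functions;
+extern fc_function_template_no_const qla2xxx_transport_functions;
+extern fc_function_template_no_const qla2xxx_transport_vport_functions;
 extern void qla2x00_alloc_sysfs_attr(scsi_qla_host_t *);
 extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *, bool);
 extern void qla2x00_init_host_attr(scsi_qla_host_t *);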
54419diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
54420index 8a5cac8..4eba6ab 100644
54421--- a/drivers/scsi/qla2xxx/qla_os.c
54422+++ b/drivers/scsi/qla2xxx/qla_os.c
54423@@ -1435,8 +1435,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha)
54424 !pci_set_consistent_dma_mask(ha->pdev, DMA_BIT_MASK(64))) {
54425 /* Ok, a 64bit DMA mask is applicable. */
54426 ha->flags.enable_64bit_addressing = 1;
54427- ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64;
54428- ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64;
54429+ pax_open_kernel();
54430+ *(void **)&ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64;
54431+ *(void **)&ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64;
54432+ pax_close_kernel();
54433 return;
54434 }
54435 }
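Review bot: The two added stores in `qla2x00_config_dma_addressing` go through `*(void **)&ha->isp_ops->...`, which discards the function-pointer type, so a handler with the wrong signature would compile without a diagnostic. The write also lands in whatever table `ha->isp_ops` points at; if that table is shared between adapters (its definition is not in this hunk), one adapter's DMA capability changes the handlers for all of them. Selecting between two read-only ops tables at probe time would avoid opening the `pax_open_kernel()` window at all. The function begins outside the hunk.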
54436diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h
54437index a7cfc27..151f483 100644
54438--- a/drivers/scsi/qla4xxx/ql4_def.h
54439+++ b/drivers/scsi/qla4xxx/ql4_def.h
54440@@ -306,7 +306,7 @@ struct ddb_entry {
54441 * (4000 only) */
54442 atomic_t relogin_timer; /* Max Time to wait for
54443 * relogin to complete */
54444- atomic_t relogin_retry_count; /* Num of times relogin has been
54445+ atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
54446 * retried */
54447 uint32_t default_time2wait; /* Default Min time between
54448 * relogins (+aens) */
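Review bot: `relogin_retry_count` is moved to `atomic_unchecked_t` with no comment saying why it may be exempt from overflow detection, and the same undocumented conversion recurs in the hunks for scsi_lib.c, scsi_transport_fc.c, scsi_transport_iscsi.c, scsi_transport_srp.c, sd.c, timed_output.c and sbp_target.c. A one-line comment at each declaration, for example `/* statistic only, never used as a reference count; wrap is harmless */`, would let a later audit confirm the exemption without re-deriving it. For the ID generators among them (`iscsi_session_nr`, `next_port_id`, `login_id`, `device_count`) the comment should also say that a wrapped value can repeat an earlier ID and whether the consumers tolerate that.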
54449diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
54450index 6d25879..3031a9f 100644
54451--- a/drivers/scsi/qla4xxx/ql4_os.c
54452+++ b/drivers/scsi/qla4xxx/ql4_os.c
54453@@ -4491,12 +4491,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess)
54454 */
54455 if (!iscsi_is_session_online(cls_sess)) {
54456 /* Reset retry relogin timer */
54457- atomic_inc(&ddb_entry->relogin_retry_count);
54458+ atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
54459 DEBUG2(ql4_printk(KERN_INFO, ha,
54460 "%s: index[%d] relogin timed out-retrying"
54461 " relogin (%d), retry (%d)\n", __func__,
54462 ddb_entry->fw_ddb_index,
54463- atomic_read(&ddb_entry->relogin_retry_count),
54464+ atomic_read_unchecked(&ddb_entry->relogin_retry_count),
54465 ddb_entry->default_time2wait + 4));
54466 set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags);
54467 atomic_set(&ddb_entry->retry_relogin_timer,
54468@@ -6604,7 +6604,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha,
54469
54470 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
54471 atomic_set(&ddb_entry->relogin_timer, 0);
54472- atomic_set(&ddb_entry->relogin_retry_count, 0);
54473+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
54474 def_timeout = le16_to_cpu(ddb_entry->fw_ddb_entry.def_timeout);
54475 ddb_entry->default_relogin_timeout =
54476 (def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ?
54477diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
54478index 207d6a7..bf155b5 100644
54479--- a/drivers/scsi/scsi.c
54480+++ b/drivers/scsi/scsi.c
54481@@ -591,7 +591,7 @@ void scsi_finish_command(struct scsi_cmnd *cmd)
54482
54483 good_bytes = scsi_bufflen(cmd);
54484 if (cmd->request->cmd_type != REQ_TYPE_BLOCK_PC) {
54485- int old_good_bytes = good_bytes;
54486+ unsigned int old_good_bytes = good_bytes;
54487 drv = scsi_cmd_to_driver(cmd);
54488 if (drv->done)
54489 good_bytes = drv->done(cmd);
54490diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
54491index 448ebda..9bd345f 100644
54492--- a/drivers/scsi/scsi_lib.c
54493+++ b/drivers/scsi/scsi_lib.c
54494@@ -1597,7 +1597,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
54495 shost = sdev->host;
54496 scsi_init_cmd_errh(cmd);
54497 cmd->result = DID_NO_CONNECT << 16;
54498- atomic_inc(&cmd->device->iorequest_cnt);
54499+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
54500
54501 /*
54502 * SCSI request completion path will do scsi_device_unbusy(),
54503@@ -1620,9 +1620,9 @@ static void scsi_softirq_done(struct request *rq)
54504
54505 INIT_LIST_HEAD(&cmd->eh_entry);
54506
54507- atomic_inc(&cmd->device->iodone_cnt);
54508+ atomic_inc_unchecked(&cmd->device->iodone_cnt);
54509 if (cmd->result)
54510- atomic_inc(&cmd->device->ioerr_cnt);
54511+ atomic_inc_unchecked(&cmd->device->ioerr_cnt);
54512
54513 disposition = scsi_decide_disposition(cmd);
54514 if (disposition != SUCCESS &&
54515@@ -1663,7 +1663,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
54516 struct Scsi_Host *host = cmd->device->host;
54517 int rtn = 0;
54518
54519- atomic_inc(&cmd->device->iorequest_cnt);
54520+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
54521
54522 /* check if the device is still usable */
54523 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
54524diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
54525index 9ad4116..4e736fc 100644
54526--- a/drivers/scsi/scsi_sysfs.c
54527+++ b/drivers/scsi/scsi_sysfs.c
54528@@ -788,7 +788,7 @@ show_iostat_##field(struct device *dev, struct device_attribute *attr, \
54529 char *buf) \
54530 { \
54531 struct scsi_device *sdev = to_scsi_device(dev); \
54532- unsigned long long count = atomic_read(&sdev->field); \
54533+ unsigned long long count = atomic_read_unchecked(&sdev->field); \
54534 return snprintf(buf, 20, "0x%llx\n", count); \
54535 } \
54536 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
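Review bot: The result of `atomic_read_unchecked()` is widened straight into `unsigned long long count`; assuming it returns a signed `int` like `atomic_read()`, a counter that has passed INT_MAX (which the unchecked type now explicitly permits) is sign-extended and sysfs prints `0xffffffff8...` instead of the 32-bit count. Casting first keeps the output meaningful: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field);`. The macro that defines `show_iostat_##field` starts above the hunk.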
54537diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c
54538index 24eaaf6..de30ec9 100644
54539--- a/drivers/scsi/scsi_transport_fc.c
54540+++ b/drivers/scsi/scsi_transport_fc.c
54541@@ -502,7 +502,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_class,
54542 * Netlink Infrastructure
54543 */
54544
54545-static atomic_t fc_event_seq;
54546+static atomic_unchecked_t fc_event_seq;
54547
54548 /**
54549 * fc_get_event_number - Obtain the next sequential FC event number
54550@@ -515,7 +515,7 @@ static atomic_t fc_event_seq;
54551 u32
54552 fc_get_event_number(void)
54553 {
54554- return atomic_add_return(1, &fc_event_seq);
54555+ return atomic_add_return_unchecked(1, &fc_event_seq);
54556 }
54557 EXPORT_SYMBOL(fc_get_event_number);
54558
54559@@ -659,7 +659,7 @@ static __init int fc_transport_init(void)
54560 {
54561 int error;
54562
54563- atomic_set(&fc_event_seq, 0);
54564+ atomic_set_unchecked(&fc_event_seq, 0);
54565
54566 error = transport_class_register(&fc_host_class);
54567 if (error)
54568@@ -849,7 +849,7 @@ static int fc_str_to_dev_loss(const char *buf, unsigned long *val)
54569 char *cp;
54570
54571 *val = simple_strtoul(buf, &cp, 0);
54572- if ((*cp && (*cp != '\n')) || (*val < 0))
54573+ if (*cp && (*cp != '\n'))
54574 return -EINVAL;
54575 /*
54576 * Check for overflow; dev_loss_tmo is u32
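Review bot: After the always-false `*val < 0` test is dropped, the remaining check in `fc_str_to_dev_loss` still accepts input with no digits at all, because `simple_strtoul()` returns 0 and leaves `cp == buf` in that case. Adding the end-pointer test rejects it: `if (cp == buf || (*cp && (*cp != '\n')))`. `simple_strtoul()` also does not report overflow of `unsigned long`; `kstrtoul()`, which accepts a single trailing newline, would cover both cases. The rest of the function, including the u32 range check mentioned in the comment, lies outside the hunk.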
54577diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
54578index 55647aa..b647d05 100644
54579--- a/drivers/scsi/scsi_transport_iscsi.c
54580+++ b/drivers/scsi/scsi_transport_iscsi.c
54581@@ -79,7 +79,7 @@ struct iscsi_internal {
54582 struct transport_container session_cont;
54583 };
54584
54585-static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
54586+static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
54587 static struct workqueue_struct *iscsi_eh_timer_workq;
54588
54589 static DEFINE_IDA(iscsi_sess_ida);
54590@@ -2073,7 +2073,7 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id)
54591 int err;
54592
54593 ihost = shost->shost_data;
54594- session->sid = atomic_add_return(1, &iscsi_session_nr);
54595+ session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
54596
54597 if (target_id == ISCSI_MAX_TARGET) {
54598 id = ida_simple_get(&iscsi_sess_ida, 0, 0, GFP_KERNEL);
54599@@ -4517,7 +4517,7 @@ static __init int iscsi_transport_init(void)
54600 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
54601 ISCSI_TRANSPORT_VERSION);
54602
54603- atomic_set(&iscsi_session_nr, 0);
54604+ atomic_set_unchecked(&iscsi_session_nr, 0);
54605
54606 err = class_register(&iscsi_transport_class);
54607 if (err)
54608diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c
54609index e3cd3ec..00560ec 100644
54610--- a/drivers/scsi/scsi_transport_srp.c
54611+++ b/drivers/scsi/scsi_transport_srp.c
54612@@ -35,7 +35,7 @@
54613 #include "scsi_priv.h"
54614
54615 struct srp_host_attrs {
54616- atomic_t next_port_id;
54617+ atomic_unchecked_t next_port_id;
54618 };
54619 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
54620
54621@@ -105,7 +105,7 @@ static int srp_host_setup(struct transport_container *tc, struct device *dev,
54622 struct Scsi_Host *shost = dev_to_shost(dev);
54623 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
54624
54625- atomic_set(&srp_host->next_port_id, 0);
54626+ atomic_set_unchecked(&srp_host->next_port_id, 0);
54627 return 0;
54628 }
54629
54630@@ -752,7 +752,7 @@ struct srp_rport *srp_rport_add(struct Scsi_Host *shost,
54631 rport_fast_io_fail_timedout);
54632 INIT_DELAYED_WORK(&rport->dev_loss_work, rport_dev_loss_timedout);
54633
54634- id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
54635+ id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
54636 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
54637
54638 transport_setup_device(&rport->dev);
54639diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
54640index a20da8c..7f47bac 100644
54641--- a/drivers/scsi/sd.c
54642+++ b/drivers/scsi/sd.c
54643@@ -111,7 +111,7 @@ static int sd_resume(struct device *);
54644 static void sd_rescan(struct device *);
54645 static int sd_init_command(struct scsi_cmnd *SCpnt);
54646 static void sd_uninit_command(struct scsi_cmnd *SCpnt);
54647-static int sd_done(struct scsi_cmnd *);
54648+static unsigned int sd_done(struct scsi_cmnd *);
54649 static int sd_eh_action(struct scsi_cmnd *, int);
54650 static void sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer);
54651 static void scsi_disk_release(struct device *cdev);
54652@@ -1646,7 +1646,7 @@ static unsigned int sd_completed_bytes(struct scsi_cmnd *scmd)
54653 *
54654 * Note: potentially run from within an ISR. Must not block.
54655 **/
54656-static int sd_done(struct scsi_cmnd *SCpnt)
54657+static unsigned int sd_done(struct scsi_cmnd *SCpnt)
54658 {
54659 int result = SCpnt->result;
54660 unsigned int good_bytes = result ? 0 : scsi_bufflen(SCpnt);
54661@@ -2973,7 +2973,7 @@ static int sd_probe(struct device *dev)
54662 sdkp->disk = gd;
54663 sdkp->index = index;
54664 atomic_set(&sdkp->openers, 0);
54665- atomic_set(&sdkp->device->ioerr_cnt, 0);
54666+ atomic_set_unchecked(&sdkp->device->ioerr_cnt, 0);
54667
54668 if (!sdp->request_queue->rq_timeout) {
54669 if (sdp->type != TYPE_MOD)
54670diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
54671index 9d7b7db..33ecc51 100644
54672--- a/drivers/scsi/sg.c
54673+++ b/drivers/scsi/sg.c
54674@@ -1083,7 +1083,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
54675 sdp->disk->disk_name,
54676 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
54677 NULL,
54678- (char *)arg);
54679+ (char __user *)arg);
54680 case BLKTRACESTART:
54681 return blk_trace_startstop(sdp->device->request_queue, 1);
54682 case BLKTRACESTOP:
54683diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
54684index 8bd54a6..58fa0d6 100644
54685--- a/drivers/scsi/sr.c
54686+++ b/drivers/scsi/sr.c
54687@@ -80,7 +80,7 @@ static DEFINE_MUTEX(sr_mutex);
54688 static int sr_probe(struct device *);
54689 static int sr_remove(struct device *);
54690 static int sr_init_command(struct scsi_cmnd *SCpnt);
54691-static int sr_done(struct scsi_cmnd *);
54692+static unsigned int sr_done(struct scsi_cmnd *);
54693 static int sr_runtime_suspend(struct device *dev);
54694
54695 static struct dev_pm_ops sr_pm_ops = {
54696@@ -312,13 +312,13 @@ do_tur:
54697 * It will be notified on the end of a SCSI read / write, and will take one
54698 * of several actions based on success or failure.
54699 */
54700-static int sr_done(struct scsi_cmnd *SCpnt)
54701+static unsigned int sr_done(struct scsi_cmnd *SCpnt)
54702 {
54703 int result = SCpnt->result;
54704- int this_count = scsi_bufflen(SCpnt);
54705- int good_bytes = (result == 0 ? this_count : 0);
54706- int block_sectors = 0;
54707- long error_sector;
54708+ unsigned int this_count = scsi_bufflen(SCpnt);
54709+ unsigned int good_bytes = (result == 0 ? this_count : 0);
54710+ unsigned int block_sectors = 0;
54711+ sector_t error_sector;
54712 struct scsi_cd *cd = scsi_cd(SCpnt->request->rq_disk);
54713
54714 #ifdef DEBUG
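Review bot: Making `block_sectors` an `unsigned int` while `error_sector` becomes `sector_t` changes the mask `error_sector &= ~(block_sectors - 1);` that appears as context in the next hunk: the complement is now a 32-bit unsigned value that is zero-extended, so where `sector_t` is 64 bits wide the upper half of `error_sector` is cleared. With the previous `int`/`long` pair the mask was sign-extended and kept those bits. Widening before the complement restores that: `error_sector &= ~(sector_t)(block_sectors - 1);`. The body of `sr_done` continues outside this hunk.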
54715@@ -351,9 +351,12 @@ static int sr_done(struct scsi_cmnd *SCpnt)
54716 if (cd->device->sector_size == 2048)
54717 error_sector <<= 2;
54718 error_sector &= ~(block_sectors - 1);
54719- good_bytes = (error_sector -
54720- blk_rq_pos(SCpnt->request)) << 9;
54721- if (good_bytes < 0 || good_bytes >= this_count)
54722+ if (error_sector >= blk_rq_pos(SCpnt->request)) {
54723+ good_bytes = (error_sector -
54724+ blk_rq_pos(SCpnt->request)) << 9;
54725+ if (good_bytes >= this_count)
54726+ good_bytes = 0;
54727+ } else
54728 good_bytes = 0;
54729 /*
54730 * The SCSI specification allows for the value
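Review bot: The new bound check tests `good_bytes` only after `(error_sector - blk_rq_pos(SCpnt->request)) << 9` has been narrowed from `sector_t` to `unsigned int`, so a large sector difference can truncate to a value below `this_count` and be accepted. `error_sector` is assigned outside this hunk and appears to be derived from device-reported sense data, so the difference should not be assumed small. Comparing in sectors before narrowing avoids that: `sector_t delta = error_sector - blk_rq_pos(SCpnt->request);` followed by `good_bytes = delta < DIV_ROUND_UP(this_count, 512) ? delta << 9 : 0;`. The unbraced `else` next to a braced `if` should also get braces.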
54731diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c
54732index c0d660f..24a5854 100644
54733--- a/drivers/soc/tegra/fuse/fuse-tegra.c
54734+++ b/drivers/soc/tegra/fuse/fuse-tegra.c
54735@@ -71,7 +71,7 @@ static ssize_t fuse_read(struct file *fd, struct kobject *kobj,
54736 return i;
54737 }
54738
54739-static struct bin_attribute fuse_bin_attr = {
54740+static bin_attribute_no_const fuse_bin_attr = {
54741 .attr = { .name = "fuse", .mode = S_IRUGO, },
54742 .read = fuse_read,
54743 };
54744diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
54745index cf8b91b..a13d434 100644
54746--- a/drivers/spi/spi.c
54747+++ b/drivers/spi/spi.c
54748@@ -2216,7 +2216,7 @@ int spi_bus_unlock(struct spi_master *master)
54749 EXPORT_SYMBOL_GPL(spi_bus_unlock);
54750
54751 /* portable code must never pass more than 32 bytes */
54752-#define SPI_BUFSIZ max(32, SMP_CACHE_BYTES)
54753+#define SPI_BUFSIZ max(32UL, SMP_CACHE_BYTES)
54754
54755 static u8 *buf;
54756
54757diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
54758index c7de641..ff76c07 100644
54759--- a/drivers/spi/spidev.c
54760+++ b/drivers/spi/spidev.c
54761@@ -95,7 +95,7 @@ MODULE_PARM_DESC(bufsiz, "data bytes in biggest supported SPI message");
54762
54763 /*-------------------------------------------------------------------------*/
54764
54765-static ssize_t
54766+static ssize_t __intentional_overflow(-1)
54767 spidev_sync(struct spidev_data *spidev, struct spi_message *message)
54768 {
54769 DECLARE_COMPLETION_ONSTACK(done);
54770diff --git a/drivers/staging/android/timed_output.c b/drivers/staging/android/timed_output.c
54771index b41429f..2de5373 100644
54772--- a/drivers/staging/android/timed_output.c
54773+++ b/drivers/staging/android/timed_output.c
54774@@ -25,7 +25,7 @@
54775 #include "timed_output.h"
54776
54777 static struct class *timed_output_class;
54778-static atomic_t device_count;
54779+static atomic_unchecked_t device_count;
54780
54781 static ssize_t enable_show(struct device *dev, struct device_attribute *attr,
54782 char *buf)
54783@@ -65,7 +65,7 @@ static int create_timed_output_class(void)
54784 timed_output_class = class_create(THIS_MODULE, "timed_output");
54785 if (IS_ERR(timed_output_class))
54786 return PTR_ERR(timed_output_class);
54787- atomic_set(&device_count, 0);
54788+ atomic_set_unchecked(&device_count, 0);
54789 timed_output_class->dev_groups = timed_output_groups;
54790 }
54791
54792@@ -83,7 +83,7 @@ int timed_output_dev_register(struct timed_output_dev *tdev)
54793 if (ret < 0)
54794 return ret;
54795
54796- tdev->index = atomic_inc_return(&device_count);
54797+ tdev->index = atomic_inc_return_unchecked(&device_count);
54798 tdev->dev = device_create(timed_output_class, NULL,
54799 MKDEV(0, tdev->index), NULL, "%s", tdev->name);
54800 if (IS_ERR(tdev->dev))
54801diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
54802index 985d94b..49c59fb 100644
54803--- a/drivers/staging/comedi/comedi_fops.c
54804+++ b/drivers/staging/comedi/comedi_fops.c
54805@@ -314,8 +314,8 @@ static void comedi_file_reset(struct file *file)
54806 }
54807 cfp->last_attached = dev->attached;
54808 cfp->last_detach_count = dev->detach_count;
54809- ACCESS_ONCE(cfp->read_subdev) = read_s;
54810- ACCESS_ONCE(cfp->write_subdev) = write_s;
54811+ ACCESS_ONCE_RW(cfp->read_subdev) = read_s;
54812+ ACCESS_ONCE_RW(cfp->write_subdev) = write_s;
54813 }
54814
54815 static void comedi_file_check(struct file *file)
54816@@ -1983,7 +1983,7 @@ static int do_setrsubd_ioctl(struct comedi_device *dev, unsigned long arg,
54817 !(s_old->async->cmd.flags & CMDF_WRITE))
54818 return -EBUSY;
54819
54820- ACCESS_ONCE(cfp->read_subdev) = s_new;
54821+ ACCESS_ONCE_RW(cfp->read_subdev) = s_new;
54822 return 0;
54823 }
54824
54825@@ -2025,7 +2025,7 @@ static int do_setwsubd_ioctl(struct comedi_device *dev, unsigned long arg,
54826 (s_old->async->cmd.flags & CMDF_WRITE))
54827 return -EBUSY;
54828
54829- ACCESS_ONCE(cfp->write_subdev) = s_new;
54830+ ACCESS_ONCE_RW(cfp->write_subdev) = s_new;
54831 return 0;
54832 }
54833
54834diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
54835index 9cc8141..ffd5039 100644
54836--- a/drivers/staging/fbtft/fbtft-core.c
54837+++ b/drivers/staging/fbtft/fbtft-core.c
54838@@ -681,7 +681,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
54839 {
54840 struct fb_info *info;
54841 struct fbtft_par *par;
54842- struct fb_ops *fbops = NULL;
54843+ fb_ops_no_const *fbops = NULL;
54844 struct fb_deferred_io *fbdefio = NULL;
54845 struct fbtft_platform_data *pdata = dev->platform_data;
54846 u8 *vmem = NULL;
54847diff --git a/drivers/staging/fbtft/fbtft.h b/drivers/staging/fbtft/fbtft.h
54848index 7d817eb..d22e49e 100644
54849--- a/drivers/staging/fbtft/fbtft.h
54850+++ b/drivers/staging/fbtft/fbtft.h
54851@@ -106,7 +106,7 @@ struct fbtft_ops {
54852
54853 int (*set_var)(struct fbtft_par *par);
54854 int (*set_gamma)(struct fbtft_par *par, unsigned long *curves);
54855-};
54856+} __no_const;
54857
54858 /**
54859 * struct fbtft_display - Describes the display properties
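Review bot: `struct fbtft_ops` is tagged `__no_const` without a comment naming the runtime assignment that requires the table to stay writable, and the same bare tag is added to the structs in lustre_dlm.h, obd.h, hal_intf.h, rtl871x_io.h and visorbus_private.h. Since the tag opts a function-pointer table out of constification, a short comment next to each one, such as `/* __no_const: members are assigned at runtime in <function> */` with the actual writer filled in, would show that the exemption is needed rather than a build workaround. The struct definition starts above the hunk.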
54860diff --git a/drivers/staging/gdm724x/gdm_tty.c b/drivers/staging/gdm724x/gdm_tty.c
54861index 001348c..cfaac8a 100644
54862--- a/drivers/staging/gdm724x/gdm_tty.c
54863+++ b/drivers/staging/gdm724x/gdm_tty.c
54864@@ -44,7 +44,7 @@
54865 #define gdm_tty_send_control(n, r, v, d, l) (\
54866 n->tty_dev->send_control(n->tty_dev->priv_dev, r, v, d, l))
54867
54868-#define GDM_TTY_READY(gdm) (gdm && gdm->tty_dev && gdm->port.count)
54869+#define GDM_TTY_READY(gdm) (gdm && gdm->tty_dev && atomic_read(&gdm->port.count))
54870
54871 static struct tty_driver *gdm_driver[TTY_MAX_COUNT];
54872 static struct gdm *gdm_table[TTY_MAX_COUNT][GDM_TTY_MINOR];
54873diff --git a/drivers/staging/iio/accel/lis3l02dq_ring.c b/drivers/staging/iio/accel/lis3l02dq_ring.c
54874index b892f2c..9b4898a 100644
54875--- a/drivers/staging/iio/accel/lis3l02dq_ring.c
54876+++ b/drivers/staging/iio/accel/lis3l02dq_ring.c
54877@@ -118,7 +118,7 @@ static int lis3l02dq_get_buffer_element(struct iio_dev *indio_dev,
54878 int scan_count = bitmap_weight(indio_dev->active_scan_mask,
54879 indio_dev->masklength);
54880
54881- rx_array = kcalloc(4, scan_count, GFP_KERNEL);
54882+ rx_array = kcalloc(scan_count, 4, GFP_KERNEL);
54883 if (!rx_array)
54884 return -ENOMEM;
54885 ret = lis3l02dq_read_all(indio_dev, rx_array);
54886diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c
54887index d98e229..9c59bc2 100644
54888--- a/drivers/staging/iio/adc/ad7280a.c
54889+++ b/drivers/staging/iio/adc/ad7280a.c
54890@@ -547,8 +547,8 @@ static int ad7280_attr_init(struct ad7280_state *st)
54891 {
54892 int dev, ch, cnt;
54893
54894- st->iio_attr = kcalloc(2, sizeof(*st->iio_attr) *
54895- (st->slave_num + 1) * AD7280A_CELLS_PER_DEV,
54896+ st->iio_attr = kcalloc(sizeof(*st->iio_attr) *
54897+ (st->slave_num + 1) * AD7280A_CELLS_PER_DEV, 2,
54898 GFP_KERNEL);
54899 if (st->iio_attr == NULL)
54900 return -ENOMEM;
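Review bot: Swapping the arguments leaves the product `sizeof(*st->iio_attr) * (st->slave_num + 1) * AD7280A_CELLS_PER_DEV` outside `kcalloc()`'s overflow check, which only covers the multiplication of its two arguments. Passing the element size on its own lets the allocator check it against the count: `st->iio_attr = kcalloc(2 * (st->slave_num + 1) * AD7280A_CELLS_PER_DEV, sizeof(*st->iio_attr), GFP_KERNEL);`. The range of `slave_num` is not visible here, so whether the product can actually grow large is unconfirmed.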
54901diff --git a/drivers/staging/lustre/lnet/selftest/brw_test.c b/drivers/staging/lustre/lnet/selftest/brw_test.c
54902index de11f1b..f7181cf 100644
54903--- a/drivers/staging/lustre/lnet/selftest/brw_test.c
54904+++ b/drivers/staging/lustre/lnet/selftest/brw_test.c
54905@@ -487,13 +487,11 @@ brw_server_handle(struct srpc_server_rpc *rpc)
54906 return 0;
54907 }
54908
54909-sfw_test_client_ops_t brw_test_client;
54910-void brw_init_test_client(void)
54911-{
54912- brw_test_client.tso_init = brw_client_init;
54913- brw_test_client.tso_fini = brw_client_fini;
54914- brw_test_client.tso_prep_rpc = brw_client_prep_rpc;
54915- brw_test_client.tso_done_rpc = brw_client_done_rpc;
54916+sfw_test_client_ops_t brw_test_client = {
54917+ .tso_init = brw_client_init,
54918+ .tso_fini = brw_client_fini,
54919+ .tso_prep_rpc = brw_client_prep_rpc,
54920+ .tso_done_rpc = brw_client_done_rpc,
54921 };
54922
54923 srpc_service_t brw_test_service;
54924diff --git a/drivers/staging/lustre/lnet/selftest/framework.c b/drivers/staging/lustre/lnet/selftest/framework.c
54925index 7c5185a..51c2ae7 100644
54926--- a/drivers/staging/lustre/lnet/selftest/framework.c
54927+++ b/drivers/staging/lustre/lnet/selftest/framework.c
54928@@ -1628,12 +1628,10 @@ static srpc_service_t sfw_services[] = {
54929
54930 extern sfw_test_client_ops_t ping_test_client;
54931 extern srpc_service_t ping_test_service;
54932-extern void ping_init_test_client(void);
54933 extern void ping_init_test_service(void);
54934
54935 extern sfw_test_client_ops_t brw_test_client;
54936 extern srpc_service_t brw_test_service;
54937-extern void brw_init_test_client(void);
54938 extern void brw_init_test_service(void);
54939
54940
54941@@ -1675,12 +1673,10 @@ sfw_startup(void)
54942 INIT_LIST_HEAD(&sfw_data.fw_zombie_rpcs);
54943 INIT_LIST_HEAD(&sfw_data.fw_zombie_sessions);
54944
54945- brw_init_test_client();
54946 brw_init_test_service();
54947 rc = sfw_register_test(&brw_test_service, &brw_test_client);
54948 LASSERT(rc == 0);
54949
54950- ping_init_test_client();
54951 ping_init_test_service();
54952 rc = sfw_register_test(&ping_test_service, &ping_test_client);
54953 LASSERT(rc == 0);
54954diff --git a/drivers/staging/lustre/lnet/selftest/ping_test.c b/drivers/staging/lustre/lnet/selftest/ping_test.c
54955index 1dab998..edfe0ac 100644
54956--- a/drivers/staging/lustre/lnet/selftest/ping_test.c
54957+++ b/drivers/staging/lustre/lnet/selftest/ping_test.c
54958@@ -211,14 +211,12 @@ ping_server_handle(struct srpc_server_rpc *rpc)
54959 return 0;
54960 }
54961
54962-sfw_test_client_ops_t ping_test_client;
54963-void ping_init_test_client(void)
54964-{
54965- ping_test_client.tso_init = ping_client_init;
54966- ping_test_client.tso_fini = ping_client_fini;
54967- ping_test_client.tso_prep_rpc = ping_client_prep_rpc;
54968- ping_test_client.tso_done_rpc = ping_client_done_rpc;
54969-}
54970+sfw_test_client_ops_t ping_test_client = {
54971+ .tso_init = ping_client_init,
54972+ .tso_fini = ping_client_fini,
54973+ .tso_prep_rpc = ping_client_prep_rpc,
54974+ .tso_done_rpc = ping_client_done_rpc,
54975+};
54976
54977 srpc_service_t ping_test_service;
54978 void ping_init_test_service(void)
54979diff --git a/drivers/staging/lustre/lustre/include/lustre_dlm.h b/drivers/staging/lustre/lustre/include/lustre_dlm.h
54980index f6f4c03..cdc3556 100644
54981--- a/drivers/staging/lustre/lustre/include/lustre_dlm.h
54982+++ b/drivers/staging/lustre/lustre/include/lustre_dlm.h
54983@@ -1107,7 +1107,7 @@ struct ldlm_callback_suite {
54984 ldlm_completion_callback lcs_completion;
54985 ldlm_blocking_callback lcs_blocking;
54986 ldlm_glimpse_callback lcs_glimpse;
54987-};
54988+} __no_const;
54989
54990 /* ldlm_lockd.c */
54991 int ldlm_del_waiting_lock(struct ldlm_lock *lock);
54992diff --git a/drivers/staging/lustre/lustre/include/obd.h b/drivers/staging/lustre/lustre/include/obd.h
54993index 55452e5..43b0f2f 100644
54994--- a/drivers/staging/lustre/lustre/include/obd.h
54995+++ b/drivers/staging/lustre/lustre/include/obd.h
54996@@ -1364,7 +1364,7 @@ struct md_ops {
54997 * lprocfs_alloc_md_stats() in obdclass/lprocfs_status.c. Also, add a
54998 * wrapper function in include/linux/obd_class.h.
54999 */
55000-};
55001+} __no_const;
55002
55003 struct lsm_operations {
55004 void (*lsm_free)(struct lov_stripe_md *);
55005diff --git a/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c b/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55006index a4c252f..b21acac 100644
55007--- a/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55008+++ b/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55009@@ -258,7 +258,7 @@ ldlm_process_flock_lock(struct ldlm_lock *req, __u64 *flags, int first_enq,
55010 int added = (mode == LCK_NL);
55011 int overlaps = 0;
55012 int splitted = 0;
55013- const struct ldlm_callback_suite null_cbs = { NULL };
55014+ const struct ldlm_callback_suite null_cbs = { };
55015
55016 CDEBUG(D_DLMTRACE,
55017 "flags %#llx owner %llu pid %u mode %u start %llu end %llu\n",
55018diff --git a/drivers/staging/lustre/lustre/libcfs/module.c b/drivers/staging/lustre/lustre/libcfs/module.c
55019index e60b2e9..ad9ceb3 100644
55020--- a/drivers/staging/lustre/lustre/libcfs/module.c
55021+++ b/drivers/staging/lustre/lustre/libcfs/module.c
55022@@ -377,11 +377,11 @@ out:
55023
55024
55025 struct cfs_psdev_ops libcfs_psdev_ops = {
55026- libcfs_psdev_open,
55027- libcfs_psdev_release,
55028- NULL,
55029- NULL,
55030- libcfs_ioctl
55031+ .p_open = libcfs_psdev_open,
55032+ .p_close = libcfs_psdev_release,
55033+ .p_read = NULL,
55034+ .p_write = NULL,
55035+ .p_ioctl = libcfs_ioctl
55036 };
55037
55038 static int init_libcfs_module(void)
55039@@ -623,7 +623,7 @@ static int proc_console_max_delay_cs(struct ctl_table *table, int write,
55040 loff_t *ppos)
55041 {
55042 int rc, max_delay_cs;
55043- struct ctl_table dummy = *table;
55044+ ctl_table_no_const dummy = *table;
55045 long d;
55046
55047 dummy.data = &max_delay_cs;
55048@@ -656,7 +656,7 @@ static int proc_console_min_delay_cs(struct ctl_table *table, int write,
55049 loff_t *ppos)
55050 {
55051 int rc, min_delay_cs;
55052- struct ctl_table dummy = *table;
55053+ ctl_table_no_const dummy = *table;
55054 long d;
55055
55056 dummy.data = &min_delay_cs;
55057@@ -688,7 +688,7 @@ static int proc_console_backoff(struct ctl_table *table, int write,
55058 void __user *buffer, size_t *lenp, loff_t *ppos)
55059 {
55060 int rc, backoff;
55061- struct ctl_table dummy = *table;
55062+ ctl_table_no_const dummy = *table;
55063
55064 dummy.data = &backoff;
55065 dummy.proc_handler = &proc_dointvec;
55066diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c
55067index 22853d3..cfa3c49 100644
55068--- a/drivers/staging/octeon/ethernet-rx.c
55069+++ b/drivers/staging/octeon/ethernet-rx.c
55070@@ -335,14 +335,14 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget)
55071 /* Increment RX stats for virtual ports */
55072 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
55073 #ifdef CONFIG_64BIT
55074- atomic64_add(1,
55075+ atomic64_add_unchecked(1,
55076 (atomic64_t *)&priv->stats.rx_packets);
55077- atomic64_add(skb->len,
55078+ atomic64_add_unchecked(skb->len,
55079 (atomic64_t *)&priv->stats.rx_bytes);
55080 #else
55081- atomic_add(1,
55082+ atomic_add_unchecked(1,
55083 (atomic_t *)&priv->stats.rx_packets);
55084- atomic_add(skb->len,
55085+ atomic_add_unchecked(skb->len,
55086 (atomic_t *)&priv->stats.rx_bytes);
55087 #endif
55088 }
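Review bot: The calls become `atomic64_add_unchecked()` and `atomic_add_unchecked()`, but the argument casts on the unchanged lines are still `(atomic64_t *)` and `(atomic_t *)`, both here and in the `rx_dropped` hunk that follows. The ethernet.c change in the same patch casts to `(atomic64_unchecked_t *)` and `(atomic_unchecked_t *)`; in configurations where the unchecked types are distinct from the checked ones, these calls pass a mismatched pointer type. The casts should follow the callee, e.g. `(atomic64_unchecked_t *)&priv->stats.rx_packets`. `cvm_oct_napi_poll` starts and ends outside the hunk.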
55089@@ -354,10 +354,10 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget)
55090 dev->name);
55091 */
55092 #ifdef CONFIG_64BIT
55093- atomic64_add(1,
55094+ atomic64_add_unchecked(1,
55095 (atomic64_t *)&priv->stats.rx_dropped);
55096 #else
55097- atomic_add(1,
55098+ atomic_add_unchecked(1,
55099 (atomic_t *)&priv->stats.rx_dropped);
55100 #endif
55101 dev_kfree_skb_irq(skb);
55102diff --git a/drivers/staging/octeon/ethernet.c b/drivers/staging/octeon/ethernet.c
55103index f9dba23..7bc0ef3 100644
55104--- a/drivers/staging/octeon/ethernet.c
55105+++ b/drivers/staging/octeon/ethernet.c
55106@@ -231,11 +231,11 @@ static struct net_device_stats *cvm_oct_common_get_stats(struct net_device *dev)
55107 * since the RX tasklet also increments it.
55108 */
55109 #ifdef CONFIG_64BIT
55110- atomic64_add(rx_status.dropped_packets,
55111- (atomic64_t *)&priv->stats.rx_dropped);
55112+ atomic64_add_unchecked(rx_status.dropped_packets,
55113+ (atomic64_unchecked_t *)&priv->stats.rx_dropped);
55114 #else
55115- atomic_add(rx_status.dropped_packets,
55116- (atomic_t *)&priv->stats.rx_dropped);
55117+ atomic_add_unchecked(rx_status.dropped_packets,
55118+ (atomic_unchecked_t *)&priv->stats.rx_dropped);
55119 #endif
55120 }
55121
55122diff --git a/drivers/staging/rtl8188eu/include/hal_intf.h b/drivers/staging/rtl8188eu/include/hal_intf.h
55123index 3b476d8..f522d68 100644
55124--- a/drivers/staging/rtl8188eu/include/hal_intf.h
55125+++ b/drivers/staging/rtl8188eu/include/hal_intf.h
55126@@ -225,7 +225,7 @@ struct hal_ops {
55127
55128 void (*hal_notch_filter)(struct adapter *adapter, bool enable);
55129 void (*hal_reset_security_engine)(struct adapter *adapter);
55130-};
55131+} __no_const;
55132
55133 enum rt_eeprom_type {
55134 EEPROM_93C46,
55135diff --git a/drivers/staging/rtl8712/rtl871x_io.h b/drivers/staging/rtl8712/rtl871x_io.h
55136index 070cc03..6806e37 100644
55137--- a/drivers/staging/rtl8712/rtl871x_io.h
55138+++ b/drivers/staging/rtl8712/rtl871x_io.h
55139@@ -108,7 +108,7 @@ struct _io_ops {
55140 u8 *pmem);
55141 u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt,
55142 u8 *pmem);
55143-};
55144+} __no_const;
55145
55146 struct io_req {
55147 struct list_head list;
55148diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
55149index 8e201f1..bf2a28d 100644
55150--- a/drivers/staging/sm750fb/sm750.c
55151+++ b/drivers/staging/sm750fb/sm750.c
55152@@ -775,6 +775,7 @@ static struct fb_ops lynxfb_ops = {
55153 .fb_set_par = lynxfb_ops_set_par,
55154 .fb_setcolreg = lynxfb_ops_setcolreg,
55155 .fb_blank = lynxfb_ops_blank,
55156+ .fb_pan_display = lynxfb_ops_pan_display,
55157 .fb_fillrect = cfb_fillrect,
55158 .fb_imageblit = cfb_imageblit,
55159 .fb_copyarea = cfb_copyarea,
55160@@ -822,8 +823,10 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55161 par->index = index;
55162 output->channel = &crtc->channel;
55163 sm750fb_set_drv(par);
55164- lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;
55165
55166+ pax_open_kernel();
55167+ *(void **)&lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;
55168+ pax_close_kernel();
55169
55170 /* set current cursor variable and proc pointer,
55171 * must be set after crtc member initialized */
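Review bot: The store `*(void **)&lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;` in `lynxfb_set_fbinfo` is redundant, because the previous hunk already sets `.fb_pan_display = lynxfb_ops_pan_display` in the static initializer of `lynxfb_ops`. Dropping the three added lines removes one `pax_open_kernel()` window and one untyped function-pointer write with no change in behaviour. The function body extends beyond the hunk.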
55172@@ -845,7 +848,9 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55173 crtc->cursor.share = share;
55174 memset_io(crtc->cursor.vstart, 0, crtc->cursor.size);
55175 if (!g_hwcursor) {
55176- lynxfb_ops.fb_cursor = NULL;
55177+ pax_open_kernel();
55178+ *(void **)&lynxfb_ops.fb_cursor = NULL;
55179+ pax_close_kernel();
55180 crtc->cursor.disable(&crtc->cursor);
55181 }
55182
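Review bot: `lynxfb_ops` is a single static table, yet the write `*(void **)&lynxfb_ops.fb_cursor = NULL;` here and the three accelerated-drawing writes in the next hunk are made inside `lynxfb_set_fbinfo` and depend on `g_hwcursor` and the per-device `share->accel_off`. Because `info->fbops` points at that one table, a device set up later can change the handlers already in use by an earlier one, and each change needs a kernel write window. Choosing among prebuilt read-only `fb_ops` variants and assigning the chosen pointer to `info->fbops` would avoid both; that is a larger refactor than this hunk and is offered as a direction.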
55183@@ -853,9 +858,11 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55184 /* set info->fbops, must be set before fb_find_mode */
55185 if (!share->accel_off) {
55186 /* use 2d acceleration */
55187- lynxfb_ops.fb_fillrect = lynxfb_ops_fillrect;
55188- lynxfb_ops.fb_copyarea = lynxfb_ops_copyarea;
55189- lynxfb_ops.fb_imageblit = lynxfb_ops_imageblit;
55190+ pax_open_kernel();
55191+ *(void **)&lynxfb_ops.fb_fillrect = lynxfb_ops_fillrect;
55192+ *(void **)&lynxfb_ops.fb_copyarea = lynxfb_ops_copyarea;
55193+ *(void **)&lynxfb_ops.fb_imageblit = lynxfb_ops_imageblit;
55194+ pax_close_kernel();
55195 }
55196 info->fbops = &lynxfb_ops;
55197
55198diff --git a/drivers/staging/unisys/visorbus/visorbus_private.h b/drivers/staging/unisys/visorbus/visorbus_private.h
55199index 2f12483..6e1b50a 100644
55200--- a/drivers/staging/unisys/visorbus/visorbus_private.h
55201+++ b/drivers/staging/unisys/visorbus/visorbus_private.h
55202@@ -35,7 +35,7 @@ struct visorchipset_busdev_notifiers {
55203 void (*device_destroy)(struct visor_device *bus_info);
55204 void (*device_pause)(struct visor_device *bus_info);
55205 void (*device_resume)(struct visor_device *bus_info);
55206-};
55207+} __no_const;
55208
55209 /* These functions live inside visorchipset, and will be called to indicate
55210 * responses to specific events (by code outside of visorchipset).
55211@@ -50,7 +50,7 @@ struct visorchipset_busdev_responders {
55212 void (*device_destroy)(struct visor_device *p, int response);
55213 void (*device_pause)(struct visor_device *p, int response);
55214 void (*device_resume)(struct visor_device *p, int response);
55215-};
55216+} __no_const;
55217
55218 /** Register functions (in the bus driver) to get called by visorchipset
55219 * whenever a bus or device appears for which this guest is to be the
55220diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c
55221index 0edf320..49afe95 100644
55222--- a/drivers/target/sbp/sbp_target.c
55223+++ b/drivers/target/sbp/sbp_target.c
55224@@ -60,7 +60,7 @@ static const u32 sbp_unit_directory_template[] = {
55225
55226 #define SESSION_MAINTENANCE_INTERVAL HZ
55227
55228-static atomic_t login_id = ATOMIC_INIT(0);
55229+static atomic_unchecked_t login_id = ATOMIC_INIT(0);
55230
55231 static void session_maintenance_work(struct work_struct *);
55232 static int sbp_run_transaction(struct fw_card *, int, int, int, int,
55233@@ -441,7 +441,7 @@ static void sbp_management_request_login(
55234 login->login_lun = unpacked_lun;
55235 login->status_fifo_addr = sbp2_pointer_to_addr(&req->orb.status_fifo);
55236 login->exclusive = LOGIN_ORB_EXCLUSIVE(be32_to_cpu(req->orb.misc));
55237- login->login_id = atomic_inc_return(&login_id);
55238+ login->login_id = atomic_inc_return_unchecked(&login_id);
55239
55240 login->tgt_agt = sbp_target_agent_register(login);
55241 if (IS_ERR(login->tgt_agt)) {
55242diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
55243index 09e682b..1980042 100644
55244--- a/drivers/target/target_core_device.c
55245+++ b/drivers/target/target_core_device.c
55246@@ -771,7 +771,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
55247 spin_lock_init(&dev->se_tmr_lock);
55248 spin_lock_init(&dev->qf_cmd_lock);
55249 sema_init(&dev->caw_sem, 1);
55250- atomic_set(&dev->dev_ordered_id, 0);
55251+ atomic_set_unchecked(&dev->dev_ordered_id, 0);
55252 INIT_LIST_HEAD(&dev->t10_wwn.t10_vpd_list);
55253 spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
55254 INIT_LIST_HEAD(&dev->t10_pr.registration_list);
55255diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
55256index ce8574b..98d6199 100644
55257--- a/drivers/target/target_core_transport.c
55258+++ b/drivers/target/target_core_transport.c
55259@@ -1181,7 +1181,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
55260 * Used to determine when ORDERED commands should go from
55261 * Dormant to Active status.
55262 */
55263- cmd->se_ordered_id = atomic_inc_return(&dev->dev_ordered_id);
55264+ cmd->se_ordered_id = atomic_inc_return_unchecked(&dev->dev_ordered_id);
55265 pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
55266 cmd->se_ordered_id, cmd->sam_task_attr,
55267 dev->transport->name);
55268diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
55269index 620dcd4..b91b5e0 100644
55270--- a/drivers/thermal/cpu_cooling.c
55271+++ b/drivers/thermal/cpu_cooling.c
55272@@ -831,10 +831,11 @@ __cpufreq_cooling_register(struct device_node *np,
55273 cpumask_copy(&cpufreq_dev->allowed_cpus, clip_cpus);
55274
55275 if (capacitance) {
55276- cpufreq_cooling_ops.get_requested_power =
55277- cpufreq_get_requested_power;
55278- cpufreq_cooling_ops.state2power = cpufreq_state2power;
55279- cpufreq_cooling_ops.power2state = cpufreq_power2state;
55280+ pax_open_kernel();
55281+ *(void **)&cpufreq_cooling_ops.get_requested_power = cpufreq_get_requested_power;
55282+ *(void **)&cpufreq_cooling_ops.state2power = cpufreq_state2power;
55283+ *(void **)&cpufreq_cooling_ops.power2state = cpufreq_power2state;
55284+ pax_close_kernel();
55285 cpufreq_dev->plat_get_static_power = plat_static_func;
55286
55287 ret = build_dyn_power_table(cpufreq_dev, capacitance);
55288diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c
55289index 031018e..90981a1 100644
55290--- a/drivers/thermal/int340x_thermal/int3400_thermal.c
55291+++ b/drivers/thermal/int340x_thermal/int3400_thermal.c
55292@@ -272,8 +272,10 @@ static int int3400_thermal_probe(struct platform_device *pdev)
55293 platform_set_drvdata(pdev, priv);
55294
55295 if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) {
55296- int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
55297- int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
55298+ pax_open_kernel();
55299+ *(void **)&int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
55300+ *(void **)&int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
55301+ pax_close_kernel();
55302 }
55303 priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0,
55304 priv, &int3400_thermal_ops,
55305diff --git a/drivers/thermal/of-thermal.c b/drivers/thermal/of-thermal.c
55306index b295b2b..f7e2a30 100644
55307--- a/drivers/thermal/of-thermal.c
55308+++ b/drivers/thermal/of-thermal.c
55309@@ -31,6 +31,7 @@
55310 #include <linux/export.h>
55311 #include <linux/string.h>
55312 #include <linux/thermal.h>
55313+#include <linux/mm.h>
55314
55315 #include "thermal_core.h"
55316
55317@@ -417,9 +418,11 @@ thermal_zone_of_add_sensor(struct device_node *zone,
55318 tz->ops = ops;
55319 tz->sensor_data = data;
55320
55321- tzd->ops->get_temp = of_thermal_get_temp;
55322- tzd->ops->get_trend = of_thermal_get_trend;
55323- tzd->ops->set_emul_temp = of_thermal_set_emul_temp;
55324+ pax_open_kernel();
55325+ *(void **)&tzd->ops->get_temp = of_thermal_get_temp;
55326+ *(void **)&tzd->ops->get_trend = of_thermal_get_trend;
55327+ *(void **)&tzd->ops->set_emul_temp = of_thermal_set_emul_temp;
55328+ pax_close_kernel();
55329 mutex_unlock(&tzd->lock);
55330
55331 return tzd;
55332@@ -549,9 +552,11 @@ void thermal_zone_of_sensor_unregister(struct device *dev,
55333 return;
55334
55335 mutex_lock(&tzd->lock);
55336- tzd->ops->get_temp = NULL;
55337- tzd->ops->get_trend = NULL;
55338- tzd->ops->set_emul_temp = NULL;
55339+ pax_open_kernel();
55340+ *(void **)&tzd->ops->get_temp = NULL;
55341+ *(void **)&tzd->ops->get_trend = NULL;
55342+ *(void **)&tzd->ops->set_emul_temp = NULL;
55343+ pax_close_kernel();
55344
55345 tz->ops = NULL;
55346 tz->sensor_data = NULL;
55347diff --git a/drivers/thermal/x86_pkg_temp_thermal.c b/drivers/thermal/x86_pkg_temp_thermal.c
55348index 50d1d2c..39c5ce0 100644
55349--- a/drivers/thermal/x86_pkg_temp_thermal.c
55350+++ b/drivers/thermal/x86_pkg_temp_thermal.c
55351@@ -567,7 +567,7 @@ static int pkg_temp_thermal_cpu_callback(struct notifier_block *nfb,
55352 return NOTIFY_OK;
55353 }
55354
55355-static struct notifier_block pkg_temp_thermal_notifier __refdata = {
55356+static struct notifier_block pkg_temp_thermal_notifier __refconst = {
55357 .notifier_call = pkg_temp_thermal_cpu_callback,
55358 };
55359
55360diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c
55361index 87f6578..905c8f8 100644
55362--- a/drivers/tty/cyclades.c
55363+++ b/drivers/tty/cyclades.c
55364@@ -1570,10 +1570,10 @@ static int cy_open(struct tty_struct *tty, struct file *filp)
55365 printk(KERN_DEBUG "cyc:cy_open ttyC%d, count = %d\n", info->line,
55366 info->port.count);
55367 #endif
55368- info->port.count++;
55369+ atomic_inc(&info->port.count);
55370 #ifdef CY_DEBUG_COUNT
55371 printk(KERN_DEBUG "cyc:cy_open (%d): incrementing count to %d\n",
55372- current->pid, info->port.count);
55373+ current->pid, atomic_read(&info->port.count));
55374 #endif
55375
55376 /*
55377@@ -3970,7 +3970,7 @@ static int cyclades_proc_show(struct seq_file *m, void *v)
55378 for (j = 0; j < cy_card[i].nports; j++) {
55379 info = &cy_card[i].ports[j];
55380
55381- if (info->port.count) {
55382+ if (atomic_read(&info->port.count)) {
55383 /* XXX is the ldisc num worth this? */
55384 struct tty_struct *tty;
55385 struct tty_ldisc *ld;
55386diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
55387index 4e9c4cc..2199d8f 100644
55388--- a/drivers/tty/hvc/hvc_console.c
55389+++ b/drivers/tty/hvc/hvc_console.c
55390@@ -343,7 +343,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
55391
55392 spin_lock_irqsave(&hp->port.lock, flags);
55393 /* Check and then increment for fast path open. */
55394- if (hp->port.count++ > 0) {
55395+ if (atomic_inc_return(&hp->port.count) > 1) {
55396 spin_unlock_irqrestore(&hp->port.lock, flags);
55397 hvc_kick();
55398 return 0;
55399@@ -398,7 +398,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
55400
55401 spin_lock_irqsave(&hp->port.lock, flags);
55402
55403- if (--hp->port.count == 0) {
55404+ if (atomic_dec_return(&hp->port.count) == 0) {
55405 spin_unlock_irqrestore(&hp->port.lock, flags);
55406 /* We are done with the tty pointer now. */
55407 tty_port_tty_set(&hp->port, NULL);
55408@@ -420,9 +420,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
55409 */
55410 tty_wait_until_sent_from_close(tty, HVC_CLOSE_WAIT);
55411 } else {
55412- if (hp->port.count < 0)
55413+ if (atomic_read(&hp->port.count) < 0)
55414 printk(KERN_ERR "hvc_close %X: oops, count is %d\n",
55415- hp->vtermno, hp->port.count);
55416+ hp->vtermno, atomic_read(&hp->port.count));
55417 spin_unlock_irqrestore(&hp->port.lock, flags);
55418 }
55419 }
55420@@ -452,12 +452,12 @@ static void hvc_hangup(struct tty_struct *tty)
55421 * open->hangup case this can be called after the final close so prevent
55422 * that from happening for now.
55423 */
55424- if (hp->port.count <= 0) {
55425+ if (atomic_read(&hp->port.count) <= 0) {
55426 spin_unlock_irqrestore(&hp->port.lock, flags);
55427 return;
55428 }
55429
55430- hp->port.count = 0;
55431+ atomic_set(&hp->port.count, 0);
55432 spin_unlock_irqrestore(&hp->port.lock, flags);
55433 tty_port_tty_set(&hp->port, NULL);
55434
55435@@ -505,7 +505,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count
55436 return -EPIPE;
55437
55438 /* FIXME what's this (unprotected) check for? */
55439- if (hp->port.count <= 0)
55440+ if (atomic_read(&hp->port.count) <= 0)
55441 return -EIO;
55442
55443 spin_lock_irqsave(&hp->lock, flags);
55444diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
55445index f7ff97c..0c0ebbf 100644
55446--- a/drivers/tty/hvc/hvcs.c
55447+++ b/drivers/tty/hvc/hvcs.c
55448@@ -83,6 +83,7 @@
55449 #include <asm/hvcserver.h>
55450 #include <asm/uaccess.h>
55451 #include <asm/vio.h>
55452+#include <asm/local.h>
55453
55454 /*
55455 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
55456@@ -416,7 +417,7 @@ static ssize_t hvcs_vterm_state_store(struct device *dev, struct device_attribut
55457
55458 spin_lock_irqsave(&hvcsd->lock, flags);
55459
55460- if (hvcsd->port.count > 0) {
55461+ if (atomic_read(&hvcsd->port.count) > 0) {
55462 spin_unlock_irqrestore(&hvcsd->lock, flags);
55463 printk(KERN_INFO "HVCS: vterm state unchanged. "
55464 "The hvcs device node is still in use.\n");
55465@@ -1127,7 +1128,7 @@ static int hvcs_install(struct tty_driver *driver, struct tty_struct *tty)
55466 }
55467 }
55468
55469- hvcsd->port.count = 0;
55470+ atomic_set(&hvcsd->port.count, 0);
55471 hvcsd->port.tty = tty;
55472 tty->driver_data = hvcsd;
55473
55474@@ -1180,7 +1181,7 @@ static int hvcs_open(struct tty_struct *tty, struct file *filp)
55475 unsigned long flags;
55476
55477 spin_lock_irqsave(&hvcsd->lock, flags);
55478- hvcsd->port.count++;
55479+ atomic_inc(&hvcsd->port.count);
55480 hvcsd->todo_mask |= HVCS_SCHED_READ;
55481 spin_unlock_irqrestore(&hvcsd->lock, flags);
55482
55483@@ -1216,7 +1217,7 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
55484 hvcsd = tty->driver_data;
55485
55486 spin_lock_irqsave(&hvcsd->lock, flags);
55487- if (--hvcsd->port.count == 0) {
55488+ if (atomic_dec_and_test(&hvcsd->port.count)) {
55489
55490 vio_disable_interrupts(hvcsd->vdev);
55491
55492@@ -1241,10 +1242,10 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
55493
55494 free_irq(irq, hvcsd);
55495 return;
55496- } else if (hvcsd->port.count < 0) {
55497+ } else if (atomic_read(&hvcsd->port.count) < 0) {
55498 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
55499 " is missmanaged.\n",
55500- hvcsd->vdev->unit_address, hvcsd->port.count);
55501+ hvcsd->vdev->unit_address, atomic_read(&hvcsd->port.count));
55502 }
55503
55504 spin_unlock_irqrestore(&hvcsd->lock, flags);
55505@@ -1266,7 +1267,7 @@ static void hvcs_hangup(struct tty_struct * tty)
55506
55507 spin_lock_irqsave(&hvcsd->lock, flags);
55508 /* Preserve this so that we know how many kref refs to put */
55509- temp_open_count = hvcsd->port.count;
55510+ temp_open_count = atomic_read(&hvcsd->port.count);
55511
55512 /*
55513 * Don't kref put inside the spinlock because the destruction
55514@@ -1281,7 +1282,7 @@ static void hvcs_hangup(struct tty_struct * tty)
55515 tty->driver_data = NULL;
55516 hvcsd->port.tty = NULL;
55517
55518- hvcsd->port.count = 0;
55519+ atomic_set(&hvcsd->port.count, 0);
55520
55521 /* This will drop any buffered data on the floor which is OK in a hangup
55522 * scenario. */
55523@@ -1352,7 +1353,7 @@ static int hvcs_write(struct tty_struct *tty,
55524 * the middle of a write operation? This is a crummy place to do this
55525 * but we want to keep it all in the spinlock.
55526 */
55527- if (hvcsd->port.count <= 0) {
55528+ if (atomic_read(&hvcsd->port.count) <= 0) {
55529 spin_unlock_irqrestore(&hvcsd->lock, flags);
55530 return -ENODEV;
55531 }
55532@@ -1426,7 +1427,7 @@ static int hvcs_write_room(struct tty_struct *tty)
55533 {
55534 struct hvcs_struct *hvcsd = tty->driver_data;
55535
55536- if (!hvcsd || hvcsd->port.count <= 0)
55537+ if (!hvcsd || atomic_read(&hvcsd->port.count) <= 0)
55538 return 0;
55539
55540 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
55541diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c
55542index 4190199..06d5bfa 100644
55543--- a/drivers/tty/hvc/hvsi.c
55544+++ b/drivers/tty/hvc/hvsi.c
55545@@ -85,7 +85,7 @@ struct hvsi_struct {
55546 int n_outbuf;
55547 uint32_t vtermno;
55548 uint32_t virq;
55549- atomic_t seqno; /* HVSI packet sequence number */
55550+ atomic_unchecked_t seqno; /* HVSI packet sequence number */
55551 uint16_t mctrl;
55552 uint8_t state; /* HVSI protocol state */
55553 uint8_t flags;
55554@@ -295,7 +295,7 @@ static int hvsi_version_respond(struct hvsi_struct *hp, uint16_t query_seqno)
55555
55556 packet.hdr.type = VS_QUERY_RESPONSE_PACKET_HEADER;
55557 packet.hdr.len = sizeof(struct hvsi_query_response);
55558- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
55559+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
55560 packet.verb = VSV_SEND_VERSION_NUMBER;
55561 packet.u.version = HVSI_VERSION;
55562 packet.query_seqno = query_seqno+1;
55563@@ -555,7 +555,7 @@ static int hvsi_query(struct hvsi_struct *hp, uint16_t verb)
55564
55565 packet.hdr.type = VS_QUERY_PACKET_HEADER;
55566 packet.hdr.len = sizeof(struct hvsi_query);
55567- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
55568+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
55569 packet.verb = verb;
55570
55571 pr_debug("%s: sending %i bytes\n", __func__, packet.hdr.len);
55572@@ -597,7 +597,7 @@ static int hvsi_set_mctrl(struct hvsi_struct *hp, uint16_t mctrl)
55573 int wrote;
55574
55575 packet.hdr.type = VS_CONTROL_PACKET_HEADER,
55576- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
55577+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
55578 packet.hdr.len = sizeof(struct hvsi_control);
55579 packet.verb = VSV_SET_MODEM_CTL;
55580 packet.mask = HVSI_TSDTR;
55581@@ -680,7 +680,7 @@ static int hvsi_put_chars(struct hvsi_struct *hp, const char *buf, int count)
55582 BUG_ON(count > HVSI_MAX_OUTGOING_DATA);
55583
55584 packet.hdr.type = VS_DATA_PACKET_HEADER;
55585- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
55586+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
55587 packet.hdr.len = count + sizeof(struct hvsi_header);
55588 memcpy(&packet.data, buf, count);
55589
55590@@ -697,7 +697,7 @@ static void hvsi_close_protocol(struct hvsi_struct *hp)
55591 struct hvsi_control packet __ALIGNED__;
55592
55593 packet.hdr.type = VS_CONTROL_PACKET_HEADER;
55594- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
55595+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
55596 packet.hdr.len = 6;
55597 packet.verb = VSV_CLOSE_PROTOCOL;
55598
55599@@ -725,7 +725,7 @@ static int hvsi_open(struct tty_struct *tty, struct file *filp)
55600
55601 tty_port_tty_set(&hp->port, tty);
55602 spin_lock_irqsave(&hp->lock, flags);
55603- hp->port.count++;
55604+ atomic_inc(&hp->port.count);
55605 atomic_set(&hp->seqno, 0);
55606 h_vio_signal(hp->vtermno, VIO_IRQ_ENABLE);
55607 spin_unlock_irqrestore(&hp->lock, flags);
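Review bot: The context line `atomic_set(&hp->seqno, 0);` is left unchanged in this hunk although an earlier hunk of this file changes `seqno` to `atomic_unchecked_t`, so the call mismatches the new field type wherever `atomic_unchecked_t` is a distinct type. Every other `seqno` access in this file was converted to `atomic_inc_return_unchecked`, and the hvsi_lib.c hunk uses `atomic_set_unchecked` for the equivalent reset. The line should read `atomic_set_unchecked(&hp->seqno, 0);`. hvsi_open continues outside the hunk.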
55608@@ -782,7 +782,7 @@ static void hvsi_close(struct tty_struct *tty, struct file *filp)
55609
55610 spin_lock_irqsave(&hp->lock, flags);
55611
55612- if (--hp->port.count == 0) {
55613+ if (atomic_dec_return(&hp->port.count) == 0) {
55614 tty_port_tty_set(&hp->port, NULL);
55615 hp->inbuf_end = hp->inbuf; /* discard remaining partial packets */
55616
55617@@ -815,9 +815,9 @@ static void hvsi_close(struct tty_struct *tty, struct file *filp)
55618
55619 spin_lock_irqsave(&hp->lock, flags);
55620 }
55621- } else if (hp->port.count < 0)
55622+ } else if (atomic_read(&hp->port.count) < 0)
55623 printk(KERN_ERR "hvsi_close %lu: oops, count is %d\n",
55624- hp - hvsi_ports, hp->port.count);
55625+ hp - hvsi_ports, atomic_read(&hp->port.count));
55626
55627 spin_unlock_irqrestore(&hp->lock, flags);
55628 }
55629@@ -832,7 +832,7 @@ static void hvsi_hangup(struct tty_struct *tty)
55630 tty_port_tty_set(&hp->port, NULL);
55631
55632 spin_lock_irqsave(&hp->lock, flags);
55633- hp->port.count = 0;
55634+ atomic_set(&hp->port.count, 0);
55635 hp->n_outbuf = 0;
55636 spin_unlock_irqrestore(&hp->lock, flags);
55637 }
55638diff --git a/drivers/tty/hvc/hvsi_lib.c b/drivers/tty/hvc/hvsi_lib.c
55639index a270f04..7c77b5d 100644
55640--- a/drivers/tty/hvc/hvsi_lib.c
55641+++ b/drivers/tty/hvc/hvsi_lib.c
55642@@ -8,7 +8,7 @@
55643
55644 static int hvsi_send_packet(struct hvsi_priv *pv, struct hvsi_header *packet)
55645 {
55646- packet->seqno = cpu_to_be16(atomic_inc_return(&pv->seqno));
55647+ packet->seqno = cpu_to_be16(atomic_inc_return_unchecked(&pv->seqno));
55648
55649 /* Assumes that always succeeds, works in practice */
55650 return pv->put_chars(pv->termno, (char *)packet, packet->len);
55651@@ -20,7 +20,7 @@ static void hvsi_start_handshake(struct hvsi_priv *pv)
55652
55653 /* Reset state */
55654 pv->established = 0;
55655- atomic_set(&pv->seqno, 0);
55656+ atomic_set_unchecked(&pv->seqno, 0);
55657
55658 pr_devel("HVSI@%x: Handshaking started\n", pv->termno);
55659
55660diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
55661index 345cebb..d5a1e9e 100644
55662--- a/drivers/tty/ipwireless/tty.c
55663+++ b/drivers/tty/ipwireless/tty.c
55664@@ -28,6 +28,7 @@
55665 #include <linux/tty_driver.h>
55666 #include <linux/tty_flip.h>
55667 #include <linux/uaccess.h>
55668+#include <asm/local.h>
55669
55670 #include "tty.h"
55671 #include "network.h"
55672@@ -93,10 +94,10 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp)
55673 return -ENODEV;
55674
55675 mutex_lock(&tty->ipw_tty_mutex);
55676- if (tty->port.count == 0)
55677+ if (atomic_read(&tty->port.count) == 0)
55678 tty->tx_bytes_queued = 0;
55679
55680- tty->port.count++;
55681+ atomic_inc(&tty->port.count);
55682
55683 tty->port.tty = linux_tty;
55684 linux_tty->driver_data = tty;
55685@@ -112,9 +113,7 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp)
55686
55687 static void do_ipw_close(struct ipw_tty *tty)
55688 {
55689- tty->port.count--;
55690-
55691- if (tty->port.count == 0) {
55692+ if (atomic_dec_return(&tty->port.count) == 0) {
55693 struct tty_struct *linux_tty = tty->port.tty;
55694
55695 if (linux_tty != NULL) {
55696@@ -135,7 +134,7 @@ static void ipw_hangup(struct tty_struct *linux_tty)
55697 return;
55698
55699 mutex_lock(&tty->ipw_tty_mutex);
55700- if (tty->port.count == 0) {
55701+ if (atomic_read(&tty->port.count) == 0) {
55702 mutex_unlock(&tty->ipw_tty_mutex);
55703 return;
55704 }
55705@@ -158,7 +157,7 @@ void ipwireless_tty_received(struct ipw_tty *tty, unsigned char *data,
55706
55707 mutex_lock(&tty->ipw_tty_mutex);
55708
55709- if (!tty->port.count) {
55710+ if (!atomic_read(&tty->port.count)) {
55711 mutex_unlock(&tty->ipw_tty_mutex);
55712 return;
55713 }
55714@@ -197,7 +196,7 @@ static int ipw_write(struct tty_struct *linux_tty,
55715 return -ENODEV;
55716
55717 mutex_lock(&tty->ipw_tty_mutex);
55718- if (!tty->port.count) {
55719+ if (!atomic_read(&tty->port.count)) {
55720 mutex_unlock(&tty->ipw_tty_mutex);
55721 return -EINVAL;
55722 }
55723@@ -237,7 +236,7 @@ static int ipw_write_room(struct tty_struct *linux_tty)
55724 if (!tty)
55725 return -ENODEV;
55726
55727- if (!tty->port.count)
55728+ if (!atomic_read(&tty->port.count))
55729 return -EINVAL;
55730
55731 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
55732@@ -279,7 +278,7 @@ static int ipw_chars_in_buffer(struct tty_struct *linux_tty)
55733 if (!tty)
55734 return 0;
55735
55736- if (!tty->port.count)
55737+ if (!atomic_read(&tty->port.count))
55738 return 0;
55739
55740 return tty->tx_bytes_queued;
55741@@ -360,7 +359,7 @@ static int ipw_tiocmget(struct tty_struct *linux_tty)
55742 if (!tty)
55743 return -ENODEV;
55744
55745- if (!tty->port.count)
55746+ if (!atomic_read(&tty->port.count))
55747 return -EINVAL;
55748
55749 return get_control_lines(tty);
55750@@ -376,7 +375,7 @@ ipw_tiocmset(struct tty_struct *linux_tty,
55751 if (!tty)
55752 return -ENODEV;
55753
55754- if (!tty->port.count)
55755+ if (!atomic_read(&tty->port.count))
55756 return -EINVAL;
55757
55758 return set_control_lines(tty, set, clear);
55759@@ -390,7 +389,7 @@ static int ipw_ioctl(struct tty_struct *linux_tty,
55760 if (!tty)
55761 return -ENODEV;
55762
55763- if (!tty->port.count)
55764+ if (!atomic_read(&tty->port.count))
55765 return -EINVAL;
55766
55767 /* FIXME: Exactly how is the tty object locked here .. */
55768@@ -546,7 +545,7 @@ void ipwireless_tty_free(struct ipw_tty *tty)
55769 * are gone */
55770 mutex_lock(&ttyj->ipw_tty_mutex);
55771 }
55772- while (ttyj->port.count)
55773+ while (atomic_read(&ttyj->port.count))
55774 do_ipw_close(ttyj);
55775 ipwireless_disassociate_network_ttys(network,
55776 ttyj->channel_idx);
55777diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c
55778index 14c54e0..1efd4f2 100644
55779--- a/drivers/tty/moxa.c
55780+++ b/drivers/tty/moxa.c
55781@@ -1189,7 +1189,7 @@ static int moxa_open(struct tty_struct *tty, struct file *filp)
55782 }
55783
55784 ch = &brd->ports[port % MAX_PORTS_PER_BOARD];
55785- ch->port.count++;
55786+ atomic_inc(&ch->port.count);
55787 tty->driver_data = ch;
55788 tty_port_tty_set(&ch->port, tty);
55789 mutex_lock(&ch->port.mutex);
55790diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
55791index 382d3fc..b16d625 100644
55792--- a/drivers/tty/n_gsm.c
55793+++ b/drivers/tty/n_gsm.c
55794@@ -1644,7 +1644,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
55795 spin_lock_init(&dlci->lock);
55796 mutex_init(&dlci->mutex);
55797 dlci->fifo = &dlci->_fifo;
55798- if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
55799+ if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
55800 kfree(dlci);
55801 return NULL;
55802 }
55803@@ -2957,7 +2957,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp)
55804 struct gsm_dlci *dlci = tty->driver_data;
55805 struct tty_port *port = &dlci->port;
55806
55807- port->count++;
55808+ atomic_inc(&port->count);
55809 tty_port_tty_set(port, tty);
55810
55811 dlci->modem_rx = 0;
55812diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
55813index ee8bfac..9e4ed6f 100644
55814--- a/drivers/tty/n_tty.c
55815+++ b/drivers/tty/n_tty.c
55816@@ -116,7 +116,7 @@ struct n_tty_data {
55817 int minimum_to_wake;
55818
55819 /* consumer-published */
55820- size_t read_tail;
55821+ size_t read_tail __intentional_overflow(-1);
55822 size_t line_start;
55823
55824 /* protected by output lock */
55825@@ -2579,6 +2579,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
55826 {
55827 *ops = tty_ldisc_N_TTY;
55828 ops->owner = NULL;
55829- ops->refcount = ops->flags = 0;
55830+ atomic_set(&ops->refcount, 0);
55831+ ops->flags = 0;
55832 }
55833 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
55834diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
55835index 4d5e840..a2340a6 100644
55836--- a/drivers/tty/pty.c
55837+++ b/drivers/tty/pty.c
55838@@ -849,8 +849,10 @@ static void __init unix98_pty_init(void)
55839 panic("Couldn't register Unix98 pts driver");
55840
55841 /* Now create the /dev/ptmx special device */
55842+ pax_open_kernel();
55843 tty_default_fops(&ptmx_fops);
55844- ptmx_fops.open = ptmx_open;
55845+ *(void **)&ptmx_fops.open = ptmx_open;
55846+ pax_close_kernel();
55847
55848 cdev_init(&ptmx_cdev, &ptmx_fops);
55849 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
55850diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
55851index c8dd8dc..dca6cfd 100644
55852--- a/drivers/tty/rocket.c
55853+++ b/drivers/tty/rocket.c
55854@@ -914,7 +914,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp)
55855 tty->driver_data = info;
55856 tty_port_tty_set(port, tty);
55857
55858- if (port->count++ == 0) {
55859+ if (atomic_inc_return(&port->count) == 1) {
55860 atomic_inc(&rp_num_ports_open);
55861
55862 #ifdef ROCKET_DEBUG_OPEN
55863@@ -923,7 +923,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp)
55864 #endif
55865 }
55866 #ifdef ROCKET_DEBUG_OPEN
55867- printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, info->port.count);
55868+ printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, atomic-read(&info->port.count));
55869 #endif
55870
55871 /*
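Review bot: `atomic-read(&info->port.count)` in the added printk is a typo for `atomic_read`; as written it parses as `atomic` minus a call to `read`, so the file stops building once `ROCKET_DEBUG_OPEN` is defined. The argument should be `atomic_read(&info->port.count)`. Because the line sits under `#ifdef ROCKET_DEBUG_OPEN`, a default build does not exercise it, which is presumably why it went unnoticed.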
55872@@ -1515,7 +1515,7 @@ static void rp_hangup(struct tty_struct *tty)
55873 spin_unlock_irqrestore(&info->port.lock, flags);
55874 return;
55875 }
55876- if (info->port.count)
55877+ if (atomic_read(&info->port.count))
55878 atomic_dec(&rp_num_ports_open);
55879 clear_bit((info->aiop * 8) + info->chan, (void *) &xmit_flags[info->board]);
55880 spin_unlock_irqrestore(&info->port.lock, flags);
55881diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
55882index 37fff12..1a88ae1 100644
55883--- a/drivers/tty/serial/8250/8250_core.c
55884+++ b/drivers/tty/serial/8250/8250_core.c
55885@@ -3229,9 +3229,9 @@ static void univ8250_release_port(struct uart_port *port)
55886
55887 static void univ8250_rsa_support(struct uart_ops *ops)
55888 {
55889- ops->config_port = univ8250_config_port;
55890- ops->request_port = univ8250_request_port;
55891- ops->release_port = univ8250_release_port;
55892+ *(void **)&ops->config_port = univ8250_config_port;
55893+ *(void **)&ops->request_port = univ8250_request_port;
55894+ *(void **)&ops->release_port = univ8250_release_port;
55895 }
55896
55897 #else
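Review bot: `univ8250_rsa_support()` now writes through `*(void **)&ops->...` but does not open the kernel for writing itself; it depends on the caller being inside a `pax_open_kernel()` / `pax_close_kernel()` pair, as serial8250_isa_init_ports is in the next hunk. That precondition is not stated on the function, so a later caller outside such a window would presumably fault on the first store. A comment above the function would make the contract explicit, for example `/* caller must be inside pax_open_kernel(): ops is expected to point at univ8250_port_ops */`.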
55898@@ -3274,8 +3274,10 @@ static void __init serial8250_isa_init_ports(void)
55899 }
55900
55901 /* chain base port ops to support Remote Supervisor Adapter */
55902- univ8250_port_ops = *base_ops;
55903+ pax_open_kernel();
55904+ memcpy((void *)&univ8250_port_ops, base_ops, sizeof univ8250_port_ops);
55905 univ8250_rsa_support(&univ8250_port_ops);
55906+ pax_close_kernel();
55907
55908 if (share_irqs)
55909 irqflag = IRQF_SHARED;
55910diff --git a/drivers/tty/serial/ifx6x60.c b/drivers/tty/serial/ifx6x60.c
55911index 536a33b..1b98f43 100644
55912--- a/drivers/tty/serial/ifx6x60.c
55913+++ b/drivers/tty/serial/ifx6x60.c
55914@@ -649,7 +649,7 @@ static void ifx_spi_complete(void *ctx)
55915 struct ifx_spi_device *ifx_dev = ctx;
55916 int length;
55917 int actual_length;
55918- unsigned char more;
55919+ unsigned char more = 0;
55920 unsigned char cts;
55921 int local_write_pending = 0;
55922 int queue_length;
55923diff --git a/drivers/tty/serial/ioc4_serial.c b/drivers/tty/serial/ioc4_serial.c
55924index e5c42fe..f091b02 100644
55925--- a/drivers/tty/serial/ioc4_serial.c
55926+++ b/drivers/tty/serial/ioc4_serial.c
55927@@ -437,7 +437,7 @@ struct ioc4_soft {
55928 } is_intr_info[MAX_IOC4_INTR_ENTS];
55929
55930 /* Number of entries active in the above array */
55931- atomic_t is_num_intrs;
55932+ atomic_unchecked_t is_num_intrs;
55933 } is_intr_type[IOC4_NUM_INTR_TYPES];
55934
55935 /* is_ir_lock must be held while
55936@@ -974,7 +974,7 @@ intr_connect(struct ioc4_soft *soft, int type,
55937 BUG_ON(!((type == IOC4_SIO_INTR_TYPE)
55938 || (type == IOC4_OTHER_INTR_TYPE)));
55939
55940- i = atomic_inc_return(&soft-> is_intr_type[type].is_num_intrs) - 1;
55941+ i = atomic_inc_return_unchecked(&soft-> is_intr_type[type].is_num_intrs) - 1;
55942 BUG_ON(!(i < MAX_IOC4_INTR_ENTS || (printk("i %d\n", i), 0)));
55943
55944 /* Save off the lower level interrupt handler */
55945@@ -1001,7 +1001,7 @@ static irqreturn_t ioc4_intr(int irq, void *arg)
55946
55947 soft = arg;
55948 for (intr_type = 0; intr_type < IOC4_NUM_INTR_TYPES; intr_type++) {
55949- num_intrs = (int)atomic_read(
55950+ num_intrs = (int)atomic_read_unchecked(
55951 &soft->is_intr_type[intr_type].is_num_intrs);
55952
55953 this_mir = this_ir = pending_intrs(soft, intr_type);
55954diff --git a/drivers/tty/serial/kgdb_nmi.c b/drivers/tty/serial/kgdb_nmi.c
55955index 117df15..2f7dfcf 100644
55956--- a/drivers/tty/serial/kgdb_nmi.c
55957+++ b/drivers/tty/serial/kgdb_nmi.c
55958@@ -53,7 +53,9 @@ static int kgdb_nmi_console_setup(struct console *co, char *options)
55959 * I/O utilities that messages sent to the console will automatically
55960 * be displayed on the dbg_io.
55961 */
55962- dbg_io_ops->is_console = true;
55963+ pax_open_kernel();
55964+ *(int *)&dbg_io_ops->is_console = true;
55965+ pax_close_kernel();
55966
55967 return 0;
55968 }
55969diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
55970index a260cde..6b2b5ce 100644
55971--- a/drivers/tty/serial/kgdboc.c
55972+++ b/drivers/tty/serial/kgdboc.c
55973@@ -24,8 +24,9 @@
55974 #define MAX_CONFIG_LEN 40
55975
55976 static struct kgdb_io kgdboc_io_ops;
55977+static struct kgdb_io kgdboc_io_ops_console;
55978
55979-/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
55980+/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */
55981 static int configured = -1;
55982
55983 static char config[MAX_CONFIG_LEN];
55984@@ -151,6 +152,8 @@ static void cleanup_kgdboc(void)
55985 kgdboc_unregister_kbd();
55986 if (configured == 1)
55987 kgdb_unregister_io_module(&kgdboc_io_ops);
55988+ else if (configured == 2)
55989+ kgdb_unregister_io_module(&kgdboc_io_ops_console);
55990 }
55991
55992 static int configure_kgdboc(void)
55993@@ -160,13 +163,13 @@ static int configure_kgdboc(void)
55994 int err;
55995 char *cptr = config;
55996 struct console *cons;
55997+ int is_console = 0;
55998
55999 err = kgdboc_option_setup(config);
56000 if (err || !strlen(config) || isspace(config[0]))
56001 goto noconfig;
56002
56003 err = -ENODEV;
56004- kgdboc_io_ops.is_console = 0;
56005 kgdb_tty_driver = NULL;
56006
56007 kgdboc_use_kms = 0;
56008@@ -187,7 +190,7 @@ static int configure_kgdboc(void)
56009 int idx;
56010 if (cons->device && cons->device(cons, &idx) == p &&
56011 idx == tty_line) {
56012- kgdboc_io_ops.is_console = 1;
56013+ is_console = 1;
56014 break;
56015 }
56016 cons = cons->next;
56017@@ -197,7 +200,13 @@ static int configure_kgdboc(void)
56018 kgdb_tty_line = tty_line;
56019
56020 do_register:
56021- err = kgdb_register_io_module(&kgdboc_io_ops);
56022+ if (is_console) {
56023+ err = kgdb_register_io_module(&kgdboc_io_ops_console);
56024+ configured = 2;
56025+ } else {
56026+ err = kgdb_register_io_module(&kgdboc_io_ops);
56027+ configured = 1;
56028+ }
56029 if (err)
56030 goto noconfig;
56031
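Review bot: When `is_console` is set this registers `kgdboc_io_ops_console`, but the statement under the `nmi_con_failed` label is not touched by any hunk of this file, so it presumably still unregisters `&kgdboc_io_ops` and would leave the console variant registered after that later step fails. `configured` is also assigned 1 or 2 before `err` is checked, so the failure paths rely on code outside the hunk to reset it. The unregister on `nmi_con_failed` should select the struct the same way, e.g. `kgdb_unregister_io_module(is_console ? &kgdboc_io_ops_console : &kgdboc_io_ops);`.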
56032@@ -205,8 +214,6 @@ do_register:
56033 if (err)
56034 goto nmi_con_failed;
56035
56036- configured = 1;
56037-
56038 return 0;
56039
56040 nmi_con_failed:
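Review bot: The error path after `kgdb_register_nmi_console()` may no longer match what was registered, because `do_register` now picks `kgdboc_io_ops_console` or `kgdboc_io_ops` but the statement under `nmi_con_failed:` is outside these hunks and is not touched by the patch. If it still calls `kgdb_unregister_io_module(&kgdboc_io_ops)`, a console configuration whose NMI console registration fails would leave `kgdboc_io_ops_console` registered. It should select the structure the same way, e.g. `kgdb_unregister_io_module(is_console ? &kgdboc_io_ops_console : &kgdboc_io_ops);`. `configured` is also assigned before `err` is tested, so a failed registration leaves it at 1 or 2 unless the `noconfig` path (not shown) resets it.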
56041@@ -223,7 +230,7 @@ noconfig:
56042 static int __init init_kgdboc(void)
56043 {
56044 /* Already configured? */
56045- if (configured == 1)
56046+ if (configured >= 1)
56047 return 0;
56048
56049 return configure_kgdboc();
56050@@ -272,7 +279,7 @@ static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
56051 if (config[len - 1] == '\n')
56052 config[len - 1] = '\0';
56053
56054- if (configured == 1)
56055+ if (configured >= 1)
56056 cleanup_kgdboc();
56057
56058 /* Go and configure with the new params. */
56059@@ -312,6 +319,15 @@ static struct kgdb_io kgdboc_io_ops = {
56060 .post_exception = kgdboc_post_exp_handler,
56061 };
56062
56063+static struct kgdb_io kgdboc_io_ops_console = {
56064+ .name = "kgdboc",
56065+ .read_char = kgdboc_get_char,
56066+ .write_char = kgdboc_put_char,
56067+ .pre_exception = kgdboc_pre_exp_handler,
56068+ .post_exception = kgdboc_post_exp_handler,
56069+ .is_console = 1
56070+};
56071+
56072 #ifdef CONFIG_KGDB_SERIAL_CONSOLE
56073 /* This is only available if kgdboc is a built in for early debugging */
56074 static int __init kgdboc_early_init(char *opt)
56075diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
56076index b73889c..9f74f0a 100644
56077--- a/drivers/tty/serial/msm_serial.c
56078+++ b/drivers/tty/serial/msm_serial.c
56079@@ -1012,7 +1012,7 @@ static struct uart_driver msm_uart_driver = {
56080 .cons = MSM_CONSOLE,
56081 };
56082
56083-static atomic_t msm_uart_next_id = ATOMIC_INIT(0);
56084+static atomic_unchecked_t msm_uart_next_id = ATOMIC_INIT(0);
56085
56086 static const struct of_device_id msm_uartdm_table[] = {
56087 { .compatible = "qcom,msm-uartdm-v1.1", .data = (void *)UARTDM_1P1 },
56088@@ -1036,7 +1036,7 @@ static int msm_serial_probe(struct platform_device *pdev)
56089 line = pdev->id;
56090
56091 if (line < 0)
56092- line = atomic_inc_return(&msm_uart_next_id) - 1;
56093+ line = atomic_inc_return_unchecked(&msm_uart_next_id) - 1;
56094
56095 if (unlikely(line < 0 || line >= UART_NR))
56096 return -ENXIO;
56097diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
56098index 5916311..1e32415 100644
56099--- a/drivers/tty/serial/samsung.c
56100+++ b/drivers/tty/serial/samsung.c
56101@@ -995,11 +995,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port)
56102 ourport->tx_in_progress = 0;
56103 }
56104
56105+static int s3c64xx_serial_startup(struct uart_port *port);
56106 static int s3c24xx_serial_startup(struct uart_port *port)
56107 {
56108 struct s3c24xx_uart_port *ourport = to_ourport(port);
56109 int ret;
56110
56111+ /* Startup sequence is different for s3c64xx and higher SoC's */
56112+ if (s3c24xx_serial_has_interrupt_mask(port))
56113+ return s3c64xx_serial_startup(port);
56114+
56115 dbg("s3c24xx_serial_startup: port=%p (%08llx,%p)\n",
56116 port, (unsigned long long)port->mapbase, port->membase);
56117
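Review bot: The prototype for `s3c64xx_serial_startup()` is placed directly above the `s3c24xx_serial_startup()` definition with no blank line, so it reads as part of that definition. Move it to the file's other forward declarations or separate it with a blank line. The existing comment explains that the startup sequence differs, but not why the choice is now made on every call instead of once at port init. A line such as `/* dispatch at call time so s3c24xx_serial_ops is never written after initialisation */` would record that, assuming this is the motive.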
56118@@ -1706,10 +1711,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
56119 /* setup info for port */
56120 port->dev = &platdev->dev;
56121
56122- /* Startup sequence is different for s3c64xx and higher SoC's */
56123- if (s3c24xx_serial_has_interrupt_mask(port))
56124- s3c24xx_serial_ops.startup = s3c64xx_serial_startup;
56125-
56126 port->uartclk = 1;
56127
56128 if (cfg->uart_flags & UPF_CONS_FLOW) {
56129diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
56130index f368520..c7a703a 100644
56131--- a/drivers/tty/serial/serial_core.c
56132+++ b/drivers/tty/serial/serial_core.c
56133@@ -1385,7 +1385,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
56134 state = drv->state + tty->index;
56135 port = &state->port;
56136 spin_lock_irq(&port->lock);
56137- --port->count;
56138+ atomic_dec(&port->count);
56139 spin_unlock_irq(&port->lock);
56140 return;
56141 }
56142@@ -1395,7 +1395,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
56143
56144 pr_debug("uart_close(%d) called\n", uport ? uport->line : -1);
56145
56146- if (!port->count || tty_port_close_start(port, tty, filp) == 0)
56147+ if (!atomic_read(&port->count) || tty_port_close_start(port, tty, filp) == 0)
56148 return;
56149
56150 /*
56151@@ -1520,7 +1520,7 @@ static void uart_hangup(struct tty_struct *tty)
56152 uart_flush_buffer(tty);
56153 uart_shutdown(tty, state);
56154 spin_lock_irqsave(&port->lock, flags);
56155- port->count = 0;
56156+ atomic_set(&port->count, 0);
56157 clear_bit(ASYNCB_NORMAL_ACTIVE, &port->flags);
56158 spin_unlock_irqrestore(&port->lock, flags);
56159 tty_port_tty_set(port, NULL);
56160@@ -1607,7 +1607,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
56161 pr_debug("uart_open(%d) called\n", line);
56162
56163 spin_lock_irq(&port->lock);
56164- ++port->count;
56165+ atomic_inc(&port->count);
56166 spin_unlock_irq(&port->lock);
56167
56168 /*
56169diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c
56170index b1c6bd3..5f038e2 100644
56171--- a/drivers/tty/serial/uartlite.c
56172+++ b/drivers/tty/serial/uartlite.c
56173@@ -341,13 +341,13 @@ static int ulite_request_port(struct uart_port *port)
56174 return -EBUSY;
56175 }
56176
56177- port->private_data = &uartlite_be;
56178+ port->private_data = (void *)&uartlite_be;
56179 ret = uart_in32(ULITE_CONTROL, port);
56180 uart_out32(ULITE_CONTROL_RST_TX, ULITE_CONTROL, port);
56181 ret = uart_in32(ULITE_STATUS, port);
56182 /* Endianess detection */
56183 if ((ret & ULITE_STATUS_TXEMPTY) != ULITE_STATUS_TXEMPTY)
56184- port->private_data = &uartlite_le;
56185+ port->private_data = (void *)&uartlite_le;
56186
56187 return 0;
56188 }
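Review bot: The `(void *)` casts on `&uartlite_be` and `&uartlite_le` silence a qualifier mismatch instead of preserving the qualifier, so nothing stops later code from writing to these tables through `port->private_data`. The declarations are outside the hunk. If the tables are const, add a comment at the assignment such as `/* read-only table; users of private_data must treat it as const */`, and have the code that reads `private_data` back use a `const` pointer type.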
56189diff --git a/drivers/tty/synclink.c b/drivers/tty/synclink.c
56190index 2fac712..fcd5268 100644
56191--- a/drivers/tty/synclink.c
56192+++ b/drivers/tty/synclink.c
56193@@ -3090,7 +3090,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp)
56194
56195 if (debug_level >= DEBUG_LEVEL_INFO)
56196 printk("%s(%d):mgsl_close(%s) entry, count=%d\n",
56197- __FILE__,__LINE__, info->device_name, info->port.count);
56198+ __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count));
56199
56200 if (tty_port_close_start(&info->port, tty, filp) == 0)
56201 goto cleanup;
56202@@ -3108,7 +3108,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp)
56203 cleanup:
56204 if (debug_level >= DEBUG_LEVEL_INFO)
56205 printk("%s(%d):mgsl_close(%s) exit, count=%d\n", __FILE__,__LINE__,
56206- tty->driver->name, info->port.count);
56207+ tty->driver->name, atomic_read(&info->port.count));
56208
56209 } /* end of mgsl_close() */
56210
56211@@ -3207,8 +3207,8 @@ static void mgsl_hangup(struct tty_struct *tty)
56212
56213 mgsl_flush_buffer(tty);
56214 shutdown(info);
56215-
56216- info->port.count = 0;
56217+
56218+ atomic_set(&info->port.count, 0);
56219 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
56220 info->port.tty = NULL;
56221
56222@@ -3296,10 +3296,10 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56223
56224 if (debug_level >= DEBUG_LEVEL_INFO)
56225 printk("%s(%d):block_til_ready before block on %s count=%d\n",
56226- __FILE__,__LINE__, tty->driver->name, port->count );
56227+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56228
56229 spin_lock_irqsave(&info->irq_spinlock, flags);
56230- port->count--;
56231+ atomic_dec(&port->count);
56232 spin_unlock_irqrestore(&info->irq_spinlock, flags);
56233 port->blocked_open++;
56234
56235@@ -3327,7 +3327,7 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56236
56237 if (debug_level >= DEBUG_LEVEL_INFO)
56238 printk("%s(%d):block_til_ready blocking on %s count=%d\n",
56239- __FILE__,__LINE__, tty->driver->name, port->count );
56240+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56241
56242 tty_unlock(tty);
56243 schedule();
56244@@ -3339,12 +3339,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56245
56246 /* FIXME: Racy on hangup during close wait */
56247 if (!tty_hung_up_p(filp))
56248- port->count++;
56249+ atomic_inc(&port->count);
56250 port->blocked_open--;
56251
56252 if (debug_level >= DEBUG_LEVEL_INFO)
56253 printk("%s(%d):block_til_ready after blocking on %s count=%d\n",
56254- __FILE__,__LINE__, tty->driver->name, port->count );
56255+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56256
56257 if (!retval)
56258 port->flags |= ASYNC_NORMAL_ACTIVE;
56259@@ -3396,7 +3396,7 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp)
56260
56261 if (debug_level >= DEBUG_LEVEL_INFO)
56262 printk("%s(%d):mgsl_open(%s), old ref count = %d\n",
56263- __FILE__,__LINE__,tty->driver->name, info->port.count);
56264+ __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count));
56265
56266 /* If port is closing, signal caller to try again */
56267 if (info->port.flags & ASYNC_CLOSING){
56268@@ -3415,10 +3415,10 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp)
56269 spin_unlock_irqrestore(&info->netlock, flags);
56270 goto cleanup;
56271 }
56272- info->port.count++;
56273+ atomic_inc(&info->port.count);
56274 spin_unlock_irqrestore(&info->netlock, flags);
56275
56276- if (info->port.count == 1) {
56277+ if (atomic_read(&info->port.count) == 1) {
56278 /* 1st open on this device, init hardware */
56279 retval = startup(info);
56280 if (retval < 0)
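Review bot: `atomic_inc(&info->port.count)` is followed, after `netlock` is dropped, by a separate `atomic_read(&info->port.count) == 1`, so the first-open decision is not tied to this caller's own increment. With the counter now atomic the two can be one operation: `first = (atomic_inc_return(&info->port.count) == 1);` inside the locked region, using a new local `int first`, then `if (first)`. The `cleanup` hunk just below has the same read-then-modify shape (`if (atomic_read(...)) atomic_dec(...)`), which `atomic_dec_if_positive(&info->port.count)` would express in one step. Both patterns also appear in `open()` in synclink_gt.c and synclinkmp.c. Whether another path can change the count between the two calls depends on locking outside these hunks.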
56281@@ -3442,8 +3442,8 @@ cleanup:
56282 if (retval) {
56283 if (tty->count == 1)
56284 info->port.tty = NULL; /* tty layer will release tty struct */
56285- if(info->port.count)
56286- info->port.count--;
56287+ if (atomic_read(&info->port.count))
56288+ atomic_dec(&info->port.count);
56289 }
56290
56291 return retval;
56292@@ -7662,7 +7662,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
56293 unsigned short new_crctype;
56294
56295 /* return error if TTY interface open */
56296- if (info->port.count)
56297+ if (atomic_read(&info->port.count))
56298 return -EBUSY;
56299
56300 switch (encoding)
56301@@ -7758,7 +7758,7 @@ static int hdlcdev_open(struct net_device *dev)
56302
56303 /* arbitrate between network and tty opens */
56304 spin_lock_irqsave(&info->netlock, flags);
56305- if (info->port.count != 0 || info->netcount != 0) {
56306+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
56307 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
56308 spin_unlock_irqrestore(&info->netlock, flags);
56309 return -EBUSY;
56310@@ -7844,7 +7844,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
56311 printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name);
56312
56313 /* return error if TTY interface open */
56314- if (info->port.count)
56315+ if (atomic_read(&info->port.count))
56316 return -EBUSY;
56317
56318 if (cmd != SIOCWANDEV)
56319diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
56320index 0ea8eee..b3f1b8f 100644
56321--- a/drivers/tty/synclink_gt.c
56322+++ b/drivers/tty/synclink_gt.c
56323@@ -670,7 +670,7 @@ static int open(struct tty_struct *tty, struct file *filp)
56324 tty->driver_data = info;
56325 info->port.tty = tty;
56326
56327- DBGINFO(("%s open, old ref count = %d\n", info->device_name, info->port.count));
56328+ DBGINFO(("%s open, old ref count = %d\n", info->device_name, atomic_read(&info->port.count)));
56329
56330 /* If port is closing, signal caller to try again */
56331 if (info->port.flags & ASYNC_CLOSING){
56332@@ -691,10 +691,10 @@ static int open(struct tty_struct *tty, struct file *filp)
56333 mutex_unlock(&info->port.mutex);
56334 goto cleanup;
56335 }
56336- info->port.count++;
56337+ atomic_inc(&info->port.count);
56338 spin_unlock_irqrestore(&info->netlock, flags);
56339
56340- if (info->port.count == 1) {
56341+ if (atomic_read(&info->port.count) == 1) {
56342 /* 1st open on this device, init hardware */
56343 retval = startup(info);
56344 if (retval < 0) {
56345@@ -715,8 +715,8 @@ cleanup:
56346 if (retval) {
56347 if (tty->count == 1)
56348 info->port.tty = NULL; /* tty layer will release tty struct */
56349- if(info->port.count)
56350- info->port.count--;
56351+ if(atomic_read(&info->port.count))
56352+ atomic_dec(&info->port.count);
56353 }
56354
56355 DBGINFO(("%s open rc=%d\n", info->device_name, retval));
56356@@ -729,7 +729,7 @@ static void close(struct tty_struct *tty, struct file *filp)
56357
56358 if (sanity_check(info, tty->name, "close"))
56359 return;
56360- DBGINFO(("%s close entry, count=%d\n", info->device_name, info->port.count));
56361+ DBGINFO(("%s close entry, count=%d\n", info->device_name, atomic_read(&info->port.count)));
56362
56363 if (tty_port_close_start(&info->port, tty, filp) == 0)
56364 goto cleanup;
56365@@ -746,7 +746,7 @@ static void close(struct tty_struct *tty, struct file *filp)
56366 tty_port_close_end(&info->port, tty);
56367 info->port.tty = NULL;
56368 cleanup:
56369- DBGINFO(("%s close exit, count=%d\n", tty->driver->name, info->port.count));
56370+ DBGINFO(("%s close exit, count=%d\n", tty->driver->name, atomic_read(&info->port.count)));
56371 }
56372
56373 static void hangup(struct tty_struct *tty)
56374@@ -764,7 +764,7 @@ static void hangup(struct tty_struct *tty)
56375 shutdown(info);
56376
56377 spin_lock_irqsave(&info->port.lock, flags);
56378- info->port.count = 0;
56379+ atomic_set(&info->port.count, 0);
56380 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
56381 info->port.tty = NULL;
56382 spin_unlock_irqrestore(&info->port.lock, flags);
56383@@ -1449,7 +1449,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
56384 unsigned short new_crctype;
56385
56386 /* return error if TTY interface open */
56387- if (info->port.count)
56388+ if (atomic_read(&info->port.count))
56389 return -EBUSY;
56390
56391 DBGINFO(("%s hdlcdev_attach\n", info->device_name));
56392@@ -1545,7 +1545,7 @@ static int hdlcdev_open(struct net_device *dev)
56393
56394 /* arbitrate between network and tty opens */
56395 spin_lock_irqsave(&info->netlock, flags);
56396- if (info->port.count != 0 || info->netcount != 0) {
56397+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
56398 DBGINFO(("%s hdlc_open busy\n", dev->name));
56399 spin_unlock_irqrestore(&info->netlock, flags);
56400 return -EBUSY;
56401@@ -1630,7 +1630,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
56402 DBGINFO(("%s hdlcdev_ioctl\n", dev->name));
56403
56404 /* return error if TTY interface open */
56405- if (info->port.count)
56406+ if (atomic_read(&info->port.count))
56407 return -EBUSY;
56408
56409 if (cmd != SIOCWANDEV)
56410@@ -2417,7 +2417,7 @@ static irqreturn_t slgt_interrupt(int dummy, void *dev_id)
56411 if (port == NULL)
56412 continue;
56413 spin_lock(&port->lock);
56414- if ((port->port.count || port->netcount) &&
56415+ if ((atomic_read(&port->port.count) || port->netcount) &&
56416 port->pending_bh && !port->bh_running &&
56417 !port->bh_requested) {
56418 DBGISR(("%s bh queued\n", port->device_name));
56419@@ -3303,7 +3303,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
56420 add_wait_queue(&port->open_wait, &wait);
56421
56422 spin_lock_irqsave(&info->lock, flags);
56423- port->count--;
56424+ atomic_dec(&port->count);
56425 spin_unlock_irqrestore(&info->lock, flags);
56426 port->blocked_open++;
56427
56428@@ -3339,7 +3339,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
56429 remove_wait_queue(&port->open_wait, &wait);
56430
56431 if (!tty_hung_up_p(filp))
56432- port->count++;
56433+ atomic_inc(&port->count);
56434 port->blocked_open--;
56435
56436 if (!retval)
56437diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c
56438index 08633a8..3d56e14 100644
56439--- a/drivers/tty/synclinkmp.c
56440+++ b/drivers/tty/synclinkmp.c
56441@@ -750,7 +750,7 @@ static int open(struct tty_struct *tty, struct file *filp)
56442
56443 if (debug_level >= DEBUG_LEVEL_INFO)
56444 printk("%s(%d):%s open(), old ref count = %d\n",
56445- __FILE__,__LINE__,tty->driver->name, info->port.count);
56446+ __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count));
56447
56448 /* If port is closing, signal caller to try again */
56449 if (info->port.flags & ASYNC_CLOSING){
56450@@ -769,10 +769,10 @@ static int open(struct tty_struct *tty, struct file *filp)
56451 spin_unlock_irqrestore(&info->netlock, flags);
56452 goto cleanup;
56453 }
56454- info->port.count++;
56455+ atomic_inc(&info->port.count);
56456 spin_unlock_irqrestore(&info->netlock, flags);
56457
56458- if (info->port.count == 1) {
56459+ if (atomic_read(&info->port.count) == 1) {
56460 /* 1st open on this device, init hardware */
56461 retval = startup(info);
56462 if (retval < 0)
56463@@ -796,8 +796,8 @@ cleanup:
56464 if (retval) {
56465 if (tty->count == 1)
56466 info->port.tty = NULL; /* tty layer will release tty struct */
56467- if(info->port.count)
56468- info->port.count--;
56469+ if(atomic_read(&info->port.count))
56470+ atomic_dec(&info->port.count);
56471 }
56472
56473 return retval;
56474@@ -815,7 +815,7 @@ static void close(struct tty_struct *tty, struct file *filp)
56475
56476 if (debug_level >= DEBUG_LEVEL_INFO)
56477 printk("%s(%d):%s close() entry, count=%d\n",
56478- __FILE__,__LINE__, info->device_name, info->port.count);
56479+ __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count));
56480
56481 if (tty_port_close_start(&info->port, tty, filp) == 0)
56482 goto cleanup;
56483@@ -834,7 +834,7 @@ static void close(struct tty_struct *tty, struct file *filp)
56484 cleanup:
56485 if (debug_level >= DEBUG_LEVEL_INFO)
56486 printk("%s(%d):%s close() exit, count=%d\n", __FILE__,__LINE__,
56487- tty->driver->name, info->port.count);
56488+ tty->driver->name, atomic_read(&info->port.count));
56489 }
56490
56491 /* Called by tty_hangup() when a hangup is signaled.
56492@@ -857,7 +857,7 @@ static void hangup(struct tty_struct *tty)
56493 shutdown(info);
56494
56495 spin_lock_irqsave(&info->port.lock, flags);
56496- info->port.count = 0;
56497+ atomic_set(&info->port.count, 0);
56498 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
56499 info->port.tty = NULL;
56500 spin_unlock_irqrestore(&info->port.lock, flags);
56501@@ -1565,7 +1565,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
56502 unsigned short new_crctype;
56503
56504 /* return error if TTY interface open */
56505- if (info->port.count)
56506+ if (atomic_read(&info->port.count))
56507 return -EBUSY;
56508
56509 switch (encoding)
56510@@ -1661,7 +1661,7 @@ static int hdlcdev_open(struct net_device *dev)
56511
56512 /* arbitrate between network and tty opens */
56513 spin_lock_irqsave(&info->netlock, flags);
56514- if (info->port.count != 0 || info->netcount != 0) {
56515+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
56516 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
56517 spin_unlock_irqrestore(&info->netlock, flags);
56518 return -EBUSY;
56519@@ -1747,7 +1747,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
56520 printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name);
56521
56522 /* return error if TTY interface open */
56523- if (info->port.count)
56524+ if (atomic_read(&info->port.count))
56525 return -EBUSY;
56526
56527 if (cmd != SIOCWANDEV)
56528@@ -2624,7 +2624,7 @@ static irqreturn_t synclinkmp_interrupt(int dummy, void *dev_id)
56529 * do not request bottom half processing if the
56530 * device is not open in a normal mode.
56531 */
56532- if ( port && (port->port.count || port->netcount) &&
56533+ if ( port && (atomic_read(&port->port.count) || port->netcount) &&
56534 port->pending_bh && !port->bh_running &&
56535 !port->bh_requested ) {
56536 if ( debug_level >= DEBUG_LEVEL_ISR )
56537@@ -3321,10 +3321,10 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
56538
56539 if (debug_level >= DEBUG_LEVEL_INFO)
56540 printk("%s(%d):%s block_til_ready() before block, count=%d\n",
56541- __FILE__,__LINE__, tty->driver->name, port->count );
56542+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56543
56544 spin_lock_irqsave(&info->lock, flags);
56545- port->count--;
56546+ atomic_dec(&port->count);
56547 spin_unlock_irqrestore(&info->lock, flags);
56548 port->blocked_open++;
56549
56550@@ -3352,7 +3352,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
56551
56552 if (debug_level >= DEBUG_LEVEL_INFO)
56553 printk("%s(%d):%s block_til_ready() count=%d\n",
56554- __FILE__,__LINE__, tty->driver->name, port->count );
56555+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56556
56557 tty_unlock(tty);
56558 schedule();
56559@@ -3362,12 +3362,12 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
56560 set_current_state(TASK_RUNNING);
56561 remove_wait_queue(&port->open_wait, &wait);
56562 if (!tty_hung_up_p(filp))
56563- port->count++;
56564+ atomic_inc(&port->count);
56565 port->blocked_open--;
56566
56567 if (debug_level >= DEBUG_LEVEL_INFO)
56568 printk("%s(%d):%s block_til_ready() after, count=%d\n",
56569- __FILE__,__LINE__, tty->driver->name, port->count );
56570+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56571
56572 if (!retval)
56573 port->flags |= ASYNC_NORMAL_ACTIVE;
56574diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
56575index b5b4278..bb9c7b0 100644
56576--- a/drivers/tty/sysrq.c
56577+++ b/drivers/tty/sysrq.c
56578@@ -1072,7 +1072,7 @@ EXPORT_SYMBOL(unregister_sysrq_key);
56579 static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
56580 size_t count, loff_t *ppos)
56581 {
56582- if (count) {
56583+ if (count && capable(CAP_SYS_ADMIN)) {
56584 char c;
56585
56586 if (get_user(c, buf))
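Review bot: A caller without `CAP_SYS_ADMIN` is ignored silently, because the new condition skips the `get_user()` and handler path but adds no error return. Unless the code after this `if` (outside the hunk) does otherwise, the write still reports success. Returning an error makes the denial visible to the caller: `if (count && !capable(CAP_SYS_ADMIN)) return -EPERM;` ahead of the existing `if (count)` block. If the silent drop is intentional, say so in a comment at the check.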
56587diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
56588index 57fc6ee..b83cc81 100644
56589--- a/drivers/tty/tty_io.c
56590+++ b/drivers/tty/tty_io.c
56591@@ -3501,7 +3501,7 @@ EXPORT_SYMBOL(tty_devnum);
56592
56593 void tty_default_fops(struct file_operations *fops)
56594 {
56595- *fops = tty_fops;
56596+ memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
56597 }
56598
56599 /*
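Review bot: The `(void *)fops` cast together with `sizeof(tty_fops)` removes the type checking that `*fops = tty_fops` provided, so a later change to either type would still compile. Size the copy from the destination instead, `memcpy((void *)fops, &tty_fops, sizeof(*fops));`. Also add a one-line comment saying why a plain structure assignment is not used here. Presumably `struct file_operations` is treated as read-only elsewhere in this patch, but that reason is not visible in this hunk.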
56600diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
56601index c07fb5d..942acf7 100644
56602--- a/drivers/tty/tty_ldisc.c
56603+++ b/drivers/tty/tty_ldisc.c
56604@@ -70,7 +70,7 @@ int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc)
56605 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
56606 tty_ldiscs[disc] = new_ldisc;
56607 new_ldisc->num = disc;
56608- new_ldisc->refcount = 0;
56609+ atomic_set(&new_ldisc->refcount, 0);
56610 raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags);
56611
56612 return ret;
56613@@ -98,7 +98,7 @@ int tty_unregister_ldisc(int disc)
56614 return -EINVAL;
56615
56616 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
56617- if (tty_ldiscs[disc]->refcount)
56618+ if (atomic_read(&tty_ldiscs[disc]->refcount))
56619 ret = -EBUSY;
56620 else
56621 tty_ldiscs[disc] = NULL;
56622@@ -119,7 +119,7 @@ static struct tty_ldisc_ops *get_ldops(int disc)
56623 if (ldops) {
56624 ret = ERR_PTR(-EAGAIN);
56625 if (try_module_get(ldops->owner)) {
56626- ldops->refcount++;
56627+ atomic_inc(&ldops->refcount);
56628 ret = ldops;
56629 }
56630 }
56631@@ -132,7 +132,7 @@ static void put_ldops(struct tty_ldisc_ops *ldops)
56632 unsigned long flags;
56633
56634 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
56635- ldops->refcount--;
56636+ atomic_dec(&ldops->refcount);
56637 module_put(ldops->owner);
56638 raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags);
56639 }
56640diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c
56641index 40b31835..94d92ae 100644
56642--- a/drivers/tty/tty_port.c
56643+++ b/drivers/tty/tty_port.c
56644@@ -236,7 +236,7 @@ void tty_port_hangup(struct tty_port *port)
56645 unsigned long flags;
56646
56647 spin_lock_irqsave(&port->lock, flags);
56648- port->count = 0;
56649+ atomic_set(&port->count, 0);
56650 port->flags &= ~ASYNC_NORMAL_ACTIVE;
56651 tty = port->tty;
56652 if (tty)
56653@@ -398,7 +398,7 @@ int tty_port_block_til_ready(struct tty_port *port,
56654
56655 /* The port lock protects the port counts */
56656 spin_lock_irqsave(&port->lock, flags);
56657- port->count--;
56658+ atomic_dec(&port->count);
56659 port->blocked_open++;
56660 spin_unlock_irqrestore(&port->lock, flags);
56661
56662@@ -440,7 +440,7 @@ int tty_port_block_til_ready(struct tty_port *port,
56663 we must not mess that up further */
56664 spin_lock_irqsave(&port->lock, flags);
56665 if (!tty_hung_up_p(filp))
56666- port->count++;
56667+ atomic_inc(&port->count);
56668 port->blocked_open--;
56669 if (retval == 0)
56670 port->flags |= ASYNC_NORMAL_ACTIVE;
56671@@ -476,19 +476,19 @@ int tty_port_close_start(struct tty_port *port,
56672 return 0;
56673
56674 spin_lock_irqsave(&port->lock, flags);
56675- if (tty->count == 1 && port->count != 1) {
56676+ if (tty->count == 1 && atomic_read(&port->count) != 1) {
56677 printk(KERN_WARNING
56678 "tty_port_close_start: tty->count = 1 port count = %d.\n",
56679- port->count);
56680- port->count = 1;
56681+ atomic_read(&port->count));
56682+ atomic_set(&port->count, 1);
56683 }
56684- if (--port->count < 0) {
56685+ if (atomic_dec_return(&port->count) < 0) {
56686 printk(KERN_WARNING "tty_port_close_start: count = %d\n",
56687- port->count);
56688- port->count = 0;
56689+ atomic_read(&port->count));
56690+ atomic_set(&port->count, 0);
56691 }
56692
56693- if (port->count) {
56694+ if (atomic_read(&port->count)) {
56695 spin_unlock_irqrestore(&port->lock, flags);
56696 return 0;
56697 }
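Review bot: In the underflow branch the warning prints a fresh `atomic_read(&port->count)` rather than the value `atomic_dec_return()` just produced, so the test and the logged number come from two separate reads. Keep the result in a local: `cnt = atomic_dec_return(&port->count);` then `if (cnt < 0) {` and pass `cnt` to the `printk()`. The sequence runs under `port->lock`, so this is mainly a clarity point, but other hunks in this patch modify `port->count` under different locks (for example `info->irq_spinlock` in synclink.c), which is one more reason not to re-read. `tty_port_close_start()` starts outside this hunk, so the declaration of the new local would go with the existing ones there.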
56698@@ -590,7 +590,7 @@ int tty_port_open(struct tty_port *port, struct tty_struct *tty,
56699 struct file *filp)
56700 {
56701 spin_lock_irq(&port->lock);
56702- ++port->count;
56703+ atomic_inc(&port->count);
56704 spin_unlock_irq(&port->lock);
56705 tty_port_tty_set(port, tty);
56706
56707diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
56708index 6f0336f..5818bc1 100644
56709--- a/drivers/tty/vt/keyboard.c
56710+++ b/drivers/tty/vt/keyboard.c
56711@@ -642,6 +642,16 @@ static void k_spec(struct vc_data *vc, unsigned char value, char up_flag)
56712 kbd->kbdmode == VC_OFF) &&
56713 value != KVAL(K_SAK))
56714 return; /* SAK is allowed even in raw mode */
56715+
56716+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
56717+ {
56718+ void *func = fn_handler[value];
56719+ if (func == fn_show_state || func == fn_show_ptregs ||
56720+ func == fn_show_mem)
56721+ return;
56722+ }
56723+#endif
56724+
56725 fn_handler[value](vc);
56726 }
56727
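Review bot: Storing `fn_handler[value]` in a `void *` and comparing it with function names relies on a function-to-object pointer conversion that ISO C does not define. Use the table's own element type instead, `fn_handler_fn *func = fn_handler[value];`. The block also has no comment saying why these three handlers are filtered. Something like `/* these handlers print task state, registers and memory statistics to the console; suppress them when the /proc restrictions are enabled */` would help, to be confirmed against the handlers themselves, which are not in the hunk. `k_spec()` begins outside this hunk, so any bounds check on `value` before the table lookup cannot be seen from here.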
56728@@ -1880,9 +1890,6 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
56729 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
56730 return -EFAULT;
56731
56732- if (!capable(CAP_SYS_TTY_CONFIG))
56733- perm = 0;
56734-
56735 switch (cmd) {
56736 case KDGKBENT:
56737 /* Ensure another thread doesn't free it under us */
56738@@ -1897,6 +1904,9 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
56739 spin_unlock_irqrestore(&kbd_event_lock, flags);
56740 return put_user(val, &user_kbe->kb_value);
56741 case KDSKBENT:
56742+ if (!capable(CAP_SYS_TTY_CONFIG))
56743+ perm = 0;
56744+
56745 if (!perm)
56746 return -EPERM;
56747 if (!i && v == K_NOSUCHMAP) {
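Review bot: The relocated check still assigns `perm = 0` and then tests `if (!perm)`, which hides the fact that two independent conditions gate the write. A single test reads better and avoids calling `capable()` when `perm` is already zero: `if (!perm || !capable(CAP_SYS_TTY_CONFIG)) return -EPERM;`, provided `perm` is not read again later in the case (the rest of the case is outside the hunk). The `KDSKBSENT` case in `vt_do_kdgkb_ioctl()` further down has the same shape, with `ret = -EPERM; goto reterr;` as its body. A short comment that the read-only `KDGKBENT` path deliberately makes no capability check would keep a later cleanup from moving the test back to the top of the function.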
56748@@ -1987,9 +1997,6 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
56749 int i, j, k;
56750 int ret;
56751
56752- if (!capable(CAP_SYS_TTY_CONFIG))
56753- perm = 0;
56754-
56755 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
56756 if (!kbs) {
56757 ret = -ENOMEM;
56758@@ -2023,6 +2030,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
56759 kfree(kbs);
56760 return ((p && *p) ? -EOVERFLOW : 0);
56761 case KDSKBSENT:
56762+ if (!capable(CAP_SYS_TTY_CONFIG))
56763+ perm = 0;
56764+
56765 if (!perm) {
56766 ret = -EPERM;
56767 goto reterr;
56768diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
56769index 3257d42..b430b06 100644
56770--- a/drivers/uio/uio.c
56771+++ b/drivers/uio/uio.c
56772@@ -25,6 +25,7 @@
56773 #include <linux/kobject.h>
56774 #include <linux/cdev.h>
56775 #include <linux/uio_driver.h>
56776+#include <asm/local.h>
56777
56778 #define UIO_MAX_DEVICES (1U << MINORBITS)
56779
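Review bot: `#include <asm/local.h>` is added, but none of the uio.c hunks in this patch uses `local_t` or a `local_*()` helper. Every converted call is an `atomic_*_unchecked()` one. If nothing else in the file needs the header, drop the include. If something does, name the user in a comment beside it.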
56780@@ -231,7 +232,7 @@ static ssize_t event_show(struct device *dev,
56781 struct device_attribute *attr, char *buf)
56782 {
56783 struct uio_device *idev = dev_get_drvdata(dev);
56784- return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
56785+ return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
56786 }
56787 static DEVICE_ATTR_RO(event);
56788
56789@@ -393,7 +394,7 @@ void uio_event_notify(struct uio_info *info)
56790 {
56791 struct uio_device *idev = info->uio_dev;
56792
56793- atomic_inc(&idev->event);
56794+ atomic_inc_unchecked(&idev->event);
56795 wake_up_interruptible(&idev->wait);
56796 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
56797 }
56798@@ -446,7 +447,7 @@ static int uio_open(struct inode *inode, struct file *filep)
56799 }
56800
56801 listener->dev = idev;
56802- listener->event_count = atomic_read(&idev->event);
56803+ listener->event_count = atomic_read_unchecked(&idev->event);
56804 filep->private_data = listener;
56805
56806 if (idev->info->open) {
56807@@ -497,7 +498,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait)
56808 return -EIO;
56809
56810 poll_wait(filep, &idev->wait, wait);
56811- if (listener->event_count != atomic_read(&idev->event))
56812+ if (listener->event_count != atomic_read_unchecked(&idev->event))
56813 return POLLIN | POLLRDNORM;
56814 return 0;
56815 }
56816@@ -522,7 +523,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf,
56817 do {
56818 set_current_state(TASK_INTERRUPTIBLE);
56819
56820- event_count = atomic_read(&idev->event);
56821+ event_count = atomic_read_unchecked(&idev->event);
56822 if (event_count != listener->event_count) {
56823 if (copy_to_user(buf, &event_count, count))
56824 retval = -EFAULT;
56825@@ -579,9 +580,13 @@ static ssize_t uio_write(struct file *filep, const char __user *buf,
56826 static int uio_find_mem_index(struct vm_area_struct *vma)
56827 {
56828 struct uio_device *idev = vma->vm_private_data;
56829+ unsigned long size;
56830
56831 if (vma->vm_pgoff < MAX_UIO_MAPS) {
56832- if (idev->info->mem[vma->vm_pgoff].size == 0)
56833+ size = idev->info->mem[vma->vm_pgoff].size;
56834+ if (size == 0)
56835+ return -1;
56836+ if (vma->vm_end - vma->vm_start > size)
56837 return -1;
56838 return (int)vma->vm_pgoff;
56839 }
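Review bot: `size` is declared `unsigned long` but is loaded from `idev->info->mem[vma->vm_pgoff].size`, whose type is not visible here. If that member is wider than `unsigned long` on some configurations, the copy truncates and the new length comparison is made against the wrong value, so declare the local with the member's own type. The comparison is also byte-exact while `vma->vm_end - vma->vm_start` is always a multiple of the page size, so a region whose `size` is not page-aligned would now be rejected outright. State the intended policy in a comment above the check so that it is not loosened by accident later.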
56840@@ -813,7 +818,7 @@ int __uio_register_device(struct module *owner,
56841 idev->owner = owner;
56842 idev->info = info;
56843 init_waitqueue_head(&idev->wait);
56844- atomic_set(&idev->event, 0);
56845+ atomic_set_unchecked(&idev->event, 0);
56846
56847 ret = uio_get_minor(idev);
56848 if (ret)
56849diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
56850index 813d4d3..a71934f 100644
56851--- a/drivers/usb/atm/cxacru.c
56852+++ b/drivers/usb/atm/cxacru.c
56853@@ -472,7 +472,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev,
56854 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
56855 if (ret < 2)
56856 return -EINVAL;
56857- if (index < 0 || index > 0x7f)
56858+ if (index > 0x7f)
56859 return -EINVAL;
56860 pos += tmp;
56861
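Review bot: Dropping `index < 0` is only correct if `index` has an unsigned type, and its declaration is outside the hunk. The `%x` conversion in the `sscanf()` call above suggests it is unsigned, but if it were a signed `int`, a parsed value with the top bit set would now pass the range check. Confirm the declaration and make the assumption explicit at the test, e.g. `/* index is unsigned; only the upper bound needs checking */`.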
56862diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
56863index db322d9..f0f4bc1 100644
56864--- a/drivers/usb/atm/usbatm.c
56865+++ b/drivers/usb/atm/usbatm.c
56866@@ -331,7 +331,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
56867 if (printk_ratelimit())
56868 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
56869 __func__, vpi, vci);
56870- atomic_inc(&vcc->stats->rx_err);
56871+ atomic_inc_unchecked(&vcc->stats->rx_err);
56872 return;
56873 }
56874
56875@@ -358,7 +358,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
56876 if (length > ATM_MAX_AAL5_PDU) {
56877 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
56878 __func__, length, vcc);
56879- atomic_inc(&vcc->stats->rx_err);
56880+ atomic_inc_unchecked(&vcc->stats->rx_err);
56881 goto out;
56882 }
56883
56884@@ -367,14 +367,14 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
56885 if (sarb->len < pdu_length) {
56886 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
56887 __func__, pdu_length, sarb->len, vcc);
56888- atomic_inc(&vcc->stats->rx_err);
56889+ atomic_inc_unchecked(&vcc->stats->rx_err);
56890 goto out;
56891 }
56892
56893 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
56894 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
56895 __func__, vcc);
56896- atomic_inc(&vcc->stats->rx_err);
56897+ atomic_inc_unchecked(&vcc->stats->rx_err);
56898 goto out;
56899 }
56900
56901@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
56902 if (printk_ratelimit())
56903 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
56904 __func__, length);
56905- atomic_inc(&vcc->stats->rx_drop);
56906+ atomic_inc_unchecked(&vcc->stats->rx_drop);
56907 goto out;
56908 }
56909
56910@@ -415,7 +415,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
56911
56912 vcc->push(vcc, skb);
56913
56914- atomic_inc(&vcc->stats->rx);
56915+ atomic_inc_unchecked(&vcc->stats->rx);
56916 out:
56917 skb_trim(sarb, 0);
56918 }
56919@@ -613,7 +613,7 @@ static void usbatm_tx_process(unsigned long data)
56920 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
56921
56922 usbatm_pop(vcc, skb);
56923- atomic_inc(&vcc->stats->tx);
56924+ atomic_inc_unchecked(&vcc->stats->tx);
56925
56926 skb = skb_dequeue(&instance->sndqueue);
56927 }
56928@@ -757,11 +757,11 @@ static int usbatm_atm_proc_read(struct atm_dev *atm_dev, loff_t *pos, char *page
56929 if (!left--)
56930 return sprintf(page,
56931 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
56932- atomic_read(&atm_dev->stats.aal5.tx),
56933- atomic_read(&atm_dev->stats.aal5.tx_err),
56934- atomic_read(&atm_dev->stats.aal5.rx),
56935- atomic_read(&atm_dev->stats.aal5.rx_err),
56936- atomic_read(&atm_dev->stats.aal5.rx_drop));
56937+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
56938+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
56939+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
56940+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
56941+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
56942
56943 if (!left--) {
56944 if (instance->disconnected)
56945diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
56946index 2a3bbdf..91d72cf 100644
56947--- a/drivers/usb/core/devices.c
56948+++ b/drivers/usb/core/devices.c
56949@@ -126,7 +126,7 @@ static const char format_endpt[] =
56950 * time it gets called.
56951 */
56952 static struct device_connect_event {
56953- atomic_t count;
56954+ atomic_unchecked_t count;
56955 wait_queue_head_t wait;
56956 } device_event = {
56957 .count = ATOMIC_INIT(1),
56958@@ -164,7 +164,7 @@ static const struct class_info clas_info[] = {
56959
56960 void usbfs_conn_disc_event(void)
56961 {
56962- atomic_add(2, &device_event.count);
56963+ atomic_add_unchecked(2, &device_event.count);
56964 wake_up(&device_event.wait);
56965 }
56966
56967@@ -652,7 +652,7 @@ static unsigned int usb_device_poll(struct file *file,
56968
56969 poll_wait(file, &device_event.wait, wait);
56970
56971- event_count = atomic_read(&device_event.count);
56972+ event_count = atomic_read_unchecked(&device_event.count);
56973 if (file->f_version != event_count) {
56974 file->f_version = event_count;
56975 return POLLIN | POLLRDNORM;
56976diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
56977index 986abde..80e8279 100644
56978--- a/drivers/usb/core/devio.c
56979+++ b/drivers/usb/core/devio.c
56980@@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
56981 struct usb_dev_state *ps = file->private_data;
56982 struct usb_device *dev = ps->dev;
56983 ssize_t ret = 0;
56984- unsigned len;
56985+ size_t len;
56986 loff_t pos;
56987 int i;
56988
56989@@ -229,22 +229,22 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
56990 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
56991 struct usb_config_descriptor *config =
56992 (struct usb_config_descriptor *)dev->rawdescriptors[i];
56993- unsigned int length = le16_to_cpu(config->wTotalLength);
56994+ size_t length = le16_to_cpu(config->wTotalLength);
56995
56996 if (*ppos < pos + length) {
56997
56998 /* The descriptor may claim to be longer than it
56999 * really is. Here is the actual allocated length. */
57000- unsigned alloclen =
57001+ size_t alloclen =
57002 le16_to_cpu(dev->config[i].desc.wTotalLength);
57003
57004- len = length - (*ppos - pos);
57005+ len = length + pos - *ppos;
57006 if (len > nbytes)
57007 len = nbytes;
57008
57009 /* Simply don't write (skip over) unallocated parts */
57010 if (alloclen > (*ppos - pos)) {
57011- alloclen -= (*ppos - pos);
57012+ alloclen = alloclen + pos - *ppos;
57013 if (copy_to_user(buf,
57014 dev->rawdescriptors[i] + (*ppos - pos),
57015 min(len, alloclen))) {
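Review bot: The reordered expressions `len = length + pos - *ppos;` and `alloclen = alloclen + pos - *ppos;` stay in range for `size_t` only because of the guards directly above them (`*ppos < pos + length` and `alloclen > (*ppos - pos)`), and nothing records that the operand order is deliberate. A comment on the first one, e.g. `/* *ppos < pos + length was checked above, so this is positive */`, would keep a later cleanup from restoring the subtract-first form. usbdev_read starts and ends outside these hunks.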
57016diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
57017index cbcd092..e783f87 100644
57018--- a/drivers/usb/core/hcd.c
57019+++ b/drivers/usb/core/hcd.c
57020@@ -1554,7 +1554,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
57021 */
57022 usb_get_urb(urb);
57023 atomic_inc(&urb->use_count);
57024- atomic_inc(&urb->dev->urbnum);
57025+ atomic_inc_unchecked(&urb->dev->urbnum);
57026 usbmon_urb_submit(&hcd->self, urb);
57027
57028 /* NOTE requirements on root-hub callers (usbfs and the hub
57029@@ -1581,7 +1581,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
57030 urb->hcpriv = NULL;
57031 INIT_LIST_HEAD(&urb->urb_list);
57032 atomic_dec(&urb->use_count);
57033- atomic_dec(&urb->dev->urbnum);
57034+ atomic_dec_unchecked(&urb->dev->urbnum);
57035 if (atomic_read(&urb->reject))
57036 wake_up(&usb_kill_urb_queue);
57037 usb_put_urb(urb);
57038diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
57039index 73dfa19..c22f1e43 100644
57040--- a/drivers/usb/core/hub.c
57041+++ b/drivers/usb/core/hub.c
57042@@ -26,6 +26,7 @@
57043 #include <linux/mutex.h>
57044 #include <linux/random.h>
57045 #include <linux/pm_qos.h>
57046+#include <linux/grsecurity.h>
57047
57048 #include <asm/uaccess.h>
57049 #include <asm/byteorder.h>
57050@@ -4655,6 +4656,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
57051 goto done;
57052 return;
57053 }
57054+
57055+ if (gr_handle_new_usb())
57056+ goto done;
57057+
57058 if (hub_is_superspeed(hub->hdev))
57059 unit_load = 150;
57060 else
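Review bot: A device refused by `gr_handle_new_usb()` leaves no trace from this call site, because the branch jumps to `done` without recording which hub or port was involved. Unless the helper logs on its own (its body is not on this page), an operator investigating a blocked or unexpected device has nothing to correlate. A line such as `dev_info(hub->intfdev, "port %d: new device refused by policy\n", port1);` before the `goto` would provide that. The `done` label and the rest of hub_port_connect are outside the hunk.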
57061diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
57062index f368d20..0c30ac5 100644
57063--- a/drivers/usb/core/message.c
57064+++ b/drivers/usb/core/message.c
57065@@ -128,7 +128,7 @@ static int usb_internal_control_msg(struct usb_device *usb_dev,
57066 * Return: If successful, the number of bytes transferred. Otherwise, a negative
57067 * error number.
57068 */
57069-int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
57070+int __intentional_overflow(-1) usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
57071 __u8 requesttype, __u16 value, __u16 index, void *data,
57072 __u16 size, int timeout)
57073 {
57074@@ -180,7 +180,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg);
57075 * If successful, 0. Otherwise a negative error number. The number of actual
57076 * bytes transferred will be stored in the @actual_length parameter.
57077 */
57078-int usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe,
57079+int __intentional_overflow(-1) usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe,
57080 void *data, int len, int *actual_length, int timeout)
57081 {
57082 return usb_bulk_msg(usb_dev, pipe, data, len, actual_length, timeout);
57083@@ -220,7 +220,7 @@ EXPORT_SYMBOL_GPL(usb_interrupt_msg);
57084 * bytes transferred will be stored in the @actual_length parameter.
57085 *
57086 */
57087-int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
57088+int __intentional_overflow(-1) usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
57089 void *data, int len, int *actual_length, int timeout)
57090 {
57091 struct urb *urb;
57092diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
57093index d269738..7340cd7 100644
57094--- a/drivers/usb/core/sysfs.c
57095+++ b/drivers/usb/core/sysfs.c
57096@@ -244,7 +244,7 @@ static ssize_t urbnum_show(struct device *dev, struct device_attribute *attr,
57097 struct usb_device *udev;
57098
57099 udev = to_usb_device(dev);
57100- return sprintf(buf, "%d\n", atomic_read(&udev->urbnum));
57101+ return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum));
57102 }
57103 static DEVICE_ATTR_RO(urbnum);
57104
57105diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
57106index 8d5b2f4..3896940 100644
57107--- a/drivers/usb/core/usb.c
57108+++ b/drivers/usb/core/usb.c
57109@@ -447,7 +447,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
57110 set_dev_node(&dev->dev, dev_to_node(bus->controller));
57111 dev->state = USB_STATE_ATTACHED;
57112 dev->lpm_disable_count = 1;
57113- atomic_set(&dev->urbnum, 0);
57114+ atomic_set_unchecked(&dev->urbnum, 0);
57115
57116 INIT_LIST_HEAD(&dev->ep0.urb_list);
57117 dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
57118diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
57119index 8cfc319..4868255 100644
57120--- a/drivers/usb/early/ehci-dbgp.c
57121+++ b/drivers/usb/early/ehci-dbgp.c
57122@@ -98,7 +98,8 @@ static inline u32 dbgp_len_update(u32 x, u32 len)
57123
57124 #ifdef CONFIG_KGDB
57125 static struct kgdb_io kgdbdbgp_io_ops;
57126-#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
57127+static struct kgdb_io kgdbdbgp_io_ops_console;
57128+#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console)
57129 #else
57130 #define dbgp_kgdb_mode (0)
57131 #endif
57132@@ -1043,6 +1044,13 @@ static struct kgdb_io kgdbdbgp_io_ops = {
57133 .write_char = kgdbdbgp_write_char,
57134 };
57135
57136+static struct kgdb_io kgdbdbgp_io_ops_console = {
57137+ .name = "kgdbdbgp",
57138+ .read_char = kgdbdbgp_read_char,
57139+ .write_char = kgdbdbgp_write_char,
57140+ .is_console = 1
57141+};
57142+
57143 static int kgdbdbgp_wait_time;
57144
57145 static int __init kgdbdbgp_parse_config(char *str)
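Review bot: `kgdbdbgp_io_ops_console` duplicates `kgdbdbgp_io_ops` except for `.is_console = 1`, and nothing says why two tables are needed. Presumably the aim is that neither structure is written after initialisation, since the code removed from kgdbdbgp_parse_config in the next hunk set `is_console` at run time; a maintainer who does not know that is likely to merge the tables again. A comment above the new definition, e.g. `/* separate table so is_console is fixed at build time and the ops are never written */`, would record the intent. A trailing comma after `.is_console = 1` would also match the table above it.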
57146@@ -1058,8 +1066,10 @@ static int __init kgdbdbgp_parse_config(char *str)
57147 ptr++;
57148 kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10);
57149 }
57150- kgdb_register_io_module(&kgdbdbgp_io_ops);
57151- kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1;
57152+ if (early_dbgp_console.index != -1)
57153+ kgdb_register_io_module(&kgdbdbgp_io_ops_console);
57154+ else
57155+ kgdb_register_io_module(&kgdbdbgp_io_ops);
57156
57157 return 0;
57158 }
57159diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c
57160index 7856b33..8b7fe09 100644
57161--- a/drivers/usb/gadget/function/f_uac1.c
57162+++ b/drivers/usb/gadget/function/f_uac1.c
57163@@ -14,6 +14,7 @@
57164 #include <linux/module.h>
57165 #include <linux/device.h>
57166 #include <linux/atomic.h>
57167+#include <linux/module.h>
57168
57169 #include "u_uac1.h"
57170
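Review bot: The added `#include <linux/module.h>` repeats the include three lines above it in the same block. The header guard makes the duplicate harmless, but the line can simply be dropped.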
57171diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
57172index 7ee05793..2e31e99 100644
57173--- a/drivers/usb/gadget/function/u_serial.c
57174+++ b/drivers/usb/gadget/function/u_serial.c
57175@@ -732,9 +732,9 @@ static int gs_open(struct tty_struct *tty, struct file *file)
57176 spin_lock_irq(&port->port_lock);
57177
57178 /* already open? Great. */
57179- if (port->port.count) {
57180+ if (atomic_read(&port->port.count)) {
57181 status = 0;
57182- port->port.count++;
57183+ atomic_inc(&port->port.count);
57184
57185 /* currently opening/closing? wait ... */
57186 } else if (port->openclose) {
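Review bot: Switching `port->port.count` to `atomic_read()`/`atomic_inc()` does not make the test-then-increment in gs_open atomic as a pair; it stays correct only because both calls run under `port->port_lock`, taken on the first line of the hunk. A comment saying so, e.g. `/* count is only changed under port_lock; the atomic type alone does not tie this check to the update */`, would stop a later change from moving either call outside the lock. gs_close has the same shape, with two `atomic_read()` calls followed by `atomic_dec()`. Reading the count once into a local there would make the single-snapshot intent explicit.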
57187@@ -793,7 +793,7 @@ static int gs_open(struct tty_struct *tty, struct file *file)
57188 tty->driver_data = port;
57189 port->port.tty = tty;
57190
57191- port->port.count = 1;
57192+ atomic_set(&port->port.count, 1);
57193 port->openclose = false;
57194
57195 /* if connected, start the I/O stream */
57196@@ -835,11 +835,11 @@ static void gs_close(struct tty_struct *tty, struct file *file)
57197
57198 spin_lock_irq(&port->port_lock);
57199
57200- if (port->port.count != 1) {
57201- if (port->port.count == 0)
57202+ if (atomic_read(&port->port.count) != 1) {
57203+ if (atomic_read(&port->port.count) == 0)
57204 WARN_ON(1);
57205 else
57206- --port->port.count;
57207+ atomic_dec(&port->port.count);
57208 goto exit;
57209 }
57210
57211@@ -849,7 +849,7 @@ static void gs_close(struct tty_struct *tty, struct file *file)
57212 * and sleep if necessary
57213 */
57214 port->openclose = true;
57215- port->port.count = 0;
57216+ atomic_set(&port->port.count, 0);
57217
57218 gser = port->port_usb;
57219 if (gser && gser->disconnect)
57220@@ -1065,7 +1065,7 @@ static int gs_closed(struct gs_port *port)
57221 int cond;
57222
57223 spin_lock_irq(&port->port_lock);
57224- cond = (port->port.count == 0) && !port->openclose;
57225+ cond = (atomic_read(&port->port.count) == 0) && !port->openclose;
57226 spin_unlock_irq(&port->port_lock);
57227 return cond;
57228 }
57229@@ -1208,7 +1208,7 @@ int gserial_connect(struct gserial *gser, u8 port_num)
57230 /* if it's already open, start I/O ... and notify the serial
57231 * protocol about open/close status (connect/disconnect).
57232 */
57233- if (port->port.count) {
57234+ if (atomic_read(&port->port.count)) {
57235 pr_debug("gserial_connect: start ttyGS%d\n", port->port_num);
57236 gs_start_io(port);
57237 if (gser->connect)
57238@@ -1255,7 +1255,7 @@ void gserial_disconnect(struct gserial *gser)
57239
57240 port->port_usb = NULL;
57241 gser->ioport = NULL;
57242- if (port->port.count > 0 || port->openclose) {
57243+ if (atomic_read(&port->port.count) > 0 || port->openclose) {
57244 wake_up_interruptible(&port->drain_wait);
57245 if (port->port.tty)
57246 tty_hangup(port->port.tty);
57247@@ -1271,7 +1271,7 @@ void gserial_disconnect(struct gserial *gser)
57248
57249 /* finally, free any unused/unusable I/O buffers */
57250 spin_lock_irqsave(&port->port_lock, flags);
57251- if (port->port.count == 0 && !port->openclose)
57252+ if (atomic_read(&port->port.count) == 0 && !port->openclose)
57253 gs_buf_free(&port->port_write_buf);
57254 gs_free_requests(gser->out, &port->read_pool, NULL);
57255 gs_free_requests(gser->out, &port->read_queue, NULL);
57256diff --git a/drivers/usb/gadget/function/u_uac1.c b/drivers/usb/gadget/function/u_uac1.c
57257index c78c841..48fd281 100644
57258--- a/drivers/usb/gadget/function/u_uac1.c
57259+++ b/drivers/usb/gadget/function/u_uac1.c
57260@@ -17,6 +17,7 @@
57261 #include <linux/ctype.h>
57262 #include <linux/random.h>
57263 #include <linux/syscalls.h>
57264+#include <linux/module.h>
57265
57266 #include "u_uac1.h"
57267
57268diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
57269index 181112c..036bcab 100644
57270--- a/drivers/usb/gadget/udc/dummy_hcd.c
57271+++ b/drivers/usb/gadget/udc/dummy_hcd.c
57272@@ -2384,7 +2384,7 @@ static int dummy_setup(struct usb_hcd *hcd)
57273 struct dummy *dum;
57274
57275 dum = *((void **)dev_get_platdata(hcd->self.controller));
57276- hcd->self.sg_tablesize = ~0;
57277+ hcd->self.sg_tablesize = SG_ALL;
57278 if (usb_hcd_is_primary_hcd(hcd)) {
57279 dum->hs_hcd = hcd_to_dummy_hcd(hcd);
57280 dum->hs_hcd->dum = dum;
57281diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
57282index c63d82c..a7e8665 100644
57283--- a/drivers/usb/host/ehci-hcd.c
57284+++ b/drivers/usb/host/ehci-hcd.c
57285@@ -564,7 +564,7 @@ static int ehci_init(struct usb_hcd *hcd)
57286
57287 /* Accept arbitrarily long scatter-gather lists */
57288 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
57289- hcd->self.sg_tablesize = ~0;
57290+ hcd->self.sg_tablesize = SG_ALL;
57291 return 0;
57292 }
57293
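Review bot: The context comment `/* Accept arbitrarily long scatter-gather lists */` no longer matches the assignment below it: `~0` set every bit of `sg_tablesize`, while `SG_ALL` is a named finite limit (its definition is not on this page). Reword it to something like `/* Accept scatter-gather lists of up to SG_ALL entries */`. The same stale comment sits above the identical change in fotg210-hcd.c, fusbh200-hcd.c, ohci-hcd.c, uhci-hcd.c and xhci.c. It is also worth confirming that each of these files already includes the header defining `SG_ALL`, since no include is added in these hunks.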
57294diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
57295index 22abb68..50b7b84 100644
57296--- a/drivers/usb/host/ehci-hub.c
57297+++ b/drivers/usb/host/ehci-hub.c
57298@@ -773,7 +773,7 @@ static struct urb *request_single_step_set_feature_urb(
57299 urb->transfer_flags = URB_DIR_IN;
57300 usb_get_urb(urb);
57301 atomic_inc(&urb->use_count);
57302- atomic_inc(&urb->dev->urbnum);
57303+ atomic_inc_unchecked(&urb->dev->urbnum);
57304 urb->setup_dma = dma_map_single(
57305 hcd->self.controller,
57306 urb->setup_packet,
57307@@ -840,7 +840,7 @@ static int ehset_single_step_set_feature(struct usb_hcd *hcd, int port)
57308 urb->status = -EINPROGRESS;
57309 usb_get_urb(urb);
57310 atomic_inc(&urb->use_count);
57311- atomic_inc(&urb->dev->urbnum);
57312+ atomic_inc_unchecked(&urb->dev->urbnum);
57313 retval = submit_single_step_set_feature(hcd, urb, 0);
57314 if (!retval && !wait_for_completion_timeout(&done,
57315 msecs_to_jiffies(2000))) {
57316diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c
57317index 54f5332..8b8335c 100644
57318--- a/drivers/usb/host/ehci-q.c
57319+++ b/drivers/usb/host/ehci-q.c
57320@@ -44,9 +44,9 @@
57321
57322 static int
57323 qtd_fill(struct ehci_hcd *ehci, struct ehci_qtd *qtd, dma_addr_t buf,
57324- size_t len, int token, int maxpacket)
57325+ size_t len, u32 token, int maxpacket)
57326 {
57327- int i, count;
57328+ u32 i, count;
57329 u64 addr = buf;
57330
57331 /* one buffer entry per 4K ... first might be short or unaligned */
57332diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
57333index 000ed80..2701154 100644
57334--- a/drivers/usb/host/fotg210-hcd.c
57335+++ b/drivers/usb/host/fotg210-hcd.c
57336@@ -5231,7 +5231,7 @@ static int hcd_fotg210_init(struct usb_hcd *hcd)
57337
57338 /* Accept arbitrarily long scatter-gather lists */
57339 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
57340- hcd->self.sg_tablesize = ~0;
57341+ hcd->self.sg_tablesize = SG_ALL;
57342 return 0;
57343 }
57344
57345diff --git a/drivers/usb/host/fusbh200-hcd.c b/drivers/usb/host/fusbh200-hcd.c
57346index 1fd8718..c7ff47c 100644
57347--- a/drivers/usb/host/fusbh200-hcd.c
57348+++ b/drivers/usb/host/fusbh200-hcd.c
57349@@ -5156,7 +5156,7 @@ static int hcd_fusbh200_init(struct usb_hcd *hcd)
57350
57351 /* Accept arbitrarily long scatter-gather lists */
57352 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
57353- hcd->self.sg_tablesize = ~0;
57354+ hcd->self.sg_tablesize = SG_ALL;
57355 return 0;
57356 }
57357
57358diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
57359index 1db0626..2e9f5ea 100644
57360--- a/drivers/usb/host/hwa-hc.c
57361+++ b/drivers/usb/host/hwa-hc.c
57362@@ -337,7 +337,10 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index,
57363 struct hwahc *hwahc = container_of(wusbhc, struct hwahc, wusbhc);
57364 struct wahc *wa = &hwahc->wa;
57365 struct device *dev = &wa->usb_iface->dev;
57366- u8 mas_le[UWB_NUM_MAS/8];
57367+ u8 *mas_le = kmalloc(UWB_NUM_MAS/8, GFP_KERNEL);
57368+
57369+ if (mas_le == NULL)
57370+ return -ENOMEM;
57371
57372 /* Set the stream index */
57373 result = usb_control_msg(wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0),
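Review bot: `kmalloc()` leaves the new `mas_le` buffer uninitialised, and the code that fills it lies between this hunk and the next. It therefore cannot be confirmed here that all `UWB_NUM_MAS/8` bytes are written before the second `usb_control_msg()` sends them to the device. Using `u8 *mas_le = kzalloc(UWB_NUM_MAS/8, GFP_KERNEL);` removes any chance of stale heap contents going out on the bus. Since the size now appears both in the allocation and as the transfer length in the next hunk, a named local for `UWB_NUM_MAS/8` would keep the two in step.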
57374@@ -356,10 +359,12 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index,
57375 WUSB_REQ_SET_WUSB_MAS,
57376 USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE,
57377 0, wa->usb_iface->cur_altsetting->desc.bInterfaceNumber,
57378- mas_le, 32, USB_CTRL_SET_TIMEOUT);
57379+ mas_le, UWB_NUM_MAS/8, USB_CTRL_SET_TIMEOUT);
57380 if (result < 0)
57381 dev_err(dev, "Cannot set WUSB MAS allocation: %d\n", result);
57382 out:
57383+ kfree(mas_le);
57384+
57385 return result;
57386 }
57387
57388@@ -812,7 +817,7 @@ static int hwahc_probe(struct usb_interface *usb_iface,
57389 goto error_alloc;
57390 }
57391 usb_hcd->wireless = 1;
57392- usb_hcd->self.sg_tablesize = ~0;
57393+ usb_hcd->self.sg_tablesize = SG_ALL;
57394 wusbhc = usb_hcd_to_wusbhc(usb_hcd);
57395 hwahc = container_of(wusbhc, struct hwahc, wusbhc);
57396 hwahc_init(hwahc);
57397diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
57398index 760cb57..fc7f8ad 100644
57399--- a/drivers/usb/host/ohci-hcd.c
57400+++ b/drivers/usb/host/ohci-hcd.c
57401@@ -444,7 +444,7 @@ static int ohci_init (struct ohci_hcd *ohci)
57402 struct usb_hcd *hcd = ohci_to_hcd(ohci);
57403
57404 /* Accept arbitrarily long scatter-gather lists */
57405- hcd->self.sg_tablesize = ~0;
57406+ hcd->self.sg_tablesize = SG_ALL;
57407
57408 if (distrust_firmware)
57409 ohci->flags |= OHCI_QUIRK_HUB_POWER;
57410diff --git a/drivers/usb/host/r8a66597.h b/drivers/usb/host/r8a66597.h
57411index 672cea3..31a730db 100644
57412--- a/drivers/usb/host/r8a66597.h
57413+++ b/drivers/usb/host/r8a66597.h
57414@@ -125,7 +125,7 @@ struct r8a66597 {
57415 unsigned short interval_map;
57416 unsigned char pipe_cnt[R8A66597_MAX_NUM_PIPE];
57417 unsigned char dma_map;
57418- unsigned int max_root_hub;
57419+ unsigned char max_root_hub;
57420
57421 struct list_head child_device;
57422 unsigned long child_connect_map[4];
57423diff --git a/drivers/usb/host/uhci-hcd.c b/drivers/usb/host/uhci-hcd.c
57424index a7de8e8..e1ef134 100644
57425--- a/drivers/usb/host/uhci-hcd.c
57426+++ b/drivers/usb/host/uhci-hcd.c
57427@@ -570,7 +570,7 @@ static int uhci_start(struct usb_hcd *hcd)
57428 hcd->uses_new_polling = 1;
57429 /* Accept arbitrarily long scatter-gather lists */
57430 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
57431- hcd->self.sg_tablesize = ~0;
57432+ hcd->self.sg_tablesize = SG_ALL;
57433
57434 spin_lock_init(&uhci->lock);
57435 setup_timer(&uhci->fsbr_timer, uhci_fsbr_timeout,
57436diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
57437index 5590eac..16d71c5 100644
57438--- a/drivers/usb/host/xhci-pci.c
57439+++ b/drivers/usb/host/xhci-pci.c
57440@@ -30,7 +30,7 @@
57441
57442 #define PORT2_SSIC_CONFIG_REG2 0x883c
57443 #define PROG_DONE (1 << 30)
57444-#define SSIC_PORT_UNUSED (1 << 31)
57445+#define SSIC_PORT_UNUSED (1U << 31)
57446
57447 /* Device for a quirk */
57448 #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
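Review bot: `PROG_DONE` directly above is still written `(1 << 30)` while `SSIC_PORT_UNUSED` becomes `(1U << 31)`, so two adjacent bit masks now differ in signedness. Writing both as unsigned, `#define PROG_DONE (1U << 30)`, or both with `BIT()`, keeps any expression that combines them in unsigned arithmetic.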
57449diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
57450index 526ebc0..fa8f325 100644
57451--- a/drivers/usb/host/xhci.c
57452+++ b/drivers/usb/host/xhci.c
57453@@ -4834,7 +4834,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
57454 int retval;
57455
57456 /* Accept arbitrarily long scatter-gather lists */
57457- hcd->self.sg_tablesize = ~0;
57458+ hcd->self.sg_tablesize = SG_ALL;
57459
57460 /* support to build packet from discontinuous buffers */
57461 hcd->self.no_sg_constraint = 1;
57462diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
57463index a0a3827..d7ec10b 100644
57464--- a/drivers/usb/misc/appledisplay.c
57465+++ b/drivers/usb/misc/appledisplay.c
57466@@ -84,7 +84,7 @@ struct appledisplay {
57467 struct mutex sysfslock; /* concurrent read and write */
57468 };
57469
57470-static atomic_t count_displays = ATOMIC_INIT(0);
57471+static atomic_unchecked_t count_displays = ATOMIC_INIT(0);
57472 static struct workqueue_struct *wq;
57473
57474 static void appledisplay_complete(struct urb *urb)
57475@@ -288,7 +288,7 @@ static int appledisplay_probe(struct usb_interface *iface,
57476
57477 /* Register backlight device */
57478 snprintf(bl_name, sizeof(bl_name), "appledisplay%d",
57479- atomic_inc_return(&count_displays) - 1);
57480+ atomic_inc_return_unchecked(&count_displays) - 1);
57481 memset(&props, 0, sizeof(struct backlight_properties));
57482 props.type = BACKLIGHT_RAW;
57483 props.max_brightness = 0xff;
57484diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
57485index 3806e70..55c508b 100644
57486--- a/drivers/usb/serial/console.c
57487+++ b/drivers/usb/serial/console.c
57488@@ -126,7 +126,7 @@ static int usb_console_setup(struct console *co, char *options)
57489
57490 info->port = port;
57491
57492- ++port->port.count;
57493+ atomic_inc(&port->port.count);
57494 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
57495 if (serial->type->set_termios) {
57496 /*
57497@@ -175,7 +175,7 @@ static int usb_console_setup(struct console *co, char *options)
57498 }
57499 /* Now that any required fake tty operations are completed restore
57500 * the tty port count */
57501- --port->port.count;
57502+ atomic_dec(&port->port.count);
57503 /* The console is special in terms of closing the device so
57504 * indicate this port is now acting as a system console. */
57505 port->port.console = 1;
57506@@ -188,7 +188,7 @@ static int usb_console_setup(struct console *co, char *options)
57507 put_tty:
57508 tty_kref_put(tty);
57509 reset_open_count:
57510- port->port.count = 0;
57511+ atomic_set(&port->port.count, 0);
57512 usb_autopm_put_interface(serial->interface);
57513 error_get_interface:
57514 usb_serial_put(serial);
57515@@ -199,7 +199,7 @@ static int usb_console_setup(struct console *co, char *options)
57516 static void usb_console_write(struct console *co,
57517 const char *buf, unsigned count)
57518 {
57519- static struct usbcons_info *info = &usbcons_info;
57520+ struct usbcons_info *info = &usbcons_info;
57521 struct usb_serial_port *port = info->port;
57522 struct usb_serial *serial;
57523 int retval = -ENODEV;
57524diff --git a/drivers/usb/storage/usb.c b/drivers/usb/storage/usb.c
57525index 43576ed..583589d 100644
57526--- a/drivers/usb/storage/usb.c
57527+++ b/drivers/usb/storage/usb.c
57528@@ -912,7 +912,7 @@ static void usb_stor_scan_dwork(struct work_struct *work)
57529 clear_bit(US_FLIDX_SCAN_PENDING, &us->dflags);
57530 }
57531
57532-static unsigned int usb_stor_sg_tablesize(struct usb_interface *intf)
57533+static unsigned short usb_stor_sg_tablesize(struct usb_interface *intf)
57534 {
57535 struct usb_device *usb_dev = interface_to_usbdev(intf);
57536
57537diff --git a/drivers/usb/storage/usb.h b/drivers/usb/storage/usb.h
57538index da0ad32..50b5bbe 100644
57539--- a/drivers/usb/storage/usb.h
57540+++ b/drivers/usb/storage/usb.h
57541@@ -63,7 +63,7 @@ struct us_unusual_dev {
57542 __u8 useProtocol;
57543 __u8 useTransport;
57544 int (*initFunction)(struct us_data *);
57545-};
57546+} __do_const;
57547
57548
57549 /* Dynamic bitflag definitions (us->dflags): used in set_bit() etc. */
57550diff --git a/drivers/usb/usbip/vhci.h b/drivers/usb/usbip/vhci.h
57551index a863a98..d272795 100644
57552--- a/drivers/usb/usbip/vhci.h
57553+++ b/drivers/usb/usbip/vhci.h
57554@@ -83,7 +83,7 @@ struct vhci_hcd {
57555 unsigned resuming:1;
57556 unsigned long re_timeout;
57557
57558- atomic_t seqnum;
57559+ atomic_unchecked_t seqnum;
57560
57561 /*
57562 * NOTE:
57563diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
57564index e9ef1ec..c3a0b04 100644
57565--- a/drivers/usb/usbip/vhci_hcd.c
57566+++ b/drivers/usb/usbip/vhci_hcd.c
57567@@ -440,7 +440,7 @@ static void vhci_tx_urb(struct urb *urb)
57568
57569 spin_lock(&vdev->priv_lock);
57570
57571- priv->seqnum = atomic_inc_return(&the_controller->seqnum);
57572+ priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
57573 if (priv->seqnum == 0xffff)
57574 dev_info(&urb->dev->dev, "seqnum max\n");
57575
57576@@ -685,7 +685,7 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
57577 return -ENOMEM;
57578 }
57579
57580- unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
57581+ unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
57582 if (unlink->seqnum == 0xffff)
57583 pr_info("seqnum max\n");
57584
57585@@ -889,7 +889,7 @@ static int vhci_start(struct usb_hcd *hcd)
57586 vdev->rhport = rhport;
57587 }
57588
57589- atomic_set(&vhci->seqnum, 0);
57590+ atomic_set_unchecked(&vhci->seqnum, 0);
57591 spin_lock_init(&vhci->lock);
57592
57593 hcd->power_budget = 0; /* no limit */
57594diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c
57595index 00e4a54..d676f85 100644
57596--- a/drivers/usb/usbip/vhci_rx.c
57597+++ b/drivers/usb/usbip/vhci_rx.c
57598@@ -80,7 +80,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
57599 if (!urb) {
57600 pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
57601 pr_info("max seqnum %d\n",
57602- atomic_read(&the_controller->seqnum));
57603+ atomic_read_unchecked(&the_controller->seqnum));
57604 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
57605 return;
57606 }
57607diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
57608index 211f43f..6c22ae1 100644
57609--- a/drivers/usb/usbip/vhci_sysfs.c
57610+++ b/drivers/usb/usbip/vhci_sysfs.c
57611@@ -59,7 +59,7 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr,
57612 if (vdev->ud.status == VDEV_ST_USED) {
57613 out += sprintf(out, "%03u %08x ",
57614 vdev->speed, vdev->devid);
57615- out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
57616+ out += sprintf(out, "%16pK ", vdev->ud.tcp_socket);
57617 out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
57618
57619 } else {
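Review bot: `%16pK` masks the socket address only for readers that the kernel's pointer-restriction policy treats as unprivileged, so privileged readers of this sysfs attribute still receive a live kernel address. If the field serves only as an opaque connection identifier for user space (not verifiable from this hunk), a non-address value would remove the exposure entirely. At minimum add a comment, e.g. `/* %pK: kernel address, hidden according to kptr_restrict */`, so the format is not changed back to `%p` later.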
57620diff --git a/drivers/usb/wusbcore/wa-hc.h b/drivers/usb/wusbcore/wa-hc.h
57621index edc7267..9f65ce2 100644
57622--- a/drivers/usb/wusbcore/wa-hc.h
57623+++ b/drivers/usb/wusbcore/wa-hc.h
57624@@ -240,7 +240,7 @@ struct wahc {
57625 spinlock_t xfer_list_lock;
57626 struct work_struct xfer_enqueue_work;
57627 struct work_struct xfer_error_work;
57628- atomic_t xfer_id_count;
57629+ atomic_unchecked_t xfer_id_count;
57630
57631 kernel_ulong_t quirks;
57632 };
57633@@ -305,7 +305,7 @@ static inline void wa_init(struct wahc *wa)
57634 INIT_WORK(&wa->xfer_enqueue_work, wa_urb_enqueue_run);
57635 INIT_WORK(&wa->xfer_error_work, wa_process_errored_transfers_run);
57636 wa->dto_in_use = 0;
57637- atomic_set(&wa->xfer_id_count, 1);
57638+ atomic_set_unchecked(&wa->xfer_id_count, 1);
57639 /* init the buf in URBs */
57640 for (index = 0; index < WA_MAX_BUF_IN_URBS; ++index)
57641 usb_init_urb(&(wa->buf_in_urbs[index]));
57642diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
57643index 69af4fd..da390d7 100644
57644--- a/drivers/usb/wusbcore/wa-xfer.c
57645+++ b/drivers/usb/wusbcore/wa-xfer.c
57646@@ -314,7 +314,7 @@ static void wa_xfer_completion(struct wa_xfer *xfer)
57647 */
57648 static void wa_xfer_id_init(struct wa_xfer *xfer)
57649 {
57650- xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
57651+ xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
57652 }
57653
57654 /* Return the xfer's ID. */
57655diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
57656index 563c510..1fcc957 100644
57657--- a/drivers/vfio/vfio.c
57658+++ b/drivers/vfio/vfio.c
57659@@ -517,7 +517,7 @@ static int vfio_group_nb_add_dev(struct vfio_group *group, struct device *dev)
57660 return 0;
57661
57662 /* TODO Prevent device auto probing */
57663- WARN("Device %s added to live group %d!\n", dev_name(dev),
57664+ WARN(1, "Device %s added to live group %d!\n", dev_name(dev),
57665 iommu_group_id(group->iommu_group));
57666
57667 return 0;
57668diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
57669index 3bb02c6..a01ff38 100644
57670--- a/drivers/vhost/vringh.c
57671+++ b/drivers/vhost/vringh.c
57672@@ -551,7 +551,7 @@ static inline void __vringh_notify_disable(struct vringh *vrh,
57673 static inline int getu16_user(const struct vringh *vrh, u16 *val, const __virtio16 *p)
57674 {
57675 __virtio16 v = 0;
57676- int rc = get_user(v, (__force __virtio16 __user *)p);
57677+ int rc = get_user(v, (__force_user __virtio16 *)p);
57678 *val = vringh16_to_cpu(vrh, v);
57679 return rc;
57680 }
57681@@ -559,12 +559,12 @@ static inline int getu16_user(const struct vringh *vrh, u16 *val, const __virtio
57682 static inline int putu16_user(const struct vringh *vrh, __virtio16 *p, u16 val)
57683 {
57684 __virtio16 v = cpu_to_vringh16(vrh, val);
57685- return put_user(v, (__force __virtio16 __user *)p);
57686+ return put_user(v, (__force_user __virtio16 *)p);
57687 }
57688
57689 static inline int copydesc_user(void *dst, const void *src, size_t len)
57690 {
57691- return copy_from_user(dst, (__force void __user *)src, len) ?
57692+ return copy_from_user(dst, (void __force_user *)src, len) ?
57693 -EFAULT : 0;
57694 }
57695
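Review bot: The user-pointer casts in this file are spelled two different ways, `(__force_user __virtio16 *)p` in `getu16_user()`/`putu16_user()` and `(void __force_user *)src` in `copydesc_user()`, `putused_user()`, `xfer_from_user()` and `xfer_to_user()`. Both presumably expand to the same annotation, but `__force_user` is defined outside this hunk, so the mixed placement makes it harder to grep for and audit every place where a kernel-typed pointer is relabelled as a user pointer. I would pick one form throughout, for example `(__virtio16 __force_user *)p`.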
57696@@ -572,19 +572,19 @@ static inline int putused_user(struct vring_used_elem *dst,
57697 const struct vring_used_elem *src,
57698 unsigned int num)
57699 {
57700- return copy_to_user((__force void __user *)dst, src,
57701+ return copy_to_user((void __force_user *)dst, src,
57702 sizeof(*dst) * num) ? -EFAULT : 0;
57703 }
57704
57705 static inline int xfer_from_user(void *src, void *dst, size_t len)
57706 {
57707- return copy_from_user(dst, (__force void __user *)src, len) ?
57708+ return copy_from_user(dst, (void __force_user *)src, len) ?
57709 -EFAULT : 0;
57710 }
57711
57712 static inline int xfer_to_user(void *dst, void *src, size_t len)
57713 {
57714- return copy_to_user((__force void __user *)dst, src, len) ?
57715+ return copy_to_user((void __force_user *)dst, src, len) ?
57716 -EFAULT : 0;
57717 }
57718
57719@@ -621,9 +621,9 @@ int vringh_init_user(struct vringh *vrh, u64 features,
57720 vrh->last_used_idx = 0;
57721 vrh->vring.num = num;
57722 /* vring expects kernel addresses, but only used via accessors. */
57723- vrh->vring.desc = (__force struct vring_desc *)desc;
57724- vrh->vring.avail = (__force struct vring_avail *)avail;
57725- vrh->vring.used = (__force struct vring_used *)used;
57726+ vrh->vring.desc = (__force_kernel struct vring_desc *)desc;
57727+ vrh->vring.avail = (__force_kernel struct vring_avail *)avail;
57728+ vrh->vring.used = (__force_kernel struct vring_used *)used;
57729 return 0;
57730 }
57731 EXPORT_SYMBOL(vringh_init_user);
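Review bot: The three `__force_kernel` casts in `vringh_init_user()` store userspace addresses in fields typed as kernel pointers, and the existing one-line comment does not say what must never be done with them. With the address-space annotation forced away, a later direct dereference of `vrh->vring.desc`, `.avail` or `.used` would presumably not be flagged by the checker. I would extend the comment to something like `/* userspace addresses kept in kernel-typed fields; dereference only through the *_user accessors */`. The function starts above this hunk.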
57732@@ -826,7 +826,7 @@ static inline int getu16_kern(const struct vringh *vrh,
57733
57734 static inline int putu16_kern(const struct vringh *vrh, __virtio16 *p, u16 val)
57735 {
57736- ACCESS_ONCE(*p) = cpu_to_vringh16(vrh, val);
57737+ ACCESS_ONCE_RW(*p) = cpu_to_vringh16(vrh, val);
57738 return 0;
57739 }
57740
57741diff --git a/drivers/video/backlight/kb3886_bl.c b/drivers/video/backlight/kb3886_bl.c
57742index 84a110a..96312c3 100644
57743--- a/drivers/video/backlight/kb3886_bl.c
57744+++ b/drivers/video/backlight/kb3886_bl.c
57745@@ -78,7 +78,7 @@ static struct kb3886bl_machinfo *bl_machinfo;
57746 static unsigned long kb3886bl_flags;
57747 #define KB3886BL_SUSPENDED 0x01
57748
57749-static struct dmi_system_id kb3886bl_device_table[] __initdata = {
57750+static const struct dmi_system_id kb3886bl_device_table[] __initconst = {
57751 {
57752 .ident = "Sahara Touch-iT",
57753 .matches = {
57754diff --git a/drivers/video/fbdev/arcfb.c b/drivers/video/fbdev/arcfb.c
57755index 1b0b233..6f34c2c 100644
57756--- a/drivers/video/fbdev/arcfb.c
57757+++ b/drivers/video/fbdev/arcfb.c
57758@@ -458,7 +458,7 @@ static ssize_t arcfb_write(struct fb_info *info, const char __user *buf,
57759 return -ENOSPC;
57760
57761 err = 0;
57762- if ((count + p) > fbmemlength) {
57763+ if (count > (fbmemlength - p)) {
57764 count = fbmemlength - p;
57765 err = -ENOSPC;
57766 }
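Review bot: The rewritten test `count > (fbmemlength - p)` is only safe if `p <= fbmemlength` has already been established, because otherwise the subtraction itself wraps (assuming these are unsigned, which the hunk does not show). The `return -ENOSPC` just above is presumably that guard, but its condition lies outside the hunk. A comment on the new line, for example `/* p <= fbmemlength checked above, so the subtraction cannot wrap */`, would keep the dependency visible if the earlier check is ever relaxed.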
57767diff --git a/drivers/video/fbdev/aty/aty128fb.c b/drivers/video/fbdev/aty/aty128fb.c
57768index c42ce2f..4c8bc59 100644
57769--- a/drivers/video/fbdev/aty/aty128fb.c
57770+++ b/drivers/video/fbdev/aty/aty128fb.c
57771@@ -145,7 +145,7 @@ enum {
57772 };
57773
57774 /* Must match above enum */
57775-static char * const r128_family[] = {
57776+static const char * const r128_family[] = {
57777 "AGP",
57778 "PCI",
57779 "PRO AGP",
57780diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
57781index 8789e48..698fe4c 100644
57782--- a/drivers/video/fbdev/aty/atyfb_base.c
57783+++ b/drivers/video/fbdev/aty/atyfb_base.c
57784@@ -1326,10 +1326,14 @@ static int atyfb_set_par(struct fb_info *info)
57785 par->accel_flags = var->accel_flags; /* hack */
57786
57787 if (var->accel_flags) {
57788- info->fbops->fb_sync = atyfb_sync;
57789+ pax_open_kernel();
57790+ *(void **)&info->fbops->fb_sync = atyfb_sync;
57791+ pax_close_kernel();
57792 info->flags &= ~FBINFO_HWACCEL_DISABLED;
57793 } else {
57794- info->fbops->fb_sync = NULL;
57795+ pax_open_kernel();
57796+ *(void **)&info->fbops->fb_sync = NULL;
57797+ pax_close_kernel();
57798 info->flags |= FBINFO_HWACCEL_DISABLED;
57799 }
57800
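Review bot: Writing through `*(void **)&info->fbops->fb_sync` in `atyfb_set_par()` discards the member's prototype, so the compiler no longer checks that the function being installed matches the slot. The same cast pattern appears in the mach64_cursor.c, fb_defio.c, mb862xxfb_accel.c, nvidia.c, s1d13xxxfb.c, smscufx.c, udlfb.c, uvesafb.c and vesafb.c hunks. Going through a typed temporary keeps the check, e.g. `typeof(info->fbops->fb_sync) fn = atyfb_sync;` followed by `*(void **)&info->fbops->fb_sync = fn;` inside the `pax_open_kernel()` window. The enclosing function starts and ends outside the hunk.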
57801diff --git a/drivers/video/fbdev/aty/mach64_cursor.c b/drivers/video/fbdev/aty/mach64_cursor.c
57802index 2fa0317..4983f2a 100644
57803--- a/drivers/video/fbdev/aty/mach64_cursor.c
57804+++ b/drivers/video/fbdev/aty/mach64_cursor.c
57805@@ -8,6 +8,7 @@
57806 #include "../core/fb_draw.h"
57807
57808 #include <asm/io.h>
57809+#include <asm/pgtable.h>
57810
57811 #ifdef __sparc__
57812 #include <asm/fbio.h>
57813@@ -218,7 +219,9 @@ int aty_init_cursor(struct fb_info *info)
57814 info->sprite.buf_align = 16; /* and 64 lines tall. */
57815 info->sprite.flags = FB_PIXMAP_IO;
57816
57817- info->fbops->fb_cursor = atyfb_cursor;
57818+ pax_open_kernel();
57819+ *(void **)&info->fbops->fb_cursor = atyfb_cursor;
57820+ pax_close_kernel();
57821
57822 return 0;
57823 }
57824diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
57825index 3fc63c2..eec5e49 100644
57826--- a/drivers/video/fbdev/core/fb_defio.c
57827+++ b/drivers/video/fbdev/core/fb_defio.c
57828@@ -207,7 +207,9 @@ void fb_deferred_io_init(struct fb_info *info)
57829
57830 BUG_ON(!fbdefio);
57831 mutex_init(&fbdefio->lock);
57832- info->fbops->fb_mmap = fb_deferred_io_mmap;
57833+ pax_open_kernel();
57834+ *(void **)&info->fbops->fb_mmap = fb_deferred_io_mmap;
57835+ pax_close_kernel();
57836 INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
57837 INIT_LIST_HEAD(&fbdefio->pagelist);
57838 if (fbdefio->delay == 0) /* set a default of 1 s */
57839@@ -238,7 +240,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
57840 page->mapping = NULL;
57841 }
57842
57843- info->fbops->fb_mmap = NULL;
57844+ *(void **)&info->fbops->fb_mmap = NULL;
57845 mutex_destroy(&fbdefio->lock);
57846 }
57847 EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
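Review bot: The store `*(void **)&info->fbops->fb_mmap = NULL;` in `fb_deferred_io_cleanup()` is not bracketed by `pax_open_kernel()`/`pax_close_kernel()`, unlike the matching store in `fb_deferred_io_init()` in the previous hunk. The smscufx.c and udlfb.c hunks show `fb_deferred_io_cleanup(info)` being called before those callers open their own window, so the write is not covered from outside either. If the ops structure lives in read-only memory, which is what the other hunks imply, this write would fault. I would make it `pax_open_kernel();` `*(void **)&info->fbops->fb_mmap = NULL;` `pax_close_kernel();`.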
57848diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
57849index 0705d88..d9429bf 100644
57850--- a/drivers/video/fbdev/core/fbmem.c
57851+++ b/drivers/video/fbdev/core/fbmem.c
57852@@ -1301,7 +1301,7 @@ static int do_fscreeninfo_to_user(struct fb_fix_screeninfo *fix,
57853 __u32 data;
57854 int err;
57855
57856- err = copy_to_user(&fix32->id, &fix->id, sizeof(fix32->id));
57857+ err = copy_to_user(fix32->id, &fix->id, sizeof(fix32->id));
57858
57859 data = (__u32) (unsigned long) fix->smem_start;
57860 err |= put_user(data, &fix32->smem_start);
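Review bot: Only the destination of the `copy_to_user()` call in `do_fscreeninfo_to_user()` was changed to the decayed array form, so the call now mixes `fix32->id` with `&fix->id`. Writing both the same way, `err = copy_to_user(fix32->id, fix->id, sizeof(fix32->id));`, reads more clearly. It also makes it obvious that the length comes from the destination, so the two `id` arrays must be the same size, which the hunk does not show.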
57861diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
57862index 807ee22..7814cd6 100644
57863--- a/drivers/video/fbdev/hyperv_fb.c
57864+++ b/drivers/video/fbdev/hyperv_fb.c
57865@@ -240,7 +240,7 @@ static uint screen_fb_size;
57866 static inline int synthvid_send(struct hv_device *hdev,
57867 struct synthvid_msg *msg)
57868 {
57869- static atomic64_t request_id = ATOMIC64_INIT(0);
57870+ static atomic64_unchecked_t request_id = ATOMIC64_INIT(0);
57871 int ret;
57872
57873 msg->pipe_hdr.type = PIPE_MSG_DATA;
57874@@ -248,7 +248,7 @@ static inline int synthvid_send(struct hv_device *hdev,
57875
57876 ret = vmbus_sendpacket(hdev->channel, msg,
57877 msg->vid_hdr.size + sizeof(struct pipe_msg_hdr),
57878- atomic64_inc_return(&request_id),
57879+ atomic64_inc_return_unchecked(&request_id),
57880 VM_PKT_DATA_INBAND, 0);
57881
57882 if (ret)
57883diff --git a/drivers/video/fbdev/i810/i810_accel.c b/drivers/video/fbdev/i810/i810_accel.c
57884index 7672d2e..b56437f 100644
57885--- a/drivers/video/fbdev/i810/i810_accel.c
57886+++ b/drivers/video/fbdev/i810/i810_accel.c
57887@@ -73,6 +73,7 @@ static inline int wait_for_space(struct fb_info *info, u32 space)
57888 }
57889 }
57890 printk("ringbuffer lockup!!!\n");
57891+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
57892 i810_report_error(mmio);
57893 par->dev_flags |= LOCKUP;
57894 info->pixmap.scan_align = 1;
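Review bot: The added diagnostic `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` in `wait_for_space()` has no log level, so it is emitted at the default level. I would write it as `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` so it carries a driver prefix and can be filtered together with the lockup report. The declarations of `head`, `tail` and `par->iring.size` are outside the hunk, so the `%u` specifiers should be checked against their types.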
57895diff --git a/drivers/video/fbdev/matrox/matroxfb_DAC1064.c b/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
57896index a01147f..5d896f8 100644
57897--- a/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
57898+++ b/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
57899@@ -1088,14 +1088,20 @@ static void MGAG100_restore(struct matrox_fb_info *minfo)
57900
57901 #ifdef CONFIG_FB_MATROX_MYSTIQUE
57902 struct matrox_switch matrox_mystique = {
57903- MGA1064_preinit, MGA1064_reset, MGA1064_init, MGA1064_restore,
57904+ .preinit = MGA1064_preinit,
57905+ .reset = MGA1064_reset,
57906+ .init = MGA1064_init,
57907+ .restore = MGA1064_restore,
57908 };
57909 EXPORT_SYMBOL(matrox_mystique);
57910 #endif
57911
57912 #ifdef CONFIG_FB_MATROX_G
57913 struct matrox_switch matrox_G100 = {
57914- MGAG100_preinit, MGAG100_reset, MGAG100_init, MGAG100_restore,
57915+ .preinit = MGAG100_preinit,
57916+ .reset = MGAG100_reset,
57917+ .init = MGAG100_init,
57918+ .restore = MGAG100_restore,
57919 };
57920 EXPORT_SYMBOL(matrox_G100);
57921 #endif
57922diff --git a/drivers/video/fbdev/matrox/matroxfb_Ti3026.c b/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
57923index 195ad7c..09743fc 100644
57924--- a/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
57925+++ b/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
57926@@ -738,7 +738,10 @@ static int Ti3026_preinit(struct matrox_fb_info *minfo)
57927 }
57928
57929 struct matrox_switch matrox_millennium = {
57930- Ti3026_preinit, Ti3026_reset, Ti3026_init, Ti3026_restore
57931+ .preinit = Ti3026_preinit,
57932+ .reset = Ti3026_reset,
57933+ .init = Ti3026_init,
57934+ .restore = Ti3026_restore
57935 };
57936 EXPORT_SYMBOL(matrox_millennium);
57937 #endif
57938diff --git a/drivers/video/fbdev/matrox/matroxfb_base.c b/drivers/video/fbdev/matrox/matroxfb_base.c
57939index 11eb094..622ee31 100644
57940--- a/drivers/video/fbdev/matrox/matroxfb_base.c
57941+++ b/drivers/video/fbdev/matrox/matroxfb_base.c
57942@@ -2176,7 +2176,7 @@ static struct pci_driver matroxfb_driver = {
57943 #define RS1056x480 14 /* 132 x 60 text */
57944 #define RSNoxNo 15
57945 /* 10-FF */
57946-static struct { int xres, yres, left, right, upper, lower, hslen, vslen, vfreq; } timmings[] __initdata = {
57947+static struct { unsigned int xres, yres, left, right, upper, lower, hslen, vslen, vfreq; } timmings[] __initdata = {
57948 { 640, 400, 48, 16, 39, 8, 96, 2, 70 },
57949 { 640, 480, 48, 16, 33, 10, 96, 2, 60 },
57950 { 800, 600, 144, 24, 28, 8, 112, 6, 60 },
57951diff --git a/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c b/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
57952index fe92eed..106e085 100644
57953--- a/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
57954+++ b/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
57955@@ -312,14 +312,18 @@ void mb862xxfb_init_accel(struct fb_info *info, int xres)
57956 struct mb862xxfb_par *par = info->par;
57957
57958 if (info->var.bits_per_pixel == 32) {
57959- info->fbops->fb_fillrect = cfb_fillrect;
57960- info->fbops->fb_copyarea = cfb_copyarea;
57961- info->fbops->fb_imageblit = cfb_imageblit;
57962+ pax_open_kernel();
57963+ *(void **)&info->fbops->fb_fillrect = cfb_fillrect;
57964+ *(void **)&info->fbops->fb_copyarea = cfb_copyarea;
57965+ *(void **)&info->fbops->fb_imageblit = cfb_imageblit;
57966+ pax_close_kernel();
57967 } else {
57968 outreg(disp, GC_L0EM, 3);
57969- info->fbops->fb_fillrect = mb86290fb_fillrect;
57970- info->fbops->fb_copyarea = mb86290fb_copyarea;
57971- info->fbops->fb_imageblit = mb86290fb_imageblit;
57972+ pax_open_kernel();
57973+ *(void **)&info->fbops->fb_fillrect = mb86290fb_fillrect;
57974+ *(void **)&info->fbops->fb_copyarea = mb86290fb_copyarea;
57975+ *(void **)&info->fbops->fb_imageblit = mb86290fb_imageblit;
57976+ pax_close_kernel();
57977 }
57978 outreg(draw, GDC_REG_DRAW_BASE, 0);
57979 outreg(draw, GDC_REG_MODE_MISC, 0x8000);
57980diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
57981index ce7dab7..a87baf8 100644
57982--- a/drivers/video/fbdev/nvidia/nvidia.c
57983+++ b/drivers/video/fbdev/nvidia/nvidia.c
57984@@ -660,19 +660,23 @@ static int nvidiafb_set_par(struct fb_info *info)
57985 info->fix.line_length = (info->var.xres_virtual *
57986 info->var.bits_per_pixel) >> 3;
57987 if (info->var.accel_flags) {
57988- info->fbops->fb_imageblit = nvidiafb_imageblit;
57989- info->fbops->fb_fillrect = nvidiafb_fillrect;
57990- info->fbops->fb_copyarea = nvidiafb_copyarea;
57991- info->fbops->fb_sync = nvidiafb_sync;
57992+ pax_open_kernel();
57993+ *(void **)&info->fbops->fb_imageblit = nvidiafb_imageblit;
57994+ *(void **)&info->fbops->fb_fillrect = nvidiafb_fillrect;
57995+ *(void **)&info->fbops->fb_copyarea = nvidiafb_copyarea;
57996+ *(void **)&info->fbops->fb_sync = nvidiafb_sync;
57997+ pax_close_kernel();
57998 info->pixmap.scan_align = 4;
57999 info->flags &= ~FBINFO_HWACCEL_DISABLED;
58000 info->flags |= FBINFO_READS_FAST;
58001 NVResetGraphics(info);
58002 } else {
58003- info->fbops->fb_imageblit = cfb_imageblit;
58004- info->fbops->fb_fillrect = cfb_fillrect;
58005- info->fbops->fb_copyarea = cfb_copyarea;
58006- info->fbops->fb_sync = NULL;
58007+ pax_open_kernel();
58008+ *(void **)&info->fbops->fb_imageblit = cfb_imageblit;
58009+ *(void **)&info->fbops->fb_fillrect = cfb_fillrect;
58010+ *(void **)&info->fbops->fb_copyarea = cfb_copyarea;
58011+ *(void **)&info->fbops->fb_sync = NULL;
58012+ pax_close_kernel();
58013 info->pixmap.scan_align = 1;
58014 info->flags |= FBINFO_HWACCEL_DISABLED;
58015 info->flags &= ~FBINFO_READS_FAST;
58016@@ -1164,8 +1168,11 @@ static int nvidia_set_fbinfo(struct fb_info *info)
58017 info->pixmap.size = 8 * 1024;
58018 info->pixmap.flags = FB_PIXMAP_SYSTEM;
58019
58020- if (!hwcur)
58021- info->fbops->fb_cursor = NULL;
58022+ if (!hwcur) {
58023+ pax_open_kernel();
58024+ *(void **)&info->fbops->fb_cursor = NULL;
58025+ pax_close_kernel();
58026+ }
58027
58028 info->var.accel_flags = (!noaccel);
58029
58030diff --git a/drivers/video/fbdev/omap2/dss/display.c b/drivers/video/fbdev/omap2/dss/display.c
58031index ef5b902..47cf7f5 100644
58032--- a/drivers/video/fbdev/omap2/dss/display.c
58033+++ b/drivers/video/fbdev/omap2/dss/display.c
58034@@ -161,12 +161,14 @@ int omapdss_register_display(struct omap_dss_device *dssdev)
58035 if (dssdev->name == NULL)
58036 dssdev->name = dssdev->alias;
58037
58038+ pax_open_kernel();
58039 if (drv && drv->get_resolution == NULL)
58040- drv->get_resolution = omapdss_default_get_resolution;
58041+ *(void **)&drv->get_resolution = omapdss_default_get_resolution;
58042 if (drv && drv->get_recommended_bpp == NULL)
58043- drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
58044+ *(void **)&drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
58045 if (drv && drv->get_timings == NULL)
58046- drv->get_timings = omapdss_default_get_timings;
58047+ *(void **)&drv->get_timings = omapdss_default_get_timings;
58048+ pax_close_kernel();
58049
58050 mutex_lock(&panel_list_mutex);
58051 list_add_tail(&dssdev->panel_list, &panel_list);
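Review bot: The `pax_open_kernel()` window in `omapdss_register_display()` is opened before the `drv &&` tests, so kernel write protection is lifted even when `drv` is NULL or all three callbacks are already set. Keeping the unprotected region to the stores that need it is the usual least-privilege shape for this primitive. Hoisting the `drv` test out, as below, also removes the repeated NULL checks. The function starts and ends outside the hunk.

```c
	if (drv) {
		pax_open_kernel();
		if (drv->get_resolution == NULL)
			*(void **)&drv->get_resolution = omapdss_default_get_resolution;
		if (drv->get_recommended_bpp == NULL)
			*(void **)&drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
		if (drv->get_timings == NULL)
			*(void **)&drv->get_timings = omapdss_default_get_timings;
		pax_close_kernel();
	}
```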
58052diff --git a/drivers/video/fbdev/s1d13xxxfb.c b/drivers/video/fbdev/s1d13xxxfb.c
58053index 83433cb..71e9b98 100644
58054--- a/drivers/video/fbdev/s1d13xxxfb.c
58055+++ b/drivers/video/fbdev/s1d13xxxfb.c
58056@@ -881,8 +881,10 @@ static int s1d13xxxfb_probe(struct platform_device *pdev)
58057
58058 switch(prod_id) {
58059 case S1D13506_PROD_ID: /* activate acceleration */
58060- s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill;
58061- s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea;
58062+ pax_open_kernel();
58063+ *(void **)&s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill;
58064+ *(void **)&s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea;
58065+ pax_close_kernel();
58066 info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN |
58067 FBINFO_HWACCEL_FILLRECT | FBINFO_HWACCEL_COPYAREA;
58068 break;
58069diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c
58070index 82c0a8c..42499a1 100644
58071--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c
58072+++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c
58073@@ -439,9 +439,9 @@ static unsigned long lcdc_sys_read_data(void *handle)
58074 }
58075
58076 static struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
58077- lcdc_sys_write_index,
58078- lcdc_sys_write_data,
58079- lcdc_sys_read_data,
58080+ .write_index = lcdc_sys_write_index,
58081+ .write_data = lcdc_sys_write_data,
58082+ .read_data = lcdc_sys_read_data,
58083 };
58084
58085 static int sh_mobile_lcdc_sginit(struct fb_info *info,
58086diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c
58087index 9279e5f..d5f5276 100644
58088--- a/drivers/video/fbdev/smscufx.c
58089+++ b/drivers/video/fbdev/smscufx.c
58090@@ -1174,7 +1174,9 @@ static int ufx_ops_release(struct fb_info *info, int user)
58091 fb_deferred_io_cleanup(info);
58092 kfree(info->fbdefio);
58093 info->fbdefio = NULL;
58094- info->fbops->fb_mmap = ufx_ops_mmap;
58095+ pax_open_kernel();
58096+ *(void **)&info->fbops->fb_mmap = ufx_ops_mmap;
58097+ pax_close_kernel();
58098 }
58099
58100 pr_debug("released /dev/fb%d user=%d count=%d",
58101diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
58102index ff2b873..626a8d5 100644
58103--- a/drivers/video/fbdev/udlfb.c
58104+++ b/drivers/video/fbdev/udlfb.c
58105@@ -623,11 +623,11 @@ static int dlfb_handle_damage(struct dlfb_data *dev, int x, int y,
58106 dlfb_urb_completion(urb);
58107
58108 error:
58109- atomic_add(bytes_sent, &dev->bytes_sent);
58110- atomic_add(bytes_identical, &dev->bytes_identical);
58111- atomic_add(width*height*2, &dev->bytes_rendered);
58112+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
58113+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
58114+ atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
58115 end_cycles = get_cycles();
58116- atomic_add(((unsigned int) ((end_cycles - start_cycles)
58117+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
58118 >> 10)), /* Kcycles */
58119 &dev->cpu_kcycles_used);
58120
58121@@ -748,11 +748,11 @@ static void dlfb_dpy_deferred_io(struct fb_info *info,
58122 dlfb_urb_completion(urb);
58123
58124 error:
58125- atomic_add(bytes_sent, &dev->bytes_sent);
58126- atomic_add(bytes_identical, &dev->bytes_identical);
58127- atomic_add(bytes_rendered, &dev->bytes_rendered);
58128+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
58129+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
58130+ atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
58131 end_cycles = get_cycles();
58132- atomic_add(((unsigned int) ((end_cycles - start_cycles)
58133+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
58134 >> 10)), /* Kcycles */
58135 &dev->cpu_kcycles_used);
58136 }
58137@@ -991,7 +991,9 @@ static int dlfb_ops_release(struct fb_info *info, int user)
58138 fb_deferred_io_cleanup(info);
58139 kfree(info->fbdefio);
58140 info->fbdefio = NULL;
58141- info->fbops->fb_mmap = dlfb_ops_mmap;
58142+ pax_open_kernel();
58143+ *(void **)&info->fbops->fb_mmap = dlfb_ops_mmap;
58144+ pax_close_kernel();
58145 }
58146
58147 pr_warn("released /dev/fb%d user=%d count=%d\n",
58148@@ -1373,7 +1375,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev,
58149 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58150 struct dlfb_data *dev = fb_info->par;
58151 return snprintf(buf, PAGE_SIZE, "%u\n",
58152- atomic_read(&dev->bytes_rendered));
58153+ atomic_read_unchecked(&dev->bytes_rendered));
58154 }
58155
58156 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
58157@@ -1381,7 +1383,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev,
58158 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58159 struct dlfb_data *dev = fb_info->par;
58160 return snprintf(buf, PAGE_SIZE, "%u\n",
58161- atomic_read(&dev->bytes_identical));
58162+ atomic_read_unchecked(&dev->bytes_identical));
58163 }
58164
58165 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
58166@@ -1389,7 +1391,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev,
58167 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58168 struct dlfb_data *dev = fb_info->par;
58169 return snprintf(buf, PAGE_SIZE, "%u\n",
58170- atomic_read(&dev->bytes_sent));
58171+ atomic_read_unchecked(&dev->bytes_sent));
58172 }
58173
58174 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
58175@@ -1397,7 +1399,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
58176 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58177 struct dlfb_data *dev = fb_info->par;
58178 return snprintf(buf, PAGE_SIZE, "%u\n",
58179- atomic_read(&dev->cpu_kcycles_used));
58180+ atomic_read_unchecked(&dev->cpu_kcycles_used));
58181 }
58182
58183 static ssize_t edid_show(
58184@@ -1457,10 +1459,10 @@ static ssize_t metrics_reset_store(struct device *fbdev,
58185 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58186 struct dlfb_data *dev = fb_info->par;
58187
58188- atomic_set(&dev->bytes_rendered, 0);
58189- atomic_set(&dev->bytes_identical, 0);
58190- atomic_set(&dev->bytes_sent, 0);
58191- atomic_set(&dev->cpu_kcycles_used, 0);
58192+ atomic_set_unchecked(&dev->bytes_rendered, 0);
58193+ atomic_set_unchecked(&dev->bytes_identical, 0);
58194+ atomic_set_unchecked(&dev->bytes_sent, 0);
58195+ atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
58196
58197 return count;
58198 }
58199diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
58200index 178ae93..624b2eb 100644
58201--- a/drivers/video/fbdev/uvesafb.c
58202+++ b/drivers/video/fbdev/uvesafb.c
58203@@ -19,6 +19,7 @@
58204 #include <linux/io.h>
58205 #include <linux/mutex.h>
58206 #include <linux/slab.h>
58207+#include <linux/moduleloader.h>
58208 #include <video/edid.h>
58209 #include <video/uvesafb.h>
58210 #ifdef CONFIG_X86
58211@@ -565,10 +566,32 @@ static int uvesafb_vbe_getpmi(struct uvesafb_ktask *task,
58212 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
58213 par->pmi_setpal = par->ypan = 0;
58214 } else {
58215+
58216+#ifdef CONFIG_PAX_KERNEXEC
58217+#ifdef CONFIG_MODULES
58218+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
58219+#endif
58220+ if (!par->pmi_code) {
58221+ par->pmi_setpal = par->ypan = 0;
58222+ return 0;
58223+ }
58224+#endif
58225+
58226 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
58227 + task->t.regs.edi);
58228+
58229+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58230+ pax_open_kernel();
58231+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
58232+ pax_close_kernel();
58233+
58234+ par->pmi_start = (void *)ktva_ktla((unsigned long)(par->pmi_code + par->pmi_base[1]));
58235+ par->pmi_pal = (void *)ktva_ktla((unsigned long)(par->pmi_code + par->pmi_base[2]));
58236+#else
58237 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
58238 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
58239+#endif
58240+
58241 printk(KERN_INFO "uvesafb: protected mode interface info at "
58242 "%04x:%04x\n",
58243 (u16)task->t.regs.es, (u16)task->t.regs.edi);
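Review bot: The entry offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` in `uvesafb_vbe_getpmi()` without being compared to the number of bytes copied, `(u16)task->t.regs.ecx`. Both the length and the table come from the VBE call, so an inconsistent table would leave `pmi_start` or `pmi_pal` pointing outside the executable allocation that was just made. I would reject the table before the copy, as sketched below. `par->pmi_code` stays allocated on that path and is released by the cleanup hunks later in this file. `vesafb_probe()` in drivers/video/fbdev/vesafb.c copies `screen_info.vesapm_size` bytes and then uses `pmi_base[1]`/`pmi_base[2]` the same way.

```c
#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
		/* entry offsets come from the firmware table; keep them inside the copy */
		if ((u16)task->t.regs.ecx < 3 * sizeof(u16) ||
		    par->pmi_base[1] >= (u16)task->t.regs.ecx ||
		    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
			par->pmi_setpal = par->ypan = 0;
			return 0;
		}
		pax_open_kernel();
		/* … unchanged: memcpy into par->pmi_code, pax_close_kernel(), pmi_start / pmi_pal assignment … */
```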
58244@@ -813,13 +836,14 @@ static int uvesafb_vbe_init(struct fb_info *info)
58245 par->ypan = ypan;
58246
58247 if (par->pmi_setpal || par->ypan) {
58248+#if !defined(CONFIG_MODULES) || !defined(CONFIG_PAX_KERNEXEC)
58249 if (__supported_pte_mask & _PAGE_NX) {
58250 par->pmi_setpal = par->ypan = 0;
58251 printk(KERN_WARNING "uvesafb: NX protection is active, "
58252 "better not use the PMI.\n");
58253- } else {
58254+ } else
58255+#endif
58256 uvesafb_vbe_getpmi(task, par);
58257- }
58258 }
58259 #else
58260 /* The protected mode interface is not available on non-x86. */
58261@@ -1452,8 +1476,11 @@ static void uvesafb_init_info(struct fb_info *info, struct vbe_mode_ib *mode)
58262 info->fix.ywrapstep = (par->ypan > 1) ? 1 : 0;
58263
58264 /* Disable blanking if the user requested so. */
58265- if (!blank)
58266- info->fbops->fb_blank = NULL;
58267+ if (!blank) {
58268+ pax_open_kernel();
58269+ *(void **)&info->fbops->fb_blank = NULL;
58270+ pax_close_kernel();
58271+ }
58272
58273 /*
58274 * Find out how much IO memory is required for the mode with
58275@@ -1524,8 +1551,11 @@ static void uvesafb_init_info(struct fb_info *info, struct vbe_mode_ib *mode)
58276 info->flags = FBINFO_FLAG_DEFAULT |
58277 (par->ypan ? FBINFO_HWACCEL_YPAN : 0);
58278
58279- if (!par->ypan)
58280- info->fbops->fb_pan_display = NULL;
58281+ if (!par->ypan) {
58282+ pax_open_kernel();
58283+ *(void **)&info->fbops->fb_pan_display = NULL;
58284+ pax_close_kernel();
58285+ }
58286 }
58287
58288 static void uvesafb_init_mtrr(struct fb_info *info)
58289@@ -1786,6 +1816,11 @@ out_mode:
58290 out:
58291 kfree(par->vbe_modes);
58292
58293+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58294+ if (par->pmi_code)
58295+ module_memfree_exec(par->pmi_code);
58296+#endif
58297+
58298 framebuffer_release(info);
58299 return err;
58300 }
58301@@ -1810,6 +1845,11 @@ static int uvesafb_remove(struct platform_device *dev)
58302 kfree(par->vbe_state_orig);
58303 kfree(par->vbe_state_saved);
58304
58305+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58306+ if (par->pmi_code)
58307+ module_memfree_exec(par->pmi_code);
58308+#endif
58309+
58310 framebuffer_release(info);
58311 }
58312 return 0;
58313diff --git a/drivers/video/fbdev/vesafb.c b/drivers/video/fbdev/vesafb.c
58314index 528fe91..6fd29fe 100644
58315--- a/drivers/video/fbdev/vesafb.c
58316+++ b/drivers/video/fbdev/vesafb.c
58317@@ -9,6 +9,7 @@
58318 */
58319
58320 #include <linux/module.h>
58321+#include <linux/moduleloader.h>
58322 #include <linux/kernel.h>
58323 #include <linux/errno.h>
58324 #include <linux/string.h>
58325@@ -56,8 +57,8 @@ static int vram_remap; /* Set amount of memory to be used */
58326 static int vram_total; /* Set total amount of memory */
58327 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
58328 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
58329-static void (*pmi_start)(void) __read_mostly;
58330-static void (*pmi_pal) (void) __read_mostly;
58331+static void (*pmi_start)(void) __read_only;
58332+static void (*pmi_pal) (void) __read_only;
58333 static int depth __read_mostly;
58334 static int vga_compat __read_mostly;
58335 /* --------------------------------------------------------------------- */
58336@@ -241,6 +242,7 @@ static int vesafb_probe(struct platform_device *dev)
58337 unsigned int size_remap;
58338 unsigned int size_total;
58339 char *option = NULL;
58340+ void *pmi_code = NULL;
58341
58342 /* ignore error return of fb_get_options */
58343 fb_get_options("vesafb", &option);
58344@@ -287,10 +289,6 @@ static int vesafb_probe(struct platform_device *dev)
58345 size_remap = size_total;
58346 vesafb_fix.smem_len = size_remap;
58347
58348-#ifndef __i386__
58349- screen_info.vesapm_seg = 0;
58350-#endif
58351-
58352 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
58353 printk(KERN_WARNING
58354 "vesafb: cannot reserve video memory at 0x%lx\n",
58355@@ -320,9 +318,21 @@ static int vesafb_probe(struct platform_device *dev)
58356 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
58357 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
58358
58359+#ifdef __i386__
58360+
58361+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58362+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
58363+ if (!pmi_code)
58364+#elif !defined(CONFIG_PAX_KERNEXEC)
58365+ if (0)
58366+#endif
58367+
58368+#endif
58369+ screen_info.vesapm_seg = 0;
58370+
58371 if (screen_info.vesapm_seg) {
58372- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
58373- screen_info.vesapm_seg,screen_info.vesapm_off);
58374+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
58375+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
58376 }
58377
58378 if (screen_info.vesapm_seg < 0xc000)
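Review bot: The statement `screen_info.vesapm_seg = 0;` in `vesafb_probe()` sits outside the preprocessor block while the `if` that may or may not govern it sits inside, so a reader has to expand four configurations by hand to see when the protected-mode interface is disabled. A mistake here decides whether firmware code is copied into executable memory, so the condition should be readable at a glance. The form below mirrors `uvesafb_vbe_getpmi()` and appears to preserve behaviour in every configuration, relying on `pmi_code` being initialised to NULL in the earlier hunk.

```c
#ifdef __i386__
#ifdef CONFIG_PAX_KERNEXEC
#ifdef CONFIG_MODULES
	pmi_code = module_alloc_exec(screen_info.vesapm_size);
#endif
	if (!pmi_code)
		screen_info.vesapm_seg = 0;
#endif
#else
	screen_info.vesapm_seg = 0;
#endif
```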
58379@@ -330,9 +340,25 @@ static int vesafb_probe(struct platform_device *dev)
58380
58381 if (ypan || pmi_setpal) {
58382 unsigned short *pmi_base;
58383+
58384 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
58385- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
58386- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
58387+
58388+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58389+ pax_open_kernel();
58390+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
58391+#else
58392+ pmi_code = pmi_base;
58393+#endif
58394+
58395+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
58396+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
58397+
58398+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58399+ pmi_start = (void *)ktva_ktla((unsigned long)pmi_start);
58400+ pmi_pal = (void *)ktva_ktla((unsigned long)pmi_pal);
58401+ pax_close_kernel();
58402+#endif
58403+
58404 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
58405 if (pmi_base[3]) {
58406 printk(KERN_INFO "vesafb: pmi: ports = ");
58407@@ -452,8 +478,11 @@ static int vesafb_probe(struct platform_device *dev)
58408 info->flags = FBINFO_FLAG_DEFAULT | FBINFO_MISC_FIRMWARE |
58409 (ypan ? FBINFO_HWACCEL_YPAN : 0);
58410
58411- if (!ypan)
58412- info->fbops->fb_pan_display = NULL;
58413+ if (!ypan) {
58414+ pax_open_kernel();
58415+ *(void **)&info->fbops->fb_pan_display = NULL;
58416+ pax_close_kernel();
58417+ }
58418
58419 if (fb_alloc_cmap(&info->cmap, 256, 0) < 0) {
58420 err = -ENOMEM;
58421@@ -467,6 +496,11 @@ static int vesafb_probe(struct platform_device *dev)
58422 fb_info(info, "%s frame buffer device\n", info->fix.id);
58423 return 0;
58424 err:
58425+
58426+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58427+ module_memfree_exec(pmi_code);
58428+#endif
58429+
58430 arch_phys_wc_del(par->wc_cookie);
58431 if (info->screen_base)
58432 iounmap(info->screen_base);
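Review bot: `module_memfree_exec(pmi_code)` on the `err:` path of `vesafb_probe()` is called unconditionally, but `pmi_code` is still NULL when the allocation failed or when an error is reached on a path where nothing was allocated. The uvesafb.c hunks guard the same call with `if (par->pmi_code)`. Whether `module_memfree_exec()` tolerates NULL is not visible here, so I would match that form: `if (pmi_code)` followed by `module_memfree_exec(pmi_code);`.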
58433diff --git a/drivers/video/fbdev/via/via_clock.h b/drivers/video/fbdev/via/via_clock.h
58434index 88714ae..16c2e11 100644
58435--- a/drivers/video/fbdev/via/via_clock.h
58436+++ b/drivers/video/fbdev/via/via_clock.h
58437@@ -56,7 +56,7 @@ struct via_clock {
58438
58439 void (*set_engine_pll_state)(u8 state);
58440 void (*set_engine_pll)(struct via_pll_config config);
58441-};
58442+} __no_const;
58443
58444
58445 static inline u32 get_pll_internal_frequency(u32 ref_freq,
58446diff --git a/drivers/video/logo/logo_linux_clut224.ppm b/drivers/video/logo/logo_linux_clut224.ppm
58447index 3c14e43..2630570 100644
58448--- a/drivers/video/logo/logo_linux_clut224.ppm
58449+++ b/drivers/video/logo/logo_linux_clut224.ppm
58450@@ -2,1603 +2,1123 @@ P3
58451 # Standard 224-color Linux logo
58452 80 80
58453 255
58454- 0 0 0 0 0 0 0 0 0 0 0 0
58455- 0 0 0 0 0 0 0 0 0 0 0 0
58456- 0 0 0 0 0 0 0 0 0 0 0 0
58457- 0 0 0 0 0 0 0 0 0 0 0 0
58458- 0 0 0 0 0 0 0 0 0 0 0 0
58459- 0 0 0 0 0 0 0 0 0 0 0 0
58460- 0 0 0 0 0 0 0 0 0 0 0 0
58461- 0 0 0 0 0 0 0 0 0 0 0 0
58462- 0 0 0 0 0 0 0 0 0 0 0 0
58463- 6 6 6 6 6 6 10 10 10 10 10 10
58464- 10 10 10 6 6 6 6 6 6 6 6 6
58465- 0 0 0 0 0 0 0 0 0 0 0 0
58466- 0 0 0 0 0 0 0 0 0 0 0 0
58467- 0 0 0 0 0 0 0 0 0 0 0 0
58468- 0 0 0 0 0 0 0 0 0 0 0 0
58469- 0 0 0 0 0 0 0 0 0 0 0 0
58470- 0 0 0 0 0 0 0 0 0 0 0 0
58471- 0 0 0 0 0 0 0 0 0 0 0 0
58472- 0 0 0 0 0 0 0 0 0 0 0 0
58473- 0 0 0 0 0 0 0 0 0 0 0 0
58474- 0 0 0 0 0 0 0 0 0 0 0 0
58475- 0 0 0 0 0 0 0 0 0 0 0 0
58476- 0 0 0 0 0 0 0 0 0 0 0 0
58477- 0 0 0 0 0 0 0 0 0 0 0 0
58478- 0 0 0 0 0 0 0 0 0 0 0 0
58479- 0 0 0 0 0 0 0 0 0 0 0 0
58480- 0 0 0 0 0 0 0 0 0 0 0 0
58481- 0 0 0 0 0 0 0 0 0 0 0 0
58482- 0 0 0 6 6 6 10 10 10 14 14 14
58483- 22 22 22 26 26 26 30 30 30 34 34 34
58484- 30 30 30 30 30 30 26 26 26 18 18 18
58485- 14 14 14 10 10 10 6 6 6 0 0 0
58486- 0 0 0 0 0 0 0 0 0 0 0 0
58487- 0 0 0 0 0 0 0 0 0 0 0 0
58488- 0 0 0 0 0 0 0 0 0 0 0 0
58489- 0 0 0 0 0 0 0 0 0 0 0 0
58490- 0 0 0 0 0 0 0 0 0 0 0 0
58491- 0 0 0 0 0 0 0 0 0 0 0 0
58492- 0 0 0 0 0 0 0 0 0 0 0 0
58493- 0 0 0 0 0 0 0 0 0 0 0 0
58494- 0 0 0 0 0 0 0 0 0 0 0 0
58495- 0 0 0 0 0 1 0 0 1 0 0 0
58496- 0 0 0 0 0 0 0 0 0 0 0 0
58497- 0 0 0 0 0 0 0 0 0 0 0 0
58498- 0 0 0 0 0 0 0 0 0 0 0 0
58499- 0 0 0 0 0 0 0 0 0 0 0 0
58500- 0 0 0 0 0 0 0 0 0 0 0 0
58501- 0 0 0 0 0 0 0 0 0 0 0 0
58502- 6 6 6 14 14 14 26 26 26 42 42 42
58503- 54 54 54 66 66 66 78 78 78 78 78 78
58504- 78 78 78 74 74 74 66 66 66 54 54 54
58505- 42 42 42 26 26 26 18 18 18 10 10 10
58506- 6 6 6 0 0 0 0 0 0 0 0 0
58507- 0 0 0 0 0 0 0 0 0 0 0 0
58508- 0 0 0 0 0 0 0 0 0 0 0 0
58509- 0 0 0 0 0 0 0 0 0 0 0 0
58510- 0 0 0 0 0 0 0 0 0 0 0 0
58511- 0 0 0 0 0 0 0 0 0 0 0 0
58512- 0 0 0 0 0 0 0 0 0 0 0 0
58513- 0 0 0 0 0 0 0 0 0 0 0 0
58514- 0 0 0 0 0 0 0 0 0 0 0 0
58515- 0 0 1 0 0 0 0 0 0 0 0 0
58516- 0 0 0 0 0 0 0 0 0 0 0 0
58517- 0 0 0 0 0 0 0 0 0 0 0 0
58518- 0 0 0 0 0 0 0 0 0 0 0 0
58519- 0 0 0 0 0 0 0 0 0 0 0 0
58520- 0 0 0 0 0 0 0 0 0 0 0 0
58521- 0 0 0 0 0 0 0 0 0 10 10 10
58522- 22 22 22 42 42 42 66 66 66 86 86 86
58523- 66 66 66 38 38 38 38 38 38 22 22 22
58524- 26 26 26 34 34 34 54 54 54 66 66 66
58525- 86 86 86 70 70 70 46 46 46 26 26 26
58526- 14 14 14 6 6 6 0 0 0 0 0 0
58527- 0 0 0 0 0 0 0 0 0 0 0 0
58528- 0 0 0 0 0 0 0 0 0 0 0 0
58529- 0 0 0 0 0 0 0 0 0 0 0 0
58530- 0 0 0 0 0 0 0 0 0 0 0 0
58531- 0 0 0 0 0 0 0 0 0 0 0 0
58532- 0 0 0 0 0 0 0 0 0 0 0 0
58533- 0 0 0 0 0 0 0 0 0 0 0 0
58534- 0 0 0 0 0 0 0 0 0 0 0 0
58535- 0 0 1 0 0 1 0 0 1 0 0 0
58536- 0 0 0 0 0 0 0 0 0 0 0 0
58537- 0 0 0 0 0 0 0 0 0 0 0 0
58538- 0 0 0 0 0 0 0 0 0 0 0 0
58539- 0 0 0 0 0 0 0 0 0 0 0 0
58540- 0 0 0 0 0 0 0 0 0 0 0 0
58541- 0 0 0 0 0 0 10 10 10 26 26 26
58542- 50 50 50 82 82 82 58 58 58 6 6 6
58543- 2 2 6 2 2 6 2 2 6 2 2 6
58544- 2 2 6 2 2 6 2 2 6 2 2 6
58545- 6 6 6 54 54 54 86 86 86 66 66 66
58546- 38 38 38 18 18 18 6 6 6 0 0 0
58547- 0 0 0 0 0 0 0 0 0 0 0 0
58548- 0 0 0 0 0 0 0 0 0 0 0 0
58549- 0 0 0 0 0 0 0 0 0 0 0 0
58550- 0 0 0 0 0 0 0 0 0 0 0 0
58551- 0 0 0 0 0 0 0 0 0 0 0 0
58552- 0 0 0 0 0 0 0 0 0 0 0 0
58553- 0 0 0 0 0 0 0 0 0 0 0 0
58554- 0 0 0 0 0 0 0 0 0 0 0 0
58555- 0 0 0 0 0 0 0 0 0 0 0 0
58556- 0 0 0 0 0 0 0 0 0 0 0 0
58557- 0 0 0 0 0 0 0 0 0 0 0 0
58558- 0 0 0 0 0 0 0 0 0 0 0 0
58559- 0 0 0 0 0 0 0 0 0 0 0 0
58560- 0 0 0 0 0 0 0 0 0 0 0 0
58561- 0 0 0 6 6 6 22 22 22 50 50 50
58562- 78 78 78 34 34 34 2 2 6 2 2 6
58563- 2 2 6 2 2 6 2 2 6 2 2 6
58564- 2 2 6 2 2 6 2 2 6 2 2 6
58565- 2 2 6 2 2 6 6 6 6 70 70 70
58566- 78 78 78 46 46 46 22 22 22 6 6 6
58567- 0 0 0 0 0 0 0 0 0 0 0 0
58568- 0 0 0 0 0 0 0 0 0 0 0 0
58569- 0 0 0 0 0 0 0 0 0 0 0 0
58570- 0 0 0 0 0 0 0 0 0 0 0 0
58571- 0 0 0 0 0 0 0 0 0 0 0 0
58572- 0 0 0 0 0 0 0 0 0 0 0 0
58573- 0 0 0 0 0 0 0 0 0 0 0 0
58574- 0 0 0 0 0 0 0 0 0 0 0 0
58575- 0 0 1 0 0 1 0 0 1 0 0 0
58576- 0 0 0 0 0 0 0 0 0 0 0 0
58577- 0 0 0 0 0 0 0 0 0 0 0 0
58578- 0 0 0 0 0 0 0 0 0 0 0 0
58579- 0 0 0 0 0 0 0 0 0 0 0 0
58580- 0 0 0 0 0 0 0 0 0 0 0 0
58581- 6 6 6 18 18 18 42 42 42 82 82 82
58582- 26 26 26 2 2 6 2 2 6 2 2 6
58583- 2 2 6 2 2 6 2 2 6 2 2 6
58584- 2 2 6 2 2 6 2 2 6 14 14 14
58585- 46 46 46 34 34 34 6 6 6 2 2 6
58586- 42 42 42 78 78 78 42 42 42 18 18 18
58587- 6 6 6 0 0 0 0 0 0 0 0 0
58588- 0 0 0 0 0 0 0 0 0 0 0 0
58589- 0 0 0 0 0 0 0 0 0 0 0 0
58590- 0 0 0 0 0 0 0 0 0 0 0 0
58591- 0 0 0 0 0 0 0 0 0 0 0 0
58592- 0 0 0 0 0 0 0 0 0 0 0 0
58593- 0 0 0 0 0 0 0 0 0 0 0 0
58594- 0 0 0 0 0 0 0 0 0 0 0 0
58595- 0 0 1 0 0 0 0 0 1 0 0 0
58596- 0 0 0 0 0 0 0 0 0 0 0 0
58597- 0 0 0 0 0 0 0 0 0 0 0 0
58598- 0 0 0 0 0 0 0 0 0 0 0 0
58599- 0 0 0 0 0 0 0 0 0 0 0 0
58600- 0 0 0 0 0 0 0 0 0 0 0 0
58601- 10 10 10 30 30 30 66 66 66 58 58 58
58602- 2 2 6 2 2 6 2 2 6 2 2 6
58603- 2 2 6 2 2 6 2 2 6 2 2 6
58604- 2 2 6 2 2 6 2 2 6 26 26 26
58605- 86 86 86 101 101 101 46 46 46 10 10 10
58606- 2 2 6 58 58 58 70 70 70 34 34 34
58607- 10 10 10 0 0 0 0 0 0 0 0 0
58608- 0 0 0 0 0 0 0 0 0 0 0 0
58609- 0 0 0 0 0 0 0 0 0 0 0 0
58610- 0 0 0 0 0 0 0 0 0 0 0 0
58611- 0 0 0 0 0 0 0 0 0 0 0 0
58612- 0 0 0 0 0 0 0 0 0 0 0 0
58613- 0 0 0 0 0 0 0 0 0 0 0 0
58614- 0 0 0 0 0 0 0 0 0 0 0 0
58615- 0 0 1 0 0 1 0 0 1 0 0 0
58616- 0 0 0 0 0 0 0 0 0 0 0 0
58617- 0 0 0 0 0 0 0 0 0 0 0 0
58618- 0 0 0 0 0 0 0 0 0 0 0 0
58619- 0 0 0 0 0 0 0 0 0 0 0 0
58620- 0 0 0 0 0 0 0 0 0 0 0 0
58621- 14 14 14 42 42 42 86 86 86 10 10 10
58622- 2 2 6 2 2 6 2 2 6 2 2 6
58623- 2 2 6 2 2 6 2 2 6 2 2 6
58624- 2 2 6 2 2 6 2 2 6 30 30 30
58625- 94 94 94 94 94 94 58 58 58 26 26 26
58626- 2 2 6 6 6 6 78 78 78 54 54 54
58627- 22 22 22 6 6 6 0 0 0 0 0 0
58628- 0 0 0 0 0 0 0 0 0 0 0 0
58629- 0 0 0 0 0 0 0 0 0 0 0 0
58630- 0 0 0 0 0 0 0 0 0 0 0 0
58631- 0 0 0 0 0 0 0 0 0 0 0 0
58632- 0 0 0 0 0 0 0 0 0 0 0 0
58633- 0 0 0 0 0 0 0 0 0 0 0 0
58634- 0 0 0 0 0 0 0 0 0 0 0 0
58635- 0 0 0 0 0 0 0 0 0 0 0 0
58636- 0 0 0 0 0 0 0 0 0 0 0 0
58637- 0 0 0 0 0 0 0 0 0 0 0 0
58638- 0 0 0 0 0 0 0 0 0 0 0 0
58639- 0 0 0 0 0 0 0 0 0 0 0 0
58640- 0 0 0 0 0 0 0 0 0 6 6 6
58641- 22 22 22 62 62 62 62 62 62 2 2 6
58642- 2 2 6 2 2 6 2 2 6 2 2 6
58643- 2 2 6 2 2 6 2 2 6 2 2 6
58644- 2 2 6 2 2 6 2 2 6 26 26 26
58645- 54 54 54 38 38 38 18 18 18 10 10 10
58646- 2 2 6 2 2 6 34 34 34 82 82 82
58647- 38 38 38 14 14 14 0 0 0 0 0 0
58648- 0 0 0 0 0 0 0 0 0 0 0 0
58649- 0 0 0 0 0 0 0 0 0 0 0 0
58650- 0 0 0 0 0 0 0 0 0 0 0 0
58651- 0 0 0 0 0 0 0 0 0 0 0 0
58652- 0 0 0 0 0 0 0 0 0 0 0 0
58653- 0 0 0 0 0 0 0 0 0 0 0 0
58654- 0 0 0 0 0 0 0 0 0 0 0 0
58655- 0 0 0 0 0 1 0 0 1 0 0 0
58656- 0 0 0 0 0 0 0 0 0 0 0 0
58657- 0 0 0 0 0 0 0 0 0 0 0 0
58658- 0 0 0 0 0 0 0 0 0 0 0 0
58659- 0 0 0 0 0 0 0 0 0 0 0 0
58660- 0 0 0 0 0 0 0 0 0 6 6 6
58661- 30 30 30 78 78 78 30 30 30 2 2 6
58662- 2 2 6 2 2 6 2 2 6 2 2 6
58663- 2 2 6 2 2 6 2 2 6 2 2 6
58664- 2 2 6 2 2 6 2 2 6 10 10 10
58665- 10 10 10 2 2 6 2 2 6 2 2 6
58666- 2 2 6 2 2 6 2 2 6 78 78 78
58667- 50 50 50 18 18 18 6 6 6 0 0 0
58668- 0 0 0 0 0 0 0 0 0 0 0 0
58669- 0 0 0 0 0 0 0 0 0 0 0 0
58670- 0 0 0 0 0 0 0 0 0 0 0 0
58671- 0 0 0 0 0 0 0 0 0 0 0 0
58672- 0 0 0 0 0 0 0 0 0 0 0 0
58673- 0 0 0 0 0 0 0 0 0 0 0 0
58674- 0 0 0 0 0 0 0 0 0 0 0 0
58675- 0 0 1 0 0 0 0 0 0 0 0 0
58676- 0 0 0 0 0 0 0 0 0 0 0 0
58677- 0 0 0 0 0 0 0 0 0 0 0 0
58678- 0 0 0 0 0 0 0 0 0 0 0 0
58679- 0 0 0 0 0 0 0 0 0 0 0 0
58680- 0 0 0 0 0 0 0 0 0 10 10 10
58681- 38 38 38 86 86 86 14 14 14 2 2 6
58682- 2 2 6 2 2 6 2 2 6 2 2 6
58683- 2 2 6 2 2 6 2 2 6 2 2 6
58684- 2 2 6 2 2 6 2 2 6 2 2 6
58685- 2 2 6 2 2 6 2 2 6 2 2 6
58686- 2 2 6 2 2 6 2 2 6 54 54 54
58687- 66 66 66 26 26 26 6 6 6 0 0 0
58688- 0 0 0 0 0 0 0 0 0 0 0 0
58689- 0 0 0 0 0 0 0 0 0 0 0 0
58690- 0 0 0 0 0 0 0 0 0 0 0 0
58691- 0 0 0 0 0 0 0 0 0 0 0 0
58692- 0 0 0 0 0 0 0 0 0 0 0 0
58693- 0 0 0 0 0 0 0 0 0 0 0 0
58694- 0 0 0 0 0 0 0 0 0 0 0 0
58695- 0 0 0 0 0 1 0 0 1 0 0 0
58696- 0 0 0 0 0 0 0 0 0 0 0 0
58697- 0 0 0 0 0 0 0 0 0 0 0 0
58698- 0 0 0 0 0 0 0 0 0 0 0 0
58699- 0 0 0 0 0 0 0 0 0 0 0 0
58700- 0 0 0 0 0 0 0 0 0 14 14 14
58701- 42 42 42 82 82 82 2 2 6 2 2 6
58702- 2 2 6 6 6 6 10 10 10 2 2 6
58703- 2 2 6 2 2 6 2 2 6 2 2 6
58704- 2 2 6 2 2 6 2 2 6 6 6 6
58705- 14 14 14 10 10 10 2 2 6 2 2 6
58706- 2 2 6 2 2 6 2 2 6 18 18 18
58707- 82 82 82 34 34 34 10 10 10 0 0 0
58708- 0 0 0 0 0 0 0 0 0 0 0 0
58709- 0 0 0 0 0 0 0 0 0 0 0 0
58710- 0 0 0 0 0 0 0 0 0 0 0 0
58711- 0 0 0 0 0 0 0 0 0 0 0 0
58712- 0 0 0 0 0 0 0 0 0 0 0 0
58713- 0 0 0 0 0 0 0 0 0 0 0 0
58714- 0 0 0 0 0 0 0 0 0 0 0 0
58715- 0 0 1 0 0 0 0 0 0 0 0 0
58716- 0 0 0 0 0 0 0 0 0 0 0 0
58717- 0 0 0 0 0 0 0 0 0 0 0 0
58718- 0 0 0 0 0 0 0 0 0 0 0 0
58719- 0 0 0 0 0 0 0 0 0 0 0 0
58720- 0 0 0 0 0 0 0 0 0 14 14 14
58721- 46 46 46 86 86 86 2 2 6 2 2 6
58722- 6 6 6 6 6 6 22 22 22 34 34 34
58723- 6 6 6 2 2 6 2 2 6 2 2 6
58724- 2 2 6 2 2 6 18 18 18 34 34 34
58725- 10 10 10 50 50 50 22 22 22 2 2 6
58726- 2 2 6 2 2 6 2 2 6 10 10 10
58727- 86 86 86 42 42 42 14 14 14 0 0 0
58728- 0 0 0 0 0 0 0 0 0 0 0 0
58729- 0 0 0 0 0 0 0 0 0 0 0 0
58730- 0 0 0 0 0 0 0 0 0 0 0 0
58731- 0 0 0 0 0 0 0 0 0 0 0 0
58732- 0 0 0 0 0 0 0 0 0 0 0 0
58733- 0 0 0 0 0 0 0 0 0 0 0 0
58734- 0 0 0 0 0 0 0 0 0 0 0 0
58735- 0 0 1 0 0 1 0 0 1 0 0 0
58736- 0 0 0 0 0 0 0 0 0 0 0 0
58737- 0 0 0 0 0 0 0 0 0 0 0 0
58738- 0 0 0 0 0 0 0 0 0 0 0 0
58739- 0 0 0 0 0 0 0 0 0 0 0 0
58740- 0 0 0 0 0 0 0 0 0 14 14 14
58741- 46 46 46 86 86 86 2 2 6 2 2 6
58742- 38 38 38 116 116 116 94 94 94 22 22 22
58743- 22 22 22 2 2 6 2 2 6 2 2 6
58744- 14 14 14 86 86 86 138 138 138 162 162 162
58745-154 154 154 38 38 38 26 26 26 6 6 6
58746- 2 2 6 2 2 6 2 2 6 2 2 6
58747- 86 86 86 46 46 46 14 14 14 0 0 0
58748- 0 0 0 0 0 0 0 0 0 0 0 0
58749- 0 0 0 0 0 0 0 0 0 0 0 0
58750- 0 0 0 0 0 0 0 0 0 0 0 0
58751- 0 0 0 0 0 0 0 0 0 0 0 0
58752- 0 0 0 0 0 0 0 0 0 0 0 0
58753- 0 0 0 0 0 0 0 0 0 0 0 0
58754- 0 0 0 0 0 0 0 0 0 0 0 0
58755- 0 0 0 0 0 0 0 0 0 0 0 0
58756- 0 0 0 0 0 0 0 0 0 0 0 0
58757- 0 0 0 0 0 0 0 0 0 0 0 0
58758- 0 0 0 0 0 0 0 0 0 0 0 0
58759- 0 0 0 0 0 0 0 0 0 0 0 0
58760- 0 0 0 0 0 0 0 0 0 14 14 14
58761- 46 46 46 86 86 86 2 2 6 14 14 14
58762-134 134 134 198 198 198 195 195 195 116 116 116
58763- 10 10 10 2 2 6 2 2 6 6 6 6
58764-101 98 89 187 187 187 210 210 210 218 218 218
58765-214 214 214 134 134 134 14 14 14 6 6 6
58766- 2 2 6 2 2 6 2 2 6 2 2 6
58767- 86 86 86 50 50 50 18 18 18 6 6 6
58768- 0 0 0 0 0 0 0 0 0 0 0 0
58769- 0 0 0 0 0 0 0 0 0 0 0 0
58770- 0 0 0 0 0 0 0 0 0 0 0 0
58771- 0 0 0 0 0 0 0 0 0 0 0 0
58772- 0 0 0 0 0 0 0 0 0 0 0 0
58773- 0 0 0 0 0 0 0 0 0 0 0 0
58774- 0 0 0 0 0 0 0 0 1 0 0 0
58775- 0 0 1 0 0 1 0 0 1 0 0 0
58776- 0 0 0 0 0 0 0 0 0 0 0 0
58777- 0 0 0 0 0 0 0 0 0 0 0 0
58778- 0 0 0 0 0 0 0 0 0 0 0 0
58779- 0 0 0 0 0 0 0 0 0 0 0 0
58780- 0 0 0 0 0 0 0 0 0 14 14 14
58781- 46 46 46 86 86 86 2 2 6 54 54 54
58782-218 218 218 195 195 195 226 226 226 246 246 246
58783- 58 58 58 2 2 6 2 2 6 30 30 30
58784-210 210 210 253 253 253 174 174 174 123 123 123
58785-221 221 221 234 234 234 74 74 74 2 2 6
58786- 2 2 6 2 2 6 2 2 6 2 2 6
58787- 70 70 70 58 58 58 22 22 22 6 6 6
58788- 0 0 0 0 0 0 0 0 0 0 0 0
58789- 0 0 0 0 0 0 0 0 0 0 0 0
58790- 0 0 0 0 0 0 0 0 0 0 0 0
58791- 0 0 0 0 0 0 0 0 0 0 0 0
58792- 0 0 0 0 0 0 0 0 0 0 0 0
58793- 0 0 0 0 0 0 0 0 0 0 0 0
58794- 0 0 0 0 0 0 0 0 0 0 0 0
58795- 0 0 0 0 0 0 0 0 0 0 0 0
58796- 0 0 0 0 0 0 0 0 0 0 0 0
58797- 0 0 0 0 0 0 0 0 0 0 0 0
58798- 0 0 0 0 0 0 0 0 0 0 0 0
58799- 0 0 0 0 0 0 0 0 0 0 0 0
58800- 0 0 0 0 0 0 0 0 0 14 14 14
58801- 46 46 46 82 82 82 2 2 6 106 106 106
58802-170 170 170 26 26 26 86 86 86 226 226 226
58803-123 123 123 10 10 10 14 14 14 46 46 46
58804-231 231 231 190 190 190 6 6 6 70 70 70
58805- 90 90 90 238 238 238 158 158 158 2 2 6
58806- 2 2 6 2 2 6 2 2 6 2 2 6
58807- 70 70 70 58 58 58 22 22 22 6 6 6
58808- 0 0 0 0 0 0 0 0 0 0 0 0
58809- 0 0 0 0 0 0 0 0 0 0 0 0
58810- 0 0 0 0 0 0 0 0 0 0 0 0
58811- 0 0 0 0 0 0 0 0 0 0 0 0
58812- 0 0 0 0 0 0 0 0 0 0 0 0
58813- 0 0 0 0 0 0 0 0 0 0 0 0
58814- 0 0 0 0 0 0 0 0 1 0 0 0
58815- 0 0 1 0 0 1 0 0 1 0 0 0
58816- 0 0 0 0 0 0 0 0 0 0 0 0
58817- 0 0 0 0 0 0 0 0 0 0 0 0
58818- 0 0 0 0 0 0 0 0 0 0 0 0
58819- 0 0 0 0 0 0 0 0 0 0 0 0
58820- 0 0 0 0 0 0 0 0 0 14 14 14
58821- 42 42 42 86 86 86 6 6 6 116 116 116
58822-106 106 106 6 6 6 70 70 70 149 149 149
58823-128 128 128 18 18 18 38 38 38 54 54 54
58824-221 221 221 106 106 106 2 2 6 14 14 14
58825- 46 46 46 190 190 190 198 198 198 2 2 6
58826- 2 2 6 2 2 6 2 2 6 2 2 6
58827- 74 74 74 62 62 62 22 22 22 6 6 6
58828- 0 0 0 0 0 0 0 0 0 0 0 0
58829- 0 0 0 0 0 0 0 0 0 0 0 0
58830- 0 0 0 0 0 0 0 0 0 0 0 0
58831- 0 0 0 0 0 0 0 0 0 0 0 0
58832- 0 0 0 0 0 0 0 0 0 0 0 0
58833- 0 0 0 0 0 0 0 0 0 0 0 0
58834- 0 0 0 0 0 0 0 0 1 0 0 0
58835- 0 0 1 0 0 0 0 0 1 0 0 0
58836- 0 0 0 0 0 0 0 0 0 0 0 0
58837- 0 0 0 0 0 0 0 0 0 0 0 0
58838- 0 0 0 0 0 0 0 0 0 0 0 0
58839- 0 0 0 0 0 0 0 0 0 0 0 0
58840- 0 0 0 0 0 0 0 0 0 14 14 14
58841- 42 42 42 94 94 94 14 14 14 101 101 101
58842-128 128 128 2 2 6 18 18 18 116 116 116
58843-118 98 46 121 92 8 121 92 8 98 78 10
58844-162 162 162 106 106 106 2 2 6 2 2 6
58845- 2 2 6 195 195 195 195 195 195 6 6 6
58846- 2 2 6 2 2 6 2 2 6 2 2 6
58847- 74 74 74 62 62 62 22 22 22 6 6 6
58848- 0 0 0 0 0 0 0 0 0 0 0 0
58849- 0 0 0 0 0 0 0 0 0 0 0 0
58850- 0 0 0 0 0 0 0 0 0 0 0 0
58851- 0 0 0 0 0 0 0 0 0 0 0 0
58852- 0 0 0 0 0 0 0 0 0 0 0 0
58853- 0 0 0 0 0 0 0 0 0 0 0 0
58854- 0 0 0 0 0 0 0 0 1 0 0 1
58855- 0 0 1 0 0 0 0 0 1 0 0 0
58856- 0 0 0 0 0 0 0 0 0 0 0 0
58857- 0 0 0 0 0 0 0 0 0 0 0 0
58858- 0 0 0 0 0 0 0 0 0 0 0 0
58859- 0 0 0 0 0 0 0 0 0 0 0 0
58860- 0 0 0 0 0 0 0 0 0 10 10 10
58861- 38 38 38 90 90 90 14 14 14 58 58 58
58862-210 210 210 26 26 26 54 38 6 154 114 10
58863-226 170 11 236 186 11 225 175 15 184 144 12
58864-215 174 15 175 146 61 37 26 9 2 2 6
58865- 70 70 70 246 246 246 138 138 138 2 2 6
58866- 2 2 6 2 2 6 2 2 6 2 2 6
58867- 70 70 70 66 66 66 26 26 26 6 6 6
58868- 0 0 0 0 0 0 0 0 0 0 0 0
58869- 0 0 0 0 0 0 0 0 0 0 0 0
58870- 0 0 0 0 0 0 0 0 0 0 0 0
58871- 0 0 0 0 0 0 0 0 0 0 0 0
58872- 0 0 0 0 0 0 0 0 0 0 0 0
58873- 0 0 0 0 0 0 0 0 0 0 0 0
58874- 0 0 0 0 0 0 0 0 0 0 0 0
58875- 0 0 0 0 0 0 0 0 0 0 0 0
58876- 0 0 0 0 0 0 0 0 0 0 0 0
58877- 0 0 0 0 0 0 0 0 0 0 0 0
58878- 0 0 0 0 0 0 0 0 0 0 0 0
58879- 0 0 0 0 0 0 0 0 0 0 0 0
58880- 0 0 0 0 0 0 0 0 0 10 10 10
58881- 38 38 38 86 86 86 14 14 14 10 10 10
58882-195 195 195 188 164 115 192 133 9 225 175 15
58883-239 182 13 234 190 10 232 195 16 232 200 30
58884-245 207 45 241 208 19 232 195 16 184 144 12
58885-218 194 134 211 206 186 42 42 42 2 2 6
58886- 2 2 6 2 2 6 2 2 6 2 2 6
58887- 50 50 50 74 74 74 30 30 30 6 6 6
58888- 0 0 0 0 0 0 0 0 0 0 0 0
58889- 0 0 0 0 0 0 0 0 0 0 0 0
58890- 0 0 0 0 0 0 0 0 0 0 0 0
58891- 0 0 0 0 0 0 0 0 0 0 0 0
58892- 0 0 0 0 0 0 0 0 0 0 0 0
58893- 0 0 0 0 0 0 0 0 0 0 0 0
58894- 0 0 0 0 0 0 0 0 0 0 0 0
58895- 0 0 0 0 0 0 0 0 0 0 0 0
58896- 0 0 0 0 0 0 0 0 0 0 0 0
58897- 0 0 0 0 0 0 0 0 0 0 0 0
58898- 0 0 0 0 0 0 0 0 0 0 0 0
58899- 0 0 0 0 0 0 0 0 0 0 0 0
58900- 0 0 0 0 0 0 0 0 0 10 10 10
58901- 34 34 34 86 86 86 14 14 14 2 2 6
58902-121 87 25 192 133 9 219 162 10 239 182 13
58903-236 186 11 232 195 16 241 208 19 244 214 54
58904-246 218 60 246 218 38 246 215 20 241 208 19
58905-241 208 19 226 184 13 121 87 25 2 2 6
58906- 2 2 6 2 2 6 2 2 6 2 2 6
58907- 50 50 50 82 82 82 34 34 34 10 10 10
58908- 0 0 0 0 0 0 0 0 0 0 0 0
58909- 0 0 0 0 0 0 0 0 0 0 0 0
58910- 0 0 0 0 0 0 0 0 0 0 0 0
58911- 0 0 0 0 0 0 0 0 0 0 0 0
58912- 0 0 0 0 0 0 0 0 0 0 0 0
58913- 0 0 0 0 0 0 0 0 0 0 0 0
58914- 0 0 0 0 0 0 0 0 0 0 0 0
58915- 0 0 0 0 0 0 0 0 0 0 0 0
58916- 0 0 0 0 0 0 0 0 0 0 0 0
58917- 0 0 0 0 0 0 0 0 0 0 0 0
58918- 0 0 0 0 0 0 0 0 0 0 0 0
58919- 0 0 0 0 0 0 0 0 0 0 0 0
58920- 0 0 0 0 0 0 0 0 0 10 10 10
58921- 34 34 34 82 82 82 30 30 30 61 42 6
58922-180 123 7 206 145 10 230 174 11 239 182 13
58923-234 190 10 238 202 15 241 208 19 246 218 74
58924-246 218 38 246 215 20 246 215 20 246 215 20
58925-226 184 13 215 174 15 184 144 12 6 6 6
58926- 2 2 6 2 2 6 2 2 6 2 2 6
58927- 26 26 26 94 94 94 42 42 42 14 14 14
58928- 0 0 0 0 0 0 0 0 0 0 0 0
58929- 0 0 0 0 0 0 0 0 0 0 0 0
58930- 0 0 0 0 0 0 0 0 0 0 0 0
58931- 0 0 0 0 0 0 0 0 0 0 0 0
58932- 0 0 0 0 0 0 0 0 0 0 0 0
58933- 0 0 0 0 0 0 0 0 0 0 0 0
58934- 0 0 0 0 0 0 0 0 0 0 0 0
58935- 0 0 0 0 0 0 0 0 0 0 0 0
58936- 0 0 0 0 0 0 0 0 0 0 0 0
58937- 0 0 0 0 0 0 0 0 0 0 0 0
58938- 0 0 0 0 0 0 0 0 0 0 0 0
58939- 0 0 0 0 0 0 0 0 0 0 0 0
58940- 0 0 0 0 0 0 0 0 0 10 10 10
58941- 30 30 30 78 78 78 50 50 50 104 69 6
58942-192 133 9 216 158 10 236 178 12 236 186 11
58943-232 195 16 241 208 19 244 214 54 245 215 43
58944-246 215 20 246 215 20 241 208 19 198 155 10
58945-200 144 11 216 158 10 156 118 10 2 2 6
58946- 2 2 6 2 2 6 2 2 6 2 2 6
58947- 6 6 6 90 90 90 54 54 54 18 18 18
58948- 6 6 6 0 0 0 0 0 0 0 0 0
58949- 0 0 0 0 0 0 0 0 0 0 0 0
58950- 0 0 0 0 0 0 0 0 0 0 0 0
58951- 0 0 0 0 0 0 0 0 0 0 0 0
58952- 0 0 0 0 0 0 0 0 0 0 0 0
58953- 0 0 0 0 0 0 0 0 0 0 0 0
58954- 0 0 0 0 0 0 0 0 0 0 0 0
58955- 0 0 0 0 0 0 0 0 0 0 0 0
58956- 0 0 0 0 0 0 0 0 0 0 0 0
58957- 0 0 0 0 0 0 0 0 0 0 0 0
58958- 0 0 0 0 0 0 0 0 0 0 0 0
58959- 0 0 0 0 0 0 0 0 0 0 0 0
58960- 0 0 0 0 0 0 0 0 0 10 10 10
58961- 30 30 30 78 78 78 46 46 46 22 22 22
58962-137 92 6 210 162 10 239 182 13 238 190 10
58963-238 202 15 241 208 19 246 215 20 246 215 20
58964-241 208 19 203 166 17 185 133 11 210 150 10
58965-216 158 10 210 150 10 102 78 10 2 2 6
58966- 6 6 6 54 54 54 14 14 14 2 2 6
58967- 2 2 6 62 62 62 74 74 74 30 30 30
58968- 10 10 10 0 0 0 0 0 0 0 0 0
58969- 0 0 0 0 0 0 0 0 0 0 0 0
58970- 0 0 0 0 0 0 0 0 0 0 0 0
58971- 0 0 0 0 0 0 0 0 0 0 0 0
58972- 0 0 0 0 0 0 0 0 0 0 0 0
58973- 0 0 0 0 0 0 0 0 0 0 0 0
58974- 0 0 0 0 0 0 0 0 0 0 0 0
58975- 0 0 0 0 0 0 0 0 0 0 0 0
58976- 0 0 0 0 0 0 0 0 0 0 0 0
58977- 0 0 0 0 0 0 0 0 0 0 0 0
58978- 0 0 0 0 0 0 0 0 0 0 0 0
58979- 0 0 0 0 0 0 0 0 0 0 0 0
58980- 0 0 0 0 0 0 0 0 0 10 10 10
58981- 34 34 34 78 78 78 50 50 50 6 6 6
58982- 94 70 30 139 102 15 190 146 13 226 184 13
58983-232 200 30 232 195 16 215 174 15 190 146 13
58984-168 122 10 192 133 9 210 150 10 213 154 11
58985-202 150 34 182 157 106 101 98 89 2 2 6
58986- 2 2 6 78 78 78 116 116 116 58 58 58
58987- 2 2 6 22 22 22 90 90 90 46 46 46
58988- 18 18 18 6 6 6 0 0 0 0 0 0
58989- 0 0 0 0 0 0 0 0 0 0 0 0
58990- 0 0 0 0 0 0 0 0 0 0 0 0
58991- 0 0 0 0 0 0 0 0 0 0 0 0
58992- 0 0 0 0 0 0 0 0 0 0 0 0
58993- 0 0 0 0 0 0 0 0 0 0 0 0
58994- 0 0 0 0 0 0 0 0 0 0 0 0
58995- 0 0 0 0 0 0 0 0 0 0 0 0
58996- 0 0 0 0 0 0 0 0 0 0 0 0
58997- 0 0 0 0 0 0 0 0 0 0 0 0
58998- 0 0 0 0 0 0 0 0 0 0 0 0
58999- 0 0 0 0 0 0 0 0 0 0 0 0
59000- 0 0 0 0 0 0 0 0 0 10 10 10
59001- 38 38 38 86 86 86 50 50 50 6 6 6
59002-128 128 128 174 154 114 156 107 11 168 122 10
59003-198 155 10 184 144 12 197 138 11 200 144 11
59004-206 145 10 206 145 10 197 138 11 188 164 115
59005-195 195 195 198 198 198 174 174 174 14 14 14
59006- 2 2 6 22 22 22 116 116 116 116 116 116
59007- 22 22 22 2 2 6 74 74 74 70 70 70
59008- 30 30 30 10 10 10 0 0 0 0 0 0
59009- 0 0 0 0 0 0 0 0 0 0 0 0
59010- 0 0 0 0 0 0 0 0 0 0 0 0
59011- 0 0 0 0 0 0 0 0 0 0 0 0
59012- 0 0 0 0 0 0 0 0 0 0 0 0
59013- 0 0 0 0 0 0 0 0 0 0 0 0
59014- 0 0 0 0 0 0 0 0 0 0 0 0
59015- 0 0 0 0 0 0 0 0 0 0 0 0
59016- 0 0 0 0 0 0 0 0 0 0 0 0
59017- 0 0 0 0 0 0 0 0 0 0 0 0
59018- 0 0 0 0 0 0 0 0 0 0 0 0
59019- 0 0 0 0 0 0 0 0 0 0 0 0
59020- 0 0 0 0 0 0 6 6 6 18 18 18
59021- 50 50 50 101 101 101 26 26 26 10 10 10
59022-138 138 138 190 190 190 174 154 114 156 107 11
59023-197 138 11 200 144 11 197 138 11 192 133 9
59024-180 123 7 190 142 34 190 178 144 187 187 187
59025-202 202 202 221 221 221 214 214 214 66 66 66
59026- 2 2 6 2 2 6 50 50 50 62 62 62
59027- 6 6 6 2 2 6 10 10 10 90 90 90
59028- 50 50 50 18 18 18 6 6 6 0 0 0
59029- 0 0 0 0 0 0 0 0 0 0 0 0
59030- 0 0 0 0 0 0 0 0 0 0 0 0
59031- 0 0 0 0 0 0 0 0 0 0 0 0
59032- 0 0 0 0 0 0 0 0 0 0 0 0
59033- 0 0 0 0 0 0 0 0 0 0 0 0
59034- 0 0 0 0 0 0 0 0 0 0 0 0
59035- 0 0 0 0 0 0 0 0 0 0 0 0
59036- 0 0 0 0 0 0 0 0 0 0 0 0
59037- 0 0 0 0 0 0 0 0 0 0 0 0
59038- 0 0 0 0 0 0 0 0 0 0 0 0
59039- 0 0 0 0 0 0 0 0 0 0 0 0
59040- 0 0 0 0 0 0 10 10 10 34 34 34
59041- 74 74 74 74 74 74 2 2 6 6 6 6
59042-144 144 144 198 198 198 190 190 190 178 166 146
59043-154 121 60 156 107 11 156 107 11 168 124 44
59044-174 154 114 187 187 187 190 190 190 210 210 210
59045-246 246 246 253 253 253 253 253 253 182 182 182
59046- 6 6 6 2 2 6 2 2 6 2 2 6
59047- 2 2 6 2 2 6 2 2 6 62 62 62
59048- 74 74 74 34 34 34 14 14 14 0 0 0
59049- 0 0 0 0 0 0 0 0 0 0 0 0
59050- 0 0 0 0 0 0 0 0 0 0 0 0
59051- 0 0 0 0 0 0 0 0 0 0 0 0
59052- 0 0 0 0 0 0 0 0 0 0 0 0
59053- 0 0 0 0 0 0 0 0 0 0 0 0
59054- 0 0 0 0 0 0 0 0 0 0 0 0
59055- 0 0 0 0 0 0 0 0 0 0 0 0
59056- 0 0 0 0 0 0 0 0 0 0 0 0
59057- 0 0 0 0 0 0 0 0 0 0 0 0
59058- 0 0 0 0 0 0 0 0 0 0 0 0
59059- 0 0 0 0 0 0 0 0 0 0 0 0
59060- 0 0 0 10 10 10 22 22 22 54 54 54
59061- 94 94 94 18 18 18 2 2 6 46 46 46
59062-234 234 234 221 221 221 190 190 190 190 190 190
59063-190 190 190 187 187 187 187 187 187 190 190 190
59064-190 190 190 195 195 195 214 214 214 242 242 242
59065-253 253 253 253 253 253 253 253 253 253 253 253
59066- 82 82 82 2 2 6 2 2 6 2 2 6
59067- 2 2 6 2 2 6 2 2 6 14 14 14
59068- 86 86 86 54 54 54 22 22 22 6 6 6
59069- 0 0 0 0 0 0 0 0 0 0 0 0
59070- 0 0 0 0 0 0 0 0 0 0 0 0
59071- 0 0 0 0 0 0 0 0 0 0 0 0
59072- 0 0 0 0 0 0 0 0 0 0 0 0
59073- 0 0 0 0 0 0 0 0 0 0 0 0
59074- 0 0 0 0 0 0 0 0 0 0 0 0
59075- 0 0 0 0 0 0 0 0 0 0 0 0
59076- 0 0 0 0 0 0 0 0 0 0 0 0
59077- 0 0 0 0 0 0 0 0 0 0 0 0
59078- 0 0 0 0 0 0 0 0 0 0 0 0
59079- 0 0 0 0 0 0 0 0 0 0 0 0
59080- 6 6 6 18 18 18 46 46 46 90 90 90
59081- 46 46 46 18 18 18 6 6 6 182 182 182
59082-253 253 253 246 246 246 206 206 206 190 190 190
59083-190 190 190 190 190 190 190 190 190 190 190 190
59084-206 206 206 231 231 231 250 250 250 253 253 253
59085-253 253 253 253 253 253 253 253 253 253 253 253
59086-202 202 202 14 14 14 2 2 6 2 2 6
59087- 2 2 6 2 2 6 2 2 6 2 2 6
59088- 42 42 42 86 86 86 42 42 42 18 18 18
59089- 6 6 6 0 0 0 0 0 0 0 0 0
59090- 0 0 0 0 0 0 0 0 0 0 0 0
59091- 0 0 0 0 0 0 0 0 0 0 0 0
59092- 0 0 0 0 0 0 0 0 0 0 0 0
59093- 0 0 0 0 0 0 0 0 0 0 0 0
59094- 0 0 0 0 0 0 0 0 0 0 0 0
59095- 0 0 0 0 0 0 0 0 0 0 0 0
59096- 0 0 0 0 0 0 0 0 0 0 0 0
59097- 0 0 0 0 0 0 0 0 0 0 0 0
59098- 0 0 0 0 0 0 0 0 0 0 0 0
59099- 0 0 0 0 0 0 0 0 0 6 6 6
59100- 14 14 14 38 38 38 74 74 74 66 66 66
59101- 2 2 6 6 6 6 90 90 90 250 250 250
59102-253 253 253 253 253 253 238 238 238 198 198 198
59103-190 190 190 190 190 190 195 195 195 221 221 221
59104-246 246 246 253 253 253 253 253 253 253 253 253
59105-253 253 253 253 253 253 253 253 253 253 253 253
59106-253 253 253 82 82 82 2 2 6 2 2 6
59107- 2 2 6 2 2 6 2 2 6 2 2 6
59108- 2 2 6 78 78 78 70 70 70 34 34 34
59109- 14 14 14 6 6 6 0 0 0 0 0 0
59110- 0 0 0 0 0 0 0 0 0 0 0 0
59111- 0 0 0 0 0 0 0 0 0 0 0 0
59112- 0 0 0 0 0 0 0 0 0 0 0 0
59113- 0 0 0 0 0 0 0 0 0 0 0 0
59114- 0 0 0 0 0 0 0 0 0 0 0 0
59115- 0 0 0 0 0 0 0 0 0 0 0 0
59116- 0 0 0 0 0 0 0 0 0 0 0 0
59117- 0 0 0 0 0 0 0 0 0 0 0 0
59118- 0 0 0 0 0 0 0 0 0 0 0 0
59119- 0 0 0 0 0 0 0 0 0 14 14 14
59120- 34 34 34 66 66 66 78 78 78 6 6 6
59121- 2 2 6 18 18 18 218 218 218 253 253 253
59122-253 253 253 253 253 253 253 253 253 246 246 246
59123-226 226 226 231 231 231 246 246 246 253 253 253
59124-253 253 253 253 253 253 253 253 253 253 253 253
59125-253 253 253 253 253 253 253 253 253 253 253 253
59126-253 253 253 178 178 178 2 2 6 2 2 6
59127- 2 2 6 2 2 6 2 2 6 2 2 6
59128- 2 2 6 18 18 18 90 90 90 62 62 62
59129- 30 30 30 10 10 10 0 0 0 0 0 0
59130- 0 0 0 0 0 0 0 0 0 0 0 0
59131- 0 0 0 0 0 0 0 0 0 0 0 0
59132- 0 0 0 0 0 0 0 0 0 0 0 0
59133- 0 0 0 0 0 0 0 0 0 0 0 0
59134- 0 0 0 0 0 0 0 0 0 0 0 0
59135- 0 0 0 0 0 0 0 0 0 0 0 0
59136- 0 0 0 0 0 0 0 0 0 0 0 0
59137- 0 0 0 0 0 0 0 0 0 0 0 0
59138- 0 0 0 0 0 0 0 0 0 0 0 0
59139- 0 0 0 0 0 0 10 10 10 26 26 26
59140- 58 58 58 90 90 90 18 18 18 2 2 6
59141- 2 2 6 110 110 110 253 253 253 253 253 253
59142-253 253 253 253 253 253 253 253 253 253 253 253
59143-250 250 250 253 253 253 253 253 253 253 253 253
59144-253 253 253 253 253 253 253 253 253 253 253 253
59145-253 253 253 253 253 253 253 253 253 253 253 253
59146-253 253 253 231 231 231 18 18 18 2 2 6
59147- 2 2 6 2 2 6 2 2 6 2 2 6
59148- 2 2 6 2 2 6 18 18 18 94 94 94
59149- 54 54 54 26 26 26 10 10 10 0 0 0
59150- 0 0 0 0 0 0 0 0 0 0 0 0
59151- 0 0 0 0 0 0 0 0 0 0 0 0
59152- 0 0 0 0 0 0 0 0 0 0 0 0
59153- 0 0 0 0 0 0 0 0 0 0 0 0
59154- 0 0 0 0 0 0 0 0 0 0 0 0
59155- 0 0 0 0 0 0 0 0 0 0 0 0
59156- 0 0 0 0 0 0 0 0 0 0 0 0
59157- 0 0 0 0 0 0 0 0 0 0 0 0
59158- 0 0 0 0 0 0 0 0 0 0 0 0
59159- 0 0 0 6 6 6 22 22 22 50 50 50
59160- 90 90 90 26 26 26 2 2 6 2 2 6
59161- 14 14 14 195 195 195 250 250 250 253 253 253
59162-253 253 253 253 253 253 253 253 253 253 253 253
59163-253 253 253 253 253 253 253 253 253 253 253 253
59164-253 253 253 253 253 253 253 253 253 253 253 253
59165-253 253 253 253 253 253 253 253 253 253 253 253
59166-250 250 250 242 242 242 54 54 54 2 2 6
59167- 2 2 6 2 2 6 2 2 6 2 2 6
59168- 2 2 6 2 2 6 2 2 6 38 38 38
59169- 86 86 86 50 50 50 22 22 22 6 6 6
59170- 0 0 0 0 0 0 0 0 0 0 0 0
59171- 0 0 0 0 0 0 0 0 0 0 0 0
59172- 0 0 0 0 0 0 0 0 0 0 0 0
59173- 0 0 0 0 0 0 0 0 0 0 0 0
59174- 0 0 0 0 0 0 0 0 0 0 0 0
59175- 0 0 0 0 0 0 0 0 0 0 0 0
59176- 0 0 0 0 0 0 0 0 0 0 0 0
59177- 0 0 0 0 0 0 0 0 0 0 0 0
59178- 0 0 0 0 0 0 0 0 0 0 0 0
59179- 6 6 6 14 14 14 38 38 38 82 82 82
59180- 34 34 34 2 2 6 2 2 6 2 2 6
59181- 42 42 42 195 195 195 246 246 246 253 253 253
59182-253 253 253 253 253 253 253 253 253 250 250 250
59183-242 242 242 242 242 242 250 250 250 253 253 253
59184-253 253 253 253 253 253 253 253 253 253 253 253
59185-253 253 253 250 250 250 246 246 246 238 238 238
59186-226 226 226 231 231 231 101 101 101 6 6 6
59187- 2 2 6 2 2 6 2 2 6 2 2 6
59188- 2 2 6 2 2 6 2 2 6 2 2 6
59189- 38 38 38 82 82 82 42 42 42 14 14 14
59190- 6 6 6 0 0 0 0 0 0 0 0 0
59191- 0 0 0 0 0 0 0 0 0 0 0 0
59192- 0 0 0 0 0 0 0 0 0 0 0 0
59193- 0 0 0 0 0 0 0 0 0 0 0 0
59194- 0 0 0 0 0 0 0 0 0 0 0 0
59195- 0 0 0 0 0 0 0 0 0 0 0 0
59196- 0 0 0 0 0 0 0 0 0 0 0 0
59197- 0 0 0 0 0 0 0 0 0 0 0 0
59198- 0 0 0 0 0 0 0 0 0 0 0 0
59199- 10 10 10 26 26 26 62 62 62 66 66 66
59200- 2 2 6 2 2 6 2 2 6 6 6 6
59201- 70 70 70 170 170 170 206 206 206 234 234 234
59202-246 246 246 250 250 250 250 250 250 238 238 238
59203-226 226 226 231 231 231 238 238 238 250 250 250
59204-250 250 250 250 250 250 246 246 246 231 231 231
59205-214 214 214 206 206 206 202 202 202 202 202 202
59206-198 198 198 202 202 202 182 182 182 18 18 18
59207- 2 2 6 2 2 6 2 2 6 2 2 6
59208- 2 2 6 2 2 6 2 2 6 2 2 6
59209- 2 2 6 62 62 62 66 66 66 30 30 30
59210- 10 10 10 0 0 0 0 0 0 0 0 0
59211- 0 0 0 0 0 0 0 0 0 0 0 0
59212- 0 0 0 0 0 0 0 0 0 0 0 0
59213- 0 0 0 0 0 0 0 0 0 0 0 0
59214- 0 0 0 0 0 0 0 0 0 0 0 0
59215- 0 0 0 0 0 0 0 0 0 0 0 0
59216- 0 0 0 0 0 0 0 0 0 0 0 0
59217- 0 0 0 0 0 0 0 0 0 0 0 0
59218- 0 0 0 0 0 0 0 0 0 0 0 0
59219- 14 14 14 42 42 42 82 82 82 18 18 18
59220- 2 2 6 2 2 6 2 2 6 10 10 10
59221- 94 94 94 182 182 182 218 218 218 242 242 242
59222-250 250 250 253 253 253 253 253 253 250 250 250
59223-234 234 234 253 253 253 253 253 253 253 253 253
59224-253 253 253 253 253 253 253 253 253 246 246 246
59225-238 238 238 226 226 226 210 210 210 202 202 202
59226-195 195 195 195 195 195 210 210 210 158 158 158
59227- 6 6 6 14 14 14 50 50 50 14 14 14
59228- 2 2 6 2 2 6 2 2 6 2 2 6
59229- 2 2 6 6 6 6 86 86 86 46 46 46
59230- 18 18 18 6 6 6 0 0 0 0 0 0
59231- 0 0 0 0 0 0 0 0 0 0 0 0
59232- 0 0 0 0 0 0 0 0 0 0 0 0
59233- 0 0 0 0 0 0 0 0 0 0 0 0
59234- 0 0 0 0 0 0 0 0 0 0 0 0
59235- 0 0 0 0 0 0 0 0 0 0 0 0
59236- 0 0 0 0 0 0 0 0 0 0 0 0
59237- 0 0 0 0 0 0 0 0 0 0 0 0
59238- 0 0 0 0 0 0 0 0 0 6 6 6
59239- 22 22 22 54 54 54 70 70 70 2 2 6
59240- 2 2 6 10 10 10 2 2 6 22 22 22
59241-166 166 166 231 231 231 250 250 250 253 253 253
59242-253 253 253 253 253 253 253 253 253 250 250 250
59243-242 242 242 253 253 253 253 253 253 253 253 253
59244-253 253 253 253 253 253 253 253 253 253 253 253
59245-253 253 253 253 253 253 253 253 253 246 246 246
59246-231 231 231 206 206 206 198 198 198 226 226 226
59247- 94 94 94 2 2 6 6 6 6 38 38 38
59248- 30 30 30 2 2 6 2 2 6 2 2 6
59249- 2 2 6 2 2 6 62 62 62 66 66 66
59250- 26 26 26 10 10 10 0 0 0 0 0 0
59251- 0 0 0 0 0 0 0 0 0 0 0 0
59252- 0 0 0 0 0 0 0 0 0 0 0 0
59253- 0 0 0 0 0 0 0 0 0 0 0 0
59254- 0 0 0 0 0 0 0 0 0 0 0 0
59255- 0 0 0 0 0 0 0 0 0 0 0 0
59256- 0 0 0 0 0 0 0 0 0 0 0 0
59257- 0 0 0 0 0 0 0 0 0 0 0 0
59258- 0 0 0 0 0 0 0 0 0 10 10 10
59259- 30 30 30 74 74 74 50 50 50 2 2 6
59260- 26 26 26 26 26 26 2 2 6 106 106 106
59261-238 238 238 253 253 253 253 253 253 253 253 253
59262-253 253 253 253 253 253 253 253 253 253 253 253
59263-253 253 253 253 253 253 253 253 253 253 253 253
59264-253 253 253 253 253 253 253 253 253 253 253 253
59265-253 253 253 253 253 253 253 253 253 253 253 253
59266-253 253 253 246 246 246 218 218 218 202 202 202
59267-210 210 210 14 14 14 2 2 6 2 2 6
59268- 30 30 30 22 22 22 2 2 6 2 2 6
59269- 2 2 6 2 2 6 18 18 18 86 86 86
59270- 42 42 42 14 14 14 0 0 0 0 0 0
59271- 0 0 0 0 0 0 0 0 0 0 0 0
59272- 0 0 0 0 0 0 0 0 0 0 0 0
59273- 0 0 0 0 0 0 0 0 0 0 0 0
59274- 0 0 0 0 0 0 0 0 0 0 0 0
59275- 0 0 0 0 0 0 0 0 0 0 0 0
59276- 0 0 0 0 0 0 0 0 0 0 0 0
59277- 0 0 0 0 0 0 0 0 0 0 0 0
59278- 0 0 0 0 0 0 0 0 0 14 14 14
59279- 42 42 42 90 90 90 22 22 22 2 2 6
59280- 42 42 42 2 2 6 18 18 18 218 218 218
59281-253 253 253 253 253 253 253 253 253 253 253 253
59282-253 253 253 253 253 253 253 253 253 253 253 253
59283-253 253 253 253 253 253 253 253 253 253 253 253
59284-253 253 253 253 253 253 253 253 253 253 253 253
59285-253 253 253 253 253 253 253 253 253 253 253 253
59286-253 253 253 253 253 253 250 250 250 221 221 221
59287-218 218 218 101 101 101 2 2 6 14 14 14
59288- 18 18 18 38 38 38 10 10 10 2 2 6
59289- 2 2 6 2 2 6 2 2 6 78 78 78
59290- 58 58 58 22 22 22 6 6 6 0 0 0
59291- 0 0 0 0 0 0 0 0 0 0 0 0
59292- 0 0 0 0 0 0 0 0 0 0 0 0
59293- 0 0 0 0 0 0 0 0 0 0 0 0
59294- 0 0 0 0 0 0 0 0 0 0 0 0
59295- 0 0 0 0 0 0 0 0 0 0 0 0
59296- 0 0 0 0 0 0 0 0 0 0 0 0
59297- 0 0 0 0 0 0 0 0 0 0 0 0
59298- 0 0 0 0 0 0 6 6 6 18 18 18
59299- 54 54 54 82 82 82 2 2 6 26 26 26
59300- 22 22 22 2 2 6 123 123 123 253 253 253
59301-253 253 253 253 253 253 253 253 253 253 253 253
59302-253 253 253 253 253 253 253 253 253 253 253 253
59303-253 253 253 253 253 253 253 253 253 253 253 253
59304-253 253 253 253 253 253 253 253 253 253 253 253
59305-253 253 253 253 253 253 253 253 253 253 253 253
59306-253 253 253 253 253 253 253 253 253 250 250 250
59307-238 238 238 198 198 198 6 6 6 38 38 38
59308- 58 58 58 26 26 26 38 38 38 2 2 6
59309- 2 2 6 2 2 6 2 2 6 46 46 46
59310- 78 78 78 30 30 30 10 10 10 0 0 0
59311- 0 0 0 0 0 0 0 0 0 0 0 0
59312- 0 0 0 0 0 0 0 0 0 0 0 0
59313- 0 0 0 0 0 0 0 0 0 0 0 0
59314- 0 0 0 0 0 0 0 0 0 0 0 0
59315- 0 0 0 0 0 0 0 0 0 0 0 0
59316- 0 0 0 0 0 0 0 0 0 0 0 0
59317- 0 0 0 0 0 0 0 0 0 0 0 0
59318- 0 0 0 0 0 0 10 10 10 30 30 30
59319- 74 74 74 58 58 58 2 2 6 42 42 42
59320- 2 2 6 22 22 22 231 231 231 253 253 253
59321-253 253 253 253 253 253 253 253 253 253 253 253
59322-253 253 253 253 253 253 253 253 253 250 250 250
59323-253 253 253 253 253 253 253 253 253 253 253 253
59324-253 253 253 253 253 253 253 253 253 253 253 253
59325-253 253 253 253 253 253 253 253 253 253 253 253
59326-253 253 253 253 253 253 253 253 253 253 253 253
59327-253 253 253 246 246 246 46 46 46 38 38 38
59328- 42 42 42 14 14 14 38 38 38 14 14 14
59329- 2 2 6 2 2 6 2 2 6 6 6 6
59330- 86 86 86 46 46 46 14 14 14 0 0 0
59331- 0 0 0 0 0 0 0 0 0 0 0 0
59332- 0 0 0 0 0 0 0 0 0 0 0 0
59333- 0 0 0 0 0 0 0 0 0 0 0 0
59334- 0 0 0 0 0 0 0 0 0 0 0 0
59335- 0 0 0 0 0 0 0 0 0 0 0 0
59336- 0 0 0 0 0 0 0 0 0 0 0 0
59337- 0 0 0 0 0 0 0 0 0 0 0 0
59338- 0 0 0 6 6 6 14 14 14 42 42 42
59339- 90 90 90 18 18 18 18 18 18 26 26 26
59340- 2 2 6 116 116 116 253 253 253 253 253 253
59341-253 253 253 253 253 253 253 253 253 253 253 253
59342-253 253 253 253 253 253 250 250 250 238 238 238
59343-253 253 253 253 253 253 253 253 253 253 253 253
59344-253 253 253 253 253 253 253 253 253 253 253 253
59345-253 253 253 253 253 253 253 253 253 253 253 253
59346-253 253 253 253 253 253 253 253 253 253 253 253
59347-253 253 253 253 253 253 94 94 94 6 6 6
59348- 2 2 6 2 2 6 10 10 10 34 34 34
59349- 2 2 6 2 2 6 2 2 6 2 2 6
59350- 74 74 74 58 58 58 22 22 22 6 6 6
59351- 0 0 0 0 0 0 0 0 0 0 0 0
59352- 0 0 0 0 0 0 0 0 0 0 0 0
59353- 0 0 0 0 0 0 0 0 0 0 0 0
59354- 0 0 0 0 0 0 0 0 0 0 0 0
59355- 0 0 0 0 0 0 0 0 0 0 0 0
59356- 0 0 0 0 0 0 0 0 0 0 0 0
59357- 0 0 0 0 0 0 0 0 0 0 0 0
59358- 0 0 0 10 10 10 26 26 26 66 66 66
59359- 82 82 82 2 2 6 38 38 38 6 6 6
59360- 14 14 14 210 210 210 253 253 253 253 253 253
59361-253 253 253 253 253 253 253 253 253 253 253 253
59362-253 253 253 253 253 253 246 246 246 242 242 242
59363-253 253 253 253 253 253 253 253 253 253 253 253
59364-253 253 253 253 253 253 253 253 253 253 253 253
59365-253 253 253 253 253 253 253 253 253 253 253 253
59366-253 253 253 253 253 253 253 253 253 253 253 253
59367-253 253 253 253 253 253 144 144 144 2 2 6
59368- 2 2 6 2 2 6 2 2 6 46 46 46
59369- 2 2 6 2 2 6 2 2 6 2 2 6
59370- 42 42 42 74 74 74 30 30 30 10 10 10
59371- 0 0 0 0 0 0 0 0 0 0 0 0
59372- 0 0 0 0 0 0 0 0 0 0 0 0
59373- 0 0 0 0 0 0 0 0 0 0 0 0
59374- 0 0 0 0 0 0 0 0 0 0 0 0
59375- 0 0 0 0 0 0 0 0 0 0 0 0
59376- 0 0 0 0 0 0 0 0 0 0 0 0
59377- 0 0 0 0 0 0 0 0 0 0 0 0
59378- 6 6 6 14 14 14 42 42 42 90 90 90
59379- 26 26 26 6 6 6 42 42 42 2 2 6
59380- 74 74 74 250 250 250 253 253 253 253 253 253
59381-253 253 253 253 253 253 253 253 253 253 253 253
59382-253 253 253 253 253 253 242 242 242 242 242 242
59383-253 253 253 253 253 253 253 253 253 253 253 253
59384-253 253 253 253 253 253 253 253 253 253 253 253
59385-253 253 253 253 253 253 253 253 253 253 253 253
59386-253 253 253 253 253 253 253 253 253 253 253 253
59387-253 253 253 253 253 253 182 182 182 2 2 6
59388- 2 2 6 2 2 6 2 2 6 46 46 46
59389- 2 2 6 2 2 6 2 2 6 2 2 6
59390- 10 10 10 86 86 86 38 38 38 10 10 10
59391- 0 0 0 0 0 0 0 0 0 0 0 0
59392- 0 0 0 0 0 0 0 0 0 0 0 0
59393- 0 0 0 0 0 0 0 0 0 0 0 0
59394- 0 0 0 0 0 0 0 0 0 0 0 0
59395- 0 0 0 0 0 0 0 0 0 0 0 0
59396- 0 0 0 0 0 0 0 0 0 0 0 0
59397- 0 0 0 0 0 0 0 0 0 0 0 0
59398- 10 10 10 26 26 26 66 66 66 82 82 82
59399- 2 2 6 22 22 22 18 18 18 2 2 6
59400-149 149 149 253 253 253 253 253 253 253 253 253
59401-253 253 253 253 253 253 253 253 253 253 253 253
59402-253 253 253 253 253 253 234 234 234 242 242 242
59403-253 253 253 253 253 253 253 253 253 253 253 253
59404-253 253 253 253 253 253 253 253 253 253 253 253
59405-253 253 253 253 253 253 253 253 253 253 253 253
59406-253 253 253 253 253 253 253 253 253 253 253 253
59407-253 253 253 253 253 253 206 206 206 2 2 6
59408- 2 2 6 2 2 6 2 2 6 38 38 38
59409- 2 2 6 2 2 6 2 2 6 2 2 6
59410- 6 6 6 86 86 86 46 46 46 14 14 14
59411- 0 0 0 0 0 0 0 0 0 0 0 0
59412- 0 0 0 0 0 0 0 0 0 0 0 0
59413- 0 0 0 0 0 0 0 0 0 0 0 0
59414- 0 0 0 0 0 0 0 0 0 0 0 0
59415- 0 0 0 0 0 0 0 0 0 0 0 0
59416- 0 0 0 0 0 0 0 0 0 0 0 0
59417- 0 0 0 0 0 0 0 0 0 6 6 6
59418- 18 18 18 46 46 46 86 86 86 18 18 18
59419- 2 2 6 34 34 34 10 10 10 6 6 6
59420-210 210 210 253 253 253 253 253 253 253 253 253
59421-253 253 253 253 253 253 253 253 253 253 253 253
59422-253 253 253 253 253 253 234 234 234 242 242 242
59423-253 253 253 253 253 253 253 253 253 253 253 253
59424-253 253 253 253 253 253 253 253 253 253 253 253
59425-253 253 253 253 253 253 253 253 253 253 253 253
59426-253 253 253 253 253 253 253 253 253 253 253 253
59427-253 253 253 253 253 253 221 221 221 6 6 6
59428- 2 2 6 2 2 6 6 6 6 30 30 30
59429- 2 2 6 2 2 6 2 2 6 2 2 6
59430- 2 2 6 82 82 82 54 54 54 18 18 18
59431- 6 6 6 0 0 0 0 0 0 0 0 0
59432- 0 0 0 0 0 0 0 0 0 0 0 0
59433- 0 0 0 0 0 0 0 0 0 0 0 0
59434- 0 0 0 0 0 0 0 0 0 0 0 0
59435- 0 0 0 0 0 0 0 0 0 0 0 0
59436- 0 0 0 0 0 0 0 0 0 0 0 0
59437- 0 0 0 0 0 0 0 0 0 10 10 10
59438- 26 26 26 66 66 66 62 62 62 2 2 6
59439- 2 2 6 38 38 38 10 10 10 26 26 26
59440-238 238 238 253 253 253 253 253 253 253 253 253
59441-253 253 253 253 253 253 253 253 253 253 253 253
59442-253 253 253 253 253 253 231 231 231 238 238 238
59443-253 253 253 253 253 253 253 253 253 253 253 253
59444-253 253 253 253 253 253 253 253 253 253 253 253
59445-253 253 253 253 253 253 253 253 253 253 253 253
59446-253 253 253 253 253 253 253 253 253 253 253 253
59447-253 253 253 253 253 253 231 231 231 6 6 6
59448- 2 2 6 2 2 6 10 10 10 30 30 30
59449- 2 2 6 2 2 6 2 2 6 2 2 6
59450- 2 2 6 66 66 66 58 58 58 22 22 22
59451- 6 6 6 0 0 0 0 0 0 0 0 0
59452- 0 0 0 0 0 0 0 0 0 0 0 0
59453- 0 0 0 0 0 0 0 0 0 0 0 0
59454- 0 0 0 0 0 0 0 0 0 0 0 0
59455- 0 0 0 0 0 0 0 0 0 0 0 0
59456- 0 0 0 0 0 0 0 0 0 0 0 0
59457- 0 0 0 0 0 0 0 0 0 10 10 10
59458- 38 38 38 78 78 78 6 6 6 2 2 6
59459- 2 2 6 46 46 46 14 14 14 42 42 42
59460-246 246 246 253 253 253 253 253 253 253 253 253
59461-253 253 253 253 253 253 253 253 253 253 253 253
59462-253 253 253 253 253 253 231 231 231 242 242 242
59463-253 253 253 253 253 253 253 253 253 253 253 253
59464-253 253 253 253 253 253 253 253 253 253 253 253
59465-253 253 253 253 253 253 253 253 253 253 253 253
59466-253 253 253 253 253 253 253 253 253 253 253 253
59467-253 253 253 253 253 253 234 234 234 10 10 10
59468- 2 2 6 2 2 6 22 22 22 14 14 14
59469- 2 2 6 2 2 6 2 2 6 2 2 6
59470- 2 2 6 66 66 66 62 62 62 22 22 22
59471- 6 6 6 0 0 0 0 0 0 0 0 0
59472- 0 0 0 0 0 0 0 0 0 0 0 0
59473- 0 0 0 0 0 0 0 0 0 0 0 0
59474- 0 0 0 0 0 0 0 0 0 0 0 0
59475- 0 0 0 0 0 0 0 0 0 0 0 0
59476- 0 0 0 0 0 0 0 0 0 0 0 0
59477- 0 0 0 0 0 0 6 6 6 18 18 18
59478- 50 50 50 74 74 74 2 2 6 2 2 6
59479- 14 14 14 70 70 70 34 34 34 62 62 62
59480-250 250 250 253 253 253 253 253 253 253 253 253
59481-253 253 253 253 253 253 253 253 253 253 253 253
59482-253 253 253 253 253 253 231 231 231 246 246 246
59483-253 253 253 253 253 253 253 253 253 253 253 253
59484-253 253 253 253 253 253 253 253 253 253 253 253
59485-253 253 253 253 253 253 253 253 253 253 253 253
59486-253 253 253 253 253 253 253 253 253 253 253 253
59487-253 253 253 253 253 253 234 234 234 14 14 14
59488- 2 2 6 2 2 6 30 30 30 2 2 6
59489- 2 2 6 2 2 6 2 2 6 2 2 6
59490- 2 2 6 66 66 66 62 62 62 22 22 22
59491- 6 6 6 0 0 0 0 0 0 0 0 0
59492- 0 0 0 0 0 0 0 0 0 0 0 0
59493- 0 0 0 0 0 0 0 0 0 0 0 0
59494- 0 0 0 0 0 0 0 0 0 0 0 0
59495- 0 0 0 0 0 0 0 0 0 0 0 0
59496- 0 0 0 0 0 0 0 0 0 0 0 0
59497- 0 0 0 0 0 0 6 6 6 18 18 18
59498- 54 54 54 62 62 62 2 2 6 2 2 6
59499- 2 2 6 30 30 30 46 46 46 70 70 70
59500-250 250 250 253 253 253 253 253 253 253 253 253
59501-253 253 253 253 253 253 253 253 253 253 253 253
59502-253 253 253 253 253 253 231 231 231 246 246 246
59503-253 253 253 253 253 253 253 253 253 253 253 253
59504-253 253 253 253 253 253 253 253 253 253 253 253
59505-253 253 253 253 253 253 253 253 253 253 253 253
59506-253 253 253 253 253 253 253 253 253 253 253 253
59507-253 253 253 253 253 253 226 226 226 10 10 10
59508- 2 2 6 6 6 6 30 30 30 2 2 6
59509- 2 2 6 2 2 6 2 2 6 2 2 6
59510- 2 2 6 66 66 66 58 58 58 22 22 22
59511- 6 6 6 0 0 0 0 0 0 0 0 0
59512- 0 0 0 0 0 0 0 0 0 0 0 0
59513- 0 0 0 0 0 0 0 0 0 0 0 0
59514- 0 0 0 0 0 0 0 0 0 0 0 0
59515- 0 0 0 0 0 0 0 0 0 0 0 0
59516- 0 0 0 0 0 0 0 0 0 0 0 0
59517- 0 0 0 0 0 0 6 6 6 22 22 22
59518- 58 58 58 62 62 62 2 2 6 2 2 6
59519- 2 2 6 2 2 6 30 30 30 78 78 78
59520-250 250 250 253 253 253 253 253 253 253 253 253
59521-253 253 253 253 253 253 253 253 253 253 253 253
59522-253 253 253 253 253 253 231 231 231 246 246 246
59523-253 253 253 253 253 253 253 253 253 253 253 253
59524-253 253 253 253 253 253 253 253 253 253 253 253
59525-253 253 253 253 253 253 253 253 253 253 253 253
59526-253 253 253 253 253 253 253 253 253 253 253 253
59527-253 253 253 253 253 253 206 206 206 2 2 6
59528- 22 22 22 34 34 34 18 14 6 22 22 22
59529- 26 26 26 18 18 18 6 6 6 2 2 6
59530- 2 2 6 82 82 82 54 54 54 18 18 18
59531- 6 6 6 0 0 0 0 0 0 0 0 0
59532- 0 0 0 0 0 0 0 0 0 0 0 0
59533- 0 0 0 0 0 0 0 0 0 0 0 0
59534- 0 0 0 0 0 0 0 0 0 0 0 0
59535- 0 0 0 0 0 0 0 0 0 0 0 0
59536- 0 0 0 0 0 0 0 0 0 0 0 0
59537- 0 0 0 0 0 0 6 6 6 26 26 26
59538- 62 62 62 106 106 106 74 54 14 185 133 11
59539-210 162 10 121 92 8 6 6 6 62 62 62
59540-238 238 238 253 253 253 253 253 253 253 253 253
59541-253 253 253 253 253 253 253 253 253 253 253 253
59542-253 253 253 253 253 253 231 231 231 246 246 246
59543-253 253 253 253 253 253 253 253 253 253 253 253
59544-253 253 253 253 253 253 253 253 253 253 253 253
59545-253 253 253 253 253 253 253 253 253 253 253 253
59546-253 253 253 253 253 253 253 253 253 253 253 253
59547-253 253 253 253 253 253 158 158 158 18 18 18
59548- 14 14 14 2 2 6 2 2 6 2 2 6
59549- 6 6 6 18 18 18 66 66 66 38 38 38
59550- 6 6 6 94 94 94 50 50 50 18 18 18
59551- 6 6 6 0 0 0 0 0 0 0 0 0
59552- 0 0 0 0 0 0 0 0 0 0 0 0
59553- 0 0 0 0 0 0 0 0 0 0 0 0
59554- 0 0 0 0 0 0 0 0 0 0 0 0
59555- 0 0 0 0 0 0 0 0 0 0 0 0
59556- 0 0 0 0 0 0 0 0 0 6 6 6
59557- 10 10 10 10 10 10 18 18 18 38 38 38
59558- 78 78 78 142 134 106 216 158 10 242 186 14
59559-246 190 14 246 190 14 156 118 10 10 10 10
59560- 90 90 90 238 238 238 253 253 253 253 253 253
59561-253 253 253 253 253 253 253 253 253 253 253 253
59562-253 253 253 253 253 253 231 231 231 250 250 250
59563-253 253 253 253 253 253 253 253 253 253 253 253
59564-253 253 253 253 253 253 253 253 253 253 253 253
59565-253 253 253 253 253 253 253 253 253 253 253 253
59566-253 253 253 253 253 253 253 253 253 246 230 190
59567-238 204 91 238 204 91 181 142 44 37 26 9
59568- 2 2 6 2 2 6 2 2 6 2 2 6
59569- 2 2 6 2 2 6 38 38 38 46 46 46
59570- 26 26 26 106 106 106 54 54 54 18 18 18
59571- 6 6 6 0 0 0 0 0 0 0 0 0
59572- 0 0 0 0 0 0 0 0 0 0 0 0
59573- 0 0 0 0 0 0 0 0 0 0 0 0
59574- 0 0 0 0 0 0 0 0 0 0 0 0
59575- 0 0 0 0 0 0 0 0 0 0 0 0
59576- 0 0 0 6 6 6 14 14 14 22 22 22
59577- 30 30 30 38 38 38 50 50 50 70 70 70
59578-106 106 106 190 142 34 226 170 11 242 186 14
59579-246 190 14 246 190 14 246 190 14 154 114 10
59580- 6 6 6 74 74 74 226 226 226 253 253 253
59581-253 253 253 253 253 253 253 253 253 253 253 253
59582-253 253 253 253 253 253 231 231 231 250 250 250
59583-253 253 253 253 253 253 253 253 253 253 253 253
59584-253 253 253 253 253 253 253 253 253 253 253 253
59585-253 253 253 253 253 253 253 253 253 253 253 253
59586-253 253 253 253 253 253 253 253 253 228 184 62
59587-241 196 14 241 208 19 232 195 16 38 30 10
59588- 2 2 6 2 2 6 2 2 6 2 2 6
59589- 2 2 6 6 6 6 30 30 30 26 26 26
59590-203 166 17 154 142 90 66 66 66 26 26 26
59591- 6 6 6 0 0 0 0 0 0 0 0 0
59592- 0 0 0 0 0 0 0 0 0 0 0 0
59593- 0 0 0 0 0 0 0 0 0 0 0 0
59594- 0 0 0 0 0 0 0 0 0 0 0 0
59595- 0 0 0 0 0 0 0 0 0 0 0 0
59596- 6 6 6 18 18 18 38 38 38 58 58 58
59597- 78 78 78 86 86 86 101 101 101 123 123 123
59598-175 146 61 210 150 10 234 174 13 246 186 14
59599-246 190 14 246 190 14 246 190 14 238 190 10
59600-102 78 10 2 2 6 46 46 46 198 198 198
59601-253 253 253 253 253 253 253 253 253 253 253 253
59602-253 253 253 253 253 253 234 234 234 242 242 242
59603-253 253 253 253 253 253 253 253 253 253 253 253
59604-253 253 253 253 253 253 253 253 253 253 253 253
59605-253 253 253 253 253 253 253 253 253 253 253 253
59606-253 253 253 253 253 253 253 253 253 224 178 62
59607-242 186 14 241 196 14 210 166 10 22 18 6
59608- 2 2 6 2 2 6 2 2 6 2 2 6
59609- 2 2 6 2 2 6 6 6 6 121 92 8
59610-238 202 15 232 195 16 82 82 82 34 34 34
59611- 10 10 10 0 0 0 0 0 0 0 0 0
59612- 0 0 0 0 0 0 0 0 0 0 0 0
59613- 0 0 0 0 0 0 0 0 0 0 0 0
59614- 0 0 0 0 0 0 0 0 0 0 0 0
59615- 0 0 0 0 0 0 0 0 0 0 0 0
59616- 14 14 14 38 38 38 70 70 70 154 122 46
59617-190 142 34 200 144 11 197 138 11 197 138 11
59618-213 154 11 226 170 11 242 186 14 246 190 14
59619-246 190 14 246 190 14 246 190 14 246 190 14
59620-225 175 15 46 32 6 2 2 6 22 22 22
59621-158 158 158 250 250 250 253 253 253 253 253 253
59622-253 253 253 253 253 253 253 253 253 253 253 253
59623-253 253 253 253 253 253 253 253 253 253 253 253
59624-253 253 253 253 253 253 253 253 253 253 253 253
59625-253 253 253 253 253 253 253 253 253 253 253 253
59626-253 253 253 250 250 250 242 242 242 224 178 62
59627-239 182 13 236 186 11 213 154 11 46 32 6
59628- 2 2 6 2 2 6 2 2 6 2 2 6
59629- 2 2 6 2 2 6 61 42 6 225 175 15
59630-238 190 10 236 186 11 112 100 78 42 42 42
59631- 14 14 14 0 0 0 0 0 0 0 0 0
59632- 0 0 0 0 0 0 0 0 0 0 0 0
59633- 0 0 0 0 0 0 0 0 0 0 0 0
59634- 0 0 0 0 0 0 0 0 0 0 0 0
59635- 0 0 0 0 0 0 0 0 0 6 6 6
59636- 22 22 22 54 54 54 154 122 46 213 154 11
59637-226 170 11 230 174 11 226 170 11 226 170 11
59638-236 178 12 242 186 14 246 190 14 246 190 14
59639-246 190 14 246 190 14 246 190 14 246 190 14
59640-241 196 14 184 144 12 10 10 10 2 2 6
59641- 6 6 6 116 116 116 242 242 242 253 253 253
59642-253 253 253 253 253 253 253 253 253 253 253 253
59643-253 253 253 253 253 253 253 253 253 253 253 253
59644-253 253 253 253 253 253 253 253 253 253 253 253
59645-253 253 253 253 253 253 253 253 253 253 253 253
59646-253 253 253 231 231 231 198 198 198 214 170 54
59647-236 178 12 236 178 12 210 150 10 137 92 6
59648- 18 14 6 2 2 6 2 2 6 2 2 6
59649- 6 6 6 70 47 6 200 144 11 236 178 12
59650-239 182 13 239 182 13 124 112 88 58 58 58
59651- 22 22 22 6 6 6 0 0 0 0 0 0
59652- 0 0 0 0 0 0 0 0 0 0 0 0
59653- 0 0 0 0 0 0 0 0 0 0 0 0
59654- 0 0 0 0 0 0 0 0 0 0 0 0
59655- 0 0 0 0 0 0 0 0 0 10 10 10
59656- 30 30 30 70 70 70 180 133 36 226 170 11
59657-239 182 13 242 186 14 242 186 14 246 186 14
59658-246 190 14 246 190 14 246 190 14 246 190 14
59659-246 190 14 246 190 14 246 190 14 246 190 14
59660-246 190 14 232 195 16 98 70 6 2 2 6
59661- 2 2 6 2 2 6 66 66 66 221 221 221
59662-253 253 253 253 253 253 253 253 253 253 253 253
59663-253 253 253 253 253 253 253 253 253 253 253 253
59664-253 253 253 253 253 253 253 253 253 253 253 253
59665-253 253 253 253 253 253 253 253 253 253 253 253
59666-253 253 253 206 206 206 198 198 198 214 166 58
59667-230 174 11 230 174 11 216 158 10 192 133 9
59668-163 110 8 116 81 8 102 78 10 116 81 8
59669-167 114 7 197 138 11 226 170 11 239 182 13
59670-242 186 14 242 186 14 162 146 94 78 78 78
59671- 34 34 34 14 14 14 6 6 6 0 0 0
59672- 0 0 0 0 0 0 0 0 0 0 0 0
59673- 0 0 0 0 0 0 0 0 0 0 0 0
59674- 0 0 0 0 0 0 0 0 0 0 0 0
59675- 0 0 0 0 0 0 0 0 0 6 6 6
59676- 30 30 30 78 78 78 190 142 34 226 170 11
59677-239 182 13 246 190 14 246 190 14 246 190 14
59678-246 190 14 246 190 14 246 190 14 246 190 14
59679-246 190 14 246 190 14 246 190 14 246 190 14
59680-246 190 14 241 196 14 203 166 17 22 18 6
59681- 2 2 6 2 2 6 2 2 6 38 38 38
59682-218 218 218 253 253 253 253 253 253 253 253 253
59683-253 253 253 253 253 253 253 253 253 253 253 253
59684-253 253 253 253 253 253 253 253 253 253 253 253
59685-253 253 253 253 253 253 253 253 253 253 253 253
59686-250 250 250 206 206 206 198 198 198 202 162 69
59687-226 170 11 236 178 12 224 166 10 210 150 10
59688-200 144 11 197 138 11 192 133 9 197 138 11
59689-210 150 10 226 170 11 242 186 14 246 190 14
59690-246 190 14 246 186 14 225 175 15 124 112 88
59691- 62 62 62 30 30 30 14 14 14 6 6 6
59692- 0 0 0 0 0 0 0 0 0 0 0 0
59693- 0 0 0 0 0 0 0 0 0 0 0 0
59694- 0 0 0 0 0 0 0 0 0 0 0 0
59695- 0 0 0 0 0 0 0 0 0 10 10 10
59696- 30 30 30 78 78 78 174 135 50 224 166 10
59697-239 182 13 246 190 14 246 190 14 246 190 14
59698-246 190 14 246 190 14 246 190 14 246 190 14
59699-246 190 14 246 190 14 246 190 14 246 190 14
59700-246 190 14 246 190 14 241 196 14 139 102 15
59701- 2 2 6 2 2 6 2 2 6 2 2 6
59702- 78 78 78 250 250 250 253 253 253 253 253 253
59703-253 253 253 253 253 253 253 253 253 253 253 253
59704-253 253 253 253 253 253 253 253 253 253 253 253
59705-253 253 253 253 253 253 253 253 253 253 253 253
59706-250 250 250 214 214 214 198 198 198 190 150 46
59707-219 162 10 236 178 12 234 174 13 224 166 10
59708-216 158 10 213 154 11 213 154 11 216 158 10
59709-226 170 11 239 182 13 246 190 14 246 190 14
59710-246 190 14 246 190 14 242 186 14 206 162 42
59711-101 101 101 58 58 58 30 30 30 14 14 14
59712- 6 6 6 0 0 0 0 0 0 0 0 0
59713- 0 0 0 0 0 0 0 0 0 0 0 0
59714- 0 0 0 0 0 0 0 0 0 0 0 0
59715- 0 0 0 0 0 0 0 0 0 10 10 10
59716- 30 30 30 74 74 74 174 135 50 216 158 10
59717-236 178 12 246 190 14 246 190 14 246 190 14
59718-246 190 14 246 190 14 246 190 14 246 190 14
59719-246 190 14 246 190 14 246 190 14 246 190 14
59720-246 190 14 246 190 14 241 196 14 226 184 13
59721- 61 42 6 2 2 6 2 2 6 2 2 6
59722- 22 22 22 238 238 238 253 253 253 253 253 253
59723-253 253 253 253 253 253 253 253 253 253 253 253
59724-253 253 253 253 253 253 253 253 253 253 253 253
59725-253 253 253 253 253 253 253 253 253 253 253 253
59726-253 253 253 226 226 226 187 187 187 180 133 36
59727-216 158 10 236 178 12 239 182 13 236 178 12
59728-230 174 11 226 170 11 226 170 11 230 174 11
59729-236 178 12 242 186 14 246 190 14 246 190 14
59730-246 190 14 246 190 14 246 186 14 239 182 13
59731-206 162 42 106 106 106 66 66 66 34 34 34
59732- 14 14 14 6 6 6 0 0 0 0 0 0
59733- 0 0 0 0 0 0 0 0 0 0 0 0
59734- 0 0 0 0 0 0 0 0 0 0 0 0
59735- 0 0 0 0 0 0 0 0 0 6 6 6
59736- 26 26 26 70 70 70 163 133 67 213 154 11
59737-236 178 12 246 190 14 246 190 14 246 190 14
59738-246 190 14 246 190 14 246 190 14 246 190 14
59739-246 190 14 246 190 14 246 190 14 246 190 14
59740-246 190 14 246 190 14 246 190 14 241 196 14
59741-190 146 13 18 14 6 2 2 6 2 2 6
59742- 46 46 46 246 246 246 253 253 253 253 253 253
59743-253 253 253 253 253 253 253 253 253 253 253 253
59744-253 253 253 253 253 253 253 253 253 253 253 253
59745-253 253 253 253 253 253 253 253 253 253 253 253
59746-253 253 253 221 221 221 86 86 86 156 107 11
59747-216 158 10 236 178 12 242 186 14 246 186 14
59748-242 186 14 239 182 13 239 182 13 242 186 14
59749-242 186 14 246 186 14 246 190 14 246 190 14
59750-246 190 14 246 190 14 246 190 14 246 190 14
59751-242 186 14 225 175 15 142 122 72 66 66 66
59752- 30 30 30 10 10 10 0 0 0 0 0 0
59753- 0 0 0 0 0 0 0 0 0 0 0 0
59754- 0 0 0 0 0 0 0 0 0 0 0 0
59755- 0 0 0 0 0 0 0 0 0 6 6 6
59756- 26 26 26 70 70 70 163 133 67 210 150 10
59757-236 178 12 246 190 14 246 190 14 246 190 14
59758-246 190 14 246 190 14 246 190 14 246 190 14
59759-246 190 14 246 190 14 246 190 14 246 190 14
59760-246 190 14 246 190 14 246 190 14 246 190 14
59761-232 195 16 121 92 8 34 34 34 106 106 106
59762-221 221 221 253 253 253 253 253 253 253 253 253
59763-253 253 253 253 253 253 253 253 253 253 253 253
59764-253 253 253 253 253 253 253 253 253 253 253 253
59765-253 253 253 253 253 253 253 253 253 253 253 253
59766-242 242 242 82 82 82 18 14 6 163 110 8
59767-216 158 10 236 178 12 242 186 14 246 190 14
59768-246 190 14 246 190 14 246 190 14 246 190 14
59769-246 190 14 246 190 14 246 190 14 246 190 14
59770-246 190 14 246 190 14 246 190 14 246 190 14
59771-246 190 14 246 190 14 242 186 14 163 133 67
59772- 46 46 46 18 18 18 6 6 6 0 0 0
59773- 0 0 0 0 0 0 0 0 0 0 0 0
59774- 0 0 0 0 0 0 0 0 0 0 0 0
59775- 0 0 0 0 0 0 0 0 0 10 10 10
59776- 30 30 30 78 78 78 163 133 67 210 150 10
59777-236 178 12 246 186 14 246 190 14 246 190 14
59778-246 190 14 246 190 14 246 190 14 246 190 14
59779-246 190 14 246 190 14 246 190 14 246 190 14
59780-246 190 14 246 190 14 246 190 14 246 190 14
59781-241 196 14 215 174 15 190 178 144 253 253 253
59782-253 253 253 253 253 253 253 253 253 253 253 253
59783-253 253 253 253 253 253 253 253 253 253 253 253
59784-253 253 253 253 253 253 253 253 253 253 253 253
59785-253 253 253 253 253 253 253 253 253 218 218 218
59786- 58 58 58 2 2 6 22 18 6 167 114 7
59787-216 158 10 236 178 12 246 186 14 246 190 14
59788-246 190 14 246 190 14 246 190 14 246 190 14
59789-246 190 14 246 190 14 246 190 14 246 190 14
59790-246 190 14 246 190 14 246 190 14 246 190 14
59791-246 190 14 246 186 14 242 186 14 190 150 46
59792- 54 54 54 22 22 22 6 6 6 0 0 0
59793- 0 0 0 0 0 0 0 0 0 0 0 0
59794- 0 0 0 0 0 0 0 0 0 0 0 0
59795- 0 0 0 0 0 0 0 0 0 14 14 14
59796- 38 38 38 86 86 86 180 133 36 213 154 11
59797-236 178 12 246 186 14 246 190 14 246 190 14
59798-246 190 14 246 190 14 246 190 14 246 190 14
59799-246 190 14 246 190 14 246 190 14 246 190 14
59800-246 190 14 246 190 14 246 190 14 246 190 14
59801-246 190 14 232 195 16 190 146 13 214 214 214
59802-253 253 253 253 253 253 253 253 253 253 253 253
59803-253 253 253 253 253 253 253 253 253 253 253 253
59804-253 253 253 253 253 253 253 253 253 253 253 253
59805-253 253 253 250 250 250 170 170 170 26 26 26
59806- 2 2 6 2 2 6 37 26 9 163 110 8
59807-219 162 10 239 182 13 246 186 14 246 190 14
59808-246 190 14 246 190 14 246 190 14 246 190 14
59809-246 190 14 246 190 14 246 190 14 246 190 14
59810-246 190 14 246 190 14 246 190 14 246 190 14
59811-246 186 14 236 178 12 224 166 10 142 122 72
59812- 46 46 46 18 18 18 6 6 6 0 0 0
59813- 0 0 0 0 0 0 0 0 0 0 0 0
59814- 0 0 0 0 0 0 0 0 0 0 0 0
59815- 0 0 0 0 0 0 6 6 6 18 18 18
59816- 50 50 50 109 106 95 192 133 9 224 166 10
59817-242 186 14 246 190 14 246 190 14 246 190 14
59818-246 190 14 246 190 14 246 190 14 246 190 14
59819-246 190 14 246 190 14 246 190 14 246 190 14
59820-246 190 14 246 190 14 246 190 14 246 190 14
59821-242 186 14 226 184 13 210 162 10 142 110 46
59822-226 226 226 253 253 253 253 253 253 253 253 253
59823-253 253 253 253 253 253 253 253 253 253 253 253
59824-253 253 253 253 253 253 253 253 253 253 253 253
59825-198 198 198 66 66 66 2 2 6 2 2 6
59826- 2 2 6 2 2 6 50 34 6 156 107 11
59827-219 162 10 239 182 13 246 186 14 246 190 14
59828-246 190 14 246 190 14 246 190 14 246 190 14
59829-246 190 14 246 190 14 246 190 14 246 190 14
59830-246 190 14 246 190 14 246 190 14 242 186 14
59831-234 174 13 213 154 11 154 122 46 66 66 66
59832- 30 30 30 10 10 10 0 0 0 0 0 0
59833- 0 0 0 0 0 0 0 0 0 0 0 0
59834- 0 0 0 0 0 0 0 0 0 0 0 0
59835- 0 0 0 0 0 0 6 6 6 22 22 22
59836- 58 58 58 154 121 60 206 145 10 234 174 13
59837-242 186 14 246 186 14 246 190 14 246 190 14
59838-246 190 14 246 190 14 246 190 14 246 190 14
59839-246 190 14 246 190 14 246 190 14 246 190 14
59840-246 190 14 246 190 14 246 190 14 246 190 14
59841-246 186 14 236 178 12 210 162 10 163 110 8
59842- 61 42 6 138 138 138 218 218 218 250 250 250
59843-253 253 253 253 253 253 253 253 253 250 250 250
59844-242 242 242 210 210 210 144 144 144 66 66 66
59845- 6 6 6 2 2 6 2 2 6 2 2 6
59846- 2 2 6 2 2 6 61 42 6 163 110 8
59847-216 158 10 236 178 12 246 190 14 246 190 14
59848-246 190 14 246 190 14 246 190 14 246 190 14
59849-246 190 14 246 190 14 246 190 14 246 190 14
59850-246 190 14 239 182 13 230 174 11 216 158 10
59851-190 142 34 124 112 88 70 70 70 38 38 38
59852- 18 18 18 6 6 6 0 0 0 0 0 0
59853- 0 0 0 0 0 0 0 0 0 0 0 0
59854- 0 0 0 0 0 0 0 0 0 0 0 0
59855- 0 0 0 0 0 0 6 6 6 22 22 22
59856- 62 62 62 168 124 44 206 145 10 224 166 10
59857-236 178 12 239 182 13 242 186 14 242 186 14
59858-246 186 14 246 190 14 246 190 14 246 190 14
59859-246 190 14 246 190 14 246 190 14 246 190 14
59860-246 190 14 246 190 14 246 190 14 246 190 14
59861-246 190 14 236 178 12 216 158 10 175 118 6
59862- 80 54 7 2 2 6 6 6 6 30 30 30
59863- 54 54 54 62 62 62 50 50 50 38 38 38
59864- 14 14 14 2 2 6 2 2 6 2 2 6
59865- 2 2 6 2 2 6 2 2 6 2 2 6
59866- 2 2 6 6 6 6 80 54 7 167 114 7
59867-213 154 11 236 178 12 246 190 14 246 190 14
59868-246 190 14 246 190 14 246 190 14 246 190 14
59869-246 190 14 242 186 14 239 182 13 239 182 13
59870-230 174 11 210 150 10 174 135 50 124 112 88
59871- 82 82 82 54 54 54 34 34 34 18 18 18
59872- 6 6 6 0 0 0 0 0 0 0 0 0
59873- 0 0 0 0 0 0 0 0 0 0 0 0
59874- 0 0 0 0 0 0 0 0 0 0 0 0
59875- 0 0 0 0 0 0 6 6 6 18 18 18
59876- 50 50 50 158 118 36 192 133 9 200 144 11
59877-216 158 10 219 162 10 224 166 10 226 170 11
59878-230 174 11 236 178 12 239 182 13 239 182 13
59879-242 186 14 246 186 14 246 190 14 246 190 14
59880-246 190 14 246 190 14 246 190 14 246 190 14
59881-246 186 14 230 174 11 210 150 10 163 110 8
59882-104 69 6 10 10 10 2 2 6 2 2 6
59883- 2 2 6 2 2 6 2 2 6 2 2 6
59884- 2 2 6 2 2 6 2 2 6 2 2 6
59885- 2 2 6 2 2 6 2 2 6 2 2 6
59886- 2 2 6 6 6 6 91 60 6 167 114 7
59887-206 145 10 230 174 11 242 186 14 246 190 14
59888-246 190 14 246 190 14 246 186 14 242 186 14
59889-239 182 13 230 174 11 224 166 10 213 154 11
59890-180 133 36 124 112 88 86 86 86 58 58 58
59891- 38 38 38 22 22 22 10 10 10 6 6 6
59892- 0 0 0 0 0 0 0 0 0 0 0 0
59893- 0 0 0 0 0 0 0 0 0 0 0 0
59894- 0 0 0 0 0 0 0 0 0 0 0 0
59895- 0 0 0 0 0 0 0 0 0 14 14 14
59896- 34 34 34 70 70 70 138 110 50 158 118 36
59897-167 114 7 180 123 7 192 133 9 197 138 11
59898-200 144 11 206 145 10 213 154 11 219 162 10
59899-224 166 10 230 174 11 239 182 13 242 186 14
59900-246 186 14 246 186 14 246 186 14 246 186 14
59901-239 182 13 216 158 10 185 133 11 152 99 6
59902-104 69 6 18 14 6 2 2 6 2 2 6
59903- 2 2 6 2 2 6 2 2 6 2 2 6
59904- 2 2 6 2 2 6 2 2 6 2 2 6
59905- 2 2 6 2 2 6 2 2 6 2 2 6
59906- 2 2 6 6 6 6 80 54 7 152 99 6
59907-192 133 9 219 162 10 236 178 12 239 182 13
59908-246 186 14 242 186 14 239 182 13 236 178 12
59909-224 166 10 206 145 10 192 133 9 154 121 60
59910- 94 94 94 62 62 62 42 42 42 22 22 22
59911- 14 14 14 6 6 6 0 0 0 0 0 0
59912- 0 0 0 0 0 0 0 0 0 0 0 0
59913- 0 0 0 0 0 0 0 0 0 0 0 0
59914- 0 0 0 0 0 0 0 0 0 0 0 0
59915- 0 0 0 0 0 0 0 0 0 6 6 6
59916- 18 18 18 34 34 34 58 58 58 78 78 78
59917-101 98 89 124 112 88 142 110 46 156 107 11
59918-163 110 8 167 114 7 175 118 6 180 123 7
59919-185 133 11 197 138 11 210 150 10 219 162 10
59920-226 170 11 236 178 12 236 178 12 234 174 13
59921-219 162 10 197 138 11 163 110 8 130 83 6
59922- 91 60 6 10 10 10 2 2 6 2 2 6
59923- 18 18 18 38 38 38 38 38 38 38 38 38
59924- 38 38 38 38 38 38 38 38 38 38 38 38
59925- 38 38 38 38 38 38 26 26 26 2 2 6
59926- 2 2 6 6 6 6 70 47 6 137 92 6
59927-175 118 6 200 144 11 219 162 10 230 174 11
59928-234 174 13 230 174 11 219 162 10 210 150 10
59929-192 133 9 163 110 8 124 112 88 82 82 82
59930- 50 50 50 30 30 30 14 14 14 6 6 6
59931- 0 0 0 0 0 0 0 0 0 0 0 0
59932- 0 0 0 0 0 0 0 0 0 0 0 0
59933- 0 0 0 0 0 0 0 0 0 0 0 0
59934- 0 0 0 0 0 0 0 0 0 0 0 0
59935- 0 0 0 0 0 0 0 0 0 0 0 0
59936- 6 6 6 14 14 14 22 22 22 34 34 34
59937- 42 42 42 58 58 58 74 74 74 86 86 86
59938-101 98 89 122 102 70 130 98 46 121 87 25
59939-137 92 6 152 99 6 163 110 8 180 123 7
59940-185 133 11 197 138 11 206 145 10 200 144 11
59941-180 123 7 156 107 11 130 83 6 104 69 6
59942- 50 34 6 54 54 54 110 110 110 101 98 89
59943- 86 86 86 82 82 82 78 78 78 78 78 78
59944- 78 78 78 78 78 78 78 78 78 78 78 78
59945- 78 78 78 82 82 82 86 86 86 94 94 94
59946-106 106 106 101 101 101 86 66 34 124 80 6
59947-156 107 11 180 123 7 192 133 9 200 144 11
59948-206 145 10 200 144 11 192 133 9 175 118 6
59949-139 102 15 109 106 95 70 70 70 42 42 42
59950- 22 22 22 10 10 10 0 0 0 0 0 0
59951- 0 0 0 0 0 0 0 0 0 0 0 0
59952- 0 0 0 0 0 0 0 0 0 0 0 0
59953- 0 0 0 0 0 0 0 0 0 0 0 0
59954- 0 0 0 0 0 0 0 0 0 0 0 0
59955- 0 0 0 0 0 0 0 0 0 0 0 0
59956- 0 0 0 0 0 0 6 6 6 10 10 10
59957- 14 14 14 22 22 22 30 30 30 38 38 38
59958- 50 50 50 62 62 62 74 74 74 90 90 90
59959-101 98 89 112 100 78 121 87 25 124 80 6
59960-137 92 6 152 99 6 152 99 6 152 99 6
59961-138 86 6 124 80 6 98 70 6 86 66 30
59962-101 98 89 82 82 82 58 58 58 46 46 46
59963- 38 38 38 34 34 34 34 34 34 34 34 34
59964- 34 34 34 34 34 34 34 34 34 34 34 34
59965- 34 34 34 34 34 34 38 38 38 42 42 42
59966- 54 54 54 82 82 82 94 86 76 91 60 6
59967-134 86 6 156 107 11 167 114 7 175 118 6
59968-175 118 6 167 114 7 152 99 6 121 87 25
59969-101 98 89 62 62 62 34 34 34 18 18 18
59970- 6 6 6 0 0 0 0 0 0 0 0 0
59971- 0 0 0 0 0 0 0 0 0 0 0 0
59972- 0 0 0 0 0 0 0 0 0 0 0 0
59973- 0 0 0 0 0 0 0 0 0 0 0 0
59974- 0 0 0 0 0 0 0 0 0 0 0 0
59975- 0 0 0 0 0 0 0 0 0 0 0 0
59976- 0 0 0 0 0 0 0 0 0 0 0 0
59977- 0 0 0 6 6 6 6 6 6 10 10 10
59978- 18 18 18 22 22 22 30 30 30 42 42 42
59979- 50 50 50 66 66 66 86 86 86 101 98 89
59980-106 86 58 98 70 6 104 69 6 104 69 6
59981-104 69 6 91 60 6 82 62 34 90 90 90
59982- 62 62 62 38 38 38 22 22 22 14 14 14
59983- 10 10 10 10 10 10 10 10 10 10 10 10
59984- 10 10 10 10 10 10 6 6 6 10 10 10
59985- 10 10 10 10 10 10 10 10 10 14 14 14
59986- 22 22 22 42 42 42 70 70 70 89 81 66
59987- 80 54 7 104 69 6 124 80 6 137 92 6
59988-134 86 6 116 81 8 100 82 52 86 86 86
59989- 58 58 58 30 30 30 14 14 14 6 6 6
59990- 0 0 0 0 0 0 0 0 0 0 0 0
59991- 0 0 0 0 0 0 0 0 0 0 0 0
59992- 0 0 0 0 0 0 0 0 0 0 0 0
59993- 0 0 0 0 0 0 0 0 0 0 0 0
59994- 0 0 0 0 0 0 0 0 0 0 0 0
59995- 0 0 0 0 0 0 0 0 0 0 0 0
59996- 0 0 0 0 0 0 0 0 0 0 0 0
59997- 0 0 0 0 0 0 0 0 0 0 0 0
59998- 0 0 0 6 6 6 10 10 10 14 14 14
59999- 18 18 18 26 26 26 38 38 38 54 54 54
60000- 70 70 70 86 86 86 94 86 76 89 81 66
60001- 89 81 66 86 86 86 74 74 74 50 50 50
60002- 30 30 30 14 14 14 6 6 6 0 0 0
60003- 0 0 0 0 0 0 0 0 0 0 0 0
60004- 0 0 0 0 0 0 0 0 0 0 0 0
60005- 0 0 0 0 0 0 0 0 0 0 0 0
60006- 6 6 6 18 18 18 34 34 34 58 58 58
60007- 82 82 82 89 81 66 89 81 66 89 81 66
60008- 94 86 66 94 86 76 74 74 74 50 50 50
60009- 26 26 26 14 14 14 6 6 6 0 0 0
60010- 0 0 0 0 0 0 0 0 0 0 0 0
60011- 0 0 0 0 0 0 0 0 0 0 0 0
60012- 0 0 0 0 0 0 0 0 0 0 0 0
60013- 0 0 0 0 0 0 0 0 0 0 0 0
60014- 0 0 0 0 0 0 0 0 0 0 0 0
60015- 0 0 0 0 0 0 0 0 0 0 0 0
60016- 0 0 0 0 0 0 0 0 0 0 0 0
60017- 0 0 0 0 0 0 0 0 0 0 0 0
60018- 0 0 0 0 0 0 0 0 0 0 0 0
60019- 6 6 6 6 6 6 14 14 14 18 18 18
60020- 30 30 30 38 38 38 46 46 46 54 54 54
60021- 50 50 50 42 42 42 30 30 30 18 18 18
60022- 10 10 10 0 0 0 0 0 0 0 0 0
60023- 0 0 0 0 0 0 0 0 0 0 0 0
60024- 0 0 0 0 0 0 0 0 0 0 0 0
60025- 0 0 0 0 0 0 0 0 0 0 0 0
60026- 0 0 0 6 6 6 14 14 14 26 26 26
60027- 38 38 38 50 50 50 58 58 58 58 58 58
60028- 54 54 54 42 42 42 30 30 30 18 18 18
60029- 10 10 10 0 0 0 0 0 0 0 0 0
60030- 0 0 0 0 0 0 0 0 0 0 0 0
60031- 0 0 0 0 0 0 0 0 0 0 0 0
60032- 0 0 0 0 0 0 0 0 0 0 0 0
60033- 0 0 0 0 0 0 0 0 0 0 0 0
60034- 0 0 0 0 0 0 0 0 0 0 0 0
60035- 0 0 0 0 0 0 0 0 0 0 0 0
60036- 0 0 0 0 0 0 0 0 0 0 0 0
60037- 0 0 0 0 0 0 0 0 0 0 0 0
60038- 0 0 0 0 0 0 0 0 0 0 0 0
60039- 0 0 0 0 0 0 0 0 0 6 6 6
60040- 6 6 6 10 10 10 14 14 14 18 18 18
60041- 18 18 18 14 14 14 10 10 10 6 6 6
60042- 0 0 0 0 0 0 0 0 0 0 0 0
60043- 0 0 0 0 0 0 0 0 0 0 0 0
60044- 0 0 0 0 0 0 0 0 0 0 0 0
60045- 0 0 0 0 0 0 0 0 0 0 0 0
60046- 0 0 0 0 0 0 0 0 0 6 6 6
60047- 14 14 14 18 18 18 22 22 22 22 22 22
60048- 18 18 18 14 14 14 10 10 10 6 6 6
60049- 0 0 0 0 0 0 0 0 0 0 0 0
60050- 0 0 0 0 0 0 0 0 0 0 0 0
60051- 0 0 0 0 0 0 0 0 0 0 0 0
60052- 0 0 0 0 0 0 0 0 0 0 0 0
60053- 0 0 0 0 0 0 0 0 0 0 0 0
60054+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60055+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60056+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60057+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60058+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60059+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60060+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60061+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60062+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60063+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60064+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60065+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60066+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60067+4 4 4 4 4 4
60068+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60069+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60070+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60071+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60072+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60073+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60074+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60075+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60076+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60077+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60078+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60079+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60080+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60081+4 4 4 4 4 4
60082+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60083+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60084+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60085+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60086+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60087+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60088+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60089+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60090+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60091+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60092+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60093+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60094+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60095+4 4 4 4 4 4
60096+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60097+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60098+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60099+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60100+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60101+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60102+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60103+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60104+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60105+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60106+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60107+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60108+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60109+4 4 4 4 4 4
60110+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60111+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60112+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60113+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60114+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60115+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60116+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60117+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60118+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60119+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60120+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60121+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60122+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60123+4 4 4 4 4 4
60124+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60125+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60126+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60127+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60128+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60129+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60130+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60131+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60132+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60133+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60134+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60135+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60136+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60137+4 4 4 4 4 4
60138+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60139+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60140+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60141+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60142+4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
60143+0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
60144+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60145+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60146+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60147+4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
60148+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
60149+4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
60150+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60151+4 4 4 4 4 4
60152+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60153+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60154+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60155+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60156+4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
60157+37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
60158+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60159+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60160+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60161+4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
60162+2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
60163+4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
60164+1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60165+4 4 4 4 4 4
60166+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60167+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60168+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60169+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60170+2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
60171+153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
60172+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
60173+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60174+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60175+4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
60176+60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
60177+4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
60178+2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
60179+4 4 4 4 4 4
60180+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60181+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60182+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60183+4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
60184+4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
60185+165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
60186+1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
60187+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60188+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
60189+3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
60190+163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
60191+0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
60192+37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
60193+4 4 4 4 4 4
60194+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60195+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60196+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60197+4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
60198+37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
60199+156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
60200+125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
60201+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
60202+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
60203+0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
60204+174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
60205+0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
60206+64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
60207+4 4 4 4 4 4
60208+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60209+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60210+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
60211+5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
60212+156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
60213+156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
60214+174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
60215+1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
60216+4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
60217+13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
60218+174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
60219+22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
60220+90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
60221+4 4 4 4 4 4
60222+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60223+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60224+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
60225+0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
60226+174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
60227+156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
60228+163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
60229+4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
60230+5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
60231+131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
60232+190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
60233+90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
60234+31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
60235+4 4 4 4 4 4
60236+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60237+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60238+4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
60239+4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
60240+155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
60241+167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
60242+153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
60243+41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
60244+1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
60245+177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
60246+125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
60247+136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
60248+7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
60249+4 4 4 4 4 4
60250+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60251+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60252+4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
60253+125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
60254+156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
60255+137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
60256+156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
60257+167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
60258+0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
60259+166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
60260+6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
60261+90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
60262+1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
60263+4 4 4 4 4 4
60264+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60265+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60266+1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
60267+167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
60268+157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
60269+26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
60270+158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
60271+165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
60272+60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
60273+137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
60274+52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
60275+13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
60276+4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
60277+4 4 4 4 4 4
60278+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60279+4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
60280+0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
60281+158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
60282+167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
60283+4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
60284+174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
60285+155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
60286+137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
60287+16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
60288+136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
60289+2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
60290+4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
60291+4 4 4 4 4 4
60292+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60293+4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
60294+37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
60295+157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
60296+153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
60297+4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
60298+125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
60299+156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
60300+174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
60301+4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
60302+136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
60303+1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
60304+2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
60305+0 0 0 4 4 4
60306+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
60307+4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
60308+158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
60309+153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
60310+37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
60311+4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
60312+4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
60313+154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
60314+174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
60315+32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
60316+28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
60317+50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
60318+0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
60319+2 0 0 0 0 0
60320+4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
60321+0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
60322+174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
60323+165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
60324+4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
60325+4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
60326+4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
60327+174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
60328+60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
60329+136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
60330+22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
60331+136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
60332+26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
60333+37 38 37 0 0 0
60334+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
60335+13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
60336+153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
60337+177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
60338+4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
60339+5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
60340+6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
60341+166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
60342+4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
60343+146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
60344+71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
60345+90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
60346+125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
60347+85 115 134 4 0 0
60348+4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
60349+125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
60350+155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
60351+125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
60352+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
60353+0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
60354+5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
60355+37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
60356+4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
60357+90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
60358+2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
60359+13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
60360+166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
60361+60 73 81 4 0 0
60362+4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
60363+174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
60364+156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
60365+4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
60366+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
60367+10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
60368+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
60369+4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
60370+80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
60371+28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
60372+50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
60373+1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
60374+167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
60375+16 19 21 4 0 0
60376+4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
60377+158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
60378+167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
60379+4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
60380+4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
60381+80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
60382+4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
60383+3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
60384+146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
60385+68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
60386+136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
60387+24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
60388+163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
60389+4 0 0 4 3 3
60390+3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
60391+156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
60392+155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
60393+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
60394+2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
60395+136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
60396+0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
60397+0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
60398+136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
60399+28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
60400+22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
60401+137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
60402+60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
60403+3 2 2 4 4 4
60404+3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
60405+157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
60406+37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
60407+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
60408+0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
60409+101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
60410+14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
60411+22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
60412+136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
60413+17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
60414+2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
60415+166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
60416+13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
60417+4 4 4 4 4 4
60418+1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
60419+163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
60420+4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
60421+4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
60422+40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
60423+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
60424+101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
60425+136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
60426+136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
60427+136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
60428+3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
60429+174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
60430+4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
60431+4 4 4 4 4 4
60432+4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
60433+155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
60434+4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
60435+4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
60436+101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
60437+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
60438+136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
60439+136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
60440+136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
60441+90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
60442+85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
60443+167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
60444+6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
60445+5 5 5 5 5 5
60446+1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
60447+131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
60448+6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
60449+0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
60450+101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
60451+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
60452+101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
60453+136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
60454+101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
60455+7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
60456+174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
60457+24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
60458+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
60459+5 5 5 4 4 4
60460+4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
60461+131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
60462+6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
60463+13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
60464+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
60465+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
60466+101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
60467+136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
60468+136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
60469+2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
60470+174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
60471+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
60472+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60473+4 4 4 4 4 4
60474+1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
60475+137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
60476+4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
60477+64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
60478+90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
60479+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
60480+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
60481+136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
60482+101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
60483+37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
60484+167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
60485+3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
60486+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60487+4 4 4 4 4 4
60488+4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
60489+153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
60490+4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
60491+90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
60492+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
60493+90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
60494+101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
60495+101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
60496+35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
60497+154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
60498+60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
60499+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60500+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60501+4 4 4 4 4 4
60502+1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
60503+153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
60504+4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
60505+64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
60506+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
60507+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
60508+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
60509+136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
60510+13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
60511+174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
60512+6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
60513+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60514+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60515+4 4 4 4 4 4
60516+4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
60517+156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
60518+4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
60519+90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
60520+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
60521+90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
60522+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
60523+101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
60524+2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
60525+174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
60526+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60527+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60528+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60529+4 4 4 4 4 4
60530+3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
60531+158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
60532+4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
60533+37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
60534+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
60535+90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
60536+101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
60537+90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
60538+5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
60539+167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
60540+6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
60541+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60542+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60543+4 4 4 4 4 4
60544+4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
60545+163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
60546+4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
60547+18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
60548+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
60549+90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
60550+101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
60551+13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
60552+3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
60553+174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
60554+4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
60555+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60556+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60557+4 4 4 4 4 4
60558+1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
60559+167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
60560+4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
60561+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
60562+26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
60563+90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
60564+101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
60565+7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
60566+4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
60567+174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
60568+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60569+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60570+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60571+4 4 4 4 4 4
60572+4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
60573+174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
60574+5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
60575+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
60576+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
60577+90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
60578+101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
60579+2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
60580+3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
60581+153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
60582+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60583+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60584+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60585+4 4 4 4 4 4
60586+1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
60587+174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
60588+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
60589+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
60590+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
60591+26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
60592+35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
60593+2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
60594+3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
60595+131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
60596+4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60597+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60598+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60599+4 4 4 4 4 4
60600+3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
60601+174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
60602+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
60603+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
60604+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
60605+26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
60606+7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
60607+4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
60608+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
60609+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60610+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60611+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60612+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60613+4 4 4 4 4 4
60614+1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
60615+174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
60616+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
60617+18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
60618+18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
60619+26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
60620+28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
60621+3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
60622+4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
60623+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60624+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60625+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60626+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60627+4 4 4 4 4 4
60628+4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
60629+174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
60630+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
60631+10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
60632+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
60633+18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
60634+90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
60635+3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
60636+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
60637+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60638+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60639+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60640+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60641+4 4 4 4 4 4
60642+1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
60643+177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
60644+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
60645+10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
60646+26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
60647+6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
60648+10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
60649+2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
60650+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
60651+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60652+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60653+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60654+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60655+4 4 4 4 4 4
60656+4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
60657+177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
60658+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
60659+10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
60660+26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
60661+7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
60662+3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
60663+21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
60664+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
60665+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60666+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60667+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60668+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60669+4 4 4 4 4 4
60670+3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
60671+190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
60672+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
60673+10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
60674+24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
60675+18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
60676+28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
60677+26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
60678+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
60679+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60680+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60681+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60682+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60683+4 4 4 4 4 4
60684+4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
60685+190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
60686+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
60687+10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
60688+0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
60689+26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
60690+37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
60691+90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
60692+4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
60693+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60694+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60695+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60696+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60697+4 4 4 4 4 4
60698+4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
60699+193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
60700+5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
60701+10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
60702+1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
60703+26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
60704+22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
60705+26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
60706+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
60707+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60708+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60709+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60710+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60711+4 4 4 4 4 4
60712+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
60713+190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
60714+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
60715+10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
60716+2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
60717+26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
60718+10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
60719+26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
60720+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
60721+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60722+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60723+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60724+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60725+4 4 4 4 4 4
60726+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
60727+193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
60728+5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
60729+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
60730+13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
60731+10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
60732+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
60733+26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
60734+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
60735+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60736+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60737+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60738+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60739+4 4 4 4 4 4
60740+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
60741+190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
60742+5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
60743+28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
60744+10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
60745+28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
60746+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
60747+26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
60748+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
60749+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60750+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60751+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60752+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60753+4 4 4 4 4 4
60754+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
60755+193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
60756+5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
60757+4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
60758+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
60759+10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
60760+18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
60761+22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
60762+4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
60763+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60764+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60765+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60766+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60767+4 4 4 4 4 4
60768+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
60769+190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
60770+6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
60771+1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
60772+18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
60773+10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
60774+26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
60775+1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
60776+5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
60777+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60778+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60779+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60780+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60781+4 4 4 4 4 4
60782+4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
60783+193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
60784+2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
60785+4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
60786+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
60787+10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
60788+26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
60789+2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
60790+3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
60791+131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60792+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60793+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60794+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60795+4 4 4 4 4 4
60796+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
60797+193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
60798+0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
60799+4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
60800+13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
60801+10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
60802+28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
60803+4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
60804+0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
60805+125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
60806+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60807+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60808+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60809+4 4 4 4 4 4
60810+4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
60811+193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
60812+120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
60813+4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
60814+4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
60815+10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
60816+4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
60817+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
60818+24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
60819+125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
60820+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
60821+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60822+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60823+4 4 4 4 4 4
60824+4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
60825+174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
60826+220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
60827+3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
60828+4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
60829+10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
60830+1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
60831+5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
60832+137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
60833+125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
60834+0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60835+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60836+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60837+4 4 4 4 4 4
60838+5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
60839+193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
60840+220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
60841+4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
60842+4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
60843+22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
60844+4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60845+1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
60846+166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
60847+125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
60848+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
60849+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60850+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60851+4 4 4 4 4 4
60852+4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
60853+220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
60854+205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
60855+24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
60856+4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
60857+4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
60858+4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
60859+2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
60860+156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
60861+137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
60862+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60863+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60864+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60865+4 4 4 4 4 4
60866+5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
60867+125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
60868+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
60869+193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
60870+5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
60871+1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
60872+5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
60873+60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
60874+153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
60875+125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
60876+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60877+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60878+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60879+4 4 4 4 4 4
60880+4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
60881+6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
60882+193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
60883+244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
60884+0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
60885+4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
60886+3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
60887+220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
60888+153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
60889+13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
60890+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60891+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60892+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60893+4 4 4 4 4 4
60894+5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
60895+6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
60896+244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
60897+220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
60898+3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
60899+4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
60900+0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
60901+177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
60902+158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
60903+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
60904+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60905+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60906+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60907+4 4 4 4 4 4
60908+5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
60909+6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
60910+177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
60911+220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
60912+125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
60913+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
60914+37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
60915+174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
60916+158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
60917+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
60918+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60919+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60920+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60921+4 4 4 4 4 4
60922+4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
60923+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
60924+26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
60925+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
60926+244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
60927+0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
60928+177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
60929+174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
60930+60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
60931+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60932+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60933+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60934+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60935+4 4 4 4 4 4
60936+5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
60937+6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
60938+6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
60939+220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
60940+220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
60941+0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
60942+220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
60943+174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
60944+4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
60945+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60946+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60947+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60948+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60949+4 4 4 4 4 4
60950+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
60951+6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
60952+4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
60953+220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
60954+205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
60955+60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
60956+177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
60957+190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
60958+4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60959+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60960+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60961+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60962+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60963+4 4 4 4 4 4
60964+4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
60965+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
60966+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
60967+125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
60968+205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
60969+193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
60970+190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
60971+153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
60972+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60973+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60974+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60975+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60976+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60977+4 4 4 4 4 4
60978+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
60979+6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
60980+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
60981+4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
60982+205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
60983+220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
60984+174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
60985+6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
60986+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60987+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60988+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60989+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60990+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60991+4 4 4 4 4 4
60992+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
60993+5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
60994+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
60995+4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
60996+220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
60997+190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
60998+193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
60999+4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
61000+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61001+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61002+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61003+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61004+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61005+4 4 4 4 4 4
61006+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61007+4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
61008+4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
61009+6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
61010+174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
61011+193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
61012+193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
61013+6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
61014+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61015+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61016+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61017+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61018+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61019+4 4 4 4 4 4
61020+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61021+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
61022+5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
61023+5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
61024+6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
61025+193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
61026+60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
61027+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61028+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61029+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61030+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61031+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61032+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61033+4 4 4 4 4 4
61034+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61035+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61036+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
61037+5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
61038+4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
61039+193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
61040+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
61041+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61042+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61043+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61044+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61045+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61046+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61047+4 4 4 4 4 4
61048+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61049+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61050+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
61051+4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
61052+6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
61053+153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
61054+6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
61055+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61056+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61057+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61058+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61059+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61060+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61061+4 4 4 4 4 4
61062+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61063+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61064+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61065+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
61066+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
61067+24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
61068+6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
61069+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61070+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61071+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61072+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61073+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61074+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61075+4 4 4 4 4 4
61076+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61077+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61078+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61079+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
61080+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
61081+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
61082+4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
61083+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61084+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61085+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61086+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61087+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61088+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61089+4 4 4 4 4 4
61090+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61091+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61092+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61093+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
61094+5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
61095+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
61096+6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
61097+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61098+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61099+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61100+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61101+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61102+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61103+4 4 4 4 4 4
61104+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61105+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61106+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61107+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
61108+4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
61109+4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
61110+6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61111+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61112+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61113+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61114+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61115+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61116+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61117+4 4 4 4 4 4
61118+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61119+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61120+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61121+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61122+4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
61123+6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
61124+4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
61125+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61126+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61127+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61128+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61129+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61130+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61131+4 4 4 4 4 4
61132+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61133+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61134+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61135+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61136+4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
61137+4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
61138+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61139+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61140+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61141+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61142+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61143+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61144+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61145+4 4 4 4 4 4
61146+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61147+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61148+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61149+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61150+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
61151+5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
61152+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61153+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61154+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61155+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61156+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61157+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61158+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61159+4 4 4 4 4 4
61160+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61161+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61162+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61163+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61164+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
61165+5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
61166+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61167+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61168+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61169+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61170+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61171+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61172+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61173+4 4 4 4 4 4
61174diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
61175index 96093ae..b9eed29 100644
61176--- a/drivers/xen/events/events_base.c
61177+++ b/drivers/xen/events/events_base.c
61178@@ -1568,7 +1568,7 @@ void xen_irq_resume(void)
61179 restore_pirqs();
61180 }
61181
61182-static struct irq_chip xen_dynamic_chip __read_mostly = {
61183+static struct irq_chip xen_dynamic_chip = {
61184 .name = "xen-dyn",
61185
61186 .irq_disable = disable_dynirq,
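Review bot: Dropping `__read_mostly` from `xen_dynamic_chip` leaves no trace of why the annotation went away, and the same applies to `xen_pirq_chip` and `xen_percpu_chip` in the two hunks that follow. These structures hold the interrupt callback pointers, so their placement matters: without the attribute they sit in ordinary writable data unless something outside these hunks makes them read-only (presumably the patch's constification of ops structures, which is not visible here). A one-line comment above each definition would keep a later cleanup from restoring the attribute, e.g. `/* no __read_mostly: section placement is decided elsewhere, do not re-add */`. All three initializers continue past their hunks.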
61187@@ -1582,7 +1582,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = {
61188 .irq_retrigger = retrigger_dynirq,
61189 };
61190
61191-static struct irq_chip xen_pirq_chip __read_mostly = {
61192+static struct irq_chip xen_pirq_chip = {
61193 .name = "xen-pirq",
61194
61195 .irq_startup = startup_pirq,
61196@@ -1602,7 +1602,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = {
61197 .irq_retrigger = retrigger_dynirq,
61198 };
61199
61200-static struct irq_chip xen_percpu_chip __read_mostly = {
61201+static struct irq_chip xen_percpu_chip = {
61202 .name = "xen-percpu",
61203
61204 .irq_disable = disable_dynirq,
61205diff --git a/drivers/xen/evtchn.c b/drivers/xen/evtchn.c
61206index 00f40f0..e3c0b15 100644
61207--- a/drivers/xen/evtchn.c
61208+++ b/drivers/xen/evtchn.c
61209@@ -201,8 +201,8 @@ static ssize_t evtchn_read(struct file *file, char __user *buf,
61210
61211 /* Byte lengths of two chunks. Chunk split (if any) is at ring wrap. */
61212 if (((c ^ p) & EVTCHN_RING_SIZE) != 0) {
61213- bytes1 = (EVTCHN_RING_SIZE - EVTCHN_RING_MASK(c)) *
61214- sizeof(evtchn_port_t);
61215+ bytes1 = EVTCHN_RING_SIZE - EVTCHN_RING_MASK(c);
61216+ bytes1 *= sizeof(evtchn_port_t);
61217 bytes2 = EVTCHN_RING_MASK(p) * sizeof(evtchn_port_t);
61218 } else {
61219 bytes1 = (p - c) * sizeof(evtchn_port_t);
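Review bot: The two added lines compute `bytes1` in two statements while `bytes2` and the `else` branch keep the single-expression form, and nothing in the hunk says why. The result should be unchanged provided `bytes1` can hold the intermediate slot count; its declaration is outside the hunk, so that is worth confirming. If the split exists to keep the subtraction apart from the size multiply for an overflow checker (an inference, not visible here), record it with `/* two steps on purpose: do not fold back into one expression */` so it survives the next tidy-up. evtchn_read's body starts and ends outside the hunk.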
61220diff --git a/drivers/xen/xenfs/xenstored.c b/drivers/xen/xenfs/xenstored.c
61221index fef20db..d28b1ab 100644
61222--- a/drivers/xen/xenfs/xenstored.c
61223+++ b/drivers/xen/xenfs/xenstored.c
61224@@ -24,7 +24,12 @@ static int xsd_release(struct inode *inode, struct file *file)
61225 static int xsd_kva_open(struct inode *inode, struct file *file)
61226 {
61227 file->private_data = (void *)kasprintf(GFP_KERNEL, "0x%p",
61228+#ifdef CONFIG_GRKERNSEC_HIDESYM
61229+ NULL);
61230+#else
61231 xen_store_interface);
61232+#endif
61233+
61234 if (!file->private_data)
61235 return -ENOMEM;
61236 return 0;
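Review bot: Splitting the `kasprintf()` argument list with `#ifdef CONFIG_GRKERNSEC_HIDESYM` leaves a call whose closing parenthesis lives in two preprocessor branches, which is easy to break on the next edit. Selecting the value into a local first keeps the call intact and gives a place for a comment saying the kernel address is withheld on purpose. With `NULL` the stored string is `0x` followed by whatever `%p` prints for a null pointer, so a reader that parses this file as a hex address may need to cope with that; the consumer is not visible here. The function's closing brace is outside the hunk.

```c
static int xsd_kva_open(struct inode *inode, struct file *file)
{
	/* With HIDESYM the kernel address of the store page is not exposed. */
	void *kva = NULL;

#ifndef CONFIG_GRKERNSEC_HIDESYM
	kva = xen_store_interface;
#endif
	file->private_data = (void *)kasprintf(GFP_KERNEL, "0x%p", kva);
	/* … unchanged: NULL check on private_data and return … */
```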
61237diff --git a/firmware/Makefile b/firmware/Makefile
61238index e297e1b..aeb0982 100644
61239--- a/firmware/Makefile
61240+++ b/firmware/Makefile
61241@@ -35,9 +35,11 @@ fw-shipped-$(CONFIG_BNX2X) += bnx2x/bnx2x-e1-6.2.9.0.fw \
61242 bnx2x/bnx2x-e1h-6.2.9.0.fw \
61243 bnx2x/bnx2x-e2-6.2.9.0.fw
61244 fw-shipped-$(CONFIG_BNX2) += bnx2/bnx2-mips-09-6.2.1a.fw \
61245+ bnx2/bnx2-mips-09-6.2.1b.fw \
61246 bnx2/bnx2-rv2p-09-6.0.17.fw \
61247 bnx2/bnx2-rv2p-09ax-6.0.17.fw \
61248 bnx2/bnx2-mips-06-6.2.1.fw \
61249+ bnx2/bnx2-mips-06-6.2.3.fw \
61250 bnx2/bnx2-rv2p-06-6.0.15.fw
61251 fw-shipped-$(CONFIG_CASSINI) += sun/cassini.bin
61252 fw-shipped-$(CONFIG_CHELSIO_T3) += cxgb3/t3b_psram-1.1.0.bin \
61253diff --git a/firmware/WHENCE b/firmware/WHENCE
61254index 0c4d96d..b17700f 100644
61255--- a/firmware/WHENCE
61256+++ b/firmware/WHENCE
61257@@ -653,21 +653,23 @@ Found in hex form in kernel source.
61258 Driver: BNX2 - Broadcom NetXtremeII
61259
61260 File: bnx2/bnx2-mips-06-6.2.1.fw
61261+File: bnx2/bnx2-mips-06-6.2.3.fw
61262 File: bnx2/bnx2-rv2p-06-6.0.15.fw
61263 File: bnx2/bnx2-mips-09-6.2.1a.fw
61264+File: bnx2/bnx2-mips-09-6.2.1b.fw
61265 File: bnx2/bnx2-rv2p-09-6.0.17.fw
61266 File: bnx2/bnx2-rv2p-09ax-6.0.17.fw
61267
61268 Licence:
61269-
61270- This file contains firmware data derived from proprietary unpublished
61271- source code, Copyright (c) 2004 - 2010 Broadcom Corporation.
61272-
61273- Permission is hereby granted for the distribution of this firmware data
61274- in hexadecimal or equivalent format, provided this copyright notice is
61275- accompanying it.
61276-
61277-Found in hex form in kernel source.
61278+
61279+ This file contains firmware data derived from proprietary unpublished
61280+ source code, Copyright (c) 2004 - 2010 Broadcom Corporation.
61281+
61282+ Permission is hereby granted for the distribution of this firmware data
61283+ in hexadecimal or equivalent format, provided this copyright notice is
61284+ accompanying it.
61285+
61286+Found in hex form in kernel source.
61287
61288 --------------------------------------------------------------------------
61289
61290diff --git a/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex b/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex
61291new file mode 100644
61292index 0000000..da72bf1
61293--- /dev/null
61294+++ b/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex
61295@@ -0,0 +1,5804 @@
61296+:10000000080001180800000000004A68000000C84D
61297+:1000100000000000000000000000000008004A6826
61298+:100020000000001400004B30080000A00800000091
61299+:100030000000569400004B44080058200000008443
61300+:100040000000A1D808005694000001580000A25CEE
61301+:100050000800321008000000000072F00000A3B495
61302+:10006000000000000000000000000000080072F026
61303+:1000700000000024000116A40800049008000400F9
61304+:10008000000017D4000116C80000000000000000A6
61305+:100090000000000000000000000000000000000060
61306+:1000A000080000A80800000000003BFC00012E9C96
61307+:1000B0000000000000000000000000000000000040
61308+:1000C00000000000000000000A00004600000000E0
61309+:1000D000000000000000000D636F6D362E322E33DD
61310+:1000E0000000000006020302000000000000000300
61311+:1000F000000000C800000032000000030000000003
61312+:1001000000000000000000000000000000000000EF
61313+:1001100000000010000001360000EA600000000549
61314+:1001200000000000000000000000000000000008C7
61315+:1001300000000000000000000000000000000000BF
61316+:1001400000000000000000000000000000000000AF
61317+:10015000000000000000000000000000000000009F
61318+:10016000000000020000000000000000000000008D
61319+:10017000000000000000000000000000000000007F
61320+:10018000000000000000000000000010000000005F
61321+:10019000000000000000000000000000000000005F
61322+:1001A000000000000000000000000000000000004F
61323+:1001B000000000000000000000000000000000003F
61324+:1001C000000000000000000000000000000000002F
61325+:1001D000000000000000000000000000000000001F
61326+:1001E0000000000010000003000000000000000DEF
61327+:1001F0000000000D3C02080024424AA03C03080015
61328+:1002000024634B9CAC4000000043202B1480FFFD76
61329+:10021000244200043C1D080037BD7FFC03A0F021F0
61330+:100220003C100800261001183C1C0800279C4AA01E
61331+:100230000E000168000000000000000D27470100CB
61332+:1002400090E3000B2402001A94E5000814620028D1
61333+:10025000000020218CE200003C0308008C63004475
61334+:1002600094E60014000211C20002104030A4000203
61335+:10027000005A10212463000130A50004A446008028
61336+:100280003C010800AC23004410A000190004202BFE
61337+:100290008F4202B804410008240400013C02080017
61338+:1002A0008C420060244200013C010800AC22006046
61339+:1002B00003E00008008010218CE2002094E3001687
61340+:1002C00000002021AF4202808CE20004A743028498
61341+:1002D000AF4202883C021000AF4202B83C02080064
61342+:1002E0008C42005C244200013C010800AC22005C0E
61343+:1002F00003E00008008010212747010090E3000B75
61344+:100300002402000394E50008146200280000202164
61345+:100310008CE200003C0308008C63004494E6001467
61346+:10032000000211C20002104030A40002005A102145
61347+:100330002463000130A50004A44600803C010800AD
61348+:10034000AC23004410A000190004202B8F4202B8F7
61349+:1003500004410008240400013C0208008C420060B3
61350+:10036000244200013C010800AC22006003E00008C8
61351+:10037000008010218CE2002094E300160000202170
61352+:10038000AF4202808CE20004A7430284AF4202889D
61353+:100390003C021000AF4202B83C0208008C42005CF4
61354+:1003A000244200013C010800AC22005C03E000088C
61355+:1003B000008010218F4301002402010050620003DD
61356+:1003C000000311C20000000D000311C20002104022
61357+:1003D000005A1021A440008003E000080000102112
61358+:1003E0009362000003E00008AF80000003E0000813
61359+:1003F0000000102103E00008000010212402010089
61360+:1004000014820008000000003C0208008C4200FC3E
61361+:10041000244200013C010800AC2200FC0A0000DD7F
61362+:1004200030A200203C0208008C42008424420001DB
61363+:100430003C010800AC22008430A2002010400008DB
61364+:1004400030A300103C0208008C4201082442000145
61365+:100450003C010800AC22010803E000080000000095
61366+:1004600010600008000000003C0208008C420104FB
61367+:10047000244200013C010800AC22010403E0000812
61368+:10048000000000003C0208008C42010024420001F0
61369+:100490003C010800AC22010003E00008000000005D
61370+:1004A00027BDFFE8AFBF0010274401009483000878
61371+:1004B000306200041040001B306600028F4202B818
61372+:1004C00004410008240500013C0208008C42006041
61373+:1004D000244200013C010800AC2200600A0001290E
61374+:1004E0008FBF00108C82002094830016000028210A
61375+:1004F000AF4202808C820004A7430284AF4202888C
61376+:100500003C021000AF4202B83C0208008C42005C82
61377+:10051000244200013C010800AC22005C0A000129D1
61378+:100520008FBF001010C00006006028218F4401001A
61379+:100530000E0000CD000000000A0001282405000183
61380+:100540008F8200088F4301045043000700002821D8
61381+:100550008F4401000E0000CD000000008F42010416
61382+:10056000AF820008000028218FBF001000A01021DA
61383+:1005700003E0000827BD001827BDFFE8AFBF001447
61384+:10058000AFB00010974201083043700024022000F1
61385+:100590001062000B286220011440002F000010217F
61386+:1005A00024024000106200250000000024026000C8
61387+:1005B00010620026000010210A0001658FBF0014A0
61388+:1005C00027500100920200091040001A2403000184
61389+:1005D0003C0208008C420020104000160000182148
61390+:1005E0000E00049300000000960300083C0608007B
61391+:1005F00094C64B5E8E0400188F8200209605000C76
61392+:1006000000031C0000661825AC440000AC45000443
61393+:1006100024040001AC400008AC40000CAC400010C9
61394+:10062000AC400014AC4000180E0004B8AC43001CF1
61395+:10063000000018210A000164006010210E0003254B
61396+:10064000000000000A000164000010210E000EE905
61397+:1006500000000000000010218FBF00148FB00010B8
61398+:1006600003E0000827BD001827BDFFE0AFB2001867
61399+:100670003C036010AFBF001CAFB10014AFB000105E
61400+:100680008C6450002402FF7F3C1A800000822024EA
61401+:100690003484380C24020037AC6450003C1208004B
61402+:1006A00026524AD8AF42000824020C80AF420024F0
61403+:1006B0003C1B80083C06080024C60324024010218D
61404+:1006C0002404001D2484FFFFAC4600000481FFFDCC
61405+:1006D000244200043C020800244204B03C0108000B
61406+:1006E000AC224AE03C020800244202303C010800EF
61407+:1006F000AC224AE43C020800244201743C03080096
61408+:100700002463032C3C040800248403D83C0508001F
61409+:1007100024A538F03C010800AC224B403C02080004
61410+:10072000244202EC3C010800AC264B243C010800AA
61411+:10073000AC254B343C010800AC234B3C3C01080089
61412+:10074000AC244B443C010800AC224B483C0108005F
61413+:10075000AC234ADC3C010800AC204AE83C0108001C
61414+:10076000AC204AEC3C010800AC204AF03C010800F7
61415+:10077000AC204AF43C010800AC204AF83C010800D7
61416+:10078000AC204AFC3C010800AC204B003C010800B6
61417+:10079000AC244B043C010800AC204B083C01080091
61418+:1007A000AC204B0C3C010800AC204B103C01080075
61419+:1007B000AC204B143C010800AC204B183C01080055
61420+:1007C000AC264B1C3C010800AC264B203C01080029
61421+:1007D000AC254B303C010800AC234B380E000623FF
61422+:1007E000000000003C028000344200708C42000097
61423+:1007F000AF8200143C0308008C6300208F82000449
61424+:10080000104300043C0280000E00045BAF83000430
61425+:100810003C028000344600703C0308008C6300A05A
61426+:100820003C0208008C4200A4104300048F84001492
61427+:100830003C010800AC2300A4A743009E8CCA000022
61428+:100840003C0308008C6300BC3C0208008C4200B8EA
61429+:100850000144202300641821000040210064202B63
61430+:1008600000481021004410213C010800AC2300BCCA
61431+:100870003C010800AC2200B88F5100003222000772
61432+:100880001040FFDCAF8A00148CC600003C05080055
61433+:100890008CA500BC3C0408008C8400B800CA30233E
61434+:1008A00000A628210000102100A6302B0082202164
61435+:1008B00000862021322700013C010800AC2500BC45
61436+:1008C0003C010800AC2400B810E0001F32220002F6
61437+:1008D0008F420100AF4200208F420104AF4200A8C6
61438+:1008E0009342010B0E0000C6305000FF2E02001E86
61439+:1008F00054400004001010800E0000C90A000213CA
61440+:1009000000000000005210218C4200000040F80955
61441+:1009100000000000104000053C0240008F4301042D
61442+:100920003C026020AC4300143C024000AF4201385E
61443+:100930003C0208008C420034244200013C010800C3
61444+:10094000AC220034322200021040000E3222000499
61445+:100950008F4201400E0000C6AF4200200E000295FB
61446+:10096000000000003C024000AF4201783C02080059
61447+:100970008C420038244200013C010800AC220038BF
61448+:10098000322200041040FF983C0280008F42018018
61449+:100990000E0000C6AF4200208F43018024020F00EA
61450+:1009A00014620005000000008F420188A742009CED
61451+:1009B0000A0002483C0240009362000024030050F9
61452+:1009C000304200FF144300083C0240000E00027B4E
61453+:1009D00000000000544000043C0240000E000D7571
61454+:1009E000000000003C024000AF4201B83C02080099
61455+:1009F0008C42003C244200013C010800AC22003C37
61456+:100A00000A0001C83C0280003C0290003442000110
61457+:100A100000822025AF4400208F4200200440FFFECA
61458+:100A20000000000003E00008000000003C0280001D
61459+:100A3000344200010082202503E00008AF4400207A
61460+:100A400027BDFFE0AFB10014AFB0001000808821D7
61461+:100A5000AFBF00180E00025030B000FF9362007D5F
61462+:100A60000220202102028025A370007D8F70007477
61463+:100A70003C0280000E000259020280241600000988
61464+:100A80008FBF00188F4201F80440FFFE24020002CD
61465+:100A9000AF5101C0A34201C43C021000AF4201F8B3
61466+:100AA0008FBF00188FB100148FB0001003E0000852
61467+:100AB00027BD002027BDFFE8AFBF0010974201848B
61468+:100AC0008F440188304202001040000500002821B8
61469+:100AD0000E000FAA000000000A00028D240500018C
61470+:100AE0003C02FF0004800005008218243C02040040
61471+:100AF000506200019362003E240500018FBF001088
61472+:100B000000A0102103E0000827BD0018A360002208
61473+:100B10008F4401400A00025E2405000127BDFFE862
61474+:100B2000AFBF0014AFB0001093620000304400FF6C
61475+:100B300038830020388200300003182B0002102B6D
61476+:100B40000062182410600003240200501482008008
61477+:100B50008FBF001493620005304200011040007CFA
61478+:100B60008FBF0014934201482443FFFF2C6200050D
61479+:100B7000104000788FB00010000310803C03080084
61480+:100B800024634A68004310218C42000000400008A2
61481+:100B9000000000000E0002508F4401408F70000CD6
61482+:100BA0008F4201441602000224020001AF62000CD1
61483+:100BB0000E0002598F4401408F420144145000043A
61484+:100BC0008FBF00148FB000100A000F2027BD00183F
61485+:100BD0008F62000C0A0003040000000097620010FE
61486+:100BE0008F4301443042FFFF1462001A00000000EE
61487+:100BF00024020001A76200108F4202380443001053
61488+:100C00008F4201403C02003F3446F0003C0560004A
61489+:100C10003C04FFC08CA22BBC0044182400461024C6
61490+:100C20000002130200031D82106200390000000060
61491+:100C30008F4202380440FFF7000000008F4201405D
61492+:100C4000AF4202003C021000AF4202380A00032209
61493+:100C50008FBF0014976200100A0003040000000018
61494+:100C60000E0002508F440140976200128F430144EE
61495+:100C70003050FFFF1603000224020001A762001299
61496+:100C80000E0002598F4401408F42014416020004B5
61497+:100C90008FBF00148FB000100A00029127BD00180A
61498+:100CA000976200120A00030400000000976200141B
61499+:100CB0008F4301443042FFFF14620006240200010A
61500+:100CC0008FBF00148FB00010A76200140A00124AF0
61501+:100CD00027BD0018976200141440001D8FBF001438
61502+:100CE0000A00031C00000000976200168F430144B5
61503+:100CF0003042FFFF1462000B240200018FBF00147A
61504+:100D00008FB00010A76200160A000B1227BD001852
61505+:100D10009742007824420004A76200100A000322D0
61506+:100D20008FBF001497620016240300013042FFFFBA
61507+:100D3000144300078FBF00143C0208008C4200706F
61508+:100D4000244200013C010800AC2200708FBF001457
61509+:100D50008FB0001003E0000827BD001827BDFFE892
61510+:100D6000AFBF0014AFB000108F50010093620000BD
61511+:100D700093430109304400FF2402001F106200A5C4
61512+:100D80002862002010400018240200382862000A5F
61513+:100D90001040000C2402000B286200081040002CB8
61514+:100DA00000000000046000E52862000214400028F2
61515+:100DB00024020006106200268FBF00140A00041FE0
61516+:100DC0008FB000101062005E2862000B144000DC3F
61517+:100DD0008FBF00142402000E106200738FB0001049
61518+:100DE0000A00041F00000000106200C028620039E1
61519+:100DF0001040000A2402008024020036106200CA5B
61520+:100E000028620037104000B424020035106200C18F
61521+:100E10008FBF00140A00041F8FB000101062002B57
61522+:100E20002862008110400006240200C82402003914
61523+:100E3000106200B48FBF00140A00041F8FB00010AE
61524+:100E4000106200998FBF00140A00041F8FB00010B9
61525+:100E50003C0208008C420020104000B98FBF0014F3
61526+:100E60000E000493000000008F4201008F830020D9
61527+:100E70009745010C97460108AC6200008F420104BF
61528+:100E80003C04080094844B5E00052C00AC62000416
61529+:100E90008F4201180006340000C43025AC620008FF
61530+:100EA0008F42011C24040001AC62000C9342010A31
61531+:100EB00000A22825AC650010AC600014AC600018DE
61532+:100EC000AC66001C0A0003F58FBF00143C0208004A
61533+:100ED0008C4200201040009A8FBF00140E00049333
61534+:100EE00000000000974401083C03080094634B5E37
61535+:100EF0009745010C000422029746010E8F820020C4
61536+:100F0000000426000083202500052C003C030080FF
61537+:100F100000A6282500832025AC400000AC4000043A
61538+:100F2000AC400008AC40000CAC450010AC400014D4
61539+:100F3000AC400018AC44001C0A0003F42404000177
61540+:100F40009742010C14400015000000009362000558
61541+:100F50003042001014400011000000000E0002504A
61542+:100F6000020020219362000502002021344200107B
61543+:100F70000E000259A36200059362000024030020C2
61544+:100F8000304200FF1043006D020020218FBF00148B
61545+:100F90008FB000100A000FC027BD00180000000D20
61546+:100FA0000A00041E8FBF00143C0208008C4200207F
61547+:100FB000104000638FBF00140E0004930000000077
61548+:100FC0008F4201048F8300209744010C3C050800E8
61549+:100FD00094A54B5EAC6200009762002C00042400D4
61550+:100FE0003042FFFF008220253C02400E00A228254F
61551+:100FF000AC640004AC600008AC60000CAC60001095
61552+:10100000AC600014AC600018AC65001C0A0003F46E
61553+:10101000240400010E00025002002021A7600008F5
61554+:101020000E00025902002021020020210E00025E63
61555+:10103000240500013C0208008C42002010400040C2
61556+:101040008FBF00140E000493000000009742010CB3
61557+:101050008F8300203C05080094A54B5E000214001D
61558+:10106000AC700000AC620004AC6000088F64004CFF
61559+:101070003C02401F00A22825AC64000C8F62005087
61560+:1010800024040001AC6200108F620054AC620014B2
61561+:10109000AC600018AC65001C8FBF00148FB000104E
61562+:1010A0000A0004B827BD0018240200205082002541
61563+:1010B0008FB000100E000F0A020020211040002007
61564+:1010C0008FBF0014020020218FB0001000002821E3
61565+:1010D0000A00025E27BD0018020020218FBF001405
61566+:1010E0008FB000100A00058027BD00189745010C3D
61567+:1010F000020020218FBF00148FB000100A0005A04D
61568+:1011000027BD0018020020218FB000100A0005C57D
61569+:1011100027BD00189345010D020020218FB000105B
61570+:101120000A00060F27BD0018020020218FBF0014FF
61571+:101130008FB000100A0005EB27BD00188FBF001408
61572+:101140008FB0001003E0000827BD00188F4202781E
61573+:101150000440FFFE2402000234840080AF440240B9
61574+:10116000A34202443C02100003E00008AF420278B0
61575+:101170003C04080094844B6A3C0208008C424B7487
61576+:101180003083FFFF000318C000431021AF42003C32
61577+:101190003C0208008C424B70AF4200383C020050C9
61578+:1011A00034420008AF4200300000000000000000A0
61579+:1011B000000000008F420000304200201040FFFD80
61580+:1011C000000000008F4204003C010800AC224B608C
61581+:1011D0008F4204043C010800AC224B643C02002016
61582+:1011E000AF420030000000003C02080094424B680F
61583+:1011F0003C03080094634B6C3C05080094A54B6EBF
61584+:1012000024840001004310213083FFFF3C010800CB
61585+:10121000A4224B683C010800A4244B6A1465000317
61586+:10122000000000003C010800A4204B6A03E0000815
61587+:10123000000000003C05000A27BDFFE80345282107
61588+:101240003C04080024844B50AFBF00100E00051D65
61589+:101250002406000A3C02080094424B523C0308005A
61590+:1012600094634B6E3042000F244200030043180485
61591+:1012700024027FFF0043102B10400002AF83001CAC
61592+:101280000000000D0E00042A000000003C020800CF
61593+:1012900094424B5A8FBF001027BD001803E000088E
61594+:1012A000A74200A23C02000A034210219443000618
61595+:1012B0003C02080094424B5A3C010800A4234B56C0
61596+:1012C000004310238F83001C00021400000214034B
61597+:1012D0000043102B03E000083842000127BDFFE85F
61598+:1012E000AFBF00103C02000A0342102194420006E6
61599+:1012F0003C010800A4224B560E00047700000000B9
61600+:101300005440FFF93C02000A8FBF001003E00008C0
61601+:1013100027BD001827BDFFE8AFBF00100E000477FF
61602+:101320000000000010400003000000000E000485D3
61603+:10133000000000003C0208008C424B608FBF001090
61604+:1013400027430400AF4200383C0208008C424B6443
61605+:1013500027BD0018AF830020AF42003C3C020005CF
61606+:10136000AF42003003E00008AF8000188F82001801
61607+:101370003C0300060002114000431025AF4200303C
61608+:101380000000000000000000000000008F4200008C
61609+:10139000304200101040FFFD27420400AF820020C1
61610+:1013A00003E00008AF8000183C0608008CC64B64C0
61611+:1013B0008F8500188F8300203C02080094424B5A0E
61612+:1013C00027BDFFE024A50001246300202442000182
61613+:1013D00024C70020AFB10014AFB00010AFBF001899
61614+:1013E000AF850018AF8300203C010800A4224B5AAF
61615+:1013F000309000FF3C010800AC274B6404C100089A
61616+:101400000000882104E00006000000003C02080003
61617+:101410008C424B60244200013C010800AC224B602E
61618+:101420003C02080094424B5A3C03080094634B680A
61619+:101430000010202B004310262C42000100441025F0
61620+:10144000144000048F830018240200101462000F5F
61621+:10145000000000000E0004A9241100013C03080054
61622+:1014600094634B5A3C02080094424B681462000398
61623+:10147000000000000E00042A000000001600000317
61624+:10148000000000000E000493000000003C03080070
61625+:1014900094634B5E3C02080094424B5C2463000161
61626+:1014A0003064FFFF3C010800A4234B5E148200035C
61627+:1014B000000000003C010800A4204B5E1200000662
61628+:1014C000000000003C02080094424B5AA74200A2D0
61629+:1014D0000A00050B022010210E0004770000000016
61630+:1014E00010400004022010210E00048500000000BE
61631+:1014F000022010218FBF00188FB100148FB0001090
61632+:1015000003E0000827BD00203084FFFF30A5FFFF67
61633+:101510000000182110800007000000003082000148
61634+:101520001040000200042042006518210A00051343
61635+:101530000005284003E000080060102110C00006EC
61636+:1015400024C6FFFF8CA2000024A50004AC8200008A
61637+:101550000A00051D2484000403E0000800000000C8
61638+:1015600010A0000824A3FFFFAC86000000000000CC
61639+:10157000000000002402FFFF2463FFFF1462FFFA53
61640+:101580002484000403E0000800000000240200019D
61641+:10159000AF62000CA7620010A7620012A7620014DD
61642+:1015A00003E00008A76200163082007F034210218A
61643+:1015B0003C08000E004818213C0208008C42002024
61644+:1015C00027BDFFD82407FF80AFB3001CAFB20018BF
61645+:1015D000AFB10014AFB00010AFBF00200080802179
61646+:1015E00030B100FF0087202430D200FF1040002FD0
61647+:1015F00000009821AF44002C9062000024030050AA
61648+:10160000304200FF1443000E000000003C020800BE
61649+:101610008C4200E00202102100471024AF42002C4F
61650+:101620003C0208008C4200E0020210213042007FA0
61651+:101630000342102100481021944200D43053FFFF90
61652+:101640000E000493000000003C02080094424B5E30
61653+:101650008F8300200011340000C2302500122C00BE
61654+:101660003C02400000C2302534A50001AC700000EF
61655+:101670008FBF0020AC6000048FB20018AC7300086C
61656+:101680008FB10014AC60000C8FB3001CAC6500106F
61657+:101690008FB00010AC60001424040001AC6000188E
61658+:1016A00027BD00280A0004B8AC66001C8FBF0020CC
61659+:1016B0008FB3001C8FB200188FB100148FB00010D0
61660+:1016C00003E0000827BD00289343010F2402001007
61661+:1016D0001062000E2865001110A0000724020012FD
61662+:1016E000240200082405003A1062000600003021A0
61663+:1016F00003E0000800000000240500351462FFFC30
61664+:10170000000030210A000538000000008F420074FC
61665+:1017100024420FA003E00008AF62000C27BDFFE8E1
61666+:10172000AFBF00100E00025E240500018FBF001045
61667+:1017300024020001A762001227BD00182402000144
61668+:1017400003E00008A360002227BDFFE0AFB1001452
61669+:10175000AFB00010AFBF001830B1FFFF0E00025055
61670+:10176000008080219362003F24030004304200FF88
61671+:101770001443000C02002021122000082402000A59
61672+:101780000E00053100000000936200052403FFFEF7
61673+:1017900000431024A362000524020012A362003F4C
61674+:1017A000020020210E000259A360008116200003D0
61675+:1017B000020020210E0005950000000002002021FB
61676+:1017C000322600FF8FBF00188FB100148FB00010B9
61677+:1017D000240500380A00053827BD002027BDFFE09A
61678+:1017E000AFBF001CAFB20018AFB10014AFB0001013
61679+:1017F0000E000250008080210E0005310000000024
61680+:101800009362003F24120018305100FF123200038F
61681+:101810000200202124020012A362003F936200050F
61682+:101820002403FFFE004310240E000259A3620005AA
61683+:10183000020020212405002016320007000030217C
61684+:101840008FBF001C8FB200188FB100148FB0001032
61685+:101850000A00025E27BD00208FBF001C8FB2001857
61686+:101860008FB100148FB00010240500390A0005382C
61687+:1018700027BD002027BDFFE8AFB00010AFBF0014A8
61688+:101880009742010C2405003600808021144000108E
61689+:10189000304600FF0E00025000000000240200123B
61690+:1018A000A362003F93620005344200100E00053130
61691+:1018B000A36200050E00025902002021020020212F
61692+:1018C0000E00025E240500200A000604000000004D
61693+:1018D0000E000538000000000E000250020020211A
61694+:1018E000936200232403FF9F020020210043102461
61695+:1018F0008FBF00148FB00010A36200230A000259AA
61696+:1019000027BD001827BDFFE0AFBF0018AFB100141E
61697+:10191000AFB0001030B100FF0E00025000808021F7
61698+:10192000240200120E000531A362003F0E0002598E
61699+:101930000200202102002021022030218FBF001848
61700+:101940008FB100148FB00010240500350A0005384F
61701+:1019500027BD0020A380002C03E00008A380002DF9
61702+:101960008F4202780440FFFE8F820034AF42024073
61703+:1019700024020002A34202443C02100003E00008DB
61704+:10198000AF4202783C0360008C6254003042000891
61705+:101990001440FFFD000000008C625408AF82000C70
61706+:1019A00024020052AC605408AC645430AC6254342D
61707+:1019B0002402000803E00008AC6254003C0260000E
61708+:1019C0008C42540030420008104000053C03600087
61709+:1019D0008C625400304200081440FFFD00000000FB
61710+:1019E0008F83000C3C02600003E00008AC43540805
61711+:1019F00090A3000024020005008040213063003FD6
61712+:101A000000004821146200050000502190A2001C33
61713+:101A100094A3001E304900FF306AFFFFAD00000CA8
61714+:101A2000AD000010AD000024950200148D05001CCF
61715+:101A30008D0400183042FFFF0049102300021100FE
61716+:101A4000000237C3004038210086202300A2102B5B
61717+:101A50000082202300A72823AD05001CAD04001838
61718+:101A6000A5090014A5090020A50A001603E0000836
61719+:101A7000A50A00228F4201F80440FFFE2402000262
61720+:101A8000AF4401C0A34201C43C02100003E00008BF
61721+:101A9000AF4201F83C0208008C4200B427BDFFE8C9
61722+:101AA000AFBF001424420001AFB000103C01080099
61723+:101AB000AC2200B48F4300243C02001F30AA00FF78
61724+:101AC0003442FF8030D800FF006280240080F8217B
61725+:101AD00030EF00FF1158003B01405821240CFF80DB
61726+:101AE0003C19000A3163007F000310C00003194055
61727+:101AF000006218213C0208008C4200DC25680001CD
61728+:101B0000310D007F03E21021004310213043007F9C
61729+:101B100003431821004C102400794821AF420024CF
61730+:101B20008D220024016C1824006C7026AD22000C5C
61731+:101B30008D220024310800FFAD22001095220014F0
61732+:101B4000952300208D27001C3042FFFF3063FFFFEC
61733+:101B50008D2600180043102300021100000227C345
61734+:101B60000040282100C4302300E2102B00C23023A3
61735+:101B700000E53823AD27001CAD2600189522002073
61736+:101B8000A522001495220022154B000AA52200165A
61737+:101B90008D2300248D220008254600013145008058
61738+:101BA0001462000430C4007F108F000238AA008045
61739+:101BB00000C0502151AF000131C800FF1518FFC906
61740+:101BC000010058218F8400343082007F03421821A5
61741+:101BD0003C02000A006218212402FF8000822024B7
61742+:101BE000AF440024A06A0079A06A00838C62005090
61743+:101BF0008F840034AC6200708C6500743C027FFFFF
61744+:101C00003442FFFF00A228240E00066BAC6500746E
61745+:101C1000AF5000248FBF00148FB0001003E0000805
61746+:101C200027BD001827BDFFC0AFBE0038AFB70034D6
61747+:101C3000AFB5002CAFB20020AFB1001CAFB00018A0
61748+:101C4000AFBF003CAFB60030AFB40028AFB3002444
61749+:101C50008F4500248F4600288F43002C3C02001F34
61750+:101C60003442FF800062182400C230240080A82182
61751+:101C7000AFA3001400A2F0240E00062FAFA60010A0
61752+:101C80003C0208008C4200E02410FF8003608821A1
61753+:101C900002A2102100501024AF4200243C02080090
61754+:101CA0008C4200E002A210213042007F0342182142
61755+:101CB0003C02000A00629021924200D293630084A9
61756+:101CC000305700FF306300FF24020001106200342F
61757+:101CD000036020212402000214620036000000008C
61758+:101CE0000E001216024028219223008392220083C4
61759+:101CF0003063007F3042007F000210C000031940B3
61760+:101D0000006218213C0208008C4200DC02A2102173
61761+:101D10000043382100F01024AF42002892250078BB
61762+:101D20009224008330E2007F034218213C02000C21
61763+:101D300014850007006280212402FFFFA24200F107
61764+:101D40002402FFFFA64200F20A0007272402FFFF39
61765+:101D500096020020A24200F196020022A64200F262
61766+:101D60008E020024AE4200F492220083A24200F0D0
61767+:101D70008E4200C8AE4200FC8E4200C4AE4200F863
61768+:101D80008E220050AE4201008E4200CCAE420104D1
61769+:101D9000922200853042003F0A0007823442004010
61770+:101DA0000E00123902402821922200850A00078283
61771+:101DB0003042003F936200852403FFDF3042003F42
61772+:101DC000A36200859362008500431024A36200850E
61773+:101DD0009363008393620078307400FF304200FF09
61774+:101DE00010540036240AFF803C0C000C3283007F24
61775+:101DF000000310C000031940006218213C020800D3
61776+:101E00008C4200DC268800013109007F02A21021EB
61777+:101E10000043382130E2007F0342182100EA1024F9
61778+:101E2000AF420028006C80218E020024028A182410
61779+:101E3000006A5826AE02000C8E020024310800FF12
61780+:101E4000AE02001096020014960300208E07001CBC
61781+:101E50003042FFFF3063FFFF8E060018004310235F
61782+:101E600000021100000227C30040282100C43023D3
61783+:101E700000E2102B00C2302300E53823AE07001C1F
61784+:101E8000AE06001896020020A60200149602002258
61785+:101E9000A602001692220079304200FF105400077B
61786+:101EA0000000000051370001316800FF92220078E5
61787+:101EB000304200FF1448FFCD0100A0219222008390
61788+:101EC000A22200798E2200500A0007E2AE220070A2
61789+:101ED000A22200858E22004C2405FF80AE42010C18
61790+:101EE0009222008534420020A2220085924200D135
61791+:101EF0003C0308008C6300DC305400FF3C02080007
61792+:101F00008C4200E400143140001420C002A31821C8
61793+:101F100000C4202102A210210064382100461021B3
61794+:101F20000045182400E52824AF450028AF43002CC5
61795+:101F30003042007F924400D030E3007F03422821EA
61796+:101F4000034318213C02000C006280213C02000E79
61797+:101F5000309600FF00A298211296002A000000008F
61798+:101F60008E02000C02002021026028211040002572
61799+:101F7000261000280E00064A000000009262000DA4
61800+:101F800026830001307400FF3042007FA262000D02
61801+:101F90002404FF801697FFF0267300203C020800FF
61802+:101FA0008C4200DC0000A02102A210210044102479
61803+:101FB000AF4200283C0208008C4200E43C030800C9
61804+:101FC0008C6300DC02A2102100441024AF42002CDC
61805+:101FD0003C0208008C4200E402A318213063007F19
61806+:101FE00002A210213042007F034220210343182126
61807+:101FF0003C02000C006280213C02000E0A0007A493
61808+:10200000008298218E4200D8AE2200508E4200D825
61809+:10201000AE22007092250083924600D19223008365
61810+:10202000924400D12402FF8000A228243063007F64
61811+:10203000308400FF00A628250064182A10600002E2
61812+:1020400030A500FF38A50080A2250083A2250079D5
61813+:102050000E00063D000000009222007E02A020211A
61814+:10206000A222007A8E2300743C027FFF3442FFFFDD
61815+:10207000006218240E00066BAE2300748FA20010BD
61816+:10208000AF5E00248FBF003CAF4200288FBE0038F7
61817+:102090008FA200148FB700348FB600308FB5002C9C
61818+:1020A0008FB400288FB300248FB200208FB1001CA2
61819+:1020B0008FB0001827BD004003E00008AF42002C9D
61820+:1020C00090A2000024420001A0A200003C030800EE
61821+:1020D0008C6300F4304200FF1443000F0080302175
61822+:1020E000A0A000003C0208008C4200E48F84003471
61823+:1020F000008220213082007F034218213C02000C24
61824+:10210000006218212402FF8000822024ACC300005A
61825+:1021100003E00008AF4400288C8200002442002025
61826+:1021200003E00008AC82000094C200003C080800F4
61827+:10213000950800CA30E7FFFF008048210102102106
61828+:10214000A4C2000094C200003042FFFF00E2102B46
61829+:1021500054400001A4C7000094A200003C03080002
61830+:102160008C6300CC24420001A4A2000094A20000D1
61831+:102170003042FFFF544300078F8600280107102BD1
61832+:10218000A4A000005440000101003821A4C70000B1
61833+:102190008F8600288CC4001CAF44003C94A2000031
61834+:1021A0008F43003C3042FFFF000210C00062182144
61835+:1021B000AF43003C8F42003C008220231880000483
61836+:1021C000000000008CC200180A00084324420001ED
61837+:1021D0008CC20018AF4200383C020050344200105C
61838+:1021E000AF420030000000000000000000000000CE
61839+:1021F0008F420000304200201040FFFD0000000030
61840+:102200008F420404AD2200048F420400AD2200007E
61841+:102210003C020020AF42003003E000080000000054
61842+:1022200027BDFFE0AFB20018AFB10014AFB000108F
61843+:10223000AFBF001C94C2000000C080213C12080007
61844+:10224000965200C624420001A60200009603000038
61845+:1022500094E2000000E03021144300058FB100300B
61846+:102260000E000818024038210A000875000000001E
61847+:102270008C8300048C820004244200400461000727
61848+:10228000AC8200048C8200040440000400000000C2
61849+:102290008C82000024420001AC8200009602000003
61850+:1022A0003042FFFF50520001A600000096220000BD
61851+:1022B00024420001A62200008F82002896230000FD
61852+:1022C00094420016144300048FBF001C2402000136
61853+:1022D000A62200008FBF001C8FB200188FB100141F
61854+:1022E0008FB0001003E0000827BD00208F89002870
61855+:1022F00027BDFFE0AFBF00188D220028274804004B
61856+:1023000030E700FFAF4200388D22002CAF8800304C
61857+:10231000AF42003C3C020005AF420030000000002C
61858+:1023200000000000000000000000000000000000AD
61859+:10233000000000008C82000C8C82000CAD020000BA
61860+:102340008C820010AD0200048C820018AD020008DF
61861+:102350008C82001CAD02000C8CA20014AD02001097
61862+:102360008C820020AD02001490820005304200FFF4
61863+:1023700000021200AD0200188CA20018AD02001C71
61864+:102380008CA2000CAD0200208CA20010AD02002433
61865+:102390008CA2001CAD0200288CA20020AD02002CF3
61866+:1023A000AD060030AD000034978300263402FFFFF5
61867+:1023B00014620002006020213404FFFF10E00011CD
61868+:1023C000AD04003895230036952400362402000120
61869+:1023D0003063FFFF000318C20069182190650040B8
61870+:1023E000308400070082100400451025A0620040E0
61871+:1023F0008F820028944200563042FFFF0A0008DC1A
61872+:10240000AD02003C952300369524003624020001DD
61873+:102410003063FFFF000318C2006918219065004077
61874+:1024200030840007008210040002102700451024A9
61875+:10243000A0620040AD00003C000000000000000071
61876+:10244000000000003C02000634420040AF42003071
61877+:102450000000000000000000000000008F420000AB
61878+:10246000304200101040FFFD8F860028AF880030FA
61879+:1024700024C2005624C7003C24C4002824C50032CE
61880+:1024800024C600360E000856AFA200108FBF0018F9
61881+:1024900003E0000827BD00208F8300243C060800CD
61882+:1024A0008CC600E88F82003430633FFF0003198040
61883+:1024B00000461021004310212403FF803046007F96
61884+:1024C00000431024AF420028034618213C02000CB0
61885+:1024D0000062302190C2000D30A500FF00003821BD
61886+:1024E00034420010A0C2000D8F8900288F8A00247A
61887+:1024F00095230036000A13823048000324020001AD
61888+:10250000A4C3000E1102000B2902000210400005B6
61889+:10251000240200021100000C240300010A0009201B
61890+:102520000000182111020006000000000A00092026
61891+:10253000000018218CC2002C0A000920244300014D
61892+:102540008CC20014244300018CC200180043102BDD
61893+:1025500050400009240700012402002714A20003B0
61894+:10256000000000000A00092C240700019522003E0B
61895+:1025700024420001A522003E000A138230430003DA
61896+:102580002C62000210400009008028211460000421
61897+:102590000000000094C200360A00093C3046FFFFEC
61898+:1025A0008CC600380A00093C008028210000302138
61899+:1025B0003C04080024844B780A00088900000000CD
61900+:1025C000274901008D22000C9523000601202021BF
61901+:1025D000000216023046003F3063FFFF240200274E
61902+:1025E00000C0282128C7002810C2000EAF83002495
61903+:1025F00010E00008240200312402002110C200096A
61904+:102600002402002510C200079382002D0A00095BF6
61905+:102610000000000010C200059382002D0A00095B33
61906+:10262000000000000A0008F4000000000A0006266E
61907+:102630000000000095230006912400058D25000C64
61908+:102640008D2600108D2700188D28001C8D29002054
61909+:10265000244200013C010800A4234B7E3C010800F9
61910+:10266000A0244B7D3C010800AC254B843C010800B4
61911+:10267000AC264B883C010800AC274B903C0108007D
61912+:10268000AC284B943C010800AC294B9803E00008AF
61913+:10269000A382002D8F87002827BDFFC0AFB3003471
61914+:1026A000AFB20030AFB1002CAFB00028AFBF0038E0
61915+:1026B0003C0208008C4200D094E3003030B0FFFFB1
61916+:1026C000005010073045FFFF3063FFFF00C0982126
61917+:1026D000A7A200103C110800963100C614A3000602
61918+:1026E0003092FFFF8CE2002424420030AF42003CD5
61919+:1026F0000A0009948CE2002094E200323042FFFF8D
61920+:1027000054A2000827A400188CE2002C24420030B8
61921+:10271000AF42003C8CE20028AF4200380A0009A218
61922+:102720008F84002827A5001027A60020022038212A
61923+:102730000E000818A7A000208FA200182442003025
61924+:10274000AF4200388FA2001CAF42003C8F840028AB
61925+:102750003C020005AF42003094820034274304005D
61926+:102760003042FFFF0202102B14400007AF830030FD
61927+:1027700094820054948300340202102100431023F9
61928+:102780000A0009B63043FFFF94830054948200345A
61929+:102790000223182100501023006218233063FFFF2A
61930+:1027A000948200163042FFFF144300030000000033
61931+:1027B0000A0009C424030001948200163042FFFF7E
61932+:1027C0000043102B104000058F82003094820016C9
61933+:1027D000006210233043FFFF8F820030AC530000B3
61934+:1027E000AC400004AC520008AC43000C3C020006B4
61935+:1027F00034420010AF420030000000000000000032
61936+:10280000000000008F420000304200101040FFFD29
61937+:10281000001018C2006418219065004032040007BF
61938+:10282000240200018FBF00388FB300348FB2003014
61939+:102830008FB1002C8FB000280082100400451025B5
61940+:1028400027BD004003E00008A062004027BDFFA8AC
61941+:10285000AFB60050AFB5004CAFB40048AFB30044C2
61942+:10286000AFB1003CAFBF0054AFB20040AFB00038D2
61943+:102870008C9000003C0208008C4200E88F860034F7
61944+:10288000960300022413FF8000C2302130633FFF13
61945+:102890000003198000C3382100F3102490B2000017
61946+:1028A000AF42002C9203000230E2007F034230214D
61947+:1028B0003C02000E00C28821306300C024020040A8
61948+:1028C0000080A82100A0B021146200260000A021F1
61949+:1028D0008E3400388E2200181440000224020001B9
61950+:1028E000AE2200189202000D304200201440001564
61951+:1028F0008F8200343C0308008C6300DC001238C077
61952+:10290000001231400043102100C730210046382119
61953+:1029100030E300073C02008030E6007800C230253A
61954+:102920000343182100F31024AF4208002463090078
61955+:10293000AF4608108E2200188C6300080043102157
61956+:10294000AE2200188E22002C8E2300182442000193
61957+:102950000062182B1060003D000000000A000A7899
61958+:1029600000000000920300022402FFC00043102474
61959+:10297000304200FF1440000524020001AE2200187E
61960+:10298000962200360A000A613054FFFF8E2200149E
61961+:1029900024420001AE22001892020000000216003C
61962+:1029A0000002160304410029000000009602000204
61963+:1029B00027A4001000802821A7A20016960200027A
61964+:1029C00024070001000030213042FFFFAF820024C5
61965+:1029D0000E000889AFA0001C960300023C0408000A
61966+:1029E0008C8400E88F82003430633FFF000319803D
61967+:1029F00000441021004310213043007F3C05000CAF
61968+:102A00000053102403431821AF4200280065182109
61969+:102A10009062000D001221403042007FA062000D44
61970+:102A20003C0308008C6300E48F82003400431021D3
61971+:102A30000044382130E2007F03421021004510217C
61972+:102A400000F31824AF430028AEA200009222000D2C
61973+:102A5000304200101040001302A020218F83002874
61974+:102A60008EA40000028030219462003E2442FFFFC9
61975+:102A7000A462003E948400029625000E3084FFFF7D
61976+:102A80000E00097330A5FFFF8F82002894430034A5
61977+:102A90009622000E1443000302A02021240200010C
61978+:102AA000A382002C02C028210E0007FE00000000B7
61979+:102AB0008FBF00548FB600508FB5004C8FB40048C4
61980+:102AC0008FB300448FB200408FB1003C8FB000380C
61981+:102AD00003E0000827BD00588F82002827BDFFD0E3
61982+:102AE000AFB40028AFB20020AFBF002CAFB30024BA
61983+:102AF000AFB1001CAFB00018904400D0904300D19B
61984+:102B00000000A021309200FFA3A30010306300FF5B
61985+:102B10008C5100D88C5300DC1072002B2402000171
61986+:102B20003C0308008C6300E493A400108F820034FF
61987+:102B30002406FF800004214000431021004410219E
61988+:102B40003043007F00461024AF4200280343182181
61989+:102B50003C02000C006218218C62000427A40014BF
61990+:102B600027A50010022280210270102304400015C6
61991+:102B7000AFA300149062000D00C21024304200FF89
61992+:102B800014400007020088219062000D344200408A
61993+:102B90000E0007FEA062000D0A000ABD93A20010FD
61994+:102BA0000E0009E1241400018F830028AC7000D8C6
61995+:102BB00093A20010A06200D193A200101452FFD87B
61996+:102BC0000000000024020001168200048FBF002CC8
61997+:102BD0000E000626000000008FBF002C8FB40028D6
61998+:102BE0008FB300248FB200208FB1001C8FB000186B
61999+:102BF00003E0000827BD003027BDFFD8AFB3001C9D
62000+:102C0000AFB20018AFB10014AFB00010AFBF0020DA
62001+:102C10000080982100E0802130B1FFFF0E00049376
62002+:102C200030D200FF000000000000000000000000A3
62003+:102C30008F820020AC510000AC520004AC5300085D
62004+:102C4000AC40000CAC400010AC400014AC4000188C
62005+:102C50003C03080094634B5E02038025AC50001CCB
62006+:102C6000000000000000000000000000240400013B
62007+:102C70008FBF00208FB3001C8FB200188FB10014DB
62008+:102C80008FB000100A0004B827BD002827BDFFE858
62009+:102C9000AFB00010AFBF001430A5FFFF30C600FF7B
62010+:102CA0000080802124020C80AF420024000000003C
62011+:102CB0000000000000000000000000000000000014
62012+:102CC0000E000ACC000000003C040800248400E050
62013+:102CD0008C8200002403FF808FBF001402021021A9
62014+:102CE00000431024AF4200248C8200003C03000A01
62015+:102CF000020280213210007F035010218FB000109B
62016+:102D00000043102127BD001803E00008AF8200280F
62017+:102D100027BDFFE8AFBF00108F4401403C0308000F
62018+:102D20008C6300E02402FF80AF840034008318210C
62019+:102D300000621024AF4200243C02000803424021FC
62020+:102D4000950500023063007F3C02000A034318210E
62021+:102D50000062182130A5FFFF3402FFFF0000302180
62022+:102D60003C07602010A20006AF8300282402FFFF6A
62023+:102D7000A5020002946500D40E000AF130A5FFFF01
62024+:102D80008FBF001024020C8027BD001803E000084C
62025+:102D9000AF4200243C020008034240219502000299
62026+:102DA0003C0A0800954A00C63046FFFF14C00007E1
62027+:102DB0003402FFFF8F8200288F8400343C0760209C
62028+:102DC000944500D40A000B5A30A5FFFF10C200241E
62029+:102DD0008F87002894E2005494E400163045FFFFEA
62030+:102DE00000A6102300A6182B3089FFFF10600004F6
62031+:102DF0003044FFFF00C51023012210233044FFFFA1
62032+:102E0000008A102B1040000C012A1023240200011C
62033+:102E1000A50200162402FFFFA502000294E500D4DB
62034+:102E20008F8400340000302130A5FFFF3C07602074
62035+:102E30000A000AF1000000000044102A10400008B7
62036+:102E4000000000009502001630420001104000040E
62037+:102E5000000000009742007E24420014A5020016E4
62038+:102E600003E00008000000008F84002827BDFFE079
62039+:102E7000AFBF0018948200349483003E1060001AA3
62040+:102E80003048FFFF9383002C2402000114620027C6
62041+:102E90008FBF00188F820028000818C23108000771
62042+:102EA000006218212447003A244900542444002099
62043+:102EB000244500302446003490620040304200FF38
62044+:102EC0000102100730420001104000168FBF0018A9
62045+:102ED0000E000856AFA900108F82002894420034DB
62046+:102EE0000A000B733048FFFF94830036948200344D
62047+:102EF0001043000E8FBF001894820036A482003465
62048+:102F000094820056A48200548C82002CAC8200244F
62049+:102F100094820032A48200309482003CA482003A61
62050+:102F20008FBF00180A000B3327BD002003E0000804
62051+:102F300027BD002027BDFFE8AFBF00108F4A01006A
62052+:102F40003C0508008CA500E03C02080090424B8440
62053+:102F50003C0C0800958C4B7E01452821304B003FEE
62054+:102F600030A2007F03424021396900323C02000A4E
62055+:102F70003963003F2C630001010240212D2900012B
62056+:102F80002402FF8000A2282401234825AF8A0034B0
62057+:102F900000801821AF450024000030210080282146
62058+:102FA00024070001AF8800283C04080024844B78E3
62059+:102FB000AF8C002415200007A380002D24020020E0
62060+:102FC0005562000F006020213402FFFF5582000C83
62061+:102FD000006020212402002015620005000000008E
62062+:102FE0008C6300142402FFFF106200070000000041
62063+:102FF0000E000889000000000A000BD0000000004D
62064+:103000000E0008F4016028210E000B68000000008B
62065+:103010008FBF001024020C8027BD001803E00008B9
62066+:10302000AF4200243C0208008C4200E027BDFFA014
62067+:10303000AFB1003C008210212411FF80AFBE0058C8
62068+:10304000AFB70054AFB20040AFB00038AFBF005CC4
62069+:10305000AFB60050AFB5004CAFB40048AFB30044BA
62070+:10306000005110248F4800248F4900288F470028E2
62071+:10307000AF4200243C0208008C4200E00080902116
62072+:1030800024060006008210213042007F03421821EE
62073+:103090003C02000A006280213C02001F3442FF8093
62074+:1030A00000E2382427A40010260500F00122F024B5
62075+:1030B0000102B8240E00051DAFA700308FA2001832
62076+:1030C000AE0200C48FA2001CAE0200C88FA2002472
62077+:1030D000AE0200CC93A40010920300D12402FF8022
62078+:1030E0000082102400431025304900FF3083007F08
62079+:1030F0003122007F0062102A10400004000310C03B
62080+:1031000001311026304900FF000310C000031940B0
62081+:10311000006218213C0208008C4200DC920400D2BC
62082+:10312000024210210043102100511024AF42002818
62083+:1031300093A300103063007F000310C00003194008
62084+:10314000006218213C0208008C4200DC024210217F
62085+:10315000004310213042007F034218213C02000C42
62086+:10316000006240218FA300142402FFFF1062003090
62087+:10317000309500FF93A2001195030014304400FF26
62088+:103180003063FFFF0064182B1060000D000000008A
62089+:10319000950400148D07001C8D0600183084FFFF75
62090+:1031A00000442023000421000000102100E4382105
62091+:1031B00000E4202B00C230210A000C4A00C4302158
62092+:1031C000950400148D07001C8D0600183084FFFF45
62093+:1031D000008220230004210000001021008018211B
62094+:1031E00000C2302300E4202B00C4302300E3382346
62095+:1031F000AD07001CAD06001893A20011A502001433
62096+:1032000097A20012A50200168FA20014AD020010B2
62097+:103210008FA20014AD02000C93A20011A5020020A1
62098+:1032200097A20012A50200228FA20014AD02002472
62099+:103230002406FF80024610243256007FAF4200244D
62100+:10324000035618213C02000A006280218E02004CC5
62101+:103250008FA200203124007F000428C0AE0200505D
62102+:103260008FA200200004214000852821AE020070BA
62103+:1032700093A2001001208821A202008393A20010D3
62104+:10328000A2020079920200853042003FA20200852E
62105+:103290003C0208008C4200DC024210210045102153
62106+:1032A00000461024AF42002C3C0208008C4200E48F
62107+:1032B0003C0308008C6300DC024210210044102112
62108+:1032C00000461024AF4200283C0208008C4200E473
62109+:1032D00002431821006518210242102100441021E8
62110+:1032E0003042007F3063007F93A50010034220210D
62111+:1032F000034318213C02000E006240213C02000CF6
62112+:1033000010B1008C008248213233007F1660001912
62113+:103310002404FF803C0208008C4200DC02421021A1
62114+:1033200000441024AF42002C3C0208008C4200E410
62115+:103330003C0308008C6300DC02421021004410248E
62116+:10334000AF4200283C0208008C4200E402431821EE
62117+:103350003063007F024210213042007F034220216F
62118+:10336000034318213C02000E006240213C02000C85
62119+:10337000008248219124000D2414FF8000001021B8
62120+:1033800000942025A124000D950400029505001449
62121+:103390008D07001C3084FFFF30A5FFFF8D0600184D
62122+:1033A000008520230004210000E4382100C23021E0
62123+:1033B00000E4202B00C43021AD07001CAD0600182E
62124+:1033C00095020002A5020014A50000168D02000857
62125+:1033D000AD0200108D020008AD02000C9502000243
62126+:1033E000A5020020A50000228D020008AD020024E5
62127+:1033F0009122000D30420040104000422622000180
62128+:103400003C0208008C4200E0A3B300283C10000AF4
62129+:103410000242102100541024AF4200243C02080054
62130+:103420008C4200E0A380002C27A4002C0242102133
62131+:103430003042007F03421821007018218C6200D8AE
62132+:103440008D26000427A50028AFA9002C00461021D6
62133+:10345000AC6200D80E0009E1AF83002893A30028D6
62134+:103460008F8200280E000626A04300D10E000B68B4
62135+:103470000000000002541024AF4200243C02080067
62136+:103480008C4200DC00132940001320C000A420213E
62137+:10349000024210210044102100541024AF42002C9D
62138+:1034A0003C0208008C4200E43C0308008C6300DC12
62139+:1034B00003563021024210210045102100541024EF
62140+:1034C000AF4200283C0208008C4200E4024318216D
62141+:1034D0000064182102421021004510213042007F73
62142+:1034E0003063007F03422021034318213C02000E79
62143+:1034F000006240213C02000C00D080210082482163
62144+:10350000262200013043007F14750005304400FF7F
62145+:103510002403FF800223102400431026304400FFC0
62146+:1035200093A2001000808821250800281444FF760B
62147+:103530002529002093A400108FA300142402FFFF6C
62148+:103540001062000A308900FF2482000124830001F8
62149+:103550003042007F14550005306900FF2403FF80CE
62150+:103560000083102400431026304900FF92020078A7
62151+:10357000305300FF11330032012088213C02080043
62152+:103580008C4200DC3225007F000520C00005294068
62153+:1035900000A42021024210212406FF8000441021B3
62154+:1035A00000461024AF42002C3C0308008C6300DC72
62155+:1035B0003C0208008C4200E4024318210242102120
62156+:1035C0000045102100641821004610243063007F5C
62157+:1035D000AF420028034318213C02000E0062402144
62158+:1035E0003C0208008C4200E48D06000C0100202102
62159+:1035F00002421021004510213042007F0342182171
62160+:103600003C02000C0062482110C0000D012028215E
62161+:103610000E00064A000000002402FF800222182447
62162+:1036200026240001006228263082007F1455000203
62163+:10363000308300FF30A300FF1473FFD000608821A7
62164+:103640008E0300743C027FFF3442FFFF00621824A7
62165+:10365000AE0300740E00066B02402021AF57002419
62166+:103660008FA20030AF5E00288FBF005C8FBE005875
62167+:103670008FB700548FB600508FB5004C8FB4004800
62168+:103680008FB300448FB200408FB1003C8FB0003840
62169+:1036900027BD006003E00008AF42002C27BDFFD823
62170+:1036A000AFB1001CAFBF0020AFB000182751018898
62171+:1036B000922200032408FF803C03000A3047007F69
62172+:1036C000A3A700108F4601803C0208008C4200E056
62173+:1036D000AF86003400C2282100A81024AF42002485
62174+:1036E0009224000030A2007F0342102100431021E9
62175+:1036F000AF8200283084007F24020002148200255B
62176+:10370000000719403C0208008C4200E400C210216E
62177+:103710000043282130A2007F0342182100A8102472
62178+:10372000AF4200283C02000C006218219062000D9C
62179+:10373000AFA3001400481025A062000D8FA3001451
62180+:103740009062000D304200405040006A8FBF002060
62181+:103750008F860028A380002C27A400148CC200D8D8
62182+:103760008C63000427A50010004310210E0009E11E
62183+:10377000ACC200D893A300108F8200280E0006264A
62184+:10378000A04300D10E000B68000000000A000E0BE1
62185+:103790008FBF00200E00062F00C020210E00063D26
62186+:1037A000000000003C020008034280219223000137
62187+:1037B0009202007B1443004F8FBF00209222000032
62188+:1037C0003044007F24020004108200172882000584
62189+:1037D00010400006240200052402000310820007A6
62190+:1037E0008FB1001C0A000E0C0000000010820012B5
62191+:1037F0008FBF00200A000E0C8FB1001C92050083C1
62192+:10380000920600788E0700748F84003430A500FF84
62193+:1038100000073E0230C600FF0E00067330E7007F4F
62194+:103820000A000E0B8FBF00200E000BD78F840034D0
62195+:103830000A000E0B8FBF002024020C80AF42002430
62196+:103840009202003E30420040104000200000000084
62197+:103850009202003E00021600000216030441000618
62198+:10386000000000008F8400340E0005A024050093A2
62199+:103870000A000E0B8FBF00209202003F24030018A5
62200+:10388000304200FF1443000C8F84003424050039BB
62201+:103890000E000538000030210E0002508F840034E5
62202+:1038A00024020012A202003F0E0002598F8400344D
62203+:1038B0000A000E0B8FBF0020240500360E000538CD
62204+:1038C000000030210A000E0B8FBF00200E000250B6
62205+:1038D0008F8400349202000534420020A2020005C9
62206+:1038E0000E0002598F8400340E000FC08F84003404
62207+:1038F0008FBF00208FB1001C8FB0001824020C80F5
62208+:1039000027BD002803E00008AF42002427BDFFE8E0
62209+:10391000AFB00010AFBF001427430100946200084D
62210+:103920000002140000021403044100020000802180
62211+:103930002410000194620008304200801040001AF8
62212+:10394000020010219462000830422000104000164E
62213+:10395000020010218C6300183C021C2D344219ED2A
62214+:10396000240600061062000F3C0760213C0208009C
62215+:103970008C4200D4104000078F8200288F830028DB
62216+:10398000906200623042000F34420040A062006248
62217+:103990008F8200288F840034944500D40E000AF1F1
62218+:1039A00030A5FFFF020010218FBF00148FB0001060
62219+:1039B00003E0000827BD001827BDFFE0AFB10014E9
62220+:1039C000AFB00010A380002CAFBF00188F450100DE
62221+:1039D0003C0308008C6300E02402FF80AF850034C4
62222+:1039E00000A318213064007F0344202100621824C2
62223+:1039F0003C02000A00822021AF430024275001002E
62224+:103A00008E0200148C8300DCAF8400280043102356
62225+:103A100018400004000088218E0200140E000A8461
62226+:103A2000AC8200DC9202000B24030002304200FF53
62227+:103A30001443002F0000000096020008304300FFEE
62228+:103A40002402008214620005240200840E00093E54
62229+:103A5000000000000A000E97000000001462000938
62230+:103A6000240200818F8200288F8400343C0760216B
62231+:103A7000944500D49206000530A5FFFF0A000E868B
62232+:103A800030C600FF14620027000000009202000A06
62233+:103A9000304300FF306200201040000430620040DC
62234+:103AA0008F8400340A000E82240600401040000477
62235+:103AB000000316008F8400340A000E8224060041A1
62236+:103AC00000021603044100178F84003424060042CC
62237+:103AD0008F8200283C076019944500D430A5FFFF71
62238+:103AE0000E000AF1000000000A000E97000000001E
62239+:103AF0009202000B24030016304200FF1043000620
62240+:103B0000000000009202000B24030017304200FF67
62241+:103B100014430004000000000E000E11000000001D
62242+:103B2000004088210E000B68000000009202000A8D
62243+:103B3000304200081040000624020C808F850028C7
62244+:103B40003C0400080E0011EE0344202124020C80E6
62245+:103B5000AF4200248FBF0018022010218FB0001048
62246+:103B60008FB1001403E0000827BD002027BDFFE847
62247+:103B7000AFBF0014AFB000108F5000243C0308000A
62248+:103B80008C6300E08F4501002402FF8000A3182110
62249+:103B90003064007F03442021006218243C02000AA4
62250+:103BA00000822021AF850034AF4300249082006260
62251+:103BB000AF8400283042000F34420050A0820062DF
62252+:103BC0003C02001F3442FF800E00062602028024C1
62253+:103BD000AF5000248FBF00148FB0001003E0000826
62254+:103BE00027BD00183C0208008C4200201040001D38
62255+:103BF0002745010090A300093C0200080342202150
62256+:103C000024020018546200033C0200080A000ED887
62257+:103C10002402000803422021240200161462000539
62258+:103C20002402001724020012A082003F0A000EE2C4
62259+:103C300094A700085462000694A700089362000548
62260+:103C40002403FFFE00431024A362000594A700088C
62261+:103C500090A6001B8CA4000094A500060A000ACCC4
62262+:103C600000073C0003E000080000000027440100BA
62263+:103C700094820008304500FF38A3008238A20084F7
62264+:103C80002C6300012C420001006218251060000620
62265+:103C9000240200839382002D1040000D00000000DC
62266+:103CA0000A000B9B0000000014A2000524A2FF8064
62267+:103CB0008F4301043C02602003E00008AC43001481
62268+:103CC000304200FF2C420002104000032402002278
62269+:103CD0000A000E3C0000000014A2000300000000D7
62270+:103CE0000A000EA9000000000A000EC70000000034
62271+:103CF0009363007E9362007A144300090000202140
62272+:103D00009362000024030050304200FF144300047B
62273+:103D1000240400019362007E24420001A362007E1D
62274+:103D200003E00008008010218F4201F80440FFFEEC
62275+:103D300024020002AF4401C0A34201C43C021000AF
62276+:103D400003E00008AF4201F827BDFFE8AFBF001055
62277+:103D50009362003F2403000A304200FF14430046F0
62278+:103D6000000000008F6300548F62004C1062007DE1
62279+:103D7000036030219362000024030050304200FFB2
62280+:103D80001443002F000000008F4401403C02080053
62281+:103D90008C4200E02403FF800082102100431024A5
62282+:103DA000AF4200243C0208008C4200E08F650054C2
62283+:103DB0003C03000A008220213084007F034410214C
62284+:103DC00000431021AC4501089762003C8F63004C12
62285+:103DD0003042FFFF0002104000621821AF63005C18
62286+:103DE0008F6300548F64004C9762003C006418237A
62287+:103DF0003042FFFF00031843000210400043102A26
62288+:103E000010400006000000008F6200548F63004CD9
62289+:103E1000004310230A000F58000210439762003C31
62290+:103E20003042FFFF00021040ACC2006424020001D7
62291+:103E3000A0C0007CA0C2008424020C80AF420024F9
62292+:103E40000E000F0A8F440140104000478FBF001042
62293+:103E50008F4301408F4201F80440FFFE240200021C
62294+:103E6000AF4301C0A34201C43C021000AF4201F8BD
62295+:103E70000A000FA88FBF00109362003F24030010B8
62296+:103E8000304200FF14430004000000008F44014052
62297+:103E90000A000F94000028219362003F24030016BB
62298+:103EA000304200FF1443000424020014A362003FC8
62299+:103EB0000A000FA2000000008F62004C8F630050C8
62300+:103EC00000431023044100288FBF0010936200813B
62301+:103ED00024420001A3620081936200812C4200040D
62302+:103EE00014400010000000009362003F240300040F
62303+:103EF000304200FF14430006000000008F440140E0
62304+:103F00008FBF0010240500930A0005A027BD0018EC
62305+:103F10008F440140240500938FBF00100A00060F54
62306+:103F200027BD00188F4401400E0002500000000021
62307+:103F30008F6200542442FFFFAF6200548F62005032
62308+:103F40002442FFFFAF6200500E0002598F4401402F
62309+:103F50008F4401408FBF0010240500040A00025E58
62310+:103F600027BD00188FBF001003E0000827BD001810
62311+:103F70008F4201889363007E00021402304400FFE8
62312+:103F8000306300FF1464000D0000000093620080A5
62313+:103F9000304200FF1044000900000000A3640080CC
62314+:103FA0009362000024030050304200FF14430004D9
62315+:103FB000000000000A0006D78F440180A36400803F
62316+:103FC00003E000080000000027BDFFE8AFB00010CC
62317+:103FD000AFBF00149362000524030030304200306C
62318+:103FE00014430089008080213C0208008C4200209C
62319+:103FF00010400080020020210E0004930000000009
62320+:104000008F850020ACB000009362003E9363003FB8
62321+:10401000304200FF00021200306300FF0043102511
62322+:10402000ACA2000493620082000216000002160394
62323+:1040300004410005000000003C0308008C630048B8
62324+:104040000A000FE6000000009362003E304200408C
62325+:10405000144000030000182193620081304300FFE8
62326+:104060009362008200031E00304200FF0002140031
62327+:1040700000621825ACA300088F620040ACA2000CBF
62328+:104080008F620048ACA200108F62004CACA20014FA
62329+:104090008F6200508F63004C0043102304410003E3
62330+:1040A000000000000A000FFA8F62004C8F6200507F
62331+:1040B000ACA200183C02080094424B5E3C03C00BCB
62332+:1040C00000002021004310250E0004B8ACA2001C03
62333+:1040D0008F6200548F840020AC8200008F620058F1
62334+:1040E000AC8200048F62005CAC8200088F620060CA
62335+:1040F0008F43007400431021AC82000C8F62006477
62336+:10410000AC820010976300689762006A00031C008D
62337+:104110003042FFFF00621825AC83001493620082D6
62338+:1041200024030080304200FF14430003000000001D
62339+:104130000A00102EAC8000188F63000C24020001CE
62340+:104140001062000E2402FFFF9362003E30420040E6
62341+:104150001440000A2402FFFF8F63000C8F4200749A
62342+:10416000006218233C020800006210241440000280
62343+:10417000000028210060282100051043AC820018AF
62344+:104180003C02080094424B5E3C03C00C000020211E
62345+:10419000004310258F8300200E0004B8AC62001C81
62346+:1041A0008F6200188F8300203C05080094A54B5EA9
62347+:1041B00024040001AC620000AC6000048F66006C57
62348+:1041C0003C02400D00A22825AC6600088F6200DC8E
62349+:1041D000AC62000CAC600010936200050002160097
62350+:1041E000AC620014AC6000180E0004B8AC65001C92
62351+:1041F000020020218FBF00148FB00010A3600005C3
62352+:104200000A00042127BD00188FBF00148FB00010D2
62353+:1042100003E0000827BD00189742007C30C600FF6D
62354+:10422000A08600843047FFFF2402000514C2000B63
62355+:1042300024E3465090A201122C42000710400007D0
62356+:1042400024E30A0090A30112240200140062100467
62357+:1042500000E210210A0010663047FFFF3067FFFFC1
62358+:1042600003E00008A4870014AC87004C8CA201086E
62359+:104270000080402100A0482100E2102330C600FF4A
62360+:104280001840000393AA001324E2FFFCACA201082B
62361+:1042900030C2000110400008000000008D020050F4
62362+:1042A00000E2102304410013240600058D0200548F
62363+:1042B00010E20010000000008D02005414E2001A09
62364+:1042C000000000003C0208008C4200D83042002070
62365+:1042D0001040000A2402000191030078910200833B
62366+:1042E000144300062402000101002021012028219E
62367+:1042F000240600040A00105400000000A1000084FD
62368+:1043000011400009A50200148F4301008F4201F8FB
62369+:104310000440FFFE24020002AF4301C0A34201C4D7
62370+:104320003C021000AF4201F803E00008000000006A
62371+:1043300027BDFFE88FA90028AFBF001000804021F3
62372+:1043400000E918231860007330C600FFA080007CCD
62373+:10435000A08000818CA2010800E210230440004DDF
62374+:10436000000000008C8200509483003C8C84006428
62375+:10437000004748233063FFFF012318210083202BCF
62376+:1043800010800004000000008D0200640A0010B7D5
62377+:1043900000E210219502003C3042FFFF0122102173
62378+:1043A00000E21021AD02005C9502003C8D03005C30
62379+:1043B0003042FFFF0002104000E210210043102BAA
62380+:1043C00010400003000000000A0010C68D02005CCF
62381+:1043D0009502003C3042FFFF0002104000E2102135
62382+:1043E000AD02005CA1000084AD07004C8CA2010866
62383+:1043F00000E210231840000224E2FFFCACA20108F6
62384+:1044000030C200011040000A000000008D02005080
62385+:1044100000E2102304410004010020218D02005419
62386+:1044200014E20003000000000A0010E82406000562
62387+:104430008D02005414E200478FBF00103C020800B8
62388+:104440008C4200D8304200201040000A24020001B3
62389+:1044500091030078910200831443000624020001B6
62390+:1044600001002021240600048FBF00100A00105410
62391+:1044700027BD0018A1000084A50200148F4301008D
62392+:104480008F4201F80440FFFE240200020A00110DD1
62393+:10449000000000008C82005C004910230043102BB8
62394+:1044A00054400001AC87005C9502003C3042FFFFA5
62395+:1044B0000062102B14400007240200029502003C09
62396+:1044C0008D03005C3042FFFF00621821AD03005CE9
62397+:1044D00024020002AD07004CA10200840E000F0A66
62398+:1044E0008F4401001040001B8FBF00108F4301005C
62399+:1044F0008F4201F80440FFFE24020002AF4301C0D6
62400+:10450000A34201C43C021000AF4201F80A0011238B
62401+:104510008FBF001030C200101040000E8FBF00107F
62402+:104520008C83005C9482003C006918233042FFFFBA
62403+:10453000006218213C023FFF3444FFFF0083102B30
62404+:10454000544000010080182101231021AD02005CBD
62405+:104550008FBF001003E0000827BD001827BDFFE84B
62406+:104560008FAA0028AFBF00100080402100EA482336
62407+:104570001920002130C600FF8C83005C8C8200640F
62408+:10458000006A18230043102B5040001000691821C6
62409+:1045900094A2011001221021A4A2011094A20110E2
62410+:1045A0003042FFFF0043102B1440000A3C023FFF43
62411+:1045B00094A2011000431023A4A201109482003C95
62412+:1045C0003042FFFF0A00114200621821A4A001102E
62413+:1045D0003C023FFF3444FFFF0083102B5440000196
62414+:1045E0000080182100671021AD02005CA100007C52
62415+:1045F0000A00118AA100008130C200101040003C66
62416+:10460000000000008C820050004A1023184000383F
62417+:10461000000000009082007C24420001A082007C07
62418+:104620009082007C3C0308008C630024304200FF31
62419+:104630000043102B1440005C8FBF00108CA20108B7
62420+:1046400000E2102318400058000000008C83005442
62421+:104650009482003C006A18233042FFFF0003184395
62422+:10466000000210400043102A104000050000000026
62423+:104670008C820054004A10230A001171000210437A
62424+:104680009482003C3042FFFF00021040AD02006403
62425+:104690009502003C8D0400649503003C3042FFFF0E
62426+:1046A00000021040008220213063FFFF00831821A8
62427+:1046B00001431021AD02005C8D020054ACA2010840
62428+:1046C00024020002A10200840E000F0A8F440100A0
62429+:1046D000104000358FBF00108F4301008F4201F85A
62430+:1046E0000440FFFE240200020A0011B30000000093
62431+:1046F000AD07004C8CA2010800E210231840000214
62432+:1047000024E2FFFCACA2010830C200011040000A04
62433+:10471000000000008D02005000E21023044100045C
62434+:10472000010020218D02005414E20003000000006B
62435+:104730000A0011AA240600058D02005414E2001A92
62436+:104740008FBF00103C0208008C4200D8304200208D
62437+:104750001040000A240200019103007891020083B6
62438+:104760001443000624020001010020212406000455
62439+:104770008FBF00100A00105427BD0018A10000844C
62440+:10478000A50200148F4301008F4201F80440FFFE90
62441+:1047900024020002AF4301C0A34201C43C02100046
62442+:1047A000AF4201F88FBF001003E0000827BD0018DA
62443+:1047B0008FAA00108C8200500080402130C600FF7C
62444+:1047C000004A102300A048211840000700E01821EB
62445+:1047D00024020001A0800084A0A00112A482001481
62446+:1047E0000A001125AFAA0010A0800081AD07004C7F
62447+:1047F0008CA2010800E210231840000224E2FFFC12
62448+:10480000ACA2010830C20001104000080000000006
62449+:104810008D0200500062102304410013240600059D
62450+:104820008D02005410620010000000008D02005440
62451+:1048300014620011000000003C0208008C4200D805
62452+:10484000304200201040000A240200019103007849
62453+:10485000910200831443000624020001010020217C
62454+:1048600001202821240600040A0010540000000042
62455+:10487000A1000084A502001403E00008000000006D
62456+:1048800027BDFFE0AFBF0018274201009046000A95
62457+:104890008C4800148C8B004C9082008430C900FF3F
62458+:1048A00001681823304A00FF1C60001A2D460006DC
62459+:1048B000240200010142100410C00016304300031E
62460+:1048C000012030210100382114600007304C000C19
62461+:1048D00015800009304200301440000B8FBF0018D3
62462+:1048E0000A001214000000000E001125AFAB0010EA
62463+:1048F0000A0012148FBF00180E00109AAFAB001000
62464+:104900000A0012148FBF0018AFAB00100E0011BACE
62465+:10491000AFAA00148FBF001803E0000827BD0020D5
62466+:1049200024020003A08200848C82005403E000086B
62467+:10493000ACA201083C0200080342182190620081E9
62468+:10494000240600433C07601924420001A062008154
62469+:10495000906300813C0208008C4200C0306300FF7D
62470+:10496000146200102403FF803C0208008C4200E027
62471+:104970000082102100431024AF4200243C020800B2
62472+:104980008C4200E03C03000A008210213042007F8C
62473+:104990000342102100431021944500D40A000AF17B
62474+:1049A00030A5FFFF03E000080000000027BDFFE086
62475+:1049B000AFBF0018AFB10014AFB000108F4201803C
62476+:1049C0000080802100A088210E00121B00402021C1
62477+:1049D000A20000848E0200548FBF00188FB0001018
62478+:1049E000AE2201088FB1001403E0000827BD0020AB
62479+:1049F00027BDFFE03C020008AFB00010AFBF0018B9
62480+:104A0000AFB10014034280218F5101409203008412
62481+:104A10008E0400508E02004C14820040306600FF6D
62482+:104A20003C0208008C4200E02403FF800222102197
62483+:104A300000431024AF4200243C0208008C4200E0F6
62484+:104A40009744007C92050081022210213042007FB1
62485+:104A5000034218213C02000A0062182114A0000B36
62486+:104A60003084FFFF2402000554C20014248205DCB8
62487+:104A70009062011224420001A062011224020C8003
62488+:104A8000AF4200240A00127324020005A060011244
62489+:104A90002402000514C20009248205DC9202008170
62490+:104AA0002C4200075040000524820A009203008136
62491+:104AB0002402001400621004008210213044FFFF21
62492+:104AC000A60400140E00121B022020219602003CB6
62493+:104AD0008E03004C022020213042FFFF00021040D4
62494+:104AE000006218210E000250AE03005C9202007DAD
62495+:104AF00002202021344200400E000259A202007D13
62496+:104B00008F4201F80440FFFE24020002AF5101C0B1
62497+:104B1000A34201C43C021000AF4201F88FBF00184D
62498+:104B20008FB100148FB0001003E0000827BD0020F3
62499+:104B300008000ACC08000B1408000B9808000BE4CE
62500+:104B400008000C200A0000280000000000000000FF
62501+:104B50000000000D6370362E322E3300000000007E
62502+:104B60000602030400000000000000000000000036
62503+:104B70000000000000000000000000000000000035
62504+:104B80000000000000000000000000000000002005
62505+:104B90000000000000000000000000000000000015
62506+:104BA0000000000000000000000000000000000005
62507+:104BB00000000000000000000000000000000001F4
62508+:104BC0000000002B000000000000000400030D4066
62509+:104BD00000000000000000000000000000000000D5
62510+:104BE00000000000000000001000000300000000B2
62511+:104BF0000000000D0000000D3C020800244258A4F3
62512+:104C00003C03080024635F70AC4000000043202B8D
62513+:104C10001480FFFD244200043C1D080037BD7FFCCA
62514+:104C200003A0F0213C100800261000A03C1C080046
62515+:104C3000279C58A40E0001AC000000000000000DED
62516+:104C400027BDFFE83C096018AFBF00108D2C500055
62517+:104C5000240DFF7F24080031018D5824356A380C5B
62518+:104C600024070C003C1A8000AD2A50003C04800A46
62519+:104C7000AF4800083C1B8008AF4700240E00091510
62520+:104C8000AF8400100E0008D8000000000E000825B8
62521+:104C9000000000000E001252000000003C046016EC
62522+:104CA0008C8500003C06FFFF3C02535300A61824ED
62523+:104CB0001062004734867C0094C201F2A780002C69
62524+:104CC00010400003A78000CC38581E1EA798002C67
62525+:104CD00094C201F810400004978300CC38591E1E7E
62526+:104CE000A79900CC978300CC2C7F006753E000018C
62527+:104CF000240300669784002C2C82040114400002D7
62528+:104D000000602821240404003C0760008CE904387A
62529+:104D10002403103C3128FFFF1103001F30B9FFFFAF
62530+:104D200057200010A38000CE24020050A38200CEA2
62531+:104D3000939F00CE53E0000FA78500CCA78000CC46
62532+:104D4000978500CC8FBF0010A780002CA78000346F
62533+:104D5000A78000E63C010800AC25008003E00008C5
62534+:104D600027BD0018939F00CE57E0FFF5A78000CC29
62535+:104D7000A78500CC978500CC8FBF0010A784002C9E
62536+:104D8000A7800034A78000E63C010800AC25008025
62537+:104D900003E0000827BD0018A38000CE8CCB003CA8
62538+:104DA000316A00011140000E0000000030A7FFFF33
62539+:104DB00010E0FFDE240200508CCC00C831860001D8
62540+:104DC00014C0FFDC939F00CE0A00007A2402005139
62541+:104DD0008C8F00043C0E60000A00005D01EE302163
62542+:104DE0008CEF0808240D5708000F740211CD000441
62543+:104DF00030B8FFFF240500660A00007B240404008D
62544+:104E00001700FFCC939F00CE0A00007A24020050C6
62545+:104E10008F8600103089FFFF000939408CC30010D5
62546+:104E20003C08005000E82025AF4300388CC5001432
62547+:104E300027420400AF82001CAF45003CAF44003065
62548+:104E40000000000000000000000000000000000062
62549+:104E50000000000000000000000000000000000052
62550+:104E60008F4B0000316A00201140FFFD0000000060
62551+:104E700003E00008000000008F840010948A001AEC
62552+:104E80008C8700243149FFFF000940C000E8302131
62553+:104E9000AF46003C8C8500248F43003C00A31023C8
62554+:104EA00018400029000000008C8B002025620001C2
62555+:104EB0003C0D005035AC0008AF420038AF4C00301C
62556+:104EC00000000000000000000000000000000000E2
62557+:104ED00000000000000000000000000000000000D2
62558+:104EE0008F4F000031EE002011C0FFFD00000000D8
62559+:104EF0008F4A04003C080020AC8A00108F4904044B
62560+:104F0000AC890014AF4800300000000094860018FF
62561+:104F10009487001C00C71821A48300189485001AE8
62562+:104F200024A20001A482001A9498001A9499001EE9
62563+:104F3000133800030000000003E000080000000038
62564+:104F400003E00008A480001A8C8200200A0000DC24
62565+:104F50003C0D00500A0000CD000000003C0308009A
62566+:104F60008C6300208F82001827BDFFE810620008C4
62567+:104F7000AFBF00100E000104AF8300183C0308000F
62568+:104F80008C63002024040001106400048F89001049
62569+:104F90008FBF001003E0000827BD00188FBF00106E
62570+:104FA0003C076012A520000A9528000A34E500108D
62571+:104FB00027BD00183106FFFF03E00008ACA60090F3
62572+:104FC0003C0208008C42002027BDFFC8AFBF003460
62573+:104FD000AFBE0030AFB7002CAFB60028AFB500248D
62574+:104FE000AFB40020AFB3001CAFB20018AFB10014D3
62575+:104FF00010400050AFB000108F840010948600065F
62576+:105000009483000A00C3282330B6FFFF12C0004A71
62577+:105010008FBF003494890018948A000A012A402323
62578+:105020003102FFFF02C2382B14E0000202C020212F
62579+:10503000004020212C8C0005158000020080A0215A
62580+:10504000241400040E0000B3028020218F8700107A
62581+:1050500002809821AF80001494ED000A028088211C
62582+:105060001280004E31B2FFFF3C1770003C1540002B
62583+:105070003C1E60008F8F001C8DEE000001D71824AD
62584+:10508000507500500220202102A3802B160000350D
62585+:105090003C182000507800470220202124100001F5
62586+:1050A0008F83001414600039029158230230F823D2
62587+:1050B0000250C82133F1FFFF1620FFEE3332FFFF0D
62588+:1050C0008F8700103C110020AF510030000000001D
62589+:1050D00094E6000A3C1E601237D5001002662821B3
62590+:1050E000A4E5000A94E2000A94F2000A94F400187D
62591+:1050F0003057FFFF1292003BAEB700908CED0014CA
62592+:105100008CE400100013714001AE4021000E5FC31B
62593+:10511000010E502B008B4821012A1821ACE8001405
62594+:10512000ACE3001002D3382330F6FFFF16C0FFB9FE
62595+:105130008F8400108FBF00348FBE00308FB7002CDB
62596+:105140008FB600288FB500248FB400208FB3001CC9
62597+:105150008FB200188FB100148FB0001003E0000868
62598+:1051600027BD0038107E001B000000001477FFCC24
62599+:10517000241000010E00159B000000008F83001416
62600+:105180001060FFCB0230F823029158238F87001064
62601+:10519000017020210A0001973093FFFF8F830014D4
62602+:1051A0001460FFCB3C110020AF5100300A000163B6
62603+:1051B000000000000E00077D024028210A00015770
62604+:1051C000004080210E00033A024028210A000157C6
62605+:1051D000004080210E001463022020210A000157A4
62606+:1051E000004080210E0000CD000000000A0001797F
62607+:1051F00002D3382327BDFFE8AFB00010AFBF0014C3
62608+:105200000E00003F000000003C028000345000709F
62609+:105210000A0001BA8E0600008F4F000039EE00012F
62610+:1052200031C20001104000248F8600A88E070000C4
62611+:105230003C0C08008D8C003C3C0908008D2900388E
62612+:1052400000E66823018D28210000502100AD302B9D
62613+:10525000012A4021010620213C010800AC25003C28
62614+:10526000AF8700A83C010800AC2400380E000106FE
62615+:10527000000000003C0308008C6300701060FFE633
62616+:10528000006020213C0508008CA500683C06080051
62617+:105290008CC6006C0E00152A000000003C010800BE
62618+:1052A000AC2000708F4F000039EE000131C20001C8
62619+:1052B0001440FFDE8F8600A88E0A00008F8B00A8A6
62620+:1052C0003C0508008CA5003C3C0408008C84003898
62621+:1052D000014B482300A938210082182100E9402B06
62622+:1052E000006810213C010800AC27003C3C0108008C
62623+:1052F000AC2200388F5F01002419FF0024180C0035
62624+:1053000003F9202410980012AF840000AF4400205D
62625+:10531000936D0000240C002031A600FF10CC001279
62626+:10532000240E005010CE00043C194000AF59013843
62627+:105330000A0001B3000000000E0011C800000000C8
62628+:105340003C194000AF5901380A0001B300000000C9
62629+:105350000E00011F000000003C194000AF59013849
62630+:105360000A0001B3000000008F58010000802821CE
62631+:10537000330F00FF01E020210E0002F1AF8F000487
62632+:105380003C194000AF5901380A0001B30000000089
62633+:1053900000A4102B2403000110400009000030215C
62634+:1053A0000005284000A4102B04A0000300031840AF
62635+:1053B0005440FFFC000528405060000A0004182BF0
62636+:1053C0000085382B54E000040003184200C3302548
62637+:1053D00000852023000318421460FFF900052842CD
62638+:1053E0000004182B03E0000800C310218F4201B80D
62639+:1053F0000440FFFE00000000AF4401803C031000A9
62640+:1054000024040040AF450184A3440188A3460189D8
62641+:10541000A747018A03E00008AF4301B83084FFFFCB
62642+:105420000080382130A5FFFF000020210A00022A59
62643+:10543000240600803087FFFF8CA40000240600387B
62644+:105440000A00022A000028218F8300388F8600304E
62645+:105450001066000B008040213C07080024E75A1822
62646+:10546000000328C000A710218C4400002463000121
62647+:10547000108800053063000F5466FFFA000328C04F
62648+:1054800003E00008000010213C07080024E75A1C34
62649+:1054900000A7302103E000088CC200003C0390000C
62650+:1054A0003462000100822025AF4400208F45002097
62651+:1054B00004A0FFFE0000000003E000080000000060
62652+:1054C0003C038000346200010082202503E00008D4
62653+:1054D000AF44002027BDFFE0AFB100143091FFFFC3
62654+:1054E000AFB00010AFBF00181220001300A0802141
62655+:1054F0008CA2000024040002240601401040000F8A
62656+:10550000004028210E000C5C00000000000010216B
62657+:10551000AE000000022038218FBF00188FB10014A8
62658+:105520008FB0001000402021000028210000302111
62659+:105530000A00022A27BD00208CA200000220382188
62660+:105540008FBF00188FB100148FB0001000402021D1
62661+:1055500000002821000030210A00022A27BD002077
62662+:1055600000A010213087FFFF8CA500048C440000B0
62663+:105570000A00022A2406000627BDFFE0AFB0001093
62664+:10558000AFBF0018AFB100149363003E00808021CC
62665+:105590000080282130620040000020211040000FD0
62666+:1055A0008E1100000E000851022020219367000098
62667+:1055B0002404005030E500FF50A400128E0F0000BC
62668+:1055C000022020218FBF00188FB100148FB000106F
62669+:1055D000A762013C0A00091127BD00200E000287C6
62670+:1055E000000000000E0008510220202193670000F7
62671+:1055F0002404005030E500FF14A4FFF20220202113
62672+:105600008E0F00003C1008008E1000503C0D000C66
62673+:10561000240BFF8001F05021314E007F01DA602120
62674+:10562000018D4021014B4824AF4900280220202150
62675+:105630008FBF00188FB100148FB00010A50200D6E4
62676+:1056400027BD00200A000911AF8800D027BDFFE068
62677+:10565000AFBF0018AFB10014AFB0001093660001E7
62678+:10566000008080210E00025630D1000493640005B2
62679+:10567000001029C2A765000034830040A363000521
62680+:105680000E00025F020020210E00091302002021FB
62681+:1056900024020001AF62000C02002821A762001062
62682+:1056A00024040002A762001224060140A76200142D
62683+:1056B0000E000C5CA76200161620000F8FBF0018AA
62684+:1056C000978C00343C0B08008D6B00782588FFFF19
62685+:1056D0003109FFFF256A0001012A382B10E000067E
62686+:1056E000A78800343C0F6006240E001635ED00102C
62687+:1056F000ADAE00508FBF00188FB100148FB00010F6
62688+:1057000003E0000827BD002027BDFFE0AFB1001473
62689+:10571000AFBF0018AFB0001000A088211080000AB1
62690+:105720003C03600024020080108200120000000090
62691+:105730000000000D8FBF00188FB100148FB0001053
62692+:1057400003E0000827BD00208C682BF80500FFFE51
62693+:1057500000000000AC712BC08FBF00188FB1001487
62694+:105760008FB000103C09100027BD002003E00008A6
62695+:10577000AC692BF80E00025600A0202193650005AD
62696+:10578000022020210E00025F30B000FF2403003E03
62697+:105790001603FFE7000000008F4401780480FFFE3D
62698+:1057A000240700073C061000AF51014002202021D1
62699+:1057B000A34701448FBF00188FB100148FB00010B1
62700+:1057C000AF4601780A0002C227BD002027BDFFE8CE
62701+:1057D000AFBF0014AFB000108F50002000000000D9
62702+:1057E0000E000913AF440020AF5000208FBF0014FB
62703+:1057F0008FB0001003E0000827BD00183084FFFFC1
62704+:10580000008038212406003500A020210A00022A49
62705+:10581000000028213084FFFF008038212406003654
62706+:1058200000A020210A00022A0000282127BDFFD065
62707+:10583000AFB3001C3093FFFFAFB50024AFB2001828
62708+:10584000AFBF0028AFB40020AFB10014AFB000105C
62709+:1058500030B5FFFF12600027000090218F90001CE0
62710+:105860008E0300003C0680002402004000033E023C
62711+:1058700000032C0230E4007F006688241482001D9F
62712+:1058800030A500FF8F8300282C68000A510000100B
62713+:105890008F910014000358803C0C0800258C56940E
62714+:1058A000016C50218D49000001200008000000001B
62715+:1058B00002B210213045FFFF0E000236240400849E
62716+:1058C000162000028F90001CAF8000288F910014DA
62717+:1058D000260C002026430001018080213072FFFF4A
62718+:1058E00016200004AF8C001C0253502B1540FFDC27
62719+:1058F00000000000024010218FBF00288FB5002457
62720+:105900008FB400208FB3001C8FB200188FB1001429
62721+:105910008FB0001003E0000827BD0030240E0034D3
62722+:1059200014AE00F9000000009203000E241F168040
62723+:105930003C07000CA36300219202000D0347C8211D
62724+:105940003C066000A3620020961100123C0A7FFF13
62725+:10595000354CFFFFA771003C960B00102403000597
62726+:105960003168FFFFAF6800848E05001CAF5F002820
62727+:105970008F3800008CC4444803057826008F3021FE
62728+:10598000AF66004C8F69004C24CE00013C057F00BF
62729+:10599000AF6900508F740050AF740054AF66007050
62730+:1059A000AF6E00588F6D005824140050AF6D005C2E
62731+:1059B000A3600023AF6C0064A36300378E02001461
62732+:1059C000AF6200488F710048AF7100248E0B001841
62733+:1059D000AF6B006C9208000CA3680036937F003E0A
62734+:1059E00037F90020A379003E8F78007403058024E6
62735+:1059F000360F4000AF6F007493640000308900FFE1
62736+:105A0000513402452404FF803C04080024845A9841
62737+:105A10000E00028D000000003C1008008E105A9805
62738+:105A20000E00025602002021240600042407000173
62739+:105A3000A366007D020020210E00025FA36700051F
62740+:105A40008F5F017807E0FFFE240B0002AF5001409A
62741+:105A5000A34B01448F90001C3C081000AF48017814
62742+:105A60000A000362AF8000282CAD003751A0FF98D8
62743+:105A70008F9100140005A0803C180800271856BC20
62744+:105A8000029878218DEE000001C00008000000009F
62745+:105A90002418000614B80011000000003C0808009B
62746+:105AA0008D085A9824040005AF4800208E1F001866
62747+:105AB000AF7F00188F79004CAF79001C8F650050C4
62748+:105AC000122000C0AF6500700A000362AF84002896
62749+:105AD0002406000710A60083240300063C050800E6
62750+:105AE00024A55A980E000264240400818F90001CA3
62751+:105AF0000011102B0A000362AF8200282407000463
62752+:105B000014A7FFF6240500503C1808008F185A9877
62753+:105B1000AF5800208E0F0008AF6F00408E090008BC
62754+:105B2000AF6900448E14000CAF7400488E0E001054
62755+:105B3000AF6E004C8E0D0010AF6D00848E0A001405
62756+:105B4000AF6A00508E0C0018AF6C00548E04001C1D
62757+:105B5000AF64005893630000306B00FF116501D8FB
62758+:105B6000000000008F7400488F6900400289702394
62759+:105B700005C000042404008C1620FFDE240200036C
62760+:105B8000240400823C05080024A55A980E000287D0
62761+:105B9000000000008F90001C000010210A0003622A
62762+:105BA000AF820028240F000514AFFFCC240520008D
62763+:105BB0003C0708008CE75A98AF4700208E06000487
62764+:105BC000AF66005C9208000824100008A36800215A
62765+:105BD0008F9F001C93F90009A37900208F86001C79
62766+:105BE00090D8000A330400FF10900011000000005C
62767+:105BF0002885000914A0006924020002240A00205C
62768+:105C0000108A000B34058000288D002115A00008A3
62769+:105C100024054000240E0040108E00053C050001C4
62770+:105C200024140080109400023C050002240540006A
62771+:105C30008F7800743C19FF00031980240205782531
62772+:105C4000AF6F007490C4000BA36400818F84001CAC
62773+:105C50009489000C11200192000000009490000C27
62774+:105C60002406FFBF24050004A770003C908F000E9F
62775+:105C7000A36F003E8F84001C9089000FA369003F32
62776+:105C80008F8B001C8D6E00108F54007401D468231C
62777+:105C9000AF6D00608D6A0014AF6A0064956C0018E7
62778+:105CA000A76C00689563001AA763006A8D62001CE8
62779+:105CB000AF62006C9167000EA367003E9368003EE0
62780+:105CC0000106F8241220014BA37F003E8F90001C98
62781+:105CD0000A000362AF8500282407002214A7FF7F73
62782+:105CE000240300073C0B08008D6B5A981220000C0F
62783+:105CF000AF4B00200A000362AF830028240C00335E
62784+:105D000010AC0014240A00283C05080024A55A9869
62785+:105D10000E00023C240400810A0003EB8F90001C5B
62786+:105D20003C04080024845A980E00028D00000000F4
62787+:105D30009363000024110050306200FF10510135C0
62788+:105D4000000000008F90001C000018210A00036270
62789+:105D5000AF8300283C0D08008DAD5A9824040081C3
62790+:105D6000AF4D00203C05080024A55A980E00023CC7
62791+:105D7000A36A00348F90001C240200090A00036209
62792+:105D8000AF82002802B288213225FFFF0E000236C2
62793+:105D9000240400840A0003628F90001C1082FFA478
62794+:105DA00024050400288B000311600170240C0004FA
62795+:105DB000240300015483FF9E240540000A00043B95
62796+:105DC000240501003C04080024845A988F62004C8A
62797+:105DD0000E00028D8F6300508F90001C0000202168
62798+:105DE0000A000362AF8400288E1000042404008A95
62799+:105DF000AF50002093790005333800021700015F8F
62800+:105E0000020028219368002302002821311F00206E
62801+:105E100017E0015A2404008D9367003F2406001206
62802+:105E200030E200FF10460155240400810E000256A6
62803+:105E30000200202193630023240500040200202196
62804+:105E4000346B0042A36B00230E00025FA365007D4C
62805+:105E50008F4401780480FFFE240A0002AF50014005
62806+:105E6000A34A01448F90001C3C0C1000AF4C0178F9
62807+:105E70000A0003EC0011102B8E1000042404008A89
62808+:105E8000AF500020936E000531CD000215A0001622
62809+:105E900002002821936F003F2414000402002821EF
62810+:105EA00031E900FF11340010240400810E00025675
62811+:105EB000020020219362002324080012241FFFFE09
62812+:105EC00034460020A3660023A368003F93790005B1
62813+:105ED00002002021033FC0240E00025FA3780005CA
62814+:105EE00002002821000020210E00033400000000E1
62815+:105EF0000A0003EB8F90001C8E1000043C03000886
62816+:105F00000343A021AF500020928B000024050050D5
62817+:105F1000316400FF10850161240700880200202100
62818+:105F2000000028210E00022A2406000E928D000097
62819+:105F3000240EFF800200282101AE8025A2900000DF
62820+:105F4000240400040E000C5C240600300A0003EB5D
62821+:105F50008F90001C8E0800043C14080026945A9868
62822+:105F60003C010800AC285A98AF480020921F00035B
62823+:105F700033F9000413200002240200122402000658
62824+:105F8000A362003F920B001B2404FFC03165003F59
62825+:105F900000A43825A367003E9206000330C200012A
62826+:105FA00014400132000000008E020008AE8200089A
62827+:105FB0003C0208008C425AA010400131000249C244
62828+:105FC000A76900088E14000C240C0001240300149F
62829+:105FD000AF74002C8E0E0010AF6E0030960D0016C0
62830+:105FE000A76D0038960A0014A76A003AAF6C000C3F
62831+:105FF000A76C0010A76C0012A76C0014A76C001609
62832+:1060000012200136A3630034920F000331F0000226
62833+:106010002E1100018F90001C262200080A00036246
62834+:10602000AF8200288E0400043C0E0008034E30218D
62835+:10603000AF4400208E05000890CD0000240C0050D5
62836+:1060400031AA00FF114C00862407008824060009AD
62837+:106050000E00022A000000000A0003EB8F90001CD3
62838+:106060008E04001C0E00024100000000104000F4ED
62839+:10607000004050218F89001C240700890140202105
62840+:106080008D25001C240600010E00022A00000000DD
62841+:106090000A0003EB8F90001C960D00023C140800D0
62842+:1060A00026945A9831AA0004514000B83C10600070
62843+:1060B0008E0E001C3C010800AC2E5A98AF4E0020FA
62844+:1060C000920700102408001430E200FF144800D6A4
62845+:1060D00000000000960B00023163000114600165AE
62846+:1060E000000000008E020004AE8200083C1408008C
62847+:1060F0008E945AA01280015B000000008F7400741F
62848+:106100003C0380002404000102835825AF6B007417
62849+:10611000A3600005AF64000C3C0708008CE75AA0A0
62850+:106120008F86001CA7640010000711C2A76400122C
62851+:10613000A7640014A7640016A76200088CC80008B2
62852+:1061400024040002AF68002C8CC5000CAF65003041
62853+:1061500090DF0010A37F00348F99001C9330001152
62854+:10616000A37000358F98001C930F0012A36F0036A8
62855+:106170008F89001C912E0013A36E00378F90001C96
62856+:10618000960D0014A76D0038960A0016A76A003A0B
62857+:106190008E0C0018AF6C00245620FDCCAF84002874
62858+:1061A0003C05080024A55A980E0002640000202136
62859+:1061B0008F90001C0A0004A7000020218E1000040C
62860+:1061C00024070081AF500020936900233134001070
62861+:1061D000128000170000000002002021000028218A
62862+:1061E0002406001F0E00022A000000000A0003EB34
62863+:1061F0008F90001C3C05080024A55A980E000287C9
62864+:10620000240400828F90001C000028210A000362F1
62865+:10621000AF8500283C0408008C845A980E0014E8CE
62866+:10622000000000008F90001C0A000482000018216A
62867+:106230000E00025602002021937800230200202144
62868+:10624000370F00100E00025FA36F002300003821FB
62869+:1062500002002021000028210A0005A82406001FB2
62870+:10626000920F000C31E90001112000030000000032
62871+:106270009618000EA4D8002C921F000C33F90002CF
62872+:1062800013200005000038218E0200149608001229
62873+:10629000ACC2001CA4C8001A0A0005432406000969
62874+:1062A0003C05080024A55A980E0002872404008BA0
62875+:1062B0008F90001C0011282B0A000362AF85002874
62876+:1062C000AF6000843C0A08008D4A5A983C0D0800D3
62877+:1062D0008DAD0050240CFF803C02000C014D1821B4
62878+:1062E000006C2024AF4400288E070014306B007F20
62879+:1062F000017A282100A2C821AF2700D88E060014F9
62880+:10630000AF9900D0AF2600DC8E080010251FFFFEDD
62881+:106310000A000408AF3F01083C0508008CA55A9804
62882+:106320003C1908008F39005024CCFFFE00B9C02171
62883+:1063300003047824AF4F00283C1408008E945A9828
62884+:106340003C0908008D2900500289702131CD007F61
62885+:1063500001BA502101478021AE0600D8AF9000D08D
62886+:10636000AE0000DC0A0003B1AE0C0108548CFE3014
62887+:10637000240540000A00043B240510000E00032EF3
62888+:10638000000000000A0003EB8F90001C8E0F442CCD
62889+:106390003C186C62370979703C010800AC205A98AF
62890+:1063A00015E9000824050140979F00349786002CCA
62891+:1063B0000280282103E6C82B132000112404009238
62892+:1063C000240501400E000C7A240400023C01080060
62893+:1063D000AC225A98AF4200203C0508008CA55A9880
62894+:1063E00010A00005240400830E00084500000000F2
62895+:1063F00010400009240400833C05080024A55A9895
62896+:106400000E000264000000008F90001C0011202B81
62897+:106410000A000362AF8400280E0008490000000053
62898+:106420000A00055F8F90001C0E00084D0000000060
62899+:106430003C05080024A55A980A00062F2404008B66
62900+:10644000240400040E000C7A240500301440002AB5
62901+:10645000004050218F89001C240700830140202127
62902+:106460008D25001C0A000551240600018E04000839
62903+:106470000E000241000000000A00051BAE82000869
62904+:106480003C05080024A55A980E00023C240400870D
62905+:106490008F90001C0A0005360011102B8F830038E6
62906+:1064A0008F8600301066FE9D000038213C070800F2
62907+:1064B00024E75A1C000320C0008728218CAC000070
62908+:1064C00011900061246A00013143000F5466FFFA05
62909+:1064D000000320C00A0004F6000038213C05080033
62910+:1064E00024A55A980E000287240400828F90001C75
62911+:1064F0000A000536000010213C0B0008034B202148
62912+:106500002403005024070001AF420020A0830000B4
62913+:10651000A08700018F82001C90480004A08800180A
62914+:106520008F85001C90A60005A08600198F9F001C77
62915+:1065300093F90006A099001A8F90001C921800078A
62916+:10654000A098001B8F94001C928F0008A08F001C45
62917+:106550008F89001C912E0009A08E001D8F8D001CBC
62918+:1065600091AC000AA08C001E8F8B001C3C0C080014
62919+:10657000258C5A1C9163000B3C0B0800256B5A18A4
62920+:10658000A083001F8F87001C90E8000CA0880020CB
62921+:106590008F82001C9045000D24024646A0850021F4
62922+:1065A0008F86001C90DF000EA09F00228F99001C98
62923+:1065B0009330000FA09000238F98001C93140010BC
62924+:1065C000A09400248F8F001C91E90011A089002560
62925+:1065D0008F89001C8F8E00308F900038952D00140D
62926+:1065E000000E18C025C80001A48D002895270016AC
62927+:1065F000006C3021006BC821A487002A9525001863
62928+:106600003108000FA485002CA482002E8D3F001CB1
62929+:10661000ACCA0000AF88003011100006AF3F000088
62930+:10662000000038218D25001C014020210A00055161
62931+:1066300024060001250C00013184000F00003821E0
62932+:106640000A0006B8AF8400383C07080024E75A184F
62933+:106650000087302100003821ACA000000A0004F6B9
62934+:10666000ACC000003C05080024A55A980A00062F7B
62935+:10667000240400878E0400040E0002410000000084
62936+:106680000A00056AAE8200083084FFFF30C600FFB2
62937+:106690008F4201B80440FFFE00064400010430258B
62938+:1066A0003C07200000C720253C031000AF400180BC
62939+:1066B000AF450184AF44018803E00008AF4301B84F
62940+:1066C00027BDFFE8AFB00010AFBF00143C0760006B
62941+:1066D000240600021080000600A080210010102B6C
62942+:1066E0008FBF00148FB0001003E0000827BD001812
62943+:1066F0003C09600EAD2000348CE5201C8F82001C0C
62944+:106700002408FFFC00A81824ACE3201C0E0006D1CE
62945+:106710008C45000C0010102B8FBF00148FB00010A0
62946+:1067200003E0000827BD00183C02600E344701005A
62947+:1067300024090018274A040000000000000000009F
62948+:10674000000000003C06005034C30200AF44003893
62949+:10675000AF45003CAF430030014018218F4B000093
62950+:10676000316800201100FFFD2406007F2408FFFF90
62951+:106770008C6C000024C6FFFF24630004ACEC000016
62952+:1067800014C8FFFB24E70004000000000000000024
62953+:10679000000000003C0F0020AF4F00300000000060
62954+:1067A00024AD020001A5702B2529FFFF008E2021BA
62955+:1067B0001520FFE101A0282103E0000800000000EF
62956+:1067C00027BDFFE0AFB10014AFBF0018AFB000109D
62957+:1067D0003C05600E8CA20034008088211440000625
62958+:1067E0003C0460008C87201C2408FFFC00E8302457
62959+:1067F00034C30001AC83201C8F8B001C24090001D2
62960+:10680000ACA90034956900028D6500148D70000CF0
62961+:106810002D2400818D6700048D660008108000071C
62962+:106820008D6A00102D2C00041580000E30CE00075C
62963+:10683000312D000311A0000B000000002404008B88
62964+:10684000020028210E0006D1240600030011102B9F
62965+:106850008FBF00188FB100148FB0001003E0000844
62966+:1068600027BD002015C0FFF62404008B3C03002048
62967+:10687000AF4300300000000024020001AF8200148A
62968+:106880000000000000000000000000003C1F01505C
62969+:10689000013FC825253800033C0F600EAF47003884
62970+:1068A00000181882AF46003C35E8003CAF59003074
62971+:1068B000274704008F4400003086002010C0FFFDF1
62972+:1068C00000000000106000082466FFFF2403FFFFA3
62973+:1068D0008CEB000024C6FFFF24E70004AD0B000092
62974+:1068E00014C3FFFB250800043C08600EAD09003806
62975+:1068F0000000000000000000000000003C07002035
62976+:10690000AF470030000000000E0006F901402021D2
62977+:1069100002002821000020210E0006D124060003D9
62978+:106920000011102B8FBF00188FB100148FB0001012
62979+:1069300003E0000827BD002027BDFFE0AFB200182C
62980+:106940003092FFFFAFB10014AFBF001CAFB000101A
62981+:106950001640000D000088210A0007AA022010211D
62982+:1069600024050001508500278CE5000C0000000D77
62983+:10697000262300013071FFFF24E200200232382B71
62984+:1069800010E00019AF82001C8F8200141440001622
62985+:106990008F87001C3C0670003C0320008CE5000043
62986+:1069A00000A62024148300108F84003C00054402BC
62987+:1069B0003C09800000A980241480FFE9310600FF13
62988+:1069C0002CCA00095140FFEB262300010006688015
62989+:1069D0003C0E080025CE579801AE60218D8B00003B
62990+:1069E0000160000800000000022010218FBF001C81
62991+:1069F0008FB200188FB100148FB0001003E00008B0
62992+:106A000027BD00200E0006D1240400841600FFD804
62993+:106A10008F87001C0A00078BAF80003C90EF0002BC
62994+:106A200000002021240600090E0006D1000F2E00D0
62995+:106A30008F87001C0010102B0A00078BAF82003CD0
62996+:106A4000020028210E0006DF240400018F87001CAD
62997+:106A50000A00078BAF82003C020028210E0006DFEF
62998+:106A6000000020210A0007C38F87001C0E00071FAB
62999+:106A7000020020210A0007C38F87001C30B0FFFFEF
63000+:106A8000001019C08F5801B80700FFFE3C1F2004FA
63001+:106A90003C191000AF430180AF400184AF5F018813
63002+:106AA000AF5901B80A00078C262300013082FFFF8E
63003+:106AB00014400003000018210004240224030010E5
63004+:106AC000308500FF14A000053087000F2466000801
63005+:106AD0000004220230C300FF3087000F14E00005DD
63006+:106AE000308900032468000400042102310300FF00
63007+:106AF0003089000315200005388B0001246A00024C
63008+:106B000000042082314300FF388B00013164000112
63009+:106B100010800002246C0001318300FF03E00008B4
63010+:106B200000601021308BFFFF000B394230E600FF80
63011+:106B30003C09080025295998000640800109602178
63012+:106B40008D8700003164001F240A0001008A1804A8
63013+:106B500030A500FF00E3202514A000020003102749
63014+:106B600000E22024240F000100CF700401096821F5
63015+:106B7000000E282714800005ADA400008F86000CAD
63016+:106B800000A6102403E00008AF82000C8F88000CE0
63017+:106B900001C8102503E00008AF82000C3C06001F6E
63018+:106BA0003C0360003084FFFF34C5FF8024020020D6
63019+:106BB000AC602008AC60200CAC602010AC652014E8
63020+:106BC000AC642018AC62200000000000000000004F
63021+:106BD00003E000080000000027BDFFE82402FFFFDB
63022+:106BE000AFBF0010AF82000C000020213C0608005F
63023+:106BF00024C659982405FFFF248900010004408021
63024+:106C00003124FFFF010618212C87002014E0FFFA31
63025+:106C1000AC6500000E0008160000202124020001CF
63026+:106C20003C04600024050020AC822018AC852000C4
63027+:106C3000000000000000000000000000244A0001E5
63028+:106C40003142FFFF2C46040014C0FFF78FBF001035
63029+:106C500003E0000827BD00188F8300082C620400A1
63030+:106C600003E00008384200018F830008246200011D
63031+:106C700003E00008AF8200088F8300082462FFFF52
63032+:106C800003E00008AF82000827BDFFE0AFB10014A9
63033+:106C9000AFBF0018AFB000108F6B00303C06600033
63034+:106CA00000808821ACCB20088F6A002C3C02800039
63035+:106CB00024030008ACCA200C9769003A9768003892
63036+:106CC00000092C003107FFFF00A72025ACC42010CD
63037+:106CD000ACC22014ACC32000000000000000000083
63038+:106CE000000000003C0360008C6D200031AC000807
63039+:106CF0001580FFF9000000008C6E201405C00020F4
63040+:106D0000000000000E0007DA8F84000C00024080B3
63041+:106D10003C09080025295998010938218CE4000014
63042+:106D20000E0007DA00028140020220213090FFFFAE
63043+:106D3000020020210E0007F8000028213C0C8000F2
63044+:106D4000022C58253210FFFF3C116000240A00205D
63045+:106D5000AE2B2014AE302018AE2A20000000000018
63046+:106D60000000000000000000020010218FBF00188A
63047+:106D70008FB100148FB0001003E0000827BD002081
63048+:106D80008C6620143C02001F3443FF803C1FFFE848
63049+:106D900000C3C02437F9080003198021001079C20C
63050+:106DA0003C0C8000022C582531F0FFFF3C116000A4
63051+:106DB000240A0020AE2B2014AE302018AE2A20006A
63052+:106DC0000000000000000000000000000200102190
63053+:106DD0008FBF00188FB100148FB0001003E00008BF
63054+:106DE00027BD002027BDFFE8AFB000103402FFFF31
63055+:106DF0003090FFFFAFBF00141202000602002021F6
63056+:106E00000E00081600000000020020210E0007F806
63057+:106E1000240500018F8400088FBF00148FB000107C
63058+:106E20002483FFFF27BD001803E00008AF8300089C
63059+:106E3000000439C230E6003F00043B42000718401E
63060+:106E4000240210002CC4002024C8FFE0AF42002C14
63061+:106E5000246300011480000330A900FF00071840DC
63062+:106E6000310600FF0003608024080001019A5821C8
63063+:106E70003C0A000E00C82804016A382111200005D0
63064+:106E8000000530278CE900000125302503E00008CB
63065+:106E9000ACE600008CEE000001C6682403E00008A8
63066+:106EA000ACED000027BDFFE8AFBF0014AFB000108D
63067+:106EB0003C0460008C8508083403F00030A2F00028
63068+:106EC00050430006240200018C8708083404E000C7
63069+:106ED00030E6F00010C4001E24020002AF82004021
63070+:106EE0003C1060003C0A0200AE0A0814240910009D
63071+:106EF0003C08000E8E03440003482021AF49002CBB
63072+:106F0000240501200E000CC0000030218F830040BA
63073+:106F1000106000043C021691240B0001106B000E5F
63074+:106F20003C023D2C344F0090AE0F44088FBF00143C
63075+:106F30008FB000103C0C6000240E10003C0D0200CD
63076+:106F400027BD0018AD8E442003E00008AD8D081069
63077+:106F50000A0008E7AF8000403C0218DA344F009086
63078+:106F6000AE0F44088FBF00148FB000103C0C6000BF
63079+:106F7000240E10003C0D020027BD0018AD8E4420E9
63080+:106F800003E00008AD8D08100A0008BB24050001CD
63081+:106F90000A0008BB000028213C08080025085DA461
63082+:106FA0002404FFFF010018212402001E2442FFFFD9
63083+:106FB000AC6400000441FFFD246300043C070800AA
63084+:106FC00024E75E208CE5FFFC2404001C240600015D
63085+:106FD000308A001F0146480424840001000910275C
63086+:106FE0002C8300201460FFFA00A22824ACE5FFFCEB
63087+:106FF0003C05666634A4616E3C06080024C65EE06B
63088+:10700000AF840058AF88009C2404FFFF00C0182103
63089+:107010002402001F2442FFFFAC6400000441FFFD76
63090+:10702000246300043C0766663C05080024A55EA0B6
63091+:10703000AF86004834E6616EAF8600982404FFFFF7
63092+:1070400000A018212402000F2442FFFFAC640000BE
63093+:107050000441FFFD246300043C0B66663C06080007
63094+:1070600024C65E203568616EAF8500A4AF880070CD
63095+:107070002404FFFF00C018212402001F2442FFFF48
63096+:10708000AC6400000441FFFD246300043C0D66660F
63097+:107090003C0A0800254A5F6035AC616EAF860090FF
63098+:1070A000AF8C005C2404FFFF014018212402000380
63099+:1070B0002442FFFFAC6400000441FFFD2463000490
63100+:1070C0003C09080025295F708D27FFFC2404000679
63101+:1070D000240500013099001F0325C0042484000109
63102+:1070E000001878272C8E002015C0FFFA00EF3824F6
63103+:1070F000AD27FFFC3C09666624030400240403DC7E
63104+:1071000024050200240600663522616E3C08080052
63105+:1071100025085AA4AF820074AF830044AF83006C8B
63106+:10712000AF830050AF830084AF8A008CAF840064CB
63107+:10713000AF85004CAF860054AF840078AF85006007
63108+:10714000AF86008001001821240200022442FFFFC4
63109+:10715000AC6000000441FFFD24630004240400032C
63110+:107160002403000C3C0A0800254A5AB0AF8A006884
63111+:107170000A00098E2405FFFF000418802484000102
63112+:10718000006858212C8700C014E0FFFBAD650000AB
63113+:107190003C0E666635CD616E240C17A024081800DD
63114+:1071A000AF8D0088AF8C009403E00008AF88007CAE
63115+:1071B0002484007F000421C200004021000030210F
63116+:1071C00000003821000028210A0009A5AF8400A092
63117+:1071D0001060000624E7000100C4302124A500014E
63118+:1071E0002CC20BF51440FFFA2CA300663C090800E2
63119+:1071F00025295F6001201821240200032442FFFF9B
63120+:10720000AC6000000441FFFD2463000410E0001A9C
63121+:1072100024E3FFFF0003294210A0000A0000202100
63122+:107220002406FFFF3C03080024635F602484000100
63123+:107230000085502BAC660000250800011540FFFBBF
63124+:107240002463000430E2001F10400008000868803A
63125+:10725000240C0001004C38040008588001692821E2
63126+:1072600024E6FFFF03E00008ACA6000001A94021CE
63127+:107270002409FFFFAD09000003E000080000000042
63128+:10728000AF4400283C04000C034420210005288260
63129+:107290000A000CC000003021000421803C03600083
63130+:1072A000AC6410080000000000052980AC65100CDB
63131+:1072B0000000000003E000088C62100C27BDFFE80E
63132+:1072C0000080282124040038AFBF00140E0009D527
63133+:1072D000AFB0001024040E00AF4400283C10000C96
63134+:1072E00003502021240500100E000CC000003021A6
63135+:1072F00003501021AC400000AC40000424040038CE
63136+:107300008FBF00148FB0001024053FFF27BD001869
63137+:107310000A0009D58C430000000421803C03600072
63138+:10732000AC641008000000008C62100C03E0000840
63139+:107330000002118227BDFFC8AFB400208F940068FF
63140+:10734000AFBE0030AFB7002CAFB600280000B821A8
63141+:107350000080B021241E00C0AFBF0034AFB50024B0
63142+:10736000AFB3001CAFB20018AFB10014AFB0001043
63143+:107370000A000A12AFA5003C504000018F9400683B
63144+:1073800027DEFFFF13C00028269400048E92000021
63145+:107390003C03080024635DA01240FFF70283102B1A
63146+:1073A0003C04080024845AA4028410230002A8C0CC
63147+:1073B000000098210A000A212411000100118840D0
63148+:1073C000122000260000000002B380210251282470
63149+:1073D0000200202110A0FFF9267300010E0009DE33
63150+:1073E000000000000016684032EC000101AC2021D2
63151+:1073F0000E0009D5020028218F89009426F700018C
63152+:107400008FA6003C3AEB0001316A00012528FFFFFE
63153+:107410000011382702CAB021AF88009416E6FFE7B2
63154+:1074200002479024AE92000002E010218FBF00348A
63155+:107430008FBE00308FB7002C8FB600288FB5002488
63156+:107440008FB400208FB3001C8FB200188FB10014CE
63157+:107450008FB0001003E0000827BD00383C0E080084
63158+:1074600025CE5DA0028E102B0A000A0DAE92000000
63159+:1074700027BDFFD8AFB10014AFB00010AFBF0020E0
63160+:10748000AFB3001CAFB2001800A0882110A0001FED
63161+:10749000000480403C13080026735AA40A000A5ACC
63162+:1074A0002412000112200019261000010E0009F517
63163+:1074B00002002021000231422444FFA0000618806F
63164+:1074C0003045001F2C8217A1007318212631FFFFC1
63165+:1074D0001040FFF400B230048C690000020020214B
63166+:1074E00024053FFF012640241500FFEE0126382524
63167+:1074F0000E0009D5AC6700008F8A009426100001A9
63168+:10750000254700011620FFE9AF8700948FBF0020B8
63169+:107510008FB3001C8FB200188FB100148FB0001011
63170+:1075200003E0000827BD00288F85009C00805821BB
63171+:107530000000402100004821240A001F3C0C0800E4
63172+:10754000258C5E1C3C0D080025AD5DA48CA60000BA
63173+:1075500050C000140000402100AD1023000238C0CC
63174+:10756000240300010A000A930000202115000003F3
63175+:1075700000E410212448202400004821252900018E
63176+:10758000512B00132506DFDC106000062484000167
63177+:1075900000C3702415C0FFF5000318400A000A91CB
63178+:1075A0000000402110AC002624A300040060282124
63179+:1075B000254AFFFF1540FFE5AF85009C512B0004D5
63180+:1075C0002506DFDC0000402103E000080100102157
63181+:1075D0000006614230C5001F000C50803C070800C7
63182+:1075E00024E75DA424040001014730211120000F8D
63183+:1075F00000A420043C05080024A55E20148000059A
63184+:107600002529FFFF24C6000410C50011000000005A
63185+:10761000240400018CCF00000004C0270004204097
63186+:1076200001F868241520FFF5ACCD00008F99007893
63187+:1076300001001021032B482303E00008AF890078E4
63188+:107640003C05080024A55DA40A000A9B0000402117
63189+:107650003C06080024C65DA40A000AB42404000104
63190+:10766000308800FF240200021102000A24030003F4
63191+:107670001103005C8F8900A4240400041104005F3E
63192+:1076800024050005110500670000182103E000082B
63193+:10769000006010218F8900483C0C0800258C5EE0BA
63194+:1076A0003C04080024845F60240300201060000F65
63195+:1076B00000005821240D0002240E00033C0F080096
63196+:1076C00025EF5EE08D27000014E0000B30F9FFFF8E
63197+:1076D000252900040124C02B53000001018048210A
63198+:1076E0002463FFFF5460FFF88D270000016018211C
63199+:1076F00003E0000800601021132000323C0500FF69
63200+:1077000030E200FF004030211040004200005021D4
63201+:1077100024050001000020210005C84000A6C02467
63202+:1077200017000003332500FF14A0FFFB2484000191
63203+:10773000012CC023001828C000AA6021008C502111
63204+:107740003144001F240C0001008C18040003102792
63205+:1077500000E23024110D0041AD260000110E004C56
63206+:10776000000A1840110D00368F87006C510E00562C
63207+:107770008F8C0060240D0004110D005A8F8E008440
63208+:10778000240E0005150EFFDA01601821240B1430B9
63209+:1077900011400006000018218F8400A0246300011E
63210+:1077A000006A402B1500FFFD016458218F8A00807C
63211+:1077B000AF89008C016018212549FFFF0A000AEB00
63212+:1077C000AF89008000E52024000736021080FFD03A
63213+:1077D000240A001800075402314600FF0A000AF389
63214+:1077E000240A00103C0C0800258C5EA03C04080014
63215+:1077F00024845EE00A000ADA240300103C0C08002E
63216+:10780000258C5E203C04080024845EA00A000AD96E
63217+:107810008F89009000071A02306600FF0A000AF301
63218+:10782000240A00088F89008C3C0C0800258C5F60BE
63219+:107830003C04080024845F700A000ADA2403000470
63220+:10784000000A4080250B003024E6FFFF016018216C
63221+:10785000AF8900480A000AEBAF86006C000AC982B3
63222+:10786000001978803C07080024E75EA001E720218A
63223+:10787000000A18428C8F00003079001F032C380456
63224+:107880000007C02701F860240A000B08AC8C000038
63225+:10789000000331420006288000AF28213062001F1B
63226+:1078A0008CB8000024630001004CC804000321428E
63227+:1078B000001938270004108003073024004F2021CE
63228+:1078C0000A000B4CACA60000000A68C025AB0032D1
63229+:1078D000258AFFFF01601821AF8900A40A000AEB86
63230+:1078E000AF8A0060254B1030AF89009001601821ED
63231+:1078F00025C9FFFF0A000AEBAF8900843086000724
63232+:107900002CC2000610400014000000000006408059
63233+:107910003C030800246357BC010338218CE40000B9
63234+:1079200000800008000000002409000310A9000ED8
63235+:1079300000000000240A000510AA000B000000004F
63236+:10794000240B000110AB0008000000008F8C00A089
63237+:1079500010AC00050000000003E00008000010214A
63238+:107960000A000A7900A020210A000AC700C02021CD
63239+:1079700027BDFFE8308400FF240300021083000BC2
63240+:10798000AFBF0010240600031086003A240800044C
63241+:1079900010880068240E0005108E007F2CAF143074
63242+:1079A0008FBF001003E0000827BD00182CA2003094
63243+:1079B0001440FFFC8FBF001024A5FFD0000531C28A
63244+:1079C000000668803C07080024E75EE001A730213C
63245+:1079D0008CC900000005288230AC001F240B000178
63246+:1079E000018B50048F840048012A4025ACC8000058
63247+:1079F0008C83000050600001AF8600488F98006CB7
63248+:107A000030AE000124A6FFFF270F000115C00002C1
63249+:107A1000AF8F006C24A600010006414200082080C0
63250+:107A2000008718218C79000030C2001F2406000155
63251+:107A30000046F804033F382410E0FFDA8FBF00103F
63252+:107A40000005C182001870803C0F080025EF5EA081
63253+:107A500001CF48218D2B00000005684231A5001F91
63254+:107A600000A66004016C502527BD001803E0000843
63255+:107A7000AD2A00002CA7003014E0FFCA8FBF001011
63256+:107A800030B900071723FFC724A8FFCE00086A02F9
63257+:107A9000000D60803C0B0800256B5EA0018B30213F
63258+:107AA0008CC40000000828C230AA001F240800016E
63259+:107AB000014848048F8200A400891825ACC3000047
63260+:107AC0008C5F000053E00001AF8600A40005704009
63261+:107AD000000E7942000F28803C04080024845EE0F8
63262+:107AE00000A418218C6B000025DF000131CD001FA0
63263+:107AF000001F514201A86004016C4825000A108053
63264+:107B0000AC690000004428218CA600008F9800601A
63265+:107B100033F9001F8FBF00100328380400C77825F1
63266+:107B2000270E000127BD0018ACAF000003E00008DD
63267+:107B3000AF8E006024A5EFD02CB804001300FF998D
63268+:107B40008FBF001000053142000658803C0A080033
63269+:107B5000254A5E20016A30218CC4000030A3001F3A
63270+:107B600024090001006910048F9900900082F82513
63271+:107B7000ACDF00008F27000050E00001AF860090CE
63272+:107B80008F8D00848FBF001027BD001825AC000129
63273+:107B900003E00008AF8C008415E0FF828FBF001067
63274+:107BA0008F8600A0000610400046F821001F21002B
63275+:107BB00003E4C8210019384024F8143000B8402BE1
63276+:107BC0001100FF788FBF001024A4EBD00E00021329
63277+:107BD00000C0282100027942000F70803C0D08008F
63278+:107BE00025AD5F6001CD20218C8B0000304C001F43
63279+:107BF00024060001018618048F89008C016350253A
63280+:107C0000AC8A00008D25000050A00001AF84008CDC
63281+:107C10008F9800808FBF001027BD00182708000133
63282+:107C200003E00008AF88008030A5000724030003AC
63283+:107C300010A3001028A2000414400008240700022A
63284+:107C40002403000410A300152408000510A8000F49
63285+:107C50008F8500A003E000080000000014A7FFFDCE
63286+:107C60000080282114C3FFFB240400020A000B8BB0
63287+:107C700000000000240900050080282110C9FFFB36
63288+:107C80002404000303E000080000000014C5FFF115
63289+:107C9000008028210A000B8B24040005240A00011F
63290+:107CA0000080282110CAFFF12404000403E000082A
63291+:107CB0000000000027BDFFE0AFB00010000581C24A
63292+:107CC0002603FFD024C5003F2C6223D024C6007FAA
63293+:107CD000AFB20018AFB10014AFBF001C309100FF6D
63294+:107CE000000691C2000529820200202110400008F0
63295+:107CF0002403FFFF0E000A4B0000000002002021B9
63296+:107D0000022028210E000C390240302100001821E9
63297+:107D10008FBF001C8FB200188FB100148FB00010FD
63298+:107D20000060102103E0000827BD002027BDFFD818
63299+:107D300024A2007FAFB3001CAFB20018000299C2AA
63300+:107D4000309200FF24A3003F02402021026028213E
63301+:107D5000AFB10014AFB00010AFBF00200E000B6E2B
63302+:107D60000003898200408021004020210220282138
63303+:107D700014400009000018218FBF00208FB3001CA1
63304+:107D80008FB200188FB100148FB000100060102166
63305+:107D900003E0000827BD00280E0009FC00000000D9
63306+:107DA00000402821020020211051FFF3001019C0CB
63307+:107DB0000E000A4B00000000020020210240282192
63308+:107DC0000E000C39026030218FBF00208FB3001CE1
63309+:107DD0008FB200188FB100148FB00010000018216E
63310+:107DE0000060102103E0000827BD00283084FFFF59
63311+:107DF00030A5FFFF1080000700001821308200012D
63312+:107E00001040000200042042006518211480FFFB8E
63313+:107E10000005284003E000080060102110C00007A2
63314+:107E2000000000008CA2000024C6FFFF24A500046F
63315+:107E3000AC82000014C0FFFB2484000403E00008AF
63316+:107E40000000000010A0000824A3FFFFAC86000083
63317+:107E500000000000000000002402FFFF2463FFFF79
63318+:107E60001462FFFA2484000403E00008000000000C
63319+:107E700030A5FFFF8F4201B80440FFFE3C076015AC
63320+:107E800000A730253C031000AF440180AF400184BF
63321+:107E9000AF46018803E00008AF4301B88F8500D0EA
63322+:107EA0002C864000008018218CA700840087102BAE
63323+:107EB00014400010000000008CA800842D06400033
63324+:107EC00050C0000F240340008CAA0084008A482B75
63325+:107ED000512000018CA3008400035A42000B208033
63326+:107EE0003C05080024A558200085182103E000085F
63327+:107EF0008C62000014C0FFF4000000002403400066
63328+:107F000000035A42000B20803C05080024A558209D
63329+:107F10000085182103E000088C6200008F8300D0E8
63330+:107F2000906600D024C50001A06500D08F8500D0E8
63331+:107F3000906400D090A200D210440017000000000E
63332+:107F4000936C00788F8B00BC318A00FFA16A000C13
63333+:107F500025490001938700C4312200FF3048007F8B
63334+:107F60001107000B00026827A36200788F4E01788A
63335+:107F700005C0FFFE8F9900B0241800023C0F1000CE
63336+:107F8000AF590140A358014403E00008AF4F017806
63337+:107F90000A000D0931A20080A0A000D00A000CFF49
63338+:107FA000000000008F8700D027BDFFC8AFBF0030A2
63339+:107FB000AFB7002CAFB60028AFB50024AFB4002097
63340+:107FC000AFB3001CAFB20018AFB10014AFB00010D7
63341+:107FD00094E300E094E200E2104300D72405FFFFA1
63342+:107FE0003C047FFF3497FFFF2415FF800A000DF04B
63343+:107FF0003C16000E108A00D18FBF00308F9100B068
63344+:108000003C1808008F18005C001230C0001291402C
63345+:108010000311702101D57824AF4F002C94EC00E2BD
63346+:1080200031CD007F01BA5821318A7FFF0176482186
63347+:10803000000A804002091021945300003C08080007
63348+:108040008D0800580246C02132733FFF001319808B
63349+:10805000010320210224282130BF007F03FAC82118
63350+:1080600000B5A024AF54002C0336A0218E87001049
63351+:108070008E8F003003785821256D008800EF702323
63352+:10808000240C0002AE8E0010AF8D00ACA16C0088F5
63353+:10809000976A003C8E8400308F9100AC0E000CD6A5
63354+:1080A0003150FFFF00024B80020940253C02420094
63355+:1080B00001022025AE2400048E8300048F8D00ACC5
63356+:1080C0008E860000240E0008ADA3001CADA600188B
63357+:1080D000ADA0000CADA00010929F000A33F900FF84
63358+:1080E000A5B90014968500083C1F000CA5A5001634
63359+:1080F0009298000A331100FFA5B100209690000865
63360+:1081000024180005A5B00022ADA00024928F000B1A
63361+:108110002410C00031E700FFA5A70002A1AE0001B6
63362+:108120008E8C00308F8B00AC8F8400B0AD6C00085B
63363+:108130003C0A08008D4A005401444821013540247E
63364+:10814000AF4800283C0208008C4200540044302113
63365+:1081500030C3007F007AC821033F282102458821CF
63366+:10816000AF9100BCAF8500C0A23800008F8A00BC70
63367+:108170002403FFBF2418FFDF954F000201F03824CD
63368+:1081800000F37025A54E0002914D000231AC003F76
63369+:10819000358B0040A14B00028F8600BC8F8900D038
63370+:1081A000ACC000048D28007C3C098000ACC80008ED
63371+:1081B00090C4000D3082007FA0C2000D8F8500BCEE
63372+:1081C00090BF000D03E3C824A0B9000D8F9100BC3F
63373+:1081D0009233000D02789024A232000D8E9000346C
63374+:1081E0008F8B00BCAD7000108E87002C8E8F0030FE
63375+:1081F00000EF7023AD6E0014916D001831AC007F5C
63376+:10820000A16C00188F9F00BC8E8A00308FE8001888
63377+:10821000015720240109302400C41025AFE20018C2
63378+:108220009283000AA3E3001C969900088F8500BC86
63379+:108230008F9800D0A4B9001E8E9000308E8400303C
63380+:108240000E0002138F0500848F8500D0000291403C
63381+:108250000002990090AF00BC0253882100403021F9
63382+:1082600031E7000210E0000302118021000290803B
63383+:108270000212802190B900BC3327000410E00002F4
63384+:108280000006F880021F80218E9800308F8B00BC82
63385+:1082900024068000330F0003000F702331CD00034C
63386+:1082A000020D6021AD6C000494A400E294AA00E2E7
63387+:1082B00094B000E231497FFF2522000130537FFF57
63388+:1082C0000206182400734025A4A800E294A400E24A
63389+:1082D0003C1408008E94006030917FFF123400221D
63390+:1082E000000000000E000CF6000000008F8700D098
63391+:1082F0000000282194F300E094F000E21213000F34
63392+:108300008FBF003090E900D090E800D1313200FFFB
63393+:10831000310400FF0244302B14C0FF36264A00010E
63394+:1083200090EE00D2264B000131CD00FF008D602180
63395+:10833000158BFF338F9100B08FBF00308FB7002CAB
63396+:108340008FB600288FB500248FB400208FB3001C97
63397+:108350008FB200188FB100148FB0001000A0102150
63398+:1083600003E0000827BD003894A300E20066402423
63399+:10837000A4A800E290A400E290B900E2309100FFCE
63400+:108380000011A1C20014F827001F39C03332007F4A
63401+:10839000024730250A000DE8A0A600E23084FFFF66
63402+:1083A00030A5FFFFAF440018AF45001C03E00008F4
63403+:1083B0008F42001427BDFFB8AFB000208F9000D0CF
63404+:1083C0003084FFFFAFA40010AFBF0044AFBE004039
63405+:1083D000AFB7003CAFB60038AFB50034AFB4003033
63406+:1083E000AFB3002CAFB20028AFB10024A7A0001893
63407+:1083F000920600D1920500D030C400FF30A300FFE8
63408+:108400000064102B10400122AFA00014920900D08C
63409+:108410008FB50010312800FF0088382324F4FFFFB7
63410+:108420000014882B0015982B02339024524001260B
63411+:108430008FB40014961E0012961F00108FB7001004
63412+:1084400003DFC823001714000019C400000224032E
63413+:108450000018140302E2B02A52C00001004020219B
63414+:108460000284282B10A0000200801821028018210D
63415+:1084700000033C0000071C033064FFFF2C8600094A
63416+:1084800014C000020060B821241700088E0A0008FA
63417+:10849000001769808E09000C31ABFFFF3C0C001007
63418+:1084A000016C402527520400AF4A0038AF9200B853
63419+:1084B000AF49003CAF480030000000000000000061
63420+:1084C00000000000000000000000000000000000AC
63421+:1084D00000000000000000008F4F000031EE00207F
63422+:1084E00011C0FFFD0017982A027110240A000E83A4
63423+:1084F0000000B02155E001019258000131130080C5
63424+:10850000126001CF012020219655001232A5FFFFF5
63425+:108510000E000CCBA7B500188F9000D00291A023BD
63426+:1085200026CD00018F9100B8000DB4000016B403F1
63427+:108530002638004002D7582A0014882B2405000151
63428+:108540000300902101711024AF9800B8AFA500146A
63429+:10855000104001BC8F8900B03C0C08008D8C005489
63430+:10856000240BFF80921E00D001895021014B28244A
63431+:10857000921900D0AF4500288E4700103C08080033
63432+:108580008D0800583C1808008F18005430E33FFF56
63433+:108590000003218001043021012658212402FF809C
63434+:1085A0000162F824920C00D0AF5F002C92480000CA
63435+:1085B00033D100FF333500FF0309982100117140CA
63436+:1085C000001578C0326D007F01CF382101BA282113
63437+:1085D000318300FF3164007F3C0A000C00AA88212F
63438+:1085E0000367F02100033140009A10213108003F59
63439+:1085F0003C1F000E00D1C021005F982127D90088C0
63440+:108600002D150008AF9100C0AF9900ACAF9800BC29
63441+:10861000AF9300B412A0018A00008821240E00014B
63442+:10862000010E4004310D005D11A0FFB2310F0002B8
63443+:108630008E4A00283C0300803C04FFEFAE6A000035
63444+:108640008E450024A260000A3488FFFFAE65000456
63445+:108650009247002C3C1FFF9F37FEFFFFA267000CD4
63446+:108660008E62000C3C180040A267000B00433025CE
63447+:1086700000C8C824033E88240238A825AE75000C23
63448+:108680008E490004AE6000183C0F00FFAE69001474
63449+:108690008E4D002C35EEFFFF8F8B00B001AE6024B5
63450+:1086A000AE6C00108E470008A660000896450012C8
63451+:1086B000AE6700208E42000C30B03FFF00105180AA
63452+:1086C000AE6200248E5E0014014B182130A400011C
63453+:1086D000AE7E00288E590018000331C2000443808A
63454+:1086E000AE79002C8E51001C00C8F821A67F001C1A
63455+:1086F000AE710030965800028E550020A678001EFC
63456+:10870000AE75003492490033313000045600000544
63457+:10871000925000008F8C00D08D8B007CAE6B0030AF
63458+:10872000925000008F8F00BCA1F00000924E0033E9
63459+:1087300031CD000251A00007925E00018F8900BC7C
63460+:108740002418FF80913100000311A825A1350000F5
63461+:10875000925E00018F9900BC2409FFBF240BFFDF4C
63462+:10876000A33E00018F9500BC92B8000D3311007F2D
63463+:10877000A2B1000D8F8E00BC91D0000D02097824AB
63464+:10878000A1CF000D8F8800BC8E6D0014910A000DE2
63465+:108790002DAC0001000C2940014B382400E51825C0
63466+:1087A000A103000D964200128F8800BC8F8700D075
63467+:1087B000A50200028E45000490FF00BC30A4000317
63468+:1087C0000004302330DE000300BE102133F9000224
63469+:1087D00017200002244400342444003090E200BCFE
63470+:1087E00000A2302430DF000417E0000224830004DC
63471+:1087F000008018218F8F00AC24090002AD03000413
63472+:10880000A1E90000924E003F8F8D00ACA1AE0001A7
63473+:108810008F9500AC924C003F8E440004A6AC000241
63474+:10882000976B003C0E000CD63170FFFF00025380A6
63475+:10883000020A38253C05420000E51825AEA30004D5
63476+:108840008F8600AC8E480038ACC800188E440034C7
63477+:10885000ACC4001CACC0000CACC00010A4C0001420
63478+:10886000A4C00016A4C00020A4C00022ACC00024F4
63479+:108870008E6400145080000124040001ACC4000880
63480+:108880000E000CF6241100010A000E768F9000D025
63481+:10889000920F00D2920E00D08FB5001031EB00FF86
63482+:1088A00031CD00FF008D6023016C50212554FFFF66
63483+:1088B0000014882B0015982B023390241640FEDDFF
63484+:1088C000000000008FB400148FBF00448FBE004032
63485+:1088D0003A8200018FB7003C8FB600388FB5003464
63486+:1088E0008FB400308FB3002C8FB200288FB10024DA
63487+:1088F0008FB0002003E0000827BD0048331100209E
63488+:10890000122000EF24150001921E00BC241F00015C
63489+:108910000000A82133D900011320000DAFBF001CB7
63490+:108920008E4400148E0800840088102B144000022E
63491+:10893000008030218E0600848E03006400C3A82BC3
63492+:1089400016A0000200C020218E0400640080A8212F
63493+:108950008E4700148E05006400E5302B14C0000221
63494+:1089600000E020218E0400640095F02313C0000471
63495+:108970008FAC001C240A0002AFAA001C8FAC001CA4
63496+:10898000028C582B156000A8000018218E4F00386B
63497+:108990008E6D000C3C0E0080AE6F00008E4A0034DD
63498+:1089A0003C10FF9F01AE5825AE6A00049246003F7E
63499+:1089B000360CFFFF016C38243C0500203C03FFEF20
63500+:1089C000A266000B00E510253468FFFF8F8700B812
63501+:1089D0000048F8243C04000803E4C825AE79000CE4
63502+:1089E0008CF80014AE60001802BE7821AE78001436
63503+:1089F0008CF10018AE71001C8CE90008AE690024EF
63504+:108A00008CEE000CAE6F002CAE600028AE6E002025
63505+:108A1000A6600038A660003A8CED001401B58023F2
63506+:108A2000021E902312400011AE72001090EA003D29
63507+:108A30008E6500048E640000000A310000A6C82183
63508+:108A4000000010210326402B0082F82103E8C021FA
63509+:108A5000AE790004AE78000090F1003DA271000AEA
63510+:108A60008F8900B895320006A67200088F9800AC76
63511+:108A70002419000202A02021A31900009769003CDC
63512+:108A80008F9200AC0E000CD63131FFFF00027B80CC
63513+:108A90008F8500B8022F68253C0E420001AE80256C
63514+:108AA000AE5000048F8400AC8CAC0038AC8C001845
63515+:108AB0008CAB0034AC8B001CAC80000CAC80001084
63516+:108AC000A4800014A4800016A4800020A4800022AA
63517+:108AD000AC80002490A7003FA487000212A00135BB
63518+:108AE0002403000153C0000290A2003D90A2003E6A
63519+:108AF00024480001A08800018F9F00ACAFF500085A
63520+:108B00008F8300D024070034906600BC30C500027B
63521+:108B100050A00001240700308F9200B88F8A00BC5B
63522+:108B2000906D00BC924B00002412C00032A50003DF
63523+:108B3000A14B00008F8600B88F8800BC240200047F
63524+:108B400090C400010045182330790003A1040001FE
63525+:108B50008F8A00BC8F9F00B800F53821955800021D
63526+:108B600097E9001200F9382103128824312F3FFFC2
63527+:108B7000022F7025A54E00029150000231A800047A
63528+:108B8000320C003F358B0040A14B000212A00002C6
63529+:108B90008F8500BC00E838218F8E00D0ACA7000480
63530+:108BA000240BFFBF8DCD007C2EA400012403FFDF2A
63531+:108BB000ACAD000890B0000D00044140320C007FC5
63532+:108BC000A0AC000D8F8600BC90CA000D014B102494
63533+:108BD000A0C2000D8F8700BC90E5000D00A3F82413
63534+:108BE00003E8C825A0F9000D8F9100B88F8D00BC57
63535+:108BF0008E380020ADB800108E290024ADA90014D5
63536+:108C00008E2F0028ADAF00188E2E002C0E000CF613
63537+:108C1000ADAE001C8FB0001C240C0002120C00EE44
63538+:108C20008F9000D08FA3001C006088211460000288
63539+:108C30000060A8210000A02156A0FE390291A023C7
63540+:108C40000014882B8FA90010960700103C1E0020EE
63541+:108C50000136402302C750213112FFFFA60A00103F
63542+:108C6000AFB20010AF5E0030000000009617001099
63543+:108C7000961300121277008F000000008E05000C82
63544+:108C80008E0B00080016698000AD7021000DC7C36F
63545+:108C900001CDA82B0178782101F56021AE0E000CE2
63546+:108CA000AE0C00088FB300100013B82B02378024DD
63547+:108CB0001200FF048F9000D00A000E3C000000005C
63548+:108CC0008E4D0038A6600008240B0003AE6D000036
63549+:108CD0008E500034A260000A8F9800B8AE70000475
63550+:108CE0003C0500809311003FA26B000C8E6F000CBE
63551+:108CF0003C0EFF9FA271000B01E5102535CCFFFF54
63552+:108D00003C03FFEF8F9200B8004C30243464FFFF27
63553+:108D100000C4F824AE7F000C8E590014964800124F
63554+:108D20008F8A00B0AE7900108E490014AE60001832
63555+:108D3000AE600020AE690014AE6000248E470018BB
63556+:108D400031093FFF0009F180AE6700288E4D000811
63557+:108D500003CA802131180001AE6D00308E4F000C27
63558+:108D60008F8C00AC001089C200185B80022B282178
63559+:108D7000240E0002A665001CA6600036AE6F002C13
63560+:108D8000A18E00009763003C8F8A00AC3C04420037
63561+:108D90003062FFFF00443025AD4600048F9F00B8CD
63562+:108DA000240700012411C0008FF30038240600348A
63563+:108DB000AD5300188FF90034AD59001CAD40000CC4
63564+:108DC000AD400010A5400014A5400016A5400020AD
63565+:108DD000A5400022AD400024A5550002A147000196
63566+:108DE0008F9E00AC8F8800B88F9200BCAFD5000872
63567+:108DF000910D0000A24D00008F9000B88F8B00BC39
63568+:108E000092180001A17800018F8400BC94850002B3
63569+:108E100000B1782401E97025A48E0002908C000234
63570+:108E20003183003FA08300028F8300D08F8400BC79
63571+:108E3000906200BC305300025260000124060030F2
63572+:108E4000AC8600048C6F007C2403FFBF02A0882145
63573+:108E5000AC8F0008908E000D31CC007FA08C000DEF
63574+:108E60008F8600BC90C2000D00432024A0C4000DDA
63575+:108E70008F8900BC913F000D37F90020A139000D0A
63576+:108E80008F8800B88F9300BC8D070020AE6700105C
63577+:108E90008D0A0024AE6A00148D1E0028AE7E0018D4
63578+:108EA0008D12002C0E000CF6AE72001C0A00103D54
63579+:108EB0008F9000D0960E00148E03000431CCFFFF7B
63580+:108EC000000C10C000622021AF44003C8E1F000443
63581+:108ED0008F46003C03E6C8231B20003C0000000036
63582+:108EE0008E0F000025E200013C05001034B500089B
63583+:108EF000AF420038AF550030000000000000000015
63584+:108F00000000000000000000000000000000000061
63585+:108F100000000000000000008F580000330B00200C
63586+:108F20001160FFFD000000008F5304003C0D002085
63587+:108F3000AE1300088F570404AE17000CAF4D00307D
63588+:108F4000000000003C0608008CC600442416000106
63589+:108F500010D600BD00000000961F00123C0508005E
63590+:108F60008CA5004000BFC821A61900129609001464
63591+:108F700025270001A6070014960A00143144FFFFBC
63592+:108F80005486FF498FB30010A60000140E000E1681
63593+:108F900030A5FFFF3C0408008C84002496030012D7
63594+:108FA0000044102300623023A60600120A00105964
63595+:108FB0008FB30010A08300018F8200AC2404000155
63596+:108FC000AC4400080A000FF08F8300D08E0200002E
63597+:108FD0000A0010EA3C0500108F8200C08FA7001C19
63598+:108FE000921800D0920B00D0920E00D0331100FFE7
63599+:108FF000316900FF00117940000928C001E56021B6
63600+:1090000031C300FF036C50210003314000C2C8216E
63601+:10901000255F0088AF9F00ACAF9900BCA1470088D6
63602+:109020009768003C03C020218F9100AC0E000CD645
63603+:109030003110FFFF00026B80020DC0253C0442008E
63604+:109040008F8D00B803045825AE2B00048DA900387D
63605+:109050008F8B00AC0000882100118100AD690018E1
63606+:109060008DAF00343C087FFF3504FFFFAD6F001C5F
63607+:1090700091AC003E8D65001C8D660018000C190037
63608+:10908000000C770200A33821020E102500E3F82B14
63609+:1090900000C2C821033F5021AD67001CAD6A001813
63610+:1090A000AD60000CAD60001091B8003E24050005D5
63611+:1090B00003C45024A578001495A9000403C02021FE
63612+:1090C000A569001691AF003EA56F002095B1000480
63613+:1090D000A5710022AD60002491AE003FA56E000294
63614+:1090E00091B0003E91AC003D01901023244300015B
63615+:1090F000A16300018F8600AC8F9F00BCACDE00082E
63616+:10910000A3E500008F9000BC8F9900B82405FFBF35
63617+:1091100096070002973800120247782433093FFF70
63618+:1091200001E98825A6110002921200022418FFDF2F
63619+:10913000324E003F35CD0040A20D00028F8600BCAC
63620+:109140008F8C00D02412FFFFACC000048D8B007CFC
63621+:109150003C0C8000ACCB000890C2000D3043007F77
63622+:10916000A0C3000D8F8700BC90FF000D03E5C8244D
63623+:10917000A0F9000D8F9100BC9229000D01387824D0
63624+:10918000A22F000D8F9000BCAE120010AE1500147F
63625+:10919000920E00182415FF8002AE6825A20D00185B
63626+:1091A0008F8500BC8F8300B88CAB0018016C102435
63627+:1091B000004A3025ACA600189068003EA0A8001C0C
63628+:1091C0008F9F00B88F8700BC8F9800D097F900045C
63629+:1091D000A4F9001E0E0002138F0500848F8600D0B4
63630+:1091E000000279400002490090D200BC01E98821C8
63631+:1091F000004028213255000212A0000303D1202193
63632+:109200000002A8800095202190CD00BC31B200045E
63633+:109210001240000333DF0003000540800088202156
63634+:10922000240600048F9E00BC00DFC8233327000300
63635+:1092300000875021AFCA00040E000CF6A665003866
63636+:109240000A0010388F9000D0961E00123C080800CB
63637+:109250008D080024011E9021A61200120A00105948
63638+:109260008FB3001027BDFFE03C1808008F18005096
63639+:10927000AFB00010AFBF0018AFB10014AF8400B0A2
63640+:1092800093710074030478212410FF8031EE007F75
63641+:109290003225007F01F0582401DA68213C0C000AD5
63642+:1092A000A38500C401AC2821AF4B002494A9001071
63643+:1092B0009768000690A600620080382124020030E2
63644+:1092C0000109202330C300F0AF8500D010620019DF
63645+:1092D0003090FFFF90AE0062240DFFF0240A005092
63646+:1092E00001AE6024318B00FF116A002F00000000E6
63647+:1092F00016000007241F0C00AF5F00248FB100147C
63648+:109300008FBF00188FB0001003E0000827BD0020B9
63649+:109310000E000E1C02002021241F0C00AF5F002451
63650+:109320008FB100148FBF00188FB0001003E0000849
63651+:1093300027BD002094A200E094A400E290BF011396
63652+:10934000008218263079FFFF33E700C014E00009DF
63653+:109350002F31000116000038000000005620FFE603
63654+:10936000241F0C000E000D18000000000A0011ED73
63655+:10937000241F0C001620FFDE000000000E000D1858
63656+:10938000000000001440FFDC241F0C001600002227
63657+:109390008F8300D0906901133122003FA062011336
63658+:1093A0000A0011ED241F0C0094AF00D48F8600D466
63659+:1093B00000E02821240400050E000C5C31F0FFFFC2
63660+:1093C0001440000524030003979100E600001821D3
63661+:1093D0002625FFFFA78500E68F5801B80700FFFE8E
63662+:1093E0003C196013AF400180241F0C00AF50018472
63663+:1093F000007938253C101000AF4701888FB1001468
63664+:10940000AF5001B8AF5F00248FB000108FBF0018BD
63665+:1094100003E0000827BD00200E000E1C02002021E2
63666+:109420005040FFB5241F0C008F8300D090690113BA
63667+:109430000A0012163122003F0E000E1C02002021ED
63668+:109440001440FFAD241F0C00122000078F8300D0B2
63669+:10945000906801133106003F34C20040A06201133E
63670+:109460000A0011ED241F0C000E000D180000000072
63671+:109470005040FFA1241F0C008F8300D0906801137F
63672+:109480003106003F0A00124634C20040AF9B00C8BC
63673+:1094900003E00008AF8000EC3089FFFF0009404284
63674+:1094A0002D020041000921801440000200095040B3
63675+:1094B00024080040000830C0000811400046582130
63676+:1094C000256701A800E2C821272F007F2418FF800C
63677+:1094D00001F818240064302100CA702125CC00FF57
63678+:1094E000240DFF00018D202425650088240A0088B2
63679+:1094F0003C010800AC2A004C3C010800AC2500509F
63680+:10950000AF8400D43C010800AC2900603C01080095
63681+:10951000AC2800643C010800AC2700543C01080062
63682+:10952000AC2300583C010800AC26005C03E00008B6
63683+:1095300000000000308300FF30C6FFFF30E400FF72
63684+:109540008F4201B80440FFFE00034C00012438257F
63685+:109550003C08600000E820253C031000AF45018076
63686+:10956000AF460184AF44018803E00008AF4301B86F
63687+:109570008F86001C3C096012352700108CCB00043C
63688+:109580003C0C600E35850010316A00062D48000144
63689+:10959000ACE800C48CC40004ACA431808CC20008C8
63690+:1095A00094C30002ACA2318403E00008A78300E466
63691+:1095B0003C0308008C6300508F8400E88F86001CF9
63692+:1095C0002402FF800064C0210302C824AF59002890
63693+:1095D0008CCD00043305007F00BA78213C0E000CCE
63694+:1095E00001EE2821ACAD00588CC80008AF8500D032
63695+:1095F0003C076012ACA8005C8CCC001034E8001072
63696+:10960000ACAC000C8CCB000CACAB000894AA0014E2
63697+:109610003C0208008C42004425490001A4A9001422
63698+:1096200094A400143083FFFF106200178F8400D0D1
63699+:109630003C0A08008D4A0040A4AA00128CCE0018F3
63700+:10964000AC8E00248CCD0014AC8D00208CC700188B
63701+:10965000AC87002C8CCC001424060001AC8C0028B4
63702+:109660008D0B00BC5166001A8D0200B48D0200B84B
63703+:10967000A482003A948F003AA48F003C948800D4CE
63704+:1096800003E000083102FFFF3C0908008D29002497
63705+:10969000A4A000148F8400D0A4A900128CCE0018BE
63706+:1096A000AC8E00248CCD0014AC8D00208CC700182B
63707+:1096B000AC87002C8CCC001424060001AC8C002854
63708+:1096C0008D0B00BC5566FFEA8D0200B88D0200B418
63709+:1096D000A482003A948F003AA48F003C948800D46E
63710+:1096E00003E000083102FFFF8F86001C3C0C0800DD
63711+:1096F0008D8C0050240BFF808CCD00083C03000CA7
63712+:10970000000D51C0018A4021010B4824AF8A00E8B6
63713+:10971000AF49002890C700073105007F00BA10212B
63714+:109720000043282130E4000410800039AF8500D0C8
63715+:1097300090CF000731EE000811C000380000000093
63716+:109740008CD9000C8CC400140324C02B13000030EF
63717+:10975000000000008CC2000CACA200648CCD00188C
63718+:109760002402FFF8ACAD00688CCC0010ACAC0080DB
63719+:109770008CCB000CACAB00848CCA001CACAA007C67
63720+:1097800090A900BC01224024A0A800BC90C30007FF
63721+:109790003067000810E000048F8500D090AF00BC57
63722+:1097A00035EE0001A0AE00BC90D9000733380001AF
63723+:1097B000130000088F8300D08F8700D0240400346A
63724+:1097C00090E800BC35030002A0E300BC8F8300D00A
63725+:1097D000AC6400C090C900073126000210C000052B
63726+:1097E00000000000906A00BC35420004A06200BC8A
63727+:1097F0008F8300D09065011330AD003FA06D011341
63728+:109800008F8C00D0958B00D403E000083162FFFFFD
63729+:109810008CC200140A001305000000000A001306A1
63730+:10982000ACA0006427BDFFD8AFB000108F90001C23
63731+:10983000AFBF0024AFB40020AFB20018AFB1001426
63732+:10984000AFB3001C9613000E3C07600A3C14600680
63733+:109850003264FFFF369300100E00125534F40410EA
63734+:109860008F8400D43C11600E0E00099B363100102D
63735+:10987000920E00153C0708008CE700603C12601255
63736+:1098800031CD000FA38D00F08E0E00048E0D000868
63737+:1098900096080012961F00109619001A9618001EBE
63738+:1098A000960F001C310CFFFF33EBFFFF332AFFFF45
63739+:1098B0003309FFFF31E6FFFF3C010800AC2B0040FD
63740+:1098C0003C010800AC2C00243C010800AC2A0044F8
63741+:1098D000AE293178AE26317C92020015960300162F
63742+:1098E00036520010304400FF3065FFFF3C06080090
63743+:1098F0008CC60064AE243188AE4500B492080014D2
63744+:1099000096190018241F0001011FC004332FFFFF08
63745+:109910003C0508008CA50058AE5800B8AE4F00BCFE
63746+:10992000920C0014AF8E00D8AF8D00DC318B00FF9D
63747+:10993000AE4B00C0920A0015AE670048AE66004C00
63748+:10994000314900FFAE4900C8AE65007C3C03080009
63749+:109950008C6300503C0408008C84004C3C080800D8
63750+:109960008D0800543C0208008C42005C8FBF00242C
63751+:10997000AE6300808FB00010AE8300748FB3001C04
63752+:10998000AE22319CAE4200DCAE2731A0AE2631A41F
63753+:10999000AE24318CAE233190AE283194AE2531986F
63754+:1099A000AE870050AE860054AE8500708FB10014B3
63755+:1099B000AE4700E0AE4600E4AE4400CCAE4300D07B
63756+:1099C000AE4800D4AE4500D88FB400208FB2001846
63757+:1099D00003E0000827BD002827BDFFE0AFB1001459
63758+:1099E000AFBF0018241100010E000845AFB00010F1
63759+:1099F00010510005978400E6978300CC0083102B5C
63760+:109A0000144000088F8500D4240700028FBF00187F
63761+:109A10008FB100148FB0001000E0102103E00008A7
63762+:109A200027BD00200E000C7A24040005AF8200E858
63763+:109A30001040FFF6240700020E0008498F90001C1A
63764+:109A4000979F00E68F9900E88F8D00C827EF0001EF
63765+:109A5000240E0050AF590020A78F00E6A1AE0000F1
63766+:109A60003C0C08008D8C00648F8600C8240A80009E
63767+:109A7000000C5E00ACCB0074A4C0000694C9000AC0
63768+:109A8000241FFF803C0D000C012AC024A4D8000A2A
63769+:109A900090C8000A24182000011F1825A0C3000A3E
63770+:109AA0008F8700C8A0E000788F8500C800003821AB
63771+:109AB000A0A000833C0208008C4200508F8400E884
63772+:109AC0000044782101FFC824AF590028960B0002FA
63773+:109AD00031EE007F01DA6021018D3021A4CB00D46A
63774+:109AE000960A0002AF8600D03C0E000425492401EE
63775+:109AF000A4C900E68E080004ACC800048E03000868
63776+:109B0000ACC30000A4C00010A4C00014A0C000D0CA
63777+:109B10008F8500D02403FFBFA0A000D13C04080023
63778+:109B20008C8400648F8200D0A04400D28E1F000C71
63779+:109B30008F8A00D0978F00E4AD5F001C8E19001053
63780+:109B400024100030AD590018A5400030A551005434
63781+:109B5000A5510056A54F0016AD4E0068AD580080C7
63782+:109B6000AD580084914D006231AC000F358B001070
63783+:109B7000A14B00628F8600D090C900633128007F1E
63784+:109B8000A0C800638F8400D02406FFFF9085006387
63785+:109B900000A31024A08200638F9100D000E0102168
63786+:109BA000923F00BC37F90001A23900BC8F8A00D077
63787+:109BB000938F00F0AD580064AD5000C0914E00D3BB
63788+:109BC000000F690031CC000F018D5825A14B00D347
63789+:109BD0008F8500D08F8900DCACA900E88F8800D881
63790+:109BE0008FBF00188FB100148FB0001027BD002068
63791+:109BF000ACA800ECA4A600D6A4A000E0A4A000E2BB
63792+:109C000003E000080000000027BDFFE0AFB0001037
63793+:109C10008F90001CAFB10014AFBF00188E19000464
63794+:109C20003C1808008F180050240FFF80001989C0CD
63795+:109C30000238702131CD007F01CF602401BA50215C
63796+:109C40003C0B000CAF4C0028014B4021950900D47F
63797+:109C5000950400D68E0700043131FFFFAF8800D095
63798+:109C60000E000913000721C08E0600048F8300C870
63799+:109C7000000629C0AF4500209064003E30820040BD
63800+:109C8000144000068F8400D0341FFFFF948300D659
63801+:109C90003062FFFF145F000400000000948400D6CF
63802+:109CA0000E0008A83084FFFF8E050004022030213A
63803+:109CB0008FBF00188FB100148FB000102404002251
63804+:109CC00000003821000529C00A00127C27BD0020B1
63805+:109CD00027BDFFE0AFB100143091FFFFAFB000101F
63806+:109CE000AFBF00181220001D000080218F86001CCD
63807+:109CF0008CC500002403000600053F020005140285
63808+:109D000030E4000714830015304500FF2CA800063E
63809+:109D10001100004D000558803C0C0800258C57D4DC
63810+:109D2000016C50218D490000012000080000000056
63811+:109D30008F8E00EC240D000111CD005900000000B1
63812+:109D4000260B00013170FFFF24CA00200211202BD6
63813+:109D5000014030211480FFE6AF8A001C0200102170
63814+:109D60008FBF00188FB100148FB0001003E00008FF
63815+:109D700027BD0020938700CE14E00038240400148F
63816+:109D80000E001338000000008F86001C2402000122
63817+:109D90000A00147FAF8200EC8F8900EC24080002D7
63818+:109DA0001128003B2404001300002821000030216A
63819+:109DB000240700010E00127C000000000A00147F3E
63820+:109DC0008F86001C8F8700EC2405000214E5FFF647
63821+:109DD000240400120E0012E9000000008F8500E844
63822+:109DE00000403021240400120E00127C00003821B3
63823+:109DF0000A00147F8F86001C8F8300EC241F000351
63824+:109E0000147FFFD0260B00010E00129B0000000003
63825+:109E10008F8500E800403021240200022404001055
63826+:109E200000003821AF8200EC0E00127C0000000020
63827+:109E30000A00147F8F86001C8F8F00EC240600021E
63828+:109E400011E6000B0000000024040010000028218F
63829+:109E5000000030210A00149C240700010000282182
63830+:109E60000E00127C000030210A00147F8F86001C37
63831+:109E70000E0013A500000000144000128F99001C72
63832+:109E80008F86001C240200030A00147FAF8200ECBE
63833+:109E90000E001431000000000A00147F8F86001CA1
63834+:109EA0000E00128B000000002402000224040014A3
63835+:109EB0000000282100003021000038210A0014B9D8
63836+:109EC000AF8200EC004038212404001097380002D3
63837+:109ED000000028210E00127C3306FFFF0A00147FC9
63838+:109EE0008F86001C8F8400C83C077FFF34E6FFFF8D
63839+:109EF0008C8500742402000100A61824AC83007431
63840+:109F000003E00008A082000510A000362CA200800B
63841+:109F1000274A04003C0B000524090080104000077C
63842+:109F20002408008030A6000F00C540212D030081C9
63843+:109F30001460000200A0482124080080AF4B0030CC
63844+:109F400000000000000000000000000011000009F7
63845+:109F500000003821014030218C8D000024E70004EE
63846+:109F600000E8602BACCD0000248400041580FFFACB
63847+:109F700024C60004000000000000000000000000F3
63848+:109F80003C0E0006010E3825AF47003000000000EF
63849+:109F900000000000000000008F4F000031E80010BA
63850+:109FA0001100FFFD000000008F42003C8F43003C89
63851+:109FB0000049C8210323C02B130000040000000047
63852+:109FC0008F4C003825860001AF4600388F47003C93
63853+:109FD00000A9282300E96821AF4D003C14A0FFCE62
63854+:109FE0002CA2008003E000080000000027BDFFD085
63855+:109FF0003C020002AFB100143C11000CAF45003828
63856+:10A00000AFB3001CAF46003C00809821AF42003047
63857+:10A0100024050088AF44002803512021AFBF002849
63858+:10A02000AFB50024AFB40020AFB200180E0014F199
63859+:10A03000AFB000103C1F08008FFF004C3C18080018
63860+:10A040008F1800642410FF8003F3A82132B9007F29
63861+:10A0500002B078240018A0C0033A70210018914083
63862+:10A0600001D12021AF4F00280E0014F10254282105
63863+:10A070003C0D08008DAD00502405012001B358218E
63864+:10A08000316C007F01705024019A48210131202158
63865+:10A090000E0014F1AF4A00283C0808008D08005457
63866+:10A0A0003C0508008CA500640113382130E6007FD0
63867+:10A0B00000F0182400DA202100912021AF4300286D
63868+:10A0C0000E0014F1000529403C0208008C420058A3
63869+:10A0D0003C1008008E1000601200001C0053882104
63870+:10A0E0002415FF800A0015743C14000C3226007FF2
63871+:10A0F0000235182400DA202102402821AF4300282D
63872+:10A10000009420210E0014F12610FFC01200000F51
63873+:10A11000023288212E05004110A0FFF42412100005
63874+:10A120003226007F001091800235182400DA2021A9
63875+:10A1300002402821AF430028009420210E0014F192
63876+:10A14000000080211600FFF3023288213C0B08003A
63877+:10A150008D6B005C240AFF802405000201734021FE
63878+:10A16000010A4824AF4900283C0408009484006296
63879+:10A170003110007F021A88213C07000C0E000CAA47
63880+:10A180000227982100402821026020218FBF00284B
63881+:10A190008FB500248FB400208FB3001C8FB200183D
63882+:10A1A0008FB100148FB000100A0014F127BD0030E9
63883+:10A1B0008F83001C8C62000410400003000000002C
63884+:10A1C00003E00008000000008C6400108C650008AB
63885+:10A1D0000A00152A8C66000C000000000000001B1D
63886+:10A1E0000000000F0000000A000000080000000648
63887+:10A1F000000000050000000500000004000000044D
63888+:10A200000000000300000003000000030000000342
63889+:10A210000000000300000002000000020000000235
63890+:10A220000000000200000002000000020000000226
63891+:10A230000000000200000002000000020000000216
63892+:10A240000000000200000002000000020000000206
63893+:10A2500000000001000000010000000108000F24C0
63894+:10A2600008000D6C08000FB80800106008000F4CC3
63895+:10A2700008000F8C0800119408000D88080011B820
63896+:10A2800008000DD8080015540800151C08000D889A
63897+:10A2900008000D8808000D880800124008001240D0
63898+:10A2A00008000D8808000D88080014E008000D88DB
63899+:10A2B00008000D8808000D8808000D88080013B4F8
63900+:10A2C00008000D8808000D8808000D8808000D881A
63901+:10A2D00008000D8808000D8808000D8808000D880A
63902+:10A2E00008000D8808000D8808000D8808000D88FA
63903+:10A2F00008000D8808000D8808000FAC08000D88C4
63904+:10A3000008000D880800167808000D8808000D88E0
63905+:10A3100008000D8808000D8808000D8808000D88C9
63906+:10A3200008000D8808000D8808000D8808000D88B9
63907+:10A3300008000D8808000D8808000D8808000D88A9
63908+:10A3400008000D8808000D8808000D88080014100A
63909+:10A3500008000D8808000D8808001334080012A4B6
63910+:10A3600008001E2C08001EFC08001F1408001F28EF
63911+:10A3700008001F3808001E2C08001E2C08001E2C88
63912+:10A3800008001ED808002E1408002E1C08002DE41A
63913+:10A3900008002DF008002DFC08002E08080052F4DB
63914+:10A3A000080052B40800528008005254080052308D
63915+:10A3B000080051EC0A000C840000000000000000BE
63916+:10A3C0000000000D727870362E322E33000000002F
63917+:10A3D000060203030000000000000001000000006E
63918+:10A3E000000000000000000000000000000000006D
63919+:10A3F000000000000000000000000000000000005D
63920+:10A40000000000000000000000000000000000004C
63921+:10A41000000000000000000000000000000000003C
63922+:10A42000000000000000000000000000000000002C
63923+:10A43000000000000000000000000000000000001C
63924+:10A44000000000000000000000000000000000000C
63925+:10A4500000000000000000000000000000000000FC
63926+:10A4600000000000000000000000000000000000EC
63927+:10A4700000000000000000000000000000000000DC
63928+:10A4800000000000000000000000000000000000CC
63929+:10A4900000000000000000000000000000000000BC
63930+:10A4A00000000000000000000000000000000000AC
63931+:10A4B000000000000000000000000000000000009C
63932+:10A4C000000000000000000000000000000000008C
63933+:10A4D000000000000000000000000000000000007C
63934+:10A4E000000000000000000000000000000000006C
63935+:10A4F000000000000000000000000000000000005C
63936+:10A50000000000000000000000000000000000004B
63937+:10A51000000000000000000000000000000000003B
63938+:10A52000000000000000000000000000000000002B
63939+:10A53000000000000000000000000000000000001B
63940+:10A54000000000000000000000000000000000000B
63941+:10A5500000000000000000000000000000000000FB
63942+:10A5600000000000000000000000000000000000EB
63943+:10A5700000000000000000000000000000000000DB
63944+:10A5800000000000000000000000000000000000CB
63945+:10A5900000000000000000000000000000000000BB
63946+:10A5A00000000000000000000000000000000000AB
63947+:10A5B000000000000000000000000000000000009B
63948+:10A5C000000000000000000000000000000000008B
63949+:10A5D000000000000000000000000000000000007B
63950+:10A5E000000000000000000000000000000000006B
63951+:10A5F000000000000000000000000000000000005B
63952+:10A60000000000000000000000000000000000004A
63953+:10A61000000000000000000000000000000000003A
63954+:10A62000000000000000000000000000000000002A
63955+:10A63000000000000000000000000000000000001A
63956+:10A64000000000000000000000000000000000000A
63957+:10A6500000000000000000000000000000000000FA
63958+:10A6600000000000000000000000000000000000EA
63959+:10A6700000000000000000000000000000000000DA
63960+:10A6800000000000000000000000000000000000CA
63961+:10A6900000000000000000000000000000000000BA
63962+:10A6A00000000000000000000000000000000000AA
63963+:10A6B000000000000000000000000000000000009A
63964+:10A6C000000000000000000000000000000000008A
63965+:10A6D000000000000000000000000000000000007A
63966+:10A6E000000000000000000000000000000000006A
63967+:10A6F000000000000000000000000000000000005A
63968+:10A700000000000000000000000000000000000049
63969+:10A710000000000000000000000000000000000039
63970+:10A720000000000000000000000000000000000029
63971+:10A730000000000000000000000000000000000019
63972+:10A740000000000000000000000000000000000009
63973+:10A7500000000000000000000000000000000000F9
63974+:10A7600000000000000000000000000000000000E9
63975+:10A7700000000000000000000000000000000000D9
63976+:10A7800000000000000000000000000000000000C9
63977+:10A7900000000000000000000000000000000000B9
63978+:10A7A00000000000000000000000000000000000A9
63979+:10A7B0000000000000000000000000000000000099
63980+:10A7C0000000000000000000000000000000000089
63981+:10A7D0000000000000000000000000000000000079
63982+:10A7E0000000000000000000000000000000000069
63983+:10A7F0000000000000000000000000000000000059
63984+:10A800000000000000000000000000000000000048
63985+:10A810000000000000000000000000000000000038
63986+:10A820000000000000000000000000000000000028
63987+:10A830000000000000000000000000000000000018
63988+:10A840000000000000000000000000000000000008
63989+:10A8500000000000000000000000000000000000F8
63990+:10A8600000000000000000000000000000000000E8
63991+:10A8700000000000000000000000000000000000D8
63992+:10A8800000000000000000000000000000000000C8
63993+:10A8900000000000000000000000000000000000B8
63994+:10A8A00000000000000000000000000000000000A8
63995+:10A8B0000000000000000000000000000000000098
63996+:10A8C0000000000000000000000000000000000088
63997+:10A8D0000000000000000000000000000000000078
63998+:10A8E0000000000000000000000000000000000068
63999+:10A8F0000000000000000000000000000000000058
64000+:10A900000000000000000000000000000000000047
64001+:10A910000000000000000000000000000000000037
64002+:10A920000000000000000000000000000000000027
64003+:10A930000000000000000000000000000000000017
64004+:10A940000000000000000000000000000000000007
64005+:10A9500000000000000000000000000000000000F7
64006+:10A9600000000000000000000000000000000000E7
64007+:10A9700000000000000000000000000000000000D7
64008+:10A9800000000000000000000000000000000000C7
64009+:10A9900000000000000000000000000000000000B7
64010+:10A9A00000000000000000000000000000000000A7
64011+:10A9B0000000000000000000000000000000000097
64012+:10A9C0000000000000000000000000000000000087
64013+:10A9D0000000000000000000000000000000000077
64014+:10A9E0000000000000000000000000000000000067
64015+:10A9F0000000000000000000000000000000000057
64016+:10AA00000000000000000000000000000000000046
64017+:10AA10000000000000000000000000000000000036
64018+:10AA20000000000000000000000000000000000026
64019+:10AA30000000000000000000000000000000000016
64020+:10AA40000000000000000000000000000000000006
64021+:10AA500000000000000000000000000000000000F6
64022+:10AA600000000000000000000000000000000000E6
64023+:10AA700000000000000000000000000000000000D6
64024+:10AA800000000000000000000000000000000000C6
64025+:10AA900000000000000000000000000000000000B6
64026+:10AAA00000000000000000000000000000000000A6
64027+:10AAB0000000000000000000000000000000000096
64028+:10AAC0000000000000000000000000000000000086
64029+:10AAD0000000000000000000000000000000000076
64030+:10AAE0000000000000000000000000000000000066
64031+:10AAF0000000000000000000000000000000000056
64032+:10AB00000000000000000000000000000000000045
64033+:10AB10000000000000000000000000000000000035
64034+:10AB20000000000000000000000000000000000025
64035+:10AB30000000000000000000000000000000000015
64036+:10AB40000000000000000000000000000000000005
64037+:10AB500000000000000000000000000000000000F5
64038+:10AB600000000000000000000000000000000000E5
64039+:10AB700000000000000000000000000000000000D5
64040+:10AB800000000000000000000000000000000000C5
64041+:10AB900000000000000000000000000000000000B5
64042+:10ABA00000000000000000000000000000000000A5
64043+:10ABB0000000000000000000000000000000000095
64044+:10ABC0000000000000000000000000000000000085
64045+:10ABD0000000000000000000000000000000000075
64046+:10ABE0000000000000000000000000000000000065
64047+:10ABF0000000000000000000000000000000000055
64048+:10AC00000000000000000000000000000000000044
64049+:10AC10000000000000000000000000000000000034
64050+:10AC20000000000000000000000000000000000024
64051+:10AC30000000000000000000000000000000000014
64052+:10AC40000000000000000000000000000000000004
64053+:10AC500000000000000000000000000000000000F4
64054+:10AC600000000000000000000000000000000000E4
64055+:10AC700000000000000000000000000000000000D4
64056+:10AC800000000000000000000000000000000000C4
64057+:10AC900000000000000000000000000000000000B4
64058+:10ACA00000000000000000000000000000000000A4
64059+:10ACB0000000000000000000000000000000000094
64060+:10ACC0000000000000000000000000000000000084
64061+:10ACD0000000000000000000000000000000000074
64062+:10ACE0000000000000000000000000000000000064
64063+:10ACF0000000000000000000000000000000000054
64064+:10AD00000000000000000000000000000000000043
64065+:10AD10000000000000000000000000000000000033
64066+:10AD20000000000000000000000000000000000023
64067+:10AD30000000000000000000000000000000000013
64068+:10AD40000000000000000000000000000000000003
64069+:10AD500000000000000000000000000000000000F3
64070+:10AD600000000000000000000000000000000000E3
64071+:10AD700000000000000000000000000000000000D3
64072+:10AD800000000000000000000000000000000000C3
64073+:10AD900000000000000000000000000000000000B3
64074+:10ADA00000000000000000000000000000000000A3
64075+:10ADB0000000000000000000000000000000000093
64076+:10ADC0000000000000000000000000000000000083
64077+:10ADD0000000000000000000000000000000000073
64078+:10ADE0000000000000000000000000000000000063
64079+:10ADF0000000000000000000000000000000000053
64080+:10AE00000000000000000000000000000000000042
64081+:10AE10000000000000000000000000000000000032
64082+:10AE20000000000000000000000000000000000022
64083+:10AE30000000000000000000000000000000000012
64084+:10AE40000000000000000000000000000000000002
64085+:10AE500000000000000000000000000000000000F2
64086+:10AE600000000000000000000000000000000000E2
64087+:10AE700000000000000000000000000000000000D2
64088+:10AE800000000000000000000000000000000000C2
64089+:10AE900000000000000000000000000000000000B2
64090+:10AEA00000000000000000000000000000000000A2
64091+:10AEB0000000000000000000000000000000000092
64092+:10AEC0000000000000000000000000000000000082
64093+:10AED0000000000000000000000000000000000072
64094+:10AEE0000000000000000000000000000000000062
64095+:10AEF0000000000000000000000000000000000052
64096+:10AF00000000000000000000000000000000000041
64097+:10AF10000000000000000000000000000000000031
64098+:10AF20000000000000000000000000000000000021
64099+:10AF30000000000000000000000000000000000011
64100+:10AF40000000000000000000000000000000000001
64101+:10AF500000000000000000000000000000000000F1
64102+:10AF600000000000000000000000000000000000E1
64103+:10AF700000000000000000000000000000000000D1
64104+:10AF800000000000000000000000000000000000C1
64105+:10AF900000000000000000000000000000000000B1
64106+:10AFA00000000000000000000000000000000000A1
64107+:10AFB0000000000000000000000000000000000091
64108+:10AFC0000000000000000000000000000000000081
64109+:10AFD0000000000000000000000000000000000071
64110+:10AFE0000000000000000000000000000000000061
64111+:10AFF0000000000000000000000000000000000051
64112+:10B000000000000000000000000000000000000040
64113+:10B010000000000000000000000000000000000030
64114+:10B020000000000000000000000000000000000020
64115+:10B030000000000000000000000000000000000010
64116+:10B040000000000000000000000000000000000000
64117+:10B0500000000000000000000000000000000000F0
64118+:10B0600000000000000000000000000000000000E0
64119+:10B0700000000000000000000000000000000000D0
64120+:10B0800000000000000000000000000000000000C0
64121+:10B0900000000000000000000000000000000000B0
64122+:10B0A00000000000000000000000000000000000A0
64123+:10B0B0000000000000000000000000000000000090
64124+:10B0C0000000000000000000000000000000000080
64125+:10B0D0000000000000000000000000000000000070
64126+:10B0E0000000000000000000000000000000000060
64127+:10B0F0000000000000000000000000000000000050
64128+:10B10000000000000000000000000000000000003F
64129+:10B11000000000000000000000000000000000002F
64130+:10B12000000000000000000000000000000000001F
64131+:10B13000000000000000000000000000000000000F
64132+:10B1400000000000000000000000000000000000FF
64133+:10B1500000000000000000000000000000000000EF
64134+:10B1600000000000000000000000000000000000DF
64135+:10B1700000000000000000000000000000000000CF
64136+:10B1800000000000000000000000000000000000BF
64137+:10B1900000000000000000000000000000000000AF
64138+:10B1A000000000000000000000000000000000009F
64139+:10B1B000000000000000000000000000000000008F
64140+:10B1C000000000000000000000000000000000007F
64141+:10B1D000000000000000000000000000000000006F
64142+:10B1E000000000000000000000000000000000005F
64143+:10B1F000000000000000000000000000000000004F
64144+:10B20000000000000000000000000000000000003E
64145+:10B21000000000000000000000000000000000002E
64146+:10B22000000000000000000000000000000000001E
64147+:10B23000000000000000000000000000000000000E
64148+:10B2400000000000000000000000000000000000FE
64149+:10B2500000000000000000000000000000000000EE
64150+:10B2600000000000000000000000000000000000DE
64151+:10B2700000000000000000000000000000000000CE
64152+:10B2800000000000000000000000000000000000BE
64153+:10B2900000000000000000000000000000000000AE
64154+:10B2A000000000000000000000000000000000009E
64155+:10B2B000000000000000000000000000000000008E
64156+:10B2C000000000000000000000000000000000007E
64157+:10B2D000000000000000000000000000000000006E
64158+:10B2E000000000000000000000000000000000005E
64159+:10B2F000000000000000000000000000000000004E
64160+:10B30000000000000000000000000000000000003D
64161+:10B31000000000000000000000000000000000002D
64162+:10B32000000000000000000000000000000000001D
64163+:10B33000000000000000000000000000000000000D
64164+:10B3400000000000000000000000000000000000FD
64165+:10B3500000000000000000000000000000000000ED
64166+:10B3600000000000000000000000000000000000DD
64167+:10B3700000000000000000000000000000000000CD
64168+:10B3800000000000000000000000000000000000BD
64169+:10B3900000000000000000000000000000000000AD
64170+:10B3A000000000000000000000000000000000009D
64171+:10B3B000000000000000000000000000000000008D
64172+:10B3C000000000000000000000000000000000007D
64173+:10B3D000000000000000000000000000000000006D
64174+:10B3E000000000000000000000000000000000005D
64175+:10B3F000000000000000000000000000000000004D
64176+:10B40000000000000000000000000000000000003C
64177+:10B41000000000000000000000000000000000002C
64178+:10B42000000000000000000000000000000000001C
64179+:10B43000000000000000000000000000000000000C
64180+:10B4400000000000000000000000000000000000FC
64181+:10B4500000000000000000000000000000000000EC
64182+:10B4600000000000000000000000000000000000DC
64183+:10B4700000000000000000000000000000000000CC
64184+:10B4800000000000000000000000000000000000BC
64185+:10B4900000000000000000000000000000000000AC
64186+:10B4A000000000000000000000000000000000009C
64187+:10B4B000000000000000000000000000000000008C
64188+:10B4C000000000000000000000000000000000007C
64189+:10B4D000000000000000000000000000000000006C
64190+:10B4E000000000000000000000000000000000005C
64191+:10B4F000000000000000000000000000000000004C
64192+:10B50000000000000000000000000000000000003B
64193+:10B51000000000000000000000000000000000002B
64194+:10B52000000000000000000000000000000000001B
64195+:10B53000000000000000000000000000000000000B
64196+:10B5400000000000000000000000000000000000FB
64197+:10B5500000000000000000000000000000000000EB
64198+:10B5600000000000000000000000000000000000DB
64199+:10B5700000000000000000000000000000000000CB
64200+:10B5800000000000000000000000000000000000BB
64201+:10B5900000000000000000000000000000000000AB
64202+:10B5A000000000000000000000000000000000009B
64203+:10B5B000000000000000000000000000000000008B
64204+:10B5C000000000000000000000000000000000007B
64205+:10B5D000000000000000000000000000000000006B
64206+:10B5E000000000000000000000000000000000005B
64207+:10B5F000000000000000000000000000000000004B
64208+:10B60000000000000000000000000000000000003A
64209+:10B61000000000000000000000000000000000002A
64210+:10B62000000000000000000000000000000000001A
64211+:10B63000000000000000000000000000000000000A
64212+:10B6400000000000000000000000000000000000FA
64213+:10B6500000000000000000000000000000000000EA
64214+:10B6600000000000000000000000000000000000DA
64215+:10B6700000000000000000000000000000000000CA
64216+:10B6800000000000000000000000000000000000BA
64217+:10B6900000000000000000000000000000000000AA
64218+:10B6A000000000000000000000000000000000009A
64219+:10B6B000000000000000000000000000000000008A
64220+:10B6C000000000000000000000000000000000007A
64221+:10B6D000000000000000000000000000000000006A
64222+:10B6E000000000000000000000000000000000005A
64223+:10B6F000000000000000000000000000000000004A
64224+:10B700000000000000000000000000000000000039
64225+:10B710000000000000000000000000000000000029
64226+:10B720000000000000000000000000000000000019
64227+:10B730000000000000000000000000000000000009
64228+:10B7400000000000000000000000000000000000F9
64229+:10B7500000000000000000000000000000000000E9
64230+:10B7600000000000000000000000000000000000D9
64231+:10B7700000000000000000000000000000000000C9
64232+:10B7800000000000000000000000000000000000B9
64233+:10B7900000000000000000000000000000000000A9
64234+:10B7A0000000000000000000000000000000000099
64235+:10B7B0000000000000000000000000000000000089
64236+:10B7C0000000000000000000000000000000000079
64237+:10B7D0000000000000000000000000000000000069
64238+:10B7E0000000000000000000000000000000000059
64239+:10B7F0000000000000000000000000000000000049
64240+:10B800000000000000000000000000000000000038
64241+:10B810000000000000000000000000000000000028
64242+:10B820000000000000000000000000000000000018
64243+:10B830000000000000000000000000000000000008
64244+:10B8400000000000000000000000000000000000F8
64245+:10B8500000000000000000000000000000000000E8
64246+:10B8600000000000000000000000000000000000D8
64247+:10B8700000000000000000000000000000000000C8
64248+:10B8800000000000000000000000000000000000B8
64249+:10B8900000000000000000000000000000000000A8
64250+:10B8A0000000000000000000000000000000000098
64251+:10B8B0000000000000000000000000000000000088
64252+:10B8C0000000000000000000000000000000000078
64253+:10B8D0000000000000000000000000000000000068
64254+:10B8E0000000000000000000000000000000000058
64255+:10B8F0000000000000000000000000000000000048
64256+:10B900000000000000000000000000000000000037
64257+:10B910000000000000000000000000000000000027
64258+:10B920000000000000000000000000000000000017
64259+:10B930000000000000000000000000000000000007
64260+:10B9400000000000000000000000000000000000F7
64261+:10B9500000000000000000000000000000000000E7
64262+:10B9600000000000000000000000000000000000D7
64263+:10B9700000000000000000000000000000000000C7
64264+:10B9800000000000000000000000000000000000B7
64265+:10B9900000000000000000000000000000000000A7
64266+:10B9A0000000000000000000000000000000000097
64267+:10B9B0000000000000000000000000000000000087
64268+:10B9C0000000000000000000000000000000000077
64269+:10B9D0000000000000000000000000000000000067
64270+:10B9E0000000000000000000000000000000000057
64271+:10B9F0000000000000000000000000000000000047
64272+:10BA00000000000000000000000000000000000036
64273+:10BA10000000000000000000000000000000000026
64274+:10BA20000000000000000000000000000000000016
64275+:10BA30000000000000000000000000000000000006
64276+:10BA400000000000000000000000000000000000F6
64277+:10BA500000000000000000000000000000000000E6
64278+:10BA600000000000000000000000000000000000D6
64279+:10BA700000000000000000000000000000000000C6
64280+:10BA800000000000000000000000000000000000B6
64281+:10BA900000000000000000000000000000000000A6
64282+:10BAA0000000000000000000000000000000000096
64283+:10BAB0000000000000000000000000000000000086
64284+:10BAC0000000000000000000000000000000000076
64285+:10BAD0000000000000000000000000000000000066
64286+:10BAE0000000000000000000000000000000000056
64287+:10BAF0000000000000000000000000000000000046
64288+:10BB00000000000000000000000000000000000035
64289+:10BB10000000000000000000000000000000000025
64290+:10BB20000000000000000000000000000000000015
64291+:10BB30000000000000000000000000000000000005
64292+:10BB400000000000000000000000000000000000F5
64293+:10BB500000000000000000000000000000000000E5
64294+:10BB600000000000000000000000000000000000D5
64295+:10BB700000000000000000000000000000000000C5
64296+:10BB800000000000000000000000000000000000B5
64297+:10BB900000000000000000000000000000000000A5
64298+:10BBA0000000000000000000000000000000000095
64299+:10BBB0000000000000000000000000000000000085
64300+:10BBC0000000000000000000000000000000000075
64301+:10BBD0000000000000000000000000000000000065
64302+:10BBE0000000000000000000000000000000000055
64303+:10BBF0000000000000000000000000000000000045
64304+:10BC00000000000000000000000000000000000034
64305+:10BC10000000000000000000000000000000000024
64306+:10BC20000000000000000000000000000000000014
64307+:10BC30000000000000000000000000000000000004
64308+:10BC400000000000000000000000000000000000F4
64309+:10BC500000000000000000000000000000000000E4
64310+:10BC600000000000000000000000000000000000D4
64311+:10BC700000000000000000000000000000000000C4
64312+:10BC800000000000000000000000000000000000B4
64313+:10BC900000000000000000000000000000000000A4
64314+:10BCA0000000000000000000000000000000000094
64315+:10BCB0000000000000000000000000000000000084
64316+:10BCC0000000000000000000000000000000000074
64317+:10BCD0000000000000000000000000000000000064
64318+:10BCE0000000000000000000000000000000000054
64319+:10BCF0000000000000000000000000000000000044
64320+:10BD00000000000000000000000000000000000033
64321+:10BD10000000000000000000000000000000000023
64322+:10BD20000000000000000000000000000000000013
64323+:10BD30000000000000000000000000000000000003
64324+:10BD400000000000000000000000000000000000F3
64325+:10BD500000000000000000000000000000000000E3
64326+:10BD600000000000000000000000000000000000D3
64327+:10BD700000000000000000000000000000000000C3
64328+:10BD800000000000000000000000000000000000B3
64329+:10BD900000000000000000000000000000000000A3
64330+:10BDA0000000000000000000000000000000000093
64331+:10BDB0000000000000000000000000000000000083
64332+:10BDC0000000000000000000000000000000000073
64333+:10BDD0000000000000000000000000000000000063
64334+:10BDE0000000000000000000000000000000000053
64335+:10BDF0000000000000000000000000000000000043
64336+:10BE00000000000000000000000000000000000032
64337+:10BE10000000000000000000000000000000000022
64338+:10BE20000000000000000000000000000000000012
64339+:10BE30000000000000000000000000000000000002
64340+:10BE400000000000000000000000000000000000F2
64341+:10BE500000000000000000000000000000000000E2
64342+:10BE600000000000000000000000000000000000D2
64343+:10BE700000000000000000000000000000000000C2
64344+:10BE800000000000000000000000000000000000B2
64345+:10BE900000000000000000000000000000000000A2
64346+:10BEA0000000000000000000000000000000000092
64347+:10BEB0000000000000000000000000000000000082
64348+:10BEC0000000000000000000000000000000000072
64349+:10BED0000000000000000000000000000000000062
64350+:10BEE0000000000000000000000000000000000052
64351+:10BEF0000000000000000000000000000000000042
64352+:10BF00000000000000000000000000000000000031
64353+:10BF10000000000000000000000000000000000021
64354+:10BF20000000000000000000000000000000000011
64355+:10BF30000000000000000000000000000000000001
64356+:10BF400000000000000000000000000000000000F1
64357+:10BF500000000000000000000000000000000000E1
64358+:10BF600000000000000000000000000000000000D1
64359+:10BF700000000000000000000000000000000000C1
64360+:10BF800000000000000000000000000000000000B1
64361+:10BF900000000000000000000000000000000000A1
64362+:10BFA0000000000000000000000000000000000091
64363+:10BFB0000000000000000000000000000000000081
64364+:10BFC0000000000000000000000000000000000071
64365+:10BFD0000000000000000000000000000000000061
64366+:10BFE0000000000000000000000000000000000051
64367+:10BFF0000000000000000000000000000000000041
64368+:10C000000000000000000000000000000000000030
64369+:10C010000000000000000000000000000000000020
64370+:10C020000000000000000000000000000000000010
64371+:10C030000000000000000000000000000000000000
64372+:10C0400000000000000000000000000000000000F0
64373+:10C0500000000000000000000000000000000000E0
64374+:10C0600000000000000000000000000000000000D0
64375+:10C0700000000000000000000000000000000000C0
64376+:10C0800000000000000000000000000000000000B0
64377+:10C0900000000000000000000000000000000000A0
64378+:10C0A0000000000000000000000000000000000090
64379+:10C0B0000000000000000000000000000000000080
64380+:10C0C0000000000000000000000000000000000070
64381+:10C0D0000000000000000000000000000000000060
64382+:10C0E0000000000000000000000000000000000050
64383+:10C0F0000000000000000000000000000000000040
64384+:10C10000000000000000000000000000000000002F
64385+:10C11000000000000000000000000000000000001F
64386+:10C12000000000000000000000000000000000000F
64387+:10C1300000000000000000000000000000000000FF
64388+:10C1400000000000000000000000000000000000EF
64389+:10C1500000000000000000000000000000000000DF
64390+:10C1600000000000000000000000000000000000CF
64391+:10C1700000000000000000000000000000000000BF
64392+:10C1800000000000000000000000000000000000AF
64393+:10C19000000000000000000000000000000000009F
64394+:10C1A000000000000000000000000000000000008F
64395+:10C1B000000000000000000000000000000000007F
64396+:10C1C000000000000000000000000000000000006F
64397+:10C1D000000000000000000000000000000000005F
64398+:10C1E000000000000000000000000000000000004F
64399+:10C1F000000000000000000000000000000000003F
64400+:10C20000000000000000000000000000000000002E
64401+:10C21000000000000000000000000000000000001E
64402+:10C22000000000000000000000000000000000000E
64403+:10C2300000000000000000000000000000000000FE
64404+:10C2400000000000000000000000000000000000EE
64405+:10C2500000000000000000000000000000000000DE
64406+:10C2600000000000000000000000000000000000CE
64407+:10C2700000000000000000000000000000000000BE
64408+:10C2800000000000000000000000000000000000AE
64409+:10C29000000000000000000000000000000000009E
64410+:10C2A000000000000000000000000000000000008E
64411+:10C2B000000000000000000000000000000000007E
64412+:10C2C000000000000000000000000000000000006E
64413+:10C2D000000000000000000000000000000000005E
64414+:10C2E000000000000000000000000000000000004E
64415+:10C2F000000000000000000000000000000000003E
64416+:10C30000000000000000000000000000000000002D
64417+:10C31000000000000000000000000000000000001D
64418+:10C32000000000000000000000000000000000000D
64419+:10C3300000000000000000000000000000000000FD
64420+:10C3400000000000000000000000000000000000ED
64421+:10C3500000000000000000000000000000000000DD
64422+:10C3600000000000000000000000000000000000CD
64423+:10C3700000000000000000000000000000000000BD
64424+:10C3800000000000000000000000000000000000AD
64425+:10C39000000000000000000000000000000000009D
64426+:10C3A000000000000000000000000000000000008D
64427+:10C3B000000000000000000000000000000000007D
64428+:10C3C000000000000000000000000000000000006D
64429+:10C3D000000000000000000000000000000000005D
64430+:10C3E000000000000000000000000000000000004D
64431+:10C3F000000000000000000000000000000000003D
64432+:10C40000000000000000000000000000000000002C
64433+:10C41000000000000000000000000000000000001C
64434+:10C42000000000000000000000000000000000000C
64435+:10C4300000000000000000000000000000000000FC
64436+:10C4400000000000000000000000000000000000EC
64437+:10C4500000000000000000000000000000000000DC
64438+:10C4600000000000000000000000000000000000CC
64439+:10C4700000000000000000000000000000000000BC
64440+:10C4800000000000000000000000000000000000AC
64441+:10C49000000000000000000000000000000000009C
64442+:10C4A000000000000000000000000000000000008C
64443+:10C4B000000000000000000000000000000000007C
64444+:10C4C000000000000000000000000000000000006C
64445+:10C4D000000000000000000000000000000000005C
64446+:10C4E000000000000000000000000000000000004C
64447+:10C4F000000000000000000000000000000000003C
64448+:10C50000000000000000000000000000000000002B
64449+:10C51000000000000000000000000000000000001B
64450+:10C52000000000000000000000000000000000000B
64451+:10C5300000000000000000000000000000000000FB
64452+:10C5400000000000000000000000000000000000EB
64453+:10C5500000000000000000000000000000000000DB
64454+:10C5600000000000000000000000000000000000CB
64455+:10C5700000000000000000000000000000000000BB
64456+:10C5800000000000000000000000000000000000AB
64457+:10C59000000000000000000000000000000000009B
64458+:10C5A000000000000000000000000000000000008B
64459+:10C5B000000000000000000000000000000000007B
64460+:10C5C000000000000000000000000000000000006B
64461+:10C5D000000000000000000000000000000000005B
64462+:10C5E000000000000000000000000000000000004B
64463+:10C5F000000000000000000000000000000000003B
64464+:10C60000000000000000000000000000000000002A
64465+:10C61000000000000000000000000000000000001A
64466+:10C62000000000000000000000000000000000000A
64467+:10C6300000000000000000000000000000000000FA
64468+:10C6400000000000000000000000000000000000EA
64469+:10C6500000000000000000000000000000000000DA
64470+:10C6600000000000000000000000000000000000CA
64471+:10C6700000000000000000000000000000000000BA
64472+:10C6800000000000000000000000000000000000AA
64473+:10C69000000000000000000000000000000000009A
64474+:10C6A000000000000000000000000000000000008A
64475+:10C6B000000000000000000000000000000000007A
64476+:10C6C000000000000000000000000000000000006A
64477+:10C6D000000000000000000000000000000000005A
64478+:10C6E000000000000000000000000000000000004A
64479+:10C6F000000000000000000000000000000000003A
64480+:10C700000000000000000000000000000000000029
64481+:10C710000000000000000000000000000000000019
64482+:10C720000000000000000000000000000000000009
64483+:10C7300000000000000000000000000000000000F9
64484+:10C7400000000000000000000000000000000000E9
64485+:10C7500000000000000000000000000000000000D9
64486+:10C7600000000000000000000000000000000000C9
64487+:10C7700000000000000000000000000000000000B9
64488+:10C7800000000000000000000000000000000000A9
64489+:10C790000000000000000000000000000000000099
64490+:10C7A0000000000000000000000000000000000089
64491+:10C7B0000000000000000000000000000000000079
64492+:10C7C0000000000000000000000000000000000069
64493+:10C7D0000000000000000000000000000000000059
64494+:10C7E0000000000000000000000000000000000049
64495+:10C7F0000000000000000000000000000000000039
64496+:10C800000000000000000000000000000000000028
64497+:10C810000000000000000000000000000000000018
64498+:10C820000000000000000000000000000000000008
64499+:10C8300000000000000000000000000000000000F8
64500+:10C8400000000000000000000000000000000000E8
64501+:10C8500000000000000000000000000000000000D8
64502+:10C8600000000000000000000000000000000000C8
64503+:10C8700000000000000000000000000000000000B8
64504+:10C8800000000000000000000000000000000000A8
64505+:10C890000000000000000000000000000000000098
64506+:10C8A0000000000000000000000000000000000088
64507+:10C8B0000000000000000000000000000000000078
64508+:10C8C0000000000000000000000000000000000068
64509+:10C8D0000000000000000000000000000000000058
64510+:10C8E0000000000000000000000000000000000048
64511+:10C8F0000000000000000000000000000000000038
64512+:10C900000000000000000000000000000000000027
64513+:10C910000000000000000000000000000000000017
64514+:10C920000000000000000000000000000000000007
64515+:10C9300000000000000000000000000000000000F7
64516+:10C9400000000000000000000000000000000000E7
64517+:10C9500000000000000000000000000000000000D7
64518+:10C9600000000000000000000000000000000000C7
64519+:10C9700000000000000000000000000000000000B7
64520+:10C9800000000000000000000000000000000000A7
64521+:10C990000000000000000000000000000000000097
64522+:10C9A0000000000000000000000000000000000087
64523+:10C9B0000000000000000000000000000000000077
64524+:10C9C0000000000000000000000000000000000067
64525+:10C9D0000000000000000000000000000000000057
64526+:10C9E0000000000000000000000000000000000047
64527+:10C9F0000000000000000000000000000000000037
64528+:10CA00000000000000000000000000000000000026
64529+:10CA10000000000000000000000000000000000016
64530+:10CA20000000000000000000000000000000000006
64531+:10CA300000000000000000000000000000000000F6
64532+:10CA400000000000000000000000000000000000E6
64533+:10CA500000000000000000000000000000000000D6
64534+:10CA600000000000000000000000000000000000C6
64535+:10CA700000000000000000000000000000000000B6
64536+:10CA800000000000000000000000000000000000A6
64537+:10CA90000000000000000000000000000000000096
64538+:10CAA0000000000000000000000000000000000086
64539+:10CAB0000000000000000000000000000000000076
64540+:10CAC0000000000000000000000000000000000066
64541+:10CAD0000000000000000000000000000000000056
64542+:10CAE0000000000000000000000000000000000046
64543+:10CAF0000000000000000000000000000000000036
64544+:10CB00000000000000000000000000000000000025
64545+:10CB10000000000000000000000000000000000015
64546+:10CB20000000000000000000000000000000000005
64547+:10CB300000000000000000000000000000000000F5
64548+:10CB400000000000000000000000000000000000E5
64549+:10CB500000000000000000000000000000000000D5
64550+:10CB600000000000000000000000000000000000C5
64551+:10CB700000000000000000000000000000000000B5
64552+:10CB800000000000000000000000000000000000A5
64553+:10CB90000000000000000000000000000000000095
64554+:10CBA0000000000000000000000000000000000085
64555+:10CBB0000000000000000000000000000000000075
64556+:10CBC0000000000000000000000000000000000065
64557+:10CBD0000000000000000000000000000000000055
64558+:10CBE0000000000000000000000000000000000045
64559+:10CBF0000000000000000000000000000000000035
64560+:10CC00000000000000000000000000000000000024
64561+:10CC10000000000000000000000000000000000014
64562+:10CC20000000000000000000000000000000000004
64563+:10CC300000000000000000000000000000000000F4
64564+:10CC400000000000000000000000000000000000E4
64565+:10CC500000000000000000000000000000000000D4
64566+:10CC600000000000000000000000000000000000C4
64567+:10CC700000000000000000000000000000000000B4
64568+:10CC800000000000000000000000000000000000A4
64569+:10CC90000000000000000000000000000000000094
64570+:10CCA0000000000000000000000000000000000084
64571+:10CCB0000000000000000000000000000000000074
64572+:10CCC0000000000000000000000000000000000064
64573+:10CCD0000000000000000000000000000000000054
64574+:10CCE0000000000000000000000000000000000044
64575+:10CCF0000000000000000000000000000000000034
64576+:10CD00000000000000000000000000000000000023
64577+:10CD10000000000000000000000000000000000013
64578+:10CD20000000000000000000000000000000000003
64579+:10CD300000000000000000000000000000000000F3
64580+:10CD400000000000000000000000000000000000E3
64581+:10CD500000000000000000000000000000000000D3
64582+:10CD600000000000000000000000000000000000C3
64583+:10CD700000000000000000000000000000000000B3
64584+:10CD800000000000000000000000000000000000A3
64585+:10CD90000000000000000000000000000000000093
64586+:10CDA0000000000000000000000000000000000083
64587+:10CDB0000000000000000000000000000000000073
64588+:10CDC0000000000000000000000000000000000063
64589+:10CDD0000000000000000000000000000000000053
64590+:10CDE0000000000000000000000000000000000043
64591+:10CDF0000000000000000000000000000000000033
64592+:10CE00000000000000000000000000000000000022
64593+:10CE10000000000000000000000000000000000012
64594+:10CE20000000000000000000000000000000000002
64595+:10CE300000000000000000000000000000000000F2
64596+:10CE400000000000000000000000000000000000E2
64597+:10CE500000000000000000000000000000000000D2
64598+:10CE600000000000000000000000000000000000C2
64599+:10CE700000000000000000000000000000000000B2
64600+:10CE800000000000000000000000000000000000A2
64601+:10CE90000000000000000000000000000000000092
64602+:10CEA0000000000000000000000000000000000082
64603+:10CEB0000000000000000000000000000000000072
64604+:10CEC0000000000000000000000000000000000062
64605+:10CED0000000000000000000000000000000000052
64606+:10CEE0000000000000000000000000000000000042
64607+:10CEF0000000000000000000000000000000000032
64608+:10CF00000000000000000000000000000000000021
64609+:10CF10000000000000000000000000000000000011
64610+:10CF20000000000000000000000000000000000001
64611+:10CF300000000000000000000000000000000000F1
64612+:10CF400000000000000000000000000000000000E1
64613+:10CF500000000000000000000000000000000000D1
64614+:10CF600000000000000000000000000000000000C1
64615+:10CF700000000000000000000000000000000000B1
64616+:10CF800000000000000000000000000000000000A1
64617+:10CF90000000000000000000000000000000000091
64618+:10CFA0000000000000000000000000000000000081
64619+:10CFB0000000000000000000000000000000000071
64620+:10CFC0000000000000000000000000000000000061
64621+:10CFD0000000000000000000000000000000000051
64622+:10CFE0000000000000000000000000000000000041
64623+:10CFF0000000000000000000000000000000000031
64624+:10D000000000000000000000000000000000000020
64625+:10D010000000000000000000000000000000000010
64626+:10D020000000000000000000000000000000000000
64627+:10D0300000000000000000000000000000000000F0
64628+:10D0400000000000000000000000000000000000E0
64629+:10D0500000000000000000000000000000000000D0
64630+:10D0600000000000000000000000000000000000C0
64631+:10D0700000000000000000000000000000000000B0
64632+:10D0800000000000000000000000000000000000A0
64633+:10D090000000000000000000000000000000000090
64634+:10D0A0000000000000000000000000000000000080
64635+:10D0B0000000000000000000000000000000000070
64636+:10D0C0000000000000000000000000000000000060
64637+:10D0D0000000000000000000000000000000000050
64638+:10D0E0000000000000000000000000000000000040
64639+:10D0F0000000000000000000000000000000000030
64640+:10D10000000000000000000000000000000000001F
64641+:10D11000000000000000000000000000000000000F
64642+:10D1200000000000000000000000000000000000FF
64643+:10D1300000000000000000000000000000000000EF
64644+:10D1400000000000000000000000000000000000DF
64645+:10D1500000000000000000000000000000000000CF
64646+:10D1600000000000000000000000000000000000BF
64647+:10D1700000000000000000000000000000000000AF
64648+:10D18000000000000000000000000000000000009F
64649+:10D19000000000000000000000000000000000008F
64650+:10D1A000000000000000000000000000000000007F
64651+:10D1B000000000000000000000000000000000006F
64652+:10D1C000000000000000000000000000000000005F
64653+:10D1D000000000000000000000000000000000004F
64654+:10D1E000000000000000000000000000000000003F
64655+:10D1F000000000000000000000000000000000002F
64656+:10D20000000000000000000000000000000000001E
64657+:10D21000000000000000000000000000000000000E
64658+:10D2200000000000000000000000000000000000FE
64659+:10D2300000000000000000000000000000000000EE
64660+:10D2400000000000000000000000000000000000DE
64661+:10D2500000000000000000000000000000000000CE
64662+:10D2600000000000000000000000000000000000BE
64663+:10D2700000000000000000000000000000000000AE
64664+:10D28000000000000000000000000000000000009E
64665+:10D29000000000000000000000000000000000008E
64666+:10D2A000000000000000000000000000000000007E
64667+:10D2B000000000000000000000000000000000006E
64668+:10D2C000000000000000000000000000000000005E
64669+:10D2D000000000000000000000000000000000004E
64670+:10D2E000000000000000000000000000000000003E
64671+:10D2F000000000000000000000000000000000002E
64672+:10D30000000000000000000000000000000000001D
64673+:10D31000000000000000000000000000000000000D
64674+:10D3200000000000000000000000000000000000FD
64675+:10D3300000000000000000000000000000000000ED
64676+:10D3400000000000000000000000000000000000DD
64677+:10D3500000000000000000000000000000000000CD
64678+:10D3600000000000000000000000000000000000BD
64679+:10D3700000000000000000000000000000000000AD
64680+:10D38000000000000000000000000000000000009D
64681+:10D39000000000000000000000000000000000008D
64682+:10D3A000000000000000000000000000000000007D
64683+:10D3B000000000000000000000000000000000006D
64684+:10D3C000000000000000000000000000000000005D
64685+:10D3D000000000000000000000000000000000004D
64686+:10D3E000000000000000000000000000000000003D
64687+:10D3F000000000000000000000000000000000002D
64688+:10D40000000000000000000000000000000000001C
64689+:10D41000000000000000000000000000000000000C
64690+:10D4200000000000000000000000000000000000FC
64691+:10D4300000000000000000000000000000000000EC
64692+:10D4400000000000000000000000000000000000DC
64693+:10D4500000000000000000000000000000000000CC
64694+:10D4600000000000000000000000000000000000BC
64695+:10D4700000000000000000000000000000000000AC
64696+:10D48000000000000000000000000000000000009C
64697+:10D49000000000000000000000000000000000008C
64698+:10D4A000000000000000000000000000000000007C
64699+:10D4B000000000000000000000000000000000006C
64700+:10D4C000000000000000000000000000000000005C
64701+:10D4D000000000000000000000000000000000004C
64702+:10D4E000000000000000000000000000000000003C
64703+:10D4F000000000000000000000000000000000002C
64704+:10D50000000000000000000000000000000000001B
64705+:10D51000000000000000000000000000000000000B
64706+:10D5200000000000000000000000000000000000FB
64707+:10D5300000000000000000000000000000000000EB
64708+:10D5400000000000000000000000000000000000DB
64709+:10D5500000000000000000000000000000000000CB
64710+:10D5600000000000000000000000000000000000BB
64711+:10D5700000000000000000000000000000000000AB
64712+:10D58000000000000000000000000000000000009B
64713+:10D59000000000000000008000000000000000000B
64714+:10D5A000000000000000000000000000000000007B
64715+:10D5B00000000000000000000000000A0000000061
64716+:10D5C0000000000000000000100000030000000048
64717+:10D5D0000000000D0000000D3C02080024427340D2
64718+:10D5E0003C030800246377CCAC4000000043202BB0
64719+:10D5F0001480FFFD244200043C1D080037BD7FFC61
64720+:10D6000003A0F0213C100800261032103C1C08003A
64721+:10D61000279C73400E0010FE000000000000000D6B
64722+:10D6200030A5FFFF30C600FF274301808F4201B8BD
64723+:10D630000440FFFE24020002AC640000A465000860
64724+:10D64000A066000AA062000B3C021000AC67001844
64725+:10D6500003E00008AF4201B83C0360008C624FF861
64726+:10D660000440FFFE3C020200AC644FC0AC624FC4F9
64727+:10D670003C02100003E00008AC624FF89482000CFA
64728+:10D680002486001400A0382100021302000210803A
64729+:10D690000082402100C8102B1040005700000000FD
64730+:10D6A00090C300002C6200095040005190C200015C
64731+:10D6B000000310803C030800246372F00043102133
64732+:10D6C0008C420000004000080000000090C30001F0
64733+:10D6D0002402000A1462003A000000000106102330
64734+:10D6E0002C42000A1440003624C600028CE20000DE
64735+:10D6F00034420100ACE2000090C2000090C300017F
64736+:10D7000090C4000290C5000300031C000002160034
64737+:10D710000043102500042200004410250045102578
64738+:10D7200024C60004ACE2000490C2000090C30001D3
64739+:10D7300090C4000290C500030002160000031C0004
64740+:10D740000043102500042200004410250045102548
64741+:10D7500024C600040A000CB8ACE2000890C3000123
64742+:10D76000240200041462001624C6000290C20000C5
64743+:10D7700090C400018CE30000000212000044102558
64744+:10D780003463000424C60002ACE2000C0A000CB8AA
64745+:10D79000ACE3000090C300012402000314620008FF
64746+:10D7A00024C600028CE2000090C3000024C60001E1
64747+:10D7B00034420008A0E300100A000CB8ACE20000FC
64748+:10D7C00003E000082402000190C3000124020002CB
64749+:10D7D0001062000224C40002010020210A000CB8DB
64750+:10D7E000008030210A000CB824C6000190C200015C
64751+:10D7F0000A000CB800C2302103E00008000010212C
64752+:10D8000027BDFFE8AFBF0014AFB000100E00130239
64753+:10D8100000808021936200052403FFFE0200202186
64754+:10D82000004310248FBF00148FB00010A3620005C6
64755+:10D830000A00130B27BD001827BDFFE8AFB000108A
64756+:10D84000AFBF00140E000F3C0080802193620000E7
64757+:10D8500024030050304200FF14430004240201005E
64758+:10D86000AF4201800A000D3002002021AF4001804C
64759+:10D87000020020218FBF00148FB000100A000FE7B4
64760+:10D8800027BD001827BDFF80AFBE0078AFB700747A
64761+:10D89000AFB20060AFBF007CAFB60070AFB5006C38
64762+:10D8A000AFB40068AFB30064AFB1005CAFB0005874
64763+:10D8B0008F5001283C0208008C4231A02403FF80D5
64764+:10D8C0009365003F0202102100431024AF42002460
64765+:10D8D0003C0208008C4231A09364000530B200FF86
64766+:10D8E000020210213042007F034218210004202749
64767+:10D8F0003C02000A0062182130840001AF8300144A
64768+:10D900000000F0210000B82114800053AFA00050A7
64769+:10D9100093430116934401128F450104306300FFC5
64770+:10D920003C020001308400FF00A2282403431021A0
64771+:10D9300003441821245640002467400014A001CD60
64772+:10D940002402000193620000304300FF2402002003
64773+:10D950001062000524020050106200060000000062
64774+:10D960000A000D74000000000000000D0A000D7D8B
64775+:10D97000AFA000303C1E080027DE738C0A000D7D2E
64776+:10D98000AFA000303C0208008C4200DC24420001C1
64777+:10D990003C010800AC2200DC0E00139F00000000D8
64778+:10D9A0000A000F318FBF007C8F4201043C0300202E
64779+:10D9B00092D3000D004310240002202B00042140CC
64780+:10D9C000AFA400308F4301043C02004000621824E1
64781+:10D9D000146000023485004000802821326200205B
64782+:10D9E000AFA500301440000234A6008000A0302112
64783+:10D9F00010C0000BAFA6003093C500088F67004C25
64784+:10DA00000200202100052B0034A5008130A5F08103
64785+:10DA10000E000C9B30C600FF0A000F2E0000000015
64786+:10DA20009362003E304200401040000F2402000488
64787+:10DA300056420007240200120200202100E02821A3
64788+:10DA40000E0013F702C030210A000F318FBF007C97
64789+:10DA500016420005000000000E000D2100002021EC
64790+:10DA60000A000F318FBF007C9743011A96C4000E45
64791+:10DA700093620035326500043075FFFF00442004D6
64792+:10DA8000AFA400548ED1000410A000158ED400085D
64793+:10DA90009362003E3042004010400007000000004A
64794+:10DAA0000E0013E0022020211040000D00000000B5
64795+:10DAB0000A000F2E000000008F6200440222102393
64796+:10DAC0000440016A000000008F6200480222102317
64797+:10DAD00004410166240400160A000E218FC20004CE
64798+:10DAE0008F6200480222102304400008000000005A
64799+:10DAF0003C0208008C423100244200013C01080035
64800+:10DB0000AC2231000A000F23000000008F620040A9
64801+:10DB100002221023184000128F8400143C020800D7
64802+:10DB20008C423100327300FC0000A8212442000125
64803+:10DB30003C010800AC2231008F6300409482011C3C
64804+:10DB4000022318233042FFFF0043102A50400010E8
64805+:10DB50002402000C8F6200400A000DF20222102302
64806+:10DB60009483011C9762003C0043102B1040000678
64807+:10DB7000000000009482011C00551023A482011CA7
64808+:10DB80000A000DF72402000CA480011C2402000CE2
64809+:10DB9000AFA200308F620040005120231880000D9A
64810+:10DBA00002A4102A1440012600000000149500066B
64811+:10DBB00002A410233A620001304200011440012007
64812+:10DBC0000000000002A41023022488210A000E098C
64813+:10DBD0003055FFFF00002021326200021040001A81
64814+:10DBE000326200109362003E30420040504000110B
64815+:10DBF0008FC200040E00130202002021240200182C
64816+:10DC0000A362003F936200052403FFFE020020216F
64817+:10DC1000004310240E00130BA362000524040039F6
64818+:10DC2000000028210E0013C9240600180A000F3036
64819+:10DC300024020001240400170040F809000000003D
64820+:10DC40000A000F302402000110400108000000000B
64821+:10DC50008F63004C8F620054028210231C4001032A
64822+:10DC600002831023044200010060A021AFA4001829
64823+:10DC7000AFB10010AFB50014934201208F65004092
64824+:10DC80009763003C304200FF034210210044102102
64825+:10DC90008FA400543063FFFF244240000083182B00
64826+:10DCA0008FA40030AFA20020AFA50028008320255C
64827+:10DCB000AFA40030AFA50024AFA0002CAFB4003457
64828+:10DCC0009362003E30420008504000118FC20000B5
64829+:10DCD00002C0202127A500380E000CB2AFA00038EA
64830+:10DCE0005440000B8FC200008FA200383042010068
64831+:10DCF000504000078FC200008FA3003C8F6200607D
64832+:10DD00000062102304430001AF6300608FC2000073
64833+:10DD10000040F80927A400108FA200303042000212
64834+:10DD200054400001327300FE9362003E30420040D6
64835+:10DD3000104000378FA200248F6200541682001A10
64836+:10DD40003262000124020014124200102A4200151F
64837+:10DD500010400006240200162402000C12420007A4
64838+:10DD6000326200010A000E7D000000001242000530
64839+:10DD7000326200010A000E7D000000000A000E78E9
64840+:10DD80002417000E0A000E78241700100A000E7CDB
64841+:10DD900024170012936200232403FFBD00431024C4
64842+:10DDA000A362002332620001104000198FA20024F8
64843+:10DDB0002402000C1242000E2A42000D1040000600
64844+:10DDC0002402000E2402000A124200078FA200243F
64845+:10DDD0000A000E9524420001124200088FA200247E
64846+:10DDE0000A000E95244200010A000E932417000831
64847+:10DDF0002402000E16E20002241700162417001059
64848+:10DE00008FA2002424420001AFA200248FA200248C
64849+:10DE10008FA300148F76004000431021AF620040B2
64850+:10DE20008F8200149442011C104000090000000081
64851+:10DE30008F6200488F6400409763003C00441023C9
64852+:10DE40003063FFFF0043102A104000088FA20054E7
64853+:10DE5000936400368F6300403402FFFC008210049C
64854+:10DE600000621821AF6300488FA200548FA60030D3
64855+:10DE70000282902130C200081040000E0000000015
64856+:10DE80008F6200581642000430C600FF9742011A04
64857+:10DE90005040000134C6001093C500088FA700341D
64858+:10DEA0000200202100052B0034A500800E000C9BF1
64859+:10DEB00030A5F0808F620040005610231840001BF0
64860+:10DEC0008FA200183C0208008C42319830420010AA
64861+:10DED0001040000D24020001976200681440000AFF
64862+:10DEE000240200018F8200149442011C1440000699
64863+:10DEF00024020001A76200689742007A244200646D
64864+:10DF00000A000EE9A7620012A76200120E001302B7
64865+:10DF1000020020219362007D2403000102002021E1
64866+:10DF2000344200010A000EE7AFA300501840000A77
64867+:10DF3000000000000E001302020020219362007D09
64868+:10DF40002403000102002021AFA30050344200044A
64869+:10DF50000E00130BA362007D9362003E304200402E
64870+:10DF60001440000C326200011040000A0000000062
64871+:10DF70008F6300408FC20004240400182463000152
64872+:10DF80000040F809AF6300408FA200300A000F3054
64873+:10DF9000304200048F620058105200100000000050
64874+:10DFA0008F620018022210231C4000082404000184
64875+:10DFB0008F62001816220009000000008F62001C0A
64876+:10DFC000028210230440000500000000AF720058D8
64877+:10DFD000AFA40050AF710018AF74001C12E0000B2A
64878+:10DFE0008FA200500E00130202002021A377003FF1
64879+:10DFF0000E00130B0200202102E030212404003720
64880+:10E000000E0013C9000028218FA200501040000309
64881+:10E01000000000000E000CA90200202112A0000543
64882+:10E02000000018218FA2003030420004504000113F
64883+:10E0300000601021240300010A000F30006010214D
64884+:10E040000E001302020020219362007D02002021B5
64885+:10E05000344200040E00130BA362007D0E000CA9D5
64886+:10E06000020020210A000F3024020001AF400044CA
64887+:10E07000240200018FBF007C8FBE00788FB7007430
64888+:10E080008FB600708FB5006C8FB400688FB30064DA
64889+:10E090008FB200608FB1005C8FB0005803E00008C1
64890+:10E0A00027BD00808F4201B80440FFFE2402080013
64891+:10E0B000AF4201B803E00008000000003C02000885
64892+:10E0C00003421021944200483084FFFF2484001250
64893+:10E0D0003045FFFF10A0001700A4102B10400016C1
64894+:10E0E00024020003934201202403001AA343018B5E
64895+:10E0F000304200FF2446FFFE8F82000000A6182B4E
64896+:10E100003863000100021382004310241040000510
64897+:10E110008F84000434820001A746019403E00008C4
64898+:10E12000AF8200042402FFFE0082102403E00008F6
64899+:10E13000AF8200042402000303E00008A342018B25
64900+:10E1400027BDFFE0AFB10014AFB00010AFBF0018A3
64901+:10E1500030B0FFFF30D1FFFF8F4201B80440FFFE17
64902+:10E1600000000000AF440180AF4400200E000F42C9
64903+:10E17000020020218F8300008F840004A750019AA1
64904+:10E18000A750018EA74301908F8300083082800042
64905+:10E19000AF4301A8A75101881040000E8F820004F0
64906+:10E1A00093420116304200FC24420004005A102120
64907+:10E1B0008C4240003042FFFF144000068F82000472
64908+:10E1C0003C02FFFF34427FFF00821024AF82000434
64909+:10E1D0008F8200042403BFFF00431024A74201A63E
64910+:10E1E0009743010C8F42010400031C003042FFFFE3
64911+:10E1F00000621825AF4301AC3C021000AF4201B8E9
64912+:10E200008FBF00188FB100148FB0001003E000081A
64913+:10E2100027BD00208F470070934201128F830000BA
64914+:10E2200027BDFFF0304200FF00022882306201006B
64915+:10E23000000030211040004324A40003306240005D
64916+:10E24000104000103062200000041080005A10219D
64917+:10E250008C43400024A4000400041080AFA30000FD
64918+:10E26000005A10218C424000AFA2000493420116D4
64919+:10E27000304200FC005A10218C4240000A000FC0BE
64920+:10E28000AFA200081040002F0000302100041080D1
64921+:10E29000005A10218C43400024A400040004108084
64922+:10E2A000AFA30000005A10218C424000AFA000082C
64923+:10E2B000AFA200048FA80008000030210000202138
64924+:10E2C000240A00083C0908002529010003A41021A4
64925+:10E2D000148A000300042A001100000A0000000054
64926+:10E2E00090420000248400012C83000C00A2102125
64927+:10E2F00000021080004910218C4200001460FFF3DE
64928+:10E3000000C230263C0408008C8431048F42007027
64929+:10E310002C83002010600009004738233C030800CC
64930+:10E32000246331080004108000431021248300017D
64931+:10E33000AC4700003C010800AC233104AF86000864
64932+:10E340002406000100C0102103E0000827BD0010D2
64933+:10E350003C0208008C42003827BDFFD0AFB5002436
64934+:10E36000AFB40020AFB10014AFBF0028AFB3001CA2
64935+:10E37000AFB20018AFB00010000088213C150800B3
64936+:10E3800026B50038144000022454FFFF0000A021ED
64937+:10E390009742010E8F8400003042FFFF308340001F
64938+:10E3A0001060000A245200043C0200200082102465
64939+:10E3B00050400007308280008F8200042403BFFF9A
64940+:10E3C000008318240A0010103442100030828000AC
64941+:10E3D0001040000A3C020020008210241040000778
64942+:10E3E0008F8200043C03FFFF34637FFF0083182407
64943+:10E3F00034428000AF820004AF8300000E000F980B
64944+:10E400000000000014400007000000009743011EB8
64945+:10E410009742011C3063FFFF0002140000621825C0
64946+:10E42000AF8300089742010C8F4340003045FFFF47
64947+:10E430003402FFFF14620003000000000A001028ED
64948+:10E44000241100208F42400030420100544000015E
64949+:10E45000241100108F8400003082100050400014FE
64950+:10E4600036310001308200201440000B3C021000C5
64951+:10E47000008210245040000E363100013C030E0093
64952+:10E480003C020DFF008318243442FFFF0043102B91
64953+:10E4900050400007363100013C0208008C42002C3D
64954+:10E4A000244200013C010800AC22002C363100055A
64955+:10E4B0003C0608008CC6003454C000238F85000041
64956+:10E4C0008F820004304240005440001F8F850000BE
64957+:10E4D0003C021F01008210243C0310005443001A28
64958+:10E4E0008F85000030A20200144000178F850000C5
64959+:10E4F0003250FFFF363100028F4201B80440FFFE68
64960+:10E5000000000000AF400180020020210E000F42F9
64961+:10E51000AF4000208F8300042402BFFFA750019A60
64962+:10E52000006218248F820000A750018EA751018835
64963+:10E53000A74301A6A74201903C021000AF4201B8D8
64964+:10E540000A0010F5000010213C02100000A2102467
64965+:10E550001040003A0000000010C0000F0000000052
64966+:10E5600030A201001040000C3C0302003C020F00EE
64967+:10E5700000A2102410430008000000008F82000851
64968+:10E58000005410240055102190420004244200043D
64969+:10E590000A00109F000221C00000000000051602C2
64970+:10E5A0003050000F3A0300022E4203EF38420001C0
64971+:10E5B0002C6300010062182414600073240200011F
64972+:10E5C0003C0308008C6300D02E06000C386200016A
64973+:10E5D0002C4200010046102414400015001021C0F8
64974+:10E5E0002602FFFC2C4200045440001100002021B0
64975+:10E5F000386200022C420001004610241040000343
64976+:10E60000000512420A00109F000020210010182B64
64977+:10E610000043102450400006001021C000002021BB
64978+:10E620003245FFFF0E000F633226FFFB001021C0B2
64979+:10E630003245FFFF0A0010F2362600028F424000EA
64980+:10E640003C0308008C630024304201001040004667
64981+:10E6500030620001322200043070000D14400002CC
64982+:10E660002413000424130002000512C238420001E2
64983+:10E670002E4303EF304200013863000100431025B0
64984+:10E68000104000033231FFFB2402FFFB0202802412
64985+:10E6900010C000183202000130A201001040001525
64986+:10E6A000320200013C020F0000A210243C030200D1
64987+:10E6B0001043000F8F8200082403FFFE0203802412
64988+:10E6C00000541024005510219042000402333025DC
64989+:10E6D0002442000412000002000221C03226FFFF83
64990+:10E6E0000E000F633245FFFF1200002700001021CB
64991+:10E6F000320200011040000D320200042402000129
64992+:10E7000012020002023330253226FFFF00002021D2
64993+:10E710000E000F633245FFFF2402FFFE0202802439
64994+:10E7200012000019000010213202000410400016EF
64995+:10E7300024020001240200041202000202333025E8
64996+:10E740003226FFFF3245FFFF0E000F632404010055
64997+:10E750002402FFFB020280241200000B00001021A3
64998+:10E760000A0010F5240200011040000700001021EB
64999+:10E770003245FFFF36260002000020210E000F6305
65000+:10E7800000000000000010218FBF00288FB500247A
65001+:10E790008FB400208FB3001C8FB200188FB100140B
65002+:10E7A0008FB0001003E0000827BD003027BDFFD068
65003+:10E7B000AFB000103C04600CAFBF002CAFB6002817
65004+:10E7C000AFB50024AFB40020AFB3001CAFB2001847
65005+:10E7D000AFB100148C8250002403FF7F3C1A8000EC
65006+:10E7E000004310243442380CAC8250002402000351
65007+:10E7F0003C106000AF4200088E0208083C1B8008F5
65008+:10E800003C010800AC2000203042FFF038420010EC
65009+:10E810002C4200010E001B8DAF8200183C04FFFF4C
65010+:10E820003C020400348308063442000CAE0219484E
65011+:10E83000AE03194C3C0560168E0219808CA30000B3
65012+:10E840003442020000641824AE0219803C02535383
65013+:10E850001462000334A47C008CA200040050202128
65014+:10E860008C82007C8C830078AF820010AF83000C18
65015+:10E870008F55000032A200031040FFFD32A20001BC
65016+:10E880001040013D32A200028F420128AF42002019
65017+:10E890008F4201048F430100AF8200000E000F3C45
65018+:10E8A000AF8300043C0208008C4200C01040000806
65019+:10E8B0008F8400003C0208008C4200C42442000106
65020+:10E8C0003C010800AC2200C40A00126900000000EC
65021+:10E8D0003C020010008210241440010C8F830004BD
65022+:10E8E0003C0208008C4200203C0308008C63003886
65023+:10E8F00000008821244200013C010800AC220020D5
65024+:10E900003C16080026D60038146000022474FFFF6D
65025+:10E910000000A0219742010E308340003042FFFFEB
65026+:10E920001060000A245200043C02002000821024DF
65027+:10E9300050400007308280008F8200042403BFFF14
65028+:10E94000008318240A0011703442100030828000C5
65029+:10E950001040000A3C0200200082102410400007F2
65030+:10E960008F8200043C03FFFF34637FFF0083182481
65031+:10E9700034428000AF820004AF8300000E000F9885
65032+:10E980000000000014400007000000009743011E33
65033+:10E990009742011C3063FFFF00021400006218253B
65034+:10E9A000AF8300089742010C8F4340003045FFFFC2
65035+:10E9B0003402FFFF14620003000000000A00118807
65036+:10E9C000241100208F4240003042010054400001D9
65037+:10E9D000241100108F840000308210005040001479
65038+:10E9E00036310001308200201440000B3C02100040
65039+:10E9F000008210245040000E363100013C030E000E
65040+:10EA00003C020DFF008318243442FFFF0043102B0B
65041+:10EA100050400007363100013C0208008C42002CB7
65042+:10EA2000244200013C010800AC22002C36310005D4
65043+:10EA30003C0608008CC6003454C000238F850000BB
65044+:10EA40008F820004304240005440001F8F85000038
65045+:10EA50003C021F01008210243C0310005443001AA2
65046+:10EA60008F85000030A20200144000178F8500003F
65047+:10EA70003250FFFF363100028F4201B80440FFFEE2
65048+:10EA800000000000AF400180020020210E000F4274
65049+:10EA9000AF4000208F8300042402BFFFA750019ADB
65050+:10EAA000006218248F820000A750018EA7510188B0
65051+:10EAB000A74301A6A74201903C021000AF4201B853
65052+:10EAC0000A001267000010213C02100000A210246E
65053+:10EAD0001040003A0000000010C0000F00000000CD
65054+:10EAE00030A201001040000C3C0302003C020F0069
65055+:10EAF00000A2102410430008000000008F820008CC
65056+:10EB000000541024005610219042000424420004B6
65057+:10EB10000A0011FF000221C00000000000051602DB
65058+:10EB20003050000F3A0300022E4203EF384200013A
65059+:10EB30002C63000100621824146000852402000187
65060+:10EB40003C0308008C6300D02E06000C38620001E4
65061+:10EB50002C4200010046102414400015001021C072
65062+:10EB60002602FFFC2C42000454400011000020212A
65063+:10EB7000386200022C42000100461024504000037D
65064+:10EB8000000512420A0011FF000020210010182B7E
65065+:10EB90000043102450400006001021C00000202136
65066+:10EBA0003245FFFF0E000F633226FFFB001021C02D
65067+:10EBB0003245FFFF0A001252362600028F42400003
65068+:10EBC0003C0308008C6300243042010010400046E2
65069+:10EBD00030620001322200043070000D1440000247
65070+:10EBE0002413000424130002000512C2384200015D
65071+:10EBF0002E4303EF3042000138630001004310252B
65072+:10EC0000104000033231FFFB2402FFFB020280248C
65073+:10EC100010C000183202000130A20100104000159F
65074+:10EC2000320200013C020F0000A210243C0302004B
65075+:10EC30001043000F8F8200082403FFFE020380248C
65076+:10EC40000054102400561021904200040233302555
65077+:10EC50002442000412000002000221C03226FFFFFD
65078+:10EC60000E000F633245FFFF120000390000102133
65079+:10EC7000320200011040000D3202000424020001A3
65080+:10EC800012020002023330253226FFFF000020214D
65081+:10EC90000E000F633245FFFF2402FFFE02028024B4
65082+:10ECA0001200002B00001021320200041040002846
65083+:10ECB0002402000124020004120200020233302563
65084+:10ECC0003226FFFF3245FFFF0E000F6324040100D0
65085+:10ECD0002402FFFB020280241200001D000010210C
65086+:10ECE0000A001267240200015040001900001021A0
65087+:10ECF0003245FFFF36260002000020210E000F6380
65088+:10ED0000000000000A001267000010212402BFFF6B
65089+:10ED1000006210241040000800000000240287FF59
65090+:10ED200000621024144000083C020060008210249D
65091+:10ED300010400005000000000E000D34000000002F
65092+:10ED40000A001267000000000E0012C70000000059
65093+:10ED5000104000063C0240008F4301243C0260202A
65094+:10ED6000AC430014000000003C024000AF420138F8
65095+:10ED70000000000032A200021040FEBD00000000B2
65096+:10ED80008F4201403C044000AF4200208F430148C5
65097+:10ED90003C02700000621824106400420000000071
65098+:10EDA0000083102B144000063C0260003C0220004F
65099+:10EDB000106200073C0240000A0012C3000000007D
65100+:10EDC0001062003C3C0240000A0012C30000000038
65101+:10EDD0008F4501408F4601448F42014800021402D2
65102+:10EDE000304300FF240200041462000A274401801B
65103+:10EDF0008F4201B80440FFFE2402001CAC850000D5
65104+:10EE0000A082000B3C021000AF4201B80A0012C3FE
65105+:10EE10003C0240002402000914620012000616029F
65106+:10EE2000000229C0AF4500208F4201B80440FFFE18
65107+:10EE30002402000124030003AF450180A343018B9A
65108+:10EE4000A740018EA740019AA7400190AF4001A8BA
65109+:10EE5000A7420188A74201A6AF4001AC3C021000C6
65110+:10EE6000AF4201B88F4201B80440FFFE000000002D
65111+:10EE7000AC8500008F42014800021402A482000801
65112+:10EE800024020002A082000B8F420148A4820010DD
65113+:10EE90003C021000AC860024AF4201B80A0012C345
65114+:10EEA0003C0240000E001310000000000A0012C3D4
65115+:10EEB0003C0240000E001BC2000000003C0240006B
65116+:10EEC000AF420178000000000A00112F000000008E
65117+:10EED0008F4201003042003E144000112402000124
65118+:10EEE000AF4000488F420100304207C0104000058B
65119+:10EEF00000000000AF40004CAF40005003E00008AD
65120+:10EF000024020001AF400054AF4000408F42010096
65121+:10EF10003042380054400001AF4000442402000158
65122+:10EF200003E00008000000008F4201B80440FFFE2B
65123+:10EF300024020001AF440180AF400184A74501884D
65124+:10EF4000A342018A24020002A342018B9742014A94
65125+:10EF500014C00004A7420190AF4001A40A0012EFC0
65126+:10EF60003C0210008F420144AF4201A43C02100059
65127+:10EF7000AF4001A803E00008AF4201B88F4201B8DA
65128+:10EF80000440FFFE24020002AF440180AF4401842C
65129+:10EF9000A7450188A342018AA342018B9742014AF7
65130+:10EFA000A7420190AF4001A48F420144AF4201A8A3
65131+:10EFB0003C02100003E00008AF4201B83C029000A0
65132+:10EFC0003442000100822025AF4400208F420020FF
65133+:10EFD0000440FFFE0000000003E000080000000005
65134+:10EFE0003C028000344200010082202503E000083A
65135+:10EFF000AF44002027BDFFE8AFBF0014AFB0001042
65136+:10F000008F50014093430149934201489344014882
65137+:10F01000306300FF304200FF00021200006228252A
65138+:10F020002402001910620076308400802862001AE1
65139+:10F030001040001C24020020240200081062007707
65140+:10F04000286200091040000E2402000B2402000177
65141+:10F0500010620034286200025040000524020006BD
65142+:10F0600050600034020020210A00139A00000000C2
65143+:10F0700010620030020020210A00139A00000000F4
65144+:10F080001062003B2862000C504000022402000E77
65145+:10F090002402000910620056020020210A00139A7F
65146+:10F0A0000000000010620056286200211040000F8E
65147+:10F0B000240200382402001C106200582862001D3F
65148+:10F0C000104000062402001F2402001B1062004CA6
65149+:10F0D000000000000A00139A000000001062004ABD
65150+:10F0E000020020210A00139A00000000106200456F
65151+:10F0F0002862003910400007240200802462FFCB00
65152+:10F100002C42000210400045020020210A00139604
65153+:10F110000000302110620009000000000A00139A6C
65154+:10F12000000000001480003D020020210A0013901E
65155+:10F130008FBF00140A001396240600018F4201B805
65156+:10F140000440FFFE24020002A342018BA745018870
65157+:10F150009742014AA74201908F420144A74201927F
65158+:10F160003C021000AF4201B80A00139C8FBF00148C
65159+:10F170009742014A144000290000000093620005F4
65160+:10F180003042000414400025000000000E0013026D
65161+:10F190000200202193620005020020213442000475
65162+:10F1A0000E00130BA36200059362000530420004B9
65163+:10F1B00014400002000000000000000D93620000F7
65164+:10F1C00024030020304200FF14430014000000001C
65165+:10F1D0008F4201B80440FFFE24020005AF500180B9
65166+:10F1E000A342018B3C0210000A00139AAF4201B8FF
65167+:10F1F0008FBF00148FB000100A0012F227BD001854
65168+:10F200000000000D02002021000030218FBF0014FB
65169+:10F210008FB000100A0012DD27BD00180000000D9D
65170+:10F220008FBF00148FB0001003E0000827BD001846
65171+:10F2300027BDFFE8AFBF00100E000F3C000000002C
65172+:10F24000AF4001808FBF0010000020210A000FE7AF
65173+:10F2500027BD00183084FFFF30A5FFFF00001821F4
65174+:10F260001080000700000000308200011040000202
65175+:10F2700000042042006518210A0013AB0005284055
65176+:10F2800003E000080060102110C0000624C6FFFF44
65177+:10F290008CA2000024A50004AC8200000A0013B573
65178+:10F2A0002484000403E000080000000010A000080F
65179+:10F2B00024A3FFFFAC860000000000000000000057
65180+:10F2C0002402FFFF2463FFFF1462FFFA248400047A
65181+:10F2D00003E0000800000000308300FF30A500FFBD
65182+:10F2E00030C600FF274701808F4201B80440FFFE6F
65183+:10F2F000000000008F42012834634000ACE20000AF
65184+:10F3000024020001ACE00004A4E30008A0E2000A2B
65185+:10F3100024020002A0E2000B3C021000A4E5001051
65186+:10F32000ACE00024ACE00028A4E6001203E00008F2
65187+:10F33000AF4201B827BDFFE8AFBF00109362003FA6
65188+:10F3400024030012304200FF1043000D00803021E2
65189+:10F350008F620044008210230440000A8FBF001017
65190+:10F360008F620048240400390000282100C21023C5
65191+:10F3700004410004240600120E0013C9000000001E
65192+:10F380008FBF00102402000103E0000827BD001811
65193+:10F3900027BDFFC8AFB20030AFB1002CAFBF003403
65194+:10F3A000AFB0002890C5000D0080902130A400105F
65195+:10F3B0001080000B00C088218CC300088F620054AD
65196+:10F3C0001062000730A20005144000B524040001BB
65197+:10F3D0000E000D21000020210A0014BB0040202156
65198+:10F3E00030A200051040000930A30012108000ACCC
65199+:10F3F000240400018E2300088F620054146200A9C7
65200+:10F400008FBF00340A00142C240400382402001298
65201+:10F41000146200A3240400010220202127A500106B
65202+:10F420000E000CB2AFA000101040001102402021CD
65203+:10F430008E220008AF620084AF6000400E0013020D
65204+:10F44000000000009362007D024020213442002031
65205+:10F450000E00130BA362007D0E000CA902402021B8
65206+:10F46000240400382405008D0A0014B82406001274
65207+:10F470009362003E304200081040000F8FA200103F
65208+:10F4800030420100104000078FA300148F6200601B
65209+:10F490000062102304430008AF6300600A001441B7
65210+:10F4A00000000000AF6000609362003E2403FFF79D
65211+:10F4B00000431024A362003E9362003E30420008E5
65212+:10F4C000144000022406000300003021936200343F
65213+:10F4D000936300378F640084304200FF306300FF85
65214+:10F4E00000661821000318800043282100A4202B67
65215+:10F4F0001080000B000000009763003C8F620084C6
65216+:10F500003063FFFF004510230062182B14600004D5
65217+:10F51000000000008F6200840A00145D0045802313
65218+:10F520009762003C3050FFFF8FA300103062000450
65219+:10F5300010400004000628808FA2001C0A001465F9
65220+:10F540000202102B2E02021850400003240202185F
65221+:10F550000A00146E020510233063000410600003DB
65222+:10F56000004510238FA2001C00451023004080217D
65223+:10F570002C42008054400001241000800E00130231
65224+:10F580000240202124020001AF62000C9362003E81
65225+:10F59000001020403042007FA362003E8E22000413
65226+:10F5A00024420001AF620040A770003C8F6200500F
65227+:10F5B0009623000E00431021AF6200588F62005066
65228+:10F5C00000441021AF62005C8E220004AF6200187C
65229+:10F5D0008E220008AF62001C8FA20010304200088B
65230+:10F5E0005440000A93A20020A360003693620036C4
65231+:10F5F0002403FFDFA36200359362003E0043102422
65232+:10F60000A362003E0A0014988E220008A36200350F
65233+:10F610008E220008AF62004C8F6200248F6300408E
65234+:10F6200000431021AF6200489362000024030050A1
65235+:10F63000304200FF144300122403FF803C02080004
65236+:10F640008C4231A00242102100431024AF42002816
65237+:10F650003C0208008C4231A08E2400083C03000CC0
65238+:10F66000024210213042007F03421021004310214A
65239+:10F67000AC4400D88E230008AF820014AC4300DCF9
65240+:10F680000E00130B02402021240400380000282122
65241+:10F690002406000A0E0013C9000000002404000123
65242+:10F6A0008FBF00348FB200308FB1002C8FB0002894
65243+:10F6B0000080102103E0000827BD003827BDFFF8B7
65244+:10F6C00027420180AFA20000308A00FF8F4201B8BC
65245+:10F6D0000440FFFE000000008F4601283C020800A5
65246+:10F6E0008C4231A02403FF80AF86004800C2102165
65247+:10F6F00000431024AF4200243C0208008C4231A099
65248+:10F700008FA900008FA8000000C210213042007FA6
65249+:10F71000034218213C02000A00621821946400D4BC
65250+:10F720008FA700008FA5000024020002AF83001401
65251+:10F73000A0A2000B8FA30000354260003084FFFFC1
65252+:10F74000A4E200083C021000AD260000AD04000455
65253+:10F75000AC60002427BD0008AF4201B803E00008F8
65254+:10F76000240200018F88003C938200288F830014BC
65255+:10F770003C07080024E7779800481023304200FF38
65256+:10F78000304900FC246500888F860040304A000321
65257+:10F790001120000900002021248200048CA3000015
65258+:10F7A000304400FF0089102AACE3000024A50004C7
65259+:10F7B0001440FFF924E70004114000090000202153
65260+:10F7C0002482000190A30000304400FF008A102B27
65261+:10F7D000A0E3000024A500011440FFF924E7000184
65262+:10F7E00030C20003144000048F85003C3102000346
65263+:10F7F0001040000D0000000010A0000900002021B2
65264+:10F800002482000190C30000304400FF0085102BCB
65265+:10F81000A0E3000024C600011440FFF924E7000122
65266+:10F8200003E00008000000001100FFFD000020219F
65267+:10F83000248200048CC30000304400FF0088102B99
65268+:10F84000ACE3000024C600041440FFF924E70004E0
65269+:10F8500003E00008000000008F83003C9382002832
65270+:10F8600030C600FF30A500FF00431023304300FFE7
65271+:10F870008F820014008038210043102114C0000240
65272+:10F88000244800880083382130E20003144000053A
65273+:10F8900030A2000314400003306200031040000D4A
65274+:10F8A0000000000010A000090000202124820001B7
65275+:10F8B00090E30000304400FF0085102BA1030000FE
65276+:10F8C00024E700011440FFF92508000103E00008C7
65277+:10F8D0000000000010A0FFFD000020212482000491
65278+:10F8E0008CE30000304400FF0085102BAD030000C6
65279+:10F8F00024E700041440FFF92508000403E0000891
65280+:10F90000000000000080482130AAFFFF30C600FF41
65281+:10F9100030E7FFFF274801808F4201B80440FFFE17
65282+:10F920008F820048AD0200008F420124AD02000426
65283+:10F930008D220020A5070008A102000A240200165B
65284+:10F94000A102000B934301208D2200088D240004A6
65285+:10F95000306300FF004310219783003A00441021D8
65286+:10F960008D250024004310233C0308008C6331A044
65287+:10F970008F840014A502000C246300E82402FFFF1A
65288+:10F98000A50A000EA5030010A5060012AD0500187B
65289+:10F99000AD020024948201142403FFF73042FFFFDC
65290+:10F9A000AD0200288C820118AD02002C3C02100030
65291+:10F9B000AD000030AF4201B88D220020004310247A
65292+:10F9C00003E00008AD2200208F82001430E7FFFF23
65293+:10F9D00000804821904200D330A5FFFF30C600FFD1
65294+:10F9E0000002110030420F0000E238252748018054
65295+:10F9F0008F4201B80440FFFE8F820048AD02000034
65296+:10FA00008F420124AD0200048D220020A5070008CA
65297+:10FA1000A102000A24020017A102000B9343012057
65298+:10FA20008D2200088D240004306300FF0043102164
65299+:10FA30009783003A004410218F8400140043102360
65300+:10FA40003C0308008C6331A0A502000CA505000E44
65301+:10FA5000246300E8A5030010A5060012AD00001401
65302+:10FA60008D220024AD0200188C82005CAD02001CC7
65303+:10FA70008C820058AD0200202402FFFFAD0200245A
65304+:10FA8000948200E63042FFFFAD02002894820060BD
65305+:10FA9000948300BE30427FFF3063FFFF00021200FC
65306+:10FAA00000431021AD02002C3C021000AD000030DC
65307+:10FAB000AF4201B8948200BE2403FFF700A21021D8
65308+:10FAC000A48200BE8D2200200043102403E0000821
65309+:10FAD000AD220020274301808F4201B80440FFFE81
65310+:10FAE0008F8200249442001C3042FFFF000211C0AC
65311+:10FAF000AC62000024020019A062000B3C0210005E
65312+:10FB0000AC60003003E00008AF4201B88F87002CE2
65313+:10FB100030C300FF8F4201B80440FFFE8F820048CF
65314+:10FB200034636000ACA2000093820044A0A20005F0
65315+:10FB30008CE20010A4A20006A4A300088C8200207E
65316+:10FB40002403FFF7A0A2000A24020002A0A2000BD7
65317+:10FB50008CE20000ACA200108CE20004ACA2001405
65318+:10FB60008CE2001CACA200248CE20020ACA2002895
65319+:10FB70008CE2002CACA2002C8C820024ACA20018D9
65320+:10FB80003C021000AF4201B88C82002000431024D8
65321+:10FB900003E00008AC8200208F86001427BDFFE838
65322+:10FBA000AFBF0014AFB0001090C20063304200201D
65323+:10FBB0001040000830A500FF8CC2007C2403FFDF4A
65324+:10FBC00024420001ACC2007C90C2006300431024B8
65325+:10FBD000A0C2006310A000238F830014275001806F
65326+:10FBE000020028210E0015D6240600828F82001400
65327+:10FBF000904200633042004050400019A38000440E
65328+:10FC00008F83002C8F4201B80440FFFE8F82004892
65329+:10FC1000AE02000024026082A60200082402000254
65330+:10FC2000A202000B8C620008AE0200108C62000C75
65331+:10FC3000AE0200148C620014AE0200188C62001830
65332+:10FC4000AE0200248C620024AE0200288C620028E0
65333+:10FC5000AE02002C3C021000AF4201B8A380004469
65334+:10FC60008F8300148FBF00148FB000109062006368
65335+:10FC700027BD00183042007FA06200639782003ADF
65336+:10FC80008F86003C8F850014938300280046102344
65337+:10FC9000A782003AA4A000E490A400638F820040F1
65338+:10FCA000AF83003C2403FFBF0046102100832024C3
65339+:10FCB000AF820040A0A400638F820014A04000BD6A
65340+:10FCC0008F82001403E00008A44000BE8F8A001455
65341+:10FCD00027BDFFE0AFB10014AFB000108F88003C2B
65342+:10FCE000AFBF00189389001C954200E430D100FF9B
65343+:10FCF0000109182B0080802130AC00FF3047FFFF46
65344+:10FD00000000582114600003310600FF012030215B
65345+:10FD1000010958239783003A0068102B1440003CD7
65346+:10FD20000000000014680007240200018E02002079
65347+:10FD30002403FFFB34E7800000431024AE020020C0
65348+:10FD40002402000134E70880158200053165FFFFB9
65349+:10FD50000E001554020020210A00169102002021F5
65350+:10FD60000E001585020020218F8400482743018062
65351+:10FD70008F4201B80440FFFE24020018AC6400006A
65352+:10FD8000A062000B8F840014948200E6A46200102D
65353+:10FD90003C021000AC600030AF4201B894820060B9
65354+:10FDA00024420001A4820060948200603C030800A9
65355+:10FDB0008C63318830427FFF5443000F02002021C2
65356+:10FDC000948200602403800000431024A482006019
65357+:10FDD0009082006090830060304200FF000211C2F8
65358+:10FDE00000021027000211C03063007F0062182556
65359+:10FDF000A083006002002021022028218FBF00186C
65360+:10FE00008FB100148FB000100A0015F927BD002033
65361+:10FE1000914200632403FF8000431025A142006348
65362+:10FE20009782003A3048FFFF110000209383001CA6
65363+:10FE30008F840014004B1023304600FF948300E4AD
65364+:10FE40002402EFFF0168282B00621824A48300E439
65365+:10FE500014A000038E020020010058210000302170
65366+:10FE60002403FFFB34E7800000431024AE0200208F
65367+:10FE700024020001158200053165FFFF0E001554B4
65368+:10FE8000020020210A0016B99783003A0E0015855A
65369+:10FE9000020020219783003A8F82003CA780003A1D
65370+:10FEA00000431023AF82003C9383001C8F82001418
65371+:10FEB0008FBF00188FB100148FB0001027BD002035
65372+:10FEC00003E00008A04300BD938200442403000126
65373+:10FED00027BDFFE8004330042C420020AFB00010E3
65374+:10FEE000AFBF00142410FFFE10400005274501801D
65375+:10FEF0003C0208008C4231900A0016D600461024BD
65376+:10FF00003C0208008C423194004610241440000743
65377+:10FF1000240600848F8300142410FFFF9062006287
65378+:10FF20003042000F34420040A06200620E0015D63D
65379+:10FF300000000000020010218FBF00148FB00010DD
65380+:10FF400003E0000827BD00188F83002427BDFFE0D1
65381+:10FF5000AFB20018AFB10014AFB00010AFBF001CBB
65382+:10FF60009062000D00A0902130D100FF3042007F50
65383+:10FF7000A062000D8F8500148E4300180080802140
65384+:10FF80008CA2007C146200052402000E90A2006383
65385+:10FF9000344200200A0016FFA0A200630E0016C51E
65386+:10FFA000A38200442403FFFF104300472404FFFF03
65387+:10FFB00052200045000020218E4300003C0200102A
65388+:10FFC00000621024504000043C020008020020217E
65389+:10FFD0000A00170E24020015006210245040000988
65390+:10FFE0008E45000002002021240200140E0016C5D8
65391+:10FFF000A38200442403FFFF104300332404FFFFC7
65392+:020000021000EC
65393+:100000008E4500003C02000200A2102410400016A1
65394+:100010003C0200048F8600248CC200148CC30010A4
65395+:100020008CC40014004310230044102B50400005E2
65396+:10003000020020218E43002C8CC2001010620003AD
65397+:10004000020020210A00173F240200123C02000493
65398+:1000500000A210245040001C00002021020020219A
65399+:100060000A00173F2402001300A2102410400006CB
65400+:100070008F8300248C620010504000130000202168
65401+:100080000A001739020020218C6200105040000441
65402+:100090008E42002C020020210A00173F240200118A
65403+:1000A00050400009000020210200202124020017F6
65404+:1000B0000E0016C5A38200442403FFFF1043000274
65405+:1000C0002404FFFF000020218FBF001C8FB2001806
65406+:1000D0008FB100148FB000100080102103E00008E1
65407+:1000E00027BD00208F83001427BDFFD8AFB40020A8
65408+:1000F000AFB3001CAFB20018AFB10014AFB0001026
65409+:10010000AFBF0024906200638F91002C2412FFFF88
65410+:100110003442004092250000A06200638E2200104D
65411+:100120000080982130B0003F105200060360A021EB
65412+:100130002402000D0E0016C5A38200441052005484
65413+:100140002404FFFF8F8300148E2200188C63007C30
65414+:1001500010430007026020212402000E0E0016C585
65415+:10016000A38200442403FFFF104300492404FFFF3F
65416+:1001700024040020120400048F83001490620063A2
65417+:1001800034420020A06200638F85003410A000205C
65418+:1001900000000000560400048F8200140260202139
65419+:1001A0000A0017902402000A9683000A9442006015
65420+:1001B0003042FFFF144300048F8200202404FFFD1F
65421+:1001C0000A0017B7AF82003C3C0208008C42318C19
65422+:1001D0000045102B14400006026020210000282159
65423+:1001E0000E001646240600010A0017B70000202161
65424+:1001F0002402002D0E0016C5A38200442403FFFF35
65425+:10020000104300232404FFFF0A0017B70000202139
65426+:10021000160400058F8400148E2300142402FFFFAF
65427+:100220005062001802602021948200602442000184
65428+:10023000A4820060948200603C0308008C633188D3
65429+:1002400030427FFF5443000F0260202194820060FF
65430+:100250002403800000431024A48200609082006088
65431+:1002600090830060304200FF000211C2000210279C
65432+:10027000000211C03063007F00621825A083006077
65433+:10028000026020210E0015F9240500010000202144
65434+:100290008FBF00248FB400208FB3001C8FB20018D2
65435+:1002A0008FB100148FB000100080102103E000080F
65436+:1002B00027BD00288F83001427BDFFE8AFB00010D2
65437+:1002C000AFBF0014906200638F87002C00808021F4
65438+:1002D000344200408CE60010A06200633C0308003A
65439+:1002E0008C6331B030C23FFF0043102B1040004EF2
65440+:1002F0008F8500302402FF8090A3000D004310245E
65441+:10030000304200FF504000490200202100061382C5
65442+:10031000304800032402000255020044020020215C
65443+:1003200094A2001C8F85001424030023A4A20114AE
65444+:100330008CE60000000616023042003F1043001019
65445+:100340003C0300838CE300188CA2007C1062000642
65446+:100350002402000E0E0016C5A38200442403FFFFF2
65447+:10036000104300382404FFFF8F8300149062006361
65448+:1003700034420020A06200630A0017FC8F8300242F
65449+:1003800000C31024144300078F83002490A200624E
65450+:100390003042000F34420020A0A20062A38800383F
65451+:1003A0008F8300249062000D3042007FA062000D18
65452+:1003B0008F83003410600018020020218F840030E9
65453+:1003C0008C8200100043102B1040000924020018FA
65454+:1003D000020020210E0016C5A38200442403FFFF63
65455+:1003E000104300182404FFFF0A00182400002021F5
65456+:1003F0008C820010240500010200202100431023FC
65457+:100400008F830024240600010E001646AC62001003
65458+:100410000A001824000020210E0015F9240500010F
65459+:100420000A00182400002021020020212402000DCF
65460+:100430008FBF00148FB0001027BD00180A0016C52A
65461+:10044000A38200448FBF00148FB0001000801021E1
65462+:1004500003E0000827BD001827BDFFC8AFB2002089
65463+:10046000AFBF0034AFB60030AFB5002CAFB400283A
65464+:10047000AFB30024AFB1001CAFB000188F46012805
65465+:100480003C0308008C6331A02402FF80AF86004843
65466+:1004900000C318213065007F03452821006218241D
65467+:1004A0003C02000AAF43002400A2282190A200626F
65468+:1004B00000809021AF850014304200FF000211023D
65469+:1004C000A382003890A200BC304200021440000217
65470+:1004D00024030034240300308F820014A3830028F7
65471+:1004E000938300388C4200C0A3800044AF82003C5C
65472+:1004F000240200041062031C8F84003C8E4400041C
65473+:10050000508003198F84003C8E4200103083FFFF1F
65474+:10051000A784003A106002FFAF8200408F8400146D
65475+:100520002403FF809082006300621024304200FFA9
65476+:10053000144002CF9785003A9383003824020002CA
65477+:1005400030B6FFFF14620005000088219382002866
65478+:100550002403FFFD0A001B19AF82003C8F82003C80
65479+:1005600002C2102B144002A18F8400400E0014EC34
65480+:1005700000000000938300283C040800248477983E
65481+:10058000240200341462002EAF84002C3C0A0800C0
65482+:100590008D4A77C82402FFFFAFA2001000803821E7
65483+:1005A0002405002F3C09080025297398240800FF22
65484+:1005B0002406FFFF90E2000024A3FFFF00062202B2
65485+:1005C00000C21026304200FF0002108000491021B6
65486+:1005D0008C420000306500FF24E7000114A8FFF5FD
65487+:1005E0000082302600061027AFA20014AFA2001030
65488+:1005F0000000282127A7001027A6001400C51023FB
65489+:100600009044000324A2000100A71821304500FFF8
65490+:100610002CA200041440FFF9A06400008FA2001077
65491+:100620001142000724020005024020210E0016C5D9
65492+:10063000A38200442403FFFF104300642404FFFF4F
65493+:100640003C0208009042779C104000098F82001401
65494+:10065000024020212402000C0E0016C5A382004493
65495+:100660002403FFFF104300592404FFFF8F8200146E
65496+:10067000A380001C3C0308008C63779C8C440080A2
65497+:100680003C0200FF3442FFFF006218240083202B4D
65498+:1006900010800008AF83003402402021240200199A
65499+:1006A0000E0016C5A38200442403FFFF1043004739
65500+:1006B0002404FFFF8F87003C9782003A8F85003427
65501+:1006C000AF8700200047202310A0003BA784003AFA
65502+:1006D0008F86001430A200030002102390C300BCD8
65503+:1006E0003050000300B0282100031882307300014D
65504+:1006F0000013108000A228213C0308008C6331A065
65505+:100700008F8200483084FFFF0085202B004310219A
65506+:1007100010800011244200888F84002C1082000E6B
65507+:100720003C033F013C0208008C42779800431024B0
65508+:100730003C0325001443000630E500FF8C820000D6
65509+:10074000ACC200888C8200100A0018E9ACC2009884
65510+:100750000E001529000030219382001C8F850014A3
65511+:100760008F830040020238218F82003CA387001C47
65512+:1007700094A400E4006218218F82003434841000B5
65513+:10078000AF83004000503021A4A400E41260000EAA
65514+:10079000AF86003C24E20004A382001C94A200E483
65515+:1007A00024C30004AF83003C34422000A4A200E430
65516+:1007B0000A001906000020218F820040AF80003C13
65517+:1007C00000471021AF820040000020212414FFFFC9
65518+:1007D000109402112403FFFF3C0808008D0877A83D
65519+:1007E0003C0208008C4231B03C03080090637798CB
65520+:1007F00031043FFF0082102B1040001B3067003F88
65521+:100800003C0208008C4231A88F83004800042180FC
65522+:1008100000621821006418213062007F0342282101
65523+:100820003C02000C00A228213C020080344200015E
65524+:100830003066007800C230252402FF800062102458
65525+:10084000AF42002830640007AF4208048F820014D2
65526+:100850000344202124840940AF460814AF850024B6
65527+:10086000AF840030AC4301189383003824020003A6
65528+:10087000146201CF240200012402002610E201D1FB
65529+:1008800028E2002710400013240200322402002234
65530+:1008900010E201CC28E200231040000824020024CA
65531+:1008A0002402002010E201B82402002110E20147D6
65532+:1008B000024020210A001AFB2402000B10E201C1B1
65533+:1008C0002402002510E20010024020210A001AFB39
65534+:1008D0002402000B10E201AE28E2003310400006B3
65535+:1008E0002402003F2402003110E2009A024020213D
65536+:1008F0000A001AFB2402000B10E201A5024020218D
65537+:100900000A001AFB2402000B8F90002C3C03080005
65538+:100910008C6331B08F8500308E0400100000A82158
65539+:100920008CB3001430823FFF0043102B8CB10020A9
65540+:100930005040018F0240202190A3000D2402FF802F
65541+:1009400000431024304200FF504001890240202122
65542+:10095000000413823042000314400185024020212C
65543+:1009600094A3001C8F8200148E040028A443011459
65544+:100970008CA20010026218231064000302402021A0
65545+:100980000A00197C2402001F8F82003400621021AB
65546+:100990000262102B104000088F83002402402021A7
65547+:1009A000240200180E0016C5A382004410540174DE
65548+:1009B0002404FFFF8F8300248F8400348C62001096
65549+:1009C0000224882100441023AC6200108F8200149E
65550+:1009D000AC7100208C4200680051102B10400009BF
65551+:1009E0008F830030024020212402001D0E0016C516
65552+:1009F000A38200442403FFFF104301612404FFFF8E
65553+:100A00008F8300308E0200248C6300241043000783
65554+:100A1000024020212402001C0E0016C5A3820044BF
65555+:100A20002403FFFF104301562404FFFF8F8400249A
65556+:100A30008C82002424420001AC8200241233000482
65557+:100A40008F8200148C4200685622000E8E02000035
65558+:100A50008E0200003C030080004310241440000D6F
65559+:100A60002402001A024020210E0016C5A382004471
65560+:100A70002403FFFF104301422404FFFF0A0019BAB8
65561+:100A80008E0200143C0300800043102450400003F9
65562+:100A90008E020014AC8000208E0200142411FFFF8F
65563+:100AA0001051000E3C0308003C0208008C423190BB
65564+:100AB000004310242403001B14400007A3830044B8
65565+:100AC0000E0016C5024020211051012D2404FFFF05
65566+:100AD0000A0019CB8E030000A38000448E0300009F
65567+:100AE0003C02000100621024104000123C02008011
65568+:100AF0000062102414400008024020212402001A41
65569+:100B00000E0016C5A38200442403FFFF1043011CFE
65570+:100B10002404FFFF02402021020028210E0016E5D8
65571+:100B2000240600012403FFFF104301152404FFFFE6
65572+:100B3000241500018F83002402A0302102402021CF
65573+:100B40009462003624050001244200010A001ADFE5
65574+:100B5000A46200368F90002C3C0308008C6331B0F7
65575+:100B60008E13001032623FFF0043102B10400089AB
65576+:100B70008F8400302402FF809083000D00431024F6
65577+:100B8000304200FF104000842402000D0013138245
65578+:100B900030420003240300011443007F2402000DAF
65579+:100BA0009082000D30420008544000048F820034CF
65580+:100BB000024020210A001A102402002450400004A0
65581+:100BC0008E03000C024020210A001A102402002784
65582+:100BD0008C82002054620006024020218E0300080F
65583+:100BE0008C820024506200098E02001402402021F1
65584+:100BF000240200200E0016C5A38200441054007188
65585+:100C00002403FFFF0A001A458F8400242411FFFFEC
65586+:100C1000145100048F860014024020210A001A405B
65587+:100C2000240200258E0300188CC2007C1062000391
65588+:100C30002402000E0A001A40024020218E030024E4
65589+:100C40008C82002810620003240200210A001A404E
65590+:100C5000024020218E0500288C82002C10A2000367
65591+:100C60002402001F0A001A40024020218E03002C9B
65592+:100C700014600003240200230A001A4002402021CD
65593+:100C80008CC200680043102B104000032402002691
65594+:100C90000A001A40024020218C82001400651821AD
65595+:100CA0000043102B104000088F84002402402021B4
65596+:100CB000240200220E0016C5A382004410510041F8
65597+:100CC0002403FFFF8F8400242403FFF79082000D8C
65598+:100CD00000431024A082000D8F8600143C030800FE
65599+:100CE0008C6331AC8F82004894C400E08F8500246F
65600+:100CF0000043102130847FFF000420400044102175
65601+:100D00003043007F034320213C03000E0083202159
65602+:100D10002403FF8000431024AF42002CA493000062
65603+:100D20008CA2002824420001ACA200288CA2002C36
65604+:100D30008E03002C00431021ACA2002C8E02002C4C
65605+:100D4000ACA200308E020014ACA2003494A2003A8F
65606+:100D500024420001A4A2003A94C600E03C0208002C
65607+:100D60008C4231B024C4000130837FFF1462000F35
65608+:100D700000803021240280000082302430C2FFFF36
65609+:100D8000000213C2304200FF000210270A001A7E40
65610+:100D9000000233C02402000D024020210E0016C5BF
65611+:100DA000A38200440A001A84004018218F82001494
65612+:100DB00002402021240500010E0015F9A44600E0A0
65613+:100DC000000018210A001B16006088218F90002C5B
65614+:100DD0003C0308008C6331B08E05001030A23FFF49
65615+:100DE0000043102B104000612402FF808F840030EC
65616+:100DF0009083000D00431024304200FF5040005CFF
65617+:100E0000024020218F8200341040000B0005138225
65618+:100E10008F8200149763000A944200603042FFFF03
65619+:100E200014430005000513828F8200202404FFFD77
65620+:100E30000A001AF3AF82003C304200031440000E57
65621+:100E40000000000092020002104000058E03002402
65622+:100E500050600015920300030A001AAF02402021DF
65623+:100E60008C82002450620010920300030240202173
65624+:100E70000A001AB72402000F9082000D30420008C9
65625+:100E80005440000992030003024020212402001074
65626+:100E90000E0016C5A38200442403FFFF1043003850
65627+:100EA0002404FFFF92030003240200025462000C9A
65628+:100EB000920200038F820034544000099202000322
65629+:100EC000024020212402002C0E0016C5A3820044FB
65630+:100ED0002403FFFF1043002A2404FFFF92020003B3
65631+:100EE0000200282102402021384600102CC60001B3
65632+:100EF0002C4200010E0016E5004630252410FFFFAD
65633+:100F00001050001F2404FFFF8F8300341060001373
65634+:100F1000024020213C0208008C42318C0043102BFF
65635+:100F200014400007000000000000282124060001F2
65636+:100F30000E001646000000000A001AF300002021EF
65637+:100F40002402002D0E0016C5A38200441050000C90
65638+:100F50002404FFFF0A001AF3000020210E0015F9F7
65639+:100F6000240500010A001AF300002021024020217C
65640+:100F70002402000D0E0016C5A3820044004020216B
65641+:100F80000A001B16008088211514000E00000000C6
65642+:100F90000E00174C024020210A001B160040882139
65643+:100FA0000E0016C5A38200440A001B1600408821CB
65644+:100FB00014620017022018212402002314E2000505
65645+:100FC0002402000B0E0017C0024020210A001B164D
65646+:100FD0000040882102402021A38200440E0016C553
65647+:100FE0002411FFFF0A001B170220182130A500FF63
65648+:100FF0000E001529240600019783003A8F82003CD9
65649+:10100000A780003A00431023AF82003C0220182141
65650+:101010001220003E9782003A2402FFFD5462003EF7
65651+:101020008E4300208E4200048F830014005610234C
65652+:10103000AE420004906200633042007FA062006311
65653+:101040008E4200208F840014A780003A34420002B0
65654+:10105000AE420020A48000E4908200632403FFBF1E
65655+:1010600000431024A08200630A001B598E43002015
65656+:101070009082006300621024304200FF1040002381
65657+:101080009782003A90820088908300BD2485008872
65658+:101090003042003F2444FFE02C820020A383001C48
65659+:1010A00010400019AF85002C2402000100821804B2
65660+:1010B000306200191440000C3C02800034420002EF
65661+:1010C000006210241440000B306200201040000F1A
65662+:1010D0009782003A90A600010240202124050001D9
65663+:1010E0000A001B5330C60001024020210A001B5297
65664+:1010F00024050001024020210000282124060001CF
65665+:101100000E001646000000009782003A1440FD04CD
65666+:101110008F8400148E4300203062000410400012BF
65667+:101120008F84003C2402FFFB00621024AE420020AA
65668+:10113000274301808F4201B80440FFFE8F820048A0
65669+:10114000AC6200008F420124AC6200042402608380
65670+:10115000A462000824020002A062000B3C021000FE
65671+:10116000AF4201B88F84003C8F8300148FBF0034DE
65672+:101170008FB600308FB5002C8FB400288FB30024B9
65673+:101180008FB200208FB1001C8FB000182402000124
65674+:1011900027BD003803E00008AC6400C030A500FFA4
65675+:1011A0002403000124A900010069102B1040000C49
65676+:1011B00000004021240A000100A31023004A380443
65677+:1011C00024630001308200010069302B10400002CE
65678+:1011D000000420420107402554C0FFF800A310235B
65679+:1011E00003E00008010010213C020800244260A432
65680+:1011F0003C010800AC22738C3C02080024425308D6
65681+:101200003C010800AC2273902402000627BDFFE0D9
65682+:101210003C010800A02273943C021EDCAFB200180F
65683+:10122000AFB10014AFBF001CAFB0001034526F411B
65684+:1012300000008821240500080E001B7A02202021CE
65685+:10124000001180803C07080024E773980002160014
65686+:1012500002071821AC6200000000282124A200012E
65687+:101260003045FFFF8C6200002CA6000804410002FC
65688+:10127000000220400092202614C0FFF8AC64000059
65689+:10128000020780218E0400000E001B7A2405002036
65690+:10129000262300013071FFFF2E2301001460FFE5BB
65691+:1012A000AE0200008FBF001C8FB200188FB1001477
65692+:1012B0008FB0001003E0000827BD002027BDFFD835
65693+:1012C000AFB3001CAFB20018AFBF0020AFB1001425
65694+:1012D000AFB000108F5101408F48014800089402C0
65695+:1012E000324300FF311300FF8F4201B80440FFFE7C
65696+:1012F00027500180AE1100008F420144AE0200046D
65697+:1013000024020002A6120008A202000B240200140C
65698+:10131000AE1300241062002528620015104000085A
65699+:101320002402001524020010106200302402001272
65700+:10133000106200098FBF00200A001CB58FB3001C8B
65701+:101340001062007024020022106200378FBF00205C
65702+:101350000A001CB58FB3001C3C0208008C4231A06F
65703+:101360002403FF800222102100431024AF420024F6
65704+:101370003C0208008C4231A0022210213042007F42
65705+:10138000034218213C02000A00621821166000BCCA
65706+:10139000AF830014906200623042000F344200308C
65707+:1013A000A06200620A001CB48FBF00203C046000F1
65708+:1013B0008C832C083C02F0033442FFFF00621824A7
65709+:1013C000AC832C083C0208008C4231A08C832C0892
65710+:1013D000244200740002108200021480006218256A
65711+:1013E000AC832C080A001CB48FBF00203C0208000C
65712+:1013F0008C4231A02403FF800222102100431024DC
65713+:10140000AF4200243C0208008C4231A03C03000A99
65714+:10141000022210213042007F03421021004310219C
65715+:101420000A001CB3AF8200143C0208008C4231A0B9
65716+:101430002405FF800222102100451024AF42002421
65717+:101440003C0208008C4231A0022210213042007F71
65718+:10145000034218213C02000A0062182190620063D6
65719+:1014600000A21024304200FF10400085AF8300141A
65720+:1014700024620088944300123C0208008C4231A888
65721+:1014800030633FFF00031980022210210043102126
65722+:101490003043007F03432021004510243C03000C0F
65723+:1014A00000832021AF4200289082000D00A210246A
65724+:1014B000304200FF10400072AF8400249082000D83
65725+:1014C000304200101440006F8FBF00200E0015C87E
65726+:1014D000000000008F4201B80440FFFE0000000041
65727+:1014E000AE1100008F420144AE020004240200024B
65728+:1014F000A6120008A202000BAE1300240A001CB4BE
65729+:101500008FBF00202406FF8002261024AF42002057
65730+:101510003C0208008C4231A031043FFF00042180CE
65731+:101520000222102100461024AF4200243C03080090
65732+:101530008C6331A83C0208008C4231A03227007F26
65733+:101540000223182102221021006418213042007F5A
65734+:101550003064007F034228213C02000A0066182400
65735+:1015600000A22821034420213C02000C00822021FB
65736+:10157000AF4300283C020008034718210062902175
65737+:10158000AF850014AF8400240E0015C8010080212F
65738+:101590008F4201B80440FFFE8F8200248F84001424
65739+:1015A000274501809042000DACB10000A4B00006B8
65740+:1015B000000216000002160300021027000237C2C4
65741+:1015C00014C00016248200889442001232033FFFA8
65742+:1015D00030423FFF14430012240260829083006374
65743+:1015E0002402FF8000431024304200FF5040000CD2
65744+:1015F00024026082908200623042000F3442004038
65745+:10160000A082006224026084A4A200082402000DCB
65746+:10161000A0A200050A001C9E3C0227002402608252
65747+:10162000A4A20008A0A000053C02270000061C00A0
65748+:101630000062182524020002A0A2000BACA3001037
65749+:10164000ACA00014ACA00024ACA00028ACA0002CDE
65750+:101650008E42004C8F840024ACA200189083000DB1
65751+:101660002402FF8000431024304200FF1040000598
65752+:101670008FBF00209082000D3042007FA082000DBD
65753+:101680008FBF00208FB3001C8FB200188FB10014E1
65754+:101690008FB000103C02100027BD002803E00008B6
65755+:1016A000AF4201B80800343008003430080033A8D5
65756+:1016B000080033E0080034140800343808003438D7
65757+:1016C00008003438080033180A0001240000000024
65758+:1016D000000000000000000D747061362E322E33C1
65759+:1016E00000000000060203010000000000000000EE
65760+:1016F00000000000000000000000000000000000EA
65761+:1017000000000000000000000000000000000000D9
65762+:1017100000000000000000000000000000000000C9
65763+:1017200000000000000000000000000000000000B9
65764+:1017300000000000000000000000000000000000A9
65765+:101740000000000000000000000000000000000099
65766+:101750000000000000000000000000001000000376
65767+:10176000000000000000000D0000000D3C02080019
65768+:1017700024421C003C03080024632094AC40000079
65769+:101780000043202B1480FFFD244200043C1D080070
65770+:1017900037BD2FFC03A0F0213C1008002610049058
65771+:1017A0003C1C0800279C1C000E00015C000000008F
65772+:1017B0000000000D3084FFFF308200078F85001885
65773+:1017C00010400002248300073064FFF800853021B8
65774+:1017D00030C41FFF03441821247B4000AF85001C48
65775+:1017E000AF84001803E00008AF4400843084FFFF9A
65776+:1017F000308200078F8500208F860028104000026D
65777+:10180000248300073064FFF8008520210086182B10
65778+:1018100014600002AF8500240086202303442821A1
65779+:1018200034068000AF840020AF44008000A6202151
65780+:1018300003E00008AF84003827BDFFD8AFB3001C19
65781+:10184000AFB20018AFB00010AFBF0024AFB400209B
65782+:10185000AFB100143C0860088D1450002418FF7FBD
65783+:101860003C1A8000029898243672380CAD12500051
65784+:101870008F5100083C07601C3C08600036300001B6
65785+:10188000AF500008AF800018AF400080AF40008428
65786+:101890008CE600088D0F08083C0760168CEC0000F1
65787+:1018A00031EEFFF039CA00103C0DFFFF340B800011
65788+:1018B0003C030080034B48212D440001018D282466
65789+:1018C0003C0253533C010800AC230420AF8900388C
65790+:1018D000AF860028AF840010275B400014A20003ED
65791+:1018E00034E37C008CF90004032818218C7F007CF1
65792+:1018F0008C6500783C0280003C0B08008D6B048CEA
65793+:101900003C0A08008D4A048834520070AF85003CC0
65794+:10191000AF9F00403C13080026731C440240A021E6
65795+:101920008E4800008F46000038C30001306400017B
65796+:1019300010800017AF880034028048218D2F0000EE
65797+:101940003C0508008CA5045C3C1808008F1804585E
65798+:1019500001E8102300A280210000C8210202402BD0
65799+:1019600003198821022838213C010800AC30045CAE
65800+:101970003C010800AC2704588F4E000039CD00010F
65801+:1019800031AC00011580FFED01E04021AF8F003444
65802+:101990008E5100003C0708008CE7045C3C0D0800F9
65803+:1019A0008DAD04580228802300F0602100007021D2
65804+:1019B0000190302B01AE1821006620213C01080067
65805+:1019C000AC2C045C3C010800AC2404588F46010890
65806+:1019D0008F47010030C92000AF860000AF87000CA0
65807+:1019E0001120000A00C040213C1808008F18042C68
65808+:1019F000270800013C010800AC28042C3C184000DA
65809+:101A0000AF5801380A000196000000009749010410
65810+:101A100000002821014550213122FFFF0162582199
65811+:101A20000162F82B015F502130D902003C0108000F
65812+:101A3000AC2B048C3C010800AC2A0488172000154C
65813+:101A400024040F0010E400130000000024080D001F
65814+:101A500010E8023B30CD000611A0FFE93C18400021
65815+:101A6000936E00002409001031C400F01089027147
65816+:101A700024020070108202E58F880014250F0001F7
65817+:101A8000AF8F00143C184000AF5801380A0001968F
65818+:101A900000000000974C01041180FFD93C18400061
65819+:101AA00030C34000146000A1000000008F460178A0
65820+:101AB00004C0FFFE8F87003824100800240F0008A0
65821+:101AC0008CE30008AF500178A74F0140A7400142C6
65822+:101AD000974E01048F86000031C9FFFF30CD000111
65823+:101AE00011A002E1012040212531FFFE241800024F
65824+:101AF000A75801463228FFFFA75101483C190800AA
65825+:101B00008F39043C172002D08F8C000C30DF00206E
65826+:101B100017E00002240400092404000130C20C0074
65827+:101B2000240504005045000134840004A744014A00
65828+:101B30003C1108008E3104203C1800483C10000184
65829+:101B40000238182530CF00020070282511E000046B
65830+:101B5000000018213C19010000B9282524030001C8
65831+:101B600030DF000453E00005AF8300083C0600109E
65832+:101B700000A6282524030001AF830008AF4510000C
65833+:101B80000000000000000000000000000000000055
65834+:101B90008F83000810600023000000008F451000B4
65835+:101BA00004A1FFFE000000001060001E0000000005
65836+:101BB0008F4410003C0C0020008C102410400019B1
65837+:101BC0008F8E000031CD000211A000160000000031
65838+:101BD000974F101415E000130000000097591008EB
65839+:101BE0003338FFFF271100060011188200033080F0
65840+:101BF00000C7282132300001322300031200032CD9
65841+:101C00008CA200000000000D00C7F821AFE2000028
65842+:101C10003C0508008CA5043024A600013C01080006
65843+:101C2000AC2604308F6D00003402FFFFAF8D00043E
65844+:101C30008CEC0000118202A6000020218CED000037
65845+:101C400031AC01001180028A000000003C02080053
65846+:101C50008C4204743C0308008C63044C3C1F080055
65847+:101C60008FFF04703C1808008F1804480048382182
65848+:101C70000068802100E8282B03E430210208402B73
65849+:101C80000304882100C57021022878213C01080046
65850+:101C9000AC30044C3C010800AC2F04483C01080067
65851+:101CA000AC2704743C010800AC2E04708F8400182B
65852+:101CB0000120302131290007249F000833F91FFF3C
65853+:101CC00003594021AF84001CAF990018251B400028
65854+:101CD000AF590084112000038F83002024C2000725
65855+:101CE0003046FFF88F84002800C3282100A4302B41
65856+:101CF00014C00002AF83002400A428230345602100
65857+:101D0000340D8000018D10213C0F1000AF850020A4
65858+:101D1000AF820038AF450080AF4F01788F88001444
65859+:101D2000250F00010A0001EFAF8F00148F62000839
65860+:101D30008F670000240500300007760231C300F0F1
65861+:101D4000106500A7240F0040546FFF4C8F880014CB
65862+:101D50008F4B01780560FFFE0000000030CA0200D2
65863+:101D600015400003000612820000000D00061282DA
65864+:101D7000304D0003000D4900012D18210003808023
65865+:101D8000020D402100086080019380218E1F000019
65866+:101D900017E00002000000000000000D8F6E00043C
65867+:101DA00005C202BD92070006920E000592020004D1
65868+:101DB0003C090001000E18800070F8218FED00181A
65869+:101DC000277100082448000501A96021000830821D
65870+:101DD000AFEC0018022020210E00059E26050014FD
65871+:101DE000920A00068F7900043C0B7FFF000A2080D6
65872+:101DF000009178218DF800043566FFFF0326282422
65873+:101E000003053821ADE70004920E0005920D000491
65874+:101E1000960C0008000E10800051C8218F2300008E
65875+:101E2000974901043C07FFFF006758243128FFFF52
65876+:101E3000010DF82103EC50233144FFFF01643025EC
65877+:101E4000AF260000920300072418000110780275E5
65878+:101E5000240F0003106F0285000000008E050010A3
65879+:101E60002419000AA7590140A7450142921800040D
65880+:101E70008F860000240F0001A7580144A7400146A7
65881+:101E80009747010430D100023C050041A7470148B3
65882+:101E900000001821A74F014A1220000330CB000494
65883+:101EA0003C0501412403000151600005AF83000897
65884+:101EB0003C06001000A6282524030001AF8300087B
65885+:101EC000AF4510000000000000000000000000000E
65886+:101ED000000000008F8A000811400004000000008C
65887+:101EE0008F4410000481FFFE000000008F6B000093
65888+:101EF000920800043C1108008E310444AF8B0004AA
65889+:101F000097590104311800FF3C0E08008DCE0440A3
65890+:101F10003325FFFF0305382102276021000010212F
65891+:101F2000250F000A31E8FFFF0187482B01C2682115
65892+:101F300001A9F821311000073C010800AC2C044431
65893+:101F40003C010800AC3F0440120000038F8C0018D5
65894+:101F50002506000730C8FFF8010C682131BF1FFFBC
65895+:101F6000AF8C001CAF9F0018AF5F00849744010442
65896+:101F7000035F80213084FFFF308A00071140000397
65897+:101F8000261B4000248900073124FFF88F8200209F
65898+:101F90008F850028008220210085702B15C000024B
65899+:101FA000AF820024008520233C0B08008D6B048C3D
65900+:101FB0003C0A08008D4A04880344882134038000C9
65901+:101FC000022310213C0F1000AF840020AF820038A4
65902+:101FD000AF440080AF4F01780A0002968F8800144A
65903+:101FE0008F5001780600FFFE30D10200162000035A
65904+:101FF000000612820000000D00061282305F00030E
65905+:10200000001F1900007F302100062080009FC8219A
65906+:1020100000194880013380218E180000130000024F
65907+:10202000000000000000000D8F6C000C058001FB1B
65908+:102030008F870038240E0001AE0E00008CE30008EC
65909+:10204000A20000078F65000400055402314D00FF17
65910+:1020500025A80005000830822CCB00411560000245
65911+:10206000A20A00040000000D8F7800043C03FFFF6B
65912+:1020700000E02821330BFFFF256C000B000C1082C1
65913+:1020800000022080008748218D3F000026040014B4
65914+:10209000A618000803E3C8240E00059EAD39000011
65915+:1020A0008F4F01083C11100001F1382410E001AB02
65916+:1020B00000000000974D01049208000725AAFFECDC
65917+:1020C000350600023144FFFFA2060007960600080D
65918+:1020D0002CC7001354E0000592030007921100077B
65919+:1020E000362F0001A20F00079203000724180001F9
65920+:1020F000107801C224090003106901D58F880038C7
65921+:1021000030CBFFFF257100020011788331E400FF1E
65922+:1021100000042880A20F000500A848218D2D000092
65923+:10212000974A01043C0EFFFF01AEF8243143FFFF44
65924+:10213000006B1023244CFFFE03ECC825AD390000D2
65925+:10214000920600053C03FFF63462FFFF30D800FF23
65926+:102150000018388000F08821922F00143C04FF7F83
65927+:102160003487FFFF31EE000F01C65821316500FFB3
65928+:1021700000055080015068218DAC00200148F821F5
65929+:10218000A20B00060182C824AE0C000CAFF9000CB3
65930+:10219000920900068E11000C032778240009C080E4
65931+:1021A0000310702195C60026030828210227202449
65932+:1021B000AE04000CADCF0020ADC60024ACA60010CC
65933+:1021C0008F8800003C0B08008D6B048C3C0A0800D3
65934+:1021D0008D4A0488241F001024190002A75F0140C3
65935+:1021E000A7400142A7400144A7590146974901046D
65936+:1021F00024070001310600022538FFFEA7580148D8
65937+:102200003C050009A747014A10C00003000018213F
65938+:102210003C05010924030001310C00045180000534
65939+:10222000AF8300083C08001000A828252403000103
65940+:10223000AF830008AF451000000000000000000060
65941+:1022400000000000000000009205000424AE00021F
65942+:1022500031CD0007000D182330620007AE020010D8
65943+:102260008F90000812000004000000008F4F100043
65944+:1022700005E1FFFE000000008F7100008F8E001846
65945+:102280003C0308008C630444AF91000497450104AB
65946+:1022900025CF001031E61FFF30A2FFFFAF8E001CDC
65947+:1022A000AF860018AF4600842449FFFE3C0C0800AE
65948+:1022B0008D8C0440974D010401208021000947C303
65949+:1022C0000070C02131A9FFFF0310F82B0188C8213D
65950+:1022D000033F202103463821313100073C0108002B
65951+:1022E000AC3804443C010800AC2404401220000334
65952+:1022F00024FB40002527000730E9FFF88F860020E7
65953+:102300008F8400280126382100E4C02B170000022A
65954+:10231000AF86002400E438230347202134198000CD
65955+:10232000009910213C0F1000AF870020AF820038C9
65956+:10233000AF470080AF4F01780A0002968F880014E3
65957+:102340009747010410E0FDAE3C1840008F5801781B
65958+:102350000700FFFE30C5400010A000033C1F00082E
65959+:102360000000000D3C1F0008AF5F01402410080072
65960+:102370008F860000AF5001789744010430D90001E6
65961+:10238000132000ED3086FFFF24CCFFFE240D000259
65962+:10239000A74D0146A74C01488F9100182408000D55
65963+:1023A000A748014A8F630000262F000831E21FFF73
65964+:1023B0000342702130C90007AF830004AF91001CB5
65965+:1023C000AF82001800C03821AF4200841120000302
65966+:1023D00025DB400024D800073307FFF88F85002055
65967+:1023E0008F84002800E5302100C4382B14E000025F
65968+:1023F000AF85002400C430238F8400140346F821E5
65969+:10240000340C8000AF86002003EC8021AF460080B2
65970+:10241000249900013C0610003C184000AF460178AA
65971+:10242000AF900038AF990014AF5801380A000196F8
65972+:10243000000000008F630000975101043067FFFF28
65973+:102440003228FFFF8F4F017805E0FFFE30EC0007D8
65974+:10245000000CF82333F0000724F9FFFE2404000ADF
65975+:10246000A7440140A7500142A7590144A740014693
65976+:10247000A74801488F45010830B800201700000226
65977+:10248000240300092403000130CD0002A743014AC0
65978+:102490003C04004111A00003000018213C0401414C
65979+:1024A0002403000130C9000451200005AF83000857
65980+:1024B0003C0600100086202524030001AF8300089D
65981+:1024C000AF44100000000000000000000000000009
65982+:1024D000000000008F8E000811C000040000000002
65983+:1024E0008F4210000441FFFE000000008F7F0000BB
65984+:1024F000276400088F91003CAF9F0004948500087A
65985+:102500009490000A9499000C30AFFFFF0010C400B3
65986+:102510003323FFFF11F100A6030320253C0E080022
65987+:102520008DCE04443C0C08008D8C044000E88821CA
65988+:102530002626FFFE01C628210000682100A6F82BF0
65989+:10254000018D2021009F80213C010800AC2504441E
65990+:102550003C010800AC30044024E200083042FFFF98
65991+:102560003047000710E000038F830018244F000756
65992+:1025700031E2FFF83106FFFF30C800070043802139
65993+:1025800032191FFF0359C021AF83001CAF990018F7
65994+:10259000271B4000AF590084110000038F8C0020DE
65995+:1025A00024C5000730A6FFF88F84002800CC28211E
65996+:1025B00000A4F82B17E00002AF8C002400A428230D
65997+:1025C000AF850020AF4500803C0408008C840434B3
65998+:1025D00003454821340E8000012E6821108000053B
65999+:1025E000AF8D0038939100172406000E12260011BB
66000+:1025F0002407043F3C021000AF4201788F8800148A
66001+:10260000250F00010A0001EFAF8F00140E0005C472
66002+:1026100000E020218F8800143C0B08008D6B048C97
66003+:102620003C0A08008D4A0488250F00010A0001EFCA
66004+:10263000AF8F00143C021000A7470148AF42017859
66005+:102640000A0004CE8F88001424040F001184003D7A
66006+:1026500030CE002015C0000224030009240300012D
66007+:102660000A00021AA743014A0A00020DA7400146C8
66008+:1026700094EF000894F1000A94F0000C8F8C003C59
66009+:10268000001174003207FFFF31EDFFFF11AC00377E
66010+:1026900001C720253C1808008F1804443C0F08008F
66011+:1026A0008DEF0440000080210308682101A8382B29
66012+:1026B00001F0702101C760213C010800AC2D0444E9
66013+:1026C0003C010800AC2C04400A00027A8F840018F8
66014+:1026D0003C0208008C42047C3C0308008C630454D8
66015+:1026E0003C1F08008FFF04783C1808008F18045026
66016+:1026F000004838210068802100E8282B03E43021BD
66017+:102700000208402B0304882100C57021022878218B
66018+:102710003C010800AC3004543C010800AC2F0450CC
66019+:102720003C010800AC27047C3C010800AC2E047876
66020+:102730000A00027A8F840018A74001460A00043577
66021+:102740008F91001830CD002015A0FFC52403000D87
66022+:10275000240300050A00021AA743014A974E010408
66023+:1027600025C5FFF00A00038130A4FFFF8F980040C9
66024+:102770001498FFC8000010213C0508008CA5046CCB
66025+:102780003C1F08008FFF046800A8C8210328302BD5
66026+:1027900003E22021008640213C010800AC39046C92
66027+:1027A0003C010800AC2804680A00027A8F840018F3
66028+:1027B0008F8C0040148CFF5900E8C8213C18080099
66029+:1027C0008F18046C3C1108008E3104682723FFFE2B
66030+:1027D00003034821000010210123302B0222702125
66031+:1027E00001C668213C010800AC29046C3C010800CA
66032+:1027F000AC2D04680A0004A524E200088F88003884
66033+:102800003C03FFFF8D02000C0043F82403E4C825BD
66034+:10281000AD19000C0A00038F30CBFFFF0A0003C381
66035+:10282000AE000000974A0104920400048E26000CBA
66036+:10283000014458212579FFF200C7C0243325FFFF4A
66037+:1028400003053825AE27000C0A0002E68E050010AD
66038+:102850003C0DFFFF8D0A0010014D582401646025D6
66039+:10286000AD0C00100A00038F30CBFFFF974301042B
66040+:10287000920E00048E290010006E1021244DFFEEF0
66041+:102880000127602431A8FFFF0188F825AE3F001022
66042+:102890000A0002E68E0500108E0F000CAE0000004C
66043+:1028A00000078880023028210A0002B8ACAF00205F
66044+:1028B0001460000D3058FFFF3C04FFFF0044682403
66045+:1028C00001A47026000E602B000D102B004CF82484
66046+:1028D00013E00002000000000000000D8CAF0000BB
66047+:1028E0000A00025001E410253B03FFFF0003882B80
66048+:1028F0000018802B0211202410800002000000002C
66049+:102900000000000D8CB900000A0002503722FFFFC2
66050+:102910003084FFFF30A5FFFF108000070000182162
66051+:10292000308200011040000200042042006518219E
66052+:102930001480FFFB0005284003E000080060102120
66053+:1029400010C00007000000008CA2000024C6FFFF9A
66054+:1029500024A50004AC82000014C0FFFB2484000402
66055+:1029600003E000080000000010A0000824A3FFFFFF
66056+:10297000AC86000000000000000000002402FFFF01
66057+:102980002463FFFF1462FFFA2484000403E00008BC
66058+:1029900000000000308EFFFF30D8FFFF00057C00F4
66059+:1029A00001F8602539CDFFFF01AC5021014C582BB7
66060+:1029B000014B4821000944023127FFFF00E8302184
66061+:1029C0000006240230C5FFFF00A418213862FFFF73
66062+:1029D00003E000083042FFFF3C0C08008D8C0484AB
66063+:1029E000240BFF8027BDFFD001845021014B4824D8
66064+:1029F000AF4900203C0808008D080484AFB20020D5
66065+:102A0000AFB00018AFBF0028AFB30024AFB1001CB7
66066+:102A1000936600040104382130E4007F009A1021FD
66067+:102A20003C0300080043902130C500200360802152
66068+:102A30003C080111277B000814A000022646007004
66069+:102A40002646006C9213000497510104920F000473
66070+:102A50003267000F322EFFFF31ED004001C72823FF
66071+:102A600011A0000500004821925900BC3338000431
66072+:102A70001700009000000000924300BC307F00046B
66073+:102A800013E0000F0000000010A0000D0000000087
66074+:102A9000960E0002240AFF8000A7602125CDFFFECC
66075+:102AA000A74D1016920B0004014B2024308200FF2A
66076+:102AB00010400085010C40253C0F0400010F40250B
66077+:102AC0008F5301780660FFFE2404000AA7440140EA
66078+:102AD000960D00022404000931AC0007000C5823B5
66079+:102AE000316A0007A74A0142960200022443FFFE12
66080+:102AF000A7430144A7400146975F0104A75F01482F
66081+:102B00008F590108333800205300000124040001CC
66082+:102B1000920F000431EE001015C000023483001043
66083+:102B200000801821A743014A0000000000000000B7
66084+:102B30000000000000000000AF481000000000008E
66085+:102B40000000000000000000000000008F51100095
66086+:102B50000621FFFE3113FFFF12600003000000009A
66087+:102B60008F481018ACC8000096030006307FFFFFA6
66088+:102B700027F900020019988200138880023B302157
66089+:102B80008CD800001520005700183402920300046E
66090+:102B90002405FF8000A3F82433F100FF1220002C4D
66091+:102BA00000000000924700BC30F2000212400028F2
66092+:102BB00000000000974B100C2562FFFEA742101684
66093+:102BC000000000003C0A040035490030AF49100005
66094+:102BD00000000000000000000000000000000000F5
66095+:102BE0008F4C10000581FFFE000000009749100C7B
66096+:102BF0008F51101C00C020213127FFFF24F200302C
66097+:102C0000001218820003288000BBF8213226FFFF43
66098+:102C1000AFF100000E0005B300112C020013C880B4
66099+:102C2000033B98218E78000000027400AFB80010BA
66100+:102C30008FA80010310FFFFFAFAF00108FA400105E
66101+:102C400001C46825AFAD00108FA60010AE6600006D
66102+:102C500097730008976D000A9766000C8F8A003CF6
66103+:102C6000000D5C0030CCFFFF3262FFFF104A0036DF
66104+:102C7000016C2025960600023C10100024D30008A9
66105+:102C80000E00013B3264FFFF974C01040E00014926
66106+:102C90003184FFFFAF5001788FBF00288FB300242D
66107+:102CA0008FB200208FB1001C8FB0001803E0000825
66108+:102CB00027BD003010A0FF700000000024A5FFFC1D
66109+:102CC0000A0005EC240900048CD10000AF51101853
66110+:102CD0008F5301780660FF7A2404000A0A00060177
66111+:102CE0000000000000A7C8218F8800388F4E101CFC
66112+:102CF0000019C0820018788001E82021AC8E000005
66113+:102D0000000E2C0200C020210E0005B331C6FFFFCB
66114+:102D1000023B28218CAD000000025400004030210D
66115+:102D2000AFAD00108FAC0010318BFFFFAFAB0010C8
66116+:102D30008FA2001001424825AFA900108FA70010F4
66117+:102D40000A000631ACA700008F8F0040148FFFC926
66118+:102D50000000000097420104960B00023C050800A9
66119+:102D60008CA5046C3049FFFF316AFFFF3C1108005D
66120+:102D70008E310468012A382124F2FFFE00B240217E
66121+:102D80000012FFC30112C82B023FC02103192021EA
66122+:102D90003C010800AC28046C3C010800AC24046829
66123+:102DA0000A00066B0000000000A4102B1040000970
66124+:102DB000240300010005284000A4102B04A00003F8
66125+:102DC000000318405440FFFC000528401060000735
66126+:102DD000000000000085302B14C0000200031842E0
66127+:102DE000008520231460FFFB0005284203E0000853
66128+:102DF000008010218F85002C27BDFFE800053027BB
66129+:102E00002CC300012CA400020083102510400003F5
66130+:102E1000AFBF00102405007FAF85002C00052827D8
66131+:102E200030A5FFFF0E000592240426F58F830030A5
66132+:102E3000240402BD004030210083382B10E000093B
66133+:102E400024050001000420400083102B04800003AF
66134+:102E5000000528405440FFFC0004204010A000085A
66135+:102E600000C350210064402B1500000200052842D9
66136+:102E70000064182314A0FFFB0004204200C350216B
66137+:102E80008FBF0010000A4C02312200FF27BD00183E
66138+:102E9000AF8A002C03E00008AF8900300A00002A46
66139+:102EA00000000000000000000000000D7478703683
66140+:102EB0002E322E3300000000060203000000000046
66141+:102EC000000001360000EA60000000000000000081
66142+:102ED00000000000000000000000000000000000F2
66143+:102EE00000000000000000000000000000000000E2
66144+:102EF00000000000000000000000000000000016BC
66145+:102F000000000000000000000000000000000000C1
66146+:102F100000000000000000000000000000000000B1
66147+:102F200000000000000000000000000000000000A1
66148+:102F3000000000000000138800000000000005DC15
66149+:102F4000000000000000000010000003000000006E
66150+:102F50000000000D0000000D3C02080024423C204F
66151+:102F60003C03080024633DD4AC4000000043202B08
66152+:102F70001480FFFD244200043C1D080037BD7FFC87
66153+:102F800003A0F0213C100800261000A83C1C0800FB
66154+:102F9000279C3C200E0002BA000000000000000D3B
66155+:102FA0008F8300383C088000350700708CE50000F6
66156+:102FB000008330253C02900000C22025AF85003000
66157+:102FC000AF4400208F4900200520FFFE3C03800015
66158+:102FD000346200708C4500008F8600303C19080078
66159+:102FE0008F39007C3C0E08008DCE007800A620238F
66160+:102FF00003245821000078210164682B01CF60214F
66161+:10300000018D50213C010800AC2B007C3C010800E4
66162+:10301000AC2A007803E00008000000000A0000412C
66163+:10302000240400018F8400383C05800034A2000194
66164+:103030000082182503E00008AF43002003E00008E9
66165+:10304000000010213084FFFF30A5FFFF1080000733
66166+:1030500000001821308200011040000200042042CC
66167+:10306000006518211480FFFB0005284003E00008DC
66168+:103070000060102110C00007000000008CA20000BA
66169+:1030800024C6FFFF24A50004AC82000014C0FFFB8F
66170+:103090002484000403E000080000000010A00008E1
66171+:1030A00024A3FFFFAC860000000000000000000029
66172+:1030B0002402FFFF2463FFFF1462FFFA248400044C
66173+:1030C00003E0000800000000308AFFFF93A800130F
66174+:1030D000A74A014497490E1630C600FF3C02100073
66175+:1030E000A7490146AF450148A3460152A748015AE6
66176+:1030F000AF4701608FA400188FA30014A7440158A4
66177+:10310000AF43015403E00008AF42017803E0000838
66178+:10311000000000003C038000346200708C49000015
66179+:103120008F8800002484000727BDFFF83084FFF853
66180+:10313000AF890030974D008A31ACFFFFAFAC000083
66181+:103140008FAB0000016850232547FFFF30E61FFFCB
66182+:1031500000C4282B14A0FFF73C0C8000358B0070B6
66183+:103160008D6A00003C0708008CE700843C060800DC
66184+:103170008CC6008000081082014918230002788064
66185+:1031800000E370210000202101C3C82B00C4C0212E
66186+:1031900001FA4021031948212502400027BD0008FB
66187+:1031A0003C010800AC2E00843C010800AC290080E2
66188+:1031B00003E00008000000008F8200002486000762
66189+:1031C00030C5FFF800A2182130641FFF03E000089B
66190+:1031D000AF8400008F8700388F8A004027BDFFB87A
66191+:1031E0008F860044AFB60040AFBF0044AFB5003C8F
66192+:1031F000AFB40038AFB30034AFB20030AFB1002C81
66193+:10320000AFB000288F4501048D4900ACAF47008066
66194+:103210008CC8002000A938230000B021AF480E1050
66195+:103220008F440E1000004821AF440E148CC20024BD
66196+:10323000AF420E188F430E18AF430E1C10E001254D
66197+:103240002D230001936B0008116000D400000000E2
66198+:10325000976E001031CDFFFF00ED602B158000CF81
66199+:103260000000000097700010320FFFFFAF4F0E00FC
66200+:103270008F520000325100081220FFFD00000000B4
66201+:1032800097540E088F460E043285FFFF30B30001BD
66202+:1032900012600132000000000000000D30B8A040B4
66203+:1032A00024150040131500C030A9A0001120012DE5
66204+:1032B00000000000937F000813E0000800000000F9
66205+:1032C00097630010306BFFFF00CB402B1100000311
66206+:1032D00030AC00401180012300000000A785003CB5
66207+:1032E000AF8600349366000800E02821AFA70020D5
66208+:1032F00014C0012427B30020AF60000C9782003C6B
66209+:103300003047400014E00002240300162403000E9E
66210+:1033100024194007A363000AAF790014938A003E82
66211+:103320008F740014315800070018AA4002959025A8
66212+:10333000AF7200149784003C8F700014309100101D
66213+:1033400002117825AF6F0014978E003C31CD000834
66214+:1033500011A00147000028218F6700143C021000D3
66215+:103360003C0C810000E22825AF65001497460E0A48
66216+:103370002408000E3405FFFC30C3FFFF006C582505
66217+:10338000AF6B0004A3680002937F000A27E90004E2
66218+:10339000A369000A9786003C9363000A30CC1F00A3
66219+:1033A000000C598301634021251F0028A37F0009D9
66220+:1033B00097490E0CA769001093790009272A00028B
66221+:1033C000315800070018A82332B10007A371000B81
66222+:1033D00093740009976400108F910034978F003C1C
66223+:1033E000329200FF024480210205702131ED00403D
66224+:1033F00011A0000531C4FFFF0091282B3C12800072
66225+:1034000010A000140000A0210224382B14E0011B9E
66226+:103410008FA500208F4D0E14AF4D0E108F420E1C45
66227+:10342000AF420E18AF440E008F4F000031EE00087F
66228+:1034300011C0FFFD0000000097540E080080882195
66229+:1034400000009021A794003C8F500E04241400012A
66230+:10345000AF900034976400103095FFFF8E68000035
66231+:103460000111F82317E00009AE7F00008F650014FA
66232+:103470008F8B004434A60040AF6600148F4C0E10B2
66233+:10348000AD6C00208F430E18AD63002493670008D5
66234+:1034900014E000D2000000000E00009E2404001082
66235+:1034A0008F8900483C08320000402821312600FF67
66236+:1034B0000006FC0003E8502525390001AF990048BB
66237+:1034C000AC4A0000937800099370000A330400FFAF
66238+:1034D00000047400320F00FF01CF6825AC4D0004DA
66239+:1034E0008F820048064000EAACA20008ACA0000CA5
66240+:1034F0009783003C306B0008156000022628000608
66241+:1035000026280002974E0E148F450E1C8F6700046C
66242+:10351000936D000231C4FFFF31A200FFAFA2001083
66243+:103520008F6C0014AFA800180E00008BAFAC001415
66244+:10353000240400100E0000C7000000008E7200007E
66245+:1035400016400005000000008F6400142405FFBF32
66246+:1035500000859824AF7300148F79000C033538214F
66247+:10356000AF67000C9375000816A00008000000006B
66248+:1035700012800006000000008F7F00143C0BEFFF5C
66249+:103580003568FFFE03E84824AF690014A3740008FF
66250+:103590008FA500200A00024602202021AF470E001E
66251+:1035A0000A0000F5000000008F5901780720FFFE97
66252+:1035B000241F08008F840000AF5F0178974B008ABA
66253+:1035C000316AFFFF014448232528FFFF31021FFF16
66254+:1035D0002C4300081460FFF9000000008F8E0048A3
66255+:1035E0008F8D003800C048210344202125C60001EA
66256+:1035F000240C0F00AF86004800E9382324864000E1
66257+:1036000031CA00FF11AC0005240800019391003E6F
66258+:103610003230000700107A4035E80001000AAC00A3
66259+:103620003C18010002B8A025AC9440008F930048DC
66260+:1036300030B2003630A40008ACD3000410800097EC
66261+:1036400001123025974E0E0A8F8D00003C0281003A
66262+:1036500031CCFFFF25AB0008018240253C03100060
66263+:1036600031651FFF25390006241F000EAF48016099
66264+:1036700000C33025A75F015AAF850000A759015844
66265+:1036800014E0000A8F93003824120F0052720002D7
66266+:103690002416000134C600408F580E108F94004449
66267+:1036A000AE9800208F550E18AE9500248F450E144D
66268+:1036B000AF4501448F590E1CAF590148A34A01522E
66269+:1036C0003C0A1000AF460154AF4A017814E0FEDD19
66270+:1036D0002D2300010076A025128000178FBF004423
66271+:1036E0008F84003824160F0010960084000000001C
66272+:1036F0008F45017804A0FFFE24150F001095006E81
66273+:10370000000000008F470E14240202403C1F1000EE
66274+:10371000AF4701448F440E1CAF440148A3400152FF
66275+:10372000A740015AAF400160A7400158AF42015481
66276+:10373000AF5F01788FBF00448FB600408FB5003C6B
66277+:103740008FB400388FB300348FB200308FB1002CAB
66278+:103750008FB0002803E0000827BD004814C0FED049
66279+:1037600030B8A0408F420E148F84004400004821DE
66280+:10377000AC8200208F510E1CAC9100240A00020E76
66281+:103780002D2300018F910034978A003C3C12800069
66282+:103790000220A821315800401700FF300000A0216E
66283+:1037A000976900108F9200343139FFFF13320035D2
66284+:1037B00000002021008048211480FEA000A03821B4
66285+:1037C0008F420E148F840044AC8200208F510E1C57
66286+:1037D000AC9100240A00020E2D230001936A000917
66287+:1037E0009378000B315000FF330F00FF020F702160
66288+:1037F00025C2000A3050FFFF0E00009E020020216B
66289+:103800008F8600483C1F410024CD0001AF8D004849
66290+:10381000936C000930C600FF00064400318300FFAE
66291+:10382000246B0002010B4825013FC825AC5900005C
66292+:103830008F67000C97440E1400F22825AC45000455
66293+:103840008F450E1C8F670004936A00023084FFFFCF
66294+:10385000315800FFAFB800108F6F0014AFB10018DF
66295+:103860000E00008BAFAF00140A0001A60200202159
66296+:10387000AF6000040A00013EA36000020A00024695
66297+:1038800000002021000090210A0001702414000192
66298+:103890003C1280000A000195ACB2000C8F91000030
66299+:1038A00025240002A744015826300008320F1FFFCC
66300+:1038B0000A0001F9AF8F0000AF40014C1120002C2D
66301+:1038C000000000008F590E10AF5901448F430E18AD
66302+:1038D000240200403C1F1000AF430148A3400152A6
66303+:1038E000A740015AAF400160A7400158AF420154C0
66304+:1038F000AF5F01780A0002278FBF00441120000645
66305+:103900000000000097460E0830CC004015800002F1
66306+:10391000000000000000000D8F4D017805A0FFFEA3
66307+:103920000000000097530E103C120500240E2000EA
66308+:10393000326AFFFF0152C025AF58014C8F4F0E1461
66309+:103940003C021000AF4F01448F500E1CAF50014895
66310+:10395000A34001528F840038A740015AAF40016054
66311+:10396000A7400158AF4E01540A000215AF4201783A
66312+:103970008F490E14AF4901448F430E1C0A00028E7A
66313+:10398000240200403C0E20FF27BDFFE03C1A8000CF
66314+:103990003C0F800835CDFFFDAFBF001CAFB2001853
66315+:1039A000AFB10014AFB00010AF8F0040AF4D0E00AC
66316+:1039B0000000000000000000000000000000000007
66317+:1039C000000000003C0C00FF358BFFFDAF4B0E00EC
66318+:1039D0003C0660048CC95000240AFF7F3C11600043
66319+:1039E000012A40243507380CACC750008E24043817
66320+:1039F00024050009AF4500083083FFFF38622F71AE
66321+:103A00002450C0B3AF8000480E000068AF800000B3
66322+:103A100052000001AE20442C0E0004353C11800001
66323+:103A20000E000ED9363000708F8A00403C1208001C
66324+:103A300026523C88020088218E0800008F5F00001B
66325+:103A40003BF900013338000113000017AF88003044
66326+:103A5000022048218D2700003C0F08008DEF006CEC
66327+:103A60003C0C08008D8C006800E8C02301F8282178
66328+:103A70000000682100B8302B018D582101664021DB
66329+:103A80003C010800AC25006C3C010800AC28006833
66330+:103A90008F44000038830001306200011440FFEDC4
66331+:103AA00000E04021AF8700308E0C00003C0508008C
66332+:103AB0008CA5006C3C0408008C84006801883023CD
66333+:103AC00000A638210000102100E6402B00821821BA
66334+:103AD0000068F8213C010800AC27006C3C0108009C
66335+:103AE000AC3F00688F49010025590088AF99004418
66336+:103AF000AF890038AF4900208E070000AF87003043
66337+:103B00008F4D017805A0FFFE000000008E0600002A
66338+:103B10003C0B08008D6B00743C0408008C84007022
66339+:103B200000C728230165F8210000102103E5402B80
66340+:103B30000082382100E8C821240908003C0108005F
66341+:103B4000AC3F00743C010800AC390070AF4901780B
66342+:103B500093580108A398003E938F003E31EE000178
66343+:103B600015C000158F830038240E0D00106E00194B
66344+:103B7000240F0F00106F001D00000000915900007D
66345+:103B800024180050332900FF113800043C1F400066
66346+:103B9000AF5F01380A0002E7000000000E00090EC6
66347+:103BA000000000008F8A00403C1F4000AF5F0138DA
66348+:103BB0000A0002E700000000938D003E31AC0006D1
66349+:103BC000000C51000E0000CE0152D8210A00034320
66350+:103BD0008F8A00403C1B0800277B3D080E0000CE6A
66351+:103BE000000000000A0003438F8A00403C1B0800CD
66352+:103BF000277B3D280E0000CE000000000A00034392
66353+:103C00008F8A004090AA00018FAB00108CAC00108E
66354+:103C10003C0300FF8D680004AD6C00208CAD0014E7
66355+:103C200000E060213462FFFFAD6D00248CA7001816
66356+:103C30003C09FF000109C024AD6700288CAE001CC0
66357+:103C40000182C82403197825AD6F0004AD6E002CE5
66358+:103C50008CAD0008314A00FFAD6D001C94A9000234
66359+:103C60003128FFFFAD68001090A70000A56000029A
66360+:103C7000A1600004A167000090A30002306200FF71
66361+:103C80000002198210600005240500011065000E75
66362+:103C90000000000003E00008A16A00018CD80028A1
66363+:103CA000354A0080AD7800188CCF0014AD6F001439
66364+:103CB0008CCE0030AD6E00088CC4002CA16A0001CF
66365+:103CC00003E00008AD64000C8CCD001CAD6D001845
66366+:103CD0008CC90014AD6900148CC80024AD680008BC
66367+:103CE0008CC70020AD67000C8CC200148C8300646C
66368+:103CF0000043C82B13200007000000008CC20014F2
66369+:103D0000144CFFE400000000354A008003E0000886
66370+:103D1000A16A00018C8200640A000399000000007F
66371+:103D200090AA000027BDFFF88FA9001CA3AA0000DD
66372+:103D30008FAE00003C0FFF808FA8001835E2FFFF18
66373+:103D40008CCD002C01C26024AFAC0000A120000487
66374+:103D500000E06021A7A000028FB800008D270004BA
66375+:103D60000188182100A0582100C05021006D28268C
66376+:103D70003C06FF7F3C0F00FF2CAD000135EEFFFF3E
66377+:103D800034D9FFFF3C02FF0003193024000D1DC091
66378+:103D9000010EC82400E2C02400C370250319782551
66379+:103DA000AD2E0000AD2F00048D450024AFAE000005
66380+:103DB000AD2500088D4D00202405FFFFAD2D000C22
66381+:103DC000956800023107FFFFAD27001091660018CB
66382+:103DD00030C200FF000219C2506000018D4500345E
66383+:103DE000AD2500148D67000827BD0008AD27001C15
66384+:103DF0008C8B00CCAD2C0028AD20002CAD2B0024EA
66385+:103E0000AD20001803E00008AD20002027BDFFE032
66386+:103E1000AFB20018AFB10014AFB00010AFBF001CBC
66387+:103E20009098000000C088213C0D00FF330F007FF8
66388+:103E3000A0CF0000908E000135ACFFFF3C0AFF00D0
66389+:103E4000A0CE000194A6001EA22000048CAB00149A
66390+:103E50008E29000400A08021016C2824012A40241E
66391+:103E60000080902101052025A6260002AE24000432
66392+:103E700026050020262400080E00007624060002F5
66393+:103E800092470000260500282624001400071E0083
66394+:103E90000003160324060004044000032403FFFF6C
66395+:103EA000965900023323FFFF0E000076AE23001068
66396+:103EB000262400248FBF001C8FB200188FB100147D
66397+:103EC0008FB0001024050003000030210A0000809C
66398+:103ED00027BD002027BDFFD8AFB1001CAFB0001830
66399+:103EE000AFBF002090A80000240200018FB0003C6A
66400+:103EF0003103003F00808821106200148FAA00382F
66401+:103F0000240B0005506B0016AFAA001000A0202162
66402+:103F100000C028210E0003DC02003021922400BCE6
66403+:103F2000308300021060000326060030ACC00000A1
66404+:103F300024C600048FBF00208FB1001C8FB0001872
66405+:103F400000C0102103E0000827BD002801403821EF
66406+:103F50000E00035AAFB000100A0004200000000059
66407+:103F60000E0003A1AFB000140A00042000000000FE
66408+:103F70003C02000A034218213C04080024843D6CE2
66409+:103F80002405001A000030210A000080AF8300548D
66410+:103F90003C038000346200708C48000000A058216F
66411+:103FA00000C04821308A00FFAF8800308F4401787C
66412+:103FB0000480FFFE3C0C8000358600708CC500003C
66413+:103FC0003C0308008C6300743C1808008F180070D4
66414+:103FD00000A82023006468210000C82101A4782BD8
66415+:103FE0000319702101CF60213C010800AC2D007441
66416+:103FF0003C010800AC2C00708F480E14AF480144FF
66417+:10400000AF47014CA34A0152A74B01589346010800
66418+:1040100030C5000854A0000135291000934B090059
66419+:1040200024070050316A00FF11470007000000001C
66420+:104030008F450E1CAF450148AF4901543C091000A3
66421+:1040400003E00008AF490178934D010831A800084A
66422+:104050001100001000000000934F010831EE001025
66423+:1040600051C00001352900083C04080090843DD06F
66424+:10407000A34401508F4309A4AF4301488F4209A0D4
66425+:10408000AF420144AF4901543C09100003E000086D
66426+:10409000AF4901783C1908008F393D8C333800084E
66427+:1040A0005700FFF1352900080A00047300000000E2
66428+:1040B00024070040AF470814AF4008108F4209445E
66429+:1040C0008F4309508F4409548F45095C8F46094C32
66430+:1040D000AF820064AF830050AF84004CAF85005CBA
66431+:1040E00003E00008AF8600609346010930C5007FF9
66432+:1040F000000518C0000521400083102103E00008DE
66433+:10410000244200883C09080091293D9124A800021E
66434+:104110003C05110000093C0000E8302500C51825C9
66435+:1041200024820008AC83000003E00008AC80000497
66436+:104130009347010B8F4A002C974F09083C18000E3B
66437+:104140000358482131EEFFFF000E41C0AF48002C5C
66438+:1041500097430908952C001A008040212403000190
66439+:10416000318BFFFFAC8B00008D2D001C00A058216F
66440+:1041700000C06021AC8D00048D24002030E7004099
66441+:10418000AD04000891220019304400031083004858
66442+:104190002885000214A00062240600021086005642
66443+:1041A00024190003109900660000000010E0003A96
66444+:1041B000000000003C07080094E73D8624E200016F
66445+:1041C000934F0934934709219525002A31EE00FFCA
66446+:1041D000000E488230ED00FF978700580009360036
66447+:1041E000000D1C003044FFFF00C310250044C02513
66448+:1041F00000A778213C19400003197025000F4C00DE
66449+:10420000AD090004AD0E0000934D09203C030006EB
66450+:1042100025090014000D360000C32025AD04000858
66451+:104220008F59092C24E5000130A27FFFAD19000C45
66452+:104230008F580930A782005825020028AD180010B9
66453+:104240008F4F0938AD0F0014AD2B00048F4E09407D
66454+:10425000AD2E0008934D09373C05080090A53D9010
66455+:104260008F4409488F46094031A700FF00EC182110
66456+:10427000008678230003C7000005CC0003196025E1
66457+:1042800031E8FFFC01885825AD2B000CAD20001053
66458+:1042900003E00008AF4A002C3C0D080095AD3D86B8
66459+:1042A0003C0E080095CE3D800A0004C901AE1021E5
66460+:1042B0003C05080094A53D8A3C06080094C63D8054
66461+:1042C0003C18080097183D7C952E002400A6782104
66462+:1042D00001F86823000E240025A2FFF200821825B1
66463+:1042E00024190800AD03000CAD190014AD00001036
66464+:1042F0000A0004C4250800189526002495250028E6
66465+:104300000006C40000057C00370E810035ED080072
66466+:10431000AD0E000CAD0D00100A0004C425080014F9
66467+:104320001480FFA200000000952400240004140063
66468+:1043300034430800AD03000C0A0004C42508001033
66469+:104340003C03080094633D8A3C05080094A53D8029
66470+:104350003C06080094C63D7C953900249538002819
66471+:10436000006520210086782300196C000018740075
66472+:1043700025E2FFEE01C2202535A3810024190800A3
66473+:10438000AD03000CAD040010AD190018AD00001411
66474+:104390000A0004C42508001C03E00008240201F4FC
66475+:1043A00027BDFFE8AFB00010AFBF00140E000060E3
66476+:1043B0000080802124050040AF4508148F83005001
66477+:1043C0008F84004C8F85005C0070182100641023DE
66478+:1043D00018400004AF830050AF6300548F66005450
66479+:1043E000AF86004C1200000C000000008F440074E7
66480+:1043F000936800813409FA002D07000710E00005DA
66481+:1044000000891021936C0081240B01F4018B50046E
66482+:1044100001441021AF62000C8F4E095C01C5682376
66483+:1044200019A000048FBF00148F4F095CAF8F005C90
66484+:104430008FBF00148FB000100A00006227BD001863
66485+:104440008F8400648F8300508F82004CAF640044DF
66486+:10445000AF63005003E00008AF6200543C038000EB
66487+:10446000346200708C43000027BDFFF8308700FFE6
66488+:1044700030A900FF30C800FFAF8300308F440178BF
66489+:104480000480FFFE3C028000345900708F38000029
66490+:10449000A3A700033C0708008CE700748FAC000062
66491+:1044A0003C0608008CC60070030378233C0E7FFF97
66492+:1044B00000EFC82135CDFFFF00005021018D2824D9
66493+:1044C00000CA1821000847C0032F202B00A8102580
66494+:1044D0000064C021AFA200003C010800AC390074A8
66495+:1044E0003C010800AC380070934F010AA3A0000201
66496+:1044F0003C0E80FFA3AF00018FAC0000312B007F8A
66497+:1045000035CDFFFF018D4824000B5600012A4025C0
66498+:10451000240730002406FF803C05100027BD00085A
66499+:10452000AF48014CAF470154A7400158A346015280
66500+:1045300003E00008AF45017827BDFFE8AFBF0014D6
66501+:10454000AFB000108F6500743C068000309000FF13
66502+:1045500000A620250E000060AF6400749363000580
66503+:10456000346200080E000062A362000502002021F0
66504+:104570008FBF00148FB00010240500052406000131
66505+:104580000A00057027BD001827BDFFE03C0380002E
66506+:10459000AFB00010AFBF0018AFB1001434620070AC
66507+:1045A0008C470000309000FF30A800FFAF8700303C
66508+:1045B0008F4401780480FFFE3C18800037110070A2
66509+:1045C0008E2F00003C0D08008DAD00743C0A0800E1
66510+:1045D0008D4A007001E7702301AE282100005821A8
66511+:1045E00000AE302B014B4821012638213C01080048
66512+:1045F000AC250074000088213C010800AC27007045
66513+:104600001100000F000000008F6200742619FFFFE8
66514+:104610003208007F0002FE0233E5007F150000062D
66515+:10462000332200FF2407FF800207202624A3FFFF78
66516+:1046300000838025320200FF0040802124111008F1
66517+:104640000E000060000000008F49081831250004AA
66518+:1046500014A0FFFD3218007F001878C000187140C8
66519+:1046600001CF682125AC0088AF4C0818274A098083
66520+:104670008D4B0020AF4B01448D460024AF460148CE
66521+:10468000A35001500E000062A740015802201021E3
66522+:104690008FBF00188FB100148FB0001003E0000826
66523+:1046A00027BD002027BDFFE8308400FFAFBF00100A
66524+:1046B0000E0005BB30A500FF8F8300508FBF001098
66525+:1046C000344500402404FF903C02100027BD001830
66526+:1046D000AF43014CA3440152AF45015403E000082D
66527+:1046E000AF4201789343093E306200081040000D4C
66528+:1046F0003C0901013528080AAC8800008F47007486
66529+:10470000AC8700043C06080090C63D9030C5001000
66530+:1047100050A00006AC8000088F6A0060AC8A0008D8
66531+:104720002484000C03E00008008010210A00062207
66532+:104730002484000C27BDFFE8AFBF0014AFB0001009
66533+:104740009346093F00A050210005288000853823AA
66534+:1047500030C200FF240300063C09080095293D866D
66535+:1047600024E8FFD824050004104300372406000283
66536+:104770009750093C3C0F020400063400320EFFFF44
66537+:1047800001CF6825AC8D0000934C093E318B002091
66538+:104790001160000800000000934309363C02010349
66539+:1047A000345F0300307900FF033FC0252405000873
66540+:1047B000AC98000493430934935909210005F88209
66541+:1047C000306200FF0002C082332F00FF00186E002D
66542+:1047D000000F740001AE6025018920253C094000CE
66543+:1047E00000898025ACF0FFD8934309378F4F0948E3
66544+:1047F0008F580940306200FF004AC821033F7021F2
66545+:1048000001F86023000E6F0001A650253185FFFCE2
66546+:10481000001F58800145482501683821AD09002056
66547+:104820000E00006024F00028240400040E00006242
66548+:10483000A364003F020010218FBF00148FB000104E
66549+:1048400003E0000827BD00180A0006352406001200
66550+:1048500027BDFFD024090010AFB60028AFB5002453
66551+:10486000AFB40020AFB10014AFB000103C0108009D
66552+:10487000A0293D90AFBF002CAFB3001CAFB2001811
66553+:1048800097480908309400FF3C02000E3107FFFFF3
66554+:10489000000731C0AF46002C974409089344010B30
66555+:1048A00030B500FF03428021308300300000B0218A
66556+:1048B0001060012500008821240C00043C01080040
66557+:1048C000A02C3D90934B093E000B5600000A2E038E
66558+:1048D00004A0016000000000AF400048934F010BAE
66559+:1048E00031EE002011C00006000000009358093E80
66560+:1048F00000189E0000139603064001890000000086
66561+:104900009344010B30830040106000038F930050EC
66562+:104910008F8200502453FFFF9347093E30E6000882
66563+:1049200014C0000224120003000090219619002CEC
66564+:1049300093580934934F0937A7990058330C00FF57
66565+:1049400031EE00FF024E6821000D5880016C5021AD
66566+:10495000015140213C010800A4283D869205001821
66567+:1049600030A900FF010918213C010800A4233D885B
66568+:104970009211001816200002000000000000000D37
66569+:104980003C010800A4233D8A3C010800A4203D808E
66570+:104990003C010800A4203D7C935F010B3063FFFFC6
66571+:1049A00033F00040120000022464000A2464000B6B
66572+:1049B0003091FFFF0E00009E022020219358010B32
66573+:1049C0003C08080095083D8A0040202100185982C3
66574+:1049D000316700010E00049A01072821934C010B56
66575+:1049E0008F4B002C974E09083C0F000E034F4021BF
66576+:1049F00031CDFFFF000D51C0AF4A002C974309088D
66577+:104A00009505001A004038212404000130A9FFFF59
66578+:104A1000AC4900008D06001C00404821318A00404E
66579+:104A2000AC4600048D020020ACE20008910300199E
66580+:104A300030630003106400EC28790002172001188D
66581+:104A4000241000021070010C241F0003107F011EAF
66582+:104A500000000000114000DE000000003C090800DA
66583+:104A600095293D8625220001935F0934934E092143
66584+:104A70009504002A33F900FF0019C08231CF00FFEE
66585+:104A8000978E005800184600000F6C00010D80251D
66586+:104A90003045FFFF02051025008E50213C034000E9
66587+:104AA00000433025000A6400ACEC0004ACE60000D2
66588+:104AB000935F09203C19000624EC0014001FC60077
66589+:104AC00003197825ACEF00088F48092C25CD00018B
66590+:104AD00031A57FFFACE8000C8F500930A785005846
66591+:104AE00024E80028ACF000108F4409380100802130
66592+:104AF000ACE40014AD9300048F530940AD9300085B
66593+:104B0000934A09373C19080093393D908F4309486F
66594+:104B10008F460940314200FF0052F82100667023A1
66595+:104B2000001F7F000019C40001F8282531CDFFFCCB
66596+:104B300000AD2025AD84000CAD800010AF4B002CE3
66597+:104B4000934B093E317300081260000D3C060101D1
66598+:104B500034CC080AACEC00288F530074AD13000469
66599+:104B60003C0B0800916B3D903167001050E0000352
66600+:104B7000AD0000088F6A0060AD0A00082510000C27
66601+:104B800012C0003D000000009343093F24160006B8
66602+:104B900024060004306200FF105600C924070002FA
66603+:104BA0009758093C3C0F0204330DFFFF01AF40252D
66604+:104BB000AE0800009345093E30A400201080000894
66605+:104BC00000000000935309363C0B0103357F0300BE
66606+:104BD000327900FF033F7025AE0E00042406000862
66607+:104BE000934F093493480921312AFFFF31ED00FF2B
66608+:104BF000000D1082310300FF0002B60000032C00FC
66609+:104C000002C56025018A9825001220803C094000D9
66610+:104C10000204502302695825AD4BFFD8935F093732
66611+:104C20008F4F09488F58094033F900FF0332702134
66612+:104C30000006B08201D668210007440001F828234D
66613+:104C4000000D1F000068302530A2FFFC2547FFD86B
66614+:104C500000C260250016808002074821ACEC0020CD
66615+:104C6000253000280E00006024120004A372003FCB
66616+:104C70000E000062000000009347010B30F200407C
66617+:104C8000124000053C1900FF8E180000372EFFFF70
66618+:104C9000030E3024AE0600000E0000C702202021C3
66619+:104CA0003C10080092103D90321100031220000FBA
66620+:104CB00002A028218F89005025330001AF930050B6
66621+:104CC000AF7300508F6B00540173F8231BE0000298
66622+:104CD000026020218F640054AF6400548F4C007434
66623+:104CE000258401F4AF64000C02A028210280202159
66624+:104CF000A76000680E0005BB3C1410008F850050B3
66625+:104D000034550006AF45014C8F8A00488FBF002CF8
66626+:104D10008FB3001C25560001AF9600488FB20018D3
66627+:104D2000A34A01528FB60028AF5501548FB1001429
66628+:104D3000AF5401788FB500248FB400208FB00010DD
66629+:104D400003E0000827BD00309358093E00189E007C
66630+:104D500000139603064200362411000293440923EF
66631+:104D6000308300021060FEDD8F8600608F8200506D
66632+:104D700014C2FEDA000000000E0000600000000017
66633+:104D80009369003F24070016312800FF1107000C2B
66634+:104D9000240500083C0C0800918C3D90358B0001E7
66635+:104DA0003C010800A02B3D90936A003F314300FF77
66636+:104DB00010650065240D000A106D005E2402000CD1
66637+:104DC0000E000062000000000A00069000000000D3
66638+:104DD0003C09080095293D863C0A0800954A3D801B
66639+:104DE0000A0006F3012A10213C09080095293D8A92
66640+:104DF0003C04080094843D803C06080094C63D7C39
66641+:104E000095030024012410210046F8230003CC0060
66642+:104E100027F0FFF20330C025240F0800ACF8000C87
66643+:104E2000ACEF0014ACE000100A0006EE24E7001816
66644+:104E30003C010800A0313D90935F093E241600011B
66645+:104E400033F900201720FEA5241100080A0006905F
66646+:104E5000241100048F6E00848F4D094011A0FE9E26
66647+:104E6000AF8E0050240F00143C010800A02F3D908D
66648+:104E70000A00068F00000000950E0024950D002802
66649+:104E8000000E6400000D2C003589810034A6080056
66650+:104E9000ACE9000CACE600100A0006EE24E70014B2
66651+:104EA0001460FEEC000000009502002400021C00CB
66652+:104EB00034640800ACE4000C0A0006EE24E700109D
66653+:104EC0000A000741240700123C02080094423D8A70
66654+:104ED0003C06080094C63D803C03080094633D7C7A
66655+:104EE00095100024951900280046F82103E3C023FB
66656+:104EF00000106C0000197400270FFFEE01CF282569
66657+:104F000035AC8100ACEC000CACE5001024070800C7
66658+:104F1000AD2700182527001C0A0006EEAD2000145E
66659+:104F20008F7F004CAF7F00548F7900540A000699A0
66660+:104F3000AF790050A362003F0E0000620000000045
66661+:104F40000A00069000000000240200140A0008274E
66662+:104F5000A362003F27BDFFE8308400FFAFBF001011
66663+:104F60000E0005BB30A500FF9378007E9379007F8B
66664+:104F7000936E00809368007A332F00FF001866005C
66665+:104F8000000F6C0031CB00FF018D4825000B520053
66666+:104F90008FBF0010012A3825310600FF344470000D
66667+:104FA00000E628252402FF813C03100027BD0018DD
66668+:104FB000AF45014CAF440154A342015203E0000845
66669+:104FC000AF43017827BDFFD8AFB20018AFB10014CE
66670+:104FD000AFB00010AFBF0020AFB3001C9342010977
66671+:104FE000308600FF30B000FF000618C23204000215
66672+:104FF0003071000114800005305200FF93670005F6
66673+:1050000030E5000810A0000D30C80010024020213B
66674+:105010000E0005A702202821240400018FBF0020D4
66675+:105020008FB3001C8FB200188FB100148FB0001026
66676+:105030000080102103E0000827BD00281500003281
66677+:105040000000000093430109000028213062007F26
66678+:10505000000220C00002F94003E49821267900886C
66679+:10506000033B98218E7800248E6F0008130F0046B2
66680+:10507000000000008F640084241800020004FD82F8
66681+:1050800033F900031338007C0000000093660083AE
66682+:10509000934A0109514600043205007C10A00060CB
66683+:1050A000000000003205007C14A0005302402021C3
66684+:1050B00016200006320400018E7F00248F5901045F
66685+:1050C00017F9FFD600002021320400011080000AE9
66686+:1050D000024020218F4209408F9300641053000644
66687+:1050E000000000000E00066D022028218F430940B9
66688+:1050F000AF630044024020210E0006020220282156
66689+:105100000A000860240400013C0908008D2900649D
66690+:10511000252600013C010800AC26006416000012A0
66691+:10512000000000008F6D00843C0E00C001AE6024C2
66692+:1051300015800005024020210E00082E02202821A3
66693+:105140000A00086024040001240500040E00057014
66694+:1051500024060001024020210E00082E02202821F2
66695+:105160000A000860240400010E000041240400012C
66696+:10517000936B007D020B50250E000062A36A007D38
66697+:105180000A0008A38F6D00848F6600748F480104A5
66698+:105190008E67002400064E021507FFB63126007FF9
66699+:1051A000936B008326440001308A007F1146004340
66700+:1051B000316300FF5464FFB08F6400842645000112
66701+:1051C00030B1007F30A200FF122600042405000148
66702+:1051D000004090210A00087624110001240FFF806E
66703+:1051E000024F702401CF9026324200FF00409021F0
66704+:1051F0000A000876241100010E00066D0220282105
66705+:10520000321800301300FFAA321000820240202121
66706+:105210000E0005A7022028210A00086024040001CE
66707+:105220008F6E00743C0F80002405000301CF902591
66708+:10523000AF72007493710083240600010E000570A4
66709+:10524000322400FF0E00004124040001936D007D14
66710+:10525000020D60250E000062A36C007D3C0B08006F
66711+:105260008D6B0054257000013C010800AC300054E7
66712+:105270000A000860240400018F6800743C09800063
66713+:105280002405000401093825AF6700749363008387
66714+:10529000240600010E000570306400FF0E0000417E
66715+:1052A000240400019362007D020298250E00006232
66716+:1052B000A373007D0A00086024040001324D0080C1
66717+:1052C00039AC0080546CFF6C8F6400840A0008C9FC
66718+:1052D0002645000127BDFFC83C0A0008AFBF0030CB
66719+:1052E000AFB5002CAFB40028AFB30024AFB200209C
66720+:1052F000AFB1001CAFB00018034AD8212409004008
66721+:10530000AF490814AF4008108F4209448F43095039
66722+:105310008F4609548F47095C8F48094C9344010814
66723+:105320009345010BAF820064308400FF30A500FF7D
66724+:10533000AF830050AF86004CAF87005C0E00084A78
66725+:10534000AF8800601440017D8FBF0030A760006807
66726+:10535000934D0900240B00503C15080026B53D482C
66727+:1053600031AC00FF3C12080026523D58118B00035F
66728+:10537000000000000000A8210000902193510109C5
66729+:105380008F9F005024040010322E007F000E68C052
66730+:10539000000E6140018D282124B40088AF54081804
66731+:1053A0008F4901048F4A09A43C0B000E034BC02116
66732+:1053B000012A10233C010800AC223D6C8F430958A0
66733+:1053C0003C010800A0243D9097470908007F302346
66734+:1053D0003C010800AC263D7030E8FFFF0008C9C062
66735+:1053E0003C010800AC3F3D94AF59002C974209089E
66736+:1053F0009710002C8EB10000930F001803749821B1
66737+:10540000A7900058AF9300440220F80931F000FF44
66738+:10541000304E000215C001B2304F000111E0014FC3
66739+:10542000000000009343093E3066000814C00002EB
66740+:10543000241400030000A0218F5809A424130001A4
66741+:105440003C010800AC383D98934F0934935109371B
66742+:1054500031EC00FF322E00FF028E6821000D288003
66743+:1054600000AC5021015058213C010800A42B3D887C
66744+:105470003C010800A42A3D8693490934312200FFEB
66745+:1054800002022021249000103C010800A4303D8439
66746+:10549000240700068F9F00503C010800AC273D8C7C
66747+:1054A0008F88005C8F59095800008021011F282334
66748+:1054B00004A00149033F20230480014700A4302BAE
66749+:1054C00010C00149000000003C010800AC253D70FF
66750+:1054D0008E4200000040F809000000003043000246
66751+:1054E000146000F80040882130440001548000100E
66752+:1054F0008E4200043C0908008D293D743C0AC0001E
66753+:10550000012A8025AF500E008F45000030AB000807
66754+:105510001160FFFD00000000974D0E0824100001EF
66755+:10552000A78D003C8F4C0E04AF8C00348E420004DB
66756+:105530000040F8090000000002228825322E0002F7
66757+:1055400015C00180000000003C09080095293D7C41
66758+:105550003C06080094C63D883C0A0800954A3D7EFA
66759+:105560003C1908008F393D74012660213C18080061
66760+:105570008F183D983C03080094633D92018A2021D6
66761+:105580008F4E09400329F821248F000203E32821CC
66762+:10559000031968213C010800A42C3D8AAF8E0064E9
66763+:1055A0003C010800AC2D3D983C010800A4253D803D
66764+:1055B0000E00009E31E4FFFF8F870048004020214D
66765+:1055C0003C010800A0273D918E42000824E800011C
66766+:1055D000AF8800480040F809000000009344010B28
66767+:1055E0008F4C002C974A09083C0B000E034B4021BE
66768+:1055F0003149FFFF000919C08F8B0050AF43002CC9
66769+:10560000974309089506001A00403821308A004067
66770+:1056100030DFFFFFAC5F00008D19001C0040482107
66771+:10562000AC5900048D180020AC580008910F0019E7
66772+:1056300031E30003107300F0000000002862000254
66773+:105640001440010924050002106500FD240D00032B
66774+:10565000106D010D00000000114000D90000000095
66775+:105660003C0A0800954A3D8625420001934D0934C5
66776+:1056700093580921950E002A31A300FF00032082D0
66777+:10568000331F00FF9798005800047E00001FCC00D5
66778+:1056900001F940253049FFFF0109102501D83021CB
66779+:1056A0003C0540000045502500066C00ACED0004B0
66780+:1056B000ACEA0000934309203C04000624ED0014EA
66781+:1056C0000003FE0003E4C825ACF900088F49092C4B
66782+:1056D000270F000131EE7FFFACE9000C8F48093045
66783+:1056E000A78E005824E90028ACE800108F4509383F
66784+:1056F00001204021ACE50014ADAB00048F4209400D
66785+:10570000ADA20008934B09373C1F080093FF3D9062
66786+:105710008F4309488F4A0940316600FF00D4202199
66787+:10572000006A78230004C700001FCC000319282555
66788+:1057300031EEFFFC00AE1025ADA2000CADA00010B4
66789+:10574000AF4C002C934C093E318B00085160000F88
66790+:105750008E58000C3C06010134CA080AACEA002845
66791+:105760008F4B0074AD2B00043C0C0800918C3D90D5
66792+:105770003187001050E00003AD2000088F62006008
66793+:10578000AD2200082528000C8E58000C0300F809F3
66794+:10579000010020213C19080097393D8A3C1F080070
66795+:1057A00097FF3D7E033F782125E900020E0000C7E8
66796+:1057B0003124FFFF3C0E08008DCE3D6C3C080800F4
66797+:1057C0008D083D7401C828233C010800AC253D6CC0
66798+:1057D00014A00006000000003C0308008C633D8C10
66799+:1057E000346400403C010800AC243D8C1200007081
66800+:1057F0008F8C00448F470E108F900044AE0700201E
66801+:105800008F4D0E18AE0D00243C10080096103D8000
66802+:105810000E0000600000000024020040AF420814A7
66803+:105820008F8600508F8A004C00D01821006A5823C0
66804+:1058300019600004AF830050AF6300548F650054BB
66805+:10584000AF85004C1200000C000000008F44007473
66806+:10585000936800813409FA002D0E000711C000057D
66807+:1058600000891821937F0081241901F403F9780439
66808+:1058700001E41821AF63000C8F44095C8F83005C46
66809+:105880000083C0231B000003000000008F50095C50
66810+:10589000AF90005C0E000062000000008F8C005092
66811+:1058A0008E4700103C010800AC2C3D9400E0F80944
66812+:1058B000000000003C0D08008DAD3D6C55A0FEF5CC
66813+:1058C000240700068F450024975909088F8B006430
66814+:1058D0008F9400503C0F001F978200588F86005411
66815+:1058E0008F93004C3328FFFF35E9FF8000A9502437
66816+:1058F000000871C032320100AF4E0024A4C2002C57
66817+:10590000AF4A0024AF6B0044AF740050AF73005433
66818+:105910001640008032380010570000868EA4000424
66819+:10592000322300405460001B8EB100088EB0000C82
66820+:105930000200F809000000008FBF00308FB5002C76
66821+:105940008FB400288FB300248FB200208FB1001CC9
66822+:105950008FB0001803E0000827BD00389347010905
66823+:105960008F8800380007FE0003E8C825AF59008083
66824+:105970008F5809A08F5309A4AFB80010AF580E1468
66825+:105980008FB40010AF540E10AF530E1C0A00096202
66826+:10599000AF530E180220F809000000008EB0000C72
66827+:1059A0000200F809000000000A000AA88FBF0030BA
66828+:1059B000A5800020A59300220A000A5BAD93002475
66829+:1059C0003C09080095293D863C06080094C63D80A8
66830+:1059D0000A0009F4012610213C010800AC203D70AA
66831+:1059E0000A00098E8E4200003C010800AC243D7084
66832+:1059F0000A00098E8E4200003C03080094633D8A31
66833+:105A00003C04080094843D803C1F080097FF3D7CC7
66834+:105A1000951800240064C821033F782300186C0007
66835+:105A200025EEFFF201AE2825AC45000C240208004B
66836+:105A3000ACE20014ACE000100A0009EF24E7001803
66837+:105A400095060024950900280006240000091C0082
66838+:105A5000349F810034790800ACFF000CACF90010D1
66839+:105A60000A0009EF24E700141460FEFB00000000A8
66840+:105A70009518002400187C0035EE0800ACEE000CF0
66841+:105A80000A0009EF24E700103C07080094E73D8076
66842+:105A90003C04080094843D8A3C03080094633D7CE8
66843+:105AA00095190024951800280087F82103E378232E
66844+:105AB0002407080000192C0000186C0025EEFFEEEA
66845+:105AC00001AE302534A28100AD2700182527001C27
66846+:105AD000AD22000CAD2600100A0009EFAD20001425
66847+:105AE00093520109000028210E000602324400FFF3
66848+:105AF0008FBF00308FB5002C8FB400288FB30024E7
66849+:105B00008FB200208FB1001C8FB0001803E0000896
66850+:105B100027BD0038935F010933E400FF0E00066DD6
66851+:105B200000002821323800105300FF7E322300404D
66852+:105B30008EA400040080F809000000000A000AA2F8
66853+:105B4000322300401200FF5F000000008F540E144B
66854+:105B50008F920044AE5400208F530E1C0A000A8A14
66855+:105B6000AE5300248F82001C008040213C040100C1
66856+:105B70009047008530E3002010600009000000001D
66857+:105B80003C0708008CE73D948F83001800E3202336
66858+:105B9000048000089389000414E30003010020211D
66859+:105BA00003E00008008010213C04010003E000082D
66860+:105BB000008010211120000B006738238F8C0020FB
66861+:105BC00024090034918B00BC316A0002514000016D
66862+:105BD0002409003000E9682B15A0FFF10100202105
66863+:105BE00000E938232419FFFC00B9C02400F9782407
66864+:105BF00000F8702B15C0FFEA01E8202130C2000335
66865+:105C00000002182314C00012306900030000302184
66866+:105C100000A9702101C6682100ED602B1180FFE012
66867+:105C20003C0401002D2F00010006482B01053821FE
66868+:105C300001E9302414C0FFDA24E4FFFC2419FFFC3E
66869+:105C400000B9C0240308202103E0000800801021CF
66870+:105C50008F8B002024060004916A00BC31440004AC
66871+:105C60001480FFEC00A970210A000B5E00003021B7
66872+:105C700027BDFFE8AFBF00108F460100934A01091E
66873+:105C80003C1F08008FFF00902407FF80314F00FF6A
66874+:105C900031E8007F0008614003E6C821032CC021E1
66875+:105CA00027090120012770243C010800A02F3DD0C6
66876+:105CB000AF4E080C3C0D08008DAD00903C040080F8
66877+:105CC0003482000301A65821016C182124650120AB
66878+:105CD00030AA007801424025AF48081C3C1F08004C
66879+:105CE0008FFF00908F88004003E6C0213319000722
66880+:105CF00003074824033A7821AF49002825E909C061
66881+:105D0000952E00023C0D08008DAD008C3C0A080069
66882+:105D10008D4A009031CC3FFF01A61821000C59801C
66883+:105D2000006B282100A72024AF44002C95220002FC
66884+:105D30003C1F08008FFF008C9107008530593FFF02
66885+:105D400003E678210019C1800146702101F868211D
66886+:105D500031CC007F31AB007F019A2821017A50219C
66887+:105D60003C03000C3C04000E00A328210144102138
66888+:105D700030E6002027470980AF82002CAF88001C46
66889+:105D8000AF890024AF85002010C00006AF8700282F
66890+:105D90008D0200508CA4010C0044302318C0007701
66891+:105DA00000000000910C0085240DFFDF018D3824D8
66892+:105DB000A10700858F8B001C8F8900248F87002806
66893+:105DC0008D65004CAF850018912F000D31EE00203D
66894+:105DD00011C000170000000024090001A38900047D
66895+:105DE000AF80000C8CE400248F85000C240A00088E
66896+:105DF000AF800008AF8000103C010800A42A3D7E5F
66897+:105E00003C010800A4203D920E000B32000030211E
66898+:105E10008F8500248FBF0010AF82001490A8000D62
66899+:105E200027BD00180008394203E0000830E20001F5
66900+:105E3000913F00022418000133F900FF001921826C
66901+:105E400010980039240800021088005B8F86002C0F
66902+:105E50008CE5002414A0001B8F9F002091220000DD
66903+:105E6000240A00053046003F10CA00472404000100
66904+:105E70008F860008A3840004AF860010AF86000C54
66905+:105E80008CE400248F85000C240A00083C010800E3
66906+:105E9000A42A3D7E3C010800A4203D920E000B3256
66907+:105EA000000000008F8500248FBF0010AF82001417
66908+:105EB00090A8000D27BD00180008394203E0000833
66909+:105EC00030E200018CF800088CF900248FEE00C449
66910+:105ED000A38000048CE40024AF8E000C8F85000C9E
66911+:105EE0008F86000803197823240A0008AF8F00105A
66912+:105EF0003C010800A42A3D7E3C010800A4203D92FC
66913+:105F00000E000B32000000008F8500248FBF0010B0
66914+:105F1000AF82001490A8000D27BD00180008394278
66915+:105F200003E0000830E20001912300003062003FEE
66916+:105F3000104400278F8500208CE400241480002169
66917+:105F4000000000008D2E00183C187FFF8F85002078
66918+:105F5000370FFFFF01CF1824AF8300088F9F000881
66919+:105F60008CA8008403E8C82B1720000203E020213E
66920+:105F70008CA400840A000BEDAF8400088CA3010CF4
66921+:105F80000A000BCBAF8300188D2C00188F860008F9
66922+:105F90003C0D7FFF8F89002035A3FFFF018358242C
66923+:105FA00024040001AF8B0010AD2000CCA3840004BA
66924+:105FB0000A000BF9AF86000C8CCA00140A000BED26
66925+:105FC000AF8A00088CA300C80A000C30AF83000819
66926+:105FD0008F84002C8CAC00648C8D0014018D582BA8
66927+:105FE00011600004000000008CA200640A000C3064
66928+:105FF000AF8200088C8200140A000C30AF820008C7
66929+:106000008F85000C27BDFFE0AFBF0018AFB10014B3
66930+:1060100014A00007AFB000108F86002424020005F2
66931+:1060200090C400003083003F106200B68F840020CF
66932+:106030008F91000800A080218F8C00283C0508006B
66933+:106040008CA53D708D8B000431663FFF00C5502B41
66934+:106050005540000100C02821938D000411A0007359
66935+:1060600000B0F82B8F98002024040034930F00BC5C
66936+:1060700031EE000251C000012404003000A4C82BFE
66937+:10608000172000D10000000000A4282300B0F82B46
66938+:106090003C010800A4243D7C17E000680200202198
66939+:1060A0003C0308008C633D6C0083102B54400001BE
66940+:1060B000008018218F8800243C010800AC233D7427
66941+:1060C000000048219104000D308300205060000141
66942+:1060D0008F490E188F8300140123382B10E00059CC
66943+:1060E000000000003C0408008C843D7400895821A5
66944+:1060F000006B502B114000560090602B006930233C
66945+:1061000000C020213C010800AC263D7412000003B1
66946+:10611000241FFFFC1090008A32270003009FC82430
66947+:106120003C010800AC393D743C010800A4203D92BC
66948+:106130008F84000C120400078F830020AF910008A9
66949+:10614000020020218C7100CCAF90000C26300001A1
66950+:10615000AC7000CC3C0208008C423D748F8A001069
66951+:10616000240700180082202301422823AF84000C5A
66952+:1061700010800002AF850010240700108F86001CDD
66953+:106180003C010800A0273D902407004090CC0085EA
66954+:10619000318B00C0116700408F8D001414A00015D2
66955+:1061A00000002021934A01098F420974314500FF04
66956+:1061B0000002260224A300013090007F3071007F8E
66957+:1061C0001230007A2407FF80A0C300833C09080036
66958+:1061D0008D293D8C8F880024240D0002352C000869
66959+:1061E0003C010800A02D3DD13C010800AC2C3D8CA9
66960+:1061F00024040010910E000D31C6002010C00005CF
66961+:1062000000801821240800013C010800AC283D74DE
66962+:10621000348300018FBF00188FB100148FB00010BD
66963+:106220000060102103E0000827BD00203C010800A9
66964+:10623000A4203D7C13E0FF9A020020210A000C817B
66965+:1062400000A020213C0408008C843D740090602B49
66966+:106250001180FFAE000000003C0F080095EF3D7C70
66967+:1062600001E4702101C6682B11A000072C820004F4
66968+:106270003C1F60008FF954043338003F1700FFE5DE
66969+:10628000240300422C8200041040FFA0240300429B
66970+:106290000A000CDF8FBF0018152DFFC000000000A2
66971+:1062A0008CDF00743C0380002405FF8003E3C825D5
66972+:1062B000ACD9007490D80085240E0004240400108A
66973+:1062C000330F003F01E54025A0C800858F880024DA
66974+:1062D0003C010800A02E3DD1240300019106000DD1
66975+:1062E00030C9002015200003000000003C03080016
66976+:1062F0008C633D743C010800AC233D6C0A000CD655
66977+:10630000000000008F8700108C88008400E8282B94
66978+:1063100014A0000200E088218C910084240900016F
66979+:10632000A38900048F440E18022028210E000B328E
66980+:1063300002203021022080210A000C67AF82001465
66981+:1063400000071823306600033C010800A4263D9294
66982+:10635000122000058F8C0020918B00BC316A000454
66983+:106360001540001524CD00043C0F080095EF3D9228
66984+:1063700001E4702100AE302B50C0FF6E8F84000C02
66985+:106380002C85000514A0FFA32403004230980003CD
66986+:1063900017000002009818232483FFFC3C0108002A
66987+:1063A000AC233D740A000CA30000000000A7582491
66988+:1063B0000A000CCB016718263C010800A42D3D9271
66989+:1063C0000A000D33000000003C010800AC203D74C1
66990+:1063D0000A000CDE240300428F83001014600007C3
66991+:1063E000000010218F88002424050005910600007C
66992+:1063F00030C400FF108500030000000003E0000827
66993+:1064000000000000910A0018314900FF000939C25C
66994+:1064100014E0FFFA8F85001C3C04080094843D7C46
66995+:106420003C0308008C633D943C1908008F393D748F
66996+:106430003C0F080095EF3D920064C0218CAD0054E4
66997+:106440000319702101CF6021018D58231960001DAF
66998+:1064500000000000910E001C8F8C002C974B0E103A
66999+:1064600031CD00FF8D850004016D30238D88000043
67000+:1064700030CEFFFF000E510000AAC82100003821D5
67001+:1064800001072021032A182B0083C021AD990004A5
67002+:10649000AD980000918F000A01CF6821A18D000AFC
67003+:1064A0008F88002C974B0E12A50B0008950A003818
67004+:1064B00025490001A50900389107000D34E60008C0
67005+:1064C000A106000D03E000080000000027BDFFE06A
67006+:1064D000938700048F8F00248FAD00143C0E7FFF44
67007+:1064E0008F89000C35C8FFFFAFBF001CAFB000188C
67008+:1064F00001A8182491EA000D000717C03C1FBFFF38
67009+:10650000006258252D2E00018F90001837F9FFFFEB
67010+:106510003C1808008F183D943C0F080095EF3D8A09
67011+:1065200001796824000E47803C07EFFF3C05F0FF2F
67012+:1065300001A818253149002034E2FFFF34ACFFFFE9
67013+:106540000310582327A500102406000225EA0002A4
67014+:1065500000621824008080211520000200004021E4
67015+:106560008F480E1CA7AA0012056000372407000000
67016+:1065700030FF00FF001FCF008F8B001C00793825F3
67017+:10658000AFA70014916F00853C08080091083D9169
67018+:106590003C18DFFF31EE00C0370AFFFF000E182B5A
67019+:1065A0003C1F080097FF3D8400EA6824A3A800115F
67020+:1065B0000003174001A248258FB90010AFA90014AD
67021+:1065C0003C0A0800914A3D93A7BF00168FA800140B
67022+:1065D000032CC0243C0B01003C0F0FFF030B1825BC
67023+:1065E0003147000335EEFFFF010C68240007160059
67024+:1065F000006EF8243C09700001A2C82503E9582563
67025+:10660000AFB90014AFAB00100E000076A3A00015C8
67026+:106610008F8C0024260200089186000D30C40020D3
67027+:10662000108000068FBF001C3C05080094A53D802B
67028+:1066300024B0FFFF3C010800A4303D808FB000185B
67029+:1066400003E0000827BD00208F9800140118502B8C
67030+:106650005540FFC7240700010A000DB630FF00FFB8
67031+:106660009382000427BDFFE0AFBF00181040000F69
67032+:10667000008050218F880024240B00058F8900089A
67033+:10668000910700008F8400200100282130E3003FA3
67034+:106690008F86002C106B000800003821AFA9001075
67035+:1066A0000E00040EAFAA0014A38000048FBF0018D0
67036+:1066B00003E0000827BD00208D1900183C0F0800DA
67037+:1066C0008DEF3D748F9800103C027FFF8D08001401
67038+:1066D000345FFFFF033F682401F8702101AE60239F
67039+:1066E00001883821AFA900100E00040EAFAA0014D3
67040+:1066F0000A000E04A38000048F8700243C050800D4
67041+:1067000094A53D923C0208008C423D8C90E6000D21
67042+:106710000005240030C300201060002C00444025F8
67043+:106720008F85001C00006021240B000190A30085D0
67044+:1067300000004821240A00013C0F800035EE007063
67045+:106740008DC70000AF8700308F5801780700FFFE2B
67046+:106750003C038000347900708F3800003C0508004D
67047+:106760008CA500743C0D08008DAD007003077823E4
67048+:1067700000AF38210000102100EF302B01A22021B2
67049+:10678000008618213C010800AC2700743C01080079
67050+:10679000AC230070AF4B01483C1908008F393D9481
67051+:1067A000A7490144A74A0146AF59014C3C0B0800D8
67052+:1067B000916B3D91A34B0152AF4801543C0810002E
67053+:1067C000A74C015803E00008AF4801788F4B0E1C1E
67054+:1067D0003C0A08008D4A3D7497490E16974D0E14D9
67055+:1067E00001456021312AFFFF0A000E2731A9FFFF72
67056+:1067F0008F8300249064000D308200201040002917
67057+:10680000000000000000482100005021000040214D
67058+:106810003C07800034EB00708D670000AF870030CC
67059+:106820008F4C01780580FFFE3C0D800035AC007078
67060+:106830008D8B00003C0508008CA500743C0408000A
67061+:106840008C8400700167302300A67821000010219D
67062+:1068500001E6C82B0082C021031970213C01080009
67063+:10686000AC2F00743C010800AC2E0070AF49014809
67064+:106870003C0D08008DAD3D94A7480144240900401B
67065+:10688000A74A01463C081000240AFF91AF4D014C75
67066+:10689000A34A0152AF490154A740015803E0000840
67067+:1068A000AF4801788F490E1897460E1297450E1083
67068+:1068B00030CAFFFF0A000E5D30A8FFFF8F8300245F
67069+:1068C00027BDFFF89064000D308200201040003A90
67070+:1068D00000000000240B000100004821240A0001F0
67071+:1068E0003C088000350700708CE30000AF83003067
67072+:1068F0008F4C01780580FFFE3C0E80003C040800B0
67073+:1069000090843DD035C700708CEC00003C05080039
67074+:106910008CA50074A3A400033C1908008F390070F3
67075+:106920008FAD00000183302300A638210000102124
67076+:106930000322782100E6C02B01F8602101AE40253A
67077+:10694000AFA800003C010800AC2700743C0108001F
67078+:10695000AC2C00709346010A3C04080090843DD1A1
67079+:10696000A3A00002A3A600018FA300003C0580FFA6
67080+:106970003099007F34A2FFFF006278240019C6001E
67081+:1069800001F87025240D3000AF4E014C27BD0008E2
67082+:10699000AF4D0154A7400158AF4B0148A7490144EE
67083+:1069A000A74A01463C091000240AFF80A34A01526D
67084+:1069B00003E00008AF4901788F4B0E1897460E127E
67085+:1069C00097450E1030CAFFFF0A000E9130A9FFFF55
67086+:1069D0008F85001C2402008090A40085308300C0B5
67087+:1069E000106200058F8600208F8800088F87000CBA
67088+:1069F000ACC800C8ACC700C403E000080000000039
67089+:106A00003C0A0800254A39543C09080025293A2047
67090+:106A10003C08080025082DD43C07080024E73B3437
67091+:106A20003C06080024C637C43C05080024A5353CB4
67092+:106A30003C040800248431643C0308002463385C6F
67093+:106A40003C020800244236303C010800AC2A3D508C
67094+:106A50003C010800AC293D4C3C010800AC283D48F5
67095+:106A60003C010800AC273D543C010800AC263D64C5
67096+:106A70003C010800AC253D5C3C010800AC243D58BD
67097+:106A80003C010800AC233D683C010800AC223D609D
67098+:086A900003E000080000000013
67099+:00000001FF
67100diff --git a/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex b/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex
67101new file mode 100644
67102index 0000000..43d7c4f
67103--- /dev/null
67104+++ b/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex
67105@@ -0,0 +1,6496 @@
67106+:10000000080001180800000000005594000000C816
67107+:1000100000000000000000000000000008005594EF
67108+:10002000000000380000565C080000A00800000036
67109+:100030000000574400005694080059200000008436
67110+:100040000000ADD808005744000001C00000AE5CBD
67111+:100050000800321008000000000092580000B01C98
67112+:10006000000000000000000000000000080092589E
67113+:100070000000033C000142740800049008000400E2
67114+:10008000000012FC000145B000000000000000006C
67115+:1000900000000000080016FC00000004000158AC3D
67116+:1000A000080000A80800000000003D00000158B052
67117+:1000B00000000000000000000000000008003D00FB
67118+:1000C00000000030000195B00A000046000000006A
67119+:1000D000000000000000000D636F6D362E322E31DF
67120+:1000E00062000000060201020000000000000003A0
67121+:1000F000000000C800000032000000030000000003
67122+:1001000000000000000000000000000000000000EF
67123+:1001100000000010000001360000EA600000000549
67124+:1001200000000000000000000000000000000008C7
67125+:1001300000000000000000000000000000000000BF
67126+:1001400000000000000000000000000000000000AF
67127+:10015000000000000000000000000000000000009F
67128+:10016000000000020000000000000000000000008D
67129+:10017000000000000000000000000000000000007F
67130+:10018000000000000000000000000010000000005F
67131+:10019000000000000000000000000000000000005F
67132+:1001A000000000000000000000000000000000004F
67133+:1001B000000000000000000000000000000000003F
67134+:1001C000000000000000000000000000000000002F
67135+:1001D000000000000000000000000000000000001F
67136+:1001E0000000000010000003000000000000000DEF
67137+:1001F0000000000D3C020800244256083C030800A1
67138+:1002000024635754AC4000000043202B1480FFFDB2
67139+:10021000244200043C1D080037BD9FFC03A0F021D0
67140+:100220003C100800261001183C1C0800279C5608AA
67141+:100230000E000256000000000000000D27BDFFB4B4
67142+:10024000AFA10000AFA20004AFA30008AFA4000C50
67143+:10025000AFA50010AFA60014AFA70018AFA8001CF0
67144+:10026000AFA90020AFAA0024AFAB0028AFAC002C90
67145+:10027000AFAD0030AFAE0034AFAF0038AFB8003C28
67146+:10028000AFB90040AFBC0044AFBF00480E001544FA
67147+:10029000000000008FBF00488FBC00448FB90040B1
67148+:1002A0008FB8003C8FAF00388FAE00348FAD003078
67149+:1002B0008FAC002C8FAB00288FAA00248FA90020C0
67150+:1002C0008FA8001C8FA700188FA600148FA5001000
67151+:1002D0008FA4000C8FA300088FA200048FA1000040
67152+:1002E00027BD004C3C1B60108F7A5030377B502864
67153+:1002F00003400008AF7A00008F82002427BDFFE092
67154+:10030000AFB00010AFBF0018AFB100148C42000CAA
67155+:100310003C1080008E110100104000348FBF001887
67156+:100320000E000D84000000008F85002024047FFF54
67157+:100330000091202BACB100008E030104960201084D
67158+:1003400000031C003042FFFF00621825ACA300042C
67159+:100350009202010A96030114304200FF3063FFFF4E
67160+:100360000002140000431025ACA200089603010C03
67161+:100370009602010E00031C003042FFFF00621825A8
67162+:10038000ACA3000C960301109602011200031C009E
67163+:100390003042FFFF00621825ACA300108E02011846
67164+:1003A000ACA200148E02011CACA20018148000083C
67165+:1003B0008F820024978200003C0420050044182509
67166+:1003C00024420001ACA3001C0A0000C6A782000062
67167+:1003D0003C0340189442001E00431025ACA2001CB0
67168+:1003E0000E000DB8240400018FBF00188FB1001457
67169+:1003F0008FB000100000102103E0000827BD00208E
67170+:100400003C0780008CE202B834E50100044100089A
67171+:10041000240300013C0208008C42006024420001D9
67172+:100420003C010800AC22006003E0000800601021DD
67173+:100430003C0208008C42005C8CA4002094A30016AF
67174+:100440008CA6000494A5000E24420001ACE40280B6
67175+:100450002463FFFC3C010800AC22005C3C0210005D
67176+:10046000A4E30284A4E5028600001821ACE6028819
67177+:10047000ACE202B803E000080060102127BDFFE0F5
67178+:100480003C028000AFB0001034420100AFBF001C3E
67179+:10049000AFB20018AFB100148C43000094450008BF
67180+:1004A0002462FE002C42038110400003000381C23D
67181+:1004B0000A00010226100004240201001462000553
67182+:1004C0003C1180003C02800890420004305000FF44
67183+:1004D0003C11800036320100964300143202000FB6
67184+:1004E00000021500004310253C0308008C63004403
67185+:1004F00030A40004AE220080246300013C01080007
67186+:10050000AC2300441080000730A200028FBF001C03
67187+:100510008FB200188FB100148FB000100A0000CE07
67188+:1005200027BD00201040002D0000182130A20080BF
67189+:1005300010400005362200708E44001C0E000C672F
67190+:10054000240500A0362200708C4400008F82000C2D
67191+:10055000008210232C43012C10600004AF82001095
67192+:10056000240300010A000145AF84000C8E42000400
67193+:100570003C036020AF84000CAC6200143C02080015
67194+:100580008C42005850400015000018218C62000475
67195+:10059000240301FE304203FF144300100000182121
67196+:1005A0002E020004104000032E0200080A00014041
67197+:1005B0000000802114400003000000000A000140F8
67198+:1005C0002610FFF90000000D2402000202021004B0
67199+:1005D0003C036000AC626914000018218FBF001C4E
67200+:1005E0008FB200188FB100148FB00010006010217E
67201+:1005F00003E0000827BD00203C0480008C8301003C
67202+:1006000024020100506200033C0280080000000D3B
67203+:100610003C02800890430004000010213063000F6A
67204+:1006200000031D0003E00008AC8300800004188074
67205+:100630002782FF9C00621821000410C00044102390
67206+:100640008C640000000210C03C030800246356E4E0
67207+:10065000004310213C038000AC64009003E00008DC
67208+:10066000AF8200243C0208008C42011410400019A3
67209+:100670003084400030A2007F000231C03C02020002
67210+:100680001080001400A218253C026020AC43001426
67211+:100690003C0408008C8456B83C0308008C630110AD
67212+:1006A0003C02800024050900AC4500200086202182
67213+:1006B000246300013C028008AC4400643C01080053
67214+:1006C000AC2301103C010800AC2456B803E000083C
67215+:1006D000000000003C02602003E00008AC4500146C
67216+:1006E00003E000080000102103E0000800001021D2
67217+:1006F00030A2000810400008240201003C0208005B
67218+:100700008C42010C244200013C010800AC22010C87
67219+:1007100003E0000800000000148200080000000050
67220+:100720003C0208008C4200FC244200013C0108000D
67221+:10073000AC2200FC0A0001A330A200203C02080009
67222+:100740008C420084244200013C010800AC22008459
67223+:1007500030A200201040000830A200103C02080027
67224+:100760008C420108244200013C010800AC2201082F
67225+:1007700003E0000800000000104000080000000036
67226+:100780003C0208008C420104244200013C010800A4
67227+:10079000AC22010403E00008000000003C02080055
67228+:1007A0008C420100244200013C010800AC220100FF
67229+:1007B00003E000080000000027BDFFE0AFB1001417
67230+:1007C0003C118000AFB20018AFBF001CAFB00010EA
67231+:1007D0003632010096500008320200041040000733
67232+:1007E000320300028FBF001C8FB200188FB10014BB
67233+:1007F0008FB000100A0000CE27BD00201060000B53
67234+:10080000020028218E2401000E00018A0000000051
67235+:100810003202008010400003240500A10E000C6786
67236+:100820008E44001C0A0001E3240200018E2301040F
67237+:100830008F82000810430006020028218E24010048
67238+:100840000E00018A000000008E220104AF82000821
67239+:10085000000010218FBF001C8FB200188FB1001450
67240+:100860008FB0001003E0000827BD00202C82000498
67241+:1008700014400002000018212483FFFD240200021E
67242+:10088000006210043C03600003E00008AC626914DD
67243+:1008900027BDFFE0AFBF001CAFB20018AFB100141E
67244+:1008A000AFB000103C048000948201083043700017
67245+:1008B000240220001062000A2862200154400052E5
67246+:1008C0008FBF001C24024000106200482402600018
67247+:1008D0001062004A8FBF001C0A0002518FB200183C
67248+:1008E00034820100904300098C5000189451000C90
67249+:1008F000240200091062001C0000902128620009F7
67250+:10090000144000218F8200242402000A5062001249
67251+:10091000323100FF2402000B1062000F00000000C3
67252+:100920002402000C146200188F8200243C0208008C
67253+:100930008C4256B824030900AC83002000501021DB
67254+:100940003C038008AC6200643C010800AC2256B84D
67255+:100950000A0002508FBF001C0E0001E900102602A1
67256+:100960000A0002308F8200240E0001E900102602E6
67257+:100970003C0380089462001A8C72000C3042FFFF26
67258+:10098000020280258F8200248C42000C5040001E01
67259+:100990008FBF001C0E000D84000000003C02800090
67260+:1009A00034420100944300088F82002400031C009D
67261+:1009B0009444001E8F82002000641825AC50000073
67262+:1009C00024040001AC510004AC520008AC40000CFF
67263+:1009D000AC400010AC400014AC4000180E000DB844
67264+:1009E000AC43001C0A0002508FBF001C0E000440E4
67265+:1009F000000000000A0002508FBF001C0E000C9F78
67266+:100A0000000000008FBF001C8FB200188FB10014CF
67267+:100A10008FB000100000102103E0000827BD002067
67268+:100A200027BDFFD8AFB400203C036010AFBF002447
67269+:100A3000AFB3001CAFB20018AFB10014AFB00010DC
67270+:100A40008C6450002402FF7F3C1408002694563822
67271+:100A5000008220243484380CAC6450003C028000B6
67272+:100A6000240300370E0014B0AC4300083C07080014
67273+:100A700024E70618028010212404001D2484FFFFAF
67274+:100A8000AC4700000481FFFD244200043C02080042
67275+:100A9000244207C83C010800AC2256403C02080032
67276+:100AA000244202303C030800246306203C04080072
67277+:100AB000248403B43C05080024A506F03C06080085
67278+:100AC00024C62C9C3C010800AC2256803C02080045
67279+:100AD000244205303C010800AC2756843C01080044
67280+:100AE000AC2656943C010800AC23569C3C010800FF
67281+:100AF000AC2456A03C010800AC2556A43C010800DB
67282+:100B0000AC2256A83C010800AC23563C3C0108002E
67283+:100B1000AC2456443C010800AC2056603C0108005F
67284+:100B2000AC2556643C010800AC2056703C0108001E
67285+:100B3000AC27567C3C010800AC2656903C010800CE
67286+:100B4000AC2356980E00056E00000000AF80000C2C
67287+:100B50003C0280008C5300008F8300043C0208009C
67288+:100B60008C420020106200213262000700008821C0
67289+:100B70002792FF9C3C100800261056E43C02080017
67290+:100B80008C42002024050001022518040043202483
67291+:100B90008F820004004310245044000C26310001D1
67292+:100BA00010800008AF9000248E4300003C028000BB
67293+:100BB000AC4300900E000D4BAE05000C0A0002C1C4
67294+:100BC00026310001AE00000C263100012E22000269
67295+:100BD000261000381440FFE9265200043C020800A9
67296+:100BE0008C420020AF820004326200071040FFD91F
67297+:100BF0003C028000326200011040002D326200028F
67298+:100C00003C0580008CA2010000002021ACA2002045
67299+:100C10008CA301042C42078110400008ACA300A85B
67300+:100C200094A2010824032000304270001443000302
67301+:100C30003C02800890420005304400FF0E0001593C
67302+:100C4000000000003C0280009042010B304300FF96
67303+:100C50002C62001E54400004000310800E00018628
67304+:100C60000A0002EC00000000005410218C42000039
67305+:100C70000040F80900000000104000043C02800021
67306+:100C80008C4301043C026020AC4300143C02080089
67307+:100C90008C4200343C0440003C03800024420001AC
67308+:100CA000AC6401383C010800AC220034326200021E
67309+:100CB00010400010326200043C1080008E0201409F
67310+:100CC000000020210E000159AE0200200E00038317
67311+:100CD000000000003C024000AE0201783C02080027
67312+:100CE0008C420038244200013C010800AC2200384C
67313+:100CF000326200041040FF973C0280003C108000EC
67314+:100D00008E020180000020210E000159AE02002059
67315+:100D10008E03018024020F00546200073C02800809
67316+:100D20008E0201883C0300E03042FFFF00431025A3
67317+:100D30000A000328AE020080344200809042000086
67318+:100D400024030050304200FF14430007000000005D
67319+:100D50000E000362000000001440000300000000C9
67320+:100D60000E000971000000003C0208008C42003CAB
67321+:100D70003C0440003C03800024420001AC6401B804
67322+:100D80003C010800AC22003C0A0002A33C028000A7
67323+:100D90003C02900034420001008220253C02800089
67324+:100DA000AC4400203C0380008C6200200440FFFE25
67325+:100DB0000000000003E00008000000003C0280008A
67326+:100DC000344300010083202503E00008AC440020E8
67327+:100DD00027BDFFE0AFB10014AFB000100080882144
67328+:100DE000AFBF00180E00033230B000FF8F83FF94B6
67329+:100DF000022020219062002502028025A07000259B
67330+:100E00008C7000183C0280000E00033D020280241A
67331+:100E10001600000B8FBF00183C0480008C8201F884
67332+:100E20000440FFFE348201C024030002AC510000E4
67333+:100E3000A04300043C021000AC8201F88FBF0018F0
67334+:100E40008FB100148FB0001003E0000827BD002010
67335+:100E500027BDFFE83C028000AFBF00103442018094
67336+:100E6000944300048C4400083063020010600005C5
67337+:100E7000000028210E00100C000000000A0003787A
67338+:100E8000240500013C02FF000480000700821824B2
67339+:100E90003C02040014620004240500018F82FF94C8
67340+:100EA00090420008240500018FBF001000A010210F
67341+:100EB00003E0000827BD00188F82FF982405000179
67342+:100EC000A040001A3C028000344201400A00034264
67343+:100ED0008C4400008F85FF9427BDFFE0AFBF001C4E
67344+:100EE000AFB20018AFB10014AFB0001090A2000074
67345+:100EF000304400FF38830020388200300003182B74
67346+:100F00000002102B0062182410600003240200501D
67347+:100F1000148200A88FBF001C90A20005304200017F
67348+:100F2000104000A48FBF001C3C02800034420140EE
67349+:100F3000904200082443FFFF2C6200051040009EF1
67350+:100F40008FB20018000310803C030800246355ACE6
67351+:100F5000004310218C420000004000080000000007
67352+:100F60003C028000345101400E0003328E24000008
67353+:100F70008F92FF948E2200048E50000C1602000205
67354+:100F800024020001AE42000C0E00033D8E2400003E
67355+:100F90008E220004145000068FBF001C8FB2001870
67356+:100FA0008FB100148FB000100A000F7827BD002009
67357+:100FB0008E42000C0A000419000000003C0480006E
67358+:100FC0003482014094A300108C4200043063FFFF80
67359+:100FD0001443001C0000000024020001A4A2001021
67360+:100FE0008C8202380441000F3C0380003C02003F29
67361+:100FF0003448F0003C0760003C06FFC08CE22BBC8C
67362+:1010000000461824004810240002130200031D8229
67363+:10101000106200583C0280008C8202380440FFF7C6
67364+:101020003C038000346201408C44000034620200C2
67365+:10103000AC4400003C021000AC6202380A00043BE1
67366+:101040008FBF001C94A200100A00041900000000C9
67367+:10105000240200201482000F3C0280003C03800028
67368+:1010600094A20012346301408C6300043042FFFFFD
67369+:10107000146200050000000024020001A4A2001276
67370+:101080000A0004028FBF001C94A200120A00041977
67371+:1010900000000000345101400E0003328E24000095
67372+:1010A0008F92FF948E230004964200123050FFFF6F
67373+:1010B0001603000224020001A64200120E00033DA6
67374+:1010C0008E2400008E220004160200068FBF001C32
67375+:1010D0008FB200188FB100148FB000100A00037C8B
67376+:1010E00027BD0020964200120A00041900000000EB
67377+:1010F0003C03800094A20014346301408C6300041C
67378+:101100003042FFFF14620008240200018FBF001C60
67379+:101110008FB200188FB100148FB00010A4A2001479
67380+:101120000A00146327BD002094A20014144000217B
67381+:101130008FBF001C0A000435000000003C03800043
67382+:1011400094A20016346301408C6300043042FFFF18
67383+:101150001462000D240200018FBF001C8FB2001822
67384+:101160008FB100148FB00010A4A200160A000B1457
67385+:1011700027BD00209442007824420004A4A200105D
67386+:101180000A00043B8FBF001C94A200162403000138
67387+:101190003042FFFF144300078FBF001C3C020800D1
67388+:1011A0008C420070244200013C010800AC22007017
67389+:1011B0008FBF001C8FB200188FB100148FB00010C9
67390+:1011C00003E0000827BD002027BDFFD8AFB20018FC
67391+:1011D0008F92FF94AFB10014AFBF0020AFB3001CDB
67392+:1011E000AFB000103C028000345101008C5001006F
67393+:1011F0009242000092230009304400FF2402001FA5
67394+:10120000106200AB28620020104000192402003850
67395+:101210002862000A1040000D2402000B286200081A
67396+:101220001040002E8F820024046001042862000216
67397+:101230001440002A8F820024240200061062002637
67398+:101240008FBF00200A00055F8FB3001C1062006092
67399+:101250002862000B144000FA8FBF00202402000E09
67400+:10126000106200788F8200240A00055F8FB3001C93
67401+:10127000106200D2286200391040000A2402008067
67402+:1012800024020036106200E528620037104000C3D7
67403+:1012900024020035106200D98FBF00200A00055FCC
67404+:1012A0008FB3001C1062002D2862008110400006E0
67405+:1012B000240200C824020039106200C98FBF002038
67406+:1012C0000A00055F8FB3001C106200A28FBF0020D0
67407+:1012D0000A00055F8FB3001C8F8200248C42000C33
67408+:1012E000104000D78FBF00200E000D8400000000CA
67409+:1012F0003C038000346301008C6200008F85002075
67410+:10130000946700089466000CACA200008C64000492
67411+:101310008F82002400063400ACA400049448001E10
67412+:101320008C62001800073C0000E83825ACA20008D9
67413+:101330008C62001C24040001ACA2000C9062000A24
67414+:1013400000C23025ACA60010ACA00014ACA0001860
67415+:10135000ACA7001C0A00051D8FBF00208F8200244F
67416+:101360008C42000C104000B68FBF00200E000D8490
67417+:10137000000000008F820024962400089625000CAF
67418+:101380009443001E000422029626000E8F82002045
67419+:10139000000426000083202500052C003C0300806B
67420+:1013A00000A6282500832025AC400000AC400004A6
67421+:1013B000AC400008AC40000CAC450010AC40001440
67422+:1013C000AC400018AC44001C0A00051C24040001B9
67423+:1013D0009622000C14400018000000009242000504
67424+:1013E0003042001014400014000000000E000332D0
67425+:1013F0000200202192420005020020213442001008
67426+:101400000E00033DA242000592420000240300208A
67427+:10141000304200FF10430089020020218FBF0020CE
67428+:101420008FB3001C8FB200188FB100148FB0001062
67429+:101430000A00107527BD00280000000D0A00055E97
67430+:101440008FBF00208C42000C1040007D8FBF002019
67431+:101450000E000D84000000008E2200048F84002006
67432+:101460009623000CAC8200003C0280089445002CBE
67433+:101470008F82002400031C0030A5FFFF9446001E4D
67434+:101480003C02400E0065182500C23025AC830004E4
67435+:10149000AC800008AC80000CAC800010AC80001464
67436+:1014A000AC800018AC86001C0A00051C2404000156
67437+:1014B0000E000332020020218F93FF9802002021AA
67438+:1014C0000E00033DA660000C020020210E00034226
67439+:1014D000240500018F8200248C42000C104000582B
67440+:1014E0008FBF00200E000D84000000009622000C2B
67441+:1014F0008F83002000021400AC700000AC62000476
67442+:10150000AC6000088E4400388F820024AC64000C6C
67443+:101510008E46003C9445001E3C02401FAC66001005
67444+:1015200000A228258E62000424040001AC6200148D
67445+:10153000AC600018AC65001C8FBF00208FB3001C8E
67446+:101540008FB200188FB100148FB000100A000DB8D0
67447+:1015500027BD0028240200201082003A8FB3001C0F
67448+:101560000E000F5E00000000104000358FBF00200D
67449+:101570003C0480008C8201F80440FFFE348201C0EC
67450+:1015800024030002AC500000A04300043C02100001
67451+:10159000AC8201F80A00055E8FBF00200200202106
67452+:1015A0008FBF00208FB3001C8FB200188FB10014C2
67453+:1015B0008FB000100A000EA727BD00289625000C4A
67454+:1015C000020020218FBF00208FB3001C8FB20018B3
67455+:1015D0008FB100148FB000100A000ECC27BD002878
67456+:1015E000020020218FB3001C8FB200188FB10014AD
67457+:1015F0008FB000100A000EF727BD00289225000DBD
67458+:10160000020020218FB3001C8FB200188FB100148C
67459+:101610008FB000100A000F4827BD002802002021CB
67460+:101620008FBF00208FB3001C8FB200188FB1001441
67461+:101630008FB000100A000F1F27BD00288FBF0020A9
67462+:101640008FB3001C8FB200188FB100148FB0001040
67463+:1016500003E0000827BD00283C0580008CA202782A
67464+:101660000440FFFE34A2024024030002AC44000008
67465+:10167000A04300043C02100003E00008ACA2027882
67466+:10168000A380001803E00008A38000193C03800039
67467+:101690008C6202780440FFFE8F82001CAC62024024
67468+:1016A00024020002A06202443C02100003E0000891
67469+:1016B000AC6202783C02600003E000088C425404F3
67470+:1016C0009083003024020005008040213063003FF9
67471+:1016D0000000482114620005000050219082004C57
67472+:1016E0009483004E304900FF306AFFFFAD00000CCC
67473+:1016F000AD000010AD000024950200148D05001C03
67474+:101700008D0400183042FFFF004910230002110031
67475+:10171000000237C3004038210086202300A2102B8E
67476+:101720000082202300A72823AD05001CAD0400186B
67477+:10173000A5090014A5090020A50A001603E0000869
67478+:10174000A50A002203E000080000000027BDFFD822
67479+:10175000AFB200183C128008AFB40020AFB3001C39
67480+:10176000AFB10014AFBF0024AFB00010365101007C
67481+:101770003C0260008C4254049222000C3C1408008D
67482+:10178000929400F7304300FF2402000110620032FF
67483+:101790000080982124020002146200353650008037
67484+:1017A0000E00143D000000009202004C2403FF8054
67485+:1017B0003C0480003042007F000211C024420240FD
67486+:1017C0000262102100431824AC8300949245000863
67487+:1017D0009204004C3042007F3C03800614850007D1
67488+:1017E000004380212402FFFFA22200112402FFFFF8
67489+:1017F000A62200120A0005D22402FFFF9602002052
67490+:10180000A222001196020022A62200128E020024BB
67491+:101810003C048008AE2200143485008090A2004C65
67492+:1018200034830100A06200108CA2003CAC6200185E
67493+:101830008C820068AC6200F48C820064AC6200F0C0
67494+:101840008C82006CAC6200F824020001A0A2006847
67495+:101850000A0005EE3C0480080E001456000000004B
67496+:1018600036420080A04000680A0005EE3C04800873
67497+:10187000A2000068A20000690A0006293C02800854
67498+:10188000348300808C62003834850100AC62006CC7
67499+:1018900024020001A062006990A200D59083000894
67500+:1018A000305100FF3072007F12320019001111C058
67501+:1018B00024420240026210212403FF8000431824C6
67502+:1018C0003C048000AC8300943042007F3C038006DF
67503+:1018D000004380218E02000C1040000D02002021E8
67504+:1018E0000E00057E0000000026220001305100FF9E
67505+:1018F0009203003C023410260002102B0002102339
67506+:101900003063007F022288240A0005F8A203003C0D
67507+:101910003C088008350401008C8200E03507008017
67508+:10192000ACE2003C8C8200E0AD02000090E5004C8F
67509+:10193000908600D590E3004C908400D52402FF806F
67510+:1019400000A228243063007F308400FF00A62825F1
67511+:101950000064182A1060000230A500FF38A500803E
67512+:10196000A0E5004CA10500093C0280089043000E50
67513+:10197000344400803C058000A043000A8C8300189A
67514+:101980003C027FFF3442FFFF00621824AC83001842
67515+:101990008CA201F80440FFFE00000000ACB301C0BF
67516+:1019A0008FBF00248FB400208FB3001C8FB20018AB
67517+:1019B0008FB100148FB0001024020002A0A201C455
67518+:1019C00027BD00283C02100003E00008ACA201F88B
67519+:1019D00090A2000024420001A0A200003C030800E5
67520+:1019E0008C6300F4304200FF144300020080302179
67521+:1019F000A0A0000090A200008F84001C000211C073
67522+:101A00002442024024830040008220212402FF80DF
67523+:101A1000008220243063007F3C02800A006218218B
67524+:101A20003C028000AC44002403E00008ACC300008A
67525+:101A300094820006908300058C85000C8C86001033
67526+:101A40008C8700188C88001C8C8400203C010800C6
67527+:101A5000A42256C63C010800A02356C53C0108003C
67528+:101A6000AC2556CC3C010800AC2656D03C01080001
67529+:101A7000AC2756D83C010800AC2856DC3C010800D5
67530+:101A8000AC2456E003E00008000000003C0280089F
67531+:101A9000344201008C4400343C038000346504006F
67532+:101AA000AC6400388C420038AF850028AC62003C42
67533+:101AB0003C020005AC6200300000000000000000A5
67534+:101AC00003E00008000000003C020006308400FF34
67535+:101AD000008220253C028000AC4400300000000061
67536+:101AE00000000000000000003C0380008C62000049
67537+:101AF000304200101040FFFD3462040003E0000893
67538+:101B0000AF82002894C200003C080800950800CA73
67539+:101B100030E7FFFF0080482101021021A4C200002D
67540+:101B200094C200003042FFFF00E2102B544000013D
67541+:101B3000A4C7000094A200003C0308008C6300CC02
67542+:101B400024420001A4A2000094A200003042FFFF42
67543+:101B5000144300073C0280080107102BA4A00000DA
67544+:101B60005440000101003821A4C700003C02800855
67545+:101B7000344601008CC3002894A200003C0480007D
67546+:101B80003042FFFE000210C000621021AC82003C17
67547+:101B90008C82003C006218231860000400000000E2
67548+:101BA0008CC200240A0006BA244200018CC2002420
67549+:101BB000AC8200383C020050344200103C038000EC
67550+:101BC000AC620030000000000000000000000000D7
67551+:101BD0008C620000304200201040FFFD0000000039
67552+:101BE00094A200003C04800030420001000210C0BA
67553+:101BF000004410218C430400AD2300008C420404F7
67554+:101C0000AD2200043C02002003E00008AC8200305A
67555+:101C100027BDFFE0AFB20018AFB10014AFB00010A5
67556+:101C2000AFBF001C94C2000000C080213C1208001D
67557+:101C3000965200C624420001A6020000960300004E
67558+:101C400094E2000000E03021144300058FB1003021
67559+:101C50000E00068F024038210A0006F10000000045
67560+:101C60008C8300048C82000424420040046100073D
67561+:101C7000AC8200048C8200040440000400000000D8
67562+:101C80008C82000024420001AC8200009602000019
67563+:101C90003042FFFF50520001A600000096220000D3
67564+:101CA00024420001A62200003C02800834420100C8
67565+:101CB000962300009442003C144300048FBF001C94
67566+:101CC00024020001A62200008FBF001C8FB2001862
67567+:101CD0008FB100148FB0001003E0000827BD002072
67568+:101CE00027BDFFE03C028008AFBF0018344201006E
67569+:101CF0008C4800343C03800034690400AC68003830
67570+:101D00008C42003830E700FFAF890028AC62003C0D
67571+:101D10003C020005AC620030000000000000000042
67572+:101D200000000000000000000000000000000000B3
67573+:101D30008C82000C8C82000C97830016AD22000070
67574+:101D40008C82001000604021AD2200048C820018BB
67575+:101D5000AD2200088C82001CAD22000C8CA2001465
67576+:101D6000AD2200108C820020AD220014908200056C
67577+:101D7000304200FF00021200AD2200188CA20018B1
67578+:101D8000AD22001C8CA2000CAD2200208CA2001001
67579+:101D9000AD2200248CA2001CAD2200288CA20020C1
67580+:101DA000AD22002C3402FFFFAD260030AD20003400
67581+:101DB000506200013408FFFFAD28003850E00011E8
67582+:101DC0003C0280083C048008348401009482005066
67583+:101DD0003042FFFFAD22003C9483004494850044D0
67584+:101DE000240200013063FFFF000318C200641821C1
67585+:101DF0009064006430A5000700A210040A00075C8C
67586+:101E00000044102534420100AD20003C94430044BE
67587+:101E1000944400443063FFFF000318C2006218219D
67588+:101E200030840007906500642402000100821004E1
67589+:101E30000002102700451024A0620064000000008A
67590+:101E400000000000000000003C0200063442004098
67591+:101E50003C038000AC620030000000000000000085
67592+:101E6000000000008C620000304200101040FFFDB6
67593+:101E70003C06800834C201503463040034C7014A70
67594+:101E800034C4013434C5014034C60144AFA200104B
67595+:101E90000E0006D2AF8300288FBF001803E00008B1
67596+:101EA00027BD00208F8300143C0608008CC600E884
67597+:101EB0008F82001C30633FFF000319800046102111
67598+:101EC000004310212403FF80004318243C068000B7
67599+:101ED000ACC300283042007F3C03800C004330211B
67600+:101EE00090C2000D30A500FF0000382134420010E0
67601+:101EF000A0C2000D8F8900143C028008344201000A
67602+:101F00009443004400091382304800032402000176
67603+:101F1000A4C3000E1102000B2902000210400005AC
67604+:101F2000240200021100000C240300010A0007A48F
67605+:101F30000000182111020006000000000A0007A49A
67606+:101F4000000018218CC2002C0A0007A424430001C1
67607+:101F50008CC20014244300018CC200180043102BD3
67608+:101F60005040000A240700012402002714A20003A5
67609+:101F70003C0380080A0007B1240700013463010014
67610+:101F80009462004C24420001A462004C00091382B8
67611+:101F9000304300032C620002104000090080282119
67612+:101FA000146000040000000094C200340A0007C15D
67613+:101FB0003046FFFF8CC600380A0007C10080282188
67614+:101FC000000030213C040800248456C00A000706A3
67615+:101FD0000000000027BDFF90AFB60068AFB50064F9
67616+:101FE000AFB40060AFB3005CAFB20058AFB1005403
67617+:101FF000AFBF006CAFB000508C9000000080B021EB
67618+:102000003C0208008C4200E8960400328F83001CDA
67619+:102010002414FF8030843FFF0062182100042180D7
67620+:1020200000641821007410243C13800000A090214B
67621+:1020300090A50000AE620028920400323C02800CA1
67622+:102040003063007F00628821308400C02402004099
67623+:10205000148200320000A8218E3500388E2200182C
67624+:102060001440000224020001AE2200189202003C3B
67625+:10207000304200201440000E8F83001C000511C068
67626+:102080002442024000621821306400783C02008043
67627+:102090000082202500741824AE630800AE64081086
67628+:1020A0008E2200188E03000800431021AE22001873
67629+:1020B0008E22002C8E230018244200010062182B6F
67630+:1020C0001060004300000000924200002442000122
67631+:1020D000A24200003C0308008C6300F4304200FF81
67632+:1020E00050430001A2400000924200008F84001C77
67633+:1020F000000211C024420240248300403063007F6C
67634+:10210000008220213C02800A0094202400621821D1
67635+:10211000AE6400240A0008D2AEC30000920300326D
67636+:102120002402FFC000431024304200FF1440000589
67637+:1021300024020001AE220018962200340A00084250
67638+:102140003055FFFF8E22001424420001AE220018F9
67639+:102150009202003000021600000216030441001C27
67640+:10216000000000009602003227A400100080282101
67641+:10217000A7A20016960200320000302124070001B9
67642+:102180003042FFFFAF8200140E000706AFA0001C14
67643+:10219000960200328F83001C3C0408008C8400E807
67644+:1021A00030423FFF000211800064182100621821B4
67645+:1021B00000741024AE62002C3063007F3C02800E5D
67646+:1021C000006218219062000D3042007FA062000D75
67647+:1021D0009222000D304200105040007892420000E0
67648+:1021E0003C028008344401009482004C8EC30000FD
67649+:1021F0003C130800967300C62442FFFFA482004CE3
67650+:10220000946200329623000E3054FFFF3070FFFFBF
67651+:102210003C0308008C6300D000701807A7A30038A7
67652+:102220009482003E3063FFFF3042FFFF14620007DC
67653+:10223000000000008C8200303C038000244200300B
67654+:10224000AC62003C0A00086A8C82002C9482004038
67655+:102250003042FFFF5462000927A400408C820038FE
67656+:102260003C03800024420030AC62003C8C8200348D
67657+:10227000AC6200380A0008793C03800027A50038CA
67658+:1022800027A60048026038210E00068FA7A000484C
67659+:102290008FA300403C02800024630030AC43003830
67660+:1022A0008FA30044AC43003C3C0380003C0200058B
67661+:1022B000AC6200303C028008344401009482004249
67662+:1022C000346304003042FFFF0202102B1440000769
67663+:1022D000AF8300289482004E9483004202021021B2
67664+:1022E000004310230A00088F3043FFFF9483004E01
67665+:1022F00094820042026318210050102300621823C8
67666+:102300003063FFFF3C028008344401009482003CAB
67667+:102310003042FFFF14430003000000000A00089F42
67668+:10232000240300019482003C3042FFFF0062102B26
67669+:10233000144000058F8200289482003C0062102324
67670+:102340003043FFFF8F820028AC550000AC400004F2
67671+:10235000AC540008AC43000C3C02000634420010B0
67672+:102360003C038000AC620030000000000000000070
67673+:10237000000000008C620000304200101040FFFDA1
67674+:102380003C04800834840100001018C20064182145
67675+:102390009065006432020007240600010046100424
67676+:1023A00000451025A0620064948300429622000E2E
67677+:1023B00050430001A386001892420000244200010D
67678+:1023C000A24200003C0308008C6300F4304200FF8E
67679+:1023D00050430001A2400000924200008F84001C84
67680+:1023E000000211C0244202402483004000822021C8
67681+:1023F0002402FF80008220243063007F3C02800A98
67682+:10240000006218213C028000AC440024AEC30000EE
67683+:102410008FBF006C8FB600688FB500648FB400600A
67684+:102420008FB3005C8FB200588FB100548FB0005052
67685+:1024300003E0000827BD007027BDFFD8AFB3001C24
67686+:10244000AFB20018AFB10014AFB00010AFBF0020A2
67687+:102450000080982100E0802130B1FFFF0E000D8444
67688+:1024600030D200FF0000000000000000000000006B
67689+:102470008F8200208F830024AC510000AC520004F6
67690+:10248000AC530008AC40000CAC400010AC40001451
67691+:10249000AC4000189463001E02038025AC50001C61
67692+:1024A0000000000000000000000000002404000103
67693+:1024B0008FBF00208FB3001C8FB200188FB10014A3
67694+:1024C0008FB000100A000DB827BD002830A5FFFF0F
67695+:1024D0000A0008DC30C600FF3C02800834430100DB
67696+:1024E0009462000E3C080800950800C63046FFFFC5
67697+:1024F00014C000043402FFFF946500EA0A000929B1
67698+:102500008F84001C10C20027000000009462004E5F
67699+:102510009464003C3045FFFF00A6102300A6182B52
67700+:102520003087FFFF106000043044FFFF00C5102318
67701+:1025300000E210233044FFFF0088102B1040000EF3
67702+:1025400000E810233C028008344401002403000109
67703+:1025500034420080A44300162402FFFFA482000E30
67704+:10256000948500EA8F84001C0000302130A5FFFF15
67705+:102570000A0009013C0760200044102A10400009AD
67706+:102580003C0280083443008094620016304200010F
67707+:10259000104000043C0280009442007E244200145B
67708+:1025A000A462001603E000080000000027BDFFE061
67709+:1025B0003C028008AFBF001CAFB0001834420100DD
67710+:1025C000944300429442004C104000193068FFFFD1
67711+:1025D0009383001824020001146200298FBF001C9D
67712+:1025E0003C06800834D00100000810C200501021C1
67713+:1025F000904200643103000734C70148304200FFB5
67714+:10260000006210073042000134C9014E34C4012C6D
67715+:1026100034C5013E1040001634C601420E0006D2F9
67716+:10262000AFA90010960200420A0009463048FFFF99
67717+:102630003C028008344401009483004494820042A8
67718+:102640001043000F8FBF001C94820044A4820042FC
67719+:1026500094820050A482004E8C820038AC820030FC
67720+:1026600094820040A482003E9482004AA4820048E2
67721+:102670008FBF001C8FB000180A00090427BD00207E
67722+:102680008FB0001803E0000827BD002027BDFFA081
67723+:10269000AFB1004C3C118000AFBF0058AFB3005445
67724+:1026A000AFB20050AFB000483626018890C2000398
67725+:1026B0003044007FA3A400108E32018090C200003D
67726+:1026C0003043007F240200031062003BAF92001CE5
67727+:1026D00028620004104000062402000424020002C4
67728+:1026E000106200098FBF00580A000B0F8FB300540F
67729+:1026F0001062004D240200051062014E8FBF005889
67730+:102700000A000B0F8FB30054000411C002421021C5
67731+:102710002404FF8024420240004410242643004049
67732+:10272000AE2200243063007F3C02800A0062182140
67733+:102730009062003CAFA3003C00441025A062003C26
67734+:102740008FA3003C9062003C304200401040016C7E
67735+:102750008FBF00583C108008A3800018361001007D
67736+:102760008E0200E08C63003427A4003C27A50010F3
67737+:10277000004310210E0007C3AE0200E093A2001038
67738+:102780003C038000A20200D58C6202780440FFFE68
67739+:102790008F82001CAC62024024020002A06202444C
67740+:1027A0003C021000AC6202780E0009390000000003
67741+:1027B0000A000B0E8FBF00583C05800890C3000133
67742+:1027C00090A2000B1443014E8FBF005834A4008028
67743+:1027D0008C8200189082004C90A200083C0260009D
67744+:1027E0008C4254048C8300183C027FFF3442FFFF6C
67745+:1027F000006218243C0208008C4200B4AC8300182C
67746+:102800003C038000244200013C010800AC2200B4DB
67747+:102810008C6201F80440FFFE8F82001CAC6201C094
67748+:102820000A000AD6240200023C10800890C300016E
67749+:102830009202000B144301328FBF005827A40018E6
67750+:1028400036050110240600033C0260008C4254044B
67751+:102850000E000E470000000027A40028360501F0F6
67752+:102860000E000E47240600038FA200283603010045
67753+:10287000AE0200648FA2002CAE0200688FA200306E
67754+:10288000AE02006C93A40018906300D52402FF8070
67755+:102890000082102400431025304900FF3084007F5F
67756+:1028A0003122007F0082102A544000013929008023
67757+:1028B000000411C0244202402403FF800242102180
67758+:1028C00000431024AE220094264200403042007F94
67759+:1028D0003C038006004340218FA3001C2402FFFF1D
67760+:1028E000AFA800403C130800927300F71062003359
67761+:1028F00093A2001995030014304400FF3063FFFFDA
67762+:102900000064182B106000100000000095040014F3
67763+:102910008D07001C8D0600183084FFFF0044202323
67764+:102920000004210000E438210000102100E4202BE5
67765+:1029300000C2302100C43021AD07001CAD060018D4
67766+:102940000A000A2F93A20019950400148D07001C99
67767+:102950008D0600183084FFFF008220230004210030
67768+:10296000000010210080182100C2302300E4202B39
67769+:1029700000C4302300E33823AD07001CAD06001867
67770+:1029800093A200198FA30040A462001497A2001A1A
67771+:10299000A46200168FA2001CAC6200108FA2001C63
67772+:1029A000AC62000C93A20019A462002097A2001A46
67773+:1029B000A46200228FA2001CAC6200243C048008A8
67774+:1029C000348300808C6200388FA20020012088218F
67775+:1029D000AC62003C8FA20020AC82000093A20018E1
67776+:1029E000A062004C93A20018A0820009A0600068B9
67777+:1029F00093A20018105100512407FF803229007F54
67778+:102A0000000911C024420240024210213046007FDA
67779+:102A10003C03800000471024AC6200943C02800616
67780+:102A200000C2302190C2003CAFA60040000020212F
67781+:102A300000471025A0C2003C8FA80040950200026C
67782+:102A4000950300148D07001C3042FFFF3063FFFF29
67783+:102A50008D060018004310230002110000E2382107
67784+:102A600000E2102B00C4302100C23021AD07001C51
67785+:102A7000AD06001895020002A5020014A50000167C
67786+:102A80008D020008AD0200108D020008AD02000C9E
67787+:102A900095020002A5020020A50000228D02000878
67788+:102AA000AD0200249102003C304200401040001A68
67789+:102AB000262200013C108008A3A90038A38000183A
67790+:102AC000361001008E0200E08D03003427A4004080
67791+:102AD00027A50038004310210E0007C3AE0200E016
67792+:102AE00093A200383C038000A20200D58C620278D9
67793+:102AF0000440FFFE8F82001CAC62024024020002F0
67794+:102B0000A06202443C021000AC6202780E00093957
67795+:102B100000000000262200013043007F14730004EF
67796+:102B2000004020212403FF8002231024004320269C
67797+:102B300093A200180A000A4B309100FF93A40018DA
67798+:102B40008FA3001C2402FFFF1062000A308900FFDF
67799+:102B500024820001248300013042007F14530005C9
67800+:102B6000306900FF2403FF800083102400431026F7
67801+:102B7000304900FF3C028008904200080120882173
67802+:102B8000305000FF123000193222007F000211C0C5
67803+:102B900002421021244202402403FF8000431824F3
67804+:102BA0003C048000AC8300943042007F3C038006EC
67805+:102BB000004310218C43000C004020211060000BCA
67806+:102BC000AFA200400E00057E000000002623000199
67807+:102BD0002405FF803062007F145300020225202468
67808+:102BE000008518260A000AAF307100FF3C048008F7
67809+:102BF000348400808C8300183C027FFF3442FFFF46
67810+:102C000000621824AC8300183C0380008C6201F839
67811+:102C10000440FFFE00000000AC7201C0240200026C
67812+:102C2000A06201C43C021000AC6201F80A000B0E65
67813+:102C30008FBF00583C04800890C300019082000BB5
67814+:102C40001443002F8FBF0058349000809202000878
67815+:102C500030420040104000200000000092020008B6
67816+:102C60000002160000021603044100050240202164
67817+:102C70000E000ECC240500930A000B0E8FBF0058E7
67818+:102C80009202000924030018304200FF1443000D93
67819+:102C900002402021240500390E000E64000030217E
67820+:102CA0000E0003328F84001C8F82FF9424030012D5
67821+:102CB000A04300090E00033D8F84001C0A000B0E88
67822+:102CC0008FBF0058240500360E000E64000030212E
67823+:102CD0000A000B0E8FBF00580E0003320240202165
67824+:102CE000920200058F84001C344200200E00033D38
67825+:102CF000A20200050E0010758F84001C8FBF0058C3
67826+:102D00008FB300548FB200508FB1004C8FB0004889
67827+:102D100003E0000827BD00603C0280083445010044
67828+:102D20003C0280008C42014094A3000E0000302140
67829+:102D300000402021AF82001C3063FFFF3402FFFF00
67830+:102D4000106200063C0760202402FFFFA4A2000ED0
67831+:102D500094A500EA0A00090130A5FFFF03E000087E
67832+:102D60000000000027BDFFC83C0280003C06800830
67833+:102D7000AFB5002CAFB1001CAFBF0030AFB400281E
67834+:102D8000AFB30024AFB20020AFB00018345101003F
67835+:102D900034C501008C4301008E2200148CA400E491
67836+:102DA0000000A821AF83001C0044102318400052EB
67837+:102DB000A38000188E22001400005021ACA200E471
67838+:102DC00090C3000890A200D53073007FA3A200102A
67839+:102DD0008CB200E08CB400E4304200FF1053003BA2
67840+:102DE00093A200108F83001C2407FF80000211C0F3
67841+:102DF0000062102124420240246300400047102456
67842+:102E00003063007F3C0980003C08800A006818217C
67843+:102E1000AD2200248C62003427A4001427A50010E2
67844+:102E2000024280210290102304400028AFA3001426
67845+:102E30009062003C00E21024304200FF1440001970
67846+:102E4000020090219062003C34420040A062003CAD
67847+:102E50008F86001C93A3001024C200403042007FE4
67848+:102E6000004828213C0208008C4200F42463000141
67849+:102E7000306400FF14820002A3A30010A3A000107E
67850+:102E800093A20010AFA50014000211C0244202401A
67851+:102E900000C2102100471024AD2200240A000B4577
67852+:102EA00093A200100E0007C3000000003C0280083F
67853+:102EB00034420100AC5000E093A30010240A00014A
67854+:102EC000A04300D50A000B4593A200102402000184
67855+:102ED000154200093C0380008C6202780440FFFE2A
67856+:102EE0008F82001CAC62024024020002A0620244F5
67857+:102EF0003C021000AC6202789222000B2403000214
67858+:102F0000304200FF144300720000000096220008C7
67859+:102F1000304300FF24020082146200402402008437
67860+:102F20003C028000344901008D22000C95230006EC
67861+:102F3000000216023063FFFF3045003F24020027E5
67862+:102F400010A2000FAF83001428A200281040000830
67863+:102F5000240200312402002110A2000924020025CD
67864+:102F600010A20007938200190A000BBD00000000A8
67865+:102F700010A20007938200190A000BBD0000000098
67866+:102F80000E000777012020210A000C3D0000000000
67867+:102F90003C0380008C6202780440FFFE8F82001C9C
67868+:102FA000AC62024024020002A06202443C02100013
67869+:102FB000AC6202780A000C3D000000009523000678
67870+:102FC000912400058D25000C8D2600108D270018FA
67871+:102FD0008D28001C8D290020244200013C0108009E
67872+:102FE000A42356C63C010800A02456C53C01080095
67873+:102FF000AC2556CC3C010800AC2656D03C0108005C
67874+:10300000AC2756D83C010800AC2856DC3C0108002F
67875+:10301000AC2956E00A000C3DA38200191462000A94
67876+:10302000240200813C02800834420100944500EAF9
67877+:10303000922600058F84001C30A5FFFF30C600FFDC
67878+:103040000A000BFE3C0760211462005C00000000D7
67879+:103050009222000A304300FF306200201040000737
67880+:10306000306200403C02800834420100944500EA8E
67881+:103070008F84001C0A000BFC24060040104000074F
67882+:10308000000316003C02800834420100944500EA27
67883+:103090008F84001C0A000BFC24060041000216036A
67884+:1030A000044100463C02800834420100944500EA95
67885+:1030B0008F84001C2406004230A5FFFF3C076019E6
67886+:1030C0000E000901000000000A000C3D0000000095
67887+:1030D0009222000B24040016304200FF1044000628
67888+:1030E0003C0680009222000B24030017304200FFB0
67889+:1030F000144300320000000034C5010090A2000B10
67890+:10310000304200FF1444000B000080218CA20020FC
67891+:103110008CA400202403FF800043102400021140EF
67892+:103120003084007F004410253C032000004310251C
67893+:10313000ACC2083094A2000800021400000214037C
67894+:10314000044200012410000194A2000830420080D3
67895+:103150005040001A0200A82194A20008304220002A
67896+:10316000504000160200A8218CA300183C021C2D20
67897+:10317000344219ED106200110200A8213C0208003F
67898+:103180008C4200D4104000053C0280082403000457
67899+:1031900034420100A04300FC3C028008344201009C
67900+:1031A000944500EA8F84001C2406000630A5FFFF2A
67901+:1031B0000E0009013C0760210200A8210E00093918
67902+:1031C000000000009222000A304200081040000473
67903+:1031D00002A010210E0013790000000002A01021AF
67904+:1031E0008FBF00308FB5002C8FB400288FB3002420
67905+:1031F0008FB200208FB1001C8FB0001803E00008D0
67906+:1032000027BD00382402FF80008220243C02900069
67907+:1032100034420007008220253C028000AC4400209C
67908+:103220003C0380008C6200200440FFFE0000000090
67909+:1032300003E00008000000003C0380002402FF803F
67910+:10324000008220243462000700822025AC64002024
67911+:103250008C6200200440FFFE0000000003E0000834
67912+:103260000000000027BDFFD8AFB3001CAFB10014B1
67913+:10327000AFB00010AFBF0020AFB200183C1180000B
67914+:103280003C0280088E32002034530100AE2400201E
67915+:10329000966300EA000514003C074000004738250B
67916+:1032A00000A08021000030210E0009013065FFFFE1
67917+:1032B000240200A1160200022402FFFFA2620009FC
67918+:1032C000AE3200208FBF00208FB3001C8FB20018D9
67919+:1032D0008FB100148FB0001003E0000827BD002854
67920+:1032E0003C0280082403000527BDFFE834420100AA
67921+:1032F000A04300FCAFBF00103C0280008C420100E4
67922+:10330000240500A1004020210E000C67AF82001CA4
67923+:103310003C0380008C6202780440FFFE8F82001C18
67924+:103320008FBF001027BD0018AC62024024020002CB
67925+:10333000A06202443C021000AC62027803E0000884
67926+:103340000000000027BDFFE83C068000AFBF001072
67927+:1033500034C7010094E20008304400FF3883008243
67928+:10336000388200842C6300012C4200010062182581
67929+:103370001060002D24020083938200195040003B0E
67930+:103380008FBF00103C020800904256CC8CC4010054
67931+:103390003C06080094C656C63045003F38A30032AC
67932+:1033A00038A2003F2C6300012C4200010062182566
67933+:1033B000AF84001CAF860014A380001914600007BE
67934+:1033C00000E020212402002014A2001200000000CE
67935+:1033D0003402FFFF14C2000F00000000240200208E
67936+:1033E00014A2000500E028218CE300142402FFFF52
67937+:1033F0005062000B8FBF00103C040800248456C0AC
67938+:10340000000030210E000706240700010A000CD638
67939+:103410008FBF00100E000777000000008FBF001064
67940+:103420000A00093927BD001814820004240200850F
67941+:103430008CC501040A000CE1000020211482000662
67942+:103440002482FF808CC50104240440008FBF00103B
67943+:103450000A00016727BD0018304200FF2C4200021D
67944+:1034600010400004240200228FBF00100A000B2726
67945+:1034700027BD0018148200048F8200248FBF001023
67946+:103480000A000C8627BD00188C42000C1040001E5C
67947+:1034900000E0282190E300092402001814620003D0
67948+:1034A000240200160A000CFC240300081462000722
67949+:1034B00024020017240300123C02800834420080DA
67950+:1034C000A04300090A000D0994A7000854620007F0
67951+:1034D00094A700088F82FF942404FFFE9043000508
67952+:1034E00000641824A043000594A7000890A6001BC0
67953+:1034F0008CA4000094A500068FBF001000073C00BC
67954+:103500000A0008DC27BD00188FBF001003E0000888
67955+:1035100027BD00188F8500243C04800094A2002A57
67956+:103520008CA30034000230C02402FFF000C210243B
67957+:1035300000621821AC83003C8CA200303C03800068
67958+:10354000AC8200383C02005034420010AC620030C3
67959+:103550000000000000000000000000008C6200007D
67960+:10356000304200201040FFFD30C20008104000062D
67961+:103570003C0280008C620408ACA200208C62040C27
67962+:103580000A000D34ACA200248C430400ACA300203C
67963+:103590008C420404ACA200243C0300203C028000C6
67964+:1035A000AC4300303C0480008C8200300043102487
67965+:1035B0001440FFFD8F8600243C020040AC820030A6
67966+:1035C00094C3002A94C2002894C4002C94C5002EF1
67967+:1035D00024630001004410213064FFFFA4C20028CE
67968+:1035E00014850002A4C3002AA4C0002A03E0000836
67969+:1035F000000000008F84002427BDFFE83C05800404
67970+:1036000024840010AFBF00100E000E472406000AED
67971+:103610008F840024948200129483002E3042000F85
67972+:10362000244200030043180424027FFF0043102BB0
67973+:1036300010400002AC8300000000000D0E000D13CE
67974+:10364000000000008F8300248FBF001027BD0018EA
67975+:10365000946200149463001A3042000F00021500B7
67976+:10366000006218253C02800003E00008AC4300A083
67977+:103670008F8300243C028004944400069462001A64
67978+:103680008C650000A4640016004410233042FFFF44
67979+:103690000045102B03E00008384200018F8400240D
67980+:1036A0003C0780049486001A8C85000094E2000692
67981+:1036B000A482001694E3000600C310233042FFFFEB
67982+:1036C0000045102B384200011440FFF8A483001677
67983+:1036D00003E00008000000008F8400243C02800406
67984+:1036E000944200069483001A8C850000A482001680
67985+:1036F000006210233042FFFF0045102B38420001CA
67986+:103700005040000D8F850024006030213C0780046C
67987+:1037100094E20006A482001694E3000600C310237E
67988+:103720003042FFFF0045102B384200011440FFF8E3
67989+:10373000A48300168F8500243C03800034620400BB
67990+:103740008CA40020AF820020AC6400388CA200243E
67991+:10375000AC62003C3C020005AC62003003E00008B3
67992+:10376000ACA000048F8400243C0300068C8200047B
67993+:1037700000021140004310253C038000AC62003081
67994+:103780000000000000000000000000008C6200004B
67995+:10379000304200101040FFFD34620400AC80000491
67996+:1037A00003E00008AF8200208F86002427BDFFE0E1
67997+:1037B000AFB10014AFB00010AFBF00188CC300044D
67998+:1037C0008CC500248F820020309000FF94C4001A22
67999+:1037D00024630001244200202484000124A7002047
68000+:1037E000ACC30004AF820020A4C4001AACC70024FC
68001+:1037F00004A100060000882104E2000594C2001A1A
68002+:103800008CC2002024420001ACC2002094C2001AE5
68003+:1038100094C300282E040001004310262C4200010E
68004+:10382000004410245040000594C2001A24020001F4
68005+:10383000ACC2000894C2001A94C300280010202BC8
68006+:10384000004310262C4200010044102514400007BC
68007+:10385000000000008CC20008144000042402001084
68008+:103860008CC300041462000F8F8500240E000DA786
68009+:10387000241100018F820024944300289442001AEE
68010+:1038800014430003000000000E000D1300000000B0
68011+:10389000160000048F8500240E000D840000000037
68012+:1038A0008F85002494A2001E94A4001C24420001D1
68013+:1038B0003043FFFF14640002A4A2001EA4A0001E57
68014+:1038C0001200000A3C02800494A2001494A3001A7F
68015+:1038D0003042000F00021500006218253C028000F3
68016+:1038E000AC4300A00A000E1EACA0000894420006E3
68017+:1038F00094A3001A8CA40000A4A200160062102356
68018+:103900003042FFFF0044102B384200011040000DF0
68019+:1039100002201021006030213C07800494E2000660
68020+:10392000A4A2001694E3000600C310233042FFFF58
68021+:103930000044102B384200011440FFF8A4A30016E5
68022+:10394000022010218FBF00188FB100148FB000101B
68023+:1039500003E0000827BD002003E00008000000008D
68024+:103960008F82002C3C03000600021140004310250A
68025+:103970003C038000AC62003000000000000000004A
68026+:10398000000000008C620000304200101040FFFD7B
68027+:1039900034620400AF82002803E00008AF80002CEE
68028+:1039A00003E000080000102103E000080000000010
68029+:1039B0003084FFFF30A5FFFF0000182110800007B2
68030+:1039C000000000003082000110400002000420428C
68031+:1039D000006518210A000E3D0005284003E000089C
68032+:1039E0000060102110C0000624C6FFFF8CA200005A
68033+:1039F00024A50004AC8200000A000E4724840004C1
68034+:103A000003E000080000000010A0000824A3FFFF4E
68035+:103A1000AC86000000000000000000002402FFFF50
68036+:103A20002463FFFF1462FFFA2484000403E000080B
68037+:103A3000000000003C0280083442008024030001A2
68038+:103A4000AC43000CA4430010A4430012A443001490
68039+:103A500003E00008A44300168F82002427BDFFD88E
68040+:103A6000AFB3001CAFB20018AFB10014AFB000107C
68041+:103A7000AFBF00208C47000C248200802409FF8007
68042+:103A80003C08800E3043007F008080213C0A80008B
68043+:103A9000004920240068182130B100FF30D200FF17
68044+:103AA00010E000290000982126020100AD44002CFE
68045+:103AB000004928243042007F004820219062000005
68046+:103AC00024030050304200FF1443000400000000B3
68047+:103AD000AD45002C948200EA3053FFFF0E000D84A8
68048+:103AE000000000008F8200248F83002000112C0032
68049+:103AF0009442001E001224003484000100A22825F4
68050+:103B00003C02400000A22825AC7000008FBF0020BE
68051+:103B1000AC6000048FB20018AC7300088FB10014C1
68052+:103B2000AC60000C8FB3001CAC6400108FB00010B0
68053+:103B3000AC60001424040001AC60001827BD00280C
68054+:103B40000A000DB8AC65001C8FBF00208FB3001CAD
68055+:103B50008FB200188FB100148FB0001003E000087E
68056+:103B600027BD00283C06800034C201009043000FAE
68057+:103B7000240200101062000E2865001110A000073A
68058+:103B800024020012240200082405003A10620006F4
68059+:103B90000000302103E0000800000000240500358B
68060+:103BA0001462FFFC000030210A000E6400000000D7
68061+:103BB0008CC200748F83FF9424420FA003E000089E
68062+:103BC000AC62000C27BDFFE8AFBF00100E0003423F
68063+:103BD000240500013C0480088FBF0010240200016E
68064+:103BE00034830080A462001227BD00182402000163
68065+:103BF00003E00008A080001A27BDFFE0AFB2001864
68066+:103C0000AFB10014AFB00010AFBF001C30B2FFFF67
68067+:103C10000E000332008088213C028008345000806E
68068+:103C20009202000924030004304200FF1443000CF8
68069+:103C30003C028008124000082402000A0E000E5BBD
68070+:103C400000000000920200052403FFFE0043102440
68071+:103C5000A202000524020012A20200093C02800810
68072+:103C600034420080022020210E00033DA0400027A6
68073+:103C700016400003022020210E000EBF00000000AD
68074+:103C800002202021324600FF8FBF001C8FB2001897
68075+:103C90008FB100148FB00010240500380A000E64A4
68076+:103CA00027BD002027BDFFE0AFBF001CAFB200184A
68077+:103CB000AFB10014AFB000100E00033200808021BD
68078+:103CC0000E000E5B000000003C02800834450080BE
68079+:103CD00090A2000924120018305100FF1232000394
68080+:103CE0000200202124020012A0A2000990A20005D7
68081+:103CF0002403FFFE004310240E00033DA0A2000594
68082+:103D00000200202124050020163200070000302187
68083+:103D10008FBF001C8FB200188FB100148FB000103D
68084+:103D20000A00034227BD00208FBF001C8FB200187D
68085+:103D30008FB100148FB00010240500390A000E6402
68086+:103D400027BD002027BDFFE83C028000AFB0001077
68087+:103D5000AFBF0014344201009442000C2405003629
68088+:103D60000080802114400012304600FF0E00033214
68089+:103D7000000000003C02800834420080240300124E
68090+:103D8000A043000990430005346300100E000E5B51
68091+:103D9000A04300050E00033D020020210200202167
68092+:103DA0000E000342240500200A000F3C0000000022
68093+:103DB0000E000E64000000000E00033202002021FD
68094+:103DC0003C0280089043001B2405FF9F0200202135
68095+:103DD000006518248FBF00148FB00010A043001B93
68096+:103DE0000A00033D27BD001827BDFFE0AFBF001844
68097+:103DF000AFB10014AFB0001030B100FF0E000332BD
68098+:103E0000008080213C02800824030012344200809C
68099+:103E10000E000E5BA04300090E00033D02002021AE
68100+:103E200002002021022030218FBF00188FB1001422
68101+:103E30008FB00010240500350A000E6427BD002055
68102+:103E40003C0480089083000E9082000A1443000B0B
68103+:103E5000000028218F82FF942403005024050001D4
68104+:103E600090420000304200FF1443000400000000B4
68105+:103E70009082000E24420001A082000E03E00008A0
68106+:103E800000A010213C0380008C6201F80440FFFE7A
68107+:103E900024020002AC6401C0A06201C43C02100014
68108+:103EA00003E00008AC6201F827BDFFE0AFB20018E4
68109+:103EB0003C128008AFB10014AFBF001CAFB00010BF
68110+:103EC00036510080922200092403000A304200FF8C
68111+:103ED0001443003E000000008E4300048E22003890
68112+:103EE000506200808FBF001C92220000240300500B
68113+:103EF000304200FF144300253C0280008C42014008
68114+:103F00008E4300043642010002202821AC43001CED
68115+:103F10009622005C8E2300383042FFFF00021040E2
68116+:103F200000621821AE23001C8E4300048E2400384A
68117+:103F30009622005C006418233042FFFF0003184300
68118+:103F4000000210400043102A10400006000000004C
68119+:103F50008E4200048E230038004310230A000FAA6B
68120+:103F6000000220439622005C3042FFFF0002204006
68121+:103F70003C0280083443010034420080ACA4002C91
68122+:103F8000A040002424020001A062000C0E000F5E7D
68123+:103F900000000000104000538FBF001C3C02800056
68124+:103FA0008C4401403C0380008C6201F80440FFFE19
68125+:103FB00024020002AC6401C0A06201C43C021000F3
68126+:103FC000AC6201F80A0010078FBF001C92220009A2
68127+:103FD00024030010304200FF144300043C02800020
68128+:103FE0008C4401400A000FEE0000282192220009B3
68129+:103FF00024030016304200FF14430006240200147C
68130+:10400000A22200093C0280008C4401400A001001F9
68131+:104010008FBF001C8E2200388E23003C00431023EB
68132+:10402000044100308FBF001C92220027244200016F
68133+:10403000A2220027922200272C42000414400016DE
68134+:104040003C1080009222000924030004304200FF4B
68135+:10405000144300093C0280008C4401408FBF001CC7
68136+:104060008FB200188FB100148FB000102405009398
68137+:104070000A000ECC27BD00208C440140240500938B
68138+:104080008FBF001C8FB200188FB100148FB00010CA
68139+:104090000A000F4827BD00208E0401400E000332A5
68140+:1040A000000000008E4200042442FFFFAE420004E4
68141+:1040B0008E22003C2442FFFFAE22003C0E00033D56
68142+:1040C0008E0401408E0401408FBF001C8FB2001887
68143+:1040D0008FB100148FB00010240500040A000342C1
68144+:1040E00027BD00208FB200188FB100148FB00010D0
68145+:1040F00003E0000827BD00203C0680008CC2018838
68146+:104100003C038008346500809063000E00021402B6
68147+:10411000304400FF306300FF1464000E3C0280084E
68148+:1041200090A20026304200FF104400098F82FF94C5
68149+:10413000A0A400262403005090420000304200FF5B
68150+:1041400014430006000000000A0005A18CC4018091
68151+:104150003C02800834420080A044002603E00008AE
68152+:104160000000000027BDFFE030E700FFAFB20018FD
68153+:10417000AFBF001CAFB10014AFB0001000809021A1
68154+:1041800014E0000630C600FF000000000000000D33
68155+:10419000000000000A001060240001163C038008A3
68156+:1041A0009062000E304200FF14460023346200800B
68157+:1041B00090420026304200FF1446001F000000001D
68158+:1041C0009062000F304200FF1446001B0000000008
68159+:1041D0009062000A304200FF144600038F90FF9463
68160+:1041E0000000000D8F90FF948F82FF983C1180009B
68161+:1041F000AE05003CAC450000A066000A0E0003328C
68162+:104200008E240100A20000240E00033D8E24010034
68163+:104210003C0380008C6201F80440FFFE240200028F
68164+:10422000AC7201C0A06201C43C021000AC6201F893
68165+:104230000A0010618FBF001C000000000000000D8C
68166+:10424000000000002400013F8FBF001C8FB2001847
68167+:104250008FB100148FB0001003E0000827BD0020CC
68168+:104260008F83FF943C0280008C44010034420100A3
68169+:104270008C65003C9046001B0A00102724070001B3
68170+:104280003C0280089043000E9042000A0043102632
68171+:10429000304200FF03E000080002102B27BDFFE0C2
68172+:1042A0003C028008AFB10014AFB00010AFBF0018DF
68173+:1042B0003450008092020005240300303042003068
68174+:1042C00014430085008088218F8200248C42000CDA
68175+:1042D000104000828FBF00180E000D840000000007
68176+:1042E0008F860020ACD100009202000892030009E2
68177+:1042F000304200FF00021200306300FF004310252F
68178+:10430000ACC200049202004D000216000002160327
68179+:1043100004410005000000003C0308008C630048D5
68180+:104320000A00109F3C1080089202000830420040B2
68181+:10433000144000030000182192020027304300FFC0
68182+:104340003C108008361100809222004D00031E00B0
68183+:10435000304200FF0002140000621825ACC30008C0
68184+:104360008E2400308F820024ACC4000C8E250034D3
68185+:104370009443001E3C02C00BACC50010006218251F
68186+:104380008E22003800002021ACC200148E22003C96
68187+:10439000ACC200180E000DB8ACC3001C8E020004A5
68188+:1043A0008F8400203C058000AC8200008E2200201B
68189+:1043B000AC8200048E22001CAC8200088E220058C1
68190+:1043C0008CA3007400431021AC82000C8E22002CC0
68191+:1043D000AC8200108E2200408E23004400021400A4
68192+:1043E00000431025AC8200149222004D240300806B
68193+:1043F000304200FF1443000400000000AC800018AD
68194+:104400000A0010E38F8200248E23000C2402000196
68195+:104410001062000E2402FFFF92220008304200408A
68196+:104420001440000A2402FFFF8E23000C8CA20074AB
68197+:10443000006218233C0208000062102414400002AD
68198+:10444000000028210060282100051043AC820018DC
68199+:104450008F820024000020219443001E3C02C00CE7
68200+:10446000006218258F8200200E000DB8AC43001C9E
68201+:104470003C038008346201008C4200008F850020DC
68202+:10448000346300808FBF0018ACA20000ACA0000411
68203+:104490008C6400488F8200248FB10014ACA4000803
68204+:1044A000ACA0000CACA00010906300059446001E68
68205+:1044B0003C02400D00031E0000C23025ACA30014D6
68206+:1044C0008FB00010ACA0001824040001ACA6001CA2
68207+:1044D0000A000DB827BD00208FBF00188FB100144F
68208+:1044E0008FB0001003E0000827BD00203C028000D0
68209+:1044F0009443007C3C02800834460100308400FF75
68210+:104500003065FFFF2402000524A34650A0C4000C20
68211+:104510005482000C3065FFFF90C2000D2C42000752
68212+:104520001040000724A30A0090C3000D24020014C9
68213+:104530000062100400A210210A00111F3045FFFF85
68214+:104540003065FFFF3C0280083442008003E0000831
68215+:10455000A44500143C03800834680080AD05003891
68216+:10456000346701008CE2001C308400FF00A210239D
68217+:104570001840000330C600FF24A2FFFCACE2001C80
68218+:1045800030820001504000083C0380088D02003C4E
68219+:1045900000A2102304410012240400058C620004D0
68220+:1045A00010A2000F3C0380088C62000414A2001EBD
68221+:1045B000000000003C0208008C4200D8304200207D
68222+:1045C000104000093C0280083462008090630008BB
68223+:1045D0009042004C144300043C0280082404000470
68224+:1045E0000A00110900000000344300803442010039
68225+:1045F000A040000C24020001A462001410C0000AB4
68226+:104600003C0280008C4401003C0380008C6201F875
68227+:104610000440FFFE24020002AC6401C0A06201C499
68228+:104620003C021000AC6201F803E00008000000004A
68229+:1046300027BDFFE800A61823AFBF00101860008058
68230+:10464000308800FF3C02800834470080A0E000244E
68231+:1046500034440100A0E000278C82001C00A210233B
68232+:1046600004400056000000008CE2003C94E3005C33
68233+:104670008CE4002C004530233063FFFF00C3182179
68234+:104680000083202B1080000400E018218CE2002C15
68235+:104690000A00117800A2102194E2005C3042FFFF72
68236+:1046A00000C2102100A21021AC62001C3C02800854
68237+:1046B000344400809482005C8C83001C3042FFFFF5
68238+:1046C0000002104000A210210043102B10400004F3
68239+:1046D000000000008C82001C0A00118B3C06800840
68240+:1046E0009482005C3042FFFF0002104000A21021C3
68241+:1046F0003C06800834C3010034C70080AC82001C33
68242+:10470000A060000CACE500388C62001C00A21023F5
68243+:104710001840000224A2FFFCAC62001C3102000120
68244+:10472000104000083C0380088CE2003C00A21023EB
68245+:1047300004410012240400058CC2000410A20010E1
68246+:104740008FBF00108C62000414A2004F8FBF0010B6
68247+:104750003C0208008C4200D8304200201040000A81
68248+:104760003C02800834620080906300089042004C54
68249+:10477000144300053C028008240400048FBF00108D
68250+:104780000A00110927BD001834430080344201009B
68251+:10479000A040000C24020001A46200143C0280002E
68252+:1047A0008C4401003C0380008C6201F80440FFFE51
68253+:1047B000240200020A0011D8000000008CE2001C54
68254+:1047C000004610230043102B54400001ACE5001CB0
68255+:1047D00094E2005C3042FFFF0062102B144000079F
68256+:1047E0002402000294E2005C8CE3001C3042FFFFD4
68257+:1047F00000621821ACE3001C24020002ACE5003882
68258+:104800000E000F5EA082000C1040001F8FBF001032
68259+:104810003C0280008C4401003C0380008C6201F863
68260+:104820000440FFFE24020002AC6401C0A06201C487
68261+:104830003C021000AC6201F80A0011F08FBF0010BA
68262+:1048400031020010104000108FBF00103C028008A1
68263+:10485000344500808CA3001C94A2005C00661823E1
68264+:104860003042FFFF006218213C023FFF3444FFFF4B
68265+:104870000083102B544000010080182100C3102138
68266+:10488000ACA2001C8FBF001003E0000827BD001879
68267+:1048900027BDFFE800C0402100A63023AFBF0010B5
68268+:1048A00018C00026308A00FF3C028008344900808E
68269+:1048B0008D24001C8D23002C008820230064182BDD
68270+:1048C0001060000F344701008CE2002000461021E8
68271+:1048D000ACE200208CE200200044102B1440000BBE
68272+:1048E0003C023FFF8CE2002000441023ACE2002099
68273+:1048F0009522005C3042FFFF0A0012100082202146
68274+:10490000ACE00020008620213C023FFF3443FFFF43
68275+:104910000064102B54400001006020213C028008FC
68276+:104920003442008000851821AC43001CA0400024C4
68277+:10493000A04000270A0012623C03800831420010A8
68278+:10494000104000433C0380083C06800834C40080CB
68279+:104950008C82003C004810235840003E34660080A2
68280+:104960009082002424420001A0820024908200242E
68281+:104970003C0308008C630024304200FF0043102BEE
68282+:10498000144000688FBF001034C201008C42001C2C
68283+:1049900000A2102318400063000000008CC3000434
68284+:1049A0009482005C006818233042FFFF0003184324
68285+:1049B000000210400043102A1040000500000000D3
68286+:1049C0008CC20004004810230A0012450002104364
68287+:1049D0009482005C3042FFFF000210403C068008D9
68288+:1049E000AC82002C34C5008094A2005C8CA4002C06
68289+:1049F00094A3005C3042FFFF00021040008220219F
68290+:104A00003063FFFF0083202101041021ACA2001CB1
68291+:104A10008CC2000434C60100ACC2001C2402000297
68292+:104A20000E000F5EA0C2000C1040003E8FBF0010B1
68293+:104A30003C0280008C4401003C0380008C6201F841
68294+:104A40000440FFFE240200020A001292000000004F
68295+:104A500034660080ACC50038346401008C82001CD0
68296+:104A600000A210231840000224A2FFFCAC82001C0C
68297+:104A7000314200015040000A3C0380088CC2003CD7
68298+:104A800000A2102304430014240400058C620004D7
68299+:104A900014A200033C0380080A00128424040005C9
68300+:104AA0008C62000414A2001F8FBF00103C0208009B
68301+:104AB0008C4200D8304200201040000A3C0280089E
68302+:104AC00034620080906300089042004C144300055B
68303+:104AD0003C028008240400048FBF00100A00110962
68304+:104AE00027BD00183443008034420100A040000C70
68305+:104AF00024020001A46200143C0280008C440100E6
68306+:104B00003C0380008C6201F80440FFFE2402000296
68307+:104B1000AC6401C0A06201C43C021000AC6201F8A8
68308+:104B20008FBF001003E0000827BD001827BDFFE875
68309+:104B30003C0A8008AFBF0010354900808D22003C40
68310+:104B400000C04021308400FF004610231840009D23
68311+:104B500030E700FF354701002402000100A63023A2
68312+:104B6000A0E0000CA0E0000DA522001418C0002455
68313+:104B7000308200108D23001C8D22002C0068182329
68314+:104B80000043102B1040000F000000008CE20020BA
68315+:104B900000461021ACE200208CE200200043102BE4
68316+:104BA0001440000B3C023FFF8CE200200043102326
68317+:104BB000ACE200209522005C3042FFFF0A0012C1E7
68318+:104BC00000621821ACE00020006618213C023FFF83
68319+:104BD0003446FFFF00C3102B5440000100C01821D1
68320+:104BE0003C0280083442008000651821AC43001C60
68321+:104BF000A0400024A04000270A00130F3C038008B7
68322+:104C0000104000403C0380088D22003C00481023E7
68323+:104C10005840003D34670080912200242442000166
68324+:104C2000A1220024912200243C0308008C6300246C
68325+:104C3000304200FF0043102B1440009A8FBF001039
68326+:104C40008CE2001C00A21023184000960000000017
68327+:104C50008D4300049522005C006818233042FFFF5A
68328+:104C600000031843000210400043102A10400005C2
68329+:104C7000012020218D420004004810230A0012F276
68330+:104C8000000210439522005C3042FFFF00021040FA
68331+:104C90003C068008AC82002C34C5008094A2005CE5
68332+:104CA0008CA4002C94A3005C3042FFFF0002104053
68333+:104CB000008220213063FFFF0083182101031021AF
68334+:104CC000ACA2001C8CC2000434C60100ACC2001CA3
68335+:104CD000240200020E000F5EA0C2000C1040007102
68336+:104CE0008FBF00103C0280008C4401003C03800018
68337+:104CF0008C6201F80440FFFE240200020A0013390E
68338+:104D00000000000034670080ACE500383466010024
68339+:104D10008CC2001C00A210231840000224A2FFFC39
68340+:104D2000ACC2001C30820001504000083C038008E7
68341+:104D30008CE2003C00A2102304430051240400052F
68342+:104D40008C62000410A2003E3C0380088C620004C8
68343+:104D500054A200548FBF00103C0208008C4200D8BF
68344+:104D600030420020104000063C028008346200807F
68345+:104D7000906300089042004C104300403C028008C1
68346+:104D80003443008034420100A040000C24020001A2
68347+:104D9000A46200143C0280008C4401003C038000AB
68348+:104DA0008C6201F80440FFFE24020002AC6401C0E2
68349+:104DB000A06201C43C021000AC6201F80A00137743
68350+:104DC0008FBF001024020005A120002714E2000A72
68351+:104DD0003C038008354301009062000D2C42000620
68352+:104DE000504000053C0380089062000D2442000101
68353+:104DF000A062000D3C03800834670080ACE50038F9
68354+:104E0000346601008CC2001C00A21023184000026E
68355+:104E100024A2FFFCACC2001C308200015040000AFA
68356+:104E20003C0380088CE2003C00A2102304410014E3
68357+:104E3000240400058C62000414A200033C038008D3
68358+:104E40000A00136E240400058C62000414A20015ED
68359+:104E50008FBF00103C0208008C4200D83042002076
68360+:104E60001040000A3C028008346200809063000811
68361+:104E70009042004C144300053C02800824040004C6
68362+:104E80008FBF00100A00110927BD001834430080AD
68363+:104E900034420100A040000C24020001A46200146E
68364+:104EA0008FBF001003E0000827BD00183C0B8008EE
68365+:104EB00027BDFFE83C028000AFBF00103442010074
68366+:104EC000356A00809044000A356901008C45001461
68367+:104ED0008D4800389123000C308400FF0105102319
68368+:104EE0001C4000B3306700FF2CE20006504000B1C8
68369+:104EF0008FBF00102402000100E2300430C2000322
68370+:104F00005440000800A8302330C2000C144000A117
68371+:104F100030C20030144000A38FBF00100A00143BC1
68372+:104F20000000000018C00024308200108D43001CD7
68373+:104F30008D42002C006818230043102B1040000FF6
68374+:104F4000000000008D22002000461021AD2200202C
68375+:104F50008D2200200043102B1440000B3C023FFF29
68376+:104F60008D22002000431023AD2200209542005CDA
68377+:104F70003042FFFF0A0013AF00621821AD2000206D
68378+:104F8000006618213C023FFF3446FFFF00C3102B90
68379+:104F90005440000100C018213C02800834420080C7
68380+:104FA00000651821AC43001CA0400024A04000274D
68381+:104FB0000A0013FD3C038008104000403C038008B9
68382+:104FC0008D42003C004810231840003D34670080AB
68383+:104FD0009142002424420001A14200249142002475
68384+:104FE0003C0308008C630024304200FF0043102B78
68385+:104FF000144000708FBF00108D22001C00A21023EF
68386+:105000001840006C000000008D6300049542005CB5
68387+:10501000006818233042FFFF0003184300021040CD
68388+:105020000043102A10400005014020218D62000439
68389+:10503000004810230A0013E0000210439542005C70
68390+:105040003042FFFF000210403C068008AC82002C7A
68391+:1050500034C5008094A2005C8CA4002C94A3005C56
68392+:105060003042FFFF00021040008220213063FFFF2A
68393+:105070000083182101031021ACA2001C8CC2000483
68394+:1050800034C60100ACC2001C240200020E000F5EF8
68395+:10509000A0C2000C104000478FBF00103C028000EF
68396+:1050A0008C4401003C0380008C6201F80440FFFE48
68397+:1050B000240200020A00142D000000003467008062
68398+:1050C000ACE50038346601008CC2001C00A210233D
68399+:1050D0001840000224A2FFFCACC2001C3082000178
68400+:1050E0005040000A3C0380088CE2003C00A21023E0
68401+:1050F00004430014240400058C62000414A200037D
68402+:105100003C0380080A00141F240400058C6200047C
68403+:1051100014A200288FBF00103C0208008C4200D867
68404+:10512000304200201040000A3C02800834620080B7
68405+:10513000906300089042004C144300053C02800834
68406+:10514000240400048FBF00100A00110927BD0018B5
68407+:105150003443008034420100A040000C24020001CE
68408+:10516000A46200143C0280008C4401003C038000D7
68409+:105170008C6201F80440FFFE24020002AC6401C00E
68410+:10518000A06201C43C021000AC6201F80A00143BAA
68411+:105190008FBF00108FBF0010010030210A00115A8C
68412+:1051A00027BD0018010030210A00129927BD001800
68413+:1051B0008FBF001003E0000827BD00183C038008E3
68414+:1051C0003464010024020003A082000C8C620004FD
68415+:1051D00003E00008AC82001C3C05800834A300807A
68416+:1051E0009062002734A501002406004324420001F8
68417+:1051F000A0620027906300273C0208008C42004810
68418+:10520000306300FF146200043C07602194A500EAAB
68419+:105210000A00090130A5FFFF03E0000800000000BC
68420+:1052200027BDFFE8AFBF00103C0280000E00144411
68421+:105230008C4401803C02800834430100A060000CD3
68422+:105240008C4200048FBF001027BD001803E0000847
68423+:10525000AC62001C27BDFFE03C028008AFBF001815
68424+:10526000AFB10014AFB000103445008034460100E7
68425+:105270003C0880008D09014090C3000C8CA4003CC8
68426+:105280008CA200381482003B306700FF9502007C3E
68427+:1052900090A30027146000093045FFFF2402000599
68428+:1052A00054E200083C04800890C2000D2442000132
68429+:1052B000A0C2000D0A00147F3C048008A0C0000DAD
68430+:1052C0003C048008348201009042000C2403000555
68431+:1052D000304200FF1443000A24A205DC348300801E
68432+:1052E000906200272C4200075040000524A20A00CB
68433+:1052F00090630027240200140062100400A2102111
68434+:105300003C108008361000803045FFFF012020212E
68435+:105310000E001444A60500149602005C8E030038AB
68436+:105320003C1180003042FFFF000210400062182153
68437+:10533000AE03001C0E0003328E24014092020025B1
68438+:1053400034420040A20200250E00033D8E2401409D
68439+:105350008E2401403C0380008C6201F80440FFFE73
68440+:1053600024020002AC6401C0A06201C43C0210002F
68441+:10537000AC6201F88FBF00188FB100148FB000101D
68442+:1053800003E0000827BD00203C0360103C02080039
68443+:1053900024420174AC62502C8C6250003C048000AA
68444+:1053A00034420080AC6250003C0208002442547C2D
68445+:1053B0003C010800AC2256003C020800244254384C
68446+:1053C0003C010800AC2256043C020002AC840008F8
68447+:1053D000AC82000C03E000082402000100A0302190
68448+:1053E0003C1C0800279C56083C0200023C050400B7
68449+:1053F00000852826008220260004102B2CA5000101
68450+:105400002C840001000210803C0308002463560035
68451+:105410000085202500431821108000030000102182
68452+:10542000AC6600002402000103E000080000000058
68453+:105430003C1C0800279C56083C0200023C05040066
68454+:1054400000852826008220260004102B2CA50001B0
68455+:105450002C840001000210803C03080024635600E5
68456+:105460000085202500431821108000050000102130
68457+:105470003C02080024425438AC62000024020001BF
68458+:1054800003E00008000000003C0200023C030400AE
68459+:1054900000821026008318262C4200012C63000194
68460+:1054A000004310251040000B000028213C1C080080
68461+:1054B000279C56083C0380008C62000824050001EC
68462+:1054C00000431025AC6200088C62000C00441025DB
68463+:1054D000AC62000C03E0000800A010213C1C080096
68464+:1054E000279C56083C0580008CA3000C0004202754
68465+:1054F000240200010064182403E00008ACA3000C9F
68466+:105500003C020002148200063C0560008CA208D018
68467+:105510002403FFFE0043102403E00008ACA208D0DF
68468+:105520003C02040014820005000000008CA208D098
68469+:105530002403FFFD00431024ACA208D003E00008C0
68470+:10554000000000003C02601A344200108C430080CE
68471+:1055500027BDFFF88C440084AFA3000093A3000094
68472+:10556000240200041462001AAFA4000493A20001F4
68473+:105570001040000797A300023062FFFC3C0380004C
68474+:10558000004310218C4200000A001536AFA200042F
68475+:105590003062FFFC3C03800000431021AC4400005B
68476+:1055A000A3A000003C0560008CA208D02403FFFEED
68477+:1055B0003C04601A00431024ACA208D08FA300045E
68478+:1055C0008FA2000034840010AC830084AC82008081
68479+:1055D00003E0000827BD000827BDFFE8AFBF0010AB
68480+:1055E0003C1C0800279C56083C0280008C43000CA1
68481+:1055F0008C420004004318243C0200021060001496
68482+:10560000006228243C0204003C04000210A00005B3
68483+:10561000006210243C0208008C4256000A00155B10
68484+:1056200000000000104000073C0404003C02080099
68485+:105630008C4256040040F809000000000A00156082
68486+:10564000000000000000000D3C1C0800279C5608CC
68487+:105650008FBF001003E0000827BD0018800802403B
68488+:1056600080080100800800808008000000000C8095
68489+:105670000000320008000E9808000EF408000F88A1
68490+:1056800008001028080010748008010080080080BD
68491+:10569000800800000A000028000000000000000050
68492+:1056A0000000000D6370362E322E316200000000C3
68493+:1056B00006020104000000000000000000000000DD
68494+:1056C000000000000000000038003C000000000066
68495+:1056D00000000000000000000000000000000020AA
68496+:1056E00000000000000000000000000000000000BA
68497+:1056F00000000000000000000000000000000000AA
68498+:10570000000000000000000021003800000000013F
68499+:105710000000002B000000000000000400030D400A
68500+:105720000000000000000000000000000000000079
68501+:105730000000000000000000100000030000000056
68502+:105740000000000D0000000D3C020800244259AC8E
68503+:105750003C03080024635BF4AC4000000043202BB2
68504+:105760001480FFFD244200043C1D080037BD9FFC4F
68505+:1057700003A0F0213C100800261000A03C1C0800EB
68506+:10578000279C59AC0E0002F6000000000000000D3E
68507+:1057900027BDFFB4AFA10000AFA20004AFA3000873
68508+:1057A000AFA4000CAFA50010AFA60014AFA700185F
68509+:1057B000AFA8001CAFA90020AFAA0024AFAB0028FF
68510+:1057C000AFAC002CAFAD0030AFAE0034AFAF00389F
68511+:1057D000AFB8003CAFB90040AFBC0044AFBF004819
68512+:1057E0000E000820000000008FBF00488FBC00445E
68513+:1057F0008FB900408FB8003C8FAF00388FAE0034B7
68514+:105800008FAD00308FAC002C8FAB00288FAA002406
68515+:105810008FA900208FA8001C8FA700188FA6001446
68516+:105820008FA500108FA4000C8FA300088FA2000486
68517+:105830008FA1000027BD004C3C1B60188F7A5030B0
68518+:10584000377B502803400008AF7A000000A01821E1
68519+:1058500000801021008028213C0460003C0760008B
68520+:105860002406000810600006348420788C42000072
68521+:10587000ACE220088C63000003E00008ACE3200CDD
68522+:105880000A000F8100000000240300403C02600079
68523+:1058900003E00008AC4320003C0760008F86000452
68524+:1058A0008CE520740086102100A2182B14600007DC
68525+:1058B000000028218F8AFDA024050001A1440013C7
68526+:1058C0008F89000401244021AF88000403E0000810
68527+:1058D00000A010218F84FDA08F8500049086001306
68528+:1058E00030C300FF00A31023AF82000403E00008D0
68529+:1058F000A08000138F84FDA027BDFFE8AFB000108B
68530+:10590000AFBF001490890011908700112402002875
68531+:10591000312800FF3906002830E300FF2485002CE1
68532+:105920002CD00001106200162484001C0E00006EB2
68533+:10593000000000008F8FFDA03C05600024020204DF
68534+:1059400095EE003E95ED003C000E5C0031ACFFFF93
68535+:10595000016C5025ACAA2010520000012402000462
68536+:10596000ACA22000000000000000000000000000C9
68537+:105970008FBF00148FB0001003E0000827BD00188F
68538+:105980000A0000A6000028218F85FDA027BDFFD8B2
68539+:10599000AFBF0020AFB3001CAFB20018AFB100140E
68540+:1059A000AFB000100080982190A4001124B0001C1A
68541+:1059B00024B1002C308300FF386200280E000090D4
68542+:1059C0002C5200010E00009800000000020020216F
68543+:1059D0001240000202202821000028210E00006E43
68544+:1059E000000000008F8DFDA03C0880003C05600099
68545+:1059F00095AC003E95AB003C02683025000C4C0095
68546+:105A0000316AFFFF012A3825ACA7201024020202C8
68547+:105A1000ACA6201452400001240200028FBF0020D7
68548+:105A20008FB3001C8FB200188FB100148FB000101C
68549+:105A300027BD002803E00008ACA2200027BDFFE03E
68550+:105A4000AFB20018AFB10014AFB00010AFBF001C70
68551+:105A50003C1160008E2320748F82000430D0FFFF41
68552+:105A600030F2FFFF1062000C2406008F0E00006E63
68553+:105A7000000000003C06801F0010440034C5FF00F9
68554+:105A80000112382524040002AE2720100000302126
68555+:105A9000AE252014AE2420008FBF001C8FB200184A
68556+:105AA0008FB100148FB0001000C0102103E0000877
68557+:105AB00027BD002027BDFFE0AFB0001030D0FFFFB2
68558+:105AC000AFBF0018AFB100140E00006E30F1FFFF41
68559+:105AD00000102400009180253C036000AC70201071
68560+:105AE0008FBF00188FB100148FB000102402000483
68561+:105AF000AC62200027BD002003E000080000102158
68562+:105B000027BDFFE03C046018AFBF0018AFB1001420
68563+:105B1000AFB000108C8850002403FF7F34028071E6
68564+:105B20000103382434E5380C241F00313C1980006F
68565+:105B3000AC8550003C11800AAC8253BCAF3F0008DA
68566+:105B40000E00054CAF9100400E00050A3C116000AC
68567+:105B50000E00007D000000008E3008083C0F570941
68568+:105B60002418FFF00218602435EEE00035EDF00057
68569+:105B7000018E5026018D58262D4600012D69000109
68570+:105B8000AF86004C0E000D09AF8900503C06601630
68571+:105B90008CC700003C0860148D0500A03C03FFFF8B
68572+:105BA00000E320243C02535300052FC2108200550D
68573+:105BB00034D07C00960201F2A780006C10400003F4
68574+:105BC000A780007C384B1E1EA78B006C960201F844
68575+:105BD000104000048F8D0050384C1E1EA78C007C96
68576+:105BE0008F8D005011A000058F83004C240E0020E3
68577+:105BF000A78E007CA78E006C8F83004C1060000580
68578+:105C00009785007C240F0020A78F007CA78F006C55
68579+:105C10009785007C2CB8008153000001240500808A
68580+:105C20009784006C2C91040152200001240404008C
68581+:105C30001060000B3C0260008FBF00188FB1001491
68582+:105C40008FB0001027BD0020A784006CA785007CC2
68583+:105C5000A380007EA780007403E00008A780009264
68584+:105C60008C4704382419103C30FFFFFF13F9000360
68585+:105C700030A8FFFF1100004624030050A380007EDF
68586+:105C80009386007E50C00024A785007CA780007CFE
68587+:105C90009798007CA780006CA7800074A780009272
68588+:105CA0003C010800AC3800800E00078700000000AF
68589+:105CB0003C0F60008DED0808240EFFF03C0B600ED9
68590+:105CC000260C0388356A00100000482100002821B6
68591+:105CD00001AE20243C105709AF8C0010AF8A004859
68592+:105CE000AF89001810900023AF8500148FBF0018F3
68593+:105CF0008FB100148FB0001027BD002003E0000812
68594+:105D0000AF80005400055080014648218D260004D4
68595+:105D10000A00014800D180219798007CA784006C7C
68596+:105D2000A7800074A78000923C010800AC38008076
68597+:105D30000E000787000000003C0F60008DED080892
68598+:105D4000240EFFF03C0B600E260C0388356A001011
68599+:105D5000000048210000282101AE20243C105709F2
68600+:105D6000AF8C0010AF8A0048AF8900181490FFDF95
68601+:105D7000AF85001424110001AF9100548FBF0018AB
68602+:105D80008FB100148FB0001003E0000827BD002081
68603+:105D90000A00017BA383007E3083FFFF8F880040D1
68604+:105DA0008F87003C000321403C0580003C020050EE
68605+:105DB000008248253C0660003C0A010034AC040027
68606+:105DC0008CCD08E001AA58241160000500000000F5
68607+:105DD0008CCF08E024E7000101EA7025ACCE08E092
68608+:105DE0008D19001001805821ACB900388D180014AD
68609+:105DF000ACB8003CACA9003000000000000000007E
68610+:105E00000000000000000000000000000000000092
68611+:105E100000000000000000003C0380008C640000D3
68612+:105E2000308200201040FFFD3C0F60008DED08E047
68613+:105E30003C0E010001AE18241460FFE100000000D8
68614+:105E4000AF87003C03E00008AF8B00588F8500400F
68615+:105E5000240BFFF03C06800094A7001A8CA90024B4
68616+:105E600030ECFFFF000C38C000EB5024012A402129
68617+:105E7000ACC8003C8CA400248CC3003C00831023DD
68618+:105E800018400033000000008CAD002025A2000166
68619+:105E90003C0F0050ACC2003835EE00103C068000CC
68620+:105EA000ACCE003000000000000000000000000048
68621+:105EB00000000000000000000000000000000000E2
68622+:105EC000000000003C0480008C9900003338002062
68623+:105ED0001300FFFD30E20008104000173C0980006D
68624+:105EE0008C880408ACA800108C83040CACA30014AC
68625+:105EF0003C1900203C188000AF19003094AE001807
68626+:105F000094AF001C01CF3021A4A6001894AD001A54
68627+:105F100025A70001A4A7001A94AB001A94AC001E98
68628+:105F2000118B00030000000003E0000800000000E7
68629+:105F300003E00008A4A0001A8D2A0400ACAA0010F7
68630+:105F40008D240404ACA400140A0002183C1900209B
68631+:105F50008CA200200A0002003C0F00500A0001EE53
68632+:105F60000000000027BDFFE8AFBF00100E000232A6
68633+:105F7000000000008F8900408FBF00103C038000AC
68634+:105F8000A520000A9528000A9527000427BD0018BF
68635+:105F90003105FFFF30E6000F0006150000A22025A6
68636+:105FA00003E00008AC6400803C0508008CA50020DC
68637+:105FB0008F83000C27BDFFE8AFB00010AFBF001407
68638+:105FC00010A300100000802124040001020430040A
68639+:105FD00000A6202400C3102450440006261000010F
68640+:105FE000001018802787FDA41480000A006718217C
68641+:105FF000261000012E0900025520FFF38F83000CAC
68642+:10600000AF85000C8FBF00148FB0001003E00008B4
68643+:1060100027BD00188C6800003C058000ACA8002457
68644+:106020000E000234261000013C0508008CA500205B
68645+:106030000A0002592E0900022405000100851804F7
68646+:106040003C0408008C84002027BDFFC8AFBF00348B
68647+:1060500000831024AFBE0030AFB7002CAFB60028CD
68648+:10606000AFB50024AFB40020AFB3001CAFB200182E
68649+:10607000AFB1001410400051AFB000108F84004049
68650+:10608000948700069488000A00E8302330D5FFFF8B
68651+:1060900012A0004B8FBF0034948B0018948C000A20
68652+:1060A000016C50233142FFFF02A2482B1520000251
68653+:1060B00002A02021004020212C8F000515E00002C5
68654+:1060C00000809821241300040E0001C102602021E9
68655+:1060D0008F87004002609021AF80004494F4000A52
68656+:1060E000026080211260004E3291FFFF3C1670006A
68657+:1060F0003C1440003C1E20003C1760008F99005863
68658+:106100008F380000031618241074004F0283F82BF8
68659+:1061100017E0003600000000107E00478F86004424
68660+:1061200014C0003A2403000102031023022320219B
68661+:106130003050FFFF1600FFF13091FFFF8F870040C6
68662+:106140003C1100203C108000AE11003094EB000A9E
68663+:106150003C178000024B5021A4EA000A94E9000A8F
68664+:1061600094E800043123FFFF3106000F00062D00E4
68665+:106170000065F025AEFE008094F3000A94F6001846
68666+:1061800012D30036001221408CFF00148CF4001052
68667+:1061900003E468210000C02101A4782B029870213B
68668+:1061A00001CF6021ACED0014ACEC001002B238233A
68669+:1061B00030F5FFFF16A0FFB88F8400408FBF00347A
68670+:1061C0008FBE00308FB7002C8FB600288FB500240B
68671+:1061D0008FB400208FB3001C8FB200188FB1001451
68672+:1061E0008FB0001003E0000827BD00381477FFCC03
68673+:1061F0008F8600440E000EE202002021004018218C
68674+:106200008F86004410C0FFC9020310230270702360
68675+:106210008F87004001C368210A0002E431B2FFFF0A
68676+:106220008F86004414C0FFC93C1100203C10800040
68677+:106230000A0002AEAE1100300E00046602002021FA
68678+:106240000A0002DB00401821020020210E0009395B
68679+:10625000022028210A0002DB004018210E0001EE76
68680+:10626000000000000A0002C702B2382327BDFFC8A1
68681+:10627000AFB7002CAFB60028AFB50024AFB40020F4
68682+:10628000AFB3001CAFB20018AFB10014AFB0001034
68683+:10629000AFBF00300E00011B241300013C047FFF40
68684+:1062A0003C0380083C0220003C010800AC20007048
68685+:1062B0003496FFFF34770080345200033C1512C03F
68686+:1062C000241400013C1080002411FF800E000245C0
68687+:1062D000000000008F8700488F8B00188F89001402
68688+:1062E0008CEA00EC8CE800E8014B302B01092823F4
68689+:1062F00000A6102314400006014B18231440000E82
68690+:106300003C05800002A3602B1180000B0000000000
68691+:106310003C0560008CEE00EC8CED00E88CA4180CC1
68692+:10632000AF8E001804800053AF8D00148F8F0010C3
68693+:10633000ADF400003C0580008CBF00003BF900017B
68694+:10634000333800011700FFE13C0380008C6201003C
68695+:1063500024060C0010460009000000008C680100B3
68696+:106360002D043080548000103C0480008C690100B2
68697+:106370002D2331811060000C3C0480008CAA0100A8
68698+:1063800011460004000020218CA6010024C5FF81D5
68699+:1063900030A400FF8E0B01000E000269AE0B00243A
68700+:1063A0000A00034F3C0480008C8D01002DAC3300AB
68701+:1063B00011800022000000003C0708008CE70098D4
68702+:1063C00024EE00013C010800AC2E00983C04800043
68703+:1063D0008C8201001440000300000000566000148D
68704+:1063E0003C0440008C9F01008C9801000000982123
68705+:1063F00003F1C82400193940330F007F00EF7025E6
68706+:1064000001D26825AC8D08308C8C01008C85010090
68707+:10641000258B0100017130240006514030A3007F1C
68708+:106420000143482501324025AC8808303C04400037
68709+:10643000AE0401380A00030E000000008C99010030
68710+:10644000240F0020AC99002092F80000330300FFD5
68711+:10645000106F000C241F0050547FFFDD3C048000AF
68712+:106460008C8401000E00154E000000000A00034F4E
68713+:106470003C04800000963824ACA7180C0A000327BF
68714+:106480008F8F00108C8501000E0008F72404008017
68715+:106490000A00034F3C04800000A4102B24030001D9
68716+:1064A00010400009000030210005284000A4102BF6
68717+:1064B00004A00003000318405440FFFC00052840DE
68718+:1064C0005060000A0004182B0085382B54E00004AB
68719+:1064D0000003184200C33025008520230003184222
68720+:1064E0001460FFF9000528420004182B03E000089F
68721+:1064F00000C310213084FFFF30C600FF3C0780003E
68722+:106500008CE201B80440FFFE00064C000124302557
68723+:106510003C08200000C820253C031000ACE00180AE
68724+:10652000ACE50184ACE4018803E00008ACE301B809
68725+:106530003C0660008CC5201C2402FFF03083020062
68726+:10654000308601001060000E00A2282434A500014E
68727+:106550003087300010E0000530830C0034A50004C3
68728+:106560003C04600003E00008AC85201C1060FFFDC7
68729+:106570003C04600034A5000803E00008AC85201C42
68730+:1065800054C0FFF334A500020A0003B03087300086
68731+:1065900027BDFFE8AFB00010AFBF00143C0760009C
68732+:1065A000240600021080001100A080218F83005873
68733+:1065B0000E0003A78C6400188F8200580000202171
68734+:1065C000240600018C45000C0E000398000000001A
68735+:1065D0001600000224020003000010218FBF0014E7
68736+:1065E0008FB0001003E0000827BD00188CE8201CC5
68737+:1065F0002409FFF001092824ACE5201C8F870058EE
68738+:106600000A0003CD8CE5000C3C02600E00804021A6
68739+:1066100034460100240900180000000000000000BA
68740+:10662000000000003C0A00503C0380003547020097
68741+:10663000AC68003834640400AC65003CAC670030E2
68742+:106640008C6C0000318B00201160FFFD2407FFFFE0
68743+:106650002403007F8C8D00002463FFFF248400044A
68744+:10666000ACCD00001467FFFB24C60004000000004E
68745+:10667000000000000000000024A402000085282B78
68746+:106680003C0300203C0E80002529FFFF010540212E
68747+:10669000ADC300301520FFE00080282103E0000892
68748+:1066A000000000008F82005827BDFFD8AFB3001C48
68749+:1066B000AFBF0020AFB20018AFB10014AFB00010F0
68750+:1066C00094460002008098218C5200182CC300814F
68751+:1066D0008C4800048C4700088C51000C8C49001039
68752+:1066E000106000078C4A00142CC4000414800013AE
68753+:1066F00030EB000730C5000310A0001000000000C0
68754+:106700002410008B02002021022028210E00039873
68755+:10671000240600031660000224020003000010217A
68756+:106720008FBF00208FB3001C8FB200188FB10014F0
68757+:106730008FB0001003E0000827BD00281560FFF1AE
68758+:106740002410008B3C0C80003C030020241F00011F
68759+:10675000AD830030AF9F0044000000000000000047
68760+:10676000000000002419FFF024D8000F031978243A
68761+:106770003C1000D0AD88003801F0702524CD000316
68762+:106780003C08600EAD87003C35850400AD8E0030BE
68763+:10679000000D38823504003C3C0380008C6B000007
68764+:1067A000316200201040FFFD0000000010E00008F2
68765+:1067B00024E3FFFF2407FFFF8CA800002463FFFFF2
68766+:1067C00024A50004AC8800001467FFFB24840004A7
68767+:1067D0003C05600EACA60038000000000000000080
68768+:1067E000000000008F8600543C0400203C0780001D
68769+:1067F000ACE4003054C000060120202102402021DA
68770+:106800000E0003A7000080210A00041D02002021C1
68771+:106810000E0003DD01402821024020210E0003A7C5
68772+:10682000000080210A00041D0200202127BDFFE096
68773+:10683000AFB200183092FFFFAFB10014AFBF001C21
68774+:10684000AFB000101640000D000088210A0004932C
68775+:106850000220102124050003508500278CE5000C40
68776+:106860000000000D262800013111FFFF24E2002066
68777+:106870000232802B12000019AF8200588F82004430
68778+:10688000144000168F8700583C0670003C0320001F
68779+:106890008CE5000000A62024148300108F84006083
68780+:1068A000000544023C09800000A980241480FFE90F
68781+:1068B000310600FF2CCA000B5140FFEB26280001D7
68782+:1068C000000668803C0E080025CE575801AE6021B6
68783+:1068D0008D8B0000016000080000000002201021E4
68784+:1068E0008FBF001C8FB200188FB100148FB0001042
68785+:1068F00003E0000827BD00200E0003982404008454
68786+:106900001600FFD88F8700580A000474AF8000601B
68787+:10691000020028210E0003BF240400018F870058C5
68788+:106920000A000474AF820060020028210E0003BF39
68789+:10693000000020210A0004A38F8700580E000404E1
68790+:10694000020020218F8700580A000474AF82006083
68791+:1069500030AFFFFF000F19C03C0480008C9001B8DD
68792+:106960000600FFFE3C1920043C181000AC83018097
68793+:10697000AC800184AC990188AC9801B80A00047518
68794+:106980002628000190E2000390E30002000020218D
68795+:106990000002FE0000033A0000FF2825240600083C
68796+:1069A0000E000398000000001600FFDC2402000324
68797+:1069B0008F870058000010210A000474AF82006025
68798+:1069C00090E8000200002021240600090A0004C308
68799+:1069D00000082E0090E4000C240900FF308500FF21
68800+:1069E00010A900150000302190F9000290F8000372
68801+:1069F000308F00FF94EB000400196E000018740043
68802+:106A0000000F62000186202501AE5025014B28258C
68803+:106A10003084FF8B0A0004C32406000A90E30002BE
68804+:106A200090FF0004000020210003360000DF28252D
68805+:106A30000A0004C32406000B0A0004D52406008BB8
68806+:106A4000000449C23127003F000443423C02800059
68807+:106A500000082040240316802CE60020AC43002CC4
68808+:106A600024EAFFE02482000114C0000330A900FFE3
68809+:106A700000801021314700FF000260803C0D800043
68810+:106A8000240A0001018D20213C0B000E00EA28049D
68811+:106A9000008B302111200005000538278CCE000026
68812+:106AA00001C5382503E00008ACC700008CD8000001
68813+:106AB0000307782403E00008ACCF000027BDFFE007
68814+:106AC000AFB10014AFB00010AFBF00183C076000BA
68815+:106AD0008CE408083402F0003C1160003083F000C0
68816+:106AE000240501C03C04800E000030211062000625
68817+:106AF000241000018CEA08083149F0003928E00030
68818+:106B00000008382B000780403C0D0200AE2D081411
68819+:106B1000240C16803C0B80008E2744000E000F8B47
68820+:106B2000AD6C002C120000043C02169124050001FB
68821+:106B3000120500103C023D2C345800E0AE384408E9
68822+:106B40003C1108008E31007C8FBF00183C066000AD
68823+:106B500000118540360F16808FB100148FB00010E1
68824+:106B60003C0E020027BD0020ACCF442003E000080B
68825+:106B7000ACCE08103C0218DA345800E0AE384408B5
68826+:106B80003C1108008E31007C8FBF00183C0660006D
68827+:106B900000118540360F16808FB100148FB00010A1
68828+:106BA0003C0E020027BD0020ACCF442003E00008CB
68829+:106BB000ACCE08100A0004EB240500010A0004EB27
68830+:106BC0000000282124020400A7820024A780001CC2
68831+:106BD000000020213C06080024C65A582405FFFF67
68832+:106BE00024890001000440803124FFFF01061821A0
68833+:106BF0002C87002014E0FFFAAC6500002404040098
68834+:106C0000A7840026A780001E000020213C06080063
68835+:106C100024C65AD82405FFFF248D0001000460809B
68836+:106C200031A4FFFF018658212C8A00201540FFFA6D
68837+:106C3000AD650000A7800028A7800020A780002263
68838+:106C4000000020213C06080024C65B582405FFFFF5
68839+:106C5000249900010004C0803324FFFF030678213B
68840+:106C60002C8E000415C0FFFAADE500003C05600065
68841+:106C70008CA73D002403E08F00E31024344601403C
68842+:106C800003E00008ACA63D002487007F000731C266
68843+:106C900024C5FFFF000518C2246400013082FFFFF5
68844+:106CA000000238C0A78400303C010800AC27003047
68845+:106CB000AF80002C0000282100002021000030219E
68846+:106CC0002489000100A728213124FFFF2CA81701E7
68847+:106CD000110000032C8300801460FFF924C600011A
68848+:106CE00000C02821AF86002C10C0001DA786002AF6
68849+:106CF00024CAFFFF000A11423C08080025085B581F
68850+:106D00001040000A00002021004030212407FFFF2E
68851+:106D1000248E00010004688031C4FFFF01A86021B7
68852+:106D20000086582B1560FFFAAD87000030A2001FC7
68853+:106D30005040000800043080240300010043C804D0
68854+:106D400000041080004878212738FFFF03E0000886
68855+:106D5000ADF8000000C820212405FFFFAC8500002D
68856+:106D600003E000080000000030A5FFFF30C6FFFF71
68857+:106D700030A8001F0080602130E700FF0005294295
68858+:106D80000000502110C0001D24090001240B000147
68859+:106D900025180001010B2004330800FF0126782686
68860+:106DA000390E00202DED00012DC2000101A2182591
68861+:106DB0001060000D014450250005C880032C4021BF
68862+:106DC0000100182110E0000F000A20278D040000A8
68863+:106DD000008A1825AD03000024AD00010000402109
68864+:106DE0000000502131A5FFFF252E000131C9FFFF12
68865+:106DF00000C9102B1040FFE72518000103E0000830
68866+:106E0000000000008D0A0000014440240A0005D162
68867+:106E1000AC68000027BDFFE830A5FFFF30C6FFFFCC
68868+:106E2000AFB00010AFBF001430E7FFFF00005021EB
68869+:106E30003410FFFF0000602124AF001F00C0482174
68870+:106E4000241800012419002005E0001601E010219B
68871+:106E50000002F943019F682A0009702B01AE40240B
68872+:106E600011000017000C18800064102110E00005CC
68873+:106E70008C4B000000F840040008382301675824B8
68874+:106E800000003821154000410000402155600016E7
68875+:106E90003169FFFF258B0001316CFFFF05E1FFEC3D
68876+:106EA00001E0102124A2003E0002F943019F682A5C
68877+:106EB0000009702B01AE40241500FFEB000C188078
68878+:106EC000154600053402FFFF020028210E0005B51B
68879+:106ED00000003821020010218FBF00148FB0001075
68880+:106EE00003E0000827BD00181520000301601821E9
68881+:106EF000000B1C0224080010306A00FF154000053A
68882+:106F0000306E000F250D000800031A0231A800FFA3
68883+:106F1000306E000F15C00005307F000325100004FF
68884+:106F200000031902320800FF307F000317E000055C
68885+:106F3000386900012502000200031882304800FF72
68886+:106F4000386900013123000110600004310300FFA3
68887+:106F5000250A0001314800FF310300FF000C6940A1
68888+:106F600001A34021240A000110CAFFD53110FFFF00
68889+:106F7000246E000131C800FF1119FFC638C9000195
68890+:106F80002D1F002053E0001C258B0001240D000163
68891+:106F90000A000648240E002051460017258B0001E8
68892+:106FA00025090001312800FF2D0900205120001281
68893+:106FB000258B000125430001010D5004014B1024D5
68894+:106FC000250900011440FFF4306AFFFF3127FFFF5D
68895+:106FD00010EE000C2582FFFF304CFFFF0000502117
68896+:106FE0003410FFFF312800FF2D0900205520FFF24B
68897+:106FF00025430001258B0001014648260A000602B0
68898+:10700000316CFFFF00003821000050210A000654B7
68899+:107010003410FFFF27BDFFD8AFB0001030F0FFFFE6
68900+:10702000AFB10014001039423211FFE000071080A8
68901+:10703000AFB3001C00B1282330D3FFFFAFB200185C
68902+:1070400030A5FFFF00809021026030210044202104
68903+:10705000AFBF00200E0005E03207001F022288218A
68904+:107060003403FFFF0240202102002821026030216A
68905+:1070700000003821104300093231FFFF02201021A7
68906+:107080008FBF00208FB3001C8FB200188FB1001487
68907+:107090008FB0001003E0000827BD00280E0005E0B7
68908+:1070A0000000000000408821022010218FBF002036
68909+:1070B0008FB3001C8FB200188FB100148FB0001076
68910+:1070C00003E0000827BD0028000424003C03600002
68911+:1070D000AC603D0810A00002348210063482101605
68912+:1070E00003E00008AC623D0427BDFFE0AFB0001034
68913+:1070F000309000FF2E020006AFBF001810400008BD
68914+:10710000AFB10014001030803C03080024635784A2
68915+:1071100000C328218CA400000080000800000000AB
68916+:10712000000020218FBF00188FB100148FB0001015
68917+:107130000080102103E0000827BD00209791002A5D
68918+:1071400016200051000020213C020800904200332C
68919+:107150000A0006BB00000000978D002615A0003134
68920+:10716000000020210A0006BB2402000897870024A3
68921+:1071700014E0001A00001821006020212402000100
68922+:107180001080FFE98FBF0018000429C2004530219C
68923+:1071900000A6582B1160FFE43C0880003C0720004B
68924+:1071A000000569C001A76025AD0C00203C038008E4
68925+:1071B0002402001F2442FFFFAC6000000441FFFDD9
68926+:1071C0002463000424A5000100A6702B15C0FFF560
68927+:1071D000000569C00A0006A58FBF00189787001C2C
68928+:1071E0003C04080024845A58240504000E0006605C
68929+:1071F00024060001978B002424440001308AFFFFFD
68930+:107200002569FFFF2D48040000402821150000409B
68931+:10721000A789002424AC3800000C19C00A0006B964
68932+:10722000A780001C9787001E3C04080024845AD8BD
68933+:10723000240504000E00066024060001979900262C
68934+:10724000244400013098FFFF272FFFFF2F0E04007A
68935+:107250000040882115C0002CA78F0026A780001EA3
68936+:107260003A020003262401003084FFFF0E00068D41
68937+:107270002C4500010011F8C027F00100001021C0CA
68938+:107280000A0006BB240200089785002E978700227B
68939+:107290003C04080024845B580E00066024060001AC
68940+:1072A0009787002A8F89002C2445000130A8FFFF12
68941+:1072B00024E3FFFF0109302B0040802114C0001897
68942+:1072C000A783002AA7800022978500300E000F7543
68943+:1072D00002002021244A05003144FFFF0E00068DE4
68944+:1072E000240500013C05080094A500320E000F752E
68945+:1072F00002002021244521003C0208009042003376
68946+:107300000A0006BB000521C00A0006F3A784001E80
68947+:1073100024AC3800000C19C00A0006B9A784001C70
68948+:107320000A00070DA7850022308400FF27BDFFE873
68949+:107330002C820006AFBF0014AFB000101040001543
68950+:1073400000A03821000440803C0308002463579CBF
68951+:10735000010328218CA40000008000080000000028
68952+:1073600024CC007F000751C2000C59C23170FFFFCE
68953+:107370002547C40030E5FFFF2784001C02003021B0
68954+:107380000E0005B52407000197860028020620217B
68955+:10739000A78400288FBF00148FB0001003E00008FE
68956+:1073A00027BD00183C0508008CA50030000779C2F5
68957+:1073B0000E00038125E4DF003045FFFF3C04080098
68958+:1073C00024845B58240600010E0005B52407000143
68959+:1073D000978E002A8FBF00148FB0001025CD0001BA
68960+:1073E00027BD001803E00008A78D002A0007C9C2C6
68961+:1073F0002738FF00001878C231F0FFFF3C04080076
68962+:1074000024845AD802002821240600010E0005B564
68963+:1074100024070001978D0026260E0100000E84002F
68964+:1074200025AC00013C0B6000A78C0026AD603D0838
68965+:1074300036040006000030213C0760008CE23D0469
68966+:10744000305F000617E0FFFD24C9000100061B00A5
68967+:10745000312600FF006440252CC50004ACE83D0443
68968+:1074600014A0FFF68FBF00148FB0001003E00008D7
68969+:1074700027BD0018000751C22549C8002406000195
68970+:10748000240700013C04080024845A580E0005B566
68971+:107490003125FFFF978700248FBF00148FB00010A5
68972+:1074A00024E6000127BD001803E00008A786002499
68973+:1074B0003C0660183C090800252900FCACC9502C8A
68974+:1074C0008CC850003C0580003C020002350700805B
68975+:1074D000ACC750003C04080024841FE03C030800B3
68976+:1074E00024631F98ACA50008ACA2000C3C01080066
68977+:1074F000AC2459A43C010800AC2359A803E00008BF
68978+:107500002402000100A030213C1C0800279C59AC3B
68979+:107510003C0C04003C0B0002008B3826008C4026FB
68980+:107520002CE200010007502B2D050001000A4880C5
68981+:107530003C030800246359A4004520250123182199
68982+:107540001080000300001021AC660000240200013E
68983+:1075500003E00008000000003C1C0800279C59AC18
68984+:107560003C0B04003C0A0002008A3026008B3826BF
68985+:107570002CC200010006482B2CE5000100094080C8
68986+:107580003C030800246359A4004520250103182169
68987+:1075900010800005000010213C0C0800258C1F986D
68988+:1075A000AC6C00002402000103E0000800000000B1
68989+:1075B0003C0900023C080400008830260089382677
68990+:1075C0002CC30001008028212CE400010083102539
68991+:1075D0001040000B000030213C1C0800279C59ACD7
68992+:1075E0003C0A80008D4E00082406000101CA68256F
68993+:1075F000AD4D00088D4C000C01855825AD4B000C9D
68994+:1076000003E0000800C010213C1C0800279C59AC76
68995+:107610003C0580008CA6000C0004202724020001F9
68996+:1076200000C4182403E00008ACA3000C3C020002D4
68997+:107630001082000B3C0560003C070400108700032B
68998+:107640000000000003E00008000000008CA908D042
68999+:10765000240AFFFD012A402403E00008ACA808D05A
69000+:107660008CA408D02406FFFE0086182403E000083E
69001+:10767000ACA308D03C05601A34A600108CC300806F
69002+:1076800027BDFFF88CC50084AFA3000093A40000C1
69003+:107690002402001010820003AFA5000403E00008DC
69004+:1076A00027BD000893A7000114E0001497AC000266
69005+:1076B00097B800023C0F8000330EFFFC01CF682119
69006+:1076C000ADA50000A3A000003C0660008CC708D058
69007+:1076D0002408FFFE3C04601A00E82824ACC508D04A
69008+:1076E0008FA300048FA200003499001027BD00086A
69009+:1076F000AF22008003E00008AF2300843C0B800031
69010+:10770000318AFFFC014B48218D2800000A00080C3B
69011+:10771000AFA8000427BDFFE8AFBF00103C1C080065
69012+:10772000279C59AC3C0580008CA4000C8CA2000462
69013+:107730003C0300020044282410A0000A00A31824DF
69014+:107740003C0604003C0400021460000900A610245A
69015+:107750001440000F3C0404000000000D3C1C080015
69016+:10776000279C59AC8FBF001003E0000827BD00180C
69017+:107770003C0208008C4259A40040F80900000000B7
69018+:107780003C1C0800279C59AC0A0008358FBF00102C
69019+:107790003C0208008C4259A80040F8090000000093
69020+:1077A0000A00083B000000003C0880008D0201B880
69021+:1077B0000440FFFE35090180AD2400003C031000A9
69022+:1077C00024040040AD250004A1240008A1260009DE
69023+:1077D000A527000A03E00008AD0301B83084FFFFCD
69024+:1077E0000080382130A5FFFF000020210A00084555
69025+:1077F000240600803087FFFF8CA400002406003898
69026+:107800000A000845000028218F8300788F860070C9
69027+:107810001066000B008040213C07080024E75B68ED
69028+:10782000000328C000A710218C440000246300013D
69029+:10783000108800053063000F5466FFFA000328C06B
69030+:1078400003E00008000010213C07080024E75B6CFF
69031+:1078500000A7302103E000088CC200003C03900028
69032+:1078600034620001008220253C038000AC640020CB
69033+:107870008C65002004A0FFFE0000000003E000086B
69034+:10788000000000003C0280003443000100832025FA
69035+:1078900003E00008AC44002027BDFFE0AFB10014B6
69036+:1078A0003091FFFFAFB00010AFBF001812200013DF
69037+:1078B00000A080218CA20000240400022406020003
69038+:1078C0001040000F004028210E0007250000000096
69039+:1078D00000001021AE000000022038218FBF0018E8
69040+:1078E0008FB100148FB0001000402021000028212B
69041+:1078F000000030210A00084527BD00208CA20000AE
69042+:10790000022038218FBF00188FB100148FB00010F3
69043+:107910000040202100002821000030210A000845F5
69044+:1079200027BD002000A010213087FFFF8CA5000498
69045+:107930008C4400000A000845240600068F83FD9C45
69046+:1079400027BDFFE8AFBF0014AFB00010906700087C
69047+:10795000008010210080282130E600400000202116
69048+:1079600010C000088C5000000E0000BD0200202155
69049+:10797000020020218FBF00148FB000100A000548BC
69050+:1079800027BD00180E0008A4000000000E0000BD76
69051+:1079900002002021020020218FBF00148FB00010B0
69052+:1079A0000A00054827BD001827BDFFE0AFB0001052
69053+:1079B0008F90FD9CAFBF001CAFB20018AFB1001498
69054+:1079C00092060001008088210E00087230D2000467
69055+:1079D00092040005001129C2A6050000348300406E
69056+:1079E000A20300050E00087C022020210E00054A9B
69057+:1079F0000220202124020001AE02000C02202821D6
69058+:107A0000A602001024040002A602001224060200AE
69059+:107A1000A60200140E000725A60200161640000F4D
69060+:107A20008FBF001C978C00743C0B08008D6B007896
69061+:107A30002588FFFF3109FFFF256A0001012A382B45
69062+:107A400010E00006A78800743C0F6006240E0016A4
69063+:107A500035ED0010ADAE00508FBF001C8FB2001886
69064+:107A60008FB100148FB0001003E0000827BD002084
69065+:107A700027BDFFE0AFB10014AFBF0018AFB00010DA
69066+:107A80001080000400A088212402008010820007DA
69067+:107A9000000000000000000D8FBF00188FB100141F
69068+:107AA0008FB0001003E0000827BD00200E00087210
69069+:107AB00000A020218F86FD9C0220202190C500057A
69070+:107AC0000E00087C30B000FF2403003E1603FFF1D7
69071+:107AD0003C0680008CC401780480FFFE34C801405D
69072+:107AE000240900073C071000AD11000002202021EE
69073+:107AF000A10900048FBF00188FB100148FB00010CF
69074+:107B0000ACC701780A0008C527BD002027BDFFE0EB
69075+:107B1000AFB00010AFBF0018AFB100143C10800030
69076+:107B20008E110020000000000E00054AAE04002067
69077+:107B3000AE1100208FBF00188FB100148FB000105D
69078+:107B400003E0000827BD00203084FFFF00803821BB
69079+:107B50002406003500A020210A0008450000282145
69080+:107B60003084FFFF008038212406003600A0202149
69081+:107B70000A0008450000282127BDFFD0AFB500242A
69082+:107B80003095FFFFAFB60028AFB40020AFBF002C88
69083+:107B9000AFB3001CAFB20018AFB10014AFB000100B
69084+:107BA00030B6FFFF12A000270000A0218F920058DE
69085+:107BB0008E4300003C0680002402004000033E0289
69086+:107BC00000032C0230E4007F006698241482001D1C
69087+:107BD00030A500FF8F8300682C68000A1100001098
69088+:107BE0008F8D0044000358803C0C0800258C57B84A
69089+:107BF000016C50218D4900000120000800000000A8
69090+:107C000002D4302130C5FFFF0E0008522404008446
69091+:107C1000166000028F920058AF8000688F8D00447C
69092+:107C20002659002026980001032090213314FFFFDD
69093+:107C300015A00004AF9900580295202B1480FFDC9A
69094+:107C400000000000028010218FBF002C8FB600289A
69095+:107C50008FB500248FB400208FB3001C8FB20018A2
69096+:107C60008FB100148FB0001003E0000827BD003072
69097+:107C70002407003414A70149000000009247000EB9
69098+:107C80008F9FFDA08F90FD9C24181600A3E700197C
69099+:107C90009242000D3C0880003C07800CA3E20018D3
69100+:107CA000964A00123C0D60003C117FFFA60A005C62
69101+:107CB000964400103623FFFF240200053099FFFF91
69102+:107CC000AE1900548E46001CAD1800288CEF000041
69103+:107CD0008DAE444801E6482601C93021AE06003881
69104+:107CE0008E05003824CB00013C0E7F00AE05003C21
69105+:107CF0008E0C003CAFEC0004AE0B00208E13002075
69106+:107D0000AE13001CA3E0001BAE03002CA3E2001284
69107+:107D10008E4A001424130050AE0A00348E0400343E
69108+:107D2000AFE400148E590018AE1900489258000CA8
69109+:107D3000A218004E920D000835AF0020A20F0008D7
69110+:107D40008E090018012E282434AC4000AE0C001817
69111+:107D5000920B0000317200FF1253027F2403FF8058
69112+:107D60003C04080024845BE80E0008AA0000000020
69113+:107D70003C1108008E315BE80E00087202202021C1
69114+:107D80002405000424080001A2050025022020216A
69115+:107D90000E00087CA20800053C0580008CB001782C
69116+:107DA0000600FFFE8F92005834AE0140240F0002FF
69117+:107DB0003C091000ADD10000A1CF0004ACA90178AE
69118+:107DC0000A000962AF8000682CAD003751A0FF9413
69119+:107DD0008F8D0044000580803C110800263157E05B
69120+:107DE000021178218DEE000001C0000800000000A3
69121+:107DF0002411000414B1008C3C0780003C080800EA
69122+:107E00008D085BE88F86FD9CACE800208E4500085D
69123+:107E10008F99FDA0240D0050ACC500308E4C000899
69124+:107E2000ACCC00508E4B000CACCB00348E43001019
69125+:107E3000ACC300388E4A0010ACCA00548E42001405
69126+:107E4000ACC2003C8E5F0018AF3F00048E50001C97
69127+:107E5000ACD0002090C40000309800FF130D024AFF
69128+:107E6000000000008CC400348CD00030009030231F
69129+:107E700004C000F12404008C126000EE2402000310
69130+:107E80000A000962AF8200682419000514B900666F
69131+:107E90003C0580003C0808008D085BE88F86FD9C4F
69132+:107EA000ACA800208E4C00048F8AFDA0240720007F
69133+:107EB000ACCC001C924B000824120008A14B001906
69134+:107EC0008F82005890430009A14300188F85005805
69135+:107ED00090BF000A33E400FF1092001028890009C7
69136+:107EE000152000BA240E0002240D0020108D000B76
69137+:107EF000340780002898002117000008240740005C
69138+:107F000024100040109000053C0700012419008057
69139+:107F1000109900023C070002240740008CC20018A0
69140+:107F20003C03FF00004350240147F825ACDF001854
69141+:107F300090B2000BA0D200278F8300589464000CED
69142+:107F4000108001FE000000009467000C3C1F8000C0
69143+:107F50002405FFBFA4C7005C9063000E2407000443
69144+:107F6000A0C300088F820058904A000FA0CA0009E1
69145+:107F70008F8900588D3200108FE400740244C823AA
69146+:107F8000ACD900588D300014ACD0002C95380018B6
69147+:107F9000330DFFFFACCD00409531001A322FFFFFAB
69148+:107FA000ACCF00448D2E001CACCE00489128000EB2
69149+:107FB000A0C8000890CC000801855824126001B6C2
69150+:107FC000A0CB00088F9200580A000962AF870068B2
69151+:107FD0002406000614A600143C0E80003C0F080086
69152+:107FE0008DEF5BE88F85FD98ADCF00208E4900189E
69153+:107FF0008F86FD9C8F8BFDA0ACA900008CC800383B
69154+:1080000024040005ACA800048CCC003C1260008164
69155+:10801000AD6C00000A000962AF84006824110007FB
69156+:1080200010B1004B240400063C05080024A55BE8C1
69157+:108030000E000881240400818F9200580013102B39
69158+:108040000A000962AF820068241F002314BFFFF6F4
69159+:108050003C0C80003C0508008CA55BE88F8BFDA0E4
69160+:10806000AD8500208F91FD9C8E4600042564002084
69161+:1080700026450014AE260028240600030E000F81BA
69162+:10808000257000308F87005802002021240600034D
69163+:108090000E000F8124E500083C04080024845BE8FE
69164+:1080A0000E0008AA0000000092230000240A0050DD
69165+:1080B000306200FF544AFFE18F9200580E000F6CAF
69166+:1080C000000000000A000A6A8F920058240800335A
69167+:1080D00014A800323C0380003C1108008E315BE89C
69168+:1080E0008F8FFDA0AC7100208E420008240D002867
69169+:1080F0008F89FD9CADE200308E4A000C24060009F9
69170+:10810000ADEA00348E5F0010ADFF00388E440014DD
69171+:10811000ADE400208E590018ADF900248E58001CE3
69172+:10812000ADF80028A1ED00118E4E00041260003160
69173+:10813000AD2E00288F9200580A000962AF860068B1
69174+:10814000240D002214ADFFB8000000002404000735
69175+:108150003C1008008E105BE83C188000AF10002037
69176+:108160005660FEAEAF8400683C04080024845BE8DF
69177+:108170000E0008AA241300508F84FD9C90920000EA
69178+:10818000325900FF1333014B000000008F9200585A
69179+:10819000000020210A000962AF8400683C05080045
69180+:1081A00024A55BE80E000858240400810A000A6A2E
69181+:1081B0008F92005802D498213265FFFF0E000852BA
69182+:1081C000240400840A0009628F920058108EFF5325
69183+:1081D000240704002887000310E00179241100041B
69184+:1081E000240F0001548FFF4D240740000A000A228B
69185+:1081F000240701003C05080024A55BE80E0008A444
69186+:10820000240400828F920058000030210A00096285
69187+:10821000AF8600683C04080024845BE88CC2003808
69188+:108220000E0008AA8CC3003C8F9200580A000AC0B6
69189+:1082300000002021240400823C05080024A55BE8FE
69190+:108240000E0008A4000000008F92005800001021CA
69191+:108250000A000962AF8200688E5000048F91FD9C75
69192+:108260003C078000ACF00020922C00050200282181
69193+:10827000318B0002156001562404008A8F92FDA004
69194+:108280002404008D9245001B30A6002014C001502C
69195+:1082900002002821922E00092408001231C900FF93
69196+:1082A0001128014B240400810E00087202002021D5
69197+:1082B0009258001B240F000402002021370D0042B9
69198+:1082C000A24D001B0E00087CA22F00253C0580005B
69199+:1082D0008CA401780480FFFE34B90140241F000201
69200+:1082E000AF300000A33F00048F9200583C101000F4
69201+:1082F000ACB001780A000A6B0013102B8E500004FA
69202+:108300008F91FD9C3C038000AC700020922A0005F8
69203+:108310000200282131420002144000172404008A80
69204+:10832000922C00092412000402002821318B00FF46
69205+:1083300011720011240400810E0008720200202135
69206+:108340008F89FDA0240800122405FFFE912F001B39
69207+:108350000200202135EE0020A12E001BA2280009DA
69208+:108360009226000500C538240E00087CA2270005CF
69209+:1083700002002821000020210E0009330000000027
69210+:108380000A000A6A8F9200588E4C00043C07800055
69211+:108390003C10080026105BE8ACEC00203C01080013
69212+:1083A000AC2C5BE8924B0003317100041220013BBE
69213+:1083B0008F84FD9C24020006A0820009924F001BBE
69214+:1083C000240EFFC031E9003F012E4025A08800089F
69215+:1083D0009245000330A6000114C0013200000000E5
69216+:1083E0008E420008AE0200083C0208008C425BF09E
69217+:1083F000104001318F90FDA0000219C28F8DFD9CAD
69218+:10840000A603000C8E4A000C24180001240400145A
69219+:10841000AE0A002C8E420010AE02001C965F0016C1
69220+:10842000A61F003C96590014A619003EADB8000CDA
69221+:10843000A5B80010A5B80012A5B80014A5B800167C
69222+:1084400012600144A2040011925100033232000272
69223+:108450002E5300018F920058266200080A0009621C
69224+:10846000AF8200688E4400043C1980003C068008FE
69225+:10847000AF2400208E45000890D80000240D005045
69226+:10848000331100FF122D009C2407008824060009E8
69227+:108490000E000845000000000A000A6A8F9200588A
69228+:1084A0008E5000043C0980003C118008AD30002053
69229+:1084B0009228000024050050310400FF10850110AF
69230+:1084C0002407008802002021000028210E00084512
69231+:1084D0002406000E922D00002418FF80020028219F
69232+:1084E00001B8802524040004240600300E0007256E
69233+:1084F000A23000000A000A6A8F9200588E500004D1
69234+:108500008F91FDA03C028000AC500020923F001BE8
69235+:1085100033F900101320006C240700810200202191
69236+:10852000000028212406001F0E000845000000005E
69237+:108530000A000A6A8F9200588E44001C0E00085DE3
69238+:1085400000000000104000E3004048218F880058E0
69239+:1085500024070089012020218D05001C240600012C
69240+:108560000E000845000000000A000A6A8F920058B9
69241+:10857000964900023C10080026105BE831280004F0
69242+:10858000110000973C0460008E4E001C3C0F8000E0
69243+:10859000ADEE00203C010800AC2E5BE896470002DF
69244+:1085A00030E40001148000E6000000008E42000468
69245+:1085B000AE0200083C1008008E105BF0120000ECC8
69246+:1085C0003C0F80008F92FD9C241000018E4E0018FD
69247+:1085D0008F8DFDA08F9FFD9801CF4825AE490018D3
69248+:1085E000A2400005AE50000C3C0808008D085BF06E
69249+:1085F0008F840058A6500010000839C2A6500012FF
69250+:10860000A6500014A6500016A5A7000C8C8C0008DC
69251+:108610008F8B00588F8A0058ADAC002C8D63000CF6
69252+:1086200024070002ADA3001C91460010A1A6001172
69253+:108630008F82005890450011A3E500088F990058DB
69254+:1086400093380012A258004E8F910058922F0013B9
69255+:10865000A1AF00128F920058964E0014A5AE003CB8
69256+:1086600096490016A5A9003E8E480018ADA8001432
69257+:108670005660FD6AAF8700683C05080024A55BE8EA
69258+:108680000E000881000020218F9200580000382140
69259+:108690000A000962AF8700683C05080024A55BE872
69260+:1086A0000E0008A4240400828F9200580A000A4D8C
69261+:1086B000000038210E000F6C000000008F9200585F
69262+:1086C0000A000AC0000020210E00087202002021CA
69263+:1086D0009223001B02002021346A00100E00087C47
69264+:1086E000A22A001B000038210200202100002821BE
69265+:1086F0000A000BA52406001F9242000C305F000107
69266+:1087000013E0000300000000964A000EA4CA002CEB
69267+:10871000924B000C316300025060000600003821CB
69268+:108720008E470014964C0012ACC7001CA4CC001A53
69269+:10873000000038210A000B7F240600093C050800D0
69270+:1087400024A55BE80E0008A42404008B8F92005837
69271+:108750000A000A4D0013382B3C0C08008D8C5BE896
69272+:1087600024DFFFFE25930100326B007F016790211B
69273+:1087700002638824AD110028AE4600E0AE4000E45C
69274+:108780000A0009B3AE5F001CACC000543C0D0800E9
69275+:108790008DAD5BE83C18800C37090100ACED00287A
69276+:1087A0008E510014AD3100E08E4F0014AD2F00E467
69277+:1087B0008E4E001025C7FFFE0A0009F4AD27001CED
69278+:1087C0005491FDD6240740000A000A222407100015
69279+:1087D0000E00092D000000000A000A6A8F9200585E
69280+:1087E0008C83442C3C12DEAD3651BEEF3C010800B8
69281+:1087F000AC205BE810710062000000003C196C6264
69282+:1088000037387970147800082404000297850074C2
69283+:108810009782006C2404009200A2F82B13E0001948
69284+:1088200002002821240400020E00069524050200FF
69285+:108830003C068000ACC200203C010800AC225BE892
69286+:108840001040000D8F8C0058240A002824040003D7
69287+:10885000918B0010316300FF546A00012404000171
69288+:108860000E0000810000000010400004240400837A
69289+:108870000A000BC28F920058240400833C050800B4
69290+:1088800024A55BE80E000881000000008F920058CC
69291+:108890000013382B0A000962AF8700680A000B49F1
69292+:1088A000240200128E4400080E00085D0000000043
69293+:1088B0000A000B55AE0200083C05080024A55BE841
69294+:1088C0000E000858240400878F9200580A000B728B
69295+:1088D0000013102B240400040E000695240500301C
69296+:1088E0001440002A004048218F8800582407008344
69297+:1088F000012020218D05001C0A000BB32406000175
69298+:108900008F8300788F8600701066FEEE000038219D
69299+:108910003C07080024E75B6C000320C00087282187
69300+:108920008CAE000011D0005D246F000131E3000F18
69301+:108930005466FFFA000320C00A000B8C00003821A7
69302+:108940008E4400040E00085D000000000A000BC801
69303+:10895000AE0200083C05080024A55BE80E0008A450
69304+:10896000240400828F9200580A000B72000010212C
69305+:108970003C05080024A55BE80A000C7C2404008761
69306+:108980008C83442C0A000C5B3C196C628F88005865
69307+:108990003C0780083C0C8000240B0050240A000196
69308+:1089A000AD820020A0EB0000A0EA000191030004CA
69309+:1089B000A0E3001891040005A0E400199106000648
69310+:1089C0003C04080024845B6CA0E6001A91020007B6
69311+:1089D0003C06080024C65B68A0E2001B9105000865
69312+:1089E000A0E5001C911F0009A0FF001D9119000ABD
69313+:1089F000A0F9001E9118000BA0F8001F9112000CA6
69314+:108A0000A0F200209111000DA0F100219110000EA4
69315+:108A1000A0F00022910F000FA0EF0023910E001094
69316+:108A2000A0EE0024910D0011A0ED0025950C00147E
69317+:108A3000A4EC0028950B00168F8A00708F920078A6
69318+:108A4000A4EB002A95030018000A10C02545000178
69319+:108A5000A4E3002C8D1F001C0044C0210046C82147
69320+:108A600030A5000FAF3F0000AF09000010B20006B4
69321+:108A7000AF850070000038218D05001C01202021E9
69322+:108A80000A000BB32406000124AD000131A7000F3A
69323+:108A9000AF8700780A000CF9000038213C06080076
69324+:108AA00024C65B680086902100003821ACA000003D
69325+:108AB0000A000B8CAE4000003C0482013C036000C5
69326+:108AC00034820E02AC603D68AF80009803E000087D
69327+:108AD000AC623D6C27BDFFE8AFB000103090FFFFE7
69328+:108AE000001018422C620041AFBF00141440000275
69329+:108AF00024040080240300403C010800AC300060E6
69330+:108B00003C010800AC2300640E000F7500602821B2
69331+:108B1000244802BF2409FF8001092824001039805D
69332+:108B2000001030408FBF00148FB0001000A720212C
69333+:108B300000861821AF8300803C010800AC25005856
69334+:108B40003C010800AC24005C03E0000827BD0018CD
69335+:108B5000308300FF30C6FFFF30E400FF3C08800098
69336+:108B60008D0201B80440FFFE000354000144382583
69337+:108B70003C09600000E920253C031000AD050180A0
69338+:108B8000AD060184AD04018803E00008AD0301B81F
69339+:108B90008F8500583C0A6012354800108CAC0004E8
69340+:108BA0003C0D600E35A60010318B00062D690001CA
69341+:108BB000AD0900C48CA70004ACC731808CA20008AA
69342+:108BC00094A40002ACC231848CA3001C0460000396
69343+:108BD000A784009003E00008000000008CAF00189C
69344+:108BE000ACCF31D08CAE001C03E00008ACCE31D449
69345+:108BF0008F8500588F87FF288F86FF308CAE00044A
69346+:108C00003C0F601235E80010ACEE00788CAD000827
69347+:108C1000ACED007C8CAC0010ACCC004C8CAB000CF0
69348+:108C2000ACCB004894CA00543C0208008C4200447B
69349+:108C300025490001A4C9005494C400543083FFFFA7
69350+:108C400010620017000000003C0208008C42004047
69351+:108C5000A4C200528CA30018ACE300308CA2001414
69352+:108C6000ACE2002C8CB90018ACF900388CB80014B8
69353+:108C700024050001ACF800348D0600BC50C5001975
69354+:108C80008D0200B48D0200B8A4E2004894E40048CC
69355+:108C9000A4E4004A94E800EA03E000083102FFFF80
69356+:108CA0003C0208008C420024A4C00054A4C200521C
69357+:108CB0008CA30018ACE300308CA20014ACE2002CB2
69358+:108CC0008CB90018ACF900388CB8001424050001E8
69359+:108CD000ACF800348D0600BC54C5FFEB8D0200B823
69360+:108CE0008D0200B4A4E2004894E40048A4E4004AE1
69361+:108CF00094E800EA03E000083102FFFF8F86005885
69362+:108D00003C0480008CC900088CC80008000929C0F8
69363+:108D1000000839C0AC87002090C30007306200040F
69364+:108D20001040003EAF85009490CB0007316A0008E8
69365+:108D30001140003D8F87FF2C8CCD000C8CCE001491
69366+:108D400001AE602B11800036000000008CC2000CC8
69367+:108D5000ACE200708CCB00188F85FF288F88FF3025
69368+:108D6000ACEB00748CCA00102402FFF8ACAA00D847
69369+:108D70008CC9000CAD0900608CC4001CACA400D0F0
69370+:108D800090E3007C0062C824A0F9007C90D8000722
69371+:108D9000330F000811E000040000000090ED007C9B
69372+:108DA00035AC0001A0EC007C90CF000731EE000153
69373+:108DB00011C000060000000090E3007C241800347D
69374+:108DC00034790002A0F9007CACB800DC90C2000746
69375+:108DD0003046000210C000040000000090E8007C53
69376+:108DE00035040004A0E4007C90ED007D3C0B600E97
69377+:108DF000356A001031AC003FA0EC007D8D4931D4C4
69378+:108E00003127000110E00002240E0001A0AE00098D
69379+:108E100094AF00EA03E0000831E2FFFF8F87FF2CE8
69380+:108E20000A000DAF8CC200140A000DB0ACE0007057
69381+:108E30008F8C005827BDFFD8AFB3001CAFB200180D
69382+:108E4000AFB00010AFBF0020AFB10014918F00157C
69383+:108E50003C13600E3673001031EB000FA38B009CA7
69384+:108E60008D8F00048D8B0008959F0012959900103E
69385+:108E70009584001A9598001E958E001C33EDFFFF17
69386+:108E8000332AFFFF3089FFFF3308FFFF31C7FFFFA1
69387+:108E90003C010800AC2D00243C010800AC29004432
69388+:108EA0003C010800AC2A0040AE683178AE67317CE6
69389+:108EB00091850015959100163C12601236520010F3
69390+:108EC00030A200FF3230FFFFAE623188AE5000B4F6
69391+:108ED00091830014959F0018240600010066C804C1
69392+:108EE00033F8FFFFAE5900B8AE5800BC918E0014A5
69393+:108EF000AF8F00843C08600631CD00FFAE4D00C04E
69394+:108F0000918A00159584000E3C07600A314900FFE4
69395+:108F1000AF8B00883084FFFFAE4900C835110010C8
69396+:108F20000E000D1034F004103C0208008C4200606A
69397+:108F30003C0308008C6300643C0608008CC60058A3
69398+:108F40003C0508008CA5005C8F8400808FBF00204A
69399+:108F5000AE23004CAE65319CAE030054AE4500DC40
69400+:108F6000AE6231A0AE6331A4AE663198AE22004845
69401+:108F70008FB3001CAE0200508FB10014AE4200E06F
69402+:108F8000AE4300E4AE4600D88FB000108FB2001898
69403+:108F90000A00057D27BD0028978500929783007CF5
69404+:108FA00027BDFFE8AFB0001000A3102BAFBF001427
69405+:108FB000240400058F900058104000552409000239
69406+:108FC0000E0006958F850080AF8200942404000374
69407+:108FD0001040004F240900023C0680000E00008172
69408+:108FE000ACC2002024070001240820001040004DDE
69409+:108FF00024040005978E00928F8AFF2C24090050CC
69410+:1090000025C50001A7850092A14900003C0D08007C
69411+:109010008DAD0064240380008F84FF28000D66005E
69412+:10902000AD4C0018A5400006954B000A8F85FF3017
69413+:109030002402FF8001633024A546000A915F000AE4
69414+:109040000000482103E2C825A159000AA0A0000899
69415+:10905000A140004CA08000D5961800029783009094
69416+:109060003C020004A49800EA960F00022418FFBFF7
69417+:1090700025EE2401A48E00BE8E0D0004ACAD00448C
69418+:109080008E0C0008ACAC0040A4A00050A4A000547A
69419+:109090008E0B000C240C0030AC8B00288E060010C8
69420+:1090A000AC860024A480003EA487004EA487005014
69421+:1090B000A483003CAD420074AC8800D8ACA800602A
69422+:1090C000A08700FC909F00D433F9007FA09900D4C2
69423+:1090D000909000D402187824A08F00D4914E007C88
69424+:1090E00035CD0001A14D007C938B009CAD480070F4
69425+:1090F000AC8C00DCA08B00D68F8800888F87008422
69426+:10910000AC8800C4AC8700C8A5400078A540007AB0
69427+:109110008FBF00148FB000100120102103E0000861
69428+:1091200027BD00188F8500940E0007258F860080CC
69429+:109130000A000E9F2409000227BDFFE0AFB0001017
69430+:109140008F900058AFB10014AFBF00188E09000413
69431+:109150000E00054A000921C08E0800048F84FF28F4
69432+:109160008F82FF30000839C03C068000ACC7002069
69433+:10917000948500EA904300131460001C30B1FFFF97
69434+:109180008F8CFF2C918B0008316A00401540000B3A
69435+:10919000000000008E0D0004022030218FBF001857
69436+:1091A0008FB100148FB00010240400220000382179
69437+:1091B000000D29C00A000D2F27BD00200E000098C9
69438+:1091C000000000008E0D0004022030218FBF001827
69439+:1091D0008FB100148FB00010240400220000382149
69440+:1091E000000D29C00A000D2F27BD00200E000090A1
69441+:1091F000000000008E0D0004022030218FBF0018F7
69442+:109200008FB100148FB00010240400220000382118
69443+:10921000000D29C00A000D2F27BD002027BDFFE04B
69444+:10922000AFB200183092FFFFAFB00010AFBF001C0C
69445+:10923000AFB100141240001E000080218F8600583C
69446+:109240008CC500002403000600053F02000514023F
69447+:1092500030E4000714830016304500FF2CA80006F8
69448+:1092600011000040000558803C0C0800258C58BCBB
69449+:10927000016C50218D490000012000080000000011
69450+:109280008F8E0098240D000111CD005024020002A1
69451+:10929000AF820098260900013130FFFF24C800206A
69452+:1092A0000212202B010030211480FFE5AF88005806
69453+:1092B000020010218FBF001C8FB200188FB1001464
69454+:1092C0008FB0001003E0000827BD00209387007EC8
69455+:1092D00054E00034000030210E000DE700000000D3
69456+:1092E0008F8600580A000EFF240200018F87009825
69457+:1092F0002405000210E50031240400130000282199
69458+:1093000000003021240700010E000D2F0000000096
69459+:109310000A000F008F8600588F83009824020002F5
69460+:109320001462FFF6240400120E000D9A00000000E3
69461+:109330008F85009400403021240400120E000D2F70
69462+:10934000000038210A000F008F8600588F83009894
69463+:109350002411000310710029241F0002107FFFCE8A
69464+:1093600026090001240400100000282100003021FB
69465+:109370000A000F1D240700018F91009824060002A7
69466+:109380001626FFF9240400100E000E410000000014
69467+:10939000144000238F9800588F8600580A000EFF53
69468+:1093A00024020003240400140E000D2F00002821C5
69469+:1093B0008F8600580A000EFF240200020E000EA93C
69470+:1093C000000000000A000F008F8600580E000D3FBD
69471+:1093D00000000000241900022404001400002821C9
69472+:1093E0000000302100003821AF9900980E000D2FA9
69473+:1093F000000000000A000F008F8600580E000D5775
69474+:10940000000000008F8500942419000200403021E4
69475+:1094100024040010000038210A000F56AF9900986C
69476+:109420000040382124040010970F0002000028217A
69477+:109430000E000D2F31E6FFFF8F8600580A000F0047
69478+:10944000AF9100988F84FF2C3C077FFF34E6FFFF2D
69479+:109450008C8500182402000100A61824AC83001893
69480+:1094600003E00008A08200053084FFFF30A5FFFF65
69481+:109470001080000700001821308200011040000217
69482+:1094800000042042006518211480FFFB00052840DD
69483+:1094900003E000080060102110C000070000000079
69484+:1094A0008CA2000024C6FFFF24A50004AC820000AB
69485+:1094B00014C0FFFB2484000403E000080000000047
69486+:1094C00010A0000824A3FFFFAC86000000000000ED
69487+:1094D000000000002402FFFF2463FFFF1462FFFA74
69488+:1094E0002484000403E0000800000000000411C010
69489+:1094F00003E000082442024027BDFFE8AFB000109F
69490+:1095000000808021AFBF00140E000F9600A0202124
69491+:1095100000504821240AFF808FBF00148FB0001034
69492+:10952000012A30243127007F3C08800A3C042100B6
69493+:1095300000E8102100C428253C03800027BD001846
69494+:10954000AC650024AF820038AC400000AC6500245C
69495+:1095500003E00008AC4000403C0D08008DAD005811
69496+:1095600000056180240AFF8001A45821016C482174
69497+:10957000012A30243127007F3C08800C3C04210064
69498+:1095800000E8102100C428253C038000AC650028B9
69499+:10959000AF82003403E00008AC40002430A5FFFF98
69500+:1095A0003C0680008CC201B80440FFFE3C086015F8
69501+:1095B00000A838253C031000ACC40180ACC0018475
69502+:1095C000ACC7018803E00008ACC301B83C0D08003B
69503+:1095D0008DAD005800056180240AFF8001A4582148
69504+:1095E000016C4021010A4824000931403107007F05
69505+:1095F00000C728253C04200000A418253C02800058
69506+:10960000AC43083003E00008AF80003427BDFFE81A
69507+:10961000AFB0001000808021AFBF00140E000F9685
69508+:1096200000A0202100504821240BFF80012B502452
69509+:10963000000A39403128007F3C0620008FBF00140B
69510+:109640008FB0001000E8282534C2000100A21825C0
69511+:109650003C04800027BD0018AC83083003E00008FC
69512+:10966000AF8000383C0580088CA700603C0680086D
69513+:109670000087102B144000112C8340008CA8006040
69514+:109680002D0340001060000F240340008CC90060CF
69515+:109690000089282B14A00002008018218CC30060D0
69516+:1096A00000035A42000B30803C0A0800254A59202A
69517+:1096B00000CA202103E000088C8200001460FFF340
69518+:1096C0002403400000035A42000B30803C0A08008B
69519+:1096D000254A592000CA202103E000088C8200009E
69520+:1096E0003C05800890A60008938400AB24C20001CA
69521+:1096F000304200FF3043007F1064000C0002382726
69522+:10970000A0A200083C0480008C85017804A0FFFE24
69523+:109710008F8A00A0240900023C081000AC8A014096
69524+:10972000A089014403E00008AC8801780A00101BFE
69525+:1097300030E2008027BDFFD8AFB200188F9200A49E
69526+:10974000AFBF0020AFB3001CAFB00010AFB100142A
69527+:109750008F9300348E5900283C1000803C0EFFEFA0
69528+:10976000AE7900008E580024A260000A35CDFFFFBC
69529+:10977000AE7800049251002C3C0BFF9F356AFFFF2E
69530+:10978000A271000C8E6F000C3C080040A271000B0F
69531+:1097900001F06025018D4824012A382400E8302595
69532+:1097A000AE66000C8E450004AE6000183C0400FF5D
69533+:1097B000AE6500148E43002C3482FFFFA6600008C3
69534+:1097C0000062F824AE7F00108E5900088F9000A030
69535+:1097D000964E0012AE7900208E51000C31D83FFF1A
69536+:1097E00000187980AE7100248E4D001401F06021C4
69537+:1097F00031CB0001AE6D00288E4A0018000C41C22A
69538+:10980000000B4B80AE6A002C8E46001C01093821EB
69539+:10981000A667001CAE660030964500028E4400200C
69540+:10982000A665001EAE64003492430033306200042B
69541+:1098300054400006924700003C0280083443010077
69542+:109840008C7F00D0AE7F0030924700008F860038BA
69543+:10985000A0C700309245003330A4000250800007BA
69544+:10986000925100018F880038240BFF80910A00304C
69545+:10987000014B4825A1090030925100018F9000381A
69546+:10988000240CFFBF2404FFDFA21100318F8D0038AC
69547+:109890003C1880083711008091AF003C31EE007F0A
69548+:1098A000A1AE003C8F890038912B003C016C502404
69549+:1098B000A12A003C8F9F00388E68001493E6003C7C
69550+:1098C0002D0700010007114000C4282400A218251C
69551+:1098D000A3E3003C8F87003896590012A4F90032A8
69552+:1098E0008E450004922E007C30B0000300107823D7
69553+:1098F00031ED000300AD102131CC000215800002D3
69554+:1099000024460034244600303C0280083443008062
69555+:10991000907F007C00BFC824333800041700000289
69556+:1099200024C2000400C010218F98003824190002BE
69557+:10993000ACE20034A3190000924F003F8F8E003834
69558+:109940003C0C8008358B0080A1CF00018F9100383E
69559+:10995000924D003F8E440004A62D0002956A005CE3
69560+:109960000E000FF43150FFFF00024B800209382532
69561+:109970003C08420000E82825AE2500048E4400384B
69562+:109980008F850038ACA400188E460034ACA6001CAD
69563+:10999000ACA0000CACA00010A4A00014A4A0001661
69564+:1099A000A4A00020A4A00022ACA000248E62001479
69565+:1099B00050400001240200018FBF00208FB3001C23
69566+:1099C0008FB200188FB100148FB00010ACA2000845
69567+:1099D0000A00101327BD002827BDFFC83C058008DA
69568+:1099E00034A40080AFBF0034AFBE0030AFB7002C4E
69569+:1099F000AFB60028AFB50024AFB40020AFB3001C51
69570+:109A0000AFB20018AFB10014AFB00010948300786B
69571+:109A10009482007A104300512405FFFF0080F0215A
69572+:109A20000A0011230080B821108B004D8FBF003435
69573+:109A30008F8600A03C1808008F18005C2411FF805E
69574+:109A40003C1680000306782101F18024AED0002C62
69575+:109A500096EE007A31EC007F3C0D800E31CB7FFF1B
69576+:109A6000018D5021000B4840012AA82196A4000036
69577+:109A70003C0808008D0800582405FF8030953FFF02
69578+:109A800001061821001539800067C8210325F82434
69579+:109A90003C02010003E290253338007F3C11800C2A
69580+:109AA000AED20028031190219250000D320F000415
69581+:109AB00011E0003702E0982196E3007A96E8007AF8
69582+:109AC00096E5007A2404800031077FFF24E300013B
69583+:109AD00030627FFF00A4F82403E2C825A6F9007ACB
69584+:109AE00096E6007A3C1408008E94006030D67FFF22
69585+:109AF00012D400C1000000008E5800188F8400A00E
69586+:109B000002A028212713FFFF0E000FCEAE53002C1A
69587+:109B100097D5007897D4007A12950010000028217C
69588+:109B20003C098008352401003C0A8008914800085F
69589+:109B3000908700D53114007F30E400FF0284302B81
69590+:109B400014C0FFB9268B0001938E00AB268C000158
69591+:109B5000008E682115ACFFB78F8600A08FBF003440
69592+:109B60008FBE00308FB7002C8FB600288FB5002431
69593+:109B70008FB400208FB3001C8FB200188FB1001477
69594+:109B80008FB0001000A0102103E0000827BD0038AE
69595+:109B900000C020210E000F99028028218E4B00105A
69596+:109BA0008E4C00308F84003824090002016C502351
69597+:109BB000AE4A0010A089000096E3005C8E4400309D
69598+:109BC0008F9100380E000FF43070FFFF00024380C9
69599+:109BD000020838253C02420000E22825AE25000498
69600+:109BE0008E5F00048F8A00388E590000240B000815
69601+:109BF000AD5F001CAD590018AD40000CAD40001029
69602+:109C00009246000A240400052408C00030D000FF5A
69603+:109C1000A550001496580008A55800169251000A45
69604+:109C20003C188008322F00FFA54F0020964E0008F8
69605+:109C300037110100A54E0022AD400024924D000BCB
69606+:109C400031AC00FFA54C0002A14B00018E49003051
69607+:109C50008F830038240BFFBFAC690008A06400307C
69608+:109C60008F9000382403FFDF9607003200E8282495
69609+:109C700000B51025A6020032921F003233F9003FD2
69610+:109C800037260040A20600328F8C0038AD800034A9
69611+:109C90008E2F00D0AD8F0038918E003C3C0F7FFF9F
69612+:109CA00031CD007FA18D003C8F84003835EEFFFF61
69613+:109CB000908A003C014B4824A089003C8F850038E5
69614+:109CC00090A8003C01033824A0A7003C8E42003439
69615+:109CD0008F9100383C038008AE2200408E59002C42
69616+:109CE0008E5F0030033F3023AE26004492300048A0
69617+:109CF0003218007FA23800488F8800388E4D00301F
69618+:109D00008D0C004801AE582401965024014B482583
69619+:109D1000AD0900489244000AA104004C964700088F
69620+:109D20008F850038A4A7004E8E5000308E4400303E
69621+:109D30000E0003818C65006092F9007C0002F940FE
69622+:109D4000004028210002110003E2302133360002D6
69623+:109D500012C00003020680210005B0800216802197
69624+:109D6000926D007C31B30004126000020005708027
69625+:109D7000020E80218E4B00308F8800382405800031
69626+:109D8000316A0003000A4823312400030204182129
69627+:109D9000AD03003496E4007A96F0007A96F1007AEA
69628+:109DA00032027FFF2447000130FF7FFF0225C824D5
69629+:109DB000033F3025A6E6007A96F8007A3C120800A8
69630+:109DC0008E520060330F7FFF11F200180000000078
69631+:109DD0008F8400A00E000FCE02A028218F8400A047
69632+:109DE0000E000FDE028028210E001013000000007C
69633+:109DF0000A00111F0000000096F1007A022480245E
69634+:109E0000A6F0007A92EF007A92EB007A31EE00FF32
69635+:109E1000000E69C2000D6027000C51C03169007F3F
69636+:109E2000012A20250A001119A2E4007A96E6007A98
69637+:109E300000C5C024A6F8007A92EF007A92F3007A67
69638+:109E400031F200FF001271C2000E6827000DB1C090
69639+:109E5000326C007F01962825A2E5007A0A0011D015
69640+:109E60008F8400A03C0380003084FFFF30A5FFFFFB
69641+:109E7000AC640018AC65001C03E000088C620014A0
69642+:109E800027BDFFA03C068008AFBF005CAFBE0058F6
69643+:109E9000AFB70054AFB60050AFB5004CAFB40048F8
69644+:109EA000AFB30044AFB20040AFB1003CAFB0003838
69645+:109EB00034C80100910500D590C700083084FFFF29
69646+:109EC00030A500FF30E2007F0045182AAFA4001043
69647+:109ED000A7A00018A7A0002610600055AFA000148E
69648+:109EE00090CA00083149007F00A9302324D3FFFF26
69649+:109EF0000013802B8FB400100014902B02128824C2
69650+:109F0000522000888FB300143C03800894790052DB
69651+:109F1000947E00508FB60010033EC0230018BC0092
69652+:109F2000001714030016FC0002C2A82A16A00002A3
69653+:109F3000001F2C030040282100133C0000072403CD
69654+:109F400000A4102A5440000100A020212885000907
69655+:109F500014A000020080A021241400083C0C8008FA
69656+:109F60008D860048001459808D88004C3C03800089
69657+:109F70003169FFFF3C0A0010012A202534710400DA
69658+:109F8000AC660038AF9100A4AC68003CAC64003013
69659+:109F900000000000000000000000000000000000C1
69660+:109FA00000000000000000000000000000000000B1
69661+:109FB0008C6E000031CD002011A0FFFD0014782A26
69662+:109FC00001F01024104000390000A8213C16800840
69663+:109FD00092D700083C1280008E44010032F6007FC8
69664+:109FE0000E000F9902C028218E3900108E44010006
69665+:109FF0000000902133373FFF0E000FB102E028210F
69666+:10A00000923800003302003F2C500008520000102C
69667+:10A0100000008821000210803C030800246358E4FB
69668+:10A020000043F8218FFE000003C00008000000007C
69669+:10A0300090CF0008938C00AB31EE007F00AE682318
69670+:10A04000018D58210A0012172573FFFF0000882197
69671+:10A050003C1E80008FC401000E000FCE02E02821BC
69672+:10A060008FC401000E000FDE02C028211220000F55
69673+:10A070000013802B8F8B00A426A400010004AC00E9
69674+:10A08000027298230015AC032578004002B4B02A70
69675+:10A090000013802B241700010300882102D0102414
69676+:10A0A000AF9800A41440FFC9AFB700143C07800864
69677+:10A0B00094E200508FAE00103C05800002A288217F
69678+:10A0C0003C060020A4F10050ACA6003094F40050EF
69679+:10A0D00094EF005201D51823306CFFFF11F4001EDD
69680+:10A0E000AFAC00108CEF004C001561808CF500487F
69681+:10A0F00001EC28210000202100AC582B02A4C02133
69682+:10A10000030BB021ACE5004CACF600488FB4001056
69683+:10A110000014902B021288241620FF7C3C03800838
69684+:10A120008FB300148FBF005C8FBE00583A620001ED
69685+:10A130008FB700548FB600508FB5004C8FB40048D5
69686+:10A140008FB300448FB200408FB1003C8FB0003815
69687+:10A1500003E0000827BD006094FE00548CF2004428
69688+:10A1600033C9FFFE0009C8C00259F821ACBF003C4A
69689+:10A170008CE800448CAD003C010D50231940003B9D
69690+:10A18000000000008CF7004026E20001ACA200387D
69691+:10A190003C05005034A700103C038000AC67003041
69692+:10A1A00000000000000000000000000000000000AF
69693+:10A1B000000000000000000000000000000000009F
69694+:10A1C0008C7800003316002012C0FFFD3C1180087F
69695+:10A1D000962200543C1580003C068008304E000159
69696+:10A1E000000E18C0007578218DEC04003C070800B3
69697+:10A1F0008CE700443C040020ACCC00488DF40404FF
69698+:10A20000240B0001ACD4004C10EB0260AEA4003073
69699+:10A21000963900523C0508008CA5004000B99021F9
69700+:10A22000A6320052963F005427ED0001A62D00549F
69701+:10A230009626005430C4FFFF5487FF2F8FB40010C0
69702+:10A2400030A5FFFF0E0011F4A62000543C070800C3
69703+:10A250008CE70024963E00520047B82303D74823DA
69704+:10A26000A62900520A0012198FB400108CE2004097
69705+:10A270000A0012BE00000000922400012407000121
69706+:10A280003085007F14A7001C97AD00268E2B00148C
69707+:10A29000240CC000316A3FFF01AC48243C06080092
69708+:10A2A0008CC60060012A402531043FFF0086882BC0
69709+:10A2B00012200011A7A800263C0508008CA5005814
69710+:10A2C0008F9100A0000439802402FF8000B1182182
69711+:10A2D0000067F82103E2F02433F8007F3C1280008D
69712+:10A2E0003C19800EAE5E002C0319702191D0000D38
69713+:10A2F000360F0004A1CF000D0E001028241200011B
69714+:10A30000241100013C1E80008FC401000E000FCEFE
69715+:10A3100002E028218FC401000E000FDE02C02821B8
69716+:10A320001620FF558F8B00A40A0012860013802B85
69717+:10A330008F8600A490C80001310400201080019194
69718+:10A34000241000013C048008348B0080916A007C5A
69719+:10A350008F9E0034AFA0002C314900011120000F66
69720+:10A36000AFB000288CCD00148C8E006001AE602B45
69721+:10A370001580000201A038218C8700603C188008FD
69722+:10A38000370300808C70007000F0782B15E000021D
69723+:10A3900000E020218C640070AFA4002C3C028008F7
69724+:10A3A000344500808CD200148CBF0070025FC82B33
69725+:10A3B00017200002024020218CA400708FA7002CDF
69726+:10A3C0000087182310600003AFA3003024050002AB
69727+:10A3D000AFA500288FA400280264882B162000BA9D
69728+:10A3E000000018218CD000388FCE000C3C0F00806C
69729+:10A3F000AFD000008CCD00343C0CFF9F01CF58251E
69730+:10A40000AFCD000490CA003F3586FFFF01662024CF
69731+:10A410003C0900203C08FFEFA3CA000B0089382547
69732+:10A420003511FFFF00F118243C0500088F8700A4B8
69733+:10A430000065C825AFD9000C8CE20014AFC000182D
69734+:10A440008FA60030AFC200148CF800188FB0002C1B
69735+:10A450003C1FFFFBAFD8001C8CEF000837F2FFFF5A
69736+:10A4600003326824AFCF00248CEC000C020670216C
69737+:10A47000AFCD000CA7C00038A7C0003AAFCE002C6B
69738+:10A48000AFCC0020AFC000288CEA00148FAB002CAA
69739+:10A49000014B48230126402311000011AFC80010D2
69740+:10A4A00090EB003D8FC900048FC80000000B5100E5
69741+:10A4B000012A28210000102100AA882B010218215E
69742+:10A4C0000071F821AFC50004AFDF000090F2003D3D
69743+:10A4D000A3D2000A8F9900A497380006A7D80008D5
69744+:10A4E0008F910038240800023C038008A228000055
69745+:10A4F0003465008094BF005C8FA4002C33F0FFFF14
69746+:10A500000E000FF48F9200380002CB808F8500A4DC
69747+:10A51000021978253C18420001F87025AE4E00045F
69748+:10A520008F8400388CAD0038AC8D00188CAC0034B2
69749+:10A53000AC8C001CAC80000CAC800010A48000141B
69750+:10A54000A4800016A4800020A4800022AC800024F7
69751+:10A5500090A6003F8FA7002CA486000250E0019235
69752+:10A56000240700018FA200305040000290A2003D5D
69753+:10A5700090A2003E244A0001A08A00018F84003886
69754+:10A580008FA9002CAC8900083C128008364D008051
69755+:10A5900091AC007C3186000214C000022407003414
69756+:10A5A000240700308F8500A43C198008373F0080C5
69757+:10A5B00090B0000093F9007C240E0004A0900030BD
69758+:10A5C0008F8F00A48FB8002C8F8D003891F200017E
69759+:10A5D0003304000301C46023A1B200318F8E003820
69760+:10A5E0008F8600A42402C00095CA003294C90012CC
69761+:10A5F0008FAB002C0142402431233FFF010388250B
69762+:10A60000A5D1003291D000323185000300EBF82152
69763+:10A610003218003F370F0040A1CF00328FA4002C2A
69764+:10A6200003E5382133280004108000028F850038AC
69765+:10A6300000E838213C0A8008ACA700343549010005
69766+:10A640008D2800D08FA3002C2419FFBFACA80038A0
69767+:10A6500090B1003C2C640001240FFFDF3227007F03
69768+:10A66000A0A7003C8F98003800049140931F003C45
69769+:10A6700003F98024A310003C8F8C0038918E003C9D
69770+:10A6800001CF682401B23025A186003C8F8900A447
69771+:10A690008F8800388D2B0020AD0B00408D220024C8
69772+:10A6A000AD0200448D2A0028AD0A00488D23002CFD
69773+:10A6B0000E001013AD03004C8FB1002824070002D8
69774+:10A6C000122700118FA300280003282B00058023E8
69775+:10A6D0000270982400608021006090210A00126FAF
69776+:10A6E0000010882B962900128F8400A00000902172
69777+:10A6F0003125FFFFA7A900180E000FC22411000189
69778+:10A700000A00131D3C1E80003C0B80003C12800898
69779+:10A710008D640100924900088F92FF340E000F995A
69780+:10A720003125007F8F9900388FA700288FA4003033
69781+:10A73000A3270000965F005C33F0FFFF0E000FF4CC
69782+:10A740008F91003800026B80020D80253C0842008A
69783+:10A750008F8D00A402085025AE2A00048DA5003874
69784+:10A760008F8A003800007821000F1100AD450018D5
69785+:10A770008DB800343C047FFF3488FFFFAD58001CC7
69786+:10A7800091A6003E8D4C001C8D4900180006190052
69787+:10A79000000677020183C821004E58250323882B29
69788+:10A7A000012B382100F1F821AD59001CAD5F0018D4
69789+:10A7B000AD40000CAD40001091B0003E8FA40030C1
69790+:10A7C00024090005A550001495A500042419C00013
69791+:10A7D00000884024A545001691B8003EA5580020E9
69792+:10A7E00095AF0004A54F0022AD40002491AE003F7C
69793+:10A7F000A54E000291A6003E91AC003D01861023BB
69794+:10A80000244B0001A14B00018F9100388FA3003031
69795+:10A810003C028008344B0100AE230008A22900301E
69796+:10A820008F8C00388F8700A4959F003294F000121F
69797+:10A830002407FFBF033FC02432053FFF03057825EF
69798+:10A84000A58F0032918E00322418FFDF31CD003FFA
69799+:10A8500035A60040A18600328F910038240DFFFFFD
69800+:10A86000240CFF80AE2000348D6A00D0AE2A003860
69801+:10A870009223003C3069007FA229003C8F90003871
69802+:10A880003C0380009219003C0327F824A21F003CDF
69803+:10A890008F8E003891C5003C00B87824A1CF003CD1
69804+:10A8A0008F8A00383C0E8008AD4D00408FA6002CEA
69805+:10A8B000AD46004491420048004C5825A14B004849
69806+:10A8C0008F9000388F9900A48E09004801238824B6
69807+:10A8D00002283825AE070048933F003EA21F004CD7
69808+:10A8E0008F9800A48F8F003897050004A5E5004ECF
69809+:10A8F0000E0003818DC500609246007C8FAC003055
69810+:10A9000000026940000291000040282130CB000283
69811+:10A9100001B21021156000AA018230213C0E80088E
69812+:10A9200035C20080904C007C31830004106000032D
69813+:10A930008FB900300005788000CF3021241F00043B
69814+:10A940008F910038332D000303ED8023320800037C
69815+:10A9500000C85021AE2A00343C188000A7C500383A
69816+:10A960003C0680088F04010090DE00080E000FDE18
69817+:10A9700033C5007F0E001013000000000A00140D04
69818+:10A980008FA300288F9800348CC90038241F00033F
69819+:10A99000A7000008AF0900008CC50034A300000A1E
69820+:10A9A0008F9900A4AF0500043C080080932D003F60
69821+:10A9B000A31F000C8F0A000C3C02FF9FA30D000B8D
69822+:10A9C0000148F0253451FFFF3C12FFEF8F9900A49E
69823+:10A9D00003D170243646FFFF01C61824AF03000CD4
69824+:10A9E0008F2C0014972900128F8400A0AF0C001048
69825+:10A9F0008F2F0014AF000018AF000020AF0F00141D
69826+:10AA0000AF0000248F270018312F3FFF000F59801F
69827+:10AA1000AF0700288F2500080164F821312D0001BF
69828+:10AA2000AF0500308F31000C8F920038001F51C2EB
69829+:10AA3000000D438001481021241E00023C068008BE
69830+:10AA4000A702001CA7000034AF11002CA25E00007A
69831+:10AA500034D20080964E005C8F9900383C0342004F
69832+:10AA600031CCFFFF01833825AF2700048F8B00A472
69833+:10AA7000240500012402C0008D640038240700343E
69834+:10AA8000AF2400188D690034AF29001CAF20000CE2
69835+:10AA9000AF200010A7200014A7200016A720002038
69836+:10AAA000A7200022AF200024A7300002A325000128
69837+:10AAB0008F8800388F9F00A4AD10000893ED000030
69838+:10AAC000A10D00308F8A00A48F98003891510001A9
69839+:10AAD000A31100318F8B0038957E003203C27024A1
69840+:10AAE00001CF6025A56C0032916300323064003FD5
69841+:10AAF000A16400329249007C3125000214A00002BA
69842+:10AB00008F840038240700303C198008AC8700345B
69843+:10AB1000373201008E5F00D0240AFFBF020090216F
69844+:10AB2000AC9F0038908D003C31A8007FA088003C8D
69845+:10AB30008F9E003893C2003C004A8824A3D1003C79
69846+:10AB40008F8300380010882B9066003C34CE0020A4
69847+:10AB5000A06E003C8F8400A48F9800388C8C00205D
69848+:10AB6000AF0C00408C8F0024AF0F00448C8700286E
69849+:10AB7000AF0700488C8B002CAF0B004C0E0010135D
69850+:10AB80003C1E80000A0012700000000094C80052B1
69851+:10AB90003C0A08008D4A002401488821A4D10052B3
69852+:10ABA0000A0012198FB40010A08700018F840038AA
69853+:10ABB000240B0001AC8B00080A0013BE3C12800875
69854+:10ABC000000520800A0014A200C4302127BDFFE048
69855+:10ABD0003C0D8008AFB20018AFB00010AFBF001C32
69856+:10ABE000AFB1001435B200808E4C001835A80100BA
69857+:10ABF000964B000695A70050910900FC000C5602E8
69858+:10AC0000016728233143007F312600FF240200031F
69859+:10AC1000AF8300A8AF8400A010C2001B30B0FFFFBC
69860+:10AC2000910600FC2412000530C200FF10520033D0
69861+:10AC300000000000160000098FBF001C8FB2001832
69862+:10AC40008FB100148FB00010240D0C003C0C80005C
69863+:10AC500027BD002003E00008AD8D00240E0011FB8D
69864+:10AC6000020020218FBF001C8FB200188FB100148A
69865+:10AC70008FB00010240D0C003C0C800027BD00207C
69866+:10AC800003E00008AD8D0024965800789651007AB4
69867+:10AC9000924E007D0238782631E8FFFF31C400C0B3
69868+:10ACA000148000092D11000116000037000000007B
69869+:10ACB0005620FFE28FBF001C0E0010D100000000E4
69870+:10ACC0000A00156A8FBF001C1620FFDA0000000082
69871+:10ACD0000E0010D1000000001440FFD88FBF001CF0
69872+:10ACE0001600002200000000925F007D33E2003F6A
69873+:10ACF000A242007D0A00156A8FBF001C950900EA78
69874+:10AD00008F86008000802821240400050E0007257E
69875+:10AD10003130FFFF978300923C0480002465FFFFE1
69876+:10AD2000A78500928C8A01B80540FFFE0000000054
69877+:10AD3000AC8001808FBF001CAC9001848FB20018E2
69878+:10AD40008FB100148FB000103C0760133C0B100053
69879+:10AD5000240D0C003C0C800027BD0020AC8701882E
69880+:10AD6000AC8B01B803E00008AD8D00240E0011FB90
69881+:10AD7000020020215040FFB18FBF001C925F007D78
69882+:10AD80000A00159733E2003F0E0011FB020020215C
69883+:10AD90001440FFAA8FBF001C122000070000000013
69884+:10ADA0009259007D3330003F36020040A242007DC0
69885+:10ADB0000A00156A8FBF001C0E0010D100000000B1
69886+:10ADC0005040FF9E8FBF001C9259007D3330003FE2
69887+:10ADD0000A0015C636020040000000000000001BFB
69888+:10ADE0000000000F0000000A00000008000000063C
69889+:10ADF0000000000500000005000000040000000441
69890+:10AE00000000000300000003000000030000000336
69891+:10AE10000000000300000002000000020000000229
69892+:10AE2000000000020000000200000002000000021A
69893+:10AE3000000000020000000200000002000000020A
69894+:10AE400000000002000000020000000200000002FA
69895+:10AE50000000000100000001000000018008010066
69896+:10AE6000800800808008000000000C000000308096
69897+:10AE7000080011D00800127C08001294080012A8E3
69898+:10AE8000080012BC080011D0080011D0080012F010
69899+:10AE90000800132C080013400800138808001A8CBF
69900+:10AEA00008001A8C08001AC408001AC408001AD82E
69901+:10AEB00008001AA808001D0008001CCC08001D5836
69902+:10AEC00008001D5808001DE008001D108008024001
69903+:10AED000080027340800256C0800275C080027F4C8
69904+:10AEE0000800293C0800298808002AAC080029B479
69905+:10AEF00008002A38080025DC08002EDC08002EA4F3
69906+:10AF000008002588080025880800258808002B20CF
69907+:10AF100008002B20080025880800258808002DD06F
69908+:10AF2000080025880800258808002588080025884D
69909+:10AF300008002E0C080025880800258808002588B0
69910+:10AF4000080025880800258808002588080025882D
69911+:10AF5000080025880800258808002588080025881D
69912+:10AF6000080025880800258808002588080029A8E9
69913+:10AF7000080025880800258808002E680800258814
69914+:10AF800008002588080025880800258808002588ED
69915+:10AF900008002588080025880800258808002588DD
69916+:10AFA00008002588080025880800258808002588CD
69917+:10AFB00008002588080025880800258808002588BD
69918+:10AFC00008002CF4080025880800258808002C6853
69919+:10AFD00008002BC408003CE408003CB808003C848E
69920+:10AFE00008003C5808003C3808003BEC8008010091
69921+:10AFF00080080080800800008008008008004C6401
69922+:10B0000008004C9C08004BE408004C6408004C64A9
69923+:10B01000080049B808004C64080050500A000C842D
69924+:10B0200000000000000000000000000D7278703683
69925+:10B030002E322E31620000000602010300000000E3
69926+:10B0400000000001000000000000000000000000FF
69927+:10B0500000000000000000000000000000000000F0
69928+:10B0600000000000000000000000000000000000E0
69929+:10B0700000000000000000000000000000000000D0
69930+:10B0800000000000000000000000000000000000C0
69931+:10B0900000000000000000000000000000000000B0
69932+:10B0A00000000000000000000000000000000000A0
69933+:10B0B0000000000000000000000000000000000090
69934+:10B0C0000000000000000000000000000000000080
69935+:10B0D0000000000000000000000000000000000070
69936+:10B0E0000000000000000000000000000000000060
69937+:10B0F0000000000000000000000000000000000050
69938+:10B10000000000000000000000000000000000003F
69939+:10B11000000000000000000000000000000000002F
69940+:10B12000000000000000000000000000000000001F
69941+:10B13000000000000000000000000000000000000F
69942+:10B1400000000000000000000000000000000000FF
69943+:10B1500000000000000000000000000000000000EF
69944+:10B1600000000000000000000000000000000000DF
69945+:10B1700000000000000000000000000000000000CF
69946+:10B1800000000000000000000000000000000000BF
69947+:10B1900000000000000000000000000000000000AF
69948+:10B1A000000000000000000000000000000000009F
69949+:10B1B000000000000000000000000000000000008F
69950+:10B1C000000000000000000000000000000000007F
69951+:10B1D000000000000000000000000000000000006F
69952+:10B1E000000000000000000000000000000000005F
69953+:10B1F000000000000000000000000000000000004F
69954+:10B20000000000000000000000000000000000003E
69955+:10B21000000000000000000000000000000000002E
69956+:10B22000000000000000000000000000000000001E
69957+:10B23000000000000000000000000000000000000E
69958+:10B2400000000000000000000000000000000000FE
69959+:10B2500000000000000000000000000000000000EE
69960+:10B2600000000000000000000000000000000000DE
69961+:10B2700000000000000000000000000000000000CE
69962+:10B2800000000000000000000000000000000000BE
69963+:10B2900000000000000000000000000000000000AE
69964+:10B2A000000000000000000000000000000000009E
69965+:10B2B000000000000000000000000000000000008E
69966+:10B2C000000000000000000000000000000000007E
69967+:10B2D000000000000000000000000000000000006E
69968+:10B2E000000000000000000000000000000000005E
69969+:10B2F000000000000000000000000000000000004E
69970+:10B30000000000000000000000000000000000003D
69971+:10B31000000000000000000000000000000000002D
69972+:10B32000000000000000000000000000000000001D
69973+:10B33000000000000000000000000000000000000D
69974+:10B3400000000000000000000000000000000000FD
69975+:10B3500000000000000000000000000000000000ED
69976+:10B3600000000000000000000000000000000000DD
69977+:10B3700000000000000000000000000000000000CD
69978+:10B3800000000000000000000000000000000000BD
69979+:10B3900000000000000000000000000000000000AD
69980+:10B3A000000000000000000000000000000000009D
69981+:10B3B000000000000000000000000000000000008D
69982+:10B3C000000000000000000000000000000000007D
69983+:10B3D000000000000000000000000000000000006D
69984+:10B3E000000000000000000000000000000000005D
69985+:10B3F000000000000000000000000000000000004D
69986+:10B40000000000000000000000000000000000003C
69987+:10B41000000000000000000000000000000000002C
69988+:10B42000000000000000000000000000000000001C
69989+:10B43000000000000000000000000000000000000C
69990+:10B4400000000000000000000000000000000000FC
69991+:10B4500000000000000000000000000000000000EC
69992+:10B4600000000000000000000000000000000000DC
69993+:10B4700000000000000000000000000000000000CC
69994+:10B4800000000000000000000000000000000000BC
69995+:10B4900000000000000000000000000000000000AC
69996+:10B4A000000000000000000000000000000000009C
69997+:10B4B000000000000000000000000000000000008C
69998+:10B4C000000000000000000000000000000000007C
69999+:10B4D000000000000000000000000000000000006C
70000+:10B4E000000000000000000000000000000000005C
70001+:10B4F000000000000000000000000000000000004C
70002+:10B50000000000000000000000000000000000003B
70003+:10B51000000000000000000000000000000000002B
70004+:10B52000000000000000000000000000000000001B
70005+:10B53000000000000000000000000000000000000B
70006+:10B5400000000000000000000000000000000000FB
70007+:10B5500000000000000000000000000000000000EB
70008+:10B5600000000000000000000000000000000000DB
70009+:10B5700000000000000000000000000000000000CB
70010+:10B5800000000000000000000000000000000000BB
70011+:10B5900000000000000000000000000000000000AB
70012+:10B5A000000000000000000000000000000000009B
70013+:10B5B000000000000000000000000000000000008B
70014+:10B5C000000000000000000000000000000000007B
70015+:10B5D000000000000000000000000000000000006B
70016+:10B5E000000000000000000000000000000000005B
70017+:10B5F000000000000000000000000000000000004B
70018+:10B60000000000000000000000000000000000003A
70019+:10B61000000000000000000000000000000000002A
70020+:10B62000000000000000000000000000000000001A
70021+:10B63000000000000000000000000000000000000A
70022+:10B6400000000000000000000000000000000000FA
70023+:10B6500000000000000000000000000000000000EA
70024+:10B6600000000000000000000000000000000000DA
70025+:10B6700000000000000000000000000000000000CA
70026+:10B6800000000000000000000000000000000000BA
70027+:10B6900000000000000000000000000000000000AA
70028+:10B6A000000000000000000000000000000000009A
70029+:10B6B000000000000000000000000000000000008A
70030+:10B6C000000000000000000000000000000000007A
70031+:10B6D000000000000000000000000000000000006A
70032+:10B6E000000000000000000000000000000000005A
70033+:10B6F000000000000000000000000000000000004A
70034+:10B700000000000000000000000000000000000039
70035+:10B710000000000000000000000000000000000029
70036+:10B720000000000000000000000000000000000019
70037+:10B730000000000000000000000000000000000009
70038+:10B7400000000000000000000000000000000000F9
70039+:10B7500000000000000000000000000000000000E9
70040+:10B7600000000000000000000000000000000000D9
70041+:10B7700000000000000000000000000000000000C9
70042+:10B7800000000000000000000000000000000000B9
70043+:10B7900000000000000000000000000000000000A9
70044+:10B7A0000000000000000000000000000000000099
70045+:10B7B0000000000000000000000000000000000089
70046+:10B7C0000000000000000000000000000000000079
70047+:10B7D0000000000000000000000000000000000069
70048+:10B7E0000000000000000000000000000000000059
70049+:10B7F0000000000000000000000000000000000049
70050+:10B800000000000000000000000000000000000038
70051+:10B810000000000000000000000000000000000028
70052+:10B820000000000000000000000000000000000018
70053+:10B830000000000000000000000000000000000008
70054+:10B8400000000000000000000000000000000000F8
70055+:10B8500000000000000000000000000000000000E8
70056+:10B8600000000000000000000000000000000000D8
70057+:10B8700000000000000000000000000000000000C8
70058+:10B8800000000000000000000000000000000000B8
70059+:10B8900000000000000000000000000000000000A8
70060+:10B8A0000000000000000000000000000000000098
70061+:10B8B0000000000000000000000000000000000088
70062+:10B8C0000000000000000000000000000000000078
70063+:10B8D0000000000000000000000000000000000068
70064+:10B8E0000000000000000000000000000000000058
70065+:10B8F0000000000000000000000000000000000048
70066+:10B900000000000000000000000000000000000037
70067+:10B910000000000000000000000000000000000027
70068+:10B920000000000000000000000000000000000017
70069+:10B930000000000000000000000000000000000007
70070+:10B9400000000000000000000000000000000000F7
70071+:10B9500000000000000000000000000000000000E7
70072+:10B9600000000000000000000000000000000000D7
70073+:10B9700000000000000000000000000000000000C7
70074+:10B9800000000000000000000000000000000000B7
70075+:10B9900000000000000000000000000000000000A7
70076+:10B9A0000000000000000000000000000000000097
70077+:10B9B0000000000000000000000000000000000087
70078+:10B9C0000000000000000000000000000000000077
70079+:10B9D0000000000000000000000000000000000067
70080+:10B9E0000000000000000000000000000000000057
70081+:10B9F0000000000000000000000000000000000047
70082+:10BA00000000000000000000000000000000000036
70083+:10BA10000000000000000000000000000000000026
70084+:10BA20000000000000000000000000000000000016
70085+:10BA30000000000000000000000000000000000006
70086+:10BA400000000000000000000000000000000000F6
70087+:10BA500000000000000000000000000000000000E6
70088+:10BA600000000000000000000000000000000000D6
70089+:10BA700000000000000000000000000000000000C6
70090+:10BA800000000000000000000000000000000000B6
70091+:10BA900000000000000000000000000000000000A6
70092+:10BAA0000000000000000000000000000000000096
70093+:10BAB0000000000000000000000000000000000086
70094+:10BAC0000000000000000000000000000000000076
70095+:10BAD0000000000000000000000000000000000066
70096+:10BAE0000000000000000000000000000000000056
70097+:10BAF0000000000000000000000000000000000046
70098+:10BB00000000000000000000000000000000000035
70099+:10BB10000000000000000000000000000000000025
70100+:10BB20000000000000000000000000000000000015
70101+:10BB30000000000000000000000000000000000005
70102+:10BB400000000000000000000000000000000000F5
70103+:10BB500000000000000000000000000000000000E5
70104+:10BB600000000000000000000000000000000000D5
70105+:10BB700000000000000000000000000000000000C5
70106+:10BB800000000000000000000000000000000000B5
70107+:10BB900000000000000000000000000000000000A5
70108+:10BBA0000000000000000000000000000000000095
70109+:10BBB0000000000000000000000000000000000085
70110+:10BBC0000000000000000000000000000000000075
70111+:10BBD0000000000000000000000000000000000065
70112+:10BBE0000000000000000000000000000000000055
70113+:10BBF0000000000000000000000000000000000045
70114+:10BC00000000000000000000000000000000000034
70115+:10BC10000000000000000000000000000000000024
70116+:10BC20000000000000000000000000000000000014
70117+:10BC30000000000000000000000000000000000004
70118+:10BC400000000000000000000000000000000000F4
70119+:10BC500000000000000000000000000000000000E4
70120+:10BC600000000000000000000000000000000000D4
70121+:10BC700000000000000000000000000000000000C4
70122+:10BC800000000000000000000000000000000000B4
70123+:10BC900000000000000000000000000000000000A4
70124+:10BCA0000000000000000000000000000000000094
70125+:10BCB0000000000000000000000000000000000084
70126+:10BCC0000000000000000000000000000000000074
70127+:10BCD0000000000000000000000000000000000064
70128+:10BCE0000000000000000000000000000000000054
70129+:10BCF0000000000000000000000000000000000044
70130+:10BD00000000000000000000000000000000000033
70131+:10BD10000000000000000000000000000000000023
70132+:10BD20000000000000000000000000000000000013
70133+:10BD30000000000000000000000000000000000003
70134+:10BD400000000000000000000000000000000000F3
70135+:10BD500000000000000000000000000000000000E3
70136+:10BD600000000000000000000000000000000000D3
70137+:10BD700000000000000000000000000000000000C3
70138+:10BD800000000000000000000000000000000000B3
70139+:10BD900000000000000000000000000000000000A3
70140+:10BDA0000000000000000000000000000000000093
70141+:10BDB0000000000000000000000000000000000083
70142+:10BDC0000000000000000000000000000000000073
70143+:10BDD0000000000000000000000000000000000063
70144+:10BDE0000000000000000000000000000000000053
70145+:10BDF0000000000000000000000000000000000043
70146+:10BE00000000000000000000000000000000000032
70147+:10BE10000000000000000000000000000000000022
70148+:10BE20000000000000000000000000000000000012
70149+:10BE30000000000000000000000000000000000002
70150+:10BE400000000000000000000000000000000000F2
70151+:10BE500000000000000000000000000000000000E2
70152+:10BE600000000000000000000000000000000000D2
70153+:10BE700000000000000000000000000000000000C2
70154+:10BE800000000000000000000000000000000000B2
70155+:10BE900000000000000000000000000000000000A2
70156+:10BEA0000000000000000000000000000000000092
70157+:10BEB0000000000000000000000000000000000082
70158+:10BEC0000000000000000000000000000000000072
70159+:10BED0000000000000000000000000000000000062
70160+:10BEE0000000000000000000000000000000000052
70161+:10BEF0000000000000000000000000000000000042
70162+:10BF00000000000000000000000000000000000031
70163+:10BF10000000000000000000000000000000000021
70164+:10BF20000000000000000000000000000000000011
70165+:10BF30000000000000000000000000000000000001
70166+:10BF400000000000000000000000000000000000F1
70167+:10BF500000000000000000000000000000000000E1
70168+:10BF600000000000000000000000000000000000D1
70169+:10BF700000000000000000000000000000000000C1
70170+:10BF800000000000000000000000000000000000B1
70171+:10BF900000000000000000000000000000000000A1
70172+:10BFA0000000000000000000000000000000000091
70173+:10BFB0000000000000000000000000000000000081
70174+:10BFC0000000000000000000000000000000000071
70175+:10BFD0000000000000000000000000000000000061
70176+:10BFE0000000000000000000000000000000000051
70177+:10BFF0000000000000000000000000000000000041
70178+:10C000000000000000000000000000000000000030
70179+:10C010000000000000000000000000000000000020
70180+:10C020000000000000000000000000000000000010
70181+:10C030000000000000000000000000000000000000
70182+:10C0400000000000000000000000000000000000F0
70183+:10C0500000000000000000000000000000000000E0
70184+:10C0600000000000000000000000000000000000D0
70185+:10C0700000000000000000000000000000000000C0
70186+:10C0800000000000000000000000000000000000B0
70187+:10C0900000000000000000000000000000000000A0
70188+:10C0A0000000000000000000000000000000000090
70189+:10C0B0000000000000000000000000000000000080
70190+:10C0C0000000000000000000000000000000000070
70191+:10C0D0000000000000000000000000000000000060
70192+:10C0E0000000000000000000000000000000000050
70193+:10C0F0000000000000000000000000000000000040
70194+:10C10000000000000000000000000000000000002F
70195+:10C11000000000000000000000000000000000001F
70196+:10C12000000000000000000000000000000000000F
70197+:10C1300000000000000000000000000000000000FF
70198+:10C1400000000000000000000000000000000000EF
70199+:10C1500000000000000000000000000000000000DF
70200+:10C1600000000000000000000000000000000000CF
70201+:10C1700000000000000000000000000000000000BF
70202+:10C1800000000000000000000000000000000000AF
70203+:10C19000000000000000000000000000000000009F
70204+:10C1A000000000000000000000000000000000008F
70205+:10C1B000000000000000000000000000000000007F
70206+:10C1C000000000000000000000000000000000006F
70207+:10C1D000000000000000000000000000000000005F
70208+:10C1E000000000000000000000000000000000004F
70209+:10C1F000000000000000000000000000000000003F
70210+:10C20000000000000000000000000000000000002E
70211+:10C21000000000000000000000000000000000001E
70212+:10C22000000000000000000000000000000000000E
70213+:10C2300000000000000000000000000000000000FE
70214+:10C2400000000000000000000000000000000000EE
70215+:10C2500000000000000000000000000000000000DE
70216+:10C2600000000000000000000000000000000000CE
70217+:10C2700000000000000000000000000000000000BE
70218+:10C2800000000000000000000000000000000000AE
70219+:10C29000000000000000000000000000000000009E
70220+:10C2A000000000000000000000000000000000008E
70221+:10C2B000000000000000000000000000000000007E
70222+:10C2C000000000000000000000000000000000006E
70223+:10C2D000000000000000000000000000000000005E
70224+:10C2E000000000000000000000000000000000004E
70225+:10C2F000000000000000000000000000000000003E
70226+:10C30000000000000000000000000000000000002D
70227+:10C31000000000000000000000000000000000001D
70228+:10C32000000000000000000000000000000000000D
70229+:10C3300000000000000000000000000000000000FD
70230+:10C3400000000000000000000000000000000000ED
70231+:10C3500000000000000000000000000000000000DD
70232+:10C3600000000000000000000000000000000000CD
70233+:10C3700000000000000000000000000000000000BD
70234+:10C3800000000000000000000000000000000000AD
70235+:10C39000000000000000000000000000000000009D
70236+:10C3A000000000000000000000000000000000008D
70237+:10C3B000000000000000000000000000000000007D
70238+:10C3C000000000000000000000000000000000006D
70239+:10C3D000000000000000000000000000000000005D
70240+:10C3E000000000000000000000000000000000004D
70241+:10C3F000000000000000000000000000000000003D
70242+:10C40000000000000000000000000000000000002C
70243+:10C41000000000000000000000000000000000001C
70244+:10C42000000000000000000000000000000000000C
70245+:10C4300000000000000000000000000000000000FC
70246+:10C4400000000000000000000000000000000000EC
70247+:10C4500000000000000000000000000000000000DC
70248+:10C4600000000000000000000000000000000000CC
70249+:10C4700000000000000000000000000000000000BC
70250+:10C4800000000000000000000000000000000000AC
70251+:10C49000000000000000000000000000000000009C
70252+:10C4A000000000000000000000000000000000008C
70253+:10C4B000000000000000000000000000000000007C
70254+:10C4C000000000000000000000000000000000006C
70255+:10C4D000000000000000000000000000000000005C
70256+:10C4E000000000000000000000000000000000004C
70257+:10C4F000000000000000000000000000000000003C
70258+:10C50000000000000000000000000000000000002B
70259+:10C51000000000000000000000000000000000001B
70260+:10C52000000000000000000000000000000000000B
70261+:10C5300000000000000000000000000000000000FB
70262+:10C5400000000000000000000000000000000000EB
70263+:10C5500000000000000000000000000000000000DB
70264+:10C5600000000000000000000000000000000000CB
70265+:10C5700000000000000000000000000000000000BB
70266+:10C5800000000000000000000000000000000000AB
70267+:10C59000000000000000000000000000000000009B
70268+:10C5A000000000000000000000000000000000008B
70269+:10C5B000000000000000000000000000000000007B
70270+:10C5C000000000000000000000000000000000006B
70271+:10C5D000000000000000000000000000000000005B
70272+:10C5E000000000000000000000000000000000004B
70273+:10C5F000000000000000000000000000000000003B
70274+:10C60000000000000000000000000000000000002A
70275+:10C61000000000000000000000000000000000001A
70276+:10C62000000000000000000000000000000000000A
70277+:10C6300000000000000000000000000000000000FA
70278+:10C6400000000000000000000000000000000000EA
70279+:10C6500000000000000000000000000000000000DA
70280+:10C6600000000000000000000000000000000000CA
70281+:10C6700000000000000000000000000000000000BA
70282+:10C6800000000000000000000000000000000000AA
70283+:10C69000000000000000000000000000000000009A
70284+:10C6A000000000000000000000000000000000008A
70285+:10C6B000000000000000000000000000000000007A
70286+:10C6C000000000000000000000000000000000006A
70287+:10C6D000000000000000000000000000000000005A
70288+:10C6E000000000000000000000000000000000004A
70289+:10C6F000000000000000000000000000000000003A
70290+:10C700000000000000000000000000000000000029
70291+:10C710000000000000000000000000000000000019
70292+:10C720000000000000000000000000000000000009
70293+:10C7300000000000000000000000000000000000F9
70294+:10C7400000000000000000000000000000000000E9
70295+:10C7500000000000000000000000000000000000D9
70296+:10C7600000000000000000000000000000000000C9
70297+:10C7700000000000000000000000000000000000B9
70298+:10C7800000000000000000000000000000000000A9
70299+:10C790000000000000000000000000000000000099
70300+:10C7A0000000000000000000000000000000000089
70301+:10C7B0000000000000000000000000000000000079
70302+:10C7C0000000000000000000000000000000000069
70303+:10C7D0000000000000000000000000000000000059
70304+:10C7E0000000000000000000000000000000000049
70305+:10C7F0000000000000000000000000000000000039
70306+:10C800000000000000000000000000000000000028
70307+:10C810000000000000000000000000000000000018
70308+:10C820000000000000000000000000000000000008
70309+:10C8300000000000000000000000000000000000F8
70310+:10C8400000000000000000000000000000000000E8
70311+:10C8500000000000000000000000000000000000D8
70312+:10C8600000000000000000000000000000000000C8
70313+:10C8700000000000000000000000000000000000B8
70314+:10C8800000000000000000000000000000000000A8
70315+:10C890000000000000000000000000000000000098
70316+:10C8A0000000000000000000000000000000000088
70317+:10C8B0000000000000000000000000000000000078
70318+:10C8C0000000000000000000000000000000000068
70319+:10C8D0000000000000000000000000000000000058
70320+:10C8E0000000000000000000000000000000000048
70321+:10C8F0000000000000000000000000000000000038
70322+:10C900000000000000000000000000000000000027
70323+:10C910000000000000000000000000000000000017
70324+:10C920000000000000000000000000000000000007
70325+:10C9300000000000000000000000000000000000F7
70326+:10C9400000000000000000000000000000000000E7
70327+:10C9500000000000000000000000000000000000D7
70328+:10C9600000000000000000000000000000000000C7
70329+:10C9700000000000000000000000000000000000B7
70330+:10C9800000000000000000000000000000000000A7
70331+:10C990000000000000000000000000000000000097
70332+:10C9A0000000000000000000000000000000000087
70333+:10C9B0000000000000000000000000000000000077
70334+:10C9C0000000000000000000000000000000000067
70335+:10C9D0000000000000000000000000000000000057
70336+:10C9E0000000000000000000000000000000000047
70337+:10C9F0000000000000000000000000000000000037
70338+:10CA00000000000000000000000000000000000026
70339+:10CA10000000000000000000000000000000000016
70340+:10CA20000000000000000000000000000000000006
70341+:10CA300000000000000000000000000000000000F6
70342+:10CA400000000000000000000000000000000000E6
70343+:10CA500000000000000000000000000000000000D6
70344+:10CA600000000000000000000000000000000000C6
70345+:10CA700000000000000000000000000000000000B6
70346+:10CA800000000000000000000000000000000000A6
70347+:10CA90000000000000000000000000000000000096
70348+:10CAA0000000000000000000000000000000000086
70349+:10CAB0000000000000000000000000000000000076
70350+:10CAC0000000000000000000000000000000000066
70351+:10CAD0000000000000000000000000000000000056
70352+:10CAE0000000000000000000000000000000000046
70353+:10CAF0000000000000000000000000000000000036
70354+:10CB00000000000000000000000000000000000025
70355+:10CB10000000000000000000000000000000000015
70356+:10CB20000000000000000000000000000000000005
70357+:10CB300000000000000000000000000000000000F5
70358+:10CB400000000000000000000000000000000000E5
70359+:10CB500000000000000000000000000000000000D5
70360+:10CB600000000000000000000000000000000000C5
70361+:10CB700000000000000000000000000000000000B5
70362+:10CB800000000000000000000000000000000000A5
70363+:10CB90000000000000000000000000000000000095
70364+:10CBA0000000000000000000000000000000000085
70365+:10CBB0000000000000000000000000000000000075
70366+:10CBC0000000000000000000000000000000000065
70367+:10CBD0000000000000000000000000000000000055
70368+:10CBE0000000000000000000000000000000000045
70369+:10CBF0000000000000000000000000000000000035
70370+:10CC00000000000000000000000000000000000024
70371+:10CC10000000000000000000000000000000000014
70372+:10CC20000000000000000000000000000000000004
70373+:10CC300000000000000000000000000000000000F4
70374+:10CC400000000000000000000000000000000000E4
70375+:10CC500000000000000000000000000000000000D4
70376+:10CC600000000000000000000000000000000000C4
70377+:10CC700000000000000000000000000000000000B4
70378+:10CC800000000000000000000000000000000000A4
70379+:10CC90000000000000000000000000000000000094
70380+:10CCA0000000000000000000000000000000000084
70381+:10CCB0000000000000000000000000000000000074
70382+:10CCC0000000000000000000000000000000000064
70383+:10CCD0000000000000000000000000000000000054
70384+:10CCE0000000000000000000000000000000000044
70385+:10CCF0000000000000000000000000000000000034
70386+:10CD00000000000000000000000000000000000023
70387+:10CD10000000000000000000000000000000000013
70388+:10CD20000000000000000000000000000000000003
70389+:10CD300000000000000000000000000000000000F3
70390+:10CD400000000000000000000000000000000000E3
70391+:10CD500000000000000000000000000000000000D3
70392+:10CD600000000000000000000000000000000000C3
70393+:10CD700000000000000000000000000000000000B3
70394+:10CD800000000000000000000000000000000000A3
70395+:10CD90000000000000000000000000000000000093
70396+:10CDA0000000000000000000000000000000000083
70397+:10CDB0000000000000000000000000000000000073
70398+:10CDC0000000000000000000000000000000000063
70399+:10CDD0000000000000000000000000000000000053
70400+:10CDE0000000000000000000000000000000000043
70401+:10CDF0000000000000000000000000000000000033
70402+:10CE00000000000000000000000000000000000022
70403+:10CE10000000000000000000000000000000000012
70404+:10CE20000000000000000000000000000000000002
70405+:10CE300000000000000000000000000000000000F2
70406+:10CE400000000000000000000000000000000000E2
70407+:10CE500000000000000000000000000000000000D2
70408+:10CE600000000000000000000000000000000000C2
70409+:10CE700000000000000000000000000000000000B2
70410+:10CE800000000000000000000000000000000000A2
70411+:10CE90000000000000000000000000000000000092
70412+:10CEA0000000000000000000000000000000000082
70413+:10CEB0000000000000000000000000000000000072
70414+:10CEC0000000000000000000000000000000000062
70415+:10CED0000000000000000000000000000000000052
70416+:10CEE0000000000000000000000000000000000042
70417+:10CEF0000000000000000000000000000000000032
70418+:10CF00000000000000000000000000000000000021
70419+:10CF10000000000000000000000000000000000011
70420+:10CF20000000000000000000000000000000000001
70421+:10CF300000000000000000000000000000000000F1
70422+:10CF400000000000000000000000000000000000E1
70423+:10CF500000000000000000000000000000000000D1
70424+:10CF600000000000000000000000000000000000C1
70425+:10CF700000000000000000000000000000000000B1
70426+:10CF800000000000000000000000000000000000A1
70427+:10CF90000000000000000000000000000000000091
70428+:10CFA0000000000000000000000000000000000081
70429+:10CFB0000000000000000000000000000000000071
70430+:10CFC0000000000000000000000000000000000061
70431+:10CFD0000000000000000000000000000000000051
70432+:10CFE0000000000000000000000000000000000041
70433+:10CFF0000000000000000000000000000000000031
70434+:10D000000000000000000000000000000000000020
70435+:10D010000000000000000000000000000000000010
70436+:10D020000000000000000000000000000000000000
70437+:10D0300000000000000000000000000000000000F0
70438+:10D0400000000000000000000000000000000000E0
70439+:10D0500000000000000000000000000000000000D0
70440+:10D0600000000000000000000000000000000000C0
70441+:10D0700000000000000000000000000000000000B0
70442+:10D0800000000000000000000000000000000000A0
70443+:10D090000000000000000000000000000000000090
70444+:10D0A0000000000000000000000000000000000080
70445+:10D0B0000000000000000000000000000000000070
70446+:10D0C0000000000000000000000000000000000060
70447+:10D0D0000000000000000000000000000000000050
70448+:10D0E0000000000000000000000000000000000040
70449+:10D0F0000000000000000000000000000000000030
70450+:10D10000000000000000000000000000000000001F
70451+:10D11000000000000000000000000000000000000F
70452+:10D1200000000000000000000000000000000000FF
70453+:10D1300000000000000000000000000000000000EF
70454+:10D1400000000000000000000000000000000000DF
70455+:10D1500000000000000000000000000000000000CF
70456+:10D1600000000000000000000000000000000000BF
70457+:10D1700000000000000000000000000000000000AF
70458+:10D18000000000000000000000000000000000009F
70459+:10D19000000000000000000000000000000000008F
70460+:10D1A000000000000000000000000000000000007F
70461+:10D1B000000000000000000000000000000000006F
70462+:10D1C000000000000000000000000000000000005F
70463+:10D1D000000000000000000000000000000000004F
70464+:10D1E000000000000000000000000000000000003F
70465+:10D1F000000000000000000000000000000000002F
70466+:10D20000000000000000000000000000000000001E
70467+:10D21000000000000000000000000000000000000E
70468+:10D2200000000000000000000000000000000000FE
70469+:10D2300000000000000000000000000000000000EE
70470+:10D2400000000000000000000000000000000000DE
70471+:10D2500000000000000000000000000000000000CE
70472+:10D2600000000000000000000000000000000000BE
70473+:10D2700000000000000000000000000000000000AE
70474+:10D28000000000000000000000000000000000009E
70475+:10D29000000000000000000000000000000000008E
70476+:10D2A000000000000000000000000000000000007E
70477+:10D2B000000000000000000000000000000000006E
70478+:10D2C000000000000000000000000000000000005E
70479+:10D2D000000000000000000000000000000000004E
70480+:10D2E000000000000000000000000000000000003E
70481+:10D2F000000000000000000000000000000000002E
70482+:10D30000000000000000000000000000000000001D
70483+:10D31000000000000000000000000000000000000D
70484+:10D3200000000000000000000000000000000000FD
70485+:10D3300000000000000000000000000000000000ED
70486+:10D3400000000000000000000000000000000000DD
70487+:10D3500000000000000000000000000000000000CD
70488+:10D3600000000000000000000000000000000000BD
70489+:10D3700000000000000000000000000000000000AD
70490+:10D38000000000000000000000000000000000009D
70491+:10D39000000000000000000000000000000000008D
70492+:10D3A000000000000000000000000000000000007D
70493+:10D3B000000000000000000000000000000000006D
70494+:10D3C000000000000000000000000000000000005D
70495+:10D3D000000000000000000000000000000000004D
70496+:10D3E000000000000000000000000000000000003D
70497+:10D3F000000000000000000000000000000000002D
70498+:10D40000000000000000000000000000000000001C
70499+:10D41000000000000000000000000000000000000C
70500+:10D4200000000000000000000000000000000000FC
70501+:10D4300000000000000000000000000000000000EC
70502+:10D4400000000000000000000000000000000000DC
70503+:10D4500000000000000000000000000000000000CC
70504+:10D4600000000000000000000000000000000000BC
70505+:10D4700000000000000000000000000000000000AC
70506+:10D48000000000000000000000000000000000009C
70507+:10D49000000000000000000000000000000000008C
70508+:10D4A000000000000000000000000000000000007C
70509+:10D4B000000000000000000000000000000000006C
70510+:10D4C000000000000000000000000000000000005C
70511+:10D4D000000000000000000000000000000000004C
70512+:10D4E000000000000000000000000000000000003C
70513+:10D4F000000000000000000000000000000000002C
70514+:10D50000000000000000000000000000000000001B
70515+:10D51000000000000000000000000000000000000B
70516+:10D5200000000000000000000000000000000000FB
70517+:10D5300000000000000000000000000000000000EB
70518+:10D5400000000000000000000000000000000000DB
70519+:10D5500000000000000000000000000000000000CB
70520+:10D5600000000000000000000000000000000000BB
70521+:10D5700000000000000000000000000000000000AB
70522+:10D58000000000000000000000000000000000009B
70523+:10D59000000000000000000000000000000000008B
70524+:10D5A000000000000000000000000000000000007B
70525+:10D5B000000000000000000000000000000000006B
70526+:10D5C000000000000000000000000000000000005B
70527+:10D5D000000000000000000000000000000000004B
70528+:10D5E000000000000000000000000000000000003B
70529+:10D5F000000000000000000000000000000000002B
70530+:10D60000000000000000000000000000000000001A
70531+:10D61000000000000000000000000000000000000A
70532+:10D6200000000000000000000000000000000000FA
70533+:10D6300000000000000000000000000000000000EA
70534+:10D6400000000000000000000000000000000000DA
70535+:10D6500000000000000000000000000000000000CA
70536+:10D6600000000000000000000000000000000000BA
70537+:10D6700000000000000000000000000000000000AA
70538+:10D68000000000000000000000000000000000009A
70539+:10D69000000000000000000000000000000000008A
70540+:10D6A000000000000000000000000000000000007A
70541+:10D6B000000000000000000000000000000000006A
70542+:10D6C000000000000000000000000000000000005A
70543+:10D6D000000000000000000000000000000000004A
70544+:10D6E000000000000000000000000000000000003A
70545+:10D6F000000000000000000000000000000000002A
70546+:10D700000000000000000000000000000000000019
70547+:10D710000000000000000000000000000000000009
70548+:10D7200000000000000000000000000000000000F9
70549+:10D7300000000000000000000000000000000000E9
70550+:10D7400000000000000000000000000000000000D9
70551+:10D7500000000000000000000000000000000000C9
70552+:10D7600000000000000000000000000000000000B9
70553+:10D7700000000000000000000000000000000000A9
70554+:10D780000000000000000000000000000000000099
70555+:10D790000000000000000000000000000000000089
70556+:10D7A0000000000000000000000000000000000079
70557+:10D7B0000000000000000000000000000000000069
70558+:10D7C0000000000000000000000000000000000059
70559+:10D7D0000000000000000000000000000000000049
70560+:10D7E0000000000000000000000000000000000039
70561+:10D7F0000000000000000000000000000000000029
70562+:10D800000000000000000000000000000000000018
70563+:10D810000000000000000000000000000000000008
70564+:10D8200000000000000000000000000000000000F8
70565+:10D8300000000000000000000000000000000000E8
70566+:10D8400000000000000000000000000000000000D8
70567+:10D8500000000000000000000000000000000000C8
70568+:10D8600000000000000000000000000000000000B8
70569+:10D8700000000000000000000000000000000000A8
70570+:10D880000000000000000000000000000000000098
70571+:10D890000000000000000000000000000000000088
70572+:10D8A0000000000000000000000000000000000078
70573+:10D8B0000000000000000000000000000000000068
70574+:10D8C0000000000000000000000000000000000058
70575+:10D8D0000000000000000000000000000000000048
70576+:10D8E0000000000000000000000000000000000038
70577+:10D8F0000000000000000000000000000000000028
70578+:10D900000000000000000000000000000000000017
70579+:10D910000000000000000000000000000000000007
70580+:10D9200000000000000000000000000000000000F7
70581+:10D9300000000000000000000000000000000000E7
70582+:10D9400000000000000000000000000000000000D7
70583+:10D9500000000000000000000000000000000000C7
70584+:10D9600000000000000000000000000000000000B7
70585+:10D9700000000000000000000000000000000000A7
70586+:10D980000000000000000000000000000000000097
70587+:10D990000000000000000000000000000000000087
70588+:10D9A0000000000000000000000000000000000077
70589+:10D9B0000000000000000000000000000000000067
70590+:10D9C0000000000000000000000000000000000057
70591+:10D9D0000000000000000000000000000000000047
70592+:10D9E0000000000000000000000000000000000037
70593+:10D9F0000000000000000000000000000000000027
70594+:10DA00000000000000000000000000000000000016
70595+:10DA10000000000000000000000000000000000006
70596+:10DA200000000000000000000000000000000000F6
70597+:10DA300000000000000000000000000000000000E6
70598+:10DA400000000000000000000000000000000000D6
70599+:10DA500000000000000000000000000000000000C6
70600+:10DA600000000000000000000000000000000000B6
70601+:10DA700000000000000000000000000000000000A6
70602+:10DA80000000000000000000000000000000000096
70603+:10DA90000000000000000000000000000000000086
70604+:10DAA0000000000000000000000000000000000076
70605+:10DAB0000000000000000000000000000000000066
70606+:10DAC0000000000000000000000000000000000056
70607+:10DAD0000000000000000000000000000000000046
70608+:10DAE0000000000000000000000000000000000036
70609+:10DAF0000000000000000000000000000000000026
70610+:10DB00000000000000000000000000000000000015
70611+:10DB10000000000000000000000000000000000005
70612+:10DB200000000000000000000000000000000000F5
70613+:10DB300000000000000000000000000000000000E5
70614+:10DB400000000000000000000000000000000000D5
70615+:10DB500000000000000000000000000000000000C5
70616+:10DB600000000000000000000000000000000000B5
70617+:10DB700000000000000000000000000000000000A5
70618+:10DB80000000000000000000000000000000000095
70619+:10DB90000000000000000000000000000000000085
70620+:10DBA0000000000000000000000000000000000075
70621+:10DBB0000000000000000000000000000000000065
70622+:10DBC0000000000000000000000000000000000055
70623+:10DBD0000000000000000000000000000000000045
70624+:10DBE0000000000000000000000000000000000035
70625+:10DBF0000000000000000000000000000000000025
70626+:10DC00000000000000000000000000000000000014
70627+:10DC10000000000000000000000000000000000004
70628+:10DC200000000000000000000000000000000000F4
70629+:10DC300000000000000000000000000000000000E4
70630+:10DC400000000000000000000000000000000000D4
70631+:10DC500000000000000000000000000000000000C4
70632+:10DC600000000000000000000000000000000000B4
70633+:10DC700000000000000000000000000000000000A4
70634+:10DC80000000000000000000000000000000000094
70635+:10DC90000000000000000000000000000000000084
70636+:10DCA0000000000000000000000000000000000074
70637+:10DCB0000000000000000000000000000000000064
70638+:10DCC0000000000000000000000000000000000054
70639+:10DCD0000000000000000000000000000000000044
70640+:10DCE0000000000000000000000000000000000034
70641+:10DCF0000000000000000000000000000000000024
70642+:10DD00000000000000000000000000000000000013
70643+:10DD10000000000000000000000000000000000003
70644+:10DD200000000000000000000000000000000000F3
70645+:10DD300000000000000000000000000000000000E3
70646+:10DD400000000000000000000000000000000000D3
70647+:10DD500000000000000000000000000000000000C3
70648+:10DD600000000000000000000000000000000000B3
70649+:10DD700000000000000000000000000000000000A3
70650+:10DD80000000000000000000000000000000000093
70651+:10DD90000000000000000000000000000000000083
70652+:10DDA0000000000000000000000000000000000073
70653+:10DDB0000000000000000000000000000000000063
70654+:10DDC0000000000000000000000000000000000053
70655+:10DDD0000000000000000000000000000000000043
70656+:10DDE0000000000000000000000000000000000033
70657+:10DDF0000000000000000000000000000000000023
70658+:10DE00000000000000000000000000000000000012
70659+:10DE10000000000000000000000000000000000002
70660+:10DE200000000000000000000000000000000000F2
70661+:10DE300000000000000000000000000000000000E2
70662+:10DE400000000000000000000000000000000000D2
70663+:10DE500000000000000000000000000000000000C2
70664+:10DE600000000000000000000000000000000000B2
70665+:10DE700000000000000000000000000000000000A2
70666+:10DE80000000000000000000000000000000000092
70667+:10DE90000000000000000000000000000000000082
70668+:10DEA0000000000000000000000000000000000072
70669+:10DEB0000000000000000000000000000000000062
70670+:10DEC0000000000000000000000000000000000052
70671+:10DED0000000000000000000000000000000000042
70672+:10DEE0000000000000000000000000000000000032
70673+:10DEF0000000000000000000000000000000000022
70674+:10DF00000000000000000000000000000000000011
70675+:10DF10000000000000000000000000000000000001
70676+:10DF200000000000000000000000000000000000F1
70677+:10DF300000000000000000000000000000000000E1
70678+:10DF400000000000000000000000000000000000D1
70679+:10DF500000000000000000000000000000000000C1
70680+:10DF600000000000000000000000000000000000B1
70681+:10DF700000000000000000000000000000000000A1
70682+:10DF80000000000000000000000000000000000091
70683+:10DF90000000000000000000000000000000000081
70684+:10DFA0000000000000000000000000000000000071
70685+:10DFB0000000000000000000000000000000000061
70686+:10DFC0000000000000000000000000000000000051
70687+:10DFD0000000000000000000000000000000000041
70688+:10DFE0000000000000000000000000000000000031
70689+:10DFF0000000000000000000000000000000000021
70690+:10E000000000000000000000000000000000000010
70691+:10E010000000000000000000000000000000000000
70692+:10E0200000000000000000000000000000000000F0
70693+:10E0300000000000000000000000000000000000E0
70694+:10E0400000000000000000000000000000000000D0
70695+:10E0500000000000000000000000000000000000C0
70696+:10E0600000000000000000000000000000000000B0
70697+:10E0700000000000000000000000000000000000A0
70698+:10E080000000000000000000000000000000000090
70699+:10E090000000000000000000000000000000000080
70700+:10E0A0000000000000000000000000000000000070
70701+:10E0B0000000000000000000000000000000000060
70702+:10E0C0000000000000000000000000000000000050
70703+:10E0D0000000000000000000000000000000000040
70704+:10E0E0000000000000000000000000000000000030
70705+:10E0F0000000000000000000000000000000000020
70706+:10E10000000000000000000000000000000000000F
70707+:10E1100000000000000000000000000000000000FF
70708+:10E1200000000000000000000000000000000000EF
70709+:10E1300000000000000000000000000000000000DF
70710+:10E1400000000000000000000000000000000000CF
70711+:10E1500000000000000000000000000000000000BF
70712+:10E1600000000000000000000000000000000000AF
70713+:10E17000000000000000000000000000000000009F
70714+:10E18000000000000000000000000000000000008F
70715+:10E19000000000000000000000000000000000007F
70716+:10E1A000000000000000000000000000000000006F
70717+:10E1B000000000000000000000000000000000005F
70718+:10E1C000000000000000000000000000000000004F
70719+:10E1D000000000000000000000000000000000003F
70720+:10E1E000000000000000000000000000000000002F
70721+:10E1F000000000000000000000000000000000809F
70722+:10E20000000000000000000000000000000000000E
70723+:10E2100000000000000000000000000000000000FE
70724+:10E220000000000A000000000000000000000000E4
70725+:10E2300010000003000000000000000D0000000DB1
70726+:10E240003C020801244295C03C030801246397FC6A
70727+:10E25000AC4000000043202B1480FFFD244200044A
70728+:10E260003C1D080037BD9FFC03A0F0213C100800B6
70729+:10E27000261032103C1C0801279C95C00E0012BECF
70730+:10E28000000000000000000D3C02800030A5FFFFF0
70731+:10E2900030C600FF344301803C0880008D0901B87E
70732+:10E2A0000520FFFE00000000AC6400002404000212
70733+:10E2B000A4650008A066000AA064000BAC67001803
70734+:10E2C0003C03100003E00008AD0301B83C0560000A
70735+:10E2D0008CA24FF80440FFFE00000000ACA44FC029
70736+:10E2E0003C0310003C040200ACA44FC403E000084F
70737+:10E2F000ACA34FF89486000C00A050212488001491
70738+:10E3000000062B0200051080004448210109182B4B
70739+:10E310001060001100000000910300002C6400094F
70740+:10E320005080000991190001000360803C0D080134
70741+:10E3300025AD9258018D58218D67000000E000083E
70742+:10E340000000000091190001011940210109302B42
70743+:10E3500054C0FFF29103000003E000080000102108
70744+:10E360000A000CCC25080001910F0001240E000AC0
70745+:10E3700015EE00400128C8232F38000A1700003D81
70746+:10E38000250D00028D580000250F0006370E0100F4
70747+:10E39000AD4E0000910C000291AB000191A400026F
70748+:10E3A00091A60003000C2E00000B3C0000A71025D6
70749+:10E3B00000041A000043C8250326C025AD580004F8
70750+:10E3C000910E000691ED000191E7000291E5000336
70751+:10E3D000000E5E00000D6400016C30250007220075
70752+:10E3E00000C41025004518252508000A0A000CCC99
70753+:10E3F000AD430008910F000125040002240800022B
70754+:10E4000055E80001012020210A000CCC00804021A9
70755+:10E41000910C0001240B0003158B00160000000076
70756+:10E420008D580000910E000225080003370D0008EA
70757+:10E43000A14E00100A000CCCAD4D00009119000156
70758+:10E44000240F0004172F000B0000000091070002AA
70759+:10E45000910400038D43000000072A0000A410254A
70760+:10E460003466000425080004AD42000C0A000CCC00
70761+:10E47000AD46000003E000082402000127BDFFE8CC
70762+:10E48000AFBF0014AFB000100E00164E0080802108
70763+:10E490003C0480083485008090A600052403FFFE1C
70764+:10E4A0000200202100C310248FBF00148FB0001081
70765+:10E4B000A0A200050A00165827BD001827BDFFE8D6
70766+:10E4C000AFB00010AFBF00140E000FD40080802149
70767+:10E4D0003C06800834C5008090A40000240200504F
70768+:10E4E000308300FF106200073C09800002002021F9
70769+:10E4F0008FBF00148FB00010AD2001800A00108F74
70770+:10E5000027BD0018240801003C07800002002021DC
70771+:10E510008FBF00148FB00010ACE801800A00108F8C
70772+:10E5200027BD001827BDFF783C058008AFBE0080DE
70773+:10E53000AFB7007CAFB3006CAFB10064AFBF008475
70774+:10E54000AFB60078AFB50074AFB40070AFB200687A
70775+:10E55000AFB0006034A600803C0580008CB201287A
70776+:10E5600090C400098CA701043C020001309100FF17
70777+:10E5700000E218240000B8210000F021106000071C
70778+:10E58000000098213C0908008D2931F02413000176
70779+:10E59000252800013C010800AC2831F0ACA0008423
70780+:10E5A00090CC0005000C5827316A0001154000721C
70781+:10E5B000AFA0005090CD00002406002031A400FF41
70782+:10E5C00010860018240E0050108E009300000000EA
70783+:10E5D0003C1008008E1000DC260F00013C010800F2
70784+:10E5E000AC2F00DC0E0016C7000000000040182110
70785+:10E5F0008FBF00848FBE00808FB7007C8FB60078FD
70786+:10E600008FB500748FB400708FB3006C8FB2006848
70787+:10E610008FB100648FB000600060102103E000083B
70788+:10E6200027BD00880000000D3C1F8000AFA0003017
70789+:10E6300097E501168FE201043C04002030B9FFFF8A
70790+:10E64000004438240007182B00033140AFA60030E7
70791+:10E650008FF5010437F80C003C1600400338802188
70792+:10E6600002B6A02434C40040128000479215000D69
70793+:10E6700032A800201500000234860080008030217E
70794+:10E6800014C0009FAFA600303C0D800835A6008066
70795+:10E6900090CC0008318B0040516000063C06800899
70796+:10E6A000240E0004122E00A8240F0012122F003294
70797+:10E6B0003C06800834C401003C0280009447011AE3
70798+:10E6C0009619000E909F00088E18000830E3FFFF97
70799+:10E6D00003F9B00432B40004AFB6005CAFA3005835
70800+:10E6E0008E1600041280002EAFB8005434C3008090
70801+:10E6F000906800083105004014A0002500000000CB
70802+:10E700008C70005002D090230640000500000000ED
70803+:10E710008C71003402D1A82306A201678EE20008A2
70804+:10E72000126000063C1280003C1508008EB531F4E2
70805+:10E7300026B600013C010800AC3631F4AE4000447E
70806+:10E74000240300018FBF00848FBE00808FB7007C40
70807+:10E750008FB600788FB500748FB400708FB3006CE3
70808+:10E760008FB200688FB100648FB00060006010212C
70809+:10E7700003E0000827BD00880E000D2800002021BE
70810+:10E780000A000D75004018210A000D9500C02021D7
70811+:10E790000E00171702C020211440FFE10000000006
70812+:10E7A0003C0B8008356400808C8A003402CA482300
70813+:10E7B0000520001D000000003C1E08008FDE310017
70814+:10E7C00027D700013C010800AC3731001260000679
70815+:10E7D000024020213C1408008E9431F42690000160
70816+:10E7E0003C010800AC3031F40E00164E3C1E80088F
70817+:10E7F00037CD008091B700250240202136EE00047D
70818+:10E800000E001658A1AE00250E000CAC02402021CF
70819+:10E810000A000DCA240300013C17080126F796C020
70820+:10E820000A000D843C1F80008C86003002C66023E5
70821+:10E830001980000C2419000C908F004F3C14080024
70822+:10E840008E94310032B500FC35ED0001268E0001BA
70823+:10E850003C010800AC2E3100A08D004FAFA0005845
70824+:10E860002419000CAFB900308C9800300316A02397
70825+:10E870001A80010B8FA300580074F82A17E0FFD309
70826+:10E88000000000001074002A8FA5005802D4B021A7
70827+:10E8900000B410233044FFFFAFA4005832A8000298
70828+:10E8A0001100002E32AB00103C15800836B00080FD
70829+:10E8B0009216000832D30040526000FB8EE200083E
70830+:10E8C0000E00164E02402021240A0018A20A000958
70831+:10E8D000921100052409FFFE024020210229902404
70832+:10E8E0000E001658A2120005240400390000282149
70833+:10E8F0000E0016F2240600180A000DCA24030001B7
70834+:10E9000092FE000C3C0A800835490080001EBB00C6
70835+:10E910008D27003836F10081024020213225F08118
70836+:10E920000E000C9B30C600FF0A000DC10000000065
70837+:10E930003AA7000130E300011460FFA402D4B02123
70838+:10E940000A000E1D00000000024020210E001734B6
70839+:10E95000020028210A000D75004018211160FF7087
70840+:10E960003C0F80083C0D800835EE00808DC40038D7
70841+:10E970008FA300548DA60004006660231D80FF68ED
70842+:10E98000000000000064C02307020001AFA400548F
70843+:10E990003C1F08008FFF31E433F9000113200015FC
70844+:10E9A0008FAC00583C07800094E3011A10600012FD
70845+:10E9B0003C0680080E00216A024020213C03080129
70846+:10E9C000906396F13064000214800145000000005D
70847+:10E9D000306C0004118000078FAC0058306600FBDB
70848+:10E9E0003C010801A02696F132B500FCAFA000580A
70849+:10E9F0008FAC00583C06800834D30080AFB40018B8
70850+:10EA0000AFB60010AFAC00143C088000950B01209D
70851+:10EA10008E6F0030966A005C8FA3005C8FBF003061
70852+:10EA20003169FFFF3144FFFF8FAE005401341021E4
70853+:10EA3000350540000064382B0045C82103E7C02598
70854+:10EA4000AFB90020AFAF0028AFB80030AFAF00249F
70855+:10EA5000AFA0002CAFAE0034926D000831B40008B6
70856+:10EA6000168000BB020020218EE200040040F8095D
70857+:10EA700027A400108FAF003031F300025660000170
70858+:10EA800032B500FE3C048008349F008093F90008F2
70859+:10EA900033380040530000138FA400248C850004F9
70860+:10EAA0008FA7005410A700D52404001432B0000131
70861+:10EAB0001200000C8FA400242414000C1234011A3C
70862+:10EAC0002A2D000D11A001022413000E240E000AAD
70863+:10EAD000522E0001241E00088FAF002425E40001FF
70864+:10EAE000AFA400248FAA00143C0B80083565008079
70865+:10EAF000008A48218CB10030ACA9003090A4004EAF
70866+:10EB00008CA700303408FFFF0088180400E3F821C8
70867+:10EB1000ACBF00348FA600308FB900548FB8005CB2
70868+:10EB200030C200081040000B033898218CAC002044
70869+:10EB3000119300D330C600FF92EE000C8FA7003473
70870+:10EB400002402021000E6B0035B400800E000C9BAB
70871+:10EB50003285F0803C028008345000808E0F0030F7
70872+:10EB600001F1302318C00097264800803C070800B8
70873+:10EB70008CE731E42404FF80010418243118007F5D
70874+:10EB80003C1F80003C19800430F10001AFE300908D
70875+:10EB900012200006031928213C030801906396F116
70876+:10EBA00030690008152000C6306A00F73C10800864
70877+:10EBB00036040080908C004F318B000115600042BC
70878+:10EBC000000000003C0608008CC6319830CE0010D2
70879+:10EBD00051C0004230F9000190AF006B55E0003F9A
70880+:10EBE00030F9000124180001A0B8006B3C1180002E
70881+:10EBF0009622007A24470064A48700123C0D800806
70882+:10EC000035A5008090B40008329000401600000442
70883+:10EC10003C03800832AE000115C0008B00000000EC
70884+:10EC2000346400808C86002010D3000A3463010015
70885+:10EC30008C67000002C7782319E000978FBF00544B
70886+:10EC4000AC93002024130001AC760000AFB3005059
70887+:10EC5000AC7F000417C0004E000000008FA90050D8
70888+:10EC60001520000B000000003C030801906396F1A2
70889+:10EC7000306A00011140002E8FAB0058306400FE56
70890+:10EC80003C010801A02496F10A000D75000018212E
70891+:10EC90000E000CAC024020210A000F1300000000FF
70892+:10ECA0000A000E200000A0210040F80924040017EB
70893+:10ECB0000A000DCA240300010040F80924040016CC
70894+:10ECC0000A000DCA240300019094004F240DFFFE9A
70895+:10ECD000028D2824A085004F30F900011320000682
70896+:10ECE0003C0480083C030801906396F1307F0010DB
70897+:10ECF00017E00051306800EF34900080240A0001D2
70898+:10ED0000024020210E00164EA60A00129203002592
70899+:10ED100024090001AFA90050346200010240202103
70900+:10ED20000E001658A20200250A000EF93C0D8008BC
70901+:10ED30001160FE83000018218FA5003030AC000464
70902+:10ED40001180FE2C8FBF00840A000DCB240300012C
70903+:10ED500027A500380E000CB6AFA000385440FF4382
70904+:10ED60008EE200048FB40038329001005200FF3F61
70905+:10ED70008EE200048FA3003C8E6E0058006E682364
70906+:10ED800005A3FF39AE6300580A000E948EE200041A
70907+:10ED90000E00164E024020213C038008346800809B
70908+:10EDA000024020210E001658A11E000903C0302188
70909+:10EDB000240400370E0016F2000028210A000F116B
70910+:10EDC0008FA900508FAB00185960FF8D3C0D800853
70911+:10EDD0000E00164E02402021920C00252405000151
70912+:10EDE000AFA5005035820004024020210E001658C5
70913+:10EDF000A20200250A000EF93C0D800812240059D9
70914+:10EE00002A2300151060004D240900162408000C68
70915+:10EE10005628FF2732B000013C0A8008914C001BA5
70916+:10EE20002406FFBD241E000E01865824A14B001BA2
70917+:10EE30000A000EA532B000013C010801A02896F19D
70918+:10EE40000A000EF93C0D80088CB500308EFE0008DB
70919+:10EE50002404001826B6000103C0F809ACB600303F
70920+:10EE60003C030801906396F13077000116E0FF81C2
70921+:10EE7000306A00018FB200300A000D753243000481
70922+:10EE80003C1080009605011A50A0FF2B34C60010DC
70923+:10EE90000A000EC892EE000C8C6200001456FF6D42
70924+:10EEA000000000008C7800048FB9005403388823D8
70925+:10EEB0000621FF638FBF00540A000F0E0000000000
70926+:10EEC0003C010801A02A96F10A000F3030F9000138
70927+:10EED0001633FF028FAF00240A000EB0241E00106C
70928+:10EEE0000E00164E024020213C0B80083568008041
70929+:10EEF00091090025240A0001AFAA0050353300040F
70930+:10EF0000024020210E001658A11300253C050801DF
70931+:10EF100090A596F130A200FD3C010801A02296F1D7
70932+:10EF20000A000E6D004018212411000E53D1FEEA94
70933+:10EF3000241E00100A000EAF241E00165629FEDC07
70934+:10EF400032B000013C0A8008914C001B2406FFBD32
70935+:10EF5000241E001001865824A14B001B0A000EA598
70936+:10EF600032B000010A000EA4241E00123C038000EF
70937+:10EF70008C6201B80440FFFE24040800AC6401B8B0
70938+:10EF800003E000080000000030A5FFFF30C6FFFFCF
70939+:10EF90003C0780008CE201B80440FFFE34EA0180A7
70940+:10EFA000AD440000ACE400203C0480089483004899
70941+:10EFB0003068FFFF11000016AF88000824AB001274
70942+:10EFC000010B482B512000133C04800034EF01005A
70943+:10EFD00095EE00208F890000240D001A31CCFFFF30
70944+:10EFE00031274000A14D000B10E000362583FFFEC5
70945+:10EFF0000103C02B170000348F9900048F88000490
70946+:10F00000A5430014350700010A001003AF87000470
70947+:10F010003C04800024030003348201808F890000B7
70948+:10F020008F870004A043000B3C088000350C018052
70949+:10F03000A585000EA585001A8F85000C30EB800099
70950+:10F04000A5890010AD850028A58600081160000F75
70951+:10F050008F85001435190100972A00163158FFFCDE
70952+:10F06000270F000401E870218DCD400031A6FFFF7D
70953+:10F0700014C000072403BFFF3C02FFFF34487FFF9A
70954+:10F0800000E83824AF8700048F8500142403BFFFF5
70955+:10F090003C04800000E3582434830180A46B0026E4
70956+:10F0A000AC69002C10A0000300054C02A465001000
70957+:10F0B000A46900263C071000AC8701B803E00008F3
70958+:10F0C000000000008F990004240AFFFE032A382460
70959+:10F0D0000A001003AF87000427BDFFE88FA20028B5
70960+:10F0E00030A5FFFF30C6FFFFAFBF0010AF87000C99
70961+:10F0F000AF820014AF8000040E000FDBAF80000071
70962+:10F100008FBF001027BD001803E00008AF80001477
70963+:10F110003C06800034C4007034C701008C8A0000B3
70964+:10F1200090E500128F84000027BDFFF030A300FFA0
70965+:10F13000000318823082400010400037246500032D
70966+:10F140000005C8800326C0218F0E4000246F0004F4
70967+:10F15000000F6880AFAE000001A660218D8B4000DB
70968+:10F16000AFAB000494E900163128FFFC01063821FA
70969+:10F170008CE64000AFA600088FA9000800003021EF
70970+:10F18000000028213C07080024E701000A0010675E
70971+:10F19000240800089059000024A500012CAC000CA4
70972+:10F1A0000079C0210018788001E770218DCD000022
70973+:10F1B0001180000600CD302603A5102114A8FFF50C
70974+:10F1C00000051A005520FFF4905900003C0480000F
70975+:10F1D000348700703C0508008CA531048CE30000E6
70976+:10F1E0002CA2002010400009006A38230005488046
70977+:10F1F0003C0B0800256B3108012B402124AA00019B
70978+:10F20000AD0700003C010800AC2A310400C0102109
70979+:10F2100003E0000827BD0010308220001040000BE2
70980+:10F2200000055880016648218D24400024680004B0
70981+:10F2300000083880AFA4000000E618218C6540006B
70982+:10F24000AFA000080A001057AFA500040000000D91
70983+:10F250000A0010588FA9000827BDFFE03C07800076
70984+:10F2600034E60100AFBF001CAFB20018AFB100140C
70985+:10F27000AFB0001094C5000E8F87000030A4FFFFD0
70986+:10F280002483000430E2400010400010AF830028C7
70987+:10F290003C09002000E940241100000D30EC800002
70988+:10F2A0008F8A0004240BBFFF00EB38243543100085
70989+:10F2B000AF87000030F220001640000B3C1900041C
70990+:10F2C000241FFFBF0A0010B7007F102430EC80001D
70991+:10F2D000158000423C0E002030F220001240FFF862
70992+:10F2E0008F8300043C19000400F9C0241300FFF5CB
70993+:10F2F000241FFFBF34620040AF82000430E20100EF
70994+:10F300001040001130F010008F83002C10600006B8
70995+:10F310003C0F80003C05002000E52024148000C044
70996+:10F320003C0800043C0F800035EE010095CD001E26
70997+:10F3300095CC001C31AAFFFF000C5C00014B482556
70998+:10F34000AF89000C30F010001200000824110001F9
70999+:10F3500030F100201620008B3C18100000F890249B
71000+:10F36000164000823C040C002411000130E801002A
71001+:10F370001500000B3C0900018F85000430A94000F6
71002+:10F38000152000073C0900013C0C1F0100EC58242B
71003+:10F390003C0A1000116A01183C1080003C09000171
71004+:10F3A00000E9302410C000173C0B10003C18080086
71005+:10F3B0008F1800243307000214E0014024030001E9
71006+:10F3C0008FBF001C8FB200188FB100148FB00010D7
71007+:10F3D0000060102103E0000827BD002000EE682433
71008+:10F3E00011A0FFBE30F220008F8F00043C11FFFF00
71009+:10F3F00036307FFF00F0382435E380000A0010A685
71010+:10F40000AF87000000EB102450400065AF8000245F
71011+:10F410008F8C002C3C0D0F0000ED18241580008807
71012+:10F42000AF83001030E8010011000086938F0010B8
71013+:10F430003C0A0200106A00833C1280003650010032
71014+:10F44000920500139789002A3626000230AF00FF8C
71015+:10F4500025EE0004000E19C03C0480008C9801B811
71016+:10F460000700FFFE34880180AD0300003C198008CE
71017+:10F47000AC830020973100483225FFFF10A0015CCB
71018+:10F48000AF8500082523001200A3F82B53E0015993
71019+:10F490008F850004348D010095AC00202402001AF1
71020+:10F4A00030E44000318BFFFFA102000B108001927D
71021+:10F4B0002563FFFE00A3502B154001908F8F0004A1
71022+:10F4C000A50300148F88000435050001AF850004F2
71023+:10F4D0003C08800035190180A729000EA729001AD1
71024+:10F4E0008F89000C30B18000A7270010AF290028B9
71025+:10F4F000A72600081220000E3C04800035020100FF
71026+:10F50000944C0016318BFFFC256400040088182100
71027+:10F510008C7F400033E6FFFF14C000053C048000F0
71028+:10F520003C0AFFFF354D7FFF00AD2824AF85000466
71029+:10F53000240EBFFF00AE402434850180A4A800261D
71030+:10F54000ACA7002C3C071000AC8701B800001821C4
71031+:10F550008FBF001C8FB200188FB100148FB0001045
71032+:10F560000060102103E0000827BD00203C020BFFD3
71033+:10F5700000E41824345FFFFF03E3C82B5320FF7B14
71034+:10F58000241100013C0608008CC6002C24C5000193
71035+:10F590003C010800AC25002C0A0010D42411000501
71036+:10F5A0008F85002410A0002FAF80001090A30000D2
71037+:10F5B000146000792419000310A0002A30E601002D
71038+:10F5C00010C000CC8F860010241F000210DF00C97D
71039+:10F5D0008F8B000C3C0708008CE7003824E4FFFF09
71040+:10F5E00014E0000201641824000018213C0D0800FA
71041+:10F5F00025AD0038006D1021904C00048F85002847
71042+:10F6000025830004000321C030A5FFFF3626000239
71043+:10F610000E000FDB000000000A00114D0000182151
71044+:10F6200000E8302414C0FF403C0F80000E00103D65
71045+:10F63000000000008F8700000A0010CAAF82000C93
71046+:10F64000938F00103C18080127189640000F90C0B7
71047+:10F6500002588021AF9000248F85002414A0FFD38E
71048+:10F66000AF8F00103C0480008C86400030C5010044
71049+:10F6700010A000BC322300043C0C08008D8C002438
71050+:10F6800024120004106000C23190000D3C04800080
71051+:10F690008C8D40003402FFFF11A201003231FFFBCC
71052+:10F6A0008C884000310A01005540000124110010EF
71053+:10F6B00030EE080011C000BE2419FFFB8F9800280F
71054+:10F6C0002F0F03EF51E000010219802430E90100FF
71055+:10F6D00011200014320800018F87002C14E000FB79
71056+:10F6E0008F8C000C3C05800034AB0100917F00132F
71057+:10F6F00033E300FF246A00042403FFFE0203802496
71058+:10F70000000A21C012000002023230253226FFFF1B
71059+:10F710000E000FDB9785002A1200FF290000182138
71060+:10F72000320800011100000D32180004240E0001FF
71061+:10F73000120E0002023230253226FFFF9785002A82
71062+:10F740000E000FDB00002021240FFFFE020F80249B
71063+:10F750001200FF1B00001821321800045300FF188C
71064+:10F760002403000102323025241200045612000145
71065+:10F770003226FFFF9785002A0E000FDB24040100CC
71066+:10F780002419FFFB021988241220FF0D0000182104
71067+:10F790000A0010E9240300011079009C00003021C8
71068+:10F7A00090AD00012402000211A200BE30EA004028
71069+:10F7B00090B90001241800011338007F30E900409F
71070+:10F7C0008CA600049785002A00C020210E000FDBC4
71071+:10F7D0003626000200004021010018218FBF001CC6
71072+:10F7E0008FB200188FB100148FB00010006010218C
71073+:10F7F00003E0000827BD0020360F010095EE000C45
71074+:10F8000031CD020015A0FEE63C0900013C1880083D
71075+:10F81000971200489789002A362600023248FFFFD7
71076+:10F82000AF8800083C0380008C7101B80620FFFE01
71077+:10F83000346A0180AD4000001100008E3C0F800052
71078+:10F84000253F0012011FC82B1320008B240E00033C
71079+:10F85000346C0100958B00202402001A30E4400033
71080+:10F860003163FFFFA142000B108000A72463FFFE5D
71081+:10F870000103682B15A000A52408FFFE34A5000194
71082+:10F88000A5430014AF8500043C0480002412BFFF90
71083+:10F8900000B2802434850180A4A9000EA4A9001A16
71084+:10F8A000A4A60008A4B00026A4A700103C071000DE
71085+:10F8B000AC8701B80A00114D000018213C038000FC
71086+:10F8C00034640100949F000E3C1908008F3900D861
71087+:10F8D0002404008033E5FFFF273100013C010800CC
71088+:10F8E000AC3100D80E000FDB240600030A00114DD6
71089+:10F8F00000001821240A000210CA00598F85002830
71090+:10F900003C0308008C6300D0240E0001106E005EE2
71091+:10F910002CCF000C24D2FFFC2E5000041600002136
71092+:10F9200000002021241800021078001B2CD9000CA4
71093+:10F9300024DFFFF82FE900041520FF330000202109
71094+:10F9400030EB020051600004000621C054C00022C8
71095+:10F9500030A5FFFF000621C030A5FFFF0A00117D82
71096+:10F96000362600023C0908008D29002431300001B0
71097+:10F970005200FEF7000018219785002A3626000263
71098+:10F980000E000FDB000020210A00114D000018219D
71099+:10F990000A00119C241200021320FFE624DFFFF866
71100+:10F9A0000000202130A5FFFF0A00117D362600024D
71101+:10F9B0000A0011AC021980245120FF828CA6000499
71102+:10F9C0003C05080190A5964110A0FF7E2408000187
71103+:10F9D0000A0011F0010018210E000FDB3226000191
71104+:10F9E0008F8600108F8500280A00124F000621C064
71105+:10F9F0008F8500043C18800024120003371001801A
71106+:10FA0000A212000B0A00112E3C08800090A30001F6
71107+:10FA1000241100011071FF70240800012409000264
71108+:10FA20005069000430E60040240800010A0011F08B
71109+:10FA30000100182150C0FFFD240800013C0C80008B
71110+:10FA4000358B01009563001094A40002307FFFFF06
71111+:10FA5000509FFF62010018210A001284240800014F
71112+:10FA60002CA803EF1100FE56240300010A001239EE
71113+:10FA700000000000240E000335EA0180A14E000BB7
71114+:10FA80000A00121C3C04800011E0FFA2000621C005
71115+:10FA900030A5FFFF0A00117D362600020A0011A5DD
71116+:10FAA000241100201140FFC63C1280003650010096
71117+:10FAB000960F001094AE000231E80FFF15C8FFC08A
71118+:10FAC000000000000A0011E690B900013C060800A1
71119+:10FAD0008CC6003824C4FFFF14C00002018418241F
71120+:10FAE000000018213C0D080025AD0038006D1021E4
71121+:10FAF0000A0011B6904300048F8F0004240EFFFE0D
71122+:10FB00000A00112C01EE28242408FFFE0A00121A14
71123+:10FB100000A8282427BDFFC8AFB00010AFBF003435
71124+:10FB20003C10600CAFBE0030AFB7002CAFB6002861
71125+:10FB3000AFB50024AFB40020AFB3001CAFB20018C3
71126+:10FB4000AFB100148E0E5000240FFF7F3C068000E2
71127+:10FB500001CF682435AC380C240B0003AE0C5000E8
71128+:10FB6000ACCB00083C010800AC2000200E001819A6
71129+:10FB7000000000003C0A0010354980513C06601628
71130+:10FB8000AE09537C8CC700003C0860148D0500A0B2
71131+:10FB90003C03FFFF00E320243C02535300051FC237
71132+:10FBA0001482000634C57C000003A08002869821E0
71133+:10FBB0008E7200043C116000025128218CBF007C31
71134+:10FBC0008CA200783C1E600037C420203C05080150
71135+:10FBD00024A59288AF820018AF9F001C0E0016DD8E
71136+:10FBE0002406000A3C190001273996403C01080010
71137+:10FBF000AC3931DC0E0020DDAF8000148FD708084F
71138+:10FC00002418FFF03C15570902F8B02412D502F56C
71139+:10FC100024040001AF80002C3C1480003697018042
71140+:10FC20003C1E080127DE9644369301008E900000AA
71141+:10FC30003205000310A0FFFD3207000110E000882C
71142+:10FC4000320600028E7100283C048000AE91002034
71143+:10FC50008E6500048E66000000A0382100C040219F
71144+:10FC60008C8301B80460FFFE3C0B0010240A0800DE
71145+:10FC700000AB4824AC8A01B8552000E0240BBFFF3C
71146+:10FC80009675000E3C1208008E52002030AC4000E9
71147+:10FC900032AFFFFF264E000125ED00043C010800B5
71148+:10FCA000AC2E0020118000E8AF8D00283C18002009
71149+:10FCB00000B8B02412C000E530B980002408BFFFAE
71150+:10FCC00000A8382434C81000AF87000030E62000B8
71151+:10FCD00010C000E92409FFBF3C03000400E328240E
71152+:10FCE00010A00002010910243502004030EA010092
71153+:10FCF00011400010AF8200048F8B002C11600007B0
71154+:10FD00003C0D002000ED6024118000043C0F000435
71155+:10FD100000EF702411C00239000000009668001E38
71156+:10FD20009678001C3115FFFF0018B40002B690252C
71157+:10FD3000AF92000C30F910001320001324150001BD
71158+:10FD400030FF002017E0000A3C04100000E41024FB
71159+:10FD50001040000D3C0A0C003C090BFF00EA18247F
71160+:10FD60003525FFFF00A3302B10C0000830ED010047
71161+:10FD70003C0C08008D8C002C24150005258B0001FF
71162+:10FD80003C010800AC2B002C30ED010015A0000B4D
71163+:10FD90003C0500018F85000430AE400055C00007CF
71164+:10FDA0003C0500013C161F0100F690243C0F10009A
71165+:10FDB000124F01CE000000003C05000100E5302498
71166+:10FDC00010C000AF3C0C10003C1F08008FFF002447
71167+:10FDD00033E90002152000712403000100601021A6
71168+:10FDE000104000083C0680003C08800035180100E7
71169+:10FDF0008F0F00243C056020ACAF00140000000011
71170+:10FE00003C0680003C194000ACD9013800000000DD
71171+:10FE10005220001332060002262B0140262C0080BF
71172+:10FE2000240EFF80016E2024018E6824000D1940ED
71173+:10FE3000318A007F0004A9403172007F3C16200007
71174+:10FE400036C20002006A482502B2382500E2882541
71175+:10FE50000122F825ACDF0830ACD1083032060002B0
71176+:10FE600010C0FF723C188000370501408CA80000CC
71177+:10FE700024100040AF08002090AF000831E300706C
71178+:10FE8000107000D428790041532000082405006038
71179+:10FE9000241100201071000E3C0A40003C09800033
71180+:10FEA000AD2A01780A001304000000001465FFFB6E
71181+:10FEB0003C0A40000E001FFA000000003C0A40000F
71182+:10FEC0003C098000AD2A01780A00130400000000FC
71183+:10FED00090A90009241F00048CA70000312800FF0E
71184+:10FEE000111F01B22503FFFA2C7200061240001404
71185+:10FEF0003C0680008CA9000494A4000A310500FF90
71186+:10FF000000095E022D6A00083086FFFF15400002DE
71187+:10FF10002567000424070003240C000910AC01FA33
71188+:10FF200028AD000A11A001DE2410000A240E0008EA
71189+:10FF300010AE0028000731C000C038213C06800008
71190+:10FF40008CD501B806A0FFFE34D20180AE47000078
71191+:10FF500034CB0140916E0008240300023C0A4000AB
71192+:10FF600031C400FF00046A0001A86025A64C000807
71193+:10FF7000A243000B9562000A3C0810003C09800077
71194+:10FF8000A64200108D670004AE470024ACC801B83B
71195+:10FF9000AD2A01780A001304000000003C0A80002A
71196+:10FFA000354401009483000E3C0208008C4200D8C6
71197+:10FFB000240400803065FFFF245500013C01080047
71198+:10FFC000AC3500D80E000FDB240600030A001370C6
71199+:10FFD000000018210009320230D900FF2418000166
71200+:10FFE0001738FFD5000731C08F910020262200016D
71201+:10FFF000AF8200200A0013C800C0382100CB2024A3
71202+:020000021000EC
71203+:10000000AF85000010800008AF860004240D87FF34
71204+:1000100000CD6024158000083C0E006000AE302446
71205+:1000200010C00005000000000E000D42000000009E
71206+:100030000A001371000000000E0016050000000009
71207+:100040000A0013710000000030B980005320FF1F28
71208+:10005000AF8500003C02002000A2F82453E0FF1B03
71209+:10006000AF8500003C07FFFF34E47FFF00A4382485
71210+:100070000A00132B34C880000A001334010910242D
71211+:1000800000EC58245160005AAF8000248F8D002C62
71212+:100090003C0E0F0000EE182415A00075AF83001071
71213+:1000A00030EF010011E00073939800103C12020041
71214+:1000B000107200703C06800034D9010093280013B0
71215+:1000C0009789002A36A60002311800FF271600047F
71216+:1000D000001619C03C0480008C8501B804A0FFFE06
71217+:1000E00034880180AD0300003C158008AC830020FB
71218+:1000F00096BF004833E5FFFF10A001BCAF850008A4
71219+:100100002523001200A3102B504001B98F85000455
71220+:10011000348D010095AC0020240B001A30E440001F
71221+:10012000318AFFFFA10B000B108001BA2543FFFEAF
71222+:1001300000A3702B15C001B88F9600048F8F0004A8
71223+:10014000A503001435E50001AF8500043C088000DC
71224+:1001500035150180A6A9000EA6A9001A8F89000CEA
71225+:1001600030BF8000A6A70010AEA90028A6A60008F0
71226+:1001700013E0000F3C0F8000350C0100958B00163A
71227+:10018000316AFFFC25440004008818218C6240007D
71228+:100190003046FFFF14C000072416BFFF3C0EFFFFD0
71229+:1001A00035CD7FFF00AD2824AF8500043C0F8000D3
71230+:1001B0002416BFFF00B6902435E50180A4B20026C6
71231+:1001C000ACA7002C3C071000ADE701B80A00137083
71232+:1001D000000018210E00165D000000003C0A4000DF
71233+:1001E0003C098000AD2A01780A00130400000000D9
71234+:1001F0008F85002410A00027AF80001090A300007E
71235+:10020000106000742409000310690101000030210E
71236+:1002100090AE0001240D000211CD014230EF0040EC
71237+:1002200090A90001241F0001113F000930E20040A5
71238+:100230008CA600049785002A00C020210E000FDB49
71239+:1002400036A60002000040210A00137001001821A8
71240+:100250005040FFF88CA600043C07080190E7964147
71241+:1002600010E0FFF4240800010A00137001001821B7
71242+:10027000939800103C1F080127FF96400018C8C043
71243+:10028000033F4021AF8800248F85002414A0FFDBAA
71244+:10029000AF9800103C0480008C86400030C50100FF
71245+:1002A00010A0008732AB00043C0C08008D8C0024A9
71246+:1002B00024160004156000033192000D241600027C
71247+:1002C0003C0480008C8E4000340DFFFF11CD0113E3
71248+:1002D00032B5FFFB8C984000330F010055E0000160
71249+:1002E0002415001030E80800110000382409FFFB35
71250+:1002F0008F9F00282FF903EF53200001024990241B
71251+:1003000030E2010010400014325F00018F87002CA2
71252+:1003100014E0010E8F8C000C3C0480003486010038
71253+:1003200090C5001330AA00FF25430004000321C03C
71254+:100330002419FFFE025990241240000202B6302513
71255+:1003400032A6FFFF0E000FDB9785002A1240FEA3A6
71256+:1003500000001821325F000113E0000D3247000455
71257+:10036000240900011249000202B6302532A6FFFF1F
71258+:100370009785002A0E000FDB000020212402FFFEDB
71259+:10038000024290241240FE950000182132470004DA
71260+:1003900050E0FE922403000102B63025241600042A
71261+:1003A0005656000132A6FFFF9785002A0E000FDB8C
71262+:1003B000240401002403FFFB0243A82412A0FE87AB
71263+:1003C000000018210A001370240300010A0014B968
71264+:1003D0000249902410A0FFAF30E5010010A00017E3
71265+:1003E0008F8600102403000210C300148F84000CB9
71266+:1003F0003C0608008CC6003824CAFFFF14C0000267
71267+:10040000008A1024000010213C0E080025CE003880
71268+:10041000004E682191AC00048F850028258B0004D4
71269+:10042000000B21C030A5FFFF36A600020E000FDB37
71270+:10043000000000000A00137000001821240F0002C1
71271+:1004400010CF0088241600013C0308008C6300D004
71272+:100450001076008D8F85002824D9FFFC2F280004FA
71273+:100460001500006300002021241F0002107F005DA2
71274+:100470002CC9000C24C3FFF82C6200041440FFE9CF
71275+:100480000000202130EA020051400004000621C093
71276+:1004900054C0000530A5FFFF000621C030A5FFFFB6
71277+:1004A0000A00150436A600020E000FDB32A600017A
71278+:1004B0008F8600108F8500280A001520000621C0B5
71279+:1004C0003C0A08008D4A0024315200015240FE438C
71280+:1004D000000018219785002A36A600020E000FDBC7
71281+:1004E000000020210A001370000018219668000CFB
71282+:1004F000311802005700FE313C0500013C1F800806
71283+:1005000097F900489789002A36A600023328FFFF92
71284+:10051000AF8800083C0380008C7501B806A0FFFE80
71285+:100520003C04800034820180AC400000110000B621
71286+:1005300024180003252A0012010A182B106000B2AB
71287+:1005400000000000966F00203C0E8000240D001A71
71288+:1005500031ECFFFF35CA018030EB4000A14D000BAC
71289+:10056000116000B02583FFFE0103902B164000AE02
71290+:100570002416FFFE34A50001A5430014AF85000436
71291+:100580002419BFFF00B94024A6E9000EA6E9001A0D
71292+:10059000A6E60008A6E80026A6E700103C07100023
71293+:1005A000AE8701B80A001370000018213C048000D7
71294+:1005B0008C8201B80440FFFE349601802415001C93
71295+:1005C000AEC70000A2D5000B3C071000AC8701B8F5
71296+:1005D0003C0A40003C098000AD2A01780A0013045F
71297+:1005E000000000005120FFA424C3FFF800002021D8
71298+:1005F00030A5FFFF0A00150436A600020E00103DCC
71299+:10060000000000008F8700000A001346AF82000C34
71300+:1006100090A30001241500011075FF0B24080001B0
71301+:10062000240600021066000430E2004024080001A5
71302+:100630000A001370010018215040FFFD240800013A
71303+:100640003C0C8000358B0100956A001094A40002D8
71304+:100650003143FFFF5083FDE1010018210A00158599
71305+:10066000240800018F8500282CB203EF1240FDDB27
71306+:10067000240300013C0308008C6300D02416000111
71307+:100680001476FF7624D9FFFC2CD8000C1300FF72DF
71308+:10069000000621C030A5FFFF0A00150436A600029F
71309+:1006A00010B00037240F000B14AFFE23000731C039
71310+:1006B000312600FF00065600000A4E0305220047BF
71311+:1006C00030C6007F0006F8C03C16080126D69640CA
71312+:1006D00003F68021A2000001A20000003C0F600090
71313+:1006E0008DF918202405000100C588040011302769
71314+:1006F0000326C024000731C000C03821ADF81820FF
71315+:100700000A0013C8A60000028F850020000731C030
71316+:1007100024A2FFFF0A0013F6AF8200200A0014B2E1
71317+:100720002415002011E0FECC3C1980003728010080
71318+:100730009518001094B6000233120FFF16D2FEC6B1
71319+:10074000000000000A00148290A900013C0B080080
71320+:100750008D6B0038256DFFFF15600002018D1024A0
71321+:10076000000010213C080800250800380048C0217E
71322+:10077000930F000425EE00040A0014C5000E21C0EA
71323+:1007800000065202241F00FF115FFDEB000731C07D
71324+:10079000000A20C03C0E080125CE9640008EA821FC
71325+:1007A000009E602100095C02240D00013C076000EE
71326+:1007B000A2AD0000AD860000A2AB00018CF21820B3
71327+:1007C00024030001014310040242B025ACF61820B6
71328+:1007D00000C038210A0013C8A6A900020A0015AA01
71329+:1007E000AF8000200A0012FFAF84002C8F85000428
71330+:1007F0003C1980002408000337380180A308000B4F
71331+:100800000A00144D3C088000A2F8000B0A00155A9B
71332+:100810002419BFFF8F9600042412FFFE0A00144B18
71333+:1008200002D228242416FFFE0A00155800B62824F8
71334+:100830003C038000346401008C85000030A2003E3F
71335+:100840001440000800000000AC6000488C870000E5
71336+:1008500030E607C010C0000500000000AC60004C8E
71337+:10086000AC60005003E0000824020001AC600054BA
71338+:10087000AC6000408C880000310438001080FFF923
71339+:10088000000000002402000103E00008AC60004406
71340+:100890003C0380008C6201B80440FFFE3467018095
71341+:1008A000ACE4000024080001ACE00004A4E500086A
71342+:1008B00024050002A0E8000A34640140A0E5000B12
71343+:1008C0009483000A14C00008A4E30010ACE00024E4
71344+:1008D0003C07800034E901803C041000AD20002872
71345+:1008E00003E00008ACE401B88C8600043C0410006E
71346+:1008F000ACE600243C07800034E90180AD200028EC
71347+:1009000003E00008ACE401B83C0680008CC201B8EA
71348+:100910000440FFFE34C7018024090002ACE400005B
71349+:10092000ACE40004A4E50008A0E9000A34C50140D5
71350+:10093000A0E9000B94A8000A3C041000A4E80010F1
71351+:10094000ACE000248CA30004ACE3002803E0000822
71352+:10095000ACC401B83C039000346200010082202541
71353+:100960003C038000AC6400208C65002004A0FFFEE6
71354+:100970000000000003E00008000000003C028000CE
71355+:10098000344300010083202503E00008AC4400202C
71356+:1009900027BDFFE03C098000AFBF0018AFB10014D5
71357+:1009A000AFB00010352801408D10000091040009FF
71358+:1009B0009107000891050008308400FF30E600FF31
71359+:1009C00000061A002C820081008330251040002A86
71360+:1009D00030A50080000460803C0D080125AD92B078
71361+:1009E000018D58218D6A00000140000800000000C0
71362+:1009F0003C038000346201409445000A14A0001EAC
71363+:100A00008F91FCC09227000530E6000414C0001A44
71364+:100A1000000000000E00164E02002021922A000560
71365+:100A200002002021354900040E001658A2290005B5
71366+:100A30009228000531040004148000020000000028
71367+:100A40000000000D922D0000240B002031AC00FFAF
71368+:100A5000158B00093C0580008CAE01B805C0FFFE77
71369+:100A600034B10180AE3000003C0F100024100005AE
71370+:100A7000A230000BACAF01B80000000D8FBF001812
71371+:100A80008FB100148FB0001003E0000827BD0020D4
71372+:100A90000200202100C028218FBF00188FB1001450
71373+:100AA0008FB00010240600010A00161D27BD00208B
71374+:100AB0000000000D0200202100C028218FBF001877
71375+:100AC0008FB100148FB00010000030210A00161DF5
71376+:100AD00027BD002014A0FFE8000000000200202134
71377+:100AE0008FBF00188FB100148FB0001000C02821F4
71378+:100AF0000A00163B27BD00203C0780008CEE01B8A1
71379+:100B000005C0FFFE34F00180241F0002A21F000B6D
71380+:100B100034F80140A60600089719000A3C0F10009F
71381+:100B2000A61900108F110004A6110012ACEF01B835
71382+:100B30000A0016998FBF001827BDFFE8AFBF00104D
71383+:100B40000E000FD4000000003C0280008FBF001098
71384+:100B500000002021AC4001800A00108F27BD001842
71385+:100B60003084FFFF30A5FFFF108000070000182130
71386+:100B7000308200011040000200042042006518216C
71387+:100B80001480FFFB0005284003E0000800601021EE
71388+:100B900010C00007000000008CA2000024C6FFFF68
71389+:100BA00024A50004AC82000014C0FFFB24840004D0
71390+:100BB00003E000080000000010A0000824A3FFFFCD
71391+:100BC000AC86000000000000000000002402FFFFCF
71392+:100BD0002463FFFF1462FFFA2484000403E000088A
71393+:100BE000000000003C03800027BDFFF83462018054
71394+:100BF000AFA20000308C00FF30AD00FF30CE00FF10
71395+:100C00003C0B80008D6401B80480FFFE00000000F2
71396+:100C10008FA900008D6801288FAA00008FA700000F
71397+:100C20008FA400002405000124020002A085000A10
71398+:100C30008FA30000359940003C051000A062000B16
71399+:100C40008FB800008FAC00008FA600008FAF0000AF
71400+:100C500027BD0008AD280000AD400004AD80002491
71401+:100C6000ACC00028A4F90008A70D0010A5EE0012E2
71402+:100C700003E00008AD6501B83C06800827BDFFE829
71403+:100C800034C50080AFBF001090A7000924020012F5
71404+:100C900030E300FF1062000B008030218CA8005070
71405+:100CA00000882023048000088FBF00108CAA003425
71406+:100CB000240400390000282100CA4823052000052B
71407+:100CC000240600128FBF00102402000103E0000878
71408+:100CD00027BD00180E0016F2000000008FBF0010A4
71409+:100CE0002402000103E0000827BD001827BDFFC84B
71410+:100CF000AFB20030AFB00028AFBF0034AFB1002CAE
71411+:100D000000A0802190A5000D30A6001010C000109A
71412+:100D1000008090213C0280088C4400048E0300086F
71413+:100D20001064000C30A7000530A6000510C0009329
71414+:100D3000240400018FBF00348FB200308FB1002C2B
71415+:100D40008FB000280080102103E0000827BD003884
71416+:100D500030A7000510E0000F30AB001210C00006F5
71417+:100D6000240400013C0980088E0800088D25000439
71418+:100D70005105009C240400388FBF00348FB200302E
71419+:100D80008FB1002C8FB000280080102103E00008F4
71420+:100D900027BD0038240A0012156AFFE6240400016A
71421+:100DA0000200202127A500100E000CB6AFA00010F5
71422+:100DB0001440007C3C19800837240080909800087B
71423+:100DC000331100081220000A8FA7001030FF010025
71424+:100DD00013E000A48FA300148C8600580066102333
71425+:100DE000044000043C0A8008AC8300588FA7001020
71426+:100DF0003C0A800835480080910900083124000829
71427+:100E00001480000224080003000040213C1F8008D9
71428+:100E100093F1001193F9001237E600808CCC005456
71429+:100E2000333800FF03087821322D00FF000F708057
71430+:100E300001AE282100AC582B1160006F00000000AB
71431+:100E400094CA005C8CC900543144FFFF0125102373
71432+:100E50000082182B14600068000000008CCB005446
71433+:100E60000165182330EC00041180006C000830800C
71434+:100E70008FA8001C0068102B1040006230ED0004A9
71435+:100E8000006610232C46008010C00002004088211C
71436+:100E9000241100800E00164E024020213C0D8008D7
71437+:100EA00035A6008024070001ACC7000C90C80008DC
71438+:100EB0000011484035A70100310C007FA0CC00088C
71439+:100EC0008E05000424AB0001ACCB0030A4D1005C43
71440+:100ED0008CCA003C9602000E01422021ACC40020C6
71441+:100EE0008CC3003C0069F821ACDF001C8E190004A3
71442+:100EF000ACF900008E180008ACF800048FB10010A7
71443+:100F0000322F000855E0004793A60020A0C0004EF5
71444+:100F100090D8004E2411FFDFA0F8000890CF000801
71445+:100F200001F17024A0CE00088E0500083C0B80085B
71446+:100F300035690080AD2500388D6A00148D2200309F
71447+:100F40002419005001422021AD24003491230000D7
71448+:100F5000307F00FF13F90036264F01000E001658AF
71449+:100F60000240202124040038000028210E0016F23F
71450+:100F70002406000A0A001757240400010E000D2859
71451+:100F8000000020218FBF00348FB200308FB1002CC1
71452+:100F90008FB00028004020210080102103E00008CD
71453+:100FA00027BD00388E0E00083C0F800835F0008009
71454+:100FB000AE0E005402402021AE0000300E00164E4E
71455+:100FC00000000000920D00250240202135AC0020D9
71456+:100FD0000E001658A20C00250E000CAC0240202179
71457+:100FE000240400382405008D0E0016F22406001299
71458+:100FF0000A0017572404000194C5005C0A001792E8
71459+:1010000030A3FFFF2407021811A0FF9E00E6102363
71460+:101010008FAE001C0A00179A01C610230A0017970A
71461+:101020002C620218A0E600080A0017C48E0500080A
71462+:101030002406FF8001E6C0243C118000AE38002861
71463+:101040008E0D000831E7007F3C0E800C00EE602121
71464+:10105000AD8D00E08E080008AF8C00380A0017D074
71465+:10106000AD8800E4AC800058908500082403FFF7A9
71466+:1010700000A33824A08700080A0017758FA7001066
71467+:101080003C05080024A560A83C04080024846FF4F3
71468+:101090003C020800244260B0240300063C01080121
71469+:1010A000AC2596C03C010801AC2496C43C01080163
71470+:1010B000AC2296C83C010801A02396CC03E00008AE
71471+:1010C0000000000003E00008240200013C02800050
71472+:1010D000308800FF344701803C0680008CC301B893
71473+:1010E0000460FFFE000000008CC501282418FF806A
71474+:1010F0003C0D800A24AF010001F8702431EC007F20
71475+:10110000ACCE0024018D2021ACE50000948B00EAD8
71476+:101110003509600024080002316AFFFFACEA0004D0
71477+:1011200024020001A4E90008A0E8000BACE00024C0
71478+:101130003C071000ACC701B8AF84003803E00008DA
71479+:10114000AF85006C938800488F8900608F820038DB
71480+:1011500030C600FF0109382330E900FF01221821C1
71481+:1011600030A500FF2468008810C000020124382147
71482+:101170000080382130E400031480000330AA00030B
71483+:101180001140000D312B000310A0000900001021B8
71484+:1011900090ED0000244E000131C200FF0045602B9D
71485+:1011A000A10D000024E700011580FFF925080001CA
71486+:1011B00003E00008000000001560FFF300000000DD
71487+:1011C00010A0FFFB000010218CF80000245900043F
71488+:1011D000332200FF0045782BAD18000024E70004FF
71489+:1011E00015E0FFF92508000403E0000800000000F6
71490+:1011F00093850048938800588F8700600004320070
71491+:101200003103007F00E5102B30C47F001040000F39
71492+:10121000006428258F8400383C0980008C8A00EC0B
71493+:10122000AD2A00A43C03800000A35825AC6B00A0AD
71494+:101230008C6C00A00580FFFE000000008C6D00ACEF
71495+:10124000AC8D00EC03E000088C6200A80A00188254
71496+:101250008F840038938800593C0280000080502120
71497+:10126000310300FEA383005930ABFFFF30CC00FFF9
71498+:1012700030E7FFFF344801803C0980008D2401B82D
71499+:101280000480FFFE8F8D006C24180016AD0D000049
71500+:101290008D2201248F8D0038AD0200048D5900206D
71501+:1012A000A5070008240201C4A119000AA118000B17
71502+:1012B000952F01208D4E00088D4700049783005C18
71503+:1012C0008D59002401CF302100C7282100A32023FD
71504+:1012D0002418FFFFA504000CA50B000EA5020010AA
71505+:1012E000A50C0012AD190018AD18002495AF00E848
71506+:1012F0003C0B10002407FFF731EEFFFFAD0E002876
71507+:101300008DAC0084AD0C002CAD2B01B88D460020B7
71508+:1013100000C7282403E00008AD4500208F8800386E
71509+:101320000080582130E7FFFF910900D63C02800081
71510+:1013300030A5FFFF312400FF00041A00006750258C
71511+:1013400030C600FF344701803C0980008D2C01B875
71512+:101350000580FFFE8F82006C240F0017ACE20000B6
71513+:101360008D390124ACF900048D780020A4EA00082E
71514+:10137000241901C4A0F8000AA0EF000B9523012056
71515+:101380008D6E00088D6D00049784005C01C35021B0
71516+:10139000014D602101841023A4E2000CA4E5000E9D
71517+:1013A000A4F90010A4E60012ACE000148D7800242B
71518+:1013B000240DFFFFACF800188D0F007CACEF001C73
71519+:1013C0008D0E00783C0F1000ACEE0020ACED002438
71520+:1013D000950A00BE240DFFF73146FFFFACE600285A
71521+:1013E000950C00809504008231837FFF0003CA00C2
71522+:1013F0003082FFFF0322C021ACF8002CAD2F01B8D2
71523+:10140000950E00828D6A002000AE3021014D282407
71524+:10141000A506008203E00008AD6500203C028000C4
71525+:10142000344501803C0480008C8301B80460FFFED9
71526+:101430008F8A0044240600199549001C3128FFFFBB
71527+:10144000000839C0ACA70000A0A6000B3C051000A6
71528+:1014500003E00008AC8501B88F87004C0080402174
71529+:1014600030C400FF3C0680008CC201B80440FFFE7F
71530+:101470008F89006C9383006834996000ACA90000E8
71531+:10148000A0A300058CE20010240F00022403FFF744
71532+:10149000A4A20006A4B900088D180020A0B8000A74
71533+:1014A000A0AF000B8CEE0000ACAE00108CED000481
71534+:1014B000ACAD00148CEC001CACAC00248CEB002018
71535+:1014C000ACAB00288CEA002C3C071000ACAA002C26
71536+:1014D0008D090024ACA90018ACC701B88D05002007
71537+:1014E00000A3202403E00008AD0400208F8600380C
71538+:1014F00027BDFFE0AFB10014AFBF0018AFB00010C0
71539+:1015000090C300D430A500FF3062002010400008D6
71540+:10151000008088218CCB00D02409FFDF256A0001E0
71541+:10152000ACCA00D090C800D401093824A0C700D4A8
71542+:1015300014A000403C0C80008F840038908700D4B9
71543+:101540002418FFBF2406FFEF30E3007FA08300D400
71544+:10155000979F005C8F8200608F8D003803E2C82364
71545+:10156000A799005CA5A000BC91AF00D401F870243D
71546+:10157000A1AE00D48F8C0038A18000D78F8A0038AC
71547+:10158000A5400082AD4000EC914500D400A658244F
71548+:10159000A14B00D48F9000348F8400609786005C4C
71549+:1015A0000204282110C0000FAF850034A38000582A
71550+:1015B0003C0780008E2C000894ED01208E2B000447
71551+:1015C000018D5021014B8021020620233086FFFF30
71552+:1015D00030C8000F3909000131310001162000091F
71553+:1015E000A3880058938600488FBF00188FB100145D
71554+:1015F0008FB0001027BD0020AF85006403E0000815
71555+:10160000AF86006000C870238FBF00189386004823
71556+:101610008FB100148FB0001034EF0C00010F28219F
71557+:1016200027BD0020ACEE0084AF85006403E0000815
71558+:10163000AF86006035900180020028210E00190F4E
71559+:10164000240600828F840038908600D430C5004084
71560+:1016500050A0FFBAA38000688F85004C3C06800034
71561+:101660008CCD01B805A0FFFE8F89006C2408608234
71562+:1016700024070002AE090000A6080008A207000B1C
71563+:101680008CA300083C0E1000AE0300108CA2000CCE
71564+:10169000AE0200148CBF0014AE1F00188CB90018E5
71565+:1016A000AE1900248CB80024AE1800288CAF002896
71566+:1016B000AE0F002CACCE01B80A001948A380006818
71567+:1016C0008F8A003827BDFFE0AFB10014AFB0001023
71568+:1016D0008F880060AFBF00189389003C954200BC22
71569+:1016E00030D100FF0109182B0080802130AC00FFB1
71570+:1016F0003047FFFF0000582114600003310600FF4F
71571+:1017000001203021010958239783005C0068202BB9
71572+:101710001480002700000000106800562419000102
71573+:101720001199006334E708803165FFFF0E0018C08F
71574+:10173000020020218F83006C3C07800034E601808A
71575+:101740003C0580008CAB01B80560FFFE240A001840
71576+:101750008F840038ACC30000A0CA000B948900BE7F
71577+:101760003C081000A4C90010ACC00030ACA801B8FF
71578+:101770009482008024430001A4830080949F008011
71579+:101780003C0608008CC6318833EC7FFF1186005E72
71580+:101790000000000002002021022028218FBF001835
71581+:1017A0008FB100148FB000100A00193427BD00203B
71582+:1017B000914400D42403FF8000838825A15100D4E4
71583+:1017C0009784005C3088FFFF51000023938C003C1D
71584+:1017D0008F8500382402EFFF008B782394AE00BC85
71585+:1017E0000168502B31E900FF01C26824A4AD00BCA0
71586+:1017F00051400039010058213C1F800037E60100AC
71587+:101800008CD800043C190001031940245500000144
71588+:1018100034E740008E0A00202403FFFB241100015E
71589+:1018200001432024AE0400201191002D34E78000F4
71590+:1018300002002021012030210E0018C03165FFFF79
71591+:101840009787005C8F890060A780005C0127802358
71592+:10185000AF900060938C003C8F8B00388FBF0018D6
71593+:101860008FB100148FB0001027BD002003E00008E6
71594+:10187000A16C00D73C0D800035AA01008D48000402
71595+:101880003C0900010109282454A0000134E740006C
71596+:101890008E0F00202418FFFB34E7800001F870242D
71597+:1018A00024190001AE0E00201599FF9F34E708802F
71598+:1018B000020020210E00188E3165FFFF020020215A
71599+:1018C000022028218FBF00188FB100148FB00010A4
71600+:1018D0000A00193427BD00200A0019F7000048212A
71601+:1018E00002002021012030210E00188E3165FFFFFB
71602+:1018F0009787005C8F890060A780005C01278023A8
71603+:101900000A001A0EAF900060948C0080241F8000A3
71604+:10191000019F3024A4860080908B0080908F0080EF
71605+:10192000316700FF0007C9C20019C027001871C045
71606+:1019300031ED007F01AE2825A08500800A0019DF67
71607+:1019400002002021938500682403000127BDFFE8E1
71608+:1019500000A330042CA20020AFB00010AFBF0014D1
71609+:1019600000C01821104000132410FFFE3C0708009F
71610+:101970008CE7319000E610243C088000350501809A
71611+:1019800014400005240600848F890038240A0004CE
71612+:101990002410FFFFA12A00FC0E00190F0000000018
71613+:1019A000020010218FBF00148FB0001003E0000868
71614+:1019B00027BD00183C0608008CC631940A001A574F
71615+:1019C00000C310248F87004427BDFFE0AFB200188A
71616+:1019D000AFB10014AFB00010AFBF001C30D000FF9B
71617+:1019E00090E6000D00A088210080902130C5007F86
71618+:1019F000A0E5000D8F8500388E2300188CA200D042
71619+:101A00001062002E240A000E0E001A4AA38A0068F3
71620+:101A10002409FFFF104900222404FFFF5200002088
71621+:101A2000000020218E2600003C0C001000CC582421
71622+:101A3000156000393C0E000800CE682455A0003F18
71623+:101A4000024020213C18000200D880241200001F10
71624+:101A50003C0A00048F8700448CE200148CE30010E1
71625+:101A60008CE500140043F82303E5C82B1320000580
71626+:101A7000024020218E24002C8CF1001010910031A6
71627+:101A80000240202124020012A38200680E001A4A9C
71628+:101A90002412FFFF105200022404FFFF0000202147
71629+:101AA0008FBF001C8FB200188FB100148FB00010D0
71630+:101AB0000080102103E0000827BD002090A800D47A
71631+:101AC000350400200A001A80A0A400D400CA4824CB
71632+:101AD0001520000B8F8B00448F8D00448DAC0010BF
71633+:101AE0001580000B024020218E2E002C51C0FFECEF
71634+:101AF00000002021024020210A001A9B2402001726
71635+:101B00008D66001050C0FFE6000020210240202119
71636+:101B10000A001A9B24020011024020212402001511
71637+:101B20000E001A4AA3820068240FFFFF104FFFDC4B
71638+:101B30002404FFFF0A001A8A8E2600000A001AC138
71639+:101B4000240200143C08000400C8382450E0FFD4EC
71640+:101B500000002021024020210A001A9B24020013C9
71641+:101B60008F85003827BDFFD8AFB3001CAFB2001877
71642+:101B7000AFB10014AFB00010AFBF002090A700D4E9
71643+:101B80008F90004C2412FFFF34E2004092060000C8
71644+:101B9000A0A200D48E0300100080982110720006CD
71645+:101BA00030D1003F2408000D0E001A4AA3880068B7
71646+:101BB000105200252404FFFF8F8A00388E09001878
71647+:101BC0008D4400D01124000702602021240C000E57
71648+:101BD0000E001A4AA38C0068240BFFFF104B001A5A
71649+:101BE0002404FFFF24040020122400048F8D0038F9
71650+:101BF00091AF00D435EE0020A1AE00D48F85005403
71651+:101C000010A00019000000001224004A8F9800382C
71652+:101C10008F92FCC0971000809651000A5230004805
71653+:101C20008F9300403C1F08008FFF318C03E5C82BC9
71654+:101C30001720001E02602021000028210E0019A993
71655+:101C400024060001000020218FBF00208FB3001C5C
71656+:101C50008FB200188FB100148FB0001000801021D7
71657+:101C600003E0000827BD00285224002A8E05001436
71658+:101C70008F840038948A008025490001A48900805F
71659+:101C8000948800803C0208008C42318831077FFF35
71660+:101C900010E2000E00000000026020210E00193446
71661+:101CA000240500010A001B0B000020212402002D46
71662+:101CB0000E001A4AA38200682403FFFF1443FFE1C9
71663+:101CC0002404FFFF0A001B0C8FBF002094990080A2
71664+:101CD000241F800024050001033FC024A498008035
71665+:101CE00090920080908E0080325100FF001181C2DE
71666+:101CF00000107827000F69C031CC007F018D582576
71667+:101D0000A08B00800E001934026020210A001B0BFA
71668+:101D1000000020212406FFFF54A6FFD68F84003840
71669+:101D2000026020210E001934240500010A001B0B5B
71670+:101D300000002021026020210A001B252402000A45
71671+:101D40002404FFFD0A001B0BAF9300608F8800384E
71672+:101D500027BDFFE8AFB00010AFBF0014910A00D458
71673+:101D60008F87004C00808021354900408CE60010B0
71674+:101D7000A10900D43C0208008C4231B030C53FFFBD
71675+:101D800000A2182B106000078F850050240DFF80E3
71676+:101D900090AE000D01AE6024318B00FF156000088D
71677+:101DA0000006C382020020212403000D8FBF00140F
71678+:101DB0008FB0001027BD00180A001A4AA3830068DC
71679+:101DC00033060003240F000254CFFFF70200202146
71680+:101DD00094A2001C8F85003824190023A4A200E8D7
71681+:101DE0008CE8000000081E02307F003F13F9003528
71682+:101DF0003C0A00838CE800188CA600D0110600086D
71683+:101E0000000000002405000E0E001A4AA385006899
71684+:101E10002407FFFF104700182404FFFF8F850038B8
71685+:101E200090A900D435240020A0A400D48F8C0044B5
71686+:101E3000918E000D31CD007FA18D000D8F83005458
71687+:101E40001060001C020020218F8400508C9800102C
71688+:101E50000303782B11E0000D241900180200202143
71689+:101E6000A39900680E001A4A2410FFFF10500002C8
71690+:101E70002404FFFF000020218FBF00148FB000104A
71691+:101E80000080102103E0000827BD00188C86001098
71692+:101E90008F9F00440200202100C31023AFE20010F6
71693+:101EA000240500010E0019A9240600010A001B9751
71694+:101EB000000020210E001934240500010A001B97A0
71695+:101EC00000002021010A5824156AFFD98F8C004494
71696+:101ED000A0A600FC0A001B84A386005A30A500FFC0
71697+:101EE0002406000124A9000100C9102B1040000C99
71698+:101EF00000004021240A000100A61823308B0001B5
71699+:101F000024C60001006A3804000420421160000267
71700+:101F100000C9182B010740251460FFF800A61823FC
71701+:101F200003E000080100102127BDFFD8AFB0001862
71702+:101F30008F90004CAFB1001CAFBF00202403FFFF07
71703+:101F40002411002FAFA30010920600002405000802
71704+:101F500026100001006620260E001BB0308400FF12
71705+:101F600000021E003C021EDC34466F410A001BD8F2
71706+:101F70000000102110A00009008018212445000154
71707+:101F800030A2FFFF2C4500080461FFFA0003204047
71708+:101F90000086202614A0FFF9008018210E001BB037
71709+:101FA000240500208FA300102629FFFF313100FFF8
71710+:101FB00000034202240700FF1627FFE20102182651
71711+:101FC00000035027AFAA0014AFAA00100000302170
71712+:101FD00027A8001027A7001400E6782391ED00033E
71713+:101FE00024CE000100C8602131C600FF2CCB0004C4
71714+:101FF0001560FFF9A18D00008FA200108FBF002097
71715+:102000008FB1001C8FB0001803E0000827BD002826
71716+:1020100027BDFFD0AFB3001CAFB00010AFBF00288A
71717+:10202000AFB50024AFB40020AFB20018AFB10014B8
71718+:102030003C0C80008D880128240FFF803C06800A1C
71719+:1020400025100100250B0080020F68243205007F57
71720+:10205000016F7024AD8E009000A62821AD8D002464
71721+:1020600090A600FC3169007F3C0A8004012A1821F7
71722+:10207000A386005A9067007C00809821AF830030CF
71723+:1020800030E20002AF88006CAF85003800A0182154
71724+:10209000144000022404003424040030A3840048C7
71725+:1020A0008C7200DC30D100FF24040004AF92006089
71726+:1020B00012240004A38000688E7400041680001EA1
71727+:1020C0003C0880009386005930C7000110E0000FE3
71728+:1020D0008F9300608CB000848CA800842404FF805F
71729+:1020E000020410240002F940310A007F03EA482567
71730+:1020F0003C0C2000012C902530CD00FE3C038000DC
71731+:10210000AC720830A38D00598F9300608FBF0028F8
71732+:102110008FB50024ACB300DC8FB400208FB3001C5B
71733+:102120008FB200188FB100148FB00010240200018C
71734+:1021300003E0000827BD00308E7F000895020120D3
71735+:102140008E67001003E2C8213326FFFF30D8000F4E
71736+:1021500033150001AF87003416A00058A39800582B
71737+:1021600035090C000309382100D81823AD03008479
71738+:10217000AF8700648E6A00043148FFFF1100007EC3
71739+:10218000A78A005C90AC00D42407FF8000EC3024C8
71740+:1021900030CB00FF1560004B9786005C938E005A91
71741+:1021A000240D000230D5FFFF11CD02A20000A021B6
71742+:1021B0008F85006002A5802B160000BC9388004824
71743+:1021C0003C11800096240120310400FF1485008812
71744+:1021D0008F8400648F9800343312000356400085CA
71745+:1021E00030A500FF8F900064310C00FF24060034FE
71746+:1021F00011860095AF90004C9204000414800118E1
71747+:102200008F8E0038A380003C8E0D00048DC800D84E
71748+:102210003C0600FF34CCFFFF01AC30240106182B34
71749+:1022200014600120AF8600548F8700609798005C8F
71750+:10223000AF8700400307402310C000C7A788005C99
71751+:102240008F91003030C3000300035823922A007C92
71752+:102250003171000302261021000A20823092000111
71753+:102260000012488000492821311FFFFF03E5C82BD9
71754+:10227000132001208F8800388F8500348F880064F8
71755+:102280001105025A3C0E3F018E0600003C0C250051
71756+:1022900000CE682411AC01638F84004C30E500FF50
71757+:1022A0000E00184A000030218F8800388F870060A8
71758+:1022B0008F8500340A001DB78F8600540A001C5613
71759+:1022C000AF87006490A400D400E48024320200FFB1
71760+:1022D000104000169386005990A6008890AE00D753
71761+:1022E00024A8008830D4003F2686FFE02CD10020AF
71762+:1022F000A38E003C1220000CAF88004C240B000180
71763+:1023000000CB20043095001916A0012B3C0680005C
71764+:1023100034CF0002008FC0241700022E3099002015
71765+:1023200017200234000000009386005930CB0001D2
71766+:102330001160000F9788005C8CBF00848CA900841A
71767+:10234000240AFF8003EA6024000C19403132007F28
71768+:10235000007238253C0D200000EDC82530D800FE65
71769+:102360003C0F8000ADF90830A39800599788005CB5
71770+:102370001500FF84000000008E630020306200041E
71771+:102380001040FF51938600592404FFFB0064802411
71772+:102390003C038000AE700020346601808C7301B86D
71773+:1023A0000660FFFE8F98006C347501003C1400013C
71774+:1023B000ACD800008C6B012424076085ACCB0004F2
71775+:1023C0008EAE000401D488245220000124076083CB
71776+:1023D00024190002A4C700083C0F1000A0D9000B6C
71777+:1023E0003C068000ACCF01B80A001C2B9386005934
71778+:1023F00030A500FF0E00184A240600018F88006CEB
71779+:102400003C05800034A90900250201889388004812
71780+:10241000304A0007304B00783C0340802407FF809F
71781+:102420000163C825014980210047F824310C00FFD1
71782+:1024300024060034ACBF0800AF90004CACB90810C3
71783+:102440005586FF6E920400048F8400388E11003090
71784+:10245000908E00D431CD001015A000108F83006045
71785+:102460002C6F000515E000E400000000909800D4F7
71786+:102470002465FFFC331200101640000830A400FF52
71787+:102480008F9F00648F99003413F90004388700018E
71788+:1024900030E20001144001C8000000000E001BC320
71789+:1024A000000000000A001DF8000000008F84006496
71790+:1024B00030C500FF0E00184A24060001939800481A
71791+:1024C000240B0034130B00A08F8500388F8600602A
71792+:1024D0009783005C306EFFFF00CE8823AF910060D1
71793+:1024E000A780005C1280FF90028018212414FFFD59
71794+:1024F0005474FFA28E6300208E6A00042403FFBF81
71795+:102500002408FFEF0155F823AE7F000490AC00D4FF
71796+:102510003189007FA0A900D48E7200208F8F0038EF
71797+:10252000A780005C364D0002AE6D0020A5E000BC27
71798+:1025300091E500D400A3C824A1F900D48F950038F8
71799+:10254000AEA000EC92B800D403085824A2AB00D48B
71800+:102550000A001CD78F8500388F910034AF8000604F
71801+:1025600002275821AF8B0034000020212403FFFFF5
71802+:10257000108301B48F8500388E0C00103C0D0800CC
71803+:102580008DAD31B09208000031843FFF008D802B6B
71804+:1025900012000023310D003F3C1908008F3931A88B
71805+:1025A0008F9F006C000479802408FF80033F202166
71806+:1025B000008FC821938500590328F8243C06008029
71807+:1025C0003C0F800034D80001001F91403331007F60
71808+:1025D0008F8600380251502535EE0940332B0078A4
71809+:1025E000333000073C0310003C02800C017890253A
71810+:1025F000020E48210143C0250222382134AE0001D9
71811+:10260000ADFF0804AF890050ADF20814AF87004455
71812+:10261000ADFF0028ACD90084ADF80830A38E005976
71813+:102620009383005A24070003106700272407000142
71814+:102630001467FFAC8F8500382411002311B1008589
71815+:1026400000000000240E000B026020210E001A4A38
71816+:10265000A38E00680040A0210A001D328F8500383B
71817+:1026600002602021240B000C0E001A4AA38B006884
71818+:10267000240AFFFF104AFFBD2404FFFF8F8E00389D
71819+:10268000A380003C8E0D00048DC800D83C0600FFDE
71820+:1026900034CCFFFF01AC30240106182B1060FEE2A1
71821+:1026A000AF86005402602021241200190E001A4A3D
71822+:1026B000A3920068240FFFFF104FFFAC2404FFFF1C
71823+:1026C0000A001C838F86005425A3FFE02C74002091
71824+:1026D0001280FFDD240E000B000328803C1108014E
71825+:1026E000263194B400B148218D2D000001A00008CE
71826+:1026F000000000008F85003400A710219385003C66
71827+:10270000AF82003402251821A383003C951F00BC32
71828+:102710000226282137F91000A51900BC5240FF926B
71829+:10272000AF850060246A0004A38A003C950900BCC0
71830+:1027300024A40004AF84006035322000A51200BC40
71831+:102740000A001D54000020218F8600602CC800055F
71832+:102750001500FF609783005C3065FFFF00C5C8234C
71833+:102760002F2F000511E00003306400FF24CDFFFC93
71834+:1027700031A400FF8F8900648F920034113200046D
71835+:10278000389F000133EC0001158001380000000083
71836+:102790008F840038908700D434E60010A08600D4DF
71837+:1027A0008F8500388F8600609783005CACA000ECBA
71838+:1027B0000A001D2F306EFFFF8CB500848CB400849E
71839+:1027C0003C04100002A7302400068940328E007FAE
71840+:1027D000022E8025020410253C08800024050001FB
71841+:1027E00002602021240600010E0019A9AD02083064
71842+:1027F0000A001CC38F8500388C8200EC1222FE7EFA
71843+:102800000260202124090005A38900680E001A4AED
71844+:102810002411FFFF1451FE782404FFFF0A001D5508
71845+:102820002403FFFF8F8F004C8F8800388DF8000045
71846+:10283000AD1800888DE70010AD0700988F87006005
71847+:102840000A001DB78F8600542406FFFF118600057D
71848+:10285000000000000E001B4C026020210A001D8FAA
71849+:102860000040A0210E001AD1026020210A001D8F15
71850+:102870000040A0218F90004C3C0208008C4231B0F7
71851+:102880008E110010322C3FFF0182282B10A0000C6B
71852+:10289000240BFF808F85005090A3000D01637024EE
71853+:1028A00031CA00FF1140000702602021001143825D
71854+:1028B000310600032418000110D8010600000000B2
71855+:1028C000026020212403000D0E001A4AA383006831
71856+:1028D000004020218F8500380A001D320080A02191
71857+:1028E0008F90004C3C0A08008D4A31B08F85005013
71858+:1028F0008E0400100000A0218CB1001430823FFF34
71859+:10290000004A602B8CB200205180FFEE0260202133
71860+:1029100090B8000D240BFF800178702431C300FFB4
71861+:102920005060FFE80260202100044382310600036A
71862+:1029300014C0FFE40260202194BF001C8F9900386E
71863+:102940008E060028A73F00E88CAF0010022F20233E
71864+:1029500014C4013A026020218F83005400C368210F
71865+:10296000022D382B14E00136240200188F8A00440F
71866+:102970008F820030024390218D4B00100163702341
71867+:10298000AD4E0010AD5200208C4C00740192282BEB
71868+:1029900014A0015F026020218F8400508E08002463
71869+:1029A0008C86002411060007026020212419001CD7
71870+:1029B0000E001A4AA3990068240FFFFF104FFFC5AD
71871+:1029C0002404FFFF8F8400448C87002424FF00012F
71872+:1029D000AC9F00241251012F8F8D00308DB10074F7
71873+:1029E0001232012C3C0B00808E0E000001CB5024D3
71874+:1029F00015400075000000008E0300142411FFFF35
71875+:102A0000107100073C0808003C0608008CC6319095
71876+:102A100000C8C0241300015202602021A380006876
71877+:102A20008E0300003C19000100792024108000135F
71878+:102A30003C1F0080007FA02416800009020028218E
71879+:102A4000026020212411001A0E001A4AA391006886
71880+:102A50002407FFFF1047FF9F2404FFFF02002821E7
71881+:102A6000026020210E001A6A240600012410FFFFD4
71882+:102A70001050FF982404FFFF241400018F8D0044A0
71883+:102A8000026020210280302195A900342405000134
71884+:102A9000253200010E0019A9A5B200340000202142
71885+:102AA0008F8500380A001D320080A0218F90004CD5
71886+:102AB0003C1408008E9431B08E07001030E53FFFC3
71887+:102AC00000B4C82B132000618F8600502412FF80B1
71888+:102AD00090C9000D0249682431A400FF5080005CB9
71889+:102AE000026020218F8C00541180000700078B8228
71890+:102AF0008F8500388F82FCC094BF0080944A000A02
71891+:102B0000515F00F78F8600403227000314E0006415
71892+:102B100000000000920E000211C000D8000000006A
71893+:102B20008E0B0024156000D902602021920400035E
71894+:102B300024190002308500FF14B90005308900FF18
71895+:102B40008F940054128000EA240D002C308900FF7D
71896+:102B5000392C00102D8400012D3200010244302553
71897+:102B6000020028210E001A6A026020212410FFFFB3
71898+:102B7000105000BF8F8500388F830054106000D341
71899+:102B8000240500013C0A08008D4A318C0143F82BD2
71900+:102B900017E000B22402002D02602021000028214D
71901+:102BA0000E0019A9240600018F85003800001821A5
71902+:102BB0000A001D320060A0210E0018750000000000
71903+:102BC0000A001DF800000000AC8000200A001E78FA
71904+:102BD0008E03001400002821026020210E0019A994
71905+:102BE000240600010A001CC38F8500380A001DB7A7
71906+:102BF0008F8800388CAA00848CAC00843C031000C1
71907+:102C00000147F824001F91403189007F024968255F
71908+:102C100001A32825ACC50830910700012405000157
71909+:102C2000026020210E0019A930E600010A001CC331
71910+:102C30008F850038938F00482403FFFD0A001D3460
71911+:102C4000AF8F00600A001D342403FFFF02602021C3
71912+:102C50002410000D0E001A4AA390006800401821AD
71913+:102C60008F8500380A001D320060A0210E00187503
71914+:102C7000000000009783005C8F86006000402021E8
71915+:102C80003070FFFF00D010232C4A00051140FE11C8
71916+:102C90008F850038ACA400EC0A001D2F306EFFFFBA
71917+:102CA00090CF000D31E300085460FFA192040003AF
71918+:102CB00002602021240200100E001A4AA38200683C
71919+:102CC0002403FFFF5443FF9A920400030A001F12DB
71920+:102CD0008F85003890A4000D308F000811E000951A
71921+:102CE0008F990054572000A6026020218E1F000CEF
71922+:102CF0008CB4002057F40005026020218E0D0008DE
71923+:102D00008CA7002411A7003A026020212402002091
71924+:102D1000A38200680E001A4A2412FFFF1052FEED33
71925+:102D20002404FFFF8F9F00442402FFF73C14800E11
71926+:102D300093EA000D2419FF803C03800001423824EF
71927+:102D4000A3E7000D8F9F00303C0908008D2931ACAE
71928+:102D50008F8C006C97F200788F870044012C302113
71929+:102D6000324D7FFF000D204000C4782131E5007F07
71930+:102D700000B4C02101F94024AC68002CA711000068
71931+:102D80008CEB0028256E0001ACEE00288CEA002CAC
71932+:102D90008E02002C01426021ACEC002C8E09002C2C
71933+:102DA000ACE900308E120014ACF2003494ED003A1D
71934+:102DB00025A40001A4E4003A97E600783C1108003D
71935+:102DC0008E3131B024C3000130707FFF1211005CDE
71936+:102DD000006030218F8F0030026020212405000127
71937+:102DE0000E001934A5E600780A001EA1000020217B
71938+:102DF0008E0900142412FFFF1132006B8F8A0038F5
71939+:102E00008E0200188D4C00D0144C00650260202109
71940+:102E10008E0B00248CAE0028116E005B2402002172
71941+:102E20000E001A4AA38200681452FFBE2404FFFF5A
71942+:102E30008F8500380A001D320080A0212402001F67
71943+:102E40000E001A4AA38200682409FFFF1049FEA160
71944+:102E50002404FFFF0A001E548F83005402602021C7
71945+:102E60000E001A4AA38200681450FF508F85003864
71946+:102E70002403FFFF0A001D320060A0218CD800242B
71947+:102E80008E0800241118FF29026020210A001F2744
71948+:102E90002402000F8E0900003C05008001259024CB
71949+:102EA0001640FF492402001A026020210E001A4A2F
71950+:102EB000A3820068240CFFFF144CFECF2404FFFF04
71951+:102EC0008F8500380A001D320080A0210E001934C1
71952+:102ED000026020218F8500380A001EE500001821BD
71953+:102EE0002403FFFD0060A0210A001D32AF860060B0
71954+:102EF000026020210E001A4AA38D00682403FFFF00
71955+:102F00001043FF588F8500380A001ECC920400033E
71956+:102F10002418001D0E001A4AA39800682403FFFF1E
71957+:102F20001443FE9D2404FFFF8F8500380A001D32E4
71958+:102F30000080A021026020210A001F3D24020024FD
71959+:102F4000240880000068C024330BFFFF000B73C20D
71960+:102F500031D000FF001088270A001F6E001133C017
71961+:102F6000240F001B0E001A4AA38F00681451FEACF8
71962+:102F70002404FFFF8F8500380A001D320080A02145
71963+:102F80000A001F3D240200278E0600288CA3002C77
71964+:102F900010C30008026020210A001F812402001FC4
71965+:102FA0000A001F812402000E026020210A001F81F6
71966+:102FB000240200258E04002C1080000D8F8F00301D
71967+:102FC0008DE800740104C02B5700000C0260202122
71968+:102FD0008CB900140086A0210334282B10A0FF52C6
71969+:102FE0008F9F0044026020210A001F8124020022DA
71970+:102FF000026020210A001F81240200230A001F8191
71971+:103000002402002627BDFFD8AFB3001CAFB10014C7
71972+:10301000AFBF0020AFB20018AFB000103C0280007C
71973+:103020008C5201408C4B01483C048000000B8C0208
71974+:10303000322300FF317300FF8C8501B804A0FFFE2E
71975+:1030400034900180AE1200008C8701442464FFF0AC
71976+:10305000240600022C830013AE070004A61100080A
71977+:10306000A206000BAE1300241060004F8FBF00209B
71978+:10307000000448803C0A0801254A9534012A402171
71979+:103080008D04000000800008000000003C030800E0
71980+:103090008C6331A831693FFF00099980007280215B
71981+:1030A000021370212405FF80264D0100264C00806C
71982+:1030B0003C02800031B1007F3198007F31CA007F2F
71983+:1030C0003C1F800A3C1980043C0F800C01C5202461
71984+:1030D00001A5302401853824014F1821AC46002475
71985+:1030E000023F402103194821AC470090AC4400281E
71986+:1030F000AF830044AF880038AF8900300E0019005C
71987+:10310000016080213C0380008C6B01B80560FFFEEC
71988+:103110008F8700448F8600383465018090E8000D69
71989+:10312000ACB20000A4B0000600082600000416039C
71990+:1031300000029027001227C21080008124C200885C
71991+:10314000241F6082A4BF0008A0A000052402000282
71992+:10315000A0A2000B8F8B0030000424003C08270045
71993+:1031600000889025ACB20010ACA00014ACA00024E4
71994+:10317000ACA00028ACA0002C8D6900382413FF807F
71995+:10318000ACA9001890E3000D02638024320500FF13
71996+:1031900010A000058FBF002090ED000D31AC007F26
71997+:1031A000A0EC000D8FBF00208FB3001C8FB2001861
71998+:1031B0008FB100148FB000103C0A10003C0E80004C
71999+:1031C00027BD002803E00008ADCA01B8265F010052
72000+:1031D0002405FF8033F8007F3C06800003E5782457
72001+:1031E0003C19800A03192021ACCF0024908E00D412
72002+:1031F00000AE682431AC00FF11800024AF84003899
72003+:10320000248E008895CD00123C0C08008D8C31A8CE
72004+:1032100031AB3FFF01924821000B5180012A402130
72005+:1032200001052024ACC400283107007F3C06800C37
72006+:1032300000E620219083000D00A31024304500FFFC
72007+:1032400010A0FFD8AF8400449098000D330F0010F9
72008+:1032500015E0FFD58FBF00200E0019000000000010
72009+:103260003C0380008C7901B80720FFFE00000000BD
72010+:10327000AE1200008C7F0144AE1F0004A6110008AE
72011+:1032800024110002A211000BAE1300243C1308010C
72012+:10329000927396F0327000015200FFC38FBF00207E
72013+:1032A0000E002146024020210A0020638FBF00202B
72014+:1032B0003C1260008E452C083C03F0033462FFFF93
72015+:1032C00000A2F824AE5F2C088E582C083C1901C0CF
72016+:1032D00003199825AE532C080A0020638FBF0020E5
72017+:1032E000264D010031AF007F3C10800A240EFF8084
72018+:1032F00001F0282101AE60243C0B8000AD6C00245D
72019+:103300001660FFA8AF85003824110003A0B100FCAF
72020+:103310000A0020638FBF002026480100310A007F89
72021+:103320003C0B800A2409FF80014B30210109202435
72022+:103330003C078000ACE400240A002062AF8600381D
72023+:10334000944E0012320C3FFF31CD3FFF15ACFF7D94
72024+:10335000241F608290D900D42418FF800319782498
72025+:1033600031EA00FF1140FF7700000000240700044D
72026+:10337000A0C700FC8F870044241160842406000D40
72027+:10338000A4B10008A0A600050A00204D24020002F6
72028+:103390003C040001248496DC24030014240200FE73
72029+:1033A0003C010800AC2431EC3C010800AC2331E8BE
72030+:1033B0003C010801A42296F83C040801248496F8F4
72031+:1033C0000000182100643021A0C300042463000120
72032+:1033D0002C6500FF54A0FFFC006430213C0708006E
72033+:1033E00024E7010003E00008AF87007800A058211F
72034+:1033F000008048210000102114A00012000050217C
72035+:103400000A002142000000003C010801A42096F8B7
72036+:103410003C05080194A596F88F8200783C0C0801C1
72037+:10342000258C96F800E2182100AC2021014B302BAE
72038+:10343000A089000400001021A460000810C0003919
72039+:10344000010048218F8600780009384000E94021BA
72040+:103450000008388000E6282190A8000B90B9000AE7
72041+:103460000008204000881021000218800066C0215A
72042+:10347000A319000A8F85007800E5782191EE000AF3
72043+:1034800091E6000B000E684001AE6021000C208028
72044+:1034900000851021A046000B3C030801906396F2C2
72045+:1034A000106000222462FFFF8F8300383C01080176
72046+:1034B000A02296F2906C00FF118000040000000032
72047+:1034C000906E00FF25CDFFFFA06D00FF3C190801A5
72048+:1034D000973996F8272300013078FFFF2F0F00FF60
72049+:1034E00011E0FFC9254A00013C010801A42396F818
72050+:1034F0003C05080194A596F88F8200783C0C0801E1
72051+:10350000258C96F800E2182100AC2021014B302BCD
72052+:10351000A089000400001021A460000814C0FFC9A5
72053+:103520000100482103E000080000000003E000085B
72054+:103530002402000227BDFFE0248501002407FF804C
72055+:10354000AFB00010AFBF0018AFB1001400A718242F
72056+:103550003C10800030A4007F3C06800A00862821B1
72057+:103560008E110024AE03002490A200FF1440000836
72058+:10357000AF850038A0A000098FBF0018AE1100244D
72059+:103580008FB100148FB0001003E0000827BD0020A9
72060+:1035900090A900FD90A800FF312400FF0E0020F448
72061+:1035A000310500FF8F8500388FBF0018A0A00009EB
72062+:1035B000AE1100248FB100148FB0001003E000089A
72063+:1035C00027BD002027BDFFD0AFB20020AFB1001C47
72064+:1035D000AFB00018AFBF002CAFB40028AFB30024C9
72065+:1035E0003C0980009533011635320C00952F011AE5
72066+:1035F0003271FFFF023280218E08000431EEFFFF9E
72067+:10360000248B0100010E6821240CFF8025A5FFFFFB
72068+:10361000016C50243166007F3C07800AAD2A0024EB
72069+:1036200000C73021AF850074AF8800703C010801ED
72070+:10363000A02096F190C300090200D02100809821BB
72071+:10364000306300FF2862000510400048AF86003854
72072+:10365000286400021480008E24140001240D00054B
72073+:103660003C010801A02D96D590CC00FD3C0108013D
72074+:10367000A02096D63C010801A02096D790CB000A46
72075+:10368000240AFF80318500FF014B4824312700FFC9
72076+:1036900010E0000C000058213C12800836510080D8
72077+:1036A0008E2F00308CD0005C01F0702305C0018E9D
72078+:1036B0008F87007090D4000A3284007FA0C4000A73
72079+:1036C0008F8600383C118008363000808E0F003025
72080+:1036D0008F87007000EF702319C000EE000000001B
72081+:1036E00090D4000924120002328400FF1092024795
72082+:1036F000000000008CC2005800E2F82327F9FFFF09
72083+:103700001B2001300000000090C5000924080004BF
72084+:1037100030A300FF10680057240A00013C01080193
72085+:10372000A02A96D590C900FF252700013C01080179
72086+:10373000A02796D43C030801906396D52406000583
72087+:103740001066006A2C780005130000C40000902168
72088+:103750000003F8803C0408012484958003E4C82118
72089+:103760008F25000000A0000800000000241800FFC2
72090+:103770001078005C0000000090CC000A90CA00099C
72091+:103780003C080801910896F13187008000EA48253D
72092+:103790003C010801A02996DC90C500FD3C140801FD
72093+:1037A000929496F2311100013C010801A02596DDAA
72094+:1037B00090DF00FE3C010801A03F96DE90D200FFA2
72095+:1037C0003C010801A03296DF8CD900543C0108016D
72096+:1037D000AC3996E08CD000583C010801AC3096E43E
72097+:1037E0008CC3005C3C010801AC3496EC3C01080140
72098+:1037F000AC2396E8162000088FBF002C8FB4002859
72099+:103800008FB300248FB200208FB1001C8FB000183E
72100+:1038100003E0000827BD00303C1180009624010E13
72101+:103820000E000FD43094FFFF3C0B08018D6B96F413
72102+:103830000260382102802821AE2B01803C13080150
72103+:103840008E7396D401602021240600830E00102F71
72104+:10385000AFB300108FBF002C8FB400288FB30024AB
72105+:103860008FB200208FB1001C8FB0001803E0000859
72106+:1038700027BD00303C1808008F1831FC270F0001CD
72107+:103880003C010800AC2F31FC0A0021D700000000E9
72108+:103890001474FFB900000000A0C000FF3C05080040
72109+:1038A0008CA531E43C0308008C6331E03C02080045
72110+:1038B0008C4232048F99003834A80001241F000282
72111+:1038C0003C010801AC2396F43C010801A02896F0C5
72112+:1038D0003C010801A02296F3A33F00090A002190B1
72113+:1038E0008F8600380E002146000000000A0021D714
72114+:1038F0008F8600383C1F080193FF96D424190001DD
72115+:1039000013F902298F8700703C100801921096D895
72116+:103910003C06080190C696D610C000050200A02102
72117+:103920003C040801908496D9109001E48F870078B8
72118+:10393000001088408F9F0078023048210009C8801D
72119+:10394000033F702195D80008270F0001A5CF00087C
72120+:103950003C040801908496D93C05080190A596D6B0
72121+:103960000E0020F4000000008F8700780230202134
72122+:103970000004308000C720218C8500048F820074F1
72123+:1039800000A2402305020006AC8200048C8A0000DD
72124+:103990008F830070014310235C400001AC83000062
72125+:1039A0008F86003890CB00FF2D6C00025580002DD3
72126+:1039B000241400010230F821001F40800107282153
72127+:1039C00090B9000B8CAE00040019C0400319782197
72128+:1039D000000F1880006710218C4D000001AE882375
72129+:1039E0002630FFFF5E00001F241400018C440004F9
72130+:1039F0008CAA0000008A482319200019240E000414
72131+:103A00003C010801A02E96D590AD000B8CAB0004B4
72132+:103A1000000D8840022D80210010108000471021E9
72133+:103A20008C44000401646023058202009443000872
72134+:103A300090DF00FE90B9000B33E500FF54B900049D
72135+:103A40000107A021A0D400FE8F8700780107A021E4
72136+:103A50009284000B0E0020F4240500018F860038AC
72137+:103A600024140001125400962E500001160000424A
72138+:103A70003C08FFFF241900021659FF3F0000000018
72139+:103A8000A0C000FF8F860038A0D200090A0021D70D
72140+:103A90008F86003890C700092404000230E300FF3D
72141+:103AA0001064016F24090004106901528F880074AA
72142+:103AB0008CCE0054010E682325B10001062001754B
72143+:103AC000241800043C010801A03896D53C010801E7
72144+:103AD000A02096D490D400FD90D200FF2E4F00027B
72145+:103AE00015E0FF14328400FF000438408F8900780D
72146+:103AF00090DF00FF00E41021000220800089C8212F
72147+:103B00002FE500029324000B14A0FF0A24070002F3
72148+:103B100000041840006480210010588001692821A9
72149+:103B20008CAC0004010C50230540FF020000000093
72150+:103B30003C030801906396D614600005246F0001D1
72151+:103B40003C010801A02496D93C010801A02796D782
72152+:103B50003C010801A02F96D690CE00FF24E700017B
72153+:103B600031CD00FF01A7882B1220FFE990A4000BA4
72154+:103B70000A0021C6000000003C0508018CA596D46F
72155+:103B80003C12000400A8F82413F2000624020005E9
72156+:103B90003C090801912996D5152000022402000352
72157+:103BA000240200053C010801A02296F190C700FF05
72158+:103BB00014E0012024020002A0C200090A0021D75B
72159+:103BC0008F86003890CC00FF1180FEDA240A0001B5
72160+:103BD0008F8C00748F890078240F00030180682186
72161+:103BE0001160001E240E0002000540400105A021C6
72162+:103BF00000142080008990218E51000401918023BF
72163+:103C00000600FECC000000003C020801904296D65F
72164+:103C100014400005245800013C010801A02A96D751
72165+:103C20003C010801A02596D93C010801A03896D690
72166+:103C300090DF00FF010510210002C88033E500FF7E
72167+:103C4000254A00010329202100AA402B1500FEB9B6
72168+:103C50009085000B1560FFE50005404000054040E1
72169+:103C600001051821000310803C010801A02A96D408
72170+:103C70003C010801A02596D8004918218C64000455
72171+:103C800000E4F82327F9FFFF1F20FFE900000000F0
72172+:103C90008C63000000E358230560013A01A38823E8
72173+:103CA00010E301170184C0231B00FEA200000000E6
72174+:103CB0003C010801A02E96D50A002305240B000123
72175+:103CC000240E0004A0CE00093C0D08008DAD31F893
72176+:103CD0008F86003825A200013C010800AC2231F893
72177+:103CE0000A0021D7000000008CD9005C00F9C02335
72178+:103CF0001F00FE7B000000008CDF005C10FFFF65F2
72179+:103D00008F8400748CC3005C008340232502000173
72180+:103D10001C40FF60000000008CC9005C248700018B
72181+:103D200000E9282B10A0FE943C0D80008DAB01040F
72182+:103D30003C0C0001016C50241140FE8F2402001045
72183+:103D40003C010801A02296F10A0021D700000000E2
72184+:103D50008F9100748F86003826220001ACC2005C6F
72185+:103D60000A002292241400018F8700382404FF8067
72186+:103D70000000882190E9000A241400010124302564
72187+:103D8000A0E6000A3C05080190A596D63C0408016F
72188+:103D9000908496D90E0020F4000000008F86003831
72189+:103DA0008F85007890C800FD310700FF0007404074
72190+:103DB0000107F821001FC0800305C8219323000BD1
72191+:103DC000A0C300FD8F8500788F8600380305602131
72192+:103DD000918F000B000F704001CF6821000D808093
72193+:103DE000020510218C4B0000ACCB00548D840004E4
72194+:103DF0008F83007400645023194000022482000164
72195+:103E00002462000101074821ACC2005C0009308037
72196+:103E100000C5402100E02021240500010E0020F40F
72197+:103E20009110000B8F86003890C500FF10A0FF0C8A
72198+:103E3000001070408F85007801D06821000D10803F
72199+:103E4000004558218D6400008F8C0074018450233C
72200+:103E50002547000104E0FF02263100013C03080170
72201+:103E6000906396D62E2F0002247800013C010801B1
72202+:103E7000A03896D63C010801A03496D711E0FEF890
72203+:103E8000020038210A002365000740408F84003873
72204+:103E90008F8300748C85005800A340230502FE9A8E
72205+:103EA000AC8300580A00223B000000003C070801D8
72206+:103EB00090E796F2240200FF10E200BE8F860038E1
72207+:103EC0003C110801963196FA3C030801246396F8E8
72208+:103ED000262500013230FFFF30ABFFFF02036021D7
72209+:103EE0002D6A00FF1540008D918700043C010801F8
72210+:103EF000A42096FA8F88003800074840012728211F
72211+:103F0000911800FF000530802405000127140001EE
72212+:103F1000A11400FF3C120801925296F28F8800789B
72213+:103F20008F8E0070264F000100C820213C0108013F
72214+:103F3000A02F96F2AC8E00008F8D0074A48500082F
72215+:103F4000AC8D00043C030801906396D414600077A4
72216+:103F5000000090213C010801A02596D4A087000B09
72217+:103F60008F8C007800CC5021A147000A8F82003846
72218+:103F7000A04700FD8F840038A08700FE8F860038A0
72219+:103F80008F9F0070ACDF00548F990074ACD900583B
72220+:103F90008F8D00780127C02100185880016DA02165
72221+:103FA000928F000A000F704001CF18210003888013
72222+:103FB000022D8021A207000B8F8600780166602108
72223+:103FC000918A000B000A1040004A2021000428803A
72224+:103FD00000A64021A107000A3C07800834E90080C0
72225+:103FE0008D2200308F860038ACC2005C0A0022921D
72226+:103FF0002414000190CA00FF1540FEAD8F880074A4
72227+:10400000A0C400090A0021D78F860038A0C000FD97
72228+:104010008F98003824060001A30000FE3C0108012F
72229+:10402000A02696D53C010801A02096D40A0021C6FE
72230+:104030000000000090CB00FF3C040801908496F340
72231+:10404000316C00FF0184502B1540000F2402000347
72232+:1040500024020004A0C200090A0021D78F8600387C
72233+:1040600090C3000A2410FF8002035824316C00FF23
72234+:104070001180FDC1000000003C010801A02096D580
72235+:104080000A0021C600000000A0C200090A0021D7D2
72236+:104090008F86003890D4000A2412FF8002544824EE
72237+:1040A000312800FF1500FFF4240200083C0108013C
72238+:1040B000A02296F10A0021D70000000000108840DD
72239+:1040C0008F8B0070023018210003688001A7202127
72240+:1040D000AC8B00008F8A0074240C0001A48C0008B3
72241+:1040E000AC8A00043C05080190A596D62402000184
72242+:1040F00010A2FE1E24A5FFFF0A0022519084000B8F
72243+:104100000184A0231A80FD8B000000003C010801FF
72244+:10411000A02E96D50A002305240B00013C010801BE
72245+:10412000A42596FA0A0023B78F880038240B0001D3
72246+:10413000106B00228F9800388F85003890BF00FFE9
72247+:1041400033F900FF1079002B000000003C1F08012C
72248+:1041500093FF96D8001FC840033FC0210018A080DD
72249+:104160000288782191EE000AA08E000A8F8D0078D7
72250+:104170003C030801906396D800CD88210A0023DD16
72251+:10418000A223000B263000010600003101A4902379
72252+:104190000640002B240200033C010801A02F96D505
72253+:1041A0000A002305240B00018F8900380A00223BF6
72254+:1041B000AD2700540A00229124120001931400FD3F
72255+:1041C000A094000B8F8800388F8F0078910E00FE2E
72256+:1041D00000CF6821A1AE000A8F910038A22700FD10
72257+:1041E0008F8300708F900038AE0300540A0023DEE6
72258+:1041F0008F8D007890B000FEA090000A8F8B003861
72259+:104200008F8C0078916A00FD00CC1021A04A000B31
72260+:104210008F840038A08700FE8F8600748F85003859
72261+:10422000ACA600580A0023DE8F8D007894B80008F1
72262+:10423000ACA40004030378210A002285A4AF00087F
72263+:104240003C010801A02296D50A0021C6000000000A
72264+:1042500090CF0009240D000431EE00FF11CDFD8543
72265+:10426000240200013C010801A02296D50A0021C6C3
72266+:1042700000000000080033440800334408003420E4
72267+:10428000080033F4080033D8080033280800332826
72268+:10429000080033280800334C8008010080080080A3
72269+:1042A000800800005F865437E4AC62CC50103A4579
72270+:1042B00036621985BF14C0E81BC27A1E84F4B55655
72271+:1042C000094EA6FE7DDA01E7C04D748108005A74DC
72272+:1042D00008005AB808005A5C08005A5C08005A5C8A
72273+:1042E00008005A5C08005A7408005A5C08005A5CBE
72274+:1042F00008005AC008005A5C080059D408005A5CEB
72275+:1043000008005A5C08005AC008005A5C08005A5C51
72276+:1043100008005A5C08005A5C08005A5C08005A5CA5
72277+:1043200008005A5C08005A5C08005A5C08005A5C95
72278+:1043300008005A9408005A5C08005A9408005A5C15
72279+:1043400008005A5C08005A5C08005A9808005A9401
72280+:1043500008005A5C08005A5C08005A5C08005A5C65
72281+:1043600008005A5C08005A5C08005A5C08005A5C55
72282+:1043700008005A5C08005A5C08005A5C08005A5C45
72283+:1043800008005A5C08005A5C08005A5C08005A5C35
72284+:1043900008005A5C08005A5C08005A5C08005A5C25
72285+:1043A00008005A9808005A9808005A5C08005A9861
72286+:1043B00008005A5C08005A5C08005A5C08005A5C05
72287+:1043C00008005A5C08005A5C08005A5C08005A5CF5
72288+:1043D00008005A5C08005A5C08005A5C08005A5CE5
72289+:1043E00008005A5C08005A5C08005A5C08005A5CD5
72290+:1043F00008005A5C08005A5C08005A5C08005A5CC5
72291+:1044000008005A5C08005A5C08005A5C08005A5CB4
72292+:1044100008005A5C08005A5C08005A5C08005A5CA4
72293+:1044200008005A5C08005A5C08005A5C08005A5C94
72294+:1044300008005A5C08005A5C08005A5C08005A5C84
72295+:1044400008005A5C08005A5C08005A5C08005A5C74
72296+:1044500008005A5C08005A5C08005A5C08005A5C64
72297+:1044600008005A5C08005A5C08005A5C08005A5C54
72298+:1044700008005A5C08005A5C08005A5C08005A5C44
72299+:1044800008005A5C08005A5C08005A5C08005A5C34
72300+:1044900008005A5C08005A5C08005A5C08005A5C24
72301+:1044A00008005A5C08005A5C08005A5C08005A5C14
72302+:1044B00008005A5C08005A5C08005A5C08005A5C04
72303+:1044C00008005A5C08005A5C08005A5C08005ADC74
72304+:1044D0000800782C08007A900800783808007628C0
72305+:1044E00008007838080078C4080078380800762872
72306+:1044F0000800762808007628080076280800762824
72307+:104500000800762808007628080076280800762813
72308+:1045100008007628080078580800784808007628AF
72309+:1045200008007628080076280800762808007628F3
72310+:1045300008007628080076280800762808007628E3
72311+:1045400008007628080076280800762808007848B1
72312+:10455000080082FC08008188080082C40800818865
72313+:104560000800829408008070080081880800818813
72314+:1045700008008188080081880800818808008188F7
72315+:1045800008008188080081880800818808008188E7
72316+:104590000800818808008188080081B008008D34F7
72317+:1045A00008008E9008008E70080088D808008D4C96
72318+:1045B0000A00012400000000000000000000000DBF
72319+:1045C000747061362E322E31620000000602010145
72320+:1045D00000000000000000000000000000000000DB
72321+:1045E00000000000000000000000000000000000CB
72322+:1045F00000000000000000000000000000000000BB
72323+:1046000000000000000000000000000000000000AA
72324+:10461000000000000000000000000000000000009A
72325+:10462000000000000000000000000000000000008A
72326+:10463000000000000000000000000000000000007A
72327+:104640000000000010000003000000000000000D4A
72328+:104650000000000D3C020800244217203C03080023
72329+:1046600024632A10AC4000000043202B1480FFFD7F
72330+:10467000244200043C1D080037BD2FFC03A0F0219C
72331+:104680003C100800261004903C1C0800279C1720B2
72332+:104690000E000262000000000000000D2402FF80F6
72333+:1046A00027BDFFE000821024AFB00010AF42002011
72334+:1046B000AFBF0018AFB10014936500043084007FD1
72335+:1046C000034418213C0200080062182130A5002094
72336+:1046D000036080213C080111277B000814A0000220
72337+:1046E0002466005C2466005892020004974301048B
72338+:1046F000920400043047000F3063FFFF3084004015
72339+:10470000006728231080000900004821920200055C
72340+:1047100030420004104000050000000010A000031B
72341+:104720000000000024A5FFFC2409000492020005FB
72342+:1047300030420004104000120000000010A00010E1
72343+:10474000000000009602000200A72021010440257D
72344+:104750002442FFFEA7421016920300042402FF80A9
72345+:1047600000431024304200FF104000033C020400CC
72346+:104770000A000174010240258CC20000AF421018EB
72347+:104780008F4201780440FFFE2402000AA742014044
72348+:1047900096020002240400093042000700021023A0
72349+:1047A00030420007A7420142960200022442FFFE67
72350+:1047B000A7420144A740014697420104A74201488D
72351+:1047C0008F420108304200205040000124040001C3
72352+:1047D00092020004304200101440000234830010A2
72353+:1047E00000801821A743014A0000000000000000DB
72354+:1047F0000000000000000000AF48100000000000B2
72355+:104800000000000000000000000000008F421000C7
72356+:104810000441FFFE3102FFFF1040000700000000CE
72357+:1048200092020004304200401440000300000000E7
72358+:104830008F421018ACC20000960200063042FFFF03
72359+:10484000244200020002104300021040036288214B
72360+:10485000962200001120000D3044FFFF00A7102118
72361+:104860008F8300388F45101C0002108200021080D8
72362+:1048700000431021AC45000030A6FFFF0E00058D5F
72363+:1048800000052C0200402021A62200009203000413
72364+:104890002402FF8000431024304200FF1040001F1C
72365+:1048A0000000000092020005304200021040001B90
72366+:1048B000000000009742100C2442FFFEA742101691
72367+:1048C000000000003C02040034420030AF421000FF
72368+:1048D00000000000000000000000000000000000D8
72369+:1048E0008F4210000441FFFE000000009742100CB0
72370+:1048F0008F45101C3042FFFF24420030000210821E
72371+:1049000000021080005B1021AC45000030A6FFFFC4
72372+:104910000E00058D00052C02A62200009604000260
72373+:10492000248400080E0001E93084FFFF974401044D
72374+:104930000E0001F73084FFFF8FBF00188FB1001405
72375+:104940008FB000103C02100027BD002003E00008DB
72376+:10495000AF4201783084FFFF308200078F8500244A
72377+:1049600010400002248300073064FFF800A41021E7
72378+:1049700030421FFF03421821247B4000AF850028EE
72379+:10498000AF82002403E00008AF4200843084FFFFC0
72380+:104990003082000F8F85002C8F860034104000027B
72381+:1049A0002483000F3064FFF000A410210046182B70
72382+:1049B000AF8500300046202314600002AF82002C37
72383+:1049C000AF84002C8F82002C340480000342182115
72384+:1049D00000641821AF83003803E00008AF42008074
72385+:1049E0008F820014104000088F8200048F82FFDC49
72386+:1049F000144000058F8200043C02FFBF3442FFFFD9
72387+:104A0000008220248F82000430430006240200022A
72388+:104A10001062000F3C0201012C62000350400005AF
72389+:104A2000240200041060000F3C0200010A00023062
72390+:104A30000000000010620005240200061462000C51
72391+:104A40003C0201110A000229008210253C020011DB
72392+:104A500000821025AF421000240200010A0002303B
72393+:104A6000AF82000C00821025AF421000AF80000C16
72394+:104A700000000000000000000000000003E000084B
72395+:104A8000000000008F82000C1040000400000000B5
72396+:104A90008F4210000441FFFE0000000003E0000808
72397+:104AA000000000008F8200102443F800000231C291
72398+:104AB00024C2FFF02C6303011060000300021042C7
72399+:104AC0000A000257AC8200008F85001800C5102B29
72400+:104AD0001440000B0000182100C5102324470001DA
72401+:104AE0008F82001C00A210212442FFFF0046102BE1
72402+:104AF000544000042402FFFF0A000257AC87000064
72403+:104B00002402FFFF0A000260AC8200008C820000D9
72404+:104B10000002194000621821000318800062182169
72405+:104B2000000318803C0208002442175C0062182130
72406+:104B300003E000080060102127BDFFD8AFBF0020B0
72407+:104B4000AFB1001CAFB000183C0460088C8250006C
72408+:104B50002403FF7F3C066000004310243442380CDD
72409+:104B6000AC8250008CC24C1C3C1A80000002160221
72410+:104B70003042000F10400007AF82001C8CC34C1C59
72411+:104B80003C02001F3442FC0000621824000319C2DA
72412+:104B9000AF8300188F420008275B400034420001B9
72413+:104BA000AF420008AF8000243C02601CAF40008090
72414+:104BB000AF4000848C4500088CC308083402800094
72415+:104BC000034220212402FFF0006218243C020080EE
72416+:104BD0003C010800AC2204203C025709AF84003895
72417+:104BE00014620004AF850034240200010A0002921E
72418+:104BF000AF820014AF8000148F42000038420001E1
72419+:104C0000304200011440FFFC8F8200141040001657
72420+:104C10000000000097420104104000058F8300004F
72421+:104C2000146000072462FFFF0A0002A72C62000A3A
72422+:104C30002C620010504000048F83000024620001A9
72423+:104C4000AF8200008F8300002C62000A1440000332
72424+:104C50002C6200070A0002AEAF80FFDC10400002A9
72425+:104C600024020001AF82FFDC8F4301088F44010062
72426+:104C700030622000AF83000410400008AF840010B1
72427+:104C80003C0208008C42042C244200013C01080034
72428+:104C9000AC22042C0A00058A3C0240003065020068
72429+:104CA00014A0000324020F001482026024020D00ED
72430+:104CB00097420104104002C83C02400030624000AC
72431+:104CC000144000AD8F8200388C4400088F42017878
72432+:104CD0000440FFFE24020800AF42017824020008CD
72433+:104CE000A7420140A7400142974201048F8400047B
72434+:104CF0003051FFFF30820001104000070220802168
72435+:104D00002623FFFE240200023070FFFFA742014667
72436+:104D10000A0002DBA7430148A74001463C02080005
72437+:104D20008C42043C1440000D8F8300103082002020
72438+:104D30001440000224030009240300010060202124
72439+:104D40008F830010240209005062000134840004A3
72440+:104D5000A744014A0A0002F60000000024020F00E6
72441+:104D60001462000530820020144000062403000D68
72442+:104D70000A0002F524030005144000022403000980
72443+:104D800024030001A743014A3C0208008C4204208E
72444+:104D90003C0400480E00020C004420250E000235A1
72445+:104DA000000000008F82000C1040003E0000000058
72446+:104DB0008F4210003C0300200043102410400039B3
72447+:104DC0008F820004304200021040003600000000D4
72448+:104DD000974210141440003300000000974210085E
72449+:104DE0008F8800383042FFFF2442000600021882FC
72450+:104DF0000003388000E83021304300018CC40000FB
72451+:104E000010600004304200030000000D0A00033768
72452+:104E100000E81021544000103084FFFF3C05FFFFE4
72453+:104E200000852024008518260003182B0004102B71
72454+:104E300000431024104000050000000000000000A6
72455+:104E40000000000D00000000240002228CC20000BF
72456+:104E50000A000336004520253883FFFF0003182B86
72457+:104E60000004102B00431024104000050000000037
72458+:104E7000000000000000000D000000002400022BD4
72459+:104E80008CC200003444FFFF00E81021AC44000055
72460+:104E90003C0208008C420430244200013C0108001E
72461+:104EA000AC2204308F6200008F840038AF8200088B
72462+:104EB0008C8300003402FFFF1462000F00001021F9
72463+:104EC0003C0508008CA504543C0408008C84045064
72464+:104ED00000B0282100B0302B008220210086202144
72465+:104EE0003C010800AC2504543C010800AC240450EB
72466+:104EF0000A000580240400088C8200003042010072
72467+:104F00001040000F000010213C0508008CA5044C47
72468+:104F10003C0408008C84044800B0282100B0302BE9
72469+:104F200000822021008620213C010800AC25044C91
72470+:104F30003C010800AC2404480A0005802404000851
72471+:104F40003C0508008CA504443C0408008C84044003
72472+:104F500000B0282100B0302B0082202100862021C3
72473+:104F60003C010800AC2504443C010800AC2404408A
72474+:104F70000A000580240400088F6200088F62000088
72475+:104F800000021602304300F02402003010620005D7
72476+:104F900024020040106200E08F8200200A00058891
72477+:104FA0002442000114A000050000000000000000E1
72478+:104FB0000000000D00000000240002568F4201781E
72479+:104FC0000440FFFE000000000E00023D27A4001078
72480+:104FD0001440000500408021000000000000000D8A
72481+:104FE000000000002400025D8E0200001040000559
72482+:104FF00000000000000000000000000D00000000A4
72483+:10500000240002608F62000C0443000324020001AC
72484+:105010000A00042EAE000000AE0200008F820038AD
72485+:105020008C480008A20000078F65000C8F64000404
72486+:1050300030A3FFFF0004240200852023308200FFFC
72487+:105040000043102124420005000230832CC200815D
72488+:10505000A605000A14400005A20400040000000098
72489+:105060000000000D00000000240002788F85003849
72490+:105070000E0005AB260400148F6200048F43010864
72491+:10508000A60200083C02100000621824106000080C
72492+:105090000000000097420104920300072442FFEC45
72493+:1050A000346300023045FFFF0A0003C3A203000778
72494+:1050B000974201042442FFF03045FFFF96060008A6
72495+:1050C0002CC200135440000592030007920200070F
72496+:1050D00034420001A20200079203000724020001EB
72497+:1050E00010620005240200031062000B8F8200385A
72498+:1050F0000A0003E030C6FFFF8F8200383C04FFFF48
72499+:105100008C43000C0064182400651825AC43000C87
72500+:105110000A0003E030C6FFFF3C04FFFF8C43001091
72501+:105120000064182400651825AC43001030C6FFFF4A
72502+:1051300024C2000200021083A20200058F830038FF
72503+:10514000304200FF00021080004328218CA800009C
72504+:105150008CA2000024030004000217021443001272
72505+:1051600000000000974201043C03FFFF01031824E4
72506+:105170003042FFFF004610232442FFFE006240251C
72507+:10518000ACA8000092030005306200FF000210800E
72508+:1051900000501021904200143042000F00431021B3
72509+:1051A0000A000415A20200068CA400049742010420
72510+:1051B0009603000A3088FFFF3042FFFF00461023AD
72511+:1051C0002442FFD60002140001024025ACA80004CE
72512+:1051D000920200079204000524630028000318834C
72513+:1051E0000064182134420004A2030006A202000752
72514+:1051F0008F8200042403FFFB34420002004310248A
72515+:10520000AF820004920300068F87003800031880E5
72516+:10521000007010218C4400203C02FFF63442FFFF56
72517+:105220000082402400671821AE04000CAC68000C1A
72518+:10523000920500063C03FF7F8E02000C00052880CB
72519+:1052400000B020213463FFFF01033024948800263E
72520+:1052500000A7282100431024AE02000CAC860020D9
72521+:10526000AC880024ACA8001024020010A742014022
72522+:1052700024020002A7400142A7400144A742014680
72523+:10528000974201043C0400082442FFFEA742014863
72524+:10529000240200010E00020CA742014A9603000AF4
72525+:1052A0009202000400431021244200023042000711
72526+:1052B00000021023304200070E000235AE0200103B
72527+:1052C0008F6200003C0308008C6304442404001037
72528+:1052D000AF820008974201043042FFFF2442FFFEE4
72529+:1052E00000403821000237C33C0208008C420440D1
72530+:1052F000006718210067282B004610210045102167
72531+:105300003C010800AC2304443C010800AC220440EA
72532+:105310000A0005150000000014A0000500000000B0
72533+:10532000000000000000000D000000002400030A3F
72534+:105330008F4201780440FFFE000000000E00023D95
72535+:1053400027A4001414400005004080210000000044
72536+:105350000000000D00000000240003118E02000078
72537+:105360005440000692020007000000000000000DFB
72538+:10537000000000002400031C9202000730420004D9
72539+:10538000104000058F8200042403FFFB344200021A
72540+:1053900000431024AF8200048F620004044300081D
72541+:1053A00092020007920200068E03000CAE0000007D
72542+:1053B0000002108000501021AC4300209202000730
72543+:1053C00030420004544000099602000A920200058F
72544+:1053D0003C03000100021080005010218C46001890
72545+:1053E00000C33021AC4600189602000A9206000461
72546+:1053F000277100080220202100C2302124C60005A8
72547+:10540000260500140E0005AB00063082920400064B
72548+:105410008F6500043C027FFF000420800091202162
72549+:105420008C8300043442FFFF00A228240065182169
72550+:10543000AC8300049202000792040005920300046A
72551+:10544000304200041040001496070008308400FF2A
72552+:1054500000042080009120218C86000497420104E2
72553+:105460009605000A306300FF3042FFFF0043102121
72554+:105470000045102130E3FFFF004310232442FFD8F2
72555+:1054800030C6FFFF0002140000C23025AC860004C5
72556+:105490000A0004C992030007308500FF0005288038
72557+:1054A00000B128218CA4000097420104306300FF62
72558+:1054B0003042FFFF00431021004710233C03FFFF51
72559+:1054C000008320243042FFFF00822025ACA400008E
72560+:1054D0009203000724020001106200060000000091
72561+:1054E0002402000310620011000000000A0004EC16
72562+:1054F0008E03001097420104920300049605000AEF
72563+:105500008E24000C00431021004510212442FFF29C
72564+:105510003C03FFFF008320243042FFFF0082202550
72565+:10552000AE24000C0A0004EC8E0300109742010424
72566+:10553000920300049605000A8E24001000431021F7
72567+:10554000004510212442FFEE3C03FFFF008320248E
72568+:105550003042FFFF00822025AE2400108E03001091
72569+:105560002402000AA7420140A74301429603000A11
72570+:10557000920200043C04004000431021A742014471
72571+:10558000A740014697420104A742014824020001B6
72572+:105590000E00020CA742014A0E0002350000000076
72573+:1055A0008F6200009203000400002021AF820008F7
72574+:1055B000974201049606000A3042FFFF006218215C
72575+:1055C000006028213C0308008C6304443C0208006E
72576+:1055D0008C42044000651821004410210065382BDE
72577+:1055E000004710213C010800AC2304443C010800A2
72578+:1055F000AC22044092040004008620212484000A86
72579+:105600003084FFFF0E0001E9000000009744010410
72580+:105610003084FFFF0E0001F7000000003C02100084
72581+:10562000AF4201780A0005878F820020148200278C
72582+:105630003062000697420104104000673C024000BF
72583+:105640003062400010400005000000000000000033
72584+:105650000000000D00000000240004208F420178AB
72585+:105660000440FFFE24020800AF4201782402000833
72586+:10567000A7420140A74001428F82000497430104E2
72587+:1056800030420001104000073070FFFF2603FFFE8C
72588+:1056900024020002A7420146A74301480A00053F31
72589+:1056A0002402000DA74001462402000DA742014A32
72590+:1056B0008F62000024040008AF8200080E0001E998
72591+:1056C000000000000A0005190200202110400042DD
72592+:1056D0003C02400093620000304300F024020010BE
72593+:1056E0001062000524020070106200358F820020D5
72594+:1056F0000A000588244200018F62000097430104DC
72595+:105700003050FFFF3071FFFF8F4201780440FFFEF1
72596+:105710003202000700021023304200072403000A6F
72597+:105720002604FFFEA7430140A7420142A7440144CB
72598+:10573000A7400146A75101488F420108304200208E
72599+:10574000144000022403000924030001A743014A76
72600+:105750000E00020C3C0400400E0002350000000068
72601+:105760003C0708008CE70444021110212442FFFE8C
72602+:105770003C0608008CC604400040182100E3382194
72603+:10578000000010218F65000000E3402B00C2302193
72604+:105790002604000800C830213084FFFFAF850008D0
72605+:1057A0003C010800AC2704443C010800AC2604403E
72606+:1057B0000E0001E9000000000A0005190220202166
72607+:1057C0000E00013B000000008F82002024420001F7
72608+:1057D000AF8200203C024000AF4201380A00029232
72609+:1057E000000000003084FFFF30C6FFFF00052C00E2
72610+:1057F00000A628253882FFFF004510210045282BF0
72611+:105800000045102100021C023042FFFF004310211E
72612+:1058100000021C023042FFFF004310213842FFFF0C
72613+:1058200003E000083042FFFF3084FFFF30A5FFFF98
72614+:1058300000001821108000070000000030820001E5
72615+:105840001040000200042042006518210A0005A152
72616+:105850000005284003E000080060102110C0000689
72617+:1058600024C6FFFF8CA2000024A50004AC82000027
72618+:105870000A0005AB2484000403E0000800000000D7
72619+:1058800010A0000824A3FFFFAC8600000000000069
72620+:10589000000000002402FFFF2463FFFF1462FFFAF0
72621+:1058A0002484000403E00008000000000000000160
72622+:1058B0000A00002A00000000000000000000000DA7
72623+:1058C000747870362E322E3162000000060201001C
72624+:1058D00000000000000001360000EA600000000047
72625+:1058E00000000000000000000000000000000000B8
72626+:1058F00000000000000000000000000000000000A8
72627+:105900000000000000000000000000000000000097
72628+:105910000000001600000000000000000000000071
72629+:105920000000000000000000000000000000000077
72630+:105930000000000000000000000000000000000067
72631+:1059400000000000000000000000138800000000BC
72632+:10595000000005DC00000000000000001000000353
72633+:10596000000000000000000D0000000D3C020800D7
72634+:1059700024423D683C0308002463401CAC40000006
72635+:105980000043202B1480FFFD244200043C1D08002E
72636+:1059900037BD7FFC03A0F0213C100800261000A8B2
72637+:1059A0003C1C0800279C3D680E00044E00000000CF
72638+:1059B0000000000D27BDFFB4AFA10000AFA200049E
72639+:1059C000AFA30008AFA4000CAFA50010AFA6001451
72640+:1059D000AFA70018AFA8001CAFA90020AFAA0024F1
72641+:1059E000AFAB0028AFAC002CAFAD0030AFAE003491
72642+:1059F000AFAF0038AFB8003CAFB90040AFBC004417
72643+:105A0000AFBF00480E000591000000008FBF0048A6
72644+:105A10008FBC00448FB900408FB8003C8FAF003876
72645+:105A20008FAE00348FAD00308FAC002C8FAB0028D0
72646+:105A30008FAA00248FA900208FA8001C8FA7001810
72647+:105A40008FA600148FA500108FA4000C8FA3000850
72648+:105A50008FA200048FA1000027BD004C3C1B6004F6
72649+:105A60008F7A5030377B502803400008AF7A00000F
72650+:105A70008F86003C3C0390003C0280000086282575
72651+:105A800000A32025AC4400203C0380008C6700204C
72652+:105A900004E0FFFE0000000003E00008000000003A
72653+:105AA0000A000070240400018F85003C3C04800043
72654+:105AB0003483000100A3102503E00008AC8200201D
72655+:105AC00003E00008000010213084FFFF30A5FFFF35
72656+:105AD00010800007000018213082000110400002F1
72657+:105AE00000042042006518211480FFFB00052840B7
72658+:105AF00003E000080060102110C000070000000053
72659+:105B00008CA2000024C6FFFF24A50004AC82000084
72660+:105B100014C0FFFB2484000403E000080000000020
72661+:105B200010A0000824A3FFFFAC86000000000000C6
72662+:105B3000000000002402FFFF2463FFFF1462FFFA4D
72663+:105B40002484000403E000080000000090AA003153
72664+:105B50008FAB00108CAC00403C0300FF8D6800044C
72665+:105B6000AD6C00208CAD004400E060213462FFFF8A
72666+:105B7000AD6D00248CA700483C09FF000109C0243A
72667+:105B8000AD6700288CAE004C0182C824031978252B
72668+:105B9000AD6F0004AD6E002C8CAD0038314A00FFB3
72669+:105BA000AD6D001C94A900323128FFFFAD680010D4
72670+:105BB00090A70030A5600002A1600004A16700006A
72671+:105BC00090A30032306200FF0002198210600005CD
72672+:105BD000240500011065000E0000000003E000082D
72673+:105BE000A16A00018CD80028354A0080AD780018E1
72674+:105BF0008CCF0014AD6F00148CCE0030AD6E000859
72675+:105C00008CC4002CA16A000103E00008AD64000C04
72676+:105C10008CCD001CAD6D00188CC90014AD6900144A
72677+:105C20008CC80024AD6800088CC70020AD67000C4C
72678+:105C30008CC200148C8300700043C82B1320000713
72679+:105C4000000000008CC20014144CFFE400000000AF
72680+:105C5000354A008003E00008A16A00018C820070D0
72681+:105C60000A0000E6000000009089003027BDFFF820
72682+:105C70008FA8001CA3A900008FA300003C0DFF808B
72683+:105C800035A2FFFF8CAC002C00625824AFAB0000A3
72684+:105C9000A100000400C05821A7A000028D06000446
72685+:105CA00000A048210167C8218FA500000080502175
72686+:105CB0003C18FF7F032C20263C0E00FF2C8C00019B
72687+:105CC000370FFFFF35CDFFFF3C02FF0000AFC824B8
72688+:105CD00000EDC02400C27824000C1DC003236825F9
72689+:105CE00001F87025AD0D0000AD0E00048D240024D8
72690+:105CF000AFAD0000AD0400088D2C00202404FFFF90
72691+:105D0000AD0C000C9547003230E6FFFFAD060010E9
72692+:105D10009145004830A200FF000219C25060000106
72693+:105D20008D240034AD0400148D4700388FAA00186C
72694+:105D300027BD0008AD0B0028AD0A0024AD07001CEC
72695+:105D4000AD00002CAD00001803E00008AD000020FD
72696+:105D500027BDFFE0AFB20018AFB10014AFB0001024
72697+:105D6000AFBF001C9098003000C088213C0D00FFA0
72698+:105D7000330F007FA0CF0000908E003135ACFFFFC5
72699+:105D80003C0AFF00A0CE000194A6001EA220000441
72700+:105D90008CAB00148E29000400A08021016C282403
72701+:105DA000012A40240080902101052025A62600021A
72702+:105DB000AE24000426050020262400080E000092D0
72703+:105DC00024060002924700302605002826240014ED
72704+:105DD00000071E000003160324060004044000030D
72705+:105DE0002403FFFF965900323323FFFF0E00009279
72706+:105DF000AE230010262400248FBF001C8FB2001891
72707+:105E00008FB100148FB00010240500030000302172
72708+:105E10000A00009C27BD002027BDFFD8AFB1001CA1
72709+:105E2000AFB00018AFBF002090A9003024020001DD
72710+:105E300000E050213123003F00A040218FB00040FE
72711+:105E40000080882100C04821106200148FA700380C
72712+:105E5000240B000500A0202100C02821106B001396
72713+:105E6000020030210E000128000000009225007C75
72714+:105E700030A400021080000326030030AE00003082
72715+:105E8000260300348FBF00208FB1001C8FB0001894
72716+:105E90000060102103E0000827BD00280E0000A7C5
72717+:105EA000AFB000100A00016F000000008FA3003C9B
72718+:105EB000010020210120282101403021AFA3001042
72719+:105EC0000E0000EEAFB000140A00016F00000000E9
72720+:105ED0003C06800034C20E008C4400108F850044C4
72721+:105EE000ACA400208C43001803E00008ACA30024FD
72722+:105EF0003C06800034C20E008C4400148F850044A0
72723+:105F0000ACA400208C43001C03E00008ACA30024D8
72724+:105F10009382000C1040001B2483000F2404FFF028
72725+:105F20000064382410E00019978B00109784000E4D
72726+:105F30009389000D3C0A601C0A0001AC01644023F7
72727+:105F400001037021006428231126000231C2FFFFE3
72728+:105F500030A2FFFF0047302B50C0000E00E4482164
72729+:105F60008D4D000C31A3FFFF00036400000C2C03D7
72730+:105F700004A1FFF30000302130637FFF0A0001A479
72731+:105F80002406000103E00008000000009784000ED2
72732+:105F900000E448213123FFFF3168FFFF0068382B00
72733+:105FA00054E0FFF8A783000E938A000D114000050E
72734+:105FB000240F0001006BC023A380000D03E0000844
72735+:105FC000A798000E006BC023A38F000D03E000080C
72736+:105FD000A798000E03E000080000000027BDFFE8BE
72737+:105FE000AFB000103C10800036030140308BFFFF43
72738+:105FF00093AA002BAFBF0014A46B000436040E005C
72739+:106000009488001630C600FF8FA90030A4680006EF
72740+:10601000AC650008A0660012A46A001AAC670020F4
72741+:106020008FA5002CA4690018012020210E000198E2
72742+:10603000AC6500143C021000AE0201788FBF001462
72743+:106040008FB0001003E0000827BD00188F85000006
72744+:106050002484000727BDFFF83084FFF83C06800049
72745+:1060600094CB008A316AFFFFAFAA00008FA900001D
72746+:10607000012540232507FFFF30E31FFF0064102B9D
72747+:106080001440FFF700056882000D288034CC4000E2
72748+:1060900000AC102103E0000827BD00088F8200003B
72749+:1060A0002486000730C5FFF800A2182130641FFFC6
72750+:1060B00003E00008AF8400008F87003C8F84004419
72751+:1060C00027BDFFB0AFB70044AFB40038AFB1002C6C
72752+:1060D000AFBF0048AFB60040AFB5003CAFB300342F
72753+:1060E000AFB20030AFB000283C0B80008C8600249B
72754+:1060F000AD6700808C8A002035670E00356901008D
72755+:10610000ACEA00108C8800248D2500040000B82122
72756+:10611000ACE800188CE3001000A688230000A02142
72757+:10612000ACE300148CE20018ACE2001C122000FE6C
72758+:1061300000E0B021936C0008118000F40000000022
72759+:10614000976F001031EEFFFF022E682B15A000EFB5
72760+:1061500000000000977200103250FFFFAED0000028
72761+:106160003C0380008C740000329300081260FFFD35
72762+:106170000000000096D800088EC700043305FFFF1A
72763+:1061800030B5000112A000E4000000000000000D86
72764+:1061900030BFA0402419004013F9011B30B4A00007
72765+:1061A000128000DF000000009373000812600008F6
72766+:1061B00000000000976D001031ACFFFF00EC202BB9
72767+:1061C0001080000330AE004011C000D50000000078
72768+:1061D000A7850040AF87003893630008022028217C
72769+:1061E000AFB10020146000F527B40020AF60000CB0
72770+:1061F000978F004031F14000162000022403001662
72771+:106200002403000E24054007A363000AAF650014B1
72772+:10621000938A00428F70001431550001001512401E
72773+:1062200002024825AF690014979F00408F78001440
72774+:1062300033F9001003194025AF680014979200400D
72775+:106240003247000810E0016E000000008F67001464
72776+:106250003C1210003C11800000F27825AF6F001452
72777+:1062600036230E00946E000A3C0D81002406000EB9
72778+:1062700031CCFFFF018D2025AF640004A36600022E
72779+:106280009373000A3406FFFC266B0004A36B000A1C
72780+:1062900097980040330820001100015F00000000C3
72781+:1062A0003C05800034A90E00979900409538000CF9
72782+:1062B00097870040001940423312C00031030003A9
72783+:1062C00000127B0330F11000006F6825001172038B
72784+:1062D00001AE6025000C20C0A76400129793004017
72785+:1062E000936A000A001359823175003C02AA1021FA
72786+:1062F0002450003CA3700009953F000C33F93FFF88
72787+:10630000A779001097700012936900090130F821F5
72788+:1063100027E5000230B900070019C0233308000741
72789+:10632000A368000B9371000997720012976F001019
72790+:10633000322700FF8F910038978D004000F218211E
72791+:10634000006F702101C6602131A6004010C0000519
72792+:106350003185FFFF00B1102B3C1280001040001768
72793+:10636000000098210225A82B56A0013E8FA50020F1
72794+:106370003C048000348A0E008D5300143C068000DB
72795+:10638000AD5300108D4B001CAD4B0018AD45000007
72796+:106390008CCD000031AC00081180FFFD34CE0E0022
72797+:1063A00095C3000800A0882100009021A783004029
72798+:1063B0008DC6000424130001AF860038976F0010CB
72799+:1063C00031F5FFFF8E9F000003F1282310A0011F6D
72800+:1063D000AE85000093620008144000DD000000005C
72801+:1063E0000E0001E7240400108F900048004028218F
72802+:1063F0003C023200320600FF000654000142F8253C
72803+:1064000026090001AF890048ACBF0000937900095C
72804+:1064100097780012936F000A332800FF3303FFFFC1
72805+:106420000103382100076C0031EE00FF01AE60254A
72806+:10643000ACAC00048F840048978B0040316A200088
72807+:106440001140010AACA4000897640012308BFFFFD2
72808+:1064500006400108ACAB000C978E004031C5000827
72809+:1064600014A0000226280006262800023C1F8000F7
72810+:1064700037E70E0094F900148CE5001C8F670004C8
72811+:10648000937800023324FFFF330300FFAFA3001013
72812+:106490008F6F0014AFA800180E0001CBAFAF00142F
72813+:1064A000240400100E0001FB000000008E9200008A
72814+:1064B00016400005000000008F7800142403FFBF81
72815+:1064C0000303A024AF7400148F67000C00F5C821EB
72816+:1064D000AF79000C9375000816A0000800000000BA
72817+:1064E00012600006000000008F6800143C0AEFFFF5
72818+:1064F0003549FFFE0109F824AF7F0014A37300089B
72819+:106500008FA500200A00034F02202021AED10000F9
72820+:106510000A00022D3C03800014E0FF1E30BFA040A3
72821+:106520000E0001900000A0212E9100010237B0253D
72822+:1065300012C000188FBF00488F87003C24170F003F
72823+:1065400010F700D43C0680008CD901780720FFFEAC
72824+:10655000241F0F0010FF00F634CA0E008D560014E1
72825+:1065600034C7014024080240ACF600048D49001CE9
72826+:106570003C141000ACE90008A0E00012A4E0001AEE
72827+:10658000ACE00020A4E00018ACE80014ACD4017822
72828+:106590008FBF00488FB700448FB600408FB5003CD6
72829+:1065A0008FB400388FB300348FB200308FB1002C1D
72830+:1065B0008FB0002803E0000827BD00508F910038FD
72831+:1065C000978800403C1280000220A821310700403B
72832+:1065D00014E0FF7C00009821977900108F9200381A
72833+:1065E0003338FFFF131200A8000020210080A021F3
72834+:1065F000108000F300A088211620FECE00000000CD
72835+:106600000A00031F2E9100013C0380008C62017878
72836+:106610000440FFFE240808008F860000AC68017863
72837+:106620003C038000946D008A31ACFFFF0186582343
72838+:10663000256AFFFF31441FFF2C8900081520FFF950
72839+:10664000000000008F8F0048347040008F83003CB2
72840+:1066500000E0A021240E0F0025E70001AF870048CD
72841+:1066600000D03021023488233C08800031F500FF3F
72842+:10667000106E0005240700019398004233130001B7
72843+:106680000013924036470001001524003C0A010027
72844+:10669000008A4825ACC900008F82004830BF003610
72845+:1066A00030B90008ACC200041320009900FF9825FF
72846+:1066B00035120E009650000A8F8700003C0F8100B3
72847+:1066C0003203FFFF24ED000835060140006F60250E
72848+:1066D0003C0E100031AB1FFF269200062405000E71
72849+:1066E000ACCC0020026E9825A4C5001AAF8B000028
72850+:1066F000A4D20018162000083C1080008F89003CAE
72851+:1067000024020F00512200022417000136730040BA
72852+:106710000E0001883C10800036060E008CCB001461
72853+:10672000360A014002402021AD4B00048CC5001CFC
72854+:10673000AD450008A1550012AD5300140E0001989C
72855+:106740003C151000AE1501780A000352000000004D
72856+:10675000936F0009976E0012936D000B31E500FFF7
72857+:1067600000AE202131AC00FF008C80212602000AFF
72858+:106770003050FFFF0E0001E7020020218F86004805
72859+:106780003C0341003C05800024CB0001AF8B004856
72860+:10679000936A00099769001230C600FF315F00FF5D
72861+:1067A0003128FFFF03E8382124F900020006C40065
72862+:1067B0000319782501E37025AC4E00008F6D000CA5
72863+:1067C00034A40E00948B001401B26025AC4C00047C
72864+:1067D0008C85001C8F670004936A00023164FFFF00
72865+:1067E000314900FFAFA900108F680014AFB1001845
72866+:1067F0000E0001CBAFA800140A0002FD0200202108
72867+:10680000AF600004A36000029798004033082000A6
72868+:106810001500FEA300003021A760001297840040FD
72869+:10682000936B000A3C10800030931F0000135183CB
72870+:10683000014BA82126A20028A362000936090E00F8
72871+:10684000953F000C0A000295A77F00108F7000147E
72872+:10685000360900400E000188AF6900140A0002C921
72873+:10686000000000000A00034F000020210641FEFA4C
72874+:10687000ACA0000C8CAC000C3C0D8000018D902570
72875+:106880000A0002EAACB2000C000090210A0002C526
72876+:1068900024130001128000073C028000344B0E00DC
72877+:1068A0009566000830D300401260004900000000E7
72878+:1068B0003C0680008CD001780600FFFE34C50E0037
72879+:1068C00094B500103C03050034CC014032B8FFFF02
72880+:1068D00003039025AD92000C8CAF0014240D200012
72881+:1068E0003C041000AD8F00048CAE001CAD8E00087F
72882+:1068F000A1800012A580001AAD800020A58000189C
72883+:10690000AD8D0014ACC401780A0003263C0680005B
72884+:106910008F9F0000351801402692000227F90008D9
72885+:1069200033281FFFA71200180A000391AF88000048
72886+:106930003C02800034450140ACA0000C1280001BDA
72887+:1069400034530E0034510E008E370010ACB70004E3
72888+:106950008E2400183C0B8000ACA400083570014068
72889+:1069600024040040A20000128FBF0048A600001AB5
72890+:106970008FB70044AE0000208FB60040A60000187C
72891+:106980008FB5003CAE0400148FB400388FB30034D0
72892+:106990008FB200308FB1002C8FB000283C02100065
72893+:1069A00027BD005003E00008AD6201788E66001438
72894+:1069B000ACA600048E64001C0A00042A3C0B800074
72895+:1069C0000E0001902E9100010A0003200237B0252D
72896+:1069D000000000000000000D00000000240003691A
72897+:1069E0000A0004013C06800027BDFFD8AFBF00208D
72898+:1069F0003C0980003C1F20FFAFB200183C0760003C
72899+:106A000035320E002402001037F9FFFDACE23008E9
72900+:106A1000AFB3001CAFB10014AFB00010AE5900000E
72901+:106A20000000000000000000000000000000000066
72902+:106A3000000000003C1800FF3713FFFDAE530000BC
72903+:106A40003C0B60048D7050002411FF7F3C0E00024F
72904+:106A50000211782435EC380C35CD0109ACED4C1819
72905+:106A6000240A0009AD6C50008CE80438AD2A0008F7
72906+:106A7000AD2000148CE54C1C3106FFFF38C42F718B
72907+:106A800000051E023062000F2486C0B310400007CC
72908+:106A9000AF8200088CE54C1C3C09001F3528FC0027
72909+:106AA00000A81824000321C2AF8400048CF1080858
72910+:106AB0003C0F57092412F0000232702435F0001008
72911+:106AC00001D0602601CF68262DAA00012D8B000180
72912+:106AD000014B382550E00009A380000C3C1F601CCE
72913+:106AE0008FF8000824190001A399000C33137C00CF
72914+:106AF000A7930010A780000EA380000DAF80004870
72915+:106B000014C00003AF8000003C066000ACC0442C01
72916+:106B10000E0005B93C1080000E000F1A361101005E
72917+:106B20003C12080026523DD03C13080026733E500C
72918+:106B30008E03000038640001308200011440FFFC25
72919+:106B40003C0B800A8E2600002407FF8024C90240E7
72920+:106B5000312A007F014B402101272824AE06002066
72921+:106B6000AF880044AE0500243C048000AF86003CA2
72922+:106B70008C8C01780580FFFE24180800922F0008F5
72923+:106B8000AC980178A38F0042938E004231CD000172
72924+:106B900011A0000F24050D0024DFF8002FF90301D8
72925+:106BA0001320001C000629C224A4FFF00004104298
72926+:106BB000000231400E00020200D2D8213C02400007
72927+:106BC0003C068000ACC201380A0004A000000000AE
72928+:106BD00010C50023240D0F0010CD00273C1F800896
72929+:106BE00037F9008093380000240E0050330F00FF67
72930+:106BF00015EEFFF33C0240000E000A3600000000D4
72931+:106C00003C0240003C068000ACC201380A0004A0EF
72932+:106C1000000000008F83000400A3402B1500000B30
72933+:106C20008F8B0008006B50212547FFFF00E5482BA4
72934+:106C30001520000600A36023000C19400E0002027C
72935+:106C40000073D8210A0004C43C0240000000000D7B
72936+:106C50000E000202000000000A0004C43C024000D2
72937+:106C60003C1B0800277B3F500E0002020000000082
72938+:106C70000A0004C43C0240003C1B0800277B3F7014
72939+:106C80000E000202000000000A0004C43C024000A2
72940+:106C90003C0660043C09080025290104ACC9502CBD
72941+:106CA0008CC850003C0580003C0200023507008083
72942+:106CB000ACC750003C040800248415A43C03080021
72943+:106CC0002463155CACA50008ACA2000C3C010800D4
72944+:106CD000AC243D603C010800AC233D6403E00008A7
72945+:106CE0002402000100A030213C1C0800279C3D68C4
72946+:106CF0003C0C04003C0B0002008B3826008C402624
72947+:106D00002CE200010007502B2D050001000A4880ED
72948+:106D10003C03080024633D60004520250123182121
72949+:106D20001080000300001021AC6600002402000166
72950+:106D300003E00008000000003C1C0800279C3D68A0
72951+:106D40003C0B04003C0A0002008A3026008B3826E7
72952+:106D50002CC200010006482B2CE5000100094080F0
72953+:106D60003C03080024633D600045202501031821F1
72954+:106D700010800005000010213C0C0800258C155CDB
72955+:106D8000AC6C00002402000103E0000800000000D9
72956+:106D90003C0900023C08040000883026008938269F
72957+:106DA0002CC30001008028212CE400010083102561
72958+:106DB0001040000B000030213C1C0800279C3D685F
72959+:106DC0003C0A80008D4E00082406000101CA682597
72960+:106DD000AD4D00088D4C000C01855825AD4B000CC5
72961+:106DE00003E0000800C010213C1C0800279C3D68FF
72962+:106DF0003C0580008CA6000C000420272402000122
72963+:106E000000C4182403E00008ACA3000C3C020002FC
72964+:106E10001082000B3C0560003C0704001087000353
72965+:106E20000000000003E00008000000008CA908D06A
72966+:106E3000240AFFFD012A402403E00008ACA808D082
72967+:106E40008CA408D02406FFFE0086182403E0000866
72968+:106E5000ACA308D03C05601A34A600108CC3008097
72969+:106E600027BDFFF88CC50084AFA3000093A40000E9
72970+:106E70002402000110820003AFA5000403E0000813
72971+:106E800027BD000893A7000114E0001497AC00028E
72972+:106E900097B800023C0F8000330EFFFC01CF682141
72973+:106EA000ADA50000A3A000003C0660008CC708D080
72974+:106EB0002408FFFE3C04601A00E82824ACC508D072
72975+:106EC0008FA300048FA200003499001027BD000892
72976+:106ED000AF22008003E00008AF2300843C0B800059
72977+:106EE000318AFFFC014B48218D2800000A00057DF6
72978+:106EF000AFA8000427BDFFE8AFBF00103C1C08008E
72979+:106F0000279C3D683C0580008CA4000C8CA20004EA
72980+:106F10003C0300020044282410A0000A00A3182407
72981+:106F20003C0604003C0400021460000900A6102482
72982+:106F30001440000F3C0404000000000D3C1C08003D
72983+:106F4000279C3D688FBF001003E0000827BD001894
72984+:106F50003C0208008C423D600040F809000000003F
72985+:106F60003C1C0800279C3D680A0005A68FBF001046
72986+:106F70003C0208008C423D640040F809000000001B
72987+:106F80000A0005AC00000000000411C003E0000886
72988+:106F9000244202403C04080024843FB42405001A23
72989+:106FA0000A00009C0000302127BDFFE0AFB00010B8
72990+:106FB0003C108000AFBF0018AFB1001436110100C3
72991+:106FC000922200090E0005B63044007F8E3F00007B
72992+:106FD0008F89003C3C0F008003E26021258800403F
72993+:106FE0000049F821240DFF80310E00783198007897
72994+:106FF00035F9000135F100020319382501D1482582
72995+:10700000010D302403ED5824018D2824240A00406A
72996+:1070100024040080240300C0AE0B0024AE0008103E
72997+:10702000AE0A0814AE040818AE03081CAE05080426
72998+:10703000AE070820AE060808AE0908243609090084
72999+:107040009539000C3605098033ED007F3338FFFF9A
73000+:10705000001889C0AE110800AE0F0828952C000C4E
73001+:107060008FBF00188FB10014318BFFFF000B51C090
73002+:10707000AE0A002C8CA400508FB000108CA3003CF2
73003+:107080008D2700048CA8001C8CA600383C0E800ABA
73004+:1070900001AE102127BD0020AF820044AF84005014
73005+:1070A000AF830054AF87004CAF88005C03E000085A
73006+:1070B000AF8600603C09080091293FD924A800024E
73007+:1070C0003C05110000093C0000E8302500C51825EA
73008+:1070D00024820008AC83000003E00008AC800004B8
73009+:1070E0003C098000352309009128010B906A0011AA
73010+:1070F0002402002800804821314700FF00A07021B1
73011+:1071000000C068213108004010E20002340C86DD26
73012+:10711000240C08003C0A800035420A9A944700007B
73013+:10712000354B0A9C35460AA030F9FFFFAD39000007
73014+:107130008D780000354B0A8024040001AD3800042E
73015+:107140008CCF0000AD2F00089165001930A300031B
73016+:107150001064009028640002148000AF240500022F
73017+:107160001065009E240F0003106F00B435450AA47B
73018+:10717000240A0800118A0048000000005100003D68
73019+:107180003C0B80003C0480003483090090670012AF
73020+:1071900030E200FF004D7821000FC8802724000155
73021+:1071A0003C0A8000354F090091E50019354C0980F3
73022+:1071B0008D87002830A300FF0003150000475825E5
73023+:1071C0000004C4003C19600001793025370806FF2F
73024+:1071D000AD260000AD2800048DEA002C25280028EB
73025+:1071E000AD2A00088DEC0030AD2C000C8DE500348C
73026+:1071F000AD2500108DE400383C05800034AC093C1E
73027+:10720000AD2400148DE3001CAD2300188DE7002091
73028+:10721000AD27001C8DE20024AD2200208DF900284E
73029+:1072200034A20100AD3900248D830000AD0E0004AE
73030+:1072300034B90900AD0300008C47000C250200148E
73031+:10724000AD070008932B00123C04080090843FD83F
73032+:10725000AD000010317800FF030D302100064F0013
73033+:1072600000047C00012F702535CDFFFC03E00008F1
73034+:10727000AD0D000C35780900930600123C0508009E
73035+:1072800094A53FC830C800FF010D5021000A60805E
73036+:107290000A00063C018520211500005B000000006B
73037+:1072A0003C08080095083FCE3C06080094C63FC83D
73038+:1072B000010610213C0B800035790900933800113C
73039+:1072C000932A001935660A80330800FF94CF002AFC
73040+:1072D00000086082314500FF978A0058000C1E00AC
73041+:1072E000000524003047FFFF006410250047C0253B
73042+:1072F00001EA30213C0B4000030B402500066400EE
73043+:10730000AD280000AD2C0004932500183C030006B6
73044+:107310002528001400053E0000E31025AD220008DA
73045+:107320008F24002C3C05800034AC093CAD24000CBB
73046+:107330008F38001C34A20100254F0001AD38001029
73047+:107340008D830000AD0E000431EB7FFFAD03000024
73048+:107350008C47000C34B90900A78B0058AD07000812
73049+:10736000932B00123C04080090843FD8250200149F
73050+:10737000317800FF030D302100064F0000047C002F
73051+:10738000012F702535CDFFFCAD00001003E0000893
73052+:10739000AD0D000C3C02080094423FD23C050800B1
73053+:1073A00094A53FC835440AA43C07080094E73FC4AD
73054+:1073B000948B00000045C8210327C023000B1C004C
73055+:1073C0002706FFF200665025AD2A000CAD20001004
73056+:1073D000AD2C00140A00063025290018354F0AA4E8
73057+:1073E00095E50000956400280005140000043C00A9
73058+:1073F0003459810000EC5825AD39000CAD2B00103C
73059+:107400000A000630252900143C0C0800958C3FCE5C
73060+:107410000A000681258200015460FF56240A0800F4
73061+:1074200035580AA49706000000061C00006C502581
73062+:10743000AD2A000C0A000630252900103C03080084
73063+:1074400094633FD23C07080094E73FC83C0F080014
73064+:1074500095EF3FC494A4000095790028006710219F
73065+:10746000004F582300041C00001934002578FFEE5B
73066+:1074700000D87825346A8100AD2A000CAD2F0010A9
73067+:10748000AD200014AD2C00180A0006302529001C80
73068+:1074900003E00008240207D027BDFFE0AFB20018C8
73069+:1074A000AFB10014AFB00010AFBF001C0E00007CE5
73070+:1074B000008088218F8800548F87004C3C0580080D
73071+:1074C00034B20080011128213C1080002402008089
73072+:1074D000240300C000A72023AE0208183C06800841
73073+:1074E000AE03081C18800004AF850054ACC500042E
73074+:1074F0008CC90004AF89004C1220000936040980B1
73075+:107500000E0006F800000000924C00278E0B00745D
73076+:1075100001825004014B3021AE46000C3604098034
73077+:107520008C8E001C8F8F005C01CF682319A0000493
73078+:107530008FBF001C8C90001CAF90005C8FBF001CA4
73079+:107540008FB200188FB100148FB000100A00007EB7
73080+:1075500027BD00208F8600508F8300548F82004CFF
73081+:107560003C05800834A40080AC860050AC83003C0D
73082+:1075700003E00008ACA200043C0308008C63005444
73083+:1075800027BDFFF8308400FF2462000130A500FF12
73084+:107590003C010800AC22005430C600FF3C078000CC
73085+:1075A0008CE801780500FFFE3C0C7FFFA3A40003DC
73086+:1075B0008FAA0000358BFFFF014B4824000627C02F
73087+:1075C00001244025AFA8000034E201009043000AE6
73088+:1075D000A3A000023C1980FFA3A300018FAF00000D
73089+:1075E00030AE007F3738FFFF01F86024000E6E00D8
73090+:1075F0003C0A002034E50140018D58253549200022
73091+:107600002406FF803C04100027BD0008ACAB000C32
73092+:10761000ACA90014A4A00018A0A6001203E0000862
73093+:10762000ACE40178308800FF30A700FF3C03800005
73094+:107630008C6201780440FFFE3C0C8000358A0A0011
73095+:107640008D4B00203584014035850980AC8B0004CA
73096+:107650008D4900240007302B00061540AC89000836
73097+:10766000A088001090A3004CA083002D03E0000828
73098+:10767000A480001827BDFFE8308400FFAFBF0010D2
73099+:107680000E00075D30A500FF8F8300548FBF0010F0
73100+:107690003C06800034C50140344700402404FF907C
73101+:1076A0003C02100027BD0018ACA3000CA0A40012DF
73102+:1076B000ACA7001403E00008ACC2017827BDFFE0CE
73103+:1076C0003C088008AFBF001CAFB20018AFB1001477
73104+:1076D000AFB00010351000808E0600183C07800007
73105+:1076E000309200FF00C72025AE0400180E00007C79
73106+:1076F00030B100FF92030005346200080E00007EE6
73107+:10770000A2020005024020210E000771022028215C
73108+:10771000024020218FBF001C8FB200188FB10014CF
73109+:107720008FB0001024050005240600010A0007326E
73110+:1077300027BD00203C05800034A309809066000826
73111+:1077400030C200081040000F3C0A01013549080A08
73112+:10775000AC8900008CA80074AC8800043C070800C9
73113+:1077600090E73FD830E5001050A00008AC8000083A
73114+:107770003C0D800835AC00808D8B0058AC8B000828
73115+:107780002484000C03E00008008010210A0007B5E3
73116+:107790002484000C27BDFFE83C098000AFB0001036
73117+:1077A000AFBF00143526098090C8000924020006E6
73118+:1077B00000A05821310300FF3527090000808021F7
73119+:1077C000240500041062007B2408000294CF005CB2
73120+:1077D0003C0E020431EDFFFF01AE6025AE0C00004F
73121+:1077E00090CA00083144002010800008000000000A
73122+:1077F00090C2004E3C1F010337F90300305800FFD0
73123+:107800000319302524050008AE06000490F9001184
73124+:1078100090E6001290E40011333800FF00187082E7
73125+:1078200030CF00FF01CF5021014B6821308900FF8C
73126+:1078300031AAFFFF39230028000A60801460002C61
73127+:10784000020C482390E400123C198000372F0100FD
73128+:10785000308C00FF018B1821000310800045F821B7
73129+:10786000001F8400360706FFAD270004373F0900DC
73130+:1078700093EC001193EE0012372609800005C082B8
73131+:107880008DE4000C8CC5003431CD00FF01AB10211C
73132+:107890000058182100A4F8230008840000033F00CA
73133+:1078A00000F0302533F9FFFF318F00FC00D970253F
73134+:1078B0000158202101E9682100045080ADAE000C80
73135+:1078C0000E00007C012A80213C088008240B000463
73136+:1078D000350500800E00007EA0AB000902001021DB
73137+:1078E0008FBF00148FB0001003E0000827BD001800
73138+:1078F00090EC001190E300193C18080097183FCE57
73139+:10790000318200FF0002F882307000FF001FCE00BD
73140+:1079100000103C000327302500D870253C0F4000A4
73141+:1079200001CF68253C198000AD2D0000373F0900CC
73142+:1079300093EC001193EE0012372F010037260980D7
73143+:107940000005C0828DE4000C8CC5003431CD00FFF1
73144+:1079500001AB10210058182100A4F823000884006E
73145+:1079600000033F0000F0302533F9FFFF318F00FCAA
73146+:1079700000D970250158202101E9682100045080B8
73147+:10798000ADAE000C0E00007C012A80213C0880086E
73148+:10799000240B0004350500800E00007EA0AB00091A
73149+:1079A000020010218FBF00148FB0001003E0000808
73150+:1079B00027BD00180A0007C72408001227BDFFD002
73151+:1079C0003C038000AFB60028AFB50024AFB4002060
73152+:1079D000AFB10014AFBF002CAFB3001CAFB20018A2
73153+:1079E000AFB000103467010090E6000B309400FF48
73154+:1079F00030B500FF30C200300000B02110400099C7
73155+:107A000000008821346409809088000800082E0056
73156+:107A100000051E03046000C0240400048F86005487
73157+:107A20003C010800A0243FD83C0C8000AD800048F9
73158+:107A30003C048000348E010091CD000B31A5002064
73159+:107A400010A000073C078000349309809272000860
73160+:107A50000012860000107E0305E000C43C1F800871
73161+:107A600034EC0100918A000B34EB09809169000825
73162+:107A7000314400400004402B3123000800C8982303
73163+:107A80001460000224120003000090213C108000CA
73164+:107A900036180A8036040900970E002C90830011D6
73165+:107AA0009089001293050018307F00FF312800FFF5
73166+:107AB000024810210002C880930D0018033F78216E
73167+:107AC00001F1302130B100FF00D11821A78E0058FC
73168+:107AD0003C010800A4263FCE3C010800A4233FD06F
73169+:107AE00015A00002000000000000000D920B010B29
73170+:107AF0003065FFFF3C010800A4233FD2316A0040FB
73171+:107B00003C010800A4203FC83C010800A4203FC459
73172+:107B10001140000224A4000A24A4000B3091FFFFAE
73173+:107B20000E0001E7022020219206010B3C0C080008
73174+:107B3000958C3FD2004020210006698231A70001C8
73175+:107B40000E00060101872821004020210260282123
73176+:107B50000E00060C024030210E0007A1004020213B
73177+:107B600016C00069004020219212010B32560040DD
73178+:107B700012C000053C0500FF8C93000034AEFFFFEF
73179+:107B8000026E8024AC9000000E0001FB0220202138
73180+:107B90003C0F080091EF3FD831F10003122000168E
73181+:107BA0003C1380088F8200543C09800835280080EF
73182+:107BB000245F0001AD1F003C3C0580088CB9000427
73183+:107BC00003E02021033FC0231B000002AF9F0054AD
73184+:107BD0008CA400040E0006F8ACA400043C0780004E
73185+:107BE0008CEB00743C04800834830080004B5021EF
73186+:107BF000AC6A000C3C1380083670008002802021A3
73187+:107C000002A02821A200006B0E00075D3C1480003A
73188+:107C10008F920054368C0140AD92000C8F86004844
73189+:107C20003C151000344D000624D60001AF960048E4
73190+:107C30008FBF002CA18600128FB60028AD8D0014D6
73191+:107C40008FB3001CAE9501788FB200188FB5002459
73192+:107C50008FB400208FB100148FB0001003E0000833
73193+:107C600027BD003034640980908F0008000F760033
73194+:107C7000000E6E0305A00033347F090093F8001B4B
73195+:107C8000241900103C010800A0393FD8331300022A
73196+:107C90001260FF678F8600548F8200601446FF6574
73197+:107CA0003C0480000E00007C000000003C048008C2
73198+:107CB0003485008090A8000924060016310300FFD7
73199+:107CC0001066000D0000000090AB00093C070800A2
73200+:107CD00090E73FD824090008316400FF34EA00012E
73201+:107CE0003C010800A02A3FD81089002F240C000A6C
73202+:107CF000108C00282402000C0E00007E0000000002
73203+:107D00000A0008608F8600540E0007B9024028213F
73204+:107D10000A0008AE004020213C0B8008356A008034
73205+:107D20008D4600548CE9000C1120FF3DAF860054B5
73206+:107D3000240700143C010800A0273FD80A00085F70
73207+:107D40003C0C800090910008241200023C010800C5
73208+:107D5000A0323FD8323000201200000B2416000160
73209+:107D60008F8600540A0008602411000837F800804C
73210+:107D70008F020038AFE200048FF90004AF19003C15
73211+:107D80000A00086C3C0780008F8600540A000860D7
73212+:107D900024110004A0A200090E00007E00000000D3
73213+:107DA0000A0008608F860054240200140A00093A71
73214+:107DB000A0A2000927BDFFE8AFB000103C10800072
73215+:107DC000AFBF001436020100904400090E00075DA9
73216+:107DD000240500013C0480089099000E3483008043
73217+:107DE000909F000F906F00269089000A33F800FFE3
73218+:107DF00000196E000018740031EC00FF01AE502530
73219+:107E0000000C5A00014B3825312800FF3603014091
73220+:107E10003445600000E830252402FF813C04100056
73221+:107E2000AC66000C8FBF0014AC650014A062001299
73222+:107E3000AE0401788FB0001003E0000827BD0018E1
73223+:107E400027BDFFE8308400FFAFBF00100E00075DC4
73224+:107E500030A500FF3C05800034A4014034470040B9
73225+:107E60002406FF92AC870014A08600128F83005472
73226+:107E70008FBF00103C02100027BD0018AC83000C1F
73227+:107E800003E00008ACA2017827BDFFD8AFB0001016
73228+:107E9000308400FF30B000FF3C058000AFB100141B
73229+:107EA000AFBF0020AFB3001CAFB20018000410C277
73230+:107EB00034A60100320300023051000114600007B3
73231+:107EC00090D200093C098008353300809268000593
73232+:107ED0003107000810E0000C308A00100240202119
73233+:107EE0000E00078302202821240200018FBF0020FA
73234+:107EF0008FB3001C8FB200188FB100148FB0001028
73235+:107F000003E0000827BD00281540003434A50A000E
73236+:107F10008CB800248CAF0008130F004B00003821F0
73237+:107F20003C0D800835B30080926C00682406000286
73238+:107F3000318B00FF116600843C06800034C20100D2
73239+:107F40009263004C90590009307F00FF53F9000400
73240+:107F50003213007C10E00069000000003213007C46
73241+:107F60005660005C0240202116200009320D0001FD
73242+:107F70003C0C800035840100358B0A008D6500249F
73243+:107F80008C86000414A6FFD900001021320D0001D8
73244+:107F900011A0000E024020213C1880003710010083
73245+:107FA0008E0F000C8F8E005011EE000800000000B4
73246+:107FB0000E000843022028218E19000C3C1F800867
73247+:107FC00037F00080AE190050024020210E000771EA
73248+:107FD000022028210A00098F240200013C05080024
73249+:107FE0008CA5006424A400013C010800AC240064BA
73250+:107FF0001600000D00000000022028210E0007716D
73251+:1080000002402021926E0068240C000231CD00FF56
73252+:1080100011AC0022024020210E00094100000000A6
73253+:108020000A00098F240200010E00007024040001E0
73254+:10803000926B0025020B30250E00007EA266002503
73255+:108040000A0009D3022028218E6200188CDF000468
73256+:108050008CB9002400021E0217F9FFB13065007FC1
73257+:108060009268004C264400013093007F1265004066
73258+:10807000310300FF1464FFAB3C0D8008264700016C
73259+:1080800030F1007F30E200FF1225000B24070001D1
73260+:10809000004090210A00099C2411000124050004DD
73261+:1080A0000E000732240600010E0009410000000006
73262+:1080B0000A00098F240200012405FF8002452024C4
73263+:1080C00000859026324200FF004090210A00099C62
73264+:1080D000241100010E00084302202821320700303D
73265+:1080E00010E0FFA132100082024020210E00078321
73266+:1080F000022028210A00098F240200018E6900183D
73267+:108100000240202102202821012640250E0009647A
73268+:10811000AE6800189264004C240500032406000198
73269+:108120000E000732308400FF0E00007024040001AE
73270+:1081300092710025021150250E00007EA26A0025D2
73271+:108140000A00098F240200018E6F00183C1880007D
73272+:108150000240202101F87025022028210E0007711D
73273+:10816000AE6E00189264004C0A000A1B240500043D
73274+:10817000324A0080394900801469FF6A3C0D80084A
73275+:108180000A0009F42647000127BDFFC0AFB0001860
73276+:108190003C108000AFBF0038AFB70034AFB600303E
73277+:1081A000AFB5002CAFB40028AFB30024AFB20020AD
73278+:1081B0000E0005BEAFB1001C360201009045000B59
73279+:1081C0000E00097690440008144000E78FBF003885
73280+:1081D0003C08800835070080A0E0006B3606098067
73281+:1081E00090C50000240300503C17080026F73F907C
73282+:1081F00030A400FF3C13080026733FA01083000347
73283+:108200003C1080000000B82100009821241F0010BD
73284+:108210003611010036120A00361509808E580024E6
73285+:108220008E3400048EAF00208F8C00543C01080077
73286+:10823000A03F3FD836190A80972B002C8EF60000FD
73287+:10824000932A00180298702301EC68233C0108006F
73288+:10825000AC2E3FB43C010800AC2D3FB83C010800F7
73289+:10826000AC2C3FDCA78B005802C0F809315400FF4A
73290+:1082700030490002152000E930420001504000C49E
73291+:108280009227000992A90008312800081500000271
73292+:10829000241500030000A8213C0A80003543090092
73293+:1082A00035440A008C8D00249072001190700012E9
73294+:1082B000907F0011325900FF321100FF02B11021EE
73295+:1082C0000002C08033EF00FF0319B021028F70213C
73296+:1082D00002D4602125CB00103C010800A4363FCE1B
73297+:1082E0003C010800AC2D3FE03C010800A42C3FD02D
73298+:1082F0003C010800A42B3FCC3556010035540980C1
73299+:1083000035510E008F8700548F89005C8E850020C8
73300+:1083100024080006012730233C010800AC283FD484
73301+:1083200000A7282304C000B50000902104A000B3DA
73302+:1083300000C5502B114000B5000000003C010800B2
73303+:10834000AC263FB88E6200000040F8090000000033
73304+:108350003046000214C0007400408021304B000100
73305+:10836000556000118E6200043C0D08008DAD3FBCCD
73306+:108370003C0EC0003C04800001AE6025AE2C000025
73307+:108380008C980000330F000811E0FFFD0000000092
73308+:10839000963F000824120001A79F00408E39000478
73309+:1083A000AF9900388E6200040040F8090000000018
73310+:1083B0000202802532030002146000B300000000B6
73311+:1083C0003C09080095293FC43C06080094C63FD0EC
73312+:1083D0003C0A0800954A3FC63C0708008CE73FBCB2
73313+:1083E000012670213C0308008C633FE03C08080034
73314+:1083F00095083FDA01CA20218ED9000C00E9282116
73315+:10840000249F000200A878210067C02133E4FFFF09
73316+:10841000AF9900503C010800AC383FE03C01080037
73317+:10842000A42F3FC83C010800A42E3FD20E0001E754
73318+:10843000000000008F8D0048004020213C01080012
73319+:10844000A02D3FD98E62000825AC0001AF8C0048FA
73320+:108450000040F809000000008F85005402A0302180
73321+:108460000E00060C004020210E0007A10040202134
73322+:108470008E6B000C0160F809004020213C0A0800C6
73323+:10848000954A3FD23C06080094C63FC601464821A3
73324+:10849000252800020E0001FB3104FFFF3C05080007
73325+:1084A0008CA53FB43C0708008CE73FBC00A7202305
73326+:1084B0003C010800AC243FB414800006000000001A
73327+:1084C0003C0208008C423FD4344B00403C01080081
73328+:1084D000AC2B3FD4124000438F8E00448E2D0010F1
73329+:1084E0008F920044AE4D00208E2C0018AE4C00241C
73330+:1084F0003C04080094843FC80E0006FA0000000007
73331+:108500008F9F00548E6700103C010800AC3F3FDC99
73332+:1085100000E0F809000000003C1908008F393FB462
73333+:108520001720FF798F870054979300583C11800ED5
73334+:10853000321601000E000729A633002C16C0004594
73335+:10854000320300105460004C8EE5000432080040F5
73336+:108550005500001D8EF000088EE4000C0080F80924
73337+:10856000000000008FBF00388FB700348FB6003096
73338+:108570008FB5002C8FB400288FB300248FB2002059
73339+:108580008FB1001C8FB0001803E0000827BD004029
73340+:108590008F86003C36110E0000072E0000A6202515
73341+:1085A000AE0400808E4300208E500024AFA3001044
73342+:1085B000AE2300148FB20010AE320010AE30001C9B
73343+:1085C0000A000A75AE3000180200F8090000000029
73344+:1085D0008EE4000C0080F809000000000A000B2E59
73345+:1085E0008FBF003824180001240F0001A5C000200F
73346+:1085F000A5D800220A000B10ADCF00243C010800D2
73347+:10860000AC203FB80A000AA68E6200003C010800B8
73348+:10861000AC253FB80A000AA68E6200009224000929
73349+:108620000E000771000028218FBF00388FB700347B
73350+:108630008FB600308FB5002C8FB400288FB3002484
73351+:108640008FB200208FB1001C8FB0001803E000082B
73352+:1086500027BD00403C1480009295010900002821AC
73353+:108660000E00084332A400FF320300105060FFB830
73354+:10867000320800408EE5000400A0F8090000000068
73355+:108680000A000B28320800405240FFA89793005878
73356+:108690008E3400148F930044AE7400208E35001C7D
73357+:1086A000AE7500240A000B1F979300588F820014A8
73358+:1086B0000004218003E00008008210213C078008AC
73359+:1086C00034E200809043006900804021106000097E
73360+:1086D0003C0401003C0708008CE73FDC8F8300303E
73361+:1086E00000E32023048000089389001C14E30003A6
73362+:1086F0000100202103E00008008010213C0401005B
73363+:1087000003E00008008010211120000B00673823CF
73364+:108710003C0D800035AC0980918B007C316A0002F1
73365+:10872000114000202409003400E9702B15C0FFF12E
73366+:108730000100202100E938232403FFFC00A3C82402
73367+:1087400000E3C02400F9782B15E0FFEA030820219C
73368+:1087500030C400030004102314C000143049000387
73369+:108760000000302100A9782101E6702100EE682B7D
73370+:1087700011A0FFE03C0401002D3800010006C82BC9
73371+:10878000010548210319382414E0FFDA2524FFFCF1
73372+:108790002402FFFC00A218240068202103E0000846
73373+:1087A000008010210A000B9E240900303C0C800040
73374+:1087B0003586098090CB007C316A00041540FFE9C2
73375+:1087C000240600040A000BAD000030213C03080021
73376+:1087D0008C63005C8F82001827BDFFE0AFBF0018DC
73377+:1087E000AFB1001410620005AFB00010000329C043
73378+:1087F00024A40280AF840014AF8300183C108000D2
73379+:1088000036020A0094450032361101000E000B7F3B
73380+:1088100030A43FFF8E240000241FFF803C11008005
73381+:108820000082C021031F60243309007F000CC9406F
73382+:1088300003294025330E0078362F00033C0D10002D
73383+:10884000010D502501CF5825AE0C002836080980AF
73384+:10885000AE0C080CAE0B082CAE0A08309103006970
73385+:108860003C06800C0126382110600006AF870034DA
73386+:108870008D09003C8D03006C0123382318E0008231
73387+:10888000000000003C0B8008356A00803C1080002E
73388+:10889000A1400069360609808CC200383C06800081
73389+:1088A00034C50A0090A8003C310C00201180001A49
73390+:1088B000AF820030240D00013C0E800035D10A004B
73391+:1088C000A38D001CAF8000248E2400248F850024FB
73392+:1088D000240D0008AF800020AF8000283C01080074
73393+:1088E000A42D3FC63C010800A4203FDA0E000B83F4
73394+:1088F000000030219228003C8FBF00188FB1001477
73395+:108900008FB0001000086142AF82002C27BD00200C
73396+:1089100003E000083182000190B80032240E00010B
73397+:10892000330F00FF000F2182108E00412419000236
73398+:108930001099006434C40AC03C03800034640A0007
73399+:108940008C8F002415E0001E34660900909F0030D3
73400+:108950002418000533F9003F1338004E24030001AA
73401+:108960008F860020A383001CAF860028AF860024DA
73402+:108970003C0E800035D10A008E2400248F8500240F
73403+:10898000240D00083C010800A42D3FC63C0108004E
73404+:10899000A4203FDA0E000B83000000009228003C68
73405+:1089A0008FBF00188FB100148FB000100008614213
73406+:1089B000AF82002C27BD002003E0000831820001B7
73407+:1089C0008C8A00088C8B00248CD000643C0E8000C4
73408+:1089D00035D10A00014B2823AF900024A380001C4E
73409+:1089E000AF8500288E2400248F8600208F850024E8
73410+:1089F000240D00083C010800A42D3FC63C010800DE
73411+:108A0000A4203FDA0E000B83000000009228003CF7
73412+:108A10008FBF00188FB100148FB0001000086142A2
73413+:108A2000AF82002C27BD002003E000083182000146
73414+:108A300090A200303051003F5224002834C50AC0B3
73415+:108A40008CB000241600002234CB09008CA600480C
73416+:108A50003C0A7FFF3545FFFF00C510243C0E800017
73417+:108A6000AF82002035C509008F8800208CAD0060E2
73418+:108A7000010D602B15800002010020218CA40060F4
73419+:108A80000A000C22AF8400208D02006C0A000BFC4F
73420+:108A90003C0680008C8200488F8600203C097FFFC6
73421+:108AA0003527FFFF004788243C0480082403000189
73422+:108AB000AF910028AC80006CA383001C0A000C302E
73423+:108AC000AF8600248C9F00140A000C22AF9F002068
73424+:108AD0008D6200680A000C6C3C0E800034C4098072
73425+:108AE0008C8900708CA300140123382B10E0000443
73426+:108AF000000000008C8200700A000C6C3C0E8000AC
73427+:108B00008CA200140A000C6C3C0E80008F8500249F
73428+:108B100027BDFFE0AFBF0018AFB1001414A00008DC
73429+:108B2000AFB000103C04800034870A0090E60030AB
73430+:108B30002402000530C3003F106200B934840900EC
73431+:108B40008F91002000A080213C048000348E0A0018
73432+:108B50008DCD00043C0608008CC63FB831A73FFF0E
73433+:108B600000E6602B5580000100E03021938F001C4F
73434+:108B700011E0007800D0282B349F098093F9007C05
73435+:108B800033380002130000792403003400C3102B93
73436+:108B9000144000D90000000000C3302300D0282B6F
73437+:108BA0003C010800A4233FC414A0006E0200182159
73438+:108BB0003C0408008C843FB40064402B5500000145
73439+:108BC000006020213C05800034A90A00912A003C65
73440+:108BD0003C010800AC243FBC31430020146000037A
73441+:108BE0000000482134AB0E008D6900188F88002CDE
73442+:108BF0000128202B1080005F000000003C050800C9
73443+:108C00008CA53FBC00A96821010D602B1180005C80
73444+:108C100000B0702B0109382300E028213C01080036
73445+:108C2000AC273FBC12000003240AFFFC10B0008DEB
73446+:108C30003224000300AA18243C010800A4203FDAD3
73447+:108C40003C010800AC233FBC006028218F84002435
73448+:108C5000120400063C0B80088D6C006C0200202181
73449+:108C6000AF91002025900001AD70006C8F8D002821
73450+:108C700000858823AF91002401A52023AF8400281C
73451+:108C80001220000224070018240700103C18800856
73452+:108C90003706008090CF00683C010800A0273FD82D
73453+:108CA0002407000131EE00FF11C70047000000005B
73454+:108CB00014800018000028213C06800034D109806F
73455+:108CC00034CD010091A600098E2C001824C40001A7
73456+:108CD000000C86023205007F308B007F1165007F1B
73457+:108CE0002407FF803C19800837290080A124004C0C
73458+:108CF0003C0808008D083FD4241800023C010800FD
73459+:108D0000A0384019350F00083C010800AC2F3FD4B3
73460+:108D1000240500103C02800034440A009083003C8B
73461+:108D2000307F002013E0000500A02021240A00016C
73462+:108D30003C010800AC2A3FBC34A400018FBF0018DE
73463+:108D40008FB100148FB000100080102103E00008E4
73464+:108D500027BD00203C010800A4203FC410A0FF94C0
73465+:108D6000020018210A000CC000C018210A000CB72C
73466+:108D7000240300303C0508008CA53FBC00B0702BDC
73467+:108D800011C0FFA8000000003C19080097393FC43B
73468+:108D90000325C0210307782B11E000072CAA00044B
73469+:108DA0003C0360008C625404305F003F17E0FFE337
73470+:108DB000240400422CAA00041140FF9A240400421B
73471+:108DC0000A000D248FBF00181528FFB9000000000D
73472+:108DD0008CCA00183C1F800024020002015F182585
73473+:108DE000ACC3001837F90A00A0C200689329003C00
73474+:108DF0002404000400A01021312800203C010800B8
73475+:108E0000A0244019110000022405001024020001D2
73476+:108E10003C010800AC223FB40A000D1A3C0280005D
73477+:108E20008F8800288C8900600109282B14A000027B
73478+:108E3000010088218C9100603C048000348B0E007E
73479+:108E40008D640018240A000102202821022030210C
73480+:108E5000A38A001C0E000B83022080210A000CA6AE
73481+:108E6000AF82002C00045823122000073164000355
73482+:108E70003C0E800035C7098090ED007C31AC0004C9
73483+:108E800015800019248F00043C010800A4243FDA57
73484+:108E90003C1F080097FF3FDA03E5C82100D9C02B2B
73485+:108EA0001300FF6B8F8400242CA6000514C0FFA3C1
73486+:108EB0002404004230A200031440000200A2182340
73487+:108EC00024A3FFFC3C010800AC233FBC3C0108008C
73488+:108ED000A4203FDA0A000CE70060282100C77024B4
73489+:108EE0000A000D0D01C720263C010800A42F3FDA1F
73490+:108EF0000A000D78000000003C010800AC203FBCD7
73491+:108F00000A000D23240400428F8300283C058000C2
73492+:108F100034AA0A00146000060000102191470030B6
73493+:108F20002406000530E400FF108600030000000066
73494+:108F300003E0000800000000914B0048316900FF89
73495+:108F4000000941C21500FFFA3C0680083C040800F5
73496+:108F500094843FC43C0308008C633FDC3C19080048
73497+:108F60008F393FBC3C0F080095EF3FDA0064C02109
73498+:108F70008CCD00040319702101CF602134AB0E00A9
73499+:108F8000018D282318A0001D00000000914F004C07
73500+:108F90008F8C0034956D001031EE00FF8D89000438
73501+:108FA00001AE30238D8A000030CEFFFF000E290075
73502+:108FB0000125C82100003821014720210325182B55
73503+:108FC0000083C021AD990004AD980000918F000A84
73504+:108FD00001CF6821A18D000A956500128F8A0034A7
73505+:108FE000A5450008954B003825690001A5490038C2
73506+:108FF0009148000D35070008A147000D03E0000867
73507+:109000000000000027BDFFD8AFB000189388001CF7
73508+:109010008FB000143C0A80003C197FFF8F8700242A
73509+:109020003738FFFFAFBF0020AFB1001C355F0A002B
73510+:109030000218182493EB003C00087FC03C02BFFFDD
73511+:10904000006F60252CF000013449FFFF3C1F080031
73512+:109050008FFF3FDC8F9900303C18080097183FD2F3
73513+:1090600001897824001047803C07EFFF3C05F0FFA2
73514+:1090700001E818253C1180003169002034E2FFFF2F
73515+:1090800034ADFFFF362E098027A50010240600020C
73516+:1090900003F96023270B0002354A0E0000621824F2
73517+:1090A0000080802115200002000040218D48001C16
73518+:1090B000A7AB0012058000392407000030E800FF4C
73519+:1090C00000083F00006758253C028008AFAB001441
73520+:1090D000344F008091EA00683C08080091083FD9AD
73521+:1090E0003C09DFFF352CFFFF000AF82B3C0208008B
73522+:1090F00094423FCCA3A80011016CC024001FCF40B4
73523+:10910000031918258FA70010AFA300143C0C08000A
73524+:10911000918C3FDBA7A200168FAB001400ED482412
73525+:109120003C0F01003C0A0FFF012FC82531980003B6
73526+:10913000355FFFFF016D40243C027000033F38247F
73527+:1091400000181E0000E2482501037825AFAF001487
73528+:10915000AFA9001091CC007C0E000092A3AC0015CA
73529+:10916000362D0A0091A6003C30C400201080000675
73530+:10917000260200083C11080096313FC8262EFFFF4A
73531+:109180003C010800A42E3FC88FBF00208FB1001CF7
73532+:109190008FB0001803E0000827BD00288F8B002C3B
73533+:1091A000010B502B5540FFC5240700010A000E0497
73534+:1091B00030E800FF9383001C3C02800027BDFFD8ED
73535+:1091C00034480A0000805021AFBF002034460AC056
73536+:1091D000010028211060000E3444098091070030FE
73537+:1091E000240B00058F89002030EC003F118B000B11
73538+:1091F00000003821AFA900103C0B80088D69006C7D
73539+:10920000AFAA00180E00015AAFA90014A380001CD9
73540+:109210008FBF002003E0000827BD00288D1F0048F5
73541+:109220003C1808008F183FBC8F9900283C027FFF34
73542+:109230008D0800443443FFFFAFA900103C0B8008A9
73543+:109240008D69006C03E370240319782101CF682332
73544+:1092500001A83821AFAA00180E00015AAFA90014C6
73545+:109260000A000E58A380001C3C05800034A60A00AA
73546+:1092700090C7003C3C06080094C63FDA3C02080058
73547+:109280008C423FD430E30020000624001060001E12
73548+:10929000004438253C0880083505008090A300680C
73549+:1092A00000004821240800010000282124040001B6
73550+:1092B0003C0680008CCD017805A0FFFE34CF014034
73551+:1092C000ADE800083C0208008C423FDCA5E5000444
73552+:1092D000A5E40006ADE2000C3C04080090843FD9F0
73553+:1092E0003C03800834790080A1E40012ADE700144B
73554+:1092F000A5E900189338004C3C0E1000A1F8002D91
73555+:1093000003E00008ACCE017834A90E008D28001CC3
73556+:109310003C0C08008D8C3FBC952B0016952A001440
73557+:10932000018648213164FFFF0A000E803145FFFFAE
73558+:109330003C04800034830A009065003C30A2002089
73559+:109340001040001934870E00000040210000382131
73560+:10935000000020213C0680008CC901780520FFFE1A
73561+:1093600034CA014034CF010091EB0009AD48000838
73562+:109370003C0E08008DCE3FDC240DFF91240C0040F4
73563+:109380003C081000A5440004A5470006AD4E000CA3
73564+:10939000A14D0012AD4C0014A5400018A14B002DAA
73565+:1093A00003E00008ACC801788CE8001894E60012CD
73566+:1093B00094E4001030C7FFFF0A000EA93084FFFFBD
73567+:1093C0003C04800034830A009065003C30A20020F9
73568+:1093D0001040002727BDFFF82409000100003821B4
73569+:1093E000240800013C0680008CCA01780540FFFE7D
73570+:1093F0003C0280FF34C40100908D00093C0C080041
73571+:10940000918C4019A3AD00038FAB00003185007F24
73572+:109410003459FFFF01665025AFAA00009083000A6F
73573+:10942000A3A0000200057E00A3A300018FB80000E6
73574+:1094300034CB0140240C30000319702401CF68257F
73575+:10944000AD6D000C27BD0008AD6C0014A5600018C0
73576+:10945000AD690008A56700042409FF80A56800061F
73577+:109460003C081000A169001203E00008ACC80178B4
73578+:1094700034870E008CE9001894E6001294E4001082
73579+:1094800030C8FFFF0A000ECD3087FFFF27BDFFE089
73580+:10949000AFB100143C118000AFB00010AFBF001896
73581+:1094A00036380A00970F0032363001000E000B7F6D
73582+:1094B00031E43FFF8E0E0000240DFF803C042000AD
73583+:1094C00001C25821016D6024000C4940316A007FBF
73584+:1094D000012A4025010438253C048008AE270830C5
73585+:1094E0003486008090C500682403000230A200FF8B
73586+:1094F000104300048F9F00208F990024AC9F0068C8
73587+:10950000AC9900648FBF00188FB100148FB00010A9
73588+:1095100003E0000827BD00203C0A0800254A3A80E5
73589+:109520003C09080025293B103C08080025082F1C91
73590+:109530003C07080024E73BDC3C06080024C639044D
73591+:109540003C05080024A536583C0408002484325CFD
73592+:109550003C030800246339B83C0208002442375415
73593+:109560003C010800AC2A3F983C010800AC293F941C
73594+:109570003C010800AC283F903C010800AC273F9C10
73595+:109580003C010800AC263FAC3C010800AC253FA4E0
73596+:109590003C010800AC243FA03C010800AC233FB0D4
73597+:1095A0003C010800AC223FA803E0000800000000D6
73598+:1095B00080000940800009008008010080080080C8
73599+:1095C00080080000800E00008008008080080000F5
73600+:1095D00080000A8080000A00800009808000090065
73601+:00000001FF
73602diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt
73603index 2d0cbbd..a6d6149 100644
73604--- a/fs/Kconfig.binfmt
73605+++ b/fs/Kconfig.binfmt
73606@@ -103,7 +103,7 @@ config HAVE_AOUT
73607
73608 config BINFMT_AOUT
73609 tristate "Kernel support for a.out and ECOFF binaries"
73610- depends on HAVE_AOUT
73611+ depends on HAVE_AOUT && BROKEN
73612 ---help---
73613 A.out (Assembler.OUTput) is a set of formats for libraries and
73614 executables used in the earliest versions of UNIX. Linux used
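Review bot: Nothing in the entry says why `BINFMT_AOUT` now depends on `BROKEN`, so someone who can no longer select it has no explanation. A one-line `#` comment above `depends on HAVE_AOUT && BROKEN` stating the reason would fix that. The same patch still adds PaX flag handling and a `PROT_EXEC` change to fs/binfmt_aout.c; with this dependency that code is only built when `BROKEN` is enabled, which is worth stating as well if it is intended.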
73615diff --git a/fs/afs/inode.c b/fs/afs/inode.c
73616index e06f5a2..81d07ac 100644
73617--- a/fs/afs/inode.c
73618+++ b/fs/afs/inode.c
73619@@ -141,7 +141,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
73620 struct afs_vnode *vnode;
73621 struct super_block *sb;
73622 struct inode *inode;
73623- static atomic_t afs_autocell_ino;
73624+ static atomic_unchecked_t afs_autocell_ino;
73625
73626 _enter("{%x:%u},%*.*s,",
73627 AFS_FS_I(dir)->fid.vid, AFS_FS_I(dir)->fid.vnode,
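Review bot: Nothing at the declaration says why `afs_autocell_ino` may wrap, although the switch to `atomic_unchecked_t` here (and to `atomic_inc_return_unchecked()` in the next hunk) opts the counter out of overflow detection. The value is only passed to `iget5_locked()` as its hash value. A comment such as `/* hash value for iget5_locked() only; wraparound is harmless */` would record the reasoning, if that is indeed the reasoning. The body of afs_iget_autocell continues outside both hunks.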
73628@@ -154,7 +154,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
73629 data.fid.unique = 0;
73630 data.fid.vnode = 0;
73631
73632- inode = iget5_locked(sb, atomic_inc_return(&afs_autocell_ino),
73633+ inode = iget5_locked(sb, atomic_inc_return_unchecked(&afs_autocell_ino),
73634 afs_iget5_autocell_test, afs_iget5_set,
73635 &data);
73636 if (!inode) {
73637diff --git a/fs/aio.c b/fs/aio.c
73638index 480440f..623fd88 100644
73639--- a/fs/aio.c
73640+++ b/fs/aio.c
73641@@ -441,7 +441,7 @@ static int aio_setup_ring(struct kioctx *ctx)
73642 size += sizeof(struct io_event) * nr_events;
73643
73644 nr_pages = PFN_UP(size);
73645- if (nr_pages < 0)
73646+ if (nr_pages <= 0)
73647 return -EINVAL;
73648
73649 file = aio_private_file(ctx, nr_pages);
73650diff --git a/fs/attr.c b/fs/attr.c
73651index 6530ced..4a827e2 100644
73652--- a/fs/attr.c
73653+++ b/fs/attr.c
73654@@ -102,6 +102,7 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
73655 unsigned long limit;
73656
73657 limit = rlimit(RLIMIT_FSIZE);
73658+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
73659 if (limit != RLIM_INFINITY && offset > limit)
73660 goto out_sig;
73661 if (offset > inode->i_sb->s_maxbytes)
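Review bot: The cast `(unsigned long)offset` in the added gr_learn_resource() call narrows a `loff_t`, so on a 32-bit kernel a size above 4 GiB would be recorded truncated. The limit test on the following line compares the untruncated `offset`, so the learned figure and the enforced one can disagree. If gr_learn_resource() cannot take a 64-bit value (its prototype is outside this hunk), clamp instead of truncating: `offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset`. The body of inode_newsize_ok continues outside the hunk.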
73662diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
73663index 35b755e..f4b9e0a 100644
73664--- a/fs/autofs4/waitq.c
73665+++ b/fs/autofs4/waitq.c
73666@@ -59,7 +59,7 @@ static int autofs4_write(struct autofs_sb_info *sbi,
73667 {
73668 unsigned long sigpipe, flags;
73669 mm_segment_t fs;
73670- const char *data = (const char *)addr;
73671+ const char __user *data = (const char __force_user *)addr;
73672 ssize_t wr = 0;
73673
73674 sigpipe = sigismember(&current->pending.signal, SIGPIPE);
73675@@ -340,6 +340,10 @@ static int validate_request(struct autofs_wait_queue **wait,
73676 return 1;
73677 }
73678
73679+#ifdef CONFIG_GRKERNSEC_HIDESYM
73680+static atomic_unchecked_t autofs_dummy_name_id = ATOMIC_INIT(0);
73681+#endif
73682+
73683 int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
73684 enum autofs_notify notify)
73685 {
73686@@ -385,7 +389,12 @@ int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
73687
73688 /* If this is a direct mount request create a dummy name */
73689 if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
73690+#ifdef CONFIG_GRKERNSEC_HIDESYM
73691+ /* this name does get written to userland via autofs4_write() */
73692+ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
73693+#else
73694 qstr.len = sprintf(name, "%p", dentry);
73695+#endif
73696 else {
73697 qstr.len = autofs4_getpath(sbi, dentry, &name);
73698 if (!qstr.len) {
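Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `#else` pair sits inside an unbraced `if` ... `else`, so which statement forms the `if` body depends on the preprocessor. Bracing the branch would keep a later edit from detaching the `else`. Both variants also write into `name` with an unbounded `sprintf()`, and the size of `name` is not visible in this hunk; `scnprintf(name, <size of name>, "%08x", ...)` would make the bound explicit. The counter behind the dummy name is an `atomic_unchecked_t`, so a name can repeat after it wraps. That is presumably acceptable for a per-request label, but a comment should say so.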
73699diff --git a/fs/befs/endian.h b/fs/befs/endian.h
73700index 2722387..56059b5 100644
73701--- a/fs/befs/endian.h
73702+++ b/fs/befs/endian.h
73703@@ -11,7 +11,7 @@
73704
73705 #include <asm/byteorder.h>
73706
73707-static inline u64
73708+static inline u64 __intentional_overflow(-1)
73709 fs64_to_cpu(const struct super_block *sb, fs64 n)
73710 {
73711 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
73712@@ -29,7 +29,7 @@ cpu_to_fs64(const struct super_block *sb, u64 n)
73713 return (__force fs64)cpu_to_be64(n);
73714 }
73715
73716-static inline u32
73717+static inline u32 __intentional_overflow(-1)
73718 fs32_to_cpu(const struct super_block *sb, fs32 n)
73719 {
73720 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
73721@@ -47,7 +47,7 @@ cpu_to_fs32(const struct super_block *sb, u32 n)
73722 return (__force fs32)cpu_to_be32(n);
73723 }
73724
73725-static inline u16
73726+static inline u16 __intentional_overflow(-1)
73727 fs16_to_cpu(const struct super_block *sb, fs16 n)
73728 {
73729 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
73730diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c
73731index 4c55668..eeae150 100644
73732--- a/fs/binfmt_aout.c
73733+++ b/fs/binfmt_aout.c
73734@@ -16,6 +16,7 @@
73735 #include <linux/string.h>
73736 #include <linux/fs.h>
73737 #include <linux/file.h>
73738+#include <linux/security.h>
73739 #include <linux/stat.h>
73740 #include <linux/fcntl.h>
73741 #include <linux/ptrace.h>
73742@@ -58,6 +59,8 @@ static int aout_core_dump(struct coredump_params *cprm)
73743 #endif
73744 # define START_STACK(u) ((void __user *)u.start_stack)
73745
73746+ memset(&dump, 0, sizeof(dump));
73747+
73748 fs = get_fs();
73749 set_fs(KERNEL_DS);
73750 has_dumped = 1;
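Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment, so its purpose is easy to lose in a later cleanup. `dump` is presumably a stack structure that ends up in the core file, in which case unset fields and padding would otherwise carry stale kernel stack contents. Suggested comment: `/* clear padding and unset fields before the struct is written out */`. The declaration of `dump` and the write itself are outside this hunk, so confirm against the full function.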
73751@@ -68,10 +71,12 @@ static int aout_core_dump(struct coredump_params *cprm)
73752
73753 /* If the size of the dump file exceeds the rlimit, then see what would happen
73754 if we wrote the stack, but not the data area. */
73755+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
73756 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
73757 dump.u_dsize = 0;
73758
73759 /* Make sure we have enough room to write the stack and data areas. */
73760+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
73761 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
73762 dump.u_ssize = 0;
73763
73764@@ -232,6 +237,8 @@ static int load_aout_binary(struct linux_binprm * bprm)
73765 rlim = rlimit(RLIMIT_DATA);
73766 if (rlim >= RLIM_INFINITY)
73767 rlim = ~0;
73768+
73769+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
73770 if (ex.a_data + ex.a_bss > rlim)
73771 return -ENOMEM;
73772
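Review bot: The value handed to gr_learn_resource() is the raw sum `ex.a_data + ex.a_bss`, taken from the executable's header. If that sum can wrap (the field types are not visible here), the learned figure understates the real request, just as the existing `> rlim` test would. Computing the sum once in a wider local with an explicit overflow check, and using it for both the learn call and the comparison, would cover both. The two gr_learn_resource() calls added to aout_core_dump in the previous hunk repeat their size expressions in the same way.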
73773@@ -261,6 +268,27 @@ static int load_aout_binary(struct linux_binprm * bprm)
73774
73775 install_exec_creds(bprm);
73776
73777+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
73778+ current->mm->pax_flags = 0UL;
73779+#endif
73780+
73781+#ifdef CONFIG_PAX_PAGEEXEC
73782+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
73783+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
73784+
73785+#ifdef CONFIG_PAX_EMUTRAMP
73786+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
73787+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
73788+#endif
73789+
73790+#ifdef CONFIG_PAX_MPROTECT
73791+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
73792+ current->mm->pax_flags |= MF_PAX_MPROTECT;
73793+#endif
73794+
73795+ }
73796+#endif
73797+
73798 if (N_MAGIC(ex) == OMAGIC) {
73799 unsigned long text_addr, map_size;
73800 loff_t pos;
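Review bot: The three header bits are read with different polarity and nothing says so. `MF_PAX_PAGEEXEC` and `MF_PAX_MPROTECT` are enabled when `F_PAX_PAGEEXEC` / `F_PAX_MPROTECT` are clear in `N_FLAGS(ex)`, while `MF_PAX_EMUTRAMP` is enabled when `F_PAX_EMUTRAMP` is set. A comment above the block, e.g. `/* F_PAX_PAGEEXEC and F_PAX_MPROTECT opt out, F_PAX_EMUTRAMP opts in */`, would prevent misreading. Unlike the ELF path later in this patch, the result is not passed through pax_check_flags() and no RANDMMAP or SEGMEXEC bit is handled. If that is intentional for a.out it should be stated.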
73801@@ -312,7 +340,7 @@ static int load_aout_binary(struct linux_binprm * bprm)
73802 return error;
73803
73804 error = vm_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
73805- PROT_READ | PROT_WRITE | PROT_EXEC,
73806+ PROT_READ | PROT_WRITE,
73807 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
73808 fd_offset + ex.a_text);
73809 if (error != N_DATADDR(ex))
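Review bot: The data mapping loses `PROT_EXEC` for every a.out binary, independent of any CONFIG_PAX_* option and of whether `MF_PAX_PAGEEXEC` was selected by the flag block added earlier in this function. If the unconditional change is deliberate, a comment should say so, e.g. `/* data segment is never mapped executable, with or without PaX */`. `MAP_EXECUTABLE` is still passed on the next line, which reads oddly beside the reduced protection and deserves a word in the same comment. The body of load_aout_binary continues outside this hunk.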
73810diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
73811index 6b65996..080df24 100644
73812--- a/fs/binfmt_elf.c
73813+++ b/fs/binfmt_elf.c
73814@@ -35,6 +35,7 @@
73815 #include <linux/utsname.h>
73816 #include <linux/coredump.h>
73817 #include <linux/sched.h>
73818+#include <linux/xattr.h>
73819 #include <asm/uaccess.h>
73820 #include <asm/param.h>
73821 #include <asm/page.h>
73822@@ -48,7 +49,7 @@
73823
73824 static int load_elf_binary(struct linux_binprm *bprm);
73825 static unsigned long elf_map(struct file *, unsigned long, struct elf_phdr *,
73826- int, int, unsigned long);
73827+ int, int, unsigned long) __intentional_overflow(-1);
73828
73829 #ifdef CONFIG_USELIB
73830 static int load_elf_library(struct file *);
73831@@ -66,6 +67,14 @@ static int elf_core_dump(struct coredump_params *cprm);
73832 #define elf_core_dump NULL
73833 #endif
73834
73835+#ifdef CONFIG_PAX_MPROTECT
73836+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
73837+#endif
73838+
73839+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
73840+static void elf_handle_mmap(struct file *file);
73841+#endif
73842+
73843 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
73844 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
73845 #else
73846@@ -85,6 +94,15 @@ static struct linux_binfmt elf_format = {
73847 .load_binary = load_elf_binary,
73848 .load_shlib = load_elf_library,
73849 .core_dump = elf_core_dump,
73850+
73851+#ifdef CONFIG_PAX_MPROTECT
73852+ .handle_mprotect= elf_handle_mprotect,
73853+#endif
73854+
73855+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
73856+ .handle_mmap = elf_handle_mmap,
73857+#endif
73858+
73859 .min_coredump = ELF_EXEC_PAGESIZE,
73860 };
73861
73862@@ -92,6 +110,8 @@ static struct linux_binfmt elf_format = {
73863
73864 static int set_brk(unsigned long start, unsigned long end)
73865 {
73866+ unsigned long e = end;
73867+
73868 start = ELF_PAGEALIGN(start);
73869 end = ELF_PAGEALIGN(end);
73870 if (end > start) {
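Review bot: Neither the name `e` nor a comment says what the new local is for. It keeps the caller's unaligned `end` so that the second hunk's `current->mm->start_brk = current->mm->brk = e;` no longer stores the page-aligned value. Something like `unsigned long brk_end = end; /* unaligned: becomes mm->brk */` would make the intent readable. Whether other users of `mm->brk` expect a page-aligned value is not visible here and is worth checking.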
73871@@ -100,7 +120,7 @@ static int set_brk(unsigned long start, unsigned long end)
73872 if (BAD_ADDR(addr))
73873 return addr;
73874 }
73875- current->mm->start_brk = current->mm->brk = end;
73876+ current->mm->start_brk = current->mm->brk = e;
73877 return 0;
73878 }
73879
73880@@ -161,12 +181,13 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
73881 elf_addr_t __user *u_rand_bytes;
73882 const char *k_platform = ELF_PLATFORM;
73883 const char *k_base_platform = ELF_BASE_PLATFORM;
73884- unsigned char k_rand_bytes[16];
73885+ u32 k_rand_bytes[4];
73886 int items;
73887 elf_addr_t *elf_info;
73888 int ei_index = 0;
73889 const struct cred *cred = current_cred();
73890 struct vm_area_struct *vma;
73891+ unsigned long saved_auxv[AT_VECTOR_SIZE];
73892
73893 /*
73894 * In some cases (e.g. Hyper-Threading), we want to avoid L1
73895@@ -208,8 +229,12 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
73896 * Generate 16 random bytes for userspace PRNG seeding.
73897 */
73898 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
73899- u_rand_bytes = (elf_addr_t __user *)
73900- STACK_ALLOC(p, sizeof(k_rand_bytes));
73901+ prandom_seed(k_rand_bytes[0] ^ prandom_u32());
73902+ prandom_seed(k_rand_bytes[1] ^ prandom_u32());
73903+ prandom_seed(k_rand_bytes[2] ^ prandom_u32());
73904+ prandom_seed(k_rand_bytes[3] ^ prandom_u32());
73905+ p = STACK_ROUND(p, sizeof(k_rand_bytes));
73906+ u_rand_bytes = (elf_addr_t __user *) p;
73907 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
73908 return -EFAULT;
73909
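Review bot: `u_rand_bytes` is now derived from `STACK_ROUND(p, sizeof(k_rand_bytes))` instead of `STACK_ALLOC()`, and the two macros are defined outside this hunk, so their equivalence cannot be confirmed here. If STACK_ROUND yields the new stack top rather than the start of the reserved area on a grows-up stack, the 16 bytes would land beyond the reservation, so both variants of the macro need checking. The four `prandom_seed()` calls also feed the kernel PRNG with the same words that `__copy_to_user()` then hands to user space. A comment should explain why that is acceptable, presumably because each word is XORed with `prandom_u32()` first.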
73910@@ -324,9 +349,11 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
73911 return -EFAULT;
73912 current->mm->env_end = p;
73913
73914+ memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
73915+
73916 /* Put the elf_info on the stack in the right place. */
73917 sp = (elf_addr_t __user *)envp + 1;
73918- if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
73919+ if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
73920 return -EFAULT;
73921 return 0;
73922 }
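Review bot: `saved_auxv` is declared as `unsigned long saved_auxv[AT_VECTOR_SIZE]` in the first create_elf_tables hunk, but it is filled and copied out in units of `elf_addr_t`. The element type therefore does not match its use; `elf_addr_t saved_auxv[AT_VECTOR_SIZE];` would. The `memcpy()` length `ei_index * sizeof(elf_addr_t)` is not checked against the array in the visible lines, so an explicit bound on `ei_index` before the copy would document that it cannot exceed the buffer. A comment on why `elf_info` is bounced through the stack before `copy_to_user()` is also missing.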
73923@@ -515,14 +542,14 @@ static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
73924 an ELF header */
73925
73926 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
73927- struct file *interpreter, unsigned long *interp_map_addr,
73928+ struct file *interpreter,
73929 unsigned long no_base, struct elf_phdr *interp_elf_phdata)
73930 {
73931 struct elf_phdr *eppnt;
73932- unsigned long load_addr = 0;
73933+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
73934 int load_addr_set = 0;
73935 unsigned long last_bss = 0, elf_bss = 0;
73936- unsigned long error = ~0UL;
73937+ unsigned long error = -EINVAL;
73938 unsigned long total_size;
73939 int i;
73940
73941@@ -542,6 +569,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
73942 goto out;
73943 }
73944
73945+#ifdef CONFIG_PAX_SEGMEXEC
73946+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
73947+ pax_task_size = SEGMEXEC_TASK_SIZE;
73948+#endif
73949+
73950 eppnt = interp_elf_phdata;
73951 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
73952 if (eppnt->p_type == PT_LOAD) {
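Review bot: The choice of `pax_task_size` from `MF_PAX_SEGMEXEC` added here is written out a second time in load_elf_binary later in this patch (`pax_task_size = SEGMEXEC_TASK_SIZE;` with `pax_task_size = TASK_SIZE;` as the fallback). The two limits can therefore drift apart. A small static helper that returns the task size for `current->mm`, used at both sites, would keep them in step. The body of load_elf_interp starts and ends outside this hunk.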
73953@@ -565,8 +597,6 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
73954 map_addr = elf_map(interpreter, load_addr + vaddr,
73955 eppnt, elf_prot, elf_type, total_size);
73956 total_size = 0;
73957- if (!*interp_map_addr)
73958- *interp_map_addr = map_addr;
73959 error = map_addr;
73960 if (BAD_ADDR(map_addr))
73961 goto out;
73962@@ -585,8 +615,8 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
73963 k = load_addr + eppnt->p_vaddr;
73964 if (BAD_ADDR(k) ||
73965 eppnt->p_filesz > eppnt->p_memsz ||
73966- eppnt->p_memsz > TASK_SIZE ||
73967- TASK_SIZE - eppnt->p_memsz < k) {
73968+ eppnt->p_memsz > pax_task_size ||
73969+ pax_task_size - eppnt->p_memsz < k) {
73970 error = -ENOMEM;
73971 goto out;
73972 }
73973@@ -625,9 +655,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
73974 elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
73975
73976 /* Map the last of the bss segment */
73977- error = vm_brk(elf_bss, last_bss - elf_bss);
73978- if (BAD_ADDR(error))
73979- goto out;
73980+ if (last_bss > elf_bss) {
73981+ error = vm_brk(elf_bss, last_bss - elf_bss);
73982+ if (BAD_ADDR(error))
73983+ goto out;
73984+ }
73985 }
73986
73987 error = load_addr;
73988@@ -635,6 +667,336 @@ out:
73989 return error;
73990 }
73991
73992+#ifdef CONFIG_PAX_PT_PAX_FLAGS
73993+#ifdef CONFIG_PAX_SOFTMODE
73994+static unsigned long pax_parse_pt_pax_softmode(const struct elf_phdr * const elf_phdata)
73995+{
73996+ unsigned long pax_flags = 0UL;
73997+
73998+#ifdef CONFIG_PAX_PAGEEXEC
73999+ if (elf_phdata->p_flags & PF_PAGEEXEC)
74000+ pax_flags |= MF_PAX_PAGEEXEC;
74001+#endif
74002+
74003+#ifdef CONFIG_PAX_SEGMEXEC
74004+ if (elf_phdata->p_flags & PF_SEGMEXEC)
74005+ pax_flags |= MF_PAX_SEGMEXEC;
74006+#endif
74007+
74008+#ifdef CONFIG_PAX_EMUTRAMP
74009+ if ((elf_phdata->p_flags & PF_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
74010+ pax_flags |= MF_PAX_EMUTRAMP;
74011+#endif
74012+
74013+#ifdef CONFIG_PAX_MPROTECT
74014+ if (elf_phdata->p_flags & PF_MPROTECT)
74015+ pax_flags |= MF_PAX_MPROTECT;
74016+#endif
74017+
74018+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74019+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
74020+ pax_flags |= MF_PAX_RANDMMAP;
74021+#endif
74022+
74023+ return pax_flags;
74024+}
74025+#endif
74026+
74027+static unsigned long pax_parse_pt_pax_hardmode(const struct elf_phdr * const elf_phdata)
74028+{
74029+ unsigned long pax_flags = 0UL;
74030+
74031+#ifdef CONFIG_PAX_PAGEEXEC
74032+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
74033+ pax_flags |= MF_PAX_PAGEEXEC;
74034+#endif
74035+
74036+#ifdef CONFIG_PAX_SEGMEXEC
74037+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
74038+ pax_flags |= MF_PAX_SEGMEXEC;
74039+#endif
74040+
74041+#ifdef CONFIG_PAX_EMUTRAMP
74042+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
74043+ pax_flags |= MF_PAX_EMUTRAMP;
74044+#endif
74045+
74046+#ifdef CONFIG_PAX_MPROTECT
74047+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
74048+ pax_flags |= MF_PAX_MPROTECT;
74049+#endif
74050+
74051+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74052+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
74053+ pax_flags |= MF_PAX_RANDMMAP;
74054+#endif
74055+
74056+ return pax_flags;
74057+}
74058+#endif
74059+
74060+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
74061+#ifdef CONFIG_PAX_SOFTMODE
74062+static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode)
74063+{
74064+ unsigned long pax_flags = 0UL;
74065+
74066+#ifdef CONFIG_PAX_PAGEEXEC
74067+ if (pax_flags_softmode & MF_PAX_PAGEEXEC)
74068+ pax_flags |= MF_PAX_PAGEEXEC;
74069+#endif
74070+
74071+#ifdef CONFIG_PAX_SEGMEXEC
74072+ if (pax_flags_softmode & MF_PAX_SEGMEXEC)
74073+ pax_flags |= MF_PAX_SEGMEXEC;
74074+#endif
74075+
74076+#ifdef CONFIG_PAX_EMUTRAMP
74077+ if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
74078+ pax_flags |= MF_PAX_EMUTRAMP;
74079+#endif
74080+
74081+#ifdef CONFIG_PAX_MPROTECT
74082+ if (pax_flags_softmode & MF_PAX_MPROTECT)
74083+ pax_flags |= MF_PAX_MPROTECT;
74084+#endif
74085+
74086+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74087+ if (randomize_va_space && (pax_flags_softmode & MF_PAX_RANDMMAP))
74088+ pax_flags |= MF_PAX_RANDMMAP;
74089+#endif
74090+
74091+ return pax_flags;
74092+}
74093+#endif
74094+
74095+static unsigned long pax_parse_xattr_pax_hardmode(unsigned long pax_flags_hardmode)
74096+{
74097+ unsigned long pax_flags = 0UL;
74098+
74099+#ifdef CONFIG_PAX_PAGEEXEC
74100+ if (!(pax_flags_hardmode & MF_PAX_PAGEEXEC))
74101+ pax_flags |= MF_PAX_PAGEEXEC;
74102+#endif
74103+
74104+#ifdef CONFIG_PAX_SEGMEXEC
74105+ if (!(pax_flags_hardmode & MF_PAX_SEGMEXEC))
74106+ pax_flags |= MF_PAX_SEGMEXEC;
74107+#endif
74108+
74109+#ifdef CONFIG_PAX_EMUTRAMP
74110+ if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP))
74111+ pax_flags |= MF_PAX_EMUTRAMP;
74112+#endif
74113+
74114+#ifdef CONFIG_PAX_MPROTECT
74115+ if (!(pax_flags_hardmode & MF_PAX_MPROTECT))
74116+ pax_flags |= MF_PAX_MPROTECT;
74117+#endif
74118+
74119+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74120+ if (randomize_va_space && !(pax_flags_hardmode & MF_PAX_RANDMMAP))
74121+ pax_flags |= MF_PAX_RANDMMAP;
74122+#endif
74123+
74124+ return pax_flags;
74125+}
74126+#endif
74127+
74128+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
74129+static unsigned long pax_parse_defaults(void)
74130+{
74131+ unsigned long pax_flags = 0UL;
74132+
74133+#ifdef CONFIG_PAX_SOFTMODE
74134+ if (pax_softmode)
74135+ return pax_flags;
74136+#endif
74137+
74138+#ifdef CONFIG_PAX_PAGEEXEC
74139+ pax_flags |= MF_PAX_PAGEEXEC;
74140+#endif
74141+
74142+#ifdef CONFIG_PAX_SEGMEXEC
74143+ pax_flags |= MF_PAX_SEGMEXEC;
74144+#endif
74145+
74146+#ifdef CONFIG_PAX_MPROTECT
74147+ pax_flags |= MF_PAX_MPROTECT;
74148+#endif
74149+
74150+#ifdef CONFIG_PAX_RANDMMAP
74151+ if (randomize_va_space)
74152+ pax_flags |= MF_PAX_RANDMMAP;
74153+#endif
74154+
74155+ return pax_flags;
74156+}
74157+
74158+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
74159+{
74160+ unsigned long pax_flags = PAX_PARSE_FLAGS_FALLBACK;
74161+
74162+#ifdef CONFIG_PAX_EI_PAX
74163+
74164+#ifdef CONFIG_PAX_SOFTMODE
74165+ if (pax_softmode)
74166+ return pax_flags;
74167+#endif
74168+
74169+ pax_flags = 0UL;
74170+
74171+#ifdef CONFIG_PAX_PAGEEXEC
74172+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
74173+ pax_flags |= MF_PAX_PAGEEXEC;
74174+#endif
74175+
74176+#ifdef CONFIG_PAX_SEGMEXEC
74177+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
74178+ pax_flags |= MF_PAX_SEGMEXEC;
74179+#endif
74180+
74181+#ifdef CONFIG_PAX_EMUTRAMP
74182+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
74183+ pax_flags |= MF_PAX_EMUTRAMP;
74184+#endif
74185+
74186+#ifdef CONFIG_PAX_MPROTECT
74187+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
74188+ pax_flags |= MF_PAX_MPROTECT;
74189+#endif
74190+
74191+#ifdef CONFIG_PAX_ASLR
74192+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
74193+ pax_flags |= MF_PAX_RANDMMAP;
74194+#endif
74195+
74196+#endif
74197+
74198+ return pax_flags;
74199+
74200+}
74201+
74202+static unsigned long pax_parse_pt_pax(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
74203+{
74204+
74205+#ifdef CONFIG_PAX_PT_PAX_FLAGS
74206+ unsigned long i;
74207+
74208+ for (i = 0UL; i < elf_ex->e_phnum; i++)
74209+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
74210+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
74211+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
74212+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
74213+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
74214+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
74215+ return PAX_PARSE_FLAGS_FALLBACK;
74216+
74217+#ifdef CONFIG_PAX_SOFTMODE
74218+ if (pax_softmode)
74219+ return pax_parse_pt_pax_softmode(&elf_phdata[i]);
74220+ else
74221+#endif
74222+
74223+ return pax_parse_pt_pax_hardmode(&elf_phdata[i]);
74224+ break;
74225+ }
74226+#endif
74227+
74228+ return PAX_PARSE_FLAGS_FALLBACK;
74229+}
74230+
74231+static unsigned long pax_parse_xattr_pax(struct file * const file)
74232+{
74233+
74234+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
74235+ ssize_t xattr_size, i;
74236+ unsigned char xattr_value[sizeof("pemrs") - 1];
74237+ unsigned long pax_flags_hardmode = 0UL, pax_flags_softmode = 0UL;
74238+
74239+ xattr_size = pax_getxattr(file->f_path.dentry, xattr_value, sizeof xattr_value);
74240+ if (xattr_size < 0 || xattr_size > sizeof xattr_value)
74241+ return PAX_PARSE_FLAGS_FALLBACK;
74242+
74243+ for (i = 0; i < xattr_size; i++)
74244+ switch (xattr_value[i]) {
74245+ default:
74246+ return PAX_PARSE_FLAGS_FALLBACK;
74247+
74248+#define parse_flag(option1, option2, flag) \
74249+ case option1: \
74250+ if (pax_flags_hardmode & MF_PAX_##flag) \
74251+ return PAX_PARSE_FLAGS_FALLBACK;\
74252+ pax_flags_hardmode |= MF_PAX_##flag; \
74253+ break; \
74254+ case option2: \
74255+ if (pax_flags_softmode & MF_PAX_##flag) \
74256+ return PAX_PARSE_FLAGS_FALLBACK;\
74257+ pax_flags_softmode |= MF_PAX_##flag; \
74258+ break;
74259+
74260+ parse_flag('p', 'P', PAGEEXEC);
74261+ parse_flag('e', 'E', EMUTRAMP);
74262+ parse_flag('m', 'M', MPROTECT);
74263+ parse_flag('r', 'R', RANDMMAP);
74264+ parse_flag('s', 'S', SEGMEXEC);
74265+
74266+#undef parse_flag
74267+ }
74268+
74269+ if (pax_flags_hardmode & pax_flags_softmode)
74270+ return PAX_PARSE_FLAGS_FALLBACK;
74271+
74272+#ifdef CONFIG_PAX_SOFTMODE
74273+ if (pax_softmode)
74274+ return pax_parse_xattr_pax_softmode(pax_flags_softmode);
74275+ else
74276+#endif
74277+
74278+ return pax_parse_xattr_pax_hardmode(pax_flags_hardmode);
74279+#else
74280+ return PAX_PARSE_FLAGS_FALLBACK;
74281+#endif
74282+
74283+}
74284+
74285+static long pax_parse_pax_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata, struct file * const file)
74286+{
74287+ unsigned long pax_flags, ei_pax_flags, pt_pax_flags, xattr_pax_flags;
74288+
74289+ pax_flags = pax_parse_defaults();
74290+ ei_pax_flags = pax_parse_ei_pax(elf_ex);
74291+ pt_pax_flags = pax_parse_pt_pax(elf_ex, elf_phdata);
74292+ xattr_pax_flags = pax_parse_xattr_pax(file);
74293+
74294+ if (pt_pax_flags != PAX_PARSE_FLAGS_FALLBACK &&
74295+ xattr_pax_flags != PAX_PARSE_FLAGS_FALLBACK &&
74296+ pt_pax_flags != xattr_pax_flags)
74297+ return -EINVAL;
74298+ if (xattr_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
74299+ pax_flags = xattr_pax_flags;
74300+ else if (pt_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
74301+ pax_flags = pt_pax_flags;
74302+ else if (ei_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
74303+ pax_flags = ei_pax_flags;
74304+
74305+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
74306+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
74307+ if ((__supported_pte_mask & _PAGE_NX))
74308+ pax_flags &= ~MF_PAX_SEGMEXEC;
74309+ else
74310+ pax_flags &= ~MF_PAX_PAGEEXEC;
74311+ }
74312+#endif
74313+
74314+ if (0 > pax_check_flags(&pax_flags))
74315+ return -EINVAL;
74316+
74317+ current->mm->pax_flags = pax_flags;
74318+ return 0;
74319+}
74320+#endif
74321+
74322 /*
74323 * These are the functions used to load ELF style executables and shared
74324 * libraries. There is no binary dependent code anywhere else.
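Review bot: pax_parse_pax_flags() has no comment stating how the four flag sources are combined, which is what a maintainer most needs here. The xattr result wins over PT_PAX_FLAGS, which wins over EI_PAX, which wins over pax_parse_defaults(), and a PT_PAX_FLAGS/xattr disagreement fails with `-EINVAL`. A malformed marking yields `PAX_PARSE_FLAGS_FALLBACK` and is skipped rather than rejected; that covers an unknown or repeated xattr character, a flag given in both cases, and contradictory PT bits. This should be documented too. In pax_parse_pt_pax() the `break;` after the `return` statements cannot be reached and can be dropped.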
74325@@ -648,6 +1010,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
74326 {
74327 unsigned long random_variable = 0;
74328
74329+#ifdef CONFIG_PAX_RANDUSTACK
74330+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
74331+ return stack_top - current->mm->delta_stack;
74332+#endif
74333+
74334 if ((current->flags & PF_RANDOMIZE) &&
74335 !(current->personality & ADDR_NO_RANDOMIZE)) {
74336 random_variable = (unsigned long) get_random_int();
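Review bot: The early return for `MF_PAX_RANDMMAP` runs before the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test. Under CONFIG_PAX_RANDUSTACK the personality flag therefore no longer turns stack randomization off for a task that carries the PaX flag. If that is the intent, state it at the branch: `/* PaX: delta_stack applies regardless of ADDR_NO_RANDOMIZE */`. The remainder of randomize_stack_top is outside this hunk.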
74337@@ -667,7 +1034,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
74338 unsigned long load_addr = 0, load_bias = 0;
74339 int load_addr_set = 0;
74340 char * elf_interpreter = NULL;
74341- unsigned long error;
74342+ unsigned long error = 0;
74343 struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
74344 unsigned long elf_bss, elf_brk;
74345 int retval, i;
74346@@ -682,6 +1049,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
74347 struct elfhdr interp_elf_ex;
74348 } *loc;
74349 struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
74350+ unsigned long pax_task_size;
74351
74352 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
74353 if (!loc) {
74354@@ -840,6 +1208,77 @@ static int load_elf_binary(struct linux_binprm *bprm)
74355 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
74356 may depend on the personality. */
74357 SET_PERSONALITY2(loc->elf_ex, &arch_state);
74358+
74359+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
74360+ current->mm->pax_flags = 0UL;
74361+#endif
74362+
74363+#ifdef CONFIG_PAX_DLRESOLVE
74364+ current->mm->call_dl_resolve = 0UL;
74365+#endif
74366+
74367+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
74368+ current->mm->call_syscall = 0UL;
74369+#endif
74370+
74371+#ifdef CONFIG_PAX_ASLR
74372+ current->mm->delta_mmap = 0UL;
74373+ current->mm->delta_stack = 0UL;
74374+#endif
74375+
74376+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
74377+ if (0 > pax_parse_pax_flags(&loc->elf_ex, elf_phdata, bprm->file)) {
74378+ retval = -EINVAL;
74379+ goto out_free_dentry;
74380+ }
74381+#endif
74382+
74383+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
74384+ pax_set_initial_flags(bprm);
74385+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
74386+ if (pax_set_initial_flags_func)
74387+ (pax_set_initial_flags_func)(bprm);
74388+#endif
74389+
74390+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
74391+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
74392+ current->mm->context.user_cs_limit = PAGE_SIZE;
74393+ current->mm->def_flags |= VM_PAGEEXEC | VM_NOHUGEPAGE;
74394+ }
74395+#endif
74396+
74397+#ifdef CONFIG_PAX_SEGMEXEC
74398+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
74399+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
74400+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
74401+ pax_task_size = SEGMEXEC_TASK_SIZE;
74402+ current->mm->def_flags |= VM_NOHUGEPAGE;
74403+ } else
74404+#endif
74405+
74406+ pax_task_size = TASK_SIZE;
74407+
74408+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
74409+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
74410+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
74411+ put_cpu();
74412+ }
74413+#endif
74414+
74415+#ifdef CONFIG_PAX_ASLR
74416+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
74417+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
74418+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
74419+ }
74420+#endif
74421+
74422+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
74423+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
74424+ executable_stack = EXSTACK_DISABLE_X;
74425+ current->personality &= ~READ_IMPLIES_EXEC;
74426+ } else
74427+#endif
74428+
74429 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
74430 current->personality |= READ_IMPLIES_EXEC;
74431
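Review bot: pax_set_initial_flags() / `pax_set_initial_flags_func` run after pax_parse_pax_flags(), and nothing in this hunk validates `current->mm->pax_flags` again afterwards. The parsed flags, by contrast, went through pax_check_flags() and the PAGEEXEC/SEGMEXEC exclusion. If the hook can change the flags (its body is not visible), the checks should be repeated after it, or the hook's contract documented at the call. Separately, `} else` followed by `#endif` and an unbraced statement appears twice, before `pax_task_size = TASK_SIZE;` and before the `elf_read_implies_exec()` test. Braces or a comment at each `#endif` would make the pairing obvious.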
74432@@ -915,8 +1354,21 @@ static int load_elf_binary(struct linux_binprm *bprm)
74433 if (current->flags & PF_RANDOMIZE)
74434 load_bias += arch_mmap_rnd();
74435 load_bias = ELF_PAGESTART(load_bias);
74436- total_size = total_mapping_size(elf_phdata,
74437- loc->elf_ex.e_phnum);
74438+
74439+#ifdef CONFIG_PAX_RANDMMAP
74440+ /* PaX: randomize base address at the default exe base if requested */
74441+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
74442+#ifdef CONFIG_SPARC64
74443+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
74444+#else
74445+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
74446+#endif
74447+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
74448+ elf_flags |= MAP_FIXED;
74449+ }
74450+#endif
74451+
74452+ total_size = total_mapping_size(elf_phdata, loc->elf_ex.e_phnum);
74453 if (!total_size) {
74454 retval = -EINVAL;
74455 goto out_free_dentry;
74456@@ -952,9 +1404,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
74457 * allowed task size. Note that p_filesz must always be
74458 * <= p_memsz so it is only necessary to check p_memsz.
74459 */
74460- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
74461- elf_ppnt->p_memsz > TASK_SIZE ||
74462- TASK_SIZE - elf_ppnt->p_memsz < k) {
74463+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
74464+ elf_ppnt->p_memsz > pax_task_size ||
74465+ pax_task_size - elf_ppnt->p_memsz < k) {
74466 /* set_brk can never work. Avoid overflows. */
74467 retval = -EINVAL;
74468 goto out_free_dentry;
74469@@ -990,16 +1442,43 @@ static int load_elf_binary(struct linux_binprm *bprm)
74470 if (retval)
74471 goto out_free_dentry;
74472 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
74473- retval = -EFAULT; /* Nobody gets to see this, but.. */
74474- goto out_free_dentry;
74475+ /*
74476+ * This bss-zeroing can fail if the ELF
74477+ * file specifies odd protections. So
74478+ * we don't check the return value
74479+ */
74480 }
74481
74482+#ifdef CONFIG_PAX_RANDMMAP
74483+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
74484+ unsigned long start, size, flags;
74485+ vm_flags_t vm_flags;
74486+
74487+ start = ELF_PAGEALIGN(elf_brk);
74488+ size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
74489+ flags = MAP_FIXED | MAP_PRIVATE;
74490+ vm_flags = VM_DONTEXPAND | VM_DONTDUMP;
74491+
74492+ down_write(&current->mm->mmap_sem);
74493+ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
74494+ retval = -ENOMEM;
74495+ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
74496+// if (current->personality & ADDR_NO_RANDOMIZE)
74497+// vm_flags |= VM_READ | VM_MAYREAD;
74498+ start = mmap_region(NULL, start, PAGE_ALIGN(size), vm_flags, 0);
74499+ retval = IS_ERR_VALUE(start) ? start : 0;
74500+ }
74501+ up_write(&current->mm->mmap_sem);
74502+ if (retval == 0)
74503+ retval = set_brk(start + size, start + size + PAGE_SIZE);
74504+ if (retval < 0)
74505+ goto out_free_dentry;
74506+ }
74507+#endif
74508+
74509 if (elf_interpreter) {
74510- unsigned long interp_map_addr = 0;
74511-
74512 elf_entry = load_elf_interp(&loc->interp_elf_ex,
74513 interpreter,
74514- &interp_map_addr,
74515 load_bias, interp_elf_phdata);
74516 if (!IS_ERR((void *)elf_entry)) {
74517 /*
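Review bot: The gap size `PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4)` uses two unexplained constants, and the two `//`-commented `ADDR_NO_RANDOMIZE` lines inside the `find_vma_intersection()` branch are dead code with no rationale. I would delete the commented-out lines and put a comment above the `size` assignment, for example `/* random gap before the heap: up to 64MB in 16-byte steps, mapped without VM_READ/VM_WRITE */`. The `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement now has an empty body, so a failed bss clear is silent; a bare `(void)padzero(elf_bss);` under the first condition would state that intent more directly. `retval = IS_ERR_VALUE(start) ? start : 0;` also narrows an `unsigned long` to `retval` implicitly, so an explicit `(int)` cast would help. load_elf_binary() starts and ends outside this hunk.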
74518@@ -1050,6 +1529,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
74519 current->mm->end_data = end_data;
74520 current->mm->start_stack = bprm->p;
74521
74522+#ifndef CONFIG_PAX_RANDMMAP
74523 if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
74524 current->mm->brk = current->mm->start_brk =
74525 arch_randomize_brk(current->mm);
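Review bot: The `#ifndef CONFIG_PAX_RANDMMAP` added here (closed by the `#endif` in the next hunk) removes the stock `arch_randomize_brk()` path at build time, while the replacement gap in the `@@ -990,16 +1442,43 @@` hunk only runs when `MF_PAX_RANDMMAP` is set on the task at run time. A task on such a kernel with that flag cleared therefore appears to get no brk randomization at all, even with `PF_RANDOMIZE` set and `randomize_va_space > 1`. If that is intended, a comment next to the `#ifndef` should say so, e.g. `/* PaX: brk is randomized in the RANDMMAP block above; tasks without MF_PAX_RANDMMAP get a fixed brk */`. Otherwise the guard should become a run-time test on `pax_flags`.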
74526@@ -1057,6 +1537,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
74527 current->brk_randomized = 1;
74528 #endif
74529 }
74530+#endif
74531
74532 if (current->personality & MMAP_PAGE_ZERO) {
74533 /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
74534@@ -1225,7 +1706,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
74535 * Decide what to dump of a segment, part, all or none.
74536 */
74537 static unsigned long vma_dump_size(struct vm_area_struct *vma,
74538- unsigned long mm_flags)
74539+ unsigned long mm_flags, long signr)
74540 {
74541 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
74542
74543@@ -1263,7 +1744,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
74544 if (vma->vm_file == NULL)
74545 return 0;
74546
74547- if (FILTER(MAPPED_PRIVATE))
74548+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
74549 goto whole;
74550
74551 /*
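Review bot: The added `signr == SIGKILL ||` test makes a SIGKILL-triggered dump take the `whole` path for every file-backed mapping, regardless of the `MMF_DUMP_MAPPED_PRIVATE` filter bit, and nothing in the code says why. Such cores can be larger and hold mapping contents that the process's dump filter had excluded, which matters to whoever stores or ships them. I would add a comment on that line such as `/* a dump forced by SIGKILL ignores the MAPPED_PRIVATE filter so the full image is available for analysis */`. The new parameter is also declared `long signr` in the previous hunk while the caller passes `cprm->siginfo->si_signo`, so `int` would match the source type. vma_dump_size() continues outside this hunk.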
74552@@ -1363,7 +1844,7 @@ static void fill_elf_header(struct elfhdr *elf, int segs,
74553 return;
74554 }
74555
74556-static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
74557+static void fill_elf_note_phdr(struct elf_phdr *phdr, size_t sz, loff_t offset)
74558 {
74559 phdr->p_type = PT_NOTE;
74560 phdr->p_offset = offset;
74561@@ -1470,9 +1951,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
74562 {
74563 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
74564 int i = 0;
74565- do
74566+ do {
74567 i += 2;
74568- while (auxv[i - 2] != AT_NULL);
74569+ } while (auxv[i - 2] != AT_NULL);
74570 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
74571 }
74572
74573@@ -1481,7 +1962,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
74574 {
74575 mm_segment_t old_fs = get_fs();
74576 set_fs(KERNEL_DS);
74577- copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo);
74578+ copy_siginfo_to_user((user_siginfo_t __force_user *) csigdata, siginfo);
74579 set_fs(old_fs);
74580 fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
74581 }
74582@@ -2201,7 +2682,7 @@ static int elf_core_dump(struct coredump_params *cprm)
74583 vma = next_vma(vma, gate_vma)) {
74584 unsigned long dump_size;
74585
74586- dump_size = vma_dump_size(vma, cprm->mm_flags);
74587+ dump_size = vma_dump_size(vma, cprm->mm_flags, cprm->siginfo->si_signo);
74588 vma_filesz[i++] = dump_size;
74589 vma_data_size += dump_size;
74590 }
74591@@ -2309,6 +2790,167 @@ out:
74592
74593 #endif /* CONFIG_ELF_CORE */
74594
74595+#ifdef CONFIG_PAX_MPROTECT
74596+/* PaX: non-PIC ELF libraries need relocations on their executable segments
74597+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
74598+ * we'll remove VM_MAYWRITE for good on RELRO segments.
74599+ *
74600+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
74601+ * basis because we want to allow the common case and not the special ones.
74602+ */
74603+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
74604+{
74605+ struct elfhdr elf_h;
74606+ struct elf_phdr elf_p;
74607+ unsigned long i;
74608+ unsigned long oldflags;
74609+ bool is_textrel_rw, is_textrel_rx, is_relro;
74610+
74611+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT) || !vma->vm_file)
74612+ return;
74613+
74614+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
74615+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
74616+
74617+#ifdef CONFIG_PAX_ELFRELOCS
74618+ /* possible TEXTREL */
74619+ is_textrel_rw = !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
74620+ is_textrel_rx = vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
74621+#else
74622+ is_textrel_rw = false;
74623+ is_textrel_rx = false;
74624+#endif
74625+
74626+ /* possible RELRO */
74627+ is_relro = vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
74628+
74629+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
74630+ return;
74631+
74632+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
74633+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
74634+
74635+#ifdef CONFIG_PAX_ETEXECRELOCS
74636+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
74637+#else
74638+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
74639+#endif
74640+
74641+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
74642+ !elf_check_arch(&elf_h) ||
74643+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
74644+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
74645+ return;
74646+
74647+ for (i = 0UL; i < elf_h.e_phnum; i++) {
74648+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
74649+ return;
74650+ switch (elf_p.p_type) {
74651+ case PT_DYNAMIC:
74652+ if (!is_textrel_rw && !is_textrel_rx)
74653+ continue;
74654+ i = 0UL;
74655+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
74656+ elf_dyn dyn;
74657+
74658+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
74659+ break;
74660+ if (dyn.d_tag == DT_NULL)
74661+ break;
74662+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
74663+ gr_log_textrel(vma, is_textrel_rw);
74664+ if (is_textrel_rw)
74665+ vma->vm_flags |= VM_MAYWRITE;
74666+ else
74667+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
74668+ vma->vm_flags &= ~VM_MAYWRITE;
74669+ break;
74670+ }
74671+ i++;
74672+ }
74673+ is_textrel_rw = false;
74674+ is_textrel_rx = false;
74675+ continue;
74676+
74677+ case PT_GNU_RELRO:
74678+ if (!is_relro)
74679+ continue;
74680+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
74681+ vma->vm_flags &= ~VM_MAYWRITE;
74682+ is_relro = false;
74683+ continue;
74684+
74685+#ifdef CONFIG_PAX_PT_PAX_FLAGS
74686+ case PT_PAX_FLAGS: {
74687+ const char *msg_mprotect = "", *msg_emutramp = "";
74688+ char *buffer_lib, *buffer_exe;
74689+
74690+ if (elf_p.p_flags & PF_NOMPROTECT)
74691+ msg_mprotect = "MPROTECT disabled";
74692+
74693+#ifdef CONFIG_PAX_EMUTRAMP
74694+ if (!(vma->vm_mm->pax_flags & MF_PAX_EMUTRAMP) && !(elf_p.p_flags & PF_NOEMUTRAMP))
74695+ msg_emutramp = "EMUTRAMP enabled";
74696+#endif
74697+
74698+ if (!msg_mprotect[0] && !msg_emutramp[0])
74699+ continue;
74700+
74701+ if (!printk_ratelimit())
74702+ continue;
74703+
74704+ buffer_lib = (char *)__get_free_page(GFP_KERNEL);
74705+ buffer_exe = (char *)__get_free_page(GFP_KERNEL);
74706+ if (buffer_lib && buffer_exe) {
74707+ char *path_lib, *path_exe;
74708+
74709+ path_lib = pax_get_path(&vma->vm_file->f_path, buffer_lib, PAGE_SIZE);
74710+ path_exe = pax_get_path(&vma->vm_mm->exe_file->f_path, buffer_exe, PAGE_SIZE);
74711+
74712+ pr_info("PAX: %s wants %s%s%s on %s\n", path_lib, msg_mprotect,
74713+ (msg_mprotect[0] && msg_emutramp[0] ? " and " : ""), msg_emutramp, path_exe);
74714+
74715+ }
74716+ free_page((unsigned long)buffer_exe);
74717+ free_page((unsigned long)buffer_lib);
74718+ continue;
74719+ }
74720+#endif
74721+
74722+ }
74723+ }
74724+}
74725+#endif
74726+
74727+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
74728+
74729+extern int grsec_enable_log_rwxmaps;
74730+
74731+static void elf_handle_mmap(struct file *file)
74732+{
74733+ struct elfhdr elf_h;
74734+ struct elf_phdr elf_p;
74735+ unsigned long i;
74736+
74737+ if (!grsec_enable_log_rwxmaps)
74738+ return;
74739+
74740+ if (sizeof(elf_h) != kernel_read(file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
74741+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
74742+ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) || !elf_check_arch(&elf_h) ||
74743+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
74744+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
74745+ return;
74746+
74747+ for (i = 0UL; i < elf_h.e_phnum; i++) {
74748+ if (sizeof(elf_p) != kernel_read(file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
74749+ return;
74750+ if (elf_p.p_type == PT_GNU_STACK && (elf_p.p_flags & PF_X))
74751+ gr_log_ptgnustack(file);
74752+ }
74753+}
74754+#endif
74755+
74756 static int __init init_elf_binfmt(void)
74757 {
74758 register_binfmt(&elf_format);
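Review bot: In elf_handle_mprotect() the `PT_DYNAMIC` case resets and advances `i`, which is also the index of the enclosing `for` loop over program headers. After the dynamic-entry scan the outer loop resumes from whatever value the inner scan left, and that value is bounded by the file-supplied `p_filesz`, not by `e_phnum`. Later headers such as `PT_PAX_FLAGS` can therefore be skipped or read again. The loop still terminates because both textrel flags are cleared afterwards, but the header walk no longer matches the file. A separate index for the inner scan fixes this. The `PT_PAX_FLAGS` branch also dereferences `vma->vm_mm->exe_file` without a visible NULL check, which should be confirmed against the callers.
```c
	unsigned long i, j;
	/* … unchanged: flag classification and ELF header validation … */
		case PT_DYNAMIC:
			/* … unchanged: early-out when no TEXTREL candidate … */
			j = 0UL;
			while ((j+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
				elf_dyn dyn;

				if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + j*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
					break;
				/* … unchanged: DT_NULL / DT_TEXTREL handling … */
				j++;
			}
```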
74759diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
74760index d3634bf..10fc244 100644
74761--- a/fs/binfmt_elf_fdpic.c
74762+++ b/fs/binfmt_elf_fdpic.c
74763@@ -1296,7 +1296,7 @@ static inline void fill_elf_fdpic_header(struct elfhdr *elf, int segs)
74764 return;
74765 }
74766
74767-static inline void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
74768+static inline void fill_elf_note_phdr(struct elf_phdr *phdr, size_t sz, loff_t offset)
74769 {
74770 phdr->p_type = PT_NOTE;
74771 phdr->p_offset = offset;
74772@@ -1667,7 +1667,7 @@ static int elf_fdpic_core_dump(struct coredump_params *cprm)
74773
74774 /* Write notes phdr entry */
74775 {
74776- int sz = 0;
74777+ size_t sz = 0;
74778
74779 for (i = 0; i < numnote; i++)
74780 sz += notesize(notes + i);
74781diff --git a/fs/block_dev.c b/fs/block_dev.c
74782index 1982437..dc80c28 100644
74783--- a/fs/block_dev.c
74784+++ b/fs/block_dev.c
74785@@ -738,7 +738,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
74786 else if (bdev->bd_contains == bdev)
74787 return true; /* is a whole device which isn't held */
74788
74789- else if (whole->bd_holder == bd_may_claim)
74790+ else if (whole->bd_holder == (void *)bd_may_claim)
74791 return true; /* is a partition of a device that is being partitioned */
74792 else if (whole->bd_holder != NULL)
74793 return false; /* is a partition of a held device */
74794diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
74795index 54114b4..580cfc9 100644
74796--- a/fs/btrfs/ctree.c
74797+++ b/fs/btrfs/ctree.c
74798@@ -1180,9 +1180,12 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans,
74799 free_extent_buffer(buf);
74800 add_root_to_dirty_list(root);
74801 } else {
74802- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
74803- parent_start = parent->start;
74804- else
74805+ if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
74806+ if (parent)
74807+ parent_start = parent->start;
74808+ else
74809+ parent_start = 0;
74810+ } else
74811 parent_start = 0;
74812
74813 WARN_ON(trans->transid != btrfs_header_generation(parent));
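Review bot: The new `if (parent)` guard only covers the `parent->start` read, while the context line right after it, `WARN_ON(trans->transid != btrfs_header_generation(parent));`, still passes `parent` unconditionally. If `parent` can be NULL on this branch, the check is incomplete. If it cannot, the guard is dead code and could mislead a later reader. Either extend the guard to the `WARN_ON`, or collapse the nested branch to `parent_start = parent ? parent->start : 0;` with a comment stating which case is being defended. __btrfs_cow_block() starts and ends outside this hunk.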
74814diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
74815index a2ae427..53c2e98 100644
74816--- a/fs/btrfs/delayed-inode.c
74817+++ b/fs/btrfs/delayed-inode.c
74818@@ -462,7 +462,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node,
74819
74820 static void finish_one_item(struct btrfs_delayed_root *delayed_root)
74821 {
74822- int seq = atomic_inc_return(&delayed_root->items_seq);
74823+ int seq = atomic_inc_return_unchecked(&delayed_root->items_seq);
74824 if ((atomic_dec_return(&delayed_root->items) <
74825 BTRFS_DELAYED_BACKGROUND || seq % BTRFS_DELAYED_BATCH == 0) &&
74826 waitqueue_active(&delayed_root->wait))
74827@@ -1412,7 +1412,7 @@ void btrfs_assert_delayed_root_empty(struct btrfs_root *root)
74828
74829 static int could_end_wait(struct btrfs_delayed_root *delayed_root, int seq)
74830 {
74831- int val = atomic_read(&delayed_root->items_seq);
74832+ int val = atomic_read_unchecked(&delayed_root->items_seq);
74833
74834 if (val < seq || val >= seq + BTRFS_DELAYED_BATCH)
74835 return 1;
74836@@ -1437,7 +1437,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root)
74837 int seq;
74838 int ret;
74839
74840- seq = atomic_read(&delayed_root->items_seq);
74841+ seq = atomic_read_unchecked(&delayed_root->items_seq);
74842
74843 ret = btrfs_wq_run_delayed_node(delayed_root, fs_info, 0);
74844 if (ret)
74845diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
74846index f70119f..ab5894d 100644
74847--- a/fs/btrfs/delayed-inode.h
74848+++ b/fs/btrfs/delayed-inode.h
74849@@ -43,7 +43,7 @@ struct btrfs_delayed_root {
74850 */
74851 struct list_head prepare_list;
74852 atomic_t items; /* for delayed items */
74853- atomic_t items_seq; /* for delayed items */
74854+ atomic_unchecked_t items_seq; /* for delayed items */
74855 int nodes; /* for delayed nodes */
74856 wait_queue_head_t wait;
74857 };
74858@@ -90,7 +90,7 @@ static inline void btrfs_init_delayed_root(
74859 struct btrfs_delayed_root *delayed_root)
74860 {
74861 atomic_set(&delayed_root->items, 0);
74862- atomic_set(&delayed_root->items_seq, 0);
74863+ atomic_set_unchecked(&delayed_root->items_seq, 0);
74864 delayed_root->nodes = 0;
74865 spin_lock_init(&delayed_root->lock);
74866 init_waitqueue_head(&delayed_root->wait);
74867diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
74868index cd7ef34..1e31ae3 100644
74869--- a/fs/btrfs/super.c
74870+++ b/fs/btrfs/super.c
74871@@ -265,7 +265,7 @@ void __btrfs_abort_transaction(struct btrfs_trans_handle *trans,
74872 function, line, errstr);
74873 return;
74874 }
74875- ACCESS_ONCE(trans->transaction->aborted) = errno;
74876+ ACCESS_ONCE_RW(trans->transaction->aborted) = errno;
74877 /* Wake up anybody who may be waiting on this transaction */
74878 wake_up(&root->fs_info->transaction_wait);
74879 wake_up(&root->fs_info->transaction_blocked_wait);
74880diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
74881index 603b0cc..8e3f600 100644
74882--- a/fs/btrfs/sysfs.c
74883+++ b/fs/btrfs/sysfs.c
74884@@ -481,7 +481,7 @@ static int addrm_unknown_feature_attrs(struct btrfs_fs_info *fs_info, bool add)
74885 for (set = 0; set < FEAT_MAX; set++) {
74886 int i;
74887 struct attribute *attrs[2];
74888- struct attribute_group agroup = {
74889+ attribute_group_no_const agroup = {
74890 .name = "features",
74891 .attrs = attrs,
74892 };
74893diff --git a/fs/btrfs/tests/free-space-tests.c b/fs/btrfs/tests/free-space-tests.c
74894index 2299bfd..4098e72 100644
74895--- a/fs/btrfs/tests/free-space-tests.c
74896+++ b/fs/btrfs/tests/free-space-tests.c
74897@@ -463,7 +463,9 @@ test_steal_space_from_bitmap_to_extent(struct btrfs_block_group_cache *cache)
74898 * extent entry.
74899 */
74900 use_bitmap_op = cache->free_space_ctl->op->use_bitmap;
74901- cache->free_space_ctl->op->use_bitmap = test_use_bitmap;
74902+ pax_open_kernel();
74903+ *(void **)&cache->free_space_ctl->op->use_bitmap = test_use_bitmap;
74904+ pax_close_kernel();
74905
74906 /*
74907 * Extent entry covering free space range [128Mb - 256Kb, 128Mb - 128Kb[
74908@@ -870,7 +872,9 @@ test_steal_space_from_bitmap_to_extent(struct btrfs_block_group_cache *cache)
74909 if (ret)
74910 return ret;
74911
74912- cache->free_space_ctl->op->use_bitmap = use_bitmap_op;
74913+ pax_open_kernel();
74914+ *(void **)&cache->free_space_ctl->op->use_bitmap = use_bitmap_op;
74915+ pax_close_kernel();
74916 __btrfs_remove_free_space_cache(cache->free_space_ctl);
74917
74918 return 0;
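Review bot: The `if (ret) return ret;` just above the restore returns without putting `use_bitmap_op` back, so on that path the ops structure keeps pointing at `test_use_bitmap`. That was already the case before the patch, but the hook is now written through `pax_open_kernel()`, which suggests the structure is otherwise read-only, so a leftover test hook would persist. Other error returns between the two hunks are not visible here and may have the same problem. A single exit label that performs the `pax_open_kernel()` / restore / `pax_close_kernel()` sequence before returning `ret` would cover all of them. A short comment on the `*(void **)&` cast, e.g. `/* ops table is constified; write through an untyped pointer inside the open/close window */`, would also help.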
74919diff --git a/fs/btrfs/tree-log.h b/fs/btrfs/tree-log.h
74920index 6916a78..4598936 100644
74921--- a/fs/btrfs/tree-log.h
74922+++ b/fs/btrfs/tree-log.h
74923@@ -45,7 +45,7 @@ static inline void btrfs_init_log_ctx(struct btrfs_log_ctx *ctx)
74924 static inline void btrfs_set_log_full_commit(struct btrfs_fs_info *fs_info,
74925 struct btrfs_trans_handle *trans)
74926 {
74927- ACCESS_ONCE(fs_info->last_trans_log_full_commit) = trans->transid;
74928+ ACCESS_ONCE_RW(fs_info->last_trans_log_full_commit) = trans->transid;
74929 }
74930
74931 static inline int btrfs_need_log_full_commit(struct btrfs_fs_info *fs_info,
74932diff --git a/fs/buffer.c b/fs/buffer.c
74933index 1cf7a53..b49f8c0 100644
74934--- a/fs/buffer.c
74935+++ b/fs/buffer.c
74936@@ -3440,7 +3440,7 @@ void __init buffer_init(void)
74937 bh_cachep = kmem_cache_create("buffer_head",
74938 sizeof(struct buffer_head), 0,
74939 (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC|
74940- SLAB_MEM_SPREAD),
74941+ SLAB_MEM_SPREAD|SLAB_NO_SANITIZE),
74942 NULL);
74943
74944 /*
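Review bot: `SLAB_NO_SANITIZE` is added to the `buffer_head` cache without any comment. This opts the cache out of free-time sanitization, so the trade-off should be recorded where the flag is set. I would add a line above the `kmem_cache_create()` call such as `/* buffer_head objects are exempt from sanitize-on-free (presumably for performance); confirm they hold no sensitive data */`. buffer_init() continues outside this hunk.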
74945diff --git a/fs/cachefiles/bind.c b/fs/cachefiles/bind.c
74946index 6af790f..ec4c1e6 100644
74947--- a/fs/cachefiles/bind.c
74948+++ b/fs/cachefiles/bind.c
74949@@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachefiles_cache *cache, char *args)
74950 args);
74951
74952 /* start by checking things over */
74953- ASSERT(cache->fstop_percent >= 0 &&
74954- cache->fstop_percent < cache->fcull_percent &&
74955+ ASSERT(cache->fstop_percent < cache->fcull_percent &&
74956 cache->fcull_percent < cache->frun_percent &&
74957 cache->frun_percent < 100);
74958
74959- ASSERT(cache->bstop_percent >= 0 &&
74960- cache->bstop_percent < cache->bcull_percent &&
74961+ ASSERT(cache->bstop_percent < cache->bcull_percent &&
74962 cache->bcull_percent < cache->brun_percent &&
74963 cache->brun_percent < 100);
74964
74965diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
74966index f601def..b2cf704 100644
74967--- a/fs/cachefiles/daemon.c
74968+++ b/fs/cachefiles/daemon.c
74969@@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(struct file *file, char __user *_buffer,
74970 if (n > buflen)
74971 return -EMSGSIZE;
74972
74973- if (copy_to_user(_buffer, buffer, n) != 0)
74974+ if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
74975 return -EFAULT;
74976
74977 return n;
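Review bot: The added `n > sizeof(buffer)` test is folded into the `copy_to_user()` condition, so an internally over-long status string is reported to the caller as `-EFAULT`, the same as a bad user pointer. Splitting it out makes the two failures distinguishable and keeps the bound check visible: `if (n > sizeof(buffer)) return -EMSGSIZE;` before the copy. The declarations of `n` and `buffer` are outside this hunk; if `n` is a signed `int`, the comparison relies on conversion to `size_t` to reject negative values, and a comment should say so.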
74978@@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(struct file *file,
74979 if (test_bit(CACHEFILES_DEAD, &cache->flags))
74980 return -EIO;
74981
74982- if (datalen < 0 || datalen > PAGE_SIZE - 1)
74983+ if (datalen > PAGE_SIZE - 1)
74984 return -EOPNOTSUPP;
74985
74986 /* drag the command string into the kernel so we can parse it */
74987@@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struct cachefiles_cache *cache, char *args)
74988 if (args[0] != '%' || args[1] != '\0')
74989 return -EINVAL;
74990
74991- if (fstop < 0 || fstop >= cache->fcull_percent)
74992+ if (fstop >= cache->fcull_percent)
74993 return cachefiles_daemon_range_error(cache, args);
74994
74995 cache->fstop_percent = fstop;
74996@@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struct cachefiles_cache *cache, char *args)
74997 if (args[0] != '%' || args[1] != '\0')
74998 return -EINVAL;
74999
75000- if (bstop < 0 || bstop >= cache->bcull_percent)
75001+ if (bstop >= cache->bcull_percent)
75002 return cachefiles_daemon_range_error(cache, args);
75003
75004 cache->bstop_percent = bstop;
75005diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
75006index aecd085..3584e2f 100644
75007--- a/fs/cachefiles/internal.h
75008+++ b/fs/cachefiles/internal.h
75009@@ -65,7 +65,7 @@ struct cachefiles_cache {
75010 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
75011 struct rb_root active_nodes; /* active nodes (can't be culled) */
75012 rwlock_t active_lock; /* lock for active_nodes */
75013- atomic_t gravecounter; /* graveyard uniquifier */
75014+ atomic_unchecked_t gravecounter; /* graveyard uniquifier */
75015 unsigned frun_percent; /* when to stop culling (% files) */
75016 unsigned fcull_percent; /* when to start culling (% files) */
75017 unsigned fstop_percent; /* when to stop allocating (% files) */
75018@@ -177,19 +177,19 @@ extern int cachefiles_check_in_use(struct cachefiles_cache *cache,
75019 * proc.c
75020 */
75021 #ifdef CONFIG_CACHEFILES_HISTOGRAM
75022-extern atomic_t cachefiles_lookup_histogram[HZ];
75023-extern atomic_t cachefiles_mkdir_histogram[HZ];
75024-extern atomic_t cachefiles_create_histogram[HZ];
75025+extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
75026+extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
75027+extern atomic_unchecked_t cachefiles_create_histogram[HZ];
75028
75029 extern int __init cachefiles_proc_init(void);
75030 extern void cachefiles_proc_cleanup(void);
75031 static inline
75032-void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
75033+void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
75034 {
75035 unsigned long jif = jiffies - start_jif;
75036 if (jif >= HZ)
75037 jif = HZ - 1;
75038- atomic_inc(&histogram[jif]);
75039+ atomic_inc_unchecked(&histogram[jif]);
75040 }
75041
75042 #else
75043diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
75044index fc1056f..501a546 100644
75045--- a/fs/cachefiles/namei.c
75046+++ b/fs/cachefiles/namei.c
75047@@ -312,7 +312,7 @@ try_again:
75048 /* first step is to make up a grave dentry in the graveyard */
75049 sprintf(nbuffer, "%08x%08x",
75050 (uint32_t) get_seconds(),
75051- (uint32_t) atomic_inc_return(&cache->gravecounter));
75052+ (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
75053
75054 /* do the multiway lock magic */
75055 trap = lock_rename(cache->graveyard, dir);
75056diff --git a/fs/cachefiles/proc.c b/fs/cachefiles/proc.c
75057index eccd339..4c1d995 100644
75058--- a/fs/cachefiles/proc.c
75059+++ b/fs/cachefiles/proc.c
75060@@ -14,9 +14,9 @@
75061 #include <linux/seq_file.h>
75062 #include "internal.h"
75063
75064-atomic_t cachefiles_lookup_histogram[HZ];
75065-atomic_t cachefiles_mkdir_histogram[HZ];
75066-atomic_t cachefiles_create_histogram[HZ];
75067+atomic_unchecked_t cachefiles_lookup_histogram[HZ];
75068+atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
75069+atomic_unchecked_t cachefiles_create_histogram[HZ];
75070
75071 /*
75072 * display the latency histogram
75073@@ -35,9 +35,9 @@ static int cachefiles_histogram_show(struct seq_file *m, void *v)
75074 return 0;
75075 default:
75076 index = (unsigned long) v - 3;
75077- x = atomic_read(&cachefiles_lookup_histogram[index]);
75078- y = atomic_read(&cachefiles_mkdir_histogram[index]);
75079- z = atomic_read(&cachefiles_create_histogram[index]);
75080+ x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
75081+ y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
75082+ z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
75083 if (x == 0 && y == 0 && z == 0)
75084 return 0;
75085
75086diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
75087index 9314b4e..4a1f602 100644
75088--- a/fs/ceph/dir.c
75089+++ b/fs/ceph/dir.c
75090@@ -214,10 +214,18 @@ static int __dcache_readdir(struct file *file, struct dir_context *ctx,
75091 spin_unlock(&dentry->d_lock);
75092
75093 if (emit_dentry) {
75094+ char d_name[DNAME_INLINE_LEN];
75095+ const unsigned char *name;
75096+
75097 dout(" %llu (%llu) dentry %p %pd %p\n", di->offset, ctx->pos,
75098 dentry, dentry, d_inode(dentry));
75099 ctx->pos = di->offset;
75100- if (!dir_emit(ctx, dentry->d_name.name,
75101+ name = dentry->d_name.name;
75102+ if (name == dentry->d_iname) {
75103+ memcpy(d_name, name, dentry->d_name.len);
75104+ name = d_name;
75105+ }
75106+ if (!dir_emit(ctx, name,
75107 dentry->d_name.len,
75108 ceph_translate_ino(dentry->d_sb,
75109 d_inode(dentry)->i_ino),
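Review bot: `memcpy(d_name, name, dentry->d_name.len)` copies into a `DNAME_INLINE_LEN` stack buffer with a length that is not checked against the buffer. `dentry->d_name.len` is then read a second time for `dir_emit()`, and both reads happen after the `spin_unlock(&dentry->d_lock)` shown at the top of the hunk. Reading the length once into a local, bounding the copy with it (`memcpy(d_name, name, min_t(unsigned int, len, sizeof(d_name)));`) and passing the same local to `dir_emit()` keeps the copy and the emitted length consistent. The block also needs a comment saying why an inline name is bounced through the stack, e.g. `/* copy inline names to the stack so dir_emit() does not copy to user space from inside the dentry object */`. __dcache_readdir() starts and ends outside this hunk.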
75110@@ -259,7 +267,7 @@ static int ceph_readdir(struct file *file, struct dir_context *ctx)
75111 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
75112 struct ceph_mds_client *mdsc = fsc->mdsc;
75113 unsigned frag = fpos_frag(ctx->pos);
75114- int off = fpos_off(ctx->pos);
75115+ unsigned int off = fpos_off(ctx->pos);
75116 int err;
75117 u32 ftype;
75118 struct ceph_mds_reply_info_parsed *rinfo;
75119diff --git a/fs/ceph/super.c b/fs/ceph/super.c
75120index 7b6bfcb..f8d5416 100644
75121--- a/fs/ceph/super.c
75122+++ b/fs/ceph/super.c
75123@@ -906,7 +906,7 @@ static int ceph_compare_super(struct super_block *sb, void *data)
75124 /*
75125 * construct our own bdi so we can control readahead, etc.
75126 */
75127-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
75128+static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
75129
75130 static int ceph_register_bdi(struct super_block *sb,
75131 struct ceph_fs_client *fsc)
75132@@ -923,7 +923,7 @@ static int ceph_register_bdi(struct super_block *sb,
75133 VM_MAX_READAHEAD * 1024 / PAGE_CACHE_SIZE;
75134
75135 err = bdi_register(&fsc->backing_dev_info, NULL, "ceph-%ld",
75136- atomic_long_inc_return(&bdi_seq));
75137+ atomic_long_inc_return_unchecked(&bdi_seq));
75138 if (!err)
75139 sb->s_bdi = &fsc->backing_dev_info;
75140 return err;
75141diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
75142index 7febcf2..62a5721 100644
75143--- a/fs/cifs/cifs_debug.c
75144+++ b/fs/cifs/cifs_debug.c
75145@@ -269,8 +269,8 @@ static ssize_t cifs_stats_proc_write(struct file *file,
75146
75147 if (strtobool(&c, &bv) == 0) {
75148 #ifdef CONFIG_CIFS_STATS2
75149- atomic_set(&totBufAllocCount, 0);
75150- atomic_set(&totSmBufAllocCount, 0);
75151+ atomic_set_unchecked(&totBufAllocCount, 0);
75152+ atomic_set_unchecked(&totSmBufAllocCount, 0);
75153 #endif /* CONFIG_CIFS_STATS2 */
75154 spin_lock(&cifs_tcp_ses_lock);
75155 list_for_each(tmp1, &cifs_tcp_ses_list) {
75156@@ -283,7 +283,7 @@ static ssize_t cifs_stats_proc_write(struct file *file,
75157 tcon = list_entry(tmp3,
75158 struct cifs_tcon,
75159 tcon_list);
75160- atomic_set(&tcon->num_smbs_sent, 0);
75161+ atomic_set_unchecked(&tcon->num_smbs_sent, 0);
75162 if (server->ops->clear_stats)
75163 server->ops->clear_stats(tcon);
75164 }
75165@@ -315,8 +315,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
75166 smBufAllocCount.counter, cifs_min_small);
75167 #ifdef CONFIG_CIFS_STATS2
75168 seq_printf(m, "Total Large %d Small %d Allocations\n",
75169- atomic_read(&totBufAllocCount),
75170- atomic_read(&totSmBufAllocCount));
75171+ atomic_read_unchecked(&totBufAllocCount),
75172+ atomic_read_unchecked(&totSmBufAllocCount));
75173 #endif /* CONFIG_CIFS_STATS2 */
75174
75175 seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
75176@@ -345,7 +345,7 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
75177 if (tcon->need_reconnect)
75178 seq_puts(m, "\tDISCONNECTED ");
75179 seq_printf(m, "\nSMBs: %d",
75180- atomic_read(&tcon->num_smbs_sent));
75181+ atomic_read_unchecked(&tcon->num_smbs_sent));
75182 if (server->ops->print_stats)
75183 server->ops->print_stats(m, tcon);
75184 }
75185diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
75186index 6a1119e..b2f2160 100644
75187--- a/fs/cifs/cifsfs.c
75188+++ b/fs/cifs/cifsfs.c
75189@@ -1082,7 +1082,7 @@ cifs_init_request_bufs(void)
75190 */
75191 cifs_req_cachep = kmem_cache_create("cifs_request",
75192 CIFSMaxBufSize + max_hdr_size, 0,
75193- SLAB_HWCACHE_ALIGN, NULL);
75194+ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
75195 if (cifs_req_cachep == NULL)
75196 return -ENOMEM;
75197
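Review bot: `SLAB_USERCOPY` is added to the `cifs_request` cache here and to `cifs_small_rq` in the next hunk with no comment naming the user-copy path that needs it. The flag whitelists every object in these caches for copies to and from user space, so the reason should sit next to it. I would add a comment on each call such as `/* request buffers are copied directly to/from user space by <caller to be named>; whitelist for usercopy checks */`, with the placeholder replaced by the real call site. cifs_init_request_bufs() starts and ends outside these hunks.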
75198@@ -1109,7 +1109,7 @@ cifs_init_request_bufs(void)
75199 efficient to alloc 1 per page off the slab compared to 17K (5page)
75200 alloc of large cifs buffers even when page debugging is on */
75201 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
75202- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
75203+ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
75204 NULL);
75205 if (cifs_sm_req_cachep == NULL) {
75206 mempool_destroy(cifs_req_poolp);
75207@@ -1194,8 +1194,8 @@ init_cifs(void)
75208 atomic_set(&bufAllocCount, 0);
75209 atomic_set(&smBufAllocCount, 0);
75210 #ifdef CONFIG_CIFS_STATS2
75211- atomic_set(&totBufAllocCount, 0);
75212- atomic_set(&totSmBufAllocCount, 0);
75213+ atomic_set_unchecked(&totBufAllocCount, 0);
75214+ atomic_set_unchecked(&totSmBufAllocCount, 0);
75215 #endif /* CONFIG_CIFS_STATS2 */
75216
75217 atomic_set(&midCount, 0);
75218diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
75219index b406a32..243eb1c 100644
75220--- a/fs/cifs/cifsglob.h
75221+++ b/fs/cifs/cifsglob.h
75222@@ -832,35 +832,35 @@ struct cifs_tcon {
75223 __u16 Flags; /* optional support bits */
75224 enum statusEnum tidStatus;
75225 #ifdef CONFIG_CIFS_STATS
75226- atomic_t num_smbs_sent;
75227+ atomic_unchecked_t num_smbs_sent;
75228 union {
75229 struct {
75230- atomic_t num_writes;
75231- atomic_t num_reads;
75232- atomic_t num_flushes;
75233- atomic_t num_oplock_brks;
75234- atomic_t num_opens;
75235- atomic_t num_closes;
75236- atomic_t num_deletes;
75237- atomic_t num_mkdirs;
75238- atomic_t num_posixopens;
75239- atomic_t num_posixmkdirs;
75240- atomic_t num_rmdirs;
75241- atomic_t num_renames;
75242- atomic_t num_t2renames;
75243- atomic_t num_ffirst;
75244- atomic_t num_fnext;
75245- atomic_t num_fclose;
75246- atomic_t num_hardlinks;
75247- atomic_t num_symlinks;
75248- atomic_t num_locks;
75249- atomic_t num_acl_get;
75250- atomic_t num_acl_set;
75251+ atomic_unchecked_t num_writes;
75252+ atomic_unchecked_t num_reads;
75253+ atomic_unchecked_t num_flushes;
75254+ atomic_unchecked_t num_oplock_brks;
75255+ atomic_unchecked_t num_opens;
75256+ atomic_unchecked_t num_closes;
75257+ atomic_unchecked_t num_deletes;
75258+ atomic_unchecked_t num_mkdirs;
75259+ atomic_unchecked_t num_posixopens;
75260+ atomic_unchecked_t num_posixmkdirs;
75261+ atomic_unchecked_t num_rmdirs;
75262+ atomic_unchecked_t num_renames;
75263+ atomic_unchecked_t num_t2renames;
75264+ atomic_unchecked_t num_ffirst;
75265+ atomic_unchecked_t num_fnext;
75266+ atomic_unchecked_t num_fclose;
75267+ atomic_unchecked_t num_hardlinks;
75268+ atomic_unchecked_t num_symlinks;
75269+ atomic_unchecked_t num_locks;
75270+ atomic_unchecked_t num_acl_get;
75271+ atomic_unchecked_t num_acl_set;
75272 } cifs_stats;
75273 #ifdef CONFIG_CIFS_SMB2
75274 struct {
75275- atomic_t smb2_com_sent[NUMBER_OF_SMB2_COMMANDS];
75276- atomic_t smb2_com_failed[NUMBER_OF_SMB2_COMMANDS];
75277+ atomic_unchecked_t smb2_com_sent[NUMBER_OF_SMB2_COMMANDS];
75278+ atomic_unchecked_t smb2_com_failed[NUMBER_OF_SMB2_COMMANDS];
75279 } smb2_stats;
75280 #endif /* CONFIG_CIFS_SMB2 */
75281 } stats;
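Review bot: The per-tcon statistics fields change type to `atomic_unchecked_t` with no comment saying why, and the reason matters for anyone auditing counter types later. These fields are only incremented, reset and printed in the hunks visible here, so they look like pure statistics that may wrap harmlessly; `atomic_unchecked_t` is presumably the variant exempt from this patch set's overflow detection (its definition is outside this chunk). I would add `/* statistics only: may wrap, never used for object lifetime */` above the `#ifdef CONFIG_CIFS_STATS` block so that a real reference count is not converted the same way by analogy. The same remark covers `cifs_stats_inc` and `totBufAllocCount`/`totSmBufAllocCount` later in this file and the smb1ops.c and smb2ops.c hunks that reset and read these fields.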
75282@@ -1207,7 +1207,7 @@ convert_delimiter(char *path, char delim)
75283 }
75284
75285 #ifdef CONFIG_CIFS_STATS
75286-#define cifs_stats_inc atomic_inc
75287+#define cifs_stats_inc atomic_inc_unchecked
75288
75289 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
75290 unsigned int bytes)
75291@@ -1574,8 +1574,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount;
75292 /* Various Debug counters */
75293 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
75294 #ifdef CONFIG_CIFS_STATS2
75295-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
75296-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
75297+GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
75298+GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
75299 #endif
75300 GLOBAL_EXTERN atomic_t smBufAllocCount;
75301 GLOBAL_EXTERN atomic_t midCount;
75302diff --git a/fs/cifs/file.c b/fs/cifs/file.c
75303index 3f50cee..7741620 100644
75304--- a/fs/cifs/file.c
75305+++ b/fs/cifs/file.c
75306@@ -2054,10 +2054,14 @@ static int cifs_writepages(struct address_space *mapping,
75307 index = mapping->writeback_index; /* Start from prev offset */
75308 end = -1;
75309 } else {
75310- index = wbc->range_start >> PAGE_CACHE_SHIFT;
75311- end = wbc->range_end >> PAGE_CACHE_SHIFT;
75312- if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX)
75313+ if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) {
75314 range_whole = true;
75315+ index = 0;
75316+ end = ULONG_MAX;
75317+ } else {
75318+ index = wbc->range_start >> PAGE_CACHE_SHIFT;
75319+ end = wbc->range_end >> PAGE_CACHE_SHIFT;
75320+ }
75321 scanned = true;
75322 }
75323 server = cifs_sb_master_tcon(cifs_sb)->ses->server;
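Review bot: The new whole-range branch writes `end = ULONG_MAX` while the cyclic branch on the context line above writes `end = -1`, and nothing explains why the shift of `wbc->range_end` is now skipped for this case. If `end` is an unsigned page index (its declaration is outside the hunk) the two spellings are the same value, so one of them should be used in both places. A comment such as `/* whole file: set the bounds directly rather than shifting LLONG_MAX */` on the new branch would record the intent. cifs_writepages starts and ends outside the hunk.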
75324diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
75325index f621b44..6b66dd5 100644
75326--- a/fs/cifs/inode.c
75327+++ b/fs/cifs/inode.c
75328@@ -2034,7 +2034,6 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs,
75329 struct tcon_link *tlink = NULL;
75330 struct cifs_tcon *tcon = NULL;
75331 struct TCP_Server_Info *server;
75332- struct cifs_io_parms io_parms;
75333
75334 /*
75335 * To avoid spurious oplock breaks from server, in the case of
75336@@ -2056,18 +2055,6 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs,
75337 rc = -ENOSYS;
75338 cifsFileInfo_put(open_file);
75339 cifs_dbg(FYI, "SetFSize for attrs rc = %d\n", rc);
75340- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
75341- unsigned int bytes_written;
75342-
75343- io_parms.netfid = open_file->fid.netfid;
75344- io_parms.pid = open_file->pid;
75345- io_parms.tcon = tcon;
75346- io_parms.offset = 0;
75347- io_parms.length = attrs->ia_size;
75348- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written,
75349- NULL, NULL, 1);
75350- cifs_dbg(FYI, "Wrt seteof rc %d\n", rc);
75351- }
75352 } else
75353 rc = -EINVAL;
75354
75355@@ -2093,28 +2080,7 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs,
75356 else
75357 rc = -ENOSYS;
75358 cifs_dbg(FYI, "SetEOF by path (setattrs) rc = %d\n", rc);
75359- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
75360- __u16 netfid;
75361- int oplock = 0;
75362
75363- rc = SMBLegacyOpen(xid, tcon, full_path, FILE_OPEN,
75364- GENERIC_WRITE, CREATE_NOT_DIR, &netfid,
75365- &oplock, NULL, cifs_sb->local_nls,
75366- cifs_remap(cifs_sb));
75367- if (rc == 0) {
75368- unsigned int bytes_written;
75369-
75370- io_parms.netfid = netfid;
75371- io_parms.pid = current->tgid;
75372- io_parms.tcon = tcon;
75373- io_parms.offset = 0;
75374- io_parms.length = attrs->ia_size;
75375- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, NULL,
75376- NULL, 1);
75377- cifs_dbg(FYI, "wrt seteof rc %d\n", rc);
75378- CIFSSMBClose(xid, tcon, netfid);
75379- }
75380- }
75381 if (tlink)
75382 cifs_put_tlink(tlink);
75383
75384diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
75385index 8442b8b..ea6986f 100644
75386--- a/fs/cifs/misc.c
75387+++ b/fs/cifs/misc.c
75388@@ -170,7 +170,7 @@ cifs_buf_get(void)
75389 memset(ret_buf, 0, buf_size + 3);
75390 atomic_inc(&bufAllocCount);
75391 #ifdef CONFIG_CIFS_STATS2
75392- atomic_inc(&totBufAllocCount);
75393+ atomic_inc_unchecked(&totBufAllocCount);
75394 #endif /* CONFIG_CIFS_STATS2 */
75395 }
75396
75397@@ -205,7 +205,7 @@ cifs_small_buf_get(void)
75398 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
75399 atomic_inc(&smBufAllocCount);
75400 #ifdef CONFIG_CIFS_STATS2
75401- atomic_inc(&totSmBufAllocCount);
75402+ atomic_inc_unchecked(&totSmBufAllocCount);
75403 #endif /* CONFIG_CIFS_STATS2 */
75404
75405 }
75406diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
75407index fc537c2..47d654c 100644
75408--- a/fs/cifs/smb1ops.c
75409+++ b/fs/cifs/smb1ops.c
75410@@ -622,27 +622,27 @@ static void
75411 cifs_clear_stats(struct cifs_tcon *tcon)
75412 {
75413 #ifdef CONFIG_CIFS_STATS
75414- atomic_set(&tcon->stats.cifs_stats.num_writes, 0);
75415- atomic_set(&tcon->stats.cifs_stats.num_reads, 0);
75416- atomic_set(&tcon->stats.cifs_stats.num_flushes, 0);
75417- atomic_set(&tcon->stats.cifs_stats.num_oplock_brks, 0);
75418- atomic_set(&tcon->stats.cifs_stats.num_opens, 0);
75419- atomic_set(&tcon->stats.cifs_stats.num_posixopens, 0);
75420- atomic_set(&tcon->stats.cifs_stats.num_posixmkdirs, 0);
75421- atomic_set(&tcon->stats.cifs_stats.num_closes, 0);
75422- atomic_set(&tcon->stats.cifs_stats.num_deletes, 0);
75423- atomic_set(&tcon->stats.cifs_stats.num_mkdirs, 0);
75424- atomic_set(&tcon->stats.cifs_stats.num_rmdirs, 0);
75425- atomic_set(&tcon->stats.cifs_stats.num_renames, 0);
75426- atomic_set(&tcon->stats.cifs_stats.num_t2renames, 0);
75427- atomic_set(&tcon->stats.cifs_stats.num_ffirst, 0);
75428- atomic_set(&tcon->stats.cifs_stats.num_fnext, 0);
75429- atomic_set(&tcon->stats.cifs_stats.num_fclose, 0);
75430- atomic_set(&tcon->stats.cifs_stats.num_hardlinks, 0);
75431- atomic_set(&tcon->stats.cifs_stats.num_symlinks, 0);
75432- atomic_set(&tcon->stats.cifs_stats.num_locks, 0);
75433- atomic_set(&tcon->stats.cifs_stats.num_acl_get, 0);
75434- atomic_set(&tcon->stats.cifs_stats.num_acl_set, 0);
75435+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_writes, 0);
75436+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_reads, 0);
75437+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_flushes, 0);
75438+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_oplock_brks, 0);
75439+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_opens, 0);
75440+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_posixopens, 0);
75441+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_posixmkdirs, 0);
75442+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_closes, 0);
75443+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_deletes, 0);
75444+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_mkdirs, 0);
75445+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_rmdirs, 0);
75446+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_renames, 0);
75447+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_t2renames, 0);
75448+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_ffirst, 0);
75449+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_fnext, 0);
75450+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_fclose, 0);
75451+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_hardlinks, 0);
75452+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_symlinks, 0);
75453+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_locks, 0);
75454+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_acl_get, 0);
75455+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_acl_set, 0);
75456 #endif
75457 }
75458
75459@@ -651,36 +651,36 @@ cifs_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
75460 {
75461 #ifdef CONFIG_CIFS_STATS
75462 seq_printf(m, " Oplocks breaks: %d",
75463- atomic_read(&tcon->stats.cifs_stats.num_oplock_brks));
75464+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_oplock_brks));
75465 seq_printf(m, "\nReads: %d Bytes: %llu",
75466- atomic_read(&tcon->stats.cifs_stats.num_reads),
75467+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_reads),
75468 (long long)(tcon->bytes_read));
75469 seq_printf(m, "\nWrites: %d Bytes: %llu",
75470- atomic_read(&tcon->stats.cifs_stats.num_writes),
75471+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_writes),
75472 (long long)(tcon->bytes_written));
75473 seq_printf(m, "\nFlushes: %d",
75474- atomic_read(&tcon->stats.cifs_stats.num_flushes));
75475+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_flushes));
75476 seq_printf(m, "\nLocks: %d HardLinks: %d Symlinks: %d",
75477- atomic_read(&tcon->stats.cifs_stats.num_locks),
75478- atomic_read(&tcon->stats.cifs_stats.num_hardlinks),
75479- atomic_read(&tcon->stats.cifs_stats.num_symlinks));
75480+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_locks),
75481+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_hardlinks),
75482+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_symlinks));
75483 seq_printf(m, "\nOpens: %d Closes: %d Deletes: %d",
75484- atomic_read(&tcon->stats.cifs_stats.num_opens),
75485- atomic_read(&tcon->stats.cifs_stats.num_closes),
75486- atomic_read(&tcon->stats.cifs_stats.num_deletes));
75487+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_opens),
75488+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_closes),
75489+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_deletes));
75490 seq_printf(m, "\nPosix Opens: %d Posix Mkdirs: %d",
75491- atomic_read(&tcon->stats.cifs_stats.num_posixopens),
75492- atomic_read(&tcon->stats.cifs_stats.num_posixmkdirs));
75493+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_posixopens),
75494+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_posixmkdirs));
75495 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
75496- atomic_read(&tcon->stats.cifs_stats.num_mkdirs),
75497- atomic_read(&tcon->stats.cifs_stats.num_rmdirs));
75498+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_mkdirs),
75499+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_rmdirs));
75500 seq_printf(m, "\nRenames: %d T2 Renames %d",
75501- atomic_read(&tcon->stats.cifs_stats.num_renames),
75502- atomic_read(&tcon->stats.cifs_stats.num_t2renames));
75503+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_renames),
75504+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_t2renames));
75505 seq_printf(m, "\nFindFirst: %d FNext %d FClose %d",
75506- atomic_read(&tcon->stats.cifs_stats.num_ffirst),
75507- atomic_read(&tcon->stats.cifs_stats.num_fnext),
75508- atomic_read(&tcon->stats.cifs_stats.num_fclose));
75509+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_ffirst),
75510+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_fnext),
75511+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_fclose));
75512 #endif
75513 }
75514
75515diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
75516index df91bcf..c499de7 100644
75517--- a/fs/cifs/smb2ops.c
75518+++ b/fs/cifs/smb2ops.c
75519@@ -418,8 +418,8 @@ smb2_clear_stats(struct cifs_tcon *tcon)
75520 #ifdef CONFIG_CIFS_STATS
75521 int i;
75522 for (i = 0; i < NUMBER_OF_SMB2_COMMANDS; i++) {
75523- atomic_set(&tcon->stats.smb2_stats.smb2_com_sent[i], 0);
75524- atomic_set(&tcon->stats.smb2_stats.smb2_com_failed[i], 0);
75525+ atomic_set_unchecked(&tcon->stats.smb2_stats.smb2_com_sent[i], 0);
75526+ atomic_set_unchecked(&tcon->stats.smb2_stats.smb2_com_failed[i], 0);
75527 }
75528 #endif
75529 }
75530@@ -459,65 +459,65 @@ static void
75531 smb2_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
75532 {
75533 #ifdef CONFIG_CIFS_STATS
75534- atomic_t *sent = tcon->stats.smb2_stats.smb2_com_sent;
75535- atomic_t *failed = tcon->stats.smb2_stats.smb2_com_failed;
75536+ atomic_unchecked_t *sent = tcon->stats.smb2_stats.smb2_com_sent;
75537+ atomic_unchecked_t *failed = tcon->stats.smb2_stats.smb2_com_failed;
75538 seq_printf(m, "\nNegotiates: %d sent %d failed",
75539- atomic_read(&sent[SMB2_NEGOTIATE_HE]),
75540- atomic_read(&failed[SMB2_NEGOTIATE_HE]));
75541+ atomic_read_unchecked(&sent[SMB2_NEGOTIATE_HE]),
75542+ atomic_read_unchecked(&failed[SMB2_NEGOTIATE_HE]));
75543 seq_printf(m, "\nSessionSetups: %d sent %d failed",
75544- atomic_read(&sent[SMB2_SESSION_SETUP_HE]),
75545- atomic_read(&failed[SMB2_SESSION_SETUP_HE]));
75546+ atomic_read_unchecked(&sent[SMB2_SESSION_SETUP_HE]),
75547+ atomic_read_unchecked(&failed[SMB2_SESSION_SETUP_HE]));
75548 seq_printf(m, "\nLogoffs: %d sent %d failed",
75549- atomic_read(&sent[SMB2_LOGOFF_HE]),
75550- atomic_read(&failed[SMB2_LOGOFF_HE]));
75551+ atomic_read_unchecked(&sent[SMB2_LOGOFF_HE]),
75552+ atomic_read_unchecked(&failed[SMB2_LOGOFF_HE]));
75553 seq_printf(m, "\nTreeConnects: %d sent %d failed",
75554- atomic_read(&sent[SMB2_TREE_CONNECT_HE]),
75555- atomic_read(&failed[SMB2_TREE_CONNECT_HE]));
75556+ atomic_read_unchecked(&sent[SMB2_TREE_CONNECT_HE]),
75557+ atomic_read_unchecked(&failed[SMB2_TREE_CONNECT_HE]));
75558 seq_printf(m, "\nTreeDisconnects: %d sent %d failed",
75559- atomic_read(&sent[SMB2_TREE_DISCONNECT_HE]),
75560- atomic_read(&failed[SMB2_TREE_DISCONNECT_HE]));
75561+ atomic_read_unchecked(&sent[SMB2_TREE_DISCONNECT_HE]),
75562+ atomic_read_unchecked(&failed[SMB2_TREE_DISCONNECT_HE]));
75563 seq_printf(m, "\nCreates: %d sent %d failed",
75564- atomic_read(&sent[SMB2_CREATE_HE]),
75565- atomic_read(&failed[SMB2_CREATE_HE]));
75566+ atomic_read_unchecked(&sent[SMB2_CREATE_HE]),
75567+ atomic_read_unchecked(&failed[SMB2_CREATE_HE]));
75568 seq_printf(m, "\nCloses: %d sent %d failed",
75569- atomic_read(&sent[SMB2_CLOSE_HE]),
75570- atomic_read(&failed[SMB2_CLOSE_HE]));
75571+ atomic_read_unchecked(&sent[SMB2_CLOSE_HE]),
75572+ atomic_read_unchecked(&failed[SMB2_CLOSE_HE]));
75573 seq_printf(m, "\nFlushes: %d sent %d failed",
75574- atomic_read(&sent[SMB2_FLUSH_HE]),
75575- atomic_read(&failed[SMB2_FLUSH_HE]));
75576+ atomic_read_unchecked(&sent[SMB2_FLUSH_HE]),
75577+ atomic_read_unchecked(&failed[SMB2_FLUSH_HE]));
75578 seq_printf(m, "\nReads: %d sent %d failed",
75579- atomic_read(&sent[SMB2_READ_HE]),
75580- atomic_read(&failed[SMB2_READ_HE]));
75581+ atomic_read_unchecked(&sent[SMB2_READ_HE]),
75582+ atomic_read_unchecked(&failed[SMB2_READ_HE]));
75583 seq_printf(m, "\nWrites: %d sent %d failed",
75584- atomic_read(&sent[SMB2_WRITE_HE]),
75585- atomic_read(&failed[SMB2_WRITE_HE]));
75586+ atomic_read_unchecked(&sent[SMB2_WRITE_HE]),
75587+ atomic_read_unchecked(&failed[SMB2_WRITE_HE]));
75588 seq_printf(m, "\nLocks: %d sent %d failed",
75589- atomic_read(&sent[SMB2_LOCK_HE]),
75590- atomic_read(&failed[SMB2_LOCK_HE]));
75591+ atomic_read_unchecked(&sent[SMB2_LOCK_HE]),
75592+ atomic_read_unchecked(&failed[SMB2_LOCK_HE]));
75593 seq_printf(m, "\nIOCTLs: %d sent %d failed",
75594- atomic_read(&sent[SMB2_IOCTL_HE]),
75595- atomic_read(&failed[SMB2_IOCTL_HE]));
75596+ atomic_read_unchecked(&sent[SMB2_IOCTL_HE]),
75597+ atomic_read_unchecked(&failed[SMB2_IOCTL_HE]));
75598 seq_printf(m, "\nCancels: %d sent %d failed",
75599- atomic_read(&sent[SMB2_CANCEL_HE]),
75600- atomic_read(&failed[SMB2_CANCEL_HE]));
75601+ atomic_read_unchecked(&sent[SMB2_CANCEL_HE]),
75602+ atomic_read_unchecked(&failed[SMB2_CANCEL_HE]));
75603 seq_printf(m, "\nEchos: %d sent %d failed",
75604- atomic_read(&sent[SMB2_ECHO_HE]),
75605- atomic_read(&failed[SMB2_ECHO_HE]));
75606+ atomic_read_unchecked(&sent[SMB2_ECHO_HE]),
75607+ atomic_read_unchecked(&failed[SMB2_ECHO_HE]));
75608 seq_printf(m, "\nQueryDirectories: %d sent %d failed",
75609- atomic_read(&sent[SMB2_QUERY_DIRECTORY_HE]),
75610- atomic_read(&failed[SMB2_QUERY_DIRECTORY_HE]));
75611+ atomic_read_unchecked(&sent[SMB2_QUERY_DIRECTORY_HE]),
75612+ atomic_read_unchecked(&failed[SMB2_QUERY_DIRECTORY_HE]));
75613 seq_printf(m, "\nChangeNotifies: %d sent %d failed",
75614- atomic_read(&sent[SMB2_CHANGE_NOTIFY_HE]),
75615- atomic_read(&failed[SMB2_CHANGE_NOTIFY_HE]));
75616+ atomic_read_unchecked(&sent[SMB2_CHANGE_NOTIFY_HE]),
75617+ atomic_read_unchecked(&failed[SMB2_CHANGE_NOTIFY_HE]));
75618 seq_printf(m, "\nQueryInfos: %d sent %d failed",
75619- atomic_read(&sent[SMB2_QUERY_INFO_HE]),
75620- atomic_read(&failed[SMB2_QUERY_INFO_HE]));
75621+ atomic_read_unchecked(&sent[SMB2_QUERY_INFO_HE]),
75622+ atomic_read_unchecked(&failed[SMB2_QUERY_INFO_HE]));
75623 seq_printf(m, "\nSetInfos: %d sent %d failed",
75624- atomic_read(&sent[SMB2_SET_INFO_HE]),
75625- atomic_read(&failed[SMB2_SET_INFO_HE]));
75626+ atomic_read_unchecked(&sent[SMB2_SET_INFO_HE]),
75627+ atomic_read_unchecked(&failed[SMB2_SET_INFO_HE]));
75628 seq_printf(m, "\nOplockBreaks: %d sent %d failed",
75629- atomic_read(&sent[SMB2_OPLOCK_BREAK_HE]),
75630- atomic_read(&failed[SMB2_OPLOCK_BREAK_HE]));
75631+ atomic_read_unchecked(&sent[SMB2_OPLOCK_BREAK_HE]),
75632+ atomic_read_unchecked(&failed[SMB2_OPLOCK_BREAK_HE]));
75633 #endif
75634 }
75635
75636diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
75637index b8b4f08..6e84a23 100644
75638--- a/fs/cifs/smb2pdu.c
75639+++ b/fs/cifs/smb2pdu.c
75640@@ -2206,8 +2206,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon,
75641 default:
75642 cifs_dbg(VFS, "info level %u isn't supported\n",
75643 srch_inf->info_level);
75644- rc = -EINVAL;
75645- goto qdir_exit;
75646+ return -EINVAL;
75647 }
75648
75649 req->FileIndex = cpu_to_le32(index);
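Review bot: The early `return -EINVAL;` in the `default:` arm bypasses whatever cleanup sits at `qdir_exit`, and that label is not shown in this hunk. The context line after the switch writes through `req`, so a request buffer appears to exist by this point; if it is allocated before the switch, this path has to release it before returning. If skipping the label is deliberate, a comment on the return should say what the label would have touched that is not yet valid here. SMB2_query_directory begins and ends outside the hunk, so both the allocation and the label need checking against the full function.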
75650diff --git a/fs/coda/cache.c b/fs/coda/cache.c
75651index 5bb630a..043dc70 100644
75652--- a/fs/coda/cache.c
75653+++ b/fs/coda/cache.c
75654@@ -24,7 +24,7 @@
75655 #include "coda_linux.h"
75656 #include "coda_cache.h"
75657
75658-static atomic_t permission_epoch = ATOMIC_INIT(0);
75659+static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
75660
75661 /* replace or extend an acl cache hit */
75662 void coda_cache_enter(struct inode *inode, int mask)
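Review bot: `permission_epoch` becomes a counter that is allowed to wrap, and the declaration carries no comment saying that this is deliberate. The last hunk of this file shows it compared for equality in coda_cache_check to decide whether a cached permission is still valid, so after a full wrap a very old cached entry would match again; that is presumably acceptable, but it should be written down. I would add `/* generation counter, not a refcount: may wrap, only compared for equality */` above the declaration. The conversions in the coda_cache_enter, coda_cache_clear_inode, coda_cache_clear_all and coda_cache_check hunks follow from this one line.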
75663@@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inode, int mask)
75664 struct coda_inode_info *cii = ITOC(inode);
75665
75666 spin_lock(&cii->c_lock);
75667- cii->c_cached_epoch = atomic_read(&permission_epoch);
75668+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
75669 if (!uid_eq(cii->c_uid, current_fsuid())) {
75670 cii->c_uid = current_fsuid();
75671 cii->c_cached_perm = mask;
75672@@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode *inode)
75673 {
75674 struct coda_inode_info *cii = ITOC(inode);
75675 spin_lock(&cii->c_lock);
75676- cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
75677+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
75678 spin_unlock(&cii->c_lock);
75679 }
75680
75681 /* remove all acl caches */
75682 void coda_cache_clear_all(struct super_block *sb)
75683 {
75684- atomic_inc(&permission_epoch);
75685+ atomic_inc_unchecked(&permission_epoch);
75686 }
75687
75688
75689@@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode, int mask)
75690 spin_lock(&cii->c_lock);
75691 hit = (mask & cii->c_cached_perm) == mask &&
75692 uid_eq(cii->c_uid, current_fsuid()) &&
75693- cii->c_cached_epoch == atomic_read(&permission_epoch);
75694+ cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
75695 spin_unlock(&cii->c_lock);
75696
75697 return hit;
75698diff --git a/fs/compat.c b/fs/compat.c
75699index 6fd272d..dd34ba2 100644
75700--- a/fs/compat.c
75701+++ b/fs/compat.c
75702@@ -54,7 +54,7 @@
75703 #include <asm/ioctls.h>
75704 #include "internal.h"
75705
75706-int compat_log = 1;
75707+int compat_log = 0;
75708
75709 int compat_printk(const char *fmt, ...)
75710 {
75711@@ -512,7 +512,7 @@ COMPAT_SYSCALL_DEFINE2(io_setup, unsigned, nr_reqs, u32 __user *, ctx32p)
75712
75713 set_fs(KERNEL_DS);
75714 /* The __user pointer cast is valid because of the set_fs() */
75715- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
75716+ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
75717 set_fs(oldfs);
75718 /* truncating is ok because it's a user address */
75719 if (!ret)
75720@@ -562,7 +562,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
75721 goto out;
75722
75723 ret = -EINVAL;
75724- if (nr_segs > UIO_MAXIOV || nr_segs < 0)
75725+ if (nr_segs > UIO_MAXIOV)
75726 goto out;
75727 if (nr_segs > fast_segs) {
75728 ret = -ENOMEM;
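Review bot: Dropping `nr_segs < 0` leaves `nr_segs > UIO_MAXIOV` as the only bound on a caller-supplied segment count, which is enough only if `nr_segs` has an unsigned type. The parameter list is cut off in the hunk header, so that cannot be confirmed from here. If it is unsigned the removed test was dead code and the change is safe; a short comment, `/* nr_segs is unsigned: this also rejects values that were negative in the caller */`, would record the assumption. compat_rw_copy_check_uvector starts and ends outside the hunk.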
75729@@ -844,6 +844,7 @@ struct compat_old_linux_dirent {
75730 struct compat_readdir_callback {
75731 struct dir_context ctx;
75732 struct compat_old_linux_dirent __user *dirent;
75733+ struct file * file;
75734 int result;
75735 };
75736
75737@@ -863,6 +864,10 @@ static int compat_fillonedir(struct dir_context *ctx, const char *name,
75738 buf->result = -EOVERFLOW;
75739 return -EOVERFLOW;
75740 }
75741+
75742+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
75743+ return 0;
75744+
75745 buf->result++;
75746 dirent = buf->dirent;
75747 if (!access_ok(VERIFY_WRITE, dirent,
75748@@ -894,6 +899,7 @@ COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
75749 if (!f.file)
75750 return -EBADF;
75751
75752+ buf.file = f.file;
75753 error = iterate_dir(f.file, &buf.ctx);
75754 if (buf.result)
75755 error = buf.result;
75756@@ -913,6 +919,7 @@ struct compat_getdents_callback {
75757 struct dir_context ctx;
75758 struct compat_linux_dirent __user *current_dir;
75759 struct compat_linux_dirent __user *previous;
75760+ struct file * file;
75761 int count;
75762 int error;
75763 };
75764@@ -935,6 +942,10 @@ static int compat_filldir(struct dir_context *ctx, const char *name, int namlen,
75765 buf->error = -EOVERFLOW;
75766 return -EOVERFLOW;
75767 }
75768+
75769+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
75770+ return 0;
75771+
75772 dirent = buf->previous;
75773 if (dirent) {
75774 if (__put_user(offset, &dirent->d_off))
75775@@ -980,6 +991,7 @@ COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
75776 if (!f.file)
75777 return -EBADF;
75778
75779+ buf.file = f.file;
75780 error = iterate_dir(f.file, &buf.ctx);
75781 if (error >= 0)
75782 error = buf.error;
75783@@ -1000,6 +1012,7 @@ struct compat_getdents_callback64 {
75784 struct dir_context ctx;
75785 struct linux_dirent64 __user *current_dir;
75786 struct linux_dirent64 __user *previous;
75787+ struct file * file;
75788 int count;
75789 int error;
75790 };
75791@@ -1018,6 +1031,10 @@ static int compat_filldir64(struct dir_context *ctx, const char *name,
75792 buf->error = -EINVAL; /* only used if we fail.. */
75793 if (reclen > buf->count)
75794 return -EINVAL;
75795+
75796+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
75797+ return 0;
75798+
75799 dirent = buf->previous;
75800
75801 if (dirent) {
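Review bot: The added `return 0;` for a filtered entry comes after `buf->error = -EINVAL;`, so a skipped entry leaves that error value behind in the callback state. The getdents64 hunk below shows the caller doing `if (error >= 0) error = buf.error;`; unless the code after that hunk overrides the value, a directory in which every entry is filtered would return -EINVAL instead of an empty listing. Moving the `gr_acl_handle_filldir()` test above the `buf->error = -EINVAL;` line avoids this without changing the result for visible entries. compat_filldir64 starts and ends outside the hunk, and the compat_filldir hunk above has the same shape and deserves the same check.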
75802@@ -1067,6 +1084,7 @@ COMPAT_SYSCALL_DEFINE3(getdents64, unsigned int, fd,
75803 if (!f.file)
75804 return -EBADF;
75805
75806+ buf.file = f.file;
75807 error = iterate_dir(f.file, &buf.ctx);
75808 if (error >= 0)
75809 error = buf.error;
75810diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
75811index 4d24d17..4f8c09e 100644
75812--- a/fs/compat_binfmt_elf.c
75813+++ b/fs/compat_binfmt_elf.c
75814@@ -30,11 +30,13 @@
75815 #undef elf_phdr
75816 #undef elf_shdr
75817 #undef elf_note
75818+#undef elf_dyn
75819 #undef elf_addr_t
75820 #define elfhdr elf32_hdr
75821 #define elf_phdr elf32_phdr
75822 #define elf_shdr elf32_shdr
75823 #define elf_note elf32_note
75824+#define elf_dyn Elf32_Dyn
75825 #define elf_addr_t Elf32_Addr
75826
75827 /*
75828diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
75829index 48851f6..6c79d32 100644
75830--- a/fs/compat_ioctl.c
75831+++ b/fs/compat_ioctl.c
75832@@ -622,7 +622,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
75833 return -EFAULT;
75834 if (__get_user(udata, &ss32->iomem_base))
75835 return -EFAULT;
75836- ss.iomem_base = compat_ptr(udata);
75837+ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
75838 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
75839 __get_user(ss.port_high, &ss32->port_high))
75840 return -EFAULT;
75841@@ -704,8 +704,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
75842 for (i = 0; i < nmsgs; i++) {
75843 if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16)))
75844 return -EFAULT;
75845- if (get_user(datap, &umsgs[i].buf) ||
75846- put_user(compat_ptr(datap), &tmsgs[i].buf))
75847+ if (get_user(datap, (compat_caddr_t __user *)&umsgs[i].buf) ||
75848+ put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf))
75849 return -EFAULT;
75850 }
75851 return sys_ioctl(fd, cmd, (unsigned long)tdata);
75852@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
75853 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
75854 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
75855 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
75856- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
75857+ copy_in_user(p->l_pad, p32->l_pad, 4*sizeof(u32)))
75858 return -EFAULT;
75859
75860 return ioctl_preallocate(file, p);
75861@@ -1621,8 +1621,8 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd,
75862 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
75863 {
75864 unsigned int a, b;
75865- a = *(unsigned int *)p;
75866- b = *(unsigned int *)q;
75867+ a = *(const unsigned int *)p;
75868+ b = *(const unsigned int *)q;
75869 if (a > b)
75870 return 1;
75871 if (a < b)
75872diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
75873index c81ce7f..f3de5fd 100644
75874--- a/fs/configfs/dir.c
75875+++ b/fs/configfs/dir.c
75876@@ -1540,7 +1540,8 @@ static int configfs_readdir(struct file *file, struct dir_context *ctx)
75877 }
75878 for (p = q->next; p != &parent_sd->s_children; p = p->next) {
75879 struct configfs_dirent *next;
75880- const char *name;
75881+ const unsigned char * name;
75882+ char d_name[sizeof(next->s_dentry->d_iname)];
75883 int len;
75884 struct inode *inode = NULL;
75885
75886@@ -1549,7 +1550,12 @@ static int configfs_readdir(struct file *file, struct dir_context *ctx)
75887 continue;
75888
75889 name = configfs_get_name(next);
75890- len = strlen(name);
75891+ if (next->s_dentry && name == next->s_dentry->d_iname) {
75892+ len = next->s_dentry->d_name.len;
75893+ memcpy(d_name, name, len);
75894+ name = d_name;
75895+ } else
75896+ len = strlen(name);
75897
75898 /*
75899 * We'll have a dentry and an inode for
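Review bot: The `memcpy(d_name, name, len)` copy is bounded only by the assumption that a name stored in `d_iname` has a `d_name.len` smaller than `sizeof(d_iname)`, and the local copy is left without a terminating NUL. Nothing visible in the hunk keeps the dentry stable between reading `d_name.len` and copying `d_iname`, so if a rename can run concurrently (the locking is outside the hunk) the length and the bytes may not belong together. I would clamp before copying, `if (len >= sizeof(d_name)) len = sizeof(d_name) - 1;`, and add `/* length-delimited snapshot, not NUL-terminated: use only with len */` next to the declaration in the previous hunk. configfs_readdir continues on both sides of the hunk.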
75900diff --git a/fs/coredump.c b/fs/coredump.c
75901index a8f7564..3dde349 100644
75902--- a/fs/coredump.c
75903+++ b/fs/coredump.c
75904@@ -457,8 +457,8 @@ static void wait_for_dump_helpers(struct file *file)
75905 struct pipe_inode_info *pipe = file->private_data;
75906
75907 pipe_lock(pipe);
75908- pipe->readers++;
75909- pipe->writers--;
75910+ atomic_inc(&pipe->readers);
75911+ atomic_dec(&pipe->writers);
75912 wake_up_interruptible_sync(&pipe->wait);
75913 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
75914 pipe_unlock(pipe);
75915@@ -467,11 +467,11 @@ static void wait_for_dump_helpers(struct file *file)
75916 * We actually want wait_event_freezable() but then we need
75917 * to clear TIF_SIGPENDING and improve dump_interrupted().
75918 */
75919- wait_event_interruptible(pipe->wait, pipe->readers == 1);
75920+ wait_event_interruptible(pipe->wait, atomic_read(&pipe->readers) == 1);
75921
75922 pipe_lock(pipe);
75923- pipe->readers--;
75924- pipe->writers++;
75925+ atomic_dec(&pipe->readers);
75926+ atomic_inc(&pipe->writers);
75927 pipe_unlock(pipe);
75928 }
75929
75930@@ -518,7 +518,9 @@ void do_coredump(const siginfo_t *siginfo)
75931 /* require nonrelative corefile path and be extra careful */
75932 bool need_suid_safe = false;
75933 bool core_dumped = false;
75934- static atomic_t core_dump_count = ATOMIC_INIT(0);
75935+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
75936+ long signr = siginfo->si_signo;
75937+ int dumpable;
75938 struct coredump_params cprm = {
75939 .siginfo = siginfo,
75940 .regs = signal_pt_regs(),
75941@@ -531,12 +533,17 @@ void do_coredump(const siginfo_t *siginfo)
75942 .mm_flags = mm->flags,
75943 };
75944
75945- audit_core_dumps(siginfo->si_signo);
75946+ audit_core_dumps(signr);
75947+
75948+ dumpable = __get_dumpable(cprm.mm_flags);
75949+
75950+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
75951+ gr_handle_brute_attach(dumpable);
75952
75953 binfmt = mm->binfmt;
75954 if (!binfmt || !binfmt->core_dump)
75955 goto fail;
75956- if (!__get_dumpable(cprm.mm_flags))
75957+ if (!dumpable)
75958 goto fail;
75959
75960 cred = prepare_creds();
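Review bot: The signal filter in front of `gr_handle_brute_attach(dumpable)` has no comment explaining why exactly these four signals are counted, and the call sits before the `binfmt` and `dumpable` checks, so it runs even when no core file will be written. That ordering looks intentional for crash-rate detection, but it should be stated, e.g. `/* count crash signals for brute-force detection even when no dump is produced */`. It is also worth confirming that SIGKILL can reach do_coredump() at all; if its callers only pass core-dumping signals, that comparison never matches. do_coredump starts and ends outside the hunk.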
75961@@ -554,7 +561,7 @@ void do_coredump(const siginfo_t *siginfo)
75962 need_suid_safe = true;
75963 }
75964
75965- retval = coredump_wait(siginfo->si_signo, &core_state);
75966+ retval = coredump_wait(signr, &core_state);
75967 if (retval < 0)
75968 goto fail_creds;
75969
75970@@ -597,7 +604,7 @@ void do_coredump(const siginfo_t *siginfo)
75971 }
75972 cprm.limit = RLIM_INFINITY;
75973
75974- dump_count = atomic_inc_return(&core_dump_count);
75975+ dump_count = atomic_inc_return_unchecked(&core_dump_count);
75976 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
75977 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
75978 task_tgid_vnr(current), current->comm);
75979@@ -629,6 +636,8 @@ void do_coredump(const siginfo_t *siginfo)
75980 } else {
75981 struct inode *inode;
75982
75983+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
75984+
75985 if (cprm.limit < binfmt->min_coredump)
75986 goto fail_unlock;
75987
75988@@ -718,7 +727,7 @@ close_fail:
75989 filp_close(cprm.file, NULL);
75990 fail_dropcount:
75991 if (ispipe)
75992- atomic_dec(&core_dump_count);
75993+ atomic_dec_unchecked(&core_dump_count);
75994 fail_unlock:
75995 kfree(cn.corename);
75996 coredump_finish(mm, core_dumped);
75997@@ -739,6 +748,8 @@ int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
75998 struct file *file = cprm->file;
75999 loff_t pos = file->f_pos;
76000 ssize_t n;
76001+
76002+ gr_learn_resource(current, RLIMIT_CORE, cprm->written + nr, 1);
76003 if (cprm->written + nr > cprm->limit)
76004 return 0;
76005 while (nr) {
76006diff --git a/fs/dcache.c b/fs/dcache.c
76007index 9b5fe50..8e7901e 100644
76008--- a/fs/dcache.c
76009+++ b/fs/dcache.c
76010@@ -545,7 +545,7 @@ static void __dentry_kill(struct dentry *dentry)
76011 * dentry_iput drops the locks, at which point nobody (except
76012 * transient RCU lookups) can reach this dentry.
76013 */
76014- BUG_ON(dentry->d_lockref.count > 0);
76015+ BUG_ON(__lockref_read(&dentry->d_lockref) > 0);
76016 this_cpu_dec(nr_dentry);
76017 if (dentry->d_op && dentry->d_op->d_release)
76018 dentry->d_op->d_release(dentry);
76019@@ -598,7 +598,7 @@ static inline struct dentry *lock_parent(struct dentry *dentry)
76020 struct dentry *parent = dentry->d_parent;
76021 if (IS_ROOT(dentry))
76022 return NULL;
76023- if (unlikely(dentry->d_lockref.count < 0))
76024+ if (unlikely(__lockref_read(&dentry->d_lockref) < 0))
76025 return NULL;
76026 if (likely(spin_trylock(&parent->d_lock)))
76027 return parent;
76028@@ -660,8 +660,8 @@ static inline bool fast_dput(struct dentry *dentry)
76029 */
76030 if (unlikely(ret < 0)) {
76031 spin_lock(&dentry->d_lock);
76032- if (dentry->d_lockref.count > 1) {
76033- dentry->d_lockref.count--;
76034+ if (__lockref_read(&dentry->d_lockref) > 1) {
76035+ __lockref_dec(&dentry->d_lockref);
76036 spin_unlock(&dentry->d_lock);
76037 return 1;
76038 }
76039@@ -716,7 +716,7 @@ static inline bool fast_dput(struct dentry *dentry)
76040 * else could have killed it and marked it dead. Either way, we
76041 * don't need to do anything else.
76042 */
76043- if (dentry->d_lockref.count) {
76044+ if (__lockref_read(&dentry->d_lockref)) {
76045 spin_unlock(&dentry->d_lock);
76046 return 1;
76047 }
76048@@ -726,7 +726,7 @@ static inline bool fast_dput(struct dentry *dentry)
76049 * lock, and we just tested that it was zero, so we can just
76050 * set it to 1.
76051 */
76052- dentry->d_lockref.count = 1;
76053+ __lockref_set(&dentry->d_lockref, 1);
76054 return 0;
76055 }
76056
76057@@ -788,7 +788,7 @@ repeat:
76058 dentry->d_flags |= DCACHE_REFERENCED;
76059 dentry_lru_add(dentry);
76060
76061- dentry->d_lockref.count--;
76062+ __lockref_dec(&dentry->d_lockref);
76063 spin_unlock(&dentry->d_lock);
76064 return;
76065
76066@@ -803,7 +803,7 @@ EXPORT_SYMBOL(dput);
76067 /* This must be called with d_lock held */
76068 static inline void __dget_dlock(struct dentry *dentry)
76069 {
76070- dentry->d_lockref.count++;
76071+ __lockref_inc(&dentry->d_lockref);
76072 }
76073
76074 static inline void __dget(struct dentry *dentry)
76075@@ -844,8 +844,8 @@ repeat:
76076 goto repeat;
76077 }
76078 rcu_read_unlock();
76079- BUG_ON(!ret->d_lockref.count);
76080- ret->d_lockref.count++;
76081+ BUG_ON(!__lockref_read(&ret->d_lockref));
76082+ __lockref_inc(&ret->d_lockref);
76083 spin_unlock(&ret->d_lock);
76084 return ret;
76085 }
76086@@ -923,9 +923,9 @@ restart:
76087 spin_lock(&inode->i_lock);
76088 hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
76089 spin_lock(&dentry->d_lock);
76090- if (!dentry->d_lockref.count) {
76091+ if (!__lockref_read(&dentry->d_lockref)) {
76092 struct dentry *parent = lock_parent(dentry);
76093- if (likely(!dentry->d_lockref.count)) {
76094+ if (likely(!__lockref_read(&dentry->d_lockref))) {
76095 __dentry_kill(dentry);
76096 dput(parent);
76097 goto restart;
76098@@ -960,7 +960,7 @@ static void shrink_dentry_list(struct list_head *list)
76099 * We found an inuse dentry which was not removed from
76100 * the LRU because of laziness during lookup. Do not free it.
76101 */
76102- if (dentry->d_lockref.count > 0) {
76103+ if (__lockref_read(&dentry->d_lockref) > 0) {
76104 spin_unlock(&dentry->d_lock);
76105 if (parent)
76106 spin_unlock(&parent->d_lock);
76107@@ -998,8 +998,8 @@ static void shrink_dentry_list(struct list_head *list)
76108 dentry = parent;
76109 while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) {
76110 parent = lock_parent(dentry);
76111- if (dentry->d_lockref.count != 1) {
76112- dentry->d_lockref.count--;
76113+ if (__lockref_read(&dentry->d_lockref) != 1) {
76114+ __lockref_inc(&dentry->d_lockref);
76115 spin_unlock(&dentry->d_lock);
76116 if (parent)
76117 spin_unlock(&parent->d_lock);
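Review bot: The second changed line of this hunk turns a decrement into an increment: the removed `dentry->d_lockref.count--;` is replaced by `__lockref_inc(&dentry->d_lockref);`, whereas every other `count--` converted in this file becomes `__lockref_dec`. On this branch of the `lockref_put_or_lock()` loop in shrink_dentry_list the old code dropped a reference, so the new line leaves the count two higher than the old code did and would keep the dentry pinned. The line should read `__lockref_dec(&dentry->d_lockref);`. The loop body continues outside the hunk.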
76118@@ -1039,7 +1039,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item,
76119 * counts, just remove them from the LRU. Otherwise give them
76120 * another pass through the LRU.
76121 */
76122- if (dentry->d_lockref.count) {
76123+ if (__lockref_read(&dentry->d_lockref)) {
76124 d_lru_isolate(lru, dentry);
76125 spin_unlock(&dentry->d_lock);
76126 return LRU_REMOVED;
76127@@ -1373,7 +1373,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
76128 } else {
76129 if (dentry->d_flags & DCACHE_LRU_LIST)
76130 d_lru_del(dentry);
76131- if (!dentry->d_lockref.count) {
76132+ if (!__lockref_read(&dentry->d_lockref)) {
76133 d_shrink_add(dentry, &data->dispose);
76134 data->found++;
76135 }
76136@@ -1421,7 +1421,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
76137 return D_WALK_CONTINUE;
76138
76139 /* root with refcount 1 is fine */
76140- if (dentry == _data && dentry->d_lockref.count == 1)
76141+ if (dentry == _data && __lockref_read(&dentry->d_lockref) == 1)
76142 return D_WALK_CONTINUE;
76143
76144 printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} "
76145@@ -1430,7 +1430,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
76146 dentry->d_inode ?
76147 dentry->d_inode->i_ino : 0UL,
76148 dentry,
76149- dentry->d_lockref.count,
76150+ __lockref_read(&dentry->d_lockref),
76151 dentry->d_sb->s_type->name,
76152 dentry->d_sb->s_id);
76153 WARN_ON(1);
76154@@ -1571,7 +1571,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76155 dentry->d_iname[DNAME_INLINE_LEN-1] = 0;
76156 if (name->len > DNAME_INLINE_LEN-1) {
76157 size_t size = offsetof(struct external_name, name[1]);
76158- struct external_name *p = kmalloc(size + name->len, GFP_KERNEL);
76159+ struct external_name *p = kmalloc(round_up(size + name->len, sizeof(unsigned long)), GFP_KERNEL);
76160 if (!p) {
76161 kmem_cache_free(dentry_cache, dentry);
76162 return NULL;
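Review bot: The `round_up(size + name->len, sizeof(unsigned long))` in the `kmalloc()` call carries no comment saying why the external name is padded to a whole word. Presumably it keeps word-sized reads of the name inside the allocation, but nothing in the hunk confirms that. If so, a line such as `/* pad to a full word so word-at-a-time name reads stay inside the object */` above the allocation would record the intent. __d_alloc starts and ends outside the hunk.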
76163@@ -1594,7 +1594,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76164 smp_wmb();
76165 dentry->d_name.name = dname;
76166
76167- dentry->d_lockref.count = 1;
76168+ __lockref_set(&dentry->d_lockref, 1);
76169 dentry->d_flags = 0;
76170 spin_lock_init(&dentry->d_lock);
76171 seqcount_init(&dentry->d_seq);
76172@@ -1603,6 +1603,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76173 dentry->d_sb = sb;
76174 dentry->d_op = NULL;
76175 dentry->d_fsdata = NULL;
76176+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
76177+ atomic_set(&dentry->chroot_refcnt, 0);
76178+#endif
76179 INIT_HLIST_BL_NODE(&dentry->d_hash);
76180 INIT_LIST_HEAD(&dentry->d_lru);
76181 INIT_LIST_HEAD(&dentry->d_subdirs);
76182@@ -2327,7 +2330,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
76183 goto next;
76184 }
76185
76186- dentry->d_lockref.count++;
76187+ __lockref_inc(&dentry->d_lockref);
76188 found = dentry;
76189 spin_unlock(&dentry->d_lock);
76190 break;
76191@@ -2395,7 +2398,7 @@ again:
76192 spin_lock(&dentry->d_lock);
76193 inode = dentry->d_inode;
76194 isdir = S_ISDIR(inode->i_mode);
76195- if (dentry->d_lockref.count == 1) {
76196+ if (__lockref_read(&dentry->d_lockref) == 1) {
76197 if (!spin_trylock(&inode->i_lock)) {
76198 spin_unlock(&dentry->d_lock);
76199 cpu_relax();
76200@@ -3337,7 +3340,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
76201
76202 if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
76203 dentry->d_flags |= DCACHE_GENOCIDE;
76204- dentry->d_lockref.count--;
76205+ __lockref_dec(&dentry->d_lockref);
76206 }
76207 }
76208 return D_WALK_CONTINUE;
76209@@ -3445,7 +3448,8 @@ void __init vfs_caches_init_early(void)
76210 void __init vfs_caches_init(void)
76211 {
76212 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
76213- SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
76214+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY|
76215+ SLAB_NO_SANITIZE, NULL);
76216
76217 dcache_init();
76218 inode_init();
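Review bot: The two flags added to the `names_cache` creation call, `SLAB_USERCOPY` and `SLAB_NO_SANITIZE`, are undocumented at the call site. This cache holds `PATH_MAX`-sized pathname buffers, so opting it out of sanitization is a deliberate trade-off that a reader cannot reconstruct from the flags alone. A short comment would help, for example `/* pathnames are copied to/from userland; exempt from free-time sanitization for speed */`, assuming speed is the reason.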
76219diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
76220index c711be8..23b8df9 100644
76221--- a/fs/debugfs/inode.c
76222+++ b/fs/debugfs/inode.c
76223@@ -402,6 +402,10 @@ EXPORT_SYMBOL_GPL(debugfs_create_file_size);
76224 * If debugfs is not enabled in the kernel, the value -%ENODEV will be
76225 * returned.
76226 */
76227+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
76228+extern int grsec_enable_sysfs_restrict;
76229+#endif
76230+
76231 struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
76232 {
76233 struct dentry *dentry = start_creating(name, parent);
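Review bot: The `#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT` / `extern int grsec_enable_sysfs_restrict;` block is inserted between the closing `*/` of the function's documentation comment and `debugfs_create_dir()` itself. The comment therefore no longer sits directly above the function it describes, which can confuse readers and kernel-doc extraction (assuming it is a kernel-doc block; its start is outside the hunk). Move the declaration above the comment, or better into a shared header, so the prototype is not repeated by hand in each `.c` file that tests the flag.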
76234@@ -414,7 +418,12 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
76235 if (unlikely(!inode))
76236 return failed_creating(dentry);
76237
76238- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
76239+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
76240+ if (grsec_enable_sysfs_restrict)
76241+ inode->i_mode = S_IFDIR | S_IRWXU;
76242+ else
76243+#endif
76244+ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
76245 inode->i_op = &simple_dir_inode_operations;
76246 inode->i_fop = &simple_dir_operations;
76247
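Review bot: The `else` left dangling just before `#endif` makes the final `inode->i_mode = ...` assignment either an else-branch or a plain statement depending on the config, which is easy to break in later edits. A less fragile form keeps the original unconditional assignment and follows it with the guarded override `if (grsec_enable_sysfs_restrict) inode->i_mode = S_IFDIR | S_IRWXU;` inside the `#ifdef`. The restricted mode is applied only at creation time here, so a comment should state whether directories created before the flag was set are expected to keep the wider mode.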
76248diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
76249index 3c4db11..a43976f 100644
76250--- a/fs/ecryptfs/inode.c
76251+++ b/fs/ecryptfs/inode.c
76252@@ -662,7 +662,7 @@ static char *ecryptfs_readlink_lower(struct dentry *dentry, size_t *bufsiz)
76253 old_fs = get_fs();
76254 set_fs(get_ds());
76255 rc = d_inode(lower_dentry)->i_op->readlink(lower_dentry,
76256- (char __user *)lower_buf,
76257+ (char __force_user *)lower_buf,
76258 PATH_MAX);
76259 set_fs(old_fs);
76260 if (rc < 0)
76261diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
76262index e4141f2..d8263e8 100644
76263--- a/fs/ecryptfs/miscdev.c
76264+++ b/fs/ecryptfs/miscdev.c
76265@@ -304,7 +304,7 @@ check_list:
76266 goto out_unlock_msg_ctx;
76267 i = PKT_TYPE_SIZE + PKT_CTR_SIZE;
76268 if (msg_ctx->msg) {
76269- if (copy_to_user(&buf[i], packet_length, packet_length_size))
76270+ if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
76271 goto out_unlock_msg_ctx;
76272 i += packet_length_size;
76273 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
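Review bot: The new bound `packet_length_size > sizeof(packet_length)` is folded into the `copy_to_user()` condition, so an out-of-range length takes the same exit as a faulting user buffer and returns whatever error that path uses (set outside the hunk). An oversized length points at an internal encoding problem rather than a bad user pointer, so it deserves its own test and a diagnostic, e.g. `if (WARN_ON_ONCE(packet_length_size > sizeof(packet_length))) goto out_unlock_msg_ctx;` ahead of the copy. The check also relies on `packet_length` being an array and not a pointer at this point, since `sizeof` is used; its declaration is outside the hunk.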
76274diff --git a/fs/exec.c b/fs/exec.c
76275index 1977c2a..40e7f8f 100644
76276--- a/fs/exec.c
76277+++ b/fs/exec.c
76278@@ -56,8 +56,20 @@
76279 #include <linux/pipe_fs_i.h>
76280 #include <linux/oom.h>
76281 #include <linux/compat.h>
76282+#include <linux/random.h>
76283+#include <linux/seq_file.h>
76284+#include <linux/coredump.h>
76285+#include <linux/mman.h>
76286+
76287+#ifdef CONFIG_PAX_REFCOUNT
76288+#include <linux/kallsyms.h>
76289+#include <linux/kdebug.h>
76290+#endif
76291+
76292+#include <trace/events/fs.h>
76293
76294 #include <asm/uaccess.h>
76295+#include <asm/sections.h>
76296 #include <asm/mmu_context.h>
76297 #include <asm/tlb.h>
76298
76299@@ -66,19 +78,34 @@
76300
76301 #include <trace/events/sched.h>
76302
76303+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
76304+void __weak pax_set_initial_flags(struct linux_binprm *bprm)
76305+{
76306+ pr_warn_once("PAX: PAX_HAVE_ACL_FLAGS was enabled without providing the pax_set_initial_flags callback, this is probably not what you wanted.\n");
76307+}
76308+#endif
76309+
76310+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
76311+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
76312+EXPORT_SYMBOL(pax_set_initial_flags_func);
76313+#endif
76314+
76315 int suid_dumpable = 0;
76316
76317 static LIST_HEAD(formats);
76318 static DEFINE_RWLOCK(binfmt_lock);
76319
76320+extern int gr_process_kernel_exec_ban(void);
76321+extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm);
76322+
76323 void __register_binfmt(struct linux_binfmt * fmt, int insert)
76324 {
76325 BUG_ON(!fmt);
76326 if (WARN_ON(!fmt->load_binary))
76327 return;
76328 write_lock(&binfmt_lock);
76329- insert ? list_add(&fmt->lh, &formats) :
76330- list_add_tail(&fmt->lh, &formats);
76331+ insert ? pax_list_add((struct list_head *)&fmt->lh, &formats) :
76332+ pax_list_add_tail((struct list_head *)&fmt->lh, &formats);
76333 write_unlock(&binfmt_lock);
76334 }
76335
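Review bot: The casts in `pax_list_add((struct list_head *)&fmt->lh, &formats)` and `pax_list_add_tail((struct list_head *)&fmt->lh, &formats)` are unexplained, and the same cast appears in the next hunk's `pax_list_del((struct list_head *)&fmt->lh)`. A cast to the member's own declared type usually means a qualifier is being dropped, presumably because `struct linux_binfmt` is treated as read-only elsewhere in this patch. Without a note, the next reader cannot tell whether it is required or a leftover. A comment above the first use would settle it, such as `/* fmt is const-qualified by constification; the pax_list_* helpers do the write */`, if that is the reason.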
76336@@ -87,7 +114,7 @@ EXPORT_SYMBOL(__register_binfmt);
76337 void unregister_binfmt(struct linux_binfmt * fmt)
76338 {
76339 write_lock(&binfmt_lock);
76340- list_del(&fmt->lh);
76341+ pax_list_del((struct list_head *)&fmt->lh);
76342 write_unlock(&binfmt_lock);
76343 }
76344
76345@@ -183,18 +210,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
76346 int write)
76347 {
76348 struct page *page;
76349- int ret;
76350
76351-#ifdef CONFIG_STACK_GROWSUP
76352- if (write) {
76353- ret = expand_downwards(bprm->vma, pos);
76354- if (ret < 0)
76355- return NULL;
76356- }
76357-#endif
76358- ret = get_user_pages(current, bprm->mm, pos,
76359- 1, write, 1, &page, NULL);
76360- if (ret <= 0)
76361+ if (0 > expand_downwards(bprm->vma, pos))
76362+ return NULL;
76363+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
76364 return NULL;
76365
76366 if (write) {
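Review bot: `expand_downwards(bprm->vma, pos)` is now called unconditionally, because both the `#ifdef CONFIG_STACK_GROWSUP` guard and the `if (write)` condition are dropped. No comment explains why read-only lookups and grows-down configurations now need the expansion. That is a behaviour change for every caller that passes `write == 0`, so it should be justified in a comment above the call. The reversed comparisons `0 > expand_downwards(...)` and `0 >= get_user_pages(...)` also go against kernel style; `if (expand_downwards(bprm->vma, pos) < 0)` reads more naturally. get_arg_page continues outside the hunk.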
76367@@ -210,6 +229,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
76368 if (size <= ARG_MAX)
76369 return page;
76370
76371+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
76372+ // only allow 512KB for argv+env on suid/sgid binaries
76373+ // to prevent easy ASLR exhaustion
76374+ if (((!uid_eq(bprm->cred->euid, current_euid())) ||
76375+ (!gid_eq(bprm->cred->egid, current_egid()))) &&
76376+ (size > (512 * 1024))) {
76377+ put_page(page);
76378+ return NULL;
76379+ }
76380+#endif
76381+
76382 /*
76383 * Limit to 1/4-th the stack size for the argv+env strings.
76384 * This ensures that:
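Review bot: The id-change test `!uid_eq(bprm->cred->euid, current_euid()) || !gid_eq(bprm->cred->egid, current_egid())` is written out in full here and again in the do_execveat_common hunk that caps the stack limit, so the two copies can drift apart. A small helper, for example `static inline bool bprm_changes_ids(const struct linux_binprm *bprm)`, would keep both limits tied to one definition. The bare `512 * 1024` would also be clearer as a named constant, and the two `//` comments should use the `/* */` form found elsewhere in this file.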
76385@@ -269,6 +299,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
76386 vma->vm_end = STACK_TOP_MAX;
76387 vma->vm_start = vma->vm_end - PAGE_SIZE;
76388 vma->vm_flags = VM_SOFTDIRTY | VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
76389+
76390+#ifdef CONFIG_PAX_SEGMEXEC
76391+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
76392+#endif
76393+
76394 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
76395 INIT_LIST_HEAD(&vma->anon_vma_chain);
76396
76397@@ -280,6 +315,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
76398 arch_bprm_mm_init(mm, vma);
76399 up_write(&mm->mmap_sem);
76400 bprm->p = vma->vm_end - sizeof(void *);
76401+
76402+#ifdef CONFIG_PAX_RANDUSTACK
76403+ if (randomize_va_space)
76404+ bprm->p ^= prandom_u32() & ~PAGE_MASK;
76405+#endif
76406+
76407 return 0;
76408 err:
76409 up_write(&mm->mmap_sem);
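Review bot: The sub-page stack offset in `bprm->p ^= prandom_u32() & ~PAGE_MASK;` is drawn from `prandom_u32()`, a fast pseudo-random generator that is not meant for values an attacker must be unable to predict. Since this offset is part of address-space randomisation, `get_random_int()` is the more appropriate source: `bprm->p ^= get_random_int() & ~PAGE_MASK;`. The XOR can also leave `bprm->p` at any byte offset within the page. A comment should say where alignment is restored, presumably later in setup_arg_pages.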
76410@@ -396,7 +437,7 @@ struct user_arg_ptr {
76411 } ptr;
76412 };
76413
76414-static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
76415+const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
76416 {
76417 const char __user *native;
76418
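Review bot: Dropping `static` from `get_user_arg_ptr()` makes it a global symbol, yet no prototype is added anywhere in view. `struct user_arg_ptr`, which it takes by value, appears from the hunk context to be defined in this `.c` file. The later hunk's hand-written `extern void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv);` has the same problem. External callers should get both the struct and the prototypes from one shared header so that a signature change fails at compile time instead of silently mismatching.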
76419@@ -405,14 +446,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
76420 compat_uptr_t compat;
76421
76422 if (get_user(compat, argv.ptr.compat + nr))
76423- return ERR_PTR(-EFAULT);
76424+ return (const char __force_user *)ERR_PTR(-EFAULT);
76425
76426 return compat_ptr(compat);
76427 }
76428 #endif
76429
76430 if (get_user(native, argv.ptr.native + nr))
76431- return ERR_PTR(-EFAULT);
76432+ return (const char __force_user *)ERR_PTR(-EFAULT);
76433
76434 return native;
76435 }
76436@@ -431,7 +472,7 @@ static int count(struct user_arg_ptr argv, int max)
76437 if (!p)
76438 break;
76439
76440- if (IS_ERR(p))
76441+ if (IS_ERR((const char __force_kernel *)p))
76442 return -EFAULT;
76443
76444 if (i >= max)
76445@@ -466,7 +507,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
76446
76447 ret = -EFAULT;
76448 str = get_user_arg_ptr(argv, argc);
76449- if (IS_ERR(str))
76450+ if (IS_ERR((const char __force_kernel *)str))
76451 goto out;
76452
76453 len = strnlen_user(str, MAX_ARG_STRLEN);
76454@@ -548,7 +589,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
76455 int r;
76456 mm_segment_t oldfs = get_fs();
76457 struct user_arg_ptr argv = {
76458- .ptr.native = (const char __user *const __user *)__argv,
76459+ .ptr.native = (const char __user * const __force_user *)__argv,
76460 };
76461
76462 set_fs(KERNEL_DS);
76463@@ -583,7 +624,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
76464 unsigned long new_end = old_end - shift;
76465 struct mmu_gather tlb;
76466
76467- BUG_ON(new_start > new_end);
76468+ if (new_start >= new_end || new_start < mmap_min_addr)
76469+ return -ENOMEM;
76470
76471 /*
76472 * ensure there are no vmas between where we want to go
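Review bot: The new `new_start < mmap_min_addr` test is now the only place the low-address guard is enforced, since the equivalent check is deleted from setup_arg_pages in a later hunk, and it is reached only when that caller has a non-zero `stack_shift`. Nothing here records that dependency. A comment above the test would do it, e.g. `/* sole mmap_min_addr guard for the relocated stack; setup_arg_pages relies on it */`. `new_start` and `new_end` are computed by unsigned subtraction outside the hunk, so the comment should also note that a wrapped value is expected to be caught by `new_start >= new_end`.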
76473@@ -592,6 +634,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
76474 if (vma != find_vma(mm, new_start))
76475 return -EFAULT;
76476
76477+#ifdef CONFIG_PAX_SEGMEXEC
76478+ BUG_ON(pax_find_mirror_vma(vma));
76479+#endif
76480+
76481 /*
76482 * cover the whole range: [new_start, old_end)
76483 */
76484@@ -675,10 +721,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
76485 stack_top = arch_align_stack(stack_top);
76486 stack_top = PAGE_ALIGN(stack_top);
76487
76488- if (unlikely(stack_top < mmap_min_addr) ||
76489- unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
76490- return -ENOMEM;
76491-
76492 stack_shift = vma->vm_end - stack_top;
76493
76494 bprm->p -= stack_shift;
76495@@ -690,8 +732,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
76496 bprm->exec -= stack_shift;
76497
76498 down_write(&mm->mmap_sem);
76499+
76500+ /* Move stack pages down in memory. */
76501+ if (stack_shift) {
76502+ ret = shift_arg_pages(vma, stack_shift);
76503+ if (ret)
76504+ goto out_unlock;
76505+ }
76506+
76507 vm_flags = VM_STACK_FLAGS;
76508
76509+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
76510+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
76511+ vm_flags &= ~VM_EXEC;
76512+
76513+#ifdef CONFIG_PAX_MPROTECT
76514+ if (mm->pax_flags & MF_PAX_MPROTECT)
76515+ vm_flags &= ~VM_MAYEXEC;
76516+#endif
76517+
76518+ }
76519+#endif
76520+
76521 /*
76522 * Adjust stack execute permissions; explicitly enable for
76523 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
76524@@ -710,13 +772,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
76525 goto out_unlock;
76526 BUG_ON(prev != vma);
76527
76528- /* Move stack pages down in memory. */
76529- if (stack_shift) {
76530- ret = shift_arg_pages(vma, stack_shift);
76531- if (ret)
76532- goto out_unlock;
76533- }
76534-
76535 /* mprotect_fixup is overkill to remove the temporary stack flags */
76536 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
76537
76538@@ -740,6 +795,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
76539 #endif
76540 current->mm->start_stack = bprm->p;
76541 ret = expand_stack(vma, stack_base);
76542+
76543+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP)
76544+ if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) {
76545+ unsigned long size;
76546+ vm_flags_t vm_flags;
76547+
76548+ size = STACK_TOP - vma->vm_end;
76549+ vm_flags = VM_NONE | VM_DONTEXPAND | VM_DONTDUMP;
76550+
76551+ ret = vma->vm_end != mmap_region(NULL, vma->vm_end, size, vm_flags, 0);
76552+
76553+#ifdef CONFIG_X86
76554+ if (!ret) {
76555+ size = PAGE_SIZE + mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
76556+ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), vm_flags, 0);
76557+ }
76558+#endif
76559+
76560+ }
76561+#endif
76562+
76563 if (ret)
76564 ret = -EFAULT;
76565
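Review bot: The block-local `vm_flags_t vm_flags;` shadows the `vm_flags` that setup_arg_pages already uses for the stack mapping (assigned from `VM_STACK_FLAGS` in an earlier hunk), so the same name means two different things within one function. Renaming it, e.g. `vm_flags_t gap_flags = VM_NONE | VM_DONTEXPAND | VM_DONTDUMP;`, removes the ambiguity. Both `ret = vma->vm_end != mmap_region(...)` and `ret = 0 != mmap_region(...)` reduce the result to a boolean, which the following `if (ret) ret = -EFAULT;` then reports as a fault even when the mapping failed for lack of memory. The constants `0xFFFFFFFFU` and `0xFFUL << PAGE_SHIFT` also need a comment saying what address range and how much entropy they select.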
76566@@ -784,8 +860,10 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
76567 if (err)
76568 goto exit;
76569
76570- if (name->name[0] != '\0')
76571+ if (name->name[0] != '\0') {
76572 fsnotify_open(file);
76573+ trace_open_exec(name->name);
76574+ }
76575
76576 out:
76577 return file;
76578@@ -818,7 +896,7 @@ int kernel_read(struct file *file, loff_t offset,
76579 old_fs = get_fs();
76580 set_fs(get_ds());
76581 /* The cast to a user pointer is valid due to the set_fs() */
76582- result = vfs_read(file, (void __user *)addr, count, &pos);
76583+ result = vfs_read(file, (void __force_user *)addr, count, &pos);
76584 set_fs(old_fs);
76585 return result;
76586 }
76587@@ -863,6 +941,7 @@ static int exec_mmap(struct mm_struct *mm)
76588 tsk->mm = mm;
76589 tsk->active_mm = mm;
76590 activate_mm(active_mm, mm);
76591+ populate_stack();
76592 tsk->mm->vmacache_seqnum = 0;
76593 vmacache_flush(tsk);
76594 task_unlock(tsk);
76595@@ -1271,7 +1350,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
76596 }
76597 rcu_read_unlock();
76598
76599- if (p->fs->users > n_fs)
76600+ if (atomic_read(&p->fs->users) > n_fs)
76601 bprm->unsafe |= LSM_UNSAFE_SHARE;
76602 else
76603 p->fs->in_exec = 1;
76604@@ -1472,6 +1551,31 @@ static int exec_binprm(struct linux_binprm *bprm)
76605 return ret;
76606 }
76607
76608+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
76609+static DEFINE_PER_CPU(u64, exec_counter);
76610+static int __init init_exec_counters(void)
76611+{
76612+ unsigned int cpu;
76613+
76614+ for_each_possible_cpu(cpu) {
76615+ per_cpu(exec_counter, cpu) = (u64)cpu;
76616+ }
76617+
76618+ return 0;
76619+}
76620+early_initcall(init_exec_counters);
76621+static inline void increment_exec_counter(void)
76622+{
76623+ BUILD_BUG_ON(NR_CPUS > (1 << 16));
76624+ current->exec_id = this_cpu_add_return(exec_counter, 1 << 16);
76625+}
76626+#else
76627+static inline void increment_exec_counter(void) {}
76628+#endif
76629+
76630+extern void gr_handle_exec_args(struct linux_binprm *bprm,
76631+ struct user_arg_ptr argv);
76632+
76633 /*
76634 * sys_execve() executes a new program.
76635 */
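Review bot: The layout of `exec_id` is undocumented and depends on a literal `16` repeated in `BUILD_BUG_ON(NR_CPUS > (1 << 16))` and `this_cpu_add_return(exec_counter, 1 << 16)`. As written, each per-CPU counter starts at its CPU number and advances in steps of `1 << 16`, so the low 16 bits identify the CPU and the upper bits count execs on it. A named constant, e.g. `#define EXEC_ID_CPU_BITS 16`, and a comment above `exec_counter` stating this encoding would make the uniqueness argument explicit. It would be worth noting there that the ids are sequential per CPU and so are unique but not unpredictable.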
76636@@ -1480,6 +1584,11 @@ static int do_execveat_common(int fd, struct filename *filename,
76637 struct user_arg_ptr envp,
76638 int flags)
76639 {
76640+#ifdef CONFIG_GRKERNSEC
76641+ struct file *old_exec_file;
76642+ struct acl_subject_label *old_acl;
76643+ struct rlimit old_rlim[RLIM_NLIMITS];
76644+#endif
76645 char *pathbuf = NULL;
76646 struct linux_binprm *bprm;
76647 struct file *file;
76648@@ -1489,6 +1598,8 @@ static int do_execveat_common(int fd, struct filename *filename,
76649 if (IS_ERR(filename))
76650 return PTR_ERR(filename);
76651
76652+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current_user()->processes), 1);
76653+
76654 /*
76655 * We move the actual failure in case of RLIMIT_NPROC excess from
76656 * set*uid() to execve() because too many poorly written programs
76657@@ -1526,6 +1637,11 @@ static int do_execveat_common(int fd, struct filename *filename,
76658 if (IS_ERR(file))
76659 goto out_unmark;
76660
76661+ if (gr_ptrace_readexec(file, bprm->unsafe)) {
76662+ retval = -EPERM;
76663+ goto out_unmark;
76664+ }
76665+
76666 sched_exec();
76667
76668 bprm->file = file;
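Review bot: The new `gr_ptrace_readexec()` failure path jumps to `out_unmark` before `bprm->file = file;` has run, so the file opened just above the hunk is held only by the local variable at that point. Unless the cleanup after `out_unmark` (outside the hunk) releases `file` independently of `bprm->file`, this path leaks the file reference and whatever write-denial the open took. The simplest fix is to move the check below `bprm->file = file;` so the common bprm teardown owns the file, keeping `retval = -EPERM; goto out_unmark;` as is.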
76669@@ -1552,6 +1668,11 @@ static int do_execveat_common(int fd, struct filename *filename,
76670 }
76671 bprm->interp = bprm->filename;
76672
76673+ if (!gr_acl_handle_execve(file->f_path.dentry, file->f_path.mnt)) {
76674+ retval = -EACCES;
76675+ goto out_unmark;
76676+ }
76677+
76678 retval = bprm_mm_init(bprm);
76679 if (retval)
76680 goto out_unmark;
76681@@ -1568,24 +1689,70 @@ static int do_execveat_common(int fd, struct filename *filename,
76682 if (retval < 0)
76683 goto out;
76684
76685+#ifdef CONFIG_GRKERNSEC
76686+ old_acl = current->acl;
76687+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
76688+ old_exec_file = current->exec_file;
76689+ get_file(file);
76690+ current->exec_file = file;
76691+#endif
76692+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
76693+ /* limit suid stack to 8MB
76694+ * we saved the old limits above and will restore them if this exec fails
76695+ */
76696+ if (((!uid_eq(bprm->cred->euid, current_euid())) || (!gid_eq(bprm->cred->egid, current_egid()))) &&
76697+ (old_rlim[RLIMIT_STACK].rlim_cur > (8 * 1024 * 1024)))
76698+ current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;
76699+#endif
76700+
76701+ if (gr_process_kernel_exec_ban() || gr_process_suid_exec_ban(bprm)) {
76702+ retval = -EPERM;
76703+ goto out_fail;
76704+ }
76705+
76706+ if (!gr_tpe_allow(file)) {
76707+ retval = -EACCES;
76708+ goto out_fail;
76709+ }
76710+
76711+ if (gr_check_crash_exec(file)) {
76712+ retval = -EACCES;
76713+ goto out_fail;
76714+ }
76715+
76716+ retval = gr_set_proc_label(file->f_path.dentry, file->f_path.mnt,
76717+ bprm->unsafe);
76718+ if (retval < 0)
76719+ goto out_fail;
76720+
76721 retval = copy_strings_kernel(1, &bprm->filename, bprm);
76722 if (retval < 0)
76723- goto out;
76724+ goto out_fail;
76725
76726 bprm->exec = bprm->p;
76727 retval = copy_strings(bprm->envc, envp, bprm);
76728 if (retval < 0)
76729- goto out;
76730+ goto out_fail;
76731
76732 retval = copy_strings(bprm->argc, argv, bprm);
76733 if (retval < 0)
76734- goto out;
76735+ goto out_fail;
76736+
76737+ gr_log_chroot_exec(file->f_path.dentry, file->f_path.mnt);
76738+
76739+ gr_handle_exec_args(bprm, argv);
76740
76741 retval = exec_binprm(bprm);
76742 if (retval < 0)
76743- goto out;
76744+ goto out_fail;
76745+#ifdef CONFIG_GRKERNSEC
76746+ if (old_exec_file)
76747+ fput(old_exec_file);
76748+#endif
76749
76750 /* execve succeeded */
76751+
76752+ increment_exec_counter();
76753 current->fs->in_exec = 0;
76754 current->in_execve = 0;
76755 acct_update_integrals(current);
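Review bot: `current->signal->rlim` is saved with a plain `memcpy()` into `old_rlim` here and restored wholesale under `out_fail` in the next hunk, with no lock held in either place. The limits live in the shared signal struct, and the kernel's normal limit writers serialise on the group leader's task lock, so a limit changed by another thread or process between save and restore would be silently reverted on a failed exec. Taking `task_lock(current->group_leader)` around both copies would close that window. Alternatively, restore only the entries this path may have changed; the hunk itself writes only `rlim[RLIMIT_STACK].rlim_cur`, and `gr_set_proc_label()` may touch others. The literal `8 * 1024 * 1024` appears twice in one statement and would be clearer as a named constant.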
76756@@ -1597,6 +1764,14 @@ static int do_execveat_common(int fd, struct filename *filename,
76757 put_files_struct(displaced);
76758 return retval;
76759
76760+out_fail:
76761+#ifdef CONFIG_GRKERNSEC
76762+ current->acl = old_acl;
76763+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
76764+ fput(current->exec_file);
76765+ current->exec_file = old_exec_file;
76766+#endif
76767+
76768 out:
76769 if (bprm->mm) {
76770 acct_arg_size(bprm, 0);
76771@@ -1743,3 +1918,312 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
76772 argv, envp, flags);
76773 }
76774 #endif
76775+
76776+int pax_check_flags(unsigned long *flags)
76777+{
76778+ int retval = 0;
76779+
76780+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
76781+ if (*flags & MF_PAX_SEGMEXEC)
76782+ {
76783+ *flags &= ~MF_PAX_SEGMEXEC;
76784+ retval = -EINVAL;
76785+ }
76786+#endif
76787+
76788+ if ((*flags & MF_PAX_PAGEEXEC)
76789+
76790+#ifdef CONFIG_PAX_PAGEEXEC
76791+ && (*flags & MF_PAX_SEGMEXEC)
76792+#endif
76793+
76794+ )
76795+ {
76796+ *flags &= ~MF_PAX_PAGEEXEC;
76797+ retval = -EINVAL;
76798+ }
76799+
76800+ if ((*flags & MF_PAX_MPROTECT)
76801+
76802+#ifdef CONFIG_PAX_MPROTECT
76803+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
76804+#endif
76805+
76806+ )
76807+ {
76808+ *flags &= ~MF_PAX_MPROTECT;
76809+ retval = -EINVAL;
76810+ }
76811+
76812+ if ((*flags & MF_PAX_EMUTRAMP)
76813+
76814+#ifdef CONFIG_PAX_EMUTRAMP
76815+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
76816+#endif
76817+
76818+ )
76819+ {
76820+ *flags &= ~MF_PAX_EMUTRAMP;
76821+ retval = -EINVAL;
76822+ }
76823+
76824+ return retval;
76825+}
76826+
76827+EXPORT_SYMBOL(pax_check_flags);
76828+
76829+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
76830+char *pax_get_path(const struct path *path, char *buf, int buflen)
76831+{
76832+ char *pathname = d_path(path, buf, buflen);
76833+
76834+ if (IS_ERR(pathname))
76835+ goto toolong;
76836+
76837+ pathname = mangle_path(buf, pathname, "\t\n\\");
76838+ if (!pathname)
76839+ goto toolong;
76840+
76841+ *pathname = 0;
76842+ return buf;
76843+
76844+toolong:
76845+ return "<path too long>";
76846+}
76847+EXPORT_SYMBOL(pax_get_path);
76848+
76849+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
76850+{
76851+ struct task_struct *tsk = current;
76852+ struct mm_struct *mm = current->mm;
76853+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
76854+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
76855+ char *path_exec = NULL;
76856+ char *path_fault = NULL;
76857+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
76858+ siginfo_t info = { };
76859+
76860+ if (buffer_exec && buffer_fault) {
76861+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
76862+
76863+ down_read(&mm->mmap_sem);
76864+ vma = mm->mmap;
76865+ while (vma && (!vma_exec || !vma_fault)) {
76866+ if (vma->vm_file && mm->exe_file == vma->vm_file && (vma->vm_flags & VM_EXEC))
76867+ vma_exec = vma;
76868+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
76869+ vma_fault = vma;
76870+ vma = vma->vm_next;
76871+ }
76872+ if (vma_exec)
76873+ path_exec = pax_get_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
76874+ if (vma_fault) {
76875+ start = vma_fault->vm_start;
76876+ end = vma_fault->vm_end;
76877+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
76878+ if (vma_fault->vm_file)
76879+ path_fault = pax_get_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
76880+ else if ((unsigned long)pc >= mm->start_brk && (unsigned long)pc < mm->brk)
76881+ path_fault = "<heap>";
76882+ else if (vma_fault->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
76883+ path_fault = "<stack>";
76884+ else
76885+ path_fault = "<anonymous mapping>";
76886+ }
76887+ up_read(&mm->mmap_sem);
76888+ }
76889+ if (tsk->signal->curr_ip)
76890+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
76891+ else
76892+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
76893+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
76894+ from_kuid_munged(&init_user_ns, task_uid(tsk)), from_kuid_munged(&init_user_ns, task_euid(tsk)), pc, sp);
76895+ free_page((unsigned long)buffer_exec);
76896+ free_page((unsigned long)buffer_fault);
76897+ pax_report_insns(regs, pc, sp);
76898+ info.si_signo = SIGKILL;
76899+ info.si_errno = 0;
76900+ info.si_code = SI_KERNEL;
76901+ info.si_pid = 0;
76902+ info.si_uid = 0;
76903+ do_coredump(&info);
76904+}
76905+#endif
76906+
76907+#ifdef CONFIG_PAX_REFCOUNT
76908+void pax_report_refcount_overflow(struct pt_regs *regs)
76909+{
76910+ if (current->signal->curr_ip)
76911+ printk(KERN_EMERG "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
76912+ &current->signal->curr_ip, current->comm, task_pid_nr(current),
76913+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
76914+ else
76915+ printk(KERN_EMERG "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current),
76916+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
76917+ print_symbol(KERN_EMERG "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
76918+ preempt_disable();
76919+ show_regs(regs);
76920+ preempt_enable();
76921+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
76922+}
76923+#endif
76924+
76925+#ifdef CONFIG_PAX_USERCOPY
76926+/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
76927+static noinline int check_stack_object(const void *obj, unsigned long len)
76928+{
76929+ const void * const stack = task_stack_page(current);
76930+ const void * const stackend = stack + THREAD_SIZE;
76931+
76932+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
76933+ const void *frame = NULL;
76934+ const void *oldframe;
76935+#endif
76936+
76937+ if (obj + len < obj)
76938+ return -1;
76939+
76940+ if (obj + len <= stack || stackend <= obj)
76941+ return 0;
76942+
76943+ if (obj < stack || stackend < obj + len)
76944+ return -1;
76945+
76946+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
76947+ oldframe = __builtin_frame_address(1);
76948+ if (oldframe)
76949+ frame = __builtin_frame_address(2);
76950+ /*
76951+ low ----------------------------------------------> high
76952+ [saved bp][saved ip][args][local vars][saved bp][saved ip]
76953+ ^----------------^
76954+ allow copies only within here
76955+ */
76956+ while (stack <= frame && frame < stackend) {
76957+ /* if obj + len extends past the last frame, this
76958+ check won't pass and the next frame will be 0,
76959+ causing us to bail out and correctly report
76960+ the copy as invalid
76961+ */
76962+ if (obj + len <= frame)
76963+ return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
76964+ oldframe = frame;
76965+ frame = *(const void * const *)frame;
76966+ }
76967+ return -1;
76968+#else
76969+ return 1;
76970+#endif
76971+}
76972+
76973+static __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to_user, const char *type)
76974+{
76975+ if (current->signal->curr_ip)
76976+ printk(KERN_EMERG "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
76977+ &current->signal->curr_ip, to_user ? "leak" : "overwrite", to_user ? "from" : "to", ptr, type ? : "unknown", len);
76978+ else
76979+ printk(KERN_EMERG "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
76980+ to_user ? "leak" : "overwrite", to_user ? "from" : "to", ptr, type ? : "unknown", len);
76981+ dump_stack();
76982+ gr_handle_kernel_exploit();
76983+ do_group_exit(SIGKILL);
76984+}
76985+#endif
76986+
76987+#ifdef CONFIG_PAX_USERCOPY
76988+
76989+static inline bool check_kernel_text_object(unsigned long low, unsigned long high)
76990+{
76991+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
76992+ unsigned long textlow = ktla_ktva((unsigned long)_stext);
76993+#ifdef CONFIG_MODULES
76994+ unsigned long texthigh = (unsigned long)MODULES_EXEC_VADDR;
76995+#else
76996+ unsigned long texthigh = ktla_ktva((unsigned long)_etext);
76997+#endif
76998+
76999+#else
77000+ unsigned long textlow = (unsigned long)_stext;
77001+ unsigned long texthigh = (unsigned long)_etext;
77002+
77003+#ifdef CONFIG_X86_64
77004+ /* check against linear mapping as well */
77005+ if (high > (unsigned long)__va(__pa(textlow)) &&
77006+ low < (unsigned long)__va(__pa(texthigh)))
77007+ return true;
77008+#endif
77009+
77010+#endif
77011+
77012+ if (high <= textlow || low >= texthigh)
77013+ return false;
77014+ else
77015+ return true;
77016+}
77017+#endif
77018+
77019+void __check_object_size(const void *ptr, unsigned long n, bool to_user, bool const_size)
77020+{
77021+#ifdef CONFIG_PAX_USERCOPY
77022+ const char *type;
77023+#endif
77024+
77025+#if !defined(CONFIG_STACK_GROWSUP) && !defined(CONFIG_X86_64)
77026+ unsigned long stackstart = (unsigned long)task_stack_page(current);
77027+ unsigned long currentsp = (unsigned long)&stackstart;
77028+ if (unlikely((currentsp < stackstart + 512 ||
77029+ currentsp >= stackstart + THREAD_SIZE) && !in_interrupt()))
77030+ BUG();
77031+#endif
77032+
77033+#ifndef CONFIG_PAX_USERCOPY_DEBUG
77034+ if (const_size)
77035+ return;
77036+#endif
77037+
77038+#ifdef CONFIG_PAX_USERCOPY
77039+ if (!n)
77040+ return;
77041+
77042+ type = check_heap_object(ptr, n);
77043+ if (!type) {
77044+ int ret = check_stack_object(ptr, n);
77045+ if (ret == 1 || ret == 2)
77046+ return;
77047+ if (ret == 0) {
77048+ if (check_kernel_text_object((unsigned long)ptr, (unsigned long)ptr + n))
77049+ type = "<kernel text>";
77050+ else
77051+ return;
77052+ } else
77053+ type = "<process stack>";
77054+ }
77055+
77056+ pax_report_usercopy(ptr, n, to_user, type);
77057+#endif
77058+
77059+}
77060+EXPORT_SYMBOL(__check_object_size);
77061+
77062+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
77063+void __used pax_track_stack(void)
77064+{
77065+ unsigned long sp = (unsigned long)&sp;
77066+ if (sp < current_thread_info()->lowest_stack &&
77067+ sp >= (unsigned long)task_stack_page(current) + 2 * sizeof(unsigned long))
77068+ current_thread_info()->lowest_stack = sp;
77069+ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))
77070+ BUG();
77071+}
77072+EXPORT_SYMBOL(pax_track_stack);
77073+#endif
77074+
77075+#ifdef CONFIG_PAX_SIZE_OVERFLOW
77076+void __nocapture(1, 3, 4) __used report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
77077+{
77078+ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
77079+ dump_stack();
77080+ do_group_exit(SIGKILL);
77081+}
77082+EXPORT_SYMBOL(report_size_overflow);
77083+#endif
77084diff --git a/fs/ext2/balloc.c b/fs/ext2/balloc.c
77085index 9f9992b..8b59411 100644
77086--- a/fs/ext2/balloc.c
77087+++ b/fs/ext2/balloc.c
77088@@ -1184,10 +1184,10 @@ static int ext2_has_free_blocks(struct ext2_sb_info *sbi)
77089
77090 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
77091 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
77092- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
77093+ if (free_blocks < root_blocks + 1 &&
77094 !uid_eq(sbi->s_resuid, current_fsuid()) &&
77095 (gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) ||
77096- !in_group_p (sbi->s_resgid))) {
77097+ !in_group_p (sbi->s_resgid)) && !capable_nolog(CAP_SYS_RESOURCE)) {
77098 return 0;
77099 }
77100 return 1;
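Review bot: The reordered condition in ext2_has_free_blocks carries no comment saying why the capability test moved to the end and became capable_nolog(). From the hunk it looks as if CAP_SYS_RESOURCE is now consulted only after the resuid/resgid tests have failed, and without producing a log record, so that ordinary allocations near the reserve do not generate capability-use noise; that is an inference, since capable_nolog() is defined outside this hunk. I would add `/* test the capability last and without logging: it only matters once the resuid/resgid checks have failed */` above the `if`. The ext3_has_free_blocks and ext4_has_free_clusters hunks further down make the same change and need the same comment; the function body starts above this hunk.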
77101diff --git a/fs/ext2/super.c b/fs/ext2/super.c
77102index 900e19c..f7dc2b8 100644
77103--- a/fs/ext2/super.c
77104+++ b/fs/ext2/super.c
77105@@ -267,10 +267,8 @@ static int ext2_show_options(struct seq_file *seq, struct dentry *root)
77106 #ifdef CONFIG_EXT2_FS_XATTR
77107 if (test_opt(sb, XATTR_USER))
77108 seq_puts(seq, ",user_xattr");
77109- if (!test_opt(sb, XATTR_USER) &&
77110- (def_mount_opts & EXT2_DEFM_XATTR_USER)) {
77111+ if (!test_opt(sb, XATTR_USER))
77112 seq_puts(seq, ",nouser_xattr");
77113- }
77114 #endif
77115
77116 #ifdef CONFIG_EXT2_FS_POSIX_ACL
77117@@ -856,8 +854,8 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
77118 if (def_mount_opts & EXT2_DEFM_UID16)
77119 set_opt(sbi->s_mount_opt, NO_UID32);
77120 #ifdef CONFIG_EXT2_FS_XATTR
77121- if (def_mount_opts & EXT2_DEFM_XATTR_USER)
77122- set_opt(sbi->s_mount_opt, XATTR_USER);
77123+ /* always enable user xattrs */
77124+ set_opt(sbi->s_mount_opt, XATTR_USER);
77125 #endif
77126 #ifdef CONFIG_EXT2_FS_POSIX_ACL
77127 if (def_mount_opts & EXT2_DEFM_ACL)
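Review bot: The new comment `/* always enable user xattrs */` in ext2_fill_super repeats the statement below it and leaves out the consequence: the superblock's EXT2_DEFM_XATTR_USER default is no longer consulted, so a filesystem created without that default now mounts with user xattrs on. The ext2_show_options hunk above still prints `,nouser_xattr`, which suggests an explicit mount option remains the way to turn them off, though the option parser is not in view. I would expand the comment to something like `/* user xattrs are enabled regardless of the on-disk default; only an explicit nouser_xattr mount option disables them */` and state why the patch needs them. The ext3_fill_super hunk has the same comment; the function continues outside this hunk.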
77128diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
77129index 0b6bfd3..93a2964 100644
77130--- a/fs/ext2/xattr.c
77131+++ b/fs/ext2/xattr.c
77132@@ -247,7 +247,7 @@ ext2_xattr_list(struct dentry *dentry, char *buffer, size_t buffer_size)
77133 struct buffer_head *bh = NULL;
77134 struct ext2_xattr_entry *entry;
77135 char *end;
77136- size_t rest = buffer_size;
77137+ size_t rest = buffer_size, total_size = 0;
77138 int error;
77139
77140 ea_idebug(inode, "buffer=%p, buffer_size=%ld",
77141@@ -305,9 +305,10 @@ bad_block: ext2_error(inode->i_sb, "ext2_xattr_list",
77142 buffer += size;
77143 }
77144 rest -= size;
77145+ total_size += size;
77146 }
77147 }
77148- error = buffer_size - rest; /* total size */
77149+ error = total_size;
77150
77151 cleanup:
77152 brelse(bh);
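Review bot: `error = total_size;` in ext2_xattr_list converts a size_t to int implicitly and drops the old `/* total size */` remark, and nothing explains why a second accumulator is kept next to `rest`. `rest -= size` is still executed after the block that advances `buffer`, so presumably it can wrap when no buffer is supplied and the old `buffer_size - rest` only gave the right answer through that wrap-around; this is an inference from the visible lines. If that is the reason, a comment such as `/* rest may wrap when only the size is queried; count the total separately */` at the declaration would record it, and the final assignment could keep `/* total size */`. The ext3_xattr_list_entries and ext4_xattr_list_entries hunks make the same change; the function body starts outside this hunk.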
77153diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
77154index 158b5d4..2432610 100644
77155--- a/fs/ext3/balloc.c
77156+++ b/fs/ext3/balloc.c
77157@@ -1438,10 +1438,10 @@ static int ext3_has_free_blocks(struct ext3_sb_info *sbi, int use_reservation)
77158
77159 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
77160 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
77161- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
77162+ if (free_blocks < root_blocks + 1 &&
77163 !use_reservation && !uid_eq(sbi->s_resuid, current_fsuid()) &&
77164 (gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) ||
77165- !in_group_p (sbi->s_resgid))) {
77166+ !in_group_p (sbi->s_resgid)) && !capable_nolog(CAP_SYS_RESOURCE)) {
77167 return 0;
77168 }
77169 return 1;
77170diff --git a/fs/ext3/super.c b/fs/ext3/super.c
77171index 5ed0044..656e3d2 100644
77172--- a/fs/ext3/super.c
77173+++ b/fs/ext3/super.c
77174@@ -655,10 +655,8 @@ static int ext3_show_options(struct seq_file *seq, struct dentry *root)
77175 #ifdef CONFIG_EXT3_FS_XATTR
77176 if (test_opt(sb, XATTR_USER))
77177 seq_puts(seq, ",user_xattr");
77178- if (!test_opt(sb, XATTR_USER) &&
77179- (def_mount_opts & EXT3_DEFM_XATTR_USER)) {
77180+ if (!test_opt(sb, XATTR_USER))
77181 seq_puts(seq, ",nouser_xattr");
77182- }
77183 #endif
77184 #ifdef CONFIG_EXT3_FS_POSIX_ACL
77185 if (test_opt(sb, POSIX_ACL))
77186@@ -1760,8 +1758,8 @@ static int ext3_fill_super (struct super_block *sb, void *data, int silent)
77187 if (def_mount_opts & EXT3_DEFM_UID16)
77188 set_opt(sbi->s_mount_opt, NO_UID32);
77189 #ifdef CONFIG_EXT3_FS_XATTR
77190- if (def_mount_opts & EXT3_DEFM_XATTR_USER)
77191- set_opt(sbi->s_mount_opt, XATTR_USER);
77192+ /* always enable user xattrs */
77193+ set_opt(sbi->s_mount_opt, XATTR_USER);
77194 #endif
77195 #ifdef CONFIG_EXT3_FS_POSIX_ACL
77196 if (def_mount_opts & EXT3_DEFM_ACL)
77197diff --git a/fs/ext3/xattr.c b/fs/ext3/xattr.c
77198index 7cf3650..e3f4a51 100644
77199--- a/fs/ext3/xattr.c
77200+++ b/fs/ext3/xattr.c
77201@@ -330,7 +330,7 @@ static int
77202 ext3_xattr_list_entries(struct dentry *dentry, struct ext3_xattr_entry *entry,
77203 char *buffer, size_t buffer_size)
77204 {
77205- size_t rest = buffer_size;
77206+ size_t rest = buffer_size, total_size = 0;
77207
77208 for (; !IS_LAST_ENTRY(entry); entry = EXT3_XATTR_NEXT(entry)) {
77209 const struct xattr_handler *handler =
77210@@ -347,9 +347,10 @@ ext3_xattr_list_entries(struct dentry *dentry, struct ext3_xattr_entry *entry,
77211 buffer += size;
77212 }
77213 rest -= size;
77214+ total_size += size;
77215 }
77216 }
77217- return buffer_size - rest;
77218+ return total_size;
77219 }
77220
77221 static int
77222diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
77223index cd6ea29..1cd2a97 100644
77224--- a/fs/ext4/balloc.c
77225+++ b/fs/ext4/balloc.c
77226@@ -556,8 +556,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
77227 /* Hm, nope. Are (enough) root reserved clusters available? */
77228 if (uid_eq(sbi->s_resuid, current_fsuid()) ||
77229 (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) && in_group_p(sbi->s_resgid)) ||
77230- capable(CAP_SYS_RESOURCE) ||
77231- (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
77232+ (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
77233+ capable_nolog(CAP_SYS_RESOURCE)) {
77234
77235 if (free_clusters >= (nclusters + dirty_clusters +
77236 resv_clusters))
77237diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
77238index f5e9f04..91296b9 100644
77239--- a/fs/ext4/ext4.h
77240+++ b/fs/ext4/ext4.h
77241@@ -1305,19 +1305,19 @@ struct ext4_sb_info {
77242 unsigned long s_mb_last_start;
77243
77244 /* stats for buddy allocator */
77245- atomic_t s_bal_reqs; /* number of reqs with len > 1 */
77246- atomic_t s_bal_success; /* we found long enough chunks */
77247- atomic_t s_bal_allocated; /* in blocks */
77248- atomic_t s_bal_ex_scanned; /* total extents scanned */
77249- atomic_t s_bal_goals; /* goal hits */
77250- atomic_t s_bal_breaks; /* too long searches */
77251- atomic_t s_bal_2orders; /* 2^order hits */
77252+ atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
77253+ atomic_unchecked_t s_bal_success; /* we found long enough chunks */
77254+ atomic_unchecked_t s_bal_allocated; /* in blocks */
77255+ atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
77256+ atomic_unchecked_t s_bal_goals; /* goal hits */
77257+ atomic_unchecked_t s_bal_breaks; /* too long searches */
77258+ atomic_unchecked_t s_bal_2orders; /* 2^order hits */
77259 spinlock_t s_bal_lock;
77260 unsigned long s_mb_buddies_generated;
77261 unsigned long long s_mb_generation_time;
77262- atomic_t s_mb_lost_chunks;
77263- atomic_t s_mb_preallocated;
77264- atomic_t s_mb_discarded;
77265+ atomic_unchecked_t s_mb_lost_chunks;
77266+ atomic_unchecked_t s_mb_preallocated;
77267+ atomic_unchecked_t s_mb_discarded;
77268 atomic_t s_lock_busy;
77269
77270 /* locality groups */
77271diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
77272index 34b610e..ecc47cb 100644
77273--- a/fs/ext4/mballoc.c
77274+++ b/fs/ext4/mballoc.c
77275@@ -1905,7 +1905,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
77276 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
77277
77278 if (EXT4_SB(sb)->s_mb_stats)
77279- atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
77280+ atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
77281
77282 break;
77283 }
77284@@ -2228,7 +2228,7 @@ repeat:
77285 ac->ac_status = AC_STATUS_CONTINUE;
77286 ac->ac_flags |= EXT4_MB_HINT_FIRST;
77287 cr = 3;
77288- atomic_inc(&sbi->s_mb_lost_chunks);
77289+ atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
77290 goto repeat;
77291 }
77292 }
77293@@ -2732,25 +2732,25 @@ int ext4_mb_release(struct super_block *sb)
77294 if (sbi->s_mb_stats) {
77295 ext4_msg(sb, KERN_INFO,
77296 "mballoc: %u blocks %u reqs (%u success)",
77297- atomic_read(&sbi->s_bal_allocated),
77298- atomic_read(&sbi->s_bal_reqs),
77299- atomic_read(&sbi->s_bal_success));
77300+ atomic_read_unchecked(&sbi->s_bal_allocated),
77301+ atomic_read_unchecked(&sbi->s_bal_reqs),
77302+ atomic_read_unchecked(&sbi->s_bal_success));
77303 ext4_msg(sb, KERN_INFO,
77304 "mballoc: %u extents scanned, %u goal hits, "
77305 "%u 2^N hits, %u breaks, %u lost",
77306- atomic_read(&sbi->s_bal_ex_scanned),
77307- atomic_read(&sbi->s_bal_goals),
77308- atomic_read(&sbi->s_bal_2orders),
77309- atomic_read(&sbi->s_bal_breaks),
77310- atomic_read(&sbi->s_mb_lost_chunks));
77311+ atomic_read_unchecked(&sbi->s_bal_ex_scanned),
77312+ atomic_read_unchecked(&sbi->s_bal_goals),
77313+ atomic_read_unchecked(&sbi->s_bal_2orders),
77314+ atomic_read_unchecked(&sbi->s_bal_breaks),
77315+ atomic_read_unchecked(&sbi->s_mb_lost_chunks));
77316 ext4_msg(sb, KERN_INFO,
77317 "mballoc: %lu generated and it took %Lu",
77318 sbi->s_mb_buddies_generated,
77319 sbi->s_mb_generation_time);
77320 ext4_msg(sb, KERN_INFO,
77321 "mballoc: %u preallocated, %u discarded",
77322- atomic_read(&sbi->s_mb_preallocated),
77323- atomic_read(&sbi->s_mb_discarded));
77324+ atomic_read_unchecked(&sbi->s_mb_preallocated),
77325+ atomic_read_unchecked(&sbi->s_mb_discarded));
77326 }
77327
77328 free_percpu(sbi->s_locality_groups);
77329@@ -3206,16 +3206,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac)
77330 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
77331
77332 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
77333- atomic_inc(&sbi->s_bal_reqs);
77334- atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
77335+ atomic_inc_unchecked(&sbi->s_bal_reqs);
77336+ atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
77337 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
77338- atomic_inc(&sbi->s_bal_success);
77339- atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
77340+ atomic_inc_unchecked(&sbi->s_bal_success);
77341+ atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
77342 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
77343 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
77344- atomic_inc(&sbi->s_bal_goals);
77345+ atomic_inc_unchecked(&sbi->s_bal_goals);
77346 if (ac->ac_found > sbi->s_mb_max_to_scan)
77347- atomic_inc(&sbi->s_bal_breaks);
77348+ atomic_inc_unchecked(&sbi->s_bal_breaks);
77349 }
77350
77351 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
77352@@ -3642,7 +3642,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
77353 trace_ext4_mb_new_inode_pa(ac, pa);
77354
77355 ext4_mb_use_inode_pa(ac, pa);
77356- atomic_add(pa->pa_free, &sbi->s_mb_preallocated);
77357+ atomic_add_unchecked(pa->pa_free, &sbi->s_mb_preallocated);
77358
77359 ei = EXT4_I(ac->ac_inode);
77360 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
77361@@ -3702,7 +3702,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
77362 trace_ext4_mb_new_group_pa(ac, pa);
77363
77364 ext4_mb_use_group_pa(ac, pa);
77365- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
77366+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
77367
77368 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
77369 lg = ac->ac_lg;
77370@@ -3791,7 +3791,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh,
77371 * from the bitmap and continue.
77372 */
77373 }
77374- atomic_add(free, &sbi->s_mb_discarded);
77375+ atomic_add_unchecked(free, &sbi->s_mb_discarded);
77376
77377 return err;
77378 }
77379@@ -3809,7 +3809,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b,
77380 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
77381 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
77382 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
77383- atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
77384+ atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
77385 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
77386
77387 return 0;
77388diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
77389index 8313ca3..8a37d08 100644
77390--- a/fs/ext4/mmp.c
77391+++ b/fs/ext4/mmp.c
77392@@ -111,7 +111,7 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
77393 void __dump_mmp_msg(struct super_block *sb, struct mmp_struct *mmp,
77394 const char *function, unsigned int line, const char *msg)
77395 {
77396- __ext4_warning(sb, function, line, msg);
77397+ __ext4_warning(sb, function, line, "%s", msg);
77398 __ext4_warning(sb, function, line,
77399 "MMP failure info: last update time: %llu, last update "
77400 "node: %s, last update device: %s\n",
77401diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
77402index cf0c472..ddf284d 100644
77403--- a/fs/ext4/resize.c
77404+++ b/fs/ext4/resize.c
77405@@ -413,7 +413,7 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
77406
77407 ext4_debug("mark blocks [%llu/%u] used\n", block, count);
77408 for (count2 = count; count > 0; count -= count2, block += count2) {
77409- ext4_fsblk_t start;
77410+ ext4_fsblk_t start, diff;
77411 struct buffer_head *bh;
77412 ext4_group_t group;
77413 int err;
77414@@ -422,10 +422,6 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
77415 start = ext4_group_first_block_no(sb, group);
77416 group -= flex_gd->groups[0].group;
77417
77418- count2 = EXT4_BLOCKS_PER_GROUP(sb) - (block - start);
77419- if (count2 > count)
77420- count2 = count;
77421-
77422 if (flex_gd->bg_flags[group] & EXT4_BG_BLOCK_UNINIT) {
77423 BUG_ON(flex_gd->count > 1);
77424 continue;
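Review bot: On the `continue` taken for EXT4_BG_BLOCK_UNINIT, the loop step `count -= count2, block += count2` now runs with whatever count2 held before this iteration, because the clamp was moved below the `continue` (it is re-added in the next hunk, after ext4_journal_get_write_access). On the first pass that value is the initializer `count2 = count`, so the loop would end there; the `BUG_ON(flex_gd->count > 1)` suggests only a single group is expected on this path, in which case the result may be the same, but that cannot be confirmed from the hunk. Either keep `count2 = EXT4_BLOCKS_PER_GROUP(sb) - (block - start);` and its `if (count2 > count) count2 = count;` clamp above the flag test, or add a comment at the `continue` stating that advancing by the previous count2 is intended. The loop body continues outside this hunk.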
77425@@ -443,9 +439,15 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
77426 err = ext4_journal_get_write_access(handle, bh);
77427 if (err)
77428 return err;
77429+
77430+ diff = block - start;
77431+ count2 = EXT4_BLOCKS_PER_GROUP(sb) - diff;
77432+ if (count2 > count)
77433+ count2 = count;
77434+
77435 ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block,
77436- block - start, count2);
77437- ext4_set_bits(bh->b_data, block - start, count2);
77438+ diff, count2);
77439+ ext4_set_bits(bh->b_data, diff, count2);
77440
77441 err = ext4_handle_dirty_metadata(handle, NULL, bh);
77442 if (unlikely(err))
77443diff --git a/fs/ext4/super.c b/fs/ext4/super.c
77444index a5e8c74..a7711a8 100644
77445--- a/fs/ext4/super.c
77446+++ b/fs/ext4/super.c
77447@@ -1274,7 +1274,7 @@ static ext4_fsblk_t get_sb_block(void **data)
77448 }
77449
77450 #define DEFAULT_JOURNAL_IOPRIO (IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 3))
77451-static char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
77452+static const char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
77453 "Contact linux-ext4@vger.kernel.org if you think we should keep it.\n";
77454
77455 #ifdef CONFIG_QUOTA
77456@@ -2484,7 +2484,7 @@ struct ext4_attr {
77457 int offset;
77458 int deprecated_val;
77459 } u;
77460-};
77461+} __do_const;
77462
77463 static int parse_strtoull(const char *buf,
77464 unsigned long long max, unsigned long long *value)
77465diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
77466index 16e28c0..728c282 100644
77467--- a/fs/ext4/xattr.c
77468+++ b/fs/ext4/xattr.c
77469@@ -398,7 +398,7 @@ static int
77470 ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
77471 char *buffer, size_t buffer_size)
77472 {
77473- size_t rest = buffer_size;
77474+ size_t rest = buffer_size, total_size = 0;
77475
77476 for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
77477 const struct xattr_handler *handler =
77478@@ -415,9 +415,10 @@ ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
77479 buffer += size;
77480 }
77481 rest -= size;
77482+ total_size += size;
77483 }
77484 }
77485- return buffer_size - rest;
77486+ return total_size;
77487 }
77488
77489 static int
77490diff --git a/fs/fcntl.c b/fs/fcntl.c
77491index ee85cd4..9dd0d20 100644
77492--- a/fs/fcntl.c
77493+++ b/fs/fcntl.c
77494@@ -102,6 +102,10 @@ void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
77495 int force)
77496 {
77497 security_file_set_fowner(filp);
77498+ if (gr_handle_chroot_fowner(pid, type))
77499+ return;
77500+ if (gr_check_protected_task_fowner(pid, type))
77501+ return;
77502 f_modown(filp, pid, type, force);
77503 }
77504 EXPORT_SYMBOL(__f_setown);
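Review bot: In __f_setown the two grsecurity checks run after security_file_set_fowner(filp), so when either one denies the change the LSM hook has already been called for an owner update that then never happens; what state that hook records is not visible here. Because the function returns void, the denial is also silent to the caller, which proceeds as if the owner had been set. I would move both checks above the hook and add a comment such as `/* denied silently: the caller sees success but the owner is left unchanged */`.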
77505diff --git a/fs/fhandle.c b/fs/fhandle.c
77506index d59712d..2281df9 100644
77507--- a/fs/fhandle.c
77508+++ b/fs/fhandle.c
77509@@ -8,6 +8,7 @@
77510 #include <linux/fs_struct.h>
77511 #include <linux/fsnotify.h>
77512 #include <linux/personality.h>
77513+#include <linux/grsecurity.h>
77514 #include <asm/uaccess.h>
77515 #include "internal.h"
77516 #include "mount.h"
77517@@ -67,8 +68,7 @@ static long do_sys_name_to_handle(struct path *path,
77518 } else
77519 retval = 0;
77520 /* copy the mount id */
77521- if (copy_to_user(mnt_id, &real_mount(path->mnt)->mnt_id,
77522- sizeof(*mnt_id)) ||
77523+ if (put_user(real_mount(path->mnt)->mnt_id, mnt_id) ||
77524 copy_to_user(ufh, handle,
77525 sizeof(struct file_handle) + handle_bytes))
77526 retval = -EFAULT;
77527@@ -175,7 +175,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
77528 * the directory. Ideally we would like CAP_DAC_SEARCH.
77529 * But we don't have that
77530 */
77531- if (!capable(CAP_DAC_READ_SEARCH)) {
77532+ if (!capable(CAP_DAC_READ_SEARCH) || !gr_chroot_fhandle()) {
77533 retval = -EPERM;
77534 goto out_err;
77535 }
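Review bot: `!gr_chroot_fhandle()` denies when the helper returns zero, whereas the gr_handle_chroot_fowner and gr_check_protected_task_fowner calls added in fs/fcntl.c by this patch deny when they return non-zero, and nothing at this call site says which convention applies. A one-line comment would guard against an inverted test in later edits: `/* gr_chroot_fhandle() returns non-zero when the lookup is allowed */`. The existing comment above the test still speaks only of the capability, so it could also mention the added restriction (presumably for chrooted tasks, going by the name). handle_to_path continues outside this hunk.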
77536diff --git a/fs/file.c b/fs/file.c
77537index 6c672ad..bf787b0 100644
77538--- a/fs/file.c
77539+++ b/fs/file.c
77540@@ -16,6 +16,7 @@
77541 #include <linux/slab.h>
77542 #include <linux/vmalloc.h>
77543 #include <linux/file.h>
77544+#include <linux/security.h>
77545 #include <linux/fdtable.h>
77546 #include <linux/bitops.h>
77547 #include <linux/interrupt.h>
77548@@ -139,7 +140,7 @@ out:
77549 * Return <0 error code on error; 1 on successful completion.
77550 * The files->file_lock should be held on entry, and will be held on exit.
77551 */
77552-static int expand_fdtable(struct files_struct *files, int nr)
77553+static int expand_fdtable(struct files_struct *files, unsigned int nr)
77554 __releases(files->file_lock)
77555 __acquires(files->file_lock)
77556 {
77557@@ -184,7 +185,7 @@ static int expand_fdtable(struct files_struct *files, int nr)
77558 * expanded and execution may have blocked.
77559 * The files->file_lock should be held on entry, and will be held on exit.
77560 */
77561-static int expand_files(struct files_struct *files, int nr)
77562+static int expand_files(struct files_struct *files, unsigned int nr)
77563 __releases(files->file_lock)
77564 __acquires(files->file_lock)
77565 {
77566@@ -834,6 +835,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
77567 if (!file)
77568 return __close_fd(files, fd);
77569
77570+ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
77571 if (fd >= rlimit(RLIMIT_NOFILE))
77572 return -EBADF;
77573
77574@@ -860,6 +862,7 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags)
77575 if (unlikely(oldfd == newfd))
77576 return -EINVAL;
77577
77578+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
77579 if (newfd >= rlimit(RLIMIT_NOFILE))
77580 return -EBADF;
77581
77582@@ -915,6 +918,7 @@ SYSCALL_DEFINE1(dup, unsigned int, fildes)
77583 int f_dupfd(unsigned int from, struct file *file, unsigned flags)
77584 {
77585 int err;
77586+ gr_learn_resource(current, RLIMIT_NOFILE, from, 0);
77587 if (from >= rlimit(RLIMIT_NOFILE))
77588 return -EINVAL;
77589 err = alloc_fd(from, flags);
77590diff --git a/fs/filesystems.c b/fs/filesystems.c
77591index 5797d45..7d7d79a 100644
77592--- a/fs/filesystems.c
77593+++ b/fs/filesystems.c
77594@@ -275,7 +275,11 @@ struct file_system_type *get_fs_type(const char *name)
77595 int len = dot ? dot - name : strlen(name);
77596
77597 fs = __get_fs_type(name, len);
77598+#ifdef CONFIG_GRKERNSEC_MODHARDEN
77599+ if (!fs && (___request_module(true, "grsec_modharden_fs", "fs-%.*s", len, name) == 0))
77600+#else
77601 if (!fs && (request_module("fs-%.*s", len, name) == 0))
77602+#endif
77603 fs = __get_fs_type(name, len);
77604
77605 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
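Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` splits the `if` header in get_fs_type so that two alternative conditions share the single body line `fs = __get_fs_type(name, len);`, which is easy to break when either branch is edited. I would hoist the choice into a small static helper or macro so the call site reads `if (!fs && fs_request_module(name, len) == 0)` (the helper name is only a suggestion). The helper should carry a comment stating what the `true` and `"grsec_modharden_fs"` arguments of ___request_module mean, since its definition is outside this hunk.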
77606diff --git a/fs/fs_struct.c b/fs/fs_struct.c
77607index 7dca743..1ff87ae 100644
77608--- a/fs/fs_struct.c
77609+++ b/fs/fs_struct.c
77610@@ -4,6 +4,7 @@
77611 #include <linux/path.h>
77612 #include <linux/slab.h>
77613 #include <linux/fs_struct.h>
77614+#include <linux/grsecurity.h>
77615 #include "internal.h"
77616
77617 /*
77618@@ -15,14 +16,18 @@ void set_fs_root(struct fs_struct *fs, const struct path *path)
77619 struct path old_root;
77620
77621 path_get(path);
77622+ gr_inc_chroot_refcnts(path->dentry, path->mnt);
77623 spin_lock(&fs->lock);
77624 write_seqcount_begin(&fs->seq);
77625 old_root = fs->root;
77626 fs->root = *path;
77627+ gr_set_chroot_entries(current, path);
77628 write_seqcount_end(&fs->seq);
77629 spin_unlock(&fs->lock);
77630- if (old_root.dentry)
77631+ if (old_root.dentry) {
77632+ gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);
77633 path_put(&old_root);
77634+ }
77635 }
77636
77637 /*
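Review bot: gr_set_chroot_entries(current, path) in set_fs_root is called with fs->lock held and inside the seqcount write section, and it tags `current` rather than whichever tasks share `fs`. Neither constraint is stated: the helper must not sleep here, and if `fs` can be shared between tasks only the caller's chroot state is updated at this point. Its definition is outside the hunk, so both are worth confirming, and a comment like `/* called under fs->lock: must not sleep; updates current only */` would record the contract. The gr_inc_chroot_refcnts and gr_dec_chroot_refcnts calls sit outside the lock, which looks deliberate.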
77638@@ -67,6 +72,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
77639 int hits = 0;
77640 spin_lock(&fs->lock);
77641 write_seqcount_begin(&fs->seq);
77642+ /* this root replacement is only done by pivot_root,
77643+ leave grsec's chroot tagging alone for this task
77644+ so that a pivoted root isn't treated as a chroot
77645+ */
77646 hits += replace_path(&fs->root, old_root, new_root);
77647 hits += replace_path(&fs->pwd, old_root, new_root);
77648 write_seqcount_end(&fs->seq);
77649@@ -85,6 +94,7 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
77650
77651 void free_fs_struct(struct fs_struct *fs)
77652 {
77653+ gr_dec_chroot_refcnts(fs->root.dentry, fs->root.mnt);
77654 path_put(&fs->root);
77655 path_put(&fs->pwd);
77656 kmem_cache_free(fs_cachep, fs);
77657@@ -99,7 +109,8 @@ void exit_fs(struct task_struct *tsk)
77658 task_lock(tsk);
77659 spin_lock(&fs->lock);
77660 tsk->fs = NULL;
77661- kill = !--fs->users;
77662+ gr_clear_chroot_entries(tsk);
77663+ kill = !atomic_dec_return(&fs->users);
77664 spin_unlock(&fs->lock);
77665 task_unlock(tsk);
77666 if (kill)
77667@@ -112,7 +123,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
77668 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
77669 /* We don't need to lock fs - think why ;-) */
77670 if (fs) {
77671- fs->users = 1;
77672+ atomic_set(&fs->users, 1);
77673 fs->in_exec = 0;
77674 spin_lock_init(&fs->lock);
77675 seqcount_init(&fs->seq);
77676@@ -121,9 +132,13 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
77677 spin_lock(&old->lock);
77678 fs->root = old->root;
77679 path_get(&fs->root);
77680+ /* instead of calling gr_set_chroot_entries here,
77681+ we call it from every caller of this function
77682+ */
77683 fs->pwd = old->pwd;
77684 path_get(&fs->pwd);
77685 spin_unlock(&old->lock);
77686+ gr_inc_chroot_refcnts(fs->root.dentry, fs->root.mnt);
77687 }
77688 return fs;
77689 }
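Review bot: The comment added in copy_fs_struct makes every caller responsible for calling gr_set_chroot_entries, but that contract lives only in the middle of the body, where someone adding a new caller is unlikely to see it. In this file unshare_fs_struct appears to do so in the next hunk; any other callers are outside this view. I would move the requirement into a header comment on the function, e.g. `/* callers must invoke gr_set_chroot_entries() on the task that receives the returned fs */`. The function starts above this hunk.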
77690@@ -139,8 +154,9 @@ int unshare_fs_struct(void)
77691
77692 task_lock(current);
77693 spin_lock(&fs->lock);
77694- kill = !--fs->users;
77695+ kill = !atomic_dec_return(&fs->users);
77696 current->fs = new_fs;
77697+ gr_set_chroot_entries(current, &new_fs->root);
77698 spin_unlock(&fs->lock);
77699 task_unlock(current);
77700
77701@@ -153,13 +169,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
77702
77703 int current_umask(void)
77704 {
77705- return current->fs->umask;
77706+ return current->fs->umask | gr_acl_umask();
77707 }
77708 EXPORT_SYMBOL(current_umask);
77709
77710 /* to be mentioned only in INIT_TASK */
77711 struct fs_struct init_fs = {
77712- .users = 1,
77713+ .users = ATOMIC_INIT(1),
77714 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
77715 .seq = SEQCNT_ZERO(init_fs.seq),
77716 .umask = 0022,
77717diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
77718index d403c69..30be0a9 100644
77719--- a/fs/fscache/cookie.c
77720+++ b/fs/fscache/cookie.c
77721@@ -19,7 +19,7 @@
77722
77723 struct kmem_cache *fscache_cookie_jar;
77724
77725-static atomic_t fscache_object_debug_id = ATOMIC_INIT(0);
77726+static atomic_unchecked_t fscache_object_debug_id = ATOMIC_INIT(0);
77727
77728 static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie);
77729 static int fscache_alloc_object(struct fscache_cache *cache,
77730@@ -69,11 +69,11 @@ struct fscache_cookie *__fscache_acquire_cookie(
77731 parent ? (char *) parent->def->name : "<no-parent>",
77732 def->name, netfs_data, enable);
77733
77734- fscache_stat(&fscache_n_acquires);
77735+ fscache_stat_unchecked(&fscache_n_acquires);
77736
77737 /* if there's no parent cookie, then we don't create one here either */
77738 if (!parent) {
77739- fscache_stat(&fscache_n_acquires_null);
77740+ fscache_stat_unchecked(&fscache_n_acquires_null);
77741 _leave(" [no parent]");
77742 return NULL;
77743 }
77744@@ -88,7 +88,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
77745 /* allocate and initialise a cookie */
77746 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
77747 if (!cookie) {
77748- fscache_stat(&fscache_n_acquires_oom);
77749+ fscache_stat_unchecked(&fscache_n_acquires_oom);
77750 _leave(" [ENOMEM]");
77751 return NULL;
77752 }
77753@@ -115,13 +115,13 @@ struct fscache_cookie *__fscache_acquire_cookie(
77754
77755 switch (cookie->def->type) {
77756 case FSCACHE_COOKIE_TYPE_INDEX:
77757- fscache_stat(&fscache_n_cookie_index);
77758+ fscache_stat_unchecked(&fscache_n_cookie_index);
77759 break;
77760 case FSCACHE_COOKIE_TYPE_DATAFILE:
77761- fscache_stat(&fscache_n_cookie_data);
77762+ fscache_stat_unchecked(&fscache_n_cookie_data);
77763 break;
77764 default:
77765- fscache_stat(&fscache_n_cookie_special);
77766+ fscache_stat_unchecked(&fscache_n_cookie_special);
77767 break;
77768 }
77769
77770@@ -135,7 +135,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
77771 } else {
77772 atomic_dec(&parent->n_children);
77773 __fscache_cookie_put(cookie);
77774- fscache_stat(&fscache_n_acquires_nobufs);
77775+ fscache_stat_unchecked(&fscache_n_acquires_nobufs);
77776 _leave(" = NULL");
77777 return NULL;
77778 }
77779@@ -144,7 +144,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
77780 }
77781 }
77782
77783- fscache_stat(&fscache_n_acquires_ok);
77784+ fscache_stat_unchecked(&fscache_n_acquires_ok);
77785 _leave(" = %p", cookie);
77786 return cookie;
77787 }
77788@@ -213,7 +213,7 @@ static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie)
77789 cache = fscache_select_cache_for_object(cookie->parent);
77790 if (!cache) {
77791 up_read(&fscache_addremove_sem);
77792- fscache_stat(&fscache_n_acquires_no_cache);
77793+ fscache_stat_unchecked(&fscache_n_acquires_no_cache);
77794 _leave(" = -ENOMEDIUM [no cache]");
77795 return -ENOMEDIUM;
77796 }
77797@@ -297,14 +297,14 @@ static int fscache_alloc_object(struct fscache_cache *cache,
77798 object = cache->ops->alloc_object(cache, cookie);
77799 fscache_stat_d(&fscache_n_cop_alloc_object);
77800 if (IS_ERR(object)) {
77801- fscache_stat(&fscache_n_object_no_alloc);
77802+ fscache_stat_unchecked(&fscache_n_object_no_alloc);
77803 ret = PTR_ERR(object);
77804 goto error;
77805 }
77806
77807- fscache_stat(&fscache_n_object_alloc);
77808+ fscache_stat_unchecked(&fscache_n_object_alloc);
77809
77810- object->debug_id = atomic_inc_return(&fscache_object_debug_id);
77811+ object->debug_id = atomic_inc_return_unchecked(&fscache_object_debug_id);
77812
77813 _debug("ALLOC OBJ%x: %s {%lx}",
77814 object->debug_id, cookie->def->name, object->events);
77815@@ -419,7 +419,7 @@ void __fscache_invalidate(struct fscache_cookie *cookie)
77816
77817 _enter("{%s}", cookie->def->name);
77818
77819- fscache_stat(&fscache_n_invalidates);
77820+ fscache_stat_unchecked(&fscache_n_invalidates);
77821
77822 /* Only permit invalidation of data files. Invalidating an index will
77823 * require the caller to release all its attachments to the tree rooted
77824@@ -477,10 +477,10 @@ void __fscache_update_cookie(struct fscache_cookie *cookie)
77825 {
77826 struct fscache_object *object;
77827
77828- fscache_stat(&fscache_n_updates);
77829+ fscache_stat_unchecked(&fscache_n_updates);
77830
77831 if (!cookie) {
77832- fscache_stat(&fscache_n_updates_null);
77833+ fscache_stat_unchecked(&fscache_n_updates_null);
77834 _leave(" [no cookie]");
77835 return;
77836 }
77837@@ -581,12 +581,12 @@ EXPORT_SYMBOL(__fscache_disable_cookie);
77838 */
77839 void __fscache_relinquish_cookie(struct fscache_cookie *cookie, bool retire)
77840 {
77841- fscache_stat(&fscache_n_relinquishes);
77842+ fscache_stat_unchecked(&fscache_n_relinquishes);
77843 if (retire)
77844- fscache_stat(&fscache_n_relinquishes_retire);
77845+ fscache_stat_unchecked(&fscache_n_relinquishes_retire);
77846
77847 if (!cookie) {
77848- fscache_stat(&fscache_n_relinquishes_null);
77849+ fscache_stat_unchecked(&fscache_n_relinquishes_null);
77850 _leave(" [no cookie]");
77851 return;
77852 }
77853@@ -687,7 +687,7 @@ int __fscache_check_consistency(struct fscache_cookie *cookie)
77854 if (test_bit(FSCACHE_IOERROR, &object->cache->flags))
77855 goto inconsistent;
77856
77857- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
77858+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
77859
77860 __fscache_use_cookie(cookie);
77861 if (fscache_submit_op(object, op) < 0)
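--- a/fs/fscache/internal.h
+++ b/fs/fscache/internal.h
@@ -136,8 +136,8 @@ extern void fscache_operation_gc(struct work_struct *);
 extern int fscache_wait_for_deferred_lookup(struct fscache_cookie *);
 extern int fscache_wait_for_operation_activation(struct fscache_object *,
 struct fscache_operation *,
- atomic_t *,
- atomic_t *);
+ atomic_unchecked_t *,
+ atomic_unchecked_t *);
 extern void fscache_invalidate_writes(struct fscache_cookie *);
 
 /*
@@ -155,102 +155,102 @@ extern void fscache_proc_cleanup(void);
 * stats.c
 */
 #ifdef CONFIG_FSCACHE_STATS
-extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
-extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
+extern atomic_unchecked_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
+extern atomic_unchecked_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
 
-extern atomic_t fscache_n_op_pend;
-extern atomic_t fscache_n_op_run;
-extern atomic_t fscache_n_op_enqueue;
-extern atomic_t fscache_n_op_deferred_release;
-extern atomic_t fscache_n_op_initialised;
-extern atomic_t fscache_n_op_release;
-extern atomic_t fscache_n_op_gc;
-extern atomic_t fscache_n_op_cancelled;
-extern atomic_t fscache_n_op_rejected;
+extern atomic_unchecked_t fscache_n_op_pend;
+extern atomic_unchecked_t fscache_n_op_run;
+extern atomic_unchecked_t fscache_n_op_enqueue;
+extern atomic_unchecked_t fscache_n_op_deferred_release;
+extern atomic_unchecked_t fscache_n_op_initialised;
+extern atomic_unchecked_t fscache_n_op_release;
+extern atomic_unchecked_t fscache_n_op_gc;
+extern atomic_unchecked_t fscache_n_op_cancelled;
+extern atomic_unchecked_t fscache_n_op_rejected;
 
-extern atomic_t fscache_n_attr_changed;
-extern atomic_t fscache_n_attr_changed_ok;
-extern atomic_t fscache_n_attr_changed_nobufs;
-extern atomic_t fscache_n_attr_changed_nomem;
-extern atomic_t fscache_n_attr_changed_calls;
+extern atomic_unchecked_t fscache_n_attr_changed;
+extern atomic_unchecked_t fscache_n_attr_changed_ok;
+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
+extern atomic_unchecked_t fscache_n_attr_changed_calls;
 
-extern atomic_t fscache_n_allocs;
-extern atomic_t fscache_n_allocs_ok;
-extern atomic_t fscache_n_allocs_wait;
-extern atomic_t fscache_n_allocs_nobufs;
-extern atomic_t fscache_n_allocs_intr;
-extern atomic_t fscache_n_allocs_object_dead;
-extern atomic_t fscache_n_alloc_ops;
-extern atomic_t fscache_n_alloc_op_waits;
+extern atomic_unchecked_t fscache_n_allocs;
+extern atomic_unchecked_t fscache_n_allocs_ok;
+extern atomic_unchecked_t fscache_n_allocs_wait;
+extern atomic_unchecked_t fscache_n_allocs_nobufs;
+extern atomic_unchecked_t fscache_n_allocs_intr;
+extern atomic_unchecked_t fscache_n_allocs_object_dead;
+extern atomic_unchecked_t fscache_n_alloc_ops;
+extern atomic_unchecked_t fscache_n_alloc_op_waits;
 
-extern atomic_t fscache_n_retrievals;
-extern atomic_t fscache_n_retrievals_ok;
-extern atomic_t fscache_n_retrievals_wait;
-extern atomic_t fscache_n_retrievals_nodata;
-extern atomic_t fscache_n_retrievals_nobufs;
-extern atomic_t fscache_n_retrievals_intr;
-extern atomic_t fscache_n_retrievals_nomem;
-extern atomic_t fscache_n_retrievals_object_dead;
-extern atomic_t fscache_n_retrieval_ops;
-extern atomic_t fscache_n_retrieval_op_waits;
+extern atomic_unchecked_t fscache_n_retrievals;
+extern atomic_unchecked_t fscache_n_retrievals_ok;
+extern atomic_unchecked_t fscache_n_retrievals_wait;
+extern atomic_unchecked_t fscache_n_retrievals_nodata;
+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
+extern atomic_unchecked_t fscache_n_retrievals_intr;
+extern atomic_unchecked_t fscache_n_retrievals_nomem;
+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
+extern atomic_unchecked_t fscache_n_retrieval_ops;
+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
 
-extern atomic_t fscache_n_stores;
-extern atomic_t fscache_n_stores_ok;
-extern atomic_t fscache_n_stores_again;
-extern atomic_t fscache_n_stores_nobufs;
-extern atomic_t fscache_n_stores_oom;
-extern atomic_t fscache_n_store_ops;
-extern atomic_t fscache_n_store_calls;
-extern atomic_t fscache_n_store_pages;
-extern atomic_t fscache_n_store_radix_deletes;
-extern atomic_t fscache_n_store_pages_over_limit;
+extern atomic_unchecked_t fscache_n_stores;
+extern atomic_unchecked_t fscache_n_stores_ok;
+extern atomic_unchecked_t fscache_n_stores_again;
+extern atomic_unchecked_t fscache_n_stores_nobufs;
+extern atomic_unchecked_t fscache_n_stores_oom;
+extern atomic_unchecked_t fscache_n_store_ops;
+extern atomic_unchecked_t fscache_n_store_calls;
+extern atomic_unchecked_t fscache_n_store_pages;
+extern atomic_unchecked_t fscache_n_store_radix_deletes;
+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
 
-extern atomic_t fscache_n_store_vmscan_not_storing;
-extern atomic_t fscache_n_store_vmscan_gone;
-extern atomic_t fscache_n_store_vmscan_busy;
-extern atomic_t fscache_n_store_vmscan_cancelled;
-extern atomic_t fscache_n_store_vmscan_wait;
+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
+extern atomic_unchecked_t fscache_n_store_vmscan_wait;
 
-extern atomic_t fscache_n_marks;
-extern atomic_t fscache_n_uncaches;
+extern atomic_unchecked_t fscache_n_marks;
+extern atomic_unchecked_t fscache_n_uncaches;
 
-extern atomic_t fscache_n_acquires;
-extern atomic_t fscache_n_acquires_null;
-extern atomic_t fscache_n_acquires_no_cache;
-extern atomic_t fscache_n_acquires_ok;
-extern atomic_t fscache_n_acquires_nobufs;
-extern atomic_t fscache_n_acquires_oom;
+extern atomic_unchecked_t fscache_n_acquires;
+extern atomic_unchecked_t fscache_n_acquires_null;
+extern atomic_unchecked_t fscache_n_acquires_no_cache;
+extern atomic_unchecked_t fscache_n_acquires_ok;
+extern atomic_unchecked_t fscache_n_acquires_nobufs;
+extern atomic_unchecked_t fscache_n_acquires_oom;
 
-extern atomic_t fscache_n_invalidates;
-extern atomic_t fscache_n_invalidates_run;
+extern atomic_unchecked_t fscache_n_invalidates;
+extern atomic_unchecked_t fscache_n_invalidates_run;
 
-extern atomic_t fscache_n_updates;
-extern atomic_t fscache_n_updates_null;
-extern atomic_t fscache_n_updates_run;
+extern atomic_unchecked_t fscache_n_updates;
+extern atomic_unchecked_t fscache_n_updates_null;
+extern atomic_unchecked_t fscache_n_updates_run;
 
-extern atomic_t fscache_n_relinquishes;
-extern atomic_t fscache_n_relinquishes_null;
-extern atomic_t fscache_n_relinquishes_waitcrt;
-extern atomic_t fscache_n_relinquishes_retire;
+extern atomic_unchecked_t fscache_n_relinquishes;
+extern atomic_unchecked_t fscache_n_relinquishes_null;
+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
+extern atomic_unchecked_t fscache_n_relinquishes_retire;
 
-extern atomic_t fscache_n_cookie_index;
-extern atomic_t fscache_n_cookie_data;
-extern atomic_t fscache_n_cookie_special;
+extern atomic_unchecked_t fscache_n_cookie_index;
+extern atomic_unchecked_t fscache_n_cookie_data;
+extern atomic_unchecked_t fscache_n_cookie_special;
 
-extern atomic_t fscache_n_object_alloc;
-extern atomic_t fscache_n_object_no_alloc;
-extern atomic_t fscache_n_object_lookups;
-extern atomic_t fscache_n_object_lookups_negative;
-extern atomic_t fscache_n_object_lookups_positive;
-extern atomic_t fscache_n_object_lookups_timed_out;
-extern atomic_t fscache_n_object_created;
-extern atomic_t fscache_n_object_avail;
-extern atomic_t fscache_n_object_dead;
+extern atomic_unchecked_t fscache_n_object_alloc;
+extern atomic_unchecked_t fscache_n_object_no_alloc;
+extern atomic_unchecked_t fscache_n_object_lookups;
+extern atomic_unchecked_t fscache_n_object_lookups_negative;
+extern atomic_unchecked_t fscache_n_object_lookups_positive;
+extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
+extern atomic_unchecked_t fscache_n_object_created;
+extern atomic_unchecked_t fscache_n_object_avail;
+extern atomic_unchecked_t fscache_n_object_dead;
 
-extern atomic_t fscache_n_checkaux_none;
-extern atomic_t fscache_n_checkaux_okay;
-extern atomic_t fscache_n_checkaux_update;
-extern atomic_t fscache_n_checkaux_obsolete;
+extern atomic_unchecked_t fscache_n_checkaux_none;
+extern atomic_unchecked_t fscache_n_checkaux_okay;
+extern atomic_unchecked_t fscache_n_checkaux_update;
+extern atomic_unchecked_t fscache_n_checkaux_obsolete;
 
 extern atomic_t fscache_n_cop_alloc_object;
 extern atomic_t fscache_n_cop_lookup_object;
@@ -280,6 +280,11 @@ static inline void fscache_stat(atomic_t *stat)
 atomic_inc(stat);
 }
 
+static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
+{
+ atomic_inc_unchecked(stat);
+}
+
 static inline void fscache_stat_d(atomic_t *stat)
 {
 atomic_dec(stat);
@@ -292,6 +297,7 @@ extern const struct file_operations fscache_stats_fops;
 
 #define __fscache_stat(stat) (NULL)
 #define fscache_stat(stat) do {} while (0)
+#define fscache_stat_unchecked(stat) do {} while (0)
 #define fscache_stat_d(stat) do {} while (0)
 #endif
 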
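Review bot: `fscache_stat_unchecked()` is added without a comment saying which counters may use it, while the declarations above now split the counters across two types: the event totals become `atomic_unchecked_t` and the `fscache_n_cop_*` counters stay `atomic_t`. Assuming `atomic_unchecked_t` is the variant exempt from the overflow detection applied to plain `atomic_t`, the helper should state that contract, e.g. `/* statistics only: wrap-around is harmless; never use for a counter that gates an object's lifetime */`. With CONFIG_FSCACHE_STATS off, both `fscache_stat` and `fscache_stat_unchecked` expand to `do {} while (0)`, so a counter passed to the wrong helper is only diagnosed in a stats-enabled build. The conversion should therefore be compile-tested with that option on.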
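--- a/fs/fscache/object.c
+++ b/fs/fscache/object.c
@@ -465,7 +465,7 @@ static const struct fscache_state *fscache_look_up_object(struct fscache_object
 _debug("LOOKUP \"%s\" in \"%s\"",
 cookie->def->name, object->cache->tag->name);
 
- fscache_stat(&fscache_n_object_lookups);
+ fscache_stat_unchecked(&fscache_n_object_lookups);
 fscache_stat(&fscache_n_cop_lookup_object);
 ret = object->cache->ops->lookup_object(object);
 fscache_stat_d(&fscache_n_cop_lookup_object);
@@ -475,7 +475,7 @@ static const struct fscache_state *fscache_look_up_object(struct fscache_object
 if (ret == -ETIMEDOUT) {
 /* probably stuck behind another object, so move this one to
 * the back of the queue */
- fscache_stat(&fscache_n_object_lookups_timed_out);
+ fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
 _leave(" [timeout]");
 return NO_TRANSIT;
 }
@@ -503,7 +503,7 @@ void fscache_object_lookup_negative(struct fscache_object *object)
 _enter("{OBJ%x,%s}", object->debug_id, object->state->name);
 
 if (!test_and_set_bit(FSCACHE_OBJECT_IS_LOOKED_UP, &object->flags)) {
- fscache_stat(&fscache_n_object_lookups_negative);
+ fscache_stat_unchecked(&fscache_n_object_lookups_negative);
 
 /* Allow write requests to begin stacking up and read requests to begin
 * returning ENODATA.
@@ -538,7 +538,7 @@ void fscache_obtained_object(struct fscache_object *object)
 /* if we were still looking up, then we must have a positive lookup
 * result, in which case there may be data available */
 if (!test_and_set_bit(FSCACHE_OBJECT_IS_LOOKED_UP, &object->flags)) {
- fscache_stat(&fscache_n_object_lookups_positive);
+ fscache_stat_unchecked(&fscache_n_object_lookups_positive);
 
 /* We do (presumably) have data */
 clear_bit_unlock(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
@@ -550,7 +550,7 @@ void fscache_obtained_object(struct fscache_object *object)
 clear_bit_unlock(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags);
 wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP);
 } else {
- fscache_stat(&fscache_n_object_created);
+ fscache_stat_unchecked(&fscache_n_object_created);
 }
 
 set_bit(FSCACHE_OBJECT_IS_AVAILABLE, &object->flags);
@@ -586,7 +586,7 @@ static const struct fscache_state *fscache_object_available(struct fscache_objec
 fscache_stat_d(&fscache_n_cop_lookup_complete);
 
 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
- fscache_stat(&fscache_n_object_avail);
+ fscache_stat_unchecked(&fscache_n_object_avail);
 
 _leave("");
 return transit_to(JUMPSTART_DEPS);
@@ -735,7 +735,7 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob
 
 /* this just shifts the object release to the work processor */
 fscache_put_object(object);
- fscache_stat(&fscache_n_object_dead);
+ fscache_stat_unchecked(&fscache_n_object_dead);
 
 _leave("");
 return transit_to(OBJECT_DEAD);
@@ -900,7 +900,7 @@ enum fscache_checkaux fscache_check_aux(struct fscache_object *object,
 enum fscache_checkaux result;
 
 if (!object->cookie->def->check_aux) {
- fscache_stat(&fscache_n_checkaux_none);
+ fscache_stat_unchecked(&fscache_n_checkaux_none);
 return FSCACHE_CHECKAUX_OKAY;
 }
 
@@ -909,17 +909,17 @@ enum fscache_checkaux fscache_check_aux(struct fscache_object *object,
 switch (result) {
 /* entry okay as is */
 case FSCACHE_CHECKAUX_OKAY:
- fscache_stat(&fscache_n_checkaux_okay);
+ fscache_stat_unchecked(&fscache_n_checkaux_okay);
 break;
 
 /* entry requires update */
 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
- fscache_stat(&fscache_n_checkaux_update);
+ fscache_stat_unchecked(&fscache_n_checkaux_update);
 break;
 
 /* entry requires deletion */
 case FSCACHE_CHECKAUX_OBSOLETE:
- fscache_stat(&fscache_n_checkaux_obsolete);
+ fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
 break;
 
 default:
@@ -1007,7 +1007,7 @@ static const struct fscache_state *fscache_invalidate_object(struct fscache_obje
 {
 const struct fscache_state *s;
 
- fscache_stat(&fscache_n_invalidates_run);
+ fscache_stat_unchecked(&fscache_n_invalidates_run);
 fscache_stat(&fscache_n_cop_invalidate_object);
 s = _fscache_invalidate_object(object, event);
 fscache_stat_d(&fscache_n_cop_invalidate_object);
@@ -1022,7 +1022,7 @@ static const struct fscache_state *fscache_update_object(struct fscache_object *
 {
 _enter("{OBJ%x},%d", object->debug_id, event);
 
- fscache_stat(&fscache_n_updates_run);
+ fscache_stat_unchecked(&fscache_n_updates_run);
 fscache_stat(&fscache_n_cop_update_object);
 object->cache->ops->update_object(object);
 fscache_stat_d(&fscache_n_cop_update_object);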
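Review bot: At the lookup, invalidate and update sites the converted call now sits directly above an unconverted one (`fscache_stat_unchecked(&fscache_n_object_lookups);` followed by `fscache_stat(&fscache_n_cop_lookup_object);`), and nothing at the call site says why the two differ. The `n_cop_*` counters are decremented again by `fscache_stat_d()` a line or two later, so they look like in-flight gauges that are presumably left on the checked type on purpose. A short comment at the first such pair would stop a later cleanup from completing the conversion by mistake, for example `/* n_cop_* is an inc/dec gauge and stays on checked atomic_t */`. All the functions touched in this section start and end outside their hunks.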
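--- a/fs/fscache/operation.c
+++ b/fs/fscache/operation.c
@@ -17,7 +17,7 @@
 #include <linux/slab.h>
 #include "internal.h"
 
-atomic_t fscache_op_debug_id;
+atomic_unchecked_t fscache_op_debug_id;
 EXPORT_SYMBOL(fscache_op_debug_id);
 
 static void fscache_operation_dummy_cancel(struct fscache_operation *op)
@@ -40,12 +40,12 @@ void fscache_operation_init(struct fscache_operation *op,
 INIT_WORK(&op->work, fscache_op_work_func);
 atomic_set(&op->usage, 1);
 op->state = FSCACHE_OP_ST_INITIALISED;
- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
 op->processor = processor;
 op->cancel = cancel ?: fscache_operation_dummy_cancel;
 op->release = release;
 INIT_LIST_HEAD(&op->pend_link);
- fscache_stat(&fscache_n_op_initialised);
+ fscache_stat_unchecked(&fscache_n_op_initialised);
 }
 EXPORT_SYMBOL(fscache_operation_init);
 
@@ -68,7 +68,7 @@ void fscache_enqueue_operation(struct fscache_operation *op)
 ASSERTCMP(atomic_read(&op->usage), >, 0);
 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
 
- fscache_stat(&fscache_n_op_enqueue);
+ fscache_stat_unchecked(&fscache_n_op_enqueue);
 switch (op->flags & FSCACHE_OP_TYPE) {
 case FSCACHE_OP_ASYNC:
 _debug("queue async");
@@ -101,7 +101,7 @@ static void fscache_run_op(struct fscache_object *object,
 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
 if (op->processor)
 fscache_enqueue_operation(op);
- fscache_stat(&fscache_n_op_run);
+ fscache_stat_unchecked(&fscache_n_op_run);
 }
 
 /*
@@ -169,7 +169,7 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
 op->state = FSCACHE_OP_ST_PENDING;
 flags = READ_ONCE(object->flags);
 if (unlikely(!(flags & BIT(FSCACHE_OBJECT_IS_LIVE)))) {
- fscache_stat(&fscache_n_op_rejected);
+ fscache_stat_unchecked(&fscache_n_op_rejected);
 op->cancel(op);
 op->state = FSCACHE_OP_ST_CANCELLED;
 ret = -ENOBUFS;
@@ -185,11 +185,11 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
 if (object->n_in_progress > 0) {
 atomic_inc(&op->usage);
 list_add_tail(&op->pend_link, &object->pending_ops);
- fscache_stat(&fscache_n_op_pend);
+ fscache_stat_unchecked(&fscache_n_op_pend);
 } else if (!list_empty(&object->pending_ops)) {
 atomic_inc(&op->usage);
 list_add_tail(&op->pend_link, &object->pending_ops);
- fscache_stat(&fscache_n_op_pend);
+ fscache_stat_unchecked(&fscache_n_op_pend);
 fscache_start_operations(object);
 } else {
 ASSERTCMP(object->n_in_progress, ==, 0);
@@ -205,7 +205,7 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
 object->n_exclusive++; /* reads and writes must wait */
 atomic_inc(&op->usage);
 list_add_tail(&op->pend_link, &object->pending_ops);
- fscache_stat(&fscache_n_op_pend);
+ fscache_stat_unchecked(&fscache_n_op_pend);
 ret = 0;
 } else if (flags & BIT(FSCACHE_OBJECT_KILLED_BY_CACHE)) {
 op->cancel(op);
@@ -254,7 +254,7 @@ int fscache_submit_op(struct fscache_object *object,
 op->state = FSCACHE_OP_ST_PENDING;
 flags = READ_ONCE(object->flags);
 if (unlikely(!(flags & BIT(FSCACHE_OBJECT_IS_LIVE)))) {
- fscache_stat(&fscache_n_op_rejected);
+ fscache_stat_unchecked(&fscache_n_op_rejected);
 op->cancel(op);
 op->state = FSCACHE_OP_ST_CANCELLED;
 ret = -ENOBUFS;
@@ -269,11 +269,11 @@ int fscache_submit_op(struct fscache_object *object,
 if (object->n_exclusive > 0) {
 atomic_inc(&op->usage);
 list_add_tail(&op->pend_link, &object->pending_ops);
- fscache_stat(&fscache_n_op_pend);
+ fscache_stat_unchecked(&fscache_n_op_pend);
 } else if (!list_empty(&object->pending_ops)) {
 atomic_inc(&op->usage);
 list_add_tail(&op->pend_link, &object->pending_ops);
- fscache_stat(&fscache_n_op_pend);
+ fscache_stat_unchecked(&fscache_n_op_pend);
 fscache_start_operations(object);
 } else {
 ASSERTCMP(object->n_exclusive, ==, 0);
@@ -285,7 +285,7 @@ int fscache_submit_op(struct fscache_object *object,
 object->n_ops++;
 atomic_inc(&op->usage);
 list_add_tail(&op->pend_link, &object->pending_ops);
- fscache_stat(&fscache_n_op_pend);
+ fscache_stat_unchecked(&fscache_n_op_pend);
 ret = 0;
 } else if (flags & BIT(FSCACHE_OBJECT_KILLED_BY_CACHE)) {
 op->cancel(op);
@@ -369,7 +369,7 @@ int fscache_cancel_op(struct fscache_operation *op,
 list_del_init(&op->pend_link);
 put = true;
 
- fscache_stat(&fscache_n_op_cancelled);
+ fscache_stat_unchecked(&fscache_n_op_cancelled);
 op->cancel(op);
 op->state = FSCACHE_OP_ST_CANCELLED;
 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
@@ -385,7 +385,7 @@ int fscache_cancel_op(struct fscache_operation *op,
 if (object->n_in_progress == 0)
 fscache_start_operations(object);
 
- fscache_stat(&fscache_n_op_cancelled);
+ fscache_stat_unchecked(&fscache_n_op_cancelled);
 op->cancel(op);
 op->state = FSCACHE_OP_ST_CANCELLED;
 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
@@ -416,7 +416,7 @@ void fscache_cancel_all_ops(struct fscache_object *object)
 while (!list_empty(&object->pending_ops)) {
 op = list_entry(object->pending_ops.next,
 struct fscache_operation, pend_link);
- fscache_stat(&fscache_n_op_cancelled);
+ fscache_stat_unchecked(&fscache_n_op_cancelled);
 list_del_init(&op->pend_link);
 
 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_PENDING);
@@ -493,7 +493,7 @@ void fscache_put_operation(struct fscache_operation *op)
 op->state != FSCACHE_OP_ST_COMPLETE,
 op->state, ==, FSCACHE_OP_ST_CANCELLED);
 
- fscache_stat(&fscache_n_op_release);
+ fscache_stat_unchecked(&fscache_n_op_release);
 
 if (op->release) {
 op->release(op);
@@ -513,7 +513,7 @@ void fscache_put_operation(struct fscache_operation *op)
 * lock, and defer it otherwise */
 if (!spin_trylock(&object->lock)) {
 _debug("defer put");
- fscache_stat(&fscache_n_op_deferred_release);
+ fscache_stat_unchecked(&fscache_n_op_deferred_release);
 
 cache = object->cache;
 spin_lock(&cache->op_gc_list_lock);
@@ -567,7 +567,7 @@ void fscache_operation_gc(struct work_struct *work)
 
 _debug("GC DEFERRED REL OBJ%x OP%x",
 object->debug_id, op->debug_id);
- fscache_stat(&fscache_n_op_gc);
+ fscache_stat_unchecked(&fscache_n_op_gc);
 
 ASSERTCMP(atomic_read(&op->usage), ==, 0);
 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_DEAD);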
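Review bot: `fscache_op_debug_id` is exported with `EXPORT_SYMBOL`, and the first hunk changes its type to `atomic_unchecked_t` while its `extern` declaration is not part of this file section. Every other user of the symbol has to move to `atomic_inc_return_unchecked()` in the same patch, as the cookie.c hunk for `__fscache_check_consistency` does. It is worth checking the tree and any out-of-tree cache backends for remaining `atomic_inc_return(&fscache_op_debug_id)` calls, which would at best produce an incompatible-pointer diagnostic. The reference count `op->usage` stays on the checked `atomic_inc()`/`atomic_read()` throughout this section, which is the right side of the split if that counter governs the operation's lifetime. A comment on the definition such as `/* debug label only, may wrap */` would record why this one is exempt.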
78361diff --git a/fs/fscache/page.c b/fs/fscache/page.c
78362index 483bbc6..ba36737 100644
78363--- a/fs/fscache/page.c
78364+++ b/fs/fscache/page.c
78365@@ -74,7 +74,7 @@ try_again:
78366 val = radix_tree_lookup(&cookie->stores, page->index);
78367 if (!val) {
78368 rcu_read_unlock();
78369- fscache_stat(&fscache_n_store_vmscan_not_storing);
78370+ fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
78371 __fscache_uncache_page(cookie, page);
78372 return true;
78373 }
78374@@ -104,11 +104,11 @@ try_again:
78375 spin_unlock(&cookie->stores_lock);
78376
78377 if (xpage) {
78378- fscache_stat(&fscache_n_store_vmscan_cancelled);
78379- fscache_stat(&fscache_n_store_radix_deletes);
78380+ fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
78381+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
78382 ASSERTCMP(xpage, ==, page);
78383 } else {
78384- fscache_stat(&fscache_n_store_vmscan_gone);
78385+ fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
78386 }
78387
78388 wake_up_bit(&cookie->flags, 0);
78389@@ -123,11 +123,11 @@ page_busy:
78390 * sleeping on memory allocation, so we may need to impose a timeout
78391 * too. */
78392 if (!(gfp & __GFP_WAIT) || !(gfp & __GFP_FS)) {
78393- fscache_stat(&fscache_n_store_vmscan_busy);
78394+ fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
78395 return false;
78396 }
78397
78398- fscache_stat(&fscache_n_store_vmscan_wait);
78399+ fscache_stat_unchecked(&fscache_n_store_vmscan_wait);
78400 if (!release_page_wait_timeout(cookie, page))
78401 _debug("fscache writeout timeout page: %p{%lx}",
78402 page, page->index);
78403@@ -156,7 +156,7 @@ static void fscache_end_page_write(struct fscache_object *object,
78404 FSCACHE_COOKIE_STORING_TAG);
78405 if (!radix_tree_tag_get(&cookie->stores, page->index,
78406 FSCACHE_COOKIE_PENDING_TAG)) {
78407- fscache_stat(&fscache_n_store_radix_deletes);
78408+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
78409 xpage = radix_tree_delete(&cookie->stores, page->index);
78410 }
78411 spin_unlock(&cookie->stores_lock);
78412@@ -177,7 +177,7 @@ static void fscache_attr_changed_op(struct fscache_operation *op)
78413
78414 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
78415
78416- fscache_stat(&fscache_n_attr_changed_calls);
78417+ fscache_stat_unchecked(&fscache_n_attr_changed_calls);
78418
78419 if (fscache_object_is_active(object)) {
78420 fscache_stat(&fscache_n_cop_attr_changed);
78421@@ -204,11 +204,11 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
78422
78423 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
78424
78425- fscache_stat(&fscache_n_attr_changed);
78426+ fscache_stat_unchecked(&fscache_n_attr_changed);
78427
78428 op = kzalloc(sizeof(*op), GFP_KERNEL);
78429 if (!op) {
78430- fscache_stat(&fscache_n_attr_changed_nomem);
78431+ fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
78432 _leave(" = -ENOMEM");
78433 return -ENOMEM;
78434 }
78435@@ -230,7 +230,7 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
78436 if (fscache_submit_exclusive_op(object, op) < 0)
78437 goto nobufs_dec;
78438 spin_unlock(&cookie->lock);
78439- fscache_stat(&fscache_n_attr_changed_ok);
78440+ fscache_stat_unchecked(&fscache_n_attr_changed_ok);
78441 fscache_put_operation(op);
78442 _leave(" = 0");
78443 return 0;
78444@@ -242,7 +242,7 @@ nobufs:
78445 fscache_put_operation(op);
78446 if (wake_cookie)
78447 __fscache_wake_unused_cookie(cookie);
78448- fscache_stat(&fscache_n_attr_changed_nobufs);
78449+ fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
78450 _leave(" = %d", -ENOBUFS);
78451 return -ENOBUFS;
78452 }
78453@@ -293,7 +293,7 @@ static struct fscache_retrieval *fscache_alloc_retrieval(
78454 /* allocate a retrieval operation and attempt to submit it */
78455 op = kzalloc(sizeof(*op), GFP_NOIO);
78456 if (!op) {
78457- fscache_stat(&fscache_n_retrievals_nomem);
78458+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
78459 return NULL;
78460 }
78461
78462@@ -332,12 +332,12 @@ int fscache_wait_for_deferred_lookup(struct fscache_cookie *cookie)
78463 return 0;
78464 }
78465
78466- fscache_stat(&fscache_n_retrievals_wait);
78467+ fscache_stat_unchecked(&fscache_n_retrievals_wait);
78468
78469 jif = jiffies;
78470 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
78471 TASK_INTERRUPTIBLE) != 0) {
78472- fscache_stat(&fscache_n_retrievals_intr);
78473+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
78474 _leave(" = -ERESTARTSYS");
78475 return -ERESTARTSYS;
78476 }
78477@@ -355,8 +355,8 @@ int fscache_wait_for_deferred_lookup(struct fscache_cookie *cookie)
78478 */
78479 int fscache_wait_for_operation_activation(struct fscache_object *object,
78480 struct fscache_operation *op,
78481- atomic_t *stat_op_waits,
78482- atomic_t *stat_object_dead)
78483+ atomic_unchecked_t *stat_op_waits,
78484+ atomic_unchecked_t *stat_object_dead)
78485 {
78486 int ret;
78487
78488@@ -365,7 +365,7 @@ int fscache_wait_for_operation_activation(struct fscache_object *object,
78489
78490 _debug(">>> WT");
78491 if (stat_op_waits)
78492- fscache_stat(stat_op_waits);
78493+ fscache_stat_unchecked(stat_op_waits);
78494 if (wait_on_bit(&op->flags, FSCACHE_OP_WAITING,
78495 TASK_INTERRUPTIBLE) != 0) {
78496 ret = fscache_cancel_op(op, false);
78497@@ -382,7 +382,7 @@ int fscache_wait_for_operation_activation(struct fscache_object *object,
78498 check_if_dead:
78499 if (op->state == FSCACHE_OP_ST_CANCELLED) {
78500 if (stat_object_dead)
78501- fscache_stat(stat_object_dead);
78502+ fscache_stat_unchecked(stat_object_dead);
78503 _leave(" = -ENOBUFS [cancelled]");
78504 return -ENOBUFS;
78505 }
78506@@ -391,7 +391,7 @@ check_if_dead:
78507 enum fscache_operation_state state = op->state;
78508 fscache_cancel_op(op, true);
78509 if (stat_object_dead)
78510- fscache_stat(stat_object_dead);
78511+ fscache_stat_unchecked(stat_object_dead);
78512 _leave(" = -ENOBUFS [obj dead %d]", state);
78513 return -ENOBUFS;
78514 }
78515@@ -420,7 +420,7 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
78516
78517 _enter("%p,%p,,,", cookie, page);
78518
78519- fscache_stat(&fscache_n_retrievals);
78520+ fscache_stat_unchecked(&fscache_n_retrievals);
78521
78522 if (hlist_empty(&cookie->backing_objects))
78523 goto nobufs;
78524@@ -462,7 +462,7 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
78525 goto nobufs_unlock_dec;
78526 spin_unlock(&cookie->lock);
78527
78528- fscache_stat(&fscache_n_retrieval_ops);
78529+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
78530
78531 /* we wait for the operation to become active, and then process it
78532 * *here*, in this thread, and not in the thread pool */
78533@@ -488,15 +488,15 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
78534
78535 error:
78536 if (ret == -ENOMEM)
78537- fscache_stat(&fscache_n_retrievals_nomem);
78538+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
78539 else if (ret == -ERESTARTSYS)
78540- fscache_stat(&fscache_n_retrievals_intr);
78541+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
78542 else if (ret == -ENODATA)
78543- fscache_stat(&fscache_n_retrievals_nodata);
78544+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
78545 else if (ret < 0)
78546- fscache_stat(&fscache_n_retrievals_nobufs);
78547+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
78548 else
78549- fscache_stat(&fscache_n_retrievals_ok);
78550+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
78551
78552 fscache_put_retrieval(op);
78553 _leave(" = %d", ret);
78554@@ -511,7 +511,7 @@ nobufs_unlock:
78555 __fscache_wake_unused_cookie(cookie);
78556 fscache_put_retrieval(op);
78557 nobufs:
78558- fscache_stat(&fscache_n_retrievals_nobufs);
78559+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
78560 _leave(" = -ENOBUFS");
78561 return -ENOBUFS;
78562 }
78563@@ -550,7 +550,7 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
78564
78565 _enter("%p,,%d,,,", cookie, *nr_pages);
78566
78567- fscache_stat(&fscache_n_retrievals);
78568+ fscache_stat_unchecked(&fscache_n_retrievals);
78569
78570 if (hlist_empty(&cookie->backing_objects))
78571 goto nobufs;
78572@@ -588,7 +588,7 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
78573 goto nobufs_unlock_dec;
78574 spin_unlock(&cookie->lock);
78575
78576- fscache_stat(&fscache_n_retrieval_ops);
78577+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
78578
78579 /* we wait for the operation to become active, and then process it
78580 * *here*, in this thread, and not in the thread pool */
78581@@ -614,15 +614,15 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
78582
78583 error:
78584 if (ret == -ENOMEM)
78585- fscache_stat(&fscache_n_retrievals_nomem);
78586+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
78587 else if (ret == -ERESTARTSYS)
78588- fscache_stat(&fscache_n_retrievals_intr);
78589+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
78590 else if (ret == -ENODATA)
78591- fscache_stat(&fscache_n_retrievals_nodata);
78592+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
78593 else if (ret < 0)
78594- fscache_stat(&fscache_n_retrievals_nobufs);
78595+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
78596 else
78597- fscache_stat(&fscache_n_retrievals_ok);
78598+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
78599
78600 fscache_put_retrieval(op);
78601 _leave(" = %d", ret);
78602@@ -637,7 +637,7 @@ nobufs_unlock:
78603 if (wake_cookie)
78604 __fscache_wake_unused_cookie(cookie);
78605 nobufs:
78606- fscache_stat(&fscache_n_retrievals_nobufs);
78607+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
78608 _leave(" = -ENOBUFS");
78609 return -ENOBUFS;
78610 }
78611@@ -662,7 +662,7 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
78612
78613 _enter("%p,%p,,,", cookie, page);
78614
78615- fscache_stat(&fscache_n_allocs);
78616+ fscache_stat_unchecked(&fscache_n_allocs);
78617
78618 if (hlist_empty(&cookie->backing_objects))
78619 goto nobufs;
78620@@ -696,7 +696,7 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
78621 goto nobufs_unlock_dec;
78622 spin_unlock(&cookie->lock);
78623
78624- fscache_stat(&fscache_n_alloc_ops);
78625+ fscache_stat_unchecked(&fscache_n_alloc_ops);
78626
78627 ret = fscache_wait_for_operation_activation(
78628 object, &op->op,
78629@@ -712,11 +712,11 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
78630
78631 error:
78632 if (ret == -ERESTARTSYS)
78633- fscache_stat(&fscache_n_allocs_intr);
78634+ fscache_stat_unchecked(&fscache_n_allocs_intr);
78635 else if (ret < 0)
78636- fscache_stat(&fscache_n_allocs_nobufs);
78637+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
78638 else
78639- fscache_stat(&fscache_n_allocs_ok);
78640+ fscache_stat_unchecked(&fscache_n_allocs_ok);
78641
78642 fscache_put_retrieval(op);
78643 _leave(" = %d", ret);
78644@@ -730,7 +730,7 @@ nobufs_unlock:
78645 if (wake_cookie)
78646 __fscache_wake_unused_cookie(cookie);
78647 nobufs:
78648- fscache_stat(&fscache_n_allocs_nobufs);
78649+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
78650 _leave(" = -ENOBUFS");
78651 return -ENOBUFS;
78652 }
78653@@ -806,7 +806,7 @@ static void fscache_write_op(struct fscache_operation *_op)
78654
78655 spin_lock(&cookie->stores_lock);
78656
78657- fscache_stat(&fscache_n_store_calls);
78658+ fscache_stat_unchecked(&fscache_n_store_calls);
78659
78660 /* find a page to store */
78661 page = NULL;
78662@@ -817,7 +817,7 @@ static void fscache_write_op(struct fscache_operation *_op)
78663 page = results[0];
78664 _debug("gang %d [%lx]", n, page->index);
78665 if (page->index > op->store_limit) {
78666- fscache_stat(&fscache_n_store_pages_over_limit);
78667+ fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
78668 goto superseded;
78669 }
78670
78671@@ -829,7 +829,7 @@ static void fscache_write_op(struct fscache_operation *_op)
78672 spin_unlock(&cookie->stores_lock);
78673 spin_unlock(&object->lock);
78674
78675- fscache_stat(&fscache_n_store_pages);
78676+ fscache_stat_unchecked(&fscache_n_store_pages);
78677 fscache_stat(&fscache_n_cop_write_page);
78678 ret = object->cache->ops->write_page(op, page);
78679 fscache_stat_d(&fscache_n_cop_write_page);
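Review bot: In this hunk `fscache_n_store_pages` moves to `fscache_stat_unchecked()` while the very next line keeps `fscache_stat(&fscache_n_cop_write_page)`, and nothing nearby says why the two are treated differently. From the visible lines the second counter is decremented again by `fscache_stat_d()` once `write_page()` returns, so it looks like a balanced in-flight gauge, whereas the first only ever increases and can wrap without harm. A one-line comment such as `/* monotonic statistic, wrap is harmless; the cop_* counters are inc/dec pairs and keep the checked type */` would stop a later edit from converting the wrong family. The same split appears without comment in the declarations in fs/fscache/stats.c, where the `fscache_n_cop_*` variables remain `atomic_t`. fscache_write_op's body continues outside the hunk.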
78680@@ -933,7 +933,7 @@ int __fscache_write_page(struct fscache_cookie *cookie,
78681 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
78682 ASSERT(PageFsCache(page));
78683
78684- fscache_stat(&fscache_n_stores);
78685+ fscache_stat_unchecked(&fscache_n_stores);
78686
78687 if (test_bit(FSCACHE_COOKIE_INVALIDATING, &cookie->flags)) {
78688 _leave(" = -ENOBUFS [invalidating]");
78689@@ -992,7 +992,7 @@ int __fscache_write_page(struct fscache_cookie *cookie,
78690 spin_unlock(&cookie->stores_lock);
78691 spin_unlock(&object->lock);
78692
78693- op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
78694+ op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
78695 op->store_limit = object->store_limit;
78696
78697 __fscache_use_cookie(cookie);
78698@@ -1001,8 +1001,8 @@ int __fscache_write_page(struct fscache_cookie *cookie,
78699
78700 spin_unlock(&cookie->lock);
78701 radix_tree_preload_end();
78702- fscache_stat(&fscache_n_store_ops);
78703- fscache_stat(&fscache_n_stores_ok);
78704+ fscache_stat_unchecked(&fscache_n_store_ops);
78705+ fscache_stat_unchecked(&fscache_n_stores_ok);
78706
78707 /* the work queue now carries its own ref on the object */
78708 fscache_put_operation(&op->op);
78709@@ -1010,14 +1010,14 @@ int __fscache_write_page(struct fscache_cookie *cookie,
78710 return 0;
78711
78712 already_queued:
78713- fscache_stat(&fscache_n_stores_again);
78714+ fscache_stat_unchecked(&fscache_n_stores_again);
78715 already_pending:
78716 spin_unlock(&cookie->stores_lock);
78717 spin_unlock(&object->lock);
78718 spin_unlock(&cookie->lock);
78719 radix_tree_preload_end();
78720 fscache_put_operation(&op->op);
78721- fscache_stat(&fscache_n_stores_ok);
78722+ fscache_stat_unchecked(&fscache_n_stores_ok);
78723 _leave(" = 0");
78724 return 0;
78725
78726@@ -1039,14 +1039,14 @@ nobufs:
78727 fscache_put_operation(&op->op);
78728 if (wake_cookie)
78729 __fscache_wake_unused_cookie(cookie);
78730- fscache_stat(&fscache_n_stores_nobufs);
78731+ fscache_stat_unchecked(&fscache_n_stores_nobufs);
78732 _leave(" = -ENOBUFS");
78733 return -ENOBUFS;
78734
78735 nomem_free:
78736 fscache_put_operation(&op->op);
78737 nomem:
78738- fscache_stat(&fscache_n_stores_oom);
78739+ fscache_stat_unchecked(&fscache_n_stores_oom);
78740 _leave(" = -ENOMEM");
78741 return -ENOMEM;
78742 }
78743@@ -1064,7 +1064,7 @@ void __fscache_uncache_page(struct fscache_cookie *cookie, struct page *page)
78744 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
78745 ASSERTCMP(page, !=, NULL);
78746
78747- fscache_stat(&fscache_n_uncaches);
78748+ fscache_stat_unchecked(&fscache_n_uncaches);
78749
78750 /* cache withdrawal may beat us to it */
78751 if (!PageFsCache(page))
78752@@ -1115,7 +1115,7 @@ void fscache_mark_page_cached(struct fscache_retrieval *op, struct page *page)
78753 struct fscache_cookie *cookie = op->op.object->cookie;
78754
78755 #ifdef CONFIG_FSCACHE_STATS
78756- atomic_inc(&fscache_n_marks);
78757+ atomic_inc_unchecked(&fscache_n_marks);
78758 #endif
78759
78760 _debug("- mark %p{%lx}", page, page->index);
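Review bot: `fscache_mark_page_cached()` open-codes `atomic_inc_unchecked(&fscache_n_marks)` inside `#ifdef CONFIG_FSCACHE_STATS`, while every other counter converted in this file goes through `fscache_stat_unchecked()`. If that helper compiles to nothing when statistics are disabled (its definition is not visible here, so this needs checking), the three lines could become `fscache_stat_unchecked(&fscache_n_marks);` and the conditional would disappear. The function continues past the end of the hunk.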
78761diff --git a/fs/fscache/stats.c b/fs/fscache/stats.c
78762index 7cfa0aa..d5ef97b7 100644
78763--- a/fs/fscache/stats.c
78764+++ b/fs/fscache/stats.c
78765@@ -18,100 +18,100 @@
78766 /*
78767 * operation counters
78768 */
78769-atomic_t fscache_n_op_pend;
78770-atomic_t fscache_n_op_run;
78771-atomic_t fscache_n_op_enqueue;
78772-atomic_t fscache_n_op_requeue;
78773-atomic_t fscache_n_op_deferred_release;
78774-atomic_t fscache_n_op_initialised;
78775-atomic_t fscache_n_op_release;
78776-atomic_t fscache_n_op_gc;
78777-atomic_t fscache_n_op_cancelled;
78778-atomic_t fscache_n_op_rejected;
78779+atomic_unchecked_t fscache_n_op_pend;
78780+atomic_unchecked_t fscache_n_op_run;
78781+atomic_unchecked_t fscache_n_op_enqueue;
78782+atomic_unchecked_t fscache_n_op_requeue;
78783+atomic_unchecked_t fscache_n_op_deferred_release;
78784+atomic_unchecked_t fscache_n_op_initialised;
78785+atomic_unchecked_t fscache_n_op_release;
78786+atomic_unchecked_t fscache_n_op_gc;
78787+atomic_unchecked_t fscache_n_op_cancelled;
78788+atomic_unchecked_t fscache_n_op_rejected;
78789
78790-atomic_t fscache_n_attr_changed;
78791-atomic_t fscache_n_attr_changed_ok;
78792-atomic_t fscache_n_attr_changed_nobufs;
78793-atomic_t fscache_n_attr_changed_nomem;
78794-atomic_t fscache_n_attr_changed_calls;
78795+atomic_unchecked_t fscache_n_attr_changed;
78796+atomic_unchecked_t fscache_n_attr_changed_ok;
78797+atomic_unchecked_t fscache_n_attr_changed_nobufs;
78798+atomic_unchecked_t fscache_n_attr_changed_nomem;
78799+atomic_unchecked_t fscache_n_attr_changed_calls;
78800
78801-atomic_t fscache_n_allocs;
78802-atomic_t fscache_n_allocs_ok;
78803-atomic_t fscache_n_allocs_wait;
78804-atomic_t fscache_n_allocs_nobufs;
78805-atomic_t fscache_n_allocs_intr;
78806-atomic_t fscache_n_allocs_object_dead;
78807-atomic_t fscache_n_alloc_ops;
78808-atomic_t fscache_n_alloc_op_waits;
78809+atomic_unchecked_t fscache_n_allocs;
78810+atomic_unchecked_t fscache_n_allocs_ok;
78811+atomic_unchecked_t fscache_n_allocs_wait;
78812+atomic_unchecked_t fscache_n_allocs_nobufs;
78813+atomic_unchecked_t fscache_n_allocs_intr;
78814+atomic_unchecked_t fscache_n_allocs_object_dead;
78815+atomic_unchecked_t fscache_n_alloc_ops;
78816+atomic_unchecked_t fscache_n_alloc_op_waits;
78817
78818-atomic_t fscache_n_retrievals;
78819-atomic_t fscache_n_retrievals_ok;
78820-atomic_t fscache_n_retrievals_wait;
78821-atomic_t fscache_n_retrievals_nodata;
78822-atomic_t fscache_n_retrievals_nobufs;
78823-atomic_t fscache_n_retrievals_intr;
78824-atomic_t fscache_n_retrievals_nomem;
78825-atomic_t fscache_n_retrievals_object_dead;
78826-atomic_t fscache_n_retrieval_ops;
78827-atomic_t fscache_n_retrieval_op_waits;
78828+atomic_unchecked_t fscache_n_retrievals;
78829+atomic_unchecked_t fscache_n_retrievals_ok;
78830+atomic_unchecked_t fscache_n_retrievals_wait;
78831+atomic_unchecked_t fscache_n_retrievals_nodata;
78832+atomic_unchecked_t fscache_n_retrievals_nobufs;
78833+atomic_unchecked_t fscache_n_retrievals_intr;
78834+atomic_unchecked_t fscache_n_retrievals_nomem;
78835+atomic_unchecked_t fscache_n_retrievals_object_dead;
78836+atomic_unchecked_t fscache_n_retrieval_ops;
78837+atomic_unchecked_t fscache_n_retrieval_op_waits;
78838
78839-atomic_t fscache_n_stores;
78840-atomic_t fscache_n_stores_ok;
78841-atomic_t fscache_n_stores_again;
78842-atomic_t fscache_n_stores_nobufs;
78843-atomic_t fscache_n_stores_oom;
78844-atomic_t fscache_n_store_ops;
78845-atomic_t fscache_n_store_calls;
78846-atomic_t fscache_n_store_pages;
78847-atomic_t fscache_n_store_radix_deletes;
78848-atomic_t fscache_n_store_pages_over_limit;
78849+atomic_unchecked_t fscache_n_stores;
78850+atomic_unchecked_t fscache_n_stores_ok;
78851+atomic_unchecked_t fscache_n_stores_again;
78852+atomic_unchecked_t fscache_n_stores_nobufs;
78853+atomic_unchecked_t fscache_n_stores_oom;
78854+atomic_unchecked_t fscache_n_store_ops;
78855+atomic_unchecked_t fscache_n_store_calls;
78856+atomic_unchecked_t fscache_n_store_pages;
78857+atomic_unchecked_t fscache_n_store_radix_deletes;
78858+atomic_unchecked_t fscache_n_store_pages_over_limit;
78859
78860-atomic_t fscache_n_store_vmscan_not_storing;
78861-atomic_t fscache_n_store_vmscan_gone;
78862-atomic_t fscache_n_store_vmscan_busy;
78863-atomic_t fscache_n_store_vmscan_cancelled;
78864-atomic_t fscache_n_store_vmscan_wait;
78865+atomic_unchecked_t fscache_n_store_vmscan_not_storing;
78866+atomic_unchecked_t fscache_n_store_vmscan_gone;
78867+atomic_unchecked_t fscache_n_store_vmscan_busy;
78868+atomic_unchecked_t fscache_n_store_vmscan_cancelled;
78869+atomic_unchecked_t fscache_n_store_vmscan_wait;
78870
78871-atomic_t fscache_n_marks;
78872-atomic_t fscache_n_uncaches;
78873+atomic_unchecked_t fscache_n_marks;
78874+atomic_unchecked_t fscache_n_uncaches;
78875
78876-atomic_t fscache_n_acquires;
78877-atomic_t fscache_n_acquires_null;
78878-atomic_t fscache_n_acquires_no_cache;
78879-atomic_t fscache_n_acquires_ok;
78880-atomic_t fscache_n_acquires_nobufs;
78881-atomic_t fscache_n_acquires_oom;
78882+atomic_unchecked_t fscache_n_acquires;
78883+atomic_unchecked_t fscache_n_acquires_null;
78884+atomic_unchecked_t fscache_n_acquires_no_cache;
78885+atomic_unchecked_t fscache_n_acquires_ok;
78886+atomic_unchecked_t fscache_n_acquires_nobufs;
78887+atomic_unchecked_t fscache_n_acquires_oom;
78888
78889-atomic_t fscache_n_invalidates;
78890-atomic_t fscache_n_invalidates_run;
78891+atomic_unchecked_t fscache_n_invalidates;
78892+atomic_unchecked_t fscache_n_invalidates_run;
78893
78894-atomic_t fscache_n_updates;
78895-atomic_t fscache_n_updates_null;
78896-atomic_t fscache_n_updates_run;
78897+atomic_unchecked_t fscache_n_updates;
78898+atomic_unchecked_t fscache_n_updates_null;
78899+atomic_unchecked_t fscache_n_updates_run;
78900
78901-atomic_t fscache_n_relinquishes;
78902-atomic_t fscache_n_relinquishes_null;
78903-atomic_t fscache_n_relinquishes_waitcrt;
78904-atomic_t fscache_n_relinquishes_retire;
78905+atomic_unchecked_t fscache_n_relinquishes;
78906+atomic_unchecked_t fscache_n_relinquishes_null;
78907+atomic_unchecked_t fscache_n_relinquishes_waitcrt;
78908+atomic_unchecked_t fscache_n_relinquishes_retire;
78909
78910-atomic_t fscache_n_cookie_index;
78911-atomic_t fscache_n_cookie_data;
78912-atomic_t fscache_n_cookie_special;
78913+atomic_unchecked_t fscache_n_cookie_index;
78914+atomic_unchecked_t fscache_n_cookie_data;
78915+atomic_unchecked_t fscache_n_cookie_special;
78916
78917-atomic_t fscache_n_object_alloc;
78918-atomic_t fscache_n_object_no_alloc;
78919-atomic_t fscache_n_object_lookups;
78920-atomic_t fscache_n_object_lookups_negative;
78921-atomic_t fscache_n_object_lookups_positive;
78922-atomic_t fscache_n_object_lookups_timed_out;
78923-atomic_t fscache_n_object_created;
78924-atomic_t fscache_n_object_avail;
78925-atomic_t fscache_n_object_dead;
78926+atomic_unchecked_t fscache_n_object_alloc;
78927+atomic_unchecked_t fscache_n_object_no_alloc;
78928+atomic_unchecked_t fscache_n_object_lookups;
78929+atomic_unchecked_t fscache_n_object_lookups_negative;
78930+atomic_unchecked_t fscache_n_object_lookups_positive;
78931+atomic_unchecked_t fscache_n_object_lookups_timed_out;
78932+atomic_unchecked_t fscache_n_object_created;
78933+atomic_unchecked_t fscache_n_object_avail;
78934+atomic_unchecked_t fscache_n_object_dead;
78935
78936-atomic_t fscache_n_checkaux_none;
78937-atomic_t fscache_n_checkaux_okay;
78938-atomic_t fscache_n_checkaux_update;
78939-atomic_t fscache_n_checkaux_obsolete;
78940+atomic_unchecked_t fscache_n_checkaux_none;
78941+atomic_unchecked_t fscache_n_checkaux_okay;
78942+atomic_unchecked_t fscache_n_checkaux_update;
78943+atomic_unchecked_t fscache_n_checkaux_obsolete;
78944
78945 atomic_t fscache_n_cop_alloc_object;
78946 atomic_t fscache_n_cop_lookup_object;
78947@@ -144,119 +144,119 @@ static int fscache_stats_show(struct seq_file *m, void *v)
78948 seq_puts(m, "FS-Cache statistics\n");
78949
78950 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
78951- atomic_read(&fscache_n_cookie_index),
78952- atomic_read(&fscache_n_cookie_data),
78953- atomic_read(&fscache_n_cookie_special));
78954+ atomic_read_unchecked(&fscache_n_cookie_index),
78955+ atomic_read_unchecked(&fscache_n_cookie_data),
78956+ atomic_read_unchecked(&fscache_n_cookie_special));
78957
78958 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
78959- atomic_read(&fscache_n_object_alloc),
78960- atomic_read(&fscache_n_object_no_alloc),
78961- atomic_read(&fscache_n_object_avail),
78962- atomic_read(&fscache_n_object_dead));
78963+ atomic_read_unchecked(&fscache_n_object_alloc),
78964+ atomic_read_unchecked(&fscache_n_object_no_alloc),
78965+ atomic_read_unchecked(&fscache_n_object_avail),
78966+ atomic_read_unchecked(&fscache_n_object_dead));
78967 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
78968- atomic_read(&fscache_n_checkaux_none),
78969- atomic_read(&fscache_n_checkaux_okay),
78970- atomic_read(&fscache_n_checkaux_update),
78971- atomic_read(&fscache_n_checkaux_obsolete));
78972+ atomic_read_unchecked(&fscache_n_checkaux_none),
78973+ atomic_read_unchecked(&fscache_n_checkaux_okay),
78974+ atomic_read_unchecked(&fscache_n_checkaux_update),
78975+ atomic_read_unchecked(&fscache_n_checkaux_obsolete));
78976
78977 seq_printf(m, "Pages : mrk=%u unc=%u\n",
78978- atomic_read(&fscache_n_marks),
78979- atomic_read(&fscache_n_uncaches));
78980+ atomic_read_unchecked(&fscache_n_marks),
78981+ atomic_read_unchecked(&fscache_n_uncaches));
78982
78983 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
78984 " oom=%u\n",
78985- atomic_read(&fscache_n_acquires),
78986- atomic_read(&fscache_n_acquires_null),
78987- atomic_read(&fscache_n_acquires_no_cache),
78988- atomic_read(&fscache_n_acquires_ok),
78989- atomic_read(&fscache_n_acquires_nobufs),
78990- atomic_read(&fscache_n_acquires_oom));
78991+ atomic_read_unchecked(&fscache_n_acquires),
78992+ atomic_read_unchecked(&fscache_n_acquires_null),
78993+ atomic_read_unchecked(&fscache_n_acquires_no_cache),
78994+ atomic_read_unchecked(&fscache_n_acquires_ok),
78995+ atomic_read_unchecked(&fscache_n_acquires_nobufs),
78996+ atomic_read_unchecked(&fscache_n_acquires_oom));
78997
78998 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
78999- atomic_read(&fscache_n_object_lookups),
79000- atomic_read(&fscache_n_object_lookups_negative),
79001- atomic_read(&fscache_n_object_lookups_positive),
79002- atomic_read(&fscache_n_object_created),
79003- atomic_read(&fscache_n_object_lookups_timed_out));
79004+ atomic_read_unchecked(&fscache_n_object_lookups),
79005+ atomic_read_unchecked(&fscache_n_object_lookups_negative),
79006+ atomic_read_unchecked(&fscache_n_object_lookups_positive),
79007+ atomic_read_unchecked(&fscache_n_object_created),
79008+ atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
79009
79010 seq_printf(m, "Invals : n=%u run=%u\n",
79011- atomic_read(&fscache_n_invalidates),
79012- atomic_read(&fscache_n_invalidates_run));
79013+ atomic_read_unchecked(&fscache_n_invalidates),
79014+ atomic_read_unchecked(&fscache_n_invalidates_run));
79015
79016 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
79017- atomic_read(&fscache_n_updates),
79018- atomic_read(&fscache_n_updates_null),
79019- atomic_read(&fscache_n_updates_run));
79020+ atomic_read_unchecked(&fscache_n_updates),
79021+ atomic_read_unchecked(&fscache_n_updates_null),
79022+ atomic_read_unchecked(&fscache_n_updates_run));
79023
79024 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
79025- atomic_read(&fscache_n_relinquishes),
79026- atomic_read(&fscache_n_relinquishes_null),
79027- atomic_read(&fscache_n_relinquishes_waitcrt),
79028- atomic_read(&fscache_n_relinquishes_retire));
79029+ atomic_read_unchecked(&fscache_n_relinquishes),
79030+ atomic_read_unchecked(&fscache_n_relinquishes_null),
79031+ atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
79032+ atomic_read_unchecked(&fscache_n_relinquishes_retire));
79033
79034 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
79035- atomic_read(&fscache_n_attr_changed),
79036- atomic_read(&fscache_n_attr_changed_ok),
79037- atomic_read(&fscache_n_attr_changed_nobufs),
79038- atomic_read(&fscache_n_attr_changed_nomem),
79039- atomic_read(&fscache_n_attr_changed_calls));
79040+ atomic_read_unchecked(&fscache_n_attr_changed),
79041+ atomic_read_unchecked(&fscache_n_attr_changed_ok),
79042+ atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
79043+ atomic_read_unchecked(&fscache_n_attr_changed_nomem),
79044+ atomic_read_unchecked(&fscache_n_attr_changed_calls));
79045
79046 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
79047- atomic_read(&fscache_n_allocs),
79048- atomic_read(&fscache_n_allocs_ok),
79049- atomic_read(&fscache_n_allocs_wait),
79050- atomic_read(&fscache_n_allocs_nobufs),
79051- atomic_read(&fscache_n_allocs_intr));
79052+ atomic_read_unchecked(&fscache_n_allocs),
79053+ atomic_read_unchecked(&fscache_n_allocs_ok),
79054+ atomic_read_unchecked(&fscache_n_allocs_wait),
79055+ atomic_read_unchecked(&fscache_n_allocs_nobufs),
79056+ atomic_read_unchecked(&fscache_n_allocs_intr));
79057 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
79058- atomic_read(&fscache_n_alloc_ops),
79059- atomic_read(&fscache_n_alloc_op_waits),
79060- atomic_read(&fscache_n_allocs_object_dead));
79061+ atomic_read_unchecked(&fscache_n_alloc_ops),
79062+ atomic_read_unchecked(&fscache_n_alloc_op_waits),
79063+ atomic_read_unchecked(&fscache_n_allocs_object_dead));
79064
79065 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
79066 " int=%u oom=%u\n",
79067- atomic_read(&fscache_n_retrievals),
79068- atomic_read(&fscache_n_retrievals_ok),
79069- atomic_read(&fscache_n_retrievals_wait),
79070- atomic_read(&fscache_n_retrievals_nodata),
79071- atomic_read(&fscache_n_retrievals_nobufs),
79072- atomic_read(&fscache_n_retrievals_intr),
79073- atomic_read(&fscache_n_retrievals_nomem));
79074+ atomic_read_unchecked(&fscache_n_retrievals),
79075+ atomic_read_unchecked(&fscache_n_retrievals_ok),
79076+ atomic_read_unchecked(&fscache_n_retrievals_wait),
79077+ atomic_read_unchecked(&fscache_n_retrievals_nodata),
79078+ atomic_read_unchecked(&fscache_n_retrievals_nobufs),
79079+ atomic_read_unchecked(&fscache_n_retrievals_intr),
79080+ atomic_read_unchecked(&fscache_n_retrievals_nomem));
79081 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
79082- atomic_read(&fscache_n_retrieval_ops),
79083- atomic_read(&fscache_n_retrieval_op_waits),
79084- atomic_read(&fscache_n_retrievals_object_dead));
79085+ atomic_read_unchecked(&fscache_n_retrieval_ops),
79086+ atomic_read_unchecked(&fscache_n_retrieval_op_waits),
79087+ atomic_read_unchecked(&fscache_n_retrievals_object_dead));
79088
79089 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
79090- atomic_read(&fscache_n_stores),
79091- atomic_read(&fscache_n_stores_ok),
79092- atomic_read(&fscache_n_stores_again),
79093- atomic_read(&fscache_n_stores_nobufs),
79094- atomic_read(&fscache_n_stores_oom));
79095+ atomic_read_unchecked(&fscache_n_stores),
79096+ atomic_read_unchecked(&fscache_n_stores_ok),
79097+ atomic_read_unchecked(&fscache_n_stores_again),
79098+ atomic_read_unchecked(&fscache_n_stores_nobufs),
79099+ atomic_read_unchecked(&fscache_n_stores_oom));
79100 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
79101- atomic_read(&fscache_n_store_ops),
79102- atomic_read(&fscache_n_store_calls),
79103- atomic_read(&fscache_n_store_pages),
79104- atomic_read(&fscache_n_store_radix_deletes),
79105- atomic_read(&fscache_n_store_pages_over_limit));
79106+ atomic_read_unchecked(&fscache_n_store_ops),
79107+ atomic_read_unchecked(&fscache_n_store_calls),
79108+ atomic_read_unchecked(&fscache_n_store_pages),
79109+ atomic_read_unchecked(&fscache_n_store_radix_deletes),
79110+ atomic_read_unchecked(&fscache_n_store_pages_over_limit));
79111
79112 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u wt=%u\n",
79113- atomic_read(&fscache_n_store_vmscan_not_storing),
79114- atomic_read(&fscache_n_store_vmscan_gone),
79115- atomic_read(&fscache_n_store_vmscan_busy),
79116- atomic_read(&fscache_n_store_vmscan_cancelled),
79117- atomic_read(&fscache_n_store_vmscan_wait));
79118+ atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
79119+ atomic_read_unchecked(&fscache_n_store_vmscan_gone),
79120+ atomic_read_unchecked(&fscache_n_store_vmscan_busy),
79121+ atomic_read_unchecked(&fscache_n_store_vmscan_cancelled),
79122+ atomic_read_unchecked(&fscache_n_store_vmscan_wait));
79123
79124 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
79125- atomic_read(&fscache_n_op_pend),
79126- atomic_read(&fscache_n_op_run),
79127- atomic_read(&fscache_n_op_enqueue),
79128- atomic_read(&fscache_n_op_cancelled),
79129- atomic_read(&fscache_n_op_rejected));
79130+ atomic_read_unchecked(&fscache_n_op_pend),
79131+ atomic_read_unchecked(&fscache_n_op_run),
79132+ atomic_read_unchecked(&fscache_n_op_enqueue),
79133+ atomic_read_unchecked(&fscache_n_op_cancelled),
79134+ atomic_read_unchecked(&fscache_n_op_rejected));
79135 seq_printf(m, "Ops : ini=%u dfr=%u rel=%u gc=%u\n",
79136- atomic_read(&fscache_n_op_initialised),
79137- atomic_read(&fscache_n_op_deferred_release),
79138- atomic_read(&fscache_n_op_release),
79139- atomic_read(&fscache_n_op_gc));
79140+ atomic_read_unchecked(&fscache_n_op_initialised),
79141+ atomic_read_unchecked(&fscache_n_op_deferred_release),
79142+ atomic_read_unchecked(&fscache_n_op_release),
79143+ atomic_read_unchecked(&fscache_n_op_gc));
79144
79145 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
79146 atomic_read(&fscache_n_cop_alloc_object),
79147diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
79148index eae2c11..b277a45 100644
79149--- a/fs/fuse/cuse.c
79150+++ b/fs/fuse/cuse.c
79151@@ -609,10 +609,12 @@ static int __init cuse_init(void)
79152 INIT_LIST_HEAD(&cuse_conntbl[i]);
79153
79154 /* inherit and extend fuse_dev_operations */
79155- cuse_channel_fops = fuse_dev_operations;
79156- cuse_channel_fops.owner = THIS_MODULE;
79157- cuse_channel_fops.open = cuse_channel_open;
79158- cuse_channel_fops.release = cuse_channel_release;
79159+ pax_open_kernel();
79160+ memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
79161+ *(void **)&cuse_channel_fops.owner = THIS_MODULE;
79162+ *(void **)&cuse_channel_fops.open = cuse_channel_open;
79163+ *(void **)&cuse_channel_fops.release = cuse_channel_release;
79164+ pax_close_kernel();
79165
79166 cuse_class = class_create(THIS_MODULE, "cuse");
79167 if (IS_ERR(cuse_class))
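Review bot: The three stores through `*(void **)&cuse_channel_fops.<member>` discard the member types, so a handler whose prototype no longer matches `open` or `release` would be accepted silently where the removed plain assignments would have drawn a compiler diagnostic. The `memcpy()` also takes its length from the source object; using `sizeof(cuse_channel_fops)`, or adding `BUILD_BUG_ON(sizeof(cuse_channel_fops) != sizeof(fuse_dev_operations));`, ties the length to the object being written. A short comment above `pax_open_kernel()` saying that the structure is presumably read-only outside this window and is filled in once from this `__init` path would explain why the window exists and that nothing else belongs inside it. cuse_init's body starts and ends outside the hunk.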
79168diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
79169index ebb5e37..beae05b 100644
79170--- a/fs/fuse/dev.c
79171+++ b/fs/fuse/dev.c
79172@@ -1390,7 +1390,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
79173 ret = 0;
79174 pipe_lock(pipe);
79175
79176- if (!pipe->readers) {
79177+ if (!atomic_read(&pipe->readers)) {
79178 send_sig(SIGPIPE, current, 0);
79179 if (!ret)
79180 ret = -EPIPE;
79181@@ -1419,7 +1419,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
79182 page_nr++;
79183 ret += buf->len;
79184
79185- if (pipe->files)
79186+ if (atomic_read(&pipe->files))
79187 do_wakeup = 1;
79188 }
79189
79190diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
79191index a38e38f..6dbdcf6 100644
79192--- a/fs/gfs2/glock.c
79193+++ b/fs/gfs2/glock.c
79194@@ -385,9 +385,9 @@ static void state_change(struct gfs2_glock *gl, unsigned int new_state)
79195 if (held1 != held2) {
79196 GLOCK_BUG_ON(gl, __lockref_is_dead(&gl->gl_lockref));
79197 if (held2)
79198- gl->gl_lockref.count++;
79199+ __lockref_inc(&gl->gl_lockref);
79200 else
79201- gl->gl_lockref.count--;
79202+ __lockref_dec(&gl->gl_lockref);
79203 }
79204 if (held1 && held2 && list_empty(&gl->gl_holders))
79205 clear_bit(GLF_QUEUED, &gl->gl_flags);
79206@@ -614,9 +614,9 @@ out:
79207 out_sched:
79208 clear_bit(GLF_LOCK, &gl->gl_flags);
79209 smp_mb__after_atomic();
79210- gl->gl_lockref.count++;
79211+ __lockref_inc(&gl->gl_lockref);
79212 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
79213- gl->gl_lockref.count--;
79214+ __lockref_dec(&gl->gl_lockref);
79215 return;
79216
79217 out_unlock:
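Review bot: The take-a-reference, queue, drop-on-failure sequence converted at `out_sched` appears again line for line in the `gfs2_glock_nq()` hunk, and with other statements in between in the LRU hunk further down this file, so each copy has to be kept on the new accessors by hand. A small static helper would put `__lockref_inc()`/`__lockref_dec()` in one place and give the locking requirement somewhere to be written down; the original was a plain `count++`, so the caller presumably holds `gl_spin`, though that is not visible in this hunk. The helper name below is a suggestion, not an existing function. The enclosing function starts outside the hunk.

```c
/*
 * Caller holds gl->gl_spin (assumed from the call sites; confirm).
 * Takes a reference for the queued work and drops it again when the
 * work item was already pending.
 */
static void glock_queue_work_ref(struct gfs2_glock *gl)
{
	__lockref_inc(&gl->gl_lockref);
	if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
		__lockref_dec(&gl->gl_lockref);
}

out_sched:
	/* … unchanged: clear_bit(GLF_LOCK) and smp_mb__after_atomic() … */
	glock_queue_work_ref(gl);
	return;
```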
79218@@ -742,7 +742,7 @@ int gfs2_glock_get(struct gfs2_sbd *sdp, u64 number,
79219 gl->gl_sbd = sdp;
79220 gl->gl_flags = 0;
79221 gl->gl_name = name;
79222- gl->gl_lockref.count = 1;
79223+ __lockref_set(&gl->gl_lockref, 1);
79224 gl->gl_state = LM_ST_UNLOCKED;
79225 gl->gl_target = LM_ST_UNLOCKED;
79226 gl->gl_demote_state = LM_ST_EXCLUSIVE;
79227@@ -1020,9 +1020,9 @@ int gfs2_glock_nq(struct gfs2_holder *gh)
79228 if (unlikely((LM_FLAG_NOEXP & gh->gh_flags) &&
79229 test_and_clear_bit(GLF_FROZEN, &gl->gl_flags))) {
79230 set_bit(GLF_REPLY_PENDING, &gl->gl_flags);
79231- gl->gl_lockref.count++;
79232+ __lockref_inc(&gl->gl_lockref);
79233 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
79234- gl->gl_lockref.count--;
79235+ __lockref_dec(&gl->gl_lockref);
79236 }
79237 run_queue(gl, 1);
79238 spin_unlock(&gl->gl_spin);
79239@@ -1326,7 +1326,7 @@ void gfs2_glock_complete(struct gfs2_glock *gl, int ret)
79240 }
79241 }
79242
79243- gl->gl_lockref.count++;
79244+ __lockref_inc(&gl->gl_lockref);
79245 set_bit(GLF_REPLY_PENDING, &gl->gl_flags);
79246 spin_unlock(&gl->gl_spin);
79247
79248@@ -1385,12 +1385,12 @@ add_back_to_lru:
79249 goto add_back_to_lru;
79250 }
79251 clear_bit(GLF_LRU, &gl->gl_flags);
79252- gl->gl_lockref.count++;
79253+ __lockref_inc(&gl->gl_lockref);
79254 if (demote_ok(gl))
79255 handle_callback(gl, LM_ST_UNLOCKED, 0, false);
79256 WARN_ON(!test_and_clear_bit(GLF_LOCK, &gl->gl_flags));
79257 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
79258- gl->gl_lockref.count--;
79259+ __lockref_dec(&gl->gl_lockref);
79260 spin_unlock(&gl->gl_spin);
79261 cond_resched_lock(&lru_lock);
79262 }
79263@@ -1720,7 +1720,7 @@ void gfs2_dump_glock(struct seq_file *seq, const struct gfs2_glock *gl)
79264 state2str(gl->gl_demote_state), dtime,
79265 atomic_read(&gl->gl_ail_count),
79266 atomic_read(&gl->gl_revokes),
79267- (int)gl->gl_lockref.count, gl->gl_hold_time);
79268+ __lockref_read(&gl->gl_lockref), gl->gl_hold_time);
79269
79270 list_for_each_entry(gh, &gl->gl_holders, gh_list)
79271 dump_holder(seq, gh);
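Review bot: Dropping the `(int)` cast makes the type passed to this variadic print call depend on whatever `__lockref_read()` returns, and neither its declaration nor the format string is inside the hunk. If the accessor does not return `int`, the argument no longer matches the conversion the old cast was written for; keeping the cast, `(int)__lockref_read(&gl->gl_lockref), gl->gl_hold_time);`, preserves the previous behaviour either way. gfs2_dump_glock's body starts and ends outside the hunk.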
79272diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
79273index fa3fa5e..9fe2272 100644
79274--- a/fs/gfs2/glops.c
79275+++ b/fs/gfs2/glops.c
79276@@ -552,9 +552,9 @@ static void iopen_go_callback(struct gfs2_glock *gl, bool remote)
79277
79278 if (gl->gl_demote_state == LM_ST_UNLOCKED &&
79279 gl->gl_state == LM_ST_SHARED && ip) {
79280- gl->gl_lockref.count++;
79281+ __lockref_inc(&gl->gl_lockref);
79282 if (queue_work(gfs2_delete_workqueue, &gl->gl_delete) == 0)
79283- gl->gl_lockref.count--;
79284+ __lockref_dec(&gl->gl_lockref);
79285 }
79286 }
79287
79288diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
79289index 9b61f92..ab84778 100644
79290--- a/fs/gfs2/quota.c
79291+++ b/fs/gfs2/quota.c
79292@@ -154,7 +154,7 @@ static enum lru_status gfs2_qd_isolate(struct list_head *item,
79293 if (!spin_trylock(&qd->qd_lockref.lock))
79294 return LRU_SKIP;
79295
79296- if (qd->qd_lockref.count == 0) {
79297+ if (__lockref_read(&qd->qd_lockref) == 0) {
79298 lockref_mark_dead(&qd->qd_lockref);
79299 list_lru_isolate_move(lru, &qd->qd_lru, dispose);
79300 }
79301@@ -221,7 +221,7 @@ static struct gfs2_quota_data *qd_alloc(unsigned hash, struct gfs2_sbd *sdp, str
79302 return NULL;
79303
79304 qd->qd_sbd = sdp;
79305- qd->qd_lockref.count = 1;
79306+ __lockref_set(&qd->qd_lockref, 1);
79307 spin_lock_init(&qd->qd_lockref.lock);
79308 qd->qd_id = qid;
79309 qd->qd_slot = -1;
79310@@ -312,7 +312,7 @@ static void qd_put(struct gfs2_quota_data *qd)
79311 if (lockref_put_or_lock(&qd->qd_lockref))
79312 return;
79313
79314- qd->qd_lockref.count = 0;
79315+ __lockref_set(&qd->qd_lockref, 0);
79316 list_lru_add(&gfs2_qd_lru, &qd->qd_lru);
79317 spin_unlock(&qd->qd_lockref.lock);
79318
79319diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
79320index 973c24c..a3cbeb3 100644
79321--- a/fs/hugetlbfs/inode.c
79322+++ b/fs/hugetlbfs/inode.c
79323@@ -150,6 +150,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
79324 struct mm_struct *mm = current->mm;
79325 struct vm_area_struct *vma;
79326 struct hstate *h = hstate_file(file);
79327+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
79328 struct vm_unmapped_area_info info;
79329
79330 if (len & ~huge_page_mask(h))
79331@@ -163,17 +164,26 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
79332 return addr;
79333 }
79334
79335+#ifdef CONFIG_PAX_RANDMMAP
79336+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
79337+#endif
79338+
79339 if (addr) {
79340 addr = ALIGN(addr, huge_page_size(h));
79341 vma = find_vma(mm, addr);
79342- if (TASK_SIZE - len >= addr &&
79343- (!vma || addr + len <= vma->vm_start))
79344+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
79345 return addr;
79346 }
79347
79348 info.flags = 0;
79349 info.length = len;
79350 info.low_limit = TASK_UNMAPPED_BASE;
79351+
79352+#ifdef CONFIG_PAX_RANDMMAP
79353+ if (mm->pax_flags & MF_PAX_RANDMMAP)
79354+ info.low_limit += mm->delta_mmap;
79355+#endif
79356+
79357 info.high_limit = TASK_SIZE;
79358 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
79359 info.align_offset = 0;
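Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own; it governs the following `if (addr) { … }` only because nothing but `#endif` and a blank line sit between them. Any statement later inserted in that gap would become the conditional body when CONFIG_PAX_RANDMMAP is set and leave the address-hint path unconditional. Carrying the decision in a local flag removes that trap and gives a place to state that the caller's hint is deliberately ignored when mmap randomisation is active, which is what the visible code does. hugetlb_get_unmapped_area continues outside the hunk.

```c
	bool use_hint = addr != 0;	/* declare with the other locals */

	/* … unchanged: length check and MAP_FIXED handling … */

#ifdef CONFIG_PAX_RANDMMAP
	/* With RANDMMAP active the caller's address hint is ignored on purpose. */
	if (mm->pax_flags & MF_PAX_RANDMMAP)
		use_hint = false;
#endif

	if (use_hint) {
		/* … unchanged: ALIGN, find_vma, check_heap_stack_gap … */
```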
79360@@ -938,7 +948,7 @@ static struct file_system_type hugetlbfs_fs_type = {
79361 };
79362 MODULE_ALIAS_FS("hugetlbfs");
79363
79364-static struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
79365+struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
79366
79367 static int can_do_hugetlb_shm(void)
79368 {
79369diff --git a/fs/inode.c b/fs/inode.c
79370index d30640f..9d909a7 100644
79371--- a/fs/inode.c
79372+++ b/fs/inode.c
79373@@ -832,19 +832,19 @@ unsigned int get_next_ino(void)
79374 unsigned int *p = &get_cpu_var(last_ino);
79375 unsigned int res = *p;
79376
79377+start:
79378+
79379 #ifdef CONFIG_SMP
79380 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
79381- static atomic_t shared_last_ino;
79382- int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
79383+ static atomic_unchecked_t shared_last_ino;
79384+ int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
79385
79386 res = next - LAST_INO_BATCH;
79387 }
79388 #endif
79389
79390- res++;
79391- /* get_next_ino should not provide a 0 inode number */
79392- if (unlikely(!res))
79393- res++;
79394+ if (unlikely(!++res))
79395+ goto start; /* never zero */
79396 *p = res;
79397 put_cpu_var(last_ino);
79398 return res;
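Review bot: The conversion of `shared_last_ino` to `atomic_unchecked_t` carries no explanation. As I read the naming, the `_unchecked` type takes the counter out of the patch set's atomic overflow checking, which is only acceptable because this is an id allocator that may wrap and not a reference count. A comment at each conversion, such as `/* id counter, wraps by design; not a refcount */`, would let a reviewer audit them. The same applies to `event` in fs/kernfs/file.c, `nlm_cookie` in fs/lockd/clntproc.c and `mnt_ns_seq` in fs/namespace.c. The replacement comment `/* never zero */` is also terser than the one it removes; it should say that on wrap the code jumps back to `start` so that, on SMP, a fresh batch is fetched before the increment is retried.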
79399diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
79400index 4a6cf28..d3a29d3 100644
79401--- a/fs/jffs2/erase.c
79402+++ b/fs/jffs2/erase.c
79403@@ -452,7 +452,8 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
79404 struct jffs2_unknown_node marker = {
79405 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
79406 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
79407- .totlen = cpu_to_je32(c->cleanmarker_size)
79408+ .totlen = cpu_to_je32(c->cleanmarker_size),
79409+ .hdr_crc = cpu_to_je32(0)
79410 };
79411
79412 jffs2_prealloc_raw_node_refs(c, jeb, 1);
79413diff --git a/fs/jffs2/wbuf.c b/fs/jffs2/wbuf.c
79414index 09ed551..45684f8 100644
79415--- a/fs/jffs2/wbuf.c
79416+++ b/fs/jffs2/wbuf.c
79417@@ -1023,7 +1023,8 @@ static const struct jffs2_unknown_node oob_cleanmarker =
79418 {
79419 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
79420 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
79421- .totlen = constant_cpu_to_je32(8)
79422+ .totlen = constant_cpu_to_je32(8),
79423+ .hdr_crc = constant_cpu_to_je32(0)
79424 };
79425
79426 /*
79427diff --git a/fs/jfs/super.c b/fs/jfs/super.c
79428index 4cd9798..8dfe86a 100644
79429--- a/fs/jfs/super.c
79430+++ b/fs/jfs/super.c
79431@@ -901,7 +901,7 @@ static int __init init_jfs_fs(void)
79432
79433 jfs_inode_cachep =
79434 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
79435- SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
79436+ SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
79437 init_once);
79438 if (jfs_inode_cachep == NULL)
79439 return -ENOMEM;
79440diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
79441index 2d48d28..82eddad 100644
79442--- a/fs/kernfs/dir.c
79443+++ b/fs/kernfs/dir.c
79444@@ -182,7 +182,7 @@ struct kernfs_node *kernfs_get_parent(struct kernfs_node *kn)
79445 *
79446 * Returns 31 bit hash of ns + name (so it fits in an off_t )
79447 */
79448-static unsigned int kernfs_name_hash(const char *name, const void *ns)
79449+static unsigned int kernfs_name_hash(const unsigned char *name, const void *ns)
79450 {
79451 unsigned long hash = init_name_hash();
79452 unsigned int len = strlen(name);
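Review bot: `name` is now `const unsigned char *`, but the next context line still passes it to `strlen()`, which takes `const char *`. That draws a pointer-signedness diagnostic in any build that enables the warning. Either write `strlen((const char *)name)` or keep the parameter as `const char *` and cast at the point where the bytes are hashed. The rest of the body and the callers are outside the hunk, so whether they already hold `unsigned char *` names cannot be confirmed from here.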
79453@@ -873,6 +873,12 @@ static int kernfs_iop_mkdir(struct inode *dir, struct dentry *dentry,
79454 ret = scops->mkdir(parent, dentry->d_name.name, mode);
79455
79456 kernfs_put_active(parent);
79457+
79458+ if (!ret) {
79459+ struct dentry *dentry_ret = kernfs_iop_lookup(dir, dentry, 0);
79460+ ret = PTR_ERR_OR_ZERO(dentry_ret);
79461+ }
79462+
79463 return ret;
79464 }
79465
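Review bot: The result of the added `kernfs_iop_lookup(dir, dentry, 0)` call is only tested for an error and then discarded. If that lookup can return a valid dentry rather than NULL on success (its body is not in this hunk), the reference is never released; `if (!IS_ERR_OR_NULL(dentry_ret)) dput(dentry_ret);` after the `PTR_ERR_OR_ZERO` line would cover that case. A lookup failure here also makes mkdir report an error although `scops->mkdir` has already succeeded, which deserves a comment explaining why the lookup is forced and what state the caller is left with.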
79466diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
79467index 7247252..c73808e 100644
79468--- a/fs/kernfs/file.c
79469+++ b/fs/kernfs/file.c
79470@@ -34,7 +34,7 @@ static DEFINE_MUTEX(kernfs_open_file_mutex);
79471
79472 struct kernfs_open_node {
79473 atomic_t refcnt;
79474- atomic_t event;
79475+ atomic_unchecked_t event;
79476 wait_queue_head_t poll;
79477 struct list_head files; /* goes through kernfs_open_file.list */
79478 };
79479@@ -163,7 +163,7 @@ static int kernfs_seq_show(struct seq_file *sf, void *v)
79480 {
79481 struct kernfs_open_file *of = sf->private;
79482
79483- of->event = atomic_read(&of->kn->attr.open->event);
79484+ of->event = atomic_read_unchecked(&of->kn->attr.open->event);
79485
79486 return of->kn->attr.ops->seq_show(sf, v);
79487 }
79488@@ -207,7 +207,7 @@ static ssize_t kernfs_file_direct_read(struct kernfs_open_file *of,
79489 goto out_free;
79490 }
79491
79492- of->event = atomic_read(&of->kn->attr.open->event);
79493+ of->event = atomic_read_unchecked(&of->kn->attr.open->event);
79494 ops = kernfs_ops(of->kn);
79495 if (ops->read)
79496 len = ops->read(of, buf, len, *ppos);
79497@@ -272,7 +272,7 @@ static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf,
79498 {
79499 struct kernfs_open_file *of = kernfs_of(file);
79500 const struct kernfs_ops *ops;
79501- size_t len;
79502+ ssize_t len;
79503 char *buf;
79504
79505 if (of->atomic_write_len) {
79506@@ -385,12 +385,12 @@ static int kernfs_vma_page_mkwrite(struct vm_area_struct *vma,
79507 return ret;
79508 }
79509
79510-static int kernfs_vma_access(struct vm_area_struct *vma, unsigned long addr,
79511- void *buf, int len, int write)
79512+static ssize_t kernfs_vma_access(struct vm_area_struct *vma, unsigned long addr,
79513+ void *buf, size_t len, int write)
79514 {
79515 struct file *file = vma->vm_file;
79516 struct kernfs_open_file *of = kernfs_of(file);
79517- int ret;
79518+ ssize_t ret;
79519
79520 if (!of->vm_ops)
79521 return -EINVAL;
79522@@ -569,7 +569,7 @@ static int kernfs_get_open_node(struct kernfs_node *kn,
79523 return -ENOMEM;
79524
79525 atomic_set(&new_on->refcnt, 0);
79526- atomic_set(&new_on->event, 1);
79527+ atomic_set_unchecked(&new_on->event, 1);
79528 init_waitqueue_head(&new_on->poll);
79529 INIT_LIST_HEAD(&new_on->files);
79530 goto retry;
79531@@ -792,7 +792,7 @@ static unsigned int kernfs_fop_poll(struct file *filp, poll_table *wait)
79532
79533 kernfs_put_active(kn);
79534
79535- if (of->event != atomic_read(&on->event))
79536+ if (of->event != atomic_read_unchecked(&on->event))
79537 goto trigger;
79538
79539 return DEFAULT_POLLMASK;
79540@@ -823,7 +823,7 @@ repeat:
79541
79542 on = kn->attr.open;
79543 if (on) {
79544- atomic_inc(&on->event);
79545+ atomic_inc_unchecked(&on->event);
79546 wake_up_interruptible(&on->poll);
79547 }
79548
79549diff --git a/fs/libfs.c b/fs/libfs.c
79550index c7cbfb0..fc3636d4 100644
79551--- a/fs/libfs.c
79552+++ b/fs/libfs.c
79553@@ -155,6 +155,9 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
79554
79555 for (p = q->next; p != &dentry->d_subdirs; p = p->next) {
79556 struct dentry *next = list_entry(p, struct dentry, d_child);
79557+ char d_name[sizeof(next->d_iname)];
79558+ const unsigned char *name;
79559+
79560 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
79561 if (!simple_positive(next)) {
79562 spin_unlock(&next->d_lock);
79563@@ -163,7 +166,12 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
79564
79565 spin_unlock(&next->d_lock);
79566 spin_unlock(&dentry->d_lock);
79567- if (!dir_emit(ctx, next->d_name.name, next->d_name.len,
79568+ name = next->d_name.name;
79569+ if (name == next->d_iname) {
79570+ memcpy(d_name, name, next->d_name.len);
79571+ name = d_name;
79572+ }
79573+ if (!dir_emit(ctx, name, next->d_name.len,
79574 d_inode(next)->i_ino, dt_type(d_inode(next))))
79575 return 0;
79576 spin_lock(&dentry->d_lock);
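Review bot: The added `memcpy(d_name, name, next->d_name.len)` runs after both `spin_unlock()` calls, so the pointer comparison, the length and the bytes are all read without `next->d_lock`. The length is also trusted to fit `sizeof(next->d_iname)` without a check. The unlocked read of `d_name` predates this change, but the copy adds a fixed-size stack destination (declared in the previous hunk) to it. Taking the snapshot before `spin_unlock(&next->d_lock)` and passing one saved length to both `memcpy` and `dir_emit` would remove the dependence on the entry not changing in between. At minimum, a comment should state why an inline name is bounced through the stack; the loop body continues outside the hunk.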
79577diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
79578index acd3947..1f896e2 100644
79579--- a/fs/lockd/clntproc.c
79580+++ b/fs/lockd/clntproc.c
79581@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops;
79582 /*
79583 * Cookie counter for NLM requests
79584 */
79585-static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
79586+static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
79587
79588 void nlmclnt_next_cookie(struct nlm_cookie *c)
79589 {
79590- u32 cookie = atomic_inc_return(&nlm_cookie);
79591+ u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
79592
79593 memcpy(c->data, &cookie, 4);
79594 c->len=4;
79595diff --git a/fs/mount.h b/fs/mount.h
79596index 14db05d..687f6d8 100644
79597--- a/fs/mount.h
79598+++ b/fs/mount.h
79599@@ -13,7 +13,7 @@ struct mnt_namespace {
79600 u64 seq; /* Sequence number to prevent loops */
79601 wait_queue_head_t poll;
79602 u64 event;
79603-};
79604+} __randomize_layout;
79605
79606 struct mnt_pcp {
79607 int mnt_count;
79608@@ -65,7 +65,7 @@ struct mount {
79609 struct hlist_head mnt_pins;
79610 struct fs_pin mnt_umount;
79611 struct dentry *mnt_ex_mountpoint;
79612-};
79613+} __randomize_layout;
79614
79615 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
79616
79617diff --git a/fs/namei.c b/fs/namei.c
79618index 1c2105e..79d9ccb 100644
79619--- a/fs/namei.c
79620+++ b/fs/namei.c
79621@@ -336,17 +336,32 @@ int generic_permission(struct inode *inode, int mask)
79622 if (ret != -EACCES)
79623 return ret;
79624
79625+#ifdef CONFIG_GRKERNSEC
79626+ /* we'll block if we have to log due to a denied capability use */
79627+ if (mask & MAY_NOT_BLOCK)
79628+ return -ECHILD;
79629+#endif
79630+
79631 if (S_ISDIR(inode->i_mode)) {
79632 /* DACs are overridable for directories */
79633- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
79634- return 0;
79635 if (!(mask & MAY_WRITE))
79636- if (capable_wrt_inode_uidgid(inode,
79637- CAP_DAC_READ_SEARCH))
79638+ if (capable_wrt_inode_uidgid_nolog(inode, CAP_DAC_OVERRIDE) ||
79639+ capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
79640 return 0;
79641+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
79642+ return 0;
79643 return -EACCES;
79644 }
79645 /*
79646+ * Searching includes executable on directories, else just read.
79647+ */
79648+ mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
79649+ if (mask == MAY_READ)
79650+ if (capable_wrt_inode_uidgid_nolog(inode, CAP_DAC_OVERRIDE) ||
79651+ capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
79652+ return 0;
79653+
79654+ /*
79655 * Read/write DACs are always overridable.
79656 * Executable DACs are overridable when there is
79657 * at least one exec bit set.
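Review bot: Nothing in the hunk says why `CAP_DAC_OVERRIDE` is first probed with `capable_wrt_inode_uidgid_nolog()` and then checked again with the logging variant. Judging from the added comment about logging a denied capability, the ordering seems meant to keep a task that holds only `CAP_DAC_READ_SEARCH` from producing a denial record for `CAP_DAC_OVERRIDE`. That should be written down, e.g. `/* probe DAC_OVERRIDE silently first so a READ_SEARCH-only task is not logged as denied */`. The nested unbraced `if`s in the directory branch and the `mask == MAY_READ` branch would also read more safely with braces. The following hunk of this function only removes the old copy of the moved block.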
79658@@ -355,14 +370,6 @@ int generic_permission(struct inode *inode, int mask)
79659 if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
79660 return 0;
79661
79662- /*
79663- * Searching includes executable on directories, else just read.
79664- */
79665- mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
79666- if (mask == MAY_READ)
79667- if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
79668- return 0;
79669-
79670 return -EACCES;
79671 }
79672 EXPORT_SYMBOL(generic_permission);
79673@@ -514,12 +521,35 @@ struct nameidata {
79674 struct nameidata *saved;
79675 unsigned root_seq;
79676 int dfd;
79677-};
79678+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79679+ struct path *symlinkown_stack;
79680+ struct path symlinkown_internal[EMBEDDED_LEVELS];
79681+ unsigned symlinkown_depth;
79682+ int symlinkown_enabled;
79683+#endif
79684+} __randomize_layout;
79685+
79686+static int gr_handle_nameidata_symlinkowner(const struct nameidata *nd, const struct inode *target)
79687+{
79688+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79689+ int i;
79690+
79691+ for (i = 0; i < nd->symlinkown_depth; i++) {
79692+ if (gr_handle_symlink_owner(&nd->symlinkown_stack[i], target))
79693+ return -EACCES;
79694+ }
79695+#endif
79696+ return 0;
79697+}
79698
79699 static void set_nameidata(struct nameidata *p, int dfd, struct filename *name)
79700 {
79701 struct nameidata *old = current->nameidata;
79702 p->stack = p->internal;
79703+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79704+ p->symlinkown_stack = p->symlinkown_internal;
79705+ p->symlinkown_enabled = -1;
79706+#endif
79707 p->dfd = dfd;
79708 p->name = name;
79709 p->total_link_count = old ? old->total_link_count : 0;
79710@@ -538,6 +568,12 @@ static void restore_nameidata(void)
79711 kfree(now->stack);
79712 now->stack = now->internal;
79713 }
79714+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79715+ if (now->symlinkown_stack != now->symlinkown_internal) {
79716+ kfree(now->symlinkown_stack);
79717+ now->symlinkown_stack = now->symlinkown_internal;
79718+ }
79719+#endif
79720 }
79721
79722 static int __nd_alloc_stack(struct nameidata *nd)
79723@@ -557,11 +593,36 @@ static int __nd_alloc_stack(struct nameidata *nd)
79724 }
79725 memcpy(p, nd->internal, sizeof(nd->internal));
79726 nd->stack = p;
79727+
79728 return 0;
79729 }
79730
79731+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79732+static int nd_alloc_symlinkown_stack(struct nameidata *nd)
79733+{
79734+ struct path *p;
79735+
79736+ if (likely(nd->symlinkown_depth != EMBEDDED_LEVELS))
79737+ return 0;
79738+ if (nd->symlinkown_stack != nd->symlinkown_internal)
79739+ return 0;
79740+
79741+ p = kmalloc(MAXSYMLINKS * sizeof(struct path), GFP_KERNEL);
79742+ if (unlikely(!p))
79743+ return -ENOMEM;
79744+ memcpy(p, nd->symlinkown_internal, sizeof(nd->symlinkown_internal));
79745+ nd->symlinkown_stack = p;
79746+ return 0;
79747+}
79748+#endif
79749+
79750 static inline int nd_alloc_stack(struct nameidata *nd)
79751 {
79752+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79753+ if (nd->flags & LOOKUP_RCU)
79754+ return -ECHILD;
79755+#endif
79756+
79757 if (likely(nd->depth != EMBEDDED_LEVELS))
79758 return 0;
79759 if (likely(nd->stack != nd->internal))
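Review bot: With `CONFIG_GRKERNSEC_SYMLINKOWN` built in, `nd_alloc_stack()` now returns `-ECHILD` for every call made under `LOOKUP_RCU`, before the depth test. The early exit therefore does not depend on whether the feature is enabled at run time or whether any stack growth is needed. The visible code only consults `gr_get_symlinkown_enabled()` later, in `pick_link()`. If RCU-walk is meant to be abandoned only when a symlink owner actually has to be recorded, the condition should take the cached `symlinkown_enabled` value into account; either way a comment should say why the walk is dropped here. In the new `nd_alloc_symlinkown_stack()`, `kmalloc_array(MAXSYMLINKS, sizeof(*p), GFP_KERNEL)` would be the usual form for a sized array.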
79760@@ -590,6 +651,14 @@ static void terminate_walk(struct nameidata *nd)
79761 path_put(&nd->path);
79762 for (i = 0; i < nd->depth; i++)
79763 path_put(&nd->stack[i].link);
79764+
79765+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79766+ /* we'll only ever set our values in ref-walk mode */
79767+ for (i = 0; i < nd->symlinkown_depth; i++)
79768+ path_put(&nd->symlinkown_stack[i]);
79769+ nd->symlinkown_depth = 0;
79770+#endif
79771+
79772 if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
79773 path_put(&nd->root);
79774 nd->root.mnt = NULL;
79775@@ -986,6 +1055,9 @@ const char *get_link(struct nameidata *nd)
79776 if (unlikely(error))
79777 return ERR_PTR(error);
79778
79779+ if (gr_handle_follow_link(dentry, last->link.mnt))
79780+ return ERR_PTR(-EACCES);
79781+
79782 nd->last_type = LAST_BIND;
79783 res = inode->i_link;
79784 if (!res) {
79785@@ -1665,6 +1737,23 @@ static int pick_link(struct nameidata *nd, struct path *link,
79786 }
79787 }
79788
79789+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79790+ if (unlikely(nd->symlinkown_enabled == -1))
79791+ nd->symlinkown_enabled = gr_get_symlinkown_enabled();
79792+ if (nd->symlinkown_enabled && gr_is_global_nonroot(inode->i_uid)) {
79793+ struct path *symlinkownlast;
79794+ error = nd_alloc_symlinkown_stack(nd);
79795+ if (unlikely(error)) {
79796+ path_put(link);
79797+ return error;
79798+ }
79799+ symlinkownlast = nd->symlinkown_stack + nd->symlinkown_depth++;
79800+ symlinkownlast->dentry = link->dentry;
79801+ symlinkownlast->mnt = link->mnt;
79802+ path_get(symlinkownlast);
79803+ }
79804+#endif
79805+
79806 last = nd->stack + nd->depth++;
79807 last->link = *link;
79808 last->cookie = NULL;
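Review bot: The push `nd->symlinkown_stack + nd->symlinkown_depth++` has no bound of its own. `nd_alloc_symlinkown_stack()` grows the array once, to `MAXSYMLINKS` entries, and as far as the visible hunks show this counter is only reset in `path_init()` and `terminate_walk()`, never decremented. Staying inside the allocation therefore depends on a link-count limit enforced elsewhere in `pick_link()`, outside the hunk. I would add a guard such as `if (WARN_ON_ONCE(nd->symlinkown_depth >= MAXSYMLINKS)) { path_put(link); return -ELOOP; }`, or at least a comment naming the invariant the index relies on.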
79809@@ -1804,7 +1893,7 @@ EXPORT_SYMBOL(full_name_hash);
79810 static inline u64 hash_name(const char *name)
79811 {
79812 unsigned long a, b, adata, bdata, mask, hash, len;
79813- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
79814+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
79815
79816 hash = a = 0;
79817 len = -sizeof(unsigned long);
79818@@ -1973,6 +2062,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
79819 nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
79820 nd->depth = 0;
79821 nd->total_link_count = 0;
79822+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
79823+ nd->symlinkown_depth = 0;
79824+#endif
79825 if (flags & LOOKUP_ROOT) {
79826 struct dentry *root = nd->root.dentry;
79827 struct inode *inode = root->d_inode;
79828@@ -2110,6 +2202,11 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path
79829 if (!err)
79830 err = complete_walk(nd);
79831
79832+ if (!err && !(nd->flags & LOOKUP_PARENT)) {
79833+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
79834+ err = -ENOENT;
79835+ }
79836+
79837 if (!err && nd->flags & LOOKUP_DIRECTORY)
79838 if (!d_can_lookup(nd->path.dentry))
79839 err = -ENOTDIR;
79840@@ -2158,6 +2255,10 @@ static int path_parentat(struct nameidata *nd, unsigned flags,
79841 err = link_path_walk(s, nd);
79842 if (!err)
79843 err = complete_walk(nd);
79844+
79845+ if (!err && gr_handle_nameidata_symlinkowner(nd, nd->inode))
79846+ err = -EACCES;
79847+
79848 if (!err) {
79849 *parent = nd->path;
79850 nd->path.mnt = NULL;
79851@@ -2689,6 +2790,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
79852 if (flag & O_NOATIME && !inode_owner_or_capable(inode))
79853 return -EPERM;
79854
79855+ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
79856+ return -EPERM;
79857+ if (gr_handle_rawio(inode))
79858+ return -EPERM;
79859+ if (!gr_acl_handle_open(dentry, path->mnt, acc_mode))
79860+ return -EACCES;
79861+
79862 return 0;
79863 }
79864
79865@@ -2955,6 +3063,18 @@ static int lookup_open(struct nameidata *nd, struct path *path,
79866 /* Negative dentry, just create the file */
79867 if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
79868 umode_t mode = op->mode;
79869+
79870+
79871+ if (gr_handle_nameidata_symlinkowner(nd, dir_inode)) {
79872+ error = -EACCES;
79873+ goto out_dput;
79874+ }
79875+
79876+ if (!gr_acl_handle_creat(dentry, dir, nd->path.mnt, op->open_flag, op->acc_mode, mode)) {
79877+ error = -EACCES;
79878+ goto out_dput;
79879+ }
79880+
79881 if (!IS_POSIXACL(dir->d_inode))
79882 mode &= ~current_umask();
79883 /*
79884@@ -2976,6 +3096,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
79885 nd->flags & LOOKUP_EXCL);
79886 if (error)
79887 goto out_dput;
79888+ else
79889+ gr_handle_create(dentry, nd->path.mnt);
79890 }
79891 out_no_open:
79892 path->dentry = dentry;
79893@@ -3039,6 +3161,9 @@ static int do_last(struct nameidata *nd,
79894 if (error)
79895 return error;
79896
79897+ if (!gr_acl_handle_hidden_file(dir, nd->path.mnt))
79898+ return -ENOENT;
79899+
79900 audit_inode(nd->name, dir, LOOKUP_PARENT);
79901 /* trailing slashes? */
79902 if (unlikely(nd->last.name[nd->last.len]))
79903@@ -3081,11 +3206,24 @@ retry_lookup:
79904 goto finish_open_created;
79905 }
79906
79907+ if (!gr_acl_handle_hidden_file(path.dentry, nd->path.mnt)) {
79908+ path_to_nameidata(&path, nd);
79909+ return -ENOENT;
79910+ }
79911+
79912 /*
79913 * create/update audit record if it already exists.
79914 */
79915- if (d_is_positive(path.dentry))
79916+ if (d_is_positive(path.dentry)) {
79917+ /* only check if O_CREAT is specified, all other checks need to go
79918+ into may_open */
79919+ if (gr_handle_fifo(path.dentry, path.mnt, dir, open_flag, acc_mode)) {
79920+ path_to_nameidata(&path, nd);
79921+ return -EACCES;
79922+ }
79923+
79924 audit_inode(nd->name, path.dentry, 0);
79925+ }
79926
79927 /*
79928 * If atomic_open() acquired write access it is dropped now due to
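Review bot: The two early exits added in this hunk, `return -ENOENT` after the hidden-file check and `return -EACCES` after `gr_handle_fifo`, leave `do_last()` directly. Both sit above the context comment saying that write access acquired by `atomic_open()` is dropped at that later point. If write access to the mount can be held here (the acquiring and releasing code is outside the hunk), these paths return without releasing it. The `finish_open` hunk further down uses `error = -ENOENT; goto out;` for the same kind of denial. Using that form here, `path_to_nameidata(&path, nd); error = -ENOENT; goto out;`, would go through the common cleanup, assuming `out:` handles the held-write case.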
79929@@ -3121,6 +3259,11 @@ finish_lookup:
79930 if (unlikely(error))
79931 return error;
79932
79933+ if (gr_handle_nameidata_symlinkowner(nd, inode)) {
79934+ path_to_nameidata(&path, nd);
79935+ return -EACCES;
79936+ }
79937+
79938 if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) {
79939 path_to_nameidata(&path, nd);
79940 return -ELOOP;
79941@@ -3143,6 +3286,12 @@ finish_open:
79942 path_put(&save_parent);
79943 return error;
79944 }
79945+
79946+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
79947+ error = -ENOENT;
79948+ goto out;
79949+ }
79950+
79951 audit_inode(nd->name, nd->path.dentry, 0);
79952 error = -EISDIR;
79953 if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
79954@@ -3409,9 +3558,11 @@ static struct dentry *filename_create(int dfd, struct filename *name,
79955 goto unlock;
79956
79957 error = -EEXIST;
79958- if (d_is_positive(dentry))
79959+ if (d_is_positive(dentry)) {
79960+ if (!gr_acl_handle_hidden_file(dentry, path->mnt))
79961+ error = -ENOENT;
79962 goto fail;
79963-
79964+ }
79965 /*
79966 * Special case - lookup gave negative, but... we had foo/bar/
79967 * From the vfs_mknod() POV we just have a negative dentry -
79968@@ -3465,6 +3616,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname,
79969 }
79970 EXPORT_SYMBOL(user_path_create);
79971
79972+static struct dentry *user_path_create_with_name(int dfd, const char __user *pathname, struct path *path, struct filename **to, unsigned int lookup_flags)
79973+{
79974+ struct filename *tmp = getname(pathname);
79975+ struct dentry *res;
79976+ if (IS_ERR(tmp))
79977+ return ERR_CAST(tmp);
79978+ res = kern_path_create(dfd, tmp->name, path, lookup_flags);
79979+ if (IS_ERR(res))
79980+ putname(tmp);
79981+ else
79982+ *to = tmp;
79983+ return res;
79984+}
79985+
79986 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
79987 {
79988 int error = may_create(dir, dentry);
79989@@ -3528,6 +3693,17 @@ retry:
79990
79991 if (!IS_POSIXACL(path.dentry->d_inode))
79992 mode &= ~current_umask();
79993+
79994+ if (gr_handle_chroot_mknod(dentry, path.mnt, mode)) {
79995+ error = -EPERM;
79996+ goto out;
79997+ }
79998+
79999+ if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) {
80000+ error = -EACCES;
80001+ goto out;
80002+ }
80003+
80004 error = security_path_mknod(&path, dentry, mode, dev);
80005 if (error)
80006 goto out;
80007@@ -3543,6 +3719,8 @@ retry:
80008 error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
80009 break;
80010 }
80011+ if (!error)
80012+ gr_handle_create(dentry, path.mnt);
80013 out:
80014 done_path_create(&path, dentry);
80015 if (retry_estale(error, lookup_flags)) {
80016@@ -3597,9 +3775,16 @@ retry:
80017
80018 if (!IS_POSIXACL(path.dentry->d_inode))
80019 mode &= ~current_umask();
80020+ if (!gr_acl_handle_mkdir(dentry, path.dentry, path.mnt)) {
80021+ error = -EACCES;
80022+ goto out;
80023+ }
80024 error = security_path_mkdir(&path, dentry, mode);
80025 if (!error)
80026 error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
80027+ if (!error)
80028+ gr_handle_create(dentry, path.mnt);
80029+out:
80030 done_path_create(&path, dentry);
80031 if (retry_estale(error, lookup_flags)) {
80032 lookup_flags |= LOOKUP_REVAL;
80033@@ -3632,7 +3817,7 @@ void dentry_unhash(struct dentry *dentry)
80034 {
80035 shrink_dcache_parent(dentry);
80036 spin_lock(&dentry->d_lock);
80037- if (dentry->d_lockref.count == 1)
80038+ if (__lockref_read(&dentry->d_lockref) == 1)
80039 __d_drop(dentry);
80040 spin_unlock(&dentry->d_lock);
80041 }
80042@@ -3685,6 +3870,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
80043 struct path path;
80044 struct qstr last;
80045 int type;
80046+ u64 saved_ino = 0;
80047+ dev_t saved_dev = 0;
80048 unsigned int lookup_flags = 0;
80049 retry:
80050 name = user_path_parent(dfd, pathname,
80051@@ -3717,10 +3904,20 @@ retry:
80052 error = -ENOENT;
80053 goto exit3;
80054 }
80055+ saved_ino = gr_get_ino_from_dentry(dentry);
80056+ saved_dev = gr_get_dev_from_dentry(dentry);
80057+
80058+ if (!gr_acl_handle_rmdir(dentry, path.mnt)) {
80059+ error = -EACCES;
80060+ goto exit3;
80061+ }
80062+
80063 error = security_path_rmdir(&path, dentry);
80064 if (error)
80065 goto exit3;
80066 error = vfs_rmdir(path.dentry->d_inode, dentry);
80067+ if (!error && (saved_dev || saved_ino))
80068+ gr_handle_delete(saved_ino, saved_dev);
80069 exit3:
80070 dput(dentry);
80071 exit2:
80072@@ -3815,6 +4012,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
80073 int type;
80074 struct inode *inode = NULL;
80075 struct inode *delegated_inode = NULL;
80076+ u64 saved_ino = 0;
80077+ dev_t saved_dev = 0;
80078 unsigned int lookup_flags = 0;
80079 retry:
80080 name = user_path_parent(dfd, pathname,
80081@@ -3841,10 +4040,21 @@ retry_deleg:
80082 if (d_is_negative(dentry))
80083 goto slashes;
80084 ihold(inode);
80085+ if (inode->i_nlink <= 1) {
80086+ saved_ino = gr_get_ino_from_dentry(dentry);
80087+ saved_dev = gr_get_dev_from_dentry(dentry);
80088+ }
80089+ if (!gr_acl_handle_unlink(dentry, path.mnt)) {
80090+ error = -EACCES;
80091+ goto exit2;
80092+ }
80093+
80094 error = security_path_unlink(&path, dentry);
80095 if (error)
80096 goto exit2;
80097 error = vfs_unlink(path.dentry->d_inode, dentry, &delegated_inode);
80098+ if (!error && (saved_ino || saved_dev))
80099+ gr_handle_delete(saved_ino, saved_dev);
80100 exit2:
80101 dput(dentry);
80102 }
80103@@ -3933,9 +4143,17 @@ retry:
80104 if (IS_ERR(dentry))
80105 goto out_putname;
80106
80107+ if (!gr_acl_handle_symlink(dentry, path.dentry, path.mnt, from)) {
80108+ error = -EACCES;
80109+ goto out;
80110+ }
80111+
80112 error = security_path_symlink(&path, dentry, from->name);
80113 if (!error)
80114 error = vfs_symlink(path.dentry->d_inode, dentry, from->name);
80115+ if (!error)
80116+ gr_handle_create(dentry, path.mnt);
80117+out:
80118 done_path_create(&path, dentry);
80119 if (retry_estale(error, lookup_flags)) {
80120 lookup_flags |= LOOKUP_REVAL;
80121@@ -4039,6 +4257,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
80122 struct dentry *new_dentry;
80123 struct path old_path, new_path;
80124 struct inode *delegated_inode = NULL;
80125+ struct filename *to = NULL;
80126 int how = 0;
80127 int error;
80128
80129@@ -4062,7 +4281,7 @@ retry:
80130 if (error)
80131 return error;
80132
80133- new_dentry = user_path_create(newdfd, newname, &new_path,
80134+ new_dentry = user_path_create_with_name(newdfd, newname, &new_path, &to,
80135 (how & LOOKUP_REVAL));
80136 error = PTR_ERR(new_dentry);
80137 if (IS_ERR(new_dentry))
80138@@ -4074,11 +4293,26 @@ retry:
80139 error = may_linkat(&old_path);
80140 if (unlikely(error))
80141 goto out_dput;
80142+
80143+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt, to)) {
80144+ error = -EACCES;
80145+ goto out_dput;
80146+ }
80147+
80148+ if (!gr_acl_handle_link(new_dentry, new_path.dentry, new_path.mnt,
80149+ old_path.dentry, old_path.mnt, to)) {
80150+ error = -EACCES;
80151+ goto out_dput;
80152+ }
80153+
80154 error = security_path_link(old_path.dentry, &new_path, new_dentry);
80155 if (error)
80156 goto out_dput;
80157 error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode);
80158+ if (!error)
80159+ gr_handle_create(new_dentry, new_path.mnt);
80160 out_dput:
80161+ putname(to);
80162 done_path_create(&new_path, new_dentry);
80163 if (delegated_inode) {
80164 error = break_deleg_wait(&delegated_inode);
80165@@ -4393,6 +4627,20 @@ retry_deleg:
80166 if (new_dentry == trap)
80167 goto exit5;
80168
80169+ if (gr_bad_chroot_rename(old_dentry, old_path.mnt, new_dentry, new_path.mnt)) {
80170+ /* use EXDEV error to cause 'mv' to switch to an alternative
80171+ * method for usability
80172+ */
80173+ error = -EXDEV;
80174+ goto exit5;
80175+ }
80176+
80177+ error = gr_acl_handle_rename(new_dentry, new_path.dentry, new_path.mnt,
80178+ old_dentry, d_backing_inode(old_path.dentry), old_path.mnt,
80179+ to, flags);
80180+ if (error)
80181+ goto exit5;
80182+
80183 error = security_path_rename(&old_path, old_dentry,
80184 &new_path, new_dentry, flags);
80185 if (error)
80186@@ -4400,6 +4648,9 @@ retry_deleg:
80187 error = vfs_rename(old_path.dentry->d_inode, old_dentry,
80188 new_path.dentry->d_inode, new_dentry,
80189 &delegated_inode, flags);
80190+ if (!error)
80191+ gr_handle_rename(d_backing_inode(old_path.dentry), d_backing_inode(new_path.dentry), old_dentry,
80192+ new_dentry, old_path.mnt, d_is_positive(new_dentry) ? 1 : 0, flags);
80193 exit5:
80194 dput(new_dentry);
80195 exit4:
80196@@ -4456,14 +4707,24 @@ EXPORT_SYMBOL(vfs_whiteout);
80197
80198 int readlink_copy(char __user *buffer, int buflen, const char *link)
80199 {
80200+ char tmpbuf[64];
80201+ const char *newlink;
80202 int len = PTR_ERR(link);
80203+
80204 if (IS_ERR(link))
80205 goto out;
80206
80207 len = strlen(link);
80208 if (len > (unsigned) buflen)
80209 len = buflen;
80210- if (copy_to_user(buffer, link, len))
80211+
80212+ if (len < sizeof(tmpbuf)) {
80213+ memcpy(tmpbuf, link, len);
80214+ newlink = tmpbuf;
80215+ } else
80216+ newlink = link;
80217+
80218+ if (copy_to_user(buffer, newlink, len))
80219 len = -EFAULT;
80220 out:
80221 return len;
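Review bot: The new bounce buffer has no comment: nothing says why links shorter than 64 bytes are copied to `tmpbuf` before `copy_to_user()` while longer ones are passed through unchanged. If the purpose is to keep short link bodies stored inside another object from being handed to the user-copy checks directly (my guess; the patch does not say), state that and name the size, e.g. `#define READLINK_BOUNCE_LEN 64`. `if (len < sizeof(tmpbuf))` compares an `int` with a `size_t`; `len` cannot be negative here because it comes from `strlen()` and the `buflen` clamp, but an unsigned local would make that visible. Kernel style would also put braces on the `else` branch to match the braced `if`.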
80222diff --git a/fs/namespace.c b/fs/namespace.c
80223index 2b8aa15..3230081 100644
80224--- a/fs/namespace.c
80225+++ b/fs/namespace.c
80226@@ -1516,6 +1516,9 @@ static int do_umount(struct mount *mnt, int flags)
80227 if (!(sb->s_flags & MS_RDONLY))
80228 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
80229 up_write(&sb->s_umount);
80230+
80231+ gr_log_remount(mnt->mnt_devname, retval);
80232+
80233 return retval;
80234 }
80235
80236@@ -1538,6 +1541,9 @@ static int do_umount(struct mount *mnt, int flags)
80237 }
80238 unlock_mount_hash();
80239 namespace_unlock();
80240+
80241+ gr_log_unmount(mnt->mnt_devname, retval);
80242+
80243 return retval;
80244 }
80245
80246@@ -1592,7 +1598,7 @@ static inline bool may_mount(void)
80247 * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD
80248 */
80249
80250-SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
80251+SYSCALL_DEFINE2(umount, const char __user *, name, int, flags)
80252 {
80253 struct path path;
80254 struct mount *mnt;
80255@@ -1637,7 +1643,7 @@ out:
80256 /*
80257 * The 2.0 compatible umount. No flags.
80258 */
80259-SYSCALL_DEFINE1(oldumount, char __user *, name)
80260+SYSCALL_DEFINE1(oldumount, const char __user *, name)
80261 {
80262 return sys_umount(name, 0);
80263 }
80264@@ -2712,6 +2718,16 @@ long do_mount(const char *dev_name, const char __user *dir_name,
80265 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
80266 MS_STRICTATIME);
80267
80268+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
80269+ retval = -EPERM;
80270+ goto dput_out;
80271+ }
80272+
80273+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
80274+ retval = -EPERM;
80275+ goto dput_out;
80276+ }
80277+
80278 if (flags & MS_REMOUNT)
80279 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
80280 data_page);
80281@@ -2725,7 +2741,10 @@ long do_mount(const char *dev_name, const char __user *dir_name,
80282 retval = do_new_mount(&path, type_page, flags, mnt_flags,
80283 dev_name, data_page);
80284 dput_out:
80285+ gr_log_mount(dev_name, &path, retval);
80286+
80287 path_put(&path);
80288+
80289 return retval;
80290 }
80291
80292@@ -2743,7 +2762,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
80293 * number incrementing at 10Ghz will take 12,427 years to wrap which
80294 * is effectively never, so we can ignore the possibility.
80295 */
80296-static atomic64_t mnt_ns_seq = ATOMIC64_INIT(1);
80297+static atomic64_unchecked_t mnt_ns_seq = ATOMIC64_INIT(1);
80298
80299 static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
80300 {
80301@@ -2759,7 +2778,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
80302 return ERR_PTR(ret);
80303 }
80304 new_ns->ns.ops = &mntns_operations;
80305- new_ns->seq = atomic64_add_return(1, &mnt_ns_seq);
80306+ new_ns->seq = atomic64_add_return_unchecked(1, &mnt_ns_seq);
80307 atomic_set(&new_ns->count, 1);
80308 new_ns->root = NULL;
80309 INIT_LIST_HEAD(&new_ns->list);
80310@@ -2769,7 +2788,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
80311 return new_ns;
80312 }
80313
80314-struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
80315+__latent_entropy struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
80316 struct user_namespace *user_ns, struct fs_struct *new_fs)
80317 {
80318 struct mnt_namespace *new_ns;
80319@@ -2890,8 +2909,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
80320 }
80321 EXPORT_SYMBOL(mount_subtree);
80322
80323-SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
80324- char __user *, type, unsigned long, flags, void __user *, data)
80325+SYSCALL_DEFINE5(mount, const char __user *, dev_name, const char __user *, dir_name,
80326+ const char __user *, type, unsigned long, flags, void __user *, data)
80327 {
80328 int ret;
80329 char *kernel_type;
80330@@ -2997,6 +3016,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
80331 if (error)
80332 goto out2;
80333
80334+ if (gr_handle_chroot_pivot()) {
80335+ error = -EPERM;
80336+ goto out2;
80337+ }
80338+
80339 get_fs_root(current->fs, &root);
80340 old_mp = lock_mount(&old);
80341 error = PTR_ERR(old_mp);
80342@@ -3298,7 +3322,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
80343 !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
80344 return -EPERM;
80345
80346- if (fs->users != 1)
80347+ if (atomic_read(&fs->users) != 1)
80348 return -EINVAL;
80349
80350 get_mnt_ns(mnt_ns);
80351diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
80352index 6b1697a..6d5787c 100644
80353--- a/fs/nfs/callback_xdr.c
80354+++ b/fs/nfs/callback_xdr.c
80355@@ -51,7 +51,7 @@ struct callback_op {
80356 callback_decode_arg_t decode_args;
80357 callback_encode_res_t encode_res;
80358 long res_maxsize;
80359-};
80360+} __do_const;
80361
80362 static struct callback_op callback_ops[];
80363
80364diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
80365index 4afbe13..a6a26ce 100644
80366--- a/fs/nfs/inode.c
80367+++ b/fs/nfs/inode.c
80368@@ -1273,16 +1273,16 @@ static int nfs_check_inode_attributes(struct inode *inode, struct nfs_fattr *fat
80369 return 0;
80370 }
80371
80372-static atomic_long_t nfs_attr_generation_counter;
80373+static atomic_long_unchecked_t nfs_attr_generation_counter;
80374
80375 static unsigned long nfs_read_attr_generation_counter(void)
80376 {
80377- return atomic_long_read(&nfs_attr_generation_counter);
80378+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
80379 }
80380
80381 unsigned long nfs_inc_attr_generation_counter(void)
80382 {
80383- return atomic_long_inc_return(&nfs_attr_generation_counter);
80384+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
80385 }
80386 EXPORT_SYMBOL_GPL(nfs_inc_attr_generation_counter);
80387
80388diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
80389index 90cfda7..e4b50df 100644
80390--- a/fs/nfsd/nfs4proc.c
80391+++ b/fs/nfsd/nfs4proc.c
80392@@ -1487,7 +1487,7 @@ struct nfsd4_operation {
80393 nfsd4op_rsize op_rsize_bop;
80394 stateid_getter op_get_currentstateid;
80395 stateid_setter op_set_currentstateid;
80396-};
80397+} __do_const;
80398
80399 static struct nfsd4_operation nfsd4_ops[];
80400
80401diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
80402index b81f725..8e36601 100644
80403--- a/fs/nfsd/nfs4xdr.c
80404+++ b/fs/nfsd/nfs4xdr.c
80405@@ -1704,7 +1704,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
80406
80407 typedef __be32(*nfsd4_dec)(struct nfsd4_compoundargs *argp, void *);
80408
80409-static nfsd4_dec nfsd4_dec_ops[] = {
80410+static const nfsd4_dec nfsd4_dec_ops[] = {
80411 [OP_ACCESS] = (nfsd4_dec)nfsd4_decode_access,
80412 [OP_CLOSE] = (nfsd4_dec)nfsd4_decode_close,
80413 [OP_COMMIT] = (nfsd4_dec)nfsd4_decode_commit,
80414diff --git a/fs/nfsd/nfscache.c b/fs/nfsd/nfscache.c
80415index 46ec934..f384e41 100644
80416--- a/fs/nfsd/nfscache.c
80417+++ b/fs/nfsd/nfscache.c
80418@@ -541,7 +541,7 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
80419 struct kvec *resv = &rqstp->rq_res.head[0], *cachv;
80420 u32 hash;
80421 struct nfsd_drc_bucket *b;
80422- int len;
80423+ long len;
80424 size_t bufsize = 0;
80425
80426 if (!rp)
80427@@ -550,11 +550,14 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
80428 hash = nfsd_cache_hash(rp->c_xid);
80429 b = &drc_hashtbl[hash];
80430
80431- len = resv->iov_len - ((char*)statp - (char*)resv->iov_base);
80432- len >>= 2;
80433+ if (statp) {
80434+ len = (char*)statp - (char*)resv->iov_base;
80435+ len = resv->iov_len - len;
80436+ len >>= 2;
80437+ }
80438
80439 /* Don't cache excessive amounts of data and XDR failures */
80440- if (!statp || len > (256 >> 2)) {
80441+ if (!statp || len > (256 >> 2) || len < 0) {
80442 nfsd_reply_cache_free(b, rp);
80443 return;
80444 }
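Review bot: `len` is shifted before it is range-checked, and it is left uninitialised when `statp` is NULL. The `len < 0` test only runs after `len >>= 2`, and right-shifting a negative signed value is implementation-defined, so the check depends on the compiler using an arithmetic shift; comparing the offset with `resv->iov_len` before the subtraction avoids that. The read of `len` in the `if` is safe only because `!statp ||` short-circuits first; initialising it at its declaration in the previous hunk (`long len = 0;`) makes that independent of operand order. nfsd_cache_update's body starts and ends outside the hunk.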
80445@@ -562,7 +565,7 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
80446 switch (cachetype) {
80447 case RC_REPLSTAT:
80448 if (len != 1)
80449- printk("nfsd: RC_REPLSTAT/reply len %d!\n",len);
80450+ printk("nfsd: RC_REPLSTAT/reply len %ld!\n",len);
80451 rp->c_replstat = *statp;
80452 break;
80453 case RC_REPLBUFF:
80454diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
80455index b5e077a..50cf549 100644
80456--- a/fs/nfsd/vfs.c
80457+++ b/fs/nfsd/vfs.c
80458@@ -855,7 +855,7 @@ __be32 nfsd_readv(struct file *file, loff_t offset, struct kvec *vec, int vlen,
80459
80460 oldfs = get_fs();
80461 set_fs(KERNEL_DS);
80462- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
80463+ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
80464 set_fs(oldfs);
80465 return nfsd_finish_read(file, count, host_err);
80466 }
80467@@ -942,7 +942,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
80468
80469 /* Write the data. */
80470 oldfs = get_fs(); set_fs(KERNEL_DS);
80471- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &pos);
80472+ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &pos);
80473 set_fs(oldfs);
80474 if (host_err < 0)
80475 goto out_nfserr;
80476@@ -1455,7 +1455,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp)
80477 */
80478
80479 oldfs = get_fs(); set_fs(KERNEL_DS);
80480- host_err = inode->i_op->readlink(path.dentry, (char __user *)buf, *lenp);
80481+ host_err = inode->i_op->readlink(path.dentry, (char __force_user *)buf, *lenp);
80482 set_fs(oldfs);
80483
80484 if (host_err < 0)
80485diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
80486index 52ccd34..7a6b202 100644
80487--- a/fs/nls/nls_base.c
80488+++ b/fs/nls/nls_base.c
80489@@ -234,21 +234,25 @@ EXPORT_SYMBOL(utf16s_to_utf8s);
80490
80491 int __register_nls(struct nls_table *nls, struct module *owner)
80492 {
80493- struct nls_table ** tmp = &tables;
80494+ struct nls_table *tmp = tables;
80495
80496 if (nls->next)
80497 return -EBUSY;
80498
80499- nls->owner = owner;
80500+ pax_open_kernel();
80501+ *(void **)&nls->owner = owner;
80502+ pax_close_kernel();
80503 spin_lock(&nls_lock);
80504- while (*tmp) {
80505- if (nls == *tmp) {
80506+ while (tmp) {
80507+ if (nls == tmp) {
80508 spin_unlock(&nls_lock);
80509 return -EBUSY;
80510 }
80511- tmp = &(*tmp)->next;
80512+ tmp = tmp->next;
80513 }
80514- nls->next = tables;
80515+ pax_open_kernel();
80516+ *(struct nls_table **)&nls->next = tables;
80517+ pax_close_kernel();
80518 tables = nls;
80519 spin_unlock(&nls_lock);
80520 return 0;
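Review bot: The owner store is written through `*(void **)&nls->owner`, while the `next` store two lines later uses the real pointer type (`struct nls_table **`). Casting to the field's own type, `*(struct module **)&nls->owner = owner;`, keeps the compiler checking the assigned value and matches the other writes in this file. Each `pax_open_kernel()`/`pax_close_kernel()` pair would also benefit from a one-line comment such as `/* nls_table is write-protected after init; open a short window for this single store */`, since the casts otherwise read as plain const-stripping. The closing brace of __register_nls is outside the hunk.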
80521@@ -257,12 +261,14 @@ EXPORT_SYMBOL(__register_nls);
80522
80523 int unregister_nls(struct nls_table * nls)
80524 {
80525- struct nls_table ** tmp = &tables;
80526+ struct nls_table * const * tmp = &tables;
80527
80528 spin_lock(&nls_lock);
80529 while (*tmp) {
80530 if (nls == *tmp) {
80531- *tmp = nls->next;
80532+ pax_open_kernel();
80533+ *(struct nls_table **)tmp = nls->next;
80534+ pax_close_kernel();
80535 spin_unlock(&nls_lock);
80536 return 0;
80537 }
80538@@ -272,7 +278,7 @@ int unregister_nls(struct nls_table * nls)
80539 return -EINVAL;
80540 }
80541
80542-static struct nls_table *find_nls(char *charset)
80543+static struct nls_table *find_nls(const char *charset)
80544 {
80545 struct nls_table *nls;
80546 spin_lock(&nls_lock);
80547@@ -288,7 +294,7 @@ static struct nls_table *find_nls(char *charset)
80548 return nls;
80549 }
80550
80551-struct nls_table *load_nls(char *charset)
80552+struct nls_table *load_nls(const char *charset)
80553 {
80554 return try_then_request_module(find_nls(charset), "nls_%s", charset);
80555 }
80556diff --git a/fs/nls/nls_euc-jp.c b/fs/nls/nls_euc-jp.c
80557index 162b3f1..6076a7c 100644
80558--- a/fs/nls/nls_euc-jp.c
80559+++ b/fs/nls/nls_euc-jp.c
80560@@ -560,8 +560,10 @@ static int __init init_nls_euc_jp(void)
80561 p_nls = load_nls("cp932");
80562
80563 if (p_nls) {
80564- table.charset2upper = p_nls->charset2upper;
80565- table.charset2lower = p_nls->charset2lower;
80566+ pax_open_kernel();
80567+ *(const unsigned char **)&table.charset2upper = p_nls->charset2upper;
80568+ *(const unsigned char **)&table.charset2lower = p_nls->charset2lower;
80569+ pax_close_kernel();
80570 return register_nls(&table);
80571 }
80572
80573diff --git a/fs/nls/nls_koi8-ru.c b/fs/nls/nls_koi8-ru.c
80574index a80a741..7b96e1b 100644
80575--- a/fs/nls/nls_koi8-ru.c
80576+++ b/fs/nls/nls_koi8-ru.c
80577@@ -62,8 +62,10 @@ static int __init init_nls_koi8_ru(void)
80578 p_nls = load_nls("koi8-u");
80579
80580 if (p_nls) {
80581- table.charset2upper = p_nls->charset2upper;
80582- table.charset2lower = p_nls->charset2lower;
80583+ pax_open_kernel();
80584+ *(const unsigned char **)&table.charset2upper = p_nls->charset2upper;
80585+ *(const unsigned char **)&table.charset2lower = p_nls->charset2lower;
80586+ pax_close_kernel();
80587 return register_nls(&table);
80588 }
80589
80590diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
80591index cf27550..6c70f29d 100644
80592--- a/fs/notify/fanotify/fanotify_user.c
80593+++ b/fs/notify/fanotify/fanotify_user.c
80594@@ -216,8 +216,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
80595
80596 fd = fanotify_event_metadata.fd;
80597 ret = -EFAULT;
80598- if (copy_to_user(buf, &fanotify_event_metadata,
80599- fanotify_event_metadata.event_len))
80600+ if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
80601+ copy_to_user(buf, &fanotify_event_metadata, fanotify_event_metadata.event_len))
80602 goto out_close_fd;
80603
80604 #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
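Review bot: An oversized `event_len` is reported to the caller as -EFAULT, the same code as a bad user buffer, so an internal inconsistency would pass unnoticed. The new bound stops `copy_to_user()` from reading past the on-stack `fanotify_event_metadata`, which is the right guard, but it should also leave a trace: `if (WARN_ON_ONCE(fanotify_event_metadata.event_len > sizeof(fanotify_event_metadata)) ||` followed by the existing `copy_to_user(...)` line. Writing `sizeof(...)` with parentheses also matches the usual kernel style. copy_event_to_user starts and ends outside the hunk.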
80605diff --git a/fs/notify/notification.c b/fs/notify/notification.c
80606index a95d8e0..a91a5fd 100644
80607--- a/fs/notify/notification.c
80608+++ b/fs/notify/notification.c
80609@@ -48,7 +48,7 @@
80610 #include <linux/fsnotify_backend.h>
80611 #include "fsnotify.h"
80612
80613-static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
80614+static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
80615
80616 /**
80617 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
80618@@ -56,7 +56,7 @@ static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
80619 */
80620 u32 fsnotify_get_cookie(void)
80621 {
80622- return atomic_inc_return(&fsnotify_sync_cookie);
80623+ return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
80624 }
80625 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
80626
80627diff --git a/fs/ntfs/dir.c b/fs/ntfs/dir.c
80628index 9e38daf..5727cae 100644
80629--- a/fs/ntfs/dir.c
80630+++ b/fs/ntfs/dir.c
80631@@ -1310,7 +1310,7 @@ find_next_index_buffer:
80632 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
80633 ~(s64)(ndir->itype.index.block_size - 1)));
80634 /* Bounds checks. */
80635- if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
80636+ if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
80637 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
80638 "inode 0x%lx or driver bug.", vdir->i_ino);
80639 goto err_out;
80640diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
80641index 9e1e112..241a52a 100644
80642--- a/fs/ntfs/super.c
80643+++ b/fs/ntfs/super.c
80644@@ -688,7 +688,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
80645 if (!silent)
80646 ntfs_error(sb, "Primary boot sector is invalid.");
80647 } else if (!silent)
80648- ntfs_error(sb, read_err_str, "primary");
80649+ ntfs_error(sb, read_err_str, "%s", "primary");
80650 if (!(NTFS_SB(sb)->on_errors & ON_ERRORS_RECOVER)) {
80651 if (bh_primary)
80652 brelse(bh_primary);
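Review bot: The added `"%s"` in `ntfs_error(sb, read_err_str, "%s", "primary")` lands in the argument list, not in the format position. The neighbouring call `ntfs_error(sb, "Primary boot sector is invalid.")` shows that the second argument is the format, so `read_err_str` is still the format and `"%s"` becomes its first argument. If `read_err_str` holds a single string conversion (its definition is outside the hunk, but the old call passed exactly one argument), the log line would now print a literal `%s` and drop `primary`. The two `"backup"` calls in the next two hunks have the same problem. One option is to keep the original call, `ntfs_error(sb, read_err_str, "primary");`, and declare `read_err_str` as a `static const char []` so the compiler can still check the format.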
80653@@ -704,7 +704,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
80654 goto hotfix_primary_boot_sector;
80655 brelse(bh_backup);
80656 } else if (!silent)
80657- ntfs_error(sb, read_err_str, "backup");
80658+ ntfs_error(sb, read_err_str, "%s", "backup");
80659 /* Try to read NT3.51- backup boot sector. */
80660 if ((bh_backup = sb_bread(sb, nr_blocks >> 1))) {
80661 if (is_boot_sector_ntfs(sb, (NTFS_BOOT_SECTOR*)
80662@@ -715,7 +715,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
80663 "sector.");
80664 brelse(bh_backup);
80665 } else if (!silent)
80666- ntfs_error(sb, read_err_str, "backup");
80667+ ntfs_error(sb, read_err_str, "%s", "backup");
80668 /* We failed. Cleanup and return. */
80669 if (bh_primary)
80670 brelse(bh_primary);
80671diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c
80672index 857bbbc..3c47d15 100644
80673--- a/fs/ocfs2/localalloc.c
80674+++ b/fs/ocfs2/localalloc.c
80675@@ -1320,7 +1320,7 @@ static int ocfs2_local_alloc_slide_window(struct ocfs2_super *osb,
80676 goto bail;
80677 }
80678
80679- atomic_inc(&osb->alloc_stats.moves);
80680+ atomic_inc_unchecked(&osb->alloc_stats.moves);
80681
80682 bail:
80683 if (handle)
80684diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h
80685index 690ddc6..f2d4c4d 100644
80686--- a/fs/ocfs2/ocfs2.h
80687+++ b/fs/ocfs2/ocfs2.h
80688@@ -247,11 +247,11 @@ enum ocfs2_vol_state
80689
80690 struct ocfs2_alloc_stats
80691 {
80692- atomic_t moves;
80693- atomic_t local_data;
80694- atomic_t bitmap_data;
80695- atomic_t bg_allocs;
80696- atomic_t bg_extends;
80697+ atomic_unchecked_t moves;
80698+ atomic_unchecked_t local_data;
80699+ atomic_unchecked_t bitmap_data;
80700+ atomic_unchecked_t bg_allocs;
80701+ atomic_unchecked_t bg_extends;
80702 };
80703
80704 enum ocfs2_local_alloc_state
80705diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
80706index 4479029..5de740b 100644
80707--- a/fs/ocfs2/suballoc.c
80708+++ b/fs/ocfs2/suballoc.c
80709@@ -867,7 +867,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
80710 mlog_errno(status);
80711 goto bail;
80712 }
80713- atomic_inc(&osb->alloc_stats.bg_extends);
80714+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
80715
80716 /* You should never ask for this much metadata */
80717 BUG_ON(bits_wanted >
80718@@ -2014,7 +2014,7 @@ int ocfs2_claim_metadata(handle_t *handle,
80719 mlog_errno(status);
80720 goto bail;
80721 }
80722- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
80723+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
80724
80725 *suballoc_loc = res.sr_bg_blkno;
80726 *suballoc_bit_start = res.sr_bit_offset;
80727@@ -2180,7 +2180,7 @@ int ocfs2_claim_new_inode_at_loc(handle_t *handle,
80728 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
80729 res->sr_bits);
80730
80731- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
80732+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
80733
80734 BUG_ON(res->sr_bits != 1);
80735
80736@@ -2222,7 +2222,7 @@ int ocfs2_claim_new_inode(handle_t *handle,
80737 mlog_errno(status);
80738 goto bail;
80739 }
80740- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
80741+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
80742
80743 BUG_ON(res.sr_bits != 1);
80744
80745@@ -2326,7 +2326,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
80746 cluster_start,
80747 num_clusters);
80748 if (!status)
80749- atomic_inc(&osb->alloc_stats.local_data);
80750+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
80751 } else {
80752 if (min_clusters > (osb->bitmap_cpg - 1)) {
80753 /* The only paths asking for contiguousness
80754@@ -2352,7 +2352,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
80755 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
80756 res.sr_bg_blkno,
80757 res.sr_bit_offset);
80758- atomic_inc(&osb->alloc_stats.bitmap_data);
80759+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
80760 *num_clusters = res.sr_bits;
80761 }
80762 }
80763diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
80764index a482e31..81b251d 100644
80765--- a/fs/ocfs2/super.c
80766+++ b/fs/ocfs2/super.c
80767@@ -308,11 +308,11 @@ static int ocfs2_osb_dump(struct ocfs2_super *osb, char *buf, int len)
80768 "%10s => GlobalAllocs: %d LocalAllocs: %d "
80769 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
80770 "Stats",
80771- atomic_read(&osb->alloc_stats.bitmap_data),
80772- atomic_read(&osb->alloc_stats.local_data),
80773- atomic_read(&osb->alloc_stats.bg_allocs),
80774- atomic_read(&osb->alloc_stats.moves),
80775- atomic_read(&osb->alloc_stats.bg_extends));
80776+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
80777+ atomic_read_unchecked(&osb->alloc_stats.local_data),
80778+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
80779+ atomic_read_unchecked(&osb->alloc_stats.moves),
80780+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
80781
80782 out += snprintf(buf + out, len - out,
80783 "%10s => State: %u Descriptor: %llu Size: %u bits "
80784@@ -2095,11 +2095,11 @@ static int ocfs2_initialize_super(struct super_block *sb,
80785
80786 mutex_init(&osb->system_file_mutex);
80787
80788- atomic_set(&osb->alloc_stats.moves, 0);
80789- atomic_set(&osb->alloc_stats.local_data, 0);
80790- atomic_set(&osb->alloc_stats.bitmap_data, 0);
80791- atomic_set(&osb->alloc_stats.bg_allocs, 0);
80792- atomic_set(&osb->alloc_stats.bg_extends, 0);
80793+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
80794+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
80795+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
80796+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
80797+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
80798
80799 /* Copy the blockcheck stats from the superblock probe */
80800 osb->osb_ecc_stats = *stats;
80801diff --git a/fs/open.c b/fs/open.c
80802index e33dab2..cdbdad9 100644
80803--- a/fs/open.c
80804+++ b/fs/open.c
80805@@ -32,6 +32,8 @@
80806 #include <linux/dnotify.h>
80807 #include <linux/compat.h>
80808
80809+#define CREATE_TRACE_POINTS
80810+#include <trace/events/fs.h>
80811 #include "internal.h"
80812
80813 int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
80814@@ -105,6 +107,8 @@ long vfs_truncate(struct path *path, loff_t length)
80815 error = locks_verify_truncate(inode, NULL, length);
80816 if (!error)
80817 error = security_path_truncate(path);
80818+ if (!error && !gr_acl_handle_truncate(path->dentry, path->mnt))
80819+ error = -EACCES;
80820 if (!error)
80821 error = do_truncate(path->dentry, length, 0, NULL);
80822
80823@@ -189,6 +193,8 @@ static long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
80824 error = locks_verify_truncate(inode, f.file, length);
80825 if (!error)
80826 error = security_path_truncate(&f.file->f_path);
80827+ if (!error && !gr_acl_handle_truncate(f.file->f_path.dentry, f.file->f_path.mnt))
80828+ error = -EACCES;
80829 if (!error)
80830 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, f.file);
80831 sb_end_write(inode->i_sb);
80832@@ -398,6 +404,9 @@ retry:
80833 if (__mnt_is_readonly(path.mnt))
80834 res = -EROFS;
80835
80836+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
80837+ res = -EACCES;
80838+
80839 out_path_release:
80840 path_put(&path);
80841 if (retry_estale(res, lookup_flags)) {
80842@@ -429,6 +438,8 @@ retry:
80843 if (error)
80844 goto dput_and_out;
80845
80846+ gr_log_chdir(path.dentry, path.mnt);
80847+
80848 set_fs_pwd(current->fs, &path);
80849
80850 dput_and_out:
80851@@ -458,6 +469,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd)
80852 goto out_putf;
80853
80854 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
80855+
80856+ if (!error && !gr_chroot_fchdir(f.file->f_path.dentry, f.file->f_path.mnt))
80857+ error = -EPERM;
80858+
80859+ if (!error)
80860+ gr_log_chdir(f.file->f_path.dentry, f.file->f_path.mnt);
80861+
80862 if (!error)
80863 set_fs_pwd(current->fs, &f.file->f_path);
80864 out_putf:
80865@@ -487,7 +505,13 @@ retry:
80866 if (error)
80867 goto dput_and_out;
80868
80869+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
80870+ goto dput_and_out;
80871+
80872 set_fs_root(current->fs, &path);
80873+
80874+ gr_handle_chroot_chdir(&path);
80875+
80876 error = 0;
80877 dput_and_out:
80878 path_put(&path);
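Review bot: The denial branch `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) goto dput_and_out;` jumps out without setting `error`. The context line just above is `if (error) goto dput_and_out;`, so `error` is 0 at this point and, as far as the hunk shows, a refused chroot would return success even though `set_fs_root()` was skipped. The caller would then believe it is confined when it is not. The other chroot checks in this patch set an explicit code (for example `error = -EPERM;` in pivot_root), so this one should too: `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }`. If returning 0 is intentional, a comment saying so is needed. The rest of the chroot syscall body is outside the hunk.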
80879@@ -511,6 +535,16 @@ static int chmod_common(struct path *path, umode_t mode)
80880 return error;
80881 retry_deleg:
80882 mutex_lock(&inode->i_mutex);
80883+
80884+ if (!gr_acl_handle_chmod(path->dentry, path->mnt, &mode)) {
80885+ error = -EACCES;
80886+ goto out_unlock;
80887+ }
80888+ if (gr_handle_chroot_chmod(path->dentry, path->mnt, mode)) {
80889+ error = -EACCES;
80890+ goto out_unlock;
80891+ }
80892+
80893 error = security_path_chmod(path, mode);
80894 if (error)
80895 goto out_unlock;
80896@@ -576,6 +610,9 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
80897 uid = make_kuid(current_user_ns(), user);
80898 gid = make_kgid(current_user_ns(), group);
80899
80900+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
80901+ return -EACCES;
80902+
80903 retry_deleg:
80904 newattrs.ia_valid = ATTR_CTIME;
80905 if (user != (uid_t) -1) {
80906@@ -1029,6 +1066,7 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
80907 } else {
80908 fsnotify_open(f);
80909 fd_install(fd, f);
80910+ trace_do_sys_open(tmp->name, flags, mode);
80911 }
80912 }
80913 putname(tmp);
80914diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
80915index d9da5a4..7ced3c7 100644
80916--- a/fs/overlayfs/inode.c
80917+++ b/fs/overlayfs/inode.c
80918@@ -346,6 +346,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
80919 if (d_is_dir(dentry))
80920 return d_backing_inode(dentry);
80921
80922+ if (d_is_dir(dentry))
80923+ return d_backing_inode(dentry);
80924+
80925 type = ovl_path_real(dentry, &realpath);
80926 if (ovl_open_need_copy_up(file_flags, type, realpath.dentry)) {
80927 err = ovl_want_write(dentry);
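Review bot: The three added lines repeat the `if (d_is_dir(dentry)) return d_backing_inode(dentry);` test that the context lines show immediately above. The second copy can never be taken because the first already returned for directories. It looks like a leftover from rebasing onto a kernel that already carries the check, and dropping the added block leaves the function unchanged in behaviour. ovl_d_select_inode continues outside the hunk.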
80928diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
80929index 79073d6..0eb5c27 100644
80930--- a/fs/overlayfs/super.c
80931+++ b/fs/overlayfs/super.c
80932@@ -172,7 +172,7 @@ void ovl_path_lower(struct dentry *dentry, struct path *path)
80933 {
80934 struct ovl_entry *oe = dentry->d_fsdata;
80935
80936- *path = oe->numlower ? oe->lowerstack[0] : (struct path) { NULL, NULL };
80937+ *path = oe->numlower ? oe->lowerstack[0] : (struct path) { .dentry = NULL, .mnt = NULL };
80938 }
80939
80940 int ovl_want_write(struct dentry *dentry)
80941@@ -879,8 +879,8 @@ static unsigned int ovl_split_lowerdirs(char *str)
80942
80943 static int ovl_fill_super(struct super_block *sb, void *data, int silent)
80944 {
80945- struct path upperpath = { NULL, NULL };
80946- struct path workpath = { NULL, NULL };
80947+ struct path upperpath = { .dentry = NULL, .mnt = NULL };
80948+ struct path workpath = { .dentry = NULL, .mnt = NULL };
80949 struct dentry *root_dentry;
80950 struct ovl_entry *oe;
80951 struct ovl_fs *ufs;
80952diff --git a/fs/pipe.c b/fs/pipe.c
80953index 8865f79..bd2c79b 100644
80954--- a/fs/pipe.c
80955+++ b/fs/pipe.c
80956@@ -36,7 +36,7 @@ unsigned int pipe_max_size = 1048576;
80957 /*
80958 * Minimum pipe size, as required by POSIX
80959 */
80960-unsigned int pipe_min_size = PAGE_SIZE;
80961+unsigned int pipe_min_size __read_only = PAGE_SIZE;
80962
80963 /*
80964 * We use a start+len construction, which provides full use of the
80965@@ -55,7 +55,7 @@ unsigned int pipe_min_size = PAGE_SIZE;
80966
80967 static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
80968 {
80969- if (pipe->files)
80970+ if (atomic_read(&pipe->files))
80971 mutex_lock_nested(&pipe->mutex, subclass);
80972 }
80973
80974@@ -70,7 +70,7 @@ EXPORT_SYMBOL(pipe_lock);
80975
80976 void pipe_unlock(struct pipe_inode_info *pipe)
80977 {
80978- if (pipe->files)
80979+ if (atomic_read(&pipe->files))
80980 mutex_unlock(&pipe->mutex);
80981 }
80982 EXPORT_SYMBOL(pipe_unlock);
80983@@ -291,9 +291,9 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to)
80984 }
80985 if (bufs) /* More to do? */
80986 continue;
80987- if (!pipe->writers)
80988+ if (!atomic_read(&pipe->writers))
80989 break;
80990- if (!pipe->waiting_writers) {
80991+ if (!atomic_read(&pipe->waiting_writers)) {
80992 /* syscall merging: Usually we must not sleep
80993 * if O_NONBLOCK is set, or if we got some data.
80994 * But if a writer sleeps in kernel space, then
80995@@ -350,7 +350,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
80996
80997 __pipe_lock(pipe);
80998
80999- if (!pipe->readers) {
81000+ if (!atomic_read(&pipe->readers)) {
81001 send_sig(SIGPIPE, current, 0);
81002 ret = -EPIPE;
81003 goto out;
81004@@ -386,7 +386,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
81005 for (;;) {
81006 int bufs;
81007
81008- if (!pipe->readers) {
81009+ if (!atomic_read(&pipe->readers)) {
81010 send_sig(SIGPIPE, current, 0);
81011 if (!ret)
81012 ret = -EPIPE;
81013@@ -454,9 +454,9 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
81014 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
81015 do_wakeup = 0;
81016 }
81017- pipe->waiting_writers++;
81018+ atomic_inc(&pipe->waiting_writers);
81019 pipe_wait(pipe);
81020- pipe->waiting_writers--;
81021+ atomic_dec(&pipe->waiting_writers);
81022 }
81023 out:
81024 __pipe_unlock(pipe);
81025@@ -511,7 +511,7 @@ pipe_poll(struct file *filp, poll_table *wait)
81026 mask = 0;
81027 if (filp->f_mode & FMODE_READ) {
81028 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
81029- if (!pipe->writers && filp->f_version != pipe->w_counter)
81030+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
81031 mask |= POLLHUP;
81032 }
81033
81034@@ -521,7 +521,7 @@ pipe_poll(struct file *filp, poll_table *wait)
81035 * Most Unices do not set POLLERR for FIFOs but on Linux they
81036 * behave exactly like pipes for poll().
81037 */
81038- if (!pipe->readers)
81039+ if (!atomic_read(&pipe->readers))
81040 mask |= POLLERR;
81041 }
81042
81043@@ -533,7 +533,7 @@ static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe)
81044 int kill = 0;
81045
81046 spin_lock(&inode->i_lock);
81047- if (!--pipe->files) {
81048+ if (atomic_dec_and_test(&pipe->files)) {
81049 inode->i_pipe = NULL;
81050 kill = 1;
81051 }
81052@@ -550,11 +550,11 @@ pipe_release(struct inode *inode, struct file *file)
81053
81054 __pipe_lock(pipe);
81055 if (file->f_mode & FMODE_READ)
81056- pipe->readers--;
81057+ atomic_dec(&pipe->readers);
81058 if (file->f_mode & FMODE_WRITE)
81059- pipe->writers--;
81060+ atomic_dec(&pipe->writers);
81061
81062- if (pipe->readers || pipe->writers) {
81063+ if (atomic_read(&pipe->readers) || atomic_read(&pipe->writers)) {
81064 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
81065 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
81066 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
81067@@ -619,7 +619,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
81068 kfree(pipe);
81069 }
81070
81071-static struct vfsmount *pipe_mnt __read_mostly;
81072+struct vfsmount *pipe_mnt __read_mostly;
81073
81074 /*
81075 * pipefs_dname() is called from d_path().
81076@@ -649,8 +649,9 @@ static struct inode * get_pipe_inode(void)
81077 goto fail_iput;
81078
81079 inode->i_pipe = pipe;
81080- pipe->files = 2;
81081- pipe->readers = pipe->writers = 1;
81082+ atomic_set(&pipe->files, 2);
81083+ atomic_set(&pipe->readers, 1);
81084+ atomic_set(&pipe->writers, 1);
81085 inode->i_fop = &pipefifo_fops;
81086
81087 /*
81088@@ -829,17 +830,17 @@ static int fifo_open(struct inode *inode, struct file *filp)
81089 spin_lock(&inode->i_lock);
81090 if (inode->i_pipe) {
81091 pipe = inode->i_pipe;
81092- pipe->files++;
81093+ atomic_inc(&pipe->files);
81094 spin_unlock(&inode->i_lock);
81095 } else {
81096 spin_unlock(&inode->i_lock);
81097 pipe = alloc_pipe_info();
81098 if (!pipe)
81099 return -ENOMEM;
81100- pipe->files = 1;
81101+ atomic_set(&pipe->files, 1);
81102 spin_lock(&inode->i_lock);
81103 if (unlikely(inode->i_pipe)) {
81104- inode->i_pipe->files++;
81105+ atomic_inc(&inode->i_pipe->files);
81106 spin_unlock(&inode->i_lock);
81107 free_pipe_info(pipe);
81108 pipe = inode->i_pipe;
81109@@ -864,10 +865,10 @@ static int fifo_open(struct inode *inode, struct file *filp)
81110 * opened, even when there is no process writing the FIFO.
81111 */
81112 pipe->r_counter++;
81113- if (pipe->readers++ == 0)
81114+ if (atomic_inc_return(&pipe->readers) == 1)
81115 wake_up_partner(pipe);
81116
81117- if (!is_pipe && !pipe->writers) {
81118+ if (!is_pipe && !atomic_read(&pipe->writers)) {
81119 if ((filp->f_flags & O_NONBLOCK)) {
81120 /* suppress POLLHUP until we have
81121 * seen a writer */
81122@@ -886,14 +887,14 @@ static int fifo_open(struct inode *inode, struct file *filp)
81123 * errno=ENXIO when there is no process reading the FIFO.
81124 */
81125 ret = -ENXIO;
81126- if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !pipe->readers)
81127+ if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
81128 goto err;
81129
81130 pipe->w_counter++;
81131- if (!pipe->writers++)
81132+ if (atomic_inc_return(&pipe->writers) == 1)
81133 wake_up_partner(pipe);
81134
81135- if (!is_pipe && !pipe->readers) {
81136+ if (!is_pipe && !atomic_read(&pipe->readers)) {
81137 if (wait_for_partner(pipe, &pipe->r_counter))
81138 goto err_wr;
81139 }
81140@@ -907,11 +908,11 @@ static int fifo_open(struct inode *inode, struct file *filp)
81141 * the process can at least talk to itself.
81142 */
81143
81144- pipe->readers++;
81145- pipe->writers++;
81146+ atomic_inc(&pipe->readers);
81147+ atomic_inc(&pipe->writers);
81148 pipe->r_counter++;
81149 pipe->w_counter++;
81150- if (pipe->readers == 1 || pipe->writers == 1)
81151+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
81152 wake_up_partner(pipe);
81153 break;
81154
81155@@ -925,13 +926,13 @@ static int fifo_open(struct inode *inode, struct file *filp)
81156 return 0;
81157
81158 err_rd:
81159- if (!--pipe->readers)
81160+ if (atomic_dec_and_test(&pipe->readers))
81161 wake_up_interruptible(&pipe->wait);
81162 ret = -ERESTARTSYS;
81163 goto err;
81164
81165 err_wr:
81166- if (!--pipe->writers)
81167+ if (atomic_dec_and_test(&pipe->writers))
81168 wake_up_interruptible(&pipe->wait);
81169 ret = -ERESTARTSYS;
81170 goto err;
81171@@ -1007,7 +1008,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
81172 * Currently we rely on the pipe array holding a power-of-2 number
81173 * of pages.
81174 */
81175-static inline unsigned int round_pipe_size(unsigned int size)
81176+static inline unsigned long round_pipe_size(unsigned long size)
81177 {
81178 unsigned long nr_pages;
81179
81180@@ -1055,13 +1056,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
81181
81182 switch (cmd) {
81183 case F_SETPIPE_SZ: {
81184- unsigned int size, nr_pages;
81185+ unsigned long size, nr_pages;
81186+
81187+ ret = -EINVAL;
81188+ if (arg < pipe_min_size)
81189+ goto out;
81190
81191 size = round_pipe_size(arg);
81192 nr_pages = size >> PAGE_SHIFT;
81193
81194- ret = -EINVAL;
81195- if (!nr_pages)
81196+ if (size < pipe_min_size)
81197 goto out;
81198
81199 if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
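Review bot: The new `if (arg < pipe_min_size) goto out;` rejects small F_SETPIPE_SZ requests before `round_pipe_size()` runs, where the old code only failed when the rounded size was below one page. If `round_pipe_size()` rounds up (its body is outside the hunk), callers that passed a small value and relied on it being raised to the minimum would now get -EINVAL. That is a user-visible change and deserves a comment such as `/* reject instead of rounding up: sizes below pipe_min_size are never valid */`, or the request could be clamped with `arg = max_t(unsigned long, arg, pipe_min_size);`. With the pre-check in place, the later `size < pipe_min_size` test looks reachable only if rounding can shrink or overflow the value, which also needs a line of explanation. pipe_fcntl continues outside the hunk.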
81200diff --git a/fs/posix_acl.c b/fs/posix_acl.c
81201index 4fb17de..13d8c0f 100644
81202--- a/fs/posix_acl.c
81203+++ b/fs/posix_acl.c
81204@@ -20,6 +20,7 @@
81205 #include <linux/xattr.h>
81206 #include <linux/export.h>
81207 #include <linux/user_namespace.h>
81208+#include <linux/grsecurity.h>
81209
81210 struct posix_acl **acl_by_type(struct inode *inode, int type)
81211 {
81212@@ -277,7 +278,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p)
81213 }
81214 }
81215 if (mode_p)
81216- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
81217+ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
81218 return not_equiv;
81219 }
81220 EXPORT_SYMBOL(posix_acl_equiv_mode);
81221@@ -427,7 +428,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
81222 mode &= (group_obj->e_perm << 3) | ~S_IRWXG;
81223 }
81224
81225- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
81226+ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
81227 return not_equiv;
81228 }
81229
81230@@ -485,6 +486,8 @@ __posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p)
81231 struct posix_acl *clone = posix_acl_clone(*acl, gfp);
81232 int err = -ENOMEM;
81233 if (clone) {
81234+ *mode_p &= ~gr_acl_umask();
81235+
81236 err = posix_acl_create_masq(clone, mode_p);
81237 if (err < 0) {
81238 posix_acl_release(clone);
81239@@ -657,11 +660,12 @@ struct posix_acl *
81240 posix_acl_from_xattr(struct user_namespace *user_ns,
81241 const void *value, size_t size)
81242 {
81243- posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
81244- posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
81245+ const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
81246+ const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
81247 int count;
81248 struct posix_acl *acl;
81249 struct posix_acl_entry *acl_e;
81250+ umode_t umask = gr_acl_umask();
81251
81252 if (!value)
81253 return NULL;
81254@@ -687,12 +691,18 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
81255
81256 switch(acl_e->e_tag) {
81257 case ACL_USER_OBJ:
81258+ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
81259+ break;
81260 case ACL_GROUP_OBJ:
81261 case ACL_MASK:
81262+ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
81263+ break;
81264 case ACL_OTHER:
81265+ acl_e->e_perm &= ~(umask & S_IRWXO);
81266 break;
81267
81268 case ACL_USER:
81269+ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
81270 acl_e->e_uid =
81271 make_kuid(user_ns,
81272 le32_to_cpu(entry->e_id));
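Review bot: The per-tag masking added to the switch in posix_acl_from_xattr() is undocumented: ACL_MASK is cut by the group bits of the umask, ACL_USER by the owner bits, and ACL_GROUP (next hunk) by the group bits, with no statement of why named users follow the owner's bits. A comment above the switch such as `/* gr_acl_umask(): owner bits -> USER_OBJ/USER, group bits -> GROUP_OBJ/MASK/GROUP, other bits -> OTHER */` would make the policy reviewable. The local declared in the previous hunk is also called `umask`, which reads like the process umask; `gr_umask` would be clearer. The function starts outside this hunk.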
81273@@ -700,6 +710,7 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
81274 goto fail;
81275 break;
81276 case ACL_GROUP:
81277+ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
81278 acl_e->e_gid =
81279 make_kgid(user_ns,
81280 le32_to_cpu(entry->e_id));
81281diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
81282index 1ade120..a86f1a2 100644
81283--- a/fs/proc/Kconfig
81284+++ b/fs/proc/Kconfig
81285@@ -30,7 +30,7 @@ config PROC_FS
81286
81287 config PROC_KCORE
81288 bool "/proc/kcore support" if !ARM
81289- depends on PROC_FS && MMU
81290+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
81291 help
81292 Provides a virtual ELF core file of the live kernel. This can
81293 be read with gdb and other ELF tools. No modifications can be
81294@@ -38,8 +38,8 @@ config PROC_KCORE
81295
81296 config PROC_VMCORE
81297 bool "/proc/vmcore support"
81298- depends on PROC_FS && CRASH_DUMP
81299- default y
81300+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
81301+ default n
81302 help
81303 Exports the dump image of crashed kernel in ELF format.
81304
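Review bot: Switching PROC_VMCORE to `default n` also changes builds that do not enable GRKERNSEC, even though the added `&& !GRKERNSEC` on `depends on` already removes the option whenever grsecurity is on. If the intent is only to hide the interface under grsecurity, keeping `default y` leaves crash-dump setups on other configurations unchanged; the same applies to PROC_PAGE_MONITOR in the next hunk. If the default really is meant to change everywhere, the `default n` line can be dropped, since a bool without a default is already n.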
81305@@ -63,8 +63,8 @@ config PROC_SYSCTL
81306 limited in memory.
81307
81308 config PROC_PAGE_MONITOR
81309- default y
81310- depends on PROC_FS && MMU
81311+ default n
81312+ depends on PROC_FS && MMU && !GRKERNSEC
81313 bool "Enable /proc page monitoring" if EXPERT
81314 help
81315 Various /proc files exist to monitor process memory utilization:
81316diff --git a/fs/proc/array.c b/fs/proc/array.c
81317index ce065cf..8974fed 100644
81318--- a/fs/proc/array.c
81319+++ b/fs/proc/array.c
81320@@ -60,6 +60,7 @@
81321 #include <linux/tty.h>
81322 #include <linux/string.h>
81323 #include <linux/mman.h>
81324+#include <linux/grsecurity.h>
81325 #include <linux/proc_fs.h>
81326 #include <linux/ioport.h>
81327 #include <linux/uaccess.h>
81328@@ -348,6 +349,21 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task)
81329 cpumask_pr_args(&task->cpus_allowed));
81330 }
81331
81332+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
81333+static inline void task_pax(struct seq_file *m, struct task_struct *p)
81334+{
81335+ if (p->mm)
81336+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
81337+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
81338+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
81339+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
81340+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
81341+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
81342+ else
81343+ seq_printf(m, "PaX:\t-----\n");
81344+}
81345+#endif
81346+
81347 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
81348 struct pid *pid, struct task_struct *task)
81349 {
81350@@ -366,9 +382,24 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
81351 task_cpus_allowed(m, task);
81352 cpuset_task_status_allowed(m, task);
81353 task_context_switch_counts(m, task);
81354+
81355+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
81356+ task_pax(m, task);
81357+#endif
81358+
81359+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
81360+ task_grsec_rbac(m, task);
81361+#endif
81362+
81363 return 0;
81364 }
81365
81366+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81367+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
81368+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
81369+ _mm->pax_flags & MF_PAX_SEGMEXEC))
81370+#endif
81371+
81372 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
81373 struct pid *pid, struct task_struct *task, int whole)
81374 {
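Review bot: `PAX_RAND_FLAGS(_mm)` expands its argument four times without parentheses, and the same definition is repeated verbatim in the fs/proc/base.c part of this patch. Since the macro decides whether addresses are withheld from /proc output, two copies that can drift apart are a maintenance risk. At minimum I would write `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`; a single `static inline bool` in a header both files include would be better still.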
81375@@ -390,6 +421,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
81376 char tcomm[sizeof(task->comm)];
81377 unsigned long flags;
81378
81379+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81380+ if (current->exec_id != m->exec_id) {
81381+ gr_log_badprocpid("stat");
81382+ return 0;
81383+ }
81384+#endif
81385+
81386 state = *get_task_state(task);
81387 vsize = eip = esp = 0;
81388 permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
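Review bot: The early `return 0` taken when `current->exec_id != m->exec_id` in do_task_stat() carries no comment, and the reader gets an empty file rather than an error. The code alone does not say that the check compares the reading task with whoever opened the seq_file, presumably so a descriptor opened before an execve() cannot be read afterwards (to be confirmed against where `m->exec_id` is set, which is not in this hunk). I would add `/* opener and reader must be the same exec image; log and report EOF otherwise */` here and at the matching check in proc_pid_statm().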
81389@@ -460,6 +498,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
81390 gtime = task_gtime(task);
81391 }
81392
81393+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81394+ if (PAX_RAND_FLAGS(mm)) {
81395+ eip = 0;
81396+ esp = 0;
81397+ wchan = 0;
81398+ }
81399+#endif
81400+#ifdef CONFIG_GRKERNSEC_HIDESYM
81401+ wchan = 0;
81402+ eip =0;
81403+ esp =0;
81404+#endif
81405+
81406 /* scale priority and nice values from timeslices to -20..20 */
81407 /* to make it look like a "normal" Unix priority/nice value */
81408 priority = task_prio(task);
81409@@ -491,9 +542,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
81410 seq_put_decimal_ull(m, ' ', vsize);
81411 seq_put_decimal_ull(m, ' ', mm ? get_mm_rss(mm) : 0);
81412 seq_put_decimal_ull(m, ' ', rsslim);
81413+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81414+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0));
81415+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0));
81416+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0));
81417+#else
81418 seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->start_code : 1) : 0);
81419 seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->end_code : 1) : 0);
81420 seq_put_decimal_ull(m, ' ', (permitted && mm) ? mm->start_stack : 0);
81421+#endif
81422 seq_put_decimal_ull(m, ' ', esp);
81423 seq_put_decimal_ull(m, ' ', eip);
81424 /* The signal information here is obsolete.
81425@@ -515,7 +572,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
81426 seq_put_decimal_ull(m, ' ', cputime_to_clock_t(gtime));
81427 seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cgtime));
81428
81429- if (mm && permitted) {
81430+ if (mm && permitted
81431+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81432+ && !PAX_RAND_FLAGS(mm)
81433+#endif
81434+ ) {
81435 seq_put_decimal_ull(m, ' ', mm->start_data);
81436 seq_put_decimal_ull(m, ' ', mm->end_data);
81437 seq_put_decimal_ull(m, ' ', mm->start_brk);
81438@@ -553,8 +614,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
81439 struct pid *pid, struct task_struct *task)
81440 {
81441 unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0;
81442- struct mm_struct *mm = get_task_mm(task);
81443+ struct mm_struct *mm;
81444
81445+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81446+ if (current->exec_id != m->exec_id) {
81447+ gr_log_badprocpid("statm");
81448+ return 0;
81449+ }
81450+#endif
81451+ mm = get_task_mm(task);
81452 if (mm) {
81453 size = task_statm(mm, &shared, &text, &data, &resident);
81454 mmput(mm);
81455@@ -577,6 +645,20 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
81456 return 0;
81457 }
81458
81459+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
81460+int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task)
81461+{
81462+ unsigned long flags;
81463+ u32 curr_ip = 0;
81464+
81465+ if (lock_task_sighand(task, &flags)) {
81466+ curr_ip = task->signal->curr_ip;
81467+ unlock_task_sighand(task, &flags);
81468+ }
81469+ return seq_printf(m, "%pI4\n", &curr_ip);
81470+}
81471+#endif
81472+
81473 #ifdef CONFIG_PROC_CHILDREN
81474 static struct pid *
81475 get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
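Review bot: proc_pid_ipaddr() ends with `return seq_printf(m, "%pI4\n", &curr_ip);`, so the show callback's status is whatever seq_printf() returns, while proc_pid_statm() directly above it returns 0 unconditionally. If seq_printf() reports a full buffer with a negative value on this kernel, that would reach the reader as an error instead of letting seq_file retry with a larger buffer. It is unlikely to matter for one short line, but it is inconsistent with the rest of the file. I would write `seq_printf(m, "%pI4\n", &curr_ip);` followed by `return 0;`.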
81476diff --git a/fs/proc/base.c b/fs/proc/base.c
81477index aa50d1a..7a62b7a 100644
81478--- a/fs/proc/base.c
81479+++ b/fs/proc/base.c
81480@@ -113,6 +113,14 @@ struct pid_entry {
81481 union proc_op op;
81482 };
81483
81484+struct getdents_callback {
81485+ struct linux_dirent __user * current_dir;
81486+ struct linux_dirent __user * previous;
81487+ struct file * file;
81488+ int count;
81489+ int error;
81490+};
81491+
81492 #define NOD(NAME, MODE, IOP, FOP, OP) { \
81493 .name = (NAME), \
81494 .len = sizeof(NAME) - 1, \
81495@@ -224,6 +232,11 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
81496 goto out_mmput;
81497 }
81498
81499+ if (gr_acl_handle_procpidmem(tsk)) {
81500+ rv = 0;
81501+ goto out_mmput;
81502+ }
81503+
81504 page = (char *)__get_free_page(GFP_TEMPORARY);
81505 if (!page) {
81506 rv = -ENOMEM;
81507@@ -400,12 +413,28 @@ static const struct file_operations proc_pid_cmdline_ops = {
81508 .llseek = generic_file_llseek,
81509 };
81510
81511+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81512+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
81513+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
81514+ _mm->pax_flags & MF_PAX_SEGMEXEC))
81515+#endif
81516+
81517 static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns,
81518 struct pid *pid, struct task_struct *task)
81519 {
81520 struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
81521 if (mm && !IS_ERR(mm)) {
81522 unsigned int nwords = 0;
81523+
81524+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81525+ /* allow if we're currently ptracing this task */
81526+ if (PAX_RAND_FLAGS(mm) &&
81527+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
81528+ mmput(mm);
81529+ return 0;
81530+ }
81531+#endif
81532+
81533 do {
81534 nwords += 2;
81535 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
81536@@ -417,7 +446,7 @@ static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns,
81537 }
81538
81539
81540-#ifdef CONFIG_KALLSYMS
81541+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
81542 /*
81543 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
81544 * Returns the resolved symbol. If that fails, simply return the address.
81545@@ -459,7 +488,7 @@ static void unlock_trace(struct task_struct *task)
81546 mutex_unlock(&task->signal->cred_guard_mutex);
81547 }
81548
81549-#ifdef CONFIG_STACKTRACE
81550+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
81551
81552 #define MAX_STACK_TRACE_DEPTH 64
81553
81554@@ -657,7 +686,7 @@ static int proc_pid_limits(struct seq_file *m, struct pid_namespace *ns,
81555 return 0;
81556 }
81557
81558-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
81559+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
81560 static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
81561 struct pid *pid, struct task_struct *task)
81562 {
81563@@ -690,7 +719,7 @@ static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
81564 /************************************************************************/
81565
81566 /* permission checks */
81567-static int proc_fd_access_allowed(struct inode *inode)
81568+static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
81569 {
81570 struct task_struct *task;
81571 int allowed = 0;
81572@@ -700,7 +729,10 @@ static int proc_fd_access_allowed(struct inode *inode)
81573 */
81574 task = get_proc_task(inode);
81575 if (task) {
81576- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
81577+ if (log)
81578+ allowed = ptrace_may_access(task, PTRACE_MODE_READ);
81579+ else
81580+ allowed = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
81581 put_task_struct(task);
81582 }
81583 return allowed;
81584@@ -731,10 +763,35 @@ static bool has_pid_permissions(struct pid_namespace *pid,
81585 struct task_struct *task,
81586 int hide_pid_min)
81587 {
81588+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
81589+ return false;
81590+
81591+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
81592+ rcu_read_lock();
81593+ {
81594+ const struct cred *tmpcred = current_cred();
81595+ const struct cred *cred = __task_cred(task);
81596+
81597+ if (uid_eq(tmpcred->uid, GLOBAL_ROOT_UID) || uid_eq(tmpcred->uid, cred->uid)
81598+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
81599+ || in_group_p(grsec_proc_gid)
81600+#endif
81601+ ) {
81602+ rcu_read_unlock();
81603+ return true;
81604+ }
81605+ }
81606+ rcu_read_unlock();
81607+
81608+ if (!pid->hide_pid)
81609+ return false;
81610+#endif
81611+
81612 if (pid->hide_pid < hide_pid_min)
81613 return true;
81614 if (in_group_p(pid->pid_gid))
81615 return true;
81616+
81617 return ptrace_may_access(task, PTRACE_MODE_READ);
81618 }
81619
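Review bot: The added `if (!pid->hide_pid) return false;` in has_pid_permissions() denies a non-owner even when the mount uses hide_pid=0, whereas the unchanged `if (pid->hide_pid < hide_pid_min) return true;` just below would presumably have allowed it. Nothing in the hunk states that the mount option's meaning is reversed under GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP. A comment such as `/* with GRKERNSEC_PROC_USER[GROUP], hide_pid=0 no longer exposes other users' tasks */` would make that explicit for whoever audits /proc visibility later.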
81620@@ -752,7 +809,11 @@ static int proc_pid_permission(struct inode *inode, int mask)
81621 put_task_struct(task);
81622
81623 if (!has_perms) {
81624+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
81625+ {
81626+#else
81627 if (pid->hide_pid == 2) {
81628+#endif
81629 /*
81630 * Let's make getdents(), stat(), and open()
81631 * consistent with each other. If a process
81632@@ -813,6 +874,10 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
81633
81634 if (task) {
81635 mm = mm_access(task, mode);
81636+ if (!IS_ERR_OR_NULL(mm) && gr_acl_handle_procpidmem(task)) {
81637+ mmput(mm);
81638+ mm = ERR_PTR(-EPERM);
81639+ }
81640 put_task_struct(task);
81641
81642 if (!IS_ERR_OR_NULL(mm)) {
81643@@ -834,6 +899,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
81644 return PTR_ERR(mm);
81645
81646 file->private_data = mm;
81647+
81648+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81649+ file->f_version = current->exec_id;
81650+#endif
81651+
81652 return 0;
81653 }
81654
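Review bot: `file->f_version = current->exec_id;` in __mem_open() repurposes a generic `struct file` field to hold the opener's exec identity, and nothing at the assignment says so. mem_rw() and environ_read() later compare it with `current->exec_id`, so any other code that writes f_version on these files would silently defeat the check. A comment such as `/* f_version holds the opener's exec_id; checked in mem_rw() and environ_read() */` would record the coupling.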
81655@@ -855,6 +925,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
81656 ssize_t copied;
81657 char *page;
81658
81659+#ifdef CONFIG_GRKERNSEC
81660+ if (write)
81661+ return -EPERM;
81662+#endif
81663+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81664+ if (file->f_version != current->exec_id) {
81665+ gr_log_badprocpid("mem");
81666+ return 0;
81667+ }
81668+#endif
81669+
81670 if (!mm)
81671 return 0;
81672
81673@@ -867,7 +948,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
81674 goto free;
81675
81676 while (count > 0) {
81677- int this_len = min_t(int, count, PAGE_SIZE);
81678+ ssize_t this_len = min_t(ssize_t, count, PAGE_SIZE);
81679
81680 if (write && copy_from_user(page, buf, this_len)) {
81681 copied = -EFAULT;
81682@@ -959,6 +1040,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
81683 if (!mm)
81684 return 0;
81685
81686+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
81687+ if (file->f_version != current->exec_id) {
81688+ gr_log_badprocpid("environ");
81689+ return 0;
81690+ }
81691+#endif
81692+
81693 page = (char *)__get_free_page(GFP_TEMPORARY);
81694 if (!page)
81695 return -ENOMEM;
81696@@ -968,7 +1056,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
81697 goto free;
81698 while (count > 0) {
81699 size_t this_len, max_len;
81700- int retval;
81701+ ssize_t retval;
81702
81703 if (src >= (mm->env_end - mm->env_start))
81704 break;
81705@@ -1582,7 +1670,7 @@ static const char *proc_pid_follow_link(struct dentry *dentry, void **cookie)
81706 int error = -EACCES;
81707
81708 /* Are we allowed to snoop on the tasks file descriptors? */
81709- if (!proc_fd_access_allowed(inode))
81710+ if (!proc_fd_access_allowed(inode, 0))
81711 goto out;
81712
81713 error = PROC_I(inode)->op.proc_get_link(dentry, &path);
81714@@ -1626,8 +1714,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
81715 struct path path;
81716
81717 /* Are we allowed to snoop on the tasks file descriptors? */
81718- if (!proc_fd_access_allowed(inode))
81719- goto out;
81720+ /* logging this is needed for learning on chromium to work properly,
81721+ but we don't want to flood the logs from 'ps' which does a readlink
81722+ on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
81723+ CAP_SYS_PTRACE as it's not necessary for its basic functionality
81724+ */
81725+ if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
81726+ if (!proc_fd_access_allowed(inode,0))
81727+ goto out;
81728+ } else {
81729+ if (!proc_fd_access_allowed(inode,1))
81730+ goto out;
81731+ }
81732
81733 error = PROC_I(inode)->op.proc_get_link(dentry, &path);
81734 if (error)
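Review bot: The two branches added to proc_pid_readlink() differ only in the second argument to proc_fd_access_allowed(), so the if/else can collapse into one call. With a local `unsigned int log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` the check becomes `if (!proc_fd_access_allowed(inode, log)) goto out;`. That also removes the bare `0`/`1` at the call sites, written `inode,0` without a space. The function body continues outside the hunk.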
81735@@ -1677,7 +1775,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
81736 rcu_read_lock();
81737 cred = __task_cred(task);
81738 inode->i_uid = cred->euid;
81739+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
81740+ inode->i_gid = grsec_proc_gid;
81741+#else
81742 inode->i_gid = cred->egid;
81743+#endif
81744 rcu_read_unlock();
81745 }
81746 security_task_to_inode(task, inode);
81747@@ -1713,10 +1815,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
81748 return -ENOENT;
81749 }
81750 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
81751+#ifdef CONFIG_GRKERNSEC_PROC_USER
81752+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
81753+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
81754+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
81755+#endif
81756 task_dumpable(task)) {
81757 cred = __task_cred(task);
81758 stat->uid = cred->euid;
81759+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
81760+ stat->gid = grsec_proc_gid;
81761+#else
81762 stat->gid = cred->egid;
81763+#endif
81764 }
81765 }
81766 rcu_read_unlock();
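Review bot: The restricted directory modes tested in pid_getattr() are spelled out a second time in pid_revalidate() and a third time where proc_pid_instantiate() assigns `inode->i_mode`, each under its own `#ifdef`/`#elif`. If one copy drifts, the mode test stops matching and pid_revalidate() falls through to its `else` branch, which sets `inode->i_uid = GLOBAL_ROOT_UID`, so the failure would be silent. Defining the mode once (the macro name below is a suggestion only) and using it at all three sites avoids that. The enclosing function starts outside this hunk.

```c
/* Mode given to /proc/<pid> directories under the configured /proc restriction. */
#ifdef CONFIG_GRKERNSEC_PROC_USER
#define GR_PROC_PID_DIR_MODE	(S_IFDIR|S_IRUSR|S_IXUSR)
#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
#define GR_PROC_PID_DIR_MODE	(S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)
#else
#define GR_PROC_PID_DIR_MODE	(S_IFDIR|S_IRUGO|S_IXUGO)
#endif

/* … unchanged: pid_getattr() up to the mode test … */
	if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
	    (inode->i_mode == GR_PROC_PID_DIR_MODE) ||
	    task_dumpable(task)) {
```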
81767@@ -1754,11 +1865,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
81768
81769 if (task) {
81770 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
81771+#ifdef CONFIG_GRKERNSEC_PROC_USER
81772+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
81773+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
81774+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
81775+#endif
81776 task_dumpable(task)) {
81777 rcu_read_lock();
81778 cred = __task_cred(task);
81779 inode->i_uid = cred->euid;
81780+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
81781+ inode->i_gid = grsec_proc_gid;
81782+#else
81783 inode->i_gid = cred->egid;
81784+#endif
81785 rcu_read_unlock();
81786 } else {
81787 inode->i_uid = GLOBAL_ROOT_UID;
81788@@ -2290,6 +2410,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
81789 if (!task)
81790 goto out_no_task;
81791
81792+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
81793+ goto out;
81794+
81795 /*
81796 * Yes, it does not scale. And it should not. Don't add
81797 * new entries into /proc/<tgid>/ without very good reasons.
81798@@ -2320,6 +2443,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
81799 if (!task)
81800 return -ENOENT;
81801
81802+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
81803+ goto out;
81804+
81805 if (!dir_emit_dots(file, ctx))
81806 goto out;
81807
81808@@ -2764,7 +2890,7 @@ static const struct pid_entry tgid_base_stuff[] = {
81809 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
81810 #endif
81811 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
81812-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
81813+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
81814 ONE("syscall", S_IRUSR, proc_pid_syscall),
81815 #endif
81816 REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
81817@@ -2789,10 +2915,10 @@ static const struct pid_entry tgid_base_stuff[] = {
81818 #ifdef CONFIG_SECURITY
81819 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
81820 #endif
81821-#ifdef CONFIG_KALLSYMS
81822+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
81823 ONE("wchan", S_IRUGO, proc_pid_wchan),
81824 #endif
81825-#ifdef CONFIG_STACKTRACE
81826+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
81827 ONE("stack", S_IRUSR, proc_pid_stack),
81828 #endif
81829 #ifdef CONFIG_SCHED_INFO
81830@@ -2826,6 +2952,9 @@ static const struct pid_entry tgid_base_stuff[] = {
81831 #ifdef CONFIG_HARDWALL
81832 ONE("hardwall", S_IRUGO, proc_pid_hardwall),
81833 #endif
81834+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
81835+ ONE("ipaddr", S_IRUSR, proc_pid_ipaddr),
81836+#endif
81837 #ifdef CONFIG_USER_NS
81838 REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
81839 REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
81840@@ -2958,7 +3087,14 @@ static int proc_pid_instantiate(struct inode *dir,
81841 if (!inode)
81842 goto out;
81843
81844+#ifdef CONFIG_GRKERNSEC_PROC_USER
81845+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
81846+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
81847+ inode->i_gid = grsec_proc_gid;
81848+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
81849+#else
81850 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
81851+#endif
81852 inode->i_op = &proc_tgid_base_inode_operations;
81853 inode->i_fop = &proc_tgid_base_operations;
81854 inode->i_flags|=S_IMMUTABLE;
81855@@ -2996,7 +3132,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
81856 if (!task)
81857 goto out;
81858
81859+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
81860+ goto out_put_task;
81861+
81862 result = proc_pid_instantiate(dir, dentry, task, NULL);
81863+out_put_task:
81864 put_task_struct(task);
81865 out:
81866 return ERR_PTR(result);
81867@@ -3110,7 +3250,7 @@ static const struct pid_entry tid_base_stuff[] = {
81868 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
81869 #endif
81870 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
81871-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
81872+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
81873 ONE("syscall", S_IRUSR, proc_pid_syscall),
81874 #endif
81875 REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
81876@@ -3137,10 +3277,10 @@ static const struct pid_entry tid_base_stuff[] = {
81877 #ifdef CONFIG_SECURITY
81878 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
81879 #endif
81880-#ifdef CONFIG_KALLSYMS
81881+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
81882 ONE("wchan", S_IRUGO, proc_pid_wchan),
81883 #endif
81884-#ifdef CONFIG_STACKTRACE
81885+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
81886 ONE("stack", S_IRUSR, proc_pid_stack),
81887 #endif
81888 #ifdef CONFIG_SCHED_INFO
81889diff --git a/fs/proc/cmdline.c b/fs/proc/cmdline.c
81890index cbd82df..c0407d2 100644
81891--- a/fs/proc/cmdline.c
81892+++ b/fs/proc/cmdline.c
81893@@ -23,7 +23,11 @@ static const struct file_operations cmdline_proc_fops = {
81894
81895 static int __init proc_cmdline_init(void)
81896 {
81897+#ifdef CONFIG_GRKERNSEC_PROC_ADD
81898+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
81899+#else
81900 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
81901+#endif
81902 return 0;
81903 }
81904 fs_initcall(proc_cmdline_init);
81905diff --git a/fs/proc/devices.c b/fs/proc/devices.c
81906index 50493ed..248166b 100644
81907--- a/fs/proc/devices.c
81908+++ b/fs/proc/devices.c
81909@@ -64,7 +64,11 @@ static const struct file_operations proc_devinfo_operations = {
81910
81911 static int __init proc_devices_init(void)
81912 {
81913+#ifdef CONFIG_GRKERNSEC_PROC_ADD
81914+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
81915+#else
81916 proc_create("devices", 0, NULL, &proc_devinfo_operations);
81917+#endif
81918 return 0;
81919 }
81920 fs_initcall(proc_devices_init);
81921diff --git a/fs/proc/fd.c b/fs/proc/fd.c
81922index 6e5fcd0..06ea074 100644
81923--- a/fs/proc/fd.c
81924+++ b/fs/proc/fd.c
81925@@ -27,7 +27,8 @@ static int seq_show(struct seq_file *m, void *v)
81926 if (!task)
81927 return -ENOENT;
81928
81929- files = get_files_struct(task);
81930+ if (!gr_acl_handle_procpidmem(task))
81931+ files = get_files_struct(task);
81932 put_task_struct(task);
81933
81934 if (files) {
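Review bot: Now that `get_files_struct()` is only called when `!gr_acl_handle_procpidmem(task)`, the `if (files)` test below reads `files` on the denied path without it having been assigned in this hunk. That is safe only if the declaration, which lies outside the hunk, initializes it to NULL; worth confirming. A short comment such as `/* files stays NULL when gr_acl_handle_procpidmem() denies access */` would make the dependency explicit.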
81935@@ -291,11 +292,21 @@ static struct dentry *proc_lookupfd(struct inode *dir, struct dentry *dentry,
81936 */
81937 int proc_fd_permission(struct inode *inode, int mask)
81938 {
81939+ struct task_struct *task;
81940 int rv = generic_permission(inode, mask);
81941- if (rv == 0)
81942- return 0;
81943+
81944 if (task_tgid(current) == proc_pid(inode))
81945 rv = 0;
81946+
81947+ task = get_proc_task(inode);
81948+ if (task == NULL)
81949+ return rv;
81950+
81951+ if (gr_acl_handle_procpidmem(task))
81952+ rv = -EACCES;
81953+
81954+ put_task_struct(task);
81955+
81956 return rv;
81957 }
81958
81959diff --git a/fs/proc/generic.c b/fs/proc/generic.c
81960index e5dee5c..dafe21b 100644
81961--- a/fs/proc/generic.c
81962+++ b/fs/proc/generic.c
81963@@ -22,6 +22,7 @@
81964 #include <linux/bitops.h>
81965 #include <linux/spinlock.h>
81966 #include <linux/completion.h>
81967+#include <linux/grsecurity.h>
81968 #include <asm/uaccess.h>
81969
81970 #include "internal.h"
81971@@ -253,6 +254,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry,
81972 return proc_lookup_de(PDE(dir), dir, dentry);
81973 }
81974
81975+struct dentry *proc_lookup_restrict(struct inode *dir, struct dentry *dentry,
81976+ unsigned int flags)
81977+{
81978+ if (gr_proc_is_restricted())
81979+ return ERR_PTR(-EACCES);
81980+
81981+ return proc_lookup_de(PDE(dir), dir, dentry);
81982+}
81983+
81984 /*
81985 * This returns non-zero if at EOF, so that the /proc
81986 * root directory can use this and check if it should
81987@@ -310,6 +320,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx)
81988 return proc_readdir_de(PDE(inode), file, ctx);
81989 }
81990
81991+int proc_readdir_restrict(struct file *file, struct dir_context *ctx)
81992+{
81993+ struct inode *inode = file_inode(file);
81994+
81995+ if (gr_proc_is_restricted())
81996+ return -EACCES;
81997+
81998+ return proc_readdir_de(PDE(inode), file, ctx);
81999+}
82000+
82001 /*
82002 * These are the generic /proc directory operations. They
82003 * use the in-memory "struct proc_dir_entry" tree to parse
82004@@ -321,6 +341,12 @@ static const struct file_operations proc_dir_operations = {
82005 .iterate = proc_readdir,
82006 };
82007
82008+static const struct file_operations proc_dir_restricted_operations = {
82009+ .llseek = generic_file_llseek,
82010+ .read = generic_read_dir,
82011+ .iterate = proc_readdir_restrict,
82012+};
82013+
82014 /*
82015 * proc directories can do almost nothing..
82016 */
82017@@ -330,6 +356,12 @@ static const struct inode_operations proc_dir_inode_operations = {
82018 .setattr = proc_notify_change,
82019 };
82020
82021+static const struct inode_operations proc_dir_restricted_inode_operations = {
82022+ .lookup = proc_lookup_restrict,
82023+ .getattr = proc_getattr,
82024+ .setattr = proc_notify_change,
82025+};
82026+
82027 static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp)
82028 {
82029 int ret;
82030@@ -445,6 +477,31 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode,
82031 }
82032 EXPORT_SYMBOL_GPL(proc_mkdir_data);
82033
82034+struct proc_dir_entry *proc_mkdir_data_restrict(const char *name, umode_t mode,
82035+ struct proc_dir_entry *parent, void *data)
82036+{
82037+ struct proc_dir_entry *ent;
82038+
82039+ if (mode == 0)
82040+ mode = S_IRUGO | S_IXUGO;
82041+
82042+ ent = __proc_create(&parent, name, S_IFDIR | mode, 2);
82043+ if (ent) {
82044+ ent->data = data;
82045+ ent->restricted = 1;
82046+ ent->proc_fops = &proc_dir_restricted_operations;
82047+ ent->proc_iops = &proc_dir_restricted_inode_operations;
82048+ parent->nlink++;
82049+ if (proc_register(parent, ent) < 0) {
82050+ kfree(ent);
82051+ parent->nlink--;
82052+ ent = NULL;
82053+ }
82054+ }
82055+ return ent;
82056+}
82057+EXPORT_SYMBOL_GPL(proc_mkdir_data_restrict);
82058+
82059 struct proc_dir_entry *proc_mkdir_mode(const char *name, umode_t mode,
82060 struct proc_dir_entry *parent)
82061 {
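Review bot: proc_mkdir_data_restrict() is exported without any comment on how it differs from proc_mkdir_data(). From this patch it sets `ent->restricted = 1` and installs `proc_dir_restricted_operations` and `proc_dir_restricted_inode_operations`, whose readdir and lookup return -EACCES when gr_proc_is_restricted() is true. A short kernel-doc block saying so, and what a caller should expect on failure (NULL is returned), would help callers pick the right variant. The rest of the body appears to mirror the unrestricted function, which is not visible in this hunk, so a shared helper may be worth considering.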
82062@@ -459,6 +516,13 @@ struct proc_dir_entry *proc_mkdir(const char *name,
82063 }
82064 EXPORT_SYMBOL(proc_mkdir);
82065
82066+struct proc_dir_entry *proc_mkdir_restrict(const char *name,
82067+ struct proc_dir_entry *parent)
82068+{
82069+ return proc_mkdir_data_restrict(name, 0, parent, NULL);
82070+}
82071+EXPORT_SYMBOL(proc_mkdir_restrict);
82072+
82073 struct proc_dir_entry *proc_create_mount_point(const char *name)
82074 {
82075 umode_t mode = S_IFDIR | S_IRUGO | S_IXUGO;
82076diff --git a/fs/proc/inode.c b/fs/proc/inode.c
82077index bd95b9f..a64a773 100644
82078--- a/fs/proc/inode.c
82079+++ b/fs/proc/inode.c
82080@@ -23,11 +23,17 @@
82081 #include <linux/slab.h>
82082 #include <linux/mount.h>
82083 #include <linux/magic.h>
82084+#include <linux/grsecurity.h>
82085
82086 #include <asm/uaccess.h>
82087
82088 #include "internal.h"
82089
82090+#ifdef CONFIG_PROC_SYSCTL
82091+extern const struct inode_operations proc_sys_inode_operations;
82092+extern const struct inode_operations proc_sys_dir_operations;
82093+#endif
82094+
82095 static void proc_evict_inode(struct inode *inode)
82096 {
82097 struct proc_dir_entry *de;
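Review bot: The `extern const struct inode_operations proc_sys_inode_operations;` and `proc_sys_dir_operations` declarations are added directly to inode.c. Putting them in fs/proc/internal.h, which this patch already modifies and inode.c already includes, lets the compiler check the declaration against the definition in one place. As written, a change to the definitions' type or linkage would not be caught when inode.c is compiled. The pointer comparisons in proc_evict_inode() that rely on them are in the next hunk.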
82098@@ -48,6 +54,13 @@ static void proc_evict_inode(struct inode *inode)
82099 RCU_INIT_POINTER(PROC_I(inode)->sysctl, NULL);
82100 sysctl_head_put(head);
82101 }
82102+
82103+#ifdef CONFIG_PROC_SYSCTL
82104+ if (inode->i_op == &proc_sys_inode_operations ||
82105+ inode->i_op == &proc_sys_dir_operations)
82106+ gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
82107+#endif
82108+
82109 }
82110
82111 static struct kmem_cache * proc_inode_cachep;
82112@@ -429,7 +442,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
82113 if (de->mode) {
82114 inode->i_mode = de->mode;
82115 inode->i_uid = de->uid;
82116+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82117+ inode->i_gid = grsec_proc_gid;
82118+#else
82119 inode->i_gid = de->gid;
82120+#endif
82121 }
82122 if (de->size)
82123 inode->i_size = de->size;
82124diff --git a/fs/proc/internal.h b/fs/proc/internal.h
82125index aa27810..9f2d3b2 100644
82126--- a/fs/proc/internal.h
82127+++ b/fs/proc/internal.h
82128@@ -47,9 +47,10 @@ struct proc_dir_entry {
82129 struct completion *pde_unload_completion;
82130 struct list_head pde_openers; /* who did ->open, but not ->release */
82131 spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */
82132+ u8 restricted; /* a directory in /proc/net that should be restricted via GRKERNSEC_PROC */
82133 u8 namelen;
82134 char name[];
82135-};
82136+} __randomize_layout;
82137
82138 union proc_op {
82139 int (*proc_get_link)(struct dentry *, struct path *);
82140@@ -67,7 +68,7 @@ struct proc_inode {
82141 struct ctl_table *sysctl_entry;
82142 const struct proc_ns_operations *ns_ops;
82143 struct inode vfs_inode;
82144-};
82145+} __randomize_layout;
82146
82147 /*
82148 * General functions
82149@@ -155,6 +156,10 @@ extern int proc_pid_status(struct seq_file *, struct pid_namespace *,
82150 struct pid *, struct task_struct *);
82151 extern int proc_pid_statm(struct seq_file *, struct pid_namespace *,
82152 struct pid *, struct task_struct *);
82153+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
82154+extern int proc_pid_ipaddr(struct seq_file *, struct pid_namespace *,
82155+ struct pid *, struct task_struct *);
82156+#endif
82157
82158 /*
82159 * base.c
82160@@ -179,9 +184,11 @@ extern bool proc_fill_cache(struct file *, struct dir_context *, const char *, i
82161 * generic.c
82162 */
82163 extern struct dentry *proc_lookup(struct inode *, struct dentry *, unsigned int);
82164+extern struct dentry *proc_lookup_restrict(struct inode *, struct dentry *, unsigned int);
82165 extern struct dentry *proc_lookup_de(struct proc_dir_entry *, struct inode *,
82166 struct dentry *);
82167 extern int proc_readdir(struct file *, struct dir_context *);
82168+extern int proc_readdir_restrict(struct file *, struct dir_context *);
82169 extern int proc_readdir_de(struct proc_dir_entry *, struct file *, struct dir_context *);
82170
82171 static inline struct proc_dir_entry *pde_get(struct proc_dir_entry *pde)
82172diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
82173index a352d57..cb94a5c 100644
82174--- a/fs/proc/interrupts.c
82175+++ b/fs/proc/interrupts.c
82176@@ -47,7 +47,11 @@ static const struct file_operations proc_interrupts_operations = {
82177
82178 static int __init proc_interrupts_init(void)
82179 {
82180+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82181+ proc_create_grsec("interrupts", 0, NULL, &proc_interrupts_operations);
82182+#else
82183 proc_create("interrupts", 0, NULL, &proc_interrupts_operations);
82184+#endif
82185 return 0;
82186 }
82187 fs_initcall(proc_interrupts_init);
82188diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
82189index 92e6726..a600d4fa 100644
82190--- a/fs/proc/kcore.c
82191+++ b/fs/proc/kcore.c
82192@@ -483,9 +483,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
82193 * the addresses in the elf_phdr on our list.
82194 */
82195 start = kc_offset_to_vaddr(*fpos - elf_buflen);
82196- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
82197+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
82198+ if (tsz > buflen)
82199 tsz = buflen;
82200-
82201+
82202 while (buflen) {
82203 struct kcore_list *m;
82204
82205@@ -515,19 +516,20 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
82206 } else {
82207 if (kern_addr_valid(start)) {
82208 unsigned long n;
82209+ char *elf_buf;
82210+ mm_segment_t oldfs;
82211
82212- n = copy_to_user(buffer, (char *)start, tsz);
82213- /*
82214- * We cannot distinguish between fault on source
82215- * and fault on destination. When this happens
82216- * we clear too and hope it will trigger the
82217- * EFAULT again.
82218- */
82219- if (n) {
82220- if (clear_user(buffer + tsz - n,
82221- n))
82222- return -EFAULT;
82223- }
82224+ elf_buf = kzalloc(tsz, GFP_KERNEL);
82225+ if (!elf_buf)
82226+ return -ENOMEM;
82227+ oldfs = get_fs();
82228+ set_fs(KERNEL_DS);
82229+ n = __copy_from_user(elf_buf, (const void __user *)start, tsz);
82230+ set_fs(oldfs);
82231+ n = copy_to_user(buffer, elf_buf, tsz);
82232+ kfree(elf_buf);
82233+ if (n)
82234+ return -EFAULT;
82235 } else {
82236 if (clear_user(buffer, tsz))
82237 return -EFAULT;
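Review bot: The value `__copy_from_user()` returns is stored in `n` and then overwritten by the `copy_to_user()` call on the next line, so a fault while reading the kernel source address is never acted on. Because `elf_buf` comes from `kzalloc()`, the reader gets zeros for whatever could not be read, but nothing in the code says this is intended. I would drop the dead store and add a comment such as `/* a fault on the source leaves the zeroed bounce buffer in place */`, or test the result explicitly. The buffer is also allocated and freed on every pass of the surrounding `while (buflen)` loop, which starts outside this hunk; allocating it once per call would be cheaper.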
82238@@ -547,6 +549,9 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
82239
82240 static int open_kcore(struct inode *inode, struct file *filp)
82241 {
82242+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
82243+ return -EPERM;
82244+#endif
82245 if (!capable(CAP_SYS_RAWIO))
82246 return -EPERM;
82247 if (kcore_need_update)
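Review bot: The unconditional `return -EPERM;` at the top of `open_kcore()` has no comment, and it turns the `capable(CAP_SYS_RAWIO)` test and everything after it into unreachable code whenever either option is set. A line such as `/* /proc/kcore is refused outright under these options, even with CAP_SYS_RAWIO */` above the `#if` would make it clear that the capability check below is bypassed on purpose. An `#else` around the remaining body would also avoid unreachable-code warnings; the rest of the function lies outside this hunk.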
82248@@ -580,7 +585,7 @@ static int __meminit kcore_callback(struct notifier_block *self,
82249 return NOTIFY_OK;
82250 }
82251
82252-static struct notifier_block kcore_callback_nb __meminitdata = {
82253+static struct notifier_block kcore_callback_nb __meminitconst = {
82254 .notifier_call = kcore_callback,
82255 .priority = 0,
82256 };
82257diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
82258index d3ebf2e..6ad42d1 100644
82259--- a/fs/proc/meminfo.c
82260+++ b/fs/proc/meminfo.c
82261@@ -194,7 +194,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
82262 vmi.used >> 10,
82263 vmi.largest_chunk >> 10
82264 #ifdef CONFIG_MEMORY_FAILURE
82265- , atomic_long_read(&num_poisoned_pages) << (PAGE_SHIFT - 10)
82266+ , atomic_long_read_unchecked(&num_poisoned_pages) << (PAGE_SHIFT - 10)
82267 #endif
82268 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
82269 , K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
82270diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c
82271index f8595e8..e0d13cbd 100644
82272--- a/fs/proc/nommu.c
82273+++ b/fs/proc/nommu.c
82274@@ -64,7 +64,7 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region)
82275
82276 if (file) {
82277 seq_pad(m, ' ');
82278- seq_file_path(m, file, "");
82279+ seq_file_path(m, file, "\n\\");
82280 }
82281
82282 seq_putc(m, '\n');
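Review bot: The new escape set `"\n\\"` is an unexplained literal here, and it is repeated in the `show_map_vma()` and `nommu_vma_show()` hunks, with `"\n\t\\= "` in `show_numa_map()`. As far as I can tell, the backslash is included so that a file name containing a literal octal escape cannot be mistaken for an escaped newline in the output. A short comment at each call, for example `/* escape '\\' too, so escaped output stays unambiguous */`, would record that. A shared named constant for the three identical sets would stop them drifting apart.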
82283diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
82284index 350984a..0fb02a9 100644
82285--- a/fs/proc/proc_net.c
82286+++ b/fs/proc/proc_net.c
82287@@ -23,9 +23,27 @@
82288 #include <linux/nsproxy.h>
82289 #include <net/net_namespace.h>
82290 #include <linux/seq_file.h>
82291+#include <linux/grsecurity.h>
82292
82293 #include "internal.h"
82294
82295+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
82296+static struct seq_operations *ipv6_seq_ops_addr;
82297+
82298+void register_ipv6_seq_ops_addr(struct seq_operations *addr)
82299+{
82300+ ipv6_seq_ops_addr = addr;
82301+}
82302+
82303+void unregister_ipv6_seq_ops_addr(void)
82304+{
82305+ ipv6_seq_ops_addr = NULL;
82306+}
82307+
82308+EXPORT_SYMBOL_GPL(register_ipv6_seq_ops_addr);
82309+EXPORT_SYMBOL_GPL(unregister_ipv6_seq_ops_addr);
82310+#endif
82311+
82312 static inline struct net *PDE_NET(struct proc_dir_entry *pde)
82313 {
82314 return pde->parent->data;
82315@@ -36,6 +54,8 @@ static struct net *get_proc_net(const struct inode *inode)
82316 return maybe_get_net(PDE_NET(PDE(inode)));
82317 }
82318
82319+extern const struct seq_operations dev_seq_ops;
82320+
82321 int seq_open_net(struct inode *ino, struct file *f,
82322 const struct seq_operations *ops, int size)
82323 {
82324@@ -44,6 +64,14 @@ int seq_open_net(struct inode *ino, struct file *f,
82325
82326 BUG_ON(size < sizeof(*p));
82327
82328+ /* only permit access to /proc/net/dev */
82329+ if (
82330+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
82331+ ops != ipv6_seq_ops_addr &&
82332+#endif
82333+ ops != &dev_seq_ops && gr_proc_is_restricted())
82334+ return -EACCES;
82335+
82336 net = get_proc_net(ino);
82337 if (net == NULL)
82338 return -ENXIO;
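Review bot: The comment `/* only permit access to /proc/net/dev */` does not match the condition under it, which also lets through whatever table was registered with `register_ipv6_seq_ops_addr()` when IPv6 is configured. I would reword it to `/* when restricted, only dev_seq_ops and the registered IPv6 address seq_ops may be opened */`. The `#if` inside the `if (` condition is also hard to read; a small helper returning whether `ops` is exempt would keep the preprocessor out of the expression.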
82339@@ -66,6 +94,9 @@ int single_open_net(struct inode *inode, struct file *file,
82340 int err;
82341 struct net *net;
82342
82343+ if (gr_proc_is_restricted())
82344+ return -EACCES;
82345+
82346 err = -ENXIO;
82347 net = get_proc_net(inode);
82348 if (net == NULL)
82349diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
82350index fdda62e..cd7c75f 100644
82351--- a/fs/proc/proc_sysctl.c
82352+++ b/fs/proc/proc_sysctl.c
82353@@ -11,13 +11,21 @@
82354 #include <linux/namei.h>
82355 #include <linux/mm.h>
82356 #include <linux/module.h>
82357+#include <linux/nsproxy.h>
82358+#ifdef CONFIG_GRKERNSEC
82359+#include <net/net_namespace.h>
82360+#endif
82361 #include "internal.h"
82362
82363+extern int gr_handle_chroot_sysctl(const int op);
82364+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
82365+ const int op);
82366+
82367 static const struct dentry_operations proc_sys_dentry_operations;
82368 static const struct file_operations proc_sys_file_operations;
82369-static const struct inode_operations proc_sys_inode_operations;
82370+const struct inode_operations proc_sys_inode_operations;
82371 static const struct file_operations proc_sys_dir_file_operations;
82372-static const struct inode_operations proc_sys_dir_operations;
82373+const struct inode_operations proc_sys_dir_operations;
82374
82375 /* Support for permanently empty directories */
82376
82377@@ -32,13 +40,17 @@ static bool is_empty_dir(struct ctl_table_header *head)
82378
82379 static void set_empty_dir(struct ctl_dir *dir)
82380 {
82381- dir->header.ctl_table[0].child = sysctl_mount_point;
82382+ pax_open_kernel();
82383+ *(const void **)&dir->header.ctl_table[0].child = sysctl_mount_point;
82384+ pax_close_kernel();
82385 }
82386
82387 static void clear_empty_dir(struct ctl_dir *dir)
82388
82389 {
82390- dir->header.ctl_table[0].child = NULL;
82391+ pax_open_kernel();
82392+ *(void **)&dir->header.ctl_table[0].child = NULL;
82393+ pax_close_kernel();
82394 }
82395
82396 void proc_sys_poll_notify(struct ctl_table_poll *poll)
82397@@ -504,6 +516,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
82398
82399 err = NULL;
82400 d_set_d_op(dentry, &proc_sys_dentry_operations);
82401+
82402+ gr_handle_proc_create(dentry, inode);
82403+
82404 d_add(dentry, inode);
82405
82406 out:
82407@@ -519,6 +534,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
82408 struct inode *inode = file_inode(filp);
82409 struct ctl_table_header *head = grab_header(inode);
82410 struct ctl_table *table = PROC_I(inode)->sysctl_entry;
82411+ int op = write ? MAY_WRITE : MAY_READ;
82412 ssize_t error;
82413 size_t res;
82414
82415@@ -530,7 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
82416 * and won't be until we finish.
82417 */
82418 error = -EPERM;
82419- if (sysctl_perm(head, table, write ? MAY_WRITE : MAY_READ))
82420+ if (sysctl_perm(head, table, op))
82421 goto out;
82422
82423 /* if that can happen at all, it should be -EINVAL, not -EISDIR */
82424@@ -538,6 +554,27 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
82425 if (!table->proc_handler)
82426 goto out;
82427
82428+#ifdef CONFIG_GRKERNSEC
82429+ error = -EPERM;
82430+ if (gr_handle_chroot_sysctl(op))
82431+ goto out;
82432+ dget(filp->f_path.dentry);
82433+ if (gr_handle_sysctl_mod(filp->f_path.dentry->d_parent->d_name.name, table->procname, op)) {
82434+ dput(filp->f_path.dentry);
82435+ goto out;
82436+ }
82437+ dput(filp->f_path.dentry);
82438+ if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
82439+ goto out;
82440+ if (write) {
82441+ if (current->nsproxy->net_ns != table->extra2) {
82442+ if (!capable(CAP_SYS_ADMIN))
82443+ goto out;
82444+ } else if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
82445+ goto out;
82446+ }
82447+#endif
82448+
82449 /* careful: calling conventions are nasty here */
82450 res = count;
82451 error = table->proc_handler(table, write, buf, &res, ppos);
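Review bot: The write-side check compares `current->nsproxy->net_ns` with `table->extra2` for every sysctl table, but nothing visible in this hunk guarantees that `extra2` holds a `struct net *`. For tables where it holds something else, the comparison presumably just fails and the write needs `CAP_SYS_ADMIN`. That assumption deserves a comment, for example `/* extra2 is assumed to be the owning struct net for per-netns tables; all other tables need CAP_SYS_ADMIN to write */`. The `dget()`/`dput()` pair around `gr_handle_sysctl_mod()` also looks redundant, since `filp` already pins `f_path.dentry` for the duration of the call; if it is there for another reason, that should be stated.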
82452@@ -635,6 +672,9 @@ static bool proc_sys_fill_cache(struct file *file,
82453 return false;
82454 } else {
82455 d_set_d_op(child, &proc_sys_dentry_operations);
82456+
82457+ gr_handle_proc_create(child, inode);
82458+
82459 d_add(child, inode);
82460 }
82461 } else {
82462@@ -678,6 +718,9 @@ static int scan(struct ctl_table_header *head, struct ctl_table *table,
82463 if ((*pos)++ < ctx->pos)
82464 return true;
82465
82466+ if (!gr_acl_handle_hidden_file(file->f_path.dentry, file->f_path.mnt))
82467+ return 0;
82468+
82469 if (unlikely(S_ISLNK(table->mode)))
82470 res = proc_sys_link_fill_cache(file, ctx, head, table);
82471 else
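Review bot: The added check in `scan()` tests the directory's own dentry (`file->f_path.dentry`), not the table entry being emitted, so it gives the same answer for every entry and is re-evaluated on each call. It also returns `0` two lines below an early exit written as `return true`, which hides what the value means to the caller (outside this hunk). I would write `return false;` and add `/* the directory itself is hidden from this subject: stop listing */`, or hoist the test into the caller so it runs once per readdir.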
82472@@ -771,6 +814,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
82473 if (IS_ERR(head))
82474 return PTR_ERR(head);
82475
82476+ if (table && !gr_acl_handle_hidden_file(dentry, mnt))
82477+ return -ENOENT;
82478+
82479 generic_fillattr(inode, stat);
82480 if (table)
82481 stat->mode = (stat->mode & S_IFMT) | table->mode;
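Review bot: The new early `return -ENOENT;` in `proc_sys_getattr()` leaves the function after `head` has been obtained and checked with `IS_ERR()`, without releasing it. The normal exit path is outside this hunk, but assuming it drops the reference with `sysctl_head_finish(head)` as the rest of this file does, each stat of a hidden entry would leak a use count and could stall a later unregister of that table. The release should be added to the new branch: `if (table && !gr_acl_handle_hidden_file(dentry, mnt)) { sysctl_head_finish(head); return -ENOENT; }`.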
82482@@ -793,13 +839,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
82483 .llseek = generic_file_llseek,
82484 };
82485
82486-static const struct inode_operations proc_sys_inode_operations = {
82487+const struct inode_operations proc_sys_inode_operations = {
82488 .permission = proc_sys_permission,
82489 .setattr = proc_sys_setattr,
82490 .getattr = proc_sys_getattr,
82491 };
82492
82493-static const struct inode_operations proc_sys_dir_operations = {
82494+const struct inode_operations proc_sys_dir_operations = {
82495 .lookup = proc_sys_lookup,
82496 .permission = proc_sys_permission,
82497 .setattr = proc_sys_setattr,
82498@@ -876,7 +922,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir,
82499 static struct ctl_dir *new_dir(struct ctl_table_set *set,
82500 const char *name, int namelen)
82501 {
82502- struct ctl_table *table;
82503+ ctl_table_no_const *table;
82504 struct ctl_dir *new;
82505 struct ctl_node *node;
82506 char *new_name;
82507@@ -888,7 +934,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
82508 return NULL;
82509
82510 node = (struct ctl_node *)(new + 1);
82511- table = (struct ctl_table *)(node + 1);
82512+ table = (ctl_table_no_const *)(node + 1);
82513 new_name = (char *)(table + 2);
82514 memcpy(new_name, name, namelen);
82515 new_name[namelen] = '\0';
82516@@ -1057,7 +1103,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table)
82517 static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table *table,
82518 struct ctl_table_root *link_root)
82519 {
82520- struct ctl_table *link_table, *entry, *link;
82521+ ctl_table_no_const *link_table, *link;
82522+ struct ctl_table *entry;
82523 struct ctl_table_header *links;
82524 struct ctl_node *node;
82525 char *link_name;
82526@@ -1080,7 +1127,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table
82527 return NULL;
82528
82529 node = (struct ctl_node *)(links + 1);
82530- link_table = (struct ctl_table *)(node + nr_entries);
82531+ link_table = (ctl_table_no_const *)(node + nr_entries);
82532 link_name = (char *)&link_table[nr_entries + 1];
82533
82534 for (link = link_table, entry = table; entry->procname; link++, entry++) {
82535@@ -1328,8 +1375,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
82536 struct ctl_table_header ***subheader, struct ctl_table_set *set,
82537 struct ctl_table *table)
82538 {
82539- struct ctl_table *ctl_table_arg = NULL;
82540- struct ctl_table *entry, *files;
82541+ ctl_table_no_const *ctl_table_arg = NULL, *files = NULL;
82542+ struct ctl_table *entry;
82543 int nr_files = 0;
82544 int nr_dirs = 0;
82545 int err = -ENOMEM;
82546@@ -1341,10 +1388,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
82547 nr_files++;
82548 }
82549
82550- files = table;
82551 /* If there are mixed files and directories we need a new table */
82552 if (nr_dirs && nr_files) {
82553- struct ctl_table *new;
82554+ ctl_table_no_const *new;
82555 files = kzalloc(sizeof(struct ctl_table) * (nr_files + 1),
82556 GFP_KERNEL);
82557 if (!files)
82558@@ -1362,7 +1408,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
82559 /* Register everything except a directory full of subdirectories */
82560 if (nr_files || !nr_dirs) {
82561 struct ctl_table_header *header;
82562- header = __register_sysctl_table(set, path, files);
82563+ header = __register_sysctl_table(set, path, files ? files : table);
82564 if (!header) {
82565 kfree(ctl_table_arg);
82566 goto out;
82567diff --git a/fs/proc/root.c b/fs/proc/root.c
82568index 68feb0f..2c04780 100644
82569--- a/fs/proc/root.c
82570+++ b/fs/proc/root.c
82571@@ -185,7 +185,15 @@ void __init proc_root_init(void)
82572 proc_create_mount_point("openprom");
82573 #endif
82574 proc_tty_init();
82575+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82576+#ifdef CONFIG_GRKERNSEC_PROC_USER
82577+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
82578+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82579+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
82580+#endif
82581+#else
82582 proc_mkdir("bus", NULL);
82583+#endif
82584 proc_sys_init();
82585 }
82586
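Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP`, the inner `#ifdef`/`#elif` chain has no `#else`, so `proc_root_init()` creates no "bus" directory at all. Kconfig may well make that combination impossible, but it is not visible here. The inner chain should either get `#else` followed by `proc_mkdir("bus", NULL);` or an `#error` documenting the dependency.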
82587diff --git a/fs/proc/stat.c b/fs/proc/stat.c
82588index 510413eb..34d9a8c 100644
82589--- a/fs/proc/stat.c
82590+++ b/fs/proc/stat.c
82591@@ -11,6 +11,7 @@
82592 #include <linux/irqnr.h>
82593 #include <linux/cputime.h>
82594 #include <linux/tick.h>
82595+#include <linux/grsecurity.h>
82596
82597 #ifndef arch_irq_stat_cpu
82598 #define arch_irq_stat_cpu(cpu) 0
82599@@ -87,6 +88,18 @@ static int show_stat(struct seq_file *p, void *v)
82600 u64 sum_softirq = 0;
82601 unsigned int per_softirq_sums[NR_SOFTIRQS] = {0};
82602 struct timespec boottime;
82603+ int unrestricted = 1;
82604+
82605+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82606+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82607+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
82608+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82609+ && !in_group_p(grsec_proc_gid)
82610+#endif
82611+ )
82612+ unrestricted = 0;
82613+#endif
82614+#endif
82615
82616 user = nice = system = idle = iowait =
82617 irq = softirq = steal = 0;
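Review bot: The `unrestricted` flag is computed by an `if` whose condition is split across three nested preprocessor levels, with the closing `)` on a line of its own. That makes it easy to break when an option is added, and nothing documents which fields are withheld. Moving the test into a small `static inline` helper with a comment such as `/* non-root readers (and non-members of grsec_proc_gid) see zeros for irq, softirq, iowait, steal, guest and scheduler counters */` would help. Restricted readers receive `0` rather than an error, so monitoring tools cannot tell withheld values from real ones; that trade-off is worth stating in the same comment. The rest of `show_stat()` is in the following hunks.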
82618@@ -99,23 +112,25 @@ static int show_stat(struct seq_file *p, void *v)
82619 nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
82620 system += kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
82621 idle += get_idle_time(i);
82622- iowait += get_iowait_time(i);
82623- irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
82624- softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
82625- steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
82626- guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
82627- guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
82628- sum += kstat_cpu_irqs_sum(i);
82629- sum += arch_irq_stat_cpu(i);
82630+ if (unrestricted) {
82631+ iowait += get_iowait_time(i);
82632+ irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
82633+ softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
82634+ steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
82635+ guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
82636+ guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
82637+ sum += kstat_cpu_irqs_sum(i);
82638+ sum += arch_irq_stat_cpu(i);
82639+ for (j = 0; j < NR_SOFTIRQS; j++) {
82640+ unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
82641
82642- for (j = 0; j < NR_SOFTIRQS; j++) {
82643- unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
82644-
82645- per_softirq_sums[j] += softirq_stat;
82646- sum_softirq += softirq_stat;
82647+ per_softirq_sums[j] += softirq_stat;
82648+ sum_softirq += softirq_stat;
82649+ }
82650 }
82651 }
82652- sum += arch_irq_stat();
82653+ if (unrestricted)
82654+ sum += arch_irq_stat();
82655
82656 seq_puts(p, "cpu ");
82657 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
82658@@ -136,12 +151,14 @@ static int show_stat(struct seq_file *p, void *v)
82659 nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
82660 system = kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
82661 idle = get_idle_time(i);
82662- iowait = get_iowait_time(i);
82663- irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
82664- softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
82665- steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
82666- guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
82667- guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
82668+ if (unrestricted) {
82669+ iowait = get_iowait_time(i);
82670+ irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
82671+ softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
82672+ steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
82673+ guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
82674+ guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
82675+ }
82676 seq_printf(p, "cpu%d", i);
82677 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
82678 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(nice));
82679@@ -159,7 +176,7 @@ static int show_stat(struct seq_file *p, void *v)
82680
82681 /* sum again ? it could be updated? */
82682 for_each_irq_nr(j)
82683- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j));
82684+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL);
82685
82686 seq_printf(p,
82687 "\nctxt %llu\n"
82688@@ -167,11 +184,11 @@ static int show_stat(struct seq_file *p, void *v)
82689 "processes %lu\n"
82690 "procs_running %lu\n"
82691 "procs_blocked %lu\n",
82692- nr_context_switches(),
82693+ unrestricted ? nr_context_switches() : 0ULL,
82694 (unsigned long)jif,
82695- total_forks,
82696- nr_running(),
82697- nr_iowait());
82698+ unrestricted ? total_forks : 0UL,
82699+ unrestricted ? nr_running() : 0UL,
82700+ unrestricted ? nr_iowait() : 0UL);
82701
82702 seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
82703
82704diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
82705index ca1e091..a048795 100644
82706--- a/fs/proc/task_mmu.c
82707+++ b/fs/proc/task_mmu.c
82708@@ -13,12 +13,19 @@
82709 #include <linux/swap.h>
82710 #include <linux/swapops.h>
82711 #include <linux/mmu_notifier.h>
82712+#include <linux/grsecurity.h>
82713
82714 #include <asm/elf.h>
82715 #include <asm/uaccess.h>
82716 #include <asm/tlbflush.h>
82717 #include "internal.h"
82718
82719+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82720+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
82721+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
82722+ _mm->pax_flags & MF_PAX_SEGMEXEC))
82723+#endif
82724+
82725 void task_mem(struct seq_file *m, struct mm_struct *mm)
82726 {
82727 unsigned long data, text, lib, swap, ptes, pmds;
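Review bot: `PAX_RAND_FLAGS(_mm)` uses its argument four times without parenthesising it, so it only expands correctly for simple expressions such as `mm` or `vma->vm_mm` and would evaluate any side effect repeatedly. A `static inline bool` taking `const struct mm_struct *` would be type-checked and avoid both problems. Failing that, every use should be written as `(_mm)`. A one-line comment saying that the macro is true only for another task's mm with RANDMMAP or SEGMEXEC set would also save readers from decoding the expression at each call site.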
82728@@ -57,8 +64,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
82729 "VmLib:\t%8lu kB\n"
82730 "VmPTE:\t%8lu kB\n"
82731 "VmPMD:\t%8lu kB\n"
82732- "VmSwap:\t%8lu kB\n",
82733- hiwater_vm << (PAGE_SHIFT-10),
82734+ "VmSwap:\t%8lu kB\n"
82735+
82736+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
82737+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
82738+#endif
82739+
82740+ ,hiwater_vm << (PAGE_SHIFT-10),
82741 total_vm << (PAGE_SHIFT-10),
82742 mm->locked_vm << (PAGE_SHIFT-10),
82743 mm->pinned_vm << (PAGE_SHIFT-10),
82744@@ -68,7 +80,19 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
82745 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
82746 ptes >> 10,
82747 pmds >> 10,
82748- swap << (PAGE_SHIFT-10));
82749+ swap << (PAGE_SHIFT-10)
82750+
82751+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
82752+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82753+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base
82754+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit
82755+#else
82756+ , mm->context.user_cs_base
82757+ , mm->context.user_cs_limit
82758+#endif
82759+#endif
82760+
82761+ );
82762 }
82763
82764 unsigned long task_vsize(struct mm_struct *mm)
82765@@ -285,13 +309,13 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
82766 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
82767 }
82768
82769- /* We don't show the stack guard page in /proc/maps */
82770+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82771+ start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
82772+ end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
82773+#else
82774 start = vma->vm_start;
82775- if (stack_guard_page_start(vma, start))
82776- start += PAGE_SIZE;
82777 end = vma->vm_end;
82778- if (stack_guard_page_end(vma, end))
82779- end -= PAGE_SIZE;
82780+#endif
82781
82782 seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
82783 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ",
82784@@ -301,7 +325,11 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
82785 flags & VM_WRITE ? 'w' : '-',
82786 flags & VM_EXEC ? 'x' : '-',
82787 flags & VM_MAYSHARE ? 's' : 'p',
82788+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82789+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
82790+#else
82791 pgoff,
82792+#endif
82793 MAJOR(dev), MINOR(dev), ino);
82794
82795 /*
82796@@ -310,7 +338,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
82797 */
82798 if (file) {
82799 seq_pad(m, ' ');
82800- seq_file_path(m, file, "\n");
82801+ seq_file_path(m, file, "\n\\");
82802 goto done;
82803 }
82804
82805@@ -341,8 +369,9 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
82806 * Thread stack in /proc/PID/task/TID/maps or
82807 * the main process stack.
82808 */
82809- if (!is_pid || (vma->vm_start <= mm->start_stack &&
82810- vma->vm_end >= mm->start_stack)) {
82811+ if (!is_pid || (vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
82812+ (vma->vm_start <= mm->start_stack &&
82813+ vma->vm_end >= mm->start_stack)) {
82814 name = "[stack]";
82815 } else {
82816 /* Thread stack in /proc/PID/maps */
82817@@ -362,6 +391,12 @@ done:
82818
82819 static int show_map(struct seq_file *m, void *v, int is_pid)
82820 {
82821+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82822+ if (current->exec_id != m->exec_id) {
82823+ gr_log_badprocpid("maps");
82824+ return 0;
82825+ }
82826+#endif
82827 show_map_vma(m, v, is_pid);
82828 m_cache_vma(m, v);
82829 return 0;
82830@@ -620,9 +655,18 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
82831 .private = &mss,
82832 };
82833
82834+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82835+ if (current->exec_id != m->exec_id) {
82836+ gr_log_badprocpid("smaps");
82837+ return 0;
82838+ }
82839+#endif
82840 memset(&mss, 0, sizeof mss);
82841- /* mmap_sem is held in m_start */
82842- walk_page_vma(vma, &smaps_walk);
82843+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82844+ if (!PAX_RAND_FLAGS(vma->vm_mm))
82845+#endif
82846+ /* mmap_sem is held in m_start */
82847+ walk_page_vma(vma, &smaps_walk);
82848
82849 show_map_vma(m, vma, is_pid);
82850
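Review bot: The brace-less `if (!PAX_RAND_FLAGS(vma->vm_mm))` sits inside its own `#ifdef` and governs `walk_page_vma()` across an intervening comment. Any statement later inserted before the call would silently become the conditional body. I would use braces with a second `#ifdef` for the closing one, or define `PAX_RAND_FLAGS(mm)` as `0` when the option is off so the `if` can be written unconditionally. The `current->exec_id != m->exec_id` block is also repeated verbatim in `show_map()`, here and in `show_numa_map()`, differing only in the logged name; a shared helper would keep the three in step.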
82851@@ -641,7 +685,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
82852 "KernelPageSize: %8lu kB\n"
82853 "MMUPageSize: %8lu kB\n"
82854 "Locked: %8lu kB\n",
82855+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82856+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
82857+#else
82858 (vma->vm_end - vma->vm_start) >> 10,
82859+#endif
82860 mss.resident >> 10,
82861 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
82862 mss.shared_clean >> 10,
82863@@ -1491,6 +1539,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
82864 char buffer[64];
82865 int nid;
82866
82867+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82868+ if (current->exec_id != m->exec_id) {
82869+ gr_log_badprocpid("numa_maps");
82870+ return 0;
82871+ }
82872+#endif
82873+
82874 if (!mm)
82875 return 0;
82876
82877@@ -1505,11 +1560,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
82878 mpol_to_str(buffer, sizeof(buffer), proc_priv->task_mempolicy);
82879 }
82880
82881+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82882+ seq_printf(m, "%08lx %s", PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : vma->vm_start, buffer);
82883+#else
82884 seq_printf(m, "%08lx %s", vma->vm_start, buffer);
82885+#endif
82886
82887 if (file) {
82888 seq_puts(m, " file=");
82889- seq_file_path(m, file, "\n\t= ");
82890+ seq_file_path(m, file, "\n\t\\= ");
82891 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
82892 seq_puts(m, " heap");
82893 } else {
82894diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
82895index e0d64c9..c44c96e 100644
82896--- a/fs/proc/task_nommu.c
82897+++ b/fs/proc/task_nommu.c
82898@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
82899 else
82900 bytes += kobjsize(mm);
82901
82902- if (current->fs && current->fs->users > 1)
82903+ if (current->fs && atomic_read(&current->fs->users) > 1)
82904 sbytes += kobjsize(current->fs);
82905 else
82906 bytes += kobjsize(current->fs);
82907@@ -180,7 +180,7 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma,
82908
82909 if (file) {
82910 seq_pad(m, ' ');
82911- seq_file_path(m, file, "");
82912+ seq_file_path(m, file, "\n\\");
82913 } else if (mm) {
82914 pid_t tid = pid_of_stack(priv, vma, is_pid);
82915
82916diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
82917index 4e61388..1a2523d 100644
82918--- a/fs/proc/vmcore.c
82919+++ b/fs/proc/vmcore.c
82920@@ -105,9 +105,13 @@ static ssize_t read_from_oldmem(char *buf, size_t count,
82921 nr_bytes = count;
82922
82923 /* If pfn is not ram, return zeros for sparse dump files */
82924- if (pfn_is_ram(pfn) == 0)
82925- memset(buf, 0, nr_bytes);
82926- else {
82927+ if (pfn_is_ram(pfn) == 0) {
82928+ if (userbuf) {
82929+ if (clear_user((char __force_user *)buf, nr_bytes))
82930+ return -EFAULT;
82931+ } else
82932+ memset(buf, 0, nr_bytes);
82933+ } else {
82934 tmp = copy_oldmem_page(pfn, buf, nr_bytes,
82935 offset, userbuf);
82936 if (tmp < 0)
82937@@ -170,7 +174,7 @@ int __weak remap_oldmem_pfn_range(struct vm_area_struct *vma,
82938 static int copy_to(void *target, void *src, size_t size, int userbuf)
82939 {
82940 if (userbuf) {
82941- if (copy_to_user((char __user *) target, src, size))
82942+ if (copy_to_user((char __force_user *) target, src, size))
82943 return -EFAULT;
82944 } else {
82945 memcpy(target, src, size);
82946@@ -233,7 +237,7 @@ static ssize_t __read_vmcore(char *buffer, size_t buflen, loff_t *fpos,
82947 if (*fpos < m->offset + m->size) {
82948 tsz = min_t(size_t, m->offset + m->size - *fpos, buflen);
82949 start = m->paddr + *fpos - m->offset;
82950- tmp = read_from_oldmem(buffer, tsz, &start, userbuf);
82951+ tmp = read_from_oldmem((char __force_kernel *)buffer, tsz, &start, userbuf);
82952 if (tmp < 0)
82953 return tmp;
82954 buflen -= tsz;
82955@@ -253,7 +257,7 @@ static ssize_t __read_vmcore(char *buffer, size_t buflen, loff_t *fpos,
82956 static ssize_t read_vmcore(struct file *file, char __user *buffer,
82957 size_t buflen, loff_t *fpos)
82958 {
82959- return __read_vmcore((__force char *) buffer, buflen, fpos, 1);
82960+ return __read_vmcore((__force_kernel char *) buffer, buflen, fpos, 1);
82961 }
82962
82963 /*
82964diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h
82965index d3fb2b6..43a8140 100644
82966--- a/fs/qnx6/qnx6.h
82967+++ b/fs/qnx6/qnx6.h
82968@@ -74,7 +74,7 @@ enum {
82969 BYTESEX_BE,
82970 };
82971
82972-static inline __u64 fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
82973+static inline __u64 __intentional_overflow(-1) fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
82974 {
82975 if (sbi->s_bytesex == BYTESEX_LE)
82976 return le64_to_cpu((__force __le64)n);
82977@@ -90,7 +90,7 @@ static inline __fs64 cpu_to_fs64(struct qnx6_sb_info *sbi, __u64 n)
82978 return (__force __fs64)cpu_to_be64(n);
82979 }
82980
82981-static inline __u32 fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
82982+static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
82983 {
82984 if (sbi->s_bytesex == BYTESEX_LE)
82985 return le32_to_cpu((__force __le32)n);
82986diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c
82987index bb2869f..d34ada8 100644
82988--- a/fs/quota/netlink.c
82989+++ b/fs/quota/netlink.c
82990@@ -44,7 +44,7 @@ static struct genl_family quota_genl_family = {
82991 void quota_send_warning(struct kqid qid, dev_t dev,
82992 const char warntype)
82993 {
82994- static atomic_t seq;
82995+ static atomic_unchecked_t seq;
82996 struct sk_buff *skb;
82997 void *msg_head;
82998 int ret;
82999@@ -60,7 +60,7 @@ void quota_send_warning(struct kqid qid, dev_t dev,
83000 "VFS: Not enough memory to send quota warning.\n");
83001 return;
83002 }
83003- msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
83004+ msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
83005 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
83006 if (!msg_head) {
83007 printk(KERN_ERR
83008diff --git a/fs/read_write.c b/fs/read_write.c
83009index 819ef3f..f07222d 100644
83010--- a/fs/read_write.c
83011+++ b/fs/read_write.c
83012@@ -505,7 +505,7 @@ ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t
83013
83014 old_fs = get_fs();
83015 set_fs(get_ds());
83016- p = (__force const char __user *)buf;
83017+ p = (const char __force_user *)buf;
83018 if (count > MAX_RW_COUNT)
83019 count = MAX_RW_COUNT;
83020 ret = __vfs_write(file, p, count, pos);
83021diff --git a/fs/readdir.c b/fs/readdir.c
83022index ced6791..936687b 100644
83023--- a/fs/readdir.c
83024+++ b/fs/readdir.c
83025@@ -18,6 +18,7 @@
83026 #include <linux/security.h>
83027 #include <linux/syscalls.h>
83028 #include <linux/unistd.h>
83029+#include <linux/namei.h>
83030
83031 #include <asm/uaccess.h>
83032
83033@@ -71,6 +72,7 @@ struct old_linux_dirent {
83034 struct readdir_callback {
83035 struct dir_context ctx;
83036 struct old_linux_dirent __user * dirent;
83037+ struct file * file;
83038 int result;
83039 };
83040
83041@@ -89,6 +91,10 @@ static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
83042 buf->result = -EOVERFLOW;
83043 return -EOVERFLOW;
83044 }
83045+
83046+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83047+ return 0;
83048+
83049 buf->result++;
83050 dirent = buf->dirent;
83051 if (!access_ok(VERIFY_WRITE, dirent,
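Review bot: The added `gr_acl_handle_filldir()` check in `fillonedir` sits after the `-EOVERFLOW` return for an inode number that does not fit, so an entry the policy denies can still alter the caller-visible result instead of being skipped silently. The same ordering appears in the `filldir` hunk (after its `-EOVERFLOW` path) and in the `filldir64` hunk (after `if (reclen > buf->count) return -EINVAL;`). If denied entries are meant to look identical to absent ones, the check needs to come before those early returns. Otherwise a comment above it, such as `/* entries denied by the grsecurity ACL check are skipped; returning 0 lets iteration continue */`, would record the intended behaviour. All three function bodies start and end outside their hunks, so earlier guards are not visible here.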
83052@@ -120,6 +126,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
83053 if (!f.file)
83054 return -EBADF;
83055
83056+ buf.file = f.file;
83057 error = iterate_dir(f.file, &buf.ctx);
83058 if (buf.result)
83059 error = buf.result;
83060@@ -145,6 +152,7 @@ struct getdents_callback {
83061 struct dir_context ctx;
83062 struct linux_dirent __user * current_dir;
83063 struct linux_dirent __user * previous;
83064+ struct file * file;
83065 int count;
83066 int error;
83067 };
83068@@ -167,6 +175,10 @@ static int filldir(struct dir_context *ctx, const char *name, int namlen,
83069 buf->error = -EOVERFLOW;
83070 return -EOVERFLOW;
83071 }
83072+
83073+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83074+ return 0;
83075+
83076 dirent = buf->previous;
83077 if (dirent) {
83078 if (__put_user(offset, &dirent->d_off))
83079@@ -212,6 +224,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
83080 if (!f.file)
83081 return -EBADF;
83082
83083+ buf.file = f.file;
83084 error = iterate_dir(f.file, &buf.ctx);
83085 if (error >= 0)
83086 error = buf.error;
83087@@ -230,6 +243,7 @@ struct getdents_callback64 {
83088 struct dir_context ctx;
83089 struct linux_dirent64 __user * current_dir;
83090 struct linux_dirent64 __user * previous;
83091+ struct file *file;
83092 int count;
83093 int error;
83094 };
83095@@ -246,6 +260,10 @@ static int filldir64(struct dir_context *ctx, const char *name, int namlen,
83096 buf->error = -EINVAL; /* only used if we fail.. */
83097 if (reclen > buf->count)
83098 return -EINVAL;
83099+
83100+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83101+ return 0;
83102+
83103 dirent = buf->previous;
83104 if (dirent) {
83105 if (__put_user(offset, &dirent->d_off))
83106@@ -293,6 +311,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
83107 if (!f.file)
83108 return -EBADF;
83109
83110+ buf.file = f.file;
83111 error = iterate_dir(f.file, &buf.ctx);
83112 if (error >= 0)
83113 error = buf.error;
83114diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
83115index 9c02d96..6562c10 100644
83116--- a/fs/reiserfs/do_balan.c
83117+++ b/fs/reiserfs/do_balan.c
83118@@ -1887,7 +1887,7 @@ void do_balance(struct tree_balance *tb, struct item_head *ih,
83119 return;
83120 }
83121
83122- atomic_inc(&fs_generation(tb->tb_sb));
83123+ atomic_inc_unchecked(&fs_generation(tb->tb_sb));
83124 do_balance_starts(tb);
83125
83126 /*
83127diff --git a/fs/reiserfs/item_ops.c b/fs/reiserfs/item_ops.c
83128index aca73dd..e3c558d 100644
83129--- a/fs/reiserfs/item_ops.c
83130+++ b/fs/reiserfs/item_ops.c
83131@@ -724,18 +724,18 @@ static void errcatch_print_vi(struct virtual_item *vi)
83132 }
83133
83134 static struct item_operations errcatch_ops = {
83135- errcatch_bytes_number,
83136- errcatch_decrement_key,
83137- errcatch_is_left_mergeable,
83138- errcatch_print_item,
83139- errcatch_check_item,
83140+ .bytes_number = errcatch_bytes_number,
83141+ .decrement_key = errcatch_decrement_key,
83142+ .is_left_mergeable = errcatch_is_left_mergeable,
83143+ .print_item = errcatch_print_item,
83144+ .check_item = errcatch_check_item,
83145
83146- errcatch_create_vi,
83147- errcatch_check_left,
83148- errcatch_check_right,
83149- errcatch_part_size,
83150- errcatch_unit_num,
83151- errcatch_print_vi
83152+ .create_vi = errcatch_create_vi,
83153+ .check_left = errcatch_check_left,
83154+ .check_right = errcatch_check_right,
83155+ .part_size = errcatch_part_size,
83156+ .unit_num = errcatch_unit_num,
83157+ .print_vi = errcatch_print_vi
83158 };
83159
83160 #if ! (TYPE_STAT_DATA == 0 && TYPE_INDIRECT == 1 && TYPE_DIRECT == 2 && TYPE_DIRENTRY == 3)
83161diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
83162index 621b9f3..af527fd 100644
83163--- a/fs/reiserfs/procfs.c
83164+++ b/fs/reiserfs/procfs.c
83165@@ -114,7 +114,7 @@ static int show_super(struct seq_file *m, void *unused)
83166 "SMALL_TAILS " : "NO_TAILS ",
83167 replay_only(sb) ? "REPLAY_ONLY " : "",
83168 convert_reiserfs(sb) ? "CONV " : "",
83169- atomic_read(&r->s_generation_counter),
83170+ atomic_read_unchecked(&r->s_generation_counter),
83171 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
83172 SF(s_do_balance), SF(s_unneeded_left_neighbor),
83173 SF(s_good_search_by_key_reada), SF(s_bmaps),
83174diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h
83175index 2adcde1..7d27bc8 100644
83176--- a/fs/reiserfs/reiserfs.h
83177+++ b/fs/reiserfs/reiserfs.h
83178@@ -580,7 +580,7 @@ struct reiserfs_sb_info {
83179 /* Comment? -Hans */
83180 wait_queue_head_t s_wait;
83181 /* increased by one every time the tree gets re-balanced */
83182- atomic_t s_generation_counter;
83183+ atomic_unchecked_t s_generation_counter;
83184
83185 /* File system properties. Currently holds on-disk FS format */
83186 unsigned long s_properties;
83187@@ -2300,7 +2300,7 @@ static inline loff_t max_reiserfs_offset(struct inode *inode)
83188 #define REISERFS_USER_MEM 1 /* user memory mode */
83189
83190 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
83191-#define get_generation(s) atomic_read (&fs_generation(s))
83192+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
83193 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
83194 #define __fs_changed(gen,s) (gen != get_generation (s))
83195 #define fs_changed(gen,s) \
83196diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
83197index 4a62fe8..5dc2f5f 100644
83198--- a/fs/reiserfs/super.c
83199+++ b/fs/reiserfs/super.c
83200@@ -1870,6 +1870,10 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
83201 sbi->s_mount_opt |= (1 << REISERFS_SMALLTAIL);
83202 sbi->s_mount_opt |= (1 << REISERFS_ERROR_RO);
83203 sbi->s_mount_opt |= (1 << REISERFS_BARRIER_FLUSH);
83204+#ifdef CONFIG_REISERFS_FS_XATTR
83205+ /* turn on user xattrs by default */
83206+ sbi->s_mount_opt |= (1 << REISERFS_XATTRS_USER);
83207+#endif
83208 /* no preallocation minimum, be smart in reiserfs_file_write instead */
83209 sbi->s_alloc_options.preallocmin = 0;
83210 /* Preallocate by 16 blocks (17-1) at once */
83211diff --git a/fs/select.c b/fs/select.c
83212index 0155473..29d751f 100644
83213--- a/fs/select.c
83214+++ b/fs/select.c
83215@@ -20,6 +20,7 @@
83216 #include <linux/export.h>
83217 #include <linux/slab.h>
83218 #include <linux/poll.h>
83219+#include <linux/security.h>
83220 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
83221 #include <linux/file.h>
83222 #include <linux/fdtable.h>
83223@@ -880,6 +881,7 @@ int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
83224 struct poll_list *walk = head;
83225 unsigned long todo = nfds;
83226
83227+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
83228 if (nfds > rlimit(RLIMIT_NOFILE))
83229 return -EINVAL;
83230
83231diff --git a/fs/seq_file.c b/fs/seq_file.c
83232index ce9e39f..5c5a436 100644
83233--- a/fs/seq_file.c
83234+++ b/fs/seq_file.c
83235@@ -12,6 +12,8 @@
83236 #include <linux/slab.h>
83237 #include <linux/cred.h>
83238 #include <linux/mm.h>
83239+#include <linux/sched.h>
83240+#include <linux/grsecurity.h>
83241
83242 #include <asm/uaccess.h>
83243 #include <asm/page.h>
83244@@ -29,9 +31,9 @@ static void *seq_buf_alloc(unsigned long size)
83245 * __GFP_NORETRY to avoid oom-killings with high-order allocations -
83246 * it's better to fall back to vmalloc() than to kill things.
83247 */
83248- buf = kmalloc(size, GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN);
83249+ buf = kmalloc(size, GFP_KERNEL | GFP_USERCOPY | __GFP_NORETRY | __GFP_NOWARN);
83250 if (!buf && size > PAGE_SIZE)
83251- buf = vmalloc(size);
83252+ buf = vmalloc_usercopy(size);
83253 return buf;
83254 }
83255
83256@@ -68,6 +70,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
83257 #ifdef CONFIG_USER_NS
83258 p->user_ns = file->f_cred->user_ns;
83259 #endif
83260+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83261+ p->exec_id = current->exec_id;
83262+#endif
83263
83264 /*
83265 * Wrappers around seq_open(e.g. swaps_open) need to be
83266@@ -90,6 +95,16 @@ int seq_open(struct file *file, const struct seq_operations *op)
83267 }
83268 EXPORT_SYMBOL(seq_open);
83269
83270+
83271+int seq_open_restrict(struct file *file, const struct seq_operations *op)
83272+{
83273+ if (gr_proc_is_restricted())
83274+ return -EACCES;
83275+
83276+ return seq_open(file, op);
83277+}
83278+EXPORT_SYMBOL(seq_open_restrict);
83279+
83280 static int traverse(struct seq_file *m, loff_t offset)
83281 {
83282 loff_t pos = 0, index;
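Review bot: `seq_open_restrict()` is exported without any comment, although it changes the contract of `seq_open()` by failing with `-EACCES` whenever `gr_proc_is_restricted()` returns true. A short kernel-doc block naming the parameters and the extra error return would tell callers when to pick this variant, for example `/* like seq_open(), but returns -EACCES when gr_proc_is_restricted() denies the caller */`. `single_open_restrict()` in the later hunk of this file is added the same way and needs the same comment. What `gr_proc_is_restricted()` actually tests is defined elsewhere in the patch and should be referenced rather than restated.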
83283@@ -161,7 +176,7 @@ Eoverflow:
83284 ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
83285 {
83286 struct seq_file *m = file->private_data;
83287- size_t copied = 0;
83288+ ssize_t copied = 0;
83289 loff_t pos;
83290 size_t n;
83291 void *p;
83292@@ -575,7 +590,7 @@ static void single_stop(struct seq_file *p, void *v)
83293 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
83294 void *data)
83295 {
83296- struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
83297+ seq_operations_no_const *op = kzalloc(sizeof(*op), GFP_KERNEL);
83298 int res = -ENOMEM;
83299
83300 if (op) {
83301@@ -611,6 +626,17 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
83302 }
83303 EXPORT_SYMBOL(single_open_size);
83304
83305+int single_open_restrict(struct file *file, int (*show)(struct seq_file *, void *),
83306+ void *data)
83307+{
83308+ if (gr_proc_is_restricted())
83309+ return -EACCES;
83310+
83311+ return single_open(file, show, data);
83312+}
83313+EXPORT_SYMBOL(single_open_restrict);
83314+
83315+
83316 int single_release(struct inode *inode, struct file *file)
83317 {
83318 const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
83319diff --git a/fs/splice.c b/fs/splice.c
83320index 5fc1e50..6ae8957 100644
83321--- a/fs/splice.c
83322+++ b/fs/splice.c
83323@@ -192,7 +192,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
83324 pipe_lock(pipe);
83325
83326 for (;;) {
83327- if (!pipe->readers) {
83328+ if (!atomic_read(&pipe->readers)) {
83329 send_sig(SIGPIPE, current, 0);
83330 if (!ret)
83331 ret = -EPIPE;
83332@@ -215,7 +215,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
83333 page_nr++;
83334 ret += buf->len;
83335
83336- if (pipe->files)
83337+ if (atomic_read(&pipe->files))
83338 do_wakeup = 1;
83339
83340 if (!--spd->nr_pages)
83341@@ -246,9 +246,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
83342 do_wakeup = 0;
83343 }
83344
83345- pipe->waiting_writers++;
83346+ atomic_inc(&pipe->waiting_writers);
83347 pipe_wait(pipe);
83348- pipe->waiting_writers--;
83349+ atomic_dec(&pipe->waiting_writers);
83350 }
83351
83352 pipe_unlock(pipe);
83353@@ -579,7 +579,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
83354 old_fs = get_fs();
83355 set_fs(get_ds());
83356 /* The cast to a user pointer is valid due to the set_fs() */
83357- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
83358+ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
83359 set_fs(old_fs);
83360
83361 return res;
83362@@ -594,7 +594,7 @@ ssize_t kernel_write(struct file *file, const char *buf, size_t count,
83363 old_fs = get_fs();
83364 set_fs(get_ds());
83365 /* The cast to a user pointer is valid due to the set_fs() */
83366- res = vfs_write(file, (__force const char __user *)buf, count, &pos);
83367+ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
83368 set_fs(old_fs);
83369
83370 return res;
83371@@ -647,7 +647,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
83372 goto err;
83373
83374 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
83375- vec[i].iov_base = (void __user *) page_address(page);
83376+ vec[i].iov_base = (void __force_user *) page_address(page);
83377 vec[i].iov_len = this_len;
83378 spd.pages[i] = page;
83379 spd.nr_pages++;
83380@@ -786,7 +786,7 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
83381 ops->release(pipe, buf);
83382 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
83383 pipe->nrbufs--;
83384- if (pipe->files)
83385+ if (atomic_read(&pipe->files))
83386 sd->need_wakeup = true;
83387 }
83388
83389@@ -810,10 +810,10 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
83390 static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
83391 {
83392 while (!pipe->nrbufs) {
83393- if (!pipe->writers)
83394+ if (!atomic_read(&pipe->writers))
83395 return 0;
83396
83397- if (!pipe->waiting_writers && sd->num_spliced)
83398+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
83399 return 0;
83400
83401 if (sd->flags & SPLICE_F_NONBLOCK)
83402@@ -1028,7 +1028,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
83403 ops->release(pipe, buf);
83404 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
83405 pipe->nrbufs--;
83406- if (pipe->files)
83407+ if (atomic_read(&pipe->files))
83408 sd.need_wakeup = true;
83409 } else {
83410 buf->offset += ret;
83411@@ -1188,7 +1188,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
83412 * out of the pipe right after the splice_to_pipe(). So set
83413 * PIPE_READERS appropriately.
83414 */
83415- pipe->readers = 1;
83416+ atomic_set(&pipe->readers, 1);
83417
83418 current->splice_pipe = pipe;
83419 }
83420@@ -1495,6 +1495,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
83421
83422 partial[buffers].offset = off;
83423 partial[buffers].len = plen;
83424+ partial[buffers].private = 0;
83425
83426 off = 0;
83427 len -= plen;
83428@@ -1726,9 +1727,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
83429 ret = -ERESTARTSYS;
83430 break;
83431 }
83432- if (!pipe->writers)
83433+ if (!atomic_read(&pipe->writers))
83434 break;
83435- if (!pipe->waiting_writers) {
83436+ if (!atomic_read(&pipe->waiting_writers)) {
83437 if (flags & SPLICE_F_NONBLOCK) {
83438 ret = -EAGAIN;
83439 break;
83440@@ -1760,7 +1761,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
83441 pipe_lock(pipe);
83442
83443 while (pipe->nrbufs >= pipe->buffers) {
83444- if (!pipe->readers) {
83445+ if (!atomic_read(&pipe->readers)) {
83446 send_sig(SIGPIPE, current, 0);
83447 ret = -EPIPE;
83448 break;
83449@@ -1773,9 +1774,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
83450 ret = -ERESTARTSYS;
83451 break;
83452 }
83453- pipe->waiting_writers++;
83454+ atomic_inc(&pipe->waiting_writers);
83455 pipe_wait(pipe);
83456- pipe->waiting_writers--;
83457+ atomic_dec(&pipe->waiting_writers);
83458 }
83459
83460 pipe_unlock(pipe);
83461@@ -1811,14 +1812,14 @@ retry:
83462 pipe_double_lock(ipipe, opipe);
83463
83464 do {
83465- if (!opipe->readers) {
83466+ if (!atomic_read(&opipe->readers)) {
83467 send_sig(SIGPIPE, current, 0);
83468 if (!ret)
83469 ret = -EPIPE;
83470 break;
83471 }
83472
83473- if (!ipipe->nrbufs && !ipipe->writers)
83474+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
83475 break;
83476
83477 /*
83478@@ -1915,7 +1916,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
83479 pipe_double_lock(ipipe, opipe);
83480
83481 do {
83482- if (!opipe->readers) {
83483+ if (!atomic_read(&opipe->readers)) {
83484 send_sig(SIGPIPE, current, 0);
83485 if (!ret)
83486 ret = -EPIPE;
83487@@ -1960,7 +1961,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
83488 * return EAGAIN if we have the potential of some data in the
83489 * future, otherwise just return 0
83490 */
83491- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
83492+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
83493 ret = -EAGAIN;
83494
83495 pipe_unlock(ipipe);
83496diff --git a/fs/squashfs/xattr.c b/fs/squashfs/xattr.c
83497index e5e0ddf..09598c4 100644
83498--- a/fs/squashfs/xattr.c
83499+++ b/fs/squashfs/xattr.c
83500@@ -46,8 +46,8 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
83501 + msblk->xattr_table;
83502 int offset = SQUASHFS_XATTR_OFFSET(squashfs_i(inode)->xattr);
83503 int count = squashfs_i(inode)->xattr_count;
83504- size_t rest = buffer_size;
83505- int err;
83506+ size_t used = 0;
83507+ ssize_t err;
83508
83509 /* check that the file system has xattrs */
83510 if (msblk->xattr_id_table == NULL)
83511@@ -68,11 +68,11 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
83512 name_size = le16_to_cpu(entry.size);
83513 handler = squashfs_xattr_handler(le16_to_cpu(entry.type));
83514 if (handler)
83515- prefix_size = handler->list(d, buffer, rest, NULL,
83516+ prefix_size = handler->list(d, buffer, buffer ? buffer_size - used : 0, NULL,
83517 name_size, handler->flags);
83518 if (prefix_size) {
83519 if (buffer) {
83520- if (prefix_size + name_size + 1 > rest) {
83521+ if (prefix_size + name_size + 1 > buffer_size - used) {
83522 err = -ERANGE;
83523 goto failed;
83524 }
83525@@ -86,7 +86,7 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
83526 buffer[name_size] = '\0';
83527 buffer += name_size + 1;
83528 }
83529- rest -= prefix_size + name_size + 1;
83530+ used += prefix_size + name_size + 1;
83531 } else {
83532 /* no handler or insuffficient privileges, so skip */
83533 err = squashfs_read_metadata(sb, NULL, &start,
83534@@ -107,7 +107,7 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
83535 if (err < 0)
83536 goto failed;
83537 }
83538- err = buffer_size - rest;
83539+ err = used;
83540
83541 failed:
83542 return err;
83543diff --git a/fs/stat.c b/fs/stat.c
83544index cccc1aa..7fe8951 100644
83545--- a/fs/stat.c
83546+++ b/fs/stat.c
83547@@ -28,8 +28,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
83548 stat->gid = inode->i_gid;
83549 stat->rdev = inode->i_rdev;
83550 stat->size = i_size_read(inode);
83551- stat->atime = inode->i_atime;
83552- stat->mtime = inode->i_mtime;
83553+ if (is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) {
83554+ stat->atime = inode->i_ctime;
83555+ stat->mtime = inode->i_ctime;
83556+ } else {
83557+ stat->atime = inode->i_atime;
83558+ stat->mtime = inode->i_mtime;
83559+ }
83560 stat->ctime = inode->i_ctime;
83561 stat->blksize = (1 << inode->i_blkbits);
83562 stat->blocks = inode->i_blocks;
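Review bot: The condition `is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)` in `generic_fillattr` has no comment explaining why atime and mtime are replaced by ctime, and it is repeated verbatim in the `vfs_getattr_nosec` hunk that follows. A one-line comment such as `/* report ctime as atime/mtime on side-channel-prone devices unless the caller has CAP_MKNOD */` would make the intent reviewable, and a small static helper holding the condition would keep the two sites from drifting apart. Presumably the goal is to stop timestamp polling from revealing activity on the device; that is inferred from the helper's name and is not shown in this hunk.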
83563@@ -52,9 +57,16 @@ EXPORT_SYMBOL(generic_fillattr);
83564 int vfs_getattr_nosec(struct path *path, struct kstat *stat)
83565 {
83566 struct inode *inode = d_backing_inode(path->dentry);
83567+ int retval;
83568
83569- if (inode->i_op->getattr)
83570- return inode->i_op->getattr(path->mnt, path->dentry, stat);
83571+ if (inode->i_op->getattr) {
83572+ retval = inode->i_op->getattr(path->mnt, path->dentry, stat);
83573+ if (!retval && is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) {
83574+ stat->atime = stat->ctime;
83575+ stat->mtime = stat->ctime;
83576+ }
83577+ return retval;
83578+ }
83579
83580 generic_fillattr(inode, stat);
83581 return 0;
83582diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
83583index 94374e4..b5da3a1 100644
83584--- a/fs/sysfs/dir.c
83585+++ b/fs/sysfs/dir.c
83586@@ -33,6 +33,10 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
83587 kfree(buf);
83588 }
83589
83590+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
83591+extern int grsec_enable_sysfs_restrict;
83592+#endif
83593+
83594 /**
83595 * sysfs_create_dir_ns - create a directory for an object with a namespace tag
83596 * @kobj: object we're creating directory for
83597@@ -41,9 +45,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
83598 int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
83599 {
83600 struct kernfs_node *parent, *kn;
83601+ const char *name;
83602+ umode_t mode = S_IRWXU | S_IRUGO | S_IXUGO;
83603+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
83604+ const char *parent_name;
83605+#endif
83606
83607 BUG_ON(!kobj);
83608
83609+ name = kobject_name(kobj);
83610+
83611 if (kobj->parent)
83612 parent = kobj->parent->sd;
83613 else
83614@@ -52,11 +63,24 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
83615 if (!parent)
83616 return -ENOENT;
83617
83618- kn = kernfs_create_dir_ns(parent, kobject_name(kobj),
83619- S_IRWXU | S_IRUGO | S_IXUGO, kobj, ns);
83620+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
83621+ parent_name = parent->name;
83622+ mode = S_IRWXU;
83623+
83624+ if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) ||
83625+ (!strcmp(parent_name, "devices") && !strcmp(name, "system")) ||
83626+ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) ||
83627+ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
83628+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
83629+ if (!grsec_enable_sysfs_restrict)
83630+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
83631+#endif
83632+
83633+ kn = kernfs_create_dir_ns(parent, name,
83634+ mode, kobj, ns);
83635 if (IS_ERR(kn)) {
83636 if (PTR_ERR(kn) == -EEXIST)
83637- sysfs_warn_dup(parent, kobject_name(kobj));
83638+ sysfs_warn_dup(parent, name);
83639 return PTR_ERR(kn);
83640 }
83641
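Review bot: The allow-list in `sysfs_create_dir_ns` compares only the new directory's name and its immediate parent's name, so any kobject named `system` under any node named `devices` (or `cpu` under any `system`) could receive the world-readable mode, not only the intended top-level paths. If the exceptions are meant to be exactly the paths under the sysfs root, the test should identify the parent node itself rather than its name, and a comment should list the paths the `strcmp` chain is meant to cover. The `grsec_enable_sysfs_restrict` test would also read better first, so that `mode` is narrowed to `S_IRWXU` only when the restriction is enabled and the name is not on the list, instead of being assigned up to three times.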
83642diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h
83643index 6c21228..9afd5fe 100644
83644--- a/fs/sysv/sysv.h
83645+++ b/fs/sysv/sysv.h
83646@@ -187,7 +187,7 @@ static inline u32 PDP_swab(u32 x)
83647 #endif
83648 }
83649
83650-static inline __u32 fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
83651+static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
83652 {
83653 if (sbi->s_bytesex == BYTESEX_PDP)
83654 return PDP_swab((__force __u32)n);
83655diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
83656index cbc8d5d..56d2600 100644
83657--- a/fs/tracefs/inode.c
83658+++ b/fs/tracefs/inode.c
83659@@ -53,7 +53,7 @@ static const struct file_operations tracefs_file_operations = {
83660 static struct tracefs_dir_ops {
83661 int (*mkdir)(const char *name);
83662 int (*rmdir)(const char *name);
83663-} tracefs_ops;
83664+} __no_const tracefs_ops __read_only;
83665
83666 static char *get_dname(struct dentry *dentry)
83667 {
83668@@ -490,8 +490,10 @@ struct dentry *tracefs_create_instance_dir(const char *name, struct dentry *pare
83669 if (!dentry)
83670 return NULL;
83671
83672- tracefs_ops.mkdir = mkdir;
83673- tracefs_ops.rmdir = rmdir;
83674+ pax_open_kernel();
83675+ *(void **)&tracefs_ops.mkdir = mkdir;
83676+ *(void **)&tracefs_ops.rmdir = rmdir;
83677+ pax_close_kernel();
83678
83679 return dentry;
83680 }
83681diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
83682index 97be412..974b37f 100644
83683--- a/fs/ubifs/io.c
83684+++ b/fs/ubifs/io.c
83685@@ -155,7 +155,7 @@ int ubifs_leb_change(struct ubifs_info *c, int lnum, const void *buf, int len)
83686 return err;
83687 }
83688
83689-int ubifs_leb_unmap(struct ubifs_info *c, int lnum)
83690+int __intentional_overflow(-1) ubifs_leb_unmap(struct ubifs_info *c, int lnum)
83691 {
83692 int err;
83693
83694diff --git a/fs/udf/misc.c b/fs/udf/misc.c
83695index 71d1c25..084e2ad 100644
83696--- a/fs/udf/misc.c
83697+++ b/fs/udf/misc.c
83698@@ -288,7 +288,7 @@ void udf_new_tag(char *data, uint16_t ident, uint16_t version, uint16_t snum,
83699
83700 u8 udf_tag_checksum(const struct tag *t)
83701 {
83702- u8 *data = (u8 *)t;
83703+ const u8 *data = (const u8 *)t;
83704 u8 checksum = 0;
83705 int i;
83706 for (i = 0; i < sizeof(struct tag); ++i)
83707diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h
83708index 8d974c4..b82f6ec 100644
83709--- a/fs/ufs/swab.h
83710+++ b/fs/ufs/swab.h
83711@@ -22,7 +22,7 @@ enum {
83712 BYTESEX_BE
83713 };
83714
83715-static inline u64
83716+static inline u64 __intentional_overflow(-1)
83717 fs64_to_cpu(struct super_block *sbp, __fs64 n)
83718 {
83719 if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
83720@@ -40,7 +40,7 @@ cpu_to_fs64(struct super_block *sbp, u64 n)
83721 return (__force __fs64)cpu_to_be64(n);
83722 }
83723
83724-static inline u32
83725+static inline u32 __intentional_overflow(-1)
83726 fs32_to_cpu(struct super_block *sbp, __fs32 n)
83727 {
83728 if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
83729diff --git a/fs/utimes.c b/fs/utimes.c
83730index aa138d6..5f3a811 100644
83731--- a/fs/utimes.c
83732+++ b/fs/utimes.c
83733@@ -1,6 +1,7 @@
83734 #include <linux/compiler.h>
83735 #include <linux/file.h>
83736 #include <linux/fs.h>
83737+#include <linux/security.h>
83738 #include <linux/linkage.h>
83739 #include <linux/mount.h>
83740 #include <linux/namei.h>
83741@@ -103,6 +104,12 @@ static int utimes_common(struct path *path, struct timespec *times)
83742 }
83743 }
83744 retry_deleg:
83745+
83746+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
83747+ error = -EACCES;
83748+ goto mnt_drop_write_and_out;
83749+ }
83750+
83751 mutex_lock(&inode->i_mutex);
83752 error = notify_change(path->dentry, &newattrs, &delegated_inode);
83753 mutex_unlock(&inode->i_mutex);
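Review bot: The `gr_acl_handle_utime()` check is placed below the `retry_deleg:` label in `utimes_common`, so it is evaluated again every time the function jumps back to that label. The jump itself is outside this hunk, but if it only follows a delegation break, the policy decision (and any logging it performs) would be repeated for a single request. Moving the added block above the label, so that `retry_deleg:` directly precedes `mutex_lock(&inode->i_mutex);`, limits the check to once per call.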
83754diff --git a/fs/xattr.c b/fs/xattr.c
83755index 072fee1..9e497b0 100644
83756--- a/fs/xattr.c
83757+++ b/fs/xattr.c
83758@@ -227,6 +227,27 @@ int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name,
83759 return rc;
83760 }
83761
83762+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
83763+ssize_t
83764+pax_getxattr(struct dentry *dentry, void *value, size_t size)
83765+{
83766+ struct inode *inode = dentry->d_inode;
83767+ ssize_t error;
83768+
83769+ error = inode_permission(inode, MAY_EXEC);
83770+ if (error)
83771+ return error;
83772+
83773+ if (inode->i_op->getxattr)
83774+ error = inode->i_op->getxattr(dentry, XATTR_NAME_PAX_FLAGS, value, size);
83775+ else
83776+ error = -EOPNOTSUPP;
83777+
83778+ return error;
83779+}
83780+EXPORT_SYMBOL(pax_getxattr);
83781+#endif
83782+
83783 ssize_t
83784 vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
83785 {
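Review bot: `pax_getxattr()` is a new exported entry point with no comment on why it checks `MAY_EXEC` and calls `inode->i_op->getxattr` directly rather than going through `vfs_getxattr()`, which is defined immediately after it. A header comment should state the intended caller, that `value` and `size` describe a kernel buffer, and which of the generic xattr checks are deliberately bypassed, for example `/* read XATTR_NAME_PAX_FLAGS on behalf of exec; only MAY_EXEC on the inode is required */`. The function also reads `dentry->d_inode` without a NULL test, and whether callers can pass a negative dentry is not visible in this hunk.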
83786@@ -319,7 +340,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
83787 * Extended attribute SET operations
83788 */
83789 static long
83790-setxattr(struct dentry *d, const char __user *name, const void __user *value,
83791+setxattr(struct path *path, const char __user *name, const void __user *value,
83792 size_t size, int flags)
83793 {
83794 int error;
83795@@ -355,7 +376,12 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
83796 posix_acl_fix_xattr_from_user(kvalue, size);
83797 }
83798
83799- error = vfs_setxattr(d, kname, kvalue, size, flags);
83800+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
83801+ error = -EACCES;
83802+ goto out;
83803+ }
83804+
83805+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
83806 out:
83807 if (vvalue)
83808 vfree(vvalue);
83809@@ -376,7 +402,7 @@ retry:
83810 return error;
83811 error = mnt_want_write(path.mnt);
83812 if (!error) {
83813- error = setxattr(path.dentry, name, value, size, flags);
83814+ error = setxattr(&path, name, value, size, flags);
83815 mnt_drop_write(path.mnt);
83816 }
83817 path_put(&path);
83818@@ -412,7 +438,7 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name,
83819 audit_file(f.file);
83820 error = mnt_want_write_file(f.file);
83821 if (!error) {
83822- error = setxattr(f.file->f_path.dentry, name, value, size, flags);
83823+ error = setxattr(&f.file->f_path, name, value, size, flags);
83824 mnt_drop_write_file(f.file);
83825 }
83826 fdput(f);
83827@@ -598,7 +624,7 @@ SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)
83828 * Extended attribute REMOVE operations
83829 */
83830 static long
83831-removexattr(struct dentry *d, const char __user *name)
83832+removexattr(struct path *path, const char __user *name)
83833 {
83834 int error;
83835 char kname[XATTR_NAME_MAX + 1];
83836@@ -609,7 +635,10 @@ removexattr(struct dentry *d, const char __user *name)
83837 if (error < 0)
83838 return error;
83839
83840- return vfs_removexattr(d, kname);
83841+ if (!gr_acl_handle_removexattr(path->dentry, path->mnt))
83842+ return -EACCES;
83843+
83844+ return vfs_removexattr(path->dentry, kname);
83845 }
83846
83847 static int path_removexattr(const char __user *pathname,
83848@@ -623,7 +652,7 @@ retry:
83849 return error;
83850 error = mnt_want_write(path.mnt);
83851 if (!error) {
83852- error = removexattr(path.dentry, name);
83853+ error = removexattr(&path, name);
83854 mnt_drop_write(path.mnt);
83855 }
83856 path_put(&path);
83857@@ -649,14 +678,16 @@ SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname,
83858 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
83859 {
83860 struct fd f = fdget(fd);
83861+ struct path *path;
83862 int error = -EBADF;
83863
83864 if (!f.file)
83865 return error;
83866+ path = &f.file->f_path;
83867 audit_file(f.file);
83868 error = mnt_want_write_file(f.file);
83869 if (!error) {
83870- error = removexattr(f.file->f_path.dentry, name);
83871+ error = removexattr(path, name);
83872 mnt_drop_write_file(f.file);
83873 }
83874 fdput(f);
83875diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
83876index 63e05b6..249b043 100644
83877--- a/fs/xfs/libxfs/xfs_bmap.c
83878+++ b/fs/xfs/libxfs/xfs_bmap.c
83879@@ -554,7 +554,7 @@ xfs_bmap_validate_ret(
83880
83881 #else
83882 #define xfs_bmap_check_leaf_extents(cur, ip, whichfork) do { } while (0)
83883-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
83884+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do { } while (0)
83885 #endif /* DEBUG */
83886
83887 /*
83888diff --git a/fs/xfs/xfs_dir2_readdir.c b/fs/xfs/xfs_dir2_readdir.c
83889index 098cd78..724d3f8 100644
83890--- a/fs/xfs/xfs_dir2_readdir.c
83891+++ b/fs/xfs/xfs_dir2_readdir.c
83892@@ -140,7 +140,12 @@ xfs_dir2_sf_getdents(
83893 ino = dp->d_ops->sf_get_ino(sfp, sfep);
83894 filetype = dp->d_ops->sf_get_ftype(sfep);
83895 ctx->pos = off & 0x7fffffff;
83896- if (!dir_emit(ctx, (char *)sfep->name, sfep->namelen, ino,
83897+ if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
83898+ char name[sfep->namelen];
83899+ memcpy(name, sfep->name, sfep->namelen);
83900+ if (!dir_emit(ctx, name, sfep->namelen, ino, xfs_dir3_get_dtype(dp->i_mount, filetype)))
83901+ return 0;
83902+ } else if (!dir_emit(ctx, (char *)sfep->name, sfep->namelen, ino,
83903 xfs_dir3_get_dtype(dp->i_mount, filetype)))
83904 return 0;
83905 sfep = dp->d_ops->sf_nextentry(sfp, sfep);
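Review bot: `char name[sfep->namelen];` in `xfs_dir2_sf_getdents` is a variable-length array sized from the directory entry, and a `namelen` of zero makes the declaration undefined in standard C (GCC tolerates it only as an extension). A fixed buffer sized to the largest name the short-form format allows, with `namelen` checked against it before the `memcpy`, removes both the VLA and the zero-length case. The copy also needs a comment saying why inline data is bounced through the stack, presumably so the name passed to `dir_emit` does not point into the inode's inline area, because the two `dir_emit` calls are otherwise identical. The loop this code sits in starts and ends outside the hunk.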
83906diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
83907index ea7d85a..6d4b24b 100644
83908--- a/fs/xfs/xfs_ioctl.c
83909+++ b/fs/xfs/xfs_ioctl.c
83910@@ -120,7 +120,7 @@ xfs_find_handle(
83911 }
83912
83913 error = -EFAULT;
83914- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
83915+ if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
83916 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
83917 goto out_put;
83918
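Review bot: The new `hsize > sizeof handle` bound in `xfs_find_handle` shares the `-EFAULT` exit with the two `copy_to_user()` calls, so an oversized handle length is reported to user space as a bad address. A separate test placed before `error = -EFAULT;`, for example `if (hsize > sizeof(handle)) { error = -EINVAL; goto out_put; }`, keeps the two failure causes distinguishable and matches the `sizeof(__s32)` spelling on the following line. How `hsize` is computed lies outside this hunk, so whether the bound can ever trigger cannot be judged from here.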
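--- a/fs/xfs/xfs_linux.h
+++ b/fs/xfs/xfs_linux.h
@@ -211,7 +211,7 @@ static inline kgid_t xfs_gid_to_kgid(__uint32_t gid)
 * of the compiler which do not like us using do_div in the middle
 * of large functions.
 */
-static inline __u32 xfs_do_div(void *a, __u32 b, int n)
+static inline __u32 __intentional_overflow(-1) xfs_do_div(void *a, __u32 b, int n)
 {
 __u32 mod;
 
@@ -267,7 +267,7 @@ static inline __u32 xfs_do_mod(void *a, __u32 b, int n)
 return 0;
 }
 #else
-static inline __u32 xfs_do_div(void *a, __u32 b, int n)
+static inline __u32 __intentional_overflow(-1) xfs_do_div(void *a, __u32 b, int n)
 {
 __u32 mod;
 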
83941diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
83942new file mode 100644
83943index 0000000..31f8fe4
83944--- /dev/null
83945+++ b/grsecurity/Kconfig
83946@@ -0,0 +1,1182 @@
83947+#
83948+# grecurity configuration
83949+#
83950+menu "Memory Protections"
83951+depends on GRKERNSEC
83952+
83953+config GRKERNSEC_KMEM
83954+ bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
83955+ default y if GRKERNSEC_CONFIG_AUTO
83956+ select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
83957+ help
83958+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
83959+ be written to or read from to modify or leak the contents of the running
83960+ kernel. /dev/port will also not be allowed to be opened, writing to
83961+ /dev/cpu/*/msr will be prevented, and support for kexec will be removed.
83962+ If you have module support disabled, enabling this will close up several
83963+ ways that are currently used to insert malicious code into the running
83964+ kernel.
83965+
83966+ Even with this feature enabled, we still highly recommend that
83967+ you use the RBAC system, as it is still possible for an attacker to
83968+ modify the running kernel through other more obscure methods.
83969+
83970+ It is highly recommended that you say Y here if you meet all the
83971+ conditions above.
83972+
83973+config GRKERNSEC_VM86
83974+ bool "Restrict VM86 mode"
83975+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
83976+ depends on X86_32
83977+
83978+ help
83979+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
83980+ make use of a special execution mode on 32bit x86 processors called
83981+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
83982+ video cards and will still work with this option enabled. The purpose
83983+ of the option is to prevent exploitation of emulation errors in
83984+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
83985+ Nearly all users should be able to enable this option.
83986+
83987+config GRKERNSEC_IO
83988+ bool "Disable privileged I/O"
83989+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
83990+ depends on X86
83991+ select RTC_CLASS
83992+ select RTC_INTF_DEV
83993+ select RTC_DRV_CMOS
83994+
83995+ help
83996+ If you say Y here, all ioperm and iopl calls will return an error.
83997+ Ioperm and iopl can be used to modify the running kernel.
83998+ Unfortunately, some programs need this access to operate properly,
83999+ the most notable of which are XFree86 and hwclock. hwclock can be
84000+ remedied by having RTC support in the kernel, so real-time
84001+ clock support is enabled if this option is enabled, to ensure
84002+ that hwclock operates correctly. If hwclock still does not work,
84003+ either update udev or symlink /dev/rtc to /dev/rtc0.
84004+
84005+ If you're using XFree86 or a version of Xorg from 2012 or earlier,
84006+ you may not be able to boot into a graphical environment with this
84007+ option enabled. In this case, you should use the RBAC system instead.
84008+
84009+config GRKERNSEC_BPF_HARDEN
84010+ bool "Harden BPF interpreter"
84011+ default y if GRKERNSEC_CONFIG_AUTO
84012+ help
84013+ Unlike previous versions of grsecurity that hardened both the BPF
84014+ interpreted code against corruption at rest as well as the JIT code
84015+ against JIT-spray attacks and attacker-controlled immediate values
84016+ for ROP, this feature will enforce disabling of the new eBPF JIT engine
84017+ and will ensure the interpreted code is read-only at rest. This feature
84018+ may be removed at a later time when eBPF stabilizes to entirely revert
84019+ back to the more secure pre-3.16 BPF interpreter/JIT.
84020+
84021+ If you're using KERNEXEC, it's recommended that you enable this option
84022+ to supplement the hardening of the kernel.
84023+
84024+config GRKERNSEC_PERF_HARDEN
84025+ bool "Disable unprivileged PERF_EVENTS usage by default"
84026+ default y if GRKERNSEC_CONFIG_AUTO
84027+ depends on PERF_EVENTS
84028+ help
84029+ If you say Y here, the range of acceptable values for the
84030+ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
84031+ default to a new value: 3. When the sysctl is set to this value, no
84032+ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
84033+
84034+ Though PERF_EVENTS can be used legitimately for performance monitoring
84035+ and low-level application profiling, it is forced on regardless of
84036+ configuration, has been at fault for several vulnerabilities, and
84037+ creates new opportunities for side channels and other information leaks.
84038+
84039+ This feature puts PERF_EVENTS into a secure default state and permits
84040+ the administrator to change out of it temporarily if unprivileged
84041+ application profiling is needed.
84042+
84043+config GRKERNSEC_RAND_THREADSTACK
84044+ bool "Insert random gaps between thread stacks"
84045+ default y if GRKERNSEC_CONFIG_AUTO
84046+ depends on PAX_RANDMMAP && !PPC
84047+ help
84048+ If you say Y here, a random-sized gap will be enforced between allocated
84049+ thread stacks. Glibc's NPTL and other threading libraries that
84050+ pass MAP_STACK to the kernel for thread stack allocation are supported.
84051+ The implementation currently provides 8 bits of entropy for the gap.
84052+
84053+ Many distributions do not compile threaded remote services with the
84054+ -fstack-check argument to GCC, causing the variable-sized stack-based
84055+ allocator, alloca(), to not probe the stack on allocation. This
84056+ permits an unbounded alloca() to skip over any guard page and potentially
84057+ modify another thread's stack reliably. An enforced random gap
84058+ reduces the reliability of such an attack and increases the chance
84059+ that such a read/write to another thread's stack instead lands in
84060+ an unmapped area, causing a crash and triggering grsecurity's
84061+ anti-bruteforcing logic.
84062+
84063+config GRKERNSEC_PROC_MEMMAP
84064+ bool "Harden ASLR against information leaks and entropy reduction"
84065+ default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR)
84066+ depends on PAX_NOEXEC || PAX_ASLR
84067+ help
84068+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
84069+ give no information about the addresses of its mappings if
84070+ PaX features that rely on random addresses are enabled on the task.
84071+ In addition to sanitizing this information and disabling other
84072+ dangerous sources of information, this option causes reads of sensitive
84073+ /proc/<pid> entries where the file descriptor was opened in a different
84074+ task than the one performing the read. Such attempts are logged.
84075+ This option also limits argv/env strings for suid/sgid binaries
84076+ to 512KB to prevent a complete exhaustion of the stack entropy provided
84077+ by ASLR. Finally, it places an 8MB stack resource limit on suid/sgid
84078+ binaries to prevent alternative mmap layouts from being abused.
84079+
84080+ If you use PaX it is essential that you say Y here as it closes up
84081+ several holes that make full ASLR useless locally.
84082+
84083+
84084+config GRKERNSEC_KSTACKOVERFLOW
84085+ bool "Prevent kernel stack overflows"
84086+ default y if GRKERNSEC_CONFIG_AUTO
84087+ depends on !IA64 && 64BIT
84088+ help
84089+ If you say Y here, the kernel's process stacks will be allocated
84090+ with vmalloc instead of the kernel's default allocator. This
84091+ introduces guard pages that in combination with the alloca checking
84092+ of the STACKLEAK feature prevents all forms of kernel process stack
84093+ overflow abuse. Note that this is different from kernel stack
84094+ buffer overflows.
84095+
84096+config GRKERNSEC_BRUTE
84097+ bool "Deter exploit bruteforcing"
84098+ default y if GRKERNSEC_CONFIG_AUTO
84099+ help
84100+ If you say Y here, attempts to bruteforce exploits against forking
84101+ daemons such as apache or sshd, as well as against suid/sgid binaries
84102+ will be deterred. When a child of a forking daemon is killed by PaX
84103+ or crashes due to an illegal instruction or other suspicious signal,
84104+ the parent process will be delayed 30 seconds upon every subsequent
84105+ fork until the administrator is able to assess the situation and
84106+ restart the daemon.
84107+ In the suid/sgid case, the attempt is logged, the user has all their
84108+ existing instances of the suid/sgid binary terminated and will
84109+ be unable to execute any suid/sgid binaries for 15 minutes.
84110+
84111+ It is recommended that you also enable signal logging in the auditing
84112+ section so that logs are generated when a process triggers a suspicious
84113+ signal.
84114+ If the sysctl option is enabled, a sysctl option with name
84115+ "deter_bruteforce" is created.
84116+
84117+config GRKERNSEC_MODHARDEN
84118+ bool "Harden module auto-loading"
84119+ default y if GRKERNSEC_CONFIG_AUTO
84120+ depends on MODULES
84121+ help
84122+ If you say Y here, module auto-loading in response to use of some
84123+ feature implemented by an unloaded module will be restricted to
84124+ root users. Enabling this option helps defend against attacks
84125+ by unprivileged users who abuse the auto-loading behavior to
84126+ cause a vulnerable module to load that is then exploited.
84127+
84128+ If this option prevents a legitimate use of auto-loading for a
84129+ non-root user, the administrator can execute modprobe manually
84130+ with the exact name of the module mentioned in the alert log.
84131+ Alternatively, the administrator can add the module to the list
84132+ of modules loaded at boot by modifying init scripts.
84133+
84134+ Modification of init scripts will most likely be needed on
84135+ Ubuntu servers with encrypted home directory support enabled,
84136+ as the first non-root user logging in will cause the ecb(aes),
84137+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
84138+
84139+config GRKERNSEC_HIDESYM
84140+ bool "Hide kernel symbols"
84141+ default y if GRKERNSEC_CONFIG_AUTO
84142+ select PAX_USERCOPY_SLABS
84143+ help
84144+ If you say Y here, getting information on loaded modules, and
84145+ displaying all kernel symbols through a syscall will be restricted
84146+ to users with CAP_SYS_MODULE. For software compatibility reasons,
84147+ /proc/kallsyms will be restricted to the root user. The RBAC
84148+ system can hide that entry even from root.
84149+
84150+ This option also prevents leaking of kernel addresses through
84151+ several /proc entries.
84152+
84153+ Note that this option is only effective provided the following
84154+ conditions are met:
84155+ 1) The kernel using grsecurity is not precompiled by some distribution
84156+ 2) You have also enabled GRKERNSEC_DMESG
84157+ 3) You are using the RBAC system and hiding other files such as your
84158+ kernel image and System.map. Alternatively, enabling this option
84159+ causes the permissions on /boot, /lib/modules, and the kernel
84160+ source directory to change at compile time to prevent
84161+ reading by non-root users.
84162+ If the above conditions are met, this option will aid in providing a
84163+ useful protection against local kernel exploitation of overflows
84164+ and arbitrary read/write vulnerabilities.
84165+
84166+ It is highly recommended that you enable GRKERNSEC_PERF_HARDEN
84167+ in addition to this feature.
84168+
84169+config GRKERNSEC_RANDSTRUCT
84170+ bool "Randomize layout of sensitive kernel structures"
84171+ default y if GRKERNSEC_CONFIG_AUTO
84172+ select GRKERNSEC_HIDESYM
84173+ select MODVERSIONS if MODULES
84174+ help
84175+ If you say Y here, the layouts of a number of sensitive kernel
84176+ structures (task, fs, cred, etc) and all structures composed entirely
84177+ of function pointers (aka "ops" structs) will be randomized at compile-time.
84178+ This can introduce the requirement of an additional infoleak
84179+ vulnerability for exploits targeting these structure types.
84180+
84181+ Enabling this feature will introduce some performance impact, slightly
84182+ increase memory usage, and prevent the use of forensic tools like
84183+ Volatility against the system (unless the kernel source tree isn't
84184+ cleaned after kernel installation).
84185+
84186+ The seed used for compilation is located at tools/gcc/randomize_layout_seed.h.
84187+ It remains after a make clean to allow for external modules to be compiled
84188+ with the existing seed and will be removed by a make mrproper or
84189+ make distclean.
84190+
84191+ Note that the implementation requires gcc 4.6.4. or newer. You may need
84192+ to install the supporting headers explicitly in addition to the normal
84193+ gcc package.
84194+
84195+config GRKERNSEC_RANDSTRUCT_PERFORMANCE
84196+ bool "Use cacheline-aware structure randomization"
84197+ depends on GRKERNSEC_RANDSTRUCT
84198+ default y if GRKERNSEC_CONFIG_PRIORITY_PERF
84199+ help
84200+ If you say Y here, the RANDSTRUCT randomization will make a best effort
84201+ at restricting randomization to cacheline-sized groups of elements. It
84202+ will further not randomize bitfields in structures. This reduces the
84203+ performance hit of RANDSTRUCT at the cost of weakened randomization.
84204+
84205+config GRKERNSEC_KERN_LOCKOUT
84206+ bool "Active kernel exploit response"
84207+ default y if GRKERNSEC_CONFIG_AUTO
84208+ depends on X86 || ARM || PPC || SPARC
84209+ help
84210+ If you say Y here, when a PaX alert is triggered due to suspicious
84211+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
84212+ or an OOPS occurs due to bad memory accesses, instead of just
84213+ terminating the offending process (and potentially allowing
84214+ a subsequent exploit from the same user), we will take one of two
84215+ actions:
84216+ If the user was root, we will panic the system
84217+ If the user was non-root, we will log the attempt, terminate
84218+ all processes owned by the user, then prevent them from creating
84219+ any new processes until the system is restarted
84220+ This deters repeated kernel exploitation/bruteforcing attempts
84221+ and is useful for later forensics.
84222+
84223+config GRKERNSEC_OLD_ARM_USERLAND
84224+ bool "Old ARM userland compatibility"
84225+ depends on ARM && (CPU_V6 || CPU_V6K || CPU_V7)
84226+ help
84227+ If you say Y here, stubs of executable code to perform such operations
84228+ as "compare-exchange" will be placed at fixed locations in the ARM vector
84229+ table. This is unfortunately needed for old ARM userland meant to run
84230+ across a wide range of processors. Without this option enabled,
84231+ the get_tls and data memory barrier stubs will be emulated by the kernel,
84232+ which is enough for Linaro userlands or other userlands designed for v6
84233+ and newer ARM CPUs. It's recommended that you try without this option enabled
84234+ first, and only enable it if your userland does not boot (it will likely fail
84235+ at init time).
84236+
84237+endmenu
84238+menu "Role Based Access Control Options"
84239+depends on GRKERNSEC
84240+
84241+config GRKERNSEC_RBAC_DEBUG
84242+ bool
84243+
84244+config GRKERNSEC_NO_RBAC
84245+ bool "Disable RBAC system"
84246+ help
84247+ If you say Y here, the /dev/grsec device will be removed from the kernel,
84248+ preventing the RBAC system from being enabled. You should only say Y
84249+ here if you have no intention of using the RBAC system, so as to prevent
84250+ an attacker with root access from misusing the RBAC system to hide files
84251+ and processes when loadable module support and /dev/[k]mem have been
84252+ locked down.
84253+
84254+config GRKERNSEC_ACL_HIDEKERN
84255+ bool "Hide kernel processes"
84256+ help
84257+ If you say Y here, all kernel threads will be hidden to all
84258+ processes but those whose subject has the "view hidden processes"
84259+ flag.
84260+
84261+config GRKERNSEC_ACL_MAXTRIES
84262+ int "Maximum tries before password lockout"
84263+ default 3
84264+ help
84265+ This option enforces the maximum number of times a user can attempt
84266+ to authorize themselves with the grsecurity RBAC system before being
84267+ denied the ability to attempt authorization again for a specified time.
84268+ The lower the number, the harder it will be to brute-force a password.
84269+
84270+config GRKERNSEC_ACL_TIMEOUT
84271+ int "Time to wait after max password tries, in seconds"
84272+ default 30
84273+ help
84274+ This option specifies the time the user must wait after attempting to
84275+ authorize to the RBAC system with the maximum number of invalid
84276+ passwords. The higher the number, the harder it will be to brute-force
84277+ a password.
84278+
84279+endmenu
84280+menu "Filesystem Protections"
84281+depends on GRKERNSEC
84282+
84283+config GRKERNSEC_PROC
84284+ bool "Proc restrictions"
84285+ default y if GRKERNSEC_CONFIG_AUTO
84286+ help
84287+ If you say Y here, the permissions of the /proc filesystem
84288+ will be altered to enhance system security and privacy. You MUST
84289+ choose either a user only restriction or a user and group restriction.
84290+ Depending upon the option you choose, you can either restrict users to
84291+ see only the processes they themselves run, or choose a group that can
84292+ view all processes and files normally restricted to root if you choose
84293+ the "restrict to user only" option. NOTE: If you're running identd or
84294+ ntpd as a non-root user, you will have to run it as the group you
84295+ specify here.
84296+
84297+config GRKERNSEC_PROC_USER
84298+ bool "Restrict /proc to user only"
84299+ depends on GRKERNSEC_PROC
84300+ help
84301+ If you say Y here, non-root users will only be able to view their own
84302+ processes, and restricts them from viewing network-related information,
84303+ and viewing kernel symbol and module information.
84304+
84305+config GRKERNSEC_PROC_USERGROUP
84306+ bool "Allow special group"
84307+ default y if GRKERNSEC_CONFIG_AUTO
84308+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
84309+ help
84310+ If you say Y here, you will be able to select a group that will be
84311+ able to view all processes and network-related information. If you've
84312+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
84313+ remain hidden. This option is useful if you want to run identd as
84314+ a non-root user. The group you select may also be chosen at boot time
84315+ via "grsec_proc_gid=" on the kernel commandline.
84316+
84317+config GRKERNSEC_PROC_GID
84318+ int "GID for special group"
84319+ depends on GRKERNSEC_PROC_USERGROUP
84320+ default 1001
84321+
84322+config GRKERNSEC_PROC_ADD
84323+ bool "Additional restrictions"
84324+ default y if GRKERNSEC_CONFIG_AUTO
84325+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
84326+ help
84327+ If you say Y here, additional restrictions will be placed on
84328+ /proc that keep normal users from viewing device information and
84329+ slabinfo information that could be useful for exploits.
84330+
84331+config GRKERNSEC_LINK
84332+ bool "Linking restrictions"
84333+ default y if GRKERNSEC_CONFIG_AUTO
84334+ help
84335+ If you say Y here, /tmp race exploits will be prevented, since users
84336+ will no longer be able to follow symlinks owned by other users in
84337+ world-writable +t directories (e.g. /tmp), unless the owner of the
84338+ symlink is the owner of the directory. users will also not be
84339+ able to hardlink to files they do not own. If the sysctl option is
84340+ enabled, a sysctl option with name "linking_restrictions" is created.
84341+
84342+config GRKERNSEC_SYMLINKOWN
84343+ bool "Kernel-enforced SymlinksIfOwnerMatch"
84344+ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
84345+ help
84346+ Apache's SymlinksIfOwnerMatch option has an inherent race condition
84347+ that prevents it from being used as a security feature. As Apache
84348+ verifies the symlink by performing a stat() against the target of
84349+ the symlink before it is followed, an attacker can setup a symlink
84350+ to point to a same-owned file, then replace the symlink with one
84351+ that targets another user's file just after Apache "validates" the
84352+ symlink -- a classic TOCTOU race. If you say Y here, a complete,
84353+ race-free replacement for Apache's "SymlinksIfOwnerMatch" option
84354+ will be in place for the group you specify. If the sysctl option
84355+ is enabled, a sysctl option with name "enforce_symlinksifowner" is
84356+ created.
84357+
84358+config GRKERNSEC_SYMLINKOWN_GID
84359+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
84360+ depends on GRKERNSEC_SYMLINKOWN
84361+ default 1006
84362+ help
84363+ Setting this GID determines what group kernel-enforced
84364+ SymlinksIfOwnerMatch will be enabled for. If the sysctl option
84365+ is enabled, a sysctl option with name "symlinkown_gid" is created.
84366+
84367+config GRKERNSEC_FIFO
84368+ bool "FIFO restrictions"
84369+ default y if GRKERNSEC_CONFIG_AUTO
84370+ help
84371+ If you say Y here, users will not be able to write to FIFOs they don't
84372+ own in world-writable +t directories (e.g. /tmp), unless the owner of
84373+ the FIFO is the same owner of the directory it's held in. If the sysctl
84374+ option is enabled, a sysctl option with name "fifo_restrictions" is
84375+ created.
84376+
84377+config GRKERNSEC_SYSFS_RESTRICT
84378+ bool "Sysfs/debugfs restriction"
84379+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
84380+ depends on SYSFS
84381+ help
84382+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
84383+ any filesystem normally mounted under it (e.g. debugfs) will be
84384+ mostly accessible only by root. These filesystems generally provide access
84385+ to hardware and debug information that isn't appropriate for unprivileged
84386+ users of the system. Sysfs and debugfs have also become a large source
84387+ of new vulnerabilities, ranging from infoleaks to local compromise.
84388+ There has been very little oversight with an eye toward security involved
84389+ in adding new exporters of information to these filesystems, so their
84390+ use is discouraged.
84391+ For reasons of compatibility, a few directories have been whitelisted
84392+ for access by non-root users:
84393+ /sys/fs/selinux
84394+ /sys/fs/fuse
84395+ /sys/devices/system/cpu
84396+
84397+config GRKERNSEC_ROFS
84398+ bool "Runtime read-only mount protection"
84399+ depends on SYSCTL
84400+ help
84401+ If you say Y here, a sysctl option with name "romount_protect" will
84402+ be created. By setting this option to 1 at runtime, filesystems
84403+ will be protected in the following ways:
84404+ * No new writable mounts will be allowed
84405+ * Existing read-only mounts won't be able to be remounted read/write
84406+ * Write operations will be denied on all block devices
84407+ This option acts independently of grsec_lock: once it is set to 1,
84408+ it cannot be turned off. Therefore, please be mindful of the resulting
84409+ behavior if this option is enabled in an init script on a read-only
84410+ filesystem.
84411+ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
84412+ and GRKERNSEC_IO should be enabled and module loading disabled via
84413+ config or at runtime.
84414+ This feature is mainly intended for secure embedded systems.
84415+
84416+
84417+config GRKERNSEC_DEVICE_SIDECHANNEL
84418+ bool "Eliminate stat/notify-based device sidechannels"
84419+ default y if GRKERNSEC_CONFIG_AUTO
84420+ help
84421+ If you say Y here, timing analyses on block or character
84422+ devices like /dev/ptmx using stat or inotify/dnotify/fanotify
84423+ will be thwarted for unprivileged users. If a process without
84424+ CAP_MKNOD stats such a device, the last access and last modify times
84425+ will match the device's create time. No access or modify events
84426+ will be triggered through inotify/dnotify/fanotify for such devices.
84427+ This feature will prevent attacks that may at a minimum
84428+ allow an attacker to determine the administrator's password length.
84429+
84430+config GRKERNSEC_CHROOT
84431+ bool "Chroot jail restrictions"
84432+ default y if GRKERNSEC_CONFIG_AUTO
84433+ help
84434+ If you say Y here, you will be able to choose several options that will
84435+ make breaking out of a chrooted jail much more difficult. If you
84436+ encounter no software incompatibilities with the following options, it
84437+ is recommended that you enable each one.
84438+
84439+ Note that the chroot restrictions are not intended to apply to "chroots"
84440+ to directories that are simple bind mounts of the global root filesystem.
84441+ For several other reasons, a user shouldn't expect any significant
84442+ security by performing such a chroot.
84443+
84444+config GRKERNSEC_CHROOT_MOUNT
84445+ bool "Deny mounts"
84446+ default y if GRKERNSEC_CONFIG_AUTO
84447+ depends on GRKERNSEC_CHROOT
84448+ help
84449+ If you say Y here, processes inside a chroot will not be able to
84450+ mount or remount filesystems. If the sysctl option is enabled, a
84451+ sysctl option with name "chroot_deny_mount" is created.
84452+
84453+config GRKERNSEC_CHROOT_DOUBLE
84454+ bool "Deny double-chroots"
84455+ default y if GRKERNSEC_CONFIG_AUTO
84456+ depends on GRKERNSEC_CHROOT
84457+ help
84458+ If you say Y here, processes inside a chroot will not be able to chroot
84459+ again outside the chroot. This is a widely used method of breaking
84460+ out of a chroot jail and should not be allowed. If the sysctl
84461+ option is enabled, a sysctl option with name
84462+ "chroot_deny_chroot" is created.
84463+
84464+config GRKERNSEC_CHROOT_PIVOT
84465+ bool "Deny pivot_root in chroot"
84466+ default y if GRKERNSEC_CONFIG_AUTO
84467+ depends on GRKERNSEC_CHROOT
84468+ help
84469+ If you say Y here, processes inside a chroot will not be able to use
84470+ a function called pivot_root() that was introduced in Linux 2.3.41. It
84471+ works similar to chroot in that it changes the root filesystem. This
84472+ function could be misused in a chrooted process to attempt to break out
84473+ of the chroot, and therefore should not be allowed. If the sysctl
84474+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
84475+ created.
84476+
84477+config GRKERNSEC_CHROOT_CHDIR
84478+ bool "Enforce chdir(\"/\") on all chroots"
84479+ default y if GRKERNSEC_CONFIG_AUTO
84480+ depends on GRKERNSEC_CHROOT
84481+ help
84482+ If you say Y here, the current working directory of all newly-chrooted
84483+ applications will be set to the the root directory of the chroot.
84484+ The man page on chroot(2) states:
84485+ Note that this call does not change the current working
84486+ directory, so that `.' can be outside the tree rooted at
84487+ `/'. In particular, the super-user can escape from a
84488+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
84489+
84490+ It is recommended that you say Y here, since it's not known to break
84491+ any software. If the sysctl option is enabled, a sysctl option with
84492+ name "chroot_enforce_chdir" is created.
84493+
84494+config GRKERNSEC_CHROOT_CHMOD
84495+ bool "Deny (f)chmod +s"
84496+ default y if GRKERNSEC_CONFIG_AUTO
84497+ depends on GRKERNSEC_CHROOT
84498+ help
84499+ If you say Y here, processes inside a chroot will not be able to chmod
84500+ or fchmod files to make them have suid or sgid bits. This protects
84501+ against another published method of breaking a chroot. If the sysctl
84502+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
84503+ created.
84504+
84505+config GRKERNSEC_CHROOT_FCHDIR
84506+ bool "Deny fchdir and fhandle out of chroot"
84507+ default y if GRKERNSEC_CONFIG_AUTO
84508+ depends on GRKERNSEC_CHROOT
84509+ help
84510+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
84511+ to a file descriptor of the chrooting process that points to a directory
84512+ outside the filesystem will be stopped. Additionally, this option prevents
84513+ use of the recently-created syscall for opening files by a guessable "file
84514+ handle" inside a chroot. If the sysctl option is enabled, a sysctl option
84515+ with name "chroot_deny_fchdir" is created.
84516+
84517+config GRKERNSEC_CHROOT_MKNOD
84518+ bool "Deny mknod"
84519+ default y if GRKERNSEC_CONFIG_AUTO
84520+ depends on GRKERNSEC_CHROOT
84521+ help
84522+ If you say Y here, processes inside a chroot will not be allowed to
84523+ mknod. The problem with using mknod inside a chroot is that it
84524+ would allow an attacker to create a device entry that is the same
84525+ as one on the physical root of your system, which could range from
84526+ anything from the console device to a device for your harddrive (which
84527+ they could then use to wipe the drive or steal data). It is recommended
84528+ that you say Y here, unless you run into software incompatibilities.
84529+ If the sysctl option is enabled, a sysctl option with name
84530+ "chroot_deny_mknod" is created.
84531+
84532+config GRKERNSEC_CHROOT_SHMAT
84533+ bool "Deny shmat() out of chroot"
84534+ default y if GRKERNSEC_CONFIG_AUTO
84535+ depends on GRKERNSEC_CHROOT
84536+ help
84537+ If you say Y here, processes inside a chroot will not be able to attach
84538+ to shared memory segments that were created outside of the chroot jail.
84539+ It is recommended that you say Y here. If the sysctl option is enabled,
84540+ a sysctl option with name "chroot_deny_shmat" is created.
84541+
84542+config GRKERNSEC_CHROOT_UNIX
84543+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
84544+ default y if GRKERNSEC_CONFIG_AUTO
84545+ depends on GRKERNSEC_CHROOT
84546+ help
84547+ If you say Y here, processes inside a chroot will not be able to
84548+ connect to abstract (meaning not belonging to a filesystem) Unix
84549+ domain sockets that were bound outside of a chroot. It is recommended
84550+ that you say Y here. If the sysctl option is enabled, a sysctl option
84551+ with name "chroot_deny_unix" is created.
84552+
84553+config GRKERNSEC_CHROOT_FINDTASK
84554+ bool "Protect outside processes"
84555+ default y if GRKERNSEC_CONFIG_AUTO
84556+ depends on GRKERNSEC_CHROOT
84557+ help
84558+ If you say Y here, processes inside a chroot will not be able to
84559+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
84560+ getsid, or view any process outside of the chroot. If the sysctl
84561+ option is enabled, a sysctl option with name "chroot_findtask" is
84562+ created.
84563+
84564+config GRKERNSEC_CHROOT_NICE
84565+ bool "Restrict priority changes"
84566+ default y if GRKERNSEC_CONFIG_AUTO
84567+ depends on GRKERNSEC_CHROOT
84568+ help
84569+ If you say Y here, processes inside a chroot will not be able to raise
84570+ the priority of processes in the chroot, or alter the priority of
84571+ processes outside the chroot. This provides more security than simply
84572+ removing CAP_SYS_NICE from the process' capability set. If the
84573+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
84574+ is created.
84575+
84576+config GRKERNSEC_CHROOT_SYSCTL
84577+ bool "Deny sysctl writes"
84578+ default y if GRKERNSEC_CONFIG_AUTO
84579+ depends on GRKERNSEC_CHROOT
84580+ help
84581+ If you say Y here, an attacker in a chroot will not be able to
84582+ write to sysctl entries, either by sysctl(2) or through a /proc
84583+ interface. It is strongly recommended that you say Y here. If the
84584+ sysctl option is enabled, a sysctl option with name
84585+ "chroot_deny_sysctl" is created.
84586+
84587+config GRKERNSEC_CHROOT_RENAME
84588+ bool "Deny bad renames"
84589+ default y if GRKERNSEC_CONFIG_AUTO
84590+ depends on GRKERNSEC_CHROOT
84591+ help
84592+ If you say Y here, an attacker in a chroot will not be able to
84593+ abuse the ability to create double chroots to break out of the
84594+ chroot by exploiting a race condition between a rename of a directory
84595+ within a chroot against an open of a symlink with relative path
84596+ components. This feature will likewise prevent an accomplice outside
84597+ a chroot from enabling a user inside the chroot to break out and make
84598+ use of their credentials on the global filesystem. Enabling this
84599+ feature is essential to prevent root users from breaking out of a
84600+ chroot. If the sysctl option is enabled, a sysctl option with name
84601+ "chroot_deny_bad_rename" is created.
84602+
84603+config GRKERNSEC_CHROOT_CAPS
84604+ bool "Capability restrictions"
84605+ default y if GRKERNSEC_CONFIG_AUTO
84606+ depends on GRKERNSEC_CHROOT
84607+ help
84608+ If you say Y here, the capabilities on all processes within a
84609+ chroot jail will be lowered to stop module insertion, raw i/o,
84610+ system and net admin tasks, rebooting the system, modifying immutable
84611+ files, modifying IPC owned by another, and changing the system time.
84612+ This is left an option because it can break some apps. Disable this
84613+ if your chrooted apps are having problems performing those kinds of
84614+ tasks. If the sysctl option is enabled, a sysctl option with
84615+ name "chroot_caps" is created.
84616+
84617+config GRKERNSEC_CHROOT_INITRD
84618+ bool "Exempt initrd tasks from restrictions"
84619+ default y if GRKERNSEC_CONFIG_AUTO
84620+ depends on GRKERNSEC_CHROOT && BLK_DEV_INITRD
84621+ help
84622+ If you say Y here, tasks started prior to init will be exempted from
84623+ grsecurity's chroot restrictions. This option is mainly meant to
84624+ resolve Plymouth's performing privileged operations unnecessarily
84625+ in a chroot.
84626+
84627+endmenu
84628+menu "Kernel Auditing"
84629+depends on GRKERNSEC
84630+
84631+config GRKERNSEC_AUDIT_GROUP
84632+ bool "Single group for auditing"
84633+ help
84634+ If you say Y here, the exec and chdir logging features will only operate
84635+ on a group you specify. This option is recommended if you only want to
84636+ watch certain users instead of having a large amount of logs from the
84637+ entire system. If the sysctl option is enabled, a sysctl option with
84638+ name "audit_group" is created.
84639+
84640+config GRKERNSEC_AUDIT_GID
84641+ int "GID for auditing"
84642+ depends on GRKERNSEC_AUDIT_GROUP
84643+ default 1007
84644+
84645+config GRKERNSEC_EXECLOG
84646+ bool "Exec logging"
84647+ help
84648+ If you say Y here, all execve() calls will be logged (since the
84649+ other exec*() calls are frontends to execve(), all execution
84650+ will be logged). Useful for shell-servers that like to keep track
84651+ of their users. If the sysctl option is enabled, a sysctl option with
84652+ name "exec_logging" is created.
84653+ WARNING: This option when enabled will produce a LOT of logs, especially
84654+ on an active system.
84655+
84656+config GRKERNSEC_RESLOG
84657+ bool "Resource logging"
84658+ default y if GRKERNSEC_CONFIG_AUTO
84659+ help
84660+ If you say Y here, all attempts to overstep resource limits will
84661+ be logged with the resource name, the requested size, and the current
84662+ limit. It is highly recommended that you say Y here. If the sysctl
84663+ option is enabled, a sysctl option with name "resource_logging" is
84664+ created. If the RBAC system is enabled, the sysctl value is ignored.
84665+
84666+config GRKERNSEC_CHROOT_EXECLOG
84667+ bool "Log execs within chroot"
84668+ help
84669+ If you say Y here, all executions inside a chroot jail will be logged
84670+ to syslog. This can cause a large amount of logs if certain
84671+ applications (eg. djb's daemontools) are installed on the system, and
84672+ is therefore left as an option. If the sysctl option is enabled, a
84673+ sysctl option with name "chroot_execlog" is created.
84674+
84675+config GRKERNSEC_AUDIT_PTRACE
84676+ bool "Ptrace logging"
84677+ help
84678+ If you say Y here, all attempts to attach to a process via ptrace
84679+ will be logged. If the sysctl option is enabled, a sysctl option
84680+ with name "audit_ptrace" is created.
84681+
84682+config GRKERNSEC_AUDIT_CHDIR
84683+ bool "Chdir logging"
84684+ help
84685+ If you say Y here, all chdir() calls will be logged. If the sysctl
84686+ option is enabled, a sysctl option with name "audit_chdir" is created.
84687+
84688+config GRKERNSEC_AUDIT_MOUNT
84689+ bool "(Un)Mount logging"
84690+ help
84691+ If you say Y here, all mounts and unmounts will be logged. If the
84692+ sysctl option is enabled, a sysctl option with name "audit_mount" is
84693+ created.
84694+
84695+config GRKERNSEC_SIGNAL
84696+ bool "Signal logging"
84697+ default y if GRKERNSEC_CONFIG_AUTO
84698+ help
84699+ If you say Y here, certain important signals will be logged, such as
84700+ SIGSEGV, which will as a result inform you of when a error in a program
84701+ occurred, which in some cases could mean a possible exploit attempt.
84702+ If the sysctl option is enabled, a sysctl option with name
84703+ "signal_logging" is created.
84704+
84705+config GRKERNSEC_FORKFAIL
84706+ bool "Fork failure logging"
84707+ help
84708+ If you say Y here, all failed fork() attempts will be logged.
84709+ This could suggest a fork bomb, or someone attempting to overstep
84710+ their process limit. If the sysctl option is enabled, a sysctl option
84711+ with name "forkfail_logging" is created.
84712+
84713+config GRKERNSEC_TIME
84714+ bool "Time change logging"
84715+ default y if GRKERNSEC_CONFIG_AUTO
84716+ help
84717+ If you say Y here, any changes of the system clock will be logged.
84718+ If the sysctl option is enabled, a sysctl option with name
84719+ "timechange_logging" is created.
84720+
84721+config GRKERNSEC_PROC_IPADDR
84722+ bool "/proc/<pid>/ipaddr support"
84723+ default y if GRKERNSEC_CONFIG_AUTO
84724+ help
84725+ If you say Y here, a new entry will be added to each /proc/<pid>
84726+ directory that contains the IP address of the person using the task.
84727+ The IP is carried across local TCP and AF_UNIX stream sockets.
84728+ This information can be useful for IDS/IPSes to perform remote response
84729+ to a local attack. The entry is readable by only the owner of the
84730+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
84731+ the RBAC system), and thus does not create privacy concerns.
84732+
84733+config GRKERNSEC_RWXMAP_LOG
84734+ bool 'Denied RWX mmap/mprotect logging'
84735+ default y if GRKERNSEC_CONFIG_AUTO
84736+ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
84737+ help
84738+ If you say Y here, calls to mmap() and mprotect() with explicit
84739+ usage of PROT_WRITE and PROT_EXEC together will be logged when
84740+ denied by the PAX_MPROTECT feature. This feature will also
84741+ log other problematic scenarios that can occur when PAX_MPROTECT
84742+ is enabled on a binary, like textrels and PT_GNU_STACK. If the
84743+ sysctl option is enabled, a sysctl option with name "rwxmap_logging"
84744+ is created.
84745+
84746+endmenu
84747+
84748+menu "Executable Protections"
84749+depends on GRKERNSEC
84750+
84751+config GRKERNSEC_DMESG
84752+ bool "Dmesg(8) restriction"
84753+ default y if GRKERNSEC_CONFIG_AUTO
84754+ help
84755+ If you say Y here, non-root users will not be able to use dmesg(8)
84756+ to view the contents of the kernel's circular log buffer.
84757+ The kernel's log buffer often contains kernel addresses and other
84758+ identifying information useful to an attacker in fingerprinting a
84759+ system for a targeted exploit.
84760+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
84761+ created.
84762+
84763+config GRKERNSEC_HARDEN_PTRACE
84764+ bool "Deter ptrace-based process snooping"
84765+ default y if GRKERNSEC_CONFIG_AUTO
84766+ help
84767+ If you say Y here, TTY sniffers and other malicious monitoring
84768+ programs implemented through ptrace will be defeated. If you
84769+ have been using the RBAC system, this option has already been
84770+ enabled for several years for all users, with the ability to make
84771+ fine-grained exceptions.
84772+
84773+ This option only affects the ability of non-root users to ptrace
84774+ processes that are not a descendent of the ptracing process.
84775+ This means that strace ./binary and gdb ./binary will still work,
84776+ but attaching to arbitrary processes will not. If the sysctl
84777+ option is enabled, a sysctl option with name "harden_ptrace" is
84778+ created.
84779+
84780+config GRKERNSEC_PTRACE_READEXEC
84781+ bool "Require read access to ptrace sensitive binaries"
84782+ default y if GRKERNSEC_CONFIG_AUTO
84783+ help
84784+ If you say Y here, unprivileged users will not be able to ptrace unreadable
84785+ binaries. This option is useful in environments that
84786+ remove the read bits (e.g. file mode 4711) from suid binaries to
84787+ prevent infoleaking of their contents. This option adds
84788+ consistency to the use of that file mode, as the binary could normally
84789+ be read out when run without privileges while ptracing.
84790+
84791+ If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
84792+ is created.
84793+
84794+config GRKERNSEC_SETXID
84795+ bool "Enforce consistent multithreaded privileges"
84796+ default y if GRKERNSEC_CONFIG_AUTO
84797+ depends on (X86 || SPARC64 || PPC || ARM || MIPS)
84798+ help
84799+ If you say Y here, a change from a root uid to a non-root uid
84800+ in a multithreaded application will cause the resulting uids,
84801+ gids, supplementary groups, and capabilities in that thread
84802+ to be propagated to the other threads of the process. In most
84803+ cases this is unnecessary, as glibc will emulate this behavior
84804+ on behalf of the application. Other libcs do not act in the
84805+ same way, allowing the other threads of the process to continue
84806+ running with root privileges. If the sysctl option is enabled,
84807+ a sysctl option with name "consistent_setxid" is created.
84808+
84809+config GRKERNSEC_HARDEN_IPC
84810+ bool "Disallow access to overly-permissive IPC objects"
84811+ default y if GRKERNSEC_CONFIG_AUTO
84812+ depends on SYSVIPC
84813+ help
84814+ If you say Y here, access to overly-permissive IPC objects (shared
84815+ memory, message queues, and semaphores) will be denied for processes
84816+ given the following criteria beyond normal permission checks:
84817+ 1) If the IPC object is world-accessible and the euid doesn't match
84818+ that of the creator or current uid for the IPC object
84819+ 2) If the IPC object is group-accessible and the egid doesn't
84820+ match that of the creator or current gid for the IPC object
84821+ It's a common error to grant too much permission to these objects,
84822+ with impact ranging from denial of service and information leaking to
84823+ privilege escalation. This feature was developed in response to
84824+ research by Tim Brown:
84825+ http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
84826+ who found hundreds of such insecure usages. Processes with
84827+ CAP_IPC_OWNER are still permitted to access these IPC objects.
84828+ If the sysctl option is enabled, a sysctl option with name
84829+ "harden_ipc" is created.
84830+
84831+config GRKERNSEC_TPE
84832+ bool "Trusted Path Execution (TPE)"
84833+ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
84834+ help
84835+ If you say Y here, you will be able to choose a gid to add to the
84836+ supplementary groups of users you want to mark as "untrusted."
84837+ These users will not be able to execute any files that are not in
84838+ root-owned directories writable only by root. If the sysctl option
84839+ is enabled, a sysctl option with name "tpe" is created.
84840+
84841+config GRKERNSEC_TPE_ALL
84842+ bool "Partially restrict all non-root users"
84843+ depends on GRKERNSEC_TPE
84844+ help
84845+ If you say Y here, all non-root users will be covered under
84846+ a weaker TPE restriction. This is separate from, and in addition to,
84847+ the main TPE options that you have selected elsewhere. Thus, if a
84848+ "trusted" GID is chosen, this restriction applies to even that GID.
84849+ Under this restriction, all non-root users will only be allowed to
84850+ execute files in directories they own that are not group or
84851+ world-writable, or in directories owned by root and writable only by
84852+ root. If the sysctl option is enabled, a sysctl option with name
84853+ "tpe_restrict_all" is created.
84854+
84855+config GRKERNSEC_TPE_INVERT
84856+ bool "Invert GID option"
84857+ depends on GRKERNSEC_TPE
84858+ help
84859+ If you say Y here, the group you specify in the TPE configuration will
84860+ decide what group TPE restrictions will be *disabled* for. This
84861+ option is useful if you want TPE restrictions to be applied to most
84862+ users on the system. If the sysctl option is enabled, a sysctl option
84863+ with name "tpe_invert" is created. Unlike other sysctl options, this
84864+ entry will default to on for backward-compatibility.
84865+
84866+config GRKERNSEC_TPE_GID
84867+ int
84868+ default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
84869+ default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
84870+
84871+config GRKERNSEC_TPE_UNTRUSTED_GID
84872+ int "GID for TPE-untrusted users"
84873+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
84874+ default 1005
84875+ help
84876+ Setting this GID determines what group TPE restrictions will be
84877+ *enabled* for. If the sysctl option is enabled, a sysctl option
84878+ with name "tpe_gid" is created.
84879+
84880+config GRKERNSEC_TPE_TRUSTED_GID
84881+ int "GID for TPE-trusted users"
84882+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
84883+ default 1005
84884+ help
84885+ Setting this GID determines what group TPE restrictions will be
84886+ *disabled* for. If the sysctl option is enabled, a sysctl option
84887+ with name "tpe_gid" is created.
84888+
84889+endmenu
84890+menu "Network Protections"
84891+depends on GRKERNSEC
84892+
84893+config GRKERNSEC_BLACKHOLE
84894+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
84895+ default y if GRKERNSEC_CONFIG_AUTO
84896+ depends on NET
84897+ help
84898+ If you say Y here, neither TCP resets nor ICMP
84899+ destination-unreachable packets will be sent in response to packets
84900+ sent to ports for which no associated listening process exists.
84901+ It will also prevent the sending of ICMP protocol unreachable packets
84902+ in response to packets with unknown protocols.
84903+ This feature supports both IPV4 and IPV6 and exempts the
84904+ loopback interface from blackholing. Enabling this feature
84905+ makes a host more resilient to DoS attacks and reduces network
84906+ visibility against scanners.
84907+
84908+ The blackhole feature as-implemented is equivalent to the FreeBSD
84909+ blackhole feature, as it prevents RST responses to all packets, not
84910+ just SYNs. Under most application behavior this causes no
84911+ problems, but applications (like haproxy) may not close certain
84912+ connections in a way that cleanly terminates them on the remote
84913+ end, leaving the remote host in LAST_ACK state. Because of this
84914+ side-effect and to prevent intentional LAST_ACK DoSes, this
84915+ feature also adds automatic mitigation against such attacks.
84916+ The mitigation drastically reduces the amount of time a socket
84917+ can spend in LAST_ACK state. If you're using haproxy and not
84918+ all servers it connects to have this option enabled, consider
84919+ disabling this feature on the haproxy host.
84920+
84921+ If the sysctl option is enabled, two sysctl options with names
84922+ "ip_blackhole" and "lastack_retries" will be created.
84923+ While "ip_blackhole" takes the standard zero/non-zero on/off
84924+ toggle, "lastack_retries" uses the same kinds of values as
84925+ "tcp_retries1" and "tcp_retries2". The default value of 4
84926+ prevents a socket from lasting more than 45 seconds in LAST_ACK
84927+ state.
84928+
84929+config GRKERNSEC_NO_SIMULT_CONNECT
84930+ bool "Disable TCP Simultaneous Connect"
84931+ default y if GRKERNSEC_CONFIG_AUTO
84932+ depends on NET
84933+ help
84934+ If you say Y here, a feature by Willy Tarreau will be enabled that
84935+ removes a weakness in Linux's strict implementation of TCP that
84936+ allows two clients to connect to each other without either entering
84937+ a listening state. The weakness allows an attacker to easily prevent
84938+ a client from connecting to a known server provided the source port
84939+ for the connection is guessed correctly.
84940+
84941+ As the weakness could be used to prevent an antivirus or IPS from
84942+ fetching updates, or prevent an SSL gateway from fetching a CRL,
84943+ it should be eliminated by enabling this option. Though Linux is
84944+ one of few operating systems supporting simultaneous connect, it
84945+ has no legitimate use in practice and is rarely supported by firewalls.
84946+
84947+config GRKERNSEC_SOCKET
84948+ bool "Socket restrictions"
84949+ depends on NET
84950+ help
84951+ If you say Y here, you will be able to choose from several options.
84952+ If you assign a GID on your system and add it to the supplementary
84953+ groups of users you want to restrict socket access to, this patch
84954+ will perform up to three things, based on the option(s) you choose.
84955+
84956+config GRKERNSEC_SOCKET_ALL
84957+ bool "Deny any sockets to group"
84958+ depends on GRKERNSEC_SOCKET
84959+ help
84960+ If you say Y here, you will be able to choose a GID of whose users will
84961+ be unable to connect to other hosts from your machine or run server
84962+ applications from your machine. If the sysctl option is enabled, a
84963+ sysctl option with name "socket_all" is created.
84964+
84965+config GRKERNSEC_SOCKET_ALL_GID
84966+ int "GID to deny all sockets for"
84967+ depends on GRKERNSEC_SOCKET_ALL
84968+ default 1004
84969+ help
84970+ Here you can choose the GID to disable socket access for. Remember to
84971+ add the users you want socket access disabled for to the GID
84972+ specified here. If the sysctl option is enabled, a sysctl option
84973+ with name "socket_all_gid" is created.
84974+
84975+config GRKERNSEC_SOCKET_CLIENT
84976+ bool "Deny client sockets to group"
84977+ depends on GRKERNSEC_SOCKET
84978+ help
84979+ If you say Y here, you will be able to choose a GID of whose users will
84980+ be unable to connect to other hosts from your machine, but will be
84981+ able to run servers. If this option is enabled, all users in the group
84982+ you specify will have to use passive mode when initiating ftp transfers
84983+ from the shell on your machine. If the sysctl option is enabled, a
84984+ sysctl option with name "socket_client" is created.
84985+
84986+config GRKERNSEC_SOCKET_CLIENT_GID
84987+ int "GID to deny client sockets for"
84988+ depends on GRKERNSEC_SOCKET_CLIENT
84989+ default 1003
84990+ help
84991+ Here you can choose the GID to disable client socket access for.
84992+ Remember to add the users you want client socket access disabled for to
84993+ the GID specified here. If the sysctl option is enabled, a sysctl
84994+ option with name "socket_client_gid" is created.
84995+
84996+config GRKERNSEC_SOCKET_SERVER
84997+ bool "Deny server sockets to group"
84998+ depends on GRKERNSEC_SOCKET
84999+ help
85000+ If you say Y here, you will be able to choose a GID of whose users will
85001+ be unable to run server applications from your machine. If the sysctl
85002+ option is enabled, a sysctl option with name "socket_server" is created.
85003+
85004+config GRKERNSEC_SOCKET_SERVER_GID
85005+ int "GID to deny server sockets for"
85006+ depends on GRKERNSEC_SOCKET_SERVER
85007+ default 1002
85008+ help
85009+ Here you can choose the GID to disable server socket access for.
85010+ Remember to add the users you want server socket access disabled for to
85011+ the GID specified here. If the sysctl option is enabled, a sysctl
85012+ option with name "socket_server_gid" is created.
85013+
85014+endmenu
85015+
85016+menu "Physical Protections"
85017+depends on GRKERNSEC
85018+
85019+config GRKERNSEC_DENYUSB
85020+ bool "Deny new USB connections after toggle"
85021+ default y if GRKERNSEC_CONFIG_AUTO
85022+ depends on SYSCTL && USB_SUPPORT
85023+ help
85024+ If you say Y here, a new sysctl option with name "deny_new_usb"
85025+ will be created. Setting its value to 1 will prevent any new
85026+ USB devices from being recognized by the OS. Any attempted USB
85027+ device insertion will be logged. This option is intended to be
85028+ used against custom USB devices designed to exploit vulnerabilities
85029+ in various USB device drivers.
85030+
85031+ For greatest effectiveness, this sysctl should be set after any
85032+ relevant init scripts. This option is safe to enable in distros
85033+ as each user can choose whether or not to toggle the sysctl.
85034+
85035+config GRKERNSEC_DENYUSB_FORCE
85036+ bool "Reject all USB devices not connected at boot"
85037+ select USB
85038+ depends on GRKERNSEC_DENYUSB
85039+ help
85040+ If you say Y here, a variant of GRKERNSEC_DENYUSB will be enabled
85041+ that doesn't involve a sysctl entry. This option should only be
85042+ enabled if you're sure you want to deny all new USB connections
85043+ at runtime and don't want to modify init scripts. This should not
85044+ be enabled by distros. It forces the core USB code to be built
85045+ into the kernel image so that all devices connected at boot time
85046+ can be recognized and new USB device connections can be prevented
85047+ prior to init running.
85048+
85049+endmenu
85050+
85051+menu "Sysctl Support"
85052+depends on GRKERNSEC && SYSCTL
85053+
85054+config GRKERNSEC_SYSCTL
85055+ bool "Sysctl support"
85056+ default y if GRKERNSEC_CONFIG_AUTO
85057+ help
85058+ If you say Y here, you will be able to change the options that
85059+ grsecurity runs with at bootup, without having to recompile your
85060+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
85061+ to enable (1) or disable (0) various features. All the sysctl entries
85062+ are mutable until the "grsec_lock" entry is set to a non-zero value.
85063+ All features enabled in the kernel configuration are disabled at boot
85064+ if you do not say Y to the "Turn on features by default" option.
85065+ All options should be set at startup, and the grsec_lock entry should
85066+ be set to a non-zero value after all the options are set.
85067+ *THIS IS EXTREMELY IMPORTANT*
85068+
85069+config GRKERNSEC_SYSCTL_DISTRO
85070+ bool "Extra sysctl support for distro makers (READ HELP)"
85071+ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
85072+ help
85073+ If you say Y here, additional sysctl options will be created
85074+ for features that affect processes running as root. Therefore,
85075+ it is critical when using this option that the grsec_lock entry be
85076+ enabled after boot. Only distros with prebuilt kernel packages
85077+ with this option enabled that can ensure grsec_lock is enabled
85078+ after boot should use this option.
85079+ *Failure to set grsec_lock after boot makes all grsec features
85080+ this option covers useless*
85081+
85082+ Currently this option creates the following sysctl entries:
85083+ "Disable Privileged I/O": "disable_priv_io"
85084+
85085+config GRKERNSEC_SYSCTL_ON
85086+ bool "Turn on features by default"
85087+ default y if GRKERNSEC_CONFIG_AUTO
85088+ depends on GRKERNSEC_SYSCTL
85089+ help
85090+ If you say Y here, instead of having all features enabled in the
85091+ kernel configuration disabled at boot time, the features will be
85092+ enabled at boot time. It is recommended you say Y here unless
85093+ there is some reason you would want all sysctl-tunable features to
85094+ be disabled by default. As mentioned elsewhere, it is important
85095+ to enable the grsec_lock entry once you have finished modifying
85096+ the sysctl entries.
85097+
85098+endmenu
85099+menu "Logging Options"
85100+depends on GRKERNSEC
85101+
85102+config GRKERNSEC_FLOODTIME
85103+ int "Seconds in between log messages (minimum)"
85104+ default 10
85105+ help
85106+ This option allows you to enforce the number of seconds between
85107+ grsecurity log messages. The default should be suitable for most
85108+ people, however, if you choose to change it, choose a value small enough
85109+ to allow informative logs to be produced, but large enough to
85110+ prevent flooding.
85111+
85112+ Setting both this value and GRKERNSEC_FLOODBURST to 0 will disable
85113+ any rate limiting on grsecurity log messages.
85114+
85115+config GRKERNSEC_FLOODBURST
85116+ int "Number of messages in a burst (maximum)"
85117+ default 6
85118+ help
85119+ This option allows you to choose the maximum number of messages allowed
85120+ within the flood time interval you chose in a separate option. The
85121+ default should be suitable for most people, however if you find that
85122+ many of your logs are being interpreted as flooding, you may want to
85123+ raise this value.
85124+
85125+ Setting both this value and GRKERNSEC_FLOODTIME to 0 will disable
85126+ any rate limiting on grsecurity log messages.
85127+
85128+endmenu
85129diff --git a/grsecurity/Makefile b/grsecurity/Makefile
85130new file mode 100644
85131index 0000000..30ababb
85132--- /dev/null
85133+++ b/grsecurity/Makefile
85134@@ -0,0 +1,54 @@
85135+# grsecurity – access control and security hardening for Linux
85136+# All code in this directory and various hooks located throughout the Linux kernel are
85137+# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
85138+# http://www.grsecurity.net spender@grsecurity.net
85139+#
85140+# This program is free software; you can redistribute it and/or
85141+# modify it under the terms of the GNU General Public License version 2
85142+# as published by the Free Software Foundation.
85143+#
85144+# This program is distributed in the hope that it will be useful,
85145+# but WITHOUT ANY WARRANTY; without even the implied warranty of
85146+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
85147+# GNU General Public License for more details.
85148+#
85149+# You should have received a copy of the GNU General Public License
85150+# along with this program; if not, write to the Free Software
85151+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
85152+
85153+KBUILD_CFLAGS += -Werror
85154+
85155+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
85156+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
85157+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
85158+ grsec_usb.o grsec_ipc.o grsec_proc.o
85159+
85160+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
85161+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
85162+ gracl_learn.o grsec_log.o gracl_policy.o
85163+ifdef CONFIG_COMPAT
85164+obj-$(CONFIG_GRKERNSEC) += gracl_compat.o
85165+endif
85166+
85167+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
85168+
85169+ifdef CONFIG_NET
85170+obj-y += grsec_sock.o
85171+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
85172+endif
85173+
85174+ifndef CONFIG_GRKERNSEC
85175+obj-y += grsec_disabled.o
85176+endif
85177+
85178+ifdef CONFIG_GRKERNSEC_HIDESYM
85179+extra-y := grsec_hidesym.o
85180+$(obj)/grsec_hidesym.o:
85181+ @-chmod -f 500 /boot
85182+ @-chmod -f 500 /lib/modules
85183+ @-chmod -f 500 /lib64/modules
85184+ @-chmod -f 500 /lib32/modules
85185+ @-chmod -f 700 .
85186+ @-chmod -f 700 $(objtree)
85187+ @echo ' grsec: protected kernel image paths'
85188+endif
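Review bot: The `$(obj)/grsec_hidesym.o` recipe at the end of this Makefile prints `grsec: protected kernel image paths` unconditionally, although every `chmod` before it carries both the `-` prefix and `-f`. A build run as a non-root user, or on a host that lacks `/lib64/modules` or `/lib32/modules`, therefore reports protection that was never applied. The recipe also tightens permissions on `/boot` and `/lib/modules` of the build machine, which is not necessarily the machine that will boot the kernel, so HIDESYM's assumption that the kernel image is unreadable may not hold on the target. I would add a comment above the rule such as `# NOTE: only restricts paths on the build host; apply the same modes on the target if the kernel is built elsewhere`. I would also word the message as an attempt, e.g. `@echo ' grsec: attempted to restrict kernel image paths (verify modes on the target)'`, or print it only when the `chmod` calls succeed.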
85189diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
85190new file mode 100644
85191index 0000000..7ad630a
85192--- /dev/null
85193+++ b/grsecurity/gracl.c
85194@@ -0,0 +1,2757 @@
85195+#include <linux/kernel.h>
85196+#include <linux/module.h>
85197+#include <linux/sched.h>
85198+#include <linux/mm.h>
85199+#include <linux/file.h>
85200+#include <linux/fs.h>
85201+#include <linux/namei.h>
85202+#include <linux/mount.h>
85203+#include <linux/tty.h>
85204+#include <linux/proc_fs.h>
85205+#include <linux/lglock.h>
85206+#include <linux/slab.h>
85207+#include <linux/vmalloc.h>
85208+#include <linux/types.h>
85209+#include <linux/sysctl.h>
85210+#include <linux/netdevice.h>
85211+#include <linux/ptrace.h>
85212+#include <linux/gracl.h>
85213+#include <linux/gralloc.h>
85214+#include <linux/security.h>
85215+#include <linux/grinternal.h>
85216+#include <linux/pid_namespace.h>
85217+#include <linux/stop_machine.h>
85218+#include <linux/fdtable.h>
85219+#include <linux/percpu.h>
85220+#include <linux/lglock.h>
85221+#include <linux/hugetlb.h>
85222+#include <linux/posix-timers.h>
85223+#include <linux/prefetch.h>
85224+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
85225+#include <linux/magic.h>
85226+#include <linux/pagemap.h>
85227+#include "../fs/btrfs/async-thread.h"
85228+#include "../fs/btrfs/ctree.h"
85229+#include "../fs/btrfs/btrfs_inode.h"
85230+#endif
85231+#include "../fs/mount.h"
85232+
85233+#include <asm/uaccess.h>
85234+#include <asm/errno.h>
85235+#include <asm/mman.h>
85236+
85237+#define FOR_EACH_ROLE_START(role) \
85238+ role = running_polstate.role_list; \
85239+ while (role) {
85240+
85241+#define FOR_EACH_ROLE_END(role) \
85242+ role = role->prev; \
85243+ }
85244+
85245+extern struct path gr_real_root;
85246+
85247+static struct gr_policy_state running_polstate;
85248+struct gr_policy_state *polstate = &running_polstate;
85249+extern struct gr_alloc_state *current_alloc_state;
85250+
85251+extern char *gr_shared_page[4];
85252+DEFINE_RWLOCK(gr_inode_lock);
85253+
85254+static unsigned int gr_status __read_only = GR_STATUS_INIT;
85255+
85256+#ifdef CONFIG_NET
85257+extern struct vfsmount *sock_mnt;
85258+#endif
85259+
85260+extern struct vfsmount *pipe_mnt;
85261+extern struct vfsmount *shm_mnt;
85262+
85263+#ifdef CONFIG_HUGETLBFS
85264+extern struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
85265+#endif
85266+
85267+extern u16 acl_sp_role_value;
85268+extern struct acl_object_label *fakefs_obj_rw;
85269+extern struct acl_object_label *fakefs_obj_rwx;
85270+
85271+int gr_acl_is_enabled(void)
85272+{
85273+ return (gr_status & GR_READY);
85274+}
85275+
85276+void gr_enable_rbac_system(void)
85277+{
85278+ pax_open_kernel();
85279+ gr_status |= GR_READY;
85280+ pax_close_kernel();
85281+}
85282+
85283+int gr_rbac_disable(void *unused)
85284+{
85285+ pax_open_kernel();
85286+ gr_status &= ~GR_READY;
85287+ pax_close_kernel();
85288+
85289+ return 0;
85290+}
85291+
85292+static inline dev_t __get_dev(const struct dentry *dentry)
85293+{
85294+ struct dentry *ldentry = d_backing_dentry((struct dentry *)dentry);
85295+
85296+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
85297+ if (ldentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
85298+ return BTRFS_I(d_inode(ldentry))->root->anon_dev;
85299+ else
85300+#endif
85301+ return d_inode(ldentry)->i_sb->s_dev;
85302+}
85303+
85304+static inline u64 __get_ino(const struct dentry *dentry)
85305+{
85306+ struct dentry *ldentry = d_backing_dentry((struct dentry *)dentry);
85307+
85308+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
85309+ if (ldentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
85310+ return btrfs_ino(d_inode(dentry));
85311+ else
85312+#endif
85313+ return d_inode(ldentry)->i_ino;
85314+}
85315+
85316+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
85317+{
85318+ return __get_dev(dentry);
85319+}
85320+
85321+u64 gr_get_ino_from_dentry(struct dentry *dentry)
85322+{
85323+ return __get_ino(dentry);
85324+}
85325+
85326+static char gr_task_roletype_to_char(struct task_struct *task)
85327+{
85328+ switch (task->role->roletype &
85329+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
85330+ GR_ROLE_SPECIAL)) {
85331+ case GR_ROLE_DEFAULT:
85332+ return 'D';
85333+ case GR_ROLE_USER:
85334+ return 'U';
85335+ case GR_ROLE_GROUP:
85336+ return 'G';
85337+ case GR_ROLE_SPECIAL:
85338+ return 'S';
85339+ }
85340+
85341+ return 'X';
85342+}
85343+
85344+char gr_roletype_to_char(void)
85345+{
85346+ return gr_task_roletype_to_char(current);
85347+}
85348+
85349+int
85350+gr_acl_tpe_check(void)
85351+{
85352+ if (unlikely(!(gr_status & GR_READY)))
85353+ return 0;
85354+ if (current->role->roletype & GR_ROLE_TPE)
85355+ return 1;
85356+ else
85357+ return 0;
85358+}
85359+
85360+int
85361+gr_handle_rawio(const struct inode *inode)
85362+{
85363+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
85364+ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
85365+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
85366+ !capable(CAP_SYS_RAWIO))
85367+ return 1;
85368+#endif
85369+ return 0;
85370+}
85371+
85372+int
85373+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
85374+{
85375+ if (likely(lena != lenb))
85376+ return 0;
85377+
85378+ return !memcmp(a, b, lena);
85379+}
85380+
85381+static int prepend(char **buffer, int *buflen, const char *str, int namelen)
85382+{
85383+ *buflen -= namelen;
85384+ if (*buflen < 0)
85385+ return -ENAMETOOLONG;
85386+ *buffer -= namelen;
85387+ memcpy(*buffer, str, namelen);
85388+ return 0;
85389+}
85390+
85391+static int prepend_name(char **buffer, int *buflen, struct qstr *name)
85392+{
85393+ return prepend(buffer, buflen, name->name, name->len);
85394+}
85395+
85396+static int prepend_path(const struct path *path, struct path *root,
85397+ char **buffer, int *buflen)
85398+{
85399+ struct dentry *dentry = path->dentry;
85400+ struct vfsmount *vfsmnt = path->mnt;
85401+ struct mount *mnt = real_mount(vfsmnt);
85402+ bool slash = false;
85403+ int error = 0;
85404+
85405+ while (dentry != root->dentry || vfsmnt != root->mnt) {
85406+ struct dentry * parent;
85407+
85408+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
85409+ /* Global root? */
85410+ if (!mnt_has_parent(mnt)) {
85411+ goto out;
85412+ }
85413+ dentry = mnt->mnt_mountpoint;
85414+ mnt = mnt->mnt_parent;
85415+ vfsmnt = &mnt->mnt;
85416+ continue;
85417+ }
85418+ parent = dentry->d_parent;
85419+ prefetch(parent);
85420+ spin_lock(&dentry->d_lock);
85421+ error = prepend_name(buffer, buflen, &dentry->d_name);
85422+ spin_unlock(&dentry->d_lock);
85423+ if (!error)
85424+ error = prepend(buffer, buflen, "/", 1);
85425+ if (error)
85426+ break;
85427+
85428+ slash = true;
85429+ dentry = parent;
85430+ }
85431+
85432+out:
85433+ if (!error && !slash)
85434+ error = prepend(buffer, buflen, "/", 1);
85435+
85436+ return error;
85437+}
85438+
85439+/* this must be called with mount_lock and rename_lock held */
85440+
85441+static char *__our_d_path(const struct path *path, struct path *root,
85442+ char *buf, int buflen)
85443+{
85444+ char *res = buf + buflen;
85445+ int error;
85446+
85447+ prepend(&res, &buflen, "\0", 1);
85448+ error = prepend_path(path, root, &res, &buflen);
85449+ if (error)
85450+ return ERR_PTR(error);
85451+
85452+ return res;
85453+}
85454+
85455+static char *
85456+gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
85457+{
85458+ char *retval;
85459+
85460+ retval = __our_d_path(path, root, buf, buflen);
85461+ if (unlikely(IS_ERR(retval)))
85462+ retval = strcpy(buf, "<path too long>");
85463+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
85464+ retval[1] = '\0';
85465+
85466+ return retval;
85467+}
85468+
85469+static char *
85470+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
85471+ char *buf, int buflen)
85472+{
85473+ struct path path;
85474+ char *res;
85475+
85476+ path.dentry = (struct dentry *)dentry;
85477+ path.mnt = (struct vfsmount *)vfsmnt;
85478+
85479+ /* we can use gr_real_root.dentry, gr_real_root.mnt, because this is only called
85480+ by the RBAC system */
85481+ res = gen_full_path(&path, &gr_real_root, buf, buflen);
85482+
85483+ return res;
85484+}
85485+
85486+static char *
85487+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
85488+ char *buf, int buflen)
85489+{
85490+ char *res;
85491+ struct path path;
85492+ struct path root;
85493+ struct task_struct *reaper = init_pid_ns.child_reaper;
85494+
85495+ path.dentry = (struct dentry *)dentry;
85496+ path.mnt = (struct vfsmount *)vfsmnt;
85497+
85498+ /* we can't use gr_real_root.dentry, gr_real_root.mnt, because they belong only to the RBAC system */
85499+ get_fs_root(reaper->fs, &root);
85500+
85501+ read_seqlock_excl(&mount_lock);
85502+ write_seqlock(&rename_lock);
85503+ res = gen_full_path(&path, &root, buf, buflen);
85504+ write_sequnlock(&rename_lock);
85505+ read_sequnlock_excl(&mount_lock);
85506+
85507+ path_put(&root);
85508+ return res;
85509+}
85510+
85511+char *
85512+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
85513+{
85514+ char *ret;
85515+ read_seqlock_excl(&mount_lock);
85516+ write_seqlock(&rename_lock);
85517+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
85518+ PAGE_SIZE);
85519+ write_sequnlock(&rename_lock);
85520+ read_sequnlock_excl(&mount_lock);
85521+ return ret;
85522+}
85523+
85524+static char *
85525+gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
85526+{
85527+ char *ret;
85528+ char *buf;
85529+ int buflen;
85530+
85531+ read_seqlock_excl(&mount_lock);
85532+ write_seqlock(&rename_lock);
85533+ buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
85534+ ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
85535+ buflen = (int)(ret - buf);
85536+ if (buflen >= 5)
85537+ prepend(&ret, &buflen, "/proc", 5);
85538+ else
85539+ ret = strcpy(buf, "<path too long>");
85540+ write_sequnlock(&rename_lock);
85541+ read_sequnlock_excl(&mount_lock);
85542+ return ret;
85543+}
85544+
85545+char *
85546+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
85547+{
85548+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
85549+ PAGE_SIZE);
85550+}
85551+
85552+char *
85553+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
85554+{
85555+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
85556+ PAGE_SIZE);
85557+}
85558+
85559+char *
85560+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
85561+{
85562+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
85563+ PAGE_SIZE);
85564+}
85565+
85566+char *
85567+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
85568+{
85569+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
85570+ PAGE_SIZE);
85571+}
85572+
85573+char *
85574+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
85575+{
85576+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
85577+ PAGE_SIZE);
85578+}
85579+
85580+__u32
85581+to_gr_audit(const __u32 reqmode)
85582+{
85583+ /* masks off auditable permission flags, then shifts them to create
85584+ auditing flags, and adds the special case of append auditing if
85585+ we're requesting write */
85586+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
85587+}
85588+
85589+struct acl_role_label *
85590+__lookup_acl_role_label(const struct gr_policy_state *state, const struct task_struct *task, const uid_t uid,
85591+ const gid_t gid)
85592+{
85593+ unsigned int index = gr_rhash(uid, GR_ROLE_USER, state->acl_role_set.r_size);
85594+ struct acl_role_label *match;
85595+ struct role_allowed_ip *ipp;
85596+ unsigned int x;
85597+ u32 curr_ip = task->signal->saved_ip;
85598+
85599+ match = state->acl_role_set.r_hash[index];
85600+
85601+ while (match) {
85602+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
85603+ for (x = 0; x < match->domain_child_num; x++) {
85604+ if (match->domain_children[x] == uid)
85605+ goto found;
85606+ }
85607+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
85608+ break;
85609+ match = match->next;
85610+ }
85611+found:
85612+ if (match == NULL) {
85613+ try_group:
85614+ index = gr_rhash(gid, GR_ROLE_GROUP, state->acl_role_set.r_size);
85615+ match = state->acl_role_set.r_hash[index];
85616+
85617+ while (match) {
85618+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
85619+ for (x = 0; x < match->domain_child_num; x++) {
85620+ if (match->domain_children[x] == gid)
85621+ goto found2;
85622+ }
85623+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
85624+ break;
85625+ match = match->next;
85626+ }
85627+found2:
85628+ if (match == NULL)
85629+ match = state->default_role;
85630+ if (match->allowed_ips == NULL)
85631+ return match;
85632+ else {
85633+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
85634+ if (likely
85635+ ((ntohl(curr_ip) & ipp->netmask) ==
85636+ (ntohl(ipp->addr) & ipp->netmask)))
85637+ return match;
85638+ }
85639+ match = state->default_role;
85640+ }
85641+ } else if (match->allowed_ips == NULL) {
85642+ return match;
85643+ } else {
85644+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
85645+ if (likely
85646+ ((ntohl(curr_ip) & ipp->netmask) ==
85647+ (ntohl(ipp->addr) & ipp->netmask)))
85648+ return match;
85649+ }
85650+ goto try_group;
85651+ }
85652+
85653+ return match;
85654+}
85655+
85656+static struct acl_role_label *
85657+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
85658+ const gid_t gid)
85659+{
85660+ return __lookup_acl_role_label(&running_polstate, task, uid, gid);
85661+}
85662+
85663+struct acl_subject_label *
85664+lookup_acl_subj_label(const u64 ino, const dev_t dev,
85665+ const struct acl_role_label *role)
85666+{
85667+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
85668+ struct acl_subject_label *match;
85669+
85670+ match = role->subj_hash[index];
85671+
85672+ while (match && (match->inode != ino || match->device != dev ||
85673+ (match->mode & GR_DELETED))) {
85674+ match = match->next;
85675+ }
85676+
85677+ if (match && !(match->mode & GR_DELETED))
85678+ return match;
85679+ else
85680+ return NULL;
85681+}
85682+
85683+struct acl_subject_label *
85684+lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev,
85685+ const struct acl_role_label *role)
85686+{
85687+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
85688+ struct acl_subject_label *match;
85689+
85690+ match = role->subj_hash[index];
85691+
85692+ while (match && (match->inode != ino || match->device != dev ||
85693+ !(match->mode & GR_DELETED))) {
85694+ match = match->next;
85695+ }
85696+
85697+ if (match && (match->mode & GR_DELETED))
85698+ return match;
85699+ else
85700+ return NULL;
85701+}
85702+
85703+static struct acl_object_label *
85704+lookup_acl_obj_label(const u64 ino, const dev_t dev,
85705+ const struct acl_subject_label *subj)
85706+{
85707+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
85708+ struct acl_object_label *match;
85709+
85710+ match = subj->obj_hash[index];
85711+
85712+ while (match && (match->inode != ino || match->device != dev ||
85713+ (match->mode & GR_DELETED))) {
85714+ match = match->next;
85715+ }
85716+
85717+ if (match && !(match->mode & GR_DELETED))
85718+ return match;
85719+ else
85720+ return NULL;
85721+}
85722+
85723+static struct acl_object_label *
85724+lookup_acl_obj_label_create(const u64 ino, const dev_t dev,
85725+ const struct acl_subject_label *subj)
85726+{
85727+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
85728+ struct acl_object_label *match;
85729+
85730+ match = subj->obj_hash[index];
85731+
85732+ while (match && (match->inode != ino || match->device != dev ||
85733+ !(match->mode & GR_DELETED))) {
85734+ match = match->next;
85735+ }
85736+
85737+ if (match && (match->mode & GR_DELETED))
85738+ return match;
85739+
85740+ match = subj->obj_hash[index];
85741+
85742+ while (match && (match->inode != ino || match->device != dev ||
85743+ (match->mode & GR_DELETED))) {
85744+ match = match->next;
85745+ }
85746+
85747+ if (match && !(match->mode & GR_DELETED))
85748+ return match;
85749+ else
85750+ return NULL;
85751+}
85752+
85753+struct name_entry *
85754+__lookup_name_entry(const struct gr_policy_state *state, const char *name)
85755+{
85756+ unsigned int len = strlen(name);
85757+ unsigned int key = full_name_hash(name, len);
85758+ unsigned int index = key % state->name_set.n_size;
85759+ struct name_entry *match;
85760+
85761+ match = state->name_set.n_hash[index];
85762+
85763+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
85764+ match = match->next;
85765+
85766+ return match;
85767+}
85768+
85769+static struct name_entry *
85770+lookup_name_entry(const char *name)
85771+{
85772+ return __lookup_name_entry(&running_polstate, name);
85773+}
85774+
85775+static struct name_entry *
85776+lookup_name_entry_create(const char *name)
85777+{
85778+ unsigned int len = strlen(name);
85779+ unsigned int key = full_name_hash(name, len);
85780+ unsigned int index = key % running_polstate.name_set.n_size;
85781+ struct name_entry *match;
85782+
85783+ match = running_polstate.name_set.n_hash[index];
85784+
85785+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
85786+ !match->deleted))
85787+ match = match->next;
85788+
85789+ if (match && match->deleted)
85790+ return match;
85791+
85792+ match = running_polstate.name_set.n_hash[index];
85793+
85794+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
85795+ match->deleted))
85796+ match = match->next;
85797+
85798+ if (match && !match->deleted)
85799+ return match;
85800+ else
85801+ return NULL;
85802+}
85803+
85804+static struct inodev_entry *
85805+lookup_inodev_entry(const u64 ino, const dev_t dev)
85806+{
85807+ unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size);
85808+ struct inodev_entry *match;
85809+
85810+ match = running_polstate.inodev_set.i_hash[index];
85811+
85812+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
85813+ match = match->next;
85814+
85815+ return match;
85816+}
85817+
85818+void
85819+__insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry)
85820+{
85821+ unsigned int index = gr_fhash(entry->nentry->inode, entry->nentry->device,
85822+ state->inodev_set.i_size);
85823+ struct inodev_entry **curr;
85824+
85825+ entry->prev = NULL;
85826+
85827+ curr = &state->inodev_set.i_hash[index];
85828+ if (*curr != NULL)
85829+ (*curr)->prev = entry;
85830+
85831+ entry->next = *curr;
85832+ *curr = entry;
85833+
85834+ return;
85835+}
85836+
85837+static void
85838+insert_inodev_entry(struct inodev_entry *entry)
85839+{
85840+ __insert_inodev_entry(&running_polstate, entry);
85841+}
85842+
85843+void
85844+insert_acl_obj_label(struct acl_object_label *obj,
85845+ struct acl_subject_label *subj)
85846+{
85847+ unsigned int index =
85848+ gr_fhash(obj->inode, obj->device, subj->obj_hash_size);
85849+ struct acl_object_label **curr;
85850+
85851+ obj->prev = NULL;
85852+
85853+ curr = &subj->obj_hash[index];
85854+ if (*curr != NULL)
85855+ (*curr)->prev = obj;
85856+
85857+ obj->next = *curr;
85858+ *curr = obj;
85859+
85860+ return;
85861+}
85862+
85863+void
85864+insert_acl_subj_label(struct acl_subject_label *obj,
85865+ struct acl_role_label *role)
85866+{
85867+ unsigned int index = gr_fhash(obj->inode, obj->device, role->subj_hash_size);
85868+ struct acl_subject_label **curr;
85869+
85870+ obj->prev = NULL;
85871+
85872+ curr = &role->subj_hash[index];
85873+ if (*curr != NULL)
85874+ (*curr)->prev = obj;
85875+
85876+ obj->next = *curr;
85877+ *curr = obj;
85878+
85879+ return;
85880+}
85881+
85882+/* derived from glibc fnmatch() 0: match, 1: no match*/
85883+
85884+static int
85885+glob_match(const char *p, const char *n)
85886+{
85887+ char c;
85888+
85889+ while ((c = *p++) != '\0') {
85890+ switch (c) {
85891+ case '?':
85892+ if (*n == '\0')
85893+ return 1;
85894+ else if (*n == '/')
85895+ return 1;
85896+ break;
85897+ case '\\':
85898+ if (*n != c)
85899+ return 1;
85900+ break;
85901+ case '*':
85902+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
85903+ if (*n == '/')
85904+ return 1;
85905+ else if (c == '?') {
85906+ if (*n == '\0')
85907+ return 1;
85908+ else
85909+ ++n;
85910+ }
85911+ }
85912+ if (c == '\0') {
85913+ return 0;
85914+ } else {
85915+ const char *endp;
85916+
85917+ if ((endp = strchr(n, '/')) == NULL)
85918+ endp = n + strlen(n);
85919+
85920+ if (c == '[') {
85921+ for (--p; n < endp; ++n)
85922+ if (!glob_match(p, n))
85923+ return 0;
85924+ } else if (c == '/') {
85925+ while (*n != '\0' && *n != '/')
85926+ ++n;
85927+ if (*n == '/' && !glob_match(p, n + 1))
85928+ return 0;
85929+ } else {
85930+ for (--p; n < endp; ++n)
85931+ if (*n == c && !glob_match(p, n))
85932+ return 0;
85933+ }
85934+
85935+ return 1;
85936+ }
85937+ case '[':
85938+ {
85939+ int not;
85940+ char cold;
85941+
85942+ if (*n == '\0' || *n == '/')
85943+ return 1;
85944+
85945+ not = (*p == '!' || *p == '^');
85946+ if (not)
85947+ ++p;
85948+
85949+ c = *p++;
85950+ for (;;) {
85951+ unsigned char fn = (unsigned char)*n;
85952+
85953+ if (c == '\0')
85954+ return 1;
85955+ else {
85956+ if (c == fn)
85957+ goto matched;
85958+ cold = c;
85959+ c = *p++;
85960+
85961+ if (c == '-' && *p != ']') {
85962+ unsigned char cend = *p++;
85963+
85964+ if (cend == '\0')
85965+ return 1;
85966+
85967+ if (cold <= fn && fn <= cend)
85968+ goto matched;
85969+
85970+ c = *p++;
85971+ }
85972+ }
85973+
85974+ if (c == ']')
85975+ break;
85976+ }
85977+ if (!not)
85978+ return 1;
85979+ break;
85980+ matched:
85981+ while (c != ']') {
85982+ if (c == '\0')
85983+ return 1;
85984+
85985+ c = *p++;
85986+ }
85987+ if (not)
85988+ return 1;
85989+ }
85990+ break;
85991+ default:
85992+ if (c != *n)
85993+ return 1;
85994+ }
85995+
85996+ ++n;
85997+ }
85998+
85999+ if (*n == '\0')
86000+ return 0;
86001+
86002+ if (*n == '/')
86003+ return 0;
86004+
86005+ return 1;
86006+}
86007+
86008+static struct acl_object_label *
86009+chk_glob_label(struct acl_object_label *globbed,
86010+ const struct dentry *dentry, const struct vfsmount *mnt, char **path)
86011+{
86012+ struct acl_object_label *tmp;
86013+
86014+ if (*path == NULL)
86015+ *path = gr_to_filename_nolock(dentry, mnt);
86016+
86017+ tmp = globbed;
86018+
86019+ while (tmp) {
86020+ if (!glob_match(tmp->filename, *path))
86021+ return tmp;
86022+ tmp = tmp->next;
86023+ }
86024+
86025+ return NULL;
86026+}
86027+
86028+static struct acl_object_label *
86029+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
86030+ const u64 curr_ino, const dev_t curr_dev,
86031+ const struct acl_subject_label *subj, char **path, const int checkglob)
86032+{
86033+ struct acl_subject_label *tmpsubj;
86034+ struct acl_object_label *retval;
86035+ struct acl_object_label *retval2;
86036+
86037+ tmpsubj = (struct acl_subject_label *) subj;
86038+ read_lock(&gr_inode_lock);
86039+ do {
86040+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
86041+ if (retval) {
86042+ if (checkglob && retval->globbed) {
86043+ retval2 = chk_glob_label(retval->globbed, orig_dentry, orig_mnt, path);
86044+ if (retval2)
86045+ retval = retval2;
86046+ }
86047+ break;
86048+ }
86049+ } while ((tmpsubj = tmpsubj->parent_subject));
86050+ read_unlock(&gr_inode_lock);
86051+
86052+ return retval;
86053+}
86054+
86055+static struct acl_object_label *
86056+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
86057+ struct dentry *curr_dentry,
86058+ const struct acl_subject_label *subj, char **path, const int checkglob)
86059+{
86060+ int newglob = checkglob;
86061+ u64 inode;
86062+ dev_t device;
86063+
86064+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
86065+ as we don't want a / * rule to match instead of the / object
86066+ don't do this for create lookups that call this function though, since they're looking up
86067+ on the parent and thus need globbing checks on all paths
86068+ */
86069+ if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
86070+ newglob = GR_NO_GLOB;
86071+
86072+ spin_lock(&curr_dentry->d_lock);
86073+ inode = __get_ino(curr_dentry);
86074+ device = __get_dev(curr_dentry);
86075+ spin_unlock(&curr_dentry->d_lock);
86076+
86077+ return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
86078+}
86079+
86080+#ifdef CONFIG_HUGETLBFS
86081+static inline bool
86082+is_hugetlbfs_mnt(const struct vfsmount *mnt)
86083+{
86084+ int i;
86085+ for (i = 0; i < HUGE_MAX_HSTATE; i++) {
86086+ if (unlikely(hugetlbfs_vfsmount[i] == mnt))
86087+ return true;
86088+ }
86089+
86090+ return false;
86091+}
86092+#endif
86093+
86094+static struct acl_object_label *
86095+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86096+ const struct acl_subject_label *subj, char *path, const int checkglob)
86097+{
86098+ struct dentry *dentry = (struct dentry *) l_dentry;
86099+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
86100+ struct inode * inode = d_backing_inode(dentry);
86101+ struct mount *real_mnt = real_mount(mnt);
86102+ struct acl_object_label *retval;
86103+ struct dentry *parent;
86104+
86105+ read_seqlock_excl(&mount_lock);
86106+ write_seqlock(&rename_lock);
86107+
86108+ if (unlikely((mnt == shm_mnt && inode->i_nlink == 0) || mnt == pipe_mnt ||
86109+#ifdef CONFIG_NET
86110+ mnt == sock_mnt ||
86111+#endif
86112+#ifdef CONFIG_HUGETLBFS
86113+ (is_hugetlbfs_mnt(mnt) && inode->i_nlink == 0) ||
86114+#endif
86115+ /* ignore Eric Biederman */
86116+ IS_PRIVATE(inode))) {
86117+ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
86118+ goto out;
86119+ }
86120+
86121+ for (;;) {
86122+ if (dentry == gr_real_root.dentry && mnt == gr_real_root.mnt)
86123+ break;
86124+
86125+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
86126+ if (!mnt_has_parent(real_mnt))
86127+ break;
86128+
86129+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86130+ if (retval != NULL)
86131+ goto out;
86132+
86133+ dentry = real_mnt->mnt_mountpoint;
86134+ real_mnt = real_mnt->mnt_parent;
86135+ mnt = &real_mnt->mnt;
86136+ continue;
86137+ }
86138+
86139+ parent = dentry->d_parent;
86140+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86141+ if (retval != NULL)
86142+ goto out;
86143+
86144+ dentry = parent;
86145+ }
86146+
86147+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86148+
86149+ /* gr_real_root is pinned so we don't have to hold a reference */
86150+ if (retval == NULL)
86151+ retval = full_lookup(l_dentry, l_mnt, gr_real_root.dentry, subj, &path, checkglob);
86152+out:
86153+ write_sequnlock(&rename_lock);
86154+ read_sequnlock_excl(&mount_lock);
86155+
86156+ BUG_ON(retval == NULL);
86157+
86158+ return retval;
86159+}
86160+
86161+static struct acl_object_label *
86162+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86163+ const struct acl_subject_label *subj)
86164+{
86165+ char *path = NULL;
86166+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
86167+}
86168+
86169+static struct acl_object_label *
86170+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86171+ const struct acl_subject_label *subj)
86172+{
86173+ char *path = NULL;
86174+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
86175+}
86176+
86177+static struct acl_object_label *
86178+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86179+ const struct acl_subject_label *subj, char *path)
86180+{
86181+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
86182+}
86183+
86184+struct acl_subject_label *
86185+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86186+ const struct acl_role_label *role)
86187+{
86188+ struct dentry *dentry = (struct dentry *) l_dentry;
86189+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
86190+ struct mount *real_mnt = real_mount(mnt);
86191+ struct acl_subject_label *retval;
86192+ struct dentry *parent;
86193+
86194+ read_seqlock_excl(&mount_lock);
86195+ write_seqlock(&rename_lock);
86196+
86197+ for (;;) {
86198+ if (dentry == gr_real_root.dentry && mnt == gr_real_root.mnt)
86199+ break;
86200+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
86201+ if (!mnt_has_parent(real_mnt))
86202+ break;
86203+
86204+ spin_lock(&dentry->d_lock);
86205+ read_lock(&gr_inode_lock);
86206+ retval =
86207+ lookup_acl_subj_label(__get_ino(dentry),
86208+ __get_dev(dentry), role);
86209+ read_unlock(&gr_inode_lock);
86210+ spin_unlock(&dentry->d_lock);
86211+ if (retval != NULL)
86212+ goto out;
86213+
86214+ dentry = real_mnt->mnt_mountpoint;
86215+ real_mnt = real_mnt->mnt_parent;
86216+ mnt = &real_mnt->mnt;
86217+ continue;
86218+ }
86219+
86220+ spin_lock(&dentry->d_lock);
86221+ read_lock(&gr_inode_lock);
86222+ retval = lookup_acl_subj_label(__get_ino(dentry),
86223+ __get_dev(dentry), role);
86224+ read_unlock(&gr_inode_lock);
86225+ parent = dentry->d_parent;
86226+ spin_unlock(&dentry->d_lock);
86227+
86228+ if (retval != NULL)
86229+ goto out;
86230+
86231+ dentry = parent;
86232+ }
86233+
86234+ spin_lock(&dentry->d_lock);
86235+ read_lock(&gr_inode_lock);
86236+ retval = lookup_acl_subj_label(__get_ino(dentry),
86237+ __get_dev(dentry), role);
86238+ read_unlock(&gr_inode_lock);
86239+ spin_unlock(&dentry->d_lock);
86240+
86241+ if (unlikely(retval == NULL)) {
86242+ /* gr_real_root is pinned, we don't need to hold a reference */
86243+ read_lock(&gr_inode_lock);
86244+ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry),
86245+ __get_dev(gr_real_root.dentry), role);
86246+ read_unlock(&gr_inode_lock);
86247+ }
86248+out:
86249+ write_sequnlock(&rename_lock);
86250+ read_sequnlock_excl(&mount_lock);
86251+
86252+ BUG_ON(retval == NULL);
86253+
86254+ return retval;
86255+}
86256+
86257+void
86258+assign_special_role(const char *rolename)
86259+{
86260+ struct acl_object_label *obj;
86261+ struct acl_role_label *r;
86262+ struct acl_role_label *assigned = NULL;
86263+ struct task_struct *tsk;
86264+ struct file *filp;
86265+
86266+ FOR_EACH_ROLE_START(r)
86267+ if (!strcmp(rolename, r->rolename) &&
86268+ (r->roletype & GR_ROLE_SPECIAL)) {
86269+ assigned = r;
86270+ break;
86271+ }
86272+ FOR_EACH_ROLE_END(r)
86273+
86274+ if (!assigned)
86275+ return;
86276+
86277+ read_lock(&tasklist_lock);
86278+ read_lock(&grsec_exec_file_lock);
86279+
86280+ tsk = current->real_parent;
86281+ if (tsk == NULL)
86282+ goto out_unlock;
86283+
86284+ filp = tsk->exec_file;
86285+ if (filp == NULL)
86286+ goto out_unlock;
86287+
86288+ tsk->is_writable = 0;
86289+ tsk->inherited = 0;
86290+
86291+ tsk->acl_sp_role = 1;
86292+ tsk->acl_role_id = ++acl_sp_role_value;
86293+ tsk->role = assigned;
86294+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
86295+
86296+ /* ignore additional mmap checks for processes that are writable
86297+ by the default ACL */
86298+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, running_polstate.default_role->root_label);
86299+ if (unlikely(obj->mode & GR_WRITE))
86300+ tsk->is_writable = 1;
86301+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
86302+ if (unlikely(obj->mode & GR_WRITE))
86303+ tsk->is_writable = 1;
86304+
86305+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
86306+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename,
86307+ tsk->acl->filename, tsk->comm, task_pid_nr(tsk));
86308+#endif
86309+
86310+out_unlock:
86311+ read_unlock(&grsec_exec_file_lock);
86312+ read_unlock(&tasklist_lock);
86313+ return;
86314+}
86315+
86316+
86317+static void
86318+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
86319+{
86320+ struct task_struct *task = current;
86321+ const struct cred *cred = current_cred();
86322+
86323+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
86324+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
86325+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
86326+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
86327+
86328+ return;
86329+}
86330+
86331+static void
86332+gr_log_learn_uid_change(const kuid_t real, const kuid_t effective, const kuid_t fs)
86333+{
86334+ struct task_struct *task = current;
86335+ const struct cred *cred = current_cred();
86336+
86337+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
86338+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
86339+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
86340+ 'u', GR_GLOBAL_UID(real), GR_GLOBAL_UID(effective), GR_GLOBAL_UID(fs), &task->signal->saved_ip);
86341+
86342+ return;
86343+}
86344+
86345+static void
86346+gr_log_learn_gid_change(const kgid_t real, const kgid_t effective, const kgid_t fs)
86347+{
86348+ struct task_struct *task = current;
86349+ const struct cred *cred = current_cred();
86350+
86351+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
86352+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
86353+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
86354+ 'g', GR_GLOBAL_GID(real), GR_GLOBAL_GID(effective), GR_GLOBAL_GID(fs), &task->signal->saved_ip);
86355+
86356+ return;
86357+}
86358+
86359+static void
86360+gr_set_proc_res(struct task_struct *task)
86361+{
86362+ struct acl_subject_label *proc;
86363+ unsigned short i;
86364+
86365+ proc = task->acl;
86366+
86367+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
86368+ return;
86369+
86370+ for (i = 0; i < RLIM_NLIMITS; i++) {
86371+ unsigned long rlim_cur, rlim_max;
86372+
86373+ if (!(proc->resmask & (1U << i)))
86374+ continue;
86375+
86376+ rlim_cur = proc->res[i].rlim_cur;
86377+ rlim_max = proc->res[i].rlim_max;
86378+
86379+ if (i == RLIMIT_NOFILE) {
86380+ unsigned long saved_sysctl_nr_open = sysctl_nr_open;
86381+ if (rlim_cur > saved_sysctl_nr_open)
86382+ rlim_cur = saved_sysctl_nr_open;
86383+ if (rlim_max > saved_sysctl_nr_open)
86384+ rlim_max = saved_sysctl_nr_open;
86385+ }
86386+
86387+ task->signal->rlim[i].rlim_cur = rlim_cur;
86388+ task->signal->rlim[i].rlim_max = rlim_max;
86389+
86390+ if (i == RLIMIT_CPU)
86391+ update_rlimit_cpu(task, rlim_cur);
86392+ }
86393+
86394+ return;
86395+}
86396+
86397+/* both of the below must be called with
86398+ rcu_read_lock();
86399+ read_lock(&tasklist_lock);
86400+ read_lock(&grsec_exec_file_lock);
86401+ except in the case of gr_set_role_label() (for __gr_get_subject_for_task)
86402+*/
86403+
86404+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback)
86405+{
86406+ char *tmpname;
86407+ struct acl_subject_label *tmpsubj;
86408+ struct file *filp;
86409+ struct name_entry *nmatch;
86410+
86411+ filp = task->exec_file;
86412+ if (filp == NULL)
86413+ return NULL;
86414+
86415+ /* the following is to apply the correct subject
86416+ on binaries running when the RBAC system
86417+ is enabled, when the binaries have been
86418+ replaced or deleted since their execution
86419+ -----
86420+ when the RBAC system starts, the inode/dev
86421+ from exec_file will be one the RBAC system
86422+ is unaware of. It only knows the inode/dev
86423+ of the present file on disk, or the absence
86424+ of it.
86425+ */
86426+
86427+ if (filename)
86428+ nmatch = __lookup_name_entry(state, filename);
86429+ else {
86430+ preempt_disable();
86431+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
86432+
86433+ nmatch = __lookup_name_entry(state, tmpname);
86434+ preempt_enable();
86435+ }
86436+ tmpsubj = NULL;
86437+ if (nmatch) {
86438+ if (nmatch->deleted)
86439+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
86440+ else
86441+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
86442+ }
86443+ /* this also works for the reload case -- if we don't match a potentially inherited subject
86444+ then we fall back to a normal lookup based on the binary's ino/dev
86445+ */
86446+ if (tmpsubj == NULL && fallback)
86447+ tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role);
86448+
86449+ return tmpsubj;
86450+}
86451+
86452+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback)
86453+{
86454+ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback);
86455+}
86456+
86457+void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj)
86458+{
86459+ struct acl_object_label *obj;
86460+ struct file *filp;
86461+
86462+ filp = task->exec_file;
86463+
86464+ task->acl = subj;
86465+ task->is_writable = 0;
86466+ /* ignore additional mmap checks for processes that are writable
86467+ by the default ACL */
86468+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, state->default_role->root_label);
86469+ if (unlikely(obj->mode & GR_WRITE))
86470+ task->is_writable = 1;
86471+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
86472+ if (unlikely(obj->mode & GR_WRITE))
86473+ task->is_writable = 1;
86474+
86475+ gr_set_proc_res(task);
86476+
86477+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
86478+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
86479+#endif
86480+}
86481+
86482+static void gr_apply_subject_to_task(struct task_struct *task, struct acl_subject_label *subj)
86483+{
86484+ __gr_apply_subject_to_task(&running_polstate, task, subj);
86485+}
86486+
86487+__u32
86488+gr_search_file(const struct dentry * dentry, const __u32 mode,
86489+ const struct vfsmount * mnt)
86490+{
86491+ __u32 retval = mode;
86492+ struct acl_subject_label *curracl;
86493+ struct acl_object_label *currobj;
86494+
86495+ if (unlikely(!(gr_status & GR_READY)))
86496+ return (mode & ~GR_AUDITS);
86497+
86498+ curracl = current->acl;
86499+
86500+ currobj = chk_obj_label(dentry, mnt, curracl);
86501+ retval = currobj->mode & mode;
86502+
86503+ /* if we're opening a specified transfer file for writing
86504+ (e.g. /dev/initctl), then transfer our role to init
86505+ */
86506+ if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
86507+ current->role->roletype & GR_ROLE_PERSIST)) {
86508+ struct task_struct *task = init_pid_ns.child_reaper;
86509+
86510+ if (task->role != current->role) {
86511+ struct acl_subject_label *subj;
86512+
86513+ task->acl_sp_role = 0;
86514+ task->acl_role_id = current->acl_role_id;
86515+ task->role = current->role;
86516+ rcu_read_lock();
86517+ read_lock(&grsec_exec_file_lock);
86518+ subj = gr_get_subject_for_task(task, NULL, 1);
86519+ gr_apply_subject_to_task(task, subj);
86520+ read_unlock(&grsec_exec_file_lock);
86521+ rcu_read_unlock();
86522+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
86523+ }
86524+ }
86525+
86526+ if (unlikely
86527+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
86528+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
86529+ __u32 new_mode = mode;
86530+
86531+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
86532+
86533+ retval = new_mode;
86534+
86535+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
86536+ new_mode |= GR_INHERIT;
86537+
86538+ if (!(mode & GR_NOLEARN))
86539+ gr_log_learn(dentry, mnt, new_mode);
86540+ }
86541+
86542+ return retval;
86543+}
86544+
86545+struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
86546+ const struct dentry *parent,
86547+ const struct vfsmount *mnt)
86548+{
86549+ struct name_entry *match;
86550+ struct acl_object_label *matchpo;
86551+ struct acl_subject_label *curracl;
86552+ char *path;
86553+
86554+ if (unlikely(!(gr_status & GR_READY)))
86555+ return NULL;
86556+
86557+ preempt_disable();
86558+ path = gr_to_filename_rbac(new_dentry, mnt);
86559+ match = lookup_name_entry_create(path);
86560+
86561+ curracl = current->acl;
86562+
86563+ if (match) {
86564+ read_lock(&gr_inode_lock);
86565+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
86566+ read_unlock(&gr_inode_lock);
86567+
86568+ if (matchpo) {
86569+ preempt_enable();
86570+ return matchpo;
86571+ }
86572+ }
86573+
86574+ // lookup parent
86575+
86576+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
86577+
86578+ preempt_enable();
86579+ return matchpo;
86580+}
86581+
86582+__u32
86583+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
86584+ const struct vfsmount * mnt, const __u32 mode)
86585+{
86586+ struct acl_object_label *matchpo;
86587+ __u32 retval;
86588+
86589+ if (unlikely(!(gr_status & GR_READY)))
86590+ return (mode & ~GR_AUDITS);
86591+
86592+ matchpo = gr_get_create_object(new_dentry, parent, mnt);
86593+
86594+ retval = matchpo->mode & mode;
86595+
86596+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
86597+ && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
86598+ __u32 new_mode = mode;
86599+
86600+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
86601+
86602+ gr_log_learn(new_dentry, mnt, new_mode);
86603+ return new_mode;
86604+ }
86605+
86606+ return retval;
86607+}
86608+
86609+__u32
86610+gr_check_link(const struct dentry * new_dentry,
86611+ const struct dentry * parent_dentry,
86612+ const struct vfsmount * parent_mnt,
86613+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
86614+{
86615+ struct acl_object_label *obj;
86616+ __u32 oldmode, newmode;
86617+ __u32 needmode;
86618+ __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
86619+ GR_DELETE | GR_INHERIT;
86620+
86621+ if (unlikely(!(gr_status & GR_READY)))
86622+ return (GR_CREATE | GR_LINK);
86623+
86624+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
86625+ oldmode = obj->mode;
86626+
86627+ obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
86628+ newmode = obj->mode;
86629+
86630+ needmode = newmode & checkmodes;
86631+
86632+ // old name for hardlink must have at least the permissions of the new name
86633+ if ((oldmode & needmode) != needmode)
86634+ goto bad;
86635+
86636+ // if old name had restrictions/auditing, make sure the new name does as well
86637+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
86638+
86639+ // don't allow hardlinking of suid/sgid/fcapped files without permission
86640+ if (is_privileged_binary(old_dentry))
86641+ needmode |= GR_SETID;
86642+
86643+ if ((newmode & needmode) != needmode)
86644+ goto bad;
86645+
86646+ // enforce minimum permissions
86647+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
86648+ return newmode;
86649+bad:
86650+ needmode = oldmode;
86651+ if (is_privileged_binary(old_dentry))
86652+ needmode |= GR_SETID;
86653+
86654+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
86655+ gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
86656+ return (GR_CREATE | GR_LINK);
86657+ } else if (newmode & GR_SUPPRESS)
86658+ return GR_SUPPRESS;
86659+ else
86660+ return 0;
86661+}
86662+
86663+int
86664+gr_check_hidden_task(const struct task_struct *task)
86665+{
86666+ if (unlikely(!(gr_status & GR_READY)))
86667+ return 0;
86668+
86669+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
86670+ return 1;
86671+
86672+ return 0;
86673+}
86674+
86675+int
86676+gr_check_protected_task(const struct task_struct *task)
86677+{
86678+ if (unlikely(!(gr_status & GR_READY) || !task))
86679+ return 0;
86680+
86681+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
86682+ task->acl != current->acl)
86683+ return 1;
86684+
86685+ return 0;
86686+}
86687+
86688+int
86689+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
86690+{
86691+ struct task_struct *p;
86692+ int ret = 0;
86693+
86694+ if (unlikely(!(gr_status & GR_READY) || !pid))
86695+ return ret;
86696+
86697+ read_lock(&tasklist_lock);
86698+ do_each_pid_task(pid, type, p) {
86699+ if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
86700+ p->acl != current->acl) {
86701+ ret = 1;
86702+ goto out;
86703+ }
86704+ } while_each_pid_task(pid, type, p);
86705+out:
86706+ read_unlock(&tasklist_lock);
86707+
86708+ return ret;
86709+}
86710+
86711+void
86712+gr_copy_label(struct task_struct *tsk)
86713+{
86714+ struct task_struct *p = current;
86715+
86716+ tsk->inherited = p->inherited;
86717+ tsk->acl_sp_role = 0;
86718+ tsk->acl_role_id = p->acl_role_id;
86719+ tsk->acl = p->acl;
86720+ tsk->role = p->role;
86721+ tsk->signal->used_accept = 0;
86722+ tsk->signal->curr_ip = p->signal->curr_ip;
86723+ tsk->signal->saved_ip = p->signal->saved_ip;
86724+ if (p->exec_file)
86725+ get_file(p->exec_file);
86726+ tsk->exec_file = p->exec_file;
86727+ tsk->is_writable = p->is_writable;
86728+ if (unlikely(p->signal->used_accept)) {
86729+ p->signal->curr_ip = 0;
86730+ p->signal->saved_ip = 0;
86731+ }
86732+
86733+ return;
86734+}
86735+
86736+extern int gr_process_kernel_setuid_ban(struct user_struct *user);
86737+
86738+int
86739+gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
86740+{
86741+ unsigned int i;
86742+ __u16 num;
86743+ uid_t *uidlist;
86744+ uid_t curuid;
86745+ int realok = 0;
86746+ int effectiveok = 0;
86747+ int fsok = 0;
86748+ uid_t globalreal, globaleffective, globalfs;
86749+
86750+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT)
86751+ struct user_struct *user;
86752+
86753+ if (!uid_valid(real))
86754+ goto skipit;
86755+
86756+ /* find user based on global namespace */
86757+
86758+ globalreal = GR_GLOBAL_UID(real);
86759+
86760+ user = find_user(make_kuid(&init_user_ns, globalreal));
86761+ if (user == NULL)
86762+ goto skipit;
86763+
86764+ if (gr_process_kernel_setuid_ban(user)) {
86765+ /* for find_user */
86766+ free_uid(user);
86767+ return 1;
86768+ }
86769+
86770+ /* for find_user */
86771+ free_uid(user);
86772+
86773+skipit:
86774+#endif
86775+
86776+ if (unlikely(!(gr_status & GR_READY)))
86777+ return 0;
86778+
86779+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
86780+ gr_log_learn_uid_change(real, effective, fs);
86781+
86782+ num = current->acl->user_trans_num;
86783+ uidlist = current->acl->user_transitions;
86784+
86785+ if (uidlist == NULL)
86786+ return 0;
86787+
86788+ if (!uid_valid(real)) {
86789+ realok = 1;
86790+ globalreal = (uid_t)-1;
86791+ } else {
86792+ globalreal = GR_GLOBAL_UID(real);
86793+ }
86794+ if (!uid_valid(effective)) {
86795+ effectiveok = 1;
86796+ globaleffective = (uid_t)-1;
86797+ } else {
86798+ globaleffective = GR_GLOBAL_UID(effective);
86799+ }
86800+ if (!uid_valid(fs)) {
86801+ fsok = 1;
86802+ globalfs = (uid_t)-1;
86803+ } else {
86804+ globalfs = GR_GLOBAL_UID(fs);
86805+ }
86806+
86807+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
86808+ for (i = 0; i < num; i++) {
86809+ curuid = uidlist[i];
86810+ if (globalreal == curuid)
86811+ realok = 1;
86812+ if (globaleffective == curuid)
86813+ effectiveok = 1;
86814+ if (globalfs == curuid)
86815+ fsok = 1;
86816+ }
86817+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
86818+ for (i = 0; i < num; i++) {
86819+ curuid = uidlist[i];
86820+ if (globalreal == curuid)
86821+ break;
86822+ if (globaleffective == curuid)
86823+ break;
86824+ if (globalfs == curuid)
86825+ break;
86826+ }
86827+ /* not in deny list */
86828+ if (i == num) {
86829+ realok = 1;
86830+ effectiveok = 1;
86831+ fsok = 1;
86832+ }
86833+ }
86834+
86835+ if (realok && effectiveok && fsok)
86836+ return 0;
86837+ else {
86838+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal);
86839+ return 1;
86840+ }
86841+}
86842+
86843+int
86844+gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs)
86845+{
86846+ unsigned int i;
86847+ __u16 num;
86848+ gid_t *gidlist;
86849+ gid_t curgid;
86850+ int realok = 0;
86851+ int effectiveok = 0;
86852+ int fsok = 0;
86853+ gid_t globalreal, globaleffective, globalfs;
86854+
86855+ if (unlikely(!(gr_status & GR_READY)))
86856+ return 0;
86857+
86858+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
86859+ gr_log_learn_gid_change(real, effective, fs);
86860+
86861+ num = current->acl->group_trans_num;
86862+ gidlist = current->acl->group_transitions;
86863+
86864+ if (gidlist == NULL)
86865+ return 0;
86866+
86867+ if (!gid_valid(real)) {
86868+ realok = 1;
86869+ globalreal = (gid_t)-1;
86870+ } else {
86871+ globalreal = GR_GLOBAL_GID(real);
86872+ }
86873+ if (!gid_valid(effective)) {
86874+ effectiveok = 1;
86875+ globaleffective = (gid_t)-1;
86876+ } else {
86877+ globaleffective = GR_GLOBAL_GID(effective);
86878+ }
86879+ if (!gid_valid(fs)) {
86880+ fsok = 1;
86881+ globalfs = (gid_t)-1;
86882+ } else {
86883+ globalfs = GR_GLOBAL_GID(fs);
86884+ }
86885+
86886+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
86887+ for (i = 0; i < num; i++) {
86888+ curgid = gidlist[i];
86889+ if (globalreal == curgid)
86890+ realok = 1;
86891+ if (globaleffective == curgid)
86892+ effectiveok = 1;
86893+ if (globalfs == curgid)
86894+ fsok = 1;
86895+ }
86896+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
86897+ for (i = 0; i < num; i++) {
86898+ curgid = gidlist[i];
86899+ if (globalreal == curgid)
86900+ break;
86901+ if (globaleffective == curgid)
86902+ break;
86903+ if (globalfs == curgid)
86904+ break;
86905+ }
86906+ /* not in deny list */
86907+ if (i == num) {
86908+ realok = 1;
86909+ effectiveok = 1;
86910+ fsok = 1;
86911+ }
86912+ }
86913+
86914+ if (realok && effectiveok && fsok)
86915+ return 0;
86916+ else {
86917+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal);
86918+ return 1;
86919+ }
86920+}
86921+
86922+extern int gr_acl_is_capable(const int cap);
86923+
86924+void
86925+gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid)
86926+{
86927+ struct acl_role_label *role = task->role;
86928+ struct acl_role_label *origrole = role;
86929+ struct acl_subject_label *subj = NULL;
86930+ struct acl_object_label *obj;
86931+ struct file *filp;
86932+ uid_t uid;
86933+ gid_t gid;
86934+
86935+ if (unlikely(!(gr_status & GR_READY)))
86936+ return;
86937+
86938+ uid = GR_GLOBAL_UID(kuid);
86939+ gid = GR_GLOBAL_GID(kgid);
86940+
86941+ filp = task->exec_file;
86942+
86943+ /* kernel process, we'll give them the kernel role */
86944+ if (unlikely(!filp)) {
86945+ task->role = running_polstate.kernel_role;
86946+ task->acl = running_polstate.kernel_role->root_label;
86947+ return;
86948+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL)) {
86949+ /* save the current ip at time of role lookup so that the proper
86950+ IP will be learned for role_allowed_ip */
86951+ task->signal->saved_ip = task->signal->curr_ip;
86952+ role = lookup_acl_role_label(task, uid, gid);
86953+ }
86954+
86955+ /* don't change the role if we're not a privileged process */
86956+ if (role && task->role != role &&
86957+ (((role->roletype & GR_ROLE_USER) && !gr_acl_is_capable(CAP_SETUID)) ||
86958+ ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID))))
86959+ return;
86960+
86961+ task->role = role;
86962+
86963+ if (task->inherited) {
86964+ /* if we reached our subject through inheritance, then first see
86965+ if there's a subject of the same name in the new role that has
86966+ an object that would result in the same inherited subject
86967+ */
86968+ subj = gr_get_subject_for_task(task, task->acl->filename, 0);
86969+ if (subj) {
86970+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj);
86971+ if (!(obj->mode & GR_INHERIT))
86972+ subj = NULL;
86973+ }
86974+
86975+ }
86976+ if (subj == NULL) {
86977+ /* otherwise:
86978+ perform subject lookup in possibly new role
86979+ we can use this result below in the case where role == task->role
86980+ */
86981+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
86982+ }
86983+
86984+ /* if we changed uid/gid, but result in the same role
86985+ and are using inheritance, don't lose the inherited subject
86986+ if current subject is other than what normal lookup
86987+ would result in, we arrived via inheritance, don't
86988+ lose subject
86989+ */
86990+ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) &&
86991+ (subj == task->acl)))
86992+ task->acl = subj;
86993+
86994+ /* leave task->inherited unaffected */
86995+
86996+ task->is_writable = 0;
86997+
86998+ /* ignore additional mmap checks for processes that are writable
86999+ by the default ACL */
87000+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, running_polstate.default_role->root_label);
87001+ if (unlikely(obj->mode & GR_WRITE))
87002+ task->is_writable = 1;
87003+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
87004+ if (unlikely(obj->mode & GR_WRITE))
87005+ task->is_writable = 1;
87006+
87007+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87008+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
87009+#endif
87010+
87011+ gr_set_proc_res(task);
87012+
87013+ return;
87014+}
87015+
87016+int
87017+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
87018+ const int unsafe_flags)
87019+{
87020+ struct task_struct *task = current;
87021+ struct acl_subject_label *newacl;
87022+ struct acl_object_label *obj;
87023+ __u32 retmode;
87024+
87025+ if (unlikely(!(gr_status & GR_READY)))
87026+ return 0;
87027+
87028+ newacl = chk_subj_label(dentry, mnt, task->role);
87029+
87030+ /* special handling for if we did an strace -f -p <pid> from an admin role, where pid then
87031+ did an exec
87032+ */
87033+ rcu_read_lock();
87034+ read_lock(&tasklist_lock);
87035+ if (task->ptrace && task->parent && ((task->parent->role->roletype & GR_ROLE_GOD) ||
87036+ (task->parent->acl->mode & GR_POVERRIDE))) {
87037+ read_unlock(&tasklist_lock);
87038+ rcu_read_unlock();
87039+ goto skip_check;
87040+ }
87041+ read_unlock(&tasklist_lock);
87042+ rcu_read_unlock();
87043+
87044+ if (unsafe_flags && !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
87045+ !(task->role->roletype & GR_ROLE_GOD) &&
87046+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
87047+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
87048+ if (unsafe_flags & LSM_UNSAFE_SHARE)
87049+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
87050+ else
87051+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
87052+ return -EACCES;
87053+ }
87054+
87055+skip_check:
87056+
87057+ obj = chk_obj_label(dentry, mnt, task->acl);
87058+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
87059+
87060+ if (!(task->acl->mode & GR_INHERITLEARN) &&
87061+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
87062+ if (obj->nested)
87063+ task->acl = obj->nested;
87064+ else
87065+ task->acl = newacl;
87066+ task->inherited = 0;
87067+ } else {
87068+ task->inherited = 1;
87069+ if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
87070+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
87071+ }
87072+
87073+ task->is_writable = 0;
87074+
87075+ /* ignore additional mmap checks for processes that are writable
87076+ by the default ACL */
87077+ obj = chk_obj_label(dentry, mnt, running_polstate.default_role->root_label);
87078+ if (unlikely(obj->mode & GR_WRITE))
87079+ task->is_writable = 1;
87080+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
87081+ if (unlikely(obj->mode & GR_WRITE))
87082+ task->is_writable = 1;
87083+
87084+ gr_set_proc_res(task);
87085+
87086+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87087+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
87088+#endif
87089+ return 0;
87090+}
87091+
87092+/* always called with valid inodev ptr */
87093+static void
87094+do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev)
87095+{
87096+ struct acl_object_label *matchpo;
87097+ struct acl_subject_label *matchps;
87098+ struct acl_subject_label *subj;
87099+ struct acl_role_label *role;
87100+ unsigned int x;
87101+
87102+ FOR_EACH_ROLE_START(role)
87103+ FOR_EACH_SUBJECT_START(role, subj, x)
87104+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
87105+ matchpo->mode |= GR_DELETED;
87106+ FOR_EACH_SUBJECT_END(subj,x)
87107+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
87108+ /* nested subjects aren't in the role's subj_hash table */
87109+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
87110+ matchpo->mode |= GR_DELETED;
87111+ FOR_EACH_NESTED_SUBJECT_END(subj)
87112+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
87113+ matchps->mode |= GR_DELETED;
87114+ FOR_EACH_ROLE_END(role)
87115+
87116+ inodev->nentry->deleted = 1;
87117+
87118+ return;
87119+}
87120+
87121+void
87122+gr_handle_delete(const u64 ino, const dev_t dev)
87123+{
87124+ struct inodev_entry *inodev;
87125+
87126+ if (unlikely(!(gr_status & GR_READY)))
87127+ return;
87128+
87129+ write_lock(&gr_inode_lock);
87130+ inodev = lookup_inodev_entry(ino, dev);
87131+ if (inodev != NULL)
87132+ do_handle_delete(inodev, ino, dev);
87133+ write_unlock(&gr_inode_lock);
87134+
87135+ return;
87136+}
87137+
87138+static void
87139+update_acl_obj_label(const u64 oldinode, const dev_t olddevice,
87140+ const u64 newinode, const dev_t newdevice,
87141+ struct acl_subject_label *subj)
87142+{
87143+ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size);
87144+ struct acl_object_label *match;
87145+
87146+ match = subj->obj_hash[index];
87147+
87148+ while (match && (match->inode != oldinode ||
87149+ match->device != olddevice ||
87150+ !(match->mode & GR_DELETED)))
87151+ match = match->next;
87152+
87153+ if (match && (match->inode == oldinode)
87154+ && (match->device == olddevice)
87155+ && (match->mode & GR_DELETED)) {
87156+ if (match->prev == NULL) {
87157+ subj->obj_hash[index] = match->next;
87158+ if (match->next != NULL)
87159+ match->next->prev = NULL;
87160+ } else {
87161+ match->prev->next = match->next;
87162+ if (match->next != NULL)
87163+ match->next->prev = match->prev;
87164+ }
87165+ match->prev = NULL;
87166+ match->next = NULL;
87167+ match->inode = newinode;
87168+ match->device = newdevice;
87169+ match->mode &= ~GR_DELETED;
87170+
87171+ insert_acl_obj_label(match, subj);
87172+ }
87173+
87174+ return;
87175+}
87176+
87177+static void
87178+update_acl_subj_label(const u64 oldinode, const dev_t olddevice,
87179+ const u64 newinode, const dev_t newdevice,
87180+ struct acl_role_label *role)
87181+{
87182+ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size);
87183+ struct acl_subject_label *match;
87184+
87185+ match = role->subj_hash[index];
87186+
87187+ while (match && (match->inode != oldinode ||
87188+ match->device != olddevice ||
87189+ !(match->mode & GR_DELETED)))
87190+ match = match->next;
87191+
87192+ if (match && (match->inode == oldinode)
87193+ && (match->device == olddevice)
87194+ && (match->mode & GR_DELETED)) {
87195+ if (match->prev == NULL) {
87196+ role->subj_hash[index] = match->next;
87197+ if (match->next != NULL)
87198+ match->next->prev = NULL;
87199+ } else {
87200+ match->prev->next = match->next;
87201+ if (match->next != NULL)
87202+ match->next->prev = match->prev;
87203+ }
87204+ match->prev = NULL;
87205+ match->next = NULL;
87206+ match->inode = newinode;
87207+ match->device = newdevice;
87208+ match->mode &= ~GR_DELETED;
87209+
87210+ insert_acl_subj_label(match, role);
87211+ }
87212+
87213+ return;
87214+}
87215+
87216+static void
87217+update_inodev_entry(const u64 oldinode, const dev_t olddevice,
87218+ const u64 newinode, const dev_t newdevice)
87219+{
87220+ unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size);
87221+ struct inodev_entry *match;
87222+
87223+ match = running_polstate.inodev_set.i_hash[index];
87224+
87225+ while (match && (match->nentry->inode != oldinode ||
87226+ match->nentry->device != olddevice || !match->nentry->deleted))
87227+ match = match->next;
87228+
87229+ if (match && (match->nentry->inode == oldinode)
87230+ && (match->nentry->device == olddevice) &&
87231+ match->nentry->deleted) {
87232+ if (match->prev == NULL) {
87233+ running_polstate.inodev_set.i_hash[index] = match->next;
87234+ if (match->next != NULL)
87235+ match->next->prev = NULL;
87236+ } else {
87237+ match->prev->next = match->next;
87238+ if (match->next != NULL)
87239+ match->next->prev = match->prev;
87240+ }
87241+ match->prev = NULL;
87242+ match->next = NULL;
87243+ match->nentry->inode = newinode;
87244+ match->nentry->device = newdevice;
87245+ match->nentry->deleted = 0;
87246+
87247+ insert_inodev_entry(match);
87248+ }
87249+
87250+ return;
87251+}
87252+
87253+static void
87254+__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev)
87255+{
87256+ struct acl_subject_label *subj;
87257+ struct acl_role_label *role;
87258+ unsigned int x;
87259+
87260+ FOR_EACH_ROLE_START(role)
87261+ update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
87262+
87263+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
87264+ if ((subj->inode == ino) && (subj->device == dev)) {
87265+ subj->inode = ino;
87266+ subj->device = dev;
87267+ }
87268+ /* nested subjects aren't in the role's subj_hash table */
87269+ update_acl_obj_label(matchn->inode, matchn->device,
87270+ ino, dev, subj);
87271+ FOR_EACH_NESTED_SUBJECT_END(subj)
87272+ FOR_EACH_SUBJECT_START(role, subj, x)
87273+ update_acl_obj_label(matchn->inode, matchn->device,
87274+ ino, dev, subj);
87275+ FOR_EACH_SUBJECT_END(subj,x)
87276+ FOR_EACH_ROLE_END(role)
87277+
87278+ update_inodev_entry(matchn->inode, matchn->device, ino, dev);
87279+
87280+ return;
87281+}
87282+
87283+static void
87284+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
87285+ const struct vfsmount *mnt)
87286+{
87287+ u64 ino = __get_ino(dentry);
87288+ dev_t dev = __get_dev(dentry);
87289+
87290+ __do_handle_create(matchn, ino, dev);
87291+
87292+ return;
87293+}
87294+
87295+void
87296+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
87297+{
87298+ struct name_entry *matchn;
87299+
87300+ if (unlikely(!(gr_status & GR_READY)))
87301+ return;
87302+
87303+ preempt_disable();
87304+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
87305+
87306+ if (unlikely((unsigned long)matchn)) {
87307+ write_lock(&gr_inode_lock);
87308+ do_handle_create(matchn, dentry, mnt);
87309+ write_unlock(&gr_inode_lock);
87310+ }
87311+ preempt_enable();
87312+
87313+ return;
87314+}
87315+
87316+void
87317+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
87318+{
87319+ struct name_entry *matchn;
87320+
87321+ if (unlikely(!(gr_status & GR_READY)))
87322+ return;
87323+
87324+ preempt_disable();
87325+ matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
87326+
87327+ if (unlikely((unsigned long)matchn)) {
87328+ write_lock(&gr_inode_lock);
87329+ __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
87330+ write_unlock(&gr_inode_lock);
87331+ }
87332+ preempt_enable();
87333+
87334+ return;
87335+}
87336+
87337+void
87338+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
87339+ struct dentry *old_dentry,
87340+ struct dentry *new_dentry,
87341+ struct vfsmount *mnt, const __u8 replace, unsigned int flags)
87342+{
87343+ struct name_entry *matchn;
87344+ struct name_entry *matchn2 = NULL;
87345+ struct inodev_entry *inodev;
87346+ struct inode *inode = d_backing_inode(new_dentry);
87347+ struct inode *old_inode = d_backing_inode(old_dentry);
87348+ u64 old_ino = __get_ino(old_dentry);
87349+ dev_t old_dev = __get_dev(old_dentry);
87350+ unsigned int exchange = flags & RENAME_EXCHANGE;
87351+
87352+ /* vfs_rename swaps the name and parent link for old_dentry and
87353+ new_dentry
87354+ at this point, old_dentry has the new name, parent link, and inode
87355+ for the renamed file
87356+ if a file is being replaced by a rename, new_dentry has the inode
87357+ and name for the replaced file
87358+ */
87359+
87360+ if (unlikely(!(gr_status & GR_READY)))
87361+ return;
87362+
87363+ preempt_disable();
87364+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
87365+
87366+ /* exchange cases:
87367+ a filename exists for the source, but not dest
87368+ do a recreate on source
87369+ a filename exists for the dest, but not source
87370+ do a recreate on dest
87371+ a filename exists for both source and dest
87372+ delete source and dest, then create source and dest
87373+ a filename exists for neither source nor dest
87374+ no updates needed
87375+
87376+ the name entry lookups get us the old inode/dev associated with
87377+ each name, so do the deletes first (if possible) so that when
87378+ we do the create, we pick up on the right entries
87379+ */
87380+
87381+ if (exchange)
87382+ matchn2 = lookup_name_entry(gr_to_filename_rbac(new_dentry, mnt));
87383+
87384+ /* we wouldn't have to check d_inode if it weren't for
87385+ NFS silly-renaming
87386+ */
87387+
87388+ write_lock(&gr_inode_lock);
87389+ if (unlikely((replace || exchange) && inode)) {
87390+ u64 new_ino = __get_ino(new_dentry);
87391+ dev_t new_dev = __get_dev(new_dentry);
87392+
87393+ inodev = lookup_inodev_entry(new_ino, new_dev);
87394+ if (inodev != NULL && ((inode->i_nlink <= 1) || d_is_dir(new_dentry)))
87395+ do_handle_delete(inodev, new_ino, new_dev);
87396+ }
87397+
87398+ inodev = lookup_inodev_entry(old_ino, old_dev);
87399+ if (inodev != NULL && ((old_inode->i_nlink <= 1) || d_is_dir(old_dentry)))
87400+ do_handle_delete(inodev, old_ino, old_dev);
87401+
87402+ if (unlikely(matchn != NULL))
87403+ do_handle_create(matchn, old_dentry, mnt);
87404+
87405+ if (unlikely(matchn2 != NULL))
87406+ do_handle_create(matchn2, new_dentry, mnt);
87407+
87408+ write_unlock(&gr_inode_lock);
87409+ preempt_enable();
87410+
87411+ return;
87412+}
87413+
87414+#if defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC)
87415+static const unsigned long res_learn_bumps[GR_NLIMITS] = {
87416+ [RLIMIT_CPU] = GR_RLIM_CPU_BUMP,
87417+ [RLIMIT_FSIZE] = GR_RLIM_FSIZE_BUMP,
87418+ [RLIMIT_DATA] = GR_RLIM_DATA_BUMP,
87419+ [RLIMIT_STACK] = GR_RLIM_STACK_BUMP,
87420+ [RLIMIT_CORE] = GR_RLIM_CORE_BUMP,
87421+ [RLIMIT_RSS] = GR_RLIM_RSS_BUMP,
87422+ [RLIMIT_NPROC] = GR_RLIM_NPROC_BUMP,
87423+ [RLIMIT_NOFILE] = GR_RLIM_NOFILE_BUMP,
87424+ [RLIMIT_MEMLOCK] = GR_RLIM_MEMLOCK_BUMP,
87425+ [RLIMIT_AS] = GR_RLIM_AS_BUMP,
87426+ [RLIMIT_LOCKS] = GR_RLIM_LOCKS_BUMP,
87427+ [RLIMIT_SIGPENDING] = GR_RLIM_SIGPENDING_BUMP,
87428+ [RLIMIT_MSGQUEUE] = GR_RLIM_MSGQUEUE_BUMP,
87429+ [RLIMIT_NICE] = GR_RLIM_NICE_BUMP,
87430+ [RLIMIT_RTPRIO] = GR_RLIM_RTPRIO_BUMP,
87431+ [RLIMIT_RTTIME] = GR_RLIM_RTTIME_BUMP
87432+};
87433+
87434+void
87435+gr_learn_resource(const struct task_struct *task,
87436+ const int res, const unsigned long wanted, const int gt)
87437+{
87438+ struct acl_subject_label *acl;
87439+ const struct cred *cred;
87440+
87441+ if (unlikely((gr_status & GR_READY) &&
87442+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
87443+ goto skip_reslog;
87444+
87445+ gr_log_resource(task, res, wanted, gt);
87446+skip_reslog:
87447+
87448+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
87449+ return;
87450+
87451+ acl = task->acl;
87452+
87453+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
87454+ !(acl->resmask & (1U << (unsigned short) res))))
87455+ return;
87456+
87457+ if (wanted >= acl->res[res].rlim_cur) {
87458+ unsigned long res_add;
87459+
87460+ res_add = wanted + res_learn_bumps[res];
87461+
87462+ acl->res[res].rlim_cur = res_add;
87463+
87464+ if (wanted > acl->res[res].rlim_max)
87465+ acl->res[res].rlim_max = res_add;
87466+
87467+ /* only log the subject filename, since resource logging is supported for
87468+ single-subject learning only */
87469+ rcu_read_lock();
87470+ cred = __task_cred(task);
87471+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
87472+ task->role->roletype, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), acl->filename,
87473+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
87474+ "", (unsigned long) res, &task->signal->saved_ip);
87475+ rcu_read_unlock();
87476+ }
87477+
87478+ return;
87479+}
87480+EXPORT_SYMBOL_GPL(gr_learn_resource);
87481+#endif
87482+
87483+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
87484+void
87485+pax_set_initial_flags(struct linux_binprm *bprm)
87486+{
87487+ struct task_struct *task = current;
87488+ struct acl_subject_label *proc;
87489+ unsigned long flags;
87490+
87491+ if (unlikely(!(gr_status & GR_READY)))
87492+ return;
87493+
87494+ flags = pax_get_flags(task);
87495+
87496+ proc = task->acl;
87497+
87498+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
87499+ flags &= ~MF_PAX_PAGEEXEC;
87500+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
87501+ flags &= ~MF_PAX_SEGMEXEC;
87502+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
87503+ flags &= ~MF_PAX_RANDMMAP;
87504+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
87505+ flags &= ~MF_PAX_EMUTRAMP;
87506+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
87507+ flags &= ~MF_PAX_MPROTECT;
87508+
87509+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
87510+ flags |= MF_PAX_PAGEEXEC;
87511+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
87512+ flags |= MF_PAX_SEGMEXEC;
87513+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
87514+ flags |= MF_PAX_RANDMMAP;
87515+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
87516+ flags |= MF_PAX_EMUTRAMP;
87517+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
87518+ flags |= MF_PAX_MPROTECT;
87519+
87520+ pax_set_flags(task, flags);
87521+
87522+ return;
87523+}
87524+#endif
87525+
87526+int
87527+gr_handle_proc_ptrace(struct task_struct *task)
87528+{
87529+ struct file *filp;
87530+ struct task_struct *tmp = task;
87531+ struct task_struct *curtemp = current;
87532+ __u32 retmode;
87533+
87534+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
87535+ if (unlikely(!(gr_status & GR_READY)))
87536+ return 0;
87537+#endif
87538+
87539+ read_lock(&tasklist_lock);
87540+ read_lock(&grsec_exec_file_lock);
87541+ filp = task->exec_file;
87542+
87543+ while (task_pid_nr(tmp) > 0) {
87544+ if (tmp == curtemp)
87545+ break;
87546+ tmp = tmp->real_parent;
87547+ }
87548+
87549+ if (!filp || (task_pid_nr(tmp) == 0 && ((grsec_enable_harden_ptrace && gr_is_global_nonroot(current_uid()) && !(gr_status & GR_READY)) ||
87550+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
87551+ read_unlock(&grsec_exec_file_lock);
87552+ read_unlock(&tasklist_lock);
87553+ return 1;
87554+ }
87555+
87556+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
87557+ if (!(gr_status & GR_READY)) {
87558+ read_unlock(&grsec_exec_file_lock);
87559+ read_unlock(&tasklist_lock);
87560+ return 0;
87561+ }
87562+#endif
87563+
87564+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
87565+ read_unlock(&grsec_exec_file_lock);
87566+ read_unlock(&tasklist_lock);
87567+
87568+ if (retmode & GR_NOPTRACE)
87569+ return 1;
87570+
87571+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
87572+ && (current->acl != task->acl || (current->acl != current->role->root_label
87573+ && task_pid_nr(current) != task_pid_nr(task))))
87574+ return 1;
87575+
87576+ return 0;
87577+}
87578+
87579+void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
87580+{
87581+ if (unlikely(!(gr_status & GR_READY)))
87582+ return;
87583+
87584+ if (!(current->role->roletype & GR_ROLE_GOD))
87585+ return;
87586+
87587+ seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
87588+ p->role->rolename, gr_task_roletype_to_char(p),
87589+ p->acl->filename);
87590+}
87591+
87592+int
87593+gr_handle_ptrace(struct task_struct *task, const long request)
87594+{
87595+ struct task_struct *tmp = task;
87596+ struct task_struct *curtemp = current;
87597+ __u32 retmode;
87598+
87599+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
87600+ if (unlikely(!(gr_status & GR_READY)))
87601+ return 0;
87602+#endif
87603+ if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
87604+ read_lock(&tasklist_lock);
87605+ while (task_pid_nr(tmp) > 0) {
87606+ if (tmp == curtemp)
87607+ break;
87608+ tmp = tmp->real_parent;
87609+ }
87610+
87611+ if (task_pid_nr(tmp) == 0 && ((grsec_enable_harden_ptrace && gr_is_global_nonroot(current_uid()) && !(gr_status & GR_READY)) ||
87612+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
87613+ read_unlock(&tasklist_lock);
87614+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
87615+ return 1;
87616+ }
87617+ read_unlock(&tasklist_lock);
87618+ }
87619+
87620+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
87621+ if (!(gr_status & GR_READY))
87622+ return 0;
87623+#endif
87624+
87625+ read_lock(&grsec_exec_file_lock);
87626+ if (unlikely(!task->exec_file)) {
87627+ read_unlock(&grsec_exec_file_lock);
87628+ return 0;
87629+ }
87630+
87631+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
87632+ read_unlock(&grsec_exec_file_lock);
87633+
87634+ if (retmode & GR_NOPTRACE) {
87635+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
87636+ return 1;
87637+ }
87638+
87639+ if (retmode & GR_PTRACERD) {
87640+ switch (request) {
87641+ case PTRACE_SEIZE:
87642+ case PTRACE_POKETEXT:
87643+ case PTRACE_POKEDATA:
87644+ case PTRACE_POKEUSR:
87645+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
87646+ case PTRACE_SETREGS:
87647+ case PTRACE_SETFPREGS:
87648+#endif
87649+#ifdef CONFIG_X86
87650+ case PTRACE_SETFPXREGS:
87651+#endif
87652+#ifdef CONFIG_ALTIVEC
87653+ case PTRACE_SETVRREGS:
87654+#endif
87655+ return 1;
87656+ default:
87657+ return 0;
87658+ }
87659+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
87660+ !(current->role->roletype & GR_ROLE_GOD) &&
87661+ (current->acl != task->acl)) {
87662+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
87663+ return 1;
87664+ }
87665+
87666+ return 0;
87667+}
87668+
87669+static int is_writable_mmap(const struct file *filp)
87670+{
87671+ struct task_struct *task = current;
87672+ struct acl_object_label *obj, *obj2;
87673+ struct dentry *dentry = filp->f_path.dentry;
87674+ struct vfsmount *mnt = filp->f_path.mnt;
87675+ struct inode *inode = d_backing_inode(dentry);
87676+
87677+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
87678+ !task->is_writable && d_is_reg(dentry) && (mnt != shm_mnt || (inode->i_nlink > 0))) {
87679+ obj = chk_obj_label(dentry, mnt, running_polstate.default_role->root_label);
87680+ obj2 = chk_obj_label(dentry, mnt, task->role->root_label);
87681+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
87682+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, dentry, mnt);
87683+ return 1;
87684+ }
87685+ }
87686+ return 0;
87687+}
87688+
87689+int
87690+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
87691+{
87692+ __u32 mode;
87693+
87694+ if (unlikely(!file || !(prot & PROT_EXEC)))
87695+ return 1;
87696+
87697+ if (is_writable_mmap(file))
87698+ return 0;
87699+
87700+ mode =
87701+ gr_search_file(file->f_path.dentry,
87702+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
87703+ file->f_path.mnt);
87704+
87705+ if (!gr_tpe_allow(file))
87706+ return 0;
87707+
87708+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
87709+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
87710+ return 0;
87711+ } else if (unlikely(!(mode & GR_EXEC))) {
87712+ return 0;
87713+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
87714+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
87715+ return 1;
87716+ }
87717+
87718+ return 1;
87719+}
87720+
87721+int
87722+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
87723+{
87724+ __u32 mode;
87725+
87726+ if (unlikely(!file || !(prot & PROT_EXEC)))
87727+ return 1;
87728+
87729+ if (is_writable_mmap(file))
87730+ return 0;
87731+
87732+ mode =
87733+ gr_search_file(file->f_path.dentry,
87734+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
87735+ file->f_path.mnt);
87736+
87737+ if (!gr_tpe_allow(file))
87738+ return 0;
87739+
87740+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
87741+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
87742+ return 0;
87743+ } else if (unlikely(!(mode & GR_EXEC))) {
87744+ return 0;
87745+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
87746+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
87747+ return 1;
87748+ }
87749+
87750+ return 1;
87751+}
87752+
87753+void
87754+gr_acl_handle_psacct(struct task_struct *task, const long code)
87755+{
87756+ unsigned long runtime, cputime;
87757+ cputime_t utime, stime;
87758+ unsigned int wday, cday;
87759+ __u8 whr, chr;
87760+ __u8 wmin, cmin;
87761+ __u8 wsec, csec;
87762+ struct timespec curtime, starttime;
87763+
87764+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
87765+ !(task->acl->mode & GR_PROCACCT)))
87766+ return;
87767+
87768+ curtime = ns_to_timespec(ktime_get_ns());
87769+ starttime = ns_to_timespec(task->start_time);
87770+ runtime = curtime.tv_sec - starttime.tv_sec;
87771+ wday = runtime / (60 * 60 * 24);
87772+ runtime -= wday * (60 * 60 * 24);
87773+ whr = runtime / (60 * 60);
87774+ runtime -= whr * (60 * 60);
87775+ wmin = runtime / 60;
87776+ runtime -= wmin * 60;
87777+ wsec = runtime;
87778+
87779+ task_cputime(task, &utime, &stime);
87780+ cputime = cputime_to_secs(utime + stime);
87781+ cday = cputime / (60 * 60 * 24);
87782+ cputime -= cday * (60 * 60 * 24);
87783+ chr = cputime / (60 * 60);
87784+ cputime -= chr * (60 * 60);
87785+ cmin = cputime / 60;
87786+ cputime -= cmin * 60;
87787+ csec = cputime;
87788+
87789+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
87790+
87791+ return;
87792+}
87793+
87794+#ifdef CONFIG_TASKSTATS
87795+int gr_is_taskstats_denied(int pid)
87796+{
87797+ struct task_struct *task;
87798+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
87799+ const struct cred *cred;
87800+#endif
87801+ int ret = 0;
87802+
87803+ /* restrict taskstats viewing to un-chrooted root users
87804+ who have the 'view' subject flag if the RBAC system is enabled
87805+ */
87806+
87807+ rcu_read_lock();
87808+ read_lock(&tasklist_lock);
87809+ task = find_task_by_vpid(pid);
87810+ if (task) {
87811+#ifdef CONFIG_GRKERNSEC_CHROOT
87812+ if (proc_is_chrooted(task))
87813+ ret = -EACCES;
87814+#endif
87815+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
87816+ cred = __task_cred(task);
87817+#ifdef CONFIG_GRKERNSEC_PROC_USER
87818+ if (gr_is_global_nonroot(cred->uid))
87819+ ret = -EACCES;
87820+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
87821+ if (gr_is_global_nonroot(cred->uid) && !groups_search(cred->group_info, grsec_proc_gid))
87822+ ret = -EACCES;
87823+#endif
87824+#endif
87825+ if (gr_status & GR_READY) {
87826+ if (!(task->acl->mode & GR_VIEW))
87827+ ret = -EACCES;
87828+ }
87829+ } else
87830+ ret = -ENOENT;
87831+
87832+ read_unlock(&tasklist_lock);
87833+ rcu_read_unlock();
87834+
87835+ return ret;
87836+}
87837+#endif
87838+
87839+/* AUXV entries are filled via a descendant of search_binary_handler
87840+ after we've already applied the subject for the target
87841+*/
87842+int gr_acl_enable_at_secure(void)
87843+{
87844+ if (unlikely(!(gr_status & GR_READY)))
87845+ return 0;
87846+
87847+ if (current->acl->mode & GR_ATSECURE)
87848+ return 1;
87849+
87850+ return 0;
87851+}
87852+
87853+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino)
87854+{
87855+ struct task_struct *task = current;
87856+ struct dentry *dentry = file->f_path.dentry;
87857+ struct vfsmount *mnt = file->f_path.mnt;
87858+ struct acl_object_label *obj, *tmp;
87859+ struct acl_subject_label *subj;
87860+ unsigned int bufsize;
87861+ int is_not_root;
87862+ char *path;
87863+ dev_t dev = __get_dev(dentry);
87864+
87865+ if (unlikely(!(gr_status & GR_READY)))
87866+ return 1;
87867+
87868+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
87869+ return 1;
87870+
87871+ /* ignore Eric Biederman */
87872+ if (IS_PRIVATE(d_backing_inode(dentry)))
87873+ return 1;
87874+
87875+ subj = task->acl;
87876+ read_lock(&gr_inode_lock);
87877+ do {
87878+ obj = lookup_acl_obj_label(ino, dev, subj);
87879+ if (obj != NULL) {
87880+ read_unlock(&gr_inode_lock);
87881+ return (obj->mode & GR_FIND) ? 1 : 0;
87882+ }
87883+ } while ((subj = subj->parent_subject));
87884+ read_unlock(&gr_inode_lock);
87885+
87886+ /* this is purely an optimization since we're looking for an object
87887+ for the directory we're doing a readdir on
87888+ if it's possible for any globbed object to match the entry we're
87889+ filling into the directory, then the object we find here will be
87890+ an anchor point with attached globbed objects
87891+ */
87892+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
87893+ if (obj->globbed == NULL)
87894+ return (obj->mode & GR_FIND) ? 1 : 0;
87895+
87896+ is_not_root = ((obj->filename[0] == '/') &&
87897+ (obj->filename[1] == '\0')) ? 0 : 1;
87898+ bufsize = PAGE_SIZE - namelen - is_not_root;
87899+
87900+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
87901+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
87902+ return 1;
87903+
87904+ preempt_disable();
87905+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
87906+ bufsize);
87907+
87908+ bufsize = strlen(path);
87909+
87910+ /* if base is "/", don't append an additional slash */
87911+ if (is_not_root)
87912+ *(path + bufsize) = '/';
87913+ memcpy(path + bufsize + is_not_root, name, namelen);
87914+ *(path + bufsize + namelen + is_not_root) = '\0';
87915+
87916+ tmp = obj->globbed;
87917+ while (tmp) {
87918+ if (!glob_match(tmp->filename, path)) {
87919+ preempt_enable();
87920+ return (tmp->mode & GR_FIND) ? 1 : 0;
87921+ }
87922+ tmp = tmp->next;
87923+ }
87924+ preempt_enable();
87925+ return (obj->mode & GR_FIND) ? 1 : 0;
87926+}
87927+
87928+void gr_put_exec_file(struct task_struct *task)
87929+{
87930+ struct file *filp;
87931+
87932+ write_lock(&grsec_exec_file_lock);
87933+ filp = task->exec_file;
87934+ task->exec_file = NULL;
87935+ write_unlock(&grsec_exec_file_lock);
87936+
87937+ if (filp)
87938+ fput(filp);
87939+
87940+ return;
87941+}
87942+
87943+
87944+#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
87945+EXPORT_SYMBOL_GPL(gr_acl_is_enabled);
87946+#endif
87947+#ifdef CONFIG_SECURITY
87948+EXPORT_SYMBOL_GPL(gr_check_user_change);
87949+EXPORT_SYMBOL_GPL(gr_check_group_change);
87950+#endif
87951+
87952diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c
87953new file mode 100644
87954index 0000000..9adc75c
87955--- /dev/null
87956+++ b/grsecurity/gracl_alloc.c
87957@@ -0,0 +1,105 @@
87958+#include <linux/kernel.h>
87959+#include <linux/mm.h>
87960+#include <linux/slab.h>
87961+#include <linux/vmalloc.h>
87962+#include <linux/gracl.h>
87963+#include <linux/grsecurity.h>
87964+
87965+static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL };
87966+struct gr_alloc_state *current_alloc_state = &__current_alloc_state;
87967+
87968+static int
87969+alloc_pop(void)
87970+{
87971+ if (current_alloc_state->alloc_stack_next == 1)
87972+ return 0;
87973+
87974+ kfree(current_alloc_state->alloc_stack[current_alloc_state->alloc_stack_next - 2]);
87975+
87976+ current_alloc_state->alloc_stack_next--;
87977+
87978+ return 1;
87979+}
87980+
87981+static int
87982+alloc_push(void *buf)
87983+{
87984+ if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size)
87985+ return 1;
87986+
87987+ current_alloc_state->alloc_stack[current_alloc_state->alloc_stack_next - 1] = buf;
87988+
87989+ current_alloc_state->alloc_stack_next++;
87990+
87991+ return 0;
87992+}
87993+
87994+void *
87995+acl_alloc(unsigned long len)
87996+{
87997+ void *ret = NULL;
87998+
87999+ if (!len || len > PAGE_SIZE)
88000+ goto out;
88001+
88002+ ret = kmalloc(len, GFP_KERNEL);
88003+
88004+ if (ret) {
88005+ if (alloc_push(ret)) {
88006+ kfree(ret);
88007+ ret = NULL;
88008+ }
88009+ }
88010+
88011+out:
88012+ return ret;
88013+}
88014+
88015+void *
88016+acl_alloc_num(unsigned long num, unsigned long len)
88017+{
88018+ if (!len || (num > (PAGE_SIZE / len)))
88019+ return NULL;
88020+
88021+ return acl_alloc(num * len);
88022+}
88023+
88024+void
88025+acl_free_all(void)
88026+{
88027+ if (!current_alloc_state->alloc_stack)
88028+ return;
88029+
88030+ while (alloc_pop()) ;
88031+
88032+ if (current_alloc_state->alloc_stack) {
88033+ if ((current_alloc_state->alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
88034+ kfree(current_alloc_state->alloc_stack);
88035+ else
88036+ vfree(current_alloc_state->alloc_stack);
88037+ }
88038+
88039+ current_alloc_state->alloc_stack = NULL;
88040+ current_alloc_state->alloc_stack_size = 1;
88041+ current_alloc_state->alloc_stack_next = 1;
88042+
88043+ return;
88044+}
88045+
88046+int
88047+acl_alloc_stack_init(unsigned long size)
88048+{
88049+ if ((size * sizeof (void *)) <= PAGE_SIZE)
88050+ current_alloc_state->alloc_stack =
88051+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
88052+ else
88053+ current_alloc_state->alloc_stack = (void **) vmalloc(size * sizeof (void *));
88054+
88055+ current_alloc_state->alloc_stack_size = size;
88056+ current_alloc_state->alloc_stack_next = 1;
88057+
88058+ if (!current_alloc_state->alloc_stack)
88059+ return 0;
88060+ else
88061+ return 1;
88062+}
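Review bot: In `acl_alloc_stack_init` the product `size * sizeof (void *)` is computed without an overflow check, and `alloc_stack_size` is set to `size` even when the allocation fails or the product wraps. If a wrapped product yields a short array, the bound tested in `alloc_push` (`alloc_stack_next >= alloc_stack_size`) no longer matches the real capacity, and later pushes would write past the array. Whether `size` can get that large depends on the caller, which is outside this hunk, but the guard is cheap: `if (size > ULONG_MAX / sizeof(void *)) return 0;` before the allocation. In the same change, record `alloc_stack_size = size` only once the pointer is known to be non-NULL.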
88063diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c
88064new file mode 100644
88065index 0000000..1a94c11
88066--- /dev/null
88067+++ b/grsecurity/gracl_cap.c
88068@@ -0,0 +1,127 @@
88069+#include <linux/kernel.h>
88070+#include <linux/module.h>
88071+#include <linux/sched.h>
88072+#include <linux/gracl.h>
88073+#include <linux/grsecurity.h>
88074+#include <linux/grinternal.h>
88075+
88076+extern const char *captab_log[];
88077+extern int captab_log_entries;
88078+
88079+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
88080+{
88081+ struct acl_subject_label *curracl;
88082+
88083+ if (!gr_acl_is_enabled())
88084+ return 1;
88085+
88086+ curracl = task->acl;
88087+
88088+ if (curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
88089+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
88090+ task->role->roletype, GR_GLOBAL_UID(cred->uid),
88091+ GR_GLOBAL_GID(cred->gid), task->exec_file ?
88092+ gr_to_filename(task->exec_file->f_path.dentry,
88093+ task->exec_file->f_path.mnt) : curracl->filename,
88094+ curracl->filename, 0UL,
88095+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
88096+ return 1;
88097+ }
88098+
88099+ return 0;
88100+}
88101+
88102+int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
88103+{
88104+ struct acl_subject_label *curracl;
88105+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
88106+ kernel_cap_t cap_audit = __cap_empty_set;
88107+
88108+ if (!gr_acl_is_enabled())
88109+ return 1;
88110+
88111+ curracl = task->acl;
88112+
88113+ cap_drop = curracl->cap_lower;
88114+ cap_mask = curracl->cap_mask;
88115+ cap_audit = curracl->cap_invert_audit;
88116+
88117+ while ((curracl = curracl->parent_subject)) {
88118+ /* if the cap isn't specified in the current computed mask but is specified in the
88119+ current level subject, and is lowered in the current level subject, then add
88120+ it to the set of dropped capabilities
88121+ otherwise, add the current level subject's mask to the current computed mask
88122+ */
88123+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
88124+ cap_raise(cap_mask, cap);
88125+ if (cap_raised(curracl->cap_lower, cap))
88126+ cap_raise(cap_drop, cap);
88127+ if (cap_raised(curracl->cap_invert_audit, cap))
88128+ cap_raise(cap_audit, cap);
88129+ }
88130+ }
88131+
88132+ if (!cap_raised(cap_drop, cap)) {
88133+ if (cap_raised(cap_audit, cap))
88134+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
88135+ return 1;
88136+ }
88137+
88138+ /* only learn the capability use if the process has the capability in the
88139+ general case, the two uses in sys.c of gr_learn_cap are an exception
88140+ to this rule to ensure any role transition involves what the full-learned
88141+ policy believes in a privileged process
88142+ */
88143+ if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap))
88144+ return 1;
88145+
88146+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
88147+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
88148+
88149+ return 0;
88150+}
88151+
88152+int
88153+gr_acl_is_capable(const int cap)
88154+{
88155+ return gr_task_acl_is_capable(current, current_cred(), cap);
88156+}
88157+
88158+int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap)
88159+{
88160+ struct acl_subject_label *curracl;
88161+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
88162+
88163+ if (!gr_acl_is_enabled())
88164+ return 1;
88165+
88166+ curracl = task->acl;
88167+
88168+ cap_drop = curracl->cap_lower;
88169+ cap_mask = curracl->cap_mask;
88170+
88171+ while ((curracl = curracl->parent_subject)) {
88172+ /* if the cap isn't specified in the current computed mask but is specified in the
88173+ current level subject, and is lowered in the current level subject, then add
88174+ it to the set of dropped capabilities
88175+ otherwise, add the current level subject's mask to the current computed mask
88176+ */
88177+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
88178+ cap_raise(cap_mask, cap);
88179+ if (cap_raised(curracl->cap_lower, cap))
88180+ cap_raise(cap_drop, cap);
88181+ }
88182+ }
88183+
88184+ if (!cap_raised(cap_drop, cap))
88185+ return 1;
88186+
88187+ return 0;
88188+}
88189+
88190+int
88191+gr_acl_is_capable_nolog(const int cap)
88192+{
88193+ return gr_task_acl_is_capable_nolog(current, cap);
88194+}
88195+
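Review bot: The audit path in `gr_task_acl_is_capable` indexes `captab_log[cap]` without the range check that the deny path a few lines later applies (`(cap >= 0) && (cap < captab_log_entries)`). A capability number at or above `captab_log_entries` with its audit bit set would read past the table when the log message is built. Use the same guard in both places, e.g. `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)`. The parent-subject walk is also repeated almost verbatim in `gr_task_acl_is_capable_nolog`; a shared static helper would keep the two decisions from drifting apart.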
88196diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
88197new file mode 100644
88198index 0000000..a43dd06
88199--- /dev/null
88200+++ b/grsecurity/gracl_compat.c
88201@@ -0,0 +1,269 @@
88202+#include <linux/kernel.h>
88203+#include <linux/gracl.h>
88204+#include <linux/compat.h>
88205+#include <linux/gracl_compat.h>
88206+
88207+#include <asm/uaccess.h>
88208+
88209+int copy_gr_arg_wrapper_compat(const char *buf, struct gr_arg_wrapper *uwrap)
88210+{
88211+ struct gr_arg_wrapper_compat uwrapcompat;
88212+
88213+ if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat)))
88214+ return -EFAULT;
88215+
88216+ if ((uwrapcompat.version != GRSECURITY_VERSION) ||
88217+ (uwrapcompat.size != sizeof(struct gr_arg_compat)))
88218+ return -EINVAL;
88219+
88220+ uwrap->arg = compat_ptr(uwrapcompat.arg);
88221+ uwrap->version = uwrapcompat.version;
88222+ uwrap->size = sizeof(struct gr_arg);
88223+
88224+ return 0;
88225+}
88226+
88227+int copy_gr_arg_compat(const struct gr_arg __user *buf, struct gr_arg *arg)
88228+{
88229+ struct gr_arg_compat argcompat;
88230+
88231+ if (copy_from_user(&argcompat, buf, sizeof(argcompat)))
88232+ return -EFAULT;
88233+
88234+ arg->role_db.r_table = compat_ptr(argcompat.role_db.r_table);
88235+ arg->role_db.num_pointers = argcompat.role_db.num_pointers;
88236+ arg->role_db.num_roles = argcompat.role_db.num_roles;
88237+ arg->role_db.num_domain_children = argcompat.role_db.num_domain_children;
88238+ arg->role_db.num_subjects = argcompat.role_db.num_subjects;
88239+ arg->role_db.num_objects = argcompat.role_db.num_objects;
88240+
88241+ memcpy(&arg->pw, &argcompat.pw, sizeof(arg->pw));
88242+ memcpy(&arg->salt, &argcompat.salt, sizeof(arg->salt));
88243+ memcpy(&arg->sum, &argcompat.sum, sizeof(arg->sum));
88244+ memcpy(&arg->sp_role, &argcompat.sp_role, sizeof(arg->sp_role));
88245+ arg->sprole_pws = compat_ptr(argcompat.sprole_pws);
88246+ arg->segv_device = argcompat.segv_device;
88247+ arg->segv_inode = argcompat.segv_inode;
88248+ arg->segv_uid = argcompat.segv_uid;
88249+ arg->num_sprole_pws = argcompat.num_sprole_pws;
88250+ arg->mode = argcompat.mode;
88251+
88252+ return 0;
88253+}
88254+
88255+int copy_acl_object_label_compat(struct acl_object_label *obj, const struct acl_object_label *userp)
88256+{
88257+ struct acl_object_label_compat objcompat;
88258+
88259+ if (copy_from_user(&objcompat, userp, sizeof(objcompat)))
88260+ return -EFAULT;
88261+
88262+ obj->filename = compat_ptr(objcompat.filename);
88263+ obj->inode = objcompat.inode;
88264+ obj->device = objcompat.device;
88265+ obj->mode = objcompat.mode;
88266+
88267+ obj->nested = compat_ptr(objcompat.nested);
88268+ obj->globbed = compat_ptr(objcompat.globbed);
88269+
88270+ obj->prev = compat_ptr(objcompat.prev);
88271+ obj->next = compat_ptr(objcompat.next);
88272+
88273+ return 0;
88274+}
88275+
88276+int copy_acl_subject_label_compat(struct acl_subject_label *subj, const struct acl_subject_label *userp)
88277+{
88278+ unsigned int i;
88279+ struct acl_subject_label_compat subjcompat;
88280+
88281+ if (copy_from_user(&subjcompat, userp, sizeof(subjcompat)))
88282+ return -EFAULT;
88283+
88284+ subj->filename = compat_ptr(subjcompat.filename);
88285+ subj->inode = subjcompat.inode;
88286+ subj->device = subjcompat.device;
88287+ subj->mode = subjcompat.mode;
88288+ subj->cap_mask = subjcompat.cap_mask;
88289+ subj->cap_lower = subjcompat.cap_lower;
88290+ subj->cap_invert_audit = subjcompat.cap_invert_audit;
88291+
88292+ for (i = 0; i < GR_NLIMITS; i++) {
88293+ if (subjcompat.res[i].rlim_cur == COMPAT_RLIM_INFINITY)
88294+ subj->res[i].rlim_cur = RLIM_INFINITY;
88295+ else
88296+ subj->res[i].rlim_cur = subjcompat.res[i].rlim_cur;
88297+ if (subjcompat.res[i].rlim_max == COMPAT_RLIM_INFINITY)
88298+ subj->res[i].rlim_max = RLIM_INFINITY;
88299+ else
88300+ subj->res[i].rlim_max = subjcompat.res[i].rlim_max;
88301+ }
88302+ subj->resmask = subjcompat.resmask;
88303+
88304+ subj->user_trans_type = subjcompat.user_trans_type;
88305+ subj->group_trans_type = subjcompat.group_trans_type;
88306+ subj->user_transitions = compat_ptr(subjcompat.user_transitions);
88307+ subj->group_transitions = compat_ptr(subjcompat.group_transitions);
88308+ subj->user_trans_num = subjcompat.user_trans_num;
88309+ subj->group_trans_num = subjcompat.group_trans_num;
88310+
88311+ memcpy(&subj->sock_families, &subjcompat.sock_families, sizeof(subj->sock_families));
88312+ memcpy(&subj->ip_proto, &subjcompat.ip_proto, sizeof(subj->ip_proto));
88313+ subj->ip_type = subjcompat.ip_type;
88314+ subj->ips = compat_ptr(subjcompat.ips);
88315+ subj->ip_num = subjcompat.ip_num;
88316+ subj->inaddr_any_override = subjcompat.inaddr_any_override;
88317+
88318+ subj->crashes = subjcompat.crashes;
88319+ subj->expires = subjcompat.expires;
88320+
88321+ subj->parent_subject = compat_ptr(subjcompat.parent_subject);
88322+ subj->hash = compat_ptr(subjcompat.hash);
88323+ subj->prev = compat_ptr(subjcompat.prev);
88324+ subj->next = compat_ptr(subjcompat.next);
88325+
88326+ subj->obj_hash = compat_ptr(subjcompat.obj_hash);
88327+ subj->obj_hash_size = subjcompat.obj_hash_size;
88328+ subj->pax_flags = subjcompat.pax_flags;
88329+
88330+ return 0;
88331+}
88332+
88333+int copy_acl_role_label_compat(struct acl_role_label *role, const struct acl_role_label *userp)
88334+{
88335+ struct acl_role_label_compat rolecompat;
88336+
88337+ if (copy_from_user(&rolecompat, userp, sizeof(rolecompat)))
88338+ return -EFAULT;
88339+
88340+ role->rolename = compat_ptr(rolecompat.rolename);
88341+ role->uidgid = rolecompat.uidgid;
88342+ role->roletype = rolecompat.roletype;
88343+
88344+ role->auth_attempts = rolecompat.auth_attempts;
88345+ role->expires = rolecompat.expires;
88346+
88347+ role->root_label = compat_ptr(rolecompat.root_label);
88348+ role->hash = compat_ptr(rolecompat.hash);
88349+
88350+ role->prev = compat_ptr(rolecompat.prev);
88351+ role->next = compat_ptr(rolecompat.next);
88352+
88353+ role->transitions = compat_ptr(rolecompat.transitions);
88354+ role->allowed_ips = compat_ptr(rolecompat.allowed_ips);
88355+ role->domain_children = compat_ptr(rolecompat.domain_children);
88356+ role->domain_child_num = rolecompat.domain_child_num;
88357+
88358+ role->umask = rolecompat.umask;
88359+
88360+ role->subj_hash = compat_ptr(rolecompat.subj_hash);
88361+ role->subj_hash_size = rolecompat.subj_hash_size;
88362+
88363+ return 0;
88364+}
88365+
88366+int copy_role_allowed_ip_compat(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp)
88367+{
88368+ struct role_allowed_ip_compat roleip_compat;
88369+
88370+ if (copy_from_user(&roleip_compat, userp, sizeof(roleip_compat)))
88371+ return -EFAULT;
88372+
88373+ roleip->addr = roleip_compat.addr;
88374+ roleip->netmask = roleip_compat.netmask;
88375+
88376+ roleip->prev = compat_ptr(roleip_compat.prev);
88377+ roleip->next = compat_ptr(roleip_compat.next);
88378+
88379+ return 0;
88380+}
88381+
88382+int copy_role_transition_compat(struct role_transition *trans, const struct role_transition *userp)
88383+{
88384+ struct role_transition_compat trans_compat;
88385+
88386+ if (copy_from_user(&trans_compat, userp, sizeof(trans_compat)))
88387+ return -EFAULT;
88388+
88389+ trans->rolename = compat_ptr(trans_compat.rolename);
88390+
88391+ trans->prev = compat_ptr(trans_compat.prev);
88392+ trans->next = compat_ptr(trans_compat.next);
88393+
88394+ return 0;
88395+
88396+}
88397+
88398+int copy_gr_hash_struct_compat(struct gr_hash_struct *hash, const struct gr_hash_struct *userp)
88399+{
88400+ struct gr_hash_struct_compat hash_compat;
88401+
88402+ if (copy_from_user(&hash_compat, userp, sizeof(hash_compat)))
88403+ return -EFAULT;
88404+
88405+ hash->table = compat_ptr(hash_compat.table);
88406+ hash->nametable = compat_ptr(hash_compat.nametable);
88407+ hash->first = compat_ptr(hash_compat.first);
88408+
88409+ hash->table_size = hash_compat.table_size;
88410+ hash->used_size = hash_compat.used_size;
88411+
88412+ hash->type = hash_compat.type;
88413+
88414+ return 0;
88415+}
88416+
88417+int copy_pointer_from_array_compat(void *ptr, unsigned long idx, const void *userp)
88418+{
88419+ compat_uptr_t ptrcompat;
88420+
88421+ if (copy_from_user(&ptrcompat, userp + (idx * sizeof(ptrcompat)), sizeof(ptrcompat)))
88422+ return -EFAULT;
88423+
88424+ *(void **)ptr = compat_ptr(ptrcompat);
88425+
88426+ return 0;
88427+}
88428+
88429+int copy_acl_ip_label_compat(struct acl_ip_label *ip, const struct acl_ip_label *userp)
88430+{
88431+ struct acl_ip_label_compat ip_compat;
88432+
88433+ if (copy_from_user(&ip_compat, userp, sizeof(ip_compat)))
88434+ return -EFAULT;
88435+
88436+ ip->iface = compat_ptr(ip_compat.iface);
88437+ ip->addr = ip_compat.addr;
88438+ ip->netmask = ip_compat.netmask;
88439+ ip->low = ip_compat.low;
88440+ ip->high = ip_compat.high;
88441+ ip->mode = ip_compat.mode;
88442+ ip->type = ip_compat.type;
88443+
88444+ memcpy(&ip->proto, &ip_compat.proto, sizeof(ip->proto));
88445+
88446+ ip->prev = compat_ptr(ip_compat.prev);
88447+ ip->next = compat_ptr(ip_compat.next);
88448+
88449+ return 0;
88450+}
88451+
88452+int copy_sprole_pw_compat(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp)
88453+{
88454+ struct sprole_pw_compat pw_compat;
88455+
88456+ if (copy_from_user(&pw_compat, (const void *)userp + (sizeof(pw_compat) * idx), sizeof(pw_compat)))
88457+ return -EFAULT;
88458+
88459+ pw->rolename = compat_ptr(pw_compat.rolename);
88460+ memcpy(&pw->salt, pw_compat.salt, sizeof(pw->salt));
88461+ memcpy(&pw->sum, pw_compat.sum, sizeof(pw->sum));
88462+
88463+ return 0;
88464+}
88465+
88466+size_t get_gr_arg_wrapper_size_compat(void)
88467+{
88468+ return sizeof(struct gr_arg_wrapper_compat);
88469+}
88470+
88471diff --git a/grsecurity/gracl_fs.c b/grsecurity/gracl_fs.c
88472new file mode 100644
88473index 0000000..fce7f71
88474--- /dev/null
88475+++ b/grsecurity/gracl_fs.c
88476@@ -0,0 +1,448 @@
88477+#include <linux/kernel.h>
88478+#include <linux/sched.h>
88479+#include <linux/types.h>
88480+#include <linux/fs.h>
88481+#include <linux/file.h>
88482+#include <linux/stat.h>
88483+#include <linux/grsecurity.h>
88484+#include <linux/grinternal.h>
88485+#include <linux/gracl.h>
88486+
88487+umode_t
88488+gr_acl_umask(void)
88489+{
88490+ if (unlikely(!gr_acl_is_enabled()))
88491+ return 0;
88492+
88493+ return current->role->umask;
88494+}
88495+
88496+__u32
88497+gr_acl_handle_hidden_file(const struct dentry * dentry,
88498+ const struct vfsmount * mnt)
88499+{
88500+ __u32 mode;
88501+
88502+ if (unlikely(d_is_negative(dentry)))
88503+ return GR_FIND;
88504+
88505+ mode =
88506+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
88507+
88508+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
88509+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
88510+ return mode;
88511+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
88512+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
88513+ return 0;
88514+ } else if (unlikely(!(mode & GR_FIND)))
88515+ return 0;
88516+
88517+ return GR_FIND;
88518+}
88519+
88520+__u32
88521+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
88522+ int acc_mode)
88523+{
88524+ __u32 reqmode = GR_FIND;
88525+ __u32 mode;
88526+
88527+ if (unlikely(d_is_negative(dentry)))
88528+ return reqmode;
88529+
88530+ if (acc_mode & MAY_APPEND)
88531+ reqmode |= GR_APPEND;
88532+ else if (acc_mode & MAY_WRITE)
88533+ reqmode |= GR_WRITE;
88534+ if ((acc_mode & MAY_READ) && !d_is_dir(dentry))
88535+ reqmode |= GR_READ;
88536+
88537+ mode =
88538+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
88539+ mnt);
88540+
88541+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
88542+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
88543+ reqmode & GR_READ ? " reading" : "",
88544+ reqmode & GR_WRITE ? " writing" : reqmode &
88545+ GR_APPEND ? " appending" : "");
88546+ return reqmode;
88547+ } else
88548+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
88549+ {
88550+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
88551+ reqmode & GR_READ ? " reading" : "",
88552+ reqmode & GR_WRITE ? " writing" : reqmode &
88553+ GR_APPEND ? " appending" : "");
88554+ return 0;
88555+ } else if (unlikely((mode & reqmode) != reqmode))
88556+ return 0;
88557+
88558+ return reqmode;
88559+}
88560+
88561+__u32
88562+gr_acl_handle_creat(const struct dentry * dentry,
88563+ const struct dentry * p_dentry,
88564+ const struct vfsmount * p_mnt, int open_flags, int acc_mode,
88565+ const int imode)
88566+{
88567+ __u32 reqmode = GR_WRITE | GR_CREATE;
88568+ __u32 mode;
88569+
88570+ if (acc_mode & MAY_APPEND)
88571+ reqmode |= GR_APPEND;
88572+ // if a directory was required or the directory already exists, then
88573+ // don't count this open as a read
88574+ if ((acc_mode & MAY_READ) &&
88575+ !((open_flags & O_DIRECTORY) || d_is_dir(dentry)))
88576+ reqmode |= GR_READ;
88577+ if ((open_flags & O_CREAT) &&
88578+ ((imode & S_ISUID) || ((imode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))
88579+ reqmode |= GR_SETID;
88580+
88581+ mode =
88582+ gr_check_create(dentry, p_dentry, p_mnt,
88583+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
88584+
88585+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
88586+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
88587+ reqmode & GR_READ ? " reading" : "",
88588+ reqmode & GR_WRITE ? " writing" : reqmode &
88589+ GR_APPEND ? " appending" : "");
88590+ return reqmode;
88591+ } else
88592+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
88593+ {
88594+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
88595+ reqmode & GR_READ ? " reading" : "",
88596+ reqmode & GR_WRITE ? " writing" : reqmode &
88597+ GR_APPEND ? " appending" : "");
88598+ return 0;
88599+ } else if (unlikely((mode & reqmode) != reqmode))
88600+ return 0;
88601+
88602+ return reqmode;
88603+}
88604+
88605+__u32
88606+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
88607+ const int fmode)
88608+{
88609+ __u32 mode, reqmode = GR_FIND;
88610+
88611+ if ((fmode & S_IXOTH) && !d_is_dir(dentry))
88612+ reqmode |= GR_EXEC;
88613+ if (fmode & S_IWOTH)
88614+ reqmode |= GR_WRITE;
88615+ if (fmode & S_IROTH)
88616+ reqmode |= GR_READ;
88617+
88618+ mode =
88619+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
88620+ mnt);
88621+
88622+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
88623+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
88624+ reqmode & GR_READ ? " reading" : "",
88625+ reqmode & GR_WRITE ? " writing" : "",
88626+ reqmode & GR_EXEC ? " executing" : "");
88627+ return reqmode;
88628+ } else
88629+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
88630+ {
88631+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
88632+ reqmode & GR_READ ? " reading" : "",
88633+ reqmode & GR_WRITE ? " writing" : "",
88634+ reqmode & GR_EXEC ? " executing" : "");
88635+ return 0;
88636+ } else if (unlikely((mode & reqmode) != reqmode))
88637+ return 0;
88638+
88639+ return reqmode;
88640+}
88641+
88642+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
88643+{
88644+ __u32 mode;
88645+
88646+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
88647+
88648+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
88649+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
88650+ return mode;
88651+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
88652+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
88653+ return 0;
88654+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
88655+ return 0;
88656+
88657+ return (reqmode);
88658+}
88659+
88660+__u32
88661+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
88662+{
88663+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
88664+}
88665+
88666+__u32
88667+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
88668+{
88669+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
88670+}
88671+
88672+__u32
88673+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
88674+{
88675+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
88676+}
88677+
88678+__u32
88679+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
88680+{
88681+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
88682+}
88683+
88684+__u32
88685+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
88686+ umode_t *modeptr)
88687+{
88688+ umode_t mode;
88689+ struct inode *inode = d_backing_inode(dentry);
88690+
88691+ *modeptr &= ~gr_acl_umask();
88692+ mode = *modeptr;
88693+
88694+ if (unlikely(inode && S_ISSOCK(inode->i_mode)))
88695+ return 1;
88696+
88697+ if (unlikely(!d_is_dir(dentry) &&
88698+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))) {
88699+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
88700+ GR_CHMOD_ACL_MSG);
88701+ } else {
88702+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
88703+ }
88704+}
88705+
88706+__u32
88707+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
88708+{
88709+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
88710+}
88711+
88712+__u32
88713+gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
88714+{
88715+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
88716+}
88717+
88718+__u32
88719+gr_acl_handle_removexattr(const struct dentry *dentry, const struct vfsmount *mnt)
88720+{
88721+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_REMOVEXATTR_ACL_MSG);
88722+}
88723+
88724+__u32
88725+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
88726+{
88727+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
88728+}
88729+
88730+__u32
88731+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
88732+{
88733+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
88734+ GR_UNIXCONNECT_ACL_MSG);
88735+}
88736+
88737+/* hardlinks require at minimum create and link permission,
88738+ any additional privilege required is based on the
88739+ privilege of the file being linked to
88740+*/
88741+__u32
88742+gr_acl_handle_link(const struct dentry * new_dentry,
88743+ const struct dentry * parent_dentry,
88744+ const struct vfsmount * parent_mnt,
88745+ const struct dentry * old_dentry,
88746+ const struct vfsmount * old_mnt, const struct filename *to)
88747+{
88748+ __u32 mode;
88749+ __u32 needmode = GR_CREATE | GR_LINK;
88750+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
88751+
88752+ mode =
88753+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
88754+ old_mnt);
88755+
88756+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
88757+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to->name);
88758+ return mode;
88759+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
88760+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to->name);
88761+ return 0;
88762+ } else if (unlikely((mode & needmode) != needmode))
88763+ return 0;
88764+
88765+ return 1;
88766+}
88767+
88768+__u32
88769+gr_acl_handle_symlink(const struct dentry * new_dentry,
88770+ const struct dentry * parent_dentry,
88771+ const struct vfsmount * parent_mnt, const struct filename *from)
88772+{
88773+ __u32 needmode = GR_WRITE | GR_CREATE;
88774+ __u32 mode;
88775+
88776+ mode =
88777+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
88778+ GR_CREATE | GR_AUDIT_CREATE |
88779+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
88780+
88781+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
88782+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from->name, new_dentry, parent_mnt);
88783+ return mode;
88784+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
88785+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from->name, new_dentry, parent_mnt);
88786+ return 0;
88787+ } else if (unlikely((mode & needmode) != needmode))
88788+ return 0;
88789+
88790+ return (GR_WRITE | GR_CREATE);
88791+}
88792+
88793+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
88794+{
88795+ __u32 mode;
88796+
88797+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
88798+
88799+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
88800+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
88801+ return mode;
88802+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
88803+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
88804+ return 0;
88805+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
88806+ return 0;
88807+
88808+ return (reqmode);
88809+}
88810+
88811+__u32
88812+gr_acl_handle_mknod(const struct dentry * new_dentry,
88813+ const struct dentry * parent_dentry,
88814+ const struct vfsmount * parent_mnt,
88815+ const int mode)
88816+{
88817+ __u32 reqmode = GR_WRITE | GR_CREATE;
88818+ if (unlikely((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))
88819+ reqmode |= GR_SETID;
88820+
88821+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
88822+ reqmode, GR_MKNOD_ACL_MSG);
88823+}
88824+
88825+__u32
88826+gr_acl_handle_mkdir(const struct dentry *new_dentry,
88827+ const struct dentry *parent_dentry,
88828+ const struct vfsmount *parent_mnt)
88829+{
88830+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
88831+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
88832+}
88833+
88834+#define RENAME_CHECK_SUCCESS(old, new) \
88835+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
88836+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
88837+
88838+int
88839+gr_acl_handle_rename(struct dentry *new_dentry,
88840+ struct dentry *parent_dentry,
88841+ const struct vfsmount *parent_mnt,
88842+ struct dentry *old_dentry,
88843+ struct inode *old_parent_inode,
88844+ struct vfsmount *old_mnt, const struct filename *newname, unsigned int flags)
88845+{
88846+ __u32 comp1, comp2;
88847+ int error = 0;
88848+
88849+ if (unlikely(!gr_acl_is_enabled()))
88850+ return 0;
88851+
88852+ if (flags & RENAME_EXCHANGE) {
88853+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
88854+ GR_AUDIT_READ | GR_AUDIT_WRITE |
88855+ GR_SUPPRESS, parent_mnt);
88856+ comp2 =
88857+ gr_search_file(old_dentry,
88858+ GR_READ | GR_WRITE | GR_AUDIT_READ |
88859+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
88860+ } else if (d_is_negative(new_dentry)) {
88861+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
88862+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
88863+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
88864+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
88865+ GR_DELETE | GR_AUDIT_DELETE |
88866+ GR_AUDIT_READ | GR_AUDIT_WRITE |
88867+ GR_SUPPRESS, old_mnt);
88868+ } else {
88869+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
88870+ GR_CREATE | GR_DELETE |
88871+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
88872+ GR_AUDIT_READ | GR_AUDIT_WRITE |
88873+ GR_SUPPRESS, parent_mnt);
88874+ comp2 =
88875+ gr_search_file(old_dentry,
88876+ GR_READ | GR_WRITE | GR_AUDIT_READ |
88877+ GR_DELETE | GR_AUDIT_DELETE |
88878+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
88879+ }
88880+
88881+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
88882+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
88883+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
88884+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
88885+ && !(comp2 & GR_SUPPRESS)) {
88886+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
88887+ error = -EACCES;
88888+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
88889+ error = -EACCES;
88890+
88891+ return error;
88892+}
88893+
88894+void
88895+gr_acl_handle_exit(void)
88896+{
88897+ u16 id;
88898+ char *rolename;
88899+
88900+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
88901+ !(current->role->roletype & GR_ROLE_PERSIST))) {
88902+ id = current->acl_role_id;
88903+ rolename = current->role->rolename;
88904+ gr_set_acls(1);
88905+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
88906+ }
88907+
88908+ gr_put_exec_file(current);
88909+ return;
88910+}
88911+
88912+int
88913+gr_acl_handle_procpidmem(const struct task_struct *task)
88914+{
88915+ if (unlikely(!gr_acl_is_enabled()))
88916+ return 0;
88917+
88918+ if (task != current && (task->acl->mode & GR_PROTPROCFD) &&
88919+ !(current->acl->mode & GR_POVERRIDE) &&
88920+ !(current->role->roletype & GR_ROLE_GOD))
88921+ return -EACCES;
88922+
88923+ return 0;
88924+}
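Review bot: In gr_acl_handle_symlink the audited-success branch tests only `mode & GR_WRITE`, while the two denial branches right below it compare against the full `needmode` (GR_WRITE | GR_CREATE). If gr_check_create, which is defined outside this hunk, can return GR_WRITE and an audit bit without GR_CREATE, the function logs an audit record and returns a non-zero mode instead of reaching the denial path. The condition should use the same mask as the rest of the file: `if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {`. generic_fs_create_handler and gr_acl_handle_link in this file already use the full-mask form.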
88925diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
88926new file mode 100644
88927index 0000000..ed6ee43
88928--- /dev/null
88929+++ b/grsecurity/gracl_ip.c
88930@@ -0,0 +1,386 @@
88931+#include <linux/kernel.h>
88932+#include <asm/uaccess.h>
88933+#include <asm/errno.h>
88934+#include <net/sock.h>
88935+#include <linux/file.h>
88936+#include <linux/fs.h>
88937+#include <linux/net.h>
88938+#include <linux/in.h>
88939+#include <linux/skbuff.h>
88940+#include <linux/ip.h>
88941+#include <linux/udp.h>
88942+#include <linux/types.h>
88943+#include <linux/sched.h>
88944+#include <linux/netdevice.h>
88945+#include <linux/inetdevice.h>
88946+#include <linux/gracl.h>
88947+#include <linux/grsecurity.h>
88948+#include <linux/grinternal.h>
88949+
88950+#define GR_BIND 0x01
88951+#define GR_CONNECT 0x02
88952+#define GR_INVERT 0x04
88953+#define GR_BINDOVERRIDE 0x08
88954+#define GR_CONNECTOVERRIDE 0x10
88955+#define GR_SOCK_FAMILY 0x20
88956+
88957+static const char * gr_protocols[IPPROTO_MAX] = {
88958+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
88959+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
88960+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
88961+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
88962+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
88963+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
88964+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
88965+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
88966+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
88967+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
88968+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
88969+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
88970+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
88971+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
88972+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
88973+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
88974+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
88975+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
88976+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
88977+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
88978+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
88979+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
88980+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
88981+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
88982+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
88983+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
88984+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
88985+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
88986+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
88987+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
88988+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
88989+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
88990+ };
88991+
88992+static const char * gr_socktypes[SOCK_MAX] = {
88993+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
88994+ "unknown:7", "unknown:8", "unknown:9", "packet"
88995+ };
88996+
88997+static const char * gr_sockfamilies[AF_MAX+1] = {
88998+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
88999+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
89000+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
89001+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf", "alg", "nfc", "vsock"
89002+ };
89003+
89004+const char *
89005+gr_proto_to_name(unsigned char proto)
89006+{
89007+ return gr_protocols[proto];
89008+}
89009+
89010+const char *
89011+gr_socktype_to_name(unsigned char type)
89012+{
89013+ return gr_socktypes[type];
89014+}
89015+
89016+const char *
89017+gr_sockfamily_to_name(unsigned char family)
89018+{
89019+ return gr_sockfamilies[family];
89020+}
89021+
89022+extern const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
89023+
89024+int
89025+gr_search_socket(const int domain, const int type, const int protocol)
89026+{
89027+ struct acl_subject_label *curr;
89028+ const struct cred *cred = current_cred();
89029+
89030+ if (unlikely(!gr_acl_is_enabled()))
89031+ goto exit;
89032+
89033+ if ((domain < 0) || (type < 0) || (protocol < 0) ||
89034+ (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
89035+ goto exit; // let the kernel handle it
89036+
89037+ curr = current->acl;
89038+
89039+ if (curr->sock_families[domain / 32] & (1U << (domain % 32))) {
89040+ /* the family is allowed, if this is PF_INET allow it only if
89041+ the extra sock type/protocol checks pass */
89042+ if (domain == PF_INET)
89043+ goto inet_check;
89044+ goto exit;
89045+ } else {
89046+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89047+ __u32 fakeip = 0;
89048+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89049+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89050+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89051+ gr_to_filename(current->exec_file->f_path.dentry,
89052+ current->exec_file->f_path.mnt) :
89053+ curr->filename, curr->filename,
89054+ &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
89055+ &current->signal->saved_ip);
89056+ goto exit;
89057+ }
89058+ goto exit_fail;
89059+ }
89060+
89061+inet_check:
89062+ /* the rest of this checking is for IPv4 only */
89063+ if (!curr->ips)
89064+ goto exit;
89065+
89066+ if ((curr->ip_type & (1U << type)) &&
89067+ (curr->ip_proto[protocol / 32] & (1U << (protocol % 32))))
89068+ goto exit;
89069+
89070+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89071+ /* we don't place acls on raw sockets , and sometimes
89072+ dgram/ip sockets are opened for ioctl and not
89073+ bind/connect, so we'll fake a bind learn log */
89074+ if (type == SOCK_RAW || type == SOCK_PACKET) {
89075+ __u32 fakeip = 0;
89076+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89077+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89078+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89079+ gr_to_filename(current->exec_file->f_path.dentry,
89080+ current->exec_file->f_path.mnt) :
89081+ curr->filename, curr->filename,
89082+ &fakeip, 0, type,
89083+ protocol, GR_CONNECT, &current->signal->saved_ip);
89084+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
89085+ __u32 fakeip = 0;
89086+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89087+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89088+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89089+ gr_to_filename(current->exec_file->f_path.dentry,
89090+ current->exec_file->f_path.mnt) :
89091+ curr->filename, curr->filename,
89092+ &fakeip, 0, type,
89093+ protocol, GR_BIND, &current->signal->saved_ip);
89094+ }
89095+ /* we'll log when they use connect or bind */
89096+ goto exit;
89097+ }
89098+
89099+exit_fail:
89100+ if (domain == PF_INET)
89101+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
89102+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
89103+ else if (rcu_access_pointer(net_families[domain]) != NULL)
89104+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
89105+ gr_socktype_to_name(type), protocol);
89106+
89107+ return 0;
89108+exit:
89109+ return 1;
89110+}
89111+
89112+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
89113+{
89114+ if ((ip->mode & mode) &&
89115+ (ip_port >= ip->low) &&
89116+ (ip_port <= ip->high) &&
89117+ ((ntohl(ip_addr) & our_netmask) ==
89118+ (ntohl(our_addr) & our_netmask))
89119+ && (ip->proto[protocol / 32] & (1U << (protocol % 32)))
89120+ && (ip->type & (1U << type))) {
89121+ if (ip->mode & GR_INVERT)
89122+ return 2; // specifically denied
89123+ else
89124+ return 1; // allowed
89125+ }
89126+
89127+ return 0; // not specifically allowed, may continue parsing
89128+}
89129+
89130+static int
89131+gr_search_connectbind(const int full_mode, struct sock *sk,
89132+ struct sockaddr_in *addr, const int type)
89133+{
89134+ char iface[IFNAMSIZ] = {0};
89135+ struct acl_subject_label *curr;
89136+ struct acl_ip_label *ip;
89137+ struct inet_sock *isk;
89138+ struct net_device *dev;
89139+ struct in_device *idev;
89140+ unsigned long i;
89141+ int ret;
89142+ int mode = full_mode & (GR_BIND | GR_CONNECT);
89143+ __u32 ip_addr = 0;
89144+ __u32 our_addr;
89145+ __u32 our_netmask;
89146+ char *p;
89147+ __u16 ip_port = 0;
89148+ const struct cred *cred = current_cred();
89149+
89150+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
89151+ return 0;
89152+
89153+ curr = current->acl;
89154+ isk = inet_sk(sk);
89155+
89156+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
89157+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
89158+ addr->sin_addr.s_addr = curr->inaddr_any_override;
89159+ if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
89160+ struct sockaddr_in saddr;
89161+ int err;
89162+
89163+ saddr.sin_family = AF_INET;
89164+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
89165+ saddr.sin_port = isk->inet_sport;
89166+
89167+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
89168+ if (err)
89169+ return err;
89170+
89171+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
89172+ if (err)
89173+ return err;
89174+ }
89175+
89176+ if (!curr->ips)
89177+ return 0;
89178+
89179+ ip_addr = addr->sin_addr.s_addr;
89180+ ip_port = ntohs(addr->sin_port);
89181+
89182+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89183+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89184+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89185+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89186+ gr_to_filename(current->exec_file->f_path.dentry,
89187+ current->exec_file->f_path.mnt) :
89188+ curr->filename, curr->filename,
89189+ &ip_addr, ip_port, type,
89190+ sk->sk_protocol, mode, &current->signal->saved_ip);
89191+ return 0;
89192+ }
89193+
89194+ for (i = 0; i < curr->ip_num; i++) {
89195+ ip = *(curr->ips + i);
89196+ if (ip->iface != NULL) {
89197+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
89198+ p = strchr(iface, ':');
89199+ if (p != NULL)
89200+ *p = '\0';
89201+ dev = dev_get_by_name(sock_net(sk), iface);
89202+ if (dev == NULL)
89203+ continue;
89204+ idev = in_dev_get(dev);
89205+ if (idev == NULL) {
89206+ dev_put(dev);
89207+ continue;
89208+ }
89209+ rcu_read_lock();
89210+ for_ifa(idev) {
89211+ if (!strcmp(ip->iface, ifa->ifa_label)) {
89212+ our_addr = ifa->ifa_address;
89213+ our_netmask = 0xffffffff;
89214+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
89215+ if (ret == 1) {
89216+ rcu_read_unlock();
89217+ in_dev_put(idev);
89218+ dev_put(dev);
89219+ return 0;
89220+ } else if (ret == 2) {
89221+ rcu_read_unlock();
89222+ in_dev_put(idev);
89223+ dev_put(dev);
89224+ goto denied;
89225+ }
89226+ }
89227+ } endfor_ifa(idev);
89228+ rcu_read_unlock();
89229+ in_dev_put(idev);
89230+ dev_put(dev);
89231+ } else {
89232+ our_addr = ip->addr;
89233+ our_netmask = ip->netmask;
89234+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
89235+ if (ret == 1)
89236+ return 0;
89237+ else if (ret == 2)
89238+ goto denied;
89239+ }
89240+ }
89241+
89242+denied:
89243+ if (mode == GR_BIND)
89244+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
89245+ else if (mode == GR_CONNECT)
89246+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
89247+
89248+ return -EACCES;
89249+}
89250+
89251+int
89252+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
89253+{
89254+ /* always allow disconnection of dgram sockets with connect */
89255+ if (addr->sin_family == AF_UNSPEC)
89256+ return 0;
89257+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
89258+}
89259+
89260+int
89261+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
89262+{
89263+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
89264+}
89265+
89266+int gr_search_listen(struct socket *sock)
89267+{
89268+ struct sock *sk = sock->sk;
89269+ struct sockaddr_in addr;
89270+
89271+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
89272+ addr.sin_port = inet_sk(sk)->inet_sport;
89273+
89274+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
89275+}
89276+
89277+int gr_search_accept(struct socket *sock)
89278+{
89279+ struct sock *sk = sock->sk;
89280+ struct sockaddr_in addr;
89281+
89282+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
89283+ addr.sin_port = inet_sk(sk)->inet_sport;
89284+
89285+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
89286+}
89287+
89288+int
89289+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
89290+{
89291+ if (addr)
89292+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
89293+ else {
89294+ struct sockaddr_in sin;
89295+ const struct inet_sock *inet = inet_sk(sk);
89296+
89297+ sin.sin_addr.s_addr = inet->inet_daddr;
89298+ sin.sin_port = inet->inet_dport;
89299+
89300+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
89301+ }
89302+}
89303+
89304+int
89305+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
89306+{
89307+ struct sockaddr_in sin;
89308+
89309+ if (unlikely(skb->len < sizeof (struct udphdr)))
89310+ return 0; // skip this packet
89311+
89312+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
89313+ sin.sin_port = udp_hdr(skb)->source;
89314+
89315+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
89316+}
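diff --git a/grsecurity/gracl_learn.c b/grsecurity/gracl_learn.c
new file mode 100644
index 0000000..25f54ef
--- /dev/null
+++ b/grsecurity/gracl_learn.c
@@ -0,0 +1,207 @@
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/sched.h>
+#include <linux/poll.h>
+#include <linux/string.h>
+#include <linux/file.h>
+#include <linux/types.h>
+#include <linux/vmalloc.h>
+#include <linux/grinternal.h>
+
+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
+ size_t count, loff_t *ppos);
+extern int gr_acl_is_enabled(void);
+
+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
+static int gr_learn_attached;
+
+/* use a 512k buffer */
+#define LEARN_BUFFER_SIZE (512 * 1024)
+
+static DEFINE_SPINLOCK(gr_learn_lock);
+static DEFINE_MUTEX(gr_learn_user_mutex);
+
+/* we need to maintain two buffers, so that the kernel context of grlearn
+ uses a semaphore around the userspace copying, and the other kernel contexts
+ use a spinlock when copying into the buffer, since they cannot sleep
+*/
+static char *learn_buffer;
+static char *learn_buffer_user;
+static int learn_buffer_len;
+static int learn_buffer_user_len;
+
+static ssize_t
+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
+{
+ DECLARE_WAITQUEUE(wait, current);
+ ssize_t retval = 0;
+
+ add_wait_queue(&learn_wait, &wait);
+ set_current_state(TASK_INTERRUPTIBLE);
+ do {
+ mutex_lock(&gr_learn_user_mutex);
+ spin_lock(&gr_learn_lock);
+ if (learn_buffer_len)
+ break;
+ spin_unlock(&gr_learn_lock);
+ mutex_unlock(&gr_learn_user_mutex);
+ if (file->f_flags & O_NONBLOCK) {
+ retval = -EAGAIN;
+ goto out;
+ }
+ if (signal_pending(current)) {
+ retval = -ERESTARTSYS;
+ goto out;
+ }
+
+ schedule();
+ } while (1);
+
+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
+ learn_buffer_user_len = learn_buffer_len;
+ retval = learn_buffer_len;
+ learn_buffer_len = 0;
+
+ spin_unlock(&gr_learn_lock);
+
+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
+ retval = -EFAULT;
+
+ mutex_unlock(&gr_learn_user_mutex);
+out:
+ set_current_state(TASK_RUNNING);
+ remove_wait_queue(&learn_wait, &wait);
+ return retval;
+}
+
+static unsigned int
+poll_learn(struct file * file, poll_table * wait)
+{
+ poll_wait(file, &learn_wait, wait);
+
+ if (learn_buffer_len)
+ return (POLLIN | POLLRDNORM);
+
+ return 0;
+}
+
+void
+gr_clear_learn_entries(void)
+{
+ char *tmp;
+
+ mutex_lock(&gr_learn_user_mutex);
+ spin_lock(&gr_learn_lock);
+ tmp = learn_buffer;
+ learn_buffer = NULL;
+ spin_unlock(&gr_learn_lock);
+ if (tmp)
+ vfree(tmp);
+ if (learn_buffer_user != NULL) {
+ vfree(learn_buffer_user);
+ learn_buffer_user = NULL;
+ }
+ learn_buffer_len = 0;
+ mutex_unlock(&gr_learn_user_mutex);
+
+ return;
+}
+
+void
+gr_add_learn_entry(const char *fmt, ...)
+{
+ va_list args;
+ unsigned int len;
+
+ if (!gr_learn_attached)
+ return;
+
+ spin_lock(&gr_learn_lock);
+
+ /* leave a gap at the end so we know when it's "full" but don't have to
+ compute the exact length of the string we're trying to append
+ */
+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
+ spin_unlock(&gr_learn_lock);
+ wake_up_interruptible(&learn_wait);
+ return;
+ }
+ if (learn_buffer == NULL) {
+ spin_unlock(&gr_learn_lock);
+ return;
+ }
+
+ va_start(args, fmt);
+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
+ va_end(args);
+
+ learn_buffer_len += len + 1;
+
+ spin_unlock(&gr_learn_lock);
+ wake_up_interruptible(&learn_wait);
+
+ return;
+}
+
+static int
+open_learn(struct inode *inode, struct file *file)
+{
+ if (file->f_mode & FMODE_READ && gr_learn_attached)
+ return -EBUSY;
+ if (file->f_mode & FMODE_READ) {
+ int retval = 0;
+ mutex_lock(&gr_learn_user_mutex);
+ if (learn_buffer == NULL)
+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
+ if (learn_buffer_user == NULL)
+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
+ if (learn_buffer == NULL) {
+ retval = -ENOMEM;
+ goto out_error;
+ }
+ if (learn_buffer_user == NULL) {
+ retval = -ENOMEM;
+ goto out_error;
+ }
+ learn_buffer_len = 0;
+ learn_buffer_user_len = 0;
+ gr_learn_attached = 1;
+out_error:
+ mutex_unlock(&gr_learn_user_mutex);
+ return retval;
+ }
+ return 0;
+}
+
+static int
+close_learn(struct inode *inode, struct file *file)
+{
+ if (file->f_mode & FMODE_READ) {
+ char *tmp = NULL;
+ mutex_lock(&gr_learn_user_mutex);
+ spin_lock(&gr_learn_lock);
+ tmp = learn_buffer;
+ learn_buffer = NULL;
+ spin_unlock(&gr_learn_lock);
+ if (tmp)
+ vfree(tmp);
+ if (learn_buffer_user != NULL) {
+ vfree(learn_buffer_user);
+ learn_buffer_user = NULL;
+ }
+ learn_buffer_len = 0;
+ learn_buffer_user_len = 0;
+ gr_learn_attached = 0;
+ mutex_unlock(&gr_learn_user_mutex);
+ }
+
+ return 0;
+}
+
+const struct file_operations grsec_fops = {
+ .read = read_learn,
+ .write = write_grsec_handler,
+ .open = open_learn,
+ .release = close_learn,
+ .poll = poll_learn,
+};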
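Review bot: In gr_add_learn_entry() the return value of vsnprintf() is added to learn_buffer_len unchecked, and vsnprintf() returns the length the output would have had, not the number of bytes stored. The 16384-byte gap only protects the buffer if no formatted entry is ever longer than that, which the callers outside this file would have to guarantee; if one is, learn_buffer_len moves past LEARN_BUFFER_SIZE and the memcpy() in read_learn() then copies that many bytes out of and into the two 512k vmalloc buffers. Using `len = vscnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);` keeps the increment within what was actually written. Separately, read_learn() never compares the pending length with `count` before copy_to_user(), so a reader that passes a buffer smaller than the pending data is written past its end; rejecting the call when `count < learn_buffer_len`, or clamping the copy to `count`, would close that.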
89530diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
89531new file mode 100644
89532index 0000000..0773423
89533--- /dev/null
89534+++ b/grsecurity/gracl_policy.c
89535@@ -0,0 +1,1786 @@
89536+#include <linux/kernel.h>
89537+#include <linux/module.h>
89538+#include <linux/sched.h>
89539+#include <linux/mm.h>
89540+#include <linux/file.h>
89541+#include <linux/fs.h>
89542+#include <linux/namei.h>
89543+#include <linux/mount.h>
89544+#include <linux/tty.h>
89545+#include <linux/proc_fs.h>
89546+#include <linux/lglock.h>
89547+#include <linux/slab.h>
89548+#include <linux/vmalloc.h>
89549+#include <linux/types.h>
89550+#include <linux/sysctl.h>
89551+#include <linux/netdevice.h>
89552+#include <linux/ptrace.h>
89553+#include <linux/gracl.h>
89554+#include <linux/gralloc.h>
89555+#include <linux/security.h>
89556+#include <linux/grinternal.h>
89557+#include <linux/pid_namespace.h>
89558+#include <linux/stop_machine.h>
89559+#include <linux/fdtable.h>
89560+#include <linux/percpu.h>
89561+#include <linux/lglock.h>
89562+#include <linux/hugetlb.h>
89563+#include <linux/posix-timers.h>
89564+#include "../fs/mount.h"
89565+
89566+#include <asm/uaccess.h>
89567+#include <asm/errno.h>
89568+#include <asm/mman.h>
89569+
89570+extern struct gr_policy_state *polstate;
89571+
89572+#define FOR_EACH_ROLE_START(role) \
89573+ role = polstate->role_list; \
89574+ while (role) {
89575+
89576+#define FOR_EACH_ROLE_END(role) \
89577+ role = role->prev; \
89578+ }
89579+
89580+struct path gr_real_root;
89581+
89582+extern struct gr_alloc_state *current_alloc_state;
89583+
89584+u16 acl_sp_role_value;
89585+
89586+static DEFINE_MUTEX(gr_dev_mutex);
89587+
89588+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
89589+extern void gr_clear_learn_entries(void);
89590+
89591+struct gr_arg *gr_usermode __read_only;
89592+unsigned char *gr_system_salt __read_only;
89593+unsigned char *gr_system_sum __read_only;
89594+
89595+static unsigned int gr_auth_attempts = 0;
89596+static unsigned long gr_auth_expires = 0UL;
89597+
89598+struct acl_object_label *fakefs_obj_rw;
89599+struct acl_object_label *fakefs_obj_rwx;
89600+
89601+extern int gr_init_uidset(void);
89602+extern void gr_free_uidset(void);
89603+extern void gr_remove_uid(uid_t uid);
89604+extern int gr_find_uid(uid_t uid);
89605+
89606+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback);
89607+extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj);
89608+extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb);
89609+extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry);
89610+extern struct acl_role_label *__lookup_acl_role_label(const struct gr_policy_state *state, const struct task_struct *task, const uid_t uid, const gid_t gid);
89611+extern void insert_acl_obj_label(struct acl_object_label *obj, struct acl_subject_label *subj);
89612+extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role);
89613+extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name);
89614+extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt);
89615+extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role);
89616+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role);
89617+extern void assign_special_role(const char *rolename);
89618+extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role);
89619+extern int gr_rbac_disable(void *unused);
89620+extern void gr_enable_rbac_system(void);
89621+
89622+static int copy_acl_object_label_normal(struct acl_object_label *obj, const struct acl_object_label *userp)
89623+{
89624+ if (copy_from_user(obj, userp, sizeof(struct acl_object_label)))
89625+ return -EFAULT;
89626+
89627+ return 0;
89628+}
89629+
89630+static int copy_acl_ip_label_normal(struct acl_ip_label *ip, const struct acl_ip_label *userp)
89631+{
89632+ if (copy_from_user(ip, userp, sizeof(struct acl_ip_label)))
89633+ return -EFAULT;
89634+
89635+ return 0;
89636+}
89637+
89638+static int copy_acl_subject_label_normal(struct acl_subject_label *subj, const struct acl_subject_label *userp)
89639+{
89640+ if (copy_from_user(subj, userp, sizeof(struct acl_subject_label)))
89641+ return -EFAULT;
89642+
89643+ return 0;
89644+}
89645+
89646+static int copy_acl_role_label_normal(struct acl_role_label *role, const struct acl_role_label *userp)
89647+{
89648+ if (copy_from_user(role, userp, sizeof(struct acl_role_label)))
89649+ return -EFAULT;
89650+
89651+ return 0;
89652+}
89653+
89654+static int copy_role_allowed_ip_normal(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp)
89655+{
89656+ if (copy_from_user(roleip, userp, sizeof(struct role_allowed_ip)))
89657+ return -EFAULT;
89658+
89659+ return 0;
89660+}
89661+
89662+static int copy_sprole_pw_normal(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp)
89663+{
89664+ if (copy_from_user(pw, userp + idx, sizeof(struct sprole_pw)))
89665+ return -EFAULT;
89666+
89667+ return 0;
89668+}
89669+
89670+static int copy_gr_hash_struct_normal(struct gr_hash_struct *hash, const struct gr_hash_struct *userp)
89671+{
89672+ if (copy_from_user(hash, userp, sizeof(struct gr_hash_struct)))
89673+ return -EFAULT;
89674+
89675+ return 0;
89676+}
89677+
89678+static int copy_role_transition_normal(struct role_transition *trans, const struct role_transition *userp)
89679+{
89680+ if (copy_from_user(trans, userp, sizeof(struct role_transition)))
89681+ return -EFAULT;
89682+
89683+ return 0;
89684+}
89685+
89686+int copy_pointer_from_array_normal(void *ptr, unsigned long idx, const void *userp)
89687+{
89688+ if (copy_from_user(ptr, userp + (idx * sizeof(void *)), sizeof(void *)))
89689+ return -EFAULT;
89690+
89691+ return 0;
89692+}
89693+
89694+static int copy_gr_arg_wrapper_normal(const char __user *buf, struct gr_arg_wrapper *uwrap)
89695+{
89696+ if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper)))
89697+ return -EFAULT;
89698+
89699+ if ((uwrap->version != GRSECURITY_VERSION) ||
89700+ (uwrap->size != sizeof(struct gr_arg)))
89701+ return -EINVAL;
89702+
89703+ return 0;
89704+}
89705+
89706+static int copy_gr_arg_normal(const struct gr_arg __user *buf, struct gr_arg *arg)
89707+{
89708+ if (copy_from_user(arg, buf, sizeof (struct gr_arg)))
89709+ return -EFAULT;
89710+
89711+ return 0;
89712+}
89713+
89714+static size_t get_gr_arg_wrapper_size_normal(void)
89715+{
89716+ return sizeof(struct gr_arg_wrapper);
89717+}
89718+
89719+#ifdef CONFIG_COMPAT
89720+extern int copy_gr_arg_wrapper_compat(const char *buf, struct gr_arg_wrapper *uwrap);
89721+extern int copy_gr_arg_compat(const struct gr_arg __user *buf, struct gr_arg *arg);
89722+extern int copy_acl_object_label_compat(struct acl_object_label *obj, const struct acl_object_label *userp);
89723+extern int copy_acl_subject_label_compat(struct acl_subject_label *subj, const struct acl_subject_label *userp);
89724+extern int copy_acl_role_label_compat(struct acl_role_label *role, const struct acl_role_label *userp);
89725+extern int copy_role_allowed_ip_compat(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp);
89726+extern int copy_role_transition_compat(struct role_transition *trans, const struct role_transition *userp);
89727+extern int copy_gr_hash_struct_compat(struct gr_hash_struct *hash, const struct gr_hash_struct *userp);
89728+extern int copy_pointer_from_array_compat(void *ptr, unsigned long idx, const void *userp);
89729+extern int copy_acl_ip_label_compat(struct acl_ip_label *ip, const struct acl_ip_label *userp);
89730+extern int copy_sprole_pw_compat(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp);
89731+extern size_t get_gr_arg_wrapper_size_compat(void);
89732+
89733+int (* copy_gr_arg_wrapper)(const char *buf, struct gr_arg_wrapper *uwrap) __read_only;
89734+int (* copy_gr_arg)(const struct gr_arg *buf, struct gr_arg *arg) __read_only;
89735+int (* copy_acl_object_label)(struct acl_object_label *obj, const struct acl_object_label *userp) __read_only;
89736+int (* copy_acl_subject_label)(struct acl_subject_label *subj, const struct acl_subject_label *userp) __read_only;
89737+int (* copy_acl_role_label)(struct acl_role_label *role, const struct acl_role_label *userp) __read_only;
89738+int (* copy_acl_ip_label)(struct acl_ip_label *ip, const struct acl_ip_label *userp) __read_only;
89739+int (* copy_pointer_from_array)(void *ptr, unsigned long idx, const void *userp) __read_only;
89740+int (* copy_sprole_pw)(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp) __read_only;
89741+int (* copy_gr_hash_struct)(struct gr_hash_struct *hash, const struct gr_hash_struct *userp) __read_only;
89742+int (* copy_role_transition)(struct role_transition *trans, const struct role_transition *userp) __read_only;
89743+int (* copy_role_allowed_ip)(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp) __read_only;
89744+size_t (* get_gr_arg_wrapper_size)(void) __read_only;
89745+
89746+#else
89747+#define copy_gr_arg_wrapper copy_gr_arg_wrapper_normal
89748+#define copy_gr_arg copy_gr_arg_normal
89749+#define copy_gr_hash_struct copy_gr_hash_struct_normal
89750+#define copy_acl_object_label copy_acl_object_label_normal
89751+#define copy_acl_subject_label copy_acl_subject_label_normal
89752+#define copy_acl_role_label copy_acl_role_label_normal
89753+#define copy_acl_ip_label copy_acl_ip_label_normal
89754+#define copy_pointer_from_array copy_pointer_from_array_normal
89755+#define copy_sprole_pw copy_sprole_pw_normal
89756+#define copy_role_transition copy_role_transition_normal
89757+#define copy_role_allowed_ip copy_role_allowed_ip_normal
89758+#define get_gr_arg_wrapper_size get_gr_arg_wrapper_size_normal
89759+#endif
89760+
89761+static struct acl_subject_label *
89762+lookup_subject_map(const struct acl_subject_label *userp)
89763+{
89764+ unsigned int index = gr_shash(userp, polstate->subj_map_set.s_size);
89765+ struct subject_map *match;
89766+
89767+ match = polstate->subj_map_set.s_hash[index];
89768+
89769+ while (match && match->user != userp)
89770+ match = match->next;
89771+
89772+ if (match != NULL)
89773+ return match->kernel;
89774+ else
89775+ return NULL;
89776+}
89777+
89778+static void
89779+insert_subj_map_entry(struct subject_map *subjmap)
89780+{
89781+ unsigned int index = gr_shash(subjmap->user, polstate->subj_map_set.s_size);
89782+ struct subject_map **curr;
89783+
89784+ subjmap->prev = NULL;
89785+
89786+ curr = &polstate->subj_map_set.s_hash[index];
89787+ if (*curr != NULL)
89788+ (*curr)->prev = subjmap;
89789+
89790+ subjmap->next = *curr;
89791+ *curr = subjmap;
89792+
89793+ return;
89794+}
89795+
89796+static void
89797+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
89798+{
89799+ unsigned int index =
89800+ gr_rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), polstate->acl_role_set.r_size);
89801+ struct acl_role_label **curr;
89802+ struct acl_role_label *tmp, *tmp2;
89803+
89804+ curr = &polstate->acl_role_set.r_hash[index];
89805+
89806+ /* simple case, slot is empty, just set it to our role */
89807+ if (*curr == NULL) {
89808+ *curr = role;
89809+ } else {
89810+ /* example:
89811+ 1 -> 2 -> 3 (adding 2 -> 3 to here)
89812+ 2 -> 3
89813+ */
89814+ /* first check to see if we can already be reached via this slot */
89815+ tmp = *curr;
89816+ while (tmp && tmp != role)
89817+ tmp = tmp->next;
89818+ if (tmp == role) {
89819+ /* we don't need to add ourselves to this slot's chain */
89820+ return;
89821+ }
89822+ /* we need to add ourselves to this chain, two cases */
89823+ if (role->next == NULL) {
89824+ /* simple case, append the current chain to our role */
89825+ role->next = *curr;
89826+ *curr = role;
89827+ } else {
89828+ /* 1 -> 2 -> 3 -> 4
89829+ 2 -> 3 -> 4
89830+ 3 -> 4 (adding 1 -> 2 -> 3 -> 4 to here)
89831+ */
89832+ /* trickier case: walk our role's chain until we find
89833+ the role for the start of the current slot's chain */
89834+ tmp = role;
89835+ tmp2 = *curr;
89836+ while (tmp->next && tmp->next != tmp2)
89837+ tmp = tmp->next;
89838+ if (tmp->next == tmp2) {
89839+ /* from example above, we found 3, so just
89840+ replace this slot's chain with ours */
89841+ *curr = role;
89842+ } else {
89843+ /* we didn't find a subset of our role's chain
89844+ in the current slot's chain, so append their
89845+ chain to ours, and set us as the first role in
89846+ the slot's chain
89847+
89848+ we could fold this case with the case above,
89849+ but making it explicit for clarity
89850+ */
89851+ tmp->next = tmp2;
89852+ *curr = role;
89853+ }
89854+ }
89855+ }
89856+
89857+ return;
89858+}
89859+
89860+static void
89861+insert_acl_role_label(struct acl_role_label *role)
89862+{
89863+ int i;
89864+
89865+ if (polstate->role_list == NULL) {
89866+ polstate->role_list = role;
89867+ role->prev = NULL;
89868+ } else {
89869+ role->prev = polstate->role_list;
89870+ polstate->role_list = role;
89871+ }
89872+
89873+ /* used for hash chains */
89874+ role->next = NULL;
89875+
89876+ if (role->roletype & GR_ROLE_DOMAIN) {
89877+ for (i = 0; i < role->domain_child_num; i++)
89878+ __insert_acl_role_label(role, role->domain_children[i]);
89879+ } else
89880+ __insert_acl_role_label(role, role->uidgid);
89881+}
89882+
89883+static int
89884+insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted)
89885+{
89886+ struct name_entry **curr, *nentry;
89887+ struct inodev_entry *ientry;
89888+ unsigned int len = strlen(name);
89889+ unsigned int key = full_name_hash(name, len);
89890+ unsigned int index = key % polstate->name_set.n_size;
89891+
89892+ curr = &polstate->name_set.n_hash[index];
89893+
89894+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
89895+ curr = &((*curr)->next);
89896+
89897+ if (*curr != NULL)
89898+ return 1;
89899+
89900+ nentry = acl_alloc(sizeof (struct name_entry));
89901+ if (nentry == NULL)
89902+ return 0;
89903+ ientry = acl_alloc(sizeof (struct inodev_entry));
89904+ if (ientry == NULL)
89905+ return 0;
89906+ ientry->nentry = nentry;
89907+
89908+ nentry->key = key;
89909+ nentry->name = name;
89910+ nentry->inode = inode;
89911+ nentry->device = device;
89912+ nentry->len = len;
89913+ nentry->deleted = deleted;
89914+
89915+ nentry->prev = NULL;
89916+ curr = &polstate->name_set.n_hash[index];
89917+ if (*curr != NULL)
89918+ (*curr)->prev = nentry;
89919+ nentry->next = *curr;
89920+ *curr = nentry;
89921+
89922+ /* insert us into the table searchable by inode/dev */
89923+ __insert_inodev_entry(polstate, ientry);
89924+
89925+ return 1;
89926+}
89927+
89928+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
89929+
89930+static void *
89931+create_table(__u32 * len, int elementsize)
89932+{
89933+ unsigned int table_sizes[] = {
89934+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
89935+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
89936+ 4194301, 8388593, 16777213, 33554393, 67108859
89937+ };
89938+ void *newtable = NULL;
89939+ unsigned int pwr = 0;
89940+
89941+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
89942+ table_sizes[pwr] <= *len)
89943+ pwr++;
89944+
89945+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
89946+ return newtable;
89947+
89948+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
89949+ newtable =
89950+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
89951+ else
89952+ newtable = vmalloc(table_sizes[pwr] * elementsize);
89953+
89954+ *len = table_sizes[pwr];
89955+
89956+ return newtable;
89957+}
89958+
89959+static int
89960+init_variables(const struct gr_arg *arg, bool reload)
89961+{
89962+ struct task_struct *reaper = init_pid_ns.child_reaper;
89963+ unsigned int stacksize;
89964+
89965+ polstate->subj_map_set.s_size = arg->role_db.num_subjects;
89966+ polstate->acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
89967+ polstate->name_set.n_size = arg->role_db.num_objects;
89968+ polstate->inodev_set.i_size = arg->role_db.num_objects;
89969+
89970+ if (!polstate->subj_map_set.s_size || !polstate->acl_role_set.r_size ||
89971+ !polstate->name_set.n_size || !polstate->inodev_set.i_size)
89972+ return 1;
89973+
89974+ if (!reload) {
89975+ if (!gr_init_uidset())
89976+ return 1;
89977+ }
89978+
89979+ /* set up the stack that holds allocation info */
89980+
89981+ stacksize = arg->role_db.num_pointers + 5;
89982+
89983+ if (!acl_alloc_stack_init(stacksize))
89984+ return 1;
89985+
89986+ if (!reload) {
89987+ /* grab reference for the real root dentry and vfsmount */
89988+ get_fs_root(reaper->fs, &gr_real_root);
89989+
89990+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
89991+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", gr_get_dev_from_dentry(gr_real_root.dentry), gr_get_ino_from_dentry(gr_real_root.dentry));
89992+#endif
89993+
89994+ fakefs_obj_rw = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL);
89995+ if (fakefs_obj_rw == NULL)
89996+ return 1;
89997+ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
89998+
89999+ fakefs_obj_rwx = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL);
90000+ if (fakefs_obj_rwx == NULL)
90001+ return 1;
90002+ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
90003+ }
90004+
90005+ polstate->subj_map_set.s_hash =
90006+ (struct subject_map **) create_table(&polstate->subj_map_set.s_size, sizeof(void *));
90007+ polstate->acl_role_set.r_hash =
90008+ (struct acl_role_label **) create_table(&polstate->acl_role_set.r_size, sizeof(void *));
90009+ polstate->name_set.n_hash = (struct name_entry **) create_table(&polstate->name_set.n_size, sizeof(void *));
90010+ polstate->inodev_set.i_hash =
90011+ (struct inodev_entry **) create_table(&polstate->inodev_set.i_size, sizeof(void *));
90012+
90013+ if (!polstate->subj_map_set.s_hash || !polstate->acl_role_set.r_hash ||
90014+ !polstate->name_set.n_hash || !polstate->inodev_set.i_hash)
90015+ return 1;
90016+
90017+ memset(polstate->subj_map_set.s_hash, 0,
90018+ sizeof(struct subject_map *) * polstate->subj_map_set.s_size);
90019+ memset(polstate->acl_role_set.r_hash, 0,
90020+ sizeof (struct acl_role_label *) * polstate->acl_role_set.r_size);
90021+ memset(polstate->name_set.n_hash, 0,
90022+ sizeof (struct name_entry *) * polstate->name_set.n_size);
90023+ memset(polstate->inodev_set.i_hash, 0,
90024+ sizeof (struct inodev_entry *) * polstate->inodev_set.i_size);
90025+
90026+ return 0;
90027+}
90028+
90029+/* free information not needed after startup
90030+ currently contains user->kernel pointer mappings for subjects
90031+*/
90032+
90033+static void
90034+free_init_variables(void)
90035+{
90036+ __u32 i;
90037+
90038+ if (polstate->subj_map_set.s_hash) {
90039+ for (i = 0; i < polstate->subj_map_set.s_size; i++) {
90040+ if (polstate->subj_map_set.s_hash[i]) {
90041+ kfree(polstate->subj_map_set.s_hash[i]);
90042+ polstate->subj_map_set.s_hash[i] = NULL;
90043+ }
90044+ }
90045+
90046+ if ((polstate->subj_map_set.s_size * sizeof (struct subject_map *)) <=
90047+ PAGE_SIZE)
90048+ kfree(polstate->subj_map_set.s_hash);
90049+ else
90050+ vfree(polstate->subj_map_set.s_hash);
90051+ }
90052+
90053+ return;
90054+}
90055+
90056+static void
90057+free_variables(bool reload)
90058+{
90059+ struct acl_subject_label *s;
90060+ struct acl_role_label *r;
90061+ struct task_struct *task, *task2;
90062+ unsigned int x;
90063+
90064+ if (!reload) {
90065+ gr_clear_learn_entries();
90066+
90067+ read_lock(&tasklist_lock);
90068+ do_each_thread(task2, task) {
90069+ task->acl_sp_role = 0;
90070+ task->acl_role_id = 0;
90071+ task->inherited = 0;
90072+ task->acl = NULL;
90073+ task->role = NULL;
90074+ } while_each_thread(task2, task);
90075+ read_unlock(&tasklist_lock);
90076+
90077+ kfree(fakefs_obj_rw);
90078+ fakefs_obj_rw = NULL;
90079+ kfree(fakefs_obj_rwx);
90080+ fakefs_obj_rwx = NULL;
90081+
90082+ /* release the reference to the real root dentry and vfsmount */
90083+ path_put(&gr_real_root);
90084+ memset(&gr_real_root, 0, sizeof(gr_real_root));
90085+ }
90086+
90087+ /* free all object hash tables */
90088+
90089+ FOR_EACH_ROLE_START(r)
90090+ if (r->subj_hash == NULL)
90091+ goto next_role;
90092+ FOR_EACH_SUBJECT_START(r, s, x)
90093+ if (s->obj_hash == NULL)
90094+ break;
90095+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
90096+ kfree(s->obj_hash);
90097+ else
90098+ vfree(s->obj_hash);
90099+ FOR_EACH_SUBJECT_END(s, x)
90100+ FOR_EACH_NESTED_SUBJECT_START(r, s)
90101+ if (s->obj_hash == NULL)
90102+ break;
90103+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
90104+ kfree(s->obj_hash);
90105+ else
90106+ vfree(s->obj_hash);
90107+ FOR_EACH_NESTED_SUBJECT_END(s)
90108+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
90109+ kfree(r->subj_hash);
90110+ else
90111+ vfree(r->subj_hash);
90112+ r->subj_hash = NULL;
90113+next_role:
90114+ FOR_EACH_ROLE_END(r)
90115+
90116+ acl_free_all();
90117+
90118+ if (polstate->acl_role_set.r_hash) {
90119+ if ((polstate->acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
90120+ PAGE_SIZE)
90121+ kfree(polstate->acl_role_set.r_hash);
90122+ else
90123+ vfree(polstate->acl_role_set.r_hash);
90124+ }
90125+ if (polstate->name_set.n_hash) {
90126+ if ((polstate->name_set.n_size * sizeof (struct name_entry *)) <=
90127+ PAGE_SIZE)
90128+ kfree(polstate->name_set.n_hash);
90129+ else
90130+ vfree(polstate->name_set.n_hash);
90131+ }
90132+
90133+ if (polstate->inodev_set.i_hash) {
90134+ if ((polstate->inodev_set.i_size * sizeof (struct inodev_entry *)) <=
90135+ PAGE_SIZE)
90136+ kfree(polstate->inodev_set.i_hash);
90137+ else
90138+ vfree(polstate->inodev_set.i_hash);
90139+ }
90140+
90141+ if (!reload)
90142+ gr_free_uidset();
90143+
90144+ memset(&polstate->name_set, 0, sizeof (struct name_db));
90145+ memset(&polstate->inodev_set, 0, sizeof (struct inodev_db));
90146+ memset(&polstate->acl_role_set, 0, sizeof (struct acl_role_db));
90147+ memset(&polstate->subj_map_set, 0, sizeof (struct acl_subj_map_db));
90148+
90149+ polstate->default_role = NULL;
90150+ polstate->kernel_role = NULL;
90151+ polstate->role_list = NULL;
90152+
90153+ return;
90154+}
90155+
90156+static struct acl_subject_label *
90157+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
90158+
90159+static int alloc_and_copy_string(char **name, unsigned int maxlen)
90160+{
90161+ unsigned int len = strnlen_user(*name, maxlen);
90162+ char *tmp;
90163+
90164+ if (!len || len >= maxlen)
90165+ return -EINVAL;
90166+
90167+ if ((tmp = (char *) acl_alloc(len)) == NULL)
90168+ return -ENOMEM;
90169+
90170+ if (copy_from_user(tmp, *name, len))
90171+ return -EFAULT;
90172+
90173+ tmp[len-1] = '\0';
90174+ *name = tmp;
90175+
90176+ return 0;
90177+}
90178+
90179+static int
90180+copy_user_glob(struct acl_object_label *obj)
90181+{
90182+ struct acl_object_label *g_tmp, **guser;
90183+ int error;
90184+
90185+ if (obj->globbed == NULL)
90186+ return 0;
90187+
90188+ guser = &obj->globbed;
90189+ while (*guser) {
90190+ g_tmp = (struct acl_object_label *)
90191+ acl_alloc(sizeof (struct acl_object_label));
90192+ if (g_tmp == NULL)
90193+ return -ENOMEM;
90194+
90195+ if (copy_acl_object_label(g_tmp, *guser))
90196+ return -EFAULT;
90197+
90198+ error = alloc_and_copy_string(&g_tmp->filename, PATH_MAX);
90199+ if (error)
90200+ return error;
90201+
90202+ *guser = g_tmp;
90203+ guser = &(g_tmp->next);
90204+ }
90205+
90206+ return 0;
90207+}
90208+
90209+static int
90210+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
90211+ struct acl_role_label *role)
90212+{
90213+ struct acl_object_label *o_tmp;
90214+ int ret;
90215+
90216+ while (userp) {
90217+ if ((o_tmp = (struct acl_object_label *)
90218+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
90219+ return -ENOMEM;
90220+
90221+ if (copy_acl_object_label(o_tmp, userp))
90222+ return -EFAULT;
90223+
90224+ userp = o_tmp->prev;
90225+
90226+ ret = alloc_and_copy_string(&o_tmp->filename, PATH_MAX);
90227+ if (ret)
90228+ return ret;
90229+
90230+ insert_acl_obj_label(o_tmp, subj);
90231+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
90232+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
90233+ return -ENOMEM;
90234+
90235+ ret = copy_user_glob(o_tmp);
90236+ if (ret)
90237+ return ret;
90238+
90239+ if (o_tmp->nested) {
90240+ int already_copied;
90241+
90242+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
90243+ if (IS_ERR(o_tmp->nested))
90244+ return PTR_ERR(o_tmp->nested);
90245+
90246+ /* insert into nested subject list if we haven't copied this one yet
90247+ to prevent duplicate entries */
90248+ if (!already_copied) {
90249+ o_tmp->nested->next = role->hash->first;
90250+ role->hash->first = o_tmp->nested;
90251+ }
90252+ }
90253+ }
90254+
90255+ return 0;
90256+}
90257+
90258+static __u32
90259+count_user_subjs(struct acl_subject_label *userp)
90260+{
90261+ struct acl_subject_label s_tmp;
90262+ __u32 num = 0;
90263+
90264+ while (userp) {
90265+ if (copy_acl_subject_label(&s_tmp, userp))
90266+ break;
90267+
90268+ userp = s_tmp.prev;
90269+ }
90270+
90271+ return num;
90272+}
90273+
90274+static int
90275+copy_user_allowedips(struct acl_role_label *rolep)
90276+{
90277+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
90278+
90279+ ruserip = rolep->allowed_ips;
90280+
90281+ while (ruserip) {
90282+ rlast = rtmp;
90283+
90284+ if ((rtmp = (struct role_allowed_ip *)
90285+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
90286+ return -ENOMEM;
90287+
90288+ if (copy_role_allowed_ip(rtmp, ruserip))
90289+ return -EFAULT;
90290+
90291+ ruserip = rtmp->prev;
90292+
90293+ if (!rlast) {
90294+ rtmp->prev = NULL;
90295+ rolep->allowed_ips = rtmp;
90296+ } else {
90297+ rlast->next = rtmp;
90298+ rtmp->prev = rlast;
90299+ }
90300+
90301+ if (!ruserip)
90302+ rtmp->next = NULL;
90303+ }
90304+
90305+ return 0;
90306+}
90307+
90308+static int
90309+copy_user_transitions(struct acl_role_label *rolep)
90310+{
90311+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
90312+ int error;
90313+
90314+ rusertp = rolep->transitions;
90315+
90316+ while (rusertp) {
90317+ rlast = rtmp;
90318+
90319+ if ((rtmp = (struct role_transition *)
90320+ acl_alloc(sizeof (struct role_transition))) == NULL)
90321+ return -ENOMEM;
90322+
90323+ if (copy_role_transition(rtmp, rusertp))
90324+ return -EFAULT;
90325+
90326+ rusertp = rtmp->prev;
90327+
90328+ error = alloc_and_copy_string(&rtmp->rolename, GR_SPROLE_LEN);
90329+ if (error)
90330+ return error;
90331+
90332+ if (!rlast) {
90333+ rtmp->prev = NULL;
90334+ rolep->transitions = rtmp;
90335+ } else {
90336+ rlast->next = rtmp;
90337+ rtmp->prev = rlast;
90338+ }
90339+
90340+ if (!rusertp)
90341+ rtmp->next = NULL;
90342+ }
90343+
90344+ return 0;
90345+}
90346+
90347+static __u32 count_user_objs(const struct acl_object_label __user *userp)
90348+{
90349+ struct acl_object_label o_tmp;
90350+ __u32 num = 0;
90351+
90352+ while (userp) {
90353+ if (copy_acl_object_label(&o_tmp, userp))
90354+ break;
90355+
90356+ userp = o_tmp.prev;
90357+ num++;
90358+ }
90359+
90360+ return num;
90361+}
90362+
90363+static struct acl_subject_label *
90364+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
90365+{
90366+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
90367+ __u32 num_objs;
90368+ struct acl_ip_label **i_tmp, *i_utmp2;
90369+ struct gr_hash_struct ghash;
90370+ struct subject_map *subjmap;
90371+ unsigned int i_num;
90372+ int err;
90373+
90374+ if (already_copied != NULL)
90375+ *already_copied = 0;
90376+
90377+ s_tmp = lookup_subject_map(userp);
90378+
90379+ /* we've already copied this subject into the kernel, just return
90380+ the reference to it, and don't copy it over again
90381+ */
90382+ if (s_tmp) {
90383+ if (already_copied != NULL)
90384+ *already_copied = 1;
90385+ return(s_tmp);
90386+ }
90387+
90388+ if ((s_tmp = (struct acl_subject_label *)
90389+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
90390+ return ERR_PTR(-ENOMEM);
90391+
90392+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
90393+ if (subjmap == NULL)
90394+ return ERR_PTR(-ENOMEM);
90395+
90396+ subjmap->user = userp;
90397+ subjmap->kernel = s_tmp;
90398+ insert_subj_map_entry(subjmap);
90399+
90400+ if (copy_acl_subject_label(s_tmp, userp))
90401+ return ERR_PTR(-EFAULT);
90402+
90403+ err = alloc_and_copy_string(&s_tmp->filename, PATH_MAX);
90404+ if (err)
90405+ return ERR_PTR(err);
90406+
90407+ if (!strcmp(s_tmp->filename, "/"))
90408+ role->root_label = s_tmp;
90409+
90410+ if (copy_gr_hash_struct(&ghash, s_tmp->hash))
90411+ return ERR_PTR(-EFAULT);
90412+
90413+ /* copy user and group transition tables */
90414+
90415+ if (s_tmp->user_trans_num) {
90416+ uid_t *uidlist;
90417+
90418+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
90419+ if (uidlist == NULL)
90420+ return ERR_PTR(-ENOMEM);
90421+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
90422+ return ERR_PTR(-EFAULT);
90423+
90424+ s_tmp->user_transitions = uidlist;
90425+ }
90426+
90427+ if (s_tmp->group_trans_num) {
90428+ gid_t *gidlist;
90429+
90430+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
90431+ if (gidlist == NULL)
90432+ return ERR_PTR(-ENOMEM);
90433+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
90434+ return ERR_PTR(-EFAULT);
90435+
90436+ s_tmp->group_transitions = gidlist;
90437+ }
90438+
90439+ /* set up object hash table */
90440+ num_objs = count_user_objs(ghash.first);
90441+
90442+ s_tmp->obj_hash_size = num_objs;
90443+ s_tmp->obj_hash =
90444+ (struct acl_object_label **)
90445+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
90446+
90447+ if (!s_tmp->obj_hash)
90448+ return ERR_PTR(-ENOMEM);
90449+
90450+ memset(s_tmp->obj_hash, 0,
90451+ s_tmp->obj_hash_size *
90452+ sizeof (struct acl_object_label *));
90453+
90454+ /* add in objects */
90455+ err = copy_user_objs(ghash.first, s_tmp, role);
90456+
90457+ if (err)
90458+ return ERR_PTR(err);
90459+
90460+ /* set pointer for parent subject */
90461+ if (s_tmp->parent_subject) {
90462+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
90463+
90464+ if (IS_ERR(s_tmp2))
90465+ return s_tmp2;
90466+
90467+ s_tmp->parent_subject = s_tmp2;
90468+ }
90469+
90470+ /* add in ip acls */
90471+
90472+ if (!s_tmp->ip_num) {
90473+ s_tmp->ips = NULL;
90474+ goto insert;
90475+ }
90476+
90477+ i_tmp =
90478+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
90479+ sizeof (struct acl_ip_label *));
90480+
90481+ if (!i_tmp)
90482+ return ERR_PTR(-ENOMEM);
90483+
90484+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
90485+ *(i_tmp + i_num) =
90486+ (struct acl_ip_label *)
90487+ acl_alloc(sizeof (struct acl_ip_label));
90488+ if (!*(i_tmp + i_num))
90489+ return ERR_PTR(-ENOMEM);
90490+
90491+ if (copy_pointer_from_array(&i_utmp2, i_num, s_tmp->ips))
90492+ return ERR_PTR(-EFAULT);
90493+
90494+ if (copy_acl_ip_label(*(i_tmp + i_num), i_utmp2))
90495+ return ERR_PTR(-EFAULT);
90496+
90497+ if ((*(i_tmp + i_num))->iface == NULL)
90498+ continue;
90499+
90500+ err = alloc_and_copy_string(&(*(i_tmp + i_num))->iface, IFNAMSIZ);
90501+ if (err)
90502+ return ERR_PTR(err);
90503+ }
90504+
90505+ s_tmp->ips = i_tmp;
90506+
90507+insert:
90508+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
90509+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
90510+ return ERR_PTR(-ENOMEM);
90511+
90512+ return s_tmp;
90513+}
90514+
90515+static int
90516+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
90517+{
90518+ struct acl_subject_label s_pre;
90519+ struct acl_subject_label * ret;
90520+ int err;
90521+
90522+ while (userp) {
90523+ if (copy_acl_subject_label(&s_pre, userp))
90524+ return -EFAULT;
90525+
90526+ ret = do_copy_user_subj(userp, role, NULL);
90527+
90528+ err = PTR_ERR(ret);
90529+ if (IS_ERR(ret))
90530+ return err;
90531+
90532+ insert_acl_subj_label(ret, role);
90533+
90534+ userp = s_pre.prev;
90535+ }
90536+
90537+ return 0;
90538+}
90539+
90540+static int
90541+copy_user_acl(struct gr_arg *arg)
90542+{
90543+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
90544+ struct acl_subject_label *subj_list;
90545+ struct sprole_pw *sptmp;
90546+ struct gr_hash_struct *ghash;
90547+ uid_t *domainlist;
90548+ unsigned int r_num;
90549+ int err = 0;
90550+ __u16 i;
90551+ __u32 num_subjs;
90552+
90553+ /* we need a default and kernel role */
90554+ if (arg->role_db.num_roles < 2)
90555+ return -EINVAL;
90556+
90557+ /* copy special role authentication info from userspace */
90558+
90559+ polstate->num_sprole_pws = arg->num_sprole_pws;
90560+ polstate->acl_special_roles = (struct sprole_pw **) acl_alloc_num(polstate->num_sprole_pws, sizeof(struct sprole_pw *));
90561+
90562+ if (!polstate->acl_special_roles && polstate->num_sprole_pws)
90563+ return -ENOMEM;
90564+
90565+ for (i = 0; i < polstate->num_sprole_pws; i++) {
90566+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
90567+ if (!sptmp)
90568+ return -ENOMEM;
90569+ if (copy_sprole_pw(sptmp, i, arg->sprole_pws))
90570+ return -EFAULT;
90571+
90572+ err = alloc_and_copy_string((char **)&sptmp->rolename, GR_SPROLE_LEN);
90573+ if (err)
90574+ return err;
90575+
90576+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
90577+ printk(KERN_ALERT "Copying special role %s\n", sptmp->rolename);
90578+#endif
90579+
90580+ polstate->acl_special_roles[i] = sptmp;
90581+ }
90582+
90583+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
90584+
90585+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
90586+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
90587+
90588+ if (!r_tmp)
90589+ return -ENOMEM;
90590+
90591+ if (copy_pointer_from_array(&r_utmp2, r_num, r_utmp))
90592+ return -EFAULT;
90593+
90594+ if (copy_acl_role_label(r_tmp, r_utmp2))
90595+ return -EFAULT;
90596+
90597+ err = alloc_and_copy_string(&r_tmp->rolename, GR_SPROLE_LEN);
90598+ if (err)
90599+ return err;
90600+
90601+ if (!strcmp(r_tmp->rolename, "default")
90602+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
90603+ polstate->default_role = r_tmp;
90604+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
90605+ polstate->kernel_role = r_tmp;
90606+ }
90607+
90608+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL)
90609+ return -ENOMEM;
90610+
90611+ if (copy_gr_hash_struct(ghash, r_tmp->hash))
90612+ return -EFAULT;
90613+
90614+ r_tmp->hash = ghash;
90615+
90616+ num_subjs = count_user_subjs(r_tmp->hash->first);
90617+
90618+ r_tmp->subj_hash_size = num_subjs;
90619+ r_tmp->subj_hash =
90620+ (struct acl_subject_label **)
90621+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
90622+
90623+ if (!r_tmp->subj_hash)
90624+ return -ENOMEM;
90625+
90626+ err = copy_user_allowedips(r_tmp);
90627+ if (err)
90628+ return err;
90629+
90630+ /* copy domain info */
90631+ if (r_tmp->domain_children != NULL) {
90632+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
90633+ if (domainlist == NULL)
90634+ return -ENOMEM;
90635+
90636+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t)))
90637+ return -EFAULT;
90638+
90639+ r_tmp->domain_children = domainlist;
90640+ }
90641+
90642+ err = copy_user_transitions(r_tmp);
90643+ if (err)
90644+ return err;
90645+
90646+ memset(r_tmp->subj_hash, 0,
90647+ r_tmp->subj_hash_size *
90648+ sizeof (struct acl_subject_label *));
90649+
90650+ /* acquire the list of subjects, then NULL out
90651+ the list prior to parsing the subjects for this role,
90652+ as during this parsing the list is replaced with a list
90653+ of *nested* subjects for the role
90654+ */
90655+ subj_list = r_tmp->hash->first;
90656+
90657+ /* set nested subject list to null */
90658+ r_tmp->hash->first = NULL;
90659+
90660+ err = copy_user_subjs(subj_list, r_tmp);
90661+
90662+ if (err)
90663+ return err;
90664+
90665+ insert_acl_role_label(r_tmp);
90666+ }
90667+
90668+ if (polstate->default_role == NULL || polstate->kernel_role == NULL)
90669+ return -EINVAL;
90670+
90671+ return err;
90672+}
90673+
90674+static int gracl_reload_apply_policies(void *reload)
90675+{
90676+ struct gr_reload_state *reload_state = (struct gr_reload_state *)reload;
90677+ struct task_struct *task, *task2;
90678+ struct acl_role_label *role, *rtmp;
90679+ struct acl_subject_label *subj;
90680+ const struct cred *cred;
90681+ int role_applied;
90682+ int ret = 0;
90683+
90684+ memcpy(&reload_state->oldpolicy, reload_state->oldpolicy_ptr, sizeof(struct gr_policy_state));
90685+ memcpy(&reload_state->oldalloc, reload_state->oldalloc_ptr, sizeof(struct gr_alloc_state));
90686+
90687+ /* first make sure we'll be able to apply the new policy cleanly */
90688+ do_each_thread(task2, task) {
90689+ if (task->exec_file == NULL)
90690+ continue;
90691+ role_applied = 0;
90692+ if (!reload_state->oldmode && task->role->roletype & GR_ROLE_SPECIAL) {
90693+ /* preserve special roles */
90694+ FOR_EACH_ROLE_START(role)
90695+ if ((role->roletype & GR_ROLE_SPECIAL) && !strcmp(task->role->rolename, role->rolename)) {
90696+ rtmp = task->role;
90697+ task->role = role;
90698+ role_applied = 1;
90699+ break;
90700+ }
90701+ FOR_EACH_ROLE_END(role)
90702+ }
90703+ if (!role_applied) {
90704+ cred = __task_cred(task);
90705+ rtmp = task->role;
90706+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
90707+ }
90708+ /* this handles non-nested inherited subjects, nested subjects will still
90709+ be dropped currently */
90710+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
90711+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1);
90712+ /* change the role back so that we've made no modifications to the policy */
90713+ task->role = rtmp;
90714+
90715+ if (subj == NULL || task->tmpacl == NULL) {
90716+ ret = -EINVAL;
90717+ goto out;
90718+ }
90719+ } while_each_thread(task2, task);
90720+
90721+ /* now actually apply the policy */
90722+
90723+ do_each_thread(task2, task) {
90724+ if (task->exec_file) {
90725+ role_applied = 0;
90726+ if (!reload_state->oldmode && task->role->roletype & GR_ROLE_SPECIAL) {
90727+ /* preserve special roles */
90728+ FOR_EACH_ROLE_START(role)
90729+ if ((role->roletype & GR_ROLE_SPECIAL) && !strcmp(task->role->rolename, role->rolename)) {
90730+ task->role = role;
90731+ role_applied = 1;
90732+ break;
90733+ }
90734+ FOR_EACH_ROLE_END(role)
90735+ }
90736+ if (!role_applied) {
90737+ cred = __task_cred(task);
90738+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
90739+ }
90740+ /* this handles non-nested inherited subjects, nested subjects will still
90741+ be dropped currently */
90742+ if (!reload_state->oldmode && task->inherited)
90743+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
90744+ else {
90745+ /* looked up and tagged to the task previously */
90746+ subj = task->tmpacl;
90747+ }
90748+ /* subj will be non-null */
90749+ __gr_apply_subject_to_task(polstate, task, subj);
90750+ if (reload_state->oldmode) {
90751+ task->acl_role_id = 0;
90752+ task->acl_sp_role = 0;
90753+ task->inherited = 0;
90754+ }
90755+ } else {
90756+ // it's a kernel process
90757+ task->role = polstate->kernel_role;
90758+ task->acl = polstate->kernel_role->root_label;
90759+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
90760+ task->acl->mode &= ~GR_PROCFIND;
90761+#endif
90762+ }
90763+ } while_each_thread(task2, task);
90764+
90765+ memcpy(reload_state->oldpolicy_ptr, &reload_state->newpolicy, sizeof(struct gr_policy_state));
90766+ memcpy(reload_state->oldalloc_ptr, &reload_state->newalloc, sizeof(struct gr_alloc_state));
90767+
90768+out:
90769+
90770+ return ret;
90771+}
90772+
90773+static int gracl_reload(struct gr_arg *args, unsigned char oldmode)
90774+{
90775+ struct gr_reload_state new_reload_state = { };
90776+ int err;
90777+
90778+ new_reload_state.oldpolicy_ptr = polstate;
90779+ new_reload_state.oldalloc_ptr = current_alloc_state;
90780+ new_reload_state.oldmode = oldmode;
90781+
90782+ current_alloc_state = &new_reload_state.newalloc;
90783+ polstate = &new_reload_state.newpolicy;
90784+
90785+ /* everything relevant is now saved off, copy in the new policy */
90786+ if (init_variables(args, true)) {
90787+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
90788+ err = -ENOMEM;
90789+ goto error;
90790+ }
90791+
90792+ err = copy_user_acl(args);
90793+ free_init_variables();
90794+ if (err)
90795+ goto error;
90796+ /* the new policy is copied in, with the old policy available via saved_state
90797+ first go through applying roles, making sure to preserve special roles
90798+ then apply new subjects, making sure to preserve inherited and nested subjects,
90799+ though currently only inherited subjects will be preserved
90800+ */
90801+ err = stop_machine(gracl_reload_apply_policies, &new_reload_state, NULL);
90802+ if (err)
90803+ goto error;
90804+
90805+ /* we've now applied the new policy, so restore the old policy state to free it */
90806+ polstate = &new_reload_state.oldpolicy;
90807+ current_alloc_state = &new_reload_state.oldalloc;
90808+ free_variables(true);
90809+
90810+ /* oldpolicy/oldalloc_ptr point to the new policy/alloc states as they were copied
90811+ to running_polstate/current_alloc_state inside stop_machine
90812+ */
90813+ err = 0;
90814+ goto out;
90815+error:
90816+ /* on error of loading the new policy, we'll just keep the previous
90817+ policy set around
90818+ */
90819+ free_variables(true);
90820+
90821+ /* doesn't affect runtime, but maintains consistent state */
90822+out:
90823+ polstate = new_reload_state.oldpolicy_ptr;
90824+ current_alloc_state = new_reload_state.oldalloc_ptr;
90825+
90826+ return err;
90827+}
90828+
90829+static int
90830+gracl_init(struct gr_arg *args)
90831+{
90832+ int error = 0;
90833+
90834+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
90835+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
90836+
90837+ if (init_variables(args, false)) {
90838+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
90839+ error = -ENOMEM;
90840+ goto out;
90841+ }
90842+
90843+ error = copy_user_acl(args);
90844+ free_init_variables();
90845+ if (error)
90846+ goto out;
90847+
90848+ error = gr_set_acls(0);
90849+ if (error)
90850+ goto out;
90851+
90852+ gr_enable_rbac_system();
90853+
90854+ return 0;
90855+
90856+out:
90857+ free_variables(false);
90858+ return error;
90859+}
90860+
90861+static int
90862+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
90863+ unsigned char **sum)
90864+{
90865+ struct acl_role_label *r;
90866+ struct role_allowed_ip *ipp;
90867+ struct role_transition *trans;
90868+ unsigned int i;
90869+ int found = 0;
90870+ u32 curr_ip = current->signal->curr_ip;
90871+
90872+ current->signal->saved_ip = curr_ip;
90873+
90874+ /* check transition table */
90875+
90876+ for (trans = current->role->transitions; trans; trans = trans->next) {
90877+ if (!strcmp(rolename, trans->rolename)) {
90878+ found = 1;
90879+ break;
90880+ }
90881+ }
90882+
90883+ if (!found)
90884+ return 0;
90885+
90886+ /* handle special roles that do not require authentication
90887+ and check ip */
90888+
90889+ FOR_EACH_ROLE_START(r)
90890+ if (!strcmp(rolename, r->rolename) &&
90891+ (r->roletype & GR_ROLE_SPECIAL)) {
90892+ found = 0;
90893+ if (r->allowed_ips != NULL) {
90894+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
90895+ if ((ntohl(curr_ip) & ipp->netmask) ==
90896+ (ntohl(ipp->addr) & ipp->netmask))
90897+ found = 1;
90898+ }
90899+ } else
90900+ found = 2;
90901+ if (!found)
90902+ return 0;
90903+
90904+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
90905+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
90906+ *salt = NULL;
90907+ *sum = NULL;
90908+ return 1;
90909+ }
90910+ }
90911+ FOR_EACH_ROLE_END(r)
90912+
90913+ for (i = 0; i < polstate->num_sprole_pws; i++) {
90914+ if (!strcmp(rolename, polstate->acl_special_roles[i]->rolename)) {
90915+ *salt = polstate->acl_special_roles[i]->salt;
90916+ *sum = polstate->acl_special_roles[i]->sum;
90917+ return 1;
90918+ }
90919+ }
90920+
90921+ return 0;
90922+}
90923+
90924+int gr_check_secure_terminal(struct task_struct *task)
90925+{
90926+ struct task_struct *p, *p2, *p3;
90927+ struct files_struct *files;
90928+ struct fdtable *fdt;
90929+ struct file *our_file = NULL, *file;
90930+ struct inode *our_inode = NULL;
90931+ int i;
90932+
90933+ if (task->signal->tty == NULL)
90934+ return 1;
90935+
90936+ files = get_files_struct(task);
90937+ if (files != NULL) {
90938+ rcu_read_lock();
90939+ fdt = files_fdtable(files);
90940+ for (i=0; i < fdt->max_fds; i++) {
90941+ file = fcheck_files(files, i);
90942+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
90943+ get_file(file);
90944+ our_file = file;
90945+ }
90946+ }
90947+ rcu_read_unlock();
90948+ put_files_struct(files);
90949+ }
90950+
90951+ if (our_file == NULL)
90952+ return 1;
90953+
90954+ our_inode = d_backing_inode(our_file->f_path.dentry);
90955+
90956+ read_lock(&tasklist_lock);
90957+ do_each_thread(p2, p) {
90958+ files = get_files_struct(p);
90959+ if (files == NULL ||
90960+ (p->signal && p->signal->tty == task->signal->tty)) {
90961+ if (files != NULL)
90962+ put_files_struct(files);
90963+ continue;
90964+ }
90965+ rcu_read_lock();
90966+ fdt = files_fdtable(files);
90967+ for (i=0; i < fdt->max_fds; i++) {
90968+ struct inode *inode = NULL;
90969+ file = fcheck_files(files, i);
90970+ if (file)
90971+ inode = d_backing_inode(file->f_path.dentry);
90972+ if (inode && S_ISCHR(inode->i_mode) && inode->i_rdev == our_inode->i_rdev) {
90973+ p3 = task;
90974+ while (task_pid_nr(p3) > 0) {
90975+ if (p3 == p)
90976+ break;
90977+ p3 = p3->real_parent;
90978+ }
90979+ if (p3 == p)
90980+ break;
90981+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
90982+ gr_handle_alertkill(p);
90983+ rcu_read_unlock();
90984+ put_files_struct(files);
90985+ read_unlock(&tasklist_lock);
90986+ fput(our_file);
90987+ return 0;
90988+ }
90989+ }
90990+ rcu_read_unlock();
90991+ put_files_struct(files);
90992+ } while_each_thread(p2, p);
90993+ read_unlock(&tasklist_lock);
90994+
90995+ fput(our_file);
90996+ return 1;
90997+}
90998+
90999+ssize_t
91000+write_grsec_handler(struct file *file, const char __user * buf, size_t count, loff_t *ppos)
91001+{
91002+ struct gr_arg_wrapper uwrap;
91003+ unsigned char *sprole_salt = NULL;
91004+ unsigned char *sprole_sum = NULL;
91005+ int error = 0;
91006+ int error2 = 0;
91007+ size_t req_count = 0;
91008+ unsigned char oldmode = 0;
91009+
91010+ mutex_lock(&gr_dev_mutex);
91011+
91012+ if (gr_acl_is_enabled() && !(current->acl->mode & GR_KERNELAUTH)) {
91013+ error = -EPERM;
91014+ goto out;
91015+ }
91016+
91017+#ifdef CONFIG_COMPAT
91018+ pax_open_kernel();
91019+ if (is_compat_task()) {
91020+ copy_gr_arg_wrapper = &copy_gr_arg_wrapper_compat;
91021+ copy_gr_arg = &copy_gr_arg_compat;
91022+ copy_acl_object_label = &copy_acl_object_label_compat;
91023+ copy_acl_subject_label = &copy_acl_subject_label_compat;
91024+ copy_acl_role_label = &copy_acl_role_label_compat;
91025+ copy_acl_ip_label = &copy_acl_ip_label_compat;
91026+ copy_role_allowed_ip = &copy_role_allowed_ip_compat;
91027+ copy_role_transition = &copy_role_transition_compat;
91028+ copy_sprole_pw = &copy_sprole_pw_compat;
91029+ copy_gr_hash_struct = &copy_gr_hash_struct_compat;
91030+ copy_pointer_from_array = &copy_pointer_from_array_compat;
91031+ get_gr_arg_wrapper_size = &get_gr_arg_wrapper_size_compat;
91032+ } else {
91033+ copy_gr_arg_wrapper = &copy_gr_arg_wrapper_normal;
91034+ copy_gr_arg = &copy_gr_arg_normal;
91035+ copy_acl_object_label = &copy_acl_object_label_normal;
91036+ copy_acl_subject_label = &copy_acl_subject_label_normal;
91037+ copy_acl_role_label = &copy_acl_role_label_normal;
91038+ copy_acl_ip_label = &copy_acl_ip_label_normal;
91039+ copy_role_allowed_ip = &copy_role_allowed_ip_normal;
91040+ copy_role_transition = &copy_role_transition_normal;
91041+ copy_sprole_pw = &copy_sprole_pw_normal;
91042+ copy_gr_hash_struct = &copy_gr_hash_struct_normal;
91043+ copy_pointer_from_array = &copy_pointer_from_array_normal;
91044+ get_gr_arg_wrapper_size = &get_gr_arg_wrapper_size_normal;
91045+ }
91046+ pax_close_kernel();
91047+#endif
91048+
91049+ req_count = get_gr_arg_wrapper_size();
91050+
91051+ if (count != req_count) {
91052+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)req_count);
91053+ error = -EINVAL;
91054+ goto out;
91055+ }
91056+
91057+
91058+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
91059+ gr_auth_expires = 0;
91060+ gr_auth_attempts = 0;
91061+ }
91062+
91063+ error = copy_gr_arg_wrapper(buf, &uwrap);
91064+ if (error)
91065+ goto out;
91066+
91067+ error = copy_gr_arg(uwrap.arg, gr_usermode);
91068+ if (error)
91069+ goto out;
91070+
91071+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
91072+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
91073+ time_after(gr_auth_expires, get_seconds())) {
91074+ error = -EBUSY;
91075+ goto out;
91076+ }
91077+
91078+ /* if non-root trying to do anything other than use a special role,
91079+ do not attempt authentication, do not count towards authentication
91080+ locking
91081+ */
91082+
91083+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
91084+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
91085+ gr_is_global_nonroot(current_uid())) {
91086+ error = -EPERM;
91087+ goto out;
91088+ }
91089+
91090+ /* ensure pw and special role name are null terminated */
91091+
91092+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
91093+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
91094+
91095+ /* Okay.
91096+ * We have our enough of the argument structure..(we have yet
91097+ * to copy_from_user the tables themselves) . Copy the tables
91098+ * only if we need them, i.e. for loading operations. */
91099+
91100+ switch (gr_usermode->mode) {
91101+ case GR_STATUS:
91102+ if (gr_acl_is_enabled()) {
91103+ error = 1;
91104+ if (!gr_check_secure_terminal(current))
91105+ error = 3;
91106+ } else
91107+ error = 2;
91108+ goto out;
91109+ case GR_SHUTDOWN:
91110+ if (gr_acl_is_enabled() && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91111+ stop_machine(gr_rbac_disable, NULL, NULL);
91112+ free_variables(false);
91113+ memset(gr_usermode, 0, sizeof(struct gr_arg));
91114+ memset(gr_system_salt, 0, GR_SALT_LEN);
91115+ memset(gr_system_sum, 0, GR_SHA_LEN);
91116+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
91117+ } else if (gr_acl_is_enabled()) {
91118+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
91119+ error = -EPERM;
91120+ } else {
91121+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
91122+ error = -EAGAIN;
91123+ }
91124+ break;
91125+ case GR_ENABLE:
91126+ if (!gr_acl_is_enabled() && !(error2 = gracl_init(gr_usermode)))
91127+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
91128+ else {
91129+ if (gr_acl_is_enabled())
91130+ error = -EAGAIN;
91131+ else
91132+ error = error2;
91133+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
91134+ }
91135+ break;
91136+ case GR_OLDRELOAD:
91137+ oldmode = 1;
91138+ case GR_RELOAD:
91139+ if (!gr_acl_is_enabled()) {
91140+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
91141+ error = -EAGAIN;
91142+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91143+ error2 = gracl_reload(gr_usermode, oldmode);
91144+ if (!error2)
91145+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
91146+ else {
91147+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
91148+ error = error2;
91149+ }
91150+ } else {
91151+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
91152+ error = -EPERM;
91153+ }
91154+ break;
91155+ case GR_SEGVMOD:
91156+ if (unlikely(!gr_acl_is_enabled())) {
91157+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
91158+ error = -EAGAIN;
91159+ break;
91160+ }
91161+
91162+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91163+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
91164+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
91165+ struct acl_subject_label *segvacl;
91166+ segvacl =
91167+ lookup_acl_subj_label(gr_usermode->segv_inode,
91168+ gr_usermode->segv_device,
91169+ current->role);
91170+ if (segvacl) {
91171+ segvacl->crashes = 0;
91172+ segvacl->expires = 0;
91173+ }
91174+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
91175+ gr_remove_uid(gr_usermode->segv_uid);
91176+ }
91177+ } else {
91178+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
91179+ error = -EPERM;
91180+ }
91181+ break;
91182+ case GR_SPROLE:
91183+ case GR_SPROLEPAM:
91184+ if (unlikely(!gr_acl_is_enabled())) {
91185+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
91186+ error = -EAGAIN;
91187+ break;
91188+ }
91189+
91190+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
91191+ current->role->expires = 0;
91192+ current->role->auth_attempts = 0;
91193+ }
91194+
91195+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
91196+ time_after(current->role->expires, get_seconds())) {
91197+ error = -EBUSY;
91198+ goto out;
91199+ }
91200+
91201+ if (lookup_special_role_auth
91202+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
91203+ && ((!sprole_salt && !sprole_sum)
91204+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
91205+ char *p = "";
91206+ assign_special_role(gr_usermode->sp_role);
91207+ read_lock(&tasklist_lock);
91208+ if (current->real_parent)
91209+ p = current->real_parent->role->rolename;
91210+ read_unlock(&tasklist_lock);
91211+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
91212+ p, acl_sp_role_value);
91213+ } else {
91214+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
91215+ error = -EPERM;
91216+ if(!(current->role->auth_attempts++))
91217+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
91218+
91219+ goto out;
91220+ }
91221+ break;
91222+ case GR_UNSPROLE:
91223+ if (unlikely(!gr_acl_is_enabled())) {
91224+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
91225+ error = -EAGAIN;
91226+ break;
91227+ }
91228+
91229+ if (current->role->roletype & GR_ROLE_SPECIAL) {
91230+ char *p = "";
91231+ int i = 0;
91232+
91233+ read_lock(&tasklist_lock);
91234+ if (current->real_parent) {
91235+ p = current->real_parent->role->rolename;
91236+ i = current->real_parent->acl_role_id;
91237+ }
91238+ read_unlock(&tasklist_lock);
91239+
91240+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
91241+ gr_set_acls(1);
91242+ } else {
91243+ error = -EPERM;
91244+ goto out;
91245+ }
91246+ break;
91247+ default:
91248+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
91249+ error = -EINVAL;
91250+ break;
91251+ }
91252+
91253+ if (error != -EPERM)
91254+ goto out;
91255+
91256+ if(!(gr_auth_attempts++))
91257+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
91258+
91259+ out:
91260+ mutex_unlock(&gr_dev_mutex);
91261+
91262+ if (!error)
91263+ error = req_count;
91264+
91265+ return error;
91266+}
91267+
91268+int
91269+gr_set_acls(const int type)
91270+{
91271+ struct task_struct *task, *task2;
91272+ struct acl_role_label *role = current->role;
91273+ struct acl_subject_label *subj;
91274+ __u16 acl_role_id = current->acl_role_id;
91275+ const struct cred *cred;
91276+ int ret;
91277+
91278+ rcu_read_lock();
91279+ read_lock(&tasklist_lock);
91280+ read_lock(&grsec_exec_file_lock);
91281+ do_each_thread(task2, task) {
91282+ /* check to see if we're called from the exit handler,
91283+ if so, only replace ACLs that have inherited the admin
91284+ ACL */
91285+
91286+ if (type && (task->role != role ||
91287+ task->acl_role_id != acl_role_id))
91288+ continue;
91289+
91290+ task->acl_role_id = 0;
91291+ task->acl_sp_role = 0;
91292+ task->inherited = 0;
91293+
91294+ if (task->exec_file) {
91295+ cred = __task_cred(task);
91296+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
91297+ subj = __gr_get_subject_for_task(polstate, task, NULL, 1);
91298+ if (subj == NULL) {
91299+ ret = -EINVAL;
91300+ read_unlock(&grsec_exec_file_lock);
91301+ read_unlock(&tasklist_lock);
91302+ rcu_read_unlock();
91303+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task_pid_nr(task));
91304+ return ret;
91305+ }
91306+ __gr_apply_subject_to_task(polstate, task, subj);
91307+ } else {
91308+ // it's a kernel process
91309+ task->role = polstate->kernel_role;
91310+ task->acl = polstate->kernel_role->root_label;
91311+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
91312+ task->acl->mode &= ~GR_PROCFIND;
91313+#endif
91314+ }
91315+ } while_each_thread(task2, task);
91316+ read_unlock(&grsec_exec_file_lock);
91317+ read_unlock(&tasklist_lock);
91318+ rcu_read_unlock();
91319+
91320+ return 0;
91321+}
91322diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c
91323new file mode 100644
91324index 0000000..39645c9
91325--- /dev/null
91326+++ b/grsecurity/gracl_res.c
91327@@ -0,0 +1,68 @@
91328+#include <linux/kernel.h>
91329+#include <linux/sched.h>
91330+#include <linux/gracl.h>
91331+#include <linux/grinternal.h>
91332+
91333+static const char *restab_log[] = {
91334+ [RLIMIT_CPU] = "RLIMIT_CPU",
91335+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
91336+ [RLIMIT_DATA] = "RLIMIT_DATA",
91337+ [RLIMIT_STACK] = "RLIMIT_STACK",
91338+ [RLIMIT_CORE] = "RLIMIT_CORE",
91339+ [RLIMIT_RSS] = "RLIMIT_RSS",
91340+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
91341+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
91342+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
91343+ [RLIMIT_AS] = "RLIMIT_AS",
91344+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
91345+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
91346+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
91347+ [RLIMIT_NICE] = "RLIMIT_NICE",
91348+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
91349+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
91350+ [GR_CRASH_RES] = "RLIMIT_CRASH"
91351+};
91352+
91353+void
91354+gr_log_resource(const struct task_struct *task,
91355+ const int res, const unsigned long wanted, const int gt)
91356+{
91357+ const struct cred *cred;
91358+ unsigned long rlim;
91359+
91360+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
91361+ return;
91362+
91363+ // not yet supported resource
91364+ if (unlikely(!restab_log[res]))
91365+ return;
91366+
91367+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
91368+ rlim = task_rlimit_max(task, res);
91369+ else
91370+ rlim = task_rlimit(task, res);
91371+
91372+ if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
91373+ return;
91374+
91375+ rcu_read_lock();
91376+ cred = __task_cred(task);
91377+
91378+ if (res == RLIMIT_NPROC &&
91379+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
91380+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
91381+ goto out_rcu_unlock;
91382+ else if (res == RLIMIT_MEMLOCK &&
91383+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
91384+ goto out_rcu_unlock;
91385+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
91386+ goto out_rcu_unlock;
91387+ rcu_read_unlock();
91388+
91389+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
91390+
91391+ return;
91392+out_rcu_unlock:
91393+ rcu_read_unlock();
91394+ return;
91395+}
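Review bot: In gr_log_resource, `restab_log[res]` is indexed before `res` is range-checked, so the "not yet supported resource" test only covers gaps inside the table, not a value below zero or past its last entry. The callers are outside this hunk, so whether they only ever pass RLIMIT_* constants cannot be confirmed here. A guard such as `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res])) return;` makes the lookup safe on its own. The table could also be declared `static const char * const restab_log[]`, since nothing in the hunk writes to it.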
91396diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
91397new file mode 100644
91398index 0000000..21646aa
91399--- /dev/null
91400+++ b/grsecurity/gracl_segv.c
91401@@ -0,0 +1,304 @@
91402+#include <linux/kernel.h>
91403+#include <linux/mm.h>
91404+#include <asm/uaccess.h>
91405+#include <asm/errno.h>
91406+#include <asm/mman.h>
91407+#include <net/sock.h>
91408+#include <linux/file.h>
91409+#include <linux/fs.h>
91410+#include <linux/net.h>
91411+#include <linux/in.h>
91412+#include <linux/slab.h>
91413+#include <linux/types.h>
91414+#include <linux/sched.h>
91415+#include <linux/timer.h>
91416+#include <linux/gracl.h>
91417+#include <linux/grsecurity.h>
91418+#include <linux/grinternal.h>
91419+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
91420+#include <linux/magic.h>
91421+#include <linux/pagemap.h>
91422+#include "../fs/btrfs/async-thread.h"
91423+#include "../fs/btrfs/ctree.h"
91424+#include "../fs/btrfs/btrfs_inode.h"
91425+#endif
91426+
91427+static struct crash_uid *uid_set;
91428+static unsigned short uid_used;
91429+static DEFINE_SPINLOCK(gr_uid_lock);
91430+extern rwlock_t gr_inode_lock;
91431+extern struct acl_subject_label *
91432+ lookup_acl_subj_label(const u64 inode, const dev_t dev,
91433+ struct acl_role_label *role);
91434+
91435+int
91436+gr_init_uidset(void)
91437+{
91438+ uid_set =
91439+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
91440+ uid_used = 0;
91441+
91442+ return uid_set ? 1 : 0;
91443+}
91444+
91445+void
91446+gr_free_uidset(void)
91447+{
91448+ if (uid_set) {
91449+ struct crash_uid *tmpset;
91450+ spin_lock(&gr_uid_lock);
91451+ tmpset = uid_set;
91452+ uid_set = NULL;
91453+ uid_used = 0;
91454+ spin_unlock(&gr_uid_lock);
91455+ if (tmpset)
91456+ kfree(tmpset);
91457+ }
91458+
91459+ return;
91460+}
91461+
91462+int
91463+gr_find_uid(const uid_t uid)
91464+{
91465+ struct crash_uid *tmp = uid_set;
91466+ uid_t buid;
91467+ int low = 0, high = uid_used - 1, mid;
91468+
91469+ while (high >= low) {
91470+ mid = (low + high) >> 1;
91471+ buid = tmp[mid].uid;
91472+ if (buid == uid)
91473+ return mid;
91474+ if (buid > uid)
91475+ high = mid - 1;
91476+ if (buid < uid)
91477+ low = mid + 1;
91478+ }
91479+
91480+ return -1;
91481+}
91482+
91483+static void
91484+gr_insertsort(void)
91485+{
91486+ unsigned short i, j;
91487+ struct crash_uid index;
91488+
91489+ for (i = 1; i < uid_used; i++) {
91490+ index = uid_set[i];
91491+ j = i;
91492+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
91493+ uid_set[j] = uid_set[j - 1];
91494+ j--;
91495+ }
91496+ uid_set[j] = index;
91497+ }
91498+
91499+ return;
91500+}
91501+
91502+static void
91503+gr_insert_uid(const kuid_t kuid, const unsigned long expires)
91504+{
91505+ int loc;
91506+ uid_t uid = GR_GLOBAL_UID(kuid);
91507+
91508+ if (uid_used == GR_UIDTABLE_MAX)
91509+ return;
91510+
91511+ loc = gr_find_uid(uid);
91512+
91513+ if (loc >= 0) {
91514+ uid_set[loc].expires = expires;
91515+ return;
91516+ }
91517+
91518+ uid_set[uid_used].uid = uid;
91519+ uid_set[uid_used].expires = expires;
91520+ uid_used++;
91521+
91522+ gr_insertsort();
91523+
91524+ return;
91525+}
91526+
91527+void
91528+gr_remove_uid(const unsigned short loc)
91529+{
91530+ unsigned short i;
91531+
91532+ for (i = loc + 1; i < uid_used; i++)
91533+ uid_set[i - 1] = uid_set[i];
91534+
91535+ uid_used--;
91536+
91537+ return;
91538+}
91539+
91540+int
91541+gr_check_crash_uid(const kuid_t kuid)
91542+{
91543+ int loc;
91544+ int ret = 0;
91545+ uid_t uid;
91546+
91547+ if (unlikely(!gr_acl_is_enabled()))
91548+ return 0;
91549+
91550+ uid = GR_GLOBAL_UID(kuid);
91551+
91552+ spin_lock(&gr_uid_lock);
91553+ loc = gr_find_uid(uid);
91554+
91555+ if (loc < 0)
91556+ goto out_unlock;
91557+
91558+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
91559+ gr_remove_uid(loc);
91560+ else
91561+ ret = 1;
91562+
91563+out_unlock:
91564+ spin_unlock(&gr_uid_lock);
91565+ return ret;
91566+}
91567+
91568+static int
91569+proc_is_setxid(const struct cred *cred)
91570+{
91571+ if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) ||
91572+ !uid_eq(cred->uid, cred->fsuid))
91573+ return 1;
91574+ if (!gid_eq(cred->gid, cred->egid) || !gid_eq(cred->gid, cred->sgid) ||
91575+ !gid_eq(cred->gid, cred->fsgid))
91576+ return 1;
91577+
91578+ return 0;
91579+}
91580+
91581+extern int gr_fake_force_sig(int sig, struct task_struct *t);
91582+
91583+void
91584+gr_handle_crash(struct task_struct *task, const int sig)
91585+{
91586+ struct acl_subject_label *curr;
91587+ struct task_struct *tsk, *tsk2;
91588+ const struct cred *cred;
91589+ const struct cred *cred2;
91590+
91591+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
91592+ return;
91593+
91594+ if (unlikely(!gr_acl_is_enabled()))
91595+ return;
91596+
91597+ curr = task->acl;
91598+
91599+ if (!(curr->resmask & (1U << GR_CRASH_RES)))
91600+ return;
91601+
91602+ if (time_before_eq(curr->expires, get_seconds())) {
91603+ curr->expires = 0;
91604+ curr->crashes = 0;
91605+ }
91606+
91607+ curr->crashes++;
91608+
91609+ if (!curr->expires)
91610+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
91611+
91612+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
91613+ time_after(curr->expires, get_seconds())) {
91614+ rcu_read_lock();
91615+ cred = __task_cred(task);
91616+ if (gr_is_global_nonroot(cred->uid) && proc_is_setxid(cred)) {
91617+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
91618+ spin_lock(&gr_uid_lock);
91619+ gr_insert_uid(cred->uid, curr->expires);
91620+ spin_unlock(&gr_uid_lock);
91621+ curr->expires = 0;
91622+ curr->crashes = 0;
91623+ read_lock(&tasklist_lock);
91624+ do_each_thread(tsk2, tsk) {
91625+ cred2 = __task_cred(tsk);
91626+ if (tsk != task && uid_eq(cred2->uid, cred->uid))
91627+ gr_fake_force_sig(SIGKILL, tsk);
91628+ } while_each_thread(tsk2, tsk);
91629+ read_unlock(&tasklist_lock);
91630+ } else {
91631+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
91632+ read_lock(&tasklist_lock);
91633+ read_lock(&grsec_exec_file_lock);
91634+ do_each_thread(tsk2, tsk) {
91635+ if (likely(tsk != task)) {
91636+ // if this thread has the same subject as the one that triggered
91637+ // RES_CRASH and it's the same binary, kill it
91638+ if (tsk->acl == task->acl && gr_is_same_file(tsk->exec_file, task->exec_file))
91639+ gr_fake_force_sig(SIGKILL, tsk);
91640+ }
91641+ } while_each_thread(tsk2, tsk);
91642+ read_unlock(&grsec_exec_file_lock);
91643+ read_unlock(&tasklist_lock);
91644+ }
91645+ rcu_read_unlock();
91646+ }
91647+
91648+ return;
91649+}
91650+
91651+int
91652+gr_check_crash_exec(const struct file *filp)
91653+{
91654+ struct acl_subject_label *curr;
91655+ struct dentry *dentry;
91656+
91657+ if (unlikely(!gr_acl_is_enabled()))
91658+ return 0;
91659+
91660+ read_lock(&gr_inode_lock);
91661+ dentry = filp->f_path.dentry;
91662+ curr = lookup_acl_subj_label(gr_get_ino_from_dentry(dentry), gr_get_dev_from_dentry(dentry),
91663+ current->role);
91664+ read_unlock(&gr_inode_lock);
91665+
91666+ if (!curr || !(curr->resmask & (1U << GR_CRASH_RES)) ||
91667+ (!curr->crashes && !curr->expires))
91668+ return 0;
91669+
91670+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
91671+ time_after(curr->expires, get_seconds()))
91672+ return 1;
91673+ else if (time_before_eq(curr->expires, get_seconds())) {
91674+ curr->crashes = 0;
91675+ curr->expires = 0;
91676+ }
91677+
91678+ return 0;
91679+}
91680+
91681+void
91682+gr_handle_alertkill(struct task_struct *task)
91683+{
91684+ struct acl_subject_label *curracl;
91685+ __u32 curr_ip;
91686+ struct task_struct *p, *p2;
91687+
91688+ if (unlikely(!gr_acl_is_enabled()))
91689+ return;
91690+
91691+ curracl = task->acl;
91692+ curr_ip = task->signal->curr_ip;
91693+
91694+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
91695+ read_lock(&tasklist_lock);
91696+ do_each_thread(p2, p) {
91697+ if (p->signal->curr_ip == curr_ip)
91698+ gr_fake_force_sig(SIGKILL, p);
91699+ } while_each_thread(p2, p);
91700+ read_unlock(&tasklist_lock);
91701+ } else if (curracl->mode & GR_KILLPROC)
91702+ gr_fake_force_sig(SIGKILL, task);
91703+
91704+ return;
91705+}
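Review bot: In gr_insert_uid the capacity test `if (uid_used == GR_UIDTABLE_MAX) return;` runs before `gr_find_uid(uid)`, so once the table is full a uid that is already listed cannot have its `expires` refreshed. A new uid is also dropped without any log entry, even though gr_handle_crash has just logged GR_SEGVSTART_ACL_MSG. Doing the lookup and the `loc >= 0` update first, and only then checking capacity, fixes the refresh case. Expired entries appear to be removed only when gr_check_crash_uid looks up that same uid, so stale rows can keep the table full; pruning expired rows at capacity, or at least logging the drop, would make a failed lockout visible. gr_insert_uid also writes through `uid_set` without a NULL test, and whether gr_acl_is_enabled() rules that out after gr_free_uidset() is not visible in this hunk.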
91706diff --git a/grsecurity/gracl_shm.c b/grsecurity/gracl_shm.c
91707new file mode 100644
91708index 0000000..6b0c9cc
91709--- /dev/null
91710+++ b/grsecurity/gracl_shm.c
91711@@ -0,0 +1,40 @@
91712+#include <linux/kernel.h>
91713+#include <linux/mm.h>
91714+#include <linux/sched.h>
91715+#include <linux/file.h>
91716+#include <linux/ipc.h>
91717+#include <linux/gracl.h>
91718+#include <linux/grsecurity.h>
91719+#include <linux/grinternal.h>
91720+
91721+int
91722+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
91723+ const u64 shm_createtime, const kuid_t cuid, const int shmid)
91724+{
91725+ struct task_struct *task;
91726+
91727+ if (!gr_acl_is_enabled())
91728+ return 1;
91729+
91730+ rcu_read_lock();
91731+ read_lock(&tasklist_lock);
91732+
91733+ task = find_task_by_vpid(shm_cprid);
91734+
91735+ if (unlikely(!task))
91736+ task = find_task_by_vpid(shm_lapid);
91737+
91738+ if (unlikely(task && (time_before_eq64(task->start_time, shm_createtime) ||
91739+ (task_pid_nr(task) == shm_lapid)) &&
91740+ (task->acl->mode & GR_PROTSHM) &&
91741+ (task->acl != current->acl))) {
91742+ read_unlock(&tasklist_lock);
91743+ rcu_read_unlock();
91744+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, GR_GLOBAL_UID(cuid), shm_cprid, shmid);
91745+ return 0;
91746+ }
91747+ read_unlock(&tasklist_lock);
91748+ rcu_read_unlock();
91749+
91750+ return 1;
91751+}
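Review bot: gr_handle_shmat has no comment stating its return convention: it returns 1 to allow and 0 to deny, the opposite of handlers such as gr_handle_chroot_nice elsewhere in this patch, which return 0 on success and a negative errno on denial. A header comment like `/* returns 1 if the attach is allowed, 0 if denied by GR_PROTSHM */` would keep a caller from inverting the check. The `time_before_eq64(task->start_time, shm_createtime)` test reads as a pid-reuse guard for the creator pid and deserves a one-line comment saying so. The denial log also prints `shm_cprid` even when the matching task was found via `shm_lapid`, which could mislead someone reading the audit trail.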
91752diff --git a/grsecurity/grsec_chdir.c b/grsecurity/grsec_chdir.c
91753new file mode 100644
91754index 0000000..bc0be01
91755--- /dev/null
91756+++ b/grsecurity/grsec_chdir.c
91757@@ -0,0 +1,19 @@
91758+#include <linux/kernel.h>
91759+#include <linux/sched.h>
91760+#include <linux/fs.h>
91761+#include <linux/file.h>
91762+#include <linux/grsecurity.h>
91763+#include <linux/grinternal.h>
91764+
91765+void
91766+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
91767+{
91768+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
91769+ if ((grsec_enable_chdir && grsec_enable_group &&
91770+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
91771+ !grsec_enable_group)) {
91772+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
91773+ }
91774+#endif
91775+ return;
91776+}
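Review bot: The audit condition in gr_log_chdir repeats `grsec_enable_chdir` in both arms and is harder to read than it needs to be. It is equivalent to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which still evaluates `in_group_p()` only when group filtering is on. The trailing `return;` in a void function can be dropped as well.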
91777diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
91778new file mode 100644
91779index 0000000..652ab45
91780--- /dev/null
91781+++ b/grsecurity/grsec_chroot.c
91782@@ -0,0 +1,467 @@
91783+#include <linux/kernel.h>
91784+#include <linux/module.h>
91785+#include <linux/sched.h>
91786+#include <linux/file.h>
91787+#include <linux/fs.h>
91788+#include <linux/mount.h>
91789+#include <linux/types.h>
91790+#include "../fs/mount.h"
91791+#include <linux/grsecurity.h>
91792+#include <linux/grinternal.h>
91793+
91794+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
91795+int gr_init_ran;
91796+#endif
91797+
91798+void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
91799+{
91800+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
91801+ struct dentry *tmpd = dentry;
91802+
91803+ read_seqlock_excl(&mount_lock);
91804+ write_seqlock(&rename_lock);
91805+
91806+ while (tmpd != mnt->mnt_root) {
91807+ atomic_inc(&tmpd->chroot_refcnt);
91808+ tmpd = tmpd->d_parent;
91809+ }
91810+ atomic_inc(&tmpd->chroot_refcnt);
91811+
91812+ write_sequnlock(&rename_lock);
91813+ read_sequnlock_excl(&mount_lock);
91814+#endif
91815+}
91816+
91817+void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
91818+{
91819+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
91820+ struct dentry *tmpd = dentry;
91821+
91822+ read_seqlock_excl(&mount_lock);
91823+ write_seqlock(&rename_lock);
91824+
91825+ while (tmpd != mnt->mnt_root) {
91826+ atomic_dec(&tmpd->chroot_refcnt);
91827+ tmpd = tmpd->d_parent;
91828+ }
91829+ atomic_dec(&tmpd->chroot_refcnt);
91830+
91831+ write_sequnlock(&rename_lock);
91832+ read_sequnlock_excl(&mount_lock);
91833+#endif
91834+}
91835+
91836+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
91837+static struct dentry *get_closest_chroot(struct dentry *dentry)
91838+{
91839+ write_seqlock(&rename_lock);
91840+ do {
91841+ if (atomic_read(&dentry->chroot_refcnt)) {
91842+ write_sequnlock(&rename_lock);
91843+ return dentry;
91844+ }
91845+ dentry = dentry->d_parent;
91846+ } while (!IS_ROOT(dentry));
91847+ write_sequnlock(&rename_lock);
91848+ return NULL;
91849+}
91850+#endif
91851+
91852+int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
91853+ struct dentry *newdentry, struct vfsmount *newmnt)
91854+{
91855+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
91856+ struct dentry *chroot;
91857+
91858+ if (unlikely(!grsec_enable_chroot_rename))
91859+ return 0;
91860+
91861+ if (likely(!proc_is_chrooted(current) && gr_is_global_root(current_uid())))
91862+ return 0;
91863+
91864+ chroot = get_closest_chroot(olddentry);
91865+
91866+ if (chroot == NULL)
91867+ return 0;
91868+
91869+ if (is_subdir(newdentry, chroot))
91870+ return 0;
91871+
91872+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_RENAME_MSG, olddentry, oldmnt);
91873+
91874+ return 1;
91875+#else
91876+ return 0;
91877+#endif
91878+}
91879+
91880+void gr_set_chroot_entries(struct task_struct *task, const struct path *path)
91881+{
91882+#ifdef CONFIG_GRKERNSEC
91883+ if (task_pid_nr(task) > 1 && path->dentry != init_task.fs->root.dentry &&
91884+ path->dentry != task->nsproxy->mnt_ns->root->mnt.mnt_root
91885+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
91886+ && gr_init_ran
91887+#endif
91888+ )
91889+ task->gr_is_chrooted = 1;
91890+ else {
91891+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
91892+ if (task_pid_nr(task) == 1 && !gr_init_ran)
91893+ gr_init_ran = 1;
91894+#endif
91895+ task->gr_is_chrooted = 0;
91896+ }
91897+
91898+ task->gr_chroot_dentry = path->dentry;
91899+#endif
91900+ return;
91901+}
91902+
91903+void gr_clear_chroot_entries(struct task_struct *task)
91904+{
91905+#ifdef CONFIG_GRKERNSEC
91906+ task->gr_is_chrooted = 0;
91907+ task->gr_chroot_dentry = NULL;
91908+#endif
91909+ return;
91910+}
91911+
91912+int
91913+gr_handle_chroot_unix(const pid_t pid)
91914+{
91915+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
91916+ struct task_struct *p;
91917+
91918+ if (unlikely(!grsec_enable_chroot_unix))
91919+ return 1;
91920+
91921+ if (likely(!proc_is_chrooted(current)))
91922+ return 1;
91923+
91924+ rcu_read_lock();
91925+ read_lock(&tasklist_lock);
91926+ p = find_task_by_vpid_unrestricted(pid);
91927+ if (unlikely(p && !have_same_root(current, p))) {
91928+ read_unlock(&tasklist_lock);
91929+ rcu_read_unlock();
91930+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
91931+ return 0;
91932+ }
91933+ read_unlock(&tasklist_lock);
91934+ rcu_read_unlock();
91935+#endif
91936+ return 1;
91937+}
91938+
91939+int
91940+gr_handle_chroot_nice(void)
91941+{
91942+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
91943+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
91944+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
91945+ return -EPERM;
91946+ }
91947+#endif
91948+ return 0;
91949+}
91950+
91951+int
91952+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
91953+{
91954+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
91955+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
91956+ && proc_is_chrooted(current)) {
91957+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, task_pid_nr(p));
91958+ return -EACCES;
91959+ }
91960+#endif
91961+ return 0;
91962+}
91963+
91964+int
91965+gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
91966+{
91967+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
91968+ struct task_struct *p;
91969+ int ret = 0;
91970+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
91971+ return ret;
91972+
91973+ read_lock(&tasklist_lock);
91974+ do_each_pid_task(pid, type, p) {
91975+ if (!have_same_root(current, p)) {
91976+ ret = 1;
91977+ goto out;
91978+ }
91979+ } while_each_pid_task(pid, type, p);
91980+out:
91981+ read_unlock(&tasklist_lock);
91982+ return ret;
91983+#endif
91984+ return 0;
91985+}
91986+
91987+int
91988+gr_pid_is_chrooted(struct task_struct *p)
91989+{
91990+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
91991+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
91992+ return 0;
91993+
91994+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
91995+ !have_same_root(current, p)) {
91996+ return 1;
91997+ }
91998+#endif
91999+ return 0;
92000+}
92001+
92002+EXPORT_SYMBOL_GPL(gr_pid_is_chrooted);
92003+
92004+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
92005+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
92006+{
92007+ struct path path, currentroot;
92008+ int ret = 0;
92009+
92010+ path.dentry = (struct dentry *)u_dentry;
92011+ path.mnt = (struct vfsmount *)u_mnt;
92012+ get_fs_root(current->fs, &currentroot);
92013+ if (path_is_under(&path, &currentroot))
92014+ ret = 1;
92015+ path_put(&currentroot);
92016+
92017+ return ret;
92018+}
92019+#endif
92020+
92021+int
92022+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
92023+{
92024+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
92025+ if (!grsec_enable_chroot_fchdir)
92026+ return 1;
92027+
92028+ if (!proc_is_chrooted(current))
92029+ return 1;
92030+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
92031+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
92032+ return 0;
92033+ }
92034+#endif
92035+ return 1;
92036+}
92037+
92038+int
92039+gr_chroot_fhandle(void)
92040+{
92041+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
92042+ if (!grsec_enable_chroot_fchdir)
92043+ return 1;
92044+
92045+ if (!proc_is_chrooted(current))
92046+ return 1;
92047+ else {
92048+ gr_log_noargs(GR_DONT_AUDIT, GR_CHROOT_FHANDLE_MSG);
92049+ return 0;
92050+ }
92051+#endif
92052+ return 1;
92053+}
92054+
92055+int
92056+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
92057+ const u64 shm_createtime)
92058+{
92059+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
92060+ struct task_struct *p;
92061+
92062+ if (unlikely(!grsec_enable_chroot_shmat))
92063+ return 1;
92064+
92065+ if (likely(!proc_is_chrooted(current)))
92066+ return 1;
92067+
92068+ rcu_read_lock();
92069+ read_lock(&tasklist_lock);
92070+
92071+ if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
92072+ if (time_before_eq64(p->start_time, shm_createtime)) {
92073+ if (have_same_root(current, p)) {
92074+ goto allow;
92075+ } else {
92076+ read_unlock(&tasklist_lock);
92077+ rcu_read_unlock();
92078+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
92079+ return 0;
92080+ }
92081+ }
92082+ /* creator exited, pid reuse, fall through to next check */
92083+ }
92084+ if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
92085+ if (unlikely(!have_same_root(current, p))) {
92086+ read_unlock(&tasklist_lock);
92087+ rcu_read_unlock();
92088+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
92089+ return 0;
92090+ }
92091+ }
92092+
92093+allow:
92094+ read_unlock(&tasklist_lock);
92095+ rcu_read_unlock();
92096+#endif
92097+ return 1;
92098+}
92099+
92100+void
92101+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
92102+{
92103+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
92104+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
92105+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
92106+#endif
92107+ return;
92108+}
92109+
92110+int
92111+gr_handle_chroot_mknod(const struct dentry *dentry,
92112+ const struct vfsmount *mnt, const int mode)
92113+{
92114+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
92115+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
92116+ proc_is_chrooted(current)) {
92117+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
92118+ return -EPERM;
92119+ }
92120+#endif
92121+ return 0;
92122+}
92123+
92124+int
92125+gr_handle_chroot_mount(const struct dentry *dentry,
92126+ const struct vfsmount *mnt, const char *dev_name)
92127+{
92128+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
92129+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
92130+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
92131+ return -EPERM;
92132+ }
92133+#endif
92134+ return 0;
92135+}
92136+
92137+int
92138+gr_handle_chroot_pivot(void)
92139+{
92140+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
92141+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
92142+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
92143+ return -EPERM;
92144+ }
92145+#endif
92146+ return 0;
92147+}
92148+
92149+int
92150+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
92151+{
92152+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
92153+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
92154+ !gr_is_outside_chroot(dentry, mnt)) {
92155+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
92156+ return -EPERM;
92157+ }
92158+#endif
92159+ return 0;
92160+}
92161+
92162+extern const char *captab_log[];
92163+extern int captab_log_entries;
92164+
92165+int
92166+gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
92167+{
92168+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92169+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
92170+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
92171+ if (cap_raised(chroot_caps, cap)) {
92172+ if (cap_raised(cred->cap_effective, cap) && cap < captab_log_entries) {
92173+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, task, captab_log[cap]);
92174+ }
92175+ return 0;
92176+ }
92177+ }
92178+#endif
92179+ return 1;
92180+}
92181+
92182+int
92183+gr_chroot_is_capable(const int cap)
92184+{
92185+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92186+ return gr_task_chroot_is_capable(current, current_cred(), cap);
92187+#endif
92188+ return 1;
92189+}
92190+
92191+int
92192+gr_task_chroot_is_capable_nolog(const struct task_struct *task, const int cap)
92193+{
92194+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92195+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
92196+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
92197+ if (cap_raised(chroot_caps, cap)) {
92198+ return 0;
92199+ }
92200+ }
92201+#endif
92202+ return 1;
92203+}
92204+
92205+int
92206+gr_chroot_is_capable_nolog(const int cap)
92207+{
92208+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92209+ return gr_task_chroot_is_capable_nolog(current, cap);
92210+#endif
92211+ return 1;
92212+}
92213+
92214+int
92215+gr_handle_chroot_sysctl(const int op)
92216+{
92217+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
92218+ if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
92219+ proc_is_chrooted(current))
92220+ return -EACCES;
92221+#endif
92222+ return 0;
92223+}
92224+
92225+void
92226+gr_handle_chroot_chdir(const struct path *path)
92227+{
92228+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
92229+ if (grsec_enable_chroot_chdir)
92230+ set_fs_pwd(current->fs, path);
92231+#endif
92232+ return;
92233+}
92234+
92235+int
92236+gr_handle_chroot_chmod(const struct dentry *dentry,
92237+ const struct vfsmount *mnt, const int mode)
92238+{
92239+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
92240+ /* allow chmod +s on directories, but not files */
92241+ if (grsec_enable_chroot_chmod && !d_is_dir(dentry) &&
92242+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
92243+ proc_is_chrooted(current)) {
92244+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
92245+ return -EPERM;
92246+ }
92247+#endif
92248+ return 0;
92249+}
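Review bot: gr_is_outside_chroot returns 1 when `path_is_under(&path, &currentroot)` succeeds, i.e. when the path is still inside the caller's root, so its name says the opposite of what it reports. Both callers in this hunk, gr_chroot_fchdir and gr_handle_chroot_chroot, negate the result to get the deny condition, which works but invites an inverted check from the next person who uses it. A comment above the definition such as `/* returns 1 if the path is under current's fs root (inside the chroot), 0 if it is outside */` would document the actual contract. Renaming it would be cleaner if no callers outside this file depend on the name. The function also casts away const on `u_dentry` and `u_mnt` to fill a `struct path`, which is worth a short comment on why that is safe.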
92250diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
92251new file mode 100644
92252index 0000000..e723c08
92253--- /dev/null
92254+++ b/grsecurity/grsec_disabled.c
92255@@ -0,0 +1,445 @@
92256+#include <linux/kernel.h>
92257+#include <linux/module.h>
92258+#include <linux/sched.h>
92259+#include <linux/file.h>
92260+#include <linux/fs.h>
92261+#include <linux/kdev_t.h>
92262+#include <linux/net.h>
92263+#include <linux/in.h>
92264+#include <linux/ip.h>
92265+#include <linux/skbuff.h>
92266+#include <linux/sysctl.h>
92267+
92268+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
92269+void
92270+pax_set_initial_flags(struct linux_binprm *bprm)
92271+{
92272+ return;
92273+}
92274+#endif
92275+
92276+#ifdef CONFIG_SYSCTL
92277+__u32
92278+gr_handle_sysctl(const struct ctl_table * table, const int op)
92279+{
92280+ return 0;
92281+}
92282+#endif
92283+
92284+#ifdef CONFIG_TASKSTATS
92285+int gr_is_taskstats_denied(int pid)
92286+{
92287+ return 0;
92288+}
92289+#endif
92290+
92291+int
92292+gr_acl_is_enabled(void)
92293+{
92294+ return 0;
92295+}
92296+
92297+int
92298+gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
92299+{
92300+ return 0;
92301+}
92302+
92303+void
92304+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
92305+{
92306+ return;
92307+}
92308+
92309+int
92310+gr_handle_rawio(const struct inode *inode)
92311+{
92312+ return 0;
92313+}
92314+
92315+void
92316+gr_acl_handle_psacct(struct task_struct *task, const long code)
92317+{
92318+ return;
92319+}
92320+
92321+int
92322+gr_handle_ptrace(struct task_struct *task, const long request)
92323+{
92324+ return 0;
92325+}
92326+
92327+int
92328+gr_handle_proc_ptrace(struct task_struct *task)
92329+{
92330+ return 0;
92331+}
92332+
92333+int
92334+gr_set_acls(const int type)
92335+{
92336+ return 0;
92337+}
92338+
92339+int
92340+gr_check_hidden_task(const struct task_struct *tsk)
92341+{
92342+ return 0;
92343+}
92344+
92345+int
92346+gr_check_protected_task(const struct task_struct *task)
92347+{
92348+ return 0;
92349+}
92350+
92351+int
92352+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
92353+{
92354+ return 0;
92355+}
92356+
92357+void
92358+gr_copy_label(struct task_struct *tsk)
92359+{
92360+ return;
92361+}
92362+
92363+void
92364+gr_set_pax_flags(struct task_struct *task)
92365+{
92366+ return;
92367+}
92368+
92369+int
92370+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
92371+ const int unsafe_share)
92372+{
92373+ return 0;
92374+}
92375+
92376+void
92377+gr_handle_delete(const u64 ino, const dev_t dev)
92378+{
92379+ return;
92380+}
92381+
92382+void
92383+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
92384+{
92385+ return;
92386+}
92387+
92388+void
92389+gr_handle_crash(struct task_struct *task, const int sig)
92390+{
92391+ return;
92392+}
92393+
92394+int
92395+gr_check_crash_exec(const struct file *filp)
92396+{
92397+ return 0;
92398+}
92399+
92400+int
92401+gr_check_crash_uid(const kuid_t uid)
92402+{
92403+ return 0;
92404+}
92405+
92406+void
92407+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
92408+ struct dentry *old_dentry,
92409+ struct dentry *new_dentry,
92410+ struct vfsmount *mnt, const __u8 replace, unsigned int flags)
92411+{
92412+ return;
92413+}
92414+
92415+int
92416+gr_search_socket(const int family, const int type, const int protocol)
92417+{
92418+ return 1;
92419+}
92420+
92421+int
92422+gr_search_connectbind(const int mode, const struct socket *sock,
92423+ const struct sockaddr_in *addr)
92424+{
92425+ return 0;
92426+}
92427+
92428+void
92429+gr_handle_alertkill(struct task_struct *task)
92430+{
92431+ return;
92432+}
92433+
92434+__u32
92435+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
92436+{
92437+ return 1;
92438+}
92439+
92440+__u32
92441+gr_acl_handle_hidden_file(const struct dentry * dentry,
92442+ const struct vfsmount * mnt)
92443+{
92444+ return 1;
92445+}
92446+
92447+__u32
92448+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
92449+ int acc_mode)
92450+{
92451+ return 1;
92452+}
92453+
92454+__u32
92455+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
92456+{
92457+ return 1;
92458+}
92459+
92460+__u32
92461+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
92462+{
92463+ return 1;
92464+}
92465+
92466+int
92467+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
92468+ unsigned int *vm_flags)
92469+{
92470+ return 1;
92471+}
92472+
92473+__u32
92474+gr_acl_handle_truncate(const struct dentry * dentry,
92475+ const struct vfsmount * mnt)
92476+{
92477+ return 1;
92478+}
92479+
92480+__u32
92481+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
92482+{
92483+ return 1;
92484+}
92485+
92486+__u32
92487+gr_acl_handle_access(const struct dentry * dentry,
92488+ const struct vfsmount * mnt, const int fmode)
92489+{
92490+ return 1;
92491+}
92492+
92493+__u32
92494+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
92495+ umode_t *mode)
92496+{
92497+ return 1;
92498+}
92499+
92500+__u32
92501+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
92502+{
92503+ return 1;
92504+}
92505+
92506+__u32
92507+gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
92508+{
92509+ return 1;
92510+}
92511+
92512+__u32
92513+gr_acl_handle_removexattr(const struct dentry * dentry, const struct vfsmount * mnt)
92514+{
92515+ return 1;
92516+}
92517+
92518+void
92519+grsecurity_init(void)
92520+{
92521+ return;
92522+}
92523+
92524+umode_t gr_acl_umask(void)
92525+{
92526+ return 0;
92527+}
92528+
92529+__u32
92530+gr_acl_handle_mknod(const struct dentry * new_dentry,
92531+ const struct dentry * parent_dentry,
92532+ const struct vfsmount * parent_mnt,
92533+ const int mode)
92534+{
92535+ return 1;
92536+}
92537+
92538+__u32
92539+gr_acl_handle_mkdir(const struct dentry * new_dentry,
92540+ const struct dentry * parent_dentry,
92541+ const struct vfsmount * parent_mnt)
92542+{
92543+ return 1;
92544+}
92545+
92546+__u32
92547+gr_acl_handle_symlink(const struct dentry * new_dentry,
92548+ const struct dentry * parent_dentry,
92549+ const struct vfsmount * parent_mnt, const struct filename *from)
92550+{
92551+ return 1;
92552+}
92553+
92554+__u32
92555+gr_acl_handle_link(const struct dentry * new_dentry,
92556+ const struct dentry * parent_dentry,
92557+ const struct vfsmount * parent_mnt,
92558+ const struct dentry * old_dentry,
92559+ const struct vfsmount * old_mnt, const struct filename *to)
92560+{
92561+ return 1;
92562+}
92563+
92564+int
92565+gr_acl_handle_rename(const struct dentry *new_dentry,
92566+ const struct dentry *parent_dentry,
92567+ const struct vfsmount *parent_mnt,
92568+ const struct dentry *old_dentry,
92569+ const struct inode *old_parent_inode,
92570+ const struct vfsmount *old_mnt, const struct filename *newname,
92571+ unsigned int flags)
92572+{
92573+ return 0;
92574+}
92575+
92576+int
92577+gr_acl_handle_filldir(const struct file *file, const char *name,
92578+ const int namelen, const u64 ino)
92579+{
92580+ return 1;
92581+}
92582+
92583+int
92584+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
92585+ const u64 shm_createtime, const kuid_t cuid, const int shmid)
92586+{
92587+ return 1;
92588+}
92589+
92590+int
92591+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
92592+{
92593+ return 0;
92594+}
92595+
92596+int
92597+gr_search_accept(const struct socket *sock)
92598+{
92599+ return 0;
92600+}
92601+
92602+int
92603+gr_search_listen(const struct socket *sock)
92604+{
92605+ return 0;
92606+}
92607+
92608+int
92609+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
92610+{
92611+ return 0;
92612+}
92613+
92614+__u32
92615+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
92616+{
92617+ return 1;
92618+}
92619+
92620+__u32
92621+gr_acl_handle_creat(const struct dentry * dentry,
92622+ const struct dentry * p_dentry,
92623+ const struct vfsmount * p_mnt, int open_flags, int acc_mode,
92624+ const int imode)
92625+{
92626+ return 1;
92627+}
92628+
92629+void
92630+gr_acl_handle_exit(void)
92631+{
92632+ return;
92633+}
92634+
92635+int
92636+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
92637+{
92638+ return 1;
92639+}
92640+
92641+void
92642+gr_set_role_label(const kuid_t uid, const kgid_t gid)
92643+{
92644+ return;
92645+}
92646+
92647+int
92648+gr_acl_handle_procpidmem(const struct task_struct *task)
92649+{
92650+ return 0;
92651+}
92652+
92653+int
92654+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
92655+{
92656+ return 0;
92657+}
92658+
92659+int
92660+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
92661+{
92662+ return 0;
92663+}
92664+
92665+int
92666+gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
92667+{
92668+ return 0;
92669+}
92670+
92671+int
92672+gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs)
92673+{
92674+ return 0;
92675+}
92676+
92677+int gr_acl_enable_at_secure(void)
92678+{
92679+ return 0;
92680+}
92681+
92682+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
92683+{
92684+ return d_backing_inode(dentry)->i_sb->s_dev;
92685+}
92686+
92687+u64 gr_get_ino_from_dentry(struct dentry *dentry)
92688+{
92689+ return d_backing_inode(dentry)->i_ino;
92690+}
92691+
92692+void gr_put_exec_file(struct task_struct *task)
92693+{
92694+ return;
92695+}
92696+
92697+#ifdef CONFIG_SECURITY
92698+EXPORT_SYMBOL_GPL(gr_check_user_change);
92699+EXPORT_SYMBOL_GPL(gr_check_group_change);
92700+#endif
92701diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
92702new file mode 100644
92703index 0000000..fb7531e
92704--- /dev/null
92705+++ b/grsecurity/grsec_exec.c
92706@@ -0,0 +1,189 @@
92707+#include <linux/kernel.h>
92708+#include <linux/sched.h>
92709+#include <linux/file.h>
92710+#include <linux/binfmts.h>
92711+#include <linux/fs.h>
92712+#include <linux/types.h>
92713+#include <linux/grdefs.h>
92714+#include <linux/grsecurity.h>
92715+#include <linux/grinternal.h>
92716+#include <linux/capability.h>
92717+#include <linux/module.h>
92718+#include <linux/compat.h>
92719+
92720+#include <asm/uaccess.h>
92721+
92722+#ifdef CONFIG_GRKERNSEC_EXECLOG
92723+static char gr_exec_arg_buf[132];
92724+static DEFINE_MUTEX(gr_exec_arg_mutex);
92725+#endif
92726+
92727+struct user_arg_ptr {
92728+#ifdef CONFIG_COMPAT
92729+ bool is_compat;
92730+#endif
92731+ union {
92732+ const char __user *const __user *native;
92733+#ifdef CONFIG_COMPAT
92734+ const compat_uptr_t __user *compat;
92735+#endif
92736+ } ptr;
92737+};
92738+
92739+extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
92740+
92741+void
92742+gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
92743+{
92744+#ifdef CONFIG_GRKERNSEC_EXECLOG
92745+ char *grarg = gr_exec_arg_buf;
92746+ unsigned int i, x, execlen = 0;
92747+ char c;
92748+
92749+ if (!((grsec_enable_execlog && grsec_enable_group &&
92750+ in_group_p(grsec_audit_gid))
92751+ || (grsec_enable_execlog && !grsec_enable_group)))
92752+ return;
92753+
92754+ mutex_lock(&gr_exec_arg_mutex);
92755+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
92756+
92757+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
92758+ const char __user *p;
92759+ unsigned int len;
92760+
92761+ p = get_user_arg_ptr(argv, i);
92762+ if (IS_ERR(p))
92763+ goto log;
92764+
92765+ len = strnlen_user(p, 128 - execlen);
92766+ if (len > 128 - execlen)
92767+ len = 128 - execlen;
92768+ else if (len > 0)
92769+ len--;
92770+ if (copy_from_user(grarg + execlen, p, len))
92771+ goto log;
92772+
92773+ /* rewrite unprintable characters */
92774+ for (x = 0; x < len; x++) {
92775+ c = *(grarg + execlen + x);
92776+ if (c < 32 || c > 126)
92777+ *(grarg + execlen + x) = ' ';
92778+ }
92779+
92780+ execlen += len;
92781+ *(grarg + execlen) = ' ';
92782+ *(grarg + execlen + 1) = '\0';
92783+ execlen++;
92784+ }
92785+
92786+ log:
92787+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
92788+ bprm->file->f_path.mnt, grarg);
92789+ mutex_unlock(&gr_exec_arg_mutex);
92790+#endif
92791+ return;
92792+}
92793+
92794+#ifdef CONFIG_GRKERNSEC
92795+extern int gr_acl_is_capable(const int cap);
92796+extern int gr_acl_is_capable_nolog(const int cap);
92797+extern int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
92798+extern int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap);
92799+extern int gr_chroot_is_capable(const int cap);
92800+extern int gr_chroot_is_capable_nolog(const int cap);
92801+extern int gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
92802+extern int gr_task_chroot_is_capable_nolog(const struct task_struct *task, const int cap);
92803+#endif
92804+
92805+const char *captab_log[] = {
92806+ "CAP_CHOWN",
92807+ "CAP_DAC_OVERRIDE",
92808+ "CAP_DAC_READ_SEARCH",
92809+ "CAP_FOWNER",
92810+ "CAP_FSETID",
92811+ "CAP_KILL",
92812+ "CAP_SETGID",
92813+ "CAP_SETUID",
92814+ "CAP_SETPCAP",
92815+ "CAP_LINUX_IMMUTABLE",
92816+ "CAP_NET_BIND_SERVICE",
92817+ "CAP_NET_BROADCAST",
92818+ "CAP_NET_ADMIN",
92819+ "CAP_NET_RAW",
92820+ "CAP_IPC_LOCK",
92821+ "CAP_IPC_OWNER",
92822+ "CAP_SYS_MODULE",
92823+ "CAP_SYS_RAWIO",
92824+ "CAP_SYS_CHROOT",
92825+ "CAP_SYS_PTRACE",
92826+ "CAP_SYS_PACCT",
92827+ "CAP_SYS_ADMIN",
92828+ "CAP_SYS_BOOT",
92829+ "CAP_SYS_NICE",
92830+ "CAP_SYS_RESOURCE",
92831+ "CAP_SYS_TIME",
92832+ "CAP_SYS_TTY_CONFIG",
92833+ "CAP_MKNOD",
92834+ "CAP_LEASE",
92835+ "CAP_AUDIT_WRITE",
92836+ "CAP_AUDIT_CONTROL",
92837+ "CAP_SETFCAP",
92838+ "CAP_MAC_OVERRIDE",
92839+ "CAP_MAC_ADMIN",
92840+ "CAP_SYSLOG",
92841+ "CAP_WAKE_ALARM",
92842+ "CAP_BLOCK_SUSPEND",
92843+ "CAP_AUDIT_READ"
92844+};
92845+
92846+int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
92847+
92848+int gr_is_capable(const int cap)
92849+{
92850+#ifdef CONFIG_GRKERNSEC
92851+ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
92852+ return 1;
92853+ return 0;
92854+#else
92855+ return 1;
92856+#endif
92857+}
92858+
92859+int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
92860+{
92861+#ifdef CONFIG_GRKERNSEC
92862+ if (gr_task_acl_is_capable(task, cred, cap) && gr_task_chroot_is_capable(task, cred, cap))
92863+ return 1;
92864+ return 0;
92865+#else
92866+ return 1;
92867+#endif
92868+}
92869+
92870+int gr_is_capable_nolog(const int cap)
92871+{
92872+#ifdef CONFIG_GRKERNSEC
92873+ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
92874+ return 1;
92875+ return 0;
92876+#else
92877+ return 1;
92878+#endif
92879+}
92880+
92881+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap)
92882+{
92883+#ifdef CONFIG_GRKERNSEC
92884+ if (gr_task_acl_is_capable_nolog(task, cap) && gr_task_chroot_is_capable_nolog(task, cap))
92885+ return 1;
92886+ return 0;
92887+#else
92888+ return 1;
92889+#endif
92890+}
92891+
92892+EXPORT_SYMBOL_GPL(gr_is_capable);
92893+EXPORT_SYMBOL_GPL(gr_is_capable_nolog);
92894+EXPORT_SYMBOL_GPL(gr_task_is_capable);
92895+EXPORT_SYMBOL_GPL(gr_task_is_capable_nolog);
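Review bot: In gr_handle_exec_args a fault inside `strnlen_user()` is not treated as an error. It returns 0 on an exception, the `else if (len > 0)` branch leaves `len` at 0, the zero-byte `copy_from_user()` succeeds, and the loop continues as if the argument were empty. Bailing out like the other two failure paths, with `if (!len) goto log;` right after the call, stops the audit record from silently skipping an unreadable argument. A comment should also say that the record holds at most 128 bytes of argv and that non-printable bytes are rewritten to spaces, so readers of GR_EXEC_AUDIT_MSG entries know the logged command line can be truncated or altered relative to what was executed.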
92896diff --git a/grsecurity/grsec_fifo.c b/grsecurity/grsec_fifo.c
92897new file mode 100644
92898index 0000000..cdec49b
92899--- /dev/null
92900+++ b/grsecurity/grsec_fifo.c
92901@@ -0,0 +1,26 @@
92902+#include <linux/kernel.h>
92903+#include <linux/sched.h>
92904+#include <linux/fs.h>
92905+#include <linux/file.h>
92906+#include <linux/grinternal.h>
92907+
92908+int
92909+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
92910+ const struct dentry *dir, const int flag, const int acc_mode)
92911+{
92912+#ifdef CONFIG_GRKERNSEC_FIFO
92913+ const struct cred *cred = current_cred();
92914+ struct inode *inode = d_backing_inode(dentry);
92915+ struct inode *dir_inode = d_backing_inode(dir);
92916+
92917+ if (grsec_enable_fifo && S_ISFIFO(inode->i_mode) &&
92918+ !(flag & O_EXCL) && (dir_inode->i_mode & S_ISVTX) &&
92919+ !uid_eq(inode->i_uid, dir_inode->i_uid) &&
92920+ !uid_eq(cred->fsuid, inode->i_uid)) {
92921+ if (!inode_permission(inode, acc_mode))
92922+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid));
92923+ return -EACCES;
92924+ }
92925+#endif
92926+ return 0;
92927+}
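Review bot: The unbraced `if (!inode_permission(inode, acc_mode))` in gr_handle_fifo guards only the gr_log_fs_int2() call, while `return -EACCES;` runs for every FIFO that matches the outer condition. That is easy to misread as "deny only when the permission check passes". Braces around the log call and a comment such as `/* log only when DAC alone would have allowed the open; deny regardless */` would make the intent explicit. The function also dereferences `inode` and `dir_inode` straight from d_backing_inode(), so it presumably relies on callers passing positive dentries, a precondition worth stating in a header comment.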
92928diff --git a/grsecurity/grsec_fork.c b/grsecurity/grsec_fork.c
92929new file mode 100644
92930index 0000000..8ca18bf
92931--- /dev/null
92932+++ b/grsecurity/grsec_fork.c
92933@@ -0,0 +1,23 @@
92934+#include <linux/kernel.h>
92935+#include <linux/sched.h>
92936+#include <linux/grsecurity.h>
92937+#include <linux/grinternal.h>
92938+#include <linux/errno.h>
92939+
92940+void
92941+gr_log_forkfail(const int retval)
92942+{
92943+#ifdef CONFIG_GRKERNSEC_FORKFAIL
92944+ if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
92945+ switch (retval) {
92946+ case -EAGAIN:
92947+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
92948+ break;
92949+ case -ENOMEM:
92950+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
92951+ break;
92952+ }
92953+ }
92954+#endif
92955+ return;
92956+}
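Review bot: The `switch (retval)` in gr_log_forkfail repeats the test the enclosing `if` has already made and has no `default`, so the two lists of handled errno values can drift apart. A single call under the existing `if` reads more directly: `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");`. The trailing `return;` in a void function can be dropped as well.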
92957diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
92958new file mode 100644
92959index 0000000..a364c58
92960--- /dev/null
92961+++ b/grsecurity/grsec_init.c
92962@@ -0,0 +1,290 @@
92963+#include <linux/kernel.h>
92964+#include <linux/sched.h>
92965+#include <linux/mm.h>
92966+#include <linux/gracl.h>
92967+#include <linux/slab.h>
92968+#include <linux/vmalloc.h>
92969+#include <linux/percpu.h>
92970+#include <linux/module.h>
92971+
92972+int grsec_enable_ptrace_readexec __read_only;
92973+int grsec_enable_setxid __read_only;
92974+int grsec_enable_symlinkown __read_only;
92975+kgid_t grsec_symlinkown_gid __read_only;
92976+int grsec_enable_brute __read_only;
92977+int grsec_enable_link __read_only;
92978+int grsec_enable_dmesg __read_only;
92979+int grsec_enable_harden_ptrace __read_only;
92980+int grsec_enable_harden_ipc __read_only;
92981+int grsec_enable_fifo __read_only;
92982+int grsec_enable_execlog __read_only;
92983+int grsec_enable_signal __read_only;
92984+int grsec_enable_forkfail __read_only;
92985+int grsec_enable_audit_ptrace __read_only;
92986+int grsec_enable_time __read_only;
92987+int grsec_enable_group __read_only;
92988+kgid_t grsec_audit_gid __read_only;
92989+int grsec_enable_chdir __read_only;
92990+int grsec_enable_mount __read_only;
92991+int grsec_enable_rofs __read_only;
92992+int grsec_deny_new_usb __read_only;
92993+int grsec_enable_chroot_findtask __read_only;
92994+int grsec_enable_chroot_mount __read_only;
92995+int grsec_enable_chroot_shmat __read_only;
92996+int grsec_enable_chroot_fchdir __read_only;
92997+int grsec_enable_chroot_double __read_only;
92998+int grsec_enable_chroot_pivot __read_only;
92999+int grsec_enable_chroot_chdir __read_only;
93000+int grsec_enable_chroot_chmod __read_only;
93001+int grsec_enable_chroot_mknod __read_only;
93002+int grsec_enable_chroot_nice __read_only;
93003+int grsec_enable_chroot_execlog __read_only;
93004+int grsec_enable_chroot_caps __read_only;
93005+int grsec_enable_chroot_rename __read_only;
93006+int grsec_enable_chroot_sysctl __read_only;
93007+int grsec_enable_chroot_unix __read_only;
93008+int grsec_enable_tpe __read_only;
93009+kgid_t grsec_tpe_gid __read_only;
93010+int grsec_enable_blackhole __read_only;
93011+#ifdef CONFIG_IPV6_MODULE
93012+EXPORT_SYMBOL_GPL(grsec_enable_blackhole);
93013+#endif
93014+int grsec_lastack_retries __read_only;
93015+int grsec_enable_tpe_all __read_only;
93016+int grsec_enable_tpe_invert __read_only;
93017+int grsec_enable_socket_all __read_only;
93018+kgid_t grsec_socket_all_gid __read_only;
93019+int grsec_enable_socket_client __read_only;
93020+kgid_t grsec_socket_client_gid __read_only;
93021+int grsec_enable_socket_server __read_only;
93022+kgid_t grsec_socket_server_gid __read_only;
93023+int grsec_resource_logging __read_only;
93024+int grsec_disable_privio __read_only;
93025+int grsec_enable_log_rwxmaps __read_only;
93026+int grsec_lock __read_only;
93027+
93028+DEFINE_SPINLOCK(grsec_alert_lock);
93029+unsigned long grsec_alert_wtime = 0;
93030+unsigned long grsec_alert_fyet = 0;
93031+
93032+DEFINE_SPINLOCK(grsec_audit_lock);
93033+
93034+DEFINE_RWLOCK(grsec_exec_file_lock);
93035+
93036+char *gr_shared_page[4];
93037+
93038+char *gr_alert_log_fmt;
93039+char *gr_audit_log_fmt;
93040+char *gr_alert_log_buf;
93041+char *gr_audit_log_buf;
93042+
93043+extern struct gr_arg *gr_usermode;
93044+extern unsigned char *gr_system_salt;
93045+extern unsigned char *gr_system_sum;
93046+
93047+void __init
93048+grsecurity_init(void)
93049+{
93050+ int j;
93051+ /* create the per-cpu shared pages */
93052+
93053+#ifdef CONFIG_X86
93054+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
93055+#endif
93056+
93057+ for (j = 0; j < 4; j++) {
93058+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
93059+ if (gr_shared_page[j] == NULL) {
93060+ panic("Unable to allocate grsecurity shared page");
93061+ return;
93062+ }
93063+ }
93064+
93065+ /* allocate log buffers */
93066+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
93067+ if (!gr_alert_log_fmt) {
93068+ panic("Unable to allocate grsecurity alert log format buffer");
93069+ return;
93070+ }
93071+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
93072+ if (!gr_audit_log_fmt) {
93073+ panic("Unable to allocate grsecurity audit log format buffer");
93074+ return;
93075+ }
93076+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
93077+ if (!gr_alert_log_buf) {
93078+ panic("Unable to allocate grsecurity alert log buffer");
93079+ return;
93080+ }
93081+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
93082+ if (!gr_audit_log_buf) {
93083+ panic("Unable to allocate grsecurity audit log buffer");
93084+ return;
93085+ }
93086+
93087+ /* allocate memory for authentication structure */
93088+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
93089+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
93090+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
93091+
93092+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
93093+ panic("Unable to allocate grsecurity authentication structure");
93094+ return;
93095+ }
93096+
93097+#ifdef CONFIG_GRKERNSEC_IO
93098+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
93099+ grsec_disable_privio = 1;
93100+#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
93101+ grsec_disable_privio = 1;
93102+#else
93103+ grsec_disable_privio = 0;
93104+#endif
93105+#endif
93106+
93107+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
93108+ /* for backward compatibility, tpe_invert always defaults to on if
93109+ enabled in the kernel
93110+ */
93111+ grsec_enable_tpe_invert = 1;
93112+#endif
93113+
93114+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
93115+#ifndef CONFIG_GRKERNSEC_SYSCTL
93116+ grsec_lock = 1;
93117+#endif
93118+
93119+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
93120+ grsec_enable_log_rwxmaps = 1;
93121+#endif
93122+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
93123+ grsec_enable_group = 1;
93124+ grsec_audit_gid = KGIDT_INIT(CONFIG_GRKERNSEC_AUDIT_GID);
93125+#endif
93126+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
93127+ grsec_enable_ptrace_readexec = 1;
93128+#endif
93129+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
93130+ grsec_enable_chdir = 1;
93131+#endif
93132+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
93133+ grsec_enable_harden_ptrace = 1;
93134+#endif
93135+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
93136+ grsec_enable_harden_ipc = 1;
93137+#endif
93138+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
93139+ grsec_enable_mount = 1;
93140+#endif
93141+#ifdef CONFIG_GRKERNSEC_LINK
93142+ grsec_enable_link = 1;
93143+#endif
93144+#ifdef CONFIG_GRKERNSEC_BRUTE
93145+ grsec_enable_brute = 1;
93146+#endif
93147+#ifdef CONFIG_GRKERNSEC_DMESG
93148+ grsec_enable_dmesg = 1;
93149+#endif
93150+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
93151+ grsec_enable_blackhole = 1;
93152+ grsec_lastack_retries = 4;
93153+#endif
93154+#ifdef CONFIG_GRKERNSEC_FIFO
93155+ grsec_enable_fifo = 1;
93156+#endif
93157+#ifdef CONFIG_GRKERNSEC_EXECLOG
93158+ grsec_enable_execlog = 1;
93159+#endif
93160+#ifdef CONFIG_GRKERNSEC_SETXID
93161+ grsec_enable_setxid = 1;
93162+#endif
93163+#ifdef CONFIG_GRKERNSEC_SIGNAL
93164+ grsec_enable_signal = 1;
93165+#endif
93166+#ifdef CONFIG_GRKERNSEC_FORKFAIL
93167+ grsec_enable_forkfail = 1;
93168+#endif
93169+#ifdef CONFIG_GRKERNSEC_TIME
93170+ grsec_enable_time = 1;
93171+#endif
93172+#ifdef CONFIG_GRKERNSEC_RESLOG
93173+ grsec_resource_logging = 1;
93174+#endif
93175+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
93176+ grsec_enable_chroot_findtask = 1;
93177+#endif
93178+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
93179+ grsec_enable_chroot_unix = 1;
93180+#endif
93181+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
93182+ grsec_enable_chroot_mount = 1;
93183+#endif
93184+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
93185+ grsec_enable_chroot_fchdir = 1;
93186+#endif
93187+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
93188+ grsec_enable_chroot_shmat = 1;
93189+#endif
93190+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
93191+ grsec_enable_audit_ptrace = 1;
93192+#endif
93193+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
93194+ grsec_enable_chroot_double = 1;
93195+#endif
93196+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
93197+ grsec_enable_chroot_pivot = 1;
93198+#endif
93199+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
93200+ grsec_enable_chroot_chdir = 1;
93201+#endif
93202+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
93203+ grsec_enable_chroot_chmod = 1;
93204+#endif
93205+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
93206+ grsec_enable_chroot_mknod = 1;
93207+#endif
93208+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
93209+ grsec_enable_chroot_nice = 1;
93210+#endif
93211+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
93212+ grsec_enable_chroot_execlog = 1;
93213+#endif
93214+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
93215+ grsec_enable_chroot_caps = 1;
93216+#endif
93217+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
93218+ grsec_enable_chroot_rename = 1;
93219+#endif
93220+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
93221+ grsec_enable_chroot_sysctl = 1;
93222+#endif
93223+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
93224+ grsec_enable_symlinkown = 1;
93225+ grsec_symlinkown_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SYMLINKOWN_GID);
93226+#endif
93227+#ifdef CONFIG_GRKERNSEC_TPE
93228+ grsec_enable_tpe = 1;
93229+ grsec_tpe_gid = KGIDT_INIT(CONFIG_GRKERNSEC_TPE_GID);
93230+#ifdef CONFIG_GRKERNSEC_TPE_ALL
93231+ grsec_enable_tpe_all = 1;
93232+#endif
93233+#endif
93234+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
93235+ grsec_enable_socket_all = 1;
93236+ grsec_socket_all_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_ALL_GID);
93237+#endif
93238+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
93239+ grsec_enable_socket_client = 1;
93240+ grsec_socket_client_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_CLIENT_GID);
93241+#endif
93242+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
93243+ grsec_enable_socket_server = 1;
93244+ grsec_socket_server_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_SERVER_GID);
93245+#endif
93246+#endif
93247+#ifdef CONFIG_GRKERNSEC_DENYUSB_FORCE
93248+ grsec_deny_new_usb = 1;
93249+#endif
93250+
93251+ return;
93252+}
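Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` at the top of grsecurity_init sits under the comment "create the per-cpu shared pages" but is unrelated to them, and its address and length are unexplained magic numbers. The range looks like the BIOS data area keyboard buffer (head and tail pointers plus the 32-byte ring), which can still hold keystrokes typed before boot, such as a pre-boot password. If that is the intent, give the line its own comment, e.g. `/* wipe the BIOS keyboard buffer so pre-boot keystrokes do not linger in low memory */`, and name the constants. Separately, gr_usermode, gr_system_salt and gr_system_sum come from kmalloc() and start with whatever the slab last held. Unless every consumer fully writes them before reading (not visible in this hunk), kzalloc() would be the safer choice.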
93253diff --git a/grsecurity/grsec_ipc.c b/grsecurity/grsec_ipc.c
93254new file mode 100644
93255index 0000000..1773300
93256--- /dev/null
93257+++ b/grsecurity/grsec_ipc.c
93258@@ -0,0 +1,48 @@
93259+#include <linux/kernel.h>
93260+#include <linux/mm.h>
93261+#include <linux/sched.h>
93262+#include <linux/file.h>
93263+#include <linux/ipc.h>
93264+#include <linux/ipc_namespace.h>
93265+#include <linux/grsecurity.h>
93266+#include <linux/grinternal.h>
93267+
93268+int
93269+gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode)
93270+{
93271+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
93272+ int write;
93273+ int orig_granted_mode;
93274+ kuid_t euid;
93275+ kgid_t egid;
93276+
93277+ if (!grsec_enable_harden_ipc)
93278+ return 1;
93279+
93280+ euid = current_euid();
93281+ egid = current_egid();
93282+
93283+ write = requested_mode & 00002;
93284+ orig_granted_mode = ipcp->mode;
93285+
93286+ if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid))
93287+ orig_granted_mode >>= 6;
93288+ else {
93289+ /* if likely wrong permissions, lock to user */
93290+ if (orig_granted_mode & 0007)
93291+ orig_granted_mode = 0;
93292+ /* otherwise do a egid-only check */
93293+ else if (gid_eq(egid, ipcp->cgid) || gid_eq(egid, ipcp->gid))
93294+ orig_granted_mode >>= 3;
93295+ /* otherwise, no access */
93296+ else
93297+ orig_granted_mode = 0;
93298+ }
93299+ if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) &&
93300+ !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
93301+ gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid));
93302+ return 0;
93303+ }
93304+#endif
93305+ return 1;
93306+}
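Review bot: gr_ipc_permitted has no header comment, and its contract is not obvious from the body. It returns 1 to permit and 0 to deny, and it only denies requests that `granted_mode` would allow but the recomputed `orig_granted_mode` would not. A comment above the function should say that, and should note that `granted_mode` is expected to be already shifted into the low three bits (inferred from the `& 0007` masks; the caller is outside this hunk). It should also state that any object with world permission bits set is restricted to its owner or creator unless the task has CAP_IPC_OWNER in the namespace, since that can surprise applications relying on world-accessible IPC objects. The literal `00002` deserves a short comment too, `/* write bit of the requested access */`.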
93307diff --git a/grsecurity/grsec_link.c b/grsecurity/grsec_link.c
93308new file mode 100644
93309index 0000000..84c44a0
93310--- /dev/null
93311+++ b/grsecurity/grsec_link.c
93312@@ -0,0 +1,65 @@
93313+#include <linux/kernel.h>
93314+#include <linux/sched.h>
93315+#include <linux/fs.h>
93316+#include <linux/file.h>
93317+#include <linux/grinternal.h>
93318+
93319+int gr_get_symlinkown_enabled(void)
93320+{
93321+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
93322+ if (grsec_enable_symlinkown && in_group_p(grsec_symlinkown_gid))
93323+ return 1;
93324+#endif
93325+ return 0;
93326+}
93327+
93328+int gr_handle_symlink_owner(const struct path *link, const struct inode *target)
93329+{
93330+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
93331+ const struct inode *link_inode = d_backing_inode(link->dentry);
93332+
93333+ if (target && !uid_eq(link_inode->i_uid, target->i_uid)) {
93334+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINKOWNER_MSG, link->dentry, link->mnt, GR_GLOBAL_UID(link_inode->i_uid), GR_GLOBAL_UID(target->i_uid));
93335+ return 1;
93336+ }
93337+#endif
93338+ return 0;
93339+}
93340+
93341+int
93342+gr_handle_follow_link(const struct dentry *dentry, const struct vfsmount *mnt)
93343+{
93344+#ifdef CONFIG_GRKERNSEC_LINK
93345+ struct inode *inode = d_backing_inode(dentry);
93346+ struct inode *parent = d_backing_inode(dentry->d_parent);
93347+ const struct cred *cred = current_cred();
93348+
93349+ if (grsec_enable_link && d_is_symlink(dentry) &&
93350+ (parent->i_mode & S_ISVTX) && !uid_eq(parent->i_uid, inode->i_uid) &&
93351+ (parent->i_mode & S_IWOTH) && !uid_eq(cred->fsuid, inode->i_uid)) {
93352+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid));
93353+ return -EACCES;
93354+ }
93355+#endif
93356+ return 0;
93357+}
93358+
93359+int
93360+gr_handle_hardlink(const struct dentry *dentry,
93361+ const struct vfsmount *mnt,
93362+ const struct filename *to)
93363+{
93364+#ifdef CONFIG_GRKERNSEC_LINK
93365+ struct inode *inode = d_backing_inode(dentry);
93366+ const struct cred *cred = current_cred();
93367+
93368+ if (grsec_enable_link && !uid_eq(cred->fsuid, inode->i_uid) &&
93369+ (!d_is_reg(dentry) || is_privileged_binary(dentry) ||
93370+ (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
93371+ !capable(CAP_FOWNER) && gr_is_global_nonroot(cred->uid)) {
93372+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid), to->name);
93373+ return -EPERM;
93374+ }
93375+#endif
93376+ return 0;
93377+}
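Review bot: gr_handle_symlink_owner never tests `grsec_enable_symlinkown` or the group, so it enforces the owner match whenever CONFIG_GRKERNSEC_SYMLINKOWN is built in and relies on each caller having checked gr_get_symlinkown_enabled() first. Callers are outside this hunk, so that dependency should be stated above the function, e.g. `/* caller must have checked gr_get_symlinkown_enabled() */`. The return conventions in this file also differ: this function returns 1 to deny, while gr_handle_follow_link and gr_handle_hardlink return -EACCES and -EPERM, which deserves a line of documentation on each. In gr_handle_hardlink, a comment that `inode_permission()` returns non-zero on failure would make it clear that the middle clause means "the caller lacks read and write access".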
93378diff --git a/grsecurity/grsec_log.c b/grsecurity/grsec_log.c
93379new file mode 100644
93380index 0000000..a24b338
93381--- /dev/null
93382+++ b/grsecurity/grsec_log.c
93383@@ -0,0 +1,340 @@
93384+#include <linux/kernel.h>
93385+#include <linux/sched.h>
93386+#include <linux/file.h>
93387+#include <linux/tty.h>
93388+#include <linux/fs.h>
93389+#include <linux/mm.h>
93390+#include <linux/grinternal.h>
93391+
93392+#ifdef CONFIG_TREE_PREEMPT_RCU
93393+#define DISABLE_PREEMPT() preempt_disable()
93394+#define ENABLE_PREEMPT() preempt_enable()
93395+#else
93396+#define DISABLE_PREEMPT()
93397+#define ENABLE_PREEMPT()
93398+#endif
93399+
93400+#define BEGIN_LOCKS(x) \
93401+ DISABLE_PREEMPT(); \
93402+ rcu_read_lock(); \
93403+ read_lock(&tasklist_lock); \
93404+ read_lock(&grsec_exec_file_lock); \
93405+ if (x != GR_DO_AUDIT) \
93406+ spin_lock(&grsec_alert_lock); \
93407+ else \
93408+ spin_lock(&grsec_audit_lock)
93409+
93410+#define END_LOCKS(x) \
93411+ if (x != GR_DO_AUDIT) \
93412+ spin_unlock(&grsec_alert_lock); \
93413+ else \
93414+ spin_unlock(&grsec_audit_lock); \
93415+ read_unlock(&grsec_exec_file_lock); \
93416+ read_unlock(&tasklist_lock); \
93417+ rcu_read_unlock(); \
93418+ ENABLE_PREEMPT(); \
93419+ if (x == GR_DONT_AUDIT) \
93420+ gr_handle_alertkill(current)
93421+
93422+enum {
93423+ FLOODING,
93424+ NO_FLOODING
93425+};
93426+
93427+extern char *gr_alert_log_fmt;
93428+extern char *gr_audit_log_fmt;
93429+extern char *gr_alert_log_buf;
93430+extern char *gr_audit_log_buf;
93431+
93432+static int gr_log_start(int audit)
93433+{
93434+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
93435+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
93436+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
93437+#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
93438+ unsigned long curr_secs = get_seconds();
93439+
93440+ if (audit == GR_DO_AUDIT)
93441+ goto set_fmt;
93442+
93443+ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
93444+ grsec_alert_wtime = curr_secs;
93445+ grsec_alert_fyet = 0;
93446+ } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
93447+ && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
93448+ grsec_alert_fyet++;
93449+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
93450+ grsec_alert_wtime = curr_secs;
93451+ grsec_alert_fyet++;
93452+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
93453+ return FLOODING;
93454+ }
93455+ else return FLOODING;
93456+
93457+set_fmt:
93458+#endif
93459+ memset(buf, 0, PAGE_SIZE);
93460+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
93461+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
93462+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
93463+ } else if (current->signal->curr_ip) {
93464+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
93465+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
93466+ } else if (gr_acl_is_enabled()) {
93467+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
93468+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
93469+ } else {
93470+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
93471+ strcpy(buf, fmt);
93472+ }
93473+
93474+ return NO_FLOODING;
93475+}
93476+
93477+static void gr_log_middle(int audit, const char *msg, va_list ap)
93478+ __attribute__ ((format (printf, 2, 0)));
93479+
93480+static void gr_log_middle(int audit, const char *msg, va_list ap)
93481+{
93482+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
93483+ unsigned int len = strlen(buf);
93484+
93485+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
93486+
93487+ return;
93488+}
93489+
93490+static void gr_log_middle_varargs(int audit, const char *msg, ...)
93491+ __attribute__ ((format (printf, 2, 3)));
93492+
93493+static void gr_log_middle_varargs(int audit, const char *msg, ...)
93494+{
93495+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
93496+ unsigned int len = strlen(buf);
93497+ va_list ap;
93498+
93499+ va_start(ap, msg);
93500+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
93501+ va_end(ap);
93502+
93503+ return;
93504+}
93505+
93506+static void gr_log_end(int audit, int append_default)
93507+{
93508+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
93509+ if (append_default) {
93510+ struct task_struct *task = current;
93511+ struct task_struct *parent = task->real_parent;
93512+ const struct cred *cred = __task_cred(task);
93513+ const struct cred *pcred = __task_cred(parent);
93514+ unsigned int len = strlen(buf);
93515+
93516+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
93517+ }
93518+
93519+ printk("%s\n", buf);
93520+
93521+ return;
93522+}
93523+
93524+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
93525+{
93526+ int logtype;
93527+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
93528+ char *str1 = NULL, *str2 = NULL, *str3 = NULL;
93529+ void *voidptr = NULL;
93530+ int num1 = 0, num2 = 0;
93531+ unsigned long ulong1 = 0, ulong2 = 0;
93532+ struct dentry *dentry = NULL;
93533+ struct vfsmount *mnt = NULL;
93534+ struct file *file = NULL;
93535+ struct task_struct *task = NULL;
93536+ struct vm_area_struct *vma = NULL;
93537+ const struct cred *cred, *pcred;
93538+ va_list ap;
93539+
93540+ BEGIN_LOCKS(audit);
93541+ logtype = gr_log_start(audit);
93542+ if (logtype == FLOODING) {
93543+ END_LOCKS(audit);
93544+ return;
93545+ }
93546+ va_start(ap, argtypes);
93547+ switch (argtypes) {
93548+ case GR_TTYSNIFF:
93549+ task = va_arg(ap, struct task_struct *);
93550+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task_pid_nr(task), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent));
93551+ break;
93552+ case GR_SYSCTL_HIDDEN:
93553+ str1 = va_arg(ap, char *);
93554+ gr_log_middle_varargs(audit, msg, result, str1);
93555+ break;
93556+ case GR_RBAC:
93557+ dentry = va_arg(ap, struct dentry *);
93558+ mnt = va_arg(ap, struct vfsmount *);
93559+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
93560+ break;
93561+ case GR_RBAC_STR:
93562+ dentry = va_arg(ap, struct dentry *);
93563+ mnt = va_arg(ap, struct vfsmount *);
93564+ str1 = va_arg(ap, char *);
93565+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
93566+ break;
93567+ case GR_STR_RBAC:
93568+ str1 = va_arg(ap, char *);
93569+ dentry = va_arg(ap, struct dentry *);
93570+ mnt = va_arg(ap, struct vfsmount *);
93571+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
93572+ break;
93573+ case GR_RBAC_MODE2:
93574+ dentry = va_arg(ap, struct dentry *);
93575+ mnt = va_arg(ap, struct vfsmount *);
93576+ str1 = va_arg(ap, char *);
93577+ str2 = va_arg(ap, char *);
93578+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
93579+ break;
93580+ case GR_RBAC_MODE3:
93581+ dentry = va_arg(ap, struct dentry *);
93582+ mnt = va_arg(ap, struct vfsmount *);
93583+ str1 = va_arg(ap, char *);
93584+ str2 = va_arg(ap, char *);
93585+ str3 = va_arg(ap, char *);
93586+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
93587+ break;
93588+ case GR_FILENAME:
93589+ dentry = va_arg(ap, struct dentry *);
93590+ mnt = va_arg(ap, struct vfsmount *);
93591+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
93592+ break;
93593+ case GR_STR_FILENAME:
93594+ str1 = va_arg(ap, char *);
93595+ dentry = va_arg(ap, struct dentry *);
93596+ mnt = va_arg(ap, struct vfsmount *);
93597+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
93598+ break;
93599+ case GR_FILENAME_STR:
93600+ dentry = va_arg(ap, struct dentry *);
93601+ mnt = va_arg(ap, struct vfsmount *);
93602+ str1 = va_arg(ap, char *);
93603+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
93604+ break;
93605+ case GR_FILENAME_TWO_INT:
93606+ dentry = va_arg(ap, struct dentry *);
93607+ mnt = va_arg(ap, struct vfsmount *);
93608+ num1 = va_arg(ap, int);
93609+ num2 = va_arg(ap, int);
93610+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
93611+ break;
93612+ case GR_FILENAME_TWO_INT_STR:
93613+ dentry = va_arg(ap, struct dentry *);
93614+ mnt = va_arg(ap, struct vfsmount *);
93615+ num1 = va_arg(ap, int);
93616+ num2 = va_arg(ap, int);
93617+ str1 = va_arg(ap, char *);
93618+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
93619+ break;
93620+ case GR_TEXTREL:
93621+ str1 = va_arg(ap, char *);
93622+ file = va_arg(ap, struct file *);
93623+ ulong1 = va_arg(ap, unsigned long);
93624+ ulong2 = va_arg(ap, unsigned long);
93625+ gr_log_middle_varargs(audit, msg, str1, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
93626+ break;
93627+ case GR_PTRACE:
93628+ task = va_arg(ap, struct task_struct *);
93629+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task_pid_nr(task));
93630+ break;
93631+ case GR_RESOURCE:
93632+ task = va_arg(ap, struct task_struct *);
93633+ cred = __task_cred(task);
93634+ pcred = __task_cred(task->real_parent);
93635+ ulong1 = va_arg(ap, unsigned long);
93636+ str1 = va_arg(ap, char *);
93637+ ulong2 = va_arg(ap, unsigned long);
93638+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
93639+ break;
93640+ case GR_CAP:
93641+ task = va_arg(ap, struct task_struct *);
93642+ cred = __task_cred(task);
93643+ pcred = __task_cred(task->real_parent);
93644+ str1 = va_arg(ap, char *);
93645+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
93646+ break;
93647+ case GR_SIG:
93648+ str1 = va_arg(ap, char *);
93649+ voidptr = va_arg(ap, void *);
93650+ gr_log_middle_varargs(audit, msg, str1, voidptr);
93651+ break;
93652+ case GR_SIG2:
93653+ task = va_arg(ap, struct task_struct *);
93654+ cred = __task_cred(task);
93655+ pcred = __task_cred(task->real_parent);
93656+ num1 = va_arg(ap, int);
93657+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
93658+ break;
93659+ case GR_CRASH1:
93660+ task = va_arg(ap, struct task_struct *);
93661+ cred = __task_cred(task);
93662+ pcred = __task_cred(task->real_parent);
93663+ ulong1 = va_arg(ap, unsigned long);
93664+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), GR_GLOBAL_UID(cred->uid), ulong1);
93665+ break;
93666+ case GR_CRASH2:
93667+ task = va_arg(ap, struct task_struct *);
93668+ cred = __task_cred(task);
93669+ pcred = __task_cred(task->real_parent);
93670+ ulong1 = va_arg(ap, unsigned long);
93671+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), ulong1);
93672+ break;
93673+ case GR_RWXMAP:
93674+ file = va_arg(ap, struct file *);
93675+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
93676+ break;
93677+ case GR_RWXMAPVMA:
93678+ vma = va_arg(ap, struct vm_area_struct *);
93679+ if (vma->vm_file)
93680+ str1 = gr_to_filename(vma->vm_file->f_path.dentry, vma->vm_file->f_path.mnt);
93681+ else if (vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
93682+ str1 = "<stack>";
93683+ else if (vma->vm_start <= current->mm->brk &&
93684+ vma->vm_end >= current->mm->start_brk)
93685+ str1 = "<heap>";
93686+ else
93687+ str1 = "<anonymous mapping>";
93688+ gr_log_middle_varargs(audit, msg, str1);
93689+ break;
93690+ case GR_PSACCT:
93691+ {
93692+ unsigned int wday, cday;
93693+ __u8 whr, chr;
93694+ __u8 wmin, cmin;
93695+ __u8 wsec, csec;
93696+
93697+ task = va_arg(ap, struct task_struct *);
93698+ wday = va_arg(ap, unsigned int);
93699+ cday = va_arg(ap, unsigned int);
93700+ whr = va_arg(ap, int);
93701+ chr = va_arg(ap, int);
93702+ wmin = va_arg(ap, int);
93703+ cmin = va_arg(ap, int);
93704+ wsec = va_arg(ap, int);
93705+ csec = va_arg(ap, int);
93706+ ulong1 = va_arg(ap, unsigned long);
93707+ cred = __task_cred(task);
93708+ pcred = __task_cred(task->real_parent);
93709+
93710+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), &task->signal->curr_ip, tty_name(task->signal->tty), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
93711+ }
93712+ break;
93713+ default:
93714+ gr_log_middle(audit, msg, ap);
93715+ }
93716+ va_end(ap);
93717+ // these don't need DEFAULTSECARGS printed on the end
93718+ if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
93719+ gr_log_end(audit, 0);
93720+ else
93721+ gr_log_end(audit, 1);
93722+ END_LOCKS(audit);
93723+}
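--- /dev/null
+++ b/grsecurity/grsec_mem.c
@@ -0,0 +1,48 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/mman.h>
+#include <linux/module.h>
+#include <linux/grinternal.h>
+
+void gr_handle_msr_write(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_MSRWRITE_MSG);
+ return;
+}
+EXPORT_SYMBOL_GPL(gr_handle_msr_write);
+
+void
+gr_handle_ioperm(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
+ return;
+}
+
+void
+gr_handle_iopl(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
+ return;
+}
+
+void
+gr_handle_mem_readwrite(u64 from, u64 to)
+{
+ gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
+ return;
+}
+
+void
+gr_handle_vm86(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
+ return;
+}
+
+void
+gr_log_badprocpid(const char *entry)
+{
+ gr_log_str(GR_DONT_AUDIT, GR_BADPROCPID_MSG, entry);
+ return;
+}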
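--- /dev/null
+++ b/grsecurity/grsec_mount.c
@@ -0,0 +1,65 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mount.h>
+#include <linux/major.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_remount(const char *devname, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+ if (grsec_enable_mount && (retval >= 0))
+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
+#endif
+ return;
+}
+
+void
+gr_log_unmount(const char *devname, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+ if (grsec_enable_mount && (retval >= 0))
+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
+#endif
+ return;
+}
+
+void
+gr_log_mount(const char *from, struct path *to, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+ if (grsec_enable_mount && (retval >= 0))
+ gr_log_str_fs(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to->dentry, to->mnt);
+#endif
+ return;
+}
+
+int
+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
+{
+#ifdef CONFIG_GRKERNSEC_ROFS
+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
+ return -EPERM;
+ } else
+ return 0;
+#endif
+ return 0;
+}
+
+int
+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_ROFS
+ struct inode *inode = d_backing_inode(dentry);
+
+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
+ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
+ return -EPERM;
+ } else
+ return 0;
+#endif
+ return 0;
+}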
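Review bot: In gr_handle_rofs_mount and gr_handle_rofs_blockwrite the final `return 0;` after `#endif` is unreachable whenever CONFIG_GRKERNSEC_ROFS is set, because both arms of the `if`/`else` inside the `#ifdef` already return. Dropping the `} else return 0;` arm and closing the block with a plain `}` leaves one fall-through exit for both configurations. Both denials are also logged with `GR_DO_AUDIT` although they return -EPERM; gr_log_varargs in grsec_log.c selects the audit buffer and the word "successful" for that class, so a one-line comment saying the choice is deliberate would help anyone building alerting on these messages.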
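--- /dev/null
+++ b/grsecurity/grsec_pax.c
@@ -0,0 +1,47 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+#include <linux/grsecurity.h>
+
+void
+gr_log_textrel(struct vm_area_struct * vma, bool is_textrel_rw)
+{
+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
+ if (grsec_enable_log_rwxmaps)
+ gr_log_textrel_ulong_ulong(GR_DONT_AUDIT, GR_TEXTREL_AUDIT_MSG,
+ is_textrel_rw ? "executable to writable" : "writable to executable",
+ vma->vm_file, vma->vm_start, vma->vm_pgoff);
+#endif
+ return;
+}
+
+void gr_log_ptgnustack(struct file *file)
+{
+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
+ if (grsec_enable_log_rwxmaps)
+ gr_log_rwxmap(GR_DONT_AUDIT, GR_PTGNUSTACK_MSG, file);
+#endif
+ return;
+}
+
+void
+gr_log_rwxmmap(struct file *file)
+{
+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
+ if (grsec_enable_log_rwxmaps)
+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
+#endif
+ return;
+}
+
+void
+gr_log_rwxmprotect(struct vm_area_struct *vma)
+{
+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
+ if (grsec_enable_log_rwxmaps)
+ gr_log_rwxmap_vma(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, vma);
+#endif
+ return;
+}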
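--- /dev/null
+++ b/grsecurity/grsec_proc.c
@@ -0,0 +1,20 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+int gr_proc_is_restricted(void)
+{
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ const struct cred *cred = current_cred();
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
+ return -EACCES;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid))
+ return -EACCES;
+#endif
+ return 0;
+}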
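Review bot: gr_proc_is_restricted() is named like a predicate but returns 0 or -EACCES, and nothing in the file states that contract. A header comment would pin it down, for example `/* Returns 0 if the caller may see restricted /proc entries, -EACCES otherwise; decided on fsuid, plus grsec_proc_gid membership under PROC_USERGROUP. */`. The same comment should say that the function always returns 0 when neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is set, since callers cannot tell that apart from "allowed".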
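--- /dev/null
+++ b/grsecurity/grsec_ptrace.c
@@ -0,0 +1,30 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grinternal.h>
+#include <linux/security.h>
+
+void
+gr_audit_ptrace(struct task_struct *task)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
+ if (grsec_enable_audit_ptrace)
+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
+#endif
+ return;
+}
+
+int
+gr_ptrace_readexec(struct file *file, int unsafe_flags)
+{
+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
+ const struct dentry *dentry = file->f_path.dentry;
+ const struct vfsmount *mnt = file->f_path.mnt;
+
+ if (grsec_enable_ptrace_readexec && (unsafe_flags & LSM_UNSAFE_PTRACE) &&
+ (inode_permission(d_backing_inode(dentry), MAY_READ) || !gr_acl_handle_open(dentry, mnt, MAY_READ))) {
+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_READEXEC_MSG, dentry, mnt);
+ return -EACCES;
+ }
+#endif
+ return 0;
+}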
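Review bot: The condition in gr_ptrace_readexec combines two checks with opposite return conventions and no comment: `inode_permission(...)` is treated as non-zero means denied, while `!gr_acl_handle_open(...)` treats zero as denied. gr_acl_handle_open is defined outside this file, so its convention is only inferred from the negation. A comment above the `if` would make the intent reviewable, for example `/* refuse exec under ptrace when the binary is unreadable by DAC or by the RBAC policy */`. `file` is dereferenced unconditionally in the declarations, so the function's comment should also state that callers must pass a non-NULL file.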
93964diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
93965new file mode 100644
93966index 0000000..3860c7e
93967--- /dev/null
93968+++ b/grsecurity/grsec_sig.c
93969@@ -0,0 +1,236 @@
93970+#include <linux/kernel.h>
93971+#include <linux/sched.h>
93972+#include <linux/fs.h>
93973+#include <linux/delay.h>
93974+#include <linux/grsecurity.h>
93975+#include <linux/grinternal.h>
93976+#include <linux/hardirq.h>
93977+
93978+char *signames[] = {
93979+ [SIGSEGV] = "Segmentation fault",
93980+ [SIGILL] = "Illegal instruction",
93981+ [SIGABRT] = "Abort",
93982+ [SIGBUS] = "Invalid alignment/Bus error"
93983+};
93984+
93985+void
93986+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
93987+{
93988+#ifdef CONFIG_GRKERNSEC_SIGNAL
93989+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
93990+ (sig == SIGABRT) || (sig == SIGBUS))) {
93991+ if (task_pid_nr(t) == task_pid_nr(current)) {
93992+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
93993+ } else {
93994+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
93995+ }
93996+ }
93997+#endif
93998+ return;
93999+}
94000+
94001+int
94002+gr_handle_signal(const struct task_struct *p, const int sig)
94003+{
94004+#ifdef CONFIG_GRKERNSEC
94005+ /* ignore the 0 signal for protected task checks */
94006+ if (task_pid_nr(current) > 1 && sig && gr_check_protected_task(p)) {
94007+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
94008+ return -EPERM;
94009+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
94010+ return -EPERM;
94011+ }
94012+#endif
94013+ return 0;
94014+}
94015+
94016+#ifdef CONFIG_GRKERNSEC
94017+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
94018+
94019+int gr_fake_force_sig(int sig, struct task_struct *t)
94020+{
94021+ unsigned long int flags;
94022+ int ret, blocked, ignored;
94023+ struct k_sigaction *action;
94024+
94025+ spin_lock_irqsave(&t->sighand->siglock, flags);
94026+ action = &t->sighand->action[sig-1];
94027+ ignored = action->sa.sa_handler == SIG_IGN;
94028+ blocked = sigismember(&t->blocked, sig);
94029+ if (blocked || ignored) {
94030+ action->sa.sa_handler = SIG_DFL;
94031+ if (blocked) {
94032+ sigdelset(&t->blocked, sig);
94033+ recalc_sigpending_and_wake(t);
94034+ }
94035+ }
94036+ if (action->sa.sa_handler == SIG_DFL)
94037+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
94038+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
94039+
94040+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
94041+
94042+ return ret;
94043+}
94044+#endif
94045+
94046+#define GR_USER_BAN_TIME (15 * 60)
94047+#define GR_DAEMON_BRUTE_TIME (30 * 60)
94048+
94049+void gr_handle_brute_attach(int dumpable)
94050+{
94051+#ifdef CONFIG_GRKERNSEC_BRUTE
94052+ struct task_struct *p = current;
94053+ kuid_t uid = GLOBAL_ROOT_UID;
94054+ int daemon = 0;
94055+
94056+ if (!grsec_enable_brute)
94057+ return;
94058+
94059+ rcu_read_lock();
94060+ read_lock(&tasklist_lock);
94061+ read_lock(&grsec_exec_file_lock);
94062+ if (p->real_parent && gr_is_same_file(p->real_parent->exec_file, p->exec_file)) {
94063+ p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
94064+ p->real_parent->brute = 1;
94065+ daemon = 1;
94066+ } else {
94067+ const struct cred *cred = __task_cred(p), *cred2;
94068+ struct task_struct *tsk, *tsk2;
94069+
94070+ if (dumpable != SUID_DUMP_USER && gr_is_global_nonroot(cred->uid)) {
94071+ struct user_struct *user;
94072+
94073+ uid = cred->uid;
94074+
94075+ /* this is put upon execution past expiration */
94076+ user = find_user(uid);
94077+ if (user == NULL)
94078+ goto unlock;
94079+ user->suid_banned = 1;
94080+ user->suid_ban_expires = get_seconds() + GR_USER_BAN_TIME;
94081+ if (user->suid_ban_expires == ~0UL)
94082+ user->suid_ban_expires--;
94083+
94084+ /* only kill other threads of the same binary, from the same user */
94085+ do_each_thread(tsk2, tsk) {
94086+ cred2 = __task_cred(tsk);
94087+ if (tsk != p && uid_eq(cred2->uid, uid) && gr_is_same_file(tsk->exec_file, p->exec_file))
94088+ gr_fake_force_sig(SIGKILL, tsk);
94089+ } while_each_thread(tsk2, tsk);
94090+ }
94091+ }
94092+unlock:
94093+ read_unlock(&grsec_exec_file_lock);
94094+ read_unlock(&tasklist_lock);
94095+ rcu_read_unlock();
94096+
94097+ if (gr_is_global_nonroot(uid))
94098+ gr_log_fs_int2(GR_DONT_AUDIT, GR_BRUTE_SUID_MSG, p->exec_file->f_path.dentry, p->exec_file->f_path.mnt, GR_GLOBAL_UID(uid), GR_USER_BAN_TIME / 60);
94099+ else if (daemon)
94100+ gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
94101+
94102+#endif
94103+ return;
94104+}
94105+
94106+void gr_handle_brute_check(void)
94107+{
94108+#ifdef CONFIG_GRKERNSEC_BRUTE
94109+ struct task_struct *p = current;
94110+
94111+ if (unlikely(p->brute)) {
94112+ if (!grsec_enable_brute)
94113+ p->brute = 0;
94114+ else if (time_before(get_seconds(), p->brute_expires))
94115+ msleep(30 * 1000);
94116+ }
94117+#endif
94118+ return;
94119+}
94120+
94121+void gr_handle_kernel_exploit(void)
94122+{
94123+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94124+ const struct cred *cred;
94125+ struct task_struct *tsk, *tsk2;
94126+ struct user_struct *user;
94127+ kuid_t uid;
94128+
94129+ if (in_irq() || in_serving_softirq() || in_nmi())
94130+ panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
94131+
94132+ uid = current_uid();
94133+
94134+ if (gr_is_global_root(uid))
94135+ panic("grsec: halting the system due to suspicious kernel crash caused by root");
94136+ else {
94137+ /* kill all the processes of this user, hold a reference
94138+ to their creds struct, and prevent them from creating
94139+ another process until system reset
94140+ */
94141+ printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n",
94142+ GR_GLOBAL_UID(uid));
94143+ /* we intentionally leak this ref */
94144+ user = get_uid(current->cred->user);
94145+ if (user)
94146+ user->kernel_banned = 1;
94147+
94148+ /* kill all processes of this user */
94149+ read_lock(&tasklist_lock);
94150+ do_each_thread(tsk2, tsk) {
94151+ cred = __task_cred(tsk);
94152+ if (uid_eq(cred->uid, uid))
94153+ gr_fake_force_sig(SIGKILL, tsk);
94154+ } while_each_thread(tsk2, tsk);
94155+ read_unlock(&tasklist_lock);
94156+ }
94157+#endif
94158+}
94159+
94160+#ifdef CONFIG_GRKERNSEC_BRUTE
94161+static bool suid_ban_expired(struct user_struct *user)
94162+{
94163+ if (user->suid_ban_expires != ~0UL && time_after_eq(get_seconds(), user->suid_ban_expires)) {
94164+ user->suid_banned = 0;
94165+ user->suid_ban_expires = 0;
94166+ free_uid(user);
94167+ return true;
94168+ }
94169+
94170+ return false;
94171+}
94172+#endif
94173+
94174+int gr_process_kernel_exec_ban(void)
94175+{
94176+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94177+ if (unlikely(current->cred->user->kernel_banned))
94178+ return -EPERM;
94179+#endif
94180+ return 0;
94181+}
94182+
94183+int gr_process_kernel_setuid_ban(struct user_struct *user)
94184+{
94185+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94186+ if (unlikely(user->kernel_banned))
94187+ gr_fake_force_sig(SIGKILL, current);
94188+#endif
94189+ return 0;
94190+}
94191+
94192+int gr_process_suid_exec_ban(const struct linux_binprm *bprm)
94193+{
94194+#ifdef CONFIG_GRKERNSEC_BRUTE
94195+ struct user_struct *user = current->cred->user;
94196+ if (unlikely(user->suid_banned)) {
94197+ if (suid_ban_expired(user))
94198+ return 0;
94199+ /* disallow execution of suid binaries only */
94200+ else if (!uid_eq(bprm->cred->euid, current->cred->uid))
94201+ return -EPERM;
94202+ }
94203+#endif
94204+ return 0;
94205+}
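Review bot: In gr_handle_brute_attach, `find_user(uid)` takes a new reference on every call, but suid_ban_expired() releases only one with `free_uid(user)`. A user whose suid processes crash more than once inside the ban window is therefore left with references on the user_struct that are never dropped. Releasing the extra reference when a ban is already in place, e.g. `if (user->suid_banned) free_uid(user);` right after the NULL check, keeps exactly one reference per active ban. suid_banned and suid_ban_expires are written here and in suid_ban_expired() with no lock visible in this file, so the ordering between the two paths should be confirmed with that change. Separately, `uid` is assigned before the `find_user()` NULL check, so the `goto unlock` path still logs GR_BRUTE_SUID_MSG although no ban was recorded.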
94206diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c
94207new file mode 100644
94208index 0000000..a523bd2
94209--- /dev/null
94210+++ b/grsecurity/grsec_sock.c
94211@@ -0,0 +1,244 @@
94212+#include <linux/kernel.h>
94213+#include <linux/module.h>
94214+#include <linux/sched.h>
94215+#include <linux/file.h>
94216+#include <linux/net.h>
94217+#include <linux/in.h>
94218+#include <linux/ip.h>
94219+#include <net/sock.h>
94220+#include <net/inet_sock.h>
94221+#include <linux/grsecurity.h>
94222+#include <linux/grinternal.h>
94223+#include <linux/gracl.h>
94224+
94225+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
94226+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
94227+
94228+EXPORT_SYMBOL_GPL(gr_search_udp_recvmsg);
94229+EXPORT_SYMBOL_GPL(gr_search_udp_sendmsg);
94230+
94231+#ifdef CONFIG_UNIX_MODULE
94232+EXPORT_SYMBOL_GPL(gr_acl_handle_unix);
94233+EXPORT_SYMBOL_GPL(gr_acl_handle_mknod);
94234+EXPORT_SYMBOL_GPL(gr_handle_chroot_unix);
94235+EXPORT_SYMBOL_GPL(gr_handle_create);
94236+#endif
94237+
94238+#ifdef CONFIG_GRKERNSEC
94239+#define gr_conn_table_size 32749
94240+struct conn_table_entry {
94241+ struct conn_table_entry *next;
94242+ struct signal_struct *sig;
94243+};
94244+
94245+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
94246+DEFINE_SPINLOCK(gr_conn_table_lock);
94247+
94248+extern const char * gr_socktype_to_name(unsigned char type);
94249+extern const char * gr_proto_to_name(unsigned char proto);
94250+extern const char * gr_sockfamily_to_name(unsigned char family);
94251+
94252+static int
94253+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
94254+{
94255+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
94256+}
94257+
94258+static int
94259+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
94260+ __u16 sport, __u16 dport)
94261+{
94262+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
94263+ sig->gr_sport == sport && sig->gr_dport == dport))
94264+ return 1;
94265+ else
94266+ return 0;
94267+}
94268+
94269+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
94270+{
94271+ struct conn_table_entry **match;
94272+ unsigned int index;
94273+
94274+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
94275+ sig->gr_sport, sig->gr_dport,
94276+ gr_conn_table_size);
94277+
94278+ newent->sig = sig;
94279+
94280+ match = &gr_conn_table[index];
94281+ newent->next = *match;
94282+ *match = newent;
94283+
94284+ return;
94285+}
94286+
94287+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
94288+{
94289+ struct conn_table_entry *match, *last = NULL;
94290+ unsigned int index;
94291+
94292+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
94293+ sig->gr_sport, sig->gr_dport,
94294+ gr_conn_table_size);
94295+
94296+ match = gr_conn_table[index];
94297+ while (match && !conn_match(match->sig,
94298+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
94299+ sig->gr_dport)) {
94300+ last = match;
94301+ match = match->next;
94302+ }
94303+
94304+ if (match) {
94305+ if (last)
94306+ last->next = match->next;
94307+ else
94308+ gr_conn_table[index] = NULL;
94309+ kfree(match);
94310+ }
94311+
94312+ return;
94313+}
94314+
94315+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
94316+ __u16 sport, __u16 dport)
94317+{
94318+ struct conn_table_entry *match;
94319+ unsigned int index;
94320+
94321+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
94322+
94323+ match = gr_conn_table[index];
94324+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
94325+ match = match->next;
94326+
94327+ if (match)
94328+ return match->sig;
94329+ else
94330+ return NULL;
94331+}
94332+
94333+#endif
94334+
94335+void gr_update_task_in_ip_table(const struct inet_sock *inet)
94336+{
94337+#ifdef CONFIG_GRKERNSEC
94338+ struct signal_struct *sig = current->signal;
94339+ struct conn_table_entry *newent;
94340+
94341+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
94342+ if (newent == NULL)
94343+ return;
94344+ /* no bh lock needed since we are called with bh disabled */
94345+ spin_lock(&gr_conn_table_lock);
94346+ gr_del_task_from_ip_table_nolock(sig);
94347+ sig->gr_saddr = inet->inet_rcv_saddr;
94348+ sig->gr_daddr = inet->inet_daddr;
94349+ sig->gr_sport = inet->inet_sport;
94350+ sig->gr_dport = inet->inet_dport;
94351+ gr_add_to_task_ip_table_nolock(sig, newent);
94352+ spin_unlock(&gr_conn_table_lock);
94353+#endif
94354+ return;
94355+}
94356+
94357+void gr_del_task_from_ip_table(struct task_struct *task)
94358+{
94359+#ifdef CONFIG_GRKERNSEC
94360+ spin_lock_bh(&gr_conn_table_lock);
94361+ gr_del_task_from_ip_table_nolock(task->signal);
94362+ spin_unlock_bh(&gr_conn_table_lock);
94363+#endif
94364+ return;
94365+}
94366+
94367+void
94368+gr_attach_curr_ip(const struct sock *sk)
94369+{
94370+#ifdef CONFIG_GRKERNSEC
94371+ struct signal_struct *p, *set;
94372+ const struct inet_sock *inet = inet_sk(sk);
94373+
94374+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
94375+ return;
94376+
94377+ set = current->signal;
94378+
94379+ spin_lock_bh(&gr_conn_table_lock);
94380+ p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
94381+ inet->inet_dport, inet->inet_sport);
94382+ if (unlikely(p != NULL)) {
94383+ set->curr_ip = p->curr_ip;
94384+ set->used_accept = 1;
94385+ gr_del_task_from_ip_table_nolock(p);
94386+ spin_unlock_bh(&gr_conn_table_lock);
94387+ return;
94388+ }
94389+ spin_unlock_bh(&gr_conn_table_lock);
94390+
94391+ set->curr_ip = inet->inet_daddr;
94392+ set->used_accept = 1;
94393+#endif
94394+ return;
94395+}
94396+
94397+int
94398+gr_handle_sock_all(const int family, const int type, const int protocol)
94399+{
94400+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
94401+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
94402+ (family != AF_UNIX)) {
94403+ if (family == AF_INET)
94404+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
94405+ else
94406+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
94407+ return -EACCES;
94408+ }
94409+#endif
94410+ return 0;
94411+}
94412+
94413+int
94414+gr_handle_sock_server(const struct sockaddr *sck)
94415+{
94416+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
94417+ if (grsec_enable_socket_server &&
94418+ in_group_p(grsec_socket_server_gid) &&
94419+ sck && (sck->sa_family != AF_UNIX) &&
94420+ (sck->sa_family != AF_LOCAL)) {
94421+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
94422+ return -EACCES;
94423+ }
94424+#endif
94425+ return 0;
94426+}
94427+
94428+int
94429+gr_handle_sock_server_other(const struct sock *sck)
94430+{
94431+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
94432+ if (grsec_enable_socket_server &&
94433+ in_group_p(grsec_socket_server_gid) &&
94434+ sck && (sck->sk_family != AF_UNIX) &&
94435+ (sck->sk_family != AF_LOCAL)) {
94436+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
94437+ return -EACCES;
94438+ }
94439+#endif
94440+ return 0;
94441+}
94442+
94443+int
94444+gr_handle_sock_client(const struct sockaddr *sck)
94445+{
94446+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
94447+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
94448+ sck && (sck->sa_family != AF_UNIX) &&
94449+ (sck->sa_family != AF_LOCAL)) {
94450+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
94451+ return -EACCES;
94452+ }
94453+#endif
94454+ return 0;
94455+}
94456diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
94457new file mode 100644
94458index 0000000..aaec43c
94459--- /dev/null
94460+++ b/grsecurity/grsec_sysctl.c
94461@@ -0,0 +1,488 @@
94462+#include <linux/kernel.h>
94463+#include <linux/sched.h>
94464+#include <linux/sysctl.h>
94465+#include <linux/grsecurity.h>
94466+#include <linux/grinternal.h>
94467+
94468+int
94469+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
94470+{
94471+#ifdef CONFIG_GRKERNSEC_SYSCTL
94472+ if (dirname == NULL || name == NULL)
94473+ return 0;
94474+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
94475+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
94476+ return -EACCES;
94477+ }
94478+#endif
94479+ return 0;
94480+}
94481+
94482+#if defined(CONFIG_GRKERNSEC_ROFS) || defined(CONFIG_GRKERNSEC_DENYUSB)
94483+static int __maybe_unused __read_only one = 1;
94484+#endif
94485+
94486+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) || \
94487+ defined(CONFIG_GRKERNSEC_DENYUSB)
94488+struct ctl_table grsecurity_table[] = {
94489+#ifdef CONFIG_GRKERNSEC_SYSCTL
94490+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
94491+#ifdef CONFIG_GRKERNSEC_IO
94492+ {
94493+ .procname = "disable_priv_io",
94494+ .data = &grsec_disable_privio,
94495+ .maxlen = sizeof(int),
94496+ .mode = 0600,
94497+ .proc_handler = &proc_dointvec_secure,
94498+ },
94499+#endif
94500+#endif
94501+#ifdef CONFIG_GRKERNSEC_LINK
94502+ {
94503+ .procname = "linking_restrictions",
94504+ .data = &grsec_enable_link,
94505+ .maxlen = sizeof(int),
94506+ .mode = 0600,
94507+ .proc_handler = &proc_dointvec_secure,
94508+ },
94509+#endif
94510+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
94511+ {
94512+ .procname = "enforce_symlinksifowner",
94513+ .data = &grsec_enable_symlinkown,
94514+ .maxlen = sizeof(int),
94515+ .mode = 0600,
94516+ .proc_handler = &proc_dointvec_secure,
94517+ },
94518+ {
94519+ .procname = "symlinkown_gid",
94520+ .data = &grsec_symlinkown_gid,
94521+ .maxlen = sizeof(int),
94522+ .mode = 0600,
94523+ .proc_handler = &proc_dointvec_secure,
94524+ },
94525+#endif
94526+#ifdef CONFIG_GRKERNSEC_BRUTE
94527+ {
94528+ .procname = "deter_bruteforce",
94529+ .data = &grsec_enable_brute,
94530+ .maxlen = sizeof(int),
94531+ .mode = 0600,
94532+ .proc_handler = &proc_dointvec_secure,
94533+ },
94534+#endif
94535+#ifdef CONFIG_GRKERNSEC_FIFO
94536+ {
94537+ .procname = "fifo_restrictions",
94538+ .data = &grsec_enable_fifo,
94539+ .maxlen = sizeof(int),
94540+ .mode = 0600,
94541+ .proc_handler = &proc_dointvec_secure,
94542+ },
94543+#endif
94544+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
94545+ {
94546+ .procname = "ptrace_readexec",
94547+ .data = &grsec_enable_ptrace_readexec,
94548+ .maxlen = sizeof(int),
94549+ .mode = 0600,
94550+ .proc_handler = &proc_dointvec_secure,
94551+ },
94552+#endif
94553+#ifdef CONFIG_GRKERNSEC_SETXID
94554+ {
94555+ .procname = "consistent_setxid",
94556+ .data = &grsec_enable_setxid,
94557+ .maxlen = sizeof(int),
94558+ .mode = 0600,
94559+ .proc_handler = &proc_dointvec_secure,
94560+ },
94561+#endif
94562+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
94563+ {
94564+ .procname = "ip_blackhole",
94565+ .data = &grsec_enable_blackhole,
94566+ .maxlen = sizeof(int),
94567+ .mode = 0600,
94568+ .proc_handler = &proc_dointvec_secure,
94569+ },
94570+ {
94571+ .procname = "lastack_retries",
94572+ .data = &grsec_lastack_retries,
94573+ .maxlen = sizeof(int),
94574+ .mode = 0600,
94575+ .proc_handler = &proc_dointvec_secure,
94576+ },
94577+#endif
94578+#ifdef CONFIG_GRKERNSEC_EXECLOG
94579+ {
94580+ .procname = "exec_logging",
94581+ .data = &grsec_enable_execlog,
94582+ .maxlen = sizeof(int),
94583+ .mode = 0600,
94584+ .proc_handler = &proc_dointvec_secure,
94585+ },
94586+#endif
94587+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94588+ {
94589+ .procname = "rwxmap_logging",
94590+ .data = &grsec_enable_log_rwxmaps,
94591+ .maxlen = sizeof(int),
94592+ .mode = 0600,
94593+ .proc_handler = &proc_dointvec_secure,
94594+ },
94595+#endif
94596+#ifdef CONFIG_GRKERNSEC_SIGNAL
94597+ {
94598+ .procname = "signal_logging",
94599+ .data = &grsec_enable_signal,
94600+ .maxlen = sizeof(int),
94601+ .mode = 0600,
94602+ .proc_handler = &proc_dointvec_secure,
94603+ },
94604+#endif
94605+#ifdef CONFIG_GRKERNSEC_FORKFAIL
94606+ {
94607+ .procname = "forkfail_logging",
94608+ .data = &grsec_enable_forkfail,
94609+ .maxlen = sizeof(int),
94610+ .mode = 0600,
94611+ .proc_handler = &proc_dointvec_secure,
94612+ },
94613+#endif
94614+#ifdef CONFIG_GRKERNSEC_TIME
94615+ {
94616+ .procname = "timechange_logging",
94617+ .data = &grsec_enable_time,
94618+ .maxlen = sizeof(int),
94619+ .mode = 0600,
94620+ .proc_handler = &proc_dointvec_secure,
94621+ },
94622+#endif
94623+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
94624+ {
94625+ .procname = "chroot_deny_shmat",
94626+ .data = &grsec_enable_chroot_shmat,
94627+ .maxlen = sizeof(int),
94628+ .mode = 0600,
94629+ .proc_handler = &proc_dointvec_secure,
94630+ },
94631+#endif
94632+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
94633+ {
94634+ .procname = "chroot_deny_unix",
94635+ .data = &grsec_enable_chroot_unix,
94636+ .maxlen = sizeof(int),
94637+ .mode = 0600,
94638+ .proc_handler = &proc_dointvec_secure,
94639+ },
94640+#endif
94641+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
94642+ {
94643+ .procname = "chroot_deny_mount",
94644+ .data = &grsec_enable_chroot_mount,
94645+ .maxlen = sizeof(int),
94646+ .mode = 0600,
94647+ .proc_handler = &proc_dointvec_secure,
94648+ },
94649+#endif
94650+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
94651+ {
94652+ .procname = "chroot_deny_fchdir",
94653+ .data = &grsec_enable_chroot_fchdir,
94654+ .maxlen = sizeof(int),
94655+ .mode = 0600,
94656+ .proc_handler = &proc_dointvec_secure,
94657+ },
94658+#endif
94659+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
94660+ {
94661+ .procname = "chroot_deny_chroot",
94662+ .data = &grsec_enable_chroot_double,
94663+ .maxlen = sizeof(int),
94664+ .mode = 0600,
94665+ .proc_handler = &proc_dointvec_secure,
94666+ },
94667+#endif
94668+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
94669+ {
94670+ .procname = "chroot_deny_pivot",
94671+ .data = &grsec_enable_chroot_pivot,
94672+ .maxlen = sizeof(int),
94673+ .mode = 0600,
94674+ .proc_handler = &proc_dointvec_secure,
94675+ },
94676+#endif
94677+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
94678+ {
94679+ .procname = "chroot_enforce_chdir",
94680+ .data = &grsec_enable_chroot_chdir,
94681+ .maxlen = sizeof(int),
94682+ .mode = 0600,
94683+ .proc_handler = &proc_dointvec_secure,
94684+ },
94685+#endif
94686+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
94687+ {
94688+ .procname = "chroot_deny_chmod",
94689+ .data = &grsec_enable_chroot_chmod,
94690+ .maxlen = sizeof(int),
94691+ .mode = 0600,
94692+ .proc_handler = &proc_dointvec_secure,
94693+ },
94694+#endif
94695+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
94696+ {
94697+ .procname = "chroot_deny_mknod",
94698+ .data = &grsec_enable_chroot_mknod,
94699+ .maxlen = sizeof(int),
94700+ .mode = 0600,
94701+ .proc_handler = &proc_dointvec_secure,
94702+ },
94703+#endif
94704+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
94705+ {
94706+ .procname = "chroot_restrict_nice",
94707+ .data = &grsec_enable_chroot_nice,
94708+ .maxlen = sizeof(int),
94709+ .mode = 0600,
94710+ .proc_handler = &proc_dointvec_secure,
94711+ },
94712+#endif
94713+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
94714+ {
94715+ .procname = "chroot_execlog",
94716+ .data = &grsec_enable_chroot_execlog,
94717+ .maxlen = sizeof(int),
94718+ .mode = 0600,
94719+ .proc_handler = &proc_dointvec_secure,
94720+ },
94721+#endif
94722+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
94723+ {
94724+ .procname = "chroot_caps",
94725+ .data = &grsec_enable_chroot_caps,
94726+ .maxlen = sizeof(int),
94727+ .mode = 0600,
94728+ .proc_handler = &proc_dointvec_secure,
94729+ },
94730+#endif
94731+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
94732+ {
94733+ .procname = "chroot_deny_bad_rename",
94734+ .data = &grsec_enable_chroot_rename,
94735+ .maxlen = sizeof(int),
94736+ .mode = 0600,
94737+ .proc_handler = &proc_dointvec_secure,
94738+ },
94739+#endif
94740+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
94741+ {
94742+ .procname = "chroot_deny_sysctl",
94743+ .data = &grsec_enable_chroot_sysctl,
94744+ .maxlen = sizeof(int),
94745+ .mode = 0600,
94746+ .proc_handler = &proc_dointvec_secure,
94747+ },
94748+#endif
94749+#ifdef CONFIG_GRKERNSEC_TPE
94750+ {
94751+ .procname = "tpe",
94752+ .data = &grsec_enable_tpe,
94753+ .maxlen = sizeof(int),
94754+ .mode = 0600,
94755+ .proc_handler = &proc_dointvec_secure,
94756+ },
94757+ {
94758+ .procname = "tpe_gid",
94759+ .data = &grsec_tpe_gid,
94760+ .maxlen = sizeof(int),
94761+ .mode = 0600,
94762+ .proc_handler = &proc_dointvec_secure,
94763+ },
94764+#endif
94765+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
94766+ {
94767+ .procname = "tpe_invert",
94768+ .data = &grsec_enable_tpe_invert,
94769+ .maxlen = sizeof(int),
94770+ .mode = 0600,
94771+ .proc_handler = &proc_dointvec_secure,
94772+ },
94773+#endif
94774+#ifdef CONFIG_GRKERNSEC_TPE_ALL
94775+ {
94776+ .procname = "tpe_restrict_all",
94777+ .data = &grsec_enable_tpe_all,
94778+ .maxlen = sizeof(int),
94779+ .mode = 0600,
94780+ .proc_handler = &proc_dointvec_secure,
94781+ },
94782+#endif
94783+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
94784+ {
94785+ .procname = "socket_all",
94786+ .data = &grsec_enable_socket_all,
94787+ .maxlen = sizeof(int),
94788+ .mode = 0600,
94789+ .proc_handler = &proc_dointvec_secure,
94790+ },
94791+ {
94792+ .procname = "socket_all_gid",
94793+ .data = &grsec_socket_all_gid,
94794+ .maxlen = sizeof(int),
94795+ .mode = 0600,
94796+ .proc_handler = &proc_dointvec_secure,
94797+ },
94798+#endif
94799+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
94800+ {
94801+ .procname = "socket_client",
94802+ .data = &grsec_enable_socket_client,
94803+ .maxlen = sizeof(int),
94804+ .mode = 0600,
94805+ .proc_handler = &proc_dointvec_secure,
94806+ },
94807+ {
94808+ .procname = "socket_client_gid",
94809+ .data = &grsec_socket_client_gid,
94810+ .maxlen = sizeof(int),
94811+ .mode = 0600,
94812+ .proc_handler = &proc_dointvec_secure,
94813+ },
94814+#endif
94815+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
94816+ {
94817+ .procname = "socket_server",
94818+ .data = &grsec_enable_socket_server,
94819+ .maxlen = sizeof(int),
94820+ .mode = 0600,
94821+ .proc_handler = &proc_dointvec_secure,
94822+ },
94823+ {
94824+ .procname = "socket_server_gid",
94825+ .data = &grsec_socket_server_gid,
94826+ .maxlen = sizeof(int),
94827+ .mode = 0600,
94828+ .proc_handler = &proc_dointvec_secure,
94829+ },
94830+#endif
94831+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
94832+ {
94833+ .procname = "audit_group",
94834+ .data = &grsec_enable_group,
94835+ .maxlen = sizeof(int),
94836+ .mode = 0600,
94837+ .proc_handler = &proc_dointvec_secure,
94838+ },
94839+ {
94840+ .procname = "audit_gid",
94841+ .data = &grsec_audit_gid,
94842+ .maxlen = sizeof(int),
94843+ .mode = 0600,
94844+ .proc_handler = &proc_dointvec_secure,
94845+ },
94846+#endif
94847+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
94848+ {
94849+ .procname = "audit_chdir",
94850+ .data = &grsec_enable_chdir,
94851+ .maxlen = sizeof(int),
94852+ .mode = 0600,
94853+ .proc_handler = &proc_dointvec_secure,
94854+ },
94855+#endif
94856+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
94857+ {
94858+ .procname = "audit_mount",
94859+ .data = &grsec_enable_mount,
94860+ .maxlen = sizeof(int),
94861+ .mode = 0600,
94862+ .proc_handler = &proc_dointvec_secure,
94863+ },
94864+#endif
94865+#ifdef CONFIG_GRKERNSEC_DMESG
94866+ {
94867+ .procname = "dmesg",
94868+ .data = &grsec_enable_dmesg,
94869+ .maxlen = sizeof(int),
94870+ .mode = 0600,
94871+ .proc_handler = &proc_dointvec_secure,
94872+ },
94873+#endif
94874+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
94875+ {
94876+ .procname = "chroot_findtask",
94877+ .data = &grsec_enable_chroot_findtask,
94878+ .maxlen = sizeof(int),
94879+ .mode = 0600,
94880+ .proc_handler = &proc_dointvec_secure,
94881+ },
94882+#endif
94883+#ifdef CONFIG_GRKERNSEC_RESLOG
94884+ {
94885+ .procname = "resource_logging",
94886+ .data = &grsec_resource_logging,
94887+ .maxlen = sizeof(int),
94888+ .mode = 0600,
94889+ .proc_handler = &proc_dointvec_secure,
94890+ },
94891+#endif
94892+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
94893+ {
94894+ .procname = "audit_ptrace",
94895+ .data = &grsec_enable_audit_ptrace,
94896+ .maxlen = sizeof(int),
94897+ .mode = 0600,
94898+ .proc_handler = &proc_dointvec_secure,
94899+ },
94900+#endif
94901+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
94902+ {
94903+ .procname = "harden_ptrace",
94904+ .data = &grsec_enable_harden_ptrace,
94905+ .maxlen = sizeof(int),
94906+ .mode = 0600,
94907+ .proc_handler = &proc_dointvec_secure,
94908+ },
94909+#endif
94910+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
94911+ {
94912+ .procname = "harden_ipc",
94913+ .data = &grsec_enable_harden_ipc,
94914+ .maxlen = sizeof(int),
94915+ .mode = 0600,
94916+ .proc_handler = &proc_dointvec_secure,
94917+ },
94918+#endif
94919+ {
94920+ .procname = "grsec_lock",
94921+ .data = &grsec_lock,
94922+ .maxlen = sizeof(int),
94923+ .mode = 0600,
94924+ .proc_handler = &proc_dointvec_secure,
94925+ },
94926+#endif
94927+#ifdef CONFIG_GRKERNSEC_ROFS
94928+ {
94929+ .procname = "romount_protect",
94930+ .data = &grsec_enable_rofs,
94931+ .maxlen = sizeof(int),
94932+ .mode = 0600,
94933+ .proc_handler = &proc_dointvec_minmax_secure,
94934+ .extra1 = &one,
94935+ .extra2 = &one,
94936+ },
94937+#endif
94938+#if defined(CONFIG_GRKERNSEC_DENYUSB) && !defined(CONFIG_GRKERNSEC_DENYUSB_FORCE)
94939+ {
94940+ .procname = "deny_new_usb",
94941+ .data = &grsec_deny_new_usb,
94942+ .maxlen = sizeof(int),
94943+ .mode = 0600,
94944+ .proc_handler = &proc_dointvec_secure,
94945+ },
94946+#endif
94947+ { }
94948+};
94949+#endif
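Review bot: The `*_gid` entries (`symlinkown_gid`, `tpe_gid`, `socket_all_gid`, `socket_client_gid`, `socket_server_gid`, `audit_gid`) and `lastack_retries` are written through `proc_dointvec_secure` with no bounds, so a negative or otherwise meaningless value is stored as-is. The socket gid variables are passed to `in_group_p()` in grsec_sock.c, which suggests they are not plain ints; their declarations are outside this hunk, so confirm that writing them as `sizeof(int)` raw integers is valid. Using `.proc_handler = &proc_dointvec_minmax_secure` with a zero lower bound in `.extra1`, in the way `romount_protect` already uses `&one`, would reject out-of-range writes. Two comments would make the one-way behaviour explicit: `/* extra1 == extra2 == 1: can only be switched on */` on `romount_protect`, and a note on `grsec_lock` that `gr_handle_sysctl_mod` refuses every later write under "grsecurity" once it is set.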
94950diff --git a/grsecurity/grsec_time.c b/grsecurity/grsec_time.c
94951new file mode 100644
94952index 0000000..61b514e
94953--- /dev/null
94954+++ b/grsecurity/grsec_time.c
94955@@ -0,0 +1,16 @@
94956+#include <linux/kernel.h>
94957+#include <linux/sched.h>
94958+#include <linux/grinternal.h>
94959+#include <linux/module.h>
94960+
94961+void
94962+gr_log_timechange(void)
94963+{
94964+#ifdef CONFIG_GRKERNSEC_TIME
94965+ if (grsec_enable_time)
94966+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
94967+#endif
94968+ return;
94969+}
94970+
94971+EXPORT_SYMBOL_GPL(gr_log_timechange);
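Review bot: `gr_log_timechange` is exported with `EXPORT_SYMBOL_GPL` but has no comment saying that it only records the event and cannot veto it, which a module author calling it would need to know. A one-line header such as `/* Log a system time change when grsec_enable_time is set; audit only, never denies. */` would cover it. The trailing `return;` in a void function can be dropped.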
94972diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
94973new file mode 100644
94974index 0000000..9786671
94975--- /dev/null
94976+++ b/grsecurity/grsec_tpe.c
94977@@ -0,0 +1,78 @@
94978+#include <linux/kernel.h>
94979+#include <linux/sched.h>
94980+#include <linux/file.h>
94981+#include <linux/fs.h>
94982+#include <linux/grinternal.h>
94983+
94984+extern int gr_acl_tpe_check(void);
94985+
94986+int
94987+gr_tpe_allow(const struct file *file)
94988+{
94989+#ifdef CONFIG_GRKERNSEC
94990+ struct inode *inode = d_backing_inode(file->f_path.dentry->d_parent);
94991+ struct inode *file_inode = d_backing_inode(file->f_path.dentry);
94992+ const struct cred *cred = current_cred();
94993+ char *msg = NULL;
94994+ char *msg2 = NULL;
94995+
94996+ // never restrict root
94997+ if (gr_is_global_root(cred->uid))
94998+ return 1;
94999+
95000+ if (grsec_enable_tpe) {
95001+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
95002+ if (grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid))
95003+ msg = "not being in trusted group";
95004+ else if (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid))
95005+ msg = "being in untrusted group";
95006+#else
95007+ if (in_group_p(grsec_tpe_gid))
95008+ msg = "being in untrusted group";
95009+#endif
95010+ }
95011+ if (!msg && gr_acl_tpe_check())
95012+ msg = "being in untrusted role";
95013+
95014+ // not in any affected group/role
95015+ if (!msg)
95016+ goto next_check;
95017+
95018+ if (gr_is_global_nonroot(inode->i_uid))
95019+ msg2 = "file in non-root-owned directory";
95020+ else if (inode->i_mode & S_IWOTH)
95021+ msg2 = "file in world-writable directory";
95022+ else if (inode->i_mode & S_IWGRP)
95023+ msg2 = "file in group-writable directory";
95024+ else if (file_inode->i_mode & S_IWOTH)
95025+ msg2 = "file is world-writable";
95026+
95027+ if (msg && msg2) {
95028+ char fullmsg[70] = {0};
95029+ snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
95030+ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
95031+ return 0;
95032+ }
95033+ msg = NULL;
95034+next_check:
95035+#ifdef CONFIG_GRKERNSEC_TPE_ALL
95036+ if (!grsec_enable_tpe || !grsec_enable_tpe_all)
95037+ return 1;
95038+
95039+ if (gr_is_global_nonroot(inode->i_uid) && !uid_eq(inode->i_uid, cred->uid))
95040+ msg = "directory not owned by user";
95041+ else if (inode->i_mode & S_IWOTH)
95042+ msg = "file in world-writable directory";
95043+ else if (inode->i_mode & S_IWGRP)
95044+ msg = "file in group-writable directory";
95045+ else if (file_inode->i_mode & S_IWOTH)
95046+ msg = "file is world-writable";
95047+
95048+ if (msg) {
95049+ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
95050+ return 0;
95051+ }
95052+#endif
95053+#endif
95054+ return 1;
95055+}
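Review bot: `file->f_path.dentry->d_parent` is read at the top of `gr_tpe_allow` without taking a reference or a lock, so if a rename runs concurrently the directory inode whose owner and mode bits decide the outcome may no longer be the file's parent. Taking the parent with `struct dentry *parent = dget_parent(file->f_path.dentry);` and releasing it with `dput(parent);` before each return would pin it for the duration of the checks. In the first block `msg` is always non-NULL by the time `if (msg && msg2)` is reached, so the test can be `if (msg2)`, and `sizeof(fullmsg)-1` can be `sizeof(fullmsg)` because `snprintf` already reserves the terminator. A short header comment stating that the function returns 1 to allow and 0 to deny would document the contract.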
95056diff --git a/grsecurity/grsec_usb.c b/grsecurity/grsec_usb.c
95057new file mode 100644
95058index 0000000..ae02d8e
95059--- /dev/null
95060+++ b/grsecurity/grsec_usb.c
95061@@ -0,0 +1,15 @@
95062+#include <linux/kernel.h>
95063+#include <linux/grinternal.h>
95064+#include <linux/module.h>
95065+
95066+int gr_handle_new_usb(void)
95067+{
95068+#ifdef CONFIG_GRKERNSEC_DENYUSB
95069+ if (grsec_deny_new_usb) {
95070+ printk(KERN_ALERT "grsec: denied insert of new USB device\n");
95071+ return 1;
95072+ }
95073+#endif
95074+ return 0;
95075+}
95076+EXPORT_SYMBOL_GPL(gr_handle_new_usb);
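Review bot: The `printk(KERN_ALERT ...)` in `gr_handle_new_usb` is not rate limited, so a device that keeps re-attaching while `grsec_deny_new_usb` is set can fill the kernel log with alert-level lines; `printk_ratelimited(KERN_ALERT "grsec: denied insert of new USB device\n");` keeps the signal without the flood. The function returns 1 to deny, whereas the `gr_handle_*` checks in grsec_sock.c earlier in this patch return `-EACCES`. A header comment such as `/* returns 1 if the new device must be rejected, 0 otherwise */` would stop a caller from testing for a negative value.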
95077diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
95078new file mode 100644
95079index 0000000..158b330
95080--- /dev/null
95081+++ b/grsecurity/grsum.c
95082@@ -0,0 +1,64 @@
95083+#include <linux/err.h>
95084+#include <linux/kernel.h>
95085+#include <linux/sched.h>
95086+#include <linux/mm.h>
95087+#include <linux/scatterlist.h>
95088+#include <linux/crypto.h>
95089+#include <linux/gracl.h>
95090+
95091+
95092+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
95093+#error "crypto and sha256 must be built into the kernel"
95094+#endif
95095+
95096+int
95097+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
95098+{
95099+ struct crypto_hash *tfm;
95100+ struct hash_desc desc;
95101+ struct scatterlist sg[2];
95102+ unsigned char temp_sum[GR_SHA_LEN] __attribute__((aligned(__alignof__(unsigned long))));
95103+ unsigned long *tmpsumptr = (unsigned long *)temp_sum;
95104+ unsigned long *sumptr = (unsigned long *)sum;
95105+ int cryptres;
95106+ int retval = 1;
95107+ volatile int mismatched = 0;
95108+ volatile int dummy = 0;
95109+ unsigned int i;
95110+
95111+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
95112+ if (IS_ERR(tfm)) {
95113+ /* should never happen, since sha256 should be built in */
95114+ memset(entry->pw, 0, GR_PW_LEN);
95115+ return 1;
95116+ }
95117+
95118+ sg_init_table(sg, 2);
95119+ sg_set_buf(&sg[0], salt, GR_SALT_LEN);
95120+ sg_set_buf(&sg[1], entry->pw, strlen(entry->pw));
95121+
95122+ desc.tfm = tfm;
95123+ desc.flags = 0;
95124+
95125+ cryptres = crypto_hash_digest(&desc, sg, GR_SALT_LEN + strlen(entry->pw),
95126+ temp_sum);
95127+
95128+ memset(entry->pw, 0, GR_PW_LEN);
95129+
95130+ if (cryptres)
95131+ goto out;
95132+
95133+ for (i = 0; i < GR_SHA_LEN/sizeof(tmpsumptr[0]); i++)
95134+ if (sumptr[i] != tmpsumptr[i])
95135+ mismatched = 1;
95136+ else
95137+ dummy = 1; // waste a cycle
95138+
95139+ if (!mismatched)
95140+ retval = dummy - 1;
95141+
95142+out:
95143+ crypto_free_hash(tfm);
95144+
95145+ return retval;
95146+}
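Review bot: `strlen(entry->pw)` is evaluated twice in `chkpw` with no bound, so the function relies on the caller having NUL-terminated the `GR_PW_LEN` buffer, which cannot be verified from this hunk. Computing `size_t pwlen = strnlen(entry->pw, GR_PW_LEN);` once and using it for both `sg_set_buf` and `crypto_hash_digest` removes that dependency. The comparison loop reads `sum` through an `unsigned long *` although only `temp_sum` carries an alignment attribute, and it relies on `volatile` to stay constant-time; `crypto_memneq(sum, temp_sum, GR_SHA_LEN)` from `<crypto/algapi.h>` covers both concerns. `temp_sum` is left on the stack on return, so `memzero_explicit(temp_sum, sizeof(temp_sum));` at `out:` would match the care taken to wipe `entry->pw`. The return convention (0 on match, 1 on mismatch or hash failure) deserves a header comment, since it is the inverse of a boolean "password ok".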
95147diff --git a/include/asm-generic/4level-fixup.h b/include/asm-generic/4level-fixup.h
95148index 5bdab6b..9ae82fe 100644
95149--- a/include/asm-generic/4level-fixup.h
95150+++ b/include/asm-generic/4level-fixup.h
95151@@ -14,8 +14,10 @@
95152 #define pmd_alloc(mm, pud, address) \
95153 ((unlikely(pgd_none(*(pud))) && __pmd_alloc(mm, pud, address))? \
95154 NULL: pmd_offset(pud, address))
95155+#define pmd_alloc_kernel(mm, pud, address) pmd_alloc((mm), (pud), (address))
95156
95157 #define pud_alloc(mm, pgd, address) (pgd)
95158+#define pud_alloc_kernel(mm, pgd, address) pud_alloc((mm), (pgd), (address))
95159 #define pud_offset(pgd, start) (pgd)
95160 #define pud_none(pud) 0
95161 #define pud_bad(pud) 0
95162diff --git a/include/asm-generic/atomic-long.h b/include/asm-generic/atomic-long.h
95163index b7babf0..1e4b4f1 100644
95164--- a/include/asm-generic/atomic-long.h
95165+++ b/include/asm-generic/atomic-long.h
95166@@ -22,6 +22,12 @@
95167
95168 typedef atomic64_t atomic_long_t;
95169
95170+#ifdef CONFIG_PAX_REFCOUNT
95171+typedef atomic64_unchecked_t atomic_long_unchecked_t;
95172+#else
95173+typedef atomic64_t atomic_long_unchecked_t;
95174+#endif
95175+
95176 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
95177
95178 static inline long atomic_long_read(atomic_long_t *l)
95179@@ -31,6 +37,15 @@ static inline long atomic_long_read(atomic_long_t *l)
95180 return (long)atomic64_read(v);
95181 }
95182
95183+#ifdef CONFIG_PAX_REFCOUNT
95184+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
95185+{
95186+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95187+
95188+ return (long)atomic64_read_unchecked(v);
95189+}
95190+#endif
95191+
95192 static inline void atomic_long_set(atomic_long_t *l, long i)
95193 {
95194 atomic64_t *v = (atomic64_t *)l;
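Review bot: The new `atomic_long_read_unchecked` casts `l` to `atomic64_unchecked_t *` even though, under CONFIG_PAX_REFCOUNT, the previous hunk already typedefs `atomic_long_unchecked_t` to that type. The cast is therefore a no-op that would also hide a future type mismatch; `return (long)atomic64_read_unchecked(l);` lets the compiler check it. The same applies to the set/inc/dec/add/sub/add_return/inc_return `_unchecked` wrappers added in the following hunks, in both the 64-bit and the 32-bit half of the header. None of the wrappers says what `unchecked` opts out of; assuming this is the intended meaning, one comment above the typedef would do, for example `/* _unchecked variants are exempt from PAX_REFCOUNT overflow detection; use only for counters that may legitimately wrap */`. The surrounding `atomic_long_read` and `atomic_long_set` bodies start or end outside this hunk.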
95195@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomic_long_t *l, long i)
95196 atomic64_set(v, i);
95197 }
95198
95199+#ifdef CONFIG_PAX_REFCOUNT
95200+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
95201+{
95202+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95203+
95204+ atomic64_set_unchecked(v, i);
95205+}
95206+#endif
95207+
95208 static inline void atomic_long_inc(atomic_long_t *l)
95209 {
95210 atomic64_t *v = (atomic64_t *)l;
95211@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomic_long_t *l)
95212 atomic64_inc(v);
95213 }
95214
95215+#ifdef CONFIG_PAX_REFCOUNT
95216+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
95217+{
95218+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95219+
95220+ atomic64_inc_unchecked(v);
95221+}
95222+#endif
95223+
95224 static inline void atomic_long_dec(atomic_long_t *l)
95225 {
95226 atomic64_t *v = (atomic64_t *)l;
95227@@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomic_long_t *l)
95228 atomic64_dec(v);
95229 }
95230
95231+#ifdef CONFIG_PAX_REFCOUNT
95232+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
95233+{
95234+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95235+
95236+ atomic64_dec_unchecked(v);
95237+}
95238+#endif
95239+
95240 static inline void atomic_long_add(long i, atomic_long_t *l)
95241 {
95242 atomic64_t *v = (atomic64_t *)l;
95243@@ -59,6 +101,15 @@ static inline void atomic_long_add(long i, atomic_long_t *l)
95244 atomic64_add(i, v);
95245 }
95246
95247+#ifdef CONFIG_PAX_REFCOUNT
95248+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
95249+{
95250+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95251+
95252+ atomic64_add_unchecked(i, v);
95253+}
95254+#endif
95255+
95256 static inline void atomic_long_sub(long i, atomic_long_t *l)
95257 {
95258 atomic64_t *v = (atomic64_t *)l;
95259@@ -66,6 +117,15 @@ static inline void atomic_long_sub(long i, atomic_long_t *l)
95260 atomic64_sub(i, v);
95261 }
95262
95263+#ifdef CONFIG_PAX_REFCOUNT
95264+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
95265+{
95266+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95267+
95268+ atomic64_sub_unchecked(i, v);
95269+}
95270+#endif
95271+
95272 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
95273 {
95274 atomic64_t *v = (atomic64_t *)l;
95275@@ -94,13 +154,22 @@ static inline int atomic_long_add_negative(long i, atomic_long_t *l)
95276 return atomic64_add_negative(i, v);
95277 }
95278
95279-static inline long atomic_long_add_return(long i, atomic_long_t *l)
95280+static inline long __intentional_overflow(-1) atomic_long_add_return(long i, atomic_long_t *l)
95281 {
95282 atomic64_t *v = (atomic64_t *)l;
95283
95284 return (long)atomic64_add_return(i, v);
95285 }
95286
95287+#ifdef CONFIG_PAX_REFCOUNT
95288+static inline long atomic_long_add_return_unchecked(long i, atomic_long_unchecked_t *l)
95289+{
95290+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95291+
95292+ return (long)atomic64_add_return_unchecked(i, v);
95293+}
95294+#endif
95295+
95296 static inline long atomic_long_sub_return(long i, atomic_long_t *l)
95297 {
95298 atomic64_t *v = (atomic64_t *)l;
95299@@ -115,6 +184,15 @@ static inline long atomic_long_inc_return(atomic_long_t *l)
95300 return (long)atomic64_inc_return(v);
95301 }
95302
95303+#ifdef CONFIG_PAX_REFCOUNT
95304+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
95305+{
95306+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95307+
95308+ return (long)atomic64_inc_return_unchecked(v);
95309+}
95310+#endif
95311+
95312 static inline long atomic_long_dec_return(atomic_long_t *l)
95313 {
95314 atomic64_t *v = (atomic64_t *)l;
95315@@ -140,6 +218,12 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
95316
95317 typedef atomic_t atomic_long_t;
95318
95319+#ifdef CONFIG_PAX_REFCOUNT
95320+typedef atomic_unchecked_t atomic_long_unchecked_t;
95321+#else
95322+typedef atomic_t atomic_long_unchecked_t;
95323+#endif
95324+
95325 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
95326 static inline long atomic_long_read(atomic_long_t *l)
95327 {
95328@@ -148,6 +232,15 @@ static inline long atomic_long_read(atomic_long_t *l)
95329 return (long)atomic_read(v);
95330 }
95331
95332+#ifdef CONFIG_PAX_REFCOUNT
95333+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
95334+{
95335+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
95336+
95337+ return (long)atomic_read_unchecked(v);
95338+}
95339+#endif
95340+
95341 static inline void atomic_long_set(atomic_long_t *l, long i)
95342 {
95343 atomic_t *v = (atomic_t *)l;
95344@@ -155,6 +248,15 @@ static inline void atomic_long_set(atomic_long_t *l, long i)
95345 atomic_set(v, i);
95346 }
95347
95348+#ifdef CONFIG_PAX_REFCOUNT
95349+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
95350+{
95351+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
95352+
95353+ atomic_set_unchecked(v, i);
95354+}
95355+#endif
95356+
95357 static inline void atomic_long_inc(atomic_long_t *l)
95358 {
95359 atomic_t *v = (atomic_t *)l;
95360@@ -162,6 +264,15 @@ static inline void atomic_long_inc(atomic_long_t *l)
95361 atomic_inc(v);
95362 }
95363
95364+#ifdef CONFIG_PAX_REFCOUNT
95365+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
95366+{
95367+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
95368+
95369+ atomic_inc_unchecked(v);
95370+}
95371+#endif
95372+
95373 static inline void atomic_long_dec(atomic_long_t *l)
95374 {
95375 atomic_t *v = (atomic_t *)l;
95376@@ -169,6 +280,15 @@ static inline void atomic_long_dec(atomic_long_t *l)
95377 atomic_dec(v);
95378 }
95379
95380+#ifdef CONFIG_PAX_REFCOUNT
95381+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
95382+{
95383+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
95384+
95385+ atomic_dec_unchecked(v);
95386+}
95387+#endif
95388+
95389 static inline void atomic_long_add(long i, atomic_long_t *l)
95390 {
95391 atomic_t *v = (atomic_t *)l;
95392@@ -176,6 +296,15 @@ static inline void atomic_long_add(long i, atomic_long_t *l)
95393 atomic_add(i, v);
95394 }
95395
95396+#ifdef CONFIG_PAX_REFCOUNT
95397+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
95398+{
95399+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
95400+
95401+ atomic_add_unchecked(i, v);
95402+}
95403+#endif
95404+
95405 static inline void atomic_long_sub(long i, atomic_long_t *l)
95406 {
95407 atomic_t *v = (atomic_t *)l;
95408@@ -183,6 +312,15 @@ static inline void atomic_long_sub(long i, atomic_long_t *l)
95409 atomic_sub(i, v);
95410 }
95411
95412+#ifdef CONFIG_PAX_REFCOUNT
95413+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
95414+{
95415+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
95416+
95417+ atomic_sub_unchecked(i, v);
95418+}
95419+#endif
95420+
95421 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
95422 {
95423 atomic_t *v = (atomic_t *)l;
95424@@ -211,13 +349,23 @@ static inline int atomic_long_add_negative(long i, atomic_long_t *l)
95425 return atomic_add_negative(i, v);
95426 }
95427
95428-static inline long atomic_long_add_return(long i, atomic_long_t *l)
95429+static inline long __intentional_overflow(-1) atomic_long_add_return(long i, atomic_long_t *l)
95430 {
95431 atomic_t *v = (atomic_t *)l;
95432
95433 return (long)atomic_add_return(i, v);
95434 }
95435
95436+#ifdef CONFIG_PAX_REFCOUNT
95437+static inline long atomic_long_add_return_unchecked(long i, atomic_long_unchecked_t *l)
95438+{
95439+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
95440+
95441+ return (long)atomic_add_return_unchecked(i, v);
95442+}
95443+
95444+#endif
95445+
95446 static inline long atomic_long_sub_return(long i, atomic_long_t *l)
95447 {
95448 atomic_t *v = (atomic_t *)l;
95449@@ -232,6 +380,15 @@ static inline long atomic_long_inc_return(atomic_long_t *l)
95450 return (long)atomic_inc_return(v);
95451 }
95452
95453+#ifdef CONFIG_PAX_REFCOUNT
95454+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
95455+{
95456+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
95457+
95458+ return (long)atomic_inc_return_unchecked(v);
95459+}
95460+#endif
95461+
95462 static inline long atomic_long_dec_return(atomic_long_t *l)
95463 {
95464 atomic_t *v = (atomic_t *)l;
95465@@ -255,4 +412,57 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
95466
95467 #endif /* BITS_PER_LONG == 64 */
95468
95469+#ifdef CONFIG_PAX_REFCOUNT
95470+static inline void pax_refcount_needs_these_functions(void)
95471+{
95472+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
95473+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
95474+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
95475+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
95476+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
95477+ (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
95478+ atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
95479+ atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
95480+ atomic_dec_unchecked((atomic_unchecked_t *)NULL);
95481+ atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
95482+ (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
95483+#ifdef CONFIG_X86
95484+ atomic_clear_mask_unchecked(0, NULL);
95485+ atomic_set_mask_unchecked(0, NULL);
95486+#endif
95487+
95488+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
95489+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
95490+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
95491+ atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
95492+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
95493+ atomic_long_add_return_unchecked(0, (atomic_long_unchecked_t *)NULL);
95494+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
95495+ atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
95496+}
95497+#else
95498+#define atomic_read_unchecked(v) atomic_read(v)
95499+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
95500+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
95501+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
95502+#define atomic_inc_unchecked(v) atomic_inc(v)
95503+#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
95504+#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
95505+#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
95506+#define atomic_dec_unchecked(v) atomic_dec(v)
95507+#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
95508+#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
95509+#define atomic_clear_mask_unchecked(mask, v) atomic_clear_mask((mask), (v))
95510+#define atomic_set_mask_unchecked(mask, v) atomic_set_mask((mask), (v))
95511+
95512+#define atomic_long_read_unchecked(v) atomic_long_read(v)
95513+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
95514+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
95515+#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
95516+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
95517+#define atomic_long_add_return_unchecked(i, v) atomic_long_add_return((i), (v))
95518+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
95519+#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
95520+#endif
95521+
95522 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
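Review bot: `pax_refcount_needs_these_functions()` has no comment saying that it only references the `_unchecked` API and must never be called, which matters because every call in its body passes a NULL pointer. A header such as `/* never called: only references the *_unchecked ops, presumably so a missing arch implementation fails the build */` would keep it from being wired into real code. The two branches are also asymmetric: the CONFIG_PAX_REFCOUNT side references `atomic_clear_mask_unchecked` and `atomic_set_mask_unchecked` only under CONFIG_X86, while the `#else` side defines both aliases for every architecture. A one-line remark on whether that is deliberate would help.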
95523diff --git a/include/asm-generic/atomic64.h b/include/asm-generic/atomic64.h
95524index 30ad9c8..c70c170 100644
95525--- a/include/asm-generic/atomic64.h
95526+++ b/include/asm-generic/atomic64.h
95527@@ -16,6 +16,8 @@ typedef struct {
95528 long long counter;
95529 } atomic64_t;
95530
95531+typedef atomic64_t atomic64_unchecked_t;
95532+
95533 #define ATOMIC64_INIT(i) { (i) }
95534
95535 extern long long atomic64_read(const atomic64_t *v);
95536@@ -51,4 +53,14 @@ extern int atomic64_add_unless(atomic64_t *v, long long a, long long u);
95537 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
95538 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
95539
95540+#define atomic64_read_unchecked(v) atomic64_read(v)
95541+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
95542+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
95543+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
95544+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
95545+#define atomic64_inc_unchecked(v) atomic64_inc(v)
95546+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
95547+#define atomic64_dec_unchecked(v) atomic64_dec(v)
95548+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
95549+
95550 #endif /* _ASM_GENERIC_ATOMIC64_H */
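Review bot: The `atomic64_*_unchecked` macros forward to the regular `atomic64_*` operations unconditionally, and the previous hunk makes `atomic64_unchecked_t` a plain typedef of `atomic64_t`, so in this header the checked and unchecked APIs are the same code. If the generic implementation does no overflow detection (its definition is not part of this file section), 64-bit counters on architectures using this fallback get no CONFIG_PAX_REFCOUNT protection. That should be stated rather than left to be discovered. A comment above the block, for example `/* generic atomic64 has no overflow-checked variant; *_unchecked are aliases */`, would record it.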
95551diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h
95552index 55e3abc..104e2a1 100644
95553--- a/include/asm-generic/barrier.h
95554+++ b/include/asm-generic/barrier.h
95555@@ -108,7 +108,7 @@
95556 do { \
95557 compiletime_assert_atomic_type(*p); \
95558 smp_mb(); \
95559- ACCESS_ONCE(*p) = (v); \
95560+ ACCESS_ONCE_RW(*p) = (v); \
95561 } while (0)
95562
95563 #define smp_load_acquire(p) \
95564diff --git a/include/asm-generic/bitops/__fls.h b/include/asm-generic/bitops/__fls.h
95565index a60a7cc..0fe12f2 100644
95566--- a/include/asm-generic/bitops/__fls.h
95567+++ b/include/asm-generic/bitops/__fls.h
95568@@ -9,7 +9,7 @@
95569 *
95570 * Undefined if no set bit exists, so code should check against 0 first.
95571 */
95572-static __always_inline unsigned long __fls(unsigned long word)
95573+static __always_inline unsigned long __intentional_overflow(-1) __fls(unsigned long word)
95574 {
95575 int num = BITS_PER_LONG - 1;
95576
95577diff --git a/include/asm-generic/bitops/fls.h b/include/asm-generic/bitops/fls.h
95578index 0576d1f..dad6c71 100644
95579--- a/include/asm-generic/bitops/fls.h
95580+++ b/include/asm-generic/bitops/fls.h
95581@@ -9,7 +9,7 @@
95582 * Note fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32.
95583 */
95584
95585-static __always_inline int fls(int x)
95586+static __always_inline int __intentional_overflow(-1) fls(int x)
95587 {
95588 int r = 32;
95589
95590diff --git a/include/asm-generic/bitops/fls64.h b/include/asm-generic/bitops/fls64.h
95591index b097cf8..3d40e14 100644
95592--- a/include/asm-generic/bitops/fls64.h
95593+++ b/include/asm-generic/bitops/fls64.h
95594@@ -15,7 +15,7 @@
95595 * at position 64.
95596 */
95597 #if BITS_PER_LONG == 32
95598-static __always_inline int fls64(__u64 x)
95599+static __always_inline int __intentional_overflow(-1) fls64(__u64 x)
95600 {
95601 __u32 h = x >> 32;
95602 if (h)
95603@@ -23,7 +23,7 @@ static __always_inline int fls64(__u64 x)
95604 return fls(x);
95605 }
95606 #elif BITS_PER_LONG == 64
95607-static __always_inline int fls64(__u64 x)
95608+static __always_inline int __intentional_overflow(-1) fls64(__u64 x)
95609 {
95610 if (x == 0)
95611 return 0;
95612diff --git a/include/asm-generic/bug.h b/include/asm-generic/bug.h
95613index 630dd23..8c1dcb6b 100644
95614--- a/include/asm-generic/bug.h
95615+++ b/include/asm-generic/bug.h
95616@@ -62,13 +62,13 @@ struct bug_entry {
95617 * to provide better diagnostics.
95618 */
95619 #ifndef __WARN_TAINT
95620-extern __printf(3, 4)
95621+extern __printf(3, 4) __nocapture(1, 3, 4)
95622 void warn_slowpath_fmt(const char *file, const int line,
95623 const char *fmt, ...);
95624-extern __printf(4, 5)
95625+extern __printf(4, 5) __nocapture(1, 4, 5)
95626 void warn_slowpath_fmt_taint(const char *file, const int line, unsigned taint,
95627 const char *fmt, ...);
95628-extern void warn_slowpath_null(const char *file, const int line);
95629+extern __nocapture(1) void warn_slowpath_null(const char *file, const int line);
95630 #define WANT_WARN_ON_SLOWPATH
95631 #define __WARN() warn_slowpath_null(__FILE__, __LINE__)
95632 #define __WARN_printf(arg...) warn_slowpath_fmt(__FILE__, __LINE__, arg)
95633diff --git a/include/asm-generic/cache.h b/include/asm-generic/cache.h
95634index 1bfcfe5..e04c5c9 100644
95635--- a/include/asm-generic/cache.h
95636+++ b/include/asm-generic/cache.h
95637@@ -6,7 +6,7 @@
95638 * cache lines need to provide their own cache.h.
95639 */
95640
95641-#define L1_CACHE_SHIFT 5
95642-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
95643+#define L1_CACHE_SHIFT 5UL
95644+#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
95645
95646 #endif /* __ASM_GENERIC_CACHE_H */
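Review bot: `L1_CACHE_SHIFT` becomes `5UL` and `L1_CACHE_BYTES` uses `1UL`, and a C integer suffix is not understood by the assembler, so any `.S` user of these constants that reaches this header would stop building. Whether such a user exists cannot be seen from this hunk. The pgtable-nopmd.h and pgtable-nopud.h sections of the same patch use `_AC(1,UL)` for this situation. Keeping the shift a plain `5` and writing `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)` gives the unsigned long width in C without changing what assembly sees; `_AC` needs `<linux/const.h>`.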
95647diff --git a/include/asm-generic/emergency-restart.h b/include/asm-generic/emergency-restart.h
95648index 0d68a1e..b74a761 100644
95649--- a/include/asm-generic/emergency-restart.h
95650+++ b/include/asm-generic/emergency-restart.h
95651@@ -1,7 +1,7 @@
95652 #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
95653 #define _ASM_GENERIC_EMERGENCY_RESTART_H
95654
95655-static inline void machine_emergency_restart(void)
95656+static inline __noreturn void machine_emergency_restart(void)
95657 {
95658 machine_restart(NULL);
95659 }
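Review bot: The `__noreturn` added to `machine_emergency_restart()` is only true if `machine_restart()` never returns, and that declaration is not visible in this hunk. If `machine_restart()` is not itself declared `__noreturn`, the compiler will warn that a noreturn function can return, and an actual return at run time from a function marked this way is undefined behaviour. Either confirm that the declaration carries the attribute or make the body self-sufficient, e.g. `machine_restart(NULL); for (;;) ;`.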
95660diff --git a/include/asm-generic/kmap_types.h b/include/asm-generic/kmap_types.h
95661index 90f99c7..00ce236 100644
95662--- a/include/asm-generic/kmap_types.h
95663+++ b/include/asm-generic/kmap_types.h
95664@@ -2,9 +2,9 @@
95665 #define _ASM_GENERIC_KMAP_TYPES_H
95666
95667 #ifdef __WITH_KM_FENCE
95668-# define KM_TYPE_NR 41
95669+# define KM_TYPE_NR 42
95670 #else
95671-# define KM_TYPE_NR 20
95672+# define KM_TYPE_NR 21
95673 #endif
95674
95675 #endif
95676diff --git a/include/asm-generic/local.h b/include/asm-generic/local.h
95677index 9ceb03b..62b0b8f 100644
95678--- a/include/asm-generic/local.h
95679+++ b/include/asm-generic/local.h
95680@@ -23,24 +23,37 @@ typedef struct
95681 atomic_long_t a;
95682 } local_t;
95683
95684+typedef struct {
95685+ atomic_long_unchecked_t a;
95686+} local_unchecked_t;
95687+
95688 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
95689
95690 #define local_read(l) atomic_long_read(&(l)->a)
95691+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
95692 #define local_set(l,i) atomic_long_set((&(l)->a),(i))
95693+#define local_set_unchecked(l,i) atomic_long_set_unchecked((&(l)->a),(i))
95694 #define local_inc(l) atomic_long_inc(&(l)->a)
95695+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
95696 #define local_dec(l) atomic_long_dec(&(l)->a)
95697+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
95698 #define local_add(i,l) atomic_long_add((i),(&(l)->a))
95699+#define local_add_unchecked(i,l) atomic_long_add_unchecked((i),(&(l)->a))
95700 #define local_sub(i,l) atomic_long_sub((i),(&(l)->a))
95701+#define local_sub_unchecked(i,l) atomic_long_sub_unchecked((i),(&(l)->a))
95702
95703 #define local_sub_and_test(i, l) atomic_long_sub_and_test((i), (&(l)->a))
95704 #define local_dec_and_test(l) atomic_long_dec_and_test(&(l)->a)
95705 #define local_inc_and_test(l) atomic_long_inc_and_test(&(l)->a)
95706 #define local_add_negative(i, l) atomic_long_add_negative((i), (&(l)->a))
95707 #define local_add_return(i, l) atomic_long_add_return((i), (&(l)->a))
95708+#define local_add_return_unchecked(i, l) atomic_long_add_return_unchecked((i), (&(l)->a))
95709 #define local_sub_return(i, l) atomic_long_sub_return((i), (&(l)->a))
95710 #define local_inc_return(l) atomic_long_inc_return(&(l)->a)
95711+#define local_dec_return(l) atomic_long_dec_return(&(l)->a)
95712
95713 #define local_cmpxchg(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
95714+#define local_cmpxchg_unchecked(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
95715 #define local_xchg(l, n) atomic_long_xchg((&(l)->a), (n))
95716 #define local_add_unless(l, _a, u) atomic_long_add_unless((&(l)->a), (_a), (u))
95717 #define local_inc_not_zero(l) atomic_long_inc_not_zero(&(l)->a)
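Review bot: `local_cmpxchg_unchecked()` forwards to `atomic_long_cmpxchg()`, not to an `_unchecked` operation, although `(l)->a` in a `local_unchecked_t` is an `atomic_long_unchecked_t`. A compare-and-exchange does no arithmetic, so this is probably deliberate, but it relies on `atomic_long_cmpxchg()` accepting a pointer to the unchecked type, which is not visible here. Add a comment such as `/* cmpxchg cannot overflow, so the checked op is reused */`. The set of `_unchecked` wrappers is also partial (no `local_inc_return_unchecked` or `local_xchg_unchecked`), and `local_dec_return` is added without an unchecked counterpart. A line saying which omissions are intentional would save the next reader a search.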
95718diff --git a/include/asm-generic/pgtable-nopmd.h b/include/asm-generic/pgtable-nopmd.h
95719index 725612b..9cc513a 100644
95720--- a/include/asm-generic/pgtable-nopmd.h
95721+++ b/include/asm-generic/pgtable-nopmd.h
95722@@ -1,14 +1,19 @@
95723 #ifndef _PGTABLE_NOPMD_H
95724 #define _PGTABLE_NOPMD_H
95725
95726-#ifndef __ASSEMBLY__
95727-
95728 #include <asm-generic/pgtable-nopud.h>
95729
95730-struct mm_struct;
95731-
95732 #define __PAGETABLE_PMD_FOLDED
95733
95734+#define PMD_SHIFT PUD_SHIFT
95735+#define PTRS_PER_PMD 1
95736+#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
95737+#define PMD_MASK (~(PMD_SIZE-1))
95738+
95739+#ifndef __ASSEMBLY__
95740+
95741+struct mm_struct;
95742+
95743 /*
95744 * Having the pmd type consist of a pud gets the size right, and allows
95745 * us to conceptually access the pud entry that this pmd is folded into
95746@@ -16,11 +21,6 @@ struct mm_struct;
95747 */
95748 typedef struct { pud_t pud; } pmd_t;
95749
95750-#define PMD_SHIFT PUD_SHIFT
95751-#define PTRS_PER_PMD 1
95752-#define PMD_SIZE (1UL << PMD_SHIFT)
95753-#define PMD_MASK (~(PMD_SIZE-1))
95754-
95755 /*
95756 * The "pud_xxx()" functions here are trivial for a folded two-level
95757 * setup: the pmd is never bad, and a pmd always exists (as it's folded
95758diff --git a/include/asm-generic/pgtable-nopud.h b/include/asm-generic/pgtable-nopud.h
95759index 810431d..0ec4804f 100644
95760--- a/include/asm-generic/pgtable-nopud.h
95761+++ b/include/asm-generic/pgtable-nopud.h
95762@@ -1,10 +1,15 @@
95763 #ifndef _PGTABLE_NOPUD_H
95764 #define _PGTABLE_NOPUD_H
95765
95766-#ifndef __ASSEMBLY__
95767-
95768 #define __PAGETABLE_PUD_FOLDED
95769
95770+#define PUD_SHIFT PGDIR_SHIFT
95771+#define PTRS_PER_PUD 1
95772+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
95773+#define PUD_MASK (~(PUD_SIZE-1))
95774+
95775+#ifndef __ASSEMBLY__
95776+
95777 /*
95778 * Having the pud type consist of a pgd gets the size right, and allows
95779 * us to conceptually access the pgd entry that this pud is folded into
95780@@ -12,11 +17,6 @@
95781 */
95782 typedef struct { pgd_t pgd; } pud_t;
95783
95784-#define PUD_SHIFT PGDIR_SHIFT
95785-#define PTRS_PER_PUD 1
95786-#define PUD_SIZE (1UL << PUD_SHIFT)
95787-#define PUD_MASK (~(PUD_SIZE-1))
95788-
95789 /*
95790 * The "pgd_xxx()" functions here are trivial for a folded two-level
95791 * setup: the pud is never bad, and a pud always exists (as it's folded
95792@@ -29,6 +29,7 @@ static inline void pgd_clear(pgd_t *pgd) { }
95793 #define pud_ERROR(pud) (pgd_ERROR((pud).pgd))
95794
95795 #define pgd_populate(mm, pgd, pud) do { } while (0)
95796+#define pgd_populate_kernel(mm, pgd, pud) do { } while (0)
95797 /*
95798 * (puds are folded into pgds so this doesn't get actually called,
95799 * but the define is needed for a generic inline function.)
95800diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
95801index 29c57b2..da571a2 100644
95802--- a/include/asm-generic/pgtable.h
95803+++ b/include/asm-generic/pgtable.h
95804@@ -715,6 +715,22 @@ static inline int pmd_protnone(pmd_t pmd)
95805 }
95806 #endif /* CONFIG_NUMA_BALANCING */
95807
95808+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
95809+#ifdef CONFIG_PAX_KERNEXEC
95810+#error KERNEXEC requires pax_open_kernel
95811+#else
95812+static inline unsigned long pax_open_kernel(void) { return 0; }
95813+#endif
95814+#endif
95815+
95816+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
95817+#ifdef CONFIG_PAX_KERNEXEC
95818+#error KERNEXEC requires pax_close_kernel
95819+#else
95820+static inline unsigned long pax_close_kernel(void) { return 0; }
95821+#endif
95822+#endif
95823+
95824 #endif /* CONFIG_MMU */
95825
95826 #ifdef CONFIG_HAVE_ARCH_HUGE_VMAP
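Review bot: The fallback `pax_open_kernel()` and `pax_close_kernel()` stubs return a bare `0` with no comment on what the `unsigned long` return value means or that they are no-ops when CONFIG_PAX_KERNEXEC is off. A reader of a call site cannot tell from here whether the value must be carried from open to close or may be ignored. A short comment above the pair, e.g. `/* no KERNEXEC: nothing to open or close, both are no-ops */`, would document it. The `pax_open_userland()`/`pax_close_userland()` stubs in the asm-generic/uaccess.h hunk have the same gap.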
95827diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h
95828index b58fd66..6cfae67 100644
95829--- a/include/asm-generic/sections.h
95830+++ b/include/asm-generic/sections.h
95831@@ -30,6 +30,7 @@ extern char _data[], _sdata[], _edata[];
95832 extern char __bss_start[], __bss_stop[];
95833 extern char __init_begin[], __init_end[];
95834 extern char _sinittext[], _einittext[];
95835+extern char _sinitdata[], _einitdata[];
95836 extern char _end[];
95837 extern char __per_cpu_load[], __per_cpu_start[], __per_cpu_end[];
95838 extern char __kprobes_text_start[], __kprobes_text_end[];
95839diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
95840index 72d8803..cb9749c 100644
95841--- a/include/asm-generic/uaccess.h
95842+++ b/include/asm-generic/uaccess.h
95843@@ -343,4 +343,20 @@ clear_user(void __user *to, unsigned long n)
95844 return __clear_user(to, n);
95845 }
95846
95847+#ifndef __HAVE_ARCH_PAX_OPEN_USERLAND
95848+#ifdef CONFIG_PAX_MEMORY_UDEREF
95849+#error UDEREF requires pax_open_userland
95850+#else
95851+static inline unsigned long pax_open_userland(void) { return 0; }
95852+#endif
95853+#endif
95854+
95855+#ifndef __HAVE_ARCH_PAX_CLOSE_USERLAND
95856+#ifdef CONFIG_PAX_MEMORY_UDEREF
95857+#error UDEREF requires pax_close_userland
95858+#else
95859+static inline unsigned long pax_close_userland(void) { return 0; }
95860+#endif
95861+#endif
95862+
95863 #endif /* __ASM_GENERIC_UACCESS_H */
95864diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
95865index 8bd374d..2665ce3 100644
95866--- a/include/asm-generic/vmlinux.lds.h
95867+++ b/include/asm-generic/vmlinux.lds.h
95868@@ -246,6 +246,7 @@
95869 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
95870 VMLINUX_SYMBOL(__start_rodata) = .; \
95871 *(.rodata) *(.rodata.*) \
95872+ *(.data..read_only) \
95873 *(__vermagic) /* Kernel version magic */ \
95874 . = ALIGN(8); \
95875 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
95876@@ -504,6 +505,7 @@
95877 KERNEL_CTORS() \
95878 MCOUNT_REC() \
95879 *(.init.rodata) \
95880+ *(.init.rodata.*) \
95881 FTRACE_EVENTS() \
95882 TRACE_SYSCALLS() \
95883 KPROBE_BLACKLIST() \
95884@@ -525,6 +527,8 @@
95885
95886 #define EXIT_DATA \
95887 *(.exit.data) \
95888+ *(.exit.rodata) \
95889+ *(.exit.rodata.*) \
95890 MEM_DISCARD(exit.data) \
95891 MEM_DISCARD(exit.rodata)
95892
95893@@ -741,17 +745,18 @@
95894 * section in the linker script will go there too. @phdr should have
95895 * a leading colon.
95896 *
95897- * Note that this macros defines __per_cpu_load as an absolute symbol.
95898+ * Note that this macros defines per_cpu_load as an absolute symbol.
95899 * If there is no need to put the percpu section at a predetermined
95900 * address, use PERCPU_SECTION.
95901 */
95902 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
95903- VMLINUX_SYMBOL(__per_cpu_load) = .; \
95904- .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
95905+ per_cpu_load = .; \
95906+ .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
95907 - LOAD_OFFSET) { \
95908+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
95909 PERCPU_INPUT(cacheline) \
95910 } phdr \
95911- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
95912+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
95913
95914 /**
95915 * PERCPU_SECTION - define output section for percpu area, simple version
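Review bot: The new `per_cpu_load` symbol is assigned bare (`per_cpu_load = .;`) and read bare inside the section, but both the `AT(...)` expression and the final location-counter assignment go through `VMLINUX_SYMBOL(per_cpu_load)`. On a configuration where `VMLINUX_SYMBOL()` adds a prefix, those two uses would name a symbol that was never defined; use the wrapper in all four places or in none. The updated comment also says the macro defines `per_cpu_load` as an absolute symbol and no longer mentions `__per_cpu_load`, which is still defined, now inside the output section. The comment should describe both symbols.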
95916@@ -813,12 +818,14 @@
95917
95918 #define INIT_DATA_SECTION(initsetup_align) \
95919 .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { \
95920+ VMLINUX_SYMBOL(_sinitdata) = .; \
95921 INIT_DATA \
95922 INIT_SETUP(initsetup_align) \
95923 INIT_CALLS \
95924 CON_INITCALL \
95925 SECURITY_INITCALL \
95926 INIT_RAM_FS \
95927+ VMLINUX_SYMBOL(_einitdata) = .; \
95928 }
95929
95930 #define BSS_SECTION(sbss_align, bss_align, stop_align) \
95931diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
95932index d4ebf6e..ca4bd35 100644
95933--- a/include/crypto/algapi.h
95934+++ b/include/crypto/algapi.h
95935@@ -35,7 +35,7 @@ struct crypto_type {
95936 unsigned int maskclear;
95937 unsigned int maskset;
95938 unsigned int tfmsize;
95939-};
95940+} __do_const;
95941
95942 struct crypto_instance {
95943 struct crypto_alg alg;
95944diff --git a/include/drm/drmP.h b/include/drm/drmP.h
95945index 5aa5197..e4ca348 100644
95946--- a/include/drm/drmP.h
95947+++ b/include/drm/drmP.h
95948@@ -59,6 +59,7 @@
95949
95950 #include <asm/mman.h>
95951 #include <asm/pgalloc.h>
95952+#include <asm/local.h>
95953 #include <asm/uaccess.h>
95954
95955 #include <uapi/drm/drm.h>
95956@@ -137,17 +138,18 @@ void drm_err(const char *format, ...);
95957 /*@{*/
95958
95959 /* driver capabilities and requirements mask */
95960-#define DRIVER_USE_AGP 0x1
95961-#define DRIVER_PCI_DMA 0x8
95962-#define DRIVER_SG 0x10
95963-#define DRIVER_HAVE_DMA 0x20
95964-#define DRIVER_HAVE_IRQ 0x40
95965-#define DRIVER_IRQ_SHARED 0x80
95966-#define DRIVER_GEM 0x1000
95967-#define DRIVER_MODESET 0x2000
95968-#define DRIVER_PRIME 0x4000
95969-#define DRIVER_RENDER 0x8000
95970-#define DRIVER_ATOMIC 0x10000
95971+#define DRIVER_USE_AGP 0x1
95972+#define DRIVER_PCI_DMA 0x8
95973+#define DRIVER_SG 0x10
95974+#define DRIVER_HAVE_DMA 0x20
95975+#define DRIVER_HAVE_IRQ 0x40
95976+#define DRIVER_IRQ_SHARED 0x80
95977+#define DRIVER_GEM 0x1000
95978+#define DRIVER_MODESET 0x2000
95979+#define DRIVER_PRIME 0x4000
95980+#define DRIVER_RENDER 0x8000
95981+#define DRIVER_ATOMIC 0x10000
95982+#define DRIVER_KMS_LEGACY_CONTEXT 0x20000
95983
95984 /***********************************************************************/
95985 /** \name Macros to make printk easier */
95986@@ -233,10 +235,12 @@ void drm_err(const char *format, ...);
95987 * \param cmd command.
95988 * \param arg argument.
95989 */
95990-typedef int drm_ioctl_t(struct drm_device *dev, void *data,
95991+typedef int (* const drm_ioctl_t)(struct drm_device *dev, void *data,
95992+ struct drm_file *file_priv);
95993+typedef int (* drm_ioctl_no_const_t)(struct drm_device *dev, void *data,
95994 struct drm_file *file_priv);
95995
95996-typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
95997+typedef int (* const drm_ioctl_compat_t)(struct file *filp, unsigned int cmd,
95998 unsigned long arg);
95999
96000 #define DRM_IOCTL_NR(n) _IOC_NR(n)
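Review bot: `drm_ioctl_t` and `drm_ioctl_compat_t` change from function types to `const` pointer-to-function types, so any declaration elsewhere that still writes `drm_ioctl_t *` now means a pointer to a pointer. The `drm_ioctl_desc` hunk below is adjusted; other users are outside this file section and need the same check. The existing doc comment ends up attached to `drm_ioctl_t` only, and `drm_ioctl_no_const_t` is introduced with no explanation. Add a line such as `/* writable variant, for handler pointers that are assigned at run time */` if that is its purpose.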
96001@@ -252,9 +256,9 @@ typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
96002 struct drm_ioctl_desc {
96003 unsigned int cmd;
96004 int flags;
96005- drm_ioctl_t *func;
96006+ drm_ioctl_t func;
96007 const char *name;
96008-};
96009+} __do_const;
96010
96011 /**
96012 * Creates a driver or general drm_ioctl_desc array entry for the given
96013@@ -647,7 +651,8 @@ struct drm_info_list {
96014 int (*show)(struct seq_file*, void*); /** show callback */
96015 u32 driver_features; /**< Required driver features for this entry */
96016 void *data;
96017-};
96018+} __do_const;
96019+typedef struct drm_info_list __no_const drm_info_list_no_const;
96020
96021 /**
96022 * debugfs node structure. This structure represents a debugfs file.
96023@@ -735,7 +740,7 @@ struct drm_device {
96024
96025 /** \name Usage Counters */
96026 /*@{ */
96027- int open_count; /**< Outstanding files open, protected by drm_global_mutex. */
96028+ local_t open_count; /**< Outstanding files open, protected by drm_global_mutex. */
96029 spinlock_t buf_lock; /**< For drm_device::buf_use and a few other things. */
96030 int buf_use; /**< Buffers in use -- cannot alloc */
96031 atomic_t buf_alloc; /**< Buffer allocation in progress */
96032diff --git a/include/drm/drm_crtc_helper.h b/include/drm/drm_crtc_helper.h
96033index 918aa68..f162a8a 100644
96034--- a/include/drm/drm_crtc_helper.h
96035+++ b/include/drm/drm_crtc_helper.h
96036@@ -161,7 +161,7 @@ struct drm_encoder_helper_funcs {
96037 int (*atomic_check)(struct drm_encoder *encoder,
96038 struct drm_crtc_state *crtc_state,
96039 struct drm_connector_state *conn_state);
96040-};
96041+} __no_const;
96042
96043 /**
96044 * struct drm_connector_helper_funcs - helper operations for connectors
96045diff --git a/include/drm/drm_mm.h b/include/drm/drm_mm.h
96046index 0de6290..600f107 100644
96047--- a/include/drm/drm_mm.h
96048+++ b/include/drm/drm_mm.h
96049@@ -297,7 +297,7 @@ void drm_mm_remove_node(struct drm_mm_node *node);
96050 void drm_mm_replace_node(struct drm_mm_node *old, struct drm_mm_node *new);
96051 void drm_mm_init(struct drm_mm *mm,
96052 u64 start,
96053- u64 size);
96054+ u64 size) __intentional_overflow(-1);
96055 void drm_mm_takedown(struct drm_mm *mm);
96056 bool drm_mm_clean(struct drm_mm *mm);
96057
96058diff --git a/include/drm/i915_pciids.h b/include/drm/i915_pciids.h
96059index 17c4456..da0c5eb 100644
96060--- a/include/drm/i915_pciids.h
96061+++ b/include/drm/i915_pciids.h
96062@@ -37,7 +37,7 @@
96063 */
96064 #define INTEL_VGA_DEVICE(id, info) { \
96065 0x8086, id, \
96066- ~0, ~0, \
96067+ PCI_ANY_ID, PCI_ANY_ID, \
96068 0x030000, 0xff0000, \
96069 (unsigned long) info }
96070
96071diff --git a/include/drm/intel-gtt.h b/include/drm/intel-gtt.h
96072index b08bdad..21e6054 100644
96073--- a/include/drm/intel-gtt.h
96074+++ b/include/drm/intel-gtt.h
96075@@ -3,8 +3,8 @@
96076 #ifndef _DRM_INTEL_GTT_H
96077 #define _DRM_INTEL_GTT_H
96078
96079-void intel_gtt_get(size_t *gtt_total, size_t *stolen_size,
96080- phys_addr_t *mappable_base, unsigned long *mappable_end);
96081+void intel_gtt_get(uint64_t *gtt_total, uint64_t *stolen_size,
96082+ uint64_t *mappable_base, uint64_t *mappable_end);
96083
96084 int intel_gmch_probe(struct pci_dev *bridge_pdev, struct pci_dev *gpu_pdev,
96085 struct agp_bridge_data *bridge);
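Review bot: All four out-parameters of `intel_gtt_get()` become `uint64_t *`, but only the prototype is changed in this hunk. A caller that still passes the address of a `size_t`, `phys_addr_t` or `unsigned long` variable would, on a 32-bit build, hand an 8-byte store a 4-byte object, and the compiler reports that only as an incompatible-pointer-type warning. The definition and the call sites are outside this hunk, so check that each of them now declares 64-bit locals. Building this change with `-Werror=incompatible-pointer-types` would catch any caller that was missed.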
96086diff --git a/include/drm/ttm/ttm_memory.h b/include/drm/ttm/ttm_memory.h
96087index 72dcbe8..8db58d7 100644
96088--- a/include/drm/ttm/ttm_memory.h
96089+++ b/include/drm/ttm/ttm_memory.h
96090@@ -48,7 +48,7 @@
96091
96092 struct ttm_mem_shrink {
96093 int (*do_shrink) (struct ttm_mem_shrink *);
96094-};
96095+} __no_const;
96096
96097 /**
96098 * struct ttm_mem_global - Global memory accounting structure.
96099diff --git a/include/drm/ttm/ttm_page_alloc.h b/include/drm/ttm/ttm_page_alloc.h
96100index 49a8284..9643967 100644
96101--- a/include/drm/ttm/ttm_page_alloc.h
96102+++ b/include/drm/ttm/ttm_page_alloc.h
96103@@ -80,6 +80,7 @@ void ttm_dma_page_alloc_fini(void);
96104 */
96105 extern int ttm_dma_page_alloc_debugfs(struct seq_file *m, void *data);
96106
96107+struct device;
96108 extern int ttm_dma_populate(struct ttm_dma_tt *ttm_dma, struct device *dev);
96109 extern void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev);
96110
96111diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h
96112index 4b840e8..155d235 100644
96113--- a/include/keys/asymmetric-subtype.h
96114+++ b/include/keys/asymmetric-subtype.h
96115@@ -37,7 +37,7 @@ struct asymmetric_key_subtype {
96116 /* Verify the signature on a key of this subtype (optional) */
96117 int (*verify_signature)(const struct key *key,
96118 const struct public_key_signature *sig);
96119-};
96120+} __do_const;
96121
96122 /**
96123 * asymmetric_key_subtype - Get the subtype from an asymmetric key
96124diff --git a/include/linux/atmdev.h b/include/linux/atmdev.h
96125index c1da539..1dcec55 100644
96126--- a/include/linux/atmdev.h
96127+++ b/include/linux/atmdev.h
96128@@ -28,7 +28,7 @@ struct compat_atm_iobuf {
96129 #endif
96130
96131 struct k_atm_aal_stats {
96132-#define __HANDLE_ITEM(i) atomic_t i
96133+#define __HANDLE_ITEM(i) atomic_unchecked_t i
96134 __AAL_STAT_ITEMS
96135 #undef __HANDLE_ITEM
96136 };
96137@@ -200,7 +200,7 @@ struct atmdev_ops { /* only send is required */
96138 int (*change_qos)(struct atm_vcc *vcc,struct atm_qos *qos,int flags);
96139 int (*proc_read)(struct atm_dev *dev,loff_t *pos,char *page);
96140 struct module *owner;
96141-};
96142+} __do_const ;
96143
96144 struct atmphy_ops {
96145 int (*start)(struct atm_dev *dev);
96146diff --git a/include/linux/atomic.h b/include/linux/atomic.h
96147index 5b08a85..60922fb 100644
96148--- a/include/linux/atomic.h
96149+++ b/include/linux/atomic.h
96150@@ -12,7 +12,7 @@
96151 * Atomically adds @a to @v, so long as @v was not already @u.
96152 * Returns non-zero if @v was not @u, and zero otherwise.
96153 */
96154-static inline int atomic_add_unless(atomic_t *v, int a, int u)
96155+static inline int __intentional_overflow(-1) atomic_add_unless(atomic_t *v, int a, int u)
96156 {
96157 return __atomic_add_unless(v, a, u) != u;
96158 }
96159diff --git a/include/linux/audit.h b/include/linux/audit.h
96160index c2e7e3a..8bfc0e1 100644
96161--- a/include/linux/audit.h
96162+++ b/include/linux/audit.h
96163@@ -223,7 +223,7 @@ static inline void audit_ptrace(struct task_struct *t)
96164 extern unsigned int audit_serial(void);
96165 extern int auditsc_get_stamp(struct audit_context *ctx,
96166 struct timespec *t, unsigned int *serial);
96167-extern int audit_set_loginuid(kuid_t loginuid);
96168+extern int __intentional_overflow(-1) audit_set_loginuid(kuid_t loginuid);
96169
96170 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
96171 {
96172diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
96173index 576e463..28fd926 100644
96174--- a/include/linux/binfmts.h
96175+++ b/include/linux/binfmts.h
96176@@ -44,7 +44,7 @@ struct linux_binprm {
96177 unsigned interp_flags;
96178 unsigned interp_data;
96179 unsigned long loader, exec;
96180-};
96181+} __randomize_layout;
96182
96183 #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
96184 #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
96185@@ -77,8 +77,10 @@ struct linux_binfmt {
96186 int (*load_binary)(struct linux_binprm *);
96187 int (*load_shlib)(struct file *);
96188 int (*core_dump)(struct coredump_params *cprm);
96189+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
96190+ void (*handle_mmap)(struct file *);
96191 unsigned long min_coredump; /* minimal dump size */
96192-};
96193+} __do_const __randomize_layout;
96194
96195 extern void __register_binfmt(struct linux_binfmt *fmt, int insert);
96196
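Review bot: The two callbacks added to `struct linux_binfmt`, `handle_mprotect` and `handle_mmap`, have no comment saying when they are invoked or that they are optional. Binary formats that do not set them leave the pointers NULL, so every call site (outside this hunk) has to test the pointer before calling; say so next to the members, e.g. `/* optional, may be NULL */`. Assuming `__randomize_layout` reorders members as its name suggests, every initialiser of this struct and of `struct linux_binprm` must also use designated fields (`.load_binary = ...`), because positional initialisation no longer matches a fixed order.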
96197diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
96198index ea17cca..dd56e56 100644
96199--- a/include/linux/bitmap.h
96200+++ b/include/linux/bitmap.h
96201@@ -295,7 +295,7 @@ static inline int bitmap_full(const unsigned long *src, unsigned int nbits)
96202 return find_first_zero_bit(src, nbits) == nbits;
96203 }
96204
96205-static inline int bitmap_weight(const unsigned long *src, unsigned int nbits)
96206+static inline int __intentional_overflow(-1) bitmap_weight(const unsigned long *src, unsigned int nbits)
96207 {
96208 if (small_const_nbits(nbits))
96209 return hweight_long(*src & BITMAP_LAST_WORD_MASK(nbits));
96210diff --git a/include/linux/bitops.h b/include/linux/bitops.h
96211index 297f5bd..5892caa 100644
96212--- a/include/linux/bitops.h
96213+++ b/include/linux/bitops.h
96214@@ -75,7 +75,7 @@ static __inline__ int get_count_order(unsigned int count)
96215 return order;
96216 }
96217
96218-static inline unsigned long hweight_long(unsigned long w)
96219+static inline unsigned long __intentional_overflow(-1) hweight_long(unsigned long w)
96220 {
96221 return sizeof(w) == 4 ? hweight32(w) : hweight64(w);
96222 }
96223@@ -105,7 +105,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift)
96224 * @word: value to rotate
96225 * @shift: bits to roll
96226 */
96227-static inline __u32 rol32(__u32 word, unsigned int shift)
96228+static inline __u32 __intentional_overflow(-1) rol32(__u32 word, unsigned int shift)
96229 {
96230 return (word << shift) | (word >> (32 - shift));
96231 }
96232@@ -115,7 +115,7 @@ static inline __u32 rol32(__u32 word, unsigned int shift)
96233 * @word: value to rotate
96234 * @shift: bits to roll
96235 */
96236-static inline __u32 ror32(__u32 word, unsigned int shift)
96237+static inline __u32 __intentional_overflow(-1) ror32(__u32 word, unsigned int shift)
96238 {
96239 return (word >> shift) | (word << (32 - shift));
96240 }
96241@@ -171,7 +171,7 @@ static inline __s32 sign_extend32(__u32 value, int index)
96242 return (__s32)(value << shift) >> shift;
96243 }
96244
96245-static inline unsigned fls_long(unsigned long l)
96246+static inline unsigned __intentional_overflow(-1) fls_long(unsigned long l)
96247 {
96248 if (sizeof(l) == 4)
96249 return fls(l);
96250diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
96251index d4068c1..77159a1 100644
96252--- a/include/linux/blkdev.h
96253+++ b/include/linux/blkdev.h
96254@@ -1567,7 +1567,7 @@ struct block_device_operations {
96255 /* this callback is with swap_lock and sometimes page table lock held */
96256 void (*swap_slot_free_notify) (struct block_device *, unsigned long);
96257 struct module *owner;
96258-};
96259+} __do_const;
96260
96261 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
96262 unsigned long);
96263diff --git a/include/linux/blktrace_api.h b/include/linux/blktrace_api.h
96264index afc1343..9735539 100644
96265--- a/include/linux/blktrace_api.h
96266+++ b/include/linux/blktrace_api.h
96267@@ -25,7 +25,7 @@ struct blk_trace {
96268 struct dentry *dropped_file;
96269 struct dentry *msg_file;
96270 struct list_head running_list;
96271- atomic_t dropped;
96272+ atomic_unchecked_t dropped;
96273 };
96274
96275 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
96276diff --git a/include/linux/cache.h b/include/linux/cache.h
96277index 17e7e82..1d7da26 100644
96278--- a/include/linux/cache.h
96279+++ b/include/linux/cache.h
96280@@ -16,6 +16,14 @@
96281 #define __read_mostly
96282 #endif
96283
96284+#ifndef __read_only
96285+#ifdef CONFIG_PAX_KERNEXEC
96286+#error KERNEXEC requires __read_only
96287+#else
96288+#define __read_only __read_mostly
96289+#endif
96290+#endif
96291+
96292 #ifndef ____cacheline_aligned
96293 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
96294 #endif
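Review bot: The fallback `#define __read_only __read_mostly` silently turns a protection annotation into a placement hint, and nothing in the block says so. Without CONFIG_PAX_KERNEXEC a variable marked `__read_only` stays writable at run time, which a reader of that variable's declaration would not expect. Add a comment above the fallback, for example `/* without KERNEXEC, __read_only is only a section hint; the data remains writable */`.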
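--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -237,15 +237,28 @@ static inline bool capable(int cap)
 {
 return true;
 }
+static inline bool capable_nolog(int cap)
+{
+ return true;
+}
 static inline bool ns_capable(struct user_namespace *ns, int cap)
 {
 return true;
 }
+static inline bool ns_capable_nolog(struct user_namespace *ns, int cap)
+{
+ return true;
+}
 #endif /* CONFIG_MULTIUSER */
 extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
+extern bool capable_wrt_inode_uidgid_nolog(const struct inode *inode, int cap);
 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
+extern bool capable_nolog(int cap);
+extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
 
 /* audit system wants to get cap info from files as well */
 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
 
+extern int is_privileged_binary(const struct dentry *dentry);
+
 #endif /* !_LINUX_CAPABILITY_H */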
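Review bot: The new prototypes `extern bool capable_nolog(int cap);` and `extern bool ns_capable_nolog(struct user_namespace *ns, int cap);` sit after `#endif /* CONFIG_MULTIUSER */`, so a build that takes the stub branch sees both the `static inline` definitions added above and these `extern` declarations. C lets the later `extern` inherit the earlier internal linkage, so this compiles, but it reads as if an out-of-line definition always exists. The `capable()` and `ns_capable()` stubs appear to be paired with prototypes in the other branch of the conditional, which starts outside the hunk; moving the two `_nolog` prototypes there would keep that pattern. A short comment on the stubs, such as `/* !CONFIG_MULTIUSER: every capability check succeeds, nothing to log */`, would also make the always-true result explicit.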
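--- a/include/linux/cdrom.h
+++ b/include/linux/cdrom.h
@@ -87,7 +87,6 @@ struct cdrom_device_ops {
 
 /* driver specifications */
 const int capability; /* capability flags */
- int n_minors; /* number of active minor devices */
 /* handle uniform packets for scsi type devices (scsi,atapi) */
 int (*generic_packet) (struct cdrom_device_info *,
 struct packet_command *);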
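--- a/include/linux/cleancache.h
+++ b/include/linux/cleancache.h
@@ -35,7 +35,7 @@ struct cleancache_ops {
 void (*invalidate_page)(int, struct cleancache_filekey, pgoff_t);
 void (*invalidate_inode)(int, struct cleancache_filekey);
 void (*invalidate_fs)(int);
-};
+} __no_const;
 
 extern int cleancache_register_ops(struct cleancache_ops *ops);
 extern void __cleancache_init_fs(struct super_block *);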
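--- a/include/linux/clk-provider.h
+++ b/include/linux/clk-provider.h
@@ -196,6 +196,7 @@ struct clk_ops {
 void (*init)(struct clk_hw *hw);
 int (*debug_init)(struct clk_hw *hw, struct dentry *dentry);
 };
+typedef struct clk_ops __no_const clk_ops_no_const;
 
 /**
 * struct clk_init_data - holds init data that's common to all clocks and is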
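--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -316,7 +316,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
 compat_size_t __user *len_ptr);
 
 asmlinkage long compat_sys_ipc(u32, int, int, u32, compat_uptr_t, u32);
-asmlinkage long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg);
+asmlinkage long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg) __intentional_overflow(0);
 asmlinkage long compat_sys_semctl(int semid, int semnum, int cmd, int arg);
 asmlinkage long compat_sys_msgsnd(int msqid, compat_uptr_t msgp,
 compat_ssize_t msgsz, int msgflg);
@@ -325,7 +325,7 @@ asmlinkage long compat_sys_msgrcv(int msqid, compat_uptr_t msgp,
 long compat_sys_msgctl(int first, int second, void __user *uptr);
 long compat_sys_shmctl(int first, int second, void __user *uptr);
 long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
- unsigned nsems, const struct compat_timespec __user *timeout);
+ compat_long_t nsems, const struct compat_timespec __user *timeout);
 asmlinkage long compat_sys_keyctl(u32 option,
 u32 arg2, u32 arg3, u32 arg4, u32 arg5);
 asmlinkage long compat_sys_ustat(unsigned dev, struct compat_ustat __user *u32);
@@ -439,7 +439,7 @@ extern int compat_ptrace_request(struct task_struct *child,
 extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
 compat_ulong_t addr, compat_ulong_t data);
 asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
- compat_long_t addr, compat_long_t data);
+ compat_ulong_t addr, compat_ulong_t data);
 
 asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, compat_size_t);
 /*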
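Review bot: In the second hunk the `nsems` parameter of `compat_sys_semtimedop` goes from `unsigned` to the signed `compat_long_t`, which makes a negative operation count representable at the syscall boundary. The definition is not part of this section, so it cannot be confirmed here that a negative value is rejected before the count is used as a size. If the aim is only to match the compat register width, `compat_ulong_t nsems, const struct compat_timespec __user *timeout);` keeps the parameter unsigned, as the third hunk does for the `addr` and `data` arguments of `compat_sys_ptrace`.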
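--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -116,8 +116,8 @@
 */
 #define __pure __attribute__((pure))
 #define __aligned(x) __attribute__((aligned(x)))
-#define __printf(a, b) __attribute__((format(printf, a, b)))
-#define __scanf(a, b) __attribute__((format(scanf, a, b)))
+#define __printf(a, b) __attribute__((format(printf, a, b))) __nocapture(a, b)
+#define __scanf(a, b) __attribute__((format(scanf, a, b))) __nocapture(a, b)
 #define __attribute_const__ __attribute__((__const__))
 #define __maybe_unused __attribute__((unused))
 #define __always_unused __attribute__((unused))
@@ -184,9 +184,38 @@
 # define __compiletime_warning(message) __attribute__((warning(message)))
 # define __compiletime_error(message) __attribute__((error(message)))
 #endif /* __CHECKER__ */
+
+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
+#define __bos0(ptr) __bos((ptr), 0)
+#define __bos1(ptr) __bos((ptr), 1)
 #endif /* GCC_VERSION >= 40300 */
 
 #if GCC_VERSION >= 40500
+
+#ifdef RANDSTRUCT_PLUGIN
+#define __randomize_layout __attribute__((randomize_layout))
+#define __no_randomize_layout __attribute__((no_randomize_layout))
+#endif
+
+#ifdef CONSTIFY_PLUGIN
+#define __no_const __attribute__((no_const))
+#define __do_const __attribute__((do_const))
+#endif
+
+#ifdef SIZE_OVERFLOW_PLUGIN
+#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
+#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__)))
+#endif
+
+#ifdef LATENT_ENTROPY_PLUGIN
+#define __latent_entropy __attribute__((latent_entropy))
+#endif
+
+#ifdef INITIFY_PLUGIN
+#define __nocapture(...) __attribute__((nocapture(__VA_ARGS__)))
+#endif
+
 /*
 * Mark a position in code as unreachable. This can be used to
 * suppress control flow warnings after asm blocks that transfer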
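Review bot: `__alloc_size` in the second hunk is spelled `__attribute((alloc_size(__VA_ARGS__)))` while every other macro this section adds or touches uses `__attribute__`. GCC accepts both spellings, but the line should read `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))` to match. Separately, `__printf(a, b)` and `__scanf(a, b)` in the first hunk now forward both indices to `__nocapture(a, b)`, and `b` is 0 wherever these macros annotate a va_list-style function. Whether the plugin's attribute accepts a zero index is not visible here, so a comment next to the define stating the expected handling would help. The `__bos`, `__bos0` and `__bos1` helpers would likewise benefit from a one-line comment naming the two `__builtin_object_size` modes they select.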
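--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -5,11 +5,14 @@
 
 #ifdef __CHECKER__
 # define __user __attribute__((noderef, address_space(1)))
+# define __force_user __force __user
 # define __kernel __attribute__((address_space(0)))
+# define __force_kernel __force __kernel
 # define __safe __attribute__((safe))
 # define __force __attribute__((force))
 # define __nocast __attribute__((nocast))
 # define __iomem __attribute__((noderef, address_space(2)))
+# define __force_iomem __force __iomem
 # define __must_hold(x) __attribute__((context(x,1,1)))
 # define __acquires(x) __attribute__((context(x,0,1)))
 # define __releases(x) __attribute__((context(x,1,0)))
@@ -17,21 +20,39 @@
 # define __release(x) __context__(x,-1)
 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
 # define __percpu __attribute__((noderef, address_space(3)))
+# define __force_percpu __force __percpu
 # define __pmem __attribute__((noderef, address_space(5)))
+# define __force_pmem __force __pmem
 #ifdef CONFIG_SPARSE_RCU_POINTER
 # define __rcu __attribute__((noderef, address_space(4)))
+# define __force_rcu __force __rcu
 #else
 # define __rcu
+# define __force_rcu
 #endif
 extern void __chk_user_ptr(const volatile void __user *);
 extern void __chk_io_ptr(const volatile void __iomem *);
 #else
-# define __user
-# define __kernel
+# ifdef CHECKER_PLUGIN
+//# define __user
+//# define __force_user
+//# define __kernel
+//# define __force_kernel
+# else
+# ifdef STRUCTLEAK_PLUGIN
+# define __user __attribute__((user))
+# else
+# define __user
+# endif
+# define __force_user
+# define __kernel
+# define __force_kernel
+# endif
 # define __safe
 # define __force
 # define __nocast
 # define __iomem
+# define __force_iomem
 # define __chk_user_ptr(x) (void)0
 # define __chk_io_ptr(x) (void)0
 # define __builtin_warning(x, y...) (1)
@@ -42,8 +63,11 @@ extern void __chk_io_ptr(const volatile void __iomem *);
 # define __release(x) (void)0
 # define __cond_lock(x,c) (c)
 # define __percpu
+# define __force_percpu
 # define __rcu
+# define __force_rcu
 # define __pmem
+# define __force_pmem
 #endif
 
 /* Indirect macros required for expanded argument pasting, eg. __LINE__. */
@@ -201,27 +225,27 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
 static __always_inline void __read_once_size(const volatile void *p, void *res, int size)
 {
 switch (size) {
- case 1: *(__u8 *)res = *(volatile __u8 *)p; break;
- case 2: *(__u16 *)res = *(volatile __u16 *)p; break;
- case 4: *(__u32 *)res = *(volatile __u32 *)p; break;
- case 8: *(__u64 *)res = *(volatile __u64 *)p; break;
+ case 1: *(__u8 *)res = *(const volatile __u8 *)p; break;
+ case 2: *(__u16 *)res = *(const volatile __u16 *)p; break;
+ case 4: *(__u32 *)res = *(const volatile __u32 *)p; break;
+ case 8: *(__u64 *)res = *(const volatile __u64 *)p; break;
 default:
 barrier();
- __builtin_memcpy((void *)res, (const void *)p, size);
+ __builtin_memcpy(res, (const void *)p, size);
 barrier();
 }
 }
 
-static __always_inline void __write_once_size(volatile void *p, void *res, int size)
+static __always_inline void __write_once_size(volatile void *p, const void *res, int size)
 {
 switch (size) {
- case 1: *(volatile __u8 *)p = *(__u8 *)res; break;
- case 2: *(volatile __u16 *)p = *(__u16 *)res; break;
- case 4: *(volatile __u32 *)p = *(__u32 *)res; break;
- case 8: *(volatile __u64 *)p = *(__u64 *)res; break;
+ case 1: *(volatile __u8 *)p = *(const __u8 *)res; break;
+ case 2: *(volatile __u16 *)p = *(const __u16 *)res; break;
+ case 4: *(volatile __u32 *)p = *(const __u32 *)res; break;
+ case 8: *(volatile __u64 *)p = *(const __u64 *)res; break;
 default:
 barrier();
- __builtin_memcpy((void *)p, (const void *)res, size);
+ __builtin_memcpy((void *)p, res, size);
 barrier();
 }
 }
@@ -370,6 +394,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
 # define __attribute_const__ /* unimplemented */
 #endif
 
+#ifndef __randomize_layout
+# define __randomize_layout
+#endif
+
+#ifndef __no_randomize_layout
+# define __no_randomize_layout
+#endif
+
+#ifndef __no_const
+# define __no_const
+#endif
+
+#ifndef __do_const
+# define __do_const
+#endif
+
+#ifndef __size_overflow
+# define __size_overflow(...)
+#endif
+
+#ifndef __intentional_overflow
+# define __intentional_overflow(...)
+#endif
+
+#ifndef __latent_entropy
+# define __latent_entropy
+#endif
+
+#ifndef __nocapture
+# define __nocapture(...)
+#endif
+
 /*
 * Tell gcc if a function is cold. The compiler will assume any path
 * directly leading to the call is unlikely.
@@ -379,6 +435,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
 #define __cold
 #endif
 
+#ifndef __alloc_size
+#define __alloc_size(...)
+#endif
+
+#ifndef __bos
+#define __bos(ptr, arg)
+#endif
+
+#ifndef __bos0
+#define __bos0(ptr)
+#endif
+
+#ifndef __bos1
+#define __bos1(ptr)
+#endif
+
 /* Simple shorthand for a section definition */
 #ifndef __section
 # define __section(S) __attribute__ ((__section__(#S)))
@@ -393,6 +465,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
 # define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
 #endif
 
+#define __type_is_unsigned(t) (__same_type((t)0, 0UL) || __same_type((t)0, 0U) || __same_type((t)0, (unsigned short)0) || __same_type((t)0, (unsigned char)0))
+
 /* Is this type a native word size -- useful for atomic operations */
 #ifndef __native_word
 # define __native_word(t) (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long))
@@ -472,8 +546,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
 */
 #define __ACCESS_ONCE(x) ({ \
 __maybe_unused typeof(x) __var = (__force typeof(x)) 0; \
- (volatile typeof(x) *)&(x); })
+ (volatile const typeof(x) *)&(x); })
 #define ACCESS_ONCE(x) (*__ACCESS_ONCE(x))
+#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
 
 /**
 * lockless_dereference() - safely load a pointer for later dereference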
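Review bot: `__type_is_unsigned(t)` in the `@@ -393,6 +465,8 @@` hunk compares only against `0UL`, `0U`, `unsigned short` and `unsigned char`, so an `unsigned long long` type is reported as not unsigned. `__same_type` expands to `__builtin_types_compatible_p`, which treats `unsigned long` and `unsigned long long` as distinct types even when they have the same width. Adding `|| __same_type((t)0, 0ULL)` closes that gap. The fallback definitions of `__bos`, `__bos0` and `__bos1` in the `@@ -379,6 +435,22 @@` hunk expand to nothing, so any use inside an expression stops compiling when the GCC-specific definitions are absent. A fallback of `((size_t)-1)`, the value `__builtin_object_size` returns for modes 0 and 1 when the size is unknown, would be safer.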
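--- a/include/linux/completion.h
+++ b/include/linux/completion.h
@@ -90,16 +90,16 @@ static inline void reinit_completion(struct completion *x)
 
 extern void wait_for_completion(struct completion *);
 extern void wait_for_completion_io(struct completion *);
-extern int wait_for_completion_interruptible(struct completion *x);
-extern int wait_for_completion_killable(struct completion *x);
+extern int wait_for_completion_interruptible(struct completion *x) __intentional_overflow(-1);
+extern int wait_for_completion_killable(struct completion *x) __intentional_overflow(-1);
 extern unsigned long wait_for_completion_timeout(struct completion *x,
- unsigned long timeout);
+ unsigned long timeout) __intentional_overflow(-1);
 extern unsigned long wait_for_completion_io_timeout(struct completion *x,
- unsigned long timeout);
+ unsigned long timeout) __intentional_overflow(-1);
 extern long wait_for_completion_interruptible_timeout(
- struct completion *x, unsigned long timeout);
+ struct completion *x, unsigned long timeout) __intentional_overflow(-1);
 extern long wait_for_completion_killable_timeout(
- struct completion *x, unsigned long timeout);
+ struct completion *x, unsigned long timeout) __intentional_overflow(-1);
 extern bool try_wait_for_completion(struct completion *x);
 extern bool completion_done(struct completion *x);
 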
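--- a/include/linux/configfs.h
+++ b/include/linux/configfs.h
@@ -125,7 +125,7 @@ struct configfs_attribute {
 const char *ca_name;
 struct module *ca_owner;
 umode_t ca_mode;
-};
+} __do_const;
 
 /*
 * Users often need to create attribute structures for their configurable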
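--- a/include/linux/cpufreq.h
+++ b/include/linux/cpufreq.h
@@ -211,6 +211,7 @@ struct global_attr {
 ssize_t (*store)(struct kobject *a, struct attribute *b,
 const char *c, size_t count);
 };
+typedef struct global_attr __no_const global_attr_no_const;
 
 #define define_one_global_ro(_name) \
 static struct global_attr _name = \
@@ -282,7 +283,7 @@ struct cpufreq_driver {
 bool boost_supported;
 bool boost_enabled;
 int (*set_boost)(int state);
-};
+} __do_const;
 
 /* flags */
 #define CPUFREQ_STICKY (1 << 0) /* driver isn't removed even if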
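--- a/include/linux/cpuidle.h
+++ b/include/linux/cpuidle.h
@@ -59,7 +59,8 @@ struct cpuidle_state {
 void (*enter_freeze) (struct cpuidle_device *dev,
 struct cpuidle_driver *drv,
 int index);
-};
+} __do_const;
+typedef struct cpuidle_state __no_const cpuidle_state_no_const;
 
 /* Idle State Flags */
 #define CPUIDLE_FLAG_COUPLED (0x02) /* state applies to multiple cpus */
@@ -235,7 +236,7 @@ struct cpuidle_governor {
 void (*reflect) (struct cpuidle_device *dev, int index);
 
 struct module *owner;
-};
+} __do_const;
 
 #ifdef CONFIG_CPU_IDLE
 extern int cpuidle_register_governor(struct cpuidle_governor *gov);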
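--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -127,17 +127,17 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
 }
 
 /* Valid inputs for n are -1 and 0. */
-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
+static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
 {
 return n+1;
 }
 
-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
+static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
 {
 return n+1;
 }
 
-static inline unsigned int cpumask_next_and(int n,
+static inline unsigned int __intentional_overflow(-1) cpumask_next_and(int n,
 const struct cpumask *srcp,
 const struct cpumask *andp)
 {
@@ -181,7 +181,7 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
 *
 * Returns >= nr_cpu_ids if no further cpus set.
 */
-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
+static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
 {
 /* -1 is a legal arg here. */
 if (n != -1)
@@ -196,7 +196,7 @@ static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
 *
 * Returns >= nr_cpu_ids if no further cpus unset.
 */
-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
+static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
 {
 /* -1 is a legal arg here. */
 if (n != -1)
@@ -204,7 +204,7 @@ static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
 return find_next_zero_bit(cpumask_bits(srcp), nr_cpumask_bits, n+1);
 }
 
-int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *);
+int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *) __intentional_overflow(-1);
 int cpumask_any_but(const struct cpumask *mask, unsigned int cpu);
 unsigned int cpumask_local_spread(unsigned int i, int node);
 
@@ -471,7 +471,7 @@ static inline bool cpumask_full(const struct cpumask *srcp)
 * cpumask_weight - Count of bits in *srcp
 * @srcp: the cpumask to count bits (< nr_cpu_ids) in.
 */
-static inline unsigned int cpumask_weight(const struct cpumask *srcp)
+static inline unsigned int __intentional_overflow(-1) cpumask_weight(const struct cpumask *srcp)
 {
 return bitmap_weight(cpumask_bits(srcp), nr_cpumask_bits);
 }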
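--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -35,7 +35,7 @@ struct group_info {
 int nblocks;
 kgid_t small_block[NGROUPS_SMALL];
 kgid_t *blocks[0];
-};
+} __randomize_layout;
 
 /**
 * get_group_info - Get a reference to a group info structure
@@ -152,7 +152,7 @@ struct cred {
 struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
 struct group_info *group_info; /* supplementary groups for euid/fsgid */
 struct rcu_head rcu; /* RCU deletion hook */
-};
+} __randomize_layout;
 
 extern void __put_cred(struct cred *);
 extern void exit_creds(struct task_struct *);
@@ -210,6 +210,9 @@ static inline void validate_creds_for_do_exit(struct task_struct *tsk)
 static inline void validate_process_creds(void)
 {
 }
+static inline void validate_task_creds(struct task_struct *task)
+{
+}
 #endif
 
 /**
@@ -347,6 +350,7 @@ static inline void put_cred(const struct cred *_cred)
 
 #define task_uid(task) (task_cred_xxx((task), uid))
 #define task_euid(task) (task_cred_xxx((task), euid))
+#define task_securebits(task) (task_cred_xxx((task), securebits))
 
 #define current_cred_xxx(xxx) \
 ({ \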
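--- a/include/linux/crypto.h
+++ b/include/linux/crypto.h
@@ -569,7 +569,7 @@ struct cipher_tfm {
 const u8 *key, unsigned int keylen);
 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
-};
+} __no_const;
 
 struct hash_tfm {
 int (*init)(struct hash_desc *desc);
@@ -590,7 +590,7 @@ struct compress_tfm {
 int (*cot_decompress)(struct crypto_tfm *tfm,
 const u8 *src, unsigned int slen,
 u8 *dst, unsigned int *dlen);
-};
+} __no_const;
 
 #define crt_ablkcipher crt_u.ablkcipher
 #define crt_blkcipher crt_u.blkcipher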
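--- a/include/linux/ctype.h
+++ b/include/linux/ctype.h
@@ -56,7 +56,7 @@ static inline unsigned char __toupper(unsigned char c)
 * Fast implementation of tolower() for internal usage. Do not use in your
 * code.
 */
-static inline char _tolower(const char c)
+static inline unsigned char _tolower(const unsigned char c)
 {
 return c | 0x20;
 }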
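--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -123,6 +123,9 @@ struct dentry {
 unsigned long d_time; /* used by d_revalidate */
 void *d_fsdata; /* fs-specific data */
 
+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
+ atomic_t chroot_refcnt; /* tracks use of directory in chroot */
+#endif
 struct list_head d_lru; /* LRU list */
 struct list_head d_child; /* child of parent list */
 struct list_head d_subdirs; /* our children */
@@ -133,7 +136,7 @@ struct dentry {
 struct hlist_node d_alias; /* inode alias list */
 struct rcu_head d_rcu;
 } d_u;
-};
+} __randomize_layout;
 
 /*
 * dentry->d_lock spinlock nesting subclasses:
@@ -321,7 +324,7 @@ extern struct dentry *__d_lookup_rcu(const struct dentry *parent,
 
 static inline unsigned d_count(const struct dentry *dentry)
 {
- return dentry->d_lockref.count;
+ return __lockref_read(&dentry->d_lockref);
 }
 
 /*
@@ -350,7 +353,7 @@ extern char *dentry_path(struct dentry *, char *, int);
 static inline struct dentry *dget_dlock(struct dentry *dentry)
 {
 if (dentry)
- dentry->d_lockref.count++;
+ __lockref_inc(&dentry->d_lockref);
 return dentry;
 }
 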
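--- a/include/linux/decompress/mm.h
+++ b/include/linux/decompress/mm.h
@@ -77,7 +77,7 @@ static void free(void *where)
 * warnings when not needed (indeed large_malloc / large_free are not
 * needed by inflate */
 
-#define malloc(a) kmalloc(a, GFP_KERNEL)
+#define malloc(a) kmalloc((a), GFP_KERNEL)
 #define free(a) kfree(a)
 
 #define large_malloc(a) vmalloc(a)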
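--- a/include/linux/devfreq.h
+++ b/include/linux/devfreq.h
@@ -114,7 +114,7 @@ struct devfreq_governor {
 int (*get_target_freq)(struct devfreq *this, unsigned long *freq);
 int (*event_handler)(struct devfreq *devfreq,
 unsigned int event, void *data);
-};
+} __do_const;
 
 /**
 * struct devfreq - Device devfreq structure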
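--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -342,7 +342,7 @@ struct subsys_interface {
 struct list_head node;
 int (*add_dev)(struct device *dev, struct subsys_interface *sif);
 int (*remove_dev)(struct device *dev, struct subsys_interface *sif);
-};
+} __do_const;
 
 int subsys_interface_register(struct subsys_interface *sif);
 void subsys_interface_unregister(struct subsys_interface *sif);
@@ -538,7 +538,7 @@ struct device_type {
 void (*release)(struct device *dev);
 
 const struct dev_pm_ops *pm;
-};
+} __do_const;
 
 /* interface for exporting device attributes */
 struct device_attribute {
@@ -548,11 +548,12 @@ struct device_attribute {
 ssize_t (*store)(struct device *dev, struct device_attribute *attr,
 const char *buf, size_t count);
 };
+typedef struct device_attribute __no_const device_attribute_no_const;
 
 struct dev_ext_attribute {
 struct device_attribute attr;
 void *var;
-};
+} __do_const;
 
 ssize_t device_show_ulong(struct device *dev, struct device_attribute *attr,
 char *buf);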
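--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -64,7 +64,7 @@ struct dma_map_ops {
 u64 (*get_required_mask)(struct device *dev);
 #endif
 int is_phys;
-};
+} __do_const;
 
 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
 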
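--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1073,6 +1073,7 @@ struct efivar_operations {
 efi_set_variable_nonblocking_t *set_variable_nonblocking;
 efi_query_variable_store_t *query_variable_store;
 };
+typedef struct efivar_operations __no_const efivar_operations_no_const;
 
 struct efivars {
 /*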
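--- a/include/linux/elf.h
+++ b/include/linux/elf.h
@@ -29,6 +29,7 @@ extern Elf32_Dyn _DYNAMIC [];
 #define elf_note elf32_note
 #define elf_addr_t Elf32_Off
 #define Elf_Half Elf32_Half
+#define elf_dyn Elf32_Dyn
 
 #else
 
@@ -39,6 +40,7 @@ extern Elf64_Dyn _DYNAMIC [];
 #define elf_note elf64_note
 #define elf_addr_t Elf64_Off
 #define Elf_Half Elf64_Half
+#define elf_dyn Elf64_Dyn
 
 #endif
 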
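--- a/include/linux/err.h
+++ b/include/linux/err.h
@@ -20,12 +20,12 @@
 
 #define IS_ERR_VALUE(x) unlikely((x) >= (unsigned long)-MAX_ERRNO)
 
-static inline void * __must_check ERR_PTR(long error)
+static inline void * __must_check __intentional_overflow(-1) ERR_PTR(long error)
 {
 return (void *) error;
 }
 
-static inline long __must_check PTR_ERR(__force const void *ptr)
+static inline long __must_check __intentional_overflow(-1) PTR_ERR(__force const void *ptr)
 {
 return (long) ptr;
 }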
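--- a/include/linux/extcon.h
+++ b/include/linux/extcon.h
@@ -120,7 +120,7 @@ struct extcon_dev {
 /* /sys/class/extcon/.../mutually_exclusive/... */
 struct attribute_group attr_g_muex;
 struct attribute **attrs_muex;
- struct device_attribute *d_attrs_muex;
+ device_attribute_no_const *d_attrs_muex;
 };
 
 /**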
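--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -305,7 +305,8 @@ struct fb_ops {
 /* called at KDB enter and leave time to prepare the console */
 int (*fb_debug_enter)(struct fb_info *info);
 int (*fb_debug_leave)(struct fb_info *info);
-};
+} __do_const;
+typedef struct fb_ops __no_const fb_ops_no_const;
 
 #ifdef CONFIG_FB_TILEBLITTING
 #define FB_TILE_CURSOR_NONE 0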
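--- a/include/linux/fdtable.h
+++ b/include/linux/fdtable.h
@@ -103,7 +103,7 @@ struct files_struct *get_files_struct(struct task_struct *);
 void put_files_struct(struct files_struct *fs);
 void reset_files_struct(struct files_struct *);
 int unshare_files(struct files_struct **);
-struct files_struct *dup_fd(struct files_struct *, int *);
+struct files_struct *dup_fd(struct files_struct *, int *) __latent_entropy;
 void do_close_on_exec(struct files_struct *);
 int iterate_fd(struct files_struct *, unsigned,
 int (*)(const void *, struct file *, unsigned),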
97071diff --git a/include/linux/fs.h b/include/linux/fs.h
97072index 84b783f..b31767d 100644
97073--- a/include/linux/fs.h
97074+++ b/include/linux/fs.h
97075@@ -439,7 +439,7 @@ struct address_space {
97076 spinlock_t private_lock; /* for use by the address_space */
97077 struct list_head private_list; /* ditto */
97078 void *private_data; /* ditto */
97079-} __attribute__((aligned(sizeof(long))));
97080+} __attribute__((aligned(sizeof(long)))) __randomize_layout;
97081 /*
97082 * On most architectures that alignment is already the case; but
97083 * must be enforced here for CRIS, to let the least significant bit
97084@@ -482,7 +482,7 @@ struct block_device {
97085 int bd_fsfreeze_count;
97086 /* Mutex for freeze */
97087 struct mutex bd_fsfreeze_mutex;
97088-};
97089+} __randomize_layout;
97090
97091 /*
97092 * Radix-tree tags, for tagging dirty and writeback pages within the pagecache
97093@@ -677,7 +677,7 @@ struct inode {
97094 #endif
97095
97096 void *i_private; /* fs or device private pointer */
97097-};
97098+} __randomize_layout;
97099
97100 static inline int inode_unhashed(struct inode *inode)
97101 {
97102@@ -872,7 +872,7 @@ struct file {
97103 struct list_head f_tfile_llink;
97104 #endif /* #ifdef CONFIG_EPOLL */
97105 struct address_space *f_mapping;
97106-} __attribute__((aligned(4))); /* lest something weird decides that 2 is OK */
97107+} __attribute__((aligned(4))) __randomize_layout; /* lest something weird decides that 2 is OK */
97108
97109 struct file_handle {
97110 __u32 handle_bytes;
97111@@ -1001,7 +1001,7 @@ struct file_lock {
97112 int state; /* state of grant or error if -ve */
97113 } afs;
97114 } fl_u;
97115-};
97116+} __randomize_layout;
97117
97118 struct file_lock_context {
97119 spinlock_t flc_lock;
97120@@ -1380,7 +1380,7 @@ struct super_block {
97121 * Indicates how deep in a filesystem stack this SB is
97122 */
97123 int s_stack_depth;
97124-};
97125+} __randomize_layout;
97126
97127 extern struct timespec current_fs_time(struct super_block *sb);
97128
97129@@ -1632,7 +1632,8 @@ struct file_operations {
97130 #ifndef CONFIG_MMU
97131 unsigned (*mmap_capabilities)(struct file *);
97132 #endif
97133-};
97134+} __do_const __randomize_layout;
97135+typedef struct file_operations __no_const file_operations_no_const;
97136
97137 struct inode_operations {
97138 struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int);
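Review bot: The new `file_operations_no_const` typedef has no comment saying when it may be used, even though it opts out of the `__do_const` marking added on the line above it. Assuming `__do_const`/`__no_const` are constification annotations (their definitions are not in this hunk), each use of the typedef creates a writable table of function pointers, which is what the annotation is meant to prevent. I would add `/* Writable variant of file_operations: use only where the table must be built at runtime; every other instance should stay const. */` above the typedef so each new user can be questioned in review. `struct file_operations` begins outside the hunk.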
97139@@ -2341,7 +2342,7 @@ extern int register_chrdev_region(dev_t, unsigned, const char *);
97140 extern int __register_chrdev(unsigned int major, unsigned int baseminor,
97141 unsigned int count, const char *name,
97142 const struct file_operations *fops);
97143-extern void __unregister_chrdev(unsigned int major, unsigned int baseminor,
97144+extern __nocapture(4) void __unregister_chrdev(unsigned int major, unsigned int baseminor,
97145 unsigned int count, const char *name);
97146 extern void unregister_chrdev_region(dev_t, unsigned);
97147 extern void chrdev_show(struct seq_file *,off_t);
97148@@ -3041,4 +3042,14 @@ static inline bool dir_relax(struct inode *inode)
97149 return !IS_DEADDIR(inode);
97150 }
97151
97152+static inline bool is_sidechannel_device(const struct inode *inode)
97153+{
97154+#ifdef CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL
97155+ umode_t mode = inode->i_mode;
97156+ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
97157+#else
97158+ return false;
97159+#endif
97160+}
97161+
97162 #endif /* _LINUX_FS_H */
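Review bot: `is_sidechannel_device()` is added without a comment stating what it protects against or why the test is limited to the `S_IROTH | S_IWOTH` bits. As written it returns true only for character or block device inodes accessible to "other"; a device node opened up through group permissions is not covered, and a reader cannot tell whether that is intended. A header comment such as `/* world-accessible device nodes can leak activity timing to unprivileged observers; callers use this to suppress that signal */` would record the threat model. The wording should be confirmed against the Kconfig help for CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL, which is not visible here.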
97163diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h
97164index 0efc3e6..fd23610 100644
97165--- a/include/linux/fs_struct.h
97166+++ b/include/linux/fs_struct.h
97167@@ -6,13 +6,13 @@
97168 #include <linux/seqlock.h>
97169
97170 struct fs_struct {
97171- int users;
97172+ atomic_t users;
97173 spinlock_t lock;
97174 seqcount_t seq;
97175 int umask;
97176 int in_exec;
97177 struct path root, pwd;
97178-};
97179+} __randomize_layout;
97180
97181 extern struct kmem_cache *fs_cachep;
97182
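Review bot: `users` changes from `int` to `atomic_t` with no comment on the resulting locking rule. The struct still carries `lock`, so the declaration does not say whether `users` must still be modified under that lock or may now be updated lock-free, and a mixed convention would make check-then-decrement paths racy. I would annotate the field, for example `atomic_t users; /* reference count; atomic for overflow checking, still updated under ->lock */`, if that is the intent (presumably it is, but the hunk does not show it). Every reader and writer of `users` also has to be converted to `atomic_read()`/`atomic_inc()`/`atomic_dec()`, and those call sites are not in this hunk.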
97183diff --git a/include/linux/fscache-cache.h b/include/linux/fscache-cache.h
97184index 604e152..5954d0d 100644
97185--- a/include/linux/fscache-cache.h
97186+++ b/include/linux/fscache-cache.h
97187@@ -117,7 +117,7 @@ struct fscache_operation {
97188 fscache_operation_release_t release;
97189 };
97190
97191-extern atomic_t fscache_op_debug_id;
97192+extern atomic_unchecked_t fscache_op_debug_id;
97193 extern void fscache_op_work_func(struct work_struct *work);
97194
97195 extern void fscache_enqueue_operation(struct fscache_operation *);
97196diff --git a/include/linux/fscache.h b/include/linux/fscache.h
97197index 115bb81..e7b812b 100644
97198--- a/include/linux/fscache.h
97199+++ b/include/linux/fscache.h
97200@@ -152,7 +152,7 @@ struct fscache_cookie_def {
97201 * - this is mandatory for any object that may have data
97202 */
97203 void (*now_uncached)(void *cookie_netfs_data);
97204-};
97205+} __do_const;
97206
97207 /*
97208 * fscache cached network filesystem type
97209diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
97210index 7ee1774..72505b8 100644
97211--- a/include/linux/fsnotify.h
97212+++ b/include/linux/fsnotify.h
97213@@ -197,6 +197,9 @@ static inline void fsnotify_access(struct file *file)
97214 struct inode *inode = file_inode(file);
97215 __u32 mask = FS_ACCESS;
97216
97217+ if (is_sidechannel_device(inode))
97218+ return;
97219+
97220 if (S_ISDIR(inode->i_mode))
97221 mask |= FS_ISDIR;
97222
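Review bot: The early `return` added to `fsnotify_access()` drops the event with no comment, and the same uncommented return is added to `fsnotify_modify()` in the next hunk. Besides closing the timing channel, it means that any monitoring built on these notifications (file-integrity or audit tooling watching a world-accessible device node) receives no access or modify events when CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL is enabled. Operators would want that stated. I would put `/* deliberately no event: access timing on world-accessible devices is a side channel */` above both checks. Both function bodies continue outside their hunks.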
97223@@ -215,6 +218,9 @@ static inline void fsnotify_modify(struct file *file)
97224 struct inode *inode = file_inode(file);
97225 __u32 mask = FS_MODIFY;
97226
97227+ if (is_sidechannel_device(inode))
97228+ return;
97229+
97230 if (S_ISDIR(inode->i_mode))
97231 mask |= FS_ISDIR;
97232
97233@@ -317,7 +323,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid)
97234 */
97235 static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
97236 {
97237- return kstrdup(name, GFP_KERNEL);
97238+ return (const unsigned char *)kstrdup((const char *)name, GFP_KERNEL);
97239 }
97240
97241 /*
97242diff --git a/include/linux/genhd.h b/include/linux/genhd.h
97243index ec274e0..e678159 100644
97244--- a/include/linux/genhd.h
97245+++ b/include/linux/genhd.h
97246@@ -194,7 +194,7 @@ struct gendisk {
97247 struct kobject *slave_dir;
97248
97249 struct timer_rand_state *random;
97250- atomic_t sync_io; /* RAID */
97251+ atomic_unchecked_t sync_io; /* RAID */
97252 struct disk_events *ev;
97253 #ifdef CONFIG_BLK_DEV_INTEGRITY
97254 struct blk_integrity *integrity;
97255@@ -435,7 +435,7 @@ extern void disk_flush_events(struct gendisk *disk, unsigned int mask);
97256 extern unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask);
97257
97258 /* drivers/char/random.c */
97259-extern void add_disk_randomness(struct gendisk *disk);
97260+extern void add_disk_randomness(struct gendisk *disk) __latent_entropy;
97261 extern void rand_initialize_disk(struct gendisk *disk);
97262
97263 static inline sector_t get_start_sect(struct block_device *bdev)
97264diff --git a/include/linux/genl_magic_func.h b/include/linux/genl_magic_func.h
97265index 667c311..abac2a7 100644
97266--- a/include/linux/genl_magic_func.h
97267+++ b/include/linux/genl_magic_func.h
97268@@ -246,7 +246,7 @@ const char *CONCAT_(GENL_MAGIC_FAMILY, _genl_cmd_to_str)(__u8 cmd)
97269 },
97270
97271 #define ZZZ_genl_ops CONCAT_(GENL_MAGIC_FAMILY, _genl_ops)
97272-static struct genl_ops ZZZ_genl_ops[] __read_mostly = {
97273+static struct genl_ops ZZZ_genl_ops[] = {
97274 #include GENL_MAGIC_INCLUDE_FILE
97275 };
97276
97277diff --git a/include/linux/gfp.h b/include/linux/gfp.h
97278index ad35f30..30b1916 100644
97279--- a/include/linux/gfp.h
97280+++ b/include/linux/gfp.h
97281@@ -35,6 +35,13 @@ struct vm_area_struct;
97282 #define ___GFP_NO_KSWAPD 0x400000u
97283 #define ___GFP_OTHER_NODE 0x800000u
97284 #define ___GFP_WRITE 0x1000000u
97285+
97286+#ifdef CONFIG_PAX_USERCOPY_SLABS
97287+#define ___GFP_USERCOPY 0x2000000u
97288+#else
97289+#define ___GFP_USERCOPY 0
97290+#endif
97291+
97292 /* If the above are modified, __GFP_BITS_SHIFT may need updating */
97293
97294 /*
97295@@ -94,6 +101,7 @@ struct vm_area_struct;
97296 #define __GFP_NO_KSWAPD ((__force gfp_t)___GFP_NO_KSWAPD)
97297 #define __GFP_OTHER_NODE ((__force gfp_t)___GFP_OTHER_NODE) /* On behalf of other node */
97298 #define __GFP_WRITE ((__force gfp_t)___GFP_WRITE) /* Allocator intends to dirty page */
97299+#define __GFP_USERCOPY ((__force gfp_t)___GFP_USERCOPY)/* Allocator intends to copy page to/from userland */
97300
97301 /*
97302 * This may seem redundant, but it's a way of annotating false positives vs.
97303@@ -101,7 +109,7 @@ struct vm_area_struct;
97304 */
97305 #define __GFP_NOTRACK_FALSE_POSITIVE (__GFP_NOTRACK)
97306
97307-#define __GFP_BITS_SHIFT 25 /* Room for N __GFP_FOO bits */
97308+#define __GFP_BITS_SHIFT 26 /* Room for N __GFP_FOO bits */
97309 #define __GFP_BITS_MASK ((__force gfp_t)((1 << __GFP_BITS_SHIFT) - 1))
97310
97311 /* This equals 0, but use constants in case they ever change */
97312@@ -146,6 +154,8 @@ struct vm_area_struct;
97313 /* 4GB DMA on some platforms */
97314 #define GFP_DMA32 __GFP_DMA32
97315
97316+#define GFP_USERCOPY __GFP_USERCOPY
97317+
97318 /* Convert GFP flags to their corresponding migrate type */
97319 static inline int gfpflags_to_migratetype(const gfp_t gfp_flags)
97320 {
97321diff --git a/include/linux/gracl.h b/include/linux/gracl.h
97322new file mode 100644
97323index 0000000..91858e4
97324--- /dev/null
97325+++ b/include/linux/gracl.h
97326@@ -0,0 +1,342 @@
97327+#ifndef GR_ACL_H
97328+#define GR_ACL_H
97329+
97330+#include <linux/grdefs.h>
97331+#include <linux/resource.h>
97332+#include <linux/capability.h>
97333+#include <linux/dcache.h>
97334+#include <asm/resource.h>
97335+
97336+/* Major status information */
97337+
97338+#define GR_VERSION "grsecurity 3.1"
97339+#define GRSECURITY_VERSION 0x3100
97340+
97341+enum {
97342+ GR_SHUTDOWN = 0,
97343+ GR_ENABLE = 1,
97344+ GR_SPROLE = 2,
97345+ GR_OLDRELOAD = 3,
97346+ GR_SEGVMOD = 4,
97347+ GR_STATUS = 5,
97348+ GR_UNSPROLE = 6,
97349+ GR_PASSSET = 7,
97350+ GR_SPROLEPAM = 8,
97351+ GR_RELOAD = 9,
97352+};
97353+
97354+/* Password setup definitions
97355+ * kernel/grhash.c */
97356+enum {
97357+ GR_PW_LEN = 128,
97358+ GR_SALT_LEN = 16,
97359+ GR_SHA_LEN = 32,
97360+};
97361+
97362+enum {
97363+ GR_SPROLE_LEN = 64,
97364+};
97365+
97366+enum {
97367+ GR_NO_GLOB = 0,
97368+ GR_REG_GLOB,
97369+ GR_CREATE_GLOB
97370+};
97371+
97372+#define GR_NLIMITS 32
97373+
97374+/* Begin Data Structures */
97375+
97376+struct sprole_pw {
97377+ unsigned char *rolename;
97378+ unsigned char salt[GR_SALT_LEN];
97379+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
97380+};
97381+
97382+struct name_entry {
97383+ __u32 key;
97384+ u64 inode;
97385+ dev_t device;
97386+ char *name;
97387+ __u16 len;
97388+ __u8 deleted;
97389+ struct name_entry *prev;
97390+ struct name_entry *next;
97391+};
97392+
97393+struct inodev_entry {
97394+ struct name_entry *nentry;
97395+ struct inodev_entry *prev;
97396+ struct inodev_entry *next;
97397+};
97398+
97399+struct acl_role_db {
97400+ struct acl_role_label **r_hash;
97401+ __u32 r_size;
97402+};
97403+
97404+struct inodev_db {
97405+ struct inodev_entry **i_hash;
97406+ __u32 i_size;
97407+};
97408+
97409+struct name_db {
97410+ struct name_entry **n_hash;
97411+ __u32 n_size;
97412+};
97413+
97414+struct crash_uid {
97415+ uid_t uid;
97416+ unsigned long expires;
97417+};
97418+
97419+struct gr_hash_struct {
97420+ void **table;
97421+ void **nametable;
97422+ void *first;
97423+ __u32 table_size;
97424+ __u32 used_size;
97425+ int type;
97426+};
97427+
97428+/* Userspace Grsecurity ACL data structures */
97429+
97430+struct acl_subject_label {
97431+ char *filename;
97432+ u64 inode;
97433+ dev_t device;
97434+ __u32 mode;
97435+ kernel_cap_t cap_mask;
97436+ kernel_cap_t cap_lower;
97437+ kernel_cap_t cap_invert_audit;
97438+
97439+ struct rlimit res[GR_NLIMITS];
97440+ __u32 resmask;
97441+
97442+ __u8 user_trans_type;
97443+ __u8 group_trans_type;
97444+ uid_t *user_transitions;
97445+ gid_t *group_transitions;
97446+ __u16 user_trans_num;
97447+ __u16 group_trans_num;
97448+
97449+ __u32 sock_families[2];
97450+ __u32 ip_proto[8];
97451+ __u32 ip_type;
97452+ struct acl_ip_label **ips;
97453+ __u32 ip_num;
97454+ __u32 inaddr_any_override;
97455+
97456+ __u32 crashes;
97457+ unsigned long expires;
97458+
97459+ struct acl_subject_label *parent_subject;
97460+ struct gr_hash_struct *hash;
97461+ struct acl_subject_label *prev;
97462+ struct acl_subject_label *next;
97463+
97464+ struct acl_object_label **obj_hash;
97465+ __u32 obj_hash_size;
97466+ __u16 pax_flags;
97467+};
97468+
97469+struct role_allowed_ip {
97470+ __u32 addr;
97471+ __u32 netmask;
97472+
97473+ struct role_allowed_ip *prev;
97474+ struct role_allowed_ip *next;
97475+};
97476+
97477+struct role_transition {
97478+ char *rolename;
97479+
97480+ struct role_transition *prev;
97481+ struct role_transition *next;
97482+};
97483+
97484+struct acl_role_label {
97485+ char *rolename;
97486+ uid_t uidgid;
97487+ __u16 roletype;
97488+
97489+ __u16 auth_attempts;
97490+ unsigned long expires;
97491+
97492+ struct acl_subject_label *root_label;
97493+ struct gr_hash_struct *hash;
97494+
97495+ struct acl_role_label *prev;
97496+ struct acl_role_label *next;
97497+
97498+ struct role_transition *transitions;
97499+ struct role_allowed_ip *allowed_ips;
97500+ uid_t *domain_children;
97501+ __u16 domain_child_num;
97502+
97503+ umode_t umask;
97504+
97505+ struct acl_subject_label **subj_hash;
97506+ __u32 subj_hash_size;
97507+};
97508+
97509+struct user_acl_role_db {
97510+ struct acl_role_label **r_table;
97511+ __u32 num_pointers; /* Number of allocations to track */
97512+ __u32 num_roles; /* Number of roles */
97513+ __u32 num_domain_children; /* Number of domain children */
97514+ __u32 num_subjects; /* Number of subjects */
97515+ __u32 num_objects; /* Number of objects */
97516+};
97517+
97518+struct acl_object_label {
97519+ char *filename;
97520+ u64 inode;
97521+ dev_t device;
97522+ __u32 mode;
97523+
97524+ struct acl_subject_label *nested;
97525+ struct acl_object_label *globbed;
97526+
97527+ /* next two structures not used */
97528+
97529+ struct acl_object_label *prev;
97530+ struct acl_object_label *next;
97531+};
97532+
97533+struct acl_ip_label {
97534+ char *iface;
97535+ __u32 addr;
97536+ __u32 netmask;
97537+ __u16 low, high;
97538+ __u8 mode;
97539+ __u32 type;
97540+ __u32 proto[8];
97541+
97542+ /* next two structures not used */
97543+
97544+ struct acl_ip_label *prev;
97545+ struct acl_ip_label *next;
97546+};
97547+
97548+struct gr_arg {
97549+ struct user_acl_role_db role_db;
97550+ unsigned char pw[GR_PW_LEN];
97551+ unsigned char salt[GR_SALT_LEN];
97552+ unsigned char sum[GR_SHA_LEN];
97553+ unsigned char sp_role[GR_SPROLE_LEN];
97554+ struct sprole_pw *sprole_pws;
97555+ dev_t segv_device;
97556+ u64 segv_inode;
97557+ uid_t segv_uid;
97558+ __u16 num_sprole_pws;
97559+ __u16 mode;
97560+};
97561+
97562+struct gr_arg_wrapper {
97563+ struct gr_arg *arg;
97564+ __u32 version;
97565+ __u32 size;
97566+};
97567+
97568+struct subject_map {
97569+ struct acl_subject_label *user;
97570+ struct acl_subject_label *kernel;
97571+ struct subject_map *prev;
97572+ struct subject_map *next;
97573+};
97574+
97575+struct acl_subj_map_db {
97576+ struct subject_map **s_hash;
97577+ __u32 s_size;
97578+};
97579+
97580+struct gr_policy_state {
97581+ struct sprole_pw **acl_special_roles;
97582+ __u16 num_sprole_pws;
97583+ struct acl_role_label *kernel_role;
97584+ struct acl_role_label *role_list;
97585+ struct acl_role_label *default_role;
97586+ struct acl_role_db acl_role_set;
97587+ struct acl_subj_map_db subj_map_set;
97588+ struct name_db name_set;
97589+ struct inodev_db inodev_set;
97590+};
97591+
97592+struct gr_alloc_state {
97593+ unsigned long alloc_stack_next;
97594+ unsigned long alloc_stack_size;
97595+ void **alloc_stack;
97596+};
97597+
97598+struct gr_reload_state {
97599+ struct gr_policy_state oldpolicy;
97600+ struct gr_alloc_state oldalloc;
97601+ struct gr_policy_state newpolicy;
97602+ struct gr_alloc_state newalloc;
97603+ struct gr_policy_state *oldpolicy_ptr;
97604+ struct gr_alloc_state *oldalloc_ptr;
97605+ unsigned char oldmode;
97606+};
97607+
97608+/* End Data Structures Section */
97609+
97610+/* Hash functions generated by empirical testing by Brad Spengler
97611+ Makes good use of the low bits of the inode. Generally 0-1 times
97612+ in loop for successful match. 0-3 for unsuccessful match.
97613+ Shift/add algorithm with modulus of table size and an XOR*/
97614+
97615+static __inline__ unsigned int
97616+gr_rhash(const uid_t uid, const __u16 type, const unsigned int sz)
97617+{
97618+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
97619+}
97620+
97621+ static __inline__ unsigned int
97622+gr_shash(const struct acl_subject_label *userp, const unsigned int sz)
97623+{
97624+ return ((const unsigned long)userp % sz);
97625+}
97626+
97627+static __inline__ unsigned int
97628+gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz)
97629+{
97630+ unsigned int rem;
97631+ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem);
97632+ return rem;
97633+}
97634+
97635+static __inline__ unsigned int
97636+gr_nhash(const char *name, const __u16 len, const unsigned int sz)
97637+{
97638+ return full_name_hash((const unsigned char *)name, len) % sz;
97639+}
97640+
97641+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
97642+ subj = NULL; \
97643+ iter = 0; \
97644+ while (iter < role->subj_hash_size) { \
97645+ if (subj == NULL) \
97646+ subj = role->subj_hash[iter]; \
97647+ if (subj == NULL) { \
97648+ iter++; \
97649+ continue; \
97650+ }
97651+
97652+#define FOR_EACH_SUBJECT_END(subj,iter) \
97653+ subj = subj->next; \
97654+ if (subj == NULL) \
97655+ iter++; \
97656+ }
97657+
97658+
97659+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
97660+ subj = role->hash->first; \
97661+ while (subj != NULL) {
97662+
97663+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
97664+ subj = subj->next; \
97665+ }
97666+
97667+#endif
97668+
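Review bot: `gr_rhash()` shifts by `16 + type` and reduces modulo `sz` without stating a precondition on either argument. `type` is a `__u16`, and the role flags in grdefs.h go up to `GR_ROLE_PERSIST = 0x0800`; any value of 16 or more makes the shift count at least 32, which is undefined for the 32-bit operand, and `sz == 0` is a division by zero in all four hash helpers. If callers always mask `type` down to `GR_ROLE_USER`/`GR_ROLE_GROUP` and only hash into an allocated table, record that above the function, e.g. `/* type must be GR_ROLE_USER or GR_ROLE_GROUP; sz must be non-zero */`; otherwise bound the shift with `(16 + type) & 31`. The `FOR_EACH_SUBJECT_*` macros in the same file also expand `role`, `subj` and `iter` unparenthesised.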
97669diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h
97670new file mode 100644
97671index 0000000..af64092
97672--- /dev/null
97673+++ b/include/linux/gracl_compat.h
97674@@ -0,0 +1,156 @@
97675+#ifndef GR_ACL_COMPAT_H
97676+#define GR_ACL_COMPAT_H
97677+
97678+#include <linux/resource.h>
97679+#include <asm/resource.h>
97680+
97681+struct sprole_pw_compat {
97682+ compat_uptr_t rolename;
97683+ unsigned char salt[GR_SALT_LEN];
97684+ unsigned char sum[GR_SHA_LEN];
97685+};
97686+
97687+struct gr_hash_struct_compat {
97688+ compat_uptr_t table;
97689+ compat_uptr_t nametable;
97690+ compat_uptr_t first;
97691+ __u32 table_size;
97692+ __u32 used_size;
97693+ int type;
97694+};
97695+
97696+struct acl_subject_label_compat {
97697+ compat_uptr_t filename;
97698+ compat_u64 inode;
97699+ __u32 device;
97700+ __u32 mode;
97701+ kernel_cap_t cap_mask;
97702+ kernel_cap_t cap_lower;
97703+ kernel_cap_t cap_invert_audit;
97704+
97705+ struct compat_rlimit res[GR_NLIMITS];
97706+ __u32 resmask;
97707+
97708+ __u8 user_trans_type;
97709+ __u8 group_trans_type;
97710+ compat_uptr_t user_transitions;
97711+ compat_uptr_t group_transitions;
97712+ __u16 user_trans_num;
97713+ __u16 group_trans_num;
97714+
97715+ __u32 sock_families[2];
97716+ __u32 ip_proto[8];
97717+ __u32 ip_type;
97718+ compat_uptr_t ips;
97719+ __u32 ip_num;
97720+ __u32 inaddr_any_override;
97721+
97722+ __u32 crashes;
97723+ compat_ulong_t expires;
97724+
97725+ compat_uptr_t parent_subject;
97726+ compat_uptr_t hash;
97727+ compat_uptr_t prev;
97728+ compat_uptr_t next;
97729+
97730+ compat_uptr_t obj_hash;
97731+ __u32 obj_hash_size;
97732+ __u16 pax_flags;
97733+};
97734+
97735+struct role_allowed_ip_compat {
97736+ __u32 addr;
97737+ __u32 netmask;
97738+
97739+ compat_uptr_t prev;
97740+ compat_uptr_t next;
97741+};
97742+
97743+struct role_transition_compat {
97744+ compat_uptr_t rolename;
97745+
97746+ compat_uptr_t prev;
97747+ compat_uptr_t next;
97748+};
97749+
97750+struct acl_role_label_compat {
97751+ compat_uptr_t rolename;
97752+ uid_t uidgid;
97753+ __u16 roletype;
97754+
97755+ __u16 auth_attempts;
97756+ compat_ulong_t expires;
97757+
97758+ compat_uptr_t root_label;
97759+ compat_uptr_t hash;
97760+
97761+ compat_uptr_t prev;
97762+ compat_uptr_t next;
97763+
97764+ compat_uptr_t transitions;
97765+ compat_uptr_t allowed_ips;
97766+ compat_uptr_t domain_children;
97767+ __u16 domain_child_num;
97768+
97769+ umode_t umask;
97770+
97771+ compat_uptr_t subj_hash;
97772+ __u32 subj_hash_size;
97773+};
97774+
97775+struct user_acl_role_db_compat {
97776+ compat_uptr_t r_table;
97777+ __u32 num_pointers;
97778+ __u32 num_roles;
97779+ __u32 num_domain_children;
97780+ __u32 num_subjects;
97781+ __u32 num_objects;
97782+};
97783+
97784+struct acl_object_label_compat {
97785+ compat_uptr_t filename;
97786+ compat_u64 inode;
97787+ __u32 device;
97788+ __u32 mode;
97789+
97790+ compat_uptr_t nested;
97791+ compat_uptr_t globbed;
97792+
97793+ compat_uptr_t prev;
97794+ compat_uptr_t next;
97795+};
97796+
97797+struct acl_ip_label_compat {
97798+ compat_uptr_t iface;
97799+ __u32 addr;
97800+ __u32 netmask;
97801+ __u16 low, high;
97802+ __u8 mode;
97803+ __u32 type;
97804+ __u32 proto[8];
97805+
97806+ compat_uptr_t prev;
97807+ compat_uptr_t next;
97808+};
97809+
97810+struct gr_arg_compat {
97811+ struct user_acl_role_db_compat role_db;
97812+ unsigned char pw[GR_PW_LEN];
97813+ unsigned char salt[GR_SALT_LEN];
97814+ unsigned char sum[GR_SHA_LEN];
97815+ unsigned char sp_role[GR_SPROLE_LEN];
97816+ compat_uptr_t sprole_pws;
97817+ __u32 segv_device;
97818+ compat_u64 segv_inode;
97819+ uid_t segv_uid;
97820+ __u16 num_sprole_pws;
97821+ __u16 mode;
97822+};
97823+
97824+struct gr_arg_wrapper_compat {
97825+ compat_uptr_t arg;
97826+ __u32 version;
97827+ __u32 size;
97828+};
97829+
97830+#endif
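Review bot: gracl_compat.h is not self-contained. It uses `compat_uptr_t`, `compat_u64`, `compat_ulong_t`, `struct compat_rlimit`, `kernel_cap_t`, `GR_SALT_LEN`, `GR_SHA_LEN`, `GR_PW_LEN`, `GR_SPROLE_LEN` and `GR_NLIMITS`, but includes only the two resource headers. It therefore compiles only when the including file has already pulled in the right headers in the right order; adding `#include <linux/compat.h>`, `#include <linux/capability.h>` and `#include <linux/gracl.h>` at the top removes that dependency. Separately, a one-line comment stating that every `compat_uptr_t` and count field in these structs is supplied by userspace and must be validated by the conversion code would help reviewers of that code, which is not part of this hunk.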
97831diff --git a/include/linux/gralloc.h b/include/linux/gralloc.h
97832new file mode 100644
97833index 0000000..323ecf2
97834--- /dev/null
97835+++ b/include/linux/gralloc.h
97836@@ -0,0 +1,9 @@
97837+#ifndef __GRALLOC_H
97838+#define __GRALLOC_H
97839+
97840+void acl_free_all(void);
97841+int acl_alloc_stack_init(unsigned long size);
97842+void *acl_alloc(unsigned long len);
97843+void *acl_alloc_num(unsigned long num, unsigned long len);
97844+
97845+#endif
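Review bot: The four allocator prototypes are declared without any contract. `acl_alloc_num(num, len)` takes two sizes whose product can overflow, so if `num` comes from the counts in the userspace-supplied policy (`num_roles`, `num_subjects` and so on in gracl.h; the callers are not visible here), the header should state that overflow is rejected and what is returned on failure. I would add a comment block above the declarations saying that `acl_alloc()`/`acl_alloc_num()` return NULL on failure or overflow, that the memory is owned by the allocation stack set up by `acl_alloc_stack_init()`, and that it is released only by `acl_free_all()`. Each of those statements needs confirming against the implementation.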
97846diff --git a/include/linux/grdefs.h b/include/linux/grdefs.h
97847new file mode 100644
97848index 0000000..be66033
97849--- /dev/null
97850+++ b/include/linux/grdefs.h
97851@@ -0,0 +1,140 @@
97852+#ifndef GRDEFS_H
97853+#define GRDEFS_H
97854+
97855+/* Begin grsecurity status declarations */
97856+
97857+enum {
97858+ GR_READY = 0x01,
97859+ GR_STATUS_INIT = 0x00 // disabled state
97860+};
97861+
97862+/* Begin ACL declarations */
97863+
97864+/* Role flags */
97865+
97866+enum {
97867+ GR_ROLE_USER = 0x0001,
97868+ GR_ROLE_GROUP = 0x0002,
97869+ GR_ROLE_DEFAULT = 0x0004,
97870+ GR_ROLE_SPECIAL = 0x0008,
97871+ GR_ROLE_AUTH = 0x0010,
97872+ GR_ROLE_NOPW = 0x0020,
97873+ GR_ROLE_GOD = 0x0040,
97874+ GR_ROLE_LEARN = 0x0080,
97875+ GR_ROLE_TPE = 0x0100,
97876+ GR_ROLE_DOMAIN = 0x0200,
97877+ GR_ROLE_PAM = 0x0400,
97878+ GR_ROLE_PERSIST = 0x0800
97879+};
97880+
97881+/* ACL Subject and Object mode flags */
97882+enum {
97883+ GR_DELETED = 0x80000000
97884+};
97885+
97886+/* ACL Object-only mode flags */
97887+enum {
97888+ GR_READ = 0x00000001,
97889+ GR_APPEND = 0x00000002,
97890+ GR_WRITE = 0x00000004,
97891+ GR_EXEC = 0x00000008,
97892+ GR_FIND = 0x00000010,
97893+ GR_INHERIT = 0x00000020,
97894+ GR_SETID = 0x00000040,
97895+ GR_CREATE = 0x00000080,
97896+ GR_DELETE = 0x00000100,
97897+ GR_LINK = 0x00000200,
97898+ GR_AUDIT_READ = 0x00000400,
97899+ GR_AUDIT_APPEND = 0x00000800,
97900+ GR_AUDIT_WRITE = 0x00001000,
97901+ GR_AUDIT_EXEC = 0x00002000,
97902+ GR_AUDIT_FIND = 0x00004000,
97903+ GR_AUDIT_INHERIT= 0x00008000,
97904+ GR_AUDIT_SETID = 0x00010000,
97905+ GR_AUDIT_CREATE = 0x00020000,
97906+ GR_AUDIT_DELETE = 0x00040000,
97907+ GR_AUDIT_LINK = 0x00080000,
97908+ GR_PTRACERD = 0x00100000,
97909+ GR_NOPTRACE = 0x00200000,
97910+ GR_SUPPRESS = 0x00400000,
97911+ GR_NOLEARN = 0x00800000,
97912+ GR_INIT_TRANSFER= 0x01000000
97913+};
97914+
97915+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
97916+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
97917+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
97918+
97919+/* ACL subject-only mode flags */
97920+enum {
97921+ GR_KILL = 0x00000001,
97922+ GR_VIEW = 0x00000002,
97923+ GR_PROTECTED = 0x00000004,
97924+ GR_LEARN = 0x00000008,
97925+ GR_OVERRIDE = 0x00000010,
97926+ /* just a placeholder, this mode is only used in userspace */
97927+ GR_DUMMY = 0x00000020,
97928+ GR_PROTSHM = 0x00000040,
97929+ GR_KILLPROC = 0x00000080,
97930+ GR_KILLIPPROC = 0x00000100,
97931+ /* just a placeholder, this mode is only used in userspace */
97932+ GR_NOTROJAN = 0x00000200,
97933+ GR_PROTPROCFD = 0x00000400,
97934+ GR_PROCACCT = 0x00000800,
97935+ GR_RELAXPTRACE = 0x00001000,
97936+ //GR_NESTED = 0x00002000,
97937+ GR_INHERITLEARN = 0x00004000,
97938+ GR_PROCFIND = 0x00008000,
97939+ GR_POVERRIDE = 0x00010000,
97940+ GR_KERNELAUTH = 0x00020000,
97941+ GR_ATSECURE = 0x00040000,
97942+ GR_SHMEXEC = 0x00080000
97943+};
97944+
97945+enum {
97946+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
97947+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
97948+ GR_PAX_ENABLE_MPROTECT = 0x0004,
97949+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
97950+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
97951+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
97952+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
97953+ GR_PAX_DISABLE_MPROTECT = 0x0400,
97954+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
97955+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
97956+};
97957+
97958+enum {
97959+ GR_ID_USER = 0x01,
97960+ GR_ID_GROUP = 0x02,
97961+};
97962+
97963+enum {
97964+ GR_ID_ALLOW = 0x01,
97965+ GR_ID_DENY = 0x02,
97966+};
97967+
97968+#define GR_CRASH_RES 31
97969+#define GR_UIDTABLE_MAX 500
97970+
97971+/* begin resource learning section */
97972+enum {
97973+ GR_RLIM_CPU_BUMP = 60,
97974+ GR_RLIM_FSIZE_BUMP = 50000,
97975+ GR_RLIM_DATA_BUMP = 10000,
97976+ GR_RLIM_STACK_BUMP = 1000,
97977+ GR_RLIM_CORE_BUMP = 10000,
97978+ GR_RLIM_RSS_BUMP = 500000,
97979+ GR_RLIM_NPROC_BUMP = 1,
97980+ GR_RLIM_NOFILE_BUMP = 5,
97981+ GR_RLIM_MEMLOCK_BUMP = 50000,
97982+ GR_RLIM_AS_BUMP = 500000,
97983+ GR_RLIM_LOCKS_BUMP = 2,
97984+ GR_RLIM_SIGPENDING_BUMP = 5,
97985+ GR_RLIM_MSGQUEUE_BUMP = 10000,
97986+ GR_RLIM_NICE_BUMP = 1,
97987+ GR_RLIM_RTPRIO_BUMP = 1,
97988+ GR_RLIM_RTTIME_BUMP = 1000000
97989+};
97990+
97991+#endif
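Review bot: `GR_DELETED = 0x80000000` does not fit in `int`, so it is not a valid enumerator value in ISO C and is accepted only as a compiler extension. The enum's underlying type, and the signedness of comparisons against the `__u32 mode` fields, then depend on the compiler. Defining it as a macro, `#define GR_DELETED 0x80000000U`, keeps it unsigned everywhere. In the subject-only flags, the commented-out `//GR_NESTED = 0x00002000,` leaves bit 0x2000 unexplained; if the bit is being kept reserved, replace the line with `/* 0x00002000 reserved (GR_NESTED) */` so the value is not reused by accident.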
97992diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
97993new file mode 100644
97994index 0000000..6245f9e
97995--- /dev/null
97996+++ b/include/linux/grinternal.h
97997@@ -0,0 +1,230 @@
97998+#ifndef __GRINTERNAL_H
97999+#define __GRINTERNAL_H
98000+
98001+#ifdef CONFIG_GRKERNSEC
98002+
98003+#include <linux/fs.h>
98004+#include <linux/mnt_namespace.h>
98005+#include <linux/nsproxy.h>
98006+#include <linux/gracl.h>
98007+#include <linux/grdefs.h>
98008+#include <linux/grmsg.h>
98009+
98010+void gr_add_learn_entry(const char *fmt, ...)
98011+ __attribute__ ((format (printf, 1, 2)));
98012+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
98013+ const struct vfsmount *mnt);
98014+__u32 gr_check_create(const struct dentry *new_dentry,
98015+ const struct dentry *parent,
98016+ const struct vfsmount *mnt, const __u32 mode);
98017+int gr_check_protected_task(const struct task_struct *task);
98018+__u32 to_gr_audit(const __u32 reqmode);
98019+int gr_set_acls(const int type);
98020+int gr_acl_is_enabled(void);
98021+char gr_roletype_to_char(void);
98022+
98023+void gr_handle_alertkill(struct task_struct *task);
98024+char *gr_to_filename(const struct dentry *dentry,
98025+ const struct vfsmount *mnt);
98026+char *gr_to_filename1(const struct dentry *dentry,
98027+ const struct vfsmount *mnt);
98028+char *gr_to_filename2(const struct dentry *dentry,
98029+ const struct vfsmount *mnt);
98030+char *gr_to_filename3(const struct dentry *dentry,
98031+ const struct vfsmount *mnt);
98032+
98033+extern int grsec_enable_ptrace_readexec;
98034+extern int grsec_enable_harden_ptrace;
98035+extern int grsec_enable_link;
98036+extern int grsec_enable_fifo;
98037+extern int grsec_enable_execve;
98038+extern int grsec_enable_shm;
98039+extern int grsec_enable_execlog;
98040+extern int grsec_enable_signal;
98041+extern int grsec_enable_audit_ptrace;
98042+extern int grsec_enable_forkfail;
98043+extern int grsec_enable_time;
98044+extern int grsec_enable_rofs;
98045+extern int grsec_deny_new_usb;
98046+extern int grsec_enable_chroot_shmat;
98047+extern int grsec_enable_chroot_mount;
98048+extern int grsec_enable_chroot_double;
98049+extern int grsec_enable_chroot_pivot;
98050+extern int grsec_enable_chroot_chdir;
98051+extern int grsec_enable_chroot_chmod;
98052+extern int grsec_enable_chroot_mknod;
98053+extern int grsec_enable_chroot_fchdir;
98054+extern int grsec_enable_chroot_nice;
98055+extern int grsec_enable_chroot_execlog;
98056+extern int grsec_enable_chroot_caps;
98057+extern int grsec_enable_chroot_rename;
98058+extern int grsec_enable_chroot_sysctl;
98059+extern int grsec_enable_chroot_unix;
98060+extern int grsec_enable_symlinkown;
98061+extern kgid_t grsec_symlinkown_gid;
98062+extern int grsec_enable_tpe;
98063+extern kgid_t grsec_tpe_gid;
98064+extern int grsec_enable_tpe_all;
98065+extern int grsec_enable_tpe_invert;
98066+extern int grsec_enable_socket_all;
98067+extern kgid_t grsec_socket_all_gid;
98068+extern int grsec_enable_socket_client;
98069+extern kgid_t grsec_socket_client_gid;
98070+extern int grsec_enable_socket_server;
98071+extern kgid_t grsec_socket_server_gid;
98072+extern kgid_t grsec_audit_gid;
98073+extern int grsec_enable_group;
98074+extern int grsec_enable_log_rwxmaps;
98075+extern int grsec_enable_mount;
98076+extern int grsec_enable_chdir;
98077+extern int grsec_resource_logging;
98078+extern int grsec_enable_blackhole;
98079+extern int grsec_lastack_retries;
98080+extern int grsec_enable_brute;
98081+extern int grsec_enable_harden_ipc;
98082+extern int grsec_lock;
98083+
98084+extern spinlock_t grsec_alert_lock;
98085+extern unsigned long grsec_alert_wtime;
98086+extern unsigned long grsec_alert_fyet;
98087+
98088+extern spinlock_t grsec_audit_lock;
98089+
98090+extern rwlock_t grsec_exec_file_lock;
98091+
98092+#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
98093+ gr_to_filename2((tsk)->exec_file->f_path.dentry, \
98094+ (tsk)->exec_file->f_path.mnt) : "/")
98095+
98096+#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
98097+ gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
98098+ (tsk)->real_parent->exec_file->f_path.mnt) : "/")
98099+
98100+#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
98101+ gr_to_filename((tsk)->exec_file->f_path.dentry, \
98102+ (tsk)->exec_file->f_path.mnt) : "/")
98103+
98104+#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
98105+ gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
98106+ (tsk)->real_parent->exec_file->f_path.mnt) : "/")
98107+
98108+#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
98109+
98110+#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
98111+
98112+static inline bool gr_is_same_file(const struct file *file1, const struct file *file2)
98113+{
98114+ if (file1 && file2) {
98115+ const struct inode *inode1 = file1->f_path.dentry->d_inode;
98116+ const struct inode *inode2 = file2->f_path.dentry->d_inode;
98117+ if (inode1->i_ino == inode2->i_ino && inode1->i_sb->s_dev == inode2->i_sb->s_dev)
98118+ return true;
98119+ }
98120+
98121+ return false;
98122+}
98123+
98124+#define GR_CHROOT_CAPS {{ \
98125+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
98126+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
98127+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
98128+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
98129+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
98130+ CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
98131+ CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_MAC_ADMIN) }}
98132+
98133+#define security_learn(normal_msg,args...) \
98134+({ \
98135+ read_lock(&grsec_exec_file_lock); \
98136+ gr_add_learn_entry(normal_msg "\n", ## args); \
98137+ read_unlock(&grsec_exec_file_lock); \
98138+})
98139+
98140+enum {
98141+ GR_DO_AUDIT,
98142+ GR_DONT_AUDIT,
98143+ /* used for non-audit messages that we shouldn't kill the task on */
98144+ GR_DONT_AUDIT_GOOD
98145+};
98146+
98147+enum {
98148+ GR_TTYSNIFF,
98149+ GR_RBAC,
98150+ GR_RBAC_STR,
98151+ GR_STR_RBAC,
98152+ GR_RBAC_MODE2,
98153+ GR_RBAC_MODE3,
98154+ GR_FILENAME,
98155+ GR_SYSCTL_HIDDEN,
98156+ GR_NOARGS,
98157+ GR_ONE_INT,
98158+ GR_ONE_INT_TWO_STR,
98159+ GR_ONE_STR,
98160+ GR_STR_INT,
98161+ GR_TWO_STR_INT,
98162+ GR_TWO_INT,
98163+ GR_TWO_U64,
98164+ GR_THREE_INT,
98165+ GR_FIVE_INT_TWO_STR,
98166+ GR_TWO_STR,
98167+ GR_THREE_STR,
98168+ GR_FOUR_STR,
98169+ GR_STR_FILENAME,
98170+ GR_FILENAME_STR,
98171+ GR_FILENAME_TWO_INT,
98172+ GR_FILENAME_TWO_INT_STR,
98173+ GR_TEXTREL,
98174+ GR_PTRACE,
98175+ GR_RESOURCE,
98176+ GR_CAP,
98177+ GR_SIG,
98178+ GR_SIG2,
98179+ GR_CRASH1,
98180+ GR_CRASH2,
98181+ GR_PSACCT,
98182+ GR_RWXMAP,
98183+ GR_RWXMAPVMA
98184+};
98185+
98186+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
98187+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
98188+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
98189+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
98190+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
98191+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
98192+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
98193+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
98194+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
98195+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
98196+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
98197+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
98198+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
98199+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
98200+#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
98201+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
98202+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
98203+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
98204+#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
98205+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
98206+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
98207+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
98208+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
98209+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
98210+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
98211+#define gr_log_textrel_ulong_ulong(audit, msg, str, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, str, file, ulong1, ulong2)
98212+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
98213+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
98214+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
98215+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
98216+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
98217+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
98218+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
98219+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
98220+#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
98221+#define gr_log_rwxmap_vma(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAPVMA, str)
98222+
98223+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
98224+
98225+#endif
98226+
98227+#endif
98228diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
98229new file mode 100644
98230index 0000000..3092b3c
98231--- /dev/null
98232+++ b/include/linux/grmsg.h
98233@@ -0,0 +1,118 @@
98234+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
98235+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
98236+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
98237+#define GR_STOPMOD_MSG "denied modification of module state by "
98238+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
98239+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
98240+#define GR_IOPERM_MSG "denied use of ioperm() by "
98241+#define GR_IOPL_MSG "denied use of iopl() by "
98242+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
98243+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
98244+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
98245+#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
98246+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
98247+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
98248+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
98249+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
98250+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
98251+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
98252+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
98253+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
98254+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
98255+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
98256+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
98257+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
98258+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
98259+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
98260+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
98261+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
98262+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
98263+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
98264+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
98265+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
98266+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
98267+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
98268+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
98269+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
98270+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
98271+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
98272+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
98273+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
98274+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
98275+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
98276+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
98277+#define GR_CHROOT_RENAME_MSG "denied bad rename of %.950s out of a chroot by "
98278+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
98279+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
98280+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
98281+#define GR_CHROOT_FHANDLE_MSG "denied use of file handles inside chroot by "
98282+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
98283+#define GR_SETXATTR_ACL_MSG "%s setting extended attribute of %.950s by "
98284+#define GR_REMOVEXATTR_ACL_MSG "%s removing extended attribute of %.950s by "
98285+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
98286+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
98287+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
98288+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbage by "
98289+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
98290+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
98291+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
98292+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
98293+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
98294+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
98295+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
98296+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
98297+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
98298+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
98299+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
98300+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
98301+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
98302+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
98303+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
98304+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
98305+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
98306+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
98307+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
98308+#define GR_FAILFORK_MSG "failed fork with errno %s by "
98309+#define GR_NICE_CHROOT_MSG "denied priority change by "
98310+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
98311+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
98312+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
98313+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
98314+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
98315+#define GR_TIME_MSG "time set by "
98316+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
98317+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
98318+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
98319+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
98320+#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
98321+#define GR_BIND_MSG "denied bind() by "
98322+#define GR_CONNECT_MSG "denied connect() by "
98323+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
98324+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
98325+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
98326+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
98327+#define GR_CAP_ACL_MSG "use of %s denied for "
98328+#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
98329+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
98330+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
98331+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
98332+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
98333+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
98334+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
98335+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
98336+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
98337+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
98338+#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
98339+#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
98340+#define GR_TEXTREL_AUDIT_MSG "allowed %s text relocation transition in %.950s, VMA:0x%08lx 0x%08lx by "
98341+#define GR_PTGNUSTACK_MSG "denied marking stack executable as requested by PT_GNU_STACK marking in %.950s by "
98342+#define GR_VM86_MSG "denied use of vm86 by "
98343+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
98344+#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by "
98345+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
98346+#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
98347+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
98348+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
98349+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
98350+#define GR_IPC_DENIED_MSG "denied %s of overly-permissive IPC object with creator uid %u by "
98351+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
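Review bot: The new include/linux/grmsg.h has no include guard: its 118 lines start directly at `#define DEFAULTSECMSG` and end at `GR_MSRWRITE_MSG`, unlike grsecurity.h and grsock.h added alongside it. Wrapping the file in `#ifndef GR_MSG_H` / `#define GR_MSG_H` … `#endif` (the guard name is a suggestion) keeps it safe if one copy of a macro is ever edited and the header is pulled in twice. Separately, path and comm fields are capped (`%.950s`, `%.16s`), but several messages take a bare `%s`, for example `GR_INITF_ACL_MSG`, `GR_FAILFORK_MSG`, `GR_CAP_ACL_MSG` and `GR_BADPROCPID_MSG`. The callers are not in this hunk, so a comment such as `/* bare %s arguments must be fixed kernel strings, never path- or task-derived data */` would record the assumption that keeps log lines bounded.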
98352diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
98353new file mode 100644
98354index 0000000..bdf5c8b
98355--- /dev/null
98356+++ b/include/linux/grsecurity.h
98357@@ -0,0 +1,249 @@
98358+#ifndef GR_SECURITY_H
98359+#define GR_SECURITY_H
98360+#include <linux/fs.h>
98361+#include <linux/fs_struct.h>
98362+#include <linux/binfmts.h>
98363+#include <linux/gracl.h>
98364+
98365+/* notify of brain-dead configs */
98366+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
98367+#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
98368+#endif
98369+#if defined(CONFIG_GRKERNSEC_PROC) && !defined(CONFIG_GRKERNSEC_PROC_USER) && !defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
98370+#error "CONFIG_GRKERNSEC_PROC enabled, but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP enabled"
98371+#endif
98372+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
98373+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
98374+#endif
98375+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
98376+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
98377+#endif
98378+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
98379+#error "CONFIG_PAX enabled, but no PaX options are enabled."
98380+#endif
98381+
98382+int gr_handle_new_usb(void);
98383+
98384+void gr_handle_brute_attach(int dumpable);
98385+void gr_handle_brute_check(void);
98386+void gr_handle_kernel_exploit(void);
98387+
98388+char gr_roletype_to_char(void);
98389+
98390+int gr_proc_is_restricted(void);
98391+
98392+int gr_acl_enable_at_secure(void);
98393+
98394+int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
98395+int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
98396+
98397+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap);
98398+
98399+void gr_del_task_from_ip_table(struct task_struct *p);
98400+
98401+int gr_pid_is_chrooted(struct task_struct *p);
98402+int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
98403+int gr_handle_chroot_nice(void);
98404+int gr_handle_chroot_sysctl(const int op);
98405+int gr_handle_chroot_setpriority(struct task_struct *p,
98406+ const int niceval);
98407+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
98408+int gr_chroot_fhandle(void);
98409+int gr_handle_chroot_chroot(const struct dentry *dentry,
98410+ const struct vfsmount *mnt);
98411+void gr_handle_chroot_chdir(const struct path *path);
98412+int gr_handle_chroot_chmod(const struct dentry *dentry,
98413+ const struct vfsmount *mnt, const int mode);
98414+int gr_handle_chroot_mknod(const struct dentry *dentry,
98415+ const struct vfsmount *mnt, const int mode);
98416+int gr_handle_chroot_mount(const struct dentry *dentry,
98417+ const struct vfsmount *mnt,
98418+ const char *dev_name);
98419+int gr_handle_chroot_pivot(void);
98420+int gr_handle_chroot_unix(const pid_t pid);
98421+
98422+int gr_handle_rawio(const struct inode *inode);
98423+
98424+void gr_handle_ioperm(void);
98425+void gr_handle_iopl(void);
98426+void gr_handle_msr_write(void);
98427+
98428+umode_t gr_acl_umask(void);
98429+
98430+int gr_tpe_allow(const struct file *file);
98431+
98432+void gr_set_chroot_entries(struct task_struct *task, const struct path *path);
98433+void gr_clear_chroot_entries(struct task_struct *task);
98434+
98435+void gr_log_forkfail(const int retval);
98436+void gr_log_timechange(void);
98437+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
98438+void gr_log_chdir(const struct dentry *dentry,
98439+ const struct vfsmount *mnt);
98440+void gr_log_chroot_exec(const struct dentry *dentry,
98441+ const struct vfsmount *mnt);
98442+void gr_log_remount(const char *devname, const int retval);
98443+void gr_log_unmount(const char *devname, const int retval);
98444+void gr_log_mount(const char *from, struct path *to, const int retval);
98445+void gr_log_textrel(struct vm_area_struct *vma, bool is_textrel_rw);
98446+void gr_log_ptgnustack(struct file *file);
98447+void gr_log_rwxmmap(struct file *file);
98448+void gr_log_rwxmprotect(struct vm_area_struct *vma);
98449+
98450+int gr_handle_follow_link(const struct dentry *dentry,
98451+ const struct vfsmount *mnt);
98452+int gr_handle_fifo(const struct dentry *dentry,
98453+ const struct vfsmount *mnt,
98454+ const struct dentry *dir, const int flag,
98455+ const int acc_mode);
98456+int gr_handle_hardlink(const struct dentry *dentry,
98457+ const struct vfsmount *mnt,
98458+ const struct filename *to);
98459+
98460+int gr_is_capable(const int cap);
98461+int gr_is_capable_nolog(const int cap);
98462+int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
98463+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap);
98464+
98465+void gr_copy_label(struct task_struct *tsk);
98466+void gr_handle_crash(struct task_struct *task, const int sig);
98467+int gr_handle_signal(const struct task_struct *p, const int sig);
98468+int gr_check_crash_uid(const kuid_t uid);
98469+int gr_check_protected_task(const struct task_struct *task);
98470+int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
98471+int gr_acl_handle_mmap(const struct file *file,
98472+ const unsigned long prot);
98473+int gr_acl_handle_mprotect(const struct file *file,
98474+ const unsigned long prot);
98475+int gr_check_hidden_task(const struct task_struct *tsk);
98476+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
98477+ const struct vfsmount *mnt);
98478+__u32 gr_acl_handle_utime(const struct dentry *dentry,
98479+ const struct vfsmount *mnt);
98480+__u32 gr_acl_handle_access(const struct dentry *dentry,
98481+ const struct vfsmount *mnt, const int fmode);
98482+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
98483+ const struct vfsmount *mnt, umode_t *mode);
98484+__u32 gr_acl_handle_chown(const struct dentry *dentry,
98485+ const struct vfsmount *mnt);
98486+__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
98487+ const struct vfsmount *mnt);
98488+__u32 gr_acl_handle_removexattr(const struct dentry *dentry,
98489+ const struct vfsmount *mnt);
98490+int gr_handle_ptrace(struct task_struct *task, const long request);
98491+int gr_handle_proc_ptrace(struct task_struct *task);
98492+__u32 gr_acl_handle_execve(const struct dentry *dentry,
98493+ const struct vfsmount *mnt);
98494+int gr_check_crash_exec(const struct file *filp);
98495+int gr_acl_is_enabled(void);
98496+void gr_set_role_label(struct task_struct *task, const kuid_t uid,
98497+ const kgid_t gid);
98498+int gr_set_proc_label(const struct dentry *dentry,
98499+ const struct vfsmount *mnt,
98500+ const int unsafe_flags);
98501+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
98502+ const struct vfsmount *mnt);
98503+__u32 gr_acl_handle_open(const struct dentry *dentry,
98504+ const struct vfsmount *mnt, int acc_mode);
98505+__u32 gr_acl_handle_creat(const struct dentry *dentry,
98506+ const struct dentry *p_dentry,
98507+ const struct vfsmount *p_mnt,
98508+ int open_flags, int acc_mode, const int imode);
98509+void gr_handle_create(const struct dentry *dentry,
98510+ const struct vfsmount *mnt);
98511+void gr_handle_proc_create(const struct dentry *dentry,
98512+ const struct inode *inode);
98513+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
98514+ const struct dentry *parent_dentry,
98515+ const struct vfsmount *parent_mnt,
98516+ const int mode);
98517+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
98518+ const struct dentry *parent_dentry,
98519+ const struct vfsmount *parent_mnt);
98520+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
98521+ const struct vfsmount *mnt);
98522+void gr_handle_delete(const u64 ino, const dev_t dev);
98523+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
98524+ const struct vfsmount *mnt);
98525+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
98526+ const struct dentry *parent_dentry,
98527+ const struct vfsmount *parent_mnt,
98528+ const struct filename *from);
98529+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
98530+ const struct dentry *parent_dentry,
98531+ const struct vfsmount *parent_mnt,
98532+ const struct dentry *old_dentry,
98533+ const struct vfsmount *old_mnt, const struct filename *to);
98534+int gr_handle_symlink_owner(const struct path *link, const struct inode *target);
98535+int gr_acl_handle_rename(struct dentry *new_dentry,
98536+ struct dentry *parent_dentry,
98537+ const struct vfsmount *parent_mnt,
98538+ struct dentry *old_dentry,
98539+ struct inode *old_parent_inode,
98540+ struct vfsmount *old_mnt, const struct filename *newname, unsigned int flags);
98541+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
98542+ struct dentry *old_dentry,
98543+ struct dentry *new_dentry,
98544+ struct vfsmount *mnt, const __u8 replace, unsigned int flags);
98545+__u32 gr_check_link(const struct dentry *new_dentry,
98546+ const struct dentry *parent_dentry,
98547+ const struct vfsmount *parent_mnt,
98548+ const struct dentry *old_dentry,
98549+ const struct vfsmount *old_mnt);
98550+int gr_acl_handle_filldir(const struct file *file, const char *name,
98551+ const unsigned int namelen, const u64 ino);
98552+
98553+__u32 gr_acl_handle_unix(const struct dentry *dentry,
98554+ const struct vfsmount *mnt);
98555+void gr_acl_handle_exit(void);
98556+void gr_acl_handle_psacct(struct task_struct *task, const long code);
98557+int gr_acl_handle_procpidmem(const struct task_struct *task);
98558+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
98559+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
98560+void gr_audit_ptrace(struct task_struct *task);
98561+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
98562+u64 gr_get_ino_from_dentry(struct dentry *dentry);
98563+void gr_put_exec_file(struct task_struct *task);
98564+
98565+int gr_get_symlinkown_enabled(void);
98566+
98567+int gr_ptrace_readexec(struct file *file, int unsafe_flags);
98568+
98569+void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
98570+void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
98571+int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
98572+ struct dentry *newdentry, struct vfsmount *newmnt);
98573+
98574+#ifdef CONFIG_GRKERNSEC_RESLOG
98575+extern void gr_log_resource(const struct task_struct *task, const int res,
98576+ const unsigned long wanted, const int gt);
98577+#else
98578+static inline void gr_log_resource(const struct task_struct *task, const int res,
98579+ const unsigned long wanted, const int gt)
98580+{
98581+}
98582+#endif
98583+
98584+#ifdef CONFIG_GRKERNSEC
98585+void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
98586+void gr_handle_vm86(void);
98587+void gr_handle_mem_readwrite(u64 from, u64 to);
98588+
98589+void gr_log_badprocpid(const char *entry);
98590+
98591+extern int grsec_enable_dmesg;
98592+extern int grsec_disable_privio;
98593+
98594+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
98595+extern kgid_t grsec_proc_gid;
98596+#endif
98597+
98598+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
98599+extern int grsec_enable_chroot_findtask;
98600+#endif
98601+#ifdef CONFIG_GRKERNSEC_SETXID
98602+extern int grsec_enable_setxid;
98603+#endif
98604+#endif
98605+
98606+#endif
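Review bot: None of the hook prototypes in this header say what their return value means, and the file mixes `int` results (`gr_handle_chroot_chmod`, `gr_handle_ptrace`, `gr_tpe_allow`) with `__u32` results (`gr_acl_handle_open`, `gr_acl_handle_unlink`). For access-control hooks that matters at every call site, because a caller that reads "non-zero" the wrong way round turns a denial into an allow. A short block comment above each group would fix this, along the lines of `/* gr_handle_*: returns <0 or non-zero means ...>; gr_acl_handle_*: returns <meaning of the __u32 mask> */`, filled in from the implementation, since the convention is not visible in this hunk. Also, only `gr_log_resource` and the declarations under `#ifdef CONFIG_GRKERNSEC` are conditional; whether the remaining prototypes have stubs in a build with the feature disabled cannot be seen here and is worth a comment.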
98607diff --git a/include/linux/grsock.h b/include/linux/grsock.h
98608new file mode 100644
98609index 0000000..e7ffaaf
98610--- /dev/null
98611+++ b/include/linux/grsock.h
98612@@ -0,0 +1,19 @@
98613+#ifndef __GRSOCK_H
98614+#define __GRSOCK_H
98615+
98616+extern void gr_attach_curr_ip(const struct sock *sk);
98617+extern int gr_handle_sock_all(const int family, const int type,
98618+ const int protocol);
98619+extern int gr_handle_sock_server(const struct sockaddr *sck);
98620+extern int gr_handle_sock_server_other(const struct sock *sck);
98621+extern int gr_handle_sock_client(const struct sockaddr *sck);
98622+extern int gr_search_connect(struct socket * sock,
98623+ struct sockaddr_in * addr);
98624+extern int gr_search_bind(struct socket * sock,
98625+ struct sockaddr_in * addr);
98626+extern int gr_search_listen(struct socket * sock);
98627+extern int gr_search_accept(struct socket * sock);
98628+extern int gr_search_socket(const int domain, const int type,
98629+ const int protocol);
98630+
98631+#endif
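Review bot: grsock.h is not self-contained: its prototypes name `struct sock`, `struct sockaddr`, `struct socket` and `struct sockaddr_in`, but the header includes nothing and forward-declares none of them. If a translation unit includes it before those types are declared, each struct tag gets prototype scope, the compiler warns, and the declaration is incompatible with the real type. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` right after the guard (or including the defining headers) removes the dependence on include order. As a style point, the `extern` on these function declarations is redundant and differs from grsecurity.h in the same patch, which omits it.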
98632diff --git a/include/linux/highmem.h b/include/linux/highmem.h
98633index 6aefcd0..98b81dc 100644
98634--- a/include/linux/highmem.h
98635+++ b/include/linux/highmem.h
98636@@ -191,6 +191,18 @@ static inline void clear_highpage(struct page *page)
98637 kunmap_atomic(kaddr);
98638 }
98639
98640+static inline void sanitize_highpage(struct page *page)
98641+{
98642+ void *kaddr;
98643+ unsigned long flags;
98644+
98645+ local_irq_save(flags);
98646+ kaddr = kmap_atomic(page);
98647+ clear_page(kaddr);
98648+ kunmap_atomic(kaddr);
98649+ local_irq_restore(flags);
98650+}
98651+
98652 static inline void zero_user_segments(struct page *page,
98653 unsigned start1, unsigned end1,
98654 unsigned start2, unsigned end2)
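Review bot: `sanitize_highpage()` has no comment explaining why it wraps the map/clear/unmap sequence in `local_irq_save()`/`local_irq_restore()`, or when it should be used instead of `clear_highpage()`, whose tail is the context just above. Without that, a later cleanup could merge the two helpers or drop the IRQ masking and quietly weaken the page sanitisation path. A comment above the function, e.g. `/* like clear_highpage(), but with IRQs off while the page is mapped: <reason and callers> */`, would record the requirement; the reason and the callers are not visible in this hunk. The trailing context (`zero_user_segments`) continues outside the hunk.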
98655diff --git a/include/linux/hwmon-sysfs.h b/include/linux/hwmon-sysfs.h
98656index 1c7b89a..7dda400 100644
98657--- a/include/linux/hwmon-sysfs.h
98658+++ b/include/linux/hwmon-sysfs.h
98659@@ -25,7 +25,8 @@
98660 struct sensor_device_attribute{
98661 struct device_attribute dev_attr;
98662 int index;
98663-};
98664+} __do_const;
98665+typedef struct sensor_device_attribute __no_const sensor_device_attribute_no_const;
98666 #define to_sensor_dev_attr(_dev_attr) \
98667 container_of(_dev_attr, struct sensor_device_attribute, dev_attr)
98668
98669@@ -41,7 +42,8 @@ struct sensor_device_attribute_2 {
98670 struct device_attribute dev_attr;
98671 u8 index;
98672 u8 nr;
98673-};
98674+} __do_const;
98675+typedef struct sensor_device_attribute_2 __no_const sensor_device_attribute_2_no_const;
98676 #define to_sensor_dev_attr_2(_dev_attr) \
98677 container_of(_dev_attr, struct sensor_device_attribute_2, dev_attr)
98678
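Review bot: The `__do_const` annotations and the `*_no_const` typedefs are added in both hunks of this file without any comment, and the same `typedef … __no_const …_no_const` pattern recurs for `struct i2c_algorithm` in include/linux/i2c.h. Presumably `__do_const` asks the constify plugin to place instances in read-only memory, and the `_no_const` typedef is the escape hatch for instances filled in at runtime. Every use of the typedef therefore leaves a structure that embeds callbacks writable. A one-line comment at each typedef, e.g. `/* writable variant: only for attributes that must be initialised at runtime */`, would make new uses stand out in review.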
98679diff --git a/include/linux/i2c.h b/include/linux/i2c.h
98680index e83a738..8b323fa 100644
98681--- a/include/linux/i2c.h
98682+++ b/include/linux/i2c.h
98683@@ -409,6 +409,7 @@ struct i2c_algorithm {
98684 int (*unreg_slave)(struct i2c_client *client);
98685 #endif
98686 };
98687+typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
98688
98689 /**
98690 * struct i2c_bus_recovery_info - I2C bus recovery information
98691diff --git a/include/linux/if_pppox.h b/include/linux/if_pppox.h
98692index b49cf92..0c29072 100644
98693--- a/include/linux/if_pppox.h
98694+++ b/include/linux/if_pppox.h
98695@@ -78,7 +78,7 @@ struct pppox_proto {
98696 int (*ioctl)(struct socket *sock, unsigned int cmd,
98697 unsigned long arg);
98698 struct module *owner;
98699-};
98700+} __do_const;
98701
98702 extern int register_pppox_proto(int proto_num, const struct pppox_proto *pp);
98703 extern void unregister_pppox_proto(int proto_num);
98704diff --git a/include/linux/init.h b/include/linux/init.h
98705index b449f37..61005b3 100644
98706--- a/include/linux/init.h
98707+++ b/include/linux/init.h
98708@@ -37,9 +37,17 @@
98709 * section.
98710 */
98711
98712+#define add_init_latent_entropy __latent_entropy
98713+
98714+#ifdef CONFIG_MEMORY_HOTPLUG
98715+#define add_meminit_latent_entropy
98716+#else
98717+#define add_meminit_latent_entropy __latent_entropy
98718+#endif
98719+
98720 /* These are for everybody (although not all archs will actually
98721 discard it in modules) */
98722-#define __init __section(.init.text) __cold notrace
98723+#define __init __section(.init.text) __cold notrace add_init_latent_entropy
98724 #define __initdata __section(.init.data)
98725 #define __initconst __constsection(.init.rodata)
98726 #define __exitdata __section(.exit.data)
98727@@ -92,7 +100,7 @@
98728 #define __exit __section(.exit.text) __exitused __cold notrace
98729
98730 /* Used for MEMORY_HOTPLUG */
98731-#define __meminit __section(.meminit.text) __cold notrace
98732+#define __meminit __section(.meminit.text) __cold notrace add_meminit_latent_entropy
98733 #define __meminitdata __section(.meminit.data)
98734 #define __meminitconst __constsection(.meminit.rodata)
98735 #define __memexit __section(.memexit.text) __exitused __cold notrace
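Review bot: `add_meminit_latent_entropy` expands to nothing under `CONFIG_MEMORY_HOTPLUG` with no explanation, so `__meminit` functions silently lose the `__latent_entropy` attribute on hotplug kernels. Presumably that is because such code can run after boot rather than only during init, but this is an inference. Once confirmed, a comment in the first hunk such as `/* with MEMORY_HOTPLUG, __meminit code may run after boot: do not instrument it */` would document the choice. `__init` now expands `__latent_entropy` unconditionally, so a definition (possibly empty) must exist for builds without the plugin; that definition is outside these hunks and worth checking.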
98736diff --git a/include/linux/init_task.h b/include/linux/init_task.h
98737index e8493fe..8684844 100644
98738--- a/include/linux/init_task.h
98739+++ b/include/linux/init_task.h
98740@@ -149,6 +149,12 @@ extern struct task_group root_task_group;
98741
98742 #define INIT_TASK_COMM "swapper"
98743
98744+#ifdef CONFIG_X86
98745+#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
98746+#else
98747+#define INIT_TASK_THREAD_INFO
98748+#endif
98749+
98750 #ifdef CONFIG_RT_MUTEXES
98751 # define INIT_RT_MUTEXES(tsk) \
98752 .pi_waiters = RB_ROOT, \
98753@@ -215,6 +221,7 @@ extern struct task_group root_task_group;
98754 RCU_POINTER_INITIALIZER(cred, &init_cred), \
98755 .comm = INIT_TASK_COMM, \
98756 .thread = INIT_THREAD, \
98757+ INIT_TASK_THREAD_INFO \
98758 .fs = &init_fs, \
98759 .files = &init_files, \
98760 .signal = &init_signals, \
98761diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
98762index be7e75c..09bec77 100644
98763--- a/include/linux/interrupt.h
98764+++ b/include/linux/interrupt.h
98765@@ -433,8 +433,8 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
98766
98767 struct softirq_action
98768 {
98769- void (*action)(struct softirq_action *);
98770-};
98771+ void (*action)(void);
98772+} __no_const;
98773
98774 asmlinkage void do_softirq(void);
98775 asmlinkage void __do_softirq(void);
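Review bot: `__no_const` on `struct softirq_action` has no comment explaining why a struct that holds only a function pointer is kept writable. Presumably this is because `open_softirq()` installs handlers at run time, which would leave these as writable kernel function pointers; that is worth stating next to the annotation. I would add above the struct: `/* __no_const: handlers are installed at run time by open_softirq(), so this must stay writable */`. The prototype change in the second hunk of this file has to stay in step with the member type.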
98776@@ -448,7 +448,7 @@ static inline void do_softirq_own_stack(void)
98777 }
98778 #endif
98779
98780-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
98781+extern void open_softirq(int nr, void (*action)(void));
98782 extern void softirq_init(void);
98783 extern void __raise_softirq_irqoff(unsigned int nr);
98784
98785diff --git a/include/linux/iommu.h b/include/linux/iommu.h
98786index f9c1b6d..db7d6f5 100644
98787--- a/include/linux/iommu.h
98788+++ b/include/linux/iommu.h
98789@@ -192,7 +192,7 @@ struct iommu_ops {
98790
98791 unsigned long pgsize_bitmap;
98792 void *priv;
98793-};
98794+} __do_const;
98795
98796 #define IOMMU_GROUP_NOTIFY_ADD_DEVICE 1 /* Device added */
98797 #define IOMMU_GROUP_NOTIFY_DEL_DEVICE 2 /* Pre Device removed */
98798diff --git a/include/linux/ioport.h b/include/linux/ioport.h
98799index 388e3ae..d7e45a1 100644
98800--- a/include/linux/ioport.h
98801+++ b/include/linux/ioport.h
98802@@ -161,7 +161,7 @@ struct resource *lookup_resource(struct resource *root, resource_size_t start);
98803 int adjust_resource(struct resource *res, resource_size_t start,
98804 resource_size_t size);
98805 resource_size_t resource_alignment(struct resource *res);
98806-static inline resource_size_t resource_size(const struct resource *res)
98807+static inline resource_size_t __intentional_overflow(-1) resource_size(const struct resource *res)
98808 {
98809 return res->end - res->start + 1;
98810 }
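Review bot: `resource_size()` is marked `__intentional_overflow(-1)` without a comment saying which overflow is intended. `res->end - res->start + 1` wraps to 0 for a resource that spans the whole `resource_size_t` range and gives a wrapped value if `end < start`, so a caller using the result as a length gets 0 or a very large number, presumably with no plugin check left on this function to catch it. I would document that on the function: `/* may wrap: yields 0 for a resource covering the full resource_size_t range */`.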
98811diff --git a/include/linux/ipc.h b/include/linux/ipc.h
98812index 9d84942..12d5bdf 100644
98813--- a/include/linux/ipc.h
98814+++ b/include/linux/ipc.h
98815@@ -19,8 +19,8 @@ struct kern_ipc_perm
98816 kuid_t cuid;
98817 kgid_t cgid;
98818 umode_t mode;
98819- unsigned long seq;
98820+ unsigned long seq __intentional_overflow(-1);
98821 void *security;
98822-};
98823+} __randomize_layout;
98824
98825 #endif /* _LINUX_IPC_H */
98826diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
98827index 1eee6bc..9cf4912 100644
98828--- a/include/linux/ipc_namespace.h
98829+++ b/include/linux/ipc_namespace.h
98830@@ -60,7 +60,7 @@ struct ipc_namespace {
98831 struct user_namespace *user_ns;
98832
98833 struct ns_common ns;
98834-};
98835+} __randomize_layout;
98836
98837 extern struct ipc_namespace init_ipc_ns;
98838 extern atomic_t nr_ipc_ns;
98839diff --git a/include/linux/irq.h b/include/linux/irq.h
98840index 51744bc..e902653 100644
98841--- a/include/linux/irq.h
98842+++ b/include/linux/irq.h
98843@@ -383,7 +383,10 @@ struct irq_chip {
98844 int (*irq_set_vcpu_affinity)(struct irq_data *data, void *vcpu_info);
98845
98846 unsigned long flags;
98847-};
98848+} __do_const;
98849+#ifndef _LINUX_IRQDOMAIN_H
98850+typedef struct irq_chip __no_const irq_chip_no_const;
98851+#endif
98852
98853 /*
98854 * irq_chip specific flags
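Review bot: The `irq_chip_no_const` typedef is guarded by the other header's include guard (`#ifndef _LINUX_IRQDOMAIN_H` here, `#ifndef _LINUX_IRQ_H` in the irqdomain.h hunk), which is fragile and undocumented. If either header ever includes the other before reaching its own typedef, both guard macros are already defined and the typedef is declared nowhere. A rename of either guard silently produces a duplicate definition instead. I would add a comment at both sites, e.g. `/* also declared in linux/irqdomain.h; the guards keep exactly one copy */`, or move the typedef to a single header that both include.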
98855diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h
98856index fcea4e4..cff381d 100644
98857--- a/include/linux/irqdesc.h
98858+++ b/include/linux/irqdesc.h
98859@@ -59,7 +59,7 @@ struct irq_desc {
98860 unsigned int irq_count; /* For detecting broken IRQs */
98861 unsigned long last_unhandled; /* Aging timer for unhandled count */
98862 unsigned int irqs_unhandled;
98863- atomic_t threads_handled;
98864+ atomic_unchecked_t threads_handled;
98865 int threads_handled_last;
98866 raw_spinlock_t lock;
98867 struct cpumask *percpu_enabled;
98868diff --git a/include/linux/irqdomain.h b/include/linux/irqdomain.h
98869index 744ac0e..382b1a6 100644
98870--- a/include/linux/irqdomain.h
98871+++ b/include/linux/irqdomain.h
98872@@ -40,6 +40,9 @@ struct device_node;
98873 struct irq_domain;
98874 struct of_device_id;
98875 struct irq_chip;
98876+#ifndef _LINUX_IRQ_H
98877+typedef struct irq_chip __no_const irq_chip_no_const;
98878+#endif
98879 struct irq_data;
98880
98881 /* Number of irqs reserved for a legacy isa controller */
98882diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
98883index 535fd3b..74d73e6 100644
98884--- a/include/linux/jiffies.h
98885+++ b/include/linux/jiffies.h
98886@@ -75,7 +75,7 @@ extern int register_refined_jiffies(long clock_tick_rate);
98887 * get_jiffies_64() will do this for you as appropriate.
98888 */
98889 extern u64 __jiffy_data jiffies_64;
98890-extern unsigned long volatile __jiffy_data jiffies;
98891+extern unsigned long volatile __jiffy_data __intentional_overflow(-1) jiffies;
98892
98893 #if (BITS_PER_LONG < 64)
98894 u64 get_jiffies_64(void);
98895@@ -281,22 +281,22 @@ extern unsigned long preset_lpj;
98896 /*
98897 * Convert various time units to each other:
98898 */
98899-extern unsigned int jiffies_to_msecs(const unsigned long j);
98900-extern unsigned int jiffies_to_usecs(const unsigned long j);
98901+extern unsigned int jiffies_to_msecs(const unsigned long j) __intentional_overflow(-1);
98902+extern unsigned int jiffies_to_usecs(const unsigned long j) __intentional_overflow(-1);
98903
98904-static inline u64 jiffies_to_nsecs(const unsigned long j)
98905+static inline u64 __intentional_overflow(-1) jiffies_to_nsecs(const unsigned long j)
98906 {
98907 return (u64)jiffies_to_usecs(j) * NSEC_PER_USEC;
98908 }
98909
98910-extern unsigned long __msecs_to_jiffies(const unsigned int m);
98911+extern unsigned long __msecs_to_jiffies(const unsigned int m) __intentional_overflow(-1);
98912 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
98913 /*
98914 * HZ is equal to or smaller than 1000, and 1000 is a nice round
98915 * multiple of HZ, divide with the factor between them, but round
98916 * upwards:
98917 */
98918-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
98919+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
98920 {
98921 return (m + (MSEC_PER_SEC / HZ) - 1) / (MSEC_PER_SEC / HZ);
98922 }
98923@@ -307,7 +307,7 @@ static inline unsigned long _msecs_to_jiffies(const unsigned int m)
98924 *
98925 * But first make sure the multiplication result cannot overflow:
98926 */
98927-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
98928+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
98929 {
98930 if (m > jiffies_to_msecs(MAX_JIFFY_OFFSET))
98931 return MAX_JIFFY_OFFSET;
98932@@ -318,7 +318,7 @@ static inline unsigned long _msecs_to_jiffies(const unsigned int m)
98933 * Generic case - multiply, round and divide. But first check that if
98934 * we are doing a net multiplication, that we wouldn't overflow:
98935 */
98936-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
98937+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
98938 {
98939 if (HZ > MSEC_PER_SEC && m > jiffies_to_msecs(MAX_JIFFY_OFFSET))
98940 return MAX_JIFFY_OFFSET;
98941@@ -362,21 +362,19 @@ static inline unsigned long msecs_to_jiffies(const unsigned int m)
98942 }
98943 }
98944
98945-extern unsigned long __usecs_to_jiffies(const unsigned int u);
98946+extern unsigned long __usecs_to_jiffies(const unsigned int u) __intentional_overflow(-1);
98947 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
98948-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
98949+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
98950 {
98951 return (u + (USEC_PER_SEC / HZ) - 1) / (USEC_PER_SEC / HZ);
98952 }
98953 #elif HZ > USEC_PER_SEC && !(HZ % USEC_PER_SEC)
98954-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
98955+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
98956 {
98957 return u * (HZ / USEC_PER_SEC);
98958 }
98959-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
98960-{
98961 #else
98962-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
98963+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
98964 {
98965 return (USEC_TO_HZ_MUL32 * u + USEC_TO_HZ_ADJ32)
98966 >> USEC_TO_HZ_SHR32;
98967@@ -418,8 +416,8 @@ static inline unsigned long usecs_to_jiffies(const unsigned int u)
98968
98969 extern unsigned long timespec_to_jiffies(const struct timespec *value);
98970 extern void jiffies_to_timespec(const unsigned long jiffies,
98971- struct timespec *value);
98972-extern unsigned long timeval_to_jiffies(const struct timeval *value);
98973+ struct timespec *value) __intentional_overflow(-1);
98974+extern unsigned long timeval_to_jiffies(const struct timeval *value) __intentional_overflow(-1);
98975 extern void jiffies_to_timeval(const unsigned long jiffies,
98976 struct timeval *value);
98977
98978diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
98979index 6883e19..e854fcb 100644
98980--- a/include/linux/kallsyms.h
98981+++ b/include/linux/kallsyms.h
98982@@ -15,7 +15,8 @@
98983
98984 struct module;
98985
98986-#ifdef CONFIG_KALLSYMS
98987+#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
98988+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
98989 /* Lookup the address for a symbol. Returns 0 if not found. */
98990 unsigned long kallsyms_lookup_name(const char *name);
98991
98992@@ -106,6 +107,21 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
98993 /* Stupid that this does nothing, but I didn't create this mess. */
98994 #define __print_symbol(fmt, addr)
98995 #endif /*CONFIG_KALLSYMS*/
98996+#else /* when included by kallsyms.c, vsnprintf.c, kprobes.c, or
98997+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
98998+extern unsigned long kallsyms_lookup_name(const char *name);
98999+extern void __print_symbol(const char *fmt, unsigned long address);
99000+extern int sprint_backtrace(char *buffer, unsigned long address);
99001+extern int sprint_symbol(char *buffer, unsigned long address);
99002+extern int sprint_symbol_no_offset(char *buffer, unsigned long address);
99003+const char *kallsyms_lookup(unsigned long addr,
99004+ unsigned long *symbolsize,
99005+ unsigned long *offset,
99006+ char **modname, char *namebuf);
99007+extern int kallsyms_lookup_size_offset(unsigned long addr,
99008+ unsigned long *symbolsize,
99009+ unsigned long *offset);
99010+#endif
99011
99012 /* This macro allows us to keep printk typechecking */
99013 static __printf(1, 2)
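Review bot: The `#endif /*CONFIG_KALLSYMS*/` kept as context now closes `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)`, and the added bare `#endif` closes the outer `__INCLUDED_BY_HIDESYM` test, so neither closing line tells the reader which branch they are in. I would relabel them, e.g. `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. A one-line comment at the outer `#if` should also state the intent, which appears to be that with HIDESYM only files defining `__INCLUDED_BY_HIDESYM` see the real prototypes while everything else gets the stub branch. The `#else` comment lists those files by name and will go stale as includers change. `kallsyms_lookup` is the only declaration in the new branch without `extern`.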
99014diff --git a/include/linux/kernel.h b/include/linux/kernel.h
99015index 5582410..13ecc80 100644
99016--- a/include/linux/kernel.h
99017+++ b/include/linux/kernel.h
99018@@ -391,7 +391,7 @@ static inline int __must_check kstrtos32_from_user(const char __user *s, size_t
99019 /* Obsolete, do not use. Use kstrto<foo> instead */
99020
99021 extern unsigned long simple_strtoul(const char *,char **,unsigned int);
99022-extern long simple_strtol(const char *,char **,unsigned int);
99023+extern long simple_strtol(const char *,char **,unsigned int) __intentional_overflow(-1);
99024 extern unsigned long long simple_strtoull(const char *,char **,unsigned int);
99025 extern long long simple_strtoll(const char *,char **,unsigned int);
99026
99027diff --git a/include/linux/key-type.h b/include/linux/key-type.h
99028index ff9f1d3..6712be5 100644
99029--- a/include/linux/key-type.h
99030+++ b/include/linux/key-type.h
99031@@ -152,7 +152,7 @@ struct key_type {
99032 /* internal fields */
99033 struct list_head link; /* link in types list */
99034 struct lock_class_key lock_class; /* key->sem lock class */
99035-};
99036+} __do_const;
99037
99038 extern struct key_type key_type_keyring;
99039
99040diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
99041index e465bb1..19f605fd 100644
99042--- a/include/linux/kgdb.h
99043+++ b/include/linux/kgdb.h
99044@@ -52,7 +52,7 @@ extern int kgdb_connected;
99045 extern int kgdb_io_module_registered;
99046
99047 extern atomic_t kgdb_setting_breakpoint;
99048-extern atomic_t kgdb_cpu_doing_single_step;
99049+extern atomic_unchecked_t kgdb_cpu_doing_single_step;
99050
99051 extern struct task_struct *kgdb_usethread;
99052 extern struct task_struct *kgdb_contthread;
99053@@ -254,7 +254,7 @@ struct kgdb_arch {
99054 void (*correct_hw_break)(void);
99055
99056 void (*enable_nmi)(bool on);
99057-};
99058+} __do_const;
99059
99060 /**
99061 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
99062@@ -279,7 +279,7 @@ struct kgdb_io {
99063 void (*pre_exception) (void);
99064 void (*post_exception) (void);
99065 int is_console;
99066-};
99067+} __do_const;
99068
99069 extern struct kgdb_arch arch_kgdb_ops;
99070
99071diff --git a/include/linux/kmemleak.h b/include/linux/kmemleak.h
99072index d0a1f99..0bd8b7c 100644
99073--- a/include/linux/kmemleak.h
99074+++ b/include/linux/kmemleak.h
99075@@ -27,7 +27,7 @@
99076
99077 extern void kmemleak_init(void) __ref;
99078 extern void kmemleak_alloc(const void *ptr, size_t size, int min_count,
99079- gfp_t gfp) __ref;
99080+ gfp_t gfp) __ref __size_overflow(2);
99081 extern void kmemleak_alloc_percpu(const void __percpu *ptr, size_t size,
99082 gfp_t gfp) __ref;
99083 extern void kmemleak_free(const void *ptr) __ref;
99084@@ -63,7 +63,7 @@ static inline void kmemleak_erase(void **ptr)
99085 static inline void kmemleak_init(void)
99086 {
99087 }
99088-static inline void kmemleak_alloc(const void *ptr, size_t size, int min_count,
99089+static inline void __size_overflow(2) kmemleak_alloc(const void *ptr, size_t size, int min_count,
99090 gfp_t gfp)
99091 {
99092 }
99093diff --git a/include/linux/kmod.h b/include/linux/kmod.h
99094index 0555cc6..40116ce 100644
99095--- a/include/linux/kmod.h
99096+++ b/include/linux/kmod.h
99097@@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysctl */
99098 * usually useless though. */
99099 extern __printf(2, 3)
99100 int __request_module(bool wait, const char *name, ...);
99101+extern __printf(3, 4)
99102+int ___request_module(bool wait, char *param_name, const char *name, ...);
99103 #define request_module(mod...) __request_module(true, mod)
99104 #define request_module_nowait(mod...) __request_module(false, mod)
99105 #define try_then_request_module(x, mod...) \
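Review bot: `___request_module()` differs from `__request_module()` by a single underscore and has no comment, so the two are easy to confuse at a call site. The comment above describes only the existing function. I would add a line such as `/* as __request_module(), with param_name <what it carries>; used by <callers> */`, filled in from the definition, which is outside this hunk. `param_name` is `char *` while `name` is `const char *`; if the implementation does not write through it, `const char *param_name` would match and let callers pass literals.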
99106@@ -57,6 +59,9 @@ struct subprocess_info {
99107 struct work_struct work;
99108 struct completion *complete;
99109 char *path;
99110+#ifdef CONFIG_GRKERNSEC
99111+ char *origpath;
99112+#endif
99113 char **argv;
99114 char **envp;
99115 int wait;
99116diff --git a/include/linux/kobject.h b/include/linux/kobject.h
99117index 637f670..3d69945 100644
99118--- a/include/linux/kobject.h
99119+++ b/include/linux/kobject.h
99120@@ -119,7 +119,7 @@ struct kobj_type {
99121 struct attribute **default_attrs;
99122 const struct kobj_ns_type_operations *(*child_ns_type)(struct kobject *kobj);
99123 const void *(*namespace)(struct kobject *kobj);
99124-};
99125+} __do_const;
99126
99127 struct kobj_uevent_env {
99128 char *argv[3];
99129@@ -143,6 +143,7 @@ struct kobj_attribute {
99130 ssize_t (*store)(struct kobject *kobj, struct kobj_attribute *attr,
99131 const char *buf, size_t count);
99132 };
99133+typedef struct kobj_attribute __no_const kobj_attribute_no_const;
99134
99135 extern const struct sysfs_ops kobj_sysfs_ops;
99136
99137@@ -170,7 +171,7 @@ struct kset {
99138 spinlock_t list_lock;
99139 struct kobject kobj;
99140 const struct kset_uevent_ops *uevent_ops;
99141-};
99142+} __randomize_layout;
99143
99144 extern void kset_init(struct kset *kset);
99145 extern int __must_check kset_register(struct kset *kset);
99146diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
99147index df32d25..fb52e27 100644
99148--- a/include/linux/kobject_ns.h
99149+++ b/include/linux/kobject_ns.h
99150@@ -44,7 +44,7 @@ struct kobj_ns_type_operations {
99151 const void *(*netlink_ns)(struct sock *sk);
99152 const void *(*initial_ns)(void);
99153 void (*drop_ns)(void *);
99154-};
99155+} __do_const;
99156
99157 int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
99158 int kobj_ns_type_registered(enum kobj_ns_type type);
99159diff --git a/include/linux/kref.h b/include/linux/kref.h
99160index 484604d..0f6c5b6 100644
99161--- a/include/linux/kref.h
99162+++ b/include/linux/kref.h
99163@@ -68,7 +68,7 @@ static inline void kref_get(struct kref *kref)
99164 static inline int kref_sub(struct kref *kref, unsigned int count,
99165 void (*release)(struct kref *kref))
99166 {
99167- WARN_ON(release == NULL);
99168+ BUG_ON(release == NULL);
99169
99170 if (atomic_sub_and_test((int) count, &kref->refcount)) {
99171 release(kref);
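Review bot: The switch to `BUG_ON(release == NULL)` has no comment giving the reason, and the reason is not obvious from the macro alone. With the old `WARN_ON`, execution continued and `release(kref)` two lines further down would call through a NULL pointer once the count reached zero; stopping here avoids that call. I would add `/* a NULL release would be called below when the count hits zero; do not continue */` above the check. `kref_sub()` continues past the end of this hunk.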
99172diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
99173index 05e99b8..484b1f97 100644
99174--- a/include/linux/kvm_host.h
99175+++ b/include/linux/kvm_host.h
99176@@ -468,7 +468,7 @@ static inline void kvm_irqfd_exit(void)
99177 {
99178 }
99179 #endif
99180-int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
99181+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
99182 struct module *module);
99183 void kvm_exit(void);
99184
99185@@ -678,7 +678,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
99186 struct kvm_guest_debug *dbg);
99187 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
99188
99189-int kvm_arch_init(void *opaque);
99190+int kvm_arch_init(const void *opaque);
99191 void kvm_arch_exit(void);
99192
99193 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
99194diff --git a/include/linux/libata.h b/include/linux/libata.h
99195index c9cfbcd..46986db 100644
99196--- a/include/linux/libata.h
99197+++ b/include/linux/libata.h
99198@@ -990,7 +990,7 @@ struct ata_port_operations {
99199 * fields must be pointers.
99200 */
99201 const struct ata_port_operations *inherits;
99202-};
99203+} __do_const;
99204
99205 struct ata_port_info {
99206 unsigned long flags;
99207diff --git a/include/linux/linkage.h b/include/linux/linkage.h
99208index a6a42dd..6c5ebce 100644
99209--- a/include/linux/linkage.h
99210+++ b/include/linux/linkage.h
99211@@ -36,6 +36,7 @@
99212 #endif
99213
99214 #define __page_aligned_data __section(.data..page_aligned) __aligned(PAGE_SIZE)
99215+#define __page_aligned_rodata __read_only __aligned(PAGE_SIZE)
99216 #define __page_aligned_bss __section(.bss..page_aligned) __aligned(PAGE_SIZE)
99217
99218 /*
99219diff --git a/include/linux/list.h b/include/linux/list.h
99220index feb773c..98f3075 100644
99221--- a/include/linux/list.h
99222+++ b/include/linux/list.h
99223@@ -113,6 +113,19 @@ extern void __list_del_entry(struct list_head *entry);
99224 extern void list_del(struct list_head *entry);
99225 #endif
99226
99227+extern void __pax_list_add(struct list_head *new,
99228+ struct list_head *prev,
99229+ struct list_head *next);
99230+static inline void pax_list_add(struct list_head *new, struct list_head *head)
99231+{
99232+ __pax_list_add(new, head, head->next);
99233+}
99234+static inline void pax_list_add_tail(struct list_head *new, struct list_head *head)
99235+{
99236+ __pax_list_add(new, head->prev, head);
99237+}
99238+extern void pax_list_del(struct list_head *entry);
99239+
99240 /**
99241 * list_replace - replace old entry by new one
99242 * @old : the element to be replaced
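Review bot: `__pax_list_add()`, `pax_list_add()`, `pax_list_add_tail()` and `pax_list_del()` are added without any comment, directly above a kernel-doc block for `list_replace`, so a reader cannot tell when to use them instead of `list_add()`/`list_del()`. The inline wrappers have the same shape as the stock ones, so the difference must be in the out-of-line definitions, which are outside this hunk. I would add a short block above the declarations saying which lists need the `pax_` variants (presumably nodes embedded in objects the patch makes read-only) and that mixing them with the plain helpers on the same list is or is not allowed. The same applies to `pax_list_del_init()` in the next hunk.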
99243@@ -146,6 +159,8 @@ static inline void list_del_init(struct list_head *entry)
99244 INIT_LIST_HEAD(entry);
99245 }
99246
99247+extern void pax_list_del_init(struct list_head *entry);
99248+
99249 /**
99250 * list_move - delete from one list and add as another's head
99251 * @list: the entry to move
99252diff --git a/include/linux/lockref.h b/include/linux/lockref.h
99253index b10b122..d37b3de 100644
99254--- a/include/linux/lockref.h
99255+++ b/include/linux/lockref.h
99256@@ -28,7 +28,7 @@ struct lockref {
99257 #endif
99258 struct {
99259 spinlock_t lock;
99260- int count;
99261+ atomic_t count;
99262 };
99263 };
99264 };
99265@@ -43,9 +43,29 @@ extern void lockref_mark_dead(struct lockref *);
99266 extern int lockref_get_not_dead(struct lockref *);
99267
99268 /* Must be called under spinlock for reliable results */
99269-static inline int __lockref_is_dead(const struct lockref *l)
99270+static inline int __lockref_is_dead(const struct lockref *lockref)
99271 {
99272- return ((int)l->count < 0);
99273+ return atomic_read(&lockref->count) < 0;
99274+}
99275+
99276+static inline int __lockref_read(const struct lockref *lockref)
99277+{
99278+ return atomic_read(&lockref->count);
99279+}
99280+
99281+static inline void __lockref_set(struct lockref *lockref, int count)
99282+{
99283+ atomic_set(&lockref->count, count);
99284+}
99285+
99286+static inline void __lockref_inc(struct lockref *lockref)
99287+{
99288+ atomic_inc(&lockref->count);
99289+}
99290+
99291+static inline void __lockref_dec(struct lockref *lockref)
99292+{
99293+ atomic_dec(&lockref->count);
99294 }
99295
99296 #endif /* __LINUX_LOCKREF_H */
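Review bot: The four new helpers `__lockref_read()`, `__lockref_set()`, `__lockref_inc()` and `__lockref_dec()` have no statement of their locking requirement; the existing comment "Must be called under spinlock for reliable results" sits only above `__lockref_is_dead()`. Making `count` an `atomic_t` makes each single access atomic, but a read followed by a decision or an update is still only consistent if the caller holds `lockref->lock` or works on a private copy. I would add one comment above the group, e.g. `/* Raw accessors for lockref->count; callers hold lockref->lock or operate on a local copy */`, adjusted to what the callers actually do (they are not visible here). The first hunk's `int count` to `atomic_t count` change also relies on the two types having the same size inside the union, which deserves a comment there.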
99297diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
99298index 9429f05..a5d5425 100644
99299--- a/include/linux/lsm_hooks.h
99300+++ b/include/linux/lsm_hooks.h
99301@@ -1824,7 +1824,7 @@ struct security_hook_heads {
99302 struct list_head audit_rule_match;
99303 struct list_head audit_rule_free;
99304 #endif /* CONFIG_AUDIT */
99305-};
99306+} __randomize_layout;
99307
99308 /*
99309 * Security module hook list structure.
99310@@ -1834,7 +1834,7 @@ struct security_hook_list {
99311 struct list_head list;
99312 struct list_head *head;
99313 union security_list_options hook;
99314-};
99315+} __randomize_layout;
99316
99317 /*
99318 * Initializing a security_hook_list structure takes
99319diff --git a/include/linux/math64.h b/include/linux/math64.h
99320index c45c089..298841c 100644
99321--- a/include/linux/math64.h
99322+++ b/include/linux/math64.h
99323@@ -15,7 +15,7 @@
99324 * This is commonly provided by 32bit archs to provide an optimized 64bit
99325 * divide.
99326 */
99327-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
99328+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
99329 {
99330 *remainder = dividend % divisor;
99331 return dividend / divisor;
99332@@ -42,7 +42,7 @@ static inline u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
99333 /**
99334 * div64_u64 - unsigned 64bit divide with 64bit divisor
99335 */
99336-static inline u64 div64_u64(u64 dividend, u64 divisor)
99337+static inline u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor)
99338 {
99339 return dividend / divisor;
99340 }
99341@@ -61,7 +61,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor)
99342 #define div64_ul(x, y) div_u64((x), (y))
99343
99344 #ifndef div_u64_rem
99345-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
99346+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
99347 {
99348 *remainder = do_div(dividend, divisor);
99349 return dividend;
99350@@ -77,7 +77,7 @@ extern u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder);
99351 #endif
99352
99353 #ifndef div64_u64
99354-extern u64 div64_u64(u64 dividend, u64 divisor);
99355+extern u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor);
99356 #endif
99357
99358 #ifndef div64_s64
99359@@ -94,7 +94,7 @@ extern s64 div64_s64(s64 dividend, s64 divisor);
99360 * divide.
99361 */
99362 #ifndef div_u64
99363-static inline u64 div_u64(u64 dividend, u32 divisor)
99364+static inline u64 __intentional_overflow(-1) div_u64(u64 dividend, u32 divisor)
99365 {
99366 u32 remainder;
99367 return div_u64_rem(dividend, divisor, &remainder);
99368diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
99369index 3d385c8..deacb6a 100644
99370--- a/include/linux/mempolicy.h
99371+++ b/include/linux/mempolicy.h
99372@@ -91,6 +91,10 @@ static inline struct mempolicy *mpol_dup(struct mempolicy *pol)
99373 }
99374
99375 #define vma_policy(vma) ((vma)->vm_policy)
99376+static inline void set_vma_policy(struct vm_area_struct *vma, struct mempolicy *pol)
99377+{
99378+ vma->vm_policy = pol;
99379+}
99380
99381 static inline void mpol_get(struct mempolicy *pol)
99382 {
99383@@ -229,6 +233,9 @@ static inline void mpol_free_shared_policy(struct shared_policy *p)
99384 }
99385
99386 #define vma_policy(vma) NULL
99387+static inline void set_vma_policy(struct vm_area_struct *vma, struct mempolicy *pol)
99388+{
99389+}
99390
99391 static inline int
99392 vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)
99393diff --git a/include/linux/mm.h b/include/linux/mm.h
99394index bf6f117..0bcd7ea 100644
99395--- a/include/linux/mm.h
99396+++ b/include/linux/mm.h
99397@@ -136,6 +136,11 @@ extern unsigned int kobjsize(const void *objp);
99398
99399 #define VM_DONTCOPY 0x00020000 /* Do not copy this vma on fork */
99400 #define VM_DONTEXPAND 0x00040000 /* Cannot expand with mremap() */
99401+
99402+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
99403+#define VM_PAGEEXEC 0x00080000 /* vma->vm_page_prot needs special handling */
99404+#endif
99405+
99406 #define VM_ACCOUNT 0x00100000 /* Is a VM accounted object */
99407 #define VM_NORESERVE 0x00200000 /* should the VM suppress accounting */
99408 #define VM_HUGETLB 0x00400000 /* Huge TLB Page VM */
99409@@ -258,8 +263,8 @@ struct vm_operations_struct {
99410 /* called by access_process_vm when get_user_pages() fails, typically
99411 * for use by special VMAs that can switch between memory and hardware
99412 */
99413- int (*access)(struct vm_area_struct *vma, unsigned long addr,
99414- void *buf, int len, int write);
99415+ ssize_t (*access)(struct vm_area_struct *vma, unsigned long addr,
99416+ void *buf, size_t len, int write);
99417
99418 /* Called by the /proc/PID/maps code to ask the vma whether it
99419 * has a special name. Returning non-NULL will also cause this
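Review bot: Changing `->access` to return `ssize_t` and take `size_t len` is only safe if every implementation and caller changes with it, and the comment above the member still says nothing about the return value. A caller that keeps the result in an `int` truncates it, and a caller that still computes a signed length passes a negative value that converts to a very large `size_t`. I would extend the comment with the contract, e.g. `/* returns <bytes transferred or error convention>; len is an unsigned byte count */`, filled in from the implementations, which are outside this hunk. The same point applies to `generic_access_phys()` and to `access_process_vm()`/`access_remote_vm()` in the two hunks that follow.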
99420@@ -297,6 +302,7 @@ struct vm_operations_struct {
99421 struct page *(*find_special_page)(struct vm_area_struct *vma,
99422 unsigned long addr);
99423 };
99424+typedef struct vm_operations_struct __no_const vm_operations_struct_no_const;
99425
99426 struct mmu_gather;
99427 struct inode;
99428@@ -1160,8 +1166,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
99429 unsigned long *pfn);
99430 int follow_phys(struct vm_area_struct *vma, unsigned long address,
99431 unsigned int flags, unsigned long *prot, resource_size_t *phys);
99432-int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
99433- void *buf, int len, int write);
99434+ssize_t generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
99435+ void *buf, size_t len, int write);
99436
99437 static inline void unmap_shared_mapping_range(struct address_space *mapping,
99438 loff_t const holebegin, loff_t const holelen)
99439@@ -1201,9 +1207,9 @@ static inline int fixup_user_fault(struct task_struct *tsk,
99440 }
99441 #endif
99442
99443-extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write);
99444-extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
99445- void *buf, int len, int write);
99446+extern ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, size_t len, int write);
99447+extern ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
99448+ void *buf, size_t len, int write);
99449
99450 long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
99451 unsigned long start, unsigned long nr_pages,
99452@@ -1251,34 +1257,6 @@ int clear_page_dirty_for_io(struct page *page);
99453
99454 int get_cmdline(struct task_struct *task, char *buffer, int buflen);
99455
99456-/* Is the vma a continuation of the stack vma above it? */
99457-static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
99458-{
99459- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
99460-}
99461-
99462-static inline int stack_guard_page_start(struct vm_area_struct *vma,
99463- unsigned long addr)
99464-{
99465- return (vma->vm_flags & VM_GROWSDOWN) &&
99466- (vma->vm_start == addr) &&
99467- !vma_growsdown(vma->vm_prev, addr);
99468-}
99469-
99470-/* Is the vma a continuation of the stack vma below it? */
99471-static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
99472-{
99473- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
99474-}
99475-
99476-static inline int stack_guard_page_end(struct vm_area_struct *vma,
99477- unsigned long addr)
99478-{
99479- return (vma->vm_flags & VM_GROWSUP) &&
99480- (vma->vm_end == addr) &&
99481- !vma_growsup(vma->vm_next, addr);
99482-}
99483-
99484 extern struct task_struct *task_of_stack(struct task_struct *task,
99485 struct vm_area_struct *vma, bool in_group);
99486
99487@@ -1401,8 +1379,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
99488 {
99489 return 0;
99490 }
99491+
99492+static inline int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd,
99493+ unsigned long address)
99494+{
99495+ return 0;
99496+}
99497 #else
99498 int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address);
99499+int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address);
99500 #endif
99501
99502 #if defined(__PAGETABLE_PMD_FOLDED) || !defined(CONFIG_MMU)
99503@@ -1412,6 +1397,12 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
99504 return 0;
99505 }
99506
99507+static inline int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud,
99508+ unsigned long address)
99509+{
99510+ return 0;
99511+}
99512+
99513 static inline void mm_nr_pmds_init(struct mm_struct *mm) {}
99514
99515 static inline unsigned long mm_nr_pmds(struct mm_struct *mm)
99516@@ -1424,6 +1415,7 @@ static inline void mm_dec_nr_pmds(struct mm_struct *mm) {}
99517
99518 #else
99519 int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address);
99520+int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address);
99521
99522 static inline void mm_nr_pmds_init(struct mm_struct *mm)
99523 {
99524@@ -1461,11 +1453,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
99525 NULL: pud_offset(pgd, address);
99526 }
99527
99528+static inline pud_t *pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
99529+{
99530+ return (unlikely(pgd_none(*pgd)) && __pud_alloc_kernel(mm, pgd, address))?
99531+ NULL: pud_offset(pgd, address);
99532+}
99533+
99534 static inline pmd_t *pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
99535 {
99536 return (unlikely(pud_none(*pud)) && __pmd_alloc(mm, pud, address))?
99537 NULL: pmd_offset(pud, address);
99538 }
99539+
99540+static inline pmd_t *pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address)
99541+{
99542+ return (unlikely(pud_none(*pud)) && __pmd_alloc_kernel(mm, pud, address))?
99543+ NULL: pmd_offset(pud, address);
99544+}
99545 #endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
99546
99547 #if USE_SPLIT_PTE_PTLOCKS
99548@@ -1846,12 +1850,23 @@ extern struct vm_area_struct *copy_vma(struct vm_area_struct **,
99549 bool *need_rmap_locks);
99550 extern void exit_mmap(struct mm_struct *);
99551
99552+#if defined(CONFIG_GRKERNSEC) && (defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC))
99553+extern void gr_learn_resource(const struct task_struct *task, const int res,
99554+ const unsigned long wanted, const int gt);
99555+#else
99556+static inline void gr_learn_resource(const struct task_struct *task, const int res,
99557+ const unsigned long wanted, const int gt)
99558+{
99559+}
99560+#endif
99561+
99562 static inline int check_data_rlimit(unsigned long rlim,
99563 unsigned long new,
99564 unsigned long start,
99565 unsigned long end_data,
99566 unsigned long start_data)
99567 {
99568+ gr_learn_resource(current, RLIMIT_DATA, (new - start) + (end_data - start_data), 1);
99569 if (rlim < RLIM_INFINITY) {
99570 if (((new - start) + (end_data - start_data)) > rlim)
99571 return -ENOSPC;
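Review bot: The added gr_learn_resource() call in check_data_rlimit() repeats the expression `(new - start) + (end_data - start_data)` that the existing limit test evaluates two lines later, so the learned value and the enforced value can drift apart if one is edited. Computing it once at the top, `unsigned long wanted = (new - start) + (end_data - start_data);`, and using `wanted` in both places keeps them identical. The arithmetic is unsigned, so a caller passing `new < start` would hand a wrapped, very large value to the learning hook; whether callers rule that out cannot be seen from here. The function body continues outside the hunk.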
99572@@ -1876,7 +1891,7 @@ extern int install_special_mapping(struct mm_struct *mm,
99573 unsigned long addr, unsigned long len,
99574 unsigned long flags, struct page **pages);
99575
99576-extern unsigned long get_unmapped_area(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
99577+extern unsigned long get_unmapped_area(struct file *, unsigned long, unsigned long, unsigned long, unsigned long) __intentional_overflow(-1);
99578
99579 extern unsigned long mmap_region(struct file *file, unsigned long addr,
99580 unsigned long len, vm_flags_t vm_flags, unsigned long pgoff);
99581@@ -1884,6 +1899,7 @@ extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
99582 unsigned long len, unsigned long prot, unsigned long flags,
99583 unsigned long pgoff, unsigned long *populate);
99584 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
99585+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
99586
99587 #ifdef CONFIG_MMU
99588 extern int __mm_populate(unsigned long addr, unsigned long len,
99589@@ -1912,10 +1928,11 @@ struct vm_unmapped_area_info {
99590 unsigned long high_limit;
99591 unsigned long align_mask;
99592 unsigned long align_offset;
99593+ unsigned long threadstack_offset;
99594 };
99595
99596-extern unsigned long unmapped_area(struct vm_unmapped_area_info *info);
99597-extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
99598+extern unsigned long unmapped_area(const struct vm_unmapped_area_info *info);
99599+extern unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info);
99600
99601 /*
99602 * Search for an unmapped address range.
99603@@ -1927,7 +1944,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
99604 * - satisfies (begin_addr & align_mask) == (align_offset & align_mask)
99605 */
99606 static inline unsigned long
99607-vm_unmapped_area(struct vm_unmapped_area_info *info)
99608+vm_unmapped_area(const struct vm_unmapped_area_info *info)
99609 {
99610 if (info->flags & VM_UNMAPPED_AREA_TOPDOWN)
99611 return unmapped_area_topdown(info);
99612@@ -1989,6 +2006,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
99613 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
99614 struct vm_area_struct **pprev);
99615
99616+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
99617+extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
99618+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
99619+
99620 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
99621 NULL if none. Assume start_addr < end_addr. */
99622 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
99623@@ -2018,10 +2039,10 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
99624 }
99625
99626 #ifdef CONFIG_MMU
99627-pgprot_t vm_get_page_prot(unsigned long vm_flags);
99628+pgprot_t vm_get_page_prot(vm_flags_t vm_flags);
99629 void vma_set_page_prot(struct vm_area_struct *vma);
99630 #else
99631-static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
99632+static inline pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
99633 {
99634 return __pgprot(0);
99635 }
99636@@ -2083,6 +2104,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
99637 static inline void vm_stat_account(struct mm_struct *mm,
99638 unsigned long flags, struct file *file, long pages)
99639 {
99640+
99641+#ifdef CONFIG_PAX_RANDMMAP
99642+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
99643+#endif
99644+
99645 mm->total_vm += pages;
99646 }
99647 #endif /* CONFIG_PROC_FS */
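Review bot: The added `if` in vm_stat_account() has no braces and sits inside `#ifdef CONFIG_PAX_RANDMMAP`, so it silently governs whichever statement follows the `#endif`. A statement later inserted before `mm->total_vm += pages;` would become the conditional one, and the accounting would turn unconditional. Making the guarded statement explicit in both configurations avoids that, for example by setting a local flag inside the #ifdef and writing `if (account) mm->total_vm += pages;`. A short comment on why mappings with none of VM_MAYREAD/VM_MAYWRITE/VM_MAYEXEC are left out of total_vm when MF_PAX_RANDMMAP is set would also help, since the reason is not visible in this hunk.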
99648@@ -2186,7 +2212,7 @@ extern int get_hwpoison_page(struct page *page);
99649 extern int sysctl_memory_failure_early_kill;
99650 extern int sysctl_memory_failure_recovery;
99651 extern void shake_page(struct page *p, int access);
99652-extern atomic_long_t num_poisoned_pages;
99653+extern atomic_long_unchecked_t num_poisoned_pages;
99654 extern int soft_offline_page(struct page *page, int flags);
99655
99656
99657@@ -2271,5 +2297,11 @@ void __init setup_nr_node_ids(void);
99658 static inline void setup_nr_node_ids(void) {}
99659 #endif
99660
99661+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
99662+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
99663+#else
99664+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
99665+#endif
99666+
99667 #endif /* __KERNEL__ */
99668 #endif /* _LINUX_MM_H */
99669diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
99670index 1554957..0973bc5 100644
99671--- a/include/linux/mm_types.h
99672+++ b/include/linux/mm_types.h
99673@@ -322,7 +322,9 @@ struct vm_area_struct {
99674 #ifdef CONFIG_NUMA
99675 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
99676 #endif
99677-};
99678+
99679+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
99680+} __randomize_layout;
99681
99682 struct core_thread {
99683 struct task_struct *task;
99684@@ -475,7 +477,25 @@ struct mm_struct {
99685 /* address of the bounds directory */
99686 void __user *bd_addr;
99687 #endif
99688-};
99689+
99690+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
99691+ unsigned long pax_flags;
99692+#endif
99693+
99694+#ifdef CONFIG_PAX_DLRESOLVE
99695+ unsigned long call_dl_resolve;
99696+#endif
99697+
99698+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
99699+ unsigned long call_syscall;
99700+#endif
99701+
99702+#ifdef CONFIG_PAX_ASLR
99703+ unsigned long delta_mmap; /* randomized offset */
99704+ unsigned long delta_stack; /* randomized offset */
99705+#endif
99706+
99707+} __randomize_layout;
99708
99709 static inline void mm_init_cpumask(struct mm_struct *mm)
99710 {
99711diff --git a/include/linux/mmiotrace.h b/include/linux/mmiotrace.h
99712index 3ba327a..85cd5ce 100644
99713--- a/include/linux/mmiotrace.h
99714+++ b/include/linux/mmiotrace.h
99715@@ -46,7 +46,7 @@ extern int kmmio_handler(struct pt_regs *regs, unsigned long addr);
99716 /* Called from ioremap.c */
99717 extern void mmiotrace_ioremap(resource_size_t offset, unsigned long size,
99718 void __iomem *addr);
99719-extern void mmiotrace_iounmap(volatile void __iomem *addr);
99720+extern void mmiotrace_iounmap(const volatile void __iomem *addr);
99721
99722 /* For anyone to insert markers. Remember trailing newline. */
99723 extern __printf(1, 2) int mmiotrace_printk(const char *fmt, ...);
99724@@ -66,7 +66,7 @@ static inline void mmiotrace_ioremap(resource_size_t offset,
99725 {
99726 }
99727
99728-static inline void mmiotrace_iounmap(volatile void __iomem *addr)
99729+static inline void mmiotrace_iounmap(const volatile void __iomem *addr)
99730 {
99731 }
99732
99733diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
99734index 754c259..7b65ac6 100644
99735--- a/include/linux/mmzone.h
99736+++ b/include/linux/mmzone.h
99737@@ -526,7 +526,7 @@ struct zone {
99738
99739 ZONE_PADDING(_pad3_)
99740 /* Zone statistics */
99741- atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
99742+ atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
99743 } ____cacheline_internodealigned_in_smp;
99744
99745 enum zone_flags {
99746diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
99747index 34f25b7..0586069 100644
99748--- a/include/linux/mod_devicetable.h
99749+++ b/include/linux/mod_devicetable.h
99750@@ -139,7 +139,7 @@ struct usb_device_id {
99751 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
99752 #define USB_DEVICE_ID_MATCH_INT_NUMBER 0x0400
99753
99754-#define HID_ANY_ID (~0)
99755+#define HID_ANY_ID (~0U)
99756 #define HID_BUS_ANY 0xffff
99757 #define HID_GROUP_ANY 0x0000
99758
99759@@ -472,7 +472,7 @@ struct dmi_system_id {
99760 const char *ident;
99761 struct dmi_strmatch matches[4];
99762 void *driver_data;
99763-};
99764+} __do_const;
99765 /*
99766 * struct dmi_device_id appears during expansion of
99767 * "MODULE_DEVICE_TABLE(dmi, x)". Compiler doesn't look inside it
99768diff --git a/include/linux/module.h b/include/linux/module.h
99769index 3a19c79..dea8c47 100644
99770--- a/include/linux/module.h
99771+++ b/include/linux/module.h
99772@@ -19,9 +19,11 @@
99773 #include <linux/jump_label.h>
99774 #include <linux/export.h>
99775 #include <linux/rbtree_latch.h>
99776+#include <linux/fs.h>
99777
99778 #include <linux/percpu.h>
99779 #include <asm/module.h>
99780+#include <asm/pgtable.h>
99781
99782 /* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
99783 #define MODULE_SIG_STRING "~Module signature appended~\n"
99784@@ -44,7 +46,7 @@ struct module_kobject {
99785 struct kobject *drivers_dir;
99786 struct module_param_attrs *mp;
99787 struct completion *kobj_completion;
99788-};
99789+} __randomize_layout;
99790
99791 struct module_attribute {
99792 struct attribute attr;
99793@@ -56,12 +58,13 @@ struct module_attribute {
99794 int (*test)(struct module *);
99795 void (*free)(struct module *);
99796 };
99797+typedef struct module_attribute __no_const module_attribute_no_const;
99798
99799 struct module_version_attribute {
99800 struct module_attribute mattr;
99801 const char *module_name;
99802 const char *version;
99803-} __attribute__ ((__aligned__(sizeof(void *))));
99804+} __do_const __attribute__ ((__aligned__(sizeof(void *))));
99805
99806 extern ssize_t __modver_version_show(struct module_attribute *,
99807 struct module_kobject *, char *);
99808@@ -313,7 +316,7 @@ struct module {
99809
99810 /* Sysfs stuff. */
99811 struct module_kobject mkobj;
99812- struct module_attribute *modinfo_attrs;
99813+ module_attribute_no_const *modinfo_attrs;
99814 const char *version;
99815 const char *srcversion;
99816 struct kobject *holders_dir;
99817@@ -370,20 +373,21 @@ struct module {
99818 * If this is non-NULL, vfree() after init() returns.
99819 *
99820 * Cacheline align here, such that:
99821- * module_init, module_core, init_size, core_size,
99822+ * module_init_*, module_core_*, init_size_*, core_size_*,
99823 * init_text_size, core_text_size and mtn_core::{mod,node[0]}
99824 * are on the same cacheline.
99825 */
99826- void *module_init ____cacheline_aligned;
99827+ void *module_init_rw ____cacheline_aligned;
99828+ void *module_init_rx;
99829
99830 /* Here is the actual code + data, vfree'd on unload. */
99831- void *module_core;
99832+ void *module_core_rx, *module_core_rw;
99833
99834 /* Here are the sizes of the init and core sections */
99835- unsigned int init_size, core_size;
99836+ unsigned int init_size_rw, core_size_rw;
99837
99838 /* The size of the executable code in each section. */
99839- unsigned int init_text_size, core_text_size;
99840+ unsigned int init_size_rx, core_size_rx;
99841
99842 #ifdef CONFIG_MODULES_TREE_LOOKUP
99843 /*
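Review bot: The cacheline comment still names `init_text_size, core_text_size` on its unchanged second line, although this hunk renames those fields to `init_size_rx` and `core_size_rx`; that line should be updated or folded into the `init_size_*, core_size_*` wording added above it. The two size comments are also stale: `/* Here are the sizes of the init and core sections */` now sits above the `_rw` sizes only, and `/* The size of the executable code in each section. */` above the `_rx` sizes. Going by the suffixes these are presumably the read-write and read-execute regions, and the comments should say so, e.g. `/* Sizes of the rw init and core regions */`. struct module starts and ends outside the hunk.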
99844@@ -391,13 +395,12 @@ struct module {
99845 * above entries such that a regular lookup will only touch one
99846 * cacheline.
99847 */
99848- struct mod_tree_node mtn_core;
99849- struct mod_tree_node mtn_init;
99850+ struct mod_tree_node mtn_core_rw;
99851+ struct mod_tree_node mtn_core_rx;
99852+ struct mod_tree_node mtn_init_rw;
99853+ struct mod_tree_node mtn_init_rx;
99854 #endif
99855
99856- /* Size of RO sections of the module (text+rodata) */
99857- unsigned int init_ro_size, core_ro_size;
99858-
99859 /* Arch-specific module values */
99860 struct mod_arch_specific arch;
99861
99862@@ -454,6 +457,10 @@ struct module {
99863 unsigned int num_trace_events;
99864 struct trace_enum_map **trace_enums;
99865 unsigned int num_trace_enums;
99866+ struct file_operations trace_id;
99867+ struct file_operations trace_enable;
99868+ struct file_operations trace_format;
99869+ struct file_operations trace_filter;
99870 #endif
99871 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
99872 unsigned int num_ftrace_callsites;
99873@@ -481,7 +488,8 @@ struct module {
99874 ctor_fn_t *ctors;
99875 unsigned int num_ctors;
99876 #endif
99877-} ____cacheline_aligned;
99878+} ____cacheline_aligned __randomize_layout;
99879+
99880 #ifndef MODULE_ARCH_INIT
99881 #define MODULE_ARCH_INIT {}
99882 #endif
99883@@ -502,18 +510,48 @@ bool is_module_address(unsigned long addr);
99884 bool is_module_percpu_address(unsigned long addr);
99885 bool is_module_text_address(unsigned long addr);
99886
99887+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
99888+{
99889+
99890+#ifdef CONFIG_PAX_KERNEXEC
99891+ if (ktla_ktva(addr) >= (unsigned long)start &&
99892+ ktla_ktva(addr) < (unsigned long)start + size)
99893+ return 1;
99894+#endif
99895+
99896+ return ((void *)addr >= start && (void *)addr < start + size);
99897+}
99898+
99899+static inline int within_module_core_rx(unsigned long addr, const struct module *mod)
99900+{
99901+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
99902+}
99903+
99904+static inline int within_module_core_rw(unsigned long addr, const struct module *mod)
99905+{
99906+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
99907+}
99908+
99909+static inline int within_module_init_rx(unsigned long addr, const struct module *mod)
99910+{
99911+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
99912+}
99913+
99914+static inline int within_module_init_rw(unsigned long addr, const struct module *mod)
99915+{
99916+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
99917+}
99918+
99919 static inline bool within_module_core(unsigned long addr,
99920 const struct module *mod)
99921 {
99922- return (unsigned long)mod->module_core <= addr &&
99923- addr < (unsigned long)mod->module_core + mod->core_size;
99924+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
99925 }
99926
99927 static inline bool within_module_init(unsigned long addr,
99928 const struct module *mod)
99929 {
99930- return (unsigned long)mod->module_init <= addr &&
99931- addr < (unsigned long)mod->module_init + mod->init_size;
99932+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
99933 }
99934
99935 static inline bool within_module(unsigned long addr, const struct module *mod)
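Review bot: within_module_range() ends with `(void *)addr < start + size`, which is arithmetic on a `void *` (a GNU C extension), while the CONFIG_PAX_KERNEXEC branch just above does the same test in `unsigned long`. Writing the fallback as `return addr >= (unsigned long)start && addr < (unsigned long)start + size;` keeps both branches in one style. The helper and the four `within_module_*_rx`/`_rw` wrappers return `int` while within_module_core() and within_module_init() return `bool`; using `bool` throughout and taking `const void *start` would match the existing API. A comment on why both the raw address and `ktla_ktva(addr)` are accepted under KERNEXEC would help, since ktla_ktva() is defined outside this hunk.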
99936diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h
99937index 4d0cb9b..3169ac7 100644
99938--- a/include/linux/moduleloader.h
99939+++ b/include/linux/moduleloader.h
99940@@ -25,9 +25,21 @@ unsigned int arch_mod_section_prepend(struct module *mod, unsigned int section);
99941 sections. Returns NULL on failure. */
99942 void *module_alloc(unsigned long size);
99943
99944+#ifdef CONFIG_PAX_KERNEXEC
99945+void *module_alloc_exec(unsigned long size);
99946+#else
99947+#define module_alloc_exec(x) module_alloc(x)
99948+#endif
99949+
99950 /* Free memory returned from module_alloc. */
99951 void module_memfree(void *module_region);
99952
99953+#ifdef CONFIG_PAX_KERNEXEC
99954+void module_memfree_exec(void *module_region);
99955+#else
99956+#define module_memfree_exec(x) module_memfree((x))
99957+#endif
99958+
99959 /*
99960 * Apply the given relocation to the (simplified) ELF. Return -error
99961 * or 0.
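Review bot: The two fallback macros are written inconsistently: `module_alloc_exec(x)` expands to `module_alloc(x)` but `module_memfree_exec(x)` expands to `module_memfree((x))`. As macros they also lose the argument type check that the CONFIG_PAX_KERNEXEC prototypes provide. `static inline void *module_alloc_exec(unsigned long size) { return module_alloc(size); }` and a matching inline for module_memfree_exec() would behave the same in both configurations. The header also leaves the pairing implicit; if memory from module_alloc_exec() must only be released with module_memfree_exec(), a comment such as `/* Free memory returned from module_alloc_exec. */` above the second block would state it.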
99962@@ -45,8 +57,10 @@ static inline int apply_relocate(Elf_Shdr *sechdrs,
99963 unsigned int relsec,
99964 struct module *me)
99965 {
99966+#ifdef CONFIG_MODULES
99967 printk(KERN_ERR "module %s: REL relocation unsupported\n",
99968 module_name(me));
99969+#endif
99970 return -ENOEXEC;
99971 }
99972 #endif
99973@@ -68,8 +82,10 @@ static inline int apply_relocate_add(Elf_Shdr *sechdrs,
99974 unsigned int relsec,
99975 struct module *me)
99976 {
99977+#ifdef CONFIG_MODULES
99978 printk(KERN_ERR "module %s: REL relocation unsupported\n",
99979 module_name(me));
99980+#endif
99981 return -ENOEXEC;
99982 }
99983 #endif
99984diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
99985index c12f214..3ef907f 100644
99986--- a/include/linux/moduleparam.h
99987+++ b/include/linux/moduleparam.h
99988@@ -289,7 +289,7 @@ static inline void kernel_param_unlock(struct module *mod)
99989 * @len is usually just sizeof(string).
99990 */
99991 #define module_param_string(name, string, len, perm) \
99992- static const struct kparam_string __param_string_##name \
99993+ static const struct kparam_string __param_string_##name __used \
99994 = { len, string }; \
99995 __module_param_call(MODULE_PARAM_PREFIX, name, \
99996 &param_ops_string, \
99997@@ -440,7 +440,7 @@ extern int param_set_bint(const char *val, const struct kernel_param *kp);
99998 */
99999 #define module_param_array_named(name, array, type, nump, perm) \
100000 param_check_##type(name, &(array)[0]); \
100001- static const struct kparam_array __param_arr_##name \
100002+ static const struct kparam_array __param_arr_##name __used \
100003 = { .max = ARRAY_SIZE(array), .num = nump, \
100004 .ops = &param_ops_##type, \
100005 .elemsize = sizeof(array[0]), .elem = array }; \
100006diff --git a/include/linux/mount.h b/include/linux/mount.h
100007index f822c3c..958ca0a 100644
100008--- a/include/linux/mount.h
100009+++ b/include/linux/mount.h
100010@@ -67,7 +67,7 @@ struct vfsmount {
100011 struct dentry *mnt_root; /* root of the mounted tree */
100012 struct super_block *mnt_sb; /* pointer to superblock */
100013 int mnt_flags;
100014-};
100015+} __randomize_layout;
100016
100017 struct file; /* forward dec */
100018 struct path;
100019diff --git a/include/linux/net.h b/include/linux/net.h
100020index 04aa068..8a24df5 100644
100021--- a/include/linux/net.h
100022+++ b/include/linux/net.h
100023@@ -189,7 +189,7 @@ struct net_proto_family {
100024 int (*create)(struct net *net, struct socket *sock,
100025 int protocol, int kern);
100026 struct module *owner;
100027-};
100028+} __do_const;
100029
100030 struct iovec;
100031 struct kvec;
100032diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
100033index e20979d..3c7827b 100644
100034--- a/include/linux/netdevice.h
100035+++ b/include/linux/netdevice.h
100036@@ -1212,6 +1212,7 @@ struct net_device_ops {
100037 u32 maxrate);
100038 int (*ndo_get_iflink)(const struct net_device *dev);
100039 };
100040+typedef struct net_device_ops __no_const net_device_ops_no_const;
100041
100042 /**
100043 * enum net_device_priv_flags - &struct net_device priv_flags
100044@@ -1519,7 +1520,7 @@ struct net_device {
100045 unsigned long base_addr;
100046 int irq;
100047
100048- atomic_t carrier_changes;
100049+ atomic_unchecked_t carrier_changes;
100050
100051 /*
100052 * Some hardware also needs these fields (state,dev_list,
100053@@ -1558,8 +1559,8 @@ struct net_device {
100054
100055 struct net_device_stats stats;
100056
100057- atomic_long_t rx_dropped;
100058- atomic_long_t tx_dropped;
100059+ atomic_long_unchecked_t rx_dropped;
100060+ atomic_long_unchecked_t tx_dropped;
100061
100062 #ifdef CONFIG_WIRELESS_EXT
100063 const struct iw_handler_def * wireless_handlers;
100064diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
100065index 00050df..0bc7081 100644
100066--- a/include/linux/netfilter.h
100067+++ b/include/linux/netfilter.h
100068@@ -115,7 +115,7 @@ struct nf_sockopt_ops {
100069 #endif
100070 /* Use the module struct to lock set/get code in place */
100071 struct module *owner;
100072-};
100073+} __do_const;
100074
100075 /* Function to register/unregister hook points. */
100076 int nf_register_hook(struct nf_hook_ops *reg);
100077diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
100078index e955d47..04a5338 100644
100079--- a/include/linux/netfilter/nfnetlink.h
100080+++ b/include/linux/netfilter/nfnetlink.h
100081@@ -19,7 +19,7 @@ struct nfnl_callback {
100082 const struct nlattr * const cda[]);
100083 const struct nla_policy *policy; /* netlink attribute policy */
100084 const u_int16_t attr_count; /* number of nlattr's */
100085-};
100086+} __do_const;
100087
100088 struct nfnetlink_subsystem {
100089 const char *name;
100090diff --git a/include/linux/netfilter/xt_gradm.h b/include/linux/netfilter/xt_gradm.h
100091new file mode 100644
100092index 0000000..33f4af8
100093--- /dev/null
100094+++ b/include/linux/netfilter/xt_gradm.h
100095@@ -0,0 +1,9 @@
100096+#ifndef _LINUX_NETFILTER_XT_GRADM_H
100097+#define _LINUX_NETFILTER_XT_GRADM_H 1
100098+
100099+struct xt_gradm_mtinfo {
100100+ __u16 flags;
100101+ __u16 invflags;
100102+};
100103+
100104+#endif
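Review bot: xt_gradm.h uses `__u16` but includes nothing, so it compiles only when the including file has already pulled in the type. Adding `#include <linux/types.h>` after the include guard makes the header self-contained. The two fields also carry no comment; a line each saying which bits `flags` and `invflags` hold would be useful, as the match code that interprets them is not part of this file.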
100105diff --git a/include/linux/nls.h b/include/linux/nls.h
100106index 520681b..2b7fabb 100644
100107--- a/include/linux/nls.h
100108+++ b/include/linux/nls.h
100109@@ -31,7 +31,7 @@ struct nls_table {
100110 const unsigned char *charset2upper;
100111 struct module *owner;
100112 struct nls_table *next;
100113-};
100114+} __do_const;
100115
100116 /* this value hold the maximum octet of charset */
100117 #define NLS_MAX_CHARSET_SIZE 6 /* for UTF-8 */
100118@@ -46,7 +46,7 @@ enum utf16_endian {
100119 /* nls_base.c */
100120 extern int __register_nls(struct nls_table *, struct module *);
100121 extern int unregister_nls(struct nls_table *);
100122-extern struct nls_table *load_nls(char *);
100123+extern struct nls_table *load_nls(const char *);
100124 extern void unload_nls(struct nls_table *);
100125 extern struct nls_table *load_nls_default(void);
100126 #define register_nls(nls) __register_nls((nls), THIS_MODULE)
100127diff --git a/include/linux/notifier.h b/include/linux/notifier.h
100128index d14a4c3..a078786 100644
100129--- a/include/linux/notifier.h
100130+++ b/include/linux/notifier.h
100131@@ -54,7 +54,8 @@ struct notifier_block {
100132 notifier_fn_t notifier_call;
100133 struct notifier_block __rcu *next;
100134 int priority;
100135-};
100136+} __do_const;
100137+typedef struct notifier_block __no_const notifier_block_no_const;
100138
100139 struct atomic_notifier_head {
100140 spinlock_t lock;
100141diff --git a/include/linux/oprofile.h b/include/linux/oprofile.h
100142index b2a0f15..4d7da32 100644
100143--- a/include/linux/oprofile.h
100144+++ b/include/linux/oprofile.h
100145@@ -138,9 +138,9 @@ int oprofilefs_create_ulong(struct dentry * root,
100146 int oprofilefs_create_ro_ulong(struct dentry * root,
100147 char const * name, ulong * val);
100148
100149-/** Create a file for read-only access to an atomic_t. */
100150+/** Create a file for read-only access to an atomic_unchecked_t. */
100151 int oprofilefs_create_ro_atomic(struct dentry * root,
100152- char const * name, atomic_t * val);
100153+ char const * name, atomic_unchecked_t * val);
100154
100155 /** create a directory */
100156 struct dentry *oprofilefs_mkdir(struct dentry *parent, char const *name);
100157diff --git a/include/linux/padata.h b/include/linux/padata.h
100158index 4386946..f50c615 100644
100159--- a/include/linux/padata.h
100160+++ b/include/linux/padata.h
100161@@ -129,7 +129,7 @@ struct parallel_data {
100162 struct padata_serial_queue __percpu *squeue;
100163 atomic_t reorder_objects;
100164 atomic_t refcnt;
100165- atomic_t seq_nr;
100166+ atomic_unchecked_t seq_nr;
100167 struct padata_cpumask cpumask;
100168 spinlock_t lock ____cacheline_aligned;
100169 unsigned int processed;
100170diff --git a/include/linux/path.h b/include/linux/path.h
100171index d137218..be0c176 100644
100172--- a/include/linux/path.h
100173+++ b/include/linux/path.h
100174@@ -1,13 +1,15 @@
100175 #ifndef _LINUX_PATH_H
100176 #define _LINUX_PATH_H
100177
100178+#include <linux/compiler.h>
100179+
100180 struct dentry;
100181 struct vfsmount;
100182
100183 struct path {
100184 struct vfsmount *mnt;
100185 struct dentry *dentry;
100186-};
100187+} __randomize_layout;
100188
100189 extern void path_get(const struct path *);
100190 extern void path_put(const struct path *);
100191diff --git a/include/linux/pci_hotplug.h b/include/linux/pci_hotplug.h
100192index 8c78950..0d74ed9 100644
100193--- a/include/linux/pci_hotplug.h
100194+++ b/include/linux/pci_hotplug.h
100195@@ -71,7 +71,8 @@ struct hotplug_slot_ops {
100196 int (*get_latch_status) (struct hotplug_slot *slot, u8 *value);
100197 int (*get_adapter_status) (struct hotplug_slot *slot, u8 *value);
100198 int (*reset_slot) (struct hotplug_slot *slot, int probe);
100199-};
100200+} __do_const;
100201+typedef struct hotplug_slot_ops __no_const hotplug_slot_ops_no_const;
100202
100203 /**
100204 * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
100205diff --git a/include/linux/percpu.h b/include/linux/percpu.h
100206index caebf2a..4c3ae9d 100644
100207--- a/include/linux/percpu.h
100208+++ b/include/linux/percpu.h
100209@@ -34,7 +34,7 @@
100210 * preallocate for this. Keep PERCPU_DYNAMIC_RESERVE equal to or
100211 * larger than PERCPU_DYNAMIC_EARLY_SIZE.
100212 */
100213-#define PERCPU_DYNAMIC_EARLY_SLOTS 128
100214+#define PERCPU_DYNAMIC_EARLY_SLOTS 256
100215 #define PERCPU_DYNAMIC_EARLY_SIZE (12 << 10)
100216
100217 /*
100218diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
100219index 2027809..c9cd38e 100644
100220--- a/include/linux/perf_event.h
100221+++ b/include/linux/perf_event.h
100222@@ -384,8 +384,8 @@ struct perf_event {
100223
100224 enum perf_event_active_state state;
100225 unsigned int attach_state;
100226- local64_t count;
100227- atomic64_t child_count;
100228+ local64_t count; /* PaX: fix it one day */
100229+ atomic64_unchecked_t child_count;
100230
100231 /*
100232 * These are the total time in nanoseconds that the event
100233@@ -436,8 +436,8 @@ struct perf_event {
100234 * These accumulate total time (in nanoseconds) that children
100235 * events have been enabled and running, respectively.
100236 */
100237- atomic64_t child_total_time_enabled;
100238- atomic64_t child_total_time_running;
100239+ atomic64_unchecked_t child_total_time_enabled;
100240+ atomic64_unchecked_t child_total_time_running;
100241
100242 /*
100243 * Protect attach/detach and child_list:
100244@@ -859,7 +859,7 @@ static inline void perf_event_task_sched_out(struct task_struct *prev,
100245
100246 static inline u64 __perf_event_count(struct perf_event *event)
100247 {
100248- return local64_read(&event->count) + atomic64_read(&event->child_count);
100249+ return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
100250 }
100251
100252 extern void perf_event_mmap(struct vm_area_struct *vma);
100253@@ -883,7 +883,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64
100254 entry->ip[entry->nr++] = ip;
100255 }
100256
100257-extern int sysctl_perf_event_paranoid;
100258+extern int sysctl_perf_event_legitimately_concerned;
100259 extern int sysctl_perf_event_mlock;
100260 extern int sysctl_perf_event_sample_rate;
100261 extern int sysctl_perf_cpu_time_max_percent;
100262@@ -898,19 +898,24 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
100263 loff_t *ppos);
100264
100265
100266+static inline bool perf_paranoid_any(void)
100267+{
100268+ return sysctl_perf_event_legitimately_concerned > 2;
100269+}
100270+
100271 static inline bool perf_paranoid_tracepoint_raw(void)
100272 {
100273- return sysctl_perf_event_paranoid > -1;
100274+ return sysctl_perf_event_legitimately_concerned > -1;
100275 }
100276
100277 static inline bool perf_paranoid_cpu(void)
100278 {
100279- return sysctl_perf_event_paranoid > 0;
100280+ return sysctl_perf_event_legitimately_concerned > 0;
100281 }
100282
100283 static inline bool perf_paranoid_kernel(void)
100284 {
100285- return sysctl_perf_event_paranoid > 1;
100286+ return sysctl_perf_event_legitimately_concerned > 1;
100287 }
100288
100289 extern void perf_event_init(void);
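Review bot: perf_paranoid_any() adds a new threshold (`> 2`) with no comment saying what a sysctl value of 3 restricts, and its callers are outside this hunk. A short block comment above the four helpers would keep the levels discoverable, listing the thresholds they test (`> -1`, `> 0`, `> 1`, `> 2`) and what each one refuses. The variable is also renamed to `sysctl_perf_event_legitimately_concerned`, so it is worth confirming that the user-visible sysctl name and its documentation still match what administrators expect; neither is visible here.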
100290@@ -1066,7 +1071,7 @@ struct perf_pmu_events_attr {
100291 struct device_attribute attr;
100292 u64 id;
100293 const char *event_str;
100294-};
100295+} __do_const;
100296
100297 ssize_t perf_event_sysfs_show(struct device *dev, struct device_attribute *attr,
100298 char *page);
100299diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
100300index 918b117..7af374b7 100644
100301--- a/include/linux/pid_namespace.h
100302+++ b/include/linux/pid_namespace.h
100303@@ -45,7 +45,7 @@ struct pid_namespace {
100304 int hide_pid;
100305 int reboot; /* group exit code if this pidns was rebooted */
100306 struct ns_common ns;
100307-};
100308+} __randomize_layout;
100309
100310 extern struct pid_namespace init_pid_ns;
100311
100312diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
100313index eb8b8ac..62649e1 100644
100314--- a/include/linux/pipe_fs_i.h
100315+++ b/include/linux/pipe_fs_i.h
100316@@ -47,10 +47,10 @@ struct pipe_inode_info {
100317 struct mutex mutex;
100318 wait_queue_head_t wait;
100319 unsigned int nrbufs, curbuf, buffers;
100320- unsigned int readers;
100321- unsigned int writers;
100322- unsigned int files;
100323- unsigned int waiting_writers;
100324+ atomic_t readers;
100325+ atomic_t writers;
100326+ atomic_t files;
100327+ atomic_t waiting_writers;
100328 unsigned int r_counter;
100329 unsigned int w_counter;
100330 struct page *tmp_page;
100331diff --git a/include/linux/pm.h b/include/linux/pm.h
100332index 35d599e..c604209 100644
100333--- a/include/linux/pm.h
100334+++ b/include/linux/pm.h
100335@@ -630,6 +630,7 @@ struct dev_pm_domain {
100336 void (*sync)(struct device *dev);
100337 void (*dismiss)(struct device *dev);
100338 };
100339+typedef struct dev_pm_domain __no_const dev_pm_domain_no_const;
100340
100341 /*
100342 * The PM_EVENT_ messages are also used by drivers implementing the legacy
100343diff --git a/include/linux/pm_domain.h b/include/linux/pm_domain.h
100344index 681ccb0..a90e0b7 100644
100345--- a/include/linux/pm_domain.h
100346+++ b/include/linux/pm_domain.h
100347@@ -39,11 +39,11 @@ struct gpd_dev_ops {
100348 int (*save_state)(struct device *dev);
100349 int (*restore_state)(struct device *dev);
100350 bool (*active_wakeup)(struct device *dev);
100351-};
100352+} __no_const;
100353
100354 struct gpd_cpuidle_data {
100355 unsigned int saved_exit_latency;
100356- struct cpuidle_state *idle_state;
100357+ cpuidle_state_no_const *idle_state;
100358 };
100359
100360 struct generic_pm_domain {
100361diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h
100362index 30e84d4..22278b4 100644
100363--- a/include/linux/pm_runtime.h
100364+++ b/include/linux/pm_runtime.h
100365@@ -115,7 +115,7 @@ static inline bool pm_runtime_callbacks_present(struct device *dev)
100366
100367 static inline void pm_runtime_mark_last_busy(struct device *dev)
100368 {
100369- ACCESS_ONCE(dev->power.last_busy) = jiffies;
100370+ ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
100371 }
100372
100373 static inline bool pm_runtime_is_irq_safe(struct device *dev)
100374diff --git a/include/linux/pnp.h b/include/linux/pnp.h
100375index 5df733b..d55f252 100644
100376--- a/include/linux/pnp.h
100377+++ b/include/linux/pnp.h
100378@@ -298,7 +298,7 @@ static inline void pnp_set_drvdata(struct pnp_dev *pdev, void *data)
100379 struct pnp_fixup {
100380 char id[7];
100381 void (*quirk_function) (struct pnp_dev * dev); /* fixup function */
100382-};
100383+} __do_const;
100384
100385 /* config parameters */
100386 #define PNP_CONFIG_NORMAL 0x0001
100387diff --git a/include/linux/poison.h b/include/linux/poison.h
100388index 2110a81..13a11bb 100644
100389--- a/include/linux/poison.h
100390+++ b/include/linux/poison.h
100391@@ -19,8 +19,8 @@
100392 * under normal circumstances, used to verify that nobody uses
100393 * non-initialized list entries.
100394 */
100395-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
100396-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
100397+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
100398+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
100399
100400 /********** include/linux/timer.h **********/
100401 /*
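Review bot: `(long)0xFFFFFF01` does not sign-extend on an LP64 build, because the literal has type `unsigned int` and converts to a positive `long`. LIST_POISON1 and LIST_POISON2 therefore become 0x00000000FFFFFF01 and 0x00000000FFFFFF02 there, in the lower half of the address space, and the new definitions also drop `POISON_POINTER_DELTA`. If the intent is that dereferencing a poisoned list pointer always faults, that now appears to depend on something outside this hunk, namely kernel accesses to user mappings being trapped. The assumption should be written next to the definitions, e.g. `/* top of the 32-bit range; on 64-bit this relies on kernel access to userland faulting */`.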
100402diff --git a/include/linux/power/smartreflex.h b/include/linux/power/smartreflex.h
100403index d8b187c3..9a9257a 100644
100404--- a/include/linux/power/smartreflex.h
100405+++ b/include/linux/power/smartreflex.h
100406@@ -238,7 +238,7 @@ struct omap_sr_class_data {
100407 int (*notify)(struct omap_sr *sr, u32 status);
100408 u8 notify_flags;
100409 u8 class_type;
100410-};
100411+} __do_const;
100412
100413 /**
100414 * struct omap_sr_nvalue_table - Smartreflex n-target value info
100415diff --git a/include/linux/ppp-comp.h b/include/linux/ppp-comp.h
100416index 4ea1d37..80f4b33 100644
100417--- a/include/linux/ppp-comp.h
100418+++ b/include/linux/ppp-comp.h
100419@@ -84,7 +84,7 @@ struct compressor {
100420 struct module *owner;
100421 /* Extra skb space needed by the compressor algorithm */
100422 unsigned int comp_extra;
100423-};
100424+} __do_const;
100425
100426 /*
100427 * The return value from decompress routine is the length of the
100428diff --git a/include/linux/preempt.h b/include/linux/preempt.h
100429index 84991f1..6f23603 100644
100430--- a/include/linux/preempt.h
100431+++ b/include/linux/preempt.h
100432@@ -131,11 +131,16 @@ extern void preempt_count_sub(int val);
100433 #define preempt_count_dec_and_test() __preempt_count_dec_and_test()
100434 #endif
100435
100436+#define raw_preempt_count_add(val) __preempt_count_add(val)
100437+#define raw_preempt_count_sub(val) __preempt_count_sub(val)
100438+
100439 #define __preempt_count_inc() __preempt_count_add(1)
100440 #define __preempt_count_dec() __preempt_count_sub(1)
100441
100442 #define preempt_count_inc() preempt_count_add(1)
100443+#define raw_preempt_count_inc() raw_preempt_count_add(1)
100444 #define preempt_count_dec() preempt_count_sub(1)
100445+#define raw_preempt_count_dec() raw_preempt_count_sub(1)
100446
100447 #define preempt_active_enter() \
100448 do { \
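Review bot: The new `raw_preempt_count_add()`/`raw_preempt_count_sub()` macros expand straight to `__preempt_count_add()`/`__preempt_count_sub()` and carry no comment saying how they differ from `preempt_count_add()`/`preempt_count_sub()`. Those appear as `extern` functions in the surrounding context, so the raw forms presumably skip whatever checking or tracing the out-of-line versions do. A short comment such as `/* raw_*: adjust the count directly, bypassing the out-of-line preempt_count_add/sub hooks */` would say when each is appropriate. The same applies to `raw_preempt_disable()` and `raw_preempt_enable_no_resched()` added in the following hunks, including their `barrier()`-only definitions in the non-preempt-count branch.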
100449@@ -157,6 +162,12 @@ do { \
100450 barrier(); \
100451 } while (0)
100452
100453+#define raw_preempt_disable() \
100454+do { \
100455+ raw_preempt_count_inc(); \
100456+ barrier(); \
100457+} while (0)
100458+
100459 #define sched_preempt_enable_no_resched() \
100460 do { \
100461 barrier(); \
100462@@ -165,6 +176,12 @@ do { \
100463
100464 #define preempt_enable_no_resched() sched_preempt_enable_no_resched()
100465
100466+#define raw_preempt_enable_no_resched() \
100467+do { \
100468+ barrier(); \
100469+ raw_preempt_count_dec(); \
100470+} while (0)
100471+
100472 #define preemptible() (preempt_count() == 0 && !irqs_disabled())
100473
100474 #ifdef CONFIG_PREEMPT
100475@@ -225,8 +242,10 @@ do { \
100476 * region.
100477 */
100478 #define preempt_disable() barrier()
100479+#define raw_preempt_disable() barrier()
100480 #define sched_preempt_enable_no_resched() barrier()
100481 #define preempt_enable_no_resched() barrier()
100482+#define raw_preempt_enable_no_resched() barrier()
100483 #define preempt_enable() barrier()
100484 #define preempt_check_resched() do { } while (0)
100485
100486@@ -241,11 +260,13 @@ do { \
100487 /*
100488 * Modules have no business playing preemption tricks.
100489 */
100490+#ifndef CONFIG_PAX_KERNEXEC
100491 #undef sched_preempt_enable_no_resched
100492 #undef preempt_enable_no_resched
100493 #undef preempt_enable_no_resched_notrace
100494 #undef preempt_check_resched
100495 #endif
100496+#endif
100497
100498 #define preempt_set_need_resched() \
100499 do { \
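Review bot: With `CONFIG_PAX_KERNEXEC` set, the `#undef` block is skipped and modules keep `preempt_enable_no_resched()` and friends, which contradicts the comment directly above ("Modules have no business playing preemption tricks"). The reason for the exception is not stated. A comment on the new guard should explain why module code needs these macros in that configuration, and the two adjacent closers should be labelled, e.g. `#endif /* !CONFIG_PAX_KERNEXEC */`. The conditional this block is nested in opens outside the hunk.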
100500diff --git a/include/linux/printk.h b/include/linux/printk.h
100501index a6298b2..57fe982 100644
100502--- a/include/linux/printk.h
100503+++ b/include/linux/printk.h
100504@@ -123,6 +123,7 @@ void early_printk(const char *s, ...) { }
100505 #endif
100506
100507 typedef __printf(1, 0) int (*printk_func_t)(const char *fmt, va_list args);
100508+extern int kptr_restrict;
100509
100510 #ifdef CONFIG_PRINTK
100511 asmlinkage __printf(5, 0)
100512@@ -158,7 +159,6 @@ extern bool printk_timed_ratelimit(unsigned long *caller_jiffies,
100513
100514 extern int printk_delay_msec;
100515 extern int dmesg_restrict;
100516-extern int kptr_restrict;
100517
100518 extern void wake_up_klogd(void);
100519
100520diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
100521index b97bf2e..f14c92d4 100644
100522--- a/include/linux/proc_fs.h
100523+++ b/include/linux/proc_fs.h
100524@@ -17,8 +17,11 @@ extern void proc_flush_task(struct task_struct *);
100525 extern struct proc_dir_entry *proc_symlink(const char *,
100526 struct proc_dir_entry *, const char *);
100527 extern struct proc_dir_entry *proc_mkdir(const char *, struct proc_dir_entry *);
100528+extern struct proc_dir_entry *proc_mkdir_restrict(const char *, struct proc_dir_entry *);
100529 extern struct proc_dir_entry *proc_mkdir_data(const char *, umode_t,
100530 struct proc_dir_entry *, void *);
100531+extern struct proc_dir_entry *proc_mkdir_data_restrict(const char *, umode_t,
100532+ struct proc_dir_entry *, void *);
100533 extern struct proc_dir_entry *proc_mkdir_mode(const char *, umode_t,
100534 struct proc_dir_entry *);
100535
100536@@ -34,6 +37,19 @@ static inline struct proc_dir_entry *proc_create(
100537 return proc_create_data(name, mode, parent, proc_fops, NULL);
100538 }
100539
100540+static inline struct proc_dir_entry *proc_create_grsec(const char *name, umode_t mode,
100541+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
100542+{
100543+#ifdef CONFIG_GRKERNSEC_PROC_USER
100544+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
100545+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
100546+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
100547+#else
100548+ return proc_create_data(name, mode, parent, proc_fops, NULL);
100549+#endif
100550+}
100551+
100552+
100553 extern void proc_set_size(struct proc_dir_entry *, loff_t);
100554 extern void proc_set_user(struct proc_dir_entry *, kuid_t, kgid_t);
100555 extern void *PDE_DATA(const struct inode *);
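Review bot: `proc_create_grsec()` discards its `mode` argument whenever `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, substituting `S_IRUSR` or `S_IRUSR | S_IRGRP`. An entry created through it can therefore never carry write or execute bits in those configurations, and nothing at the definition says so. A kernel-doc comment should state that the helper is meant for read-only entries and that `mode` is honoured only when neither option is enabled. The second of the two blank lines after the closing brace can be dropped.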
100556@@ -56,8 +72,12 @@ static inline struct proc_dir_entry *proc_symlink(const char *name,
100557 struct proc_dir_entry *parent,const char *dest) { return NULL;}
100558 static inline struct proc_dir_entry *proc_mkdir(const char *name,
100559 struct proc_dir_entry *parent) {return NULL;}
100560+static inline struct proc_dir_entry *proc_mkdir_restrict(const char *name,
100561+ struct proc_dir_entry *parent) { return NULL; }
100562 static inline struct proc_dir_entry *proc_mkdir_data(const char *name,
100563 umode_t mode, struct proc_dir_entry *parent, void *data) { return NULL; }
100564+static inline struct proc_dir_entry *proc_mkdir_data_restrict(const char *name,
100565+ umode_t mode, struct proc_dir_entry *parent, void *data) { return NULL; }
100566 static inline struct proc_dir_entry *proc_mkdir_mode(const char *name,
100567 umode_t mode, struct proc_dir_entry *parent) { return NULL; }
100568 #define proc_create(name, mode, parent, proc_fops) ({NULL;})
100569@@ -79,7 +99,7 @@ struct net;
100570 static inline struct proc_dir_entry *proc_net_mkdir(
100571 struct net *net, const char *name, struct proc_dir_entry *parent)
100572 {
100573- return proc_mkdir_data(name, 0, parent, net);
100574+ return proc_mkdir_data_restrict(name, 0, parent, net);
100575 }
100576
100577 #endif /* _LINUX_PROC_FS_H */
100578diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h
100579index 42dfc61..8113a99 100644
100580--- a/include/linux/proc_ns.h
100581+++ b/include/linux/proc_ns.h
100582@@ -16,7 +16,7 @@ struct proc_ns_operations {
100583 struct ns_common *(*get)(struct task_struct *task);
100584 void (*put)(struct ns_common *ns);
100585 int (*install)(struct nsproxy *nsproxy, struct ns_common *ns);
100586-};
100587+} __do_const __randomize_layout;
100588
100589 extern const struct proc_ns_operations netns_operations;
100590 extern const struct proc_ns_operations utsns_operations;
100591diff --git a/include/linux/quota.h b/include/linux/quota.h
100592index b2505ac..5f7ab55 100644
100593--- a/include/linux/quota.h
100594+++ b/include/linux/quota.h
100595@@ -76,7 +76,7 @@ struct kqid { /* Type in which we store the quota identifier */
100596
100597 extern bool qid_eq(struct kqid left, struct kqid right);
100598 extern bool qid_lt(struct kqid left, struct kqid right);
100599-extern qid_t from_kqid(struct user_namespace *to, struct kqid qid);
100600+extern qid_t from_kqid(struct user_namespace *to, struct kqid qid) __intentional_overflow(-1);
100601 extern qid_t from_kqid_munged(struct user_namespace *to, struct kqid qid);
100602 extern bool qid_valid(struct kqid qid);
100603
100604diff --git a/include/linux/random.h b/include/linux/random.h
100605index e651874..8ab1592 100644
100606--- a/include/linux/random.h
100607+++ b/include/linux/random.h
100608@@ -16,9 +16,19 @@ struct random_ready_callback {
100609 };
100610
100611 extern void add_device_randomness(const void *, unsigned int);
100612+
100613+static inline void add_latent_entropy(void)
100614+{
100615+
100616+#ifdef LATENT_ENTROPY_PLUGIN
100617+ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
100618+#endif
100619+
100620+}
100621+
100622 extern void add_input_randomness(unsigned int type, unsigned int code,
100623- unsigned int value);
100624-extern void add_interrupt_randomness(int irq, int irq_flags);
100625+ unsigned int value) __latent_entropy;
100626+extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
100627
100628 extern void get_random_bytes(void *buf, int nbytes);
100629 extern int add_random_ready_callback(struct random_ready_callback *rdy);
100630@@ -31,10 +41,10 @@ extern int random_int_secret_init(void);
100631 extern const struct file_operations random_fops, urandom_fops;
100632 #endif
100633
100634-unsigned int get_random_int(void);
100635+unsigned int __intentional_overflow(-1) get_random_int(void);
100636 unsigned long randomize_range(unsigned long start, unsigned long end, unsigned long len);
100637
100638-u32 prandom_u32(void);
100639+u32 prandom_u32(void) __intentional_overflow(-1);
100640 void prandom_bytes(void *buf, size_t nbytes);
100641 void prandom_seed(u32 seed);
100642 void prandom_reseed_late(void);
100643@@ -46,6 +56,11 @@ struct rnd_state {
100644 u32 prandom_u32_state(struct rnd_state *state);
100645 void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
100646
100647+static inline unsigned long __intentional_overflow(-1) pax_get_random_long(void)
100648+{
100649+ return prandom_u32() + (sizeof(long) > 4 ? (unsigned long)prandom_u32() << 32 : 0);
100650+}
100651+
100652 /**
100653 * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
100654 * @ep_ro: right open interval endpoint
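Review bot: `pax_get_random_long()` is built from two `prandom_u32()` calls, and the prandom family is the kernel's fast non-cryptographic generator, so its output should not be treated as unpredictable. The callers are outside this hunk; if any of them use the value for address or layout randomisation, filling the `unsigned long` with `get_random_bytes(&v, sizeof(v))`, which is declared in this header, would be the stronger source. Otherwise the helper should at least say what it is, e.g. `/* prandom-based: fast, not cryptographically strong */`.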
100655@@ -58,7 +73,7 @@ void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
100656 *
100657 * Returns: pseudo-random number in interval [0, ep_ro)
100658 */
100659-static inline u32 prandom_u32_max(u32 ep_ro)
100660+static inline u32 __intentional_overflow(-1) prandom_u32_max(u32 ep_ro)
100661 {
100662 return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
100663 }
100664diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h
100665index 14d7b83..a1edf56 100644
100666--- a/include/linux/rbtree_augmented.h
100667+++ b/include/linux/rbtree_augmented.h
100668@@ -90,7 +90,9 @@ rbname ## _rotate(struct rb_node *rb_old, struct rb_node *rb_new) \
100669 old->rbaugmented = rbcompute(old); \
100670 } \
100671 rbstatic const struct rb_augment_callbacks rbname = { \
100672- rbname ## _propagate, rbname ## _copy, rbname ## _rotate \
100673+ .propagate = rbname ## _propagate, \
100674+ .copy = rbname ## _copy, \
100675+ .rotate = rbname ## _rotate \
100676 };
100677
100678
100679diff --git a/include/linux/rculist.h b/include/linux/rculist.h
100680index 17c6b1f..a65e3f8 100644
100681--- a/include/linux/rculist.h
100682+++ b/include/linux/rculist.h
100683@@ -59,6 +59,9 @@ void __list_add_rcu(struct list_head *new,
100684 struct list_head *prev, struct list_head *next);
100685 #endif
100686
100687+void __pax_list_add_rcu(struct list_head *new,
100688+ struct list_head *prev, struct list_head *next);
100689+
100690 /**
100691 * list_add_rcu - add a new entry to rcu-protected list
100692 * @new: new entry to be added
100693@@ -80,6 +83,11 @@ static inline void list_add_rcu(struct list_head *new, struct list_head *head)
100694 __list_add_rcu(new, head, head->next);
100695 }
100696
100697+static inline void pax_list_add_rcu(struct list_head *new, struct list_head *head)
100698+{
100699+ __pax_list_add_rcu(new, head, head->next);
100700+}
100701+
100702 /**
100703 * list_add_tail_rcu - add a new entry to rcu-protected list
100704 * @new: new entry to be added
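Review bot: `pax_list_add_rcu()` has no kernel-doc, while every neighbouring list helper in this header does, and nothing here says how it differs from `list_add_rcu()` beyond calling `__pax_list_add_rcu()`, which is defined outside the header. A reader cannot tell which variant to use or whether the same locking and RCU rules apply. Add a kernel-doc block mirroring the one on `list_add_rcu()` that states the difference and the caller's obligations. The same goes for `pax_list_add_tail_rcu()` and `pax_list_del_rcu()` in the next two hunks.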
100705@@ -102,6 +110,12 @@ static inline void list_add_tail_rcu(struct list_head *new,
100706 __list_add_rcu(new, head->prev, head);
100707 }
100708
100709+static inline void pax_list_add_tail_rcu(struct list_head *new,
100710+ struct list_head *head)
100711+{
100712+ __pax_list_add_rcu(new, head->prev, head);
100713+}
100714+
100715 /**
100716 * list_del_rcu - deletes entry from list without re-initialization
100717 * @entry: the element to delete from the list.
100718@@ -132,6 +146,8 @@ static inline void list_del_rcu(struct list_head *entry)
100719 entry->prev = LIST_POISON2;
100720 }
100721
100722+extern void pax_list_del_rcu(struct list_head *entry);
100723+
100724 /**
100725 * hlist_del_init_rcu - deletes entry from hash list with re-initialization
100726 * @n: the element to delete from the hash list.
100727diff --git a/include/linux/reboot.h b/include/linux/reboot.h
100728index a7ff409..03e2fa8 100644
100729--- a/include/linux/reboot.h
100730+++ b/include/linux/reboot.h
100731@@ -47,9 +47,9 @@ extern void do_kernel_restart(char *cmd);
100732 */
100733
100734 extern void migrate_to_reboot_cpu(void);
100735-extern void machine_restart(char *cmd);
100736-extern void machine_halt(void);
100737-extern void machine_power_off(void);
100738+extern void machine_restart(char *cmd) __noreturn;
100739+extern void machine_halt(void) __noreturn;
100740+extern void machine_power_off(void) __noreturn;
100741
100742 extern void machine_shutdown(void);
100743 struct pt_regs;
100744@@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struct pt_regs *);
100745 */
100746
100747 extern void kernel_restart_prepare(char *cmd);
100748-extern void kernel_restart(char *cmd);
100749-extern void kernel_halt(void);
100750-extern void kernel_power_off(void);
100751+extern void kernel_restart(char *cmd) __noreturn;
100752+extern void kernel_halt(void) __noreturn;
100753+extern void kernel_power_off(void) __noreturn;
100754
100755 extern int C_A_D; /* for sysctl */
100756 void ctrl_alt_del(void);
100757@@ -77,7 +77,7 @@ extern void orderly_reboot(void);
100758 * Emergency restart, callable from an interrupt handler.
100759 */
100760
100761-extern void emergency_restart(void);
100762+extern void emergency_restart(void) __noreturn;
100763 #include <asm/emergency-restart.h>
100764
100765 #endif /* _LINUX_REBOOT_H */
100766diff --git a/include/linux/regset.h b/include/linux/regset.h
100767index 8e0c9fe..ac4d221 100644
100768--- a/include/linux/regset.h
100769+++ b/include/linux/regset.h
100770@@ -161,7 +161,8 @@ struct user_regset {
100771 unsigned int align;
100772 unsigned int bias;
100773 unsigned int core_note_type;
100774-};
100775+} __do_const;
100776+typedef struct user_regset __no_const user_regset_no_const;
100777
100778 /**
100779 * struct user_regset_view - available regsets
100780diff --git a/include/linux/relay.h b/include/linux/relay.h
100781index d7c8359..818daf5 100644
100782--- a/include/linux/relay.h
100783+++ b/include/linux/relay.h
100784@@ -157,7 +157,7 @@ struct rchan_callbacks
100785 * The callback should return 0 if successful, negative if not.
100786 */
100787 int (*remove_buf_file)(struct dentry *dentry);
100788-};
100789+} __no_const;
100790
100791 /*
100792 * CONFIG_RELAY kernel API, kernel/relay.c
100793diff --git a/include/linux/rio.h b/include/linux/rio.h
100794index cde976e..ebd6033 100644
100795--- a/include/linux/rio.h
100796+++ b/include/linux/rio.h
100797@@ -358,7 +358,7 @@ struct rio_ops {
100798 int (*map_inb)(struct rio_mport *mport, dma_addr_t lstart,
100799 u64 rstart, u32 size, u32 flags);
100800 void (*unmap_inb)(struct rio_mport *mport, dma_addr_t lstart);
100801-};
100802+} __no_const;
100803
100804 #define RIO_RESOURCE_MEM 0x00000100
100805 #define RIO_RESOURCE_DOORBELL 0x00000200
100806diff --git a/include/linux/rmap.h b/include/linux/rmap.h
100807index c89c53a..aa0a65a 100644
100808--- a/include/linux/rmap.h
100809+++ b/include/linux/rmap.h
100810@@ -146,8 +146,8 @@ static inline void anon_vma_unlock_read(struct anon_vma *anon_vma)
100811 void anon_vma_init(void); /* create anon_vma_cachep */
100812 int anon_vma_prepare(struct vm_area_struct *);
100813 void unlink_anon_vmas(struct vm_area_struct *);
100814-int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
100815-int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
100816+int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
100817+int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
100818
100819 static inline void anon_vma_merge(struct vm_area_struct *vma,
100820 struct vm_area_struct *next)
100821diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
100822index 9b1ef0c..9fa3feb 100644
100823--- a/include/linux/scatterlist.h
100824+++ b/include/linux/scatterlist.h
100825@@ -1,6 +1,7 @@
100826 #ifndef _LINUX_SCATTERLIST_H
100827 #define _LINUX_SCATTERLIST_H
100828
100829+#include <linux/sched.h>
100830 #include <linux/string.h>
100831 #include <linux/types.h>
100832 #include <linux/bug.h>
100833@@ -136,10 +137,17 @@ static inline struct page *sg_page(struct scatterlist *sg)
100834 static inline void sg_set_buf(struct scatterlist *sg, const void *buf,
100835 unsigned int buflen)
100836 {
100837+ const void *realbuf = buf;
100838+
100839+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
100840+ if (object_starts_on_stack(buf))
100841+ realbuf = buf - current->stack + current->lowmem_stack;
100842+#endif
100843+
100844 #ifdef CONFIG_DEBUG_SG
100845- BUG_ON(!virt_addr_valid(buf));
100846+ BUG_ON(!virt_addr_valid(realbuf));
100847 #endif
100848- sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf));
100849+ sg_set_page(sg, virt_to_page(realbuf), buflen, offset_in_page(realbuf));
100850 }
100851
100852 /*
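Review bot: The `CONFIG_GRKERNSEC_KSTACKOVERFLOW` branch rewrites `buf` into `current->lowmem_stack` without saying why, and it decides on the start address alone: `object_starts_on_stack(buf)` never looks at `buflen`. A comment should record the assumption. Presumably the task stack is outside the linear mapping under this option, so `virt_to_page()` needs the `lowmem_stack` alias, e.g. `/* translate stack addresses to their lowmem alias before virt_to_page() */`. It should also state that the whole buffer is expected to lie within the stack. The `#include <linux/sched.h>` added in the first hunk pulls a heavy header into every scatterlist user just for `current`, so it is worth confirming that it introduces no include cycle.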
100853diff --git a/include/linux/sched.h b/include/linux/sched.h
100854index 04b5ada..9a2d1d0 100644
100855--- a/include/linux/sched.h
100856+++ b/include/linux/sched.h
100857@@ -7,7 +7,7 @@
100858
100859
100860 struct sched_param {
100861- int sched_priority;
100862+ unsigned int sched_priority;
100863 };
100864
100865 #include <asm/param.h> /* for HZ */
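Review bot: Changing `sched_priority` to `unsigned int` turns any existing `sched_priority < 0` test into dead code and makes a negative value supplied by a caller appear as a very large priority. Range validation then rests entirely on the upper-bound checks. The users of the field are outside this hunk and should be audited for signed comparisons and `%d` formatting. A comment on the member, e.g. `/* unsigned: out-of-range values are expected to fail the upper-bound check */`, would record the intent.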
100866@@ -134,6 +134,7 @@ struct perf_event_context;
100867 struct blk_plug;
100868 struct filename;
100869 struct nameidata;
100870+struct linux_binprm;
100871
100872 #define VMACACHE_BITS 2
100873 #define VMACACHE_SIZE (1U << VMACACHE_BITS)
100874@@ -418,7 +419,7 @@ extern char __sched_text_start[], __sched_text_end[];
100875 extern int in_sched_functions(unsigned long addr);
100876
100877 #define MAX_SCHEDULE_TIMEOUT LONG_MAX
100878-extern signed long schedule_timeout(signed long timeout);
100879+extern signed long schedule_timeout(signed long timeout) __intentional_overflow(-1);
100880 extern signed long schedule_timeout_interruptible(signed long timeout);
100881 extern signed long schedule_timeout_killable(signed long timeout);
100882 extern signed long schedule_timeout_uninterruptible(signed long timeout);
100883@@ -436,6 +437,19 @@ struct nsproxy;
100884 struct user_namespace;
100885
100886 #ifdef CONFIG_MMU
100887+
100888+#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
100889+extern unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags);
100890+#else
100891+static inline unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
100892+{
100893+ return 0;
100894+}
100895+#endif
100896+
100897+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset);
100898+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset);
100899+
100900 extern void arch_pick_mmap_layout(struct mm_struct *mm);
100901 extern unsigned long
100902 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
100903@@ -749,6 +763,17 @@ struct signal_struct {
100904 #ifdef CONFIG_TASKSTATS
100905 struct taskstats *stats;
100906 #endif
100907+
100908+#ifdef CONFIG_GRKERNSEC
100909+ u32 curr_ip;
100910+ u32 saved_ip;
100911+ u32 gr_saddr;
100912+ u32 gr_daddr;
100913+ u16 gr_sport;
100914+ u16 gr_dport;
100915+ u8 used_accept:1;
100916+#endif
100917+
100918 #ifdef CONFIG_AUDIT
100919 unsigned audit_tty;
100920 unsigned audit_tty_log_passwd;
100921@@ -763,7 +788,7 @@ struct signal_struct {
100922 struct mutex cred_guard_mutex; /* guard against foreign influences on
100923 * credential calculations
100924 * (notably. ptrace) */
100925-};
100926+} __randomize_layout;
100927
100928 /*
100929 * Bits in flags field of signal_struct.
100930@@ -816,6 +841,14 @@ struct user_struct {
100931 struct key *session_keyring; /* UID's default session keyring */
100932 #endif
100933
100934+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
100935+ unsigned char kernel_banned;
100936+#endif
100937+#ifdef CONFIG_GRKERNSEC_BRUTE
100938+ unsigned char suid_banned;
100939+ unsigned long suid_ban_expires;
100940+#endif
100941+
100942 /* Hash table maintenance information */
100943 struct hlist_node uidhash_node;
100944 kuid_t uid;
100945@@ -823,7 +856,7 @@ struct user_struct {
100946 #ifdef CONFIG_PERF_EVENTS
100947 atomic_long_t locked_vm;
100948 #endif
100949-};
100950+} __randomize_layout;
100951
100952 extern int uids_sysfs_init(void);
100953
100954@@ -1344,6 +1377,9 @@ enum perf_event_task_context {
100955 struct task_struct {
100956 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
100957 void *stack;
100958+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
100959+ void *lowmem_stack;
100960+#endif
100961 atomic_t usage;
100962 unsigned int flags; /* per process flags, defined below */
100963 unsigned int ptrace;
100964@@ -1476,8 +1512,8 @@ struct task_struct {
100965 struct list_head thread_node;
100966
100967 struct completion *vfork_done; /* for vfork() */
100968- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
100969- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
100970+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
100971+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
100972
100973 cputime_t utime, stime, utimescaled, stimescaled;
100974 cputime_t gtime;
100975@@ -1502,11 +1538,6 @@ struct task_struct {
100976 struct task_cputime cputime_expires;
100977 struct list_head cpu_timers[3];
100978
100979-/* process credentials */
100980- const struct cred __rcu *real_cred; /* objective and real subjective task
100981- * credentials (COW) */
100982- const struct cred __rcu *cred; /* effective (overridable) subjective task
100983- * credentials (COW) */
100984 char comm[TASK_COMM_LEN]; /* executable name excluding path
100985 - access with [gs]et_task_comm (which lock
100986 it with task_lock())
100987@@ -1598,6 +1629,10 @@ struct task_struct {
100988 gfp_t lockdep_reclaim_gfp;
100989 #endif
100990
100991+/* process credentials */
100992+ const struct cred __rcu *real_cred; /* objective and real subjective task
100993+ * credentials (COW) */
100994+
100995 /* journalling filesystem info */
100996 void *journal_info;
100997
100998@@ -1636,6 +1671,10 @@ struct task_struct {
100999 /* cg_list protected by css_set_lock and tsk->alloc_lock */
101000 struct list_head cg_list;
101001 #endif
101002+
101003+ const struct cred __rcu *cred; /* effective (overridable) subjective task
101004+ * credentials (COW) */
101005+
101006 #ifdef CONFIG_FUTEX
101007 struct robust_list_head __user *robust_list;
101008 #ifdef CONFIG_COMPAT
101009@@ -1747,7 +1786,7 @@ struct task_struct {
101010 * Number of functions that haven't been traced
101011 * because of depth overrun.
101012 */
101013- atomic_t trace_overrun;
101014+ atomic_unchecked_t trace_overrun;
101015 /* Pause for the tracing */
101016 atomic_t tracing_graph_pause;
101017 #endif
101018@@ -1776,22 +1815,91 @@ struct task_struct {
101019 unsigned long task_state_change;
101020 #endif
101021 int pagefault_disabled;
101022+
101023+#ifdef CONFIG_GRKERNSEC
101024+ /* grsecurity */
101025+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
101026+ u64 exec_id;
101027+#endif
101028+#ifdef CONFIG_GRKERNSEC_SETXID
101029+ const struct cred *delayed_cred;
101030+#endif
101031+ struct dentry *gr_chroot_dentry;
101032+ struct acl_subject_label *acl;
101033+ struct acl_subject_label *tmpacl;
101034+ struct acl_role_label *role;
101035+ struct file *exec_file;
101036+ unsigned long brute_expires;
101037+ u16 acl_role_id;
101038+ u8 inherited;
101039+ /* is this the task that authenticated to the special role */
101040+ u8 acl_sp_role;
101041+ u8 is_writable;
101042+ u8 brute;
101043+ u8 gr_is_chrooted;
101044+#endif
101045+
101046+/* thread_info moved to task_struct */
101047+#ifdef CONFIG_X86
101048+ struct thread_info tinfo;
101049+#endif
101050 /* CPU-specific state of this task */
101051 struct thread_struct thread;
101052-/*
101053- * WARNING: on x86, 'thread_struct' contains a variable-sized
101054- * structure. It *MUST* be at the end of 'task_struct'.
101055- *
101056- * Do not put anything below here!
101057- */
101058-};
101059+} __randomize_layout;
101060
101061 #ifdef CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT
101062-extern int arch_task_struct_size __read_mostly;
101063+extern size_t arch_task_struct_size __read_mostly;
101064 #else
101065 # define arch_task_struct_size (sizeof(struct task_struct))
101066 #endif
101067
101068+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
101069+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
101070+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
101071+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
101072+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
101073+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
101074+
101075+#ifdef CONFIG_PAX_SOFTMODE
101076+extern int pax_softmode;
101077+#endif
101078+
101079+extern int pax_check_flags(unsigned long *);
101080+#define PAX_PARSE_FLAGS_FALLBACK (~0UL)
101081+
101082+/* if tsk != current then task_lock must be held on it */
101083+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
101084+static inline unsigned long pax_get_flags(struct task_struct *tsk)
101085+{
101086+ if (likely(tsk->mm))
101087+ return tsk->mm->pax_flags;
101088+ else
101089+ return 0UL;
101090+}
101091+
101092+/* if tsk != current then task_lock must be held on it */
101093+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
101094+{
101095+ if (likely(tsk->mm)) {
101096+ tsk->mm->pax_flags = flags;
101097+ return 0;
101098+ }
101099+ return -EINVAL;
101100+}
101101+#endif
101102+
101103+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
101104+extern void pax_set_initial_flags(struct linux_binprm *bprm);
101105+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
101106+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
101107+#endif
101108+
101109+struct path;
101110+extern char *pax_get_path(const struct path *path, char *buf, int buflen);
101111+extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
101112+extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
101113+extern void pax_report_refcount_overflow(struct pt_regs *regs);
101114+
101115 /* Future-safe accessor for struct task_struct's cpus_allowed. */
101116 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
101117
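Review bot: The hunk deletes the warning that `thread` must stay the last member of `task_struct` because on x86 `thread_struct` contains a variable-sized structure. `thread` is still the last member, and `arch_task_struct_size` is still declared just below, so the constraint appears to remain. With `__randomize_layout` now applied to the struct, the invariant deserves to be spelled out; how the layout plugin treats the trailing member is not visible here. Keeping a short form of the comment, e.g. `/* 'thread' must remain the last member: variable-sized on x86 */`, would preserve it. `task_struct` starts outside this hunk.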
101118@@ -1873,7 +1981,7 @@ struct pid_namespace;
101119 pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
101120 struct pid_namespace *ns);
101121
101122-static inline pid_t task_pid_nr(struct task_struct *tsk)
101123+static inline pid_t task_pid_nr(const struct task_struct *tsk)
101124 {
101125 return tsk->pid;
101126 }
101127@@ -2241,6 +2349,25 @@ extern u64 sched_clock_cpu(int cpu);
101128
101129 extern void sched_clock_init(void);
101130
101131+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
101132+static inline void populate_stack(void)
101133+{
101134+ struct task_struct *curtask = current;
101135+ int c;
101136+ int *ptr = curtask->stack;
101137+ int *end = curtask->stack + THREAD_SIZE;
101138+
101139+ while (ptr < end) {
101140+ c = *(volatile int *)ptr;
101141+ ptr += PAGE_SIZE/sizeof(int);
101142+ }
101143+}
101144+#else
101145+static inline void populate_stack(void)
101146+{
101147+}
101148+#endif
101149+
101150 #ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
101151 static inline void sched_clock_tick(void)
101152 {
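Review bot: In `populate_stack()` the local `c` is assigned and never read, which draws a set-but-unused warning and hides that the volatile load is the whole point of the loop. Drop `int c;` and write the access as `(void)*(volatile int *)ptr;`. The function also has no comment; something like `/* read one word from every page of the current task's stack so each page is touched */` would state what the `PAGE_SIZE/sizeof(int)` stride is doing. Why the pages need touching under `CONFIG_GRKERNSEC_KSTACKOVERFLOW` is not visible in this hunk and should be added by someone who knows the caller.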
101153@@ -2369,7 +2496,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
101154 void yield(void);
101155
101156 union thread_union {
101157+#ifndef CONFIG_X86
101158 struct thread_info thread_info;
101159+#endif
101160 unsigned long stack[THREAD_SIZE/sizeof(long)];
101161 };
101162
101163@@ -2402,6 +2531,7 @@ extern struct pid_namespace init_pid_ns;
101164 */
101165
101166 extern struct task_struct *find_task_by_vpid(pid_t nr);
101167+extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
101168 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
101169 struct pid_namespace *ns);
101170
101171@@ -2579,7 +2709,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
101172 extern void exit_itimers(struct signal_struct *);
101173 extern void flush_itimer_signals(void);
101174
101175-extern void do_group_exit(int);
101176+extern __noreturn void do_group_exit(int);
101177
101178 extern int do_execve(struct filename *,
101179 const char __user * const __user *,
101180@@ -2784,9 +2914,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
101181 #define task_stack_end_corrupted(task) \
101182 (*(end_of_stack(task)) != STACK_END_MAGIC)
101183
101184-static inline int object_is_on_stack(void *obj)
101185+static inline int object_starts_on_stack(const void *obj)
101186 {
101187- void *stack = task_stack_page(current);
101188+ const void *stack = task_stack_page(current);
101189
101190 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
101191 }
101192diff --git a/include/linux/sched/sysctl.h b/include/linux/sched/sysctl.h
101193index c9e4731..c716293 100644
101194--- a/include/linux/sched/sysctl.h
101195+++ b/include/linux/sched/sysctl.h
101196@@ -34,6 +34,7 @@ enum { sysctl_hung_task_timeout_secs = 0 };
101197 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
101198
101199 extern int sysctl_max_map_count;
101200+extern unsigned long sysctl_heap_stack_gap;
101201
101202 extern unsigned int sysctl_sched_latency;
101203 extern unsigned int sysctl_sched_min_granularity;
101204diff --git a/include/linux/security.h b/include/linux/security.h
101205index 79d85dd..5bc05d7 100644
101206--- a/include/linux/security.h
101207+++ b/include/linux/security.h
101208@@ -28,6 +28,7 @@
101209 #include <linux/err.h>
101210 #include <linux/string.h>
101211 #include <linux/mm.h>
101212+#include <linux/grsecurity.h>
101213
101214 struct linux_binprm;
101215 struct cred;
101216@@ -946,7 +947,7 @@ static inline int security_task_prctl(int option, unsigned long arg2,
101217 unsigned long arg4,
101218 unsigned long arg5)
101219 {
101220- return cap_task_prctl(option, arg2, arg3, arg3, arg5);
101221+ return cap_task_prctl(option, arg2, arg3, arg4, arg5);
101222 }
101223
101224 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
101225diff --git a/include/linux/semaphore.h b/include/linux/semaphore.h
101226index dc368b8..e895209 100644
101227--- a/include/linux/semaphore.h
101228+++ b/include/linux/semaphore.h
101229@@ -37,7 +37,7 @@ static inline void sema_init(struct semaphore *sem, int val)
101230 }
101231
101232 extern void down(struct semaphore *sem);
101233-extern int __must_check down_interruptible(struct semaphore *sem);
101234+extern int __must_check down_interruptible(struct semaphore *sem) __intentional_overflow(-1);
101235 extern int __must_check down_killable(struct semaphore *sem);
101236 extern int __must_check down_trylock(struct semaphore *sem);
101237 extern int __must_check down_timeout(struct semaphore *sem, long jiffies);
101238diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
101239index d4c7271..abf5706 100644
101240--- a/include/linux/seq_file.h
101241+++ b/include/linux/seq_file.h
101242@@ -27,6 +27,9 @@ struct seq_file {
101243 struct mutex lock;
101244 const struct seq_operations *op;
101245 int poll_event;
101246+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
101247+ u64 exec_id;
101248+#endif
101249 #ifdef CONFIG_USER_NS
101250 struct user_namespace *user_ns;
101251 #endif
101252@@ -39,6 +42,7 @@ struct seq_operations {
101253 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
101254 int (*show) (struct seq_file *m, void *v);
101255 };
101256+typedef struct seq_operations __no_const seq_operations_no_const;
101257
101258 #define SEQ_SKIP 1
101259
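Review bot: `seq_operations_no_const` is added with no comment saying when a writable ops table is acceptable, so the typedef reads as a general-purpose alternative to `const struct seq_operations`. The same applies to `ctl_table_no_const` in sysctl.h and to the three `*_no_const` typedefs in sysfs.h later in this patch. Presumably these exist for tables that must be filled in at run time. A line such as `/* writable variant, only for tables built at run time; prefer const struct seq_operations */` would keep new code from reaching for it by default.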
101260@@ -111,6 +115,7 @@ void seq_pad(struct seq_file *m, char c);
101261
101262 char *mangle_path(char *s, const char *p, const char *esc);
101263 int seq_open(struct file *, const struct seq_operations *);
101264+int seq_open_restrict(struct file *, const struct seq_operations *);
101265 ssize_t seq_read(struct file *, char __user *, size_t, loff_t *);
101266 loff_t seq_lseek(struct file *, loff_t, int);
101267 int seq_release(struct inode *, struct file *);
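Review bot: `seq_open_restrict()` has the same signature as `seq_open()` and no comment stating what it restricts, so a /proc author cannot tell from the header which of the two a sensitive file should use. The same is true of `single_open_restrict()` in the next hunk. A one-line comment on each prototype naming the extra check it performs, and what it returns when the check fails, would make the choice reviewable at the call site.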
101268@@ -129,6 +134,7 @@ int seq_path_root(struct seq_file *m, const struct path *path,
101269 const struct path *root, const char *esc);
101270
101271 int single_open(struct file *, int (*)(struct seq_file *, void *), void *);
101272+int single_open_restrict(struct file *, int (*)(struct seq_file *, void *), void *);
101273 int single_open_size(struct file *, int (*)(struct seq_file *, void *), void *, size_t);
101274 int single_release(struct inode *, struct file *);
101275 void *__seq_open_private(struct file *, const struct seq_operations *, int);
101276diff --git a/include/linux/shm.h b/include/linux/shm.h
101277index 6fb8016..2cf60e7 100644
101278--- a/include/linux/shm.h
101279+++ b/include/linux/shm.h
101280@@ -22,7 +22,11 @@ struct shmid_kernel /* private to the kernel */
101281 /* The task created the shm object. NULL if the task is dead. */
101282 struct task_struct *shm_creator;
101283 struct list_head shm_clist; /* list by creator */
101284-};
101285+#ifdef CONFIG_GRKERNSEC
101286+ u64 shm_createtime;
101287+ pid_t shm_lapid;
101288+#endif
101289+} __randomize_layout;
101290
101291 /* shm_mode upper byte flags */
101292 #define SHM_DEST 01000 /* segment will be destroyed on last detach */
101293diff --git a/include/linux/signal.h b/include/linux/signal.h
101294index ab1e039..ad4229e 100644
101295--- a/include/linux/signal.h
101296+++ b/include/linux/signal.h
101297@@ -289,7 +289,7 @@ static inline void allow_signal(int sig)
101298 * know it'll be handled, so that they don't get converted to
101299 * SIGKILL or just silently dropped.
101300 */
101301- kernel_sigaction(sig, (__force __sighandler_t)2);
101302+ kernel_sigaction(sig, (__force_user __sighandler_t)2);
101303 }
101304
101305 static inline void disallow_signal(int sig)
101306diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
101307index 9b88536..6a15c44 100644
101308--- a/include/linux/skbuff.h
101309+++ b/include/linux/skbuff.h
101310@@ -784,7 +784,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
101311 int node);
101312 struct sk_buff *__build_skb(void *data, unsigned int frag_size);
101313 struct sk_buff *build_skb(void *data, unsigned int frag_size);
101314-static inline struct sk_buff *alloc_skb(unsigned int size,
101315+static inline struct sk_buff * __intentional_overflow(0) alloc_skb(unsigned int size,
101316 gfp_t priority)
101317 {
101318 return __alloc_skb(size, priority, 0, NUMA_NO_NODE);
101319@@ -1979,7 +1979,7 @@ static inline u32 skb_inner_network_header_len(const struct sk_buff *skb)
101320 return skb->inner_transport_header - skb->inner_network_header;
101321 }
101322
101323-static inline int skb_network_offset(const struct sk_buff *skb)
101324+static inline int __intentional_overflow(0) skb_network_offset(const struct sk_buff *skb)
101325 {
101326 return skb_network_header(skb) - skb->data;
101327 }
101328@@ -2039,7 +2039,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
101329 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
101330 */
101331 #ifndef NET_SKB_PAD
101332-#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
101333+#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
101334 #endif
101335
101336 int ___pskb_trim(struct sk_buff *skb, unsigned int len);
101337@@ -2682,9 +2682,9 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock,
101338 int *err);
101339 unsigned int datagram_poll(struct file *file, struct socket *sock,
101340 struct poll_table_struct *wait);
101341-int skb_copy_datagram_iter(const struct sk_buff *from, int offset,
101342+int __intentional_overflow(0) skb_copy_datagram_iter(const struct sk_buff *from, int offset,
101343 struct iov_iter *to, int size);
101344-static inline int skb_copy_datagram_msg(const struct sk_buff *from, int offset,
101345+static inline int __intentional_overflow(2,4) skb_copy_datagram_msg(const struct sk_buff *from, int offset,
101346 struct msghdr *msg, int size)
101347 {
101348 return skb_copy_datagram_iter(from, offset, &msg->msg_iter, size);
101349@@ -3213,6 +3213,9 @@ static inline void nf_reset(struct sk_buff *skb)
101350 nf_bridge_put(skb->nf_bridge);
101351 skb->nf_bridge = NULL;
101352 #endif
101353+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
101354+ skb->nf_trace = 0;
101355+#endif
101356 }
101357
101358 static inline void nf_reset_trace(struct sk_buff *skb)
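Review bot: The added `skb->nf_trace = 0;` sits under its own guard, `#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)`, separate from whatever condition `nf_reset_trace()` uses; that function begins right after this hunk and its body is not shown. If its guard is wider than this one, `nf_reset()` will leave the trace bit set in the configurations the two do not share. Keep the two conditions identical, or move `nf_reset_trace()` above `nf_reset()` and call it here so there is a single guard to maintain. `nf_reset()` itself starts outside the hunk.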
101359diff --git a/include/linux/slab.h b/include/linux/slab.h
101360index a99f0e5..4efa730 100644
101361--- a/include/linux/slab.h
101362+++ b/include/linux/slab.h
101363@@ -15,14 +15,29 @@
101364 #include <linux/types.h>
101365 #include <linux/workqueue.h>
101366
101367+#include <linux/err.h>
101368
101369 /*
101370 * Flags to pass to kmem_cache_create().
101371 * The ones marked DEBUG are only valid if CONFIG_DEBUG_SLAB is set.
101372 */
101373 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
101374+
101375+#ifdef CONFIG_PAX_USERCOPY_SLABS
101376+#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
101377+#else
101378+#define SLAB_USERCOPY 0x00000000UL
101379+#endif
101380+
101381 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
101382 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
101383+
101384+#ifdef CONFIG_PAX_MEMORY_SANITIZE
101385+#define SLAB_NO_SANITIZE 0x00001000UL /* PaX: Do not sanitize objs on free */
101386+#else
101387+#define SLAB_NO_SANITIZE 0x00000000UL
101388+#endif
101389+
101390 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
101391 #define SLAB_CACHE_DMA 0x00004000UL /* Use GFP_DMA memory */
101392 #define SLAB_STORE_USER 0x00010000UL /* DEBUG: Store the last owner for bug hunting */
101393@@ -98,10 +113,13 @@
101394 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
101395 * Both make kfree a no-op.
101396 */
101397-#define ZERO_SIZE_PTR ((void *)16)
101398+#define ZERO_SIZE_PTR \
101399+({ \
101400+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
101401+ (void *)(-MAX_ERRNO-1L); \
101402+})
101403
101404-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
101405- (unsigned long)ZERO_SIZE_PTR)
101406+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
101407
101408 #include <linux/kmemleak.h>
101409 #include <linux/kasan.h>
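Review bot: The new `ZERO_OR_NULL_PTR()` is true for NULL and for every address at or above `ZERO_SIZE_PTR`, which now includes the whole `ERR_PTR()` range, and the comment above the macros still describes only the two original values. Any caller that uses the macro as an early-out (the existing comment says kfree does) will now silently accept an error pointer, which deserves to be written down. I would add `/* True for NULL and for any address >= ZERO_SIZE_PTR, ERR_PTR() values included; relies on unsigned wrap of 0 - 1. */`. Separately, `ZERO_SIZE_PTR` is now a statement expression, so it can no longer appear in a static initializer or any other constant-expression context; worth confirming no user depends on that.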
101410@@ -143,6 +161,8 @@ void * __must_check krealloc(const void *, size_t, gfp_t);
101411 void kfree(const void *);
101412 void kzfree(const void *);
101413 size_t ksize(const void *);
101414+const char *check_heap_object(const void *ptr, unsigned long n);
101415+bool is_usercopy_object(const void *ptr);
101416
101417 /*
101418 * Some archs want to perform DMA into kmalloc caches and need a guaranteed
101419@@ -235,6 +255,10 @@ extern struct kmem_cache *kmalloc_caches[KMALLOC_SHIFT_HIGH + 1];
101420 extern struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
101421 #endif
101422
101423+#ifdef CONFIG_PAX_USERCOPY_SLABS
101424+extern struct kmem_cache *kmalloc_usercopy_caches[KMALLOC_SHIFT_HIGH + 1];
101425+#endif
101426+
101427 /*
101428 * Figure out which kmalloc slab an allocation of a certain size
101429 * belongs to.
101430@@ -243,7 +267,7 @@ extern struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
101431 * 2 = 129 .. 192 bytes
101432 * n = 2^(n-1)+1 .. 2^n
101433 */
101434-static __always_inline int kmalloc_index(size_t size)
101435+static __always_inline __size_overflow(1) int kmalloc_index(size_t size)
101436 {
101437 if (!size)
101438 return 0;
101439@@ -286,15 +310,15 @@ static __always_inline int kmalloc_index(size_t size)
101440 }
101441 #endif /* !CONFIG_SLOB */
101442
101443-void *__kmalloc(size_t size, gfp_t flags);
101444+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1) __size_overflow(1);
101445 void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags);
101446 void kmem_cache_free(struct kmem_cache *, void *);
101447
101448 #ifdef CONFIG_NUMA
101449-void *__kmalloc_node(size_t size, gfp_t flags, int node);
101450+void *__kmalloc_node(size_t size, gfp_t flags, int node) __alloc_size(1) __size_overflow(1);
101451 void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
101452 #else
101453-static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
101454+static __always_inline void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
101455 {
101456 return __kmalloc(size, flags);
101457 }
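Review bot: The `!CONFIG_NUMA` inline `__kmalloc_node()` receives `__size_overflow(1)` but not the `__alloc_size(1)` that both extern prototypes in this hunk get, so the annotation on the same function differs by configuration. If that is deliberate because the inline only forwards to `__kmalloc()`, a short comment would say so. Otherwise make it match: `static __always_inline void * __alloc_size(1) __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)`.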
101458diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h
101459index 33d0490..70a6313 100644
101460--- a/include/linux/slab_def.h
101461+++ b/include/linux/slab_def.h
101462@@ -40,7 +40,7 @@ struct kmem_cache {
101463 /* 4) cache creation/removal */
101464 const char *name;
101465 struct list_head list;
101466- int refcount;
101467+ atomic_t refcount;
101468 int object_size;
101469 int align;
101470
101471@@ -56,10 +56,14 @@ struct kmem_cache {
101472 unsigned long node_allocs;
101473 unsigned long node_frees;
101474 unsigned long node_overflow;
101475- atomic_t allochit;
101476- atomic_t allocmiss;
101477- atomic_t freehit;
101478- atomic_t freemiss;
101479+ atomic_unchecked_t allochit;
101480+ atomic_unchecked_t allocmiss;
101481+ atomic_unchecked_t freehit;
101482+ atomic_unchecked_t freemiss;
101483+#ifdef CONFIG_PAX_MEMORY_SANITIZE
101484+ atomic_unchecked_t sanitized;
101485+ atomic_unchecked_t not_sanitized;
101486+#endif
101487
101488 /*
101489 * If debugging is enabled, then the allocator can add additional
101490diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
101491index 3388511..6252f90 100644
101492--- a/include/linux/slub_def.h
101493+++ b/include/linux/slub_def.h
101494@@ -74,7 +74,7 @@ struct kmem_cache {
101495 struct kmem_cache_order_objects max;
101496 struct kmem_cache_order_objects min;
101497 gfp_t allocflags; /* gfp flags to use on each alloc */
101498- int refcount; /* Refcount for slab cache destroy */
101499+ atomic_t refcount; /* Refcount for slab cache destroy */
101500 void (*ctor)(void *);
101501 int inuse; /* Offset to metadata */
101502 int align; /* Alignment */
101503diff --git a/include/linux/smp.h b/include/linux/smp.h
101504index c441407..f487b83 100644
101505--- a/include/linux/smp.h
101506+++ b/include/linux/smp.h
101507@@ -183,7 +183,9 @@ static inline void smp_init(void) { }
101508 #endif
101509
101510 #define get_cpu() ({ preempt_disable(); smp_processor_id(); })
101511+#define raw_get_cpu() ({ raw_preempt_disable(); raw_smp_processor_id(); })
101512 #define put_cpu() preempt_enable()
101513+#define raw_put_cpu_no_resched() raw_preempt_enable_no_resched()
101514
101515 /*
101516 * Callback to arch code if there's nosmp or maxcpus=0 on the
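Review bot: `raw_get_cpu()` is given only a `_no_resched` counterpart, and nothing here says why the raw variants exist or where skipping the reschedule check on the put side is safe. Judging by the helper names, the put side re-enables preemption without checking for a pending reschedule, which is easy to misuse in a long-running path. I would add a comment above the pair such as `/* raw_get_cpu()/raw_put_cpu_no_resched() must be paired; the put side does not check for a pending reschedule. */`.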
101517diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
101518index fddebc6..6f0ae39 100644
101519--- a/include/linux/sock_diag.h
101520+++ b/include/linux/sock_diag.h
101521@@ -15,7 +15,7 @@ struct sock_diag_handler {
101522 __u8 family;
101523 int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh);
101524 int (*get_info)(struct sk_buff *skb, struct sock *sk);
101525-};
101526+} __do_const;
101527
101528 int sock_diag_register(const struct sock_diag_handler *h);
101529 void sock_diag_unregister(const struct sock_diag_handler *h);
101530diff --git a/include/linux/sonet.h b/include/linux/sonet.h
101531index 680f9a3..f13aeb0 100644
101532--- a/include/linux/sonet.h
101533+++ b/include/linux/sonet.h
101534@@ -7,7 +7,7 @@
101535 #include <uapi/linux/sonet.h>
101536
101537 struct k_sonet_stats {
101538-#define __HANDLE_ITEM(i) atomic_t i
101539+#define __HANDLE_ITEM(i) atomic_unchecked_t i
101540 __SONET_ITEMS
101541 #undef __HANDLE_ITEM
101542 };
101543diff --git a/include/linux/sunrpc/addr.h b/include/linux/sunrpc/addr.h
101544index 07d8e53..dc934c9 100644
101545--- a/include/linux/sunrpc/addr.h
101546+++ b/include/linux/sunrpc/addr.h
101547@@ -23,9 +23,9 @@ static inline unsigned short rpc_get_port(const struct sockaddr *sap)
101548 {
101549 switch (sap->sa_family) {
101550 case AF_INET:
101551- return ntohs(((struct sockaddr_in *)sap)->sin_port);
101552+ return ntohs(((const struct sockaddr_in *)sap)->sin_port);
101553 case AF_INET6:
101554- return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
101555+ return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
101556 }
101557 return 0;
101558 }
101559@@ -58,7 +58,7 @@ static inline bool __rpc_cmp_addr4(const struct sockaddr *sap1,
101560 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
101561 const struct sockaddr *src)
101562 {
101563- const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
101564+ const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
101565 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
101566
101567 dsin->sin_family = ssin->sin_family;
101568@@ -164,7 +164,7 @@ static inline u32 rpc_get_scope_id(const struct sockaddr *sa)
101569 if (sa->sa_family != AF_INET6)
101570 return 0;
101571
101572- return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
101573+ return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
101574 }
101575
101576 #endif /* _LINUX_SUNRPC_ADDR_H */
101577diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h
101578index 131032f..5f9378a 100644
101579--- a/include/linux/sunrpc/clnt.h
101580+++ b/include/linux/sunrpc/clnt.h
101581@@ -101,7 +101,7 @@ struct rpc_procinfo {
101582 unsigned int p_timer; /* Which RTT timer to use */
101583 u32 p_statidx; /* Which procedure to account */
101584 const char * p_name; /* name of procedure */
101585-};
101586+} __do_const;
101587
101588 #ifdef __KERNEL__
101589
101590diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
101591index fae6fb9..023fbcd 100644
101592--- a/include/linux/sunrpc/svc.h
101593+++ b/include/linux/sunrpc/svc.h
101594@@ -420,7 +420,7 @@ struct svc_procedure {
101595 unsigned int pc_count; /* call count */
101596 unsigned int pc_cachetype; /* cache info (NFS) */
101597 unsigned int pc_xdrressize; /* maximum size of XDR reply */
101598-};
101599+} __do_const;
101600
101601 /*
101602 * Function prototypes.
101603diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h
101604index 4929a8a..b8f29e9 100644
101605--- a/include/linux/sunrpc/svc_rdma.h
101606+++ b/include/linux/sunrpc/svc_rdma.h
101607@@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
101608 extern unsigned int svcrdma_max_requests;
101609 extern unsigned int svcrdma_max_req_size;
101610
101611-extern atomic_t rdma_stat_recv;
101612-extern atomic_t rdma_stat_read;
101613-extern atomic_t rdma_stat_write;
101614-extern atomic_t rdma_stat_sq_starve;
101615-extern atomic_t rdma_stat_rq_starve;
101616-extern atomic_t rdma_stat_rq_poll;
101617-extern atomic_t rdma_stat_rq_prod;
101618-extern atomic_t rdma_stat_sq_poll;
101619-extern atomic_t rdma_stat_sq_prod;
101620+extern atomic_unchecked_t rdma_stat_recv;
101621+extern atomic_unchecked_t rdma_stat_read;
101622+extern atomic_unchecked_t rdma_stat_write;
101623+extern atomic_unchecked_t rdma_stat_sq_starve;
101624+extern atomic_unchecked_t rdma_stat_rq_starve;
101625+extern atomic_unchecked_t rdma_stat_rq_poll;
101626+extern atomic_unchecked_t rdma_stat_rq_prod;
101627+extern atomic_unchecked_t rdma_stat_sq_poll;
101628+extern atomic_unchecked_t rdma_stat_sq_prod;
101629
101630 /*
101631 * Contexts are built when an RDMA request is created and are a
101632diff --git a/include/linux/sunrpc/svcauth.h b/include/linux/sunrpc/svcauth.h
101633index 8d71d65..f79586e 100644
101634--- a/include/linux/sunrpc/svcauth.h
101635+++ b/include/linux/sunrpc/svcauth.h
101636@@ -120,7 +120,7 @@ struct auth_ops {
101637 int (*release)(struct svc_rqst *rq);
101638 void (*domain_release)(struct auth_domain *);
101639 int (*set_client)(struct svc_rqst *rq);
101640-};
101641+} __do_const;
101642
101643 #define SVC_GARBAGE 1
101644 #define SVC_SYSERR 2
101645diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
101646index e7a018e..49f8b17 100644
101647--- a/include/linux/swiotlb.h
101648+++ b/include/linux/swiotlb.h
101649@@ -60,7 +60,8 @@ extern void
101650
101651 extern void
101652 swiotlb_free_coherent(struct device *hwdev, size_t size,
101653- void *vaddr, dma_addr_t dma_handle);
101654+ void *vaddr, dma_addr_t dma_handle,
101655+ struct dma_attrs *attrs);
101656
101657 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
101658 unsigned long offset, size_t size,
101659diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
101660index b45c45b..a6ae64c 100644
101661--- a/include/linux/syscalls.h
101662+++ b/include/linux/syscalls.h
101663@@ -102,7 +102,12 @@ union bpf_attr;
101664 #define __TYPE_IS_L(t) (__same_type((t)0, 0L))
101665 #define __TYPE_IS_UL(t) (__same_type((t)0, 0UL))
101666 #define __TYPE_IS_LL(t) (__same_type((t)0, 0LL) || __same_type((t)0, 0ULL))
101667-#define __SC_LONG(t, a) __typeof(__builtin_choose_expr(__TYPE_IS_LL(t), 0LL, 0L)) a
101668+#define __SC_LONG(t, a) __typeof__( \
101669+ __builtin_choose_expr( \
101670+ sizeof(t) > sizeof(int), \
101671+ (t) 0, \
101672+ __builtin_choose_expr(__type_is_unsigned(t), 0UL, 0L) \
101673+ )) a
101674 #define __SC_CAST(t, a) (t) a
101675 #define __SC_ARGS(t, a) a
101676 #define __SC_TEST(t, a) (void)BUILD_BUG_ON_ZERO(!__TYPE_IS_LL(t) && sizeof(t) > sizeof(long))
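Review bot: The inner branch of the new `__SC_LONG` is taken by every type no wider than `int`, which on 32-bit builds includes pointers, so `__type_is_unsigned(t)` (defined outside this hunk) has to be a valid constant expression for pointer types as well as integers. The macro also changes how narrow unsigned arguments widen, to `unsigned long` instead of `long`, and there is no comment recording that. I would add `/* widen by signedness; types wider than int keep their own type */` above it. It is also worth checking that `__SC_TEST`, which still classifies by `__TYPE_IS_LL`, agrees with the new rule.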
101677@@ -384,11 +389,11 @@ asmlinkage long sys_sync(void);
101678 asmlinkage long sys_fsync(unsigned int fd);
101679 asmlinkage long sys_fdatasync(unsigned int fd);
101680 asmlinkage long sys_bdflush(int func, long data);
101681-asmlinkage long sys_mount(char __user *dev_name, char __user *dir_name,
101682- char __user *type, unsigned long flags,
101683+asmlinkage long sys_mount(const char __user *dev_name, const char __user *dir_name,
101684+ const char __user *type, unsigned long flags,
101685 void __user *data);
101686-asmlinkage long sys_umount(char __user *name, int flags);
101687-asmlinkage long sys_oldumount(char __user *name);
101688+asmlinkage long sys_umount(const char __user *name, int flags);
101689+asmlinkage long sys_oldumount(const char __user *name);
101690 asmlinkage long sys_truncate(const char __user *path, long length);
101691 asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length);
101692 asmlinkage long sys_stat(const char __user *filename,
101693@@ -604,7 +609,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *);
101694 asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *);
101695 asmlinkage long sys_send(int, void __user *, size_t, unsigned);
101696 asmlinkage long sys_sendto(int, void __user *, size_t, unsigned,
101697- struct sockaddr __user *, int);
101698+ struct sockaddr __user *, int) __intentional_overflow(0);
101699 asmlinkage long sys_sendmsg(int fd, struct user_msghdr __user *msg, unsigned flags);
101700 asmlinkage long sys_sendmmsg(int fd, struct mmsghdr __user *msg,
101701 unsigned int vlen, unsigned flags);
101702@@ -663,10 +668,10 @@ asmlinkage long sys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf);
101703
101704 asmlinkage long sys_semget(key_t key, int nsems, int semflg);
101705 asmlinkage long sys_semop(int semid, struct sembuf __user *sops,
101706- unsigned nsops);
101707+ long nsops);
101708 asmlinkage long sys_semctl(int semid, int semnum, int cmd, unsigned long arg);
101709 asmlinkage long sys_semtimedop(int semid, struct sembuf __user *sops,
101710- unsigned nsops,
101711+ long nsops,
101712 const struct timespec __user *timeout);
101713 asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg);
101714 asmlinkage long sys_shmget(key_t key, size_t size, int flag);
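Review bot: `nsops` becomes a signed `long` in both `sys_semop()` and `sys_semtimedop()`, so a negative count is now representable where the old `unsigned` could not carry one. The definitions are not part of this hunk; whatever bound check they apply to `nsops` needs a lower bound as well as the upper one, and the `SYSCALL_DEFINE` argument types have to change in step or the prototype and definition disagree. A comment on the prototype noting that the value is validated as `>= 1` in the definition would document the intent.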
101715diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h
101716index 27b3b0b..e093dd9 100644
101717--- a/include/linux/syscore_ops.h
101718+++ b/include/linux/syscore_ops.h
101719@@ -16,7 +16,7 @@ struct syscore_ops {
101720 int (*suspend)(void);
101721 void (*resume)(void);
101722 void (*shutdown)(void);
101723-};
101724+} __do_const;
101725
101726 extern void register_syscore_ops(struct syscore_ops *ops);
101727 extern void unregister_syscore_ops(struct syscore_ops *ops);
101728diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
101729index fa7bc29..0d96561 100644
101730--- a/include/linux/sysctl.h
101731+++ b/include/linux/sysctl.h
101732@@ -39,10 +39,16 @@ typedef int proc_handler (struct ctl_table *ctl, int write,
101733
101734 extern int proc_dostring(struct ctl_table *, int,
101735 void __user *, size_t *, loff_t *);
101736+extern int proc_dostring_modpriv(struct ctl_table *, int,
101737+ void __user *, size_t *, loff_t *);
101738 extern int proc_dointvec(struct ctl_table *, int,
101739 void __user *, size_t *, loff_t *);
101740+extern int proc_dointvec_secure(struct ctl_table *, int,
101741+ void __user *, size_t *, loff_t *);
101742 extern int proc_dointvec_minmax(struct ctl_table *, int,
101743 void __user *, size_t *, loff_t *);
101744+extern int proc_dointvec_minmax_secure(struct ctl_table *, int,
101745+ void __user *, size_t *, loff_t *);
101746 extern int proc_dointvec_jiffies(struct ctl_table *, int,
101747 void __user *, size_t *, loff_t *);
101748 extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
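Review bot: `proc_dostring_modpriv()`, `proc_dointvec_secure()` and `proc_dointvec_minmax_secure()` are declared with the same signature as the handlers beside them, and the header does not say what extra check each one performs. A table author chooses the handler by name alone, so the difference should be stated where the choice is made. I would add a comment per prototype along the lines of `/* like proc_dointvec(), but writes additionally require <privilege; see definition> */`, filled in from the definitions, which are outside this hunk.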
101749@@ -113,7 +119,8 @@ struct ctl_table
101750 struct ctl_table_poll *poll;
101751 void *extra1;
101752 void *extra2;
101753-};
101754+} __do_const __randomize_layout;
101755+typedef struct ctl_table __no_const ctl_table_no_const;
101756
101757 struct ctl_node {
101758 struct rb_node node;
101759diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
101760index 9f65758..487a6f1 100644
101761--- a/include/linux/sysfs.h
101762+++ b/include/linux/sysfs.h
101763@@ -34,7 +34,8 @@ struct attribute {
101764 struct lock_class_key *key;
101765 struct lock_class_key skey;
101766 #endif
101767-};
101768+} __do_const;
101769+typedef struct attribute __no_const attribute_no_const;
101770
101771 /**
101772 * sysfs_attr_init - initialize a dynamically allocated sysfs attribute
101773@@ -78,7 +79,8 @@ struct attribute_group {
101774 struct attribute *, int);
101775 struct attribute **attrs;
101776 struct bin_attribute **bin_attrs;
101777-};
101778+} __do_const;
101779+typedef struct attribute_group __no_const attribute_group_no_const;
101780
101781 /**
101782 * Use these macros to make defining attributes easier. See include/linux/device.h
101783@@ -152,7 +154,8 @@ struct bin_attribute {
101784 char *, loff_t, size_t);
101785 int (*mmap)(struct file *, struct kobject *, struct bin_attribute *attr,
101786 struct vm_area_struct *vma);
101787-};
101788+} __do_const;
101789+typedef struct bin_attribute __no_const bin_attribute_no_const;
101790
101791 /**
101792 * sysfs_bin_attr_init - initialize a dynamically allocated bin_attribute
101793diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
101794index 387fa7d..3fcde6b 100644
101795--- a/include/linux/sysrq.h
101796+++ b/include/linux/sysrq.h
101797@@ -16,6 +16,7 @@
101798
101799 #include <linux/errno.h>
101800 #include <linux/types.h>
101801+#include <linux/compiler.h>
101802
101803 /* Possible values of bitmask for enabling sysrq functions */
101804 /* 0x0001 is reserved for enable everything */
101805@@ -33,7 +34,7 @@ struct sysrq_key_op {
101806 char *help_msg;
101807 char *action_msg;
101808 int enable_mask;
101809-};
101810+} __do_const;
101811
101812 #ifdef CONFIG_MAGIC_SYSRQ
101813
101814diff --git a/include/linux/tcp.h b/include/linux/tcp.h
101815index 48c3696..e7a7ba6 100644
101816--- a/include/linux/tcp.h
101817+++ b/include/linux/tcp.h
101818@@ -63,13 +63,13 @@ struct tcp_fastopen_cookie {
101819
101820 /* This defines a selective acknowledgement block. */
101821 struct tcp_sack_block_wire {
101822- __be32 start_seq;
101823- __be32 end_seq;
101824+ __be32 start_seq __intentional_overflow(-1);
101825+ __be32 end_seq __intentional_overflow(-1);
101826 };
101827
101828 struct tcp_sack_block {
101829- u32 start_seq;
101830- u32 end_seq;
101831+ u32 start_seq __intentional_overflow(-1);
101832+ u32 end_seq __intentional_overflow(-1);
101833 };
101834
101835 /*These are used to set the sack_ok field in struct tcp_options_received */
101836@@ -153,7 +153,7 @@ struct tcp_sock {
101837 * total number of segments in.
101838 */
101839 u32 rcv_nxt; /* What we want to receive next */
101840- u32 copied_seq; /* Head of yet unread data */
101841+ u32 copied_seq __intentional_overflow(-1); /* Head of yet unread data */
101842 u32 rcv_wup; /* rcv_nxt on last window update sent */
101843 u32 snd_nxt; /* Next sequence we send */
101844 u32 segs_out; /* RFC4898 tcpEStatsPerfSegsOut
101845@@ -248,7 +248,7 @@ struct tcp_sock {
101846 u32 prr_out; /* Total number of pkts sent during Recovery. */
101847
101848 u32 rcv_wnd; /* Current receiver window */
101849- u32 write_seq; /* Tail(+1) of data held in tcp send buffer */
101850+ u32 write_seq __intentional_overflow(-1); /* Tail(+1) of data held in tcp send buffer */
101851 u32 notsent_lowat; /* TCP_NOTSENT_LOWAT */
101852 u32 pushed_seq; /* Last pushed seq, required to talk to windows */
101853 u32 lost_out; /* Lost packets */
101854@@ -291,7 +291,7 @@ struct tcp_sock {
101855 int undo_retrans; /* number of undoable retransmissions. */
101856 u32 total_retrans; /* Total retransmits for entire connection */
101857
101858- u32 urg_seq; /* Seq of received urgent pointer */
101859+ u32 urg_seq __intentional_overflow(-1); /* Seq of received urgent pointer */
101860 unsigned int keepalive_time; /* time before keep alive takes place */
101861 unsigned int keepalive_intvl; /* time interval between keep alive probes */
101862
101863diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
101864index ff307b5..f1a4468 100644
101865--- a/include/linux/thread_info.h
101866+++ b/include/linux/thread_info.h
101867@@ -145,6 +145,13 @@ static inline bool test_and_clear_restore_sigmask(void)
101868 #error "no set_restore_sigmask() provided and default one won't work"
101869 #endif
101870
101871+extern void __check_object_size(const void *ptr, unsigned long n, bool to_user, bool const_size);
101872+
101873+static inline void check_object_size(const void *ptr, unsigned long n, bool to_user)
101874+{
101875+ __check_object_size(ptr, n, to_user, __builtin_constant_p(n));
101876+}
101877+
101878 #endif /* __KERNEL__ */
101879
101880 #endif /* _LINUX_THREAD_INFO_H */
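Review bot: `__builtin_constant_p(n)` is evaluated on a parameter of a plain `static inline` function, so it only yields true when the compiler actually inlines `check_object_size()` and propagates the constant. In an unoptimised build, or wherever the inline is declined, `const_size` is always false regardless of the call site. If `__check_object_size()` relies on that flag being accurate, declare the wrapper `static __always_inline void check_object_size(const void *ptr, unsigned long n, bool to_user)`. A short comment on what `to_user` and `const_size` mean to the checker would also help, since the wrapper is the only documented entry point.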
101881diff --git a/include/linux/tty.h b/include/linux/tty.h
101882index ad6c891..93a8f45 100644
101883--- a/include/linux/tty.h
101884+++ b/include/linux/tty.h
101885@@ -225,7 +225,7 @@ struct tty_port {
101886 const struct tty_port_operations *ops; /* Port operations */
101887 spinlock_t lock; /* Lock protecting tty field */
101888 int blocked_open; /* Waiting to open */
101889- int count; /* Usage count */
101890+ atomic_t count; /* Usage count */
101891 wait_queue_head_t open_wait; /* Open waiters */
101892 wait_queue_head_t close_wait; /* Close waiters */
101893 wait_queue_head_t delta_msr_wait; /* Modem status change */
101894@@ -313,7 +313,7 @@ struct tty_struct {
101895 /* If the tty has a pending do_SAK, queue it here - akpm */
101896 struct work_struct SAK_work;
101897 struct tty_port *port;
101898-};
101899+} __randomize_layout;
101900
101901 /* Each of a tty's open files has private_data pointing to tty_file_private */
101902 struct tty_file_private {
101903@@ -573,7 +573,7 @@ extern int tty_port_open(struct tty_port *port,
101904 struct tty_struct *tty, struct file *filp);
101905 static inline int tty_port_users(struct tty_port *port)
101906 {
101907- return port->count + port->blocked_open;
101908+ return atomic_read(&port->count) + port->blocked_open;
101909 }
101910
101911 extern int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc);
101912diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
101913index 92e337c..f46757b 100644
101914--- a/include/linux/tty_driver.h
101915+++ b/include/linux/tty_driver.h
101916@@ -291,7 +291,7 @@ struct tty_operations {
101917 void (*poll_put_char)(struct tty_driver *driver, int line, char ch);
101918 #endif
101919 const struct file_operations *proc_fops;
101920-};
101921+} __do_const __randomize_layout;
101922
101923 struct tty_driver {
101924 int magic; /* magic number for this structure */
101925@@ -325,7 +325,7 @@ struct tty_driver {
101926
101927 const struct tty_operations *ops;
101928 struct list_head tty_drivers;
101929-};
101930+} __randomize_layout;
101931
101932 extern struct list_head tty_drivers;
101933
101934diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h
101935index 00c9d68..bc0188b 100644
101936--- a/include/linux/tty_ldisc.h
101937+++ b/include/linux/tty_ldisc.h
101938@@ -215,7 +215,7 @@ struct tty_ldisc_ops {
101939
101940 struct module *owner;
101941
101942- int refcount;
101943+ atomic_t refcount;
101944 };
101945
101946 struct tty_ldisc {
101947diff --git a/include/linux/types.h b/include/linux/types.h
101948index 8715287..1be77ee 100644
101949--- a/include/linux/types.h
101950+++ b/include/linux/types.h
101951@@ -176,10 +176,26 @@ typedef struct {
101952 int counter;
101953 } atomic_t;
101954
101955+#ifdef CONFIG_PAX_REFCOUNT
101956+typedef struct {
101957+ int counter;
101958+} atomic_unchecked_t;
101959+#else
101960+typedef atomic_t atomic_unchecked_t;
101961+#endif
101962+
101963 #ifdef CONFIG_64BIT
101964 typedef struct {
101965 long counter;
101966 } atomic64_t;
101967+
101968+#ifdef CONFIG_PAX_REFCOUNT
101969+typedef struct {
101970+ long counter;
101971+} atomic64_unchecked_t;
101972+#else
101973+typedef atomic64_t atomic64_unchecked_t;
101974+#endif
101975 #endif
101976
101977 struct list_head {
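Review bot: With `CONFIG_PAX_REFCOUNT` disabled, `atomic_unchecked_t` and `atomic64_unchecked_t` are plain aliases of the checked types, so passing one where the other is expected compiles cleanly in that configuration and fails only when the option is on. Conversions elsewhere in the patch therefore need build coverage with the option enabled to catch mismatched accessors. The typedefs also carry no comment on when the unchecked type is appropriate. The uses in this patch suggest statistics and sequence counters that may wrap, so something like `/* for counters that may legitimately wrap; do not use for reference counts */` above the `#ifdef` would state the rule.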
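diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index ae572c1..73bd4ec 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -97,11 +97,11 @@ static inline unsigned long __copy_from_user_nocache(void *to,
 long ret; \
 mm_segment_t old_fs = get_fs(); \
 \
- set_fs(KERNEL_DS); \
 pagefault_disable(); \
- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
- pagefault_enable(); \
+ set_fs(KERNEL_DS); \
+ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
 set_fs(old_fs); \
+ pagefault_enable(); \
 ret; \
 })
 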
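Review bot: The reordering inside this macro body has no comment explaining why `set_fs(KERNEL_DS)` now sits inside the `pagefault_disable()`/`pagefault_enable()` pair instead of around it, so a later cleanup could easily put it back. The new order keeps the widened address limit in force only for the single `__copy_from_user_inatomic()` call and restores `old_fs` before page faults are re-enabled. A comment line such as `/* keep the KERNEL_DS window minimal: restore old_fs before pagefault_enable() */ \` ahead of `set_fs(KERNEL_DS)` would record that. The macro's opening lines are outside this hunk, so how `retval` and `addr` reach it is not visible here.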
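diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
index 0383552..a0125dd 100644
--- a/include/linux/uidgid.h
+++ b/include/linux/uidgid.h
@@ -187,4 +187,9 @@ static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid)
 
 #endif /* CONFIG_USER_NS */
 
+#define GR_GLOBAL_UID(x) from_kuid_munged(&init_user_ns, (x))
+#define GR_GLOBAL_GID(x) from_kgid_munged(&init_user_ns, (x))
+#define gr_is_global_root(x) uid_eq((x), GLOBAL_ROOT_UID)
+#define gr_is_global_nonroot(x) (!uid_eq((x), GLOBAL_ROOT_UID))
+
 #endif /* _LINUX_UIDGID_H */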
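Review bot: The two predicates `gr_is_global_root()` and `gr_is_global_nonroot()` are written as function-like macros, while the neighbouring helper named in the hunk header, `kgid_has_mapping()`, is a `static inline bool`. An inline function states the argument and return types in the signature and shows up by name in a debugger: `static inline bool gr_is_global_root(kuid_t uid) { return uid_eq(uid, GLOBAL_ROOT_UID); }`, with the non-root variant returning the negation. The four additions also mix upper-case (`GR_GLOBAL_UID`) and lower-case names and have no comment. A single line saying that they translate to, or test against, ids in `init_user_ns` regardless of the caller's namespace would help readers of the policy code.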
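diff --git a/include/linux/uio_driver.h b/include/linux/uio_driver.h
index 32c0e83..671eb35 100644
--- a/include/linux/uio_driver.h
+++ b/include/linux/uio_driver.h
@@ -67,7 +67,7 @@ struct uio_device {
 struct module *owner;
 struct device *dev;
 int minor;
- atomic_t event;
+ atomic_unchecked_t event;
 struct fasync_struct *async_queue;
 wait_queue_head_t wait;
 struct uio_info *info;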
102024diff --git a/include/linux/unaligned/access_ok.h b/include/linux/unaligned/access_ok.h
102025index 99c1b4d..562e6f3 100644
102026--- a/include/linux/unaligned/access_ok.h
102027+++ b/include/linux/unaligned/access_ok.h
102028@@ -4,34 +4,34 @@
102029 #include <linux/kernel.h>
102030 #include <asm/byteorder.h>
102031
102032-static inline u16 get_unaligned_le16(const void *p)
102033+static inline u16 __intentional_overflow(-1) get_unaligned_le16(const void *p)
102034 {
102035- return le16_to_cpup((__le16 *)p);
102036+ return le16_to_cpup((const __le16 *)p);
102037 }
102038
102039-static inline u32 get_unaligned_le32(const void *p)
102040+static inline u32 __intentional_overflow(-1) get_unaligned_le32(const void *p)
102041 {
102042- return le32_to_cpup((__le32 *)p);
102043+ return le32_to_cpup((const __le32 *)p);
102044 }
102045
102046-static inline u64 get_unaligned_le64(const void *p)
102047+static inline u64 __intentional_overflow(-1) get_unaligned_le64(const void *p)
102048 {
102049- return le64_to_cpup((__le64 *)p);
102050+ return le64_to_cpup((const __le64 *)p);
102051 }
102052
102053-static inline u16 get_unaligned_be16(const void *p)
102054+static inline u16 __intentional_overflow(-1) get_unaligned_be16(const void *p)
102055 {
102056- return be16_to_cpup((__be16 *)p);
102057+ return be16_to_cpup((const __be16 *)p);
102058 }
102059
102060-static inline u32 get_unaligned_be32(const void *p)
102061+static inline u32 __intentional_overflow(-1) get_unaligned_be32(const void *p)
102062 {
102063- return be32_to_cpup((__be32 *)p);
102064+ return be32_to_cpup((const __be32 *)p);
102065 }
102066
102067-static inline u64 get_unaligned_be64(const void *p)
102068+static inline u64 __intentional_overflow(-1) get_unaligned_be64(const void *p)
102069 {
102070- return be64_to_cpup((__be64 *)p);
102071+ return be64_to_cpup((const __be64 *)p);
102072 }
102073
102074 static inline void put_unaligned_le16(u16 val, void *p)
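diff --git a/include/linux/usb.h b/include/linux/usb.h
index 447fe29..1424a9a 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -363,7 +363,7 @@ struct usb_bus {
 * with the URB_SHORT_NOT_OK flag set.
 */
 unsigned no_sg_constraint:1; /* no sg constraint */
- unsigned sg_tablesize; /* 0 or largest number of sg list entries */
+ unsigned short sg_tablesize; /* 0 or largest number of sg list entries */
 
 int devnum_next; /* Next open device number in
 * round-robin allocation */
@@ -592,7 +592,7 @@ struct usb_device {
 int maxchild;
 
 u32 quirks;
- atomic_t urbnum;
+ atomic_unchecked_t urbnum;
 
 unsigned long active_duration;
 
@@ -1676,7 +1676,7 @@ void usb_buffer_unmap_sg(const struct usb_device *dev, int is_in,
 
 extern int usb_control_msg(struct usb_device *dev, unsigned int pipe,
 __u8 request, __u8 requesttype, __u16 value, __u16 index,
- void *data, __u16 size, int timeout);
+ void *data, __u16 size, int timeout) __intentional_overflow(-1);
 extern int usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe,
 void *data, int len, int *actual_length, int timeout);
 extern int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,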
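Review bot: Narrowing `sg_tablesize` in `struct usb_bus` from `unsigned` to `unsigned short` means any store of a value above 65535 is truncated silently, and the drivers that assign the field are not shown in this hunk. An all-ones "no limit" assignment still ends up as the maximum, but a computed entry count wider than 16 bits would wrap to a small number. I would extend the field comment to state the new bound, e.g. `/* 0 or largest number of sg list entries; at most USHRT_MAX */`, and check the assignments outside this file.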
102106diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
102107index c9aa779..46d6f69 100644
102108--- a/include/linux/usb/hcd.h
102109+++ b/include/linux/usb/hcd.h
102110@@ -23,6 +23,7 @@
102111
102112 #include <linux/rwsem.h>
102113 #include <linux/interrupt.h>
102114+#include <scsi/scsi_host.h>
102115
102116 #define MAX_TOPO_LEVEL 6
102117
102118diff --git a/include/linux/usb/renesas_usbhs.h b/include/linux/usb/renesas_usbhs.h
102119index 3dd5a78..ed69d7b 100644
102120--- a/include/linux/usb/renesas_usbhs.h
102121+++ b/include/linux/usb/renesas_usbhs.h
102122@@ -39,7 +39,7 @@ enum {
102123 */
102124 struct renesas_usbhs_driver_callback {
102125 int (*notify_hotplug)(struct platform_device *pdev);
102126-};
102127+} __no_const;
102128
102129 /*
102130 * callback functions for platform
102131diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
102132index 8297e5b..0dfae27 100644
102133--- a/include/linux/user_namespace.h
102134+++ b/include/linux/user_namespace.h
102135@@ -39,7 +39,7 @@ struct user_namespace {
102136 struct key *persistent_keyring_register;
102137 struct rw_semaphore persistent_keyring_register_sem;
102138 #endif
102139-};
102140+} __randomize_layout;
102141
102142 extern struct user_namespace init_user_ns;
102143
102144diff --git a/include/linux/utsname.h b/include/linux/utsname.h
102145index 5093f58..c103e58 100644
102146--- a/include/linux/utsname.h
102147+++ b/include/linux/utsname.h
102148@@ -25,7 +25,7 @@ struct uts_namespace {
102149 struct new_utsname name;
102150 struct user_namespace *user_ns;
102151 struct ns_common ns;
102152-};
102153+} __randomize_layout;
102154 extern struct uts_namespace init_uts_ns;
102155
102156 #ifdef CONFIG_UTS_NS
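diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
index 6f8fbcf..4efc177 100644
--- a/include/linux/vermagic.h
+++ b/include/linux/vermagic.h
@@ -25,9 +25,42 @@
 #define MODULE_ARCH_VERMAGIC ""
 #endif
 
+#ifdef CONFIG_PAX_REFCOUNT
+#define MODULE_PAX_REFCOUNT "REFCOUNT "
+#else
+#define MODULE_PAX_REFCOUNT ""
+#endif
+
+#ifdef CONSTIFY_PLUGIN
+#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
+#else
+#define MODULE_CONSTIFY_PLUGIN ""
+#endif
+
+#ifdef STACKLEAK_PLUGIN
+#define MODULE_STACKLEAK_PLUGIN "STACKLEAK_PLUGIN "
+#else
+#define MODULE_STACKLEAK_PLUGIN ""
+#endif
+
+#ifdef RANDSTRUCT_PLUGIN
+#include <generated/randomize_layout_hash.h>
+#define MODULE_RANDSTRUCT_PLUGIN "RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SEED
+#else
+#define MODULE_RANDSTRUCT_PLUGIN
+#endif
+
+#ifdef CONFIG_GRKERNSEC
+#define MODULE_GRSEC "GRSEC "
+#else
+#define MODULE_GRSEC ""
+#endif
+
 #define VERMAGIC_STRING \
 UTS_RELEASE " " \
 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
- MODULE_ARCH_VERMAGIC
+ MODULE_ARCH_VERMAGIC \
+ MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_STACKLEAK_PLUGIN \
+ MODULE_GRSEC MODULE_RANDSTRUCT_PLUGIN
 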
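Review bot: The `#else` branch `#define MODULE_RANDSTRUCT_PLUGIN` expands to nothing, while every other fallback added in this hunk (`MODULE_PAX_REFCOUNT`, `MODULE_CONSTIFY_PLUGIN`, `MODULE_STACKLEAK_PLUGIN`, `MODULE_GRSEC`) expands to `""`. It works today only because adjacent string literals concatenate inside `VERMAGIC_STRING`, and it would break if the macro were ever used on its own; `#define MODULE_RANDSTRUCT_PLUGIN ""` matches the rest. A short comment is also worthwhile on the RANDSTRUCT tag: it embeds `RANDSTRUCT_HASHED_SEED`, so a module built with a different layout seed is rejected by the vermagic comparison rather than loaded with mismatched structure offsets. Unlike the other tags it has no trailing space, so anything later appended after it would run into the hash.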
102205diff --git a/include/linux/vga_switcheroo.h b/include/linux/vga_switcheroo.h
102206index b483abd..af305ad 100644
102207--- a/include/linux/vga_switcheroo.h
102208+++ b/include/linux/vga_switcheroo.h
102209@@ -63,9 +63,9 @@ int vga_switcheroo_get_client_state(struct pci_dev *dev);
102210
102211 void vga_switcheroo_set_dynamic_switch(struct pci_dev *pdev, enum vga_switcheroo_state dynamic);
102212
102213-int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain);
102214+int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain);
102215 void vga_switcheroo_fini_domain_pm_ops(struct device *dev);
102216-int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain);
102217+int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain);
102218 #else
102219
102220 static inline void vga_switcheroo_unregister_client(struct pci_dev *dev) {}
102221@@ -82,9 +82,9 @@ static inline int vga_switcheroo_get_client_state(struct pci_dev *dev) { return
102222
102223 static inline void vga_switcheroo_set_dynamic_switch(struct pci_dev *pdev, enum vga_switcheroo_state dynamic) {}
102224
102225-static inline int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; }
102226+static inline int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain) { return -EINVAL; }
102227 static inline void vga_switcheroo_fini_domain_pm_ops(struct device *dev) {}
102228-static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; }
102229+static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain) { return -EINVAL; }
102230
102231 #endif
102232 #endif /* _LINUX_VGA_SWITCHEROO_H_ */
102233diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
102234index 0ec5983..d5888bb 100644
102235--- a/include/linux/vmalloc.h
102236+++ b/include/linux/vmalloc.h
102237@@ -18,6 +18,14 @@ struct vm_area_struct; /* vma defining user mapping in mm_types.h */
102238 #define VM_UNINITIALIZED 0x00000020 /* vm_struct is not fully initialized */
102239 #define VM_NO_GUARD 0x00000040 /* don't add guard page */
102240 #define VM_KASAN 0x00000080 /* has allocated kasan shadow memory */
102241+
102242+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
102243+#define VM_KERNEXEC 0x00000100 /* allocate from executable kernel memory range */
102244+#endif
102245+
102246+#define VM_USERCOPY 0x00000200 /* allocation intended for copies to userland */
102247+
102248+
102249 /* bits [20..32] reserved for arch specific ioremap internals */
102250
102251 /*
102252@@ -67,6 +75,7 @@ static inline void vmalloc_init(void)
102253 #endif
102254
102255 extern void *vmalloc(unsigned long size);
102256+extern void *vmalloc_usercopy(unsigned long size);
102257 extern void *vzalloc(unsigned long size);
102258 extern void *vmalloc_user(unsigned long size);
102259 extern void *vmalloc_node(unsigned long size, int node);
102260@@ -86,6 +95,10 @@ extern void *vmap(struct page **pages, unsigned int count,
102261 unsigned long flags, pgprot_t prot);
102262 extern void vunmap(const void *addr);
102263
102264+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
102265+extern void unmap_process_stacks(struct task_struct *task);
102266+#endif
102267+
102268 extern int remap_vmalloc_range_partial(struct vm_area_struct *vma,
102269 unsigned long uaddr, void *kaddr,
102270 unsigned long size);
102271@@ -150,7 +163,7 @@ extern void free_vm_area(struct vm_struct *area);
102272
102273 /* for /dev/kmem */
102274 extern long vread(char *buf, char *addr, unsigned long count);
102275-extern long vwrite(char *buf, char *addr, unsigned long count);
102276+extern long vwrite(char *buf, char *addr, unsigned long count) __size_overflow(3);
102277
102278 /*
102279 * Internals. Dont't use..
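Review bot: `vmalloc_usercopy()` is declared directly above the existing `vmalloc_user()` with no comment, and the two names are easy to confuse at a call site. A one-line comment on the prototype would help, for example `/* vmalloc() whose area is tagged VM_USERCOPY, for buffers copied to/from userland */`; this wording is inferred from the flag's own comment because the definition is outside this hunk. Two smaller points in the first hunk: `VM_KERNEXEC` exists only when both CONFIG_X86 and CONFIG_PAX_KERNEXEC are set, so every user has to repeat that guard, and the addition leaves two consecutive blank lines before the "bits [20..32]" comment.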
102280diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h
102281index 82e7db7..f8ce3d0 100644
102282--- a/include/linux/vmstat.h
102283+++ b/include/linux/vmstat.h
102284@@ -108,18 +108,18 @@ static inline void vm_events_fold_cpu(int cpu)
102285 /*
102286 * Zone based page accounting with per cpu differentials.
102287 */
102288-extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
102289+extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
102290
102291 static inline void zone_page_state_add(long x, struct zone *zone,
102292 enum zone_stat_item item)
102293 {
102294- atomic_long_add(x, &zone->vm_stat[item]);
102295- atomic_long_add(x, &vm_stat[item]);
102296+ atomic_long_add_unchecked(x, &zone->vm_stat[item]);
102297+ atomic_long_add_unchecked(x, &vm_stat[item]);
102298 }
102299
102300-static inline unsigned long global_page_state(enum zone_stat_item item)
102301+static inline unsigned long __intentional_overflow(-1) global_page_state(enum zone_stat_item item)
102302 {
102303- long x = atomic_long_read(&vm_stat[item]);
102304+ long x = atomic_long_read_unchecked(&vm_stat[item]);
102305 #ifdef CONFIG_SMP
102306 if (x < 0)
102307 x = 0;
102308@@ -127,10 +127,10 @@ static inline unsigned long global_page_state(enum zone_stat_item item)
102309 return x;
102310 }
102311
102312-static inline unsigned long zone_page_state(struct zone *zone,
102313+static inline unsigned long __intentional_overflow(-1) zone_page_state(struct zone *zone,
102314 enum zone_stat_item item)
102315 {
102316- long x = atomic_long_read(&zone->vm_stat[item]);
102317+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
102318 #ifdef CONFIG_SMP
102319 if (x < 0)
102320 x = 0;
102321@@ -147,7 +147,7 @@ static inline unsigned long zone_page_state(struct zone *zone,
102322 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
102323 enum zone_stat_item item)
102324 {
102325- long x = atomic_long_read(&zone->vm_stat[item]);
102326+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
102327
102328 #ifdef CONFIG_SMP
102329 int cpu;
102330@@ -234,14 +234,14 @@ static inline void __mod_zone_page_state(struct zone *zone,
102331
102332 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
102333 {
102334- atomic_long_inc(&zone->vm_stat[item]);
102335- atomic_long_inc(&vm_stat[item]);
102336+ atomic_long_inc_unchecked(&zone->vm_stat[item]);
102337+ atomic_long_inc_unchecked(&vm_stat[item]);
102338 }
102339
102340 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
102341 {
102342- atomic_long_dec(&zone->vm_stat[item]);
102343- atomic_long_dec(&vm_stat[item]);
102344+ atomic_long_dec_unchecked(&zone->vm_stat[item]);
102345+ atomic_long_dec_unchecked(&vm_stat[item]);
102346 }
102347
102348 static inline void __inc_zone_page_state(struct page *page,
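Review bot: `zone_page_state_snapshot()` is switched to `atomic_long_read_unchecked()`, but unlike `global_page_state()` and `zone_page_state()` in the same file its signature does not gain `__intentional_overflow(-1)`. All three return a `long` accumulator as `unsigned long`, so if the annotation is needed on the first two it is probably needed here too: `static inline unsigned long __intentional_overflow(-1) zone_page_state_snapshot(struct zone *zone,`. If the omission is deliberate, a short comment on the function should say why. The body of `zone_page_state_snapshot()` continues past the hunk, so its per-cpu loop is not visible here.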
102349diff --git a/include/linux/xattr.h b/include/linux/xattr.h
102350index 91b0a68..0e9adf6 100644
102351--- a/include/linux/xattr.h
102352+++ b/include/linux/xattr.h
102353@@ -28,7 +28,7 @@ struct xattr_handler {
102354 size_t size, int handler_flags);
102355 int (*set)(struct dentry *dentry, const char *name, const void *buffer,
102356 size_t size, int flags, int handler_flags);
102357-};
102358+} __do_const;
102359
102360 struct xattr {
102361 const char *name;
102362@@ -37,6 +37,9 @@ struct xattr {
102363 };
102364
102365 ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t);
102366+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
102367+ssize_t pax_getxattr(struct dentry *, void *, size_t);
102368+#endif
102369 ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);
102370 ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
102371 int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int);
102372diff --git a/include/linux/zlib.h b/include/linux/zlib.h
102373index 92dbbd3..13ab0b3 100644
102374--- a/include/linux/zlib.h
102375+++ b/include/linux/zlib.h
102376@@ -31,6 +31,7 @@
102377 #define _ZLIB_H
102378
102379 #include <linux/zconf.h>
102380+#include <linux/compiler.h>
102381
102382 /* zlib deflate based on ZLIB_VERSION "1.1.3" */
102383 /* zlib inflate based on ZLIB_VERSION "1.2.3" */
102384@@ -179,7 +180,7 @@ typedef z_stream *z_streamp;
102385
102386 /* basic functions */
102387
102388-extern int zlib_deflate_workspacesize (int windowBits, int memLevel);
102389+extern int zlib_deflate_workspacesize (int windowBits, int memLevel) __intentional_overflow(0);
102390 /*
102391 Returns the number of bytes that needs to be allocated for a per-
102392 stream workspace with the specified parameters. A pointer to this
102393diff --git a/include/media/v4l2-dev.h b/include/media/v4l2-dev.h
102394index acbcd2f..c3abe84 100644
102395--- a/include/media/v4l2-dev.h
102396+++ b/include/media/v4l2-dev.h
102397@@ -74,7 +74,7 @@ struct v4l2_file_operations {
102398 int (*mmap) (struct file *, struct vm_area_struct *);
102399 int (*open) (struct file *);
102400 int (*release) (struct file *);
102401-};
102402+} __do_const;
102403
102404 /*
102405 * Newer version of video_device, handled by videodev2.c
102406diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h
102407index 9c58157..d86ebf5 100644
102408--- a/include/media/v4l2-device.h
102409+++ b/include/media/v4l2-device.h
102410@@ -93,7 +93,7 @@ int __must_check v4l2_device_register(struct device *dev, struct v4l2_device *v4
102411 this function returns 0. If the name ends with a digit (e.g. cx18),
102412 then the name will be set to cx18-0 since cx180 looks really odd. */
102413 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
102414- atomic_t *instance);
102415+ atomic_unchecked_t *instance);
102416
102417 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
102418 Since the parent disappears this ensures that v4l2_dev doesn't have an
102419diff --git a/include/net/9p/transport.h b/include/net/9p/transport.h
102420index 5122b5e..598b440 100644
102421--- a/include/net/9p/transport.h
102422+++ b/include/net/9p/transport.h
102423@@ -62,7 +62,7 @@ struct p9_trans_module {
102424 int (*cancelled)(struct p9_client *, struct p9_req_t *req);
102425 int (*zc_request)(struct p9_client *, struct p9_req_t *,
102426 struct iov_iter *, struct iov_iter *, int , int, int);
102427-};
102428+} __do_const;
102429
102430 void v9fs_register_trans(struct p9_trans_module *m);
102431 void v9fs_unregister_trans(struct p9_trans_module *m);
102432diff --git a/include/net/af_unix.h b/include/net/af_unix.h
102433index 4a167b3..73dcbb3 100644
102434--- a/include/net/af_unix.h
102435+++ b/include/net/af_unix.h
102436@@ -36,7 +36,7 @@ struct unix_skb_parms {
102437 u32 secid; /* Security ID */
102438 #endif
102439 u32 consumed;
102440-};
102441+} __randomize_layout;
102442
102443 #define UNIXCB(skb) (*(struct unix_skb_parms *)&((skb)->cb))
102444
102445diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
102446index 2239a37..a83461f 100644
102447--- a/include/net/bluetooth/l2cap.h
102448+++ b/include/net/bluetooth/l2cap.h
102449@@ -609,7 +609,7 @@ struct l2cap_ops {
102450 struct sk_buff *(*alloc_skb) (struct l2cap_chan *chan,
102451 unsigned long hdr_len,
102452 unsigned long len, int nb);
102453-};
102454+} __do_const;
102455
102456 struct l2cap_conn {
102457 struct hci_conn *hcon;
102458diff --git a/include/net/bonding.h b/include/net/bonding.h
102459index 20defc0..3072903 100644
102460--- a/include/net/bonding.h
102461+++ b/include/net/bonding.h
102462@@ -661,7 +661,7 @@ extern struct rtnl_link_ops bond_link_ops;
102463
102464 static inline void bond_tx_drop(struct net_device *dev, struct sk_buff *skb)
102465 {
102466- atomic_long_inc(&dev->tx_dropped);
102467+ atomic_long_inc_unchecked(&dev->tx_dropped);
102468 dev_kfree_skb_any(skb);
102469 }
102470
102471diff --git a/include/net/caif/cfctrl.h b/include/net/caif/cfctrl.h
102472index f2ae33d..c457cf0 100644
102473--- a/include/net/caif/cfctrl.h
102474+++ b/include/net/caif/cfctrl.h
102475@@ -52,7 +52,7 @@ struct cfctrl_rsp {
102476 void (*radioset_rsp)(void);
102477 void (*reject_rsp)(struct cflayer *layer, u8 linkid,
102478 struct cflayer *client_layer);
102479-};
102480+} __no_const;
102481
102482 /* Link Setup Parameters for CAIF-Links. */
102483 struct cfctrl_link_param {
102484@@ -101,8 +101,8 @@ struct cfctrl_request_info {
102485 struct cfctrl {
102486 struct cfsrvl serv;
102487 struct cfctrl_rsp res;
102488- atomic_t req_seq_no;
102489- atomic_t rsp_seq_no;
102490+ atomic_unchecked_t req_seq_no;
102491+ atomic_unchecked_t rsp_seq_no;
102492 struct list_head list;
102493 /* Protects from simultaneous access to first_req list */
102494 spinlock_t info_list_lock;
102495diff --git a/include/net/flow.h b/include/net/flow.h
102496index 8109a15..504466d 100644
102497--- a/include/net/flow.h
102498+++ b/include/net/flow.h
102499@@ -231,6 +231,6 @@ void flow_cache_fini(struct net *net);
102500
102501 void flow_cache_flush(struct net *net);
102502 void flow_cache_flush_deferred(struct net *net);
102503-extern atomic_t flow_cache_genid;
102504+extern atomic_unchecked_t flow_cache_genid;
102505
102506 #endif
102507diff --git a/include/net/genetlink.h b/include/net/genetlink.h
102508index a9af1cc..1f3fa7b 100644
102509--- a/include/net/genetlink.h
102510+++ b/include/net/genetlink.h
102511@@ -128,7 +128,7 @@ struct genl_ops {
102512 u8 cmd;
102513 u8 internal_flags;
102514 u8 flags;
102515-};
102516+} __do_const;
102517
102518 int __genl_register_family(struct genl_family *family);
102519
102520diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
102521index 0f712c0..cd762c4 100644
102522--- a/include/net/gro_cells.h
102523+++ b/include/net/gro_cells.h
102524@@ -27,7 +27,7 @@ static inline void gro_cells_receive(struct gro_cells *gcells, struct sk_buff *s
102525 cell = this_cpu_ptr(gcells->cells);
102526
102527 if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
102528- atomic_long_inc(&dev->rx_dropped);
102529+ atomic_long_inc_unchecked(&dev->rx_dropped);
102530 kfree_skb(skb);
102531 return;
102532 }
102533diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
102534index 0320bbb..938789c 100644
102535--- a/include/net/inet_connection_sock.h
102536+++ b/include/net/inet_connection_sock.h
102537@@ -63,7 +63,7 @@ struct inet_connection_sock_af_ops {
102538 int (*bind_conflict)(const struct sock *sk,
102539 const struct inet_bind_bucket *tb, bool relax);
102540 void (*mtu_reduced)(struct sock *sk);
102541-};
102542+} __do_const;
102543
102544 /** inet_connection_sock - INET connection oriented sock
102545 *
102546diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
102547index 47eb67b..0e733b2 100644
102548--- a/include/net/inet_sock.h
102549+++ b/include/net/inet_sock.h
102550@@ -43,7 +43,7 @@
102551 struct ip_options {
102552 __be32 faddr;
102553 __be32 nexthop;
102554- unsigned char optlen;
102555+ unsigned char optlen __intentional_overflow(0);
102556 unsigned char srr;
102557 unsigned char rr;
102558 unsigned char ts;
102559diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
102560index d5332dd..10a5c3c 100644
102561--- a/include/net/inetpeer.h
102562+++ b/include/net/inetpeer.h
102563@@ -48,7 +48,7 @@ struct inet_peer {
102564 */
102565 union {
102566 struct {
102567- atomic_t rid; /* Frag reception counter */
102568+ atomic_unchecked_t rid; /* Frag reception counter */
102569 };
102570 struct rcu_head rcu;
102571 struct inet_peer *gc_next;
102572diff --git a/include/net/ip.h b/include/net/ip.h
102573index d5fe9f2..8da10ed 100644
102574--- a/include/net/ip.h
102575+++ b/include/net/ip.h
102576@@ -319,7 +319,7 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
102577 }
102578 }
102579
102580-u32 ip_idents_reserve(u32 hash, int segs);
102581+u32 ip_idents_reserve(u32 hash, int segs) __intentional_overflow(-1);
102582 void __ip_select_ident(struct net *net, struct iphdr *iph, int segs);
102583
102584 static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
102585diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
102586index 5fa643b..d871e20 100644
102587--- a/include/net/ip_fib.h
102588+++ b/include/net/ip_fib.h
102589@@ -170,7 +170,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh);
102590
102591 #define FIB_RES_SADDR(net, res) \
102592 ((FIB_RES_NH(res).nh_saddr_genid == \
102593- atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
102594+ atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
102595 FIB_RES_NH(res).nh_saddr : \
102596 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
102597 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
102598diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
102599index 4e3731e..a242e28 100644
102600--- a/include/net/ip_vs.h
102601+++ b/include/net/ip_vs.h
102602@@ -551,7 +551,7 @@ struct ip_vs_conn {
102603 struct ip_vs_conn *control; /* Master control connection */
102604 atomic_t n_control; /* Number of controlled ones */
102605 struct ip_vs_dest *dest; /* real server */
102606- atomic_t in_pkts; /* incoming packet counter */
102607+ atomic_unchecked_t in_pkts; /* incoming packet counter */
102608
102609 /* Packet transmitter for different forwarding methods. If it
102610 * mangles the packet, it must return NF_DROP or better NF_STOLEN,
102611@@ -699,7 +699,7 @@ struct ip_vs_dest {
102612 __be16 port; /* port number of the server */
102613 union nf_inet_addr addr; /* IP address of the server */
102614 volatile unsigned int flags; /* dest status flags */
102615- atomic_t conn_flags; /* flags to copy to conn */
102616+ atomic_unchecked_t conn_flags; /* flags to copy to conn */
102617 atomic_t weight; /* server weight */
102618
102619 atomic_t refcnt; /* reference counter */
102620@@ -946,11 +946,11 @@ struct netns_ipvs {
102621 /* ip_vs_lblc */
102622 int sysctl_lblc_expiration;
102623 struct ctl_table_header *lblc_ctl_header;
102624- struct ctl_table *lblc_ctl_table;
102625+ ctl_table_no_const *lblc_ctl_table;
102626 /* ip_vs_lblcr */
102627 int sysctl_lblcr_expiration;
102628 struct ctl_table_header *lblcr_ctl_header;
102629- struct ctl_table *lblcr_ctl_table;
102630+ ctl_table_no_const *lblcr_ctl_table;
102631 /* ip_vs_est */
102632 struct list_head est_list; /* estimator list */
102633 spinlock_t est_lock;
102634diff --git a/include/net/irda/ircomm_tty.h b/include/net/irda/ircomm_tty.h
102635index 8d4f588..2e37ad2 100644
102636--- a/include/net/irda/ircomm_tty.h
102637+++ b/include/net/irda/ircomm_tty.h
102638@@ -33,6 +33,7 @@
102639 #include <linux/termios.h>
102640 #include <linux/timer.h>
102641 #include <linux/tty.h> /* struct tty_struct */
102642+#include <asm/local.h>
102643
102644 #include <net/irda/irias_object.h>
102645 #include <net/irda/ircomm_core.h>
102646diff --git a/include/net/iucv/af_iucv.h b/include/net/iucv/af_iucv.h
102647index 714cc9a..ea05f3e 100644
102648--- a/include/net/iucv/af_iucv.h
102649+++ b/include/net/iucv/af_iucv.h
102650@@ -149,7 +149,7 @@ struct iucv_skb_cb {
102651 struct iucv_sock_list {
102652 struct hlist_head head;
102653 rwlock_t lock;
102654- atomic_t autobind_name;
102655+ atomic_unchecked_t autobind_name;
102656 };
102657
102658 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
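diff --git a/include/net/llc_c_ac.h b/include/net/llc_c_ac.h
index f3be818..bf46196 100644
--- a/include/net/llc_c_ac.h
+++ b/include/net/llc_c_ac.h
@@ -87,7 +87,7 @@
 #define LLC_CONN_AC_STOP_SENDACK_TMR 70
 #define LLC_CONN_AC_START_SENDACK_TMR_IF_NOT_RUNNING 71
 
-typedef int (*llc_conn_action_t)(struct sock *sk, struct sk_buff *skb);
+typedef int (* const llc_conn_action_t)(struct sock *sk, struct sk_buff *skb);
 
 int llc_conn_ac_clear_remote_busy(struct sock *sk, struct sk_buff *skb);
 int llc_conn_ac_conn_ind(struct sock *sk, struct sk_buff *skb);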
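Review bot: Putting `const` inside the `llc_conn_action_t` typedef makes every object of that type read-only, locals and struct members included, and nothing in the header says so. A user who declares `llc_conn_action_t fn;` and assigns to it later gets a compile error whose cause is hidden in the typedef. The same change is made to `llc_conn_ev_t` and `llc_conn_ev_qfyr_t` in llc_c_ev.h and to `llc_sap_action_t` in llc_s_ac.h. Existing declarations such as `const llc_conn_action_t *ev_actions;` in llc_c_st.h now carry a second, redundant `const`. I would add a comment above each typedef, e.g. `/* const-qualified: action tables are meant to live in read-only memory */`; that rationale is inferred from the `__do_const` markings on the state-transition structs and should be confirmed.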
102672diff --git a/include/net/llc_c_ev.h b/include/net/llc_c_ev.h
102673index 3948cf1..83b28c4 100644
102674--- a/include/net/llc_c_ev.h
102675+++ b/include/net/llc_c_ev.h
102676@@ -125,8 +125,8 @@ static __inline__ struct llc_conn_state_ev *llc_conn_ev(struct sk_buff *skb)
102677 return (struct llc_conn_state_ev *)skb->cb;
102678 }
102679
102680-typedef int (*llc_conn_ev_t)(struct sock *sk, struct sk_buff *skb);
102681-typedef int (*llc_conn_ev_qfyr_t)(struct sock *sk, struct sk_buff *skb);
102682+typedef int (* const llc_conn_ev_t)(struct sock *sk, struct sk_buff *skb);
102683+typedef int (* const llc_conn_ev_qfyr_t)(struct sock *sk, struct sk_buff *skb);
102684
102685 int llc_conn_ev_conn_req(struct sock *sk, struct sk_buff *skb);
102686 int llc_conn_ev_data_req(struct sock *sk, struct sk_buff *skb);
102687diff --git a/include/net/llc_c_st.h b/include/net/llc_c_st.h
102688index 48f3f89..0e92c50 100644
102689--- a/include/net/llc_c_st.h
102690+++ b/include/net/llc_c_st.h
102691@@ -37,7 +37,7 @@ struct llc_conn_state_trans {
102692 u8 next_state;
102693 const llc_conn_ev_qfyr_t *ev_qualifiers;
102694 const llc_conn_action_t *ev_actions;
102695-};
102696+} __do_const;
102697
102698 struct llc_conn_state {
102699 u8 current_state;
102700diff --git a/include/net/llc_s_ac.h b/include/net/llc_s_ac.h
102701index a61b98c..aade1eb 100644
102702--- a/include/net/llc_s_ac.h
102703+++ b/include/net/llc_s_ac.h
102704@@ -23,7 +23,7 @@
102705 #define SAP_ACT_TEST_IND 9
102706
102707 /* All action functions must look like this */
102708-typedef int (*llc_sap_action_t)(struct llc_sap *sap, struct sk_buff *skb);
102709+typedef int (* const llc_sap_action_t)(struct llc_sap *sap, struct sk_buff *skb);
102710
102711 int llc_sap_action_unitdata_ind(struct llc_sap *sap, struct sk_buff *skb);
102712 int llc_sap_action_send_ui(struct llc_sap *sap, struct sk_buff *skb);
102713diff --git a/include/net/llc_s_st.h b/include/net/llc_s_st.h
102714index c4359e2..76dbc4a 100644
102715--- a/include/net/llc_s_st.h
102716+++ b/include/net/llc_s_st.h
102717@@ -20,7 +20,7 @@ struct llc_sap_state_trans {
102718 llc_sap_ev_t ev;
102719 u8 next_state;
102720 const llc_sap_action_t *ev_actions;
102721-};
102722+} __do_const;
102723
102724 struct llc_sap_state {
102725 u8 curr_state;
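diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 6b1077c..7b72f67 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -5106,7 +5106,7 @@ struct ieee80211_tx_rate_control {
 struct sk_buff *skb;
 struct ieee80211_tx_rate reported_rate;
 bool rts, short_preamble;
- u8 max_rate_idx;
+ s8 max_rate_idx;
 u32 rate_idx_mask;
 u8 *rate_idx_mcs_mask;
 bool bss;
@@ -5143,7 +5143,7 @@ struct rate_control_ops {
 void (*remove_sta_debugfs)(void *priv, void *priv_sta);
 
 u32 (*get_expected_throughput)(void *priv_sta);
-};
+} __do_const;
 
 static inline int rate_supported(struct ieee80211_sta *sta,
 enum ieee80211_band band,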
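Review bot: Changing `max_rate_idx` in `struct ieee80211_tx_rate_control` from `u8` to `s8` lowers the largest index the field can hold from 255 to 127 and gives negative values a meaning, but the field has no comment saying what that meaning is. If a negative value is a "no limit" sentinel, as the signedness change suggests, the declaration should say so: `s8 max_rate_idx; /* < 0: no upper limit */`. That wording needs confirming against the users, which are outside this hunk. Any remaining comparison of the field against an unsigned operand will convert a negative index to a large positive value, so those sites need checking as well.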
102748diff --git a/include/net/neighbour.h b/include/net/neighbour.h
102749index bd33e66..6508d00 100644
102750--- a/include/net/neighbour.h
102751+++ b/include/net/neighbour.h
102752@@ -162,7 +162,7 @@ struct neigh_ops {
102753 void (*error_report)(struct neighbour *, struct sk_buff *);
102754 int (*output)(struct neighbour *, struct sk_buff *);
102755 int (*connected_output)(struct neighbour *, struct sk_buff *);
102756-};
102757+} __do_const;
102758
102759 struct pneigh_entry {
102760 struct pneigh_entry *next;
102761@@ -216,7 +216,7 @@ struct neigh_table {
102762 struct neigh_statistics __percpu *stats;
102763 struct neigh_hash_table __rcu *nht;
102764 struct pneigh_entry **phash_buckets;
102765-};
102766+} __randomize_layout;
102767
102768 enum {
102769 NEIGH_ARP_TABLE = 0,
102770diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
102771index e951453..0685f5b 100644
102772--- a/include/net/net_namespace.h
102773+++ b/include/net/net_namespace.h
102774@@ -53,7 +53,7 @@ struct net {
102775 */
102776 spinlock_t rules_mod_lock;
102777
102778- atomic64_t cookie_gen;
102779+ atomic64_unchecked_t cookie_gen;
102780
102781 struct list_head list; /* list of network namespaces */
102782 struct list_head cleanup_list; /* namespaces on death row */
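Review bot: `cookie_gen` in `struct net` moves to `atomic64_unchecked_t` with no comment recording why overflow checking is safe to drop for it. As used in this patch set, the `_unchecked` types opt a counter out of the overflow detection applied to the regular atomics, so each conversion should be limited to values where wrapping is harmless and that never govern object lifetime. The names suggest generation and statistics counters, but their users are outside these hunks. The same applies to `fnhe_genid` and the `rt_genid`/`fnhe_genid` helpers later in this file, the `*_genid` and `fib6_sernum` fields in `netns/ipv4.h`, `netns/ipv6.h` and `netns/xfrm.h`, `skc_cookie` and `sk_drops` in `sock.h`, `genid` in `xfrm.h`, the three `io*_cnt` fields in `scsi_device.h` and `dev_ordered_id` in `target_core_base.h`. A short field comment such as `/* generation counter, wraps by design */` would make each choice reviewable.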
102783@@ -135,8 +135,8 @@ struct net {
102784 struct netns_mpls mpls;
102785 #endif
102786 struct sock *diag_nlsk;
102787- atomic_t fnhe_genid;
102788-};
102789+ atomic_unchecked_t fnhe_genid;
102790+} __randomize_layout;
102791
102792 #include <linux/seq_file_net.h>
102793
102794@@ -271,7 +271,11 @@ static inline struct net *read_pnet(const possible_net_t *pnet)
102795 #define __net_init __init
102796 #define __net_exit __exit_refok
102797 #define __net_initdata __initdata
102798+#ifdef CONSTIFY_PLUGIN
102799 #define __net_initconst __initconst
102800+#else
102801+#define __net_initconst __initdata
102802+#endif
102803 #endif
102804
102805 int peernet2id_alloc(struct net *net, struct net *peer);
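Review bot: The new `#ifdef CONSTIFY_PLUGIN` fallback for `__net_initconst` has no comment explaining why the macro maps to `__initdata` when the plugin is absent. Presumably objects tagged `__net_initconst` are only const once the plugin constifies them, and non-const objects in the const init section would cause a section conflict; that reasoning is not visible in the hunk. I would add `/* without the constify plugin these objects are not const, keep them in .init.data */` above the `#else`. The enclosing `#ifdef`/`#else` block starts outside the hunk.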
102806@@ -286,7 +290,7 @@ struct pernet_operations {
102807 void (*exit_batch)(struct list_head *net_exit_list);
102808 int *id;
102809 size_t size;
102810-};
102811+} __do_const;
102812
102813 /*
102814 * Use these carefully. If you implement a network device and it
102815@@ -334,12 +338,12 @@ static inline void unregister_net_sysctl_table(struct ctl_table_header *header)
102816
102817 static inline int rt_genid_ipv4(struct net *net)
102818 {
102819- return atomic_read(&net->ipv4.rt_genid);
102820+ return atomic_read_unchecked(&net->ipv4.rt_genid);
102821 }
102822
102823 static inline void rt_genid_bump_ipv4(struct net *net)
102824 {
102825- atomic_inc(&net->ipv4.rt_genid);
102826+ atomic_inc_unchecked(&net->ipv4.rt_genid);
102827 }
102828
102829 extern void (*__fib6_flush_trees)(struct net *net);
102830@@ -366,12 +370,12 @@ static inline void rt_genid_bump_all(struct net *net)
102831
102832 static inline int fnhe_genid(struct net *net)
102833 {
102834- return atomic_read(&net->fnhe_genid);
102835+ return atomic_read_unchecked(&net->fnhe_genid);
102836 }
102837
102838 static inline void fnhe_genid_bump(struct net *net)
102839 {
102840- atomic_inc(&net->fnhe_genid);
102841+ atomic_inc_unchecked(&net->fnhe_genid);
102842 }
102843
102844 #endif /* __NET_NET_NAMESPACE_H */
102845diff --git a/include/net/netlink.h b/include/net/netlink.h
102846index 2a5dbcc..8243656 100644
102847--- a/include/net/netlink.h
102848+++ b/include/net/netlink.h
102849@@ -521,7 +521,7 @@ static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
102850 {
102851 if (mark) {
102852 WARN_ON((unsigned char *) mark < skb->data);
102853- skb_trim(skb, (unsigned char *) mark - skb->data);
102854+ skb_trim(skb, (const unsigned char *) mark - skb->data);
102855 }
102856 }
102857
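Review bot: Only the `skb_trim()` argument in `nlmsg_trim()` gets the `const` cast, while the `WARN_ON` one line above still casts `mark` to a non-const `unsigned char *`. The function therefore still discards the qualifier of its `const void *mark` parameter once. For consistency the check should read `WARN_ON((const unsigned char *) mark < skb->data);`.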
102858diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
102859index 723b61c..4386367 100644
102860--- a/include/net/netns/conntrack.h
102861+++ b/include/net/netns/conntrack.h
102862@@ -14,10 +14,10 @@ struct nf_conntrack_ecache;
102863 struct nf_proto_net {
102864 #ifdef CONFIG_SYSCTL
102865 struct ctl_table_header *ctl_table_header;
102866- struct ctl_table *ctl_table;
102867+ ctl_table_no_const *ctl_table;
102868 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
102869 struct ctl_table_header *ctl_compat_header;
102870- struct ctl_table *ctl_compat_table;
102871+ ctl_table_no_const *ctl_compat_table;
102872 #endif
102873 #endif
102874 unsigned int users;
102875@@ -60,7 +60,7 @@ struct nf_ip_net {
102876 struct nf_icmp_net icmpv6;
102877 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
102878 struct ctl_table_header *ctl_table_header;
102879- struct ctl_table *ctl_table;
102880+ ctl_table_no_const *ctl_table;
102881 #endif
102882 };
102883
102884diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
102885index c68926b..106c147 100644
102886--- a/include/net/netns/ipv4.h
102887+++ b/include/net/netns/ipv4.h
102888@@ -93,7 +93,7 @@ struct netns_ipv4 {
102889
102890 struct ping_group_range ping_group_range;
102891
102892- atomic_t dev_addr_genid;
102893+ atomic_unchecked_t dev_addr_genid;
102894
102895 #ifdef CONFIG_SYSCTL
102896 unsigned long *sysctl_local_reserved_ports;
102897@@ -107,6 +107,6 @@ struct netns_ipv4 {
102898 struct fib_rules_ops *mr_rules_ops;
102899 #endif
102900 #endif
102901- atomic_t rt_genid;
102902+ atomic_unchecked_t rt_genid;
102903 };
102904 #endif
102905diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
102906index 8d93544..05c3e89 100644
102907--- a/include/net/netns/ipv6.h
102908+++ b/include/net/netns/ipv6.h
102909@@ -79,8 +79,8 @@ struct netns_ipv6 {
102910 struct fib_rules_ops *mr6_rules_ops;
102911 #endif
102912 #endif
102913- atomic_t dev_addr_genid;
102914- atomic_t fib6_sernum;
102915+ atomic_unchecked_t dev_addr_genid;
102916+ atomic_unchecked_t fib6_sernum;
102917 };
102918
102919 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
102920diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
102921index 730d82a..045f2c4 100644
102922--- a/include/net/netns/xfrm.h
102923+++ b/include/net/netns/xfrm.h
102924@@ -78,7 +78,7 @@ struct netns_xfrm {
102925
102926 /* flow cache part */
102927 struct flow_cache flow_cache_global;
102928- atomic_t flow_cache_genid;
102929+ atomic_unchecked_t flow_cache_genid;
102930 struct list_head flow_cache_gc_list;
102931 spinlock_t flow_cache_gc_lock;
102932 struct work_struct flow_cache_gc_work;
102933diff --git a/include/net/ping.h b/include/net/ping.h
102934index ac80cb4..ec1ed09 100644
102935--- a/include/net/ping.h
102936+++ b/include/net/ping.h
102937@@ -54,7 +54,7 @@ struct ping_iter_state {
102938
102939 extern struct proto ping_prot;
102940 #if IS_ENABLED(CONFIG_IPV6)
102941-extern struct pingv6_ops pingv6_ops;
102942+extern struct pingv6_ops *pingv6_ops;
102943 #endif
102944
102945 struct pingfakehdr {
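Review bot: `pingv6_ops` changes from an object to a pointer, and the declaration carries no comment on when the pointer is valid. Every user that previously called through `pingv6_ops.member` now dereferences a pointer that may be unset, presumably while the IPv6 side is not registered; the definition and the users are outside this hunk. The contract should be stated here, for example `/* NULL until IPv6 ping support registers its ops; check before use */`. If the pointer can change at runtime, readers also need a consistent way to load it, which this header does not show.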
102946diff --git a/include/net/protocol.h b/include/net/protocol.h
102947index d6fcc1f..ca277058 100644
102948--- a/include/net/protocol.h
102949+++ b/include/net/protocol.h
102950@@ -49,7 +49,7 @@ struct net_protocol {
102951 * socket lookup?
102952 */
102953 icmp_strict_tag_validation:1;
102954-};
102955+} __do_const;
102956
102957 #if IS_ENABLED(CONFIG_IPV6)
102958 struct inet6_protocol {
102959@@ -62,7 +62,7 @@ struct inet6_protocol {
102960 u8 type, u8 code, int offset,
102961 __be32 info);
102962 unsigned int flags; /* INET6_PROTO_xxx */
102963-};
102964+} __do_const;
102965
102966 #define INET6_PROTO_NOPOLICY 0x1
102967 #define INET6_PROTO_FINAL 0x2
102968diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
102969index 343d922..7959cde 100644
102970--- a/include/net/rtnetlink.h
102971+++ b/include/net/rtnetlink.h
102972@@ -95,7 +95,7 @@ struct rtnl_link_ops {
102973 const struct net_device *dev,
102974 const struct net_device *slave_dev);
102975 struct net *(*get_link_net)(const struct net_device *dev);
102976-};
102977+} __do_const;
102978
102979 int __rtnl_link_register(struct rtnl_link_ops *ops);
102980 void __rtnl_link_unregister(struct rtnl_link_ops *ops);
102981diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h
102982index 4a5b9a3..ca27d73 100644
102983--- a/include/net/sctp/checksum.h
102984+++ b/include/net/sctp/checksum.h
102985@@ -61,8 +61,8 @@ static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
102986 unsigned int offset)
102987 {
102988 struct sctphdr *sh = sctp_hdr(skb);
102989- __le32 ret, old = sh->checksum;
102990- const struct skb_checksum_ops ops = {
102991+ __le32 ret, old = sh->checksum;
102992+ static const struct skb_checksum_ops ops = {
102993 .update = sctp_csum_update,
102994 .combine = sctp_csum_combine,
102995 };
102996diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
102997index 487ef34..d457f98 100644
102998--- a/include/net/sctp/sm.h
102999+++ b/include/net/sctp/sm.h
103000@@ -80,7 +80,7 @@ typedef void (sctp_timer_event_t) (unsigned long);
103001 typedef struct {
103002 sctp_state_fn_t *fn;
103003 const char *name;
103004-} sctp_sm_table_entry_t;
103005+} __do_const sctp_sm_table_entry_t;
103006
103007 /* A naming convention of "sctp_sf_xxx" applies to all the state functions
103008 * currently in use.
103009@@ -292,7 +292,7 @@ __u32 sctp_generate_tag(const struct sctp_endpoint *);
103010 __u32 sctp_generate_tsn(const struct sctp_endpoint *);
103011
103012 /* Extern declarations for major data structures. */
103013-extern sctp_timer_event_t *sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES];
103014+extern sctp_timer_event_t * const sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES];
103015
103016
103017 /* Get the size of a DATA chunk payload. */
103018diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
103019index 495c87e..5b327ff 100644
103020--- a/include/net/sctp/structs.h
103021+++ b/include/net/sctp/structs.h
103022@@ -513,7 +513,7 @@ struct sctp_pf {
103023 void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
103024 void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
103025 struct sctp_af *af;
103026-};
103027+} __do_const;
103028
103029
103030 /* Structure to track chunk fragments that have been acked, but peer
103031diff --git a/include/net/sock.h b/include/net/sock.h
103032index f21f070..29ac73e 100644
103033--- a/include/net/sock.h
103034+++ b/include/net/sock.h
103035@@ -198,7 +198,7 @@ struct sock_common {
103036 struct in6_addr skc_v6_rcv_saddr;
103037 #endif
103038
103039- atomic64_t skc_cookie;
103040+ atomic64_unchecked_t skc_cookie;
103041
103042 /*
103043 * fields between dontcopy_begin/dontcopy_end
103044@@ -364,7 +364,7 @@ struct sock {
103045 unsigned int sk_napi_id;
103046 unsigned int sk_ll_usec;
103047 #endif
103048- atomic_t sk_drops;
103049+ atomic_unchecked_t sk_drops;
103050 int sk_rcvbuf;
103051
103052 struct sk_filter __rcu *sk_filter;
103053@@ -1038,7 +1038,7 @@ struct proto {
103054 void (*destroy_cgroup)(struct mem_cgroup *memcg);
103055 struct cg_proto *(*proto_cgroup)(struct mem_cgroup *memcg);
103056 #endif
103057-};
103058+} __randomize_layout;
103059
103060 /*
103061 * Bits in struct cg_proto.flags
103062@@ -1211,7 +1211,7 @@ static inline void memcg_memory_allocated_sub(struct cg_proto *prot,
103063 page_counter_uncharge(&prot->memory_allocated, amt);
103064 }
103065
103066-static inline long
103067+static inline long __intentional_overflow(-1)
103068 sk_memory_allocated(const struct sock *sk)
103069 {
103070 struct proto *prot = sk->sk_prot;
103071@@ -1776,7 +1776,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags)
103072 }
103073
103074 static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
103075- struct iov_iter *from, char *to,
103076+ struct iov_iter *from, unsigned char *to,
103077 int copy, int offset)
103078 {
103079 if (skb->ip_summed == CHECKSUM_NONE) {
103080@@ -2023,7 +2023,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
103081 }
103082 }
103083
103084-struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp,
103085+struct sk_buff * __intentional_overflow(0) sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp,
103086 bool force_schedule);
103087
103088 /**
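Review bot: The `__intentional_overflow(0)` annotation on `sk_stream_alloc_skb()` sits between the return type and the function name, which pushes the line well past 80 columns. It also differs from `tcp_fragment()` in `include/net/tcp.h`, where the same kind of annotation trails the parameter list. Assuming the plugin accepts both placements, as the `tcp_fragment()` declaration suggests, one placement makes these annotations easier to grep and review: `struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp,` followed by `bool force_schedule) __intentional_overflow(0);`.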
103089@@ -2099,7 +2099,7 @@ struct sock_skb_cb {
103090 static inline void
103091 sock_skb_set_dropcount(const struct sock *sk, struct sk_buff *skb)
103092 {
103093- SOCK_SKB_CB(skb)->dropcount = atomic_read(&sk->sk_drops);
103094+ SOCK_SKB_CB(skb)->dropcount = atomic_read_unchecked(&sk->sk_drops);
103095 }
103096
103097 void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
103098diff --git a/include/net/tcp.h b/include/net/tcp.h
103099index 950cfec..0bf9d85 100644
103100--- a/include/net/tcp.h
103101+++ b/include/net/tcp.h
103102@@ -546,7 +546,7 @@ void tcp_retransmit_timer(struct sock *sk);
103103 void tcp_xmit_retransmit_queue(struct sock *);
103104 void tcp_simple_retransmit(struct sock *);
103105 int tcp_trim_head(struct sock *, struct sk_buff *, u32);
103106-int tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int, gfp_t);
103107+int tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int, gfp_t) __intentional_overflow(3);
103108
103109 void tcp_send_probe0(struct sock *);
103110 void tcp_send_partial(struct sock *);
103111@@ -724,8 +724,8 @@ static inline u32 tcp_skb_timestamp(const struct sk_buff *skb)
103112 * If this grows please adjust skbuff.h:skbuff->cb[xxx] size appropriately.
103113 */
103114 struct tcp_skb_cb {
103115- __u32 seq; /* Starting sequence number */
103116- __u32 end_seq; /* SEQ + FIN + SYN + datalen */
103117+ __u32 seq __intentional_overflow(-1); /* Starting sequence number */
103118+ __u32 end_seq __intentional_overflow(-1); /* SEQ + FIN + SYN + datalen */
103119 union {
103120 /* Note : tcp_tw_isn is used in input path only
103121 * (isn chosen by tcp_timewait_state_process())
103122@@ -753,7 +753,7 @@ struct tcp_skb_cb {
103123
103124 __u8 ip_dsfield; /* IPv4 tos or IPv6 dsfield */
103125 /* 1 byte hole */
103126- __u32 ack_seq; /* Sequence number ACK'd */
103127+ __u32 ack_seq __intentional_overflow(-1); /* Sequence number ACK'd */
103128 union {
103129 struct inet_skb_parm h4;
103130 #if IS_ENABLED(CONFIG_IPV6)
103131diff --git a/include/net/xfrm.h b/include/net/xfrm.h
103132index f0ee97e..73e2b5a 100644
103133--- a/include/net/xfrm.h
103134+++ b/include/net/xfrm.h
103135@@ -284,7 +284,6 @@ struct xfrm_dst;
103136 struct xfrm_policy_afinfo {
103137 unsigned short family;
103138 struct dst_ops *dst_ops;
103139- void (*garbage_collect)(struct net *net);
103140 struct dst_entry *(*dst_lookup)(struct net *net, int tos,
103141 const xfrm_address_t *saddr,
103142 const xfrm_address_t *daddr);
103143@@ -302,7 +301,7 @@ struct xfrm_policy_afinfo {
103144 struct net_device *dev,
103145 const struct flowi *fl);
103146 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
103147-};
103148+} __do_const;
103149
103150 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
103151 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
103152@@ -341,7 +340,7 @@ struct xfrm_state_afinfo {
103153 int (*transport_finish)(struct sk_buff *skb,
103154 int async);
103155 void (*local_error)(struct sk_buff *skb, u32 mtu);
103156-};
103157+} __do_const;
103158
103159 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
103160 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
103161@@ -436,7 +435,7 @@ struct xfrm_mode {
103162 struct module *owner;
103163 unsigned int encap;
103164 int flags;
103165-};
103166+} __do_const;
103167
103168 /* Flags for xfrm_mode. */
103169 enum {
103170@@ -531,7 +530,7 @@ struct xfrm_policy {
103171 struct timer_list timer;
103172
103173 struct flow_cache_object flo;
103174- atomic_t genid;
103175+ atomic_unchecked_t genid;
103176 u32 priority;
103177 u32 index;
103178 struct xfrm_mark mark;
103179@@ -1164,6 +1163,7 @@ static inline void xfrm_sk_free_policy(struct sock *sk)
103180 }
103181
103182 void xfrm_garbage_collect(struct net *net);
103183+void xfrm_garbage_collect_deferred(struct net *net);
103184
103185 #else
103186
103187@@ -1202,6 +1202,9 @@ static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
103188 static inline void xfrm_garbage_collect(struct net *net)
103189 {
103190 }
103191+static inline void xfrm_garbage_collect_deferred(struct net *net)
103192+{
103193+}
103194 #endif
103195
103196 static __inline__
103197diff --git a/include/rdma/iw_cm.h b/include/rdma/iw_cm.h
103198index 036bd27..c0d7f17 100644
103199--- a/include/rdma/iw_cm.h
103200+++ b/include/rdma/iw_cm.h
103201@@ -123,7 +123,7 @@ struct iw_cm_verbs {
103202 int backlog);
103203
103204 int (*destroy_listen)(struct iw_cm_id *cm_id);
103205-};
103206+} __no_const;
103207
103208 /**
103209 * iw_create_cm_id - Create an IW CM identifier.
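Review bot: `struct iw_cm_verbs` is marked `__no_const`, which leaves a table of function pointers writable, and nothing in the hunk records which code needs to write it at runtime. Most ops structures in this patch go the other way with `__do_const`, so each opt-out deserves a one-line justification, for example `/* filled in per device at registration, cannot be const */` (to be confirmed against the drivers, which are outside the hunk). The same applies to `struct snd_compr_ops` in `include/sound/compress_driver.h`.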
103210diff --git a/include/scsi/libfc.h b/include/scsi/libfc.h
103211index 93d14da..734b3d8 100644
103212--- a/include/scsi/libfc.h
103213+++ b/include/scsi/libfc.h
103214@@ -771,6 +771,7 @@ struct libfc_function_template {
103215 */
103216 void (*disc_stop_final) (struct fc_lport *);
103217 };
103218+typedef struct libfc_function_template __no_const libfc_function_template_no_const;
103219
103220 /**
103221 * struct fc_disc - Discovery context
103222@@ -875,7 +876,7 @@ struct fc_lport {
103223 struct fc_vport *vport;
103224
103225 /* Operational Information */
103226- struct libfc_function_template tt;
103227+ libfc_function_template_no_const tt;
103228 u8 link_up;
103229 u8 qfull;
103230 enum fc_lport_state state;
103231diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
103232index ae84b22..7954097 100644
103233--- a/include/scsi/scsi_device.h
103234+++ b/include/scsi/scsi_device.h
103235@@ -185,9 +185,9 @@ struct scsi_device {
103236 unsigned int max_device_blocked; /* what device_blocked counts down from */
103237 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
103238
103239- atomic_t iorequest_cnt;
103240- atomic_t iodone_cnt;
103241- atomic_t ioerr_cnt;
103242+ atomic_unchecked_t iorequest_cnt;
103243+ atomic_unchecked_t iodone_cnt;
103244+ atomic_unchecked_t ioerr_cnt;
103245
103246 struct device sdev_gendev,
103247 sdev_dev;
103248diff --git a/include/scsi/scsi_driver.h b/include/scsi/scsi_driver.h
103249index 891a658..fcd68df 100644
103250--- a/include/scsi/scsi_driver.h
103251+++ b/include/scsi/scsi_driver.h
103252@@ -14,7 +14,7 @@ struct scsi_driver {
103253 void (*rescan)(struct device *);
103254 int (*init_command)(struct scsi_cmnd *);
103255 void (*uninit_command)(struct scsi_cmnd *);
103256- int (*done)(struct scsi_cmnd *);
103257+ unsigned int (*done)(struct scsi_cmnd *);
103258 int (*eh_action)(struct scsi_cmnd *, int);
103259 };
103260 #define to_scsi_driver(drv) \
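Review bot: The `done` callback in `struct scsi_driver` changes its return type to `unsigned int` while the neighbouring callbacks `init_command` and `eh_action` keep `int`, and the hunk has no comment stating what the value means. If an implementation returns a negative error, or a caller stores the result in an `int` and tests its sign, the change silently alters behaviour; implementations and callers are outside this hunk. A field comment such as `/* returns the number of bytes completed successfully, never an errno */` (wording to be confirmed against the implementations) would pin the contract.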
103261diff --git a/include/scsi/scsi_transport_fc.h b/include/scsi/scsi_transport_fc.h
103262index 784bc2c..855a04c 100644
103263--- a/include/scsi/scsi_transport_fc.h
103264+++ b/include/scsi/scsi_transport_fc.h
103265@@ -757,7 +757,8 @@ struct fc_function_template {
103266 unsigned long show_host_system_hostname:1;
103267
103268 unsigned long disable_target_scan:1;
103269-};
103270+} __do_const;
103271+typedef struct fc_function_template __no_const fc_function_template_no_const;
103272
103273
103274 /**
103275diff --git a/include/scsi/sg.h b/include/scsi/sg.h
103276index 3afec70..b196b43 100644
103277--- a/include/scsi/sg.h
103278+++ b/include/scsi/sg.h
103279@@ -52,7 +52,7 @@ typedef struct sg_io_hdr
103280 or scatter gather list */
103281 unsigned char __user *cmdp; /* [i], [*i] points to command to perform */
103282 void __user *sbp; /* [i], [*o] points to sense_buffer memory */
103283- unsigned int timeout; /* [i] MAX_UINT->no timeout (unit: millisec) */
103284+ unsigned int timeout __intentional_overflow(-1); /* [i] MAX_UINT->no timeout (unit: millisec) */
103285 unsigned int flags; /* [i] 0 -> default, see SG_FLAG... */
103286 int pack_id; /* [i->o] unused internally (normally) */
103287 void __user * usr_ptr; /* [i->o] unused internally */
103288diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
103289index fa1d055..3647940 100644
103290--- a/include/sound/compress_driver.h
103291+++ b/include/sound/compress_driver.h
103292@@ -130,7 +130,7 @@ struct snd_compr_ops {
103293 struct snd_compr_caps *caps);
103294 int (*get_codec_caps) (struct snd_compr_stream *stream,
103295 struct snd_compr_codec_caps *codec);
103296-};
103297+} __no_const;
103298
103299 /**
103300 * struct snd_compr: Compressed device
103301diff --git a/include/sound/soc.h b/include/sound/soc.h
103302index 93df8bf..c84577b 100644
103303--- a/include/sound/soc.h
103304+++ b/include/sound/soc.h
103305@@ -883,7 +883,7 @@ struct snd_soc_codec_driver {
103306 enum snd_soc_dapm_type, int);
103307
103308 bool ignore_pmdown_time; /* Doesn't benefit from pmdown delay */
103309-};
103310+} __do_const;
103311
103312 /* SoC platform interface */
103313 struct snd_soc_platform_driver {
103314@@ -910,7 +910,7 @@ struct snd_soc_platform_driver {
103315 const struct snd_compr_ops *compr_ops;
103316
103317 int (*bespoke_trigger)(struct snd_pcm_substream *, int);
103318-};
103319+} __do_const;
103320
103321 struct snd_soc_dai_link_component {
103322 const char *name;
103323diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
103324index 17ae2d6..2c06382 100644
103325--- a/include/target/target_core_base.h
103326+++ b/include/target/target_core_base.h
103327@@ -751,7 +751,7 @@ struct se_device {
103328 atomic_long_t write_bytes;
103329 /* Active commands on this virtual SE device */
103330 atomic_t simple_cmds;
103331- atomic_t dev_ordered_id;
103332+ atomic_unchecked_t dev_ordered_id;
103333 atomic_t dev_ordered_sync;
103334 atomic_t dev_qf_count;
103335 u32 export_count;
103336diff --git a/include/trace/events/fs.h b/include/trace/events/fs.h
103337new file mode 100644
103338index 0000000..fb634b7
103339--- /dev/null
103340+++ b/include/trace/events/fs.h
103341@@ -0,0 +1,53 @@
103342+#undef TRACE_SYSTEM
103343+#define TRACE_SYSTEM fs
103344+
103345+#if !defined(_TRACE_FS_H) || defined(TRACE_HEADER_MULTI_READ)
103346+#define _TRACE_FS_H
103347+
103348+#include <linux/fs.h>
103349+#include <linux/tracepoint.h>
103350+
103351+TRACE_EVENT(do_sys_open,
103352+
103353+ TP_PROTO(const char *filename, int flags, int mode),
103354+
103355+ TP_ARGS(filename, flags, mode),
103356+
103357+ TP_STRUCT__entry(
103358+ __string( filename, filename )
103359+ __field( int, flags )
103360+ __field( int, mode )
103361+ ),
103362+
103363+ TP_fast_assign(
103364+ __assign_str(filename, filename);
103365+ __entry->flags = flags;
103366+ __entry->mode = mode;
103367+ ),
103368+
103369+ TP_printk("\"%s\" %x %o",
103370+ __get_str(filename), __entry->flags, __entry->mode)
103371+);
103372+
103373+TRACE_EVENT(open_exec,
103374+
103375+ TP_PROTO(const char *filename),
103376+
103377+ TP_ARGS(filename),
103378+
103379+ TP_STRUCT__entry(
103380+ __string( filename, filename )
103381+ ),
103382+
103383+ TP_fast_assign(
103384+ __assign_str(filename, filename);
103385+ ),
103386+
103387+ TP_printk("\"%s\"",
103388+ __get_str(filename))
103389+);
103390+
103391+#endif /* _TRACE_FS_H */
103392+
103393+/* This part must be outside protection */
103394+#include <trace/define_trace.h>
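Review bot: The two new events have no kernel-doc, unlike the events in `include/trace/events/irq.h`, and `TP_printk` prints the file name between literal quotes with plain `%s`. A path can itself contain `"` or a newline, so anything that parses the text form of these events cannot rely on the quotes to delimit the field. Consumers should read the recorded `filename` field instead, and the comment should say so. I would add a short comment above each `TRACE_EVENT` stating when it fires, that `filename` must be a kernel-space string, and that `flags` is printed in hex and `mode` in octal.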
103395diff --git a/include/trace/events/irq.h b/include/trace/events/irq.h
103396index ff8f6c0..6b6bae3 100644
103397--- a/include/trace/events/irq.h
103398+++ b/include/trace/events/irq.h
103399@@ -51,7 +51,7 @@ SOFTIRQ_NAME_LIST
103400 */
103401 TRACE_EVENT(irq_handler_entry,
103402
103403- TP_PROTO(int irq, struct irqaction *action),
103404+ TP_PROTO(int irq, const struct irqaction *action),
103405
103406 TP_ARGS(irq, action),
103407
103408@@ -81,7 +81,7 @@ TRACE_EVENT(irq_handler_entry,
103409 */
103410 TRACE_EVENT(irq_handler_exit,
103411
103412- TP_PROTO(int irq, struct irqaction *action, int ret),
103413+ TP_PROTO(int irq, const struct irqaction *action, int ret),
103414
103415 TP_ARGS(irq, action, ret),
103416
103417diff --git a/include/uapi/drm/i915_drm.h b/include/uapi/drm/i915_drm.h
103418index db809b7..05a44aa 100644
103419--- a/include/uapi/drm/i915_drm.h
103420+++ b/include/uapi/drm/i915_drm.h
103421@@ -354,6 +354,7 @@ typedef struct drm_i915_irq_wait {
103422 #define I915_PARAM_REVISION 32
103423 #define I915_PARAM_SUBSLICE_TOTAL 33
103424 #define I915_PARAM_EU_TOTAL 34
103425+#define I915_PARAM_HAS_LEGACY_CONTEXT 35
103426
103427 typedef struct drm_i915_getparam {
103428 int param;
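Review bot: `I915_PARAM_HAS_LEGACY_CONTEXT` takes the value 35, the next number after `I915_PARAM_EU_TOTAL`, in a userspace-visible header. The visible values are allocated sequentially, so a later upstream addition is likely to claim the same number and give it a different meaning to userspace built against either header. A comment marking the define as out-of-tree, e.g. `/* not upstream: value may collide with a future upstream param */`, would at least make the risk visible. A value well away from the sequential range would avoid it.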
103429diff --git a/include/uapi/linux/a.out.h b/include/uapi/linux/a.out.h
103430index 7caf44c..23c6f27 100644
103431--- a/include/uapi/linux/a.out.h
103432+++ b/include/uapi/linux/a.out.h
103433@@ -39,6 +39,14 @@ enum machine_type {
103434 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
103435 };
103436
103437+/* Constants for the N_FLAGS field */
103438+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
103439+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
103440+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
103441+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
103442+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
103443+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
103444+
103445 #if !defined (N_MAGIC)
103446 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
103447 #endif
103448diff --git a/include/uapi/linux/bcache.h b/include/uapi/linux/bcache.h
103449index 22b6ad3..aeba37e 100644
103450--- a/include/uapi/linux/bcache.h
103451+++ b/include/uapi/linux/bcache.h
103452@@ -5,6 +5,7 @@
103453 * Bcache on disk data structures
103454 */
103455
103456+#include <linux/compiler.h>
103457 #include <asm/types.h>
103458
103459 #define BITMASK(name, type, field, offset, size) \
103460@@ -20,8 +21,8 @@ static inline void SET_##name(type *k, __u64 v) \
103461 /* Btree keys - all units are in sectors */
103462
103463 struct bkey {
103464- __u64 high;
103465- __u64 low;
103466+ __u64 high __intentional_overflow(-1);
103467+ __u64 low __intentional_overflow(-1);
103468 __u64 ptr[];
103469 };
103470
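Review bot: `__intentional_overflow(-1)` is added to fields of `struct bkey` in a header under `include/uapi/`, and the first hunk of this file adds `#include <linux/compiler.h>` to supply it. Userspace that includes the exported header has no definition for that macro unless header installation strips it or an empty fallback is defined for non-kernel builds, and neither is visible in these hunks. The same question applies to the annotations added in `uapi/linux/connector.h`, `uapi/linux/byteorder/little_endian.h` and `uapi/linux/swab.h`. If no stripping exists, an explicit fallback (`#define __intentional_overflow(...)` under `#ifndef __KERNEL__`) next to the macro's definition would keep the exported headers compilable.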
103471diff --git a/include/uapi/linux/byteorder/little_endian.h b/include/uapi/linux/byteorder/little_endian.h
103472index d876736..ccce5c0 100644
103473--- a/include/uapi/linux/byteorder/little_endian.h
103474+++ b/include/uapi/linux/byteorder/little_endian.h
103475@@ -42,51 +42,51 @@
103476
103477 static inline __le64 __cpu_to_le64p(const __u64 *p)
103478 {
103479- return (__force __le64)*p;
103480+ return (__force const __le64)*p;
103481 }
103482-static inline __u64 __le64_to_cpup(const __le64 *p)
103483+static inline __u64 __intentional_overflow(-1) __le64_to_cpup(const __le64 *p)
103484 {
103485- return (__force __u64)*p;
103486+ return (__force const __u64)*p;
103487 }
103488 static inline __le32 __cpu_to_le32p(const __u32 *p)
103489 {
103490- return (__force __le32)*p;
103491+ return (__force const __le32)*p;
103492 }
103493 static inline __u32 __le32_to_cpup(const __le32 *p)
103494 {
103495- return (__force __u32)*p;
103496+ return (__force const __u32)*p;
103497 }
103498 static inline __le16 __cpu_to_le16p(const __u16 *p)
103499 {
103500- return (__force __le16)*p;
103501+ return (__force const __le16)*p;
103502 }
103503 static inline __u16 __le16_to_cpup(const __le16 *p)
103504 {
103505- return (__force __u16)*p;
103506+ return (__force const __u16)*p;
103507 }
103508 static inline __be64 __cpu_to_be64p(const __u64 *p)
103509 {
103510- return (__force __be64)__swab64p(p);
103511+ return (__force const __be64)__swab64p(p);
103512 }
103513 static inline __u64 __be64_to_cpup(const __be64 *p)
103514 {
103515- return __swab64p((__u64 *)p);
103516+ return __swab64p((const __u64 *)p);
103517 }
103518 static inline __be32 __cpu_to_be32p(const __u32 *p)
103519 {
103520- return (__force __be32)__swab32p(p);
103521+ return (__force const __be32)__swab32p(p);
103522 }
103523-static inline __u32 __be32_to_cpup(const __be32 *p)
103524+static inline __u32 __intentional_overflow(-1) __be32_to_cpup(const __be32 *p)
103525 {
103526- return __swab32p((__u32 *)p);
103527+ return __swab32p((const __u32 *)p);
103528 }
103529 static inline __be16 __cpu_to_be16p(const __u16 *p)
103530 {
103531- return (__force __be16)__swab16p(p);
103532+ return (__force const __be16)__swab16p(p);
103533 }
103534 static inline __u16 __be16_to_cpup(const __be16 *p)
103535 {
103536- return __swab16p((__u16 *)p);
103537+ return __swab16p((const __u16 *)p);
103538 }
103539 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
103540 #define __le64_to_cpus(x) do { (void)(x); } while (0)
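Review bot: In the value casts such as `(__force const __le64)*p` the added `const` has no effect as far as the C language is concerned, because a qualifier on the type of a non-pointer cast is dropped from the resulting value. Only the pointer casts like `(const __u64 *)p` change anything, by no longer discarding the qualifier of `p`. I would keep the pointer-cast changes and leave the value casts as `(__force __le64)*p`, unless a checker used by this tree needs the qualifier, in which case a comment should say so. Separately, only `__le64_to_cpup` and `__be32_to_cpup` receive `__intentional_overflow(-1)` while their siblings do not; a one-line comment on why those two are special would help.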
103541diff --git a/include/uapi/linux/connector.h b/include/uapi/linux/connector.h
103542index 4cb2835..cfbc4e2 100644
103543--- a/include/uapi/linux/connector.h
103544+++ b/include/uapi/linux/connector.h
103545@@ -69,7 +69,7 @@ struct cb_id {
103546 struct cn_msg {
103547 struct cb_id id;
103548
103549- __u32 seq;
103550+ __u32 seq __intentional_overflow(-1);
103551 __u32 ack;
103552
103553 __u16 len; /* Length of the following data */
103554diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h
103555index 71e1d0e..6cc9caf 100644
103556--- a/include/uapi/linux/elf.h
103557+++ b/include/uapi/linux/elf.h
103558@@ -37,6 +37,17 @@ typedef __s64 Elf64_Sxword;
103559 #define PT_GNU_EH_FRAME 0x6474e550
103560
103561 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
103562+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
103563+
103564+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
103565+
103566+/* Constants for the e_flags field */
103567+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
103568+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
103569+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
103570+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
103571+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
103572+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
103573
103574 /*
103575 * Extended Numbering
103576@@ -94,6 +105,8 @@ typedef __s64 Elf64_Sxword;
103577 #define DT_DEBUG 21
103578 #define DT_TEXTREL 22
103579 #define DT_JMPREL 23
103580+#define DT_FLAGS 30
103581+ #define DF_TEXTREL 0x00000004
103582 #define DT_ENCODING 32
103583 #define OLD_DT_LOOS 0x60000000
103584 #define DT_LOOS 0x6000000d
103585@@ -240,6 +253,19 @@ typedef struct elf64_hdr {
103586 #define PF_W 0x2
103587 #define PF_X 0x1
103588
103589+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
103590+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
103591+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
103592+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
103593+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
103594+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
103595+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
103596+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
103597+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
103598+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
103599+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
103600+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
103601+
103602 typedef struct elf32_phdr{
103603 Elf32_Word p_type;
103604 Elf32_Off p_offset;
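Review bot: The new `PF_*` bits come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC`, `PF_MPROTECT`/`PF_NOMPROTECT`, and so on), but the block has no comment saying what the result is when both bits of a pair are set or when neither is. These bits are read from a program header supplied with the binary, so the parsing code (outside this hunk) has to pick a defined result for every combination. Stating the rule here keeps the header and the parser in agreement. Something like `/* both or neither bit of a pair set: see <parser> for the resulting default */`, with the real rule filled in, would do.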
103605@@ -332,6 +358,8 @@ typedef struct elf64_shdr {
103606 #define EI_OSABI 7
103607 #define EI_PAD 8
103608
103609+#define EI_PAX 14
103610+
103611 #define ELFMAG0 0x7f /* EI_MAG */
103612 #define ELFMAG1 'E'
103613 #define ELFMAG2 'L'
103614diff --git a/include/uapi/linux/personality.h b/include/uapi/linux/personality.h
103615index aa169c4..6a2771d 100644
103616--- a/include/uapi/linux/personality.h
103617+++ b/include/uapi/linux/personality.h
103618@@ -30,6 +30,7 @@ enum {
103619 #define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
103620 ADDR_NO_RANDOMIZE | \
103621 ADDR_COMPAT_LAYOUT | \
103622+ ADDR_LIMIT_3GB | \
103623 MMAP_PAGE_ZERO)
103624
103625 /*
103626diff --git a/include/uapi/linux/screen_info.h b/include/uapi/linux/screen_info.h
103627index 7530e74..e714828 100644
103628--- a/include/uapi/linux/screen_info.h
103629+++ b/include/uapi/linux/screen_info.h
103630@@ -43,7 +43,8 @@ struct screen_info {
103631 __u16 pages; /* 0x32 */
103632 __u16 vesa_attributes; /* 0x34 */
103633 __u32 capabilities; /* 0x36 */
103634- __u8 _reserved[6]; /* 0x3a */
103635+ __u16 vesapm_size; /* 0x3a */
103636+ __u8 _reserved[4]; /* 0x3c */
103637 } __attribute__((packed));
103638
103639 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
103640diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h
103641index 0e011eb..82681b1 100644
103642--- a/include/uapi/linux/swab.h
103643+++ b/include/uapi/linux/swab.h
103644@@ -43,7 +43,7 @@
103645 * ___swab16, ___swab32, ___swab64, ___swahw32, ___swahb32
103646 */
103647
103648-static inline __attribute_const__ __u16 __fswab16(__u16 val)
103649+static inline __intentional_overflow(-1) __attribute_const__ __u16 __fswab16(__u16 val)
103650 {
103651 #ifdef __HAVE_BUILTIN_BSWAP16__
103652 return __builtin_bswap16(val);
103653@@ -54,7 +54,7 @@ static inline __attribute_const__ __u16 __fswab16(__u16 val)
103654 #endif
103655 }
103656
103657-static inline __attribute_const__ __u32 __fswab32(__u32 val)
103658+static inline __intentional_overflow(-1) __attribute_const__ __u32 __fswab32(__u32 val)
103659 {
103660 #ifdef __HAVE_BUILTIN_BSWAP32__
103661 return __builtin_bswap32(val);
103662@@ -65,7 +65,7 @@ static inline __attribute_const__ __u32 __fswab32(__u32 val)
103663 #endif
103664 }
103665
103666-static inline __attribute_const__ __u64 __fswab64(__u64 val)
103667+static inline __intentional_overflow(-1) __attribute_const__ __u64 __fswab64(__u64 val)
103668 {
103669 #ifdef __HAVE_BUILTIN_BSWAP64__
103670 return __builtin_bswap64(val);
103671diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
103672index 1590c49..5eab462 100644
103673--- a/include/uapi/linux/xattr.h
103674+++ b/include/uapi/linux/xattr.h
103675@@ -73,5 +73,9 @@
103676 #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
103677 #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
103678
103679+/* User namespace */
103680+#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
103681+#define XATTR_PAX_FLAGS_SUFFIX "flags"
103682+#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
103683
103684 #endif /* _UAPI_LINUX_XATTR_H */
103685diff --git a/include/video/udlfb.h b/include/video/udlfb.h
103686index f9466fa..f4e2b81 100644
103687--- a/include/video/udlfb.h
103688+++ b/include/video/udlfb.h
103689@@ -53,10 +53,10 @@ struct dlfb_data {
103690 u32 pseudo_palette[256];
103691 int blank_mode; /*one of FB_BLANK_ */
103692 /* blit-only rendering path metrics, exposed through sysfs */
103693- atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
103694- atomic_t bytes_identical; /* saved effort with backbuffer comparison */
103695- atomic_t bytes_sent; /* to usb, after compression including overhead */
103696- atomic_t cpu_kcycles_used; /* transpired during pixel processing */
103697+ atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
103698+ atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
103699+ atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
103700+ atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
103701 };
103702
103703 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
103704diff --git a/include/video/uvesafb.h b/include/video/uvesafb.h
103705index 30f5362..8ed8ac9 100644
103706--- a/include/video/uvesafb.h
103707+++ b/include/video/uvesafb.h
103708@@ -122,6 +122,7 @@ struct uvesafb_par {
103709 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
103710 u8 pmi_setpal; /* PMI for palette changes */
103711 u16 *pmi_base; /* protected mode interface location */
103712+ u8 *pmi_code; /* protected mode code location */
103713 void *pmi_start;
103714 void *pmi_pal;
103715 u8 *vbe_state_orig; /*
103716diff --git a/init/Kconfig b/init/Kconfig
103717index af09b4f..17fcb78 100644
103718--- a/init/Kconfig
103719+++ b/init/Kconfig
103720@@ -1139,6 +1139,7 @@ endif # CGROUPS
103721 config CHECKPOINT_RESTORE
103722 bool "Checkpoint/restore support" if EXPERT
103723 select PROC_CHILDREN
103724+ depends on !GRKERNSEC
103725 default n
103726 help
103727 Enables additional kernel features in a sake of checkpoint/restore.
103728@@ -1664,7 +1665,7 @@ config SLUB_DEBUG
103729
103730 config COMPAT_BRK
103731 bool "Disable heap randomization"
103732- default y
103733+ default n
103734 help
103735 Randomizing heap placement makes heap exploits harder, but it
103736 also breaks ancient binaries (including anything libc5 based).
103737@@ -1994,7 +1995,7 @@ config INIT_ALL_POSSIBLE
103738 config STOP_MACHINE
103739 bool
103740 default y
103741- depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU
103742+ depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU || GRKERNSEC
103743 help
103744 Need stop_machine() primitive.
103745
103746diff --git a/init/Makefile b/init/Makefile
103747index 7bc47ee..6da2dc7 100644
103748--- a/init/Makefile
103749+++ b/init/Makefile
103750@@ -2,6 +2,9 @@
103751 # Makefile for the linux kernel.
103752 #
103753
103754+ccflags-y := $(GCC_PLUGINS_CFLAGS)
103755+asflags-y := $(GCC_PLUGINS_AFLAGS)
103756+
103757 obj-y := main.o version.o mounts.o
103758 ifneq ($(CONFIG_BLK_DEV_INITRD),y)
103759 obj-y += noinitramfs.o
103760diff --git a/init/do_mounts.c b/init/do_mounts.c
103761index dea5de9..bbdbb5f 100644
103762--- a/init/do_mounts.c
103763+++ b/init/do_mounts.c
103764@@ -363,11 +363,11 @@ static void __init get_fs_names(char *page)
103765 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
103766 {
103767 struct super_block *s;
103768- int err = sys_mount(name, "/root", fs, flags, data);
103769+ int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
103770 if (err)
103771 return err;
103772
103773- sys_chdir("/root");
103774+ sys_chdir((const char __force_user *)"/root");
103775 s = current->fs->pwd.dentry->d_sb;
103776 ROOT_DEV = s->s_dev;
103777 printk(KERN_INFO
103778@@ -490,18 +490,18 @@ void __init change_floppy(char *fmt, ...)
103779 va_start(args, fmt);
103780 vsprintf(buf, fmt, args);
103781 va_end(args);
103782- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
103783+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
103784 if (fd >= 0) {
103785 sys_ioctl(fd, FDEJECT, 0);
103786 sys_close(fd);
103787 }
103788 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
103789- fd = sys_open("/dev/console", O_RDWR, 0);
103790+ fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
103791 if (fd >= 0) {
103792 sys_ioctl(fd, TCGETS, (long)&termios);
103793 termios.c_lflag &= ~ICANON;
103794 sys_ioctl(fd, TCSETSF, (long)&termios);
103795- sys_read(fd, &c, 1);
103796+ sys_read(fd, (char __user *)&c, 1);
103797 termios.c_lflag |= ICANON;
103798 sys_ioctl(fd, TCSETSF, (long)&termios);
103799 sys_close(fd);
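Review bot: The user-pointer casts added in change_floppy() are spelled three different ways: `(char __user *)"/dev/root"` and `(char __user *)&c` carry no `__force`, `"/dev/console"` uses `__force const char __user`, and every other hunk in this file uses `__force_user`. If `__force_user` is the patch's marker for a deliberate kernel-to-user cast (its definition is not in this hunk), the two unforced casts will not be recognised by whatever tooling keys on that marker. I would write `(const char __force_user *)"/dev/root"` and `(char __force_user *)&c` to match do_mount_root() in the previous hunk. change_floppy() starts before this hunk.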
103800@@ -600,8 +600,8 @@ void __init prepare_namespace(void)
103801 mount_root();
103802 out:
103803 devtmpfs_mount("dev");
103804- sys_mount(".", "/", NULL, MS_MOVE, NULL);
103805- sys_chroot(".");
103806+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
103807+ sys_chroot((const char __force_user *)".");
103808 }
103809
103810 static bool is_tmpfs;
103811diff --git a/init/do_mounts.h b/init/do_mounts.h
103812index f5b978a..69dbfe8 100644
103813--- a/init/do_mounts.h
103814+++ b/init/do_mounts.h
103815@@ -15,15 +15,15 @@ extern int root_mountflags;
103816
103817 static inline int create_dev(char *name, dev_t dev)
103818 {
103819- sys_unlink(name);
103820- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
103821+ sys_unlink((char __force_user *)name);
103822+ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
103823 }
103824
103825 #if BITS_PER_LONG == 32
103826 static inline u32 bstat(char *name)
103827 {
103828 struct stat64 stat;
103829- if (sys_stat64(name, &stat) != 0)
103830+ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
103831 return 0;
103832 if (!S_ISBLK(stat.st_mode))
103833 return 0;
103834@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
103835 static inline u32 bstat(char *name)
103836 {
103837 struct stat stat;
103838- if (sys_newstat(name, &stat) != 0)
103839+ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
103840 return 0;
103841 if (!S_ISBLK(stat.st_mode))
103842 return 0;
103843diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c
103844index 3e0878e..8a9d7a0 100644
103845--- a/init/do_mounts_initrd.c
103846+++ b/init/do_mounts_initrd.c
103847@@ -37,13 +37,13 @@ static int init_linuxrc(struct subprocess_info *info, struct cred *new)
103848 {
103849 sys_unshare(CLONE_FS | CLONE_FILES);
103850 /* stdin/stdout/stderr for /linuxrc */
103851- sys_open("/dev/console", O_RDWR, 0);
103852+ sys_open((const char __force_user *)"/dev/console", O_RDWR, 0);
103853 sys_dup(0);
103854 sys_dup(0);
103855 /* move initrd over / and chdir/chroot in initrd root */
103856- sys_chdir("/root");
103857- sys_mount(".", "/", NULL, MS_MOVE, NULL);
103858- sys_chroot(".");
103859+ sys_chdir((const char __force_user *)"/root");
103860+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
103861+ sys_chroot((const char __force_user *)".");
103862 sys_setsid();
103863 return 0;
103864 }
103865@@ -59,8 +59,8 @@ static void __init handle_initrd(void)
103866 create_dev("/dev/root.old", Root_RAM0);
103867 /* mount initrd on rootfs' /root */
103868 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
103869- sys_mkdir("/old", 0700);
103870- sys_chdir("/old");
103871+ sys_mkdir((const char __force_user *)"/old", 0700);
103872+ sys_chdir((const char __force_user *)"/old");
103873
103874 /* try loading default modules from initrd */
103875 load_default_modules();
103876@@ -80,31 +80,31 @@ static void __init handle_initrd(void)
103877 current->flags &= ~PF_FREEZER_SKIP;
103878
103879 /* move initrd to rootfs' /old */
103880- sys_mount("..", ".", NULL, MS_MOVE, NULL);
103881+ sys_mount((char __force_user *)"..", (char __force_user *)".", NULL, MS_MOVE, NULL);
103882 /* switch root and cwd back to / of rootfs */
103883- sys_chroot("..");
103884+ sys_chroot((const char __force_user *)"..");
103885
103886 if (new_decode_dev(real_root_dev) == Root_RAM0) {
103887- sys_chdir("/old");
103888+ sys_chdir((const char __force_user *)"/old");
103889 return;
103890 }
103891
103892- sys_chdir("/");
103893+ sys_chdir((const char __force_user *)"/");
103894 ROOT_DEV = new_decode_dev(real_root_dev);
103895 mount_root();
103896
103897 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
103898- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
103899+ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
103900 if (!error)
103901 printk("okay\n");
103902 else {
103903- int fd = sys_open("/dev/root.old", O_RDWR, 0);
103904+ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
103905 if (error == -ENOENT)
103906 printk("/initrd does not exist. Ignored.\n");
103907 else
103908 printk("failed\n");
103909 printk(KERN_NOTICE "Unmounting old root\n");
103910- sys_umount("/old", MNT_DETACH);
103911+ sys_umount((char __force_user *)"/old", MNT_DETACH);
103912 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
103913 if (fd < 0) {
103914 error = fd;
103915@@ -127,11 +127,11 @@ int __init initrd_load(void)
103916 * mounted in the normal path.
103917 */
103918 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
103919- sys_unlink("/initrd.image");
103920+ sys_unlink((const char __force_user *)"/initrd.image");
103921 handle_initrd();
103922 return 1;
103923 }
103924 }
103925- sys_unlink("/initrd.image");
103926+ sys_unlink((const char __force_user *)"/initrd.image");
103927 return 0;
103928 }
103929diff --git a/init/do_mounts_md.c b/init/do_mounts_md.c
103930index 8cb6db5..d729f50 100644
103931--- a/init/do_mounts_md.c
103932+++ b/init/do_mounts_md.c
103933@@ -180,7 +180,7 @@ static void __init md_setup_drive(void)
103934 partitioned ? "_d" : "", minor,
103935 md_setup_args[ent].device_names);
103936
103937- fd = sys_open(name, 0, 0);
103938+ fd = sys_open((char __force_user *)name, 0, 0);
103939 if (fd < 0) {
103940 printk(KERN_ERR "md: open failed - cannot start "
103941 "array %s\n", name);
103942@@ -243,7 +243,7 @@ static void __init md_setup_drive(void)
103943 * array without it
103944 */
103945 sys_close(fd);
103946- fd = sys_open(name, 0, 0);
103947+ fd = sys_open((char __force_user *)name, 0, 0);
103948 sys_ioctl(fd, BLKRRPART, 0);
103949 }
103950 sys_close(fd);
103951@@ -293,7 +293,7 @@ static void __init autodetect_raid(void)
103952
103953 wait_for_device_probe();
103954
103955- fd = sys_open("/dev/md0", 0, 0);
103956+ fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
103957 if (fd >= 0) {
103958 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
103959 sys_close(fd);
103960diff --git a/init/init_task.c b/init/init_task.c
103961index ba0a7f36..2bcf1d5 100644
103962--- a/init/init_task.c
103963+++ b/init/init_task.c
103964@@ -22,5 +22,9 @@ EXPORT_SYMBOL(init_task);
103965 * Initial thread structure. Alignment of this is handled by a special
103966 * linker map entry.
103967 */
103968+#ifdef CONFIG_X86
103969+union thread_union init_thread_union __init_task_data;
103970+#else
103971 union thread_union init_thread_union __init_task_data =
103972 { INIT_THREAD_INFO(init_task) };
103973+#endif
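Review bot: The `CONFIG_X86` branch drops the `INIT_THREAD_INFO(init_task)` initialiser without saying where the init task's thread_info is set up instead, and the comment above it still describes only alignment. A one-line comment inside the `#ifdef` would keep the next reader from treating the zero-filled union as an oversight, for example `/* x86: init thread_info is not initialised here; see <location> */`. The replacement initialisation is not visible in this hunk, so the placeholder has to be filled in by someone who knows the x86 side of the patch.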
103974diff --git a/init/initramfs.c b/init/initramfs.c
103975index ad1bd77..dca2c1b 100644
103976--- a/init/initramfs.c
103977+++ b/init/initramfs.c
103978@@ -25,7 +25,7 @@ static ssize_t __init xwrite(int fd, const char *p, size_t count)
103979
103980 /* sys_write only can write MAX_RW_COUNT aka 2G-4K bytes at most */
103981 while (count) {
103982- ssize_t rv = sys_write(fd, p, count);
103983+ ssize_t rv = sys_write(fd, (char __force_user *)p, count);
103984
103985 if (rv < 0) {
103986 if (rv == -EINTR || rv == -EAGAIN)
103987@@ -107,7 +107,7 @@ static void __init free_hash(void)
103988 }
103989 }
103990
103991-static long __init do_utime(char *filename, time_t mtime)
103992+static long __init do_utime(char __force_user *filename, time_t mtime)
103993 {
103994 struct timespec t[2];
103995
103996@@ -142,7 +142,7 @@ static void __init dir_utime(void)
103997 struct dir_entry *de, *tmp;
103998 list_for_each_entry_safe(de, tmp, &dir_list, list) {
103999 list_del(&de->list);
104000- do_utime(de->name, de->mtime);
104001+ do_utime((char __force_user *)de->name, de->mtime);
104002 kfree(de->name);
104003 kfree(de);
104004 }
104005@@ -304,7 +304,7 @@ static int __init maybe_link(void)
104006 if (nlink >= 2) {
104007 char *old = find_link(major, minor, ino, mode, collected);
104008 if (old)
104009- return (sys_link(old, collected) < 0) ? -1 : 1;
104010+ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
104011 }
104012 return 0;
104013 }
104014@@ -313,11 +313,11 @@ static void __init clean_path(char *path, umode_t fmode)
104015 {
104016 struct stat st;
104017
104018- if (!sys_newlstat(path, &st) && (st.st_mode ^ fmode) & S_IFMT) {
104019+ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode ^ fmode) & S_IFMT) {
104020 if (S_ISDIR(st.st_mode))
104021- sys_rmdir(path);
104022+ sys_rmdir((char __force_user *)path);
104023 else
104024- sys_unlink(path);
104025+ sys_unlink((char __force_user *)path);
104026 }
104027 }
104028
104029@@ -338,7 +338,7 @@ static int __init do_name(void)
104030 int openflags = O_WRONLY|O_CREAT;
104031 if (ml != 1)
104032 openflags |= O_TRUNC;
104033- wfd = sys_open(collected, openflags, mode);
104034+ wfd = sys_open((char __force_user *)collected, openflags, mode);
104035
104036 if (wfd >= 0) {
104037 sys_fchown(wfd, uid, gid);
104038@@ -350,17 +350,17 @@ static int __init do_name(void)
104039 }
104040 }
104041 } else if (S_ISDIR(mode)) {
104042- sys_mkdir(collected, mode);
104043- sys_chown(collected, uid, gid);
104044- sys_chmod(collected, mode);
104045+ sys_mkdir((char __force_user *)collected, mode);
104046+ sys_chown((char __force_user *)collected, uid, gid);
104047+ sys_chmod((char __force_user *)collected, mode);
104048 dir_add(collected, mtime);
104049 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
104050 S_ISFIFO(mode) || S_ISSOCK(mode)) {
104051 if (maybe_link() == 0) {
104052- sys_mknod(collected, mode, rdev);
104053- sys_chown(collected, uid, gid);
104054- sys_chmod(collected, mode);
104055- do_utime(collected, mtime);
104056+ sys_mknod((char __force_user *)collected, mode, rdev);
104057+ sys_chown((char __force_user *)collected, uid, gid);
104058+ sys_chmod((char __force_user *)collected, mode);
104059+ do_utime((char __force_user *)collected, mtime);
104060 }
104061 }
104062 return 0;
104063@@ -372,7 +372,7 @@ static int __init do_copy(void)
104064 if (xwrite(wfd, victim, body_len) != body_len)
104065 error("write error");
104066 sys_close(wfd);
104067- do_utime(vcollected, mtime);
104068+ do_utime((char __force_user *)vcollected, mtime);
104069 kfree(vcollected);
104070 eat(body_len);
104071 state = SkipIt;
104072@@ -390,9 +390,9 @@ static int __init do_symlink(void)
104073 {
104074 collected[N_ALIGN(name_len) + body_len] = '\0';
104075 clean_path(collected, 0);
104076- sys_symlink(collected + N_ALIGN(name_len), collected);
104077- sys_lchown(collected, uid, gid);
104078- do_utime(collected, mtime);
104079+ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
104080+ sys_lchown((char __force_user *)collected, uid, gid);
104081+ do_utime((char __force_user *)collected, mtime);
104082 state = SkipIt;
104083 next_state = Reset;
104084 return 0;
104085diff --git a/init/main.c b/init/main.c
104086index 5650655..937d1b1 100644
104087--- a/init/main.c
104088+++ b/init/main.c
104089@@ -97,6 +97,8 @@ extern void radix_tree_init(void);
104090 static inline void mark_rodata_ro(void) { }
104091 #endif
104092
104093+extern void grsecurity_init(void);
104094+
104095 /*
104096 * Debug helper: via this flag we know that we are in 'early bootup code'
104097 * where only the boot processor is running with IRQ disabled. This means
104098@@ -158,6 +160,37 @@ static int __init set_reset_devices(char *str)
104099
104100 __setup("reset_devices", set_reset_devices);
104101
104102+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
104103+kgid_t grsec_proc_gid = KGIDT_INIT(CONFIG_GRKERNSEC_PROC_GID);
104104+static int __init setup_grsec_proc_gid(char *str)
104105+{
104106+ grsec_proc_gid = KGIDT_INIT(simple_strtol(str, NULL, 0));
104107+ return 1;
104108+}
104109+__setup("grsec_proc_gid=", setup_grsec_proc_gid);
104110+#endif
104111+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
104112+int grsec_enable_sysfs_restrict = 1;
104113+static int __init setup_grsec_sysfs_restrict(char *str)
104114+{
104115+ if (!simple_strtol(str, NULL, 0))
104116+ grsec_enable_sysfs_restrict = 0;
104117+ return 1;
104118+}
104119+__setup("grsec_sysfs_restrict", setup_grsec_sysfs_restrict);
104120+#endif
104121+
104122+#ifdef CONFIG_PAX_SOFTMODE
104123+int pax_softmode;
104124+
104125+static int __init setup_pax_softmode(char *str)
104126+{
104127+ get_option(&str, &pax_softmode);
104128+ return 1;
104129+}
104130+__setup("pax_softmode=", setup_pax_softmode);
104131+#endif
104132+
104133 static const char *argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
104134 const char *envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
104135 static const char *panic_later, *panic_param;
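Review bot: `__setup("grsec_sysfs_restrict", ...)` is registered without the trailing `=` that `grsec_proc_gid=` and `pax_softmode=` have, so the handler appears to receive a string that starts at the `=`. `simple_strtol("=1", NULL, 0)` parses no digits and returns 0, which would switch the restriction off for `grsec_sysfs_restrict=1` as well as `=0`. That is a fail-open on a hardening switch; registering it as `__setup("grsec_sysfs_restrict=", setup_grsec_sysfs_restrict);` hands the handler the bare value. Separately, setup_grsec_proc_gid() accepts whatever `simple_strtol` returns, so a malformed `grsec_proc_gid=` silently becomes gid 0. Using `kstrtoint()` and keeping the compiled-in CONFIG_GRKERNSEC_PROC_GID on a parse error would be safer.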
104136@@ -731,7 +764,7 @@ static bool __init_or_module initcall_blacklisted(initcall_t fn)
104137 struct blacklist_entry *entry;
104138 char *fn_name;
104139
104140- fn_name = kasprintf(GFP_KERNEL, "%pf", fn);
104141+ fn_name = kasprintf(GFP_KERNEL, "%pX", fn);
104142 if (!fn_name)
104143 return false;
104144
104145@@ -783,7 +816,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
104146 {
104147 int count = preempt_count();
104148 int ret;
104149- char msgbuf[64];
104150+ const char *msg1 = "", *msg2 = "";
104151
104152 if (initcall_blacklisted(fn))
104153 return -EPERM;
104154@@ -793,18 +826,17 @@ int __init_or_module do_one_initcall(initcall_t fn)
104155 else
104156 ret = fn();
104157
104158- msgbuf[0] = 0;
104159-
104160 if (preempt_count() != count) {
104161- sprintf(msgbuf, "preemption imbalance ");
104162+ msg1 = " preemption imbalance";
104163 preempt_count_set(count);
104164 }
104165 if (irqs_disabled()) {
104166- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
104167+ msg2 = " disabled interrupts";
104168 local_irq_enable();
104169 }
104170- WARN(msgbuf[0], "initcall %pF returned with %s\n", fn, msgbuf);
104171+ WARN(*msg1 || *msg2, "initcall %pF returned with%s%s\n", fn, msg1, msg2);
104172
104173+ add_latent_entropy();
104174 return ret;
104175 }
104176
104177@@ -910,8 +942,8 @@ static int run_init_process(const char *init_filename)
104178 {
104179 argv_init[0] = init_filename;
104180 return do_execve(getname_kernel(init_filename),
104181- (const char __user *const __user *)argv_init,
104182- (const char __user *const __user *)envp_init);
104183+ (const char __user *const __force_user *)argv_init,
104184+ (const char __user *const __force_user *)envp_init);
104185 }
104186
104187 static int try_to_run_init_process(const char *init_filename)
104188@@ -928,6 +960,10 @@ static int try_to_run_init_process(const char *init_filename)
104189 return ret;
104190 }
104191
104192+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
104193+extern int gr_init_ran;
104194+#endif
104195+
104196 static noinline void __init kernel_init_freeable(void);
104197
104198 static int __ref kernel_init(void *unused)
104199@@ -952,6 +988,11 @@ static int __ref kernel_init(void *unused)
104200 ramdisk_execute_command, ret);
104201 }
104202
104203+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
104204+ /* if no initrd was used, be extra sure we enforce chroot restrictions */
104205+ gr_init_ran = 1;
104206+#endif
104207+
104208 /*
104209 * We try each of these until one succeeds.
104210 *
104211@@ -1009,7 +1050,7 @@ static noinline void __init kernel_init_freeable(void)
104212 do_basic_setup();
104213
104214 /* Open the /dev/console on the rootfs, this should never fail */
104215- if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
104216+ if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
104217 pr_err("Warning: unable to open an initial console.\n");
104218
104219 (void) sys_dup(0);
104220@@ -1022,11 +1063,13 @@ static noinline void __init kernel_init_freeable(void)
104221 if (!ramdisk_execute_command)
104222 ramdisk_execute_command = "/init";
104223
104224- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
104225+ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
104226 ramdisk_execute_command = NULL;
104227 prepare_namespace();
104228 }
104229
104230+ grsecurity_init();
104231+
104232 /*
104233 * Ok, we have completed the initial bootup, and
104234 * we're essentially up and running. Get rid of the
104235diff --git a/ipc/compat.c b/ipc/compat.c
104236index 9b3c85f..5266b0f 100644
104237--- a/ipc/compat.c
104238+++ b/ipc/compat.c
104239@@ -396,7 +396,7 @@ COMPAT_SYSCALL_DEFINE6(ipc, u32, call, int, first, int, second,
104240 COMPAT_SHMLBA);
104241 if (err < 0)
104242 return err;
104243- return put_user(raddr, (compat_ulong_t *)compat_ptr(third));
104244+ return put_user(raddr, (compat_ulong_t __user *)compat_ptr(third));
104245 }
104246 case SHMDT:
104247 return sys_shmdt(compat_ptr(ptr));
104248@@ -747,7 +747,7 @@ COMPAT_SYSCALL_DEFINE3(shmctl, int, first, int, second, void __user *, uptr)
104249 }
104250
104251 COMPAT_SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsems,
104252- unsigned, nsops,
104253+ compat_long_t, nsops,
104254 const struct compat_timespec __user *, timeout)
104255 {
104256 struct timespec __user *ts64;
104257diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
104258index 8ad93c2..efd80f8 100644
104259--- a/ipc/ipc_sysctl.c
104260+++ b/ipc/ipc_sysctl.c
104261@@ -30,7 +30,7 @@ static void *get_ipc(struct ctl_table *table)
104262 static int proc_ipc_dointvec(struct ctl_table *table, int write,
104263 void __user *buffer, size_t *lenp, loff_t *ppos)
104264 {
104265- struct ctl_table ipc_table;
104266+ ctl_table_no_const ipc_table;
104267
104268 memcpy(&ipc_table, table, sizeof(ipc_table));
104269 ipc_table.data = get_ipc(table);
104270@@ -41,7 +41,7 @@ static int proc_ipc_dointvec(struct ctl_table *table, int write,
104271 static int proc_ipc_dointvec_minmax(struct ctl_table *table, int write,
104272 void __user *buffer, size_t *lenp, loff_t *ppos)
104273 {
104274- struct ctl_table ipc_table;
104275+ ctl_table_no_const ipc_table;
104276
104277 memcpy(&ipc_table, table, sizeof(ipc_table));
104278 ipc_table.data = get_ipc(table);
104279@@ -65,7 +65,7 @@ static int proc_ipc_dointvec_minmax_orphans(struct ctl_table *table, int write,
104280 static int proc_ipc_doulongvec_minmax(struct ctl_table *table, int write,
104281 void __user *buffer, size_t *lenp, loff_t *ppos)
104282 {
104283- struct ctl_table ipc_table;
104284+ ctl_table_no_const ipc_table;
104285 memcpy(&ipc_table, table, sizeof(ipc_table));
104286 ipc_table.data = get_ipc(table);
104287
104288@@ -76,7 +76,7 @@ static int proc_ipc_doulongvec_minmax(struct ctl_table *table, int write,
104289 static int proc_ipc_auto_msgmni(struct ctl_table *table, int write,
104290 void __user *buffer, size_t *lenp, loff_t *ppos)
104291 {
104292- struct ctl_table ipc_table;
104293+ ctl_table_no_const ipc_table;
104294 int dummy = 0;
104295
104296 memcpy(&ipc_table, table, sizeof(ipc_table));
104297diff --git a/ipc/mq_sysctl.c b/ipc/mq_sysctl.c
104298index 68d4e95..1477ded 100644
104299--- a/ipc/mq_sysctl.c
104300+++ b/ipc/mq_sysctl.c
104301@@ -25,7 +25,7 @@ static void *get_mq(struct ctl_table *table)
104302 static int proc_mq_dointvec(struct ctl_table *table, int write,
104303 void __user *buffer, size_t *lenp, loff_t *ppos)
104304 {
104305- struct ctl_table mq_table;
104306+ ctl_table_no_const mq_table;
104307 memcpy(&mq_table, table, sizeof(mq_table));
104308 mq_table.data = get_mq(table);
104309
104310@@ -35,7 +35,7 @@ static int proc_mq_dointvec(struct ctl_table *table, int write,
104311 static int proc_mq_dointvec_minmax(struct ctl_table *table, int write,
104312 void __user *buffer, size_t *lenp, loff_t *ppos)
104313 {
104314- struct ctl_table mq_table;
104315+ ctl_table_no_const mq_table;
104316 memcpy(&mq_table, table, sizeof(mq_table));
104317 mq_table.data = get_mq(table);
104318
104319diff --git a/ipc/mqueue.c b/ipc/mqueue.c
104320index 161a180..be31d93 100644
104321--- a/ipc/mqueue.c
104322+++ b/ipc/mqueue.c
104323@@ -274,6 +274,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
104324 mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
104325 info->attr.mq_msgsize);
104326
104327+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
104328 spin_lock(&mq_lock);
104329 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
104330 u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
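Review bot: The added `gr_learn_resource()` call reads `u->mq_bytes` before `spin_lock(&mq_lock)` and before the wrap check on the following lines, so the sum it is handed can be stale or already wrapped. What gr_learn_resource() does with that number is not visible in this hunk. If it only records a hint, a comment such as `/* unlocked read of u->mq_bytes: advisory only, the limit is enforced under mq_lock below */` would say so. If it feeds an enforcement decision, the sum should be computed under the lock. mqueue_get_inode() continues outside the hunk.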
104331diff --git a/ipc/msg.c b/ipc/msg.c
104332index 66c4f56..1471db9 100644
104333--- a/ipc/msg.c
104334+++ b/ipc/msg.c
104335@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
104336 return retval;
104337 }
104338
104339- /* ipc_addid() locks msq upon success. */
104340- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
104341- if (id < 0) {
104342- ipc_rcu_putref(msq, msg_rcu_free);
104343- return id;
104344- }
104345-
104346 msq->q_stime = msq->q_rtime = 0;
104347 msq->q_ctime = get_seconds();
104348 msq->q_cbytes = msq->q_qnum = 0;
104349@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
104350 INIT_LIST_HEAD(&msq->q_receivers);
104351 INIT_LIST_HEAD(&msq->q_senders);
104352
104353+ /* ipc_addid() locks msq upon success. */
104354+ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
104355+ if (id < 0) {
104356+ ipc_rcu_putref(msq, msg_rcu_free);
104357+ return id;
104358+ }
104359+
104360 ipc_unlock_object(&msq->q_perm);
104361 rcu_read_unlock();
104362
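Review bot: The reason for moving `ipc_addid()` below the field initialisation is not recorded; the only comment kept is that it locks msq on success. `ipc_addid()` places the object in the idr (see the `idr_alloc()` call in the ipc/util.c hunk), so every field a concurrent lookup may read has to be set first, and a later cleanup could easily move the call back up. I would extend the comment to `/* Must follow full initialisation of msq: ipc_addid() publishes it in the idr. It also locks msq upon success. */`. The same comment is missing from newseg() in ipc/shm.c and from the uid/gid assignment moved ahead of `idr_alloc()` in ipc_addid().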
104363diff --git a/ipc/sem.c b/ipc/sem.c
104364index b471e5a..89aef1d 100644
104365--- a/ipc/sem.c
104366+++ b/ipc/sem.c
104367@@ -1790,7 +1790,7 @@ static int get_queue_result(struct sem_queue *q)
104368 }
104369
104370 SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
104371- unsigned, nsops, const struct timespec __user *, timeout)
104372+ long, nsops, const struct timespec __user *, timeout)
104373 {
104374 int error = -EINVAL;
104375 struct sem_array *sma;
104376@@ -2025,7 +2025,7 @@ out_free:
104377 }
104378
104379 SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
104380- unsigned, nsops)
104381+ long, nsops)
104382 {
104383 return sys_semtimedop(semid, tsops, nsops, NULL);
104384 }
104385diff --git a/ipc/shm.c b/ipc/shm.c
104386index 4aef24d..c545631 100644
104387--- a/ipc/shm.c
104388+++ b/ipc/shm.c
104389@@ -72,6 +72,14 @@ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp);
104390 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
104391 #endif
104392
104393+#ifdef CONFIG_GRKERNSEC
104394+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
104395+ const u64 shm_createtime, const kuid_t cuid,
104396+ const int shmid);
104397+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
104398+ const u64 shm_createtime);
104399+#endif
104400+
104401 void shm_init_ns(struct ipc_namespace *ns)
104402 {
104403 ns->shm_ctlmax = SHMMAX;
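Review bot: The prototypes for `gr_handle_shmat()` and `gr_chroot_shmat()` are declared locally in ipc/shm.c rather than in a shared header, so the compiler cannot check them against the definitions when a parameter changes. The same pattern appears in ipc/util.c (`gr_ipc_permitted`, declared without the `#ifdef CONFIG_GRKERNSEC` used here) and in init/main.c (`grsecurity_init`, `gr_init_ran`). Putting these declarations in one header included by both the callers and the implementation would turn a signature mismatch in an access-check hook into a build error.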
104404@@ -551,20 +559,24 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
104405 if (IS_ERR(file))
104406 goto no_file;
104407
104408- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
104409- if (id < 0) {
104410- error = id;
104411- goto no_id;
104412- }
104413-
104414 shp->shm_cprid = task_tgid_vnr(current);
104415 shp->shm_lprid = 0;
104416 shp->shm_atim = shp->shm_dtim = 0;
104417 shp->shm_ctim = get_seconds();
104418+#ifdef CONFIG_GRKERNSEC
104419+ shp->shm_createtime = ktime_get_ns();
104420+#endif
104421 shp->shm_segsz = size;
104422 shp->shm_nattch = 0;
104423 shp->shm_file = file;
104424 shp->shm_creator = current;
104425+
104426+ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
104427+ if (id < 0) {
104428+ error = id;
104429+ goto no_id;
104430+ }
104431+
104432 list_add(&shp->shm_clist, &current->sysvshm.shm_clist);
104433
104434 /*
104435@@ -1097,6 +1109,12 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
104436 f_mode = FMODE_READ | FMODE_WRITE;
104437 }
104438 if (shmflg & SHM_EXEC) {
104439+
104440+#ifdef CONFIG_PAX_MPROTECT
104441+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
104442+ goto out;
104443+#endif
104444+
104445 prot |= PROT_EXEC;
104446 acc_mode |= S_IXUGO;
104447 }
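Review bot: The new `goto out` taken for `SHM_EXEC` under `MF_PAX_MPROTECT` does not assign `err`, so the caller gets whatever value the code above the hunk left in it rather than an explicit permission error. The gr_handle_shmat() refusal in the next hunk sets `err = -EACCES` before jumping; adding `err = -EACCES;` before this `goto out` would make the denial distinguishable from an argument error. do_shmat() starts before the hunk, so the prior value of `err` is not visible here.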
104448@@ -1121,6 +1139,15 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
104449 if (err)
104450 goto out_unlock;
104451
104452+#ifdef CONFIG_GRKERNSEC
104453+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
104454+ shp->shm_perm.cuid, shmid) ||
104455+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
104456+ err = -EACCES;
104457+ goto out_unlock;
104458+ }
104459+#endif
104460+
104461 ipc_lock_object(&shp->shm_perm);
104462
104463 /* check if shm_destroy() is tearing down shp */
104464@@ -1133,6 +1160,9 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
104465 path = shp->shm_file->f_path;
104466 path_get(&path);
104467 shp->shm_nattch++;
104468+#ifdef CONFIG_GRKERNSEC
104469+ shp->shm_lapid = current->pid;
104470+#endif
104471 size = i_size_read(d_inode(path.dentry));
104472 ipc_unlock_object(&shp->shm_perm);
104473 rcu_read_unlock();
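Review bot: `shm_lapid` is filled from `current->pid`, while `shm_cprid` in newseg() comes from `task_tgid_vnr(current)`, so one is a per-thread id and the other a thread-group id as seen from the caller's pid namespace. Both are passed side by side to gr_handle_shmat() and gr_chroot_shmat(), whose bodies are not shown in these hunks. If those helpers compare either field against a task's pid, the two will disagree for threaded or pid-namespaced callers. If the intent is "last attaching process", `shp->shm_lapid = task_tgid_vnr(current);` would keep both fields in the same id space.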
104474diff --git a/ipc/util.c b/ipc/util.c
104475index be42300..049b0ff 100644
104476--- a/ipc/util.c
104477+++ b/ipc/util.c
104478@@ -71,6 +71,8 @@ struct ipc_proc_iface {
104479 int (*show)(struct seq_file *, void *);
104480 };
104481
104482+extern int gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode);
104483+
104484 /**
104485 * ipc_init - initialise ipc subsystem
104486 *
104487@@ -237,6 +239,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
104488 rcu_read_lock();
104489 spin_lock(&new->lock);
104490
104491+ current_euid_egid(&euid, &egid);
104492+ new->cuid = new->uid = euid;
104493+ new->gid = new->cgid = egid;
104494+
104495 id = idr_alloc(&ids->ipcs_idr, new,
104496 (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
104497 GFP_NOWAIT);
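Review bot: Nothing at the moved assignment explains why the owner fields must be filled in before `idr_alloc()`. As far as this hunk shows, the point is that the object can be found through `ids->ipcs_idr` once it is inserted, so `cuid`/`uid`/`gid`/`cgid` should already be valid by then. Without a comment the block is easy to move back below the allocation in a later cleanup; I would add `/* set ownership before idr_alloc() makes the object visible to lookups */` above `current_euid_egid(&euid, &egid);`. The matching removal is in the next hunk, and ipc_addid's body is not fully shown.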
104498@@ -249,10 +255,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
104499
104500 ids->in_use++;
104501
104502- current_euid_egid(&euid, &egid);
104503- new->cuid = new->uid = euid;
104504- new->gid = new->cgid = egid;
104505-
104506 if (next_id < 0) {
104507 new->seq = ids->seq++;
104508 if (ids->seq > IPCID_SEQ_MAX)
104509@@ -494,6 +496,10 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
104510 granted_mode >>= 6;
104511 else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
104512 granted_mode >>= 3;
104513+
104514+ if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
104515+ return -1;
104516+
104517 /* is there some bit set in requested_mode but not in granted_mode? */
104518 if ((requested_mode & ~granted_mode & 0007) &&
104519 !ns_capable(ns->user_ns, CAP_IPC_OWNER))
104520diff --git a/kernel/audit.c b/kernel/audit.c
104521index f9e6065..3fcb6ab 100644
104522--- a/kernel/audit.c
104523+++ b/kernel/audit.c
104524@@ -124,7 +124,7 @@ u32 audit_sig_sid = 0;
104525 3) suppressed due to audit_rate_limit
104526 4) suppressed due to audit_backlog_limit
104527 */
104528-static atomic_t audit_lost = ATOMIC_INIT(0);
104529+static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
104530
104531 /* The netlink socket. */
104532 static struct sock *audit_sock;
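Review bot: `audit_lost` is switched to `atomic_unchecked_t` with no comment saying why wraparound is acceptable for it. The type is defined outside this chunk, and the patch appears to use it for counters exempted from the overflow checking applied to `atomic_t`. In the hunks shown the value is only incremented and then printed or reported, so a short note on the declaration, `/* statistics only, may wrap; never used as a reference count */`, would let a reader confirm the exemption is safe. The same applies to `session_id` in kernel/auditsc.c, `kgdb_break_tasklet_var` and `kgdb_cpu_doing_single_step` in kernel/debug/debug_core.c, and `perf_event_id` in kernel/events/core.c.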
104533@@ -258,7 +258,7 @@ void audit_log_lost(const char *message)
104534 unsigned long now;
104535 int print;
104536
104537- atomic_inc(&audit_lost);
104538+ atomic_inc_unchecked(&audit_lost);
104539
104540 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
104541
104542@@ -275,7 +275,7 @@ void audit_log_lost(const char *message)
104543 if (print) {
104544 if (printk_ratelimit())
104545 pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n",
104546- atomic_read(&audit_lost),
104547+ atomic_read_unchecked(&audit_lost),
104548 audit_rate_limit,
104549 audit_backlog_limit);
104550 audit_panic(message);
104551@@ -833,7 +833,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
104552 s.pid = audit_pid;
104553 s.rate_limit = audit_rate_limit;
104554 s.backlog_limit = audit_backlog_limit;
104555- s.lost = atomic_read(&audit_lost);
104556+ s.lost = atomic_read_unchecked(&audit_lost);
104557 s.backlog = skb_queue_len(&audit_skb_queue);
104558 s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
104559 s.backlog_wait_time = audit_backlog_wait_time_master;
104560diff --git a/kernel/auditsc.c b/kernel/auditsc.c
104561index e85bdfd..441a638 100644
104562--- a/kernel/auditsc.c
104563+++ b/kernel/auditsc.c
104564@@ -1021,7 +1021,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
104565 * for strings that are too long, we should not have created
104566 * any.
104567 */
104568- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
104569+ if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
104570 send_sig(SIGKILL, current, 0);
104571 return -1;
104572 }
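Review bot: Dropping `len < 0` from the WARN_ON_ONCE is only equivalent if `len` has an unsigned type, and its declaration is outside this hunk. If it is unsigned, a length that underflowed still trips `len > MAX_ARG_STRLEN - 1`, but the guard now rests on an implicit wrap. A comment such as `/* len is unsigned: an underflowed length is caught by the upper bound */` would make the single comparison self-explanatory. If `len` is signed in any configuration this code is built for, the removed test has to stay.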
104573@@ -1952,7 +1952,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
104574 }
104575
104576 /* global counter which is incremented every time something logs in */
104577-static atomic_t session_id = ATOMIC_INIT(0);
104578+static atomic_unchecked_t session_id = ATOMIC_INIT(0);
104579
104580 static int audit_set_loginuid_perm(kuid_t loginuid)
104581 {
104582@@ -2019,7 +2019,7 @@ int audit_set_loginuid(kuid_t loginuid)
104583
104584 /* are we setting or clearing? */
104585 if (uid_valid(loginuid))
104586- sessionid = (unsigned int)atomic_inc_return(&session_id);
104587+ sessionid = (unsigned int)atomic_inc_return_unchecked(&session_id);
104588
104589 task->sessionid = sessionid;
104590 task->loginuid = loginuid;
104591diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
104592index c5bedc8..6ec8715 100644
104593--- a/kernel/bpf/core.c
104594+++ b/kernel/bpf/core.c
104595@@ -145,14 +145,17 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
104596 * random section of illegal instructions.
104597 */
104598 size = round_up(proglen + sizeof(*hdr) + 128, PAGE_SIZE);
104599- hdr = module_alloc(size);
104600+ hdr = module_alloc_exec(size);
104601 if (hdr == NULL)
104602 return NULL;
104603
104604 /* Fill space with illegal/arch-dep instructions. */
104605 bpf_fill_ill_insns(hdr, size);
104606
104607+ pax_open_kernel();
104608 hdr->pages = size / PAGE_SIZE;
104609+ pax_close_kernel();
104610+
104611 hole = min_t(unsigned int, size - (proglen + sizeof(*hdr)),
104612 PAGE_SIZE - sizeof(*hdr));
104613 start = (prandom_u32() % hole) & ~(alignment - 1);
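Review bot: Only the `hdr->pages` store is bracketed by `pax_open_kernel()`/`pax_close_kernel()`, yet `bpf_fill_ill_insns(hdr, size)` two lines earlier writes to the same `module_alloc_exec()` allocation with no bracket visible in this hunk. If that memory is not writable by ordinary kernel stores, the fill callback needs the same treatment, either here or inside each architecture's implementation, which cannot be checked from this hunk. A comment on the open/close pair saying why a plain store is not possible would help the next reader. bpf_jit_binary_alloc starts and ends outside the hunk.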
104614@@ -165,7 +168,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
104615
104616 void bpf_jit_binary_free(struct bpf_binary_header *hdr)
104617 {
104618- module_memfree(hdr);
104619+ module_memfree_exec(hdr);
104620 }
104621 #endif /* CONFIG_BPF_JIT */
104622
104623diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
104624index a1b14d1..7dce5d9 100644
104625--- a/kernel/bpf/syscall.c
104626+++ b/kernel/bpf/syscall.c
104627@@ -592,11 +592,15 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
104628 int err;
104629
104630 /* the syscall is limited to root temporarily. This restriction will be
104631- * lifted when security audit is clean. Note that eBPF+tracing must have
104632- * this restriction, since it may pass kernel data to user space
104633+ * lifted by upstream when a half-assed security audit is clean. Note
104634+ * that eBPF+tracing must have this restriction, since it may pass
104635+ * kernel data to user space
104636 */
104637 if (!capable(CAP_SYS_ADMIN))
104638 return -EPERM;
104639+#ifdef CONFIG_GRKERNSEC
104640+ return -EPERM;
104641+#endif
104642
104643 if (!access_ok(VERIFY_READ, uattr, 1))
104644 return -EFAULT;
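Review bot: With CONFIG_GRKERNSEC set, the unconditional `return -EPERM;` makes everything below it in the syscall unreachable and leaves the preceding `capable(CAP_SYS_ADMIN)` test with no effect on the result, although that call still runs. Putting the unconditional return first and moving the capability test into an `#else` branch states the policy directly and avoids unreachable-code warnings: `#ifdef CONFIG_GRKERNSEC`, `return -EPERM;`, `#else`, then the existing check. The comment above still says the syscall is limited to root, which does not describe a CONFIG_GRKERNSEC build; it should say that bpf() is refused outright there.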
104645diff --git a/kernel/capability.c b/kernel/capability.c
104646index 45432b5..988f1e4 100644
104647--- a/kernel/capability.c
104648+++ b/kernel/capability.c
104649@@ -193,6 +193,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
104650 * before modification is attempted and the application
104651 * fails.
104652 */
104653+ if (tocopy > ARRAY_SIZE(kdata))
104654+ return -EFAULT;
104655+
104656 if (copy_to_user(dataptr, kdata, tocopy
104657 * sizeof(struct __user_cap_data_struct))) {
104658 return -EFAULT;
104659@@ -298,10 +301,11 @@ bool has_ns_capability(struct task_struct *t,
104660 int ret;
104661
104662 rcu_read_lock();
104663- ret = security_capable(__task_cred(t), ns, cap);
104664+ ret = security_capable(__task_cred(t), ns, cap) == 0 &&
104665+ gr_task_is_capable(t, __task_cred(t), cap);
104666 rcu_read_unlock();
104667
104668- return (ret == 0);
104669+ return ret;
104670 }
104671
104672 /**
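Review bot: `ret` stays declared as `int` but now holds the result of a `&&` expression and is returned from a `bool` function, so its name and type no longer say what it contains; `bool allowed;` would. The new expression also evaluates `__task_cred(t)` twice. A local `const struct cred *cred = __task_cred(t);` inside the RCU section would read better and make it obvious both checks see the same credentials. has_ns_capability_noaudit in the next hunk has the same `int ret` pattern.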
104673@@ -338,10 +342,10 @@ bool has_ns_capability_noaudit(struct task_struct *t,
104674 int ret;
104675
104676 rcu_read_lock();
104677- ret = security_capable_noaudit(__task_cred(t), ns, cap);
104678+ ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && gr_task_is_capable_nolog(t, cap);
104679 rcu_read_unlock();
104680
104681- return (ret == 0);
104682+ return ret;
104683 }
104684
104685 /**
104686@@ -379,7 +383,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
104687 BUG();
104688 }
104689
104690- if (security_capable(current_cred(), ns, cap) == 0) {
104691+ if (security_capable(current_cred(), ns, cap) == 0 && gr_is_capable(cap)) {
104692 current->flags |= PF_SUPERPRIV;
104693 return true;
104694 }
104695@@ -387,6 +391,20 @@ bool ns_capable(struct user_namespace *ns, int cap)
104696 }
104697 EXPORT_SYMBOL(ns_capable);
104698
104699+bool ns_capable_nolog(struct user_namespace *ns, int cap)
104700+{
104701+ if (unlikely(!cap_valid(cap))) {
104702+ pr_crit("capable_nolog() called with invalid cap=%u\n", cap);
104703+ BUG();
104704+ }
104705+
104706+ if (security_capable_noaudit(current_cred(), ns, cap) == 0 && gr_is_capable_nolog(cap)) {
104707+ current->flags |= PF_SUPERPRIV;
104708+ return true;
104709+ }
104710+ return false;
104711+}
104712+EXPORT_SYMBOL(ns_capable_nolog);
104713
104714 /**
104715 * capable - Determine if the current task has a superior capability in effect
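Review bot: `ns_capable_nolog()` is exported without a kernel-doc block like the one `capable()` carries just below, so nothing states how it differs from `ns_capable()`. From the body, it uses `security_capable_noaudit()` and `gr_is_capable_nolog()` and still sets `PF_SUPERPRIV` on success; the comment should say that and when a caller should prefer the non-logging variant. The `pr_crit` text names `capable_nolog()` rather than the function it is in and prints `int cap` with `%u`; `pr_crit("ns_capable_nolog() called with invalid cap=%d\n", cap);` would match. `capable_nolog()` and `capable_wrt_inode_uidgid_nolog()` in the following hunks are undocumented in the same way.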
104716@@ -403,6 +421,13 @@ bool capable(int cap)
104717 return ns_capable(&init_user_ns, cap);
104718 }
104719 EXPORT_SYMBOL(capable);
104720+
104721+bool capable_nolog(int cap)
104722+{
104723+ return ns_capable_nolog(&init_user_ns, cap);
104724+}
104725+EXPORT_SYMBOL(capable_nolog);
104726+
104727 #endif /* CONFIG_MULTIUSER */
104728
104729 /**
104730@@ -447,3 +472,12 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
104731 kgid_has_mapping(ns, inode->i_gid);
104732 }
104733 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
104734+
104735+bool capable_wrt_inode_uidgid_nolog(const struct inode *inode, int cap)
104736+{
104737+ struct user_namespace *ns = current_user_ns();
104738+
104739+ return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
104740+ kgid_has_mapping(ns, inode->i_gid);
104741+}
104742+EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog);
104743diff --git a/kernel/cgroup.c b/kernel/cgroup.c
104744index c6c4240..8af0064 100644
104745--- a/kernel/cgroup.c
104746+++ b/kernel/cgroup.c
104747@@ -5367,6 +5367,9 @@ static void cgroup_release_agent(struct work_struct *work)
104748 if (!pathbuf || !agentbuf)
104749 goto out;
104750
104751+ if (agentbuf[0] == '\0')
104752+ goto out;
104753+
104754 path = cgroup_path(cgrp, pathbuf, PATH_MAX);
104755 if (!path)
104756 goto out;
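Review bot: The new `agentbuf[0] == '\0'` test has no comment, and the code that consumes `agentbuf` lies outside this hunk, so the reader has to guess that an empty release-agent path is being refused. A line such as `/* no release agent configured: nothing to run */` above the test would make that explicit. It is also worth confirming that the `out` label frees both buffers on this path, as it must already do for the `!pathbuf || !agentbuf` case.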
104757@@ -5552,7 +5555,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v)
104758 struct task_struct *task;
104759 int count = 0;
104760
104761- seq_printf(seq, "css_set %p\n", cset);
104762+ seq_printf(seq, "css_set %pK\n", cset);
104763
104764 list_for_each_entry(task, &cset->tasks, cg_list) {
104765 if (count++ > MAX_TASKS_SHOWN_PER_CSS)
104766diff --git a/kernel/compat.c b/kernel/compat.c
104767index 333d364..762ec00 100644
104768--- a/kernel/compat.c
104769+++ b/kernel/compat.c
104770@@ -13,6 +13,7 @@
104771
104772 #include <linux/linkage.h>
104773 #include <linux/compat.h>
104774+#include <linux/module.h>
104775 #include <linux/errno.h>
104776 #include <linux/time.h>
104777 #include <linux/signal.h>
104778@@ -220,7 +221,7 @@ static long compat_nanosleep_restart(struct restart_block *restart)
104779 mm_segment_t oldfs;
104780 long ret;
104781
104782- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
104783+ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
104784 oldfs = get_fs();
104785 set_fs(KERNEL_DS);
104786 ret = hrtimer_nanosleep_restart(restart);
104787@@ -252,7 +253,7 @@ COMPAT_SYSCALL_DEFINE2(nanosleep, struct compat_timespec __user *, rqtp,
104788 oldfs = get_fs();
104789 set_fs(KERNEL_DS);
104790 ret = hrtimer_nanosleep(&tu,
104791- rmtp ? (struct timespec __user *)&rmt : NULL,
104792+ rmtp ? (struct timespec __force_user *)&rmt : NULL,
104793 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
104794 set_fs(oldfs);
104795
104796@@ -378,7 +379,7 @@ COMPAT_SYSCALL_DEFINE1(sigpending, compat_old_sigset_t __user *, set)
104797 mm_segment_t old_fs = get_fs();
104798
104799 set_fs(KERNEL_DS);
104800- ret = sys_sigpending((old_sigset_t __user *) &s);
104801+ ret = sys_sigpending((old_sigset_t __force_user *) &s);
104802 set_fs(old_fs);
104803 if (ret == 0)
104804 ret = put_user(s, set);
104805@@ -468,7 +469,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
104806 mm_segment_t old_fs = get_fs();
104807
104808 set_fs(KERNEL_DS);
104809- ret = sys_old_getrlimit(resource, (struct rlimit __user *)&r);
104810+ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
104811 set_fs(old_fs);
104812
104813 if (!ret) {
104814@@ -550,8 +551,8 @@ COMPAT_SYSCALL_DEFINE4(wait4,
104815 set_fs (KERNEL_DS);
104816 ret = sys_wait4(pid,
104817 (stat_addr ?
104818- (unsigned int __user *) &status : NULL),
104819- options, (struct rusage __user *) &r);
104820+ (unsigned int __force_user *) &status : NULL),
104821+ options, (struct rusage __force_user *) &r);
104822 set_fs (old_fs);
104823
104824 if (ret > 0) {
104825@@ -577,8 +578,8 @@ COMPAT_SYSCALL_DEFINE5(waitid,
104826 memset(&info, 0, sizeof(info));
104827
104828 set_fs(KERNEL_DS);
104829- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
104830- uru ? (struct rusage __user *)&ru : NULL);
104831+ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
104832+ uru ? (struct rusage __force_user *)&ru : NULL);
104833 set_fs(old_fs);
104834
104835 if ((ret < 0) || (info.si_signo == 0))
104836@@ -712,8 +713,8 @@ COMPAT_SYSCALL_DEFINE4(timer_settime, timer_t, timer_id, int, flags,
104837 oldfs = get_fs();
104838 set_fs(KERNEL_DS);
104839 err = sys_timer_settime(timer_id, flags,
104840- (struct itimerspec __user *) &newts,
104841- (struct itimerspec __user *) &oldts);
104842+ (struct itimerspec __force_user *) &newts,
104843+ (struct itimerspec __force_user *) &oldts);
104844 set_fs(oldfs);
104845 if (!err && old && put_compat_itimerspec(old, &oldts))
104846 return -EFAULT;
104847@@ -730,7 +731,7 @@ COMPAT_SYSCALL_DEFINE2(timer_gettime, timer_t, timer_id,
104848 oldfs = get_fs();
104849 set_fs(KERNEL_DS);
104850 err = sys_timer_gettime(timer_id,
104851- (struct itimerspec __user *) &ts);
104852+ (struct itimerspec __force_user *) &ts);
104853 set_fs(oldfs);
104854 if (!err && put_compat_itimerspec(setting, &ts))
104855 return -EFAULT;
104856@@ -749,7 +750,7 @@ COMPAT_SYSCALL_DEFINE2(clock_settime, clockid_t, which_clock,
104857 oldfs = get_fs();
104858 set_fs(KERNEL_DS);
104859 err = sys_clock_settime(which_clock,
104860- (struct timespec __user *) &ts);
104861+ (struct timespec __force_user *) &ts);
104862 set_fs(oldfs);
104863 return err;
104864 }
104865@@ -764,7 +765,7 @@ COMPAT_SYSCALL_DEFINE2(clock_gettime, clockid_t, which_clock,
104866 oldfs = get_fs();
104867 set_fs(KERNEL_DS);
104868 err = sys_clock_gettime(which_clock,
104869- (struct timespec __user *) &ts);
104870+ (struct timespec __force_user *) &ts);
104871 set_fs(oldfs);
104872 if (!err && compat_put_timespec(&ts, tp))
104873 return -EFAULT;
104874@@ -784,7 +785,7 @@ COMPAT_SYSCALL_DEFINE2(clock_adjtime, clockid_t, which_clock,
104875
104876 oldfs = get_fs();
104877 set_fs(KERNEL_DS);
104878- ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
104879+ ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
104880 set_fs(oldfs);
104881
104882 err = compat_put_timex(utp, &txc);
104883@@ -804,7 +805,7 @@ COMPAT_SYSCALL_DEFINE2(clock_getres, clockid_t, which_clock,
104884 oldfs = get_fs();
104885 set_fs(KERNEL_DS);
104886 err = sys_clock_getres(which_clock,
104887- (struct timespec __user *) &ts);
104888+ (struct timespec __force_user *) &ts);
104889 set_fs(oldfs);
104890 if (!err && tp && compat_put_timespec(&ts, tp))
104891 return -EFAULT;
104892@@ -818,7 +819,7 @@ static long compat_clock_nanosleep_restart(struct restart_block *restart)
104893 struct timespec tu;
104894 struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
104895
104896- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
104897+ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
104898 oldfs = get_fs();
104899 set_fs(KERNEL_DS);
104900 err = clock_nanosleep_restart(restart);
104901@@ -850,8 +851,8 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags,
104902 oldfs = get_fs();
104903 set_fs(KERNEL_DS);
104904 err = sys_clock_nanosleep(which_clock, flags,
104905- (struct timespec __user *) &in,
104906- (struct timespec __user *) &out);
104907+ (struct timespec __force_user *) &in,
104908+ (struct timespec __force_user *) &out);
104909 set_fs(oldfs);
104910
104911 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
104912@@ -1147,7 +1148,7 @@ COMPAT_SYSCALL_DEFINE2(sched_rr_get_interval,
104913 mm_segment_t old_fs = get_fs();
104914
104915 set_fs(KERNEL_DS);
104916- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
104917+ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
104918 set_fs(old_fs);
104919 if (compat_put_timespec(&t, interval))
104920 return -EFAULT;
104921diff --git a/kernel/configs.c b/kernel/configs.c
104922index c18b1f1..b9a0132 100644
104923--- a/kernel/configs.c
104924+++ b/kernel/configs.c
104925@@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
104926 struct proc_dir_entry *entry;
104927
104928 /* create the current config file */
104929+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
104930+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
104931+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
104932+ &ikconfig_file_ops);
104933+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
104934+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
104935+ &ikconfig_file_ops);
104936+#endif
104937+#else
104938 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
104939 &ikconfig_file_ops);
104940+#endif
104941+
104942 if (!entry)
104943 return -ENOMEM;
104944
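Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is defined but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#if`/`#elif` chain emits no `proc_create()` call and `entry` is tested uninitialised at `if (!entry)`. Kconfig dependencies outside this hunk may rule that combination out, but the code should not rely on it. Ending the inner chain with `#else` and the owner-only `proc_create("config.gz", S_IFREG | S_IRUSR, NULL, &ikconfig_file_ops);` (or an `#error`) makes the fallback explicit and fails closed.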
104945diff --git a/kernel/cred.c b/kernel/cred.c
104946index ec1c076..7da8a0e 100644
104947--- a/kernel/cred.c
104948+++ b/kernel/cred.c
104949@@ -167,6 +167,15 @@ void exit_creds(struct task_struct *tsk)
104950 validate_creds(cred);
104951 alter_cred_subscribers(cred, -1);
104952 put_cred(cred);
104953+
104954+#ifdef CONFIG_GRKERNSEC_SETXID
104955+ cred = (struct cred *) tsk->delayed_cred;
104956+ if (cred != NULL) {
104957+ tsk->delayed_cred = NULL;
104958+ validate_creds(cred);
104959+ put_cred(cred);
104960+ }
104961+#endif
104962 }
104963
104964 /**
104965@@ -414,7 +423,7 @@ static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
104966 * Always returns 0 thus allowing this function to be tail-called at the end
104967 * of, say, sys_setgid().
104968 */
104969-int commit_creds(struct cred *new)
104970+static int __commit_creds(struct cred *new)
104971 {
104972 struct task_struct *task = current;
104973 const struct cred *old = task->real_cred;
104974@@ -433,6 +442,8 @@ int commit_creds(struct cred *new)
104975
104976 get_cred(new); /* we will require a ref for the subj creds too */
104977
104978+ gr_set_role_label(task, new->uid, new->gid);
104979+
104980 /* dumpability changes */
104981 if (!uid_eq(old->euid, new->euid) ||
104982 !gid_eq(old->egid, new->egid) ||
104983@@ -482,6 +493,105 @@ int commit_creds(struct cred *new)
104984 put_cred(old);
104985 return 0;
104986 }
104987+#ifdef CONFIG_GRKERNSEC_SETXID
104988+extern int set_user(struct cred *new);
104989+
104990+void gr_delayed_cred_worker(void)
104991+{
104992+ const struct cred *new = current->delayed_cred;
104993+ struct cred *ncred;
104994+
104995+ current->delayed_cred = NULL;
104996+
104997+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) && new != NULL) {
104998+ // from doing get_cred on it when queueing this
104999+ put_cred(new);
105000+ return;
105001+ } else if (new == NULL)
105002+ return;
105003+
105004+ ncred = prepare_creds();
105005+ if (!ncred)
105006+ goto die;
105007+ // uids
105008+ ncred->uid = new->uid;
105009+ ncred->euid = new->euid;
105010+ ncred->suid = new->suid;
105011+ ncred->fsuid = new->fsuid;
105012+ // gids
105013+ ncred->gid = new->gid;
105014+ ncred->egid = new->egid;
105015+ ncred->sgid = new->sgid;
105016+ ncred->fsgid = new->fsgid;
105017+ // groups
105018+ set_groups(ncred, new->group_info);
105019+ // caps
105020+ ncred->securebits = new->securebits;
105021+ ncred->cap_inheritable = new->cap_inheritable;
105022+ ncred->cap_permitted = new->cap_permitted;
105023+ ncred->cap_effective = new->cap_effective;
105024+ ncred->cap_bset = new->cap_bset;
105025+
105026+ if (set_user(ncred)) {
105027+ abort_creds(ncred);
105028+ goto die;
105029+ }
105030+
105031+ // from doing get_cred on it when queueing this
105032+ put_cred(new);
105033+
105034+ __commit_creds(ncred);
105035+ return;
105036+die:
105037+ // from doing get_cred on it when queueing this
105038+ put_cred(new);
105039+ do_group_exit(SIGKILL);
105040+}
105041+#endif
105042+
105043+int commit_creds(struct cred *new)
105044+{
105045+#ifdef CONFIG_GRKERNSEC_SETXID
105046+ int ret;
105047+ int schedule_it = 0;
105048+ struct task_struct *t;
105049+ unsigned oldsecurebits = current_cred()->securebits;
105050+
105051+ /* we won't get called with tasklist_lock held for writing
105052+ and interrupts disabled as the cred struct in that case is
105053+ init_cred
105054+ */
105055+ if (grsec_enable_setxid && !current_is_single_threaded() &&
105056+ uid_eq(current_uid(), GLOBAL_ROOT_UID) &&
105057+ !uid_eq(new->uid, GLOBAL_ROOT_UID)) {
105058+ schedule_it = 1;
105059+ }
105060+ ret = __commit_creds(new);
105061+ if (schedule_it) {
105062+ rcu_read_lock();
105063+ read_lock(&tasklist_lock);
105064+ for (t = next_thread(current); t != current;
105065+ t = next_thread(t)) {
105066+ /* we'll check if the thread has uid 0 in
105067+ * the delayed worker routine
105068+ */
105069+ if (task_securebits(t) == oldsecurebits &&
105070+ t->delayed_cred == NULL) {
105071+ t->delayed_cred = get_cred(new);
105072+ set_tsk_thread_flag(t, TIF_GRSEC_SETXID);
105073+ set_tsk_need_resched(t);
105074+ }
105075+ }
105076+ read_unlock(&tasklist_lock);
105077+ rcu_read_unlock();
105078+ }
105079+
105080+ return ret;
105081+#else
105082+ return __commit_creds(new);
105083+#endif
105084+}
105085+
105086 EXPORT_SYMBOL(commit_creds);
105087
105088 /**
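Review bot: The queueing loop in commit_creds() tests `t->delayed_cred == NULL` and then stores to it while holding `tasklist_lock` only for reading, and gr_delayed_cred_worker() reads and clears `current->delayed_cred` with no lock at all, so nothing visible here stops two writers, or a writer and the worker, from interleaving. If no other serialisation exists outside this hunk, the outcome is a leaked or lost cred reference on a privilege-dropping path. An atomic exchange would close that window: `new = xchg(&current->delayed_cred, NULL);` in the worker, and in the loop take the reference first and publish it with `cmpxchg(&t->delayed_cred, NULL, new)`, dropping the reference again if the slot was already filled. Separately, the worker's first two branches are easier to read with the `new == NULL` test first.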
105089diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
105090index 0874e2e..5b32cc9 100644
105091--- a/kernel/debug/debug_core.c
105092+++ b/kernel/debug/debug_core.c
105093@@ -127,7 +127,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_lock);
105094 */
105095 static atomic_t masters_in_kgdb;
105096 static atomic_t slaves_in_kgdb;
105097-static atomic_t kgdb_break_tasklet_var;
105098+static atomic_unchecked_t kgdb_break_tasklet_var;
105099 atomic_t kgdb_setting_breakpoint;
105100
105101 struct task_struct *kgdb_usethread;
105102@@ -137,7 +137,7 @@ int kgdb_single_step;
105103 static pid_t kgdb_sstep_pid;
105104
105105 /* to keep track of the CPU which is doing the single stepping*/
105106-atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
105107+atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
105108
105109 /*
105110 * If you are debugging a problem where roundup (the collection of
105111@@ -552,7 +552,7 @@ return_normal:
105112 * kernel will only try for the value of sstep_tries before
105113 * giving up and continuing on.
105114 */
105115- if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
105116+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
105117 (kgdb_info[cpu].task &&
105118 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
105119 atomic_set(&kgdb_active, -1);
105120@@ -654,8 +654,8 @@ cpu_master_loop:
105121 }
105122
105123 kgdb_restore:
105124- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
105125- int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
105126+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
105127+ int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
105128 if (kgdb_info[sstep_cpu].task)
105129 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
105130 else
105131@@ -949,18 +949,18 @@ static void kgdb_unregister_callbacks(void)
105132 static void kgdb_tasklet_bpt(unsigned long ing)
105133 {
105134 kgdb_breakpoint();
105135- atomic_set(&kgdb_break_tasklet_var, 0);
105136+ atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
105137 }
105138
105139 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
105140
105141 void kgdb_schedule_breakpoint(void)
105142 {
105143- if (atomic_read(&kgdb_break_tasklet_var) ||
105144+ if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
105145 atomic_read(&kgdb_active) != -1 ||
105146 atomic_read(&kgdb_setting_breakpoint))
105147 return;
105148- atomic_inc(&kgdb_break_tasklet_var);
105149+ atomic_inc_unchecked(&kgdb_break_tasklet_var);
105150 tasklet_schedule(&kgdb_tasklet_breakpoint);
105151 }
105152 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
105153diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
105154index 41213454..861e178 100644
105155--- a/kernel/debug/kdb/kdb_main.c
105156+++ b/kernel/debug/kdb/kdb_main.c
105157@@ -2021,7 +2021,7 @@ static int kdb_lsmod(int argc, const char **argv)
105158 continue;
105159
105160 kdb_printf("%-20s%8u 0x%p ", mod->name,
105161- mod->core_size, (void *)mod);
105162+ mod->core_size_rx + mod->core_size_rw, (void *)mod);
105163 #ifdef CONFIG_MODULE_UNLOAD
105164 kdb_printf("%4d ", module_refcount(mod));
105165 #endif
105166@@ -2031,7 +2031,7 @@ static int kdb_lsmod(int argc, const char **argv)
105167 kdb_printf(" (Loading)");
105168 else
105169 kdb_printf(" (Live)");
105170- kdb_printf(" 0x%p", mod->module_core);
105171+ kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
105172
105173 #ifdef CONFIG_MODULE_UNLOAD
105174 {
105175diff --git a/kernel/events/core.c b/kernel/events/core.c
105176index e6feb51..470c853 100644
105177--- a/kernel/events/core.c
105178+++ b/kernel/events/core.c
105179@@ -174,8 +174,15 @@ static struct srcu_struct pmus_srcu;
105180 * 0 - disallow raw tracepoint access for unpriv
105181 * 1 - disallow cpu events for unpriv
105182 * 2 - disallow kernel profiling for unpriv
105183+ * 3 - disallow all unpriv perf event use
105184 */
105185-int sysctl_perf_event_paranoid __read_mostly = 1;
105186+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
105187+int sysctl_perf_event_legitimately_concerned __read_only = 3;
105188+#elif defined(CONFIG_GRKERNSEC_HIDESYM)
105189+int sysctl_perf_event_legitimately_concerned __read_only = 2;
105190+#else
105191+int sysctl_perf_event_legitimately_concerned __read_only = 1;
105192+#endif
105193
105194 /* Minimum for 512 kiB + 1 user control page */
105195 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
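Review bot: The comment now documents level 3 as "disallow all unpriv perf event use", but the only check for it shown in this file, `perf_paranoid_any()` in the perf_event_open hunk further down, is compiled only under `CONFIG_GRKERNSEC_PERF_HARDEN`. On a build without that option a value of 3 would not do what the comment promises, unless the sysctl range is limited elsewhere, which cannot be seen here. The comment line should carry the condition, e.g. `* 3 - disallow all unpriv perf event use (CONFIG_GRKERNSEC_PERF_HARDEN only)`. The variable also becomes `__read_only` while keeping a sysctl name, so whichever handler updates it needs checking against that attribute.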
105196@@ -201,7 +208,7 @@ void update_perf_cpu_limits(void)
105197
105198 tmp *= sysctl_perf_cpu_time_max_percent;
105199 do_div(tmp, 100);
105200- ACCESS_ONCE(perf_sample_allowed_ns) = tmp;
105201+ ACCESS_ONCE_RW(perf_sample_allowed_ns) = tmp;
105202 }
105203
105204 static int perf_rotate_context(struct perf_cpu_context *cpuctx);
105205@@ -307,7 +314,7 @@ void perf_sample_event_took(u64 sample_len_ns)
105206 }
105207 }
105208
105209-static atomic64_t perf_event_id;
105210+static atomic64_unchecked_t perf_event_id;
105211
105212 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
105213 enum event_type_t event_type);
105214@@ -3753,9 +3760,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
105215 mutex_lock(&event->child_mutex);
105216 total += perf_event_read(event);
105217 *enabled += event->total_time_enabled +
105218- atomic64_read(&event->child_total_time_enabled);
105219+ atomic64_read_unchecked(&event->child_total_time_enabled);
105220 *running += event->total_time_running +
105221- atomic64_read(&event->child_total_time_running);
105222+ atomic64_read_unchecked(&event->child_total_time_running);
105223
105224 list_for_each_entry(child, &event->child_list, child_list) {
105225 total += perf_event_read(child);
105226@@ -4285,10 +4292,10 @@ void perf_event_update_userpage(struct perf_event *event)
105227 userpg->offset -= local64_read(&event->hw.prev_count);
105228
105229 userpg->time_enabled = enabled +
105230- atomic64_read(&event->child_total_time_enabled);
105231+ atomic64_read_unchecked(&event->child_total_time_enabled);
105232
105233 userpg->time_running = running +
105234- atomic64_read(&event->child_total_time_running);
105235+ atomic64_read_unchecked(&event->child_total_time_running);
105236
105237 arch_perf_update_userpage(event, userpg, now);
105238
105239@@ -4963,7 +4970,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
105240
105241 /* Data. */
105242 sp = perf_user_stack_pointer(regs);
105243- rem = __output_copy_user(handle, (void *) sp, dump_size);
105244+ rem = __output_copy_user(handle, (void __user *) sp, dump_size);
105245 dyn_size = dump_size - rem;
105246
105247 perf_output_skip(handle, rem);
105248@@ -5054,11 +5061,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
105249 values[n++] = perf_event_count(event);
105250 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
105251 values[n++] = enabled +
105252- atomic64_read(&event->child_total_time_enabled);
105253+ atomic64_read_unchecked(&event->child_total_time_enabled);
105254 }
105255 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
105256 values[n++] = running +
105257- atomic64_read(&event->child_total_time_running);
105258+ atomic64_read_unchecked(&event->child_total_time_running);
105259 }
105260 if (read_format & PERF_FORMAT_ID)
105261 values[n++] = primary_event_id(event);
105262@@ -7588,7 +7595,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
105263 event->parent = parent_event;
105264
105265 event->ns = get_pid_ns(task_active_pid_ns(current));
105266- event->id = atomic64_inc_return(&perf_event_id);
105267+ event->id = atomic64_inc_return_unchecked(&perf_event_id);
105268
105269 event->state = PERF_EVENT_STATE_INACTIVE;
105270
105271@@ -7947,6 +7954,11 @@ SYSCALL_DEFINE5(perf_event_open,
105272 if (flags & ~PERF_FLAG_ALL)
105273 return -EINVAL;
105274
105275+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
105276+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
105277+ return -EACCES;
105278+#endif
105279+
105280 err = perf_copy_attr(attr_uptr, &attr);
105281 if (err)
105282 return err;
105283@@ -8395,10 +8407,10 @@ static void sync_child_event(struct perf_event *child_event,
105284 /*
105285 * Add back the child's count to the parent's count:
105286 */
105287- atomic64_add(child_val, &parent_event->child_count);
105288- atomic64_add(child_event->total_time_enabled,
105289+ atomic64_add_unchecked(child_val, &parent_event->child_count);
105290+ atomic64_add_unchecked(child_event->total_time_enabled,
105291 &parent_event->child_total_time_enabled);
105292- atomic64_add(child_event->total_time_running,
105293+ atomic64_add_unchecked(child_event->total_time_running,
105294 &parent_event->child_total_time_running);
105295
105296 /*
105297diff --git a/kernel/events/internal.h b/kernel/events/internal.h
105298index 2bbad9c..056f20c 100644
105299--- a/kernel/events/internal.h
105300+++ b/kernel/events/internal.h
105301@@ -115,10 +115,10 @@ static inline unsigned long perf_aux_size(struct ring_buffer *rb)
105302 return rb->aux_nr_pages << PAGE_SHIFT;
105303 }
105304
105305-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
105306+#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
105307 static inline unsigned long \
105308 func_name(struct perf_output_handle *handle, \
105309- const void *buf, unsigned long len) \
105310+ const void user *buf, unsigned long len) \
105311 { \
105312 unsigned long size, written; \
105313 \
105314@@ -151,7 +151,7 @@ memcpy_common(void *dst, const void *src, unsigned long n)
105315 return 0;
105316 }
105317
105318-DEFINE_OUTPUT_COPY(__output_copy, memcpy_common)
105319+DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )
105320
105321 static inline unsigned long
105322 memcpy_skip(void *dst, const void *src, unsigned long n)
105323@@ -159,7 +159,7 @@ memcpy_skip(void *dst, const void *src, unsigned long n)
105324 return 0;
105325 }
105326
105327-DEFINE_OUTPUT_COPY(__output_skip, memcpy_skip)
105328+DEFINE_OUTPUT_COPY(__output_skip, memcpy_skip, )
105329
105330 #ifndef arch_perf_out_copy_user
105331 #define arch_perf_out_copy_user arch_perf_out_copy_user
105332@@ -177,7 +177,7 @@ arch_perf_out_copy_user(void *dst, const void *src, unsigned long n)
105333 }
105334 #endif
105335
105336-DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user)
105337+DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user, __user)
105338
105339 /* Callchain handling */
105340 extern struct perf_callchain_entry *
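Review bot: The `__user` qualifier passed to `DEFINE_OUTPUT_COPY(__output_copy_user, ...)` only annotates `buf` in the generated function, while the hunk header still shows `arch_perf_out_copy_user(void *dst, const void *src, unsigned long n)`. The pointer therefore presumably loses its address-space tag again when the macro body hands it to `memcpy_func`; that body is outside these hunks. If the callee is not re-annotated elsewhere in the patch, its parameter should become `const void __user *src` so sparse checks the whole path. The new third macro parameter also deserves a one-line comment at the definition, e.g. `/* user: address-space qualifier for buf, empty for kernel pointers */`.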
105341diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
105342index cb346f2..e4dc317 100644
105343--- a/kernel/events/uprobes.c
105344+++ b/kernel/events/uprobes.c
105345@@ -1670,7 +1670,7 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
105346 {
105347 struct page *page;
105348 uprobe_opcode_t opcode;
105349- int result;
105350+ long result;
105351
105352 pagefault_disable();
105353 result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr,
105354diff --git a/kernel/exit.c b/kernel/exit.c
105355index 031325e..c6342c4 100644
105356--- a/kernel/exit.c
105357+++ b/kernel/exit.c
105358@@ -171,6 +171,10 @@ void release_task(struct task_struct *p)
105359 struct task_struct *leader;
105360 int zap_leader;
105361 repeat:
105362+#ifdef CONFIG_NET
105363+ gr_del_task_from_ip_table(p);
105364+#endif
105365+
105366 /* don't need to get the RCU readlock here - the process is dead and
105367 * can't be modifying its own credentials. But shut RCU-lockdep up */
105368 rcu_read_lock();
105369@@ -656,6 +660,8 @@ void do_exit(long code)
105370 int group_dead;
105371 TASKS_RCU(int tasks_rcu_i);
105372
105373+ set_fs(USER_DS);
105374+
105375 profile_task_exit(tsk);
105376
105377 WARN_ON(blk_needs_flush_plug(tsk));
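Review bot: The `set_fs(USER_DS)` added at the top of `do_exit()` carries no comment. The comment that explains it (about `mm_release()->clear_child_tid()` writing to a user-controlled kernel address) is left behind at the old call site in the next hunk, now sitting above an empty line. Move that comment up with the call, or add a short one here such as `/* reset the address limit before anything below touches user memory */`, and delete the orphaned block. Only part of `do_exit()` is visible in these hunks.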
105378@@ -672,7 +678,6 @@ void do_exit(long code)
105379 * mm_release()->clear_child_tid() from writing to a user-controlled
105380 * kernel address.
105381 */
105382- set_fs(USER_DS);
105383
105384 ptrace_event(PTRACE_EVENT_EXIT, code);
105385
105386@@ -730,6 +735,9 @@ void do_exit(long code)
105387 tsk->exit_code = code;
105388 taskstats_exit(tsk, group_dead);
105389
105390+ gr_acl_handle_psacct(tsk, code);
105391+ gr_acl_handle_exit();
105392+
105393 exit_mm(tsk);
105394
105395 if (group_dead)
105396@@ -847,7 +855,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
105397 * Take down every thread in the group. This is called by fatal signals
105398 * as well as by sys_exit_group (below).
105399 */
105400-void
105401+__noreturn void
105402 do_group_exit(int exit_code)
105403 {
105404 struct signal_struct *sig = current->signal;
105405diff --git a/kernel/fork.c b/kernel/fork.c
105406index 26a70dc..74efe33 100644
105407--- a/kernel/fork.c
105408+++ b/kernel/fork.c
105409@@ -188,12 +188,54 @@ static void free_thread_info(struct thread_info *ti)
105410 void thread_info_cache_init(void)
105411 {
105412 thread_info_cache = kmem_cache_create("thread_info", THREAD_SIZE,
105413- THREAD_SIZE, 0, NULL);
105414+ THREAD_SIZE, SLAB_USERCOPY, NULL);
105415 BUG_ON(thread_info_cache == NULL);
105416 }
105417 # endif
105418 #endif
105419
105420+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
105421+static inline struct thread_info *gr_alloc_thread_info_node(struct task_struct *tsk,
105422+ int node, void **lowmem_stack)
105423+{
105424+ struct page *pages[THREAD_SIZE / PAGE_SIZE];
105425+ void *ret = NULL;
105426+ unsigned int i;
105427+
105428+ *lowmem_stack = alloc_thread_info_node(tsk, node);
105429+ if (*lowmem_stack == NULL)
105430+ goto out;
105431+
105432+ for (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++)
105433+ pages[i] = virt_to_page(*lowmem_stack + (i * PAGE_SIZE));
105434+
105435+ /* use VM_IOREMAP to gain THREAD_SIZE alignment */
105436+ ret = vmap(pages, THREAD_SIZE / PAGE_SIZE, VM_IOREMAP, PAGE_KERNEL);
105437+ if (ret == NULL) {
105438+ free_thread_info(*lowmem_stack);
105439+ *lowmem_stack = NULL;
105440+ }
105441+
105442+out:
105443+ return ret;
105444+}
105445+
105446+static inline void gr_free_thread_info(struct task_struct *tsk, struct thread_info *ti)
105447+{
105448+ unmap_process_stacks(tsk);
105449+}
105450+#else
105451+static inline struct thread_info *gr_alloc_thread_info_node(struct task_struct *tsk,
105452+ int node, void **lowmem_stack)
105453+{
105454+ return alloc_thread_info_node(tsk, node);
105455+}
105456+static inline void gr_free_thread_info(struct task_struct *tsk, struct thread_info *ti)
105457+{
105458+ free_thread_info(ti);
105459+}
105460+#endif
105461+
105462 /* SLAB cache for signal_struct structures (tsk->signal) */
105463 static struct kmem_cache *signal_cachep;
105464
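Review bot: Under CONFIG_GRKERNSEC_KSTACKOVERFLOW, `gr_free_thread_info()` ignores its `ti` argument and calls `unmap_process_stacks(tsk)`, yet `dup_task_struct()` jumps to `free_ti:` (later hunks) before `tsk->stack = ti` and `tsk->lowmem_stack = lowmem_stack` are assigned. Unless `unmap_process_stacks()` (not shown) copes with that, the error path cannot reach the mapping and pages just allocated, so they would leak or stale `tsk` fields would be acted on. The error path should release the local values directly, for example `vunmap(ti); free_thread_info(lowmem_stack);` under the same `#ifdef`. A short comment on `gr_alloc_thread_info_node()` saying that it returns the `vmap()` alias and stores the original allocation through `lowmem_stack` would also help.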
105465@@ -212,18 +254,22 @@ struct kmem_cache *vm_area_cachep;
105466 /* SLAB cache for mm_struct structures (tsk->mm) */
105467 static struct kmem_cache *mm_cachep;
105468
105469-static void account_kernel_stack(struct thread_info *ti, int account)
105470+static void account_kernel_stack(struct task_struct *tsk, struct thread_info *ti, int account)
105471 {
105472+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
105473+ struct zone *zone = page_zone(virt_to_page(tsk->lowmem_stack));
105474+#else
105475 struct zone *zone = page_zone(virt_to_page(ti));
105476+#endif
105477
105478 mod_zone_page_state(zone, NR_KERNEL_STACK, account);
105479 }
105480
105481 void free_task(struct task_struct *tsk)
105482 {
105483- account_kernel_stack(tsk->stack, -1);
105484+ account_kernel_stack(tsk, tsk->stack, -1);
105485 arch_release_thread_info(tsk->stack);
105486- free_thread_info(tsk->stack);
105487+ gr_free_thread_info(tsk, tsk->stack);
105488 rt_mutex_debug_task_free(tsk);
105489 ftrace_graph_exit_task(tsk);
105490 put_seccomp_filter(tsk);
105491@@ -289,7 +335,7 @@ static void set_max_threads(unsigned int max_threads_suggested)
105492
105493 #ifdef CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT
105494 /* Initialized by the architecture: */
105495-int arch_task_struct_size __read_mostly;
105496+size_t arch_task_struct_size __read_mostly;
105497 #endif
105498
105499 void __init fork_init(void)
105500@@ -334,6 +380,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
105501 {
105502 struct task_struct *tsk;
105503 struct thread_info *ti;
105504+ void *lowmem_stack;
105505 int node = tsk_fork_get_node(orig);
105506 int err;
105507
105508@@ -341,7 +388,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
105509 if (!tsk)
105510 return NULL;
105511
105512- ti = alloc_thread_info_node(tsk, node);
105513+ ti = gr_alloc_thread_info_node(tsk, node, &lowmem_stack);
105514 if (!ti)
105515 goto free_tsk;
105516
105517@@ -350,6 +397,9 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
105518 goto free_ti;
105519
105520 tsk->stack = ti;
105521+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
105522+ tsk->lowmem_stack = lowmem_stack;
105523+#endif
105524 #ifdef CONFIG_SECCOMP
105525 /*
105526 * We must handle setting up seccomp filters once we're under
105527@@ -366,7 +416,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
105528 set_task_stack_end_magic(tsk);
105529
105530 #ifdef CONFIG_CC_STACKPROTECTOR
105531- tsk->stack_canary = get_random_int();
105532+ tsk->stack_canary = pax_get_random_long();
105533 #endif
105534
105535 /*
105536@@ -380,24 +430,89 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
105537 tsk->splice_pipe = NULL;
105538 tsk->task_frag.page = NULL;
105539
105540- account_kernel_stack(ti, 1);
105541+ account_kernel_stack(tsk, ti, 1);
105542
105543 return tsk;
105544
105545 free_ti:
105546- free_thread_info(ti);
105547+ gr_free_thread_info(tsk, ti);
105548 free_tsk:
105549 free_task_struct(tsk);
105550 return NULL;
105551 }
105552
105553 #ifdef CONFIG_MMU
105554-static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
105555+static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct mm_struct *oldmm, struct vm_area_struct *mpnt)
105556+{
105557+ struct vm_area_struct *tmp;
105558+ unsigned long charge;
105559+ struct file *file;
105560+ int retval;
105561+
105562+ charge = 0;
105563+ if (mpnt->vm_flags & VM_ACCOUNT) {
105564+ unsigned long len = vma_pages(mpnt);
105565+
105566+ if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
105567+ goto fail_nomem;
105568+ charge = len;
105569+ }
105570+ tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
105571+ if (!tmp)
105572+ goto fail_nomem;
105573+ *tmp = *mpnt;
105574+ tmp->vm_mm = mm;
105575+ INIT_LIST_HEAD(&tmp->anon_vma_chain);
105576+ retval = vma_dup_policy(mpnt, tmp);
105577+ if (retval)
105578+ goto fail_nomem_policy;
105579+ if (anon_vma_fork(tmp, mpnt))
105580+ goto fail_nomem_anon_vma_fork;
105581+ tmp->vm_flags &= ~VM_LOCKED;
105582+ tmp->vm_next = tmp->vm_prev = NULL;
105583+ tmp->vm_mirror = NULL;
105584+ file = tmp->vm_file;
105585+ if (file) {
105586+ struct inode *inode = file_inode(file);
105587+ struct address_space *mapping = file->f_mapping;
105588+
105589+ get_file(file);
105590+ if (tmp->vm_flags & VM_DENYWRITE)
105591+ atomic_dec(&inode->i_writecount);
105592+ i_mmap_lock_write(mapping);
105593+ if (tmp->vm_flags & VM_SHARED)
105594+ atomic_inc(&mapping->i_mmap_writable);
105595+ flush_dcache_mmap_lock(mapping);
105596+ /* insert tmp into the share list, just after mpnt */
105597+ vma_interval_tree_insert_after(tmp, mpnt, &mapping->i_mmap);
105598+ flush_dcache_mmap_unlock(mapping);
105599+ i_mmap_unlock_write(mapping);
105600+ }
105601+
105602+ /*
105603+ * Clear hugetlb-related page reserves for children. This only
105604+ * affects MAP_PRIVATE mappings. Faults generated by the child
105605+ * are not guaranteed to succeed, even if read-only
105606+ */
105607+ if (is_vm_hugetlb_page(tmp))
105608+ reset_vma_resv_huge_pages(tmp);
105609+
105610+ return tmp;
105611+
105612+fail_nomem_anon_vma_fork:
105613+ mpol_put(vma_policy(tmp));
105614+fail_nomem_policy:
105615+ kmem_cache_free(vm_area_cachep, tmp);
105616+fail_nomem:
105617+ vm_unacct_memory(charge);
105618+ return NULL;
105619+}
105620+
105621+static __latent_entropy int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
105622 {
105623 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
105624 struct rb_node **rb_link, *rb_parent;
105625 int retval;
105626- unsigned long charge;
105627
105628 uprobe_start_dup_mmap();
105629 down_write(&oldmm->mmap_sem);
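Review bot: `dup_vma()` keeps a local `retval` that is only tested and never returned, so every failure collapses to NULL and the caller hard-codes `-ENOMEM`. Write the test as `if (vma_dup_policy(mpnt, tmp)) goto fail_nomem_policy;` and drop the variable. The new helper also has no header comment; it should say that it returns the copied VMA or NULL and that the accounting charge is undone on failure. `dup_mmap()` itself continues outside this hunk.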
105630@@ -428,51 +543,15 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
105631
105632 prev = NULL;
105633 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
105634- struct file *file;
105635-
105636 if (mpnt->vm_flags & VM_DONTCOPY) {
105637 vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file,
105638 -vma_pages(mpnt));
105639 continue;
105640 }
105641- charge = 0;
105642- if (mpnt->vm_flags & VM_ACCOUNT) {
105643- unsigned long len = vma_pages(mpnt);
105644-
105645- if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
105646- goto fail_nomem;
105647- charge = len;
105648- }
105649- tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
105650- if (!tmp)
105651- goto fail_nomem;
105652- *tmp = *mpnt;
105653- INIT_LIST_HEAD(&tmp->anon_vma_chain);
105654- retval = vma_dup_policy(mpnt, tmp);
105655- if (retval)
105656- goto fail_nomem_policy;
105657- tmp->vm_mm = mm;
105658- if (anon_vma_fork(tmp, mpnt))
105659- goto fail_nomem_anon_vma_fork;
105660- tmp->vm_flags &= ~VM_LOCKED;
105661- tmp->vm_next = tmp->vm_prev = NULL;
105662- file = tmp->vm_file;
105663- if (file) {
105664- struct inode *inode = file_inode(file);
105665- struct address_space *mapping = file->f_mapping;
105666-
105667- get_file(file);
105668- if (tmp->vm_flags & VM_DENYWRITE)
105669- atomic_dec(&inode->i_writecount);
105670- i_mmap_lock_write(mapping);
105671- if (tmp->vm_flags & VM_SHARED)
105672- atomic_inc(&mapping->i_mmap_writable);
105673- flush_dcache_mmap_lock(mapping);
105674- /* insert tmp into the share list, just after mpnt */
105675- vma_interval_tree_insert_after(tmp, mpnt,
105676- &mapping->i_mmap);
105677- flush_dcache_mmap_unlock(mapping);
105678- i_mmap_unlock_write(mapping);
105679+ tmp = dup_vma(mm, oldmm, mpnt);
105680+ if (!tmp) {
105681+ retval = -ENOMEM;
105682+ goto out;
105683 }
105684
105685 /*
105686@@ -504,6 +583,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
105687 if (retval)
105688 goto out;
105689 }
105690+
105691+#ifdef CONFIG_PAX_SEGMEXEC
105692+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
105693+ struct vm_area_struct *mpnt_m;
105694+
105695+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
105696+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
105697+
105698+ if (!mpnt->vm_mirror)
105699+ continue;
105700+
105701+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
105702+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
105703+ mpnt->vm_mirror = mpnt_m;
105704+ } else {
105705+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
105706+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
105707+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
105708+ mpnt->vm_mirror->vm_mirror = mpnt;
105709+ }
105710+ }
105711+ BUG_ON(mpnt_m);
105712+ }
105713+#endif
105714+
105715 /* a new mm has just been created */
105716 arch_dup_mmap(oldmm, mm);
105717 retval = 0;
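Review bot: The mirror fix-up walks `oldmm->mmap` and `mm->mmap` in lockstep and asserts with `BUG_ON` that both lists end together, but the copy loop earlier in `dup_mmap()` skips parent VMAs flagged `VM_DONTCOPY`. The lists therefore only line up if a SEGMEXEC task can never hold such a mapping, and that invariant is not visible in this hunk. If it is enforced elsewhere, state it in a comment above the loop, e.g. `/* SEGMEXEC: parent and child VMA lists are 1:1 here because ... */`. If it is not, a mismatch should fail the fork (`retval = -ENOMEM; goto out;`) instead of halting the kernel.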
105718@@ -513,14 +617,6 @@ out:
105719 up_write(&oldmm->mmap_sem);
105720 uprobe_end_dup_mmap();
105721 return retval;
105722-fail_nomem_anon_vma_fork:
105723- mpol_put(vma_policy(tmp));
105724-fail_nomem_policy:
105725- kmem_cache_free(vm_area_cachep, tmp);
105726-fail_nomem:
105727- retval = -ENOMEM;
105728- vm_unacct_memory(charge);
105729- goto out;
105730 }
105731
105732 static inline int mm_alloc_pgd(struct mm_struct *mm)
105733@@ -795,8 +891,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
105734 return ERR_PTR(err);
105735
105736 mm = get_task_mm(task);
105737- if (mm && mm != current->mm &&
105738- !ptrace_may_access(task, mode)) {
105739+ if (mm && ((mm != current->mm && !ptrace_may_access(task, mode)) ||
105740+ (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) {
105741 mmput(mm);
105742 mm = ERR_PTR(-EACCES);
105743 }
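Review bot: The grsecurity checks are gated on `mode == PTRACE_MODE_ATTACH`, an exact comparison on what is a flag word. A caller that ORs another bit into `mode` (PTRACE_MODE_NOAUDIT, for instance) would skip `gr_handle_proc_ptrace()` and `gr_acl_handle_procpidmem()`. Testing the bit, `(mode & PTRACE_MODE_ATTACH)`, keeps the checks in force for combined modes; whether any caller of `mm_access()` passes such a combination cannot be seen from this hunk. The condition is also dense enough to merit a comment noting that the gr checks apply even when `mm == current->mm`.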
105744@@ -997,13 +1093,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
105745 spin_unlock(&fs->lock);
105746 return -EAGAIN;
105747 }
105748- fs->users++;
105749+ atomic_inc(&fs->users);
105750 spin_unlock(&fs->lock);
105751 return 0;
105752 }
105753 tsk->fs = copy_fs_struct(fs);
105754 if (!tsk->fs)
105755 return -ENOMEM;
105756+ /* Carry through gr_chroot_dentry and is_chrooted instead
105757+ of recomputing it here. Already copied when the task struct
105758+ is duplicated. This allows pivot_root to not be treated as
105759+ a chroot
105760+ */
105761+ //gr_set_chroot_entries(tsk, &tsk->fs->root);
105762+
105763 return 0;
105764 }
105765
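Review bot: The added block leaves a commented-out call, `//gr_set_chroot_entries(tsk, &tsk->fs->root);`, in `copy_fs()`. The comment above it already records why the chroot state is carried over from the duplicated task struct, so the dead line can be deleted; disabled code tends to drift out of sync with the function it names. The explanatory comment would also read better in the kernel's block style, with ` * ` continuation lines and complete sentences.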
105766@@ -1234,7 +1337,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid)
105767 * parts of the process environment (as per the clone
105768 * flags). The actual kick-off is left to the caller.
105769 */
105770-static struct task_struct *copy_process(unsigned long clone_flags,
105771+static __latent_entropy struct task_struct *copy_process(unsigned long clone_flags,
105772 unsigned long stack_start,
105773 unsigned long stack_size,
105774 int __user *child_tidptr,
105775@@ -1306,6 +1409,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
105776 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
105777 #endif
105778 retval = -EAGAIN;
105779+
105780+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
105781+
105782 if (atomic_read(&p->real_cred->user->processes) >=
105783 task_rlimit(p, RLIMIT_NPROC)) {
105784 if (p->real_cred->user != INIT_USER &&
105785@@ -1556,6 +1662,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
105786 goto bad_fork_free_pid;
105787 }
105788
105789+ /* synchronizes with gr_set_acls()
105790+ we need to call this past the point of no return for fork()
105791+ */
105792+ gr_copy_label(p);
105793+
105794 if (likely(p->pid)) {
105795 ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
105796
105797@@ -1645,6 +1756,8 @@ bad_fork_cleanup_count:
105798 bad_fork_free:
105799 free_task(p);
105800 fork_out:
105801+ gr_log_forkfail(retval);
105802+
105803 return ERR_PTR(retval);
105804 }
105805
105806@@ -1707,6 +1820,7 @@ long _do_fork(unsigned long clone_flags,
105807
105808 p = copy_process(clone_flags, stack_start, stack_size,
105809 child_tidptr, NULL, trace, tls);
105810+ add_latent_entropy();
105811 /*
105812 * Do this prior waking up the new thread - the thread pointer
105813 * might get invalid after that point, if the thread exits quickly.
105814@@ -1723,6 +1837,8 @@ long _do_fork(unsigned long clone_flags,
105815 if (clone_flags & CLONE_PARENT_SETTID)
105816 put_user(nr, parent_tidptr);
105817
105818+ gr_handle_brute_check();
105819+
105820 if (clone_flags & CLONE_VFORK) {
105821 p->vfork_done = &vfork;
105822 init_completion(&vfork);
105823@@ -1855,7 +1971,7 @@ void __init proc_caches_init(void)
105824 mm_cachep = kmem_cache_create("mm_struct",
105825 sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
105826 SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL);
105827- vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC);
105828+ vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC | SLAB_NO_SANITIZE);
105829 mmap_init();
105830 nsproxy_cache_init();
105831 }
105832@@ -1903,7 +2019,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
105833 return 0;
105834
105835 /* don't need lock here; in the worst case we'll do useless copy */
105836- if (fs->users == 1)
105837+ if (atomic_read(&fs->users) == 1)
105838 return 0;
105839
105840 *new_fsp = copy_fs_struct(fs);
105841@@ -2015,7 +2131,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
105842 fs = current->fs;
105843 spin_lock(&fs->lock);
105844 current->fs = new_fs;
105845- if (--fs->users)
105846+ gr_set_chroot_entries(current, &current->fs->root);
105847+ if (atomic_dec_return(&fs->users))
105848 new_fs = NULL;
105849 else
105850 new_fs = fs;
105851@@ -2079,7 +2196,7 @@ int unshare_files(struct files_struct **displaced)
105852 int sysctl_max_threads(struct ctl_table *table, int write,
105853 void __user *buffer, size_t *lenp, loff_t *ppos)
105854 {
105855- struct ctl_table t;
105856+ ctl_table_no_const t;
105857 int ret;
105858 int threads = max_threads;
105859 int min = MIN_THREADS;
105860diff --git a/kernel/futex.c b/kernel/futex.c
105861index c4a182f..e789324 100644
105862--- a/kernel/futex.c
105863+++ b/kernel/futex.c
105864@@ -201,7 +201,7 @@ struct futex_pi_state {
105865 atomic_t refcount;
105866
105867 union futex_key key;
105868-};
105869+} __randomize_layout;
105870
105871 /**
105872 * struct futex_q - The hashed futex queue entry, one per waiting task
105873@@ -235,7 +235,7 @@ struct futex_q {
105874 struct rt_mutex_waiter *rt_waiter;
105875 union futex_key *requeue_pi_key;
105876 u32 bitset;
105877-};
105878+} __randomize_layout;
105879
105880 static const struct futex_q futex_q_init = {
105881 /* list gets initialized in queue_me()*/
105882@@ -402,6 +402,11 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
105883 struct page *page, *page_head;
105884 int err, ro = 0;
105885
105886+#ifdef CONFIG_PAX_SEGMEXEC
105887+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
105888+ return -EFAULT;
105889+#endif
105890+
105891 /*
105892 * The futex address must be "naturally" aligned.
105893 */
105894@@ -601,7 +606,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
105895
105896 static int get_futex_value_locked(u32 *dest, u32 __user *from)
105897 {
105898- int ret;
105899+ unsigned long ret;
105900
105901 pagefault_disable();
105902 ret = __copy_from_user_inatomic(dest, from, sizeof(u32));
105903@@ -3030,6 +3035,7 @@ static void __init futex_detect_cmpxchg(void)
105904 {
105905 #ifndef CONFIG_HAVE_FUTEX_CMPXCHG
105906 u32 curval;
105907+ mm_segment_t oldfs;
105908
105909 /*
105910 * This will fail and we want it. Some arch implementations do
105911@@ -3041,8 +3047,11 @@ static void __init futex_detect_cmpxchg(void)
105912 * implementation, the non-functional ones will return
105913 * -ENOSYS.
105914 */
105915+ oldfs = get_fs();
105916+ set_fs(USER_DS);
105917 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
105918 futex_cmpxchg_enabled = 1;
105919+ set_fs(oldfs);
105920 #endif
105921 }
105922
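Review bot: The probe is now wrapped in `set_fs(USER_DS)` and `set_fs(oldfs)` with no explanation; the existing comment covers only why the NULL access is expected to fault. Add a line above `oldfs = get_fs();` such as `/* probe with the user address limit so the NULL uaddr is checked as a user pointer */`. That is presumably the intent and should be confirmed by the author. The declaration of `oldfs` is in the previous hunk, inside the same `#ifndef CONFIG_HAVE_FUTEX_CMPXCHG` block.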
105923diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
105924index 55c8c93..9ba7ad6 100644
105925--- a/kernel/futex_compat.c
105926+++ b/kernel/futex_compat.c
105927@@ -32,7 +32,7 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
105928 return 0;
105929 }
105930
105931-static void __user *futex_uaddr(struct robust_list __user *entry,
105932+static void __user __intentional_overflow(-1) *futex_uaddr(struct robust_list __user *entry,
105933 compat_long_t futex_offset)
105934 {
105935 compat_uptr_t base = ptr_to_compat(entry);
105936diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c
105937index 7080ae1..c9b3761 100644
105938--- a/kernel/gcov/base.c
105939+++ b/kernel/gcov/base.c
105940@@ -123,11 +123,6 @@ void gcov_enable_events(void)
105941 }
105942
105943 #ifdef CONFIG_MODULES
105944-static inline int within(void *addr, void *start, unsigned long size)
105945-{
105946- return ((addr >= start) && (addr < start + size));
105947-}
105948-
105949 /* Update list and generate events when modules are unloaded. */
105950 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
105951 void *data)
105952@@ -142,7 +137,7 @@ static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
105953
105954 /* Remove entries located in module from linked list. */
105955 while ((info = gcov_info_next(info))) {
105956- if (within(info, mod->module_core, mod->core_size)) {
105957+ if (within_module_core_rw((unsigned long)info, mod)) {
105958 gcov_info_unlink(prev, info);
105959 if (gcov_events_enabled)
105960 gcov_event(GCOV_REMOVE, info);
105961diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
105962index f974485..c5b8afd 100644
105963--- a/kernel/irq/manage.c
105964+++ b/kernel/irq/manage.c
105965@@ -937,7 +937,7 @@ static int irq_thread(void *data)
105966
105967 action_ret = handler_fn(desc, action);
105968 if (action_ret == IRQ_HANDLED)
105969- atomic_inc(&desc->threads_handled);
105970+ atomic_inc_unchecked(&desc->threads_handled);
105971
105972 wake_threads_waitq(desc);
105973 }
105974diff --git a/kernel/irq/msi.c b/kernel/irq/msi.c
105975index 7bf1f1b..d73e508 100644
105976--- a/kernel/irq/msi.c
105977+++ b/kernel/irq/msi.c
105978@@ -195,16 +195,18 @@ static void msi_domain_update_dom_ops(struct msi_domain_info *info)
105979 return;
105980 }
105981
105982+ pax_open_kernel();
105983 if (ops->get_hwirq == NULL)
105984- ops->get_hwirq = msi_domain_ops_default.get_hwirq;
105985+ *(void **)&ops->get_hwirq = msi_domain_ops_default.get_hwirq;
105986 if (ops->msi_init == NULL)
105987- ops->msi_init = msi_domain_ops_default.msi_init;
105988+ *(void **)&ops->msi_init = msi_domain_ops_default.msi_init;
105989 if (ops->msi_check == NULL)
105990- ops->msi_check = msi_domain_ops_default.msi_check;
105991+ *(void **)&ops->msi_check = msi_domain_ops_default.msi_check;
105992 if (ops->msi_prepare == NULL)
105993- ops->msi_prepare = msi_domain_ops_default.msi_prepare;
105994+ *(void **)&ops->msi_prepare = msi_domain_ops_default.msi_prepare;
105995 if (ops->set_desc == NULL)
105996- ops->set_desc = msi_domain_ops_default.set_desc;
105997+ *(void **)&ops->set_desc = msi_domain_ops_default.set_desc;
105998+ pax_close_kernel();
105999 }
106000
106001 static void msi_domain_update_chip_ops(struct msi_domain_info *info)
106002@@ -212,12 +214,14 @@ static void msi_domain_update_chip_ops(struct msi_domain_info *info)
106003 struct irq_chip *chip = info->chip;
106004
106005 BUG_ON(!chip);
106006+ pax_open_kernel();
106007 if (!chip->irq_mask)
106008- chip->irq_mask = pci_msi_mask_irq;
106009+ *(void **)&chip->irq_mask = pci_msi_mask_irq;
106010 if (!chip->irq_unmask)
106011- chip->irq_unmask = pci_msi_unmask_irq;
106012+ *(void **)&chip->irq_unmask = pci_msi_unmask_irq;
106013 if (!chip->irq_set_affinity)
106014- chip->irq_set_affinity = msi_domain_set_affinity;
106015+ *(void **)&chip->irq_set_affinity = msi_domain_set_affinity;
106016+ pax_close_kernel();
106017 }
106018
106019 /**
106020diff --git a/kernel/irq/spurious.c b/kernel/irq/spurious.c
106021index e2514b0..de3dfe0 100644
106022--- a/kernel/irq/spurious.c
106023+++ b/kernel/irq/spurious.c
106024@@ -337,7 +337,7 @@ void note_interrupt(unsigned int irq, struct irq_desc *desc,
106025 * count. We just care about the count being
106026 * different than the one we saw before.
106027 */
106028- handled = atomic_read(&desc->threads_handled);
106029+ handled = atomic_read_unchecked(&desc->threads_handled);
106030 handled |= SPURIOUS_DEFERRED;
106031 if (handled != desc->threads_handled_last) {
106032 action_ret = IRQ_HANDLED;
106033diff --git a/kernel/jump_label.c b/kernel/jump_label.c
106034index 52ebaca..ec6f5cb 100644
106035--- a/kernel/jump_label.c
106036+++ b/kernel/jump_label.c
106037@@ -14,6 +14,7 @@
106038 #include <linux/err.h>
106039 #include <linux/static_key.h>
106040 #include <linux/jump_label_ratelimit.h>
106041+#include <linux/mm.h>
106042
106043 #ifdef HAVE_JUMP_LABEL
106044
106045@@ -51,7 +52,9 @@ jump_label_sort_entries(struct jump_entry *start, struct jump_entry *stop)
106046
106047 size = (((unsigned long)stop - (unsigned long)start)
106048 / sizeof(struct jump_entry));
106049+ pax_open_kernel();
106050 sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
106051+ pax_close_kernel();
106052 }
106053
106054 static void jump_label_update(struct static_key *key, int enable);
106055@@ -363,10 +366,12 @@ static void jump_label_invalidate_module_init(struct module *mod)
106056 struct jump_entry *iter_stop = iter_start + mod->num_jump_entries;
106057 struct jump_entry *iter;
106058
106059+ pax_open_kernel();
106060 for (iter = iter_start; iter < iter_stop; iter++) {
106061 if (within_module_init(iter->code, mod))
106062 iter->code = 0;
106063 }
106064+ pax_close_kernel();
106065 }
106066
106067 static int
106068diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
106069index 5c5987f..bc502b0 100644
106070--- a/kernel/kallsyms.c
106071+++ b/kernel/kallsyms.c
106072@@ -11,6 +11,9 @@
106073 * Changed the compression method from stem compression to "table lookup"
106074 * compression (see scripts/kallsyms.c for a more complete description)
106075 */
106076+#ifdef CONFIG_GRKERNSEC_HIDESYM
106077+#define __INCLUDED_BY_HIDESYM 1
106078+#endif
106079 #include <linux/kallsyms.h>
106080 #include <linux/module.h>
106081 #include <linux/init.h>
106082@@ -54,12 +57,33 @@ extern const unsigned long kallsyms_markers[] __weak;
106083
106084 static inline int is_kernel_inittext(unsigned long addr)
106085 {
106086+ if (system_state != SYSTEM_BOOTING)
106087+ return 0;
106088+
106089 if (addr >= (unsigned long)_sinittext
106090 && addr <= (unsigned long)_einittext)
106091 return 1;
106092 return 0;
106093 }
106094
106095+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106096+#ifdef CONFIG_MODULES
106097+static inline int is_module_text(unsigned long addr)
106098+{
106099+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
106100+ return 1;
106101+
106102+ addr = ktla_ktva(addr);
106103+ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
106104+}
106105+#else
106106+static inline int is_module_text(unsigned long addr)
106107+{
106108+ return 0;
106109+}
106110+#endif
106111+#endif
106112+
106113 static inline int is_kernel_text(unsigned long addr)
106114 {
106115 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
106116@@ -70,13 +94,28 @@ static inline int is_kernel_text(unsigned long addr)
106117
106118 static inline int is_kernel(unsigned long addr)
106119 {
106120+
106121+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106122+ if (is_kernel_text(addr) || is_kernel_inittext(addr))
106123+ return 1;
106124+
106125+ if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
106126+#else
106127 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
106128+#endif
106129+
106130 return 1;
106131 return in_gate_area_no_mm(addr);
106132 }
106133
106134 static int is_ksym_addr(unsigned long addr)
106135 {
106136+
106137+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106138+ if (is_module_text(addr))
106139+ return 0;
106140+#endif
106141+
106142 if (all_var)
106143 return is_kernel(addr);
106144
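Review bot: In `is_kernel()` the two preprocessor branches disagree on the upper bound: the KERNEXEC branch tests `addr < (unsigned long)_end` while the original branch keeps `addr <= (unsigned long)_end`. If the exclusive bound is intended, a comment should say so; otherwise the two should match. The `#if`/`#else` also splits the `if (...)` header from its `return 1;`, with blank lines in between, which is easy to misread. Computing the lower bound into a local inside the `#if` and keeping a single `if (start <= addr && addr <= (unsigned long)_end)` would be clearer.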
106145@@ -481,7 +520,6 @@ static unsigned long get_ksymbol_core(struct kallsym_iter *iter)
106146
106147 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
106148 {
106149- iter->name[0] = '\0';
106150 iter->nameoff = get_symbol_offset(new_pos);
106151 iter->pos = new_pos;
106152 }
106153@@ -529,6 +567,11 @@ static int s_show(struct seq_file *m, void *p)
106154 {
106155 struct kallsym_iter *iter = m->private;
106156
106157+#ifdef CONFIG_GRKERNSEC_HIDESYM
106158+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID))
106159+ return 0;
106160+#endif
106161+
106162 /* Some debugging symbols have no name. Ignore them. */
106163 if (!iter->name[0])
106164 return 0;
106165@@ -542,6 +585,7 @@ static int s_show(struct seq_file *m, void *p)
106166 */
106167 type = iter->exported ? toupper(iter->type) :
106168 tolower(iter->type);
106169+
106170 seq_printf(m, "%pK %c %s\t[%s]\n", (void *)iter->value,
106171 type, iter->name, iter->module_name);
106172 } else
106173diff --git a/kernel/kcmp.c b/kernel/kcmp.c
106174index 0aa69ea..a7fcafb 100644
106175--- a/kernel/kcmp.c
106176+++ b/kernel/kcmp.c
106177@@ -100,6 +100,10 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
106178 struct task_struct *task1, *task2;
106179 int ret;
106180
106181+#ifdef CONFIG_GRKERNSEC
106182+ return -ENOSYS;
106183+#endif
106184+
106185 rcu_read_lock();
106186
106187 /*
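Review bot: The unconditional `return -ENOSYS;` under CONFIG_GRKERNSEC sits after the declarations and leaves the rest of the syscall body as unreachable code in that configuration, with no comment on why kcmp is disabled. State the reason next to the guard, e.g. `/* kcmp() reveals whether two tasks share kernel objects; disabled under grsecurity */` (wording to be confirmed by the author). Consider putting the remaining body under `#else` so the disabled configuration does not build dead code. The body of the syscall continues outside this hunk.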
106188diff --git a/kernel/kexec.c b/kernel/kexec.c
106189index a785c10..6dbb06f 100644
106190--- a/kernel/kexec.c
106191+++ b/kernel/kexec.c
106192@@ -1243,7 +1243,7 @@ static int kimage_load_segment(struct kimage *image,
106193 */
106194 struct kimage *kexec_image;
106195 struct kimage *kexec_crash_image;
106196-int kexec_load_disabled;
106197+int kexec_load_disabled __read_only;
106198
106199 static DEFINE_MUTEX(kexec_mutex);
106200
106201@@ -1359,7 +1359,8 @@ COMPAT_SYSCALL_DEFINE4(kexec_load, compat_ulong_t, entry,
106202 compat_ulong_t, flags)
106203 {
106204 struct compat_kexec_segment in;
106205- struct kexec_segment out, __user *ksegments;
106206+ struct kexec_segment out;
106207+ struct kexec_segment __user *ksegments;
106208 unsigned long i, result;
106209
106210 /* Don't allow clients that don't understand the native
106211diff --git a/kernel/kmod.c b/kernel/kmod.c
106212index 2777f40..a689506 100644
106213--- a/kernel/kmod.c
106214+++ b/kernel/kmod.c
106215@@ -68,7 +68,7 @@ static void free_modprobe_argv(struct subprocess_info *info)
106216 kfree(info->argv);
106217 }
106218
106219-static int call_modprobe(char *module_name, int wait)
106220+static int call_modprobe(char *module_name, char *module_param, int wait)
106221 {
106222 struct subprocess_info *info;
106223 static char *envp[] = {
106224@@ -78,7 +78,7 @@ static int call_modprobe(char *module_name, int wait)
106225 NULL
106226 };
106227
106228- char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL);
106229+ char **argv = kmalloc(sizeof(char *[6]), GFP_KERNEL);
106230 if (!argv)
106231 goto out;
106232
106233@@ -90,7 +90,8 @@ static int call_modprobe(char *module_name, int wait)
106234 argv[1] = "-q";
106235 argv[2] = "--";
106236 argv[3] = module_name; /* check free_modprobe_argv() */
106237- argv[4] = NULL;
106238+ argv[4] = module_param;
106239+ argv[5] = NULL;
106240
106241 info = call_usermodehelper_setup(modprobe_path, argv, envp, GFP_KERNEL,
106242 NULL, free_modprobe_argv, NULL);
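Review bot: `argv[4] = module_param;` stores a caller-owned pointer next to `argv[3]`, which carries a comment pointing at `free_modprobe_argv()`, but nothing says who owns `module_param` or that it may be NULL. The hunk header of the first kmod.c hunk shows `free_modprobe_argv()` ending in `kfree(info->argv)`; whether it touches slot 4 is not visible here. Once that is confirmed, add a matching comment such as `argv[4] = module_param; /* may be NULL; not freed by free_modprobe_argv() */`.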
106243@@ -122,9 +123,8 @@ out:
106244 * If module auto-loading support is disabled then this function
106245 * becomes a no-operation.
106246 */
106247-int __request_module(bool wait, const char *fmt, ...)
106248+static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
106249 {
106250- va_list args;
106251 char module_name[MODULE_NAME_LEN];
106252 unsigned int max_modprobes;
106253 int ret;
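Review bot: The kernel-doc block that ends just above this signature now sits on the static helper `____request_module`, and the exported `__request_module` re-added in the later hunk has no comment of its own. Moving the block down to `__request_module` and giving the helper a short comment such as `/* common body; module_param may be NULL, ap is consumed by vsnprintf() */` would keep the documented entry point and its documentation together. The opening lines of that comment block are outside this hunk.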
106254@@ -143,9 +143,7 @@ int __request_module(bool wait, const char *fmt, ...)
106255 if (!modprobe_path[0])
106256 return 0;
106257
106258- va_start(args, fmt);
106259- ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
106260- va_end(args);
106261+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
106262 if (ret >= MODULE_NAME_LEN)
106263 return -ENAMETOOLONG;
106264
106265@@ -153,6 +151,20 @@ int __request_module(bool wait, const char *fmt, ...)
106266 if (ret)
106267 return ret;
106268
106269+#ifdef CONFIG_GRKERNSEC_MODHARDEN
106270+ if (uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
106271+ /* hack to workaround consolekit/udisks stupidity */
106272+ read_lock(&tasklist_lock);
106273+ if (!strcmp(current->comm, "mount") &&
106274+ current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
106275+ read_unlock(&tasklist_lock);
106276+ printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
106277+ return -EPERM;
106278+ }
106279+ read_unlock(&tasklist_lock);
106280+ }
106281+#endif
106282+
106283 /* If modprobe needs a service that is in a module, we get a recursive
106284 * loop. Limit the number of running kmod threads to max_threads/2 or
106285 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
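Review bot: The exception added under CONFIG_GRKERNSEC_MODHARDEN identifies the requester by `current->comm` and the first five characters of the parent's comm, which are labels a task can set for itself rather than an identity. That suits the compatibility workaround the existing comment describes, but the comment should say so, for example `/* heuristic: comm is a task-settable label, so this only covers the consolekit/udisks case and is not a policy boundary */`. The log text also says "fs module" although nothing in this branch checks what kind of module `module_name` names. The enclosing function starts and ends outside this hunk.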
106286@@ -181,16 +193,61 @@ int __request_module(bool wait, const char *fmt, ...)
106287
106288 trace_module_request(module_name, wait, _RET_IP_);
106289
106290- ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
106291+ ret = call_modprobe(module_name, module_param, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
106292
106293 atomic_dec(&kmod_concurrent);
106294 return ret;
106295 }
106296+
106297+int ___request_module(bool wait, char *module_param, const char *fmt, ...)
106298+{
106299+ va_list args;
106300+ int ret;
106301+
106302+ va_start(args, fmt);
106303+ ret = ____request_module(wait, module_param, fmt, args);
106304+ va_end(args);
106305+
106306+ return ret;
106307+}
106308+
106309+int __request_module(bool wait, const char *fmt, ...)
106310+{
106311+ va_list args;
106312+ int ret;
106313+
106314+#ifdef CONFIG_GRKERNSEC_MODHARDEN
106315+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
106316+ char module_param[MODULE_NAME_LEN];
106317+
106318+ memset(module_param, 0, sizeof(module_param));
106319+
106320+ snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", GR_GLOBAL_UID(current_uid()));
106321+
106322+ va_start(args, fmt);
106323+ ret = ____request_module(wait, module_param, fmt, args);
106324+ va_end(args);
106325+
106326+ return ret;
106327+ }
106328+#endif
106329+
106330+ va_start(args, fmt);
106331+ ret = ____request_module(wait, NULL, fmt, args);
106332+ va_end(args);
106333+
106334+ return ret;
106335+}
106336+
106337 EXPORT_SYMBOL(__request_module);
106338 #endif /* CONFIG_MODULES */
106339
106340 static void call_usermodehelper_freeinfo(struct subprocess_info *info)
106341 {
106342+#ifdef CONFIG_GRKERNSEC
106343+ kfree(info->path);
106344+ info->path = info->origpath;
106345+#endif
106346 if (info->cleanup)
106347 (*info->cleanup)(info);
106348 kfree(info);
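Review bot: `__request_module` repeats the `va_start` / `____request_module` / `va_end` / `return` sequence in both the MODHARDEN branch and the fall-through, which makes it easy for the two paths to drift apart. Selecting the parameter first and making a single call reads more directly. The `memset` and the `sizeof(module_param) - 1` bound are also redundant, since snprintf() terminates within the size it is given. The sketch below keeps the same format string and still passes NULL for root.

```c
int __request_module(bool wait, const char *fmt, ...)
{
	va_list args;
	char *param = NULL;
	int ret;
#ifdef CONFIG_GRKERNSEC_MODHARDEN
	char module_param[MODULE_NAME_LEN];

	if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
		snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", GR_GLOBAL_UID(current_uid()));
		param = module_param;
	}
#endif

	va_start(args, fmt);
	ret = ____request_module(wait, param, fmt, args);
	va_end(args);

	return ret;
}
```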
106349@@ -232,6 +289,21 @@ static int ____call_usermodehelper(void *data)
106350 */
106351 set_user_nice(current, 0);
106352
106353+#ifdef CONFIG_GRKERNSEC
106354+ /* this is race-free as far as userland is concerned as we copied
106355+ out the path to be used prior to this point and are now operating
106356+ on that copy
106357+ */
106358+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
106359+ strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
106360+ strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
106361+ strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
106362+ printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
106363+ retval = -EPERM;
106364+ goto out;
106365+ }
106366+#endif
106367+
106368 retval = -ENOMEM;
106369 new = prepare_kernel_cred(current);
106370 if (!new)
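Review bot: The allow-list in `____call_usermodehelper` pairs each prefix with a hand-counted length (`"/sbin/", 6`, `"/usr/libexec/", 13`, and so on), so a later edit to one string without its number silently changes what matches. Deriving the length from the literal, e.g. `#define UMH_PREFIX(p, s) strncmp((p), (s), sizeof(s) - 1)`, removes that hazard and shortens the condition. A one-line comment that the test is a textual prefix match on the copied path, with `..` rejected so a permitted prefix cannot be left again, would help the next reader. The function body starts and ends outside this hunk.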
106371@@ -254,8 +326,8 @@ static int ____call_usermodehelper(void *data)
106372 commit_creds(new);
106373
106374 retval = do_execve(getname_kernel(sub_info->path),
106375- (const char __user *const __user *)sub_info->argv,
106376- (const char __user *const __user *)sub_info->envp);
106377+ (const char __user *const __force_user *)sub_info->argv,
106378+ (const char __user *const __force_user *)sub_info->envp);
106379 out:
106380 sub_info->retval = retval;
106381 /* wait_for_helper() will call umh_complete if UHM_WAIT_PROC. */
106382@@ -288,7 +360,7 @@ static int wait_for_helper(void *data)
106383 *
106384 * Thus the __user pointer cast is valid here.
106385 */
106386- sys_wait4(pid, (int __user *)&ret, 0, NULL);
106387+ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
106388
106389 /*
106390 * If ret is 0, either ____call_usermodehelper failed and the
106391@@ -510,7 +582,12 @@ struct subprocess_info *call_usermodehelper_setup(char *path, char **argv,
106392 goto out;
106393
106394 INIT_WORK(&sub_info->work, __call_usermodehelper);
106395+#ifdef CONFIG_GRKERNSEC
106396+ sub_info->origpath = path;
106397+ sub_info->path = kstrdup(path, gfp_mask);
106398+#else
106399 sub_info->path = path;
106400+#endif
106401 sub_info->argv = argv;
106402 sub_info->envp = envp;
106403
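Review bot: `sub_info->path = kstrdup(path, gfp_mask);` is stored without a NULL check, and the path test added to `____call_usermodehelper` in the earlier hunk passes `sub_info->path` straight to strncmp(). Unless a check exists outside this hunk, an allocation failure here turns into a NULL dereference in the helper thread. Failing the setup instead, e.g. `if (!sub_info->path) { kfree(sub_info); return NULL; }`, keeps the error at the call site. call_usermodehelper_setup continues outside this hunk.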
106404@@ -612,7 +689,7 @@ EXPORT_SYMBOL(call_usermodehelper);
106405 static int proc_cap_handler(struct ctl_table *table, int write,
106406 void __user *buffer, size_t *lenp, loff_t *ppos)
106407 {
106408- struct ctl_table t;
106409+ ctl_table_no_const t;
106410 unsigned long cap_array[_KERNEL_CAPABILITY_U32S];
106411 kernel_cap_t new_cap;
106412 int err, i;
106413diff --git a/kernel/kprobes.c b/kernel/kprobes.c
106414index c90e417..e6c515d 100644
106415--- a/kernel/kprobes.c
106416+++ b/kernel/kprobes.c
106417@@ -31,6 +31,9 @@
106418 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
106419 * <prasanna@in.ibm.com> added function-return probes.
106420 */
106421+#ifdef CONFIG_GRKERNSEC_HIDESYM
106422+#define __INCLUDED_BY_HIDESYM 1
106423+#endif
106424 #include <linux/kprobes.h>
106425 #include <linux/hash.h>
106426 #include <linux/init.h>
106427@@ -122,12 +125,12 @@ enum kprobe_slot_state {
106428
106429 static void *alloc_insn_page(void)
106430 {
106431- return module_alloc(PAGE_SIZE);
106432+ return module_alloc_exec(PAGE_SIZE);
106433 }
106434
106435 static void free_insn_page(void *page)
106436 {
106437- module_memfree(page);
106438+ module_memfree_exec(page);
106439 }
106440
106441 struct kprobe_insn_cache kprobe_insn_slots = {
106442@@ -2198,11 +2201,11 @@ static void report_probe(struct seq_file *pi, struct kprobe *p,
106443 kprobe_type = "k";
106444
106445 if (sym)
106446- seq_printf(pi, "%p %s %s+0x%x %s ",
106447+ seq_printf(pi, "%pK %s %s+0x%x %s ",
106448 p->addr, kprobe_type, sym, offset,
106449 (modname ? modname : " "));
106450 else
106451- seq_printf(pi, "%p %s %p ",
106452+ seq_printf(pi, "%pK %s %pK ",
106453 p->addr, kprobe_type, p->addr);
106454
106455 if (!pp)
106456diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
106457index 6683cce..daf8999 100644
106458--- a/kernel/ksysfs.c
106459+++ b/kernel/ksysfs.c
106460@@ -50,6 +50,8 @@ static ssize_t uevent_helper_store(struct kobject *kobj,
106461 {
106462 if (count+1 > UEVENT_HELPER_PATH_LEN)
106463 return -ENOENT;
106464+ if (!capable(CAP_SYS_ADMIN))
106465+ return -EPERM;
106466 memcpy(uevent_helper, buf, count);
106467 uevent_helper[count] = '\0';
106468 if (count && uevent_helper[count-1] == '\n')
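Review bot: The new `capable(CAP_SYS_ADMIN)` test in `uevent_helper_store` runs after the length test, so a caller without the capability who writes an oversized value gets -ENOENT rather than -EPERM. Putting the privilege check first makes the denial independent of the input: `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` as the first statement of the body. The function body continues past this hunk.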
106469@@ -176,7 +178,7 @@ static ssize_t notes_read(struct file *filp, struct kobject *kobj,
106470 return count;
106471 }
106472
106473-static struct bin_attribute notes_attr = {
106474+static bin_attribute_no_const notes_attr __read_only = {
106475 .attr = {
106476 .name = "notes",
106477 .mode = S_IRUGO,
106478diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
106479index 8acfbf7..0c5a34a 100644
106480--- a/kernel/locking/lockdep.c
106481+++ b/kernel/locking/lockdep.c
106482@@ -613,6 +613,10 @@ static int static_obj(void *obj)
106483 end = (unsigned long) &_end,
106484 addr = (unsigned long) obj;
106485
106486+#ifdef CONFIG_PAX_KERNEXEC
106487+ start = ktla_ktva(start);
106488+#endif
106489+
106490 /*
106491 * static variable?
106492 */
106493@@ -757,6 +761,7 @@ register_lock_class(struct lockdep_map *lock, unsigned int subclass, int force)
106494 if (!static_obj(lock->key)) {
106495 debug_locks_off();
106496 printk("INFO: trying to register non-static key.\n");
106497+ printk("lock:%pS key:%pS.\n", lock, lock->key);
106498 printk("the code is fine but needs lockdep annotation.\n");
106499 printk("turning off the locking correctness validator.\n");
106500 dump_stack();
106501@@ -3102,7 +3107,7 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
106502 if (!class)
106503 return 0;
106504 }
106505- atomic_inc((atomic_t *)&class->ops);
106506+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)&class->ops);
106507 if (very_verbose(class)) {
106508 printk("\nacquire class [%p] %s", class->key, class->name);
106509 if (class->name_version > 1)
106510diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c
106511index d83d798..ea3120d 100644
106512--- a/kernel/locking/lockdep_proc.c
106513+++ b/kernel/locking/lockdep_proc.c
106514@@ -65,7 +65,7 @@ static int l_show(struct seq_file *m, void *v)
106515 return 0;
106516 }
106517
106518- seq_printf(m, "%p", class->key);
106519+ seq_printf(m, "%pK", class->key);
106520 #ifdef CONFIG_DEBUG_LOCKDEP
106521 seq_printf(m, " OPS:%8ld", class->ops);
106522 #endif
106523@@ -83,7 +83,7 @@ static int l_show(struct seq_file *m, void *v)
106524
106525 list_for_each_entry(entry, &class->locks_after, entry) {
106526 if (entry->distance == 1) {
106527- seq_printf(m, " -> [%p] ", entry->class->key);
106528+ seq_printf(m, " -> [%pK] ", entry->class->key);
106529 print_name(m, entry->class);
106530 seq_puts(m, "\n");
106531 }
106532@@ -152,7 +152,7 @@ static int lc_show(struct seq_file *m, void *v)
106533 if (!class->key)
106534 continue;
106535
106536- seq_printf(m, "[%p] ", class->key);
106537+ seq_printf(m, "[%pK] ", class->key);
106538 print_name(m, class);
106539 seq_puts(m, "\n");
106540 }
106541@@ -508,7 +508,7 @@ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
106542 if (!i)
106543 seq_line(m, '-', 40-namelen, namelen);
106544
106545- snprintf(ip, sizeof(ip), "[<%p>]",
106546+ snprintf(ip, sizeof(ip), "[<%pK>]",
106547 (void *)class->contention_point[i]);
106548 seq_printf(m, "%40s %14lu %29s %pS\n",
106549 name, stats->contention_point[i],
106550@@ -523,7 +523,7 @@ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
106551 if (!i)
106552 seq_line(m, '-', 40-namelen, namelen);
106553
106554- snprintf(ip, sizeof(ip), "[<%p>]",
106555+ snprintf(ip, sizeof(ip), "[<%pK>]",
106556 (void *)class->contending_point[i]);
106557 seq_printf(m, "%40s %14lu %29s %pS\n",
106558 name, stats->contending_point[i],
106559diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c
106560index 3ef3736..9c951fa 100644
106561--- a/kernel/locking/mutex-debug.c
106562+++ b/kernel/locking/mutex-debug.c
106563@@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mutex_waiter *waiter)
106564 }
106565
106566 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
106567- struct thread_info *ti)
106568+ struct task_struct *task)
106569 {
106570 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
106571
106572 /* Mark the current thread as blocked on the lock: */
106573- ti->task->blocked_on = waiter;
106574+ task->blocked_on = waiter;
106575 }
106576
106577 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
106578- struct thread_info *ti)
106579+ struct task_struct *task)
106580 {
106581 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
106582- DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
106583- DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
106584- ti->task->blocked_on = NULL;
106585+ DEBUG_LOCKS_WARN_ON(waiter->task != task);
106586+ DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
106587+ task->blocked_on = NULL;
106588
106589 list_del_init(&waiter->list);
106590 waiter->task = NULL;
106591diff --git a/kernel/locking/mutex-debug.h b/kernel/locking/mutex-debug.h
106592index 0799fd3..d06ae3b 100644
106593--- a/kernel/locking/mutex-debug.h
106594+++ b/kernel/locking/mutex-debug.h
106595@@ -20,9 +20,9 @@ extern void debug_mutex_wake_waiter(struct mutex *lock,
106596 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
106597 extern void debug_mutex_add_waiter(struct mutex *lock,
106598 struct mutex_waiter *waiter,
106599- struct thread_info *ti);
106600+ struct task_struct *task);
106601 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
106602- struct thread_info *ti);
106603+ struct task_struct *task);
106604 extern void debug_mutex_unlock(struct mutex *lock);
106605 extern void debug_mutex_init(struct mutex *lock, const char *name,
106606 struct lock_class_key *key);
106607diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
106608index 4cccea6..4382db9 100644
106609--- a/kernel/locking/mutex.c
106610+++ b/kernel/locking/mutex.c
106611@@ -533,7 +533,7 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
106612 goto skip_wait;
106613
106614 debug_mutex_lock_common(lock, &waiter);
106615- debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
106616+ debug_mutex_add_waiter(lock, &waiter, task);
106617
106618 /* add waiting tasks to the end of the waitqueue (FIFO): */
106619 list_add_tail(&waiter.list, &lock->wait_list);
106620@@ -580,7 +580,7 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
106621 }
106622 __set_task_state(task, TASK_RUNNING);
106623
106624- mutex_remove_waiter(lock, &waiter, current_thread_info());
106625+ mutex_remove_waiter(lock, &waiter, task);
106626 /* set it to 0 if there are no waiters left: */
106627 if (likely(list_empty(&lock->wait_list)))
106628 atomic_set(&lock->count, 0);
106629@@ -601,7 +601,7 @@ skip_wait:
106630 return 0;
106631
106632 err:
106633- mutex_remove_waiter(lock, &waiter, task_thread_info(task));
106634+ mutex_remove_waiter(lock, &waiter, task);
106635 spin_unlock_mutex(&lock->wait_lock, flags);
106636 debug_mutex_free_waiter(&waiter);
106637 mutex_release(&lock->dep_map, 1, ip);
106638diff --git a/kernel/locking/rtmutex-tester.c b/kernel/locking/rtmutex-tester.c
106639index 1d96dd0..994ff19 100644
106640--- a/kernel/locking/rtmutex-tester.c
106641+++ b/kernel/locking/rtmutex-tester.c
106642@@ -22,7 +22,7 @@
106643 #define MAX_RT_TEST_MUTEXES 8
106644
106645 static spinlock_t rttest_lock;
106646-static atomic_t rttest_event;
106647+static atomic_unchecked_t rttest_event;
106648
106649 struct test_thread_data {
106650 int opcode;
106651@@ -63,7 +63,7 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
106652
106653 case RTTEST_LOCKCONT:
106654 td->mutexes[td->opdata] = 1;
106655- td->event = atomic_add_return(1, &rttest_event);
106656+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106657 return 0;
106658
106659 case RTTEST_RESET:
106660@@ -76,7 +76,7 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
106661 return 0;
106662
106663 case RTTEST_RESETEVENT:
106664- atomic_set(&rttest_event, 0);
106665+ atomic_set_unchecked(&rttest_event, 0);
106666 return 0;
106667
106668 default:
106669@@ -93,9 +93,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
106670 return ret;
106671
106672 td->mutexes[id] = 1;
106673- td->event = atomic_add_return(1, &rttest_event);
106674+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106675 rt_mutex_lock(&mutexes[id]);
106676- td->event = atomic_add_return(1, &rttest_event);
106677+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106678 td->mutexes[id] = 4;
106679 return 0;
106680
106681@@ -106,9 +106,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
106682 return ret;
106683
106684 td->mutexes[id] = 1;
106685- td->event = atomic_add_return(1, &rttest_event);
106686+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106687 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
106688- td->event = atomic_add_return(1, &rttest_event);
106689+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106690 td->mutexes[id] = ret ? 0 : 4;
106691 return ret ? -EINTR : 0;
106692
106693@@ -117,9 +117,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
106694 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
106695 return ret;
106696
106697- td->event = atomic_add_return(1, &rttest_event);
106698+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106699 rt_mutex_unlock(&mutexes[id]);
106700- td->event = atomic_add_return(1, &rttest_event);
106701+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106702 td->mutexes[id] = 0;
106703 return 0;
106704
106705@@ -166,7 +166,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
106706 break;
106707
106708 td->mutexes[dat] = 2;
106709- td->event = atomic_add_return(1, &rttest_event);
106710+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106711 break;
106712
106713 default:
106714@@ -186,7 +186,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
106715 return;
106716
106717 td->mutexes[dat] = 3;
106718- td->event = atomic_add_return(1, &rttest_event);
106719+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106720 break;
106721
106722 case RTTEST_LOCKNOWAIT:
106723@@ -198,7 +198,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
106724 return;
106725
106726 td->mutexes[dat] = 1;
106727- td->event = atomic_add_return(1, &rttest_event);
106728+ td->event = atomic_add_return_unchecked(1, &rttest_event);
106729 return;
106730
106731 default:
106732diff --git a/kernel/module.c b/kernel/module.c
106733index b86b7bf..f5eaa56 100644
106734--- a/kernel/module.c
106735+++ b/kernel/module.c
106736@@ -59,6 +59,7 @@
106737 #include <linux/jump_label.h>
106738 #include <linux/pfn.h>
106739 #include <linux/bsearch.h>
106740+#include <linux/grsecurity.h>
106741 #include <uapi/linux/module.h>
106742 #include "module-internal.h"
106743
106744@@ -108,7 +109,7 @@ static LIST_HEAD(modules);
106745 * Use a latched RB-tree for __module_address(); this allows us to use
106746 * RCU-sched lookups of the address from any context.
106747 *
106748- * Because modules have two address ranges: init and core, we need two
106749+ * Because modules have four address ranges: init_{rw,rx} and core_{rw,rx}, we need four
106750 * latch_tree_nodes entries. Therefore we need the back-pointer from
106751 * mod_tree_node.
106752 *
106753@@ -125,10 +126,14 @@ static __always_inline unsigned long __mod_tree_val(struct latch_tree_node *n)
106754 struct mod_tree_node *mtn = container_of(n, struct mod_tree_node, node);
106755 struct module *mod = mtn->mod;
106756
106757- if (unlikely(mtn == &mod->mtn_init))
106758- return (unsigned long)mod->module_init;
106759+ if (unlikely(mtn == &mod->mtn_init_rw))
106760+ return (unsigned long)mod->module_init_rw;
106761+ if (unlikely(mtn == &mod->mtn_init_rx))
106762+ return (unsigned long)mod->module_init_rx;
106763
106764- return (unsigned long)mod->module_core;
106765+ if (unlikely(mtn == &mod->mtn_core_rw))
106766+ return (unsigned long)mod->module_core_rw;
106767+ return (unsigned long)mod->module_core_rx;
106768 }
106769
106770 static __always_inline unsigned long __mod_tree_size(struct latch_tree_node *n)
106771@@ -136,10 +141,14 @@ static __always_inline unsigned long __mod_tree_size(struct latch_tree_node *n)
106772 struct mod_tree_node *mtn = container_of(n, struct mod_tree_node, node);
106773 struct module *mod = mtn->mod;
106774
106775- if (unlikely(mtn == &mod->mtn_init))
106776- return (unsigned long)mod->init_size;
106777+ if (unlikely(mtn == &mod->mtn_init_rw))
106778+ return (unsigned long)mod->init_size_rw;
106779+ if (unlikely(mtn == &mod->mtn_init_rx))
106780+ return (unsigned long)mod->init_size_rx;
106781
106782- return (unsigned long)mod->core_size;
106783+ if (unlikely(mtn == &mod->mtn_core_rw))
106784+ return (unsigned long)mod->core_size_rw;
106785+ return (unsigned long)mod->core_size_rx;
106786 }
106787
106788 static __always_inline bool
106789@@ -172,14 +181,19 @@ static const struct latch_tree_ops mod_tree_ops = {
106790
106791 static struct mod_tree_root {
106792 struct latch_tree_root root;
106793- unsigned long addr_min;
106794- unsigned long addr_max;
106795+ unsigned long addr_min_rw;
106796+ unsigned long addr_min_rx;
106797+ unsigned long addr_max_rw;
106798+ unsigned long addr_max_rx;
106799 } mod_tree __cacheline_aligned = {
106800- .addr_min = -1UL,
106801+ .addr_min_rw = -1UL,
106802+ .addr_min_rx = -1UL,
106803 };
106804
106805-#define module_addr_min mod_tree.addr_min
106806-#define module_addr_max mod_tree.addr_max
106807+#define module_addr_min_rw mod_tree.addr_min_rw
106808+#define module_addr_min_rx mod_tree.addr_min_rx
106809+#define module_addr_max_rw mod_tree.addr_max_rw
106810+#define module_addr_max_rx mod_tree.addr_max_rx
106811
106812 static noinline void __mod_tree_insert(struct mod_tree_node *node)
106813 {
106814@@ -197,23 +211,31 @@ static void __mod_tree_remove(struct mod_tree_node *node)
106815 */
106816 static void mod_tree_insert(struct module *mod)
106817 {
106818- mod->mtn_core.mod = mod;
106819- mod->mtn_init.mod = mod;
106820+ mod->mtn_core_rw.mod = mod;
106821+ mod->mtn_core_rx.mod = mod;
106822+ mod->mtn_init_rw.mod = mod;
106823+ mod->mtn_init_rx.mod = mod;
106824
106825- __mod_tree_insert(&mod->mtn_core);
106826- if (mod->init_size)
106827- __mod_tree_insert(&mod->mtn_init);
106828+ __mod_tree_insert(&mod->mtn_core_rw);
106829+ __mod_tree_insert(&mod->mtn_core_rx);
106830+ if (mod->init_size_rw)
106831+ __mod_tree_insert(&mod->mtn_init_rw);
106832+ if (mod->init_size_rx)
106833+ __mod_tree_insert(&mod->mtn_init_rx);
106834 }
106835
106836 static void mod_tree_remove_init(struct module *mod)
106837 {
106838- if (mod->init_size)
106839- __mod_tree_remove(&mod->mtn_init);
106840+ if (mod->init_size_rw)
106841+ __mod_tree_remove(&mod->mtn_init_rw);
106842+ if (mod->init_size_rx)
106843+ __mod_tree_remove(&mod->mtn_init_rx);
106844 }
106845
106846 static void mod_tree_remove(struct module *mod)
106847 {
106848- __mod_tree_remove(&mod->mtn_core);
106849+ __mod_tree_remove(&mod->mtn_core_rw);
106850+ __mod_tree_remove(&mod->mtn_core_rx);
106851 mod_tree_remove_init(mod);
106852 }
106853
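Review bot: In `mod_tree_insert` the two init nodes are inserted only when their size is non-zero, but `mtn_core_rw` and `mtn_core_rx` are inserted unconditionally, and `mod_tree_remove` mirrors that. Whether a module can have an empty core_rx or core_rw region after the split is not visible here; if it can, a zero-length node keyed on that base would enter the tree. Either guard the core inserts and removes like the init ones, e.g. `if (mod->core_size_rx)`, or add a comment stating that both core regions are always non-empty. The same applies to the unconditional core calls in `mod_update_bounds` in the later hunk.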
106854@@ -230,7 +252,8 @@ static struct module *mod_find(unsigned long addr)
106855
106856 #else /* MODULES_TREE_LOOKUP */
106857
106858-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
106859+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
106860+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
106861
106862 static void mod_tree_insert(struct module *mod) { }
106863 static void mod_tree_remove_init(struct module *mod) { }
106864@@ -254,22 +277,36 @@ static struct module *mod_find(unsigned long addr)
106865 * Bounds of module text, for speeding up __module_address.
106866 * Protected by module_mutex.
106867 */
106868-static void __mod_update_bounds(void *base, unsigned int size)
106869+static void __mod_update_bounds_rw(void *base, unsigned int size)
106870 {
106871 unsigned long min = (unsigned long)base;
106872 unsigned long max = min + size;
106873
106874- if (min < module_addr_min)
106875- module_addr_min = min;
106876- if (max > module_addr_max)
106877- module_addr_max = max;
106878+ if (min < module_addr_min_rw)
106879+ module_addr_min_rw = min;
106880+ if (max > module_addr_max_rw)
106881+ module_addr_max_rw = max;
106882+}
106883+
106884+static void __mod_update_bounds_rx(void *base, unsigned int size)
106885+{
106886+ unsigned long min = (unsigned long)base;
106887+ unsigned long max = min + size;
106888+
106889+ if (min < module_addr_min_rx)
106890+ module_addr_min_rx = min;
106891+ if (max > module_addr_max_rx)
106892+ module_addr_max_rx = max;
106893 }
106894
106895 static void mod_update_bounds(struct module *mod)
106896 {
106897- __mod_update_bounds(mod->module_core, mod->core_size);
106898- if (mod->init_size)
106899- __mod_update_bounds(mod->module_init, mod->init_size);
106900+ __mod_update_bounds_rw(mod->module_core_rw, mod->core_size_rw);
106901+ __mod_update_bounds_rx(mod->module_core_rx, mod->core_size_rx);
106902+ if (mod->init_size_rw)
106903+ __mod_update_bounds_rw(mod->module_init_rw, mod->init_size_rw);
106904+ if (mod->init_size_rx)
106905+ __mod_update_bounds_rx(mod->module_init_rx, mod->init_size_rx);
106906 }
106907
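Review bot: `__mod_update_bounds_rw` and `__mod_update_bounds_rx` are the same four lines apart from the pair of variables they update. One helper taking the bounds by pointer avoids the copy and keeps future fixes in one place. `module_addr_min_rw` and its siblings are lvalues in both the MODULES_TREE_LOOKUP and the fallback configuration shown in the earlier hunks, so taking their address works in either. In the sketch below, `mod_update_bounds` passes the matching pair on each call.

```c
static void __mod_update_bounds(void *base, unsigned int size,
				unsigned long *lo, unsigned long *hi)
{
	unsigned long min = (unsigned long)base;
	unsigned long max = min + size;

	if (min < *lo)
		*lo = min;
	if (max > *hi)
		*hi = max;
}

/* … mod_update_bounds: same four calls, each passing its own bounds pair … */
	__mod_update_bounds(mod->module_core_rw, mod->core_size_rw,
			    &module_addr_min_rw, &module_addr_max_rw);
```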
106908 #ifdef CONFIG_KGDB_KDB
106909@@ -298,7 +335,7 @@ module_param(sig_enforce, bool_enable_only, 0644);
106910 #endif /* !CONFIG_MODULE_SIG_FORCE */
106911
106912 /* Block module loading/unloading? */
106913-int modules_disabled = 0;
106914+int modules_disabled __read_only = 0;
106915 core_param(nomodule, modules_disabled, bint, 0);
106916
106917 /* Waiting for a module to finish initializing? */
106918@@ -473,7 +510,7 @@ bool each_symbol_section(bool (*fn)(const struct symsearch *arr,
106919 return true;
106920
106921 list_for_each_entry_rcu(mod, &modules, list) {
106922- struct symsearch arr[] = {
106923+ struct symsearch modarr[] = {
106924 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
106925 NOT_GPL_ONLY, false },
106926 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
106927@@ -498,7 +535,7 @@ bool each_symbol_section(bool (*fn)(const struct symsearch *arr,
106928 if (mod->state == MODULE_STATE_UNFORMED)
106929 continue;
106930
106931- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
106932+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
106933 return true;
106934 }
106935 return false;
106936@@ -644,7 +681,7 @@ static int percpu_modalloc(struct module *mod, struct load_info *info)
106937 if (!pcpusec->sh_size)
106938 return 0;
106939
106940- if (align > PAGE_SIZE) {
106941+ if (align-1 >= PAGE_SIZE) {
106942 pr_warn("%s: per-cpu alignment %li > %li\n",
106943 mod->name, align, PAGE_SIZE);
106944 align = PAGE_SIZE;
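Review bot: `if (align-1 >= PAGE_SIZE)` now also catches `align == 0`, because `align - 1` wraps in the unsigned comparison, but the `pr_warn` below still prints "per-cpu alignment %li > %li", which for zero reads as "0 > PAGE_SIZE". Spelling the two cases out, `if (align == 0 || align > PAGE_SIZE)`, or at least adding `/* align - 1 wraps for 0, so a zero alignment is clamped too */`, makes the intent visible. percpu_modalloc starts and ends outside this hunk, including the declaration of `align`.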
106945@@ -1210,7 +1247,7 @@ struct module_attribute module_uevent =
106946 static ssize_t show_coresize(struct module_attribute *mattr,
106947 struct module_kobject *mk, char *buffer)
106948 {
106949- return sprintf(buffer, "%u\n", mk->mod->core_size);
106950+ return sprintf(buffer, "%u\n", mk->mod->core_size_rx + mk->mod->core_size_rw);
106951 }
106952
106953 static struct module_attribute modinfo_coresize =
106954@@ -1219,7 +1256,7 @@ static struct module_attribute modinfo_coresize =
106955 static ssize_t show_initsize(struct module_attribute *mattr,
106956 struct module_kobject *mk, char *buffer)
106957 {
106958- return sprintf(buffer, "%u\n", mk->mod->init_size);
106959+ return sprintf(buffer, "%u\n", mk->mod->init_size_rx + mk->mod->init_size_rw);
106960 }
106961
106962 static struct module_attribute modinfo_initsize =
106963@@ -1311,12 +1348,29 @@ static int check_version(Elf_Shdr *sechdrs,
106964 goto bad_version;
106965 }
106966
106967+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
106968+ /*
106969+ * avoid potentially printing jibberish on attempted load
106970+ * of a module randomized with a different seed
106971+ */
106972+ pr_warn("no symbol version for %s\n", symname);
106973+#else
106974 pr_warn("%s: no symbol version for %s\n", mod->name, symname);
106975+#endif
106976 return 0;
106977
106978 bad_version:
106979+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
106980+ /*
106981+ * avoid potentially printing jibberish on attempted load
106982+ * of a module randomized with a different seed
106983+ */
106984+ pr_warn("attempted module disagrees about version of symbol %s\n",
106985+ symname);
106986+#else
106987 pr_warn("%s: disagrees about version of symbol %s\n",
106988 mod->name, symname);
106989+#endif
106990 return 0;
106991 }
106992
106993@@ -1444,7 +1498,7 @@ resolve_symbol_wait(struct module *mod,
106994 */
106995 #ifdef CONFIG_SYSFS
106996
106997-#ifdef CONFIG_KALLSYMS
106998+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
106999 static inline bool sect_empty(const Elf_Shdr *sect)
107000 {
107001 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
107002@@ -1582,7 +1636,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
107003 {
107004 unsigned int notes, loaded, i;
107005 struct module_notes_attrs *notes_attrs;
107006- struct bin_attribute *nattr;
107007+ bin_attribute_no_const *nattr;
107008
107009 /* failed to create section attributes, so can't create notes */
107010 if (!mod->sect_attrs)
107011@@ -1694,7 +1748,7 @@ static void del_usage_links(struct module *mod)
107012 static int module_add_modinfo_attrs(struct module *mod)
107013 {
107014 struct module_attribute *attr;
107015- struct module_attribute *temp_attr;
107016+ module_attribute_no_const *temp_attr;
107017 int error = 0;
107018 int i;
107019
107020@@ -1911,21 +1965,21 @@ static void set_section_ro_nx(void *base,
107021
107022 static void unset_module_core_ro_nx(struct module *mod)
107023 {
107024- set_page_attributes(mod->module_core + mod->core_text_size,
107025- mod->module_core + mod->core_size,
107026+ set_page_attributes(mod->module_core_rw,
107027+ mod->module_core_rw + mod->core_size_rw,
107028 set_memory_x);
107029- set_page_attributes(mod->module_core,
107030- mod->module_core + mod->core_ro_size,
107031+ set_page_attributes(mod->module_core_rx,
107032+ mod->module_core_rx + mod->core_size_rx,
107033 set_memory_rw);
107034 }
107035
107036 static void unset_module_init_ro_nx(struct module *mod)
107037 {
107038- set_page_attributes(mod->module_init + mod->init_text_size,
107039- mod->module_init + mod->init_size,
107040+ set_page_attributes(mod->module_init_rw,
107041+ mod->module_init_rw + mod->init_size_rw,
107042 set_memory_x);
107043- set_page_attributes(mod->module_init,
107044- mod->module_init + mod->init_ro_size,
107045+ set_page_attributes(mod->module_init_rx,
107046+ mod->module_init_rx + mod->init_size_rx,
107047 set_memory_rw);
107048 }
107049
107050@@ -1938,14 +1992,14 @@ void set_all_modules_text_rw(void)
107051 list_for_each_entry_rcu(mod, &modules, list) {
107052 if (mod->state == MODULE_STATE_UNFORMED)
107053 continue;
107054- if ((mod->module_core) && (mod->core_text_size)) {
107055- set_page_attributes(mod->module_core,
107056- mod->module_core + mod->core_text_size,
107057+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
107058+ set_page_attributes(mod->module_core_rx,
107059+ mod->module_core_rx + mod->core_size_rx,
107060 set_memory_rw);
107061 }
107062- if ((mod->module_init) && (mod->init_text_size)) {
107063- set_page_attributes(mod->module_init,
107064- mod->module_init + mod->init_text_size,
107065+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
107066+ set_page_attributes(mod->module_init_rx,
107067+ mod->module_init_rx + mod->init_size_rx,
107068 set_memory_rw);
107069 }
107070 }
107071@@ -1961,14 +2015,14 @@ void set_all_modules_text_ro(void)
107072 list_for_each_entry_rcu(mod, &modules, list) {
107073 if (mod->state == MODULE_STATE_UNFORMED)
107074 continue;
107075- if ((mod->module_core) && (mod->core_text_size)) {
107076- set_page_attributes(mod->module_core,
107077- mod->module_core + mod->core_text_size,
107078+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
107079+ set_page_attributes(mod->module_core_rx,
107080+ mod->module_core_rx + mod->core_size_rx,
107081 set_memory_ro);
107082 }
107083- if ((mod->module_init) && (mod->init_text_size)) {
107084- set_page_attributes(mod->module_init,
107085- mod->module_init + mod->init_text_size,
107086+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
107087+ set_page_attributes(mod->module_init_rx,
107088+ mod->module_init_rx + mod->init_size_rx,
107089 set_memory_ro);
107090 }
107091 }
107092@@ -1977,7 +2031,15 @@ void set_all_modules_text_ro(void)
107093 #else
107094 static inline void set_section_ro_nx(void *base, unsigned long text_size, unsigned long ro_size, unsigned long total_size) { }
107095 static void unset_module_core_ro_nx(struct module *mod) { }
107096-static void unset_module_init_ro_nx(struct module *mod) { }
107097+static void unset_module_init_ro_nx(struct module *mod)
107098+{
107099+
107100+#ifdef CONFIG_PAX_KERNEXEC
107101+ set_memory_nx((unsigned long)mod->module_init_rx, PFN_UP(mod->init_size_rx));
107102+ set_memory_rw((unsigned long)mod->module_init_rx, PFN_UP(mod->init_size_rx));
107103+#endif
107104+
107105+}
107106 #endif
107107
107108 void __weak module_memfree(void *module_region)
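Review bot: The KERNEXEC body added to the stub `unset_module_init_ro_nx()` has no comment saying why the init RX area is switched to NX and then to writable, and the results of `set_memory_nx()` and `set_memory_rw()` are discarded. Judging from the callers in this file, which free `module_init_rx` straight afterwards, a comment such as `/* drop exec and restore write on the init RX area before it is freed */` would record the intent. If either call can fail, the area is returned to the allocator still executable or still read-only, so at least a `WARN_ON()` around each call is worth adding.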
107109@@ -2032,16 +2094,19 @@ static void free_module(struct module *mod)
107110 /* This may be NULL, but that's OK */
107111 unset_module_init_ro_nx(mod);
107112 module_arch_freeing_init(mod);
107113- module_memfree(mod->module_init);
107114+ module_memfree(mod->module_init_rw);
107115+ module_memfree_exec(mod->module_init_rx);
107116 kfree(mod->args);
107117 percpu_modfree(mod);
107118
107119 /* Free lock-classes; relies on the preceding sync_rcu(). */
107120- lockdep_free_key_range(mod->module_core, mod->core_size);
107121+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
107122+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
107123
107124 /* Finally, free the core (containing the module structure) */
107125 unset_module_core_ro_nx(mod);
107126- module_memfree(mod->module_core);
107127+ module_memfree_exec(mod->module_core_rx);
107128+ module_memfree(mod->module_core_rw);
107129
107130 #ifdef CONFIG_MPU
107131 update_protections(current->mm);
107132@@ -2110,9 +2175,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107133 int ret = 0;
107134 const struct kernel_symbol *ksym;
107135
107136+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107137+ int is_fs_load = 0;
107138+ int register_filesystem_found = 0;
107139+ char *p;
107140+
107141+ p = strstr(mod->args, "grsec_modharden_fs");
107142+ if (p) {
107143+ char *endptr = p + sizeof("grsec_modharden_fs") - 1;
107144+ /* copy \0 as well */
107145+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
107146+ is_fs_load = 1;
107147+ }
107148+#endif
107149+
107150 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
107151 const char *name = info->strtab + sym[i].st_name;
107152
107153+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107154+ /* it's a real shame this will never get ripped and copied
107155+ upstream! ;(
107156+ */
107157+ if (is_fs_load && !strcmp(name, "register_filesystem"))
107158+ register_filesystem_found = 1;
107159+#endif
107160+
107161 switch (sym[i].st_shndx) {
107162 case SHN_COMMON:
107163 /* Ignore common symbols */
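Review bot: The MODHARDEN block at the top of `simplify_symbols()` dereferences `mod->args` with no comment that the string must already have been copied in, which only holds because a later hunk moves the `strndup_user()` call in `load_module()` ahead of this function. A comment such as `/* mod->args is populated by load_module() before we run; strip the marker so the module never sees it */` would make that ordering dependency explicit. The comment added inside the loop ("it's a real shame…") says nothing about the check; something like `/* a module loaded on behalf of mount must reference register_filesystem */` would serve the next reader better. The function starts before this hunk and continues after it.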
107164@@ -2137,7 +2224,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107165 ksym = resolve_symbol_wait(mod, info, name);
107166 /* Ok if resolved. */
107167 if (ksym && !IS_ERR(ksym)) {
107168+ pax_open_kernel();
107169 sym[i].st_value = ksym->value;
107170+ pax_close_kernel();
107171 break;
107172 }
107173
107174@@ -2156,11 +2245,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107175 secbase = (unsigned long)mod_percpu(mod);
107176 else
107177 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
107178+ pax_open_kernel();
107179 sym[i].st_value += secbase;
107180+ pax_close_kernel();
107181 break;
107182 }
107183 }
107184
107185+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107186+ if (is_fs_load && !register_filesystem_found) {
107187+ printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
107188+ ret = -EPERM;
107189+ }
107190+#endif
107191+
107192 return ret;
107193 }
107194
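Review bot: `ret = -EPERM` in the MODHARDEN block after the loop is assigned unconditionally, so any error stored in `ret` earlier in the function is replaced and the caller sees a permission error even when the first failure was something else. Most of the loop that sets `ret` is outside this hunk, so this is inferred from `int ret = 0` and the final `return ret`. If the earlier error should be preserved while still logging the denial, use `if (!ret) ret = -EPERM;`.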
107195@@ -2244,22 +2342,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
107196 || s->sh_entsize != ~0UL
107197 || strstarts(sname, ".init"))
107198 continue;
107199- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
107200+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
107201+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
107202+ else
107203+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
107204 pr_debug("\t%s\n", sname);
107205 }
107206- switch (m) {
107207- case 0: /* executable */
107208- mod->core_size = debug_align(mod->core_size);
107209- mod->core_text_size = mod->core_size;
107210- break;
107211- case 1: /* RO: text and ro-data */
107212- mod->core_size = debug_align(mod->core_size);
107213- mod->core_ro_size = mod->core_size;
107214- break;
107215- case 3: /* whole core */
107216- mod->core_size = debug_align(mod->core_size);
107217- break;
107218- }
107219 }
107220
107221 pr_debug("Init section allocation order:\n");
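Review bot: The region test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init pass of `layout_sections()` in the next hunk, and twice more in `move_module()`. Offsets are computed by one copy and destinations chosen by another, so if the copies ever diverge a section is written at an offset that was sized for the other region. One helper would keep them in step, e.g. `static bool section_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. `layout_sections()` starts before this hunk.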
107222@@ -2273,23 +2361,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
107223 || s->sh_entsize != ~0UL
107224 || !strstarts(sname, ".init"))
107225 continue;
107226- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
107227- | INIT_OFFSET_MASK);
107228+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
107229+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
107230+ else
107231+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
107232+ s->sh_entsize |= INIT_OFFSET_MASK;
107233 pr_debug("\t%s\n", sname);
107234 }
107235- switch (m) {
107236- case 0: /* executable */
107237- mod->init_size = debug_align(mod->init_size);
107238- mod->init_text_size = mod->init_size;
107239- break;
107240- case 1: /* RO: text and ro-data */
107241- mod->init_size = debug_align(mod->init_size);
107242- mod->init_ro_size = mod->init_size;
107243- break;
107244- case 3: /* whole init */
107245- mod->init_size = debug_align(mod->init_size);
107246- break;
107247- }
107248 }
107249 }
107250
107251@@ -2462,7 +2540,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
107252
107253 /* Put symbol section at end of init part of module. */
107254 symsect->sh_flags |= SHF_ALLOC;
107255- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
107256+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
107257 info->index.sym) | INIT_OFFSET_MASK;
107258 pr_debug("\t%s\n", info->secstrings + symsect->sh_name);
107259
107260@@ -2479,16 +2557,16 @@ static void layout_symtab(struct module *mod, struct load_info *info)
107261 }
107262
107263 /* Append room for core symbols at end of core part. */
107264- info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
107265- info->stroffs = mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
107266- mod->core_size += strtab_size;
107267- mod->core_size = debug_align(mod->core_size);
107268+ info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
107269+ info->stroffs = mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
107270+ mod->core_size_rx += strtab_size;
107271+ mod->core_size_rx = debug_align(mod->core_size_rx);
107272
107273 /* Put string table section at end of init part of module. */
107274 strsect->sh_flags |= SHF_ALLOC;
107275- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
107276+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
107277 info->index.str) | INIT_OFFSET_MASK;
107278- mod->init_size = debug_align(mod->init_size);
107279+ mod->init_size_rx = debug_align(mod->init_size_rx);
107280 pr_debug("\t%s\n", info->secstrings + strsect->sh_name);
107281 }
107282
107283@@ -2505,12 +2583,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
107284 /* Make sure we get permanent strtab: don't use info->strtab. */
107285 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
107286
107287+ pax_open_kernel();
107288+
107289 /* Set types up while we still have access to sections. */
107290 for (i = 0; i < mod->num_symtab; i++)
107291 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
107292
107293- mod->core_symtab = dst = mod->module_core + info->symoffs;
107294- mod->core_strtab = s = mod->module_core + info->stroffs;
107295+ mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
107296+ mod->core_strtab = s = mod->module_core_rx + info->stroffs;
107297 src = mod->symtab;
107298 for (ndst = i = 0; i < mod->num_symtab; i++) {
107299 if (i == 0 ||
107300@@ -2522,6 +2602,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
107301 }
107302 }
107303 mod->core_num_syms = ndst;
107304+
107305+ pax_close_kernel();
107306 }
107307 #else
107308 static inline void layout_symtab(struct module *mod, struct load_info *info)
107309@@ -2821,7 +2903,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
107310 mod = (void *)info->sechdrs[info->index.mod].sh_addr;
107311
107312 if (info->index.sym == 0) {
107313+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
107314+ /*
107315+ * avoid potentially printing jibberish on attempted load
107316+ * of a module randomized with a different seed
107317+ */
107318+ pr_warn("module has no symbols (stripped?)\n");
107319+#else
107320 pr_warn("%s: module has no symbols (stripped?)\n", mod->name);
107321+#endif
107322 return ERR_PTR(-ENOEXEC);
107323 }
107324
107325@@ -2837,8 +2927,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
107326 static int check_modinfo(struct module *mod, struct load_info *info, int flags)
107327 {
107328 const char *modmagic = get_modinfo(info, "vermagic");
107329+ const char *license = get_modinfo(info, "license");
107330 int err;
107331
107332+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
107333+ if (!license || !license_is_gpl_compatible(license))
107334+ return -ENOEXEC;
107335+#endif
107336+
107337 if (flags & MODULE_INIT_IGNORE_VERMAGIC)
107338 modmagic = NULL;
107339
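Review bot: The new `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR` check in `check_modinfo()` returns `-ENOEXEC` without logging anything, so an administrator sees only "Exec format error" and cannot tell that the license was the reason. A message before the return would fix that, e.g. `pr_err("module rejected: license is not GPL-compatible, required with KERNEXEC plugin method 'or'\n");`. A one-line comment on why this configuration needs the restriction is also missing.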
107340@@ -2863,7 +2959,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
107341 }
107342
107343 /* Set up license info based on the info section */
107344- set_license(mod, get_modinfo(info, "license"));
107345+ set_license(mod, license);
107346
107347 return 0;
107348 }
107349@@ -2960,7 +3056,7 @@ static int move_module(struct module *mod, struct load_info *info)
107350 void *ptr;
107351
107352 /* Do the allocs. */
107353- ptr = module_alloc(mod->core_size);
107354+ ptr = module_alloc(mod->core_size_rw);
107355 /*
107356 * The pointer to this block is stored in the module structure
107357 * which is inside the block. Just mark it as not being a
107358@@ -2970,11 +3066,11 @@ static int move_module(struct module *mod, struct load_info *info)
107359 if (!ptr)
107360 return -ENOMEM;
107361
107362- memset(ptr, 0, mod->core_size);
107363- mod->module_core = ptr;
107364+ memset(ptr, 0, mod->core_size_rw);
107365+ mod->module_core_rw = ptr;
107366
107367- if (mod->init_size) {
107368- ptr = module_alloc(mod->init_size);
107369+ if (mod->init_size_rw) {
107370+ ptr = module_alloc(mod->init_size_rw);
107371 /*
107372 * The pointer to this block is stored in the module structure
107373 * which is inside the block. This block doesn't need to be
107374@@ -2983,13 +3079,45 @@ static int move_module(struct module *mod, struct load_info *info)
107375 */
107376 kmemleak_ignore(ptr);
107377 if (!ptr) {
107378- module_memfree(mod->module_core);
107379+ module_memfree(mod->module_core_rw);
107380 return -ENOMEM;
107381 }
107382- memset(ptr, 0, mod->init_size);
107383- mod->module_init = ptr;
107384+ memset(ptr, 0, mod->init_size_rw);
107385+ mod->module_init_rw = ptr;
107386 } else
107387- mod->module_init = NULL;
107388+ mod->module_init_rw = NULL;
107389+
107390+ ptr = module_alloc_exec(mod->core_size_rx);
107391+ kmemleak_not_leak(ptr);
107392+ if (!ptr) {
107393+ if (mod->module_init_rw)
107394+ module_memfree(mod->module_init_rw);
107395+ module_memfree(mod->module_core_rw);
107396+ return -ENOMEM;
107397+ }
107398+
107399+ pax_open_kernel();
107400+ memset(ptr, 0, mod->core_size_rx);
107401+ pax_close_kernel();
107402+ mod->module_core_rx = ptr;
107403+
107404+ if (mod->init_size_rx) {
107405+ ptr = module_alloc_exec(mod->init_size_rx);
107406+ kmemleak_ignore(ptr);
107407+ if (!ptr && mod->init_size_rx) {
107408+ module_memfree_exec(mod->module_core_rx);
107409+ if (mod->module_init_rw)
107410+ module_memfree(mod->module_init_rw);
107411+ module_memfree(mod->module_core_rw);
107412+ return -ENOMEM;
107413+ }
107414+
107415+ pax_open_kernel();
107416+ memset(ptr, 0, mod->init_size_rx);
107417+ pax_close_kernel();
107418+ mod->module_init_rx = ptr;
107419+ } else
107420+ mod->module_init_rx = NULL;
107421
107422 /* Transfer each section which specifies SHF_ALLOC */
107423 pr_debug("final section addresses:\n");
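Review bot: The three allocation-failure paths in this hunk each repeat the list of regions to release, and the innermost test `if (!ptr && mod->init_size_rx)` re-checks a condition that the enclosing `if (mod->init_size_rx)` already guarantees. Every region added later has to be remembered in each copy, which is how a leaked executable mapping gets introduced; unwinding through labels keeps the release order in one place. The rest of `move_module()`, including its `return 0`, lies outside the hunk, so the labels below would sit after it.

```c
	ptr = module_alloc_exec(mod->core_size_rx);
	kmemleak_not_leak(ptr);
	if (!ptr)
		goto free_rw;
	/* … unchanged: zero the area under pax_open_kernel(), store module_core_rx … */

	if (mod->init_size_rx) {
		ptr = module_alloc_exec(mod->init_size_rx);
		kmemleak_ignore(ptr);
		if (!ptr)
			goto free_core_rx;
		/* … unchanged: zero the area under pax_open_kernel(), store module_init_rx … */
	} else
		mod->module_init_rx = NULL;

	/* … unchanged: section copy loop and return 0 … */

free_core_rx:
	module_memfree_exec(mod->module_core_rx);
free_rw:
	if (mod->module_init_rw)
		module_memfree(mod->module_init_rw);
	module_memfree(mod->module_core_rw);
	return -ENOMEM;
```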
107424@@ -3000,16 +3128,45 @@ static int move_module(struct module *mod, struct load_info *info)
107425 if (!(shdr->sh_flags & SHF_ALLOC))
107426 continue;
107427
107428- if (shdr->sh_entsize & INIT_OFFSET_MASK)
107429- dest = mod->module_init
107430- + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
107431- else
107432- dest = mod->module_core + shdr->sh_entsize;
107433+ if (shdr->sh_entsize & INIT_OFFSET_MASK) {
107434+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
107435+ dest = mod->module_init_rw
107436+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
107437+ else
107438+ dest = mod->module_init_rx
107439+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
107440+ } else {
107441+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
107442+ dest = mod->module_core_rw + shdr->sh_entsize;
107443+ else
107444+ dest = mod->module_core_rx + shdr->sh_entsize;
107445+ }
107446+
107447+ if (shdr->sh_type != SHT_NOBITS) {
107448+
107449+#ifdef CONFIG_PAX_KERNEXEC
107450+#ifdef CONFIG_X86_64
107451+ if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
107452+ set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
107453+#endif
107454+ if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
107455+ pax_open_kernel();
107456+ memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
107457+ pax_close_kernel();
107458+ } else
107459+#endif
107460
107461- if (shdr->sh_type != SHT_NOBITS)
107462 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
107463+ }
107464 /* Update sh_addr to point to copy in image. */
107465- shdr->sh_addr = (unsigned long)dest;
107466+
107467+#ifdef CONFIG_PAX_KERNEXEC
107468+ if (shdr->sh_flags & SHF_EXECINSTR)
107469+ shdr->sh_addr = ktva_ktla((unsigned long)dest);
107470+ else
107471+#endif
107472+
107473+ shdr->sh_addr = (unsigned long)dest;
107474 pr_debug("\t0x%lx %s\n",
107475 (long)shdr->sh_addr, info->secstrings + shdr->sh_name);
107476 }
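Review bot: In the X86_64 branch, `set_memory_x()` gets a page count derived from `sh_size` alone, `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT`, and a start address `dest` that is a base plus `sh_entsize` and need not be page aligned. A section that starts late in a page and crosses into the next can therefore be left partly non-executable, while any other data sharing those pages in the writable area becomes executable as well. Computing the range from the aligned start is safer: `set_memory_x((unsigned long)dest & PAGE_MASK, PFN_UP(((unsigned long)dest & ~PAGE_MASK) + shdr->sh_size));`. Separately, the `!(shdr->sh_flags & SHF_ALLOC)` half of the region test is dead here because the loop already `continue`s on non-ALLOC sections. The loop and `move_module()` start outside the hunk.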
107477@@ -3066,12 +3223,12 @@ static void flush_module_icache(const struct module *mod)
107478 * Do it before processing of module parameters, so the module
107479 * can provide parameter accessor functions of its own.
107480 */
107481- if (mod->module_init)
107482- flush_icache_range((unsigned long)mod->module_init,
107483- (unsigned long)mod->module_init
107484- + mod->init_size);
107485- flush_icache_range((unsigned long)mod->module_core,
107486- (unsigned long)mod->module_core + mod->core_size);
107487+ if (mod->module_init_rx)
107488+ flush_icache_range((unsigned long)mod->module_init_rx,
107489+ (unsigned long)mod->module_init_rx
107490+ + mod->init_size_rx);
107491+ flush_icache_range((unsigned long)mod->module_core_rx,
107492+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
107493
107494 set_fs(old_fs);
107495 }
107496@@ -3129,8 +3286,10 @@ static void module_deallocate(struct module *mod, struct load_info *info)
107497 {
107498 percpu_modfree(mod);
107499 module_arch_freeing_init(mod);
107500- module_memfree(mod->module_init);
107501- module_memfree(mod->module_core);
107502+ module_memfree_exec(mod->module_init_rx);
107503+ module_memfree_exec(mod->module_core_rx);
107504+ module_memfree(mod->module_init_rw);
107505+ module_memfree(mod->module_core_rw);
107506 }
107507
107508 int __weak module_finalize(const Elf_Ehdr *hdr,
107509@@ -3143,7 +3302,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
107510 static int post_relocation(struct module *mod, const struct load_info *info)
107511 {
107512 /* Sort exception table now relocations are done. */
107513+ pax_open_kernel();
107514 sort_extable(mod->extable, mod->extable + mod->num_exentries);
107515+ pax_close_kernel();
107516
107517 /* Copy relocated percpu area over. */
107518 percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
107519@@ -3191,13 +3352,15 @@ static void do_mod_ctors(struct module *mod)
107520 /* For freeing module_init on success, in case kallsyms traversing */
107521 struct mod_initfree {
107522 struct rcu_head rcu;
107523- void *module_init;
107524+ void *module_init_rw;
107525+ void *module_init_rx;
107526 };
107527
107528 static void do_free_init(struct rcu_head *head)
107529 {
107530 struct mod_initfree *m = container_of(head, struct mod_initfree, rcu);
107531- module_memfree(m->module_init);
107532+ module_memfree(m->module_init_rw);
107533+ module_memfree_exec(m->module_init_rx);
107534 kfree(m);
107535 }
107536
107537@@ -3217,7 +3380,8 @@ static noinline int do_init_module(struct module *mod)
107538 ret = -ENOMEM;
107539 goto fail;
107540 }
107541- freeinit->module_init = mod->module_init;
107542+ freeinit->module_init_rw = mod->module_init_rw;
107543+ freeinit->module_init_rx = mod->module_init_rx;
107544
107545 /*
107546 * We want to find out whether @mod uses async during init. Clear
107547@@ -3277,10 +3441,10 @@ static noinline int do_init_module(struct module *mod)
107548 mod_tree_remove_init(mod);
107549 unset_module_init_ro_nx(mod);
107550 module_arch_freeing_init(mod);
107551- mod->module_init = NULL;
107552- mod->init_size = 0;
107553- mod->init_ro_size = 0;
107554- mod->init_text_size = 0;
107555+ mod->module_init_rw = NULL;
107556+ mod->module_init_rx = NULL;
107557+ mod->init_size_rw = 0;
107558+ mod->init_size_rx = 0;
107559 /*
107560 * We want to free module_init, but be aware that kallsyms may be
107561 * walking this with preempt disabled. In all the failure paths, we
107562@@ -3370,16 +3534,16 @@ static int complete_formation(struct module *mod, struct load_info *info)
107563 module_bug_finalize(info->hdr, info->sechdrs, mod);
107564
107565 /* Set RO and NX regions for core */
107566- set_section_ro_nx(mod->module_core,
107567- mod->core_text_size,
107568- mod->core_ro_size,
107569- mod->core_size);
107570+ set_section_ro_nx(mod->module_core_rx,
107571+ mod->core_size_rx,
107572+ mod->core_size_rx,
107573+ mod->core_size_rx);
107574
107575 /* Set RO and NX regions for init */
107576- set_section_ro_nx(mod->module_init,
107577- mod->init_text_size,
107578- mod->init_ro_size,
107579- mod->init_size);
107580+ set_section_ro_nx(mod->module_init_rx,
107581+ mod->init_size_rx,
107582+ mod->init_size_rx,
107583+ mod->init_size_rx);
107584
107585 /* Mark state as coming so strong_try_module_get() ignores us,
107586 * but kallsyms etc. can see us. */
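Review bot: Both `set_section_ro_nx()` calls now pass the same value for the text size, the RO size and the total size, and nothing explains why. With all three equal, the whole RX area is presumably treated as read-only text, leaving the helper no range to mark NX; its body is not on this page. A comment would make the intent clear, e.g. `/* the RX area holds only text and read-only data; writable data lives in the separate *_rw area */`. The RW areas are not passed to any attribute call in this hunk, so their non-executable status presumably depends on how `module_alloc()` maps them, which is worth stating next to these calls. `complete_formation()` starts and ends outside the hunk.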
107587@@ -3474,9 +3638,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
107588 if (err)
107589 goto free_unload;
107590
107591+ /* Now copy in args */
107592+ mod->args = strndup_user(uargs, ~0UL >> 1);
107593+ if (IS_ERR(mod->args)) {
107594+ err = PTR_ERR(mod->args);
107595+ goto free_unload;
107596+ }
107597+
107598 /* Set up MODINFO_ATTR fields */
107599 setup_modinfo(mod, info);
107600
107601+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107602+ {
107603+ char *p, *p2;
107604+
107605+ if (strstr(mod->args, "grsec_modharden_netdev")) {
107606+ printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
107607+ err = -EPERM;
107608+ goto free_modinfo;
107609+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
107610+ p += sizeof("grsec_modharden_normal") - 1;
107611+ p2 = strstr(p, "_");
107612+ if (p2) {
107613+ *p2 = '\0';
107614+ printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
107615+ *p2 = '_';
107616+ }
107617+ err = -EPERM;
107618+ goto free_modinfo;
107619+ }
107620+ }
107621+#endif
107622+
107623 /* Fix up syms, so that st_value is a pointer to location. */
107624 err = simplify_symbols(mod, info);
107625 if (err < 0)
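Review bot: The `grsec_modharden_netdev` alert in the first `printk` lacks a trailing `\n`, unlike the other two grsec messages added to this file, so the record can run into whatever is logged next; end the format string with `instead.\n"`. When `grsec_modharden_normal` is present but no `_` follows it, the load is denied with `-EPERM` and nothing is logged at all. An `else` branch that logs the denial without the uid would keep the audit trail complete. `load_module()` starts and ends outside the hunk.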
107626@@ -3492,13 +3685,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
107627
107628 flush_module_icache(mod);
107629
107630- /* Now copy in args */
107631- mod->args = strndup_user(uargs, ~0UL >> 1);
107632- if (IS_ERR(mod->args)) {
107633- err = PTR_ERR(mod->args);
107634- goto free_arch_cleanup;
107635- }
107636-
107637 dynamic_debug_setup(info->debug, info->num_debug);
107638
107639 /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */
107640@@ -3550,11 +3736,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
107641 ddebug_cleanup:
107642 dynamic_debug_remove(info->debug);
107643 synchronize_sched();
107644- kfree(mod->args);
107645- free_arch_cleanup:
107646 module_arch_cleanup(mod);
107647 free_modinfo:
107648 free_modinfo(mod);
107649+ kfree(mod->args);
107650 free_unload:
107651 module_unload_free(mod);
107652 unlink_mod:
107653@@ -3568,7 +3753,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
107654 mutex_unlock(&module_mutex);
107655 free_module:
107656 /* Free lock-classes; relies on the preceding sync_rcu() */
107657- lockdep_free_key_range(mod->module_core, mod->core_size);
107658+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
107659+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
107660
107661 module_deallocate(mod, info);
107662 free_copy:
107663@@ -3645,10 +3831,16 @@ static const char *get_ksymbol(struct module *mod,
107664 unsigned long nextval;
107665
107666 /* At worse, next value is at end of module */
107667- if (within_module_init(addr, mod))
107668- nextval = (unsigned long)mod->module_init+mod->init_text_size;
107669+ if (within_module_init_rx(addr, mod))
107670+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
107671+ else if (within_module_init_rw(addr, mod))
107672+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
107673+ else if (within_module_core_rx(addr, mod))
107674+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
107675+ else if (within_module_core_rw(addr, mod))
107676+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
107677 else
107678- nextval = (unsigned long)mod->module_core+mod->core_text_size;
107679+ return NULL;
107680
107681 /* Scan for closest preceding symbol, and next symbol. (ELF
107682 starts real symbols at 1). */
107683@@ -3895,7 +4087,7 @@ static int m_show(struct seq_file *m, void *p)
107684 return 0;
107685
107686 seq_printf(m, "%s %u",
107687- mod->name, mod->init_size + mod->core_size);
107688+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
107689 print_unload_info(m, mod);
107690
107691 /* Informative for users. */
107692@@ -3904,7 +4096,7 @@ static int m_show(struct seq_file *m, void *p)
107693 mod->state == MODULE_STATE_COMING ? "Loading" :
107694 "Live");
107695 /* Used by oprofile and other similar tools. */
107696- seq_printf(m, " 0x%pK", mod->module_core);
107697+ seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
107698
107699 /* Taints info */
107700 if (mod->taints)
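Review bot: Printing two addresses with `" 0x%pK 0x%pK"` adds a column to every `/proc/modules` line, and the existing comment says this field is consumed by oprofile and similar tools; a parser that expects the taint flags or end of line after the first address will misread it. The change deserves a comment at the `seq_printf`, e.g. `/* core RX base, then core RW base */`, and a mention wherever the patch documents user-visible changes. `m_show()` continues outside the hunk.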
107701@@ -3940,7 +4132,17 @@ static const struct file_operations proc_modules_operations = {
107702
107703 static int __init proc_modules_init(void)
107704 {
107705+#ifndef CONFIG_GRKERNSEC_HIDESYM
107706+#ifdef CONFIG_GRKERNSEC_PROC_USER
107707+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
107708+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
107709+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
107710+#else
107711 proc_create("modules", 0, NULL, &proc_modules_operations);
107712+#endif
107713+#else
107714+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
107715+#endif
107716 return 0;
107717 }
107718 module_init(proc_modules_init);
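Review bot: The mode selection in `proc_modules_init()` repeats the `proc_create("modules", …)` call four times across nested `#ifndef`/`#ifdef` blocks, with the `S_IRUSR` case appearing twice. Choosing the mode once (for example a local `umode_t mode` set under the preprocessor conditions) and calling `proc_create` a single time would make it easier to audit which configuration exposes module addresses to which users. A short comment stating that HIDESYM overrides the PROC_USER and PROC_USERGROUP choices would also help, since that precedence is only visible by tracing the nesting.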
107719@@ -4001,7 +4203,8 @@ struct module *__module_address(unsigned long addr)
107720 {
107721 struct module *mod;
107722
107723- if (addr < module_addr_min || addr > module_addr_max)
107724+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
107725+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
107726 return NULL;
107727
107728 module_assert_mutex_or_preempt();
107729@@ -4044,11 +4247,20 @@ bool is_module_text_address(unsigned long addr)
107730 */
107731 struct module *__module_text_address(unsigned long addr)
107732 {
107733- struct module *mod = __module_address(addr);
107734+ struct module *mod;
107735+
107736+#ifdef CONFIG_X86_32
107737+ addr = ktla_ktva(addr);
107738+#endif
107739+
107740+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
107741+ return NULL;
107742+
107743+ mod = __module_address(addr);
107744+
107745 if (mod) {
107746 /* Make sure it's within the text section. */
107747- if (!within(addr, mod->module_init, mod->init_text_size)
107748- && !within(addr, mod->module_core, mod->core_text_size))
107749+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
107750 mod = NULL;
107751 }
107752 return mod;
107753diff --git a/kernel/notifier.c b/kernel/notifier.c
107754index ae9fc7c..5085fbf 100644
107755--- a/kernel/notifier.c
107756+++ b/kernel/notifier.c
107757@@ -5,6 +5,7 @@
107758 #include <linux/rcupdate.h>
107759 #include <linux/vmalloc.h>
107760 #include <linux/reboot.h>
107761+#include <linux/mm.h>
107762
107763 /*
107764 * Notifier list for kernel code which wants to be called
107765@@ -24,10 +25,12 @@ static int notifier_chain_register(struct notifier_block **nl,
107766 while ((*nl) != NULL) {
107767 if (n->priority > (*nl)->priority)
107768 break;
107769- nl = &((*nl)->next);
107770+ nl = (struct notifier_block **)&((*nl)->next);
107771 }
107772- n->next = *nl;
107773+ pax_open_kernel();
107774+ *(const void **)&n->next = *nl;
107775 rcu_assign_pointer(*nl, n);
107776+ pax_close_kernel();
107777 return 0;
107778 }
107779
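Review bot: The casts `(struct notifier_block **)&((*nl)->next)` and `*(const void **)&n->next = *nl` are added without a comment, and the same pattern recurs in `notifier_chain_cond_register()` and `notifier_chain_unregister()` in the next two hunks. They appear to discard a `const` qualifier on `next` (the struct definition is not on this page), which would explain why the stores are wrapped in `pax_open_kernel()`/`pax_close_kernel()`. A comment at the first site, such as `/* notifier blocks may sit in read-only memory; writes to ->next need the kernel opened */`, or a small static helper holding the cast would keep the three sites consistent. The function starts outside the hunk.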
107780@@ -39,10 +42,12 @@ static int notifier_chain_cond_register(struct notifier_block **nl,
107781 return 0;
107782 if (n->priority > (*nl)->priority)
107783 break;
107784- nl = &((*nl)->next);
107785+ nl = (struct notifier_block **)&((*nl)->next);
107786 }
107787- n->next = *nl;
107788+ pax_open_kernel();
107789+ *(const void **)&n->next = *nl;
107790 rcu_assign_pointer(*nl, n);
107791+ pax_close_kernel();
107792 return 0;
107793 }
107794
107795@@ -51,10 +56,12 @@ static int notifier_chain_unregister(struct notifier_block **nl,
107796 {
107797 while ((*nl) != NULL) {
107798 if ((*nl) == n) {
107799+ pax_open_kernel();
107800 rcu_assign_pointer(*nl, n->next);
107801+ pax_close_kernel();
107802 return 0;
107803 }
107804- nl = &((*nl)->next);
107805+ nl = (struct notifier_block **)&((*nl)->next);
107806 }
107807 return -ENOENT;
107808 }
107809diff --git a/kernel/padata.c b/kernel/padata.c
107810index b38bea9..91acfbe 100644
107811--- a/kernel/padata.c
107812+++ b/kernel/padata.c
107813@@ -54,7 +54,7 @@ static int padata_cpu_hash(struct parallel_data *pd)
107814 * seq_nr mod. number of cpus in use.
107815 */
107816
107817- seq_nr = atomic_inc_return(&pd->seq_nr);
107818+ seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
107819 cpu_index = seq_nr % cpumask_weight(pd->cpumask.pcpu);
107820
107821 return padata_index_to_cpu(pd, cpu_index);
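Review bot: The switch to `atomic_inc_return_unchecked()` here, and to `atomic_set_unchecked()` in the next hunk, comes without a comment saying why `seq_nr` is exempt from the checked atomic operations. The value is used only modulo the CPU count on the following line, so wrap-around looks intentional. A one-line comment such as `/* seq_nr is a round-robin counter and is expected to wrap */` would record that, so a later reader does not mistake it for a reference count that lost its overflow protection.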
107822@@ -428,7 +428,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_instance *pinst,
107823 padata_init_pqueues(pd);
107824 padata_init_squeues(pd);
107825 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
107826- atomic_set(&pd->seq_nr, -1);
107827+ atomic_set_unchecked(&pd->seq_nr, -1);
107828 atomic_set(&pd->reorder_objects, 0);
107829 atomic_set(&pd->refcnt, 0);
107830 pd->pinst = pinst;
107831diff --git a/kernel/panic.c b/kernel/panic.c
107832index 04e91ff..2419384 100644
107833--- a/kernel/panic.c
107834+++ b/kernel/panic.c
107835@@ -54,7 +54,7 @@ EXPORT_SYMBOL(panic_blink);
107836 /*
107837 * Stop ourself in panic -- architecture code may override this
107838 */
107839-void __weak panic_smp_self_stop(void)
107840+void __weak __noreturn panic_smp_self_stop(void)
107841 {
107842 while (1)
107843 cpu_relax();
107844@@ -426,7 +426,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
107845 disable_trace_on_warning();
107846
107847 pr_warn("------------[ cut here ]------------\n");
107848- pr_warn("WARNING: CPU: %d PID: %d at %s:%d %pS()\n",
107849+ pr_warn("WARNING: CPU: %d PID: %d at %s:%d %pA()\n",
107850 raw_smp_processor_id(), current->pid, file, line, caller);
107851
107852 if (args)
107853@@ -491,7 +491,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
107854 */
107855 __visible void __stack_chk_fail(void)
107856 {
107857- panic("stack-protector: Kernel stack is corrupted in: %p\n",
107858+ dump_stack();
107859+ panic("stack-protector: Kernel stack is corrupted in: %pA\n",
107860 __builtin_return_address(0));
107861 }
107862 EXPORT_SYMBOL(__stack_chk_fail);
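Review bot: `dump_stack()` is now called in `__stack_chk_fail()` before `panic()`, so the unwinder walks a stack that the canary check has just reported as corrupted. That is extra code running over possibly attacker-influenced data before the system stops, and `panic()` may already print a trace depending on configuration (not visible here). If the trace is wanted, a comment stating the trade-off would help, e.g. `/* best-effort trace; the stack is known to be corrupted at this point */`.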
107863diff --git a/kernel/pid.c b/kernel/pid.c
107864index 4fd07d5..02bce4f 100644
107865--- a/kernel/pid.c
107866+++ b/kernel/pid.c
107867@@ -33,6 +33,7 @@
107868 #include <linux/rculist.h>
107869 #include <linux/bootmem.h>
107870 #include <linux/hash.h>
107871+#include <linux/security.h>
107872 #include <linux/pid_namespace.h>
107873 #include <linux/init_task.h>
107874 #include <linux/syscalls.h>
107875@@ -47,7 +48,7 @@ struct pid init_struct_pid = INIT_STRUCT_PID;
107876
107877 int pid_max = PID_MAX_DEFAULT;
107878
107879-#define RESERVED_PIDS 300
107880+#define RESERVED_PIDS 500
107881
107882 int pid_max_min = RESERVED_PIDS + 1;
107883 int pid_max_max = PID_MAX_LIMIT;
107884@@ -451,10 +452,18 @@ EXPORT_SYMBOL(pid_task);
107885 */
107886 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
107887 {
107888+ struct task_struct *task;
107889+
107890 rcu_lockdep_assert(rcu_read_lock_held(),
107891 "find_task_by_pid_ns() needs rcu_read_lock()"
107892 " protection");
107893- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
107894+
107895+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
107896+
107897+ if (gr_pid_is_chrooted(task))
107898+ return NULL;
107899+
107900+ return task;
107901 }
107902
107903 struct task_struct *find_task_by_vpid(pid_t vnr)
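Review bot: `gr_pid_is_chrooted(task)` is called with whatever `pid_task()` returned, so a lookup of a PID that does not exist passes NULL into the hook. Its definition is not in this hunk; unless it checks for NULL itself, the guard should be `if (task && gr_pid_is_chrooted(task))`. A comment on the function noting that callers can no longer tell "no such task" from "task hidden by chroot policy" would also help.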
107904@@ -462,6 +471,14 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
107905 return find_task_by_pid_ns(vnr, task_active_pid_ns(current));
107906 }
107907
107908+struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
107909+{
107910+ rcu_lockdep_assert(rcu_read_lock_held(),
107911+ "find_task_by_pid_ns() needs rcu_read_lock()"
107912+ " protection");
107913+ return pid_task(find_pid_ns(vnr, task_active_pid_ns(current)), PIDTYPE_PID);
107914+}
107915+
107916 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
107917 {
107918 struct pid *pid;
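Review bot: The `rcu_lockdep_assert()` message in `find_task_by_vpid_unrestricted()` still names `find_task_by_pid_ns()`, so a lockdep report points at the wrong function; the string should start `"find_task_by_vpid_unrestricted() needs rcu_read_lock()"`. The function also skips the `gr_pid_is_chrooted()` filter added to `find_task_by_pid_ns()` in the previous hunk, and it has no comment saying which callers may use it. A short kernel-doc block stating that it bypasses the chroot visibility check, and why, would make misuse easier to spot in review.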
107919diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
107920index a65ba13..f600dbb 100644
107921--- a/kernel/pid_namespace.c
107922+++ b/kernel/pid_namespace.c
107923@@ -274,7 +274,7 @@ static int pid_ns_ctl_handler(struct ctl_table *table, int write,
107924 void __user *buffer, size_t *lenp, loff_t *ppos)
107925 {
107926 struct pid_namespace *pid_ns = task_active_pid_ns(current);
107927- struct ctl_table tmp = *table;
107928+ ctl_table_no_const tmp = *table;
107929
107930 if (write && !ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN))
107931 return -EPERM;
107932diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
107933index 9e30231..75a6d97 100644
107934--- a/kernel/power/Kconfig
107935+++ b/kernel/power/Kconfig
107936@@ -24,6 +24,8 @@ config HIBERNATE_CALLBACKS
107937 config HIBERNATION
107938 bool "Hibernation (aka 'suspend to disk')"
107939 depends on SWAP && ARCH_HIBERNATION_POSSIBLE
107940+ depends on !GRKERNSEC_KMEM
107941+ depends on !PAX_MEMORY_SANITIZE
107942 select HIBERNATE_CALLBACKS
107943 select LZO_COMPRESS
107944 select LZO_DECOMPRESS
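Review bot: The two added `depends on` lines make HIBERNATION disappear from the menu whenever GRKERNSEC_KMEM or PAX_MEMORY_SANITIZE is selected, and nothing in the entry says why. A comment above them, e.g. `# not available with GRKERNSEC_KMEM or PAX_MEMORY_SANITIZE: <reason>`, or a sentence in the option's help text (outside this hunk), would tell a user why suspend-to-disk is missing on a hardened configuration.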
107945diff --git a/kernel/power/process.c b/kernel/power/process.c
107946index 564f786..361a18e 100644
107947--- a/kernel/power/process.c
107948+++ b/kernel/power/process.c
107949@@ -35,6 +35,7 @@ static int try_to_freeze_tasks(bool user_only)
107950 unsigned int elapsed_msecs;
107951 bool wakeup = false;
107952 int sleep_usecs = USEC_PER_MSEC;
107953+ bool timedout = false;
107954
107955 do_gettimeofday(&start);
107956
107957@@ -45,13 +46,20 @@ static int try_to_freeze_tasks(bool user_only)
107958
107959 while (true) {
107960 todo = 0;
107961+ if (time_after(jiffies, end_time))
107962+ timedout = true;
107963 read_lock(&tasklist_lock);
107964 for_each_process_thread(g, p) {
107965 if (p == current || !freeze_task(p))
107966 continue;
107967
107968- if (!freezer_should_skip(p))
107969+ if (!freezer_should_skip(p)) {
107970 todo++;
107971+ if (timedout) {
107972+ printk(KERN_ERR "Task refusing to freeze:\n");
107973+ sched_show_task(p);
107974+ }
107975+ }
107976 }
107977 read_unlock(&tasklist_lock);
107978
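Review bot: `sched_show_task(p)` now runs inside the `for_each_process_thread` walk while `read_lock(&tasklist_lock)` is held, once for every task that has not frozen. With many stuck tasks and a slow console that may keep the lock held for a long time, so printing after `read_unlock()` would be safer, provided the rest of the function (outside this hunk) does not already report these tasks. The deadline is now sampled before the scan, and the `if (!todo || timedout)` test in the next hunk relies on that, so a deadline that expires during the scan is only noticed on the following pass. A comment such as `/* sample the deadline first so the final pass can log stragglers */` would record the intent.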
107979@@ -60,7 +68,7 @@ static int try_to_freeze_tasks(bool user_only)
107980 todo += wq_busy;
107981 }
107982
107983- if (!todo || time_after(jiffies, end_time))
107984+ if (!todo || timedout)
107985 break;
107986
107987 if (pm_wakeup_pending()) {
107988diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
107989index cf8c242..84e7843 100644
107990--- a/kernel/printk/printk.c
107991+++ b/kernel/printk/printk.c
107992@@ -475,7 +475,7 @@ static int log_store(int facility, int level,
107993 return msg->text_len;
107994 }
107995
107996-int dmesg_restrict = IS_ENABLED(CONFIG_SECURITY_DMESG_RESTRICT);
107997+int dmesg_restrict __read_only = IS_ENABLED(CONFIG_SECURITY_DMESG_RESTRICT);
107998
107999 static int syslog_action_restricted(int type)
108000 {
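Review bot: `dmesg_restrict` is marked `__read_only` here, but this variable is normally also changed at run time through a sysctl entry, and that entry is not part of this hunk. Confirm that the write path uses a handler able to store to read-only kernel data; otherwise a write to the sysctl may fault. A comment on the declaration, e.g. `/* __read_only: written only through the sysctl handler */`, would record the dependency.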
108001@@ -498,6 +498,11 @@ int check_syslog_permissions(int type, int source)
108002 if (source == SYSLOG_FROM_PROC && type != SYSLOG_ACTION_OPEN)
108003 goto ok;
108004
108005+#ifdef CONFIG_GRKERNSEC_DMESG
108006+ if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
108007+ return -EPERM;
108008+#endif
108009+
108010 if (syslog_action_restricted(type)) {
108011 if (capable(CAP_SYSLOG))
108012 goto ok;
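Review bot: The `CONFIG_GRKERNSEC_DMESG` test sits after the `SYSLOG_FROM_PROC` shortcut and before `syslog_action_restricted()`, so it applies to every remaining action type rather than only the ones that function restricts, and it does not apply to proc requests other than the open. That ordering is the policy and deserves a comment, e.g. `/* grsec: every syslog action needs CAP_SYSLOG or CAP_SYS_ADMIN, not only the restricted ones */`. The test also mixes `capable()` and `capable_nolog()`; if the asymmetry is deliberate, presumably to control which denials get logged, the comment should say so. `check_syslog_permissions()` continues outside the hunk.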
108013diff --git a/kernel/profile.c b/kernel/profile.c
108014index a7bcd28..5b368fa 100644
108015--- a/kernel/profile.c
108016+++ b/kernel/profile.c
108017@@ -37,7 +37,7 @@ struct profile_hit {
108018 #define NR_PROFILE_HIT (PAGE_SIZE/sizeof(struct profile_hit))
108019 #define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ)
108020
108021-static atomic_t *prof_buffer;
108022+static atomic_unchecked_t *prof_buffer;
108023 static unsigned long prof_len, prof_shift;
108024
108025 int prof_on __read_mostly;
108026@@ -256,7 +256,7 @@ static void profile_flip_buffers(void)
108027 hits[i].pc = 0;
108028 continue;
108029 }
108030- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
108031+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
108032 hits[i].hits = hits[i].pc = 0;
108033 }
108034 }
108035@@ -317,9 +317,9 @@ static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
108036 * Add the current hit(s) and flush the write-queue out
108037 * to the global buffer:
108038 */
108039- atomic_add(nr_hits, &prof_buffer[pc]);
108040+ atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
108041 for (i = 0; i < NR_PROFILE_HIT; ++i) {
108042- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
108043+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
108044 hits[i].pc = hits[i].hits = 0;
108045 }
108046 out:
108047@@ -394,7 +394,7 @@ static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
108048 {
108049 unsigned long pc;
108050 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
108051- atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
108052+ atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
108053 }
108054 #endif /* !CONFIG_SMP */
108055
108056@@ -489,7 +489,7 @@ read_profile(struct file *file, char __user *buf, size_t count, loff_t *ppos)
108057 return -EFAULT;
108058 buf++; p++; count--; read++;
108059 }
108060- pnt = (char *)prof_buffer + p - sizeof(atomic_t);
108061+ pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
108062 if (copy_to_user(buf, (void *)pnt, count))
108063 return -EFAULT;
108064 read += count;
108065@@ -520,7 +520,7 @@ static ssize_t write_profile(struct file *file, const char __user *buf,
108066 }
108067 #endif
108068 profile_discard_flip_buffers();
108069- memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
108070+ memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
108071 return count;
108072 }
108073
108074diff --git a/kernel/ptrace.c b/kernel/ptrace.c
108075index c8e0e05..2be5614 100644
108076--- a/kernel/ptrace.c
108077+++ b/kernel/ptrace.c
108078@@ -321,7 +321,7 @@ static int ptrace_attach(struct task_struct *task, long request,
108079 if (seize)
108080 flags |= PT_SEIZED;
108081 rcu_read_lock();
108082- if (ns_capable(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
108083+ if (ns_capable_nolog(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
108084 flags |= PT_PTRACE_CAP;
108085 rcu_read_unlock();
108086 task->ptrace = flags;
108087@@ -514,7 +514,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
108088 break;
108089 return -EIO;
108090 }
108091- if (copy_to_user(dst, buf, retval))
108092+ if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
108093 return -EFAULT;
108094 copied += retval;
108095 src += retval;
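Review bot: The added `retval > sizeof(buf)` test bounds the `copy_to_user()` length by the size of the local buffer, but nothing says so, and the declarations of `retval` and `buf` are outside this hunk. If `retval` is a signed int, the comparison works through the implicit conversion to `size_t`, which also rejects a negative value. A comment such as `/* defensive: never copy out more than buf holds */` would mark that as intended rather than accidental. The body of `ptrace_readdata()` continues outside the hunk.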
108096@@ -802,7 +802,7 @@ int ptrace_request(struct task_struct *child, long request,
108097 bool seized = child->ptrace & PT_SEIZED;
108098 int ret = -EIO;
108099 siginfo_t siginfo, *si;
108100- void __user *datavp = (void __user *) data;
108101+ void __user *datavp = (__force void __user *) data;
108102 unsigned long __user *datalp = datavp;
108103 unsigned long flags;
108104
108105@@ -1048,14 +1048,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
108106 goto out;
108107 }
108108
108109+ if (gr_handle_ptrace(child, request)) {
108110+ ret = -EPERM;
108111+ goto out_put_task_struct;
108112+ }
108113+
108114 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
108115 ret = ptrace_attach(child, request, addr, data);
108116 /*
108117 * Some architectures need to do book-keeping after
108118 * a ptrace attach.
108119 */
108120- if (!ret)
108121+ if (!ret) {
108122 arch_ptrace_attach(child);
108123+ gr_audit_ptrace(child);
108124+ }
108125 goto out_put_task_struct;
108126 }
108127
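Review bot: The `gr_handle_ptrace()` gate and the `gr_audit_ptrace()` call are added twice with identical text, here and in the `COMPAT_SYSCALL_DEFINE4(ptrace, …)` hunk further down, so a later change to one entry point can miss the other. A small static helper shared by both would remove that risk; failing that, a comment at each site such as `/* keep in sync with the compat ptrace entry point */` would help. The gate runs before `ptrace_attach()`, so it covers attach and seize as well as later requests, while only a successful attach is audited here. Whether denied attempts are logged depends on `gr_handle_ptrace()`, which is not visible in this hunk.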
108128@@ -1083,7 +1090,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
108129 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
108130 if (copied != sizeof(tmp))
108131 return -EIO;
108132- return put_user(tmp, (unsigned long __user *)data);
108133+ return put_user(tmp, (__force unsigned long __user *)data);
108134 }
108135
108136 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
108137@@ -1176,7 +1183,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
108138 }
108139
108140 COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
108141- compat_long_t, addr, compat_long_t, data)
108142+ compat_ulong_t, addr, compat_ulong_t, data)
108143 {
108144 struct task_struct *child;
108145 long ret;
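Review bot: Changing `addr` and `data` from `compat_long_t` to `compat_ulong_t` changes how the 32-bit values widen when they are passed on to the native helpers (zero extension instead of sign extension), and nothing in the hunk records that this is the purpose. A comment above the definition, e.g. `/* addr/data are user addresses: take them unsigned so they are not sign-extended */`, would keep someone from restoring the original types. `request` and `pid` stay `compat_long_t`, which looks deliberate. The function body continues outside the hunk.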
108146@@ -1192,14 +1199,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
108147 goto out;
108148 }
108149
108150+ if (gr_handle_ptrace(child, request)) {
108151+ ret = -EPERM;
108152+ goto out_put_task_struct;
108153+ }
108154+
108155 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
108156 ret = ptrace_attach(child, request, addr, data);
108157 /*
108158 * Some architectures need to do book-keeping after
108159 * a ptrace attach.
108160 */
108161- if (!ret)
108162+ if (!ret) {
108163 arch_ptrace_attach(child);
108164+ gr_audit_ptrace(child);
108165+ }
108166 goto out_put_task_struct;
108167 }
108168
108169diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
108170index 59e32684..d2eb3d9 100644
108171--- a/kernel/rcu/rcutorture.c
108172+++ b/kernel/rcu/rcutorture.c
108173@@ -134,12 +134,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1],
108174 rcu_torture_count) = { 0 };
108175 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1],
108176 rcu_torture_batch) = { 0 };
108177-static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
108178-static atomic_t n_rcu_torture_alloc;
108179-static atomic_t n_rcu_torture_alloc_fail;
108180-static atomic_t n_rcu_torture_free;
108181-static atomic_t n_rcu_torture_mberror;
108182-static atomic_t n_rcu_torture_error;
108183+static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
108184+static atomic_unchecked_t n_rcu_torture_alloc;
108185+static atomic_unchecked_t n_rcu_torture_alloc_fail;
108186+static atomic_unchecked_t n_rcu_torture_free;
108187+static atomic_unchecked_t n_rcu_torture_mberror;
108188+static atomic_unchecked_t n_rcu_torture_error;
108189 static long n_rcu_torture_barrier_error;
108190 static long n_rcu_torture_boost_ktrerror;
108191 static long n_rcu_torture_boost_rterror;
108192@@ -148,7 +148,7 @@ static long n_rcu_torture_boosts;
108193 static long n_rcu_torture_timers;
108194 static long n_barrier_attempts;
108195 static long n_barrier_successes;
108196-static atomic_long_t n_cbfloods;
108197+static atomic_long_unchecked_t n_cbfloods;
108198 static struct list_head rcu_torture_removed;
108199
108200 static int rcu_torture_writer_state;
108201@@ -211,11 +211,11 @@ rcu_torture_alloc(void)
108202
108203 spin_lock_bh(&rcu_torture_lock);
108204 if (list_empty(&rcu_torture_freelist)) {
108205- atomic_inc(&n_rcu_torture_alloc_fail);
108206+ atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
108207 spin_unlock_bh(&rcu_torture_lock);
108208 return NULL;
108209 }
108210- atomic_inc(&n_rcu_torture_alloc);
108211+ atomic_inc_unchecked(&n_rcu_torture_alloc);
108212 p = rcu_torture_freelist.next;
108213 list_del_init(p);
108214 spin_unlock_bh(&rcu_torture_lock);
108215@@ -228,7 +228,7 @@ rcu_torture_alloc(void)
108216 static void
108217 rcu_torture_free(struct rcu_torture *p)
108218 {
108219- atomic_inc(&n_rcu_torture_free);
108220+ atomic_inc_unchecked(&n_rcu_torture_free);
108221 spin_lock_bh(&rcu_torture_lock);
108222 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
108223 spin_unlock_bh(&rcu_torture_lock);
108224@@ -309,7 +309,7 @@ rcu_torture_pipe_update_one(struct rcu_torture *rp)
108225 i = rp->rtort_pipe_count;
108226 if (i > RCU_TORTURE_PIPE_LEN)
108227 i = RCU_TORTURE_PIPE_LEN;
108228- atomic_inc(&rcu_torture_wcount[i]);
108229+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
108230 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
108231 rp->rtort_mbtest = 0;
108232 return true;
108233@@ -830,7 +830,7 @@ rcu_torture_cbflood(void *arg)
108234 VERBOSE_TOROUT_STRING("rcu_torture_cbflood task started");
108235 do {
108236 schedule_timeout_interruptible(cbflood_inter_holdoff);
108237- atomic_long_inc(&n_cbfloods);
108238+ atomic_long_inc_unchecked(&n_cbfloods);
108239 WARN_ON(signal_pending(current));
108240 for (i = 0; i < cbflood_n_burst; i++) {
108241 for (j = 0; j < cbflood_n_per_burst; j++) {
108242@@ -957,7 +957,7 @@ rcu_torture_writer(void *arg)
108243 i = old_rp->rtort_pipe_count;
108244 if (i > RCU_TORTURE_PIPE_LEN)
108245 i = RCU_TORTURE_PIPE_LEN;
108246- atomic_inc(&rcu_torture_wcount[i]);
108247+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
108248 old_rp->rtort_pipe_count++;
108249 switch (synctype[torture_random(&rand) % nsynctypes]) {
108250 case RTWS_DEF_FREE:
108251@@ -1095,7 +1095,7 @@ static void rcu_torture_timer(unsigned long unused)
108252 return;
108253 }
108254 if (p->rtort_mbtest == 0)
108255- atomic_inc(&n_rcu_torture_mberror);
108256+ atomic_inc_unchecked(&n_rcu_torture_mberror);
108257 spin_lock(&rand_lock);
108258 cur_ops->read_delay(&rand);
108259 n_rcu_torture_timers++;
108260@@ -1170,7 +1170,7 @@ rcu_torture_reader(void *arg)
108261 continue;
108262 }
108263 if (p->rtort_mbtest == 0)
108264- atomic_inc(&n_rcu_torture_mberror);
108265+ atomic_inc_unchecked(&n_rcu_torture_mberror);
108266 cur_ops->read_delay(&rand);
108267 preempt_disable();
108268 pipe_count = p->rtort_pipe_count;
108269@@ -1239,11 +1239,11 @@ rcu_torture_stats_print(void)
108270 rcu_torture_current,
108271 rcu_torture_current_version,
108272 list_empty(&rcu_torture_freelist),
108273- atomic_read(&n_rcu_torture_alloc),
108274- atomic_read(&n_rcu_torture_alloc_fail),
108275- atomic_read(&n_rcu_torture_free));
108276+ atomic_read_unchecked(&n_rcu_torture_alloc),
108277+ atomic_read_unchecked(&n_rcu_torture_alloc_fail),
108278+ atomic_read_unchecked(&n_rcu_torture_free));
108279 pr_cont("rtmbe: %d rtbke: %ld rtbre: %ld ",
108280- atomic_read(&n_rcu_torture_mberror),
108281+ atomic_read_unchecked(&n_rcu_torture_mberror),
108282 n_rcu_torture_boost_ktrerror,
108283 n_rcu_torture_boost_rterror);
108284 pr_cont("rtbf: %ld rtb: %ld nt: %ld ",
108285@@ -1255,17 +1255,17 @@ rcu_torture_stats_print(void)
108286 n_barrier_successes,
108287 n_barrier_attempts,
108288 n_rcu_torture_barrier_error);
108289- pr_cont("cbflood: %ld\n", atomic_long_read(&n_cbfloods));
108290+ pr_cont("cbflood: %ld\n", atomic_long_read_unchecked(&n_cbfloods));
108291
108292 pr_alert("%s%s ", torture_type, TORTURE_FLAG);
108293- if (atomic_read(&n_rcu_torture_mberror) != 0 ||
108294+ if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
108295 n_rcu_torture_barrier_error != 0 ||
108296 n_rcu_torture_boost_ktrerror != 0 ||
108297 n_rcu_torture_boost_rterror != 0 ||
108298 n_rcu_torture_boost_failure != 0 ||
108299 i > 1) {
108300 pr_cont("%s", "!!! ");
108301- atomic_inc(&n_rcu_torture_error);
108302+ atomic_inc_unchecked(&n_rcu_torture_error);
108303 WARN_ON_ONCE(1);
108304 }
108305 pr_cont("Reader Pipe: ");
108306@@ -1282,7 +1282,7 @@ rcu_torture_stats_print(void)
108307 pr_alert("%s%s ", torture_type, TORTURE_FLAG);
108308 pr_cont("Free-Block Circulation: ");
108309 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
108310- pr_cont(" %d", atomic_read(&rcu_torture_wcount[i]));
108311+ pr_cont(" %d", atomic_read_unchecked(&rcu_torture_wcount[i]));
108312 }
108313 pr_cont("\n");
108314
108315@@ -1636,7 +1636,7 @@ rcu_torture_cleanup(void)
108316
108317 rcu_torture_stats_print(); /* -After- the stats thread is stopped! */
108318
108319- if (atomic_read(&n_rcu_torture_error) || n_rcu_torture_barrier_error)
108320+ if (atomic_read_unchecked(&n_rcu_torture_error) || n_rcu_torture_barrier_error)
108321 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
108322 else if (torture_onoff_failures())
108323 rcu_torture_print_module_parms(cur_ops,
108324@@ -1761,18 +1761,18 @@ rcu_torture_init(void)
108325
108326 rcu_torture_current = NULL;
108327 rcu_torture_current_version = 0;
108328- atomic_set(&n_rcu_torture_alloc, 0);
108329- atomic_set(&n_rcu_torture_alloc_fail, 0);
108330- atomic_set(&n_rcu_torture_free, 0);
108331- atomic_set(&n_rcu_torture_mberror, 0);
108332- atomic_set(&n_rcu_torture_error, 0);
108333+ atomic_set_unchecked(&n_rcu_torture_alloc, 0);
108334+ atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
108335+ atomic_set_unchecked(&n_rcu_torture_free, 0);
108336+ atomic_set_unchecked(&n_rcu_torture_mberror, 0);
108337+ atomic_set_unchecked(&n_rcu_torture_error, 0);
108338 n_rcu_torture_barrier_error = 0;
108339 n_rcu_torture_boost_ktrerror = 0;
108340 n_rcu_torture_boost_rterror = 0;
108341 n_rcu_torture_boost_failure = 0;
108342 n_rcu_torture_boosts = 0;
108343 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
108344- atomic_set(&rcu_torture_wcount[i], 0);
108345+ atomic_set_unchecked(&rcu_torture_wcount[i], 0);
108346 for_each_possible_cpu(cpu) {
108347 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
108348 per_cpu(rcu_torture_count, cpu)[i] = 0;
108349diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
108350index c291bd6..8a01679 100644
108351--- a/kernel/rcu/tiny.c
108352+++ b/kernel/rcu/tiny.c
108353@@ -42,7 +42,7 @@
108354 /* Forward declarations for tiny_plugin.h. */
108355 struct rcu_ctrlblk;
108356 static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp);
108357-static void rcu_process_callbacks(struct softirq_action *unused);
108358+static void rcu_process_callbacks(void);
108359 static void __call_rcu(struct rcu_head *head,
108360 void (*func)(struct rcu_head *rcu),
108361 struct rcu_ctrlblk *rcp);
108362@@ -170,7 +170,7 @@ static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp)
108363 false));
108364 }
108365
108366-static void rcu_process_callbacks(struct softirq_action *unused)
108367+static __latent_entropy void rcu_process_callbacks(void)
108368 {
108369 __rcu_process_callbacks(&rcu_sched_ctrlblk);
108370 __rcu_process_callbacks(&rcu_bh_ctrlblk);
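Review bot: `rcu_process_callbacks()` gains `__latent_entropy` here, but the same-named handler in the kernel/rcu/tree.c hunk (`static void rcu_process_callbacks(void)`) receives only the signature change. If the annotation is wanted on the RCU softirq handler, both variants should carry it; if the difference is intended, a comment should say why. Both hunks also drop the `struct softirq_action *` parameter, so the registration of the handler, which is outside these hunks, has to match the new prototype.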
108371diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
108372index 65137bc..775d7ad 100644
108373--- a/kernel/rcu/tree.c
108374+++ b/kernel/rcu/tree.c
108375@@ -326,7 +326,7 @@ static void rcu_momentary_dyntick_idle(void)
108376 */
108377 rdtp = this_cpu_ptr(&rcu_dynticks);
108378 smp_mb__before_atomic(); /* Earlier stuff before QS. */
108379- atomic_add(2, &rdtp->dynticks); /* QS. */
108380+ atomic_add_unchecked(2, &rdtp->dynticks); /* QS. */
108381 smp_mb__after_atomic(); /* Later stuff after QS. */
108382 break;
108383 }
108384@@ -639,10 +639,10 @@ static void rcu_eqs_enter_common(long long oldval, bool user)
108385 rcu_prepare_for_idle();
108386 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
108387 smp_mb__before_atomic(); /* See above. */
108388- atomic_inc(&rdtp->dynticks);
108389+ atomic_inc_unchecked(&rdtp->dynticks);
108390 smp_mb__after_atomic(); /* Force ordering with next sojourn. */
108391 WARN_ON_ONCE(IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
108392- atomic_read(&rdtp->dynticks) & 0x1);
108393+ atomic_read_unchecked(&rdtp->dynticks) & 0x1);
108394 rcu_dynticks_task_enter();
108395
108396 /*
108397@@ -765,11 +765,11 @@ static void rcu_eqs_exit_common(long long oldval, int user)
108398
108399 rcu_dynticks_task_exit();
108400 smp_mb__before_atomic(); /* Force ordering w/previous sojourn. */
108401- atomic_inc(&rdtp->dynticks);
108402+ atomic_inc_unchecked(&rdtp->dynticks);
108403 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
108404 smp_mb__after_atomic(); /* See above. */
108405 WARN_ON_ONCE(IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
108406- !(atomic_read(&rdtp->dynticks) & 0x1));
108407+ !(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
108408 rcu_cleanup_after_idle();
108409 trace_rcu_dyntick(TPS("End"), oldval, rdtp->dynticks_nesting);
108410 if (IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
108411@@ -905,12 +905,12 @@ void rcu_nmi_enter(void)
108412 * to be in the outermost NMI handler that interrupted an RCU-idle
108413 * period (observation due to Andy Lutomirski).
108414 */
108415- if (!(atomic_read(&rdtp->dynticks) & 0x1)) {
108416+ if (!(atomic_read_unchecked(&rdtp->dynticks) & 0x1)) {
108417 smp_mb__before_atomic(); /* Force delay from prior write. */
108418- atomic_inc(&rdtp->dynticks);
108419+ atomic_inc_unchecked(&rdtp->dynticks);
108420 /* atomic_inc() before later RCU read-side crit sects */
108421 smp_mb__after_atomic(); /* See above. */
108422- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
108423+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
108424 incby = 1;
108425 }
108426 rdtp->dynticks_nmi_nesting += incby;
108427@@ -935,7 +935,7 @@ void rcu_nmi_exit(void)
108428 * to us!)
108429 */
108430 WARN_ON_ONCE(rdtp->dynticks_nmi_nesting <= 0);
108431- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
108432+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
108433
108434 /*
108435 * If the nesting level is not 1, the CPU wasn't RCU-idle, so
108436@@ -950,9 +950,9 @@ void rcu_nmi_exit(void)
108437 rdtp->dynticks_nmi_nesting = 0;
108438 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
108439 smp_mb__before_atomic(); /* See above. */
108440- atomic_inc(&rdtp->dynticks);
108441+ atomic_inc_unchecked(&rdtp->dynticks);
108442 smp_mb__after_atomic(); /* Force delay to next write. */
108443- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
108444+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
108445 }
108446
108447 /**
108448@@ -965,7 +965,7 @@ void rcu_nmi_exit(void)
108449 */
108450 bool notrace __rcu_is_watching(void)
108451 {
108452- return atomic_read(this_cpu_ptr(&rcu_dynticks.dynticks)) & 0x1;
108453+ return atomic_read_unchecked(this_cpu_ptr(&rcu_dynticks.dynticks)) & 0x1;
108454 }
108455
108456 /**
108457@@ -1048,7 +1048,7 @@ static int rcu_is_cpu_rrupt_from_idle(void)
108458 static int dyntick_save_progress_counter(struct rcu_data *rdp,
108459 bool *isidle, unsigned long *maxj)
108460 {
108461- rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
108462+ rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
108463 rcu_sysidle_check_cpu(rdp, isidle, maxj);
108464 if ((rdp->dynticks_snap & 0x1) == 0) {
108465 trace_rcu_fqs(rdp->rsp->name, rdp->gpnum, rdp->cpu, TPS("dti"));
108466@@ -1074,7 +1074,7 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp,
108467 int *rcrmp;
108468 unsigned int snap;
108469
108470- curr = (unsigned int)atomic_add_return(0, &rdp->dynticks->dynticks);
108471+ curr = (unsigned int)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
108472 snap = (unsigned int)rdp->dynticks_snap;
108473
108474 /*
108475@@ -2895,7 +2895,7 @@ __rcu_process_callbacks(struct rcu_state *rsp)
108476 /*
108477 * Do RCU core processing for the current CPU.
108478 */
108479-static void rcu_process_callbacks(struct softirq_action *unused)
108480+static void rcu_process_callbacks(void)
108481 {
108482 struct rcu_state *rsp;
108483
108484@@ -3319,11 +3319,11 @@ void synchronize_sched_expedited(void)
108485 * counter wrap on a 32-bit system. Quite a few more CPUs would of
108486 * course be required on a 64-bit system.
108487 */
108488- if (ULONG_CMP_GE((ulong)atomic_long_read(&rsp->expedited_start),
108489+ if (ULONG_CMP_GE((ulong)atomic_long_read_unchecked(&rsp->expedited_start),
108490 (ulong)atomic_long_read(&rsp->expedited_done) +
108491 ULONG_MAX / 8)) {
108492 wait_rcu_gp(call_rcu_sched);
108493- atomic_long_inc(&rsp->expedited_wrap);
108494+ atomic_long_inc_return_unchecked(&rsp->expedited_wrap);
108495 return;
108496 }
108497
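Review bot: `expedited_wrap` is bumped with `atomic_long_inc_return_unchecked()` and the result is discarded, while the other statistics counters in this function are converted to `atomic_long_inc_unchecked()` (for example `expedited_normal` in the next hunk). The original was a plain `atomic_long_inc()`, and the comment in the next hunk notes that the value-returning form implies a full memory barrier, so this reads as a typo that adds ordering nobody asked for. Suggest `atomic_long_inc_unchecked(&rsp->expedited_wrap);`. `synchronize_sched_expedited()` starts and ends outside this hunk.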
108498@@ -3331,12 +3331,12 @@ void synchronize_sched_expedited(void)
108499 * Take a ticket. Note that atomic_inc_return() implies a
108500 * full memory barrier.
108501 */
108502- snap = atomic_long_inc_return(&rsp->expedited_start);
108503+ snap = atomic_long_inc_return_unchecked(&rsp->expedited_start);
108504 firstsnap = snap;
108505 if (!try_get_online_cpus()) {
108506 /* CPU hotplug operation in flight, fall back to normal GP. */
108507 wait_rcu_gp(call_rcu_sched);
108508- atomic_long_inc(&rsp->expedited_normal);
108509+ atomic_long_inc_unchecked(&rsp->expedited_normal);
108510 return;
108511 }
108512 WARN_ON_ONCE(cpu_is_offline(raw_smp_processor_id()));
108513@@ -3349,7 +3349,7 @@ void synchronize_sched_expedited(void)
108514 for_each_cpu(cpu, cm) {
108515 struct rcu_dynticks *rdtp = &per_cpu(rcu_dynticks, cpu);
108516
108517- if (!(atomic_add_return(0, &rdtp->dynticks) & 0x1))
108518+ if (!(atomic_add_return_unchecked(0, &rdtp->dynticks) & 0x1))
108519 cpumask_clear_cpu(cpu, cm);
108520 }
108521 if (cpumask_weight(cm) == 0)
108522@@ -3364,14 +3364,14 @@ void synchronize_sched_expedited(void)
108523 synchronize_sched_expedited_cpu_stop,
108524 NULL) == -EAGAIN) {
108525 put_online_cpus();
108526- atomic_long_inc(&rsp->expedited_tryfail);
108527+ atomic_long_inc_unchecked(&rsp->expedited_tryfail);
108528
108529 /* Check to see if someone else did our work for us. */
108530 s = atomic_long_read(&rsp->expedited_done);
108531 if (ULONG_CMP_GE((ulong)s, (ulong)firstsnap)) {
108532 /* ensure test happens before caller kfree */
108533 smp_mb__before_atomic(); /* ^^^ */
108534- atomic_long_inc(&rsp->expedited_workdone1);
108535+ atomic_long_inc_unchecked(&rsp->expedited_workdone1);
108536 free_cpumask_var(cm);
108537 return;
108538 }
108539@@ -3381,7 +3381,7 @@ void synchronize_sched_expedited(void)
108540 udelay(trycount * num_online_cpus());
108541 } else {
108542 wait_rcu_gp(call_rcu_sched);
108543- atomic_long_inc(&rsp->expedited_normal);
108544+ atomic_long_inc_unchecked(&rsp->expedited_normal);
108545 free_cpumask_var(cm);
108546 return;
108547 }
108548@@ -3391,7 +3391,7 @@ void synchronize_sched_expedited(void)
108549 if (ULONG_CMP_GE((ulong)s, (ulong)firstsnap)) {
108550 /* ensure test happens before caller kfree */
108551 smp_mb__before_atomic(); /* ^^^ */
108552- atomic_long_inc(&rsp->expedited_workdone2);
108553+ atomic_long_inc_unchecked(&rsp->expedited_workdone2);
108554 free_cpumask_var(cm);
108555 return;
108556 }
108557@@ -3406,14 +3406,14 @@ void synchronize_sched_expedited(void)
108558 if (!try_get_online_cpus()) {
108559 /* CPU hotplug operation in flight, use normal GP. */
108560 wait_rcu_gp(call_rcu_sched);
108561- atomic_long_inc(&rsp->expedited_normal);
108562+ atomic_long_inc_unchecked(&rsp->expedited_normal);
108563 free_cpumask_var(cm);
108564 return;
108565 }
108566- snap = atomic_long_read(&rsp->expedited_start);
108567+ snap = atomic_long_read_unchecked(&rsp->expedited_start);
108568 smp_mb(); /* ensure read is before try_stop_cpus(). */
108569 }
108570- atomic_long_inc(&rsp->expedited_stoppedcpus);
108571+ atomic_long_inc_unchecked(&rsp->expedited_stoppedcpus);
108572
108573 all_cpus_idle:
108574 free_cpumask_var(cm);
108575@@ -3425,16 +3425,16 @@ all_cpus_idle:
108576 * than we did already did their update.
108577 */
108578 do {
108579- atomic_long_inc(&rsp->expedited_done_tries);
108580+ atomic_long_inc_unchecked(&rsp->expedited_done_tries);
108581 s = atomic_long_read(&rsp->expedited_done);
108582 if (ULONG_CMP_GE((ulong)s, (ulong)snap)) {
108583 /* ensure test happens before caller kfree */
108584 smp_mb__before_atomic(); /* ^^^ */
108585- atomic_long_inc(&rsp->expedited_done_lost);
108586+ atomic_long_inc_unchecked(&rsp->expedited_done_lost);
108587 break;
108588 }
108589 } while (atomic_long_cmpxchg(&rsp->expedited_done, s, snap) != s);
108590- atomic_long_inc(&rsp->expedited_done_exit);
108591+ atomic_long_inc_unchecked(&rsp->expedited_done_exit);
108592
108593 put_online_cpus();
108594 }
108595@@ -3767,7 +3767,7 @@ rcu_boot_init_percpu_data(int cpu, struct rcu_state *rsp)
108596 rdp->grpmask = 1UL << (cpu - rdp->mynode->grplo);
108597 rdp->dynticks = &per_cpu(rcu_dynticks, cpu);
108598 WARN_ON_ONCE(rdp->dynticks->dynticks_nesting != DYNTICK_TASK_EXIT_IDLE);
108599- WARN_ON_ONCE(atomic_read(&rdp->dynticks->dynticks) != 1);
108600+ WARN_ON_ONCE(atomic_read_unchecked(&rdp->dynticks->dynticks) != 1);
108601 rdp->cpu = cpu;
108602 rdp->rsp = rsp;
108603 rcu_boot_init_nocb_percpu_data(rdp);
108604@@ -3798,8 +3798,8 @@ rcu_init_percpu_data(int cpu, struct rcu_state *rsp)
108605 init_callback_list(rdp); /* Re-enable callbacks on this CPU. */
108606 rdp->dynticks->dynticks_nesting = DYNTICK_TASK_EXIT_IDLE;
108607 rcu_sysidle_init_percpu_data(rdp->dynticks);
108608- atomic_set(&rdp->dynticks->dynticks,
108609- (atomic_read(&rdp->dynticks->dynticks) & ~0x1) + 1);
108610+ atomic_set_unchecked(&rdp->dynticks->dynticks,
108611+ (atomic_read_unchecked(&rdp->dynticks->dynticks) & ~0x1) + 1);
108612 raw_spin_unlock(&rnp->lock); /* irqs remain disabled. */
108613
108614 /*
108615diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h
108616index 4adb7ca..20910e6 100644
108617--- a/kernel/rcu/tree.h
108618+++ b/kernel/rcu/tree.h
108619@@ -108,11 +108,11 @@ struct rcu_dynticks {
108620 long long dynticks_nesting; /* Track irq/process nesting level. */
108621 /* Process level is worth LLONG_MAX/2. */
108622 int dynticks_nmi_nesting; /* Track NMI nesting level. */
108623- atomic_t dynticks; /* Even value for idle, else odd. */
108624+ atomic_unchecked_t dynticks;/* Even value for idle, else odd. */
108625 #ifdef CONFIG_NO_HZ_FULL_SYSIDLE
108626 long long dynticks_idle_nesting;
108627 /* irq/process nesting level from idle. */
108628- atomic_t dynticks_idle; /* Even value for idle, else odd. */
108629+ atomic_unchecked_t dynticks_idle;/* Even value for idle, else odd. */
108630 /* "Idle" excludes userspace execution. */
108631 unsigned long dynticks_idle_jiffies;
108632 /* End of last non-NMI non-idle period. */
108633@@ -483,17 +483,17 @@ struct rcu_state {
108634 /* _rcu_barrier(). */
108635 /* End of fields guarded by barrier_mutex. */
108636
108637- atomic_long_t expedited_start; /* Starting ticket. */
108638- atomic_long_t expedited_done; /* Done ticket. */
108639- atomic_long_t expedited_wrap; /* # near-wrap incidents. */
108640- atomic_long_t expedited_tryfail; /* # acquisition failures. */
108641- atomic_long_t expedited_workdone1; /* # done by others #1. */
108642- atomic_long_t expedited_workdone2; /* # done by others #2. */
108643- atomic_long_t expedited_normal; /* # fallbacks to normal. */
108644- atomic_long_t expedited_stoppedcpus; /* # successful stop_cpus. */
108645- atomic_long_t expedited_done_tries; /* # tries to update _done. */
108646- atomic_long_t expedited_done_lost; /* # times beaten to _done. */
108647- atomic_long_t expedited_done_exit; /* # times exited _done loop. */
108648+ atomic_long_unchecked_t expedited_start; /* Starting ticket. */
108649+ atomic_long_t expedited_done; /* Done ticket. */
108650+ atomic_long_unchecked_t expedited_wrap; /* # near-wrap incidents. */
108651+ atomic_long_unchecked_t expedited_tryfail; /* # acquisition failures. */
108652+ atomic_long_unchecked_t expedited_workdone1; /* # done by others #1. */
108653+ atomic_long_unchecked_t expedited_workdone2; /* # done by others #2. */
108654+ atomic_long_unchecked_t expedited_normal; /* # fallbacks to normal. */
108655+ atomic_long_unchecked_t expedited_stoppedcpus; /* # successful stop_cpus. */
108656+ atomic_long_unchecked_t expedited_done_tries; /* # tries to update _done. */
108657+ atomic_long_unchecked_t expedited_done_lost; /* # times beaten to _done. */
108658+ atomic_long_unchecked_t expedited_done_exit; /* # times exited _done loop. */
108659
108660 unsigned long jiffies_force_qs; /* Time at which to invoke */
108661 /* force_quiescent_state(). */
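Review bot: `expedited_done` is the only counter in this group left as `atomic_long_t`, and the struct gives no hint that this is deliberate. In the kernel/rcu/tree.c hunks it is only read with `atomic_long_read()` and updated with `atomic_long_cmpxchg()`, never incremented, which is presumably the reason. A trailing note such as `/* Done ticket (cmpxchg only, stays checked). */` would keep a later mass conversion from touching it.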
108662diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
108663index 013485f..2e678db 100644
108664--- a/kernel/rcu/tree_plugin.h
108665+++ b/kernel/rcu/tree_plugin.h
108666@@ -1294,7 +1294,7 @@ static void rcu_boost_kthread_setaffinity(struct rcu_node *rnp, int outgoingcpu)
108667 free_cpumask_var(cm);
108668 }
108669
108670-static struct smp_hotplug_thread rcu_cpu_thread_spec = {
108671+static struct smp_hotplug_thread rcu_cpu_thread_spec __read_only = {
108672 .store = &rcu_cpu_kthread_task,
108673 .thread_should_run = rcu_cpu_kthread_should_run,
108674 .thread_fn = rcu_cpu_kthread,
108675@@ -1767,7 +1767,7 @@ static void print_cpu_stall_info(struct rcu_state *rsp, int cpu)
108676 print_cpu_stall_fast_no_hz(fast_no_hz, cpu);
108677 pr_err("\t%d: (%lu %s) idle=%03x/%llx/%d softirq=%u/%u fqs=%ld %s\n",
108678 cpu, ticks_value, ticks_title,
108679- atomic_read(&rdtp->dynticks) & 0xfff,
108680+ atomic_read_unchecked(&rdtp->dynticks) & 0xfff,
108681 rdtp->dynticks_nesting, rdtp->dynticks_nmi_nesting,
108682 rdp->softirq_snap, kstat_softirqs_cpu(RCU_SOFTIRQ, cpu),
108683 READ_ONCE(rsp->n_force_qs) - rsp->n_force_qs_gpstart,
108684@@ -2675,9 +2675,9 @@ static void rcu_sysidle_enter(int irq)
108685 j = jiffies;
108686 WRITE_ONCE(rdtp->dynticks_idle_jiffies, j);
108687 smp_mb__before_atomic();
108688- atomic_inc(&rdtp->dynticks_idle);
108689+ atomic_inc_unchecked(&rdtp->dynticks_idle);
108690 smp_mb__after_atomic();
108691- WARN_ON_ONCE(atomic_read(&rdtp->dynticks_idle) & 0x1);
108692+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks_idle) & 0x1);
108693 }
108694
108695 /*
108696@@ -2748,9 +2748,9 @@ static void rcu_sysidle_exit(int irq)
108697
108698 /* Record end of idle period. */
108699 smp_mb__before_atomic();
108700- atomic_inc(&rdtp->dynticks_idle);
108701+ atomic_inc_unchecked(&rdtp->dynticks_idle);
108702 smp_mb__after_atomic();
108703- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks_idle) & 0x1));
108704+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks_idle) & 0x1));
108705
108706 /*
108707 * If we are the timekeeping CPU, we are permitted to be non-idle
108708@@ -2796,7 +2796,7 @@ static void rcu_sysidle_check_cpu(struct rcu_data *rdp, bool *isidle,
108709 WARN_ON_ONCE(smp_processor_id() != tick_do_timer_cpu);
108710
108711 /* Pick up current idle and NMI-nesting counter and check. */
108712- cur = atomic_read(&rdtp->dynticks_idle);
108713+ cur = atomic_read_unchecked(&rdtp->dynticks_idle);
108714 if (cur & 0x1) {
108715 *isidle = false; /* We are not idle! */
108716 return;
108717diff --git a/kernel/rcu/tree_trace.c b/kernel/rcu/tree_trace.c
108718index 3ea7ffc..cb06f2d 100644
108719--- a/kernel/rcu/tree_trace.c
108720+++ b/kernel/rcu/tree_trace.c
108721@@ -125,7 +125,7 @@ static void print_one_rcu_data(struct seq_file *m, struct rcu_data *rdp)
108722 rdp->rcu_qs_ctr_snap == per_cpu(rcu_qs_ctr, rdp->cpu),
108723 rdp->qs_pending);
108724 seq_printf(m, " dt=%d/%llx/%d df=%lu",
108725- atomic_read(&rdp->dynticks->dynticks),
108726+ atomic_read_unchecked(&rdp->dynticks->dynticks),
108727 rdp->dynticks->dynticks_nesting,
108728 rdp->dynticks->dynticks_nmi_nesting,
108729 rdp->dynticks_fqs);
108730@@ -186,17 +186,17 @@ static int show_rcuexp(struct seq_file *m, void *v)
108731 struct rcu_state *rsp = (struct rcu_state *)m->private;
108732
108733 seq_printf(m, "s=%lu d=%lu w=%lu tf=%lu wd1=%lu wd2=%lu n=%lu sc=%lu dt=%lu dl=%lu dx=%lu\n",
108734- atomic_long_read(&rsp->expedited_start),
108735+ atomic_long_read_unchecked(&rsp->expedited_start),
108736 atomic_long_read(&rsp->expedited_done),
108737- atomic_long_read(&rsp->expedited_wrap),
108738- atomic_long_read(&rsp->expedited_tryfail),
108739- atomic_long_read(&rsp->expedited_workdone1),
108740- atomic_long_read(&rsp->expedited_workdone2),
108741- atomic_long_read(&rsp->expedited_normal),
108742- atomic_long_read(&rsp->expedited_stoppedcpus),
108743- atomic_long_read(&rsp->expedited_done_tries),
108744- atomic_long_read(&rsp->expedited_done_lost),
108745- atomic_long_read(&rsp->expedited_done_exit));
108746+ atomic_long_read_unchecked(&rsp->expedited_wrap),
108747+ atomic_long_read_unchecked(&rsp->expedited_tryfail),
108748+ atomic_long_read_unchecked(&rsp->expedited_workdone1),
108749+ atomic_long_read_unchecked(&rsp->expedited_workdone2),
108750+ atomic_long_read_unchecked(&rsp->expedited_normal),
108751+ atomic_long_read_unchecked(&rsp->expedited_stoppedcpus),
108752+ atomic_long_read_unchecked(&rsp->expedited_done_tries),
108753+ atomic_long_read_unchecked(&rsp->expedited_done_lost),
108754+ atomic_long_read_unchecked(&rsp->expedited_done_exit));
108755 return 0;
108756 }
108757
108758diff --git a/kernel/resource.c b/kernel/resource.c
108759index fed052a..ad13346 100644
108760--- a/kernel/resource.c
108761+++ b/kernel/resource.c
108762@@ -162,8 +162,18 @@ static const struct file_operations proc_iomem_operations = {
108763
108764 static int __init ioresources_init(void)
108765 {
108766+#ifdef CONFIG_GRKERNSEC_PROC_ADD
108767+#ifdef CONFIG_GRKERNSEC_PROC_USER
108768+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
108769+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
108770+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
108771+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
108772+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
108773+#endif
108774+#else
108775 proc_create("ioports", 0, NULL, &proc_ioports_operations);
108776 proc_create("iomem", 0, NULL, &proc_iomem_operations);
108777+#endif
108778 return 0;
108779 }
108780 __initcall(ioresources_init);
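Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP`, the inner `#ifdef`/`#elif` in `ioresources_init()` has no fallback arm, so `ioports` and `iomem` are silently not created. Kconfig presumably rules that combination out, but nothing in this hunk says so; an inner `#else` carrying `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` would turn the assumption into a build-time check. The return value of `proc_create()` is also still ignored on every arm.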
108781diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
108782index 750ed60..eb01466 100644
108783--- a/kernel/sched/auto_group.c
108784+++ b/kernel/sched/auto_group.c
108785@@ -9,7 +9,7 @@
108786
108787 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
108788 static struct autogroup autogroup_default;
108789-static atomic_t autogroup_seq_nr;
108790+static atomic_unchecked_t autogroup_seq_nr;
108791
108792 void __init autogroup_init(struct task_struct *init_task)
108793 {
108794@@ -77,7 +77,7 @@ static inline struct autogroup *autogroup_create(void)
108795
108796 kref_init(&ag->kref);
108797 init_rwsem(&ag->lock);
108798- ag->id = atomic_inc_return(&autogroup_seq_nr);
108799+ ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
108800 ag->tg = tg;
108801 #ifdef CONFIG_RT_GROUP_SCHED
108802 /*
108803diff --git a/kernel/sched/completion.c b/kernel/sched/completion.c
108804index 8d0f35d..c16360d 100644
108805--- a/kernel/sched/completion.c
108806+++ b/kernel/sched/completion.c
108807@@ -205,7 +205,7 @@ EXPORT_SYMBOL(wait_for_completion_interruptible);
108808 * Return: -ERESTARTSYS if interrupted, 0 if timed out, positive (at least 1,
108809 * or number of jiffies left till timeout) if completed.
108810 */
108811-long __sched
108812+long __sched __intentional_overflow(-1)
108813 wait_for_completion_interruptible_timeout(struct completion *x,
108814 unsigned long timeout)
108815 {
108816@@ -222,7 +222,7 @@ EXPORT_SYMBOL(wait_for_completion_interruptible_timeout);
108817 *
108818 * Return: -ERESTARTSYS if interrupted, 0 if completed.
108819 */
108820-int __sched wait_for_completion_killable(struct completion *x)
108821+int __sched __intentional_overflow(-1) wait_for_completion_killable(struct completion *x)
108822 {
108823 long t = wait_for_common(x, MAX_SCHEDULE_TIMEOUT, TASK_KILLABLE);
108824 if (t == -ERESTARTSYS)
108825@@ -243,7 +243,7 @@ EXPORT_SYMBOL(wait_for_completion_killable);
108826 * Return: -ERESTARTSYS if interrupted, 0 if timed out, positive (at least 1,
108827 * or number of jiffies left till timeout) if completed.
108828 */
108829-long __sched
108830+long __sched __intentional_overflow(-1)
108831 wait_for_completion_killable_timeout(struct completion *x,
108832 unsigned long timeout)
108833 {
108834diff --git a/kernel/sched/core.c b/kernel/sched/core.c
108835index e967343..5064e2f 100644
108836--- a/kernel/sched/core.c
108837+++ b/kernel/sched/core.c
108838@@ -2080,7 +2080,7 @@ void set_numabalancing_state(bool enabled)
108839 int sysctl_numa_balancing(struct ctl_table *table, int write,
108840 void __user *buffer, size_t *lenp, loff_t *ppos)
108841 {
108842- struct ctl_table t;
108843+ ctl_table_no_const t;
108844 int err;
108845 int state = numabalancing_enabled;
108846
108847@@ -2573,8 +2573,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
108848 next->active_mm = oldmm;
108849 atomic_inc(&oldmm->mm_count);
108850 enter_lazy_tlb(oldmm, next);
108851- } else
108852+ } else {
108853 switch_mm(oldmm, mm, next);
108854+ populate_stack();
108855+ }
108856
108857 if (!prev->mm) {
108858 prev->active_mm = NULL;
108859@@ -3386,6 +3388,8 @@ int can_nice(const struct task_struct *p, const int nice)
108860 /* convert nice value [19,-20] to rlimit style value [1,40] */
108861 int nice_rlim = nice_to_rlimit(nice);
108862
108863+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
108864+
108865 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
108866 capable(CAP_SYS_NICE));
108867 }
108868@@ -3412,7 +3416,8 @@ SYSCALL_DEFINE1(nice, int, increment)
108869 nice = task_nice(current) + increment;
108870
108871 nice = clamp_val(nice, MIN_NICE, MAX_NICE);
108872- if (increment < 0 && !can_nice(current, nice))
108873+ if (increment < 0 && (!can_nice(current, nice) ||
108874+ gr_handle_chroot_nice()))
108875 return -EPERM;
108876
108877 retval = security_task_setnice(current, nice);
108878@@ -3724,6 +3729,7 @@ recheck:
108879 if (policy != p->policy && !rlim_rtprio)
108880 return -EPERM;
108881
108882+ gr_learn_resource(p, RLIMIT_RTPRIO, attr->sched_priority, 1);
108883 /* can't increase priority */
108884 if (attr->sched_priority > p->rt_priority &&
108885 attr->sched_priority > rlim_rtprio)
108886@@ -5048,6 +5054,7 @@ void idle_task_exit(void)
108887
108888 if (mm != &init_mm) {
108889 switch_mm(mm, &init_mm, current);
108890+ populate_stack();
108891 finish_arch_post_lock_switch();
108892 }
108893 mmdrop(mm);
108894@@ -5150,7 +5157,7 @@ static void migrate_tasks(struct rq *dead_rq)
108895
108896 #if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
108897
108898-static struct ctl_table sd_ctl_dir[] = {
108899+static ctl_table_no_const sd_ctl_dir[] __read_only = {
108900 {
108901 .procname = "sched_domain",
108902 .mode = 0555,
108903@@ -5167,17 +5174,17 @@ static struct ctl_table sd_ctl_root[] = {
108904 {}
108905 };
108906
108907-static struct ctl_table *sd_alloc_ctl_entry(int n)
108908+static ctl_table_no_const *sd_alloc_ctl_entry(int n)
108909 {
108910- struct ctl_table *entry =
108911+ ctl_table_no_const *entry =
108912 kcalloc(n, sizeof(struct ctl_table), GFP_KERNEL);
108913
108914 return entry;
108915 }
108916
108917-static void sd_free_ctl_entry(struct ctl_table **tablep)
108918+static void sd_free_ctl_entry(ctl_table_no_const *tablep)
108919 {
108920- struct ctl_table *entry;
108921+ ctl_table_no_const *entry;
108922
108923 /*
108924 * In the intermediate directories, both the child directory and
108925@@ -5185,22 +5192,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
108926 * will always be set. In the lowest directory the names are
108927 * static strings and all have proc handlers.
108928 */
108929- for (entry = *tablep; entry->mode; entry++) {
108930- if (entry->child)
108931- sd_free_ctl_entry(&entry->child);
108932+ for (entry = tablep; entry->mode; entry++) {
108933+ if (entry->child) {
108934+ sd_free_ctl_entry(entry->child);
108935+ pax_open_kernel();
108936+ entry->child = NULL;
108937+ pax_close_kernel();
108938+ }
108939 if (entry->proc_handler == NULL)
108940 kfree(entry->procname);
108941 }
108942
108943- kfree(*tablep);
108944- *tablep = NULL;
108945+ kfree(tablep);
108946 }
108947
108948 static int min_load_idx = 0;
108949 static int max_load_idx = CPU_LOAD_IDX_MAX-1;
108950
108951 static void
108952-set_table_entry(struct ctl_table *entry,
108953+set_table_entry(ctl_table_no_const *entry,
108954 const char *procname, void *data, int maxlen,
108955 umode_t mode, proc_handler *proc_handler,
108956 bool load_idx)
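Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `entry->child = NULL` in `sd_free_ctl_entry()` looks unnecessary. `entry` walks a table that the previous hunk allocates with `kcalloc()`, and that same table is released by `kfree(tablep)` right after the loop, so the store goes to ordinary heap memory that is about to be freed. If that reading holds (the pointer is a `ctl_table_no_const *`, which presumably allows a direct write), dropping the store, or at least the open/close pair, keeps the lifted write protection limited to the `sd_ctl_dir[0].child` updates, which do target a `__read_only` object.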
108957@@ -5220,7 +5230,7 @@ set_table_entry(struct ctl_table *entry,
108958 static struct ctl_table *
108959 sd_alloc_ctl_domain_table(struct sched_domain *sd)
108960 {
108961- struct ctl_table *table = sd_alloc_ctl_entry(14);
108962+ ctl_table_no_const *table = sd_alloc_ctl_entry(14);
108963
108964 if (table == NULL)
108965 return NULL;
108966@@ -5258,9 +5268,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
108967 return table;
108968 }
108969
108970-static struct ctl_table *sd_alloc_ctl_cpu_table(int cpu)
108971+static ctl_table_no_const *sd_alloc_ctl_cpu_table(int cpu)
108972 {
108973- struct ctl_table *entry, *table;
108974+ ctl_table_no_const *entry, *table;
108975 struct sched_domain *sd;
108976 int domain_num = 0, i;
108977 char buf[32];
108978@@ -5287,11 +5297,13 @@ static struct ctl_table_header *sd_sysctl_header;
108979 static void register_sched_domain_sysctl(void)
108980 {
108981 int i, cpu_num = num_possible_cpus();
108982- struct ctl_table *entry = sd_alloc_ctl_entry(cpu_num + 1);
108983+ ctl_table_no_const *entry = sd_alloc_ctl_entry(cpu_num + 1);
108984 char buf[32];
108985
108986 WARN_ON(sd_ctl_dir[0].child);
108987+ pax_open_kernel();
108988 sd_ctl_dir[0].child = entry;
108989+ pax_close_kernel();
108990
108991 if (entry == NULL)
108992 return;
108993@@ -5314,8 +5326,12 @@ static void unregister_sched_domain_sysctl(void)
108994 if (sd_sysctl_header)
108995 unregister_sysctl_table(sd_sysctl_header);
108996 sd_sysctl_header = NULL;
108997- if (sd_ctl_dir[0].child)
108998- sd_free_ctl_entry(&sd_ctl_dir[0].child);
108999+ if (sd_ctl_dir[0].child) {
109000+ sd_free_ctl_entry(sd_ctl_dir[0].child);
109001+ pax_open_kernel();
109002+ sd_ctl_dir[0].child = NULL;
109003+ pax_close_kernel();
109004+ }
109005 }
109006 #else
109007 static void register_sched_domain_sysctl(void)
109008diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
109009index d113c3b..91a6fcc 100644
109010--- a/kernel/sched/fair.c
109011+++ b/kernel/sched/fair.c
109012@@ -7958,7 +7958,7 @@ static void nohz_idle_balance(struct rq *this_rq, enum cpu_idle_type idle) { }
109013 * run_rebalance_domains is triggered when needed from the scheduler tick.
109014 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
109015 */
109016-static void run_rebalance_domains(struct softirq_action *h)
109017+static __latent_entropy void run_rebalance_domains(void)
109018 {
109019 struct rq *this_rq = this_rq();
109020 enum cpu_idle_type idle = this_rq->idle_balance ?
109021diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
109022index 84d4879..cf3ed33 100644
109023--- a/kernel/sched/sched.h
109024+++ b/kernel/sched/sched.h
109025@@ -1241,7 +1241,7 @@ struct sched_class {
109026 #ifdef CONFIG_FAIR_GROUP_SCHED
109027 void (*task_move_group) (struct task_struct *p, int on_rq);
109028 #endif
109029-};
109030+} __do_const;
109031
109032 static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
109033 {
109034diff --git a/kernel/signal.c b/kernel/signal.c
109035index 0f6bbbe..d77d2c3 100644
109036--- a/kernel/signal.c
109037+++ b/kernel/signal.c
109038@@ -53,12 +53,12 @@ static struct kmem_cache *sigqueue_cachep;
109039
109040 int print_fatal_signals __read_mostly;
109041
109042-static void __user *sig_handler(struct task_struct *t, int sig)
109043+static __sighandler_t sig_handler(struct task_struct *t, int sig)
109044 {
109045 return t->sighand->action[sig - 1].sa.sa_handler;
109046 }
109047
109048-static int sig_handler_ignored(void __user *handler, int sig)
109049+static int sig_handler_ignored(__sighandler_t handler, int sig)
109050 {
109051 /* Is it explicitly or implicitly ignored? */
109052 return handler == SIG_IGN ||
109053@@ -67,7 +67,7 @@ static int sig_handler_ignored(void __user *handler, int sig)
109054
109055 static int sig_task_ignored(struct task_struct *t, int sig, bool force)
109056 {
109057- void __user *handler;
109058+ __sighandler_t handler;
109059
109060 handler = sig_handler(t, sig);
109061
109062@@ -372,6 +372,9 @@ __sigqueue_alloc(int sig, struct task_struct *t, gfp_t flags, int override_rlimi
109063 atomic_inc(&user->sigpending);
109064 rcu_read_unlock();
109065
109066+ if (!override_rlimit)
109067+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
109068+
109069 if (override_rlimit ||
109070 atomic_read(&user->sigpending) <=
109071 task_rlimit(t, RLIMIT_SIGPENDING)) {
109072@@ -494,7 +497,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
109073
109074 int unhandled_signal(struct task_struct *tsk, int sig)
109075 {
109076- void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
109077+ __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
109078 if (is_global_init(tsk))
109079 return 1;
109080 if (handler != SIG_IGN && handler != SIG_DFL)
109081@@ -788,6 +791,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
109082 }
109083 }
109084
109085+ /* allow glibc communication via tgkill to other threads in our
109086+ thread group */
109087+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
109088+ sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
109089+ && gr_handle_signal(t, sig))
109090+ return -EPERM;
109091+
109092 return security_task_kill(t, info, sig, 0);
109093 }
109094
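Review bot: The tgkill exemption dereferences `info->si_code` and `info->si_pid` after ruling out only `SEND_SIG_NOINFO`, so it relies on code above the hunk having already returned for the other special `SEND_SIG_*` values. Writing the first term as `is_si_special(info) || info->si_code != SI_TKILL ||` (the helper the `force_sig_info` hunk in this file already uses) would make that explicit. The bare `SIGRTMIN+1` is repeated, with the condition inverted, in the `do_send_specific` hunk further down; a named constant or a small static predicate shared by both would keep the two copies from drifting apart. `check_kill_permission()` begins outside this hunk.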
109095@@ -1171,7 +1181,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
109096 return send_signal(sig, info, p, 1);
109097 }
109098
109099-static int
109100+int
109101 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109102 {
109103 return send_signal(sig, info, t, 0);
109104@@ -1208,6 +1218,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109105 unsigned long int flags;
109106 int ret, blocked, ignored;
109107 struct k_sigaction *action;
109108+ int is_unhandled = 0;
109109
109110 spin_lock_irqsave(&t->sighand->siglock, flags);
109111 action = &t->sighand->action[sig-1];
109112@@ -1222,9 +1233,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109113 }
109114 if (action->sa.sa_handler == SIG_DFL)
109115 t->signal->flags &= ~SIGNAL_UNKILLABLE;
109116+ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
109117+ is_unhandled = 1;
109118 ret = specific_send_sig_info(sig, info, t);
109119 spin_unlock_irqrestore(&t->sighand->siglock, flags);
109120
109121+ /* only deal with unhandled signals, java etc trigger SIGSEGV during
109122+ normal operation */
109123+ if (is_unhandled) {
109124+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
109125+ gr_handle_crash(t, sig);
109126+ }
109127+
109128 return ret;
109129 }
109130
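Review bot: `gr_log_signal()` and `gr_handle_crash()` run whenever the handler was `SIG_IGN` or `SIG_DFL`, regardless of `ret`, while the `group_send_sig_info` hunk below logs only when `ret` is 0. If a failed `specific_send_sig_info()` should not be logged or counted as a crash, the guard should read `if (is_unhandled && !ret) {`; if it should, a short comment saying so would explain the difference. Both calls also happen after `spin_unlock_irqrestore()`, so they see `t` without `siglock` held, which is worth confirming against what those helpers expect. `force_sig_info()` starts outside this hunk.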
109131@@ -1305,8 +1325,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
109132 ret = check_kill_permission(sig, info, p);
109133 rcu_read_unlock();
109134
109135- if (!ret && sig)
109136+ if (!ret && sig) {
109137 ret = do_send_sig_info(sig, info, p, true);
109138+ if (!ret)
109139+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
109140+ }
109141
109142 return ret;
109143 }
109144@@ -2913,7 +2936,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
109145 int error = -ESRCH;
109146
109147 rcu_read_lock();
109148- p = find_task_by_vpid(pid);
109149+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
109150+ /* allow glibc communication via tgkill to other threads in our
109151+ thread group */
109152+ if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
109153+ sig == (SIGRTMIN+1) && tgid == info->si_pid)
109154+ p = find_task_by_vpid_unrestricted(pid);
109155+ else
109156+#endif
109157+ p = find_task_by_vpid(pid);
109158 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
109159 error = check_kill_permission(sig, info, p);
109160 /*
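Review bot: The `else` on the line before `#endif` binds to the `p = find_task_by_vpid(pid);` that follows the conditional block, so the `#ifdef` region does not hold complete statements. A line later inserted after `#endif` would silently become the `else` body. Giving the region its own `#else` arm with a second `p = find_task_by_vpid(pid);`, or bracing both branches inside the `#ifdef`, avoids that. The added test also reads `info->si_code` and `info->si_pid` unconditionally, which assumes callers never pass a special `SEND_SIG_*` value here; a one-line comment stating that would help. `do_send_specific()` continues past the end of the hunk.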
109161@@ -3242,8 +3273,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
109162 }
109163 seg = get_fs();
109164 set_fs(KERNEL_DS);
109165- ret = do_sigaltstack((stack_t __force __user *) (uss_ptr ? &uss : NULL),
109166- (stack_t __force __user *) &uoss,
109167+ ret = do_sigaltstack((stack_t __force_user *) (uss_ptr ? &uss : NULL),
109168+ (stack_t __force_user *) &uoss,
109169 compat_user_stack_pointer());
109170 set_fs(seg);
109171 if (ret >= 0 && uoss_ptr) {
109172diff --git a/kernel/smpboot.c b/kernel/smpboot.c
109173index 7c434c3..155d90a 100644
109174--- a/kernel/smpboot.c
109175+++ b/kernel/smpboot.c
109176@@ -305,7 +305,7 @@ int smpboot_register_percpu_thread(struct smp_hotplug_thread *plug_thread)
109177 }
109178 smpboot_unpark_thread(plug_thread, cpu);
109179 }
109180- list_add(&plug_thread->list, &hotplug_threads);
109181+ pax_list_add(&plug_thread->list, &hotplug_threads);
109182 out:
109183 mutex_unlock(&smpboot_threads_lock);
109184 put_online_cpus();
109185@@ -323,7 +323,7 @@ void smpboot_unregister_percpu_thread(struct smp_hotplug_thread *plug_thread)
109186 {
109187 get_online_cpus();
109188 mutex_lock(&smpboot_threads_lock);
109189- list_del(&plug_thread->list);
109190+ pax_list_del(&plug_thread->list);
109191 smpboot_destroy_threads(plug_thread);
109192 mutex_unlock(&smpboot_threads_lock);
109193 put_online_cpus();
109194diff --git a/kernel/softirq.c b/kernel/softirq.c
109195index 479e443..66d845e1 100644
109196--- a/kernel/softirq.c
109197+++ b/kernel/softirq.c
109198@@ -53,7 +53,7 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
109199 EXPORT_SYMBOL(irq_stat);
109200 #endif
109201
109202-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
109203+static struct softirq_action softirq_vec[NR_SOFTIRQS] __read_only __aligned(PAGE_SIZE);
109204
109205 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
109206
109207@@ -270,7 +270,7 @@ restart:
109208 kstat_incr_softirqs_this_cpu(vec_nr);
109209
109210 trace_softirq_entry(vec_nr);
109211- h->action(h);
109212+ h->action();
109213 trace_softirq_exit(vec_nr);
109214 if (unlikely(prev_count != preempt_count())) {
109215 pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
109216@@ -430,7 +430,7 @@ void __raise_softirq_irqoff(unsigned int nr)
109217 or_softirq_pending(1UL << nr);
109218 }
109219
109220-void open_softirq(int nr, void (*action)(struct softirq_action *))
109221+void __init open_softirq(int nr, void (*action)(void))
109222 {
109223 softirq_vec[nr].action = action;
109224 }
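Review bot: `open_softirq()` gains `__init` without a comment, and the reason can only be inferred from the first hunk of this file, where `softirq_vec` becomes `__read_only`. The store `softirq_vec[nr].action = action` presumably has to happen before that section is write-protected. A comment such as `/* softirq_vec is __read_only; handlers may only be registered from __init code */` above the function would document the new constraint for callers. `nr` is still used as an index without a range check against `NR_SOFTIRQS`.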
109225@@ -482,7 +482,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
109226 }
109227 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
109228
109229-static void tasklet_action(struct softirq_action *a)
109230+static void tasklet_action(void)
109231 {
109232 struct tasklet_struct *list;
109233
109234@@ -518,7 +518,7 @@ static void tasklet_action(struct softirq_action *a)
109235 }
109236 }
109237
109238-static void tasklet_hi_action(struct softirq_action *a)
109239+static __latent_entropy void tasklet_hi_action(void)
109240 {
109241 struct tasklet_struct *list;
109242
109243@@ -744,7 +744,7 @@ static struct notifier_block cpu_nfb = {
109244 .notifier_call = cpu_callback
109245 };
109246
109247-static struct smp_hotplug_thread softirq_threads = {
109248+static struct smp_hotplug_thread softirq_threads __read_only = {
109249 .store = &ksoftirqd,
109250 .thread_should_run = ksoftirqd_should_run,
109251 .thread_fn = run_ksoftirqd,
109252diff --git a/kernel/sys.c b/kernel/sys.c
109253index 259fda2..e824a93 100644
109254--- a/kernel/sys.c
109255+++ b/kernel/sys.c
109256@@ -160,6 +160,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
109257 error = -EACCES;
109258 goto out;
109259 }
109260+
109261+ if (gr_handle_chroot_setpriority(p, niceval)) {
109262+ error = -EACCES;
109263+ goto out;
109264+ }
109265+
109266 no_nice = security_task_setnice(p, niceval);
109267 if (no_nice) {
109268 error = no_nice;
109269@@ -366,6 +372,20 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
109270 goto error;
109271 }
109272
109273+ if (gr_check_group_change(new->gid, new->egid, INVALID_GID))
109274+ goto error;
109275+
109276+ if (!gid_eq(new->gid, old->gid)) {
109277+ /* make sure we generate a learn log for what will
109278+ end up being a role transition after a full-learning
109279+ policy is generated
109280+ CAP_SETGID is required to perform a transition
109281+ we may not log a CAP_SETGID check above, e.g.
109282+ in the case where new rgid = old egid
109283+ */
109284+ gr_learn_cap(current, new, CAP_SETGID);
109285+ }
109286+
109287 if (rgid != (gid_t) -1 ||
109288 (egid != (gid_t) -1 && !gid_eq(kegid, old->gid)))
109289 new->sgid = new->egid;
109290@@ -401,6 +421,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
109291 old = current_cred();
109292
109293 retval = -EPERM;
109294+
109295+ if (gr_check_group_change(kgid, kgid, kgid))
109296+ goto error;
109297+
109298 if (ns_capable(old->user_ns, CAP_SETGID))
109299 new->gid = new->egid = new->sgid = new->fsgid = kgid;
109300 else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
109301@@ -418,7 +442,7 @@ error:
109302 /*
109303 * change the user struct in a credentials set to match the new UID
109304 */
109305-static int set_user(struct cred *new)
109306+int set_user(struct cred *new)
109307 {
109308 struct user_struct *new_user;
109309
109310@@ -498,7 +522,18 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
109311 goto error;
109312 }
109313
109314+ if (gr_check_user_change(new->uid, new->euid, INVALID_UID))
109315+ goto error;
109316+
109317 if (!uid_eq(new->uid, old->uid)) {
109318+ /* make sure we generate a learn log for what will
109319+ end up being a role transition after a full-learning
109320+ policy is generated
109321+ CAP_SETUID is required to perform a transition
109322+ we may not log a CAP_SETUID check above, e.g.
109323+ in the case where new ruid = old euid
109324+ */
109325+ gr_learn_cap(current, new, CAP_SETUID);
109326 retval = set_user(new);
109327 if (retval < 0)
109328 goto error;
109329@@ -548,6 +583,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
109330 old = current_cred();
109331
109332 retval = -EPERM;
109333+
109334+ if (gr_check_crash_uid(kuid))
109335+ goto error;
109336+ if (gr_check_user_change(kuid, kuid, kuid))
109337+ goto error;
109338+
109339 if (ns_capable(old->user_ns, CAP_SETUID)) {
109340 new->suid = new->uid = kuid;
109341 if (!uid_eq(kuid, old->uid)) {
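Review bot: `gr_check_crash_uid(kuid)` is added only to `setuid()`; the `setreuid`, `setresuid` and `setfsuid` hunks in this file add `gr_check_user_change()` but no crash-uid check. Whether `gr_check_user_change()` already covers that case is not visible here, so either a matching call in those syscalls or a comment stating why the other paths are exempt would make the intended coverage auditable. Both new checks also run before `ns_capable()`, so a caller that would be refused anyway still passes through them; that is fine if it is wanted for logging, but worth stating.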
109342@@ -617,6 +658,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
109343 goto error;
109344 }
109345
109346+ if (gr_check_user_change(kruid, keuid, INVALID_UID))
109347+ goto error;
109348+
109349 if (ruid != (uid_t) -1) {
109350 new->uid = kruid;
109351 if (!uid_eq(kruid, old->uid)) {
109352@@ -701,6 +745,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
109353 goto error;
109354 }
109355
109356+ if (gr_check_group_change(krgid, kegid, INVALID_GID))
109357+ goto error;
109358+
109359 if (rgid != (gid_t) -1)
109360 new->gid = krgid;
109361 if (egid != (gid_t) -1)
109362@@ -765,12 +812,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
109363 uid_eq(kuid, old->suid) || uid_eq(kuid, old->fsuid) ||
109364 ns_capable(old->user_ns, CAP_SETUID)) {
109365 if (!uid_eq(kuid, old->fsuid)) {
109366+ if (gr_check_user_change(INVALID_UID, INVALID_UID, kuid))
109367+ goto error;
109368+
109369 new->fsuid = kuid;
109370 if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0)
109371 goto change_okay;
109372 }
109373 }
109374
109375+error:
109376 abort_creds(new);
109377 return old_fsuid;
109378
109379@@ -803,12 +854,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
109380 if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) ||
109381 gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||
109382 ns_capable(old->user_ns, CAP_SETGID)) {
109383+ if (gr_check_group_change(INVALID_GID, INVALID_GID, kgid))
109384+ goto error;
109385+
109386 if (!gid_eq(kgid, old->fsgid)) {
109387 new->fsgid = kgid;
109388 goto change_okay;
109389 }
109390 }
109391
109392+error:
109393 abort_creds(new);
109394 return old_fsgid;
109395
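Review bot: `gr_check_group_change()` sits outside the `!gid_eq(kgid, old->fsgid)` test here, whereas the `setfsuid` hunk above places `gr_check_user_change()` inside the matching `!uid_eq(kuid, old->fsuid)` test. A `setfsgid()` call that changes nothing is therefore still run through the policy check, while the equivalent `setfsuid()` call is not. Unless the difference is intended, move the two added lines inside `if (!gid_eq(kgid, old->fsgid)) {` so both syscalls behave the same; if it is intended, a comment should say why.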
109396@@ -1187,19 +1242,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
109397 return -EFAULT;
109398
109399 down_read(&uts_sem);
109400- error = __copy_to_user(&name->sysname, &utsname()->sysname,
109401+ error = __copy_to_user(name->sysname, &utsname()->sysname,
109402 __OLD_UTS_LEN);
109403 error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
109404- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
109405+ error |= __copy_to_user(name->nodename, &utsname()->nodename,
109406 __OLD_UTS_LEN);
109407 error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
109408- error |= __copy_to_user(&name->release, &utsname()->release,
109409+ error |= __copy_to_user(name->release, &utsname()->release,
109410 __OLD_UTS_LEN);
109411 error |= __put_user(0, name->release + __OLD_UTS_LEN);
109412- error |= __copy_to_user(&name->version, &utsname()->version,
109413+ error |= __copy_to_user(name->version, &utsname()->version,
109414 __OLD_UTS_LEN);
109415 error |= __put_user(0, name->version + __OLD_UTS_LEN);
109416- error |= __copy_to_user(&name->machine, &utsname()->machine,
109417+ error |= __copy_to_user(name->machine, &utsname()->machine,
109418 __OLD_UTS_LEN);
109419 error |= __put_user(0, name->machine + __OLD_UTS_LEN);
109420 up_read(&uts_sem);
109421@@ -1400,6 +1455,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
109422 */
109423 new_rlim->rlim_cur = 1;
109424 }
109425+ /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
109426+ is changed to a lower value. Since tasks can be created by the same
109427+ user in between this limit change and an execve by this task, force
109428+ a recheck only for this task by setting PF_NPROC_EXCEEDED
109429+ */
109430+ if (resource == RLIMIT_NPROC && tsk->real_cred->user != INIT_USER)
109431+ tsk->flags |= PF_NPROC_EXCEEDED;
109432 }
109433 if (!retval) {
109434 if (old_rlim)
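Review bot: `tsk->flags |= PF_NPROC_EXCEEDED;` is a plain read-modify-write on the flags of `tsk`, which `do_prlimit()` receives as a parameter and which therefore may not be `current`. If the target task updates its own flags concurrently, one of the updates can be lost. Unless a lock taken outside this hunk serialises that, consider restricting the store to `tsk == current` or documenting what protects it. The comment also speaks of the limit being "changed to a lower value", but the condition tests only `resource == RLIMIT_NPROC` and the user, so the flag is set on any change; `/* set on every RLIMIT_NPROC change to force the recheck */` would match the code if that is the intent. The function begins and ends outside the hunk.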
109435diff --git a/kernel/sysctl.c b/kernel/sysctl.c
109436index 19b62b5..74cc287 100644
109437--- a/kernel/sysctl.c
109438+++ b/kernel/sysctl.c
109439@@ -94,7 +94,6 @@
109440 #endif
109441
109442 #if defined(CONFIG_SYSCTL)
109443-
109444 /* External variables not in a header file. */
109445 extern int suid_dumpable;
109446 #ifdef CONFIG_COREDUMP
109447@@ -111,22 +110,24 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
109448 #ifndef CONFIG_MMU
109449 extern int sysctl_nr_trim_pages;
109450 #endif
109451+extern int sysctl_modify_ldt;
109452
109453 /* Constants used for minimum and maximum */
109454 #ifdef CONFIG_LOCKUP_DETECTOR
109455-static int sixty = 60;
109456+static int sixty __read_only = 60;
109457 #endif
109458
109459-static int __maybe_unused neg_one = -1;
109460+static int __maybe_unused neg_one __read_only = -1;
109461
109462-static int zero;
109463-static int __maybe_unused one = 1;
109464-static int __maybe_unused two = 2;
109465-static int __maybe_unused four = 4;
109466-static unsigned long one_ul = 1;
109467-static int one_hundred = 100;
109468+static int zero __read_only = 0;
109469+static int __maybe_unused one __read_only = 1;
109470+static int __maybe_unused two __read_only = 2;
109471+static int __maybe_unused three __read_only = 3;
109472+static int __maybe_unused four __read_only = 4;
109473+static unsigned long one_ul __read_only = 1;
109474+static int one_hundred __read_only = 100;
109475 #ifdef CONFIG_PRINTK
109476-static int ten_thousand = 10000;
109477+static int ten_thousand __read_only = 10000;
109478 #endif
109479
109480 /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
109481@@ -180,10 +181,8 @@ static int proc_taint(struct ctl_table *table, int write,
109482 void __user *buffer, size_t *lenp, loff_t *ppos);
109483 #endif
109484
109485-#ifdef CONFIG_PRINTK
109486-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
109487+static int proc_dointvec_minmax_secure_sysadmin(struct ctl_table *table, int write,
109488 void __user *buffer, size_t *lenp, loff_t *ppos);
109489-#endif
109490
109491 static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
109492 void __user *buffer, size_t *lenp, loff_t *ppos);
109493@@ -214,6 +213,8 @@ static int sysrq_sysctl_handler(struct ctl_table *table, int write,
109494
109495 #endif
109496
109497+extern struct ctl_table grsecurity_table[];
109498+
109499 static struct ctl_table kern_table[];
109500 static struct ctl_table vm_table[];
109501 static struct ctl_table fs_table[];
109502@@ -228,6 +229,20 @@ extern struct ctl_table epoll_table[];
109503 int sysctl_legacy_va_layout;
109504 #endif
109505
109506+#ifdef CONFIG_PAX_SOFTMODE
109507+static struct ctl_table pax_table[] = {
109508+ {
109509+ .procname = "softmode",
109510+ .data = &pax_softmode,
109511+ .maxlen = sizeof(unsigned int),
109512+ .mode = 0600,
109513+ .proc_handler = &proc_dointvec,
109514+ },
109515+
109516+ { }
109517+};
109518+#endif
109519+
109520 /* The default sysctl tables: */
109521
109522 static struct ctl_table sysctl_base_table[] = {
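Review bot: The `softmode` entry uses plain `proc_dointvec` with no `.extra1`/`.extra2`, so any integer can be written. It also does not use one of the `_secure` handlers that later hunks in this file switch `modules_disabled`, `dmesg_restrict` and `kptr_restrict` to. If `pax_softmode` is meant to be a 0/1 switch, `.proc_handler = proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one` would bound it, and both constants already exist in this file. Whether a `_secure` variant is appropriate depends on its definition, which is not in view. `.maxlen = sizeof(unsigned int)` paired with a signed-int handler is harmless in size but suggests the declared type of `pax_softmode` should be checked.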
109523@@ -276,6 +291,22 @@ static int max_extfrag_threshold = 1000;
109524 #endif
109525
109526 static struct ctl_table kern_table[] = {
109527+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
109528+ {
109529+ .procname = "grsecurity",
109530+ .mode = 0500,
109531+ .child = grsecurity_table,
109532+ },
109533+#endif
109534+
109535+#ifdef CONFIG_PAX_SOFTMODE
109536+ {
109537+ .procname = "pax",
109538+ .mode = 0500,
109539+ .child = pax_table,
109540+ },
109541+#endif
109542+
109543 {
109544 .procname = "sched_child_runs_first",
109545 .data = &sysctl_sched_child_runs_first,
109546@@ -628,7 +659,7 @@ static struct ctl_table kern_table[] = {
109547 .maxlen = sizeof(int),
109548 .mode = 0644,
109549 /* only handle a transition from default "0" to "1" */
109550- .proc_handler = proc_dointvec_minmax,
109551+ .proc_handler = proc_dointvec_minmax_secure,
109552 .extra1 = &one,
109553 .extra2 = &one,
109554 },
109555@@ -639,7 +670,7 @@ static struct ctl_table kern_table[] = {
109556 .data = &modprobe_path,
109557 .maxlen = KMOD_PATH_LEN,
109558 .mode = 0644,
109559- .proc_handler = proc_dostring,
109560+ .proc_handler = proc_dostring_modpriv,
109561 },
109562 {
109563 .procname = "modules_disabled",
109564@@ -647,7 +678,7 @@ static struct ctl_table kern_table[] = {
109565 .maxlen = sizeof(int),
109566 .mode = 0644,
109567 /* only handle a transition from default "0" to "1" */
109568- .proc_handler = proc_dointvec_minmax,
109569+ .proc_handler = proc_dointvec_minmax_secure,
109570 .extra1 = &one,
109571 .extra2 = &one,
109572 },
109573@@ -802,20 +833,24 @@ static struct ctl_table kern_table[] = {
109574 .data = &dmesg_restrict,
109575 .maxlen = sizeof(int),
109576 .mode = 0644,
109577- .proc_handler = proc_dointvec_minmax_sysadmin,
109578+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
109579 .extra1 = &zero,
109580 .extra2 = &one,
109581 },
109582+#endif
109583 {
109584 .procname = "kptr_restrict",
109585 .data = &kptr_restrict,
109586 .maxlen = sizeof(int),
109587 .mode = 0644,
109588- .proc_handler = proc_dointvec_minmax_sysadmin,
109589+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
109590+#ifdef CONFIG_GRKERNSEC_HIDESYM
109591+ .extra1 = &two,
109592+#else
109593 .extra1 = &zero,
109594+#endif
109595 .extra2 = &two,
109596 },
109597-#endif
109598 {
109599 .procname = "ngroups_max",
109600 .data = &ngroups_max,
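Review bot: Under CONFIG_GRKERNSEC_HIDESYM both `.extra1` and `.extra2` of `kptr_restrict` point at `two`, so the range check in the minmax handler rejects every write other than 2, and nothing in the entry says this is intended. A comment above the `#ifdef`, such as `/* HIDESYM: pin kptr_restrict at 2, it must not be lowered at runtime */`, would stop a reader from taking min == max for a typo. The hunk also moves `#endif` up so that `kptr_restrict` is registered without CONFIG_PRINTK; whether the variable is defined in that configuration is not visible here and deserves a build test.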
109601@@ -960,6 +995,15 @@ static struct ctl_table kern_table[] = {
109602 .mode = 0644,
109603 .proc_handler = proc_dointvec,
109604 },
109605+ {
109606+ .procname = "modify_ldt",
109607+ .data = &sysctl_modify_ldt,
109608+ .maxlen = sizeof(int),
109609+ .mode = 0644,
109610+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
109611+ .extra1 = &zero,
109612+ .extra2 = &one,
109613+ },
109614 #endif
109615 #if defined(CONFIG_MMU)
109616 {
109617@@ -1082,10 +1126,17 @@ static struct ctl_table kern_table[] = {
109618 */
109619 {
109620 .procname = "perf_event_paranoid",
109621- .data = &sysctl_perf_event_paranoid,
109622- .maxlen = sizeof(sysctl_perf_event_paranoid),
109623+ .data = &sysctl_perf_event_legitimately_concerned,
109624+ .maxlen = sizeof(sysctl_perf_event_legitimately_concerned),
109625 .mode = 0644,
109626- .proc_handler = proc_dointvec,
109627+ /* go ahead, be a hero */
109628+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
109629+ .extra1 = &neg_one,
109630+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
109631+ .extra2 = &three,
109632+#else
109633+ .extra2 = &two,
109634+#endif
109635 },
109636 {
109637 .procname = "perf_event_mlock_kb",
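Review bot: The comment added to the `perf_event_paranoid` entry, `/* go ahead, be a hero */`, tells a maintainer nothing about the handler or the bounds that follow it. Something like `/* writes need CAP_SYS_ADMIN; accepted range is -1..2, or -1..3 with GRKERNSEC_PERF_HARDEN */` documents what the entry enforces. What level 3 means is defined outside this hunk, so the comment should name it only once that is confirmed. The renamed backing variable `sysctl_perf_event_legitimately_concerned` also makes the symbol harder to grep for next to the unchanged procname.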
109638@@ -1376,6 +1427,13 @@ static struct ctl_table vm_table[] = {
109639 .proc_handler = proc_dointvec_minmax,
109640 .extra1 = &zero,
109641 },
109642+ {
109643+ .procname = "heap_stack_gap",
109644+ .data = &sysctl_heap_stack_gap,
109645+ .maxlen = sizeof(sysctl_heap_stack_gap),
109646+ .mode = 0644,
109647+ .proc_handler = proc_doulongvec_minmax,
109648+ },
109649 #else
109650 {
109651 .procname = "nr_trim_pages",
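Review bot: The `heap_stack_gap` entry is registered with `proc_doulongvec_minmax` but sets neither `.extra1` nor `.extra2`, so as far as this table shows the value is unbounded and writes are gated only by the 0644 file mode. How `sysctl_heap_stack_gap` is consumed is not visible in this hunk. If 0 or very large values are not meaningful for the gap, the entry should carry explicit bounds. A comment stating the unit (bytes or pages) and the smallest value that still provides a gap would make the knob auditable.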
109652@@ -1852,6 +1910,16 @@ int proc_dostring(struct ctl_table *table, int write,
109653 (char __user *)buffer, lenp, ppos);
109654 }
109655
109656+int proc_dostring_modpriv(struct ctl_table *table, int write,
109657+ void __user *buffer, size_t *lenp, loff_t *ppos)
109658+{
109659+ if (write && !capable(CAP_SYS_MODULE))
109660+ return -EPERM;
109661+
109662+ return _proc_do_string(table->data, table->maxlen, write,
109663+ buffer, lenp, ppos);
109664+}
109665+
109666 static size_t proc_skip_spaces(char **buf)
109667 {
109668 size_t ret;
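Review bot: `proc_dostring_modpriv` is exported later in this patch but has no comment describing its contract. A short header, for example `/* like proc_dostring(), but a write requires CAP_SYS_MODULE and fails with -EPERM otherwise */`, would document why `modprobe_path` uses it instead of `proc_dostring`. It is also worth stating there that reads stay unrestricted, since the `capable()` test is guarded by `write`.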
109669@@ -1957,6 +2025,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
109670 len = strlen(tmp);
109671 if (len > *size)
109672 len = *size;
109673+ if (len > sizeof(tmp))
109674+ len = sizeof(tmp);
109675 if (copy_to_user(*buf, tmp, len))
109676 return -EFAULT;
109677 *size -= len;
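Review bot: The added clamp `if (len > sizeof(tmp)) len = sizeof(tmp);` cannot fire when `len` comes from `strlen(tmp)` on a terminated buffer, so without explanation it reads like dead code that a later cleanup might delete. If it exists to keep the `copy_to_user()` length provably within the buffer for a size checker, say so, e.g. `/* defensive: bound the copy by the size of tmp[] */`. The declaration of `tmp` and the formatting call are outside this hunk, so this assumes `tmp` is a local array.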
109678@@ -1995,7 +2065,7 @@ static int do_proc_dointvec_conv(bool *negp, unsigned long *lvalp,
109679 int val = *valp;
109680 if (val < 0) {
109681 *negp = true;
109682- *lvalp = (unsigned long)-val;
109683+ *lvalp = -(unsigned long)val;
109684 } else {
109685 *negp = false;
109686 *lvalp = (unsigned long)val;
109687@@ -2135,6 +2205,44 @@ int proc_dointvec(struct ctl_table *table, int write,
109688 NULL,NULL);
109689 }
109690
109691+static int do_proc_dointvec_conv_secure(bool *negp, unsigned long *lvalp,
109692+ int *valp,
109693+ int write, void *data)
109694+{
109695+ if (write) {
109696+ if (*negp) {
109697+ if (*lvalp > (unsigned long) INT_MAX + 1)
109698+ return -EINVAL;
109699+ pax_open_kernel();
109700+ *valp = -*lvalp;
109701+ pax_close_kernel();
109702+ } else {
109703+ if (*lvalp > (unsigned long) INT_MAX)
109704+ return -EINVAL;
109705+ pax_open_kernel();
109706+ *valp = *lvalp;
109707+ pax_close_kernel();
109708+ }
109709+ } else {
109710+ int val = *valp;
109711+ if (val < 0) {
109712+ *negp = true;
109713+ *lvalp = -(unsigned long)val;
109714+ } else {
109715+ *negp = false;
109716+ *lvalp = (unsigned long)val;
109717+ }
109718+ }
109719+ return 0;
109720+}
109721+
109722+int proc_dointvec_secure(struct ctl_table *table, int write,
109723+ void __user *buffer, size_t *lenp, loff_t *ppos)
109724+{
109725+ return do_proc_dointvec(table,write,buffer,lenp,ppos,
109726+ do_proc_dointvec_conv_secure,NULL);
109727+}
109728+
109729 /*
109730 * Taint values can only be increased
109731 * This means we can safely use a temporary.
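Review bot: In `do_proc_dointvec_conv_secure` the `pax_open_kernel()` / `pax_close_kernel()` pair is written out twice, once per sign branch. `do_proc_dointvec_minmax_conv_secure`, added later in this patch, validates first and opens one window around a single store. Doing the same here keeps the writable window in one place and makes it obvious that no early return can leave it open. Neither new function has a comment saying that the `_secure` variants exist to store into variables the patch marks `__read_only`; a one-line header would be welcome. The fence below shows the write path only.
```c
	if (write) {
		int val;

		if (*negp) {
			if (*lvalp > (unsigned long) INT_MAX + 1)
				return -EINVAL;
			val = -*lvalp;
		} else {
			if (*lvalp > (unsigned long) INT_MAX)
				return -EINVAL;
			val = *lvalp;
		}
		/* one write window around the single store */
		pax_open_kernel();
		*valp = val;
		pax_close_kernel();
	} else {
		/* … unchanged: read path … */
```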
109732@@ -2142,7 +2250,7 @@ int proc_dointvec(struct ctl_table *table, int write,
109733 static int proc_taint(struct ctl_table *table, int write,
109734 void __user *buffer, size_t *lenp, loff_t *ppos)
109735 {
109736- struct ctl_table t;
109737+ ctl_table_no_const t;
109738 unsigned long tmptaint = get_taint();
109739 int err;
109740
109741@@ -2170,16 +2278,14 @@ static int proc_taint(struct ctl_table *table, int write,
109742 return err;
109743 }
109744
109745-#ifdef CONFIG_PRINTK
109746-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
109747+static int proc_dointvec_minmax_secure_sysadmin(struct ctl_table *table, int write,
109748 void __user *buffer, size_t *lenp, loff_t *ppos)
109749 {
109750 if (write && !capable(CAP_SYS_ADMIN))
109751 return -EPERM;
109752
109753- return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
109754+ return proc_dointvec_minmax_secure(table, write, buffer, lenp, ppos);
109755 }
109756-#endif
109757
109758 struct do_proc_dointvec_minmax_conv_param {
109759 int *min;
109760@@ -2201,7 +2307,33 @@ static int do_proc_dointvec_minmax_conv(bool *negp, unsigned long *lvalp,
109761 int val = *valp;
109762 if (val < 0) {
109763 *negp = true;
109764- *lvalp = (unsigned long)-val;
109765+ *lvalp = -(unsigned long)val;
109766+ } else {
109767+ *negp = false;
109768+ *lvalp = (unsigned long)val;
109769+ }
109770+ }
109771+ return 0;
109772+}
109773+
109774+static int do_proc_dointvec_minmax_conv_secure(bool *negp, unsigned long *lvalp,
109775+ int *valp,
109776+ int write, void *data)
109777+{
109778+ struct do_proc_dointvec_minmax_conv_param *param = data;
109779+ if (write) {
109780+ int val = *negp ? -*lvalp : *lvalp;
109781+ if ((param->min && *param->min > val) ||
109782+ (param->max && *param->max < val))
109783+ return -EINVAL;
109784+ pax_open_kernel();
109785+ *valp = val;
109786+ pax_close_kernel();
109787+ } else {
109788+ int val = *valp;
109789+ if (val < 0) {
109790+ *negp = true;
109791+ *lvalp = -(unsigned long)val;
109792 } else {
109793 *negp = false;
109794 *lvalp = (unsigned long)val;
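Review bot: The write path of `do_proc_dointvec_minmax_conv_secure` narrows `*lvalp` to `int` in `int val = *negp ? -*lvalp : *lvalp;` before the min/max comparison. Where `unsigned long` is wider than `int`, an out-of-range input is truncated, and the truncated value is what gets range-checked and stored. `do_proc_dointvec_conv_secure`, added earlier in this patch, rejects such input first. The same guard belongs here: declare `int val;`, add `if (*lvalp > (unsigned long) INT_MAX + (*negp ? 1 : 0)) return -EINVAL;`, then assign `val`. This handler backs `kptr_restrict`, `dmesg_restrict` and `modules_disabled` in the table above, so the check is worth having even though the non-secure original has the same shape. The first added lines of the hunk close the preceding `do_proc_dointvec_minmax_conv`, and the new function's read path ends in context lines beyond the hunk.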
109795@@ -2237,6 +2369,17 @@ int proc_dointvec_minmax(struct ctl_table *table, int write,
109796 do_proc_dointvec_minmax_conv, &param);
109797 }
109798
109799+int proc_dointvec_minmax_secure(struct ctl_table *table, int write,
109800+ void __user *buffer, size_t *lenp, loff_t *ppos)
109801+{
109802+ struct do_proc_dointvec_minmax_conv_param param = {
109803+ .min = (int *) table->extra1,
109804+ .max = (int *) table->extra2,
109805+ };
109806+ return do_proc_dointvec(table, write, buffer, lenp, ppos,
109807+ do_proc_dointvec_minmax_conv_secure, &param);
109808+}
109809+
109810 static void validate_coredump_safety(void)
109811 {
109812 #ifdef CONFIG_COREDUMP
109813@@ -2436,7 +2579,7 @@ static int do_proc_dointvec_jiffies_conv(bool *negp, unsigned long *lvalp,
109814 unsigned long lval;
109815 if (val < 0) {
109816 *negp = true;
109817- lval = (unsigned long)-val;
109818+ lval = -(unsigned long)val;
109819 } else {
109820 *negp = false;
109821 lval = (unsigned long)val;
109822@@ -2459,7 +2602,7 @@ static int do_proc_dointvec_userhz_jiffies_conv(bool *negp, unsigned long *lvalp
109823 unsigned long lval;
109824 if (val < 0) {
109825 *negp = true;
109826- lval = (unsigned long)-val;
109827+ lval = -(unsigned long)val;
109828 } else {
109829 *negp = false;
109830 lval = (unsigned long)val;
109831@@ -2484,7 +2627,7 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
109832 unsigned long lval;
109833 if (val < 0) {
109834 *negp = true;
109835- lval = (unsigned long)-val;
109836+ lval = -(unsigned long)val;
109837 } else {
109838 *negp = false;
109839 lval = (unsigned long)val;
109840@@ -2739,6 +2882,12 @@ int proc_dostring(struct ctl_table *table, int write,
109841 return -ENOSYS;
109842 }
109843
109844+int proc_dostring_modpriv(struct ctl_table *table, int write,
109845+ void __user *buffer, size_t *lenp, loff_t *ppos)
109846+{
109847+ return -ENOSYS;
109848+}
109849+
109850 int proc_dointvec(struct ctl_table *table, int write,
109851 void __user *buffer, size_t *lenp, loff_t *ppos)
109852 {
109853@@ -2795,5 +2944,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
109854 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
109855 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
109856 EXPORT_SYMBOL(proc_dostring);
109857+EXPORT_SYMBOL(proc_dostring_modpriv);
109858 EXPORT_SYMBOL(proc_doulongvec_minmax);
109859 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
109860diff --git a/kernel/taskstats.c b/kernel/taskstats.c
109861index 21f82c2..c1984e5 100644
109862--- a/kernel/taskstats.c
109863+++ b/kernel/taskstats.c
109864@@ -28,9 +28,12 @@
109865 #include <linux/fs.h>
109866 #include <linux/file.h>
109867 #include <linux/pid_namespace.h>
109868+#include <linux/grsecurity.h>
109869 #include <net/genetlink.h>
109870 #include <linux/atomic.h>
109871
109872+extern int gr_is_taskstats_denied(int pid);
109873+
109874 /*
109875 * Maximum length of a cpumask that can be specified in
109876 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
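Review bot: The hunk adds `#include <linux/grsecurity.h>` and, a few lines later, a file-local `extern int gr_is_taskstats_denied(int pid);`. A prototype kept in the .c file is not checked against the definition, so a later signature change would compile silently. If the header does not already declare the function, which is not visible here, the declaration belongs there and the `extern` line should go.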
109877@@ -567,6 +570,9 @@ err:
109878
109879 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
109880 {
109881+ if (gr_is_taskstats_denied(current->pid))
109882+ return -EACCES;
109883+
109884 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
109885 return cmd_attr_register_cpumask(info);
109886 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
109887diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
109888index 7fbba635..7cc64ae 100644
109889--- a/kernel/time/alarmtimer.c
109890+++ b/kernel/time/alarmtimer.c
109891@@ -820,7 +820,7 @@ static int __init alarmtimer_init(void)
109892 struct platform_device *pdev;
109893 int error = 0;
109894 int i;
109895- struct k_clock alarm_clock = {
109896+ static struct k_clock alarm_clock = {
109897 .clock_getres = alarm_clock_getres,
109898 .clock_get = alarm_clock_get,
109899 .timer_create = alarm_timer_create,
109900diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
109901index 892e3da..cb71aa5 100644
109902--- a/kernel/time/posix-cpu-timers.c
109903+++ b/kernel/time/posix-cpu-timers.c
109904@@ -1470,14 +1470,14 @@ struct k_clock clock_posix_cpu = {
109905
109906 static __init int init_posix_cpu_timers(void)
109907 {
109908- struct k_clock process = {
109909+ static struct k_clock process = {
109910 .clock_getres = process_cpu_clock_getres,
109911 .clock_get = process_cpu_clock_get,
109912 .timer_create = process_cpu_timer_create,
109913 .nsleep = process_cpu_nsleep,
109914 .nsleep_restart = process_cpu_nsleep_restart,
109915 };
109916- struct k_clock thread = {
109917+ static struct k_clock thread = {
109918 .clock_getres = thread_cpu_clock_getres,
109919 .clock_get = thread_cpu_clock_get,
109920 .timer_create = thread_cpu_timer_create,
109921diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
109922index 31d11ac..5a3bb13 100644
109923--- a/kernel/time/posix-timers.c
109924+++ b/kernel/time/posix-timers.c
109925@@ -43,6 +43,7 @@
109926 #include <linux/hash.h>
109927 #include <linux/posix-clock.h>
109928 #include <linux/posix-timers.h>
109929+#include <linux/grsecurity.h>
109930 #include <linux/syscalls.h>
109931 #include <linux/wait.h>
109932 #include <linux/workqueue.h>
109933@@ -124,7 +125,7 @@ static DEFINE_SPINLOCK(hash_lock);
109934 * which we beg off on and pass to do_sys_settimeofday().
109935 */
109936
109937-static struct k_clock posix_clocks[MAX_CLOCKS];
109938+static struct k_clock *posix_clocks[MAX_CLOCKS];
109939
109940 /*
109941 * These ones are defined below.
109942@@ -284,7 +285,7 @@ static int posix_get_hrtimer_res(clockid_t which_clock, struct timespec *tp)
109943 */
109944 static __init int init_posix_timers(void)
109945 {
109946- struct k_clock clock_realtime = {
109947+ static struct k_clock clock_realtime = {
109948 .clock_getres = posix_get_hrtimer_res,
109949 .clock_get = posix_clock_realtime_get,
109950 .clock_set = posix_clock_realtime_set,
109951@@ -296,7 +297,7 @@ static __init int init_posix_timers(void)
109952 .timer_get = common_timer_get,
109953 .timer_del = common_timer_del,
109954 };
109955- struct k_clock clock_monotonic = {
109956+ static struct k_clock clock_monotonic = {
109957 .clock_getres = posix_get_hrtimer_res,
109958 .clock_get = posix_ktime_get_ts,
109959 .nsleep = common_nsleep,
109960@@ -306,19 +307,19 @@ static __init int init_posix_timers(void)
109961 .timer_get = common_timer_get,
109962 .timer_del = common_timer_del,
109963 };
109964- struct k_clock clock_monotonic_raw = {
109965+ static struct k_clock clock_monotonic_raw = {
109966 .clock_getres = posix_get_hrtimer_res,
109967 .clock_get = posix_get_monotonic_raw,
109968 };
109969- struct k_clock clock_realtime_coarse = {
109970+ static struct k_clock clock_realtime_coarse = {
109971 .clock_getres = posix_get_coarse_res,
109972 .clock_get = posix_get_realtime_coarse,
109973 };
109974- struct k_clock clock_monotonic_coarse = {
109975+ static struct k_clock clock_monotonic_coarse = {
109976 .clock_getres = posix_get_coarse_res,
109977 .clock_get = posix_get_monotonic_coarse,
109978 };
109979- struct k_clock clock_tai = {
109980+ static struct k_clock clock_tai = {
109981 .clock_getres = posix_get_hrtimer_res,
109982 .clock_get = posix_get_tai,
109983 .nsleep = common_nsleep,
109984@@ -328,7 +329,7 @@ static __init int init_posix_timers(void)
109985 .timer_get = common_timer_get,
109986 .timer_del = common_timer_del,
109987 };
109988- struct k_clock clock_boottime = {
109989+ static struct k_clock clock_boottime = {
109990 .clock_getres = posix_get_hrtimer_res,
109991 .clock_get = posix_get_boottime,
109992 .nsleep = common_nsleep,
109993@@ -540,7 +541,7 @@ void posix_timers_register_clock(const clockid_t clock_id,
109994 return;
109995 }
109996
109997- posix_clocks[clock_id] = *new_clock;
109998+ posix_clocks[clock_id] = new_clock;
109999 }
110000 EXPORT_SYMBOL_GPL(posix_timers_register_clock);
110001
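Review bot: `posix_timers_register_clock` now stores the caller's pointer, `posix_clocks[clock_id] = new_clock;`, instead of copying the struct, which turns the argument's lifetime into part of the contract of a GPL-exported function. The in-tree callers on this page are switched to `static struct k_clock`, but nothing tells any other caller that a stack or otherwise short-lived `k_clock` would leave a dangling pointer in the table. The function's comment should say so, for example `/* new_clock is stored by reference and must remain valid for the lifetime of the kernel */`. The function's header comment and signature are outside this hunk.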
110002@@ -586,9 +587,9 @@ static struct k_clock *clockid_to_kclock(const clockid_t id)
110003 return (id & CLOCKFD_MASK) == CLOCKFD ?
110004 &clock_posix_dynamic : &clock_posix_cpu;
110005
110006- if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
110007+ if (id >= MAX_CLOCKS || !posix_clocks[id] || !posix_clocks[id]->clock_getres)
110008 return NULL;
110009- return &posix_clocks[id];
110010+ return posix_clocks[id];
110011 }
110012
110013 static int common_timer_create(struct k_itimer *new_timer)
110014@@ -606,7 +607,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
110015 struct k_clock *kc = clockid_to_kclock(which_clock);
110016 struct k_itimer *new_timer;
110017 int error, new_timer_id;
110018- sigevent_t event;
110019+ sigevent_t event = { };
110020 int it_id_set = IT_ID_NOT_SET;
110021
110022 if (!kc)
110023@@ -1021,6 +1022,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
110024 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
110025 return -EFAULT;
110026
110027+ /* only the CLOCK_REALTIME clock can be set, all other clocks
110028+ have their clock_set fptr set to a nosettime dummy function
110029+ CLOCK_REALTIME has a NULL clock_set fptr which causes it to
110030+ call common_clock_set, which calls do_sys_settimeofday, which
110031+ we hook
110032+ */
110033+
110034 return kc->clock_set(which_clock, &new_tp);
110035 }
110036
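Review bot: The comment added in `clock_settime` says CLOCK_REALTIME has a NULL `clock_set` pointer, but the `init_posix_timers` hunk on this page shows `clock_realtime` with `.clock_set = posix_clock_realtime_set`. The explanation therefore does not match the code it sits next to. If the point is only that the settable clock ends up in `do_sys_settimeofday()`, where the logging hook lives, the comment could be reduced to `/* only CLOCK_REALTIME can be set; its clock_set path reaches do_sys_settimeofday(), where the time change is logged */`. Whether `posix_clock_realtime_set` actually takes that path is not visible here and should be confirmed before rewording.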
110037diff --git a/kernel/time/time.c b/kernel/time/time.c
110038index 85d5bb1..aeca463 100644
110039--- a/kernel/time/time.c
110040+++ b/kernel/time/time.c
110041@@ -177,6 +177,11 @@ int do_sys_settimeofday(const struct timespec *tv, const struct timezone *tz)
110042 if (tz->tz_minuteswest > 15*60 || tz->tz_minuteswest < -15*60)
110043 return -EINVAL;
110044
110045+ /* we log in do_settimeofday called below, so don't log twice
110046+ */
110047+ if (!tv)
110048+ gr_log_timechange();
110049+
110050 sys_tz = *tz;
110051 update_vsyscall_tz();
110052 if (firsttime) {
110053diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
110054index bca3667..2745765 100644
110055--- a/kernel/time/timekeeping.c
110056+++ b/kernel/time/timekeeping.c
110057@@ -15,6 +15,7 @@
110058 #include <linux/init.h>
110059 #include <linux/mm.h>
110060 #include <linux/sched.h>
110061+#include <linux/grsecurity.h>
110062 #include <linux/syscore_ops.h>
110063 #include <linux/clocksource.h>
110064 #include <linux/jiffies.h>
110065@@ -915,6 +916,8 @@ int do_settimeofday64(const struct timespec64 *ts)
110066 if (!timespec64_valid_strict(ts))
110067 return -EINVAL;
110068
110069+ gr_log_timechange();
110070+
110071 raw_spin_lock_irqsave(&timekeeper_lock, flags);
110072 write_seqcount_begin(&tk_core.seq);
110073
110074diff --git a/kernel/time/timer.c b/kernel/time/timer.c
110075index 84190f0..5cd9067 100644
110076--- a/kernel/time/timer.c
110077+++ b/kernel/time/timer.c
110078@@ -1406,7 +1406,7 @@ void update_process_times(int user_tick)
110079 /*
110080 * This function runs timers and the timer-tq in bottom half context.
110081 */
110082-static void run_timer_softirq(struct softirq_action *h)
110083+static __latent_entropy void run_timer_softirq(void)
110084 {
110085 struct tvec_base *base = this_cpu_ptr(&tvec_bases);
110086
110087@@ -1467,7 +1467,7 @@ static void process_timeout(unsigned long __data)
110088 *
110089 * In all cases the return value is guaranteed to be non-negative.
110090 */
110091-signed long __sched schedule_timeout(signed long timeout)
110092+signed long __sched __intentional_overflow(-1) schedule_timeout(signed long timeout)
110093 {
110094 struct timer_list timer;
110095 unsigned long expire;
110096diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
110097index a4536e1..5d8774c 100644
110098--- a/kernel/time/timer_list.c
110099+++ b/kernel/time/timer_list.c
110100@@ -50,12 +50,16 @@ static void SEQ_printf(struct seq_file *m, const char *fmt, ...)
110101
110102 static void print_name_offset(struct seq_file *m, void *sym)
110103 {
110104+#ifdef CONFIG_GRKERNSEC_HIDESYM
110105+ SEQ_printf(m, "<%p>", NULL);
110106+#else
110107 char symname[KSYM_NAME_LEN];
110108
110109 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
110110 SEQ_printf(m, "<%pK>", sym);
110111 else
110112 SEQ_printf(m, "%s", symname);
110113+#endif
110114 }
110115
110116 static void
110117@@ -124,11 +128,14 @@ next_one:
110118 static void
110119 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
110120 {
110121+#ifdef CONFIG_GRKERNSEC_HIDESYM
110122+ SEQ_printf(m, " .base: %p\n", NULL);
110123+#else
110124 SEQ_printf(m, " .base: %pK\n", base);
110125+#endif
110126 SEQ_printf(m, " .index: %d\n", base->index);
110127
110128 SEQ_printf(m, " .resolution: %u nsecs\n", (unsigned) hrtimer_resolution);
110129-
110130 SEQ_printf(m, " .get_time: ");
110131 print_name_offset(m, base->get_time);
110132 SEQ_printf(m, "\n");
110133@@ -399,7 +406,11 @@ static int __init init_timer_list_procfs(void)
110134 {
110135 struct proc_dir_entry *pe;
110136
110137+#ifdef CONFIG_GRKERNSEC_PROC_ADD
110138+ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
110139+#else
110140 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
110141+#endif
110142 if (!pe)
110143 return -ENOMEM;
110144 return 0;
110145diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c
110146index 1adecb4..b4fb631 100644
110147--- a/kernel/time/timer_stats.c
110148+++ b/kernel/time/timer_stats.c
110149@@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
110150 static unsigned long nr_entries;
110151 static struct entry entries[MAX_ENTRIES];
110152
110153-static atomic_t overflow_count;
110154+static atomic_unchecked_t overflow_count;
110155
110156 /*
110157 * The entries are in a hash-table, for fast lookup:
110158@@ -140,7 +140,7 @@ static void reset_entries(void)
110159 nr_entries = 0;
110160 memset(entries, 0, sizeof(entries));
110161 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
110162- atomic_set(&overflow_count, 0);
110163+ atomic_set_unchecked(&overflow_count, 0);
110164 }
110165
110166 static struct entry *alloc_entry(void)
110167@@ -261,7 +261,7 @@ void timer_stats_update_stats(void *timer, pid_t pid, void *startf,
110168 if (likely(entry))
110169 entry->count++;
110170 else
110171- atomic_inc(&overflow_count);
110172+ atomic_inc_unchecked(&overflow_count);
110173
110174 out_unlock:
110175 raw_spin_unlock_irqrestore(lock, flags);
110176@@ -269,12 +269,16 @@ void timer_stats_update_stats(void *timer, pid_t pid, void *startf,
110177
110178 static void print_name_offset(struct seq_file *m, unsigned long addr)
110179 {
110180+#ifdef CONFIG_GRKERNSEC_HIDESYM
110181+ seq_printf(m, "<%p>", NULL);
110182+#else
110183 char symname[KSYM_NAME_LEN];
110184
110185 if (lookup_symbol_name(addr, symname) < 0)
110186- seq_printf(m, "<%p>", (void *)addr);
110187+ seq_printf(m, "<%pK>", (void *)addr);
110188 else
110189 seq_printf(m, "%s", symname);
110190+#endif
110191 }
110192
110193 static int tstats_show(struct seq_file *m, void *v)
110194@@ -300,8 +304,8 @@ static int tstats_show(struct seq_file *m, void *v)
110195
110196 seq_puts(m, "Timer Stats Version: v0.3\n");
110197 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
110198- if (atomic_read(&overflow_count))
110199- seq_printf(m, "Overflow: %d entries\n", atomic_read(&overflow_count));
110200+ if (atomic_read_unchecked(&overflow_count))
110201+ seq_printf(m, "Overflow: %d entries\n", atomic_read_unchecked(&overflow_count));
110202 seq_printf(m, "Collection: %s\n", timer_stats_active ? "active" : "inactive");
110203
110204 for (i = 0; i < nr_entries; i++) {
110205@@ -417,7 +421,11 @@ static int __init init_tstats_procfs(void)
110206 {
110207 struct proc_dir_entry *pe;
110208
110209+#ifdef CONFIG_GRKERNSEC_PROC_ADD
110210+ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
110211+#else
110212 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
110213+#endif
110214 if (!pe)
110215 return -ENOMEM;
110216 return 0;
110217diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
110218index b3e6b39..719099b 100644
110219--- a/kernel/trace/blktrace.c
110220+++ b/kernel/trace/blktrace.c
110221@@ -328,7 +328,7 @@ static ssize_t blk_dropped_read(struct file *filp, char __user *buffer,
110222 struct blk_trace *bt = filp->private_data;
110223 char buf[16];
110224
110225- snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
110226+ snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
110227
110228 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
110229 }
110230@@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(struct rchan_buf *buf, void *subbuf,
110231 return 1;
110232
110233 bt = buf->chan->private_data;
110234- atomic_inc(&bt->dropped);
110235+ atomic_inc_unchecked(&bt->dropped);
110236 return 0;
110237 }
110238
110239@@ -485,7 +485,7 @@ int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
110240
110241 bt->dir = dir;
110242 bt->dev = dev;
110243- atomic_set(&bt->dropped, 0);
110244+ atomic_set_unchecked(&bt->dropped, 0);
110245 INIT_LIST_HEAD(&bt->running_list);
110246
110247 ret = -EIO;
110248diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
110249index eb11011..43adc29 100644
110250--- a/kernel/trace/ftrace.c
110251+++ b/kernel/trace/ftrace.c
110252@@ -2413,12 +2413,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
110253 if (unlikely(ftrace_disabled))
110254 return 0;
110255
110256+ ret = ftrace_arch_code_modify_prepare();
110257+ FTRACE_WARN_ON(ret);
110258+ if (ret)
110259+ return 0;
110260+
110261 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
110262+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
110263 if (ret) {
110264 ftrace_bug(ret, rec);
110265- return 0;
110266 }
110267- return 1;
110268+ return ret ? 0 : 1;
110269 }
110270
110271 /*
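Review bot: In `ftrace_code_disable` the prepare step is stored and then checked (`ret = ftrace_arch_code_modify_prepare(); FTRACE_WARN_ON(ret);`), while the matching post-process step is called inside the macro argument, `FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());`. Putting a call with side effects inside a warning macro makes the pairing easy to miss and depends on the macro evaluating its argument exactly once; a separate statement with its own local would mirror the prepare call. The now single-statement `if (ret) { ftrace_bug(ret, rec); }` followed by `return ret ? 0 : 1;` could be written as `return !ret;`. A short comment explaining why the text must be made writable around `ftrace_make_nop()` would help, since the function begins before the hunk and nothing here explains it.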
110272@@ -4807,8 +4812,10 @@ static int ftrace_process_locs(struct module *mod,
110273 if (!count)
110274 return 0;
110275
110276+ pax_open_kernel();
110277 sort(start, count, sizeof(*start),
110278 ftrace_cmp_ips, ftrace_swap_ips);
110279+ pax_close_kernel();
110280
110281 start_pg = ftrace_allocate_pages(count);
110282 if (!start_pg)
110283@@ -5675,7 +5682,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
110284
110285 if (t->ret_stack == NULL) {
110286 atomic_set(&t->tracing_graph_pause, 0);
110287- atomic_set(&t->trace_overrun, 0);
110288+ atomic_set_unchecked(&t->trace_overrun, 0);
110289 t->curr_ret_stack = -1;
110290 /* Make sure the tasks see the -1 first: */
110291 smp_wmb();
110292@@ -5898,7 +5905,7 @@ static void
110293 graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
110294 {
110295 atomic_set(&t->tracing_graph_pause, 0);
110296- atomic_set(&t->trace_overrun, 0);
110297+ atomic_set_unchecked(&t->trace_overrun, 0);
110298 t->ftrace_timestamp = 0;
110299 /* make curr_ret_stack visible before we add the ret_stack */
110300 smp_wmb();
110301diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
110302index 6260717..b9bd83c 100644
110303--- a/kernel/trace/ring_buffer.c
110304+++ b/kernel/trace/ring_buffer.c
110305@@ -296,9 +296,9 @@ struct buffer_data_page {
110306 */
110307 struct buffer_page {
110308 struct list_head list; /* list of buffer pages */
110309- local_t write; /* index for next write */
110310+ local_unchecked_t write; /* index for next write */
110311 unsigned read; /* index for next read */
110312- local_t entries; /* entries on this page */
110313+ local_unchecked_t entries; /* entries on this page */
110314 unsigned long real_end; /* real end of data */
110315 struct buffer_data_page *page; /* Actual data page */
110316 };
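Review bot: `write` and `entries` in `struct buffer_page` are converted to `local_unchecked_t`, but their field comments still describe them as an index and a count, not as statistics. That makes opting them out of overflow checking look riskier than it probably is. Later hunks in this file add `RB_WRITE_INTCNT` into both fields and mask reads with `RB_WRITE_MASK`, which suggests the upper bits are a counter that is allowed to wrap. If that is the reason, the struct should say so, e.g. `/* unchecked: bits above RB_WRITE_MASK hold an interrupt count that may wrap */`.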
110317@@ -437,11 +437,11 @@ struct ring_buffer_per_cpu {
110318 unsigned long last_overrun;
110319 local_t entries_bytes;
110320 local_t entries;
110321- local_t overrun;
110322- local_t commit_overrun;
110323- local_t dropped_events;
110324+ local_unchecked_t overrun;
110325+ local_unchecked_t commit_overrun;
110326+ local_unchecked_t dropped_events;
110327 local_t committing;
110328- local_t commits;
110329+ local_unchecked_t commits;
110330 unsigned long read;
110331 unsigned long read_bytes;
110332 u64 write_stamp;
110333@@ -1011,8 +1011,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
110334 *
110335 * We add a counter to the write field to denote this.
110336 */
110337- old_write = local_add_return(RB_WRITE_INTCNT, &next_page->write);
110338- old_entries = local_add_return(RB_WRITE_INTCNT, &next_page->entries);
110339+ old_write = local_add_return_unchecked(RB_WRITE_INTCNT, &next_page->write);
110340+ old_entries = local_add_return_unchecked(RB_WRITE_INTCNT, &next_page->entries);
110341
110342 /*
110343 * Just make sure we have seen our old_write and synchronize
110344@@ -1040,8 +1040,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
110345 * cmpxchg to only update if an interrupt did not already
110346 * do it for us. If the cmpxchg fails, we don't care.
110347 */
110348- (void)local_cmpxchg(&next_page->write, old_write, val);
110349- (void)local_cmpxchg(&next_page->entries, old_entries, eval);
110350+ (void)local_cmpxchg_unchecked(&next_page->write, old_write, val);
110351+ (void)local_cmpxchg_unchecked(&next_page->entries, old_entries, eval);
110352
110353 /*
110354 * No need to worry about races with clearing out the commit.
110355@@ -1409,12 +1409,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer);
110356
110357 static inline unsigned long rb_page_entries(struct buffer_page *bpage)
110358 {
110359- return local_read(&bpage->entries) & RB_WRITE_MASK;
110360+ return local_read_unchecked(&bpage->entries) & RB_WRITE_MASK;
110361 }
110362
110363 static inline unsigned long rb_page_write(struct buffer_page *bpage)
110364 {
110365- return local_read(&bpage->write) & RB_WRITE_MASK;
110366+ return local_read_unchecked(&bpage->write) & RB_WRITE_MASK;
110367 }
110368
110369 static int
110370@@ -1509,7 +1509,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
110371 * bytes consumed in ring buffer from here.
110372 * Increment overrun to account for the lost events.
110373 */
110374- local_add(page_entries, &cpu_buffer->overrun);
110375+ local_add_unchecked(page_entries, &cpu_buffer->overrun);
110376 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
110377 }
110378
110379@@ -2071,7 +2071,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
110380 * it is our responsibility to update
110381 * the counters.
110382 */
110383- local_add(entries, &cpu_buffer->overrun);
110384+ local_add_unchecked(entries, &cpu_buffer->overrun);
110385 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
110386
110387 /*
110388@@ -2221,7 +2221,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
110389 if (tail == BUF_PAGE_SIZE)
110390 tail_page->real_end = 0;
110391
110392- local_sub(length, &tail_page->write);
110393+ local_sub_unchecked(length, &tail_page->write);
110394 return;
110395 }
110396
110397@@ -2256,7 +2256,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
110398 rb_event_set_padding(event);
110399
110400 /* Set the write back to the previous setting */
110401- local_sub(length, &tail_page->write);
110402+ local_sub_unchecked(length, &tail_page->write);
110403 return;
110404 }
110405
110406@@ -2268,7 +2268,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
110407
110408 /* Set write to end of buffer */
110409 length = (tail + length) - BUF_PAGE_SIZE;
110410- local_sub(length, &tail_page->write);
110411+ local_sub_unchecked(length, &tail_page->write);
110412 }
110413
110414 /*
110415@@ -2294,7 +2294,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
110416 * about it.
110417 */
110418 if (unlikely(next_page == commit_page)) {
110419- local_inc(&cpu_buffer->commit_overrun);
110420+ local_inc_unchecked(&cpu_buffer->commit_overrun);
110421 goto out_reset;
110422 }
110423
110424@@ -2324,7 +2324,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
110425 * this is easy, just stop here.
110426 */
110427 if (!(buffer->flags & RB_FL_OVERWRITE)) {
110428- local_inc(&cpu_buffer->dropped_events);
110429+ local_inc_unchecked(&cpu_buffer->dropped_events);
110430 goto out_reset;
110431 }
110432
110433@@ -2350,7 +2350,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
110434 cpu_buffer->tail_page) &&
110435 (cpu_buffer->commit_page ==
110436 cpu_buffer->reader_page))) {
110437- local_inc(&cpu_buffer->commit_overrun);
110438+ local_inc_unchecked(&cpu_buffer->commit_overrun);
110439 goto out_reset;
110440 }
110441 }
110442@@ -2398,7 +2398,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
110443 length += RB_LEN_TIME_EXTEND;
110444
110445 tail_page = cpu_buffer->tail_page;
110446- write = local_add_return(length, &tail_page->write);
110447+ write = local_add_return_unchecked(length, &tail_page->write);
110448
110449 /* set write to only the index of the write */
110450 write &= RB_WRITE_MASK;
110451@@ -2422,7 +2422,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
110452 kmemcheck_annotate_bitfield(event, bitfield);
110453 rb_update_event(cpu_buffer, event, length, add_timestamp, delta);
110454
110455- local_inc(&tail_page->entries);
110456+ local_inc_unchecked(&tail_page->entries);
110457
110458 /*
110459 * If this is the first commit on the page, then update
110460@@ -2455,7 +2455,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
110461
110462 if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) {
110463 unsigned long write_mask =
110464- local_read(&bpage->write) & ~RB_WRITE_MASK;
110465+ local_read_unchecked(&bpage->write) & ~RB_WRITE_MASK;
110466 unsigned long event_length = rb_event_length(event);
110467 /*
110468 * This is on the tail page. It is possible that
110469@@ -2465,7 +2465,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
110470 */
110471 old_index += write_mask;
110472 new_index += write_mask;
110473- index = local_cmpxchg(&bpage->write, old_index, new_index);
110474+ index = local_cmpxchg_unchecked(&bpage->write, old_index, new_index);
110475 if (index == old_index) {
110476 /* update counters */
110477 local_sub(event_length, &cpu_buffer->entries_bytes);
110478@@ -2480,7 +2480,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
110479 static void rb_start_commit(struct ring_buffer_per_cpu *cpu_buffer)
110480 {
110481 local_inc(&cpu_buffer->committing);
110482- local_inc(&cpu_buffer->commits);
110483+ local_inc_unchecked(&cpu_buffer->commits);
110484 }
110485
110486 static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
110487@@ -2492,7 +2492,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
110488 return;
110489
110490 again:
110491- commits = local_read(&cpu_buffer->commits);
110492+ commits = local_read_unchecked(&cpu_buffer->commits);
110493 /* synchronize with interrupts */
110494 barrier();
110495 if (local_read(&cpu_buffer->committing) == 1)
110496@@ -2508,7 +2508,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
110497 * updating of the commit page and the clearing of the
110498 * committing counter.
110499 */
110500- if (unlikely(local_read(&cpu_buffer->commits) != commits) &&
110501+ if (unlikely(local_read_unchecked(&cpu_buffer->commits) != commits) &&
110502 !local_read(&cpu_buffer->committing)) {
110503 local_inc(&cpu_buffer->committing);
110504 goto again;
110505@@ -2538,7 +2538,7 @@ rb_reserve_next_event(struct ring_buffer *buffer,
110506 barrier();
110507 if (unlikely(ACCESS_ONCE(cpu_buffer->buffer) != buffer)) {
110508 local_dec(&cpu_buffer->committing);
110509- local_dec(&cpu_buffer->commits);
110510+ local_dec_unchecked(&cpu_buffer->commits);
110511 return NULL;
110512 }
110513 #endif
110514@@ -2852,7 +2852,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
110515
110516 /* Do the likely case first */
110517 if (likely(bpage->page == (void *)addr)) {
110518- local_dec(&bpage->entries);
110519+ local_dec_unchecked(&bpage->entries);
110520 return;
110521 }
110522
110523@@ -2864,7 +2864,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
110524 start = bpage;
110525 do {
110526 if (bpage->page == (void *)addr) {
110527- local_dec(&bpage->entries);
110528+ local_dec_unchecked(&bpage->entries);
110529 return;
110530 }
110531 rb_inc_page(cpu_buffer, &bpage);
110532@@ -3152,7 +3152,7 @@ static inline unsigned long
110533 rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer)
110534 {
110535 return local_read(&cpu_buffer->entries) -
110536- (local_read(&cpu_buffer->overrun) + cpu_buffer->read);
110537+ (local_read_unchecked(&cpu_buffer->overrun) + cpu_buffer->read);
110538 }
110539
110540 /**
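Review bot: rb_num_of_entries now subtracts an unchecked `overrun` from a still-checked `entries`, and the expression only makes sense if `entries` is at least `overrun + read`. If `overrun` is expected to be able to wrap, which is presumably why it moved to the unchecked accessors, `entries` reaches the same limit no later and would trip the overflow check first on a long-running trace. Either `entries` should be converted together with its writers (outside this hunk), so that this line reads `return local_read_unchecked(&cpu_buffer->entries) -`, or a comment should say why only one side of the subtraction can overflow.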
110541@@ -3241,7 +3241,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
110542 return 0;
110543
110544 cpu_buffer = buffer->buffers[cpu];
110545- ret = local_read(&cpu_buffer->overrun);
110546+ ret = local_read_unchecked(&cpu_buffer->overrun);
110547
110548 return ret;
110549 }
110550@@ -3264,7 +3264,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
110551 return 0;
110552
110553 cpu_buffer = buffer->buffers[cpu];
110554- ret = local_read(&cpu_buffer->commit_overrun);
110555+ ret = local_read_unchecked(&cpu_buffer->commit_overrun);
110556
110557 return ret;
110558 }
110559@@ -3286,7 +3286,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu)
110560 return 0;
110561
110562 cpu_buffer = buffer->buffers[cpu];
110563- ret = local_read(&cpu_buffer->dropped_events);
110564+ ret = local_read_unchecked(&cpu_buffer->dropped_events);
110565
110566 return ret;
110567 }
110568@@ -3349,7 +3349,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
110569 /* if you care about this being correct, lock the buffer */
110570 for_each_buffer_cpu(buffer, cpu) {
110571 cpu_buffer = buffer->buffers[cpu];
110572- overruns += local_read(&cpu_buffer->overrun);
110573+ overruns += local_read_unchecked(&cpu_buffer->overrun);
110574 }
110575
110576 return overruns;
110577@@ -3520,8 +3520,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
110578 /*
110579 * Reset the reader page to size zero.
110580 */
110581- local_set(&cpu_buffer->reader_page->write, 0);
110582- local_set(&cpu_buffer->reader_page->entries, 0);
110583+ local_set_unchecked(&cpu_buffer->reader_page->write, 0);
110584+ local_set_unchecked(&cpu_buffer->reader_page->entries, 0);
110585 local_set(&cpu_buffer->reader_page->page->commit, 0);
110586 cpu_buffer->reader_page->real_end = 0;
110587
110588@@ -3555,7 +3555,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
110589 * want to compare with the last_overrun.
110590 */
110591 smp_mb();
110592- overwrite = local_read(&(cpu_buffer->overrun));
110593+ overwrite = local_read_unchecked(&(cpu_buffer->overrun));
110594
110595 /*
110596 * Here's the tricky part.
110597@@ -4137,8 +4137,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
110598
110599 cpu_buffer->head_page
110600 = list_entry(cpu_buffer->pages, struct buffer_page, list);
110601- local_set(&cpu_buffer->head_page->write, 0);
110602- local_set(&cpu_buffer->head_page->entries, 0);
110603+ local_set_unchecked(&cpu_buffer->head_page->write, 0);
110604+ local_set_unchecked(&cpu_buffer->head_page->entries, 0);
110605 local_set(&cpu_buffer->head_page->page->commit, 0);
110606
110607 cpu_buffer->head_page->read = 0;
110608@@ -4148,18 +4148,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
110609
110610 INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
110611 INIT_LIST_HEAD(&cpu_buffer->new_pages);
110612- local_set(&cpu_buffer->reader_page->write, 0);
110613- local_set(&cpu_buffer->reader_page->entries, 0);
110614+ local_set_unchecked(&cpu_buffer->reader_page->write, 0);
110615+ local_set_unchecked(&cpu_buffer->reader_page->entries, 0);
110616 local_set(&cpu_buffer->reader_page->page->commit, 0);
110617 cpu_buffer->reader_page->read = 0;
110618
110619 local_set(&cpu_buffer->entries_bytes, 0);
110620- local_set(&cpu_buffer->overrun, 0);
110621- local_set(&cpu_buffer->commit_overrun, 0);
110622- local_set(&cpu_buffer->dropped_events, 0);
110623+ local_set_unchecked(&cpu_buffer->overrun, 0);
110624+ local_set_unchecked(&cpu_buffer->commit_overrun, 0);
110625+ local_set_unchecked(&cpu_buffer->dropped_events, 0);
110626 local_set(&cpu_buffer->entries, 0);
110627 local_set(&cpu_buffer->committing, 0);
110628- local_set(&cpu_buffer->commits, 0);
110629+ local_set_unchecked(&cpu_buffer->commits, 0);
110630 cpu_buffer->read = 0;
110631 cpu_buffer->read_bytes = 0;
110632
110633@@ -4549,8 +4549,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
110634 rb_init_page(bpage);
110635 bpage = reader->page;
110636 reader->page = *data_page;
110637- local_set(&reader->write, 0);
110638- local_set(&reader->entries, 0);
110639+ local_set_unchecked(&reader->write, 0);
110640+ local_set_unchecked(&reader->entries, 0);
110641 reader->read = 0;
110642 *data_page = bpage;
110643
110644diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
110645index abcbf7f..ef8b6fe 100644
110646--- a/kernel/trace/trace.c
110647+++ b/kernel/trace/trace.c
110648@@ -3539,7 +3539,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
110649 return 0;
110650 }
110651
110652-int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled)
110653+int set_tracer_flag(struct trace_array *tr, unsigned long mask, int enabled)
110654 {
110655 /* do nothing if flag is already set */
110656 if (!!(trace_flags & mask) == !!enabled)
110657diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
110658index 74bde81..f9abfd4 100644
110659--- a/kernel/trace/trace.h
110660+++ b/kernel/trace/trace.h
110661@@ -1272,7 +1272,7 @@ extern const char *__stop___tracepoint_str[];
110662 void trace_printk_init_buffers(void);
110663 void trace_printk_start_comm(void);
110664 int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set);
110665-int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled);
110666+int set_tracer_flag(struct trace_array *tr, unsigned long mask, int enabled);
110667
110668 /*
110669 * Normal trace_printk() and friends allocates special buffers
110670diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
110671index 0f06532..247c8e7 100644
110672--- a/kernel/trace/trace_clock.c
110673+++ b/kernel/trace/trace_clock.c
110674@@ -127,7 +127,7 @@ u64 notrace trace_clock_global(void)
110675 }
110676 EXPORT_SYMBOL_GPL(trace_clock_global);
110677
110678-static atomic64_t trace_counter;
110679+static atomic64_unchecked_t trace_counter;
110680
110681 /*
110682 * trace_clock_counter(): simply an atomic counter.
110683@@ -136,5 +136,5 @@ static atomic64_t trace_counter;
110684 */
110685 u64 notrace trace_clock_counter(void)
110686 {
110687- return atomic64_add_return(1, &trace_counter);
110688+ return atomic64_inc_return_unchecked(&trace_counter);
110689 }
110690diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
110691index 404a372..d9e5547 100644
110692--- a/kernel/trace/trace_events.c
110693+++ b/kernel/trace/trace_events.c
110694@@ -1887,7 +1887,6 @@ __trace_early_add_new_event(struct trace_event_call *call,
110695 return 0;
110696 }
110697
110698-struct ftrace_module_file_ops;
110699 static void __add_event_to_tracers(struct trace_event_call *call);
110700
110701 /* Add an additional event_call dynamically */
110702diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
110703index 8968bf7..e6623fc 100644
110704--- a/kernel/trace/trace_functions_graph.c
110705+++ b/kernel/trace/trace_functions_graph.c
110706@@ -132,7 +132,7 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
110707
110708 /* The return trace stack is full */
110709 if (current->curr_ret_stack == FTRACE_RETFUNC_DEPTH - 1) {
110710- atomic_inc(&current->trace_overrun);
110711+ atomic_inc_unchecked(&current->trace_overrun);
110712 return -EBUSY;
110713 }
110714
110715@@ -229,7 +229,7 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret,
110716 *ret = current->ret_stack[index].ret;
110717 trace->func = current->ret_stack[index].func;
110718 trace->calltime = current->ret_stack[index].calltime;
110719- trace->overrun = atomic_read(&current->trace_overrun);
110720+ trace->overrun = atomic_read_unchecked(&current->trace_overrun);
110721 trace->depth = index;
110722 }
110723
110724diff --git a/kernel/trace/trace_mmiotrace.c b/kernel/trace/trace_mmiotrace.c
110725index 638e110..99b73b2 100644
110726--- a/kernel/trace/trace_mmiotrace.c
110727+++ b/kernel/trace/trace_mmiotrace.c
110728@@ -24,7 +24,7 @@ struct header_iter {
110729 static struct trace_array *mmio_trace_array;
110730 static bool overrun_detected;
110731 static unsigned long prev_overruns;
110732-static atomic_t dropped_count;
110733+static atomic_unchecked_t dropped_count;
110734
110735 static void mmio_reset_data(struct trace_array *tr)
110736 {
110737@@ -124,7 +124,7 @@ static void mmio_close(struct trace_iterator *iter)
110738
110739 static unsigned long count_overruns(struct trace_iterator *iter)
110740 {
110741- unsigned long cnt = atomic_xchg(&dropped_count, 0);
110742+ unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
110743 unsigned long over = ring_buffer_overruns(iter->trace_buffer->buffer);
110744
110745 if (over > prev_overruns)
110746@@ -307,7 +307,7 @@ static void __trace_mmiotrace_rw(struct trace_array *tr,
110747 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
110748 sizeof(*entry), 0, pc);
110749 if (!event) {
110750- atomic_inc(&dropped_count);
110751+ atomic_inc_unchecked(&dropped_count);
110752 return;
110753 }
110754 entry = ring_buffer_event_data(event);
110755@@ -337,7 +337,7 @@ static void __trace_mmiotrace_map(struct trace_array *tr,
110756 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
110757 sizeof(*entry), 0, pc);
110758 if (!event) {
110759- atomic_inc(&dropped_count);
110760+ atomic_inc_unchecked(&dropped_count);
110761 return;
110762 }
110763 entry = ring_buffer_event_data(event);
110764diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
110765index dfab253..8e9b477 100644
110766--- a/kernel/trace/trace_output.c
110767+++ b/kernel/trace/trace_output.c
110768@@ -752,14 +752,16 @@ int register_trace_event(struct trace_event *event)
110769 goto out;
110770 }
110771
110772+ pax_open_kernel();
110773 if (event->funcs->trace == NULL)
110774- event->funcs->trace = trace_nop_print;
110775+ *(void **)&event->funcs->trace = trace_nop_print;
110776 if (event->funcs->raw == NULL)
110777- event->funcs->raw = trace_nop_print;
110778+ *(void **)&event->funcs->raw = trace_nop_print;
110779 if (event->funcs->hex == NULL)
110780- event->funcs->hex = trace_nop_print;
110781+ *(void **)&event->funcs->hex = trace_nop_print;
110782 if (event->funcs->binary == NULL)
110783- event->funcs->binary = trace_nop_print;
110784+ *(void **)&event->funcs->binary = trace_nop_print;
110785+ pax_close_kernel();
110786
110787 key = event->type & (EVENT_HASHSIZE - 1);
110788
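Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair in register_trace_event is taken on every registration, even when all four callbacks are already set and nothing is written. Opening the window only when at least one of `trace`, `raw`, `hex` or `binary` is NULL keeps kernel write protection lifted for fewer calls, and a short comment should say that `event->funcs` is expected to live in read-only memory, which is what the `*(void **)&` stores imply. Those casts also discard the callback's type, so a typed helper or macro for the store would keep the compiler's check on the assigned function. The function starts and ends outside this hunk.

```c
	/* funcs may sit in read-only memory: lift write protection only if a default must be filled in */
	if (!event->funcs->trace || !event->funcs->raw ||
	    !event->funcs->hex || !event->funcs->binary) {
		pax_open_kernel();
		/* … unchanged: the four NULL checks and casted stores … */
		pax_close_kernel();
	}
```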
110789diff --git a/kernel/trace/trace_seq.c b/kernel/trace/trace_seq.c
110790index e694c9f..6775a38 100644
110791--- a/kernel/trace/trace_seq.c
110792+++ b/kernel/trace/trace_seq.c
110793@@ -337,7 +337,7 @@ int trace_seq_path(struct trace_seq *s, const struct path *path)
110794 return 0;
110795 }
110796
110797- seq_buf_path(&s->seq, path, "\n");
110798+ seq_buf_path(&s->seq, path, "\n\\");
110799
110800 if (unlikely(seq_buf_has_overflowed(&s->seq))) {
110801 s->seq.len = save_len;
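Review bot: The escape set passed to `seq_buf_path()` in trace_seq_path changes from `"\n"` to `"\n\\"` with no comment on why the backslash was added. Presumably the intent is that a literal backslash in a path name is itself escaped, so a consumer of the trace output cannot mistake it for the start of an escape sequence produced by the kernel. If so, say it at the call: `/* escape '\\' as well so the escaped output stays unambiguous */`. The rest of trace_seq_path is outside this hunk.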
110802diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
110803index 3f34496..0492d95 100644
110804--- a/kernel/trace/trace_stack.c
110805+++ b/kernel/trace/trace_stack.c
110806@@ -88,7 +88,7 @@ check_stack(unsigned long ip, unsigned long *stack)
110807 return;
110808
110809 /* we do not handle interrupt stacks yet */
110810- if (!object_is_on_stack(stack))
110811+ if (!object_starts_on_stack(stack))
110812 return;
110813
110814 local_irq_save(flags);
110815diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
110816index 7d567a4..407a28d 100644
110817--- a/kernel/trace/trace_syscalls.c
110818+++ b/kernel/trace/trace_syscalls.c
110819@@ -590,6 +590,8 @@ static int perf_sysenter_enable(struct trace_event_call *call)
110820 int num;
110821
110822 num = ((struct syscall_metadata *)call->data)->syscall_nr;
110823+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
110824+ return -EINVAL;
110825
110826 mutex_lock(&syscall_trace_lock);
110827 if (!sys_perf_refcount_enter)
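Review bot: The range check `WARN_ON_ONCE(num < 0 || num >= NR_syscalls)` is pasted four times, in perf_sysenter_enable here and in the perf_sysenter_disable, perf_sysexit_enable and perf_sysexit_disable hunks below. A small static helper, for example `static bool syscall_nr_valid(int num)`, would keep the bound in one place, and a comment should state what the bound protects, presumably a per-syscall bitmap or table indexed by `num` further down in each function, which is outside these hunks. The two disable variants return before touching the refcount, which is right only if the matching enable call failed for the same `num`; that assumption deserves a line of comment too.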
110828@@ -610,6 +612,8 @@ static void perf_sysenter_disable(struct trace_event_call *call)
110829 int num;
110830
110831 num = ((struct syscall_metadata *)call->data)->syscall_nr;
110832+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
110833+ return;
110834
110835 mutex_lock(&syscall_trace_lock);
110836 sys_perf_refcount_enter--;
110837@@ -662,6 +666,8 @@ static int perf_sysexit_enable(struct trace_event_call *call)
110838 int num;
110839
110840 num = ((struct syscall_metadata *)call->data)->syscall_nr;
110841+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
110842+ return -EINVAL;
110843
110844 mutex_lock(&syscall_trace_lock);
110845 if (!sys_perf_refcount_exit)
110846@@ -682,6 +688,8 @@ static void perf_sysexit_disable(struct trace_event_call *call)
110847 int num;
110848
110849 num = ((struct syscall_metadata *)call->data)->syscall_nr;
110850+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
110851+ return;
110852
110853 mutex_lock(&syscall_trace_lock);
110854 sys_perf_refcount_exit--;
110855diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
110856index 4109f83..fe1f830 100644
110857--- a/kernel/user_namespace.c
110858+++ b/kernel/user_namespace.c
110859@@ -83,6 +83,21 @@ int create_user_ns(struct cred *new)
110860 !kgid_has_mapping(parent_ns, group))
110861 return -EPERM;
110862
110863+#ifdef CONFIG_GRKERNSEC
110864+ /*
110865+ * This doesn't really inspire confidence:
110866+ * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
110867+ * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
110868+ * Increases kernel attack surface in areas developers
110869+ * previously cared little about ("low importance due
110870+ * to requiring "root" capability")
110871+ * To be removed when this code receives *proper* review
110872+ */
110873+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
110874+ !capable(CAP_SETGID))
110875+ return -EPERM;
110876+#endif
110877+
110878 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
110879 if (!ns)
110880 return -ENOMEM;
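Review bot: The comment above the new `capable()` test in create_user_ns links two mailing-list posts but never states the policy the code enforces. As far as I know `capable()` tests against the initial user namespace, so with CONFIG_GRKERNSEC set only a task holding CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID there can create a user namespace, and every unprivileged attempt fails with -EPERM. I would put that first in the comment, e.g. `/* Creation requires CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID in the initial namespace; unprivileged creation is refused. */`, and keep the links as rationale. Software that relies on unprivileged user namespaces will see the -EPERM without any log line, so a pointer in the option's Kconfig help would also be useful; the function continues outside the hunk.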
110881@@ -980,7 +995,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
110882 if (atomic_read(&current->mm->mm_users) > 1)
110883 return -EINVAL;
110884
110885- if (current->fs->users != 1)
110886+ if (atomic_read(&current->fs->users) != 1)
110887 return -EINVAL;
110888
110889 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
110890diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
110891index c8eac43..4b5f08f 100644
110892--- a/kernel/utsname_sysctl.c
110893+++ b/kernel/utsname_sysctl.c
110894@@ -47,7 +47,7 @@ static void put_uts(struct ctl_table *table, int write, void *which)
110895 static int proc_do_uts_string(struct ctl_table *table, int write,
110896 void __user *buffer, size_t *lenp, loff_t *ppos)
110897 {
110898- struct ctl_table uts_table;
110899+ ctl_table_no_const uts_table;
110900 int r;
110901 memcpy(&uts_table, table, sizeof(uts_table));
110902 uts_table.data = get_uts(table, write);
110903diff --git a/kernel/watchdog.c b/kernel/watchdog.c
110904index a6ffa43..e48103b 100644
110905--- a/kernel/watchdog.c
110906+++ b/kernel/watchdog.c
110907@@ -655,7 +655,7 @@ void watchdog_nmi_enable_all(void) {}
110908 void watchdog_nmi_disable_all(void) {}
110909 #endif /* CONFIG_HARDLOCKUP_DETECTOR */
110910
110911-static struct smp_hotplug_thread watchdog_threads = {
110912+static struct smp_hotplug_thread watchdog_threads __read_only = {
110913 .store = &softlockup_watchdog,
110914 .thread_should_run = watchdog_should_run,
110915 .thread_fn = watchdog,
110916diff --git a/kernel/workqueue.c b/kernel/workqueue.c
110917index a413acb..9c3d36a 100644
110918--- a/kernel/workqueue.c
110919+++ b/kernel/workqueue.c
110920@@ -4452,7 +4452,7 @@ static void rebind_workers(struct worker_pool *pool)
110921 WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
110922 worker_flags |= WORKER_REBOUND;
110923 worker_flags &= ~WORKER_UNBOUND;
110924- ACCESS_ONCE(worker->flags) = worker_flags;
110925+ ACCESS_ONCE_RW(worker->flags) = worker_flags;
110926 }
110927
110928 spin_unlock_irq(&pool->lock);
110929diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
110930index e2894b2..e841553 100644
110931--- a/lib/Kconfig.debug
110932+++ b/lib/Kconfig.debug
110933@@ -941,7 +941,7 @@ config DEBUG_MUTEXES
110934
110935 config DEBUG_WW_MUTEX_SLOWPATH
110936 bool "Wait/wound mutex debugging: Slowpath testing"
110937- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
110938+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
110939 select DEBUG_LOCK_ALLOC
110940 select DEBUG_SPINLOCK
110941 select DEBUG_MUTEXES
110942@@ -958,7 +958,7 @@ config DEBUG_WW_MUTEX_SLOWPATH
110943
110944 config DEBUG_LOCK_ALLOC
110945 bool "Lock debugging: detect incorrect freeing of live locks"
110946- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
110947+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
110948 select DEBUG_SPINLOCK
110949 select DEBUG_MUTEXES
110950 select LOCKDEP
110951@@ -972,7 +972,7 @@ config DEBUG_LOCK_ALLOC
110952
110953 config PROVE_LOCKING
110954 bool "Lock debugging: prove locking correctness"
110955- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
110956+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
110957 select LOCKDEP
110958 select DEBUG_SPINLOCK
110959 select DEBUG_MUTEXES
110960@@ -1023,7 +1023,7 @@ config LOCKDEP
110961
110962 config LOCK_STAT
110963 bool "Lock usage statistics"
110964- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
110965+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
110966 select LOCKDEP
110967 select DEBUG_SPINLOCK
110968 select DEBUG_MUTEXES
110969@@ -1563,6 +1563,7 @@ config LATENCYTOP
110970 depends on DEBUG_KERNEL
110971 depends on STACKTRACE_SUPPORT
110972 depends on PROC_FS
110973+ depends on !GRKERNSEC_HIDESYM
110974 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE && !ARM_UNWIND && !ARC
110975 select KALLSYMS
110976 select KALLSYMS_ALL
110977@@ -1579,7 +1580,7 @@ config ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
110978 config DEBUG_STRICT_USER_COPY_CHECKS
110979 bool "Strict user copy size checks"
110980 depends on ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
110981- depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING
110982+ depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING && !PAX_SIZE_OVERFLOW
110983 help
110984 Enabling this option turns a certain set of sanity checks for user
110985 copy operations into compile time failures.
110986@@ -1710,7 +1711,7 @@ endmenu # runtime tests
110987
110988 config PROVIDE_OHCI1394_DMA_INIT
110989 bool "Remote debugging over FireWire early on boot"
110990- depends on PCI && X86
110991+ depends on PCI && X86 && !GRKERNSEC
110992 help
110993 If you want to debug problems which hang or crash the kernel early
110994 on boot and the crashing machine has a FireWire port, you can use
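Review bot: PROVIDE_OHCI1394_DMA_INIT now carries `depends on PCI && X86 && !GRKERNSEC`, but the visible help text says nothing about the new condition, so the option simply disappears on a hardened configuration. One sentence in the help would explain it, e.g. `Not available with GRKERNSEC, because it lets a FireWire peer reach physical memory by DMA.`, if that is the reason. The same applies to the `!PAX_CONSTIFY_PLUGIN`, `!GRKERNSEC_HIDESYM` and `!PAX_SIZE_OVERFLOW` dependencies added in the earlier hunks of this file, where the cause of the conflict is less obvious from the option name. The help text continues outside the hunk.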
110995diff --git a/lib/Makefile b/lib/Makefile
110996index 6897b52..466bda9 100644
110997--- a/lib/Makefile
110998+++ b/lib/Makefile
110999@@ -62,7 +62,7 @@ obj-$(CONFIG_BTREE) += btree.o
111000 obj-$(CONFIG_INTERVAL_TREE) += interval_tree.o
111001 obj-$(CONFIG_ASSOCIATIVE_ARRAY) += assoc_array.o
111002 obj-$(CONFIG_DEBUG_PREEMPT) += smp_processor_id.o
111003-obj-$(CONFIG_DEBUG_LIST) += list_debug.o
111004+obj-y += list_debug.o
111005 obj-$(CONFIG_DEBUG_OBJECTS) += debugobjects.o
111006
111007 ifneq ($(CONFIG_HAVE_DEC_LOCK),y)
111008diff --git a/lib/average.c b/lib/average.c
111009index 114d1be..ab0350c 100644
111010--- a/lib/average.c
111011+++ b/lib/average.c
111012@@ -55,7 +55,7 @@ struct ewma *ewma_add(struct ewma *avg, unsigned long val)
111013 {
111014 unsigned long internal = ACCESS_ONCE(avg->internal);
111015
111016- ACCESS_ONCE(avg->internal) = internal ?
111017+ ACCESS_ONCE_RW(avg->internal) = internal ?
111018 (((internal << avg->weight) - internal) +
111019 (val << avg->factor)) >> avg->weight :
111020 (val << avg->factor);
111021diff --git a/lib/bitmap.c b/lib/bitmap.c
111022index a578a01..7d4dcfd 100644
111023--- a/lib/bitmap.c
111024+++ b/lib/bitmap.c
111025@@ -234,7 +234,7 @@ int __bitmap_subset(const unsigned long *bitmap1,
111026 }
111027 EXPORT_SYMBOL(__bitmap_subset);
111028
111029-int __bitmap_weight(const unsigned long *bitmap, unsigned int bits)
111030+int __intentional_overflow(-1) __bitmap_weight(const unsigned long *bitmap, unsigned int bits)
111031 {
111032 unsigned int k, lim = bits/BITS_PER_LONG;
111033 int w = 0;
111034@@ -361,7 +361,7 @@ int __bitmap_parse(const char *buf, unsigned int buflen,
111035 {
111036 int c, old_c, totaldigits, ndigits, nchunks, nbits;
111037 u32 chunk;
111038- const char __user __force *ubuf = (const char __user __force *)buf;
111039+ const char __user *ubuf = (const char __force_user *)buf;
111040
111041 bitmap_zero(maskp, nmaskbits);
111042
111043@@ -446,7 +446,7 @@ int bitmap_parse_user(const char __user *ubuf,
111044 {
111045 if (!access_ok(VERIFY_READ, ubuf, ulen))
111046 return -EFAULT;
111047- return __bitmap_parse((const char __force *)ubuf,
111048+ return __bitmap_parse((const char __force_kernel *)ubuf,
111049 ulen, 1, maskp, nmaskbits);
111050
111051 }
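Review bot: In bitmap_parse_user the user pointer is relabelled with `(const char __force_kernel *)ubuf` and handed to __bitmap_parse, and nothing at the call says that it is still a userspace address. Safety depends on the literal `1` in the third argument, which, judging by the cast back to `__user` in the __bitmap_parse hunk above, makes the callee treat the buffer as user memory. A comment on the call would make that contract explicit: `/* still a user pointer: the 1 makes __bitmap_parse cast it back to __user */`. The bitmap_parselist_user hunk below has the same pattern.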
111052@@ -506,7 +506,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
111053 {
111054 unsigned a, b;
111055 int c, old_c, totaldigits;
111056- const char __user __force *ubuf = (const char __user __force *)buf;
111057+ const char __user *ubuf = (const char __force_user *)buf;
111058 int at_start, in_range;
111059
111060 totaldigits = c = 0;
111061@@ -602,7 +602,7 @@ int bitmap_parselist_user(const char __user *ubuf,
111062 {
111063 if (!access_ok(VERIFY_READ, ubuf, ulen))
111064 return -EFAULT;
111065- return __bitmap_parselist((const char __force *)ubuf,
111066+ return __bitmap_parselist((const char __force_kernel *)ubuf,
111067 ulen, 1, maskp, nmaskbits);
111068 }
111069 EXPORT_SYMBOL(bitmap_parselist_user);
111070diff --git a/lib/bug.c b/lib/bug.c
111071index cff145f..724a0b8 100644
111072--- a/lib/bug.c
111073+++ b/lib/bug.c
111074@@ -148,6 +148,8 @@ enum bug_trap_type report_bug(unsigned long bugaddr, struct pt_regs *regs)
111075 return BUG_TRAP_TYPE_NONE;
111076
111077 bug = find_bug(bugaddr);
111078+ if (!bug)
111079+ return BUG_TRAP_TYPE_NONE;
111080
111081 file = NULL;
111082 line = 0;
111083diff --git a/lib/debugobjects.c b/lib/debugobjects.c
111084index 547f7f9..a6d4ba0 100644
111085--- a/lib/debugobjects.c
111086+++ b/lib/debugobjects.c
111087@@ -289,7 +289,7 @@ static void debug_object_is_on_stack(void *addr, int onstack)
111088 if (limit > 4)
111089 return;
111090
111091- is_on_stack = object_is_on_stack(addr);
111092+ is_on_stack = object_starts_on_stack(addr);
111093 if (is_on_stack == onstack)
111094 return;
111095
111096diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
111097index 0234361..41a411c 100644
111098--- a/lib/decompress_bunzip2.c
111099+++ b/lib/decompress_bunzip2.c
111100@@ -665,7 +665,8 @@ static int INIT start_bunzip(struct bunzip_data **bdp, void *inbuf, long len,
111101
111102 /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
111103 uncompressed data. Allocate intermediate buffer for block. */
111104- bd->dbufSize = 100000*(i-BZh0);
111105+ i -= BZh0;
111106+ bd->dbufSize = 100000 * i;
111107
111108 bd->dbuf = large_malloc(bd->dbufSize * sizeof(int));
111109 if (!bd->dbuf)
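Review bot: The rewritten size computation in start_bunzip modifies `i` in place (`i -= BZh0;`), so any later use of `i` in the function sees the block-size digit instead of the raw header word. The rest of the function is outside the hunk; if `i` is read again, a separate local keeps the old meaning, `unsigned int nblocks = i - BZh0;` followed by `bd->dbufSize = 100000 * nblocks;`. Whichever form is kept, the range check on the digit that the comment describes ('1'-'9') has to sit before this multiplication, since `dbufSize` feeds `large_malloc(bd->dbufSize * sizeof(int))` directly; I cannot see from here whether it does.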
111110diff --git a/lib/decompress_unlzma.c b/lib/decompress_unlzma.c
111111index decb646..8d6441a 100644
111112--- a/lib/decompress_unlzma.c
111113+++ b/lib/decompress_unlzma.c
111114@@ -39,10 +39,10 @@
111115
111116 #define MIN(a, b) (((a) < (b)) ? (a) : (b))
111117
111118-static long long INIT read_int(unsigned char *ptr, int size)
111119+static unsigned long long INIT read_int(unsigned char *ptr, int size)
111120 {
111121 int i;
111122- long long ret = 0;
111123+ unsigned long long ret = 0;
111124
111125 for (i = 0; i < size; i++)
111126 ret = (ret << 8) | ptr[size-i-1];
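Review bot: read_int has no comment and no bound on `size`, and the switch to `unsigned long long` makes its contract worth stating. The loop assembles a little-endian value from `size` bytes, so any `size` above 8 silently shifts the high bytes out; a header comment such as `/* Read a little-endian integer of size bytes (size <= 8) starting at ptr. */` documents that. Callers that store the result in a signed variable now get an implicit unsigned-to-signed conversion; they are outside this hunk and should be checked. The function body continues past the last visible line.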
111127diff --git a/lib/div64.c b/lib/div64.c
111128index 19ea7ed..20cac21 100644
111129--- a/lib/div64.c
111130+++ b/lib/div64.c
111131@@ -59,7 +59,7 @@ uint32_t __attribute__((weak)) __div64_32(uint64_t *n, uint32_t base)
111132 EXPORT_SYMBOL(__div64_32);
111133
111134 #ifndef div_s64_rem
111135-s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
111136+s64 __intentional_overflow(-1) div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
111137 {
111138 u64 quotient;
111139
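Review bot: `__intentional_overflow(-1)` is added to div_s64_rem here and to div64_u64 in the next hunk without any comment on which arithmetic is expected to overflow. The annotation presumably exempts the function from the size_overflow plugin's checks, so a reader auditing the exemptions needs the reason next to it, in a short comment above each definition naming the expression that wraps by design. Both function bodies continue outside the hunks, so the expression in question is not visible here.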
111140@@ -130,7 +130,7 @@ EXPORT_SYMBOL(div64_u64_rem);
111141 * 'http://www.hackersdelight.org/hdcodetxt/divDouble.c.txt'
111142 */
111143 #ifndef div64_u64
111144-u64 div64_u64(u64 dividend, u64 divisor)
111145+u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor)
111146 {
111147 u32 high = divisor >> 32;
111148 u64 quot;
111149diff --git a/lib/dma-debug.c b/lib/dma-debug.c
111150index dace71f..13da37b 100644
111151--- a/lib/dma-debug.c
111152+++ b/lib/dma-debug.c
111153@@ -982,7 +982,7 @@ static int dma_debug_device_change(struct notifier_block *nb, unsigned long acti
111154
111155 void dma_debug_add_bus(struct bus_type *bus)
111156 {
111157- struct notifier_block *nb;
111158+ notifier_block_no_const *nb;
111159
111160 if (dma_debug_disabled())
111161 return;
111162@@ -1164,7 +1164,7 @@ static void check_unmap(struct dma_debug_entry *ref)
111163
111164 static void check_for_stack(struct device *dev, void *addr)
111165 {
111166- if (object_is_on_stack(addr))
111167+ if (object_starts_on_stack(addr))
111168 err_printk(dev, NULL, "DMA-API: device driver maps memory from "
111169 "stack [addr=%p]\n", addr);
111170 }
111171diff --git a/lib/inflate.c b/lib/inflate.c
111172index 013a761..c28f3fc 100644
111173--- a/lib/inflate.c
111174+++ b/lib/inflate.c
111175@@ -269,7 +269,7 @@ static void free(void *where)
111176 malloc_ptr = free_mem_ptr;
111177 }
111178 #else
111179-#define malloc(a) kmalloc(a, GFP_KERNEL)
111180+#define malloc(a) kmalloc((a), GFP_KERNEL)
111181 #define free(a) kfree(a)
111182 #endif
111183
111184diff --git a/lib/ioremap.c b/lib/ioremap.c
111185index 86c8911..f5bfc34 100644
111186--- a/lib/ioremap.c
111187+++ b/lib/ioremap.c
111188@@ -75,7 +75,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr,
111189 unsigned long next;
111190
111191 phys_addr -= addr;
111192- pmd = pmd_alloc(&init_mm, pud, addr);
111193+ pmd = pmd_alloc_kernel(&init_mm, pud, addr);
111194 if (!pmd)
111195 return -ENOMEM;
111196 do {
111197@@ -101,7 +101,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr,
111198 unsigned long next;
111199
111200 phys_addr -= addr;
111201- pud = pud_alloc(&init_mm, pgd, addr);
111202+ pud = pud_alloc_kernel(&init_mm, pgd, addr);
111203 if (!pud)
111204 return -ENOMEM;
111205 do {
111206diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
111207index bd2bea9..6b3c95e 100644
111208--- a/lib/is_single_threaded.c
111209+++ b/lib/is_single_threaded.c
111210@@ -22,6 +22,9 @@ bool current_is_single_threaded(void)
111211 struct task_struct *p, *t;
111212 bool ret;
111213
111214+ if (!mm)
111215+ return true;
111216+
111217 if (atomic_read(&task->signal->live) != 1)
111218 return false;
111219
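Review bot: The added `if (!mm) return true;` runs before the `task->signal->live` test, so a task with no mm is reported as single-threaded even when its thread group still has other live threads. If the early return is meant only for tasks that never had an address space, placing it after the `live` check keeps that test authoritative. Otherwise a comment such as `/* no mm: nothing can share an address space with us */` should say why the thread count may be skipped. The declaration of `mm` and the rest of current_is_single_threaded() lie outside this hunk, so the affected callers cannot be confirmed from here.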
111220diff --git a/lib/kobject.c b/lib/kobject.c
111221index 3e3a5c3..4a12109 100644
111222--- a/lib/kobject.c
111223+++ b/lib/kobject.c
111224@@ -935,9 +935,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
111225
111226
111227 static DEFINE_SPINLOCK(kobj_ns_type_lock);
111228-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
111229+static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __read_only;
111230
111231-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
111232+int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
111233 {
111234 enum kobj_ns_type type = ops->type;
111235 int error;
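Review bot: `kobj_ns_type_register()` becomes `__init` and `kobj_ns_ops_tbl` becomes `__read_only`, but no comment ties the two together. The table can now only be filled during boot, and a registration attempted later would call into discarded init text. A comment on the table, for example `/* filled only from __init code via kobj_ns_type_register(); read-only afterwards */`, would record that constraint for anyone adding a new namespace type. The function body continues outside this hunk, so whether any non-init caller exists cannot be checked here.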
111236diff --git a/lib/list_debug.c b/lib/list_debug.c
111237index c24c2f7..f0296f4 100644
111238--- a/lib/list_debug.c
111239+++ b/lib/list_debug.c
111240@@ -11,7 +11,9 @@
111241 #include <linux/bug.h>
111242 #include <linux/kernel.h>
111243 #include <linux/rculist.h>
111244+#include <linux/mm.h>
111245
111246+#ifdef CONFIG_DEBUG_LIST
111247 /*
111248 * Insert a new entry between two known consecutive entries.
111249 *
111250@@ -19,21 +21,40 @@
111251 * the prev/next entries already!
111252 */
111253
111254+static bool __list_add_debug(struct list_head *new,
111255+ struct list_head *prev,
111256+ struct list_head *next)
111257+{
111258+ if (unlikely(next->prev != prev)) {
111259+ printk(KERN_ERR "list_add corruption. next->prev should be "
111260+ "prev (%p), but was %p. (next=%p).\n",
111261+ prev, next->prev, next);
111262+ BUG();
111263+ return false;
111264+ }
111265+ if (unlikely(prev->next != next)) {
111266+ printk(KERN_ERR "list_add corruption. prev->next should be "
111267+ "next (%p), but was %p. (prev=%p).\n",
111268+ next, prev->next, prev);
111269+ BUG();
111270+ return false;
111271+ }
111272+ if (unlikely(new == prev || new == next)) {
111273+ printk(KERN_ERR "list_add double add: new=%p, prev=%p, next=%p.\n",
111274+ new, prev, next);
111275+ BUG();
111276+ return false;
111277+ }
111278+ return true;
111279+}
111280+
111281 void __list_add(struct list_head *new,
111282- struct list_head *prev,
111283- struct list_head *next)
111284+ struct list_head *prev,
111285+ struct list_head *next)
111286 {
111287- WARN(next->prev != prev,
111288- "list_add corruption. next->prev should be "
111289- "prev (%p), but was %p. (next=%p).\n",
111290- prev, next->prev, next);
111291- WARN(prev->next != next,
111292- "list_add corruption. prev->next should be "
111293- "next (%p), but was %p. (prev=%p).\n",
111294- next, prev->next, prev);
111295- WARN(new == prev || new == next,
111296- "list_add double add: new=%p, prev=%p, next=%p.\n",
111297- new, prev, next);
111298+ if (!__list_add_debug(new, prev, next))
111299+ return;
111300+
111301 next->prev = new;
111302 new->next = next;
111303 new->prev = prev;
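Review bot: `__list_add_debug()` has no comment describing its contract, and the `return false` after each `BUG()` is only reachable in a build where `BUG()` does not halt. In that case `__list_add()` returns without linking `new`, which a caller cannot detect because the function returns void. A header comment such as `/* Returns false after reporting corruption; the caller must then leave the list untouched. */` would make this explicit. It should also note that the checks moved from `WARN()` to `BUG()`, so detected list corruption now stops the kernel instead of logging and continuing.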
111304@@ -41,28 +62,46 @@ void __list_add(struct list_head *new,
111305 }
111306 EXPORT_SYMBOL(__list_add);
111307
111308-void __list_del_entry(struct list_head *entry)
111309+static bool __list_del_entry_debug(struct list_head *entry)
111310 {
111311 struct list_head *prev, *next;
111312
111313 prev = entry->prev;
111314 next = entry->next;
111315
111316- if (WARN(next == LIST_POISON1,
111317- "list_del corruption, %p->next is LIST_POISON1 (%p)\n",
111318- entry, LIST_POISON1) ||
111319- WARN(prev == LIST_POISON2,
111320- "list_del corruption, %p->prev is LIST_POISON2 (%p)\n",
111321- entry, LIST_POISON2) ||
111322- WARN(prev->next != entry,
111323- "list_del corruption. prev->next should be %p, "
111324- "but was %p\n", entry, prev->next) ||
111325- WARN(next->prev != entry,
111326- "list_del corruption. next->prev should be %p, "
111327- "but was %p\n", entry, next->prev))
111328+ if (unlikely(next == LIST_POISON1)) {
111329+ printk(KERN_ERR "list_del corruption, %p->next is LIST_POISON1 (%p)\n",
111330+ entry, LIST_POISON1);
111331+ BUG();
111332+ return false;
111333+ }
111334+ if (unlikely(prev == LIST_POISON2)) {
111335+ printk(KERN_ERR "list_del corruption, %p->prev is LIST_POISON2 (%p)\n",
111336+ entry, LIST_POISON2);
111337+ BUG();
111338+ return false;
111339+ }
111340+ if (unlikely(entry->prev->next != entry)) {
111341+ printk(KERN_ERR "list_del corruption. prev->next should be %p, "
111342+ "but was %p\n", entry, prev->next);
111343+ BUG();
111344+ return false;
111345+ }
111346+ if (unlikely(entry->next->prev != entry)) {
111347+ printk(KERN_ERR "list_del corruption. next->prev should be %p, "
111348+ "but was %p\n", entry, next->prev);
111349+ BUG();
111350+ return false;
111351+ }
111352+ return true;
111353+}
111354+
111355+void __list_del_entry(struct list_head *entry)
111356+{
111357+ if (!__list_del_entry_debug(entry))
111358 return;
111359
111360- __list_del(prev, next);
111361+ __list_del(entry->prev, entry->next);
111362 }
111363 EXPORT_SYMBOL(__list_del_entry);
111364
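Review bot: `__list_del_entry_debug()` caches `prev` and `next`, but its last two checks test `entry->prev->next` and `entry->next->prev` while the messages print `prev->next` and `next->prev`. The value tested and the value logged therefore come from separate loads. Using the locals in both places, `if (unlikely(prev->next != entry))` and `if (unlikely(next->prev != entry))`, keeps check and report consistent. `__list_del_entry()` then reads `entry->prev` and `entry->next` once more for `__list_del()`, so the pointers unlinked are not necessarily the ones just validated if the entry changes in between.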
111365@@ -86,15 +125,85 @@ EXPORT_SYMBOL(list_del);
111366 void __list_add_rcu(struct list_head *new,
111367 struct list_head *prev, struct list_head *next)
111368 {
111369- WARN(next->prev != prev,
111370- "list_add_rcu corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
111371- prev, next->prev, next);
111372- WARN(prev->next != next,
111373- "list_add_rcu corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
111374- next, prev->next, prev);
111375+ if (!__list_add_debug(new, prev, next))
111376+ return;
111377+
111378 new->next = next;
111379 new->prev = prev;
111380 rcu_assign_pointer(list_next_rcu(prev), new);
111381 next->prev = new;
111382 }
111383 EXPORT_SYMBOL(__list_add_rcu);
111384+#endif
111385+
111386+void __pax_list_add(struct list_head *new, struct list_head *prev, struct list_head *next)
111387+{
111388+#ifdef CONFIG_DEBUG_LIST
111389+ if (!__list_add_debug(new, prev, next))
111390+ return;
111391+#endif
111392+
111393+ pax_open_kernel();
111394+ next->prev = new;
111395+ new->next = next;
111396+ new->prev = prev;
111397+ prev->next = new;
111398+ pax_close_kernel();
111399+}
111400+EXPORT_SYMBOL(__pax_list_add);
111401+
111402+void pax_list_del(struct list_head *entry)
111403+{
111404+#ifdef CONFIG_DEBUG_LIST
111405+ if (!__list_del_entry_debug(entry))
111406+ return;
111407+#endif
111408+
111409+ pax_open_kernel();
111410+ __list_del(entry->prev, entry->next);
111411+ entry->next = LIST_POISON1;
111412+ entry->prev = LIST_POISON2;
111413+ pax_close_kernel();
111414+}
111415+EXPORT_SYMBOL(pax_list_del);
111416+
111417+void pax_list_del_init(struct list_head *entry)
111418+{
111419+ pax_open_kernel();
111420+ __list_del(entry->prev, entry->next);
111421+ INIT_LIST_HEAD(entry);
111422+ pax_close_kernel();
111423+}
111424+EXPORT_SYMBOL(pax_list_del_init);
111425+
111426+void __pax_list_add_rcu(struct list_head *new,
111427+ struct list_head *prev, struct list_head *next)
111428+{
111429+#ifdef CONFIG_DEBUG_LIST
111430+ if (!__list_add_debug(new, prev, next))
111431+ return;
111432+#endif
111433+
111434+ pax_open_kernel();
111435+ new->next = next;
111436+ new->prev = prev;
111437+ rcu_assign_pointer(list_next_rcu(prev), new);
111438+ next->prev = new;
111439+ pax_close_kernel();
111440+}
111441+EXPORT_SYMBOL(__pax_list_add_rcu);
111442+
111443+void pax_list_del_rcu(struct list_head *entry)
111444+{
111445+#ifdef CONFIG_DEBUG_LIST
111446+ if (!__list_del_entry_debug(entry))
111447+ return;
111448+#endif
111449+
111450+ pax_open_kernel();
111451+ __list_del(entry->prev, entry->next);
111452+ entry->next = LIST_POISON1;
111453+ entry->prev = LIST_POISON2;
111454+ pax_close_kernel();
111455+}
111456+EXPORT_SYMBOL(pax_list_del_rcu);
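Review bot: `pax_list_del_rcu()` sets `entry->next = LIST_POISON1`, whereas the kernel's `list_del_rcu()` poisons only `prev` and leaves `next` intact so that readers still standing on the removed entry under `rcu_read_lock()` can walk on to the rest of the list. If any list handled through this helper has concurrent RCU readers, they could follow the poison value. Dropping the `entry->next = LIST_POISON1;` line would match the RCU list contract. Separately, `pax_list_del_init()` is the only new deletion helper without the `#ifdef CONFIG_DEBUG_LIST` call to `__list_del_entry_debug()`; adding the same guard as in `pax_list_del()` keeps the helpers consistent.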
111457diff --git a/lib/lockref.c b/lib/lockref.c
111458index 494994b..65caf94 100644
111459--- a/lib/lockref.c
111460+++ b/lib/lockref.c
111461@@ -48,13 +48,13 @@
111462 void lockref_get(struct lockref *lockref)
111463 {
111464 CMPXCHG_LOOP(
111465- new.count++;
111466+ __lockref_inc(&new);
111467 ,
111468 return;
111469 );
111470
111471 spin_lock(&lockref->lock);
111472- lockref->count++;
111473+ __lockref_inc(lockref);
111474 spin_unlock(&lockref->lock);
111475 }
111476 EXPORT_SYMBOL(lockref_get);
111477@@ -69,8 +69,8 @@ int lockref_get_not_zero(struct lockref *lockref)
111478 int retval;
111479
111480 CMPXCHG_LOOP(
111481- new.count++;
111482- if (old.count <= 0)
111483+ __lockref_inc(&new);
111484+ if (__lockref_read(&old) <= 0)
111485 return 0;
111486 ,
111487 return 1;
111488@@ -78,8 +78,8 @@ int lockref_get_not_zero(struct lockref *lockref)
111489
111490 spin_lock(&lockref->lock);
111491 retval = 0;
111492- if (lockref->count > 0) {
111493- lockref->count++;
111494+ if (__lockref_read(lockref) > 0) {
111495+ __lockref_inc(lockref);
111496 retval = 1;
111497 }
111498 spin_unlock(&lockref->lock);
111499@@ -96,17 +96,17 @@ EXPORT_SYMBOL(lockref_get_not_zero);
111500 int lockref_get_or_lock(struct lockref *lockref)
111501 {
111502 CMPXCHG_LOOP(
111503- new.count++;
111504- if (old.count <= 0)
111505+ __lockref_inc(&new);
111506+ if (__lockref_read(&old) <= 0)
111507 break;
111508 ,
111509 return 1;
111510 );
111511
111512 spin_lock(&lockref->lock);
111513- if (lockref->count <= 0)
111514+ if (__lockref_read(lockref) <= 0)
111515 return 0;
111516- lockref->count++;
111517+ __lockref_inc(lockref);
111518 spin_unlock(&lockref->lock);
111519 return 1;
111520 }
111521@@ -122,11 +122,11 @@ EXPORT_SYMBOL(lockref_get_or_lock);
111522 int lockref_put_return(struct lockref *lockref)
111523 {
111524 CMPXCHG_LOOP(
111525- new.count--;
111526- if (old.count <= 0)
111527+ __lockref_dec(&new);
111528+ if (__lockref_read(&old) <= 0)
111529 return -1;
111530 ,
111531- return new.count;
111532+ return __lockref_read(&new);
111533 );
111534 return -1;
111535 }
111536@@ -140,17 +140,17 @@ EXPORT_SYMBOL(lockref_put_return);
111537 int lockref_put_or_lock(struct lockref *lockref)
111538 {
111539 CMPXCHG_LOOP(
111540- new.count--;
111541- if (old.count <= 1)
111542+ __lockref_dec(&new);
111543+ if (__lockref_read(&old) <= 1)
111544 break;
111545 ,
111546 return 1;
111547 );
111548
111549 spin_lock(&lockref->lock);
111550- if (lockref->count <= 1)
111551+ if (__lockref_read(lockref) <= 1)
111552 return 0;
111553- lockref->count--;
111554+ __lockref_dec(lockref);
111555 spin_unlock(&lockref->lock);
111556 return 1;
111557 }
111558@@ -163,7 +163,7 @@ EXPORT_SYMBOL(lockref_put_or_lock);
111559 void lockref_mark_dead(struct lockref *lockref)
111560 {
111561 assert_spin_locked(&lockref->lock);
111562- lockref->count = -128;
111563+ __lockref_set(lockref, -128);
111564 }
111565 EXPORT_SYMBOL(lockref_mark_dead);
111566
111567@@ -177,8 +177,8 @@ int lockref_get_not_dead(struct lockref *lockref)
111568 int retval;
111569
111570 CMPXCHG_LOOP(
111571- new.count++;
111572- if (old.count < 0)
111573+ __lockref_inc(&new);
111574+ if (__lockref_read(&old) < 0)
111575 return 0;
111576 ,
111577 return 1;
111578@@ -186,8 +186,8 @@ int lockref_get_not_dead(struct lockref *lockref)
111579
111580 spin_lock(&lockref->lock);
111581 retval = 0;
111582- if (lockref->count >= 0) {
111583- lockref->count++;
111584+ if (__lockref_read(lockref) >= 0) {
111585+ __lockref_inc(lockref);
111586 retval = 1;
111587 }
111588 spin_unlock(&lockref->lock);
111589diff --git a/lib/nlattr.c b/lib/nlattr.c
111590index f5907d2..36072be 100644
111591--- a/lib/nlattr.c
111592+++ b/lib/nlattr.c
111593@@ -278,6 +278,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
111594 {
111595 int minlen = min_t(int, count, nla_len(src));
111596
111597+ BUG_ON(minlen < 0);
111598+
111599 memcpy(dest, nla_data(src), minlen);
111600 if (count > minlen)
111601 memset(dest + minlen, 0, count - minlen);
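Review bot: `BUG_ON(minlen < 0)` turns a negative length into a kernel halt rather than an error return. `nla_len()` is the attribute's length field minus the header length, so `minlen` can go negative for an attribute shorter than its header if a caller passes one that was not validated first. Whether such a caller exists cannot be told from this hunk. Returning early, for example `if (WARN_ON(minlen < 0)) return 0;`, would still keep the negative value away from `memcpy()` while leaving the system running and the event logged.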
111602diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
111603index 6111bcb..02e816b 100644
111604--- a/lib/percpu-refcount.c
111605+++ b/lib/percpu-refcount.c
111606@@ -31,7 +31,7 @@
111607 * atomic_long_t can't hit 0 before we've added up all the percpu refs.
111608 */
111609
111610-#define PERCPU_COUNT_BIAS (1LU << (BITS_PER_LONG - 1))
111611+#define PERCPU_COUNT_BIAS (1LU << (BITS_PER_LONG - 2))
111612
111613 static DECLARE_WAIT_QUEUE_HEAD(percpu_ref_switch_waitq);
111614
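Review bot: The bias moves from bit `BITS_PER_LONG - 1` to bit `BITS_PER_LONG - 2`, but the comment block that ends just above the define still explains only why a bias exists, not why the top bit is now avoided. Presumably the change keeps the biased `atomic_long_t` positive when read as a signed value, so that overflow detection on the counter does not fire. If that is the reason, it should be stated next to the define, for example `/* bit BITS_PER_LONG-2: keep the biased count positive as a signed long */`. The halved headroom before the per-cpu sum could reach the bias deserves a sentence in the same comment.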
111615diff --git a/lib/radix-tree.c b/lib/radix-tree.c
111616index f9ebe1c..e985666 100644
111617--- a/lib/radix-tree.c
111618+++ b/lib/radix-tree.c
111619@@ -68,7 +68,7 @@ struct radix_tree_preload {
111620 /* nodes->private_data points to next preallocated node */
111621 struct radix_tree_node *nodes;
111622 };
111623-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
111624+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
111625
111626 static inline void *ptr_to_indirect(void *ptr)
111627 {
111628diff --git a/lib/random32.c b/lib/random32.c
111629index 0bee183..526f12f 100644
111630--- a/lib/random32.c
111631+++ b/lib/random32.c
111632@@ -47,7 +47,7 @@ static inline void prandom_state_selftest(void)
111633 }
111634 #endif
111635
111636-static DEFINE_PER_CPU(struct rnd_state, net_rand_state);
111637+static DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
111638
111639 /**
111640 * prandom_u32_state - seeded pseudo-random number generator.
111641diff --git a/lib/rbtree.c b/lib/rbtree.c
111642index 1356454..70ce6c6 100644
111643--- a/lib/rbtree.c
111644+++ b/lib/rbtree.c
111645@@ -412,7 +412,9 @@ static inline void dummy_copy(struct rb_node *old, struct rb_node *new) {}
111646 static inline void dummy_rotate(struct rb_node *old, struct rb_node *new) {}
111647
111648 static const struct rb_augment_callbacks dummy_callbacks = {
111649- dummy_propagate, dummy_copy, dummy_rotate
111650+ .propagate = dummy_propagate,
111651+ .copy = dummy_copy,
111652+ .rotate = dummy_rotate
111653 };
111654
111655 void rb_insert_color(struct rb_node *node, struct rb_root *root)
111656diff --git a/lib/show_mem.c b/lib/show_mem.c
111657index adc98e18..0ce83c2 100644
111658--- a/lib/show_mem.c
111659+++ b/lib/show_mem.c
111660@@ -49,6 +49,6 @@ void show_mem(unsigned int filter)
111661 quicklist_total_size());
111662 #endif
111663 #ifdef CONFIG_MEMORY_FAILURE
111664- printk("%lu pages hwpoisoned\n", atomic_long_read(&num_poisoned_pages));
111665+ printk("%lu pages hwpoisoned\n", atomic_long_read_unchecked(&num_poisoned_pages));
111666 #endif
111667 }
111668diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
111669index e0af6ff..fcc9f15 100644
111670--- a/lib/strncpy_from_user.c
111671+++ b/lib/strncpy_from_user.c
111672@@ -22,7 +22,7 @@
111673 */
111674 static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
111675 {
111676- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
111677+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
111678 long res = 0;
111679
111680 /*
111681diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
111682index 3a5f2b3..102f1ff 100644
111683--- a/lib/strnlen_user.c
111684+++ b/lib/strnlen_user.c
111685@@ -26,7 +26,7 @@
111686 */
111687 static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
111688 {
111689- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
111690+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
111691 long align, res = 0;
111692 unsigned long c;
111693
111694diff --git a/lib/swiotlb.c b/lib/swiotlb.c
111695index 76f29ec..1a5316f 100644
111696--- a/lib/swiotlb.c
111697+++ b/lib/swiotlb.c
111698@@ -690,7 +690,7 @@ EXPORT_SYMBOL(swiotlb_alloc_coherent);
111699
111700 void
111701 swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
111702- dma_addr_t dev_addr)
111703+ dma_addr_t dev_addr, struct dma_attrs *attrs)
111704 {
111705 phys_addr_t paddr = dma_to_phys(hwdev, dev_addr);
111706
111707diff --git a/lib/usercopy.c b/lib/usercopy.c
111708index 4f5b1dd..7cab418 100644
111709--- a/lib/usercopy.c
111710+++ b/lib/usercopy.c
111711@@ -7,3 +7,9 @@ void copy_from_user_overflow(void)
111712 WARN(1, "Buffer overflow detected!\n");
111713 }
111714 EXPORT_SYMBOL(copy_from_user_overflow);
111715+
111716+void copy_to_user_overflow(void)
111717+{
111718+ WARN(1, "Buffer overflow detected!\n");
111719+}
111720+EXPORT_SYMBOL(copy_to_user_overflow);
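Review bot: `copy_to_user_overflow()` emits the same "Buffer overflow detected!" text as `copy_from_user_overflow()`, so the message itself does not identify the copy direction. Only the backtrace printed by `WARN()` tells the two apart. Distinct wording, for example `WARN(1, "Buffer overflow detected in copy_to_user!\n");`, makes log triage and alert rules simpler. If the string must stay identical for existing log matchers, a comment saying so would help.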
111721diff --git a/lib/vsprintf.c b/lib/vsprintf.c
111722index da39c60..ac91239 100644
111723--- a/lib/vsprintf.c
111724+++ b/lib/vsprintf.c
111725@@ -16,6 +16,9 @@
111726 * - scnprintf and vscnprintf
111727 */
111728
111729+#ifdef CONFIG_GRKERNSEC_HIDESYM
111730+#define __INCLUDED_BY_HIDESYM 1
111731+#endif
111732 #include <stdarg.h>
111733 #include <linux/clk-provider.h>
111734 #include <linux/module.h> /* for KSYM_SYMBOL_LEN */
111735@@ -628,7 +631,7 @@ char *symbol_string(char *buf, char *end, void *ptr,
111736 #ifdef CONFIG_KALLSYMS
111737 if (*fmt == 'B')
111738 sprint_backtrace(sym, value);
111739- else if (*fmt != 'f' && *fmt != 's')
111740+ else if (*fmt != 'f' && *fmt != 's' && *fmt != 'X')
111741 sprint_symbol(sym, value);
111742 else
111743 sprint_symbol_no_offset(sym, value);
111744@@ -1360,7 +1363,11 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec,
111745 }
111746 }
111747
111748-int kptr_restrict __read_mostly;
111749+#ifdef CONFIG_GRKERNSEC_HIDESYM
111750+int kptr_restrict __read_only = 2;
111751+#else
111752+int kptr_restrict __read_only;
111753+#endif
111754
111755 /*
111756 * Show a '%p' thing. A kernel extension is that the '%p' is followed
111757@@ -1371,8 +1378,10 @@ int kptr_restrict __read_mostly;
111758 *
111759 * - 'F' For symbolic function descriptor pointers with offset
111760 * - 'f' For simple symbolic function names without offset
111761+ * - 'X' For simple symbolic function names without offset approved for use with GRKERNSEC_HIDESYM
111762 * - 'S' For symbolic direct pointers with offset
111763 * - 's' For symbolic direct pointers without offset
111764+ * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
111765 * - '[FfSs]R' as above with __builtin_extract_return_addr() translation
111766 * - 'B' For backtraced symbolic direct pointers with offset
111767 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
111768@@ -1460,12 +1469,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
111769
111770 if (!ptr && *fmt != 'K') {
111771 /*
111772- * Print (null) with the same width as a pointer so it makes
111773+ * Print (nil) with the same width as a pointer so it makes
111774 * tabular output look nice.
111775 */
111776 if (spec.field_width == -1)
111777 spec.field_width = default_width;
111778- return string(buf, end, "(null)", spec);
111779+ return string(buf, end, "(nil)", spec);
111780 }
111781
111782 switch (*fmt) {
111783@@ -1475,6 +1484,14 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
111784 /* Fallthrough */
111785 case 'S':
111786 case 's':
111787+#ifdef CONFIG_GRKERNSEC_HIDESYM
111788+ break;
111789+#else
111790+ return symbol_string(buf, end, ptr, spec, fmt);
111791+#endif
111792+ case 'X':
111793+ ptr = dereference_function_descriptor(ptr);
111794+ case 'A':
111795 case 'B':
111796 return symbol_string(buf, end, ptr, spec, fmt);
111797 case 'R':
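Review bot: `case 'X':` falls through into `case 'A':` after `ptr = dereference_function_descriptor(ptr);` without the `/* Fallthrough */` marker that the code just above `case 'S':` carries. Add `/* Fallthrough */` after that assignment so the intent is visible to readers and static checkers. With `CONFIG_GRKERNSEC_HIDESYM` set, the `'S'`/`'s'` group now ends in `break`, which leaves the switch instead of resolving a symbol. A short comment on that `break`, such as `/* symbol lookup intentionally skipped; falls back to numeric formatting */`, would document the choice. The switch begins and ends outside this hunk, so where control goes after the `break` is inferred.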
111798@@ -1539,6 +1556,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
111799 va_end(va);
111800 return buf;
111801 }
111802+ case 'P':
111803+ break;
111804 case 'K':
111805 /*
111806 * %pK cannot be used in IRQ context because its test
111807@@ -1598,6 +1617,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
111808 ((const struct file *)ptr)->f_path.dentry,
111809 spec, fmt);
111810 }
111811+
111812+#ifdef CONFIG_GRKERNSEC_HIDESYM
111813+ /* 'P' = approved pointers to copy to userland,
111814+ as in the /proc/kallsyms case, as we make it display nothing
111815+ for non-root users, and the real contents for root users
111816+ 'X' = approved simple symbols
111817+ Also ignore 'K' pointers, since we force their NULLing for non-root users
111818+ above
111819+ */
111820+ if ((unsigned long)ptr > TASK_SIZE && *fmt != 'P' && *fmt != 'X' && *fmt != 'K' && is_usercopy_object(buf)) {
111821+ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@grsecurity.net.\n");
111822+ dump_stack();
111823+ ptr = NULL;
111824+ }
111825+#endif
111826+
111827 spec.flags |= SMALL;
111828 if (spec.field_width == -1) {
111829 spec.field_width = default_width;
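Review bot: The infoleak branch calls `printk(KERN_ALERT ...)` and `dump_stack()` on every offending conversion with no rate limit. A code path that formats many pointers into a usercopy buffer, or one that can be re-run on demand, can therefore fill the log with stack dumps. Guarding only the report, for example `if (printk_ratelimit()) { printk(...); dump_stack(); }`, keeps the detection while `ptr = NULL` still applies unconditionally. The `*fmt != 'X'` test also looks redundant, since the earlier switch hunk returns from `case 'X'` through `symbol_string()`. pointer() starts and ends outside this hunk.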
111830@@ -2296,11 +2331,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
111831 typeof(type) value; \
111832 if (sizeof(type) == 8) { \
111833 args = PTR_ALIGN(args, sizeof(u32)); \
111834- *(u32 *)&value = *(u32 *)args; \
111835- *((u32 *)&value + 1) = *(u32 *)(args + 4); \
111836+ *(u32 *)&value = *(const u32 *)args; \
111837+ *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
111838 } else { \
111839 args = PTR_ALIGN(args, sizeof(type)); \
111840- value = *(typeof(type) *)args; \
111841+ value = *(const typeof(type) *)args; \
111842 } \
111843 args += sizeof(type); \
111844 value; \
111845@@ -2363,7 +2398,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
111846 case FORMAT_TYPE_STR: {
111847 const char *str_arg = args;
111848 args += strlen(str_arg) + 1;
111849- str = string(str, end, (char *)str_arg, spec);
111850+ str = string(str, end, str_arg, spec);
111851 break;
111852 }
111853
111854diff --git a/localversion-grsec b/localversion-grsec
111855new file mode 100644
111856index 0000000..7cd6065
111857--- /dev/null
111858+++ b/localversion-grsec
111859@@ -0,0 +1 @@
111860+-grsec
111861diff --git a/mm/Kconfig b/mm/Kconfig
111862index e79de2b..a1a98eb 100644
111863--- a/mm/Kconfig
111864+++ b/mm/Kconfig
111865@@ -342,10 +342,11 @@ config KSM
111866 root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
111867
111868 config DEFAULT_MMAP_MIN_ADDR
111869- int "Low address space to protect from user allocation"
111870+ int "Low address space to protect from user allocation"
111871 depends on MMU
111872- default 4096
111873- help
111874+ default 32768 if ALPHA || ARM || PARISC || SPARC32
111875+ default 65536
111876+ help
111877 This is the portion of low virtual memory which should be protected
111878 from userspace allocation. Keeping a user from writing to low pages
111879 can help reduce the impact of kernel NULL pointer bugs.
111880@@ -377,7 +378,7 @@ config MEMORY_FAILURE
111881
111882 config HWPOISON_INJECT
111883 tristate "HWPoison pages injector"
111884- depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS
111885+ depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS && !GRKERNSEC
111886 select PROC_PAGE_MONITOR
111887
111888 config NOMMU_INITIAL_TRIM_EXCESS
111889diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
111890index 957d3da..1d34e20 100644
111891--- a/mm/Kconfig.debug
111892+++ b/mm/Kconfig.debug
111893@@ -10,6 +10,7 @@ config PAGE_EXTENSION
111894 config DEBUG_PAGEALLOC
111895 bool "Debug page memory allocations"
111896 depends on DEBUG_KERNEL
111897+ depends on !PAX_MEMORY_SANITIZE
111898 depends on !HIBERNATION || ARCH_SUPPORTS_DEBUG_PAGEALLOC && !PPC && !SPARC
111899 depends on !KMEMCHECK
111900 select PAGE_EXTENSION
111901diff --git a/mm/backing-dev.c b/mm/backing-dev.c
111902index dac5bf5..d8c02ce 100644
111903--- a/mm/backing-dev.c
111904+++ b/mm/backing-dev.c
111905@@ -12,7 +12,7 @@
111906 #include <linux/device.h>
111907 #include <trace/events/writeback.h>
111908
111909-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
111910+static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
111911
111912 struct backing_dev_info noop_backing_dev_info = {
111913 .name = "noop",
111914@@ -855,7 +855,7 @@ int bdi_setup_and_register(struct backing_dev_info *bdi, char *name)
111915 return err;
111916
111917 err = bdi_register(bdi, NULL, "%.28s-%ld", name,
111918- atomic_long_inc_return(&bdi_seq));
111919+ atomic_long_inc_return_unchecked(&bdi_seq));
111920 if (err) {
111921 bdi_destroy(bdi);
111922 return err;
111923diff --git a/mm/dmapool.c b/mm/dmapool.c
111924index fd5fe43..39ea317 100644
111925--- a/mm/dmapool.c
111926+++ b/mm/dmapool.c
111927@@ -386,7 +386,7 @@ static struct dma_page *pool_find_page(struct dma_pool *pool, dma_addr_t dma)
111928 list_for_each_entry(page, &pool->page_list, page_list) {
111929 if (dma < page->dma)
111930 continue;
111931- if (dma < (page->dma + pool->allocation))
111932+ if ((dma - page->dma) < pool->allocation)
111933 return page;
111934 }
111935 return NULL;
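Review bot: The rewritten bound `(dma - page->dma) < pool->allocation` is wrap-free only because the `dma < page->dma` test two lines above has already skipped smaller addresses, and nothing in the code says so. A comment such as `/* dma >= page->dma here, so the subtraction cannot wrap */` would keep a later reorder of the two tests from reintroducing the overflow this change removes. pool_find_page() begins outside this hunk.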
111936diff --git a/mm/filemap.c b/mm/filemap.c
111937index 1283fc8..a0347d5 100644
111938--- a/mm/filemap.c
111939+++ b/mm/filemap.c
111940@@ -2122,7 +2122,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
111941 struct address_space *mapping = file->f_mapping;
111942
111943 if (!mapping->a_ops->readpage)
111944- return -ENOEXEC;
111945+ return -ENODEV;
111946 file_accessed(file);
111947 vma->vm_ops = &generic_file_vm_ops;
111948 return 0;
111949@@ -2303,6 +2303,7 @@ inline ssize_t generic_write_checks(struct kiocb *iocb, struct iov_iter *from)
111950 pos = iocb->ki_pos;
111951
111952 if (limit != RLIM_INFINITY) {
111953+ gr_learn_resource(current, RLIMIT_FSIZE, iocb->ki_pos, 0);
111954 if (iocb->ki_pos >= limit) {
111955 send_sig(SIGXFSZ, current, 0);
111956 return -EFBIG;
111957diff --git a/mm/gup.c b/mm/gup.c
111958index 6297f6b..7652403 100644
111959--- a/mm/gup.c
111960+++ b/mm/gup.c
111961@@ -265,11 +265,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
111962 unsigned int fault_flags = 0;
111963 int ret;
111964
111965- /* For mm_populate(), just skip the stack guard page. */
111966- if ((*flags & FOLL_POPULATE) &&
111967- (stack_guard_page_start(vma, address) ||
111968- stack_guard_page_end(vma, address + PAGE_SIZE)))
111969- return -ENOENT;
111970 if (*flags & FOLL_WRITE)
111971 fault_flags |= FAULT_FLAG_WRITE;
111972 if (nonblocking)
111973@@ -435,14 +430,14 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
111974 if (!(gup_flags & FOLL_FORCE))
111975 gup_flags |= FOLL_NUMA;
111976
111977- do {
111978+ while (nr_pages) {
111979 struct page *page;
111980 unsigned int foll_flags = gup_flags;
111981 unsigned int page_increm;
111982
111983 /* first iteration or cross vma bound */
111984 if (!vma || start >= vma->vm_end) {
111985- vma = find_extend_vma(mm, start);
111986+ vma = find_vma(mm, start);
111987 if (!vma && in_gate_area(mm, start)) {
111988 int ret;
111989 ret = get_gate_page(mm, start & PAGE_MASK,
111990@@ -454,7 +449,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
111991 goto next_page;
111992 }
111993
111994- if (!vma || check_vma_flags(vma, gup_flags))
111995+ if (!vma || start < vma->vm_start || check_vma_flags(vma, gup_flags))
111996 return i ? : -EFAULT;
111997 if (is_vm_hugetlb_page(vma)) {
111998 i = follow_hugetlb_page(mm, vma, pages, vmas,
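Review bot: The new `start < vma->vm_start` test is what makes the `find_vma()` substitution in the previous hunk safe, but that dependency is not documented. `find_vma()` returns the first vma ending above `start` even when `start` lies in a hole below it. A comment on the condition, for example `/* find_vma() may return a vma above start; no stack expansion here */`, would record this. It would also record the behaviour change: an address just below a grows-down stack vma now yields `-EFAULT` instead of extending the stack. Callers that relied on the old expansion are not visible here, and __get_user_pages() starts and ends outside this hunk.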
111999@@ -509,7 +504,7 @@ next_page:
112000 i += page_increm;
112001 start += page_increm * PAGE_SIZE;
112002 nr_pages -= page_increm;
112003- } while (nr_pages);
112004+ }
112005 return i;
112006 }
112007 EXPORT_SYMBOL(__get_user_pages);
112008diff --git a/mm/highmem.c b/mm/highmem.c
112009index 123bcd3..07e8516 100644
112010--- a/mm/highmem.c
112011+++ b/mm/highmem.c
112012@@ -196,7 +196,6 @@ static void flush_all_zero_pkmaps(void)
112013 */
112014 page = pte_page(pkmap_page_table[i]);
112015 pte_clear(&init_mm, PKMAP_ADDR(i), &pkmap_page_table[i]);
112016-
112017 set_page_address(page, NULL);
112018 need_flush = 1;
112019 }
112020diff --git a/mm/hugetlb.c b/mm/hugetlb.c
112021index a8c3087..ec431dc 100644
112022--- a/mm/hugetlb.c
112023+++ b/mm/hugetlb.c
112024@@ -2442,6 +2442,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
112025 struct ctl_table *table, int write,
112026 void __user *buffer, size_t *length, loff_t *ppos)
112027 {
112028+ ctl_table_no_const t;
112029 struct hstate *h = &default_hstate;
112030 unsigned long tmp = h->max_huge_pages;
112031 int ret;
112032@@ -2449,9 +2450,10 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
112033 if (!hugepages_supported())
112034 return -ENOTSUPP;
112035
112036- table->data = &tmp;
112037- table->maxlen = sizeof(unsigned long);
112038- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
112039+ t = *table;
112040+ t.data = &tmp;
112041+ t.maxlen = sizeof(unsigned long);
112042+ ret = proc_doulongvec_minmax(&t, write, buffer, length, ppos);
112043 if (ret)
112044 goto out;
112045
112046@@ -2486,6 +2488,7 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
112047 struct hstate *h = &default_hstate;
112048 unsigned long tmp;
112049 int ret;
112050+ ctl_table_no_const hugetlb_table;
112051
112052 if (!hugepages_supported())
112053 return -ENOTSUPP;
112054@@ -2495,9 +2498,10 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
112055 if (write && hstate_is_gigantic(h))
112056 return -EINVAL;
112057
112058- table->data = &tmp;
112059- table->maxlen = sizeof(unsigned long);
112060- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
112061+ hugetlb_table = *table;
112062+ hugetlb_table.data = &tmp;
112063+ hugetlb_table.maxlen = sizeof(unsigned long);
112064+ ret = proc_doulongvec_minmax(&hugetlb_table, write, buffer, length, ppos);
112065 if (ret)
112066 goto out;
112067
112068@@ -2974,6 +2978,14 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
112069 continue;
112070
112071 /*
112072+ * Shared VMAs have their own reserves and do not affect
112073+ * MAP_PRIVATE accounting but it is possible that a shared
112074+ * VMA is using the same page so check and skip such VMAs.
112075+ */
112076+ if (iter_vma->vm_flags & VM_MAYSHARE)
112077+ continue;
112078+
112079+ /*
112080 * Unmap the page from other VMAs without their own reserves.
112081 * They get marked to be SIGKILLed if they fault in these
112082 * areas. This is because a future no-page fault on this VMA
112083@@ -2987,6 +2999,27 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
112084 i_mmap_unlock_write(mapping);
112085 }
112086
112087+#ifdef CONFIG_PAX_SEGMEXEC
112088+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
112089+{
112090+ struct mm_struct *mm = vma->vm_mm;
112091+ struct vm_area_struct *vma_m;
112092+ unsigned long address_m;
112093+ pte_t *ptep_m;
112094+
112095+ vma_m = pax_find_mirror_vma(vma);
112096+ if (!vma_m)
112097+ return;
112098+
112099+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
112100+ address_m = address + SEGMEXEC_TASK_SIZE;
112101+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
112102+ get_page(page_m);
112103+ hugepage_add_anon_rmap(page_m, vma_m, address_m);
112104+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
112105+}
112106+#endif
112107+
112108 /*
112109 * Hugetlb_cow() should be called with page lock of the original hugepage held.
112110 * Called with hugetlb_instantiation_mutex held and pte_page locked so we
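Review bot: In `pax_mirror_huge_pte()` the result of `huge_pte_offset()` is passed to `set_huge_pte_at()` without a NULL check, although `huge_pte_offset()` returns NULL when no page-table entry exists for the address. The helper appears to rely on `hugetlb_fault()` having called `huge_pte_alloc()` for the mirror address, which is added in a later hunk of this file. Asserting that, `BUG_ON(!ptep_m);`, in line with the existing `BUG_ON(address >= SEGMEXEC_TASK_SIZE)`, would turn a violated assumption into a diagnosable stop. The helper also has no header comment; one sentence stating the locking and pre-allocation it expects from its callers would help.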
112111@@ -3100,6 +3133,11 @@ retry_avoidcopy:
112112 make_huge_pte(vma, new_page, 1));
112113 page_remove_rmap(old_page);
112114 hugepage_add_new_anon_rmap(new_page, vma, address);
112115+
112116+#ifdef CONFIG_PAX_SEGMEXEC
112117+ pax_mirror_huge_pte(vma, address, new_page);
112118+#endif
112119+
112120 /* Make the old page be freed below */
112121 new_page = old_page;
112122 }
112123@@ -3261,6 +3299,10 @@ retry:
112124 && (vma->vm_flags & VM_SHARED)));
112125 set_huge_pte_at(mm, address, ptep, new_pte);
112126
112127+#ifdef CONFIG_PAX_SEGMEXEC
112128+ pax_mirror_huge_pte(vma, address, page);
112129+#endif
112130+
112131 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
112132 /* Optimization, do the COW without a second fault */
112133 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl);
112134@@ -3328,6 +3370,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
112135 struct address_space *mapping;
112136 int need_wait_lock = 0;
112137
112138+#ifdef CONFIG_PAX_SEGMEXEC
112139+ struct vm_area_struct *vma_m;
112140+#endif
112141+
112142 address &= huge_page_mask(h);
112143
112144 ptep = huge_pte_offset(mm, address);
112145@@ -3341,6 +3387,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
112146 VM_FAULT_SET_HINDEX(hstate_index(h));
112147 }
112148
112149+#ifdef CONFIG_PAX_SEGMEXEC
112150+ vma_m = pax_find_mirror_vma(vma);
112151+ if (vma_m) {
112152+ unsigned long address_m;
112153+
112154+ if (vma->vm_start > vma_m->vm_start) {
112155+ address_m = address;
112156+ address -= SEGMEXEC_TASK_SIZE;
112157+ vma = vma_m;
112158+ h = hstate_vma(vma);
112159+ } else
112160+ address_m = address + SEGMEXEC_TASK_SIZE;
112161+
112162+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
112163+ return VM_FAULT_OOM;
112164+ address_m &= HPAGE_MASK;
112165+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
112166+ }
112167+#endif
112168+
112169 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
112170 if (!ptep)
112171 return VM_FAULT_OOM;
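Review bot: The block added to `hugetlb_fault()` rewrites `vma`, `address` and `h` in place when the fault arrives on the higher of the two mirrored mappings, and nothing tells the reader that the rest of the function then runs against the lower vma. A comment such as `/* fault hit the upper mirror: handle it on the lower vma, address_m keeps the mirror address */` before `if (vma->vm_start > vma_m->vm_start)` would make that explicit. The `else` branch should also carry braces, since the `if` branch has them. hugetlb_fault's body starts and ends outside the hunk.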
112172diff --git a/mm/internal.h b/mm/internal.h
112173index 36b23f1..0787474 100644
112174--- a/mm/internal.h
112175+++ b/mm/internal.h
112176@@ -157,6 +157,7 @@ __find_buddy_index(unsigned long page_idx, unsigned int order)
112177 extern int __isolate_free_page(struct page *page, unsigned int order);
112178 extern void __free_pages_bootmem(struct page *page, unsigned long pfn,
112179 unsigned int order);
112180+extern void free_compound_page(struct page *page);
112181 extern void prep_compound_page(struct page *page, unsigned long order);
112182 #ifdef CONFIG_MEMORY_FAILURE
112183 extern bool is_free_buddy_page(struct page *page);
112184@@ -406,7 +407,7 @@ extern u32 hwpoison_filter_enable;
112185
112186 extern unsigned long vm_mmap_pgoff(struct file *, unsigned long,
112187 unsigned long, unsigned long,
112188- unsigned long, unsigned long);
112189+ unsigned long, unsigned long) __intentional_overflow(-1);
112190
112191 extern void set_pageblock_order(void);
112192 unsigned long reclaim_clean_pages_from_list(struct zone *zone,
112193diff --git a/mm/kmemleak.c b/mm/kmemleak.c
112194index cf79f11..254224e 100644
112195--- a/mm/kmemleak.c
112196+++ b/mm/kmemleak.c
112197@@ -375,7 +375,7 @@ static void print_unreferenced(struct seq_file *seq,
112198
112199 for (i = 0; i < object->trace_len; i++) {
112200 void *ptr = (void *)object->trace[i];
112201- seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
112202+ seq_printf(seq, " [<%pP>] %pA\n", ptr, ptr);
112203 }
112204 }
112205
112206@@ -1966,7 +1966,7 @@ static int __init kmemleak_late_init(void)
112207 return -ENOMEM;
112208 }
112209
112210- dentry = debugfs_create_file("kmemleak", S_IRUGO, NULL, NULL,
112211+ dentry = debugfs_create_file("kmemleak", S_IRUSR, NULL, NULL,
112212 &kmemleak_fops);
112213 if (!dentry)
112214 pr_warning("Failed to create the debugfs kmemleak file\n");
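Review bot: The new `S_IRUSR` mode on the `kmemleak` debugfs file carries no comment explaining why it differs from the previous `S_IRUGO`, so the intent is easy to lose in a later rebase. The file prints per-object stack traces (see `print_unreferenced()` in the previous hunk), so I would add `/* owner-read only: the report contains kernel addresses */` above the `debugfs_create_file()` call. kmemleak_late_init starts and ends outside the hunk.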
112215diff --git a/mm/maccess.c b/mm/maccess.c
112216index d53adf9..03a24bf 100644
112217--- a/mm/maccess.c
112218+++ b/mm/maccess.c
112219@@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, const void *src, size_t size)
112220 set_fs(KERNEL_DS);
112221 pagefault_disable();
112222 ret = __copy_from_user_inatomic(dst,
112223- (__force const void __user *)src, size);
112224+ (const void __force_user *)src, size);
112225 pagefault_enable();
112226 set_fs(old_fs);
112227
112228@@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, const void *src, size_t size)
112229
112230 set_fs(KERNEL_DS);
112231 pagefault_disable();
112232- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
112233+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
112234 pagefault_enable();
112235 set_fs(old_fs);
112236
112237diff --git a/mm/madvise.c b/mm/madvise.c
112238index 64bb8a2..68e4be5 100644
112239--- a/mm/madvise.c
112240+++ b/mm/madvise.c
112241@@ -52,6 +52,10 @@ static long madvise_behavior(struct vm_area_struct *vma,
112242 pgoff_t pgoff;
112243 unsigned long new_flags = vma->vm_flags;
112244
112245+#ifdef CONFIG_PAX_SEGMEXEC
112246+ struct vm_area_struct *vma_m;
112247+#endif
112248+
112249 switch (behavior) {
112250 case MADV_NORMAL:
112251 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
112252@@ -127,6 +131,13 @@ success:
112253 /*
112254 * vm_flags is protected by the mmap_sem held in write mode.
112255 */
112256+
112257+#ifdef CONFIG_PAX_SEGMEXEC
112258+ vma_m = pax_find_mirror_vma(vma);
112259+ if (vma_m)
112260+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
112261+#endif
112262+
112263 vma->vm_flags = new_flags;
112264
112265 out:
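Review bot: The mirror assignment is inserted between the existing comment `vm_flags is protected by the mmap_sem held in write mode` and the `vma->vm_flags = new_flags;` line that comment describes, and the mask applied to the mirror is unexplained. I would move the SEGMEXEC block below `vma->vm_flags = new_flags;` or extend the comment to cover both writes. It also needs one line saying why `VM_WRITE`, `VM_MAYWRITE` and `VM_ACCOUNT` are stripped for `vma_m`. madvise_behavior starts outside the hunk.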
112266@@ -278,11 +289,27 @@ static long madvise_dontneed(struct vm_area_struct *vma,
112267 struct vm_area_struct **prev,
112268 unsigned long start, unsigned long end)
112269 {
112270+
112271+#ifdef CONFIG_PAX_SEGMEXEC
112272+ struct vm_area_struct *vma_m;
112273+#endif
112274+
112275 *prev = vma;
112276 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
112277 return -EINVAL;
112278
112279 zap_page_range(vma, start, end - start, NULL);
112280+
112281+#ifdef CONFIG_PAX_SEGMEXEC
112282+ vma_m = pax_find_mirror_vma(vma);
112283+ if (vma_m) {
112284+ if (vma_m->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
112285+ return -EINVAL;
112286+
112287+ zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
112288+ }
112289+#endif
112290+
112291 return 0;
112292 }
112293
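Review bot: In `madvise_dontneed()` the mirror's `VM_LOCKED|VM_HUGETLB|VM_PFNMAP` test runs after `zap_page_range()` has already discarded the primary range, so a failure there returns `-EINVAL` with half of the work done. Looking up `vma_m` and testing its flags before the first zap keeps the call all-or-nothing. If the mirror's flags can never differ from the primary's at this point, the second test can be dropped instead. Suggested ordering below.

```c
	/* … unchanged: *prev assignment and the primary vm_flags check … */

#ifdef CONFIG_PAX_SEGMEXEC
	/* validate the mirror before anything is zapped */
	vma_m = pax_find_mirror_vma(vma);
	if (vma_m && (vma_m->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP)))
		return -EINVAL;
#endif

	zap_page_range(vma, start, end - start, NULL);

#ifdef CONFIG_PAX_SEGMEXEC
	if (vma_m)
		zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
#endif
```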
112294@@ -485,6 +512,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
112295 if (end < start)
112296 return error;
112297
112298+#ifdef CONFIG_PAX_SEGMEXEC
112299+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
112300+ if (end > SEGMEXEC_TASK_SIZE)
112301+ return error;
112302+ } else
112303+#endif
112304+
112305+ if (end > TASK_SIZE)
112306+ return error;
112307+
112308 error = 0;
112309 if (end == start)
112310 return error;
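Review bot: The SEGMEXEC limit check ends in `} else` directly before `#endif`, so the following `if (end > TASK_SIZE)` is the else-body only in SEGMEXEC builds, and the blank line between them hides that. Selecting the limit first and testing once reads the same in both configurations. The declaration would go with the other locals at the top of the syscall body, which is outside the hunk.

```c
	/* with the other locals at the top of the function */
	unsigned long task_size = TASK_SIZE;

	/* … unchanged: validation up to the end < start test … */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif
	if (end > task_size)
		return error;
```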
112311diff --git a/mm/memcontrol.c b/mm/memcontrol.c
112312index acb93c5..237d468 100644
112313--- a/mm/memcontrol.c
112314+++ b/mm/memcontrol.c
112315@@ -806,12 +806,14 @@ mem_cgroup_largest_soft_limit_node(struct mem_cgroup_tree_per_zone *mctz)
112316 }
112317
112318 /*
112319+ * Return page count for single (non recursive) @memcg.
112320+ *
112321 * Implementation Note: reading percpu statistics for memcg.
112322 *
112323 * Both of vmstat[] and percpu_counter has threshold and do periodic
112324 * synchronization to implement "quick" read. There are trade-off between
112325 * reading cost and precision of value. Then, we may have a chance to implement
112326- * a periodic synchronizion of counter in memcg's counter.
112327+ * a periodic synchronization of counter in memcg's counter.
112328 *
112329 * But this _read() function is used for user interface now. The user accounts
112330 * memory usage by memory cgroup and he _always_ requires exact value because
112331@@ -821,17 +823,24 @@ mem_cgroup_largest_soft_limit_node(struct mem_cgroup_tree_per_zone *mctz)
112332 *
112333 * If there are kernel internal actions which can make use of some not-exact
112334 * value, and reading all cpu value can be performance bottleneck in some
112335- * common workload, threashold and synchonization as vmstat[] should be
112336+ * common workload, threshold and synchronization as vmstat[] should be
112337 * implemented.
112338 */
112339-static long mem_cgroup_read_stat(struct mem_cgroup *memcg,
112340- enum mem_cgroup_stat_index idx)
112341+static unsigned long
112342+mem_cgroup_read_stat(struct mem_cgroup *memcg, enum mem_cgroup_stat_index idx)
112343 {
112344 long val = 0;
112345 int cpu;
112346
112347+ /* Per-cpu values can be negative, use a signed accumulator */
112348 for_each_possible_cpu(cpu)
112349 val += per_cpu(memcg->stat->count[idx], cpu);
112350+ /*
112351+ * Summing races with updates, so val may be negative. Avoid exposing
112352+ * transient negative values.
112353+ */
112354+ if (val < 0)
112355+ val = 0;
112356 return val;
112357 }
112358
112359@@ -1498,7 +1507,7 @@ void mem_cgroup_print_oom_info(struct mem_cgroup *memcg, struct task_struct *p)
112360 for (i = 0; i < MEM_CGROUP_STAT_NSTATS; i++) {
112361 if (i == MEM_CGROUP_STAT_SWAP && !do_swap_account)
112362 continue;
112363- pr_cont(" %s:%ldKB", mem_cgroup_stat_names[i],
112364+ pr_cont(" %s:%luKB", mem_cgroup_stat_names[i],
112365 K(mem_cgroup_read_stat(iter, i)));
112366 }
112367
112368@@ -3119,14 +3128,11 @@ static unsigned long tree_stat(struct mem_cgroup *memcg,
112369 enum mem_cgroup_stat_index idx)
112370 {
112371 struct mem_cgroup *iter;
112372- long val = 0;
112373+ unsigned long val = 0;
112374
112375- /* Per-cpu values can be negative, use a signed accumulator */
112376 for_each_mem_cgroup_tree(iter, memcg)
112377 val += mem_cgroup_read_stat(iter, idx);
112378
112379- if (val < 0) /* race ? */
112380- val = 0;
112381 return val;
112382 }
112383
112384@@ -3469,7 +3475,7 @@ static int memcg_stat_show(struct seq_file *m, void *v)
112385 for (i = 0; i < MEM_CGROUP_STAT_NSTATS; i++) {
112386 if (i == MEM_CGROUP_STAT_SWAP && !do_swap_account)
112387 continue;
112388- seq_printf(m, "%s %ld\n", mem_cgroup_stat_names[i],
112389+ seq_printf(m, "%s %lu\n", mem_cgroup_stat_names[i],
112390 mem_cgroup_read_stat(memcg, i) * PAGE_SIZE);
112391 }
112392
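Review bot: `mem_cgroup_read_stat(memcg, i) * PAGE_SIZE` is now an `unsigned long` product, so on a 32-bit build it wraps once the byte value no longer fits in 32 bits, before `%lu` prints it. The hierarchical loop in the next hunk has the same problem: widening `val` to `unsigned long long` does not help, because `mem_cgroup_read_stat(mi, i) * PAGE_SIZE` is still evaluated in `unsigned long`. Casting the count first, as the `(u64)memsw * PAGE_SIZE` line in this function already does, fixes both: `(u64)mem_cgroup_read_stat(memcg, i) * PAGE_SIZE` printed with `%llu`, and `val += (u64)mem_cgroup_read_stat(mi, i) * PAGE_SIZE;`. memcg_stat_show starts and ends outside both hunks.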
112393@@ -3494,13 +3500,13 @@ static int memcg_stat_show(struct seq_file *m, void *v)
112394 (u64)memsw * PAGE_SIZE);
112395
112396 for (i = 0; i < MEM_CGROUP_STAT_NSTATS; i++) {
112397- long long val = 0;
112398+ unsigned long long val = 0;
112399
112400 if (i == MEM_CGROUP_STAT_SWAP && !do_swap_account)
112401 continue;
112402 for_each_mem_cgroup_tree(mi, memcg)
112403 val += mem_cgroup_read_stat(mi, i) * PAGE_SIZE;
112404- seq_printf(m, "total_%s %lld\n", mem_cgroup_stat_names[i], val);
112405+ seq_printf(m, "total_%s %llu\n", mem_cgroup_stat_names[i], val);
112406 }
112407
112408 for (i = 0; i < MEM_CGROUP_EVENTS_NSTATS; i++) {
112409diff --git a/mm/memory-failure.c b/mm/memory-failure.c
112410index 1f4446a..47abb4e 100644
112411--- a/mm/memory-failure.c
112412+++ b/mm/memory-failure.c
112413@@ -63,7 +63,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
112414
112415 int sysctl_memory_failure_recovery __read_mostly = 1;
112416
112417-atomic_long_t num_poisoned_pages __read_mostly = ATOMIC_LONG_INIT(0);
112418+atomic_long_unchecked_t num_poisoned_pages __read_mostly = ATOMIC_LONG_INIT(0);
112419
112420 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
112421
112422@@ -200,7 +200,7 @@ static int kill_proc(struct task_struct *t, unsigned long addr, int trapno,
112423 pfn, t->comm, t->pid);
112424 si.si_signo = SIGBUS;
112425 si.si_errno = 0;
112426- si.si_addr = (void *)addr;
112427+ si.si_addr = (void __user *)addr;
112428 #ifdef __ARCH_SI_TRAPNO
112429 si.si_trapno = trapno;
112430 #endif
112431@@ -797,7 +797,7 @@ static struct page_state {
112432 unsigned long res;
112433 enum mf_action_page_type type;
112434 int (*action)(struct page *p, unsigned long pfn);
112435-} error_states[] = {
112436+} __do_const error_states[] = {
112437 { reserved, reserved, MF_MSG_KERNEL, me_kernel },
112438 /*
112439 * free pages are specially detected outside this table:
112440@@ -1100,7 +1100,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
112441 nr_pages = 1 << compound_order(hpage);
112442 else /* normal page or thp */
112443 nr_pages = 1;
112444- atomic_long_add(nr_pages, &num_poisoned_pages);
112445+ atomic_long_add_unchecked(nr_pages, &num_poisoned_pages);
112446
112447 /*
112448 * We need/can do nothing about count=0 pages.
112449@@ -1128,7 +1128,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
112450 if (PageHWPoison(hpage)) {
112451 if ((hwpoison_filter(p) && TestClearPageHWPoison(p))
112452 || (p != hpage && TestSetPageHWPoison(hpage))) {
112453- atomic_long_sub(nr_pages, &num_poisoned_pages);
112454+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
112455 unlock_page(hpage);
112456 return 0;
112457 }
112458@@ -1152,7 +1152,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
112459 else
112460 pr_err("MCE: %#lx: thp split failed\n", pfn);
112461 if (TestClearPageHWPoison(p))
112462- atomic_long_sub(nr_pages, &num_poisoned_pages);
112463+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
112464 put_page(p);
112465 if (p != hpage)
112466 put_page(hpage);
112467@@ -1214,14 +1214,14 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
112468 */
112469 if (!PageHWPoison(p)) {
112470 printk(KERN_ERR "MCE %#lx: just unpoisoned\n", pfn);
112471- atomic_long_sub(nr_pages, &num_poisoned_pages);
112472+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
112473 unlock_page(hpage);
112474 put_page(hpage);
112475 return 0;
112476 }
112477 if (hwpoison_filter(p)) {
112478 if (TestClearPageHWPoison(p))
112479- atomic_long_sub(nr_pages, &num_poisoned_pages);
112480+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
112481 unlock_page(hpage);
112482 put_page(hpage);
112483 return 0;
112484@@ -1450,7 +1450,7 @@ int unpoison_memory(unsigned long pfn)
112485 return 0;
112486 }
112487 if (TestClearPageHWPoison(p))
112488- atomic_long_dec(&num_poisoned_pages);
112489+ atomic_long_dec_unchecked(&num_poisoned_pages);
112490 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
112491 return 0;
112492 }
112493@@ -1464,7 +1464,7 @@ int unpoison_memory(unsigned long pfn)
112494 */
112495 if (TestClearPageHWPoison(page)) {
112496 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
112497- atomic_long_sub(nr_pages, &num_poisoned_pages);
112498+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
112499 freeit = 1;
112500 if (PageHuge(page))
112501 clear_page_hwpoison_huge_page(page);
112502@@ -1600,11 +1600,11 @@ static int soft_offline_huge_page(struct page *page, int flags)
112503 if (PageHuge(page)) {
112504 set_page_hwpoison_huge_page(hpage);
112505 dequeue_hwpoisoned_huge_page(hpage);
112506- atomic_long_add(1 << compound_order(hpage),
112507+ atomic_long_add_unchecked(1 << compound_order(hpage),
112508 &num_poisoned_pages);
112509 } else {
112510 SetPageHWPoison(page);
112511- atomic_long_inc(&num_poisoned_pages);
112512+ atomic_long_inc_unchecked(&num_poisoned_pages);
112513 }
112514 }
112515 return ret;
112516@@ -1643,7 +1643,7 @@ static int __soft_offline_page(struct page *page, int flags)
112517 put_page(page);
112518 pr_info("soft_offline: %#lx: invalidated\n", pfn);
112519 SetPageHWPoison(page);
112520- atomic_long_inc(&num_poisoned_pages);
112521+ atomic_long_inc_unchecked(&num_poisoned_pages);
112522 return 0;
112523 }
112524
112525@@ -1664,7 +1664,7 @@ static int __soft_offline_page(struct page *page, int flags)
112526 page_is_file_cache(page));
112527 list_add(&page->lru, &pagelist);
112528 if (!TestSetPageHWPoison(page))
112529- atomic_long_inc(&num_poisoned_pages);
112530+ atomic_long_inc_unchecked(&num_poisoned_pages);
112531 ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL,
112532 MIGRATE_SYNC, MR_MEMORY_FAILURE);
112533 if (ret) {
112534@@ -1680,7 +1680,7 @@ static int __soft_offline_page(struct page *page, int flags)
112535 if (ret > 0)
112536 ret = -EIO;
112537 if (TestClearPageHWPoison(page))
112538- atomic_long_dec(&num_poisoned_pages);
112539+ atomic_long_dec_unchecked(&num_poisoned_pages);
112540 }
112541 } else {
112542 pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n",
112543@@ -1742,11 +1742,11 @@ int soft_offline_page(struct page *page, int flags)
112544 if (PageHuge(page)) {
112545 set_page_hwpoison_huge_page(hpage);
112546 if (!dequeue_hwpoisoned_huge_page(hpage))
112547- atomic_long_add(1 << compound_order(hpage),
112548+ atomic_long_add_unchecked(1 << compound_order(hpage),
112549 &num_poisoned_pages);
112550 } else {
112551 if (!TestSetPageHWPoison(page))
112552- atomic_long_inc(&num_poisoned_pages);
112553+ atomic_long_inc_unchecked(&num_poisoned_pages);
112554 }
112555 }
112556 return ret;
112557diff --git a/mm/memory.c b/mm/memory.c
112558index 388dcf9..82aa351 100644
112559--- a/mm/memory.c
112560+++ b/mm/memory.c
112561@@ -414,6 +414,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
112562 free_pte_range(tlb, pmd, addr);
112563 } while (pmd++, addr = next, addr != end);
112564
112565+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
112566 start &= PUD_MASK;
112567 if (start < floor)
112568 return;
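Review bot: The `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)` added in `free_pmd_range()` compiles out the freeing of the PMD table with no comment giving the reason, and its `#endif` sits in the next hunk as a bare directive. The same applies to the `CONFIG_X86_64` variant in `free_pud_range()` in the two hunks after that. I would add a one-line comment stating why the upper-level table must survive in that configuration and tag the closers, e.g. `#endif /* !CONFIG_X86_32 || !CONFIG_PAX_PER_CPU_PGD */`. Both function bodies start outside their hunks.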
112569@@ -429,6 +430,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
112570 pud_clear(pud);
112571 pmd_free_tlb(tlb, pmd, start);
112572 mm_dec_nr_pmds(tlb->mm);
112573+#endif
112574 }
112575
112576 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
112577@@ -448,6 +450,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
112578 free_pmd_range(tlb, pud, addr, next, floor, ceiling);
112579 } while (pud++, addr = next, addr != end);
112580
112581+#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
112582 start &= PGDIR_MASK;
112583 if (start < floor)
112584 return;
112585@@ -462,6 +465,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
112586 pud = pud_offset(pgd, start);
112587 pgd_clear(pgd);
112588 pud_free_tlb(tlb, pud, start);
112589+#endif
112590+
112591 }
112592
112593 /*
112594@@ -690,7 +695,7 @@ static void print_bad_pte(struct vm_area_struct *vma, unsigned long addr,
112595 /*
112596 * Choose text because data symbols depend on CONFIG_KALLSYMS_ALL=y
112597 */
112598- pr_alert("file:%pD fault:%pf mmap:%pf readpage:%pf\n",
112599+ pr_alert("file:%pD fault:%pX mmap:%pX readpage:%pX\n",
112600 vma->vm_file,
112601 vma->vm_ops ? vma->vm_ops->fault : NULL,
112602 vma->vm_file ? vma->vm_file->f_op->mmap : NULL,
112603@@ -1463,6 +1468,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
112604 page_add_file_rmap(page);
112605 set_pte_at(mm, addr, pte, mk_pte(page, prot));
112606
112607+#ifdef CONFIG_PAX_SEGMEXEC
112608+ pax_mirror_file_pte(vma, addr, page, ptl);
112609+#endif
112610+
112611 retval = 0;
112612 pte_unmap_unlock(pte, ptl);
112613 return retval;
112614@@ -1507,9 +1516,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
112615 if (!page_count(page))
112616 return -EINVAL;
112617 if (!(vma->vm_flags & VM_MIXEDMAP)) {
112618+
112619+#ifdef CONFIG_PAX_SEGMEXEC
112620+ struct vm_area_struct *vma_m;
112621+#endif
112622+
112623 BUG_ON(down_read_trylock(&vma->vm_mm->mmap_sem));
112624 BUG_ON(vma->vm_flags & VM_PFNMAP);
112625 vma->vm_flags |= VM_MIXEDMAP;
112626+
112627+#ifdef CONFIG_PAX_SEGMEXEC
112628+ vma_m = pax_find_mirror_vma(vma);
112629+ if (vma_m)
112630+ vma_m->vm_flags |= VM_MIXEDMAP;
112631+#endif
112632+
112633 }
112634 return insert_page(vma, addr, page, vma->vm_page_prot);
112635 }
112636@@ -1592,6 +1613,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
112637 unsigned long pfn)
112638 {
112639 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
112640+ BUG_ON(vma->vm_mirror);
112641
112642 if (addr < vma->vm_start || addr >= vma->vm_end)
112643 return -EFAULT;
112644@@ -1839,7 +1861,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
112645
112646 BUG_ON(pud_huge(*pud));
112647
112648- pmd = pmd_alloc(mm, pud, addr);
112649+ pmd = (mm == &init_mm) ?
112650+ pmd_alloc_kernel(mm, pud, addr) :
112651+ pmd_alloc(mm, pud, addr);
112652 if (!pmd)
112653 return -ENOMEM;
112654 do {
112655@@ -1859,7 +1883,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
112656 unsigned long next;
112657 int err;
112658
112659- pud = pud_alloc(mm, pgd, addr);
112660+ pud = (mm == &init_mm) ?
112661+ pud_alloc_kernel(mm, pgd, addr) :
112662+ pud_alloc(mm, pgd, addr);
112663 if (!pud)
112664 return -ENOMEM;
112665 do {
112666@@ -2040,6 +2066,196 @@ static inline int wp_page_reuse(struct mm_struct *mm,
112667 return VM_FAULT_WRITE;
112668 }
112669
112670+#ifdef CONFIG_PAX_SEGMEXEC
112671+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
112672+{
112673+ struct mm_struct *mm = vma->vm_mm;
112674+ spinlock_t *ptl;
112675+ pte_t *pte, entry;
112676+
112677+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
112678+ entry = *pte;
112679+ if (pte_none(entry))
112680+ ;
112681+ else if (!pte_present(entry)) {
112682+ swp_entry_t swapentry;
112683+
112684+ swapentry = pte_to_swp_entry(entry);
112685+ if (!non_swap_entry(swapentry))
112686+ dec_mm_counter_fast(mm, MM_SWAPENTS);
112687+ else if (is_migration_entry(swapentry)) {
112688+ if (PageAnon(migration_entry_to_page(swapentry)))
112689+ dec_mm_counter_fast(mm, MM_ANONPAGES);
112690+ else
112691+ dec_mm_counter_fast(mm, MM_FILEPAGES);
112692+ }
112693+ free_swap_and_cache(swapentry);
112694+ pte_clear_not_present_full(mm, address, pte, 0);
112695+ } else {
112696+ struct page *page;
112697+
112698+ flush_cache_page(vma, address, pte_pfn(entry));
112699+ entry = ptep_clear_flush(vma, address, pte);
112700+ BUG_ON(pte_dirty(entry));
112701+ page = vm_normal_page(vma, address, entry);
112702+ if (page) {
112703+ update_hiwater_rss(mm);
112704+ if (PageAnon(page))
112705+ dec_mm_counter_fast(mm, MM_ANONPAGES);
112706+ else
112707+ dec_mm_counter_fast(mm, MM_FILEPAGES);
112708+ page_remove_rmap(page);
112709+ page_cache_release(page);
112710+ }
112711+ }
112712+ pte_unmap_unlock(pte, ptl);
112713+}
112714+
112715+/* PaX: if vma is mirrored, synchronize the mirror's PTE
112716+ *
112717+ * the ptl of the lower mapped page is held on entry and is not released on exit
112718+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
112719+ */
112720+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
112721+{
112722+ struct mm_struct *mm = vma->vm_mm;
112723+ unsigned long address_m;
112724+ spinlock_t *ptl_m;
112725+ struct vm_area_struct *vma_m;
112726+ pmd_t *pmd_m;
112727+ pte_t *pte_m, entry_m;
112728+
112729+ BUG_ON(!page_m || !PageAnon(page_m));
112730+
112731+ vma_m = pax_find_mirror_vma(vma);
112732+ if (!vma_m)
112733+ return;
112734+
112735+ BUG_ON(!PageLocked(page_m));
112736+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
112737+ address_m = address + SEGMEXEC_TASK_SIZE;
112738+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
112739+ pte_m = pte_offset_map(pmd_m, address_m);
112740+ ptl_m = pte_lockptr(mm, pmd_m);
112741+ if (ptl != ptl_m) {
112742+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
112743+ if (!pte_none(*pte_m))
112744+ goto out;
112745+ }
112746+
112747+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
112748+ page_cache_get(page_m);
112749+ page_add_anon_rmap(page_m, vma_m, address_m);
112750+ inc_mm_counter_fast(mm, MM_ANONPAGES);
112751+ set_pte_at(mm, address_m, pte_m, entry_m);
112752+ update_mmu_cache(vma_m, address_m, pte_m);
112753+out:
112754+ if (ptl != ptl_m)
112755+ spin_unlock(ptl_m);
112756+ pte_unmap(pte_m);
112757+ unlock_page(page_m);
112758+}
112759+
112760+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
112761+{
112762+ struct mm_struct *mm = vma->vm_mm;
112763+ unsigned long address_m;
112764+ spinlock_t *ptl_m;
112765+ struct vm_area_struct *vma_m;
112766+ pmd_t *pmd_m;
112767+ pte_t *pte_m, entry_m;
112768+
112769+ BUG_ON(!page_m || PageAnon(page_m));
112770+
112771+ vma_m = pax_find_mirror_vma(vma);
112772+ if (!vma_m)
112773+ return;
112774+
112775+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
112776+ address_m = address + SEGMEXEC_TASK_SIZE;
112777+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
112778+ pte_m = pte_offset_map(pmd_m, address_m);
112779+ ptl_m = pte_lockptr(mm, pmd_m);
112780+ if (ptl != ptl_m) {
112781+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
112782+ if (!pte_none(*pte_m))
112783+ goto out;
112784+ }
112785+
112786+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
112787+ page_cache_get(page_m);
112788+ page_add_file_rmap(page_m);
112789+ inc_mm_counter_fast(mm, MM_FILEPAGES);
112790+ set_pte_at(mm, address_m, pte_m, entry_m);
112791+ update_mmu_cache(vma_m, address_m, pte_m);
112792+out:
112793+ if (ptl != ptl_m)
112794+ spin_unlock(ptl_m);
112795+ pte_unmap(pte_m);
112796+}
112797+
112798+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
112799+{
112800+ struct mm_struct *mm = vma->vm_mm;
112801+ unsigned long address_m;
112802+ spinlock_t *ptl_m;
112803+ struct vm_area_struct *vma_m;
112804+ pmd_t *pmd_m;
112805+ pte_t *pte_m, entry_m;
112806+
112807+ vma_m = pax_find_mirror_vma(vma);
112808+ if (!vma_m)
112809+ return;
112810+
112811+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
112812+ address_m = address + SEGMEXEC_TASK_SIZE;
112813+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
112814+ pte_m = pte_offset_map(pmd_m, address_m);
112815+ ptl_m = pte_lockptr(mm, pmd_m);
112816+ if (ptl != ptl_m) {
112817+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
112818+ if (!pte_none(*pte_m))
112819+ goto out;
112820+ }
112821+
112822+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
112823+ set_pte_at(mm, address_m, pte_m, entry_m);
112824+out:
112825+ if (ptl != ptl_m)
112826+ spin_unlock(ptl_m);
112827+ pte_unmap(pte_m);
112828+}
112829+
112830+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
112831+{
112832+ struct page *page_m;
112833+ pte_t entry;
112834+
112835+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
112836+ goto out;
112837+
112838+ entry = *pte;
112839+ page_m = vm_normal_page(vma, address, entry);
112840+ if (!page_m)
112841+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
112842+ else if (PageAnon(page_m)) {
112843+ if (pax_find_mirror_vma(vma)) {
112844+ pte_unmap_unlock(pte, ptl);
112845+ lock_page(page_m);
112846+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
112847+ if (pte_same(entry, *pte))
112848+ pax_mirror_anon_pte(vma, address, page_m, ptl);
112849+ else
112850+ unlock_page(page_m);
112851+ }
112852+ } else
112853+ pax_mirror_file_pte(vma, address, page_m, ptl);
112854+
112855+out:
112856+ pte_unmap_unlock(pte, ptl);
112857+}
112858+#endif
112859+
112860 /*
112861 * Handle the case of a page which we actually need to copy to a new page.
112862 *
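Review bot: In `pax_mirror_anon_pte()`, `pax_mirror_file_pte()` and `pax_mirror_pfn_pte()` the `!pte_none(*pte_m)` recheck sits inside `if (ptl != ptl_m)`, so when both PTEs share one lock the mirror entry is overwritten without being examined. If a shared lock guarantees that the mirror slot is empty whenever the lower slot was, that invariant belongs in the block comment above `pax_mirror_anon_pte()`; otherwise the test should move out of the conditional, i.e. `if (ptl != ptl_m) spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);` followed by `if (!pte_none(*pte_m)) goto out;`. The three helpers also walk `pgd_offset`/`pud_offset`/`pmd_offset` for `address_m` without any none/bad checks, which presumably relies on the caller having populated the mirror's page tables; that precondition is worth a sentence in the same comment.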
112863@@ -2094,6 +2310,12 @@ static int wp_page_copy(struct mm_struct *mm, struct vm_area_struct *vma,
112864 */
112865 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
112866 if (likely(pte_same(*page_table, orig_pte))) {
112867+
112868+#ifdef CONFIG_PAX_SEGMEXEC
112869+ if (pax_find_mirror_vma(vma))
112870+ BUG_ON(!trylock_page(new_page));
112871+#endif
112872+
112873 if (old_page) {
112874 if (!PageAnon(old_page)) {
112875 dec_mm_counter_fast(mm, MM_FILEPAGES);
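Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition inside the assertion, so the statement that actually takes the page lock reads like a debug check. Writing it as `if (!trylock_page(new_page)) BUG();` keeps the side effect visible. A short comment should also say that the lock is released by `pax_mirror_anon_pte()`, which ends in `unlock_page(page_m)`. The same construct is added in the `do_anonymous_page()` and `do_cow_fault()` hunks further down. wp_page_copy's body starts and ends outside the hunk.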
112876@@ -2148,6 +2370,10 @@ static int wp_page_copy(struct mm_struct *mm, struct vm_area_struct *vma,
112877 page_remove_rmap(old_page);
112878 }
112879
112880+#ifdef CONFIG_PAX_SEGMEXEC
112881+ pax_mirror_anon_pte(vma, address, new_page, ptl);
112882+#endif
112883+
112884 /* Free the old page.. */
112885 new_page = old_page;
112886 page_copied = 1;
112887@@ -2579,6 +2805,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
112888 swap_free(entry);
112889 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
112890 try_to_free_swap(page);
112891+
112892+#ifdef CONFIG_PAX_SEGMEXEC
112893+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
112894+#endif
112895+
112896 unlock_page(page);
112897 if (page != swapcache) {
112898 /*
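Review bot: The `#ifdef` block turns the existing `unlock_page(page);` into the body of an `if` without re-indenting it, so the statement looks unconditional and the condition is easy to miss when reading a SEGMEXEC build. The page is left locked for a read fault on a mirrored vma, presumably because the `pax_mirror_anon_pte()` call added in the next hunk asserts `PageLocked()` and unlocks on exit; that should be stated in a comment here. It is also worth confirming that every exit between this point and that call unlocks the page, since those paths are outside the hunk.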
112899@@ -2602,6 +2833,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
112900
112901 /* No need to invalidate - it was non-present before */
112902 update_mmu_cache(vma, address, page_table);
112903+
112904+#ifdef CONFIG_PAX_SEGMEXEC
112905+ pax_mirror_anon_pte(vma, address, page, ptl);
112906+#endif
112907+
112908 unlock:
112909 pte_unmap_unlock(page_table, ptl);
112910 out:
112911@@ -2621,40 +2857,6 @@ out_release:
112912 }
112913
112914 /*
112915- * This is like a special single-page "expand_{down|up}wards()",
112916- * except we must first make sure that 'address{-|+}PAGE_SIZE'
112917- * doesn't hit another vma.
112918- */
112919-static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
112920-{
112921- address &= PAGE_MASK;
112922- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
112923- struct vm_area_struct *prev = vma->vm_prev;
112924-
112925- /*
112926- * Is there a mapping abutting this one below?
112927- *
112928- * That's only ok if it's the same stack mapping
112929- * that has gotten split..
112930- */
112931- if (prev && prev->vm_end == address)
112932- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
112933-
112934- return expand_downwards(vma, address - PAGE_SIZE);
112935- }
112936- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
112937- struct vm_area_struct *next = vma->vm_next;
112938-
112939- /* As VM_GROWSDOWN but s/below/above/ */
112940- if (next && next->vm_start == address + PAGE_SIZE)
112941- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
112942-
112943- return expand_upwards(vma, address + PAGE_SIZE);
112944- }
112945- return 0;
112946-}
112947-
112948-/*
112949 * We enter with non-exclusive mmap_sem (to exclude vma changes,
112950 * but allow concurrent faults), and pte mapped but not yet locked.
112951 * We return with mmap_sem still held, but pte unmapped and unlocked.
112952@@ -2664,31 +2866,29 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
112953 unsigned int flags)
112954 {
112955 struct mem_cgroup *memcg;
112956- struct page *page;
112957+ struct page *page = NULL;
112958 spinlock_t *ptl;
112959 pte_t entry;
112960
112961- pte_unmap(page_table);
112962-
112963 /* File mapping without ->vm_ops ? */
112964- if (vma->vm_flags & VM_SHARED)
112965+ if (vma->vm_flags & VM_SHARED) {
112966+ pte_unmap(page_table);
112967 return VM_FAULT_SIGBUS;
112968+ }
112969
112970- /* Check if we need to add a guard page to the stack */
112971- if (check_stack_guard_page(vma, address) < 0)
112972- return VM_FAULT_SIGSEGV;
112973-
112974- /* Use the zero-page for reads */
112975 if (!(flags & FAULT_FLAG_WRITE) && !mm_forbids_zeropage(mm)) {
112976 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
112977 vma->vm_page_prot));
112978- page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
112979+ ptl = pte_lockptr(mm, pmd);
112980+ spin_lock(ptl);
112981 if (!pte_none(*page_table))
112982 goto unlock;
112983 goto setpte;
112984 }
112985
112986 /* Allocate our own private page. */
112987+ pte_unmap(page_table);
112988+
112989 if (unlikely(anon_vma_prepare(vma)))
112990 goto oom;
112991 page = alloc_zeroed_user_highpage_movable(vma, address);
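Review bot: The call to `check_stack_guard_page()` is removed from `do_anonymous_page()` and its definition is deleted in the previous hunk, but nothing in the new code says where the stack guard is enforced instead. A comment at this spot naming the replacement check would keep the function auditable; the replacement is not visible in this part of the patch. The hunk also drops the `/* Use the zero-page for reads */` comment while keeping the branch. The zero-page path now takes the lock on the caller's mapping with `pte_lockptr()` and `spin_lock()` instead of remapping, which deserves a one-line note that `page_table` is still mapped there. do_anonymous_page's body continues outside the hunk.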
112992@@ -2713,6 +2913,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
112993 if (!pte_none(*page_table))
112994 goto release;
112995
112996+#ifdef CONFIG_PAX_SEGMEXEC
112997+ if (pax_find_mirror_vma(vma))
112998+ BUG_ON(!trylock_page(page));
112999+#endif
113000+
113001 inc_mm_counter_fast(mm, MM_ANONPAGES);
113002 page_add_new_anon_rmap(page, vma, address);
113003 mem_cgroup_commit_charge(page, memcg, false);
113004@@ -2722,6 +2927,12 @@ setpte:
113005
113006 /* No need to invalidate - it was non-present before */
113007 update_mmu_cache(vma, address, page_table);
113008+
113009+#ifdef CONFIG_PAX_SEGMEXEC
113010+ if (page)
113011+ pax_mirror_anon_pte(vma, address, page, ptl);
113012+#endif
113013+
113014 unlock:
113015 pte_unmap_unlock(page_table, ptl);
113016 return 0;
113017@@ -2954,6 +3165,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113018 return ret;
113019 }
113020 do_set_pte(vma, address, fault_page, pte, false, false);
113021+
113022+#ifdef CONFIG_PAX_SEGMEXEC
113023+ pax_mirror_file_pte(vma, address, fault_page, ptl);
113024+#endif
113025+
113026 unlock_page(fault_page);
113027 unlock_out:
113028 pte_unmap_unlock(pte, ptl);
113029@@ -3005,7 +3221,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113030 }
113031 goto uncharge_out;
113032 }
113033+
113034+#ifdef CONFIG_PAX_SEGMEXEC
113035+ if (pax_find_mirror_vma(vma))
113036+ BUG_ON(!trylock_page(new_page));
113037+#endif
113038+
113039 do_set_pte(vma, address, new_page, pte, true, true);
113040+
113041+#ifdef CONFIG_PAX_SEGMEXEC
113042+ pax_mirror_anon_pte(vma, address, new_page, ptl);
113043+#endif
113044+
113045 mem_cgroup_commit_charge(new_page, memcg, false);
113046 lru_cache_add_active_or_unevictable(new_page, vma);
113047 pte_unmap_unlock(pte, ptl);
113048@@ -3063,6 +3290,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113049 return ret;
113050 }
113051 do_set_pte(vma, address, fault_page, pte, true, false);
113052+
113053+#ifdef CONFIG_PAX_SEGMEXEC
113054+ pax_mirror_file_pte(vma, address, fault_page, ptl);
113055+#endif
113056+
113057 pte_unmap_unlock(pte, ptl);
113058
113059 if (set_page_dirty(fault_page))
113060@@ -3288,6 +3520,12 @@ static int handle_pte_fault(struct mm_struct *mm,
113061 if (flags & FAULT_FLAG_WRITE)
113062 flush_tlb_fix_spurious_fault(vma, address);
113063 }
113064+
113065+#ifdef CONFIG_PAX_SEGMEXEC
113066+ pax_mirror_pte(vma, address, pte, pmd, ptl);
113067+ return 0;
113068+#endif
113069+
113070 unlock:
113071 pte_unmap_unlock(pte, ptl);
113072 return 0;
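Review bot: With CONFIG_PAX_SEGMEXEC the added `return 0;` bypasses the `unlock:` fall-through, so on this path the PTE lock and mapping are released only if `pax_mirror_pte()` does it itself. That is presumably its contract, but nothing at the call site says so, and a reader comparing the two configurations sees an apparently missing `pte_unmap_unlock()`. A comment above the call, e.g. `/* pax_mirror_pte() unmaps pte and drops ptl before returning */`, would document it once the contract is confirmed. The start of handle_pte_fault is outside the hunk.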
113073@@ -3307,9 +3545,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113074 pmd_t *pmd;
113075 pte_t *pte;
113076
113077+#ifdef CONFIG_PAX_SEGMEXEC
113078+ struct vm_area_struct *vma_m;
113079+#endif
113080+
113081 if (unlikely(is_vm_hugetlb_page(vma)))
113082 return hugetlb_fault(mm, vma, address, flags);
113083
113084+#ifdef CONFIG_PAX_SEGMEXEC
113085+ vma_m = pax_find_mirror_vma(vma);
113086+ if (vma_m) {
113087+ unsigned long address_m;
113088+ pgd_t *pgd_m;
113089+ pud_t *pud_m;
113090+ pmd_t *pmd_m;
113091+
113092+ if (vma->vm_start > vma_m->vm_start) {
113093+ address_m = address;
113094+ address -= SEGMEXEC_TASK_SIZE;
113095+ vma = vma_m;
113096+ } else
113097+ address_m = address + SEGMEXEC_TASK_SIZE;
113098+
113099+ pgd_m = pgd_offset(mm, address_m);
113100+ pud_m = pud_alloc(mm, pgd_m, address_m);
113101+ if (!pud_m)
113102+ return VM_FAULT_OOM;
113103+ pmd_m = pmd_alloc(mm, pud_m, address_m);
113104+ if (!pmd_m)
113105+ return VM_FAULT_OOM;
113106+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
113107+ return VM_FAULT_OOM;
113108+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
113109+ }
113110+#endif
113111+
113112 pgd = pgd_offset(mm, address);
113113 pud = pud_alloc(mm, pgd, address);
113114 if (!pud)
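Review bot: The mirror block swaps `vma` and `address` to the lower half when `vma->vm_start > vma_m->vm_start`, but no comment explains the two branches. Something like `/* fault came in through the mirror: service it on the primary vma, keep address_m for the mirror page tables */` above that `if` would help, assuming that is the intent. The unbraced `else` after a braced `if` also departs from kernel style; `} else {` / `address_m = address + SEGMEXEC_TASK_SIZE;` / `}` is the usual form. The function continues outside the hunk.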
113115@@ -3444,6 +3714,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
113116 spin_unlock(&mm->page_table_lock);
113117 return 0;
113118 }
113119+
113120+int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
113121+{
113122+ pud_t *new = pud_alloc_one(mm, address);
113123+ if (!new)
113124+ return -ENOMEM;
113125+
113126+ smp_wmb(); /* See comment in __pte_alloc */
113127+
113128+ spin_lock(&mm->page_table_lock);
113129+ if (pgd_present(*pgd)) /* Another has populated it */
113130+ pud_free(mm, new);
113131+ else
113132+ pgd_populate_kernel(mm, pgd, new);
113133+ spin_unlock(&mm->page_table_lock);
113134+ return 0;
113135+}
113136 #endif /* __PAGETABLE_PUD_FOLDED */
113137
113138 #ifndef __PAGETABLE_PMD_FOLDED
113139@@ -3476,6 +3763,32 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
113140 spin_unlock(&mm->page_table_lock);
113141 return 0;
113142 }
113143+
113144+int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address)
113145+{
113146+ pmd_t *new = pmd_alloc_one(mm, address);
113147+ if (!new)
113148+ return -ENOMEM;
113149+
113150+ smp_wmb(); /* See comment in __pte_alloc */
113151+
113152+ spin_lock(&mm->page_table_lock);
113153+#ifndef __ARCH_HAS_4LEVEL_HACK
113154+ if (!pud_present(*pud)) {
113155+ mm_inc_nr_pmds(mm);
113156+ pud_populate_kernel(mm, pud, new);
113157+ } else /* Another has populated it */
113158+ pmd_free(mm, new);
113159+#else
113160+ if (!pgd_present(*pud)) {
113161+ mm_inc_nr_pmds(mm);
113162+ pgd_populate_kernel(mm, pud, new);
113163+ } else /* Another has populated it */
113164+ pmd_free(mm, new);
113165+#endif /* __ARCH_HAS_4LEVEL_HACK */
113166+ spin_unlock(&mm->page_table_lock);
113167+ return 0;
113168+}
113169 #endif /* __PAGETABLE_PMD_FOLDED */
113170
113171 static int __follow_pte(struct mm_struct *mm, unsigned long address,
113172@@ -3585,8 +3898,8 @@ out:
113173 return ret;
113174 }
113175
113176-int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
113177- void *buf, int len, int write)
113178+ssize_t generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
113179+ void *buf, size_t len, int write)
113180 {
113181 resource_size_t phys_addr;
113182 unsigned long prot = 0;
113183@@ -3612,8 +3925,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys);
113184 * Access another process' address space as given in mm. If non-NULL, use the
113185 * given task for page fault accounting.
113186 */
113187-static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113188- unsigned long addr, void *buf, int len, int write)
113189+static ssize_t __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113190+ unsigned long addr, void *buf, size_t len, int write)
113191 {
113192 struct vm_area_struct *vma;
113193 void *old_buf = buf;
113194@@ -3621,7 +3934,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113195 down_read(&mm->mmap_sem);
113196 /* ignore errors, just check how much was successfully transferred */
113197 while (len) {
113198- int bytes, ret, offset;
113199+ ssize_t bytes, ret, offset;
113200 void *maddr;
113201 struct page *page = NULL;
113202
113203@@ -3682,8 +3995,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113204 *
113205 * The caller must hold a reference on @mm.
113206 */
113207-int access_remote_vm(struct mm_struct *mm, unsigned long addr,
113208- void *buf, int len, int write)
113209+ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
113210+ void *buf, size_t len, int write)
113211 {
113212 return __access_remote_vm(NULL, mm, addr, buf, len, write);
113213 }
113214@@ -3693,11 +4006,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
113215 * Source/target buffer must be kernel space,
113216 * Do not walk the page table directly, use get_user_pages
113217 */
113218-int access_process_vm(struct task_struct *tsk, unsigned long addr,
113219- void *buf, int len, int write)
113220+ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr,
113221+ void *buf, size_t len, int write)
113222 {
113223 struct mm_struct *mm;
113224- int ret;
113225+ ssize_t ret;
113226
113227 mm = get_task_mm(tsk);
113228 if (!mm)
113229diff --git a/mm/mempolicy.c b/mm/mempolicy.c
113230index 99d4c1d..a577817 100644
113231--- a/mm/mempolicy.c
113232+++ b/mm/mempolicy.c
113233@@ -703,6 +703,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
113234 unsigned long vmstart;
113235 unsigned long vmend;
113236
113237+#ifdef CONFIG_PAX_SEGMEXEC
113238+ struct vm_area_struct *vma_m;
113239+#endif
113240+
113241 vma = find_vma(mm, start);
113242 if (!vma || vma->vm_start > start)
113243 return -EFAULT;
113244@@ -746,6 +750,16 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
113245 err = vma_replace_policy(vma, new_pol);
113246 if (err)
113247 goto out;
113248+
113249+#ifdef CONFIG_PAX_SEGMEXEC
113250+ vma_m = pax_find_mirror_vma(vma);
113251+ if (vma_m) {
113252+ err = vma_replace_policy(vma_m, new_pol);
113253+ if (err)
113254+ goto out;
113255+ }
113256+#endif
113257+
113258 }
113259
113260 out:
113261@@ -1161,6 +1175,17 @@ static long do_mbind(unsigned long start, unsigned long len,
113262
113263 if (end < start)
113264 return -EINVAL;
113265+
113266+#ifdef CONFIG_PAX_SEGMEXEC
113267+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
113268+ if (end > SEGMEXEC_TASK_SIZE)
113269+ return -EINVAL;
113270+ } else
113271+#endif
113272+
113273+ if (end > TASK_SIZE)
113274+ return -EINVAL;
113275+
113276 if (end == start)
113277 return 0;
113278
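Review bot: The `} else` that closes the SEGMEXEC branch is followed by `#endif`, a blank line and only then the `if (end > TASK_SIZE)` it binds to, so the control flow depends on a statement that looks unrelated and will silently change if a line is inserted between them. Selecting the limit first and testing once avoids the dangling `else`; `task_size` would be declared with the function's other locals. The unbraced `if` ahead of `#endif` in the vm_stat_account and mmap_region hunks of mm/mmap.c has the same shape: there it governs only the single statement after the blank line (`mm->total_vm += pages;` and the `may_expand_vm()` check), which braces or a comment should make explicit. do_mbind's body continues outside the hunk.

```c
	/* task_size: unsigned long, declared with the other locals */
	task_size = TASK_SIZE;
#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif
	if (end > task_size)
		return -EINVAL;
```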
113279@@ -1386,8 +1411,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
113280 */
113281 tcred = __task_cred(task);
113282 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
113283- !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
113284- !capable(CAP_SYS_NICE)) {
113285+ !uid_eq(cred->uid, tcred->suid) && !capable(CAP_SYS_NICE)) {
113286 rcu_read_unlock();
113287 err = -EPERM;
113288 goto out_put;
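Review bot: The permission test no longer accepts `uid_eq(cred->uid, tcred->uid)`, but the comment block that ends just above the hunk is outside the visible lines and may still describe the original four-way comparison. If the tightening is deliberate, say so at the condition, e.g. `/* a matching real uid alone is intentionally not sufficient here */`. The move_pages hunk in mm/migrate.c makes the identical change and needs the same note.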
113289@@ -1418,6 +1442,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
113290 goto out;
113291 }
113292
113293+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
113294+ if (mm != current->mm &&
113295+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
113296+ mmput(mm);
113297+ err = -EPERM;
113298+ goto out;
113299+ }
113300+#endif
113301+
113302 err = do_migrate_pages(mm, old, new,
113303 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
113304
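Review bot: `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` tests the same word twice and relies on `&` binding tighter than `||`; `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)` is shorter and harder to misread. The block also has no comment saying what it protects; judging by the config name it keeps one task from acting on another task's randomized layout, and a line stating that would help. The move_pages hunk in mm/migrate.c shows only the credential change in this chunk, so if the same restriction is meant to apply there it is not visible here.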
113305diff --git a/mm/migrate.c b/mm/migrate.c
113306index eb42671..9f2f3ea 100644
113307--- a/mm/migrate.c
113308+++ b/mm/migrate.c
113309@@ -1491,8 +1491,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
113310 */
113311 tcred = __task_cred(task);
113312 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
113313- !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
113314- !capable(CAP_SYS_NICE)) {
113315+ !uid_eq(cred->uid, tcred->suid) && !capable(CAP_SYS_NICE)) {
113316 rcu_read_unlock();
113317 err = -EPERM;
113318 goto out;
113319diff --git a/mm/mlock.c b/mm/mlock.c
113320index 6fd2cf1..cbae765 100644
113321--- a/mm/mlock.c
113322+++ b/mm/mlock.c
113323@@ -14,6 +14,7 @@
113324 #include <linux/pagevec.h>
113325 #include <linux/mempolicy.h>
113326 #include <linux/syscalls.h>
113327+#include <linux/security.h>
113328 #include <linux/sched.h>
113329 #include <linux/export.h>
113330 #include <linux/rmap.h>
113331@@ -557,7 +558,7 @@ static int do_mlock(unsigned long start, size_t len, int on)
113332 {
113333 unsigned long nstart, end, tmp;
113334 struct vm_area_struct * vma, * prev;
113335- int error;
113336+ int error = 0;
113337
113338 VM_BUG_ON(start & ~PAGE_MASK);
113339 VM_BUG_ON(len != PAGE_ALIGN(len));
113340@@ -566,6 +567,9 @@ static int do_mlock(unsigned long start, size_t len, int on)
113341 return -EINVAL;
113342 if (end == start)
113343 return 0;
113344+ if (end > TASK_SIZE)
113345+ return -EINVAL;
113346+
113347 vma = find_vma(current->mm, start);
113348 if (!vma || vma->vm_start > start)
113349 return -ENOMEM;
113350@@ -577,6 +581,11 @@ static int do_mlock(unsigned long start, size_t len, int on)
113351 for (nstart = start ; ; ) {
113352 vm_flags_t newflags;
113353
113354+#ifdef CONFIG_PAX_SEGMEXEC
113355+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
113356+ break;
113357+#endif
113358+
113359 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
113360
113361 newflags = vma->vm_flags & ~VM_LOCKED;
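Review bot: The added `break` leaves the loop with `error` unchanged, and the earlier do_mlock hunk initialises `error` to 0, so as far as the visible lines show a request whose first VMA lies at or above `SEGMEXEC_TASK_SIZE` would return success without locking anything. do_mbind in mm/mempolicy.c instead rejects `end > SEGMEXEC_TASK_SIZE` with `-EINVAL` for SEGMEXEC tasks, while do_mlock only checks `end > TASK_SIZE`. Either apply the same bound up front or add a comment explaining why stopping silently at the mirror half is intended, e.g. `/* mirror VMAs are handled through their primary; nothing to do past this point */`. The code after the loop is outside the hunk.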
113362@@ -627,6 +636,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
113363 locked += current->mm->locked_vm;
113364
113365 /* check against resource limits */
113366+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
113367 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
113368 error = do_mlock(start, len, 1);
113369
113370@@ -668,6 +678,11 @@ static int do_mlockall(int flags)
113371 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
113372 vm_flags_t newflags;
113373
113374+#ifdef CONFIG_PAX_SEGMEXEC
113375+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
113376+ break;
113377+#endif
113378+
113379 newflags = vma->vm_flags & ~VM_LOCKED;
113380 if (flags & MCL_CURRENT)
113381 newflags |= VM_LOCKED;
113382@@ -699,8 +714,10 @@ SYSCALL_DEFINE1(mlockall, int, flags)
113383 lock_limit >>= PAGE_SHIFT;
113384
113385 ret = -ENOMEM;
113386+
113387+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
113388+
113389 down_write(&current->mm->mmap_sem);
113390-
113391 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
113392 capable(CAP_IPC_LOCK))
113393 ret = do_mlockall(flags);
113394diff --git a/mm/mm_init.c b/mm/mm_init.c
113395index fdadf91..5f527d1 100644
113396--- a/mm/mm_init.c
113397+++ b/mm/mm_init.c
113398@@ -170,7 +170,7 @@ static int __meminit mm_compute_batch_notifier(struct notifier_block *self,
113399 return NOTIFY_OK;
113400 }
113401
113402-static struct notifier_block compute_batch_nb __meminitdata = {
113403+static struct notifier_block compute_batch_nb __meminitconst = {
113404 .notifier_call = mm_compute_batch_notifier,
113405 .priority = IPC_CALLBACK_PRI, /* use lowest priority */
113406 };
113407diff --git a/mm/mmap.c b/mm/mmap.c
113408index aa632ad..13456342 100644
113409--- a/mm/mmap.c
113410+++ b/mm/mmap.c
113411@@ -41,6 +41,7 @@
113412 #include <linux/notifier.h>
113413 #include <linux/memory.h>
113414 #include <linux/printk.h>
113415+#include <linux/random.h>
113416
113417 #include <asm/uaccess.h>
113418 #include <asm/cacheflush.h>
113419@@ -57,6 +58,16 @@
113420 #define arch_rebalance_pgtables(addr, len) (addr)
113421 #endif
113422
113423+static inline void verify_mm_writelocked(struct mm_struct *mm)
113424+{
113425+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
113426+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
113427+ up_read(&mm->mmap_sem);
113428+ BUG();
113429+ }
113430+#endif
113431+}
113432+
113433 static void unmap_region(struct mm_struct *mm,
113434 struct vm_area_struct *vma, struct vm_area_struct *prev,
113435 unsigned long start, unsigned long end);
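Review bot: `verify_mm_writelocked()` has no comment, and its name promises more than the check can deliver: a successful `down_read_trylock()` proves no writer holds `mmap_sem`, but a failed one does not prove the current task is the writer. A header comment such as `/* catches a missing write lock on mmap_sem; cannot tell whose write lock it is */` would keep callers from over-trusting it. It is also worth noting there that the body is empty unless CONFIG_DEBUG_VM or CONFIG_PAX is set.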
113436@@ -76,16 +87,25 @@ static void unmap_region(struct mm_struct *mm,
113437 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
113438 *
113439 */
113440-pgprot_t protection_map[16] = {
113441+pgprot_t protection_map[16] __read_only = {
113442 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
113443 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
113444 };
113445
113446-pgprot_t vm_get_page_prot(unsigned long vm_flags)
113447+pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
113448 {
113449- return __pgprot(pgprot_val(protection_map[vm_flags &
113450+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
113451 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
113452 pgprot_val(arch_vm_get_page_prot(vm_flags)));
113453+
113454+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
113455+ if (!(__supported_pte_mask & _PAGE_NX) &&
113456+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
113457+ (vm_flags & (VM_READ | VM_WRITE)))
113458+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
113459+#endif
113460+
113461+ return prot;
113462 }
113463 EXPORT_SYMBOL(vm_get_page_prot);
113464
113465@@ -114,6 +134,7 @@ unsigned long sysctl_overcommit_kbytes __read_mostly;
113466 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
113467 unsigned long sysctl_user_reserve_kbytes __read_mostly = 1UL << 17; /* 128MB */
113468 unsigned long sysctl_admin_reserve_kbytes __read_mostly = 1UL << 13; /* 8MB */
113469+unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
113470 /*
113471 * Make sure vm_committed_as in one cacheline and not cacheline shared with
113472 * other variables. It can be updated by several CPUs frequently.
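Review bot: `sysctl_heap_stack_gap` is the only tunable in this group without a unit comment, and unlike its `*_kbytes` neighbours it appears to be in bytes, since `check_heap_stack_gap()` later in this file compares it directly with address differences. Suggest `unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024; /* 64KB, in bytes */` so the unit is not guessed from the surrounding declarations.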
113473@@ -271,6 +292,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
113474 struct vm_area_struct *next = vma->vm_next;
113475
113476 might_sleep();
113477+ BUG_ON(vma->vm_mirror);
113478 if (vma->vm_ops && vma->vm_ops->close)
113479 vma->vm_ops->close(vma);
113480 if (vma->vm_file)
113481@@ -284,6 +306,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len);
113482
113483 SYSCALL_DEFINE1(brk, unsigned long, brk)
113484 {
113485+ unsigned long rlim;
113486 unsigned long retval;
113487 unsigned long newbrk, oldbrk;
113488 struct mm_struct *mm = current->mm;
113489@@ -314,7 +337,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
113490 * segment grow beyond its set limit the in case where the limit is
113491 * not page aligned -Ram Gupta
113492 */
113493- if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
113494+ rlim = rlimit(RLIMIT_DATA);
113495+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
113496+ /* force a minimum 16MB brk heap on setuid/setgid binaries */
113497+ if (rlim < PAGE_SIZE && (get_dumpable(mm) != SUID_DUMP_USER) && gr_is_global_nonroot(current_uid()))
113498+ rlim = 4096 * PAGE_SIZE;
113499+#endif
113500+ if (check_data_rlimit(rlim, brk, mm->start_brk,
113501 mm->end_data, mm->start_data))
113502 goto out;
113503
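Review bot: The comment promises a 16MB minimum, but `rlim = 4096 * PAGE_SIZE;` is 16MB only with 4 KiB pages; with a larger page size the floor grows with it. Either express the constant in bytes, `rlim = 16UL << 20;`, or reword the comment to "4096 pages". The override also applies only when `rlim < PAGE_SIZE`, i.e. an effectively zero RLIMIT_DATA, which the comment should mention since "force a minimum" reads as if any smaller limit were raised. The rest of the brk syscall is outside the hunk.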
113504@@ -967,6 +996,12 @@ static int
113505 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
113506 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
113507 {
113508+
113509+#ifdef CONFIG_PAX_SEGMEXEC
113510+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
113511+ return 0;
113512+#endif
113513+
113514 if (is_mergeable_vma(vma, file, vm_flags) &&
113515 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
113516 if (vma->vm_pgoff == vm_pgoff)
113517@@ -986,6 +1021,12 @@ static int
113518 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
113519 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
113520 {
113521+
113522+#ifdef CONFIG_PAX_SEGMEXEC
113523+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
113524+ return 0;
113525+#endif
113526+
113527 if (is_mergeable_vma(vma, file, vm_flags) &&
113528 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
113529 pgoff_t vm_pglen;
113530@@ -1035,6 +1076,13 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
113531 struct vm_area_struct *area, *next;
113532 int err;
113533
113534+#ifdef CONFIG_PAX_SEGMEXEC
113535+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
113536+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
113537+
113538+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
113539+#endif
113540+
113541 /*
113542 * We later require that vma->vm_flags == vm_flags,
113543 * so this tests vma->vm_flags & VM_SPECIAL, too.
113544@@ -1050,6 +1098,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
113545 if (next && next->vm_end == end) /* cases 6, 7, 8 */
113546 next = next->vm_next;
113547
113548+#ifdef CONFIG_PAX_SEGMEXEC
113549+ if (prev)
113550+ prev_m = pax_find_mirror_vma(prev);
113551+ if (area)
113552+ area_m = pax_find_mirror_vma(area);
113553+ if (next)
113554+ next_m = pax_find_mirror_vma(next);
113555+#endif
113556+
113557 /*
113558 * Can it merge with the predecessor?
113559 */
113560@@ -1069,9 +1126,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
113561 /* cases 1, 6 */
113562 err = vma_adjust(prev, prev->vm_start,
113563 next->vm_end, prev->vm_pgoff, NULL);
113564- } else /* cases 2, 5, 7 */
113565+
113566+#ifdef CONFIG_PAX_SEGMEXEC
113567+ if (!err && prev_m)
113568+ err = vma_adjust(prev_m, prev_m->vm_start,
113569+ next_m->vm_end, prev_m->vm_pgoff, NULL);
113570+#endif
113571+
113572+ } else { /* cases 2, 5, 7 */
113573 err = vma_adjust(prev, prev->vm_start,
113574 end, prev->vm_pgoff, NULL);
113575+
113576+#ifdef CONFIG_PAX_SEGMEXEC
113577+ if (!err && prev_m)
113578+ err = vma_adjust(prev_m, prev_m->vm_start,
113579+ end_m, prev_m->vm_pgoff, NULL);
113580+#endif
113581+
113582+ }
113583 if (err)
113584 return NULL;
113585 khugepaged_enter_vma_merge(prev, vm_flags);
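Review bot: If the mirror `vma_adjust(prev_m, ...)` fails after the primary `vma_adjust(prev, ...)` succeeded, the function returns NULL with `prev` already extended, leaving the primary and mirror VMAs out of step; the hunk has no rollback or comment covering that case. The cases 1/6 branch also dereferences `next_m->vm_end` whenever `prev_m` is set, which relies on `next` having a mirror whenever `prev` does; that presumably follows from the merge requiring identical flags, but `BUG_ON(!next_m);` before the call would make the assumption explicit. The next hunk (case 4 and cases 3/8) has the same two issues with `prev_m`/`area_m` and `next_m`. vma_merge starts and ends outside the hunk.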
113586@@ -1085,12 +1157,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
113587 mpol_equal(policy, vma_policy(next)) &&
113588 can_vma_merge_before(next, vm_flags,
113589 anon_vma, file, pgoff+pglen)) {
113590- if (prev && addr < prev->vm_end) /* case 4 */
113591+ if (prev && addr < prev->vm_end) { /* case 4 */
113592 err = vma_adjust(prev, prev->vm_start,
113593 addr, prev->vm_pgoff, NULL);
113594- else /* cases 3, 8 */
113595+
113596+#ifdef CONFIG_PAX_SEGMEXEC
113597+ if (!err && prev_m)
113598+ err = vma_adjust(prev_m, prev_m->vm_start,
113599+ addr_m, prev_m->vm_pgoff, NULL);
113600+#endif
113601+
113602+ } else { /* cases 3, 8 */
113603 err = vma_adjust(area, addr, next->vm_end,
113604 next->vm_pgoff - pglen, NULL);
113605+
113606+#ifdef CONFIG_PAX_SEGMEXEC
113607+ if (!err && area_m)
113608+ err = vma_adjust(area_m, addr_m, next_m->vm_end,
113609+ next_m->vm_pgoff - pglen, NULL);
113610+#endif
113611+
113612+ }
113613 if (err)
113614 return NULL;
113615 khugepaged_enter_vma_merge(area, vm_flags);
113616@@ -1199,8 +1286,10 @@ none:
113617 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
113618 struct file *file, long pages)
113619 {
113620- const unsigned long stack_flags
113621- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
113622+
113623+#ifdef CONFIG_PAX_RANDMMAP
113624+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
113625+#endif
113626
113627 mm->total_vm += pages;
113628
113629@@ -1208,7 +1297,7 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags,
113630 mm->shared_vm += pages;
113631 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
113632 mm->exec_vm += pages;
113633- } else if (flags & stack_flags)
113634+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
113635 mm->stack_vm += pages;
113636 }
113637 #endif /* CONFIG_PROC_FS */
113638@@ -1238,6 +1327,7 @@ static inline int mlock_future_check(struct mm_struct *mm,
113639 locked += mm->locked_vm;
113640 lock_limit = rlimit(RLIMIT_MEMLOCK);
113641 lock_limit >>= PAGE_SHIFT;
113642+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
113643 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
113644 return -EAGAIN;
113645 }
113646@@ -1267,7 +1357,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
113647 * (the exception is when the underlying filesystem is noexec
113648 * mounted, in which case we dont add PROT_EXEC.)
113649 */
113650- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
113651+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
113652 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
113653 prot |= PROT_EXEC;
113654
113655@@ -1290,7 +1380,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
113656 /* Obtain the address to map to. we verify (or select) it and ensure
113657 * that it represents a valid section of the address space.
113658 */
113659- addr = get_unmapped_area(file, addr, len, pgoff, flags);
113660+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
113661 if (addr & ~PAGE_MASK)
113662 return addr;
113663
113664@@ -1301,6 +1391,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
113665 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
113666 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
113667
113668+#ifdef CONFIG_PAX_MPROTECT
113669+ if (mm->pax_flags & MF_PAX_MPROTECT) {
113670+
113671+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
113672+ if (file && !pgoff && (vm_flags & VM_EXEC) && mm->binfmt &&
113673+ mm->binfmt->handle_mmap)
113674+ mm->binfmt->handle_mmap(file);
113675+#endif
113676+
113677+#ifndef CONFIG_PAX_MPROTECT_COMPAT
113678+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
113679+ gr_log_rwxmmap(file);
113680+
113681+#ifdef CONFIG_PAX_EMUPLT
113682+ vm_flags &= ~VM_EXEC;
113683+#else
113684+ return -EPERM;
113685+#endif
113686+
113687+ }
113688+
113689+ if (!(vm_flags & VM_EXEC))
113690+ vm_flags &= ~VM_MAYEXEC;
113691+#else
113692+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
113693+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
113694+#endif
113695+ else
113696+ vm_flags &= ~VM_MAYWRITE;
113697+ }
113698+#endif
113699+
113700+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
113701+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
113702+ vm_flags &= ~VM_PAGEEXEC;
113703+#endif
113704+
113705 if (flags & MAP_LOCKED)
113706 if (!can_do_mlock())
113707 return -EPERM;
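Review bot: The trailing `else` / `vm_flags &= ~VM_MAYWRITE;` sits after the inner `#endif` and pairs with whichever `if` the preprocessor kept, so its meaning depends on CONFIG_PAX_MPROTECT_COMPAT and cannot be seen by reading either arm alone. Closing the if/else inside each arm keeps the logic identical and makes each configuration readable in isolation. A short comment on the CONFIG_PAX_EMUPLT case, where a W|X request is downgraded by clearing `VM_EXEC` instead of failing with `-EPERM`, would also help, because the caller gets a successful mapping with fewer rights than requested. do_mmap_pgoff continues outside the hunk.

```c
#ifndef CONFIG_PAX_MPROTECT_COMPAT
		/* … unchanged: W|X logging, EMUPLT downgrade or -EPERM … */

		if (!(vm_flags & VM_EXEC)) {
			vm_flags &= ~VM_MAYEXEC;
		} else {
			vm_flags &= ~VM_MAYWRITE;
		}
#else
		if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC) {
			vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
		} else {
			vm_flags &= ~VM_MAYWRITE;
		}
#endif
```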
113708@@ -1388,6 +1515,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
113709 vm_flags |= VM_NORESERVE;
113710 }
113711
113712+ if (!gr_acl_handle_mmap(file, prot))
113713+ return -EACCES;
113714+
113715 addr = mmap_region(file, addr, len, vm_flags, pgoff);
113716 if (!IS_ERR_VALUE(addr) &&
113717 ((vm_flags & VM_LOCKED) ||
113718@@ -1481,7 +1611,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
113719 vm_flags_t vm_flags = vma->vm_flags;
113720
113721 /* If it was private or non-writable, the write bit is already clear */
113722- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
113723+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
113724 return 0;
113725
113726 /* The backer wishes to know when pages are first written to? */
113727@@ -1532,7 +1662,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
113728 struct rb_node **rb_link, *rb_parent;
113729 unsigned long charged = 0;
113730
113731+#ifdef CONFIG_PAX_SEGMEXEC
113732+ struct vm_area_struct *vma_m = NULL;
113733+#endif
113734+
113735+ /*
113736+ * mm->mmap_sem is required to protect against another thread
113737+ * changing the mappings in case we sleep.
113738+ */
113739+ verify_mm_writelocked(mm);
113740+
113741 /* Check against address space limit. */
113742+
113743+#ifdef CONFIG_PAX_RANDMMAP
113744+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
113745+#endif
113746+
113747 if (!may_expand_vm(mm, len >> PAGE_SHIFT)) {
113748 unsigned long nr_pages;
113749
113750@@ -1555,6 +1700,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
113751 &rb_parent)) {
113752 if (do_munmap(mm, addr, len))
113753 return -ENOMEM;
113754+ BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));
113755 }
113756
113757 /*
113758@@ -1586,6 +1732,16 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
113759 goto unacct_error;
113760 }
113761
113762+#ifdef CONFIG_PAX_SEGMEXEC
113763+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
113764+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
113765+ if (!vma_m) {
113766+ error = -ENOMEM;
113767+ goto free_vma;
113768+ }
113769+ }
113770+#endif
113771+
113772 vma->vm_mm = mm;
113773 vma->vm_start = addr;
113774 vma->vm_end = addr + len;
113775@@ -1616,6 +1772,13 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
113776 if (error)
113777 goto unmap_and_free_vma;
113778
113779+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
113780+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
113781+ vma->vm_flags |= VM_PAGEEXEC;
113782+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
113783+ }
113784+#endif
113785+
113786 /* Can addr have changed??
113787 *
113788 * Answer: Yes, several device drivers can do it in their
113789@@ -1634,6 +1797,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
113790 }
113791
113792 vma_link(mm, vma, prev, rb_link, rb_parent);
113793+
113794+#ifdef CONFIG_PAX_SEGMEXEC
113795+ if (vma_m)
113796+ BUG_ON(pax_mirror_vma(vma_m, vma));
113797+#endif
113798+
113799 /* Once vma denies write, undo our temporary denial count */
113800 if (file) {
113801 if (vm_flags & VM_SHARED)
113802@@ -1646,6 +1815,7 @@ out:
113803 perf_event_mmap(vma);
113804
113805 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
113806+ track_exec_limit(mm, addr, addr + len, vm_flags);
113807 if (vm_flags & VM_LOCKED) {
113808 if (!((vm_flags & VM_SPECIAL) || is_vm_hugetlb_page(vma) ||
113809 vma == get_gate_vma(current->mm)))
113810@@ -1683,6 +1853,12 @@ allow_write_and_free_vma:
113811 if (vm_flags & VM_DENYWRITE)
113812 allow_write_access(file);
113813 free_vma:
113814+
113815+#ifdef CONFIG_PAX_SEGMEXEC
113816+ if (vma_m)
113817+ kmem_cache_free(vm_area_cachep, vma_m);
113818+#endif
113819+
113820 kmem_cache_free(vm_area_cachep, vma);
113821 unacct_error:
113822 if (charged)
113823@@ -1690,7 +1866,63 @@ unacct_error:
113824 return error;
113825 }
113826
113827-unsigned long unmapped_area(struct vm_unmapped_area_info *info)
113828+#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
113829+unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
113830+{
113831+ if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK))
113832+ return ((prandom_u32() & 0xFF) + 1) << PAGE_SHIFT;
113833+
113834+ return 0;
113835+}
113836+#endif
113837+
113838+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset)
113839+{
113840+ if (!vma) {
113841+#ifdef CONFIG_STACK_GROWSUP
113842+ if (addr > sysctl_heap_stack_gap)
113843+ vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
113844+ else
113845+ vma = find_vma(current->mm, 0);
113846+ if (vma && (vma->vm_flags & VM_GROWSUP))
113847+ return false;
113848+#endif
113849+ return true;
113850+ }
113851+
113852+ if (addr + len > vma->vm_start)
113853+ return false;
113854+
113855+ if (vma->vm_flags & VM_GROWSDOWN)
113856+ return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
113857+#ifdef CONFIG_STACK_GROWSUP
113858+ else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
113859+ return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;
113860+#endif
113861+ else if (offset)
113862+ return offset <= vma->vm_start - addr - len;
113863+
113864+ return true;
113865+}
113866+
113867+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset)
113868+{
113869+ if (vma->vm_start < len)
113870+ return -ENOMEM;
113871+
113872+ if (!(vma->vm_flags & VM_GROWSDOWN)) {
113873+ if (offset <= vma->vm_start - len)
113874+ return vma->vm_start - len - offset;
113875+ else
113876+ return -ENOMEM;
113877+ }
113878+
113879+ if (sysctl_heap_stack_gap <= vma->vm_start - len)
113880+ return vma->vm_start - len - sysctl_heap_stack_gap;
113881+ return -ENOMEM;
113882+}
113883+
113884+unsigned long unmapped_area(const struct vm_unmapped_area_info *info)
113885 {
113886 /*
113887 * We implement the search by looking for an rbtree node that
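Review bot: `gr_rand_threadstack_offset()` draws its offset from `prandom_u32()`, a fast non-cryptographic generator whose output is not meant to resist prediction; for a value whose purpose is to make thread-stack placement hard to guess, `get_random_int()` is the better source: `return ((get_random_int() & 0xFF) + 1) << PAGE_SHIFT;`. Separately, `skip_heap_stack_gap()` returns `-ENOMEM` through an `unsigned long`, so a header comment telling callers to test the result with `IS_ERR_VALUE()` would prevent it being used as an address. `check_heap_stack_gap()` evaluates `addr + len > vma->vm_start` with no wrap check; presumably callers have already bounded both values, which is worth stating in a comment. None of the three new functions has a doc comment describing `offset` or the return convention.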
113888@@ -1738,11 +1970,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
113889 }
113890 }
113891
113892- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
113893+ gap_start = vma->vm_prev ? vma->vm_prev->vm_end: 0;
113894 check_current:
113895 /* Check if current node has a suitable gap */
113896 if (gap_start > high_limit)
113897 return -ENOMEM;
113898+
113899+ if (gap_end - gap_start > info->threadstack_offset)
113900+ gap_start += info->threadstack_offset;
113901+ else
113902+ gap_start = gap_end;
113903+
113904+ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
113905+ if (gap_end - gap_start > sysctl_heap_stack_gap)
113906+ gap_start += sysctl_heap_stack_gap;
113907+ else
113908+ gap_start = gap_end;
113909+ }
113910+ if (vma->vm_flags & VM_GROWSDOWN) {
113911+ if (gap_end - gap_start > sysctl_heap_stack_gap)
113912+ gap_end -= sysctl_heap_stack_gap;
113913+ else
113914+ gap_end = gap_start;
113915+ }
113916 if (gap_end >= low_limit && gap_end - gap_start >= length)
113917 goto found;
113918
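Review bot: The three clamp blocks added after `check_current:` have no comment, and the two `sysctl_heap_stack_gap` blocks are repeated line for line in the `unmapped_area_topdown` hunk below, so the two search directions can drift apart. A one-line comment above them, for example `/* narrow the candidate gap by threadstack_offset and, next to a growing stack vma, by sysctl_heap_stack_gap; a gap that is too small collapses to empty */`, would record why `gap_start`/`gap_end` are rewritten before the length test. A small static helper taking `vma`, `&gap_start` and `&gap_end` would remove the duplication. The `vm_end: 0` edit on the `gap_start` line only deletes a space and could be dropped from the patch. Both functions start and end outside this hunk.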
113919@@ -1792,7 +2042,7 @@ found:
113920 return gap_start;
113921 }
113922
113923-unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
113924+unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info)
113925 {
113926 struct mm_struct *mm = current->mm;
113927 struct vm_area_struct *vma;
113928@@ -1846,6 +2096,24 @@ check_current:
113929 gap_end = vma->vm_start;
113930 if (gap_end < low_limit)
113931 return -ENOMEM;
113932+
113933+ if (gap_end - gap_start > info->threadstack_offset)
113934+ gap_end -= info->threadstack_offset;
113935+ else
113936+ gap_end = gap_start;
113937+
113938+ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
113939+ if (gap_end - gap_start > sysctl_heap_stack_gap)
113940+ gap_start += sysctl_heap_stack_gap;
113941+ else
113942+ gap_start = gap_end;
113943+ }
113944+ if (vma->vm_flags & VM_GROWSDOWN) {
113945+ if (gap_end - gap_start > sysctl_heap_stack_gap)
113946+ gap_end -= sysctl_heap_stack_gap;
113947+ else
113948+ gap_end = gap_start;
113949+ }
113950 if (gap_start <= high_limit && gap_end - gap_start >= length)
113951 goto found;
113952
113953@@ -1909,6 +2177,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
113954 struct mm_struct *mm = current->mm;
113955 struct vm_area_struct *vma;
113956 struct vm_unmapped_area_info info;
113957+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
113958
113959 if (len > TASK_SIZE - mmap_min_addr)
113960 return -ENOMEM;
113961@@ -1916,11 +2185,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
113962 if (flags & MAP_FIXED)
113963 return addr;
113964
113965+#ifdef CONFIG_PAX_RANDMMAP
113966+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
113967+#endif
113968+
113969 if (addr) {
113970 addr = PAGE_ALIGN(addr);
113971 vma = find_vma(mm, addr);
113972 if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
113973- (!vma || addr + len <= vma->vm_start))
113974+ check_heap_stack_gap(vma, addr, len, offset))
113975 return addr;
113976 }
113977
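Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own: it controls the following `if (addr) {` block across the `#endif` and a blank line, which is easy to misread and easy to break when a statement is later inserted between them. Folding the condition into the hint test under the `#ifdef`, or bracing it, with a comment like `/* RANDMMAP: ignore the caller's address hint */`, makes the intent explicit. The same shape appears in the `arch_get_unmapped_area_topdown` hunk, where an existing comment sits between the two `if`s, and as `} else` followed by `#endif` in the `split_vma` and `mprotect` hunks. `check_heap_stack_gap()` replaces a test that began with `!vma ||`, so it has to accept a NULL `vma`; its first lines are above the visible part of the patch, so that is worth confirming.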
113978@@ -1929,6 +2202,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
113979 info.low_limit = mm->mmap_base;
113980 info.high_limit = TASK_SIZE;
113981 info.align_mask = 0;
113982+ info.threadstack_offset = offset;
113983 return vm_unmapped_area(&info);
113984 }
113985 #endif
113986@@ -1947,6 +2221,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
113987 struct mm_struct *mm = current->mm;
113988 unsigned long addr = addr0;
113989 struct vm_unmapped_area_info info;
113990+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
113991
113992 /* requested length too big for entire address space */
113993 if (len > TASK_SIZE - mmap_min_addr)
113994@@ -1955,12 +2230,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
113995 if (flags & MAP_FIXED)
113996 return addr;
113997
113998+#ifdef CONFIG_PAX_RANDMMAP
113999+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
114000+#endif
114001+
114002 /* requesting a specific address */
114003 if (addr) {
114004 addr = PAGE_ALIGN(addr);
114005 vma = find_vma(mm, addr);
114006 if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
114007- (!vma || addr + len <= vma->vm_start))
114008+ check_heap_stack_gap(vma, addr, len, offset))
114009 return addr;
114010 }
114011
114012@@ -1969,6 +2248,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114013 info.low_limit = max(PAGE_SIZE, mmap_min_addr);
114014 info.high_limit = mm->mmap_base;
114015 info.align_mask = 0;
114016+ info.threadstack_offset = offset;
114017 addr = vm_unmapped_area(&info);
114018
114019 /*
114020@@ -1981,6 +2261,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114021 VM_BUG_ON(addr != -ENOMEM);
114022 info.flags = 0;
114023 info.low_limit = TASK_UNMAPPED_BASE;
114024+
114025+#ifdef CONFIG_PAX_RANDMMAP
114026+ if (mm->pax_flags & MF_PAX_RANDMMAP)
114027+ info.low_limit += mm->delta_mmap;
114028+#endif
114029+
114030 info.high_limit = TASK_SIZE;
114031 addr = vm_unmapped_area(&info);
114032 }
114033@@ -2081,6 +2367,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
114034 return vma;
114035 }
114036
114037+#ifdef CONFIG_PAX_SEGMEXEC
114038+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
114039+{
114040+ struct vm_area_struct *vma_m;
114041+
114042+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
114043+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
114044+ BUG_ON(vma->vm_mirror);
114045+ return NULL;
114046+ }
114047+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
114048+ vma_m = vma->vm_mirror;
114049+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
114050+ BUG_ON(vma->vm_file != vma_m->vm_file);
114051+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
114052+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
114053+ BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
114054+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
114055+ return vma_m;
114056+}
114057+#endif
114058+
114059 /*
114060 * Verify that the stack growth is acceptable and
114061 * update accounting. This is shared with both the
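Review bot: The `anon_vma` assertion in `pax_find_mirror_vma()` dereferences both pointers without checking them: when exactly one of `vma->anon_vma` and `vma_m->anon_vma` is NULL the first comparison is true and `->root` is then read through a NULL pointer, so the kernel faults inside the check instead of reporting the broken invariant. Whether that state can occur depends on code outside the hunk, but the assertion is cheap to make safe: `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`. The function also has no header comment; one stating that it returns NULL for non-executable or non-SEGMEXEC vmas and otherwise asserts that the mirror matches would help callers that dereference the result directly.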
114062@@ -2098,8 +2406,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114063
114064 /* Stack limit test */
114065 actual_size = size;
114066- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
114067- actual_size -= PAGE_SIZE;
114068+ gr_learn_resource(current, RLIMIT_STACK, actual_size, 1);
114069 if (actual_size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur))
114070 return -ENOMEM;
114071
114072@@ -2110,6 +2417,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114073 locked = mm->locked_vm + grow;
114074 limit = READ_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
114075 limit >>= PAGE_SHIFT;
114076+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
114077 if (locked > limit && !capable(CAP_IPC_LOCK))
114078 return -ENOMEM;
114079 }
114080@@ -2139,37 +2447,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114081 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
114082 * vma is the last one with address > vma->vm_end. Have to extend vma.
114083 */
114084+#ifndef CONFIG_IA64
114085+static
114086+#endif
114087 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
114088 {
114089 int error;
114090+ bool locknext;
114091
114092 if (!(vma->vm_flags & VM_GROWSUP))
114093 return -EFAULT;
114094
114095+ /* Also guard against wrapping around to address 0. */
114096+ if (address < PAGE_ALIGN(address+1))
114097+ address = PAGE_ALIGN(address+1);
114098+ else
114099+ return -ENOMEM;
114100+
114101 /*
114102 * We must make sure the anon_vma is allocated
114103 * so that the anon_vma locking is not a noop.
114104 */
114105 if (unlikely(anon_vma_prepare(vma)))
114106 return -ENOMEM;
114107+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
114108+ if (locknext && anon_vma_prepare(vma->vm_next))
114109+ return -ENOMEM;
114110 vma_lock_anon_vma(vma);
114111+ if (locknext)
114112+ vma_lock_anon_vma(vma->vm_next);
114113
114114 /*
114115 * vma->vm_start/vm_end cannot change under us because the caller
114116 * is required to hold the mmap_sem in read mode. We need the
114117- * anon_vma lock to serialize against concurrent expand_stacks.
114118- * Also guard against wrapping around to address 0.
114119+ * anon_vma locks to serialize against concurrent expand_stacks
114120+ * and expand_upwards.
114121 */
114122- if (address < PAGE_ALIGN(address+4))
114123- address = PAGE_ALIGN(address+4);
114124- else {
114125- vma_unlock_anon_vma(vma);
114126- return -ENOMEM;
114127- }
114128 error = 0;
114129
114130 /* Somebody else might have raced and expanded it already */
114131- if (address > vma->vm_end) {
114132+ if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
114133+ error = -ENOMEM;
114134+ else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
114135 unsigned long size, grow;
114136
114137 size = address - vma->vm_start;
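Review bot: The retained comment `/* Somebody else might have raced and expanded it already */` now sits above the new heap/stack gap test rather than the `address > vma->vm_end` test it describes, and the gap test itself is a single very long, undocumented line. `vma->vm_next->vm_start - address` is an unsigned subtraction, so the test only means what it says while `address <= vma->vm_next->vm_start`; if a caller could pass a larger address the difference wraps and the gap check passes, leaving only the `locknext` clause to reject the growth. I would split the condition, move the race comment down to the `else if`, and add `/* refuse to grow to within sysctl_heap_stack_gap of the next accessible mapping; callers guarantee address <= vm_next->vm_start */` once that guarantee is confirmed. The `expand_downwards` hunk has the mirror-image expression `address - prev->vm_end`. The function body continues outside the hunk.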
114138@@ -2204,6 +2523,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
114139 }
114140 }
114141 }
114142+ if (locknext)
114143+ vma_unlock_anon_vma(vma->vm_next);
114144 vma_unlock_anon_vma(vma);
114145 khugepaged_enter_vma_merge(vma, vma->vm_flags);
114146 validate_mm(vma->vm_mm);
114147@@ -2218,6 +2539,8 @@ int expand_downwards(struct vm_area_struct *vma,
114148 unsigned long address)
114149 {
114150 int error;
114151+ bool lockprev = false;
114152+ struct vm_area_struct *prev;
114153
114154 /*
114155 * We must make sure the anon_vma is allocated
114156@@ -2231,6 +2554,15 @@ int expand_downwards(struct vm_area_struct *vma,
114157 if (error)
114158 return error;
114159
114160+ prev = vma->vm_prev;
114161+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
114162+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
114163+#endif
114164+ if (lockprev && anon_vma_prepare(prev))
114165+ return -ENOMEM;
114166+ if (lockprev)
114167+ vma_lock_anon_vma(prev);
114168+
114169 vma_lock_anon_vma(vma);
114170
114171 /*
114172@@ -2240,9 +2572,17 @@ int expand_downwards(struct vm_area_struct *vma,
114173 */
114174
114175 /* Somebody else might have raced and expanded it already */
114176- if (address < vma->vm_start) {
114177+ if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
114178+ error = -ENOMEM;
114179+ else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
114180 unsigned long size, grow;
114181
114182+#ifdef CONFIG_PAX_SEGMEXEC
114183+ struct vm_area_struct *vma_m;
114184+
114185+ vma_m = pax_find_mirror_vma(vma);
114186+#endif
114187+
114188 size = vma->vm_end - address;
114189 grow = (vma->vm_start - address) >> PAGE_SHIFT;
114190
114191@@ -2267,13 +2607,27 @@ int expand_downwards(struct vm_area_struct *vma,
114192 vma->vm_pgoff -= grow;
114193 anon_vma_interval_tree_post_update_vma(vma);
114194 vma_gap_update(vma);
114195+
114196+#ifdef CONFIG_PAX_SEGMEXEC
114197+ if (vma_m) {
114198+ anon_vma_interval_tree_pre_update_vma(vma_m);
114199+ vma_m->vm_start -= grow << PAGE_SHIFT;
114200+ vma_m->vm_pgoff -= grow;
114201+ anon_vma_interval_tree_post_update_vma(vma_m);
114202+ vma_gap_update(vma_m);
114203+ }
114204+#endif
114205+
114206 spin_unlock(&vma->vm_mm->page_table_lock);
114207
114208+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
114209 perf_event_mmap(vma);
114210 }
114211 }
114212 }
114213 vma_unlock_anon_vma(vma);
114214+ if (lockprev)
114215+ vma_unlock_anon_vma(prev);
114216 khugepaged_enter_vma_merge(vma, vma->vm_flags);
114217 validate_mm(vma->vm_mm);
114218 return error;
114219@@ -2373,6 +2727,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
114220 do {
114221 long nrpages = vma_pages(vma);
114222
114223+#ifdef CONFIG_PAX_SEGMEXEC
114224+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
114225+ vma = remove_vma(vma);
114226+ continue;
114227+ }
114228+#endif
114229+
114230 if (vma->vm_flags & VM_ACCOUNT)
114231 nr_accounted += nrpages;
114232 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
114233@@ -2417,6 +2778,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
114234 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
114235 vma->vm_prev = NULL;
114236 do {
114237+
114238+#ifdef CONFIG_PAX_SEGMEXEC
114239+ if (vma->vm_mirror) {
114240+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
114241+ vma->vm_mirror->vm_mirror = NULL;
114242+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
114243+ vma->vm_mirror = NULL;
114244+ }
114245+#endif
114246+
114247 vma_rb_erase(vma, &mm->mm_rb);
114248 mm->map_count--;
114249 tail_vma = vma;
114250@@ -2444,14 +2815,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114251 struct vm_area_struct *new;
114252 int err = -ENOMEM;
114253
114254+#ifdef CONFIG_PAX_SEGMEXEC
114255+ struct vm_area_struct *vma_m, *new_m = NULL;
114256+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
114257+#endif
114258+
114259 if (is_vm_hugetlb_page(vma) && (addr &
114260 ~(huge_page_mask(hstate_vma(vma)))))
114261 return -EINVAL;
114262
114263+#ifdef CONFIG_PAX_SEGMEXEC
114264+ vma_m = pax_find_mirror_vma(vma);
114265+#endif
114266+
114267 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
114268 if (!new)
114269 goto out_err;
114270
114271+#ifdef CONFIG_PAX_SEGMEXEC
114272+ if (vma_m) {
114273+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
114274+ if (!new_m) {
114275+ kmem_cache_free(vm_area_cachep, new);
114276+ goto out_err;
114277+ }
114278+ }
114279+#endif
114280+
114281 /* most fields are the same, copy all, and then fixup */
114282 *new = *vma;
114283
114284@@ -2464,6 +2854,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114285 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
114286 }
114287
114288+#ifdef CONFIG_PAX_SEGMEXEC
114289+ if (vma_m) {
114290+ *new_m = *vma_m;
114291+ INIT_LIST_HEAD(&new_m->anon_vma_chain);
114292+ new_m->vm_mirror = new;
114293+ new->vm_mirror = new_m;
114294+
114295+ if (new_below)
114296+ new_m->vm_end = addr_m;
114297+ else {
114298+ new_m->vm_start = addr_m;
114299+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
114300+ }
114301+ }
114302+#endif
114303+
114304 err = vma_dup_policy(vma, new);
114305 if (err)
114306 goto out_free_vma;
114307@@ -2484,6 +2890,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114308 else
114309 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
114310
114311+#ifdef CONFIG_PAX_SEGMEXEC
114312+ if (!err && vma_m) {
114313+ struct mempolicy *pol = vma_policy(new);
114314+
114315+ if (anon_vma_clone(new_m, vma_m))
114316+ goto out_free_mpol;
114317+
114318+ mpol_get(pol);
114319+ set_vma_policy(new_m, pol);
114320+
114321+ if (new_m->vm_file)
114322+ get_file(new_m->vm_file);
114323+
114324+ if (new_m->vm_ops && new_m->vm_ops->open)
114325+ new_m->vm_ops->open(new_m);
114326+
114327+ if (new_below)
114328+ err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
114329+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
114330+ else
114331+ err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
114332+
114333+ if (err) {
114334+ if (new_m->vm_ops && new_m->vm_ops->close)
114335+ new_m->vm_ops->close(new_m);
114336+ if (new_m->vm_file)
114337+ fput(new_m->vm_file);
114338+ mpol_put(pol);
114339+ }
114340+ }
114341+#endif
114342+
114343 /* Success. */
114344 if (!err)
114345 return 0;
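Review bot: In the SEGMEXEC block, `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` is reached only when `err` is 0, and nothing sets `err` before the jump, so a failed clone ends at `return err` reporting success. The labels it jumps to (in the next hunk) drop the policy reference and free `new`, yet by this point the first `vma_adjust()` has already succeeded with `new` as its insert argument, so `new` is presumably linked into the mm when it is freed; the `if (err)` branch after the mirror `vma_adjust()` falls into the same cleanup. At minimum the clone result should be kept, `err = anon_vma_clone(new_m, vma_m); if (err) goto out_free_mpol;`, and the unwind for a mirror failure after a successful primary split needs its own path rather than reusing the labels written for the case where nothing was inserted. `__split_vma` starts and ends outside this hunk.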
114346@@ -2493,10 +2931,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114347 new->vm_ops->close(new);
114348 if (new->vm_file)
114349 fput(new->vm_file);
114350- unlink_anon_vmas(new);
114351 out_free_mpol:
114352 mpol_put(vma_policy(new));
114353 out_free_vma:
114354+
114355+#ifdef CONFIG_PAX_SEGMEXEC
114356+ if (new_m) {
114357+ unlink_anon_vmas(new_m);
114358+ kmem_cache_free(vm_area_cachep, new_m);
114359+ }
114360+#endif
114361+
114362+ unlink_anon_vmas(new);
114363 kmem_cache_free(vm_area_cachep, new);
114364 out_err:
114365 return err;
114366@@ -2509,6 +2955,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114367 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114368 unsigned long addr, int new_below)
114369 {
114370+
114371+#ifdef CONFIG_PAX_SEGMEXEC
114372+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
114373+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
114374+ if (mm->map_count >= sysctl_max_map_count-1)
114375+ return -ENOMEM;
114376+ } else
114377+#endif
114378+
114379 if (mm->map_count >= sysctl_max_map_count)
114380 return -ENOMEM;
114381
114382@@ -2520,11 +2975,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114383 * work. This now handles partial unmappings.
114384 * Jeremy Fitzhardinge <jeremy@goop.org>
114385 */
114386+#ifdef CONFIG_PAX_SEGMEXEC
114387 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
114388 {
114389+ int ret = __do_munmap(mm, start, len);
114390+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
114391+ return ret;
114392+
114393+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
114394+}
114395+
114396+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
114397+#else
114398+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
114399+#endif
114400+{
114401 unsigned long end;
114402 struct vm_area_struct *vma, *prev, *last;
114403
114404+ /*
114405+ * mm->mmap_sem is required to protect against another thread
114406+ * changing the mappings in case we sleep.
114407+ */
114408+ verify_mm_writelocked(mm);
114409+
114410 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
114411 return -EINVAL;
114412
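Review bot: The new `do_munmap()` wrapper returns the result of the second `__do_munmap()` after the first has already removed the primary range, so a failure on the mirror range leaves the caller with an error and a half-completed unmap. The wrapper also adds `SEGMEXEC_TASK_SIZE` to `start` without checking the range itself; `vm_munmap()` gains that check in a later hunk, but other callers of `do_munmap()` are not visible here. A header comment on the wrapper stating that callers must pass a range below `SEGMEXEC_TASK_SIZE`, and what state is left on a mirror failure, would make the contract reviewable. The body of `__do_munmap` continues outside the hunk.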
114413@@ -2602,6 +3076,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
114414 /* Fix up all other VM information */
114415 remove_vma_list(mm, vma);
114416
114417+ track_exec_limit(mm, start, end, 0UL);
114418+
114419 return 0;
114420 }
114421
114422@@ -2610,6 +3086,13 @@ int vm_munmap(unsigned long start, size_t len)
114423 int ret;
114424 struct mm_struct *mm = current->mm;
114425
114426+
114427+#ifdef CONFIG_PAX_SEGMEXEC
114428+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
114429+ (len > SEGMEXEC_TASK_SIZE || start > SEGMEXEC_TASK_SIZE-len))
114430+ return -EINVAL;
114431+#endif
114432+
114433 down_write(&mm->mmap_sem);
114434 ret = do_munmap(mm, start, len);
114435 up_write(&mm->mmap_sem);
114436@@ -2656,6 +3139,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
114437 down_write(&mm->mmap_sem);
114438 vma = find_vma(mm, start);
114439
114440+#ifdef CONFIG_PAX_SEGMEXEC
114441+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
114442+ goto out;
114443+#endif
114444+
114445 if (!vma || !(vma->vm_flags & VM_SHARED))
114446 goto out;
114447
114448@@ -2692,16 +3180,6 @@ out:
114449 return ret;
114450 }
114451
114452-static inline void verify_mm_writelocked(struct mm_struct *mm)
114453-{
114454-#ifdef CONFIG_DEBUG_VM
114455- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
114456- WARN_ON(1);
114457- up_read(&mm->mmap_sem);
114458- }
114459-#endif
114460-}
114461-
114462 /*
114463 * this is really a simplified "do_mmap". it only handles
114464 * anonymous maps. eventually we may be able to do some
114465@@ -2715,6 +3193,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
114466 struct rb_node **rb_link, *rb_parent;
114467 pgoff_t pgoff = addr >> PAGE_SHIFT;
114468 int error;
114469+ unsigned long charged;
114470
114471 len = PAGE_ALIGN(len);
114472 if (!len)
114473@@ -2722,10 +3201,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
114474
114475 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
114476
114477+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
114478+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
114479+ flags &= ~VM_EXEC;
114480+
114481+#ifdef CONFIG_PAX_MPROTECT
114482+ if (mm->pax_flags & MF_PAX_MPROTECT)
114483+ flags &= ~VM_MAYEXEC;
114484+#endif
114485+
114486+ }
114487+#endif
114488+
114489 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
114490 if (error & ~PAGE_MASK)
114491 return error;
114492
114493+ charged = len >> PAGE_SHIFT;
114494+
114495 error = mlock_future_check(mm, mm->def_flags, len);
114496 if (error)
114497 return error;
114498@@ -2743,16 +3236,17 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
114499 &rb_parent)) {
114500 if (do_munmap(mm, addr, len))
114501 return -ENOMEM;
114502+ BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));
114503 }
114504
114505 /* Check against address space limits *after* clearing old maps... */
114506- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
114507+ if (!may_expand_vm(mm, charged))
114508 return -ENOMEM;
114509
114510 if (mm->map_count > sysctl_max_map_count)
114511 return -ENOMEM;
114512
114513- if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
114514+ if (security_vm_enough_memory_mm(mm, charged))
114515 return -ENOMEM;
114516
114517 /* Can we just expand an old private anonymous mapping? */
114518@@ -2766,7 +3260,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
114519 */
114520 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
114521 if (!vma) {
114522- vm_unacct_memory(len >> PAGE_SHIFT);
114523+ vm_unacct_memory(charged);
114524 return -ENOMEM;
114525 }
114526
114527@@ -2780,10 +3274,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
114528 vma_link(mm, vma, prev, rb_link, rb_parent);
114529 out:
114530 perf_event_mmap(vma);
114531- mm->total_vm += len >> PAGE_SHIFT;
114532+ mm->total_vm += charged;
114533 if (flags & VM_LOCKED)
114534- mm->locked_vm += (len >> PAGE_SHIFT);
114535+ mm->locked_vm += charged;
114536 vma->vm_flags |= VM_SOFTDIRTY;
114537+ track_exec_limit(mm, addr, addr + len, flags);
114538 return addr;
114539 }
114540
114541@@ -2845,6 +3340,7 @@ void exit_mmap(struct mm_struct *mm)
114542 while (vma) {
114543 if (vma->vm_flags & VM_ACCOUNT)
114544 nr_accounted += vma_pages(vma);
114545+ vma->vm_mirror = NULL;
114546 vma = remove_vma(vma);
114547 }
114548 vm_unacct_memory(nr_accounted);
114549@@ -2859,6 +3355,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
114550 struct vm_area_struct *prev;
114551 struct rb_node **rb_link, *rb_parent;
114552
114553+#ifdef CONFIG_PAX_SEGMEXEC
114554+ struct vm_area_struct *vma_m = NULL;
114555+#endif
114556+
114557+ if (security_mmap_addr(vma->vm_start))
114558+ return -EPERM;
114559+
114560 /*
114561 * The vm_pgoff of a purely anonymous vma should be irrelevant
114562 * until its first write fault, when page's anon_vma and index
114563@@ -2882,7 +3385,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
114564 security_vm_enough_memory_mm(mm, vma_pages(vma)))
114565 return -ENOMEM;
114566
114567+#ifdef CONFIG_PAX_SEGMEXEC
114568+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
114569+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
114570+ if (!vma_m)
114571+ return -ENOMEM;
114572+ }
114573+#endif
114574+
114575 vma_link(mm, vma, prev, rb_link, rb_parent);
114576+
114577+#ifdef CONFIG_PAX_SEGMEXEC
114578+ if (vma_m)
114579+ BUG_ON(pax_mirror_vma(vma_m, vma));
114580+#endif
114581+
114582 return 0;
114583 }
114584
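Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` turns an allocation failure into a kernel BUG: `pax_mirror_vma()` returns -ENOMEM when `anon_vma_clone()` fails, and `insert_vm_struct()` already has an -ENOMEM return for the `kmem_cache_zalloc()` just above. The call also does real work inside an assertion macro, which hides the fact that the mirror is created on this line; `do_brk` uses the same pattern with `BUG_ON(find_vma_links(...))`. Calling it as a statement, `int err = pax_mirror_vma(vma_m, vma);`, and handling the result would keep memory pressure from taking the machine down, though undoing the preceding `vma_link()` is more than a one-line change. `insert_vm_struct` begins outside this hunk.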
114585@@ -2901,6 +3418,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
114586 struct rb_node **rb_link, *rb_parent;
114587 bool faulted_in_anon_vma = true;
114588
114589+ BUG_ON(vma->vm_mirror);
114590+
114591 /*
114592 * If anonymous vma has not yet been faulted, update new pgoff
114593 * to match new location, to increase its chance of merging.
114594@@ -2965,6 +3484,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
114595 return NULL;
114596 }
114597
114598+#ifdef CONFIG_PAX_SEGMEXEC
114599+long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
114600+{
114601+ struct vm_area_struct *prev_m;
114602+ struct rb_node **rb_link_m, *rb_parent_m;
114603+ struct mempolicy *pol_m;
114604+
114605+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
114606+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
114607+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
114608+ *vma_m = *vma;
114609+ INIT_LIST_HEAD(&vma_m->anon_vma_chain);
114610+ if (anon_vma_clone(vma_m, vma))
114611+ return -ENOMEM;
114612+ pol_m = vma_policy(vma_m);
114613+ mpol_get(pol_m);
114614+ set_vma_policy(vma_m, pol_m);
114615+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
114616+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
114617+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
114618+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
114619+ if (vma_m->vm_file)
114620+ get_file(vma_m->vm_file);
114621+ if (vma_m->vm_ops && vma_m->vm_ops->open)
114622+ vma_m->vm_ops->open(vma_m);
114623+ BUG_ON(find_vma_links(vma->vm_mm, vma_m->vm_start, vma_m->vm_end, &prev_m, &rb_link_m, &rb_parent_m));
114624+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
114625+ vma_m->vm_mirror = vma;
114626+ vma->vm_mirror = vma_m;
114627+ return 0;
114628+}
114629+#endif
114630+
114631 /*
114632 * Return true if the calling process may expand its vm space by the passed
114633 * number of pages
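Review bot: `pax_mirror_vma()` is missing a header comment, and its failure contract is not obvious from the body: when `anon_vma_clone()` fails it returns -ENOMEM after `*vma_m = *vma`, so `vma_m` then holds copied `vm_file`, `vm_ops` and policy pointers for which no reference was taken. A caller that frees `vma_m` on that path must use a plain `kmem_cache_free()` and must not `fput()` or call `->close`. I would document that the caller supplies a zeroed `vma_m`, that ownership of `vma_m` stays with the caller on error, and which lock must be held; `vma_link()` is called here, so presumably `mmap_sem` held for writing, to be confirmed against the callers. The return type is `long` while both visible callers treat the result as an `int` error or a boolean.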
114634@@ -2976,6 +3528,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
114635
114636 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
114637
114638+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
114639 if (cur + npages > lim)
114640 return 0;
114641 return 1;
114642@@ -3058,6 +3611,22 @@ static struct vm_area_struct *__install_special_mapping(
114643 vma->vm_start = addr;
114644 vma->vm_end = addr + len;
114645
114646+#ifdef CONFIG_PAX_MPROTECT
114647+ if (mm->pax_flags & MF_PAX_MPROTECT) {
114648+#ifndef CONFIG_PAX_MPROTECT_COMPAT
114649+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
114650+ return ERR_PTR(-EPERM);
114651+ if (!(vm_flags & VM_EXEC))
114652+ vm_flags &= ~VM_MAYEXEC;
114653+#else
114654+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
114655+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
114656+#endif
114657+ else
114658+ vm_flags &= ~VM_MAYWRITE;
114659+ }
114660+#endif
114661+
114662 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND | VM_SOFTDIRTY;
114663 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
114664
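Review bot: The `return ERR_PTR(-EPERM);` added for a writable and executable request leaves the function after `vma->vm_start` and `vma->vm_end` have been assigned, so `vma` has presumably been allocated by then and is not released on this path. The function's existing error exit is outside the hunk; if it frees `vma`, this branch should set the error and jump there instead of returning directly. The trailing `else vm_flags &= ~VM_MAYWRITE;` after `#endif` pairs with a different `if` in each preprocessor branch, which deserves a comment or a separate `else` inside each branch. `__install_special_mapping` starts and ends outside this hunk.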
114665diff --git a/mm/mprotect.c b/mm/mprotect.c
114666index e7d6f11..6116007 100644
114667--- a/mm/mprotect.c
114668+++ b/mm/mprotect.c
114669@@ -24,10 +24,18 @@
114670 #include <linux/migrate.h>
114671 #include <linux/perf_event.h>
114672 #include <linux/ksm.h>
114673+#include <linux/sched/sysctl.h>
114674+
114675+#ifdef CONFIG_PAX_MPROTECT
114676+#include <linux/elf.h>
114677+#include <linux/binfmts.h>
114678+#endif
114679+
114680 #include <asm/uaccess.h>
114681 #include <asm/pgtable.h>
114682 #include <asm/cacheflush.h>
114683 #include <asm/tlbflush.h>
114684+#include <asm/mmu_context.h>
114685
114686 #include "internal.h"
114687
114688@@ -254,6 +262,48 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
114689 return pages;
114690 }
114691
114692+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
114693+/* called while holding the mmap semaphor for writing except stack expansion */
114694+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
114695+{
114696+ unsigned long oldlimit, newlimit = 0UL;
114697+
114698+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
114699+ return;
114700+
114701+ spin_lock(&mm->page_table_lock);
114702+ oldlimit = mm->context.user_cs_limit;
114703+ if ((prot & VM_EXEC) && oldlimit < end)
114704+ /* USER_CS limit moved up */
114705+ newlimit = end;
114706+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
114707+ /* USER_CS limit moved down */
114708+ newlimit = start;
114709+
114710+ if (newlimit) {
114711+ mm->context.user_cs_limit = newlimit;
114712+
114713+#ifdef CONFIG_SMP
114714+ wmb();
114715+ cpumask_clear(&mm->context.cpu_user_cs_mask);
114716+ cpumask_set_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask);
114717+#endif
114718+
114719+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
114720+ }
114721+ spin_unlock(&mm->page_table_lock);
114722+ if (newlimit == end) {
114723+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
114724+
114725+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
114726+ if (is_vm_hugetlb_page(vma))
114727+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
114728+ else
114729+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma), 0);
114730+ }
114731+}
114732+#endif
114733+
114734 int
114735 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
114736 unsigned long start, unsigned long end, unsigned long newflags)
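Review bot: The last parameter of `track_exec_limit()` is named `prot` but is tested against `VM_EXEC`, and the visible callers pass `vma->vm_flags`, `flags`, `vm_flags` or `0UL`, so it is a vm_flags value, not a PROT_* mask; renaming it `vm_flags` would prevent a caller from passing `PROT_EXEC` by mistake. The function also needs a header comment saying what the limit is and why it returns early when `__supported_pte_mask & _PAGE_NX` is set. The loop that calls `change_protection()` runs after `page_table_lock` is dropped, and the one-line comment says stack expansion reaches this function without the mmap semaphore held for writing, so the locking that makes the `vm_next` walk and the protection change safe on that path should be spelled out. The unbraced `for` body holding an `if`/`else` would be clearer with braces.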
114737@@ -266,11 +316,29 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
114738 int error;
114739 int dirty_accountable = 0;
114740
114741+#ifdef CONFIG_PAX_SEGMEXEC
114742+ struct vm_area_struct *vma_m = NULL;
114743+ unsigned long start_m, end_m;
114744+
114745+ start_m = start + SEGMEXEC_TASK_SIZE;
114746+ end_m = end + SEGMEXEC_TASK_SIZE;
114747+#endif
114748+
114749 if (newflags == oldflags) {
114750 *pprev = vma;
114751 return 0;
114752 }
114753
114754+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
114755+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
114756+
114757+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
114758+ return -ENOMEM;
114759+
114760+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
114761+ return -ENOMEM;
114762+ }
114763+
114764 /*
114765 * If we make a private mapping writable we increase our commit;
114766 * but (without finer accounting) cannot reduce our commit if we
114767@@ -287,6 +355,42 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
114768 }
114769 }
114770
114771+#ifdef CONFIG_PAX_SEGMEXEC
114772+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
114773+ if (start != vma->vm_start) {
114774+ error = split_vma(mm, vma, start, 1);
114775+ if (error)
114776+ goto fail;
114777+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
114778+ *pprev = (*pprev)->vm_next;
114779+ }
114780+
114781+ if (end != vma->vm_end) {
114782+ error = split_vma(mm, vma, end, 0);
114783+ if (error)
114784+ goto fail;
114785+ }
114786+
114787+ if (pax_find_mirror_vma(vma)) {
114788+ error = __do_munmap(mm, start_m, end_m - start_m);
114789+ if (error)
114790+ goto fail;
114791+ } else {
114792+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
114793+ if (!vma_m) {
114794+ error = -ENOMEM;
114795+ goto fail;
114796+ }
114797+ vma->vm_flags = newflags;
114798+ error = pax_mirror_vma(vma_m, vma);
114799+ if (error) {
114800+ vma->vm_flags = oldflags;
114801+ goto fail;
114802+ }
114803+ }
114804+ }
114805+#endif
114806+
114807 /*
114808 * First try to merge with previous and/or next vma.
114809 */
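Review bot: When `pax_mirror_vma()` fails, the branch restores `vma->vm_flags` and jumps to `fail` without releasing `vma_m`, which was obtained from `kmem_cache_zalloc()` a few lines earlier. The `fail` label is outside the hunk, so unless it frees `vma_m` the object leaks on every failed clone; adding `kmem_cache_free(vm_area_cachep, vma_m);` before the `goto` would close that. `mprotect_fixup` starts and ends outside this hunk.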
114810@@ -317,7 +421,19 @@ success:
114811 * vm_flags and vm_page_prot are protected by the mmap_sem
114812 * held in write mode.
114813 */
114814+
114815+#ifdef CONFIG_PAX_SEGMEXEC
114816+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
114817+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
114818+#endif
114819+
114820 vma->vm_flags = newflags;
114821+
114822+#ifdef CONFIG_PAX_MPROTECT
114823+ if (mm->binfmt && mm->binfmt->handle_mprotect)
114824+ mm->binfmt->handle_mprotect(vma, newflags);
114825+#endif
114826+
114827 dirty_accountable = vma_wants_writenotify(vma);
114828 vma_set_page_prot(vma);
114829
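Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the return value directly, but the helper returns NULL whenever `vma->vm_flags` lacks `VM_EXEC`, and the guard here tests `newflags & VM_EXEC` while `vma->vm_flags` is still the old value. The earlier SEGMEXEC block appears to make the two agree before this point, but that is an invariant spread across two hunks and a merge step outside the view. A local `vma_m` with a comment, or `BUG_ON(!vma_m)` in the style the patch uses elsewhere, would make a violation fail at the check rather than as a NULL write. The `handle_mprotect()` call added below it repeats the one added in the `mprotect` syscall hunk for the first vma; a comment on why both are needed would help.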
114830@@ -362,6 +478,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
114831 end = start + len;
114832 if (end <= start)
114833 return -ENOMEM;
114834+
114835+#ifdef CONFIG_PAX_SEGMEXEC
114836+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
114837+ if (end > SEGMEXEC_TASK_SIZE)
114838+ return -EINVAL;
114839+ } else
114840+#endif
114841+
114842+ if (end > TASK_SIZE)
114843+ return -EINVAL;
114844+
114845 if (!arch_validate_prot(prot))
114846 return -EINVAL;
114847
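Review bot: The `} else` placed just before `#endif` binds to the `if (end > TASK_SIZE)` that follows the blank line, so a statement later inserted between the two would silently change which limit is enforced. The mremap changes in this same patch compute a `pax_task_size` limit first and compare once; doing the same here leaves a single unconditional bounds check. The local would be declared with the syscall's other variables, which are outside the hunk.

```c
	unsigned long task_size = TASK_SIZE;	/* goes with the function's other locals */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif

	if (end > task_size)
		return -EINVAL;
```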
114848@@ -369,7 +496,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
114849 /*
114850 * Does the application expect PROT_READ to imply PROT_EXEC:
114851 */
114852- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
114853+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
114854 prot |= PROT_EXEC;
114855
114856 vm_flags = calc_vm_prot_bits(prot);
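Review bot: The comment above the changed condition still says only PROT_READ implies PROT_EXEC, but the new test also fires for a PROT_WRITE-only request, so the comment understates what the code does. Under READ_IMPLIES_EXEC this makes write-only regions executable as well, which should be stated where it happens, for example `/* Does the application expect PROT_READ (or PROT_WRITE, which implies read access here) to imply PROT_EXEC: */`. That rationale is not given in the hunk and should be confirmed by the author.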
114857@@ -401,6 +528,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
114858 if (start > vma->vm_start)
114859 prev = vma;
114860
114861+#ifdef CONFIG_PAX_MPROTECT
114862+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
114863+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
114864+#endif
114865+
114866 for (nstart = start ; ; ) {
114867 unsigned long newflags;
114868
114869@@ -411,6 +543,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
114870
114871 /* newflags >> 4 shift VM_MAY% in place of VM_% */
114872 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
114873+ if (prot & (PROT_WRITE | PROT_EXEC))
114874+ gr_log_rwxmprotect(vma);
114875+
114876+ error = -EACCES;
114877+ goto out;
114878+ }
114879+
114880+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
114881 error = -EACCES;
114882 goto out;
114883 }
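Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` runs for every vma in the range, and `vm_file` is NULL for anonymous mappings, so the helper has to accept a NULL file; its definition is not in this hunk. Once confirmed against the helper, a comment such as `/* vm_file may be NULL (anonymous mapping) */` would record that contract at the call site. The hook and the `gr_log_rwxmprotect()` condition also look at the requested `prot` while the surrounding test is on the per-vma `newflags`; if that is deliberate it is worth a comment.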
114884@@ -425,6 +565,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
114885 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
114886 if (error)
114887 goto out;
114888+
114889+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
114890+
114891 nstart = tmp;
114892
114893 if (nstart < prev->vm_end)
114894diff --git a/mm/mremap.c b/mm/mremap.c
114895index a7c93ec..69c2949 100644
114896--- a/mm/mremap.c
114897+++ b/mm/mremap.c
114898@@ -143,6 +143,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
114899 continue;
114900 pte = ptep_get_and_clear(mm, old_addr, old_pte);
114901 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
114902+
114903+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
114904+ if (!(__supported_pte_mask & _PAGE_NX) && pte_present(pte) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
114905+ pte = pte_exprotect(pte);
114906+#endif
114907+
114908 pte = move_soft_dirty_pte(pte);
114909 set_pte_at(mm, new_addr, new_pte, pte);
114910 }
114911@@ -355,6 +361,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
114912 if (is_vm_hugetlb_page(vma))
114913 return ERR_PTR(-EINVAL);
114914
114915+#ifdef CONFIG_PAX_SEGMEXEC
114916+ if (pax_find_mirror_vma(vma))
114917+ return ERR_PTR(-EINVAL);
114918+#endif
114919+
114920 /* We can't remap across vm area boundaries */
114921 if (old_len > vma->vm_end - addr)
114922 return ERR_PTR(-EFAULT);
114923@@ -401,20 +412,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
114924 unsigned long ret = -EINVAL;
114925 unsigned long charged = 0;
114926 unsigned long map_flags;
114927+ unsigned long pax_task_size = TASK_SIZE;
114928
114929 if (new_addr & ~PAGE_MASK)
114930 goto out;
114931
114932- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
114933+#ifdef CONFIG_PAX_SEGMEXEC
114934+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
114935+ pax_task_size = SEGMEXEC_TASK_SIZE;
114936+#endif
114937+
114938+ pax_task_size -= PAGE_SIZE;
114939+
114940+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
114941 goto out;
114942
114943 /* Check if the location we're moving into overlaps the
114944 * old location at all, and fail if it does.
114945 */
114946- if ((new_addr <= addr) && (new_addr+new_len) > addr)
114947- goto out;
114948-
114949- if ((addr <= new_addr) && (addr+old_len) > new_addr)
114950+ if (addr + old_len > new_addr && new_addr + new_len > addr)
114951 goto out;
114952
114953 ret = do_munmap(mm, new_addr, new_len);
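Review bot: The length test still compares `new_len` with `TASK_SIZE` while the address test subtracts it from the smaller `pax_task_size`, so for a `new_len` between the two limits `pax_task_size - new_len` wraps and the address comparison passes. The mremap syscall hunk further down rejects `new_len > pax_task_size` before this function is reached, so this looks unreachable as called (other callers are not visible here), but the local check should not depend on that: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The same limit computation is repeated in the syscall hunk and could become a small shared helper.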
114954@@ -483,6 +499,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
114955 unsigned long ret = -EINVAL;
114956 unsigned long charged = 0;
114957 bool locked = false;
114958+ unsigned long pax_task_size = TASK_SIZE;
114959
114960 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
114961 return ret;
114962@@ -504,6 +521,17 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
114963 if (!new_len)
114964 return ret;
114965
114966+#ifdef CONFIG_PAX_SEGMEXEC
114967+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
114968+ pax_task_size = SEGMEXEC_TASK_SIZE;
114969+#endif
114970+
114971+ pax_task_size -= PAGE_SIZE;
114972+
114973+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
114974+ old_len > pax_task_size || addr > pax_task_size-old_len)
114975+ return ret;
114976+
114977 down_write(&current->mm->mmap_sem);
114978
114979 if (flags & MREMAP_FIXED) {
114980@@ -554,6 +582,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
114981 new_addr = addr;
114982 }
114983 ret = addr;
114984+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
114985 goto out;
114986 }
114987 }
114988@@ -577,7 +606,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
114989 goto out;
114990 }
114991
114992+ map_flags = vma->vm_flags;
114993 ret = move_vma(vma, addr, old_len, new_len, new_addr, &locked);
114994+ if (!(ret & ~PAGE_MASK)) {
114995+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
114996+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
114997+ }
114998 }
114999 out:
115000 if (ret & ~PAGE_MASK)
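Review bot: `map_flags` (declared outside the hunk) is given the vma's flags just before `move_vma()`, with no comment on why they are copied rather than read afterwards. Presumably `vma` may no longer be valid once the move has unmapped the old range; a comment such as `/* snapshot vm_flags: vma must not be dereferenced after move_vma() */` would keep a later edit from reading `vma->vm_flags` in the success branch. The success test `!(ret & ~PAGE_MASK)` is the inverse of the check at `out:` and could carry a short comment as well.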
115001diff --git a/mm/nommu.c b/mm/nommu.c
115002index 58ea364..7b01d28 100644
115003--- a/mm/nommu.c
115004+++ b/mm/nommu.c
115005@@ -56,7 +56,6 @@ int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
115006 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
115007 unsigned long sysctl_user_reserve_kbytes __read_mostly = 1UL << 17; /* 128MB */
115008 unsigned long sysctl_admin_reserve_kbytes __read_mostly = 1UL << 13; /* 8MB */
115009-int heap_stack_gap = 0;
115010
115011 atomic_long_t mmap_pages_allocated;
115012
115013@@ -863,15 +862,6 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
115014 EXPORT_SYMBOL(find_vma);
115015
115016 /*
115017- * find a VMA
115018- * - we don't extend stack VMAs under NOMMU conditions
115019- */
115020-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
115021-{
115022- return find_vma(mm, addr);
115023-}
115024-
115025-/*
115026 * expand a stack to a given address
115027 * - not supported under NOMMU conditions
115028 */
115029@@ -1535,6 +1525,7 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115030
115031 /* most fields are the same, copy all, and then fixup */
115032 *new = *vma;
115033+ INIT_LIST_HEAD(&new->anon_vma_chain);
115034 *region = *vma->vm_region;
115035 new->vm_region = region;
115036
115037@@ -1935,8 +1926,8 @@ void filemap_map_pages(struct vm_area_struct *vma, struct vm_fault *vmf)
115038 }
115039 EXPORT_SYMBOL(filemap_map_pages);
115040
115041-static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115042- unsigned long addr, void *buf, int len, int write)
115043+static ssize_t __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115044+ unsigned long addr, void *buf, size_t len, int write)
115045 {
115046 struct vm_area_struct *vma;
115047
115048@@ -1977,8 +1968,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115049 *
115050 * The caller must hold a reference on @mm.
115051 */
115052-int access_remote_vm(struct mm_struct *mm, unsigned long addr,
115053- void *buf, int len, int write)
115054+ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
115055+ void *buf, size_t len, int write)
115056 {
115057 return __access_remote_vm(NULL, mm, addr, buf, len, write);
115058 }
115059@@ -1987,7 +1978,7 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
115060 * Access another process' address space.
115061 * - source/target buffer must be kernel space
115062 */
115063-int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write)
115064+ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, size_t len, int write)
115065 {
115066 struct mm_struct *mm;
115067
115068diff --git a/mm/page-writeback.c b/mm/page-writeback.c
115069index 5cccc12..1872e56 100644
115070--- a/mm/page-writeback.c
115071+++ b/mm/page-writeback.c
115072@@ -852,7 +852,7 @@ static long long pos_ratio_polynom(unsigned long setpoint,
115073 * card's wb_dirty may rush to many times higher than wb_setpoint.
115074 * - the wb dirty thresh drops quickly due to change of JBOD workload
115075 */
115076-static void wb_position_ratio(struct dirty_throttle_control *dtc)
115077+static void __intentional_overflow(-1) wb_position_ratio(struct dirty_throttle_control *dtc)
115078 {
115079 struct bdi_writeback *wb = dtc->wb;
115080 unsigned long write_bw = wb->avg_write_bandwidth;
115081diff --git a/mm/page_alloc.c b/mm/page_alloc.c
115082index 5b5240b..2bc0996 100644
115083--- a/mm/page_alloc.c
115084+++ b/mm/page_alloc.c
115085@@ -62,6 +62,7 @@
115086 #include <linux/sched/rt.h>
115087 #include <linux/page_owner.h>
115088 #include <linux/kthread.h>
115089+#include <linux/random.h>
115090
115091 #include <asm/sections.h>
115092 #include <asm/tlbflush.h>
115093@@ -427,7 +428,7 @@ out:
115094 * This usage means that zero-order pages may not be compound.
115095 */
115096
115097-static void free_compound_page(struct page *page)
115098+void free_compound_page(struct page *page)
115099 {
115100 __free_pages_ok(page, compound_order(page));
115101 }
115102@@ -536,7 +537,7 @@ static inline void clear_page_guard(struct zone *zone, struct page *page,
115103 __mod_zone_freepage_state(zone, (1 << order), migratetype);
115104 }
115105 #else
115106-struct page_ext_operations debug_guardpage_ops = { NULL, };
115107+struct page_ext_operations debug_guardpage_ops = { .need = NULL, .init = NULL };
115108 static inline void set_page_guard(struct zone *zone, struct page *page,
115109 unsigned int order, int migratetype) {}
115110 static inline void clear_page_guard(struct zone *zone, struct page *page,
115111@@ -908,6 +909,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
115112 bool compound = PageCompound(page);
115113 int i, bad = 0;
115114
115115+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115116+ unsigned long index = 1UL << order;
115117+#endif
115118+
115119 VM_BUG_ON_PAGE(PageTail(page), page);
115120 VM_BUG_ON_PAGE(compound && compound_order(page) != order, page);
115121
115122@@ -934,6 +939,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
115123 debug_check_no_obj_freed(page_address(page),
115124 PAGE_SIZE << order);
115125 }
115126+
115127+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115128+ for (; index; --index)
115129+ sanitize_highpage(page + index - 1);
115130+#endif
115131+
115132 arch_free_page(page, order);
115133 kernel_map_pages(page, 1 << order, 0);
115134
115135@@ -957,6 +968,20 @@ static void __free_pages_ok(struct page *page, unsigned int order)
115136 local_irq_restore(flags);
115137 }
115138
115139+#ifdef CONFIG_PAX_LATENT_ENTROPY
115140+bool __meminitdata extra_latent_entropy;
115141+
115142+static int __init setup_pax_extra_latent_entropy(char *str)
115143+{
115144+ extra_latent_entropy = true;
115145+ return 0;
115146+}
115147+early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy);
115148+
115149+volatile u64 latent_entropy __latent_entropy;
115150+EXPORT_SYMBOL(latent_entropy);
115151+#endif
115152+
115153 static void __init __free_pages_boot_core(struct page *page,
115154 unsigned long pfn, unsigned int order)
115155 {
115156@@ -973,6 +998,19 @@ static void __init __free_pages_boot_core(struct page *page,
115157 __ClearPageReserved(p);
115158 set_page_count(p, 0);
115159
115160+#ifdef CONFIG_PAX_LATENT_ENTROPY
115161+ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
115162+ u64 hash = 0;
115163+ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
115164+ const u64 *data = lowmem_page_address(page);
115165+
115166+ for (index = 0; index < end; index++)
115167+ hash ^= hash + data[index];
115168+ latent_entropy ^= hash;
115169+ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
115170+ }
115171+#endif
115172+
115173 page_zone(page)->managed_pages += nr_pages;
115174 set_page_refcounted(page);
115175 __free_pages(page, order);
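Review bot: The bound `page_to_pfn(page) < 0x100000` is an unexplained magic number. With 4 KiB pages it would limit the extra mixing to the first 4 GiB of physical memory, but the hunk does not say whether that is the intent or why; a named constant or a comment such as `/* only hash pages below pfn 0x100000 (4 GiB with 4 KiB pages) */` would make it reviewable. A comment should also say that the page contents reach `add_device_randomness()` only as opportunistic input, since boot-time memory contents are not guaranteed to be unpredictable. The function begins outside the hunk.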
115176@@ -1029,7 +1067,6 @@ static inline bool __meminit meminit_pfn_in_nid(unsigned long pfn, int node,
115177 }
115178 #endif
115179
115180-
115181 void __init __free_pages_bootmem(struct page *page, unsigned long pfn,
115182 unsigned int order)
115183 {
115184@@ -1333,9 +1370,11 @@ static int prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags,
115185 kernel_map_pages(page, 1 << order, 1);
115186 kasan_alloc_pages(page, order);
115187
115188+#ifndef CONFIG_PAX_MEMORY_SANITIZE
115189 if (gfp_flags & __GFP_ZERO)
115190 for (i = 0; i < (1 << order); i++)
115191 clear_highpage(page + i);
115192+#endif
115193
115194 if (order && (gfp_flags & __GFP_COMP))
115195 prep_compound_page(page, order);
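Review bot: With CONFIG_PAX_MEMORY_SANITIZE the `__GFP_ZERO` clearing is compiled out without a comment, so zeroed allocations depend entirely on every page having been cleared on its way into the allocator. The `free_pages_prepare()` hunk in this file adds `sanitize_highpage()` on the free path, which is presumably what upholds that; any path that puts pages on the free lists without passing through it would hand stale data to `__GFP_ZERO` callers. Please state the invariant at the `#ifndef`, e.g. `/* pages are already cleared at free time by sanitize_highpage() */`.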
115196@@ -2116,7 +2155,7 @@ struct page *buffered_rmqueue(struct zone *preferred_zone,
115197 }
115198
115199 __mod_zone_page_state(zone, NR_ALLOC_BATCH, -(1 << order));
115200- if (atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0 &&
115201+ if (atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0 &&
115202 !test_bit(ZONE_FAIR_DEPLETED, &zone->flags))
115203 set_bit(ZONE_FAIR_DEPLETED, &zone->flags);
115204
115205@@ -2435,7 +2474,7 @@ static void reset_alloc_batches(struct zone *preferred_zone)
115206 do {
115207 mod_zone_page_state(zone, NR_ALLOC_BATCH,
115208 high_wmark_pages(zone) - low_wmark_pages(zone) -
115209- atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]));
115210+ atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]));
115211 clear_bit(ZONE_FAIR_DEPLETED, &zone->flags);
115212 } while (zone++ != preferred_zone);
115213 }
115214@@ -6184,7 +6223,7 @@ static void __setup_per_zone_wmarks(void)
115215
115216 __mod_zone_page_state(zone, NR_ALLOC_BATCH,
115217 high_wmark_pages(zone) - low_wmark_pages(zone) -
115218- atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]));
115219+ atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]));
115220
115221 setup_zone_migrate_reserve(zone);
115222 spin_unlock_irqrestore(&zone->lock, flags);
115223diff --git a/mm/percpu.c b/mm/percpu.c
115224index 2dd7448..9bb6305 100644
115225--- a/mm/percpu.c
115226+++ b/mm/percpu.c
115227@@ -131,7 +131,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly;
115228 static unsigned int pcpu_high_unit_cpu __read_mostly;
115229
115230 /* the address of the first chunk which starts with the kernel static area */
115231-void *pcpu_base_addr __read_mostly;
115232+void *pcpu_base_addr __read_only;
115233 EXPORT_SYMBOL_GPL(pcpu_base_addr);
115234
115235 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
115236diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
115237index e88d071..d80e01a 100644
115238--- a/mm/process_vm_access.c
115239+++ b/mm/process_vm_access.c
115240@@ -13,6 +13,7 @@
115241 #include <linux/uio.h>
115242 #include <linux/sched.h>
115243 #include <linux/highmem.h>
115244+#include <linux/security.h>
115245 #include <linux/ptrace.h>
115246 #include <linux/slab.h>
115247 #include <linux/syscalls.h>
115248@@ -154,19 +155,19 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
115249 ssize_t iov_len;
115250 size_t total_len = iov_iter_count(iter);
115251
115252+ return -ENOSYS; // PaX: until properly audited
115253+
115254 /*
115255 * Work out how many pages of struct pages we're going to need
115256 * when eventually calling get_user_pages
115257 */
115258 for (i = 0; i < riovcnt; i++) {
115259 iov_len = rvec[i].iov_len;
115260- if (iov_len > 0) {
115261- nr_pages_iov = ((unsigned long)rvec[i].iov_base
115262- + iov_len)
115263- / PAGE_SIZE - (unsigned long)rvec[i].iov_base
115264- / PAGE_SIZE + 1;
115265- nr_pages = max(nr_pages, nr_pages_iov);
115266- }
115267+ if (iov_len <= 0)
115268+ continue;
115269+ nr_pages_iov = ((unsigned long)rvec[i].iov_base + iov_len) / PAGE_SIZE -
115270+ (unsigned long)rvec[i].iov_base / PAGE_SIZE + 1;
115271+ nr_pages = max(nr_pages, nr_pages_iov);
115272 }
115273
115274 if (nr_pages == 0)
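Review bot: The unconditional `return -ENOSYS;` leaves the rest of `process_vm_rw_core()` as dead code, including the reformatted page-count loop in this hunk and the `gr_handle_ptrace()` check added in the next one. Disabling the interface until it is audited is the conservative choice, but code that can never run gets no testing and may draw unreachable-code or unused-variable warnings. Consider compiling the body out under a config symbol, or expanding the comment to say what the audit must cover before the return is lifted, e.g. `/* PaX: cross-process access disabled; re-enable only after the gr_handle_ptrace() path below has been audited */`.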
115275@@ -194,6 +195,11 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
115276 goto free_proc_pages;
115277 }
115278
115279+ if (gr_handle_ptrace(task, vm_write ? PTRACE_POKETEXT : PTRACE_ATTACH)) {
115280+ rc = -EPERM;
115281+ goto put_task_struct;
115282+ }
115283+
115284 mm = mm_access(task, PTRACE_MODE_ATTACH);
115285 if (!mm || IS_ERR(mm)) {
115286 rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
115287diff --git a/mm/rmap.c b/mm/rmap.c
115288index 171b687..1a4b7e8 100644
115289--- a/mm/rmap.c
115290+++ b/mm/rmap.c
115291@@ -168,6 +168,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
115292 struct anon_vma *anon_vma = vma->anon_vma;
115293 struct anon_vma_chain *avc;
115294
115295+#ifdef CONFIG_PAX_SEGMEXEC
115296+ struct anon_vma_chain *avc_m = NULL;
115297+#endif
115298+
115299 might_sleep();
115300 if (unlikely(!anon_vma)) {
115301 struct mm_struct *mm = vma->vm_mm;
115302@@ -177,6 +181,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
115303 if (!avc)
115304 goto out_enomem;
115305
115306+#ifdef CONFIG_PAX_SEGMEXEC
115307+ avc_m = anon_vma_chain_alloc(GFP_KERNEL);
115308+ if (!avc_m)
115309+ goto out_enomem_free_avc;
115310+#endif
115311+
115312 anon_vma = find_mergeable_anon_vma(vma);
115313 allocated = NULL;
115314 if (!anon_vma) {
115315@@ -190,6 +200,19 @@ int anon_vma_prepare(struct vm_area_struct *vma)
115316 /* page_table_lock to protect against threads */
115317 spin_lock(&mm->page_table_lock);
115318 if (likely(!vma->anon_vma)) {
115319+
115320+#ifdef CONFIG_PAX_SEGMEXEC
115321+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
115322+
115323+ if (vma_m) {
115324+ BUG_ON(vma_m->anon_vma);
115325+ vma_m->anon_vma = anon_vma;
115326+ anon_vma_chain_link(vma_m, avc_m, anon_vma);
115327+ anon_vma->degree++;
115328+ avc_m = NULL;
115329+ }
115330+#endif
115331+
115332 vma->anon_vma = anon_vma;
115333 anon_vma_chain_link(vma, avc, anon_vma);
115334 /* vma reference or self-parent link for new root */
115335@@ -202,12 +225,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
115336
115337 if (unlikely(allocated))
115338 put_anon_vma(allocated);
115339+
115340+#ifdef CONFIG_PAX_SEGMEXEC
115341+ if (unlikely(avc_m))
115342+ anon_vma_chain_free(avc_m);
115343+#endif
115344+
115345 if (unlikely(avc))
115346 anon_vma_chain_free(avc);
115347 }
115348 return 0;
115349
115350 out_enomem_free_avc:
115351+
115352+#ifdef CONFIG_PAX_SEGMEXEC
115353+ if (avc_m)
115354+ anon_vma_chain_free(avc_m);
115355+#endif
115356+
115357 anon_vma_chain_free(avc);
115358 out_enomem:
115359 return -ENOMEM;
115360@@ -251,7 +286,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
115361 * good chance of avoiding scanning the whole hierarchy when it searches where
115362 * page is mapped.
115363 */
115364-int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
115365+int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
115366 {
115367 struct anon_vma_chain *avc, *pavc;
115368 struct anon_vma *root = NULL;
115369@@ -305,7 +340,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
115370 * the corresponding VMA in the parent process is attached to.
115371 * Returns 0 on success, non-zero on failure.
115372 */
115373-int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
115374+int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
115375 {
115376 struct anon_vma_chain *avc;
115377 struct anon_vma *anon_vma;
115378@@ -425,8 +460,10 @@ static void anon_vma_ctor(void *data)
115379 void __init anon_vma_init(void)
115380 {
115381 anon_vma_cachep = kmem_cache_create("anon_vma", sizeof(struct anon_vma),
115382- 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC, anon_vma_ctor);
115383- anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain, SLAB_PANIC);
115384+ 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC|SLAB_NO_SANITIZE,
115385+ anon_vma_ctor);
115386+ anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain,
115387+ SLAB_PANIC|SLAB_NO_SANITIZE);
115388 }
115389
115390 /*
115391diff --git a/mm/shmem.c b/mm/shmem.c
115392index dbe0c1e..22c16c7 100644
115393--- a/mm/shmem.c
115394+++ b/mm/shmem.c
115395@@ -33,7 +33,7 @@
115396 #include <linux/swap.h>
115397 #include <linux/uio.h>
115398
115399-static struct vfsmount *shm_mnt;
115400+struct vfsmount *shm_mnt;
115401
115402 #ifdef CONFIG_SHMEM
115403 /*
115404@@ -80,7 +80,7 @@ static struct vfsmount *shm_mnt;
115405 #define BOGO_DIRENT_SIZE 20
115406
115407 /* Symlink up to this size is kmalloc'ed instead of using a swappable page */
115408-#define SHORT_SYMLINK_LEN 128
115409+#define SHORT_SYMLINK_LEN 64
115410
115411 /*
115412 * shmem_fallocate communicates with shmem_fault or shmem_writepage via
115413@@ -2549,6 +2549,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
115414 static int shmem_xattr_validate(const char *name)
115415 {
115416 struct { const char *prefix; size_t len; } arr[] = {
115417+
115418+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
115419+ { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN},
115420+#endif
115421+
115422 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
115423 { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
115424 };
115425@@ -2604,6 +2609,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
115426 if (err)
115427 return err;
115428
115429+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
115430+ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
115431+ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
115432+ return -EOPNOTSUPP;
115433+ if (size > 8)
115434+ return -EINVAL;
115435+ }
115436+#endif
115437+
115438 return simple_xattr_set(&info->xattrs, name, value, size, flags);
115439 }
115440
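Review bot: `if (size > 8)` uses a bare constant for the largest accepted `XATTR_NAME_PAX_FLAGS` value. A named constant or a comment (`/* PaX flags value is at most 8 bytes */`) would tie the limit to the format the flag parser expects, which is not visible in this hunk. `shmem_xattr_validate()` in the previous hunk now accepts the whole `user.` prefix and only this function narrows it to the one attribute, so a comment saying that other `user.*` names are deliberately refused with -EOPNOTSUPP would make the pairing clear.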
115441@@ -2987,8 +3001,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
115442 int err = -ENOMEM;
115443
115444 /* Round up to L1_CACHE_BYTES to resist false sharing */
115445- sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
115446- L1_CACHE_BYTES), GFP_KERNEL);
115447+ sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
115448 if (!sbinfo)
115449 return -ENOMEM;
115450
115451diff --git a/mm/slab.c b/mm/slab.c
115452index bbd0b47..eb6af9e 100644
115453--- a/mm/slab.c
115454+++ b/mm/slab.c
115455@@ -116,6 +116,7 @@
115456 #include <linux/kmemcheck.h>
115457 #include <linux/memory.h>
115458 #include <linux/prefetch.h>
115459+#include <linux/vmalloc.h>
115460
115461 #include <net/sock.h>
115462
115463@@ -314,10 +315,12 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent)
115464 if ((x)->max_freeable < i) \
115465 (x)->max_freeable = i; \
115466 } while (0)
115467-#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
115468-#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
115469-#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
115470-#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
115471+#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
115472+#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
115473+#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
115474+#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
115475+#define STATS_INC_SANITIZED(x) atomic_inc_unchecked(&(x)->sanitized)
115476+#define STATS_INC_NOT_SANITIZED(x) atomic_inc_unchecked(&(x)->not_sanitized)
115477 #else
115478 #define STATS_INC_ACTIVE(x) do { } while (0)
115479 #define STATS_DEC_ACTIVE(x) do { } while (0)
115480@@ -334,6 +337,8 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent)
115481 #define STATS_INC_ALLOCMISS(x) do { } while (0)
115482 #define STATS_INC_FREEHIT(x) do { } while (0)
115483 #define STATS_INC_FREEMISS(x) do { } while (0)
115484+#define STATS_INC_SANITIZED(x) do { } while (0)
115485+#define STATS_INC_NOT_SANITIZED(x) do { } while (0)
115486 #endif
115487
115488 #if DEBUG
115489@@ -450,7 +455,7 @@ static inline void *index_to_obj(struct kmem_cache *cache, struct page *page,
115490 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
115491 */
115492 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
115493- const struct page *page, void *obj)
115494+ const struct page *page, const void *obj)
115495 {
115496 u32 offset = (obj - page->s_mem);
115497 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
115498@@ -1452,7 +1457,7 @@ void __init kmem_cache_init(void)
115499 * structures first. Without this, further allocations will bug.
115500 */
115501 kmalloc_caches[INDEX_NODE] = create_kmalloc_cache("kmalloc-node",
115502- kmalloc_size(INDEX_NODE), ARCH_KMALLOC_FLAGS);
115503+ kmalloc_size(INDEX_NODE), SLAB_USERCOPY | ARCH_KMALLOC_FLAGS);
115504 slab_state = PARTIAL_NODE;
115505 setup_kmalloc_cache_index_table();
115506
115507@@ -2074,7 +2079,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
115508
115509 cachep = find_mergeable(size, align, flags, name, ctor);
115510 if (cachep) {
115511- cachep->refcount++;
115512+ atomic_inc(&cachep->refcount);
115513
115514 /*
115515 * Adjust the object sizes so that we clear
115516@@ -2190,9 +2195,16 @@ __kmem_cache_create (struct kmem_cache *cachep, unsigned long flags)
115517 size += BYTES_PER_WORD;
115518 }
115519 #if FORCED_DEBUG && defined(CONFIG_DEBUG_PAGEALLOC)
115520- if (size >= kmalloc_size(INDEX_NODE + 1)
115521- && cachep->object_size > cache_line_size()
115522- && ALIGN(size, cachep->align) < PAGE_SIZE) {
115523+ /*
115524+ * To activate debug pagealloc, off-slab management is necessary
115525+ * requirement. In early phase of initialization, small sized slab
115526+ * doesn't get initialized so it would not be possible. So, we need
115527+ * to check size >= 256. It guarantees that all necessary small
115528+ * sized slab is initialized in current slab initialization sequence.
115529+ */
115530+ if (!slab_early_init && size >= kmalloc_size(INDEX_NODE) &&
115531+ size >= 256 && cachep->object_size > cache_line_size() &&
115532+ ALIGN(size, cachep->align) < PAGE_SIZE) {
115533 cachep->obj_offset += PAGE_SIZE - ALIGN(size, cachep->align);
115534 size = PAGE_SIZE;
115535 }
115536@@ -3372,6 +3384,20 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp,
115537 struct array_cache *ac = cpu_cache_get(cachep);
115538
115539 check_irq_off();
115540+
115541+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115542+ if (cachep->flags & (SLAB_POISON | SLAB_NO_SANITIZE))
115543+ STATS_INC_NOT_SANITIZED(cachep);
115544+ else {
115545+ memset(objp, PAX_MEMORY_SANITIZE_VALUE, cachep->object_size);
115546+
115547+ if (cachep->ctor)
115548+ cachep->ctor(objp);
115549+
115550+ STATS_INC_SANITIZED(cachep);
115551+ }
115552+#endif
115553+
115554 kmemleak_free_recursive(objp, cachep->flags);
115555 objp = cache_free_debugcheck(cachep, objp, caller);
115556
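Review bot: The sanitize branch skips only caches flagged `SLAB_POISON` or `SLAB_NO_SANITIZE`; it does not look at `SLAB_DESTROY_BY_RCU` or at the `pax_sanitize_slab` mode declared in mm/slab.h. Objects in RCU-typed caches may still be read after they are freed, so overwriting them here would be unsafe unless cache creation already folds that flag (and the OFF/FAST/FULL mode) into `SLAB_NO_SANITIZE`; that code is outside this chunk. A comment saying where that happens, and why the constructor is re-run after the memset (`/* leave the freed object in its constructed state */`), would make the block self-explanatory.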
115557@@ -3484,7 +3510,7 @@ __do_kmalloc_node(size_t size, gfp_t flags, int node, unsigned long caller)
115558 return kmem_cache_alloc_node_trace(cachep, flags, node, size);
115559 }
115560
115561-void *__kmalloc_node(size_t size, gfp_t flags, int node)
115562+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
115563 {
115564 return __do_kmalloc_node(size, flags, node, _RET_IP_);
115565 }
115566@@ -3504,7 +3530,7 @@ EXPORT_SYMBOL(__kmalloc_node_track_caller);
115567 * @flags: the type of memory to allocate (see kmalloc).
115568 * @caller: function caller for debug tracking of the caller
115569 */
115570-static __always_inline void *__do_kmalloc(size_t size, gfp_t flags,
115571+static __always_inline void * __size_overflow(1) __do_kmalloc(size_t size, gfp_t flags,
115572 unsigned long caller)
115573 {
115574 struct kmem_cache *cachep;
115575@@ -3577,6 +3603,7 @@ void kfree(const void *objp)
115576
115577 if (unlikely(ZERO_OR_NULL_PTR(objp)))
115578 return;
115579+ VM_BUG_ON(!virt_addr_valid(objp));
115580 local_irq_save(flags);
115581 kfree_debugcheck(objp);
115582 c = virt_to_cache(objp);
115583@@ -3996,14 +4023,22 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep)
115584 }
115585 /* cpu stats */
115586 {
115587- unsigned long allochit = atomic_read(&cachep->allochit);
115588- unsigned long allocmiss = atomic_read(&cachep->allocmiss);
115589- unsigned long freehit = atomic_read(&cachep->freehit);
115590- unsigned long freemiss = atomic_read(&cachep->freemiss);
115591+ unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
115592+ unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
115593+ unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
115594+ unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
115595
115596 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
115597 allochit, allocmiss, freehit, freemiss);
115598 }
115599+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115600+ {
115601+ unsigned long sanitized = atomic_read_unchecked(&cachep->sanitized);
115602+ unsigned long not_sanitized = atomic_read_unchecked(&cachep->not_sanitized);
115603+
115604+ seq_printf(m, " : pax %6lu %6lu", sanitized, not_sanitized);
115605+ }
115606+#endif
115607 #endif
115608 }
115609
115610@@ -4211,13 +4246,80 @@ static const struct file_operations proc_slabstats_operations = {
115611 static int __init slab_proc_init(void)
115612 {
115613 #ifdef CONFIG_DEBUG_SLAB_LEAK
115614- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
115615+ proc_create("slab_allocators", S_IRUSR, NULL, &proc_slabstats_operations);
115616 #endif
115617 return 0;
115618 }
115619 module_init(slab_proc_init);
115620 #endif
115621
115622+bool is_usercopy_object(const void *ptr)
115623+{
115624+ struct page *page;
115625+ struct kmem_cache *cachep;
115626+
115627+ if (ZERO_OR_NULL_PTR(ptr))
115628+ return false;
115629+
115630+ if (!slab_is_available())
115631+ return false;
115632+
115633+ if (is_vmalloc_addr(ptr)
115634+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
115635+ && !object_starts_on_stack(ptr)
115636+#endif
115637+ ) {
115638+ struct vm_struct *vm = find_vm_area(ptr);
115639+ if (vm && (vm->flags & VM_USERCOPY))
115640+ return true;
115641+ return false;
115642+ }
115643+
115644+ if (!virt_addr_valid(ptr))
115645+ return false;
115646+
115647+ page = virt_to_head_page(ptr);
115648+
115649+ if (!PageSlab(page))
115650+ return false;
115651+
115652+ cachep = page->slab_cache;
115653+ return cachep->flags & SLAB_USERCOPY;
115654+}
115655+
115656+#ifdef CONFIG_PAX_USERCOPY
115657+const char *check_heap_object(const void *ptr, unsigned long n)
115658+{
115659+ struct page *page;
115660+ struct kmem_cache *cachep;
115661+ unsigned int objnr;
115662+ unsigned long offset;
115663+
115664+ if (ZERO_OR_NULL_PTR(ptr))
115665+ return "<null>";
115666+
115667+ if (!virt_addr_valid(ptr))
115668+ return NULL;
115669+
115670+ page = virt_to_head_page(ptr);
115671+
115672+ if (!PageSlab(page))
115673+ return NULL;
115674+
115675+ cachep = page->slab_cache;
115676+ if (!(cachep->flags & SLAB_USERCOPY))
115677+ return cachep->name;
115678+
115679+ objnr = obj_to_index(cachep, page, ptr);
115680+ BUG_ON(objnr >= cachep->num);
115681+ offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep);
115682+ if (offset <= cachep->object_size && n <= cachep->object_size - offset)
115683+ return NULL;
115684+
115685+ return cachep->name;
115686+}
115687+#endif
115688+
115689 /**
115690 * ksize - get the actual amount of memory allocated for a given object
115691 * @objp: Pointer to the object
115692diff --git a/mm/slab.h b/mm/slab.h
115693index 8da63e4..50c423b 100644
115694--- a/mm/slab.h
115695+++ b/mm/slab.h
115696@@ -22,7 +22,7 @@ struct kmem_cache {
115697 unsigned int align; /* Alignment as calculated */
115698 unsigned long flags; /* Active flags on the slab */
115699 const char *name; /* Slab name for sysfs */
115700- int refcount; /* Use counter */
115701+ atomic_t refcount; /* Use counter */
115702 void (*ctor)(void *); /* Called on object slot creation */
115703 struct list_head list; /* List of all slab caches on the system */
115704 };
115705@@ -66,6 +66,20 @@ extern struct list_head slab_caches;
115706 /* The slab cache that manages slab cache information */
115707 extern struct kmem_cache *kmem_cache;
115708
115709+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115710+#ifdef CONFIG_X86_64
115711+#define PAX_MEMORY_SANITIZE_VALUE '\xfe'
115712+#else
115713+#define PAX_MEMORY_SANITIZE_VALUE '\xff'
115714+#endif
115715+enum pax_sanitize_mode {
115716+ PAX_SANITIZE_SLAB_OFF = 0,
115717+ PAX_SANITIZE_SLAB_FAST,
115718+ PAX_SANITIZE_SLAB_FULL,
115719+};
115720+extern enum pax_sanitize_mode pax_sanitize_slab;
115721+#endif
115722+
115723 unsigned long calculate_alignment(unsigned long flags,
115724 unsigned long align, unsigned long size);
115725
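Review bot: The two `PAX_MEMORY_SANITIZE_VALUE` definitions give no reason for using `'\xfe'` on x86_64 and `'\xff'` elsewhere, and `enum pax_sanitize_mode` does not say what separates FAST from FULL. A one-line comment above each would help, for example `/* OFF: never sanitize; FAST: honour SLAB_NO_SANITIZE; FULL: clear it (RCU caches excepted) */` for the enum. That wording is taken from how kmem_cache_create() in mm/slab_common.c uses the modes later in this patch. The reason for the per-architecture fill byte is not visible here and should be stated by the author.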
115726@@ -115,7 +129,8 @@ static inline unsigned long kmem_cache_flags(unsigned long object_size,
115727
115728 /* Legal flag mask for kmem_cache_create(), for various configurations */
115729 #define SLAB_CORE_FLAGS (SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA | SLAB_PANIC | \
115730- SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS )
115731+ SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS | \
115732+ SLAB_USERCOPY | SLAB_NO_SANITIZE)
115733
115734 #if defined(CONFIG_DEBUG_SLAB)
115735 #define SLAB_DEBUG_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER)
115736@@ -316,6 +331,9 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
115737 return s;
115738
115739 page = virt_to_head_page(x);
115740+
115741+ BUG_ON(!PageSlab(page));
115742+
115743 cachep = page->slab_cache;
115744 if (slab_equal_or_root(cachep, s))
115745 return cachep;
115746diff --git a/mm/slab_common.c b/mm/slab_common.c
115747index 8683110..916e2c5 100644
115748--- a/mm/slab_common.c
115749+++ b/mm/slab_common.c
115750@@ -25,11 +25,35 @@
115751
115752 #include "slab.h"
115753
115754-enum slab_state slab_state;
115755+enum slab_state slab_state __read_only;
115756 LIST_HEAD(slab_caches);
115757 DEFINE_MUTEX(slab_mutex);
115758 struct kmem_cache *kmem_cache;
115759
115760+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115761+enum pax_sanitize_mode pax_sanitize_slab __read_only = PAX_SANITIZE_SLAB_FAST;
115762+static int __init pax_sanitize_slab_setup(char *str)
115763+{
115764+ if (!str)
115765+ return 0;
115766+
115767+ if (!strcmp(str, "0") || !strcmp(str, "off")) {
115768+ pr_info("PaX slab sanitization: %s\n", "disabled");
115769+ pax_sanitize_slab = PAX_SANITIZE_SLAB_OFF;
115770+ } else if (!strcmp(str, "1") || !strcmp(str, "fast")) {
115771+ pr_info("PaX slab sanitization: %s\n", "fast");
115772+ pax_sanitize_slab = PAX_SANITIZE_SLAB_FAST;
115773+ } else if (!strcmp(str, "full")) {
115774+ pr_info("PaX slab sanitization: %s\n", "full");
115775+ pax_sanitize_slab = PAX_SANITIZE_SLAB_FULL;
115776+ } else
115777+ pr_err("PaX slab sanitization: unsupported option '%s'\n", str);
115778+
115779+ return 0;
115780+}
115781+early_param("pax_sanitize_slab", pax_sanitize_slab_setup);
115782+#endif
115783+
115784 /*
115785 * Set of flags that will prevent slab merging
115786 */
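Review bot: In `pax_sanitize_slab_setup()` the final `else` is unbraced while every other branch of the chain is braced, and "full" has no numeric alias although "0" and "1" are accepted for the other two modes. Kernel style braces all branches once one of them needs braces, so the tail should read `} else {`, the `pr_err(...)` line, then `}`. If a numeric form for full is intended, `!strcmp(str, "2") || !strcmp(str, "full")` would make the three options parallel. A short comment above the function listing the accepted values (`0|off`, `1|fast`, `full`) and noting that the default is FAST would also save readers from parsing the chain.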
115787@@ -43,7 +67,7 @@ struct kmem_cache *kmem_cache;
115788 * Merge control. If this is set then no merging of slab caches will occur.
115789 * (Could be removed. This was introduced to pacify the merge skeptics.)
115790 */
115791-static int slab_nomerge;
115792+static int slab_nomerge = 1;
115793
115794 static int __init setup_slab_nomerge(char *str)
115795 {
115796@@ -216,7 +240,7 @@ int slab_unmergeable(struct kmem_cache *s)
115797 /*
115798 * We may have set a slab to be unmergeable during bootstrap.
115799 */
115800- if (s->refcount < 0)
115801+ if (atomic_read(&s->refcount) < 0)
115802 return 1;
115803
115804 return 0;
115805@@ -320,7 +344,7 @@ do_kmem_cache_create(const char *name, size_t object_size, size_t size,
115806 if (err)
115807 goto out_free_cache;
115808
115809- s->refcount = 1;
115810+ atomic_set(&s->refcount, 1);
115811 list_add(&s->list, &slab_caches);
115812 out:
115813 if (err)
115814@@ -385,6 +409,13 @@ kmem_cache_create(const char *name, size_t size, size_t align,
115815 */
115816 flags &= CACHE_CREATE_MASK;
115817
115818+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115819+ if (pax_sanitize_slab == PAX_SANITIZE_SLAB_OFF || (flags & SLAB_DESTROY_BY_RCU))
115820+ flags |= SLAB_NO_SANITIZE;
115821+ else if (pax_sanitize_slab == PAX_SANITIZE_SLAB_FULL)
115822+ flags &= ~SLAB_NO_SANITIZE;
115823+#endif
115824+
115825 s = __kmem_cache_alias(name, size, align, flags, ctor);
115826 if (s)
115827 goto out_unlock;
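Review bot: The flag fix-up added to kmem_cache_create() has no comment explaining why `SLAB_DESTROY_BY_RCU` caches are forced to `SLAB_NO_SANITIZE` even when `pax_sanitize_slab` is `PAX_SANITIZE_SLAB_FULL`. Because the first branch wins, full mode does not cover those caches, which is easy to miss when auditing which objects are wiped on free. A comment such as `/* RCU-freed objects can still be read by lockless readers after free, so they are never sanitized */` would record the intent; that reason is my inference and should be confirmed. The function starts and ends outside this hunk.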
115828@@ -455,7 +486,7 @@ static void do_kmem_cache_release(struct list_head *release,
115829 rcu_barrier();
115830
115831 list_for_each_entry_safe(s, s2, release, list) {
115832-#ifdef SLAB_SUPPORTS_SYSFS
115833+#if defined(SLAB_SUPPORTS_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
115834 sysfs_slab_remove(s);
115835 #else
115836 slab_kmem_cache_release(s);
115837@@ -624,8 +655,7 @@ void kmem_cache_destroy(struct kmem_cache *s)
115838
115839 mutex_lock(&slab_mutex);
115840
115841- s->refcount--;
115842- if (s->refcount)
115843+ if (!atomic_dec_and_test(&s->refcount))
115844 goto out_unlock;
115845
115846 for_each_memcg_cache_safe(c, c2, s) {
115847@@ -690,7 +720,7 @@ void __init create_boot_cache(struct kmem_cache *s, const char *name, size_t siz
115848 panic("Creation of kmalloc slab %s size=%zu failed. Reason %d\n",
115849 name, size, err);
115850
115851- s->refcount = -1; /* Exempt from merging for now */
115852+ atomic_set(&s->refcount, -1); /* Exempt from merging for now */
115853 }
115854
115855 struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
115856@@ -703,7 +733,7 @@ struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
115857
115858 create_boot_cache(s, name, size, flags);
115859 list_add(&s->list, &slab_caches);
115860- s->refcount = 1;
115861+ atomic_set(&s->refcount, 1);
115862 return s;
115863 }
115864
115865@@ -715,6 +745,11 @@ struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
115866 EXPORT_SYMBOL(kmalloc_dma_caches);
115867 #endif
115868
115869+#ifdef CONFIG_PAX_USERCOPY_SLABS
115870+struct kmem_cache *kmalloc_usercopy_caches[KMALLOC_SHIFT_HIGH + 1];
115871+EXPORT_SYMBOL(kmalloc_usercopy_caches);
115872+#endif
115873+
115874 /*
115875 * Conversion table for small slabs sizes / 8 to the index in the
115876 * kmalloc array. This is necessary for slabs < 192 since we have non power
115877@@ -779,6 +814,13 @@ struct kmem_cache *kmalloc_slab(size_t size, gfp_t flags)
115878 return kmalloc_dma_caches[index];
115879
115880 #endif
115881+
115882+#ifdef CONFIG_PAX_USERCOPY_SLABS
115883+ if (unlikely((flags & GFP_USERCOPY)))
115884+ return kmalloc_usercopy_caches[index];
115885+
115886+#endif
115887+
115888 return kmalloc_caches[index];
115889 }
115890
115891@@ -871,7 +913,7 @@ void __init create_kmalloc_caches(unsigned long flags)
115892
115893 for (i = KMALLOC_SHIFT_LOW; i <= KMALLOC_SHIFT_HIGH; i++) {
115894 if (!kmalloc_caches[i])
115895- new_kmalloc_cache(i, flags);
115896+ new_kmalloc_cache(i, SLAB_USERCOPY | flags);
115897
115898 /*
115899 * Caches that are not of the two-to-the-power-of size.
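Review bot: `new_kmalloc_cache(i, SLAB_USERCOPY | flags)` marks every general-purpose kmalloc cache as usercopy-allowed, here and in the two calls of the next hunk, with no comment saying why. With `CONFIG_PAX_USERCOPY_SLABS` a later hunk also creates dedicated `usercopy-kmalloc-%d` caches, so a reader cannot tell from the code whether the general caches are meant to stay whitelisted. As far as the check_heap_object() implementations in this patch show, the flag decides whether a copy touching the cache is accepted at all, so this line defines the policy for kmalloc memory. Please state the intent in a comment, e.g. `/* general kmalloc caches stay copyable; GFP_USERCOPY only segregates allocations */` if that is the case. create_kmalloc_caches() starts outside the hunk.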
115900@@ -879,9 +921,9 @@ void __init create_kmalloc_caches(unsigned long flags)
115901 * earlier power of two caches
115902 */
115903 if (KMALLOC_MIN_SIZE <= 32 && !kmalloc_caches[1] && i == 6)
115904- new_kmalloc_cache(1, flags);
115905+ new_kmalloc_cache(1, SLAB_USERCOPY | flags);
115906 if (KMALLOC_MIN_SIZE <= 64 && !kmalloc_caches[2] && i == 7)
115907- new_kmalloc_cache(2, flags);
115908+ new_kmalloc_cache(2, SLAB_USERCOPY | flags);
115909 }
115910
115911 /* Kmalloc array is now usable */
115912@@ -902,6 +944,23 @@ void __init create_kmalloc_caches(unsigned long flags)
115913 }
115914 }
115915 #endif
115916+
115917+#ifdef CONFIG_PAX_USERCOPY_SLABS
115918+ for (i = 0; i <= KMALLOC_SHIFT_HIGH; i++) {
115919+ struct kmem_cache *s = kmalloc_caches[i];
115920+
115921+ if (s) {
115922+ int size = kmalloc_size(i);
115923+ char *n = kasprintf(GFP_NOWAIT,
115924+ "usercopy-kmalloc-%d", size);
115925+
115926+ BUG_ON(!n);
115927+ kmalloc_usercopy_caches[i] = create_kmalloc_cache(n,
115928+ size, SLAB_USERCOPY | flags);
115929+ }
115930+ }
115931+#endif
115932+
115933 }
115934 #endif /* !CONFIG_SLOB */
115935
115936@@ -961,6 +1020,9 @@ static void print_slabinfo_header(struct seq_file *m)
115937 seq_puts(m, " : globalstat <listallocs> <maxobjs> <grown> <reaped> "
115938 "<error> <maxfreeable> <nodeallocs> <remotefrees> <alienoverflow>");
115939 seq_puts(m, " : cpustat <allochit> <allocmiss> <freehit> <freemiss>");
115940+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115941+ seq_puts(m, " : pax <sanitized> <not_sanitized>");
115942+#endif
115943 #endif
115944 seq_putc(m, '\n');
115945 }
115946@@ -1090,7 +1152,7 @@ static int __init slab_proc_init(void)
115947 module_init(slab_proc_init);
115948 #endif /* CONFIG_SLABINFO */
115949
115950-static __always_inline void *__do_krealloc(const void *p, size_t new_size,
115951+static __always_inline void * __size_overflow(2) __do_krealloc(const void *p, size_t new_size,
115952 gfp_t flags)
115953 {
115954 void *ret;
115955diff --git a/mm/slob.c b/mm/slob.c
115956index 4765f65..5dec45e 100644
115957--- a/mm/slob.c
115958+++ b/mm/slob.c
115959@@ -67,6 +67,7 @@
115960 #include <linux/rcupdate.h>
115961 #include <linux/list.h>
115962 #include <linux/kmemleak.h>
115963+#include <linux/vmalloc.h>
115964
115965 #include <trace/events/kmem.h>
115966
115967@@ -157,7 +158,7 @@ static void set_slob(slob_t *s, slobidx_t size, slob_t *next)
115968 /*
115969 * Return the size of a slob block.
115970 */
115971-static slobidx_t slob_units(slob_t *s)
115972+static slobidx_t slob_units(const slob_t *s)
115973 {
115974 if (s->units > 0)
115975 return s->units;
115976@@ -167,7 +168,7 @@ static slobidx_t slob_units(slob_t *s)
115977 /*
115978 * Return the next free slob block pointer after this one.
115979 */
115980-static slob_t *slob_next(slob_t *s)
115981+static slob_t *slob_next(const slob_t *s)
115982 {
115983 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
115984 slobidx_t next;
115985@@ -182,14 +183,14 @@ static slob_t *slob_next(slob_t *s)
115986 /*
115987 * Returns true if s is the last free block in its page.
115988 */
115989-static int slob_last(slob_t *s)
115990+static int slob_last(const slob_t *s)
115991 {
115992 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
115993 }
115994
115995-static void *slob_new_pages(gfp_t gfp, int order, int node)
115996+static struct page *slob_new_pages(gfp_t gfp, unsigned int order, int node)
115997 {
115998- void *page;
115999+ struct page *page;
116000
116001 #ifdef CONFIG_NUMA
116002 if (node != NUMA_NO_NODE)
116003@@ -201,14 +202,18 @@ static void *slob_new_pages(gfp_t gfp, int order, int node)
116004 if (!page)
116005 return NULL;
116006
116007- return page_address(page);
116008+ __SetPageSlab(page);
116009+ return page;
116010 }
116011
116012-static void slob_free_pages(void *b, int order)
116013+static void slob_free_pages(struct page *sp, int order)
116014 {
116015 if (current->reclaim_state)
116016 current->reclaim_state->reclaimed_slab += 1 << order;
116017- free_pages((unsigned long)b, order);
116018+ __ClearPageSlab(sp);
116019+ page_mapcount_reset(sp);
116020+ sp->private = 0;
116021+ __free_pages(sp, order);
116022 }
116023
116024 /*
116025@@ -313,15 +318,15 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
116026
116027 /* Not enough space: must allocate a new page */
116028 if (!b) {
116029- b = slob_new_pages(gfp & ~__GFP_ZERO, 0, node);
116030- if (!b)
116031+ sp = slob_new_pages(gfp & ~__GFP_ZERO, 0, node);
116032+ if (!sp)
116033 return NULL;
116034- sp = virt_to_page(b);
116035- __SetPageSlab(sp);
116036+ b = page_address(sp);
116037
116038 spin_lock_irqsave(&slob_lock, flags);
116039 sp->units = SLOB_UNITS(PAGE_SIZE);
116040 sp->freelist = b;
116041+ sp->private = 0;
116042 INIT_LIST_HEAD(&sp->lru);
116043 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
116044 set_slob_page_free(sp, slob_list);
116045@@ -337,7 +342,7 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
116046 /*
116047 * slob_free: entry point into the slob allocator.
116048 */
116049-static void slob_free(void *block, int size)
116050+static void slob_free(struct kmem_cache *c, void *block, int size)
116051 {
116052 struct page *sp;
116053 slob_t *prev, *next, *b = (slob_t *)block;
116054@@ -359,12 +364,15 @@ static void slob_free(void *block, int size)
116055 if (slob_page_free(sp))
116056 clear_slob_page_free(sp);
116057 spin_unlock_irqrestore(&slob_lock, flags);
116058- __ClearPageSlab(sp);
116059- page_mapcount_reset(sp);
116060- slob_free_pages(b, 0);
116061+ slob_free_pages(sp, 0);
116062 return;
116063 }
116064
116065+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116066+ if (pax_sanitize_slab && !(c && (c->flags & SLAB_NO_SANITIZE)))
116067+ memset(block, PAX_MEMORY_SANITIZE_VALUE, size);
116068+#endif
116069+
116070 if (!slob_page_free(sp)) {
116071 /* This slob page is about to become partially free. Easy! */
116072 sp->units = units;
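Review bot: The `CONFIG_PAX_MEMORY_SANITIZE` memset in slob_free() sits after the whole-page branch, which calls `slob_free_pages(sp, 0)` and returns, so a block whose release empties the page is handed back without being wiped here. If page-level sanitization elsewhere in the patch covers that case, a comment saying so would make the gap look deliberate. Otherwise the `#ifdef CONFIG_PAX_MEMORY_SANITIZE` block should move ahead of that branch. It is also worth noting in a comment that `c == NULL` (the kfree() and kmem_rcu_free() callers) means "always sanitize when the mode is not off". The start of the whole-page `if` and the lock acquisition are outside this hunk.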
116073@@ -424,11 +432,10 @@ out:
116074 */
116075
116076 static __always_inline void *
116077-__do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116078+__do_kmalloc_node_align(size_t size, gfp_t gfp, int node, unsigned long caller, int align)
116079 {
116080- unsigned int *m;
116081- int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116082- void *ret;
116083+ slob_t *m;
116084+ void *ret = NULL;
116085
116086 gfp &= gfp_allowed_mask;
116087
116088@@ -442,27 +449,45 @@ __do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116089
116090 if (!m)
116091 return NULL;
116092- *m = size;
116093+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
116094+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
116095+ m[0].units = size;
116096+ m[1].units = align;
116097 ret = (void *)m + align;
116098
116099 trace_kmalloc_node(caller, ret,
116100 size, size + align, gfp, node);
116101 } else {
116102 unsigned int order = get_order(size);
116103+ struct page *page;
116104
116105 if (likely(order))
116106 gfp |= __GFP_COMP;
116107- ret = slob_new_pages(gfp, order, node);
116108+ page = slob_new_pages(gfp, order, node);
116109+ if (page) {
116110+ ret = page_address(page);
116111+ page->private = size;
116112+ }
116113
116114 trace_kmalloc_node(caller, ret,
116115 size, PAGE_SIZE << order, gfp, node);
116116 }
116117
116118- kmemleak_alloc(ret, size, 1, gfp);
116119 return ret;
116120 }
116121
116122-void *__kmalloc(size_t size, gfp_t gfp)
116123+static __always_inline void *
116124+__do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116125+{
116126+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116127+ void *ret = __do_kmalloc_node_align(size, gfp, node, caller, align);
116128+
116129+ if (!ZERO_OR_NULL_PTR(ret))
116130+ kmemleak_alloc(ret, size, 1, gfp);
116131+ return ret;
116132+}
116133+
116134+void * __size_overflow(1) __kmalloc(size_t size, gfp_t gfp)
116135 {
116136 return __do_kmalloc_node(size, gfp, NUMA_NO_NODE, _RET_IP_);
116137 }
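Review bot: The new `__do_kmalloc_node()` computes the header size with `max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN)`, while kfree() and ksize() in the same file keep `max_t(size_t, ...)` for the same value. All three must agree, since kfree() and ksize() step back by `align` to find the header written here, so the expression should be spelled one way: `int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);`. A comment at `m[0].units = size; m[1].units = align;` describing the two-slot header (requested size, then alignment) would also help, because the SLOB check_heap_object() added later in the patch reads both slots.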
116138@@ -491,34 +516,123 @@ void kfree(const void *block)
116139 return;
116140 kmemleak_free(block);
116141
116142+ VM_BUG_ON(!virt_addr_valid(block));
116143 sp = virt_to_page(block);
116144- if (PageSlab(sp)) {
116145+ VM_BUG_ON(!PageSlab(sp));
116146+ if (!sp->private) {
116147 int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116148- unsigned int *m = (unsigned int *)(block - align);
116149- slob_free(m, *m + align);
116150- } else
116151+ slob_t *m = (slob_t *)(block - align);
116152+ slob_free(NULL, m, m[0].units + align);
116153+ } else {
116154+ __ClearPageSlab(sp);
116155+ page_mapcount_reset(sp);
116156+ sp->private = 0;
116157 __free_pages(sp, compound_order(sp));
116158+ }
116159 }
116160 EXPORT_SYMBOL(kfree);
116161
116162+bool is_usercopy_object(const void *ptr)
116163+{
116164+ if (!slab_is_available())
116165+ return false;
116166+
116167+ if (is_vmalloc_addr(ptr)
116168+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
116169+ && !object_starts_on_stack(ptr)
116170+#endif
116171+ ) {
116172+ struct vm_struct *vm = find_vm_area(ptr);
116173+ if (vm && (vm->flags & VM_USERCOPY))
116174+ return true;
116175+ return false;
116176+ }
116177+
116178+ // PAX: TODO
116179+
116180+ return false;
116181+}
116182+
116183+#ifdef CONFIG_PAX_USERCOPY
116184+const char *check_heap_object(const void *ptr, unsigned long n)
116185+{
116186+ struct page *page;
116187+ const slob_t *free;
116188+ const void *base;
116189+ unsigned long flags;
116190+
116191+ if (ZERO_OR_NULL_PTR(ptr))
116192+ return "<null>";
116193+
116194+ if (!virt_addr_valid(ptr))
116195+ return NULL;
116196+
116197+ page = virt_to_head_page(ptr);
116198+ if (!PageSlab(page))
116199+ return NULL;
116200+
116201+ if (page->private) {
116202+ base = page;
116203+ if (base <= ptr && n <= page->private - (ptr - base))
116204+ return NULL;
116205+ return "<slob>";
116206+ }
116207+
116208+ /* some tricky double walking to find the chunk */
116209+ spin_lock_irqsave(&slob_lock, flags);
116210+ base = (void *)((unsigned long)ptr & PAGE_MASK);
116211+ free = page->freelist;
116212+
116213+ while (!slob_last(free) && (void *)free <= ptr) {
116214+ base = free + slob_units(free);
116215+ free = slob_next(free);
116216+ }
116217+
116218+ while (base < (void *)free) {
116219+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
116220+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
116221+ int offset;
116222+
116223+ if (ptr < base + align)
116224+ break;
116225+
116226+ offset = ptr - base - align;
116227+ if (offset >= m) {
116228+ base += size;
116229+ continue;
116230+ }
116231+
116232+ if (n > m - offset)
116233+ break;
116234+
116235+ spin_unlock_irqrestore(&slob_lock, flags);
116236+ return NULL;
116237+ }
116238+
116239+ spin_unlock_irqrestore(&slob_lock, flags);
116240+ return "<slob>";
116241+}
116242+#endif
116243+
116244 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
116245 size_t ksize(const void *block)
116246 {
116247 struct page *sp;
116248 int align;
116249- unsigned int *m;
116250+ slob_t *m;
116251
116252 BUG_ON(!block);
116253 if (unlikely(block == ZERO_SIZE_PTR))
116254 return 0;
116255
116256 sp = virt_to_page(block);
116257- if (unlikely(!PageSlab(sp)))
116258- return PAGE_SIZE << compound_order(sp);
116259+ VM_BUG_ON(!PageSlab(sp));
116260+ if (sp->private)
116261+ return sp->private;
116262
116263 align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116264- m = (unsigned int *)(block - align);
116265- return SLOB_UNITS(*m) * SLOB_UNIT;
116266+ m = (slob_t *)(block - align);
116267+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
116268 }
116269 EXPORT_SYMBOL(ksize);
116270
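Review bot: In the `page->private` branch of the SLOB check_heap_object(), `base = page;` stores the address of the `struct page` descriptor rather than the address of the memory it describes. The following `base <= ptr` and `page->private - (ptr - base)` then measure the distance from the descriptor, not the offset into the allocation, so the bound check does not relate `n` to the object's real extent. Nothing in the hunk suggests this is intended; the line should probably be `base = page_address(page);`. Separately, the SLOB is_usercopy_object() in this hunk ends in `// PAX: TODO` and returns false for every slab object, which deserves a proper comment stating that usercopy whitelisting is not implemented for SLOB.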
116271@@ -534,23 +648,33 @@ int __kmem_cache_create(struct kmem_cache *c, unsigned long flags)
116272
116273 static void *slob_alloc_node(struct kmem_cache *c, gfp_t flags, int node)
116274 {
116275- void *b;
116276+ void *b = NULL;
116277
116278 flags &= gfp_allowed_mask;
116279
116280 lockdep_trace_alloc(flags);
116281
116282+#ifdef CONFIG_PAX_USERCOPY_SLABS
116283+ b = __do_kmalloc_node_align(c->size, flags, node, _RET_IP_, c->align);
116284+#else
116285 if (c->size < PAGE_SIZE) {
116286 b = slob_alloc(c->size, flags, c->align, node);
116287 trace_kmem_cache_alloc_node(_RET_IP_, b, c->object_size,
116288 SLOB_UNITS(c->size) * SLOB_UNIT,
116289 flags, node);
116290 } else {
116291- b = slob_new_pages(flags, get_order(c->size), node);
116292+ struct page *sp;
116293+
116294+ sp = slob_new_pages(flags, get_order(c->size), node);
116295+ if (sp) {
116296+ b = page_address(sp);
116297+ sp->private = c->size;
116298+ }
116299 trace_kmem_cache_alloc_node(_RET_IP_, b, c->object_size,
116300 PAGE_SIZE << get_order(c->size),
116301 flags, node);
116302 }
116303+#endif
116304
116305 if (b && c->ctor)
116306 c->ctor(b);
116307@@ -566,7 +690,7 @@ void *kmem_cache_alloc(struct kmem_cache *cachep, gfp_t flags)
116308 EXPORT_SYMBOL(kmem_cache_alloc);
116309
116310 #ifdef CONFIG_NUMA
116311-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
116312+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t gfp, int node)
116313 {
116314 return __do_kmalloc_node(size, gfp, node, _RET_IP_);
116315 }
116316@@ -579,12 +703,16 @@ void *kmem_cache_alloc_node(struct kmem_cache *cachep, gfp_t gfp, int node)
116317 EXPORT_SYMBOL(kmem_cache_alloc_node);
116318 #endif
116319
116320-static void __kmem_cache_free(void *b, int size)
116321+static void __kmem_cache_free(struct kmem_cache *c, void *b, int size)
116322 {
116323- if (size < PAGE_SIZE)
116324- slob_free(b, size);
116325+ struct page *sp;
116326+
116327+ sp = virt_to_page(b);
116328+ BUG_ON(!PageSlab(sp));
116329+ if (!sp->private)
116330+ slob_free(c, b, size);
116331 else
116332- slob_free_pages(b, get_order(size));
116333+ slob_free_pages(sp, get_order(size));
116334 }
116335
116336 static void kmem_rcu_free(struct rcu_head *head)
116337@@ -592,22 +720,36 @@ static void kmem_rcu_free(struct rcu_head *head)
116338 struct slob_rcu *slob_rcu = (struct slob_rcu *)head;
116339 void *b = (void *)slob_rcu - (slob_rcu->size - sizeof(struct slob_rcu));
116340
116341- __kmem_cache_free(b, slob_rcu->size);
116342+ __kmem_cache_free(NULL, b, slob_rcu->size);
116343 }
116344
116345 void kmem_cache_free(struct kmem_cache *c, void *b)
116346 {
116347+ int size = c->size;
116348+
116349+#ifdef CONFIG_PAX_USERCOPY_SLABS
116350+ if (size + c->align < PAGE_SIZE) {
116351+ size += c->align;
116352+ b -= c->align;
116353+ }
116354+#endif
116355+
116356 kmemleak_free_recursive(b, c->flags);
116357 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
116358 struct slob_rcu *slob_rcu;
116359- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
116360- slob_rcu->size = c->size;
116361+ slob_rcu = b + (size - sizeof(struct slob_rcu));
116362+ slob_rcu->size = size;
116363 call_rcu(&slob_rcu->head, kmem_rcu_free);
116364 } else {
116365- __kmem_cache_free(b, c->size);
116366+ __kmem_cache_free(c, b, size);
116367 }
116368
116369+#ifdef CONFIG_PAX_USERCOPY_SLABS
116370+ trace_kfree(_RET_IP_, b);
116371+#else
116372 trace_kmem_cache_free(_RET_IP_, b);
116373+#endif
116374+
116375 }
116376 EXPORT_SYMBOL(kmem_cache_free);
116377
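Review bot: Under `CONFIG_PAX_USERCOPY_SLABS`, kmem_cache_free() subtracts `c->align` from `b` before calling `kmemleak_free_recursive(b, c->flags)`, so kmemleak is given the header address rather than the object pointer. If the allocation side registers the pointer returned to the caller (slob_alloc_node()'s tail is outside the visible hunks), the lookup will not match and the object stays tracked. Moving `kmemleak_free_recursive(b, c->flags);` above the `#ifdef CONFIG_PAX_USERCOPY_SLABS` block avoids that. The same adjusted `b` is passed to `trace_kfree()`, which also looks unintended. A comment that `size + c->align < PAGE_SIZE` must mirror the small-object test in `__do_kmalloc_node_align()` would guard against the two drifting apart.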
116378diff --git a/mm/slub.c b/mm/slub.c
116379index f68c0e5..eb77178 100644
116380--- a/mm/slub.c
116381+++ b/mm/slub.c
116382@@ -34,6 +34,7 @@
116383 #include <linux/stacktrace.h>
116384 #include <linux/prefetch.h>
116385 #include <linux/memcontrol.h>
116386+#include <linux/vmalloc.h>
116387
116388 #include <trace/events/kmem.h>
116389
116390@@ -198,7 +199,7 @@ struct track {
116391
116392 enum track_item { TRACK_ALLOC, TRACK_FREE };
116393
116394-#ifdef CONFIG_SYSFS
116395+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116396 static int sysfs_slab_add(struct kmem_cache *);
116397 static int sysfs_slab_alias(struct kmem_cache *, const char *);
116398 static void memcg_propagate_slab_attrs(struct kmem_cache *s);
116399@@ -556,7 +557,7 @@ static void print_track(const char *s, struct track *t)
116400 if (!t->addr)
116401 return;
116402
116403- pr_err("INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
116404+ pr_err("INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
116405 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
116406 #ifdef CONFIG_STACKTRACE
116407 {
116408@@ -2707,6 +2708,14 @@ static __always_inline void slab_free(struct kmem_cache *s,
116409
116410 slab_free_hook(s, x);
116411
116412+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116413+ if (!(s->flags & SLAB_NO_SANITIZE)) {
116414+ memset(x, PAX_MEMORY_SANITIZE_VALUE, s->object_size);
116415+ if (s->ctor)
116416+ s->ctor(x);
116417+ }
116418+#endif
116419+
116420 redo:
116421 /*
116422 * Determine the currently cpus per cpu slab.
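Review bot: The sanitize block added to slab_free() calls `s->ctor(x)` right after the memset, with no comment explaining why a constructor runs on the free path. A reader needs to know that the wipe destroys the constructed state which later allocations from this cache expect to find. Something like `/* wipe on free; re-run ctor so the next allocation still sees a constructed object */` would do, with the premise confirmed by the author. It would also help to say that only `s->object_size` bytes are filled, so padding and metadata after the object are left alone. slab_free() continues outside the hunk.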
116423@@ -3048,6 +3057,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
116424 s->inuse = size;
116425
116426 if (((flags & (SLAB_DESTROY_BY_RCU | SLAB_POISON)) ||
116427+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116428+ (!(flags & SLAB_NO_SANITIZE)) ||
116429+#endif
116430 s->ctor)) {
116431 /*
116432 * Relocate free pointer after the object if it is not
116433@@ -3302,7 +3314,7 @@ static int __init setup_slub_min_objects(char *str)
116434
116435 __setup("slub_min_objects=", setup_slub_min_objects);
116436
116437-void *__kmalloc(size_t size, gfp_t flags)
116438+void * __size_overflow(1) __kmalloc(size_t size, gfp_t flags)
116439 {
116440 struct kmem_cache *s;
116441 void *ret;
116442@@ -3340,7 +3352,7 @@ static void *kmalloc_large_node(size_t size, gfp_t flags, int node)
116443 return ptr;
116444 }
116445
116446-void *__kmalloc_node(size_t size, gfp_t flags, int node)
116447+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
116448 {
116449 struct kmem_cache *s;
116450 void *ret;
116451@@ -3388,6 +3400,70 @@ static size_t __ksize(const void *object)
116452 return slab_ksize(page->slab_cache);
116453 }
116454
116455+bool is_usercopy_object(const void *ptr)
116456+{
116457+ struct page *page;
116458+ struct kmem_cache *s;
116459+
116460+ if (ZERO_OR_NULL_PTR(ptr))
116461+ return false;
116462+
116463+ if (!slab_is_available())
116464+ return false;
116465+
116466+ if (is_vmalloc_addr(ptr)
116467+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
116468+ && !object_starts_on_stack(ptr)
116469+#endif
116470+ ) {
116471+ struct vm_struct *vm = find_vm_area(ptr);
116472+ if (vm && (vm->flags & VM_USERCOPY))
116473+ return true;
116474+ return false;
116475+ }
116476+
116477+ if (!virt_addr_valid(ptr))
116478+ return false;
116479+
116480+ page = virt_to_head_page(ptr);
116481+
116482+ if (!PageSlab(page))
116483+ return false;
116484+
116485+ s = page->slab_cache;
116486+ return s->flags & SLAB_USERCOPY;
116487+}
116488+
116489+#ifdef CONFIG_PAX_USERCOPY
116490+const char *check_heap_object(const void *ptr, unsigned long n)
116491+{
116492+ struct page *page;
116493+ struct kmem_cache *s;
116494+ unsigned long offset;
116495+
116496+ if (ZERO_OR_NULL_PTR(ptr))
116497+ return "<null>";
116498+
116499+ if (!virt_addr_valid(ptr))
116500+ return NULL;
116501+
116502+ page = virt_to_head_page(ptr);
116503+
116504+ if (!PageSlab(page))
116505+ return NULL;
116506+
116507+ s = page->slab_cache;
116508+ if (!(s->flags & SLAB_USERCOPY))
116509+ return s->name;
116510+
116511+ offset = (ptr - page_address(page)) % s->size;
116512+ if (offset <= s->object_size && n <= s->object_size - offset)
116513+ return NULL;
116514+
116515+ return s->name;
116516+}
116517+#endif
116518+
116519 size_t ksize(const void *object)
116520 {
116521 size_t size = __ksize(object);
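Review bot: The vmalloc part of is_usercopy_object() here is a verbatim copy of the one added to mm/slab.c and mm/slob.c in this patch, and the copies have already drifted: the SLOB version lacks the `ZERO_OR_NULL_PTR(ptr)` guard that this one and the SLAB one have. Since this predicate decides which objects may be copied to or from user space, it should exist once. Moving the `find_vm_area()`/`VM_USERCOPY` test into a shared helper and calling it from each allocator would keep them in step; the helper name below is only a suggestion. The final `return s->flags & SLAB_USERCOPY;` would also read more clearly as `return !!(s->flags & SLAB_USERCOPY);`, matching usercopy_show() further down.

```c
/* shared by all three allocators, e.g. in mm/slab.h */
static inline bool vmalloc_usercopy_allowed(const void *ptr)
{
	struct vm_struct *vm = find_vm_area(ptr);

	return vm && (vm->flags & VM_USERCOPY);
}

bool is_usercopy_object(const void *ptr)
{
	/* … unchanged: ZERO_OR_NULL_PTR and slab_is_available checks … */
	if (is_vmalloc_addr(ptr)
#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
	    && !object_starts_on_stack(ptr)
#endif
	   )
		return vmalloc_usercopy_allowed(ptr);
	/* … unchanged: slab page lookup and SLAB_USERCOPY test … */
```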
116522@@ -3408,6 +3484,7 @@ void kfree(const void *x)
116523 if (unlikely(ZERO_OR_NULL_PTR(x)))
116524 return;
116525
116526+ VM_BUG_ON(!virt_addr_valid(x));
116527 page = virt_to_head_page(x);
116528 if (unlikely(!PageSlab(page))) {
116529 BUG_ON(!PageCompound(page));
116530@@ -3725,7 +3802,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
116531
116532 s = find_mergeable(size, align, flags, name, ctor);
116533 if (s) {
116534- s->refcount++;
116535+ atomic_inc(&s->refcount);
116536
116537 /*
116538 * Adjust the object sizes so that we clear
116539@@ -3741,7 +3818,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
116540 }
116541
116542 if (sysfs_slab_alias(s, name)) {
116543- s->refcount--;
116544+ atomic_dec(&s->refcount);
116545 s = NULL;
116546 }
116547 }
116548@@ -3858,7 +3935,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags,
116549 }
116550 #endif
116551
116552-#ifdef CONFIG_SYSFS
116553+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116554 static int count_inuse(struct page *page)
116555 {
116556 return page->inuse;
116557@@ -4139,7 +4216,11 @@ static int list_locations(struct kmem_cache *s, char *buf,
116558 len += sprintf(buf + len, "%7ld ", l->count);
116559
116560 if (l->addr)
116561+#ifdef CONFIG_GRKERNSEC_HIDESYM
116562+ len += sprintf(buf + len, "%pS", NULL);
116563+#else
116564 len += sprintf(buf + len, "%pS", (void *)l->addr);
116565+#endif
116566 else
116567 len += sprintf(buf + len, "<not-available>");
116568
116569@@ -4237,12 +4318,12 @@ static void __init resiliency_test(void)
116570 validate_slab_cache(kmalloc_caches[9]);
116571 }
116572 #else
116573-#ifdef CONFIG_SYSFS
116574+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116575 static void resiliency_test(void) {};
116576 #endif
116577 #endif
116578
116579-#ifdef CONFIG_SYSFS
116580+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116581 enum slab_stat_type {
116582 SL_ALL, /* All slabs */
116583 SL_PARTIAL, /* Only partially allocated slabs */
116584@@ -4479,13 +4560,17 @@ static ssize_t ctor_show(struct kmem_cache *s, char *buf)
116585 {
116586 if (!s->ctor)
116587 return 0;
116588+#ifdef CONFIG_GRKERNSEC_HIDESYM
116589+ return sprintf(buf, "%pS\n", NULL);
116590+#else
116591 return sprintf(buf, "%pS\n", s->ctor);
116592+#endif
116593 }
116594 SLAB_ATTR_RO(ctor);
116595
116596 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
116597 {
116598- return sprintf(buf, "%d\n", s->refcount < 0 ? 0 : s->refcount - 1);
116599+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) < 0 ? 0 : atomic_read(&s->refcount) - 1);
116600 }
116601 SLAB_ATTR_RO(aliases);
116602
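Review bot: aliases_show() now calls `atomic_read(&s->refcount)` twice in one expression, once for the sign test and once for the value printed. The two reads can observe different values if the count changes in between, so the output may not match the test that selected it. Reading once fixes that: `int refs = atomic_read(&s->refcount);` followed by `return sprintf(buf, "%d\n", refs < 0 ? 0 : refs - 1);`.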
116603@@ -4573,6 +4658,22 @@ static ssize_t cache_dma_show(struct kmem_cache *s, char *buf)
116604 SLAB_ATTR_RO(cache_dma);
116605 #endif
116606
116607+#ifdef CONFIG_PAX_USERCOPY_SLABS
116608+static ssize_t usercopy_show(struct kmem_cache *s, char *buf)
116609+{
116610+ return sprintf(buf, "%d\n", !!(s->flags & SLAB_USERCOPY));
116611+}
116612+SLAB_ATTR_RO(usercopy);
116613+#endif
116614+
116615+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116616+static ssize_t sanitize_show(struct kmem_cache *s, char *buf)
116617+{
116618+ return sprintf(buf, "%d\n", !(s->flags & SLAB_NO_SANITIZE));
116619+}
116620+SLAB_ATTR_RO(sanitize);
116621+#endif
116622+
116623 static ssize_t destroy_by_rcu_show(struct kmem_cache *s, char *buf)
116624 {
116625 return sprintf(buf, "%d\n", !!(s->flags & SLAB_DESTROY_BY_RCU));
116626@@ -4628,7 +4729,7 @@ static ssize_t trace_store(struct kmem_cache *s, const char *buf,
116627 * as well as cause other issues like converting a mergeable
116628 * cache into an umergeable one.
116629 */
116630- if (s->refcount > 1)
116631+ if (atomic_read(&s->refcount) > 1)
116632 return -EINVAL;
116633
116634 s->flags &= ~SLAB_TRACE;
116635@@ -4748,7 +4849,7 @@ static ssize_t failslab_show(struct kmem_cache *s, char *buf)
116636 static ssize_t failslab_store(struct kmem_cache *s, const char *buf,
116637 size_t length)
116638 {
116639- if (s->refcount > 1)
116640+ if (atomic_read(&s->refcount) > 1)
116641 return -EINVAL;
116642
116643 s->flags &= ~SLAB_FAILSLAB;
116644@@ -4915,6 +5016,12 @@ static struct attribute *slab_attrs[] = {
116645 #ifdef CONFIG_ZONE_DMA
116646 &cache_dma_attr.attr,
116647 #endif
116648+#ifdef CONFIG_PAX_USERCOPY_SLABS
116649+ &usercopy_attr.attr,
116650+#endif
116651+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116652+ &sanitize_attr.attr,
116653+#endif
116654 #ifdef CONFIG_NUMA
116655 &remote_node_defrag_ratio_attr.attr,
116656 #endif
116657@@ -5156,6 +5263,7 @@ static char *create_unique_id(struct kmem_cache *s)
116658 return name;
116659 }
116660
116661+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116662 static int sysfs_slab_add(struct kmem_cache *s)
116663 {
116664 int err;
116665@@ -5229,6 +5337,7 @@ void sysfs_slab_remove(struct kmem_cache *s)
116666 kobject_del(&s->kobj);
116667 kobject_put(&s->kobj);
116668 }
116669+#endif
116670
116671 /*
116672 * Need to buffer aliases during bootup until sysfs becomes
116673@@ -5242,6 +5351,7 @@ struct saved_alias {
116674
116675 static struct saved_alias *alias_list;
116676
116677+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116678 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
116679 {
116680 struct saved_alias *al;
116681@@ -5264,6 +5374,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
116682 alias_list = al;
116683 return 0;
116684 }
116685+#endif
116686
116687 static int __init slab_sysfs_init(void)
116688 {
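diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c
index 4cba9c2..b4f9fcc 100644
--- a/mm/sparse-vmemmap.c
+++ b/mm/sparse-vmemmap.c
@@ -131,7 +131,7 @@ pud_t * __meminit vmemmap_pud_populate(pgd_t *pgd, unsigned long addr, int node)
 void *p = vmemmap_alloc_block(PAGE_SIZE, node);
 if (!p)
 return NULL;
- pud_populate(&init_mm, pud, p);
+ pud_populate_kernel(&init_mm, pud, p);
 }
 return pud;
 }
@@ -143,7 +143,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node)
 void *p = vmemmap_alloc_block(PAGE_SIZE, node);
 if (!p)
 return NULL;
- pgd_populate(&init_mm, pgd, p);
+ pgd_populate_kernel(&init_mm, pgd, p);
 }
 return pgd;
 }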
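diff --git a/mm/sparse.c b/mm/sparse.c
index d1b48b6..6e8590e 100644
--- a/mm/sparse.c
+++ b/mm/sparse.c
@@ -750,7 +750,7 @@ static void clear_hwpoisoned_pages(struct page *memmap, int nr_pages)

 for (i = 0; i < PAGES_PER_SECTION; i++) {
 if (PageHWPoison(&memmap[i])) {
- atomic_long_sub(1, &num_poisoned_pages);
+ atomic_long_sub_unchecked(1, &num_poisoned_pages);
 ClearPageHWPoison(&memmap[i]);
 }
 }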
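diff --git a/mm/swap.c b/mm/swap.c
index a3a0a2f..915d436 100644
--- a/mm/swap.c
+++ b/mm/swap.c
@@ -85,6 +85,8 @@ static void __put_compound_page(struct page *page)
 if (!PageHuge(page))
 __page_cache_release(page);
 dtor = get_compound_page_dtor(page);
+ if (!PageHuge(page))
+ BUG_ON(dtor != free_compound_page);
 (*dtor)(page);
 }
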
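Review bot: The added destructor check in `__put_compound_page` repeats the `!PageHuge(page)` test that already guards `__page_cache_release()` two lines earlier, and it carries no comment saying what it protects. It reads more clearly as one statement with its rationale above it, e.g. `/* non-hugetlb compound pages must use the default destructor */` followed by `BUG_ON(!PageHuge(page) && dtor != free_compound_page);`. Because `BUG_ON` stops the kernel, the comment should also say that a mismatch is presumably treated as a corrupted function pointer and is deliberately not recoverable.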
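diff --git a/mm/swapfile.c b/mm/swapfile.c
index 41e4581..6c452c9 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -84,7 +84,7 @@ static DEFINE_MUTEX(swapon_mutex);

 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
 /* Activity counter to indicate that a swapon or swapoff has occurred */
-static atomic_t proc_poll_event = ATOMIC_INIT(0);
+static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);

 static inline unsigned char swap_count(unsigned char ent)
 {
@@ -1944,7 +1944,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
 spin_unlock(&swap_lock);

 err = 0;
- atomic_inc(&proc_poll_event);
+ atomic_inc_unchecked(&proc_poll_event);
 wake_up_interruptible(&proc_poll_wait);

 out_dput:
@@ -1961,8 +1961,8 @@ static unsigned swaps_poll(struct file *file, poll_table *wait)

 poll_wait(file, &proc_poll_wait, wait);

- if (seq->poll_event != atomic_read(&proc_poll_event)) {
- seq->poll_event = atomic_read(&proc_poll_event);
+ if (seq->poll_event != atomic_read_unchecked(&proc_poll_event)) {
+ seq->poll_event = atomic_read_unchecked(&proc_poll_event);
 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
 }

@@ -2060,7 +2060,7 @@ static int swaps_open(struct inode *inode, struct file *file)
 return ret;

 seq = file->private_data;
- seq->poll_event = atomic_read(&proc_poll_event);
+ seq->poll_event = atomic_read_unchecked(&proc_poll_event);
 return 0;
 }

@@ -2520,7 +2520,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
 (frontswap_map) ? "FS" : "");

 mutex_unlock(&swapon_mutex);
- atomic_inc(&proc_poll_event);
+ atomic_inc_unchecked(&proc_poll_event);
 wake_up_interruptible(&proc_poll_wait);

 if (S_ISREG(inode->i_mode))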
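Review bot: The declaration of `proc_poll_event` becomes `atomic_unchecked_t`, but the comment above it still says only that it is an activity counter and gives no reason for leaving overflow checking off. Since the choice between `atomic_t` and the `_unchecked` variant is the security-relevant part of this change, the reason belongs next to the declaration, e.g. `/* Event counter, not a reference count: wraparound is harmless, so it is left unchecked */`. That also tells the reader why the `swapon`, `swapoff`, `swaps_poll` and `swaps_open` hunks switch to the `_unchecked` accessors.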
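diff --git a/mm/util.c b/mm/util.c
index 68ff8a5..40c7a70 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -233,6 +233,12 @@ struct task_struct *task_of_stack(struct task_struct *task,
 void arch_pick_mmap_layout(struct mm_struct *mm)
 {
 mm->mmap_base = TASK_UNMAPPED_BASE;
+
+#ifdef CONFIG_PAX_RANDMMAP
+ if (mm->pax_flags & MF_PAX_RANDMMAP)
+ mm->mmap_base += mm->delta_mmap;
+#endif
+
 mm->get_unmapped_area = arch_get_unmapped_area;
 }
 #endif
@@ -434,6 +440,9 @@ int get_cmdline(struct task_struct *task, char *buffer, int buflen)
 if (!mm->arg_end)
 goto out_mm; /* Shh! No looking before we're done */

+ if (gr_acl_handle_procpidmem(task))
+ goto out_mm;
+
 len = mm->arg_end - mm->arg_start;

 if (len > buflen)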
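Review bot: In the `get_cmdline` hunk a denial from the new `gr_acl_handle_procpidmem(task)` check jumps to `out_mm`, the same exit the `!mm->arg_end` case above it uses, so a caller cannot tell a policy denial from a command line that is not set up yet. Nothing in the code says this is intended. A short comment would settle it, e.g. `/* denied by the grsecurity ACL check: report no cmdline rather than an error */`. The body of `get_cmdline` and the `out_mm` label are outside the hunk, so the value actually returned on denial should be confirmed there.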
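diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 2faaa29..14881ba 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -40,20 +40,65 @@ struct vfree_deferred {
 struct work_struct wq;
 };
 static DEFINE_PER_CPU(struct vfree_deferred, vfree_deferred);
+static DEFINE_PER_CPU(struct vfree_deferred, vunmap_deferred);
+
+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
+struct stack_deferred_llist {
+ struct llist_head list;
+ void *stack;
+ void *lowmem_stack;
+};
+
+struct stack_deferred {
+ struct stack_deferred_llist list;
+ struct work_struct wq;
+};
+
+static DEFINE_PER_CPU(struct stack_deferred, stack_deferred);
+#endif

 static void __vunmap(const void *, int);

-static void free_work(struct work_struct *w)
+static void vfree_work(struct work_struct *w)
 {
 struct vfree_deferred *p = container_of(w, struct vfree_deferred, wq);
 struct llist_node *llnode = llist_del_all(&p->list);
 while (llnode) {
- void *p = llnode;
+ void *x = llnode;
 llnode = llist_next(llnode);
- __vunmap(p, 1);
+ __vunmap(x, 1);
 }
 }

+static void vunmap_work(struct work_struct *w)
+{
+ struct vfree_deferred *p = container_of(w, struct vfree_deferred, wq);
+ struct llist_node *llnode = llist_del_all(&p->list);
+ while (llnode) {
+ void *x = llnode;
+ llnode = llist_next(llnode);
+ __vunmap(x, 0);
+ }
+}
+
+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
+static void unmap_work(struct work_struct *w)
+{
+ struct stack_deferred *p = container_of(w, struct stack_deferred, wq);
+ struct llist_node *llnode = llist_del_all(&p->list.list);
+ while (llnode) {
+ struct stack_deferred_llist *x =
+ llist_entry((struct llist_head *)llnode,
+ struct stack_deferred_llist, list);
+ void *stack = ACCESS_ONCE(x->stack);
+ void *lowmem_stack = ACCESS_ONCE(x->lowmem_stack);
+ llnode = llist_next(llnode);
+ __vunmap(stack, 0);
+ free_kmem_pages((unsigned long)lowmem_stack, THREAD_SIZE_ORDER);
+ }
+}
+#endif
+
 /*** Page table manipulation functions ***/

 static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -62,8 +107,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)

 pte = pte_offset_kernel(pmd, addr);
 do {
- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
+ BUG_ON(!pte_exec(*pte));
+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
+ continue;
+ }
+#endif
+
+ {
+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
+ }
 } while (pte++, addr += PAGE_SIZE, addr != end);
 }

@@ -130,10 +186,18 @@ static int vmap_pte_range(pmd_t *pmd, unsigned long addr,
 do {
 struct page *page = pages[*nr];

- if (WARN_ON(!pte_none(*pte)))
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
+ if (pgprot_val(prot) & _PAGE_NX)
+#endif
+
+ if (!pte_none(*pte)) {
+ WARN_ON(1);
 return -EBUSY;
- if (WARN_ON(!page))
+ }
+ if (!page) {
+ WARN_ON(1);
 return -ENOMEM;
+ }
 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
 (*nr)++;
 } while (pte++, addr += PAGE_SIZE, addr != end);
@@ -146,7 +210,7 @@ static int vmap_pmd_range(pud_t *pud, unsigned long addr,
 pmd_t *pmd;
 unsigned long next;

- pmd = pmd_alloc(&init_mm, pud, addr);
+ pmd = pmd_alloc_kernel(&init_mm, pud, addr);
 if (!pmd)
 return -ENOMEM;
 do {
@@ -163,7 +227,7 @@ static int vmap_pud_range(pgd_t *pgd, unsigned long addr,
 pud_t *pud;
 unsigned long next;

- pud = pud_alloc(&init_mm, pgd, addr);
+ pud = pud_alloc_kernel(&init_mm, pgd, addr);
 if (!pud)
 return -ENOMEM;
 do {
@@ -223,6 +287,12 @@ int is_vmalloc_or_module_addr(const void *x)
 if (addr >= MODULES_VADDR && addr < MODULES_END)
 return 1;
 #endif
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
+ return 1;
+#endif
+
 return is_vmalloc_addr(x);
 }

@@ -243,8 +313,14 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)

 if (!pgd_none(*pgd)) {
 pud_t *pud = pud_offset(pgd, addr);
+#ifdef CONFIG_X86
+ if (!pud_large(*pud))
+#endif
 if (!pud_none(*pud)) {
 pmd_t *pmd = pmd_offset(pud, addr);
+#ifdef CONFIG_X86
+ if (!pmd_large(*pmd))
+#endif
 if (!pmd_none(*pmd)) {
 pte_t *ptep, pte;

@@ -346,7 +422,7 @@ static void purge_vmap_area_lazy(void);
 * Allocate a region of KVA of the specified size and alignment, within the
 * vstart and vend.
 */
-static struct vmap_area *alloc_vmap_area(unsigned long size,
+static struct vmap_area * __size_overflow(1) alloc_vmap_area(unsigned long size,
 unsigned long align,
 unsigned long vstart, unsigned long vend,
 int node, gfp_t gfp_mask)
@@ -1202,13 +1278,27 @@ void __init vmalloc_init(void)
 for_each_possible_cpu(i) {
 struct vmap_block_queue *vbq;
 struct vfree_deferred *p;
+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
+ struct stack_deferred *p2;
+#endif

 vbq = &per_cpu(vmap_block_queue, i);
 spin_lock_init(&vbq->lock);
 INIT_LIST_HEAD(&vbq->free);
+
 p = &per_cpu(vfree_deferred, i);
 init_llist_head(&p->list);
- INIT_WORK(&p->wq, free_work);
+ INIT_WORK(&p->wq, vfree_work);
+
+ p = &per_cpu(vunmap_deferred, i);
+ init_llist_head(&p->list);
+ INIT_WORK(&p->wq, vunmap_work);
+
+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
+ p2 = &per_cpu(stack_deferred, i);
+ init_llist_head(&p2->list.list);
+ INIT_WORK(&p2->wq, unmap_work);
+#endif
 }

 /* Import existing vmlist entries. */
@@ -1333,6 +1423,16 @@ static struct vm_struct *__get_vm_area_node(unsigned long size,
 struct vm_struct *area;

 BUG_ON(in_interrupt());
+
+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
+ if (flags & VM_KERNEXEC) {
+ if (start != VMALLOC_START || end != VMALLOC_END)
+ return NULL;
+ start = (unsigned long)MODULES_EXEC_VADDR;
+ end = (unsigned long)MODULES_EXEC_END;
+ }
+#endif
+
 if (flags & VM_IOREMAP)
 align = 1ul << clamp_t(int, fls_long(size),
 PAGE_SHIFT, IOREMAP_MAX_ORDER);
@@ -1531,13 +1631,36 @@ EXPORT_SYMBOL(vfree);
 */
 void vunmap(const void *addr)
 {
- BUG_ON(in_interrupt());
- might_sleep();
- if (addr)
+ if (!addr)
+ return;
+ if (unlikely(in_interrupt())) {
+ struct vfree_deferred *p = this_cpu_ptr(&vunmap_deferred);
+ if (llist_add((struct llist_node *)addr, &p->list))
+ schedule_work(&p->wq);
+ } else {
+ might_sleep();
 __vunmap(addr, 0);
+ }
 }
 EXPORT_SYMBOL(vunmap);

+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
+void unmap_process_stacks(struct task_struct *task)
+{
+ if (unlikely(in_interrupt())) {
+ struct stack_deferred *p = this_cpu_ptr(&stack_deferred);
+ struct stack_deferred_llist *list = task->stack;
+ list->stack = task->stack;
+ list->lowmem_stack = task->lowmem_stack;
+ if (llist_add((struct llist_node *)&list->list, &p->list.list))
+ schedule_work(&p->wq);
+ } else {
+ __vunmap(task->stack, 0);
+ free_kmem_pages((unsigned long)task->lowmem_stack, THREAD_SIZE_ORDER);
+ }
+}
+#endif
+
 /**
 * vmap - map an array of pages into virtually contiguous space
 * @pages: array of page pointers
@@ -1558,6 +1681,11 @@ void *vmap(struct page **pages, unsigned int count,
 if (count > totalram_pages)
 return NULL;

+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
+ if (!(pgprot_val(prot) & _PAGE_NX))
+ flags |= VM_KERNEXEC;
+#endif
+
 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
 __builtin_return_address(0));
 if (!area)
@@ -1662,6 +1790,14 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
 goto fail;

+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
+ if (!(pgprot_val(prot) & _PAGE_NX)) {
+ vm_flags |= VM_KERNEXEC;
+ start = VMALLOC_START;
+ end = VMALLOC_END;
+ }
+#endif
+
 area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNINITIALIZED |
 vm_flags, start, end, node, gfp_mask, caller);
 if (!area)
@@ -1715,6 +1851,14 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
 gfp_mask, prot, 0, node, caller);
 }

+void *vmalloc_usercopy(unsigned long size)
+{
+ return __vmalloc_node_range(size, 1, VMALLOC_START, VMALLOC_END,
+ GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
+ VM_USERCOPY, NUMA_NO_NODE,
+ __builtin_return_address(0));
+}
+
 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
 {
 return __vmalloc_node(size, 1, gfp_mask, prot, NUMA_NO_NODE,
@@ -1838,10 +1982,9 @@ EXPORT_SYMBOL(vzalloc_node);
 * For tight control over page level allocator and protection flags
 * use __vmalloc() instead.
 */
-
 void *vmalloc_exec(unsigned long size)
 {
- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
 NUMA_NO_NODE, __builtin_return_address(0));
 }

@@ -2148,6 +2291,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
 {
 struct vm_struct *area;

+ BUG_ON(vma->vm_mirror);
+
 size = PAGE_ALIGN(size);

 if (!PAGE_ALIGNED(uaddr) || !PAGE_ALIGNED(kaddr))
@@ -2630,7 +2775,11 @@ static int s_show(struct seq_file *m, void *p)
 v->addr, v->addr + v->size, v->size);

 if (v->caller)
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ seq_printf(m, " %pK", v->caller);
+#else
 seq_printf(m, " %pS", v->caller);
+#endif

 if (v->nr_pages)
 seq_printf(m, " pages=%d", v->nr_pages);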
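Review bot: The new interrupt-context path in `vunmap()` queues the request by casting `addr` to `struct llist_node *`, so `llist_add()` writes a link pointer into the first bytes of the mapping and the `const` on the parameter is discarded. `vunmap_work()` later calls `__vunmap(x, 0)`, which presumably leaves the underlying pages allocated, so data the caller still keeps in them would be overwritten, and a read-only mapping would fault on the store. If the deferral is kept, the kernel-doc above `vunmap()` should state the contract, e.g. `In interrupt context the first sizeof(struct llist_node) bytes of the mapping are overwritten; the mapping must be writable.` `unmap_process_stacks()` stores its node in the stack being released in the same way and also casts between `struct llist_head` and `struct llist_node`, an assumption about matching layout that deserves a comment at the cast.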
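diff --git a/mm/vmstat.c b/mm/vmstat.c
index 4f5cd97..9fb715a 100644
--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -27,6 +27,7 @@
 #include <linux/mm_inline.h>
 #include <linux/page_ext.h>
 #include <linux/page_owner.h>
+#include <linux/grsecurity.h>

 #include "internal.h"

@@ -86,7 +87,7 @@ void vm_events_fold_cpu(int cpu)
 *
 * vm_stat contains the global counters
 */
-atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
+atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
 EXPORT_SYMBOL(vm_stat);

 #ifdef CONFIG_SMP
@@ -438,7 +439,7 @@ static int fold_diff(int *diff)

 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
 if (diff[i]) {
- atomic_long_add(diff[i], &vm_stat[i]);
+ atomic_long_add_unchecked(diff[i], &vm_stat[i]);
 changes++;
 }
 return changes;
@@ -476,7 +477,7 @@ static int refresh_cpu_vm_stats(void)
 v = this_cpu_xchg(p->vm_stat_diff[i], 0);
 if (v) {

- atomic_long_add(v, &zone->vm_stat[i]);
+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
 global_diff[i] += v;
 #ifdef CONFIG_NUMA
 /* 3 seconds idle till flush */
@@ -540,7 +541,7 @@ void cpu_vm_stats_fold(int cpu)

 v = p->vm_stat_diff[i];
 p->vm_stat_diff[i] = 0;
- atomic_long_add(v, &zone->vm_stat[i]);
+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
 global_diff[i] += v;
 }
 }
@@ -560,8 +561,8 @@ void drain_zonestat(struct zone *zone, struct per_cpu_pageset *pset)
 if (pset->vm_stat_diff[i]) {
 int v = pset->vm_stat_diff[i];
 pset->vm_stat_diff[i] = 0;
- atomic_long_add(v, &zone->vm_stat[i]);
- atomic_long_add(v, &vm_stat[i]);
+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
+ atomic_long_add_unchecked(v, &vm_stat[i]);
 }
 }
 #endif
@@ -1293,10 +1294,22 @@ static void *vmstat_start(struct seq_file *m, loff_t *pos)
 stat_items_size += sizeof(struct vm_event_state);
 #endif

- v = kmalloc(stat_items_size, GFP_KERNEL);
+ v = kzalloc(stat_items_size, GFP_KERNEL);
 m->private = v;
 if (!v)
 return ERR_PTR(-ENOMEM);
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ && !in_group_p(grsec_proc_gid)
+#endif
+ )
+ return (unsigned long *)m->private + *pos;
+#endif
+#endif
+
 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
 v[i] = global_page_state(i);
 v += NR_VM_ZONE_STAT_ITEMS;
@@ -1528,10 +1541,16 @@ static int __init setup_vmstat(void)
 cpu_notifier_register_done();
 #endif
 #ifdef CONFIG_PROC_FS
- proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
- proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
- proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
+ {
+ mode_t gr_mode = S_IRUGO;
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+ gr_mode = S_IRUSR;
+#endif
+ proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
+ proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
+ proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
+ proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
+ }
 #endif
 return 0;
 }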
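Review bot: In `vmstat_start` the new early return for unprivileged readers hands back a pointer into the buffer that `kzalloc()` has just zero-filled, so `/proc/vmstat` stays world-readable (`S_IRUGO` in `setup_vmstat`) but reports zeros. Nothing in the code says so, and the condition is split across three nested `#if` levels. A comment before the block would make the intent reviewable, e.g. `/* readers that are neither root nor in grsec_proc_gid get the zeroed buffer, not live counters */`. In `setup_vmstat`, `gr_mode` is declared `mode_t`, where `umode_t` is the type `proc_create()` takes. `vmstat_start` begins outside the hunk, so whether `*pos` is bounds-checked before the new return should be confirmed there.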
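diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index d2cd9de..501c186 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -491,7 +491,7 @@ out:
 return NOTIFY_DONE;
 }

-static struct notifier_block vlan_notifier_block __read_mostly = {
+static struct notifier_block vlan_notifier_block = {
 .notifier_call = vlan_device_event,
 };

@@ -566,8 +566,7 @@ static int vlan_ioctl_handler(struct net *net, void __user *arg)
 err = -EPERM;
 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 break;
- if ((args.u.name_type >= 0) &&
- (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
+ if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
 struct vlan_net *vn;

 vn = net_generic(net, vlan_net_id);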
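Review bot: Dropping the `args.u.name_type >= 0` test in `vlan_ioctl_handler` leaves only the upper bound, which is a complete range check only while `name_type` is an unsigned field, and its declaration is not in this hunk. `args` is presumably filled from the `__user` pointer the handler receives (the copy is outside the hunk), so this comparison is the validation of a caller-controlled value. A one-line comment should pin the assumption: `/* name_type is unsigned, so the upper bound is the only check needed */`. If the field is ever made signed, the lower bound has to come back.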
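diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
index c92b52f..006c052 100644
--- a/net/8021q/vlan_netlink.c
+++ b/net/8021q/vlan_netlink.c
@@ -245,7 +245,7 @@ static struct net *vlan_get_link_net(const struct net_device *dev)
 return dev_net(real_dev);
 }

-struct rtnl_link_ops vlan_link_ops __read_mostly = {
+struct rtnl_link_ops vlan_link_ops = {
 .kind = "vlan",
 .maxtype = IFLA_VLAN_MAX,
 .policy = vlan_policy,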
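diff --git a/net/9p/mod.c b/net/9p/mod.c
index 6ab36ae..6f1841b 100644
--- a/net/9p/mod.c
+++ b/net/9p/mod.c
@@ -84,7 +84,7 @@ static LIST_HEAD(v9fs_trans_list);
 void v9fs_register_trans(struct p9_trans_module *m)
 {
 spin_lock(&v9fs_trans_lock);
- list_add_tail(&m->list, &v9fs_trans_list);
+ pax_list_add_tail((struct list_head *)&m->list, &v9fs_trans_list);
 spin_unlock(&v9fs_trans_lock);
 }
 EXPORT_SYMBOL(v9fs_register_trans);
@@ -97,7 +97,7 @@ EXPORT_SYMBOL(v9fs_register_trans);
 void v9fs_unregister_trans(struct p9_trans_module *m)
 {
 spin_lock(&v9fs_trans_lock);
- list_del_init(&m->list);
+ pax_list_del_init((struct list_head *)&m->list);
 spin_unlock(&v9fs_trans_lock);
 }
 EXPORT_SYMBOL(v9fs_unregister_trans);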
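Review bot: Both `pax_list_add_tail()` in `v9fs_register_trans` and `pax_list_del_init()` in `v9fs_unregister_trans` are passed `(struct list_head *)&m->list`, an explicit cast on a member that the replaced lines passed without one. Presumably the cast strips a `const` that comes from constifying `struct p9_trans_module`, but as written it would also silence the compiler if `list` ever changed type. A comment at the first call would record the reason, e.g. `/* m is constified; cast away const for the list update */`, to be confirmed against the structure's declaration, which is not in this hunk.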
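diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index bced8c0..ef253b7 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -428,7 +428,7 @@ static int p9_fd_write(struct p9_client *client, void *v, int len)
 oldfs = get_fs();
 set_fs(get_ds());
 /* The cast to a user pointer is valid due to the set_fs() */
- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
+ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
 set_fs(oldfs);

 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)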
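diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
index af46bc4..f9adfcd 100644
--- a/net/appletalk/atalk_proc.c
+++ b/net/appletalk/atalk_proc.c
@@ -256,7 +256,7 @@ int __init atalk_proc_init(void)
 struct proc_dir_entry *p;
 int rc = -ENOMEM;

- atalk_proc_dir = proc_mkdir("atalk", init_net.proc_net);
+ atalk_proc_dir = proc_mkdir_restrict("atalk", init_net.proc_net);
 if (!atalk_proc_dir)
 goto out;
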
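diff --git a/net/atm/atm_misc.c b/net/atm/atm_misc.c
index 876fbe8..8bbea9f 100644
--- a/net/atm/atm_misc.c
+++ b/net/atm/atm_misc.c
@@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int truesize)
 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
 return 1;
 atm_return(vcc, truesize);
- atomic_inc(&vcc->stats->rx_drop);
+ atomic_inc_unchecked(&vcc->stats->rx_drop);
 return 0;
 }
 EXPORT_SYMBOL(atm_charge);
@@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct atm_vcc *vcc, int pdu_size,
 }
 }
 atm_return(vcc, guess);
- atomic_inc(&vcc->stats->rx_drop);
+ atomic_inc_unchecked(&vcc->stats->rx_drop);
 return NULL;
 }
 EXPORT_SYMBOL(atm_alloc_charge);
@@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);

 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
 {
-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
 __SONET_ITEMS
 #undef __HANDLE_ITEM
 }
@@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);

 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
 {
-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
 __SONET_ITEMS
 #undef __HANDLE_ITEM
 }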
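Review bot: In `sonet_subtract_stats` the replacement macro is written `atomic_sub_unchecked(to->i,&from->i)` with no space after the comma, while the line it replaces and the matching macro in net/atm/resources.c both have one. The same slip appears in the `add_stats` hunk of net/atm/proc.c (`atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err)` and the line after it). Kernel style wants `atomic_sub_unchecked(to->i, &from->i)` here and a space after each comma in that `seq_printf` argument list.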
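diff --git a/net/atm/lec.c b/net/atm/lec.c
index cd3b379..977a3c9 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -111,9 +111,9 @@ static inline void lec_arp_put(struct lec_arp_table *entry)
 }

 static struct lane2_ops lane2_ops = {
- lane2_resolve, /* resolve, spec 3.1.3 */
- lane2_associate_req, /* associate_req, spec 3.1.4 */
- NULL /* associate indicator, spec 3.1.5 */
+ .resolve = lane2_resolve,
+ .associate_req = lane2_associate_req,
+ .associate_indicator = NULL
 };

 static unsigned char bus_mac[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };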
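Review bot: Converting `lane2_ops` to designated initializers drops the `spec 3.1.3`, `3.1.4` and `3.1.5` references that the positional form carried in its comments. The field names replace only the first half of each comment, so the spec pointer should be kept, e.g. `.resolve = lane2_resolve, /* spec 3.1.3 */`. The explicit `.associate_indicator = NULL` can keep its `/* spec 3.1.5 */` note too, and a trailing comma there would let later additions leave this line untouched.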
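diff --git a/net/atm/lec.h b/net/atm/lec.h
index 4149db1..f2ab682 100644
--- a/net/atm/lec.h
+++ b/net/atm/lec.h
@@ -48,7 +48,7 @@ struct lane2_ops {
 const u8 *tlvs, u32 sizeoftlvs);
 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
 const u8 *tlvs, u32 sizeoftlvs);
-};
+} __no_const;

 /*
 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType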
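diff --git a/net/atm/mpoa_caches.c b/net/atm/mpoa_caches.c
index d1b2d9a..d549f7f 100644
--- a/net/atm/mpoa_caches.c
+++ b/net/atm/mpoa_caches.c
@@ -535,30 +535,30 @@ static void eg_destroy_cache(struct mpoa_client *mpc)


 static struct in_cache_ops ingress_ops = {
- in_cache_add_entry, /* add_entry */
- in_cache_get, /* get */
- in_cache_get_with_mask, /* get_with_mask */
- in_cache_get_by_vcc, /* get_by_vcc */
- in_cache_put, /* put */
- in_cache_remove_entry, /* remove_entry */
- cache_hit, /* cache_hit */
- clear_count_and_expired, /* clear_count */
- check_resolving_entries, /* check_resolving */
- refresh_entries, /* refresh */
- in_destroy_cache /* destroy_cache */
+ .add_entry = in_cache_add_entry,
+ .get = in_cache_get,
+ .get_with_mask = in_cache_get_with_mask,
+ .get_by_vcc = in_cache_get_by_vcc,
+ .put = in_cache_put,
+ .remove_entry = in_cache_remove_entry,
+ .cache_hit = cache_hit,
+ .clear_count = clear_count_and_expired,
+ .check_resolving = check_resolving_entries,
+ .refresh = refresh_entries,
+ .destroy_cache = in_destroy_cache
 };

 static struct eg_cache_ops egress_ops = {
- eg_cache_add_entry, /* add_entry */
- eg_cache_get_by_cache_id, /* get_by_cache_id */
- eg_cache_get_by_tag, /* get_by_tag */
- eg_cache_get_by_vcc, /* get_by_vcc */
- eg_cache_get_by_src_ip, /* get_by_src_ip */
- eg_cache_put, /* put */
- eg_cache_remove_entry, /* remove_entry */
- update_eg_cache_entry, /* update */
- clear_expired, /* clear_expired */
- eg_destroy_cache /* destroy_cache */
+ .add_entry = eg_cache_add_entry,
+ .get_by_cache_id = eg_cache_get_by_cache_id,
+ .get_by_tag = eg_cache_get_by_tag,
+ .get_by_vcc = eg_cache_get_by_vcc,
+ .get_by_src_ip = eg_cache_get_by_src_ip,
+ .put = eg_cache_put,
+ .remove_entry = eg_cache_remove_entry,
+ .update = update_eg_cache_entry,
+ .clear_expired = clear_expired,
+ .destroy_cache = eg_destroy_cache
 };

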
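diff --git a/net/atm/proc.c b/net/atm/proc.c
index bbb6461..cf04016 100644
--- a/net/atm/proc.c
+++ b/net/atm/proc.c
@@ -45,9 +45,9 @@ static void add_stats(struct seq_file *seq, const char *aal,
 const struct k_atm_aal_stats *stats)
 {
 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
- atomic_read(&stats->tx), atomic_read(&stats->tx_err),
- atomic_read(&stats->rx), atomic_read(&stats->rx_err),
- atomic_read(&stats->rx_drop));
+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
+ atomic_read_unchecked(&stats->rx_drop));
 }

 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)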
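diff --git a/net/atm/resources.c b/net/atm/resources.c
index 0447d5d..3cf4728 100644
--- a/net/atm/resources.c
+++ b/net/atm/resources.c
@@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
 static void copy_aal_stats(struct k_atm_aal_stats *from,
 struct atm_aal_stats *to)
 {
-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
 __AAL_STAT_ITEMS
 #undef __HANDLE_ITEM
 }
@@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_aal_stats *from,
 static void subtract_aal_stats(struct k_atm_aal_stats *from,
 struct atm_aal_stats *to)
 {
-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
 __AAL_STAT_ITEMS
 #undef __HANDLE_ITEM
 }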
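diff --git a/net/ax25/sysctl_net_ax25.c b/net/ax25/sysctl_net_ax25.c
index 919a5ce..cc6b444 100644
--- a/net/ax25/sysctl_net_ax25.c
+++ b/net/ax25/sysctl_net_ax25.c
@@ -152,7 +152,7 @@ int ax25_register_dev_sysctl(ax25_dev *ax25_dev)
 {
 char path[sizeof("net/ax25/") + IFNAMSIZ];
 int k;
- struct ctl_table *table;
+ ctl_table_no_const *table;

 table = kmemdup(ax25_param_table, sizeof(ax25_param_table), GFP_KERNEL);
 if (!table)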
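diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 753383c..32d12d9 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -343,7 +343,7 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)

 /* randomize initial seqno to avoid collision */
 get_random_bytes(&random_seqno, sizeof(random_seqno));
- atomic_set(&hard_iface->bat_iv.ogm_seqno, random_seqno);
+ atomic_set_unchecked(&hard_iface->bat_iv.ogm_seqno, random_seqno);

 hard_iface->bat_iv.ogm_buff_len = BATADV_OGM_HLEN;
 ogm_buff = kmalloc(hard_iface->bat_iv.ogm_buff_len, GFP_ATOMIC);
@@ -947,9 +947,9 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
 batadv_ogm_packet->tvlv_len = htons(tvlv_len);

 /* change sequence number to network order */
- seqno = (uint32_t)atomic_read(&hard_iface->bat_iv.ogm_seqno);
+ seqno = (uint32_t)atomic_read_unchecked(&hard_iface->bat_iv.ogm_seqno);
 batadv_ogm_packet->seqno = htonl(seqno);
- atomic_inc(&hard_iface->bat_iv.ogm_seqno);
+ atomic_inc_unchecked(&hard_iface->bat_iv.ogm_seqno);

 batadv_iv_ogm_slide_own_bcast_window(hard_iface);

@@ -1626,7 +1626,7 @@ static void batadv_iv_ogm_process(const struct sk_buff *skb, int ogm_offset,
 return;

 /* could be changed by schedule_own_packet() */
- if_incoming_seqno = atomic_read(&if_incoming->bat_iv.ogm_seqno);
+ if_incoming_seqno = atomic_read_unchecked(&if_incoming->bat_iv.ogm_seqno);

 if (ogm_packet->flags & BATADV_DIRECTLINK)
 has_directlink_flag = true;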
117547diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
117548index c0f0d01..725928a 100644
117549--- a/net/batman-adv/fragmentation.c
117550+++ b/net/batman-adv/fragmentation.c
117551@@ -465,7 +465,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
117552 frag_header.packet_type = BATADV_UNICAST_FRAG;
117553 frag_header.version = BATADV_COMPAT_VERSION;
117554 frag_header.ttl = BATADV_TTL;
117555- frag_header.seqno = htons(atomic_inc_return(&bat_priv->frag_seqno));
117556+ frag_header.seqno = htons(atomic_inc_return_unchecked(&bat_priv->frag_seqno));
117557 frag_header.reserved = 0;
117558 frag_header.no = 0;
117559 frag_header.total_size = htons(skb->len);
117560diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
117561index a2fc843..0f8059e 100644
117562--- a/net/batman-adv/soft-interface.c
117563+++ b/net/batman-adv/soft-interface.c
117564@@ -325,7 +325,7 @@ send:
117565 primary_if->net_dev->dev_addr);
117566
117567 /* set broadcast sequence number */
117568- seqno = atomic_inc_return(&bat_priv->bcast_seqno);
117569+ seqno = atomic_inc_return_unchecked(&bat_priv->bcast_seqno);
117570 bcast_packet->seqno = htonl(seqno);
117571
117572 batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay);
117573@@ -793,7 +793,7 @@ static int batadv_softif_init_late(struct net_device *dev)
117574 atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN);
117575
117576 atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
117577- atomic_set(&bat_priv->bcast_seqno, 1);
117578+ atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
117579 atomic_set(&bat_priv->tt.vn, 0);
117580 atomic_set(&bat_priv->tt.local_changes, 0);
117581 atomic_set(&bat_priv->tt.ogm_append_cnt, 0);
117582@@ -807,7 +807,7 @@ static int batadv_softif_init_late(struct net_device *dev)
117583
117584 /* randomize initial seqno to avoid collision */
117585 get_random_bytes(&random_seqno, sizeof(random_seqno));
117586- atomic_set(&bat_priv->frag_seqno, random_seqno);
117587+ atomic_set_unchecked(&bat_priv->frag_seqno, random_seqno);
117588
117589 bat_priv->primary_if = NULL;
117590 bat_priv->num_ifaces = 0;
117591@@ -1015,7 +1015,7 @@ int batadv_softif_is_valid(const struct net_device *net_dev)
117592 return 0;
117593 }
117594
117595-struct rtnl_link_ops batadv_link_ops __read_mostly = {
117596+struct rtnl_link_ops batadv_link_ops = {
117597 .kind = "batadv",
117598 .priv_size = sizeof(struct batadv_priv),
117599 .setup = batadv_softif_init_early,
117600diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
117601index 67d6348..4358755 100644
117602--- a/net/batman-adv/types.h
117603+++ b/net/batman-adv/types.h
117604@@ -81,7 +81,7 @@ enum batadv_dhcp_recipient {
117605 struct batadv_hard_iface_bat_iv {
117606 unsigned char *ogm_buff;
117607 int ogm_buff_len;
117608- atomic_t ogm_seqno;
117609+ atomic_unchecked_t ogm_seqno;
117610 };
117611
117612 /**
117613@@ -783,7 +783,7 @@ struct batadv_priv {
117614 atomic_t bonding;
117615 atomic_t fragmentation;
117616 atomic_t packet_size_max;
117617- atomic_t frag_seqno;
117618+ atomic_unchecked_t frag_seqno;
117619 #ifdef CONFIG_BATMAN_ADV_BLA
117620 atomic_t bridge_loop_avoidance;
117621 #endif
117622@@ -802,7 +802,7 @@ struct batadv_priv {
117623 #endif
117624 uint32_t isolation_mark;
117625 uint32_t isolation_mark_mask;
117626- atomic_t bcast_seqno;
117627+ atomic_unchecked_t bcast_seqno;
117628 atomic_t bcast_queue_left;
117629 atomic_t batman_queue_left;
117630 char num_ifaces;
117631diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
117632index f2d30d1..0573933 100644
117633--- a/net/bluetooth/hci_sock.c
117634+++ b/net/bluetooth/hci_sock.c
117635@@ -1253,7 +1253,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
117636 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
117637 }
117638
117639- len = min_t(unsigned int, len, sizeof(uf));
117640+ len = min((size_t)len, sizeof(uf));
117641 if (copy_from_user(&uf, optval, len)) {
117642 err = -EFAULT;
117643 break;
117644diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
117645index 45fffa4..c5ad848 100644
117646--- a/net/bluetooth/l2cap_core.c
117647+++ b/net/bluetooth/l2cap_core.c
117648@@ -3537,8 +3537,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
117649 break;
117650
117651 case L2CAP_CONF_RFC:
117652- if (olen == sizeof(rfc))
117653- memcpy(&rfc, (void *)val, olen);
117654+ if (olen != sizeof(rfc))
117655+ break;
117656+
117657+ memcpy(&rfc, (void *)val, olen);
117658
117659 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
117660 rfc.mode != chan->mode)
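Review bot: The new early `break` for `olen != sizeof(rfc)` drops a wrong-sized RFC option without any trace, and no comment says why the case must not continue. With the old form the `rfc.mode != chan->mode` test below the copy ran even when nothing had been copied into `rfc`, so it compared whatever `rfc` held before. A short comment such as `/* wrong-sized RFC option: skip it, rfc was not filled in */` records that. Whether a malformed option should instead fail the whole response is worth deciding explicitly; the function's error path and the rest of this case are outside the hunk.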
117661diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
117662index 2442877..24ddcd1 100644
117663--- a/net/bluetooth/l2cap_sock.c
117664+++ b/net/bluetooth/l2cap_sock.c
117665@@ -633,7 +633,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
117666 struct sock *sk = sock->sk;
117667 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
117668 struct l2cap_options opts;
117669- int len, err = 0;
117670+ int err = 0;
117671+ size_t len = optlen;
117672 u32 opt;
117673
117674 BT_DBG("sk %p", sk);
117675@@ -660,7 +661,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
117676 opts.max_tx = chan->max_tx;
117677 opts.txwin_size = chan->tx_win;
117678
117679- len = min_t(unsigned int, sizeof(opts), optlen);
117680+ len = min(sizeof(opts), len);
117681 if (copy_from_user((char *) &opts, optval, len)) {
117682 err = -EFAULT;
117683 break;
117684@@ -747,7 +748,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
117685 struct bt_security sec;
117686 struct bt_power pwr;
117687 struct l2cap_conn *conn;
117688- int len, err = 0;
117689+ int err = 0;
117690+ size_t len = optlen;
117691 u32 opt;
117692
117693 BT_DBG("sk %p", sk);
117694@@ -771,7 +773,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
117695
117696 sec.level = BT_SECURITY_LOW;
117697
117698- len = min_t(unsigned int, sizeof(sec), optlen);
117699+ len = min(sizeof(sec), len);
117700 if (copy_from_user((char *) &sec, optval, len)) {
117701 err = -EFAULT;
117702 break;
117703@@ -867,7 +869,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
117704
117705 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
117706
117707- len = min_t(unsigned int, sizeof(pwr), optlen);
117708+ len = min(sizeof(pwr), len);
117709 if (copy_from_user((char *) &pwr, optval, len)) {
117710 err = -EFAULT;
117711 break;
117712diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
117713index 7511df7..a670df3 100644
117714--- a/net/bluetooth/rfcomm/sock.c
117715+++ b/net/bluetooth/rfcomm/sock.c
117716@@ -690,7 +690,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
117717 struct sock *sk = sock->sk;
117718 struct bt_security sec;
117719 int err = 0;
117720- size_t len;
117721+ size_t len = optlen;
117722 u32 opt;
117723
117724 BT_DBG("sk %p", sk);
117725@@ -712,7 +712,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
117726
117727 sec.level = BT_SECURITY_LOW;
117728
117729- len = min_t(unsigned int, sizeof(sec), optlen);
117730+ len = min(sizeof(sec), len);
117731 if (copy_from_user((char *) &sec, optval, len)) {
117732 err = -EFAULT;
117733 break;
117734diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
117735index 8e385a0..a5bdd8e 100644
117736--- a/net/bluetooth/rfcomm/tty.c
117737+++ b/net/bluetooth/rfcomm/tty.c
117738@@ -752,7 +752,7 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
117739 BT_DBG("tty %p id %d", tty, tty->index);
117740
117741 BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
117742- dev->channel, dev->port.count);
117743+ dev->channel, atomic_read(&dev->port.count));
117744
117745 err = tty_port_open(&dev->port, tty, filp);
117746 if (err)
117747@@ -775,7 +775,7 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
117748 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
117749
117750 BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
117751- dev->port.count);
117752+ atomic_read(&dev->port.count));
117753
117754 tty_port_close(&dev->port, tty, filp);
117755 }
117756diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
117757index 4d74a06..f37f9c2 100644
117758--- a/net/bridge/br_netlink.c
117759+++ b/net/bridge/br_netlink.c
117760@@ -835,7 +835,7 @@ static struct rtnl_af_ops br_af_ops __read_mostly = {
117761 .get_link_af_size = br_get_link_af_size,
117762 };
117763
117764-struct rtnl_link_ops br_link_ops __read_mostly = {
117765+struct rtnl_link_ops br_link_ops = {
117766 .kind = "bridge",
117767 .priv_size = sizeof(struct net_bridge),
117768 .setup = br_dev_setup,
117769diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
117770index 18ca4b2..7e8d731 100644
117771--- a/net/bridge/netfilter/ebtables.c
117772+++ b/net/bridge/netfilter/ebtables.c
117773@@ -1533,7 +1533,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
117774 tmp.valid_hooks = t->table->valid_hooks;
117775 }
117776 mutex_unlock(&ebt_mutex);
117777- if (copy_to_user(user, &tmp, *len) != 0) {
117778+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
117779 BUGPRINT("c2u Didn't work\n");
117780 ret = -EFAULT;
117781 break;
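Review bot: The added `*len > sizeof(tmp)` test reports an oversized length as `-EFAULT`, and in this hunk through the `BUGPRINT("c2u Didn't work\n")` message, which describes a failed copy rather than a bad length. `len` is an `int *` per the hunk header, so a negative value is rejected only because the comparison against `sizeof` happens in an unsigned type; that deserves a comment or an explicit test. Splitting the check keeps the two causes apart: `if (*len < 0 || *len > sizeof(tmp)) { ret = -EINVAL; break; }` ahead of the `copy_to_user()` call. The two `compat_do_ebt_get_ctl()` hunks below carry the same combined condition; the surrounding switch and any earlier length validation are outside these hunks.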
117782@@ -2339,7 +2339,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
117783 goto out;
117784 tmp.valid_hooks = t->valid_hooks;
117785
117786- if (copy_to_user(user, &tmp, *len) != 0) {
117787+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
117788 ret = -EFAULT;
117789 break;
117790 }
117791@@ -2350,7 +2350,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
117792 tmp.entries_size = t->table->entries_size;
117793 tmp.valid_hooks = t->table->valid_hooks;
117794
117795- if (copy_to_user(user, &tmp, *len) != 0) {
117796+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
117797 ret = -EFAULT;
117798 break;
117799 }
117800diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
117801index f5afda1..dcf770a 100644
117802--- a/net/caif/cfctrl.c
117803+++ b/net/caif/cfctrl.c
117804@@ -10,6 +10,7 @@
117805 #include <linux/spinlock.h>
117806 #include <linux/slab.h>
117807 #include <linux/pkt_sched.h>
117808+#include <linux/sched.h>
117809 #include <net/caif/caif_layer.h>
117810 #include <net/caif/cfpkt.h>
117811 #include <net/caif/cfctrl.h>
117812@@ -43,8 +44,8 @@ struct cflayer *cfctrl_create(void)
117813 memset(&dev_info, 0, sizeof(dev_info));
117814 dev_info.id = 0xff;
117815 cfsrvl_init(&this->serv, 0, &dev_info, false);
117816- atomic_set(&this->req_seq_no, 1);
117817- atomic_set(&this->rsp_seq_no, 1);
117818+ atomic_set_unchecked(&this->req_seq_no, 1);
117819+ atomic_set_unchecked(&this->rsp_seq_no, 1);
117820 this->serv.layer.receive = cfctrl_recv;
117821 sprintf(this->serv.layer.name, "ctrl");
117822 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
117823@@ -130,8 +131,8 @@ static void cfctrl_insert_req(struct cfctrl *ctrl,
117824 struct cfctrl_request_info *req)
117825 {
117826 spin_lock_bh(&ctrl->info_list_lock);
117827- atomic_inc(&ctrl->req_seq_no);
117828- req->sequence_no = atomic_read(&ctrl->req_seq_no);
117829+ atomic_inc_unchecked(&ctrl->req_seq_no);
117830+ req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
117831 list_add_tail(&req->list, &ctrl->list);
117832 spin_unlock_bh(&ctrl->info_list_lock);
117833 }
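Review bot: The increment and the read of `req_seq_no` remain two separate atomic operations, and they pair up correctly only because both sit inside `info_list_lock`. `req->sequence_no = atomic_inc_return_unchecked(&ctrl->req_seq_no);` does the same in one step and no longer depends on the lock for that pairing. The `_unchecked` return variant is already used elsewhere in this patch (net/batman-adv/fragmentation.c).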
117834@@ -149,7 +150,7 @@ static struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
117835 if (p != first)
117836 pr_warn("Requests are not received in order\n");
117837
117838- atomic_set(&ctrl->rsp_seq_no,
117839+ atomic_set_unchecked(&ctrl->rsp_seq_no,
117840 p->sequence_no);
117841 list_del(&p->list);
117842 goto out;
117843diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
117844index 67a4a36..8d28068 100644
117845--- a/net/caif/chnl_net.c
117846+++ b/net/caif/chnl_net.c
117847@@ -515,7 +515,7 @@ static const struct nla_policy ipcaif_policy[IFLA_CAIF_MAX + 1] = {
117848 };
117849
117850
117851-static struct rtnl_link_ops ipcaif_link_ops __read_mostly = {
117852+static struct rtnl_link_ops ipcaif_link_ops = {
117853 .kind = "caif",
117854 .priv_size = sizeof(struct chnl_net),
117855 .setup = ipcaif_net_setup,
117856diff --git a/net/can/af_can.c b/net/can/af_can.c
117857index 166d436..2920816 100644
117858--- a/net/can/af_can.c
117859+++ b/net/can/af_can.c
117860@@ -890,7 +890,7 @@ static const struct net_proto_family can_family_ops = {
117861 };
117862
117863 /* notifier block for netdevice event */
117864-static struct notifier_block can_netdev_notifier __read_mostly = {
117865+static struct notifier_block can_netdev_notifier = {
117866 .notifier_call = can_notifier,
117867 };
117868
117869diff --git a/net/can/bcm.c b/net/can/bcm.c
117870index a1ba687..aafaec5 100644
117871--- a/net/can/bcm.c
117872+++ b/net/can/bcm.c
117873@@ -1620,7 +1620,7 @@ static int __init bcm_module_init(void)
117874 }
117875
117876 /* create /proc/net/can-bcm directory */
117877- proc_dir = proc_mkdir("can-bcm", init_net.proc_net);
117878+ proc_dir = proc_mkdir_restrict("can-bcm", init_net.proc_net);
117879 return 0;
117880 }
117881
117882diff --git a/net/can/gw.c b/net/can/gw.c
117883index 4551687..4e82e9b 100644
117884--- a/net/can/gw.c
117885+++ b/net/can/gw.c
117886@@ -80,7 +80,6 @@ MODULE_PARM_DESC(max_hops,
117887 "default: " __stringify(CGW_DEFAULT_HOPS) ")");
117888
117889 static HLIST_HEAD(cgw_list);
117890-static struct notifier_block notifier;
117891
117892 static struct kmem_cache *cgw_cache __read_mostly;
117893
117894@@ -992,6 +991,10 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh)
117895 return err;
117896 }
117897
117898+static struct notifier_block notifier = {
117899+ .notifier_call = cgw_notifier
117900+};
117901+
117902 static __init int cgw_module_init(void)
117903 {
117904 /* sanitize given module parameter */
117905@@ -1007,7 +1010,6 @@ static __init int cgw_module_init(void)
117906 return -ENOMEM;
117907
117908 /* set notifier */
117909- notifier.notifier_call = cgw_notifier;
117910 register_netdevice_notifier(&notifier);
117911
117912 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
117913diff --git a/net/can/proc.c b/net/can/proc.c
117914index 1a19b98..df2b4ec 100644
117915--- a/net/can/proc.c
117916+++ b/net/can/proc.c
117917@@ -514,7 +514,7 @@ static void can_remove_proc_readentry(const char *name)
117918 void can_init_proc(void)
117919 {
117920 /* create /proc/net/can directory */
117921- can_dir = proc_mkdir("can", init_net.proc_net);
117922+ can_dir = proc_mkdir_restrict("can", init_net.proc_net);
117923
117924 if (!can_dir) {
117925 printk(KERN_INFO "can: failed to create /proc/net/can . "
117926diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
117927index e3be1d2..254c555 100644
117928--- a/net/ceph/messenger.c
117929+++ b/net/ceph/messenger.c
117930@@ -189,7 +189,7 @@ static void con_fault(struct ceph_connection *con);
117931 #define MAX_ADDR_STR_LEN 64 /* 54 is enough */
117932
117933 static char addr_str[ADDR_STR_COUNT][MAX_ADDR_STR_LEN];
117934-static atomic_t addr_str_seq = ATOMIC_INIT(0);
117935+static atomic_unchecked_t addr_str_seq = ATOMIC_INIT(0);
117936
117937 static struct page *zero_page; /* used in certain error cases */
117938
117939@@ -200,7 +200,7 @@ const char *ceph_pr_addr(const struct sockaddr_storage *ss)
117940 struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
117941 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
117942
117943- i = atomic_inc_return(&addr_str_seq) & ADDR_STR_COUNT_MASK;
117944+ i = atomic_inc_return_unchecked(&addr_str_seq) & ADDR_STR_COUNT_MASK;
117945 s = addr_str[i];
117946
117947 switch (ss->ss_family) {
117948diff --git a/net/compat.c b/net/compat.c
117949index 5cfd26a..7e43828 100644
117950--- a/net/compat.c
117951+++ b/net/compat.c
117952@@ -98,20 +98,20 @@ int get_compat_msghdr(struct msghdr *kmsg,
117953
117954 #define CMSG_COMPAT_FIRSTHDR(msg) \
117955 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
117956- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
117957+ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
117958 (struct compat_cmsghdr __user *)NULL)
117959
117960 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
117961 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
117962 (ucmlen) <= (unsigned long) \
117963 ((mhdr)->msg_controllen - \
117964- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
117965+ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
117966
117967 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
117968 struct compat_cmsghdr __user *cmsg, int cmsg_len)
117969 {
117970 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
117971- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
117972+ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
117973 msg->msg_controllen)
117974 return NULL;
117975 return (struct compat_cmsghdr __user *)ptr;
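Review bot: The address-space annotations for the same kind of pointer subtraction go in opposite directions in this hunk. `CMSG_COMPAT_OK` forces the user pointer `ucmsg` to kernel space (`char __force_kernel *`) and leaves `msg_control` as a plain `char *`, while `cmsg_compat_nxthdr()` forces `msg->msg_control` to user space (`char __force_user *`) to match `ptr`. These are presumably checker-only annotations, but using one direction in both places, e.g. `((char __user *)(ucmsg) - (char __force_user *)(mhdr)->msg_control)` in the macro, keeps the assumption that `msg_control` holds a user address visible in a single form. A comment on `CMSG_COMPAT_FIRSTHDR` stating that assumption would help as well.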
117976@@ -201,7 +201,7 @@ Efault:
117977
117978 int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
117979 {
117980- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
117981+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
117982 struct compat_cmsghdr cmhdr;
117983 struct compat_timeval ctv;
117984 struct compat_timespec cts[3];
117985@@ -257,7 +257,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
117986
117987 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
117988 {
117989- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
117990+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
117991 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
117992 int fdnum = scm->fp->count;
117993 struct file **fp = scm->fp->fp;
117994@@ -345,7 +345,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
117995 return -EFAULT;
117996 old_fs = get_fs();
117997 set_fs(KERNEL_DS);
117998- err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
117999+ err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
118000 set_fs(old_fs);
118001
118002 return err;
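Review bot: The `__force_user` cast on `&ktime` is only sound between `set_fs(KERNEL_DS)` and `set_fs(old_fs)`, and nothing in the code says so. `ktime` is a kernel object handed to `sock_setsockopt()` as if it were a user pointer. A comment directly above the call, e.g. `/* kernel buffer passed as __user: valid only while KERNEL_DS is set */`, would keep the cast from being copied to a call site without that window. The `do_get_sock_timeout()` hunk below needs the same comment for both `&ktime` and `&len`; the start of this function is outside the hunk.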
118003@@ -406,7 +406,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
118004 len = sizeof(ktime);
118005 old_fs = get_fs();
118006 set_fs(KERNEL_DS);
118007- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
118008+ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
118009 set_fs(old_fs);
118010
118011 if (!err) {
118012@@ -549,7 +549,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
118013 case MCAST_JOIN_GROUP:
118014 case MCAST_LEAVE_GROUP:
118015 {
118016- struct compat_group_req __user *gr32 = (void *)optval;
118017+ struct compat_group_req __user *gr32 = (void __user *)optval;
118018 struct group_req __user *kgr =
118019 compat_alloc_user_space(sizeof(struct group_req));
118020 u32 interface;
118021@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
118022 case MCAST_BLOCK_SOURCE:
118023 case MCAST_UNBLOCK_SOURCE:
118024 {
118025- struct compat_group_source_req __user *gsr32 = (void *)optval;
118026+ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
118027 struct group_source_req __user *kgsr = compat_alloc_user_space(
118028 sizeof(struct group_source_req));
118029 u32 interface;
118030@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
118031 }
118032 case MCAST_MSFILTER:
118033 {
118034- struct compat_group_filter __user *gf32 = (void *)optval;
118035+ struct compat_group_filter __user *gf32 = (void __user *)optval;
118036 struct group_filter __user *kgf;
118037 u32 interface, fmode, numsrc;
118038
118039@@ -629,7 +629,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
118040 char __user *optval, int __user *optlen,
118041 int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
118042 {
118043- struct compat_group_filter __user *gf32 = (void *)optval;
118044+ struct compat_group_filter __user *gf32 = (void __user *)optval;
118045 struct group_filter __user *kgf;
118046 int __user *koptlen;
118047 u32 interface, fmode, numsrc;
118048@@ -773,7 +773,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
118049
118050 if (call < SYS_SOCKET || call > SYS_SENDMMSG)
118051 return -EINVAL;
118052- if (copy_from_user(a, args, nas[call]))
118053+ if (nas[call] > sizeof a || copy_from_user(a, args, nas[call]))
118054 return -EFAULT;
118055 a0 = a[0];
118056 a1 = a[1];
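Review bot: A `nas[call]` larger than `a` would be a defect in the size table rather than a bad user pointer, so folding the new bound into the `copy_from_user()` condition misreports it as `-EFAULT`. A separate test, `if (nas[call] > sizeof(a)) return -EINVAL;`, keeps the two failures distinguishable and uses the parenthesised `sizeof` form found in the rest of this patch. The declarations of `a` and `nas` are outside this hunk, so the element sizes should be confirmed there.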
118057diff --git a/net/core/datagram.c b/net/core/datagram.c
118058index 617088a..0364f4f 100644
118059--- a/net/core/datagram.c
118060+++ b/net/core/datagram.c
118061@@ -338,7 +338,7 @@ int skb_kill_datagram(struct sock *sk, struct sk_buff *skb, unsigned int flags)
118062 }
118063
118064 kfree_skb(skb);
118065- atomic_inc(&sk->sk_drops);
118066+ atomic_inc_unchecked(&sk->sk_drops);
118067 sk_mem_reclaim_partial(sk);
118068
118069 return err;
118070diff --git a/net/core/dev.c b/net/core/dev.c
118071index a8e4dd4..aab06f7 100644
118072--- a/net/core/dev.c
118073+++ b/net/core/dev.c
118074@@ -1721,7 +1721,7 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
118075 {
118076 if (skb_orphan_frags(skb, GFP_ATOMIC) ||
118077 unlikely(!is_skb_forwardable(dev, skb))) {
118078- atomic_long_inc(&dev->rx_dropped);
118079+ atomic_long_inc_unchecked(&dev->rx_dropped);
118080 kfree_skb(skb);
118081 return NET_RX_DROP;
118082 }
118083@@ -3125,7 +3125,7 @@ recursion_alert:
118084 drop:
118085 rcu_read_unlock_bh();
118086
118087- atomic_long_inc(&dev->tx_dropped);
118088+ atomic_long_inc_unchecked(&dev->tx_dropped);
118089 kfree_skb_list(skb);
118090 return rc;
118091 out:
118092@@ -3477,7 +3477,7 @@ drop:
118093
118094 local_irq_restore(flags);
118095
118096- atomic_long_inc(&skb->dev->rx_dropped);
118097+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
118098 kfree_skb(skb);
118099 return NET_RX_DROP;
118100 }
118101@@ -3554,7 +3554,7 @@ int netif_rx_ni(struct sk_buff *skb)
118102 }
118103 EXPORT_SYMBOL(netif_rx_ni);
118104
118105-static void net_tx_action(struct softirq_action *h)
118106+static __latent_entropy void net_tx_action(void)
118107 {
118108 struct softnet_data *sd = this_cpu_ptr(&softnet_data);
118109
118110@@ -3892,7 +3892,7 @@ ncls:
118111 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
118112 } else {
118113 drop:
118114- atomic_long_inc(&skb->dev->rx_dropped);
118115+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
118116 kfree_skb(skb);
118117 /* Jamal, now you will not able to escape explaining
118118 * me how you were going to use this. :-)
118119@@ -4783,7 +4783,7 @@ out_unlock:
118120 return work;
118121 }
118122
118123-static void net_rx_action(struct softirq_action *h)
118124+static __latent_entropy void net_rx_action(void)
118125 {
118126 struct softnet_data *sd = this_cpu_ptr(&softnet_data);
118127 unsigned long time_limit = jiffies + 2;
118128@@ -6843,8 +6843,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
118129 } else {
118130 netdev_stats_to_stats64(storage, &dev->stats);
118131 }
118132- storage->rx_dropped += atomic_long_read(&dev->rx_dropped);
118133- storage->tx_dropped += atomic_long_read(&dev->tx_dropped);
118134+ storage->rx_dropped += atomic_long_read_unchecked(&dev->rx_dropped);
118135+ storage->tx_dropped += atomic_long_read_unchecked(&dev->tx_dropped);
118136 return storage;
118137 }
118138 EXPORT_SYMBOL(dev_get_stats);
118139diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
118140index b94b1d2..da3ed7c 100644
118141--- a/net/core/dev_ioctl.c
118142+++ b/net/core/dev_ioctl.c
118143@@ -368,8 +368,13 @@ void dev_load(struct net *net, const char *name)
118144 no_module = !dev;
118145 if (no_module && capable(CAP_NET_ADMIN))
118146 no_module = request_module("netdev-%s", name);
118147- if (no_module && capable(CAP_SYS_MODULE))
118148+ if (no_module && capable(CAP_SYS_MODULE)) {
118149+#ifdef CONFIG_GRKERNSEC_MODHARDEN
118150+ ___request_module(true, "grsec_modharden_netdev", "%s", name);
118151+#else
118152 request_module("%s", name);
118153+#endif
118154+ }
118155 }
118156 EXPORT_SYMBOL(dev_load);
118157
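Review bot: The `CONFIG_GRKERNSEC_MODHARDEN` branch carries no comment explaining what the `true` flag and the `"grsec_modharden_netdev"` tag mean to the module loader. `name` is supplied by the caller of `dev_load()` and, unlike the `netdev-%s` request two lines above, is passed without a prefix, so this is the path on which a task with `CAP_SYS_MODULE` can request a module by arbitrary name. A comment such as `/* unprefixed name: tag the request so modharden can vet it */` would make the intent reviewable; its wording should be confirmed against the definition of `___request_module()`, which is not on this page.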
118158diff --git a/net/core/filter.c b/net/core/filter.c
118159index be3098f..51ee477 100644
118160--- a/net/core/filter.c
118161+++ b/net/core/filter.c
118162@@ -582,7 +582,11 @@ do_pass:
118163
118164 /* Unknown instruction. */
118165 default:
118166- goto err;
118167+ WARN(1, KERN_ALERT "Unknown sock filter code:%u jt:%u tf:%u k:%u\n",
118168+ fp->code, fp->jt, fp->jf, fp->k);
118169+ kfree(addrs);
118170+ BUG();
118171+ return -EINVAL;
118172 }
118173
118174 insn++;
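Review bot: In the new `default:` arm the message labels the false-branch offset as `tf:` while the argument printed is `fp->jf`, and the `return -EINVAL` after `BUG()` cannot be reached on kernels where `BUG()` does not return. The `kfree(addrs)` just before `BUG()` has no useful effect for the same reason. If an unknown opcode can never arrive here because the filter was validated earlier (that check is outside this hunk), a comment should say so; otherwise keeping the error return and dropping `BUG()` lets a bad filter fail the call instead of stopping the kernel. Corrected label: `"Unknown sock filter code:%u jt:%u jf:%u k:%u\n"`.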
118175@@ -626,7 +630,7 @@ static int check_load_and_stores(const struct sock_filter *filter, int flen)
118176 u16 *masks, memvalid = 0; /* One bit per cell, 16 cells */
118177 int pc, ret = 0;
118178
118179- BUILD_BUG_ON(BPF_MEMWORDS > 16);
118180+ BUILD_BUG_ON(BPF_MEMWORDS != 16);
118181
118182 masks = kmalloc_array(flen, sizeof(*masks), GFP_KERNEL);
118183 if (!masks)
118184@@ -1055,7 +1059,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog)
118185 if (!fp)
118186 return -ENOMEM;
118187
118188- memcpy(fp->insns, fprog->filter, fsize);
118189+ memcpy(fp->insns, (void __force_kernel *)fprog->filter, fsize);
118190
118191 fp->len = fprog->len;
118192 /* Since unattached filters are not copied back to user
118193@@ -1701,9 +1705,13 @@ int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
118194 goto out;
118195
118196 /* We're copying the filter that has been originally attached,
118197- * so no conversion/decode needed anymore.
118198+ * so no conversion/decode needed anymore. eBPF programs that
118199+ * have no original program cannot be dumped through this.
118200 */
118201+ ret = -EACCES;
118202 fprog = filter->prog->orig_prog;
118203+ if (!fprog)
118204+ goto out;
118205
118206 ret = fprog->len;
118207 if (!len)
118208diff --git a/net/core/flow.c b/net/core/flow.c
118209index 1033725..340f65d 100644
118210--- a/net/core/flow.c
118211+++ b/net/core/flow.c
118212@@ -65,7 +65,7 @@ static void flow_cache_new_hashrnd(unsigned long arg)
118213 static int flow_entry_valid(struct flow_cache_entry *fle,
118214 struct netns_xfrm *xfrm)
118215 {
118216- if (atomic_read(&xfrm->flow_cache_genid) != fle->genid)
118217+ if (atomic_read_unchecked(&xfrm->flow_cache_genid) != fle->genid)
118218 return 0;
118219 if (fle->object && !fle->object->ops->check(fle->object))
118220 return 0;
118221@@ -242,7 +242,7 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
118222 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
118223 fcp->hash_count++;
118224 }
118225- } else if (likely(fle->genid == atomic_read(&net->xfrm.flow_cache_genid))) {
118226+ } else if (likely(fle->genid == atomic_read_unchecked(&net->xfrm.flow_cache_genid))) {
118227 flo = fle->object;
118228 if (!flo)
118229 goto ret_object;
118230@@ -263,7 +263,7 @@ nocache:
118231 }
118232 flo = resolver(net, key, family, dir, flo, ctx);
118233 if (fle) {
118234- fle->genid = atomic_read(&net->xfrm.flow_cache_genid);
118235+ fle->genid = atomic_read_unchecked(&net->xfrm.flow_cache_genid);
118236 if (!IS_ERR(flo))
118237 fle->object = flo;
118238 else
118239diff --git a/net/core/neighbour.c b/net/core/neighbour.c
118240index 84195da..035c7a7 100644
118241--- a/net/core/neighbour.c
118242+++ b/net/core/neighbour.c
118243@@ -2821,7 +2821,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
118244 void __user *buffer, size_t *lenp, loff_t *ppos)
118245 {
118246 int size, ret;
118247- struct ctl_table tmp = *ctl;
118248+ ctl_table_no_const tmp = *ctl;
118249
118250 tmp.extra1 = &zero;
118251 tmp.extra2 = &unres_qlen_max;
118252@@ -2883,7 +2883,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
118253 void __user *buffer,
118254 size_t *lenp, loff_t *ppos)
118255 {
118256- struct ctl_table tmp = *ctl;
118257+ ctl_table_no_const tmp = *ctl;
118258 int ret;
118259
118260 tmp.extra1 = &zero;
118261diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c
118262index 2bf8329..2eb1423 100644
118263--- a/net/core/net-procfs.c
118264+++ b/net/core/net-procfs.c
118265@@ -79,7 +79,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev)
118266 struct rtnl_link_stats64 temp;
118267 const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp);
118268
118269- seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
118270+ if (gr_proc_is_restricted())
118271+ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
118272+ "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
118273+ dev->name, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL,
118274+ 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL);
118275+ else
118276+ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
118277 "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
118278 dev->name, stats->rx_bytes, stats->rx_packets,
118279 stats->rx_errors,
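Review bot: The restricted branch repeats the whole format string and spells out sixteen `0ULL` arguments, so the two `seq_printf()` calls have to be kept in step by hand. `temp` is already a local `struct rtnl_link_stats64`; zeroing it and pointing `stats` at it leaves a single call: `if (gr_proc_is_restricted()) { memset(&temp, 0, sizeof(temp)); stats = &temp; }`. As written, `dev_get_stats()` is also still called before the restriction is tested, so the real counters are gathered even when they will be hidden. The `if`/`else` bodies span several lines without braces, and the argument list of the second call continues outside this hunk.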
118280@@ -166,7 +172,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v)
118281 return 0;
118282 }
118283
118284-static const struct seq_operations dev_seq_ops = {
118285+const struct seq_operations dev_seq_ops = {
118286 .start = dev_seq_start,
118287 .next = dev_seq_next,
118288 .stop = dev_seq_stop,
118289@@ -196,7 +202,7 @@ static const struct seq_operations softnet_seq_ops = {
118290
118291 static int softnet_seq_open(struct inode *inode, struct file *file)
118292 {
118293- return seq_open(file, &softnet_seq_ops);
118294+ return seq_open_restrict(file, &softnet_seq_ops);
118295 }
118296
118297 static const struct file_operations softnet_seq_fops = {
118298@@ -283,8 +289,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
118299 else
118300 seq_printf(seq, "%04x", ntohs(pt->type));
118301
118302+#ifdef CONFIG_GRKERNSEC_HIDESYM
118303+ seq_printf(seq, " %-8s %pf\n",
118304+ pt->dev ? pt->dev->name : "", NULL);
118305+#else
118306 seq_printf(seq, " %-8s %pf\n",
118307 pt->dev ? pt->dev->name : "", pt->func);
118308+#endif
118309 }
118310
118311 return 0;
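Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the handler column is produced by passing `NULL` to `%pf`, and no comment states why or what a reader of the proc file will then see. A line such as `/* HIDESYM: do not expose the packet handler's symbol */` above the `#ifdef` would document the intent. The two `seq_printf()` calls differ only in their last argument, so selecting that argument inside the `#ifdef` and keeping one call would avoid duplicating the format string. The start of `ptype_seq_show()` is outside this hunk.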
118312diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
118313index 18b34d7..faecc1d 100644
118314--- a/net/core/net-sysfs.c
118315+++ b/net/core/net-sysfs.c
118316@@ -288,7 +288,7 @@ static ssize_t carrier_changes_show(struct device *dev,
118317 {
118318 struct net_device *netdev = to_net_dev(dev);
118319 return sprintf(buf, fmt_dec,
118320- atomic_read(&netdev->carrier_changes));
118321+ atomic_read_unchecked(&netdev->carrier_changes));
118322 }
118323 static DEVICE_ATTR_RO(carrier_changes);
118324
118325diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
118326index 2c2eb1b..a53be3e 100644
118327--- a/net/core/net_namespace.c
118328+++ b/net/core/net_namespace.c
118329@@ -775,7 +775,7 @@ static int __register_pernet_operations(struct list_head *list,
118330 int error;
118331 LIST_HEAD(net_exit_list);
118332
118333- list_add_tail(&ops->list, list);
118334+ pax_list_add_tail((struct list_head *)&ops->list, list);
118335 if (ops->init || (ops->id && ops->size)) {
118336 for_each_net(net) {
118337 error = ops_init(ops, net);
118338@@ -788,7 +788,7 @@ static int __register_pernet_operations(struct list_head *list,
118339
118340 out_undo:
118341 /* If I have an error cleanup all namespaces I initialized */
118342- list_del(&ops->list);
118343+ pax_list_del((struct list_head *)&ops->list);
118344 ops_exit_list(ops, &net_exit_list);
118345 ops_free_list(ops, &net_exit_list);
118346 return error;
118347@@ -799,7 +799,7 @@ static void __unregister_pernet_operations(struct pernet_operations *ops)
118348 struct net *net;
118349 LIST_HEAD(net_exit_list);
118350
118351- list_del(&ops->list);
118352+ pax_list_del((struct list_head *)&ops->list);
118353 for_each_net(net)
118354 list_add_tail(&net->exit_list, &net_exit_list);
118355 ops_exit_list(ops, &net_exit_list);
118356@@ -933,7 +933,7 @@ int register_pernet_device(struct pernet_operations *ops)
118357 mutex_lock(&net_mutex);
118358 error = register_pernet_operations(&pernet_list, ops);
118359 if (!error && (first_device == &pernet_list))
118360- first_device = &ops->list;
118361+ first_device = (struct list_head *)&ops->list;
118362 mutex_unlock(&net_mutex);
118363 return error;
118364 }
118365diff --git a/net/core/netpoll.c b/net/core/netpoll.c
118366index c126a87..10ad89d 100644
118367--- a/net/core/netpoll.c
118368+++ b/net/core/netpoll.c
118369@@ -377,7 +377,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
118370 struct udphdr *udph;
118371 struct iphdr *iph;
118372 struct ethhdr *eth;
118373- static atomic_t ip_ident;
118374+ static atomic_unchecked_t ip_ident;
118375 struct ipv6hdr *ip6h;
118376
118377 udp_len = len + sizeof(*udph);
118378@@ -448,7 +448,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
118379 put_unaligned(0x45, (unsigned char *)iph);
118380 iph->tos = 0;
118381 put_unaligned(htons(ip_len), &(iph->tot_len));
118382- iph->id = htons(atomic_inc_return(&ip_ident));
118383+ iph->id = htons(atomic_inc_return_unchecked(&ip_ident));
118384 iph->frag_off = 0;
118385 iph->ttl = 64;
118386 iph->protocol = IPPROTO_UDP;
118387diff --git a/net/core/pktgen.c b/net/core/pktgen.c
118388index 1cbd209..9553598 100644
118389--- a/net/core/pktgen.c
118390+++ b/net/core/pktgen.c
118391@@ -3828,7 +3828,7 @@ static int __net_init pg_net_init(struct net *net)
118392 pn->net = net;
118393 INIT_LIST_HEAD(&pn->pktgen_threads);
118394 pn->pktgen_exiting = false;
118395- pn->proc_dir = proc_mkdir(PG_PROC_DIR, pn->net->proc_net);
118396+ pn->proc_dir = proc_mkdir_restrict(PG_PROC_DIR, pn->net->proc_net);
118397 if (!pn->proc_dir) {
118398 pr_warn("cannot create /proc/net/%s\n", PG_PROC_DIR);
118399 return -ENODEV;
118400diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
118401index 0861018..1fd388b 100644
118402--- a/net/core/rtnetlink.c
118403+++ b/net/core/rtnetlink.c
118404@@ -61,7 +61,7 @@ struct rtnl_link {
118405 rtnl_doit_func doit;
118406 rtnl_dumpit_func dumpit;
118407 rtnl_calcit_func calcit;
118408-};
118409+} __no_const;
118410
118411 static DEFINE_MUTEX(rtnl_mutex);
118412
118413@@ -307,10 +307,13 @@ int __rtnl_link_register(struct rtnl_link_ops *ops)
118414 * to use the ops for creating device. So do not
118415 * fill up dellink as well. That disables rtnl_dellink.
118416 */
118417- if (ops->setup && !ops->dellink)
118418- ops->dellink = unregister_netdevice_queue;
118419+ if (ops->setup && !ops->dellink) {
118420+ pax_open_kernel();
118421+ *(void **)&ops->dellink = unregister_netdevice_queue;
118422+ pax_close_kernel();
118423+ }
118424
118425- list_add_tail(&ops->list, &link_ops);
118426+ pax_list_add_tail((struct list_head *)&ops->list, &link_ops);
118427 return 0;
118428 }
118429 EXPORT_SYMBOL_GPL(__rtnl_link_register);
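Review bot: The store `*(void **)&ops->dellink = unregister_netdevice_queue;` goes through a `void **` cast, so the compiler no longer checks that the handler matches the function-pointer type of the `dellink` member. The cast is presumably only there to get past a constified `struct rtnl_link_ops`, and nothing in the code says so. I would add `/* ops is read-only after constification: open a write window for this single store */` above `pax_open_kernel()`. Keeping the open/close pair around exactly one assignment, as done here, is the right shape. __rtnl_link_register() starts outside the hunk.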
118430@@ -357,7 +360,7 @@ void __rtnl_link_unregister(struct rtnl_link_ops *ops)
118431 for_each_net(net) {
118432 __rtnl_kill_links(net, ops);
118433 }
118434- list_del(&ops->list);
118435+ pax_list_del((struct list_head *)&ops->list);
118436 }
118437 EXPORT_SYMBOL_GPL(__rtnl_link_unregister);
118438
118439@@ -1082,7 +1085,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
118440 (dev->ifalias &&
118441 nla_put_string(skb, IFLA_IFALIAS, dev->ifalias)) ||
118442 nla_put_u32(skb, IFLA_CARRIER_CHANGES,
118443- atomic_read(&dev->carrier_changes)))
118444+ atomic_read_unchecked(&dev->carrier_changes)))
118445 goto nla_put_failure;
118446
118447 if (1) {
118448diff --git a/net/core/scm.c b/net/core/scm.c
118449index 3b6899b..cf36238 100644
118450--- a/net/core/scm.c
118451+++ b/net/core/scm.c
118452@@ -209,7 +209,7 @@ EXPORT_SYMBOL(__scm_send);
118453 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
118454 {
118455 struct cmsghdr __user *cm
118456- = (__force struct cmsghdr __user *)msg->msg_control;
118457+ = (struct cmsghdr __force_user *)msg->msg_control;
118458 struct cmsghdr cmhdr;
118459 int cmlen = CMSG_LEN(len);
118460 int err;
118461@@ -232,7 +232,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
118462 err = -EFAULT;
118463 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
118464 goto out;
118465- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
118466+ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
118467 goto out;
118468 cmlen = CMSG_SPACE(len);
118469 if (msg->msg_controllen < cmlen)
118470@@ -248,7 +248,7 @@ EXPORT_SYMBOL(put_cmsg);
118471 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
118472 {
118473 struct cmsghdr __user *cm
118474- = (__force struct cmsghdr __user*)msg->msg_control;
118475+ = (struct cmsghdr __force_user *)msg->msg_control;
118476
118477 int fdmax = 0;
118478 int fdnum = scm->fp->count;
118479@@ -268,7 +268,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
118480 if (fdnum < fdmax)
118481 fdmax = fdnum;
118482
118483- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
118484+ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
118485 i++, cmfptr++)
118486 {
118487 struct socket *sock;
118488diff --git a/net/core/skbuff.c b/net/core/skbuff.c
118489index 7b84330..e0f5a86 100644
118490--- a/net/core/skbuff.c
118491+++ b/net/core/skbuff.c
118492@@ -2103,7 +2103,7 @@ EXPORT_SYMBOL(__skb_checksum);
118493 __wsum skb_checksum(const struct sk_buff *skb, int offset,
118494 int len, __wsum csum)
118495 {
118496- const struct skb_checksum_ops ops = {
118497+ static const struct skb_checksum_ops ops = {
118498 .update = csum_partial_ext,
118499 .combine = csum_block_add_ext,
118500 };
118501@@ -3317,12 +3317,14 @@ void __init skb_init(void)
118502 skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
118503 sizeof(struct sk_buff),
118504 0,
118505- SLAB_HWCACHE_ALIGN|SLAB_PANIC,
118506+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|
118507+ SLAB_NO_SANITIZE,
118508 NULL);
118509 skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache",
118510 sizeof(struct sk_buff_fclones),
118511 0,
118512- SLAB_HWCACHE_ALIGN|SLAB_PANIC,
118513+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|
118514+ SLAB_NO_SANITIZE,
118515 NULL);
118516 }
118517
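Review bot: Both `kmem_cache_create()` calls in skb_init() now pass `SLAB_NO_SANITIZE`, with no comment explaining why these two caches are exempt from sanitization on free. The exemption is presumably a performance trade-off for a very hot allocation path. It also means freed `struct sk_buff` and `struct sk_buff_fclones` objects keep their old contents, and a reader auditing for stale-data exposure needs to know that. A comment above the first call, such as `/* skb heads are deliberately exempt from slab sanitization (hot path) */`, would record the decision.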
118518diff --git a/net/core/sock.c b/net/core/sock.c
118519index 193901d..33094ab 100644
118520--- a/net/core/sock.c
118521+++ b/net/core/sock.c
118522@@ -441,7 +441,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
118523 struct sk_buff_head *list = &sk->sk_receive_queue;
118524
118525 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) {
118526- atomic_inc(&sk->sk_drops);
118527+ atomic_inc_unchecked(&sk->sk_drops);
118528 trace_sock_rcvqueue_full(sk, skb);
118529 return -ENOMEM;
118530 }
118531@@ -451,7 +451,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
118532 return err;
118533
118534 if (!sk_rmem_schedule(sk, skb, skb->truesize)) {
118535- atomic_inc(&sk->sk_drops);
118536+ atomic_inc_unchecked(&sk->sk_drops);
118537 return -ENOBUFS;
118538 }
118539
118540@@ -484,7 +484,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
118541 skb->dev = NULL;
118542
118543 if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
118544- atomic_inc(&sk->sk_drops);
118545+ atomic_inc_unchecked(&sk->sk_drops);
118546 goto discard_and_relse;
118547 }
118548 if (nested)
118549@@ -502,7 +502,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
118550 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
118551 } else if (sk_add_backlog(sk, skb, sk->sk_rcvbuf)) {
118552 bh_unlock_sock(sk);
118553- atomic_inc(&sk->sk_drops);
118554+ atomic_inc_unchecked(&sk->sk_drops);
118555 goto discard_and_relse;
118556 }
118557
118558@@ -908,6 +908,7 @@ set_rcvbuf:
118559 }
118560 break;
118561
118562+#ifndef GRKERNSEC_BPF_HARDEN
118563 case SO_ATTACH_BPF:
118564 ret = -EINVAL;
118565 if (optlen == sizeof(u32)) {
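Review bot: The guard added before `case SO_ATTACH_BPF:` tests `GRKERNSEC_BPF_HARDEN` without the `CONFIG_` prefix. Kconfig symbols are only visible to the preprocessor with that prefix, so the macro is presumably never defined and the case stays compiled in when the hardening option is selected. The net/core/sysctl_net_core.c change in this same patch tests `CONFIG_GRKERNSEC_BPF_HARDEN`, which suggests the intended line is `#ifndef CONFIG_GRKERNSEC_BPF_HARDEN`. The matching `#endif` is in the following hunk, and the enclosing function extends outside both.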
118566@@ -920,7 +921,7 @@ set_rcvbuf:
118567 ret = sk_attach_bpf(ufd, sk);
118568 }
118569 break;
118570-
118571+#endif
118572 case SO_DETACH_FILTER:
118573 ret = sk_detach_filter(sk);
118574 break;
118575@@ -1022,12 +1023,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
118576 struct timeval tm;
118577 } v;
118578
118579- int lv = sizeof(int);
118580- int len;
118581+ unsigned int lv = sizeof(int);
118582+ unsigned int len;
118583
118584 if (get_user(len, optlen))
118585 return -EFAULT;
118586- if (len < 0)
118587+ if (len > INT_MAX)
118588 return -EINVAL;
118589
118590 memset(&v, 0, sizeof(v));
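Review bot: The rewritten check `if (len > INT_MAX)` is only correct because `len` changed from `int` to `unsigned int`, and nothing in the code says it replaces the old negative-length rejection. A one-line comment, `/* optlen is read as unsigned; values above INT_MAX are the former negative lengths */`, would keep a later reader from deleting it as redundant. One thing to confirm: `lv` is now unsigned but is still passed as `&lv` to `sock->ops->getname()` in the `SO_PEERNAME` case shown in the next hunk, which is a pointer-signedness mismatch if that callback takes `int *`. sock_getsockopt()'s body continues outside the hunk.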
118591@@ -1165,11 +1166,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
118592
118593 case SO_PEERNAME:
118594 {
118595- char address[128];
118596+ char address[_K_SS_MAXSIZE];
118597
118598 if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
118599 return -ENOTCONN;
118600- if (lv < len)
118601+ if (lv < len || sizeof address < len)
118602 return -EINVAL;
118603 if (copy_to_user(optval, address, len))
118604 return -EFAULT;
118605@@ -1257,7 +1258,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
118606
118607 if (len > lv)
118608 len = lv;
118609- if (copy_to_user(optval, &v, len))
118610+ if (len > sizeof(v) || copy_to_user(optval, &v, len))
118611 return -EFAULT;
118612 lenout:
118613 if (put_user(len, optlen))
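Review bot: The added `len > sizeof(v)` test shares the `-EFAULT` return with `copy_to_user()`, so a caller cannot tell an oversized length from a bad `optval` pointer. `len` has just been clamped to `lv`, so the test can only fire if some case sets `lv` larger than `v`, assuming no path reaches this point another way. That would be a kernel-side bug, not a user error. `if (WARN_ON_ONCE(len > sizeof(v))) return -EINVAL;` ahead of the copy would surface it instead of hiding it behind a fault code. The two net/decnet/sysctl_net_decnet.c hunks (`len > sizeof addr`, `len > sizeof devname`) appear to use the same pattern.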
118614@@ -1550,7 +1551,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
118615 newsk->sk_err = 0;
118616 newsk->sk_priority = 0;
118617 newsk->sk_incoming_cpu = raw_smp_processor_id();
118618- atomic64_set(&newsk->sk_cookie, 0);
118619+ atomic64_set_unchecked(&newsk->sk_cookie, 0);
118620 /*
118621 * Before updating sk_refcnt, we must commit prior changes to memory
118622 * (Documentation/RCU/rculist_nulls.txt for details)
118623@@ -2359,7 +2360,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
118624 */
118625 smp_wmb();
118626 atomic_set(&sk->sk_refcnt, 1);
118627- atomic_set(&sk->sk_drops, 0);
118628+ atomic_set_unchecked(&sk->sk_drops, 0);
118629 }
118630 EXPORT_SYMBOL(sock_init_data);
118631
118632@@ -2487,6 +2488,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
118633 int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
118634 int level, int type)
118635 {
118636+ struct sock_extended_err ee;
118637 struct sock_exterr_skb *serr;
118638 struct sk_buff *skb;
118639 int copied, err;
118640@@ -2508,7 +2510,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
118641 sock_recv_timestamp(msg, sk, skb);
118642
118643 serr = SKB_EXT_ERR(skb);
118644- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee);
118645+ ee = serr->ee;
118646+ put_cmsg(msg, level, type, sizeof ee, &ee);
118647
118648 msg->msg_flags |= MSG_ERRQUEUE;
118649 err = copied;
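Review bot: The bounce copy `ee = serr->ee;` before `put_cmsg()` has no comment saying why the structure is first copied to the stack, so it looks like a redundant copy that a later cleanup would remove. Presumably the aim is for the `copy_to_user()` inside `put_cmsg()` to read from a stack object and not from the skb's control area, which a hardened usercopy check would refuse. That reasoning is inferred, not shown on the page. I would add `/* copy to the stack first: put_cmsg() must not copy_to_user() directly from the skb */` above the assignment. The declaration of `ee` is in the previous hunk and the function body extends outside both.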
118650diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
118651index 817622f..2577b26 100644
118652--- a/net/core/sock_diag.c
118653+++ b/net/core/sock_diag.c
118654@@ -12,7 +12,7 @@
118655 #include <linux/inet_diag.h>
118656 #include <linux/sock_diag.h>
118657
118658-static const struct sock_diag_handler *sock_diag_handlers[AF_MAX];
118659+static const struct sock_diag_handler *sock_diag_handlers[AF_MAX] __read_only;
118660 static int (*inet_rcv_compat)(struct sk_buff *skb, struct nlmsghdr *nlh);
118661 static DEFINE_MUTEX(sock_diag_table_mutex);
118662 static struct workqueue_struct *broadcast_wq;
118663@@ -20,12 +20,12 @@ static struct workqueue_struct *broadcast_wq;
118664 static u64 sock_gen_cookie(struct sock *sk)
118665 {
118666 while (1) {
118667- u64 res = atomic64_read(&sk->sk_cookie);
118668+ u64 res = atomic64_read_unchecked(&sk->sk_cookie);
118669
118670 if (res)
118671 return res;
118672- res = atomic64_inc_return(&sock_net(sk)->cookie_gen);
118673- atomic64_cmpxchg(&sk->sk_cookie, 0, res);
118674+ res = atomic64_inc_return_unchecked(&sock_net(sk)->cookie_gen);
118675+ atomic64_cmpxchg_unchecked(&sk->sk_cookie, 0, res);
118676 }
118677 }
118678
118679@@ -190,8 +190,11 @@ int sock_diag_register(const struct sock_diag_handler *hndl)
118680 mutex_lock(&sock_diag_table_mutex);
118681 if (sock_diag_handlers[hndl->family])
118682 err = -EBUSY;
118683- else
118684+ else {
118685+ pax_open_kernel();
118686 sock_diag_handlers[hndl->family] = hndl;
118687+ pax_close_kernel();
118688+ }
118689 mutex_unlock(&sock_diag_table_mutex);
118690
118691 return err;
118692@@ -207,7 +210,9 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld)
118693
118694 mutex_lock(&sock_diag_table_mutex);
118695 BUG_ON(sock_diag_handlers[family] != hnld);
118696+ pax_open_kernel();
118697 sock_diag_handlers[family] = NULL;
118698+ pax_close_kernel();
118699 mutex_unlock(&sock_diag_table_mutex);
118700 }
118701 EXPORT_SYMBOL_GPL(sock_diag_unregister);
118702diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
118703index 95b6139..3048623 100644
118704--- a/net/core/sysctl_net_core.c
118705+++ b/net/core/sysctl_net_core.c
118706@@ -35,7 +35,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
118707 {
118708 unsigned int orig_size, size;
118709 int ret, i;
118710- struct ctl_table tmp = {
118711+ ctl_table_no_const tmp = {
118712 .data = &size,
118713 .maxlen = sizeof(size),
118714 .mode = table->mode
118715@@ -203,7 +203,7 @@ static int set_default_qdisc(struct ctl_table *table, int write,
118716 void __user *buffer, size_t *lenp, loff_t *ppos)
118717 {
118718 char id[IFNAMSIZ];
118719- struct ctl_table tbl = {
118720+ ctl_table_no_const tbl = {
118721 .data = id,
118722 .maxlen = IFNAMSIZ,
118723 };
118724@@ -221,7 +221,7 @@ static int set_default_qdisc(struct ctl_table *table, int write,
118725 static int proc_do_rss_key(struct ctl_table *table, int write,
118726 void __user *buffer, size_t *lenp, loff_t *ppos)
118727 {
118728- struct ctl_table fake_table;
118729+ ctl_table_no_const fake_table;
118730 char buf[NETDEV_RSS_KEY_LEN * 3];
118731
118732 snprintf(buf, sizeof(buf), "%*phC", NETDEV_RSS_KEY_LEN, netdev_rss_key);
118733@@ -285,7 +285,7 @@ static struct ctl_table net_core_table[] = {
118734 .mode = 0444,
118735 .proc_handler = proc_do_rss_key,
118736 },
118737-#ifdef CONFIG_BPF_JIT
118738+#if defined(CONFIG_BPF_JIT) && !defined(CONFIG_GRKERNSEC_BPF_HARDEN)
118739 {
118740 .procname = "bpf_jit_enable",
118741 .data = &bpf_jit_enable,
118742@@ -409,13 +409,12 @@ static struct ctl_table netns_core_table[] = {
118743
118744 static __net_init int sysctl_core_net_init(struct net *net)
118745 {
118746- struct ctl_table *tbl;
118747+ ctl_table_no_const *tbl = NULL;
118748
118749 net->core.sysctl_somaxconn = SOMAXCONN;
118750
118751- tbl = netns_core_table;
118752 if (!net_eq(net, &init_net)) {
118753- tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
118754+ tbl = kmemdup(netns_core_table, sizeof(netns_core_table), GFP_KERNEL);
118755 if (tbl == NULL)
118756 goto err_dup;
118757
118758@@ -425,17 +424,16 @@ static __net_init int sysctl_core_net_init(struct net *net)
118759 if (net->user_ns != &init_user_ns) {
118760 tbl[0].procname = NULL;
118761 }
118762- }
118763-
118764- net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
118765+ net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
118766+ } else
118767+ net->core.sysctl_hdr = register_net_sysctl(net, "net/core", netns_core_table);
118768 if (net->core.sysctl_hdr == NULL)
118769 goto err_reg;
118770
118771 return 0;
118772
118773 err_reg:
118774- if (tbl != netns_core_table)
118775- kfree(tbl);
118776+ kfree(tbl);
118777 err_dup:
118778 return -ENOMEM;
118779 }
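Review bot: The new `} else` branch is left unbraced while the `if` branch it pairs with is a braced block. Kernel coding style asks for braces on both branches in that case, and here the following `if (net->core.sysctl_hdr == NULL)` is easy to misread as part of the `else`. Writing it as `} else {`, then `net->core.sysctl_hdr = register_net_sysctl(net, "net/core", netns_core_table);`, then `}` costs one line. The same shape is introduced in lowpan_frags_ns_sysctl_register() and ip4_frags_ns_ctl_register() later in this patch. The unconditional `kfree(tbl)` at `err_reg` is fine because `tbl` is now initialised to NULL in the previous hunk.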
118780@@ -450,7 +448,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net)
118781 kfree(tbl);
118782 }
118783
118784-static __net_initdata struct pernet_operations sysctl_core_ops = {
118785+static __net_initconst struct pernet_operations sysctl_core_ops = {
118786 .init = sysctl_core_net_init,
118787 .exit = sysctl_core_net_exit,
118788 };
118789diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
118790index 675cf94..9279a75 100644
118791--- a/net/decnet/af_decnet.c
118792+++ b/net/decnet/af_decnet.c
118793@@ -466,6 +466,7 @@ static struct proto dn_proto = {
118794 .sysctl_rmem = sysctl_decnet_rmem,
118795 .max_header = DN_MAX_NSP_DATA_HEADER + 64,
118796 .obj_size = sizeof(struct dn_sock),
118797+ .slab_flags = SLAB_USERCOPY,
118798 };
118799
118800 static struct sock *dn_alloc_sock(struct net *net, struct socket *sock, gfp_t gfp, int kern)
118801diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
118802index b2c26b0..41f803e 100644
118803--- a/net/decnet/dn_dev.c
118804+++ b/net/decnet/dn_dev.c
118805@@ -201,7 +201,7 @@ static struct dn_dev_sysctl_table {
118806 .extra1 = &min_t3,
118807 .extra2 = &max_t3
118808 },
118809- {0}
118810+ { }
118811 },
118812 };
118813
118814diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c
118815index 5325b54..a0d4d69 100644
118816--- a/net/decnet/sysctl_net_decnet.c
118817+++ b/net/decnet/sysctl_net_decnet.c
118818@@ -174,7 +174,7 @@ static int dn_node_address_handler(struct ctl_table *table, int write,
118819
118820 if (len > *lenp) len = *lenp;
118821
118822- if (copy_to_user(buffer, addr, len))
118823+ if (len > sizeof addr || copy_to_user(buffer, addr, len))
118824 return -EFAULT;
118825
118826 *lenp = len;
118827@@ -237,7 +237,7 @@ static int dn_def_dev_handler(struct ctl_table *table, int write,
118828
118829 if (len > *lenp) len = *lenp;
118830
118831- if (copy_to_user(buffer, devname, len))
118832+ if (len > sizeof devname || copy_to_user(buffer, devname, len))
118833 return -EFAULT;
118834
118835 *lenp = len;
118836diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
118837index b445d49..13e8538 100644
118838--- a/net/dsa/dsa.c
118839+++ b/net/dsa/dsa.c
118840@@ -851,7 +851,7 @@ static struct packet_type dsa_pack_type __read_mostly = {
118841 .func = dsa_switch_rcv,
118842 };
118843
118844-static struct notifier_block dsa_netdevice_nb __read_mostly = {
118845+static struct notifier_block dsa_netdevice_nb = {
118846 .notifier_call = dsa_slave_netdevice_event,
118847 };
118848
118849diff --git a/net/hsr/hsr_netlink.c b/net/hsr/hsr_netlink.c
118850index a2c7e4c..3dc9f67 100644
118851--- a/net/hsr/hsr_netlink.c
118852+++ b/net/hsr/hsr_netlink.c
118853@@ -102,7 +102,7 @@ nla_put_failure:
118854 return -EMSGSIZE;
118855 }
118856
118857-static struct rtnl_link_ops hsr_link_ops __read_mostly = {
118858+static struct rtnl_link_ops hsr_link_ops = {
118859 .kind = "hsr",
118860 .maxtype = IFLA_HSR_MAX,
118861 .policy = hsr_policy,
118862diff --git a/net/ieee802154/6lowpan/core.c b/net/ieee802154/6lowpan/core.c
118863index f20a387..2058892 100644
118864--- a/net/ieee802154/6lowpan/core.c
118865+++ b/net/ieee802154/6lowpan/core.c
118866@@ -191,7 +191,7 @@ static void lowpan_dellink(struct net_device *dev, struct list_head *head)
118867 dev_put(real_dev);
118868 }
118869
118870-static struct rtnl_link_ops lowpan_link_ops __read_mostly = {
118871+static struct rtnl_link_ops lowpan_link_ops = {
118872 .kind = "lowpan",
118873 .priv_size = sizeof(struct lowpan_dev_info),
118874 .setup = lowpan_setup,
118875diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
118876index 214d44a..dcb7f86 100644
118877--- a/net/ieee802154/6lowpan/reassembly.c
118878+++ b/net/ieee802154/6lowpan/reassembly.c
118879@@ -435,14 +435,13 @@ static struct ctl_table lowpan_frags_ctl_table[] = {
118880
118881 static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
118882 {
118883- struct ctl_table *table;
118884+ ctl_table_no_const *table = NULL;
118885 struct ctl_table_header *hdr;
118886 struct netns_ieee802154_lowpan *ieee802154_lowpan =
118887 net_ieee802154_lowpan(net);
118888
118889- table = lowpan_frags_ns_ctl_table;
118890 if (!net_eq(net, &init_net)) {
118891- table = kmemdup(table, sizeof(lowpan_frags_ns_ctl_table),
118892+ table = kmemdup(lowpan_frags_ns_ctl_table, sizeof(lowpan_frags_ns_ctl_table),
118893 GFP_KERNEL);
118894 if (table == NULL)
118895 goto err_alloc;
118896@@ -457,9 +456,9 @@ static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
118897 /* Don't export sysctls to unprivileged users */
118898 if (net->user_ns != &init_user_ns)
118899 table[0].procname = NULL;
118900- }
118901-
118902- hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", table);
118903+ hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", table);
118904+ } else
118905+ hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", lowpan_frags_ns_ctl_table);
118906 if (hdr == NULL)
118907 goto err_reg;
118908
118909@@ -467,8 +466,7 @@ static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
118910 return 0;
118911
118912 err_reg:
118913- if (!net_eq(net, &init_net))
118914- kfree(table);
118915+ kfree(table);
118916 err_alloc:
118917 return -ENOMEM;
118918 }
118919diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
118920index 9532ee8..020410a 100644
118921--- a/net/ipv4/af_inet.c
118922+++ b/net/ipv4/af_inet.c
118923@@ -1392,7 +1392,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
118924 return ip_recv_error(sk, msg, len, addr_len);
118925 #if IS_ENABLED(CONFIG_IPV6)
118926 if (sk->sk_family == AF_INET6)
118927- return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len);
118928+ return pingv6_ops->ipv6_recv_error(sk, msg, len, addr_len);
118929 #endif
118930 return -EINVAL;
118931 }
118932diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
118933index 2d9cb17..20ae904 100644
118934--- a/net/ipv4/devinet.c
118935+++ b/net/ipv4/devinet.c
118936@@ -69,7 +69,8 @@
118937
118938 static struct ipv4_devconf ipv4_devconf = {
118939 .data = {
118940- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
118941+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0,
118942+ [IPV4_DEVCONF_RP_FILTER - 1] = 1,
118943 [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1,
118944 [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1,
118945 [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1,
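Review bot: The new defaults in `ipv4_devconf` carry no comment, although they change behaviour for every interface: `IPV4_DEVCONF_ACCEPT_REDIRECTS` goes from 1 to 0 and `IPV4_DEVCONF_RP_FILTER` is set to 1. The same edit is made to `ipv4_devconf_dflt` in the next hunk. Strict reverse-path filtering drops legitimate traffic on hosts with asymmetric routes, so the code should say that this is a deliberate hardening choice which administrators can override per interface. I would add `/* hardened defaults: ignore ICMP redirects, strict reverse-path filtering; tunable via net.ipv4.conf.* */` above the initializer. `IPV4_DEVCONF_SEND_REDIRECTS` stays at 1, which is worth a second look if the intent is to take the host out of redirect handling altogether.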
118946@@ -80,7 +81,8 @@ static struct ipv4_devconf ipv4_devconf = {
118947
118948 static struct ipv4_devconf ipv4_devconf_dflt = {
118949 .data = {
118950- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
118951+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0,
118952+ [IPV4_DEVCONF_RP_FILTER - 1] = 1,
118953 [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1,
118954 [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1,
118955 [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1,
118956@@ -1579,7 +1581,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
118957 idx = 0;
118958 head = &net->dev_index_head[h];
118959 rcu_read_lock();
118960- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
118961+ cb->seq = atomic_read_unchecked(&net->ipv4.dev_addr_genid) ^
118962 net->dev_base_seq;
118963 hlist_for_each_entry_rcu(dev, head, index_hlist) {
118964 if (idx < s_idx)
118965@@ -1905,7 +1907,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb,
118966 idx = 0;
118967 head = &net->dev_index_head[h];
118968 rcu_read_lock();
118969- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
118970+ cb->seq = atomic_read_unchecked(&net->ipv4.dev_addr_genid) ^
118971 net->dev_base_seq;
118972 hlist_for_each_entry_rcu(dev, head, index_hlist) {
118973 if (idx < s_idx)
118974@@ -2146,7 +2148,7 @@ static int ipv4_doint_and_flush(struct ctl_table *ctl, int write,
118975 #define DEVINET_SYSCTL_FLUSHING_ENTRY(attr, name) \
118976 DEVINET_SYSCTL_COMPLEX_ENTRY(attr, name, ipv4_doint_and_flush)
118977
118978-static struct devinet_sysctl_table {
118979+static const struct devinet_sysctl_table {
118980 struct ctl_table_header *sysctl_header;
118981 struct ctl_table devinet_vars[__IPV4_DEVCONF_MAX];
118982 } devinet_sysctl = {
118983@@ -2280,7 +2282,7 @@ static __net_init int devinet_init_net(struct net *net)
118984 int err;
118985 struct ipv4_devconf *all, *dflt;
118986 #ifdef CONFIG_SYSCTL
118987- struct ctl_table *tbl = ctl_forward_entry;
118988+ ctl_table_no_const *tbl = NULL;
118989 struct ctl_table_header *forw_hdr;
118990 #endif
118991
118992@@ -2298,7 +2300,7 @@ static __net_init int devinet_init_net(struct net *net)
118993 goto err_alloc_dflt;
118994
118995 #ifdef CONFIG_SYSCTL
118996- tbl = kmemdup(tbl, sizeof(ctl_forward_entry), GFP_KERNEL);
118997+ tbl = kmemdup(ctl_forward_entry, sizeof(ctl_forward_entry), GFP_KERNEL);
118998 if (!tbl)
118999 goto err_alloc_ctl;
119000
119001@@ -2318,7 +2320,10 @@ static __net_init int devinet_init_net(struct net *net)
119002 goto err_reg_dflt;
119003
119004 err = -ENOMEM;
119005- forw_hdr = register_net_sysctl(net, "net/ipv4", tbl);
119006+ if (!net_eq(net, &init_net))
119007+ forw_hdr = register_net_sysctl(net, "net/ipv4", tbl);
119008+ else
119009+ forw_hdr = register_net_sysctl(net, "net/ipv4", ctl_forward_entry);
119010 if (!forw_hdr)
119011 goto err_reg_ctl;
119012 net->ipv4.forw_hdr = forw_hdr;
119013@@ -2334,8 +2339,7 @@ err_reg_ctl:
119014 err_reg_dflt:
119015 __devinet_sysctl_unregister(all);
119016 err_reg_all:
119017- if (tbl != ctl_forward_entry)
119018- kfree(tbl);
119019+ kfree(tbl);
119020 err_alloc_ctl:
119021 #endif
119022 if (dflt != &ipv4_devconf_dflt)
119023diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
119024index 6bbc549..28d74951 100644
119025--- a/net/ipv4/fib_frontend.c
119026+++ b/net/ipv4/fib_frontend.c
119027@@ -1083,12 +1083,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
119028 #ifdef CONFIG_IP_ROUTE_MULTIPATH
119029 fib_sync_up(dev, RTNH_F_DEAD);
119030 #endif
119031- atomic_inc(&net->ipv4.dev_addr_genid);
119032+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119033 rt_cache_flush(dev_net(dev));
119034 break;
119035 case NETDEV_DOWN:
119036 fib_del_ifaddr(ifa, NULL);
119037- atomic_inc(&net->ipv4.dev_addr_genid);
119038+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119039 if (!ifa->ifa_dev->ifa_list) {
119040 /* Last address was deleted from this interface.
119041 * Disable IP.
119042@@ -1127,7 +1127,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
119043 #ifdef CONFIG_IP_ROUTE_MULTIPATH
119044 fib_sync_up(dev, RTNH_F_DEAD);
119045 #endif
119046- atomic_inc(&net->ipv4.dev_addr_genid);
119047+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119048 rt_cache_flush(net);
119049 break;
119050 case NETDEV_DOWN:
119051diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
119052index 3a06586..1020c5b 100644
119053--- a/net/ipv4/fib_semantics.c
119054+++ b/net/ipv4/fib_semantics.c
119055@@ -755,7 +755,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
119056 nh->nh_saddr = inet_select_addr(nh->nh_dev,
119057 nh->nh_gw,
119058 nh->nh_parent->fib_scope);
119059- nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
119060+ nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
119061
119062 return nh->nh_saddr;
119063 }
119064diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
119065index 1349571..e136d6e 100644
119066--- a/net/ipv4/inet_connection_sock.c
119067+++ b/net/ipv4/inet_connection_sock.c
119068@@ -728,8 +728,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
119069 newsk->sk_write_space = sk_stream_write_space;
119070
119071 newsk->sk_mark = inet_rsk(req)->ir_mark;
119072- atomic64_set(&newsk->sk_cookie,
119073- atomic64_read(&inet_rsk(req)->ir_cookie));
119074+ atomic64_set_unchecked(&newsk->sk_cookie,
119075+ atomic64_read_unchecked(&inet_rsk(req)->ir_cookie));
119076
119077 newicsk->icsk_retransmits = 0;
119078 newicsk->icsk_backoff = 0;
119079diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
119080index 0cb9165..8589720 100644
119081--- a/net/ipv4/inet_hashtables.c
119082+++ b/net/ipv4/inet_hashtables.c
119083@@ -19,6 +19,7 @@
119084 #include <linux/slab.h>
119085 #include <linux/wait.h>
119086 #include <linux/vmalloc.h>
119087+#include <linux/security.h>
119088
119089 #include <net/inet_connection_sock.h>
119090 #include <net/inet_hashtables.h>
119091@@ -54,6 +55,8 @@ u32 sk_ehashfn(const struct sock *sk)
119092 sk->sk_daddr, sk->sk_dport);
119093 }
119094
119095+extern void gr_update_task_in_ip_table(const struct inet_sock *inet);
119096+
119097 /*
119098 * Allocate and initialize a new local port bind bucket.
119099 * The bindhash mutex for snum's hash chain must be held here.
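Review bot: The prototype `extern void gr_update_task_in_ip_table(const struct inet_sock *inet);` is declared directly in this .c file, so the compiler cannot check it against the definition and a later signature change would go unnoticed here. It belongs in a header included by both the definition and this caller. The `#include <linux/security.h>` added in the previous hunk may be the intended home, though that header's contents are not visible on this page. The call site is added in the following hunk.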
119100@@ -566,6 +569,8 @@ ok:
119101 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
119102 spin_unlock(&head->lock);
119103
119104+ gr_update_task_in_ip_table(inet_sk(sk));
119105+
119106 if (tw) {
119107 inet_twsk_deschedule(tw);
119108 while (twrefcnt) {
119109diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
119110index 2ffbd16..6e94995 100644
119111--- a/net/ipv4/inet_timewait_sock.c
119112+++ b/net/ipv4/inet_timewait_sock.c
119113@@ -214,7 +214,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk,
119114 tw->tw_ipv6only = 0;
119115 tw->tw_transparent = inet->transparent;
119116 tw->tw_prot = sk->sk_prot_creator;
119117- atomic64_set(&tw->tw_cookie, atomic64_read(&sk->sk_cookie));
119118+ atomic64_set_unchecked(&tw->tw_cookie, atomic64_read_unchecked(&sk->sk_cookie));
119119 twsk_net_set(tw, sock_net(sk));
119120 setup_timer(&tw->tw_timer, tw_timer_handler, (unsigned long)tw);
119121 /*
119122diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
119123index 241afd7..31b95d5 100644
119124--- a/net/ipv4/inetpeer.c
119125+++ b/net/ipv4/inetpeer.c
119126@@ -461,7 +461,7 @@ relookup:
119127 if (p) {
119128 p->daddr = *daddr;
119129 atomic_set(&p->refcnt, 1);
119130- atomic_set(&p->rid, 0);
119131+ atomic_set_unchecked(&p->rid, 0);
119132 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
119133 p->rate_tokens = 0;
119134 /* 60*HZ is arbitrary, but chosen enough high so that the first
119135diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
119136index 921138f..1e011ff 100644
119137--- a/net/ipv4/ip_fragment.c
119138+++ b/net/ipv4/ip_fragment.c
119139@@ -276,7 +276,7 @@ static int ip_frag_too_far(struct ipq *qp)
119140 return 0;
119141
119142 start = qp->rid;
119143- end = atomic_inc_return(&peer->rid);
119144+ end = atomic_inc_return_unchecked(&peer->rid);
119145 qp->rid = end;
119146
119147 rc = qp->q.fragments && (end - start) > max;
119148@@ -780,12 +780,11 @@ static struct ctl_table ip4_frags_ctl_table[] = {
119149
119150 static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119151 {
119152- struct ctl_table *table;
119153+ ctl_table_no_const *table = NULL;
119154 struct ctl_table_header *hdr;
119155
119156- table = ip4_frags_ns_ctl_table;
119157 if (!net_eq(net, &init_net)) {
119158- table = kmemdup(table, sizeof(ip4_frags_ns_ctl_table), GFP_KERNEL);
119159+ table = kmemdup(ip4_frags_ns_ctl_table, sizeof(ip4_frags_ns_ctl_table), GFP_KERNEL);
119160 if (!table)
119161 goto err_alloc;
119162
119163@@ -799,9 +798,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119164 /* Don't export sysctls to unprivileged users */
119165 if (net->user_ns != &init_user_ns)
119166 table[0].procname = NULL;
119167- }
119168+ hdr = register_net_sysctl(net, "net/ipv4", table);
119169+ } else
119170+ hdr = register_net_sysctl(net, "net/ipv4", ip4_frags_ns_ctl_table);
119171
119172- hdr = register_net_sysctl(net, "net/ipv4", table);
119173 if (!hdr)
119174 goto err_reg;
119175
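Review bot: The `} else` branch added in this hunk has no braces while the `if` branch does; kernel coding style asks for braces on both when either branch needs them, i.e. `} else {`, then `hdr = register_net_sysctl(net, "net/ipv4", ip4_frags_ns_ctl_table);`, then `}`. A short comment next to the now unconditional `kfree(table)` in the following hunk would also help, for example `/* table is NULL for init_net, so this is a no-op there */`, since that is what makes dropping the `net_eq()` test safe. `sysctl_route_net_init` in net/ipv4/route.c is changed the same way, and `ipv4_sysctl_init_net` in net/ipv4/sysctl_net_ipv4.c tests `net_eq(net, &init_net)` a second time for the same purpose.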
119176@@ -809,8 +809,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119177 return 0;
119178
119179 err_reg:
119180- if (!net_eq(net, &init_net))
119181- kfree(table);
119182+ kfree(table);
119183 err_alloc:
119184 return -ENOMEM;
119185 }
119186diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
119187index 5fd7064..d13d75f 100644
119188--- a/net/ipv4/ip_gre.c
119189+++ b/net/ipv4/ip_gre.c
119190@@ -115,7 +115,7 @@ static bool log_ecn_error = true;
119191 module_param(log_ecn_error, bool, 0644);
119192 MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
119193
119194-static struct rtnl_link_ops ipgre_link_ops __read_mostly;
119195+static struct rtnl_link_ops ipgre_link_ops;
119196 static int ipgre_tunnel_init(struct net_device *dev);
119197
119198 static int ipgre_net_id __read_mostly;
119199@@ -819,7 +819,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
119200 [IFLA_GRE_ENCAP_DPORT] = { .type = NLA_U16 },
119201 };
119202
119203-static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
119204+static struct rtnl_link_ops ipgre_link_ops = {
119205 .kind = "gre",
119206 .maxtype = IFLA_GRE_MAX,
119207 .policy = ipgre_policy,
119208@@ -834,7 +834,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
119209 .get_link_net = ip_tunnel_get_link_net,
119210 };
119211
119212-static struct rtnl_link_ops ipgre_tap_ops __read_mostly = {
119213+static struct rtnl_link_ops ipgre_tap_ops = {
119214 .kind = "gretap",
119215 .maxtype = IFLA_GRE_MAX,
119216 .policy = ipgre_policy,
119217diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
119218index 2db4c87..4db9282 100644
119219--- a/net/ipv4/ip_input.c
119220+++ b/net/ipv4/ip_input.c
119221@@ -147,6 +147,10 @@
119222 #include <linux/mroute.h>
119223 #include <linux/netlink.h>
119224
119225+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119226+extern int grsec_enable_blackhole;
119227+#endif
119228+
119229 /*
119230 * Process Router Attention IP option (RFC 2113)
119231 */
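Review bot: `extern int grsec_enable_blackhole;` is declared directly in this .c file, and the same declaration is repeated in net/ipv4/tcp_ipv4.c, net/ipv4/tcp_minisocks.c and net/ipv4/udp.c (with `grsec_lastack_retries` in net/ipv4/tcp_timer.c). A private extern is not checked against the definition, so a later change of the variable's type would compile without a diagnostic. Declaring it once in a header that the defining file also includes lets the compiler verify the type and removes the repeated `#ifdef` blocks.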
119232@@ -223,6 +227,9 @@ static int ip_local_deliver_finish(struct sock *sk, struct sk_buff *skb)
119233 if (!raw) {
119234 if (xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
119235 IP_INC_STATS_BH(net, IPSTATS_MIB_INUNKNOWNPROTOS);
119236+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119237+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
119238+#endif
119239 icmp_send(skb, ICMP_DEST_UNREACH,
119240 ICMP_PROT_UNREACH, 0);
119241 }
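Review bot: The added `if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))` sits inside the `#ifdef` while the `icmp_send()` call it controls sits outside it with unchanged indentation, so the dependency is easy to miss, and a statement inserted between the two would silently change what is guarded. A similar construction is used at `reset:` and before the final `tcp_v4_send_reset(NULL, skb)` in net/ipv4/tcp_ipv4.c and at `embryonic_reset:` in net/ipv4/tcp_minisocks.c. A comment on the guard would help, for example `/* blackhole: suppress the protocol-unreachable reply except on loopback */`, or the test could move into a small inline predicate that is constant when the option is off. The enclosing function extends beyond the hunk.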
119242diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
119243index c3c359a..504edc6 100644
119244--- a/net/ipv4/ip_sockglue.c
119245+++ b/net/ipv4/ip_sockglue.c
119246@@ -1295,7 +1295,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
119247 len = min_t(unsigned int, len, opt->optlen);
119248 if (put_user(len, optlen))
119249 return -EFAULT;
119250- if (copy_to_user(optval, opt->__data, len))
119251+ if ((len > (sizeof(optbuf) - sizeof(struct ip_options))) ||
119252+ copy_to_user(optval, opt->__data, len))
119253 return -EFAULT;
119254 return 0;
119255 }
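Review bot: The new length check runs after `put_user(len, optlen)`, so a request that is rejected has already had its `optlen` overwritten in user space by the time `-EFAULT` is returned. Testing the bound first keeps the failure path free of side effects: `if (len > sizeof(optbuf) - sizeof(struct ip_options)) return -EFAULT;` placed before the `put_user`. `optbuf` is declared outside this hunk, so the bound is assumed to describe the storage behind `opt->__data`; a one-line comment saying so would make the intent of the check clear.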
119256@@ -1432,7 +1433,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
119257 if (sk->sk_type != SOCK_STREAM)
119258 return -ENOPROTOOPT;
119259
119260- msg.msg_control = (__force void *) optval;
119261+ msg.msg_control = (__force_kernel void *) optval;
119262 msg.msg_controllen = len;
119263 msg.msg_flags = flags;
119264
119265diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
119266index 0c15208..a3a76c5 100644
119267--- a/net/ipv4/ip_vti.c
119268+++ b/net/ipv4/ip_vti.c
119269@@ -45,7 +45,7 @@
119270 #include <net/net_namespace.h>
119271 #include <net/netns/generic.h>
119272
119273-static struct rtnl_link_ops vti_link_ops __read_mostly;
119274+static struct rtnl_link_ops vti_link_ops;
119275
119276 static int vti_net_id __read_mostly;
119277 static int vti_tunnel_init(struct net_device *dev);
119278@@ -525,7 +525,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
119279 [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) },
119280 };
119281
119282-static struct rtnl_link_ops vti_link_ops __read_mostly = {
119283+static struct rtnl_link_ops vti_link_ops = {
119284 .kind = "vti",
119285 .maxtype = IFLA_VTI_MAX,
119286 .policy = vti_policy,
119287diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
119288index 8e7328c..9bd7ed3 100644
119289--- a/net/ipv4/ipconfig.c
119290+++ b/net/ipv4/ipconfig.c
119291@@ -333,7 +333,7 @@ static int __init ic_devinet_ioctl(unsigned int cmd, struct ifreq *arg)
119292
119293 mm_segment_t oldfs = get_fs();
119294 set_fs(get_ds());
119295- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
119296+ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
119297 set_fs(oldfs);
119298 return res;
119299 }
119300@@ -344,7 +344,7 @@ static int __init ic_dev_ioctl(unsigned int cmd, struct ifreq *arg)
119301
119302 mm_segment_t oldfs = get_fs();
119303 set_fs(get_ds());
119304- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
119305+ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
119306 set_fs(oldfs);
119307 return res;
119308 }
119309@@ -355,7 +355,7 @@ static int __init ic_route_ioctl(unsigned int cmd, struct rtentry *arg)
119310
119311 mm_segment_t oldfs = get_fs();
119312 set_fs(get_ds());
119313- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
119314+ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
119315 set_fs(oldfs);
119316 return res;
119317 }
119318diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
119319index 254238d..82c19a2 100644
119320--- a/net/ipv4/ipip.c
119321+++ b/net/ipv4/ipip.c
119322@@ -124,7 +124,7 @@ MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
119323 static int ipip_net_id __read_mostly;
119324
119325 static int ipip_tunnel_init(struct net_device *dev);
119326-static struct rtnl_link_ops ipip_link_ops __read_mostly;
119327+static struct rtnl_link_ops ipip_link_ops;
119328
119329 static int ipip_err(struct sk_buff *skb, u32 info)
119330 {
119331@@ -488,7 +488,7 @@ static const struct nla_policy ipip_policy[IFLA_IPTUN_MAX + 1] = {
119332 [IFLA_IPTUN_ENCAP_DPORT] = { .type = NLA_U16 },
119333 };
119334
119335-static struct rtnl_link_ops ipip_link_ops __read_mostly = {
119336+static struct rtnl_link_ops ipip_link_ops = {
119337 .kind = "ipip",
119338 .maxtype = IFLA_IPTUN_MAX,
119339 .policy = ipip_policy,
119340diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
119341index 92305a1..0a5b349 100644
119342--- a/net/ipv4/netfilter/arp_tables.c
119343+++ b/net/ipv4/netfilter/arp_tables.c
119344@@ -896,14 +896,14 @@ static int compat_table_info(const struct xt_table_info *info,
119345 #endif
119346
119347 static int get_info(struct net *net, void __user *user,
119348- const int *len, int compat)
119349+ int len, int compat)
119350 {
119351 char name[XT_TABLE_MAXNAMELEN];
119352 struct xt_table *t;
119353 int ret;
119354
119355- if (*len != sizeof(struct arpt_getinfo)) {
119356- duprintf("length %u != %Zu\n", *len,
119357+ if (len != sizeof(struct arpt_getinfo)) {
119358+ duprintf("length %u != %Zu\n", len,
119359 sizeof(struct arpt_getinfo));
119360 return -EINVAL;
119361 }
119362@@ -940,7 +940,7 @@ static int get_info(struct net *net, void __user *user,
119363 info.size = private->size;
119364 strcpy(info.name, name);
119365
119366- if (copy_to_user(user, &info, *len) != 0)
119367+ if (copy_to_user(user, &info, len) != 0)
119368 ret = -EFAULT;
119369 else
119370 ret = 0;
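Review bot: After the `len != sizeof(struct arpt_getinfo)` test in the previous hunk, `len` can only equal the structure size, so the copy here could use the object's own size and not depend on the caller's value at all: `if (copy_to_user(user, &info, sizeof(info)) != 0)`. That makes the copy length a compile-time constant, which is presumably what passing `len` by value is working towards. `info` is declared outside the visible lines, so this assumes it is a `struct arpt_getinfo`. The `get_info` hunks in net/ipv4/netfilter/ip_tables.c have the same shape.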
119371@@ -1705,7 +1705,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,
119372
119373 switch (cmd) {
119374 case ARPT_SO_GET_INFO:
119375- ret = get_info(sock_net(sk), user, len, 1);
119376+ ret = get_info(sock_net(sk), user, *len, 1);
119377 break;
119378 case ARPT_SO_GET_ENTRIES:
119379 ret = compat_get_entries(sock_net(sk), user, len);
119380@@ -1750,7 +1750,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
119381
119382 switch (cmd) {
119383 case ARPT_SO_GET_INFO:
119384- ret = get_info(sock_net(sk), user, len, 0);
119385+ ret = get_info(sock_net(sk), user, *len, 0);
119386 break;
119387
119388 case ARPT_SO_GET_ENTRIES:
119389diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
119390index 6c72fbb..ce47b05 100644
119391--- a/net/ipv4/netfilter/ip_tables.c
119392+++ b/net/ipv4/netfilter/ip_tables.c
119393@@ -1073,14 +1073,14 @@ static int compat_table_info(const struct xt_table_info *info,
119394 #endif
119395
119396 static int get_info(struct net *net, void __user *user,
119397- const int *len, int compat)
119398+ int len, int compat)
119399 {
119400 char name[XT_TABLE_MAXNAMELEN];
119401 struct xt_table *t;
119402 int ret;
119403
119404- if (*len != sizeof(struct ipt_getinfo)) {
119405- duprintf("length %u != %zu\n", *len,
119406+ if (len != sizeof(struct ipt_getinfo)) {
119407+ duprintf("length %u != %zu\n", len,
119408 sizeof(struct ipt_getinfo));
119409 return -EINVAL;
119410 }
119411@@ -1117,7 +1117,7 @@ static int get_info(struct net *net, void __user *user,
119412 info.size = private->size;
119413 strcpy(info.name, name);
119414
119415- if (copy_to_user(user, &info, *len) != 0)
119416+ if (copy_to_user(user, &info, len) != 0)
119417 ret = -EFAULT;
119418 else
119419 ret = 0;
119420@@ -1968,7 +1968,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
119421
119422 switch (cmd) {
119423 case IPT_SO_GET_INFO:
119424- ret = get_info(sock_net(sk), user, len, 1);
119425+ ret = get_info(sock_net(sk), user, *len, 1);
119426 break;
119427 case IPT_SO_GET_ENTRIES:
119428 ret = compat_get_entries(sock_net(sk), user, len);
119429@@ -2015,7 +2015,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
119430
119431 switch (cmd) {
119432 case IPT_SO_GET_INFO:
119433- ret = get_info(sock_net(sk), user, len, 0);
119434+ ret = get_info(sock_net(sk), user, *len, 0);
119435 break;
119436
119437 case IPT_SO_GET_ENTRIES:
119438diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
119439index 45cb16a..cef4ecd 100644
119440--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
119441+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
119442@@ -730,7 +730,7 @@ static int clusterip_net_init(struct net *net)
119443 spin_lock_init(&cn->lock);
119444
119445 #ifdef CONFIG_PROC_FS
119446- cn->procdir = proc_mkdir("ipt_CLUSTERIP", net->proc_net);
119447+ cn->procdir = proc_mkdir_restrict("ipt_CLUSTERIP", net->proc_net);
119448 if (!cn->procdir) {
119449 pr_err("Unable to proc dir entry\n");
119450 return -ENOMEM;
119451diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
119452index 05ff44b..da00000 100644
119453--- a/net/ipv4/ping.c
119454+++ b/net/ipv4/ping.c
119455@@ -59,7 +59,7 @@ struct ping_table {
119456 };
119457
119458 static struct ping_table ping_table;
119459-struct pingv6_ops pingv6_ops;
119460+struct pingv6_ops *pingv6_ops;
119461 EXPORT_SYMBOL_GPL(pingv6_ops);
119462
119463 static u16 ping_port_rover;
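Review bot: `pingv6_ops` becomes a pointer here, and every call site changed later in this file dereferences it as `pingv6_ops->...` with no NULL test and no single read of the pointer. The code that installs or clears the pointer is not on this page; if it can be NULL or replaced while an IPv6 ping socket is in use, those calls fault. A comment at the declaration stating who sets it and why it cannot be NULL on these paths would settle the question, for example `/* set by the IPv6 ping code before any AF_INET6 ping socket can exist */` (to be confirmed against the assigning code).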
119464@@ -359,7 +359,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk,
119465 return -ENODEV;
119466 }
119467 }
119468- has_addr = pingv6_ops.ipv6_chk_addr(net, &addr->sin6_addr, dev,
119469+ has_addr = pingv6_ops->ipv6_chk_addr(net, &addr->sin6_addr, dev,
119470 scoped);
119471 rcu_read_unlock();
119472
119473@@ -567,7 +567,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info)
119474 }
119475 #if IS_ENABLED(CONFIG_IPV6)
119476 } else if (skb->protocol == htons(ETH_P_IPV6)) {
119477- harderr = pingv6_ops.icmpv6_err_convert(type, code, &err);
119478+ harderr = pingv6_ops->icmpv6_err_convert(type, code, &err);
119479 #endif
119480 }
119481
119482@@ -585,7 +585,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info)
119483 info, (u8 *)icmph);
119484 #if IS_ENABLED(CONFIG_IPV6)
119485 } else if (family == AF_INET6) {
119486- pingv6_ops.ipv6_icmp_error(sk, skb, err, 0,
119487+ pingv6_ops->ipv6_icmp_error(sk, skb, err, 0,
119488 info, (u8 *)icmph);
119489 #endif
119490 }
119491@@ -918,10 +918,10 @@ int ping_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
119492 }
119493
119494 if (inet6_sk(sk)->rxopt.all)
119495- pingv6_ops.ip6_datagram_recv_common_ctl(sk, msg, skb);
119496+ pingv6_ops->ip6_datagram_recv_common_ctl(sk, msg, skb);
119497 if (skb->protocol == htons(ETH_P_IPV6) &&
119498 inet6_sk(sk)->rxopt.all)
119499- pingv6_ops.ip6_datagram_recv_specific_ctl(sk, msg, skb);
119500+ pingv6_ops->ip6_datagram_recv_specific_ctl(sk, msg, skb);
119501 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags)
119502 ip_cmsg_recv(msg, skb);
119503 #endif
119504@@ -1116,7 +1116,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
119505 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
119506 0, sock_i_ino(sp),
119507 atomic_read(&sp->sk_refcnt), sp,
119508- atomic_read(&sp->sk_drops));
119509+ atomic_read_unchecked(&sp->sk_drops));
119510 }
119511
119512 static int ping_v4_seq_show(struct seq_file *seq, void *v)
119513diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
119514index 561cd4b..a32a155 100644
119515--- a/net/ipv4/raw.c
119516+++ b/net/ipv4/raw.c
119517@@ -323,7 +323,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
119518 int raw_rcv(struct sock *sk, struct sk_buff *skb)
119519 {
119520 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
119521- atomic_inc(&sk->sk_drops);
119522+ atomic_inc_unchecked(&sk->sk_drops);
119523 kfree_skb(skb);
119524 return NET_RX_DROP;
119525 }
119526@@ -771,16 +771,20 @@ static int raw_init(struct sock *sk)
119527
119528 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
119529 {
119530+ struct icmp_filter filter;
119531+
119532 if (optlen > sizeof(struct icmp_filter))
119533 optlen = sizeof(struct icmp_filter);
119534- if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
119535+ if (copy_from_user(&filter, optval, optlen))
119536 return -EFAULT;
119537+ raw_sk(sk)->filter = filter;
119538 return 0;
119539 }
119540
119541 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
119542 {
119543 int len, ret = -EFAULT;
119544+ struct icmp_filter filter;
119545
119546 if (get_user(len, optlen))
119547 goto out;
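Review bot: `raw_seticmpfilter` now copies only `optlen` bytes into the new stack variable `filter` and then assigns the whole structure to `raw_sk(sk)->filter`, so when `optlen` is smaller than `sizeof(struct icmp_filter)` the remaining bytes are uninitialised stack contents. The removed line wrote straight into the socket's filter, which left the bytes beyond `optlen` at their previous value, and `raw_geticmpfilter` copies the stored filter back to user space. Initialising the local from the current value keeps the old behaviour and avoids storing stack residue: `struct icmp_filter filter = raw_sk(sk)->filter;`. `raw_geticmpfilter` continues outside this hunk.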
119548@@ -790,8 +794,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
119549 if (len > sizeof(struct icmp_filter))
119550 len = sizeof(struct icmp_filter);
119551 ret = -EFAULT;
119552- if (put_user(len, optlen) ||
119553- copy_to_user(optval, &raw_sk(sk)->filter, len))
119554+ filter = raw_sk(sk)->filter;
119555+ if (put_user(len, optlen) || len > sizeof filter || copy_to_user(optval, &filter, len))
119556 goto out;
119557 ret = 0;
119558 out: return ret;
119559@@ -1020,7 +1024,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
119560 0, 0L, 0,
119561 from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
119562 0, sock_i_ino(sp),
119563- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
119564+ atomic_read(&sp->sk_refcnt), sp, atomic_read_unchecked(&sp->sk_drops));
119565 }
119566
119567 static int raw_seq_show(struct seq_file *seq, void *v)
119568diff --git a/net/ipv4/route.c b/net/ipv4/route.c
119569index e681b85..8a43a65 100644
119570--- a/net/ipv4/route.c
119571+++ b/net/ipv4/route.c
119572@@ -227,7 +227,7 @@ static const struct seq_operations rt_cache_seq_ops = {
119573
119574 static int rt_cache_seq_open(struct inode *inode, struct file *file)
119575 {
119576- return seq_open(file, &rt_cache_seq_ops);
119577+ return seq_open_restrict(file, &rt_cache_seq_ops);
119578 }
119579
119580 static const struct file_operations rt_cache_seq_fops = {
119581@@ -318,7 +318,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
119582
119583 static int rt_cpu_seq_open(struct inode *inode, struct file *file)
119584 {
119585- return seq_open(file, &rt_cpu_seq_ops);
119586+ return seq_open_restrict(file, &rt_cpu_seq_ops);
119587 }
119588
119589 static const struct file_operations rt_cpu_seq_fops = {
119590@@ -356,7 +356,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
119591
119592 static int rt_acct_proc_open(struct inode *inode, struct file *file)
119593 {
119594- return single_open(file, rt_acct_proc_show, NULL);
119595+ return single_open_restrict(file, rt_acct_proc_show, NULL);
119596 }
119597
119598 static const struct file_operations rt_acct_proc_fops = {
119599@@ -458,7 +458,7 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
119600
119601 #define IP_IDENTS_SZ 2048u
119602
119603-static atomic_t *ip_idents __read_mostly;
119604+static atomic_unchecked_t ip_idents[IP_IDENTS_SZ] __read_mostly;
119605 static u32 *ip_tstamps __read_mostly;
119606
119607 /* In order to protect privacy, we add a perturbation to identifiers
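Review bot: `ip_idents` is now a static array but keeps `__read_mostly`, although `ip_idents_reserve` in the next hunks updates one of its slots with `atomic_add_return_unchecked` on every call. The annotation fitted the old pointer, which was assigned once during init; on the array it places frequently written counters in a section meant for data that is rarely written. Dropping it is enough: `static atomic_unchecked_t ip_idents[IP_IDENTS_SZ];`.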
119608@@ -468,7 +468,7 @@ static u32 *ip_tstamps __read_mostly;
119609 u32 ip_idents_reserve(u32 hash, int segs)
119610 {
119611 u32 *p_tstamp = ip_tstamps + hash % IP_IDENTS_SZ;
119612- atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
119613+ atomic_unchecked_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
119614 u32 old = ACCESS_ONCE(*p_tstamp);
119615 u32 now = (u32)jiffies;
119616 u32 delta = 0;
119617@@ -476,7 +476,7 @@ u32 ip_idents_reserve(u32 hash, int segs)
119618 if (old != now && cmpxchg(p_tstamp, old, now) == old)
119619 delta = prandom_u32_max(now - old);
119620
119621- return atomic_add_return(segs + delta, p_id) - segs;
119622+ return atomic_add_return_unchecked(segs + delta, p_id) - segs;
119623 }
119624 EXPORT_SYMBOL(ip_idents_reserve);
119625
119626@@ -2640,34 +2640,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
119627 .maxlen = sizeof(int),
119628 .mode = 0200,
119629 .proc_handler = ipv4_sysctl_rtcache_flush,
119630+ .extra1 = &init_net,
119631 },
119632 { },
119633 };
119634
119635 static __net_init int sysctl_route_net_init(struct net *net)
119636 {
119637- struct ctl_table *tbl;
119638+ ctl_table_no_const *tbl = NULL;
119639
119640- tbl = ipv4_route_flush_table;
119641 if (!net_eq(net, &init_net)) {
119642- tbl = kmemdup(tbl, sizeof(ipv4_route_flush_table), GFP_KERNEL);
119643+ tbl = kmemdup(ipv4_route_flush_table, sizeof(ipv4_route_flush_table), GFP_KERNEL);
119644 if (!tbl)
119645 goto err_dup;
119646
119647 /* Don't export sysctls to unprivileged users */
119648 if (net->user_ns != &init_user_ns)
119649 tbl[0].procname = NULL;
119650- }
119651- tbl[0].extra1 = net;
119652+ tbl[0].extra1 = net;
119653+ net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", tbl);
119654+ } else
119655+ net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", ipv4_route_flush_table);
119656
119657- net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", tbl);
119658 if (!net->ipv4.route_hdr)
119659 goto err_reg;
119660 return 0;
119661
119662 err_reg:
119663- if (tbl != ipv4_route_flush_table)
119664- kfree(tbl);
119665+ kfree(tbl);
119666 err_dup:
119667 return -ENOMEM;
119668 }
119669@@ -2690,8 +2690,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
119670
119671 static __net_init int rt_genid_init(struct net *net)
119672 {
119673- atomic_set(&net->ipv4.rt_genid, 0);
119674- atomic_set(&net->fnhe_genid, 0);
119675+ atomic_set_unchecked(&net->ipv4.rt_genid, 0);
119676+ atomic_set_unchecked(&net->fnhe_genid, 0);
119677 get_random_bytes(&net->ipv4.dev_addr_genid,
119678 sizeof(net->ipv4.dev_addr_genid));
119679 return 0;
119680@@ -2735,11 +2735,7 @@ int __init ip_rt_init(void)
119681 int rc = 0;
119682 int cpu;
119683
119684- ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL);
119685- if (!ip_idents)
119686- panic("IP: failed to allocate ip_idents\n");
119687-
119688- prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));
119689+ prandom_bytes(ip_idents, sizeof(ip_idents));
119690
119691 ip_tstamps = kcalloc(IP_IDENTS_SZ, sizeof(*ip_tstamps), GFP_KERNEL);
119692 if (!ip_tstamps)
119693diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
119694index 0330ab2..4745d2c 100644
119695--- a/net/ipv4/sysctl_net_ipv4.c
119696+++ b/net/ipv4/sysctl_net_ipv4.c
119697@@ -66,7 +66,7 @@ static int ipv4_local_port_range(struct ctl_table *table, int write,
119698 container_of(table->data, struct net, ipv4.ip_local_ports.range);
119699 int ret;
119700 int range[2];
119701- struct ctl_table tmp = {
119702+ ctl_table_no_const tmp = {
119703 .data = &range,
119704 .maxlen = sizeof(range),
119705 .mode = table->mode,
119706@@ -124,7 +124,7 @@ static int ipv4_ping_group_range(struct ctl_table *table, int write,
119707 int ret;
119708 gid_t urange[2];
119709 kgid_t low, high;
119710- struct ctl_table tmp = {
119711+ ctl_table_no_const tmp = {
119712 .data = &urange,
119713 .maxlen = sizeof(urange),
119714 .mode = table->mode,
119715@@ -155,7 +155,7 @@ static int proc_tcp_congestion_control(struct ctl_table *ctl, int write,
119716 void __user *buffer, size_t *lenp, loff_t *ppos)
119717 {
119718 char val[TCP_CA_NAME_MAX];
119719- struct ctl_table tbl = {
119720+ ctl_table_no_const tbl = {
119721 .data = val,
119722 .maxlen = TCP_CA_NAME_MAX,
119723 };
119724@@ -174,7 +174,7 @@ static int proc_tcp_available_congestion_control(struct ctl_table *ctl,
119725 void __user *buffer, size_t *lenp,
119726 loff_t *ppos)
119727 {
119728- struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, };
119729+ ctl_table_no_const tbl = { .maxlen = TCP_CA_BUF_MAX, };
119730 int ret;
119731
119732 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
119733@@ -191,7 +191,7 @@ static int proc_allowed_congestion_control(struct ctl_table *ctl,
119734 void __user *buffer, size_t *lenp,
119735 loff_t *ppos)
119736 {
119737- struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX };
119738+ ctl_table_no_const tbl = { .maxlen = TCP_CA_BUF_MAX };
119739 int ret;
119740
119741 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
119742@@ -210,7 +210,7 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write,
119743 void __user *buffer, size_t *lenp,
119744 loff_t *ppos)
119745 {
119746- struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
119747+ ctl_table_no_const tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
119748 struct tcp_fastopen_context *ctxt;
119749 int ret;
119750 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
119751@@ -915,13 +915,12 @@ static struct ctl_table ipv4_net_table[] = {
119752
119753 static __net_init int ipv4_sysctl_init_net(struct net *net)
119754 {
119755- struct ctl_table *table;
119756+ ctl_table_no_const *table = NULL;
119757
119758- table = ipv4_net_table;
119759 if (!net_eq(net, &init_net)) {
119760 int i;
119761
119762- table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL);
119763+ table = kmemdup(ipv4_net_table, sizeof(ipv4_net_table), GFP_KERNEL);
119764 if (!table)
119765 goto err_alloc;
119766
119767@@ -930,7 +929,10 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
119768 table[i].data += (void *)net - (void *)&init_net;
119769 }
119770
119771- net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
119772+ if (!net_eq(net, &init_net))
119773+ net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
119774+ else
119775+ net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", ipv4_net_table);
119776 if (!net->ipv4.ipv4_hdr)
119777 goto err_reg;
119778
119779diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
119780index 728f5b3..dc51cbe 100644
119781--- a/net/ipv4/tcp_input.c
119782+++ b/net/ipv4/tcp_input.c
119783@@ -767,7 +767,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
119784 * without any lock. We want to make sure compiler wont store
119785 * intermediate values in this location.
119786 */
119787- ACCESS_ONCE(sk->sk_pacing_rate) = min_t(u64, rate,
119788+ ACCESS_ONCE_RW(sk->sk_pacing_rate) = min_t(u64, rate,
119789 sk->sk_max_pacing_rate);
119790 }
119791
119792@@ -4608,7 +4608,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
119793 * simplifies code)
119794 */
119795 static void
119796-tcp_collapse(struct sock *sk, struct sk_buff_head *list,
119797+__intentional_overflow(5,6) tcp_collapse(struct sock *sk, struct sk_buff_head *list,
119798 struct sk_buff *head, struct sk_buff *tail,
119799 u32 start, u32 end)
119800 {
119801@@ -5603,6 +5603,7 @@ discard:
119802 tcp_paws_reject(&tp->rx_opt, 0))
119803 goto discard_and_undo;
119804
119805+#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT
119806 if (th->syn) {
119807 /* We see SYN without ACK. It is attempt of
119808 * simultaneous connect with crossed SYNs.
119809@@ -5653,6 +5654,7 @@ discard:
119810 goto discard;
119811 #endif
119812 }
119813+#endif
119814 /* "fifth, if neither of the SYN or RST bits is set then
119815 * drop the segment and return."
119816 */
119817@@ -5699,7 +5701,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
119818 goto discard;
119819
119820 if (th->syn) {
119821- if (th->fin)
119822+ if (th->fin || th->urg || th->psh)
119823 goto discard;
119824 if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
119825 return 1;
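Review bot: The widened test `if (th->fin || th->urg || th->psh)` has no comment and, unlike the other behaviour changes to this file in the patch, is not placed behind a `CONFIG_GRKERNSEC_*` option. A SYN that carries data could plausibly have PSH set (worth checking against TCP Fast Open senders), in which case it would now be discarded without any counter or log. I would add a comment such as `/* a connection request is not expected to carry FIN, URG or PSH */` and consider gating the URG/PSH part on a config symbol. The enclosing function starts and ends outside the hunk.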
119826@@ -6026,7 +6028,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
119827
119828 kmemcheck_annotate_bitfield(ireq, flags);
119829 ireq->opt = NULL;
119830- atomic64_set(&ireq->ir_cookie, 0);
119831+ atomic64_set_unchecked(&ireq->ir_cookie, 0);
119832 ireq->ireq_state = TCP_NEW_SYN_RECV;
119833 write_pnet(&ireq->ireq_net, sock_net(sk_listener));
119834 ireq->ireq_family = sk_listener->sk_family;
119835diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
119836index 0ea2e1c..a4d1c48 100644
119837--- a/net/ipv4/tcp_ipv4.c
119838+++ b/net/ipv4/tcp_ipv4.c
119839@@ -89,6 +89,10 @@ int sysctl_tcp_tw_reuse __read_mostly;
119840 int sysctl_tcp_low_latency __read_mostly;
119841 EXPORT_SYMBOL(sysctl_tcp_low_latency);
119842
119843+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119844+extern int grsec_enable_blackhole;
119845+#endif
119846+
119847 #ifdef CONFIG_TCP_MD5SIG
119848 static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
119849 __be32 daddr, __be32 saddr, const struct tcphdr *th);
119850@@ -1427,6 +1431,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
119851 return 0;
119852
119853 reset:
119854+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119855+ if (!grsec_enable_blackhole)
119856+#endif
119857 tcp_v4_send_reset(rsk, skb);
119858 discard:
119859 kfree_skb(skb);
119860@@ -1591,12 +1598,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
119861 TCP_SKB_CB(skb)->sacked = 0;
119862
119863 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
119864- if (!sk)
119865+ if (!sk) {
119866+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119867+ ret = 1;
119868+#endif
119869 goto no_tcp_socket;
119870-
119871+ }
119872 process:
119873- if (sk->sk_state == TCP_TIME_WAIT)
119874+ if (sk->sk_state == TCP_TIME_WAIT) {
119875+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119876+ ret = 2;
119877+#endif
119878 goto do_time_wait;
119879+ }
119880
119881 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
119882 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
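Review bot: `ret = 1` and `ret = 2` reuse the function's return-value variable as a marker for which branch jumped away, and the later hunk at `bad_packet:` then tests `ret == 1` to decide whether a reset may still be sent on loopback. The bare numbers carry no meaning at the point of use, and whether `ret` holds a defined value on every path that reaches that test is not visible from these hunks. A dedicated local with named values would make this clearer; at minimum a comment such as `/* ret doubles as a marker: 1 = no socket found, 2 = TIME_WAIT */` should sit where it is first set. The body of `tcp_v4_rcv` extends beyond the hunk.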
119883@@ -1653,6 +1667,10 @@ csum_error:
119884 bad_packet:
119885 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
119886 } else {
119887+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119888+ if (!grsec_enable_blackhole || (ret == 1 &&
119889+ (skb->dev->flags & IFF_LOOPBACK)))
119890+#endif
119891 tcp_v4_send_reset(NULL, skb);
119892 }
119893
119894diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
119895index 4bc00cb..d024adf 100644
119896--- a/net/ipv4/tcp_minisocks.c
119897+++ b/net/ipv4/tcp_minisocks.c
119898@@ -27,6 +27,10 @@
119899 #include <net/inet_common.h>
119900 #include <net/xfrm.h>
119901
119902+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119903+extern int grsec_enable_blackhole;
119904+#endif
119905+
119906 int sysctl_tcp_syncookies __read_mostly = 1;
119907 EXPORT_SYMBOL(sysctl_tcp_syncookies);
119908
119909@@ -782,7 +786,10 @@ embryonic_reset:
119910 * avoid becoming vulnerable to outside attack aiming at
119911 * resetting legit local connections.
119912 */
119913- req->rsk_ops->send_reset(sk, skb);
119914+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119915+ if (!grsec_enable_blackhole)
119916+#endif
119917+ req->rsk_ops->send_reset(sk, skb);
119918 } else if (fastopen) { /* received a valid RST pkt */
119919 reqsk_fastopen_remove(sk, req, true);
119920 tcp_reset(sk);
119921diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
119922index ebf5ff5..4d1ff32 100644
119923--- a/net/ipv4/tcp_probe.c
119924+++ b/net/ipv4/tcp_probe.c
119925@@ -236,7 +236,7 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
119926 if (cnt + width >= len)
119927 break;
119928
119929- if (copy_to_user(buf + cnt, tbuf, width))
119930+ if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
119931 return -EFAULT;
119932 cnt += width;
119933 }
119934diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
119935index 5b752f5..9594bb2 100644
119936--- a/net/ipv4/tcp_timer.c
119937+++ b/net/ipv4/tcp_timer.c
119938@@ -22,6 +22,10 @@
119939 #include <linux/gfp.h>
119940 #include <net/tcp.h>
119941
119942+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119943+extern int grsec_lastack_retries;
119944+#endif
119945+
119946 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
119947 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
119948 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
119949@@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock *sk)
119950 }
119951 }
119952
119953+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119954+ if ((sk->sk_state == TCP_LAST_ACK) &&
119955+ (grsec_lastack_retries > 0) &&
119956+ (grsec_lastack_retries < retry_until))
119957+ retry_until = grsec_lastack_retries;
119958+#endif
119959+
119960 if (retransmits_timed_out(sk, retry_until,
119961 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
119962 /* Has it gone just too far? */
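Review bot: `grsec_lastack_retries` is read three times in the added condition and assignment; if it is a tunable that can change at run time (its definition is not on this page), the value stored in `retry_until` may differ from the one that passed the `> 0` test. Reading it once into a local avoids that: `int lastack = ACCESS_ONCE(grsec_lastack_retries);`, then test and assign `lastack`. A one-line comment stating that the option only ever lowers the retry count for sockets in `TCP_LAST_ACK` would also document the intent.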
119963diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
119964index 1b8c5ba..e1f0542 100644
119965--- a/net/ipv4/udp.c
119966+++ b/net/ipv4/udp.c
119967@@ -87,6 +87,7 @@
119968 #include <linux/types.h>
119969 #include <linux/fcntl.h>
119970 #include <linux/module.h>
119971+#include <linux/security.h>
119972 #include <linux/socket.h>
119973 #include <linux/sockios.h>
119974 #include <linux/igmp.h>
119975@@ -115,6 +116,10 @@
119976 #include <net/busy_poll.h>
119977 #include "udp_impl.h"
119978
119979+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119980+extern int grsec_enable_blackhole;
119981+#endif
119982+
119983 struct udp_table udp_table __read_mostly;
119984 EXPORT_SYMBOL(udp_table);
119985
119986@@ -608,6 +613,9 @@ static inline bool __udp_is_mcast_sock(struct net *net, struct sock *sk,
119987 return true;
119988 }
119989
119990+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
119991+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
119992+
119993 /*
119994 * This routine is called by the ICMP module when it gets some
119995 * sort of error condition. If err < 0 then the socket should
119996@@ -944,9 +952,18 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
119997 dport = usin->sin_port;
119998 if (dport == 0)
119999 return -EINVAL;
120000+
120001+ err = gr_search_udp_sendmsg(sk, usin);
120002+ if (err)
120003+ return err;
120004 } else {
120005 if (sk->sk_state != TCP_ESTABLISHED)
120006 return -EDESTADDRREQ;
120007+
120008+ err = gr_search_udp_sendmsg(sk, NULL);
120009+ if (err)
120010+ return err;
120011+
120012 daddr = inet->inet_daddr;
120013 dport = inet->inet_dport;
120014 /* Open fast path for connected socket.
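Review bot: The two `gr_search_udp_sendmsg()` calls added to udp_sendmsg() take a `struct sockaddr_in *`, and the net/ipv6/udp.c section of this patch adds no equivalent call, so from what is visible the send-side policy check covers IPv4 destinations only. If that is intended, it deserves a comment at the call site, e.g. `/* policy check is IPv4-only; native IPv6 sends are not filtered here */`. The connected branch passes `NULL`, presumably meaning "use the socket's connected peer"; a short comment such as `/* NULL: check against the connected peer */` would document that convention once it is confirmed against the callee. udp_sendmsg() starts and ends outside the hunk.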
120015@@ -1193,7 +1210,7 @@ static unsigned int first_packet_length(struct sock *sk)
120016 IS_UDPLITE(sk));
120017 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
120018 IS_UDPLITE(sk));
120019- atomic_inc(&sk->sk_drops);
120020+ atomic_inc_unchecked(&sk->sk_drops);
120021 __skb_unlink(skb, rcvq);
120022 __skb_queue_tail(&list_kill, skb);
120023 }
120024@@ -1273,6 +1290,10 @@ try_again:
120025 if (!skb)
120026 goto out;
120027
120028+ err = gr_search_udp_recvmsg(sk, skb);
120029+ if (err)
120030+ goto out_free;
120031+
120032 ulen = skb->len - sizeof(struct udphdr);
120033 copied = len;
120034 if (copied > ulen)
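Review bot: A datagram rejected by `gr_search_udp_recvmsg()` leaves through `goto out_free` without the drop accounting that the other drop paths in this file update (`atomic_inc_unchecked(&sk->sk_drops)` and `UDP_MIB_INERRORS`). Unless the callee records the denial itself, which is not visible here, policy drops will not show up in the socket and MIB counters that operators monitor. Consider adding `atomic_inc_unchecked(&sk->sk_drops);` before the `goto out_free`, guarded by `if (!peeked)` as on the copy-error path. The `out_free` label and the rest of udp_recvmsg() lie outside the hunk.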
120035@@ -1305,7 +1326,7 @@ try_again:
120036 if (unlikely(err)) {
120037 trace_kfree_skb(skb, udp_recvmsg);
120038 if (!peeked) {
120039- atomic_inc(&sk->sk_drops);
120040+ atomic_inc_unchecked(&sk->sk_drops);
120041 UDP_INC_STATS_USER(sock_net(sk),
120042 UDP_MIB_INERRORS, is_udplite);
120043 }
120044@@ -1599,7 +1620,7 @@ csum_error:
120045 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
120046 drop:
120047 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
120048- atomic_inc(&sk->sk_drops);
120049+ atomic_inc_unchecked(&sk->sk_drops);
120050 kfree_skb(skb);
120051 return -1;
120052 }
120053@@ -1617,7 +1638,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
120054 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
120055
120056 if (!skb1) {
120057- atomic_inc(&sk->sk_drops);
120058+ atomic_inc_unchecked(&sk->sk_drops);
120059 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
120060 IS_UDPLITE(sk));
120061 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
120062@@ -1823,6 +1844,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
120063 goto csum_error;
120064
120065 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
120066+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120067+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
120068+#endif
120069 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
120070
120071 /*
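Review bot: The added `if` lives inside `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` while the statement it guards, `icmp_send(...)`, sits outside it, so what the condition controls in __udp4_lib_rcv() depends on where a preprocessor line ends. Anyone inserting a statement between `#endif` and `icmp_send()` changes the guarded statement in one configuration only. The same construct is added in net/ipv6/udp.c (`icmpv6_send`) and twice in net/ipv6/tcp_ipv6.c (`tcp_v6_send_reset`). A small predicate that compiles to `false` when the option is off keeps the call site an ordinary `if`; the helper name below is only a suggestion. __udp4_lib_rcv() continues outside the hunk.

```c
#ifdef CONFIG_GRKERNSEC_BLACKHOLE
/* true when the port-unreachable reply must be suppressed;
 * loopback is exempt, as in the original condition */
static inline bool udp_blackhole_suppress(const struct sk_buff *skb)
{
	return grsec_enable_blackhole && !(skb->dev->flags & IFF_LOOPBACK);
}
#else
static inline bool udp_blackhole_suppress(const struct sk_buff *skb)
{
	return false;
}
#endif

	/* ... unchanged: UDP_MIB_NOPORTS accounting ... */
	if (!udp_blackhole_suppress(skb))
		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
```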
120072@@ -2427,7 +2451,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
120073 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
120074 0, sock_i_ino(sp),
120075 atomic_read(&sp->sk_refcnt), sp,
120076- atomic_read(&sp->sk_drops));
120077+ atomic_read_unchecked(&sp->sk_drops));
120078 }
120079
120080 int udp4_seq_show(struct seq_file *seq, void *v)
120081diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
120082index bff6974..c63736c 100644
120083--- a/net/ipv4/xfrm4_policy.c
120084+++ b/net/ipv4/xfrm4_policy.c
120085@@ -186,11 +186,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
120086 fl4->flowi4_tos = iph->tos;
120087 }
120088
120089-static inline int xfrm4_garbage_collect(struct dst_ops *ops)
120090+static int xfrm4_garbage_collect(struct dst_ops *ops)
120091 {
120092 struct net *net = container_of(ops, struct net, xfrm.xfrm4_dst_ops);
120093
120094- xfrm4_policy_afinfo.garbage_collect(net);
120095+ xfrm_garbage_collect_deferred(net);
120096 return (dst_entries_get_slow(ops) > ops->gc_thresh * 2);
120097 }
120098
120099@@ -268,19 +268,18 @@ static struct ctl_table xfrm4_policy_table[] = {
120100
120101 static int __net_init xfrm4_net_init(struct net *net)
120102 {
120103- struct ctl_table *table;
120104+ ctl_table_no_const *table = NULL;
120105 struct ctl_table_header *hdr;
120106
120107- table = xfrm4_policy_table;
120108 if (!net_eq(net, &init_net)) {
120109- table = kmemdup(table, sizeof(xfrm4_policy_table), GFP_KERNEL);
120110+ table = kmemdup(xfrm4_policy_table, sizeof(xfrm4_policy_table), GFP_KERNEL);
120111 if (!table)
120112 goto err_alloc;
120113
120114 table[0].data = &net->xfrm.xfrm4_dst_ops.gc_thresh;
120115- }
120116-
120117- hdr = register_net_sysctl(net, "net/ipv4", table);
120118+ hdr = register_net_sysctl(net, "net/ipv4", table);
120119+ } else
120120+ hdr = register_net_sysctl(net, "net/ipv4", xfrm4_policy_table);
120121 if (!hdr)
120122 goto err_reg;
120123
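Review bot: The rewritten branch in xfrm4_net_init() closes a braced `if` block with `} else` followed by an unbraced statement; kernel coding style asks for braces on both branches once one of them needs them, i.e. `} else {` around the `hdr = register_net_sysctl(net, "net/ipv4", xfrm4_policy_table);` line. The unconditional `kfree(table)` under `err_reg` in the following hunk is correct only because `table` starts as NULL and is never assigned on the init_net path, which is worth a one-line comment there: `/* table stays NULL for init_net; kfree(NULL) is a no-op */`. The same two remarks apply to nf_ct_frag6_sysctl_register(), ip6_frags_ns_sysctl_register() and xfrm6_net_init() later in this patch.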
120124@@ -288,8 +287,7 @@ static int __net_init xfrm4_net_init(struct net *net)
120125 return 0;
120126
120127 err_reg:
120128- if (!net_eq(net, &init_net))
120129- kfree(table);
120130+ kfree(table);
120131 err_alloc:
120132 return -ENOMEM;
120133 }
120134diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
120135index 21c2c81..373c1ba 100644
120136--- a/net/ipv6/addrconf.c
120137+++ b/net/ipv6/addrconf.c
120138@@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
120139 .hop_limit = IPV6_DEFAULT_HOPLIMIT,
120140 .mtu6 = IPV6_MIN_MTU,
120141 .accept_ra = 1,
120142- .accept_redirects = 1,
120143+ .accept_redirects = 0,
120144 .autoconf = 1,
120145 .force_mld_version = 0,
120146 .mldv1_unsolicited_report_interval = 10 * HZ,
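Review bot: Flipping `.accept_redirects` to 0 in `ipv6_devconf` (and in `ipv6_devconf_dflt` in the next hunk) changes a user-visible default without leaving any trace in the code. ICMPv6 redirects are unauthenticated, so refusing them by default is a reasonable hardening choice, but hosts that rely on redirects for next-hop selection will behave differently after this patch. A comment on the initializer, e.g. `/* hardening: ignore ICMPv6 redirects unless enabled via sysctl */`, and a matching update of the sysctl documentation would make the deviation from the previous default discoverable. Both initializers extend beyond their hunks.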
120147@@ -219,7 +219,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
120148 .hop_limit = IPV6_DEFAULT_HOPLIMIT,
120149 .mtu6 = IPV6_MIN_MTU,
120150 .accept_ra = 1,
120151- .accept_redirects = 1,
120152+ .accept_redirects = 0,
120153 .autoconf = 1,
120154 .force_mld_version = 0,
120155 .mldv1_unsolicited_report_interval = 10 * HZ,
120156@@ -620,7 +620,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
120157 idx = 0;
120158 head = &net->dev_index_head[h];
120159 rcu_read_lock();
120160- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^
120161+ cb->seq = atomic_read_unchecked(&net->ipv6.dev_addr_genid) ^
120162 net->dev_base_seq;
120163 hlist_for_each_entry_rcu(dev, head, index_hlist) {
120164 if (idx < s_idx)
120165@@ -2508,7 +2508,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
120166 p.iph.ihl = 5;
120167 p.iph.protocol = IPPROTO_IPV6;
120168 p.iph.ttl = 64;
120169- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
120170+ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
120171
120172 if (ops->ndo_do_ioctl) {
120173 mm_segment_t oldfs = get_fs();
120174@@ -3774,16 +3774,23 @@ static const struct file_operations if6_fops = {
120175 .release = seq_release_net,
120176 };
120177
120178+extern void register_ipv6_seq_ops_addr(struct seq_operations *addr);
120179+extern void unregister_ipv6_seq_ops_addr(void);
120180+
120181 static int __net_init if6_proc_net_init(struct net *net)
120182 {
120183- if (!proc_create("if_inet6", S_IRUGO, net->proc_net, &if6_fops))
120184+ register_ipv6_seq_ops_addr(&if6_seq_ops);
120185+ if (!proc_create("if_inet6", S_IRUGO, net->proc_net, &if6_fops)) {
120186+ unregister_ipv6_seq_ops_addr();
120187 return -ENOMEM;
120188+ }
120189 return 0;
120190 }
120191
120192 static void __net_exit if6_proc_net_exit(struct net *net)
120193 {
120194 remove_proc_entry("if_inet6", net->proc_net);
120195+ unregister_ipv6_seq_ops_addr();
120196 }
120197
120198 static struct pernet_operations if6_proc_net_ops = {
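Review bot: `register_ipv6_seq_ops_addr()` and `unregister_ipv6_seq_ops_addr()` take no `struct net` argument, yet they are called from the per-namespace init and exit handlers if6_proc_net_init() and if6_proc_net_exit(). If they manage a single global pointer, as the signatures suggest, tearing down any one network namespace clears the registration for every other namespace, including the initial one. Restricting both calls to the initial namespace, e.g. `if (net_eq(net, &init_net)) unregister_ipv6_seq_ops_addr();`, or making the registration counted would avoid that; the implementation is not visible here, so this needs checking against the definition. The two prototypes would also be better placed in a shared header than declared `extern` in this file.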
120199@@ -4402,7 +4409,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
120200 s_ip_idx = ip_idx = cb->args[2];
120201
120202 rcu_read_lock();
120203- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq;
120204+ cb->seq = atomic_read_unchecked(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq;
120205 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
120206 idx = 0;
120207 head = &net->dev_index_head[h];
120208@@ -5059,7 +5066,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
120209 rt_genid_bump_ipv6(net);
120210 break;
120211 }
120212- atomic_inc(&net->ipv6.dev_addr_genid);
120213+ atomic_inc_unchecked(&net->ipv6.dev_addr_genid);
120214 }
120215
120216 static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
120217@@ -5079,7 +5086,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
120218 int *valp = ctl->data;
120219 int val = *valp;
120220 loff_t pos = *ppos;
120221- struct ctl_table lctl;
120222+ ctl_table_no_const lctl;
120223 int ret;
120224
120225 /*
120226@@ -5104,7 +5111,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
120227 {
120228 struct inet6_dev *idev = ctl->extra1;
120229 int min_mtu = IPV6_MIN_MTU;
120230- struct ctl_table lctl;
120231+ ctl_table_no_const lctl;
120232
120233 lctl = *ctl;
120234 lctl.extra1 = &min_mtu;
120235@@ -5179,7 +5186,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
120236 int *valp = ctl->data;
120237 int val = *valp;
120238 loff_t pos = *ppos;
120239- struct ctl_table lctl;
120240+ ctl_table_no_const lctl;
120241 int ret;
120242
120243 /*
120244@@ -5244,7 +5251,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
120245 int err;
120246 struct in6_addr addr;
120247 char str[IPV6_MAX_STRLEN];
120248- struct ctl_table lctl = *ctl;
120249+ ctl_table_no_const lctl = *ctl;
120250 struct net *net = ctl->extra2;
120251 struct ipv6_stable_secret *secret = ctl->data;
120252
120253diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
120254index 7de52b6..ce7fb94 100644
120255--- a/net/ipv6/af_inet6.c
120256+++ b/net/ipv6/af_inet6.c
120257@@ -770,7 +770,7 @@ static int __net_init inet6_net_init(struct net *net)
120258 net->ipv6.sysctl.idgen_retries = 3;
120259 net->ipv6.sysctl.idgen_delay = 1 * HZ;
120260 net->ipv6.sysctl.flowlabel_state_ranges = 1;
120261- atomic_set(&net->ipv6.fib6_sernum, 1);
120262+ atomic_set_unchecked(&net->ipv6.fib6_sernum, 1);
120263
120264 err = ipv6_init_mibs(net);
120265 if (err)
120266diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
120267index b10a889..e881e1f 100644
120268--- a/net/ipv6/datagram.c
120269+++ b/net/ipv6/datagram.c
120270@@ -977,5 +977,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
120271 0,
120272 sock_i_ino(sp),
120273 atomic_read(&sp->sk_refcnt), sp,
120274- atomic_read(&sp->sk_drops));
120275+ atomic_read_unchecked(&sp->sk_drops));
120276 }
120277diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
120278index 713d743..8eec687 100644
120279--- a/net/ipv6/icmp.c
120280+++ b/net/ipv6/icmp.c
120281@@ -1004,7 +1004,7 @@ static struct ctl_table ipv6_icmp_table_template[] = {
120282
120283 struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
120284 {
120285- struct ctl_table *table;
120286+ ctl_table_no_const *table;
120287
120288 table = kmemdup(ipv6_icmp_table_template,
120289 sizeof(ipv6_icmp_table_template),
120290diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
120291index 548c623..bc8ec4f 100644
120292--- a/net/ipv6/ip6_fib.c
120293+++ b/net/ipv6/ip6_fib.c
120294@@ -99,9 +99,9 @@ static int fib6_new_sernum(struct net *net)
120295 int new, old;
120296
120297 do {
120298- old = atomic_read(&net->ipv6.fib6_sernum);
120299+ old = atomic_read_unchecked(&net->ipv6.fib6_sernum);
120300 new = old < INT_MAX ? old + 1 : 1;
120301- } while (atomic_cmpxchg(&net->ipv6.fib6_sernum,
120302+ } while (atomic_cmpxchg_unchecked(&net->ipv6.fib6_sernum,
120303 old, new) != old);
120304 return new;
120305 }
120306diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
120307index 69f4f68..1f97524 100644
120308--- a/net/ipv6/ip6_gre.c
120309+++ b/net/ipv6/ip6_gre.c
120310@@ -71,8 +71,8 @@ struct ip6gre_net {
120311 struct net_device *fb_tunnel_dev;
120312 };
120313
120314-static struct rtnl_link_ops ip6gre_link_ops __read_mostly;
120315-static struct rtnl_link_ops ip6gre_tap_ops __read_mostly;
120316+static struct rtnl_link_ops ip6gre_link_ops;
120317+static struct rtnl_link_ops ip6gre_tap_ops;
120318 static int ip6gre_tunnel_init(struct net_device *dev);
120319 static void ip6gre_tunnel_setup(struct net_device *dev);
120320 static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t);
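Review bot: The `__read_mostly` annotation is dropped from the forward declarations of `ip6gre_link_ops` and `ip6gre_tap_ops` here, and from their definitions and from `ip6gre_protocol` in the following hunks, with no stated reason. The same removal is made for `ip6_link_ops`, `vti6_link_ops` and `sit_link_ops` elsewhere in this patch. Presumably the section attribute conflicts with placing these operation tables in read-only memory, but nothing in the visible hunks says so. A one-line comment at one of the definitions, stating why the annotation must stay off, would keep it from being re-added during a later merge.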
120321@@ -1281,7 +1281,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev)
120322 }
120323
120324
120325-static struct inet6_protocol ip6gre_protocol __read_mostly = {
120326+static struct inet6_protocol ip6gre_protocol = {
120327 .handler = ip6gre_rcv,
120328 .err_handler = ip6gre_err,
120329 .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
120330@@ -1640,7 +1640,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = {
120331 [IFLA_GRE_FLAGS] = { .type = NLA_U32 },
120332 };
120333
120334-static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
120335+static struct rtnl_link_ops ip6gre_link_ops = {
120336 .kind = "ip6gre",
120337 .maxtype = IFLA_GRE_MAX,
120338 .policy = ip6gre_policy,
120339@@ -1655,7 +1655,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
120340 .get_link_net = ip6_tnl_get_link_net,
120341 };
120342
120343-static struct rtnl_link_ops ip6gre_tap_ops __read_mostly = {
120344+static struct rtnl_link_ops ip6gre_tap_ops = {
120345 .kind = "ip6gretap",
120346 .maxtype = IFLA_GRE_MAX,
120347 .policy = ip6gre_policy,
120348diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
120349index 2e67b66..b816b34 100644
120350--- a/net/ipv6/ip6_tunnel.c
120351+++ b/net/ipv6/ip6_tunnel.c
120352@@ -80,7 +80,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
120353
120354 static int ip6_tnl_dev_init(struct net_device *dev);
120355 static void ip6_tnl_dev_setup(struct net_device *dev);
120356-static struct rtnl_link_ops ip6_link_ops __read_mostly;
120357+static struct rtnl_link_ops ip6_link_ops;
120358
120359 static int ip6_tnl_net_id __read_mostly;
120360 struct ip6_tnl_net {
120361@@ -1776,7 +1776,7 @@ static const struct nla_policy ip6_tnl_policy[IFLA_IPTUN_MAX + 1] = {
120362 [IFLA_IPTUN_PROTO] = { .type = NLA_U8 },
120363 };
120364
120365-static struct rtnl_link_ops ip6_link_ops __read_mostly = {
120366+static struct rtnl_link_ops ip6_link_ops = {
120367 .kind = "ip6tnl",
120368 .maxtype = IFLA_IPTUN_MAX,
120369 .policy = ip6_tnl_policy,
120370diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
120371index 0224c03..c5ec3d9 100644
120372--- a/net/ipv6/ip6_vti.c
120373+++ b/net/ipv6/ip6_vti.c
120374@@ -62,7 +62,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
120375
120376 static int vti6_dev_init(struct net_device *dev);
120377 static void vti6_dev_setup(struct net_device *dev);
120378-static struct rtnl_link_ops vti6_link_ops __read_mostly;
120379+static struct rtnl_link_ops vti6_link_ops;
120380
120381 static int vti6_net_id __read_mostly;
120382 struct vti6_net {
120383@@ -1019,7 +1019,7 @@ static const struct nla_policy vti6_policy[IFLA_VTI_MAX + 1] = {
120384 [IFLA_VTI_OKEY] = { .type = NLA_U32 },
120385 };
120386
120387-static struct rtnl_link_ops vti6_link_ops __read_mostly = {
120388+static struct rtnl_link_ops vti6_link_ops = {
120389 .kind = "vti6",
120390 .maxtype = IFLA_VTI_MAX,
120391 .policy = vti6_policy,
120392diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
120393index 63e6956..ebbbcf6 100644
120394--- a/net/ipv6/ipv6_sockglue.c
120395+++ b/net/ipv6/ipv6_sockglue.c
120396@@ -1015,7 +1015,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
120397 if (sk->sk_type != SOCK_STREAM)
120398 return -ENOPROTOOPT;
120399
120400- msg.msg_control = optval;
120401+ msg.msg_control = (void __force_kernel *)optval;
120402 msg.msg_controllen = len;
120403 msg.msg_flags = flags;
120404
120405diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
120406index 3c35ced..2e6882f 100644
120407--- a/net/ipv6/netfilter/ip6_tables.c
120408+++ b/net/ipv6/netfilter/ip6_tables.c
120409@@ -1086,14 +1086,14 @@ static int compat_table_info(const struct xt_table_info *info,
120410 #endif
120411
120412 static int get_info(struct net *net, void __user *user,
120413- const int *len, int compat)
120414+ int len, int compat)
120415 {
120416 char name[XT_TABLE_MAXNAMELEN];
120417 struct xt_table *t;
120418 int ret;
120419
120420- if (*len != sizeof(struct ip6t_getinfo)) {
120421- duprintf("length %u != %zu\n", *len,
120422+ if (len != sizeof(struct ip6t_getinfo)) {
120423+ duprintf("length %u != %zu\n", len,
120424 sizeof(struct ip6t_getinfo));
120425 return -EINVAL;
120426 }
120427@@ -1130,7 +1130,7 @@ static int get_info(struct net *net, void __user *user,
120428 info.size = private->size;
120429 strcpy(info.name, name);
120430
120431- if (copy_to_user(user, &info, *len) != 0)
120432+ if (copy_to_user(user, &info, len) != 0)
120433 ret = -EFAULT;
120434 else
120435 ret = 0;
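Review bot: With `len` now passed by value, `copy_to_user(user, &info, len)` is bounded only by the equality check against `sizeof(struct ip6t_getinfo)` at the top of get_info(), which sits in the previous hunk. Using the size of the object being copied, `if (copy_to_user(user, &info, sizeof(info)) != 0)`, keeps the bound next to the copy and stays correct if the early check is ever relaxed. The `duprintf` in the previous hunk also formats the signed `len` with `%u`; `%d` matches the new parameter type. get_info() spans both hunks and the code between them is not visible.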
120436@@ -1978,7 +1978,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
120437
120438 switch (cmd) {
120439 case IP6T_SO_GET_INFO:
120440- ret = get_info(sock_net(sk), user, len, 1);
120441+ ret = get_info(sock_net(sk), user, *len, 1);
120442 break;
120443 case IP6T_SO_GET_ENTRIES:
120444 ret = compat_get_entries(sock_net(sk), user, len);
120445@@ -2025,7 +2025,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
120446
120447 switch (cmd) {
120448 case IP6T_SO_GET_INFO:
120449- ret = get_info(sock_net(sk), user, len, 0);
120450+ ret = get_info(sock_net(sk), user, *len, 0);
120451 break;
120452
120453 case IP6T_SO_GET_ENTRIES:
120454diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
120455index 6d02498..55e564f 100644
120456--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
120457+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
120458@@ -96,12 +96,11 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
120459
120460 static int nf_ct_frag6_sysctl_register(struct net *net)
120461 {
120462- struct ctl_table *table;
120463+ ctl_table_no_const *table = NULL;
120464 struct ctl_table_header *hdr;
120465
120466- table = nf_ct_frag6_sysctl_table;
120467 if (!net_eq(net, &init_net)) {
120468- table = kmemdup(table, sizeof(nf_ct_frag6_sysctl_table),
120469+ table = kmemdup(nf_ct_frag6_sysctl_table, sizeof(nf_ct_frag6_sysctl_table),
120470 GFP_KERNEL);
120471 if (table == NULL)
120472 goto err_alloc;
120473@@ -112,9 +111,9 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
120474 table[2].data = &net->nf_frag.frags.high_thresh;
120475 table[2].extra1 = &net->nf_frag.frags.low_thresh;
120476 table[2].extra2 = &init_net.nf_frag.frags.high_thresh;
120477- }
120478-
120479- hdr = register_net_sysctl(net, "net/netfilter", table);
120480+ hdr = register_net_sysctl(net, "net/netfilter", table);
120481+ } else
120482+ hdr = register_net_sysctl(net, "net/netfilter", nf_ct_frag6_sysctl_table);
120483 if (hdr == NULL)
120484 goto err_reg;
120485
120486@@ -122,8 +121,7 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
120487 return 0;
120488
120489 err_reg:
120490- if (!net_eq(net, &init_net))
120491- kfree(table);
120492+ kfree(table);
120493 err_alloc:
120494 return -ENOMEM;
120495 }
120496diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
120497index 263a516..692f738 100644
120498--- a/net/ipv6/ping.c
120499+++ b/net/ipv6/ping.c
120500@@ -240,6 +240,24 @@ static struct pernet_operations ping_v6_net_ops = {
120501 };
120502 #endif
120503
120504+static struct pingv6_ops real_pingv6_ops = {
120505+ .ipv6_recv_error = ipv6_recv_error,
120506+ .ip6_datagram_recv_common_ctl = ip6_datagram_recv_common_ctl,
120507+ .ip6_datagram_recv_specific_ctl = ip6_datagram_recv_specific_ctl,
120508+ .icmpv6_err_convert = icmpv6_err_convert,
120509+ .ipv6_icmp_error = ipv6_icmp_error,
120510+ .ipv6_chk_addr = ipv6_chk_addr,
120511+};
120512+
120513+static struct pingv6_ops dummy_pingv6_ops = {
120514+ .ipv6_recv_error = dummy_ipv6_recv_error,
120515+ .ip6_datagram_recv_common_ctl = dummy_ip6_datagram_recv_ctl,
120516+ .ip6_datagram_recv_specific_ctl = dummy_ip6_datagram_recv_ctl,
120517+ .icmpv6_err_convert = dummy_icmpv6_err_convert,
120518+ .ipv6_icmp_error = dummy_ipv6_icmp_error,
120519+ .ipv6_chk_addr = dummy_ipv6_chk_addr,
120520+};
120521+
120522 int __init pingv6_init(void)
120523 {
120524 #ifdef CONFIG_PROC_FS
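Review bot: `real_pingv6_ops` and `dummy_pingv6_ops` are fully initialised at build time and, in the visible hunks, only ever have their address taken, so they could be declared `static const`, provided `pingv6_ops` is a pointer to const. That declaration is outside this section and needs checking. Making the tables const puts the function pointers in read-only data, which fits the move away from patching individual members at run time: `static const struct pingv6_ops real_pingv6_ops = {`. The same qualifier would apply to `dummy_pingv6_ops`.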
120525@@ -247,13 +265,7 @@ int __init pingv6_init(void)
120526 if (ret)
120527 return ret;
120528 #endif
120529- pingv6_ops.ipv6_recv_error = ipv6_recv_error;
120530- pingv6_ops.ip6_datagram_recv_common_ctl = ip6_datagram_recv_common_ctl;
120531- pingv6_ops.ip6_datagram_recv_specific_ctl =
120532- ip6_datagram_recv_specific_ctl;
120533- pingv6_ops.icmpv6_err_convert = icmpv6_err_convert;
120534- pingv6_ops.ipv6_icmp_error = ipv6_icmp_error;
120535- pingv6_ops.ipv6_chk_addr = ipv6_chk_addr;
120536+ pingv6_ops = &real_pingv6_ops;
120537 return inet6_register_protosw(&pingv6_protosw);
120538 }
120539
120540@@ -262,14 +274,9 @@ int __init pingv6_init(void)
120541 */
120542 void pingv6_exit(void)
120543 {
120544- pingv6_ops.ipv6_recv_error = dummy_ipv6_recv_error;
120545- pingv6_ops.ip6_datagram_recv_common_ctl = dummy_ip6_datagram_recv_ctl;
120546- pingv6_ops.ip6_datagram_recv_specific_ctl = dummy_ip6_datagram_recv_ctl;
120547- pingv6_ops.icmpv6_err_convert = dummy_icmpv6_err_convert;
120548- pingv6_ops.ipv6_icmp_error = dummy_ipv6_icmp_error;
120549- pingv6_ops.ipv6_chk_addr = dummy_ipv6_chk_addr;
120550 #ifdef CONFIG_PROC_FS
120551 unregister_pernet_subsys(&ping_v6_net_ops);
120552 #endif
120553+ pingv6_ops = &dummy_pingv6_ops;
120554 inet6_unregister_protosw(&pingv6_protosw);
120555 }
120556diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
120557index 679253d0..70b653c 100644
120558--- a/net/ipv6/proc.c
120559+++ b/net/ipv6/proc.c
120560@@ -310,7 +310,7 @@ static int __net_init ipv6_proc_init_net(struct net *net)
120561 if (!proc_create("snmp6", S_IRUGO, net->proc_net, &snmp6_seq_fops))
120562 goto proc_snmp6_fail;
120563
120564- net->mib.proc_net_devsnmp6 = proc_mkdir("dev_snmp6", net->proc_net);
120565+ net->mib.proc_net_devsnmp6 = proc_mkdir_restrict("dev_snmp6", net->proc_net);
120566 if (!net->mib.proc_net_devsnmp6)
120567 goto proc_dev_snmp6_fail;
120568 return 0;
120569diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
120570index ca4700c..e44c0f9 100644
120571--- a/net/ipv6/raw.c
120572+++ b/net/ipv6/raw.c
120573@@ -388,7 +388,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
120574 {
120575 if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) &&
120576 skb_checksum_complete(skb)) {
120577- atomic_inc(&sk->sk_drops);
120578+ atomic_inc_unchecked(&sk->sk_drops);
120579 kfree_skb(skb);
120580 return NET_RX_DROP;
120581 }
120582@@ -416,7 +416,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
120583 struct raw6_sock *rp = raw6_sk(sk);
120584
120585 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
120586- atomic_inc(&sk->sk_drops);
120587+ atomic_inc_unchecked(&sk->sk_drops);
120588 kfree_skb(skb);
120589 return NET_RX_DROP;
120590 }
120591@@ -440,7 +440,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
120592
120593 if (inet->hdrincl) {
120594 if (skb_checksum_complete(skb)) {
120595- atomic_inc(&sk->sk_drops);
120596+ atomic_inc_unchecked(&sk->sk_drops);
120597 kfree_skb(skb);
120598 return NET_RX_DROP;
120599 }
120600@@ -608,7 +608,7 @@ out:
120601 return err;
120602 }
120603
120604-static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
120605+static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, unsigned int length,
120606 struct flowi6 *fl6, struct dst_entry **dstp,
120607 unsigned int flags)
120608 {
120609@@ -916,12 +916,15 @@ do_confirm:
120610 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
120611 char __user *optval, int optlen)
120612 {
120613+ struct icmp6_filter filter;
120614+
120615 switch (optname) {
120616 case ICMPV6_FILTER:
120617 if (optlen > sizeof(struct icmp6_filter))
120618 optlen = sizeof(struct icmp6_filter);
120619- if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
120620+ if (copy_from_user(&filter, optval, optlen))
120621 return -EFAULT;
120622+ raw6_sk(sk)->filter = filter;
120623 return 0;
120624 default:
120625 return -ENOPROTOOPT;
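Review bot: When `optlen` is smaller than `sizeof(struct icmp6_filter)`, `copy_from_user(&filter, optval, optlen)` fills only the first `optlen` bytes of the new stack variable, and `raw6_sk(sk)->filter = filter;` then stores the whole struct, uninitialised tail included. The old code wrote in place, so a short option left the rest of the socket's filter unchanged; the new code replaces it with stack contents, which rawv6_geticmpfilter() can later copy back to user space. Seeding the local copy from the current value keeps the old semantics and removes the uninitialised read: `filter = raw6_sk(sk)->filter;` placed before the `copy_from_user()` call. The closing lines of rawv6_seticmpfilter() are outside the hunk.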
120626@@ -934,6 +937,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
120627 char __user *optval, int __user *optlen)
120628 {
120629 int len;
120630+ struct icmp6_filter filter;
120631
120632 switch (optname) {
120633 case ICMPV6_FILTER:
120634@@ -945,7 +949,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
120635 len = sizeof(struct icmp6_filter);
120636 if (put_user(len, optlen))
120637 return -EFAULT;
120638- if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
120639+ filter = raw6_sk(sk)->filter;
120640+ if (len > sizeof filter || copy_to_user(optval, &filter, len))
120641 return -EFAULT;
120642 return 0;
120643 default:
120644diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
120645index f1159bb..0db5dad 100644
120646--- a/net/ipv6/reassembly.c
120647+++ b/net/ipv6/reassembly.c
120648@@ -626,12 +626,11 @@ static struct ctl_table ip6_frags_ctl_table[] = {
120649
120650 static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
120651 {
120652- struct ctl_table *table;
120653+ ctl_table_no_const *table = NULL;
120654 struct ctl_table_header *hdr;
120655
120656- table = ip6_frags_ns_ctl_table;
120657 if (!net_eq(net, &init_net)) {
120658- table = kmemdup(table, sizeof(ip6_frags_ns_ctl_table), GFP_KERNEL);
120659+ table = kmemdup(ip6_frags_ns_ctl_table, sizeof(ip6_frags_ns_ctl_table), GFP_KERNEL);
120660 if (!table)
120661 goto err_alloc;
120662
120663@@ -645,9 +644,10 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
120664 /* Don't export sysctls to unprivileged users */
120665 if (net->user_ns != &init_user_ns)
120666 table[0].procname = NULL;
120667- }
120668+ hdr = register_net_sysctl(net, "net/ipv6", table);
120669+ } else
120670+ hdr = register_net_sysctl(net, "net/ipv6", ip6_frags_ns_ctl_table);
120671
120672- hdr = register_net_sysctl(net, "net/ipv6", table);
120673 if (!hdr)
120674 goto err_reg;
120675
120676@@ -655,8 +655,7 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
120677 return 0;
120678
120679 err_reg:
120680- if (!net_eq(net, &init_net))
120681- kfree(table);
120682+ kfree(table);
120683 err_alloc:
120684 return -ENOMEM;
120685 }
120686diff --git a/net/ipv6/route.c b/net/ipv6/route.c
120687index 00b64d4..da5099e 100644
120688--- a/net/ipv6/route.c
120689+++ b/net/ipv6/route.c
120690@@ -3430,7 +3430,7 @@ struct ctl_table ipv6_route_table_template[] = {
120691
120692 struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
120693 {
120694- struct ctl_table *table;
120695+ ctl_table_no_const *table;
120696
120697 table = kmemdup(ipv6_route_table_template,
120698 sizeof(ipv6_route_table_template),
120699diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
120700index ac35a28..070cc8c 100644
120701--- a/net/ipv6/sit.c
120702+++ b/net/ipv6/sit.c
120703@@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev);
120704 static void ipip6_dev_free(struct net_device *dev);
120705 static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
120706 __be32 *v4dst);
120707-static struct rtnl_link_ops sit_link_ops __read_mostly;
120708+static struct rtnl_link_ops sit_link_ops;
120709
120710 static int sit_net_id __read_mostly;
120711 struct sit_net {
120712@@ -1749,7 +1749,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head)
120713 unregister_netdevice_queue(dev, head);
120714 }
120715
120716-static struct rtnl_link_ops sit_link_ops __read_mostly = {
120717+static struct rtnl_link_ops sit_link_ops = {
120718 .kind = "sit",
120719 .maxtype = IFLA_IPTUN_MAX,
120720 .policy = ipip6_policy,
120721diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
120722index 4e705ad..9ba8db8 100644
120723--- a/net/ipv6/sysctl_net_ipv6.c
120724+++ b/net/ipv6/sysctl_net_ipv6.c
120725@@ -99,7 +99,7 @@ static struct ctl_table ipv6_rotable[] = {
120726
120727 static int __net_init ipv6_sysctl_net_init(struct net *net)
120728 {
120729- struct ctl_table *ipv6_table;
120730+ ctl_table_no_const *ipv6_table;
120731 struct ctl_table *ipv6_route_table;
120732 struct ctl_table *ipv6_icmp_table;
120733 int err;
120734diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
120735index 7a6cea5..1a99e26 100644
120736--- a/net/ipv6/tcp_ipv6.c
120737+++ b/net/ipv6/tcp_ipv6.c
120738@@ -103,6 +103,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
120739 }
120740 }
120741
120742+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120743+extern int grsec_enable_blackhole;
120744+#endif
120745+
120746 static __u32 tcp_v6_init_sequence(const struct sk_buff *skb)
120747 {
120748 return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
120749@@ -1280,6 +1284,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
120750 return 0;
120751
120752 reset:
120753+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120754+ if (!grsec_enable_blackhole)
120755+#endif
120756 tcp_v6_send_reset(sk, skb);
120757 discard:
120758 if (opt_skb)
120759@@ -1389,12 +1396,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
120760
120761 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest,
120762 inet6_iif(skb));
120763- if (!sk)
120764+ if (!sk) {
120765+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120766+ ret = 1;
120767+#endif
120768 goto no_tcp_socket;
120769+ }
120770
120771 process:
120772- if (sk->sk_state == TCP_TIME_WAIT)
120773+ if (sk->sk_state == TCP_TIME_WAIT) {
120774+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120775+ ret = 2;
120776+#endif
120777 goto do_time_wait;
120778+ }
120779
120780 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
120781 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
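Review bot: `ret` is reused in tcp_v6_rcv() as a marker for which path reached `no_tcp_socket`, with the bare values 1 and 2 assigned under `#ifdef CONFIG_GRKERNSEC_BLACKHOLE`. Only `ret == 1` is tested in the later hunk near `bad_packet`, so the meaning of 2, and of any other value `ret` may hold at that point, has to be inferred. Named constants or a dedicated local, with a comment such as `/* 1: no socket found, 2: TIME_WAIT socket; only case 1 may be answered on loopback */`, would make the rule reviewable. Whether `ret` is assigned on every path that reaches the test cannot be seen from these hunks and should be confirmed, since tcp_v6_rcv() extends well beyond them.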
120782@@ -1446,6 +1461,10 @@ csum_error:
120783 bad_packet:
120784 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
120785 } else {
120786+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120787+ if (!grsec_enable_blackhole || (ret == 1 &&
120788+ (skb->dev->flags & IFF_LOOPBACK)))
120789+#endif
120790 tcp_v6_send_reset(NULL, skb);
120791 }
120792
120793diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
120794index e51fc3e..8f04229 100644
120795--- a/net/ipv6/udp.c
120796+++ b/net/ipv6/udp.c
120797@@ -76,6 +76,10 @@ static u32 udp6_ehashfn(const struct net *net,
120798 udp_ipv6_hash_secret + net_hash_mix(net));
120799 }
120800
120801+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120802+extern int grsec_enable_blackhole;
120803+#endif
120804+
120805 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
120806 {
120807 const struct in6_addr *sk2_rcv_saddr6 = inet6_rcv_saddr(sk2);
120808@@ -445,7 +449,7 @@ try_again:
120809 if (unlikely(err)) {
120810 trace_kfree_skb(skb, udpv6_recvmsg);
120811 if (!peeked) {
120812- atomic_inc(&sk->sk_drops);
120813+ atomic_inc_unchecked(&sk->sk_drops);
120814 if (is_udp4)
120815 UDP_INC_STATS_USER(sock_net(sk),
120816 UDP_MIB_INERRORS,
120817@@ -709,7 +713,7 @@ csum_error:
120818 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
120819 drop:
120820 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
120821- atomic_inc(&sk->sk_drops);
120822+ atomic_inc_unchecked(&sk->sk_drops);
120823 kfree_skb(skb);
120824 return -1;
120825 }
120826@@ -750,7 +754,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
120827 if (likely(!skb1))
120828 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
120829 if (!skb1) {
120830- atomic_inc(&sk->sk_drops);
120831+ atomic_inc_unchecked(&sk->sk_drops);
120832 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
120833 IS_UDPLITE(sk));
120834 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
120835@@ -934,6 +938,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
120836 goto csum_error;
120837
120838 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
120839+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120840+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
120841+#endif
120842 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
120843
120844 kfree_skb(skb);
120845diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
120846index ed0583c..606962a 100644
120847--- a/net/ipv6/xfrm6_policy.c
120848+++ b/net/ipv6/xfrm6_policy.c
120849@@ -174,7 +174,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
120850 return;
120851
120852 case IPPROTO_ICMPV6:
120853- if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
120854+ if (!onlyproto && (nh + offset + 2 < skb->data ||
120855+ pskb_may_pull(skb, nh + offset + 2 - skb->data))) {
120856 u8 *icmp;
120857
120858 nh = skb_network_header(skb);
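Review bot: The new `nh + offset + 2 < skb->data ||` test in the `IPPROTO_ICMPV6` case has no comment, and the reason it comes before `pskb_may_pull()` is not obvious. When the header lies before `skb->data`, the difference passed as the length is negative and becomes a huge value in `pskb_may_pull()`'s unsigned length argument, so the pull fails even though the bytes are already present. I would add `/* header already pulled (before skb->data): the length below would underflow */` above the condition. The `IPPROTO_MH` hunk that follows has the same shape with `+ 3` and needs the same comment. `_decode_session6` starts and ends outside both hunks.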
120859@@ -188,7 +189,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
120860 #if IS_ENABLED(CONFIG_IPV6_MIP6)
120861 case IPPROTO_MH:
120862 offset += ipv6_optlen(exthdr);
120863- if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
120864+ if (!onlyproto && (nh + offset + 3 < skb->data ||
120865+ pskb_may_pull(skb, nh + offset + 3 - skb->data))) {
120866 struct ip6_mh *mh;
120867
120868 nh = skb_network_header(skb);
120869@@ -211,11 +213,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
120870 }
120871 }
120872
120873-static inline int xfrm6_garbage_collect(struct dst_ops *ops)
120874+static int xfrm6_garbage_collect(struct dst_ops *ops)
120875 {
120876 struct net *net = container_of(ops, struct net, xfrm.xfrm6_dst_ops);
120877
120878- xfrm6_policy_afinfo.garbage_collect(net);
120879+ xfrm_garbage_collect_deferred(net);
120880 return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
120881 }
120882
120883@@ -322,19 +324,19 @@ static struct ctl_table xfrm6_policy_table[] = {
120884
120885 static int __net_init xfrm6_net_init(struct net *net)
120886 {
120887- struct ctl_table *table;
120888+ ctl_table_no_const *table = NULL;
120889 struct ctl_table_header *hdr;
120890
120891- table = xfrm6_policy_table;
120892 if (!net_eq(net, &init_net)) {
120893- table = kmemdup(table, sizeof(xfrm6_policy_table), GFP_KERNEL);
120894+ table = kmemdup(xfrm6_policy_table, sizeof(xfrm6_policy_table), GFP_KERNEL);
120895 if (!table)
120896 goto err_alloc;
120897
120898 table[0].data = &net->xfrm.xfrm6_dst_ops.gc_thresh;
120899- }
120900+ hdr = register_net_sysctl(net, "net/ipv6", table);
120901+ } else
120902+ hdr = register_net_sysctl(net, "net/ipv6", xfrm6_policy_table);
120903
120904- hdr = register_net_sysctl(net, "net/ipv6", table);
120905 if (!hdr)
120906 goto err_reg;
120907
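Review bot: The rewritten branch in `xfrm6_net_init` ends in `} else` followed by an unbraced statement, whereas kernel style braces both arms once one of them needs braces. I would write `} else {`, `hdr = register_net_sysctl(net, "net/ipv6", xfrm6_policy_table);`, `}`. The next hunk makes `kfree(table)` unconditional at `err_reg`, which is only safe because of the `= NULL` initializer added here. A short comment on the declaration, such as `/* stays NULL for init_net, so err_reg may kfree() it unconditionally */`, would protect that coupling from a later cleanup.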
120908@@ -342,8 +344,7 @@ static int __net_init xfrm6_net_init(struct net *net)
120909 return 0;
120910
120911 err_reg:
120912- if (!net_eq(net, &init_net))
120913- kfree(table);
120914+ kfree(table);
120915 err_alloc:
120916 return -ENOMEM;
120917 }
120918diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c
120919index c1d247e..9e5949d 100644
120920--- a/net/ipx/ipx_proc.c
120921+++ b/net/ipx/ipx_proc.c
120922@@ -289,7 +289,7 @@ int __init ipx_proc_init(void)
120923 struct proc_dir_entry *p;
120924 int rc = -ENOMEM;
120925
120926- ipx_proc_dir = proc_mkdir("ipx", init_net.proc_net);
120927+ ipx_proc_dir = proc_mkdir_restrict("ipx", init_net.proc_net);
120928
120929 if (!ipx_proc_dir)
120930 goto out;
120931diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
120932index 683346d..cb0e12d 100644
120933--- a/net/irda/ircomm/ircomm_tty.c
120934+++ b/net/irda/ircomm/ircomm_tty.c
120935@@ -310,10 +310,10 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
120936 add_wait_queue(&port->open_wait, &wait);
120937
120938 pr_debug("%s(%d):block_til_ready before block on %s open_count=%d\n",
120939- __FILE__, __LINE__, tty->driver->name, port->count);
120940+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
120941
120942 spin_lock_irqsave(&port->lock, flags);
120943- port->count--;
120944+ atomic_dec(&port->count);
120945 port->blocked_open++;
120946 spin_unlock_irqrestore(&port->lock, flags);
120947
120948@@ -348,7 +348,7 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
120949 }
120950
120951 pr_debug("%s(%d):block_til_ready blocking on %s open_count=%d\n",
120952- __FILE__, __LINE__, tty->driver->name, port->count);
120953+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
120954
120955 schedule();
120956 }
120957@@ -358,12 +358,12 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
120958
120959 spin_lock_irqsave(&port->lock, flags);
120960 if (!tty_hung_up_p(filp))
120961- port->count++;
120962+ atomic_inc(&port->count);
120963 port->blocked_open--;
120964 spin_unlock_irqrestore(&port->lock, flags);
120965
120966 pr_debug("%s(%d):block_til_ready after blocking on %s open_count=%d\n",
120967- __FILE__, __LINE__, tty->driver->name, port->count);
120968+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
120969
120970 if (!retval)
120971 port->flags |= ASYNC_NORMAL_ACTIVE;
120972@@ -433,12 +433,12 @@ static int ircomm_tty_open(struct tty_struct *tty, struct file *filp)
120973
120974 /* ++ is not atomic, so this should be protected - Jean II */
120975 spin_lock_irqsave(&self->port.lock, flags);
120976- self->port.count++;
120977+ atomic_inc(&self->port.count);
120978 spin_unlock_irqrestore(&self->port.lock, flags);
120979 tty_port_tty_set(&self->port, tty);
120980
120981 pr_debug("%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
120982- self->line, self->port.count);
120983+ self->line, atomic_read(&self->port.count));
120984
120985 /* Not really used by us, but lets do it anyway */
120986 self->port.low_latency = (self->port.flags & ASYNC_LOW_LATENCY) ? 1 : 0;
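Review bot: The context comment `/* ++ is not atomic, so this should be protected - Jean II */` in `ircomm_tty_open` is stale now that the line below it is `atomic_inc(&self->port.count)`. The increment is atomic by itself, so the comment no longer explains why `port.lock` is still taken around it. If the lock is kept to serialise with the `blocked_open` updates in `ircomm_tty_block_til_ready` and the reset in `ircomm_tty_hangup`, the comment should say so, for example `/* count is an atomic_t; lock kept to serialise with hangup and block_til_ready */`. Otherwise the lock/unlock pair here could be dropped. The function continues outside the hunk.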
120987@@ -961,7 +961,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty)
120988 tty_kref_put(port->tty);
120989 }
120990 port->tty = NULL;
120991- port->count = 0;
120992+ atomic_set(&port->count, 0);
120993 spin_unlock_irqrestore(&port->lock, flags);
120994
120995 wake_up_interruptible(&port->open_wait);
120996@@ -1308,7 +1308,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m)
120997 seq_putc(m, '\n');
120998
120999 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
121000- seq_printf(m, "Open count: %d\n", self->port.count);
121001+ seq_printf(m, "Open count: %d\n", atomic_read(&self->port.count));
121002 seq_printf(m, "Max data size: %d\n", self->max_data_size);
121003 seq_printf(m, "Max header size: %d\n", self->max_header_size);
121004
121005diff --git a/net/irda/irproc.c b/net/irda/irproc.c
121006index b9ac598..f88cc56 100644
121007--- a/net/irda/irproc.c
121008+++ b/net/irda/irproc.c
121009@@ -66,7 +66,7 @@ void __init irda_proc_register(void)
121010 {
121011 int i;
121012
121013- proc_irda = proc_mkdir("irda", init_net.proc_net);
121014+ proc_irda = proc_mkdir_restrict("irda", init_net.proc_net);
121015 if (proc_irda == NULL)
121016 return;
121017
121018diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
121019index 918151c..5bbe95a 100644
121020--- a/net/iucv/af_iucv.c
121021+++ b/net/iucv/af_iucv.c
121022@@ -686,10 +686,10 @@ static void __iucv_auto_name(struct iucv_sock *iucv)
121023 {
121024 char name[12];
121025
121026- sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
121027+ sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
121028 while (__iucv_get_sock_by_name(name)) {
121029 sprintf(name, "%08x",
121030- atomic_inc_return(&iucv_sk_list.autobind_name));
121031+ atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
121032 }
121033 memcpy(iucv->src_name, name, 8);
121034 }
121035diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
121036index 2a6a1fd..6c112b0 100644
121037--- a/net/iucv/iucv.c
121038+++ b/net/iucv/iucv.c
121039@@ -702,7 +702,7 @@ static int iucv_cpu_notify(struct notifier_block *self,
121040 return NOTIFY_OK;
121041 }
121042
121043-static struct notifier_block __refdata iucv_cpu_notifier = {
121044+static struct notifier_block iucv_cpu_notifier = {
121045 .notifier_call = iucv_cpu_notify,
121046 };
121047
121048diff --git a/net/key/af_key.c b/net/key/af_key.c
121049index 83a7068..facf2f0 100644
121050--- a/net/key/af_key.c
121051+++ b/net/key/af_key.c
121052@@ -3050,10 +3050,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
121053 static u32 get_acqseq(void)
121054 {
121055 u32 res;
121056- static atomic_t acqseq;
121057+ static atomic_unchecked_t acqseq;
121058
121059 do {
121060- res = atomic_inc_return(&acqseq);
121061+ res = atomic_inc_return_unchecked(&acqseq);
121062 } while (!res);
121063 return res;
121064 }
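Review bot: The switch to `atomic_unchecked_t` in `get_acqseq` is undocumented, so the next reader cannot tell a deliberate exemption from an oversight. The `do { ... } while (!res)` loop shows that wraparound is expected and that zero is skipped, so this is a sequence generator and not a reference count. A comment on the declaration would record that, for example `/* sequence number, wraps by design; not a refcount, so exempt from overflow checking */`.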
121065diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
121066index 4b55287..bd247f7 100644
121067--- a/net/l2tp/l2tp_eth.c
121068+++ b/net/l2tp/l2tp_eth.c
121069@@ -42,12 +42,12 @@ struct l2tp_eth {
121070 struct sock *tunnel_sock;
121071 struct l2tp_session *session;
121072 struct list_head list;
121073- atomic_long_t tx_bytes;
121074- atomic_long_t tx_packets;
121075- atomic_long_t tx_dropped;
121076- atomic_long_t rx_bytes;
121077- atomic_long_t rx_packets;
121078- atomic_long_t rx_errors;
121079+ atomic_long_unchecked_t tx_bytes;
121080+ atomic_long_unchecked_t tx_packets;
121081+ atomic_long_unchecked_t tx_dropped;
121082+ atomic_long_unchecked_t rx_bytes;
121083+ atomic_long_unchecked_t rx_packets;
121084+ atomic_long_unchecked_t rx_errors;
121085 };
121086
121087 /* via l2tp_session_priv() */
121088@@ -98,10 +98,10 @@ static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
121089 int ret = l2tp_xmit_skb(session, skb, session->hdr_len);
121090
121091 if (likely(ret == NET_XMIT_SUCCESS)) {
121092- atomic_long_add(len, &priv->tx_bytes);
121093- atomic_long_inc(&priv->tx_packets);
121094+ atomic_long_add_unchecked(len, &priv->tx_bytes);
121095+ atomic_long_inc_unchecked(&priv->tx_packets);
121096 } else {
121097- atomic_long_inc(&priv->tx_dropped);
121098+ atomic_long_inc_unchecked(&priv->tx_dropped);
121099 }
121100 return NETDEV_TX_OK;
121101 }
121102@@ -111,12 +111,12 @@ static struct rtnl_link_stats64 *l2tp_eth_get_stats64(struct net_device *dev,
121103 {
121104 struct l2tp_eth *priv = netdev_priv(dev);
121105
121106- stats->tx_bytes = atomic_long_read(&priv->tx_bytes);
121107- stats->tx_packets = atomic_long_read(&priv->tx_packets);
121108- stats->tx_dropped = atomic_long_read(&priv->tx_dropped);
121109- stats->rx_bytes = atomic_long_read(&priv->rx_bytes);
121110- stats->rx_packets = atomic_long_read(&priv->rx_packets);
121111- stats->rx_errors = atomic_long_read(&priv->rx_errors);
121112+ stats->tx_bytes = atomic_long_read_unchecked(&priv->tx_bytes);
121113+ stats->tx_packets = atomic_long_read_unchecked(&priv->tx_packets);
121114+ stats->tx_dropped = atomic_long_read_unchecked(&priv->tx_dropped);
121115+ stats->rx_bytes = atomic_long_read_unchecked(&priv->rx_bytes);
121116+ stats->rx_packets = atomic_long_read_unchecked(&priv->rx_packets);
121117+ stats->rx_errors = atomic_long_read_unchecked(&priv->rx_errors);
121118 return stats;
121119 }
121120
121121@@ -167,15 +167,15 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
121122 nf_reset(skb);
121123
121124 if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
121125- atomic_long_inc(&priv->rx_packets);
121126- atomic_long_add(data_len, &priv->rx_bytes);
121127+ atomic_long_inc_unchecked(&priv->rx_packets);
121128+ atomic_long_add_unchecked(data_len, &priv->rx_bytes);
121129 } else {
121130- atomic_long_inc(&priv->rx_errors);
121131+ atomic_long_inc_unchecked(&priv->rx_errors);
121132 }
121133 return;
121134
121135 error:
121136- atomic_long_inc(&priv->rx_errors);
121137+ atomic_long_inc_unchecked(&priv->rx_errors);
121138 kfree_skb(skb);
121139 }
121140
121141diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
121142index 7964993..2c48a3a 100644
121143--- a/net/l2tp/l2tp_ip.c
121144+++ b/net/l2tp/l2tp_ip.c
121145@@ -608,7 +608,7 @@ static struct inet_protosw l2tp_ip_protosw = {
121146 .ops = &l2tp_ip_ops,
121147 };
121148
121149-static struct net_protocol l2tp_ip_protocol __read_mostly = {
121150+static const struct net_protocol l2tp_ip_protocol = {
121151 .handler = l2tp_ip_recv,
121152 .netns_ok = 1,
121153 };
121154diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
121155index d1ded37..c0d1e49 100644
121156--- a/net/l2tp/l2tp_ip6.c
121157+++ b/net/l2tp/l2tp_ip6.c
121158@@ -755,7 +755,7 @@ static struct inet_protosw l2tp_ip6_protosw = {
121159 .ops = &l2tp_ip6_ops,
121160 };
121161
121162-static struct inet6_protocol l2tp_ip6_protocol __read_mostly = {
121163+static const struct inet6_protocol l2tp_ip6_protocol = {
121164 .handler = l2tp_ip6_recv,
121165 };
121166
121167diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c
121168index 1a3c7e0..80f8b0c 100644
121169--- a/net/llc/llc_proc.c
121170+++ b/net/llc/llc_proc.c
121171@@ -247,7 +247,7 @@ int __init llc_proc_init(void)
121172 int rc = -ENOMEM;
121173 struct proc_dir_entry *p;
121174
121175- llc_proc_dir = proc_mkdir("llc", init_net.proc_net);
121176+ llc_proc_dir = proc_mkdir_restrict("llc", init_net.proc_net);
121177 if (!llc_proc_dir)
121178 goto out;
121179
121180diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
121181index bf7023f..86a5bc6 100644
121182--- a/net/mac80211/cfg.c
121183+++ b/net/mac80211/cfg.c
121184@@ -580,7 +580,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
121185 ret = ieee80211_vif_use_channel(sdata, chandef,
121186 IEEE80211_CHANCTX_EXCLUSIVE);
121187 }
121188- } else if (local->open_count == local->monitors) {
121189+ } else if (local_read(&local->open_count) == local->monitors) {
121190 local->_oper_chandef = *chandef;
121191 ieee80211_hw_config(local, 0);
121192 }
121193@@ -3488,7 +3488,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
121194 else
121195 local->probe_req_reg--;
121196
121197- if (!local->open_count)
121198+ if (!local_read(&local->open_count))
121199 break;
121200
121201 ieee80211_queue_work(&local->hw, &local->reconfig_filter);
121202@@ -3637,8 +3637,8 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
121203 if (chanctx_conf) {
121204 *chandef = sdata->vif.bss_conf.chandef;
121205 ret = 0;
121206- } else if (local->open_count > 0 &&
121207- local->open_count == local->monitors &&
121208+ } else if (local_read(&local->open_count) > 0 &&
121209+ local_read(&local->open_count) == local->monitors &&
121210 sdata->vif.type == NL80211_IFTYPE_MONITOR) {
121211 if (local->use_chanctx)
121212 *chandef = local->monitor_chandef;
121213diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
121214index b12f615..a264a60 100644
121215--- a/net/mac80211/ieee80211_i.h
121216+++ b/net/mac80211/ieee80211_i.h
121217@@ -30,6 +30,7 @@
121218 #include <net/ieee80211_radiotap.h>
121219 #include <net/cfg80211.h>
121220 #include <net/mac80211.h>
121221+#include <asm/local.h>
121222 #include "key.h"
121223 #include "sta_info.h"
121224 #include "debug.h"
121225@@ -1112,7 +1113,7 @@ struct ieee80211_local {
121226 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
121227 spinlock_t queue_stop_reason_lock;
121228
121229- int open_count;
121230+ local_t open_count;
121231 int monitors, cooked_mntrs;
121232 /* number of interfaces with corresponding FIF_ flags */
121233 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
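Review bot: Changing `open_count` to `local_t` in `struct ieee80211_local` deserves a comment on the field, because `local_t` operations are atomic only with respect to the CPU that executes them. Nothing in this hunk shows the counter being per-CPU, so the type adds no cross-CPU guarantee over the old plain `int`. Correctness still depends on whatever lock already serialises the open and stop paths, presumably RTNL, to be confirmed against the callers. I would add `/* local_t is not SMP-atomic; updates are serialised by the caller */` above the field. `local_read()` returns `long`, which is why the `WARN` format string in iface.c changes to `%ld`.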
121234diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
121235index 553ac6d..d2480da 100644
121236--- a/net/mac80211/iface.c
121237+++ b/net/mac80211/iface.c
121238@@ -550,7 +550,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121239 break;
121240 }
121241
121242- if (local->open_count == 0) {
121243+ if (local_read(&local->open_count) == 0) {
121244 res = drv_start(local);
121245 if (res)
121246 goto err_del_bss;
121247@@ -597,7 +597,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121248 res = drv_add_interface(local, sdata);
121249 if (res)
121250 goto err_stop;
121251- } else if (local->monitors == 0 && local->open_count == 0) {
121252+ } else if (local->monitors == 0 && local_read(&local->open_count) == 0) {
121253 res = ieee80211_add_virtual_monitor(local);
121254 if (res)
121255 goto err_stop;
121256@@ -704,7 +704,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121257 atomic_inc(&local->iff_allmultis);
121258
121259 if (coming_up)
121260- local->open_count++;
121261+ local_inc(&local->open_count);
121262
121263 if (hw_reconf_flags)
121264 ieee80211_hw_config(local, hw_reconf_flags);
121265@@ -742,7 +742,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121266 err_del_interface:
121267 drv_remove_interface(local, sdata);
121268 err_stop:
121269- if (!local->open_count)
121270+ if (!local_read(&local->open_count))
121271 drv_stop(local);
121272 err_del_bss:
121273 sdata->bss = NULL;
121274@@ -909,7 +909,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
121275 }
121276
121277 if (going_down)
121278- local->open_count--;
121279+ local_dec(&local->open_count);
121280
121281 switch (sdata->vif.type) {
121282 case NL80211_IFTYPE_AP_VLAN:
121283@@ -978,7 +978,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
121284 atomic_set(&sdata->txqs_len[txqi->txq.ac], 0);
121285 }
121286
121287- if (local->open_count == 0)
121288+ if (local_read(&local->open_count) == 0)
121289 ieee80211_clear_tx_pending(local);
121290
121291 /*
121292@@ -1021,7 +1021,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
121293 if (cancel_scan)
121294 flush_delayed_work(&local->scan_work);
121295
121296- if (local->open_count == 0) {
121297+ if (local_read(&local->open_count) == 0) {
121298 ieee80211_stop_device(local);
121299
121300 /* no reconfiguring after stop! */
121301@@ -1032,7 +1032,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
121302 ieee80211_configure_filter(local);
121303 ieee80211_hw_config(local, hw_reconf_flags);
121304
121305- if (local->monitors == local->open_count)
121306+ if (local->monitors == local_read(&local->open_count))
121307 ieee80211_add_virtual_monitor(local);
121308 }
121309
121310@@ -1884,8 +1884,8 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
121311 */
121312 cfg80211_shutdown_all_interfaces(local->hw.wiphy);
121313
121314- WARN(local->open_count, "%s: open count remains %d\n",
121315- wiphy_name(local->hw.wiphy), local->open_count);
121316+ WARN(local_read(&local->open_count), "%s: open count remains %ld\n",
121317+ wiphy_name(local->hw.wiphy), local_read(&local->open_count));
121318
121319 mutex_lock(&local->iflist_mtx);
121320 list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
121321diff --git a/net/mac80211/main.c b/net/mac80211/main.c
121322index 3c63468..b5c285f 100644
121323--- a/net/mac80211/main.c
121324+++ b/net/mac80211/main.c
121325@@ -172,7 +172,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
121326 changed &= ~(IEEE80211_CONF_CHANGE_CHANNEL |
121327 IEEE80211_CONF_CHANGE_POWER);
121328
121329- if (changed && local->open_count) {
121330+ if (changed && local_read(&local->open_count)) {
121331 ret = drv_config(local, changed);
121332 /*
121333 * Goal:
121334diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
121335index b676b9f..395dd95 100644
121336--- a/net/mac80211/pm.c
121337+++ b/net/mac80211/pm.c
121338@@ -12,7 +12,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
121339 struct ieee80211_sub_if_data *sdata;
121340 struct sta_info *sta;
121341
121342- if (!local->open_count)
121343+ if (!local_read(&local->open_count))
121344 goto suspend;
121345
121346 ieee80211_scan_cancel(local);
121347@@ -166,7 +166,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
121348 WARN_ON(!list_empty(&local->chanctx_list));
121349
121350 /* stop hardware - this must stop RX */
121351- if (local->open_count)
121352+ if (local_read(&local->open_count))
121353 ieee80211_stop_device(local);
121354
121355 suspend:
121356diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
121357index fda33f9..0e7d4c0 100644
121358--- a/net/mac80211/rate.c
121359+++ b/net/mac80211/rate.c
121360@@ -730,7 +730,7 @@ int ieee80211_init_rate_ctrl_alg(struct ieee80211_local *local,
121361
121362 ASSERT_RTNL();
121363
121364- if (local->open_count)
121365+ if (local_read(&local->open_count))
121366 return -EBUSY;
121367
121368 if (ieee80211_hw_check(&local->hw, HAS_RATE_CONTROL)) {
121369diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
121370index 666ddac..0cad93b 100644
121371--- a/net/mac80211/sta_info.c
121372+++ b/net/mac80211/sta_info.c
121373@@ -341,7 +341,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
121374 int size = sizeof(struct txq_info) +
121375 ALIGN(hw->txq_data_size, sizeof(void *));
121376
121377- txq_data = kcalloc(ARRAY_SIZE(sta->sta.txq), size, gfp);
121378+ txq_data = kcalloc(size, ARRAY_SIZE(sta->sta.txq), gfp);
121379 if (!txq_data)
121380 goto free;
121381
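Review bot: The new call `kcalloc(size, ARRAY_SIZE(sta->sta.txq), gfp)` in `sta_info_alloc` passes the element size where the `kcalloc(n, size, flags)` signature expects the count, and the count where it expects the size. The product and its overflow check should be unaffected, but the reversed order reads as a mistake and invites a well-meaning revert. If the swap is deliberate, for example to suit a static-analysis pass elsewhere in the patch, a one-line comment such as `/* argument order swapped on purpose: <reason> */` should say so. The function starts and ends outside the hunk.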
121382diff --git a/net/mac80211/util.c b/net/mac80211/util.c
121383index 43e5aad..d117c3a 100644
121384--- a/net/mac80211/util.c
121385+++ b/net/mac80211/util.c
121386@@ -1761,7 +1761,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
121387 bool sched_scan_stopped = false;
121388
121389 /* nothing to do if HW shouldn't run */
121390- if (!local->open_count)
121391+ if (!local_read(&local->open_count))
121392 goto wake_up;
121393
121394 #ifdef CONFIG_PM
121395@@ -2033,7 +2033,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
121396 local->in_reconfig = false;
121397 barrier();
121398
121399- if (local->monitors == local->open_count && local->monitors > 0)
121400+ if (local->monitors == local_read(&local->open_count) && local->monitors > 0)
121401 ieee80211_add_virtual_monitor(local);
121402
121403 /*
121404@@ -2088,7 +2088,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
121405 * If this is for hw restart things are still running.
121406 * We may want to change that later, however.
121407 */
121408- if (local->open_count && (!local->suspended || reconfig_due_to_wowlan))
121409+ if (local_read(&local->open_count) && (!local->suspended || reconfig_due_to_wowlan))
121410 drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
121411
121412 if (!local->suspended)
121413@@ -2112,7 +2112,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
121414 flush_delayed_work(&local->scan_work);
121415 }
121416
121417- if (local->open_count && !reconfig_due_to_wowlan)
121418+ if (local_read(&local->open_count) && !reconfig_due_to_wowlan)
121419 drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_SUSPEND);
121420
121421 list_for_each_entry(sdata, &local->interfaces, list) {
121422diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
121423index 1f93a59..96faa29 100644
121424--- a/net/mpls/af_mpls.c
121425+++ b/net/mpls/af_mpls.c
121426@@ -456,7 +456,7 @@ static int mpls_dev_sysctl_register(struct net_device *dev,
121427 struct mpls_dev *mdev)
121428 {
121429 char path[sizeof("net/mpls/conf/") + IFNAMSIZ];
121430- struct ctl_table *table;
121431+ ctl_table_no_const *table;
121432 int i;
121433
121434 table = kmemdup(&mpls_dev_table, sizeof(mpls_dev_table), GFP_KERNEL);
121435@@ -1025,7 +1025,7 @@ static int mpls_platform_labels(struct ctl_table *table, int write,
121436 struct net *net = table->data;
121437 int platform_labels = net->mpls.platform_labels;
121438 int ret;
121439- struct ctl_table tmp = {
121440+ ctl_table_no_const tmp = {
121441 .procname = table->procname,
121442 .data = &platform_labels,
121443 .maxlen = sizeof(int),
121444@@ -1055,7 +1055,7 @@ static const struct ctl_table mpls_table[] = {
121445
121446 static int mpls_net_init(struct net *net)
121447 {
121448- struct ctl_table *table;
121449+ ctl_table_no_const *table;
121450
121451 net->mpls.platform_labels = 0;
121452 net->mpls.platform_label = NULL;
121453diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
121454index 6eae69a..ccccba8 100644
121455--- a/net/netfilter/Kconfig
121456+++ b/net/netfilter/Kconfig
121457@@ -1125,6 +1125,16 @@ config NETFILTER_XT_MATCH_ESP
121458
121459 To compile it as a module, choose M here. If unsure, say N.
121460
121461+config NETFILTER_XT_MATCH_GRADM
121462+ tristate '"gradm" match support'
121463+ depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
121464+ depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
121465+ ---help---
121466+ The gradm match allows to match on grsecurity RBAC being enabled.
121467+ It is useful when iptables rules are applied early on bootup to
121468+ prevent connections to the machine (except from a trusted host)
121469+ while the RBAC system is disabled.
121470+
121471 config NETFILTER_XT_MATCH_HASHLIMIT
121472 tristate '"hashlimit" match support'
121473 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
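Review bot: The help text for `NETFILTER_XT_MATCH_GRADM` lacks the closing line that the neighbouring entries carry; the ESP entry just above ends with "To compile it as a module, choose M here. If unsure, say N.". Since the option is a `tristate`, I would append the same line for consistency. The first sentence also reads better as `The gradm match lets rules match on whether grsecurity RBAC is enabled.`. Because the stated purpose is to block connections while RBAC is disabled, it would help to say that the rule set has to be loaded before the interfaces come up for that protection to hold.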
121474diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
121475index 70d026d..c400590 100644
121476--- a/net/netfilter/Makefile
121477+++ b/net/netfilter/Makefile
121478@@ -140,6 +140,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
121479 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
121480 obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
121481 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
121482+obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
121483 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
121484 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
121485 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
121486diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
121487index 338b404..839dcb0 100644
121488--- a/net/netfilter/ipset/ip_set_core.c
121489+++ b/net/netfilter/ipset/ip_set_core.c
121490@@ -1998,7 +1998,7 @@ done:
121491 return ret;
121492 }
121493
121494-static struct nf_sockopt_ops so_set __read_mostly = {
121495+static struct nf_sockopt_ops so_set = {
121496 .pf = PF_INET,
121497 .get_optmin = SO_IP_SET,
121498 .get_optmax = SO_IP_SET + 1,
121499diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
121500index b0f7b62..0541842 100644
121501--- a/net/netfilter/ipvs/ip_vs_conn.c
121502+++ b/net/netfilter/ipvs/ip_vs_conn.c
121503@@ -572,7 +572,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest)
121504 /* Increase the refcnt counter of the dest */
121505 ip_vs_dest_hold(dest);
121506
121507- conn_flags = atomic_read(&dest->conn_flags);
121508+ conn_flags = atomic_read_unchecked(&dest->conn_flags);
121509 if (cp->protocol != IPPROTO_UDP)
121510 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
121511 flags = cp->flags;
121512@@ -922,7 +922,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p, int dest_af,
121513
121514 cp->control = NULL;
121515 atomic_set(&cp->n_control, 0);
121516- atomic_set(&cp->in_pkts, 0);
121517+ atomic_set_unchecked(&cp->in_pkts, 0);
121518
121519 cp->packet_xmit = NULL;
121520 cp->app = NULL;
121521@@ -1229,7 +1229,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
121522
121523 /* Don't drop the entry if its number of incoming packets is not
121524 located in [0, 8] */
121525- i = atomic_read(&cp->in_pkts);
121526+ i = atomic_read_unchecked(&cp->in_pkts);
121527 if (i > 8 || i < 0) return 0;
121528
121529 if (!todrop_rate[i]) return 0;
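Review bot: Now that `in_pkts` is read with `atomic_read_unchecked()` in `todrop_entry`, the counter may wrap instead of trapping. The existing `if (i > 8 || i < 0) return 0;` is therefore the only thing keeping the `todrop_rate[i]` index in bounds. That dependency should be written down so the range check is not simplified away later, for example `/* in_pkts is an unchecked counter and may wrap negative; the range check bounds the todrop_rate[] index */`. The other `in_pkts` conversions in ip_vs_core.c, ip_vs_sync.c and ip_vs_xmit.c only count or compare the value, so the note applies here only.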
121530diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
121531index 38fbc19..4272cb4 100644
121532--- a/net/netfilter/ipvs/ip_vs_core.c
121533+++ b/net/netfilter/ipvs/ip_vs_core.c
121534@@ -586,7 +586,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
121535 ret = cp->packet_xmit(skb, cp, pd->pp, iph);
121536 /* do not touch skb anymore */
121537
121538- atomic_inc(&cp->in_pkts);
121539+ atomic_inc_unchecked(&cp->in_pkts);
121540 ip_vs_conn_put(cp);
121541 return ret;
121542 }
121543@@ -1762,7 +1762,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
121544 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
121545 pkts = sysctl_sync_threshold(ipvs);
121546 else
121547- pkts = atomic_add_return(1, &cp->in_pkts);
121548+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
121549
121550 if (ipvs->sync_state & IP_VS_STATE_MASTER)
121551 ip_vs_sync_conn(net, cp, pkts);
121552diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
121553index 24c5542..e9fd3e5 100644
121554--- a/net/netfilter/ipvs/ip_vs_ctl.c
121555+++ b/net/netfilter/ipvs/ip_vs_ctl.c
121556@@ -814,7 +814,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
121557 */
121558 ip_vs_rs_hash(ipvs, dest);
121559 }
121560- atomic_set(&dest->conn_flags, conn_flags);
121561+ atomic_set_unchecked(&dest->conn_flags, conn_flags);
121562
121563 /* bind the service */
121564 old_svc = rcu_dereference_protected(dest->svc, 1);
121565@@ -1694,7 +1694,7 @@ proc_do_sync_ports(struct ctl_table *table, int write,
121566 * align with netns init in ip_vs_control_net_init()
121567 */
121568
121569-static struct ctl_table vs_vars[] = {
121570+static ctl_table_no_const vs_vars[] __read_only = {
121571 {
121572 .procname = "amemthresh",
121573 .maxlen = sizeof(int),
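Review bot: Declaring `vs_vars` as `ctl_table_no_const ... __read_only` puts a table with a writable type into a section that is meant to be write-protected. The hunk does not show how the `init_net` path in `ip_vs_control_net_init_sysctl` fills in the per-namespace `.data` pointers. If that path still stores into `vs_vars` directly instead of into a `kmemdup()` copy, those stores must either happen before the section is sealed or go through the patch's write-enable mechanism. This needs checking against the function body, which is outside the hunk. A comment on the declaration stating which case applies would help, and the same question arises for the `vs_vars_table` declarations in ip_vs_lblc.c and ip_vs_lblcr.c.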
121574@@ -2036,7 +2036,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
121575 " %-7s %-6d %-10d %-10d\n",
121576 &dest->addr.in6,
121577 ntohs(dest->port),
121578- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
121579+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
121580 atomic_read(&dest->weight),
121581 atomic_read(&dest->activeconns),
121582 atomic_read(&dest->inactconns));
121583@@ -2047,7 +2047,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
121584 "%-7s %-6d %-10d %-10d\n",
121585 ntohl(dest->addr.ip),
121586 ntohs(dest->port),
121587- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
121588+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
121589 atomic_read(&dest->weight),
121590 atomic_read(&dest->activeconns),
121591 atomic_read(&dest->inactconns));
121592@@ -2546,7 +2546,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
121593
121594 entry.addr = dest->addr.ip;
121595 entry.port = dest->port;
121596- entry.conn_flags = atomic_read(&dest->conn_flags);
121597+ entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
121598 entry.weight = atomic_read(&dest->weight);
121599 entry.u_threshold = dest->u_threshold;
121600 entry.l_threshold = dest->l_threshold;
121601@@ -3121,7 +3121,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
121602 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
121603 nla_put_be16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
121604 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
121605- (atomic_read(&dest->conn_flags) &
121606+ (atomic_read_unchecked(&dest->conn_flags) &
121607 IP_VS_CONN_F_FWD_MASK)) ||
121608 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
121609 atomic_read(&dest->weight)) ||
121610@@ -3759,7 +3759,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
121611 {
121612 int idx;
121613 struct netns_ipvs *ipvs = net_ipvs(net);
121614- struct ctl_table *tbl;
121615+ ctl_table_no_const *tbl;
121616
121617 atomic_set(&ipvs->dropentry, 0);
121618 spin_lock_init(&ipvs->dropentry_lock);
121619diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
121620index 127f140..553d652 100644
121621--- a/net/netfilter/ipvs/ip_vs_lblc.c
121622+++ b/net/netfilter/ipvs/ip_vs_lblc.c
121623@@ -118,7 +118,7 @@ struct ip_vs_lblc_table {
121624 * IPVS LBLC sysctl table
121625 */
121626 #ifdef CONFIG_SYSCTL
121627-static struct ctl_table vs_vars_table[] = {
121628+static ctl_table_no_const vs_vars_table[] __read_only = {
121629 {
121630 .procname = "lblc_expiration",
121631 .data = NULL,
121632diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
121633index 2229d2d..b32b785 100644
121634--- a/net/netfilter/ipvs/ip_vs_lblcr.c
121635+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
121636@@ -289,7 +289,7 @@ struct ip_vs_lblcr_table {
121637 * IPVS LBLCR sysctl table
121638 */
121639
121640-static struct ctl_table vs_vars_table[] = {
121641+static ctl_table_no_const vs_vars_table[] __read_only = {
121642 {
121643 .procname = "lblcr_expiration",
121644 .data = NULL,
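--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -609,7 +609,7 @@ static void ip_vs_sync_conn_v0(struct net *net, struct ip_vs_conn *cp,
 cp = cp->control;
 if (cp) {
 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
- pkts = atomic_add_return(1, &cp->in_pkts);
+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
 else
 pkts = sysctl_sync_threshold(ipvs);
 ip_vs_sync_conn(net, cp, pkts);
@@ -771,7 +771,7 @@ control:
 if (!cp)
 return;
 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
- pkts = atomic_add_return(1, &cp->in_pkts);
+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
 else
 pkts = sysctl_sync_threshold(ipvs);
 goto sloop;
@@ -919,7 +919,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
 
 if (opt)
 memcpy(&cp->in_seq, opt, sizeof(*opt));
- atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
+ atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
 cp->state = state;
 cp->old_state = cp->state;
 /*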
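Review bot: The three `cp->in_pkts` call sites changed here (in ip_vs_sync_conn_v0(), at the `control:` label and in ip_vs_proc_conn()) move to the `_unchecked` atomic helpers with no comment saying why this counter may be exempt from the overflow checking that the checked `atomic_t` operations presumably provide under this patch set. A one-line comment at the field declaration or at the first use, such as `/* in_pkts is a packet counter, not a reference count: wraparound is harmless */`, would let a later reader confirm that no object lifetime depends on the value. The same comment is missing for the `atomic_inc_unchecked(&cp->in_pkts)` calls in ip_vs_xmit.c and for `global_seq` in nfnetlink_log.c. All three functions here start and end outside their hunks, and the declaration of `in_pkts` is not visible, so the matching `atomic_unchecked_t` type change should be checked there.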
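--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -1259,7 +1259,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 else
 rc = NF_ACCEPT;
 /* do not touch skb anymore */
- atomic_inc(&cp->in_pkts);
+ atomic_inc_unchecked(&cp->in_pkts);
 goto out;
 }
 
@@ -1352,7 +1352,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
 else
 rc = NF_ACCEPT;
 /* do not touch skb anymore */
- atomic_inc(&cp->in_pkts);
+ atomic_inc_unchecked(&cp->in_pkts);
 goto out;
 }
 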
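--- a/net/netfilter/nf_conntrack_acct.c
+++ b/net/netfilter/nf_conntrack_acct.c
@@ -64,7 +64,7 @@ static struct nf_ct_ext_type acct_extend __read_mostly = {
 #ifdef CONFIG_SYSCTL
 static int nf_conntrack_acct_init_sysctl(struct net *net)
 {
- struct ctl_table *table;
+ ctl_table_no_const *table;
 
 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
 GFP_KERNEL);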
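--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1753,6 +1753,10 @@ void nf_conntrack_init_end(void)
 #define DYING_NULLS_VAL ((1<<30)+1)
 #define TEMPLATE_NULLS_VAL ((1<<30)+2)
 
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0);
+#endif
+
 int nf_conntrack_init_net(struct net *net)
 {
 int ret = -ENOMEM;
@@ -1777,7 +1781,11 @@ int nf_conntrack_init_net(struct net *net)
 if (!net->ct.stat)
 goto err_pcpu_lists;
 
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08x", atomic_inc_return_unchecked(&conntrack_cache_id));
+#else
 net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
+#endif
 if (!net->ct.slabname)
 goto err_slabname;
 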
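Review bot: In nf_conntrack_init_net() the HIDESYM branch builds the slab cache name from `conntrack_cache_id`, an unchecked counter that wraps silently, so uniqueness of the name now rests on no two live namespaces ever holding the same 32-bit id, whereas the `%p` form was unique by construction. That is unlikely to matter in practice, but a comment on the counter, e.g. `/* opaque id for the slab name; replaces %p so the struct net address is not exposed through the cache name */`, would record both the reason and the assumption. `%08x` is also handed what is presumably an `int` from `atomic_inc_return_unchecked()`, so a cast to `unsigned int` would keep format and argument matched, and the new line is well past 80 columns and could be wrapped after the format string. Only part of the function body is visible in these hunks.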
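--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -264,7 +264,7 @@ static struct nf_ct_ext_type event_extend __read_mostly = {
 #ifdef CONFIG_SYSCTL
 static int nf_conntrack_event_init_sysctl(struct net *net)
 {
- struct ctl_table *table;
+ ctl_table_no_const *table;
 
 table = kmemdup(event_sysctl_table, sizeof(event_sysctl_table),
 GFP_KERNEL);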
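--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -57,7 +57,7 @@ static struct ctl_table helper_sysctl_table[] = {
 
 static int nf_conntrack_helper_init_sysctl(struct net *net)
 {
- struct ctl_table *table;
+ ctl_table_no_const *table;
 
 table = kmemdup(helper_sysctl_table, sizeof(helper_sysctl_table),
 GFP_KERNEL);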
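--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -52,7 +52,7 @@ nf_ct_register_sysctl(struct net *net,
 
 static void
 nf_ct_unregister_sysctl(struct ctl_table_header **header,
- struct ctl_table **table,
+ ctl_table_no_const **table,
 unsigned int users)
 {
 if (users > 0)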
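--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -468,7 +468,7 @@ static struct ctl_table nf_ct_netfilter_table[] = {
 
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
- struct ctl_table *table;
+ ctl_table_no_const *table;
 
 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table),
 GFP_KERNEL);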
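--- a/net/netfilter/nf_conntrack_timestamp.c
+++ b/net/netfilter/nf_conntrack_timestamp.c
@@ -42,7 +42,7 @@ static struct nf_ct_ext_type tstamp_extend __read_mostly = {
 #ifdef CONFIG_SYSCTL
 static int nf_conntrack_tstamp_init_sysctl(struct net *net)
 {
- struct ctl_table *table;
+ ctl_table_no_const *table;
 
 table = kmemdup(tstamp_sysctl_table, sizeof(tstamp_sysctl_table),
 GFP_KERNEL);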
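--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -386,7 +386,7 @@ static const struct file_operations nflog_file_ops = {
 
 #ifdef CONFIG_SYSCTL
 static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
-static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
+static ctl_table_no_const nf_log_sysctl_table[NFPROTO_NUMPROTO+1] __read_only;
 
 static int nf_log_proc_dostring(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos)
@@ -417,13 +417,15 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
 rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
 mutex_unlock(&nf_log_mutex);
 } else {
+ ctl_table_no_const nf_log_table = *table;
+
 mutex_lock(&nf_log_mutex);
 logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
 if (!logger)
- table->data = "NONE";
+ nf_log_table.data = "NONE";
 else
- table->data = logger->name;
- r = proc_dostring(table, write, buffer, lenp, ppos);
+ nf_log_table.data = logger->name;
+ r = proc_dostring(&nf_log_table, write, buffer, lenp, ppos);
 mutex_unlock(&nf_log_mutex);
 }
 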
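Review bot: The stack copy `nf_log_table` in the `else` branch of nf_log_proc_dostring() has no comment, and its purpose is not obvious from the code alone. The handler used to store into `table->data`, which presumably cannot work once the sysctl table is `__read_only` as in the first hunk. I would add `/* table may be read-only: point a local copy at the logger name instead of writing table->data */` above the declaration. The copy's `.data` aliases `logger->name`, so it must not be used after `nf_log_mutex` is dropped; the block scope already guarantees that and the comment could say so. The function starts and ends outside the hunk.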
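--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -43,7 +43,7 @@ int nf_register_sockopt(struct nf_sockopt_ops *reg)
 }
 }
 
- list_add(&reg->list, &nf_sockopts);
+ pax_list_add((struct list_head *)&reg->list, &nf_sockopts);
 out:
 mutex_unlock(&nf_sockopt_mutex);
 return ret;
@@ -53,7 +53,7 @@ EXPORT_SYMBOL(nf_register_sockopt);
 void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
 {
 mutex_lock(&nf_sockopt_mutex);
- list_del(&reg->list);
+ pax_list_del((struct list_head *)&reg->list);
 mutex_unlock(&nf_sockopt_mutex);
 }
 EXPORT_SYMBOL(nf_unregister_sockopt);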
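Review bot: The `(struct list_head *)` casts passed to `pax_list_add()` in nf_register_sockopt() and `pax_list_del()` in nf_unregister_sockopt() hide whatever qualifier or type `reg->list` has at these call sites, so a later change to that field would still compile without a diagnostic. If the cast is there to drop a `const` that this patch set's constification puts on `struct nf_sockopt_ops`, which the `pax_` helpers suggest but the hunks do not show, a short comment would make that explicit, for example `/* reg may be constified; pax_list_add() performs the write to read-only memory */`. nf_register_sockopt() starts outside the first hunk.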
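--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -84,7 +84,7 @@ static int nfnl_log_net_id __read_mostly;
 struct nfnl_log_net {
 spinlock_t instances_lock;
 struct hlist_head instance_table[INSTANCE_BUCKETS];
- atomic_t global_seq;
+ atomic_unchecked_t global_seq;
 };
 
 static struct nfnl_log_net *nfnl_log_pernet(struct net *net)
@@ -572,7 +572,7 @@ __build_packet_message(struct nfnl_log_net *log,
 /* global sequence number */
 if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
 nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL,
- htonl(atomic_inc_return(&log->global_seq))))
+ htonl(atomic_inc_return_unchecked(&log->global_seq))))
 goto nla_put_failure;
 
 if (data_len) {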
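--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -322,14 +322,7 @@ static void nft_match_eval(const struct nft_expr *expr,
 return;
 }
 
- switch (ret ? 1 : 0) {
- case 1:
- regs->verdict.code = NFT_CONTINUE;
- break;
- case 0:
- regs->verdict.code = NFT_BREAK;
- break;
- }
+ regs->verdict.code = ret ? NFT_CONTINUE : NFT_BREAK;
 }
 
 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {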
121899diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
121900new file mode 100644
121901index 0000000..c566332
121902--- /dev/null
121903+++ b/net/netfilter/xt_gradm.c
121904@@ -0,0 +1,51 @@
121905+/*
121906+ * gradm match for netfilter
121907