Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-3.1-4.2.3-201510190716.patch
ed16389b
PK
1diff --git a/Documentation/dontdiff b/Documentation/dontdiff
2index 9de9813..1462492 100644
3--- a/Documentation/dontdiff
4+++ b/Documentation/dontdiff
5@@ -3,9 +3,11 @@
6 *.bc
7 *.bin
8 *.bz2
9+*.c.[012]*.*
10 *.cis
11 *.cpio
12 *.csp
13+*.dbg
14 *.dsp
15 *.dvi
16 *.elf
17@@ -15,6 +17,7 @@
18 *.gcov
19 *.gen.S
20 *.gif
21+*.gmo
22 *.grep
23 *.grp
24 *.gz
25@@ -51,14 +54,17 @@
26 *.tab.h
27 *.tex
28 *.ver
29+*.vim
30 *.xml
31 *.xz
32 *_MODULES
33+*_reg_safe.h
34 *_vga16.c
35 *~
36 \#*#
37 *.9
38-.*
39+.[^g]*
40+.gen*
41 .*.d
42 .mm
43 53c700_d.h
44@@ -72,9 +78,11 @@ Image
45 Module.markers
46 Module.symvers
47 PENDING
48+PERF*
49 SCCS
50 System.map*
51 TAGS
52+TRACEEVENT-CFLAGS
53 aconf
54 af_names.h
55 aic7*reg.h*
56@@ -83,6 +91,7 @@ aic7*seq.h*
57 aicasm
58 aicdb.h*
59 altivec*.c
60+ashldi3.S
61 asm-offsets.h
62 asm_offsets.h
63 autoconf.h*
64@@ -95,32 +104,40 @@ bounds.h
65 bsetup
66 btfixupprep
67 build
68+builtin-policy.h
69 bvmlinux
70 bzImage*
71 capability_names.h
72 capflags.c
73 classlist.h*
74+clut_vga16.c
75+common-cmds.h
76 comp*.log
77 compile.h*
78 conf
79 config
80 config-*
81 config_data.h*
82+config.c
83 config.mak
84 config.mak.autogen
85+config.tmp
86 conmakehash
87 consolemap_deftbl.c*
88 cpustr.h
89 crc32table.h*
90 cscope.*
91 defkeymap.c
92+devicetable-offsets.h
93 devlist.h*
94 dnotify_test
95 docproc
96 dslm
97+dtc-lexer.lex.c
98 elf2ecoff
99 elfconfig.h*
100 evergreen_reg_safe.h
101+exception_policy.conf
102 fixdep
103 flask.h
104 fore200e_mkfirm
105@@ -128,12 +145,15 @@ fore200e_pca_fw.c*
106 gconf
107 gconf.glade.h
108 gen-devlist
109+gen-kdb_cmds.c
110 gen_crc32table
111 gen_init_cpio
112 generated
113 genheaders
114 genksyms
115 *_gray256.c
116+hash
117+hid-example
118 hpet_example
119 hugepage-mmap
120 hugepage-shm
121@@ -148,14 +168,14 @@ int32.c
122 int4.c
123 int8.c
124 kallsyms
125-kconfig
126+kern_constants.h
127 keywords.c
128 ksym.c*
129 ksym.h*
130 kxgettext
131 lex.c
132 lex.*.c
133-linux
134+lib1funcs.S
135 logo_*.c
136 logo_*_clut224.c
137 logo_*_mono.c
138@@ -165,14 +185,15 @@ mach-types.h
139 machtypes.h
140 map
141 map_hugetlb
142-media
143 mconf
144+mdp
145 miboot*
146 mk_elfconfig
147 mkboot
148 mkbugboot
149 mkcpustr
150 mkdep
151+mkpiggy
152 mkprep
153 mkregtable
154 mktables
155@@ -188,6 +209,8 @@ oui.c*
156 page-types
157 parse.c
158 parse.h
159+parse-events*
160+pasyms.h
161 patches*
162 pca200e.bin
163 pca200e_ecd.bin2
164@@ -197,6 +220,7 @@ perf-archive
165 piggyback
166 piggy.gzip
167 piggy.S
168+pmu-*
169 pnmtologo
170 ppc_defs.h*
171 pss_boot.h
172@@ -206,7 +230,12 @@ r200_reg_safe.h
173 r300_reg_safe.h
174 r420_reg_safe.h
175 r600_reg_safe.h
176+randomize_layout_hash.h
177+randomize_layout_seed.h
178+realmode.lds
179+realmode.relocs
180 recordmcount
181+regdb.c
182 relocs
183 rlim_names.h
184 rn50_reg_safe.h
185@@ -216,8 +245,12 @@ series
186 setup
187 setup.bin
188 setup.elf
189+signing_key*
190+size_overflow_hash.h
191 sImage
192+slabinfo
193 sm_tbl*
194+sortextable
195 split-include
196 syscalltab.h
197 tables.c
198@@ -227,6 +260,7 @@ tftpboot.img
199 timeconst.h
200 times.h*
201 trix_boot.h
202+user_constants.h
203 utsrelease.h*
204 vdso-syms.lds
205 vdso.lds
206@@ -238,13 +272,17 @@ vdso32.lds
207 vdso32.so.dbg
208 vdso64.lds
209 vdso64.so.dbg
210+vdsox32.lds
211+vdsox32-syms.lds
212 version.h*
213 vmImage
214 vmlinux
215 vmlinux-*
216 vmlinux.aout
217 vmlinux.bin.all
218+vmlinux.bin.bz2
219 vmlinux.lds
220+vmlinux.relocs
221 vmlinuz
222 voffset.h
223 vsyscall.lds
224@@ -252,9 +290,12 @@ vsyscall_32.lds
225 wanxlfw.inc
226 uImage
227 unifdef
228+utsrelease.h
229 wakeup.bin
230 wakeup.elf
231 wakeup.lds
232+x509*
233 zImage*
234 zconf.hash.c
235+zconf.lex.c
236 zoffset.h
237diff --git a/Documentation/kbuild/makefiles.txt b/Documentation/kbuild/makefiles.txt
238index 13f888a..250729b 100644
239--- a/Documentation/kbuild/makefiles.txt
240+++ b/Documentation/kbuild/makefiles.txt
241@@ -23,10 +23,11 @@ This document describes the Linux kernel Makefiles.
242 === 4 Host Program support
243 --- 4.1 Simple Host Program
244 --- 4.2 Composite Host Programs
245- --- 4.3 Using C++ for host programs
246- --- 4.4 Controlling compiler options for host programs
247- --- 4.5 When host programs are actually built
248- --- 4.6 Using hostprogs-$(CONFIG_FOO)
249+ --- 4.3 Defining shared libraries
250+ --- 4.4 Using C++ for host programs
251+ --- 4.5 Controlling compiler options for host programs
252+ --- 4.6 When host programs are actually built
253+ --- 4.7 Using hostprogs-$(CONFIG_FOO)
254
255 === 5 Kbuild clean infrastructure
256
257@@ -643,7 +644,29 @@ Both possibilities are described in the following.
258 Finally, the two .o files are linked to the executable, lxdialog.
259 Note: The syntax <executable>-y is not permitted for host-programs.
260
261---- 4.3 Using C++ for host programs
262+--- 4.3 Defining shared libraries
263+
264+ Objects with extension .so are considered shared libraries, and
265+ will be compiled as position independent objects.
266+ Kbuild provides support for shared libraries, but the usage
267+ shall be restricted.
268+ In the following example the libkconfig.so shared library is used
269+ to link the executable conf.
270+
271+ Example:
272+ #scripts/kconfig/Makefile
273+ hostprogs-y := conf
274+ conf-objs := conf.o libkconfig.so
275+ libkconfig-objs := expr.o type.o
276+
277+ Shared libraries always require a corresponding -objs line, and
278+ in the example above the shared library libkconfig is composed by
279+ the two objects expr.o and type.o.
280+ expr.o and type.o will be built as position independent code and
281+ linked as a shared library libkconfig.so. C++ is not supported for
282+ shared libraries.
283+
284+--- 4.4 Using C++ for host programs
285
286 kbuild offers support for host programs written in C++. This was
287 introduced solely to support kconfig, and is not recommended
288@@ -666,7 +689,7 @@ Both possibilities are described in the following.
289 qconf-cxxobjs := qconf.o
290 qconf-objs := check.o
291
292---- 4.4 Controlling compiler options for host programs
293+--- 4.5 Controlling compiler options for host programs
294
295 When compiling host programs, it is possible to set specific flags.
296 The programs will always be compiled utilising $(HOSTCC) passed
297@@ -694,7 +717,7 @@ Both possibilities are described in the following.
298 When linking qconf, it will be passed the extra option
299 "-L$(QTDIR)/lib".
300
301---- 4.5 When host programs are actually built
302+--- 4.6 When host programs are actually built
303
304 Kbuild will only build host-programs when they are referenced
305 as a prerequisite.
306@@ -725,7 +748,7 @@ Both possibilities are described in the following.
307 This will tell kbuild to build lxdialog even if not referenced in
308 any rule.
309
310---- 4.6 Using hostprogs-$(CONFIG_FOO)
311+--- 4.7 Using hostprogs-$(CONFIG_FOO)
312
313 A typical pattern in a Kbuild file looks like this:
314
315diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
316index 1d6f045..2714987 100644
317--- a/Documentation/kernel-parameters.txt
318+++ b/Documentation/kernel-parameters.txt
319@@ -1244,6 +1244,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
320 Format: <unsigned int> such that (rxsize & ~0x1fffc0) == 0.
321 Default: 1024
322
323+ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
324+ ignore grsecurity's /proc restrictions
325+
326+ grsec_sysfs_restrict= Format: 0 | 1
327+ Default: 1
328+ Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config
329+
330 hashdist= [KNL,NUMA] Large hashes allocated during boot
331 are distributed across NUMA nodes. Defaults on
332 for 64-bit NUMA, off otherwise.
333@@ -2364,6 +2371,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
334 noexec=on: enable non-executable mappings (default)
335 noexec=off: disable non-executable mappings
336
337+ nopcid [X86-64]
338+ Disable PCID (Process-Context IDentifier) even if it
339+ is supported by the processor.
340+
341 nosmap [X86]
342 Disable SMAP (Supervisor Mode Access Prevention)
343 even if it is supported by processor.
344@@ -2662,6 +2673,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
345 the specified number of seconds. This is to be used if
346 your oopses keep scrolling off the screen.
347
348+ pax_nouderef [X86] disables UDEREF. Most likely needed under certain
349+ virtualization environments that don't cope well with the
350+ expand down segment used by UDEREF on X86-32 or the frequent
351+ page table updates on X86-64.
352+
353+ pax_sanitize_slab=
354+ Format: { 0 | 1 | off | fast | full }
355+ Options '0' and '1' are only provided for backward
356+ compatibility, 'off' or 'fast' should be used instead.
357+ 0|off : disable slab object sanitization
358+ 1|fast: enable slab object sanitization excluding
359+ whitelisted slabs (default)
360+ full : sanitize all slabs, even the whitelisted ones
361+
362+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
363+
364+ pax_extra_latent_entropy
365+ Enable a very simple form of latent entropy extraction
366+ from the first 4GB of memory as the bootmem allocator
367+ passes the memory pages to the buddy allocator.
368+
369+ pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF
370+ when the processor supports PCID.
371+
372 pcbit= [HW,ISDN]
373
374 pcd. [PARIDE]
375diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
376index 6fccb69..60c7c7a 100644
377--- a/Documentation/sysctl/kernel.txt
378+++ b/Documentation/sysctl/kernel.txt
379@@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
380 - kptr_restrict
381 - kstack_depth_to_print [ X86 only ]
382 - l2cr [ PPC only ]
383+- modify_ldt [ X86 only ]
384 - modprobe ==> Documentation/debugging-modules.txt
385 - modules_disabled
386 - msg_next_id [ sysv ipc ]
387@@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If
388
389 ==============================================================
390
391+modify_ldt: (X86 only)
392+
393+Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT
394+(Local Descriptor Table) may be needed to run a 16-bit or segmented code
395+such as Dosemu or Wine. This is done via a system call which is not needed
396+to run portable applications, and which can sometimes be abused to exploit
397+some weaknesses of the architecture, opening new vulnerabilities.
398+
399+This sysctl allows one to increase the system's security by disabling the
400+system call, or to restore compatibility with specific applications when it
401+was already disabled.
402+
403+==============================================================
404+
405 modules_disabled:
406
407 A toggle value indicating if modules are allowed to be loaded
408diff --git a/Makefile b/Makefile
409index a6edbb1..5ac7686 100644
410--- a/Makefile
411+++ b/Makefile
412@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
413 HOSTCC = gcc
414 HOSTCXX = g++
415 HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89
416-HOSTCXXFLAGS = -O2
417+HOSTCFLAGS = -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks
418+HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
419+HOSTCXXFLAGS = -O2 -Wall -W -Wno-array-bounds
420
421 ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1)
422 HOSTCFLAGS += -Wno-unused-value -Wno-unused-parameter \
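Review bot: The added `HOSTCFLAGS = -W -Wno-unused-parameter ...` line uses a plain `=` directly after the unchanged `HOSTCFLAGS = -Wall -Wmissing-prototypes ... -std=gnu89` line, so the second assignment replaces the first instead of extending it. As written, host tools lose `-Wall`, `-Wstrict-prototypes`, `-O2` and `-std=gnu89`. If the intent was to add warnings and `-fno-delete-null-pointer-checks` on top of the stock flags, the line should read `HOSTCFLAGS += -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks`.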
423@@ -434,8 +436,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \
424 # Rules shared between *config targets and build targets
425
426 # Basic helpers built in scripts/
427-PHONY += scripts_basic
428-scripts_basic:
429+PHONY += scripts_basic gcc-plugins
430+scripts_basic: gcc-plugins
431 $(Q)$(MAKE) $(build)=scripts/basic
432 $(Q)rm -f .tmp_quiet_recordmcount
433
434@@ -615,6 +617,74 @@ endif
435 # Tell gcc to never replace conditional load with a non-conditional one
436 KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
437
438+ifndef DISABLE_PAX_PLUGINS
439+ifeq ($(call cc-ifversion, -ge, 0408, y), y)
440+PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCXX)" "$(HOSTCXX)" "$(CC)")
441+else
442+PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(HOSTCXX)" "$(CC)")
443+endif
444+ifneq ($(PLUGINCC),)
445+ifdef CONFIG_PAX_CONSTIFY_PLUGIN
446+CONSTIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
447+endif
448+ifdef CONFIG_PAX_MEMORY_STACKLEAK
449+STACKLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
450+STACKLEAK_PLUGIN_CFLAGS += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
451+endif
452+ifdef CONFIG_KALLOCSTAT_PLUGIN
453+KALLOCSTAT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
454+endif
455+ifdef CONFIG_PAX_KERNEXEC_PLUGIN
456+KERNEXEC_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
457+KERNEXEC_PLUGIN_CFLAGS += -fplugin-arg-kernexec_plugin-method=$(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD) -DKERNEXEC_PLUGIN
458+KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN
459+endif
460+ifdef CONFIG_GRKERNSEC_RANDSTRUCT
461+RANDSTRUCT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/randomize_layout_plugin.so -DRANDSTRUCT_PLUGIN
462+ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE
463+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode
464+endif
465+endif
466+ifdef CONFIG_CHECKER_PLUGIN
467+ifeq ($(call cc-ifversion, -ge, 0406, y), y)
468+CHECKER_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
469+endif
470+endif
471+COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so
472+ifdef CONFIG_PAX_SIZE_OVERFLOW
473+SIZE_OVERFLOW_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN
474+endif
475+ifdef CONFIG_PAX_LATENT_ENTROPY
476+LATENT_ENTROPY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/latent_entropy_plugin.so -DLATENT_ENTROPY_PLUGIN
477+endif
478+ifdef CONFIG_PAX_MEMORY_STRUCTLEAK
479+STRUCTLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/structleak_plugin.so -DSTRUCTLEAK_PLUGIN
480+endif
481+INITIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/initify_plugin.so -DINITIFY_PLUGIN
482+GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) $(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS)
483+GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS)
484+GCC_PLUGINS_CFLAGS += $(SIZE_OVERFLOW_PLUGIN_CFLAGS) $(LATENT_ENTROPY_PLUGIN_CFLAGS) $(STRUCTLEAK_PLUGIN_CFLAGS)
485+GCC_PLUGINS_CFLAGS += $(INITIFY_PLUGIN_CFLAGS)
486+GCC_PLUGINS_CFLAGS += $(RANDSTRUCT_PLUGIN_CFLAGS)
487+GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS)
488+export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS CONSTIFY_PLUGIN LATENT_ENTROPY_PLUGIN_CFLAGS
489+ifeq ($(KBUILD_EXTMOD),)
490+gcc-plugins:
491+ $(Q)$(MAKE) $(build)=tools/gcc
492+else
493+gcc-plugins: ;
494+endif
495+else
496+gcc-plugins:
497+ifeq ($(call cc-ifversion, -ge, 0405, y), y)
498+ $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev. If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument.))
499+else
500+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
501+endif
502+ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active."
503+endif
504+endif
505+
506 ifdef CONFIG_READABLE_ASM
507 # Disable optimizations that make assembler listings hard to read.
508 # reorder blocks reorders the control in the function
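Review bot: The `else` branch of `ifneq ($(PLUGINCC),)` fails open for gcc older than 4.5: the `gcc-plugins` recipe only echoes a warning and the build continues. A kernel configured with CONFIG_PAX_SIZE_OVERFLOW, CONFIG_PAX_MEMORY_STACKLEAK or the other plugin-backed options is then produced without that instrumentation. Consider making that path a hard `$(error ...)` too whenever one of those options is set, leaving `DISABLE_PAX_PLUGINS=y` as the single explicit opt-out. Two smaller items in the same block: the `$(error ...)` text ends in `.))`, one parenthesis too many, and the `export` line names `CONSTIFY_PLUGIN`, which nothing in this hunk defines (presumably `CONSTIFY_PLUGIN_CFLAGS` was meant).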
509@@ -714,7 +784,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g)
510 else
511 KBUILD_CFLAGS += -g
512 endif
513-KBUILD_AFLAGS += -Wa,-gdwarf-2
514+KBUILD_AFLAGS += -Wa,--gdwarf-2
515 endif
516 ifdef CONFIG_DEBUG_INFO_DWARF4
517 KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,)
518@@ -886,7 +956,7 @@ export mod_sign_cmd
519
520
521 ifeq ($(KBUILD_EXTMOD),)
522-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
523+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
524
525 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
526 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
527@@ -936,6 +1006,8 @@ endif
528
529 # The actual objects are generated when descending,
530 # make sure no implicit rule kicks in
531+$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
532+$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
533 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
534
535 # Handle descending into subdirectories listed in $(vmlinux-dirs)
536@@ -945,7 +1017,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
537 # Error messages still appears in the original language
538
539 PHONY += $(vmlinux-dirs)
540-$(vmlinux-dirs): prepare scripts
541+$(vmlinux-dirs): gcc-plugins prepare scripts
542 $(Q)$(MAKE) $(build)=$@
543
544 define filechk_kernel.release
545@@ -988,10 +1060,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
546
547 archprepare: archheaders archscripts prepare1 scripts_basic
548
549+prepare0: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
550+prepare0: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
551 prepare0: archprepare FORCE
552 $(Q)$(MAKE) $(build)=.
553
554 # All the preparing..
555+prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS))
556 prepare: prepare0
557
558 # Generate some files
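Review bot: The target-specific assignments added around `prepare0` and `prepare` need a comment, because one appends `$(GCC_PLUGINS_CFLAGS)` and the next strips it again with `:=` and `filter-out`, and the hunk gives no reason. Target-specific variables are inherited by prerequisites, so the filter presumably undoes flags inherited from `modules:` or the pattern rules before `prepare0` re-adds them once; please confirm and say so. Something like `# plugin flags arrive here through inherited target-specific variables; drop them for prepare and add them back exactly once for prepare0` above the `prepare:` line would do.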
559@@ -1099,6 +1174,8 @@ all: modules
560 # using awk while concatenating to the final file.
561
562 PHONY += modules
563+modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
564+modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
565 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
566 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
567 @$(kecho) ' Building modules, stage 2.';
568@@ -1114,7 +1191,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
569
570 # Target to prepare building external modules
571 PHONY += modules_prepare
572-modules_prepare: prepare scripts
573+modules_prepare: gcc-plugins prepare scripts
574
575 # Target to install modules
576 PHONY += modules_install
577@@ -1180,7 +1257,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \
578 Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
579 signing_key.priv signing_key.x509 x509.genkey \
580 extra_certificates signing_key.x509.keyid \
581- signing_key.x509.signer vmlinux-gdb.py
582+ signing_key.x509.signer vmlinux-gdb.py \
583+ tools/gcc/size_overflow_plugin/size_overflow_hash_aux.h \
584+ tools/gcc/size_overflow_plugin/size_overflow_hash.h \
585+ tools/gcc/randomize_layout_seed.h
586
587 # clean - Delete most, but leave enough to build external modules
588 #
589@@ -1219,7 +1299,7 @@ distclean: mrproper
590 @find $(srctree) $(RCS_FIND_IGNORE) \
591 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
592 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
593- -o -name '.*.rej' -o -name '*%' -o -name 'core' \) \
594+ -o -name '.*.rej' -o -name '*.so' -o -name '*%' -o -name 'core' \) \
595 -type f -print | xargs rm -f
596
597
598@@ -1385,6 +1465,8 @@ PHONY += $(module-dirs) modules
599 $(module-dirs): crmodverdir $(objtree)/Module.symvers
600 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
601
602+modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
603+modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
604 modules: $(module-dirs)
605 @$(kecho) ' Building modules, stage 2.';
606 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
607@@ -1525,17 +1607,21 @@ else
608 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
609 endif
610
611-%.s: %.c prepare scripts FORCE
612+%.s: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
613+%.s: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
614+%.s: %.c gcc-plugins prepare scripts FORCE
615 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
616 %.i: %.c prepare scripts FORCE
617 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
618-%.o: %.c prepare scripts FORCE
619+%.o: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
620+%.o: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
621+%.o: %.c gcc-plugins prepare scripts FORCE
622 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
623 %.lst: %.c prepare scripts FORCE
624 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
625-%.s: %.S prepare scripts FORCE
626+%.s: %.S gcc-plugins prepare scripts FORCE
627 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
628-%.o: %.S prepare scripts FORCE
629+%.o: %.S gcc-plugins prepare scripts FORCE
630 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
631 %.symtypes: %.c prepare scripts FORCE
632 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
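Review bot: The `%.i`, `%.lst` and `%.symtypes` rules are left with their old prerequisites and get no `$(GCC_PLUGINS_CFLAGS)`, while `%.s` and `%.o` do. A single-file `make path/file.i` therefore preprocesses without the `-DCONSTIFY_PLUGIN`, `-DSIZE_OVERFLOW_PLUGIN` and similar defines that the real object build receives, so the output can differ from what is compiled wherever a header keys on those macros. For consistency, give these rules the same treatment as `%.o`: `%.i: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)` and `%.i: %.c gcc-plugins prepare scripts FORCE`.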
633@@ -1547,11 +1633,15 @@ endif
634 $(build)=$(build-dir)
635 # Make sure the latest headers are built for Documentation
636 Documentation/: headers_install
637-%/: prepare scripts FORCE
638+%/: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
639+%/: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
640+%/: gcc-plugins prepare scripts FORCE
641 $(cmd_crmodverdir)
642 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
643 $(build)=$(build-dir)
644-%.ko: prepare scripts FORCE
645+%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
646+%.ko: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
647+%.ko: gcc-plugins prepare scripts FORCE
648 $(cmd_crmodverdir)
649 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
650 $(build)=$(build-dir) $(@:.ko=.o)
651diff --git a/arch/alpha/include/asm/atomic.h b/arch/alpha/include/asm/atomic.h
652index 8f8eafb..3405f46 100644
653--- a/arch/alpha/include/asm/atomic.h
654+++ b/arch/alpha/include/asm/atomic.h
655@@ -239,4 +239,14 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
656 #define atomic_dec(v) atomic_sub(1,(v))
657 #define atomic64_dec(v) atomic64_sub(1,(v))
658
659+#define atomic64_read_unchecked(v) atomic64_read(v)
660+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
661+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
662+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
663+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
664+#define atomic64_inc_unchecked(v) atomic64_inc(v)
665+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
666+#define atomic64_dec_unchecked(v) atomic64_dec(v)
667+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
668+
669 #endif /* _ALPHA_ATOMIC_H */
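Review bot: The nine `atomic64_*_unchecked` macros are added without a comment saying why they alias the ordinary operations. Nothing in this hunk shows an overflow-checked atomic implementation for alpha, so the aliases presumably exist only to keep callers of the `_unchecked` API compiling. A one-line comment above the group would make that explicit, for example `/* no overflow-checked atomics on alpha: the _unchecked variants are plain aliases */`. Only the 64-bit variants are defined here; if the 32-bit `atomic_*_unchecked` names come from a generic header, the comment should say so.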
670diff --git a/arch/alpha/include/asm/cache.h b/arch/alpha/include/asm/cache.h
671index ad368a9..fbe0f25 100644
672--- a/arch/alpha/include/asm/cache.h
673+++ b/arch/alpha/include/asm/cache.h
674@@ -4,19 +4,19 @@
675 #ifndef __ARCH_ALPHA_CACHE_H
676 #define __ARCH_ALPHA_CACHE_H
677
678+#include <linux/const.h>
679
680 /* Bytes per L1 (data) cache line. */
681 #if defined(CONFIG_ALPHA_GENERIC) || defined(CONFIG_ALPHA_EV6)
682-# define L1_CACHE_BYTES 64
683 # define L1_CACHE_SHIFT 6
684 #else
685 /* Both EV4 and EV5 are write-through, read-allocate,
686 direct-mapped, physical.
687 */
688-# define L1_CACHE_BYTES 32
689 # define L1_CACHE_SHIFT 5
690 #endif
691
692+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
693 #define SMP_CACHE_BYTES L1_CACHE_BYTES
694
695 #endif
696diff --git a/arch/alpha/include/asm/elf.h b/arch/alpha/include/asm/elf.h
697index 968d999..d36b2df 100644
698--- a/arch/alpha/include/asm/elf.h
699+++ b/arch/alpha/include/asm/elf.h
700@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
701
702 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
703
704+#ifdef CONFIG_PAX_ASLR
705+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
706+
707+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
708+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
709+#endif
710+
711 /* $0 is set by ld.so to a pointer to a function which might be
712 registered using atexit. This provides a mean for the dynamic
713 linker to call DT_FINI functions for shared libraries that have
714diff --git a/arch/alpha/include/asm/pgalloc.h b/arch/alpha/include/asm/pgalloc.h
715index aab14a0..b4fa3e7 100644
716--- a/arch/alpha/include/asm/pgalloc.h
717+++ b/arch/alpha/include/asm/pgalloc.h
718@@ -29,6 +29,12 @@ pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
719 pgd_set(pgd, pmd);
720 }
721
722+static inline void
723+pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
724+{
725+ pgd_populate(mm, pgd, pmd);
726+}
727+
728 extern pgd_t *pgd_alloc(struct mm_struct *mm);
729
730 static inline void
731diff --git a/arch/alpha/include/asm/pgtable.h b/arch/alpha/include/asm/pgtable.h
732index a9a1195..e9b8417 100644
733--- a/arch/alpha/include/asm/pgtable.h
734+++ b/arch/alpha/include/asm/pgtable.h
735@@ -101,6 +101,17 @@ struct vm_area_struct;
736 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
737 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
738 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
739+
740+#ifdef CONFIG_PAX_PAGEEXEC
741+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
742+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
743+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
744+#else
745+# define PAGE_SHARED_NOEXEC PAGE_SHARED
746+# define PAGE_COPY_NOEXEC PAGE_COPY
747+# define PAGE_READONLY_NOEXEC PAGE_READONLY
748+#endif
749+
750 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
751
752 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
753diff --git a/arch/alpha/kernel/module.c b/arch/alpha/kernel/module.c
754index 2fd00b7..cfd5069 100644
755--- a/arch/alpha/kernel/module.c
756+++ b/arch/alpha/kernel/module.c
757@@ -160,7 +160,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, const char *strtab,
758
759 /* The small sections were sorted to the end of the segment.
760 The following should definitely cover them. */
761- gp = (u64)me->module_core + me->core_size - 0x8000;
762+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
763 got = sechdrs[me->arch.gotsecindex].sh_addr;
764
765 for (i = 0; i < n; i++) {
766diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
767index 36dc91a..6769cb0 100644
768--- a/arch/alpha/kernel/osf_sys.c
769+++ b/arch/alpha/kernel/osf_sys.c
770@@ -1295,10 +1295,11 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p)
771 generic version except that we know how to honor ADDR_LIMIT_32BIT. */
772
773 static unsigned long
774-arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
775- unsigned long limit)
776+arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len,
777+ unsigned long limit, unsigned long flags)
778 {
779 struct vm_unmapped_area_info info;
780+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
781
782 info.flags = 0;
783 info.length = len;
784@@ -1306,6 +1307,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
785 info.high_limit = limit;
786 info.align_mask = 0;
787 info.align_offset = 0;
788+ info.threadstack_offset = offset;
789 return vm_unmapped_area(&info);
790 }
791
792@@ -1338,20 +1340,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
793 merely specific addresses, but regions of memory -- perhaps
794 this feature should be incorporated into all ports? */
795
796+#ifdef CONFIG_PAX_RANDMMAP
797+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
798+#endif
799+
800 if (addr) {
801- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
802+ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags);
803 if (addr != (unsigned long) -ENOMEM)
804 return addr;
805 }
806
807 /* Next, try allocating at TASK_UNMAPPED_BASE. */
808- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
809- len, limit);
810+ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags);
811+
812 if (addr != (unsigned long) -ENOMEM)
813 return addr;
814
815 /* Finally, try allocating in low memory. */
816- addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit);
817+ addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags);
818
819 return addr;
820 }
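Review bot: The brace-less `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` silently governs the following `if (addr) { ... }` across a blank line, which is easy to break on a later edit. Folding the condition into the existing test would be safer, with the flag check kept under the same `#ifdef`. The retained comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` is now stale, because the call passes `current->mm->mmap_base`; it should read `/* Next, try allocating at the (possibly randomized) mmap base. */`. The body of arch_get_unmapped_area begins outside this hunk.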
821diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
822index 4a905bd..0a4da53 100644
823--- a/arch/alpha/mm/fault.c
824+++ b/arch/alpha/mm/fault.c
825@@ -52,6 +52,124 @@ __load_new_mm_context(struct mm_struct *next_mm)
826 __reload_thread(pcb);
827 }
828
829+#ifdef CONFIG_PAX_PAGEEXEC
830+/*
831+ * PaX: decide what to do with offenders (regs->pc = fault address)
832+ *
833+ * returns 1 when task should be killed
834+ * 2 when patched PLT trampoline was detected
835+ * 3 when unpatched PLT trampoline was detected
836+ */
837+static int pax_handle_fetch_fault(struct pt_regs *regs)
838+{
839+
840+#ifdef CONFIG_PAX_EMUPLT
841+ int err;
842+
843+ do { /* PaX: patched PLT emulation #1 */
844+ unsigned int ldah, ldq, jmp;
845+
846+ err = get_user(ldah, (unsigned int *)regs->pc);
847+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
848+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
849+
850+ if (err)
851+ break;
852+
853+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
854+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
855+ jmp == 0x6BFB0000U)
856+ {
857+ unsigned long r27, addr;
858+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
859+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
860+
861+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
862+ err = get_user(r27, (unsigned long *)addr);
863+ if (err)
864+ break;
865+
866+ regs->r27 = r27;
867+ regs->pc = r27;
868+ return 2;
869+ }
870+ } while (0);
871+
872+ do { /* PaX: patched PLT emulation #2 */
873+ unsigned int ldah, lda, br;
874+
875+ err = get_user(ldah, (unsigned int *)regs->pc);
876+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
877+ err |= get_user(br, (unsigned int *)(regs->pc+8));
878+
879+ if (err)
880+ break;
881+
882+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
883+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
884+ (br & 0xFFE00000U) == 0xC3E00000U)
885+ {
886+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
887+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
888+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
889+
890+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
891+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
892+ return 2;
893+ }
894+ } while (0);
895+
896+ do { /* PaX: unpatched PLT emulation */
897+ unsigned int br;
898+
899+ err = get_user(br, (unsigned int *)regs->pc);
900+
901+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
902+ unsigned int br2, ldq, nop, jmp;
903+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
904+
905+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
906+ err = get_user(br2, (unsigned int *)addr);
907+ err |= get_user(ldq, (unsigned int *)(addr+4));
908+ err |= get_user(nop, (unsigned int *)(addr+8));
909+ err |= get_user(jmp, (unsigned int *)(addr+12));
910+ err |= get_user(resolver, (unsigned long *)(addr+16));
911+
912+ if (err)
913+ break;
914+
915+ if (br2 == 0xC3600000U &&
916+ ldq == 0xA77B000CU &&
917+ nop == 0x47FF041FU &&
918+ jmp == 0x6B7B0000U)
919+ {
920+ regs->r28 = regs->pc+4;
921+ regs->r27 = addr+16;
922+ regs->pc = resolver;
923+ return 3;
924+ }
925+ }
926+ } while (0);
927+#endif
928+
929+ return 1;
930+}
931+
932+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
933+{
934+ unsigned long i;
935+
936+ printk(KERN_ERR "PAX: bytes at PC: ");
937+ for (i = 0; i < 5; i++) {
938+ unsigned int c;
939+ if (get_user(c, (unsigned int *)pc+i))
940+ printk(KERN_CONT "???????? ");
941+ else
942+ printk(KERN_CONT "%08x ", c);
943+ }
944+ printk("\n");
945+}
946+#endif
947
948 /*
949 * This routine handles page faults. It determines the address,
950@@ -132,8 +250,29 @@ retry:
951 good_area:
952 si_code = SEGV_ACCERR;
953 if (cause < 0) {
954- if (!(vma->vm_flags & VM_EXEC))
955+ if (!(vma->vm_flags & VM_EXEC)) {
956+
957+#ifdef CONFIG_PAX_PAGEEXEC
958+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
959+ goto bad_area;
960+
961+ up_read(&mm->mmap_sem);
962+ switch (pax_handle_fetch_fault(regs)) {
963+
964+#ifdef CONFIG_PAX_EMUPLT
965+ case 2:
966+ case 3:
967+ return;
968+#endif
969+
970+ }
971+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
972+ do_group_exit(SIGKILL);
973+#else
974 goto bad_area;
975+#endif
976+
977+ }
978 } else if (!cause) {
979 /* Allow reads even for write-only mappings */
980 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
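Review bot: The `switch (pax_handle_fetch_fault(regs))` added under `CONFIG_PAX_PAGEEXEC` dispatches on the bare integers 2 and 3, and with `CONFIG_PAX_EMUPLT` disabled it compiles to an empty `switch` body. The reader has to go back to the emulation function to learn that 2 and 3 are returned after a PLT stub was emulated and 1 is the fall-through result. A short comment above the switch would carry that, for example `/* 2, 3: PLT stub emulated, registers updated, resume; anything else: report and kill */`. It would also help to note next to `up_read(&mm->mmap_sem)` that the semaphore is dropped before the handler runs, presumably because the handler reads user memory with `get_user()`. The fault handler's body starts and ends outside this hunk.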
981diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig
982index bd4670d..920c97a 100644
983--- a/arch/arc/Kconfig
984+++ b/arch/arc/Kconfig
985@@ -485,6 +485,7 @@ config ARC_DBG_TLB_MISS_COUNT
986 bool "Profile TLB Misses"
987 default n
988 select DEBUG_FS
989+ depends on !GRKERNSEC_KMEM
990 help
991 Counts number of I and D TLB Misses and exports them via Debugfs
992 The counters can be cleared via Debugfs as well
993diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
994index ede2526..9e12300 100644
995--- a/arch/arm/Kconfig
996+++ b/arch/arm/Kconfig
997@@ -1770,7 +1770,7 @@ config ALIGNMENT_TRAP
998
999 config UACCESS_WITH_MEMCPY
1000 bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
1001- depends on MMU
1002+ depends on MMU && !PAX_MEMORY_UDEREF
1003 default y if CPU_FEROCEON
1004 help
1005 Implement faster copy_to_user and clear_user methods for CPU
1006@@ -2006,6 +2006,7 @@ config KEXEC
1007 bool "Kexec system call (EXPERIMENTAL)"
1008 depends on (!SMP || PM_SLEEP_SMP)
1009 depends on !CPU_V7M
1010+ depends on !GRKERNSEC_KMEM
1011 help
1012 kexec is a system call that implements the ability to shutdown your
1013 current kernel, and to start another kernel. It is like a reboot
1014diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
1015index a2e16f9..b26e911 100644
1016--- a/arch/arm/Kconfig.debug
1017+++ b/arch/arm/Kconfig.debug
1018@@ -7,6 +7,7 @@ config ARM_PTDUMP
1019 depends on DEBUG_KERNEL
1020 depends on MMU
1021 select DEBUG_FS
1022+ depends on !GRKERNSEC_KMEM
1023 ---help---
1024 Say Y here if you want to show the kernel pagetable layout in a
1025 debugfs file. This information is only useful for kernel developers
1026diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
1027index e22c119..abe7041 100644
1028--- a/arch/arm/include/asm/atomic.h
1029+++ b/arch/arm/include/asm/atomic.h
1030@@ -18,17 +18,41 @@
1031 #include <asm/barrier.h>
1032 #include <asm/cmpxchg.h>
1033
1034+#ifdef CONFIG_GENERIC_ATOMIC64
1035+#include <asm-generic/atomic64.h>
1036+#endif
1037+
1038 #define ATOMIC_INIT(i) { (i) }
1039
1040 #ifdef __KERNEL__
1041
1042+#ifdef CONFIG_THUMB2_KERNEL
1043+#define REFCOUNT_TRAP_INSN "bkpt 0xf1"
1044+#else
1045+#define REFCOUNT_TRAP_INSN "bkpt 0xf103"
1046+#endif
1047+
1048+#define _ASM_EXTABLE(from, to) \
1049+" .pushsection __ex_table,\"a\"\n"\
1050+" .align 3\n" \
1051+" .long " #from ", " #to"\n" \
1052+" .popsection"
1053+
1054 /*
1055 * On ARM, ordinary assignment (str instruction) doesn't clear the local
1056 * strex/ldrex monitor on some implementations. The reason we can use it for
1057 * atomic_set() is the clrex or dummy strex done on every exception return.
1058 */
1059 #define atomic_read(v) ACCESS_ONCE((v)->counter)
1060+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
1061+{
1062+ return ACCESS_ONCE(v->counter);
1063+}
1064 #define atomic_set(v,i) (((v)->counter) = (i))
1065+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
1066+{
1067+ v->counter = i;
1068+}
1069
1070 #if __LINUX_ARM_ARCH__ >= 6
1071
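Review bot: `REFCOUNT_TRAP_INSN` hard-codes the breakpoint immediates `0xf1` and `0xf103` without saying what consumes them. Whatever handler recognises these values lives outside this file, and a mismatch would presumably turn an overflow trap into an unhandled breakpoint. A comment at the definition such as `/* immediates must match the refcount-overflow breakpoint handler */` would tie the two together. `_ASM_EXTABLE` is likewise a generic name defined in a header and, as far as this file section shows, is not `#undef`ed with the other helper macros, so a note that it is intentionally left visible (or a more specific name) would help.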
1072@@ -38,26 +62,50 @@
1073 * to ensure that the update happens.
1074 */
1075
1076-#define ATOMIC_OP(op, c_op, asm_op) \
1077-static inline void atomic_##op(int i, atomic_t *v) \
1078+#ifdef CONFIG_PAX_REFCOUNT
1079+#define __OVERFLOW_POST \
1080+ " bvc 3f\n" \
1081+ "2: " REFCOUNT_TRAP_INSN "\n"\
1082+ "3:\n"
1083+#define __OVERFLOW_POST_RETURN \
1084+ " bvc 3f\n" \
1085+" mov %0, %1\n" \
1086+ "2: " REFCOUNT_TRAP_INSN "\n"\
1087+ "3:\n"
1088+#define __OVERFLOW_EXTABLE \
1089+ "4:\n" \
1090+ _ASM_EXTABLE(2b, 4b)
1091+#else
1092+#define __OVERFLOW_POST
1093+#define __OVERFLOW_POST_RETURN
1094+#define __OVERFLOW_EXTABLE
1095+#endif
1096+
1097+#define __ATOMIC_OP(op, suffix, c_op, asm_op, post_op, extable) \
1098+static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \
1099 { \
1100 unsigned long tmp; \
1101 int result; \
1102 \
1103 prefetchw(&v->counter); \
1104- __asm__ __volatile__("@ atomic_" #op "\n" \
1105+ __asm__ __volatile__("@ atomic_" #op #suffix "\n" \
1106 "1: ldrex %0, [%3]\n" \
1107 " " #asm_op " %0, %0, %4\n" \
1108+ post_op \
1109 " strex %1, %0, [%3]\n" \
1110 " teq %1, #0\n" \
1111-" bne 1b" \
1112+" bne 1b\n" \
1113+ extable \
1114 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1115 : "r" (&v->counter), "Ir" (i) \
1116 : "cc"); \
1117 } \
1118
1119-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
1120-static inline int atomic_##op##_return(int i, atomic_t *v) \
1121+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, _unchecked, c_op, asm_op, , )\
1122+ __ATOMIC_OP(op, , c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
1123+
1124+#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op, post_op, extable) \
1125+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
1126 { \
1127 unsigned long tmp; \
1128 int result; \
1129@@ -65,12 +113,14 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1130 smp_mb(); \
1131 prefetchw(&v->counter); \
1132 \
1133- __asm__ __volatile__("@ atomic_" #op "_return\n" \
1134+ __asm__ __volatile__("@ atomic_" #op "_return" #suffix "\n" \
1135 "1: ldrex %0, [%3]\n" \
1136 " " #asm_op " %0, %0, %4\n" \
1137+ post_op \
1138 " strex %1, %0, [%3]\n" \
1139 " teq %1, #0\n" \
1140-" bne 1b" \
1141+" bne 1b\n" \
1142+ extable \
1143 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1144 : "r" (&v->counter), "Ir" (i) \
1145 : "cc"); \
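Review bot: In `__ATOMIC_OP_RETURN` the overflow path restores the wrong register. `__OVERFLOW_POST_RETURN` (defined in the previous hunk) executes `mov %0, %1` before the trap, but here `%0` is both the `ldrex` destination and the result of the arithmetic, while `%1` is `tmp`, the `strex` status, which has not been written on the first pass through the loop. After the fixup the function therefore returns an indeterminate value rather than the pre-overflow counter; how much that matters depends on the trap handler, which is not in this hunk. `atomic64_dec_if_positive` later in this file keeps the loaded value in `%1` and computes into `%0`, and the same shape would work here: `"1: ldrex %1, [%3]\n"` followed by `" " #asm_op " %0, %1, %4\n"`. The 64-bit `__ATOMIC64_OP_RETURN` (hunks `@@ -268,29 +431,57 @@` and `@@ -298,13 +489,15 @@`) has the same pattern and additionally applies `%H1` to an `unsigned long tmp`, so `tmp` would need to become `u64` there as well; the macro body here begins in the previous hunk.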
1146@@ -80,6 +130,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1147 return result; \
1148 }
1149
1150+#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op, , )\
1151+ __ATOMIC_OP_RETURN(op, , c_op, asm_op##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)
1152+
1153 static inline int atomic_cmpxchg(atomic_t *ptr, int old, int new)
1154 {
1155 int oldval;
1156@@ -115,12 +168,24 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1157 __asm__ __volatile__ ("@ atomic_add_unless\n"
1158 "1: ldrex %0, [%4]\n"
1159 " teq %0, %5\n"
1160-" beq 2f\n"
1161-" add %1, %0, %6\n"
1162+" beq 4f\n"
1163+" adds %1, %0, %6\n"
1164+
1165+#ifdef CONFIG_PAX_REFCOUNT
1166+" bvc 3f\n"
1167+"2: " REFCOUNT_TRAP_INSN "\n"
1168+"3:\n"
1169+#endif
1170+
1171 " strex %2, %1, [%4]\n"
1172 " teq %2, #0\n"
1173 " bne 1b\n"
1174-"2:"
1175+"4:"
1176+
1177+#ifdef CONFIG_PAX_REFCOUNT
1178+ _ASM_EXTABLE(2b, 4b)
1179+#endif
1180+
1181 : "=&r" (oldval), "=&r" (newval), "=&r" (tmp), "+Qo" (v->counter)
1182 : "r" (&v->counter), "r" (u), "r" (a)
1183 : "cc");
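Review bot: The overflow path added to `__atomic_add_unless` has no comment explaining what the caller observes. When `bvc` is not taken, the trap at `2:` is presumably fixed up to `4:` through the `_ASM_EXTABLE(2b, 4b)` entry, which skips the `strex` and leaves the counter unchanged, while `oldval` still holds a value different from `u`. If that saturating behaviour is intended, say so above the first `#ifdef CONFIG_PAX_REFCOUNT`, e.g. `/* on signed overflow: trap, skip the store, counter keeps its old value */`. For consistency with the 64-bit variants later in the file the label should also be written `"4:\n"` rather than `"4:"`, so the `.pushsection` emitted by `_ASM_EXTABLE` starts on its own line. The function begins before and ends after this hunk.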
1184@@ -131,14 +196,36 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1185 return oldval;
1186 }
1187
1188+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *ptr, int old, int new)
1189+{
1190+ unsigned long oldval, res;
1191+
1192+ smp_mb();
1193+
1194+ do {
1195+ __asm__ __volatile__("@ atomic_cmpxchg_unchecked\n"
1196+ "ldrex %1, [%3]\n"
1197+ "mov %0, #0\n"
1198+ "teq %1, %4\n"
1199+ "strexeq %0, %5, [%3]\n"
1200+ : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
1201+ : "r" (&ptr->counter), "Ir" (old), "r" (new)
1202+ : "cc");
1203+ } while (res);
1204+
1205+ smp_mb();
1206+
1207+ return oldval;
1208+}
1209+
1210 #else /* ARM_ARCH_6 */
1211
1212 #ifdef CONFIG_SMP
1213 #error SMP not supported on pre-ARMv6 CPUs
1214 #endif
1215
1216-#define ATOMIC_OP(op, c_op, asm_op) \
1217-static inline void atomic_##op(int i, atomic_t *v) \
1218+#define __ATOMIC_OP(op, suffix, c_op, asm_op) \
1219+static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \
1220 { \
1221 unsigned long flags; \
1222 \
1223@@ -147,8 +234,11 @@ static inline void atomic_##op(int i, atomic_t *v) \
1224 raw_local_irq_restore(flags); \
1225 } \
1226
1227-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
1228-static inline int atomic_##op##_return(int i, atomic_t *v) \
1229+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op) \
1230+ __ATOMIC_OP(op, _unchecked, c_op, asm_op)
1231+
1232+#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op) \
1233+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
1234 { \
1235 unsigned long flags; \
1236 int val; \
1237@@ -161,6 +251,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1238 return val; \
1239 }
1240
1241+#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, , c_op, asm_op)\
1242+ __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op)
1243+
1244 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
1245 {
1246 int ret;
1247@@ -175,6 +268,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
1248 return ret;
1249 }
1250
1251+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
1252+{
1253+ return atomic_cmpxchg((atomic_t *)v, old, new);
1254+}
1255+
1256 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1257 {
1258 int c, old;
1259@@ -196,16 +294,38 @@ ATOMIC_OPS(sub, -=, sub)
1260
1261 #undef ATOMIC_OPS
1262 #undef ATOMIC_OP_RETURN
1263+#undef __ATOMIC_OP_RETURN
1264 #undef ATOMIC_OP
1265+#undef __ATOMIC_OP
1266
1267 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
1268+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
1269+{
1270+ return xchg(&v->counter, new);
1271+}
1272
1273 #define atomic_inc(v) atomic_add(1, v)
1274+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
1275+{
1276+ atomic_add_unchecked(1, v);
1277+}
1278 #define atomic_dec(v) atomic_sub(1, v)
1279+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
1280+{
1281+ atomic_sub_unchecked(1, v);
1282+}
1283
1284 #define atomic_inc_and_test(v) (atomic_add_return(1, v) == 0)
1285+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
1286+{
1287+ return atomic_add_return_unchecked(1, v) == 0;
1288+}
1289 #define atomic_dec_and_test(v) (atomic_sub_return(1, v) == 0)
1290 #define atomic_inc_return(v) (atomic_add_return(1, v))
1291+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
1292+{
1293+ return atomic_add_return_unchecked(1, v);
1294+}
1295 #define atomic_dec_return(v) (atomic_sub_return(1, v))
1296 #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
1297
1298@@ -216,6 +336,14 @@ typedef struct {
1299 long long counter;
1300 } atomic64_t;
1301
1302+#ifdef CONFIG_PAX_REFCOUNT
1303+typedef struct {
1304+ long long counter;
1305+} atomic64_unchecked_t;
1306+#else
1307+typedef atomic64_t atomic64_unchecked_t;
1308+#endif
1309+
1310 #define ATOMIC64_INIT(i) { (i) }
1311
1312 #ifdef CONFIG_ARM_LPAE
1313@@ -232,6 +360,19 @@ static inline long long atomic64_read(const atomic64_t *v)
1314 return result;
1315 }
1316
1317+static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v)
1318+{
1319+ long long result;
1320+
1321+ __asm__ __volatile__("@ atomic64_read_unchecked\n"
1322+" ldrd %0, %H0, [%1]"
1323+ : "=&r" (result)
1324+ : "r" (&v->counter), "Qo" (v->counter)
1325+ );
1326+
1327+ return result;
1328+}
1329+
1330 static inline void atomic64_set(atomic64_t *v, long long i)
1331 {
1332 __asm__ __volatile__("@ atomic64_set\n"
1333@@ -240,6 +381,15 @@ static inline void atomic64_set(atomic64_t *v, long long i)
1334 : "r" (&v->counter), "r" (i)
1335 );
1336 }
1337+
1338+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
1339+{
1340+ __asm__ __volatile__("@ atomic64_set_unchecked\n"
1341+" strd %2, %H2, [%1]"
1342+ : "=Qo" (v->counter)
1343+ : "r" (&v->counter), "r" (i)
1344+ );
1345+}
1346 #else
1347 static inline long long atomic64_read(const atomic64_t *v)
1348 {
1349@@ -254,6 +404,19 @@ static inline long long atomic64_read(const atomic64_t *v)
1350 return result;
1351 }
1352
1353+static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v)
1354+{
1355+ long long result;
1356+
1357+ __asm__ __volatile__("@ atomic64_read_unchecked\n"
1358+" ldrexd %0, %H0, [%1]"
1359+ : "=&r" (result)
1360+ : "r" (&v->counter), "Qo" (v->counter)
1361+ );
1362+
1363+ return result;
1364+}
1365+
1366 static inline void atomic64_set(atomic64_t *v, long long i)
1367 {
1368 long long tmp;
1369@@ -268,29 +431,57 @@ static inline void atomic64_set(atomic64_t *v, long long i)
1370 : "r" (&v->counter), "r" (i)
1371 : "cc");
1372 }
1373+
1374+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
1375+{
1376+ long long tmp;
1377+
1378+ prefetchw(&v->counter);
1379+ __asm__ __volatile__("@ atomic64_set_unchecked\n"
1380+"1: ldrexd %0, %H0, [%2]\n"
1381+" strexd %0, %3, %H3, [%2]\n"
1382+" teq %0, #0\n"
1383+" bne 1b"
1384+ : "=&r" (tmp), "=Qo" (v->counter)
1385+ : "r" (&v->counter), "r" (i)
1386+ : "cc");
1387+}
1388 #endif
1389
1390-#define ATOMIC64_OP(op, op1, op2) \
1391-static inline void atomic64_##op(long long i, atomic64_t *v) \
1392+#undef __OVERFLOW_POST_RETURN
1393+#define __OVERFLOW_POST_RETURN \
1394+ " bvc 3f\n" \
1395+" mov %0, %1\n" \
1396+" mov %H0, %H1\n" \
1397+ "2: " REFCOUNT_TRAP_INSN "\n"\
1398+ "3:\n"
1399+
1400+#define __ATOMIC64_OP(op, suffix, op1, op2, post_op, extable) \
1401+static inline void atomic64_##op##suffix(long long i, atomic64##suffix##_t *v)\
1402 { \
1403 long long result; \
1404 unsigned long tmp; \
1405 \
1406 prefetchw(&v->counter); \
1407- __asm__ __volatile__("@ atomic64_" #op "\n" \
1408+ __asm__ __volatile__("@ atomic64_" #op #suffix "\n" \
1409 "1: ldrexd %0, %H0, [%3]\n" \
1410 " " #op1 " %Q0, %Q0, %Q4\n" \
1411 " " #op2 " %R0, %R0, %R4\n" \
1412+ post_op \
1413 " strexd %1, %0, %H0, [%3]\n" \
1414 " teq %1, #0\n" \
1415-" bne 1b" \
1416+" bne 1b\n" \
1417+ extable \
1418 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1419 : "r" (&v->counter), "r" (i) \
1420 : "cc"); \
1421 } \
1422
1423-#define ATOMIC64_OP_RETURN(op, op1, op2) \
1424-static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1425+#define ATOMIC64_OP(op, op1, op2) __ATOMIC64_OP(op, _unchecked, op1, op2, , ) \
1426+ __ATOMIC64_OP(op, , op1, op2##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
1427+
1428+#define __ATOMIC64_OP_RETURN(op, suffix, op1, op2, post_op, extable) \
1429+static inline long long atomic64_##op##_return##suffix(long long i, atomic64##suffix##_t *v) \
1430 { \
1431 long long result; \
1432 unsigned long tmp; \
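Review bot: The 64-bit `__OVERFLOW_POST_RETURN` is re-defined here outside any `#ifdef CONFIG_PAX_REFCOUNT`, unlike the first definition near the top of the file, whose `#else` arm leaves all three `__OVERFLOW_*` macros empty. With `CONFIG_PAX_REFCOUNT` disabled, `__OVERFLOW_EXTABLE` stays empty, so the checked `atomic64_*_return` functions would, as far as these hunks show, still contain the `bvc`/`REFCOUNT_TRAP_INSN` sequence but no exception-table entry for it. Guarding the redefinition restores the intended no-op: put `#ifdef CONFIG_PAX_REFCOUNT` before the `#undef __OVERFLOW_POST_RETURN` line and `#endif` after its `"3:\n"` line. The `__ATOMIC64_OP_RETURN` macro body continues past the end of this hunk.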
1433@@ -298,13 +489,15 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1434 smp_mb(); \
1435 prefetchw(&v->counter); \
1436 \
1437- __asm__ __volatile__("@ atomic64_" #op "_return\n" \
1438+ __asm__ __volatile__("@ atomic64_" #op "_return" #suffix "\n" \
1439 "1: ldrexd %0, %H0, [%3]\n" \
1440 " " #op1 " %Q0, %Q0, %Q4\n" \
1441 " " #op2 " %R0, %R0, %R4\n" \
1442+ post_op \
1443 " strexd %1, %0, %H0, [%3]\n" \
1444 " teq %1, #0\n" \
1445-" bne 1b" \
1446+" bne 1b\n" \
1447+ extable \
1448 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1449 : "r" (&v->counter), "r" (i) \
1450 : "cc"); \
1451@@ -314,6 +507,9 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1452 return result; \
1453 }
1454
1455+#define ATOMIC64_OP_RETURN(op, op1, op2) __ATOMIC64_OP_RETURN(op, _unchecked, op1, op2, , ) \
1456+ __ATOMIC64_OP_RETURN(op, , op1, op2##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)
1457+
1458 #define ATOMIC64_OPS(op, op1, op2) \
1459 ATOMIC64_OP(op, op1, op2) \
1460 ATOMIC64_OP_RETURN(op, op1, op2)
1461@@ -323,7 +519,12 @@ ATOMIC64_OPS(sub, subs, sbc)
1462
1463 #undef ATOMIC64_OPS
1464 #undef ATOMIC64_OP_RETURN
1465+#undef __ATOMIC64_OP_RETURN
1466 #undef ATOMIC64_OP
1467+#undef __ATOMIC64_OP
1468+#undef __OVERFLOW_EXTABLE
1469+#undef __OVERFLOW_POST_RETURN
1470+#undef __OVERFLOW_POST
1471
1472 static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
1473 long long new)
1474@@ -351,6 +552,31 @@ static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
1475 return oldval;
1476 }
1477
1478+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, long long old,
1479+ long long new)
1480+{
1481+ long long oldval;
1482+ unsigned long res;
1483+
1484+ smp_mb();
1485+
1486+ do {
1487+ __asm__ __volatile__("@ atomic64_cmpxchg_unchecked\n"
1488+ "ldrexd %1, %H1, [%3]\n"
1489+ "mov %0, #0\n"
1490+ "teq %1, %4\n"
1491+ "teqeq %H1, %H4\n"
1492+ "strexdeq %0, %5, %H5, [%3]"
1493+ : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
1494+ : "r" (&ptr->counter), "r" (old), "r" (new)
1495+ : "cc");
1496+ } while (res);
1497+
1498+ smp_mb();
1499+
1500+ return oldval;
1501+}
1502+
1503 static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
1504 {
1505 long long result;
1506@@ -376,21 +602,35 @@ static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
1507 static inline long long atomic64_dec_if_positive(atomic64_t *v)
1508 {
1509 long long result;
1510- unsigned long tmp;
1511+ u64 tmp;
1512
1513 smp_mb();
1514 prefetchw(&v->counter);
1515
1516 __asm__ __volatile__("@ atomic64_dec_if_positive\n"
1517-"1: ldrexd %0, %H0, [%3]\n"
1518-" subs %Q0, %Q0, #1\n"
1519-" sbc %R0, %R0, #0\n"
1520+"1: ldrexd %1, %H1, [%3]\n"
1521+" subs %Q0, %Q1, #1\n"
1522+" sbcs %R0, %R1, #0\n"
1523+
1524+#ifdef CONFIG_PAX_REFCOUNT
1525+" bvc 3f\n"
1526+" mov %Q0, %Q1\n"
1527+" mov %R0, %R1\n"
1528+"2: " REFCOUNT_TRAP_INSN "\n"
1529+"3:\n"
1530+#endif
1531+
1532 " teq %R0, #0\n"
1533-" bmi 2f\n"
1534+" bmi 4f\n"
1535 " strexd %1, %0, %H0, [%3]\n"
1536 " teq %1, #0\n"
1537 " bne 1b\n"
1538-"2:"
1539+"4:\n"
1540+
1541+#ifdef CONFIG_PAX_REFCOUNT
1542+ _ASM_EXTABLE(2b, 4b)
1543+#endif
1544+
1545 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1546 : "r" (&v->counter)
1547 : "cc");
1548@@ -414,13 +654,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
1549 " teq %0, %5\n"
1550 " teqeq %H0, %H5\n"
1551 " moveq %1, #0\n"
1552-" beq 2f\n"
1553+" beq 4f\n"
1554 " adds %Q0, %Q0, %Q6\n"
1555-" adc %R0, %R0, %R6\n"
1556+" adcs %R0, %R0, %R6\n"
1557+
1558+#ifdef CONFIG_PAX_REFCOUNT
1559+" bvc 3f\n"
1560+"2: " REFCOUNT_TRAP_INSN "\n"
1561+"3:\n"
1562+#endif
1563+
1564 " strexd %2, %0, %H0, [%4]\n"
1565 " teq %2, #0\n"
1566 " bne 1b\n"
1567-"2:"
1568+"4:\n"
1569+
1570+#ifdef CONFIG_PAX_REFCOUNT
1571+ _ASM_EXTABLE(2b, 4b)
1572+#endif
1573+
1574 : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter)
1575 : "r" (&v->counter), "r" (u), "r" (a)
1576 : "cc");
1577@@ -433,10 +685,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
1578
1579 #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0)
1580 #define atomic64_inc(v) atomic64_add(1LL, (v))
1581+#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1LL, (v))
1582 #define atomic64_inc_return(v) atomic64_add_return(1LL, (v))
1583+#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1LL, (v))
1584 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
1585 #define atomic64_sub_and_test(a, v) (atomic64_sub_return((a), (v)) == 0)
1586 #define atomic64_dec(v) atomic64_sub(1LL, (v))
1587+#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1LL, (v))
1588 #define atomic64_dec_return(v) atomic64_sub_return(1LL, (v))
1589 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
1590 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
1591diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h
1592index 6c2327e..85beac4 100644
1593--- a/arch/arm/include/asm/barrier.h
1594+++ b/arch/arm/include/asm/barrier.h
1595@@ -67,7 +67,7 @@
1596 do { \
1597 compiletime_assert_atomic_type(*p); \
1598 smp_mb(); \
1599- ACCESS_ONCE(*p) = (v); \
1600+ ACCESS_ONCE_RW(*p) = (v); \
1601 } while (0)
1602
1603 #define smp_load_acquire(p) \
1604diff --git a/arch/arm/include/asm/cache.h b/arch/arm/include/asm/cache.h
1605index 75fe66b..ba3dee4 100644
1606--- a/arch/arm/include/asm/cache.h
1607+++ b/arch/arm/include/asm/cache.h
1608@@ -4,8 +4,10 @@
1609 #ifndef __ASMARM_CACHE_H
1610 #define __ASMARM_CACHE_H
1611
1612+#include <linux/const.h>
1613+
1614 #define L1_CACHE_SHIFT CONFIG_ARM_L1_CACHE_SHIFT
1615-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
1616+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
1617
1618 /*
1619 * Memory returned by kmalloc() may be used for DMA, so we must make
1620@@ -24,5 +26,6 @@
1621 #endif
1622
1623 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
1624+#define __read_only __attribute__ ((__section__(".data..read_only")))
1625
1626 #endif
1627diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
1628index 4812cda..9da8116 100644
1629--- a/arch/arm/include/asm/cacheflush.h
1630+++ b/arch/arm/include/asm/cacheflush.h
1631@@ -116,7 +116,7 @@ struct cpu_cache_fns {
1632 void (*dma_unmap_area)(const void *, size_t, int);
1633
1634 void (*dma_flush_range)(const void *, const void *);
1635-};
1636+} __no_const;
1637
1638 /*
1639 * Select the calling method
1640diff --git a/arch/arm/include/asm/checksum.h b/arch/arm/include/asm/checksum.h
1641index 5233151..87a71fa 100644
1642--- a/arch/arm/include/asm/checksum.h
1643+++ b/arch/arm/include/asm/checksum.h
1644@@ -37,7 +37,19 @@ __wsum
1645 csum_partial_copy_nocheck(const void *src, void *dst, int len, __wsum sum);
1646
1647 __wsum
1648-csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
1649+__csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
1650+
1651+static inline __wsum
1652+csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr)
1653+{
1654+ __wsum ret;
1655+ pax_open_userland();
1656+ ret = __csum_partial_copy_from_user(src, dst, len, sum, err_ptr);
1657+ pax_close_userland();
1658+ return ret;
1659+}
1660+
1661+
1662
1663 /*
1664 * Fold a partial checksum without adding pseudo headers
1665diff --git a/arch/arm/include/asm/cmpxchg.h b/arch/arm/include/asm/cmpxchg.h
1666index 1692a05..1835802 100644
1667--- a/arch/arm/include/asm/cmpxchg.h
1668+++ b/arch/arm/include/asm/cmpxchg.h
1669@@ -107,6 +107,10 @@ static inline unsigned long __xchg(unsigned long x, volatile void *ptr, int size
1670 (__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), \
1671 sizeof(*(ptr))); \
1672 })
1673+#define xchg_unchecked(ptr, x) ({ \
1674+ (__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), \
1675+ sizeof(*(ptr))); \
1676+})
1677
1678 #include <asm-generic/cmpxchg-local.h>
1679
1680diff --git a/arch/arm/include/asm/cpuidle.h b/arch/arm/include/asm/cpuidle.h
1681index 0f84249..8e83c55 100644
1682--- a/arch/arm/include/asm/cpuidle.h
1683+++ b/arch/arm/include/asm/cpuidle.h
1684@@ -32,7 +32,7 @@ struct device_node;
1685 struct cpuidle_ops {
1686 int (*suspend)(int cpu, unsigned long arg);
1687 int (*init)(struct device_node *, int cpu);
1688-};
1689+} __no_const;
1690
1691 struct of_cpuidle_method {
1692 const char *method;
1693diff --git a/arch/arm/include/asm/domain.h b/arch/arm/include/asm/domain.h
1694index 6ddbe44..b5e38b1a 100644
1695--- a/arch/arm/include/asm/domain.h
1696+++ b/arch/arm/include/asm/domain.h
1697@@ -48,18 +48,37 @@
1698 * Domain types
1699 */
1700 #define DOMAIN_NOACCESS 0
1701-#define DOMAIN_CLIENT 1
1702 #ifdef CONFIG_CPU_USE_DOMAINS
1703+#define DOMAIN_USERCLIENT 1
1704+#define DOMAIN_KERNELCLIENT 1
1705 #define DOMAIN_MANAGER 3
1706+#define DOMAIN_VECTORS DOMAIN_USER
1707 #else
1708+
1709+#ifdef CONFIG_PAX_KERNEXEC
1710 #define DOMAIN_MANAGER 1
1711+#define DOMAIN_KERNEXEC 3
1712+#else
1713+#define DOMAIN_MANAGER 1
1714+#endif
1715+
1716+#ifdef CONFIG_PAX_MEMORY_UDEREF
1717+#define DOMAIN_USERCLIENT 0
1718+#define DOMAIN_UDEREF 1
1719+#define DOMAIN_VECTORS DOMAIN_KERNEL
1720+#else
1721+#define DOMAIN_USERCLIENT 1
1722+#define DOMAIN_VECTORS DOMAIN_USER
1723+#endif
1724+#define DOMAIN_KERNELCLIENT 1
1725+
1726 #endif
1727
1728 #define domain_val(dom,type) ((type) << (2*(dom)))
1729
1730 #ifndef __ASSEMBLY__
1731
1732-#ifdef CONFIG_CPU_USE_DOMAINS
1733+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1734 static inline void set_domain(unsigned val)
1735 {
1736 asm volatile(
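Review bot: `DOMAIN_MANAGER` is defined as 1 in both arms of the new `#ifdef CONFIG_PAX_KERNEXEC` block, so the conditional only really adds `DOMAIN_KERNEXEC`. Hoisting `#define DOMAIN_MANAGER 1` above the `#ifdef` and keeping just `#define DOMAIN_KERNEXEC 3` inside it makes that obvious. The `CONFIG_PAX_MEMORY_UDEREF` arm also deserves a comment: there `DOMAIN_USERCLIENT` becomes 0, the same value as `DOMAIN_NOACCESS`, and `DOMAIN_UDEREF` takes the client value 1, presumably so that the user domain is closed by default and opened only around user accesses. `DOMAIN_VECTORS` expands to `DOMAIN_USER` or `DOMAIN_KERNEL`, neither of which is defined in this hunk, so the comment should say where they come from.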
1737@@ -68,15 +87,7 @@ static inline void set_domain(unsigned val)
1738 isb();
1739 }
1740
1741-#define modify_domain(dom,type) \
1742- do { \
1743- struct thread_info *thread = current_thread_info(); \
1744- unsigned int domain = thread->cpu_domain; \
1745- domain &= ~domain_val(dom, DOMAIN_MANAGER); \
1746- thread->cpu_domain = domain | domain_val(dom, type); \
1747- set_domain(thread->cpu_domain); \
1748- } while (0)
1749-
1750+extern void modify_domain(unsigned int dom, unsigned int type);
1751 #else
1752 static inline void set_domain(unsigned val) { }
1753 static inline void modify_domain(unsigned dom, unsigned type) { }
1754diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
1755index d2315ff..f60b47b 100644
1756--- a/arch/arm/include/asm/elf.h
1757+++ b/arch/arm/include/asm/elf.h
1758@@ -117,7 +117,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
1759 the loader. We need to make sure that it is out of the way of the program
1760 that it will "exec", and that there is sufficient room for the brk. */
1761
1762-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1763+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1764+
1765+#ifdef CONFIG_PAX_ASLR
1766+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
1767+
1768+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
1769+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
1770+#endif
1771
1772 /* When the program starts, a1 contains a pointer to a function to be
1773 registered with atexit, as per the SVR4 ABI. A value of 0 means we
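Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare `current->personality` with `PER_LINUX_32BIT` for exact equality, so a task whose personality word carries any additional flag bit would fall into the `10` branch and get the smaller value. If the intent is to tell 32-bit from 26-bit address-space tasks, testing the relevant bit, e.g. `(current->personality & ADDR_LIMIT_32BIT) ? 16 : 10`, would not depend on the other flags. Whether flag bits can be set at the points where these macros are evaluated is not visible here. The two constants also lack a comment giving their unit (they read as a number of randomised bits) and the reason `PAX_ELF_ET_DYN_BASE` is `0x00008000UL`.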
1774diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h
1775index de53547..52b9a28 100644
1776--- a/arch/arm/include/asm/fncpy.h
1777+++ b/arch/arm/include/asm/fncpy.h
1778@@ -81,7 +81,9 @@
1779 BUG_ON((uintptr_t)(dest_buf) & (FNCPY_ALIGN - 1) || \
1780 (__funcp_address & ~(uintptr_t)1 & (FNCPY_ALIGN - 1))); \
1781 \
1782+ pax_open_kernel(); \
1783 memcpy(dest_buf, (void const *)(__funcp_address & ~1), size); \
1784+ pax_close_kernel(); \
1785 flush_icache_range((unsigned long)(dest_buf), \
1786 (unsigned long)(dest_buf) + (size)); \
1787 \
1788diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
1789index 5eed828..365e018 100644
1790--- a/arch/arm/include/asm/futex.h
1791+++ b/arch/arm/include/asm/futex.h
1792@@ -46,6 +46,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1793 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
1794 return -EFAULT;
1795
1796+ pax_open_userland();
1797+
1798 smp_mb();
1799 /* Prefetching cannot fault */
1800 prefetchw(uaddr);
1801@@ -63,6 +65,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1802 : "cc", "memory");
1803 smp_mb();
1804
1805+ pax_close_userland();
1806+
1807 *uval = val;
1808 return ret;
1809 }
1810@@ -94,6 +98,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1811 return -EFAULT;
1812
1813 preempt_disable();
1814+ pax_open_userland();
1815+
1816 __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
1817 "1: " TUSER(ldr) " %1, [%4]\n"
1818 " teq %1, %2\n"
1819@@ -104,6 +110,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1820 : "r" (oldval), "r" (newval), "r" (uaddr), "Ir" (-EFAULT)
1821 : "cc", "memory");
1822
1823+ pax_close_userland();
1824+
1825 *uval = val;
1826 preempt_enable();
1827
1828@@ -131,6 +139,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
1829 preempt_disable();
1830 #endif
1831 pagefault_disable();
1832+ pax_open_userland();
1833
1834 switch (op) {
1835 case FUTEX_OP_SET:
1836@@ -152,6 +161,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
1837 ret = -ENOSYS;
1838 }
1839
1840+ pax_close_userland();
1841 pagefault_enable();
1842 #ifndef CONFIG_SMP
1843 preempt_enable();
1844diff --git a/arch/arm/include/asm/kmap_types.h b/arch/arm/include/asm/kmap_types.h
1845index 83eb2f7..ed77159 100644
1846--- a/arch/arm/include/asm/kmap_types.h
1847+++ b/arch/arm/include/asm/kmap_types.h
1848@@ -4,6 +4,6 @@
1849 /*
1850 * This is the "bare minimum". AIO seems to require this.
1851 */
1852-#define KM_TYPE_NR 16
1853+#define KM_TYPE_NR 17
1854
1855 #endif
1856diff --git a/arch/arm/include/asm/mach/dma.h b/arch/arm/include/asm/mach/dma.h
1857index 9e614a1..3302cca 100644
1858--- a/arch/arm/include/asm/mach/dma.h
1859+++ b/arch/arm/include/asm/mach/dma.h
1860@@ -22,7 +22,7 @@ struct dma_ops {
1861 int (*residue)(unsigned int, dma_t *); /* optional */
1862 int (*setspeed)(unsigned int, dma_t *, int); /* optional */
1863 const char *type;
1864-};
1865+} __do_const;
1866
1867 struct dma_struct {
1868 void *addr; /* single DMA address */
1869diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h
1870index f98c7f3..e5c626d 100644
1871--- a/arch/arm/include/asm/mach/map.h
1872+++ b/arch/arm/include/asm/mach/map.h
1873@@ -23,17 +23,19 @@ struct map_desc {
1874
1875 /* types 0-3 are defined in asm/io.h */
1876 enum {
1877- MT_UNCACHED = 4,
1878- MT_CACHECLEAN,
1879- MT_MINICLEAN,
1880+ MT_UNCACHED_RW = 4,
1881+ MT_CACHECLEAN_RO,
1882+ MT_MINICLEAN_RO,
1883 MT_LOW_VECTORS,
1884 MT_HIGH_VECTORS,
1885- MT_MEMORY_RWX,
1886+ __MT_MEMORY_RWX,
1887 MT_MEMORY_RW,
1888- MT_ROM,
1889- MT_MEMORY_RWX_NONCACHED,
1890+ MT_MEMORY_RX,
1891+ MT_ROM_RX,
1892+ MT_MEMORY_RW_NONCACHED,
1893+ MT_MEMORY_RX_NONCACHED,
1894 MT_MEMORY_RW_DTCM,
1895- MT_MEMORY_RWX_ITCM,
1896+ MT_MEMORY_RX_ITCM,
1897 MT_MEMORY_RW_SO,
1898 MT_MEMORY_DMA_READY,
1899 };
1900diff --git a/arch/arm/include/asm/outercache.h b/arch/arm/include/asm/outercache.h
1901index 563b92f..689d58e 100644
1902--- a/arch/arm/include/asm/outercache.h
1903+++ b/arch/arm/include/asm/outercache.h
1904@@ -39,7 +39,7 @@ struct outer_cache_fns {
1905 /* This is an ARM L2C thing */
1906 void (*write_sec)(unsigned long, unsigned);
1907 void (*configure)(const struct l2x0_regs *);
1908-};
1909+} __no_const;
1910
1911 extern struct outer_cache_fns outer_cache;
1912
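--- a/arch/arm/include/asm/page.h
+++ b/arch/arm/include/asm/page.h
@@ -23,6 +23,7 @@
 
 #else
 
+#include <linux/compiler.h>
 #include <asm/glue.h>
 
 /*
@@ -114,7 +115,7 @@ struct cpu_user_fns {
 void (*cpu_clear_user_highpage)(struct page *page, unsigned long vaddr);
 void (*cpu_copy_user_highpage)(struct page *to, struct page *from,
 unsigned long vaddr, struct vm_area_struct *vma);
-};
+} __no_const;
 
 #ifdef MULTI_USER
 extern struct cpu_user_fns cpu_user;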
1934diff --git a/arch/arm/include/asm/pgalloc.h b/arch/arm/include/asm/pgalloc.h
1935index 19cfab5..3f5c7e9 100644
1936--- a/arch/arm/include/asm/pgalloc.h
1937+++ b/arch/arm/include/asm/pgalloc.h
1938@@ -17,6 +17,7 @@
1939 #include <asm/processor.h>
1940 #include <asm/cacheflush.h>
1941 #include <asm/tlbflush.h>
1942+#include <asm/system_info.h>
1943
1944 #define check_pgt_cache() do { } while (0)
1945
1946@@ -43,6 +44,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1947 set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
1948 }
1949
1950+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1951+{
1952+ pud_populate(mm, pud, pmd);
1953+}
1954+
1955 #else /* !CONFIG_ARM_LPAE */
1956
1957 /*
1958@@ -51,6 +57,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1959 #define pmd_alloc_one(mm,addr) ({ BUG(); ((pmd_t *)2); })
1960 #define pmd_free(mm, pmd) do { } while (0)
1961 #define pud_populate(mm,pmd,pte) BUG()
1962+#define pud_populate_kernel(mm,pmd,pte) BUG()
1963
1964 #endif /* CONFIG_ARM_LPAE */
1965
1966@@ -128,6 +135,19 @@ static inline void pte_free(struct mm_struct *mm, pgtable_t pte)
1967 __free_page(pte);
1968 }
1969
1970+static inline void __section_update(pmd_t *pmdp, unsigned long addr, pmdval_t prot)
1971+{
1972+#ifdef CONFIG_ARM_LPAE
1973+ pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
1974+#else
1975+ if (addr & SECTION_SIZE)
1976+ pmdp[1] = __pmd(pmd_val(pmdp[1]) | prot);
1977+ else
1978+ pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
1979+#endif
1980+ flush_pmd_entry(pmdp);
1981+}
1982+
1983 static inline void __pmd_populate(pmd_t *pmdp, phys_addr_t pte,
1984 pmdval_t prot)
1985 {
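Review bot: `__section_update()` has no comment, and its name hides two constraints that are visible in the body: it can only set bits (`pmd_val(...) | prot`), never clear them, and it does no TLB maintenance, only `flush_pmd_entry(pmdp)`. In the non-LPAE branch it writes `pmdp[1]` when `addr & SECTION_SIZE` is set but still flushes at `pmdp`, so it appears to expect `pmdp` to point at the first entry of the pair. I would state that above the function, for example `/* OR prot into the section entry covering addr; pmdp must be the even entry of the pair; caller invalidates the TLB */`. The final context lines open `__pmd_populate()`, whose body is outside the hunk.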
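--- a/arch/arm/include/asm/pgtable-2level-hwdef.h
+++ b/arch/arm/include/asm/pgtable-2level-hwdef.h
@@ -27,7 +27,7 @@
 /*
 * - section
 */
-#define PMD_SECT_PXN (_AT(pmdval_t, 1) << 0) /* v7 */
+#define PMD_SECT_PXN (_AT(pmdval_t, 1) << 0) /* v7 */
 #define PMD_SECT_BUFFERABLE (_AT(pmdval_t, 1) << 2)
 #define PMD_SECT_CACHEABLE (_AT(pmdval_t, 1) << 3)
 #define PMD_SECT_XN (_AT(pmdval_t, 1) << 4) /* v6 */
@@ -39,6 +39,7 @@
 #define PMD_SECT_nG (_AT(pmdval_t, 1) << 17) /* v6 */
 #define PMD_SECT_SUPER (_AT(pmdval_t, 1) << 18) /* v6 */
 #define PMD_SECT_AF (_AT(pmdval_t, 0))
+#define PMD_SECT_RDONLY (_AT(pmdval_t, 0))
 
 #define PMD_SECT_UNCACHED (_AT(pmdval_t, 0))
 #define PMD_SECT_BUFFERED (PMD_SECT_BUFFERABLE)
@@ -68,6 +69,7 @@
 * - extended small page/tiny page
 */
 #define PTE_EXT_XN (_AT(pteval_t, 1) << 0) /* v6 */
+#define PTE_EXT_PXN (_AT(pteval_t, 1) << 2) /* v7 */
 #define PTE_EXT_AP_MASK (_AT(pteval_t, 3) << 4)
 #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4)
 #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4)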
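Review bot: `PTE_EXT_PXN` is added as bit 2 of a small-page PTE, while the comment this same patch adds in pgtable-2level.h says two-level tables have PXN only in the PGD, not in the PTE. One of the two statements needs correcting, or the define needs a comment naming the descriptor it is really meant for, because setting an unrelated PTE bit in the belief that it blocks privileged execution gives no protection. `PMD_SECT_RDONLY` is likewise defined as `(_AT(pmdval_t, 0))`, so OR-ing it into a section entry changes nothing on this format. I would mark it as such at the define: `/* placeholder: expands to 0, does not make a 2-level section read-only */`.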
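--- a/arch/arm/include/asm/pgtable-2level.h
+++ b/arch/arm/include/asm/pgtable-2level.h
@@ -127,6 +127,9 @@
 #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */
 #define L_PTE_NONE (_AT(pteval_t, 1) << 11)
 
+/* Two-level page tables only have PXN in the PGD, not in the PTE. */
+#define L_PTE_PXN (_AT(pteval_t, 0))
+
 /*
 * These are the memory types, defined to be compatible with
 * pre-ARMv6 CPUs cacheable and bufferable bits: n/a,n/a,C,B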
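--- a/arch/arm/include/asm/pgtable-3level.h
+++ b/arch/arm/include/asm/pgtable-3level.h
@@ -80,6 +80,7 @@
 #define L_PTE_USER (_AT(pteval_t, 1) << 6) /* AP[1] */
 #define L_PTE_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */
 #define L_PTE_YOUNG (_AT(pteval_t, 1) << 10) /* AF */
+#define L_PTE_PXN (_AT(pteval_t, 1) << 53) /* PXN */
 #define L_PTE_XN (_AT(pteval_t, 1) << 54) /* XN */
 #define L_PTE_DIRTY (_AT(pteval_t, 1) << 55)
 #define L_PTE_SPECIAL (_AT(pteval_t, 1) << 56)
@@ -91,10 +92,12 @@
 #define L_PMD_SECT_SPLITTING (_AT(pmdval_t, 1) << 56)
 #define L_PMD_SECT_NONE (_AT(pmdval_t, 1) << 57)
 #define L_PMD_SECT_RDONLY (_AT(pteval_t, 1) << 58)
+#define PMD_SECT_RDONLY PMD_SECT_AP2
 
 /*
 * To be used in assembly code with the upper page attributes.
 */
+#define L_PTE_PXN_HIGH (1 << (53 - 32))
 #define L_PTE_XN_HIGH (1 << (54 - 32))
 #define L_PTE_DIRTY_HIGH (1 << (55 - 32))
 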
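Review bot: After the second hunk the header holds both `L_PMD_SECT_RDONLY` (bit 58) and the new `PMD_SECT_RDONLY` (an alias for `PMD_SECT_AP2`), two names one prefix apart with different values. Picking the wrong one when building a section entry would either leave the mapping writable or set an unrelated bit, and nothing at the define tells them apart. If the intended distinction is hardware bit versus the Linux-side flag, say so on the new line: `/* hardware AP[2] read-only bit for section entries; not the same as L_PMD_SECT_RDONLY */`.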
2054diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
2055index f403541..b10df68 100644
2056--- a/arch/arm/include/asm/pgtable.h
2057+++ b/arch/arm/include/asm/pgtable.h
2058@@ -33,6 +33,9 @@
2059 #include <asm/pgtable-2level.h>
2060 #endif
2061
2062+#define ktla_ktva(addr) (addr)
2063+#define ktva_ktla(addr) (addr)
2064+
2065 /*
2066 * Just any arbitrary offset to the start of the vmalloc VM area: the
2067 * current 8MB value just means that there will be a 8MB "hole" after the
2068@@ -48,6 +51,9 @@
2069 #define LIBRARY_TEXT_START 0x0c000000
2070
2071 #ifndef __ASSEMBLY__
2072+extern pteval_t __supported_pte_mask;
2073+extern pmdval_t __supported_pmd_mask;
2074+
2075 extern void __pte_error(const char *file, int line, pte_t);
2076 extern void __pmd_error(const char *file, int line, pmd_t);
2077 extern void __pgd_error(const char *file, int line, pgd_t);
2078@@ -56,6 +62,48 @@ extern void __pgd_error(const char *file, int line, pgd_t);
2079 #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd)
2080 #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd)
2081
2082+#define __HAVE_ARCH_PAX_OPEN_KERNEL
2083+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
2084+
2085+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2086+#include <asm/domain.h>
2087+#include <linux/thread_info.h>
2088+#include <linux/preempt.h>
2089+
2090+static inline int test_domain(int domain, int domaintype)
2091+{
2092+ return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype);
2093+}
2094+#endif
2095+
2096+#ifdef CONFIG_PAX_KERNEXEC
2097+static inline unsigned long pax_open_kernel(void) {
2098+#ifdef CONFIG_ARM_LPAE
2099+ /* TODO */
2100+#else
2101+ preempt_disable();
2102+ BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC));
2103+ modify_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC);
2104+#endif
2105+ return 0;
2106+}
2107+
2108+static inline unsigned long pax_close_kernel(void) {
2109+#ifdef CONFIG_ARM_LPAE
2110+ /* TODO */
2111+#else
2112+ BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_MANAGER));
2113+ /* DOMAIN_MANAGER = "client" under KERNEXEC */
2114+ modify_domain(DOMAIN_KERNEL, DOMAIN_MANAGER);
2115+ preempt_enable_no_resched();
2116+#endif
2117+ return 0;
2118+}
2119+#else
2120+static inline unsigned long pax_open_kernel(void) { return 0; }
2121+static inline unsigned long pax_close_kernel(void) { return 0; }
2122+#endif
2123+
2124 /*
2125 * This is the lowest virtual address we can permit any user space
2126 * mapping to be mapped at. This is particularly important for
2127@@ -75,8 +123,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
2128 /*
2129 * The pgprot_* and protection_map entries will be fixed up in runtime
2130 * to include the cachable and bufferable bits based on memory policy,
2131- * as well as any architecture dependent bits like global/ASID and SMP
2132- * shared mapping bits.
2133+ * as well as any architecture dependent bits like global/ASID, PXN,
2134+ * and SMP shared mapping bits.
2135 */
2136 #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
2137
2138@@ -307,7 +355,7 @@ static inline pte_t pte_mknexec(pte_t pte)
2139 static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
2140 {
2141 const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
2142- L_PTE_NONE | L_PTE_VALID;
2143+ L_PTE_NONE | L_PTE_VALID | __supported_pte_mask;
2144 pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
2145 return pte;
2146 }
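Review bot: Under `CONFIG_ARM_LPAE` both `pax_open_kernel()` and `pax_close_kernel()` reduce to `/* TODO */` and `return 0;`, so with KERNEXEC on an LPAE kernel the pair neither changes a permission nor disables preemption, and callers cannot tell. Unless Kconfig already forbids that combination (not visible here), I would fail the build rather than compile a silent no-op: `#error "PAX_KERNEXEC: pax_open_kernel() is not implemented for ARM_LPAE"`. In the non-LPAE branch the `BUG_ON(test_domain(...))` checks mean the pair cannot be nested, and `preempt_enable_no_resched()` skips a pending reschedule. Both facts belong in a comment above `pax_open_kernel()`, since every caller has to respect them.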
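--- a/arch/arm/include/asm/psci.h
+++ b/arch/arm/include/asm/psci.h
@@ -32,7 +32,7 @@ struct psci_operations {
 int (*affinity_info)(unsigned long target_affinity,
 unsigned long lowest_affinity_level);
 int (*migrate_info_type)(void);
-};
+} __no_const;
 
 extern struct psci_operations psci_ops;
 extern struct smp_operations psci_smp_ops;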
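--- a/arch/arm/include/asm/smp.h
+++ b/arch/arm/include/asm/smp.h
@@ -108,7 +108,7 @@ struct smp_operations {
 int (*cpu_disable)(unsigned int cpu);
 #endif
 #endif
-};
+} __no_const;
 
 struct of_cpu_method {
 const char *method;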
2173diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
2174index bd32ede..bd90a0b 100644
2175--- a/arch/arm/include/asm/thread_info.h
2176+++ b/arch/arm/include/asm/thread_info.h
2177@@ -74,9 +74,9 @@ struct thread_info {
2178 .flags = 0, \
2179 .preempt_count = INIT_PREEMPT_COUNT, \
2180 .addr_limit = KERNEL_DS, \
2181- .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
2182- domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
2183- domain_val(DOMAIN_IO, DOMAIN_CLIENT), \
2184+ .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \
2185+ domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT) | \
2186+ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT), \
2187 }
2188
2189 #define init_thread_info (init_thread_union.thread_info)
2190@@ -152,7 +152,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2191 #define TIF_SYSCALL_AUDIT 9
2192 #define TIF_SYSCALL_TRACEPOINT 10
2193 #define TIF_SECCOMP 11 /* seccomp syscall filtering active */
2194-#define TIF_NOHZ 12 /* in adaptive nohz mode */
2195+/* within 8 bits of TIF_SYSCALL_TRACE
2196+ * to meet flexible second operand requirements
2197+ */
2198+#define TIF_GRSEC_SETXID 12
2199+#define TIF_NOHZ 13 /* in adaptive nohz mode */
2200 #define TIF_USING_IWMMXT 17
2201 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
2202 #define TIF_RESTORE_SIGMASK 20
2203@@ -166,10 +170,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2204 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
2205 #define _TIF_SECCOMP (1 << TIF_SECCOMP)
2206 #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
2207+#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID)
2208
2209 /* Checks for any syscall work in entry-common.S */
2210 #define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
2211- _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
2212+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | _TIF_GRSEC_SETXID)
2213
2214 /*
2215 * Change these and you break ASM code in entry-common.S
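Review bot: The comment above `TIF_GRSEC_SETXID` gives the placement rule only as "within 8 bits of TIF_SYSCALL_TRACE" and does not name what depends on it. From the last hunk that appears to be `_TIF_SYSCALL_WORK`, which now includes `_TIF_GRSEC_SETXID` and is checked in entry-common.S. Suggested wording: `/* must stay within 8 bits of TIF_SYSCALL_TRACE so that _TIF_SYSCALL_WORK still fits one ARM immediate operand */`. The same hunk moves `TIF_NOHZ` from 12 to 13 without a word; that is fine for code using the name, but worth stating in the commit description.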
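--- a/arch/arm/include/asm/tls.h
+++ b/arch/arm/include/asm/tls.h
@@ -3,6 +3,7 @@
 
 #include <linux/compiler.h>
 #include <asm/thread_info.h>
+#include <asm/pgtable.h>
 
 #ifdef __ASSEMBLY__
 #include <asm/asm-offsets.h>
@@ -89,7 +90,9 @@ static inline void set_tls(unsigned long val)
 * at 0xffff0fe0 must be used instead. (see
 * entry-armv.S for details)
 */
+ pax_open_kernel();
 *((unsigned int *)0xffff0ff0) = val;
+ pax_close_kernel();
 #endif
 }
 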
2238diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
2239index 74b17d0..7e6da4b 100644
2240--- a/arch/arm/include/asm/uaccess.h
2241+++ b/arch/arm/include/asm/uaccess.h
2242@@ -18,6 +18,7 @@
2243 #include <asm/domain.h>
2244 #include <asm/unified.h>
2245 #include <asm/compiler.h>
2246+#include <asm/pgtable.h>
2247
2248 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2249 #include <asm-generic/uaccess-unaligned.h>
2250@@ -70,11 +71,38 @@ extern int __put_user_bad(void);
2251 static inline void set_fs(mm_segment_t fs)
2252 {
2253 current_thread_info()->addr_limit = fs;
2254- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
2255+ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
2256 }
2257
2258 #define segment_eq(a, b) ((a) == (b))
2259
2260+#define __HAVE_ARCH_PAX_OPEN_USERLAND
2261+#define __HAVE_ARCH_PAX_CLOSE_USERLAND
2262+
2263+static inline void pax_open_userland(void)
2264+{
2265+
2266+#ifdef CONFIG_PAX_MEMORY_UDEREF
2267+ if (segment_eq(get_fs(), USER_DS)) {
2268+ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF));
2269+ modify_domain(DOMAIN_USER, DOMAIN_UDEREF);
2270+ }
2271+#endif
2272+
2273+}
2274+
2275+static inline void pax_close_userland(void)
2276+{
2277+
2278+#ifdef CONFIG_PAX_MEMORY_UDEREF
2279+ if (segment_eq(get_fs(), USER_DS)) {
2280+ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS));
2281+ modify_domain(DOMAIN_USER, DOMAIN_NOACCESS);
2282+ }
2283+#endif
2284+
2285+}
2286+
2287 #define __addr_ok(addr) ({ \
2288 unsigned long flag; \
2289 __asm__("cmp %2, %0; movlo %0, #0" \
2290@@ -198,8 +226,12 @@ extern int __get_user_64t_4(void *);
2291
2292 #define get_user(x, p) \
2293 ({ \
2294+ int __e; \
2295 might_fault(); \
2296- __get_user_check(x, p); \
2297+ pax_open_userland(); \
2298+ __e = __get_user_check((x), (p)); \
2299+ pax_close_userland(); \
2300+ __e; \
2301 })
2302
2303 extern int __put_user_1(void *, unsigned int);
2304@@ -244,8 +276,12 @@ extern int __put_user_8(void *, unsigned long long);
2305
2306 #define put_user(x, p) \
2307 ({ \
2308+ int __e; \
2309 might_fault(); \
2310- __put_user_check(x, p); \
2311+ pax_open_userland(); \
2312+ __e = __put_user_check((x), (p)); \
2313+ pax_close_userland(); \
2314+ __e; \
2315 })
2316
2317 #else /* CONFIG_MMU */
2318@@ -269,6 +305,7 @@ static inline void set_fs(mm_segment_t fs)
2319
2320 #endif /* CONFIG_MMU */
2321
2322+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
2323 #define access_ok(type, addr, size) (__range_ok(addr, size) == 0)
2324
2325 #define user_addr_max() \
2326@@ -286,13 +323,17 @@ static inline void set_fs(mm_segment_t fs)
2327 #define __get_user(x, ptr) \
2328 ({ \
2329 long __gu_err = 0; \
2330+ pax_open_userland(); \
2331 __get_user_err((x), (ptr), __gu_err); \
2332+ pax_close_userland(); \
2333 __gu_err; \
2334 })
2335
2336 #define __get_user_error(x, ptr, err) \
2337 ({ \
2338+ pax_open_userland(); \
2339 __get_user_err((x), (ptr), err); \
2340+ pax_close_userland(); \
2341 (void) 0; \
2342 })
2343
2344@@ -368,13 +409,17 @@ do { \
2345 #define __put_user(x, ptr) \
2346 ({ \
2347 long __pu_err = 0; \
2348+ pax_open_userland(); \
2349 __put_user_err((x), (ptr), __pu_err); \
2350+ pax_close_userland(); \
2351 __pu_err; \
2352 })
2353
2354 #define __put_user_error(x, ptr, err) \
2355 ({ \
2356+ pax_open_userland(); \
2357 __put_user_err((x), (ptr), err); \
2358+ pax_close_userland(); \
2359 (void) 0; \
2360 })
2361
2362@@ -474,11 +519,44 @@ do { \
2363
2364
2365 #ifdef CONFIG_MMU
2366-extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
2367-extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
2368-extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
2369-extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
2370-extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
2371+extern unsigned long __must_check __size_overflow(3) ___copy_from_user(void *to, const void __user *from, unsigned long n);
2372+extern unsigned long __must_check __size_overflow(3) ___copy_to_user(void __user *to, const void *from, unsigned long n);
2373+
2374+static inline unsigned long __must_check __size_overflow(3) __copy_from_user(void *to, const void __user *from, unsigned long n)
2375+{
2376+ unsigned long ret;
2377+
2378+ check_object_size(to, n, false);
2379+ pax_open_userland();
2380+ ret = ___copy_from_user(to, from, n);
2381+ pax_close_userland();
2382+ return ret;
2383+}
2384+
2385+static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
2386+{
2387+ unsigned long ret;
2388+
2389+ check_object_size(from, n, true);
2390+ pax_open_userland();
2391+ ret = ___copy_to_user(to, from, n);
2392+ pax_close_userland();
2393+ return ret;
2394+}
2395+
2396+extern unsigned long __must_check __size_overflow(3) __copy_to_user_std(void __user *to, const void *from, unsigned long n);
2397+extern unsigned long __must_check __size_overflow(2) ___clear_user(void __user *addr, unsigned long n);
2398+extern unsigned long __must_check __size_overflow(2) __clear_user_std(void __user *addr, unsigned long n);
2399+
2400+static inline unsigned long __must_check __clear_user(void __user *addr, unsigned long n)
2401+{
2402+ unsigned long ret;
2403+ pax_open_userland();
2404+ ret = ___clear_user(addr, n);
2405+ pax_close_userland();
2406+ return ret;
2407+}
2408+
2409 #else
2410 #define __copy_from_user(to, from, n) (memcpy(to, (void __force *)from, n), 0)
2411 #define __copy_to_user(to, from, n) (memcpy((void __force *)to, from, n), 0)
2412@@ -487,6 +565,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l
2413
2414 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2415 {
2416+ if ((long)n < 0)
2417+ return n;
2418+
2419 if (access_ok(VERIFY_READ, from, n))
2420 n = __copy_from_user(to, from, n);
2421 else /* security hole - plug it */
2422@@ -496,6 +577,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
2423
2424 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2425 {
2426+ if ((long)n < 0)
2427+ return n;
2428+
2429 if (access_ok(VERIFY_WRITE, to, n))
2430 n = __copy_to_user(to, from, n);
2431 return n;
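Review bot: The `(long)n < 0` guard is added only to `copy_from_user()` and `copy_to_user()`, not to the new inline `__copy_from_user()`, `__copy_to_user()` and `__clear_user()` wrappers. Those pass `n` straight to `check_object_size()` and the `___` primitives, so callers of the double-underscore forms get no sign check. If that is deliberate because those callers validate the length themselves, a comment above the wrappers should say so. The annotations are also uneven: `__copy_from_user()` carries `__size_overflow(3)` but `__copy_to_user()` and `__clear_user()` carry none, although their `___` counterparts do; I would add `__size_overflow(3)` and `__size_overflow(2)` to those two wrappers. The bodies of `copy_from_user()` and `copy_to_user()` continue outside their hunks.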
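--- a/arch/arm/include/uapi/asm/ptrace.h
+++ b/arch/arm/include/uapi/asm/ptrace.h
@@ -92,7 +92,7 @@
 * ARMv7 groups of PSR bits
 */
 #define APSR_MASK 0xf80f0000 /* N, Z, C, V, Q and GE flags */
-#define PSR_ISET_MASK 0x01000010 /* ISA state (J, T) mask */
+#define PSR_ISET_MASK 0x01000020 /* ISA state (J, T) mask */
 #define PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */
 #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */
 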
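Review bot: `PSR_ISET_MASK` stays a bare hex literal, which is the form that let the value and its `(J, T)` comment disagree before this change. Building it from the named bits keeps the two together: `#define PSR_ISET_MASK (PSR_J_BIT | PSR_T_BIT)`, assuming both are defined earlier in this header. This is a uapi header, so the changed value is visible to userspace and deserves a line in the commit description.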
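--- a/arch/arm/kernel/armksyms.c
+++ b/arch/arm/kernel/armksyms.c
@@ -58,7 +58,7 @@ EXPORT_SYMBOL(arm_delay_ops);
 
 /* networking */
 EXPORT_SYMBOL(csum_partial);
-EXPORT_SYMBOL(csum_partial_copy_from_user);
+EXPORT_SYMBOL(__csum_partial_copy_from_user);
 EXPORT_SYMBOL(csum_partial_copy_nocheck);
 EXPORT_SYMBOL(__csum_ipv6_magic);
 
@@ -97,9 +97,9 @@ EXPORT_SYMBOL(mmiocpy);
 #ifdef CONFIG_MMU
 EXPORT_SYMBOL(copy_page);
 
-EXPORT_SYMBOL(__copy_from_user);
-EXPORT_SYMBOL(__copy_to_user);
-EXPORT_SYMBOL(__clear_user);
+EXPORT_SYMBOL(___copy_from_user);
+EXPORT_SYMBOL(___copy_to_user);
+EXPORT_SYMBOL(___clear_user);
 
 EXPORT_SYMBOL(__get_user_1);
 EXPORT_SYMBOL(__get_user_2);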
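--- a/arch/arm/kernel/cpuidle.c
+++ b/arch/arm/kernel/cpuidle.c
@@ -19,7 +19,7 @@ extern struct of_cpuidle_method __cpuidle_method_of_table[];
 static const struct of_cpuidle_method __cpuidle_method_of_table_sentinel
 __used __section(__cpuidle_method_of_table_end);
 
-static struct cpuidle_ops cpuidle_ops[NR_CPUS];
+static struct cpuidle_ops cpuidle_ops[NR_CPUS] __read_only;
 
 /**
 * arm_cpuidle_simple_enter() - a wrapper to cpu_do_idle()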
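Review bot: `cpuidle_ops[]` becomes `__read_only`, but the code that fills the array is outside this hunk, so it cannot be checked here that every store happens before the section is write-protected. Any later assignment would fault unless it is wrapped in `pax_open_kernel()` / `pax_close_kernel()`. A comment at the declaration would record the rule for future edits: `/* written only from __init code; later writes need pax_open_kernel() */`, once someone has confirmed that the writer really is init-only.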
2484diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
2485index cb4fb1e..dc7fcaf 100644
2486--- a/arch/arm/kernel/entry-armv.S
2487+++ b/arch/arm/kernel/entry-armv.S
2488@@ -50,6 +50,87 @@
2489 9997:
2490 .endm
2491
2492+ .macro pax_enter_kernel
2493+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2494+ @ make aligned space for saved DACR
2495+ sub sp, sp, #8
2496+ @ save regs
2497+ stmdb sp!, {r1, r2}
2498+ @ read DACR from cpu_domain into r1
2499+ mov r2, sp
2500+ @ assume 8K pages, since we have to split the immediate in two
2501+ bic r2, r2, #(0x1fc0)
2502+ bic r2, r2, #(0x3f)
2503+ ldr r1, [r2, #TI_CPU_DOMAIN]
2504+ @ store old DACR on stack
2505+ str r1, [sp, #8]
2506+#ifdef CONFIG_PAX_KERNEXEC
2507+ @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2508+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2509+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2510+#endif
2511+#ifdef CONFIG_PAX_MEMORY_UDEREF
2512+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2513+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2514+#endif
2515+ @ write r1 to current_thread_info()->cpu_domain
2516+ str r1, [r2, #TI_CPU_DOMAIN]
2517+ @ write r1 to DACR
2518+ mcr p15, 0, r1, c3, c0, 0
2519+ @ instruction sync
2520+ instr_sync
2521+ @ restore regs
2522+ ldmia sp!, {r1, r2}
2523+#endif
2524+ .endm
2525+
2526+ .macro pax_open_userland
2527+#ifdef CONFIG_PAX_MEMORY_UDEREF
2528+ @ save regs
2529+ stmdb sp!, {r0, r1}
2530+ @ read DACR from cpu_domain into r1
2531+ mov r0, sp
2532+ @ assume 8K pages, since we have to split the immediate in two
2533+ bic r0, r0, #(0x1fc0)
2534+ bic r0, r0, #(0x3f)
2535+ ldr r1, [r0, #TI_CPU_DOMAIN]
2536+ @ set current DOMAIN_USER to DOMAIN_CLIENT
2537+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2538+ orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
2539+ @ write r1 to current_thread_info()->cpu_domain
2540+ str r1, [r0, #TI_CPU_DOMAIN]
2541+ @ write r1 to DACR
2542+ mcr p15, 0, r1, c3, c0, 0
2543+ @ instruction sync
2544+ instr_sync
2545+ @ restore regs
2546+ ldmia sp!, {r0, r1}
2547+#endif
2548+ .endm
2549+
2550+ .macro pax_close_userland
2551+#ifdef CONFIG_PAX_MEMORY_UDEREF
2552+ @ save regs
2553+ stmdb sp!, {r0, r1}
2554+ @ read DACR from cpu_domain into r1
2555+ mov r0, sp
2556+ @ assume 8K pages, since we have to split the immediate in two
2557+ bic r0, r0, #(0x1fc0)
2558+ bic r0, r0, #(0x3f)
2559+ ldr r1, [r0, #TI_CPU_DOMAIN]
2560+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2561+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2562+ @ write r1 to current_thread_info()->cpu_domain
2563+ str r1, [r0, #TI_CPU_DOMAIN]
2564+ @ write r1 to DACR
2565+ mcr p15, 0, r1, c3, c0, 0
2566+ @ instruction sync
2567+ instr_sync
2568+ @ restore regs
2569+ ldmia sp!, {r0, r1}
2570+#endif
2571+ .endm
2572+
2573 .macro pabt_helper
2574 @ PABORT handler takes pt_regs in r2, fault address in r4 and psr in r5
2575 #ifdef MULTI_PABORT
2576@@ -92,11 +173,15 @@
2577 * Invalid mode handlers
2578 */
2579 .macro inv_entry, reason
2580+
2581+ pax_enter_kernel
2582+
2583 sub sp, sp, #S_FRAME_SIZE
2584 ARM( stmib sp, {r1 - lr} )
2585 THUMB( stmia sp, {r0 - r12} )
2586 THUMB( str sp, [sp, #S_SP] )
2587 THUMB( str lr, [sp, #S_LR] )
2588+
2589 mov r1, #\reason
2590 .endm
2591
2592@@ -152,7 +237,11 @@ ENDPROC(__und_invalid)
2593 .macro svc_entry, stack_hole=0, trace=1
2594 UNWIND(.fnstart )
2595 UNWIND(.save {r0 - pc} )
2596+
2597+ pax_enter_kernel
2598+
2599 sub sp, sp, #(S_FRAME_SIZE + \stack_hole - 4)
2600+
2601 #ifdef CONFIG_THUMB2_KERNEL
2602 SPFIX( str r0, [sp] ) @ temporarily saved
2603 SPFIX( mov r0, sp )
2604@@ -167,7 +256,12 @@ ENDPROC(__und_invalid)
2605 ldmia r0, {r3 - r5}
2606 add r7, sp, #S_SP - 4 @ here for interlock avoidance
2607 mov r6, #-1 @ "" "" "" ""
2608+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2609+ @ offset sp by 8 as done in pax_enter_kernel
2610+ add r2, sp, #(S_FRAME_SIZE + \stack_hole + 4)
2611+#else
2612 add r2, sp, #(S_FRAME_SIZE + \stack_hole - 4)
2613+#endif
2614 SPFIX( addeq r2, r2, #4 )
2615 str r3, [sp, #-4]! @ save the "real" r0 copied
2616 @ from the exception stack
2617@@ -371,6 +465,9 @@ ENDPROC(__fiq_abt)
2618 .macro usr_entry, trace=1
2619 UNWIND(.fnstart )
2620 UNWIND(.cantunwind ) @ don't unwind the user space
2621+
2622+ pax_enter_kernel_user
2623+
2624 sub sp, sp, #S_FRAME_SIZE
2625 ARM( stmib sp, {r1 - r12} )
2626 THUMB( stmia sp, {r0 - r12} )
2627@@ -481,7 +578,9 @@ __und_usr:
2628 tst r3, #PSR_T_BIT @ Thumb mode?
2629 bne __und_usr_thumb
2630 sub r4, r2, #4 @ ARM instr at LR - 4
2631+ pax_open_userland
2632 1: ldrt r0, [r4]
2633+ pax_close_userland
2634 ARM_BE8(rev r0, r0) @ little endian instruction
2635
2636 @ r0 = 32-bit ARM instruction which caused the exception
2637@@ -515,11 +614,15 @@ __und_usr_thumb:
2638 */
2639 .arch armv6t2
2640 #endif
2641+ pax_open_userland
2642 2: ldrht r5, [r4]
2643+ pax_close_userland
2644 ARM_BE8(rev16 r5, r5) @ little endian instruction
2645 cmp r5, #0xe800 @ 32bit instruction if xx != 0
2646 blo __und_usr_fault_16 @ 16bit undefined instruction
2647+ pax_open_userland
2648 3: ldrht r0, [r2]
2649+ pax_close_userland
2650 ARM_BE8(rev16 r0, r0) @ little endian instruction
2651 add r2, r2, #2 @ r2 is PC + 2, make it PC + 4
2652 str r2, [sp, #S_PC] @ it's a 2x16bit instr, update
2653@@ -549,7 +652,8 @@ ENDPROC(__und_usr)
2654 */
2655 .pushsection .text.fixup, "ax"
2656 .align 2
2657-4: str r4, [sp, #S_PC] @ retry current instruction
2658+4: pax_close_userland
2659+ str r4, [sp, #S_PC] @ retry current instruction
2660 ret r9
2661 .popsection
2662 .pushsection __ex_table,"a"
2663@@ -769,7 +873,7 @@ ENTRY(__switch_to)
2664 THUMB( str lr, [ip], #4 )
2665 ldr r4, [r2, #TI_TP_VALUE]
2666 ldr r5, [r2, #TI_TP_VALUE + 4]
2667-#ifdef CONFIG_CPU_USE_DOMAINS
2668+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2669 ldr r6, [r2, #TI_CPU_DOMAIN]
2670 #endif
2671 switch_tls r1, r4, r5, r3, r7
2672@@ -778,7 +882,7 @@ ENTRY(__switch_to)
2673 ldr r8, =__stack_chk_guard
2674 ldr r7, [r7, #TSK_STACK_CANARY]
2675 #endif
2676-#ifdef CONFIG_CPU_USE_DOMAINS
2677+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2678 mcr p15, 0, r6, c3, c0, 0 @ Set domain register
2679 #endif
2680 mov r5, r0
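Review bot: Each new macro locates `thread_info` with `bic rX, rX, #(0x1fc0)` followed by `bic rX, rX, #(0x3f)`, a hard-coded 8 KiB mask whose comment speaks of "8K pages" although what it assumes is the kernel stack size. The pair is repeated in `pax_enter_kernel`, `pax_open_userland` and `pax_close_userland` here, and again in entry-common.S (`arch_ret_to_user`) and entry-header.S (`pax_enter_kernel_user`, `pax_exit_kernel`). With any other stack size the saved domain value would be read from and written to the wrong address. I would factor the lookup into one macro derived from `THREAD_SIZE` and reword the comment to `@ assumes THREAD_SIZE == 8K; mask split in two because it does not fit one immediate`. Separately, in `pax_open_userland` the comment `@ set current DOMAIN_USER to DOMAIN_CLIENT` does not match the code, which ORs in `DOMAIN_UDEREF`.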
2681diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
2682index b48dd4f..9f9a72f 100644
2683--- a/arch/arm/kernel/entry-common.S
2684+++ b/arch/arm/kernel/entry-common.S
2685@@ -11,18 +11,46 @@
2686 #include <asm/assembler.h>
2687 #include <asm/unistd.h>
2688 #include <asm/ftrace.h>
2689+#include <asm/domain.h>
2690 #include <asm/unwind.h>
2691
2692+#include "entry-header.S"
2693+
2694 #ifdef CONFIG_NEED_RET_TO_USER
2695 #include <mach/entry-macro.S>
2696 #else
2697 .macro arch_ret_to_user, tmp1, tmp2
2698+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2699+ @ save regs
2700+ stmdb sp!, {r1, r2}
2701+ @ read DACR from cpu_domain into r1
2702+ mov r2, sp
2703+ @ assume 8K pages, since we have to split the immediate in two
2704+ bic r2, r2, #(0x1fc0)
2705+ bic r2, r2, #(0x3f)
2706+ ldr r1, [r2, #TI_CPU_DOMAIN]
2707+#ifdef CONFIG_PAX_KERNEXEC
2708+ @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2709+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2710+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2711+#endif
2712+#ifdef CONFIG_PAX_MEMORY_UDEREF
2713+ @ set current DOMAIN_USER to DOMAIN_UDEREF
2714+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2715+ orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
2716+#endif
2717+ @ write r1 to current_thread_info()->cpu_domain
2718+ str r1, [r2, #TI_CPU_DOMAIN]
2719+ @ write r1 to DACR
2720+ mcr p15, 0, r1, c3, c0, 0
2721+ @ instruction sync
2722+ instr_sync
2723+ @ restore regs
2724+ ldmia sp!, {r1, r2}
2725+#endif
2726 .endm
2727 #endif
2728
2729-#include "entry-header.S"
2730-
2731-
2732 .align 5
2733 /*
2734 * This is the fast syscall return path. We do as little as
2735@@ -174,6 +202,12 @@ ENTRY(vector_swi)
2736 USER( ldr scno, [lr, #-4] ) @ get SWI instruction
2737 #endif
2738
2739+ /*
2740+ * do this here to avoid a performance hit of wrapping the code above
2741+ * that directly dereferences userland to parse the SWI instruction
2742+ */
2743+ pax_enter_kernel_user
2744+
2745 adr tbl, sys_call_table @ load syscall table pointer
2746
2747 #if defined(CONFIG_OABI_COMPAT)
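Review bot: The DACR update for the return to user mode is added only to the previously empty `arch_ret_to_user` in the `#else` branch. When `CONFIG_NEED_RET_TO_USER` is set the macro comes from `<mach/entry-macro.S>` instead and none of this sequence runs. Unless those platforms are excluded from KERNEXEC/UDEREF in Kconfig (not visible here), they would return to userland with whatever domain state the kernel last had. Putting the sequence in its own macro and invoking it next to `arch_ret_to_user` at the call sites would cover both configurations; the call sites are outside these hunks.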
2748diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S
2749index 1a0045a..9b4f34d 100644
2750--- a/arch/arm/kernel/entry-header.S
2751+++ b/arch/arm/kernel/entry-header.S
2752@@ -196,6 +196,60 @@
2753 msr cpsr_c, \rtemp @ switch back to the SVC mode
2754 .endm
2755
2756+ .macro pax_enter_kernel_user
2757+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2758+ @ save regs
2759+ stmdb sp!, {r0, r1}
2760+ @ read DACR from cpu_domain into r1
2761+ mov r0, sp
2762+ @ assume 8K pages, since we have to split the immediate in two
2763+ bic r0, r0, #(0x1fc0)
2764+ bic r0, r0, #(0x3f)
2765+ ldr r1, [r0, #TI_CPU_DOMAIN]
2766+#ifdef CONFIG_PAX_MEMORY_UDEREF
2767+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2768+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2769+#endif
2770+#ifdef CONFIG_PAX_KERNEXEC
2771+ @ set current DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2772+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2773+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2774+#endif
2775+ @ write r1 to current_thread_info()->cpu_domain
2776+ str r1, [r0, #TI_CPU_DOMAIN]
2777+ @ write r1 to DACR
2778+ mcr p15, 0, r1, c3, c0, 0
2779+ @ instruction sync
2780+ instr_sync
2781+ @ restore regs
2782+ ldmia sp!, {r0, r1}
2783+#endif
2784+ .endm
2785+
2786+ .macro pax_exit_kernel
2787+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2788+ @ save regs
2789+ stmdb sp!, {r0, r1}
2790+ @ read old DACR from stack into r1
2791+ ldr r1, [sp, #(8 + S_SP)]
2792+ sub r1, r1, #8
2793+ ldr r1, [r1]
2794+
2795+ @ write r1 to current_thread_info()->cpu_domain
2796+ mov r0, sp
2797+ @ assume 8K pages, since we have to split the immediate in two
2798+ bic r0, r0, #(0x1fc0)
2799+ bic r0, r0, #(0x3f)
2800+ str r1, [r0, #TI_CPU_DOMAIN]
2801+ @ write r1 to DACR
2802+ mcr p15, 0, r1, c3, c0, 0
2803+ @ instruction sync
2804+ instr_sync
2805+ @ restore regs
2806+ ldmia sp!, {r0, r1}
2807+#endif
2808+ .endm
2809+
2810 #ifndef CONFIG_THUMB2_KERNEL
2811 .macro svc_exit, rpsr, irq = 0
2812 .if \irq != 0
2813@@ -215,6 +269,9 @@
2814 blne trace_hardirqs_off
2815 #endif
2816 .endif
2817+
2818+ pax_exit_kernel
2819+
2820 msr spsr_cxsf, \rpsr
2821 #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
2822 @ We must avoid clrex due to Cortex-A15 erratum #830321
2823@@ -291,6 +348,9 @@
2824 blne trace_hardirqs_off
2825 #endif
2826 .endif
2827+
2828+ pax_exit_kernel
2829+
2830 ldr lr, [sp, #S_SP] @ top of the stack
2831 ldrd r0, r1, [sp, #S_LR] @ calling lr and pc
2832
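Review bot: `pax_exit_kernel` finds the saved DACR through two unrelated literal 8s: `#(8 + S_SP)` skips the two registers it has just pushed, and `sub r1, r1, #8` steps back to the slot that `pax_enter_kernel` reserved in entry-armv.S. The macros live in different files, so a change to either side would make the exit path load some other stack word into the domain register with no build error. At minimum I would comment both lines, `@ 8 = r0/r1 pushed above` and `@ 8 = DACR slot reserved by pax_enter_kernel below the interrupted sp`, and put a matching note on the `sub sp, sp, #8` in `pax_enter_kernel`. Both `svc_exit` variants that call the macro continue outside their hunks.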
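--- a/arch/arm/kernel/fiq.c
+++ b/arch/arm/kernel/fiq.c
@@ -95,7 +95,10 @@ void set_fiq_handler(void *start, unsigned int length)
 void *base = vectors_page;
 unsigned offset = FIQ_OFFSET;
 
+ pax_open_kernel();
 memcpy(base + offset, start, length);
+ pax_close_kernel();
+
 if (!cache_is_vipt_nonaliasing())
 flush_icache_range((unsigned long)base + offset, offset +
 length);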
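Review bot: The write window opened by `pax_open_kernel()` covers a `memcpy()` whose `length` comes straight from the caller and is never compared with the space available after `FIQ_OFFSET` in the vectors page. The callers are presumably in-kernel drivers, but now that the copy runs with kernel write protection lifted, an oversized handler would overwrite whatever follows the FIQ slot. I would reject it before opening the window, for example `if (WARN_ON(length > FIQ_HANDLER_MAX)) return;`, where `FIQ_HANDLER_MAX` is a placeholder for the real limit, which this hunk does not show. `set_fiq_handler()` starts and ends outside the hunk.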
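--- a/arch/arm/kernel/head.S
+++ b/arch/arm/kernel/head.S
@@ -467,7 +467,7 @@ __enable_mmu:
 mov r5, #(domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
 domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
 domain_val(DOMAIN_TABLE, DOMAIN_MANAGER) | \
- domain_val(DOMAIN_IO, DOMAIN_CLIENT))
+ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT))
 mcr p15, 0, r5, c3, c0, 0 @ load domain access register
 mcr p15, 0, r4, c2, c0, 0 @ load page table pointer
 #endif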
2861diff --git a/arch/arm/kernel/module-plts.c b/arch/arm/kernel/module-plts.c
2862index 097e2e2..3927085 100644
2863--- a/arch/arm/kernel/module-plts.c
2864+++ b/arch/arm/kernel/module-plts.c
2865@@ -30,17 +30,12 @@ struct plt_entries {
2866 u32 lit[PLT_ENT_COUNT];
2867 };
2868
2869-static bool in_init(const struct module *mod, u32 addr)
2870-{
2871- return addr - (u32)mod->module_init < mod->init_size;
2872-}
2873-
2874 u32 get_module_plt(struct module *mod, unsigned long loc, Elf32_Addr val)
2875 {
2876 struct plt_entries *plt, *plt_end;
2877 int c, *count;
2878
2879- if (in_init(mod, loc)) {
2880+ if (within_module_init(loc, mod)) {
2881 plt = (void *)mod->arch.init_plt->sh_addr;
2882 plt_end = (void *)plt + mod->arch.init_plt->sh_size;
2883 count = &mod->arch.init_plt_count;
2884diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
2885index efdddcb..35e58f6 100644
2886--- a/arch/arm/kernel/module.c
2887+++ b/arch/arm/kernel/module.c
2888@@ -38,17 +38,47 @@
2889 #endif
2890
2891 #ifdef CONFIG_MMU
2892-void *module_alloc(unsigned long size)
2893+static inline void *__module_alloc(unsigned long size, pgprot_t prot)
2894 {
2895- void *p = __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
2896- GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
2897+ void *p;
2898+
2899+ if (!size || (!IS_ENABLED(CONFIG_ARM_MODULE_PLTS) && PAGE_ALIGN(size) > MODULES_END - MODULES_VADDR))
2900+ return NULL;
2901+
2902+ p = __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
2903+ GFP_KERNEL, prot, 0, NUMA_NO_NODE,
2904 __builtin_return_address(0));
2905 if (!IS_ENABLED(CONFIG_ARM_MODULE_PLTS) || p)
2906 return p;
2907 return __vmalloc_node_range(size, 1, VMALLOC_START, VMALLOC_END,
2908- GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
2909+ GFP_KERNEL, prot, 0, NUMA_NO_NODE,
2910 __builtin_return_address(0));
2911 }
2912+
2913+void *module_alloc(unsigned long size)
2914+{
2915+
2916+#ifdef CONFIG_PAX_KERNEXEC
2917+ return __module_alloc(size, PAGE_KERNEL);
2918+#else
2919+ return __module_alloc(size, PAGE_KERNEL_EXEC);
2920+#endif
2921+
2922+}
2923+
2924+#ifdef CONFIG_PAX_KERNEXEC
2925+void module_memfree_exec(void *module_region)
2926+{
2927+ module_memfree(module_region);
2928+}
2929+EXPORT_SYMBOL(module_memfree_exec);
2930+
2931+void *module_alloc_exec(unsigned long size)
2932+{
2933+ return __module_alloc(size, PAGE_KERNEL_EXEC);
2934+}
2935+EXPORT_SYMBOL(module_alloc_exec);
2936+#endif
2937 #endif
2938
2939 int
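Review bot: `module_alloc()` changes meaning under `CONFIG_PAX_KERNEXEC` without any comment: it hands out `PAGE_KERNEL` memory there, and `PAGE_KERNEL_EXEC` memory only comes from the new `module_alloc_exec()`. A caller that still places code in a `module_alloc()` region would presumably fault at run time rather than fail to build, so the contract should be written down, e.g. `/* KERNEXEC: module_alloc() memory is not executable; code must live in module_alloc_exec() regions */` above `module_alloc()`. `__module_alloc()` is only `static inline` while it passes `__builtin_return_address(0)` to `__vmalloc_node_range()`; if the compiler declines to inline it the recorded caller becomes the wrapper, so `__always_inline` would be safer. The two empty lines inside `module_alloc()` can be dropped.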
2940diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
2941index 69bda1a..755113a 100644
2942--- a/arch/arm/kernel/patch.c
2943+++ b/arch/arm/kernel/patch.c
2944@@ -66,6 +66,7 @@ void __kprobes __patch_text_real(void *addr, unsigned int insn, bool remap)
2945 else
2946 __acquire(&patch_lock);
2947
2948+ pax_open_kernel();
2949 if (thumb2 && __opcode_is_thumb16(insn)) {
2950 *(u16 *)waddr = __opcode_to_mem_thumb16(insn);
2951 size = sizeof(u16);
2952@@ -97,6 +98,7 @@ void __kprobes __patch_text_real(void *addr, unsigned int insn, bool remap)
2953 *(u32 *)waddr = insn;
2954 size = sizeof(u32);
2955 }
2956+ pax_close_kernel();
2957
2958 if (waddr != addr) {
2959 flush_kernel_vmap_range(waddr, twopage ? size / 2 : size);
2960diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
2961index f192a2a..1a40523 100644
2962--- a/arch/arm/kernel/process.c
2963+++ b/arch/arm/kernel/process.c
2964@@ -105,8 +105,8 @@ void __show_regs(struct pt_regs *regs)
2965
2966 show_regs_print_info(KERN_DEFAULT);
2967
2968- print_symbol("PC is at %s\n", instruction_pointer(regs));
2969- print_symbol("LR is at %s\n", regs->ARM_lr);
2970+ printk("PC is at %pA\n", (void *)instruction_pointer(regs));
2971+ printk("LR is at %pA\n", (void *)regs->ARM_lr);
2972 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n"
2973 "sp : %08lx ip : %08lx fp : %08lx\n",
2974 regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
2975@@ -283,12 +283,6 @@ unsigned long get_wchan(struct task_struct *p)
2976 return 0;
2977 }
2978
2979-unsigned long arch_randomize_brk(struct mm_struct *mm)
2980-{
2981- unsigned long range_end = mm->brk + 0x02000000;
2982- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
2983-}
2984-
2985 #ifdef CONFIG_MMU
2986 #ifdef CONFIG_KUSER_HELPERS
2987 /*
2988@@ -304,7 +298,7 @@ static struct vm_area_struct gate_vma = {
2989
2990 static int __init gate_vma_init(void)
2991 {
2992- gate_vma.vm_page_prot = PAGE_READONLY_EXEC;
2993+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
2994 return 0;
2995 }
2996 arch_initcall(gate_vma_init);
2997@@ -333,91 +327,13 @@ const char *arch_vma_name(struct vm_area_struct *vma)
2998 return is_gate_vma(vma) ? "[vectors]" : NULL;
2999 }
3000
3001-/* If possible, provide a placement hint at a random offset from the
3002- * stack for the sigpage and vdso pages.
3003- */
3004-static unsigned long sigpage_addr(const struct mm_struct *mm,
3005- unsigned int npages)
3006-{
3007- unsigned long offset;
3008- unsigned long first;
3009- unsigned long last;
3010- unsigned long addr;
3011- unsigned int slots;
3012-
3013- first = PAGE_ALIGN(mm->start_stack);
3014-
3015- last = TASK_SIZE - (npages << PAGE_SHIFT);
3016-
3017- /* No room after stack? */
3018- if (first > last)
3019- return 0;
3020-
3021- /* Just enough room? */
3022- if (first == last)
3023- return first;
3024-
3025- slots = ((last - first) >> PAGE_SHIFT) + 1;
3026-
3027- offset = get_random_int() % slots;
3028-
3029- addr = first + (offset << PAGE_SHIFT);
3030-
3031- return addr;
3032-}
3033-
3034-static struct page *signal_page;
3035-extern struct page *get_signal_page(void);
3036-
3037-static const struct vm_special_mapping sigpage_mapping = {
3038- .name = "[sigpage]",
3039- .pages = &signal_page,
3040-};
3041-
3042 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
3043 {
3044 struct mm_struct *mm = current->mm;
3045- struct vm_area_struct *vma;
3046- unsigned long npages;
3047- unsigned long addr;
3048- unsigned long hint;
3049- int ret = 0;
3050-
3051- if (!signal_page)
3052- signal_page = get_signal_page();
3053- if (!signal_page)
3054- return -ENOMEM;
3055-
3056- npages = 1; /* for sigpage */
3057- npages += vdso_total_pages;
3058
3059 down_write(&mm->mmap_sem);
3060- hint = sigpage_addr(mm, npages);
3061- addr = get_unmapped_area(NULL, hint, npages << PAGE_SHIFT, 0, 0);
3062- if (IS_ERR_VALUE(addr)) {
3063- ret = addr;
3064- goto up_fail;
3065- }
3066-
3067- vma = _install_special_mapping(mm, addr, PAGE_SIZE,
3068- VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
3069- &sigpage_mapping);
3070-
3071- if (IS_ERR(vma)) {
3072- ret = PTR_ERR(vma);
3073- goto up_fail;
3074- }
3075-
3076- mm->context.sigpage = addr;
3077-
3078- /* Unlike the sigpage, failure to install the vdso is unlikely
3079- * to be fatal to the process, so no error check needed
3080- * here.
3081- */
3082- arm_install_vdso(mm, addr + PAGE_SIZE);
3083-
3084- up_fail:
3085+ mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;
3086 up_write(&mm->mmap_sem);
3087- return ret;
3088+ return 0;
3089 }
3090 #endif
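Review bot: The new `mm->context.sigpage` assignment is built from two unexplained constants, `0x3FFEFFE0` and `0xFFFFFFFC`, and nothing states that the value is now an address at or above `PAGE_OFFSET` rather than a mapped user page. With `PAGE_OFFSET` at 0xC0000000 the sum stays below 0xFFFEFFE0, but `PAGE_OFFSET` is configurable and its value is not visible here, so the range the constant was sized for should be spelled out. A comment such as `/* sigpage: random word-aligned address in [PAGE_OFFSET, PAGE_OFFSET + 0x3FFEFFE0), not a user mapping */` would do. `down_write(&mm->mmap_sem)` is still taken around what is now a single store, and `arm_install_vdso()` is no longer called from this function, which looks intentional but is worth saying in the same comment.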
3091diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c
3092index f90fdf4..24e8c84 100644
3093--- a/arch/arm/kernel/psci.c
3094+++ b/arch/arm/kernel/psci.c
3095@@ -26,7 +26,7 @@
3096 #include <asm/psci.h>
3097 #include <asm/system_misc.h>
3098
3099-struct psci_operations psci_ops;
3100+struct psci_operations psci_ops __read_only;
3101
3102 static int (*invoke_psci_fn)(u32, u32, u32, u32);
3103 typedef int (*psci_initcall_t)(const struct device_node *);
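Review bot: `__read_only` on `psci_ops` is only safe if every store to it happens before the read-only section is write-protected, or inside a `pax_open_kernel()`/`pax_close_kernel()` pair as the mach-exynos and mach-shmobile hunks do; the writers of `psci_ops` are not in this hunk. The same question applies to `processor`, `cpu_tlb`, `cpu_user`, `cpu_cache` and `outer_cache` in setup.c, `smp_ops` in smp.c, `arm_delay_ops` in delay.c, `omap_pm_ops` in omap-mpuss-lowpower.c and `soc_ops` in omap_hwmod.c. I would record the rule next to each declaration once each writer has been checked, e.g. `/* __read_only: set once during early boot; any later store needs pax_open_kernel() */`.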
3104diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
3105index ef9119f..31995a3 100644
3106--- a/arch/arm/kernel/ptrace.c
3107+++ b/arch/arm/kernel/ptrace.c
3108@@ -928,10 +928,19 @@ static void tracehook_report_syscall(struct pt_regs *regs,
3109 regs->ARM_ip = ip;
3110 }
3111
3112+#ifdef CONFIG_GRKERNSEC_SETXID
3113+extern void gr_delayed_cred_worker(void);
3114+#endif
3115+
3116 asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
3117 {
3118 current_thread_info()->syscall = scno;
3119
3120+#ifdef CONFIG_GRKERNSEC_SETXID
3121+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
3122+ gr_delayed_cred_worker();
3123+#endif
3124+
3125 /* Do the secure computing check first; failures should be fast. */
3126 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
3127 if (secure_computing() == -1)
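Review bot: The prototype `extern void gr_delayed_cred_worker(void);` is declared locally in ptrace.c, so the compiler never checks it against the definition; the traps.c hunk does the same for `gr_handle_kernel_exploit()`. Both declarations belong in a shared header that the defining file also includes. The call sits ahead of the `secure_computing()` check, presumably so that a pending credential change is applied before the syscall is filtered; a one-line comment such as `/* apply a pending setxid credential update before seccomp sees the syscall */` would confirm that the ordering is deliberate. `syscall_trace_enter()` continues past the end of the hunk.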
3128diff --git a/arch/arm/kernel/reboot.c b/arch/arm/kernel/reboot.c
3129index 3826935..8ed63ed 100644
3130--- a/arch/arm/kernel/reboot.c
3131+++ b/arch/arm/kernel/reboot.c
3132@@ -122,6 +122,7 @@ void machine_power_off(void)
3133
3134 if (pm_power_off)
3135 pm_power_off();
3136+ while (1);
3137 }
3138
3139 /*
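Review bot: The added `while (1);` also runs when `pm_power_off` is NULL, so on a platform without a power-off hook `machine_power_off()` now spins forever instead of returning to its caller; if that is intended it needs a comment. The loop is a bare busy-wait, and `while (1) cpu_relax();` with `/* power-off must never return */` above it would state the intent. The start of the function is outside the hunk.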
3140diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
3141index 36c18b7..0d78292 100644
3142--- a/arch/arm/kernel/setup.c
3143+++ b/arch/arm/kernel/setup.c
3144@@ -108,21 +108,23 @@ EXPORT_SYMBOL(elf_hwcap);
3145 unsigned int elf_hwcap2 __read_mostly;
3146 EXPORT_SYMBOL(elf_hwcap2);
3147
3148+pteval_t __supported_pte_mask __read_only;
3149+pmdval_t __supported_pmd_mask __read_only;
3150
3151 #ifdef MULTI_CPU
3152-struct processor processor __read_mostly;
3153+struct processor processor __read_only;
3154 #endif
3155 #ifdef MULTI_TLB
3156-struct cpu_tlb_fns cpu_tlb __read_mostly;
3157+struct cpu_tlb_fns cpu_tlb __read_only;
3158 #endif
3159 #ifdef MULTI_USER
3160-struct cpu_user_fns cpu_user __read_mostly;
3161+struct cpu_user_fns cpu_user __read_only;
3162 #endif
3163 #ifdef MULTI_CACHE
3164-struct cpu_cache_fns cpu_cache __read_mostly;
3165+struct cpu_cache_fns cpu_cache __read_only;
3166 #endif
3167 #ifdef CONFIG_OUTER_CACHE
3168-struct outer_cache_fns outer_cache __read_mostly;
3169+struct outer_cache_fns outer_cache __read_only;
3170 EXPORT_SYMBOL(outer_cache);
3171 #endif
3172
3173@@ -253,9 +255,13 @@ static int __get_cpu_architecture(void)
3174 * Register 0 and check for VMSAv7 or PMSAv7 */
3175 unsigned int mmfr0 = read_cpuid_ext(CPUID_EXT_MMFR0);
3176 if ((mmfr0 & 0x0000000f) >= 0x00000003 ||
3177- (mmfr0 & 0x000000f0) >= 0x00000030)
3178+ (mmfr0 & 0x000000f0) >= 0x00000030) {
3179 cpu_arch = CPU_ARCH_ARMv7;
3180- else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
3181+ if ((mmfr0 & 0x0000000f) == 0x00000005 || (mmfr0 & 0x0000000f) == 0x00000004) {
3182+ __supported_pte_mask |= L_PTE_PXN;
3183+ __supported_pmd_mask |= PMD_PXNTABLE;
3184+ }
3185+ } else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
3186 (mmfr0 & 0x000000f0) == 0x00000020)
3187 cpu_arch = CPU_ARCH_ARMv6;
3188 else
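Review bot: `__supported_pte_mask |= L_PTE_PXN;` and `__supported_pmd_mask |= PMD_PXNTABLE;` store to variables that the previous hunk declares `__read_only`, with no `pax_open_kernel()` around them, so this relies on `__get_cpu_architecture()` running only before the read-only section is protected. The function is not marked `__init` in the hunk header, so that ordering should be stated in a comment or enforced. The values `0x00000004` and `0x00000005` compared against the low nibble of `mmfr0` are also unexplained; a comment such as `/* MMFR0 VMSA field 4 or 5: PXN is implemented */` would make the check reviewable. The if/else chain begins and ends outside the hunk.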
3189diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
3190index 423663e..bfeb0ff 100644
3191--- a/arch/arm/kernel/signal.c
3192+++ b/arch/arm/kernel/signal.c
3193@@ -24,8 +24,6 @@
3194
3195 extern const unsigned long sigreturn_codes[7];
3196
3197-static unsigned long signal_return_offset;
3198-
3199 #ifdef CONFIG_CRUNCH
3200 static int preserve_crunch_context(struct crunch_sigframe __user *frame)
3201 {
3202@@ -385,8 +383,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig,
3203 * except when the MPU has protected the vectors
3204 * page from PL0
3205 */
3206- retcode = mm->context.sigpage + signal_return_offset +
3207- (idx << 2) + thumb;
3208+ retcode = mm->context.sigpage + (idx << 2) + thumb;
3209 } else
3210 #endif
3211 {
3212@@ -592,33 +589,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
3213 } while (thread_flags & _TIF_WORK_MASK);
3214 return 0;
3215 }
3216-
3217-struct page *get_signal_page(void)
3218-{
3219- unsigned long ptr;
3220- unsigned offset;
3221- struct page *page;
3222- void *addr;
3223-
3224- page = alloc_pages(GFP_KERNEL, 0);
3225-
3226- if (!page)
3227- return NULL;
3228-
3229- addr = page_address(page);
3230-
3231- /* Give the signal return code some randomness */
3232- offset = 0x200 + (get_random_int() & 0x7fc);
3233- signal_return_offset = offset;
3234-
3235- /*
3236- * Copy signal return handlers into the vector page, and
3237- * set sigreturn to be a pointer to these.
3238- */
3239- memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
3240-
3241- ptr = (unsigned long)addr + offset;
3242- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
3243-
3244- return page;
3245-}
3246diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
3247index 3d6b782..8b3baeb 100644
3248--- a/arch/arm/kernel/smp.c
3249+++ b/arch/arm/kernel/smp.c
3250@@ -76,7 +76,7 @@ enum ipi_msg_type {
3251
3252 static DECLARE_COMPLETION(cpu_running);
3253
3254-static struct smp_operations smp_ops;
3255+static struct smp_operations smp_ops __read_only;
3256
3257 void __init smp_set_ops(struct smp_operations *ops)
3258 {
3259diff --git a/arch/arm/kernel/tcm.c b/arch/arm/kernel/tcm.c
3260index b10e136..cb5edf9 100644
3261--- a/arch/arm/kernel/tcm.c
3262+++ b/arch/arm/kernel/tcm.c
3263@@ -64,7 +64,7 @@ static struct map_desc itcm_iomap[] __initdata = {
3264 .virtual = ITCM_OFFSET,
3265 .pfn = __phys_to_pfn(ITCM_OFFSET),
3266 .length = 0,
3267- .type = MT_MEMORY_RWX_ITCM,
3268+ .type = MT_MEMORY_RX_ITCM,
3269 }
3270 };
3271
3272@@ -362,7 +362,9 @@ no_dtcm:
3273 start = &__sitcm_text;
3274 end = &__eitcm_text;
3275 ram = &__itcm_start;
3276+ pax_open_kernel();
3277 memcpy(start, ram, itcm_code_sz);
3278+ pax_close_kernel();
3279 pr_debug("CPU ITCM: copied code from %p - %p\n",
3280 start, end);
3281 itcm_present = true;
3282diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
3283index d358226..bfd4019 100644
3284--- a/arch/arm/kernel/traps.c
3285+++ b/arch/arm/kernel/traps.c
3286@@ -65,7 +65,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
3287 void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
3288 {
3289 #ifdef CONFIG_KALLSYMS
3290- printk("[<%08lx>] (%ps) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from);
3291+ printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from);
3292 #else
3293 printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
3294 #endif
3295@@ -267,6 +267,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
3296 static int die_owner = -1;
3297 static unsigned int die_nest_count;
3298
3299+extern void gr_handle_kernel_exploit(void);
3300+
3301 static unsigned long oops_begin(void)
3302 {
3303 int cpu;
3304@@ -309,6 +311,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
3305 panic("Fatal exception in interrupt");
3306 if (panic_on_oops)
3307 panic("Fatal exception");
3308+
3309+ gr_handle_kernel_exploit();
3310+
3311 if (signr)
3312 do_exit(signr);
3313 }
3314@@ -870,7 +875,11 @@ void __init early_trap_init(void *vectors_base)
3315 kuser_init(vectors_base);
3316
3317 flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
3318- modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
3319+
3320+#ifndef CONFIG_PAX_MEMORY_UDEREF
3321+ modify_domain(DOMAIN_USER, DOMAIN_USERCLIENT);
3322+#endif
3323+
3324 #else /* ifndef CONFIG_CPU_V7M */
3325 /*
3326 * on V7-M there is no need to copy the vector table to a dedicated
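Review bot: With `CONFIG_PAX_MEMORY_UDEREF` set, the `modify_domain()` call on `DOMAIN_USER` is compiled out and nothing in the hunk says where user-domain access is lowered instead. The head.S hunk in this patch shows `DOMAIN_USER` starting out as `DOMAIN_MANAGER` in `__enable_mmu`, so a reader has to assume another path takes over. I would add a comment inside the `#ifndef`, e.g. `/* UDEREF: DOMAIN_USER access is set through the per-thread cpu_domain value written to DACR (see pax_exit_kernel) - confirm */`. `early_trap_init()` begins outside the hunk.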
3327diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
3328index 8b60fde..8d986dd 100644
3329--- a/arch/arm/kernel/vmlinux.lds.S
3330+++ b/arch/arm/kernel/vmlinux.lds.S
3331@@ -37,7 +37,7 @@
3332 #endif
3333
3334 #if (defined(CONFIG_SMP_ON_UP) && !defined(CONFIG_DEBUG_SPINLOCK)) || \
3335- defined(CONFIG_GENERIC_BUG)
3336+ defined(CONFIG_GENERIC_BUG) || defined(CONFIG_PAX_REFCOUNT)
3337 #define ARM_EXIT_KEEP(x) x
3338 #define ARM_EXIT_DISCARD(x)
3339 #else
3340@@ -120,6 +120,8 @@ SECTIONS
3341 #ifdef CONFIG_DEBUG_RODATA
3342 . = ALIGN(1<<SECTION_SHIFT);
3343 #endif
3344+ _etext = .; /* End of text section */
3345+
3346 RO_DATA(PAGE_SIZE)
3347
3348 . = ALIGN(4);
3349@@ -150,8 +152,6 @@ SECTIONS
3350
3351 NOTES
3352
3353- _etext = .; /* End of text and rodata section */
3354-
3355 #ifndef CONFIG_XIP_KERNEL
3356 # ifdef CONFIG_ARM_KERNMEM_PERMS
3357 . = ALIGN(1<<SECTION_SHIFT);
3358diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
3359index f9c341c..7430436 100644
3360--- a/arch/arm/kvm/arm.c
3361+++ b/arch/arm/kvm/arm.c
3362@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
3363 static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu);
3364
3365 /* The VMID used in the VTTBR */
3366-static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
3367+static atomic64_unchecked_t kvm_vmid_gen = ATOMIC64_INIT(1);
3368 static u8 kvm_next_vmid;
3369 static DEFINE_SPINLOCK(kvm_vmid_lock);
3370
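Review bot: `kvm_vmid_gen` is switched to `atomic64_unchecked_t` with no reason given, here and at its users in the following hunks (`need_new_vmid_gen()` and twice in `update_vttbr()`). The `_unchecked` variants presumably exempt the counter from overflow detection, which fits a generation number that is not a reference count, but the next reader cannot tell that from the code. Extending the existing comment to `/* The VMID used in the VTTBR; generation counter, not a refcount, so exempt from overflow checking */` would record the decision.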
3371@@ -372,7 +372,7 @@ void force_vm_exit(const cpumask_t *mask)
3372 */
3373 static bool need_new_vmid_gen(struct kvm *kvm)
3374 {
3375- return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
3376+ return unlikely(kvm->arch.vmid_gen != atomic64_read_unchecked(&kvm_vmid_gen));
3377 }
3378
3379 /**
3380@@ -405,7 +405,7 @@ static void update_vttbr(struct kvm *kvm)
3381
3382 /* First user of a new VMID generation? */
3383 if (unlikely(kvm_next_vmid == 0)) {
3384- atomic64_inc(&kvm_vmid_gen);
3385+ atomic64_inc_unchecked(&kvm_vmid_gen);
3386 kvm_next_vmid = 1;
3387
3388 /*
3389@@ -422,7 +422,7 @@ static void update_vttbr(struct kvm *kvm)
3390 kvm_call_hyp(__kvm_flush_vm_context);
3391 }
3392
3393- kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
3394+ kvm->arch.vmid_gen = atomic64_read_unchecked(&kvm_vmid_gen);
3395 kvm->arch.vmid = kvm_next_vmid;
3396 kvm_next_vmid++;
3397
3398@@ -1110,7 +1110,7 @@ struct kvm_vcpu *kvm_mpidr_to_vcpu(struct kvm *kvm, unsigned long mpidr)
3399 /**
3400 * Initialize Hyp-mode and memory mappings on all CPUs.
3401 */
3402-int kvm_arch_init(void *opaque)
3403+int kvm_arch_init(const void *opaque)
3404 {
3405 int err;
3406 int ret, cpu;
3407diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S
3408index 1710fd7..ec3e014 100644
3409--- a/arch/arm/lib/clear_user.S
3410+++ b/arch/arm/lib/clear_user.S
3411@@ -12,14 +12,14 @@
3412
3413 .text
3414
3415-/* Prototype: int __clear_user(void *addr, size_t sz)
3416+/* Prototype: int ___clear_user(void *addr, size_t sz)
3417 * Purpose : clear some user memory
3418 * Params : addr - user memory address to clear
3419 * : sz - number of bytes to clear
3420 * Returns : number of bytes NOT cleared
3421 */
3422 ENTRY(__clear_user_std)
3423-WEAK(__clear_user)
3424+WEAK(___clear_user)
3425 stmfd sp!, {r1, lr}
3426 mov r2, #0
3427 cmp r1, #4
3428@@ -44,7 +44,7 @@ WEAK(__clear_user)
3429 USER( strnebt r2, [r0])
3430 mov r0, #0
3431 ldmfd sp!, {r1, pc}
3432-ENDPROC(__clear_user)
3433+ENDPROC(___clear_user)
3434 ENDPROC(__clear_user_std)
3435
3436 .pushsection .text.fixup,"ax"
3437diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
3438index 7a235b9..73a0556 100644
3439--- a/arch/arm/lib/copy_from_user.S
3440+++ b/arch/arm/lib/copy_from_user.S
3441@@ -17,7 +17,7 @@
3442 /*
3443 * Prototype:
3444 *
3445- * size_t __copy_from_user(void *to, const void *from, size_t n)
3446+ * size_t ___copy_from_user(void *to, const void *from, size_t n)
3447 *
3448 * Purpose:
3449 *
3450@@ -89,11 +89,11 @@
3451
3452 .text
3453
3454-ENTRY(__copy_from_user)
3455+ENTRY(___copy_from_user)
3456
3457 #include "copy_template.S"
3458
3459-ENDPROC(__copy_from_user)
3460+ENDPROC(___copy_from_user)
3461
3462 .pushsection .fixup,"ax"
3463 .align 0
3464diff --git a/arch/arm/lib/copy_page.S b/arch/arm/lib/copy_page.S
3465index 6ee2f67..d1cce76 100644
3466--- a/arch/arm/lib/copy_page.S
3467+++ b/arch/arm/lib/copy_page.S
3468@@ -10,6 +10,7 @@
3469 * ASM optimised string functions
3470 */
3471 #include <linux/linkage.h>
3472+#include <linux/const.h>
3473 #include <asm/assembler.h>
3474 #include <asm/asm-offsets.h>
3475 #include <asm/cache.h>
3476diff --git a/arch/arm/lib/copy_to_user.S b/arch/arm/lib/copy_to_user.S
3477index 9648b06..19c333c 100644
3478--- a/arch/arm/lib/copy_to_user.S
3479+++ b/arch/arm/lib/copy_to_user.S
3480@@ -17,7 +17,7 @@
3481 /*
3482 * Prototype:
3483 *
3484- * size_t __copy_to_user(void *to, const void *from, size_t n)
3485+ * size_t ___copy_to_user(void *to, const void *from, size_t n)
3486 *
3487 * Purpose:
3488 *
3489@@ -93,11 +93,11 @@
3490 .text
3491
3492 ENTRY(__copy_to_user_std)
3493-WEAK(__copy_to_user)
3494+WEAK(___copy_to_user)
3495
3496 #include "copy_template.S"
3497
3498-ENDPROC(__copy_to_user)
3499+ENDPROC(___copy_to_user)
3500 ENDPROC(__copy_to_user_std)
3501
3502 .pushsection .text.fixup,"ax"
3503diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
3504index 1d0957e..f708846 100644
3505--- a/arch/arm/lib/csumpartialcopyuser.S
3506+++ b/arch/arm/lib/csumpartialcopyuser.S
3507@@ -57,8 +57,8 @@
3508 * Returns : r0 = checksum, [[sp, #0], #0] = 0 or -EFAULT
3509 */
3510
3511-#define FN_ENTRY ENTRY(csum_partial_copy_from_user)
3512-#define FN_EXIT ENDPROC(csum_partial_copy_from_user)
3513+#define FN_ENTRY ENTRY(__csum_partial_copy_from_user)
3514+#define FN_EXIT ENDPROC(__csum_partial_copy_from_user)
3515
3516 #include "csumpartialcopygeneric.S"
3517
3518diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c
3519index 8044591..c9b2609 100644
3520--- a/arch/arm/lib/delay.c
3521+++ b/arch/arm/lib/delay.c
3522@@ -29,7 +29,7 @@
3523 /*
3524 * Default to the loop-based delay implementation.
3525 */
3526-struct arm_delay_ops arm_delay_ops = {
3527+struct arm_delay_ops arm_delay_ops __read_only = {
3528 .delay = __loop_delay,
3529 .const_udelay = __loop_const_udelay,
3530 .udelay = __loop_udelay,
3531diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
3532index 4b39af2..9ae747d 100644
3533--- a/arch/arm/lib/uaccess_with_memcpy.c
3534+++ b/arch/arm/lib/uaccess_with_memcpy.c
3535@@ -85,7 +85,7 @@ pin_page_for_write(const void __user *_addr, pte_t **ptep, spinlock_t **ptlp)
3536 return 1;
3537 }
3538
3539-static unsigned long noinline
3540+static unsigned long noinline __size_overflow(3)
3541 __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
3542 {
3543 int atomic;
3544@@ -136,7 +136,7 @@ out:
3545 }
3546
3547 unsigned long
3548-__copy_to_user(void __user *to, const void *from, unsigned long n)
3549+___copy_to_user(void __user *to, const void *from, unsigned long n)
3550 {
3551 /*
3552 * This test is stubbed out of the main function above to keep
3553@@ -150,7 +150,7 @@ __copy_to_user(void __user *to, const void *from, unsigned long n)
3554 return __copy_to_user_memcpy(to, from, n);
3555 }
3556
3557-static unsigned long noinline
3558+static unsigned long noinline __size_overflow(2)
3559 __clear_user_memset(void __user *addr, unsigned long n)
3560 {
3561 if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
3562@@ -190,7 +190,7 @@ out:
3563 return n;
3564 }
3565
3566-unsigned long __clear_user(void __user *addr, unsigned long n)
3567+unsigned long ___clear_user(void __user *addr, unsigned long n)
3568 {
3569 /* See rational for this in __copy_to_user() above. */
3570 if (n < 64)
3571diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
3572index f572219..2cf36d5 100644
3573--- a/arch/arm/mach-exynos/suspend.c
3574+++ b/arch/arm/mach-exynos/suspend.c
3575@@ -732,8 +732,10 @@ void __init exynos_pm_init(void)
3576 tmp |= pm_data->wake_disable_mask;
3577 pmu_raw_writel(tmp, S5P_WAKEUP_MASK);
3578
3579- exynos_pm_syscore_ops.suspend = pm_data->pm_suspend;
3580- exynos_pm_syscore_ops.resume = pm_data->pm_resume;
3581+ pax_open_kernel();
3582+ *(void **)&exynos_pm_syscore_ops.suspend = pm_data->pm_suspend;
3583+ *(void **)&exynos_pm_syscore_ops.resume = pm_data->pm_resume;
3584+ pax_close_kernel();
3585
3586 register_syscore_ops(&exynos_pm_syscore_ops);
3587 suspend_set_ops(&exynos_suspend_ops);
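Review bot: The stores through `*(void **)&exynos_pm_syscore_ops.suspend` and `.resume` drop all type checking on the function pointers, so a `pm_suspend` or `pm_resume` hook with the wrong signature would now be accepted silently. The same cast is used in the powerdomains43xx_data.c, platsmp-apmu.c, pm-r8a7740.c and pm-sh73a0.c hunks. The check can be kept at build time with one line per store, e.g. `BUILD_BUG_ON(!__same_type(exynos_pm_syscore_ops.suspend, pm_data->pm_suspend));`, placed before `pax_open_kernel()`. A short comment, `/* ops struct is read-only; one-time init store */`, would also explain why the write window is opened. `exynos_pm_init()` begins and ends outside the hunk.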
3588diff --git a/arch/arm/mach-mvebu/coherency.c b/arch/arm/mach-mvebu/coherency.c
3589index e46e9ea..9141c83 100644
3590--- a/arch/arm/mach-mvebu/coherency.c
3591+++ b/arch/arm/mach-mvebu/coherency.c
3592@@ -117,7 +117,7 @@ static void __init armada_370_coherency_init(struct device_node *np)
3593
3594 /*
3595 * This ioremap hook is used on Armada 375/38x to ensure that PCIe
3596- * memory areas are mapped as MT_UNCACHED instead of MT_DEVICE. This
3597+ * memory areas are mapped as MT_UNCACHED_RW instead of MT_DEVICE. This
3598 * is needed as a workaround for a deadlock issue between the PCIe
3599 * interface and the cache controller.
3600 */
3601@@ -130,7 +130,7 @@ armada_pcie_wa_ioremap_caller(phys_addr_t phys_addr, size_t size,
3602 mvebu_mbus_get_pcie_mem_aperture(&pcie_mem);
3603
3604 if (pcie_mem.start <= phys_addr && (phys_addr + size) <= pcie_mem.end)
3605- mtype = MT_UNCACHED;
3606+ mtype = MT_UNCACHED_RW;
3607
3608 return __arm_ioremap_caller(phys_addr, size, mtype, caller);
3609 }
3610diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c
3611index b6443a4..20a0b74 100644
3612--- a/arch/arm/mach-omap2/board-n8x0.c
3613+++ b/arch/arm/mach-omap2/board-n8x0.c
3614@@ -569,7 +569,7 @@ static int n8x0_menelaus_late_init(struct device *dev)
3615 }
3616 #endif
3617
3618-struct menelaus_platform_data n8x0_menelaus_platform_data __initdata = {
3619+struct menelaus_platform_data n8x0_menelaus_platform_data __initconst = {
3620 .late_init = n8x0_menelaus_late_init,
3621 };
3622
3623diff --git a/arch/arm/mach-omap2/omap-mpuss-lowpower.c b/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3624index 79f49d9..70bf184 100644
3625--- a/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3626+++ b/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3627@@ -86,7 +86,7 @@ struct cpu_pm_ops {
3628 void (*resume)(void);
3629 void (*scu_prepare)(unsigned int cpu_id, unsigned int cpu_state);
3630 void (*hotplug_restart)(void);
3631-};
3632+} __no_const;
3633
3634 static DEFINE_PER_CPU(struct omap4_cpu_pm_info, omap4_pm_info);
3635 static struct powerdomain *mpuss_pd;
3636@@ -105,7 +105,7 @@ static void dummy_cpu_resume(void)
3637 static void dummy_scu_prepare(unsigned int cpu_id, unsigned int cpu_state)
3638 {}
3639
3640-struct cpu_pm_ops omap_pm_ops = {
3641+static struct cpu_pm_ops omap_pm_ops __read_only = {
3642 .finish_suspend = default_finish_suspend,
3643 .resume = dummy_cpu_resume,
3644 .scu_prepare = dummy_scu_prepare,
3645diff --git a/arch/arm/mach-omap2/omap-smp.c b/arch/arm/mach-omap2/omap-smp.c
3646index 5305ec7..6d74045 100644
3647--- a/arch/arm/mach-omap2/omap-smp.c
3648+++ b/arch/arm/mach-omap2/omap-smp.c
3649@@ -19,6 +19,7 @@
3650 #include <linux/device.h>
3651 #include <linux/smp.h>
3652 #include <linux/io.h>
3653+#include <linux/irq.h>
3654 #include <linux/irqchip/arm-gic.h>
3655
3656 #include <asm/smp_scu.h>
3657diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c
3658index e1d2e99..d9b3177 100644
3659--- a/arch/arm/mach-omap2/omap-wakeupgen.c
3660+++ b/arch/arm/mach-omap2/omap-wakeupgen.c
3661@@ -330,7 +330,7 @@ static int irq_cpu_hotplug_notify(struct notifier_block *self,
3662 return NOTIFY_OK;
3663 }
3664
3665-static struct notifier_block __refdata irq_hotplug_notifier = {
3666+static struct notifier_block irq_hotplug_notifier = {
3667 .notifier_call = irq_cpu_hotplug_notify,
3668 };
3669
3670diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c
3671index 4cb8fd9..5ce65bc 100644
3672--- a/arch/arm/mach-omap2/omap_device.c
3673+++ b/arch/arm/mach-omap2/omap_device.c
3674@@ -504,7 +504,7 @@ void omap_device_delete(struct omap_device *od)
3675 struct platform_device __init *omap_device_build(const char *pdev_name,
3676 int pdev_id,
3677 struct omap_hwmod *oh,
3678- void *pdata, int pdata_len)
3679+ const void *pdata, int pdata_len)
3680 {
3681 struct omap_hwmod *ohs[] = { oh };
3682
3683@@ -532,7 +532,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name,
3684 struct platform_device __init *omap_device_build_ss(const char *pdev_name,
3685 int pdev_id,
3686 struct omap_hwmod **ohs,
3687- int oh_cnt, void *pdata,
3688+ int oh_cnt, const void *pdata,
3689 int pdata_len)
3690 {
3691 int ret = -ENOMEM;
3692diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h
3693index 78c02b3..c94109a 100644
3694--- a/arch/arm/mach-omap2/omap_device.h
3695+++ b/arch/arm/mach-omap2/omap_device.h
3696@@ -72,12 +72,12 @@ int omap_device_idle(struct platform_device *pdev);
3697 /* Core code interface */
3698
3699 struct platform_device *omap_device_build(const char *pdev_name, int pdev_id,
3700- struct omap_hwmod *oh, void *pdata,
3701+ struct omap_hwmod *oh, const void *pdata,
3702 int pdata_len);
3703
3704 struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id,
3705 struct omap_hwmod **oh, int oh_cnt,
3706- void *pdata, int pdata_len);
3707+ const void *pdata, int pdata_len);
3708
3709 struct omap_device *omap_device_alloc(struct platform_device *pdev,
3710 struct omap_hwmod **ohs, int oh_cnt);
3711diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
3712index 486cc4d..8d1a0b7 100644
3713--- a/arch/arm/mach-omap2/omap_hwmod.c
3714+++ b/arch/arm/mach-omap2/omap_hwmod.c
3715@@ -199,10 +199,10 @@ struct omap_hwmod_soc_ops {
3716 int (*init_clkdm)(struct omap_hwmod *oh);
3717 void (*update_context_lost)(struct omap_hwmod *oh);
3718 int (*get_context_lost)(struct omap_hwmod *oh);
3719-};
3720+} __no_const;
3721
3722 /* soc_ops: adapts the omap_hwmod code to the currently-booted SoC */
3723-static struct omap_hwmod_soc_ops soc_ops;
3724+static struct omap_hwmod_soc_ops soc_ops __read_only;
3725
3726 /* omap_hwmod_list contains all registered struct omap_hwmods */
3727 static LIST_HEAD(omap_hwmod_list);
3728diff --git a/arch/arm/mach-omap2/powerdomains43xx_data.c b/arch/arm/mach-omap2/powerdomains43xx_data.c
3729index 95fee54..cfa9cf1 100644
3730--- a/arch/arm/mach-omap2/powerdomains43xx_data.c
3731+++ b/arch/arm/mach-omap2/powerdomains43xx_data.c
3732@@ -10,6 +10,7 @@
3733
3734 #include <linux/kernel.h>
3735 #include <linux/init.h>
3736+#include <asm/pgtable.h>
3737
3738 #include "powerdomain.h"
3739
3740@@ -129,7 +130,9 @@ static int am43xx_check_vcvp(void)
3741
3742 void __init am43xx_powerdomains_init(void)
3743 {
3744- omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
3745+ pax_open_kernel();
3746+ *(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
3747+ pax_close_kernel();
3748 pwrdm_register_platform_funcs(&omap4_pwrdm_operations);
3749 pwrdm_register_pwrdms(powerdomains_am43xx);
3750 pwrdm_complete_init();
3751diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c
3752index ff0a68c..b312aa0 100644
3753--- a/arch/arm/mach-omap2/wd_timer.c
3754+++ b/arch/arm/mach-omap2/wd_timer.c
3755@@ -110,7 +110,9 @@ static int __init omap_init_wdt(void)
3756 struct omap_hwmod *oh;
3757 char *oh_name = "wd_timer2";
3758 char *dev_name = "omap_wdt";
3759- struct omap_wd_timer_platform_data pdata;
3760+ static struct omap_wd_timer_platform_data pdata = {
3761+ .read_reset_sources = prm_read_reset_sources
3762+ };
3763
3764 if (!cpu_class_is_omap2() || of_have_populated_dt())
3765 return 0;
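Review bot: `pdata` becomes a `static` object inside an `__init` function but, as written, is neither `const` nor init-annotated, so it stays in writable data for the life of the kernel although it is only handed to `omap_device_build()` once. The omap_device.h hunk in this patch changes that parameter to `const void *pdata`, so the declaration can be `static const struct omap_wd_timer_platform_data pdata = {`. If `omap_device_build()` copies the data, which is not visible here, `__initconst` could be added as well. The function continues in the next hunk, where the old run-time assignment is removed.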
3766@@ -121,8 +123,6 @@ static int __init omap_init_wdt(void)
3767 return -EINVAL;
3768 }
3769
3770- pdata.read_reset_sources = prm_read_reset_sources;
3771-
3772 pdev = omap_device_build(dev_name, id, oh, &pdata,
3773 sizeof(struct omap_wd_timer_platform_data));
3774 WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
3775diff --git a/arch/arm/mach-shmobile/platsmp-apmu.c b/arch/arm/mach-shmobile/platsmp-apmu.c
3776index b0790fc..71eb21f 100644
3777--- a/arch/arm/mach-shmobile/platsmp-apmu.c
3778+++ b/arch/arm/mach-shmobile/platsmp-apmu.c
3779@@ -22,6 +22,7 @@
3780 #include <asm/proc-fns.h>
3781 #include <asm/smp_plat.h>
3782 #include <asm/suspend.h>
3783+#include <asm/pgtable.h>
3784 #include "common.h"
3785 #include "platsmp-apmu.h"
3786
3787@@ -233,6 +234,8 @@ static int shmobile_smp_apmu_enter_suspend(suspend_state_t state)
3788
3789 void __init shmobile_smp_apmu_suspend_init(void)
3790 {
3791- shmobile_suspend_ops.enter = shmobile_smp_apmu_enter_suspend;
3792+ pax_open_kernel();
3793+ *(void **)&shmobile_suspend_ops.enter = shmobile_smp_apmu_enter_suspend;
3794+ pax_close_kernel();
3795 }
3796 #endif
3797diff --git a/arch/arm/mach-shmobile/pm-r8a7740.c b/arch/arm/mach-shmobile/pm-r8a7740.c
3798index 34608fc..344d7c0 100644
3799--- a/arch/arm/mach-shmobile/pm-r8a7740.c
3800+++ b/arch/arm/mach-shmobile/pm-r8a7740.c
3801@@ -11,6 +11,7 @@
3802 #include <linux/console.h>
3803 #include <linux/io.h>
3804 #include <linux/suspend.h>
3805+#include <asm/pgtable.h>
3806
3807 #include "common.h"
3808 #include "pm-rmobile.h"
3809@@ -117,7 +118,9 @@ static int r8a7740_enter_suspend(suspend_state_t suspend_state)
3810
3811 static void r8a7740_suspend_init(void)
3812 {
3813- shmobile_suspend_ops.enter = r8a7740_enter_suspend;
3814+ pax_open_kernel();
3815+ *(void **)&shmobile_suspend_ops.enter = r8a7740_enter_suspend;
3816+ pax_close_kernel();
3817 }
3818 #else
3819 static void r8a7740_suspend_init(void) {}
3820diff --git a/arch/arm/mach-shmobile/pm-sh73a0.c b/arch/arm/mach-shmobile/pm-sh73a0.c
3821index a7e4668..83334f33 100644
3822--- a/arch/arm/mach-shmobile/pm-sh73a0.c
3823+++ b/arch/arm/mach-shmobile/pm-sh73a0.c
3824@@ -9,6 +9,7 @@
3825 */
3826
3827 #include <linux/suspend.h>
3828+#include <asm/pgtable.h>
3829 #include "common.h"
3830
3831 #ifdef CONFIG_SUSPEND
3832@@ -20,7 +21,9 @@ static int sh73a0_enter_suspend(suspend_state_t suspend_state)
3833
3834 static void sh73a0_suspend_init(void)
3835 {
3836- shmobile_suspend_ops.enter = sh73a0_enter_suspend;
3837+ pax_open_kernel();
3838+ *(void **)&shmobile_suspend_ops.enter = sh73a0_enter_suspend;
3839+ pax_close_kernel();
3840 }
3841 #else
3842 static void sh73a0_suspend_init(void) {}
3843diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c
3844index 7469347..1ecc350 100644
3845--- a/arch/arm/mach-tegra/cpuidle-tegra20.c
3846+++ b/arch/arm/mach-tegra/cpuidle-tegra20.c
3847@@ -177,7 +177,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev,
3848 bool entered_lp2 = false;
3849
3850 if (tegra_pending_sgi())
3851- ACCESS_ONCE(abort_flag) = true;
3852+ ACCESS_ONCE_RW(abort_flag) = true;
3853
3854 cpuidle_coupled_parallel_barrier(dev, &abort_barrier);
3855
3856diff --git a/arch/arm/mach-tegra/irq.c b/arch/arm/mach-tegra/irq.c
3857index 3b9098d..15b390f 100644
3858--- a/arch/arm/mach-tegra/irq.c
3859+++ b/arch/arm/mach-tegra/irq.c
3860@@ -20,6 +20,7 @@
3861 #include <linux/cpu_pm.h>
3862 #include <linux/interrupt.h>
3863 #include <linux/io.h>
3864+#include <linux/irq.h>
3865 #include <linux/irqchip/arm-gic.h>
3866 #include <linux/irq.h>
3867 #include <linux/kernel.h>
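Review bot: The added `#include <linux/irq.h>` duplicates the include that already sits two lines further down in the same block, right after `<linux/irqchip/arm-gic.h>`. If the intent is to have the header seen before `arm-gic.h`, as the mach-ux500/pm.c and mach-zynq/platsmp.c hunks suggest, the later copy should be removed in the same change so the file keeps a single include. Otherwise the added line can simply be dropped.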
3868diff --git a/arch/arm/mach-ux500/pm.c b/arch/arm/mach-ux500/pm.c
3869index 8538910..2f39bc4 100644
3870--- a/arch/arm/mach-ux500/pm.c
3871+++ b/arch/arm/mach-ux500/pm.c
3872@@ -10,6 +10,7 @@
3873 */
3874
3875 #include <linux/kernel.h>
3876+#include <linux/irq.h>
3877 #include <linux/irqchip/arm-gic.h>
3878 #include <linux/delay.h>
3879 #include <linux/io.h>
3880diff --git a/arch/arm/mach-zynq/platsmp.c b/arch/arm/mach-zynq/platsmp.c
3881index f66816c..228b951 100644
3882--- a/arch/arm/mach-zynq/platsmp.c
3883+++ b/arch/arm/mach-zynq/platsmp.c
3884@@ -24,6 +24,7 @@
3885 #include <linux/io.h>
3886 #include <asm/cacheflush.h>
3887 #include <asm/smp_scu.h>
3888+#include <linux/irq.h>
3889 #include <linux/irqchip/arm-gic.h>
3890 #include "common.h"
3891
3892diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
3893index 7c6b976..055db09 100644
3894--- a/arch/arm/mm/Kconfig
3895+++ b/arch/arm/mm/Kconfig
3896@@ -446,6 +446,7 @@ config CPU_32v5
3897
3898 config CPU_32v6
3899 bool
3900+ select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
3901 select TLS_REG_EMUL if !CPU_32v6K && !MMU
3902
3903 config CPU_32v6K
3904@@ -600,6 +601,7 @@ config CPU_CP15_MPU
3905
3906 config CPU_USE_DOMAINS
3907 bool
3908+ depends on !ARM_LPAE && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
3909 help
3910 This option enables or disables the use of domain switching
3911 via the set_fs() function.
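Review bot: The new `depends on !ARM_LPAE && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF` on CPU_USE_DOMAINS does not restrain `select`, which turns a symbol on regardless of its dependencies. The CPU_32v6 hunk above adds the matching condition to its own `select`, but any other `select CPU_USE_DOMAINS` in this file lies outside the visible hunks. Each of those needs the same `if ... && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF` guard for the exclusion to hold. The help text of this entry continues past the end of the hunk.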
3912@@ -818,7 +820,7 @@ config NEED_KUSER_HELPERS
3913
3914 config KUSER_HELPERS
3915 bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
3916- depends on MMU
3917+ depends on MMU && (!(CPU_V6 || CPU_V6K || CPU_V7) || GRKERNSEC_OLD_ARM_USERLAND)
3918 default y
3919 help
3920 Warning: disabling this option may break user programs.
3921@@ -832,7 +834,7 @@ config KUSER_HELPERS
3922 See Documentation/arm/kernel_user_helpers.txt for details.
3923
3924 However, the fixed address nature of these helpers can be used
3925- by ROP (return orientated programming) authors when creating
3926+ by ROP (Return Oriented Programming) authors when creating
3927 exploits.
3928
3929 If all of the binaries and libraries which run on your platform
3930diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
3931index 9769f1e..16aaa55 100644
3932--- a/arch/arm/mm/alignment.c
3933+++ b/arch/arm/mm/alignment.c
3934@@ -216,10 +216,12 @@ union offset_union {
3935 #define __get16_unaligned_check(ins,val,addr) \
3936 do { \
3937 unsigned int err = 0, v, a = addr; \
3938+ pax_open_userland(); \
3939 __get8_unaligned_check(ins,v,a,err); \
3940 val = v << ((BE) ? 8 : 0); \
3941 __get8_unaligned_check(ins,v,a,err); \
3942 val |= v << ((BE) ? 0 : 8); \
3943+ pax_close_userland(); \
3944 if (err) \
3945 goto fault; \
3946 } while (0)
3947@@ -233,6 +235,7 @@ union offset_union {
3948 #define __get32_unaligned_check(ins,val,addr) \
3949 do { \
3950 unsigned int err = 0, v, a = addr; \
3951+ pax_open_userland(); \
3952 __get8_unaligned_check(ins,v,a,err); \
3953 val = v << ((BE) ? 24 : 0); \
3954 __get8_unaligned_check(ins,v,a,err); \
3955@@ -241,6 +244,7 @@ union offset_union {
3956 val |= v << ((BE) ? 8 : 16); \
3957 __get8_unaligned_check(ins,v,a,err); \
3958 val |= v << ((BE) ? 0 : 24); \
3959+ pax_close_userland(); \
3960 if (err) \
3961 goto fault; \
3962 } while (0)
3963@@ -254,6 +258,7 @@ union offset_union {
3964 #define __put16_unaligned_check(ins,val,addr) \
3965 do { \
3966 unsigned int err = 0, v = val, a = addr; \
3967+ pax_open_userland(); \
3968 __asm__( FIRST_BYTE_16 \
3969 ARM( "1: "ins" %1, [%2], #1\n" ) \
3970 THUMB( "1: "ins" %1, [%2]\n" ) \
3971@@ -273,6 +278,7 @@ union offset_union {
3972 " .popsection\n" \
3973 : "=r" (err), "=&r" (v), "=&r" (a) \
3974 : "0" (err), "1" (v), "2" (a)); \
3975+ pax_close_userland(); \
3976 if (err) \
3977 goto fault; \
3978 } while (0)
3979@@ -286,6 +292,7 @@ union offset_union {
3980 #define __put32_unaligned_check(ins,val,addr) \
3981 do { \
3982 unsigned int err = 0, v = val, a = addr; \
3983+ pax_open_userland(); \
3984 __asm__( FIRST_BYTE_32 \
3985 ARM( "1: "ins" %1, [%2], #1\n" ) \
3986 THUMB( "1: "ins" %1, [%2]\n" ) \
3987@@ -315,6 +322,7 @@ union offset_union {
3988 " .popsection\n" \
3989 : "=r" (err), "=&r" (v), "=&r" (a) \
3990 : "0" (err), "1" (v), "2" (a)); \
3991+ pax_close_userland(); \
3992 if (err) \
3993 goto fault; \
3994 } while (0)
3995diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
3996index 71b3d33..8af9ade 100644
3997--- a/arch/arm/mm/cache-l2x0.c
3998+++ b/arch/arm/mm/cache-l2x0.c
3999@@ -44,7 +44,7 @@ struct l2c_init_data {
4000 void (*configure)(void __iomem *);
4001 void (*unlock)(void __iomem *, unsigned);
4002 struct outer_cache_fns outer_cache;
4003-};
4004+} __do_const;
4005
4006 #define CACHE_LINE_SIZE 32
4007
4008diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
4009index 845769e..4278fd7 100644
4010--- a/arch/arm/mm/context.c
4011+++ b/arch/arm/mm/context.c
4012@@ -43,7 +43,7 @@
4013 #define NUM_USER_ASIDS ASID_FIRST_VERSION
4014
4015 static DEFINE_RAW_SPINLOCK(cpu_asid_lock);
4016-static atomic64_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
4017+static atomic64_unchecked_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
4018 static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS);
4019
4020 static DEFINE_PER_CPU(atomic64_t, active_asids);
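Review bot: The declaration of `asid_generation` switches to `atomic64_unchecked_t` without a comment saying why this counter is exempt from overflow checking, while `active_asids`, declared just below, stays a checked `atomic64_t`. A line such as `/* generation counter, not a reference count: exempt from overflow checking */` above the declaration would record the reasoning, which I am inferring from the name. The `_unchecked` accessors in the new_context() and check_and_switch_context() hunks below follow from this declaration.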
4021@@ -178,7 +178,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
4022 {
4023 static u32 cur_idx = 1;
4024 u64 asid = atomic64_read(&mm->context.id);
4025- u64 generation = atomic64_read(&asid_generation);
4026+ u64 generation = atomic64_read_unchecked(&asid_generation);
4027
4028 if (asid != 0) {
4029 /*
4030@@ -208,7 +208,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
4031 */
4032 asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx);
4033 if (asid == NUM_USER_ASIDS) {
4034- generation = atomic64_add_return(ASID_FIRST_VERSION,
4035+ generation = atomic64_add_return_unchecked(ASID_FIRST_VERSION,
4036 &asid_generation);
4037 flush_context(cpu);
4038 asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
4039@@ -240,14 +240,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
4040 cpu_set_reserved_ttbr0();
4041
4042 asid = atomic64_read(&mm->context.id);
4043- if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS)
4044+ if (!((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS)
4045 && atomic64_xchg(&per_cpu(active_asids, cpu), asid))
4046 goto switch_mm_fastpath;
4047
4048 raw_spin_lock_irqsave(&cpu_asid_lock, flags);
4049 /* Check that our ASID belongs to the current generation. */
4050 asid = atomic64_read(&mm->context.id);
4051- if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) {
4052+ if ((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS) {
4053 asid = new_context(mm, cpu);
4054 atomic64_set(&mm->context.id, asid);
4055 }
4056diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
4057index 0d629b8..01867c8 100644
4058--- a/arch/arm/mm/fault.c
4059+++ b/arch/arm/mm/fault.c
4060@@ -25,6 +25,7 @@
4061 #include <asm/system_misc.h>
4062 #include <asm/system_info.h>
4063 #include <asm/tlbflush.h>
4064+#include <asm/sections.h>
4065
4066 #include "fault.h"
4067
4068@@ -138,6 +139,31 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
4069 if (fixup_exception(regs))
4070 return;
4071
4072+#ifdef CONFIG_PAX_MEMORY_UDEREF
4073+ if (addr < TASK_SIZE) {
4074+ if (current->signal->curr_ip)
4075+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4076+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4077+ else
4078+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
4079+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4080+ }
4081+#endif
4082+
4083+#ifdef CONFIG_PAX_KERNEXEC
4084+ if ((fsr & FSR_WRITE) &&
4085+ (((unsigned long)_stext <= addr && addr < init_mm.end_code) ||
4086+ (MODULES_VADDR <= addr && addr < MODULES_END)))
4087+ {
4088+ if (current->signal->curr_ip)
4089+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4090+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
4091+ else
4092+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
4093+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
4094+ }
4095+#endif
4096+
4097 /*
4098 * No handler, we'll have to terminate things with extreme prejudice.
4099 */
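Review bot: The two report blocks added to __do_kernel_fault() each spell out the same printk twice, differing only in the `From %pI4:` prefix, and the UDEREF message is repeated again in the do_DataAbort() hunk below. A small static helper that takes the message tail and the optional address would keep the wording and the uid/euid arguments in one place, so the copies cannot drift apart. `current->comm` is printed with `%s` at KERN_EMERG; since a task can set its own name, anything that parses these lines should treat that field as untrusted text. The function starts and ends outside this hunk.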
4100@@ -173,6 +199,13 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr,
4101 }
4102 #endif
4103
4104+#ifdef CONFIG_PAX_PAGEEXEC
4105+ if (fsr & FSR_LNX_PF) {
4106+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
4107+ do_group_exit(SIGKILL);
4108+ }
4109+#endif
4110+
4111 tsk->thread.address = addr;
4112 tsk->thread.error_code = fsr;
4113 tsk->thread.trap_no = 14;
4114@@ -400,6 +433,33 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
4115 }
4116 #endif /* CONFIG_MMU */
4117
4118+#ifdef CONFIG_PAX_PAGEEXEC
4119+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
4120+{
4121+ long i;
4122+
4123+ printk(KERN_ERR "PAX: bytes at PC: ");
4124+ for (i = 0; i < 20; i++) {
4125+ unsigned char c;
4126+ if (get_user(c, (__force unsigned char __user *)pc+i))
4127+ printk(KERN_CONT "?? ");
4128+ else
4129+ printk(KERN_CONT "%02x ", c);
4130+ }
4131+ printk("\n");
4132+
4133+ printk(KERN_ERR "PAX: bytes at SP-4: ");
4134+ for (i = -1; i < 20; i++) {
4135+ unsigned long c;
4136+ if (get_user(c, (__force unsigned long __user *)sp+i))
4137+ printk(KERN_CONT "???????? ");
4138+ else
4139+ printk(KERN_CONT "%08lx ", c);
4140+ }
4141+ printk("\n");
4142+}
4143+#endif
4144+
4145 /*
4146 * First Level Translation Fault Handler
4147 *
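Review bot: pax_report_insns() ends each dump with a bare `printk("\n")`, while every other fragment of the same line is emitted with `KERN_CONT`. `printk(KERN_CONT "\n");` would make the continuation explicit instead of relying on how the log core joins fragments that carry no level. The loop bound `20` appears twice without a name, and the second loop starts at `i = -1` to include the word below `sp`, which the `SP-4` label hints at but no comment states. The `regs` parameter is never used in the body. A header comment saying that both pointers are user-mode addresses read through get_user(), so an unreadable location prints `??` instead of faulting, would explain the `__force ... __user` casts.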
4148@@ -547,9 +607,22 @@ do_DataAbort(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
4149 const struct fsr_info *inf = fsr_info + fsr_fs(fsr);
4150 struct siginfo info;
4151
4152+#ifdef CONFIG_PAX_MEMORY_UDEREF
4153+ if (addr < TASK_SIZE && is_domain_fault(fsr)) {
4154+ if (current->signal->curr_ip)
4155+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4156+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4157+ else
4158+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
4159+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4160+ goto die;
4161+ }
4162+#endif
4163+
4164 if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs))
4165 return;
4166
4167+die:
4168 pr_alert("Unhandled fault: %s (0x%03x) at 0x%08lx\n",
4169 inf->name, fsr, addr);
4170 show_pte(current->mm, addr);
4171@@ -574,15 +647,104 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
4172 ifsr_info[nr].name = name;
4173 }
4174
4175+asmlinkage int sys_sigreturn(struct pt_regs *regs);
4176+asmlinkage int sys_rt_sigreturn(struct pt_regs *regs);
4177+
4178 asmlinkage void __exception
4179 do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
4180 {
4181 const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
4182 struct siginfo info;
4183+ unsigned long pc = instruction_pointer(regs);
4184+
4185+ if (user_mode(regs)) {
4186+ unsigned long sigpage = current->mm->context.sigpage;
4187+
4188+ if (sigpage <= pc && pc < sigpage + 7*4) {
4189+ if (pc < sigpage + 3*4)
4190+ sys_sigreturn(regs);
4191+ else
4192+ sys_rt_sigreturn(regs);
4193+ return;
4194+ }
4195+ if (pc == 0xffff0f60UL) {
4196+ /*
4197+ * PaX: __kuser_cmpxchg64 emulation
4198+ */
4199+ // TODO
4200+ //regs->ARM_pc = regs->ARM_lr;
4201+ //return;
4202+ }
4203+ if (pc == 0xffff0fa0UL) {
4204+ /*
4205+ * PaX: __kuser_memory_barrier emulation
4206+ */
4207+ // dmb(); implied by the exception
4208+ regs->ARM_pc = regs->ARM_lr;
4209+ return;
4210+ }
4211+ if (pc == 0xffff0fc0UL) {
4212+ /*
4213+ * PaX: __kuser_cmpxchg emulation
4214+ */
4215+ // TODO
4216+ //long new;
4217+ //int op;
4218+
4219+ //op = FUTEX_OP_SET << 28;
4220+ //new = futex_atomic_op_inuser(op, regs->ARM_r2);
4221+ //regs->ARM_r0 = old != new;
4222+ //regs->ARM_pc = regs->ARM_lr;
4223+ //return;
4224+ }
4225+ if (pc == 0xffff0fe0UL) {
4226+ /*
4227+ * PaX: __kuser_get_tls emulation
4228+ */
4229+ regs->ARM_r0 = current_thread_info()->tp_value[0];
4230+ regs->ARM_pc = regs->ARM_lr;
4231+ return;
4232+ }
4233+ }
4234+
4235+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4236+ else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) {
4237+ if (current->signal->curr_ip)
4238+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4239+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
4240+ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
4241+ else
4242+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
4243+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
4244+ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
4245+ goto die;
4246+ }
4247+#endif
4248+
4249+#ifdef CONFIG_PAX_REFCOUNT
4250+ if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) {
4251+#ifdef CONFIG_THUMB2_KERNEL
4252+ unsigned short bkpt;
4253+
4254+ if (!probe_kernel_address(pc, bkpt) && cpu_to_le16(bkpt) == 0xbef1) {
4255+#else
4256+ unsigned int bkpt;
4257+
4258+ if (!probe_kernel_address(pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
4259+#endif
4260+ current->thread.error_code = ifsr;
4261+ current->thread.trap_no = 0;
4262+ pax_report_refcount_overflow(regs);
4263+ fixup_exception(regs);
4264+ return;
4265+ }
4266+ }
4267+#endif
4268
4269 if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
4270 return;
4271
4272+die:
4273 pr_alert("Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n",
4274 inf->name, ifsr, addr);
4275
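Review bot: The CONFIG_PAX_REFCOUNT block in do_PrefetchAbort() is not restricted to kernel mode: it follows the `if (user_mode(regs)) { ... }` chain instead of sitting in its else branch, so a debug fault taken from user mode also reaches `pax_report_refcount_overflow(regs)` when the word read at `pc` equals the marker value. Unless that helper, which is not on this page, filters user-mode callers itself, the condition should read `if (!user_mode(regs) && fsr_fs(ifsr) == FAULT_CODE_DEBUG) {`. Separately, the `else if` under `#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)` binds to `if (user_mode(regs))` across a blank line and a preprocessor conditional, which a later edit can break silently. The `__kuser_cmpxchg64` and `__kuser_cmpxchg` branches are empty TODOs that fall through to the normal handler, and a comment should say so. The function continues past the end of this hunk.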
4276diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h
4277index cf08bdf..772656c 100644
4278--- a/arch/arm/mm/fault.h
4279+++ b/arch/arm/mm/fault.h
4280@@ -3,6 +3,7 @@
4281
4282 /*
4283 * Fault status register encodings. We steal bit 31 for our own purposes.
4284+ * Set when the FSR value is from an instruction fault.
4285 */
4286 #define FSR_LNX_PF (1 << 31)
4287 #define FSR_WRITE (1 << 11)
4288@@ -22,6 +23,17 @@ static inline int fsr_fs(unsigned int fsr)
4289 }
4290 #endif
4291
4292+/* valid for LPAE and !LPAE */
4293+static inline int is_xn_fault(unsigned int fsr)
4294+{
4295+ return ((fsr_fs(fsr) & 0x3c) == 0xc);
4296+}
4297+
4298+static inline int is_domain_fault(unsigned int fsr)
4299+{
4300+ return ((fsr_fs(fsr) & 0xD) == 0x9);
4301+}
4302+
4303 void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs);
4304 unsigned long search_exception_table(unsigned long addr);
4305
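Review bot: is_xn_fault() and is_domain_fault() compare `fsr_fs()` against bare masks (`0x3c`/`0xc` and `0xD`/`0x9`) without saying which fault-status codes they are meant to match. The `0x3c` mask accepts every value from 0xc to 0xf, so the helper's name may be narrower than what it tests. The `/* valid for LPAE and !LPAE */` comment is attached only to is_xn_fault(), which leaves open whether is_domain_fault() is meant to be used with the LPAE encoding. I would list the intended status codes in a comment above each helper and state which descriptor format is_domain_fault() assumes.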
4306diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
4307index 8a63b4c..6b04370 100644
4308--- a/arch/arm/mm/init.c
4309+++ b/arch/arm/mm/init.c
4310@@ -710,7 +710,46 @@ void free_tcmmem(void)
4311 {
4312 #ifdef CONFIG_HAVE_TCM
4313 extern char __tcm_start, __tcm_end;
4314+#endif
4315
4316+#ifdef CONFIG_PAX_KERNEXEC
4317+ unsigned long addr;
4318+ pgd_t *pgd;
4319+ pud_t *pud;
4320+ pmd_t *pmd;
4321+ int cpu_arch = cpu_architecture();
4322+ unsigned int cr = get_cr();
4323+
4324+ if (cpu_arch >= CPU_ARCH_ARMv6 && (cr & CR_XP)) {
4325+ /* make pages tables, etc before .text NX */
4326+ for (addr = PAGE_OFFSET; addr < (unsigned long)_stext; addr += SECTION_SIZE) {
4327+ pgd = pgd_offset_k(addr);
4328+ pud = pud_offset(pgd, addr);
4329+ pmd = pmd_offset(pud, addr);
4330+ __section_update(pmd, addr, PMD_SECT_XN);
4331+ }
4332+ /* make init NX */
4333+ for (addr = (unsigned long)__init_begin; addr < (unsigned long)_sdata; addr += SECTION_SIZE) {
4334+ pgd = pgd_offset_k(addr);
4335+ pud = pud_offset(pgd, addr);
4336+ pmd = pmd_offset(pud, addr);
4337+ __section_update(pmd, addr, PMD_SECT_XN);
4338+ }
4339+ /* make kernel code/rodata RX */
4340+ for (addr = (unsigned long)_stext; addr < (unsigned long)__init_begin; addr += SECTION_SIZE) {
4341+ pgd = pgd_offset_k(addr);
4342+ pud = pud_offset(pgd, addr);
4343+ pmd = pmd_offset(pud, addr);
4344+#ifdef CONFIG_ARM_LPAE
4345+ __section_update(pmd, addr, PMD_SECT_RDONLY);
4346+#else
4347+ __section_update(pmd, addr, PMD_SECT_APX|PMD_SECT_AP_WRITE);
4348+#endif
4349+ }
4350+ }
4351+#endif
4352+
4353+#ifdef CONFIG_HAVE_TCM
4354 poison_init_mem(&__tcm_start, &__tcm_end - &__tcm_start);
4355 free_reserved_area(&__tcm_start, &__tcm_end, -1, "TCM link");
4356 #endif
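Review bot: The three KERNEXEC loops step by `SECTION_SIZE` between `PAGE_OFFSET`, `_stext`, `__init_begin` and `_sdata`, which gives the intended result only if each of those symbols is section-aligned; otherwise a section straddling a boundary is updated by two loops with different attributes. If the linker script guarantees that alignment under CONFIG_PAX_KERNEXEC (it is not on this page), a check such as `WARN_ON(!IS_ALIGNED((unsigned long)_stext, SECTION_SIZE));` per boundary would make the assumption visible. The pgd/pud/pmd walk is written out three times and could be one static helper taking the range and the attribute. The enclosing function's signature is outside the hunk.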
4357diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
4358index 0c81056..97279f7 100644
4359--- a/arch/arm/mm/ioremap.c
4360+++ b/arch/arm/mm/ioremap.c
4361@@ -405,9 +405,9 @@ __arm_ioremap_exec(phys_addr_t phys_addr, size_t size, bool cached)
4362 unsigned int mtype;
4363
4364 if (cached)
4365- mtype = MT_MEMORY_RWX;
4366+ mtype = MT_MEMORY_RX;
4367 else
4368- mtype = MT_MEMORY_RWX_NONCACHED;
4369+ mtype = MT_MEMORY_RX_NONCACHED;
4370
4371 return __arm_ioremap_caller(phys_addr, size, mtype,
4372 __builtin_return_address(0));
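Review bot: __arm_ioremap_exec() now returns `MT_MEMORY_RX` / `MT_MEMORY_RX_NONCACHED` mappings, which the mmu.c hunks on this page define with the read-only bits when CONFIG_PAX_KERNEXEC is set, so a caller that writes through the returned pointer would then fault. The callers are outside this hunk and each should be checked against the new behaviour. The function should carry a comment stating the contract, e.g. `/* returns an executable mapping that is not writable when CONFIG_PAX_KERNEXEC is set */`.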
4373diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
4374index 407dc78..047ce9d 100644
4375--- a/arch/arm/mm/mmap.c
4376+++ b/arch/arm/mm/mmap.c
4377@@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4378 struct vm_area_struct *vma;
4379 int do_align = 0;
4380 int aliasing = cache_is_vipt_aliasing();
4381+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
4382 struct vm_unmapped_area_info info;
4383
4384 /*
4385@@ -81,6 +82,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4386 if (len > TASK_SIZE)
4387 return -ENOMEM;
4388
4389+#ifdef CONFIG_PAX_RANDMMAP
4390+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4391+#endif
4392+
4393 if (addr) {
4394 if (do_align)
4395 addr = COLOUR_ALIGN(addr, pgoff);
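Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own: it governs the existing `if (addr) { ... }` that follows after the `#endif` and a blank line, so the control flow depends on which statement happens to come next. Folding the test into the statement it guards, or at least adding `/* PaX: the address hint is not honoured when RANDMMAP is active */` directly above it, would keep a later edit from slipping a statement in between. The same construct is used in the arch_get_unmapped_area_topdown() hunk, where a comment line sits between the guard and `if (addr)`, and in arch_pick_mmap_layout(), where it guards the `PF_RANDOMIZE` test. The function body starts and ends outside this hunk.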
4396@@ -88,8 +93,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4397 addr = PAGE_ALIGN(addr);
4398
4399 vma = find_vma(mm, addr);
4400- if (TASK_SIZE - len >= addr &&
4401- (!vma || addr + len <= vma->vm_start))
4402+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4403 return addr;
4404 }
4405
4406@@ -99,6 +103,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4407 info.high_limit = TASK_SIZE;
4408 info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
4409 info.align_offset = pgoff << PAGE_SHIFT;
4410+ info.threadstack_offset = offset;
4411 return vm_unmapped_area(&info);
4412 }
4413
4414@@ -112,6 +117,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4415 unsigned long addr = addr0;
4416 int do_align = 0;
4417 int aliasing = cache_is_vipt_aliasing();
4418+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
4419 struct vm_unmapped_area_info info;
4420
4421 /*
4422@@ -132,6 +138,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4423 return addr;
4424 }
4425
4426+#ifdef CONFIG_PAX_RANDMMAP
4427+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4428+#endif
4429+
4430 /* requesting a specific address */
4431 if (addr) {
4432 if (do_align)
4433@@ -139,8 +149,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4434 else
4435 addr = PAGE_ALIGN(addr);
4436 vma = find_vma(mm, addr);
4437- if (TASK_SIZE - len >= addr &&
4438- (!vma || addr + len <= vma->vm_start))
4439+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4440 return addr;
4441 }
4442
4443@@ -150,6 +159,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4444 info.high_limit = mm->mmap_base;
4445 info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
4446 info.align_offset = pgoff << PAGE_SHIFT;
4447+ info.threadstack_offset = offset;
4448 addr = vm_unmapped_area(&info);
4449
4450 /*
4451@@ -183,14 +193,30 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
4452 {
4453 unsigned long random_factor = 0UL;
4454
4455+#ifdef CONFIG_PAX_RANDMMAP
4456+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4457+#endif
4458+
4459 if (current->flags & PF_RANDOMIZE)
4460 random_factor = arch_mmap_rnd();
4461
4462 if (mmap_is_legacy()) {
4463 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4464+
4465+#ifdef CONFIG_PAX_RANDMMAP
4466+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4467+ mm->mmap_base += mm->delta_mmap;
4468+#endif
4469+
4470 mm->get_unmapped_area = arch_get_unmapped_area;
4471 } else {
4472 mm->mmap_base = mmap_base(random_factor);
4473+
4474+#ifdef CONFIG_PAX_RANDMMAP
4475+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4476+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4477+#endif
4478+
4479 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4480 }
4481 }
4482diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
4483index 870838a..070df1d 100644
4484--- a/arch/arm/mm/mmu.c
4485+++ b/arch/arm/mm/mmu.c
4486@@ -41,6 +41,22 @@
4487 #include "mm.h"
4488 #include "tcm.h"
4489
4490+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4491+void modify_domain(unsigned int dom, unsigned int type)
4492+{
4493+ struct thread_info *thread = current_thread_info();
4494+ unsigned int domain = thread->cpu_domain;
4495+ /*
4496+ * DOMAIN_MANAGER might be defined to some other value,
4497+ * use the arch-defined constant
4498+ */
4499+ domain &= ~domain_val(dom, 3);
4500+ thread->cpu_domain = domain | domain_val(dom, type);
4501+ set_domain(thread->cpu_domain);
4502+}
4503+EXPORT_SYMBOL(modify_domain);
4504+#endif
4505+
4506 /*
4507 * empty_zero_page is a special page that is used for
4508 * zero-initialized data and COW.
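Review bot: modify_domain() shifts `dom` and `type` into `thread->cpu_domain` without range-checking either argument, and it is exported to every module through `EXPORT_SYMBOL(modify_domain)`. Because it rewrites the calling thread's domain access value and applies it with set_domain(), I would drop the export if no modular caller exists (callers are not on this page). If the export stays, the accepted values should be documented above the function, e.g. `/* dom: DOMAIN_* index; type: 2-bit access value */`, which I am inferring from the `3` mask. The literal `3` in `domain_val(dom, 3)` is explained only indirectly by the comment above it and would read better as a named field mask.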
4509@@ -242,7 +258,15 @@ __setup("noalign", noalign_setup);
4510 #define PROT_PTE_S2_DEVICE PROT_PTE_DEVICE
4511 #define PROT_SECT_DEVICE PMD_TYPE_SECT|PMD_SECT_AP_WRITE
4512
4513-static struct mem_type mem_types[] = {
4514+#ifdef CONFIG_PAX_KERNEXEC
4515+#define L_PTE_KERNEXEC L_PTE_RDONLY
4516+#define PMD_SECT_KERNEXEC PMD_SECT_RDONLY
4517+#else
4518+#define L_PTE_KERNEXEC L_PTE_DIRTY
4519+#define PMD_SECT_KERNEXEC PMD_SECT_AP_WRITE
4520+#endif
4521+
4522+static struct mem_type mem_types[] __read_only = {
4523 [MT_DEVICE] = { /* Strongly ordered / ARMv6 shared device */
4524 .prot_pte = PROT_PTE_DEVICE | L_PTE_MT_DEV_SHARED |
4525 L_PTE_SHARED,
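Review bot: `L_PTE_KERNEXEC` and `PMD_SECT_KERNEXEC` expand to the read-only bits only when CONFIG_PAX_KERNEXEC is set; in the `#else` branch they become `L_PTE_DIRTY` and `PMD_SECT_AP_WRITE`, so the `MT_MEMORY_RX*` entries added further down are non-writable only with KERNEXEC enabled, despite their names. A comment above the `#ifdef`, for instance `/* attribute for executable kernel mappings: read-only with KERNEXEC, write-enabled otherwise */`, would stop readers from assuming the `_RX` types are always read-only. `mem_types[]` is also marked `__read_only` although build_mem_type_table() still writes to it; that function is `__init`, so this presumably relies on the section staying writable until init ends, which is worth stating next to the attribute. The array initializer continues outside this hunk.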
4526@@ -271,19 +295,19 @@ static struct mem_type mem_types[] = {
4527 .prot_sect = PROT_SECT_DEVICE,
4528 .domain = DOMAIN_IO,
4529 },
4530- [MT_UNCACHED] = {
4531+ [MT_UNCACHED_RW] = {
4532 .prot_pte = PROT_PTE_DEVICE,
4533 .prot_l1 = PMD_TYPE_TABLE,
4534 .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4535 .domain = DOMAIN_IO,
4536 },
4537- [MT_CACHECLEAN] = {
4538- .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4539+ [MT_CACHECLEAN_RO] = {
4540+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_RDONLY,
4541 .domain = DOMAIN_KERNEL,
4542 },
4543 #ifndef CONFIG_ARM_LPAE
4544- [MT_MINICLEAN] = {
4545- .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_MINICACHE,
4546+ [MT_MINICLEAN_RO] = {
4547+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_MINICACHE | PMD_SECT_XN | PMD_SECT_RDONLY,
4548 .domain = DOMAIN_KERNEL,
4549 },
4550 #endif
4551@@ -291,15 +315,15 @@ static struct mem_type mem_types[] = {
4552 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4553 L_PTE_RDONLY,
4554 .prot_l1 = PMD_TYPE_TABLE,
4555- .domain = DOMAIN_USER,
4556+ .domain = DOMAIN_VECTORS,
4557 },
4558 [MT_HIGH_VECTORS] = {
4559 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4560 L_PTE_USER | L_PTE_RDONLY,
4561 .prot_l1 = PMD_TYPE_TABLE,
4562- .domain = DOMAIN_USER,
4563+ .domain = DOMAIN_VECTORS,
4564 },
4565- [MT_MEMORY_RWX] = {
4566+ [__MT_MEMORY_RWX] = {
4567 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4568 .prot_l1 = PMD_TYPE_TABLE,
4569 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4570@@ -312,17 +336,30 @@ static struct mem_type mem_types[] = {
4571 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4572 .domain = DOMAIN_KERNEL,
4573 },
4574- [MT_ROM] = {
4575- .prot_sect = PMD_TYPE_SECT,
4576+ [MT_MEMORY_RX] = {
4577+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
4578+ .prot_l1 = PMD_TYPE_TABLE,
4579+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4580+ .domain = DOMAIN_KERNEL,
4581+ },
4582+ [MT_ROM_RX] = {
4583+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_RDONLY,
4584 .domain = DOMAIN_KERNEL,
4585 },
4586- [MT_MEMORY_RWX_NONCACHED] = {
4587+ [MT_MEMORY_RW_NONCACHED] = {
4588 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4589 L_PTE_MT_BUFFERABLE,
4590 .prot_l1 = PMD_TYPE_TABLE,
4591 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4592 .domain = DOMAIN_KERNEL,
4593 },
4594+ [MT_MEMORY_RX_NONCACHED] = {
4595+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC |
4596+ L_PTE_MT_BUFFERABLE,
4597+ .prot_l1 = PMD_TYPE_TABLE,
4598+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4599+ .domain = DOMAIN_KERNEL,
4600+ },
4601 [MT_MEMORY_RW_DTCM] = {
4602 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4603 L_PTE_XN,
4604@@ -330,9 +367,10 @@ static struct mem_type mem_types[] = {
4605 .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4606 .domain = DOMAIN_KERNEL,
4607 },
4608- [MT_MEMORY_RWX_ITCM] = {
4609- .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4610+ [MT_MEMORY_RX_ITCM] = {
4611+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
4612 .prot_l1 = PMD_TYPE_TABLE,
4613+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4614 .domain = DOMAIN_KERNEL,
4615 },
4616 [MT_MEMORY_RW_SO] = {
4617@@ -544,9 +582,14 @@ static void __init build_mem_type_table(void)
4618 * Mark cache clean areas and XIP ROM read only
4619 * from SVC mode and no access from userspace.
4620 */
4621- mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4622- mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4623- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4624+ mem_types[MT_ROM_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4625+#ifdef CONFIG_PAX_KERNEXEC
4626+ mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4627+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4628+ mem_types[MT_MEMORY_RX_ITCM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4629+#endif
4630+ mem_types[MT_MINICLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4631+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4632 #endif
4633
4634 /*
4635@@ -563,13 +606,17 @@ static void __init build_mem_type_table(void)
4636 mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED;
4637 mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S;
4638 mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED;
4639- mem_types[MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
4640- mem_types[MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
4641+ mem_types[__MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
4642+ mem_types[__MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
4643 mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_S;
4644 mem_types[MT_MEMORY_RW].prot_pte |= L_PTE_SHARED;
4645+ mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_S;
4646+ mem_types[MT_MEMORY_RX].prot_pte |= L_PTE_SHARED;
4647 mem_types[MT_MEMORY_DMA_READY].prot_pte |= L_PTE_SHARED;
4648- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_S;
4649- mem_types[MT_MEMORY_RWX_NONCACHED].prot_pte |= L_PTE_SHARED;
4650+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_S;
4651+ mem_types[MT_MEMORY_RW_NONCACHED].prot_pte |= L_PTE_SHARED;
4652+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_S;
4653+ mem_types[MT_MEMORY_RX_NONCACHED].prot_pte |= L_PTE_SHARED;
4654 }
4655 }
4656
4657@@ -580,15 +627,20 @@ static void __init build_mem_type_table(void)
4658 if (cpu_arch >= CPU_ARCH_ARMv6) {
4659 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
4660 /* Non-cacheable Normal is XCB = 001 */
4661- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |=
4662+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |=
4663+ PMD_SECT_BUFFERED;
4664+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |=
4665 PMD_SECT_BUFFERED;
4666 } else {
4667 /* For both ARMv6 and non-TEX-remapping ARMv7 */
4668- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |=
4669+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |=
4670+ PMD_SECT_TEX(1);
4671+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |=
4672 PMD_SECT_TEX(1);
4673 }
4674 } else {
4675- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4676+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4677+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4678 }
4679
4680 #ifdef CONFIG_ARM_LPAE
4681@@ -609,6 +661,8 @@ static void __init build_mem_type_table(void)
4682 user_pgprot |= PTE_EXT_PXN;
4683 #endif
4684
4685+ user_pgprot |= __supported_pte_mask;
4686+
4687 for (i = 0; i < 16; i++) {
4688 pteval_t v = pgprot_val(protection_map[i]);
4689 protection_map[i] = __pgprot(v | user_pgprot);
4690@@ -626,21 +680,24 @@ static void __init build_mem_type_table(void)
4691
4692 mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask;
4693 mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask;
4694- mem_types[MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
4695- mem_types[MT_MEMORY_RWX].prot_pte |= kern_pgprot;
4696+ mem_types[__MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
4697+ mem_types[__MT_MEMORY_RWX].prot_pte |= kern_pgprot;
4698 mem_types[MT_MEMORY_RW].prot_sect |= ecc_mask | cp->pmd;
4699 mem_types[MT_MEMORY_RW].prot_pte |= kern_pgprot;
4700+ mem_types[MT_MEMORY_RX].prot_sect |= ecc_mask | cp->pmd;
4701+ mem_types[MT_MEMORY_RX].prot_pte |= kern_pgprot;
4702 mem_types[MT_MEMORY_DMA_READY].prot_pte |= kern_pgprot;
4703- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= ecc_mask;
4704- mem_types[MT_ROM].prot_sect |= cp->pmd;
4705+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= ecc_mask;
4706+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= ecc_mask;
4707+ mem_types[MT_ROM_RX].prot_sect |= cp->pmd;
4708
4709 switch (cp->pmd) {
4710 case PMD_SECT_WT:
4711- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WT;
4712+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WT;
4713 break;
4714 case PMD_SECT_WB:
4715 case PMD_SECT_WBWA:
4716- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WB;
4717+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WB;
4718 break;
4719 }
4720 pr_info("Memory policy: %sData cache %s\n",
4721@@ -854,7 +911,7 @@ static void __init create_mapping(struct map_desc *md)
4722 return;
4723 }
4724
4725- if ((md->type == MT_DEVICE || md->type == MT_ROM) &&
4726+ if ((md->type == MT_DEVICE || md->type == MT_ROM_RX) &&
4727 md->virtual >= PAGE_OFFSET &&
4728 (md->virtual < VMALLOC_START || md->virtual >= VMALLOC_END)) {
4729 pr_warn("BUG: mapping for 0x%08llx at 0x%08lx out of vmalloc space\n",
4730@@ -1224,18 +1281,15 @@ void __init arm_mm_memblock_reserve(void)
4731 * called function. This means you can't use any function or debugging
4732 * method which may touch any device, otherwise the kernel _will_ crash.
4733 */
4734+
4735+static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE);
4736+
4737 static void __init devicemaps_init(const struct machine_desc *mdesc)
4738 {
4739 struct map_desc map;
4740 unsigned long addr;
4741- void *vectors;
4742
4743- /*
4744- * Allocate the vector page early.
4745- */
4746- vectors = early_alloc(PAGE_SIZE * 2);
4747-
4748- early_trap_init(vectors);
4749+ early_trap_init(&vectors);
4750
4751 for (addr = VMALLOC_START; addr; addr += PMD_SIZE)
4752 pmd_clear(pmd_off_k(addr));
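Review bot: The block comment that ends just above the new `vectors` array was written for devicemaps_init(), and the insertion now separates the two, so the warning about not touching devices reads as if it described the array. Move the declaration above that comment and give it its own one, e.g. `/* exception vector pages: static and __read_only rather than early_alloc()'d */`. `early_trap_init(&vectors)` passes a pointer-to-array where the old code passed a `void *`; plain `vectors` yields the same address with the conventional type, and the same applies to `virt_to_phys(&vectors)` in the later hunk of this function. The comment starts before this hunk and devicemaps_init() continues past it.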
4753@@ -1248,7 +1302,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4754 map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK);
4755 map.virtual = MODULES_VADDR;
4756 map.length = ((unsigned long)_etext - map.virtual + ~SECTION_MASK) & SECTION_MASK;
4757- map.type = MT_ROM;
4758+ map.type = MT_ROM_RX;
4759 create_mapping(&map);
4760 #endif
4761
4762@@ -1259,14 +1313,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4763 map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS);
4764 map.virtual = FLUSH_BASE;
4765 map.length = SZ_1M;
4766- map.type = MT_CACHECLEAN;
4767+ map.type = MT_CACHECLEAN_RO;
4768 create_mapping(&map);
4769 #endif
4770 #ifdef FLUSH_BASE_MINICACHE
4771 map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS + SZ_1M);
4772 map.virtual = FLUSH_BASE_MINICACHE;
4773 map.length = SZ_1M;
4774- map.type = MT_MINICLEAN;
4775+ map.type = MT_MINICLEAN_RO;
4776 create_mapping(&map);
4777 #endif
4778
4779@@ -1275,7 +1329,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4780 * location (0xffff0000). If we aren't using high-vectors, also
4781 * create a mapping at the low-vectors virtual address.
4782 */
4783- map.pfn = __phys_to_pfn(virt_to_phys(vectors));
4784+ map.pfn = __phys_to_pfn(virt_to_phys(&vectors));
4785 map.virtual = 0xffff0000;
4786 map.length = PAGE_SIZE;
4787 #ifdef CONFIG_KUSER_HELPERS
4788@@ -1335,8 +1389,10 @@ static void __init kmap_init(void)
4789 static void __init map_lowmem(void)
4790 {
4791 struct memblock_region *reg;
4792+#ifndef CONFIG_PAX_KERNEXEC
4793 phys_addr_t kernel_x_start = round_down(__pa(_stext), SECTION_SIZE);
4794 phys_addr_t kernel_x_end = round_up(__pa(__init_end), SECTION_SIZE);
4795+#endif
4796
4797 /* Map all the lowmem memory banks. */
4798 for_each_memblock(memory, reg) {
4799@@ -1349,11 +1405,48 @@ static void __init map_lowmem(void)
4800 if (start >= end)
4801 break;
4802
4803+#ifdef CONFIG_PAX_KERNEXEC
4804+ map.pfn = __phys_to_pfn(start);
4805+ map.virtual = __phys_to_virt(start);
4806+ map.length = end - start;
4807+
4808+ if (map.virtual <= (unsigned long)_stext && ((unsigned long)_end < (map.virtual + map.length))) {
4809+ struct map_desc kernel;
4810+ struct map_desc initmap;
4811+
4812+ /* when freeing initmem we will make this RW */
4813+ initmap.pfn = __phys_to_pfn(__pa(__init_begin));
4814+ initmap.virtual = (unsigned long)__init_begin;
4815+ initmap.length = _sdata - __init_begin;
4816+ initmap.type = __MT_MEMORY_RWX;
4817+ create_mapping(&initmap);
4818+
4819+ /* when freeing initmem we will make this RX */
4820+ kernel.pfn = __phys_to_pfn(__pa(_stext));
4821+ kernel.virtual = (unsigned long)_stext;
4822+ kernel.length = __init_begin - _stext;
4823+ kernel.type = __MT_MEMORY_RWX;
4824+ create_mapping(&kernel);
4825+
4826+ if (map.virtual < (unsigned long)_stext) {
4827+ map.length = (unsigned long)_stext - map.virtual;
4828+ map.type = __MT_MEMORY_RWX;
4829+ create_mapping(&map);
4830+ }
4831+
4832+ map.pfn = __phys_to_pfn(__pa(_sdata));
4833+ map.virtual = (unsigned long)_sdata;
4834+ map.length = end - __pa(_sdata);
4835+ }
4836+
4837+ map.type = MT_MEMORY_RW;
4838+ create_mapping(&map);
4839+#else
4840 if (end < kernel_x_start) {
4841 map.pfn = __phys_to_pfn(start);
4842 map.virtual = __phys_to_virt(start);
4843 map.length = end - start;
4844- map.type = MT_MEMORY_RWX;
4845+ map.type = __MT_MEMORY_RWX;
4846
4847 create_mapping(&map);
4848 } else if (start >= kernel_x_end) {
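Review bot: The KERNEXEC split at `if (map.virtual <= (unsigned long)_stext && ((unsigned long)_end < (map.virtual + map.length)))` only triggers when the whole image lies strictly inside one memblock region. When `_end` coincides with the end of the region, or the image spans two regions, the code falls through and maps the entire range as `MT_MEMORY_RW`. If that cannot happen it deserves a comment saying why; otherwise the upper comparison presumably wants to be inclusive, `(unsigned long)_end <= (map.virtual + map.length)`. The two comments "when freeing initmem we will make this RW/RX" would also be clearer if they named the function that performs the later remapping, which is not in this hunk. map_lowmem() begins before the hunk and continues after it.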
4849@@ -1377,7 +1470,7 @@ static void __init map_lowmem(void)
4850 map.pfn = __phys_to_pfn(kernel_x_start);
4851 map.virtual = __phys_to_virt(kernel_x_start);
4852 map.length = kernel_x_end - kernel_x_start;
4853- map.type = MT_MEMORY_RWX;
4854+ map.type = __MT_MEMORY_RWX;
4855
4856 create_mapping(&map);
4857
4858@@ -1390,6 +1483,7 @@ static void __init map_lowmem(void)
4859 create_mapping(&map);
4860 }
4861 }
4862+#endif
4863 }
4864 }
4865
4866diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
4867index c011e22..92a0260 100644
4868--- a/arch/arm/net/bpf_jit_32.c
4869+++ b/arch/arm/net/bpf_jit_32.c
4870@@ -20,6 +20,7 @@
4871 #include <asm/cacheflush.h>
4872 #include <asm/hwcap.h>
4873 #include <asm/opcodes.h>
4874+#include <asm/pgtable.h>
4875
4876 #include "bpf_jit_32.h"
4877
4878@@ -72,54 +73,38 @@ struct jit_ctx {
4879 #endif
4880 };
4881
4882+#ifdef CONFIG_GRKERNSEC_BPF_HARDEN
4883+int bpf_jit_enable __read_only;
4884+#else
4885 int bpf_jit_enable __read_mostly;
4886+#endif
4887
4888-static inline int call_neg_helper(struct sk_buff *skb, int offset, void *ret,
4889- unsigned int size)
4890-{
4891- void *ptr = bpf_internal_load_pointer_neg_helper(skb, offset, size);
4892-
4893- if (!ptr)
4894- return -EFAULT;
4895- memcpy(ret, ptr, size);
4896- return 0;
4897-}
4898-
4899-static u64 jit_get_skb_b(struct sk_buff *skb, int offset)
4900+static u64 jit_get_skb_b(struct sk_buff *skb, unsigned offset)
4901 {
4902 u8 ret;
4903 int err;
4904
4905- if (offset < 0)
4906- err = call_neg_helper(skb, offset, &ret, 1);
4907- else
4908- err = skb_copy_bits(skb, offset, &ret, 1);
4909+ err = skb_copy_bits(skb, offset, &ret, 1);
4910
4911 return (u64)err << 32 | ret;
4912 }
4913
4914-static u64 jit_get_skb_h(struct sk_buff *skb, int offset)
4915+static u64 jit_get_skb_h(struct sk_buff *skb, unsigned offset)
4916 {
4917 u16 ret;
4918 int err;
4919
4920- if (offset < 0)
4921- err = call_neg_helper(skb, offset, &ret, 2);
4922- else
4923- err = skb_copy_bits(skb, offset, &ret, 2);
4924+ err = skb_copy_bits(skb, offset, &ret, 2);
4925
4926 return (u64)err << 32 | ntohs(ret);
4927 }
4928
4929-static u64 jit_get_skb_w(struct sk_buff *skb, int offset)
4930+static u64 jit_get_skb_w(struct sk_buff *skb, unsigned offset)
4931 {
4932 u32 ret;
4933 int err;
4934
4935- if (offset < 0)
4936- err = call_neg_helper(skb, offset, &ret, 4);
4937- else
4938- err = skb_copy_bits(skb, offset, &ret, 4);
4939+ err = skb_copy_bits(skb, offset, &ret, 4);
4940
4941 return (u64)err << 32 | ntohl(ret);
4942 }
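Review bot: With `call_neg_helper()` removed, `jit_get_skb_b()`, `jit_get_skb_h()` and `jit_get_skb_w()` depend entirely on their callers never passing an offset with the top bit set. The parameter is now `unsigned`, but `skb_copy_bits()` takes an `int` offset, so such a value becomes negative again at the call. The only guard visible in this patch is the `(int)k < 0` check added at the `load:` label in build_body(), which covers constant offsets; whether paths entering at `load_common:` with a run-time offset are covered cannot be seen from these hunks. A local check in each helper would keep the contract next to the code, e.g. `if ((int)offset < 0) return (u64)-EFAULT << 32;`, together with a one-line comment above the helpers stating that negative offsets are left to the interpreter.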
4943@@ -199,8 +184,10 @@ static void jit_fill_hole(void *area, unsigned int size)
4944 {
4945 u32 *ptr;
4946 /* We are guaranteed to have aligned memory. */
4947+ pax_open_kernel();
4948 for (ptr = area; size >= sizeof(u32); size -= sizeof(u32))
4949 *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
4950+ pax_close_kernel();
4951 }
4952
4953 static void build_prologue(struct jit_ctx *ctx)
4954@@ -556,6 +543,9 @@ static int build_body(struct jit_ctx *ctx)
4955 case BPF_LD | BPF_B | BPF_ABS:
4956 load_order = 0;
4957 load:
4958+ /* the interpreter will deal with the negative K */
4959+ if ((int)k < 0)
4960+ return -ENOTSUPP;
4961 emit_mov_i(r_off, k, ctx);
4962 load_common:
4963 ctx->seen |= SEEN_DATA | SEEN_CALL;
4964@@ -570,18 +560,6 @@ load_common:
4965 condt = ARM_COND_HI;
4966 }
4967
4968- /*
4969- * test for negative offset, only if we are
4970- * currently scheduled to take the fast
4971- * path. this will update the flags so that
4972- * the slowpath instruction are ignored if the
4973- * offset is negative.
4974- *
4975- * for loard_order == 0 the HI condition will
4976- * make loads at offset 0 take the slow path too.
4977- */
4978- _emit(condt, ARM_CMP_I(r_off, 0), ctx);
4979-
4980 _emit(condt, ARM_ADD_R(r_scratch, r_off, r_skb_data),
4981 ctx);
4982
4983diff --git a/arch/arm/plat-iop/setup.c b/arch/arm/plat-iop/setup.c
4984index 5b217f4..c23f40e 100644
4985--- a/arch/arm/plat-iop/setup.c
4986+++ b/arch/arm/plat-iop/setup.c
4987@@ -24,7 +24,7 @@ static struct map_desc iop3xx_std_desc[] __initdata = {
4988 .virtual = IOP3XX_PERIPHERAL_VIRT_BASE,
4989 .pfn = __phys_to_pfn(IOP3XX_PERIPHERAL_PHYS_BASE),
4990 .length = IOP3XX_PERIPHERAL_SIZE,
4991- .type = MT_UNCACHED,
4992+ .type = MT_UNCACHED_RW,
4993 },
4994 };
4995
4996diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c
4997index a5bc92d..0bb4730 100644
4998--- a/arch/arm/plat-omap/sram.c
4999+++ b/arch/arm/plat-omap/sram.c
5000@@ -93,6 +93,8 @@ void __init omap_map_sram(unsigned long start, unsigned long size,
5001 * Looks like we need to preserve some bootloader code at the
5002 * beginning of SRAM for jumping to flash for reboot to work...
5003 */
5004+ pax_open_kernel();
5005 memset_io(omap_sram_base + omap_sram_skip, 0,
5006 omap_sram_size - omap_sram_skip);
5007+ pax_close_kernel();
5008 }
5009diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
5010index d6285ef..b684dac 100644
5011--- a/arch/arm64/Kconfig.debug
5012+++ b/arch/arm64/Kconfig.debug
5013@@ -10,6 +10,7 @@ config ARM64_PTDUMP
5014 bool "Export kernel pagetable layout to userspace via debugfs"
5015 depends on DEBUG_KERNEL
5016 select DEBUG_FS
5017+ depends on !GRKERNSEC_KMEM
5018 help
5019 Say Y here if you want to show the kernel pagetable layout in a
5020 debugfs file. This information is only useful for kernel developers
5021diff --git a/arch/arm64/include/asm/atomic.h b/arch/arm64/include/asm/atomic.h
5022index 7047051..44e8675 100644
5023--- a/arch/arm64/include/asm/atomic.h
5024+++ b/arch/arm64/include/asm/atomic.h
5025@@ -252,5 +252,15 @@ static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
5026 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
5027 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
5028
5029+#define atomic64_read_unchecked(v) atomic64_read(v)
5030+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5031+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5032+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5033+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5034+#define atomic64_inc_unchecked(v) atomic64_inc(v)
5035+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5036+#define atomic64_dec_unchecked(v) atomic64_dec(v)
5037+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5038+
5039 #endif
5040 #endif
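Review bot: These `atomic64_*_unchecked` macros are plain aliases of the regular operations, and nothing in the hunk says why the distinction is void on this architecture. A short comment above the block would make that explicit, e.g. `/* no overflow-checked atomic64_t here: the _unchecked variants are the plain ops */`; that meaning is inferred from the naming and should be confirmed. The same nine lines are pasted into arch/frv/include/asm/atomic.h and arch/ia64/include/asm/atomic.h further down, so the comment applies there as well, and a single shared fallback header would avoid the three copies drifting apart.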
5041diff --git a/arch/arm64/include/asm/barrier.h b/arch/arm64/include/asm/barrier.h
5042index 0fa47c4..b167938 100644
5043--- a/arch/arm64/include/asm/barrier.h
5044+++ b/arch/arm64/include/asm/barrier.h
5045@@ -44,7 +44,7 @@
5046 do { \
5047 compiletime_assert_atomic_type(*p); \
5048 barrier(); \
5049- ACCESS_ONCE(*p) = (v); \
5050+ ACCESS_ONCE_RW(*p) = (v); \
5051 } while (0)
5052
5053 #define smp_load_acquire(p) \
5054diff --git a/arch/arm64/include/asm/percpu.h b/arch/arm64/include/asm/percpu.h
5055index 4fde8c1..441f84f 100644
5056--- a/arch/arm64/include/asm/percpu.h
5057+++ b/arch/arm64/include/asm/percpu.h
5058@@ -135,16 +135,16 @@ static inline void __percpu_write(void *ptr, unsigned long val, int size)
5059 {
5060 switch (size) {
5061 case 1:
5062- ACCESS_ONCE(*(u8 *)ptr) = (u8)val;
5063+ ACCESS_ONCE_RW(*(u8 *)ptr) = (u8)val;
5064 break;
5065 case 2:
5066- ACCESS_ONCE(*(u16 *)ptr) = (u16)val;
5067+ ACCESS_ONCE_RW(*(u16 *)ptr) = (u16)val;
5068 break;
5069 case 4:
5070- ACCESS_ONCE(*(u32 *)ptr) = (u32)val;
5071+ ACCESS_ONCE_RW(*(u32 *)ptr) = (u32)val;
5072 break;
5073 case 8:
5074- ACCESS_ONCE(*(u64 *)ptr) = (u64)val;
5075+ ACCESS_ONCE_RW(*(u64 *)ptr) = (u64)val;
5076 break;
5077 default:
5078 BUILD_BUG();
5079diff --git a/arch/arm64/include/asm/pgalloc.h b/arch/arm64/include/asm/pgalloc.h
5080index 7642056..bffc904 100644
5081--- a/arch/arm64/include/asm/pgalloc.h
5082+++ b/arch/arm64/include/asm/pgalloc.h
5083@@ -46,6 +46,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
5084 set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
5085 }
5086
5087+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
5088+{
5089+ pud_populate(mm, pud, pmd);
5090+}
5091+
5092 #endif /* CONFIG_PGTABLE_LEVELS > 2 */
5093
5094 #if CONFIG_PGTABLE_LEVELS > 3
5095diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
5096index 07e1ba44..ec8cbbb 100644
5097--- a/arch/arm64/include/asm/uaccess.h
5098+++ b/arch/arm64/include/asm/uaccess.h
5099@@ -99,6 +99,7 @@ static inline void set_fs(mm_segment_t fs)
5100 flag; \
5101 })
5102
5103+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
5104 #define access_ok(type, addr, size) __range_ok(addr, size)
5105 #define user_addr_max get_fs
5106
5107diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c
5108index e8ca6ea..13671a9 100644
5109--- a/arch/arm64/kernel/efi.c
5110+++ b/arch/arm64/kernel/efi.c
5111@@ -258,7 +258,8 @@ static bool __init efi_virtmap_init(void)
5112 */
5113 if (!is_normal_ram(md))
5114 prot = __pgprot(PROT_DEVICE_nGnRE);
5115- else if (md->type == EFI_RUNTIME_SERVICES_CODE)
5116+ else if (md->type == EFI_RUNTIME_SERVICES_CODE ||
5117+ !PAGE_ALIGNED(md->phys_addr))
5118 prot = PAGE_KERNEL_EXEC;
5119 else
5120 prot = PAGE_KERNEL;
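Review bot: The added `!PAGE_ALIGNED(md->phys_addr)` arm maps every normal-RAM runtime region that does not start on a page boundary with `PAGE_KERNEL_EXEC`, data regions included, and the hunk gives no reason for it. Because this deliberately widens what is mapped executable, the condition needs a comment stating why an unaligned region cannot be mapped non-executable (presumably because it can share a kernel page with runtime code when the kernel page size exceeds the firmware's granule; to be confirmed). The comment that closes on the first context line starts outside the hunk, so it may need extending rather than a new one being added.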
5121diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c
5122index d16a1ce..a5acc60 100644
5123--- a/arch/arm64/mm/dma-mapping.c
5124+++ b/arch/arm64/mm/dma-mapping.c
5125@@ -134,7 +134,7 @@ static void __dma_free_coherent(struct device *dev, size_t size,
5126 phys_to_page(paddr),
5127 size >> PAGE_SHIFT);
5128 if (!freed)
5129- swiotlb_free_coherent(dev, size, vaddr, dma_handle);
5130+ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs);
5131 }
5132
5133 static void *__dma_alloc(struct device *dev, size_t size,
5134diff --git a/arch/avr32/include/asm/cache.h b/arch/avr32/include/asm/cache.h
5135index c3a58a1..78fbf54 100644
5136--- a/arch/avr32/include/asm/cache.h
5137+++ b/arch/avr32/include/asm/cache.h
5138@@ -1,8 +1,10 @@
5139 #ifndef __ASM_AVR32_CACHE_H
5140 #define __ASM_AVR32_CACHE_H
5141
5142+#include <linux/const.h>
5143+
5144 #define L1_CACHE_SHIFT 5
5145-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5146+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5147
5148 /*
5149 * Memory returned by kmalloc() may be used for DMA, so we must make
5150diff --git a/arch/avr32/include/asm/elf.h b/arch/avr32/include/asm/elf.h
5151index 0388ece..87c8df1 100644
5152--- a/arch/avr32/include/asm/elf.h
5153+++ b/arch/avr32/include/asm/elf.h
5154@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpregset_t;
5155 the loader. We need to make sure that it is out of the way of the program
5156 that it will "exec", and that there is sufficient room for the brk. */
5157
5158-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
5159+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
5160
5161+#ifdef CONFIG_PAX_ASLR
5162+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
5163+
5164+#define PAX_DELTA_MMAP_LEN 15
5165+#define PAX_DELTA_STACK_LEN 15
5166+#endif
5167
5168 /* This yields a mask that user programs can use to figure out what
5169 instruction set this CPU supports. This could be done in user space,
5170diff --git a/arch/avr32/include/asm/kmap_types.h b/arch/avr32/include/asm/kmap_types.h
5171index 479330b..53717a8 100644
5172--- a/arch/avr32/include/asm/kmap_types.h
5173+++ b/arch/avr32/include/asm/kmap_types.h
5174@@ -2,9 +2,9 @@
5175 #define __ASM_AVR32_KMAP_TYPES_H
5176
5177 #ifdef CONFIG_DEBUG_HIGHMEM
5178-# define KM_TYPE_NR 29
5179+# define KM_TYPE_NR 30
5180 #else
5181-# define KM_TYPE_NR 14
5182+# define KM_TYPE_NR 15
5183 #endif
5184
5185 #endif /* __ASM_AVR32_KMAP_TYPES_H */
5186diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
5187index c035339..e1fa594 100644
5188--- a/arch/avr32/mm/fault.c
5189+++ b/arch/avr32/mm/fault.c
5190@@ -41,6 +41,23 @@ static inline int notify_page_fault(struct pt_regs *regs, int trap)
5191
5192 int exception_trace = 1;
5193
5194+#ifdef CONFIG_PAX_PAGEEXEC
5195+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5196+{
5197+ unsigned long i;
5198+
5199+ printk(KERN_ERR "PAX: bytes at PC: ");
5200+ for (i = 0; i < 20; i++) {
5201+ unsigned char c;
5202+ if (get_user(c, (unsigned char *)pc+i))
5203+ printk(KERN_CONT "???????? ");
5204+ else
5205+ printk(KERN_CONT "%02x ", c);
5206+ }
5207+ printk("\n");
5208+}
5209+#endif
5210+
5211 /*
5212 * This routine handles page faults. It determines the address and the
5213 * problem, and then passes it off to one of the appropriate routines.
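Review bot: The closing `printk("\n")` in pax_report_insns() carries no log level, unlike the `KERN_CONT` fragments before it, so it can be emitted as a separate record at the default level instead of terminating the "PAX: bytes at PC:" line; `printk(KERN_CONT "\n");` keeps it attached. The placeholder printed when `get_user()` fails is eight `?` although each byte is printed as two hex digits, so `"?? "` would keep the dump aligned. `regs` and `sp` are unused in the body; if the signature is dictated by a shared prototype, a one-line comment saying so would help the next reader.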
5214@@ -178,6 +195,16 @@ bad_area:
5215 up_read(&mm->mmap_sem);
5216
5217 if (user_mode(regs)) {
5218+
5219+#ifdef CONFIG_PAX_PAGEEXEC
5220+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
5221+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
5222+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
5223+ do_group_exit(SIGKILL);
5224+ }
5225+ }
5226+#endif
5227+
5228 if (exception_trace && printk_ratelimit())
5229 printk("%s%s[%d]: segfault at %08lx pc %08lx "
5230 "sp %08lx ecr %lu\n",
5231diff --git a/arch/blackfin/Kconfig.debug b/arch/blackfin/Kconfig.debug
5232index f3337ee..15b6f8d 100644
5233--- a/arch/blackfin/Kconfig.debug
5234+++ b/arch/blackfin/Kconfig.debug
5235@@ -18,6 +18,7 @@ config DEBUG_VERBOSE
5236 config DEBUG_MMRS
5237 tristate "Generate Blackfin MMR tree"
5238 select DEBUG_FS
5239+ depends on !GRKERNSEC_KMEM
5240 help
5241 Create a tree of Blackfin MMRs via the debugfs tree. If
5242 you enable this, you will find all MMRs laid out in the
5243diff --git a/arch/blackfin/include/asm/cache.h b/arch/blackfin/include/asm/cache.h
5244index 568885a..f8008df 100644
5245--- a/arch/blackfin/include/asm/cache.h
5246+++ b/arch/blackfin/include/asm/cache.h
5247@@ -7,6 +7,7 @@
5248 #ifndef __ARCH_BLACKFIN_CACHE_H
5249 #define __ARCH_BLACKFIN_CACHE_H
5250
5251+#include <linux/const.h>
5252 #include <linux/linkage.h> /* for asmlinkage */
5253
5254 /*
5255@@ -14,7 +15,7 @@
5256 * Blackfin loads 32 bytes for cache
5257 */
5258 #define L1_CACHE_SHIFT 5
5259-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5260+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5261 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5262
5263 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5264diff --git a/arch/cris/include/arch-v10/arch/cache.h b/arch/cris/include/arch-v10/arch/cache.h
5265index aea2718..3639a60 100644
5266--- a/arch/cris/include/arch-v10/arch/cache.h
5267+++ b/arch/cris/include/arch-v10/arch/cache.h
5268@@ -1,8 +1,9 @@
5269 #ifndef _ASM_ARCH_CACHE_H
5270 #define _ASM_ARCH_CACHE_H
5271
5272+#include <linux/const.h>
5273 /* Etrax 100LX have 32-byte cache-lines. */
5274-#define L1_CACHE_BYTES 32
5275 #define L1_CACHE_SHIFT 5
5276+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5277
5278 #endif /* _ASM_ARCH_CACHE_H */
5279diff --git a/arch/cris/include/arch-v32/arch/cache.h b/arch/cris/include/arch-v32/arch/cache.h
5280index 7caf25d..ee65ac5 100644
5281--- a/arch/cris/include/arch-v32/arch/cache.h
5282+++ b/arch/cris/include/arch-v32/arch/cache.h
5283@@ -1,11 +1,12 @@
5284 #ifndef _ASM_CRIS_ARCH_CACHE_H
5285 #define _ASM_CRIS_ARCH_CACHE_H
5286
5287+#include <linux/const.h>
5288 #include <arch/hwregs/dma.h>
5289
5290 /* A cache-line is 32 bytes. */
5291-#define L1_CACHE_BYTES 32
5292 #define L1_CACHE_SHIFT 5
5293+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5294
5295 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
5296
5297diff --git a/arch/frv/include/asm/atomic.h b/arch/frv/include/asm/atomic.h
5298index 102190a..5334cea 100644
5299--- a/arch/frv/include/asm/atomic.h
5300+++ b/arch/frv/include/asm/atomic.h
5301@@ -181,6 +181,16 @@ static inline void atomic64_dec(atomic64_t *v)
5302 #define atomic64_cmpxchg(v, old, new) (__cmpxchg_64(old, new, &(v)->counter))
5303 #define atomic64_xchg(v, new) (__xchg_64(new, &(v)->counter))
5304
5305+#define atomic64_read_unchecked(v) atomic64_read(v)
5306+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5307+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5308+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5309+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5310+#define atomic64_inc_unchecked(v) atomic64_inc(v)
5311+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5312+#define atomic64_dec_unchecked(v) atomic64_dec(v)
5313+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5314+
5315 static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5316 {
5317 int c, old;
5318diff --git a/arch/frv/include/asm/cache.h b/arch/frv/include/asm/cache.h
5319index 2797163..c2a401df9 100644
5320--- a/arch/frv/include/asm/cache.h
5321+++ b/arch/frv/include/asm/cache.h
5322@@ -12,10 +12,11 @@
5323 #ifndef __ASM_CACHE_H
5324 #define __ASM_CACHE_H
5325
5326+#include <linux/const.h>
5327
5328 /* bytes per L1 cache line */
5329 #define L1_CACHE_SHIFT (CONFIG_FRV_L1_CACHE_SHIFT)
5330-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5331+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5332
5333 #define __cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
5334 #define ____cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
5335diff --git a/arch/frv/include/asm/kmap_types.h b/arch/frv/include/asm/kmap_types.h
5336index 43901f2..0d8b865 100644
5337--- a/arch/frv/include/asm/kmap_types.h
5338+++ b/arch/frv/include/asm/kmap_types.h
5339@@ -2,6 +2,6 @@
5340 #ifndef _ASM_KMAP_TYPES_H
5341 #define _ASM_KMAP_TYPES_H
5342
5343-#define KM_TYPE_NR 17
5344+#define KM_TYPE_NR 18
5345
5346 #endif
5347diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c
5348index 836f147..4cf23f5 100644
5349--- a/arch/frv/mm/elf-fdpic.c
5350+++ b/arch/frv/mm/elf-fdpic.c
5351@@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5352 {
5353 struct vm_area_struct *vma;
5354 struct vm_unmapped_area_info info;
5355+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
5356
5357 if (len > TASK_SIZE)
5358 return -ENOMEM;
5359@@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5360 if (addr) {
5361 addr = PAGE_ALIGN(addr);
5362 vma = find_vma(current->mm, addr);
5363- if (TASK_SIZE - len >= addr &&
5364- (!vma || addr + len <= vma->vm_start))
5365+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
5366 goto success;
5367 }
5368
5369@@ -85,6 +85,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5370 info.high_limit = (current->mm->start_stack - 0x00200000);
5371 info.align_mask = 0;
5372 info.align_offset = 0;
5373+ info.threadstack_offset = offset;
5374 addr = vm_unmapped_area(&info);
5375 if (!(addr & ~PAGE_MASK))
5376 goto success;
5377diff --git a/arch/hexagon/include/asm/cache.h b/arch/hexagon/include/asm/cache.h
5378index 69952c18..4fa2908 100644
5379--- a/arch/hexagon/include/asm/cache.h
5380+++ b/arch/hexagon/include/asm/cache.h
5381@@ -21,9 +21,11 @@
5382 #ifndef __ASM_CACHE_H
5383 #define __ASM_CACHE_H
5384
5385+#include <linux/const.h>
5386+
5387 /* Bytes per L1 cache line */
5388-#define L1_CACHE_SHIFT (5)
5389-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5390+#define L1_CACHE_SHIFT 5
5391+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5392
5393 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5394
5395diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
5396index 42a91a7..29d446e 100644
5397--- a/arch/ia64/Kconfig
5398+++ b/arch/ia64/Kconfig
5399@@ -518,6 +518,7 @@ source "drivers/sn/Kconfig"
5400 config KEXEC
5401 bool "kexec system call"
5402 depends on !IA64_HP_SIM && (!SMP || HOTPLUG_CPU)
5403+ depends on !GRKERNSEC_KMEM
5404 help
5405 kexec is a system call that implements the ability to shutdown your
5406 current kernel, and to start another kernel. It is like a reboot
5407diff --git a/arch/ia64/Makefile b/arch/ia64/Makefile
5408index 970d0bd..e750b9b 100644
5409--- a/arch/ia64/Makefile
5410+++ b/arch/ia64/Makefile
5411@@ -98,5 +98,6 @@ endef
5412 archprepare: make_nr_irqs_h FORCE
5413 PHONY += make_nr_irqs_h FORCE
5414
5415+make_nr_irqs_h: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS))
5416 make_nr_irqs_h: FORCE
5417 $(Q)$(MAKE) $(build)=arch/ia64/kernel include/generated/nr-irqs.h
5418diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h
5419index 0bf0350..2ad1957 100644
5420--- a/arch/ia64/include/asm/atomic.h
5421+++ b/arch/ia64/include/asm/atomic.h
5422@@ -193,4 +193,14 @@ atomic64_add_negative (__s64 i, atomic64_t *v)
5423 #define atomic64_inc(v) atomic64_add(1, (v))
5424 #define atomic64_dec(v) atomic64_sub(1, (v))
5425
5426+#define atomic64_read_unchecked(v) atomic64_read(v)
5427+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5428+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5429+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5430+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5431+#define atomic64_inc_unchecked(v) atomic64_inc(v)
5432+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5433+#define atomic64_dec_unchecked(v) atomic64_dec(v)
5434+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5435+
5436 #endif /* _ASM_IA64_ATOMIC_H */
5437diff --git a/arch/ia64/include/asm/barrier.h b/arch/ia64/include/asm/barrier.h
5438index 843ba43..fa118fb 100644
5439--- a/arch/ia64/include/asm/barrier.h
5440+++ b/arch/ia64/include/asm/barrier.h
5441@@ -66,7 +66,7 @@
5442 do { \
5443 compiletime_assert_atomic_type(*p); \
5444 barrier(); \
5445- ACCESS_ONCE(*p) = (v); \
5446+ ACCESS_ONCE_RW(*p) = (v); \
5447 } while (0)
5448
5449 #define smp_load_acquire(p) \
5450diff --git a/arch/ia64/include/asm/cache.h b/arch/ia64/include/asm/cache.h
5451index 988254a..e1ee885 100644
5452--- a/arch/ia64/include/asm/cache.h
5453+++ b/arch/ia64/include/asm/cache.h
5454@@ -1,6 +1,7 @@
5455 #ifndef _ASM_IA64_CACHE_H
5456 #define _ASM_IA64_CACHE_H
5457
5458+#include <linux/const.h>
5459
5460 /*
5461 * Copyright (C) 1998-2000 Hewlett-Packard Co
5462@@ -9,7 +10,7 @@
5463
5464 /* Bytes per L1 (data) cache line. */
5465 #define L1_CACHE_SHIFT CONFIG_IA64_L1_CACHE_SHIFT
5466-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5467+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5468
5469 #ifdef CONFIG_SMP
5470 # define SMP_CACHE_SHIFT L1_CACHE_SHIFT
5471diff --git a/arch/ia64/include/asm/elf.h b/arch/ia64/include/asm/elf.h
5472index 5a83c5c..4d7f553 100644
5473--- a/arch/ia64/include/asm/elf.h
5474+++ b/arch/ia64/include/asm/elf.h
5475@@ -42,6 +42,13 @@
5476 */
5477 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
5478
5479+#ifdef CONFIG_PAX_ASLR
5480+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
5481+
5482+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
5483+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
5484+#endif
5485+
5486 #define PT_IA_64_UNWIND 0x70000001
5487
5488 /* IA-64 relocations: */
5489diff --git a/arch/ia64/include/asm/pgalloc.h b/arch/ia64/include/asm/pgalloc.h
5490index f5e70e9..624fad5 100644
5491--- a/arch/ia64/include/asm/pgalloc.h
5492+++ b/arch/ia64/include/asm/pgalloc.h
5493@@ -39,6 +39,12 @@ pgd_populate(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
5494 pgd_val(*pgd_entry) = __pa(pud);
5495 }
5496
5497+static inline void
5498+pgd_populate_kernel(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
5499+{
5500+ pgd_populate(mm, pgd_entry, pud);
5501+}
5502+
5503 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
5504 {
5505 return quicklist_alloc(0, GFP_KERNEL, NULL);
5506@@ -57,6 +63,12 @@ pud_populate(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
5507 pud_val(*pud_entry) = __pa(pmd);
5508 }
5509
5510+static inline void
5511+pud_populate_kernel(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
5512+{
5513+ pud_populate(mm, pud_entry, pmd);
5514+}
5515+
5516 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr)
5517 {
5518 return quicklist_alloc(0, GFP_KERNEL, NULL);
5519diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h
5520index 9f3ed9e..c99b418 100644
5521--- a/arch/ia64/include/asm/pgtable.h
5522+++ b/arch/ia64/include/asm/pgtable.h
5523@@ -12,7 +12,7 @@
5524 * David Mosberger-Tang <davidm@hpl.hp.com>
5525 */
5526
5527-
5528+#include <linux/const.h>
5529 #include <asm/mman.h>
5530 #include <asm/page.h>
5531 #include <asm/processor.h>
5532@@ -139,6 +139,17 @@
5533 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5534 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5535 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
5536+
5537+#ifdef CONFIG_PAX_PAGEEXEC
5538+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
5539+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5540+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5541+#else
5542+# define PAGE_SHARED_NOEXEC PAGE_SHARED
5543+# define PAGE_READONLY_NOEXEC PAGE_READONLY
5544+# define PAGE_COPY_NOEXEC PAGE_COPY
5545+#endif
5546+
5547 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
5548 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
5549 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
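Review bot: The `CONFIG_PAX_PAGEEXEC` arm defines `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` with exactly the bits of `PAGE_READONLY` and `PAGE_COPY` shown just above, so both arms of the `#ifdef` yield the same protections for those two, and no comment says why. If that is intentional because `_PAGE_AR_R` and `_PAGE_AR_RW` already exclude execute (unlike the `_PAGE_AR_RX` used by `PAGE_COPY_EXEC`), say so, e.g. `/* AR_R and AR_RW carry no execute right, so the NOEXEC variants equal the plain ones on ia64 */`. `PAGE_SHARED` is defined outside the hunk, so the equivalence for `PAGE_SHARED_NOEXEC` should be confirmed there.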
5550diff --git a/arch/ia64/include/asm/spinlock.h b/arch/ia64/include/asm/spinlock.h
5551index 45698cd..e8e2dbc 100644
5552--- a/arch/ia64/include/asm/spinlock.h
5553+++ b/arch/ia64/include/asm/spinlock.h
5554@@ -71,7 +71,7 @@ static __always_inline void __ticket_spin_unlock(arch_spinlock_t *lock)
5555 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
5556
5557 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
5558- ACCESS_ONCE(*p) = (tmp + 2) & ~1;
5559+ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
5560 }
5561
5562 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
5563diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
5564index 4f3fb6cc..254055e 100644
5565--- a/arch/ia64/include/asm/uaccess.h
5566+++ b/arch/ia64/include/asm/uaccess.h
5567@@ -70,6 +70,7 @@
5568 && ((segment).seg == KERNEL_DS.seg \
5569 || likely(REGION_OFFSET((unsigned long) (addr)) < RGN_MAP_LIMIT))); \
5570 })
5571+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
5572 #define access_ok(type, addr, size) __access_ok((addr), (size), get_fs())
5573
5574 /*
5575@@ -241,12 +242,24 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use
5576 static inline unsigned long
5577 __copy_to_user (void __user *to, const void *from, unsigned long count)
5578 {
5579+ if (count > INT_MAX)
5580+ return count;
5581+
5582+ if (!__builtin_constant_p(count))
5583+ check_object_size(from, count, true);
5584+
5585 return __copy_user(to, (__force void __user *) from, count);
5586 }
5587
5588 static inline unsigned long
5589 __copy_from_user (void *to, const void __user *from, unsigned long count)
5590 {
5591+ if (count > INT_MAX)
5592+ return count;
5593+
5594+ if (!__builtin_constant_p(count))
5595+ check_object_size(to, count, false);
5596+
5597 return __copy_user((__force void __user *) to, from, count);
5598 }
5599
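Review bot: The new `count > INT_MAX` guards in `__copy_to_user` and `__copy_from_user` carry no comment explaining the bound, and the same limit is repeated as `__cu_len <= INT_MAX` in the `copy_to_user` and `copy_from_user` macros of the next two hunks. A one-line comment at the first site, such as `/* a length above INT_MAX can only come from a negative or overflowed size; refuse it */`, or a shared named limit, would keep the four checks in step. The `__copy_from_user` early return also leaves `to` untouched and reports the whole length as uncopied, so a caller that ignores the return value goes on to use whatever the buffer held. That contract deserves a sentence in the function comment.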
5600@@ -256,10 +269,13 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
5601 ({ \
5602 void __user *__cu_to = (to); \
5603 const void *__cu_from = (from); \
5604- long __cu_len = (n); \
5605+ unsigned long __cu_len = (n); \
5606 \
5607- if (__access_ok(__cu_to, __cu_len, get_fs())) \
5608+ if (__cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) { \
5609+ if (!__builtin_constant_p(n)) \
5610+ check_object_size(__cu_from, __cu_len, true); \
5611 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
5612+ } \
5613 __cu_len; \
5614 })
5615
5616@@ -267,11 +283,14 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
5617 ({ \
5618 void *__cu_to = (to); \
5619 const void __user *__cu_from = (from); \
5620- long __cu_len = (n); \
5621+ unsigned long __cu_len = (n); \
5622 \
5623 __chk_user_ptr(__cu_from); \
5624- if (__access_ok(__cu_from, __cu_len, get_fs())) \
5625+ if (__cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) { \
5626+ if (!__builtin_constant_p(n)) \
5627+ check_object_size(__cu_to, __cu_len, false); \
5628 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
5629+ } \
5630 __cu_len; \
5631 })
5632
5633diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
5634index b15933c..098b1c8 100644
5635--- a/arch/ia64/kernel/module.c
5636+++ b/arch/ia64/kernel/module.c
5637@@ -484,15 +484,39 @@ module_frob_arch_sections (Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, char *secstrings,
5638 }
5639
5640 static inline int
5641+in_init_rx (const struct module *mod, uint64_t addr)
5642+{
5643+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
5644+}
5645+
5646+static inline int
5647+in_init_rw (const struct module *mod, uint64_t addr)
5648+{
5649+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
5650+}
5651+
5652+static inline int
5653 in_init (const struct module *mod, uint64_t addr)
5654 {
5655- return addr - (uint64_t) mod->module_init < mod->init_size;
5656+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
5657+}
5658+
5659+static inline int
5660+in_core_rx (const struct module *mod, uint64_t addr)
5661+{
5662+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
5663+}
5664+
5665+static inline int
5666+in_core_rw (const struct module *mod, uint64_t addr)
5667+{
5668+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
5669 }
5670
5671 static inline int
5672 in_core (const struct module *mod, uint64_t addr)
5673 {
5674- return addr - (uint64_t) mod->module_core < mod->core_size;
5675+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
5676 }
5677
5678 static inline int
5679@@ -675,7 +699,14 @@ do_reloc (struct module *mod, uint8_t r_type, Elf64_Sym *sym, uint64_t addend,
5680 break;
5681
5682 case RV_BDREL:
5683- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
5684+ if (in_init_rx(mod, val))
5685+ val -= (uint64_t) mod->module_init_rx;
5686+ else if (in_init_rw(mod, val))
5687+ val -= (uint64_t) mod->module_init_rw;
5688+ else if (in_core_rx(mod, val))
5689+ val -= (uint64_t) mod->module_core_rx;
5690+ else if (in_core_rw(mod, val))
5691+ val -= (uint64_t) mod->module_core_rw;
5692 break;
5693
5694 case RV_LTV:
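Review bot: The new `RV_BDREL` chain has no final `else`, so a `val` that lies in none of the four regions is left as an absolute address and carried forward, where the old ternary always subtracted one of the two bases. An unmatched address means the relocation target is outside the module's regions, which is worth rejecting rather than silently encoding. Add a terminal branch that fails the relocation, for example `else return -ENOEXEC;` if that matches how the rest of `do_reloc` reports errors. Its error paths, like the start and end of `do_reloc`, are outside this hunk.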
5695@@ -810,15 +841,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs, const char *strtab, unsigned int symind
5696 * addresses have been selected...
5697 */
5698 uint64_t gp;
5699- if (mod->core_size > MAX_LTOFF)
5700+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
5701 /*
5702 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
5703 * at the end of the module.
5704 */
5705- gp = mod->core_size - MAX_LTOFF / 2;
5706+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
5707 else
5708- gp = mod->core_size / 2;
5709- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
5710+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
5711+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
5712 mod->arch.gp = gp;
5713 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
5714 }
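Review bot: The `gp` computation sums `core_size_rx + core_size_rw` and offsets the result from `module_core_rx`, which is a valid address only if the rw region sits directly after the rx region in one contiguous range. Nothing in this hunk establishes that layout, and the retained comment about `SHF_ARCH_SMALL` being allocated "at the end of the module" now refers to the end of the rw part. If the two regions can be allocated separately, `gp` may point outside both. Either state the assumption, e.g. `/* assumes module_core_rw == module_core_rx + core_size_rx */`, or base the small-data case on `module_core_rw`. The enclosing block of `apply_relocate_add` continues outside the hunk.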
5715diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c
5716index c39c3cd..3c77738 100644
5717--- a/arch/ia64/kernel/palinfo.c
5718+++ b/arch/ia64/kernel/palinfo.c
5719@@ -980,7 +980,7 @@ static int palinfo_cpu_callback(struct notifier_block *nfb,
5720 return NOTIFY_OK;
5721 }
5722
5723-static struct notifier_block __refdata palinfo_cpu_notifier =
5724+static struct notifier_block palinfo_cpu_notifier =
5725 {
5726 .notifier_call = palinfo_cpu_callback,
5727 .priority = 0,
5728diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
5729index 41e33f8..65180b2a 100644
5730--- a/arch/ia64/kernel/sys_ia64.c
5731+++ b/arch/ia64/kernel/sys_ia64.c
5732@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5733 unsigned long align_mask = 0;
5734 struct mm_struct *mm = current->mm;
5735 struct vm_unmapped_area_info info;
5736+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
5737
5738 if (len > RGN_MAP_LIMIT)
5739 return -ENOMEM;
5740@@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5741 if (REGION_NUMBER(addr) == RGN_HPAGE)
5742 addr = 0;
5743 #endif
5744+
5745+#ifdef CONFIG_PAX_RANDMMAP
5746+ if (mm->pax_flags & MF_PAX_RANDMMAP)
5747+ addr = mm->free_area_cache;
5748+ else
5749+#endif
5750+
5751 if (!addr)
5752 addr = TASK_UNMAPPED_BASE;
5753
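Review bot: The `else` added under `CONFIG_PAX_RANDMMAP` has no statement of its own inside the `#ifdef`; it binds to the `if (!addr)` that follows the `#endif` and a blank line, so a statement inserted between them later would silently change which code is conditional. A comment on the branch, e.g. `else /* pairs with the if (!addr) after #endif */`, and dropping the blank line after `#endif` would make the pairing visible. It would also help to state in a comment that the caller's `addr` hint is deliberately replaced by `mm->free_area_cache` when `MF_PAX_RANDMMAP` is set. `arch_get_unmapped_area` starts and ends outside the hunk.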
5754@@ -61,6 +69,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5755 info.high_limit = TASK_SIZE;
5756 info.align_mask = align_mask;
5757 info.align_offset = 0;
5758+ info.threadstack_offset = offset;
5759 return vm_unmapped_area(&info);
5760 }
5761
5762diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
5763index dc506b0..39baade 100644
5764--- a/arch/ia64/kernel/vmlinux.lds.S
5765+++ b/arch/ia64/kernel/vmlinux.lds.S
5766@@ -171,7 +171,7 @@ SECTIONS {
5767 /* Per-cpu data: */
5768 . = ALIGN(PERCPU_PAGE_SIZE);
5769 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
5770- __phys_per_cpu_start = __per_cpu_load;
5771+ __phys_per_cpu_start = per_cpu_load;
5772 /*
5773 * ensure percpu data fits
5774 * into percpu page size
5775diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
5776index 70b40d1..01a9a28 100644
5777--- a/arch/ia64/mm/fault.c
5778+++ b/arch/ia64/mm/fault.c
5779@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned long address)
5780 return pte_present(pte);
5781 }
5782
5783+#ifdef CONFIG_PAX_PAGEEXEC
5784+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5785+{
5786+ unsigned long i;
5787+
5788+ printk(KERN_ERR "PAX: bytes at PC: ");
5789+ for (i = 0; i < 8; i++) {
5790+ unsigned int c;
5791+ if (get_user(c, (unsigned int *)pc+i))
5792+ printk(KERN_CONT "???????? ");
5793+ else
5794+ printk(KERN_CONT "%08x ", c);
5795+ }
5796+ printk("\n");
5797+}
5798+#endif
5799+
5800 # define VM_READ_BIT 0
5801 # define VM_WRITE_BIT 1
5802 # define VM_EXEC_BIT 2
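Review bot: The closing `printk("\n")` in `pax_report_insns` has no log level while every other fragment of the line uses `KERN_CONT`, so the newline may be emitted as a separate default-level record; use `printk(KERN_CONT "\n");`. The pointer handed to `get_user` is cast as `(unsigned int *)pc+i` without `__user`, which drops the address-space annotation that sparse checks; `(unsigned int __user *)pc + i` keeps it. `regs` and `sp` are unused in this implementation, which is worth a short comment if the signature is fixed by a caller elsewhere.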
5803@@ -151,8 +168,21 @@ retry:
5804 if (((isr >> IA64_ISR_R_BIT) & 1UL) && (!(vma->vm_flags & (VM_READ | VM_WRITE))))
5805 goto bad_area;
5806
5807- if ((vma->vm_flags & mask) != mask)
5808+ if ((vma->vm_flags & mask) != mask) {
5809+
5810+#ifdef CONFIG_PAX_PAGEEXEC
5811+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
5812+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
5813+ goto bad_area;
5814+
5815+ up_read(&mm->mmap_sem);
5816+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
5817+ do_group_exit(SIGKILL);
5818+ }
5819+#endif
5820+
5821 goto bad_area;
5822+ }
5823
5824 /*
5825 * If for any reason at all we couldn't handle the fault, make
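Review bot: The PAGEEXEC branch relies on `do_group_exit(SIGKILL)` never returning: `mmap_sem` has already been released by `up_read`, and the next statement after the `#endif` is `goto bad_area`. Whether `bad_area` releases the semaphore again is outside this hunk, so the dependency should be written down at the call, e.g. `/* not reached: do_group_exit() does not return, mmap_sem already dropped */`. A short comment on the `address != regs->cr_iip` test would also help, saying that presumably only a fault at the instruction pointer itself is treated as an execution attempt.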
5826diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c
5827index f50d4b3..c7975ee 100644
5828--- a/arch/ia64/mm/hugetlbpage.c
5829+++ b/arch/ia64/mm/hugetlbpage.c
5830@@ -138,6 +138,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
5831 unsigned long pgoff, unsigned long flags)
5832 {
5833 struct vm_unmapped_area_info info;
5834+ unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags);
5835
5836 if (len > RGN_MAP_LIMIT)
5837 return -ENOMEM;
5838@@ -161,6 +162,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
5839 info.high_limit = HPAGE_REGION_BASE + RGN_MAP_LIMIT;
5840 info.align_mask = PAGE_MASK & (HPAGE_SIZE - 1);
5841 info.align_offset = 0;
5842+ info.threadstack_offset = offset;
5843 return vm_unmapped_area(&info);
5844 }
5845
5846diff --git a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
5847index 97e48b0..fc59c36 100644
5848--- a/arch/ia64/mm/init.c
5849+++ b/arch/ia64/mm/init.c
5850@@ -119,6 +119,19 @@ ia64_init_addr_space (void)
5851 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
5852 vma->vm_end = vma->vm_start + PAGE_SIZE;
5853 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
5854+
5855+#ifdef CONFIG_PAX_PAGEEXEC
5856+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
5857+ vma->vm_flags &= ~VM_EXEC;
5858+
5859+#ifdef CONFIG_PAX_MPROTECT
5860+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
5861+ vma->vm_flags &= ~VM_MAYEXEC;
5862+#endif
5863+
5864+ }
5865+#endif
5866+
5867 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5868 down_write(&current->mm->mmap_sem);
5869 if (insert_vm_struct(current->mm, vma)) {
5870@@ -279,7 +292,7 @@ static int __init gate_vma_init(void)
5871 gate_vma.vm_start = FIXADDR_USER_START;
5872 gate_vma.vm_end = FIXADDR_USER_END;
5873 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
5874- gate_vma.vm_page_prot = __P101;
5875+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
5876
5877 return 0;
5878 }
5879diff --git a/arch/m32r/include/asm/cache.h b/arch/m32r/include/asm/cache.h
5880index 40b3ee98..8c2c112 100644
5881--- a/arch/m32r/include/asm/cache.h
5882+++ b/arch/m32r/include/asm/cache.h
5883@@ -1,8 +1,10 @@
5884 #ifndef _ASM_M32R_CACHE_H
5885 #define _ASM_M32R_CACHE_H
5886
5887+#include <linux/const.h>
5888+
5889 /* L1 cache line size */
5890 #define L1_CACHE_SHIFT 4
5891-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5892+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5893
5894 #endif /* _ASM_M32R_CACHE_H */
5895diff --git a/arch/m32r/lib/usercopy.c b/arch/m32r/lib/usercopy.c
5896index 82abd15..d95ae5d 100644
5897--- a/arch/m32r/lib/usercopy.c
5898+++ b/arch/m32r/lib/usercopy.c
5899@@ -14,6 +14,9 @@
5900 unsigned long
5901 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
5902 {
5903+ if ((long)n < 0)
5904+ return n;
5905+
5906 prefetch(from);
5907 if (access_ok(VERIFY_WRITE, to, n))
5908 __copy_user(to,from,n);
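Review bot: The `(long)n < 0` test added to `__generic_copy_to_user`, and again to `__generic_copy_from_user` in the next hunk, is an undocumented idiom for rejecting lengths with the top bit set, while the ia64 part of this patch spells the same kind of limit as `count > INT_MAX`. A comment such as `/* a length with the sign bit set can only be a negative or overflowed size */` would make the intent explicit at both sites. In `__generic_copy_from_user` the early return leaves `to` unmodified. The rest of that function is outside the hunk, so check whether its other failure paths clear the buffer and document the difference.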
5909@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
5910 unsigned long
5911 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
5912 {
5913+ if ((long)n < 0)
5914+ return n;
5915+
5916 prefetchw(to);
5917 if (access_ok(VERIFY_READ, from, n))
5918 __copy_user_zeroing(to,from,n);
5919diff --git a/arch/m68k/include/asm/cache.h b/arch/m68k/include/asm/cache.h
5920index 0395c51..5f26031 100644
5921--- a/arch/m68k/include/asm/cache.h
5922+++ b/arch/m68k/include/asm/cache.h
5923@@ -4,9 +4,11 @@
5924 #ifndef __ARCH_M68K_CACHE_H
5925 #define __ARCH_M68K_CACHE_H
5926
5927+#include <linux/const.h>
5928+
5929 /* bytes per L1 cache line */
5930 #define L1_CACHE_SHIFT 4
5931-#define L1_CACHE_BYTES (1<< L1_CACHE_SHIFT)
5932+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5933
5934 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5935
5936diff --git a/arch/metag/include/asm/barrier.h b/arch/metag/include/asm/barrier.h
5937index 5a696e5..070490d 100644
5938--- a/arch/metag/include/asm/barrier.h
5939+++ b/arch/metag/include/asm/barrier.h
5940@@ -90,7 +90,7 @@ static inline void fence(void)
5941 do { \
5942 compiletime_assert_atomic_type(*p); \
5943 smp_mb(); \
5944- ACCESS_ONCE(*p) = (v); \
5945+ ACCESS_ONCE_RW(*p) = (v); \
5946 } while (0)
5947
5948 #define smp_load_acquire(p) \
5949diff --git a/arch/metag/mm/hugetlbpage.c b/arch/metag/mm/hugetlbpage.c
5950index 53f0f6c..2dc07fd 100644
5951--- a/arch/metag/mm/hugetlbpage.c
5952+++ b/arch/metag/mm/hugetlbpage.c
5953@@ -189,6 +189,7 @@ hugetlb_get_unmapped_area_new_pmd(unsigned long len)
5954 info.high_limit = TASK_SIZE;
5955 info.align_mask = PAGE_MASK & HUGEPT_MASK;
5956 info.align_offset = 0;
5957+ info.threadstack_offset = 0;
5958 return vm_unmapped_area(&info);
5959 }
5960
5961diff --git a/arch/microblaze/include/asm/cache.h b/arch/microblaze/include/asm/cache.h
5962index 4efe96a..60e8699 100644
5963--- a/arch/microblaze/include/asm/cache.h
5964+++ b/arch/microblaze/include/asm/cache.h
5965@@ -13,11 +13,12 @@
5966 #ifndef _ASM_MICROBLAZE_CACHE_H
5967 #define _ASM_MICROBLAZE_CACHE_H
5968
5969+#include <linux/const.h>
5970 #include <asm/registers.h>
5971
5972 #define L1_CACHE_SHIFT 5
5973 /* word-granular cache in microblaze */
5974-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5975+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5976
5977 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5978
5979diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
5980index 199a835..822b487 100644
5981--- a/arch/mips/Kconfig
5982+++ b/arch/mips/Kconfig
5983@@ -2591,6 +2591,7 @@ source "kernel/Kconfig.preempt"
5984
5985 config KEXEC
5986 bool "Kexec system call"
5987+ depends on !GRKERNSEC_KMEM
5988 help
5989 kexec is a system call that implements the ability to shutdown your
5990 current kernel, and to start another kernel. It is like a reboot
5991diff --git a/arch/mips/cavium-octeon/dma-octeon.c b/arch/mips/cavium-octeon/dma-octeon.c
5992index d8960d4..77dbd31 100644
5993--- a/arch/mips/cavium-octeon/dma-octeon.c
5994+++ b/arch/mips/cavium-octeon/dma-octeon.c
5995@@ -199,7 +199,7 @@ static void octeon_dma_free_coherent(struct device *dev, size_t size,
5996 if (dma_release_from_coherent(dev, order, vaddr))
5997 return;
5998
5999- swiotlb_free_coherent(dev, size, vaddr, dma_handle);
6000+ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs);
6001 }
6002
6003 static dma_addr_t octeon_unity_phys_to_dma(struct device *dev, phys_addr_t paddr)
6004diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
6005index 26d4363..3c9a82e 100644
6006--- a/arch/mips/include/asm/atomic.h
6007+++ b/arch/mips/include/asm/atomic.h
6008@@ -22,15 +22,39 @@
6009 #include <asm/cmpxchg.h>
6010 #include <asm/war.h>
6011
6012+#ifdef CONFIG_GENERIC_ATOMIC64
6013+#include <asm-generic/atomic64.h>
6014+#endif
6015+
6016 #define ATOMIC_INIT(i) { (i) }
6017
6018+#ifdef CONFIG_64BIT
6019+#define _ASM_EXTABLE(from, to) \
6020+" .section __ex_table,\"a\"\n" \
6021+" .dword " #from ", " #to"\n" \
6022+" .previous\n"
6023+#else
6024+#define _ASM_EXTABLE(from, to) \
6025+" .section __ex_table,\"a\"\n" \
6026+" .word " #from ", " #to"\n" \
6027+" .previous\n"
6028+#endif
6029+
6030 /*
6031 * atomic_read - read atomic variable
6032 * @v: pointer of type atomic_t
6033 *
6034 * Atomically reads the value of @v.
6035 */
6036-#define atomic_read(v) ACCESS_ONCE((v)->counter)
6037+static inline int atomic_read(const atomic_t *v)
6038+{
6039+ return ACCESS_ONCE(v->counter);
6040+}
6041+
6042+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6043+{
6044+ return ACCESS_ONCE(v->counter);
6045+}
6046
6047 /*
6048 * atomic_set - set atomic variable
6049@@ -39,47 +63,77 @@
6050 *
6051 * Atomically sets the value of @v to @i.
6052 */
6053-#define atomic_set(v, i) ((v)->counter = (i))
6054+static inline void atomic_set(atomic_t *v, int i)
6055+{
6056+ v->counter = i;
6057+}
6058
6059-#define ATOMIC_OP(op, c_op, asm_op) \
6060-static __inline__ void atomic_##op(int i, atomic_t * v) \
6061+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6062+{
6063+ v->counter = i;
6064+}
6065+
6066+#ifdef CONFIG_PAX_REFCOUNT
6067+#define __OVERFLOW_POST \
6068+ " b 4f \n" \
6069+ " .set noreorder \n" \
6070+ "3: b 5f \n" \
6071+ " move %0, %1 \n" \
6072+ " .set reorder \n"
6073+#define __OVERFLOW_EXTABLE \
6074+ "3:\n" \
6075+ _ASM_EXTABLE(2b, 3b)
6076+#else
6077+#define __OVERFLOW_POST
6078+#define __OVERFLOW_EXTABLE
6079+#endif
6080+
6081+#define __ATOMIC_OP(op, suffix, asm_op, extable) \
6082+static inline void atomic_##op##suffix(int i, atomic##suffix##_t * v) \
6083 { \
6084 if (kernel_uses_llsc && R10000_LLSC_WAR) { \
6085 int temp; \
6086 \
6087 __asm__ __volatile__( \
6088- " .set arch=r4000 \n" \
6089- "1: ll %0, %1 # atomic_" #op " \n" \
6090- " " #asm_op " %0, %2 \n" \
6091+ " .set mips3 \n" \
6092+ "1: ll %0, %1 # atomic_" #op #suffix "\n" \
6093+ "2: " #asm_op " %0, %2 \n" \
6094 " sc %0, %1 \n" \
6095 " beqzl %0, 1b \n" \
6096+ extable \
6097 " .set mips0 \n" \
6098 : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6099 : "Ir" (i)); \
6100 } else if (kernel_uses_llsc) { \
6101 int temp; \
6102 \
6103- do { \
6104- __asm__ __volatile__( \
6105- " .set "MIPS_ISA_LEVEL" \n" \
6106- " ll %0, %1 # atomic_" #op "\n" \
6107- " " #asm_op " %0, %2 \n" \
6108- " sc %0, %1 \n" \
6109- " .set mips0 \n" \
6110- : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6111- : "Ir" (i)); \
6112- } while (unlikely(!temp)); \
6113+ __asm__ __volatile__( \
6114+ " .set "MIPS_ISA_LEVEL" \n" \
6115+ "1: ll %0, %1 # atomic_" #op #suffix "\n" \
6116+ "2: " #asm_op " %0, %2 \n" \
6117+ " sc %0, %1 \n" \
6118+ " beqz %0, 1b \n" \
6119+ extable \
6120+ " .set mips0 \n" \
6121+ : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6122+ : "Ir" (i)); \
6123 } else { \
6124 unsigned long flags; \
6125 \
6126 raw_local_irq_save(flags); \
6127- v->counter c_op i; \
6128+ __asm__ __volatile__( \
6129+ "2: " #asm_op " %0, %1 \n" \
6130+ extable \
6131+ : "+r" (v->counter) : "Ir" (i)); \
6132 raw_local_irq_restore(flags); \
6133 } \
6134 }
6135
6136-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
6137-static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6138+#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, _unchecked, asm_op##u, ) \
6139+ __ATOMIC_OP(op, , asm_op, __OVERFLOW_EXTABLE)
6140+
6141+#define __ATOMIC_OP_RETURN(op, suffix, asm_op, post_op, extable) \
6142+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t * v) \
6143 { \
6144 int result; \
6145 \
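Review bot: Local label `3` is defined twice when `__ATOMIC_OP_RETURN` is expanded with both `__OVERFLOW_POST` and `__OVERFLOW_EXTABLE`: once as `3: b 5f` and again as the bare `3:` emitted just before `_ASM_EXTABLE(2b, 3b)`. With GNU as numeric labels, `3b` resolves to the nearest preceding definition, so the fixup appears to land on the second `3:`. That label falls straight into `4:` and re-executes the overflowing `asm_op`, leaving the `b 5f` / `move %0, %1` recovery path unreachable. If that reading is right, the `_return` variants need an extable macro without its own label, i.e. `_ASM_EXTABLE(2b, 3b)` alone after `__OVERFLOW_POST`, while plain `__ATOMIC_OP` keeps the labelled form. The body of `__ATOMIC_OP_RETURN` continues in the following hunks.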
6146@@ -89,12 +143,15 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6147 int temp; \
6148 \
6149 __asm__ __volatile__( \
6150- " .set arch=r4000 \n" \
6151- "1: ll %1, %2 # atomic_" #op "_return \n" \
6152- " " #asm_op " %0, %1, %3 \n" \
6153+ " .set mips3 \n" \
6154+ "1: ll %1, %2 # atomic_" #op "_return" #suffix"\n" \
6155+ "2: " #asm_op " %0, %1, %3 \n" \
6156 " sc %0, %2 \n" \
6157 " beqzl %0, 1b \n" \
6158- " " #asm_op " %0, %1, %3 \n" \
6159+ post_op \
6160+ extable \
6161+ "4: " #asm_op " %0, %1, %3 \n" \
6162+ "5: \n" \
6163 " .set mips0 \n" \
6164 : "=&r" (result), "=&r" (temp), \
6165 "+" GCC_OFF_SMALL_ASM() (v->counter) \
6166@@ -102,26 +159,33 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6167 } else if (kernel_uses_llsc) { \
6168 int temp; \
6169 \
6170- do { \
6171- __asm__ __volatile__( \
6172- " .set "MIPS_ISA_LEVEL" \n" \
6173- " ll %1, %2 # atomic_" #op "_return \n" \
6174- " " #asm_op " %0, %1, %3 \n" \
6175- " sc %0, %2 \n" \
6176- " .set mips0 \n" \
6177- : "=&r" (result), "=&r" (temp), \
6178- "+" GCC_OFF_SMALL_ASM() (v->counter) \
6179- : "Ir" (i)); \
6180- } while (unlikely(!result)); \
6181+ __asm__ __volatile__( \
6182+ " .set "MIPS_ISA_LEVEL" \n" \
6183+ "1: ll %1, %2 # atomic_" #op "_return" #suffix "\n" \
6184+ "2: " #asm_op " %0, %1, %3 \n" \
6185+ " sc %0, %2 \n" \
6186+ post_op \
6187+ extable \
6188+ "4: " #asm_op " %0, %1, %3 \n" \
6189+ "5: \n" \
6190+ " .set mips0 \n" \
6191+ : "=&r" (result), "=&r" (temp), \
6192+ "+" GCC_OFF_SMALL_ASM() (v->counter) \
6193+ : "Ir" (i)); \
6194 \
6195 result = temp; result c_op i; \
6196 } else { \
6197 unsigned long flags; \
6198 \
6199 raw_local_irq_save(flags); \
6200- result = v->counter; \
6201- result c_op i; \
6202- v->counter = result; \
6203+ __asm__ __volatile__( \
6204+ " lw %0, %1 \n" \
6205+ "2: " #asm_op " %0, %1, %2 \n" \
6206+ " sw %0, %1 \n" \
6207+ "3: \n" \
6208+ extable \
6209+ : "=&r" (result), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6210+ : "Ir" (i)); \
6211 raw_local_irq_restore(flags); \
6212 } \
6213 \
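Review bot: The context line `result = temp; result c_op i;` survives in the `kernel_uses_llsc` branch, but `c_op` is no longer a parameter of `__ATOMIC_OP_RETURN(op, suffix, asm_op, post_op, extable)`, so every instantiation expands to an undefined token. The same leftover is in `__ATOMIC64_OP_RETURN` in the `@@ -381,27 +510,35 @@` hunk. Since label `4:` now recomputes the result into `%0` after `sc`, the line can be deleted in both places. This branch also lost its retry: the removed `do { } while (unlikely(!result))` loop is not replaced by a branch, whereas `__ATOMIC_OP` and the 64-bit return variant both add `" beqz %0, 1b \n"` after the store-conditional. Add the same `beqz` line after `sc %0, %2` so a failed store-conditional is retried rather than treated as success.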
6214@@ -130,16 +194,21 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6215 return result; \
6216 }
6217
6218-#define ATOMIC_OPS(op, c_op, asm_op) \
6219- ATOMIC_OP(op, c_op, asm_op) \
6220- ATOMIC_OP_RETURN(op, c_op, asm_op)
6221+#define ATOMIC_OP_RETURN(op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, asm_op##u, , ) \
6222+ __ATOMIC_OP_RETURN(op, , asm_op, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
6223
6224-ATOMIC_OPS(add, +=, addu)
6225-ATOMIC_OPS(sub, -=, subu)
6226+#define ATOMIC_OPS(op, asm_op) \
6227+ ATOMIC_OP(op, asm_op) \
6228+ ATOMIC_OP_RETURN(op, asm_op)
6229+
6230+ATOMIC_OPS(add, add)
6231+ATOMIC_OPS(sub, sub)
6232
6233 #undef ATOMIC_OPS
6234 #undef ATOMIC_OP_RETURN
6235+#undef __ATOMIC_OP_RETURN
6236 #undef ATOMIC_OP
6237+#undef __ATOMIC_OP
6238
6239 /*
6240 * atomic_sub_if_positive - conditionally subtract integer from atomic variable
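Review bot: `ATOMIC_OPS(add, add)` and `ATOMIC_OPS(sub, sub)` give the checked `atomic_add`/`atomic_sub` family the trapping `add`/`sub` instructions unconditionally, while `__OVERFLOW_EXTABLE` expands to nothing when `CONFIG_PAX_REFCOUNT` is off. In that configuration a signed overflow would raise an overflow exception with no exception-table entry for it, where the replaced code used the non-trapping `addu`/`subu`. Selecting the mnemonic next to `__OVERFLOW_POST` would keep the old behaviour when the feature is disabled. For example, a helper macro (the name is only a suggestion) could be `#define __REFCOUNT_INSN(insn) insn` under `#ifdef CONFIG_PAX_REFCOUNT` and `insn##u` under `#else`. The same applies to `ATOMIC64_OPS(add, dadd)` and `ATOMIC64_OPS(sub, dsub)` in the `@@ -410,16 +547,23 @@` hunk.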
6241@@ -149,7 +218,7 @@ ATOMIC_OPS(sub, -=, subu)
6242 * Atomically test @v and subtract @i if @v is greater or equal than @i.
6243 * The function returns the old value of @v minus @i.
6244 */
6245-static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6246+static __inline__ int atomic_sub_if_positive(int i, atomic_t *v)
6247 {
6248 int result;
6249
6250@@ -159,7 +228,7 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6251 int temp;
6252
6253 __asm__ __volatile__(
6254- " .set arch=r4000 \n"
6255+ " .set "MIPS_ISA_LEVEL" \n"
6256 "1: ll %1, %2 # atomic_sub_if_positive\n"
6257 " subu %0, %1, %3 \n"
6258 " bltz %0, 1f \n"
6259@@ -208,8 +277,26 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6260 return result;
6261 }
6262
6263-#define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
6264-#define atomic_xchg(v, new) (xchg(&((v)->counter), (new)))
6265+static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6266+{
6267+ return cmpxchg(&v->counter, old, new);
6268+}
6269+
6270+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old,
6271+ int new)
6272+{
6273+ return cmpxchg(&(v->counter), old, new);
6274+}
6275+
6276+static inline int atomic_xchg(atomic_t *v, int new)
6277+{
6278+ return xchg(&v->counter, new);
6279+}
6280+
6281+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
6282+{
6283+ return xchg(&(v->counter), new);
6284+}
6285
6286 /**
6287 * __atomic_add_unless - add unless the number is a given value
6288@@ -237,6 +324,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6289
6290 #define atomic_dec_return(v) atomic_sub_return(1, (v))
6291 #define atomic_inc_return(v) atomic_add_return(1, (v))
6292+static __inline__ int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6293+{
6294+ return atomic_add_return_unchecked(1, v);
6295+}
6296
6297 /*
6298 * atomic_sub_and_test - subtract value from variable and test result
6299@@ -258,6 +349,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6300 * other cases.
6301 */
6302 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
6303+static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
6304+{
6305+ return atomic_add_return_unchecked(1, v) == 0;
6306+}
6307
6308 /*
6309 * atomic_dec_and_test - decrement by 1 and test
6310@@ -282,6 +377,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6311 * Atomically increments @v by 1.
6312 */
6313 #define atomic_inc(v) atomic_add(1, (v))
6314+static __inline__ void atomic_inc_unchecked(atomic_unchecked_t *v)
6315+{
6316+ atomic_add_unchecked(1, v);
6317+}
6318
6319 /*
6320 * atomic_dec - decrement and test
6321@@ -290,6 +389,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6322 * Atomically decrements @v by 1.
6323 */
6324 #define atomic_dec(v) atomic_sub(1, (v))
6325+static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
6326+{
6327+ atomic_sub_unchecked(1, v);
6328+}
6329
6330 /*
6331 * atomic_add_negative - add and test if negative
6332@@ -311,54 +414,77 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6333 * @v: pointer of type atomic64_t
6334 *
6335 */
6336-#define atomic64_read(v) ACCESS_ONCE((v)->counter)
6337+static inline long atomic64_read(const atomic64_t *v)
6338+{
6339+ return ACCESS_ONCE(v->counter);
6340+}
6341+
6342+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6343+{
6344+ return ACCESS_ONCE(v->counter);
6345+}
6346
6347 /*
6348 * atomic64_set - set atomic variable
6349 * @v: pointer of type atomic64_t
6350 * @i: required value
6351 */
6352-#define atomic64_set(v, i) ((v)->counter = (i))
6353+static inline void atomic64_set(atomic64_t *v, long i)
6354+{
6355+ v->counter = i;
6356+}
6357
6358-#define ATOMIC64_OP(op, c_op, asm_op) \
6359-static __inline__ void atomic64_##op(long i, atomic64_t * v) \
6360+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6361+{
6362+ v->counter = i;
6363+}
6364+
6365+#define __ATOMIC64_OP(op, suffix, asm_op, extable) \
6366+static inline void atomic64_##op##suffix(long i, atomic64##suffix##_t * v) \
6367 { \
6368 if (kernel_uses_llsc && R10000_LLSC_WAR) { \
6369 long temp; \
6370 \
6371 __asm__ __volatile__( \
6372- " .set arch=r4000 \n" \
6373- "1: lld %0, %1 # atomic64_" #op " \n" \
6374- " " #asm_op " %0, %2 \n" \
6375+ " .set "MIPS_ISA_LEVEL" \n" \
6376+ "1: lld %0, %1 # atomic64_" #op #suffix "\n" \
6377+ "2: " #asm_op " %0, %2 \n" \
6378 " scd %0, %1 \n" \
6379 " beqzl %0, 1b \n" \
6380+ extable \
6381 " .set mips0 \n" \
6382 : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6383 : "Ir" (i)); \
6384 } else if (kernel_uses_llsc) { \
6385 long temp; \
6386 \
6387- do { \
6388- __asm__ __volatile__( \
6389- " .set "MIPS_ISA_LEVEL" \n" \
6390- " lld %0, %1 # atomic64_" #op "\n" \
6391- " " #asm_op " %0, %2 \n" \
6392- " scd %0, %1 \n" \
6393- " .set mips0 \n" \
6394- : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6395- : "Ir" (i)); \
6396- } while (unlikely(!temp)); \
6397+ __asm__ __volatile__( \
6398+ " .set "MIPS_ISA_LEVEL" \n" \
6399+ "1: lld %0, %1 # atomic64_" #op #suffix "\n" \
6400+ "2: " #asm_op " %0, %2 \n" \
6401+ " scd %0, %1 \n" \
6402+ " beqz %0, 1b \n" \
6403+ extable \
6404+ " .set mips0 \n" \
6405+ : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6406+ : "Ir" (i)); \
6407 } else { \
6408 unsigned long flags; \
6409 \
6410 raw_local_irq_save(flags); \
6411- v->counter c_op i; \
6412+ __asm__ __volatile__( \
6413+ "2: " #asm_op " %0, %1 \n" \
6414+ extable \
6415+ : "+" GCC_OFF_SMALL_ASM() (v->counter) : "Ir" (i)); \
6416 raw_local_irq_restore(flags); \
6417 } \
6418 }
6419
6420-#define ATOMIC64_OP_RETURN(op, c_op, asm_op) \
6421-static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6422+#define ATOMIC64_OP(op, asm_op) __ATOMIC64_OP(op, _unchecked, asm_op##u, ) \
6423+ __ATOMIC64_OP(op, , asm_op, __OVERFLOW_EXTABLE)
6424+
6425+#define __ATOMIC64_OP_RETURN(op, suffix, asm_op, post_op, extable) \
6426+static inline long atomic64_##op##_return##suffix(long i, atomic64##suffix##_t * v)\
6427 { \
6428 long result; \
6429 \
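Review bot: The interrupts-off fallback of `__ATOMIC64_OP` issues `asm_op %0, %1` with `%0` bound through `"+" GCC_OFF_SMALL_ASM() (v->counter)`, the constraint the `lld`/`scd` branches use for their memory operand, so an arithmetic instruction is handed a memory reference. The 32-bit `__ATOMIC_OP` fallback uses `"+r" (v->counter)` for the same statement, so use `: "+r" (v->counter) : "Ir" (i)` here as well. The `_return` fallbacks in the `@@ -102,26 +159,33 @@` and `@@ -381,27 +510,35 @@` hunks have a related mismatch: after loading into `%0` they compute `asm_op %0, %1, %2` with `%1` being the memory operand, where `%0, %0, %2` looks intended. The definition of `GCC_OFF_SMALL_ASM()` is not visible here, so confirm it is a memory constraint before changing these.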
6430@@ -368,12 +494,15 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6431 long temp; \
6432 \
6433 __asm__ __volatile__( \
6434- " .set arch=r4000 \n" \
6435+ " .set mips3 \n" \
6436 "1: lld %1, %2 # atomic64_" #op "_return\n" \
6437- " " #asm_op " %0, %1, %3 \n" \
6438+ "2: " #asm_op " %0, %1, %3 \n" \
6439 " scd %0, %2 \n" \
6440 " beqzl %0, 1b \n" \
6441- " " #asm_op " %0, %1, %3 \n" \
6442+ post_op \
6443+ extable \
6444+ "4: " #asm_op " %0, %1, %3 \n" \
6445+ "5: \n" \
6446 " .set mips0 \n" \
6447 : "=&r" (result), "=&r" (temp), \
6448 "+" GCC_OFF_SMALL_ASM() (v->counter) \
6449@@ -381,27 +510,35 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6450 } else if (kernel_uses_llsc) { \
6451 long temp; \
6452 \
6453- do { \
6454- __asm__ __volatile__( \
6455- " .set "MIPS_ISA_LEVEL" \n" \
6456- " lld %1, %2 # atomic64_" #op "_return\n" \
6457- " " #asm_op " %0, %1, %3 \n" \
6458- " scd %0, %2 \n" \
6459- " .set mips0 \n" \
6460- : "=&r" (result), "=&r" (temp), \
6461- "=" GCC_OFF_SMALL_ASM() (v->counter) \
6462- : "Ir" (i), GCC_OFF_SMALL_ASM() (v->counter) \
6463- : "memory"); \
6464- } while (unlikely(!result)); \
6465+ __asm__ __volatile__( \
6466+ " .set "MIPS_ISA_LEVEL" \n" \
6467+ "1: lld %1, %2 # atomic64_" #op "_return" #suffix "\n"\
6468+ "2: " #asm_op " %0, %1, %3 \n" \
6469+ " scd %0, %2 \n" \
6470+ " beqz %0, 1b \n" \
6471+ post_op \
6472+ extable \
6473+ "4: " #asm_op " %0, %1, %3 \n" \
6474+ "5: \n" \
6475+ " .set mips0 \n" \
6476+ : "=&r" (result), "=&r" (temp), \
6477+ "=" GCC_OFF_SMALL_ASM() (v->counter) \
6478+ : "Ir" (i), GCC_OFF_SMALL_ASM() (v->counter) \
6479+ : "memory"); \
6480 \
6481 result = temp; result c_op i; \
6482 } else { \
6483 unsigned long flags; \
6484 \
6485 raw_local_irq_save(flags); \
6486- result = v->counter; \
6487- result c_op i; \
6488- v->counter = result; \
6489+ __asm__ __volatile__( \
6490+ " ld %0, %1 \n" \
6491+ "2: " #asm_op " %0, %1, %2 \n" \
6492+ " sd %0, %1 \n" \
6493+ "3: \n" \
6494+ extable \
6495+ : "=&r" (result), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6496+ : "Ir" (i)); \
6497 raw_local_irq_restore(flags); \
6498 } \
6499 \
6500@@ -410,16 +547,23 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6501 return result; \
6502 }
6503
6504-#define ATOMIC64_OPS(op, c_op, asm_op) \
6505- ATOMIC64_OP(op, c_op, asm_op) \
6506- ATOMIC64_OP_RETURN(op, c_op, asm_op)
6507+#define ATOMIC64_OP_RETURN(op, asm_op) __ATOMIC64_OP_RETURN(op, _unchecked, asm_op##u, , ) \
6508+ __ATOMIC64_OP_RETURN(op, , asm_op, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
6509
6510-ATOMIC64_OPS(add, +=, daddu)
6511-ATOMIC64_OPS(sub, -=, dsubu)
6512+#define ATOMIC64_OPS(op, asm_op) \
6513+ ATOMIC64_OP(op, asm_op) \
6514+ ATOMIC64_OP_RETURN(op, asm_op)
6515+
6516+ATOMIC64_OPS(add, dadd)
6517+ATOMIC64_OPS(sub, dsub)
6518
6519 #undef ATOMIC64_OPS
6520 #undef ATOMIC64_OP_RETURN
6521+#undef __ATOMIC64_OP_RETURN
6522 #undef ATOMIC64_OP
6523+#undef __ATOMIC64_OP
6524+#undef __OVERFLOW_EXTABLE
6525+#undef __OVERFLOW_POST
6526
6527 /*
6528 * atomic64_sub_if_positive - conditionally subtract integer from atomic
6529@@ -430,7 +574,7 @@ ATOMIC64_OPS(sub, -=, dsubu)
6530 * Atomically test @v and subtract @i if @v is greater or equal than @i.
6531 * The function returns the old value of @v minus @i.
6532 */
6533-static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6534+static __inline__ long atomic64_sub_if_positive(long i, atomic64_t *v)
6535 {
6536 long result;
6537
6538@@ -440,7 +584,7 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6539 long temp;
6540
6541 __asm__ __volatile__(
6542- " .set arch=r4000 \n"
6543+ " .set "MIPS_ISA_LEVEL" \n"
6544 "1: lld %1, %2 # atomic64_sub_if_positive\n"
6545 " dsubu %0, %1, %3 \n"
6546 " bltz %0, 1f \n"
6547@@ -489,9 +633,26 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6548 return result;
6549 }
6550
6551-#define atomic64_cmpxchg(v, o, n) \
6552- ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
6553-#define atomic64_xchg(v, new) (xchg(&((v)->counter), (new)))
6554+static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6555+{
6556+ return cmpxchg(&v->counter, old, new);
6557+}
6558+
6559+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old,
6560+ long new)
6561+{
6562+ return cmpxchg(&(v->counter), old, new);
6563+}
6564+
6565+static inline long atomic64_xchg(atomic64_t *v, long new)
6566+{
6567+ return xchg(&v->counter, new);
6568+}
6569+
6570+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
6571+{
6572+ return xchg(&(v->counter), new);
6573+}
6574
6575 /**
6576 * atomic64_add_unless - add unless the number is a given value
6577@@ -521,6 +682,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6578
6579 #define atomic64_dec_return(v) atomic64_sub_return(1, (v))
6580 #define atomic64_inc_return(v) atomic64_add_return(1, (v))
6581+#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1, (v))
6582
6583 /*
6584 * atomic64_sub_and_test - subtract value from variable and test result
6585@@ -542,6 +704,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6586 * other cases.
6587 */
6588 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
6589+#define atomic64_inc_and_test_unchecked(v) atomic64_add_return_unchecked(1, (v)) == 0)
6590
6591 /*
6592 * atomic64_dec_and_test - decrement by 1 and test
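Review bot: The added `atomic64_inc_and_test_unchecked` macro has unbalanced parentheses: its expansion ends in `== 0)` with no matching opening parenthesis. Any use will either fail to compile or close a parenthesis that belongs to the caller's expression. It should mirror the checked macro on the line above: `#define atomic64_inc_and_test_unchecked(v) (atomic64_add_return_unchecked(1, (v)) == 0)`.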
6593@@ -566,6 +729,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6594 * Atomically increments @v by 1.
6595 */
6596 #define atomic64_inc(v) atomic64_add(1, (v))
6597+#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1, (v))
6598
6599 /*
6600 * atomic64_dec - decrement and test
6601@@ -574,6 +738,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6602 * Atomically decrements @v by 1.
6603 */
6604 #define atomic64_dec(v) atomic64_sub(1, (v))
6605+#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1, (v))
6606
6607 /*
6608 * atomic64_add_negative - add and test if negative
6609diff --git a/arch/mips/include/asm/barrier.h b/arch/mips/include/asm/barrier.h
6610index 7ecba84..21774af 100644
6611--- a/arch/mips/include/asm/barrier.h
6612+++ b/arch/mips/include/asm/barrier.h
6613@@ -133,7 +133,7 @@
6614 do { \
6615 compiletime_assert_atomic_type(*p); \
6616 smp_mb(); \
6617- ACCESS_ONCE(*p) = (v); \
6618+ ACCESS_ONCE_RW(*p) = (v); \
6619 } while (0)
6620
6621 #define smp_load_acquire(p) \
6622diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h
6623index b4db69f..8f3b093 100644
6624--- a/arch/mips/include/asm/cache.h
6625+++ b/arch/mips/include/asm/cache.h
6626@@ -9,10 +9,11 @@
6627 #ifndef _ASM_CACHE_H
6628 #define _ASM_CACHE_H
6629
6630+#include <linux/const.h>
6631 #include <kmalloc.h>
6632
6633 #define L1_CACHE_SHIFT CONFIG_MIPS_L1_CACHE_SHIFT
6634-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6635+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
6636
6637 #define SMP_CACHE_SHIFT L1_CACHE_SHIFT
6638 #define SMP_CACHE_BYTES L1_CACHE_BYTES
6639diff --git a/arch/mips/include/asm/elf.h b/arch/mips/include/asm/elf.h
6640index f19e890..a4f8177 100644
6641--- a/arch/mips/include/asm/elf.h
6642+++ b/arch/mips/include/asm/elf.h
6643@@ -417,6 +417,13 @@ extern const char *__elf_platform;
6644 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
6645 #endif
6646
6647+#ifdef CONFIG_PAX_ASLR
6648+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6649+
6650+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6651+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6652+#endif
6653+
6654 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
6655 struct linux_binprm;
6656 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
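Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `TASK_IS_32BIT_ADDR` test selects nothing. Write it as `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`, or give the 64-bit arm its own base if one was intended. The same three defines are repeated verbatim in the `binfmt_elfn32.c` and `binfmt_elfo32.c` hunks later in the patch, so the remark applies there too. A one-line comment on `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` saying what the `27` and `36` represent would make the intended randomisation range reviewable.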
6657diff --git a/arch/mips/include/asm/exec.h b/arch/mips/include/asm/exec.h
6658index c1f6afa..38cc6e9 100644
6659--- a/arch/mips/include/asm/exec.h
6660+++ b/arch/mips/include/asm/exec.h
6661@@ -12,6 +12,6 @@
6662 #ifndef _ASM_EXEC_H
6663 #define _ASM_EXEC_H
6664
6665-extern unsigned long arch_align_stack(unsigned long sp);
6666+#define arch_align_stack(x) ((x) & ~0xfUL)
6667
6668 #endif /* _ASM_EXEC_H */
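Review bot: Replacing the `arch_align_stack()` prototype with `((x) & ~0xfUL)` drops the sub-page stack offset that the function deleted from `process.c` applied when `randomize_va_space` was set, and nothing in this hunk ties the macro to `CONFIG_PAX_ASLR`. If a build without the PaX stack randomisation is supported, it now gets alignment only. A comment next to the macro should name where the randomisation moved, e.g. `/* alignment only; stack randomisation is applied by <replacement site> */`. The literal mask also replaces `ALMASK`, so the removed rationale (8-byte alignment for the 32-bit ABI, 16 for the 64-bit ABI) is worth keeping here.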
6669diff --git a/arch/mips/include/asm/hw_irq.h b/arch/mips/include/asm/hw_irq.h
6670index 9e8ef59..1139d6b 100644
6671--- a/arch/mips/include/asm/hw_irq.h
6672+++ b/arch/mips/include/asm/hw_irq.h
6673@@ -10,7 +10,7 @@
6674
6675 #include <linux/atomic.h>
6676
6677-extern atomic_t irq_err_count;
6678+extern atomic_unchecked_t irq_err_count;
6679
6680 /*
6681 * interrupt-retrigger: NOP for now. This may not be appropriate for all
6682diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
6683index 8feaed6..1bd8a64 100644
6684--- a/arch/mips/include/asm/local.h
6685+++ b/arch/mips/include/asm/local.h
6686@@ -13,15 +13,25 @@ typedef struct
6687 atomic_long_t a;
6688 } local_t;
6689
6690+typedef struct {
6691+ atomic_long_unchecked_t a;
6692+} local_unchecked_t;
6693+
6694 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
6695
6696 #define local_read(l) atomic_long_read(&(l)->a)
6697+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
6698 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
6699+#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
6700
6701 #define local_add(i, l) atomic_long_add((i), (&(l)->a))
6702+#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a))
6703 #define local_sub(i, l) atomic_long_sub((i), (&(l)->a))
6704+#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a))
6705 #define local_inc(l) atomic_long_inc(&(l)->a)
6706+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
6707 #define local_dec(l) atomic_long_dec(&(l)->a)
6708+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
6709
6710 /*
6711 * Same as above, but return the result value
6712@@ -71,6 +81,51 @@ static __inline__ long local_add_return(long i, local_t * l)
6713 return result;
6714 }
6715
6716+static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l)
6717+{
6718+ unsigned long result;
6719+
6720+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
6721+ unsigned long temp;
6722+
6723+ __asm__ __volatile__(
6724+ " .set mips3 \n"
6725+ "1:" __LL "%1, %2 # local_add_return \n"
6726+ " addu %0, %1, %3 \n"
6727+ __SC "%0, %2 \n"
6728+ " beqzl %0, 1b \n"
6729+ " addu %0, %1, %3 \n"
6730+ " .set mips0 \n"
6731+ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
6732+ : "Ir" (i), "m" (l->a.counter)
6733+ : "memory");
6734+ } else if (kernel_uses_llsc) {
6735+ unsigned long temp;
6736+
6737+ __asm__ __volatile__(
6738+ " .set mips3 \n"
6739+ "1:" __LL "%1, %2 # local_add_return \n"
6740+ " addu %0, %1, %3 \n"
6741+ __SC "%0, %2 \n"
6742+ " beqz %0, 1b \n"
6743+ " addu %0, %1, %3 \n"
6744+ " .set mips0 \n"
6745+ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
6746+ : "Ir" (i), "m" (l->a.counter)
6747+ : "memory");
6748+ } else {
6749+ unsigned long flags;
6750+
6751+ local_irq_save(flags);
6752+ result = l->a.counter;
6753+ result += i;
6754+ l->a.counter = result;
6755+ local_irq_restore(flags);
6756+ }
6757+
6758+ return result;
6759+}
6760+
6761 static __inline__ long local_sub_return(long i, local_t * l)
6762 {
6763 unsigned long result;
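Review bot: The new `local_add_return_unchecked()` hard-codes `.set mips3` in both LL/SC branches, while the atomic64 hunk earlier in this patch moves `atomic64_sub_if_positive` from `.set arch=r4000` to `.set "MIPS_ISA_LEVEL"`. If the checked `local_add_return()` (not visible in this hunk) uses the newer form, this copy should match it. The asm comments still read `# local_add_return`, so the two variants cannot be told apart in generated assembly; `# local_add_return_unchecked` would fix that. `result` is declared `unsigned long` although the function returns `long`, which presumably mirrors the checked variant but deserves a one-line comment on why wraparound is acceptable for this type.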
6764@@ -118,6 +173,8 @@ static __inline__ long local_sub_return(long i, local_t * l)
6765
6766 #define local_cmpxchg(l, o, n) \
6767 ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
6768+#define local_cmpxchg_unchecked(l, o, n) \
6769+ ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
6770 #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n)))
6771
6772 /**
6773diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h
6774index 89dd7fe..a123c97 100644
6775--- a/arch/mips/include/asm/page.h
6776+++ b/arch/mips/include/asm/page.h
6777@@ -118,7 +118,7 @@ extern void copy_user_highpage(struct page *to, struct page *from,
6778 #ifdef CONFIG_CPU_MIPS32
6779 typedef struct { unsigned long pte_low, pte_high; } pte_t;
6780 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
6781- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
6782+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
6783 #else
6784 typedef struct { unsigned long long pte; } pte_t;
6785 #define pte_val(x) ((x).pte)
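Review bot: Dropping the `(unsigned long long)` cast leaves `(x) >> 32` evaluated in the argument's own type. This is the `CONFIG_CPU_MIPS32` branch, where `unsigned long` is presumably 32 bits wide, so a caller passing a 32-bit value now shifts by the full width of the type, which is undefined behaviour in C rather than a guaranteed zero. Unless every caller is known to pass a 64-bit value, keep the widening: `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`. If the cast was removed to satisfy a checker, a comment saying so would help the next reader.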
6786diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
6787index b336037..5b874cc 100644
6788--- a/arch/mips/include/asm/pgalloc.h
6789+++ b/arch/mips/include/asm/pgalloc.h
6790@@ -37,6 +37,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
6791 {
6792 set_pud(pud, __pud((unsigned long)pmd));
6793 }
6794+
6795+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
6796+{
6797+ pud_populate(mm, pud, pmd);
6798+}
6799 #endif
6800
6801 /*
6802diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
6803index ae85694..4cdbba8 100644
6804--- a/arch/mips/include/asm/pgtable.h
6805+++ b/arch/mips/include/asm/pgtable.h
6806@@ -20,6 +20,9 @@
6807 #include <asm/io.h>
6808 #include <asm/pgtable-bits.h>
6809
6810+#define ktla_ktva(addr) (addr)
6811+#define ktva_ktla(addr) (addr)
6812+
6813 struct mm_struct;
6814 struct vm_area_struct;
6815
6816diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
6817index 9c0014e..5101ef5 100644
6818--- a/arch/mips/include/asm/thread_info.h
6819+++ b/arch/mips/include/asm/thread_info.h
6820@@ -100,6 +100,9 @@ static inline struct thread_info *current_thread_info(void)
6821 #define TIF_SECCOMP 4 /* secure computing */
6822 #define TIF_NOTIFY_RESUME 5 /* callback before returning to user */
6823 #define TIF_RESTORE_SIGMASK 9 /* restore signal mask in do_signal() */
6824+/* li takes a 32bit immediate */
6825+#define TIF_GRSEC_SETXID 10 /* update credentials on syscall entry/exit */
6826+
6827 #define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */
6828 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
6829 #define TIF_NOHZ 19 /* in adaptive nohz mode */
6830@@ -135,14 +138,16 @@ static inline struct thread_info *current_thread_info(void)
6831 #define _TIF_USEDMSA (1<<TIF_USEDMSA)
6832 #define _TIF_MSA_CTX_LIVE (1<<TIF_MSA_CTX_LIVE)
6833 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
6834+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
6835
6836 #define _TIF_WORK_SYSCALL_ENTRY (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
6837 _TIF_SYSCALL_AUDIT | \
6838- _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
6839+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | \
6840+ _TIF_GRSEC_SETXID)
6841
6842 /* work to do in syscall_trace_leave() */
6843 #define _TIF_WORK_SYSCALL_EXIT (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
6844- _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
6845+ _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
6846
6847 /* work to do on interrupt/exception return */
6848 #define _TIF_WORK_MASK \
6849@@ -150,7 +155,7 @@ static inline struct thread_info *current_thread_info(void)
6850 /* work to do on any return to u-space */
6851 #define _TIF_ALLWORK_MASK (_TIF_NOHZ | _TIF_WORK_MASK | \
6852 _TIF_WORK_SYSCALL_EXIT | \
6853- _TIF_SYSCALL_TRACEPOINT)
6854+ _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
6855
6856 /*
6857 * We stash processor id into a COP0 register to retrieve it fast
6858diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
6859index 5305d69..1da2bf5 100644
6860--- a/arch/mips/include/asm/uaccess.h
6861+++ b/arch/mips/include/asm/uaccess.h
6862@@ -146,6 +146,7 @@ static inline bool eva_kernel_access(void)
6863 __ok == 0; \
6864 })
6865
6866+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
6867 #define access_ok(type, addr, size) \
6868 likely(__access_ok((addr), (size), __access_mask))
6869
6870diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c
6871index 1188e00..41cf144 100644
6872--- a/arch/mips/kernel/binfmt_elfn32.c
6873+++ b/arch/mips/kernel/binfmt_elfn32.c
6874@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
6875 #undef ELF_ET_DYN_BASE
6876 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
6877
6878+#ifdef CONFIG_PAX_ASLR
6879+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6880+
6881+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6882+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6883+#endif
6884+
6885 #include <asm/processor.h>
6886 #include <linux/module.h>
6887 #include <linux/elfcore.h>
6888diff --git a/arch/mips/kernel/binfmt_elfo32.c b/arch/mips/kernel/binfmt_elfo32.c
6889index 9287678..f870e47 100644
6890--- a/arch/mips/kernel/binfmt_elfo32.c
6891+++ b/arch/mips/kernel/binfmt_elfo32.c
6892@@ -70,6 +70,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
6893 #undef ELF_ET_DYN_BASE
6894 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
6895
6896+#ifdef CONFIG_PAX_ASLR
6897+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6898+
6899+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6900+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6901+#endif
6902+
6903 #include <asm/processor.h>
6904
6905 #include <linux/module.h>
6906diff --git a/arch/mips/kernel/i8259.c b/arch/mips/kernel/i8259.c
6907index 74f6752..f3d7a47 100644
6908--- a/arch/mips/kernel/i8259.c
6909+++ b/arch/mips/kernel/i8259.c
6910@@ -205,7 +205,7 @@ spurious_8259A_irq:
6911 printk(KERN_DEBUG "spurious 8259A interrupt: IRQ%d.\n", irq);
6912 spurious_irq_mask |= irqmask;
6913 }
6914- atomic_inc(&irq_err_count);
6915+ atomic_inc_unchecked(&irq_err_count);
6916 /*
6917 * Theoretically we do not have to handle this IRQ,
6918 * but in Linux this does not cause problems and is
6919diff --git a/arch/mips/kernel/irq-gt641xx.c b/arch/mips/kernel/irq-gt641xx.c
6920index 44a1f79..2bd6aa3 100644
6921--- a/arch/mips/kernel/irq-gt641xx.c
6922+++ b/arch/mips/kernel/irq-gt641xx.c
6923@@ -110,7 +110,7 @@ void gt641xx_irq_dispatch(void)
6924 }
6925 }
6926
6927- atomic_inc(&irq_err_count);
6928+ atomic_inc_unchecked(&irq_err_count);
6929 }
6930
6931 void __init gt641xx_irq_init(void)
6932diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
6933index 8eb5af8..2baf465 100644
6934--- a/arch/mips/kernel/irq.c
6935+++ b/arch/mips/kernel/irq.c
6936@@ -34,17 +34,17 @@ void ack_bad_irq(unsigned int irq)
6937 printk("unexpected IRQ # %d\n", irq);
6938 }
6939
6940-atomic_t irq_err_count;
6941+atomic_unchecked_t irq_err_count;
6942
6943 int arch_show_interrupts(struct seq_file *p, int prec)
6944 {
6945- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
6946+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
6947 return 0;
6948 }
6949
6950 asmlinkage void spurious_interrupt(void)
6951 {
6952- atomic_inc(&irq_err_count);
6953+ atomic_inc_unchecked(&irq_err_count);
6954 }
6955
6956 void __init init_IRQ(void)
6957@@ -58,6 +58,8 @@ void __init init_IRQ(void)
6958 }
6959
6960 #ifdef CONFIG_DEBUG_STACKOVERFLOW
6961+
6962+extern void gr_handle_kernel_exploit(void);
6963 static inline void check_stack_overflow(void)
6964 {
6965 unsigned long sp;
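Review bot: `gr_handle_kernel_exploit()` is declared with a bare `extern` inside `irq.c`, so the compiler cannot check this prototype against the definition; declaring it once in a shared header would allow that. The `ptrace.c` hunk later in the patch does the same for `gr_delayed_cred_worker()`. The declaration also sits inside `#ifdef CONFIG_DEBUG_STACKOVERFLOW`, so the stack-overflow response is only wired in when that debug option is enabled, which a comment should make explicit. The body of `check_stack_overflow()` continues outside this hunk.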
6966@@ -73,6 +75,7 @@ static inline void check_stack_overflow(void)
6967 printk("do_IRQ: stack overflow: %ld\n",
6968 sp - sizeof(struct thread_info));
6969 dump_stack();
6970+ gr_handle_kernel_exploit();
6971 }
6972 }
6973 #else
6974diff --git a/arch/mips/kernel/pm-cps.c b/arch/mips/kernel/pm-cps.c
6975index 0614717..002fa43 100644
6976--- a/arch/mips/kernel/pm-cps.c
6977+++ b/arch/mips/kernel/pm-cps.c
6978@@ -172,7 +172,7 @@ int cps_pm_enter_state(enum cps_pm_state state)
6979 nc_core_ready_count = nc_addr;
6980
6981 /* Ensure ready_count is zero-initialised before the assembly runs */
6982- ACCESS_ONCE(*nc_core_ready_count) = 0;
6983+ ACCESS_ONCE_RW(*nc_core_ready_count) = 0;
6984 coupled_barrier(&per_cpu(pm_barrier, core), online);
6985
6986 /* Run the generated entry code */
6987diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
6988index f2975d4..f61d355 100644
6989--- a/arch/mips/kernel/process.c
6990+++ b/arch/mips/kernel/process.c
6991@@ -541,18 +541,6 @@ out:
6992 return pc;
6993 }
6994
6995-/*
6996- * Don't forget that the stack pointer must be aligned on a 8 bytes
6997- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
6998- */
6999-unsigned long arch_align_stack(unsigned long sp)
7000-{
7001- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7002- sp -= get_random_int() & ~PAGE_MASK;
7003-
7004- return sp & ALMASK;
7005-}
7006-
7007 static void arch_dump_stack(void *info)
7008 {
7009 struct pt_regs *regs;
7010diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
7011index e933a30..0d02625 100644
7012--- a/arch/mips/kernel/ptrace.c
7013+++ b/arch/mips/kernel/ptrace.c
7014@@ -785,6 +785,10 @@ long arch_ptrace(struct task_struct *child, long request,
7015 return ret;
7016 }
7017
7018+#ifdef CONFIG_GRKERNSEC_SETXID
7019+extern void gr_delayed_cred_worker(void);
7020+#endif
7021+
7022 /*
7023 * Notification of system call entry/exit
7024 * - triggered by current->work.syscall_trace
7025@@ -803,6 +807,11 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
7026 tracehook_report_syscall_entry(regs))
7027 ret = -1;
7028
7029+#ifdef CONFIG_GRKERNSEC_SETXID
7030+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
7031+ gr_delayed_cred_worker();
7032+#endif
7033+
7034 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
7035 trace_sys_enter(regs, regs->regs[2]);
7036
7037diff --git a/arch/mips/kernel/sync-r4k.c b/arch/mips/kernel/sync-r4k.c
7038index 2242bdd..b284048 100644
7039--- a/arch/mips/kernel/sync-r4k.c
7040+++ b/arch/mips/kernel/sync-r4k.c
7041@@ -18,8 +18,8 @@
7042 #include <asm/mipsregs.h>
7043
7044 static atomic_t count_start_flag = ATOMIC_INIT(0);
7045-static atomic_t count_count_start = ATOMIC_INIT(0);
7046-static atomic_t count_count_stop = ATOMIC_INIT(0);
7047+static atomic_unchecked_t count_count_start = ATOMIC_INIT(0);
7048+static atomic_unchecked_t count_count_stop = ATOMIC_INIT(0);
7049 static atomic_t count_reference = ATOMIC_INIT(0);
7050
7051 #define COUNTON 100
7052@@ -58,13 +58,13 @@ void synchronise_count_master(int cpu)
7053
7054 for (i = 0; i < NR_LOOPS; i++) {
7055 /* slaves loop on '!= 2' */
7056- while (atomic_read(&count_count_start) != 1)
7057+ while (atomic_read_unchecked(&count_count_start) != 1)
7058 mb();
7059- atomic_set(&count_count_stop, 0);
7060+ atomic_set_unchecked(&count_count_stop, 0);
7061 smp_wmb();
7062
7063 /* this lets the slaves write their count register */
7064- atomic_inc(&count_count_start);
7065+ atomic_inc_unchecked(&count_count_start);
7066
7067 /*
7068 * Everyone initialises count in the last loop:
7069@@ -75,11 +75,11 @@ void synchronise_count_master(int cpu)
7070 /*
7071 * Wait for all slaves to leave the synchronization point:
7072 */
7073- while (atomic_read(&count_count_stop) != 1)
7074+ while (atomic_read_unchecked(&count_count_stop) != 1)
7075 mb();
7076- atomic_set(&count_count_start, 0);
7077+ atomic_set_unchecked(&count_count_start, 0);
7078 smp_wmb();
7079- atomic_inc(&count_count_stop);
7080+ atomic_inc_unchecked(&count_count_stop);
7081 }
7082 /* Arrange for an interrupt in a short while */
7083 write_c0_compare(read_c0_count() + COUNTON);
7084@@ -112,8 +112,8 @@ void synchronise_count_slave(int cpu)
7085 initcount = atomic_read(&count_reference);
7086
7087 for (i = 0; i < NR_LOOPS; i++) {
7088- atomic_inc(&count_count_start);
7089- while (atomic_read(&count_count_start) != 2)
7090+ atomic_inc_unchecked(&count_count_start);
7091+ while (atomic_read_unchecked(&count_count_start) != 2)
7092 mb();
7093
7094 /*
7095@@ -122,8 +122,8 @@ void synchronise_count_slave(int cpu)
7096 if (i == NR_LOOPS-1)
7097 write_c0_count(initcount);
7098
7099- atomic_inc(&count_count_stop);
7100- while (atomic_read(&count_count_stop) != 2)
7101+ atomic_inc_unchecked(&count_count_stop);
7102+ while (atomic_read_unchecked(&count_count_stop) != 2)
7103 mb();
7104 }
7105 /* Arrange for an interrupt in a short while */
7106diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
7107index 8ea28e6..c8873d5 100644
7108--- a/arch/mips/kernel/traps.c
7109+++ b/arch/mips/kernel/traps.c
7110@@ -697,7 +697,18 @@ asmlinkage void do_ov(struct pt_regs *regs)
7111 siginfo_t info;
7112
7113 prev_state = exception_enter();
7114- die_if_kernel("Integer overflow", regs);
7115+ if (unlikely(!user_mode(regs))) {
7116+
7117+#ifdef CONFIG_PAX_REFCOUNT
7118+ if (fixup_exception(regs)) {
7119+ pax_report_refcount_overflow(regs);
7120+ exception_exit(prev_state);
7121+ return;
7122+ }
7123+#endif
7124+
7125+ die("Integer overflow", regs);
7126+ }
7127
7128 info.si_code = FPE_INTOVF;
7129 info.si_signo = SIGFPE;
7130diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
7131index cd4c129..290c518 100644
7132--- a/arch/mips/kvm/mips.c
7133+++ b/arch/mips/kvm/mips.c
7134@@ -1016,7 +1016,7 @@ long kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
7135 return r;
7136 }
7137
7138-int kvm_arch_init(void *opaque)
7139+int kvm_arch_init(const void *opaque)
7140 {
7141 if (kvm_mips_callbacks) {
7142 kvm_err("kvm: module already exists\n");
7143diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
7144index 852a41c..75b9d38 100644
7145--- a/arch/mips/mm/fault.c
7146+++ b/arch/mips/mm/fault.c
7147@@ -31,6 +31,23 @@
7148
7149 int show_unhandled_signals = 1;
7150
7151+#ifdef CONFIG_PAX_PAGEEXEC
7152+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
7153+{
7154+ unsigned long i;
7155+
7156+ printk(KERN_ERR "PAX: bytes at PC: ");
7157+ for (i = 0; i < 5; i++) {
7158+ unsigned int c;
7159+ if (get_user(c, (unsigned int *)pc+i))
7160+ printk(KERN_CONT "???????? ");
7161+ else
7162+ printk(KERN_CONT "%08x ", c);
7163+ }
7164+ printk("\n");
7165+}
7166+#endif
7167+
7168 /*
7169 * This routine handles page faults. It determines the address,
7170 * and the problem, and then passes it off to one of the appropriate
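Review bot: The terminating `printk("\n")` in `pax_report_insns()` carries no log level, unlike the `KERN_CONT` fragments before it, so it may be emitted as a separate record instead of closing the "bytes at PC" line. `printk(KERN_CONT "\n");` keeps the report on one line. The `get_user()` source is cast to `unsigned int *` without `__user`, which hides the user-pointer access from sparse; `(unsigned int __user *)pc + i` is the usual form. `regs` and `sp` are not used in the body, so a short comment that they exist only to match the shared prototype would help.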
7171@@ -207,6 +224,14 @@ bad_area:
7172 bad_area_nosemaphore:
7173 /* User mode accesses just cause a SIGSEGV */
7174 if (user_mode(regs)) {
7175+
7176+#ifdef CONFIG_PAX_PAGEEXEC
7177+ if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) {
7178+ pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs));
7179+ do_group_exit(SIGKILL);
7180+ }
7181+#endif
7182+
7183 tsk->thread.cp0_badvaddr = address;
7184 tsk->thread.error_code = write;
7185 if (show_unhandled_signals &&
7186diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
7187index 5c81fdd..db158d3 100644
7188--- a/arch/mips/mm/mmap.c
7189+++ b/arch/mips/mm/mmap.c
7190@@ -59,6 +59,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7191 struct vm_area_struct *vma;
7192 unsigned long addr = addr0;
7193 int do_color_align;
7194+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
7195 struct vm_unmapped_area_info info;
7196
7197 if (unlikely(len > TASK_SIZE))
7198@@ -84,6 +85,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7199 do_color_align = 1;
7200
7201 /* requesting a specific address */
7202+
7203+#ifdef CONFIG_PAX_RANDMMAP
7204+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
7205+#endif
7206+
7207 if (addr) {
7208 if (do_color_align)
7209 addr = COLOUR_ALIGN(addr, pgoff);
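Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and relies on the following `if (addr) {` across an `#endif` and a blank line. Any statement later inserted between them silently changes what is guarded. The `arch_pick_mmap_layout()` hunk below uses the same construct in front of `if (current->flags & PF_RANDOMIZE)`. The condition also reads `current->mm` although the function already has `mm`, which the added `gr_rand_threadstack_offset(mm, filp, flags)` call uses. Folding the test into the `if (addr)` condition under the `#ifdef`, with braces, would make the guarded region explicit; the function body extends beyond this hunk.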
7210@@ -91,14 +97,14 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7211 addr = PAGE_ALIGN(addr);
7212
7213 vma = find_vma(mm, addr);
7214- if (TASK_SIZE - len >= addr &&
7215- (!vma || addr + len <= vma->vm_start))
7216+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
7217 return addr;
7218 }
7219
7220 info.length = len;
7221 info.align_mask = do_color_align ? (PAGE_MASK & shm_align_mask) : 0;
7222 info.align_offset = pgoff << PAGE_SHIFT;
7223+ info.threadstack_offset = offset;
7224
7225 if (dir == DOWN) {
7226 info.flags = VM_UNMAPPED_AREA_TOPDOWN;
7227@@ -160,45 +166,34 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7228 {
7229 unsigned long random_factor = 0UL;
7230
7231+#ifdef CONFIG_PAX_RANDMMAP
7232+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7233+#endif
7234+
7235 if (current->flags & PF_RANDOMIZE)
7236 random_factor = arch_mmap_rnd();
7237
7238 if (mmap_is_legacy()) {
7239 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
7240+
7241+#ifdef CONFIG_PAX_RANDMMAP
7242+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7243+ mm->mmap_base += mm->delta_mmap;
7244+#endif
7245+
7246 mm->get_unmapped_area = arch_get_unmapped_area;
7247 } else {
7248 mm->mmap_base = mmap_base(random_factor);
7249+
7250+#ifdef CONFIG_PAX_RANDMMAP
7251+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7252+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7253+#endif
7254+
7255 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
7256 }
7257 }
7258
7259-static inline unsigned long brk_rnd(void)
7260-{
7261- unsigned long rnd = get_random_int();
7262-
7263- rnd = rnd << PAGE_SHIFT;
7264- /* 8MB for 32bit, 256MB for 64bit */
7265- if (TASK_IS_32BIT_ADDR)
7266- rnd = rnd & 0x7ffffful;
7267- else
7268- rnd = rnd & 0xffffffful;
7269-
7270- return rnd;
7271-}
7272-
7273-unsigned long arch_randomize_brk(struct mm_struct *mm)
7274-{
7275- unsigned long base = mm->brk;
7276- unsigned long ret;
7277-
7278- ret = PAGE_ALIGN(base + brk_rnd());
7279-
7280- if (ret < mm->brk)
7281- return mm->brk;
7282-
7283- return ret;
7284-}
7285-
7286 int __virt_addr_valid(const volatile void *kaddr)
7287 {
7288 return pfn_valid(PFN_DOWN(virt_to_phys(kaddr)));
7289diff --git a/arch/mips/net/bpf_jit_asm.S b/arch/mips/net/bpf_jit_asm.S
7290index e927260..552e6ea 100644
7291--- a/arch/mips/net/bpf_jit_asm.S
7292+++ b/arch/mips/net/bpf_jit_asm.S
7293@@ -62,7 +62,9 @@ sk_load_word_positive:
7294 is_offset_in_header(4, word)
7295 /* Offset within header boundaries */
7296 PTR_ADDU t1, $r_skb_data, offset
7297+ .set reorder
7298 lw $r_A, 0(t1)
7299+ .set noreorder
7300 #ifdef CONFIG_CPU_LITTLE_ENDIAN
7301 wsbh t0, $r_A
7302 rotr $r_A, t0, 16
7303@@ -78,7 +80,9 @@ sk_load_half_positive:
7304 is_offset_in_header(2, half)
7305 /* Offset within header boundaries */
7306 PTR_ADDU t1, $r_skb_data, offset
7307+ .set reorder
7308 lh $r_A, 0(t1)
7309+ .set noreorder
7310 #ifdef CONFIG_CPU_LITTLE_ENDIAN
7311 wsbh t0, $r_A
7312 seh $r_A, t0
7313diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c
7314index a2358b4..7cead4f 100644
7315--- a/arch/mips/sgi-ip27/ip27-nmi.c
7316+++ b/arch/mips/sgi-ip27/ip27-nmi.c
7317@@ -187,9 +187,9 @@ void
7318 cont_nmi_dump(void)
7319 {
7320 #ifndef REAL_NMI_SIGNAL
7321- static atomic_t nmied_cpus = ATOMIC_INIT(0);
7322+ static atomic_unchecked_t nmied_cpus = ATOMIC_INIT(0);
7323
7324- atomic_inc(&nmied_cpus);
7325+ atomic_inc_unchecked(&nmied_cpus);
7326 #endif
7327 /*
7328 * Only allow 1 cpu to proceed
7329@@ -233,7 +233,7 @@ cont_nmi_dump(void)
7330 udelay(10000);
7331 }
7332 #else
7333- while (atomic_read(&nmied_cpus) != num_online_cpus());
7334+ while (atomic_read_unchecked(&nmied_cpus) != num_online_cpus());
7335 #endif
7336
7337 /*
7338diff --git a/arch/mips/sni/rm200.c b/arch/mips/sni/rm200.c
7339index a046b30..6799527 100644
7340--- a/arch/mips/sni/rm200.c
7341+++ b/arch/mips/sni/rm200.c
7342@@ -270,7 +270,7 @@ spurious_8259A_irq:
7343 "spurious RM200 8259A interrupt: IRQ%d.\n", irq);
7344 spurious_irq_mask |= irqmask;
7345 }
7346- atomic_inc(&irq_err_count);
7347+ atomic_inc_unchecked(&irq_err_count);
7348 /*
7349 * Theoretically we do not have to handle this IRQ,
7350 * but in Linux this does not cause problems and is
7351diff --git a/arch/mips/vr41xx/common/icu.c b/arch/mips/vr41xx/common/icu.c
7352index 41e873b..34d33a7 100644
7353--- a/arch/mips/vr41xx/common/icu.c
7354+++ b/arch/mips/vr41xx/common/icu.c
7355@@ -653,7 +653,7 @@ static int icu_get_irq(unsigned int irq)
7356
7357 printk(KERN_ERR "spurious ICU interrupt: %04x,%04x\n", pend1, pend2);
7358
7359- atomic_inc(&irq_err_count);
7360+ atomic_inc_unchecked(&irq_err_count);
7361
7362 return -1;
7363 }
7364diff --git a/arch/mips/vr41xx/common/irq.c b/arch/mips/vr41xx/common/irq.c
7365index ae0e4ee..e8f0692 100644
7366--- a/arch/mips/vr41xx/common/irq.c
7367+++ b/arch/mips/vr41xx/common/irq.c
7368@@ -64,7 +64,7 @@ static void irq_dispatch(unsigned int irq)
7369 irq_cascade_t *cascade;
7370
7371 if (irq >= NR_IRQS) {
7372- atomic_inc(&irq_err_count);
7373+ atomic_inc_unchecked(&irq_err_count);
7374 return;
7375 }
7376
7377@@ -84,7 +84,7 @@ static void irq_dispatch(unsigned int irq)
7378 ret = cascade->get_irq(irq);
7379 irq = ret;
7380 if (ret < 0)
7381- atomic_inc(&irq_err_count);
7382+ atomic_inc_unchecked(&irq_err_count);
7383 else
7384 irq_dispatch(irq);
7385 if (!irqd_irq_disabled(idata) && chip->irq_unmask)
7386diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h
7387index 967d144..db12197 100644
7388--- a/arch/mn10300/proc-mn103e010/include/proc/cache.h
7389+++ b/arch/mn10300/proc-mn103e010/include/proc/cache.h
7390@@ -11,12 +11,14 @@
7391 #ifndef _ASM_PROC_CACHE_H
7392 #define _ASM_PROC_CACHE_H
7393
7394+#include <linux/const.h>
7395+
7396 /* L1 cache */
7397
7398 #define L1_CACHE_NWAYS 4 /* number of ways in caches */
7399 #define L1_CACHE_NENTRIES 256 /* number of entries in each way */
7400-#define L1_CACHE_BYTES 16 /* bytes per entry */
7401 #define L1_CACHE_SHIFT 4 /* shift for bytes per entry */
7402+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */
7403 #define L1_CACHE_WAYDISP 0x1000 /* displacement of one way from the next */
7404
7405 #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */
7406diff --git a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7407index bcb5df2..84fabd2 100644
7408--- a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7409+++ b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7410@@ -16,13 +16,15 @@
7411 #ifndef _ASM_PROC_CACHE_H
7412 #define _ASM_PROC_CACHE_H
7413
7414+#include <linux/const.h>
7415+
7416 /*
7417 * L1 cache
7418 */
7419 #define L1_CACHE_NWAYS 4 /* number of ways in caches */
7420 #define L1_CACHE_NENTRIES 128 /* number of entries in each way */
7421-#define L1_CACHE_BYTES 32 /* bytes per entry */
7422 #define L1_CACHE_SHIFT 5 /* shift for bytes per entry */
7423+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */
7424 #define L1_CACHE_WAYDISP 0x1000 /* distance from one way to the next */
7425
7426 #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */
7427diff --git a/arch/openrisc/include/asm/cache.h b/arch/openrisc/include/asm/cache.h
7428index 4ce7a01..449202a 100644
7429--- a/arch/openrisc/include/asm/cache.h
7430+++ b/arch/openrisc/include/asm/cache.h
7431@@ -19,11 +19,13 @@
7432 #ifndef __ASM_OPENRISC_CACHE_H
7433 #define __ASM_OPENRISC_CACHE_H
7434
7435+#include <linux/const.h>
7436+
7437 /* FIXME: How can we replace these with values from the CPU...
7438 * they shouldn't be hard-coded!
7439 */
7440
7441-#define L1_CACHE_BYTES 16
7442 #define L1_CACHE_SHIFT 4
7443+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7444
7445 #endif /* __ASM_OPENRISC_CACHE_H */
7446diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
7447index 226f8ca9..9d9b87d 100644
7448--- a/arch/parisc/include/asm/atomic.h
7449+++ b/arch/parisc/include/asm/atomic.h
7450@@ -273,6 +273,16 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
7451 return dec;
7452 }
7453
7454+#define atomic64_read_unchecked(v) atomic64_read(v)
7455+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
7456+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
7457+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
7458+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
7459+#define atomic64_inc_unchecked(v) atomic64_inc(v)
7460+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
7461+#define atomic64_dec_unchecked(v) atomic64_dec(v)
7462+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
7463+
7464 #endif /* !CONFIG_64BIT */
7465
7466
7467diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h
7468index 47f11c7..3420df2 100644
7469--- a/arch/parisc/include/asm/cache.h
7470+++ b/arch/parisc/include/asm/cache.h
7471@@ -5,6 +5,7 @@
7472 #ifndef __ARCH_PARISC_CACHE_H
7473 #define __ARCH_PARISC_CACHE_H
7474
7475+#include <linux/const.h>
7476
7477 /*
7478 * PA 2.0 processors have 64-byte cachelines; PA 1.1 processors have
7479@@ -15,13 +16,13 @@
7480 * just ruin performance.
7481 */
7482 #ifdef CONFIG_PA20
7483-#define L1_CACHE_BYTES 64
7484 #define L1_CACHE_SHIFT 6
7485 #else
7486-#define L1_CACHE_BYTES 32
7487 #define L1_CACHE_SHIFT 5
7488 #endif
7489
7490+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7491+
7492 #ifndef __ASSEMBLY__
7493
7494 #define SMP_CACHE_BYTES L1_CACHE_BYTES
7495diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h
7496index 78c9fd3..42fa66a 100644
7497--- a/arch/parisc/include/asm/elf.h
7498+++ b/arch/parisc/include/asm/elf.h
7499@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration... */
7500
7501 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
7502
7503+#ifdef CONFIG_PAX_ASLR
7504+#define PAX_ELF_ET_DYN_BASE 0x10000UL
7505+
7506+#define PAX_DELTA_MMAP_LEN 16
7507+#define PAX_DELTA_STACK_LEN 16
7508+#endif
7509+
7510 /* This yields a mask that user programs can use to figure out what
7511 instruction set this CPU supports. This could be done in user space,
7512 but it's not easy, and we've already done it here. */
7513diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h
7514index 3edbb9f..08fef28 100644
7515--- a/arch/parisc/include/asm/pgalloc.h
7516+++ b/arch/parisc/include/asm/pgalloc.h
7517@@ -61,6 +61,11 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
7518 (__u32)(__pa((unsigned long)pmd) >> PxD_VALUE_SHIFT));
7519 }
7520
7521+static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
7522+{
7523+ pgd_populate(mm, pgd, pmd);
7524+}
7525+
7526 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
7527 {
7528 pmd_t *pmd = (pmd_t *)__get_free_pages(GFP_KERNEL|__GFP_REPEAT,
7529@@ -97,6 +102,7 @@ static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd)
7530 #define pmd_alloc_one(mm, addr) ({ BUG(); ((pmd_t *)2); })
7531 #define pmd_free(mm, x) do { } while (0)
7532 #define pgd_populate(mm, pmd, pte) BUG()
7533+#define pgd_populate_kernel(mm, pmd, pte) BUG()
7534
7535 #endif
7536
7537diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
7538index f93c4a4..cfd5663 100644
7539--- a/arch/parisc/include/asm/pgtable.h
7540+++ b/arch/parisc/include/asm/pgtable.h
7541@@ -231,6 +231,17 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
7542 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
7543 #define PAGE_COPY PAGE_EXECREAD
7544 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
7545+
7546+#ifdef CONFIG_PAX_PAGEEXEC
7547+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
7548+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
7549+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
7550+#else
7551+# define PAGE_SHARED_NOEXEC PAGE_SHARED
7552+# define PAGE_COPY_NOEXEC PAGE_COPY
7553+# define PAGE_READONLY_NOEXEC PAGE_READONLY
7554+#endif
7555+
7556 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
7557 #define PAGE_KERNEL_EXEC __pgprot(_PAGE_KERNEL_EXEC)
7558 #define PAGE_KERNEL_RWX __pgprot(_PAGE_KERNEL_RWX)
7559diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
7560index 0abdd4c..1af92f0 100644
7561--- a/arch/parisc/include/asm/uaccess.h
7562+++ b/arch/parisc/include/asm/uaccess.h
7563@@ -243,10 +243,10 @@ static inline unsigned long __must_check copy_from_user(void *to,
7564 const void __user *from,
7565 unsigned long n)
7566 {
7567- int sz = __compiletime_object_size(to);
7568+ size_t sz = __compiletime_object_size(to);
7569 int ret = -EFAULT;
7570
7571- if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
7572+ if (likely(sz == (size_t)-1 || !__builtin_constant_p(n) || sz >= n))
7573 ret = __copy_from_user(to, from, n);
7574 else
7575 copy_from_user_overflow();
7576diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
7577index 3c63a82..b1d6ee9 100644
7578--- a/arch/parisc/kernel/module.c
7579+++ b/arch/parisc/kernel/module.c
7580@@ -98,16 +98,38 @@
7581
7582 /* three functions to determine where in the module core
7583 * or init pieces the location is */
7584+static inline int in_init_rx(struct module *me, void *loc)
7585+{
7586+ return (loc >= me->module_init_rx &&
7587+ loc < (me->module_init_rx + me->init_size_rx));
7588+}
7589+
7590+static inline int in_init_rw(struct module *me, void *loc)
7591+{
7592+ return (loc >= me->module_init_rw &&
7593+ loc < (me->module_init_rw + me->init_size_rw));
7594+}
7595+
7596 static inline int in_init(struct module *me, void *loc)
7597 {
7598- return (loc >= me->module_init &&
7599- loc <= (me->module_init + me->init_size));
7600+ return in_init_rx(me, loc) || in_init_rw(me, loc);
7601+}
7602+
7603+static inline int in_core_rx(struct module *me, void *loc)
7604+{
7605+ return (loc >= me->module_core_rx &&
7606+ loc < (me->module_core_rx + me->core_size_rx));
7607+}
7608+
7609+static inline int in_core_rw(struct module *me, void *loc)
7610+{
7611+ return (loc >= me->module_core_rw &&
7612+ loc < (me->module_core_rw + me->core_size_rw));
7613 }
7614
7615 static inline int in_core(struct module *me, void *loc)
7616 {
7617- return (loc >= me->module_core &&
7618- loc <= (me->module_core + me->core_size));
7619+ return in_core_rx(me, loc) || in_core_rw(me, loc);
7620 }
7621
7622 static inline int in_local(struct module *me, void *loc)
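Review bot: The context comment above `in_init_rx` still says "three functions", but after this hunk there are seven range helpers, and the upper bound changes from `<=` to `<` without any remark. Since these helpers now decide whether a location lies in the rx or the rw half of a module, the half-open convention deserves to be stated, e.g. `/* helpers to determine which module region (init/core, rx/rw) holds the location; ranges are [base, base + size) */`. The types of `module_init_rx`, `init_size_rx` and the other fields are declared outside this hunk, so the pointer arithmetic cannot be checked from here.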
7623@@ -367,13 +389,13 @@ int module_frob_arch_sections(CONST Elf_Ehdr *hdr,
7624 }
7625
7626 /* align things a bit */
7627- me->core_size = ALIGN(me->core_size, 16);
7628- me->arch.got_offset = me->core_size;
7629- me->core_size += gots * sizeof(struct got_entry);
7630+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
7631+ me->arch.got_offset = me->core_size_rw;
7632+ me->core_size_rw += gots * sizeof(struct got_entry);
7633
7634- me->core_size = ALIGN(me->core_size, 16);
7635- me->arch.fdesc_offset = me->core_size;
7636- me->core_size += fdescs * sizeof(Elf_Fdesc);
7637+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
7638+ me->arch.fdesc_offset = me->core_size_rw;
7639+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
7640
7641 me->arch.got_max = gots;
7642 me->arch.fdesc_max = fdescs;
7643@@ -391,7 +413,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
7644
7645 BUG_ON(value == 0);
7646
7647- got = me->module_core + me->arch.got_offset;
7648+ got = me->module_core_rw + me->arch.got_offset;
7649 for (i = 0; got[i].addr; i++)
7650 if (got[i].addr == value)
7651 goto out;
7652@@ -409,7 +431,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
7653 #ifdef CONFIG_64BIT
7654 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
7655 {
7656- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
7657+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
7658
7659 if (!value) {
7660 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
7661@@ -427,7 +449,7 @@ static Elf_Addr get_fdesc(struct module *me, unsigned long value)
7662
7663 /* Create new one */
7664 fdesc->addr = value;
7665- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
7666+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
7667 return (Elf_Addr)fdesc;
7668 }
7669 #endif /* CONFIG_64BIT */
7670@@ -839,7 +861,7 @@ register_unwind_table(struct module *me,
7671
7672 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
7673 end = table + sechdrs[me->arch.unwind_section].sh_size;
7674- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
7675+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
7676
7677 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
7678 me->arch.unwind_section, table, end, gp);
7679diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
7680index 5aba01a..47cdd5a 100644
7681--- a/arch/parisc/kernel/sys_parisc.c
7682+++ b/arch/parisc/kernel/sys_parisc.c
7683@@ -92,6 +92,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7684 unsigned long task_size = TASK_SIZE;
7685 int do_color_align, last_mmap;
7686 struct vm_unmapped_area_info info;
7687+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
7688
7689 if (len > task_size)
7690 return -ENOMEM;
7691@@ -109,6 +110,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7692 goto found_addr;
7693 }
7694
7695+#ifdef CONFIG_PAX_RANDMMAP
7696+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7697+#endif
7698+
7699 if (addr) {
7700 if (do_color_align && last_mmap)
7701 addr = COLOR_ALIGN(addr, last_mmap, pgoff);
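Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces, and its body is the existing `if (addr) {` block that follows only after the `#endif` and a blank line. Whether the address hint is honoured therefore depends on preprocessor layout, and a statement inserted between the two lines later would silently become the guarded body. I would drop the blank line and add a comment such as `/* PaX RANDMMAP: ignore the caller's address hint; guards the if (addr) block below */`. The same construct appears in the `arch_get_unmapped_area_topdown` hunk further down, and the declaration of `mm` is outside both hunks (the new `offset` initialiser uses `current->mm` instead).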
7702@@ -127,6 +132,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7703 info.high_limit = mmap_upper_limit();
7704 info.align_mask = last_mmap ? (PAGE_MASK & (SHM_COLOUR - 1)) : 0;
7705 info.align_offset = shared_align_offset(last_mmap, pgoff);
7706+ info.threadstack_offset = offset;
7707 addr = vm_unmapped_area(&info);
7708
7709 found_addr:
7710@@ -146,6 +152,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7711 unsigned long addr = addr0;
7712 int do_color_align, last_mmap;
7713 struct vm_unmapped_area_info info;
7714+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
7715
7716 #ifdef CONFIG_64BIT
7717 /* This should only ever run for 32-bit processes. */
7718@@ -170,6 +177,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7719 }
7720
7721 /* requesting a specific address */
7722+#ifdef CONFIG_PAX_RANDMMAP
7723+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7724+#endif
7725+
7726 if (addr) {
7727 if (do_color_align && last_mmap)
7728 addr = COLOR_ALIGN(addr, last_mmap, pgoff);
7729@@ -187,6 +198,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7730 info.high_limit = mm->mmap_base;
7731 info.align_mask = last_mmap ? (PAGE_MASK & (SHM_COLOUR - 1)) : 0;
7732 info.align_offset = shared_align_offset(last_mmap, pgoff);
7733+ info.threadstack_offset = offset;
7734 addr = vm_unmapped_area(&info);
7735 if (!(addr & ~PAGE_MASK))
7736 goto found_addr;
7737@@ -252,6 +264,13 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7738 mm->mmap_legacy_base = mmap_legacy_base();
7739 mm->mmap_base = mmap_upper_limit();
7740
7741+#ifdef CONFIG_PAX_RANDMMAP
7742+ if (mm->pax_flags & MF_PAX_RANDMMAP) {
7743+ mm->mmap_legacy_base += mm->delta_mmap;
7744+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7745+ }
7746+#endif
7747+
7748 if (mmap_is_legacy()) {
7749 mm->mmap_base = mm->mmap_legacy_base;
7750 mm->get_unmapped_area = arch_get_unmapped_area;
7751diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
7752index b99b39f..e3915ae 100644
7753--- a/arch/parisc/kernel/traps.c
7754+++ b/arch/parisc/kernel/traps.c
7755@@ -722,9 +722,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
7756
7757 down_read(&current->mm->mmap_sem);
7758 vma = find_vma(current->mm,regs->iaoq[0]);
7759- if (vma && (regs->iaoq[0] >= vma->vm_start)
7760- && (vma->vm_flags & VM_EXEC)) {
7761-
7762+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
7763 fault_address = regs->iaoq[0];
7764 fault_space = regs->iasq[0];
7765
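Review bot: The `vma->vm_flags & VM_EXEC` test is removed unconditionally rather than under `#ifdef CONFIG_PAX_PAGEEXEC`, so the set of instruction faults that take this branch changes for every configuration, and nothing at the site says why. Presumably the permission check is now expected to happen in the fault handler in arch/parisc/mm/fault.c, where `parisc_acctyp` gains `code == 7` in this patch. A comment stating that would help, e.g. `/* exec permission is checked by the page-fault path, not here */`. The rest of `handle_interruption` lies outside the hunk, so the downstream handling cannot be confirmed from here.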
7766diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
7767index 15503ad..4b1b8b6 100644
7768--- a/arch/parisc/mm/fault.c
7769+++ b/arch/parisc/mm/fault.c
7770@@ -16,6 +16,7 @@
7771 #include <linux/interrupt.h>
7772 #include <linux/module.h>
7773 #include <linux/uaccess.h>
7774+#include <linux/unistd.h>
7775
7776 #include <asm/traps.h>
7777
7778@@ -50,7 +51,7 @@ int show_unhandled_signals = 1;
7779 static unsigned long
7780 parisc_acctyp(unsigned long code, unsigned int inst)
7781 {
7782- if (code == 6 || code == 16)
7783+ if (code == 6 || code == 7 || code == 16)
7784 return VM_EXEC;
7785
7786 switch (inst & 0xf0000000) {
7787@@ -136,6 +137,116 @@ parisc_acctyp(unsigned long code, unsigned int inst)
7788 }
7789 #endif
7790
7791+#ifdef CONFIG_PAX_PAGEEXEC
7792+/*
7793+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
7794+ *
7795+ * returns 1 when task should be killed
7796+ * 2 when rt_sigreturn trampoline was detected
7797+ * 3 when unpatched PLT trampoline was detected
7798+ */
7799+static int pax_handle_fetch_fault(struct pt_regs *regs)
7800+{
7801+
7802+#ifdef CONFIG_PAX_EMUPLT
7803+ int err;
7804+
7805+ do { /* PaX: unpatched PLT emulation */
7806+ unsigned int bl, depwi;
7807+
7808+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
7809+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
7810+
7811+ if (err)
7812+ break;
7813+
7814+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
7815+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
7816+
7817+ err = get_user(ldw, (unsigned int *)addr);
7818+ err |= get_user(bv, (unsigned int *)(addr+4));
7819+ err |= get_user(ldw2, (unsigned int *)(addr+8));
7820+
7821+ if (err)
7822+ break;
7823+
7824+ if (ldw == 0x0E801096U &&
7825+ bv == 0xEAC0C000U &&
7826+ ldw2 == 0x0E881095U)
7827+ {
7828+ unsigned int resolver, map;
7829+
7830+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
7831+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
7832+ if (err)
7833+ break;
7834+
7835+ regs->gr[20] = instruction_pointer(regs)+8;
7836+ regs->gr[21] = map;
7837+ regs->gr[22] = resolver;
7838+ regs->iaoq[0] = resolver | 3UL;
7839+ regs->iaoq[1] = regs->iaoq[0] + 4;
7840+ return 3;
7841+ }
7842+ }
7843+ } while (0);
7844+#endif
7845+
7846+#ifdef CONFIG_PAX_EMUTRAMP
7847+
7848+#ifndef CONFIG_PAX_EMUSIGRT
7849+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
7850+ return 1;
7851+#endif
7852+
7853+ do { /* PaX: rt_sigreturn emulation */
7854+ unsigned int ldi1, ldi2, bel, nop;
7855+
7856+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
7857+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
7858+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
7859+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
7860+
7861+ if (err)
7862+ break;
7863+
7864+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
7865+ ldi2 == 0x3414015AU &&
7866+ bel == 0xE4008200U &&
7867+ nop == 0x08000240U)
7868+ {
7869+ regs->gr[25] = (ldi1 & 2) >> 1;
7870+ regs->gr[20] = __NR_rt_sigreturn;
7871+ regs->gr[31] = regs->iaoq[1] + 16;
7872+ regs->sr[0] = regs->iasq[1];
7873+ regs->iaoq[0] = 0x100UL;
7874+ regs->iaoq[1] = regs->iaoq[0] + 4;
7875+ regs->iasq[0] = regs->sr[2];
7876+ regs->iasq[1] = regs->sr[2];
7877+ return 2;
7878+ }
7879+ } while (0);
7880+#endif
7881+
7882+ return 1;
7883+}
7884+
7885+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
7886+{
7887+ unsigned long i;
7888+
7889+ printk(KERN_ERR "PAX: bytes at PC: ");
7890+ for (i = 0; i < 5; i++) {
7891+ unsigned int c;
7892+ if (get_user(c, (unsigned int *)pc+i))
7893+ printk(KERN_CONT "???????? ");
7894+ else
7895+ printk(KERN_CONT "%08x ", c);
7896+ }
7897+ printk("\n");
7898+}
7899+#endif
7900+
7901 int fixup_exception(struct pt_regs *regs)
7902 {
7903 const struct exception_table_entry *fix;
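Review bot: `int err;` is declared only inside the `#ifdef CONFIG_PAX_EMUPLT` block of `pax_handle_fetch_fault`, yet the `CONFIG_PAX_EMUTRAMP` block also assigns and tests `err`. A configuration with EMUTRAMP but without EMUPLT would therefore not compile unless Kconfig (not visible here) ties the two together. Declaring it under both conditions removes the dependency: `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` / `int err;` / `#endif`. The pointers passed to `get_user` are cast to plain `unsigned int *` without `__user`, and `addr` is an `unsigned int` holding `instruction_pointer(regs)-12`, which would truncate a 64-bit address. If only 32-bit user addresses can reach this path, a comment saying so would make that assumption reviewable.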
7904@@ -234,8 +345,33 @@ retry:
7905
7906 good_area:
7907
7908- if ((vma->vm_flags & acc_type) != acc_type)
7909+ if ((vma->vm_flags & acc_type) != acc_type) {
7910+
7911+#ifdef CONFIG_PAX_PAGEEXEC
7912+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
7913+ (address & ~3UL) == instruction_pointer(regs))
7914+ {
7915+ up_read(&mm->mmap_sem);
7916+ switch (pax_handle_fetch_fault(regs)) {
7917+
7918+#ifdef CONFIG_PAX_EMUPLT
7919+ case 3:
7920+ return;
7921+#endif
7922+
7923+#ifdef CONFIG_PAX_EMUTRAMP
7924+ case 2:
7925+ return;
7926+#endif
7927+
7928+ }
7929+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
7930+ do_group_exit(SIGKILL);
7931+ }
7932+#endif
7933+
7934 goto bad_area;
7935+ }
7936
7937 /*
7938 * If for any reason at all we couldn't handle the fault, make
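Review bot: After `up_read(&mm->mmap_sem)` the code leaves the `switch`, calls `pax_report_fault()` and `do_group_exit(SIGKILL)`, and is then followed by `goto bad_area`, which is safe only because `do_group_exit` does not return. `bad_area` is outside the hunk, but if it releases `mmap_sem` again, reaching it from here would be a double unlock. A comment such as `/* do_group_exit() does not return; mmap_sem is already dropped */` would make the invariant explicit. The bare `case 3:` and `case 2:` repeat the return codes documented on `pax_handle_fetch_fault`; named constants would keep the two in step.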
7939diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
7940index 5ef2711..21be2c3 100644
7941--- a/arch/powerpc/Kconfig
7942+++ b/arch/powerpc/Kconfig
7943@@ -415,6 +415,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE
7944 config KEXEC
7945 bool "kexec system call"
7946 depends on (PPC_BOOK3S || FSL_BOOKE || (44x && !SMP))
7947+ depends on !GRKERNSEC_KMEM
7948 help
7949 kexec is a system call that implements the ability to shutdown your
7950 current kernel, and to start another kernel. It is like a reboot
7951diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h
7952index 512d278..d31fadd 100644
7953--- a/arch/powerpc/include/asm/atomic.h
7954+++ b/arch/powerpc/include/asm/atomic.h
7955@@ -12,6 +12,11 @@
7956
7957 #define ATOMIC_INIT(i) { (i) }
7958
7959+#define _ASM_EXTABLE(from, to) \
7960+" .section __ex_table,\"a\"\n" \
7961+ PPC_LONG" " #from ", " #to"\n" \
7962+" .previous\n"
7963+
7964 static __inline__ int atomic_read(const atomic_t *v)
7965 {
7966 int t;
7967@@ -21,39 +26,80 @@ static __inline__ int atomic_read(const atomic_t *v)
7968 return t;
7969 }
7970
7971+static __inline__ int atomic_read_unchecked(const atomic_unchecked_t *v)
7972+{
7973+ int t;
7974+
7975+ __asm__ __volatile__("lwz%U1%X1 %0,%1" : "=r"(t) : "m"(v->counter));
7976+
7977+ return t;
7978+}
7979+
7980 static __inline__ void atomic_set(atomic_t *v, int i)
7981 {
7982 __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
7983 }
7984
7985-#define ATOMIC_OP(op, asm_op) \
7986-static __inline__ void atomic_##op(int a, atomic_t *v) \
7987+static __inline__ void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7988+{
7989+ __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
7990+}
7991+
7992+#ifdef CONFIG_PAX_REFCOUNT
7993+#define __REFCOUNT_OP(op) op##o.
7994+#define __OVERFLOW_PRE \
7995+ " mcrxr cr0\n"
7996+#define __OVERFLOW_POST \
7997+ " bf 4*cr0+so, 3f\n" \
7998+ "2: .long 0x00c00b00\n" \
7999+ "3:\n"
8000+#define __OVERFLOW_EXTABLE \
8001+ "\n4:\n"
8002+ _ASM_EXTABLE(2b, 4b)
8003+#else
8004+#define __REFCOUNT_OP(op) op
8005+#define __OVERFLOW_PRE
8006+#define __OVERFLOW_POST
8007+#define __OVERFLOW_EXTABLE
8008+#endif
8009+
8010+#define __ATOMIC_OP(op, suffix, pre_op, asm_op, post_op, extable) \
8011+static inline void atomic_##op##suffix(int a, atomic##suffix##_t *v) \
8012 { \
8013 int t; \
8014 \
8015 __asm__ __volatile__( \
8016-"1: lwarx %0,0,%3 # atomic_" #op "\n" \
8017+"1: lwarx %0,0,%3 # atomic_" #op #suffix "\n" \
8018+ pre_op \
8019 #asm_op " %0,%2,%0\n" \
8020+ post_op \
8021 PPC405_ERR77(0,%3) \
8022 " stwcx. %0,0,%3 \n" \
8023 " bne- 1b\n" \
8024+ extable \
8025 : "=&r" (t), "+m" (v->counter) \
8026 : "r" (a), "r" (&v->counter) \
8027 : "cc"); \
8028 } \
8029
8030-#define ATOMIC_OP_RETURN(op, asm_op) \
8031-static __inline__ int atomic_##op##_return(int a, atomic_t *v) \
8032+#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, , , asm_op, , ) \
8033+ __ATOMIC_OP(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8034+
8035+#define __ATOMIC_OP_RETURN(op, suffix, pre_op, asm_op, post_op, extable)\
8036+static inline int atomic_##op##_return##suffix(int a, atomic##suffix##_t *v)\
8037 { \
8038 int t; \
8039 \
8040 __asm__ __volatile__( \
8041 PPC_ATOMIC_ENTRY_BARRIER \
8042-"1: lwarx %0,0,%2 # atomic_" #op "_return\n" \
8043+"1: lwarx %0,0,%2 # atomic_" #op "_return" #suffix "\n" \
8044+ pre_op \
8045 #asm_op " %0,%1,%0\n" \
8046+ post_op \
8047 PPC405_ERR77(0,%2) \
8048 " stwcx. %0,0,%2 \n" \
8049 " bne- 1b\n" \
8050+ extable \
8051 PPC_ATOMIC_EXIT_BARRIER \
8052 : "=&r" (t) \
8053 : "r" (a), "r" (&v->counter) \
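Review bot: The overflow-check arguments in `ATOMIC_OP` look attached to the wrong variant: plain `atomic_##op` is instantiated with empty `pre_op`/`post_op`/`extable`, while the `_unchecked` one receives `__OVERFLOW_PRE`, `__REFCOUNT_OP(asm_op)`, `__OVERFLOW_POST` and `__OVERFLOW_EXTABLE`. Later in this file the CONFIG_PAX_REFCOUNT sequence is added to `__atomic_add_unless`, which takes `atomic_t`, so the checked type is presumably meant to carry the trap; as written, reference counts held in `atomic_t` would get no overflow detection on add/sub. I would swap the argument lists, `__ATOMIC_OP(op, , __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)` and `__ATOMIC_OP(op, _unchecked, , asm_op, , )`; the same pairing recurs in `ATOMIC_OP_RETURN`, `ATOMIC64_OP` and `ATOMIC64_OP_RETURN` in later hunks. Separately, the `"\n4:\n"` line of `__OVERFLOW_EXTABLE` has no trailing backslash, so `_ASM_EXTABLE(2b, 4b)` falls outside the macro and sits at file scope.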
8054@@ -62,6 +108,9 @@ static __inline__ int atomic_##op##_return(int a, atomic_t *v) \
8055 return t; \
8056 }
8057
8058+#define ATOMIC_OP_RETURN(op, asm_op) __ATOMIC_OP_RETURN(op, , , asm_op, , )\
8059+ __ATOMIC_OP_RETURN(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8060+
8061 #define ATOMIC_OPS(op, asm_op) ATOMIC_OP(op, asm_op) ATOMIC_OP_RETURN(op, asm_op)
8062
8063 ATOMIC_OPS(add, add)
8064@@ -69,42 +118,29 @@ ATOMIC_OPS(sub, subf)
8065
8066 #undef ATOMIC_OPS
8067 #undef ATOMIC_OP_RETURN
8068+#undef __ATOMIC_OP_RETURN
8069 #undef ATOMIC_OP
8070+#undef __ATOMIC_OP
8071
8072 #define atomic_add_negative(a, v) (atomic_add_return((a), (v)) < 0)
8073
8074-static __inline__ void atomic_inc(atomic_t *v)
8075-{
8076- int t;
8077+/*
8078+ * atomic_inc - increment atomic variable
8079+ * @v: pointer of type atomic_t
8080+ *
8081+ * Automatically increments @v by 1
8082+ */
8083+#define atomic_inc(v) atomic_add(1, (v))
8084+#define atomic_inc_return(v) atomic_add_return(1, (v))
8085
8086- __asm__ __volatile__(
8087-"1: lwarx %0,0,%2 # atomic_inc\n\
8088- addic %0,%0,1\n"
8089- PPC405_ERR77(0,%2)
8090-" stwcx. %0,0,%2 \n\
8091- bne- 1b"
8092- : "=&r" (t), "+m" (v->counter)
8093- : "r" (&v->counter)
8094- : "cc", "xer");
8095+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
8096+{
8097+ atomic_add_unchecked(1, v);
8098 }
8099
8100-static __inline__ int atomic_inc_return(atomic_t *v)
8101+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
8102 {
8103- int t;
8104-
8105- __asm__ __volatile__(
8106- PPC_ATOMIC_ENTRY_BARRIER
8107-"1: lwarx %0,0,%1 # atomic_inc_return\n\
8108- addic %0,%0,1\n"
8109- PPC405_ERR77(0,%1)
8110-" stwcx. %0,0,%1 \n\
8111- bne- 1b"
8112- PPC_ATOMIC_EXIT_BARRIER
8113- : "=&r" (t)
8114- : "r" (&v->counter)
8115- : "cc", "xer", "memory");
8116-
8117- return t;
8118+ return atomic_add_return_unchecked(1, v);
8119 }
8120
8121 /*
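Review bot: The new comment for `atomic_inc` reads "Automatically increments @v by 1"; it should be `* Atomically increments @v by 1`, matching the wording of the `atomic_dec` comment added in the next hunk. The same slip recurs in the `atomic64_inc` comment further down.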
8122@@ -117,43 +153,38 @@ static __inline__ int atomic_inc_return(atomic_t *v)
8123 */
8124 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
8125
8126-static __inline__ void atomic_dec(atomic_t *v)
8127+static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
8128 {
8129- int t;
8130-
8131- __asm__ __volatile__(
8132-"1: lwarx %0,0,%2 # atomic_dec\n\
8133- addic %0,%0,-1\n"
8134- PPC405_ERR77(0,%2)\
8135-" stwcx. %0,0,%2\n\
8136- bne- 1b"
8137- : "=&r" (t), "+m" (v->counter)
8138- : "r" (&v->counter)
8139- : "cc", "xer");
8140+ return atomic_add_return_unchecked(1, v) == 0;
8141 }
8142
8143-static __inline__ int atomic_dec_return(atomic_t *v)
8144+/*
8145+ * atomic_dec - decrement atomic variable
8146+ * @v: pointer of type atomic_t
8147+ *
8148+ * Atomically decrements @v by 1
8149+ */
8150+#define atomic_dec(v) atomic_sub(1, (v))
8151+#define atomic_dec_return(v) atomic_sub_return(1, (v))
8152+
8153+static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
8154 {
8155- int t;
8156-
8157- __asm__ __volatile__(
8158- PPC_ATOMIC_ENTRY_BARRIER
8159-"1: lwarx %0,0,%1 # atomic_dec_return\n\
8160- addic %0,%0,-1\n"
8161- PPC405_ERR77(0,%1)
8162-" stwcx. %0,0,%1\n\
8163- bne- 1b"
8164- PPC_ATOMIC_EXIT_BARRIER
8165- : "=&r" (t)
8166- : "r" (&v->counter)
8167- : "cc", "xer", "memory");
8168-
8169- return t;
8170+ atomic_sub_unchecked(1, v);
8171 }
8172
8173 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
8174 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
8175
8176+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8177+{
8178+ return cmpxchg(&(v->counter), old, new);
8179+}
8180+
8181+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8182+{
8183+ return xchg(&(v->counter), new);
8184+}
8185+
8186 /**
8187 * __atomic_add_unless - add unless the number is a given value
8188 * @v: pointer of type atomic_t
8189@@ -171,11 +202,27 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
8190 PPC_ATOMIC_ENTRY_BARRIER
8191 "1: lwarx %0,0,%1 # __atomic_add_unless\n\
8192 cmpw 0,%0,%3 \n\
8193- beq- 2f \n\
8194- add %0,%2,%0 \n"
8195+ beq- 2f \n"
8196+
8197+#ifdef CONFIG_PAX_REFCOUNT
8198+" mcrxr cr0\n"
8199+" addo. %0,%2,%0\n"
8200+" bf 4*cr0+so, 4f\n"
8201+"3:.long " "0x00c00b00""\n"
8202+"4:\n"
8203+#else
8204+ "add %0,%2,%0 \n"
8205+#endif
8206+
8207 PPC405_ERR77(0,%2)
8208 " stwcx. %0,0,%1 \n\
8209 bne- 1b \n"
8210+"5:"
8211+
8212+#ifdef CONFIG_PAX_REFCOUNT
8213+ _ASM_EXTABLE(3b, 5b)
8214+#endif
8215+
8216 PPC_ATOMIC_EXIT_BARRIER
8217 " subf %0,%2,%0 \n\
8218 2:"
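Review bot: The word `0x00c00b00` and the `mcrxr`/`addo.`/`bf` sequence are written out by hand here with labels 3/4/5, duplicating `__OVERFLOW_PRE`/`__OVERFLOW_POST` from earlier in the file (labels 2/3/4), and nothing says what the word encodes. A named constant and a one-line comment would keep the two copies in step, e.g. `/* PAX_REFCOUNT: on signed overflow run the (presumably faulting) word at 3:, which __ex_table resumes at 5:, skipping the stwcx. */`. The clobber list of this asm statement lies outside the hunk, so whether it accounts for `mcrxr` writing XER cannot be checked from here.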
8219@@ -248,6 +295,11 @@ static __inline__ int atomic_dec_if_positive(atomic_t *v)
8220 }
8221 #define atomic_dec_if_positive atomic_dec_if_positive
8222
8223+#define smp_mb__before_atomic_dec() smp_mb()
8224+#define smp_mb__after_atomic_dec() smp_mb()
8225+#define smp_mb__before_atomic_inc() smp_mb()
8226+#define smp_mb__after_atomic_inc() smp_mb()
8227+
8228 #ifdef __powerpc64__
8229
8230 #define ATOMIC64_INIT(i) { (i) }
8231@@ -261,37 +313,60 @@ static __inline__ long atomic64_read(const atomic64_t *v)
8232 return t;
8233 }
8234
8235+static __inline__ long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8236+{
8237+ long t;
8238+
8239+ __asm__ __volatile__("ld%U1%X1 %0,%1" : "=r"(t) : "m"(v->counter));
8240+
8241+ return t;
8242+}
8243+
8244 static __inline__ void atomic64_set(atomic64_t *v, long i)
8245 {
8246 __asm__ __volatile__("std%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
8247 }
8248
8249-#define ATOMIC64_OP(op, asm_op) \
8250-static __inline__ void atomic64_##op(long a, atomic64_t *v) \
8251+static __inline__ void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8252+{
8253+ __asm__ __volatile__("std%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
8254+}
8255+
8256+#define __ATOMIC64_OP(op, suffix, pre_op, asm_op, post_op, extable) \
8257+static inline void atomic64_##op##suffix(long a, atomic64##suffix##_t *v)\
8258 { \
8259 long t; \
8260 \
8261 __asm__ __volatile__( \
8262 "1: ldarx %0,0,%3 # atomic64_" #op "\n" \
8263+ pre_op \
8264 #asm_op " %0,%2,%0\n" \
8265+ post_op \
8266 " stdcx. %0,0,%3 \n" \
8267 " bne- 1b\n" \
8268+ extable \
8269 : "=&r" (t), "+m" (v->counter) \
8270 : "r" (a), "r" (&v->counter) \
8271 : "cc"); \
8272 }
8273
8274-#define ATOMIC64_OP_RETURN(op, asm_op) \
8275-static __inline__ long atomic64_##op##_return(long a, atomic64_t *v) \
8276+#define ATOMIC64_OP(op, asm_op) __ATOMIC64_OP(op, , , asm_op, , ) \
8277+ __ATOMIC64_OP(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8278+
8279+#define __ATOMIC64_OP_RETURN(op, suffix, pre_op, asm_op, post_op, extable)\
8280+static inline long atomic64_##op##_return##suffix(long a, atomic64##suffix##_t *v)\
8281 { \
8282 long t; \
8283 \
8284 __asm__ __volatile__( \
8285 PPC_ATOMIC_ENTRY_BARRIER \
8286 "1: ldarx %0,0,%2 # atomic64_" #op "_return\n" \
8287+ pre_op \
8288 #asm_op " %0,%1,%0\n" \
8289+ post_op \
8290 " stdcx. %0,0,%2 \n" \
8291 " bne- 1b\n" \
8292+ extable \
8293 PPC_ATOMIC_EXIT_BARRIER \
8294 : "=&r" (t) \
8295 : "r" (a), "r" (&v->counter) \
8296@@ -300,6 +375,9 @@ static __inline__ long atomic64_##op##_return(long a, atomic64_t *v) \
8297 return t; \
8298 }
8299
8300+#define ATOMIC64_OP_RETURN(op, asm_op) __ATOMIC64_OP_RETURN(op, , , asm_op, , )\
8301+ __ATOMIC64_OP_RETURN(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8302+
8303 #define ATOMIC64_OPS(op, asm_op) ATOMIC64_OP(op, asm_op) ATOMIC64_OP_RETURN(op, asm_op)
8304
8305 ATOMIC64_OPS(add, add)
8306@@ -307,40 +385,33 @@ ATOMIC64_OPS(sub, subf)
8307
8308 #undef ATOMIC64_OPS
8309 #undef ATOMIC64_OP_RETURN
8310+#undef __ATOMIC64_OP_RETURN
8311 #undef ATOMIC64_OP
8312+#undef __ATOMIC64_OP
8313+#undef __OVERFLOW_EXTABLE
8314+#undef __OVERFLOW_POST
8315+#undef __OVERFLOW_PRE
8316+#undef __REFCOUNT_OP
8317
8318 #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0)
8319
8320-static __inline__ void atomic64_inc(atomic64_t *v)
8321-{
8322- long t;
8323+/*
8324+ * atomic64_inc - increment atomic variable
8325+ * @v: pointer of type atomic64_t
8326+ *
8327+ * Automatically increments @v by 1
8328+ */
8329+#define atomic64_inc(v) atomic64_add(1, (v))
8330+#define atomic64_inc_return(v) atomic64_add_return(1, (v))
8331
8332- __asm__ __volatile__(
8333-"1: ldarx %0,0,%2 # atomic64_inc\n\
8334- addic %0,%0,1\n\
8335- stdcx. %0,0,%2 \n\
8336- bne- 1b"
8337- : "=&r" (t), "+m" (v->counter)
8338- : "r" (&v->counter)
8339- : "cc", "xer");
8340+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8341+{
8342+ atomic64_add_unchecked(1, v);
8343 }
8344
8345-static __inline__ long atomic64_inc_return(atomic64_t *v)
8346+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8347 {
8348- long t;
8349-
8350- __asm__ __volatile__(
8351- PPC_ATOMIC_ENTRY_BARRIER
8352-"1: ldarx %0,0,%1 # atomic64_inc_return\n\
8353- addic %0,%0,1\n\
8354- stdcx. %0,0,%1 \n\
8355- bne- 1b"
8356- PPC_ATOMIC_EXIT_BARRIER
8357- : "=&r" (t)
8358- : "r" (&v->counter)
8359- : "cc", "xer", "memory");
8360-
8361- return t;
8362+ return atomic64_add_return_unchecked(1, v);
8363 }
8364
8365 /*
8366@@ -353,36 +424,18 @@ static __inline__ long atomic64_inc_return(atomic64_t *v)
8367 */
8368 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
8369
8370-static __inline__ void atomic64_dec(atomic64_t *v)
8371+/*
8372+ * atomic64_dec - decrement atomic variable
8373+ * @v: pointer of type atomic64_t
8374+ *
8375+ * Atomically decrements @v by 1
8376+ */
8377+#define atomic64_dec(v) atomic64_sub(1, (v))
8378+#define atomic64_dec_return(v) atomic64_sub_return(1, (v))
8379+
8380+static __inline__ void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8381 {
8382- long t;
8383-
8384- __asm__ __volatile__(
8385-"1: ldarx %0,0,%2 # atomic64_dec\n\
8386- addic %0,%0,-1\n\
8387- stdcx. %0,0,%2\n\
8388- bne- 1b"
8389- : "=&r" (t), "+m" (v->counter)
8390- : "r" (&v->counter)
8391- : "cc", "xer");
8392-}
8393-
8394-static __inline__ long atomic64_dec_return(atomic64_t *v)
8395-{
8396- long t;
8397-
8398- __asm__ __volatile__(
8399- PPC_ATOMIC_ENTRY_BARRIER
8400-"1: ldarx %0,0,%1 # atomic64_dec_return\n\
8401- addic %0,%0,-1\n\
8402- stdcx. %0,0,%1\n\
8403- bne- 1b"
8404- PPC_ATOMIC_EXIT_BARRIER
8405- : "=&r" (t)
8406- : "r" (&v->counter)
8407- : "cc", "xer", "memory");
8408-
8409- return t;
8410+ atomic64_sub_unchecked(1, v);
8411 }
8412
8413 #define atomic64_sub_and_test(a, v) (atomic64_sub_return((a), (v)) == 0)
8414@@ -415,6 +468,16 @@ static __inline__ long atomic64_dec_if_positive(atomic64_t *v)
8415 #define atomic64_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
8416 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
8417
8418+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8419+{
8420+ return cmpxchg(&(v->counter), old, new);
8421+}
8422+
8423+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8424+{
8425+ return xchg(&(v->counter), new);
8426+}
8427+
8428 /**
8429 * atomic64_add_unless - add unless the number is a given value
8430 * @v: pointer of type atomic64_t
8431@@ -430,13 +493,29 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
8432
8433 __asm__ __volatile__ (
8434 PPC_ATOMIC_ENTRY_BARRIER
8435-"1: ldarx %0,0,%1 # __atomic_add_unless\n\
8436+"1: ldarx %0,0,%1 # atomic64_add_unless\n\
8437 cmpd 0,%0,%3 \n\
8438- beq- 2f \n\
8439- add %0,%2,%0 \n"
8440+ beq- 2f \n"
8441+
8442+#ifdef CONFIG_PAX_REFCOUNT
8443+" mcrxr cr0\n"
8444+" addo. %0,%2,%0\n"
8445+" bf 4*cr0+so, 4f\n"
8446+"3:.long " "0x00c00b00""\n"
8447+"4:\n"
8448+#else
8449+ "add %0,%2,%0 \n"
8450+#endif
8451+
8452 " stdcx. %0,0,%1 \n\
8453 bne- 1b \n"
8454 PPC_ATOMIC_EXIT_BARRIER
8455+"5:"
8456+
8457+#ifdef CONFIG_PAX_REFCOUNT
8458+ _ASM_EXTABLE(3b, 5b)
8459+#endif
8460+
8461 " subf %0,%2,%0 \n\
8462 2:"
8463 : "=&r" (t)
8464diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h
8465index 51ccc72..35de789 100644
8466--- a/arch/powerpc/include/asm/barrier.h
8467+++ b/arch/powerpc/include/asm/barrier.h
8468@@ -76,7 +76,7 @@
8469 do { \
8470 compiletime_assert_atomic_type(*p); \
8471 smp_lwsync(); \
8472- ACCESS_ONCE(*p) = (v); \
8473+ ACCESS_ONCE_RW(*p) = (v); \
8474 } while (0)
8475
8476 #define smp_load_acquire(p) \
8477diff --git a/arch/powerpc/include/asm/cache.h b/arch/powerpc/include/asm/cache.h
8478index 0dc42c5..b80a3a1 100644
8479--- a/arch/powerpc/include/asm/cache.h
8480+++ b/arch/powerpc/include/asm/cache.h
8481@@ -4,6 +4,7 @@
8482 #ifdef __KERNEL__
8483
8484 #include <asm/reg.h>
8485+#include <linux/const.h>
8486
8487 /* bytes per L1 cache line */
8488 #if defined(CONFIG_8xx) || defined(CONFIG_403GCX)
8489@@ -23,7 +24,7 @@
8490 #define L1_CACHE_SHIFT 7
8491 #endif
8492
8493-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
8494+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8495
8496 #define SMP_CACHE_BYTES L1_CACHE_BYTES
8497
8498diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h
8499index ee46ffe..b36c98c 100644
8500--- a/arch/powerpc/include/asm/elf.h
8501+++ b/arch/powerpc/include/asm/elf.h
8502@@ -30,6 +30,18 @@
8503
8504 #define ELF_ET_DYN_BASE 0x20000000
8505
8506+#ifdef CONFIG_PAX_ASLR
8507+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
8508+
8509+#ifdef __powerpc64__
8510+#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
8511+#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
8512+#else
8513+#define PAX_DELTA_MMAP_LEN 15
8514+#define PAX_DELTA_STACK_LEN 15
8515+#endif
8516+#endif
8517+
8518 #define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0)
8519
8520 /*
8521diff --git a/arch/powerpc/include/asm/exec.h b/arch/powerpc/include/asm/exec.h
8522index 8196e9c..d83a9f3 100644
8523--- a/arch/powerpc/include/asm/exec.h
8524+++ b/arch/powerpc/include/asm/exec.h
8525@@ -4,6 +4,6 @@
8526 #ifndef _ASM_POWERPC_EXEC_H
8527 #define _ASM_POWERPC_EXEC_H
8528
8529-extern unsigned long arch_align_stack(unsigned long sp);
8530+#define arch_align_stack(x) ((x) & ~0xfUL)
8531
8532 #endif /* _ASM_POWERPC_EXEC_H */
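Review bot: The new `arch_align_stack(x)` macro only masks to 16 bytes, so the per-exec sub-page stack offset applied by the out-of-line function (removed from process.c later in this patch) is dropped in every configuration, including builds without CONFIG_PAX_ASLR. Stack randomization presumably comes from PaX code elsewhere, but that is not visible here. A comment would record the dependency, e.g. `/* alignment only: stack randomization is expected from PaX ASLR, not from here */`. It is also worth confirming that a build with PAX_ASLR disabled does not silently lose the offset.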
8533diff --git a/arch/powerpc/include/asm/kmap_types.h b/arch/powerpc/include/asm/kmap_types.h
8534index 5acabbd..7ea14fa 100644
8535--- a/arch/powerpc/include/asm/kmap_types.h
8536+++ b/arch/powerpc/include/asm/kmap_types.h
8537@@ -10,7 +10,7 @@
8538 * 2 of the License, or (at your option) any later version.
8539 */
8540
8541-#define KM_TYPE_NR 16
8542+#define KM_TYPE_NR 17
8543
8544 #endif /* __KERNEL__ */
8545 #endif /* _ASM_POWERPC_KMAP_TYPES_H */
8546diff --git a/arch/powerpc/include/asm/local.h b/arch/powerpc/include/asm/local.h
8547index b8da913..c02b593 100644
8548--- a/arch/powerpc/include/asm/local.h
8549+++ b/arch/powerpc/include/asm/local.h
8550@@ -9,21 +9,65 @@ typedef struct
8551 atomic_long_t a;
8552 } local_t;
8553
8554+typedef struct
8555+{
8556+ atomic_long_unchecked_t a;
8557+} local_unchecked_t;
8558+
8559 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
8560
8561 #define local_read(l) atomic_long_read(&(l)->a)
8562+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
8563 #define local_set(l,i) atomic_long_set(&(l)->a, (i))
8564+#define local_set_unchecked(l,i) atomic_long_set_unchecked(&(l)->a, (i))
8565
8566 #define local_add(i,l) atomic_long_add((i),(&(l)->a))
8567+#define local_add_unchecked(i,l) atomic_long_add_unchecked((i),(&(l)->a))
8568 #define local_sub(i,l) atomic_long_sub((i),(&(l)->a))
8569+#define local_sub_unchecked(i,l) atomic_long_sub_unchecked((i),(&(l)->a))
8570 #define local_inc(l) atomic_long_inc(&(l)->a)
8571+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
8572 #define local_dec(l) atomic_long_dec(&(l)->a)
8573+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
8574
8575 static __inline__ long local_add_return(long a, local_t *l)
8576 {
8577 long t;
8578
8579 __asm__ __volatile__(
8580+"1:" PPC_LLARX(%0,0,%2,0) " # local_add_return\n"
8581+
8582+#ifdef CONFIG_PAX_REFCOUNT
8583+" mcrxr cr0\n"
8584+" addo. %0,%1,%0\n"
8585+" bf 4*cr0+so, 3f\n"
8586+"2:.long " "0x00c00b00""\n"
8587+#else
8588+" add %0,%1,%0\n"
8589+#endif
8590+
8591+"3:\n"
8592+ PPC405_ERR77(0,%2)
8593+ PPC_STLCX "%0,0,%2 \n\
8594+ bne- 1b"
8595+
8596+#ifdef CONFIG_PAX_REFCOUNT
8597+"\n4:\n"
8598+ _ASM_EXTABLE(2b, 4b)
8599+#endif
8600+
8601+ : "=&r" (t)
8602+ : "r" (a), "r" (&(l->a.counter))
8603+ : "cc", "memory");
8604+
8605+ return t;
8606+}
8607+
8608+static __inline__ long local_add_return_unchecked(long a, local_unchecked_t *l)
8609+{
8610+ long t;
8611+
8612+ __asm__ __volatile__(
8613 "1:" PPC_LLARX(%0,0,%2,0) " # local_add_return\n\
8614 add %0,%1,%0\n"
8615 PPC405_ERR77(0,%2)
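Review bot: The clobber list of the checked `local_add_return` stays `"cc", "memory"` although the CONFIG_PAX_REFCOUNT path now executes `mcrxr cr0` and `addo.`, both of which write XER. The spinlock.h hunks in this patch that use the same sequence list `"xer"`, so this one looks like an omission; I would make it `: "cc", "xer", "memory");`. A one-line comment on the `.long 0x00c00b00` word, saying it is the trapping marker paired with the `_ASM_EXTABLE(2b, 4b)` entry, would also help readers. `local_add_return_unchecked` continues outside the hunk.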
8616@@ -101,6 +145,8 @@ static __inline__ long local_dec_return(local_t *l)
8617
8618 #define local_cmpxchg(l, o, n) \
8619 (cmpxchg_local(&((l)->a.counter), (o), (n)))
8620+#define local_cmpxchg_unchecked(l, o, n) \
8621+ (cmpxchg_local(&((l)->a.counter), (o), (n)))
8622 #define local_xchg(l, n) (xchg_local(&((l)->a.counter), (n)))
8623
8624 /**
8625diff --git a/arch/powerpc/include/asm/mman.h b/arch/powerpc/include/asm/mman.h
8626index 8565c25..2865190 100644
8627--- a/arch/powerpc/include/asm/mman.h
8628+++ b/arch/powerpc/include/asm/mman.h
8629@@ -24,7 +24,7 @@ static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot)
8630 }
8631 #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot)
8632
8633-static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags)
8634+static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags)
8635 {
8636 return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0);
8637 }
8638diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h
8639index 71294a6..9e40aca 100644
8640--- a/arch/powerpc/include/asm/page.h
8641+++ b/arch/powerpc/include/asm/page.h
8642@@ -227,8 +227,9 @@ extern long long virt_phys_offset;
8643 * and needs to be executable. This means the whole heap ends
8644 * up being executable.
8645 */
8646-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
8647- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8648+#define VM_DATA_DEFAULT_FLAGS32 \
8649+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
8650+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8651
8652 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
8653 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8654@@ -256,6 +257,9 @@ extern long long virt_phys_offset;
8655 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
8656 #endif
8657
8658+#define ktla_ktva(addr) (addr)
8659+#define ktva_ktla(addr) (addr)
8660+
8661 #ifndef CONFIG_PPC_BOOK3S_64
8662 /*
8663 * Use the top bit of the higher-level page table entries to indicate whether
8664diff --git a/arch/powerpc/include/asm/page_64.h b/arch/powerpc/include/asm/page_64.h
8665index d908a46..3753f71 100644
8666--- a/arch/powerpc/include/asm/page_64.h
8667+++ b/arch/powerpc/include/asm/page_64.h
8668@@ -172,15 +172,18 @@ do { \
8669 * stack by default, so in the absence of a PT_GNU_STACK program header
8670 * we turn execute permission off.
8671 */
8672-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
8673- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8674+#define VM_STACK_DEFAULT_FLAGS32 \
8675+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
8676+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8677
8678 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
8679 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8680
8681+#ifndef CONFIG_PAX_PAGEEXEC
8682 #define VM_STACK_DEFAULT_FLAGS \
8683 (is_32bit_task() ? \
8684 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
8685+#endif
8686
8687 #include <asm-generic/getorder.h>
8688
8689diff --git a/arch/powerpc/include/asm/pgalloc-64.h b/arch/powerpc/include/asm/pgalloc-64.h
8690index 4b0be20..c15a27d 100644
8691--- a/arch/powerpc/include/asm/pgalloc-64.h
8692+++ b/arch/powerpc/include/asm/pgalloc-64.h
8693@@ -54,6 +54,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd)
8694 #ifndef CONFIG_PPC_64K_PAGES
8695
8696 #define pgd_populate(MM, PGD, PUD) pgd_set(PGD, PUD)
8697+#define pgd_populate_kernel(MM, PGD, PUD) pgd_populate((MM), (PGD), (PUD))
8698
8699 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
8700 {
8701@@ -71,6 +72,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
8702 pud_set(pud, (unsigned long)pmd);
8703 }
8704
8705+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
8706+{
8707+ pud_populate(mm, pud, pmd);
8708+}
8709+
8710 #define pmd_populate(mm, pmd, pte_page) \
8711 pmd_populate_kernel(mm, pmd, page_address(pte_page))
8712 #define pmd_populate_kernel(mm, pmd, pte) pmd_set(pmd, (unsigned long)(pte))
8713@@ -173,6 +179,7 @@ extern void __tlb_remove_table(void *_table);
8714 #endif
8715
8716 #define pud_populate(mm, pud, pmd) pud_set(pud, (unsigned long)pmd)
8717+#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
8718
8719 static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd,
8720 pte_t *pte)
8721diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
8722index 11a3863..108f194 100644
8723--- a/arch/powerpc/include/asm/pgtable.h
8724+++ b/arch/powerpc/include/asm/pgtable.h
8725@@ -2,6 +2,7 @@
8726 #define _ASM_POWERPC_PGTABLE_H
8727 #ifdef __KERNEL__
8728
8729+#include <linux/const.h>
8730 #ifndef __ASSEMBLY__
8731 #include <linux/mmdebug.h>
8732 #include <linux/mmzone.h>
8733diff --git a/arch/powerpc/include/asm/pte-hash32.h b/arch/powerpc/include/asm/pte-hash32.h
8734index 62cfb0c..50c6402 100644
8735--- a/arch/powerpc/include/asm/pte-hash32.h
8736+++ b/arch/powerpc/include/asm/pte-hash32.h
8737@@ -20,6 +20,7 @@
8738 #define _PAGE_HASHPTE 0x002 /* hash_page has made an HPTE for this pte */
8739 #define _PAGE_USER 0x004 /* usermode access allowed */
8740 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
8741+#define _PAGE_EXEC _PAGE_GUARDED
8742 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
8743 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
8744 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
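Review bot: `_PAGE_EXEC` is defined as an alias of `_PAGE_GUARDED` with no comment, so nothing tells the reader that the G bit is deliberately reused as the execute marker on hash32. If the intent is the one suggested by the `DSISR_GUARDED` define added in reg.h, say so next to the define, e.g. `/* PaX: G bit doubles as the no-exec marker; fetch faults report DSISR_GUARDED */`. The wording is inferred from the two hunks and should be confirmed against the fault handler.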
8745diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
8746index af56b5c..f86f3f6 100644
8747--- a/arch/powerpc/include/asm/reg.h
8748+++ b/arch/powerpc/include/asm/reg.h
8749@@ -253,6 +253,7 @@
8750 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
8751 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
8752 #define DSISR_NOHPTE 0x40000000 /* no translation found */
8753+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
8754 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
8755 #define DSISR_ISSTORE 0x02000000 /* access was a store */
8756 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
8757diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h
8758index 825663c..f9e9134 100644
8759--- a/arch/powerpc/include/asm/smp.h
8760+++ b/arch/powerpc/include/asm/smp.h
8761@@ -51,7 +51,7 @@ struct smp_ops_t {
8762 int (*cpu_disable)(void);
8763 void (*cpu_die)(unsigned int nr);
8764 int (*cpu_bootable)(unsigned int nr);
8765-};
8766+} __no_const;
8767
8768 extern void smp_send_debugger_break(void);
8769 extern void start_secondary_resume(void);
8770diff --git a/arch/powerpc/include/asm/spinlock.h b/arch/powerpc/include/asm/spinlock.h
8771index 4dbe072..b803275 100644
8772--- a/arch/powerpc/include/asm/spinlock.h
8773+++ b/arch/powerpc/include/asm/spinlock.h
8774@@ -204,13 +204,29 @@ static inline long __arch_read_trylock(arch_rwlock_t *rw)
8775 __asm__ __volatile__(
8776 "1: " PPC_LWARX(%0,0,%1,1) "\n"
8777 __DO_SIGN_EXTEND
8778-" addic. %0,%0,1\n\
8779- ble- 2f\n"
8780+
8781+#ifdef CONFIG_PAX_REFCOUNT
8782+" mcrxr cr0\n"
8783+" addico. %0,%0,1\n"
8784+" bf 4*cr0+so, 3f\n"
8785+"2:.long " "0x00c00b00""\n"
8786+#else
8787+" addic. %0,%0,1\n"
8788+#endif
8789+
8790+"3:\n"
8791+ "ble- 4f\n"
8792 PPC405_ERR77(0,%1)
8793 " stwcx. %0,0,%1\n\
8794 bne- 1b\n"
8795 PPC_ACQUIRE_BARRIER
8796-"2:" : "=&r" (tmp)
8797+"4:"
8798+
8799+#ifdef CONFIG_PAX_REFCOUNT
8800+ _ASM_EXTABLE(2b,4b)
8801+#endif
8802+
8803+ : "=&r" (tmp)
8804 : "r" (&rw->lock)
8805 : "cr0", "xer", "memory");
8806
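Review bot: The CONFIG_PAX_REFCOUNT branch uses `addico. %0,%0,1`, and I am not aware of such a mnemonic. `addic`/`addic.` are immediate (D-form) instructions with no overflow-enable variant, so this path may not assemble. The other refcount sequences in this patch (atomic64_add_unless, local_add_return) use the register form `addo.`; doing the same here would need the constant in a register operand. The `arch_read_unlock` hunk below has the same `addico.` line. Please build this file with CONFIG_PAX_REFCOUNT=y to confirm. `__arch_read_trylock` starts and ends outside the hunk.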
8807@@ -286,11 +302,27 @@ static inline void arch_read_unlock(arch_rwlock_t *rw)
8808 __asm__ __volatile__(
8809 "# read_unlock\n\t"
8810 PPC_RELEASE_BARRIER
8811-"1: lwarx %0,0,%1\n\
8812- addic %0,%0,-1\n"
8813+"1: lwarx %0,0,%1\n"
8814+
8815+#ifdef CONFIG_PAX_REFCOUNT
8816+" mcrxr cr0\n"
8817+" addico. %0,%0,-1\n"
8818+" bf 4*cr0+so, 3f\n"
8819+"2:.long " "0x00c00b00""\n"
8820+#else
8821+" addic. %0,%0,-1\n"
8822+#endif
8823+
8824+"3:\n"
8825 PPC405_ERR77(0,%1)
8826 " stwcx. %0,0,%1\n\
8827 bne- 1b"
8828+
8829+#ifdef CONFIG_PAX_REFCOUNT
8830+"\n4:\n"
8831+ _ASM_EXTABLE(2b, 4b)
8832+#endif
8833+
8834 : "=&r"(tmp)
8835 : "r"(&rw->lock)
8836 : "cr0", "xer", "memory");
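Review bot: The `#else` branch changes the original `addic %0,%0,-1` to the record form `addic. %0,%0,-1`, so kernels built without CONFIG_PAX_REFCOUNT now also update CR0 in `arch_read_unlock`. This is harmless with the existing `"cr0"` clobber, but it is an unrelated change to the unhardened path and reads like a copy from the trylock hunk; I would keep `" addic %0,%0,-1\n"` there. The `addico.` line in the hardened branch has the same problem noted on the previous hunk.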
8837diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
8838index 7efee4a..48d47cc 100644
8839--- a/arch/powerpc/include/asm/thread_info.h
8840+++ b/arch/powerpc/include/asm/thread_info.h
8841@@ -101,6 +101,8 @@ static inline struct thread_info *current_thread_info(void)
8842 #if defined(CONFIG_PPC64)
8843 #define TIF_ELF2ABI 18 /* function descriptors must die! */
8844 #endif
8845+/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */
8846+#define TIF_GRSEC_SETXID 6 /* update credentials on syscall entry/exit */
8847
8848 /* as above, but as bit values */
8849 #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
8850@@ -119,9 +121,10 @@ static inline struct thread_info *current_thread_info(void)
8851 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
8852 #define _TIF_EMULATE_STACK_STORE (1<<TIF_EMULATE_STACK_STORE)
8853 #define _TIF_NOHZ (1<<TIF_NOHZ)
8854+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
8855 #define _TIF_SYSCALL_DOTRACE (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
8856 _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT | \
8857- _TIF_NOHZ)
8858+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
8859
8860 #define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
8861 _TIF_NOTIFY_RESUME | _TIF_UPROBE | \
8862diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
8863index 2a8ebae..5643c6f 100644
8864--- a/arch/powerpc/include/asm/uaccess.h
8865+++ b/arch/powerpc/include/asm/uaccess.h
8866@@ -58,6 +58,7 @@
8867
8868 #endif
8869
8870+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
8871 #define access_ok(type, addr, size) \
8872 (__chk_user_ptr(addr), \
8873 __access_ok((__force unsigned long)(addr), (size), get_fs()))
8874@@ -318,52 +319,6 @@ do { \
8875 extern unsigned long __copy_tofrom_user(void __user *to,
8876 const void __user *from, unsigned long size);
8877
8878-#ifndef __powerpc64__
8879-
8880-static inline unsigned long copy_from_user(void *to,
8881- const void __user *from, unsigned long n)
8882-{
8883- unsigned long over;
8884-
8885- if (access_ok(VERIFY_READ, from, n))
8886- return __copy_tofrom_user((__force void __user *)to, from, n);
8887- if ((unsigned long)from < TASK_SIZE) {
8888- over = (unsigned long)from + n - TASK_SIZE;
8889- return __copy_tofrom_user((__force void __user *)to, from,
8890- n - over) + over;
8891- }
8892- return n;
8893-}
8894-
8895-static inline unsigned long copy_to_user(void __user *to,
8896- const void *from, unsigned long n)
8897-{
8898- unsigned long over;
8899-
8900- if (access_ok(VERIFY_WRITE, to, n))
8901- return __copy_tofrom_user(to, (__force void __user *)from, n);
8902- if ((unsigned long)to < TASK_SIZE) {
8903- over = (unsigned long)to + n - TASK_SIZE;
8904- return __copy_tofrom_user(to, (__force void __user *)from,
8905- n - over) + over;
8906- }
8907- return n;
8908-}
8909-
8910-#else /* __powerpc64__ */
8911-
8912-#define __copy_in_user(to, from, size) \
8913- __copy_tofrom_user((to), (from), (size))
8914-
8915-extern unsigned long copy_from_user(void *to, const void __user *from,
8916- unsigned long n);
8917-extern unsigned long copy_to_user(void __user *to, const void *from,
8918- unsigned long n);
8919-extern unsigned long copy_in_user(void __user *to, const void __user *from,
8920- unsigned long n);
8921-
8922-#endif /* __powerpc64__ */
8923-
8924 static inline unsigned long __copy_from_user_inatomic(void *to,
8925 const void __user *from, unsigned long n)
8926 {
8927@@ -387,6 +342,10 @@ static inline unsigned long __copy_from_user_inatomic(void *to,
8928 if (ret == 0)
8929 return 0;
8930 }
8931+
8932+ if (!__builtin_constant_p(n))
8933+ check_object_size(to, n, false);
8934+
8935 return __copy_tofrom_user((__force void __user *)to, from, n);
8936 }
8937
8938@@ -413,6 +372,10 @@ static inline unsigned long __copy_to_user_inatomic(void __user *to,
8939 if (ret == 0)
8940 return 0;
8941 }
8942+
8943+ if (!__builtin_constant_p(n))
8944+ check_object_size(from, n, true);
8945+
8946 return __copy_tofrom_user(to, (__force const void __user *)from, n);
8947 }
8948
8949@@ -430,6 +393,92 @@ static inline unsigned long __copy_to_user(void __user *to,
8950 return __copy_to_user_inatomic(to, from, size);
8951 }
8952
8953+#ifndef __powerpc64__
8954+
8955+static inline unsigned long __must_check copy_from_user(void *to,
8956+ const void __user *from, unsigned long n)
8957+{
8958+ unsigned long over;
8959+
8960+ if ((long)n < 0)
8961+ return n;
8962+
8963+ if (access_ok(VERIFY_READ, from, n)) {
8964+ if (!__builtin_constant_p(n))
8965+ check_object_size(to, n, false);
8966+ return __copy_tofrom_user((__force void __user *)to, from, n);
8967+ }
8968+ if ((unsigned long)from < TASK_SIZE) {
8969+ over = (unsigned long)from + n - TASK_SIZE;
8970+ if (!__builtin_constant_p(n - over))
8971+ check_object_size(to, n - over, false);
8972+ return __copy_tofrom_user((__force void __user *)to, from,
8973+ n - over) + over;
8974+ }
8975+ return n;
8976+}
8977+
8978+static inline unsigned long __must_check copy_to_user(void __user *to,
8979+ const void *from, unsigned long n)
8980+{
8981+ unsigned long over;
8982+
8983+ if ((long)n < 0)
8984+ return n;
8985+
8986+ if (access_ok(VERIFY_WRITE, to, n)) {
8987+ if (!__builtin_constant_p(n))
8988+ check_object_size(from, n, true);
8989+ return __copy_tofrom_user(to, (__force void __user *)from, n);
8990+ }
8991+ if ((unsigned long)to < TASK_SIZE) {
8992+ over = (unsigned long)to + n - TASK_SIZE;
8993+ if (!__builtin_constant_p(n))
8994+ check_object_size(from, n - over, true);
8995+ return __copy_tofrom_user(to, (__force void __user *)from,
8996+ n - over) + over;
8997+ }
8998+ return n;
8999+}
9000+
9001+#else /* __powerpc64__ */
9002+
9003+#define __copy_in_user(to, from, size) \
9004+ __copy_tofrom_user((to), (from), (size))
9005+
9006+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
9007+{
9008+ if ((long)n < 0 || n > INT_MAX)
9009+ return n;
9010+
9011+ if (!__builtin_constant_p(n))
9012+ check_object_size(to, n, false);
9013+
9014+ if (likely(access_ok(VERIFY_READ, from, n)))
9015+ n = __copy_from_user(to, from, n);
9016+ else
9017+ memset(to, 0, n);
9018+ return n;
9019+}
9020+
9021+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
9022+{
9023+ if ((long)n < 0 || n > INT_MAX)
9024+ return n;
9025+
9026+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
9027+ if (!__builtin_constant_p(n))
9028+ check_object_size(from, n, true);
9029+ n = __copy_to_user(to, from, n);
9030+ }
9031+ return n;
9032+}
9033+
9034+extern unsigned long copy_in_user(void __user *to, const void __user *from,
9035+ unsigned long n);
9036+
9037+#endif /* __powerpc64__ */
9038+
9039 extern unsigned long __clear_user(void __user *addr, unsigned long size);
9040
9041 static inline unsigned long clear_user(void __user *addr, unsigned long size)
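Review bot: The 32-bit `copy_from_user` leaves the kernel destination untouched on its `return n` paths, while the 64-bit variant added in the same hunk zero-fills with `memset(to, 0, n)` when `access_ok` fails. A caller that ignores the `__must_check` result would then read stale kernel memory on 32-bit only. Adding `memset(to, 0, n);` before the final `return n;` of the 32-bit function would make the two agree. Separately, the partial-copy branch of the 32-bit `copy_to_user` tests `__builtin_constant_p(n)` but checks `n - over`, whereas `copy_from_user` tests `__builtin_constant_p(n - over)`. One form should be used in both.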
9042diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
9043index 12868b1..5155667 100644
9044--- a/arch/powerpc/kernel/Makefile
9045+++ b/arch/powerpc/kernel/Makefile
9046@@ -14,6 +14,11 @@ CFLAGS_prom_init.o += -fPIC
9047 CFLAGS_btext.o += -fPIC
9048 endif
9049
9050+CFLAGS_REMOVE_cputable.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9051+CFLAGS_REMOVE_prom_init.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9052+CFLAGS_REMOVE_btext.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9053+CFLAGS_REMOVE_prom.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9054+
9055 ifdef CONFIG_FUNCTION_TRACER
9056 # Do not trace early boot code
9057 CFLAGS_REMOVE_cputable.o = -pg -mno-sched-epilog
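Review bot: The added `CFLAGS_REMOVE_cputable.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)` is overwritten by the plain `=` assignment inside `ifdef CONFIG_FUNCTION_TRACER` a few lines below. With the tracer enabled, the latent-entropy flags are therefore no longer removed from cputable.o. The same probably holds for btext.o and prom.o, whose tracer lines are outside the hunk. The next hunk re-adds the flags with `+=` for prom_init.o only. Placing the whole block after the `endif` and using `+=` for all four objects, e.g. `CFLAGS_REMOVE_cputable.o += $(LATENT_ENTROPY_PLUGIN_CFLAGS)`, would make the removal independent of CONFIG_FUNCTION_TRACER.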
9058@@ -26,6 +31,8 @@ CFLAGS_REMOVE_ftrace.o = -pg -mno-sched-epilog
9059 CFLAGS_REMOVE_time.o = -pg -mno-sched-epilog
9060 endif
9061
9062+CFLAGS_REMOVE_prom_init.o += $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9063+
9064 obj-y := cputable.o ptrace.o syscalls.o \
9065 irq.o align.o signal_32.o pmc.o vdso.o \
9066 process.o systbl.o idle.o \
9067diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S
9068index 3e68d1c..72a5ee6 100644
9069--- a/arch/powerpc/kernel/exceptions-64e.S
9070+++ b/arch/powerpc/kernel/exceptions-64e.S
9071@@ -1010,6 +1010,7 @@ storage_fault_common:
9072 std r14,_DAR(r1)
9073 std r15,_DSISR(r1)
9074 addi r3,r1,STACK_FRAME_OVERHEAD
9075+ bl save_nvgprs
9076 mr r4,r14
9077 mr r5,r15
9078 ld r14,PACA_EXGEN+EX_R14(r13)
9079@@ -1018,8 +1019,7 @@ storage_fault_common:
9080 cmpdi r3,0
9081 bne- 1f
9082 b ret_from_except_lite
9083-1: bl save_nvgprs
9084- mr r5,r3
9085+1: mr r5,r3
9086 addi r3,r1,STACK_FRAME_OVERHEAD
9087 ld r4,_DAR(r1)
9088 bl bad_page_fault
9089diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
9090index 0a0399c2..262a2e6 100644
9091--- a/arch/powerpc/kernel/exceptions-64s.S
9092+++ b/arch/powerpc/kernel/exceptions-64s.S
9093@@ -1591,10 +1591,10 @@ handle_page_fault:
9094 11: ld r4,_DAR(r1)
9095 ld r5,_DSISR(r1)
9096 addi r3,r1,STACK_FRAME_OVERHEAD
9097+ bl save_nvgprs
9098 bl do_page_fault
9099 cmpdi r3,0
9100 beq+ 12f
9101- bl save_nvgprs
9102 mr r5,r3
9103 addi r3,r1,STACK_FRAME_OVERHEAD
9104 lwz r4,_DAR(r1)
9105diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
9106index 4509603..cdb491f 100644
9107--- a/arch/powerpc/kernel/irq.c
9108+++ b/arch/powerpc/kernel/irq.c
9109@@ -460,6 +460,8 @@ void migrate_irqs(void)
9110 }
9111 #endif
9112
9113+extern void gr_handle_kernel_exploit(void);
9114+
9115 static inline void check_stack_overflow(void)
9116 {
9117 #ifdef CONFIG_DEBUG_STACKOVERFLOW
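Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in irq.c, and the traps.c hunk repeats the same prototype (ptrace.c does likewise for `gr_delayed_cred_worker`). Prototypes scattered across .c files are not checked against the definition, so a later signature change would compile silently. The declaration belongs in one shared header included by both files. `check_stack_overflow` continues outside the hunk.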
9118@@ -472,6 +474,7 @@ static inline void check_stack_overflow(void)
9119 pr_err("do_IRQ: stack overflow: %ld\n",
9120 sp - sizeof(struct thread_info));
9121 dump_stack();
9122+ gr_handle_kernel_exploit();
9123 }
9124 #endif
9125 }
9126diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
9127index c94d2e0..992a9ce 100644
9128--- a/arch/powerpc/kernel/module_32.c
9129+++ b/arch/powerpc/kernel/module_32.c
9130@@ -158,7 +158,7 @@ int module_frob_arch_sections(Elf32_Ehdr *hdr,
9131 me->arch.core_plt_section = i;
9132 }
9133 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
9134- pr_err("Module doesn't contain .plt or .init.plt sections.\n");
9135+ pr_err("Module $s doesn't contain .plt or .init.plt sections.\n", me->name);
9136 return -ENOEXEC;
9137 }
9138
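Review bot: The new format string uses `$s` instead of `%s`, so the module name is never printed and `me->name` is passed as an unused extra argument. The line should be `pr_err("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`. `module_frob_arch_sections` starts and ends outside the hunk.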
9139@@ -188,11 +188,16 @@ static uint32_t do_plt_call(void *location,
9140
9141 pr_debug("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
9142 /* Init, or core PLT? */
9143- if (location >= mod->module_core
9144- && location < mod->module_core + mod->core_size)
9145+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
9146+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
9147 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
9148- else
9149+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
9150+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
9151 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
9152+ else {
9153+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
9154+ return ~0UL;
9155+ }
9156
9157 /* Find this entry, or if that fails, the next avail. entry */
9158 while (entry->jump[0]) {
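Review bot: The new `return ~0UL;` makes `do_plt_call` report failure through an in-band value of its `uint32_t` result, which only helps if callers test for it. The ftrace caller in the next hunk stores the result in `module->arch.tramp` unchecked. The R_PPC_REL24 call site is outside this diff, so whether it rejects the sentinel cannot be seen. If it does not, the relocation would be computed from an all-ones address after the error has been logged; that caller should fail the load (the file already uses `-ENOEXEC`) when the sentinel comes back. `do_plt_call` continues outside the hunk.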
9159@@ -296,7 +301,7 @@ int apply_relocate_add(Elf32_Shdr *sechdrs,
9160 }
9161 #ifdef CONFIG_DYNAMIC_FTRACE
9162 module->arch.tramp =
9163- do_plt_call(module->module_core,
9164+ do_plt_call(module->module_core_rx,
9165 (unsigned long)ftrace_caller,
9166 sechdrs, module);
9167 #endif
9168diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
9169index 64e6e9d..cf90ed5 100644
9170--- a/arch/powerpc/kernel/process.c
9171+++ b/arch/powerpc/kernel/process.c
9172@@ -1033,8 +1033,8 @@ void show_regs(struct pt_regs * regs)
9173 * Lookup NIP late so we have the best change of getting the
9174 * above info out without failing
9175 */
9176- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
9177- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
9178+ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
9179+ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
9180 #endif
9181 show_stack(current, (unsigned long *) regs->gpr[1]);
9182 if (!user_mode(regs))
9183@@ -1550,10 +1550,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
9184 newsp = stack[0];
9185 ip = stack[STACK_FRAME_LR_SAVE];
9186 if (!firstframe || ip != lr) {
9187- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
9188+ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
9189 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
9190 if ((ip == rth) && curr_frame >= 0) {
9191- printk(" (%pS)",
9192+ printk(" (%pA)",
9193 (void *)current->ret_stack[curr_frame].ret);
9194 curr_frame--;
9195 }
9196@@ -1573,7 +1573,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
9197 struct pt_regs *regs = (struct pt_regs *)
9198 (sp + STACK_FRAME_OVERHEAD);
9199 lr = regs->link;
9200- printk("--- interrupt: %lx at %pS\n LR = %pS\n",
9201+ printk("--- interrupt: %lx at %pA\n LR = %pA\n",
9202 regs->trap, (void *)regs->nip, (void *)lr);
9203 firstframe = 1;
9204 }
9205@@ -1609,49 +1609,3 @@ void notrace __ppc64_runlatch_off(void)
9206 mtspr(SPRN_CTRLT, ctrl);
9207 }
9208 #endif /* CONFIG_PPC64 */
9209-
9210-unsigned long arch_align_stack(unsigned long sp)
9211-{
9212- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
9213- sp -= get_random_int() & ~PAGE_MASK;
9214- return sp & ~0xf;
9215-}
9216-
9217-static inline unsigned long brk_rnd(void)
9218-{
9219- unsigned long rnd = 0;
9220-
9221- /* 8MB for 32bit, 1GB for 64bit */
9222- if (is_32bit_task())
9223- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
9224- else
9225- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
9226-
9227- return rnd << PAGE_SHIFT;
9228-}
9229-
9230-unsigned long arch_randomize_brk(struct mm_struct *mm)
9231-{
9232- unsigned long base = mm->brk;
9233- unsigned long ret;
9234-
9235-#ifdef CONFIG_PPC_STD_MMU_64
9236- /*
9237- * If we are using 1TB segments and we are allowed to randomise
9238- * the heap, we can put it above 1TB so it is backed by a 1TB
9239- * segment. Otherwise the heap will be in the bottom 1TB
9240- * which always uses 256MB segments and this may result in a
9241- * performance penalty.
9242- */
9243- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
9244- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
9245-#endif
9246-
9247- ret = PAGE_ALIGN(base + brk_rnd());
9248-
9249- if (ret < mm->brk)
9250- return mm->brk;
9251-
9252- return ret;
9253-}
9254-
9255diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
9256index f21897b..28c0428 100644
9257--- a/arch/powerpc/kernel/ptrace.c
9258+++ b/arch/powerpc/kernel/ptrace.c
9259@@ -1762,6 +1762,10 @@ long arch_ptrace(struct task_struct *child, long request,
9260 return ret;
9261 }
9262
9263+#ifdef CONFIG_GRKERNSEC_SETXID
9264+extern void gr_delayed_cred_worker(void);
9265+#endif
9266+
9267 /*
9268 * We must return the syscall number to actually look up in the table.
9269 * This can be -1L to skip running any syscall at all.
9270@@ -1774,6 +1778,11 @@ long do_syscall_trace_enter(struct pt_regs *regs)
9271
9272 secure_computing_strict(regs->gpr[0]);
9273
9274+#ifdef CONFIG_GRKERNSEC_SETXID
9275+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
9276+ gr_delayed_cred_worker();
9277+#endif
9278+
9279 if (test_thread_flag(TIF_SYSCALL_TRACE) &&
9280 tracehook_report_syscall_entry(regs))
9281 /*
9282@@ -1805,6 +1814,11 @@ void do_syscall_trace_leave(struct pt_regs *regs)
9283 {
9284 int step;
9285
9286+#ifdef CONFIG_GRKERNSEC_SETXID
9287+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
9288+ gr_delayed_cred_worker();
9289+#endif
9290+
9291 audit_syscall_exit(regs);
9292
9293 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
9294diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
9295index da50e0c..5ff6307 100644
9296--- a/arch/powerpc/kernel/signal_32.c
9297+++ b/arch/powerpc/kernel/signal_32.c
9298@@ -1009,7 +1009,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
9299 /* Save user registers on the stack */
9300 frame = &rt_sf->uc.uc_mcontext;
9301 addr = frame;
9302- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
9303+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
9304 sigret = 0;
9305 tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp;
9306 } else {
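Review bot: The "vDSO not mapped" sentinel is written as the bare literal `~0UL` in this test, again in handle_rt_signal64, and in the assignment in arch_setup_additional_pages in vdso.c. A single named constant, for example `#define VDSO_BASE_UNMAPPED (~0UL)` (name constructed here), would keep the three sites in step. Because the sentinel moves from 0 to ~0UL, any other reader of `context.vdso_base` that still tests for zero would treat an unmapped vDSO as mapped. None is visible in this excerpt, so that needs a tree-wide check. handle_rt_signal32 continues outside the hunk.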
9307diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
9308index c7c24d2..1bf7039 100644
9309--- a/arch/powerpc/kernel/signal_64.c
9310+++ b/arch/powerpc/kernel/signal_64.c
9311@@ -754,7 +754,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs
9312 current->thread.fp_state.fpscr = 0;
9313
9314 /* Set up to return from userspace. */
9315- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
9316+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
9317 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
9318 } else {
9319 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
9320diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
9321index 37de90f..12472ac 100644
9322--- a/arch/powerpc/kernel/traps.c
9323+++ b/arch/powerpc/kernel/traps.c
9324@@ -36,6 +36,7 @@
9325 #include <linux/debugfs.h>
9326 #include <linux/ratelimit.h>
9327 #include <linux/context_tracking.h>
9328+#include <linux/uaccess.h>
9329
9330 #include <asm/emulated_ops.h>
9331 #include <asm/pgtable.h>
9332@@ -142,6 +143,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
9333 return flags;
9334 }
9335
9336+extern void gr_handle_kernel_exploit(void);
9337+
9338 static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
9339 int signr)
9340 {
9341@@ -191,6 +194,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
9342 panic("Fatal exception in interrupt");
9343 if (panic_on_oops)
9344 panic("Fatal exception");
9345+
9346+ gr_handle_kernel_exploit();
9347+
9348 do_exit(signr);
9349 }
9350
9351@@ -1139,6 +1145,26 @@ void __kprobes program_check_exception(struct pt_regs *regs)
9352 enum ctx_state prev_state = exception_enter();
9353 unsigned int reason = get_reason(regs);
9354
9355+#ifdef CONFIG_PAX_REFCOUNT
9356+ unsigned int bkpt;
9357+ const struct exception_table_entry *entry;
9358+
9359+ if (reason & REASON_ILLEGAL) {
9360+ /* Check if PaX bad instruction */
9361+ if (!probe_kernel_address(regs->nip, bkpt) && bkpt == 0xc00b00) {
9362+ current->thread.trap_nr = 0;
9363+ pax_report_refcount_overflow(regs);
9364+ /* fixup_exception() for PowerPC does not exist, simulate its job */
9365+ if ((entry = search_exception_tables(regs->nip)) != NULL) {
9366+ regs->nip = entry->fixup;
9367+ return;
9368+ }
9369+ /* fixup_exception() could not handle */
9370+ goto bail;
9371+ }
9372+ }
9373+#endif
9374+
9375 /* We can now get here via a FP Unavailable exception if the core
9376 * has no FPU, in that case the reason flags will be 0 */
9377
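Review bot: The PAX_REFCOUNT branch added to program_check_exception does not check which mode the trap came from before calling `pax_report_refcount_overflow(regs)`. Any illegal-instruction trap whose word at `regs->nip` equals 0xc00b00 takes this path. If that instruction is only ever emitted in kernel code, a guard such as `if (!user_mode(regs) && (reason & REASON_ILLEGAL)) {` would keep a user-space fault from being reported as a kernel refcount overflow. The literal `0xc00b00` would also read better as a named constant shared with the code that emits it. The `bail` label and the rest of the function are outside the hunk.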
9378diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c
9379index b457bfa..9018cde 100644
9380--- a/arch/powerpc/kernel/vdso.c
9381+++ b/arch/powerpc/kernel/vdso.c
9382@@ -34,6 +34,7 @@
9383 #include <asm/vdso.h>
9384 #include <asm/vdso_datapage.h>
9385 #include <asm/setup.h>
9386+#include <asm/mman.h>
9387
9388 #undef DEBUG
9389
9390@@ -179,7 +180,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
9391 vdso_base = VDSO32_MBASE;
9392 #endif
9393
9394- current->mm->context.vdso_base = 0;
9395+ current->mm->context.vdso_base = ~0UL;
9396
9397 /* vDSO has a problem and was disabled, just don't "enable" it for the
9398 * process
9399@@ -199,7 +200,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
9400 vdso_base = get_unmapped_area(NULL, vdso_base,
9401 (vdso_pages << PAGE_SHIFT) +
9402 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
9403- 0, 0);
9404+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
9405 if (IS_ERR_VALUE(vdso_base)) {
9406 rc = vdso_base;
9407 goto fail_mmapsem;
9408diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
9409index e5dde32..557af3d 100644
9410--- a/arch/powerpc/kvm/powerpc.c
9411+++ b/arch/powerpc/kvm/powerpc.c
9412@@ -1404,7 +1404,7 @@ void kvmppc_init_lpid(unsigned long nr_lpids_param)
9413 }
9414 EXPORT_SYMBOL_GPL(kvmppc_init_lpid);
9415
9416-int kvm_arch_init(void *opaque)
9417+int kvm_arch_init(const void *opaque)
9418 {
9419 return 0;
9420 }
9421diff --git a/arch/powerpc/lib/usercopy_64.c b/arch/powerpc/lib/usercopy_64.c
9422index 5eea6f3..5d10396 100644
9423--- a/arch/powerpc/lib/usercopy_64.c
9424+++ b/arch/powerpc/lib/usercopy_64.c
9425@@ -9,22 +9,6 @@
9426 #include <linux/module.h>
9427 #include <asm/uaccess.h>
9428
9429-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
9430-{
9431- if (likely(access_ok(VERIFY_READ, from, n)))
9432- n = __copy_from_user(to, from, n);
9433- else
9434- memset(to, 0, n);
9435- return n;
9436-}
9437-
9438-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
9439-{
9440- if (likely(access_ok(VERIFY_WRITE, to, n)))
9441- n = __copy_to_user(to, from, n);
9442- return n;
9443-}
9444-
9445 unsigned long copy_in_user(void __user *to, const void __user *from,
9446 unsigned long n)
9447 {
9448@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *to, const void __user *from,
9449 return n;
9450 }
9451
9452-EXPORT_SYMBOL(copy_from_user);
9453-EXPORT_SYMBOL(copy_to_user);
9454 EXPORT_SYMBOL(copy_in_user);
9455
9456diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
9457index a67c6d7..a662e6d 100644
9458--- a/arch/powerpc/mm/fault.c
9459+++ b/arch/powerpc/mm/fault.c
9460@@ -34,6 +34,10 @@
9461 #include <linux/context_tracking.h>
9462 #include <linux/hugetlb.h>
9463 #include <linux/uaccess.h>
9464+#include <linux/slab.h>
9465+#include <linux/pagemap.h>
9466+#include <linux/compiler.h>
9467+#include <linux/unistd.h>
9468
9469 #include <asm/firmware.h>
9470 #include <asm/page.h>
9471@@ -68,6 +72,33 @@ static inline int notify_page_fault(struct pt_regs *regs)
9472 }
9473 #endif
9474
9475+#ifdef CONFIG_PAX_PAGEEXEC
9476+/*
9477+ * PaX: decide what to do with offenders (regs->nip = fault address)
9478+ *
9479+ * returns 1 when task should be killed
9480+ */
9481+static int pax_handle_fetch_fault(struct pt_regs *regs)
9482+{
9483+ return 1;
9484+}
9485+
9486+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
9487+{
9488+ unsigned long i;
9489+
9490+ printk(KERN_ERR "PAX: bytes at PC: ");
9491+ for (i = 0; i < 5; i++) {
9492+ unsigned int c;
9493+ if (get_user(c, (unsigned int __user *)pc+i))
9494+ printk(KERN_CONT "???????? ");
9495+ else
9496+ printk(KERN_CONT "%08x ", c);
9497+ }
9498+ printk("\n");
9499+}
9500+#endif
9501+
9502 /*
9503 * Check whether the instruction at regs->nip is a store using
9504 * an update addressing form which will update r1.
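Review bot: In pax_report_insns the closing `printk("\n");` carries no log level, unlike the `KERN_CONT` fragments before it. `printk(KERN_CONT "\n");` would keep the terminator attached to the same record. The word count `5` in the loop is a bare literal and deserves a name or a comment. pax_handle_fetch_fault always returns 1, so its header comment could say outright that on powerpc every offender is killed.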
9505@@ -227,7 +258,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address,
9506 * indicate errors in DSISR but can validly be set in SRR1.
9507 */
9508 if (trap == 0x400)
9509- error_code &= 0x48200000;
9510+ error_code &= 0x58200000;
9511 else
9512 is_write = error_code & DSISR_ISSTORE;
9513 #else
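Review bot: The instruction-fault mask changes from `0x48200000` to `0x58200000` as a bare literal, while the next hunk replaces what is presumably the same `0x10000000` bit with `DSISR_GUARDED`. Writing the added bit symbolically, e.g. `error_code &= 0x48200000 | DSISR_GUARDED;`, or adding a comment that names it, would show that guarded-storage faults are now kept for the `is_exec` check added further down. do_page_fault starts and ends outside the hunk.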
9514@@ -384,12 +415,16 @@ good_area:
9515 * "undefined". Of those that can be set, this is the only
9516 * one which seems bad.
9517 */
9518- if (error_code & 0x10000000)
9519+ if (error_code & DSISR_GUARDED)
9520 /* Guarded storage error. */
9521 goto bad_area;
9522 #endif /* CONFIG_8xx */
9523
9524 if (is_exec) {
9525+#ifdef CONFIG_PPC_STD_MMU
9526+ if (error_code & DSISR_GUARDED)
9527+ goto bad_area;
9528+#endif
9529 /*
9530 * Allow execution from readable areas if the MMU does not
9531 * provide separate controls over reading and executing.
9532@@ -484,6 +519,23 @@ bad_area:
9533 bad_area_nosemaphore:
9534 /* User mode accesses cause a SIGSEGV */
9535 if (user_mode(regs)) {
9536+
9537+#ifdef CONFIG_PAX_PAGEEXEC
9538+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
9539+#ifdef CONFIG_PPC_STD_MMU
9540+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
9541+#else
9542+ if (is_exec && regs->nip == address) {
9543+#endif
9544+ switch (pax_handle_fetch_fault(regs)) {
9545+ }
9546+
9547+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
9548+ do_group_exit(SIGKILL);
9549+ }
9550+ }
9551+#endif
9552+
9553 _exception(SIGSEGV, regs, code, address);
9554 goto bail;
9555 }
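Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the helper's return value is discarded and the task reaches `do_group_exit(SIGKILL)` whatever it returns. Either call `pax_report_fault()` directly, or make the contract explicit with a `case 1: break;` arm and a comment that other return values are reserved. The two alternative `if (is_exec && ...) {` openers under `#ifdef CONFIG_PPC_STD_MMU` / `#else` share one closing brace, which is hard to verify by eye. Computing the condition into a local flag first would leave a single `if`. The enclosing function starts outside the hunk.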
9556diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c
9557index 0f0502e..bc3e7a3 100644
9558--- a/arch/powerpc/mm/mmap.c
9559+++ b/arch/powerpc/mm/mmap.c
9560@@ -86,6 +86,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9561 {
9562 unsigned long random_factor = 0UL;
9563
9564+#ifdef CONFIG_PAX_RANDMMAP
9565+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9566+#endif
9567+
9568 if (current->flags & PF_RANDOMIZE)
9569 random_factor = arch_mmap_rnd();
9570
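Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own. It guards the existing `if (current->flags & PF_RANDOMIZE)` across the `#endif` and a blank line, so an edit to either line can silently change what is guarded. Dropping the blank line and adding a comment such as `/* guards the PF_RANDOMIZE test below */` inside the `#ifdef` would make the dependency visible. The same construct is added in arch/s390/mm/mmap.c and twice in arch/sh/mm/mmap.c. The later hunks here apply `mm->delta_mmap` when the flag is set, which suggests the intent is to skip the stock random factor in that case. That reading is inferred, not stated.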
9571@@ -95,9 +99,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9572 */
9573 if (mmap_is_legacy()) {
9574 mm->mmap_base = TASK_UNMAPPED_BASE;
9575+
9576+#ifdef CONFIG_PAX_RANDMMAP
9577+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9578+ mm->mmap_base += mm->delta_mmap;
9579+#endif
9580+
9581 mm->get_unmapped_area = arch_get_unmapped_area;
9582 } else {
9583 mm->mmap_base = mmap_base(random_factor);
9584+
9585+#ifdef CONFIG_PAX_RANDMMAP
9586+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9587+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
9588+#endif
9589+
9590 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
9591 }
9592 }
9593diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c
9594index 0f432a7..abfe841 100644
9595--- a/arch/powerpc/mm/slice.c
9596+++ b/arch/powerpc/mm/slice.c
9597@@ -105,7 +105,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr,
9598 if ((mm->task_size - len) < addr)
9599 return 0;
9600 vma = find_vma(mm, addr);
9601- return (!vma || (addr + len) <= vma->vm_start);
9602+ return check_heap_stack_gap(vma, addr, len, 0);
9603 }
9604
9605 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
9606@@ -277,6 +277,12 @@ static unsigned long slice_find_area_bottomup(struct mm_struct *mm,
9607 info.align_offset = 0;
9608
9609 addr = TASK_UNMAPPED_BASE;
9610+
9611+#ifdef CONFIG_PAX_RANDMMAP
9612+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9613+ addr += mm->delta_mmap;
9614+#endif
9615+
9616 while (addr < TASK_SIZE) {
9617 info.low_limit = addr;
9618 if (!slice_scan_available(addr, available, 1, &addr))
9619@@ -410,6 +416,11 @@ unsigned long slice_get_unmapped_area(unsigned long addr, unsigned long len,
9620 if (fixed && addr > (mm->task_size - len))
9621 return -ENOMEM;
9622
9623+#ifdef CONFIG_PAX_RANDMMAP
9624+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
9625+ addr = 0;
9626+#endif
9627+
9628 /* If hint, make sure it matches our alignment restrictions */
9629 if (!fixed && addr) {
9630 addr = _ALIGN_UP(addr, 1ul << pshift);
9631diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
9632index d966bbe..372124a 100644
9633--- a/arch/powerpc/platforms/cell/spufs/file.c
9634+++ b/arch/powerpc/platforms/cell/spufs/file.c
9635@@ -280,9 +280,9 @@ spufs_mem_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
9636 return VM_FAULT_NOPAGE;
9637 }
9638
9639-static int spufs_mem_mmap_access(struct vm_area_struct *vma,
9640+static ssize_t spufs_mem_mmap_access(struct vm_area_struct *vma,
9641 unsigned long address,
9642- void *buf, int len, int write)
9643+ void *buf, size_t len, int write)
9644 {
9645 struct spu_context *ctx = vma->vm_file->private_data;
9646 unsigned long offset = address - vma->vm_start;
9647diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
9648index c56878e..073d04e 100644
9649--- a/arch/s390/Kconfig.debug
9650+++ b/arch/s390/Kconfig.debug
9651@@ -21,6 +21,7 @@ config S390_PTDUMP
9652 bool "Export kernel pagetable layout to userspace via debugfs"
9653 depends on DEBUG_KERNEL
9654 select DEBUG_FS
9655+ depends on !GRKERNSEC_KMEM
9656 ---help---
9657 Say Y here if you want to show the kernel pagetable layout in a
9658 debugfs file. This information is only useful for kernel developers
9659diff --git a/arch/s390/include/asm/atomic.h b/arch/s390/include/asm/atomic.h
9660index adbe380..adb7516 100644
9661--- a/arch/s390/include/asm/atomic.h
9662+++ b/arch/s390/include/asm/atomic.h
9663@@ -317,4 +317,14 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v)
9664 #define atomic64_dec_and_test(_v) (atomic64_sub_return(1, _v) == 0)
9665 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
9666
9667+#define atomic64_read_unchecked(v) atomic64_read(v)
9668+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
9669+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
9670+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
9671+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
9672+#define atomic64_inc_unchecked(v) atomic64_inc(v)
9673+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
9674+#define atomic64_dec_unchecked(v) atomic64_dec(v)
9675+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
9676+
9677 #endif /* __ARCH_S390_ATOMIC__ */
9678diff --git a/arch/s390/include/asm/barrier.h b/arch/s390/include/asm/barrier.h
9679index e6f8615..4a66339 100644
9680--- a/arch/s390/include/asm/barrier.h
9681+++ b/arch/s390/include/asm/barrier.h
9682@@ -42,7 +42,7 @@
9683 do { \
9684 compiletime_assert_atomic_type(*p); \
9685 barrier(); \
9686- ACCESS_ONCE(*p) = (v); \
9687+ ACCESS_ONCE_RW(*p) = (v); \
9688 } while (0)
9689
9690 #define smp_load_acquire(p) \
9691diff --git a/arch/s390/include/asm/cache.h b/arch/s390/include/asm/cache.h
9692index 4d7ccac..d03d0ad 100644
9693--- a/arch/s390/include/asm/cache.h
9694+++ b/arch/s390/include/asm/cache.h
9695@@ -9,8 +9,10 @@
9696 #ifndef __ARCH_S390_CACHE_H
9697 #define __ARCH_S390_CACHE_H
9698
9699-#define L1_CACHE_BYTES 256
9700+#include <linux/const.h>
9701+
9702 #define L1_CACHE_SHIFT 8
9703+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9704 #define NET_SKB_PAD 32
9705
9706 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9707diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
9708index 3ad48f2..64cc6f3 100644
9709--- a/arch/s390/include/asm/elf.h
9710+++ b/arch/s390/include/asm/elf.h
9711@@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
9712 (STACK_TOP / 3 * 2) : \
9713 (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1))
9714
9715+#ifdef CONFIG_PAX_ASLR
9716+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
9717+
9718+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26)
9719+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26)
9720+#endif
9721+
9722 /* This yields a mask that user programs can use to figure out what
9723 instruction set this CPU supports. */
9724
9725diff --git a/arch/s390/include/asm/exec.h b/arch/s390/include/asm/exec.h
9726index c4a93d6..4d2a9b4 100644
9727--- a/arch/s390/include/asm/exec.h
9728+++ b/arch/s390/include/asm/exec.h
9729@@ -7,6 +7,6 @@
9730 #ifndef __ASM_EXEC_H
9731 #define __ASM_EXEC_H
9732
9733-extern unsigned long arch_align_stack(unsigned long sp);
9734+#define arch_align_stack(x) ((x) & ~0xfUL)
9735
9736 #endif /* __ASM_EXEC_H */
9737diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
9738index 9dd4cc4..36f4b84 100644
9739--- a/arch/s390/include/asm/uaccess.h
9740+++ b/arch/s390/include/asm/uaccess.h
9741@@ -59,6 +59,7 @@ static inline int __range_ok(unsigned long addr, unsigned long size)
9742 __range_ok((unsigned long)(addr), (size)); \
9743 })
9744
9745+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
9746 #define access_ok(type, addr, size) __access_ok(addr, size)
9747
9748 /*
9749@@ -278,6 +279,10 @@ static inline unsigned long __must_check
9750 copy_to_user(void __user *to, const void *from, unsigned long n)
9751 {
9752 might_fault();
9753+
9754+ if ((long)n < 0)
9755+ return n;
9756+
9757 return __copy_to_user(to, from, n);
9758 }
9759
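Review bot: The new guard `if ((long)n < 0) return n;` in copy_to_user has no comment explaining why a length with the top bit set is refused. I would add `/* a length with the sign bit set is a negative size converted to unsigned long: copy nothing and report all n bytes as uncopied */` above it. The same guard is added to copy_from_user in the next hunk, where it returns before the destination buffer is written at all. Callers there must act on the non-zero return and not assume the buffer was filled or zeroed.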
9760@@ -307,10 +312,14 @@ __compiletime_warning("copy_from_user() buffer size is not provably correct")
9761 static inline unsigned long __must_check
9762 copy_from_user(void *to, const void __user *from, unsigned long n)
9763 {
9764- unsigned int sz = __compiletime_object_size(to);
9765+ size_t sz = __compiletime_object_size(to);
9766
9767 might_fault();
9768- if (unlikely(sz != -1 && sz < n)) {
9769+
9770+ if ((long)n < 0)
9771+ return n;
9772+
9773+ if (unlikely(sz != (size_t)-1 && sz < n)) {
9774 copy_from_user_overflow();
9775 return n;
9776 }
9777diff --git a/arch/s390/kernel/module.c b/arch/s390/kernel/module.c
9778index 0c1a679..e1df357 100644
9779--- a/arch/s390/kernel/module.c
9780+++ b/arch/s390/kernel/module.c
9781@@ -159,11 +159,11 @@ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
9782
9783 /* Increase core size by size of got & plt and set start
9784 offsets for got and plt. */
9785- me->core_size = ALIGN(me->core_size, 4);
9786- me->arch.got_offset = me->core_size;
9787- me->core_size += me->arch.got_size;
9788- me->arch.plt_offset = me->core_size;
9789- me->core_size += me->arch.plt_size;
9790+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
9791+ me->arch.got_offset = me->core_size_rw;
9792+ me->core_size_rw += me->arch.got_size;
9793+ me->arch.plt_offset = me->core_size_rx;
9794+ me->core_size_rx += me->arch.plt_size;
9795 return 0;
9796 }
9797
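Review bot: `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset without aligning `core_size_rx`, whereas the GOT side keeps `ALIGN(me->core_size_rw, 4)`. Before the split the PLT followed the aligned GOT in the same region, so it presumably inherited that alignment. apply_rela later writes the PLT stubs through an `unsigned int *`. Adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the assignment would restore the old guarantee, unless code outside this hunk already aligns the rx size. module_frob_arch_sections starts outside the hunk.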
9798@@ -279,7 +279,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9799 if (info->got_initialized == 0) {
9800 Elf_Addr *gotent;
9801
9802- gotent = me->module_core + me->arch.got_offset +
9803+ gotent = me->module_core_rw + me->arch.got_offset +
9804 info->got_offset;
9805 *gotent = val;
9806 info->got_initialized = 1;
9807@@ -302,7 +302,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9808 rc = apply_rela_bits(loc, val, 0, 64, 0);
9809 else if (r_type == R_390_GOTENT ||
9810 r_type == R_390_GOTPLTENT) {
9811- val += (Elf_Addr) me->module_core - loc;
9812+ val += (Elf_Addr) me->module_core_rw - loc;
9813 rc = apply_rela_bits(loc, val, 1, 32, 1);
9814 }
9815 break;
9816@@ -315,7 +315,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9817 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
9818 if (info->plt_initialized == 0) {
9819 unsigned int *ip;
9820- ip = me->module_core + me->arch.plt_offset +
9821+ ip = me->module_core_rx + me->arch.plt_offset +
9822 info->plt_offset;
9823 ip[0] = 0x0d10e310; /* basr 1,0; lg 1,10(1); br 1 */
9824 ip[1] = 0x100a0004;
9825@@ -334,7 +334,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9826 val - loc + 0xffffUL < 0x1ffffeUL) ||
9827 (r_type == R_390_PLT32DBL &&
9828 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
9829- val = (Elf_Addr) me->module_core +
9830+ val = (Elf_Addr) me->module_core_rx +
9831 me->arch.plt_offset +
9832 info->plt_offset;
9833 val += rela->r_addend - loc;
9834@@ -356,7 +356,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9835 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
9836 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
9837 val = val + rela->r_addend -
9838- ((Elf_Addr) me->module_core + me->arch.got_offset);
9839+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
9840 if (r_type == R_390_GOTOFF16)
9841 rc = apply_rela_bits(loc, val, 0, 16, 0);
9842 else if (r_type == R_390_GOTOFF32)
9843@@ -366,7 +366,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9844 break;
9845 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
9846 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
9847- val = (Elf_Addr) me->module_core + me->arch.got_offset +
9848+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
9849 rela->r_addend - loc;
9850 if (r_type == R_390_GOTPC)
9851 rc = apply_rela_bits(loc, val, 1, 32, 0);
9852diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
9853index 8f587d8..0642516b 100644
9854--- a/arch/s390/kernel/process.c
9855+++ b/arch/s390/kernel/process.c
9856@@ -200,27 +200,3 @@ unsigned long get_wchan(struct task_struct *p)
9857 }
9858 return 0;
9859 }
9860-
9861-unsigned long arch_align_stack(unsigned long sp)
9862-{
9863- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
9864- sp -= get_random_int() & ~PAGE_MASK;
9865- return sp & ~0xf;
9866-}
9867-
9868-static inline unsigned long brk_rnd(void)
9869-{
9870- /* 8MB for 32bit, 1GB for 64bit */
9871- if (is_32bit_task())
9872- return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
9873- else
9874- return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
9875-}
9876-
9877-unsigned long arch_randomize_brk(struct mm_struct *mm)
9878-{
9879- unsigned long ret;
9880-
9881- ret = PAGE_ALIGN(mm->brk + brk_rnd());
9882- return (ret > mm->brk) ? ret : mm->brk;
9883-}
9884diff --git a/arch/s390/mm/mmap.c b/arch/s390/mm/mmap.c
9885index 6e552af..3e608a1 100644
9886--- a/arch/s390/mm/mmap.c
9887+++ b/arch/s390/mm/mmap.c
9888@@ -239,6 +239,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9889 {
9890 unsigned long random_factor = 0UL;
9891
9892+#ifdef CONFIG_PAX_RANDMMAP
9893+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9894+#endif
9895+
9896 if (current->flags & PF_RANDOMIZE)
9897 random_factor = arch_mmap_rnd();
9898
9899@@ -248,9 +252,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9900 */
9901 if (mmap_is_legacy()) {
9902 mm->mmap_base = mmap_base_legacy(random_factor);
9903+
9904+#ifdef CONFIG_PAX_RANDMMAP
9905+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9906+ mm->mmap_base += mm->delta_mmap;
9907+#endif
9908+
9909 mm->get_unmapped_area = s390_get_unmapped_area;
9910 } else {
9911 mm->mmap_base = mmap_base(random_factor);
9912+
9913+#ifdef CONFIG_PAX_RANDMMAP
9914+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9915+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
9916+#endif
9917+
9918 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
9919 }
9920 }
9921diff --git a/arch/score/include/asm/cache.h b/arch/score/include/asm/cache.h
9922index ae3d59f..f65f075 100644
9923--- a/arch/score/include/asm/cache.h
9924+++ b/arch/score/include/asm/cache.h
9925@@ -1,7 +1,9 @@
9926 #ifndef _ASM_SCORE_CACHE_H
9927 #define _ASM_SCORE_CACHE_H
9928
9929+#include <linux/const.h>
9930+
9931 #define L1_CACHE_SHIFT 4
9932-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9933+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9934
9935 #endif /* _ASM_SCORE_CACHE_H */
9936diff --git a/arch/score/include/asm/exec.h b/arch/score/include/asm/exec.h
9937index f9f3cd5..58ff438 100644
9938--- a/arch/score/include/asm/exec.h
9939+++ b/arch/score/include/asm/exec.h
9940@@ -1,6 +1,6 @@
9941 #ifndef _ASM_SCORE_EXEC_H
9942 #define _ASM_SCORE_EXEC_H
9943
9944-extern unsigned long arch_align_stack(unsigned long sp);
9945+#define arch_align_stack(x) (x)
9946
9947 #endif /* _ASM_SCORE_EXEC_H */
9948diff --git a/arch/score/kernel/process.c b/arch/score/kernel/process.c
9949index a1519ad3..e8ac1ff 100644
9950--- a/arch/score/kernel/process.c
9951+++ b/arch/score/kernel/process.c
9952@@ -116,8 +116,3 @@ unsigned long get_wchan(struct task_struct *task)
9953
9954 return task_pt_regs(task)->cp0_epc;
9955 }
9956-
9957-unsigned long arch_align_stack(unsigned long sp)
9958-{
9959- return sp;
9960-}
9961diff --git a/arch/sh/include/asm/cache.h b/arch/sh/include/asm/cache.h
9962index ef9e555..331bd29 100644
9963--- a/arch/sh/include/asm/cache.h
9964+++ b/arch/sh/include/asm/cache.h
9965@@ -9,10 +9,11 @@
9966 #define __ASM_SH_CACHE_H
9967 #ifdef __KERNEL__
9968
9969+#include <linux/const.h>
9970 #include <linux/init.h>
9971 #include <cpu/cache.h>
9972
9973-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9974+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9975
9976 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9977
9978diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
9979index 6777177..cb5e44f 100644
9980--- a/arch/sh/mm/mmap.c
9981+++ b/arch/sh/mm/mmap.c
9982@@ -36,6 +36,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
9983 struct mm_struct *mm = current->mm;
9984 struct vm_area_struct *vma;
9985 int do_colour_align;
9986+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
9987 struct vm_unmapped_area_info info;
9988
9989 if (flags & MAP_FIXED) {
9990@@ -55,6 +56,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
9991 if (filp || (flags & MAP_SHARED))
9992 do_colour_align = 1;
9993
9994+#ifdef CONFIG_PAX_RANDMMAP
9995+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9996+#endif
9997+
9998 if (addr) {
9999 if (do_colour_align)
10000 addr = COLOUR_ALIGN(addr, pgoff);
10001@@ -62,14 +67,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
10002 addr = PAGE_ALIGN(addr);
10003
10004 vma = find_vma(mm, addr);
10005- if (TASK_SIZE - len >= addr &&
10006- (!vma || addr + len <= vma->vm_start))
10007+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10008 return addr;
10009 }
10010
10011 info.flags = 0;
10012 info.length = len;
10013- info.low_limit = TASK_UNMAPPED_BASE;
10014+ info.low_limit = mm->mmap_base;
10015 info.high_limit = TASK_SIZE;
10016 info.align_mask = do_colour_align ? (PAGE_MASK & shm_align_mask) : 0;
10017 info.align_offset = pgoff << PAGE_SHIFT;
10018@@ -85,6 +89,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10019 struct mm_struct *mm = current->mm;
10020 unsigned long addr = addr0;
10021 int do_colour_align;
10022+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
10023 struct vm_unmapped_area_info info;
10024
10025 if (flags & MAP_FIXED) {
10026@@ -104,6 +109,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10027 if (filp || (flags & MAP_SHARED))
10028 do_colour_align = 1;
10029
10030+#ifdef CONFIG_PAX_RANDMMAP
10031+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10032+#endif
10033+
10034 /* requesting a specific address */
10035 if (addr) {
10036 if (do_colour_align)
10037@@ -112,8 +121,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10038 addr = PAGE_ALIGN(addr);
10039
10040 vma = find_vma(mm, addr);
10041- if (TASK_SIZE - len >= addr &&
10042- (!vma || addr + len <= vma->vm_start))
10043+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10044 return addr;
10045 }
10046
10047@@ -135,6 +143,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10048 VM_BUG_ON(addr != -ENOMEM);
10049 info.flags = 0;
10050 info.low_limit = TASK_UNMAPPED_BASE;
10051+
10052+#ifdef CONFIG_PAX_RANDMMAP
10053+ if (mm->pax_flags & MF_PAX_RANDMMAP)
10054+ info.low_limit += mm->delta_mmap;
10055+#endif
10056+
10057 info.high_limit = TASK_SIZE;
10058 addr = vm_unmapped_area(&info);
10059 }
10060diff --git a/arch/sparc/crypto/aes_glue.c b/arch/sparc/crypto/aes_glue.c
10061index 2e48eb8..c90930d 100644
10062--- a/arch/sparc/crypto/aes_glue.c
10063+++ b/arch/sparc/crypto/aes_glue.c
10064@@ -433,6 +433,7 @@ static struct crypto_alg algs[] = { {
10065 .blkcipher = {
10066 .min_keysize = AES_MIN_KEY_SIZE,
10067 .max_keysize = AES_MAX_KEY_SIZE,
10068+ .ivsize = AES_BLOCK_SIZE,
10069 .setkey = aes_set_key,
10070 .encrypt = cbc_encrypt,
10071 .decrypt = cbc_decrypt,
10072@@ -452,6 +453,7 @@ static struct crypto_alg algs[] = { {
10073 .blkcipher = {
10074 .min_keysize = AES_MIN_KEY_SIZE,
10075 .max_keysize = AES_MAX_KEY_SIZE,
10076+ .ivsize = AES_BLOCK_SIZE,
10077 .setkey = aes_set_key,
10078 .encrypt = ctr_crypt,
10079 .decrypt = ctr_crypt,
10080diff --git a/arch/sparc/crypto/camellia_glue.c b/arch/sparc/crypto/camellia_glue.c
10081index 6bf2479..561a84d 100644
10082--- a/arch/sparc/crypto/camellia_glue.c
10083+++ b/arch/sparc/crypto/camellia_glue.c
10084@@ -274,6 +274,7 @@ static struct crypto_alg algs[] = { {
10085 .blkcipher = {
10086 .min_keysize = CAMELLIA_MIN_KEY_SIZE,
10087 .max_keysize = CAMELLIA_MAX_KEY_SIZE,
10088+ .ivsize = CAMELLIA_BLOCK_SIZE,
10089 .setkey = camellia_set_key,
10090 .encrypt = cbc_encrypt,
10091 .decrypt = cbc_decrypt,
10092diff --git a/arch/sparc/crypto/des_glue.c b/arch/sparc/crypto/des_glue.c
10093index dd6a34f..61af794 100644
10094--- a/arch/sparc/crypto/des_glue.c
10095+++ b/arch/sparc/crypto/des_glue.c
10096@@ -429,6 +429,7 @@ static struct crypto_alg algs[] = { {
10097 .blkcipher = {
10098 .min_keysize = DES_KEY_SIZE,
10099 .max_keysize = DES_KEY_SIZE,
10100+ .ivsize = DES_BLOCK_SIZE,
10101 .setkey = des_set_key,
10102 .encrypt = cbc_encrypt,
10103 .decrypt = cbc_decrypt,
10104@@ -485,6 +486,7 @@ static struct crypto_alg algs[] = { {
10105 .blkcipher = {
10106 .min_keysize = DES3_EDE_KEY_SIZE,
10107 .max_keysize = DES3_EDE_KEY_SIZE,
10108+ .ivsize = DES3_EDE_BLOCK_SIZE,
10109 .setkey = des3_ede_set_key,
10110 .encrypt = cbc3_encrypt,
10111 .decrypt = cbc3_decrypt,
10112diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
10113index 4082749..fd97781 100644
10114--- a/arch/sparc/include/asm/atomic_64.h
10115+++ b/arch/sparc/include/asm/atomic_64.h
10116@@ -15,18 +15,38 @@
10117 #define ATOMIC64_INIT(i) { (i) }
10118
10119 #define atomic_read(v) ACCESS_ONCE((v)->counter)
10120+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
10121+{
10122+ return ACCESS_ONCE(v->counter);
10123+}
10124 #define atomic64_read(v) ACCESS_ONCE((v)->counter)
10125+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
10126+{
10127+ return ACCESS_ONCE(v->counter);
10128+}
10129
10130 #define atomic_set(v, i) (((v)->counter) = i)
10131+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
10132+{
10133+ v->counter = i;
10134+}
10135 #define atomic64_set(v, i) (((v)->counter) = i)
10136+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
10137+{
10138+ v->counter = i;
10139+}
10140
10141-#define ATOMIC_OP(op) \
10142-void atomic_##op(int, atomic_t *); \
10143-void atomic64_##op(long, atomic64_t *);
10144+#define __ATOMIC_OP(op, suffix) \
10145+void atomic_##op##suffix(int, atomic##suffix##_t *); \
10146+void atomic64_##op##suffix(long, atomic64##suffix##_t *);
10147
10148-#define ATOMIC_OP_RETURN(op) \
10149-int atomic_##op##_return(int, atomic_t *); \
10150-long atomic64_##op##_return(long, atomic64_t *);
10151+#define ATOMIC_OP(op) __ATOMIC_OP(op, ) __ATOMIC_OP(op, _unchecked)
10152+
10153+#define __ATOMIC_OP_RETURN(op, suffix) \
10154+int atomic_##op##_return##suffix(int, atomic##suffix##_t *); \
10155+long atomic64_##op##_return##suffix(long, atomic64##suffix##_t *);
10156+
10157+#define ATOMIC_OP_RETURN(op) __ATOMIC_OP_RETURN(op, ) __ATOMIC_OP_RETURN(op, _unchecked)
10158
10159 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
10160
10161@@ -35,13 +55,23 @@ ATOMIC_OPS(sub)
10162
10163 #undef ATOMIC_OPS
10164 #undef ATOMIC_OP_RETURN
10165+#undef __ATOMIC_OP_RETURN
10166 #undef ATOMIC_OP
10167+#undef __ATOMIC_OP
10168
10169 #define atomic_dec_return(v) atomic_sub_return(1, v)
10170 #define atomic64_dec_return(v) atomic64_sub_return(1, v)
10171
10172 #define atomic_inc_return(v) atomic_add_return(1, v)
10173+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
10174+{
10175+ return atomic_add_return_unchecked(1, v);
10176+}
10177 #define atomic64_inc_return(v) atomic64_add_return(1, v)
10178+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
10179+{
10180+ return atomic64_add_return_unchecked(1, v);
10181+}
10182
10183 /*
10184 * atomic_inc_and_test - increment and test
10185@@ -52,6 +82,10 @@ ATOMIC_OPS(sub)
10186 * other cases.
10187 */
10188 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
10189+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
10190+{
10191+ return atomic_inc_return_unchecked(v) == 0;
10192+}
10193 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
10194
10195 #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
10196@@ -61,25 +95,60 @@ ATOMIC_OPS(sub)
10197 #define atomic64_dec_and_test(v) (atomic64_sub_return(1, v) == 0)
10198
10199 #define atomic_inc(v) atomic_add(1, v)
10200+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
10201+{
10202+ atomic_add_unchecked(1, v);
10203+}
10204 #define atomic64_inc(v) atomic64_add(1, v)
10205+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
10206+{
10207+ atomic64_add_unchecked(1, v);
10208+}
10209
10210 #define atomic_dec(v) atomic_sub(1, v)
10211+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
10212+{
10213+ atomic_sub_unchecked(1, v);
10214+}
10215 #define atomic64_dec(v) atomic64_sub(1, v)
10216+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
10217+{
10218+ atomic64_sub_unchecked(1, v);
10219+}
10220
10221 #define atomic_add_negative(i, v) (atomic_add_return(i, v) < 0)
10222 #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0)
10223
10224 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
10225+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
10226+{
10227+ return cmpxchg(&v->counter, old, new);
10228+}
10229 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
10230+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
10231+{
10232+ return xchg(&v->counter, new);
10233+}
10234
10235 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
10236 {
10237- int c, old;
10238+ int c, old, new;
10239 c = atomic_read(v);
10240 for (;;) {
10241- if (unlikely(c == (u)))
10242+ if (unlikely(c == u))
10243 break;
10244- old = atomic_cmpxchg((v), c, c + (a));
10245+
10246+ asm volatile("addcc %2, %0, %0\n"
10247+
10248+#ifdef CONFIG_PAX_REFCOUNT
10249+ "tvs %%icc, 6\n"
10250+#endif
10251+
10252+ : "=r" (new)
10253+ : "0" (c), "ir" (a)
10254+ : "cc");
10255+
10256+ old = atomic_cmpxchg(v, c, new);
10257 if (likely(old == c))
10258 break;
10259 c = old;
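Review bot: The `"ir" (a)` input constraint in the new `addcc` asm of `__atomic_add_unless` lets the compiler substitute any compile-time constant for `%2`, while a SPARC arithmetic immediate is limited to 13 signed bits. A call site inlined with a large constant `a` could therefore yield an instruction the assembler rejects. Restricting the operand to a register with `: "0" (c), "r" (a)`, or to the 13-bit immediate class with `"rI" (a)`, avoids that; the same applies to the `atomic64_add_unless` asm in the next hunk. A comment above the asm such as `/* tvs traps on signed overflow before the cmpxchg, so a wrapped value is never stored */` would also help. The function body continues past the end of this hunk.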
10260@@ -90,20 +159,35 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
10261 #define atomic64_cmpxchg(v, o, n) \
10262 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
10263 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
10264+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
10265+{
10266+ return xchg(&v->counter, new);
10267+}
10268
10269 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
10270 {
10271- long c, old;
10272+ long c, old, new;
10273 c = atomic64_read(v);
10274 for (;;) {
10275- if (unlikely(c == (u)))
10276+ if (unlikely(c == u))
10277 break;
10278- old = atomic64_cmpxchg((v), c, c + (a));
10279+
10280+ asm volatile("addcc %2, %0, %0\n"
10281+
10282+#ifdef CONFIG_PAX_REFCOUNT
10283+ "tvs %%xcc, 6\n"
10284+#endif
10285+
10286+ : "=r" (new)
10287+ : "0" (c), "ir" (a)
10288+ : "cc");
10289+
10290+ old = atomic64_cmpxchg(v, c, new);
10291 if (likely(old == c))
10292 break;
10293 c = old;
10294 }
10295- return c != (u);
10296+ return c != u;
10297 }
10298
10299 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
10300diff --git a/arch/sparc/include/asm/barrier_64.h b/arch/sparc/include/asm/barrier_64.h
10301index 809941e..b443309 100644
10302--- a/arch/sparc/include/asm/barrier_64.h
10303+++ b/arch/sparc/include/asm/barrier_64.h
10304@@ -60,7 +60,7 @@ do { __asm__ __volatile__("ba,pt %%xcc, 1f\n\t" \
10305 do { \
10306 compiletime_assert_atomic_type(*p); \
10307 barrier(); \
10308- ACCESS_ONCE(*p) = (v); \
10309+ ACCESS_ONCE_RW(*p) = (v); \
10310 } while (0)
10311
10312 #define smp_load_acquire(p) \
10313diff --git a/arch/sparc/include/asm/cache.h b/arch/sparc/include/asm/cache.h
10314index 5bb6991..5c2132e 100644
10315--- a/arch/sparc/include/asm/cache.h
10316+++ b/arch/sparc/include/asm/cache.h
10317@@ -7,10 +7,12 @@
10318 #ifndef _SPARC_CACHE_H
10319 #define _SPARC_CACHE_H
10320
10321+#include <linux/const.h>
10322+
10323 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
10324
10325 #define L1_CACHE_SHIFT 5
10326-#define L1_CACHE_BYTES 32
10327+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
10328
10329 #ifdef CONFIG_SPARC32
10330 #define SMP_CACHE_BYTES_SHIFT 5
10331diff --git a/arch/sparc/include/asm/elf_32.h b/arch/sparc/include/asm/elf_32.h
10332index a24e41f..47677ff 100644
10333--- a/arch/sparc/include/asm/elf_32.h
10334+++ b/arch/sparc/include/asm/elf_32.h
10335@@ -114,6 +114,13 @@ typedef struct {
10336
10337 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
10338
10339+#ifdef CONFIG_PAX_ASLR
10340+#define PAX_ELF_ET_DYN_BASE 0x10000UL
10341+
10342+#define PAX_DELTA_MMAP_LEN 16
10343+#define PAX_DELTA_STACK_LEN 16
10344+#endif
10345+
10346 /* This yields a mask that user programs can use to figure out what
10347 instruction set this cpu supports. This can NOT be done in userspace
10348 on Sparc. */
10349diff --git a/arch/sparc/include/asm/elf_64.h b/arch/sparc/include/asm/elf_64.h
10350index 370ca1e..d4f4a98 100644
10351--- a/arch/sparc/include/asm/elf_64.h
10352+++ b/arch/sparc/include/asm/elf_64.h
10353@@ -189,6 +189,13 @@ typedef struct {
10354 #define ELF_ET_DYN_BASE 0x0000010000000000UL
10355 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
10356
10357+#ifdef CONFIG_PAX_ASLR
10358+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
10359+
10360+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
10361+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
10362+#endif
10363+
10364 extern unsigned long sparc64_elf_hwcap;
10365 #define ELF_HWCAP sparc64_elf_hwcap
10366
10367diff --git a/arch/sparc/include/asm/pgalloc_32.h b/arch/sparc/include/asm/pgalloc_32.h
10368index a3890da..f6a408e 100644
10369--- a/arch/sparc/include/asm/pgalloc_32.h
10370+++ b/arch/sparc/include/asm/pgalloc_32.h
10371@@ -35,6 +35,7 @@ static inline void pgd_set(pgd_t * pgdp, pmd_t * pmdp)
10372 }
10373
10374 #define pgd_populate(MM, PGD, PMD) pgd_set(PGD, PMD)
10375+#define pgd_populate_kernel(MM, PGD, PMD) pgd_populate((MM), (PGD), (PMD))
10376
10377 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm,
10378 unsigned long address)
10379diff --git a/arch/sparc/include/asm/pgalloc_64.h b/arch/sparc/include/asm/pgalloc_64.h
10380index 5e31871..13469c6 100644
10381--- a/arch/sparc/include/asm/pgalloc_64.h
10382+++ b/arch/sparc/include/asm/pgalloc_64.h
10383@@ -21,6 +21,7 @@ static inline void __pgd_populate(pgd_t *pgd, pud_t *pud)
10384 }
10385
10386 #define pgd_populate(MM, PGD, PUD) __pgd_populate(PGD, PUD)
10387+#define pgd_populate_kernel(MM, PGD, PMD) pgd_populate((MM), (PGD), (PMD))
10388
10389 static inline pgd_t *pgd_alloc(struct mm_struct *mm)
10390 {
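Review bot: The third parameter of the added `pgd_populate_kernel` is named `PMD`, but the `pgd_populate` macro it forwards to on the line above takes a `PUD`. The expansion is the same either way, yet the name points the reader at the wrong page-table level. `#define pgd_populate_kernel(MM, PGD, PUD) pgd_populate((MM), (PGD), (PUD))` would match the macro it wraps.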
10391@@ -38,6 +39,7 @@ static inline void __pud_populate(pud_t *pud, pmd_t *pmd)
10392 }
10393
10394 #define pud_populate(MM, PUD, PMD) __pud_populate(PUD, PMD)
10395+#define pud_populate_kernel(MM, PUD, PMD) pud_populate((MM), (PUD), (PMD))
10396
10397 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
10398 {
10399diff --git a/arch/sparc/include/asm/pgtable.h b/arch/sparc/include/asm/pgtable.h
10400index 59ba6f6..4518128 100644
10401--- a/arch/sparc/include/asm/pgtable.h
10402+++ b/arch/sparc/include/asm/pgtable.h
10403@@ -5,4 +5,8 @@
10404 #else
10405 #include <asm/pgtable_32.h>
10406 #endif
10407+
10408+#define ktla_ktva(addr) (addr)
10409+#define ktva_ktla(addr) (addr)
10410+
10411 #endif
10412diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h
10413index f06b36a..bca3189 100644
10414--- a/arch/sparc/include/asm/pgtable_32.h
10415+++ b/arch/sparc/include/asm/pgtable_32.h
10416@@ -51,6 +51,9 @@ unsigned long __init bootmem_init(unsigned long *pages_avail);
10417 #define PAGE_SHARED SRMMU_PAGE_SHARED
10418 #define PAGE_COPY SRMMU_PAGE_COPY
10419 #define PAGE_READONLY SRMMU_PAGE_RDONLY
10420+#define PAGE_SHARED_NOEXEC SRMMU_PAGE_SHARED_NOEXEC
10421+#define PAGE_COPY_NOEXEC SRMMU_PAGE_COPY_NOEXEC
10422+#define PAGE_READONLY_NOEXEC SRMMU_PAGE_RDONLY_NOEXEC
10423 #define PAGE_KERNEL SRMMU_PAGE_KERNEL
10424
10425 /* Top-level page directory - dummy used by init-mm.
10426@@ -63,18 +66,18 @@ extern unsigned long ptr_in_current_pgd;
10427
10428 /* xwr */
10429 #define __P000 PAGE_NONE
10430-#define __P001 PAGE_READONLY
10431-#define __P010 PAGE_COPY
10432-#define __P011 PAGE_COPY
10433+#define __P001 PAGE_READONLY_NOEXEC
10434+#define __P010 PAGE_COPY_NOEXEC
10435+#define __P011 PAGE_COPY_NOEXEC
10436 #define __P100 PAGE_READONLY
10437 #define __P101 PAGE_READONLY
10438 #define __P110 PAGE_COPY
10439 #define __P111 PAGE_COPY
10440
10441 #define __S000 PAGE_NONE
10442-#define __S001 PAGE_READONLY
10443-#define __S010 PAGE_SHARED
10444-#define __S011 PAGE_SHARED
10445+#define __S001 PAGE_READONLY_NOEXEC
10446+#define __S010 PAGE_SHARED_NOEXEC
10447+#define __S011 PAGE_SHARED_NOEXEC
10448 #define __S100 PAGE_READONLY
10449 #define __S101 PAGE_READONLY
10450 #define __S110 PAGE_SHARED
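Review bot: The `__P001`–`__P011` and `__S001`–`__S011` entries now point at the `_NOEXEC` protections, but nothing in the table says why rows with x=0 differ from rows with x=1. The `/* xwr */` header is the natural place, e.g. `/* xwr: rows without x use the _NOEXEC variants, so read/write access no longer implies execute */`. No config option guards the change in this hunk, so it presumably affects every sparc32 user mapping created without PROT_EXEC. If that is intended, the comment should say so.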
10451diff --git a/arch/sparc/include/asm/pgtsrmmu.h b/arch/sparc/include/asm/pgtsrmmu.h
10452index ae51a11..eadfd03 100644
10453--- a/arch/sparc/include/asm/pgtsrmmu.h
10454+++ b/arch/sparc/include/asm/pgtsrmmu.h
10455@@ -111,6 +111,11 @@
10456 SRMMU_EXEC | SRMMU_REF)
10457 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
10458 SRMMU_EXEC | SRMMU_REF)
10459+
10460+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
10461+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
10462+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
10463+
10464 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
10465 SRMMU_DIRTY | SRMMU_REF)
10466
10467diff --git a/arch/sparc/include/asm/setup.h b/arch/sparc/include/asm/setup.h
10468index 29d64b1..4272fe8 100644
10469--- a/arch/sparc/include/asm/setup.h
10470+++ b/arch/sparc/include/asm/setup.h
10471@@ -55,8 +55,8 @@ int handle_ldf_stq(u32 insn, struct pt_regs *regs);
10472 void handle_ld_nf(u32 insn, struct pt_regs *regs);
10473
10474 /* init_64.c */
10475-extern atomic_t dcpage_flushes;
10476-extern atomic_t dcpage_flushes_xcall;
10477+extern atomic_unchecked_t dcpage_flushes;
10478+extern atomic_unchecked_t dcpage_flushes_xcall;
10479
10480 extern int sysctl_tsb_ratio;
10481 #endif
10482diff --git a/arch/sparc/include/asm/spinlock_64.h b/arch/sparc/include/asm/spinlock_64.h
10483index 9689176..63c18ea 100644
10484--- a/arch/sparc/include/asm/spinlock_64.h
10485+++ b/arch/sparc/include/asm/spinlock_64.h
10486@@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *lock, unsigned long fla
10487
10488 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
10489
10490-static void inline arch_read_lock(arch_rwlock_t *lock)
10491+static inline void arch_read_lock(arch_rwlock_t *lock)
10492 {
10493 unsigned long tmp1, tmp2;
10494
10495 __asm__ __volatile__ (
10496 "1: ldsw [%2], %0\n"
10497 " brlz,pn %0, 2f\n"
10498-"4: add %0, 1, %1\n"
10499+"4: addcc %0, 1, %1\n"
10500+
10501+#ifdef CONFIG_PAX_REFCOUNT
10502+" tvs %%icc, 6\n"
10503+#endif
10504+
10505 " cas [%2], %0, %1\n"
10506 " cmp %0, %1\n"
10507 " bne,pn %%icc, 1b\n"
10508@@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_rwlock_t *lock)
10509 " .previous"
10510 : "=&r" (tmp1), "=&r" (tmp2)
10511 : "r" (lock)
10512- : "memory");
10513+ : "memory", "cc");
10514 }
10515
10516-static int inline arch_read_trylock(arch_rwlock_t *lock)
10517+static inline int arch_read_trylock(arch_rwlock_t *lock)
10518 {
10519 int tmp1, tmp2;
10520
10521@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch_rwlock_t *lock)
10522 "1: ldsw [%2], %0\n"
10523 " brlz,a,pn %0, 2f\n"
10524 " mov 0, %0\n"
10525-" add %0, 1, %1\n"
10526+" addcc %0, 1, %1\n"
10527+
10528+#ifdef CONFIG_PAX_REFCOUNT
10529+" tvs %%icc, 6\n"
10530+#endif
10531+
10532 " cas [%2], %0, %1\n"
10533 " cmp %0, %1\n"
10534 " bne,pn %%icc, 1b\n"
10535@@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch_rwlock_t *lock)
10536 return tmp1;
10537 }
10538
10539-static void inline arch_read_unlock(arch_rwlock_t *lock)
10540+static inline void arch_read_unlock(arch_rwlock_t *lock)
10541 {
10542 unsigned long tmp1, tmp2;
10543
10544 __asm__ __volatile__(
10545 "1: lduw [%2], %0\n"
10546-" sub %0, 1, %1\n"
10547+" subcc %0, 1, %1\n"
10548+
10549+#ifdef CONFIG_PAX_REFCOUNT
10550+" tvs %%icc, 6\n"
10551+#endif
10552+
10553 " cas [%2], %0, %1\n"
10554 " cmp %0, %1\n"
10555 " bne,pn %%xcc, 1b\n"
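Review bot: `arch_read_unlock` now uses `subcc` plus a conditional `tvs`, but its clobber list, shown as unchanged context at the top of the next hunk, is still only `"memory"`. The `arch_read_lock` hunk above adds `"cc"` for the matching `addcc` change, and `arch_read_trylock` gained `addcc` without any hunk touching its clobber list. For consistency both should end with `: "memory", "cc");` as well. The pre-existing `cmp` already altered the condition codes, so this may be harmless in practice, but the three functions should declare the same thing.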
10556@@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch_rwlock_t *lock)
10557 : "memory");
10558 }
10559
10560-static void inline arch_write_lock(arch_rwlock_t *lock)
10561+static inline void arch_write_lock(arch_rwlock_t *lock)
10562 {
10563 unsigned long mask, tmp1, tmp2;
10564
10565@@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_rwlock_t *lock)
10566 : "memory");
10567 }
10568
10569-static void inline arch_write_unlock(arch_rwlock_t *lock)
10570+static inline void arch_write_unlock(arch_rwlock_t *lock)
10571 {
10572 __asm__ __volatile__(
10573 " stw %%g0, [%0]"
10574@@ -186,7 +201,7 @@ static void inline arch_write_unlock(arch_rwlock_t *lock)
10575 : "memory");
10576 }
10577
10578-static int inline arch_write_trylock(arch_rwlock_t *lock)
10579+static inline int arch_write_trylock(arch_rwlock_t *lock)
10580 {
10581 unsigned long mask, tmp1, tmp2, result;
10582
10583diff --git a/arch/sparc/include/asm/thread_info_32.h b/arch/sparc/include/asm/thread_info_32.h
10584index 229475f..2fca9163 100644
10585--- a/arch/sparc/include/asm/thread_info_32.h
10586+++ b/arch/sparc/include/asm/thread_info_32.h
10587@@ -48,6 +48,7 @@ struct thread_info {
10588 struct reg_window32 reg_window[NSWINS]; /* align for ldd! */
10589 unsigned long rwbuf_stkptrs[NSWINS];
10590 unsigned long w_saved;
10591+ unsigned long lowest_stack;
10592 };
10593
10594 /*
10595diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h
10596index bde5982..9cbb56d 100644
10597--- a/arch/sparc/include/asm/thread_info_64.h
10598+++ b/arch/sparc/include/asm/thread_info_64.h
10599@@ -59,6 +59,8 @@ struct thread_info {
10600 struct pt_regs *kern_una_regs;
10601 unsigned int kern_una_insn;
10602
10603+ unsigned long lowest_stack;
10604+
10605 unsigned long fpregs[(7 * 256) / sizeof(unsigned long)]
10606 __attribute__ ((aligned(64)));
10607 };
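Review bot: `lowest_stack` is inserted in the middle of `struct thread_info`, just before `fpregs`, with no comment on why that position is safe. This header keeps hand-written `TI_*` byte offsets for assembly code (outside this hunk), so a field added ahead of `fpregs` must leave those offsets unchanged. Here that presumably relies on the padding created by the `aligned(64)` attribute on `fpregs`. A comment such as `/* sits in the alignment padding before fpregs; re-check the TI_* offsets if this moves */` would record the assumption, which should be confirmed against the offset definitions.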
10608@@ -180,12 +182,13 @@ register struct thread_info *current_thread_info_reg asm("g6");
10609 #define TIF_NEED_RESCHED 3 /* rescheduling necessary */
10610 /* flag bit 4 is available */
10611 #define TIF_UNALIGNED 5 /* allowed to do unaligned accesses */
10612-/* flag bit 6 is available */
10613+#define TIF_GRSEC_SETXID 6 /* update credentials on syscall entry/exit */
10614 #define TIF_32BIT 7 /* 32-bit binary */
10615 #define TIF_NOHZ 8 /* in adaptive nohz mode */
10616 #define TIF_SECCOMP 9 /* secure computing */
10617 #define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */
10618 #define TIF_SYSCALL_TRACEPOINT 11 /* syscall tracepoint instrumentation */
10619+
10620 /* NOTE: Thread flags >= 12 should be ones we have no interest
10621 * in using in assembly, else we can't use the mask as
10622 * an immediate value in instructions such as andcc.
10623@@ -205,12 +208,17 @@ register struct thread_info *current_thread_info_reg asm("g6");
10624 #define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
10625 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
10626 #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
10627+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
10628
10629 #define _TIF_USER_WORK_MASK ((0xff << TI_FLAG_WSAVED_SHIFT) | \
10630 _TIF_DO_NOTIFY_RESUME_MASK | \
10631 _TIF_NEED_RESCHED)
10632 #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | _TIF_SIGPENDING)
10633
10634+#define _TIF_WORK_SYSCALL \
10635+ (_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \
10636+ _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ | _TIF_GRSEC_SETXID)
10637+
10638 #define is_32bit_task() (test_thread_flag(TIF_32BIT))
10639
10640 /*
10641diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h
10642index bd56c28..4b63d83 100644
10643--- a/arch/sparc/include/asm/uaccess.h
10644+++ b/arch/sparc/include/asm/uaccess.h
10645@@ -1,5 +1,6 @@
10646 #ifndef ___ASM_SPARC_UACCESS_H
10647 #define ___ASM_SPARC_UACCESS_H
10648+
10649 #if defined(__sparc__) && defined(__arch64__)
10650 #include <asm/uaccess_64.h>
10651 #else
10652diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
10653index 64ee103..388aef0 100644
10654--- a/arch/sparc/include/asm/uaccess_32.h
10655+++ b/arch/sparc/include/asm/uaccess_32.h
10656@@ -47,6 +47,7 @@
10657 #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
10658 #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
10659 #define __access_ok(addr, size) (__user_ok((addr) & get_fs().seg, (size)))
10660+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
10661 #define access_ok(type, addr, size) \
10662 ({ (void)(type); __access_ok((unsigned long)(addr), size); })
10663
10664@@ -313,27 +314,46 @@ unsigned long __copy_user(void __user *to, const void __user *from, unsigned lon
10665
10666 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
10667 {
10668- if (n && __access_ok((unsigned long) to, n))
10669+ if ((long)n < 0)
10670+ return n;
10671+
10672+ if (n && __access_ok((unsigned long) to, n)) {
10673+ if (!__builtin_constant_p(n))
10674+ check_object_size(from, n, true);
10675 return __copy_user(to, (__force void __user *) from, n);
10676- else
10677+ } else
10678 return n;
10679 }
10680
10681 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
10682 {
10683+ if ((long)n < 0)
10684+ return n;
10685+
10686+ if (!__builtin_constant_p(n))
10687+ check_object_size(from, n, true);
10688+
10689 return __copy_user(to, (__force void __user *) from, n);
10690 }
10691
10692 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
10693 {
10694- if (n && __access_ok((unsigned long) from, n))
10695+ if ((long)n < 0)
10696+ return n;
10697+
10698+ if (n && __access_ok((unsigned long) from, n)) {
10699+ if (!__builtin_constant_p(n))
10700+ check_object_size(to, n, false);
10701 return __copy_user((__force void __user *) to, from, n);
10702- else
10703+ } else
10704 return n;
10705 }
10706
10707 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
10708 {
10709+ if ((long)n < 0)
10710+ return n;
10711+
10712 return __copy_user((__force void __user *) to, from, n);
10713 }
10714
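Review bot: `__copy_from_user` at the end of this hunk gets the `(long)n < 0` guard but not the `check_object_size()` call that the other three helpers receive. A non-constant-length copy into a kernel object through this variant therefore skips the object bounds check. If the omission is not deliberate, add `if (!__builtin_constant_p(n))` and `check_object_size(to, n, false);` before the `__copy_user` call, mirroring `copy_from_user`. If it is deliberate, a one-line comment giving the reason would stop it from being changed later by mistake.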
10715diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
10716index ea6e9a2..5703598 100644
10717--- a/arch/sparc/include/asm/uaccess_64.h
10718+++ b/arch/sparc/include/asm/uaccess_64.h
10719@@ -10,6 +10,7 @@
10720 #include <linux/compiler.h>
10721 #include <linux/string.h>
10722 #include <linux/thread_info.h>
10723+#include <linux/kernel.h>
10724 #include <asm/asi.h>
10725 #include <asm/spitfire.h>
10726 #include <asm-generic/uaccess-unaligned.h>
10727@@ -76,6 +77,11 @@ static inline int __access_ok(const void __user * addr, unsigned long size)
10728 return 1;
10729 }
10730
10731+static inline int access_ok_noprefault(int type, const void __user * addr, unsigned long size)
10732+{
10733+ return 1;
10734+}
10735+
10736 static inline int access_ok(int type, const void __user * addr, unsigned long size)
10737 {
10738 return 1;
10739@@ -250,8 +256,15 @@ unsigned long copy_from_user_fixup(void *to, const void __user *from,
10740 static inline unsigned long __must_check
10741 copy_from_user(void *to, const void __user *from, unsigned long size)
10742 {
10743- unsigned long ret = ___copy_from_user(to, from, size);
10744+ unsigned long ret;
10745
10746+ if ((long)size < 0 || size > INT_MAX)
10747+ return size;
10748+
10749+ if (!__builtin_constant_p(size))
10750+ check_object_size(to, size, false);
10751+
10752+ ret = ___copy_from_user(to, from, size);
10753 if (unlikely(ret))
10754 ret = copy_from_user_fixup(to, from, size);
10755
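Review bot: In the new guard `if ((long)size < 0 || size > INT_MAX)` the first test is redundant on sparc64, because `size` is a 64-bit `unsigned long` and any value with the sign bit set already exceeds `INT_MAX`. `if (size > INT_MAX)` expresses the same limit; the `copy_to_user` hunk below repeats the pattern. `access_ok()` in this header always returns 1, so this cap and `check_object_size()` are the only length checks visible on the path. A short comment stating the intended limit, e.g. `/* reject lengths no kernel object can have */`, would make that explicit. The function continues past the end of the hunk.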
10756@@ -267,8 +280,15 @@ unsigned long copy_to_user_fixup(void __user *to, const void *from,
10757 static inline unsigned long __must_check
10758 copy_to_user(void __user *to, const void *from, unsigned long size)
10759 {
10760- unsigned long ret = ___copy_to_user(to, from, size);
10761+ unsigned long ret;
10762
10763+ if ((long)size < 0 || size > INT_MAX)
10764+ return size;
10765+
10766+ if (!__builtin_constant_p(size))
10767+ check_object_size(from, size, true);
10768+
10769+ ret = ___copy_to_user(to, from, size);
10770 if (unlikely(ret))
10771 ret = copy_to_user_fixup(to, from, size);
10772 return ret;
10773diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
10774index 7cf9c6e..6206648 100644
10775--- a/arch/sparc/kernel/Makefile
10776+++ b/arch/sparc/kernel/Makefile
10777@@ -4,7 +4,7 @@
10778 #
10779
10780 asflags-y := -ansi
10781-ccflags-y := -Werror
10782+#ccflags-y := -Werror
10783
10784 extra-y := head_$(BITS).o
10785
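Review bot: `-Werror` is disabled by commenting the line out, which leaves dead configuration in the Makefile with no explanation. Either delete the line or keep it with a stated reason, e.g. `# -Werror dropped: <reason>`; the reason is not given on this page. With the flag off, new compiler warnings in arch/sparc/kernel no longer fail the build and have to be caught from the build log instead.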
10786diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c
10787index 50e7b62..79fae35 100644
10788--- a/arch/sparc/kernel/process_32.c
10789+++ b/arch/sparc/kernel/process_32.c
10790@@ -123,14 +123,14 @@ void show_regs(struct pt_regs *r)
10791
10792 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
10793 r->psr, r->pc, r->npc, r->y, print_tainted());
10794- printk("PC: <%pS>\n", (void *) r->pc);
10795+ printk("PC: <%pA>\n", (void *) r->pc);
10796 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10797 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
10798 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
10799 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10800 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
10801 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
10802- printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
10803+ printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
10804
10805 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10806 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
10807@@ -167,7 +167,7 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
10808 rw = (struct reg_window32 *) fp;
10809 pc = rw->ins[7];
10810 printk("[%08lx : ", pc);
10811- printk("%pS ] ", (void *) pc);
10812+ printk("%pA ] ", (void *) pc);
10813 fp = rw->ins[6];
10814 } while (++count < 16);
10815 printk("\n");
10816diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c
10817index 46a5964..a35c62c 100644
10818--- a/arch/sparc/kernel/process_64.c
10819+++ b/arch/sparc/kernel/process_64.c
10820@@ -161,7 +161,7 @@ static void show_regwindow(struct pt_regs *regs)
10821 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
10822 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
10823 if (regs->tstate & TSTATE_PRIV)
10824- printk("I7: <%pS>\n", (void *) rwk->ins[7]);
10825+ printk("I7: <%pA>\n", (void *) rwk->ins[7]);
10826 }
10827
10828 void show_regs(struct pt_regs *regs)
10829@@ -170,7 +170,7 @@ void show_regs(struct pt_regs *regs)
10830
10831 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
10832 regs->tpc, regs->tnpc, regs->y, print_tainted());
10833- printk("TPC: <%pS>\n", (void *) regs->tpc);
10834+ printk("TPC: <%pA>\n", (void *) regs->tpc);
10835 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
10836 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
10837 regs->u_regs[3]);
10838@@ -183,7 +183,7 @@ void show_regs(struct pt_regs *regs)
10839 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
10840 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
10841 regs->u_regs[15]);
10842- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
10843+ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
10844 show_regwindow(regs);
10845 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
10846 }
10847@@ -278,7 +278,7 @@ void arch_trigger_all_cpu_backtrace(bool include_self)
10848 ((tp && tp->task) ? tp->task->pid : -1));
10849
10850 if (gp->tstate & TSTATE_PRIV) {
10851- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
10852+ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
10853 (void *) gp->tpc,
10854 (void *) gp->o7,
10855 (void *) gp->i7,
10856diff --git a/arch/sparc/kernel/prom_common.c b/arch/sparc/kernel/prom_common.c
10857index 79cc0d1..ec62734 100644
10858--- a/arch/sparc/kernel/prom_common.c
10859+++ b/arch/sparc/kernel/prom_common.c
10860@@ -144,7 +144,7 @@ static int __init prom_common_nextprop(phandle node, char *prev, char *buf)
10861
10862 unsigned int prom_early_allocated __initdata;
10863
10864-static struct of_pdt_ops prom_sparc_ops __initdata = {
10865+static struct of_pdt_ops prom_sparc_ops __initconst = {
10866 .nextprop = prom_common_nextprop,
10867 .getproplen = prom_getproplen,
10868 .getproperty = prom_getproperty,
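Review bot: `prom_sparc_ops` is moved to `__initconst` but is still declared without `const`. Init-section annotations for constant data are normally paired with a `const` object, and mixing const and non-const objects in one section can produce a section type conflict at build time. Unless the type is made const by another part of this patch (not visible here), the declaration should read `static const struct of_pdt_ops prom_sparc_ops __initconst = {`, which also needs the consumer to accept a `const` pointer. The initializer continues past the end of the hunk.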
10869diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
10870index 9ddc492..27a5619 100644
10871--- a/arch/sparc/kernel/ptrace_64.c
10872+++ b/arch/sparc/kernel/ptrace_64.c
10873@@ -1060,6 +1060,10 @@ long arch_ptrace(struct task_struct *child, long request,
10874 return ret;
10875 }
10876
10877+#ifdef CONFIG_GRKERNSEC_SETXID
10878+extern void gr_delayed_cred_worker(void);
10879+#endif
10880+
10881 asmlinkage int syscall_trace_enter(struct pt_regs *regs)
10882 {
10883 int ret = 0;
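Review bot: `gr_delayed_cred_worker()` is declared with a bare `extern` inside ptrace_64.c rather than through a header shared with its definition, so a later change to its signature would not be caught by the compiler here. Moving the prototype into a header that both files include, and replacing these three lines with the `#include`, closes that gap. The following two hunks add the same `test_and_clear_thread_flag(TIF_GRSEC_SETXID)` block to both `syscall_trace_enter` and `syscall_trace_leave`; a small static inline helper would keep the two copies in step.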
10884@@ -1070,6 +1074,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
10885 if (test_thread_flag(TIF_NOHZ))
10886 user_exit();
10887
10888+#ifdef CONFIG_GRKERNSEC_SETXID
10889+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
10890+ gr_delayed_cred_worker();
10891+#endif
10892+
10893 if (test_thread_flag(TIF_SYSCALL_TRACE))
10894 ret = tracehook_report_syscall_entry(regs);
10895
10896@@ -1088,6 +1097,11 @@ asmlinkage void syscall_trace_leave(struct pt_regs *regs)
10897 if (test_thread_flag(TIF_NOHZ))
10898 user_exit();
10899
10900+#ifdef CONFIG_GRKERNSEC_SETXID
10901+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
10902+ gr_delayed_cred_worker();
10903+#endif
10904+
10905 audit_syscall_exit(regs);
10906
10907 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
10908diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
10909index 19cd08d..ff21e99 100644
10910--- a/arch/sparc/kernel/smp_64.c
10911+++ b/arch/sparc/kernel/smp_64.c
10912@@ -891,7 +891,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
10913 return;
10914
10915 #ifdef CONFIG_DEBUG_DCFLUSH
10916- atomic_inc(&dcpage_flushes);
10917+ atomic_inc_unchecked(&dcpage_flushes);
10918 #endif
10919
10920 this_cpu = get_cpu();
10921@@ -915,7 +915,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
10922 xcall_deliver(data0, __pa(pg_addr),
10923 (u64) pg_addr, cpumask_of(cpu));
10924 #ifdef CONFIG_DEBUG_DCFLUSH
10925- atomic_inc(&dcpage_flushes_xcall);
10926+ atomic_inc_unchecked(&dcpage_flushes_xcall);
10927 #endif
10928 }
10929 }
10930@@ -934,7 +934,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
10931 preempt_disable();
10932
10933 #ifdef CONFIG_DEBUG_DCFLUSH
10934- atomic_inc(&dcpage_flushes);
10935+ atomic_inc_unchecked(&dcpage_flushes);
10936 #endif
10937 data0 = 0;
10938 pg_addr = page_address(page);
10939@@ -951,7 +951,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
10940 xcall_deliver(data0, __pa(pg_addr),
10941 (u64) pg_addr, cpu_online_mask);
10942 #ifdef CONFIG_DEBUG_DCFLUSH
10943- atomic_inc(&dcpage_flushes_xcall);
10944+ atomic_inc_unchecked(&dcpage_flushes_xcall);
10945 #endif
10946 }
10947 __local_flush_dcache_page(page);
10948diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
10949index 646988d..b88905f 100644
10950--- a/arch/sparc/kernel/sys_sparc_32.c
10951+++ b/arch/sparc/kernel/sys_sparc_32.c
10952@@ -54,7 +54,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10953 if (len > TASK_SIZE - PAGE_SIZE)
10954 return -ENOMEM;
10955 if (!addr)
10956- addr = TASK_UNMAPPED_BASE;
10957+ addr = current->mm->mmap_base;
10958
10959 info.flags = 0;
10960 info.length = len;
10961diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
10962index 30e7ddb..266a3b0 100644
10963--- a/arch/sparc/kernel/sys_sparc_64.c
10964+++ b/arch/sparc/kernel/sys_sparc_64.c
10965@@ -89,13 +89,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10966 struct vm_area_struct * vma;
10967 unsigned long task_size = TASK_SIZE;
10968 int do_color_align;
10969+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
10970 struct vm_unmapped_area_info info;
10971
10972 if (flags & MAP_FIXED) {
10973 /* We do not accept a shared mapping if it would violate
10974 * cache aliasing constraints.
10975 */
10976- if ((flags & MAP_SHARED) &&
10977+ if ((filp || (flags & MAP_SHARED)) &&
10978 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10979 return -EINVAL;
10980 return addr;
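Review bot: The `MAP_FIXED` check now rejects any file-backed mapping whose address violates the `SHMLBA` colour constraint, not only `MAP_SHARED` ones, yet the comment directly above still says "We do not accept a shared mapping". Update it to match, e.g. `/* We do not accept a shared or file-backed mapping if it would violate cache aliasing constraints. */`; the same edit applies to `arch_get_unmapped_area_topdown` further down. A private file mapping at a fixed, misaligned address now gets `-EINVAL`, which is a user-visible change and deserves a line in the change description.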
10981@@ -110,6 +111,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10982 if (filp || (flags & MAP_SHARED))
10983 do_color_align = 1;
10984
10985+#ifdef CONFIG_PAX_RANDMMAP
10986+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10987+#endif
10988+
10989 if (addr) {
10990 if (do_color_align)
10991 addr = COLOR_ALIGN(addr, pgoff);
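Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and, through the `#ifdef`, governs the `if (addr) {` block that follows the blank line. A statement later inserted between the two would change control flow only when `CONFIG_PAX_RANDMMAP` is set, which is easy to miss in review. Computing the decision into a local flag under the `#ifdef` and testing it in one condition, `if (use_hint && addr) {`, makes the dependency explicit. The same construct appears in `arch_get_unmapped_area_topdown` and in `mmap_rnd` later in this file.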
10992@@ -117,22 +122,28 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10993 addr = PAGE_ALIGN(addr);
10994
10995 vma = find_vma(mm, addr);
10996- if (task_size - len >= addr &&
10997- (!vma || addr + len <= vma->vm_start))
10998+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10999 return addr;
11000 }
11001
11002 info.flags = 0;
11003 info.length = len;
11004- info.low_limit = TASK_UNMAPPED_BASE;
11005+ info.low_limit = mm->mmap_base;
11006 info.high_limit = min(task_size, VA_EXCLUDE_START);
11007 info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
11008 info.align_offset = pgoff << PAGE_SHIFT;
11009+ info.threadstack_offset = offset;
11010 addr = vm_unmapped_area(&info);
11011
11012 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
11013 VM_BUG_ON(addr != -ENOMEM);
11014 info.low_limit = VA_EXCLUDE_END;
11015+
11016+#ifdef CONFIG_PAX_RANDMMAP
11017+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11018+ info.low_limit += mm->delta_mmap;
11019+#endif
11020+
11021 info.high_limit = task_size;
11022 addr = vm_unmapped_area(&info);
11023 }
11024@@ -150,6 +161,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11025 unsigned long task_size = STACK_TOP32;
11026 unsigned long addr = addr0;
11027 int do_color_align;
11028+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
11029 struct vm_unmapped_area_info info;
11030
11031 /* This should only ever run for 32-bit processes. */
11032@@ -159,7 +171,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11033 /* We do not accept a shared mapping if it would violate
11034 * cache aliasing constraints.
11035 */
11036- if ((flags & MAP_SHARED) &&
11037+ if ((filp || (flags & MAP_SHARED)) &&
11038 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
11039 return -EINVAL;
11040 return addr;
11041@@ -172,6 +184,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11042 if (filp || (flags & MAP_SHARED))
11043 do_color_align = 1;
11044
11045+#ifdef CONFIG_PAX_RANDMMAP
11046+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
11047+#endif
11048+
11049 /* requesting a specific address */
11050 if (addr) {
11051 if (do_color_align)
11052@@ -180,8 +196,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11053 addr = PAGE_ALIGN(addr);
11054
11055 vma = find_vma(mm, addr);
11056- if (task_size - len >= addr &&
11057- (!vma || addr + len <= vma->vm_start))
11058+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
11059 return addr;
11060 }
11061
11062@@ -191,6 +206,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11063 info.high_limit = mm->mmap_base;
11064 info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
11065 info.align_offset = pgoff << PAGE_SHIFT;
11066+ info.threadstack_offset = offset;
11067 addr = vm_unmapped_area(&info);
11068
11069 /*
11070@@ -203,6 +219,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11071 VM_BUG_ON(addr != -ENOMEM);
11072 info.flags = 0;
11073 info.low_limit = TASK_UNMAPPED_BASE;
11074+
11075+#ifdef CONFIG_PAX_RANDMMAP
11076+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11077+ info.low_limit += mm->delta_mmap;
11078+#endif
11079+
11080 info.high_limit = STACK_TOP32;
11081 addr = vm_unmapped_area(&info);
11082 }
11083@@ -259,10 +281,14 @@ unsigned long get_fb_unmapped_area(struct file *filp, unsigned long orig_addr, u
11084 EXPORT_SYMBOL(get_fb_unmapped_area);
11085
11086 /* Essentially the same as PowerPC. */
11087-static unsigned long mmap_rnd(void)
11088+static unsigned long mmap_rnd(struct mm_struct *mm)
11089 {
11090 unsigned long rnd = 0UL;
11091
11092+#ifdef CONFIG_PAX_RANDMMAP
11093+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
11094+#endif
11095+
11096 if (current->flags & PF_RANDOMIZE) {
11097 unsigned long val = get_random_int();
11098 if (test_thread_flag(TIF_32BIT))
11099@@ -275,7 +301,7 @@ static unsigned long mmap_rnd(void)
11100
11101 void arch_pick_mmap_layout(struct mm_struct *mm)
11102 {
11103- unsigned long random_factor = mmap_rnd();
11104+ unsigned long random_factor = mmap_rnd(mm);
11105 unsigned long gap;
11106
11107 /*
11108@@ -288,6 +314,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
11109 gap == RLIM_INFINITY ||
11110 sysctl_legacy_va_layout) {
11111 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
11112+
11113+#ifdef CONFIG_PAX_RANDMMAP
11114+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11115+ mm->mmap_base += mm->delta_mmap;
11116+#endif
11117+
11118 mm->get_unmapped_area = arch_get_unmapped_area;
11119 } else {
11120 /* We know it's 32-bit */
11121@@ -299,6 +331,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
11122 gap = (task_size / 6 * 5);
11123
11124 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
11125+
11126+#ifdef CONFIG_PAX_RANDMMAP
11127+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11128+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
11129+#endif
11130+
11131 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
11132 }
11133 }
11134diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
11135index bb00089..e0ea580 100644
11136--- a/arch/sparc/kernel/syscalls.S
11137+++ b/arch/sparc/kernel/syscalls.S
11138@@ -62,7 +62,7 @@ sys32_rt_sigreturn:
11139 #endif
11140 .align 32
11141 1: ldx [%g6 + TI_FLAGS], %l5
11142- andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
11143+ andcc %l5, _TIF_WORK_SYSCALL, %g0
11144 be,pt %icc, rtrap
11145 nop
11146 call syscall_trace_leave
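Review bot: `_TIF_WORK_SYSCALL` is used here as the immediate operand of `andcc`, and its definition is not part of this hunk. SPARC arithmetic immediates are 13-bit signed, so the macro definition should carry a comment saying every flag in it must stay in that range, for example `/* used as an andcc immediate in syscalls.S: keep all bits below 12 */`. The other three hunks in this file make the same substitution.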
11147@@ -194,7 +194,7 @@ linux_sparc_syscall32:
11148
11149 srl %i3, 0, %o3 ! IEU0
11150 srl %i2, 0, %o2 ! IEU0 Group
11151- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
11152+ andcc %l0, _TIF_WORK_SYSCALL, %g0
11153 bne,pn %icc, linux_syscall_trace32 ! CTI
11154 mov %i0, %l5 ! IEU1
11155 5: call %l7 ! CTI Group brk forced
11156@@ -218,7 +218,7 @@ linux_sparc_syscall:
11157
11158 mov %i3, %o3 ! IEU1
11159 mov %i4, %o4 ! IEU0 Group
11160- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
11161+ andcc %l0, _TIF_WORK_SYSCALL, %g0
11162 bne,pn %icc, linux_syscall_trace ! CTI Group
11163 mov %i0, %l5 ! IEU0
11164 2: call %l7 ! CTI Group brk forced
11165@@ -233,7 +233,7 @@ ret_sys_call:
11166
11167 cmp %o0, -ERESTART_RESTARTBLOCK
11168 bgeu,pn %xcc, 1f
11169- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
11170+ andcc %l0, _TIF_WORK_SYSCALL, %g0
11171 ldx [%sp + PTREGS_OFF + PT_V9_TNPC], %l1 ! pc = npc
11172
11173 2:
11174diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c
11175index 4f21df7..0a374da 100644
11176--- a/arch/sparc/kernel/traps_32.c
11177+++ b/arch/sparc/kernel/traps_32.c
11178@@ -44,6 +44,8 @@ static void instruction_dump(unsigned long *pc)
11179 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
11180 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
11181
11182+extern void gr_handle_kernel_exploit(void);
11183+
11184 void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11185 {
11186 static int die_counter;
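Review bot: The prototype `extern void gr_handle_kernel_exploit(void);` is declared locally in this .c file, and the same line is repeated in the traps_64.c hunk ahead of its die_if_kernel(). A local extern is never checked against the definition, so a later signature change would compile silently. Declaring it once in a header that both files include would avoid that; the header that should own it is not visible here.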
11187@@ -76,15 +78,17 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11188 count++ < 30 &&
11189 (((unsigned long) rw) >= PAGE_OFFSET) &&
11190 !(((unsigned long) rw) & 0x7)) {
11191- printk("Caller[%08lx]: %pS\n", rw->ins[7],
11192+ printk("Caller[%08lx]: %pA\n", rw->ins[7],
11193 (void *) rw->ins[7]);
11194 rw = (struct reg_window32 *)rw->ins[6];
11195 }
11196 }
11197 printk("Instruction DUMP:");
11198 instruction_dump ((unsigned long *) regs->pc);
11199- if(regs->psr & PSR_PS)
11200+ if(regs->psr & PSR_PS) {
11201+ gr_handle_kernel_exploit();
11202 do_exit(SIGKILL);
11203+ }
11204 do_exit(SIGSEGV);
11205 }
11206
11207diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c
11208index d21cd62..00a4a17 100644
11209--- a/arch/sparc/kernel/traps_64.c
11210+++ b/arch/sparc/kernel/traps_64.c
11211@@ -79,7 +79,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p)
11212 i + 1,
11213 p->trapstack[i].tstate, p->trapstack[i].tpc,
11214 p->trapstack[i].tnpc, p->trapstack[i].tt);
11215- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
11216+ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
11217 }
11218 }
11219
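Review bot: `%pA` replaces `%pS` here with no comment on what the new specifier prints, and its handler is not in this hunk. If, as it appears, the specifier is added to the printk pointer extensions elsewhere in this patch, a short entry next to the existing `%pS` documentation would tell readers of these oops and error paths how the output differs. The same substitution is made in the other traps_32.c, traps_64.c, unaligned_64.c and fault_64.c hunks.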
11220@@ -99,6 +99,12 @@ void bad_trap(struct pt_regs *regs, long lvl)
11221
11222 lvl -= 0x100;
11223 if (regs->tstate & TSTATE_PRIV) {
11224+
11225+#ifdef CONFIG_PAX_REFCOUNT
11226+ if (lvl == 6)
11227+ pax_report_refcount_overflow(regs);
11228+#endif
11229+
11230 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
11231 die_if_kernel(buffer, regs);
11232 }
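Review bot: `if (lvl == 6)` hard-codes the trap number that the `tvs %icc, 6` and `tvs %xcc, 6` instructions in the atomic_64.S hunks raise, and nothing ties the two together. A shared named constant would keep them in sync, or at least a comment such as `/* 6: software trap raised by the PAX_REFCOUNT overflow check in atomic_64.S */`. bad_trap_tl1() repeats the same test in the next hunk, which also replaces one blank line with another, presumably differing only in whitespace.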
11233@@ -117,11 +123,16 @@ void bad_trap(struct pt_regs *regs, long lvl)
11234 void bad_trap_tl1(struct pt_regs *regs, long lvl)
11235 {
11236 char buffer[32];
11237-
11238+
11239 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
11240 0, lvl, SIGTRAP) == NOTIFY_STOP)
11241 return;
11242
11243+#ifdef CONFIG_PAX_REFCOUNT
11244+ if (lvl == 6)
11245+ pax_report_refcount_overflow(regs);
11246+#endif
11247+
11248 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
11249
11250 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
11251@@ -1151,7 +1162,7 @@ static void cheetah_log_errors(struct pt_regs *regs, struct cheetah_err_info *in
11252 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
11253 printk("%s" "ERROR(%d): ",
11254 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
11255- printk("TPC<%pS>\n", (void *) regs->tpc);
11256+ printk("TPC<%pA>\n", (void *) regs->tpc);
11257 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
11258 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
11259 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
11260@@ -1758,7 +1769,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs)
11261 smp_processor_id(),
11262 (type & 0x1) ? 'I' : 'D',
11263 regs->tpc);
11264- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
11265+ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
11266 panic("Irrecoverable Cheetah+ parity error.");
11267 }
11268
11269@@ -1766,7 +1777,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs)
11270 smp_processor_id(),
11271 (type & 0x1) ? 'I' : 'D',
11272 regs->tpc);
11273- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
11274+ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
11275 }
11276
11277 struct sun4v_error_entry {
11278@@ -1839,8 +1850,8 @@ struct sun4v_error_entry {
11279 /*0x38*/u64 reserved_5;
11280 };
11281
11282-static atomic_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
11283-static atomic_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
11284+static atomic_unchecked_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
11285+static atomic_unchecked_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
11286
11287 static const char *sun4v_err_type_to_str(u8 type)
11288 {
11289@@ -1932,7 +1943,7 @@ static void sun4v_report_real_raddr(const char *pfx, struct pt_regs *regs)
11290 }
11291
11292 static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
11293- int cpu, const char *pfx, atomic_t *ocnt)
11294+ int cpu, const char *pfx, atomic_unchecked_t *ocnt)
11295 {
11296 u64 *raw_ptr = (u64 *) ent;
11297 u32 attrs;
11298@@ -1990,8 +2001,8 @@ static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
11299
11300 show_regs(regs);
11301
11302- if ((cnt = atomic_read(ocnt)) != 0) {
11303- atomic_set(ocnt, 0);
11304+ if ((cnt = atomic_read_unchecked(ocnt)) != 0) {
11305+ atomic_set_unchecked(ocnt, 0);
11306 wmb();
11307 printk("%s: Queue overflowed %d times.\n",
11308 pfx, cnt);
11309@@ -2048,7 +2059,7 @@ out:
11310 */
11311 void sun4v_resum_overflow(struct pt_regs *regs)
11312 {
11313- atomic_inc(&sun4v_resum_oflow_cnt);
11314+ atomic_inc_unchecked(&sun4v_resum_oflow_cnt);
11315 }
11316
11317 /* We run with %pil set to PIL_NORMAL_MAX and PSTATE_IE enabled in %pstate.
11318@@ -2101,7 +2112,7 @@ void sun4v_nonresum_overflow(struct pt_regs *regs)
11319 /* XXX Actually even this can make not that much sense. Perhaps
11320 * XXX we should just pull the plug and panic directly from here?
11321 */
11322- atomic_inc(&sun4v_nonresum_oflow_cnt);
11323+ atomic_inc_unchecked(&sun4v_nonresum_oflow_cnt);
11324 }
11325
11326 static void sun4v_tlb_error(struct pt_regs *regs)
11327@@ -2120,9 +2131,9 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl)
11328
11329 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
11330 regs->tpc, tl);
11331- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
11332+ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
11333 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
11334- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
11335+ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
11336 (void *) regs->u_regs[UREG_I7]);
11337 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
11338 "pte[%lx] error[%lx]\n",
11339@@ -2143,9 +2154,9 @@ void sun4v_dtlb_error_report(struct pt_regs *regs, int tl)
11340
11341 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
11342 regs->tpc, tl);
11343- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
11344+ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
11345 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
11346- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
11347+ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
11348 (void *) regs->u_regs[UREG_I7]);
11349 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
11350 "pte[%lx] error[%lx]\n",
11351@@ -2362,13 +2373,13 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
11352 fp = (unsigned long)sf->fp + STACK_BIAS;
11353 }
11354
11355- printk(" [%016lx] %pS\n", pc, (void *) pc);
11356+ printk(" [%016lx] %pA\n", pc, (void *) pc);
11357 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
11358 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
11359 int index = tsk->curr_ret_stack;
11360 if (tsk->ret_stack && index >= graph) {
11361 pc = tsk->ret_stack[index - graph].ret;
11362- printk(" [%016lx] %pS\n", pc, (void *) pc);
11363+ printk(" [%016lx] %pA\n", pc, (void *) pc);
11364 graph++;
11365 }
11366 }
11367@@ -2386,6 +2397,8 @@ static inline struct reg_window *kernel_stack_up(struct reg_window *rw)
11368 return (struct reg_window *) (fp + STACK_BIAS);
11369 }
11370
11371+extern void gr_handle_kernel_exploit(void);
11372+
11373 void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11374 {
11375 static int die_counter;
11376@@ -2414,7 +2427,7 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11377 while (rw &&
11378 count++ < 30 &&
11379 kstack_valid(tp, (unsigned long) rw)) {
11380- printk("Caller[%016lx]: %pS\n", rw->ins[7],
11381+ printk("Caller[%016lx]: %pA\n", rw->ins[7],
11382 (void *) rw->ins[7]);
11383
11384 rw = kernel_stack_up(rw);
11385@@ -2429,8 +2442,10 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11386 }
11387 if (panic_on_oops)
11388 panic("Fatal exception");
11389- if (regs->tstate & TSTATE_PRIV)
11390+ if (regs->tstate & TSTATE_PRIV) {
11391+ gr_handle_kernel_exploit();
11392 do_exit(SIGKILL);
11393+ }
11394 do_exit(SIGSEGV);
11395 }
11396 EXPORT_SYMBOL(die_if_kernel);
11397diff --git a/arch/sparc/kernel/unaligned_64.c b/arch/sparc/kernel/unaligned_64.c
11398index 62098a8..547ab2c 100644
11399--- a/arch/sparc/kernel/unaligned_64.c
11400+++ b/arch/sparc/kernel/unaligned_64.c
11401@@ -297,7 +297,7 @@ static void log_unaligned(struct pt_regs *regs)
11402 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
11403
11404 if (__ratelimit(&ratelimit)) {
11405- printk("Kernel unaligned access at TPC[%lx] %pS\n",
11406+ printk("Kernel unaligned access at TPC[%lx] %pA\n",
11407 regs->tpc, (void *) regs->tpc);
11408 }
11409 }
11410diff --git a/arch/sparc/lib/Makefile b/arch/sparc/lib/Makefile
11411index 3269b02..64f5231 100644
11412--- a/arch/sparc/lib/Makefile
11413+++ b/arch/sparc/lib/Makefile
11414@@ -2,7 +2,7 @@
11415 #
11416
11417 asflags-y := -ansi -DST_DIV0=0x02
11418-ccflags-y := -Werror
11419+#ccflags-y := -Werror
11420
11421 lib-$(CONFIG_SPARC32) += ashrdi3.o
11422 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
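Review bot: `#ccflags-y := -Werror` leaves the old setting behind as commented-out code with no reason given, and it turns off warnings-as-errors for the whole directory. If the flag has to go because the patched sources no longer build warning-free, state that in a comment, e.g. `# -Werror dropped: <reason>`, and remove the dead line. arch/sparc/mm/Makefile gets the identical change.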
11423diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S
11424index 05dac43..76f8ed4 100644
11425--- a/arch/sparc/lib/atomic_64.S
11426+++ b/arch/sparc/lib/atomic_64.S
11427@@ -15,11 +15,22 @@
11428 * a value and does the barriers.
11429 */
11430
11431-#define ATOMIC_OP(op) \
11432-ENTRY(atomic_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11433+#ifdef CONFIG_PAX_REFCOUNT
11434+#define __REFCOUNT_OP(op) op##cc
11435+#define __OVERFLOW_IOP tvs %icc, 6;
11436+#define __OVERFLOW_XOP tvs %xcc, 6;
11437+#else
11438+#define __REFCOUNT_OP(op) op
11439+#define __OVERFLOW_IOP
11440+#define __OVERFLOW_XOP
11441+#endif
11442+
11443+#define __ATOMIC_OP(op, suffix, asm_op, post_op) \
11444+ENTRY(atomic_##op##suffix) /* %o0 = increment, %o1 = atomic_ptr */ \
11445 BACKOFF_SETUP(%o2); \
11446 1: lduw [%o1], %g1; \
11447- op %g1, %o0, %g7; \
11448+ asm_op %g1, %o0, %g7; \
11449+ post_op \
11450 cas [%o1], %g1, %g7; \
11451 cmp %g1, %g7; \
11452 bne,pn %icc, BACKOFF_LABEL(2f, 1b); \
11453@@ -29,11 +40,15 @@ ENTRY(atomic_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11454 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11455 ENDPROC(atomic_##op); \
11456
11457-#define ATOMIC_OP_RETURN(op) \
11458-ENTRY(atomic_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11459+#define ATOMIC_OP(op) __ATOMIC_OP(op, , op, ) \
11460+ __ATOMIC_OP(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_IOP)
11461+
11462+#define __ATOMIC_OP_RETURN(op, suffix, asm_op, post_op) \
11463+ENTRY(atomic_##op##_return##suffix) /* %o0 = increment, %o1 = atomic_ptr */\
11464 BACKOFF_SETUP(%o2); \
11465 1: lduw [%o1], %g1; \
11466- op %g1, %o0, %g7; \
11467+ asm_op %g1, %o0, %g7; \
11468+ post_op \
11469 cas [%o1], %g1, %g7; \
11470 cmp %g1, %g7; \
11471 bne,pn %icc, BACKOFF_LABEL(2f, 1b); \
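Review bot: `ATOMIC_OP` passes the trapping form (`__REFCOUNT_OP(op)` with `__OVERFLOW_IOP`) to the `_unchecked` variant and the plain `op` to the unsuffixed one, which looks inverted. Elsewhere in this patch, counters that are allowed to wrap are moved to `atomic_unchecked_t` and `atomic_inc_unchecked()` (the sun4v overflow counters in traps_64.c). That suggests the `_unchecked` functions are meant to be the ones without the overflow trap. The arguments should probably be swapped: `__ATOMIC_OP(op, , __REFCOUNT_OP(op), __OVERFLOW_IOP)` and `__ATOMIC_OP(op, _unchecked, op, )`. `ATOMIC_OP_RETURN`, `ATOMIC64_OP` and `ATOMIC64_OP_RETURN` in the following hunks use the same argument order.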
11472@@ -43,6 +58,9 @@ ENTRY(atomic_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11473 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11474 ENDPROC(atomic_##op##_return);
11475
11476+#define ATOMIC_OP_RETURN(op) __ATOMIC_OP_RETURN(op, , op, ) \
11477+ __ATOMIC_OP_RETURN(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_IOP)
11478+
11479 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
11480
11481 ATOMIC_OPS(add)
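Review bot: `ENDPROC(atomic_##op##_return)` was left without `##suffix`, so the `_unchecked` expansion opens with the suffixed name in `ENTRY` but closes with the unsuffixed one. Assuming `ENDPROC` emits the symbol's type and size as usual, the `_unchecked` functions get neither and the base symbol is sized twice. `ENDPROC(atomic_##op##_return##suffix);` fixes it. The `ENDPROC` lines of `__ATOMIC_OP`, `__ATOMIC64_OP` and `__ATOMIC64_OP_RETURN` need the same change.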
11482@@ -50,13 +68,16 @@ ATOMIC_OPS(sub)
11483
11484 #undef ATOMIC_OPS
11485 #undef ATOMIC_OP_RETURN
11486+#undef __ATOMIC_OP_RETURN
11487 #undef ATOMIC_OP
11488+#undef __ATOMIC_OP
11489
11490-#define ATOMIC64_OP(op) \
11491-ENTRY(atomic64_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11492+#define __ATOMIC64_OP(op, suffix, asm_op, post_op) \
11493+ENTRY(atomic64_##op##suffix) /* %o0 = increment, %o1 = atomic_ptr */ \
11494 BACKOFF_SETUP(%o2); \
11495 1: ldx [%o1], %g1; \
11496- op %g1, %o0, %g7; \
11497+ asm_op %g1, %o0, %g7; \
11498+ post_op \
11499 casx [%o1], %g1, %g7; \
11500 cmp %g1, %g7; \
11501 bne,pn %xcc, BACKOFF_LABEL(2f, 1b); \
11502@@ -66,11 +87,15 @@ ENTRY(atomic64_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11503 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11504 ENDPROC(atomic64_##op); \
11505
11506-#define ATOMIC64_OP_RETURN(op) \
11507-ENTRY(atomic64_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11508+#define ATOMIC64_OP(op) __ATOMIC64_OP(op, , op, ) \
11509+ __ATOMIC64_OP(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_XOP)
11510+
11511+#define __ATOMIC64_OP_RETURN(op, suffix, asm_op, post_op) \
11512+ENTRY(atomic64_##op##_return##suffix) /* %o0 = increment, %o1 = atomic_ptr */\
11513 BACKOFF_SETUP(%o2); \
11514 1: ldx [%o1], %g1; \
11515- op %g1, %o0, %g7; \
11516+ asm_op %g1, %o0, %g7; \
11517+ post_op \
11518 casx [%o1], %g1, %g7; \
11519 cmp %g1, %g7; \
11520 bne,pn %xcc, BACKOFF_LABEL(2f, 1b); \
11521@@ -80,6 +105,9 @@ ENTRY(atomic64_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11522 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11523 ENDPROC(atomic64_##op##_return);
11524
11525+#define ATOMIC64_OP_RETURN(op) __ATOMIC64_OP_RETURN(op, , op, ) \
11526+i __ATOMIC64_OP_RETURN(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_XOP)
11527+
11528 #define ATOMIC64_OPS(op) ATOMIC64_OP(op) ATOMIC64_OP_RETURN(op)
11529
11530 ATOMIC64_OPS(add)
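Review bot: The continuation line of `ATOMIC64_OP_RETURN` begins with a stray `i` before `__ATOMIC64_OP_RETURN(op, _unchecked, ...)`. That character ends up in the macro expansion ahead of the second `ENTRY` and is unlikely to assemble as intended. The line should start with the macro call itself, as the `ATOMIC64_OP` definition does: `__ATOMIC64_OP_RETURN(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_XOP)`.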
11531@@ -87,7 +115,12 @@ ATOMIC64_OPS(sub)
11532
11533 #undef ATOMIC64_OPS
11534 #undef ATOMIC64_OP_RETURN
11535+#undef __ATOMIC64_OP_RETURN
11536 #undef ATOMIC64_OP
11537+#undef __ATOMIC64_OP
11538+#undef __OVERFLOW_XOP
11539+#undef __OVERFLOW_IOP
11540+#undef __REFCOUNT_OP
11541
11542 ENTRY(atomic64_dec_if_positive) /* %o0 = atomic_ptr */
11543 BACKOFF_SETUP(%o2)
11544diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
11545index 8069ce1..c2e23c4 100644
11546--- a/arch/sparc/lib/ksyms.c
11547+++ b/arch/sparc/lib/ksyms.c
11548@@ -101,7 +101,9 @@ EXPORT_SYMBOL(__clear_user);
11549 /* Atomic counter implementation. */
11550 #define ATOMIC_OP(op) \
11551 EXPORT_SYMBOL(atomic_##op); \
11552-EXPORT_SYMBOL(atomic64_##op);
11553+EXPORT_SYMBOL(atomic_##op##_unchecked); \
11554+EXPORT_SYMBOL(atomic64_##op); \
11555+EXPORT_SYMBOL(atomic64_##op##_unchecked);
11556
11557 #define ATOMIC_OP_RETURN(op) \
11558 EXPORT_SYMBOL(atomic_##op##_return); \
11559@@ -110,6 +112,8 @@ EXPORT_SYMBOL(atomic64_##op##_return);
11560 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
11561
11562 ATOMIC_OPS(add)
11563+EXPORT_SYMBOL(atomic_add_ret_unchecked);
11564+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
11565 ATOMIC_OPS(sub)
11566
11567 #undef ATOMIC_OPS
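Review bot: `EXPORT_SYMBOL(atomic_add_ret_unchecked)` and `EXPORT_SYMBOL(atomic64_add_ret_unchecked)` do not match the names the atomic_64.S macros generate, which are `atomic_add_return_unchecked` and `atomic64_add_return_unchecked`. Unless `*_add_ret_unchecked` is defined somewhere outside this view, these exports refer to symbols that do not exist. As far as the hunks show, the `sub` return variants are not exported at all. Adding `EXPORT_SYMBOL(atomic_##op##_return_unchecked);` and its 64-bit counterpart to the `ATOMIC_OP_RETURN` macro above would cover both operations.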
11568diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile
11569index 30c3ecc..736f015 100644
11570--- a/arch/sparc/mm/Makefile
11571+++ b/arch/sparc/mm/Makefile
11572@@ -2,7 +2,7 @@
11573 #
11574
11575 asflags-y := -ansi
11576-ccflags-y := -Werror
11577+#ccflags-y := -Werror
11578
11579 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o gup.o
11580 obj-y += fault_$(BITS).o
11581diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
11582index c399e7b..2387414 100644
11583--- a/arch/sparc/mm/fault_32.c
11584+++ b/arch/sparc/mm/fault_32.c
11585@@ -22,6 +22,9 @@
11586 #include <linux/interrupt.h>
11587 #include <linux/kdebug.h>
11588 #include <linux/uaccess.h>
11589+#include <linux/slab.h>
11590+#include <linux/pagemap.h>
11591+#include <linux/compiler.h>
11592
11593 #include <asm/page.h>
11594 #include <asm/pgtable.h>
11595@@ -156,6 +159,277 @@ static unsigned long compute_si_addr(struct pt_regs *regs, int text_fault)
11596 return safe_compute_effective_address(regs, insn);
11597 }
11598
11599+#ifdef CONFIG_PAX_PAGEEXEC
11600+#ifdef CONFIG_PAX_DLRESOLVE
11601+static void pax_emuplt_close(struct vm_area_struct *vma)
11602+{
11603+ vma->vm_mm->call_dl_resolve = 0UL;
11604+}
11605+
11606+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
11607+{
11608+ unsigned int *kaddr;
11609+
11610+ vmf->page = alloc_page(GFP_HIGHUSER);
11611+ if (!vmf->page)
11612+ return VM_FAULT_OOM;
11613+
11614+ kaddr = kmap(vmf->page);
11615+ memset(kaddr, 0, PAGE_SIZE);
11616+ kaddr[0] = 0x9DE3BFA8U; /* save */
11617+ flush_dcache_page(vmf->page);
11618+ kunmap(vmf->page);
11619+ return VM_FAULT_MAJOR;
11620+}
11621+
11622+static const struct vm_operations_struct pax_vm_ops = {
11623+ .close = pax_emuplt_close,
11624+ .fault = pax_emuplt_fault
11625+};
11626+
11627+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
11628+{
11629+ int ret;
11630+
11631+ INIT_LIST_HEAD(&vma->anon_vma_chain);
11632+ vma->vm_mm = current->mm;
11633+ vma->vm_start = addr;
11634+ vma->vm_end = addr + PAGE_SIZE;
11635+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
11636+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
11637+ vma->vm_ops = &pax_vm_ops;
11638+
11639+ ret = insert_vm_struct(current->mm, vma);
11640+ if (ret)
11641+ return ret;
11642+
11643+ ++current->mm->total_vm;
11644+ return 0;
11645+}
11646+#endif
11647+
11648+/*
11649+ * PaX: decide what to do with offenders (regs->pc = fault address)
11650+ *
11651+ * returns 1 when task should be killed
11652+ * 2 when patched PLT trampoline was detected
11653+ * 3 when unpatched PLT trampoline was detected
11654+ */
11655+static int pax_handle_fetch_fault(struct pt_regs *regs)
11656+{
11657+
11658+#ifdef CONFIG_PAX_EMUPLT
11659+ int err;
11660+
11661+ do { /* PaX: patched PLT emulation #1 */
11662+ unsigned int sethi1, sethi2, jmpl;
11663+
11664+ err = get_user(sethi1, (unsigned int *)regs->pc);
11665+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
11666+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
11667+
11668+ if (err)
11669+ break;
11670+
11671+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
11672+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
11673+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
11674+ {
11675+ unsigned int addr;
11676+
11677+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
11678+ addr = regs->u_regs[UREG_G1];
11679+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11680+ regs->pc = addr;
11681+ regs->npc = addr+4;
11682+ return 2;
11683+ }
11684+ } while (0);
11685+
11686+ do { /* PaX: patched PLT emulation #2 */
11687+ unsigned int ba;
11688+
11689+ err = get_user(ba, (unsigned int *)regs->pc);
11690+
11691+ if (err)
11692+ break;
11693+
11694+ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
11695+ unsigned int addr;
11696+
11697+ if ((ba & 0xFFC00000U) == 0x30800000U)
11698+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
11699+ else
11700+ addr = regs->pc + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11701+ regs->pc = addr;
11702+ regs->npc = addr+4;
11703+ return 2;
11704+ }
11705+ } while (0);
11706+
11707+ do { /* PaX: patched PLT emulation #3 */
11708+ unsigned int sethi, bajmpl, nop;
11709+
11710+ err = get_user(sethi, (unsigned int *)regs->pc);
11711+ err |= get_user(bajmpl, (unsigned int *)(regs->pc+4));
11712+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
11713+
11714+ if (err)
11715+ break;
11716+
11717+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11718+ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
11719+ nop == 0x01000000U)
11720+ {
11721+ unsigned int addr;
11722+
11723+ addr = (sethi & 0x003FFFFFU) << 10;
11724+ regs->u_regs[UREG_G1] = addr;
11725+ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
11726+ addr += (((bajmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11727+ else
11728+ addr = regs->pc + ((((bajmpl | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11729+ regs->pc = addr;
11730+ regs->npc = addr+4;
11731+ return 2;
11732+ }
11733+ } while (0);
11734+
11735+ do { /* PaX: unpatched PLT emulation step 1 */
11736+ unsigned int sethi, ba, nop;
11737+
11738+ err = get_user(sethi, (unsigned int *)regs->pc);
11739+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
11740+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
11741+
11742+ if (err)
11743+ break;
11744+
11745+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11746+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
11747+ nop == 0x01000000U)
11748+ {
11749+ unsigned int addr, save, call;
11750+
11751+ if ((ba & 0xFFC00000U) == 0x30800000U)
11752+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
11753+ else
11754+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11755+
11756+ err = get_user(save, (unsigned int *)addr);
11757+ err |= get_user(call, (unsigned int *)(addr+4));
11758+ err |= get_user(nop, (unsigned int *)(addr+8));
11759+ if (err)
11760+ break;
11761+
11762+#ifdef CONFIG_PAX_DLRESOLVE
11763+ if (save == 0x9DE3BFA8U &&
11764+ (call & 0xC0000000U) == 0x40000000U &&
11765+ nop == 0x01000000U)
11766+ {
11767+ struct vm_area_struct *vma;
11768+ unsigned long call_dl_resolve;
11769+
11770+ down_read(&current->mm->mmap_sem);
11771+ call_dl_resolve = current->mm->call_dl_resolve;
11772+ up_read(&current->mm->mmap_sem);
11773+ if (likely(call_dl_resolve))
11774+ goto emulate;
11775+
11776+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
11777+
11778+ down_write(&current->mm->mmap_sem);
11779+ if (current->mm->call_dl_resolve) {
11780+ call_dl_resolve = current->mm->call_dl_resolve;
11781+ up_write(&current->mm->mmap_sem);
11782+ if (vma)
11783+ kmem_cache_free(vm_area_cachep, vma);
11784+ goto emulate;
11785+ }
11786+
11787+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
11788+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
11789+ up_write(&current->mm->mmap_sem);
11790+ if (vma)
11791+ kmem_cache_free(vm_area_cachep, vma);
11792+ return 1;
11793+ }
11794+
11795+ if (pax_insert_vma(vma, call_dl_resolve)) {
11796+ up_write(&current->mm->mmap_sem);
11797+ kmem_cache_free(vm_area_cachep, vma);
11798+ return 1;
11799+ }
11800+
11801+ current->mm->call_dl_resolve = call_dl_resolve;
11802+ up_write(&current->mm->mmap_sem);
11803+
11804+emulate:
11805+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
11806+ regs->pc = call_dl_resolve;
11807+ regs->npc = addr+4;
11808+ return 3;
11809+ }
11810+#endif
11811+
11812+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
11813+ if ((save & 0xFFC00000U) == 0x05000000U &&
11814+ (call & 0xFFFFE000U) == 0x85C0A000U &&
11815+ nop == 0x01000000U)
11816+ {
11817+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
11818+ regs->u_regs[UREG_G2] = addr + 4;
11819+ addr = (save & 0x003FFFFFU) << 10;
11820+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11821+ regs->pc = addr;
11822+ regs->npc = addr+4;
11823+ return 3;
11824+ }
11825+ }
11826+ } while (0);
11827+
11828+ do { /* PaX: unpatched PLT emulation step 2 */
11829+ unsigned int save, call, nop;
11830+
11831+ err = get_user(save, (unsigned int *)(regs->pc-4));
11832+ err |= get_user(call, (unsigned int *)regs->pc);
11833+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
11834+ if (err)
11835+ break;
11836+
11837+ if (save == 0x9DE3BFA8U &&
11838+ (call & 0xC0000000U) == 0x40000000U &&
11839+ nop == 0x01000000U)
11840+ {
11841+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
11842+
11843+ regs->u_regs[UREG_RETPC] = regs->pc;
11844+ regs->pc = dl_resolve;
11845+ regs->npc = dl_resolve+4;
11846+ return 3;
11847+ }
11848+ } while (0);
11849+#endif
11850+
11851+ return 1;
11852+}
11853+
11854+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
11855+{
11856+ unsigned long i;
11857+
11858+ printk(KERN_ERR "PAX: bytes at PC: ");
11859+ for (i = 0; i < 8; i++) {
11860+ unsigned int c;
11861+ if (get_user(c, (unsigned int *)pc+i))
11862+ printk(KERN_CONT "???????? ");
11863+ else
11864+ printk(KERN_CONT "%08x ", c);
11865+ }
11866+ printk("\n");
11867+}
11868+#endif
11869+
11870 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
11871 int text_fault)
11872 {
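Review bot: pax_handle_fetch_fault() matches instruction words read with get_user() against bare hex masks (`0xFFC00000U`/`0x03000000U`, `0xFFFFE000U`/`0x81C06000U`, `0x01000000U`) and then rewrites `regs->pc` from them; only the `/* save */` constant is annotated. These patterns are the sole check deciding whether a fetch from a non-executable page is emulated or the task is killed. Each `do { } while (0)` block should therefore carry a comment spelling out the sequence it accepts, e.g. `/* sethi %hi(a), %g1; sethi %hi(b), %g1; jmpl %g1 + simm13, %g0 */` for emulation #1, or use named constants. The helpers pax_emuplt_close(), pax_emuplt_fault() and pax_insert_vma() are repeated unchanged in the fault_64.c hunk and could share one definition.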
11873@@ -226,6 +500,24 @@ good_area:
11874 if (!(vma->vm_flags & VM_WRITE))
11875 goto bad_area;
11876 } else {
11877+
11878+#ifdef CONFIG_PAX_PAGEEXEC
11879+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
11880+ up_read(&mm->mmap_sem);
11881+ switch (pax_handle_fetch_fault(regs)) {
11882+
11883+#ifdef CONFIG_PAX_EMUPLT
11884+ case 2:
11885+ case 3:
11886+ return;
11887+#endif
11888+
11889+ }
11890+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
11891+ do_group_exit(SIGKILL);
11892+ }
11893+#endif
11894+
11895 /* Allow reads even for write-only mappings */
11896 if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
11897 goto bad_area;
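Review bot: With CONFIG_PAX_EMUPLT disabled, `switch (pax_handle_fetch_fault(regs))` has an empty body, and the kill path for return value 1 is only implied by falling out of the switch. A comment before the report call, such as `/* 1: not a recognised PLT trampoline, report and kill */`, would make that explicit. The `up_read(&mm->mmap_sem)` ahead of the call also deserves a note: the handler's DLRESOLVE path in the previous hunk takes the semaphore itself, so the release must not be moved after it. The enclosing fault handler starts and ends outside this hunk.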
11898diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
11899index dbabe57..d34d315 100644
11900--- a/arch/sparc/mm/fault_64.c
11901+++ b/arch/sparc/mm/fault_64.c
11902@@ -23,6 +23,9 @@
11903 #include <linux/percpu.h>
11904 #include <linux/context_tracking.h>
11905 #include <linux/uaccess.h>
11906+#include <linux/slab.h>
11907+#include <linux/pagemap.h>
11908+#include <linux/compiler.h>
11909
11910 #include <asm/page.h>
11911 #include <asm/pgtable.h>
11912@@ -76,7 +79,7 @@ static void __kprobes bad_kernel_pc(struct pt_regs *regs, unsigned long vaddr)
11913 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
11914 regs->tpc);
11915 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
11916- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
11917+ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
11918 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
11919 dump_stack();
11920 unhandled_fault(regs->tpc, current, regs);
11921@@ -279,6 +282,466 @@ static void noinline __kprobes bogus_32bit_fault_tpc(struct pt_regs *regs)
11922 show_regs(regs);
11923 }
11924
11925+#ifdef CONFIG_PAX_PAGEEXEC
11926+#ifdef CONFIG_PAX_DLRESOLVE
11927+static void pax_emuplt_close(struct vm_area_struct *vma)
11928+{
11929+ vma->vm_mm->call_dl_resolve = 0UL;
11930+}
11931+
11932+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
11933+{
11934+ unsigned int *kaddr;
11935+
11936+ vmf->page = alloc_page(GFP_HIGHUSER);
11937+ if (!vmf->page)
11938+ return VM_FAULT_OOM;
11939+
11940+ kaddr = kmap(vmf->page);
11941+ memset(kaddr, 0, PAGE_SIZE);
11942+ kaddr[0] = 0x9DE3BFA8U; /* save */
11943+ flush_dcache_page(vmf->page);
11944+ kunmap(vmf->page);
11945+ return VM_FAULT_MAJOR;
11946+}
11947+
11948+static const struct vm_operations_struct pax_vm_ops = {
11949+ .close = pax_emuplt_close,
11950+ .fault = pax_emuplt_fault
11951+};
11952+
11953+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
11954+{
11955+ int ret;
11956+
11957+ INIT_LIST_HEAD(&vma->anon_vma_chain);
11958+ vma->vm_mm = current->mm;
11959+ vma->vm_start = addr;
11960+ vma->vm_end = addr + PAGE_SIZE;
11961+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
11962+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
11963+ vma->vm_ops = &pax_vm_ops;
11964+
11965+ ret = insert_vm_struct(current->mm, vma);
11966+ if (ret)
11967+ return ret;
11968+
11969+ ++current->mm->total_vm;
11970+ return 0;
11971+}
11972+#endif
11973+
11974+/*
11975+ * PaX: decide what to do with offenders (regs->tpc = fault address)
11976+ *
11977+ * returns 1 when task should be killed
11978+ * 2 when patched PLT trampoline was detected
11979+ * 3 when unpatched PLT trampoline was detected
11980+ */
11981+static int pax_handle_fetch_fault(struct pt_regs *regs)
11982+{
11983+
11984+#ifdef CONFIG_PAX_EMUPLT
11985+ int err;
11986+
11987+ do { /* PaX: patched PLT emulation #1 */
11988+ unsigned int sethi1, sethi2, jmpl;
11989+
11990+ err = get_user(sethi1, (unsigned int *)regs->tpc);
11991+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
11992+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
11993+
11994+ if (err)
11995+ break;
11996+
11997+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
11998+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
11999+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
12000+ {
12001+ unsigned long addr;
12002+
12003+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
12004+ addr = regs->u_regs[UREG_G1];
12005+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
12006+
12007+ if (test_thread_flag(TIF_32BIT))
12008+ addr &= 0xFFFFFFFFUL;
12009+
12010+ regs->tpc = addr;
12011+ regs->tnpc = addr+4;
12012+ return 2;
12013+ }
12014+ } while (0);
12015+
12016+ do { /* PaX: patched PLT emulation #2 */
12017+ unsigned int ba;
12018+
12019+ err = get_user(ba, (unsigned int *)regs->tpc);
12020+
12021+ if (err)
12022+ break;
12023+
12024+ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
12025+ unsigned long addr;
12026+
12027+ if ((ba & 0xFFC00000U) == 0x30800000U)
12028+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
12029+ else
12030+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
12031+
12032+ if (test_thread_flag(TIF_32BIT))
12033+ addr &= 0xFFFFFFFFUL;
12034+
12035+ regs->tpc = addr;
12036+ regs->tnpc = addr+4;
12037+ return 2;
12038+ }
12039+ } while (0);
12040+
12041+ do { /* PaX: patched PLT emulation #3 */
12042+ unsigned int sethi, bajmpl, nop;
12043+
12044+ err = get_user(sethi, (unsigned int *)regs->tpc);
12045+ err |= get_user(bajmpl, (unsigned int *)(regs->tpc+4));
12046+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
12047+
12048+ if (err)
12049+ break;
12050+
12051+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12052+ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
12053+ nop == 0x01000000U)
12054+ {
12055+ unsigned long addr;
12056+
12057+ addr = (sethi & 0x003FFFFFU) << 10;
12058+ regs->u_regs[UREG_G1] = addr;
12059+ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
12060+ addr += (((bajmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
12061+ else
12062+ addr = regs->tpc + ((((bajmpl | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
12063+
12064+ if (test_thread_flag(TIF_32BIT))
12065+ addr &= 0xFFFFFFFFUL;
12066+
12067+ regs->tpc = addr;
12068+ regs->tnpc = addr+4;
12069+ return 2;
12070+ }
12071+ } while (0);
12072+
12073+ do { /* PaX: patched PLT emulation #4 */
12074+ unsigned int sethi, mov1, call, mov2;
12075+
12076+ err = get_user(sethi, (unsigned int *)regs->tpc);
12077+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
12078+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
12079+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
12080+
12081+ if (err)
12082+ break;
12083+
12084+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12085+ mov1 == 0x8210000FU &&
12086+ (call & 0xC0000000U) == 0x40000000U &&
12087+ mov2 == 0x9E100001U)
12088+ {
12089+ unsigned long addr;
12090+
12091+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
12092+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
12093+
12094+ if (test_thread_flag(TIF_32BIT))
12095+ addr &= 0xFFFFFFFFUL;
12096+
12097+ regs->tpc = addr;
12098+ regs->tnpc = addr+4;
12099+ return 2;
12100+ }
12101+ } while (0);
12102+
12103+ do { /* PaX: patched PLT emulation #5 */
12104+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
12105+
12106+ err = get_user(sethi, (unsigned int *)regs->tpc);
12107+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
12108+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
12109+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
12110+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
12111+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
12112+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
12113+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
12114+
12115+ if (err)
12116+ break;
12117+
12118+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12119+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
12120+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
12121+ (or1 & 0xFFFFE000U) == 0x82106000U &&
12122+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
12123+ sllx == 0x83287020U &&
12124+ jmpl == 0x81C04005U &&
12125+ nop == 0x01000000U)
12126+ {
12127+ unsigned long addr;
12128+
12129+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
12130+ regs->u_regs[UREG_G1] <<= 32;
12131+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
12132+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
12133+ regs->tpc = addr;
12134+ regs->tnpc = addr+4;
12135+ return 2;
12136+ }
12137+ } while (0);
12138+
12139+ do { /* PaX: patched PLT emulation #6 */
12140+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
12141+
12142+ err = get_user(sethi, (unsigned int *)regs->tpc);
12143+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
12144+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
12145+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
12146+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
12147+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
12148+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
12149+
12150+ if (err)
12151+ break;
12152+
12153+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12154+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
12155+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
12156+ sllx == 0x83287020U &&
12157+ (or & 0xFFFFE000U) == 0x8A116000U &&
12158+ jmpl == 0x81C04005U &&
12159+ nop == 0x01000000U)
12160+ {
12161+ unsigned long addr;
12162+
12163+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
12164+ regs->u_regs[UREG_G1] <<= 32;
12165+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
12166+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
12167+ regs->tpc = addr;
12168+ regs->tnpc = addr+4;
12169+ return 2;
12170+ }
12171+ } while (0);
12172+
12173+ do { /* PaX: unpatched PLT emulation step 1 */
12174+ unsigned int sethi, ba, nop;
12175+
12176+ err = get_user(sethi, (unsigned int *)regs->tpc);
12177+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
12178+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
12179+
12180+ if (err)
12181+ break;
12182+
12183+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12184+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
12185+ nop == 0x01000000U)
12186+ {
12187+ unsigned long addr;
12188+ unsigned int save, call;
12189+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
12190+
12191+ if ((ba & 0xFFC00000U) == 0x30800000U)
12192+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
12193+ else
12194+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
12195+
12196+ if (test_thread_flag(TIF_32BIT))
12197+ addr &= 0xFFFFFFFFUL;
12198+
12199+ err = get_user(save, (unsigned int *)addr);
12200+ err |= get_user(call, (unsigned int *)(addr+4));
12201+ err |= get_user(nop, (unsigned int *)(addr+8));
12202+ if (err)
12203+ break;
12204+
12205+#ifdef CONFIG_PAX_DLRESOLVE
12206+ if (save == 0x9DE3BFA8U &&
12207+ (call & 0xC0000000U) == 0x40000000U &&
12208+ nop == 0x01000000U)
12209+ {
12210+ struct vm_area_struct *vma;
12211+ unsigned long call_dl_resolve;
12212+
12213+ down_read(&current->mm->mmap_sem);
12214+ call_dl_resolve = current->mm->call_dl_resolve;
12215+ up_read(&current->mm->mmap_sem);
12216+ if (likely(call_dl_resolve))
12217+ goto emulate;
12218+
12219+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
12220+
12221+ down_write(&current->mm->mmap_sem);
12222+ if (current->mm->call_dl_resolve) {
12223+ call_dl_resolve = current->mm->call_dl_resolve;
12224+ up_write(&current->mm->mmap_sem);
12225+ if (vma)
12226+ kmem_cache_free(vm_area_cachep, vma);
12227+ goto emulate;
12228+ }
12229+
12230+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
12231+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
12232+ up_write(&current->mm->mmap_sem);
12233+ if (vma)
12234+ kmem_cache_free(vm_area_cachep, vma);
12235+ return 1;
12236+ }
12237+
12238+ if (pax_insert_vma(vma, call_dl_resolve)) {
12239+ up_write(&current->mm->mmap_sem);
12240+ kmem_cache_free(vm_area_cachep, vma);
12241+ return 1;
12242+ }
12243+
12244+ current->mm->call_dl_resolve = call_dl_resolve;
12245+ up_write(&current->mm->mmap_sem);
12246+
12247+emulate:
12248+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12249+ regs->tpc = call_dl_resolve;
12250+ regs->tnpc = addr+4;
12251+ return 3;
12252+ }
12253+#endif
12254+
12255+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
12256+ if ((save & 0xFFC00000U) == 0x05000000U &&
12257+ (call & 0xFFFFE000U) == 0x85C0A000U &&
12258+ nop == 0x01000000U)
12259+ {
12260+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12261+ regs->u_regs[UREG_G2] = addr + 4;
12262+ addr = (save & 0x003FFFFFU) << 10;
12263+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
12264+
12265+ if (test_thread_flag(TIF_32BIT))
12266+ addr &= 0xFFFFFFFFUL;
12267+
12268+ regs->tpc = addr;
12269+ regs->tnpc = addr+4;
12270+ return 3;
12271+ }
12272+
12273+ /* PaX: 64-bit PLT stub */
12274+ err = get_user(sethi1, (unsigned int *)addr);
12275+ err |= get_user(sethi2, (unsigned int *)(addr+4));
12276+ err |= get_user(or1, (unsigned int *)(addr+8));
12277+ err |= get_user(or2, (unsigned int *)(addr+12));
12278+ err |= get_user(sllx, (unsigned int *)(addr+16));
12279+ err |= get_user(add, (unsigned int *)(addr+20));
12280+ err |= get_user(jmpl, (unsigned int *)(addr+24));
12281+ err |= get_user(nop, (unsigned int *)(addr+28));
12282+ if (err)
12283+ break;
12284+
12285+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
12286+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
12287+ (or1 & 0xFFFFE000U) == 0x88112000U &&
12288+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
12289+ sllx == 0x89293020U &&
12290+ add == 0x8A010005U &&
12291+ jmpl == 0x89C14000U &&
12292+ nop == 0x01000000U)
12293+ {
12294+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12295+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
12296+ regs->u_regs[UREG_G4] <<= 32;
12297+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
12298+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
12299+ regs->u_regs[UREG_G4] = addr + 24;
12300+ addr = regs->u_regs[UREG_G5];
12301+ regs->tpc = addr;
12302+ regs->tnpc = addr+4;
12303+ return 3;
12304+ }
12305+ }
12306+ } while (0);
12307+
12308+#ifdef CONFIG_PAX_DLRESOLVE
12309+ do { /* PaX: unpatched PLT emulation step 2 */
12310+ unsigned int save, call, nop;
12311+
12312+ err = get_user(save, (unsigned int *)(regs->tpc-4));
12313+ err |= get_user(call, (unsigned int *)regs->tpc);
12314+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
12315+ if (err)
12316+ break;
12317+
12318+ if (save == 0x9DE3BFA8U &&
12319+ (call & 0xC0000000U) == 0x40000000U &&
12320+ nop == 0x01000000U)
12321+ {
12322+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
12323+
12324+ if (test_thread_flag(TIF_32BIT))
12325+ dl_resolve &= 0xFFFFFFFFUL;
12326+
12327+ regs->u_regs[UREG_RETPC] = regs->tpc;
12328+ regs->tpc = dl_resolve;
12329+ regs->tnpc = dl_resolve+4;
12330+ return 3;
12331+ }
12332+ } while (0);
12333+#endif
12334+
12335+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
12336+ unsigned int sethi, ba, nop;
12337+
12338+ err = get_user(sethi, (unsigned int *)regs->tpc);
12339+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
12340+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
12341+
12342+ if (err)
12343+ break;
12344+
12345+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12346+ (ba & 0xFFF00000U) == 0x30600000U &&
12347+ nop == 0x01000000U)
12348+ {
12349+ unsigned long addr;
12350+
12351+ addr = (sethi & 0x003FFFFFU) << 10;
12352+ regs->u_regs[UREG_G1] = addr;
12353+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
12354+
12355+ if (test_thread_flag(TIF_32BIT))
12356+ addr &= 0xFFFFFFFFUL;
12357+
12358+ regs->tpc = addr;
12359+ regs->tnpc = addr+4;
12360+ return 2;
12361+ }
12362+ } while (0);
12363+
12364+#endif
12365+
12366+ return 1;
12367+}
12368+
12369+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
12370+{
12371+ unsigned long i;
12372+
12373+ printk(KERN_ERR "PAX: bytes at PC: ");
12374+ for (i = 0; i < 8; i++) {
12375+ unsigned int c;
12376+ if (get_user(c, (unsigned int *)pc+i))
12377+ printk(KERN_CONT "???????? ");
12378+ else
12379+ printk(KERN_CONT "%08x ", c);
12380+ }
12381+ printk("\n");
12382+}
12383+#endif
12384+
12385 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
12386 {
12387 enum ctx_state prev_state = exception_enter();
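Review bot: In the CONFIG_PAX_DLRESOLVE branch of pax_handle_fetch_fault, a failed `kmem_cache_zalloc()`, `get_unmapped_area()` or `pax_insert_vma()` ends in `return 1;`, the value the function comment documents as "task should be killed". The caller in do_sparc64_fault (next hunk) then runs `pax_report_fault()` and `do_group_exit(SIGKILL)`, so memory pressure while handling a legitimate unpatched PLT would be logged and handled exactly like a real execution attempt. A separate return value for resource failure would keep those reports clean for whoever triages them. Failing that, both `return 1;` lines should carry a comment such as `/* resource failure: handled like a violation, task is killed */`.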
12388@@ -353,6 +816,29 @@ retry:
12389 if (!vma)
12390 goto bad_area;
12391
12392+#ifdef CONFIG_PAX_PAGEEXEC
12393+ /* PaX: detect ITLB misses on non-exec pages */
12394+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
12395+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
12396+ {
12397+ if (address != regs->tpc)
12398+ goto good_area;
12399+
12400+ up_read(&mm->mmap_sem);
12401+ switch (pax_handle_fetch_fault(regs)) {
12402+
12403+#ifdef CONFIG_PAX_EMUPLT
12404+ case 2:
12405+ case 3:
12406+ return;
12407+#endif
12408+
12409+ }
12410+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
12411+ do_group_exit(SIGKILL);
12412+ }
12413+#endif
12414+
12415 /* Pure DTLB misses do not tell us whether the fault causing
12416 * load/store/atomic was a write or not, it only says that there
12417 * was no match. So in such a case we (carefully) read the
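Review bot: The `return;` under `case 2:` / `case 3:` leaves do_sparc64_fault directly, although the function opens with `enum ctx_state prev_state = exception_enter();` (visible just above this hunk). The function's exit path is outside the hunk, but if it pairs that call with `exception_exit(prev_state)`, the emulated-PLT path skips it and leaves context tracking unbalanced. I would write `exception_exit(prev_state); return;` here, or jump to the function's common exit instead of returning.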
12418diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
12419index 131eaf4..285ea31 100644
12420--- a/arch/sparc/mm/hugetlbpage.c
12421+++ b/arch/sparc/mm/hugetlbpage.c
12422@@ -25,8 +25,10 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
12423 unsigned long addr,
12424 unsigned long len,
12425 unsigned long pgoff,
12426- unsigned long flags)
12427+ unsigned long flags,
12428+ unsigned long offset)
12429 {
12430+ struct mm_struct *mm = current->mm;
12431 unsigned long task_size = TASK_SIZE;
12432 struct vm_unmapped_area_info info;
12433
12434@@ -35,15 +37,22 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
12435
12436 info.flags = 0;
12437 info.length = len;
12438- info.low_limit = TASK_UNMAPPED_BASE;
12439+ info.low_limit = mm->mmap_base;
12440 info.high_limit = min(task_size, VA_EXCLUDE_START);
12441 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
12442 info.align_offset = 0;
12443+ info.threadstack_offset = offset;
12444 addr = vm_unmapped_area(&info);
12445
12446 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
12447 VM_BUG_ON(addr != -ENOMEM);
12448 info.low_limit = VA_EXCLUDE_END;
12449+
12450+#ifdef CONFIG_PAX_RANDMMAP
12451+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12452+ info.low_limit += mm->delta_mmap;
12453+#endif
12454+
12455 info.high_limit = task_size;
12456 addr = vm_unmapped_area(&info);
12457 }
12458@@ -55,7 +64,8 @@ static unsigned long
12459 hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12460 const unsigned long len,
12461 const unsigned long pgoff,
12462- const unsigned long flags)
12463+ const unsigned long flags,
12464+ const unsigned long offset)
12465 {
12466 struct mm_struct *mm = current->mm;
12467 unsigned long addr = addr0;
12468@@ -70,6 +80,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12469 info.high_limit = mm->mmap_base;
12470 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
12471 info.align_offset = 0;
12472+ info.threadstack_offset = offset;
12473 addr = vm_unmapped_area(&info);
12474
12475 /*
12476@@ -82,6 +93,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12477 VM_BUG_ON(addr != -ENOMEM);
12478 info.flags = 0;
12479 info.low_limit = TASK_UNMAPPED_BASE;
12480+
12481+#ifdef CONFIG_PAX_RANDMMAP
12482+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12483+ info.low_limit += mm->delta_mmap;
12484+#endif
12485+
12486 info.high_limit = STACK_TOP32;
12487 addr = vm_unmapped_area(&info);
12488 }
12489@@ -96,6 +113,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
12490 struct mm_struct *mm = current->mm;
12491 struct vm_area_struct *vma;
12492 unsigned long task_size = TASK_SIZE;
12493+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
12494
12495 if (test_thread_flag(TIF_32BIT))
12496 task_size = STACK_TOP32;
12497@@ -111,19 +129,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
12498 return addr;
12499 }
12500
12501+#ifdef CONFIG_PAX_RANDMMAP
12502+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12503+#endif
12504+
12505 if (addr) {
12506 addr = ALIGN(addr, HPAGE_SIZE);
12507 vma = find_vma(mm, addr);
12508- if (task_size - len >= addr &&
12509- (!vma || addr + len <= vma->vm_start))
12510+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
12511 return addr;
12512 }
12513 if (mm->get_unmapped_area == arch_get_unmapped_area)
12514 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
12515- pgoff, flags);
12516+ pgoff, flags, offset);
12517 else
12518 return hugetlb_get_unmapped_area_topdown(file, addr, len,
12519- pgoff, flags);
12520+ pgoff, flags, offset);
12521 }
12522
12523 pte_t *huge_pte_alloc(struct mm_struct *mm,
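Review bot: The unbraced `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` takes the following `if (addr) { ... }` block as its body across a blank line. Any statement later inserted between the two becomes the guarded body instead, and the address-hint path then runs unconditionally. If the intent is to ignore the caller's hint under RANDMMAP, a comment on the guard such as `/* RANDMMAP: skip the address hint, fall through to the randomized search */` would make that dependency visible. hugetlb_get_unmapped_area starts outside this hunk.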
12524diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
12525index 4ac88b7..bac6cb2 100644
12526--- a/arch/sparc/mm/init_64.c
12527+++ b/arch/sparc/mm/init_64.c
12528@@ -187,9 +187,9 @@ unsigned long sparc64_kern_sec_context __read_mostly;
12529 int num_kernel_image_mappings;
12530
12531 #ifdef CONFIG_DEBUG_DCFLUSH
12532-atomic_t dcpage_flushes = ATOMIC_INIT(0);
12533+atomic_unchecked_t dcpage_flushes = ATOMIC_INIT(0);
12534 #ifdef CONFIG_SMP
12535-atomic_t dcpage_flushes_xcall = ATOMIC_INIT(0);
12536+atomic_unchecked_t dcpage_flushes_xcall = ATOMIC_INIT(0);
12537 #endif
12538 #endif
12539
12540@@ -197,7 +197,7 @@ inline void flush_dcache_page_impl(struct page *page)
12541 {
12542 BUG_ON(tlb_type == hypervisor);
12543 #ifdef CONFIG_DEBUG_DCFLUSH
12544- atomic_inc(&dcpage_flushes);
12545+ atomic_inc_unchecked(&dcpage_flushes);
12546 #endif
12547
12548 #ifdef DCACHE_ALIASING_POSSIBLE
12549@@ -469,10 +469,10 @@ void mmu_info(struct seq_file *m)
12550
12551 #ifdef CONFIG_DEBUG_DCFLUSH
12552 seq_printf(m, "DCPageFlushes\t: %d\n",
12553- atomic_read(&dcpage_flushes));
12554+ atomic_read_unchecked(&dcpage_flushes));
12555 #ifdef CONFIG_SMP
12556 seq_printf(m, "DCPageFlushesXC\t: %d\n",
12557- atomic_read(&dcpage_flushes_xcall));
12558+ atomic_read_unchecked(&dcpage_flushes_xcall));
12559 #endif /* CONFIG_SMP */
12560 #endif /* CONFIG_DEBUG_DCFLUSH */
12561 }
12562diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
12563index 9def1f5..cf0cabc 100644
12564--- a/arch/tile/Kconfig
12565+++ b/arch/tile/Kconfig
12566@@ -204,6 +204,7 @@ source "kernel/Kconfig.hz"
12567
12568 config KEXEC
12569 bool "kexec system call"
12570+ depends on !GRKERNSEC_KMEM
12571 ---help---
12572 kexec is a system call that implements the ability to shutdown your
12573 current kernel, and to start another kernel. It is like a reboot
12574diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h
12575index 0496970..1a57e5f 100644
12576--- a/arch/tile/include/asm/atomic_64.h
12577+++ b/arch/tile/include/asm/atomic_64.h
12578@@ -105,6 +105,16 @@ static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
12579
12580 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
12581
12582+#define atomic64_read_unchecked(v) atomic64_read(v)
12583+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
12584+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
12585+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
12586+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
12587+#define atomic64_inc_unchecked(v) atomic64_inc(v)
12588+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
12589+#define atomic64_dec_unchecked(v) atomic64_dec(v)
12590+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
12591+
12592 #endif /* !__ASSEMBLY__ */
12593
12594 #endif /* _ASM_TILE_ATOMIC_64_H */
12595diff --git a/arch/tile/include/asm/cache.h b/arch/tile/include/asm/cache.h
12596index 6160761..00cac88 100644
12597--- a/arch/tile/include/asm/cache.h
12598+++ b/arch/tile/include/asm/cache.h
12599@@ -15,11 +15,12 @@
12600 #ifndef _ASM_TILE_CACHE_H
12601 #define _ASM_TILE_CACHE_H
12602
12603+#include <linux/const.h>
12604 #include <arch/chip.h>
12605
12606 /* bytes per L1 data cache line */
12607 #define L1_CACHE_SHIFT CHIP_L1D_LOG_LINE_SIZE()
12608-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12609+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12610
12611 /* bytes per L2 cache line */
12612 #define L2_CACHE_SHIFT CHIP_L2_LOG_LINE_SIZE()
12613diff --git a/arch/tile/include/asm/uaccess.h b/arch/tile/include/asm/uaccess.h
12614index 0a9c4265..bfb62d1 100644
12615--- a/arch/tile/include/asm/uaccess.h
12616+++ b/arch/tile/include/asm/uaccess.h
12617@@ -429,9 +429,9 @@ static inline unsigned long __must_check copy_from_user(void *to,
12618 const void __user *from,
12619 unsigned long n)
12620 {
12621- int sz = __compiletime_object_size(to);
12622+ size_t sz = __compiletime_object_size(to);
12623
12624- if (likely(sz == -1 || sz >= n))
12625+ if (likely(sz == (size_t)-1 || sz >= n))
12626 n = _copy_from_user(to, from, n);
12627 else
12628 copy_from_user_overflow();
12629diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c
12630index c034dc3..cf1cc96 100644
12631--- a/arch/tile/mm/hugetlbpage.c
12632+++ b/arch/tile/mm/hugetlbpage.c
12633@@ -174,6 +174,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
12634 info.high_limit = TASK_SIZE;
12635 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
12636 info.align_offset = 0;
12637+ info.threadstack_offset = 0;
12638 return vm_unmapped_area(&info);
12639 }
12640
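Review bot: `info.threadstack_offset = 0;` here, and again in the topdown variant in the next hunk, hard-codes zero, whereas the sparc hugetlb code in this same patch passes the value obtained from `gr_rand_threadstack_offset()`. If that is deliberate, a short comment such as `/* no thread-stack gap offset for hugetlb mappings on tile */` would stop a reader from taking it for an omission. If it is not, tile hugetlb mappings presumably miss the gap the other architecture gets. Both functions start and end outside their hunks.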
12641@@ -191,6 +192,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
12642 info.high_limit = current->mm->mmap_base;
12643 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
12644 info.align_offset = 0;
12645+ info.threadstack_offset = 0;
12646 addr = vm_unmapped_area(&info);
12647
12648 /*
12649diff --git a/arch/um/Makefile b/arch/um/Makefile
12650index 098ab33..fc54a33 100644
12651--- a/arch/um/Makefile
12652+++ b/arch/um/Makefile
12653@@ -73,6 +73,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -I%,,$(KBUILD_CFLAGS))) \
12654 -D_FILE_OFFSET_BITS=64 -idirafter include \
12655 -D__KERNEL__ -D__UM_HOST__
12656
12657+ifdef CONSTIFY_PLUGIN
12658+USER_CFLAGS += -fplugin-arg-constify_plugin-no-constify
12659+endif
12660+
12661 #This will adjust *FLAGS accordingly to the platform.
12662 include $(ARCH_DIR)/Makefile-os-$(OS)
12663
12664diff --git a/arch/um/include/asm/cache.h b/arch/um/include/asm/cache.h
12665index 19e1bdd..3665b77 100644
12666--- a/arch/um/include/asm/cache.h
12667+++ b/arch/um/include/asm/cache.h
12668@@ -1,6 +1,7 @@
12669 #ifndef __UM_CACHE_H
12670 #define __UM_CACHE_H
12671
12672+#include <linux/const.h>
12673
12674 #if defined(CONFIG_UML_X86) && !defined(CONFIG_64BIT)
12675 # define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
12676@@ -12,6 +13,6 @@
12677 # define L1_CACHE_SHIFT 5
12678 #endif
12679
12680-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12681+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12682
12683 #endif
12684diff --git a/arch/um/include/asm/kmap_types.h b/arch/um/include/asm/kmap_types.h
12685index 2e0a6b1..a64d0f5 100644
12686--- a/arch/um/include/asm/kmap_types.h
12687+++ b/arch/um/include/asm/kmap_types.h
12688@@ -8,6 +8,6 @@
12689
12690 /* No more #include "asm/arch/kmap_types.h" ! */
12691
12692-#define KM_TYPE_NR 14
12693+#define KM_TYPE_NR 15
12694
12695 #endif
12696diff --git a/arch/um/include/asm/page.h b/arch/um/include/asm/page.h
12697index 71c5d13..4c7b9f1 100644
12698--- a/arch/um/include/asm/page.h
12699+++ b/arch/um/include/asm/page.h
12700@@ -14,6 +14,9 @@
12701 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
12702 #define PAGE_MASK (~(PAGE_SIZE-1))
12703
12704+#define ktla_ktva(addr) (addr)
12705+#define ktva_ktla(addr) (addr)
12706+
12707 #ifndef __ASSEMBLY__
12708
12709 struct page;
12710diff --git a/arch/um/include/asm/pgtable-3level.h b/arch/um/include/asm/pgtable-3level.h
12711index 2b4274e..754fe06 100644
12712--- a/arch/um/include/asm/pgtable-3level.h
12713+++ b/arch/um/include/asm/pgtable-3level.h
12714@@ -58,6 +58,7 @@
12715 #define pud_present(x) (pud_val(x) & _PAGE_PRESENT)
12716 #define pud_populate(mm, pud, pmd) \
12717 set_pud(pud, __pud(_PAGE_TABLE + __pa(pmd)))
12718+#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
12719
12720 #ifdef CONFIG_64BIT
12721 #define set_pud(pudptr, pudval) set_64bit((u64 *) (pudptr), pud_val(pudval))
12722diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
12723index 68b9119..f72353c 100644
12724--- a/arch/um/kernel/process.c
12725+++ b/arch/um/kernel/process.c
12726@@ -345,22 +345,6 @@ int singlestepping(void * t)
12727 return 2;
12728 }
12729
12730-/*
12731- * Only x86 and x86_64 have an arch_align_stack().
12732- * All other arches have "#define arch_align_stack(x) (x)"
12733- * in their asm/exec.h
12734- * As this is included in UML from asm-um/system-generic.h,
12735- * we can use it to behave as the subarch does.
12736- */
12737-#ifndef arch_align_stack
12738-unsigned long arch_align_stack(unsigned long sp)
12739-{
12740- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
12741- sp -= get_random_int() % 8192;
12742- return sp & ~0xf;
12743-}
12744-#endif
12745-
12746 unsigned long get_wchan(struct task_struct *p)
12747 {
12748 unsigned long stack_page, sp, ip;
12749diff --git a/arch/unicore32/include/asm/cache.h b/arch/unicore32/include/asm/cache.h
12750index ad8f795..2c7eec6 100644
12751--- a/arch/unicore32/include/asm/cache.h
12752+++ b/arch/unicore32/include/asm/cache.h
12753@@ -12,8 +12,10 @@
12754 #ifndef __UNICORE_CACHE_H__
12755 #define __UNICORE_CACHE_H__
12756
12757-#define L1_CACHE_SHIFT (5)
12758-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12759+#include <linux/const.h>
12760+
12761+#define L1_CACHE_SHIFT 5
12762+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12763
12764 /*
12765 * Memory returned by kmalloc() may be used for DMA, so we must make
12766diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
12767index b3a1a5d..8dbc2d6 100644
12768--- a/arch/x86/Kconfig
12769+++ b/arch/x86/Kconfig
12770@@ -35,13 +35,12 @@ config X86
12771 select ARCH_MIGHT_HAVE_PC_SERIO
12772 select ARCH_SUPPORTS_ATOMIC_RMW
12773 select ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT
12774- select ARCH_SUPPORTS_INT128 if X86_64
12775+ select ARCH_SUPPORTS_INT128 if X86_64 && !PAX_SIZE_OVERFLOW
12776 select ARCH_SUPPORTS_NUMA_BALANCING if X86_64
12777 select ARCH_USE_BUILTIN_BSWAP
12778 select ARCH_USE_CMPXCHG_LOCKREF if X86_64
12779 select ARCH_USE_QUEUED_RWLOCKS
12780 select ARCH_USE_QUEUED_SPINLOCKS
12781- select ARCH_WANTS_DYNAMIC_TASK_STRUCT
12782 select ARCH_WANT_FRAME_POINTERS
12783 select ARCH_WANT_IPC_PARSE_VERSION if X86_32
12784 select ARCH_WANT_OPTIONAL_GPIOLIB
12785@@ -85,7 +84,7 @@ config X86
12786 select HAVE_ARCH_TRACEHOOK
12787 select HAVE_ARCH_TRANSPARENT_HUGEPAGE
12788 select HAVE_BPF_JIT if X86_64
12789- select HAVE_CC_STACKPROTECTOR
12790+ select HAVE_CC_STACKPROTECTOR if X86_64 || !PAX_MEMORY_UDEREF
12791 select HAVE_CMPXCHG_DOUBLE
12792 select HAVE_CMPXCHG_LOCAL
12793 select HAVE_CONTEXT_TRACKING if X86_64
12794@@ -274,7 +273,7 @@ config X86_64_SMP
12795
12796 config X86_32_LAZY_GS
12797 def_bool y
12798- depends on X86_32 && !CC_STACKPROTECTOR
12799+ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
12800
12801 config ARCH_HWEIGHT_CFLAGS
12802 string
12803@@ -646,6 +645,7 @@ config SCHED_OMIT_FRAME_POINTER
12804
12805 menuconfig HYPERVISOR_GUEST
12806 bool "Linux guest support"
12807+ depends on !GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_VIRT_GUEST || (GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_XEN)
12808 ---help---
12809 Say Y here to enable options for running Linux under various hyper-
12810 visors. This option enables basic hypervisor detection and platform
12811@@ -1014,6 +1014,7 @@ config VM86
12812
12813 config X86_16BIT
12814 bool "Enable support for 16-bit segments" if EXPERT
12815+ depends on !GRKERNSEC
12816 default y
12817 ---help---
12818 This option is required by programs like Wine to run 16-bit
12819@@ -1182,6 +1183,7 @@ choice
12820
12821 config NOHIGHMEM
12822 bool "off"
12823+ depends on !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12824 ---help---
12825 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
12826 However, the address space of 32-bit x86 processors is only 4
12827@@ -1218,6 +1220,7 @@ config NOHIGHMEM
12828
12829 config HIGHMEM4G
12830 bool "4GB"
12831+ depends on !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12832 ---help---
12833 Select this if you have a 32-bit processor and between 1 and 4
12834 gigabytes of physical RAM.
12835@@ -1270,7 +1273,7 @@ config PAGE_OFFSET
12836 hex
12837 default 0xB0000000 if VMSPLIT_3G_OPT
12838 default 0x80000000 if VMSPLIT_2G
12839- default 0x78000000 if VMSPLIT_2G_OPT
12840+ default 0x70000000 if VMSPLIT_2G_OPT
12841 default 0x40000000 if VMSPLIT_1G
12842 default 0xC0000000
12843 depends on X86_32
12844@@ -1290,7 +1293,6 @@ config X86_PAE
12845
12846 config ARCH_PHYS_ADDR_T_64BIT
12847 def_bool y
12848- depends on X86_64 || X86_PAE
12849
12850 config ARCH_DMA_ADDR_T_64BIT
12851 def_bool y
12852@@ -1724,6 +1726,7 @@ source kernel/Kconfig.hz
12853
12854 config KEXEC
12855 bool "kexec system call"
12856+ depends on !GRKERNSEC_KMEM
12857 ---help---
12858 kexec is a system call that implements the ability to shutdown your
12859 current kernel, and to start another kernel. It is like a reboot
12860@@ -1906,7 +1909,9 @@ config X86_NEED_RELOCS
12861
12862 config PHYSICAL_ALIGN
12863 hex "Alignment value to which kernel should be aligned"
12864- default "0x200000"
12865+ default "0x1000000"
12866+ range 0x200000 0x1000000 if PAX_KERNEXEC && X86_PAE
12867+ range 0x400000 0x1000000 if PAX_KERNEXEC && !X86_PAE
12868 range 0x2000 0x1000000 if X86_32
12869 range 0x200000 0x1000000 if X86_64
12870 ---help---
12871@@ -1989,6 +1994,7 @@ config COMPAT_VDSO
12872 def_bool n
12873 prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)"
12874 depends on X86_32 || IA32_EMULATION
12875+ depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
12876 ---help---
12877 Certain buggy versions of glibc will crash if they are
12878 presented with a 32-bit vDSO that is not mapped at the address
12879@@ -2053,6 +2059,22 @@ config CMDLINE_OVERRIDE
12880 This is used to work around broken boot loaders. This should
12881 be set to 'N' under normal conditions.
12882
12883+config DEFAULT_MODIFY_LDT_SYSCALL
12884+ bool "Allow userspace to modify the LDT by default"
12885+ default y
12886+
12887+ ---help---
12888+ Modifying the LDT (Local Descriptor Table) may be needed to run a
12889+ 16-bit or segmented code such as Dosemu or Wine. This is done via
12890+ a system call which is not needed to run portable applications,
12891+ and which can sometimes be abused to exploit some weaknesses of
12892+ the architecture, opening new vulnerabilities.
12893+
12894+ For this reason this option allows one to enable or disable the
12895+ feature at runtime. It is recommended to say 'N' here to leave
12896+ the system protected, and to enable it at runtime only if needed
12897+ by setting the sys.kernel.modify_ldt sysctl.
12898+
12899 source "kernel/livepatch/Kconfig"
12900
12901 endmenu
12902diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu
12903index 6983314..54ad7e8 100644
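--- a/arch/x86/Kconfig.cpu
+++ b/arch/x86/Kconfig.cpu
@@ -319,7 +319,7 @@ config X86_PPRO_FENCE
 
 config X86_F00F_BUG
 def_bool y
- depends on M586MMX || M586TSC || M586 || M486
+ depends on (M586MMX || M586TSC || M586 || M486) && !PAX_KERNEXEC
 
 config X86_INVD_BUG
 def_bool y
@@ -327,7 +327,7 @@ config X86_INVD_BUG
 
 config X86_ALIGNMENT_16
 def_bool y
- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
 
 config X86_INTEL_USERCOPY
 def_bool y
@@ -369,7 +369,7 @@ config X86_CMPXCHG64
 # generates cmov.
 config X86_CMOV
 def_bool y
- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
 
 config X86_MINIMUM_CPU_FAMILY
 int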
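Review bot: `X86_F00F_BUG` now carries `&& !PAX_KERNEXEC`, so on M586MMX/M586TSC/M586/M486 builds the symbol goes to `n` as soon as KERNEXEC is selected, and the hunk does not say what covers the erratum in that configuration. If KERNEXEC's own handling of the IDT makes the separate workaround unnecessary (an assumption; the relevant code is not in this section), a Kconfig comment above the line would record it, e.g. `# PAX_KERNEXEC write-protects the IDT itself; the F00F remap is not used with it`. Without such a note, a reader cannot tell a deliberate replacement from a dropped mitigation.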
12933diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
12934index d8c0d32..28e3117 100644
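--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -69,6 +69,7 @@ config X86_PTDUMP
 bool "Export kernel pagetable layout to userspace via debugfs"
 depends on DEBUG_KERNEL
 select DEBUG_FS
+ depends on !GRKERNSEC_KMEM
 ---help---
 Say Y here if you want to show the kernel pagetable layout in a
 debugfs file. This information is only useful for kernel developers
@@ -89,7 +90,7 @@ config EFI_PGT_DUMP
 config DEBUG_RODATA
 bool "Write protect kernel read-only data structures"
 default y
- depends on DEBUG_KERNEL
+ depends on DEBUG_KERNEL && BROKEN
 ---help---
 Mark the kernel read-only data as write-protected in the pagetables,
 in order to catch accidental (and incorrect) writes to such const
@@ -107,7 +108,7 @@ config DEBUG_RODATA_TEST
 
 config DEBUG_SET_MODULE_RONX
 bool "Set loadable kernel module data as NX and text as RO"
- depends on MODULES
+ depends on MODULES && BROKEN
 ---help---
 This option helps catch unintended modifications to loadable
 kernel module's text and read-only data. It also prevents execution
@@ -359,6 +360,7 @@ config X86_DEBUG_FPU
 config PUNIT_ATOM_DEBUG
 tristate "ATOM Punit debug driver"
 select DEBUG_FS
+ depends on !GRKERNSEC_KMEM
 select IOSF_MBI
 ---help---
 This is a debug driver, which gets the power states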
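Review bot: Adding `&& BROKEN` to `DEBUG_RODATA` and `DEBUG_SET_MODULE_RONX` makes both options unselectable in every configuration, including kernels built with the PaX features turned off, and neither entry says what replaces them. If the intent is that PAX_KERNEXEC supersedes these options (not shown in this section), narrowing the dependency to the conflicting case, e.g. `depends on DEBUG_KERNEL && !PAX_KERNEXEC`, or at least a comment such as `# superseded by PAX_KERNEXEC; kept unselectable on purpose`, would keep a non-PaX build from silently losing write-protected kernel data. Separately, in `X86_PTDUMP` and `PUNIT_ATOM_DEBUG` the new `depends on !GRKERNSEC_KMEM` sits after or between `select` lines; keeping the `depends on` lines together ahead of `select` reads better.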
12971diff --git a/arch/x86/Makefile b/arch/x86/Makefile
12972index 118e6de..e02efff 100644
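--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -65,9 +65,6 @@ ifeq ($(CONFIG_X86_32),y)
 # CPU-specific tuning. Anything which can be shared with UML should go here.
 include arch/x86/Makefile_32.cpu
 KBUILD_CFLAGS += $(cflags-y)
-
- # temporary until string.h is fixed
- KBUILD_CFLAGS += -ffreestanding
 else
 BITS := 64
 UTS_MACHINE := x86_64
@@ -116,6 +113,9 @@ else
 KBUILD_CFLAGS += $(call cc-option,-maccumulate-outgoing-args)
 endif
 
+# temporary until string.h is fixed
+KBUILD_CFLAGS += -ffreestanding
+
 # Make sure compiler does not have buggy stack-protector support.
 ifdef CONFIG_CC_STACKPROTECTOR
 cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
@@ -184,6 +184,7 @@ archheaders:
 $(Q)$(MAKE) $(build)=arch/x86/entry/syscalls all
 
 archprepare:
+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
 ifeq ($(CONFIG_KEXEC_FILE),y)
 $(Q)$(MAKE) $(build)=arch/x86/purgatory arch/x86/purgatory/kexec-purgatory.c
 endif
@@ -267,3 +268,9 @@ define archhelp
 echo ' FDARGS="..." arguments for the booted kernel'
 echo ' FDINITRD=file initrd for the booted kernel'
 endef
+
+define OLD_LD
+
+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
+*** Please upgrade your binutils to 2.18 or newer
+endef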
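Review bot: The `archprepare` guard `$(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))` tests whether `LDFLAGS_BUILD_ID` is empty, while the message it prints talks about binutils older than 2.18; the link between the two is not stated anywhere in the hunk. The variable is not defined in the lines shown, so a linker that simply lacks `--build-id` support, or an override that empties the variable, would be reported as a binutils-version problem. A comment above the check, e.g. `# empty LDFLAGS_BUILD_ID means ld lacks --build-id, taken here as binutils < 2.18`, would make the proxy explicit. The moved `-ffreestanding` line now applies to 64-bit builds as well but keeps the comment `temporary until string.h is fixed`, which was written for the 32-bit branch.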
13013diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
13014index 57bbf2f..b100fce 100644
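--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -58,6 +58,9 @@ clean-files += cpustr.h
 # ---------------------------------------------------------------------------
 
 KBUILD_CFLAGS := $(USERINCLUDE) $(REALMODE_CFLAGS) -D_SETUP
+ifdef CONSTIFY_PLUGIN
+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
+endif
 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
 GCOV_PROFILE := n
 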
13027diff --git a/arch/x86/boot/bitops.h b/arch/x86/boot/bitops.h
13028index 878e4b9..20537ab 100644
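--- a/arch/x86/boot/bitops.h
+++ b/arch/x86/boot/bitops.h
@@ -26,7 +26,7 @@ static inline int variable_test_bit(int nr, const void *addr)
 u8 v;
 const u32 *p = (const u32 *)addr;
 
- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
 return v;
 }
 
@@ -37,7 +37,7 @@ static inline int variable_test_bit(int nr, const void *addr)
 
 static inline void set_bit(int nr, void *addr)
 {
- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
 }
 
 #endif /* BOOT_BITOPS_H */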
13049diff --git a/arch/x86/boot/boot.h b/arch/x86/boot/boot.h
13050index bd49ec6..94c7f58 100644
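--- a/arch/x86/boot/boot.h
+++ b/arch/x86/boot/boot.h
@@ -84,7 +84,7 @@ static inline void io_delay(void)
 static inline u16 ds(void)
 {
 u16 seg;
- asm("movw %%ds,%0" : "=rm" (seg));
+ asm volatile("movw %%ds,%0" : "=rm" (seg));
 return seg;
 }
 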
13062diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
13063index 0a291cd..9686efc 100644
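--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -30,6 +30,9 @@ KBUILD_CFLAGS += $(cflags-y)
 KBUILD_CFLAGS += -mno-mmx -mno-sse
 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
+ifdef CONSTIFY_PLUGIN
+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
+endif
 
 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
 GCOV_PROFILE := n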
13076diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S
13077index a53440e..c3dbf1e 100644
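--- a/arch/x86/boot/compressed/efi_stub_32.S
+++ b/arch/x86/boot/compressed/efi_stub_32.S
@@ -46,16 +46,13 @@ ENTRY(efi_call_phys)
 * parameter 2, ..., param n. To make things easy, we save the return
 * address of efi_call_phys in a global variable.
 */
- popl %ecx
- movl %ecx, saved_return_addr(%edx)
- /* get the function pointer into ECX*/
- popl %ecx
- movl %ecx, efi_rt_function_ptr(%edx)
+ popl saved_return_addr(%edx)
+ popl efi_rt_function_ptr(%edx)
 
 /*
 * 3. Call the physical function.
 */
- call *%ecx
+ call *efi_rt_function_ptr(%edx)
 
 /*
 * 4. Balance the stack. And because EAX contain the return value,
@@ -67,15 +64,12 @@ ENTRY(efi_call_phys)
 1: popl %edx
 subl $1b, %edx
 
- movl efi_rt_function_ptr(%edx), %ecx
- pushl %ecx
+ pushl efi_rt_function_ptr(%edx)
 
 /*
 * 10. Push the saved return address onto the stack and return.
 */
- movl saved_return_addr(%edx), %ecx
- pushl %ecx
- ret
+ jmpl *saved_return_addr(%edx)
 ENDPROC(efi_call_phys)
 .previous
 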
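Review bot: The step comment `10. Push the saved return address onto the stack and return.` is left unchanged in the second hunk, but the new code no longer pushes the address or executes `ret`; it leaves through `jmpl *saved_return_addr(%edx)`. The comment should follow the code, e.g. `* 10. Jump to the saved return address.` In the first hunk the removed `/* get the function pointer into ECX*/` has no successor either, although the call now goes through memory as `call *efi_rt_function_ptr(%edx)`; a one-line comment there would help anyone comparing this routine with the upstream file. `efi_call_phys` starts before the first hunk.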
13118diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S
13119index 630384a..278e788 100644
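--- a/arch/x86/boot/compressed/efi_thunk_64.S
+++ b/arch/x86/boot/compressed/efi_thunk_64.S
@@ -189,8 +189,8 @@ efi_gdt64:
 .long 0 /* Filled out by user */
 .word 0
 .quad 0x0000000000000000 /* NULL descriptor */
- .quad 0x00af9a000000ffff /* __KERNEL_CS */
- .quad 0x00cf92000000ffff /* __KERNEL_DS */
+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
 .quad 0x0080890000000000 /* TS descriptor */
 .quad 0x0000000000000000 /* TS continued */
 efi_gdt64_end: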
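Review bot: The only change to the `__KERNEL_CS` and `__KERNEL_DS` descriptors in `efi_gdt64` is bit 40, the accessed bit of the type field (`9a` to `9b`, `92` to `93`), and the trailing comments give no hint of that. Presumably the bit is pre-set so the CPU never has to write it back into the table when a selector is loaded, which matters if the GDT can be mapped read-only; that reason is not visible here and should be confirmed. A short comment would save the next reader from decoding the constants, e.g. `/* __KERNEL_CS, accessed bit pre-set */`. The `gdt:` table in arch/x86/boot/compressed/head_64.S receives the same two-line change and the same remark applies there.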
13133diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
13134index 8ef964d..fcfb8aa 100644
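--- a/arch/x86/boot/compressed/head_32.S
+++ b/arch/x86/boot/compressed/head_32.S
@@ -141,10 +141,10 @@ preferred_addr:
 addl %eax, %ebx
 notl %eax
 andl %eax, %ebx
- cmpl $LOAD_PHYSICAL_ADDR, %ebx
+ cmpl $____LOAD_PHYSICAL_ADDR, %ebx
 jge 1f
 #endif
- movl $LOAD_PHYSICAL_ADDR, %ebx
+ movl $____LOAD_PHYSICAL_ADDR, %ebx
 1:
 
 /* Target address to relocate to for decompression */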
13150diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
13151index b0c0d16..3b44ff8 100644
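--- a/arch/x86/boot/compressed/head_64.S
+++ b/arch/x86/boot/compressed/head_64.S
@@ -95,10 +95,10 @@ ENTRY(startup_32)
 addl %eax, %ebx
 notl %eax
 andl %eax, %ebx
- cmpl $LOAD_PHYSICAL_ADDR, %ebx
+ cmpl $____LOAD_PHYSICAL_ADDR, %ebx
 jge 1f
 #endif
- movl $LOAD_PHYSICAL_ADDR, %ebx
+ movl $____LOAD_PHYSICAL_ADDR, %ebx
 1:
 
 /* Target address to relocate to for decompression */
@@ -323,10 +323,10 @@ preferred_addr:
 addq %rax, %rbp
 notq %rax
 andq %rax, %rbp
- cmpq $LOAD_PHYSICAL_ADDR, %rbp
+ cmpq $____LOAD_PHYSICAL_ADDR, %rbp
 jge 1f
 #endif
- movq $LOAD_PHYSICAL_ADDR, %rbp
+ movq $____LOAD_PHYSICAL_ADDR, %rbp
 1:
 
 /* Target address to relocate to for decompression */
@@ -435,8 +435,8 @@ gdt:
 .long gdt
 .word 0
 .quad 0x0000000000000000 /* NULL descriptor */
- .quad 0x00af9a000000ffff /* __KERNEL_CS */
- .quad 0x00cf92000000ffff /* __KERNEL_DS */
+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
 .quad 0x0080890000000000 /* TS descriptor */
 .quad 0x0000000000000000 /* TS continued */
 gdt_end: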
13191diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
13192index e28437e..6a17460 100644
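--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -242,7 +242,7 @@ static void handle_relocations(void *output, unsigned long output_len)
 * Calculate the delta between where vmlinux was linked to load
 * and where it was actually loaded.
 */
- delta = min_addr - LOAD_PHYSICAL_ADDR;
+ delta = min_addr - ____LOAD_PHYSICAL_ADDR;
 if (!delta) {
 debug_putstr("No relocation needed... ");
 return;
@@ -324,7 +324,7 @@ static void parse_elf(void *output)
 Elf32_Ehdr ehdr;
 Elf32_Phdr *phdrs, *phdr;
 #endif
- void *dest;
+ void *dest, *prev;
 int i;
 
 memcpy(&ehdr, output, sizeof(ehdr));
@@ -351,13 +351,16 @@ static void parse_elf(void *output)
 case PT_LOAD:
 #ifdef CONFIG_RELOCATABLE
 dest = output;
- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
 #else
 dest = (void *)(phdr->p_paddr);
 #endif
 memcpy(dest,
 output + phdr->p_offset,
 phdr->p_filesz);
+ if (i)
+ memset(prev, 0xff, dest - prev);
+ prev = dest + phdr->p_filesz;
 break;
 default: /* Ignore other PT_* */ break;
 }
@@ -419,7 +422,7 @@ asmlinkage __visible void *decompress_kernel(void *rmode, memptr heap,
 error("Destination address too large");
 #endif
 #ifndef CONFIG_RELOCATABLE
- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
 error("Wrong destination address");
 #endif
 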
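Review bot: In `parse_elf`, `prev` is declared without an initializer and the new `if (i) memset(prev, 0xff, dest - prev);` guards on `i`, presumably the program-header loop index, rather than on whether an earlier `PT_LOAD` segment was copied. If header 0 is not `PT_LOAD`, the first loadable segment reaches `memset` with an indeterminate `prev`, and if segments are not in ascending address order `dest - prev` is negative and converts to a huge length. Initialising and checking the pointer closes both cases: `void *dest, *prev = NULL;` and `if (prev && dest > prev)`. The loop header and the rest of `parse_elf` lie outside the hunks shown, so the ordering assumption may be enforced elsewhere. A comment saying why the gap is filled with `0xff` would also help.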
13240diff --git a/arch/x86/boot/cpucheck.c b/arch/x86/boot/cpucheck.c
13241index 1fd7d57..0f7d096 100644
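--- a/arch/x86/boot/cpucheck.c
+++ b/arch/x86/boot/cpucheck.c
@@ -125,9 +125,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
 u32 ecx = MSR_K7_HWCR;
 u32 eax, edx;
 
- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
 eax &= ~(1 << 15);
- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
 
 get_cpuflags(); /* Make sure it really did something */
 err = check_cpuflags();
@@ -140,9 +140,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
 u32 ecx = MSR_VIA_FCR;
 u32 eax, edx;
 
- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
 eax |= (1<<1)|(1<<7);
- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
 
 set_bit(X86_FEATURE_CX8, cpu.flags);
 err = check_cpuflags();
@@ -153,12 +153,12 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
 u32 eax, edx;
 u32 level = 1;
 
- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
- asm("cpuid"
+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
+ asm volatile("cpuid"
 : "+a" (level), "=d" (cpu.flags[0])
 : : "ecx", "ebx");
- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
 
 err = check_cpuflags();
 } else if (err == 0x01 &&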
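Review bot: Every `asm` in these three blocks of `check_cpu` gains `volatile`, but nothing says which of them need it: the `wrmsr` statements have no output operands and are already treated as volatile by GCC, so the qualifier changes behaviour only for `rdmsr` and `cpuid`, whose outputs would otherwise let the compiler merge them or move them across the MSR write. A single comment would tell readers which lines carry the ordering, e.g. `/* volatile: keep the MSR read and CPUID in program order around wrmsr */` above the first `rdmsr`. `check_cpu` begins and ends outside these hunks.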
13285diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
13286index 16ef025..91e033b 100644
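--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
@@ -438,10 +438,14 @@ setup_data: .quad 0 # 64-bit physical pointer to
 # single linked list of
 # struct setup_data
 
-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
 
 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
+#define VO_INIT_SIZE (VO__end - VO__text - __PAGE_OFFSET - ____LOAD_PHYSICAL_ADDR)
+#else
 #define VO_INIT_SIZE (VO__end - VO__text)
+#endif
 #if ZO_INIT_SIZE > VO_INIT_SIZE
 #define INIT_SIZE ZO_INIT_SIZE
 #else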
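Review bot: The new `VO_INIT_SIZE` for `CONFIG_X86_32 && CONFIG_PAX_KERNEXEC` subtracts `__PAGE_OFFSET` and `____LOAD_PHYSICAL_ADDR` from `VO__end - VO__text` without a comment on why the two symbols no longer share a base in that configuration. The value is compared with `ZO_INIT_SIZE` to pick `INIT_SIZE` just below, so a reader needs the assumption written down to check it. A comment above the `#if` would do, e.g. `/* with KERNEXEC on x86-32, VO__text and VO__end are linked at different bases; remove the offset (confirm against the linker script) */`.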
13305diff --git a/arch/x86/boot/memory.c b/arch/x86/boot/memory.c
13306index db75d07..8e6d0af 100644
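--- a/arch/x86/boot/memory.c
+++ b/arch/x86/boot/memory.c
@@ -19,7 +19,7 @@
 
 static int detect_memory_e820(void)
 {
- int count = 0;
+ unsigned int count = 0;
 struct biosregs ireg, oreg;
 struct e820entry *desc = boot_params.e820_map;
 static struct e820entry buf; /* static so it is zeroed */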
13318diff --git a/arch/x86/boot/video-vesa.c b/arch/x86/boot/video-vesa.c
13319index ba3e100..6501b8f 100644
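--- a/arch/x86/boot/video-vesa.c
+++ b/arch/x86/boot/video-vesa.c
@@ -201,6 +201,7 @@ static void vesa_store_pm_info(void)
 
 boot_params.screen_info.vesapm_seg = oreg.es;
 boot_params.screen_info.vesapm_off = oreg.di;
+ boot_params.screen_info.vesapm_size = oreg.cx;
 }
 
 /*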
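Review bot: `vesapm_size` is filled straight from `oreg.cx`, a length reported by the video BIOS, and nothing in the hunk bounds it or tells later users that it is unvalidated. Whatever consumes `vesapm_seg:vesapm_off` together with this size should treat it as firmware-supplied input; a comment on the new line would carry that forward, e.g. `/* table length as reported by the BIOS; not range-checked here */`. The start of `vesa_store_pm_info` is outside the hunk, so any status check on the BIOS call is not visible.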
13330diff --git a/arch/x86/boot/video.c b/arch/x86/boot/video.c
13331index 05111bb..a1ae1f0 100644
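--- a/arch/x86/boot/video.c
+++ b/arch/x86/boot/video.c
@@ -98,7 +98,7 @@ static void store_mode_params(void)
 static unsigned int get_entry(void)
 {
 char entry_buf[4];
- int i, len = 0;
+ unsigned int i, len = 0;
 int key;
 unsigned int v;
 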
13343diff --git a/arch/x86/crypto/aes-x86_64-asm_64.S b/arch/x86/crypto/aes-x86_64-asm_64.S
13344index 9105655..41779c1 100644
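--- a/arch/x86/crypto/aes-x86_64-asm_64.S
+++ b/arch/x86/crypto/aes-x86_64-asm_64.S
@@ -8,6 +8,8 @@
 * including this sentence is retained in full.
 */
 
+#include <asm/alternative-asm.h>
+
 .extern crypto_ft_tab
 .extern crypto_it_tab
 .extern crypto_fl_tab
@@ -70,6 +72,8 @@
 je B192; \
 leaq 32(r9),r9;
 
+#define ret pax_force_retaddr; ret
+
 #define epilogue(FUNC,r1,r2,r3,r4,r5,r6,r7,r8,r9) \
 movq r1,r2; \
 movq r3,r4; \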
13366index 6bd2c6c..368c93e 100644
13367--- a/arch/x86/crypto/aesni-intel_asm.S
13368+++ b/arch/x86/crypto/aesni-intel_asm.S
13369@@ -31,6 +31,7 @@
13370
13371 #include <linux/linkage.h>
13372 #include <asm/inst.h>
13373+#include <asm/alternative-asm.h>
13374
13375 /*
13376 * The following macros are used to move an (un)aligned 16 byte value to/from
13377@@ -217,7 +218,7 @@ enc: .octa 0x2
13378 * num_initial_blocks = b mod 4
13379 * encrypt the initial num_initial_blocks blocks and apply ghash on
13380 * the ciphertext
13381-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13382+* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13383 * are clobbered
13384 * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified
13385 */
13386@@ -227,8 +228,8 @@ enc: .octa 0x2
13387 XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
13388 MOVADQ SHUF_MASK(%rip), %xmm14
13389 mov arg7, %r10 # %r10 = AAD
13390- mov arg8, %r12 # %r12 = aadLen
13391- mov %r12, %r11
13392+ mov arg8, %r15 # %r15 = aadLen
13393+ mov %r15, %r11
13394 pxor %xmm\i, %xmm\i
13395
13396 _get_AAD_loop\num_initial_blocks\operation:
13397@@ -237,17 +238,17 @@ _get_AAD_loop\num_initial_blocks\operation:
13398 psrldq $4, %xmm\i
13399 pxor \TMP1, %xmm\i
13400 add $4, %r10
13401- sub $4, %r12
13402+ sub $4, %r15
13403 jne _get_AAD_loop\num_initial_blocks\operation
13404
13405 cmp $16, %r11
13406 je _get_AAD_loop2_done\num_initial_blocks\operation
13407
13408- mov $16, %r12
13409+ mov $16, %r15
13410 _get_AAD_loop2\num_initial_blocks\operation:
13411 psrldq $4, %xmm\i
13412- sub $4, %r12
13413- cmp %r11, %r12
13414+ sub $4, %r15
13415+ cmp %r11, %r15
13416 jne _get_AAD_loop2\num_initial_blocks\operation
13417
13418 _get_AAD_loop2_done\num_initial_blocks\operation:
13419@@ -442,7 +443,7 @@ _initial_blocks_done\num_initial_blocks\operation:
13420 * num_initial_blocks = b mod 4
13421 * encrypt the initial num_initial_blocks blocks and apply ghash on
13422 * the ciphertext
13423-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13424+* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13425 * are clobbered
13426 * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified
13427 */
13428@@ -452,8 +453,8 @@ _initial_blocks_done\num_initial_blocks\operation:
13429 XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
13430 MOVADQ SHUF_MASK(%rip), %xmm14
13431 mov arg7, %r10 # %r10 = AAD
13432- mov arg8, %r12 # %r12 = aadLen
13433- mov %r12, %r11
13434+ mov arg8, %r15 # %r15 = aadLen
13435+ mov %r15, %r11
13436 pxor %xmm\i, %xmm\i
13437 _get_AAD_loop\num_initial_blocks\operation:
13438 movd (%r10), \TMP1
13439@@ -461,15 +462,15 @@ _get_AAD_loop\num_initial_blocks\operation:
13440 psrldq $4, %xmm\i
13441 pxor \TMP1, %xmm\i
13442 add $4, %r10
13443- sub $4, %r12
13444+ sub $4, %r15
13445 jne _get_AAD_loop\num_initial_blocks\operation
13446 cmp $16, %r11
13447 je _get_AAD_loop2_done\num_initial_blocks\operation
13448- mov $16, %r12
13449+ mov $16, %r15
13450 _get_AAD_loop2\num_initial_blocks\operation:
13451 psrldq $4, %xmm\i
13452- sub $4, %r12
13453- cmp %r11, %r12
13454+ sub $4, %r15
13455+ cmp %r11, %r15
13456 jne _get_AAD_loop2\num_initial_blocks\operation
13457 _get_AAD_loop2_done\num_initial_blocks\operation:
13458 PSHUFB_XMM %xmm14, %xmm\i # byte-reflect the AAD data
13459@@ -1280,7 +1281,7 @@ _esb_loop_\@:
13460 *
13461 *****************************************************************************/
13462 ENTRY(aesni_gcm_dec)
13463- push %r12
13464+ push %r15
13465 push %r13
13466 push %r14
13467 mov %rsp, %r14
13468@@ -1290,8 +1291,8 @@ ENTRY(aesni_gcm_dec)
13469 */
13470 sub $VARIABLE_OFFSET, %rsp
13471 and $~63, %rsp # align rsp to 64 bytes
13472- mov %arg6, %r12
13473- movdqu (%r12), %xmm13 # %xmm13 = HashKey
13474+ mov %arg6, %r15
13475+ movdqu (%r15), %xmm13 # %xmm13 = HashKey
13476 movdqa SHUF_MASK(%rip), %xmm2
13477 PSHUFB_XMM %xmm2, %xmm13
13478
13479@@ -1319,10 +1320,10 @@ ENTRY(aesni_gcm_dec)
13480 movdqa %xmm13, HashKey(%rsp) # store HashKey<<1 (mod poly)
13481 mov %arg4, %r13 # save the number of bytes of plaintext/ciphertext
13482 and $-16, %r13 # %r13 = %r13 - (%r13 mod 16)
13483- mov %r13, %r12
13484- and $(3<<4), %r12
13485+ mov %r13, %r15
13486+ and $(3<<4), %r15
13487 jz _initial_num_blocks_is_0_decrypt
13488- cmp $(2<<4), %r12
13489+ cmp $(2<<4), %r15
13490 jb _initial_num_blocks_is_1_decrypt
13491 je _initial_num_blocks_is_2_decrypt
13492 _initial_num_blocks_is_3_decrypt:
13493@@ -1372,16 +1373,16 @@ _zero_cipher_left_decrypt:
13494 sub $16, %r11
13495 add %r13, %r11
13496 movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte block
13497- lea SHIFT_MASK+16(%rip), %r12
13498- sub %r13, %r12
13499+ lea SHIFT_MASK+16(%rip), %r15
13500+ sub %r13, %r15
13501 # adjust the shuffle mask pointer to be able to shift 16-%r13 bytes
13502 # (%r13 is the number of bytes in plaintext mod 16)
13503- movdqu (%r12), %xmm2 # get the appropriate shuffle mask
13504+ movdqu (%r15), %xmm2 # get the appropriate shuffle mask
13505 PSHUFB_XMM %xmm2, %xmm1 # right shift 16-%r13 butes
13506
13507 movdqa %xmm1, %xmm2
13508 pxor %xmm1, %xmm0 # Ciphertext XOR E(K, Yn)
13509- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1
13510+ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1
13511 # get the appropriate mask to mask out top 16-%r13 bytes of %xmm0
13512 pand %xmm1, %xmm0 # mask out top 16-%r13 bytes of %xmm0
13513 pand %xmm1, %xmm2
13514@@ -1410,9 +1411,9 @@ _less_than_8_bytes_left_decrypt:
13515 sub $1, %r13
13516 jne _less_than_8_bytes_left_decrypt
13517 _multiple_of_16_bytes_decrypt:
13518- mov arg8, %r12 # %r13 = aadLen (number of bytes)
13519- shl $3, %r12 # convert into number of bits
13520- movd %r12d, %xmm15 # len(A) in %xmm15
13521+ mov arg8, %r15 # %r13 = aadLen (number of bytes)
13522+ shl $3, %r15 # convert into number of bits
13523+ movd %r15d, %xmm15 # len(A) in %xmm15
13524 shl $3, %arg4 # len(C) in bits (*128)
13525 MOVQ_R64_XMM %arg4, %xmm1
13526 pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000
13527@@ -1451,7 +1452,8 @@ _return_T_done_decrypt:
13528 mov %r14, %rsp
13529 pop %r14
13530 pop %r13
13531- pop %r12
13532+ pop %r15
13533+ pax_force_retaddr
13534 ret
13535 ENDPROC(aesni_gcm_dec)
13536
13537@@ -1540,7 +1542,7 @@ ENDPROC(aesni_gcm_dec)
13538 * poly = x^128 + x^127 + x^126 + x^121 + 1
13539 ***************************************************************************/
13540 ENTRY(aesni_gcm_enc)
13541- push %r12
13542+ push %r15
13543 push %r13
13544 push %r14
13545 mov %rsp, %r14
13546@@ -1550,8 +1552,8 @@ ENTRY(aesni_gcm_enc)
13547 #
13548 sub $VARIABLE_OFFSET, %rsp
13549 and $~63, %rsp
13550- mov %arg6, %r12
13551- movdqu (%r12), %xmm13
13552+ mov %arg6, %r15
13553+ movdqu (%r15), %xmm13
13554 movdqa SHUF_MASK(%rip), %xmm2
13555 PSHUFB_XMM %xmm2, %xmm13
13556
13557@@ -1575,13 +1577,13 @@ ENTRY(aesni_gcm_enc)
13558 movdqa %xmm13, HashKey(%rsp)
13559 mov %arg4, %r13 # %xmm13 holds HashKey<<1 (mod poly)
13560 and $-16, %r13
13561- mov %r13, %r12
13562+ mov %r13, %r15
13563
13564 # Encrypt first few blocks
13565
13566- and $(3<<4), %r12
13567+ and $(3<<4), %r15
13568 jz _initial_num_blocks_is_0_encrypt
13569- cmp $(2<<4), %r12
13570+ cmp $(2<<4), %r15
13571 jb _initial_num_blocks_is_1_encrypt
13572 je _initial_num_blocks_is_2_encrypt
13573 _initial_num_blocks_is_3_encrypt:
13574@@ -1634,14 +1636,14 @@ _zero_cipher_left_encrypt:
13575 sub $16, %r11
13576 add %r13, %r11
13577 movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte blocks
13578- lea SHIFT_MASK+16(%rip), %r12
13579- sub %r13, %r12
13580+ lea SHIFT_MASK+16(%rip), %r15
13581+ sub %r13, %r15
13582 # adjust the shuffle mask pointer to be able to shift 16-r13 bytes
13583 # (%r13 is the number of bytes in plaintext mod 16)
13584- movdqu (%r12), %xmm2 # get the appropriate shuffle mask
13585+ movdqu (%r15), %xmm2 # get the appropriate shuffle mask
13586 PSHUFB_XMM %xmm2, %xmm1 # shift right 16-r13 byte
13587 pxor %xmm1, %xmm0 # Plaintext XOR Encrypt(K, Yn)
13588- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1
13589+ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1
13590 # get the appropriate mask to mask out top 16-r13 bytes of xmm0
13591 pand %xmm1, %xmm0 # mask out top 16-r13 bytes of xmm0
13592 movdqa SHUF_MASK(%rip), %xmm10
13593@@ -1674,9 +1676,9 @@ _less_than_8_bytes_left_encrypt:
13594 sub $1, %r13
13595 jne _less_than_8_bytes_left_encrypt
13596 _multiple_of_16_bytes_encrypt:
13597- mov arg8, %r12 # %r12 = addLen (number of bytes)
13598- shl $3, %r12
13599- movd %r12d, %xmm15 # len(A) in %xmm15
13600+ mov arg8, %r15 # %r15 = addLen (number of bytes)
13601+ shl $3, %r15
13602+ movd %r15d, %xmm15 # len(A) in %xmm15
13603 shl $3, %arg4 # len(C) in bits (*128)
13604 MOVQ_R64_XMM %arg4, %xmm1
13605 pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000
13606@@ -1715,7 +1717,8 @@ _return_T_done_encrypt:
13607 mov %r14, %rsp
13608 pop %r14
13609 pop %r13
13610- pop %r12
13611+ pop %r15
13612+ pax_force_retaddr
13613 ret
13614 ENDPROC(aesni_gcm_enc)
13615
13616@@ -1733,6 +1736,7 @@ _key_expansion_256a:
13617 pxor %xmm1, %xmm0
13618 movaps %xmm0, (TKEYP)
13619 add $0x10, TKEYP
13620+ pax_force_retaddr
13621 ret
13622 ENDPROC(_key_expansion_128)
13623 ENDPROC(_key_expansion_256a)
13624@@ -1759,6 +1763,7 @@ _key_expansion_192a:
13625 shufps $0b01001110, %xmm2, %xmm1
13626 movaps %xmm1, 0x10(TKEYP)
13627 add $0x20, TKEYP
13628+ pax_force_retaddr
13629 ret
13630 ENDPROC(_key_expansion_192a)
13631
13632@@ -1779,6 +1784,7 @@ _key_expansion_192b:
13633
13634 movaps %xmm0, (TKEYP)
13635 add $0x10, TKEYP
13636+ pax_force_retaddr
13637 ret
13638 ENDPROC(_key_expansion_192b)
13639
13640@@ -1792,6 +1798,7 @@ _key_expansion_256b:
13641 pxor %xmm1, %xmm2
13642 movaps %xmm2, (TKEYP)
13643 add $0x10, TKEYP
13644+ pax_force_retaddr
13645 ret
13646 ENDPROC(_key_expansion_256b)
13647
13648@@ -1905,6 +1912,7 @@ ENTRY(aesni_set_key)
13649 #ifndef __x86_64__
13650 popl KEYP
13651 #endif
13652+ pax_force_retaddr
13653 ret
13654 ENDPROC(aesni_set_key)
13655
13656@@ -1927,6 +1935,7 @@ ENTRY(aesni_enc)
13657 popl KLEN
13658 popl KEYP
13659 #endif
13660+ pax_force_retaddr
13661 ret
13662 ENDPROC(aesni_enc)
13663
13664@@ -1985,6 +1994,7 @@ _aesni_enc1:
13665 AESENC KEY STATE
13666 movaps 0x70(TKEYP), KEY
13667 AESENCLAST KEY STATE
13668+ pax_force_retaddr
13669 ret
13670 ENDPROC(_aesni_enc1)
13671
13672@@ -2094,6 +2104,7 @@ _aesni_enc4:
13673 AESENCLAST KEY STATE2
13674 AESENCLAST KEY STATE3
13675 AESENCLAST KEY STATE4
13676+ pax_force_retaddr
13677 ret
13678 ENDPROC(_aesni_enc4)
13679
13680@@ -2117,6 +2128,7 @@ ENTRY(aesni_dec)
13681 popl KLEN
13682 popl KEYP
13683 #endif
13684+ pax_force_retaddr
13685 ret
13686 ENDPROC(aesni_dec)
13687
13688@@ -2175,6 +2187,7 @@ _aesni_dec1:
13689 AESDEC KEY STATE
13690 movaps 0x70(TKEYP), KEY
13691 AESDECLAST KEY STATE
13692+ pax_force_retaddr
13693 ret
13694 ENDPROC(_aesni_dec1)
13695
13696@@ -2284,6 +2297,7 @@ _aesni_dec4:
13697 AESDECLAST KEY STATE2
13698 AESDECLAST KEY STATE3
13699 AESDECLAST KEY STATE4
13700+ pax_force_retaddr
13701 ret
13702 ENDPROC(_aesni_dec4)
13703
13704@@ -2342,6 +2356,7 @@ ENTRY(aesni_ecb_enc)
13705 popl KEYP
13706 popl LEN
13707 #endif
13708+ pax_force_retaddr
13709 ret
13710 ENDPROC(aesni_ecb_enc)
13711
13712@@ -2401,6 +2416,7 @@ ENTRY(aesni_ecb_dec)
13713 popl KEYP
13714 popl LEN
13715 #endif
13716+ pax_force_retaddr
13717 ret
13718 ENDPROC(aesni_ecb_dec)
13719
13720@@ -2443,6 +2459,7 @@ ENTRY(aesni_cbc_enc)
13721 popl LEN
13722 popl IVP
13723 #endif
13724+ pax_force_retaddr
13725 ret
13726 ENDPROC(aesni_cbc_enc)
13727
13728@@ -2534,6 +2551,7 @@ ENTRY(aesni_cbc_dec)
13729 popl LEN
13730 popl IVP
13731 #endif
13732+ pax_force_retaddr
13733 ret
13734 ENDPROC(aesni_cbc_dec)
13735
13736@@ -2561,6 +2579,7 @@ _aesni_inc_init:
13737 mov $1, TCTR_LOW
13738 MOVQ_R64_XMM TCTR_LOW INC
13739 MOVQ_R64_XMM CTR TCTR_LOW
13740+ pax_force_retaddr
13741 ret
13742 ENDPROC(_aesni_inc_init)
13743
13744@@ -2590,6 +2609,7 @@ _aesni_inc:
13745 .Linc_low:
13746 movaps CTR, IV
13747 PSHUFB_XMM BSWAP_MASK IV
13748+ pax_force_retaddr
13749 ret
13750 ENDPROC(_aesni_inc)
13751
13752@@ -2651,6 +2671,7 @@ ENTRY(aesni_ctr_enc)
13753 .Lctr_enc_ret:
13754 movups IV, (IVP)
13755 .Lctr_enc_just_ret:
13756+ pax_force_retaddr
13757 ret
13758 ENDPROC(aesni_ctr_enc)
13759
13760@@ -2777,6 +2798,7 @@ ENTRY(aesni_xts_crypt8)
13761 pxor INC, STATE4
13762 movdqu STATE4, 0x70(OUTP)
13763
13764+ pax_force_retaddr
13765 ret
13766 ENDPROC(aesni_xts_crypt8)
13767
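Review bot: In the `_multiple_of_16_bytes_decrypt` hunk the rewritten line reads `mov arg8, %r15 # %r13 = aadLen (number of bytes)`; the comment named the wrong register before the change and still does, while the matching encrypt line was updated to `%r15`. It should read `# %r15 = aadLen (number of bytes)`. More generally, the file moves every use of `%r12` to `%r15`, in the macro clobber lists and in the push/pop pairs of `aesni_gcm_dec` and `aesni_gcm_enc`, without stating why `%r12` must stay untouched; presumably `pax_force_retaddr` or the related instrumentation reserves it, which is not shown here. One comment near the new `#include <asm/alternative-asm.h>` would record that constraint for future edits.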
13768diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S
13769index 246c670..466e2d6 100644
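--- a/arch/x86/crypto/blowfish-x86_64-asm_64.S
+++ b/arch/x86/crypto/blowfish-x86_64-asm_64.S
@@ -21,6 +21,7 @@
 */
 
 #include <linux/linkage.h>
+#include <asm/alternative-asm.h>
 
 .file "blowfish-x86_64-asm.S"
 .text
@@ -149,9 +150,11 @@ ENTRY(__blowfish_enc_blk)
 jnz .L__enc_xor;
 
 write_block();
+ pax_force_retaddr
 ret;
 .L__enc_xor:
 xor_block();
+ pax_force_retaddr
 ret;
 ENDPROC(__blowfish_enc_blk)
 
@@ -183,6 +186,7 @@ ENTRY(blowfish_dec_blk)
 
 movq %r11, %rbp;
 
+ pax_force_retaddr
 ret;
 ENDPROC(blowfish_dec_blk)
 
@@ -334,6 +338,7 @@ ENTRY(__blowfish_enc_blk_4way)
 
 popq %rbx;
 popq %rbp;
+ pax_force_retaddr
 ret;
 
 .L__enc_xor4:
@@ -341,6 +346,7 @@ ENTRY(__blowfish_enc_blk_4way)
 
 popq %rbx;
 popq %rbp;
+ pax_force_retaddr
 ret;
 ENDPROC(__blowfish_enc_blk_4way)
 
@@ -375,5 +381,6 @@ ENTRY(blowfish_dec_blk_4way)
 popq %rbx;
 popq %rbp;
 
+ pax_force_retaddr
 ret;
 ENDPROC(blowfish_dec_blk_4way)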
13823diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13824index ce71f92..1dce7ec 100644
13825--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13826+++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13827@@ -16,6 +16,7 @@
13828 */
13829
13830 #include <linux/linkage.h>
13831+#include <asm/alternative-asm.h>
13832
13833 #define CAMELLIA_TABLE_BYTE_LEN 272
13834
13835@@ -191,6 +192,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
13836 roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
13837 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15,
13838 %rcx, (%r9));
13839+ pax_force_retaddr
13840 ret;
13841 ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
13842
13843@@ -199,6 +201,7 @@ roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
13844 roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3,
13845 %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11,
13846 %rax, (%r9));
13847+ pax_force_retaddr
13848 ret;
13849 ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
13850
13851@@ -780,6 +783,7 @@ __camellia_enc_blk16:
13852 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
13853 %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax));
13854
13855+ pax_force_retaddr
13856 ret;
13857
13858 .align 8
13859@@ -865,6 +869,7 @@ __camellia_dec_blk16:
13860 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
13861 %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax));
13862
13863+ pax_force_retaddr
13864 ret;
13865
13866 .align 8
13867@@ -904,6 +909,7 @@ ENTRY(camellia_ecb_enc_16way)
13868 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13869 %xmm8, %rsi);
13870
13871+ pax_force_retaddr
13872 ret;
13873 ENDPROC(camellia_ecb_enc_16way)
13874
13875@@ -932,6 +938,7 @@ ENTRY(camellia_ecb_dec_16way)
13876 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13877 %xmm8, %rsi);
13878
13879+ pax_force_retaddr
13880 ret;
13881 ENDPROC(camellia_ecb_dec_16way)
13882
13883@@ -981,6 +988,7 @@ ENTRY(camellia_cbc_dec_16way)
13884 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13885 %xmm8, %rsi);
13886
13887+ pax_force_retaddr
13888 ret;
13889 ENDPROC(camellia_cbc_dec_16way)
13890
13891@@ -1092,6 +1100,7 @@ ENTRY(camellia_ctr_16way)
13892 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13893 %xmm8, %rsi);
13894
13895+ pax_force_retaddr
13896 ret;
13897 ENDPROC(camellia_ctr_16way)
13898
13899@@ -1234,6 +1243,7 @@ camellia_xts_crypt_16way:
13900 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13901 %xmm8, %rsi);
13902
13903+ pax_force_retaddr
13904 ret;
13905 ENDPROC(camellia_xts_crypt_16way)
13906
13907diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13908index 0e0b886..5a3123c 100644
13909--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13910+++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13911@@ -11,6 +11,7 @@
13912 */
13913
13914 #include <linux/linkage.h>
13915+#include <asm/alternative-asm.h>
13916
13917 #define CAMELLIA_TABLE_BYTE_LEN 272
13918
13919@@ -230,6 +231,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
13920 roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
13921 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15,
13922 %rcx, (%r9));
13923+ pax_force_retaddr
13924 ret;
13925 ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
13926
13927@@ -238,6 +240,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
13928 roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3,
13929 %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11,
13930 %rax, (%r9));
13931+ pax_force_retaddr
13932 ret;
13933 ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
13934
13935@@ -820,6 +823,7 @@ __camellia_enc_blk32:
13936 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
13937 %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax));
13938
13939+ pax_force_retaddr
13940 ret;
13941
13942 .align 8
13943@@ -905,6 +909,7 @@ __camellia_dec_blk32:
13944 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
13945 %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax));
13946
13947+ pax_force_retaddr
13948 ret;
13949
13950 .align 8
13951@@ -948,6 +953,7 @@ ENTRY(camellia_ecb_enc_32way)
13952
13953 vzeroupper;
13954
13955+ pax_force_retaddr
13956 ret;
13957 ENDPROC(camellia_ecb_enc_32way)
13958
13959@@ -980,6 +986,7 @@ ENTRY(camellia_ecb_dec_32way)
13960
13961 vzeroupper;
13962
13963+ pax_force_retaddr
13964 ret;
13965 ENDPROC(camellia_ecb_dec_32way)
13966
13967@@ -1046,6 +1053,7 @@ ENTRY(camellia_cbc_dec_32way)
13968
13969 vzeroupper;
13970
13971+ pax_force_retaddr
13972 ret;
13973 ENDPROC(camellia_cbc_dec_32way)
13974
13975@@ -1184,6 +1192,7 @@ ENTRY(camellia_ctr_32way)
13976
13977 vzeroupper;
13978
13979+ pax_force_retaddr
13980 ret;
13981 ENDPROC(camellia_ctr_32way)
13982
13983@@ -1349,6 +1358,7 @@ camellia_xts_crypt_32way:
13984
13985 vzeroupper;
13986
13987+ pax_force_retaddr
13988 ret;
13989 ENDPROC(camellia_xts_crypt_32way)
13990
13991diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S
13992index 310319c..db3d7b5 100644
13993--- a/arch/x86/crypto/camellia-x86_64-asm_64.S
13994+++ b/arch/x86/crypto/camellia-x86_64-asm_64.S
13995@@ -21,6 +21,7 @@
13996 */
13997
13998 #include <linux/linkage.h>
13999+#include <asm/alternative-asm.h>
14000
14001 .file "camellia-x86_64-asm_64.S"
14002 .text
14003@@ -228,12 +229,14 @@ ENTRY(__camellia_enc_blk)
14004 enc_outunpack(mov, RT1);
14005
14006 movq RRBP, %rbp;
14007+ pax_force_retaddr
14008 ret;
14009
14010 .L__enc_xor:
14011 enc_outunpack(xor, RT1);
14012
14013 movq RRBP, %rbp;
14014+ pax_force_retaddr
14015 ret;
14016 ENDPROC(__camellia_enc_blk)
14017
14018@@ -272,6 +275,7 @@ ENTRY(camellia_dec_blk)
14019 dec_outunpack();
14020
14021 movq RRBP, %rbp;
14022+ pax_force_retaddr
14023 ret;
14024 ENDPROC(camellia_dec_blk)
14025
14026@@ -463,6 +467,7 @@ ENTRY(__camellia_enc_blk_2way)
14027
14028 movq RRBP, %rbp;
14029 popq %rbx;
14030+ pax_force_retaddr
14031 ret;
14032
14033 .L__enc2_xor:
14034@@ -470,6 +475,7 @@ ENTRY(__camellia_enc_blk_2way)
14035
14036 movq RRBP, %rbp;
14037 popq %rbx;
14038+ pax_force_retaddr
14039 ret;
14040 ENDPROC(__camellia_enc_blk_2way)
14041
14042@@ -510,5 +516,6 @@ ENTRY(camellia_dec_blk_2way)
14043
14044 movq RRBP, %rbp;
14045 movq RXOR, %rbx;
14046+ pax_force_retaddr
14047 ret;
14048 ENDPROC(camellia_dec_blk_2way)
14049diff --git a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
14050index c35fd5d..2d8c7db 100644
14051--- a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
14052+++ b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
14053@@ -24,6 +24,7 @@
14054 */
14055
14056 #include <linux/linkage.h>
14057+#include <asm/alternative-asm.h>
14058
14059 .file "cast5-avx-x86_64-asm_64.S"
14060
14061@@ -281,6 +282,7 @@ __cast5_enc_blk16:
14062 outunpack_blocks(RR3, RL3, RTMP, RX, RKM);
14063 outunpack_blocks(RR4, RL4, RTMP, RX, RKM);
14064
14065+ pax_force_retaddr
14066 ret;
14067 ENDPROC(__cast5_enc_blk16)
14068
14069@@ -352,6 +354,7 @@ __cast5_dec_blk16:
14070 outunpack_blocks(RR3, RL3, RTMP, RX, RKM);
14071 outunpack_blocks(RR4, RL4, RTMP, RX, RKM);
14072
14073+ pax_force_retaddr
14074 ret;
14075
14076 .L__skip_dec:
14077@@ -388,6 +391,7 @@ ENTRY(cast5_ecb_enc_16way)
14078 vmovdqu RR4, (6*4*4)(%r11);
14079 vmovdqu RL4, (7*4*4)(%r11);
14080
14081+ pax_force_retaddr
14082 ret;
14083 ENDPROC(cast5_ecb_enc_16way)
14084
14085@@ -420,6 +424,7 @@ ENTRY(cast5_ecb_dec_16way)
14086 vmovdqu RR4, (6*4*4)(%r11);
14087 vmovdqu RL4, (7*4*4)(%r11);
14088
14089+ pax_force_retaddr
14090 ret;
14091 ENDPROC(cast5_ecb_dec_16way)
14092
14093@@ -430,10 +435,10 @@ ENTRY(cast5_cbc_dec_16way)
14094 * %rdx: src
14095 */
14096
14097- pushq %r12;
14098+ pushq %r14;
14099
14100 movq %rsi, %r11;
14101- movq %rdx, %r12;
14102+ movq %rdx, %r14;
14103
14104 vmovdqu (0*16)(%rdx), RL1;
14105 vmovdqu (1*16)(%rdx), RR1;
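Review bot: The switch from `%r12` to `%r14` for the saved src pointer in cast5_cbc_dec_16way carries no comment giving the reason, so a later cleanup could quietly move it back. The calling.h hunks of this patch treat `%r12` specially under `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR`, which suggests the register is reserved in that configuration; a comment at the push would say so, e.g. `/* %r12 is reserved under KERNEXEC METHOD_OR, keep src in %r14 */`. It is also worth confirming that `__cast5_dec_blk16`, called between the save and the use, leaves `%r14` untouched, since its body is not in this hunk. The same rename appears in cast5_ctr_16way, cast6_cbc_dec_8way, cast6_ctr_8way, twofish_cbc_dec_8way, twofish_ctr_8way and the sha1_ssse3 macro, and the function here continues in the following hunks.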
14106@@ -447,16 +452,16 @@ ENTRY(cast5_cbc_dec_16way)
14107 call __cast5_dec_blk16;
14108
14109 /* xor with src */
14110- vmovq (%r12), RX;
14111+ vmovq (%r14), RX;
14112 vpshufd $0x4f, RX, RX;
14113 vpxor RX, RR1, RR1;
14114- vpxor 0*16+8(%r12), RL1, RL1;
14115- vpxor 1*16+8(%r12), RR2, RR2;
14116- vpxor 2*16+8(%r12), RL2, RL2;
14117- vpxor 3*16+8(%r12), RR3, RR3;
14118- vpxor 4*16+8(%r12), RL3, RL3;
14119- vpxor 5*16+8(%r12), RR4, RR4;
14120- vpxor 6*16+8(%r12), RL4, RL4;
14121+ vpxor 0*16+8(%r14), RL1, RL1;
14122+ vpxor 1*16+8(%r14), RR2, RR2;
14123+ vpxor 2*16+8(%r14), RL2, RL2;
14124+ vpxor 3*16+8(%r14), RR3, RR3;
14125+ vpxor 4*16+8(%r14), RL3, RL3;
14126+ vpxor 5*16+8(%r14), RR4, RR4;
14127+ vpxor 6*16+8(%r14), RL4, RL4;
14128
14129 vmovdqu RR1, (0*16)(%r11);
14130 vmovdqu RL1, (1*16)(%r11);
14131@@ -467,8 +472,9 @@ ENTRY(cast5_cbc_dec_16way)
14132 vmovdqu RR4, (6*16)(%r11);
14133 vmovdqu RL4, (7*16)(%r11);
14134
14135- popq %r12;
14136+ popq %r14;
14137
14138+ pax_force_retaddr
14139 ret;
14140 ENDPROC(cast5_cbc_dec_16way)
14141
14142@@ -480,10 +486,10 @@ ENTRY(cast5_ctr_16way)
14143 * %rcx: iv (big endian, 64bit)
14144 */
14145
14146- pushq %r12;
14147+ pushq %r14;
14148
14149 movq %rsi, %r11;
14150- movq %rdx, %r12;
14151+ movq %rdx, %r14;
14152
14153 vpcmpeqd RTMP, RTMP, RTMP;
14154 vpsrldq $8, RTMP, RTMP; /* low: -1, high: 0 */
14155@@ -523,14 +529,14 @@ ENTRY(cast5_ctr_16way)
14156 call __cast5_enc_blk16;
14157
14158 /* dst = src ^ iv */
14159- vpxor (0*16)(%r12), RR1, RR1;
14160- vpxor (1*16)(%r12), RL1, RL1;
14161- vpxor (2*16)(%r12), RR2, RR2;
14162- vpxor (3*16)(%r12), RL2, RL2;
14163- vpxor (4*16)(%r12), RR3, RR3;
14164- vpxor (5*16)(%r12), RL3, RL3;
14165- vpxor (6*16)(%r12), RR4, RR4;
14166- vpxor (7*16)(%r12), RL4, RL4;
14167+ vpxor (0*16)(%r14), RR1, RR1;
14168+ vpxor (1*16)(%r14), RL1, RL1;
14169+ vpxor (2*16)(%r14), RR2, RR2;
14170+ vpxor (3*16)(%r14), RL2, RL2;
14171+ vpxor (4*16)(%r14), RR3, RR3;
14172+ vpxor (5*16)(%r14), RL3, RL3;
14173+ vpxor (6*16)(%r14), RR4, RR4;
14174+ vpxor (7*16)(%r14), RL4, RL4;
14175 vmovdqu RR1, (0*16)(%r11);
14176 vmovdqu RL1, (1*16)(%r11);
14177 vmovdqu RR2, (2*16)(%r11);
14178@@ -540,7 +546,8 @@ ENTRY(cast5_ctr_16way)
14179 vmovdqu RR4, (6*16)(%r11);
14180 vmovdqu RL4, (7*16)(%r11);
14181
14182- popq %r12;
14183+ popq %r14;
14184
14185+ pax_force_retaddr
14186 ret;
14187 ENDPROC(cast5_ctr_16way)
14188diff --git a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14189index e3531f8..e123f35 100644
14190--- a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14191+++ b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14192@@ -24,6 +24,7 @@
14193 */
14194
14195 #include <linux/linkage.h>
14196+#include <asm/alternative-asm.h>
14197 #include "glue_helper-asm-avx.S"
14198
14199 .file "cast6-avx-x86_64-asm_64.S"
14200@@ -295,6 +296,7 @@ __cast6_enc_blk8:
14201 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM);
14202 outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM);
14203
14204+ pax_force_retaddr
14205 ret;
14206 ENDPROC(__cast6_enc_blk8)
14207
14208@@ -340,6 +342,7 @@ __cast6_dec_blk8:
14209 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM);
14210 outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM);
14211
14212+ pax_force_retaddr
14213 ret;
14214 ENDPROC(__cast6_dec_blk8)
14215
14216@@ -358,6 +361,7 @@ ENTRY(cast6_ecb_enc_8way)
14217
14218 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14219
14220+ pax_force_retaddr
14221 ret;
14222 ENDPROC(cast6_ecb_enc_8way)
14223
14224@@ -376,6 +380,7 @@ ENTRY(cast6_ecb_dec_8way)
14225
14226 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14227
14228+ pax_force_retaddr
14229 ret;
14230 ENDPROC(cast6_ecb_dec_8way)
14231
14232@@ -386,19 +391,20 @@ ENTRY(cast6_cbc_dec_8way)
14233 * %rdx: src
14234 */
14235
14236- pushq %r12;
14237+ pushq %r14;
14238
14239 movq %rsi, %r11;
14240- movq %rdx, %r12;
14241+ movq %rdx, %r14;
14242
14243 load_8way(%rdx, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14244
14245 call __cast6_dec_blk8;
14246
14247- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14248+ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14249
14250- popq %r12;
14251+ popq %r14;
14252
14253+ pax_force_retaddr
14254 ret;
14255 ENDPROC(cast6_cbc_dec_8way)
14256
14257@@ -410,20 +416,21 @@ ENTRY(cast6_ctr_8way)
14258 * %rcx: iv (little endian, 128bit)
14259 */
14260
14261- pushq %r12;
14262+ pushq %r14;
14263
14264 movq %rsi, %r11;
14265- movq %rdx, %r12;
14266+ movq %rdx, %r14;
14267
14268 load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2,
14269 RD2, RX, RKR, RKM);
14270
14271 call __cast6_enc_blk8;
14272
14273- store_ctr_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14274+ store_ctr_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14275
14276- popq %r12;
14277+ popq %r14;
14278
14279+ pax_force_retaddr
14280 ret;
14281 ENDPROC(cast6_ctr_8way)
14282
14283@@ -446,6 +453,7 @@ ENTRY(cast6_xts_enc_8way)
14284 /* dst <= regs xor IVs(in dst) */
14285 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14286
14287+ pax_force_retaddr
14288 ret;
14289 ENDPROC(cast6_xts_enc_8way)
14290
14291@@ -468,5 +476,6 @@ ENTRY(cast6_xts_dec_8way)
14292 /* dst <= regs xor IVs(in dst) */
14293 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14294
14295+ pax_force_retaddr
14296 ret;
14297 ENDPROC(cast6_xts_dec_8way)
14298diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
14299index 225be06..2885e731 100644
14300--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
14301+++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
14302@@ -45,6 +45,7 @@
14303
14304 #include <asm/inst.h>
14305 #include <linux/linkage.h>
14306+#include <asm/alternative-asm.h>
14307
14308 ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction
14309
14310@@ -309,6 +310,7 @@ do_return:
14311 popq %rsi
14312 popq %rdi
14313 popq %rbx
14314+ pax_force_retaddr
14315 ret
14316
14317 ################################################################
14318@@ -330,7 +332,7 @@ ENDPROC(crc_pcl)
14319 ## PCLMULQDQ tables
14320 ## Table is 128 entries x 2 words (8 bytes) each
14321 ################################################################
14322-.section .rotata, "a", %progbits
14323+.section .rodata, "a", %progbits
14324 .align 8
14325 K_table:
14326 .long 0x493c7d27, 0x00000001
14327diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S
14328index 5d1e007..098cb4f 100644
14329--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S
14330+++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S
14331@@ -18,6 +18,7 @@
14332
14333 #include <linux/linkage.h>
14334 #include <asm/inst.h>
14335+#include <asm/alternative-asm.h>
14336
14337 .data
14338
14339@@ -89,6 +90,7 @@ __clmul_gf128mul_ble:
14340 psrlq $1, T2
14341 pxor T2, T1
14342 pxor T1, DATA
14343+ pax_force_retaddr
14344 ret
14345 ENDPROC(__clmul_gf128mul_ble)
14346
14347@@ -101,6 +103,7 @@ ENTRY(clmul_ghash_mul)
14348 call __clmul_gf128mul_ble
14349 PSHUFB_XMM BSWAP DATA
14350 movups DATA, (%rdi)
14351+ pax_force_retaddr
14352 ret
14353 ENDPROC(clmul_ghash_mul)
14354
14355@@ -128,5 +131,6 @@ ENTRY(clmul_ghash_update)
14356 PSHUFB_XMM BSWAP DATA
14357 movups DATA, (%rdi)
14358 .Lupdate_just_ret:
14359+ pax_force_retaddr
14360 ret
14361 ENDPROC(clmul_ghash_update)
14362diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S
14363index 9279e0b..c4b3d2c 100644
14364--- a/arch/x86/crypto/salsa20-x86_64-asm_64.S
14365+++ b/arch/x86/crypto/salsa20-x86_64-asm_64.S
14366@@ -1,4 +1,5 @@
14367 #include <linux/linkage.h>
14368+#include <asm/alternative-asm.h>
14369
14370 # enter salsa20_encrypt_bytes
14371 ENTRY(salsa20_encrypt_bytes)
14372@@ -789,6 +790,7 @@ ENTRY(salsa20_encrypt_bytes)
14373 add %r11,%rsp
14374 mov %rdi,%rax
14375 mov %rsi,%rdx
14376+ pax_force_retaddr
14377 ret
14378 # bytesatleast65:
14379 ._bytesatleast65:
14380@@ -889,6 +891,7 @@ ENTRY(salsa20_keysetup)
14381 add %r11,%rsp
14382 mov %rdi,%rax
14383 mov %rsi,%rdx
14384+ pax_force_retaddr
14385 ret
14386 ENDPROC(salsa20_keysetup)
14387
14388@@ -914,5 +917,6 @@ ENTRY(salsa20_ivsetup)
14389 add %r11,%rsp
14390 mov %rdi,%rax
14391 mov %rsi,%rdx
14392+ pax_force_retaddr
14393 ret
14394 ENDPROC(salsa20_ivsetup)
14395diff --git a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14396index 2f202f4..d9164d6 100644
14397--- a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14398+++ b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14399@@ -24,6 +24,7 @@
14400 */
14401
14402 #include <linux/linkage.h>
14403+#include <asm/alternative-asm.h>
14404 #include "glue_helper-asm-avx.S"
14405
14406 .file "serpent-avx-x86_64-asm_64.S"
14407@@ -618,6 +619,7 @@ __serpent_enc_blk8_avx:
14408 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14409 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14410
14411+ pax_force_retaddr
14412 ret;
14413 ENDPROC(__serpent_enc_blk8_avx)
14414
14415@@ -672,6 +674,7 @@ __serpent_dec_blk8_avx:
14416 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
14417 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
14418
14419+ pax_force_retaddr
14420 ret;
14421 ENDPROC(__serpent_dec_blk8_avx)
14422
14423@@ -688,6 +691,7 @@ ENTRY(serpent_ecb_enc_8way_avx)
14424
14425 store_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14426
14427+ pax_force_retaddr
14428 ret;
14429 ENDPROC(serpent_ecb_enc_8way_avx)
14430
14431@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_8way_avx)
14432
14433 store_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14434
14435+ pax_force_retaddr
14436 ret;
14437 ENDPROC(serpent_ecb_dec_8way_avx)
14438
14439@@ -720,6 +725,7 @@ ENTRY(serpent_cbc_dec_8way_avx)
14440
14441 store_cbc_8way(%rdx, %rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14442
14443+ pax_force_retaddr
14444 ret;
14445 ENDPROC(serpent_cbc_dec_8way_avx)
14446
14447@@ -738,6 +744,7 @@ ENTRY(serpent_ctr_8way_avx)
14448
14449 store_ctr_8way(%rdx, %rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14450
14451+ pax_force_retaddr
14452 ret;
14453 ENDPROC(serpent_ctr_8way_avx)
14454
14455@@ -758,6 +765,7 @@ ENTRY(serpent_xts_enc_8way_avx)
14456 /* dst <= regs xor IVs(in dst) */
14457 store_xts_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14458
14459+ pax_force_retaddr
14460 ret;
14461 ENDPROC(serpent_xts_enc_8way_avx)
14462
14463@@ -778,5 +786,6 @@ ENTRY(serpent_xts_dec_8way_avx)
14464 /* dst <= regs xor IVs(in dst) */
14465 store_xts_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14466
14467+ pax_force_retaddr
14468 ret;
14469 ENDPROC(serpent_xts_dec_8way_avx)
14470diff --git a/arch/x86/crypto/serpent-avx2-asm_64.S b/arch/x86/crypto/serpent-avx2-asm_64.S
14471index b222085..abd483c 100644
14472--- a/arch/x86/crypto/serpent-avx2-asm_64.S
14473+++ b/arch/x86/crypto/serpent-avx2-asm_64.S
14474@@ -15,6 +15,7 @@
14475 */
14476
14477 #include <linux/linkage.h>
14478+#include <asm/alternative-asm.h>
14479 #include "glue_helper-asm-avx2.S"
14480
14481 .file "serpent-avx2-asm_64.S"
14482@@ -610,6 +611,7 @@ __serpent_enc_blk16:
14483 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14484 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14485
14486+ pax_force_retaddr
14487 ret;
14488 ENDPROC(__serpent_enc_blk16)
14489
14490@@ -664,6 +666,7 @@ __serpent_dec_blk16:
14491 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
14492 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
14493
14494+ pax_force_retaddr
14495 ret;
14496 ENDPROC(__serpent_dec_blk16)
14497
14498@@ -684,6 +687,7 @@ ENTRY(serpent_ecb_enc_16way)
14499
14500 vzeroupper;
14501
14502+ pax_force_retaddr
14503 ret;
14504 ENDPROC(serpent_ecb_enc_16way)
14505
14506@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_16way)
14507
14508 vzeroupper;
14509
14510+ pax_force_retaddr
14511 ret;
14512 ENDPROC(serpent_ecb_dec_16way)
14513
14514@@ -725,6 +730,7 @@ ENTRY(serpent_cbc_dec_16way)
14515
14516 vzeroupper;
14517
14518+ pax_force_retaddr
14519 ret;
14520 ENDPROC(serpent_cbc_dec_16way)
14521
14522@@ -748,6 +754,7 @@ ENTRY(serpent_ctr_16way)
14523
14524 vzeroupper;
14525
14526+ pax_force_retaddr
14527 ret;
14528 ENDPROC(serpent_ctr_16way)
14529
14530@@ -772,6 +779,7 @@ ENTRY(serpent_xts_enc_16way)
14531
14532 vzeroupper;
14533
14534+ pax_force_retaddr
14535 ret;
14536 ENDPROC(serpent_xts_enc_16way)
14537
14538@@ -796,5 +804,6 @@ ENTRY(serpent_xts_dec_16way)
14539
14540 vzeroupper;
14541
14542+ pax_force_retaddr
14543 ret;
14544 ENDPROC(serpent_xts_dec_16way)
14545diff --git a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
14546index acc066c..1559cc4 100644
14547--- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
14548+++ b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
14549@@ -25,6 +25,7 @@
14550 */
14551
14552 #include <linux/linkage.h>
14553+#include <asm/alternative-asm.h>
14554
14555 .file "serpent-sse2-x86_64-asm_64.S"
14556 .text
14557@@ -690,12 +691,14 @@ ENTRY(__serpent_enc_blk_8way)
14558 write_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14559 write_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14560
14561+ pax_force_retaddr
14562 ret;
14563
14564 .L__enc_xor8:
14565 xor_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14566 xor_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14567
14568+ pax_force_retaddr
14569 ret;
14570 ENDPROC(__serpent_enc_blk_8way)
14571
14572@@ -750,5 +753,6 @@ ENTRY(serpent_dec_blk_8way)
14573 write_blocks(%rsi, RC1, RD1, RB1, RE1, RK0, RK1, RK2);
14574 write_blocks(%rax, RC2, RD2, RB2, RE2, RK0, RK1, RK2);
14575
14576+ pax_force_retaddr
14577 ret;
14578 ENDPROC(serpent_dec_blk_8way)
14579diff --git a/arch/x86/crypto/sha1_ssse3_asm.S b/arch/x86/crypto/sha1_ssse3_asm.S
14580index a410950..9dfe7ad 100644
14581--- a/arch/x86/crypto/sha1_ssse3_asm.S
14582+++ b/arch/x86/crypto/sha1_ssse3_asm.S
14583@@ -29,6 +29,7 @@
14584 */
14585
14586 #include <linux/linkage.h>
14587+#include <asm/alternative-asm.h>
14588
14589 #define CTX %rdi // arg1
14590 #define BUF %rsi // arg2
14591@@ -75,9 +76,9 @@
14592
14593 push %rbx
14594 push %rbp
14595- push %r12
14596+ push %r14
14597
14598- mov %rsp, %r12
14599+ mov %rsp, %r14
14600 sub $64, %rsp # allocate workspace
14601 and $~15, %rsp # align stack
14602
14603@@ -99,11 +100,12 @@
14604 xor %rax, %rax
14605 rep stosq
14606
14607- mov %r12, %rsp # deallocate workspace
14608+ mov %r14, %rsp # deallocate workspace
14609
14610- pop %r12
14611+ pop %r14
14612 pop %rbp
14613 pop %rbx
14614+ pax_force_retaddr
14615 ret
14616
14617 ENDPROC(\name)
14618diff --git a/arch/x86/crypto/sha256-avx-asm.S b/arch/x86/crypto/sha256-avx-asm.S
14619index 92b3b5d..0dc1dcb 100644
14620--- a/arch/x86/crypto/sha256-avx-asm.S
14621+++ b/arch/x86/crypto/sha256-avx-asm.S
14622@@ -49,6 +49,7 @@
14623
14624 #ifdef CONFIG_AS_AVX
14625 #include <linux/linkage.h>
14626+#include <asm/alternative-asm.h>
14627
14628 ## assume buffers not aligned
14629 #define VMOVDQ vmovdqu
14630@@ -460,6 +461,7 @@ done_hash:
14631 popq %r13
14632 popq %rbp
14633 popq %rbx
14634+ pax_force_retaddr
14635 ret
14636 ENDPROC(sha256_transform_avx)
14637
14638diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S
14639index 570ec5e..cf2b625 100644
14640--- a/arch/x86/crypto/sha256-avx2-asm.S
14641+++ b/arch/x86/crypto/sha256-avx2-asm.S
14642@@ -50,6 +50,7 @@
14643
14644 #ifdef CONFIG_AS_AVX2
14645 #include <linux/linkage.h>
14646+#include <asm/alternative-asm.h>
14647
14648 ## assume buffers not aligned
14649 #define VMOVDQ vmovdqu
14650@@ -720,6 +721,7 @@ done_hash:
14651 popq %r12
14652 popq %rbp
14653 popq %rbx
14654+ pax_force_retaddr
14655 ret
14656 ENDPROC(sha256_transform_rorx)
14657
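Review bot: The epilogue of sha256_transform_rorx still pops `%r12`, so this routine keeps using the register that the cast5, cast6, twofish and sha1 hunks of this patch move away from. Here the pop comes before `pax_force_retaddr`, so the caller's value is back in place by then, but that ordering is easy to break if the epilogue is reshuffled. A one-line comment such as `/* %r12 must be restored before pax_force_retaddr */` above the macro would make the dependency explicit, assuming the macro reads `%r12` in the METHOD_OR configuration (its definition is outside this chunk). The prologue and body of the function lie outside the hunk.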
14658diff --git a/arch/x86/crypto/sha256-ssse3-asm.S b/arch/x86/crypto/sha256-ssse3-asm.S
14659index 2cedc44..5144899 100644
14660--- a/arch/x86/crypto/sha256-ssse3-asm.S
14661+++ b/arch/x86/crypto/sha256-ssse3-asm.S
14662@@ -47,6 +47,7 @@
14663 ########################################################################
14664
14665 #include <linux/linkage.h>
14666+#include <asm/alternative-asm.h>
14667
14668 ## assume buffers not aligned
14669 #define MOVDQ movdqu
14670@@ -471,6 +472,7 @@ done_hash:
14671 popq %rbp
14672 popq %rbx
14673
14674+ pax_force_retaddr
14675 ret
14676 ENDPROC(sha256_transform_ssse3)
14677
14678diff --git a/arch/x86/crypto/sha512-avx-asm.S b/arch/x86/crypto/sha512-avx-asm.S
14679index 565274d..af6bc08 100644
14680--- a/arch/x86/crypto/sha512-avx-asm.S
14681+++ b/arch/x86/crypto/sha512-avx-asm.S
14682@@ -49,6 +49,7 @@
14683
14684 #ifdef CONFIG_AS_AVX
14685 #include <linux/linkage.h>
14686+#include <asm/alternative-asm.h>
14687
14688 .text
14689
14690@@ -364,6 +365,7 @@ updateblock:
14691 mov frame_RSPSAVE(%rsp), %rsp
14692
14693 nowork:
14694+ pax_force_retaddr
14695 ret
14696 ENDPROC(sha512_transform_avx)
14697
14698diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S
14699index 1f20b35..f25c8c1 100644
14700--- a/arch/x86/crypto/sha512-avx2-asm.S
14701+++ b/arch/x86/crypto/sha512-avx2-asm.S
14702@@ -51,6 +51,7 @@
14703
14704 #ifdef CONFIG_AS_AVX2
14705 #include <linux/linkage.h>
14706+#include <asm/alternative-asm.h>
14707
14708 .text
14709
14710@@ -678,6 +679,7 @@ done_hash:
14711
14712 # Restore Stack Pointer
14713 mov frame_RSPSAVE(%rsp), %rsp
14714+ pax_force_retaddr
14715 ret
14716 ENDPROC(sha512_transform_rorx)
14717
14718diff --git a/arch/x86/crypto/sha512-ssse3-asm.S b/arch/x86/crypto/sha512-ssse3-asm.S
14719index e610e29..ffcb5ed 100644
14720--- a/arch/x86/crypto/sha512-ssse3-asm.S
14721+++ b/arch/x86/crypto/sha512-ssse3-asm.S
14722@@ -48,6 +48,7 @@
14723 ########################################################################
14724
14725 #include <linux/linkage.h>
14726+#include <asm/alternative-asm.h>
14727
14728 .text
14729
14730@@ -363,6 +364,7 @@ updateblock:
14731 mov frame_RSPSAVE(%rsp), %rsp
14732
14733 nowork:
14734+ pax_force_retaddr
14735 ret
14736 ENDPROC(sha512_transform_ssse3)
14737
14738diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14739index 0505813..b067311 100644
14740--- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14741+++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14742@@ -24,6 +24,7 @@
14743 */
14744
14745 #include <linux/linkage.h>
14746+#include <asm/alternative-asm.h>
14747 #include "glue_helper-asm-avx.S"
14748
14749 .file "twofish-avx-x86_64-asm_64.S"
14750@@ -284,6 +285,7 @@ __twofish_enc_blk8:
14751 outunpack_blocks(RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2);
14752 outunpack_blocks(RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2);
14753
14754+ pax_force_retaddr
14755 ret;
14756 ENDPROC(__twofish_enc_blk8)
14757
14758@@ -324,6 +326,7 @@ __twofish_dec_blk8:
14759 outunpack_blocks(RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2);
14760 outunpack_blocks(RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2);
14761
14762+ pax_force_retaddr
14763 ret;
14764 ENDPROC(__twofish_dec_blk8)
14765
14766@@ -342,6 +345,7 @@ ENTRY(twofish_ecb_enc_8way)
14767
14768 store_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14769
14770+ pax_force_retaddr
14771 ret;
14772 ENDPROC(twofish_ecb_enc_8way)
14773
14774@@ -360,6 +364,7 @@ ENTRY(twofish_ecb_dec_8way)
14775
14776 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14777
14778+ pax_force_retaddr
14779 ret;
14780 ENDPROC(twofish_ecb_dec_8way)
14781
14782@@ -370,19 +375,20 @@ ENTRY(twofish_cbc_dec_8way)
14783 * %rdx: src
14784 */
14785
14786- pushq %r12;
14787+ pushq %r14;
14788
14789 movq %rsi, %r11;
14790- movq %rdx, %r12;
14791+ movq %rdx, %r14;
14792
14793 load_8way(%rdx, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14794
14795 call __twofish_dec_blk8;
14796
14797- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14798+ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14799
14800- popq %r12;
14801+ popq %r14;
14802
14803+ pax_force_retaddr
14804 ret;
14805 ENDPROC(twofish_cbc_dec_8way)
14806
14807@@ -394,20 +400,21 @@ ENTRY(twofish_ctr_8way)
14808 * %rcx: iv (little endian, 128bit)
14809 */
14810
14811- pushq %r12;
14812+ pushq %r14;
14813
14814 movq %rsi, %r11;
14815- movq %rdx, %r12;
14816+ movq %rdx, %r14;
14817
14818 load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2,
14819 RD2, RX0, RX1, RY0);
14820
14821 call __twofish_enc_blk8;
14822
14823- store_ctr_8way(%r12, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14824+ store_ctr_8way(%r14, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14825
14826- popq %r12;
14827+ popq %r14;
14828
14829+ pax_force_retaddr
14830 ret;
14831 ENDPROC(twofish_ctr_8way)
14832
14833@@ -430,6 +437,7 @@ ENTRY(twofish_xts_enc_8way)
14834 /* dst <= regs xor IVs(in dst) */
14835 store_xts_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14836
14837+ pax_force_retaddr
14838 ret;
14839 ENDPROC(twofish_xts_enc_8way)
14840
14841@@ -452,5 +460,6 @@ ENTRY(twofish_xts_dec_8way)
14842 /* dst <= regs xor IVs(in dst) */
14843 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14844
14845+ pax_force_retaddr
14846 ret;
14847 ENDPROC(twofish_xts_dec_8way)
14848diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
14849index 1c3b7ce..02f578d 100644
14850--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
14851+++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
14852@@ -21,6 +21,7 @@
14853 */
14854
14855 #include <linux/linkage.h>
14856+#include <asm/alternative-asm.h>
14857
14858 .file "twofish-x86_64-asm-3way.S"
14859 .text
14860@@ -258,6 +259,7 @@ ENTRY(__twofish_enc_blk_3way)
14861 popq %r13;
14862 popq %r14;
14863 popq %r15;
14864+ pax_force_retaddr
14865 ret;
14866
14867 .L__enc_xor3:
14868@@ -269,6 +271,7 @@ ENTRY(__twofish_enc_blk_3way)
14869 popq %r13;
14870 popq %r14;
14871 popq %r15;
14872+ pax_force_retaddr
14873 ret;
14874 ENDPROC(__twofish_enc_blk_3way)
14875
14876@@ -308,5 +311,6 @@ ENTRY(twofish_dec_blk_3way)
14877 popq %r13;
14878 popq %r14;
14879 popq %r15;
14880+ pax_force_retaddr
14881 ret;
14882 ENDPROC(twofish_dec_blk_3way)
14883diff --git a/arch/x86/crypto/twofish-x86_64-asm_64.S b/arch/x86/crypto/twofish-x86_64-asm_64.S
14884index a350c99..c1bac24 100644
14885--- a/arch/x86/crypto/twofish-x86_64-asm_64.S
14886+++ b/arch/x86/crypto/twofish-x86_64-asm_64.S
14887@@ -22,6 +22,7 @@
14888
14889 #include <linux/linkage.h>
14890 #include <asm/asm-offsets.h>
14891+#include <asm/alternative-asm.h>
14892
14893 #define a_offset 0
14894 #define b_offset 4
14895@@ -265,6 +266,7 @@ ENTRY(twofish_enc_blk)
14896
14897 popq R1
14898 movl $1,%eax
14899+ pax_force_retaddr
14900 ret
14901 ENDPROC(twofish_enc_blk)
14902
14903@@ -317,5 +319,6 @@ ENTRY(twofish_dec_blk)
14904
14905 popq R1
14906 movl $1,%eax
14907+ pax_force_retaddr
14908 ret
14909 ENDPROC(twofish_dec_blk)
14910diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
14911index f4e6308..7ba29a1 100644
14912--- a/arch/x86/entry/calling.h
14913+++ b/arch/x86/entry/calling.h
14914@@ -93,23 +93,26 @@ For 32-bit we have the following conventions - kernel is built with
14915 .endm
14916
14917 .macro SAVE_C_REGS_HELPER offset=0 rax=1 rcx=1 r8910=1 r11=1
14918+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14919+ movq %r12, R12+\offset(%rsp)
14920+#endif
14921 .if \r11
14922- movq %r11, 6*8+\offset(%rsp)
14923+ movq %r11, R11+\offset(%rsp)
14924 .endif
14925 .if \r8910
14926- movq %r10, 7*8+\offset(%rsp)
14927- movq %r9, 8*8+\offset(%rsp)
14928- movq %r8, 9*8+\offset(%rsp)
14929+ movq %r10, R10+\offset(%rsp)
14930+ movq %r9, R9+\offset(%rsp)
14931+ movq %r8, R8+\offset(%rsp)
14932 .endif
14933 .if \rax
14934- movq %rax, 10*8+\offset(%rsp)
14935+ movq %rax, RAX+\offset(%rsp)
14936 .endif
14937 .if \rcx
14938- movq %rcx, 11*8+\offset(%rsp)
14939+ movq %rcx, RCX+\offset(%rsp)
14940 .endif
14941- movq %rdx, 12*8+\offset(%rsp)
14942- movq %rsi, 13*8+\offset(%rsp)
14943- movq %rdi, 14*8+\offset(%rsp)
14944+ movq %rdx, RDX+\offset(%rsp)
14945+ movq %rsi, RSI+\offset(%rsp)
14946+ movq %rdi, RDI+\offset(%rsp)
14947 .endm
14948 .macro SAVE_C_REGS offset=0
14949 SAVE_C_REGS_HELPER \offset, 1, 1, 1, 1
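Review bot: SAVE_C_REGS_HELPER now stores `%r12` unconditionally under `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR`, while the matching RESTORE_C_REGS_HELPER in the next hunk gates the reload behind a new `rstor_r12` argument; the asymmetry is undocumented. A comment above the `#ifdef` would explain why `%r12` moves from the extra-register set to the C-register set in this configuration, e.g. `/* METHOD_OR reserves %r12, so it is saved with the caller-clobbered registers */` (wording to be confirmed against the KERNEXEC plugin). The replacement of `6*8`-style literals with the `R11`, `RAX` and similar names relies on those offsets being defined before the macros, which this hunk does not show.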
14950@@ -128,76 +131,87 @@ For 32-bit we have the following conventions - kernel is built with
14951 .endm
14952
14953 .macro SAVE_EXTRA_REGS offset=0
14954- movq %r15, 0*8+\offset(%rsp)
14955- movq %r14, 1*8+\offset(%rsp)
14956- movq %r13, 2*8+\offset(%rsp)
14957- movq %r12, 3*8+\offset(%rsp)
14958- movq %rbp, 4*8+\offset(%rsp)
14959- movq %rbx, 5*8+\offset(%rsp)
14960+ movq %r15, R15+\offset(%rsp)
14961+ movq %r14, R14+\offset(%rsp)
14962+ movq %r13, R13+\offset(%rsp)
14963+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14964+ movq %r12, R12+\offset(%rsp)
14965+#endif
14966+ movq %rbp, RBP+\offset(%rsp)
14967+ movq %rbx, RBX+\offset(%rsp)
14968 .endm
14969 .macro SAVE_EXTRA_REGS_RBP offset=0
14970- movq %rbp, 4*8+\offset(%rsp)
14971+ movq %rbp, RBP+\offset(%rsp)
14972 .endm
14973
14974 .macro RESTORE_EXTRA_REGS offset=0
14975- movq 0*8+\offset(%rsp), %r15
14976- movq 1*8+\offset(%rsp), %r14
14977- movq 2*8+\offset(%rsp), %r13
14978- movq 3*8+\offset(%rsp), %r12
14979- movq 4*8+\offset(%rsp), %rbp
14980- movq 5*8+\offset(%rsp), %rbx
14981+ movq R15+\offset(%rsp), %r15
14982+ movq R14+\offset(%rsp), %r14
14983+ movq R13+\offset(%rsp), %r13
14984+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14985+ movq R12+\offset(%rsp), %r12
14986+#endif
14987+ movq RBP+\offset(%rsp), %rbp
14988+ movq RBX+\offset(%rsp), %rbx
14989 .endm
14990
14991 .macro ZERO_EXTRA_REGS
14992 xorl %r15d, %r15d
14993 xorl %r14d, %r14d
14994 xorl %r13d, %r13d
14995+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14996 xorl %r12d, %r12d
14997+#endif
14998 xorl %ebp, %ebp
14999 xorl %ebx, %ebx
15000 .endm
15001
15002- .macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1
15003+ .macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1, rstor_r12=1
15004+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
15005+ .if \rstor_r12
15006+ movq R12(%rsp), %r12
15007+ .endif
15008+#endif
15009 .if \rstor_r11
15010- movq 6*8(%rsp), %r11
15011+ movq R11(%rsp), %r11
15012 .endif
15013 .if \rstor_r8910
15014- movq 7*8(%rsp), %r10
15015- movq 8*8(%rsp), %r9
15016- movq 9*8(%rsp), %r8
15017+ movq R10(%rsp), %r10
15018+ movq R9(%rsp), %r9
15019+ movq R8(%rsp), %r8
15020 .endif
15021 .if \rstor_rax
15022- movq 10*8(%rsp), %rax
15023+ movq RAX(%rsp), %rax
15024 .endif
15025 .if \rstor_rcx
15026- movq 11*8(%rsp), %rcx
15027+ movq RCX(%rsp), %rcx
15028 .endif
15029 .if \rstor_rdx
15030- movq 12*8(%rsp), %rdx
15031+ movq RDX(%rsp), %rdx
15032 .endif
15033- movq 13*8(%rsp), %rsi
15034- movq 14*8(%rsp), %rdi
15035+ movq RSI(%rsp), %rsi
15036+ movq RDI(%rsp), %rdi
15037 .endm
15038 .macro RESTORE_C_REGS
15039- RESTORE_C_REGS_HELPER 1,1,1,1,1
15040+ RESTORE_C_REGS_HELPER 1,1,1,1,1,1
15041 .endm
15042 .macro RESTORE_C_REGS_EXCEPT_RAX
15043- RESTORE_C_REGS_HELPER 0,1,1,1,1
15044+ RESTORE_C_REGS_HELPER 0,1,1,1,1,0
15045 .endm
15046 .macro RESTORE_C_REGS_EXCEPT_RCX
15047- RESTORE_C_REGS_HELPER 1,0,1,1,1
15048+ RESTORE_C_REGS_HELPER 1,0,1,1,1,0
15049 .endm
15050 .macro RESTORE_C_REGS_EXCEPT_R11
15051- RESTORE_C_REGS_HELPER 1,1,0,1,1
15052+ RESTORE_C_REGS_HELPER 1,1,0,1,1,1
15053 .endm
15054 .macro RESTORE_C_REGS_EXCEPT_RCX_R11
15055- RESTORE_C_REGS_HELPER 1,0,0,1,1
15056+ RESTORE_C_REGS_HELPER 1,0,0,1,1,1
15057 .endm
15058 .macro RESTORE_RSI_RDI
15059- RESTORE_C_REGS_HELPER 0,0,0,0,0
15060+ RESTORE_C_REGS_HELPER 0,0,0,0,0,1
15061 .endm
15062 .macro RESTORE_RSI_RDI_RDX
15063- RESTORE_C_REGS_HELPER 0,0,0,0,1
15064+ RESTORE_C_REGS_HELPER 0,0,0,0,1,1
15065 .endm
15066
15067 .macro REMOVE_PT_GPREGS_FROM_STACK addskip=0
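Review bot: The new `rstor_r12` argument of RESTORE_C_REGS_HELPER is undocumented, and its values across the wrappers are not self-explanatory: it is 0 in RESTORE_C_REGS_EXCEPT_RAX and RESTORE_C_REGS_EXCEPT_RCX but 1 in RESTORE_RSI_RDI, which restores nothing else optional. The save side is asymmetric as well, since SAVE_C_REGS_HELPER stores %r12 unconditionally under CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR and has no matching `r12=` parameter. I would add a comment above RESTORE_C_REGS_HELPER such as `/* METHOD_OR: %r12 is handled with the C regs instead of the extra regs; rstor_r12=0 only where the caller must not reload it here */`, with the second half confirmed against the call sites, which are outside this section. It would also help to state next to the SAVE/RESTORE macros that R8…RDI and R12…RBX must keep the slot values of the `N*8` literals they replace, because the definitions of those symbols are not visible in these hunks.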
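diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index 21dc60a..844def1 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -157,13 +157,154 @@
 movl \reg, PT_GS(%esp)
 .endm
 .macro SET_KERNEL_GS reg
+
+#ifdef CONFIG_CC_STACKPROTECTOR
 movl $(__KERNEL_STACK_CANARY), \reg
+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
+ movl $(__USER_DS), \reg
+#else
+ xorl \reg, \reg
+#endif
+
 movl \reg, %gs
 .endm
 
 #endif /* CONFIG_X86_32_LAZY_GS */
 
-.macro SAVE_ALL
+.macro pax_enter_kernel
+#ifdef CONFIG_PAX_KERNEXEC
+ call pax_enter_kernel
+#endif
+.endm
+
+.macro pax_exit_kernel
+#ifdef CONFIG_PAX_KERNEXEC
+ call pax_exit_kernel
+#endif
+.endm
+
+#ifdef CONFIG_PAX_KERNEXEC
+ENTRY(pax_enter_kernel)
+#ifdef CONFIG_PARAVIRT
+ pushl %eax
+ pushl %ecx
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
+ mov %eax, %esi
+#else
+ mov %cr0, %esi
+#endif
+ bts $X86_CR0_WP_BIT, %esi
+ jnc 1f
+ mov %cs, %esi
+ cmp $__KERNEL_CS, %esi
+ jz 3f
+ ljmp $__KERNEL_CS, $3f
+1: ljmp $__KERNEXEC_KERNEL_CS, $2f
+2:
+#ifdef CONFIG_PARAVIRT
+ mov %esi, %eax
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
+#else
+ mov %esi, %cr0
+#endif
+3:
+#ifdef CONFIG_PARAVIRT
+ popl %ecx
+ popl %eax
+#endif
+ ret
+ENDPROC(pax_enter_kernel)
+
+ENTRY(pax_exit_kernel)
+#ifdef CONFIG_PARAVIRT
+ pushl %eax
+ pushl %ecx
+#endif
+ mov %cs, %esi
+ cmp $__KERNEXEC_KERNEL_CS, %esi
+ jnz 2f
+#ifdef CONFIG_PARAVIRT
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
+ mov %eax, %esi
+#else
+ mov %cr0, %esi
+#endif
+ btr $X86_CR0_WP_BIT, %esi
+ ljmp $__KERNEL_CS, $1f
+1:
+#ifdef CONFIG_PARAVIRT
+ mov %esi, %eax
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
+#else
+ mov %esi, %cr0
+#endif
+2:
+#ifdef CONFIG_PARAVIRT
+ popl %ecx
+ popl %eax
+#endif
+ ret
+ENDPROC(pax_exit_kernel)
+#endif
+
+ .macro pax_erase_kstack
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+ call pax_erase_kstack
+#endif
+ .endm
+
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+/*
+ * ebp: thread_info
+ */
+ENTRY(pax_erase_kstack)
+ pushl %edi
+ pushl %ecx
+ pushl %eax
+
+ mov TI_lowest_stack(%ebp), %edi
+ mov $-0xBEEF, %eax
+ std
+
+1: mov %edi, %ecx
+ and $THREAD_SIZE_asm - 1, %ecx
+ shr $2, %ecx
+ repne scasl
+ jecxz 2f
+
+ cmp $2*16, %ecx
+ jc 2f
+
+ mov $2*16, %ecx
+ repe scasl
+ jecxz 2f
+ jne 1b
+
+2: cld
+ or $2*4, %edi
+ mov %esp, %ecx
+ sub %edi, %ecx
+
+ cmp $THREAD_SIZE_asm, %ecx
+ jb 3f
+ ud2
+3:
+
+ shr $2, %ecx
+ rep stosl
+
+ mov TI_task_thread_sp0(%ebp), %edi
+ sub $128, %edi
+ mov %edi, TI_lowest_stack(%ebp)
+
+ popl %eax
+ popl %ecx
+ popl %edi
+ ret
+ENDPROC(pax_erase_kstack)
+#endif
+
+.macro __SAVE_ALL _DS
 cld
 PUSH_GS
 pushl %fs
@@ -176,7 +317,7 @@
 pushl %edx
 pushl %ecx
 pushl %ebx
- movl $(__USER_DS), %edx
+ movl $\_DS, %edx
 movl %edx, %ds
 movl %edx, %es
 movl $(__KERNEL_PERCPU), %edx
@@ -184,6 +325,15 @@
 SET_KERNEL_GS %edx
 .endm
 
+.macro SAVE_ALL
+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+ __SAVE_ALL __KERNEL_DS
+ pax_enter_kernel
+#else
+ __SAVE_ALL __USER_DS
+#endif
+.endm
+
 .macro RESTORE_INT_REGS
 popl %ebx
 popl %ecx
@@ -222,7 +372,7 @@ ENTRY(ret_from_fork)
 pushl $0x0202 # Reset kernel eflags
 popfl
 jmp syscall_exit
-END(ret_from_fork)
+ENDPROC(ret_from_fork)
 
 ENTRY(ret_from_kernel_thread)
 pushl %eax
@@ -262,7 +412,15 @@ ret_from_intr:
 andl $SEGMENT_RPL_MASK, %eax
 #endif
 cmpl $USER_RPL, %eax
+
+#ifdef CONFIG_PAX_KERNEXEC
+ jae resume_userspace
+
+ pax_exit_kernel
+ jmp resume_kernel
+#else
 jb resume_kernel # not returning to v8086 or userspace
+#endif
 
 ENTRY(resume_userspace)
 LOCKDEP_SYS_EXIT
@@ -274,8 +432,8 @@ ENTRY(resume_userspace)
 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
 # int/exception return?
 jne work_pending
- jmp restore_all
-END(ret_from_exception)
+ jmp restore_all_pax
+ENDPROC(ret_from_exception)
 
 #ifdef CONFIG_PREEMPT
 ENTRY(resume_kernel)
@@ -287,7 +445,7 @@ need_resched:
 jz restore_all
 call preempt_schedule_irq
 jmp need_resched
-END(resume_kernel)
+ENDPROC(resume_kernel)
 #endif
 
 /*
@@ -312,32 +470,44 @@ sysenter_past_esp:
 pushl $__USER_CS
 /*
 * Push current_thread_info()->sysenter_return to the stack.
- * A tiny bit of offset fixup is necessary: TI_sysenter_return
- * is relative to thread_info, which is at the bottom of the
- * kernel stack page. 4*4 means the 4 words pushed above;
- * TOP_OF_KERNEL_STACK_PADDING takes us to the top of the stack;
- * and THREAD_SIZE takes us to the bottom.
 */
- pushl ((TI_sysenter_return) - THREAD_SIZE + TOP_OF_KERNEL_STACK_PADDING + 4*4)(%esp)
+ pushl $0
 
 pushl %eax
 SAVE_ALL
+ GET_THREAD_INFO(%ebp)
+ movl TI_sysenter_return(%ebp), %ebp
+ movl %ebp, PT_EIP(%esp)
 ENABLE_INTERRUPTS(CLBR_NONE)
 
 /*
 * Load the potential sixth argument from user stack.
 * Careful about security.
 */
+ movl PT_OLDESP(%esp),%ebp
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ mov PT_OLDSS(%esp), %ds
+1: movl %ds:(%ebp), %ebp
+ push %ss
+ pop %ds
+#else
 cmpl $__PAGE_OFFSET-3, %ebp
 jae syscall_fault
 ASM_STAC
 1: movl (%ebp), %ebp
 ASM_CLAC
+#endif
+
 movl %ebp, PT_EBP(%esp)
 _ASM_EXTABLE(1b, syscall_fault)
 
 GET_THREAD_INFO(%ebp)
 
+#ifdef CONFIG_PAX_RANDKSTACK
+ pax_erase_kstack
+#endif
+
 testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%ebp)
 jnz sysenter_audit
 sysenter_do_call:
@@ -353,12 +523,24 @@ sysenter_after_call:
 testl $_TIF_ALLWORK_MASK, %ecx
 jnz sysexit_audit
 sysenter_exit:
+
+#ifdef CONFIG_PAX_RANDKSTACK
+ pushl %eax
+ movl %esp, %eax
+ call pax_randomize_kstack
+ popl %eax
+#endif
+
+ pax_erase_kstack
+
 /* if something modifies registers it must also disable sysexit */
 movl PT_EIP(%esp), %edx
 movl PT_OLDESP(%esp), %ecx
 xorl %ebp, %ebp
 TRACE_IRQS_ON
 1: mov PT_FS(%esp), %fs
+2: mov PT_DS(%esp), %ds
+3: mov PT_ES(%esp), %es
 PTGS_TO_GS
 ENABLE_INTERRUPTS_SYSEXIT
 
@@ -372,6 +554,9 @@ sysenter_audit:
 pushl PT_ESI(%esp) /* a3: 5th arg */
 pushl PT_EDX+4(%esp) /* a2: 4th arg */
 call __audit_syscall_entry
+
+ pax_erase_kstack
+
 popl %ecx /* get that remapped edx off the stack */
 popl %ecx /* get that remapped esi off the stack */
 movl PT_EAX(%esp), %eax /* reload syscall number */
@@ -397,10 +582,16 @@ sysexit_audit:
 #endif
 
 .pushsection .fixup, "ax"
-2: movl $0, PT_FS(%esp)
+4: movl $0, PT_FS(%esp)
+ jmp 1b
+5: movl $0, PT_DS(%esp)
+ jmp 1b
+6: movl $0, PT_ES(%esp)
 jmp 1b
 .popsection
- _ASM_EXTABLE(1b, 2b)
+ _ASM_EXTABLE(1b, 4b)
+ _ASM_EXTABLE(2b, 5b)
+ _ASM_EXTABLE(3b, 6b)
 PTGS_TO_GS_EX
 ENDPROC(entry_SYSENTER_32)
 
@@ -410,6 +601,11 @@ ENTRY(entry_INT80_32)
 pushl %eax # save orig_eax
 SAVE_ALL
 GET_THREAD_INFO(%ebp)
+
+#ifdef CONFIG_PAX_RANDKSTACK
+ pax_erase_kstack
+#endif
+
 # system call tracing in operation / emulation
 testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%ebp)
 jnz syscall_trace_entry
@@ -429,6 +625,15 @@ syscall_exit:
 testl $_TIF_ALLWORK_MASK, %ecx # current->work
 jnz syscall_exit_work
 
+restore_all_pax:
+
+#ifdef CONFIG_PAX_RANDKSTACK
+ movl %esp, %eax
+ call pax_randomize_kstack
+#endif
+
+ pax_erase_kstack
+
 restore_all:
 TRACE_IRQS_IRET
 restore_all_notrace:
@@ -483,14 +688,34 @@ ldt_ss:
 * compensating for the offset by changing to the ESPFIX segment with
 * a base address that matches for the difference.
 */
-#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
+#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
 mov %esp, %edx /* load kernel esp */
 mov PT_OLDESP(%esp), %eax /* load userspace esp */
 mov %dx, %ax /* eax: new kernel esp */
 sub %eax, %edx /* offset (low word is 0) */
+#ifdef CONFIG_SMP
+ movl PER_CPU_VAR(cpu_number), %ebx
+ shll $PAGE_SHIFT_asm, %ebx
+ addl $cpu_gdt_table, %ebx
+#else
+ movl $cpu_gdt_table, %ebx
+#endif
 shr $16, %edx
- mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
- mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
+
+#ifdef CONFIG_PAX_KERNEXEC
+ mov %cr0, %esi
+ btr $X86_CR0_WP_BIT, %esi
+ mov %esi, %cr0
+#endif
+
+ mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
+ mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
+
+#ifdef CONFIG_PAX_KERNEXEC
+ bts $X86_CR0_WP_BIT, %esi
+ mov %esi, %cr0
+#endif
+
 pushl $__ESPFIX_SS
 pushl %eax /* new kernel esp */
 /*
@@ -519,20 +744,18 @@ work_resched:
 movl TI_flags(%ebp), %ecx
 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
 # than syscall tracing?
- jz restore_all
+ jz restore_all_pax
 testb $_TIF_NEED_RESCHED, %cl
 jnz work_resched
 
 work_notifysig: # deal with pending signals and
 # notify-resume requests
+ movl %esp, %eax
 #ifdef CONFIG_VM86
 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
- movl %esp, %eax
 jnz work_notifysig_v86 # returning to kernel-space or
 # vm86-space
 1:
-#else
- movl %esp, %eax
 #endif
 TRACE_IRQS_ON
 ENABLE_INTERRUPTS(CLBR_NONE)
@@ -553,7 +776,7 @@ work_notifysig_v86:
 movl %eax, %esp
 jmp 1b
 #endif
-END(work_pending)
+ENDPROC(work_pending)
 
 # perform syscall exit tracing
 ALIGN
@@ -561,11 +784,14 @@ syscall_trace_entry:
 movl $-ENOSYS, PT_EAX(%esp)
 movl %esp, %eax
 call syscall_trace_enter
+
+ pax_erase_kstack
+
 /* What it returned is what we'll actually use. */
 cmpl $(NR_syscalls), %eax
 jnae syscall_call
 jmp syscall_exit
-END(syscall_trace_entry)
+ENDPROC(syscall_trace_entry)
 
 # perform syscall exit tracing
 ALIGN
@@ -578,24 +804,28 @@ syscall_exit_work:
 movl %esp, %eax
 call syscall_trace_leave
 jmp resume_userspace
-END(syscall_exit_work)
+ENDPROC(syscall_exit_work)
 
 syscall_fault:
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ push %ss
+ pop %ds
+#endif
 ASM_CLAC
 GET_THREAD_INFO(%ebp)
 movl $-EFAULT, PT_EAX(%esp)
 jmp resume_userspace
-END(syscall_fault)
+ENDPROC(syscall_fault)
 
 syscall_badsys:
 movl $-ENOSYS, %eax
 jmp syscall_after_call
-END(syscall_badsys)
+ENDPROC(syscall_badsys)
 
 sysenter_badsys:
 movl $-ENOSYS, %eax
 jmp sysenter_after_call
-END(sysenter_badsys)
+ENDPROC(sysenter_badsys)
 
 .macro FIXUP_ESPFIX_STACK
 /*
@@ -607,8 +837,15 @@ END(sysenter_badsys)
 */
 #ifdef CONFIG_X86_ESPFIX32
 /* fixup the stack */
- mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
- mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
+#ifdef CONFIG_SMP
+ movl PER_CPU_VAR(cpu_number), %ebx
+ shll $PAGE_SHIFT_asm, %ebx
+ addl $cpu_gdt_table, %ebx
+#else
+ movl $cpu_gdt_table, %ebx
+#endif
+ mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
+ mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
 shl $16, %eax
 addl %esp, %eax /* the adjusted stack pointer */
 pushl $__KERNEL_DS
@@ -644,7 +881,7 @@ ENTRY(irq_entries_start)
 jmp common_interrupt
 .align 8
 .endr
-END(irq_entries_start)
+ENDPROC(irq_entries_start)
 
 /*
 * the CPU automatically disables interrupts when executing an IRQ vector,
@@ -691,7 +928,7 @@ ENTRY(coprocessor_error)
 pushl $0
 pushl $do_coprocessor_error
 jmp error_code
-END(coprocessor_error)
+ENDPROC(coprocessor_error)
 
 ENTRY(simd_coprocessor_error)
 ASM_CLAC
@@ -705,25 +942,25 @@ ENTRY(simd_coprocessor_error)
 pushl $do_simd_coprocessor_error
 #endif
 jmp error_code
-END(simd_coprocessor_error)
+ENDPROC(simd_coprocessor_error)
 
 ENTRY(device_not_available)
 ASM_CLAC
 pushl $-1 # mark this as an int
 pushl $do_device_not_available
 jmp error_code
-END(device_not_available)
+ENDPROC(device_not_available)
 
 #ifdef CONFIG_PARAVIRT
 ENTRY(native_iret)
 iret
 _ASM_EXTABLE(native_iret, iret_exc)
-END(native_iret)
+ENDPROC(native_iret)
 
 ENTRY(native_irq_enable_sysexit)
 sti
 sysexit
-END(native_irq_enable_sysexit)
+ENDPROC(native_irq_enable_sysexit)
 #endif
 
 ENTRY(overflow)
@@ -731,59 +968,59 @@ ENTRY(overflow)
 pushl $0
 pushl $do_overflow
 jmp error_code
-END(overflow)
+ENDPROC(overflow)
 
 ENTRY(bounds)
 ASM_CLAC
 pushl $0
 pushl $do_bounds
 jmp error_code
-END(bounds)
+ENDPROC(bounds)
 
 ENTRY(invalid_op)
 ASM_CLAC
 pushl $0
 pushl $do_invalid_op
 jmp error_code
-END(invalid_op)
+ENDPROC(invalid_op)
 
 ENTRY(coprocessor_segment_overrun)
 ASM_CLAC
 pushl $0
 pushl $do_coprocessor_segment_overrun
 jmp error_code
-END(coprocessor_segment_overrun)
+ENDPROC(coprocessor_segment_overrun)
 
 ENTRY(invalid_TSS)
 ASM_CLAC
 pushl $do_invalid_TSS
 jmp error_code
-END(invalid_TSS)
+ENDPROC(invalid_TSS)
 
 ENTRY(segment_not_present)
 ASM_CLAC
 pushl $do_segment_not_present
 jmp error_code
-END(segment_not_present)
+ENDPROC(segment_not_present)
 
 ENTRY(stack_segment)
 ASM_CLAC
 pushl $do_stack_segment
 jmp error_code
-END(stack_segment)
+ENDPROC(stack_segment)
 
 ENTRY(alignment_check)
 ASM_CLAC
 pushl $do_alignment_check
 jmp error_code
-END(alignment_check)
+ENDPROC(alignment_check)
 
 ENTRY(divide_error)
 ASM_CLAC
 pushl $0 # no error code
 pushl $do_divide_error
 jmp error_code
-END(divide_error)
+ENDPROC(divide_error)
 
 #ifdef CONFIG_X86_MCE
 ENTRY(machine_check)
@@ -791,7 +1028,7 @@ ENTRY(machine_check)
 pushl $0
 pushl machine_check_vector
 jmp error_code
-END(machine_check)
+ENDPROC(machine_check)
 #endif
 
 ENTRY(spurious_interrupt_bug)
@@ -799,7 +1036,7 @@ ENTRY(spurious_interrupt_bug)
 pushl $0
 pushl $do_spurious_interrupt_bug
 jmp error_code
-END(spurious_interrupt_bug)
+ENDPROC(spurious_interrupt_bug)
 
 #ifdef CONFIG_XEN
 /*
@@ -906,7 +1143,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
 
 ENTRY(mcount)
 ret
-END(mcount)
+ENDPROC(mcount)
 
 ENTRY(ftrace_caller)
 pushl %eax
@@ -936,7 +1173,7 @@ ftrace_graph_call:
 .globl ftrace_stub
 ftrace_stub:
 ret
-END(ftrace_caller)
+ENDPROC(ftrace_caller)
 
 ENTRY(ftrace_regs_caller)
 pushf /* push flags before compare (in cs location) */
@@ -1034,7 +1271,7 @@ trace:
 popl %ecx
 popl %eax
 jmp ftrace_stub
-END(mcount)
+ENDPROC(mcount)
 #endif /* CONFIG_DYNAMIC_FTRACE */
 #endif /* CONFIG_FUNCTION_TRACER */
 
@@ -1052,7 +1289,7 @@ ENTRY(ftrace_graph_caller)
 popl %ecx
 popl %eax
 ret
-END(ftrace_graph_caller)
+ENDPROC(ftrace_graph_caller)
 
 .globl return_to_handler
 return_to_handler:
@@ -1100,14 +1337,17 @@ error_code:
 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
 REG_TO_PTGS %ecx
 SET_KERNEL_GS %ecx
- movl $(__USER_DS), %ecx
+ movl $(__KERNEL_DS), %ecx
 movl %ecx, %ds
 movl %ecx, %es
+
+ pax_enter_kernel
+
 TRACE_IRQS_OFF
 movl %esp, %eax # pt_regs pointer
 call *%edi
 jmp ret_from_exception
-END(page_fault)
+ENDPROC(page_fault)
 
 /*
 * Debug traps and NMI can happen at the one SYSENTER instruction
@@ -1145,7 +1385,7 @@ debug_stack_correct:
 movl %esp, %eax # pt_regs pointer
 call do_debug
 jmp ret_from_exception
-END(debug)
+ENDPROC(debug)
 
 /*
 * NMI is doubly nasty. It can happen _while_ we're handling
@@ -1184,6 +1424,9 @@ nmi_stack_correct:
 xorl %edx, %edx # zero error code
 movl %esp, %eax # pt_regs pointer
 call do_nmi
+
+ pax_exit_kernel
+
 jmp restore_all_notrace
 
 nmi_stack_fixup:
@@ -1217,11 +1460,14 @@ nmi_espfix_stack:
 FIXUP_ESPFIX_STACK # %eax == %esp
 xorl %edx, %edx # zero error code
 call do_nmi
+
+ pax_exit_kernel
+
 RESTORE_REGS
 lss 12+4(%esp), %esp # back to espfix stack
 jmp irq_return
 #endif
-END(nmi)
+ENDPROC(nmi)
 
 ENTRY(int3)
 ASM_CLAC
@@ -1232,17 +1478,17 @@ ENTRY(int3)
 movl %esp, %eax # pt_regs pointer
 call do_int3
 jmp ret_from_exception
-END(int3)
+ENDPROC(int3)
 
 ENTRY(general_protection)
 pushl $do_general_protection
 jmp error_code
-END(general_protection)
+ENDPROC(general_protection)
 
 #ifdef CONFIG_KVM_GUEST
 ENTRY(async_page_fault)
 ASM_CLAC
 pushl $do_async_page_fault
 jmp error_code
-END(async_page_fault)
+ENDPROC(async_page_fault)
 #endif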
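Review bot: The CR0.WP window added under CONFIG_PAX_KERNEXEC in the ldt_ss hunk, around the two `mov %dl/%dh, … GDT_ESPFIX_SS` stores, accesses %cr0 directly, whereas pax_enter_kernel and pax_exit_kernel in this same section use `PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)` and `PV_CPU_write_cr0` when CONFIG_PARAVIRT is set. The start of ldt_ss lies outside the hunk, so a paravirt bail-out may already precede this code, but nothing at the toggle records that it is native-only or what interrupt state it relies on while write protection is off. I would add a comment above the first `mov %cr0, %esi`, for example `/* KERNEXEC: clear CR0.WP only for the two GDT byte stores below (presumably the GDT is mapped read-only); native CR0 access, clobbers %esi and %ebx */`. FIXUP_ESPFIX_STACK gains the same %ebx clobber from the new `cpu_gdt_table` address computation and should say so in its header comment. The 32-bit pax_enter_kernel and pax_exit_kernel routines also overwrite %esi without saving it and would benefit from a one-line note like the `ebp: thread_info` comment on pax_erase_kstack.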
15815diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
15816index 8cb3e43..a497278 100644
15817--- a/arch/x86/entry/entry_64.S
15818+++ b/arch/x86/entry/entry_64.S
15819@@ -37,6 +37,8 @@
15820 #include <asm/smap.h>
15821 #include <asm/pgtable_types.h>
15822 #include <linux/err.h>
15823+#include <asm/pgtable.h>
15824+#include <asm/alternative-asm.h>
15825
15826 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
15827 #include <linux/elf-em.h>
15828@@ -54,6 +56,402 @@ ENTRY(native_usergs_sysret64)
15829 ENDPROC(native_usergs_sysret64)
15830 #endif /* CONFIG_PARAVIRT */
15831
15832+ .macro ljmpq sel, off
15833+#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
15834+ .byte 0x48; ljmp *1234f(%rip)
15835+ .pushsection .rodata
15836+ .align 16
15837+ 1234: .quad \off; .word \sel
15838+ .popsection
15839+#else
15840+ pushq $\sel
15841+ pushq $\off
15842+ lretq
15843+#endif
15844+ .endm
15845+
15846+ .macro pax_enter_kernel
15847+ pax_set_fptr_mask
15848+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15849+ call pax_enter_kernel
15850+#endif
15851+ .endm
15852+
15853+ .macro pax_exit_kernel
15854+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15855+ call pax_exit_kernel
15856+#endif
15857+ .endm
15858+
15859+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15860+ENTRY(pax_enter_kernel)
15861+ pushq %rdi
15862+
15863+#ifdef CONFIG_PARAVIRT
15864+ PV_SAVE_REGS(CLBR_RDI)
15865+#endif
15866+
15867+#ifdef CONFIG_PAX_KERNEXEC
15868+ GET_CR0_INTO_RDI
15869+ bts $X86_CR0_WP_BIT,%rdi
15870+ jnc 3f
15871+ mov %cs,%edi
15872+ cmp $__KERNEL_CS,%edi
15873+ jnz 2f
15874+1:
15875+#endif
15876+
15877+#ifdef CONFIG_PAX_MEMORY_UDEREF
15878+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15879+ GET_CR3_INTO_RDI
15880+ cmp $0,%dil
15881+ jnz 112f
15882+ mov $__KERNEL_DS,%edi
15883+ mov %edi,%ss
15884+ jmp 111f
15885+112: cmp $1,%dil
15886+ jz 113f
15887+ ud2
15888+113: sub $4097,%rdi
15889+ bts $63,%rdi
15890+ SET_RDI_INTO_CR3
15891+ mov $__UDEREF_KERNEL_DS,%edi
15892+ mov %edi,%ss
15893+111:
15894+#endif
15895+
15896+#ifdef CONFIG_PARAVIRT
15897+ PV_RESTORE_REGS(CLBR_RDI)
15898+#endif
15899+
15900+ popq %rdi
15901+ pax_force_retaddr
15902+ retq
15903+
15904+#ifdef CONFIG_PAX_KERNEXEC
15905+2: ljmpq __KERNEL_CS,1b
15906+3: ljmpq __KERNEXEC_KERNEL_CS,4f
15907+4: SET_RDI_INTO_CR0
15908+ jmp 1b
15909+#endif
15910+ENDPROC(pax_enter_kernel)
15911+
15912+ENTRY(pax_exit_kernel)
15913+ pushq %rdi
15914+
15915+#ifdef CONFIG_PARAVIRT
15916+ PV_SAVE_REGS(CLBR_RDI)
15917+#endif
15918+
15919+#ifdef CONFIG_PAX_KERNEXEC
15920+ mov %cs,%rdi
15921+ cmp $__KERNEXEC_KERNEL_CS,%edi
15922+ jz 2f
15923+ GET_CR0_INTO_RDI
15924+ bts $X86_CR0_WP_BIT,%rdi
15925+ jnc 4f
15926+1:
15927+#endif
15928+
15929+#ifdef CONFIG_PAX_MEMORY_UDEREF
15930+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15931+ mov %ss,%edi
15932+ cmp $__UDEREF_KERNEL_DS,%edi
15933+ jnz 111f
15934+ GET_CR3_INTO_RDI
15935+ cmp $0,%dil
15936+ jz 112f
15937+ ud2
15938+112: add $4097,%rdi
15939+ bts $63,%rdi
15940+ SET_RDI_INTO_CR3
15941+ mov $__KERNEL_DS,%edi
15942+ mov %edi,%ss
15943+111:
15944+#endif
15945+
15946+#ifdef CONFIG_PARAVIRT
15947+ PV_RESTORE_REGS(CLBR_RDI);
15948+#endif
15949+
15950+ popq %rdi
15951+ pax_force_retaddr
15952+ retq
15953+
15954+#ifdef CONFIG_PAX_KERNEXEC
15955+2: GET_CR0_INTO_RDI
15956+ btr $X86_CR0_WP_BIT,%rdi
15957+ jnc 4f
15958+ ljmpq __KERNEL_CS,3f
15959+3: SET_RDI_INTO_CR0
15960+ jmp 1b
15961+4: ud2
15962+ jmp 4b
15963+#endif
15964+ENDPROC(pax_exit_kernel)
15965+#endif
15966+
15967+ .macro pax_enter_kernel_user
15968+ pax_set_fptr_mask
15969+#ifdef CONFIG_PAX_MEMORY_UDEREF
15970+ call pax_enter_kernel_user
15971+#endif
15972+ .endm
15973+
15974+ .macro pax_exit_kernel_user
15975+#ifdef CONFIG_PAX_MEMORY_UDEREF
15976+ call pax_exit_kernel_user
15977+#endif
15978+#ifdef CONFIG_PAX_RANDKSTACK
15979+ pushq %rax
15980+ pushq %r11
15981+ call pax_randomize_kstack
15982+ popq %r11
15983+ popq %rax
15984+#endif
15985+ .endm
15986+
15987+#ifdef CONFIG_PAX_MEMORY_UDEREF
15988+ENTRY(pax_enter_kernel_user)
15989+ pushq %rdi
15990+ pushq %rbx
15991+
15992+#ifdef CONFIG_PARAVIRT
15993+ PV_SAVE_REGS(CLBR_RDI)
15994+#endif
15995+
15996+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15997+ GET_CR3_INTO_RDI
15998+ cmp $1,%dil
15999+ jnz 4f
16000+ sub $4097,%rdi
16001+ bts $63,%rdi
16002+ SET_RDI_INTO_CR3
16003+ jmp 3f
16004+111:
16005+
16006+ GET_CR3_INTO_RDI
16007+ mov %rdi,%rbx
16008+ add $__START_KERNEL_map,%rbx
16009+ sub phys_base(%rip),%rbx
16010+
16011+#ifdef CONFIG_PARAVIRT
16012+ cmpl $0, pv_info+PARAVIRT_enabled
16013+ jz 1f
16014+ pushq %rdi
16015+ i = 0
16016+ .rept USER_PGD_PTRS
16017+ mov i*8(%rbx),%rsi
16018+ mov $0,%sil
16019+ lea i*8(%rbx),%rdi
16020+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
16021+ i = i + 1
16022+ .endr
16023+ popq %rdi
16024+ jmp 2f
16025+1:
16026+#endif
16027+
16028+ i = 0
16029+ .rept USER_PGD_PTRS
16030+ movb $0,i*8(%rbx)
16031+ i = i + 1
16032+ .endr
16033+
16034+2: SET_RDI_INTO_CR3
16035+
16036+#ifdef CONFIG_PAX_KERNEXEC
16037+ GET_CR0_INTO_RDI
16038+ bts $X86_CR0_WP_BIT,%rdi
16039+ SET_RDI_INTO_CR0
16040+#endif
16041+
16042+3:
16043+
16044+#ifdef CONFIG_PARAVIRT
16045+ PV_RESTORE_REGS(CLBR_RDI)
16046+#endif
16047+
16048+ popq %rbx
16049+ popq %rdi
16050+ pax_force_retaddr
16051+ retq
16052+4: ud2
16053+ENDPROC(pax_enter_kernel_user)
16054+
16055+ENTRY(pax_exit_kernel_user)
16056+ pushq %rdi
16057+ pushq %rbx
16058+
16059+#ifdef CONFIG_PARAVIRT
16060+ PV_SAVE_REGS(CLBR_RDI)
16061+#endif
16062+
16063+ GET_CR3_INTO_RDI
16064+ ALTERNATIVE "jmp 1f", "", X86_FEATURE_PCID
16065+ cmp $0,%dil
16066+ jnz 3f
16067+ add $4097,%rdi
16068+ bts $63,%rdi
16069+ SET_RDI_INTO_CR3
16070+ jmp 2f
16071+1:
16072+
16073+ mov %rdi,%rbx
16074+
16075+#ifdef CONFIG_PAX_KERNEXEC
16076+ GET_CR0_INTO_RDI
16077+ btr $X86_CR0_WP_BIT,%rdi
16078+ jnc 3f
16079+ SET_RDI_INTO_CR0
16080+#endif
16081+
16082+ add $__START_KERNEL_map,%rbx
16083+ sub phys_base(%rip),%rbx
16084+
16085+#ifdef CONFIG_PARAVIRT
16086+ cmpl $0, pv_info+PARAVIRT_enabled
16087+ jz 1f
16088+ i = 0
16089+ .rept USER_PGD_PTRS
16090+ mov i*8(%rbx),%rsi
16091+ mov $0x67,%sil
16092+ lea i*8(%rbx),%rdi
16093+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
16094+ i = i + 1
16095+ .endr
16096+ jmp 2f
16097+1:
16098+#endif
16099+
16100+ i = 0
16101+ .rept USER_PGD_PTRS
16102+ movb $0x67,i*8(%rbx)
16103+ i = i + 1
16104+ .endr
16105+2:
16106+
16107+#ifdef CONFIG_PARAVIRT
16108+ PV_RESTORE_REGS(CLBR_RDI)
16109+#endif
16110+
16111+ popq %rbx
16112+ popq %rdi
16113+ pax_force_retaddr
16114+ retq
16115+3: ud2
16116+ENDPROC(pax_exit_kernel_user)
16117+#endif
16118+
16119+ .macro pax_enter_kernel_nmi
16120+ pax_set_fptr_mask
16121+
16122+#ifdef CONFIG_PAX_KERNEXEC
16123+ GET_CR0_INTO_RDI
16124+ bts $X86_CR0_WP_BIT,%rdi
16125+ jc 110f
16126+ SET_RDI_INTO_CR0
16127+ or $2,%ebx
16128+110:
16129+#endif
16130+
16131+#ifdef CONFIG_PAX_MEMORY_UDEREF
16132+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
16133+ GET_CR3_INTO_RDI
16134+ cmp $0,%dil
16135+ jz 111f
16136+ sub $4097,%rdi
16137+ or $4,%ebx
16138+ bts $63,%rdi
16139+ SET_RDI_INTO_CR3
16140+ mov $__UDEREF_KERNEL_DS,%edi
16141+ mov %edi,%ss
16142+111:
16143+#endif
16144+ .endm
16145+
16146+ .macro pax_exit_kernel_nmi
16147+#ifdef CONFIG_PAX_KERNEXEC
16148+ btr $1,%ebx
16149+ jnc 110f
16150+ GET_CR0_INTO_RDI
16151+ btr $X86_CR0_WP_BIT,%rdi
16152+ SET_RDI_INTO_CR0
16153+110:
16154+#endif
16155+
16156+#ifdef CONFIG_PAX_MEMORY_UDEREF
16157+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
16158+ btr $2,%ebx
16159+ jnc 111f
16160+ GET_CR3_INTO_RDI
16161+ add $4097,%rdi
16162+ bts $63,%rdi
16163+ SET_RDI_INTO_CR3
16164+ mov $__KERNEL_DS,%edi
16165+ mov %edi,%ss
16166+111:
16167+#endif
16168+ .endm
16169+
16170+ .macro pax_erase_kstack
16171+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
16172+ call pax_erase_kstack
16173+#endif
16174+ .endm
16175+
16176+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
16177+ENTRY(pax_erase_kstack)
16178+ pushq %rdi
16179+ pushq %rcx
16180+ pushq %rax
16181+ pushq %r11
16182+
16183+ GET_THREAD_INFO(%r11)
16184+ mov TI_lowest_stack(%r11), %rdi
16185+ mov $-0xBEEF, %rax
16186+ std
16187+
16188+1: mov %edi, %ecx
16189+ and $THREAD_SIZE_asm - 1, %ecx
16190+ shr $3, %ecx
16191+ repne scasq
16192+ jecxz 2f
16193+
16194+ cmp $2*8, %ecx
16195+ jc 2f
16196+
16197+ mov $2*8, %ecx
16198+ repe scasq
16199+ jecxz 2f
16200+ jne 1b
16201+
16202+2: cld
16203+ or $2*8, %rdi
16204+ mov %esp, %ecx
16205+ sub %edi, %ecx
16206+
16207+ cmp $THREAD_SIZE_asm, %rcx
16208+ jb 3f
16209+ ud2
16210+3:
16211+
16212+ shr $3, %ecx
16213+ rep stosq
16214+
16215+ mov TI_task_thread_sp0(%r11), %rdi
16216+ sub $256, %rdi
16217+ mov %rdi, TI_lowest_stack(%r11)
16218+
16219+ popq %r11
16220+ popq %rax
16221+ popq %rcx
16222+ popq %rdi
16223+ pax_force_retaddr
16224+ ret
16225+ENDPROC(pax_erase_kstack)
16226+#endif
16227+
16228 .macro TRACE_IRQS_IRETQ
16229 #ifdef CONFIG_TRACE_IRQFLAGS
16230 bt $9, EFLAGS(%rsp) /* interrupts off? */
16231@@ -89,7 +487,7 @@ ENDPROC(native_usergs_sysret64)
16232 .endm
16233
16234 .macro TRACE_IRQS_IRETQ_DEBUG
16235- bt $9, EFLAGS(%rsp) /* interrupts off? */
16236+ bt $X86_EFLAGS_IF_BIT, EFLAGS(%rsp) /* interrupts off? */
16237 jnc 1f
16238 TRACE_IRQS_ON_DEBUG
16239 1:
16240@@ -149,14 +547,6 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)
16241 /* Construct struct pt_regs on stack */
16242 pushq $__USER_DS /* pt_regs->ss */
16243 pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
16244- /*
16245- * Re-enable interrupts.
16246- * We use 'rsp_scratch' as a scratch space, hence irq-off block above
16247- * must execute atomically in the face of possible interrupt-driven
16248- * task preemption. We must enable interrupts only after we're done
16249- * with using rsp_scratch:
16250- */
16251- ENABLE_INTERRUPTS(CLBR_NONE)
16252 pushq %r11 /* pt_regs->flags */
16253 pushq $__USER_CS /* pt_regs->cs */
16254 pushq %rcx /* pt_regs->ip */
16255@@ -172,7 +562,27 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)
16256 pushq %r11 /* pt_regs->r11 */
16257 sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
16258
16259- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16260+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16261+ movq %r12, R12(%rsp)
16262+#endif
16263+
16264+ pax_enter_kernel_user
16265+
16266+#ifdef CONFIG_PAX_RANDKSTACK
16267+ pax_erase_kstack
16268+#endif
16269+
16270+ /*
16271+ * Re-enable interrupts.
16272+ * We use 'rsp_scratch' as a scratch space, hence irq-off block above
16273+ * must execute atomically in the face of possible interrupt-driven
16274+ * task preemption. We must enable interrupts only after we're done
16275+ * with using rsp_scratch:
16276+ */
16277+ ENABLE_INTERRUPTS(CLBR_NONE)
16278+
16279+ GET_THREAD_INFO(%rcx)
16280+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%rcx)
16281 jnz tracesys
16282 entry_SYSCALL_64_fastpath:
16283 #if __SYSCALL_MASK == ~0
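Review bot: The entry-side `pax_erase_kstack` after `pax_enter_kernel_user` is wrapped in `#ifdef CONFIG_PAX_RANDKSTACK`, although the macro itself only emits code under `CONFIG_PAX_MEMORY_STACKLEAK`, so this erase is built only when both options are set and the hunk does not say why. The same guard is repeated at the SYSENTER, SYSCALL and INT80 entry points in entry_64_compat.S. I would add a comment above it, e.g. `/* STACKLEAK erase at entry is only needed together with RANDKSTACK: <reason> */`, with the reason filled in by the author. The relocated "Re-enable interrupts" comment could also mention that the irq-off region now covers these two PaX steps as well as the `rsp_scratch` use.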
16284@@ -205,9 +615,13 @@ entry_SYSCALL_64_fastpath:
16285 * flags (TIF_NOTIFY_RESUME, TIF_USER_RETURN_NOTIFY, etc) set is
16286 * very bad.
16287 */
16288- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16289+ GET_THREAD_INFO(%rcx)
16290+ testl $_TIF_ALLWORK_MASK, TI_flags(%rcx)
16291 jnz int_ret_from_sys_call_irqs_off /* Go to the slow path */
16292
16293+ pax_exit_kernel_user
16294+ pax_erase_kstack
16295+
16296 RESTORE_C_REGS_EXCEPT_RCX_R11
16297 movq RIP(%rsp), %rcx
16298 movq EFLAGS(%rsp), %r11
16299@@ -236,6 +650,9 @@ tracesys:
16300 call syscall_trace_enter_phase1
16301 test %rax, %rax
16302 jnz tracesys_phase2 /* if needed, run the slow path */
16303+
16304+ pax_erase_kstack
16305+
16306 RESTORE_C_REGS_EXCEPT_RAX /* else restore clobbered regs */
16307 movq ORIG_RAX(%rsp), %rax
16308 jmp entry_SYSCALL_64_fastpath /* and return to the fast path */
16309@@ -247,6 +664,8 @@ tracesys_phase2:
16310 movq %rax, %rdx
16311 call syscall_trace_enter_phase2
16312
16313+ pax_erase_kstack
16314+
16315 /*
16316 * Reload registers from stack in case ptrace changed them.
16317 * We don't reload %rax because syscall_trace_entry_phase2() returned
16318@@ -284,6 +703,8 @@ GLOBAL(int_with_check)
16319 andl %edi, %edx
16320 jnz int_careful
16321 andl $~TS_COMPAT, TI_status(%rcx)
16322+ pax_exit_kernel_user
16323+ pax_erase_kstack
16324 jmp syscall_return
16325
16326 /*
16327@@ -407,14 +828,14 @@ syscall_return_via_sysret:
16328 opportunistic_sysret_failed:
16329 SWAPGS
16330 jmp restore_c_regs_and_iret
16331-END(entry_SYSCALL_64)
16332+ENDPROC(entry_SYSCALL_64)
16333
16334
16335 .macro FORK_LIKE func
16336 ENTRY(stub_\func)
16337 SAVE_EXTRA_REGS 8
16338 jmp sys_\func
16339-END(stub_\func)
16340+ENDPROC(stub_\func)
16341 .endm
16342
16343 FORK_LIKE clone
16344@@ -434,7 +855,7 @@ return_from_execve:
16345 ZERO_EXTRA_REGS
16346 movq %rax, RAX(%rsp)
16347 jmp int_ret_from_sys_call
16348-END(stub_execve)
16349+ENDPROC(stub_execve)
16350 /*
16351 * Remaining execve stubs are only 7 bytes long.
16352 * ENTRY() often aligns to 16 bytes, which in this case has no benefits.
16353@@ -443,7 +864,7 @@ END(stub_execve)
16354 GLOBAL(stub_execveat)
16355 call sys_execveat
16356 jmp return_from_execve
16357-END(stub_execveat)
16358+ENDPROC(stub_execveat)
16359
16360 #if defined(CONFIG_X86_X32_ABI) || defined(CONFIG_IA32_EMULATION)
16361 .align 8
16362@@ -451,15 +872,15 @@ GLOBAL(stub_x32_execve)
16363 GLOBAL(stub32_execve)
16364 call compat_sys_execve
16365 jmp return_from_execve
16366-END(stub32_execve)
16367-END(stub_x32_execve)
16368+ENDPROC(stub32_execve)
16369+ENDPROC(stub_x32_execve)
16370 .align 8
16371 GLOBAL(stub_x32_execveat)
16372 GLOBAL(stub32_execveat)
16373 call compat_sys_execveat
16374 jmp return_from_execve
16375-END(stub32_execveat)
16376-END(stub_x32_execveat)
16377+ENDPROC(stub32_execveat)
16378+ENDPROC(stub_x32_execveat)
16379 #endif
16380
16381 /*
16382@@ -488,7 +909,7 @@ ENTRY(stub_x32_rt_sigreturn)
16383 SAVE_EXTRA_REGS 8
16384 call sys32_x32_rt_sigreturn
16385 jmp return_from_stub
16386-END(stub_x32_rt_sigreturn)
16387+ENDPROC(stub_x32_rt_sigreturn)
16388 #endif
16389
16390 /*
16391@@ -527,7 +948,7 @@ ENTRY(ret_from_fork)
16392 movl $0, RAX(%rsp)
16393 RESTORE_EXTRA_REGS
16394 jmp int_ret_from_sys_call
16395-END(ret_from_fork)
16396+ENDPROC(ret_from_fork)
16397
16398 /*
16399 * Build the entry stubs with some assembler magic.
16400@@ -542,7 +963,7 @@ ENTRY(irq_entries_start)
16401 jmp common_interrupt
16402 .align 8
16403 .endr
16404-END(irq_entries_start)
16405+ENDPROC(irq_entries_start)
16406
16407 /*
16408 * Interrupt entry/exit.
16409@@ -555,21 +976,13 @@ END(irq_entries_start)
16410 /* 0(%rsp): ~(interrupt number) */
16411 .macro interrupt func
16412 cld
16413- /*
16414- * Since nothing in interrupt handling code touches r12...r15 members
16415- * of "struct pt_regs", and since interrupts can nest, we can save
16416- * four stack slots and simultaneously provide
16417- * an unwind-friendly stack layout by saving "truncated" pt_regs
16418- * exactly up to rbp slot, without these members.
16419- */
16420- ALLOC_PT_GPREGS_ON_STACK -RBP
16421- SAVE_C_REGS -RBP
16422- /* this goes to 0(%rsp) for unwinder, not for saving the value: */
16423- SAVE_EXTRA_REGS_RBP -RBP
16424+ ALLOC_PT_GPREGS_ON_STACK
16425+ SAVE_C_REGS
16426+ SAVE_EXTRA_REGS
16427
16428- leaq -RBP(%rsp), %rdi /* arg1 for \func (pointer to pt_regs) */
16429+ movq %rsp, %rdi /* arg1 for \func (pointer to pt_regs) */
16430
16431- testb $3, CS-RBP(%rsp)
16432+ testb $3, CS(%rsp)
16433 jz 1f
16434 SWAPGS
16435 1:
16436@@ -584,6 +997,18 @@ END(irq_entries_start)
16437 incl PER_CPU_VAR(irq_count)
16438 cmovzq PER_CPU_VAR(irq_stack_ptr), %rsp
16439 pushq %rsi
16440+
16441+#ifdef CONFIG_PAX_MEMORY_UDEREF
16442+ testb $3, CS(%rdi)
16443+ jnz 1f
16444+ pax_enter_kernel
16445+ jmp 2f
16446+1: pax_enter_kernel_user
16447+2:
16448+#else
16449+ pax_enter_kernel
16450+#endif
16451+
16452 /* We entered an interrupt context - irqs are off: */
16453 TRACE_IRQS_OFF
16454
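Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` block that tests the saved CS and picks `pax_enter_kernel` or `pax_enter_kernel_user` is written out here and again, line for line, in the `paranoid_entry` and `error_entry` hunks, differing only in the operand (`CS(%rdi)` here, `CS+8(%rsp)` there). Three copies of an entry-path security transition are easy to let drift apart; a small helper macro taking the CS slot would keep them identical. This hunk appears to sit inside the `interrupt` macro, which starts and ends outside it.

```asm
	.macro pax_enter_kernel_by_cs cs_slot
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb	$3, \cs_slot		/* privilege bits of the saved CS */
	jnz	1f
	pax_enter_kernel
	jmp	2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm

	/* … unchanged: irq_count increment, stack switch, pushq %rsi … */
	pax_enter_kernel_by_cs CS(%rdi)
```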
16455@@ -608,7 +1033,7 @@ ret_from_intr:
16456 /* Restore saved previous stack */
16457 popq %rsi
16458 /* return code expects complete pt_regs - adjust rsp accordingly: */
16459- leaq -RBP(%rsi), %rsp
16460+ movq %rsi, %rsp
16461
16462 testb $3, CS(%rsp)
16463 jz retint_kernel
16464@@ -630,6 +1055,8 @@ retint_swapgs: /* return to user-space */
16465 * The iretq could re-enable interrupts:
16466 */
16467 DISABLE_INTERRUPTS(CLBR_ANY)
16468+ pax_exit_kernel_user
16469+# pax_erase_kstack
16470 TRACE_IRQS_IRETQ
16471
16472 SWAPGS
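Review bot: In `retint_swapgs` the added line `# pax_erase_kstack` is disabled code with no explanation, so a reader cannot tell whether skipping the stack erase on the interrupt return-to-user path is deliberate or unfinished; the `nested_nmi_out` hunk does the same with `# pax_force_retaddr_bts`. In a .S file that goes through the C preprocessor a `#`-led line is also easy to misread as a directive. I would either drop these lines or replace them with a real comment that states the decision, e.g. `/* pax_erase_kstack is not run here: <reason> */`. `retint_swapgs` continues outside the hunk.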
16473@@ -648,6 +1075,21 @@ retint_kernel:
16474 jmp 0b
16475 1:
16476 #endif
16477+
16478+ pax_exit_kernel
16479+
16480+#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
16481+ /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
16482+ * namely calling EFI runtime services with a phys mapping. We're
16483+ * starting off with NOPs and patch in the real instrumentation
16484+ * (BTS/OR) before starting any userland process; even before starting
16485+ * up the APs.
16486+ */
16487+ ALTERNATIVE "", "pax_force_retaddr 16*8", X86_FEATURE_ALWAYS
16488+#else
16489+ pax_force_retaddr RIP
16490+#endif
16491+
16492 /*
16493 * The iretq could re-enable interrupts:
16494 */
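Review bot: The EFI branch passes the literal `16*8` to `pax_force_retaddr` while the `#else` branch uses the symbolic `RIP`, so the two paths silently depend on the pt_regs layout staying in sync. Presumably the literal is there because the preprocessor does not expand `RIP` inside the ALTERNATIVE string; if so, say it next to the line: `/* 16*8 must equal RIP; spelled out because macros are not expanded inside the string */`. A build-time check such as `.if RIP != 16*8` / `.error "pax_force_retaddr offset out of sync with RIP"` / `.endif` would catch drift (this assumes RIP is a preprocessor constant, which the hunk does not show). `retint_kernel` starts and ends outside the hunk.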
16495@@ -689,15 +1131,15 @@ native_irq_return_ldt:
16496 SWAPGS
16497 movq PER_CPU_VAR(espfix_waddr), %rdi
16498 movq %rax, (0*8)(%rdi) /* RAX */
16499- movq (2*8)(%rsp), %rax /* RIP */
16500+ movq (2*8 + RIP-RIP)(%rsp), %rax /* RIP */
16501 movq %rax, (1*8)(%rdi)
16502- movq (3*8)(%rsp), %rax /* CS */
16503+ movq (2*8 + CS-RIP)(%rsp), %rax /* CS */
16504 movq %rax, (2*8)(%rdi)
16505- movq (4*8)(%rsp), %rax /* RFLAGS */
16506+ movq (2*8 + EFLAGS-RIP)(%rsp), %rax /* RFLAGS */
16507 movq %rax, (3*8)(%rdi)
16508- movq (6*8)(%rsp), %rax /* SS */
16509+ movq (2*8 + SS-RIP)(%rsp), %rax /* SS */
16510 movq %rax, (5*8)(%rdi)
16511- movq (5*8)(%rsp), %rax /* RSP */
16512+ movq (2*8 + RSP-RIP)(%rsp), %rax /* RSP */
16513 movq %rax, (4*8)(%rdi)
16514 andl $0xffff0000, %eax
16515 popq %rdi
16516@@ -738,7 +1180,7 @@ retint_signal:
16517 GET_THREAD_INFO(%rcx)
16518 jmp retint_with_reschedule
16519
16520-END(common_interrupt)
16521+ENDPROC(common_interrupt)
16522
16523 /*
16524 * APIC interrupts.
16525@@ -750,7 +1192,7 @@ ENTRY(\sym)
16526 .Lcommon_\sym:
16527 interrupt \do_sym
16528 jmp ret_from_intr
16529-END(\sym)
16530+ENDPROC(\sym)
16531 .endm
16532
16533 #ifdef CONFIG_TRACING
16534@@ -815,7 +1257,7 @@ apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt
16535 /*
16536 * Exception entry points.
16537 */
16538-#define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss) + (TSS_ist + ((x) - 1) * 8)
16539+#define CPU_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r13)
16540
16541 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
16542 ENTRY(\sym)
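Review bot: `CPU_TSS_IST(x)` now expands to a `%r13`-relative operand, which gives the macro a hidden precondition: `%r13` must hold the address of this CPU's `cpu_tss` at every use. The only visible setup is the `imul`/`lea` pair added in the following `idtentry` hunk before `subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)`; any later use after the handler call (outside the visible hunks) relies on `%r13` surviving that call. Document it at the definition, e.g. `/* needs %r13 = &cpu_tss for the current CPU, loaded in idtentry */`, so that a future use outside `idtentry` does not go through a stale register.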
16543@@ -862,6 +1304,12 @@ ENTRY(\sym)
16544 .endif
16545
16546 .if \shift_ist != -1
16547+#ifdef CONFIG_SMP
16548+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r13d
16549+ lea cpu_tss(%r13), %r13
16550+#else
16551+ lea cpu_tss(%rip), %r13
16552+#endif
16553 subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
16554 .endif
16555
16556@@ -905,7 +1353,7 @@ ENTRY(\sym)
16557
16558 jmp error_exit /* %ebx: no swapgs flag */
16559 .endif
16560-END(\sym)
16561+ENDPROC(\sym)
16562 .endm
16563
16564 #ifdef CONFIG_TRACING
16565@@ -947,8 +1395,9 @@ gs_change:
16566 2: mfence /* workaround */
16567 SWAPGS
16568 popfq
16569+ pax_force_retaddr
16570 ret
16571-END(native_load_gs_index)
16572+ENDPROC(native_load_gs_index)
16573
16574 _ASM_EXTABLE(gs_change, bad_gs)
16575 .section .fixup, "ax"
16576@@ -970,8 +1419,9 @@ ENTRY(do_softirq_own_stack)
16577 call __do_softirq
16578 leaveq
16579 decl PER_CPU_VAR(irq_count)
16580+ pax_force_retaddr
16581 ret
16582-END(do_softirq_own_stack)
16583+ENDPROC(do_softirq_own_stack)
16584
16585 #ifdef CONFIG_XEN
16586 idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0
16587@@ -1007,7 +1457,7 @@ ENTRY(xen_do_hypervisor_callback) /* do_hypervisor_callback(struct *pt_regs) */
16588 call xen_maybe_preempt_hcall
16589 #endif
16590 jmp error_exit
16591-END(xen_do_hypervisor_callback)
16592+ENDPROC(xen_do_hypervisor_callback)
16593
16594 /*
16595 * Hypervisor uses this for application faults while it executes.
16596@@ -1052,7 +1502,7 @@ ENTRY(xen_failsafe_callback)
16597 SAVE_C_REGS
16598 SAVE_EXTRA_REGS
16599 jmp error_exit
16600-END(xen_failsafe_callback)
16601+ENDPROC(xen_failsafe_callback)
16602
16603 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
16604 xen_hvm_callback_vector xen_evtchn_do_upcall
16605@@ -1101,8 +1551,36 @@ ENTRY(paranoid_entry)
16606 js 1f /* negative -> in kernel */
16607 SWAPGS
16608 xorl %ebx, %ebx
16609-1: ret
16610-END(paranoid_entry)
16611+1:
16612+#ifdef CONFIG_PAX_MEMORY_UDEREF
16613+ testb $3, CS+8(%rsp)
16614+ jnz 1f
16615+ pax_enter_kernel
16616+ jmp 2f
16617+1: pax_enter_kernel_user
16618+2:
16619+#else
16620+ pax_enter_kernel
16621+#endif
16622+ pax_force_retaddr
16623+ ret
16624+ENDPROC(paranoid_entry)
16625+
16626+ENTRY(paranoid_entry_nmi)
16627+ cld
16628+ SAVE_C_REGS 8
16629+ SAVE_EXTRA_REGS 8
16630+ movl $1, %ebx
16631+ movl $MSR_GS_BASE, %ecx
16632+ rdmsr
16633+ testl %edx, %edx
16634+ js 1f /* negative -> in kernel */
16635+ SWAPGS
16636+ xorl %ebx, %ebx
16637+1: pax_enter_kernel_nmi
16638+ pax_force_retaddr
16639+ ret
16640+ENDPROC(paranoid_entry_nmi)
16641
16642 /*
16643 * "Paranoid" exit path from exception stack. This is invoked
16644@@ -1119,19 +1597,26 @@ END(paranoid_entry)
16645 ENTRY(paranoid_exit)
16646 DISABLE_INTERRUPTS(CLBR_NONE)
16647 TRACE_IRQS_OFF_DEBUG
16648- testl %ebx, %ebx /* swapgs needed? */
16649+ testl $1, %ebx /* swapgs needed? */
16650 jnz paranoid_exit_no_swapgs
16651+#ifdef CONFIG_PAX_MEMORY_UDEREF
16652+ pax_exit_kernel_user
16653+#else
16654+ pax_exit_kernel
16655+#endif
16656 TRACE_IRQS_IRETQ
16657 SWAPGS_UNSAFE_STACK
16658 jmp paranoid_exit_restore
16659 paranoid_exit_no_swapgs:
16660+ pax_exit_kernel
16661 TRACE_IRQS_IRETQ_DEBUG
16662 paranoid_exit_restore:
16663 RESTORE_EXTRA_REGS
16664 RESTORE_C_REGS
16665 REMOVE_PT_GPREGS_FROM_STACK 8
16666+ pax_force_retaddr_bts
16667 INTERRUPT_RETURN
16668-END(paranoid_exit)
16669+ENDPROC(paranoid_exit)
16670
16671 /*
16672 * Save all registers in pt_regs, and switch gs if needed.
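Review bot: Switching the test from `testl %ebx, %ebx` to `testl $1, %ebx` means `%ebx` is no longer a plain 0/1 "no swapgs" value but may carry other bits that must be ignored here, and nothing in `paranoid_exit` documents that. The same change is made in `error_exit` (`testl $1, %eax`) and at `end_repeat_nmi`, and the NMI hunks clear `%ebx` before `pax_enter_kernel_nmi`, which suggests those macros keep state in the upper bits (their bodies are outside this view). Once confirmed, I would extend the comment on the test to `/* bit 0: swapgs not needed; other bits belong to pax_*_kernel_nmi */` and add a matching register contract to the header of the new `paranoid_entry_nmi`.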
16673@@ -1149,7 +1634,18 @@ ENTRY(error_entry)
16674 SWAPGS
16675
16676 error_entry_done:
16677+#ifdef CONFIG_PAX_MEMORY_UDEREF
16678+ testb $3, CS+8(%rsp)
16679+ jnz 1f
16680+ pax_enter_kernel
16681+ jmp 2f
16682+1: pax_enter_kernel_user
16683+2:
16684+#else
16685+ pax_enter_kernel
16686+#endif
16687 TRACE_IRQS_OFF
16688+ pax_force_retaddr
16689 ret
16690
16691 /*
16692@@ -1199,7 +1695,7 @@ error_bad_iret:
16693 mov %rax, %rsp
16694 decl %ebx
16695 jmp error_entry_done
16696-END(error_entry)
16697+ENDPROC(error_entry)
16698
16699
16700 /*
16701@@ -1212,10 +1708,10 @@ ENTRY(error_exit)
16702 RESTORE_EXTRA_REGS
16703 DISABLE_INTERRUPTS(CLBR_NONE)
16704 TRACE_IRQS_OFF
16705- testl %eax, %eax
16706+ testl $1, %eax
16707 jnz retint_kernel
16708 jmp retint_user
16709-END(error_exit)
16710+ENDPROC(error_exit)
16711
16712 /* Runs on exception stack */
16713 ENTRY(nmi)
16714@@ -1258,6 +1754,8 @@ ENTRY(nmi)
16715 * other IST entries.
16716 */
16717
16718+ ASM_CLAC
16719+
16720 /* Use %rdx as our temp variable throughout */
16721 pushq %rdx
16722
16723@@ -1298,6 +1796,12 @@ ENTRY(nmi)
16724 pushq %r14 /* pt_regs->r14 */
16725 pushq %r15 /* pt_regs->r15 */
16726
16727+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
16728+ xorl %ebx, %ebx
16729+#endif
16730+
16731+ pax_enter_kernel_nmi
16732+
16733 /*
16734 * At this point we no longer need to worry about stack damage
16735 * due to nesting -- we're on the normal thread stack and we're
16736@@ -1308,12 +1812,19 @@ ENTRY(nmi)
16737 movq $-1, %rsi
16738 call do_nmi
16739
16740+ pax_exit_kernel_nmi
16741+
16742 /*
16743 * Return back to user mode. We must *not* do the normal exit
16744 * work, because we don't want to enable interrupts. Fortunately,
16745 * do_nmi doesn't modify pt_regs.
16746 */
16747 SWAPGS
16748+
16749+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
16750+ movq RBX(%rsp), %rbx
16751+#endif
16752+
16753 jmp restore_c_regs_and_iret
16754
16755 .Lnmi_from_kernel:
16756@@ -1435,6 +1946,7 @@ nested_nmi_out:
16757 popq %rdx
16758
16759 /* We are returning to kernel mode, so this cannot result in a fault. */
16760+# pax_force_retaddr_bts
16761 INTERRUPT_RETURN
16762
16763 first_nmi:
16764@@ -1508,20 +2020,22 @@ end_repeat_nmi:
16765 ALLOC_PT_GPREGS_ON_STACK
16766
16767 /*
16768- * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit
16769+ * Use paranoid_entry_nmi to handle SWAPGS, but no need to use paranoid_exit
16770 * as we should not be calling schedule in NMI context.
16771 * Even with normal interrupts enabled. An NMI should not be
16772 * setting NEED_RESCHED or anything that normal interrupts and
16773 * exceptions might do.
16774 */
16775- call paranoid_entry
16776+ call paranoid_entry_nmi
16777
16778 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
16779 movq %rsp, %rdi
16780 movq $-1, %rsi
16781 call do_nmi
16782
16783- testl %ebx, %ebx /* swapgs needed? */
16784+ pax_exit_kernel_nmi
16785+
16786+ testl $1, %ebx /* swapgs needed? */
16787 jnz nmi_restore
16788 nmi_swapgs:
16789 SWAPGS_UNSAFE_STACK
16790@@ -1532,6 +2046,8 @@ nmi_restore:
16791 /* Point RSP at the "iret" frame. */
16792 REMOVE_PT_GPREGS_FROM_STACK 6*8
16793
16794+ pax_force_retaddr_bts
16795+
16796 /*
16797 * Clear "NMI executing". Set DF first so that we can easily
16798 * distinguish the remaining code between here and IRET from
16799@@ -1549,9 +2065,9 @@ nmi_restore:
16800 * mode, so this cannot result in a fault.
16801 */
16802 INTERRUPT_RETURN
16803-END(nmi)
16804+ENDPROC(nmi)
16805
16806 ENTRY(ignore_sysret)
16807 mov $-ENOSYS, %eax
16808 sysret
16809-END(ignore_sysret)
16810+ENDPROC(ignore_sysret)
16811diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
16812index a7e257d..3a6ad23 100644
16813--- a/arch/x86/entry/entry_64_compat.S
16814+++ b/arch/x86/entry/entry_64_compat.S
16815@@ -13,8 +13,10 @@
16816 #include <asm/irqflags.h>
16817 #include <asm/asm.h>
16818 #include <asm/smap.h>
16819+#include <asm/pgtable.h>
16820 #include <linux/linkage.h>
16821 #include <linux/err.h>
16822+#include <asm/alternative-asm.h>
16823
16824 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
16825 #include <linux/elf-em.h>
16826@@ -35,6 +37,32 @@ ENTRY(native_usergs_sysret32)
16827 ENDPROC(native_usergs_sysret32)
16828 #endif
16829
16830+ .macro pax_enter_kernel_user
16831+ pax_set_fptr_mask
16832+#ifdef CONFIG_PAX_MEMORY_UDEREF
16833+ call pax_enter_kernel_user
16834+#endif
16835+ .endm
16836+
16837+ .macro pax_exit_kernel_user
16838+#ifdef CONFIG_PAX_MEMORY_UDEREF
16839+ call pax_exit_kernel_user
16840+#endif
16841+#ifdef CONFIG_PAX_RANDKSTACK
16842+ pushq %rax
16843+ pushq %r11
16844+ call pax_randomize_kstack
16845+ popq %r11
16846+ popq %rax
16847+#endif
16848+ .endm
16849+
16850+ .macro pax_erase_kstack
16851+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
16852+ call pax_erase_kstack
16853+#endif
16854+ .endm
16855+
16856 /*
16857 * 32-bit SYSENTER instruction entry.
16858 *
16859@@ -65,20 +93,21 @@ ENTRY(entry_SYSENTER_compat)
16860 */
16861 SWAPGS_UNSAFE_STACK
16862 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
16863- ENABLE_INTERRUPTS(CLBR_NONE)
16864
16865 /* Zero-extending 32-bit regs, do not remove */
16866 movl %ebp, %ebp
16867 movl %eax, %eax
16868
16869- movl ASM_THREAD_INFO(TI_sysenter_return, %rsp, 0), %r10d
16870+ GET_THREAD_INFO(%r11)
16871+ movl TI_sysenter_return(%r11), %r11d
16872
16873 /* Construct struct pt_regs on stack */
16874 pushq $__USER32_DS /* pt_regs->ss */
16875 pushq %rbp /* pt_regs->sp */
16876 pushfq /* pt_regs->flags */
16877+ orl $X86_EFLAGS_IF,(%rsp)
16878 pushq $__USER32_CS /* pt_regs->cs */
16879- pushq %r10 /* pt_regs->ip = thread_info->sysenter_return */
16880+ pushq %r11 /* pt_regs->ip = thread_info->sysenter_return */
16881 pushq %rax /* pt_regs->orig_ax */
16882 pushq %rdi /* pt_regs->di */
16883 pushq %rsi /* pt_regs->si */
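Review bot: `orl $X86_EFLAGS_IF,(%rsp)` right after `pushfq` patches the saved `pt_regs->flags` without a comment. The reason appears to be that this hunk removes the early `ENABLE_INTERRUPTS(CLBR_NONE)` (it is re-added after `pax_enter_kernel_user` in the next hunk), so `pushfq` now captures IF=0 and the saved user flags would otherwise carry interrupts-disabled. That is worth stating on the line: `orl $X86_EFLAGS_IF,(%rsp) /* irqs are still off here; user mode always runs with IF set */`. The pt_regs construction continues outside the hunk.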
16884@@ -88,15 +117,37 @@ ENTRY(entry_SYSENTER_compat)
16885 cld
16886 sub $(10*8), %rsp /* pt_regs->r8-11, bp, bx, r12-15 not saved */
16887
16888+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16889+ movq %r12, R12(%rsp)
16890+#endif
16891+
16892+ pax_enter_kernel_user
16893+
16894+#ifdef CONFIG_PAX_RANDKSTACK
16895+ pax_erase_kstack
16896+#endif
16897+
16898+ ENABLE_INTERRUPTS(CLBR_NONE)
16899+
16900 /*
16901 * no need to do an access_ok check here because rbp has been
16902 * 32-bit zero extended
16903 */
16904+
16905+#ifdef CONFIG_PAX_MEMORY_UDEREF
16906+ addq pax_user_shadow_base, %rbp
16907+ ASM_PAX_OPEN_USERLAND
16908+#endif
16909+
16910 ASM_STAC
16911 1: movl (%rbp), %ebp
16912 _ASM_EXTABLE(1b, ia32_badarg)
16913 ASM_CLAC
16914
16915+#ifdef CONFIG_PAX_MEMORY_UDEREF
16916+ ASM_PAX_CLOSE_USERLAND
16917+#endif
16918+
16919 /*
16920 * Sysenter doesn't filter flags, so we need to clear NT
16921 * ourselves. To save a few cycles, we can check whether
16922@@ -106,8 +157,9 @@ ENTRY(entry_SYSENTER_compat)
16923 jnz sysenter_fix_flags
16924 sysenter_flags_fixed:
16925
16926- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16927- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16928+ GET_THREAD_INFO(%r11)
16929+ orl $TS_COMPAT, TI_status(%r11)
16930+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%r11)
16931 jnz sysenter_tracesys
16932
16933 sysenter_do_call:
16934@@ -123,9 +175,10 @@ sysenter_dispatch:
16935 call *ia32_sys_call_table(, %rax, 8)
16936 movq %rax, RAX(%rsp)
16937 1:
16938+ GET_THREAD_INFO(%r11)
16939 DISABLE_INTERRUPTS(CLBR_NONE)
16940 TRACE_IRQS_OFF
16941- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16942+ testl $_TIF_ALLWORK_MASK, TI_flags(%r11)
16943 jnz sysexit_audit
16944 sysexit_from_sys_call:
16945 /*
16946@@ -138,7 +191,9 @@ sysexit_from_sys_call:
16947 * This code path is still called 'sysexit' because it pairs
16948 * with 'sysenter' and it uses the SYSENTER calling convention.
16949 */
16950- andl $~TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16951+ pax_exit_kernel_user
16952+ pax_erase_kstack
16953+ andl $~TS_COMPAT, TI_status(%r11)
16954 movl RIP(%rsp), %ecx /* User %eip */
16955 movq RAX(%rsp), %rax
16956 RESTORE_RSI_RDI
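Review bot: `andl $~TS_COMPAT, TI_status(%r11)` now depends on `%r11` still holding the thread_info pointer loaded by `GET_THREAD_INFO(%r11)` in `sysenter_dispatch`, across two macros that expand to calls. `pax_erase_kstack` saves and restores `%r11` in entry_64.S, and the `pax_exit_kernel_user` macro in this file pushes `%r11` only around `pax_randomize_kstack`; whether the `pax_exit_kernel_user` routine itself preserves it is not visible here. Either note the requirement (`/* %r11 = thread_info, preserved by the pax_* calls above */`) or reload it with `GET_THREAD_INFO(%r11)` just before the `andl`. `sysretl_from_sys_call` has the same pattern.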
16957@@ -194,6 +249,8 @@ sysexit_from_sys_call:
16958 movl %eax, %edi /* arg1 (RDI) <= syscall number (EAX) */
16959 call __audit_syscall_entry
16960
16961+ pax_erase_kstack
16962+
16963 /*
16964 * We are going to jump back to the syscall dispatch code.
16965 * Prepare syscall args as required by the 64-bit C ABI.
16966@@ -209,7 +266,7 @@ sysexit_from_sys_call:
16967 .endm
16968
16969 .macro auditsys_exit exit
16970- testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16971+ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
16972 jnz ia32_ret_from_sys_call
16973 TRACE_IRQS_ON
16974 ENABLE_INTERRUPTS(CLBR_NONE)
16975@@ -220,10 +277,11 @@ sysexit_from_sys_call:
16976 1: setbe %al /* 1 if error, 0 if not */
16977 movzbl %al, %edi /* zero-extend that into %edi */
16978 call __audit_syscall_exit
16979+ GET_THREAD_INFO(%r11)
16980 movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %edi
16981 DISABLE_INTERRUPTS(CLBR_NONE)
16982 TRACE_IRQS_OFF
16983- testl %edi, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16984+ testl %edi, TI_flags(%r11)
16985 jz \exit
16986 xorl %eax, %eax /* Do not leak kernel information */
16987 movq %rax, R11(%rsp)
16988@@ -249,7 +307,7 @@ sysenter_fix_flags:
16989
16990 sysenter_tracesys:
16991 #ifdef CONFIG_AUDITSYSCALL
16992- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16993+ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
16994 jz sysenter_auditsys
16995 #endif
16996 SAVE_EXTRA_REGS
16997@@ -269,6 +327,9 @@ sysenter_tracesys:
16998 movl %eax, %eax /* zero extension */
16999
17000 RESTORE_EXTRA_REGS
17001+
17002+ pax_erase_kstack
17003+
17004 jmp sysenter_do_call
17005 ENDPROC(entry_SYSENTER_compat)
17006
17007@@ -311,7 +372,6 @@ ENTRY(entry_SYSCALL_compat)
17008 SWAPGS_UNSAFE_STACK
17009 movl %esp, %r8d
17010 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
17011- ENABLE_INTERRUPTS(CLBR_NONE)
17012
17013 /* Zero-extending 32-bit regs, do not remove */
17014 movl %eax, %eax
17015@@ -331,16 +391,41 @@ ENTRY(entry_SYSCALL_compat)
17016 pushq $-ENOSYS /* pt_regs->ax */
17017 sub $(10*8), %rsp /* pt_regs->r8-11, bp, bx, r12-15 not saved */
17018
17019+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
17020+ movq %r12, R12(%rsp)
17021+#endif
17022+
17023+ pax_enter_kernel_user
17024+
17025+#ifdef CONFIG_PAX_RANDKSTACK
17026+ pax_erase_kstack
17027+#endif
17028+
17029+ ENABLE_INTERRUPTS(CLBR_NONE)
17030+
17031 /*
17032 * No need to do an access_ok check here because r8 has been
17033 * 32-bit zero extended:
17034 */
17035+
17036+#ifdef CONFIG_PAX_MEMORY_UDEREF
17037+ ASM_PAX_OPEN_USERLAND
17038+ movq pax_user_shadow_base, %r8
17039+ addq RSP(%rsp), %r8
17040+#endif
17041+
17042 ASM_STAC
17043 1: movl (%r8), %r9d
17044 _ASM_EXTABLE(1b, ia32_badarg)
17045 ASM_CLAC
17046- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
17047- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
17048+
17049+#ifdef CONFIG_PAX_MEMORY_UDEREF
17050+ ASM_PAX_CLOSE_USERLAND
17051+#endif
17052+
17053+ GET_THREAD_INFO(%r11)
17054+ orl $TS_COMPAT,TI_status(%r11)
17055+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
17056 jnz cstar_tracesys
17057
17058 cstar_do_call:
17059@@ -358,13 +443,16 @@ cstar_dispatch:
17060 call *ia32_sys_call_table(, %rax, 8)
17061 movq %rax, RAX(%rsp)
17062 1:
17063+ GET_THREAD_INFO(%r11)
17064 DISABLE_INTERRUPTS(CLBR_NONE)
17065 TRACE_IRQS_OFF
17066- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
17067+ testl $_TIF_ALLWORK_MASK, TI_flags(%r11)
17068 jnz sysretl_audit
17069
17070 sysretl_from_sys_call:
17071- andl $~TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
17072+ pax_exit_kernel_user
17073+ pax_erase_kstack
17074+ andl $~TS_COMPAT, TI_status(%r11)
17075 RESTORE_RSI_RDI_RDX
17076 movl RIP(%rsp), %ecx
17077 movl EFLAGS(%rsp), %r11d
17078@@ -403,7 +491,7 @@ sysretl_audit:
17079
17080 cstar_tracesys:
17081 #ifdef CONFIG_AUDITSYSCALL
17082- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
17083+ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
17084 jz cstar_auditsys
17085 #endif
17086 xchgl %r9d, %ebp
17087@@ -426,11 +514,19 @@ cstar_tracesys:
17088
17089 RESTORE_EXTRA_REGS
17090 xchgl %ebp, %r9d
17091+
17092+ pax_erase_kstack
17093+
17094 jmp cstar_do_call
17095 END(entry_SYSCALL_compat)
17096
17097 ia32_badarg:
17098 ASM_CLAC
17099+
17100+#ifdef CONFIG_PAX_MEMORY_UDEREF
17101+ ASM_PAX_CLOSE_USERLAND
17102+#endif
17103+
17104 movq $-EFAULT, RAX(%rsp)
17105 ia32_ret_from_sys_call:
17106 xorl %eax, %eax /* Do not leak kernel information */
17107@@ -462,14 +558,8 @@ ia32_ret_from_sys_call:
17108 */
17109
17110 ENTRY(entry_INT80_compat)
17111- /*
17112- * Interrupts are off on entry.
17113- * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
17114- * it is too small to ever cause noticeable irq latency.
17115- */
17116 PARAVIRT_ADJUST_EXCEPTION_FRAME
17117 SWAPGS
17118- ENABLE_INTERRUPTS(CLBR_NONE)
17119
17120 /* Zero-extending 32-bit regs, do not remove */
17121 movl %eax, %eax
17122@@ -488,8 +578,26 @@ ENTRY(entry_INT80_compat)
17123 cld
17124 sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
17125
17126- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
17127- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
17128+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
17129+ movq %r12, R12(%rsp)
17130+#endif
17131+
17132+ pax_enter_kernel_user
17133+
17134+#ifdef CONFIG_PAX_RANDKSTACK
17135+ pax_erase_kstack
17136+#endif
17137+
17138+ /*
17139+ * Interrupts are off on entry.
17140+ * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
17141+ * it is too small to ever cause noticeable irq latency.
17142+ */
17143+ ENABLE_INTERRUPTS(CLBR_NONE)
17144+
17145+ GET_THREAD_INFO(%r11)
17146+ orl $TS_COMPAT, TI_status(%r11)
17147+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%r11)
17148 jnz ia32_tracesys
17149
17150 ia32_do_call:
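Review bot: The comment moved down to the new `ENABLE_INTERRUPTS(CLBR_NONE)` still calls this a "tiny irq-off block" that is "too small to ever cause noticeable irq latency", but the block now spans the whole pt_regs construction, `pax_enter_kernel_user` and, with `CONFIG_PAX_RANDKSTACK`, `pax_erase_kstack`, whose `scasq`/`stosq` loops can walk a large part of the kernel stack. The wording should be updated to match, for example `* Interrupts are off on entry and stay off until the PaX entry work above is done.`, and the latency claim dropped or re-justified. `entry_INT80_compat` starts before this hunk and continues after it.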
17151@@ -524,6 +632,9 @@ ia32_tracesys:
17152 movl RDI(%rsp), %edi
17153 movl %eax, %eax /* zero extension */
17154 RESTORE_EXTRA_REGS
17155+
17156+ pax_erase_kstack
17157+
17158 jmp ia32_do_call
17159 END(entry_INT80_compat)
17160
17161diff --git a/arch/x86/entry/thunk_64.S b/arch/x86/entry/thunk_64.S
17162index efb2b93..8a9cb8e 100644
17163--- a/arch/x86/entry/thunk_64.S
17164+++ b/arch/x86/entry/thunk_64.S
17165@@ -8,6 +8,7 @@
17166 #include <linux/linkage.h>
17167 #include "calling.h"
17168 #include <asm/asm.h>
17169+#include <asm/alternative-asm.h>
17170
17171 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
17172 .macro THUNK name, func, put_ret_addr_in_rdi=0
17173@@ -62,6 +63,7 @@ restore:
17174 popq %rdx
17175 popq %rsi
17176 popq %rdi
17177+ pax_force_retaddr
17178 ret
17179 _ASM_NOKPROBE(restore)
17180 #endif
17181diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
17182index e970320..c006fea 100644
17183--- a/arch/x86/entry/vdso/Makefile
17184+++ b/arch/x86/entry/vdso/Makefile
17185@@ -175,7 +175,7 @@ quiet_cmd_vdso = VDSO $@
17186 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
17187 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
17188
17189-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \
17190+VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \
17191 $(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
17192 GCOV_PROFILE := n
17193
17194diff --git a/arch/x86/entry/vdso/vdso2c.h b/arch/x86/entry/vdso/vdso2c.h
17195index 0224987..8deb742 100644
17196--- a/arch/x86/entry/vdso/vdso2c.h
17197+++ b/arch/x86/entry/vdso/vdso2c.h
17198@@ -12,7 +12,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
17199 unsigned long load_size = -1; /* Work around bogus warning */
17200 unsigned long mapping_size;
17201 ELF(Ehdr) *hdr = (ELF(Ehdr) *)raw_addr;
17202- int i;
17203+ unsigned int i;
17204 unsigned long j;
17205 ELF(Shdr) *symtab_hdr = NULL, *strtab_hdr, *secstrings_hdr,
17206 *alt_sec = NULL;
17207@@ -83,7 +83,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
17208 for (i = 0;
17209 i < GET_LE(&symtab_hdr->sh_size) / GET_LE(&symtab_hdr->sh_entsize);
17210 i++) {
17211- int k;
17212+ unsigned int k;
17213 ELF(Sym) *sym = raw_addr + GET_LE(&symtab_hdr->sh_offset) +
17214 GET_LE(&symtab_hdr->sh_entsize) * i;
17215 const char *name = raw_addr + GET_LE(&strtab_hdr->sh_offset) +
17216diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
17217index 1c9f750..cfddb1a 100644
17218--- a/arch/x86/entry/vdso/vma.c
17219+++ b/arch/x86/entry/vdso/vma.c
17220@@ -19,10 +19,7 @@
17221 #include <asm/page.h>
17222 #include <asm/hpet.h>
17223 #include <asm/desc.h>
17224-
17225-#if defined(CONFIG_X86_64)
17226-unsigned int __read_mostly vdso64_enabled = 1;
17227-#endif
17228+#include <asm/mman.h>
17229
17230 void __init init_vdso_image(const struct vdso_image *image)
17231 {
17232@@ -101,6 +98,11 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17233 .pages = no_pages,
17234 };
17235
17236+#ifdef CONFIG_PAX_RANDMMAP
17237+ if (mm->pax_flags & MF_PAX_RANDMMAP)
17238+ calculate_addr = false;
17239+#endif
17240+
17241 if (calculate_addr) {
17242 addr = vdso_addr(current->mm->start_stack,
17243 image->size - image->sym_vvar_start);
17244@@ -111,14 +113,14 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17245 down_write(&mm->mmap_sem);
17246
17247 addr = get_unmapped_area(NULL, addr,
17248- image->size - image->sym_vvar_start, 0, 0);
17249+ image->size - image->sym_vvar_start, 0, MAP_EXECUTABLE);
17250 if (IS_ERR_VALUE(addr)) {
17251 ret = addr;
17252 goto up_fail;
17253 }
17254
17255 text_start = addr - image->sym_vvar_start;
17256- current->mm->context.vdso = (void __user *)text_start;
17257+ mm->context.vdso = text_start;
17258
17259 /*
17260 * MAYWRITE to allow gdb to COW and set breakpoints
17261@@ -163,15 +165,12 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17262 hpet_address >> PAGE_SHIFT,
17263 PAGE_SIZE,
17264 pgprot_noncached(PAGE_READONLY));
17265-
17266- if (ret)
17267- goto up_fail;
17268 }
17269 #endif
17270
17271 up_fail:
17272 if (ret)
17273- current->mm->context.vdso = NULL;
17274+ current->mm->context.vdso = 0;
17275
17276 up_write(&mm->mmap_sem);
17277 return ret;
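Review bot: On the `up_fail` path the new line `current->mm->context.vdso = 0;` still goes through `current->mm`, while the success-side assignment in the previous hunk was changed to `mm->context.vdso = text_start;`. Presumably the local `mm` is `current->mm` (its declaration is outside the hunk), so for consistency this should read `mm->context.vdso = 0;`. `map_vdso` begins outside the hunk.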
17278@@ -191,8 +190,8 @@ static int load_vdso32(void)
17279
17280 if (selected_vdso32->sym_VDSO32_SYSENTER_RETURN)
17281 current_thread_info()->sysenter_return =
17282- current->mm->context.vdso +
17283- selected_vdso32->sym_VDSO32_SYSENTER_RETURN;
17284+ (void __force_user *)(current->mm->context.vdso +
17285+ selected_vdso32->sym_VDSO32_SYSENTER_RETURN);
17286
17287 return 0;
17288 }
17289@@ -201,9 +200,6 @@ static int load_vdso32(void)
17290 #ifdef CONFIG_X86_64
17291 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
17292 {
17293- if (!vdso64_enabled)
17294- return 0;
17295-
17296 return map_vdso(&vdso_image_64, true);
17297 }
17298
17299@@ -212,12 +208,8 @@ int compat_arch_setup_additional_pages(struct linux_binprm *bprm,
17300 int uses_interp)
17301 {
17302 #ifdef CONFIG_X86_X32_ABI
17303- if (test_thread_flag(TIF_X32)) {
17304- if (!vdso64_enabled)
17305- return 0;
17306-
17307+ if (test_thread_flag(TIF_X32))
17308 return map_vdso(&vdso_image_x32, true);
17309- }
17310 #endif
17311
17312 return load_vdso32();
17313@@ -231,15 +223,6 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
17314 #endif
17315
17316 #ifdef CONFIG_X86_64
17317-static __init int vdso_setup(char *s)
17318-{
17319- vdso64_enabled = simple_strtoul(s, NULL, 0);
17320- return 0;
17321-}
17322-__setup("vdso=", vdso_setup);
17323-#endif
17324-
17325-#ifdef CONFIG_X86_64
17326 static void vgetcpu_cpu_init(void *arg)
17327 {
17328 int cpu = smp_processor_id();
17329diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
17330index 2dcc6ff..082dc7a 100644
17331--- a/arch/x86/entry/vsyscall/vsyscall_64.c
17332+++ b/arch/x86/entry/vsyscall/vsyscall_64.c
17333@@ -38,15 +38,13 @@
17334 #define CREATE_TRACE_POINTS
17335 #include "vsyscall_trace.h"
17336
17337-static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
17338+static enum { EMULATE, NONE } vsyscall_mode = EMULATE;
17339
17340 static int __init vsyscall_setup(char *str)
17341 {
17342 if (str) {
17343 if (!strcmp("emulate", str))
17344 vsyscall_mode = EMULATE;
17345- else if (!strcmp("native", str))
17346- vsyscall_mode = NATIVE;
17347 else if (!strcmp("none", str))
17348 vsyscall_mode = NONE;
17349 else
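Review bot: With the `native` comparison removed from vsyscall_setup, a `vsyscall=native` boot argument now reaches the final `else`, whose body lies outside this hunk, so its effect cannot be confirmed from here. A short comment above the enum would record that the mode was dropped on purpose, for example `/* NATIVE intentionally unsupported: the vsyscall page is never mapped executable */`, which matches the later hunks in this file that make the gate VMA and the fixmap non-executable. Any boot-parameter documentation that still lists `native` should be updated in the same patch.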
17350@@ -264,8 +262,7 @@ do_ret:
17351 return true;
17352
17353 sigsegv:
17354- force_sig(SIGSEGV, current);
17355- return true;
17356+ do_group_exit(SIGKILL);
17357 }
17358
17359 /*
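Review bot: After `do_group_exit(SIGKILL);` at the `sigsegv:` label there is no `return`, where the old code ended with `return true;`. That is only well-formed if `do_group_exit` is declared noreturn, which cannot be checked from this hunk. The change also replaces a SIGSEGV that a handler could still catch with an unconditional kill of the whole thread group. A comment such as `/* bad vsyscall access: kill the thread group, never return to user space */` would make the intent explicit. The function body starts outside the hunk.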
17360@@ -283,8 +280,8 @@ static struct vm_operations_struct gate_vma_ops = {
17361 static struct vm_area_struct gate_vma = {
17362 .vm_start = VSYSCALL_ADDR,
17363 .vm_end = VSYSCALL_ADDR + PAGE_SIZE,
17364- .vm_page_prot = PAGE_READONLY_EXEC,
17365- .vm_flags = VM_READ | VM_EXEC,
17366+ .vm_page_prot = PAGE_READONLY,
17367+ .vm_flags = VM_READ,
17368 .vm_ops = &gate_vma_ops,
17369 };
17370
17371@@ -325,10 +322,7 @@ void __init map_vsyscall(void)
17372 unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
17373
17374 if (vsyscall_mode != NONE)
17375- __set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall,
17376- vsyscall_mode == NATIVE
17377- ? PAGE_KERNEL_VSYSCALL
17378- : PAGE_KERNEL_VVAR);
17379+ __set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall, PAGE_KERNEL_VVAR);
17380
17381 BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) !=
17382 (unsigned long)VSYSCALL_ADDR);
17383diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
17384index ae6aad1..719d6d9 100644
17385--- a/arch/x86/ia32/ia32_aout.c
17386+++ b/arch/x86/ia32/ia32_aout.c
17387@@ -153,6 +153,8 @@ static int aout_core_dump(struct coredump_params *cprm)
17388 unsigned long dump_start, dump_size;
17389 struct user32 dump;
17390
17391+ memset(&dump, 0, sizeof(dump));
17392+
17393 fs = get_fs();
17394 set_fs(KERNEL_DS);
17395 has_dumped = 1;
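Review bot: The added `memset(&dump, 0, sizeof(dump));` carries no comment, so its purpose is easy to lose in a later cleanup. If `dump` is later written out as part of the core file (the rest of aout_core_dump is outside this hunk), the memset keeps padding and unset fields from carrying stale kernel stack bytes. A comment such as `/* clear padding and unset fields before the struct is dumped */` above it would say so. A `= {0}` initializer would not be an equivalent replacement, since it need not clear padding.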
17396diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
17397index ae3a29a..cea65e9 100644
17398--- a/arch/x86/ia32/ia32_signal.c
17399+++ b/arch/x86/ia32/ia32_signal.c
17400@@ -216,7 +216,7 @@ asmlinkage long sys32_sigreturn(void)
17401 if (__get_user(set.sig[0], &frame->sc.oldmask)
17402 || (_COMPAT_NSIG_WORDS > 1
17403 && __copy_from_user((((char *) &set.sig) + 4),
17404- &frame->extramask,
17405+ frame->extramask,
17406 sizeof(frame->extramask))))
17407 goto badframe;
17408
17409@@ -336,7 +336,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
17410 sp -= frame_size;
17411 /* Align the stack pointer according to the i386 ABI,
17412 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
17413- sp = ((sp + 4) & -16ul) - 4;
17414+ sp = ((sp - 12) & -16ul) - 4;
17415 return (void __user *) sp;
17416 }
17417
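Review bot: The new expression `((sp - 12) & -16ul) - 4` always yields a value exactly 16 bytes below what `((sp + 4) & -16ul) - 4` produced, yet the comment above it states only the alignment rule, which both forms satisfy. The reason for the extra 16 bytes is not recorded in the hunk. A line such as `/* stay one further 16-byte slot below the old position: <reason> */` should be added so the offset is not simplified back later. get_sigframe starts outside this hunk.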
17418@@ -381,10 +381,10 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
17419 } else {
17420 /* Return stub is in 32bit vsyscall page */
17421 if (current->mm->context.vdso)
17422- restorer = current->mm->context.vdso +
17423- selected_vdso32->sym___kernel_sigreturn;
17424+ restorer = (void __force_user *)(current->mm->context.vdso +
17425+ selected_vdso32->sym___kernel_sigreturn);
17426 else
17427- restorer = &frame->retcode;
17428+ restorer = frame->retcode;
17429 }
17430
17431 put_user_try {
17432@@ -394,7 +394,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
17433 * These are actually not used anymore, but left because some
17434 * gdb versions depend on them as a marker.
17435 */
17436- put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
17437+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
17438 } put_user_catch(err);
17439
17440 if (err)
17441@@ -436,7 +436,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
17442 0xb8,
17443 __NR_ia32_rt_sigreturn,
17444 0x80cd,
17445- 0,
17446+ 0
17447 };
17448
17449 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
17450@@ -459,16 +459,19 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
17451
17452 if (ksig->ka.sa.sa_flags & SA_RESTORER)
17453 restorer = ksig->ka.sa.sa_restorer;
17454+ else if (current->mm->context.vdso)
17455+ /* Return stub is in 32bit vsyscall page */
17456+ restorer = (void __force_user *)(current->mm->context.vdso +
17457+ selected_vdso32->sym___kernel_rt_sigreturn);
17458 else
17459- restorer = current->mm->context.vdso +
17460- selected_vdso32->sym___kernel_rt_sigreturn;
17461+ restorer = frame->retcode;
17462 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
17463
17464 /*
17465 * Not actually used anymore, but left because some gdb
17466 * versions need it.
17467 */
17468- put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
17469+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
17470 } put_user_catch(err);
17471
17472 err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
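Review bot: With the new final `else restorer = frame->retcode;`, the stub that `put_user_ex(..., frame->retcode)` writes becomes the signal return path whenever SA_RESTORER is not set and no vDSO is mapped. The context comment "Not actually used anymore" a few lines below therefore no longer describes this function. It should read along the lines of `/* Fallback restorer when no vDSO is mapped; some gdb versions also use it as a marker. */`. The `else if` branch, which carries a comment plus a two-line statement, would also read better with braces. The enclosing put_user_try block starts outside the hunk.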
17473diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
17474index 719cd70..72af944 100644
17475--- a/arch/x86/ia32/sys_ia32.c
17476+++ b/arch/x86/ia32/sys_ia32.c
17477@@ -49,18 +49,26 @@
17478
17479 #define AA(__x) ((unsigned long)(__x))
17480
17481+static inline loff_t compose_loff(unsigned int high, unsigned int low)
17482+{
17483+ loff_t retval = low;
17484+
17485+ BUILD_BUG_ON(sizeof retval != sizeof low + sizeof high);
17486+ __builtin_memcpy((unsigned char *)&retval + sizeof low, &high, sizeof high);
17487+ return retval;
17488+}
17489
17490 asmlinkage long sys32_truncate64(const char __user *filename,
17491- unsigned long offset_low,
17492- unsigned long offset_high)
17493+ unsigned int offset_low,
17494+ unsigned int offset_high)
17495 {
17496- return sys_truncate(filename, ((loff_t) offset_high << 32) | offset_low);
17497+ return sys_truncate(filename, compose_loff(offset_high, offset_low));
17498 }
17499
17500-asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low,
17501- unsigned long offset_high)
17502+asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned int offset_low,
17503+ unsigned int offset_high)
17504 {
17505- return sys_ftruncate(fd, ((loff_t) offset_high << 32) | offset_low);
17506+ return sys_ftruncate(fd, ((unsigned long) offset_high << 32) | offset_low);
17507 }
17508
17509 /*
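Review bot: sys32_ftruncate64 still builds its argument by hand, `((unsigned long) offset_high << 32) | offset_low`, while sys32_truncate64 directly above it and the later wrappers in this file switch to the new compose_loff() helper. If the difference is deliberate (for instance because sys_ftruncate takes an unsigned length, which is not visible here), a one-line comment should say so. Otherwise `return sys_ftruncate(fd, compose_loff(offset_high, offset_low));` keeps the wrappers uniform. compose_loff() itself has no comment: it should state that `low` ends up in the low half and `high` in the high half of the loff_t by byte copy, which relies on little-endian layout, and why a shift-and-or is avoided.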
17510@@ -69,8 +77,8 @@ asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low,
17511 */
17512 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
17513 {
17514- typeof(ubuf->st_uid) uid = 0;
17515- typeof(ubuf->st_gid) gid = 0;
17516+ typeof(((struct stat64 *)0)->st_uid) uid = 0;
17517+ typeof(((struct stat64 *)0)->st_gid) gid = 0;
17518 SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid));
17519 SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid));
17520 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
17521@@ -196,29 +204,29 @@ long sys32_fadvise64_64(int fd, __u32 offset_low, __u32 offset_high,
17522 __u32 len_low, __u32 len_high, int advice)
17523 {
17524 return sys_fadvise64_64(fd,
17525- (((u64)offset_high)<<32) | offset_low,
17526- (((u64)len_high)<<32) | len_low,
17527+ compose_loff(offset_high, offset_low),
17528+ compose_loff(len_high, len_low),
17529 advice);
17530 }
17531
17532 asmlinkage ssize_t sys32_readahead(int fd, unsigned off_lo, unsigned off_hi,
17533 size_t count)
17534 {
17535- return sys_readahead(fd, ((u64)off_hi << 32) | off_lo, count);
17536+ return sys_readahead(fd, compose_loff(off_hi, off_lo), count);
17537 }
17538
17539 asmlinkage long sys32_sync_file_range(int fd, unsigned off_low, unsigned off_hi,
17540 unsigned n_low, unsigned n_hi, int flags)
17541 {
17542 return sys_sync_file_range(fd,
17543- ((u64)off_hi << 32) | off_low,
17544- ((u64)n_hi << 32) | n_low, flags);
17545+ compose_loff(off_hi, off_low),
17546+ compose_loff(n_hi, n_low), flags);
17547 }
17548
17549 asmlinkage long sys32_fadvise64(int fd, unsigned offset_lo, unsigned offset_hi,
17550- size_t len, int advice)
17551+ int len, int advice)
17552 {
17553- return sys_fadvise64_64(fd, ((u64)offset_hi << 32) | offset_lo,
17554+ return sys_fadvise64_64(fd, compose_loff(offset_hi, offset_lo),
17555 len, advice);
17556 }
17557
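Review bot: Changing `len` in sys32_fadvise64 from `size_t` to `int` means a 32-bit length with the top bit set is now handed to sys_fadvise64_64 as a negative value instead of a large positive one. If that is intended, it deserves a comment next to the parameter, e.g. `/* len is deliberately signed: <reason> */`. If it is not, `unsigned int len` narrows the type while keeping the old zero-extension. What sys_fadvise64_64 does with a negative length is outside this hunk.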
17558@@ -226,6 +234,6 @@ asmlinkage long sys32_fallocate(int fd, int mode, unsigned offset_lo,
17559 unsigned offset_hi, unsigned len_lo,
17560 unsigned len_hi)
17561 {
17562- return sys_fallocate(fd, mode, ((u64)offset_hi << 32) | offset_lo,
17563- ((u64)len_hi << 32) | len_lo);
17564+ return sys_fallocate(fd, mode, compose_loff(offset_hi, offset_lo),
17565+ compose_loff(len_hi, len_lo));
17566 }
17567diff --git a/arch/x86/include/asm/alternative-asm.h b/arch/x86/include/asm/alternative-asm.h
17568index e7636ba..e1fb78a 100644
17569--- a/arch/x86/include/asm/alternative-asm.h
17570+++ b/arch/x86/include/asm/alternative-asm.h
17571@@ -18,6 +18,45 @@
17572 .endm
17573 #endif
17574
17575+#ifdef KERNEXEC_PLUGIN
17576+ .macro pax_force_retaddr_bts rip=0
17577+ btsq $63,\rip(%rsp)
17578+ .endm
17579+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS
17580+ .macro pax_force_retaddr rip=0, reload=0
17581+ btsq $63,\rip(%rsp)
17582+ .endm
17583+ .macro pax_force_fptr ptr
17584+ btsq $63,\ptr
17585+ .endm
17586+ .macro pax_set_fptr_mask
17587+ .endm
17588+#endif
17589+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
17590+ .macro pax_force_retaddr rip=0, reload=0
17591+ .if \reload
17592+ pax_set_fptr_mask
17593+ .endif
17594+ orq %r12,\rip(%rsp)
17595+ .endm
17596+ .macro pax_force_fptr ptr
17597+ orq %r12,\ptr
17598+ .endm
17599+ .macro pax_set_fptr_mask
17600+ movabs $0x8000000000000000,%r12
17601+ .endm
17602+#endif
17603+#else
17604+ .macro pax_force_retaddr rip=0, reload=0
17605+ .endm
17606+ .macro pax_force_fptr ptr
17607+ .endm
17608+ .macro pax_force_retaddr_bts rip=0
17609+ .endm
17610+ .macro pax_set_fptr_mask
17611+ .endm
17612+#endif
17613+
17614 /*
17615 * Issue one struct alt_instr descriptor entry (need to put it into
17616 * the section .altinstructions, see below). This entry contains
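Review bot: When KERNEXEC_PLUGIN is defined but neither CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS nor CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is set, only pax_force_retaddr_bts is defined. Any use of pax_force_retaddr, pax_force_fptr or pax_set_fptr_mask would then fail to assemble with an unhelpful message. If the configuration guarantees one of the two methods (not visible here), a fallback branch containing `#error "KERNEXEC_PLUGIN requires METHOD_BTS or METHOD_OR"` would document that. The block also has no comment: it should say that both methods set bit 63 of the saved return address or function pointer. It should also say that the OR method expects %r12 to hold the mask loaded by pax_set_fptr_mask, with `reload` requesting that load first.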
17617@@ -50,7 +89,7 @@
17618 altinstruction_entry 140b,143f,\feature,142b-140b,144f-143f,142b-141b
17619 .popsection
17620
17621- .pushsection .altinstr_replacement,"ax"
17622+ .pushsection .altinstr_replacement,"a"
17623 143:
17624 \newinstr
17625 144:
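Review bot: Dropping the `x` flag from `.altinstr_replacement` here, in the second macro of this file and in both ALTERNATIVE strings in alternative.h, is not explained anywhere in these hunks. A one-line comment next to the first `.pushsection`, such as `/* replacement bytes are only copied into place, never run from this section */`, would record why the section no longer needs to be executable. That reason is inferred, not shown here, so the wording should be confirmed against the code that applies the alternatives.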
17626@@ -86,7 +125,7 @@
17627 altinstruction_entry 140b,144f,\feature2,142b-140b,145f-144f,142b-141b
17628 .popsection
17629
17630- .pushsection .altinstr_replacement,"ax"
17631+ .pushsection .altinstr_replacement,"a"
17632 143:
17633 \newinstr1
17634 144:
17635diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h
17636index 7bfc85b..65d1ec4 100644
17637--- a/arch/x86/include/asm/alternative.h
17638+++ b/arch/x86/include/asm/alternative.h
17639@@ -136,7 +136,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
17640 ".pushsection .altinstructions,\"a\"\n" \
17641 ALTINSTR_ENTRY(feature, 1) \
17642 ".popsection\n" \
17643- ".pushsection .altinstr_replacement, \"ax\"\n" \
17644+ ".pushsection .altinstr_replacement, \"a\"\n" \
17645 ALTINSTR_REPLACEMENT(newinstr, feature, 1) \
17646 ".popsection"
17647
17648@@ -146,7 +146,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
17649 ALTINSTR_ENTRY(feature1, 1) \
17650 ALTINSTR_ENTRY(feature2, 2) \
17651 ".popsection\n" \
17652- ".pushsection .altinstr_replacement, \"ax\"\n" \
17653+ ".pushsection .altinstr_replacement, \"a\"\n" \
17654 ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \
17655 ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \
17656 ".popsection"
17657diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
17658index c839363..b9a8c43 100644
17659--- a/arch/x86/include/asm/apic.h
17660+++ b/arch/x86/include/asm/apic.h
17661@@ -45,7 +45,7 @@ static inline void generic_apic_probe(void)
17662
17663 #ifdef CONFIG_X86_LOCAL_APIC
17664
17665-extern unsigned int apic_verbosity;
17666+extern int apic_verbosity;
17667 extern int local_apic_timer_c2_ok;
17668
17669 extern int disable_apic;
17670diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h
17671index 20370c6..a2eb9b0 100644
17672--- a/arch/x86/include/asm/apm.h
17673+++ b/arch/x86/include/asm/apm.h
17674@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
17675 __asm__ __volatile__(APM_DO_ZERO_SEGS
17676 "pushl %%edi\n\t"
17677 "pushl %%ebp\n\t"
17678- "lcall *%%cs:apm_bios_entry\n\t"
17679+ "lcall *%%ss:apm_bios_entry\n\t"
17680 "setc %%al\n\t"
17681 "popl %%ebp\n\t"
17682 "popl %%edi\n\t"
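Review bot: The segment override on the far call changes from `%%cs:` to `%%ss:` here and again in apm_bios_call_simple_asm in the next hunk, with no comment on why `apm_bios_entry` must now be read through SS. Presumably the kernel code segment can no longer be used to read data under this patch set, but the hunks do not show that. A comment like `/* read apm_bios_entry via %ss: <reason> */` above the asm would keep a later reader from reverting it. The asm statement continues outside the hunk.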
17683@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
17684 __asm__ __volatile__(APM_DO_ZERO_SEGS
17685 "pushl %%edi\n\t"
17686 "pushl %%ebp\n\t"
17687- "lcall *%%cs:apm_bios_entry\n\t"
17688+ "lcall *%%ss:apm_bios_entry\n\t"
17689 "setc %%bl\n\t"
17690 "popl %%ebp\n\t"
17691 "popl %%edi\n\t"
17692diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
17693index e916895..42d729d 100644
17694--- a/arch/x86/include/asm/atomic.h
17695+++ b/arch/x86/include/asm/atomic.h
17696@@ -28,6 +28,17 @@ static __always_inline int atomic_read(const atomic_t *v)
17697 }
17698
17699 /**
17700+ * atomic_read_unchecked - read atomic variable
17701+ * @v: pointer of type atomic_unchecked_t
17702+ *
17703+ * Atomically reads the value of @v.
17704+ */
17705+static __always_inline int __intentional_overflow(-1) atomic_read_unchecked(const atomic_unchecked_t *v)
17706+{
17707+ return ACCESS_ONCE((v)->counter);
17708+}
17709+
17710+/**
17711 * atomic_set - set atomic variable
17712 * @v: pointer of type atomic_t
17713 * @i: required value
17714@@ -40,6 +51,18 @@ static __always_inline void atomic_set(atomic_t *v, int i)
17715 }
17716
17717 /**
17718+ * atomic_set_unchecked - set atomic variable
17719+ * @v: pointer of type atomic_unchecked_t
17720+ * @i: required value
17721+ *
17722+ * Atomically sets the value of @v to @i.
17723+ */
17724+static __always_inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
17725+{
17726+ v->counter = i;
17727+}
17728+
17729+/**
17730 * atomic_add - add integer to atomic variable
17731 * @i: integer value to add
17732 * @v: pointer of type atomic_t
17733@@ -48,7 +71,29 @@ static __always_inline void atomic_set(atomic_t *v, int i)
17734 */
17735 static __always_inline void atomic_add(int i, atomic_t *v)
17736 {
17737- asm volatile(LOCK_PREFIX "addl %1,%0"
17738+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
17739+
17740+#ifdef CONFIG_PAX_REFCOUNT
17741+ "jno 0f\n"
17742+ LOCK_PREFIX "subl %1,%0\n"
17743+ "int $4\n0:\n"
17744+ _ASM_EXTABLE(0b, 0b)
17745+#endif
17746+
17747+ : "+m" (v->counter)
17748+ : "ir" (i));
17749+}
17750+
17751+/**
17752+ * atomic_add_unchecked - add integer to atomic variable
17753+ * @i: integer value to add
17754+ * @v: pointer of type atomic_unchecked_t
17755+ *
17756+ * Atomically adds @i to @v.
17757+ */
17758+static __always_inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
17759+{
17760+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
17761 : "+m" (v->counter)
17762 : "ir" (i));
17763 }
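Review bot: atomic_add() now behaves differently under CONFIG_PAX_REFCOUNT: it tests the overflow flag, undoes the add with a second locked `subl` and raises `int $4`. Nothing in the hunk documents this. Its kernel-doc comment, which closes on the first context line, should gain a sentence such as `With CONFIG_PAX_REFCOUNT a signed overflow is reverted and reported through the overflow trap.` It is also worth stating that the add and its revert are two separate locked operations, so another CPU can briefly observe the wrapped value in between. The same applies to atomic_sub(), atomic_inc() and atomic_dec() in the following hunks.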
17764@@ -62,7 +107,29 @@ static __always_inline void atomic_add(int i, atomic_t *v)
17765 */
17766 static __always_inline void atomic_sub(int i, atomic_t *v)
17767 {
17768- asm volatile(LOCK_PREFIX "subl %1,%0"
17769+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
17770+
17771+#ifdef CONFIG_PAX_REFCOUNT
17772+ "jno 0f\n"
17773+ LOCK_PREFIX "addl %1,%0\n"
17774+ "int $4\n0:\n"
17775+ _ASM_EXTABLE(0b, 0b)
17776+#endif
17777+
17778+ : "+m" (v->counter)
17779+ : "ir" (i));
17780+}
17781+
17782+/**
17783+ * atomic_sub_unchecked - subtract integer from atomic variable
17784+ * @i: integer value to subtract
17785+ * @v: pointer of type atomic_unchecked_t
17786+ *
17787+ * Atomically subtracts @i from @v.
17788+ */
17789+static __always_inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
17790+{
17791+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
17792 : "+m" (v->counter)
17793 : "ir" (i));
17794 }
17795@@ -78,7 +145,7 @@ static __always_inline void atomic_sub(int i, atomic_t *v)
17796 */
17797 static __always_inline int atomic_sub_and_test(int i, atomic_t *v)
17798 {
17799- GEN_BINARY_RMWcc(LOCK_PREFIX "subl", v->counter, "er", i, "%0", "e");
17800+ GEN_BINARY_RMWcc(LOCK_PREFIX "subl", LOCK_PREFIX "addl", v->counter, "er", i, "%0", "e");
17801 }
17802
17803 /**
17804@@ -89,7 +156,27 @@ static __always_inline int atomic_sub_and_test(int i, atomic_t *v)
17805 */
17806 static __always_inline void atomic_inc(atomic_t *v)
17807 {
17808- asm volatile(LOCK_PREFIX "incl %0"
17809+ asm volatile(LOCK_PREFIX "incl %0\n"
17810+
17811+#ifdef CONFIG_PAX_REFCOUNT
17812+ "jno 0f\n"
17813+ LOCK_PREFIX "decl %0\n"
17814+ "int $4\n0:\n"
17815+ _ASM_EXTABLE(0b, 0b)
17816+#endif
17817+
17818+ : "+m" (v->counter));
17819+}
17820+
17821+/**
17822+ * atomic_inc_unchecked - increment atomic variable
17823+ * @v: pointer of type atomic_unchecked_t
17824+ *
17825+ * Atomically increments @v by 1.
17826+ */
17827+static __always_inline void atomic_inc_unchecked(atomic_unchecked_t *v)
17828+{
17829+ asm volatile(LOCK_PREFIX "incl %0\n"
17830 : "+m" (v->counter));
17831 }
17832
17833@@ -101,7 +188,27 @@ static __always_inline void atomic_inc(atomic_t *v)
17834 */
17835 static __always_inline void atomic_dec(atomic_t *v)
17836 {
17837- asm volatile(LOCK_PREFIX "decl %0"
17838+ asm volatile(LOCK_PREFIX "decl %0\n"
17839+
17840+#ifdef CONFIG_PAX_REFCOUNT
17841+ "jno 0f\n"
17842+ LOCK_PREFIX "incl %0\n"
17843+ "int $4\n0:\n"
17844+ _ASM_EXTABLE(0b, 0b)
17845+#endif
17846+
17847+ : "+m" (v->counter));
17848+}
17849+
17850+/**
17851+ * atomic_dec_unchecked - decrement atomic variable
17852+ * @v: pointer of type atomic_unchecked_t
17853+ *
17854+ * Atomically decrements @v by 1.
17855+ */
17856+static __always_inline void atomic_dec_unchecked(atomic_unchecked_t *v)
17857+{
17858+ asm volatile(LOCK_PREFIX "decl %0\n"
17859 : "+m" (v->counter));
17860 }
17861
17862@@ -115,7 +222,7 @@ static __always_inline void atomic_dec(atomic_t *v)
17863 */
17864 static __always_inline int atomic_dec_and_test(atomic_t *v)
17865 {
17866- GEN_UNARY_RMWcc(LOCK_PREFIX "decl", v->counter, "%0", "e");
17867+ GEN_UNARY_RMWcc(LOCK_PREFIX "decl", LOCK_PREFIX "incl", v->counter, "%0", "e");
17868 }
17869
17870 /**
17871@@ -128,7 +235,20 @@ static __always_inline int atomic_dec_and_test(atomic_t *v)
17872 */
17873 static __always_inline int atomic_inc_and_test(atomic_t *v)
17874 {
17875- GEN_UNARY_RMWcc(LOCK_PREFIX "incl", v->counter, "%0", "e");
17876+ GEN_UNARY_RMWcc(LOCK_PREFIX "incl", LOCK_PREFIX "decl", v->counter, "%0", "e");
17877+}
17878+
17879+/**
17880+ * atomic_inc_and_test_unchecked - increment and test
17881+ * @v: pointer of type atomic_unchecked_t
17882+ *
17883+ * Atomically increments @v by 1
17884+ * and returns true if the result is zero, or false for all
17885+ * other cases.
17886+ */
17887+static __always_inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
17888+{
17889+ GEN_UNARY_RMWcc_unchecked(LOCK_PREFIX "incl", v->counter, "%0", "e");
17890 }
17891
17892 /**
17893@@ -142,7 +262,7 @@ static __always_inline int atomic_inc_and_test(atomic_t *v)
17894 */
17895 static __always_inline int atomic_add_negative(int i, atomic_t *v)
17896 {
17897- GEN_BINARY_RMWcc(LOCK_PREFIX "addl", v->counter, "er", i, "%0", "s");
17898+ GEN_BINARY_RMWcc(LOCK_PREFIX "addl", LOCK_PREFIX "subl", v->counter, "er", i, "%0", "s");
17899 }
17900
17901 /**
17902@@ -152,7 +272,19 @@ static __always_inline int atomic_add_negative(int i, atomic_t *v)
17903 *
17904 * Atomically adds @i to @v and returns @i + @v
17905 */
17906-static __always_inline int atomic_add_return(int i, atomic_t *v)
17907+static __always_inline int __intentional_overflow(-1) atomic_add_return(int i, atomic_t *v)
17908+{
17909+ return i + xadd_check_overflow(&v->counter, i);
17910+}
17911+
17912+/**
17913+ * atomic_add_return_unchecked - add integer and return
17914+ * @i: integer value to add
17915+ * @v: pointer of type atomi_uncheckedc_t
17916+ *
17917+ * Atomically adds @i to @v and returns @i + @v
17918+ */
17919+static __always_inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
17920 {
17921 return i + xadd(&v->counter, i);
17922 }
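Review bot: The new kernel-doc for atomic_add_return_unchecked() misspells the type in its `@v` line as `atomi_uncheckedc_t`; it should read `@v: pointer of type atomic_unchecked_t`, as the other `_unchecked` helpers in this file do. The checked atomic_add_return() above it now goes through xadd_check_overflow(), whose definition is outside this hunk. Its kernel-doc still says only "Atomically adds @i to @v and returns @i + @v" and should mention the overflow check.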
17923@@ -164,15 +296,24 @@ static __always_inline int atomic_add_return(int i, atomic_t *v)
17924 *
17925 * Atomically subtracts @i from @v and returns @v - @i
17926 */
17927-static __always_inline int atomic_sub_return(int i, atomic_t *v)
17928+static __always_inline int __intentional_overflow(-1) atomic_sub_return(int i, atomic_t *v)
17929 {
17930 return atomic_add_return(-i, v);
17931 }
17932
17933 #define atomic_inc_return(v) (atomic_add_return(1, v))
17934+static __always_inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
17935+{
17936+ return atomic_add_return_unchecked(1, v);
17937+}
17938 #define atomic_dec_return(v) (atomic_sub_return(1, v))
17939
17940-static __always_inline int atomic_cmpxchg(atomic_t *v, int old, int new)
17941+static __always_inline int __intentional_overflow(-1) atomic_cmpxchg(atomic_t *v, int old, int new)
17942+{
17943+ return cmpxchg(&v->counter, old, new);
17944+}
17945+
17946+static __always_inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
17947 {
17948 return cmpxchg(&v->counter, old, new);
17949 }
17950@@ -182,6 +323,11 @@ static inline int atomic_xchg(atomic_t *v, int new)
17951 return xchg(&v->counter, new);
17952 }
17953
17954+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
17955+{
17956+ return xchg(&v->counter, new);
17957+}
17958+
17959 /**
17960 * __atomic_add_unless - add unless the number is already a given value
17961 * @v: pointer of type atomic_t
17962@@ -193,12 +339,25 @@ static inline int atomic_xchg(atomic_t *v, int new)
17963 */
17964 static __always_inline int __atomic_add_unless(atomic_t *v, int a, int u)
17965 {
17966- int c, old;
17967+ int c, old, new;
17968 c = atomic_read(v);
17969 for (;;) {
17970- if (unlikely(c == (u)))
17971+ if (unlikely(c == u))
17972 break;
17973- old = atomic_cmpxchg((v), c, c + (a));
17974+
17975+ asm volatile("addl %2,%0\n"
17976+
17977+#ifdef CONFIG_PAX_REFCOUNT
17978+ "jno 0f\n"
17979+ "subl %2,%0\n"
17980+ "int $4\n0:\n"
17981+ _ASM_EXTABLE(0b, 0b)
17982+#endif
17983+
17984+ : "=r" (new)
17985+ : "0" (c), "ir" (a));
17986+
17987+ old = atomic_cmpxchg(v, c, new);
17988 if (likely(old == c))
17989 break;
17990 c = old;
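Review bot: The inline asm that replaces `c + (a)` has no comment, and its overflow path is subtle. When the `addl` overflows under CONFIG_PAX_REFCOUNT, `subl %2,%0` restores `new` to `c` before `int $4`, so if execution continues the following `atomic_cmpxchg(v, c, new)` stores the unchanged value and the loop exits as though the add had happened. Whether execution can continue depends on the trap handler, which is not part of this hunk. A comment should state this, e.g. `/* on overflow new == c: the counter is left untouched and the trap reports it */`. atomic_inc_not_zero_hint() in the next hunk uses the same pattern, and this function's return statement lies outside the hunk.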
17991@@ -207,6 +366,49 @@ static __always_inline int __atomic_add_unless(atomic_t *v, int a, int u)
17992 }
17993
17994 /**
17995+ * atomic_inc_not_zero_hint - increment if not null
17996+ * @v: pointer of type atomic_t
17997+ * @hint: probable value of the atomic before the increment
17998+ *
17999+ * This version of atomic_inc_not_zero() gives a hint of probable
18000+ * value of the atomic. This helps processor to not read the memory
18001+ * before doing the atomic read/modify/write cycle, lowering
18002+ * number of bus transactions on some arches.
18003+ *
18004+ * Returns: 0 if increment was not done, 1 otherwise.
18005+ */
18006+#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
18007+static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
18008+{
18009+ int val, c = hint, new;
18010+
18011+ /* sanity test, should be removed by compiler if hint is a constant */
18012+ if (!hint)
18013+ return __atomic_add_unless(v, 1, 0);
18014+
18015+ do {
18016+ asm volatile("incl %0\n"
18017+
18018+#ifdef CONFIG_PAX_REFCOUNT
18019+ "jno 0f\n"
18020+ "decl %0\n"
18021+ "int $4\n0:\n"
18022+ _ASM_EXTABLE(0b, 0b)
18023+#endif
18024+
18025+ : "=r" (new)
18026+ : "0" (c));
18027+
18028+ val = atomic_cmpxchg(v, c, new);
18029+ if (val == c)
18030+ return 1;
18031+ c = val;
18032+ } while (c);
18033+
18034+ return 0;
18035+}
18036+
18037+/**
18038 * atomic_inc_short - increment of a short integer
18039 * @v: pointer to type int
18040 *
18041@@ -220,14 +422,37 @@ static __always_inline short int atomic_inc_short(short int *v)
18042 }
18043
18044 /* These are x86-specific, used by some header files */
18045-#define atomic_clear_mask(mask, addr) \
18046- asm volatile(LOCK_PREFIX "andl %0,%1" \
18047- : : "r" (~(mask)), "m" (*(addr)) : "memory")
18048+static inline void atomic_clear_mask(unsigned int mask, atomic_t *v)
18049+{
18050+ asm volatile(LOCK_PREFIX "andl %1,%0"
18051+ : "+m" (v->counter)
18052+ : "r" (~(mask))
18053+ : "memory");
18054+}
18055
18056-#define atomic_set_mask(mask, addr) \
18057- asm volatile(LOCK_PREFIX "orl %0,%1" \
18058- : : "r" ((unsigned)(mask)), "m" (*(addr)) \
18059- : "memory")
18060+static inline void atomic_clear_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
18061+{
18062+ asm volatile(LOCK_PREFIX "andl %1,%0"
18063+ : "+m" (v->counter)
18064+ : "r" (~(mask))
18065+ : "memory");
18066+}
18067+
18068+static inline void atomic_set_mask(unsigned int mask, atomic_t *v)
18069+{
18070+ asm volatile(LOCK_PREFIX "orl %1,%0"
18071+ : "+m" (v->counter)
18072+ : "r" (mask)
18073+ : "memory");
18074+}
18075+
18076+static inline void atomic_set_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
18077+{
18078+ asm volatile(LOCK_PREFIX "orl %1,%0"
18079+ : "+m" (v->counter)
18080+ : "r" (mask)
18081+ : "memory");
18082+}
18083
18084 #ifdef CONFIG_X86_32
18085 # include <asm/atomic64_32.h>
18086diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h
18087index b154de7..3dc335d 100644
18088--- a/arch/x86/include/asm/atomic64_32.h
18089+++ b/arch/x86/include/asm/atomic64_32.h
18090@@ -12,6 +12,14 @@ typedef struct {
18091 u64 __aligned(8) counter;
18092 } atomic64_t;
18093
18094+#ifdef CONFIG_PAX_REFCOUNT
18095+typedef struct {
18096+ u64 __aligned(8) counter;
18097+} atomic64_unchecked_t;
18098+#else
18099+typedef atomic64_t atomic64_unchecked_t;
18100+#endif
18101+
18102 #define ATOMIC64_INIT(val) { (val) }
18103
18104 #define __ATOMIC64_DECL(sym) void atomic64_##sym(atomic64_t *, ...)
18105@@ -37,21 +45,31 @@ typedef struct {
18106 ATOMIC64_DECL_ONE(sym##_386)
18107
18108 ATOMIC64_DECL_ONE(add_386);
18109+ATOMIC64_DECL_ONE(add_unchecked_386);
18110 ATOMIC64_DECL_ONE(sub_386);
18111+ATOMIC64_DECL_ONE(sub_unchecked_386);
18112 ATOMIC64_DECL_ONE(inc_386);
18113+ATOMIC64_DECL_ONE(inc_unchecked_386);
18114 ATOMIC64_DECL_ONE(dec_386);
18115+ATOMIC64_DECL_ONE(dec_unchecked_386);
18116 #endif
18117
18118 #define alternative_atomic64(f, out, in...) \
18119 __alternative_atomic64(f, f, ASM_OUTPUT2(out), ## in)
18120
18121 ATOMIC64_DECL(read);
18122+ATOMIC64_DECL(read_unchecked);
18123 ATOMIC64_DECL(set);
18124+ATOMIC64_DECL(set_unchecked);
18125 ATOMIC64_DECL(xchg);
18126 ATOMIC64_DECL(add_return);
18127+ATOMIC64_DECL(add_return_unchecked);
18128 ATOMIC64_DECL(sub_return);
18129+ATOMIC64_DECL(sub_return_unchecked);
18130 ATOMIC64_DECL(inc_return);
18131+ATOMIC64_DECL(inc_return_unchecked);
18132 ATOMIC64_DECL(dec_return);
18133+ATOMIC64_DECL(dec_return_unchecked);
18134 ATOMIC64_DECL(dec_if_positive);
18135 ATOMIC64_DECL(inc_not_zero);
18136 ATOMIC64_DECL(add_unless);
18137@@ -77,6 +95,21 @@ static inline long long atomic64_cmpxchg(atomic64_t *v, long long o, long long n
18138 }
18139
18140 /**
18141+ * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
18142+ * @p: pointer to type atomic64_unchecked_t
18143+ * @o: expected value
18144+ * @n: new value
18145+ *
18146+ * Atomically sets @v to @n if it was equal to @o and returns
18147+ * the old value.
18148+ */
18149+
18150+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
18151+{
18152+ return cmpxchg64(&v->counter, o, n);
18153+}
18154+
18155+/**
18156 * atomic64_xchg - xchg atomic64 variable
18157 * @v: pointer to type atomic64_t
18158 * @n: value to assign
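Review bot: The kernel-doc for atomic64_cmpxchg_unchecked() documents `@p` and then says "Atomically sets @v", while the parameter is named `v`. The first tag should be `@v: pointer to type atomic64_unchecked_t`. The blank line between the closing `*/` and the function also detaches the comment from the definition and should be removed.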
18159@@ -112,6 +145,22 @@ static inline void atomic64_set(atomic64_t *v, long long i)
18160 }
18161
18162 /**
18163+ * atomic64_set_unchecked - set atomic64 variable
18164+ * @v: pointer to type atomic64_unchecked_t
18165+ * @n: value to assign
18166+ *
18167+ * Atomically sets the value of @v to @n.
18168+ */
18169+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
18170+{
18171+ unsigned high = (unsigned)(i >> 32);
18172+ unsigned low = (unsigned)i;
18173+ alternative_atomic64(set, /* no output */,
18174+ "S" (v), "b" (low), "c" (high)
18175+ : "eax", "edx", "memory");
18176+}
18177+
18178+/**
18179 * atomic64_read - read atomic64 variable
18180 * @v: pointer to type atomic64_t
18181 *
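Review bot: atomic64_set_unchecked() invokes `alternative_atomic64(set, ...)` rather than a `set_unchecked` routine, although `ATOMIC64_DECL(set_unchecked)` is added earlier in this patch. atomic64_read_unchecked() in the next hunk does the same with `read`. If sharing the checked routine is intended because set and read have no overflow check to skip, a comment should say so and the extra declarations look redundant. Otherwise the calls should name the `_unchecked` routines. The kernel-doc also documents `@n` while the parameter is `i`; it should read `@i: value to assign`.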
18182@@ -125,6 +174,19 @@ static inline long long atomic64_read(const atomic64_t *v)
18183 }
18184
18185 /**
18186+ * atomic64_read_unchecked - read atomic64 variable
18187+ * @v: pointer to type atomic64_unchecked_t
18188+ *
18189+ * Atomically reads the value of @v and returns it.
18190+ */
18191+static inline long long __intentional_overflow(-1) atomic64_read_unchecked(const atomic64_unchecked_t *v)
18192+{
18193+ long long r;
18194+ alternative_atomic64(read, "=&A" (r), "c" (v) : "memory");
18195+ return r;
18196+ }
18197+
18198+/**
18199 * atomic64_add_return - add and return
18200 * @i: integer value to add
18201 * @v: pointer to type atomic64_t
18202@@ -139,6 +201,21 @@ static inline long long atomic64_add_return(long long i, atomic64_t *v)
18203 return i;
18204 }
18205
18206+/**
18207+ * atomic64_add_return_unchecked - add and return
18208+ * @i: integer value to add
18209+ * @v: pointer to type atomic64_unchecked_t
18210+ *
18211+ * Atomically adds @i to @v and returns @i + *@v
18212+ */
18213+static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
18214+{
18215+ alternative_atomic64(add_return_unchecked,
18216+ ASM_OUTPUT2("+A" (i), "+c" (v)),
18217+ ASM_NO_INPUT_CLOBBER("memory"));
18218+ return i;
18219+}
18220+
18221 /*
18222 * Other variants with different arithmetic operators:
18223 */
18224@@ -158,6 +235,14 @@ static inline long long atomic64_inc_return(atomic64_t *v)
18225 return a;
18226 }
18227
18228+static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
18229+{
18230+ long long a;
18231+ alternative_atomic64(inc_return_unchecked, "=&A" (a),
18232+ "S" (v) : "memory", "ecx");
18233+ return a;
18234+}
18235+
18236 static inline long long atomic64_dec_return(atomic64_t *v)
18237 {
18238 long long a;
18239@@ -182,6 +267,21 @@ static inline long long atomic64_add(long long i, atomic64_t *v)
18240 }
18241
18242 /**
18243+ * atomic64_add_unchecked - add integer to atomic64 variable
18244+ * @i: integer value to add
18245+ * @v: pointer to type atomic64_unchecked_t
18246+ *
18247+ * Atomically adds @i to @v.
18248+ */
18249+static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
18250+{
18251+ __alternative_atomic64(add_unchecked, add_return_unchecked,
18252+ ASM_OUTPUT2("+A" (i), "+c" (v)),
18253+ ASM_NO_INPUT_CLOBBER("memory"));
18254+ return i;
18255+}
18256+
18257+/**
18258 * atomic64_sub - subtract the atomic64 variable
18259 * @i: integer value to subtract
18260 * @v: pointer to type atomic64_t
18261diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h
18262index b965f9e..8e22dd3 100644
18263--- a/arch/x86/include/asm/atomic64_64.h
18264+++ b/arch/x86/include/asm/atomic64_64.h
18265@@ -22,6 +22,18 @@ static inline long atomic64_read(const atomic64_t *v)
18266 }
18267
18268 /**
18269+ * atomic64_read_unchecked - read atomic64 variable
18270+ * @v: pointer of type atomic64_unchecked_t
18271+ *
18272+ * Atomically reads the value of @v.
18273+ * Doesn't imply a read memory barrier.
18274+ */
18275+static inline long __intentional_overflow(-1) atomic64_read_unchecked(const atomic64_unchecked_t *v)
18276+{
18277+ return ACCESS_ONCE((v)->counter);
18278+}
18279+
18280+/**
18281 * atomic64_set - set atomic64 variable
18282 * @v: pointer to type atomic64_t
18283 * @i: required value
18284@@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64_t *v, long i)
18285 }
18286
18287 /**
18288+ * atomic64_set_unchecked - set atomic64 variable
18289+ * @v: pointer to type atomic64_unchecked_t
18290+ * @i: required value
18291+ *
18292+ * Atomically sets the value of @v to @i.
18293+ */
18294+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
18295+{
18296+ v->counter = i;
18297+}
18298+
18299+/**
18300 * atomic64_add - add integer to atomic64 variable
18301 * @i: integer value to add
18302 * @v: pointer to type atomic64_t
18303@@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64_t *v, long i)
18304 */
18305 static __always_inline void atomic64_add(long i, atomic64_t *v)
18306 {
18307+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
18308+
18309+#ifdef CONFIG_PAX_REFCOUNT
18310+ "jno 0f\n"
18311+ LOCK_PREFIX "subq %1,%0\n"
18312+ "int $4\n0:\n"
18313+ _ASM_EXTABLE(0b, 0b)
18314+#endif
18315+
18316+ : "=m" (v->counter)
18317+ : "er" (i), "m" (v->counter));
18318+}
18319+
18320+/**
18321+ * atomic64_add_unchecked - add integer to atomic64 variable
18322+ * @i: integer value to add
18323+ * @v: pointer to type atomic64_unchecked_t
18324+ *
18325+ * Atomically adds @i to @v.
18326+ */
18327+static __always_inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
18328+{
18329 asm volatile(LOCK_PREFIX "addq %1,%0"
18330 : "=m" (v->counter)
18331 : "er" (i), "m" (v->counter));
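Review bot: The CONFIG_PAX_REFCOUNT sequence added to atomic64_add() has no comment, and its behaviour is not obvious from the asm. The locked `addq` has already committed the overflowed value when `jno` is evaluated, so other CPUs can observe the wrapped counter until the locked `subq` undoes it. I would put a comment above the `#ifdef`, e.g. `/* on signed overflow: undo the add, then raise #OF with int $4; the counter is briefly wrapped in between */`, and also say why `_ASM_EXTABLE(0b, 0b)` uses the label as its own fixup (presumably so the overflow handler can recognise the site and resume there). The same sequence is copied into atomic64_sub(), atomic64_inc() and atomic64_dec() in the following hunks; a shared macro would keep the copies from drifting apart.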
18332@@ -56,7 +102,29 @@ static __always_inline void atomic64_add(long i, atomic64_t *v)
18333 */
18334 static inline void atomic64_sub(long i, atomic64_t *v)
18335 {
18336- asm volatile(LOCK_PREFIX "subq %1,%0"
18337+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
18338+
18339+#ifdef CONFIG_PAX_REFCOUNT
18340+ "jno 0f\n"
18341+ LOCK_PREFIX "addq %1,%0\n"
18342+ "int $4\n0:\n"
18343+ _ASM_EXTABLE(0b, 0b)
18344+#endif
18345+
18346+ : "=m" (v->counter)
18347+ : "er" (i), "m" (v->counter));
18348+}
18349+
18350+/**
18351+ * atomic64_sub_unchecked - subtract the atomic64 variable
18352+ * @i: integer value to subtract
18353+ * @v: pointer to type atomic64_unchecked_t
18354+ *
18355+ * Atomically subtracts @i from @v.
18356+ */
18357+static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
18358+{
18359+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
18360 : "=m" (v->counter)
18361 : "er" (i), "m" (v->counter));
18362 }
18363@@ -72,7 +140,7 @@ static inline void atomic64_sub(long i, atomic64_t *v)
18364 */
18365 static inline int atomic64_sub_and_test(long i, atomic64_t *v)
18366 {
18367- GEN_BINARY_RMWcc(LOCK_PREFIX "subq", v->counter, "er", i, "%0", "e");
18368+ GEN_BINARY_RMWcc(LOCK_PREFIX "subq", LOCK_PREFIX "addq", v->counter, "er", i, "%0", "e");
18369 }
18370
18371 /**
18372@@ -83,6 +151,27 @@ static inline int atomic64_sub_and_test(long i, atomic64_t *v)
18373 */
18374 static __always_inline void atomic64_inc(atomic64_t *v)
18375 {
18376+ asm volatile(LOCK_PREFIX "incq %0\n"
18377+
18378+#ifdef CONFIG_PAX_REFCOUNT
18379+ "jno 0f\n"
18380+ LOCK_PREFIX "decq %0\n"
18381+ "int $4\n0:\n"
18382+ _ASM_EXTABLE(0b, 0b)
18383+#endif
18384+
18385+ : "=m" (v->counter)
18386+ : "m" (v->counter));
18387+}
18388+
18389+/**
18390+ * atomic64_inc_unchecked - increment atomic64 variable
18391+ * @v: pointer to type atomic64_unchecked_t
18392+ *
18393+ * Atomically increments @v by 1.
18394+ */
18395+static __always_inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
18396+{
18397 asm volatile(LOCK_PREFIX "incq %0"
18398 : "=m" (v->counter)
18399 : "m" (v->counter));
18400@@ -96,7 +185,28 @@ static __always_inline void atomic64_inc(atomic64_t *v)
18401 */
18402 static __always_inline void atomic64_dec(atomic64_t *v)
18403 {
18404- asm volatile(LOCK_PREFIX "decq %0"
18405+ asm volatile(LOCK_PREFIX "decq %0\n"
18406+
18407+#ifdef CONFIG_PAX_REFCOUNT
18408+ "jno 0f\n"
18409+ LOCK_PREFIX "incq %0\n"
18410+ "int $4\n0:\n"
18411+ _ASM_EXTABLE(0b, 0b)
18412+#endif
18413+
18414+ : "=m" (v->counter)
18415+ : "m" (v->counter));
18416+}
18417+
18418+/**
18419+ * atomic64_dec_unchecked - decrement atomic64 variable
18420+ * @v: pointer to type atomic64_t
18421+ *
18422+ * Atomically decrements @v by 1.
18423+ */
18424+static __always_inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
18425+{
18426+ asm volatile(LOCK_PREFIX "decq %0\n"
18427 : "=m" (v->counter)
18428 : "m" (v->counter));
18429 }
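Review bot: The kernel-doc added for atomic64_dec_unchecked() describes `@v` as `pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *`. The line should read ` * @v: pointer to type atomic64_unchecked_t`, as it does for the other _unchecked helpers in this file. As a style point, the template here is `LOCK_PREFIX "decq %0\n"` with a trailing newline that nothing follows, while atomic64_inc_unchecked() keeps `"incq %0"`; atomic64_sub_unchecked() has the same leftover `\n`.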
18430@@ -111,7 +221,7 @@ static __always_inline void atomic64_dec(atomic64_t *v)
18431 */
18432 static inline int atomic64_dec_and_test(atomic64_t *v)
18433 {
18434- GEN_UNARY_RMWcc(LOCK_PREFIX "decq", v->counter, "%0", "e");
18435+ GEN_UNARY_RMWcc(LOCK_PREFIX "decq", LOCK_PREFIX "incq", v->counter, "%0", "e");
18436 }
18437
18438 /**
18439@@ -124,7 +234,7 @@ static inline int atomic64_dec_and_test(atomic64_t *v)
18440 */
18441 static inline int atomic64_inc_and_test(atomic64_t *v)
18442 {
18443- GEN_UNARY_RMWcc(LOCK_PREFIX "incq", v->counter, "%0", "e");
18444+ GEN_UNARY_RMWcc(LOCK_PREFIX "incq", LOCK_PREFIX "decq", v->counter, "%0", "e");
18445 }
18446
18447 /**
18448@@ -138,7 +248,7 @@ static inline int atomic64_inc_and_test(atomic64_t *v)
18449 */
18450 static inline int atomic64_add_negative(long i, atomic64_t *v)
18451 {
18452- GEN_BINARY_RMWcc(LOCK_PREFIX "addq", v->counter, "er", i, "%0", "s");
18453+ GEN_BINARY_RMWcc(LOCK_PREFIX "addq", LOCK_PREFIX "subq", v->counter, "er", i, "%0", "s");
18454 }
18455
18456 /**
18457@@ -150,6 +260,18 @@ static inline int atomic64_add_negative(long i, atomic64_t *v)
18458 */
18459 static __always_inline long atomic64_add_return(long i, atomic64_t *v)
18460 {
18461+ return i + xadd_check_overflow(&v->counter, i);
18462+}
18463+
18464+/**
18465+ * atomic64_add_return_unchecked - add and return
18466+ * @i: integer value to add
18467+ * @v: pointer to type atomic64_unchecked_t
18468+ *
18469+ * Atomically adds @i to @v and returns @i + @v
18470+ */
18471+static __always_inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
18472+{
18473 return i + xadd(&v->counter, i);
18474 }
18475
18476@@ -159,6 +281,10 @@ static inline long atomic64_sub_return(long i, atomic64_t *v)
18477 }
18478
18479 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
18480+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
18481+{
18482+ return atomic64_add_return_unchecked(1, v);
18483+}
18484 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
18485
18486 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
18487@@ -166,6 +292,11 @@ static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
18488 return cmpxchg(&v->counter, old, new);
18489 }
18490
18491+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
18492+{
18493+ return cmpxchg(&v->counter, old, new);
18494+}
18495+
18496 static inline long atomic64_xchg(atomic64_t *v, long new)
18497 {
18498 return xchg(&v->counter, new);
18499@@ -182,17 +313,30 @@ static inline long atomic64_xchg(atomic64_t *v, long new)
18500 */
18501 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
18502 {
18503- long c, old;
18504+ long c, old, new;
18505 c = atomic64_read(v);
18506 for (;;) {
18507- if (unlikely(c == (u)))
18508+ if (unlikely(c == u))
18509 break;
18510- old = atomic64_cmpxchg((v), c, c + (a));
18511+
18512+ asm volatile("add %2,%0\n"
18513+
18514+#ifdef CONFIG_PAX_REFCOUNT
18515+ "jno 0f\n"
18516+ "sub %2,%0\n"
18517+ "int $4\n0:\n"
18518+ _ASM_EXTABLE(0b, 0b)
18519+#endif
18520+
18521+ : "=r" (new)
18522+ : "0" (c), "ir" (a));
18523+
18524+ old = atomic64_cmpxchg(v, c, new);
18525 if (likely(old == c))
18526 break;
18527 c = old;
18528 }
18529- return c != (u);
18530+ return c != u;
18531 }
18532
18533 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
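Review bot: The input constraint `"ir" (a)` in the new asm in atomic64_add_unless() accepts any immediate, but `a` is a `long` and a 64-bit `add` only encodes a sign-extended 32-bit immediate. The rest of this file uses `"er"` for exactly this reason, so the operand line should be `: "0" (c), "er" (a));`. With the small constants callers normally pass (the macro below passes 1) this never shows, which is why it is easy to miss; a wide constant would fail at assembly time. A short comment that the overflow check here runs on a register copy, before the cmpxchg publishes it, would also help readers compare it with the locked variants above.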
18534diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
18535index e51a8f8..ee075df 100644
18536--- a/arch/x86/include/asm/barrier.h
18537+++ b/arch/x86/include/asm/barrier.h
18538@@ -57,7 +57,7 @@
18539 do { \
18540 compiletime_assert_atomic_type(*p); \
18541 smp_mb(); \
18542- ACCESS_ONCE(*p) = (v); \
18543+ ACCESS_ONCE_RW(*p) = (v); \
18544 } while (0)
18545
18546 #define smp_load_acquire(p) \
18547@@ -74,7 +74,7 @@ do { \
18548 do { \
18549 compiletime_assert_atomic_type(*p); \
18550 barrier(); \
18551- ACCESS_ONCE(*p) = (v); \
18552+ ACCESS_ONCE_RW(*p) = (v); \
18553 } while (0)
18554
18555 #define smp_load_acquire(p) \
18556diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h
18557index cfe3b95..d01b118 100644
18558--- a/arch/x86/include/asm/bitops.h
18559+++ b/arch/x86/include/asm/bitops.h
18560@@ -50,7 +50,7 @@
18561 * a mask operation on a byte.
18562 */
18563 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
18564-#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
18565+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
18566 #define CONST_MASK(nr) (1 << ((nr) & 7))
18567
18568 /**
18569@@ -203,7 +203,7 @@ static inline void change_bit(long nr, volatile unsigned long *addr)
18570 */
18571 static inline int test_and_set_bit(long nr, volatile unsigned long *addr)
18572 {
18573- GEN_BINARY_RMWcc(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", "c");
18574+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", "c");
18575 }
18576
18577 /**
18578@@ -249,7 +249,7 @@ static inline int __test_and_set_bit(long nr, volatile unsigned long *addr)
18579 */
18580 static inline int test_and_clear_bit(long nr, volatile unsigned long *addr)
18581 {
18582- GEN_BINARY_RMWcc(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", "c");
18583+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", "c");
18584 }
18585
18586 /**
18587@@ -302,7 +302,7 @@ static inline int __test_and_change_bit(long nr, volatile unsigned long *addr)
18588 */
18589 static inline int test_and_change_bit(long nr, volatile unsigned long *addr)
18590 {
18591- GEN_BINARY_RMWcc(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", "c");
18592+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", "c");
18593 }
18594
18595 static __always_inline int constant_test_bit(long nr, const volatile unsigned long *addr)
18596@@ -343,7 +343,7 @@ static int test_bit(int nr, const volatile unsigned long *addr);
18597 *
18598 * Undefined if no bit exists, so code should check against 0 first.
18599 */
18600-static inline unsigned long __ffs(unsigned long word)
18601+static inline unsigned long __intentional_overflow(-1) __ffs(unsigned long word)
18602 {
18603 asm("rep; bsf %1,%0"
18604 : "=r" (word)
18605@@ -357,7 +357,7 @@ static inline unsigned long __ffs(unsigned long word)
18606 *
18607 * Undefined if no zero exists, so code should check against ~0UL first.
18608 */
18609-static inline unsigned long ffz(unsigned long word)
18610+static inline unsigned long __intentional_overflow(-1) ffz(unsigned long word)
18611 {
18612 asm("rep; bsf %1,%0"
18613 : "=r" (word)
18614@@ -371,7 +371,7 @@ static inline unsigned long ffz(unsigned long word)
18615 *
18616 * Undefined if no set bit exists, so code should check against 0 first.
18617 */
18618-static inline unsigned long __fls(unsigned long word)
18619+static inline unsigned long __intentional_overflow(-1) __fls(unsigned long word)
18620 {
18621 asm("bsr %1,%0"
18622 : "=r" (word)
18623@@ -434,7 +434,7 @@ static inline int ffs(int x)
18624 * set bit if value is nonzero. The last (most significant) bit is
18625 * at position 32.
18626 */
18627-static inline int fls(int x)
18628+static inline int __intentional_overflow(-1) fls(int x)
18629 {
18630 int r;
18631
18632@@ -476,7 +476,7 @@ static inline int fls(int x)
18633 * at position 64.
18634 */
18635 #ifdef CONFIG_X86_64
18636-static __always_inline int fls64(__u64 x)
18637+static __always_inline __intentional_overflow(-1) int fls64(__u64 x)
18638 {
18639 int bitpos = -1;
18640 /*
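Review bot: The attribute placement in `static __always_inline __intentional_overflow(-1) int fls64(__u64 x)` differs from the other annotations added in this file, which put it after the return type (`static inline int __intentional_overflow(-1) fls(int x)`, and likewise __ffs, ffz and __fls). Pick one position and use it throughout. None of the annotated functions gets a comment saying why its result is exempt from overflow checking; one line in the existing kernel-doc blocks would record the reasoning. fls64()'s body continues outside the hunk.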
18641diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
18642index 4fa687a..4ca636f 100644
18643--- a/arch/x86/include/asm/boot.h
18644+++ b/arch/x86/include/asm/boot.h
18645@@ -6,7 +6,7 @@
18646 #include <uapi/asm/boot.h>
18647
18648 /* Physical address where kernel should be loaded. */
18649-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
18650+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
18651 + (CONFIG_PHYSICAL_ALIGN - 1)) \
18652 & ~(CONFIG_PHYSICAL_ALIGN - 1))
18653
18654diff --git a/arch/x86/include/asm/cache.h b/arch/x86/include/asm/cache.h
18655index 48f99f1..d78ebf9 100644
18656--- a/arch/x86/include/asm/cache.h
18657+++ b/arch/x86/include/asm/cache.h
18658@@ -5,12 +5,13 @@
18659
18660 /* L1 cache line size */
18661 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
18662-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
18663+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
18664
18665 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
18666+#define __read_only __attribute__((__section__(".data..read_only")))
18667
18668 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
18669-#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
18670+#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
18671
18672 #ifdef CONFIG_X86_VSMP
18673 #ifdef CONFIG_SMP
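Review bot: `__read_only` only names a section, `.data..read_only`; nothing in this hunk makes that section read-only. The protection therefore depends on linker-script and page-table changes elsewhere in the patch, which are not visible here. A one-line comment on the macro saying where the section is write-protected, and how legitimate writers are expected to update such data, would stop it being read as a synonym of `__read_mostly`. Separately, `(_AC(1,UL) << L1_CACHE_SHIFT)` changes the type of L1_CACHE_BYTES and INTERNODE_CACHE_BYTES from int to unsigned long in C code, so any user that prints them with `%d` or compares them with negative values needs checking.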
18674diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
18675index f50de69..2b0a458 100644
18676--- a/arch/x86/include/asm/checksum_32.h
18677+++ b/arch/x86/include/asm/checksum_32.h
18678@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
18679 int len, __wsum sum,
18680 int *src_err_ptr, int *dst_err_ptr);
18681
18682+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
18683+ int len, __wsum sum,
18684+ int *src_err_ptr, int *dst_err_ptr);
18685+
18686+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
18687+ int len, __wsum sum,
18688+ int *src_err_ptr, int *dst_err_ptr);
18689+
18690 /*
18691 * Note: when you get a NULL pointer exception here this means someone
18692 * passed in an incorrect kernel address to one of these functions.
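Review bot: The two new prototypes keep plain `const void *src, void *dst`, so the direction that their names encode is invisible to sparse and the call sites still need `(__force void *)` casts. Since these variants exist only for the user-copy paths, I would declare csum_partial_copy_generic_from_user() with `const void __user *src` and csum_partial_copy_generic_to_user() with `void __user *dst`, and drop the casts in csum_partial_copy_from_user() and csum_and_copy_to_user(). A comment on the declarations saying how they differ from csum_partial_copy_generic() is also missing; the implementations are outside this file.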
18693@@ -53,7 +61,7 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src,
18694
18695 might_sleep();
18696 stac();
18697- ret = csum_partial_copy_generic((__force void *)src, dst,
18698+ ret = csum_partial_copy_generic_from_user((__force void *)src, dst,
18699 len, sum, err_ptr, NULL);
18700 clac();
18701
18702@@ -187,7 +195,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
18703 might_sleep();
18704 if (access_ok(VERIFY_WRITE, dst, len)) {
18705 stac();
18706- ret = csum_partial_copy_generic(src, (__force void *)dst,
18707+ ret = csum_partial_copy_generic_to_user(src, (__force void *)dst,
18708 len, sum, NULL, err_ptr);
18709 clac();
18710 return ret;
18711diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h
18712index ad19841..0784041 100644
18713--- a/arch/x86/include/asm/cmpxchg.h
18714+++ b/arch/x86/include/asm/cmpxchg.h
18715@@ -14,8 +14,12 @@ extern void __cmpxchg_wrong_size(void)
18716 __compiletime_error("Bad argument size for cmpxchg");
18717 extern void __xadd_wrong_size(void)
18718 __compiletime_error("Bad argument size for xadd");
18719+extern void __xadd_check_overflow_wrong_size(void)
18720+ __compiletime_error("Bad argument size for xadd_check_overflow");
18721 extern void __add_wrong_size(void)
18722 __compiletime_error("Bad argument size for add");
18723+extern void __add_check_overflow_wrong_size(void)
18724+ __compiletime_error("Bad argument size for add_check_overflow");
18725
18726 /*
18727 * Constants for operation sizes. On 32-bit, the 64-bit size it set to
18728@@ -67,6 +71,38 @@ extern void __add_wrong_size(void)
18729 __ret; \
18730 })
18731
18732+#ifdef CONFIG_PAX_REFCOUNT
18733+#define __xchg_op_check_overflow(ptr, arg, op, lock) \
18734+ ({ \
18735+ __typeof__ (*(ptr)) __ret = (arg); \
18736+ switch (sizeof(*(ptr))) { \
18737+ case __X86_CASE_L: \
18738+ asm volatile (lock #op "l %0, %1\n" \
18739+ "jno 0f\n" \
18740+ "mov %0,%1\n" \
18741+ "int $4\n0:\n" \
18742+ _ASM_EXTABLE(0b, 0b) \
18743+ : "+r" (__ret), "+m" (*(ptr)) \
18744+ : : "memory", "cc"); \
18745+ break; \
18746+ case __X86_CASE_Q: \
18747+ asm volatile (lock #op "q %q0, %1\n" \
18748+ "jno 0f\n" \
18749+ "mov %0,%1\n" \
18750+ "int $4\n0:\n" \
18751+ _ASM_EXTABLE(0b, 0b) \
18752+ : "+r" (__ret), "+m" (*(ptr)) \
18753+ : : "memory", "cc"); \
18754+ break; \
18755+ default: \
18756+ __ ## op ## _check_overflow_wrong_size(); \
18757+ } \
18758+ __ret; \
18759+ })
18760+#else
18761+#define __xchg_op_check_overflow(ptr, arg, op, lock) __xchg_op(ptr, arg, op, lock)
18762+#endif
18763+
18764 /*
18765 * Note: no "lock" prefix even on SMP: xchg always implies lock anyway.
18766 * Since this is generally used to protect other memory information, we
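Review bot: In `__xchg_op_check_overflow` the overflow path undoes the update with a plain `mov %0,%1`, which stores the pre-xadd value back rather than applying a locked inverse operation. Any update another CPU makes to `*(ptr)` between the locked xadd and that store is overwritten, unlike the `LOCK_PREFIX "subq"` undo used for atomic64_add() in atomic64_64.h. If that is accepted because the path ends in `int $4` anyway, say so in a comment above the macro, e.g. `/* overflow: restore the old value with a plain store (not atomic), then trap */`. Minor: the quad case writes `%q0` on the xadd line but `%0` on the `mov`; use the same operand spelling on both.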
18767@@ -165,6 +201,9 @@ extern void __add_wrong_size(void)
18768 #define xadd_sync(ptr, inc) __xadd((ptr), (inc), "lock; ")
18769 #define xadd_local(ptr, inc) __xadd((ptr), (inc), "")
18770
18771+#define __xadd_check_overflow(ptr, inc, lock) __xchg_op_check_overflow((ptr), (inc), xadd, lock)
18772+#define xadd_check_overflow(ptr, inc) __xadd_check_overflow((ptr), (inc), LOCK_PREFIX)
18773+
18774 #define __add(ptr, inc, lock) \
18775 ({ \
18776 __typeof__ (*(ptr)) __ret = (inc); \
18777diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
18778index acdee09..a553db3 100644
18779--- a/arch/x86/include/asm/compat.h
18780+++ b/arch/x86/include/asm/compat.h
18781@@ -41,7 +41,7 @@ typedef s64 __attribute__((aligned(4))) compat_s64;
18782 typedef u32 compat_uint_t;
18783 typedef u32 compat_ulong_t;
18784 typedef u64 __attribute__((aligned(4))) compat_u64;
18785-typedef u32 compat_uptr_t;
18786+typedef u32 __user compat_uptr_t;
18787
18788 struct compat_timespec {
18789 compat_time_t tv_sec;
18790diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
18791index 3d6606f..300641d 100644
18792--- a/arch/x86/include/asm/cpufeature.h
18793+++ b/arch/x86/include/asm/cpufeature.h
18794@@ -214,7 +214,8 @@
18795 #define X86_FEATURE_PAUSEFILTER ( 8*32+13) /* AMD filtered pause intercept */
18796 #define X86_FEATURE_PFTHRESHOLD ( 8*32+14) /* AMD pause filter threshold */
18797 #define X86_FEATURE_VMMCALL ( 8*32+15) /* Prefer vmmcall to vmcall */
18798-
18799+#define X86_FEATURE_PCIDUDEREF ( 8*32+30) /* PaX PCID based UDEREF */
18800+#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */
18801
18802 /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
18803 #define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
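Review bot: `X86_FEATURE_STRONGUDEREF (8*32+31)` is formatted differently from every neighbouring entry, including the PCIDUDEREF line just above it, which all write `( 8*32+NN)`. More importantly, both new flags take bits 30 and 31 of word 8, which the visible entries show is also used for the AMD virtualization flags. A comment that these two are patch-local software bits, and must be rechecked against the word's allocation on every rebase, would prevent a silent collision.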
18804@@ -222,7 +223,7 @@
18805 #define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */
18806 #define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */
18807 #define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */
18808-#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */
18809+#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Prevention */
18810 #define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit manipulation extensions */
18811 #define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */
18812 #define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */
18813@@ -401,6 +402,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
18814 #define cpu_has_eager_fpu boot_cpu_has(X86_FEATURE_EAGER_FPU)
18815 #define cpu_has_topoext boot_cpu_has(X86_FEATURE_TOPOEXT)
18816 #define cpu_has_bpext boot_cpu_has(X86_FEATURE_BPEXT)
18817+#define cpu_has_pcid boot_cpu_has(X86_FEATURE_PCID)
18818
18819 #if __GNUC__ >= 4
18820 extern void warn_pre_alternatives(void);
18821@@ -454,7 +456,8 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
18822
18823 #ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
18824 t_warn:
18825- warn_pre_alternatives();
18826+ if (bit != X86_FEATURE_PCID && bit != X86_FEATURE_INVPCID && bit != X86_FEATURE_PCIDUDEREF)
18827+ warn_pre_alternatives();
18828 return false;
18829 #endif
18830
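Review bot: The new condition in front of `warn_pre_alternatives()` silences the debug warning for three feature bits without saying why. Presumably these bits are tested legitimately before alternatives have been applied; if so, state it next to the test, e.g. `/* PCID/INVPCID/PCIDUDEREF are queried before alternatives are patched in */`. As written, the next person to add an early user will extend the list without knowing what it is for. __static_cpu_has() starts and ends outside the hunk.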
18831@@ -475,7 +478,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
18832 ".section .discard,\"aw\",@progbits\n"
18833 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
18834 ".previous\n"
18835- ".section .altinstr_replacement,\"ax\"\n"
18836+ ".section .altinstr_replacement,\"a\"\n"
18837 "3: movb $1,%0\n"
18838 "4:\n"
18839 ".previous\n"
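Review bot: Dropping the `x` flag from `.altinstr_replacement` is done at this site and in the three later hunks of this file, but a section's flags have to agree everywhere it is defined. Any other definition that still says `\"ax\"` and ends up in the same translation unit will trigger an assembler complaint about changed section attributes, so every user needs converting; that cannot be verified from this file alone. The reason for the change (presumably that replacement bytes are only copied from, never executed in place) is not stated anywhere in the hunk and deserves a comment at one of the sites. __static_cpu_has() starts and ends outside the hunk.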
18840@@ -510,7 +513,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18841 " .byte 5f - 4f\n" /* repl len */
18842 " .byte 3b - 2b\n" /* pad len */
18843 ".previous\n"
18844- ".section .altinstr_replacement,\"ax\"\n"
18845+ ".section .altinstr_replacement,\"a\"\n"
18846 "4: jmp %l[t_no]\n"
18847 "5:\n"
18848 ".previous\n"
18849@@ -545,7 +548,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18850 ".section .discard,\"aw\",@progbits\n"
18851 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
18852 ".previous\n"
18853- ".section .altinstr_replacement,\"ax\"\n"
18854+ ".section .altinstr_replacement,\"a\"\n"
18855 "3: movb $0,%0\n"
18856 "4:\n"
18857 ".previous\n"
18858@@ -560,7 +563,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18859 ".section .discard,\"aw\",@progbits\n"
18860 " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */
18861 ".previous\n"
18862- ".section .altinstr_replacement,\"ax\"\n"
18863+ ".section .altinstr_replacement,\"a\"\n"
18864 "5: movb $1,%0\n"
18865 "6:\n"
18866 ".previous\n"
18867diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
18868index 4e10d73..7319a47 100644
18869--- a/arch/x86/include/asm/desc.h
18870+++ b/arch/x86/include/asm/desc.h
18871@@ -4,6 +4,7 @@
18872 #include <asm/desc_defs.h>
18873 #include <asm/ldt.h>
18874 #include <asm/mmu.h>
18875+#include <asm/pgtable.h>
18876
18877 #include <linux/smp.h>
18878 #include <linux/percpu.h>
18879@@ -17,6 +18,7 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
18880
18881 desc->type = (info->read_exec_only ^ 1) << 1;
18882 desc->type |= info->contents << 2;
18883+ desc->type |= info->seg_not_present ^ 1;
18884
18885 desc->s = 1;
18886 desc->dpl = 0x3;
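Review bot: `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the accessed bit, for every present segment, and the line has no comment. Presumably the bit is pre-set so that the CPU never has to write it back into a descriptor table that this patch keeps write-protected; the `pax_open_kernel()` pairs added further down in the file point that way. If that is the reason, record it: `/* pre-set the accessed bit so loading the segment does not write to the table */`. fill_ldt() starts and ends outside the hunk.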
18887@@ -35,19 +37,14 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
18888 }
18889
18890 extern struct desc_ptr idt_descr;
18891-extern gate_desc idt_table[];
18892-extern struct desc_ptr debug_idt_descr;
18893-extern gate_desc debug_idt_table[];
18894-
18895-struct gdt_page {
18896- struct desc_struct gdt[GDT_ENTRIES];
18897-} __attribute__((aligned(PAGE_SIZE)));
18898-
18899-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
18900+extern gate_desc idt_table[IDT_ENTRIES];
18901+extern const struct desc_ptr debug_idt_descr;
18902+extern gate_desc debug_idt_table[IDT_ENTRIES];
18903
18904+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
18905 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
18906 {
18907- return per_cpu(gdt_page, cpu).gdt;
18908+ return cpu_gdt_table[cpu];
18909 }
18910
18911 #ifdef CONFIG_X86_64
18912@@ -72,8 +69,14 @@ static inline void pack_gate(gate_desc *gate, unsigned char type,
18913 unsigned long base, unsigned dpl, unsigned flags,
18914 unsigned short seg)
18915 {
18916- gate->a = (seg << 16) | (base & 0xffff);
18917- gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8);
18918+ gate->gate.offset_low = base;
18919+ gate->gate.seg = seg;
18920+ gate->gate.reserved = 0;
18921+ gate->gate.type = type;
18922+ gate->gate.s = 0;
18923+ gate->gate.dpl = dpl;
18924+ gate->gate.p = 1;
18925+ gate->gate.offset_high = base >> 16;
18926 }
18927
18928 #endif
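Review bot: The bit-field version of pack_gate() relies on implicit narrowing where the removed lines masked explicitly. `gate->gate.offset_low = base;` silently truncates an unsigned long to 16 bits, and `gate->gate.type = type;` keeps only four bits where the old expression OR-ed the whole byte into the descriptor. Writing `gate->gate.offset_low = base & 0xffff;` keeps the intent visible and avoids conversion warnings. If dropping the upper bits of `type` is deliberate, a comment should say so, because it changes what a caller passing a value above 0xF gets.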
18929@@ -118,12 +121,16 @@ static inline void paravirt_free_ldt(struct desc_struct *ldt, unsigned entries)
18930
18931 static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
18932 {
18933+ pax_open_kernel();
18934 memcpy(&idt[entry], gate, sizeof(*gate));
18935+ pax_close_kernel();
18936 }
18937
18938 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
18939 {
18940+ pax_open_kernel();
18941 memcpy(&ldt[entry], desc, 8);
18942+ pax_close_kernel();
18943 }
18944
18945 static inline void
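Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pairs around the descriptor-table stores carry no comment, and neither helper is defined in the hunks of this file. A reader needs to know what the pair lifts and that nothing else belongs between the two calls; a comment above the first pair such as `/* descriptor tables are write-protected: open the kernel only for this store */` would do, assuming that is the mechanism (it is set up outside the visible diff). The same pair is added in native_write_gdt_entry(), native_load_tr_desc() and native_load_tls() in the following hunks. For `ltr` the reason is the least obvious, since the instruction marks the TSS descriptor busy and so writes to the GDT, and it deserves its own comment.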
18946@@ -137,7 +144,9 @@ native_write_gdt_entry(struct desc_struct *gdt, int entry, const void *desc, int
18947 default: size = sizeof(*gdt); break;
18948 }
18949
18950+ pax_open_kernel();
18951 memcpy(&gdt[entry], desc, size);
18952+ pax_close_kernel();
18953 }
18954
18955 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
18956@@ -210,7 +219,9 @@ static inline void native_set_ldt(const void *addr, unsigned int entries)
18957
18958 static inline void native_load_tr_desc(void)
18959 {
18960+ pax_open_kernel();
18961 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
18962+ pax_close_kernel();
18963 }
18964
18965 static inline void native_load_gdt(const struct desc_ptr *dtr)
18966@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
18967 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
18968 unsigned int i;
18969
18970+ pax_open_kernel();
18971 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
18972 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
18973+ pax_close_kernel();
18974 }
18975
18976 /* This intentionally ignores lm, since 32-bit apps don't have that field. */
18977@@ -280,7 +293,7 @@ static inline void clear_LDT(void)
18978 set_ldt(NULL, 0);
18979 }
18980
18981-static inline unsigned long get_desc_base(const struct desc_struct *desc)
18982+static inline unsigned long __intentional_overflow(-1) get_desc_base(const struct desc_struct *desc)
18983 {
18984 return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
18985 }
18986@@ -304,7 +317,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
18987 }
18988
18989 #ifdef CONFIG_X86_64
18990-static inline void set_nmi_gate(int gate, void *addr)
18991+static inline void set_nmi_gate(int gate, const void *addr)
18992 {
18993 gate_desc s;
18994
18995@@ -314,14 +327,14 @@ static inline void set_nmi_gate(int gate, void *addr)
18996 #endif
18997
18998 #ifdef CONFIG_TRACING
18999-extern struct desc_ptr trace_idt_descr;
19000-extern gate_desc trace_idt_table[];
19001+extern const struct desc_ptr trace_idt_descr;
19002+extern gate_desc trace_idt_table[IDT_ENTRIES];
19003 static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
19004 {
19005 write_idt_entry(trace_idt_table, entry, gate);
19006 }
19007
19008-static inline void _trace_set_gate(int gate, unsigned type, void *addr,
19009+static inline void _trace_set_gate(int gate, unsigned type, const void *addr,
19010 unsigned dpl, unsigned ist, unsigned seg)
19011 {
19012 gate_desc s;
19013@@ -341,7 +354,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
19014 #define _trace_set_gate(gate, type, addr, dpl, ist, seg)
19015 #endif
19016
19017-static inline void _set_gate(int gate, unsigned type, void *addr,
19018+static inline void _set_gate(int gate, unsigned type, const void *addr,
19019 unsigned dpl, unsigned ist, unsigned seg)
19020 {
19021 gate_desc s;
19022@@ -364,14 +377,14 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
19023 #define set_intr_gate_notrace(n, addr) \
19024 do { \
19025 BUG_ON((unsigned)n > 0xFF); \
19026- _set_gate(n, GATE_INTERRUPT, (void *)addr, 0, 0, \
19027+ _set_gate(n, GATE_INTERRUPT, (const void *)addr, 0, 0, \
19028 __KERNEL_CS); \
19029 } while (0)
19030
19031 #define set_intr_gate(n, addr) \
19032 do { \
19033 set_intr_gate_notrace(n, addr); \
19034- _trace_set_gate(n, GATE_INTERRUPT, (void *)trace_##addr,\
19035+ _trace_set_gate(n, GATE_INTERRUPT, (const void *)trace_##addr,\
19036 0, 0, __KERNEL_CS); \
19037 } while (0)
19038
19039@@ -399,19 +412,19 @@ static inline void alloc_system_vector(int vector)
19040 /*
19041 * This routine sets up an interrupt gate at directory privilege level 3.
19042 */
19043-static inline void set_system_intr_gate(unsigned int n, void *addr)
19044+static inline void set_system_intr_gate(unsigned int n, const void *addr)
19045 {
19046 BUG_ON((unsigned)n > 0xFF);
19047 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
19048 }
19049
19050-static inline void set_system_trap_gate(unsigned int n, void *addr)
19051+static inline void set_system_trap_gate(unsigned int n, const void *addr)
19052 {
19053 BUG_ON((unsigned)n > 0xFF);
19054 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
19055 }
19056
19057-static inline void set_trap_gate(unsigned int n, void *addr)
19058+static inline void set_trap_gate(unsigned int n, const void *addr)
19059 {
19060 BUG_ON((unsigned)n > 0xFF);
19061 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
19062@@ -420,16 +433,16 @@ static inline void set_trap_gate(unsigned int n, void *addr)
19063 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
19064 {
19065 BUG_ON((unsigned)n > 0xFF);
19066- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
19067+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
19068 }
19069
19070-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
19071+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
19072 {
19073 BUG_ON((unsigned)n > 0xFF);
19074 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
19075 }
19076
19077-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
19078+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
19079 {
19080 BUG_ON((unsigned)n > 0xFF);
19081 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
19082@@ -501,4 +514,17 @@ static inline void load_current_idt(void)
19083 else
19084 load_idt((const struct desc_ptr *)&idt_descr);
19085 }
19086+
19087+#ifdef CONFIG_X86_32
19088+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
19089+{
19090+ struct desc_struct d;
19091+
19092+ if (likely(limit))
19093+ limit = (limit - 1UL) >> PAGE_SHIFT;
19094+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
19095+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
19096+}
19097+#endif
19098+
19099 #endif /* _ASM_X86_DESC_H */
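Review bot: set_user_cs() passes the bare constants `0xFB` and `0xC` to pack_descriptor() and has no comment at all. As I read them, 0xFB is a present, DPL 3, execute/read code segment with the accessed bit set, and 0xC selects page granularity with 32-bit default size; please confirm and spell that out, e.g. `/* type 0xFB: P, DPL3, code, exec/read, accessed; flags 0xC: G, D */`. The `limit == 0` case also needs a word: the conversion is skipped and 0 is packed with page granularity, which as far as I can tell still describes a one-page segment rather than an empty one. `cpu` is an `int` here but get_cpu_gdt_table() takes `unsigned int` and indexes an array with it, so the parameter should be `unsigned int cpu`.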
19100diff --git a/arch/x86/include/asm/desc_defs.h b/arch/x86/include/asm/desc_defs.h
19101index 278441f..b95a174 100644
19102--- a/arch/x86/include/asm/desc_defs.h
19103+++ b/arch/x86/include/asm/desc_defs.h
19104@@ -31,6 +31,12 @@ struct desc_struct {
19105 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
19106 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
19107 };
19108+ struct {
19109+ u16 offset_low;
19110+ u16 seg;
19111+ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
19112+ unsigned offset_high: 16;
19113+ } gate;
19114 };
19115 } __attribute__((packed));
19116
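Review bot: The new `gate` view is only correct if it overlays the descriptor exactly, and nothing in the hunk pins that. The bit-fields add up to 16 bits after `seg`, and `offset_high` is a separate `unsigned ... : 16` field, so the layout depends on how the compiler allocates bit-fields inside the packed struct. I would declare it as `u16 offset_high;` to match `offset_low`, and add a compile-time size check where the struct is first used, e.g. `BUILD_BUG_ON(sizeof(struct desc_struct) != 8);`. The enclosing struct starts outside the hunk.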
19117diff --git a/arch/x86/include/asm/div64.h b/arch/x86/include/asm/div64.h
19118index ced283a..ffe04cc 100644
19119--- a/arch/x86/include/asm/div64.h
19120+++ b/arch/x86/include/asm/div64.h
19121@@ -39,7 +39,7 @@
19122 __mod; \
19123 })
19124
19125-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
19126+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
19127 {
19128 union {
19129 u64 v64;
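Review bot: `__intentional_overflow(-1)` is added to `div_u64_rem()` with no comment saying which arithmetic is expected to wrap, so the next reader cannot tell a deliberate exemption from one added to silence a false positive. As I understand the marker, it exempts code from the overflow instrumentation, so each use deserves a one-line reason next to it. The function body continues outside the hunk, so I cannot confirm what the reason is here. The same applies to the `readw`/`readl`/`__readw`/`__readl` and `virt_to_phys()` hunks in asm/io.h.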
19130diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
19131index f161c18..97d43e8 100644
19132--- a/arch/x86/include/asm/elf.h
19133+++ b/arch/x86/include/asm/elf.h
19134@@ -75,9 +75,6 @@ typedef struct user_fxsr_struct elf_fpxregset_t;
19135
19136 #include <asm/vdso.h>
19137
19138-#ifdef CONFIG_X86_64
19139-extern unsigned int vdso64_enabled;
19140-#endif
19141 #if defined(CONFIG_X86_32) || defined(CONFIG_COMPAT)
19142 extern unsigned int vdso32_enabled;
19143 #endif
19144@@ -250,7 +247,25 @@ extern int force_personality32;
19145 the loader. We need to make sure that it is out of the way of the program
19146 that it will "exec", and that there is sufficient room for the brk. */
19147
19148+#ifdef CONFIG_PAX_SEGMEXEC
19149+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
19150+#else
19151 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
19152+#endif
19153+
19154+#ifdef CONFIG_PAX_ASLR
19155+#ifdef CONFIG_X86_32
19156+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
19157+
19158+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
19159+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
19160+#else
19161+#define PAX_ELF_ET_DYN_BASE 0x400000UL
19162+
19163+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
19164+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
19165+#endif
19166+#endif
19167
19168 /* This yields a mask that user programs can use to figure out what
19169 instruction set this CPU supports. This could be done in user space,
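Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are introduced without a comment giving their unit or why SEGMEXEC lowers them from 16 to 15. They look like randomisation widths in bits, which makes them security parameters someone will want to audit later; a line such as `/* bits of randomisation applied to the mmap/stack base */` (if that reading is right) would help. The 32-bit variants also rely on `&` binding tighter than `?:`; writing `((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? 15 : 16)` matches the parenthesised form already used for `ELF_ET_DYN_BASE` above.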
19170@@ -299,17 +314,13 @@ do { \
19171
19172 #define ARCH_DLINFO \
19173 do { \
19174- if (vdso64_enabled) \
19175- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
19176- (unsigned long __force)current->mm->context.vdso); \
19177+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
19178 } while (0)
19179
19180 /* As a historical oddity, the x32 and x86_64 vDSOs are controlled together. */
19181 #define ARCH_DLINFO_X32 \
19182 do { \
19183- if (vdso64_enabled) \
19184- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
19185- (unsigned long __force)current->mm->context.vdso); \
19186+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
19187 } while (0)
19188
19189 #define AT_SYSINFO 32
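Review bot: `ARCH_DLINFO` and `ARCH_DLINFO_X32` now emit `AT_SYSINFO_EHDR` unconditionally, so a process whose `context.vdso` is 0 would get an auxv entry pointing at address 0 instead of no entry. The removed `vdso64_enabled` test was what prevented that. If the patch guarantees a vDSO is always mapped on 64-bit, a comment saying so belongs here; otherwise keep a guard on the value itself, e.g. `if (current->mm->context.vdso) NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);`. Whether the vDSO can still be absent is decided outside this hunk.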
19190@@ -324,10 +335,10 @@ else \
19191
19192 #endif /* !CONFIG_X86_32 */
19193
19194-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
19195+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
19196
19197 #define VDSO_ENTRY \
19198- ((unsigned long)current->mm->context.vdso + \
19199+ (current->mm->context.vdso + \
19200 selected_vdso32->sym___kernel_vsyscall)
19201
19202 struct linux_binprm;
19203diff --git a/arch/x86/include/asm/emergency-restart.h b/arch/x86/include/asm/emergency-restart.h
19204index 77a99ac..39ff7f5 100644
19205--- a/arch/x86/include/asm/emergency-restart.h
19206+++ b/arch/x86/include/asm/emergency-restart.h
19207@@ -1,6 +1,6 @@
19208 #ifndef _ASM_X86_EMERGENCY_RESTART_H
19209 #define _ASM_X86_EMERGENCY_RESTART_H
19210
19211-extern void machine_emergency_restart(void);
19212+extern void machine_emergency_restart(void) __noreturn;
19213
19214 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
19215diff --git a/arch/x86/include/asm/floppy.h b/arch/x86/include/asm/floppy.h
19216index 1c7eefe..d0e4702 100644
19217--- a/arch/x86/include/asm/floppy.h
19218+++ b/arch/x86/include/asm/floppy.h
19219@@ -229,18 +229,18 @@ static struct fd_routine_l {
19220 int (*_dma_setup)(char *addr, unsigned long size, int mode, int io);
19221 } fd_routine[] = {
19222 {
19223- request_dma,
19224- free_dma,
19225- get_dma_residue,
19226- dma_mem_alloc,
19227- hard_dma_setup
19228+ ._request_dma = request_dma,
19229+ ._free_dma = free_dma,
19230+ ._get_dma_residue = get_dma_residue,
19231+ ._dma_mem_alloc = dma_mem_alloc,
19232+ ._dma_setup = hard_dma_setup
19233 },
19234 {
19235- vdma_request_dma,
19236- vdma_nop,
19237- vdma_get_dma_residue,
19238- vdma_mem_alloc,
19239- vdma_dma_setup
19240+ ._request_dma = vdma_request_dma,
19241+ ._free_dma = vdma_nop,
19242+ ._get_dma_residue = vdma_get_dma_residue,
19243+ ._dma_mem_alloc = vdma_mem_alloc,
19244+ ._dma_setup = vdma_dma_setup
19245 }
19246 };
19247
19248diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
19249index 3c3550c..995858d 100644
19250--- a/arch/x86/include/asm/fpu/internal.h
19251+++ b/arch/x86/include/asm/fpu/internal.h
19252@@ -97,8 +97,11 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
19253 #define user_insn(insn, output, input...) \
19254 ({ \
19255 int err; \
19256+ pax_open_userland(); \
19257 asm volatile(ASM_STAC "\n" \
19258- "1:" #insn "\n\t" \
19259+ "1:" \
19260+ __copyuser_seg \
19261+ #insn "\n\t" \
19262 "2: " ASM_CLAC "\n" \
19263 ".section .fixup,\"ax\"\n" \
19264 "3: movl $-1,%[err]\n" \
19265@@ -107,6 +110,7 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
19266 _ASM_EXTABLE(1b, 3b) \
19267 : [err] "=r" (err), output \
19268 : "0"(0), input); \
19269+ pax_close_userland(); \
19270 err; \
19271 })
19272
19273@@ -186,9 +190,9 @@ static inline int copy_user_to_fregs(struct fregs_state __user *fx)
19274 static inline void copy_fxregs_to_kernel(struct fpu *fpu)
19275 {
19276 if (config_enabled(CONFIG_X86_32))
19277- asm volatile( "fxsave %[fx]" : [fx] "=m" (fpu->state.fxsave));
19278+ asm volatile( "fxsave %[fx]" : [fx] "=m" (fpu->state->fxsave));
19279 else if (config_enabled(CONFIG_AS_FXSAVEQ))
19280- asm volatile("fxsaveq %[fx]" : [fx] "=m" (fpu->state.fxsave));
19281+ asm volatile("fxsaveq %[fx]" : [fx] "=m" (fpu->state->fxsave));
19282 else {
19283 /* Using "rex64; fxsave %0" is broken because, if the memory
19284 * operand uses any extended registers for addressing, a second
19285@@ -212,8 +216,8 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
19286 * registers.
19287 */
19288 asm volatile( "rex64/fxsave (%[fx])"
19289- : "=m" (fpu->state.fxsave)
19290- : [fx] "R" (&fpu->state.fxsave));
19291+ : "=m" (fpu->state->fxsave)
19292+ : [fx] "R" (&fpu->state->fxsave));
19293 }
19294 }
19295
19296@@ -388,12 +392,16 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf)
19297 if (unlikely(err))
19298 return -EFAULT;
19299
19300+ pax_open_userland();
19301 __asm__ __volatile__(ASM_STAC "\n"
19302- "1:"XSAVE"\n"
19303+ "1:"
19304+ __copyuser_seg
19305+ XSAVE"\n"
19306 "2: " ASM_CLAC "\n"
19307 xstate_fault(err)
19308 : "D" (buf), "a" (-1), "d" (-1), "0" (err)
19309 : "memory");
19310+ pax_close_userland();
19311 return err;
19312 }
19313
19314@@ -402,17 +410,21 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf)
19315 */
19316 static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
19317 {
19318- struct xregs_state *xstate = ((__force struct xregs_state *)buf);
19319+ struct xregs_state *xstate = ((__force_kernel struct xregs_state *)buf);
19320 u32 lmask = mask;
19321 u32 hmask = mask >> 32;
19322 int err = 0;
19323
19324+ pax_open_userland();
19325 __asm__ __volatile__(ASM_STAC "\n"
19326- "1:"XRSTOR"\n"
19327+ "1:"
19328+ __copyuser_seg
19329+ XRSTOR"\n"
19330 "2: " ASM_CLAC "\n"
19331 xstate_fault(err)
19332 : "D" (xstate), "a" (lmask), "d" (hmask), "0" (err)
19333 : "memory"); /* memory required? */
19334+ pax_close_userland();
19335 return err;
19336 }
19337
19338@@ -429,7 +441,7 @@ static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
19339 static inline int copy_fpregs_to_fpstate(struct fpu *fpu)
19340 {
19341 if (likely(use_xsave())) {
19342- copy_xregs_to_kernel(&fpu->state.xsave);
19343+ copy_xregs_to_kernel(&fpu->state->xsave);
19344 return 1;
19345 }
19346
19347@@ -442,7 +454,7 @@ static inline int copy_fpregs_to_fpstate(struct fpu *fpu)
19348 * Legacy FPU register saving, FNSAVE always clears FPU registers,
19349 * so we have to mark them inactive:
19350 */
19351- asm volatile("fnsave %[fp]; fwait" : [fp] "=m" (fpu->state.fsave));
19352+ asm volatile("fnsave %[fp]; fwait" : [fp] "=m" (fpu->state->fsave));
19353
19354 return 0;
19355 }
19356@@ -471,7 +483,7 @@ static inline void copy_kernel_to_fpregs(union fpregs_state *fpstate)
19357 "fnclex\n\t"
19358 "emms\n\t"
19359 "fildl %P[addr]" /* set F?P to defined value */
19360- : : [addr] "m" (fpstate));
19361+ : : [addr] "m" (cpu_tss[raw_smp_processor_id()].x86_tss.sp0));
19362 }
19363
19364 __copy_kernel_to_fpregs(fpstate);
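Review bot: The `fildl` operand changes from `fpstate` to `cpu_tss[raw_smp_processor_id()].x86_tss.sp0` without any comment, and the existing one only says the load sets F?P to a defined value. Please add a comment saying why this per-CPU TSS field was chosen and why the `raw_` accessor is acceptable at this point (presumably any readable kernel word would do, but that is my inference, not something the hunk states). With `fpu->state` turned into a pointer elsewhere in this file, it would also help to note that `fpstate` must be non-NULL by the time `__copy_kernel_to_fpregs()` runs. The function starts above the hunk.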
19365@@ -643,7 +655,7 @@ switch_fpu_prepare(struct fpu *old_fpu, struct fpu *new_fpu, int cpu)
19366 static inline void switch_fpu_finish(struct fpu *new_fpu, fpu_switch_t fpu_switch)
19367 {
19368 if (fpu_switch.preload)
19369- copy_kernel_to_fpregs(&new_fpu->state);
19370+ copy_kernel_to_fpregs(new_fpu->state);
19371 }
19372
19373 /*
19374diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h
19375index c49c517..55ff1d0 100644
19376--- a/arch/x86/include/asm/fpu/types.h
19377+++ b/arch/x86/include/asm/fpu/types.h
19378@@ -287,10 +287,9 @@ struct fpu {
19379 * logic, which unconditionally saves/restores all FPU state
19380 * across context switches. (if FPU state exists.)
19381 */
19382- union fpregs_state state;
19383+ union fpregs_state *state;
19384 /*
19385- * WARNING: 'state' is dynamically-sized. Do not put
19386- * anything after it here.
19387+ * WARNING: 'state' is dynamically-sized.
19388 */
19389 };
19390
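Review bot: After `state` becomes a pointer, the remaining comment `WARNING: 'state' is dynamically-sized.` no longer tells the reader anything actionable, and nothing documents who allocates and frees the buffer. The accessors changed in asm/fpu/internal.h (`copy_fxregs_to_kernel()`, `copy_fpregs_to_fpstate()`, `switch_fpu_finish()`) now dereference `fpu->state` with no NULL check, so the invariant that it is set before first use should be written down here. I would replace the warning with something like `/* points to a separately allocated, dynamically sized buffer; must be valid before any FPU save/restore */`. The allocation site is not visible in this section.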
19391diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
19392index b4c1f54..e290c08 100644
19393--- a/arch/x86/include/asm/futex.h
19394+++ b/arch/x86/include/asm/futex.h
19395@@ -12,6 +12,7 @@
19396 #include <asm/smap.h>
19397
19398 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
19399+ typecheck(u32 __user *, uaddr); \
19400 asm volatile("\t" ASM_STAC "\n" \
19401 "1:\t" insn "\n" \
19402 "2:\t" ASM_CLAC "\n" \
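Review bot: Adding `typecheck(u32 __user *, uaddr);` in front of the `asm volatile` turns `__futex_atomic_op1` into two statements, so the macro is only safe where it is used as a full statement inside braces or a `case`. The visible call sites in `futex_atomic_op_inuser()` are fine, but an unbraced `if (x) __futex_atomic_op1(...)` would guard only the type check. Wrapping the body in `do { ... } while (0)` keeps the check and removes that trap; `__futex_atomic_op2` in the next hunk gets the same addition and needs the same remedy. The macro body continues past the end of this hunk.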
19403@@ -20,15 +21,16 @@
19404 "\tjmp\t2b\n" \
19405 "\t.previous\n" \
19406 _ASM_EXTABLE(1b, 3b) \
19407- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
19408+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr)) \
19409 : "i" (-EFAULT), "0" (oparg), "1" (0))
19410
19411 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
19412+ typecheck(u32 __user *, uaddr); \
19413 asm volatile("\t" ASM_STAC "\n" \
19414 "1:\tmovl %2, %0\n" \
19415 "\tmovl\t%0, %3\n" \
19416 "\t" insn "\n" \
19417- "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \
19418+ "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \
19419 "\tjnz\t1b\n" \
19420 "3:\t" ASM_CLAC "\n" \
19421 "\t.section .fixup,\"ax\"\n" \
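Review bot: In `__futex_atomic_op2` only the `cmpxchgl` at label 2 gains `__copyuser_seg`; the `movl %2, %0` at label 1 reads the same user operand and is left as it was. If `__copyuser_seg` expands to a segment override on some configurations, the load and the compare-exchange would then address user memory differently, and the load could simply fault into the fixup path. Either prefix the load as well, `"1:\t" __copyuser_seg"movl %2, %0\n"`, or add a comment explaining why it does not need it. I cannot see the definitions of `__copyuser_seg` or `____m()` from here, so this needs checking against them.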
19422@@ -38,7 +40,7 @@
19423 _ASM_EXTABLE(1b, 4b) \
19424 _ASM_EXTABLE(2b, 4b) \
19425 : "=&a" (oldval), "=&r" (ret), \
19426- "+m" (*uaddr), "=&r" (tem) \
19427+ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
19428 : "r" (oparg), "i" (-EFAULT), "1" (0))
19429
19430 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19431@@ -57,12 +59,13 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19432
19433 pagefault_disable();
19434
19435+ pax_open_userland();
19436 switch (op) {
19437 case FUTEX_OP_SET:
19438- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
19439+ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
19440 break;
19441 case FUTEX_OP_ADD:
19442- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
19443+ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
19444 uaddr, oparg);
19445 break;
19446 case FUTEX_OP_OR:
19447@@ -77,6 +80,7 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19448 default:
19449 ret = -ENOSYS;
19450 }
19451+ pax_close_userland();
19452
19453 pagefault_enable();
19454
19455diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h
19456index 6615032..9c233be 100644
19457--- a/arch/x86/include/asm/hw_irq.h
19458+++ b/arch/x86/include/asm/hw_irq.h
19459@@ -158,8 +158,8 @@ static inline void unlock_vector_lock(void) {}
19460 #endif /* CONFIG_X86_LOCAL_APIC */
19461
19462 /* Statistics */
19463-extern atomic_t irq_err_count;
19464-extern atomic_t irq_mis_count;
19465+extern atomic_unchecked_t irq_err_count;
19466+extern atomic_unchecked_t irq_mis_count;
19467
19468 extern void elcr_set_level_irq(unsigned int irq);
19469
19470diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h
19471index ccffa53..3c90c87 100644
19472--- a/arch/x86/include/asm/i8259.h
19473+++ b/arch/x86/include/asm/i8259.h
19474@@ -62,7 +62,7 @@ struct legacy_pic {
19475 void (*init)(int auto_eoi);
19476 int (*irq_pending)(unsigned int irq);
19477 void (*make_irq)(unsigned int irq);
19478-};
19479+} __do_const;
19480
19481 extern struct legacy_pic *legacy_pic;
19482 extern struct legacy_pic null_legacy_pic;
19483diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h
19484index cc9c61b..7b17f40 100644
19485--- a/arch/x86/include/asm/io.h
19486+++ b/arch/x86/include/asm/io.h
19487@@ -42,6 +42,7 @@
19488 #include <asm/page.h>
19489 #include <asm/early_ioremap.h>
19490 #include <asm/pgtable_types.h>
19491+#include <asm/processor.h>
19492
19493 #define build_mmio_read(name, size, type, reg, barrier) \
19494 static inline type name(const volatile void __iomem *addr) \
19495@@ -54,12 +55,12 @@ static inline void name(type val, volatile void __iomem *addr) \
19496 "m" (*(volatile type __force *)addr) barrier); }
19497
19498 build_mmio_read(readb, "b", unsigned char, "=q", :"memory")
19499-build_mmio_read(readw, "w", unsigned short, "=r", :"memory")
19500-build_mmio_read(readl, "l", unsigned int, "=r", :"memory")
19501+build_mmio_read(__intentional_overflow(-1) readw, "w", unsigned short, "=r", :"memory")
19502+build_mmio_read(__intentional_overflow(-1) readl, "l", unsigned int, "=r", :"memory")
19503
19504 build_mmio_read(__readb, "b", unsigned char, "=q", )
19505-build_mmio_read(__readw, "w", unsigned short, "=r", )
19506-build_mmio_read(__readl, "l", unsigned int, "=r", )
19507+build_mmio_read(__intentional_overflow(-1) __readw, "w", unsigned short, "=r", )
19508+build_mmio_read(__intentional_overflow(-1) __readl, "l", unsigned int, "=r", )
19509
19510 build_mmio_write(writeb, "b", unsigned char, "q", :"memory")
19511 build_mmio_write(writew, "w", unsigned short, "r", :"memory")
19512@@ -115,7 +116,7 @@ build_mmio_write(writeq, "q", unsigned long, "r", :"memory")
19513 * this function
19514 */
19515
19516-static inline phys_addr_t virt_to_phys(volatile void *address)
19517+static inline phys_addr_t __intentional_overflow(-1) virt_to_phys(volatile void *address)
19518 {
19519 return __pa(address);
19520 }
19521@@ -192,7 +193,7 @@ static inline void __iomem *ioremap(resource_size_t offset, unsigned long size)
19522 return ioremap_nocache(offset, size);
19523 }
19524
19525-extern void iounmap(volatile void __iomem *addr);
19526+extern void iounmap(const volatile void __iomem *addr);
19527
19528 extern void set_iounmap_nonlazy(void);
19529
19530@@ -200,6 +201,17 @@ extern void set_iounmap_nonlazy(void);
19531
19532 #include <asm-generic/iomap.h>
19533
19534+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
19535+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
19536+{
19537+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
19538+}
19539+
19540+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
19541+{
19542+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
19543+}
19544+
19545 /*
19546 * Convert a virtual cached pointer to an uncached pointer
19547 */
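Review bot: Both new range checks add before they compare, so a wrapped sum passes. In `valid_phys_addr_range()` the expression `addr + count + PAGE_SIZE - 1` is computed in `unsigned long` and can wrap to a small value, and `pfn + (count >> PAGE_SHIFT)` in `valid_mmap_phys_addr_range()` has the same problem; the widening to `1ULL << ...` happens only after the wrap. Since these helpers decide which physical ranges a caller may reach, reject the wrap first, e.g. `if (count > ULONG_MAX - addr) return 0;`, and compute the page number from the last byte rather than from a rounding add that can itself overflow. The trailing `? 1 : 0` is redundant on a comparison and can go.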
19548diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h
19549index b77f5ed..a2f791e 100644
19550--- a/arch/x86/include/asm/irqflags.h
19551+++ b/arch/x86/include/asm/irqflags.h
19552@@ -137,6 +137,11 @@ static inline notrace unsigned long arch_local_irq_save(void)
19553 swapgs; \
19554 sysretl
19555
19556+#define GET_CR0_INTO_RDI mov %cr0, %rdi
19557+#define SET_RDI_INTO_CR0 mov %rdi, %cr0
19558+#define GET_CR3_INTO_RDI mov %cr3, %rdi
19559+#define SET_RDI_INTO_CR3 mov %rdi, %cr3
19560+
19561 #else
19562 #define INTERRUPT_RETURN iret
19563 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
19564diff --git a/arch/x86/include/asm/kprobes.h b/arch/x86/include/asm/kprobes.h
19565index 4421b5d..8543006 100644
19566--- a/arch/x86/include/asm/kprobes.h
19567+++ b/arch/x86/include/asm/kprobes.h
19568@@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
19569 #define RELATIVEJUMP_SIZE 5
19570 #define RELATIVECALL_OPCODE 0xe8
19571 #define RELATIVE_ADDR_SIZE 4
19572-#define MAX_STACK_SIZE 64
19573-#define MIN_STACK_SIZE(ADDR) \
19574- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
19575- THREAD_SIZE - (unsigned long)(ADDR))) \
19576- ? (MAX_STACK_SIZE) \
19577- : (((unsigned long)current_thread_info()) + \
19578- THREAD_SIZE - (unsigned long)(ADDR)))
19579+#define MAX_STACK_SIZE 64UL
19580+#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
19581
19582 #define flush_insn_slot(p) do { } while (0)
19583
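Review bot: The new `MIN_STACK_SIZE(ADDR)` subtracts in `unsigned long`, so if `ADDR` is ever above `current->thread.sp0` the difference wraps and `min()` clamps it to `MAX_STACK_SIZE` rather than to 0. The removed macro had the same shape, but the switch from `current_thread_info() + THREAD_SIZE` to `thread.sp0` changes which stack top is assumed, and nothing here says that `ADDR` is always on the task stack. A comment stating that assumption, or an explicit guard that `ADDR` does not exceed `sp0`, would make the bound auditable. The `UL` suffix on `MAX_STACK_SIZE` appears to be there for `min()`'s type check and deserves a word as well.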
19584diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h
19585index 4ad6560..75c7bdd 100644
19586--- a/arch/x86/include/asm/local.h
19587+++ b/arch/x86/include/asm/local.h
19588@@ -10,33 +10,97 @@ typedef struct {
19589 atomic_long_t a;
19590 } local_t;
19591
19592+typedef struct {
19593+ atomic_long_unchecked_t a;
19594+} local_unchecked_t;
19595+
19596 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
19597
19598 #define local_read(l) atomic_long_read(&(l)->a)
19599+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
19600 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
19601+#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
19602
19603 static inline void local_inc(local_t *l)
19604 {
19605- asm volatile(_ASM_INC "%0"
19606+ asm volatile(_ASM_INC "%0\n"
19607+
19608+#ifdef CONFIG_PAX_REFCOUNT
19609+ "jno 0f\n"
19610+ _ASM_DEC "%0\n"
19611+ "int $4\n0:\n"
19612+ _ASM_EXTABLE(0b, 0b)
19613+#endif
19614+
19615+ : "+m" (l->a.counter));
19616+}
19617+
19618+static inline void local_inc_unchecked(local_unchecked_t *l)
19619+{
19620+ asm volatile(_ASM_INC "%0\n"
19621 : "+m" (l->a.counter));
19622 }
19623
19624 static inline void local_dec(local_t *l)
19625 {
19626- asm volatile(_ASM_DEC "%0"
19627+ asm volatile(_ASM_DEC "%0\n"
19628+
19629+#ifdef CONFIG_PAX_REFCOUNT
19630+ "jno 0f\n"
19631+ _ASM_INC "%0\n"
19632+ "int $4\n0:\n"
19633+ _ASM_EXTABLE(0b, 0b)
19634+#endif
19635+
19636+ : "+m" (l->a.counter));
19637+}
19638+
19639+static inline void local_dec_unchecked(local_unchecked_t *l)
19640+{
19641+ asm volatile(_ASM_DEC "%0\n"
19642 : "+m" (l->a.counter));
19643 }
19644
19645 static inline void local_add(long i, local_t *l)
19646 {
19647- asm volatile(_ASM_ADD "%1,%0"
19648+ asm volatile(_ASM_ADD "%1,%0\n"
19649+
19650+#ifdef CONFIG_PAX_REFCOUNT
19651+ "jno 0f\n"
19652+ _ASM_SUB "%1,%0\n"
19653+ "int $4\n0:\n"
19654+ _ASM_EXTABLE(0b, 0b)
19655+#endif
19656+
19657+ : "+m" (l->a.counter)
19658+ : "ir" (i));
19659+}
19660+
19661+static inline void local_add_unchecked(long i, local_unchecked_t *l)
19662+{
19663+ asm volatile(_ASM_ADD "%1,%0\n"
19664 : "+m" (l->a.counter)
19665 : "ir" (i));
19666 }
19667
19668 static inline void local_sub(long i, local_t *l)
19669 {
19670- asm volatile(_ASM_SUB "%1,%0"
19671+ asm volatile(_ASM_SUB "%1,%0\n"
19672+
19673+#ifdef CONFIG_PAX_REFCOUNT
19674+ "jno 0f\n"
19675+ _ASM_ADD "%1,%0\n"
19676+ "int $4\n0:\n"
19677+ _ASM_EXTABLE(0b, 0b)
19678+#endif
19679+
19680+ : "+m" (l->a.counter)
19681+ : "ir" (i));
19682+}
19683+
19684+static inline void local_sub_unchecked(long i, local_unchecked_t *l)
19685+{
19686+ asm volatile(_ASM_SUB "%1,%0\n"
19687 : "+m" (l->a.counter)
19688 : "ir" (i));
19689 }
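Review bot: The overflow guard under `CONFIG_PAX_REFCOUNT` is written out four times in this hunk (`local_inc`, `local_dec`, `local_add`, `local_sub`) and again in `local_add_return()` further down, each time as `jno 0f` / inverse operation / `int $4`, with no comment. A short comment on the first instance, e.g. `/* on signed overflow: undo the update, then raise the overflow trap */`, and a helper macro taking the inverse instruction would keep the copies from drifting apart. The `_unchecked` variants also need a line saying when they are appropriate, since choosing one opts a counter out of the protection. Only `local_add_return_unchecked()` has a kernel-doc block, and it does not mention that.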
19690@@ -52,7 +116,7 @@ static inline void local_sub(long i, local_t *l)
19691 */
19692 static inline int local_sub_and_test(long i, local_t *l)
19693 {
19694- GEN_BINARY_RMWcc(_ASM_SUB, l->a.counter, "er", i, "%0", "e");
19695+ GEN_BINARY_RMWcc(_ASM_SUB, _ASM_ADD, l->a.counter, "er", i, "%0", "e");
19696 }
19697
19698 /**
19699@@ -65,7 +129,7 @@ static inline int local_sub_and_test(long i, local_t *l)
19700 */
19701 static inline int local_dec_and_test(local_t *l)
19702 {
19703- GEN_UNARY_RMWcc(_ASM_DEC, l->a.counter, "%0", "e");
19704+ GEN_UNARY_RMWcc(_ASM_DEC, _ASM_INC, l->a.counter, "%0", "e");
19705 }
19706
19707 /**
19708@@ -78,7 +142,7 @@ static inline int local_dec_and_test(local_t *l)
19709 */
19710 static inline int local_inc_and_test(local_t *l)
19711 {
19712- GEN_UNARY_RMWcc(_ASM_INC, l->a.counter, "%0", "e");
19713+ GEN_UNARY_RMWcc(_ASM_INC, _ASM_DEC, l->a.counter, "%0", "e");
19714 }
19715
19716 /**
19717@@ -92,7 +156,7 @@ static inline int local_inc_and_test(local_t *l)
19718 */
19719 static inline int local_add_negative(long i, local_t *l)
19720 {
19721- GEN_BINARY_RMWcc(_ASM_ADD, l->a.counter, "er", i, "%0", "s");
19722+ GEN_BINARY_RMWcc(_ASM_ADD, _ASM_SUB, l->a.counter, "er", i, "%0", "s");
19723 }
19724
19725 /**
19726@@ -105,6 +169,30 @@ static inline int local_add_negative(long i, local_t *l)
19727 static inline long local_add_return(long i, local_t *l)
19728 {
19729 long __i = i;
19730+ asm volatile(_ASM_XADD "%0, %1\n"
19731+
19732+#ifdef CONFIG_PAX_REFCOUNT
19733+ "jno 0f\n"
19734+ _ASM_MOV "%0,%1\n"
19735+ "int $4\n0:\n"
19736+ _ASM_EXTABLE(0b, 0b)
19737+#endif
19738+
19739+ : "+r" (i), "+m" (l->a.counter)
19740+ : : "memory");
19741+ return i + __i;
19742+}
19743+
19744+/**
19745+ * local_add_return_unchecked - add and return
19746+ * @i: integer value to add
19747+ * @l: pointer to type local_unchecked_t
19748+ *
19749+ * Atomically adds @i to @l and returns @i + @l
19750+ */
19751+static inline long local_add_return_unchecked(long i, local_unchecked_t *l)
19752+{
19753+ long __i = i;
19754 asm volatile(_ASM_XADD "%0, %1;"
19755 : "+r" (i), "+m" (l->a.counter)
19756 : : "memory");
19757@@ -121,6 +209,8 @@ static inline long local_sub_return(long i, local_t *l)
19758
19759 #define local_cmpxchg(l, o, n) \
19760 (cmpxchg_local(&((l)->a.counter), (o), (n)))
19761+#define local_cmpxchg_unchecked(l, o, n) \
19762+ (cmpxchg_local(&((l)->a.counter), (o), (n)))
19763 /* Always has a lock prefix */
19764 #define local_xchg(l, n) (xchg(&((l)->a.counter), (n)))
19765
19766diff --git a/arch/x86/include/asm/mman.h b/arch/x86/include/asm/mman.h
19767new file mode 100644
19768index 0000000..2bfd3ba
19769--- /dev/null
19770+++ b/arch/x86/include/asm/mman.h
19771@@ -0,0 +1,15 @@
19772+#ifndef _X86_MMAN_H
19773+#define _X86_MMAN_H
19774+
19775+#include <uapi/asm/mman.h>
19776+
19777+#ifdef __KERNEL__
19778+#ifndef __ASSEMBLY__
19779+#ifdef CONFIG_X86_32
19780+#define arch_mmap_check i386_mmap_check
19781+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags);
19782+#endif
19783+#endif
19784+#endif
19785+
19786+#endif /* X86_MMAN_H */
19787diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
19788index 364d274..e51b4bc 100644
19789--- a/arch/x86/include/asm/mmu.h
19790+++ b/arch/x86/include/asm/mmu.h
19791@@ -17,7 +17,19 @@ typedef struct {
19792 #endif
19793
19794 struct mutex lock;
19795- void __user *vdso;
19796+ unsigned long vdso;
19797+
19798+#ifdef CONFIG_X86_32
19799+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19800+ unsigned long user_cs_base;
19801+ unsigned long user_cs_limit;
19802+
19803+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
19804+ cpumask_t cpu_user_cs_mask;
19805+#endif
19806+
19807+#endif
19808+#endif
19809
19810 atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */
19811 } mm_context_t;
19812diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
19813index 984abfe..9996c62 100644
19814--- a/arch/x86/include/asm/mmu_context.h
19815+++ b/arch/x86/include/asm/mmu_context.h
19816@@ -45,7 +45,7 @@ struct ldt_struct {
19817 * allocations, but it's not worth trying to optimize.
19818 */
19819 struct desc_struct *entries;
19820- int size;
19821+ unsigned int size;
19822 };
19823
19824 static inline void load_mm_ldt(struct mm_struct *mm)
19825@@ -86,26 +86,95 @@ void destroy_context(struct mm_struct *mm);
19826
19827 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
19828 {
19829+
19830+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19831+ if (!(static_cpu_has(X86_FEATURE_PCIDUDEREF))) {
19832+ unsigned int i;
19833+ pgd_t *pgd;
19834+
19835+ pax_open_kernel();
19836+ pgd = get_cpu_pgd(smp_processor_id(), kernel);
19837+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
19838+ set_pgd_batched(pgd+i, native_make_pgd(0));
19839+ pax_close_kernel();
19840+ }
19841+#endif
19842+
19843 #ifdef CONFIG_SMP
19844 if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
19845 this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
19846 #endif
19847 }
19848
19849+static inline void pax_switch_mm(struct mm_struct *next, unsigned int cpu)
19850+{
19851+
19852+#ifdef CONFIG_PAX_PER_CPU_PGD
19853+ pax_open_kernel();
19854+
19855+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19856+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF))
19857+ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
19858+ else
19859+#endif
19860+
19861+ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
19862+
19863+ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
19864+
19865+ pax_close_kernel();
19866+
19867+ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
19868+
19869+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19870+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
19871+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
19872+ u64 descriptor[2];
19873+ descriptor[0] = PCID_USER;
19874+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
19875+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) {
19876+ descriptor[0] = PCID_KERNEL;
19877+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
19878+ }
19879+ } else {
19880+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
19881+ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
19882+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
19883+ else
19884+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
19885+ }
19886+ } else
19887+#endif
19888+
19889+ load_cr3(get_cpu_pgd(cpu, kernel));
19890+#endif
19891+
19892+}
19893+
19894 static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19895 struct task_struct *tsk)
19896 {
19897 unsigned cpu = smp_processor_id();
19898+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19899+ int tlbstate = TLBSTATE_OK;
19900+#endif
19901
19902 if (likely(prev != next)) {
19903 #ifdef CONFIG_SMP
19904+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19905+ tlbstate = this_cpu_read(cpu_tlbstate.state);
19906+#endif
19907 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
19908 this_cpu_write(cpu_tlbstate.active_mm, next);
19909 #endif
19910 cpumask_set_cpu(cpu, mm_cpumask(next));
19911
19912 /* Re-load page tables */
19913+#ifdef CONFIG_PAX_PER_CPU_PGD
19914+ pax_switch_mm(next, cpu);
19915+#else
19916 load_cr3(next->pgd);
19917+#endif
19918 trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
19919
19920 /* Stop flush ipis for the previous mm */
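Review bot: In `pax_switch_mm()` the INVPCID descriptor is declared as `u64 descriptor[2]` and only `descriptor[0]` is ever assigned, so the instruction is handed eight bytes of uninitialised stack as its second half. The single-context type may well ignore that half, but initialising it costs nothing: `u64 descriptor[2] = { PCID_USER, 0 };`. The `BUG_ON()` just above packs two CR3 comparisons into one line; naming the expected kernel and user values in locals and adding a comment on what state is being asserted would make it reviewable. `switch_mm()` continues in the following hunks.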
19921@@ -128,9 +197,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19922 */
19923 if (unlikely(prev->context.ldt != next->context.ldt))
19924 load_mm_ldt(next);
19925+
19926+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
19927+ if (!(__supported_pte_mask & _PAGE_NX)) {
19928+ smp_mb__before_atomic();
19929+ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
19930+ smp_mb__after_atomic();
19931+ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
19932+ }
19933+#endif
19934+
19935+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19936+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
19937+ prev->context.user_cs_limit != next->context.user_cs_limit))
19938+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
19939+#ifdef CONFIG_SMP
19940+ else if (unlikely(tlbstate != TLBSTATE_OK))
19941+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
19942+#endif
19943+#endif
19944+
19945 }
19946+ else {
19947+ pax_switch_mm(next, cpu);
19948+
19949 #ifdef CONFIG_SMP
19950- else {
19951 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
19952 BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
19953
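Review bot: The `smp_mb__before_atomic()` / `smp_mb__after_atomic()` pair around `cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask)` has no comment naming what it orders against. Kernel style asks for that on every barrier, and it matters here because `cpu_user_cs_mask` is presumably read from another CPU; that reader is not visible in this hunk. Something like `/* pairs with READER_FN (placeholder): prev's bit is cleared before next's bit is set */`, with the real function name filled in, would do. The `tlbstate` local declared in the previous hunk is consumed here under a different `#if` nesting than the one that declares it, so a comment tying those conditions together would also help.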
19954@@ -147,13 +238,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19955 * tlb flush IPI delivery. We must reload CR3
19956 * to make sure to use no freed page tables.
19957 */
19958+
19959+#ifndef CONFIG_PAX_PER_CPU_PGD
19960 load_cr3(next->pgd);
19961 trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
19962+#endif
19963+
19964 load_mm_cr4(next);
19965 load_mm_ldt(next);
19966+
19967+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
19968+ if (!(__supported_pte_mask & _PAGE_NX))
19969+ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
19970+#endif
19971+
19972+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19973+#ifdef CONFIG_PAX_PAGEEXEC
19974+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
19975+#endif
19976+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
19977+#endif
19978+
19979 }
19980+#endif
19981 }
19982-#endif
19983 }
19984
19985 #define activate_mm(prev, next) \
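Review bot: The added `#ifdef CONFIG_PAX_PAGEEXEC` wraps only an `if (...)` line whose body, the `set_user_cs()` call, sits after the `#endif`, so the call is conditional or unconditional depending on configuration and an edit between the two lines would silently change what the `if` controls. `pax_switch_mm()` uses the same shape with `else` / `#endif` / `__clone_user_pgds(...)`. Braces plus a small helper predicate that is constant when PAGEEXEC is compiled out would remove the trap. Separately, with `CONFIG_PAX_PER_CPU_PGD` this branch no longer calls `trace_tlb_flush()` although `pax_switch_mm()` at the top of the `else` has already reloaded the page tables; the first branch still traces it.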
19986diff --git a/arch/x86/include/asm/module.h b/arch/x86/include/asm/module.h
19987index e3b7819..b257c64 100644
19988--- a/arch/x86/include/asm/module.h
19989+++ b/arch/x86/include/asm/module.h
19990@@ -5,6 +5,7 @@
19991
19992 #ifdef CONFIG_X86_64
19993 /* X86_64 does not define MODULE_PROC_FAMILY */
19994+#define MODULE_PROC_FAMILY ""
19995 #elif defined CONFIG_M486
19996 #define MODULE_PROC_FAMILY "486 "
19997 #elif defined CONFIG_M586
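Review bot: The context comment `/* X86_64 does not define MODULE_PROC_FAMILY */` is now false, because the line added right under it defines the macro as an empty string. Update it to say why, e.g. `/* no per-family tag on x86_64; empty so MODULE_ARCH_VERMAGIC can concatenate it */`. In the next hunk `MODULE_ARCH_VERMAGIC` picks up only the KERNEXEC method and UDEREF; if other options in this patch also change the module ABI they are not reflected in the string, which I cannot judge from this file alone.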
19998@@ -57,8 +58,20 @@
19999 #error unknown processor family
20000 #endif
20001
20002-#ifdef CONFIG_X86_32
20003-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
20004+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS
20005+#define MODULE_PAX_KERNEXEC "KERNEXEC_BTS "
20006+#elif defined(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR)
20007+#define MODULE_PAX_KERNEXEC "KERNEXEC_OR "
20008+#else
20009+#define MODULE_PAX_KERNEXEC ""
20010 #endif
20011
20012+#ifdef CONFIG_PAX_MEMORY_UDEREF
20013+#define MODULE_PAX_UDEREF "UDEREF "
20014+#else
20015+#define MODULE_PAX_UDEREF ""
20016+#endif
20017+
20018+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
20019+
20020 #endif /* _ASM_X86_MODULE_H */
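--- a/arch/x86/include/asm/nmi.h
+++ b/arch/x86/include/asm/nmi.h
@@ -36,26 +36,35 @@ enum {
 
 typedef int (*nmi_handler_t)(unsigned int, struct pt_regs *);
 
+struct nmiaction;
+
+struct nmiwork {
+ const struct nmiaction *action;
+ u64 max_duration;
+ struct irq_work irq_work;
+};
+
 struct nmiaction {
 struct list_head list;
 nmi_handler_t handler;
- u64 max_duration;
- struct irq_work irq_work;
 unsigned long flags;
 const char *name;
-};
+ struct nmiwork *work;
+} __do_const;
 
 #define register_nmi_handler(t, fn, fg, n, init...) \
 ({ \
- static struct nmiaction init fn##_na = { \
+ static struct nmiwork fn##_nw; \
+ static const struct nmiaction init fn##_na = { \
 .handler = (fn), \
 .name = (n), \
 .flags = (fg), \
+ .work = &fn##_nw, \
 }; \
 __register_nmi_handler((t), &fn##_na); \
 })
 
-int __register_nmi_handler(unsigned int, struct nmiaction *);
+int __register_nmi_handler(unsigned int, const struct nmiaction *);
 
 void unregister_nmi_handler(unsigned int, const char *);
 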
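Review bot: The new `struct nmiwork` has no comment explaining why the mutable fields were split out, and nothing in the `register_nmi_handler` macro sets its `action` back-pointer. The macro initialises only `.work = &fn##_nw` on the now-const `nmiaction`, so `fn##_nw.action` stays NULL until something else fills it in, presumably `__register_nmi_handler()`, whose body is outside this section. I would add `/* mutable per-handler state, kept separate so struct nmiaction can be const */` above the struct and name the function that is responsible for setting `action`. `fn##_nw` is also declared without the `init` section argument that `fn##_na` receives, which deserves a word if it is intentional.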
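--- a/arch/x86/include/asm/page.h
+++ b/arch/x86/include/asm/page.h
@@ -52,6 +52,7 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr,
 __phys_addr_symbol(__phys_reloc_hide((unsigned long)(x)))
 
 #define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET))
+#define __early_va(x) ((void *)((unsigned long)(x)+__START_KERNEL_map - phys_base))
 
 #define __boot_va(x) __va(x)
 #define __boot_pa(x) __pa(x)
@@ -60,11 +61,21 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr,
 * virt_to_page(kaddr) returns a valid pointer if and only if
 * virt_addr_valid(kaddr) returns true.
 */
-#define virt_to_page(kaddr) pfn_to_page(__pa(kaddr) >> PAGE_SHIFT)
 #define pfn_to_kaddr(pfn) __va((pfn) << PAGE_SHIFT)
 extern bool __virt_addr_valid(unsigned long kaddr);
 #define virt_addr_valid(kaddr) __virt_addr_valid((unsigned long) (kaddr))
 
+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
+#define virt_to_page(kaddr) \
+ ({ \
+ const void *__kaddr = (const void *)(kaddr); \
+ BUG_ON(!virt_addr_valid(__kaddr)); \
+ pfn_to_page(__pa(__kaddr) >> PAGE_SHIFT); \
+ })
+#else
+#define virt_to_page(kaddr) pfn_to_page(__pa(kaddr) >> PAGE_SHIFT)
+#endif
+
 #endif /* __ASSEMBLY__ */
 
 #include <asm-generic/memory_model.h>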
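Review bot: The hardened `virt_to_page()` in the second hunk turns an invalid address into a `BUG_ON()` halt but carries no comment saying why the check is tied to `CONFIG_GRKERNSEC_KSTACKOVERFLOW`. A short comment such as `/* with KSTACKOVERFLOW not every kernel pointer is in the direct map; refuse to translate one that is not */` would help, though that rationale is my inference and should be confirmed by the author. The added `__early_va()` in the first hunk uses `__START_KERNEL_map` and `phys_base`, which this page shows declared only in page_64.h, so it should be documented as 64-bit only or moved there.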
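--- a/arch/x86/include/asm/page_32.h
+++ b/arch/x86/include/asm/page_32.h
@@ -7,11 +7,17 @@
 
 #define __phys_addr_nodebug(x) ((x) - PAGE_OFFSET)
 #ifdef CONFIG_DEBUG_VIRTUAL
-extern unsigned long __phys_addr(unsigned long);
+extern unsigned long __intentional_overflow(-1) __phys_addr(unsigned long);
 #else
-#define __phys_addr(x) __phys_addr_nodebug(x)
+static inline unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x)
+{
+ return __phys_addr_nodebug(x);
+}
 #endif
-#define __phys_addr_symbol(x) __phys_addr(x)
+static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long x)
+{
+ return __phys_addr(x);
+}
 #define __phys_reloc_hide(x) RELOC_HIDE((x), 0)
 
 #ifdef CONFIG_FLATMEM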
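Review bot: The `__intentional_overflow(-1)` annotation is added to three declarations here with no comment on what it tells the overflow checker, and the same holds for the uses in page_64.h and paravirt.h. A one-line note above the first use, such as `/* address arithmetic wraps by design; exempt the result from overflow instrumentation */`, would do; the exact meaning of the `-1` argument is not visible on this page and should be confirmed. Turning the `__phys_addr()` and `__phys_addr_symbol()` macros into functions taking `unsigned long` also means an argument of another type is now converted or rejected rather than pasted through, which is probably wanted but worth stating in the description.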
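--- a/arch/x86/include/asm/page_64.h
+++ b/arch/x86/include/asm/page_64.h
@@ -7,9 +7,9 @@
 
 /* duplicated to the one in bootmem.h */
 extern unsigned long max_pfn;
-extern unsigned long phys_base;
+extern const unsigned long phys_base;
 
-static inline unsigned long __phys_addr_nodebug(unsigned long x)
+static inline unsigned long __intentional_overflow(-1) __phys_addr_nodebug(unsigned long x)
 {
 unsigned long y = x - __START_KERNEL_map;
 
@@ -20,12 +20,14 @@ static inline unsigned long __phys_addr_nodebug(unsigned long x)
 }
 
 #ifdef CONFIG_DEBUG_VIRTUAL
-extern unsigned long __phys_addr(unsigned long);
-extern unsigned long __phys_addr_symbol(unsigned long);
+extern unsigned long __intentional_overflow(-1) __phys_addr(unsigned long);
+extern unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long);
 #else
 #define __phys_addr(x) __phys_addr_nodebug(x)
-#define __phys_addr_symbol(x) \
- ((unsigned long)(x) - __START_KERNEL_map + phys_base)
+static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long x)
+{
+ return x - __START_KERNEL_map + phys_base;
+}
 #endif
 
 #define __phys_reloc_hide(x) (x)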
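Review bot: `phys_base` is now declared `extern const unsigned long` in the first hunk, which is only sound if the definition is const-qualified as well and no C code assigns to it after this change. The definition and any early-boot adjustment of the value are outside this section, so that cannot be checked from here. I would add a comment at the declaration stating the contract, for example `/* set once during early boot, read-only afterwards */`, and have the author confirm where the one permitted write happens.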
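--- a/arch/x86/include/asm/paravirt.h
+++ b/arch/x86/include/asm/paravirt.h
@@ -560,7 +560,7 @@ static inline pmd_t __pmd(pmdval_t val)
 return (pmd_t) { ret };
 }
 
-static inline pmdval_t pmd_val(pmd_t pmd)
+static inline __intentional_overflow(-1) pmdval_t pmd_val(pmd_t pmd)
 {
 pmdval_t ret;
 
@@ -626,6 +626,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
 val);
 }
 
+static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
+{
+ pgdval_t val = native_pgd_val(pgd);
+
+ if (sizeof(pgdval_t) > sizeof(long))
+ PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
+ val, (u64)val >> 32);
+ else
+ PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
+ val);
+}
+
 static inline void pgd_clear(pgd_t *pgdp)
 {
 set_pgd(pgdp, __pgd(0));
@@ -710,6 +722,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx,
 pv_mmu_ops.set_fixmap(idx, phys, flags);
 }
 
+#ifdef CONFIG_PAX_KERNEXEC
+static inline unsigned long pax_open_kernel(void)
+{
+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
+}
+
+static inline unsigned long pax_close_kernel(void)
+{
+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
+}
+#else
+static inline unsigned long pax_open_kernel(void) { return 0; }
+static inline unsigned long pax_close_kernel(void) { return 0; }
+#endif
+
 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
 
 #ifdef CONFIG_QUEUED_SPINLOCKS
@@ -933,7 +960,7 @@ extern void default_banner(void);
 
 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
-#define PARA_INDIRECT(addr) *%cs:addr
+#define PARA_INDIRECT(addr) *%ss:addr
 #endif
 
 #define INTERRUPT_RETURN \
@@ -1003,6 +1030,21 @@ extern void default_banner(void);
 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_usergs_sysret64), \
 CLBR_NONE, \
 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret64))
+
+#define GET_CR0_INTO_RDI \
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
+ mov %rax,%rdi
+
+#define SET_RDI_INTO_CR0 \
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
+
+#define GET_CR3_INTO_RDI \
+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
+ mov %rax,%rdi
+
+#define SET_RDI_INTO_CR3 \
+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
+
 #endif /* CONFIG_X86_32 */
 
 #endif /* __ASSEMBLY__ */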
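Review bot: The one-line change of `PARA_INDIRECT(addr)` from `*%cs:addr` to `*%ss:addr` in the fourth hunk alters the segment override used by every paravirt indirect call and jump in that branch (the `.long, 4` site size suggests the 32-bit one) and has no comment. A note such as `/* the ops tables are data; reach them through %ss because %cs may not cover them */` should be added once the author confirms the reason, which I can only infer. In the third hunk `pax_open_kernel()` and `pax_close_kernel()` return `unsigned long`, yet every caller visible on this page discards the value, so the return value should be documented or the wrappers made `void`.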
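--- a/arch/x86/include/asm/paravirt_types.h
+++ b/arch/x86/include/asm/paravirt_types.h
@@ -84,7 +84,7 @@ struct pv_init_ops {
 */
 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
 unsigned long addr, unsigned len);
-};
+} __no_const __no_randomize_layout;
 
 
 struct pv_lazy_ops {
@@ -92,13 +92,13 @@ struct pv_lazy_ops {
 void (*enter)(void);
 void (*leave)(void);
 void (*flush)(void);
-};
+} __no_randomize_layout;
 
 struct pv_time_ops {
 unsigned long long (*sched_clock)(void);
 unsigned long long (*steal_clock)(int cpu);
 unsigned long (*get_tsc_khz)(void);
-};
+} __no_const __no_randomize_layout;
 
 struct pv_cpu_ops {
 /* hooks for various privileged instructions */
@@ -193,7 +193,7 @@ struct pv_cpu_ops {
 
 void (*start_context_switch)(struct task_struct *prev);
 void (*end_context_switch)(struct task_struct *next);
-};
+} __no_const __no_randomize_layout;
 
 struct pv_irq_ops {
 /*
@@ -216,7 +216,7 @@ struct pv_irq_ops {
 #ifdef CONFIG_X86_64
 void (*adjust_exception_frame)(void);
 #endif
-};
+} __no_randomize_layout;
 
 struct pv_apic_ops {
 #ifdef CONFIG_X86_LOCAL_APIC
@@ -224,7 +224,7 @@ struct pv_apic_ops {
 unsigned long start_eip,
 unsigned long start_esp);
 #endif
-};
+} __no_const __no_randomize_layout;
 
 struct pv_mmu_ops {
 unsigned long (*read_cr2)(void);
@@ -314,6 +314,7 @@ struct pv_mmu_ops {
 struct paravirt_callee_save make_pud;
 
 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
+ void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
 #endif /* CONFIG_PGTABLE_LEVELS == 4 */
 #endif /* CONFIG_PGTABLE_LEVELS >= 3 */
 
@@ -325,7 +326,13 @@ struct pv_mmu_ops {
 an mfn. We can tell which is which from the index. */
 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
 phys_addr_t phys, pgprot_t flags);
-};
+
+#ifdef CONFIG_PAX_KERNEXEC
+ unsigned long (*pax_open_kernel)(void);
+ unsigned long (*pax_close_kernel)(void);
+#endif
+
+} __no_randomize_layout;
 
 struct arch_spinlock;
 #ifdef CONFIG_SMP
@@ -347,11 +354,14 @@ struct pv_lock_ops {
 struct paravirt_callee_save lock_spinning;
 void (*unlock_kick)(struct arch_spinlock *lock, __ticket_t ticket);
 #endif /* !CONFIG_QUEUED_SPINLOCKS */
-};
+} __no_randomize_layout;
 
 /* This contains all the paravirt structures: we get a convenient
 * number for each function using the offset which we use to indicate
- * what to patch. */
+ * what to patch.
+ * shouldn't be randomized due to the "NEAT TRICK" in paravirt.c
+ */
+
 struct paravirt_patch_template {
 struct pv_init_ops pv_init_ops;
 struct pv_time_ops pv_time_ops;
@@ -360,7 +370,7 @@ struct paravirt_patch_template {
 struct pv_apic_ops pv_apic_ops;
 struct pv_mmu_ops pv_mmu_ops;
 struct pv_lock_ops pv_lock_ops;
-};
+} __no_randomize_layout;
 
 extern struct pv_info pv_info;
 extern struct pv_init_ops pv_init_ops;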
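Review bot: Four of the ops tables (`pv_init_ops`, `pv_time_ops`, `pv_cpu_ops`, `pv_apic_ops`) gain `__no_const` while `pv_lazy_ops`, `pv_irq_ops`, `pv_mmu_ops` and `pv_lock_ops` do not, and nothing in the section explains the difference. A table of function pointers that is exempted from constification stays writable at run time, so each exemption should name the code that needs to write it, e.g. `/* __no_const: assigned by <writer> during boot */` with the writer filled in by the author. The sentence added above `paravirt_patch_template` is also cut off from the struct by a new blank line and starts in lower case; I would fold it into the block comment as `* Must not be layout-randomized: see the "NEAT TRICK" in paravirt.c.`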
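--- a/arch/x86/include/asm/pgalloc.h
+++ b/arch/x86/include/asm/pgalloc.h
@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(struct mm_struct *mm,
 pmd_t *pmd, pte_t *pte)
 {
 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
+}
+
+static inline void pmd_populate_user(struct mm_struct *mm,
+ pmd_t *pmd, pte_t *pte)
+{
+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
 }
 
@@ -108,12 +115,22 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmd,
 
 #ifdef CONFIG_X86_PAE
 extern void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd);
+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
+{
+ pud_populate(mm, pudp, pmd);
+}
 #else /* !CONFIG_X86_PAE */
 static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
 {
 paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
 set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)));
 }
+
+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
+{
+ paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
+ set_pud(pud, __pud(_KERNPG_TABLE | __pa(pmd)));
+}
 #endif /* CONFIG_X86_PAE */
 
 #if CONFIG_PGTABLE_LEVELS > 3
@@ -123,6 +140,12 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
 set_pgd(pgd, __pgd(_PAGE_TABLE | __pa(pud)));
 }
 
+static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
+{
+ paravirt_alloc_pud(mm, __pa(pud) >> PAGE_SHIFT);
+ set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(pud)));
+}
+
 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
 {
 return (pud_t *)get_zeroed_page(GFP_KERNEL|__GFP_REPEAT);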
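Review bot: `pmd_populate_kernel()` in the first hunk now installs the table with `_KERNPG_TABLE` instead of `_PAGE_TABLE`, so any existing caller that used it for a range user space must reach loses the user bit at the pmd level, and this section does not show those callers being audited. The new `pmd_populate_user()` keeps the old flags but nothing tells the two apart; I would add `/* kernel-only mapping: no _PAGE_USER in the upper-level entry */` and `/* user-reachable mapping */` above them. In the PAE branch of the second hunk `pud_populate_kernel()` simply forwards to `pud_populate()`, so the distinction is not made there, and a comment should say why that is acceptable.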
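--- a/arch/x86/include/asm/pgtable-2level.h
+++ b/arch/x86/include/asm/pgtable-2level.h
@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t *ptep , pte_t pte)
 
 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
 {
+ pax_open_kernel();
 *pmdp = pmd;
+ pax_close_kernel();
 }
 
 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)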
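--- a/arch/x86/include/asm/pgtable-3level.h
+++ b/arch/x86/include/asm/pgtable-3level.h
@@ -92,12 +92,16 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
 
 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
 {
+ pax_open_kernel();
 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
+ pax_close_kernel();
 }
 
 static inline void native_set_pud(pud_t *pudp, pud_t pud)
 {
+ pax_open_kernel();
 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
+ pax_close_kernel();
 }
 
 /*
@@ -116,9 +120,12 @@ static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
 static inline void native_pmd_clear(pmd_t *pmd)
 {
 u32 *tmp = (u32 *)pmd;
+
+ pax_open_kernel();
 *tmp = 0;
 smp_wmb();
 *(tmp + 1) = 0;
+ pax_close_kernel();
 }
 
 static inline void pud_clear(pud_t *pudp)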
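--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -47,6 +47,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
 
 #ifndef __PAGETABLE_PUD_FOLDED
 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
+#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
 #define pgd_clear(pgd) native_pgd_clear(pgd)
 #endif
 
@@ -84,12 +85,53 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
 
 #define arch_end_context_switch(prev) do {} while(0)
 
+#define pax_open_kernel() native_pax_open_kernel()
+#define pax_close_kernel() native_pax_close_kernel()
 #endif /* CONFIG_PARAVIRT */
 
+#define __HAVE_ARCH_PAX_OPEN_KERNEL
+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
+
+#ifdef CONFIG_PAX_KERNEXEC
+static inline unsigned long native_pax_open_kernel(void)
+{
+ unsigned long cr0;
+
+ preempt_disable();
+ barrier();
+ cr0 = read_cr0() ^ X86_CR0_WP;
+ BUG_ON(cr0 & X86_CR0_WP);
+ write_cr0(cr0);
+ barrier();
+ return cr0 ^ X86_CR0_WP;
+}
+
+static inline unsigned long native_pax_close_kernel(void)
+{
+ unsigned long cr0;
+
+ barrier();
+ cr0 = read_cr0() ^ X86_CR0_WP;
+ BUG_ON(!(cr0 & X86_CR0_WP));
+ write_cr0(cr0);
+ barrier();
+ preempt_enable_no_resched();
+ return cr0 ^ X86_CR0_WP;
+}
+#else
+static inline unsigned long native_pax_open_kernel(void) { return 0; }
+static inline unsigned long native_pax_close_kernel(void) { return 0; }
+#endif
+
 /*
 * The following only work if pte_present() is true.
 * Undefined behaviour if not..
 */
+static inline int pte_user(pte_t pte)
+{
+ return pte_val(pte) & _PAGE_USER;
+}
+
 static inline int pte_dirty(pte_t pte)
 {
 return pte_flags(pte) & _PAGE_DIRTY;
@@ -150,6 +192,11 @@ static inline unsigned long pud_pfn(pud_t pud)
 return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT;
 }
 
+static inline unsigned long pgd_pfn(pgd_t pgd)
+{
+ return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT;
+}
+
 #define pte_page(pte) pfn_to_page(pte_pfn(pte))
 
 static inline int pmd_large(pmd_t pte)
@@ -203,9 +250,29 @@ static inline pte_t pte_wrprotect(pte_t pte)
 return pte_clear_flags(pte, _PAGE_RW);
 }
 
+static inline pte_t pte_mkread(pte_t pte)
+{
+ return __pte(pte_val(pte) | _PAGE_USER);
+}
+
 static inline pte_t pte_mkexec(pte_t pte)
 {
- return pte_clear_flags(pte, _PAGE_NX);
+#ifdef CONFIG_X86_PAE
+ if (__supported_pte_mask & _PAGE_NX)
+ return pte_clear_flags(pte, _PAGE_NX);
+ else
+#endif
+ return pte_set_flags(pte, _PAGE_USER);
+}
+
+static inline pte_t pte_exprotect(pte_t pte)
+{
+#ifdef CONFIG_X86_PAE
+ if (__supported_pte_mask & _PAGE_NX)
+ return pte_set_flags(pte, _PAGE_NX);
+ else
+#endif
+ return pte_clear_flags(pte, _PAGE_USER);
 }
 
 static inline pte_t pte_mkdirty(pte_t pte)
@@ -426,6 +493,16 @@ pte_t *populate_extra_pte(unsigned long vaddr);
 #endif
 
 #ifndef __ASSEMBLY__
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD];
+enum cpu_pgd_type {kernel = 0, user = 1};
+static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type)
+{
+ return cpu_pgd[cpu][type];
+}
+#endif
+
 #include <linux/mm_types.h>
 #include <linux/mmdebug.h>
 #include <linux/log2.h>
@@ -577,7 +654,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud)
 * Currently stuck as a macro due to indirect forward reference to
 * linux/mmzone.h's __section_mem_map_addr() definition:
 */
-#define pud_page(pud) pfn_to_page(pud_val(pud) >> PAGE_SHIFT)
+#define pud_page(pud) pfn_to_page((pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT)
 
 /* Find an entry in the second-level page table.. */
 static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
@@ -617,7 +694,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd)
 * Currently stuck as a macro due to indirect forward reference to
 * linux/mmzone.h's __section_mem_map_addr() definition:
 */
-#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT)
+#define pgd_page(pgd) pfn_to_page((pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT)
 
 /* to find an entry in a page-table-directory. */
 static inline unsigned long pud_index(unsigned long address)
@@ -632,7 +709,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
 
 static inline int pgd_bad(pgd_t pgd)
 {
- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
 }
 
 static inline int pgd_none(pgd_t pgd)
@@ -655,7 +732,12 @@ static inline int pgd_none(pgd_t pgd)
 * pgd_offset() returns a (pgd_t *)
 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
 */
-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address))
+#endif
+
 /*
 * a shortcut which implies the use of the kernel's pgd, instead
 * of a process's
@@ -666,6 +748,25 @@ static inline int pgd_none(pgd_t pgd)
 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
 
+#ifdef CONFIG_X86_32
+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
+#else
+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+#ifdef __ASSEMBLY__
+#define pax_user_shadow_base pax_user_shadow_base(%rip)
+#else
+extern unsigned long pax_user_shadow_base;
+extern pgdval_t clone_pgd_mask;
+#endif
+#else
+#define pax_user_shadow_base (0UL)
+#endif
+
+#endif
+
 #ifndef __ASSEMBLY__
 
 extern int direct_gbpages;
@@ -832,11 +933,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
 * dst and src can be on the same page, but the range must not overlap,
 * and must not cross a page boundary.
 */
-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
 {
- memcpy(dst, src, count * sizeof(pgd_t));
+ pax_open_kernel();
+ while (count--)
+ *dst++ = *src++;
+ pax_close_kernel();
 }
 
+#ifdef CONFIG_PAX_PER_CPU_PGD
+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src);
+#endif
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src);
+#else
+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) {}
+#endif
+
 #define PTE_SHIFT ilog2(PTRS_PER_PTE)
 static inline int page_level_shift(enum pg_level level)
 {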
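Review bot: `native_pax_open_kernel()` in the second hunk clears CR0.WP after `preempt_disable()` only, so interrupts stay enabled for the whole window, and its `BUG_ON(cr0 & X86_CR0_WP)` halts the machine if the pair is ever nested. Neither constraint is documented, although the header now calls the pair from inline helpers such as `clone_pgd_range()` in the last hunk. I would add a block comment above the two functions stating that the pair must not nest, must not be entered from code that can interrupt an open window, and that the code in between must be short and must not sleep. Separately, `enum cpu_pgd_type {kernel = 0, user = 1};` puts the very generic enumerators `kernel` and `user` into every file that includes this header; prefixed names would avoid clashes.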
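--- a/arch/x86/include/asm/pgtable_32.h
+++ b/arch/x86/include/asm/pgtable_32.h
@@ -25,9 +25,6 @@
 struct mm_struct;
 struct vm_area_struct;
 
-extern pgd_t swapper_pg_dir[1024];
-extern pgd_t initial_page_table[1024];
-
 static inline void pgtable_cache_init(void) { }
 static inline void check_pgt_cache(void) { }
 void paging_init(void);
@@ -45,6 +42,12 @@ void paging_init(void);
 # include <asm/pgtable-2level.h>
 #endif
 
+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
+extern pgd_t initial_page_table[PTRS_PER_PGD];
+#ifdef CONFIG_X86_PAE
+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
+#endif
+
 #if defined(CONFIG_HIGHPTE)
 #define pte_offset_map(dir, address) \
 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
@@ -59,12 +62,17 @@ void paging_init(void);
 /* Clear a kernel PTE and flush it from the TLB */
 #define kpte_clear_flush(ptep, vaddr) \
 do { \
+ pax_open_kernel(); \
 pte_clear(&init_mm, (vaddr), (ptep)); \
+ pax_close_kernel(); \
 __flush_tlb_one((vaddr)); \
 } while (0)
 
 #endif /* !__ASSEMBLY__ */
 
+#define HAVE_ARCH_UNMAPPED_AREA
+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
+
 /*
 * kern_addr_valid() is (1) for FLATMEM and (0) for
 * SPARSEMEM and DISCONTIGMEM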
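--- a/arch/x86/include/asm/pgtable_32_types.h
+++ b/arch/x86/include/asm/pgtable_32_types.h
@@ -8,7 +8,7 @@
 */
 #ifdef CONFIG_X86_PAE
 # include <asm/pgtable-3level_types.h>
-# define PMD_SIZE (1UL << PMD_SHIFT)
+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
 # define PMD_MASK (~(PMD_SIZE - 1))
 #else
 # include <asm/pgtable-2level_types.h>
@@ -46,6 +46,28 @@ extern bool __vmalloc_start_set; /* set once high_memory is set */
 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
 #endif
 
+#ifdef CONFIG_PAX_KERNEXEC
+#ifndef __ASSEMBLY__
+extern unsigned char MODULES_EXEC_VADDR[];
+extern unsigned char MODULES_EXEC_END[];
+
+extern unsigned char __LOAD_PHYSICAL_ADDR[];
+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
+static inline unsigned long __intentional_overflow(-1) ktla_ktva(unsigned long addr)
+{
+ return addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET;
+
+}
+static inline unsigned long __intentional_overflow(-1) ktva_ktla(unsigned long addr)
+{
+ return addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET;
+}
+#endif
+#else
+#define ktla_ktva(addr) (addr)
+#define ktva_ktla(addr) (addr)
+#endif
+
 #define MODULES_VADDR VMALLOC_START
 #define MODULES_END VMALLOC_END
 #define MODULES_LEN (MODULES_VADDR - MODULES_END)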
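Review bot: `ktla_ktva()` and `ktva_ktla()` in the second hunk are inline functions taking and returning `unsigned long` when `CONFIG_PAX_KERNEXEC` is set but pass-through macros `(addr)` otherwise, so a call site that passes a pointer compiles in one configuration and not in the other. With KERNEXEC set they also sit behind `#ifndef __ASSEMBLY__`, which leaves assembly sources without any definition. Casting in the macro form, `#define ktla_ktva(addr) ((unsigned long)(addr))`, would make both configurations type-check alike, provided no caller relies on the pointer type being preserved. The names are not explained in the hunk and need a comment expanding them (I read them as kernel text linear and virtual address, to be confirmed), and the stray blank line before the closing brace of `ktla_ktva()` can go.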
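--- a/arch/x86/include/asm/pgtable_64.h
+++ b/arch/x86/include/asm/pgtable_64.h
@@ -16,11 +16,17 @@
 
 extern pud_t level3_kernel_pgt[512];
 extern pud_t level3_ident_pgt[512];
+extern pud_t level3_vmalloc_start_pgt[512];
+extern pud_t level3_vmalloc_end_pgt[512];
+extern pud_t level3_vmemmap_pgt[512];
+extern pud_t level2_vmemmap_pgt[512];
 extern pmd_t level2_kernel_pgt[512];
 extern pmd_t level2_fixmap_pgt[512];
-extern pmd_t level2_ident_pgt[512];
-extern pte_t level1_fixmap_pgt[512];
-extern pgd_t init_level4_pgt[];
+extern pmd_t level2_ident_pgt[2][512];
+extern pte_t level1_modules_pgt[4][512];
+extern pte_t level1_fixmap_pgt[3][512];
+extern pte_t level1_vsyscall_pgt[512];
+extern pgd_t init_level4_pgt[512];
 
 #define swapper_pg_dir init_level4_pgt
 
@@ -62,7 +68,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
 
 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
 {
+ pax_open_kernel();
 *pmdp = pmd;
+ pax_close_kernel();
 }
 
 static inline void native_pmd_clear(pmd_t *pmd)
@@ -98,7 +106,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
 
 static inline void native_set_pud(pud_t *pudp, pud_t pud)
 {
+ pax_open_kernel();
 *pudp = pud;
+ pax_close_kernel();
 }
 
 static inline void native_pud_clear(pud_t *pud)
@@ -108,6 +118,13 @@ static inline void native_pud_clear(pud_t *pud)
 
 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
 {
+ pax_open_kernel();
+ *pgdp = pgd;
+ pax_close_kernel();
+}
+
+static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
+{
 *pgdp = pgd;
 }
 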
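Review bot: `native_set_pgd_batched()` in the last hunk writes the entry without the `pax_open_kernel()`/`pax_close_kernel()` bracket that the same hunk adds to `native_set_pgd()`, and no comment says who is responsible for opening the window. From the name I assume the caller brackets a whole batch of stores itself; if so the function needs `/* caller must already be inside pax_open_kernel()/pax_close_kernel() */`. In the first hunk `level2_vmemmap_pgt` is declared as `pud_t` while every other `level2_*` table in the list is `pmd_t`, which looks like a copy of the line above and should read `extern pmd_t level2_vmemmap_pgt[512];` unless the definition really uses `pud_t`.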
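--- a/arch/x86/include/asm/pgtable_64_types.h
+++ b/arch/x86/include/asm/pgtable_64_types.h
@@ -60,11 +60,16 @@ typedef struct { pteval_t pte; } pte_t;
 #define MODULES_VADDR (__START_KERNEL_map + KERNEL_IMAGE_SIZE)
 #define MODULES_END _AC(0xffffffffff000000, UL)
 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
+#define MODULES_EXEC_VADDR MODULES_VADDR
+#define MODULES_EXEC_END MODULES_END
 #define ESPFIX_PGD_ENTRY _AC(-2, UL)
 #define ESPFIX_BASE_ADDR (ESPFIX_PGD_ENTRY << PGDIR_SHIFT)
 #define EFI_VA_START ( -4 * (_AC(1, UL) << 30))
 #define EFI_VA_END (-68 * (_AC(1, UL) << 30))
 
+#define ktla_ktva(addr) (addr)
+#define ktva_ktla(addr) (addr)
+
 #define EARLY_DYNAMIC_PAGE_TABLES 64
 
 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */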
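--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -85,8 +85,10 @@
 
 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
-#else
+#elif defined(CONFIG_KMEMCHECK) || defined(CONFIG_MEM_SOFT_DIRTY)
 #define _PAGE_NX (_AT(pteval_t, 0))
+#else
+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
 #endif
 
 #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE)
@@ -141,6 +143,9 @@ enum page_cache_mode {
 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
 _PAGE_ACCESSED)
 
+#define PAGE_READONLY_NOEXEC PAGE_READONLY
+#define PAGE_SHARED_NOEXEC PAGE_SHARED
+
 #define __PAGE_KERNEL_EXEC \
 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
@@ -148,7 +153,7 @@ enum page_cache_mode {
 #define __PAGE_KERNEL_RO (__PAGE_KERNEL & ~_PAGE_RW)
 #define __PAGE_KERNEL_RX (__PAGE_KERNEL_EXEC & ~_PAGE_RW)
 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_NOCACHE)
-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
 #define __PAGE_KERNEL_VVAR (__PAGE_KERNEL_RO | _PAGE_USER)
 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
@@ -194,7 +199,7 @@ enum page_cache_mode {
 #ifdef CONFIG_X86_64
 #define __PAGE_KERNEL_IDENT_LARGE_EXEC __PAGE_KERNEL_LARGE_EXEC
 #else
-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
 #define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
 #endif
@@ -233,7 +238,17 @@ static inline pgdval_t pgd_flags(pgd_t pgd)
 {
 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
 }
+#endif
 
+#if CONFIG_PGTABLE_LEVELS == 3
+#include <asm-generic/pgtable-nopud.h>
+#endif
+
+#if CONFIG_PGTABLE_LEVELS == 2
+#include <asm-generic/pgtable-nopmd.h>
+#endif
+
+#ifndef __ASSEMBLY__
 #if CONFIG_PGTABLE_LEVELS > 3
 typedef struct { pudval_t pud; } pud_t;
 
@@ -247,8 +262,6 @@ static inline pudval_t native_pud_val(pud_t pud)
 return pud.pud;
 }
 #else
-#include <asm-generic/pgtable-nopud.h>
-
 static inline pudval_t native_pud_val(pud_t pud)
 {
 return native_pgd_val(pud.pgd);
@@ -268,8 +281,6 @@ static inline pmdval_t native_pmd_val(pmd_t pmd)
 return pmd.pmd;
 }
 #else
-#include <asm-generic/pgtable-nopmd.h>
-
 static inline pmdval_t native_pmd_val(pmd_t pmd)
 {
 return native_pgd_val(pmd.pud.pgd);
@@ -362,7 +373,6 @@ typedef struct page *pgtable_t;
 
 extern pteval_t __supported_pte_mask;
 extern void set_nx(void);
-extern int nx_enabled;
 
 #define pgprot_writecombine pgprot_writecombine
 extern pgprot_t pgprot_writecombine(pgprot_t prot);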
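Review bot: On 32-bit non-PAE builds the first hunk changes `_PAGE_NX` from 0 to the software bit `_PAGE_BIT_HIDDEN`, so a test such as `pte_flags(pte) & _PAGE_NX` is no longer constant-false there and the bit no longer means hardware no-execute. The definition needs a comment, e.g. `/* no hardware NX without PAE: software marker bit only */`, and the `#elif defined(CONFIG_KMEMCHECK) || defined(CONFIG_MEM_SOFT_DIRTY)` branch should say why those options keep the value at 0, presumably because they use the same bit. `__PAGE_KERNEL_VSYSCALL` switching from `__PAGE_KERNEL_RX` to `__PAGE_KERNEL_RO` in the third hunk adds `_PAGE_NX` to the vsyscall mapping and deserves its own line in the description.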
20928diff --git a/arch/x86/include/asm/preempt.h b/arch/x86/include/asm/preempt.h
20929index dca71714..919d4e1 100644
20930--- a/arch/x86/include/asm/preempt.h
20931+++ b/arch/x86/include/asm/preempt.h
20932@@ -84,7 +84,7 @@ static __always_inline void __preempt_count_sub(int val)
20933 */
20934 static __always_inline bool __preempt_count_dec_and_test(void)
20935 {
20936- GEN_UNARY_RMWcc("decl", __preempt_count, __percpu_arg(0), "e");
20937+ GEN_UNARY_RMWcc("decl", "incl", __preempt_count, __percpu_arg(0), "e");
20938 }
20939
20940 /*
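Review bot: The new second argument `"incl"` in `__preempt_count_dec_and_test()` is unexplained, and nothing at the call site shows that it is the instruction used to undo the `decl` when the overflow check in rmwcc.h fires. A one-line comment above the call would cover it, e.g. `/* "incl" reverts the decrement if the PAX_REFCOUNT overflow check trips */`. It is also worth stating whether trapping on a preempt-count underflow is intended, since the other preempt-count operations in this file are outside the hunk and may not be checked the same way.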
20941diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
20942index 944f178..12f1c25 100644
20943--- a/arch/x86/include/asm/processor.h
20944+++ b/arch/x86/include/asm/processor.h
20945@@ -136,7 +136,7 @@ struct cpuinfo_x86 {
20946 /* Index into per_cpu list: */
20947 u16 cpu_index;
20948 u32 microcode;
20949-};
20950+} __randomize_layout;
20951
20952 #define X86_VENDOR_INTEL 0
20953 #define X86_VENDOR_CYRIX 1
20954@@ -206,9 +206,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
20955 : "memory");
20956 }
20957
20958+/* invpcid (%rdx),%rax */
20959+#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02"
20960+
20961+#define INVPCID_SINGLE_ADDRESS 0UL
20962+#define INVPCID_SINGLE_CONTEXT 1UL
20963+#define INVPCID_ALL_GLOBAL 2UL
20964+#define INVPCID_ALL_NONGLOBAL 3UL
20965+
20966+#define PCID_KERNEL 0UL
20967+#define PCID_USER 1UL
20968+#define PCID_NOFLUSH (1UL << 63)
20969+
20970 static inline void load_cr3(pgd_t *pgdir)
20971 {
20972- write_cr3(__pa(pgdir));
20973+ write_cr3(__pa(pgdir) | PCID_KERNEL);
20974 }
20975
20976 #ifdef CONFIG_X86_32
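Review bot: `__ASM_INVPCID` is a raw byte encoding with both operands fixed (the comment gives `invpcid (%rdx),%rax`), and nothing in the macro makes an inline-asm user pin the descriptor pointer to rdx and the type to rax. I would extend the comment to state the contract, e.g. `/* invpcid (%rdx),%rax - operands are hard-coded: pass the descriptor with "d" and the type with "a" */`. Separately, `PCID_NOFLUSH (1UL << 63)` is defined before the `#ifdef CONFIG_X86_32` split, so on a 32-bit build any expansion would shift past the width of unsigned long. Moving the PCID/INVPCID constants under `CONFIG_X86_64` would rule that out.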
20977@@ -305,11 +317,9 @@ struct tss_struct {
20978
20979 } ____cacheline_aligned;
20980
20981-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss);
20982+extern struct tss_struct cpu_tss[NR_CPUS];
20983
20984-#ifdef CONFIG_X86_32
20985 DECLARE_PER_CPU(unsigned long, cpu_current_top_of_stack);
20986-#endif
20987
20988 /*
20989 * Save the original ist values for checking stack pointers during debugging
20990@@ -381,6 +391,7 @@ struct thread_struct {
20991 unsigned short ds;
20992 unsigned short fsindex;
20993 unsigned short gsindex;
20994+ unsigned short ss;
20995 #endif
20996 #ifdef CONFIG_X86_32
20997 unsigned long ip;
20998@@ -463,10 +474,10 @@ static inline void native_swapgs(void)
20999 #endif
21000 }
21001
21002-static inline unsigned long current_top_of_stack(void)
21003+static inline unsigned long current_top_of_stack(unsigned int cpu)
21004 {
21005 #ifdef CONFIG_X86_64
21006- return this_cpu_read_stable(cpu_tss.x86_tss.sp0);
21007+ return cpu_tss[cpu].x86_tss.sp0;
21008 #else
21009 /* sp0 on x86_32 is special in and around vm86 mode. */
21010 return this_cpu_read_stable(cpu_current_top_of_stack);
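Review bot: Nothing ties the new `cpu` argument of `current_top_of_stack()` to the running CPU, or bounds it by `NR_CPUS`, before it indexes `cpu_tss[cpu]`; the old code read the running CPU's own TSS through `this_cpu_read_stable()`. The name still promises the current CPU, and the 32-bit branch ignores the argument entirely. A comment such as `/* cpu must be the CPU the caller is running on, with preemption disabled */` would state the contract. The related change from a per-cpu `cpu_tss` to `extern struct tss_struct cpu_tss[NR_CPUS]` is in the hunk above.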
21011@@ -709,20 +720,30 @@ static inline void spin_lock_prefetch(const void *x)
21012 #define TOP_OF_INIT_STACK ((unsigned long)&init_stack + sizeof(init_stack) - \
21013 TOP_OF_KERNEL_STACK_PADDING)
21014
21015+extern union fpregs_state init_fpregs_state;
21016+
21017 #ifdef CONFIG_X86_32
21018 /*
21019 * User space process size: 3GB (default).
21020 */
21021 #define TASK_SIZE PAGE_OFFSET
21022 #define TASK_SIZE_MAX TASK_SIZE
21023+
21024+#ifdef CONFIG_PAX_SEGMEXEC
21025+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
21026+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
21027+#else
21028 #define STACK_TOP TASK_SIZE
21029-#define STACK_TOP_MAX STACK_TOP
21030+#endif
21031+
21032+#define STACK_TOP_MAX TASK_SIZE
21033
21034 #define INIT_THREAD { \
21035 .sp0 = TOP_OF_INIT_STACK, \
21036 .vm86_info = NULL, \
21037 .sysenter_cs = __KERNEL_CS, \
21038 .io_bitmap_ptr = NULL, \
21039+ .fpu.state = &init_fpregs_state, \
21040 }
21041
21042 extern unsigned long thread_saved_pc(struct task_struct *tsk);
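Review bot: Under CONFIG_PAX_SEGMEXEC, `STACK_TOP` dereferences `current->mm` without a NULL check, where the definition it replaces was the constant `TASK_SIZE`. If any user of `STACK_TOP` can run in a task that has no mm, this becomes a NULL dereference in kernel context; the callers are outside this hunk, so that needs confirming. If such callers exist, `((current->mm && (current->mm->pax_flags & MF_PAX_SEGMEXEC)) ? SEGMEXEC_TASK_SIZE : TASK_SIZE)` keeps the old result for them.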
21043@@ -737,12 +758,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21044 * "struct pt_regs" is possible, but they may contain the
21045 * completely wrong values.
21046 */
21047-#define task_pt_regs(task) \
21048-({ \
21049- unsigned long __ptr = (unsigned long)task_stack_page(task); \
21050- __ptr += THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING; \
21051- ((struct pt_regs *)__ptr) - 1; \
21052-})
21053+#define task_pt_regs(tsk) ((struct pt_regs *)(tsk)->thread.sp0 - 1)
21054
21055 #define KSTK_ESP(task) (task_pt_regs(task)->sp)
21056
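Review bot: Deriving `task_pt_regs()` from `thread.sp0` makes it depend on sp0 always being the normal top of the kernel stack, and a comment elsewhere in this file (in `current_top_of_stack()`) says sp0 on x86_32 is special in and around vm86 mode. This appears to be the 32-bit definition; if sp0 can point elsewhere while `task_pt_regs()`, `KSTK_ESP()` or `KSTK_EIP()` are evaluated for that task, they would read a register frame at the wrong address. The code that updates sp0 is outside this hunk, so this may already be handled. A comment stating the invariant, e.g. `/* relies on thread.sp0 being the top of the kernel stack minus padding */`, would make the dependency visible.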
21057@@ -756,13 +772,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21058 * particular problem by preventing anything from being mapped
21059 * at the maximum canonical address.
21060 */
21061-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
21062+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
21063
21064 /* This decides where the kernel will search for a free chunk of vm
21065 * space during mmap's.
21066 */
21067 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
21068- 0xc0000000 : 0xFFFFe000)
21069+ 0xc0000000 : 0xFFFFf000)
21070
21071 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \
21072 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
21073@@ -773,7 +789,8 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21074 #define STACK_TOP_MAX TASK_SIZE_MAX
21075
21076 #define INIT_THREAD { \
21077- .sp0 = TOP_OF_INIT_STACK \
21078+ .sp0 = TOP_OF_INIT_STACK, \
21079+ .fpu.state = &init_fpregs_state, \
21080 }
21081
21082 /*
21083@@ -796,6 +813,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
21084 */
21085 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
21086
21087+#ifdef CONFIG_PAX_SEGMEXEC
21088+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
21089+#endif
21090+
21091 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
21092
21093 /* Get/set a process' ability to use the timestamp counter instruction */
21094@@ -841,7 +862,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)
21095 return 0;
21096 }
21097
21098-extern unsigned long arch_align_stack(unsigned long sp);
21099+#define arch_align_stack(x) ((x) & ~0xfUL)
21100 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
21101
21102 void default_idle(void);
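Review bot: The macro form of `arch_align_stack()` silently drops whatever the removed out-of-line function did beyond clearing the low four bits of the stack pointer. Its body is not in this hunk; if it was also where a per-exec stack offset was applied, that randomisation must now come from another part of the patch. A comment on the macro, e.g. `/* alignment only; no stack randomisation is applied here */`, would stop a reader from assuming the previous behaviour.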
21103@@ -851,6 +872,6 @@ bool xen_set_default_idle(void);
21104 #define xen_set_default_idle 0
21105 #endif
21106
21107-void stop_this_cpu(void *dummy);
21108+void stop_this_cpu(void *dummy) __noreturn;
21109 void df_debug(struct pt_regs *regs, long error_code);
21110 #endif /* _ASM_X86_PROCESSOR_H */
21111diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
21112index 5fabf13..7388158 100644
21113--- a/arch/x86/include/asm/ptrace.h
21114+++ b/arch/x86/include/asm/ptrace.h
21115@@ -125,15 +125,16 @@ static inline int v8086_mode(struct pt_regs *regs)
21116 #ifdef CONFIG_X86_64
21117 static inline bool user_64bit_mode(struct pt_regs *regs)
21118 {
21119+ unsigned long cs = regs->cs & 0xffff;
21120 #ifndef CONFIG_PARAVIRT
21121 /*
21122 * On non-paravirt systems, this is the only long mode CPL 3
21123 * selector. We do not allow long mode selectors in the LDT.
21124 */
21125- return regs->cs == __USER_CS;
21126+ return cs == __USER_CS;
21127 #else
21128 /* Headers are too twisted for this to go in paravirt.h. */
21129- return regs->cs == __USER_CS || regs->cs == pv_info.extra_user_64bit_cs;
21130+ return cs == __USER_CS || cs == pv_info.extra_user_64bit_cs;
21131 #endif
21132 }
21133
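Review bot: The `& 0xffff` mask on `regs->cs` is written as a bare literal in `user_64bit_mode()` and again in the `regs_get_register()` hunk below, with no comment saying why only the low 16 bits are compared. Any other comparison of `regs->cs` in this header that lies outside these hunks would still look at the full word, so the two styles can drift apart. A small accessor, e.g. `static inline unsigned long regs_cs(const struct pt_regs *regs) { return regs->cs & 0xffff; }`, carrying a comment with the reason for the mask, would keep every selector check consistent.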
21134@@ -180,9 +181,11 @@ static inline unsigned long regs_get_register(struct pt_regs *regs,
21135 * Traps from the kernel do not save sp and ss.
21136 * Use the helper function to retrieve sp.
21137 */
21138- if (offset == offsetof(struct pt_regs, sp) &&
21139- regs->cs == __KERNEL_CS)
21140- return kernel_stack_pointer(regs);
21141+ if (offset == offsetof(struct pt_regs, sp)) {
21142+ unsigned long cs = regs->cs & 0xffff;
21143+ if (cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS)
21144+ return kernel_stack_pointer(regs);
21145+ }
21146 #endif
21147 return *(unsigned long *)((unsigned long)regs + offset);
21148 }
21149diff --git a/arch/x86/include/asm/qrwlock.h b/arch/x86/include/asm/qrwlock.h
21150index ae0e241..e80b10b 100644
21151--- a/arch/x86/include/asm/qrwlock.h
21152+++ b/arch/x86/include/asm/qrwlock.h
21153@@ -7,8 +7,8 @@
21154 #define queue_write_unlock queue_write_unlock
21155 static inline void queue_write_unlock(struct qrwlock *lock)
21156 {
21157- barrier();
21158- ACCESS_ONCE(*(u8 *)&lock->cnts) = 0;
21159+ barrier();
21160+ ACCESS_ONCE_RW(*(u8 *)&lock->cnts) = 0;
21161 }
21162 #endif
21163
21164diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h
21165index 9c6b890..5305f53 100644
21166--- a/arch/x86/include/asm/realmode.h
21167+++ b/arch/x86/include/asm/realmode.h
21168@@ -22,16 +22,14 @@ struct real_mode_header {
21169 #endif
21170 /* APM/BIOS reboot */
21171 u32 machine_real_restart_asm;
21172-#ifdef CONFIG_X86_64
21173 u32 machine_real_restart_seg;
21174-#endif
21175 };
21176
21177 /* This must match data at trampoline_32/64.S */
21178 struct trampoline_header {
21179 #ifdef CONFIG_X86_32
21180 u32 start;
21181- u16 gdt_pad;
21182+ u16 boot_cs;
21183 u16 gdt_limit;
21184 u32 gdt_base;
21185 #else
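Review bot: The layout changes to `real_mode_header` and `trampoline_header` have no compile-time link to the assembly that must match them; the existing comment only says `trampoline_header` must match trampoline_32/64.S. Making `machine_real_restart_seg` unconditional changes the 32-bit size of `real_mode_header`, and the former padding word now carries a meaning as `boot_cs`, so a stale .S file would be read with wrong offsets rather than rejected. The matching assembly changes are not in this hunk, and `real_mode_header` begins above it. I would add a "must match" comment to `real_mode_header` as well, e.g. `/* layout is shared with the real-mode assembly header; keep both in sync */`.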
21186diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h
21187index a82c4f1..ac45053 100644
21188--- a/arch/x86/include/asm/reboot.h
21189+++ b/arch/x86/include/asm/reboot.h
21190@@ -6,13 +6,13 @@
21191 struct pt_regs;
21192
21193 struct machine_ops {
21194- void (*restart)(char *cmd);
21195- void (*halt)(void);
21196- void (*power_off)(void);
21197+ void (* __noreturn restart)(char *cmd);
21198+ void (* __noreturn halt)(void);
21199+ void (* __noreturn power_off)(void);
21200 void (*shutdown)(void);
21201 void (*crash_shutdown)(struct pt_regs *);
21202- void (*emergency_restart)(void);
21203-};
21204+ void (* __noreturn emergency_restart)(void);
21205+} __no_const;
21206
21207 extern struct machine_ops machine_ops;
21208
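Review bot: `__no_const` leaves `struct machine_ops` writable, so the global `machine_ops` table of function pointers declared just below stays modifiable at runtime, and the hunk gives no reason for the exemption. A comment naming what assigns to it after boot would let a later reader judge whether it can be made read-only, e.g. `/* __no_const: members are reassigned at runtime by WRITER */`, where WRITER is a placeholder for the actual code. Marking `restart`, `halt`, `power_off` and `emergency_restart` as `__noreturn` also means any assigned implementation that can return is undefined behaviour at the call site, so each handler needs checking.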
21209diff --git a/arch/x86/include/asm/rmwcc.h b/arch/x86/include/asm/rmwcc.h
21210index 8f7866a..e442f20 100644
21211--- a/arch/x86/include/asm/rmwcc.h
21212+++ b/arch/x86/include/asm/rmwcc.h
21213@@ -3,7 +3,34 @@
21214
21215 #ifdef CC_HAVE_ASM_GOTO
21216
21217-#define __GEN_RMWcc(fullop, var, cc, ...) \
21218+#ifdef CONFIG_PAX_REFCOUNT
21219+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21220+do { \
21221+ asm_volatile_goto (fullop \
21222+ ";jno 0f\n" \
21223+ fullantiop \
21224+ ";int $4\n0:\n" \
21225+ _ASM_EXTABLE(0b, 0b) \
21226+ ";j" cc " %l[cc_label]" \
21227+ : : "m" (var), ## __VA_ARGS__ \
21228+ : "memory" : cc_label); \
21229+ return 0; \
21230+cc_label: \
21231+ return 1; \
21232+} while (0)
21233+#else
21234+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21235+do { \
21236+ asm_volatile_goto (fullop ";j" cc " %l[cc_label]" \
21237+ : : "m" (var), ## __VA_ARGS__ \
21238+ : "memory" : cc_label); \
21239+ return 0; \
21240+cc_label: \
21241+ return 1; \
21242+} while (0)
21243+#endif
21244+
21245+#define __GEN_RMWcc_unchecked(fullop, var, cc, ...) \
21246 do { \
21247 asm_volatile_goto (fullop "; j" cc " %l[cc_label]" \
21248 : : "m" (var), ## __VA_ARGS__ \
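Review bot: The checked `__GEN_RMWcc` has no comment describing its overflow path, and two properties of it are easy to miss. `fullop` and `fullantiop` are separate instructions, so another CPU can observe the overflowed value between them; and once execution resumes at label `0`, the `j cc` test appears to act on the flags left by the antiop rather than by the original operation. A short block comment above the macro stating both would help callers such as `__preempt_count_dec_and_test()`, and the same applies to the non-asm-goto variant two hunks further down. The `#else` copy of `__GEN_RMWcc` has the same body as `__GEN_RMWcc_unchecked` and could simply expand to it.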
21249@@ -13,15 +40,46 @@ cc_label: \
21250 return 1; \
21251 } while (0)
21252
21253-#define GEN_UNARY_RMWcc(op, var, arg0, cc) \
21254- __GEN_RMWcc(op " " arg0, var, cc)
21255+#define GEN_UNARY_RMWcc(op, antiop, var, arg0, cc) \
21256+ __GEN_RMWcc(op " " arg0, antiop " " arg0, var, cc)
21257
21258-#define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \
21259- __GEN_RMWcc(op " %1, " arg0, var, cc, vcon (val))
21260+#define GEN_UNARY_RMWcc_unchecked(op, var, arg0, cc) \
21261+ __GEN_RMWcc_unchecked(op " " arg0, var, cc)
21262+
21263+#define GEN_BINARY_RMWcc(op, antiop, var, vcon, val, arg0, cc) \
21264+ __GEN_RMWcc(op " %1, " arg0, antiop " %1, " arg0, var, cc, vcon (val))
21265+
21266+#define GEN_BINARY_RMWcc_unchecked(op, var, vcon, val, arg0, cc) \
21267+ __GEN_RMWcc_unchecked(op " %1, " arg0, var, cc, vcon (val))
21268
21269 #else /* !CC_HAVE_ASM_GOTO */
21270
21271-#define __GEN_RMWcc(fullop, var, cc, ...) \
21272+#ifdef CONFIG_PAX_REFCOUNT
21273+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21274+do { \
21275+ char c; \
21276+ asm volatile (fullop \
21277+ ";jno 0f\n" \
21278+ fullantiop \
21279+ ";int $4\n0:\n" \
21280+ _ASM_EXTABLE(0b, 0b) \
21281+ "; set" cc " %1" \
21282+ : "+m" (var), "=qm" (c) \
21283+ : __VA_ARGS__ : "memory"); \
21284+ return c != 0; \
21285+} while (0)
21286+#else
21287+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21288+do { \
21289+ char c; \
21290+ asm volatile (fullop "; set" cc " %1" \
21291+ : "+m" (var), "=qm" (c) \
21292+ : __VA_ARGS__ : "memory"); \
21293+ return c != 0; \
21294+} while (0)
21295+#endif
21296+
21297+#define __GEN_RMWcc_unchecked(fullop, var, cc, ...) \
21298 do { \
21299 char c; \
21300 asm volatile (fullop "; set" cc " %1" \
21301@@ -30,11 +88,17 @@ do { \
21302 return c != 0; \
21303 } while (0)
21304
21305-#define GEN_UNARY_RMWcc(op, var, arg0, cc) \
21306- __GEN_RMWcc(op " " arg0, var, cc)
21307+#define GEN_UNARY_RMWcc(op, antiop, var, arg0, cc) \
21308+ __GEN_RMWcc(op " " arg0, antiop " " arg0, var, cc)
21309+
21310+#define GEN_UNARY_RMWcc_unchecked(op, var, arg0, cc) \
21311+ __GEN_RMWcc_unchecked(op " " arg0, var, cc)
21312+
21313+#define GEN_BINARY_RMWcc(op, antiop, var, vcon, val, arg0, cc) \
21314+ __GEN_RMWcc(op " %2, " arg0, antiop " %2, " arg0, var, cc, vcon (val))
21315
21316-#define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \
21317- __GEN_RMWcc(op " %2, " arg0, var, cc, vcon (val))
21318+#define GEN_BINARY_RMWcc_unchecked(op, var, vcon, val, arg0, cc) \
21319+ __GEN_RMWcc_unchecked(op " %2, " arg0, var, cc, vcon (val))
21320
21321 #endif /* CC_HAVE_ASM_GOTO */
21322
21323diff --git a/arch/x86/include/asm/rwsem.h b/arch/x86/include/asm/rwsem.h
21324index cad82c9..2e5c5c1 100644
21325--- a/arch/x86/include/asm/rwsem.h
21326+++ b/arch/x86/include/asm/rwsem.h
21327@@ -64,6 +64,14 @@ static inline void __down_read(struct rw_semaphore *sem)
21328 {
21329 asm volatile("# beginning down_read\n\t"
21330 LOCK_PREFIX _ASM_INC "(%1)\n\t"
21331+
21332+#ifdef CONFIG_PAX_REFCOUNT
21333+ "jno 0f\n"
21334+ LOCK_PREFIX _ASM_DEC "(%1)\n"
21335+ "int $4\n0:\n"
21336+ _ASM_EXTABLE(0b, 0b)
21337+#endif
21338+
21339 /* adds 0x00000001 */
21340 " jns 1f\n"
21341 " call call_rwsem_down_read_failed\n"
21342@@ -85,6 +93,14 @@ static inline int __down_read_trylock(struct rw_semaphore *sem)
21343 "1:\n\t"
21344 " mov %1,%2\n\t"
21345 " add %3,%2\n\t"
21346+
21347+#ifdef CONFIG_PAX_REFCOUNT
21348+ "jno 0f\n"
21349+ "sub %3,%2\n"
21350+ "int $4\n0:\n"
21351+ _ASM_EXTABLE(0b, 0b)
21352+#endif
21353+
21354 " jle 2f\n\t"
21355 LOCK_PREFIX " cmpxchg %2,%0\n\t"
21356 " jnz 1b\n\t"
21357@@ -104,6 +120,14 @@ static inline void __down_write_nested(struct rw_semaphore *sem, int subclass)
21358 long tmp;
21359 asm volatile("# beginning down_write\n\t"
21360 LOCK_PREFIX " xadd %1,(%2)\n\t"
21361+
21362+#ifdef CONFIG_PAX_REFCOUNT
21363+ "jno 0f\n"
21364+ "mov %1,(%2)\n"
21365+ "int $4\n0:\n"
21366+ _ASM_EXTABLE(0b, 0b)
21367+#endif
21368+
21369 /* adds 0xffff0001, returns the old value */
21370 " test " __ASM_SEL(%w1,%k1) "," __ASM_SEL(%w1,%k1) "\n\t"
21371 /* was the active mask 0 before? */
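Review bot: The overflow path in `__down_write_nested()` undoes the locked `xadd` with a plain `mov %1,(%2)`, which stores the old count back without a lock prefix. Any update another CPU made to the count between the `xadd` and this store is overwritten, whereas `__down_read()` and `__downgrade_write()` revert with a locked inverse operation. The same `mov` revert is used in the `__up_read()` and `__up_write()` hunks below. If this is accepted because `int $4` follows immediately, a comment should say so, e.g. `/* best-effort restore of the old value; not atomic with respect to other CPUs */`.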
21372@@ -155,6 +179,14 @@ static inline void __up_read(struct rw_semaphore *sem)
21373 long tmp;
21374 asm volatile("# beginning __up_read\n\t"
21375 LOCK_PREFIX " xadd %1,(%2)\n\t"
21376+
21377+#ifdef CONFIG_PAX_REFCOUNT
21378+ "jno 0f\n"
21379+ "mov %1,(%2)\n"
21380+ "int $4\n0:\n"
21381+ _ASM_EXTABLE(0b, 0b)
21382+#endif
21383+
21384 /* subtracts 1, returns the old value */
21385 " jns 1f\n\t"
21386 " call call_rwsem_wake\n" /* expects old value in %edx */
21387@@ -173,6 +205,14 @@ static inline void __up_write(struct rw_semaphore *sem)
21388 long tmp;
21389 asm volatile("# beginning __up_write\n\t"
21390 LOCK_PREFIX " xadd %1,(%2)\n\t"
21391+
21392+#ifdef CONFIG_PAX_REFCOUNT
21393+ "jno 0f\n"
21394+ "mov %1,(%2)\n"
21395+ "int $4\n0:\n"
21396+ _ASM_EXTABLE(0b, 0b)
21397+#endif
21398+
21399 /* subtracts 0xffff0001, returns the old value */
21400 " jns 1f\n\t"
21401 " call call_rwsem_wake\n" /* expects old value in %edx */
21402@@ -190,6 +230,14 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
21403 {
21404 asm volatile("# beginning __downgrade_write\n\t"
21405 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
21406+
21407+#ifdef CONFIG_PAX_REFCOUNT
21408+ "jno 0f\n"
21409+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
21410+ "int $4\n0:\n"
21411+ _ASM_EXTABLE(0b, 0b)
21412+#endif
21413+
21414 /*
21415 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
21416 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
21417@@ -208,7 +256,15 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
21418 */
21419 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
21420 {
21421- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
21422+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
21423+
21424+#ifdef CONFIG_PAX_REFCOUNT
21425+ "jno 0f\n"
21426+ LOCK_PREFIX _ASM_SUB "%1,%0\n"
21427+ "int $4\n0:\n"
21428+ _ASM_EXTABLE(0b, 0b)
21429+#endif
21430+
21431 : "+m" (sem->count)
21432 : "er" (delta));
21433 }
21434@@ -218,7 +274,7 @@ static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
21435 */
21436 static inline long rwsem_atomic_update(long delta, struct rw_semaphore *sem)
21437 {
21438- return delta + xadd(&sem->count, delta);
21439+ return delta + xadd_check_overflow(&sem->count, delta);
21440 }
21441
21442 #endif /* __KERNEL__ */
21443diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
21444index 7d5a192..23ef1aa 100644
21445--- a/arch/x86/include/asm/segment.h
21446+++ b/arch/x86/include/asm/segment.h
21447@@ -82,14 +82,20 @@
21448 * 26 - ESPFIX small SS
21449 * 27 - per-cpu [ offset to per-cpu data area ]
21450 * 28 - stack_canary-20 [ for stack protector ] <=== cacheline #8
21451- * 29 - unused
21452- * 30 - unused
21453+ * 29 - PCI BIOS CS
21454+ * 30 - PCI BIOS DS
21455 * 31 - TSS for double fault handler
21456 */
21457+#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
21458+#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
21459+#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
21460+#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
21461+
21462 #define GDT_ENTRY_TLS_MIN 6
21463 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
21464
21465 #define GDT_ENTRY_KERNEL_CS 12
21466+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 4
21467 #define GDT_ENTRY_KERNEL_DS 13
21468 #define GDT_ENTRY_DEFAULT_USER_CS 14
21469 #define GDT_ENTRY_DEFAULT_USER_DS 15
21470@@ -106,6 +112,12 @@
21471 #define GDT_ENTRY_PERCPU 27
21472 #define GDT_ENTRY_STACK_CANARY 28
21473
21474+#define GDT_ENTRY_PCIBIOS_CS 29
21475+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
21476+
21477+#define GDT_ENTRY_PCIBIOS_DS 30
21478+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
21479+
21480 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
21481
21482 /*
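Review bot: The four PCI BIOS defines are paired crosswise: `__PCIBIOS_DS` sits under `GDT_ENTRY_PCIBIOS_CS` and `__PCIBIOS_CS` under `GDT_ENTRY_PCIBIOS_DS`. The values still come out right because the macros expand at the point of use, but the grouping reads as if the code selector were built from the data entry. Reordering so that `#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)` follows `#define GDT_ENTRY_PCIBIOS_CS 29`, with the DS pair after it, would match how the other selectors in this file are laid out.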
21483@@ -118,6 +130,7 @@
21484 */
21485
21486 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
21487+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
21488 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
21489 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8 + 3)
21490 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8 + 3)
21491@@ -129,7 +142,7 @@
21492 #define PNP_CS16 (GDT_ENTRY_PNPBIOS_CS16*8)
21493
21494 /* "Is this PNP code selector (PNP_CS32 or PNP_CS16)?" */
21495-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == PNP_CS32)
21496+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
21497
21498 /* data segment for BIOS: */
21499 #define PNP_DS (GDT_ENTRY_PNPBIOS_DS*8)
21500@@ -176,6 +189,8 @@
21501 #define GDT_ENTRY_DEFAULT_USER_DS 5
21502 #define GDT_ENTRY_DEFAULT_USER_CS 6
21503
21504+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
21505+
21506 /* Needs two entries */
21507 #define GDT_ENTRY_TSS 8
21508 /* Needs two entries */
21509@@ -187,10 +202,12 @@
21510 /* Abused to load per CPU data from limit */
21511 #define GDT_ENTRY_PER_CPU 15
21512
21513+#define GDT_ENTRY_UDEREF_KERNEL_DS 16
21514+
21515 /*
21516 * Number of entries in the GDT table:
21517 */
21518-#define GDT_ENTRIES 16
21519+#define GDT_ENTRIES 17
21520
21521 /*
21522 * Segment selector values corresponding to the above entries:
21523@@ -200,7 +217,9 @@
21524 */
21525 #define __KERNEL32_CS (GDT_ENTRY_KERNEL32_CS*8)
21526 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
21527+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
21528 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
21529+#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8)
21530 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS*8 + 3)
21531 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8 + 3)
21532 #define __USER32_DS __USER_DS
21533diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
21534index ba665eb..0f72938 100644
21535--- a/arch/x86/include/asm/smap.h
21536+++ b/arch/x86/include/asm/smap.h
21537@@ -25,6 +25,18 @@
21538
21539 #include <asm/alternative-asm.h>
21540
21541+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21542+#define ASM_PAX_OPEN_USERLAND \
21543+ ALTERNATIVE "", "call __pax_open_userland", X86_FEATURE_STRONGUDEREF
21544+
21545+#define ASM_PAX_CLOSE_USERLAND \
21546+ ALTERNATIVE "", "call __pax_close_userland", X86_FEATURE_STRONGUDEREF
21547+
21548+#else
21549+#define ASM_PAX_OPEN_USERLAND
21550+#define ASM_PAX_CLOSE_USERLAND
21551+#endif
21552+
21553 #ifdef CONFIG_X86_SMAP
21554
21555 #define ASM_CLAC \
21556@@ -44,6 +56,37 @@
21557
21558 #include <asm/alternative.h>
21559
21560+#define __HAVE_ARCH_PAX_OPEN_USERLAND
21561+#define __HAVE_ARCH_PAX_CLOSE_USERLAND
21562+
21563+extern void __pax_open_userland(void);
21564+static __always_inline unsigned long pax_open_userland(void)
21565+{
21566+
21567+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21568+ asm volatile(ALTERNATIVE("", "call %P[open]", X86_FEATURE_STRONGUDEREF)
21569+ :
21570+ : [open] "i" (__pax_open_userland)
21571+ : "memory", "rax");
21572+#endif
21573+
21574+ return 0;
21575+}
21576+
21577+extern void __pax_close_userland(void);
21578+static __always_inline unsigned long pax_close_userland(void)
21579+{
21580+
21581+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21582+ asm volatile(ALTERNATIVE("", "call %P[close]", X86_FEATURE_STRONGUDEREF)
21583+ :
21584+ : [close] "i" (__pax_close_userland)
21585+ : "memory", "rax");
21586+#endif
21587+
21588+ return 0;
21589+}
21590+
21591 #ifdef CONFIG_X86_SMAP
21592
21593 static __always_inline void clac(void)
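Review bot: `__pax_open_userland()` and `__pax_close_userland()` are declared with ordinary C prototypes, but `pax_open_userland()` and `pax_close_userland()` call them from inline asm whose clobber list names only "memory" and "rax". That is only correct if the callees preserve every other register, which the normal C calling convention does not require; their definitions are outside this hunk, so this needs confirming. A comment on the declarations would record the contract, e.g. `/* asm entry point: may clobber only %rax; not callable from C */`. The `ASM_PAX_OPEN_USERLAND` and `ASM_PAX_CLOSE_USERLAND` macros in the hunk above rely on the same convention without stating it.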
21594diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
21595index 222a6a3..839da8d 100644
21596--- a/arch/x86/include/asm/smp.h
21597+++ b/arch/x86/include/asm/smp.h
21598@@ -35,7 +35,7 @@ DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_core_map);
21599 /* cpus sharing the last level cache: */
21600 DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_llc_shared_map);
21601 DECLARE_PER_CPU_READ_MOSTLY(u16, cpu_llc_id);
21602-DECLARE_PER_CPU_READ_MOSTLY(int, cpu_number);
21603+DECLARE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number);
21604
21605 static inline struct cpumask *cpu_llc_shared_mask(int cpu)
21606 {
21607@@ -68,7 +68,7 @@ struct smp_ops {
21608
21609 void (*send_call_func_ipi)(const struct cpumask *mask);
21610 void (*send_call_func_single_ipi)(int cpu);
21611-};
21612+} __no_const;
21613
21614 /* Globals due to paravirt */
21615 extern void set_cpu_sibling_map(int cpu);
21616@@ -182,14 +182,8 @@ extern unsigned disabled_cpus;
21617 extern int safe_smp_processor_id(void);
21618
21619 #elif defined(CONFIG_X86_64_SMP)
21620-#define raw_smp_processor_id() (this_cpu_read(cpu_number))
21621-
21622-#define stack_smp_processor_id() \
21623-({ \
21624- struct thread_info *ti; \
21625- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
21626- ti->cpu; \
21627-})
21628+#define raw_smp_processor_id() (this_cpu_read(cpu_number))
21629+#define stack_smp_processor_id() raw_smp_processor_id()
21630 #define safe_smp_processor_id() smp_processor_id()
21631
21632 #endif
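Review bot: `stack_smp_processor_id()` loses its independence from per-cpu data: as an alias for `raw_smp_processor_id()` it reads `cpu_number`, where the removed macro derived the CPU from the stack pointer. If any caller chose the stack-based variant because per-cpu access was not yet usable at that point, it no longer gets that property; the callers are outside this hunk. A comment such as `/* same as raw_smp_processor_id(): requires the per-cpu area to be set up */` would make the changed precondition explicit.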
21633diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h
21634index c2e00bb..a10266e 100644
21635--- a/arch/x86/include/asm/stackprotector.h
21636+++ b/arch/x86/include/asm/stackprotector.h
21637@@ -49,7 +49,7 @@
21638 * head_32 for boot CPU and setup_per_cpu_areas() for others.
21639 */
21640 #define GDT_STACK_CANARY_INIT \
21641- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
21642+ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
21643
21644 /*
21645 * Initialize the stackprotector canary value.
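Review bot: The segment limit in `GDT_STACK_CANARY_INIT` changes from `0x18` to `0x17` with no comment, and the bare number does not show what it is derived from. segment.h in this patch describes the entry as `stack_canary-20`, so if the intent is that the canary at offset 20 is the last addressable word, `0x17` is the byte limit (size minus one) and the old value allowed one byte more than needed. A trailing comment such as `/* limit = 24 - 1: last byte of the canary at %gs:20 */` would record that. The derivation is my reading of the layout and not something the hunk states.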
21646@@ -114,7 +114,7 @@ static inline void setup_stack_canary_segment(int cpu)
21647
21648 static inline void load_stack_canary_segment(void)
21649 {
21650-#ifdef CONFIG_X86_32
21651+#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
21652 asm volatile ("mov %0, %%gs" : : "r" (0));
21653 #endif
21654 }
21655diff --git a/arch/x86/include/asm/stacktrace.h b/arch/x86/include/asm/stacktrace.h
21656index 70bbe39..4ae2bd4 100644
21657--- a/arch/x86/include/asm/stacktrace.h
21658+++ b/arch/x86/include/asm/stacktrace.h
21659@@ -11,28 +11,20 @@
21660
21661 extern int kstack_depth_to_print;
21662
21663-struct thread_info;
21664+struct task_struct;
21665 struct stacktrace_ops;
21666
21667-typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
21668- unsigned long *stack,
21669- unsigned long bp,
21670- const struct stacktrace_ops *ops,
21671- void *data,
21672- unsigned long *end,
21673- int *graph);
21674+typedef unsigned long walk_stack_t(struct task_struct *task,
21675+ void *stack_start,
21676+ unsigned long *stack,
21677+ unsigned long bp,
21678+ const struct stacktrace_ops *ops,
21679+ void *data,
21680+ unsigned long *end,
21681+ int *graph);
21682
21683-extern unsigned long
21684-print_context_stack(struct thread_info *tinfo,
21685- unsigned long *stack, unsigned long bp,
21686- const struct stacktrace_ops *ops, void *data,
21687- unsigned long *end, int *graph);
21688-
21689-extern unsigned long
21690-print_context_stack_bp(struct thread_info *tinfo,
21691- unsigned long *stack, unsigned long bp,
21692- const struct stacktrace_ops *ops, void *data,
21693- unsigned long *end, int *graph);
21694+extern walk_stack_t print_context_stack;
21695+extern walk_stack_t print_context_stack_bp;
21696
21697 /* Generic stack tracer with callbacks */
21698
21699@@ -40,7 +32,7 @@ struct stacktrace_ops {
21700 void (*address)(void *data, unsigned long address, int reliable);
21701 /* On negative return stop dumping */
21702 int (*stack)(void *data, char *name);
21703- walk_stack_t walk_stack;
21704+ walk_stack_t *walk_stack;
21705 };
21706
21707 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
21708diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h
21709index d7f3b3b..3cc39f1 100644
21710--- a/arch/x86/include/asm/switch_to.h
21711+++ b/arch/x86/include/asm/switch_to.h
21712@@ -108,7 +108,7 @@ do { \
21713 "call __switch_to\n\t" \
21714 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
21715 __switch_canary \
21716- "movq %P[thread_info](%%rsi),%%r8\n\t" \
21717+ "movq "__percpu_arg([thread_info])",%%r8\n\t" \
21718 "movq %%rax,%%rdi\n\t" \
21719 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
21720 "jnz ret_from_fork\n\t" \
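Review bot: The `_TIF_FORK` test after `call __switch_to` is only correct if `__switch_to` has already pointed the per-cpu `current_tinfo` at the incoming task, because thread_info is now loaded from there rather than through the task pointer in %rsi. That update is not visible here: the macro begins and ends outside both hunks, and the matching operand change is in the hunk below. A comment next to the load, e.g. `/* current_tinfo was already switched by __switch_to */`, would record the ordering dependency.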
21721@@ -119,7 +119,7 @@ do { \
21722 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
21723 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
21724 [_tif_fork] "i" (_TIF_FORK), \
21725- [thread_info] "i" (offsetof(struct task_struct, stack)), \
21726+ [thread_info] "m" (current_tinfo), \
21727 [current_task] "m" (current_task) \
21728 __switch_canary_iparam \
21729 : "memory", "cc" __EXTRA_CLOBBER)
21730diff --git a/arch/x86/include/asm/sys_ia32.h b/arch/x86/include/asm/sys_ia32.h
21731index 82c34ee..940fa40 100644
21732--- a/arch/x86/include/asm/sys_ia32.h
21733+++ b/arch/x86/include/asm/sys_ia32.h
21734@@ -20,8 +20,8 @@
21735 #include <asm/ia32.h>
21736
21737 /* ia32/sys_ia32.c */
21738-asmlinkage long sys32_truncate64(const char __user *, unsigned long, unsigned long);
21739-asmlinkage long sys32_ftruncate64(unsigned int, unsigned long, unsigned long);
21740+asmlinkage long sys32_truncate64(const char __user *, unsigned int, unsigned int);
21741+asmlinkage long sys32_ftruncate64(unsigned int, unsigned int, unsigned int);
21742
21743 asmlinkage long sys32_stat64(const char __user *, struct stat64 __user *);
21744 asmlinkage long sys32_lstat64(const char __user *, struct stat64 __user *);
21745@@ -42,7 +42,7 @@ long sys32_vm86_warning(void);
21746 asmlinkage ssize_t sys32_readahead(int, unsigned, unsigned, size_t);
21747 asmlinkage long sys32_sync_file_range(int, unsigned, unsigned,
21748 unsigned, unsigned, int);
21749-asmlinkage long sys32_fadvise64(int, unsigned, unsigned, size_t, int);
21750+asmlinkage long sys32_fadvise64(int, unsigned, unsigned, int, int);
21751 asmlinkage long sys32_fallocate(int, int, unsigned,
21752 unsigned, unsigned, unsigned);
21753
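Review bot: `sys32_fadvise64()` ends up with a signed length, since its fourth parameter goes from `size_t` to `int`, while the hunk above narrows the `truncate64` halves to `unsigned int`. With a signed type, a 32-bit caller passing a length of 2 GiB or more reaches the implementation as a negative value. Whether that is then rejected or sign-extended into a 64-bit length depends on the definition in ia32/sys_ia32.c, which is outside this hunk. If the aim is only to narrow the argument to 32 bits, `asmlinkage long sys32_fadvise64(int, unsigned, unsigned, unsigned int, int);` does that without changing the sign.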
21754diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
21755index 225ee54..fae4566 100644
21756--- a/arch/x86/include/asm/thread_info.h
21757+++ b/arch/x86/include/asm/thread_info.h
21758@@ -36,7 +36,7 @@
21759 #ifdef CONFIG_X86_32
21760 # define TOP_OF_KERNEL_STACK_PADDING 8
21761 #else
21762-# define TOP_OF_KERNEL_STACK_PADDING 0
21763+# define TOP_OF_KERNEL_STACK_PADDING 16
21764 #endif
21765
21766 /*
21767@@ -50,27 +50,26 @@ struct task_struct;
21768 #include <linux/atomic.h>
21769
21770 struct thread_info {
21771- struct task_struct *task; /* main task structure */
21772 __u32 flags; /* low level flags */
21773 __u32 status; /* thread synchronous flags */
21774 __u32 cpu; /* current CPU */
21775 int saved_preempt_count;
21776 mm_segment_t addr_limit;
21777 void __user *sysenter_return;
21778+ unsigned long lowest_stack;
21779 unsigned int sig_on_uaccess_error:1;
21780 unsigned int uaccess_err:1; /* uaccess failed */
21781 };
21782
21783-#define INIT_THREAD_INFO(tsk) \
21784+#define INIT_THREAD_INFO \
21785 { \
21786- .task = &tsk, \
21787 .flags = 0, \
21788 .cpu = 0, \
21789 .saved_preempt_count = INIT_PREEMPT_COUNT, \
21790 .addr_limit = KERNEL_DS, \
21791 }
21792
21793-#define init_thread_info (init_thread_union.thread_info)
21794+#define init_thread_info (init_thread_union.stack)
21795 #define init_stack (init_thread_union.stack)
21796
21797 #else /* !__ASSEMBLY__ */
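Review bot: `init_thread_info` no longer has type `struct thread_info`: it and `init_stack` now expand to the same expression, `(init_thread_union.stack)`. Any remaining user that takes a member of it, or passes its address as a thread_info, would either fail to build or treat the stack array as one; the users are outside this hunk. If thread_info now lives in task_struct, as `task_thread_info()` later in this file suggests, it would be cleaner to drop the macro. Failing that, comment it: `/* legacy name: aliases init_stack, not a struct thread_info */`.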
21798@@ -110,6 +109,7 @@ struct thread_info {
21799 #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */
21800 #define TIF_ADDR32 29 /* 32-bit address space on 64 bits */
21801 #define TIF_X32 30 /* 32-bit native x86-64 binary */
21802+#define TIF_GRSEC_SETXID 31 /* update credentials on syscall entry/exit */
21803
21804 #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
21805 #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
21806@@ -133,17 +133,18 @@ struct thread_info {
21807 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
21808 #define _TIF_ADDR32 (1 << TIF_ADDR32)
21809 #define _TIF_X32 (1 << TIF_X32)
21810+#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID)
21811
21812 /* work to do in syscall_trace_enter() */
21813 #define _TIF_WORK_SYSCALL_ENTRY \
21814 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT | \
21815 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | \
21816- _TIF_NOHZ)
21817+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
21818
21819 /* work to do in syscall_trace_leave() */
21820 #define _TIF_WORK_SYSCALL_EXIT \
21821 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP | \
21822- _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ)
21823+ _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ | _TIF_GRSEC_SETXID)
21824
21825 /* work to do on interrupt/exception return */
21826 #define _TIF_WORK_MASK \
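Review bot: `TIF_GRSEC_SETXID` is bit 31, so `_TIF_GRSEC_SETXID` is negative as a plain `int`, and `_TIF_WORK_SYSCALL_ENTRY`, `_TIF_WORK_SYSCALL_EXIT` and (in the next hunk) `_TIF_ALLWORK_MASK` inherit that. `flags` is `__u32` in the struct shown earlier in this file, so tests against it are fine, but a C user that widens one of these masks to `unsigned long` first would see the upper 32 bits set. The header is shared with assembly, so a `U` suffix is probably not an option. I would at least add `/* bit 31: negative as int, only test against the 32-bit flags word */` next to the define.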
21827@@ -154,7 +155,7 @@ struct thread_info {
21828 /* work to do on any return to user space */
21829 #define _TIF_ALLWORK_MASK \
21830 ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT | \
21831- _TIF_NOHZ)
21832+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
21833
21834 /* Only used for 64 bit */
21835 #define _TIF_DO_NOTIFY_MASK \
21836@@ -177,9 +178,11 @@ struct thread_info {
21837 */
21838 #ifndef __ASSEMBLY__
21839
21840+DECLARE_PER_CPU(struct thread_info *, current_tinfo);
21841+
21842 static inline struct thread_info *current_thread_info(void)
21843 {
21844- return (struct thread_info *)(current_top_of_stack() - THREAD_SIZE);
21845+ return this_cpu_read_stable(current_tinfo);
21846 }
21847
21848 static inline unsigned long current_stack_pointer(void)
21849@@ -195,14 +198,9 @@ static inline unsigned long current_stack_pointer(void)
21850
21851 #else /* !__ASSEMBLY__ */
21852
21853-#ifdef CONFIG_X86_64
21854-# define cpu_current_top_of_stack (cpu_tss + TSS_sp0)
21855-#endif
21856-
21857 /* Load thread_info address into "reg" */
21858 #define GET_THREAD_INFO(reg) \
21859- _ASM_MOV PER_CPU_VAR(cpu_current_top_of_stack),reg ; \
21860- _ASM_SUB $(THREAD_SIZE),reg ;
21861+ _ASM_MOV PER_CPU_VAR(current_tinfo),reg ;
21862
21863 /*
21864 * ASM operand which evaluates to a 'thread_info' address of
21865@@ -295,5 +293,12 @@ static inline bool is_ia32_task(void)
21866 extern void arch_task_cache_init(void);
21867 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
21868 extern void arch_release_task_struct(struct task_struct *tsk);
21869+
21870+#define __HAVE_THREAD_FUNCTIONS
21871+#define task_thread_info(task) (&(task)->tinfo)
21872+#define task_stack_page(task) ((task)->stack)
21873+#define setup_thread_stack(p, org) do {} while (0)
21874+#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
21875+
21876 #endif
21877 #endif /* _ASM_X86_THREAD_INFO_H */
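diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
index cd79194..6a9956f 100644
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -86,18 +86,44 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
 
 static inline void __native_flush_tlb(void)
 {
+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
+ u64 descriptor[2];
+
+ descriptor[0] = PCID_KERNEL;
+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_NONGLOBAL) : "memory");
+ return;
+ }
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
+ unsigned int cpu = raw_get_cpu();
+
+ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
+ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
+ raw_put_cpu_no_resched();
+ return;
+ }
+#endif
+
 native_write_cr3(native_read_cr3());
 }
 
 static inline void __native_flush_tlb_global_irq_disabled(void)
 {
- unsigned long cr4;
+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
+ u64 descriptor[2];
 
- cr4 = this_cpu_read(cpu_tlbstate.cr4);
- /* clear PGE */
- native_write_cr4(cr4 & ~X86_CR4_PGE);
- /* write old PGE again and flush TLBs */
- native_write_cr4(cr4);
+ descriptor[0] = PCID_KERNEL;
+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
+ } else {
+ unsigned long cr4;
+
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
+ /* clear PGE */
+ native_write_cr4(cr4 & ~X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+ native_write_cr4(cr4);
+ }
 }
 
 static inline void __native_flush_tlb_global(void)
@@ -118,6 +144,43 @@ static inline void __native_flush_tlb_global(void)
 
 static inline void __native_flush_tlb_single(unsigned long addr)
 {
+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
+ u64 descriptor[2];
+
+ descriptor[0] = PCID_KERNEL;
+ descriptor[1] = addr;
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) {
+ if (addr < TASK_SIZE_MAX)
+ descriptor[1] += pax_user_shadow_base;
+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
+ }
+
+ descriptor[0] = PCID_USER;
+ descriptor[1] = addr;
+ }
+#endif
+
+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
+ return;
+ }
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
+ unsigned int cpu = raw_get_cpu();
+
+ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
+ asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
+ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
+ raw_put_cpu_no_resched();
+
+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) && addr < TASK_SIZE_MAX)
+ addr += pax_user_shadow_base;
+ }
+#endif
+
 asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
 }
 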
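Review bot: In `__native_flush_tlb()` and `__native_flush_tlb_global_irq_disabled()` the new `u64 descriptor[2]` has only `descriptor[0]` assigned before its address is passed to the INVPCID asm, so the second quadword is whatever was on the stack. The hardware may ignore the address field for the all-context invalidation types, but nothing in these hunks shows that, and the `"memory"` clobber makes the asm a potential reader of the whole array. Initialising at the declaration, `u64 descriptor[2] = { PCID_KERNEL, 0 };`, removes the question. In `__native_flush_tlb_single()` the nested `X86_FEATURE_STRONGUDEREF` / `TASK_SIZE_MAX` tests decide whether an address is invalidated once or twice (presumably the `pax_user_shadow_base` alias under the kernel PCID, then the original address under the user PCID). A short comment stating that rule would help anyone auditing this isolation-critical path.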
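diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index a8df874..ef0e34f 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -7,6 +7,7 @@
 #include <linux/compiler.h>
 #include <linux/thread_info.h>
 #include <linux/string.h>
+#include <linux/spinlock.h>
 #include <asm/asm.h>
 #include <asm/page.h>
 #include <asm/smap.h>
@@ -29,7 +30,12 @@
 
 #define get_ds() (KERNEL_DS)
 #define get_fs() (current_thread_info()->addr_limit)
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
+void __set_fs(mm_segment_t x);
+void set_fs(mm_segment_t x);
+#else
 #define set_fs(x) (current_thread_info()->addr_limit = (x))
+#endif
 
 #define segment_eq(a, b) ((a).seg == (b).seg)
 
@@ -86,8 +92,36 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
 * checks that the pointer is in the user space range - after calling
 * this function, memory access functions may still return -EFAULT.
 */
-#define access_ok(type, addr, size) \
- likely(!__range_not_ok(addr, size, user_addr_max()))
+extern int _cond_resched(void);
+#define access_ok_noprefault(type, addr, size) (likely(!__range_not_ok(addr, size, user_addr_max())))
+#define access_ok(type, addr, size) \
+({ \
+ unsigned long __size = size; \
+ unsigned long __addr = (unsigned long)addr; \
+ bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\
+ if (__ret_ao && __size) { \
+ unsigned long __addr_ao = __addr & PAGE_MASK; \
+ unsigned long __end_ao = __addr + __size - 1; \
+ if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
+ while (__addr_ao <= __end_ao) { \
+ char __c_ao; \
+ __addr_ao += PAGE_SIZE; \
+ if (__size > PAGE_SIZE) \
+ _cond_resched(); \
+ if (__get_user(__c_ao, (char __user *)__addr)) \
+ break; \
+ if (type != VERIFY_WRITE) { \
+ __addr = __addr_ao; \
+ continue; \
+ } \
+ if (__put_user(__c_ao, (char __user *)__addr)) \
+ break; \
+ __addr = __addr_ao; \
+ } \
+ } \
+ } \
+ __ret_ao; \
+})
 
 /*
 * The exception table consists of pairs of addresses relative to the
@@ -135,11 +169,13 @@ extern int __get_user_8(void);
 extern int __get_user_bad(void);
 
 /*
- * This is a type: either unsigned long, if the argument fits into
- * that type, or otherwise unsigned long long.
+ * This is a type: either (un)signed int, if the argument fits into
+ * that type, or otherwise (un)signed long long.
 */
 #define __inttype(x) \
-__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
+__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0U), \
+ __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0ULL, 0LL),\
+ __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0U, 0)))
 
 /**
 * get_user: - Get a simple variable from user space.
@@ -178,10 +214,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
 register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \
 __chk_user_ptr(ptr); \
 might_fault(); \
+ pax_open_userland(); \
 asm volatile("call __get_user_%P3" \
 : "=a" (__ret_gu), "=r" (__val_gu) \
 : "0" (ptr), "i" (sizeof(*(ptr)))); \
 (x) = (__force __typeof__(*(ptr))) __val_gu; \
+ pax_close_userland(); \
 __ret_gu; \
 })
 
@@ -189,13 +227,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
 
-
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
+#define __copyuser_seg "gs;"
+#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
+#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
+#else
+#define __copyuser_seg
+#define __COPYUSER_SET_ES
+#define __COPYUSER_RESTORE_ES
+#endif
 
 #ifdef CONFIG_X86_32
 #define __put_user_asm_u64(x, addr, err, errret) \
 asm volatile(ASM_STAC "\n" \
- "1: movl %%eax,0(%2)\n" \
- "2: movl %%edx,4(%2)\n" \
+ "1: "__copyuser_seg"movl %%eax,0(%2)\n" \
+ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
 "3: " ASM_CLAC "\n" \
 ".section .fixup,\"ax\"\n" \
 "4: movl %3,%0\n" \
@@ -208,8 +254,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
 
 #define __put_user_asm_ex_u64(x, addr) \
 asm volatile(ASM_STAC "\n" \
- "1: movl %%eax,0(%1)\n" \
- "2: movl %%edx,4(%1)\n" \
+ "1: "__copyuser_seg"movl %%eax,0(%1)\n" \
+ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
 "3: " ASM_CLAC "\n" \
 _ASM_EXTABLE_EX(1b, 2b) \
 _ASM_EXTABLE_EX(2b, 3b) \
@@ -260,7 +306,8 @@ extern void __put_user_8(void);
 __typeof__(*(ptr)) __pu_val; \
 __chk_user_ptr(ptr); \
 might_fault(); \
- __pu_val = x; \
+ __pu_val = (x); \
+ pax_open_userland(); \
 switch (sizeof(*(ptr))) { \
 case 1: \
 __put_user_x(1, __pu_val, ptr, __ret_pu); \
@@ -278,6 +325,7 @@ extern void __put_user_8(void);
 __put_user_x(X, __pu_val, ptr, __ret_pu); \
 break; \
 } \
+ pax_close_userland(); \
 __ret_pu; \
 })
 
@@ -358,8 +406,10 @@ do { \
 } while (0)
 
 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
+do { \
+ pax_open_userland(); \
 asm volatile(ASM_STAC "\n" \
- "1: mov"itype" %2,%"rtype"1\n" \
+ "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
 "2: " ASM_CLAC "\n" \
 ".section .fixup,\"ax\"\n" \
 "3: mov %3,%0\n" \
@@ -367,8 +417,10 @@ do { \
 " jmp 2b\n" \
 ".previous\n" \
 _ASM_EXTABLE(1b, 3b) \
- : "=r" (err), ltype(x) \
- : "m" (__m(addr)), "i" (errret), "0" (err))
+ : "=r" (err), ltype (x) \
+ : "m" (__m(addr)), "i" (errret), "0" (err)); \
+ pax_close_userland(); \
+} while (0)
 
 #define __get_user_size_ex(x, ptr, size) \
 do { \
@@ -392,7 +444,7 @@ do { \
 } while (0)
 
 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
+ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
 "2:\n" \
 _ASM_EXTABLE_EX(1b, 2b) \
 : ltype(x) : "m" (__m(addr)))
@@ -409,13 +461,24 @@ do { \
 int __gu_err; \
 unsigned long __gu_val; \
 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
- (x) = (__force __typeof__(*(ptr)))__gu_val; \
+ (x) = (__typeof__(*(ptr)))__gu_val; \
 __gu_err; \
 })
 
 /* FIXME: this hack is definitely wrong -AK */
 struct __large_struct { unsigned long buf[100]; };
-#define __m(x) (*(struct __large_struct __user *)(x))
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+#define ____m(x) \
+({ \
+ unsigned long ____x = (unsigned long)(x); \
+ if (____x < pax_user_shadow_base) \
+ ____x += pax_user_shadow_base; \
+ (typeof(x))____x; \
+})
+#else
+#define ____m(x) (x)
+#endif
+#define __m(x) (*(struct __large_struct __user *)____m(x))
 
 /*
 * Tell gcc we read from memory instead of writing: this is because
@@ -423,8 +486,10 @@ struct __large_struct { unsigned long buf[100]; };
 * aliasing issues.
 */
 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
+do { \
+ pax_open_userland(); \
 asm volatile(ASM_STAC "\n" \
- "1: mov"itype" %"rtype"1,%2\n" \
+ "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
 "2: " ASM_CLAC "\n" \
 ".section .fixup,\"ax\"\n" \
 "3: mov %3,%0\n" \
@@ -432,10 +497,12 @@ struct __large_struct { unsigned long buf[100]; };
 ".previous\n" \
 _ASM_EXTABLE(1b, 3b) \
 : "=r"(err) \
- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err));\
+ pax_close_userland(); \
+} while (0)
 
 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
 "2:\n" \
 _ASM_EXTABLE_EX(1b, 2b) \
 : : ltype(x), "m" (__m(addr)))
@@ -445,11 +512,13 @@ struct __large_struct { unsigned long buf[100]; };
 */
 #define uaccess_try do { \
 current_thread_info()->uaccess_err = 0; \
+ pax_open_userland(); \
 stac(); \
 barrier();
 
 #define uaccess_catch(err) \
 clac(); \
+ pax_close_userland(); \
 (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \
 } while (0)
 
@@ -475,8 +544,12 @@ struct __large_struct { unsigned long buf[100]; };
 * On error, the variable @x is set to zero.
 */
 
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+#define __get_user(x, ptr) get_user((x), (ptr))
+#else
 #define __get_user(x, ptr) \
 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
+#endif
 
 /**
 * __put_user: - Write a simple value into user space, with less checking.
@@ -499,8 +572,12 @@ struct __large_struct { unsigned long buf[100]; };
 * Returns zero on success, or -EFAULT on error.
 */
 
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+#define __put_user(x, ptr) put_user((x), (ptr))
+#else
 #define __put_user(x, ptr) \
 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
+#endif
 
 #define __get_user_unaligned __get_user
 #define __put_user_unaligned __put_user
@@ -518,7 +595,7 @@ struct __large_struct { unsigned long buf[100]; };
 #define get_user_ex(x, ptr) do { \
 unsigned long __gue_val; \
 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
- (x) = (__force __typeof__(*(ptr)))__gue_val; \
+ (x) = (__typeof__(*(ptr)))__gue_val; \
 } while (0)
 
 #define put_user_try uaccess_try
@@ -536,7 +613,7 @@ extern __must_check long strlen_user(const char __user *str);
 extern __must_check long strnlen_user(const char __user *str, long n);
 
 unsigned long __must_check clear_user(void __user *mem, unsigned long len);
-unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
+unsigned long __must_check __clear_user(void __user *mem, unsigned long len) __size_overflow(2);
 
 extern void __cmpxchg_wrong_size(void)
 __compiletime_error("Bad argument size for cmpxchg");
@@ -547,18 +624,19 @@ extern void __cmpxchg_wrong_size(void)
 __typeof__(ptr) __uval = (uval); \
 __typeof__(*(ptr)) __old = (old); \
 __typeof__(*(ptr)) __new = (new); \
+ pax_open_userland(); \
 switch (size) { \
 case 1: \
 { \
 asm volatile("\t" ASM_STAC "\n" \
- "1:\t" LOCK_PREFIX "cmpxchgb %4, %2\n" \
+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgb %4, %2\n"\
 "2:\t" ASM_CLAC "\n" \
 "\t.section .fixup, \"ax\"\n" \
 "3:\tmov %3, %0\n" \
 "\tjmp 2b\n" \
 "\t.previous\n" \
 _ASM_EXTABLE(1b, 3b) \
- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
 : "i" (-EFAULT), "q" (__new), "1" (__old) \
 : "memory" \
 ); \
@@ -567,14 +645,14 @@ extern void __cmpxchg_wrong_size(void)
 case 2: \
 { \
 asm volatile("\t" ASM_STAC "\n" \
- "1:\t" LOCK_PREFIX "cmpxchgw %4, %2\n" \
+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgw %4, %2\n"\
 "2:\t" ASM_CLAC "\n" \
 "\t.section .fixup, \"ax\"\n" \
 "3:\tmov %3, %0\n" \
 "\tjmp 2b\n" \
 "\t.previous\n" \
 _ASM_EXTABLE(1b, 3b) \
- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
 : "i" (-EFAULT), "r" (__new), "1" (__old) \
 : "memory" \
 ); \
@@ -583,14 +661,14 @@ extern void __cmpxchg_wrong_size(void)
 case 4: \
 { \
 asm volatile("\t" ASM_STAC "\n" \
- "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n" \
+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"\
 "2:\t" ASM_CLAC "\n" \
 "\t.section .fixup, \"ax\"\n" \
 "3:\tmov %3, %0\n" \
 "\tjmp 2b\n" \
 "\t.previous\n" \
 _ASM_EXTABLE(1b, 3b) \
- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
 : "i" (-EFAULT), "r" (__new), "1" (__old) \
 : "memory" \
 ); \
@@ -602,14 +680,14 @@ extern void __cmpxchg_wrong_size(void)
 __cmpxchg_wrong_size(); \
 \
 asm volatile("\t" ASM_STAC "\n" \
- "1:\t" LOCK_PREFIX "cmpxchgq %4, %2\n" \
+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgq %4, %2\n"\
 "2:\t" ASM_CLAC "\n" \
 "\t.section .fixup, \"ax\"\n" \
 "3:\tmov %3, %0\n" \
 "\tjmp 2b\n" \
 "\t.previous\n" \
 _ASM_EXTABLE(1b, 3b) \
- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
 : "i" (-EFAULT), "r" (__new), "1" (__old) \
 : "memory" \
 ); \
@@ -618,6 +696,7 @@ extern void __cmpxchg_wrong_size(void)
 default: \
 __cmpxchg_wrong_size(); \
 } \
+ pax_close_userland(); \
 *__uval = __old; \
 __ret; \
 })
@@ -641,17 +720,6 @@ extern struct movsl_mask {
 
 #define ARCH_HAS_NOCACHE_UACCESS 1
 
-#ifdef CONFIG_X86_32
-# include <asm/uaccess_32.h>
-#else
-# include <asm/uaccess_64.h>
-#endif
-
-unsigned long __must_check _copy_from_user(void *to, const void __user *from,
- unsigned n);
-unsigned long __must_check _copy_to_user(void __user *to, const void *from,
- unsigned n);
-
 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
 # define copy_user_diag __compiletime_error
 #else
@@ -661,7 +729,7 @@ unsigned long __must_check _copy_to_user(void __user *to, const void *from,
 extern void copy_user_diag("copy_from_user() buffer size is too small")
 copy_from_user_overflow(void);
 extern void copy_user_diag("copy_to_user() buffer size is too small")
-copy_to_user_overflow(void) __asm__("copy_from_user_overflow");
+copy_to_user_overflow(void);
 
 #undef copy_user_diag
 
@@ -674,7 +742,7 @@ __copy_from_user_overflow(void) __asm__("copy_from_user_overflow");
 
 extern void
 __compiletime_warning("copy_to_user() buffer size is not provably correct")
-__copy_to_user_overflow(void) __asm__("copy_from_user_overflow");
+__copy_to_user_overflow(void) __asm__("copy_to_user_overflow");
 #define __copy_to_user_overflow(size, count) __copy_to_user_overflow()
 
 #else
@@ -689,10 +757,16 @@ __copy_from_user_overflow(int size, unsigned long count)
 
 #endif
 
+#ifdef CONFIG_X86_32
+# include <asm/uaccess_32.h>
+#else
+# include <asm/uaccess_64.h>
+#endif
+
 static inline unsigned long __must_check
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {
- int sz = __compiletime_object_size(to);
+ size_t sz = __compiletime_object_size(to);
 
 might_fault();
 
@@ -714,12 +788,15 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
 * case, and do only runtime checking for non-constant sizes.
 */
 
- if (likely(sz < 0 || sz >= n))
- n = _copy_from_user(to, from, n);
- else if(__builtin_constant_p(n))
- copy_from_user_overflow();
- else
- __copy_from_user_overflow(sz, n);
+ if (likely(sz != (size_t)-1 && sz < n)) {
+ if(__builtin_constant_p(n))
+ copy_from_user_overflow();
+ else
+ __copy_from_user_overflow(sz, n);
+ } else if (access_ok(VERIFY_READ, from, n))
+ n = __copy_from_user(to, from, n);
+ else if ((long)n > 0)
+ memset(to, 0, n);
 
 return n;
 }
@@ -727,17 +804,18 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
 static inline unsigned long __must_check
 copy_to_user(void __user *to, const void *from, unsigned long n)
 {
- int sz = __compiletime_object_size(from);
+ size_t sz = __compiletime_object_size(from);
 
 might_fault();
 
 /* See the comment in copy_from_user() above. */
- if (likely(sz < 0 || sz >= n))
- n = _copy_to_user(to, from, n);
- else if(__builtin_constant_p(n))
- copy_to_user_overflow();
- else
- __copy_to_user_overflow(sz, n);
+ if (likely(sz != (size_t)-1 && sz < n)) {
+ if(__builtin_constant_p(n))
+ copy_to_user_overflow();
+ else
+ __copy_to_user_overflow(sz, n);
+ } else if (access_ok(VERIFY_WRITE, to, n))
+ n = __copy_to_user(to, from, n);
 
 return n;
 }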
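Review bot: The rewritten `access_ok()` casts its argument without parentheses, `unsigned long __addr = (unsigned long)addr;`, so a caller passing pointer arithmetic such as `p + i` on a non-`char` pointer gets `(unsigned long)p + i`. The offset is then unscaled, and both the range check and the prefault loop work on a different address than the one later accessed. It should read `unsigned long __addr = (unsigned long)(addr);`, with `(size)` and `(type)` parenthesised the same way. The macro now also reads and writes user memory and may call `_cond_resched()`, which the retained comment above it ("checks that the pointer is in the user space range") no longer describes; that deserves a sentence there. Separately, `copy_from_user()` and `copy_to_user()` wrap the overflow test `sz != (size_t)-1 && sz < n` in `likely()`, marking the error path as the hot one, whereas the `__copy_*_nocheck()` helpers in `uaccess_64.h` use `unlikely()` for the same condition.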
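diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
index f5dcb52..da2c15b 100644
--- a/arch/x86/include/asm/uaccess_32.h
+++ b/arch/x86/include/asm/uaccess_32.h
@@ -40,9 +40,14 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
 * anything, so this is accurate.
 */
 
-static __always_inline unsigned long __must_check
+static __always_inline __size_overflow(3) unsigned long __must_check
 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
+ check_object_size(from, n, true);
+
 if (__builtin_constant_p(n)) {
 unsigned long ret;
 
@@ -87,12 +92,16 @@ static __always_inline unsigned long __must_check
 __copy_to_user(void __user *to, const void *from, unsigned long n)
 {
 might_fault();
+
 return __copy_to_user_inatomic(to, from, n);
 }
 
-static __always_inline unsigned long
+static __always_inline __size_overflow(3) unsigned long
 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
 /* Avoid zeroing the tail if the copy fails..
 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
 * but as the zeroing behaviour is only significant when n is not
@@ -143,6 +152,12 @@ static __always_inline unsigned long
 __copy_from_user(void *to, const void __user *from, unsigned long n)
 {
 might_fault();
+
+ if ((long)n < 0)
+ return n;
+
+ check_object_size(to, n, false);
+
 if (__builtin_constant_p(n)) {
 unsigned long ret;
 
@@ -165,6 +180,10 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
 const void __user *from, unsigned long n)
 {
 might_fault();
+
+ if ((long)n < 0)
+ return n;
+
 if (__builtin_constant_p(n)) {
 unsigned long ret;
 
@@ -187,7 +206,10 @@ static __always_inline unsigned long
 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
 unsigned long n)
 {
- return __copy_from_user_ll_nocache_nozero(to, from, n);
+ if ((long)n < 0)
+ return n;
+
+ return __copy_from_user_ll_nocache_nozero(to, from, n);
 }
 
 #endif /* _ASM_X86_UACCESS_32_H */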
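Review bot: `check_object_size()` is added to `__copy_to_user_inatomic()` and `__copy_from_user()`, but `__copy_from_user_inatomic()`, `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()` receive only the `(long)n < 0` guard, so kernel destinations written through those three paths presumably skip the object-size check. If the omission is deliberate (the reason is not visible in these hunks), a comment in each function should say so; otherwise add `check_object_size(to, n, false);` after the guard. The guard returns `n` unchanged for any length with the top bit set, and a one-line comment such as `/* length has the sign bit set: refuse, report nothing copied */` would document that contract for callers. Most of these function bodies continue outside their hunks, so the rest of each copy path was not reviewed.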
22528diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
22529index f2f9b39..2ae1bf8 100644
22530--- a/arch/x86/include/asm/uaccess_64.h
22531+++ b/arch/x86/include/asm/uaccess_64.h
22532@@ -10,6 +10,9 @@
22533 #include <asm/alternative.h>
22534 #include <asm/cpufeature.h>
22535 #include <asm/page.h>
22536+#include <asm/pgtable.h>
22537+
22538+#define set_fs(x) (current_thread_info()->addr_limit = (x))
22539
22540 /*
22541 * Copy To/From Userspace
22542@@ -23,8 +26,8 @@ copy_user_generic_string(void *to, const void *from, unsigned len);
22543 __must_check unsigned long
22544 copy_user_generic_unrolled(void *to, const void *from, unsigned len);
22545
22546-static __always_inline __must_check unsigned long
22547-copy_user_generic(void *to, const void *from, unsigned len)
22548+static __always_inline __must_check __size_overflow(3) unsigned long
22549+copy_user_generic(void *to, const void *from, unsigned long len)
22550 {
22551 unsigned ret;
22552
22553@@ -46,121 +49,170 @@ copy_user_generic(void *to, const void *from, unsigned len)
22554 }
22555
22556 __must_check unsigned long
22557-copy_in_user(void __user *to, const void __user *from, unsigned len);
22558+copy_in_user(void __user *to, const void __user *from, unsigned long len);
22559
22560 static __always_inline __must_check
22561-int __copy_from_user_nocheck(void *dst, const void __user *src, unsigned size)
22562+unsigned long __copy_from_user_nocheck(void *dst, const void __user *src, unsigned long size)
22563 {
22564- int ret = 0;
22565+ size_t sz = __compiletime_object_size(dst);
22566+ unsigned ret = 0;
22567+
22568+ if (size > INT_MAX)
22569+ return size;
22570+
22571+ check_object_size(dst, size, false);
22572+
22573+#ifdef CONFIG_PAX_MEMORY_UDEREF
22574+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22575+ return size;
22576+#endif
22577+
22578+ if (unlikely(sz != (size_t)-1 && sz < size)) {
22579+ if(__builtin_constant_p(size))
22580+ copy_from_user_overflow();
22581+ else
22582+ __copy_from_user_overflow(sz, size);
22583+ return size;
22584+ }
22585
22586 if (!__builtin_constant_p(size))
22587- return copy_user_generic(dst, (__force void *)src, size);
22588+ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
22589 switch (size) {
22590- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
22591+ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
22592 ret, "b", "b", "=q", 1);
22593 return ret;
22594- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
22595+ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
22596 ret, "w", "w", "=r", 2);
22597 return ret;
22598- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
22599+ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
22600 ret, "l", "k", "=r", 4);
22601 return ret;
22602- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
22603+ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22604 ret, "q", "", "=r", 8);
22605 return ret;
22606 case 10:
22607- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
22608+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22609 ret, "q", "", "=r", 10);
22610 if (unlikely(ret))
22611 return ret;
22612 __get_user_asm(*(u16 *)(8 + (char *)dst),
22613- (u16 __user *)(8 + (char __user *)src),
22614+ (const u16 __user *)(8 + (const char __user *)src),
22615 ret, "w", "w", "=r", 2);
22616 return ret;
22617 case 16:
22618- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
22619+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22620 ret, "q", "", "=r", 16);
22621 if (unlikely(ret))
22622 return ret;
22623 __get_user_asm(*(u64 *)(8 + (char *)dst),
22624- (u64 __user *)(8 + (char __user *)src),
22625+ (const u64 __user *)(8 + (const char __user *)src),
22626 ret, "q", "", "=r", 8);
22627 return ret;
22628 default:
22629- return copy_user_generic(dst, (__force void *)src, size);
22630+ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
22631 }
22632 }
22633
22634 static __always_inline __must_check
22635-int __copy_from_user(void *dst, const void __user *src, unsigned size)
22636+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size)
22637 {
22638 might_fault();
22639 return __copy_from_user_nocheck(dst, src, size);
22640 }
22641
22642 static __always_inline __must_check
22643-int __copy_to_user_nocheck(void __user *dst, const void *src, unsigned size)
22644+unsigned long __copy_to_user_nocheck(void __user *dst, const void *src, unsigned long size)
22645 {
22646- int ret = 0;
22647+ size_t sz = __compiletime_object_size(src);
22648+ unsigned ret = 0;
22649+
22650+ if (size > INT_MAX)
22651+ return size;
22652+
22653+ check_object_size(src, size, true);
22654+
22655+#ifdef CONFIG_PAX_MEMORY_UDEREF
22656+ if (!access_ok_noprefault(VERIFY_WRITE, dst, size))
22657+ return size;
22658+#endif
22659+
22660+ if (unlikely(sz != (size_t)-1 && sz < size)) {
22661+ if(__builtin_constant_p(size))
22662+ copy_to_user_overflow();
22663+ else
22664+ __copy_to_user_overflow(sz, size);
22665+ return size;
22666+ }
22667
22668 if (!__builtin_constant_p(size))
22669- return copy_user_generic((__force void *)dst, src, size);
22670+ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
22671 switch (size) {
22672- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
22673+ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
22674 ret, "b", "b", "iq", 1);
22675 return ret;
22676- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
22677+ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
22678 ret, "w", "w", "ir", 2);
22679 return ret;
22680- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
22681+ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
22682 ret, "l", "k", "ir", 4);
22683 return ret;
22684- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
22685+ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22686 ret, "q", "", "er", 8);
22687 return ret;
22688 case 10:
22689- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
22690+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22691 ret, "q", "", "er", 10);
22692 if (unlikely(ret))
22693 return ret;
22694 asm("":::"memory");
22695- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
22696+ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
22697 ret, "w", "w", "ir", 2);
22698 return ret;
22699 case 16:
22700- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
22701+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22702 ret, "q", "", "er", 16);
22703 if (unlikely(ret))
22704 return ret;
22705 asm("":::"memory");
22706- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
22707+ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
22708 ret, "q", "", "er", 8);
22709 return ret;
22710 default:
22711- return copy_user_generic((__force void *)dst, src, size);
22712+ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
22713 }
22714 }
22715
22716 static __always_inline __must_check
22717-int __copy_to_user(void __user *dst, const void *src, unsigned size)
22718+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size)
22719 {
22720 might_fault();
22721 return __copy_to_user_nocheck(dst, src, size);
22722 }
22723
22724 static __always_inline __must_check
22725-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22726+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22727 {
22728- int ret = 0;
22729+ unsigned ret = 0;
22730
22731 might_fault();
22732+
22733+ if (size > INT_MAX)
22734+ return size;
22735+
22736+#ifdef CONFIG_PAX_MEMORY_UDEREF
22737+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22738+ return size;
22739+ if (!access_ok_noprefault(VERIFY_WRITE, dst, size))
22740+ return size;
22741+#endif
22742+
22743 if (!__builtin_constant_p(size))
22744- return copy_user_generic((__force void *)dst,
22745- (__force void *)src, size);
22746+ return copy_user_generic((__force_kernel void *)____m(dst),
22747+ (__force_kernel const void *)____m(src), size);
22748 switch (size) {
22749 case 1: {
22750 u8 tmp;
22751- __get_user_asm(tmp, (u8 __user *)src,
22752+ __get_user_asm(tmp, (const u8 __user *)src,
22753 ret, "b", "b", "=q", 1);
22754 if (likely(!ret))
22755 __put_user_asm(tmp, (u8 __user *)dst,
22756@@ -169,7 +221,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22757 }
22758 case 2: {
22759 u16 tmp;
22760- __get_user_asm(tmp, (u16 __user *)src,
22761+ __get_user_asm(tmp, (const u16 __user *)src,
22762 ret, "w", "w", "=r", 2);
22763 if (likely(!ret))
22764 __put_user_asm(tmp, (u16 __user *)dst,
22765@@ -179,7 +231,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22766
22767 case 4: {
22768 u32 tmp;
22769- __get_user_asm(tmp, (u32 __user *)src,
22770+ __get_user_asm(tmp, (const u32 __user *)src,
22771 ret, "l", "k", "=r", 4);
22772 if (likely(!ret))
22773 __put_user_asm(tmp, (u32 __user *)dst,
22774@@ -188,7 +240,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22775 }
22776 case 8: {
22777 u64 tmp;
22778- __get_user_asm(tmp, (u64 __user *)src,
22779+ __get_user_asm(tmp, (const u64 __user *)src,
22780 ret, "q", "", "=r", 8);
22781 if (likely(!ret))
22782 __put_user_asm(tmp, (u64 __user *)dst,
22783@@ -196,41 +248,58 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22784 return ret;
22785 }
22786 default:
22787- return copy_user_generic((__force void *)dst,
22788- (__force void *)src, size);
22789+ return copy_user_generic((__force_kernel void *)____m(dst),
22790+ (__force_kernel const void *)____m(src), size);
22791 }
22792 }
22793
22794-static __must_check __always_inline int
22795-__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
22796+static __must_check __always_inline unsigned long
22797+__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
22798 {
22799 return __copy_from_user_nocheck(dst, src, size);
22800 }
22801
22802-static __must_check __always_inline int
22803-__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
22804+static __must_check __always_inline unsigned long
22805+__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size)
22806 {
22807 return __copy_to_user_nocheck(dst, src, size);
22808 }
22809
22810-extern long __copy_user_nocache(void *dst, const void __user *src,
22811- unsigned size, int zerorest);
22812+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
22813+ unsigned long size, int zerorest);
22814
22815-static inline int
22816-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
22817+static inline unsigned long
22818+__copy_from_user_nocache(void *dst, const void __user *src, unsigned long size)
22819 {
22820 might_fault();
22821+
22822+ if (size > INT_MAX)
22823+ return size;
22824+
22825+#ifdef CONFIG_PAX_MEMORY_UDEREF
22826+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22827+ return size;
22828+#endif
22829+
22830 return __copy_user_nocache(dst, src, size, 1);
22831 }
22832
22833-static inline int
22834+static inline unsigned long
22835 __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
22836- unsigned size)
22837+ unsigned long size)
22838 {
22839+ if (size > INT_MAX)
22840+ return size;
22841+
22842+#ifdef CONFIG_PAX_MEMORY_UDEREF
22843+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22844+ return size;
22845+#endif
22846+
22847 return __copy_user_nocache(dst, src, size, 0);
22848 }
22849
22850 unsigned long
22851-copy_user_handle_tail(char *to, char *from, unsigned len);
22852+copy_user_handle_tail(char __user *to, char __user *from, unsigned long len) __size_overflow(3);
22853
22854 #endif /* _ASM_X86_UACCESS_64_H */
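Review bot: The new early returns in `__copy_from_user_nocache` and `__copy_from_user_inatomic_nocache` (`size > INT_MAX`, and a failed `access_ok_noprefault` under CONFIG_PAX_MEMORY_UDEREF) leave `dst` untouched. The normal path of the first one passes `zerorest = 1` to `__copy_user_nocache`, which by its name presumably zero-fills the uncopied tail on a fault. A caller that ignores the non-zero result could therefore go on to use uninitialised kernel memory in `dst`, which the zeroing path would not allow. Zeroing is not sensible for the oversized case, so I would document the contract at both sites, e.g. `/* early rejects do not touch dst: a non-zero return means dst contents are undefined */`. It is also worth confirming that every caller checks the `__must_check`-less `static inline` result.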
22855diff --git a/arch/x86/include/asm/word-at-a-time.h b/arch/x86/include/asm/word-at-a-time.h
22856index 5b238981..77fdd78 100644
22857--- a/arch/x86/include/asm/word-at-a-time.h
22858+++ b/arch/x86/include/asm/word-at-a-time.h
22859@@ -11,7 +11,7 @@
22860 * and shift, for example.
22861 */
22862 struct word_at_a_time {
22863- const unsigned long one_bits, high_bits;
22864+ unsigned long one_bits, high_bits;
22865 };
22866
22867 #define WORD_AT_A_TIME_CONSTANTS { REPEAT_BYTE(0x01), REPEAT_BYTE(0x80) }
22868diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
22869index 48d34d2..90671c7 100644
22870--- a/arch/x86/include/asm/x86_init.h
22871+++ b/arch/x86/include/asm/x86_init.h
22872@@ -129,7 +129,7 @@ struct x86_init_ops {
22873 struct x86_init_timers timers;
22874 struct x86_init_iommu iommu;
22875 struct x86_init_pci pci;
22876-};
22877+} __no_const;
22878
22879 /**
22880 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
22881@@ -140,7 +140,7 @@ struct x86_cpuinit_ops {
22882 void (*setup_percpu_clockev)(void);
22883 void (*early_percpu_clock_init)(void);
22884 void (*fixup_cpu_id)(struct cpuinfo_x86 *c, int node);
22885-};
22886+} __no_const;
22887
22888 struct timespec;
22889
22890@@ -168,7 +168,7 @@ struct x86_platform_ops {
22891 void (*save_sched_clock_state)(void);
22892 void (*restore_sched_clock_state)(void);
22893 void (*apic_post_init)(void);
22894-};
22895+} __no_const;
22896
22897 struct pci_dev;
22898
22899@@ -177,12 +177,12 @@ struct x86_msi_ops {
22900 void (*teardown_msi_irq)(unsigned int irq);
22901 void (*teardown_msi_irqs)(struct pci_dev *dev);
22902 void (*restore_msi_irqs)(struct pci_dev *dev);
22903-};
22904+} __no_const;
22905
22906 struct x86_io_apic_ops {
22907 unsigned int (*read) (unsigned int apic, unsigned int reg);
22908 void (*disable)(void);
22909-};
22910+} __no_const;
22911
22912 extern struct x86_init_ops x86_init;
22913 extern struct x86_cpuinit_ops x86_cpuinit;
22914diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h
22915index c44a5d5..7f83cfc 100644
22916--- a/arch/x86/include/asm/xen/page.h
22917+++ b/arch/x86/include/asm/xen/page.h
22918@@ -82,7 +82,7 @@ static inline int xen_safe_read_ulong(unsigned long *addr, unsigned long *val)
22919 * - get_phys_to_machine() is to be called by __pfn_to_mfn() only in special
22920 * cases needing an extended handling.
22921 */
22922-static inline unsigned long __pfn_to_mfn(unsigned long pfn)
22923+static inline unsigned long __intentional_overflow(-1) __pfn_to_mfn(unsigned long pfn)
22924 {
22925 unsigned long mfn;
22926
22927diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h
22928index 0f457e6..5970c0a 100644
22929--- a/arch/x86/include/uapi/asm/e820.h
22930+++ b/arch/x86/include/uapi/asm/e820.h
22931@@ -69,7 +69,7 @@ struct e820map {
22932 #define ISA_START_ADDRESS 0xa0000
22933 #define ISA_END_ADDRESS 0x100000
22934
22935-#define BIOS_BEGIN 0x000a0000
22936+#define BIOS_BEGIN 0x000c0000
22937 #define BIOS_END 0x00100000
22938
22939 #define BIOS_ROM_BASE 0xffe00000
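Review bot: `BIOS_BEGIN` moves from 0x000a0000 to 0x000c0000 in a uapi header with no comment, while `ISA_START_ADDRESS` two lines above stays at 0xa0000. Any code that treats `BIOS_BEGIN..BIOS_END` as the protected or reserved legacy range will no longer cover 0xa0000-0xbffff, the legacy video window. The users of the macro are outside this hunk, so that needs checking there. If the narrowing is deliberate, it should be stated next to the define, e.g. `/* starts at 0xc0000: 0xa0000-0xbffff (legacy video memory) is intentionally not part of the BIOS range */`.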
22940diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
22941index 0f15af4..501a76a 100644
22942--- a/arch/x86/kernel/Makefile
22943+++ b/arch/x86/kernel/Makefile
22944@@ -28,7 +28,7 @@ obj-y += time.o ioport.o ldt.o dumpstack.o nmi.o
22945 obj-y += setup.o x86_init.o i8259.o irqinit.o jump_label.o
22946 obj-$(CONFIG_IRQ_WORK) += irq_work.o
22947 obj-y += probe_roms.o
22948-obj-$(CONFIG_X86_32) += i386_ksyms_32.o
22949+obj-$(CONFIG_X86_32) += sys_i386_32.o i386_ksyms_32.o
22950 obj-$(CONFIG_X86_64) += sys_x86_64.o x8664_ksyms_64.o
22951 obj-$(CONFIG_X86_64) += mcount_64.o
22952 obj-$(CONFIG_X86_ESPFIX64) += espfix_64.o
22953diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
22954index 9393896..adbaa90 100644
22955--- a/arch/x86/kernel/acpi/boot.c
22956+++ b/arch/x86/kernel/acpi/boot.c
22957@@ -1333,7 +1333,7 @@ static void __init acpi_reduced_hw_init(void)
22958 * If your system is blacklisted here, but you find that acpi=force
22959 * works for you, please contact linux-acpi@vger.kernel.org
22960 */
22961-static struct dmi_system_id __initdata acpi_dmi_table[] = {
22962+static const struct dmi_system_id __initconst acpi_dmi_table[] = {
22963 /*
22964 * Boxes that need ACPI disabled
22965 */
22966@@ -1408,7 +1408,7 @@ static struct dmi_system_id __initdata acpi_dmi_table[] = {
22967 };
22968
22969 /* second table for DMI checks that should run after early-quirks */
22970-static struct dmi_system_id __initdata acpi_dmi_table_late[] = {
22971+static const struct dmi_system_id __initconst acpi_dmi_table_late[] = {
22972 /*
22973 * HP laptops which use a DSDT reporting as HP/SB400/10000,
22974 * which includes some code which overrides all temperature
22975diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c
22976index d1daead..acd77e2 100644
22977--- a/arch/x86/kernel/acpi/sleep.c
22978+++ b/arch/x86/kernel/acpi/sleep.c
22979@@ -99,8 +99,12 @@ int x86_acpi_suspend_lowlevel(void)
22980 #else /* CONFIG_64BIT */
22981 #ifdef CONFIG_SMP
22982 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
22983+
22984+ pax_open_kernel();
22985 early_gdt_descr.address =
22986 (unsigned long)get_cpu_gdt_table(smp_processor_id());
22987+ pax_close_kernel();
22988+
22989 initial_gs = per_cpu_offset(smp_processor_id());
22990 #endif
22991 initial_code = (unsigned long)wakeup_long64;
22992diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S
22993index 0c26b1b..a766e85 100644
22994--- a/arch/x86/kernel/acpi/wakeup_32.S
22995+++ b/arch/x86/kernel/acpi/wakeup_32.S
22996@@ -31,13 +31,11 @@ wakeup_pmode_return:
22997 # and restore the stack ... but you need gdt for this to work
22998 movl saved_context_esp, %esp
22999
23000- movl %cs:saved_magic, %eax
23001- cmpl $0x12345678, %eax
23002+ cmpl $0x12345678, saved_magic
23003 jne bogus_magic
23004
23005 # jump to place where we left off
23006- movl saved_eip, %eax
23007- jmp *%eax
23008+ jmp *(saved_eip)
23009
23010 bogus_magic:
23011 jmp bogus_magic
23012diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
23013index c42827e..c2fd50b 100644
23014--- a/arch/x86/kernel/alternative.c
23015+++ b/arch/x86/kernel/alternative.c
23016@@ -20,6 +20,7 @@
23017 #include <asm/tlbflush.h>
23018 #include <asm/io.h>
23019 #include <asm/fixmap.h>
23020+#include <asm/boot.h>
23021
23022 int __read_mostly alternatives_patched;
23023
23024@@ -261,7 +262,9 @@ static void __init_or_module add_nops(void *insns, unsigned int len)
23025 unsigned int noplen = len;
23026 if (noplen > ASM_NOP_MAX)
23027 noplen = ASM_NOP_MAX;
23028+ pax_open_kernel();
23029 memcpy(insns, ideal_nops[noplen], noplen);
23030+ pax_close_kernel();
23031 insns += noplen;
23032 len -= noplen;
23033 }
23034@@ -289,6 +292,13 @@ recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf)
23035 if (a->replacementlen != 5)
23036 return;
23037
23038+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23039+ if (orig_insn < (u8 *)_text || (u8 *)_einittext <= orig_insn)
23040+ orig_insn = (u8 *)ktva_ktla((unsigned long)orig_insn);
23041+ else
23042+ orig_insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23043+#endif
23044+
23045 o_dspl = *(s32 *)(insnbuf + 1);
23046
23047 /* next_rip of the replacement JMP */
23048@@ -359,6 +369,7 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
23049 {
23050 struct alt_instr *a;
23051 u8 *instr, *replacement;
23052+ u8 *vinstr, *vreplacement;
23053 u8 insnbuf[MAX_PATCH_LEN];
23054
23055 DPRINTK("alt table %p -> %p", start, end);
23056@@ -374,46 +385,71 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
23057 for (a = start; a < end; a++) {
23058 int insnbuf_sz = 0;
23059
23060- instr = (u8 *)&a->instr_offset + a->instr_offset;
23061- replacement = (u8 *)&a->repl_offset + a->repl_offset;
23062+ vinstr = instr = (u8 *)&a->instr_offset + a->instr_offset;
23063+
23064+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23065+ if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= instr &&
23066+ instr < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
23067+ instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23068+ vinstr = (u8 *)ktla_ktva((unsigned long)instr);
23069+ } else if ((u8 *)_text <= instr && instr < (u8 *)_einittext) {
23070+ vinstr = (u8 *)ktla_ktva((unsigned long)instr);
23071+ } else {
23072+ instr = (u8 *)ktva_ktla((unsigned long)instr);
23073+ }
23074+#endif
23075+
23076+ vreplacement = replacement = (u8 *)&a->repl_offset + a->repl_offset;
23077+
23078+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23079+ if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= replacement &&
23080+ replacement < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
23081+ replacement += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23082+ vreplacement = (u8 *)ktla_ktva((unsigned long)replacement);
23083+ } else if ((u8 *)_text <= replacement && replacement < (u8 *)_einittext) {
23084+ vreplacement = (u8 *)ktla_ktva((unsigned long)replacement);
23085+ } else
23086+ replacement = (u8 *)ktva_ktla((unsigned long)replacement);
23087+#endif
23088+
23089 BUG_ON(a->instrlen > sizeof(insnbuf));
23090 BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);
23091 if (!boot_cpu_has(a->cpuid)) {
23092 if (a->padlen > 1)
23093- optimize_nops(a, instr);
23094+ optimize_nops(a, vinstr);
23095
23096 continue;
23097 }
23098
23099- DPRINTK("feat: %d*32+%d, old: (%p, len: %d), repl: (%p, len: %d), pad: %d",
23100+ DPRINTK("feat: %d*32+%d, old: (%p/%p, len: %d), repl: (%p, len: %d), pad: %d",
23101 a->cpuid >> 5,
23102 a->cpuid & 0x1f,
23103- instr, a->instrlen,
23104- replacement, a->replacementlen, a->padlen);
23105+ instr, vinstr, a->instrlen,
23106+ vreplacement, a->replacementlen, a->padlen);
23107
23108- DUMP_BYTES(instr, a->instrlen, "%p: old_insn: ", instr);
23109- DUMP_BYTES(replacement, a->replacementlen, "%p: rpl_insn: ", replacement);
23110+ DUMP_BYTES(vinstr, a->instrlen, "%p: old_insn: ", vinstr);
23111+ DUMP_BYTES(vreplacement, a->replacementlen, "%p: rpl_insn: ", vreplacement);
23112
23113- memcpy(insnbuf, replacement, a->replacementlen);
23114+ memcpy(insnbuf, vreplacement, a->replacementlen);
23115 insnbuf_sz = a->replacementlen;
23116
23117 /* 0xe8 is a relative jump; fix the offset. */
23118 if (*insnbuf == 0xe8 && a->replacementlen == 5) {
23119- *(s32 *)(insnbuf + 1) += replacement - instr;
23120+ *(s32 *)(insnbuf + 1) += vreplacement - vinstr;
23121 DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
23122 *(s32 *)(insnbuf + 1),
23123- (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5);
23124+ (unsigned long)vinstr + *(s32 *)(insnbuf + 1) + 5);
23125 }
23126
23127- if (a->replacementlen && is_jmp(replacement[0]))
23128- recompute_jump(a, instr, replacement, insnbuf);
23129+ if (a->replacementlen && is_jmp(vreplacement[0]))
23130+ recompute_jump(a, instr, vreplacement, insnbuf);
23131
23132 if (a->instrlen > a->replacementlen) {
23133 add_nops(insnbuf + a->replacementlen,
23134 a->instrlen - a->replacementlen);
23135 insnbuf_sz += a->instrlen - a->replacementlen;
23136 }
23137- DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", instr);
23138+ DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", vinstr);
23139
23140 text_poke_early(instr, insnbuf, insnbuf_sz);
23141 }
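Review bot: The two CONFIG_X86_32 && CONFIG_PAX_KERNEXEC translation blocks in the `apply_alternatives` loop are copies that differ only in the variable pair (`instr`/`vinstr` and `replacement`/`vreplacement`). They have already diverged in form: the first closes with a braced `} else {`, the second with a bare `} else`. One static helper that takes the pointer and returns the patch address and the read alias would keep the range checks in one place, and a mistake in one copy would silently patch or read the wrong alias. At minimum, brace the second branch to match kernel style: `} else {` / `replacement = (u8 *)ktva_ktla((unsigned long)replacement);` / `}`. A short comment on which of `instr` and `vinstr` is used for reading and which is handed to `text_poke_early` would also help, since the loop now mixes both.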
23142@@ -429,10 +465,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end,
23143 for (poff = start; poff < end; poff++) {
23144 u8 *ptr = (u8 *)poff + *poff;
23145
23146+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23147+ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23148+ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
23149+ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23150+#endif
23151+
23152 if (!*poff || ptr < text || ptr >= text_end)
23153 continue;
23154 /* turn DS segment override prefix into lock prefix */
23155- if (*ptr == 0x3e)
23156+ if (*(u8 *)ktla_ktva((unsigned long)ptr) == 0x3e)
23157 text_poke(ptr, ((unsigned char []){0xf0}), 1);
23158 }
23159 mutex_unlock(&text_mutex);
23160@@ -447,10 +489,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end,
23161 for (poff = start; poff < end; poff++) {
23162 u8 *ptr = (u8 *)poff + *poff;
23163
23164+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23165+ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23166+ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
23167+ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23168+#endif
23169+
23170 if (!*poff || ptr < text || ptr >= text_end)
23171 continue;
23172 /* turn lock prefix into DS segment override prefix */
23173- if (*ptr == 0xf0)
23174+ if (*(u8 *)ktla_ktva((unsigned long)ptr) == 0xf0)
23175 text_poke(ptr, ((unsigned char []){0x3E}), 1);
23176 }
23177 mutex_unlock(&text_mutex);
23178@@ -587,7 +635,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
23179
23180 BUG_ON(p->len > MAX_PATCH_LEN);
23181 /* prep the buffer with the original instructions */
23182- memcpy(insnbuf, p->instr, p->len);
23183+ memcpy(insnbuf, (const void *)ktla_ktva((unsigned long)p->instr), p->len);
23184 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
23185 (unsigned long)p->instr, p->len);
23186
23187@@ -634,7 +682,7 @@ void __init alternative_instructions(void)
23188 if (!uniproc_patched || num_possible_cpus() == 1)
23189 free_init_pages("SMP alternatives",
23190 (unsigned long)__smp_locks,
23191- (unsigned long)__smp_locks_end);
23192+ PAGE_ALIGN((unsigned long)__smp_locks_end));
23193 #endif
23194
23195 apply_paravirt(__parainstructions, __parainstructions_end);
23196@@ -655,13 +703,17 @@ void __init alternative_instructions(void)
23197 * instructions. And on the local CPU you need to be protected again NMI or MCE
23198 * handlers seeing an inconsistent instruction while you patch.
23199 */
23200-void *__init_or_module text_poke_early(void *addr, const void *opcode,
23201+void *__kprobes text_poke_early(void *addr, const void *opcode,
23202 size_t len)
23203 {
23204 unsigned long flags;
23205 local_irq_save(flags);
23206- memcpy(addr, opcode, len);
23207+
23208+ pax_open_kernel();
23209+ memcpy((void *)ktla_ktva((unsigned long)addr), opcode, len);
23210 sync_core();
23211+ pax_close_kernel();
23212+
23213 local_irq_restore(flags);
23214 /* Could also do a CLFLUSH here to speed up CPU recovery; but
23215 that causes hangs on some VIA CPUs. */
23216@@ -683,36 +735,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode,
23217 */
23218 void *text_poke(void *addr, const void *opcode, size_t len)
23219 {
23220- unsigned long flags;
23221- char *vaddr;
23222+ unsigned char *vaddr = (void *)ktla_ktva((unsigned long)addr);
23223 struct page *pages[2];
23224- int i;
23225+ size_t i;
23226
23227 if (!core_kernel_text((unsigned long)addr)) {
23228- pages[0] = vmalloc_to_page(addr);
23229- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
23230+ pages[0] = vmalloc_to_page(vaddr);
23231+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
23232 } else {
23233- pages[0] = virt_to_page(addr);
23234+ pages[0] = virt_to_page(vaddr);
23235 WARN_ON(!PageReserved(pages[0]));
23236- pages[1] = virt_to_page(addr + PAGE_SIZE);
23237+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
23238 }
23239 BUG_ON(!pages[0]);
23240- local_irq_save(flags);
23241- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
23242- if (pages[1])
23243- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
23244- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
23245- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
23246- clear_fixmap(FIX_TEXT_POKE0);
23247- if (pages[1])
23248- clear_fixmap(FIX_TEXT_POKE1);
23249- local_flush_tlb();
23250- sync_core();
23251- /* Could also do a CLFLUSH here to speed up CPU recovery; but
23252- that causes hangs on some VIA CPUs. */
23253+ text_poke_early(addr, opcode, len);
23254 for (i = 0; i < len; i++)
23255- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
23256- local_irq_restore(flags);
23257+ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
23258 return addr;
23259 }
23260
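Review bot: `pages[1]` is now dead in `text_poke`: with the fixmap path replaced by `text_poke_early(addr, opcode, len)`, it is still assigned in both branches but never read, and `pages[0]` only feeds the `BUG_ON`/`WARN_ON` sanity checks. I would drop the two `pages[1] = ...` lookups and use a single `struct page *page;`. That also avoids calling `vmalloc_to_page(vaddr + PAGE_SIZE)` on an address that may lie past the mapping. The byte-compare loop now runs after `text_poke_early` has restored interrupts, whereas the removed code verified before `local_irq_restore`. If that ordering no longer matters, a one-line comment saying so would save the next reader from wondering.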
23261@@ -766,7 +804,7 @@ int poke_int3_handler(struct pt_regs *regs)
23262 */
23263 void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler)
23264 {
23265- unsigned char int3 = 0xcc;
23266+ const unsigned char int3 = 0xcc;
23267
23268 bp_int3_handler = handler;
23269 bp_int3_addr = (u8 *)addr + sizeof(int3);
23270diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
23271index cde732c..6365ac2 100644
23272--- a/arch/x86/kernel/apic/apic.c
23273+++ b/arch/x86/kernel/apic/apic.c
23274@@ -171,7 +171,7 @@ int first_system_vector = FIRST_SYSTEM_VECTOR;
23275 /*
23276 * Debug level, exported for io_apic.c
23277 */
23278-unsigned int apic_verbosity;
23279+int apic_verbosity;
23280
23281 int pic_mode;
23282
23283@@ -1857,7 +1857,7 @@ static inline void __smp_error_interrupt(struct pt_regs *regs)
23284 apic_write(APIC_ESR, 0);
23285 v = apic_read(APIC_ESR);
23286 ack_APIC_irq();
23287- atomic_inc(&irq_err_count);
23288+ atomic_inc_unchecked(&irq_err_count);
23289
23290 apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x",
23291 smp_processor_id(), v);
23292diff --git a/arch/x86/kernel/apic/apic_flat_64.c b/arch/x86/kernel/apic/apic_flat_64.c
23293index de918c4..32eed23 100644
23294--- a/arch/x86/kernel/apic/apic_flat_64.c
23295+++ b/arch/x86/kernel/apic/apic_flat_64.c
23296@@ -154,7 +154,7 @@ static int flat_probe(void)
23297 return 1;
23298 }
23299
23300-static struct apic apic_flat = {
23301+static struct apic apic_flat __read_only = {
23302 .name = "flat",
23303 .probe = flat_probe,
23304 .acpi_madt_oem_check = flat_acpi_madt_oem_check,
23305@@ -260,7 +260,7 @@ static int physflat_probe(void)
23306 return 0;
23307 }
23308
23309-static struct apic apic_physflat = {
23310+static struct apic apic_physflat __read_only = {
23311
23312 .name = "physical flat",
23313 .probe = physflat_probe,
23314diff --git a/arch/x86/kernel/apic/apic_noop.c b/arch/x86/kernel/apic/apic_noop.c
23315index b205cdb..d8503ff 100644
23316--- a/arch/x86/kernel/apic/apic_noop.c
23317+++ b/arch/x86/kernel/apic/apic_noop.c
23318@@ -108,7 +108,7 @@ static void noop_apic_write(u32 reg, u32 v)
23319 WARN_ON_ONCE(cpu_has_apic && !disable_apic);
23320 }
23321
23322-struct apic apic_noop = {
23323+struct apic apic_noop __read_only = {
23324 .name = "noop",
23325 .probe = noop_probe,
23326 .acpi_madt_oem_check = NULL,
23327diff --git a/arch/x86/kernel/apic/bigsmp_32.c b/arch/x86/kernel/apic/bigsmp_32.c
23328index c4a8d63..fe893ac 100644
23329--- a/arch/x86/kernel/apic/bigsmp_32.c
23330+++ b/arch/x86/kernel/apic/bigsmp_32.c
23331@@ -147,7 +147,7 @@ static int probe_bigsmp(void)
23332 return dmi_bigsmp;
23333 }
23334
23335-static struct apic apic_bigsmp = {
23336+static struct apic apic_bigsmp __read_only = {
23337
23338 .name = "bigsmp",
23339 .probe = probe_bigsmp,
23340diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
23341index 206052e..621dfb4 100644
23342--- a/arch/x86/kernel/apic/io_apic.c
23343+++ b/arch/x86/kernel/apic/io_apic.c
23344@@ -1682,7 +1682,7 @@ static unsigned int startup_ioapic_irq(struct irq_data *data)
23345 return was_pending;
23346 }
23347
23348-atomic_t irq_mis_count;
23349+atomic_unchecked_t irq_mis_count;
23350
23351 #ifdef CONFIG_GENERIC_PENDING_IRQ
23352 static bool io_apic_level_ack_pending(struct mp_chip_data *data)
23353@@ -1821,7 +1821,7 @@ static void ioapic_ack_level(struct irq_data *irq_data)
23354 * at the cpu.
23355 */
23356 if (!(v & (1 << (i & 0x1f)))) {
23357- atomic_inc(&irq_mis_count);
23358+ atomic_inc_unchecked(&irq_mis_count);
23359 eoi_ioapic_pin(cfg->vector, irq_data->chip_data);
23360 }
23361
23362@@ -1867,7 +1867,7 @@ static int ioapic_set_affinity(struct irq_data *irq_data,
23363 return ret;
23364 }
23365
23366-static struct irq_chip ioapic_chip __read_mostly = {
23367+static struct irq_chip ioapic_chip = {
23368 .name = "IO-APIC",
23369 .irq_startup = startup_ioapic_irq,
23370 .irq_mask = mask_ioapic_irq,
23371@@ -1936,7 +1936,7 @@ static void ack_lapic_irq(struct irq_data *data)
23372 ack_APIC_irq();
23373 }
23374
23375-static struct irq_chip lapic_chip __read_mostly = {
23376+static struct irq_chip lapic_chip = {
23377 .name = "local-APIC",
23378 .irq_mask = mask_lapic_irq,
23379 .irq_unmask = unmask_lapic_irq,
23380diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c
23381index 1a9d735..c58b5c5 100644
23382--- a/arch/x86/kernel/apic/msi.c
23383+++ b/arch/x86/kernel/apic/msi.c
23384@@ -267,7 +267,7 @@ static void hpet_msi_write_msg(struct irq_data *data, struct msi_msg *msg)
23385 hpet_msi_write(data->handler_data, msg);
23386 }
23387
23388-static struct irq_chip hpet_msi_controller = {
23389+static irq_chip_no_const hpet_msi_controller __read_only = {
23390 .name = "HPET-MSI",
23391 .irq_unmask = hpet_msi_unmask,
23392 .irq_mask = hpet_msi_mask,
23393diff --git a/arch/x86/kernel/apic/probe_32.c b/arch/x86/kernel/apic/probe_32.c
23394index bda4886..f9c7195 100644
23395--- a/arch/x86/kernel/apic/probe_32.c
23396+++ b/arch/x86/kernel/apic/probe_32.c
23397@@ -72,7 +72,7 @@ static int probe_default(void)
23398 return 1;
23399 }
23400
23401-static struct apic apic_default = {
23402+static struct apic apic_default __read_only = {
23403
23404 .name = "default",
23405 .probe = probe_default,
23406diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
23407index 2683f36..0bdc74c 100644
23408--- a/arch/x86/kernel/apic/vector.c
23409+++ b/arch/x86/kernel/apic/vector.c
23410@@ -36,7 +36,7 @@ static struct irq_chip lapic_controller;
23411 static struct apic_chip_data *legacy_irq_data[NR_IRQS_LEGACY];
23412 #endif
23413
23414-void lock_vector_lock(void)
23415+void lock_vector_lock(void) __acquires(vector_lock)
23416 {
23417 /* Used to the online set of cpus does not change
23418 * during assign_irq_vector.
23419@@ -44,7 +44,7 @@ void lock_vector_lock(void)
23420 raw_spin_lock(&vector_lock);
23421 }
23422
23423-void unlock_vector_lock(void)
23424+void unlock_vector_lock(void) __releases(vector_lock)
23425 {
23426 raw_spin_unlock(&vector_lock);
23427 }
23428diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c
23429index ab3219b..e8033eb 100644
23430--- a/arch/x86/kernel/apic/x2apic_cluster.c
23431+++ b/arch/x86/kernel/apic/x2apic_cluster.c
23432@@ -182,7 +182,7 @@ update_clusterinfo(struct notifier_block *nfb, unsigned long action, void *hcpu)
23433 return notifier_from_errno(err);
23434 }
23435
23436-static struct notifier_block __refdata x2apic_cpu_notifier = {
23437+static struct notifier_block x2apic_cpu_notifier = {
23438 .notifier_call = update_clusterinfo,
23439 };
23440
23441@@ -234,7 +234,7 @@ static void cluster_vector_allocation_domain(int cpu, struct cpumask *retmask,
23442 cpumask_and(retmask, mask, per_cpu(cpus_in_cluster, cpu));
23443 }
23444
23445-static struct apic apic_x2apic_cluster = {
23446+static struct apic apic_x2apic_cluster __read_only = {
23447
23448 .name = "cluster x2apic",
23449 .probe = x2apic_cluster_probe,
23450diff --git a/arch/x86/kernel/apic/x2apic_phys.c b/arch/x86/kernel/apic/x2apic_phys.c
23451index 3ffd925..8c0f5a8 100644
23452--- a/arch/x86/kernel/apic/x2apic_phys.c
23453+++ b/arch/x86/kernel/apic/x2apic_phys.c
23454@@ -90,7 +90,7 @@ static int x2apic_phys_probe(void)
23455 return apic == &apic_x2apic_phys;
23456 }
23457
23458-static struct apic apic_x2apic_phys = {
23459+static struct apic apic_x2apic_phys __read_only = {
23460
23461 .name = "physical x2apic",
23462 .probe = x2apic_phys_probe,
23463diff --git a/arch/x86/kernel/apic/x2apic_uv_x.c b/arch/x86/kernel/apic/x2apic_uv_x.c
23464index c8d9295..9af2d03 100644
23465--- a/arch/x86/kernel/apic/x2apic_uv_x.c
23466+++ b/arch/x86/kernel/apic/x2apic_uv_x.c
23467@@ -375,7 +375,7 @@ static int uv_probe(void)
23468 return apic == &apic_x2apic_uv_x;
23469 }
23470
23471-static struct apic __refdata apic_x2apic_uv_x = {
23472+static struct apic apic_x2apic_uv_x __read_only = {
23473
23474 .name = "UV large system",
23475 .probe = uv_probe,
23476diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c
23477index 927ec92..de68f32 100644
23478--- a/arch/x86/kernel/apm_32.c
23479+++ b/arch/x86/kernel/apm_32.c
23480@@ -432,7 +432,7 @@ static DEFINE_MUTEX(apm_mutex);
23481 * This is for buggy BIOS's that refer to (real mode) segment 0x40
23482 * even though they are called in protected mode.
23483 */
23484-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
23485+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
23486 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
23487
23488 static const char driver_version[] = "1.16ac"; /* no spaces */
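Review bot: The access-rights constant for `bad_bios_desc` changes from 0x4092 to 0x4093 without explanation. The only difference is the lowest type bit, which is the Accessed flag for an x86 data-segment descriptor. It is presumably pre-set so the CPU never needs to write that bit back into a GDT that this patch keeps read-only outside `pax_open_kernel()` windows. That reasoning is not recoverable from the diff, so it should sit on the definition, e.g. `/* 0x4093: data, read/write, Accessed pre-set so loading the selector does not write to the GDT */`.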
23489@@ -610,7 +610,10 @@ static long __apm_bios_call(void *_call)
23490 BUG_ON(cpu != 0);
23491 gdt = get_cpu_gdt_table(cpu);
23492 save_desc_40 = gdt[0x40 / 8];
23493+
23494+ pax_open_kernel();
23495 gdt[0x40 / 8] = bad_bios_desc;
23496+ pax_close_kernel();
23497
23498 apm_irq_save(flags);
23499 APM_DO_SAVE_SEGS;
23500@@ -619,7 +622,11 @@ static long __apm_bios_call(void *_call)
23501 &call->esi);
23502 APM_DO_RESTORE_SEGS;
23503 apm_irq_restore(flags);
23504+
23505+ pax_open_kernel();
23506 gdt[0x40 / 8] = save_desc_40;
23507+ pax_close_kernel();
23508+
23509 put_cpu();
23510
23511 return call->eax & 0xff;
23512@@ -686,7 +693,10 @@ static long __apm_bios_call_simple(void *_call)
23513 BUG_ON(cpu != 0);
23514 gdt = get_cpu_gdt_table(cpu);
23515 save_desc_40 = gdt[0x40 / 8];
23516+
23517+ pax_open_kernel();
23518 gdt[0x40 / 8] = bad_bios_desc;
23519+ pax_close_kernel();
23520
23521 apm_irq_save(flags);
23522 APM_DO_SAVE_SEGS;
23523@@ -694,7 +704,11 @@ static long __apm_bios_call_simple(void *_call)
23524 &call->eax);
23525 APM_DO_RESTORE_SEGS;
23526 apm_irq_restore(flags);
23527+
23528+ pax_open_kernel();
23529 gdt[0x40 / 8] = save_desc_40;
23530+ pax_close_kernel();
23531+
23532 put_cpu();
23533 return error;
23534 }
23535@@ -2039,7 +2053,7 @@ static int __init swab_apm_power_in_minutes(const struct dmi_system_id *d)
23536 return 0;
23537 }
23538
23539-static struct dmi_system_id __initdata apm_dmi_table[] = {
23540+static const struct dmi_system_id __initconst apm_dmi_table[] = {
23541 {
23542 print_if_true,
23543 KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
23544@@ -2349,12 +2363,15 @@ static int __init apm_init(void)
23545 * code to that CPU.
23546 */
23547 gdt = get_cpu_gdt_table(0);
23548+
23549+ pax_open_kernel();
23550 set_desc_base(&gdt[APM_CS >> 3],
23551 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
23552 set_desc_base(&gdt[APM_CS_16 >> 3],
23553 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
23554 set_desc_base(&gdt[APM_DS >> 3],
23555 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
23556+ pax_close_kernel();
23557
23558 proc_create("apm", 0, NULL, &apm_file_ops);
23559
23560diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c
23561index 8e3d22a1..37118b6 100644
23562--- a/arch/x86/kernel/asm-offsets.c
23563+++ b/arch/x86/kernel/asm-offsets.c
23564@@ -32,6 +32,8 @@ void common(void) {
23565 OFFSET(TI_flags, thread_info, flags);
23566 OFFSET(TI_status, thread_info, status);
23567 OFFSET(TI_addr_limit, thread_info, addr_limit);
23568+ OFFSET(TI_lowest_stack, thread_info, lowest_stack);
23569+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
23570
23571 BLANK();
23572 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
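Review bot: `TI_task_thread_sp0` is a difference of two `offsetof()` values with no comment, and it silently assumes `thread.sp0` sits after `tinfo` inside `task_struct`; nothing visible here enforces that. A one-line comment above the `DEFINE`, e.g. `/* distance from task_struct.tinfo to task_struct.thread.sp0 */`, would tell the assembly users what the constant means. If the layout assumption matters, `BUILD_BUG_ON(offsetof(struct task_struct, thread.sp0) < offsetof(struct task_struct, tinfo));` next to it would catch a reordering at build time. `common()` starts and ends outside the hunk.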
23573@@ -73,8 +75,26 @@ void common(void) {
23574 #endif
23575 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
23576 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
23577+
23578+#ifdef CONFIG_PAX_KERNEXEC
23579+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
23580 #endif
23581
23582+#ifdef CONFIG_PAX_MEMORY_UDEREF
23583+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
23584+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
23585+#ifdef CONFIG_X86_64
23586+ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
23587+#endif
23588+#endif
23589+
23590+#endif
23591+
23592+ BLANK();
23593+ DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
23594+ DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
23595+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
23596+
23597 #ifdef CONFIG_XEN
23598 BLANK();
23599 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
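Review bot: The added block leaves three bare `#endif` lines in a row, and the last one closes a conditional opened above this hunk, so it is hard to see which option guards `PV_MMU_set_pgd_batched` and where the outer block ends. Tagging the closers, e.g. `#endif /* CONFIG_X86_64 */` and `#endif /* CONFIG_PAX_MEMORY_UDEREF */`, plus the outer option's name on the final one, makes the nesting checkable by eye. The new `PAGE_SIZE_asm`, `PAGE_SHIFT_asm` and `THREAD_SIZE_asm` defines sit outside all of those conditionals, which looks intended but should be confirmed against the opening `#ifdef`, which is not visible here.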
23600diff --git a/arch/x86/kernel/asm-offsets_64.c b/arch/x86/kernel/asm-offsets_64.c
23601index d8f42f9..a46f1fc 100644
23602--- a/arch/x86/kernel/asm-offsets_64.c
23603+++ b/arch/x86/kernel/asm-offsets_64.c
23604@@ -59,6 +59,7 @@ int main(void)
23605 BLANK();
23606 #undef ENTRY
23607
23608+ DEFINE(TSS_size, sizeof(struct tss_struct));
23609 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
23610 OFFSET(TSS_sp0, tss_struct, x86_tss.sp0);
23611 BLANK();
23612diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
23613index 9bff687..5b899fb 100644
23614--- a/arch/x86/kernel/cpu/Makefile
23615+++ b/arch/x86/kernel/cpu/Makefile
23616@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
23617 CFLAGS_REMOVE_perf_event.o = -pg
23618 endif
23619
23620-# Make sure load_percpu_segment has no stackprotector
23621-nostackp := $(call cc-option, -fno-stack-protector)
23622-CFLAGS_common.o := $(nostackp)
23623-
23624 obj-y := intel_cacheinfo.o scattered.o topology.o
23625 obj-y += common.o
23626 obj-y += rdrand.o
23627diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
23628index dd3a4ba..06672af 100644
23629--- a/arch/x86/kernel/cpu/amd.c
23630+++ b/arch/x86/kernel/cpu/amd.c
23631@@ -750,7 +750,7 @@ static void init_amd(struct cpuinfo_x86 *c)
23632 static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size)
23633 {
23634 /* AMD errata T13 (order #21922) */
23635- if ((c->x86 == 6)) {
23636+ if (c->x86 == 6) {
23637 /* Duron Rev A0 */
23638 if (c->x86_model == 3 && c->x86_mask == 0)
23639 size = 64;
23640diff --git a/arch/x86/kernel/cpu/bugs_64.c b/arch/x86/kernel/cpu/bugs_64.c
23641index 04f0fe5..3c0598c 100644
23642--- a/arch/x86/kernel/cpu/bugs_64.c
23643+++ b/arch/x86/kernel/cpu/bugs_64.c
23644@@ -10,6 +10,7 @@
23645 #include <asm/processor.h>
23646 #include <asm/mtrr.h>
23647 #include <asm/cacheflush.h>
23648+#include <asm/sections.h>
23649
23650 void __init check_bugs(void)
23651 {
23652@@ -18,6 +19,7 @@ void __init check_bugs(void)
23653 printk(KERN_INFO "CPU: ");
23654 print_cpu_info(&boot_cpu_data);
23655 #endif
23656+ set_memory_nx((unsigned long)_sinitdata, (__START_KERNEL_map + KERNEL_IMAGE_SIZE - (unsigned long)_sinitdata) >> PAGE_SHIFT);
23657 alternative_instructions();
23658
23659 /*
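Review bot: The return value of the added `set_memory_nx()` call is discarded, so if the attribute change fails the range from `_sinitdata` to the end of the kernel image mapping stays executable and nothing is logged. Compute the start and page count into locals and warn on failure, for example `if (set_memory_nx(start, npages)) pr_warn("failed to mark init data NX\n");` with `start = (unsigned long)_sinitdata`; the message text is only a suggestion. The shift by `PAGE_SHIFT` also assumes `_sinitdata` is page aligned, which the linker script (not shown) would have to guarantee, and a short comment saying so would help. `check_bugs()` continues outside the hunk.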
23660diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
23661index cb9e5df..0d25636 100644
23662--- a/arch/x86/kernel/cpu/common.c
23663+++ b/arch/x86/kernel/cpu/common.c
23664@@ -91,60 +91,6 @@ static const struct cpu_dev default_cpu = {
23665
23666 static const struct cpu_dev *this_cpu = &default_cpu;
23667
23668-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
23669-#ifdef CONFIG_X86_64
23670- /*
23671- * We need valid kernel segments for data and code in long mode too
23672- * IRET will check the segment types kkeil 2000/10/28
23673- * Also sysret mandates a special GDT layout
23674- *
23675- * TLS descriptors are currently at a different place compared to i386.
23676- * Hopefully nobody expects them at a fixed place (Wine?)
23677- */
23678- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
23679- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
23680- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
23681- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
23682- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
23683- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
23684-#else
23685- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
23686- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23687- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
23688- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
23689- /*
23690- * Segments used for calling PnP BIOS have byte granularity.
23691- * They code segments and data segments have fixed 64k limits,
23692- * the transfer segment sizes are set at run time.
23693- */
23694- /* 32-bit code */
23695- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
23696- /* 16-bit code */
23697- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
23698- /* 16-bit data */
23699- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
23700- /* 16-bit data */
23701- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
23702- /* 16-bit data */
23703- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
23704- /*
23705- * The APM segments have byte granularity and their bases
23706- * are set at run time. All have 64k limits.
23707- */
23708- /* 32-bit code */
23709- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
23710- /* 16-bit code */
23711- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
23712- /* data */
23713- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
23714-
23715- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23716- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23717- GDT_STACK_CANARY_INIT
23718-#endif
23719-} };
23720-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
23721-
23722 static int __init x86_mpx_setup(char *s)
23723 {
23724 /* require an exact match without trailing characters */
23725@@ -287,6 +233,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
23726 }
23727 }
23728
23729+#ifdef CONFIG_PAX_MEMORY_UDEREF
23730+#ifdef CONFIG_X86_64
23731+static bool uderef_enabled __read_only = true;
23732+unsigned long pax_user_shadow_base __read_only;
23733+EXPORT_SYMBOL(pax_user_shadow_base);
23734+extern char pax_enter_kernel_user[];
23735+extern char pax_exit_kernel_user[];
23736+
23737+static int __init setup_pax_weakuderef(char *str)
23738+{
23739+ if (uderef_enabled)
23740+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23741+ return 1;
23742+}
23743+__setup("pax_weakuderef", setup_pax_weakuderef);
23744+#endif
23745+
23746+static int __init setup_pax_nouderef(char *str)
23747+{
23748+#ifdef CONFIG_X86_32
23749+ unsigned int cpu;
23750+ struct desc_struct *gdt;
23751+
23752+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
23753+ gdt = get_cpu_gdt_table(cpu);
23754+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
23755+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
23756+ gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
23757+ gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
23758+ }
23759+ loadsegment(ds, __KERNEL_DS);
23760+ loadsegment(es, __KERNEL_DS);
23761+ loadsegment(ss, __KERNEL_DS);
23762+#else
23763+ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
23764+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
23765+ clone_pgd_mask = ~(pgdval_t)0UL;
23766+ pax_user_shadow_base = 0UL;
23767+ setup_clear_cpu_cap(X86_FEATURE_PCIDUDEREF);
23768+ uderef_enabled = false;
23769+#endif
23770+
23771+ return 0;
23772+}
23773+early_param("pax_nouderef", setup_pax_nouderef);
23774+#endif
23775+
23776+#ifdef CONFIG_X86_64
23777+static __init int setup_disable_pcid(char *arg)
23778+{
23779+ setup_clear_cpu_cap(X86_FEATURE_PCID);
23780+ setup_clear_cpu_cap(X86_FEATURE_INVPCID);
23781+
23782+#ifdef CONFIG_PAX_MEMORY_UDEREF
23783+ if (uderef_enabled)
23784+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23785+#endif
23786+
23787+ return 1;
23788+}
23789+__setup("nopcid", setup_disable_pcid);
23790+
23791+static void setup_pcid(struct cpuinfo_x86 *c)
23792+{
23793+ if (cpu_has(c, X86_FEATURE_PCID)) {
23794+ printk("PAX: PCID detected\n");
23795+ cr4_set_bits(X86_CR4_PCIDE);
23796+ } else
23797+ clear_cpu_cap(c, X86_FEATURE_INVPCID);
23798+
23799+ if (cpu_has(c, X86_FEATURE_INVPCID))
23800+ printk("PAX: INVPCID detected\n");
23801+
23802+#ifdef CONFIG_PAX_MEMORY_UDEREF
23803+ if (!uderef_enabled) {
23804+ printk("PAX: UDEREF disabled\n");
23805+ return;
23806+ }
23807+
23808+ if (!cpu_has(c, X86_FEATURE_PCID)) {
23809+ pax_open_kernel();
23810+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23811+ pax_close_kernel();
23812+ printk("PAX: slow and weak UDEREF enabled\n");
23813+ return;
23814+ }
23815+
23816+ set_cpu_cap(c, X86_FEATURE_PCIDUDEREF);
23817+
23818+ pax_open_kernel();
23819+ clone_pgd_mask = ~(pgdval_t)0UL;
23820+ pax_close_kernel();
23821+ if (pax_user_shadow_base)
23822+ printk("PAX: weak UDEREF enabled\n");
23823+ else {
23824+ set_cpu_cap(c, X86_FEATURE_STRONGUDEREF);
23825+ printk("PAX: strong UDEREF enabled\n");
23826+ }
23827+#endif
23828+
23829+}
23830+#endif
23831+
23832 /*
23833 * Some CPU features depend on higher CPUID levels, which may not always
23834 * be available due to CPUID level capping or broken virtualization
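Review bot: `setup_pax_nouderef` turns UDEREF off from the kernel command line without logging it on the x86_32 path, and on x86_64 it overwrites the first byte of `pax_enter_kernel_user` and `pax_exit_kernel_user` with a bare `0xc3` that carries no comment. Since this parameter removes a protection, a boot-log line is worth having for anyone auditing how a machine was started, and the byte patch should say that it is a return opcode and why the stores need no `pax_open_kernel()` at this point. The same question applies to the plain writes to the `__read_only` `pax_user_shadow_base` in `setup_pax_weakuderef` and `setup_disable_pcid`, which `setup_pcid` wraps in an open/close pair; presumably the parameter handlers run before write protection is active, but that is not visible here. The new `printk()` calls in `setup_pcid` also lack a log level; `pr_info()` would fit. A possible shape for the x86_64 branch follows.

```c
static int __init setup_pax_nouderef(char *str)
{
	/* … unchanged: CONFIG_X86_32 branch that rewrites the per-CPU GDT entries … */
#else
	/* 0xc3 is the x86 near-return opcode: both stubs become immediate returns. */
	const unsigned char ret_insn = 0xc3;

	/* NOTE(review): plain stores assume text is still writable this early; confirm. */
	memcpy(pax_enter_kernel_user, &ret_insn, sizeof(ret_insn));
	memcpy(pax_exit_kernel_user, &ret_insn, sizeof(ret_insn));
	/* … unchanged: clone_pgd_mask, pax_user_shadow_base, PCIDUDEREF cap, uderef_enabled … */
#endif

	pr_warn("PAX: UDEREF disabled by pax_nouderef\n");
	return 0;
```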
23835@@ -387,7 +436,7 @@ void switch_to_new_gdt(int cpu)
23836 {
23837 struct desc_ptr gdt_descr;
23838
23839- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
23840+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
23841 gdt_descr.size = GDT_SIZE - 1;
23842 load_gdt(&gdt_descr);
23843 /* Reload the per-cpu base */
23844@@ -918,6 +967,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
23845 setup_smep(c);
23846 setup_smap(c);
23847
23848+#ifdef CONFIG_X86_32
23849+#ifdef CONFIG_PAX_PAGEEXEC
23850+ if (!(__supported_pte_mask & _PAGE_NX))
23851+ clear_cpu_cap(c, X86_FEATURE_PSE);
23852+#endif
23853+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
23854+ clear_cpu_cap(c, X86_FEATURE_SEP);
23855+#endif
23856+#endif
23857+
23858+#ifdef CONFIG_X86_64
23859+ setup_pcid(c);
23860+#endif
23861+
23862 /*
23863 * The vendor-specific functions might have changed features.
23864 * Now we do "generic changes."
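Review bot: The two `clear_cpu_cap()` calls added to `identify_cpu` under `CONFIG_X86_32` have no comment saying why `X86_FEATURE_PSE` is dropped when `_PAGE_NX` is unsupported, or why `X86_FEATURE_SEP` is dropped for SEGMEXEC, KERNEXEC and UDEREF. Hiding CPU features changes behaviour well away from this function, so each call deserves a one-line rationale written by the author. My guess is that large pages and the sysenter path conflict with how those options lay out memory and segments, but this page does not establish that. The nested `#endif` lines would also read better tagged with their option names, e.g. `#endif /* CONFIG_X86_32 */`. `identify_cpu` starts and ends outside the hunk.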
23865@@ -992,7 +1055,7 @@ void enable_sep_cpu(void)
23866 int cpu;
23867
23868 cpu = get_cpu();
23869- tss = &per_cpu(cpu_tss, cpu);
23870+ tss = cpu_tss + cpu;
23871
23872 if (!boot_cpu_has(X86_FEATURE_SEP))
23873 goto out;
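Review bot: `tss = cpu_tss + cpu;` replaces the per-CPU accessor with raw pointer arithmetic, here and in both `cpu_init` hunks further down, which hides that `cpu_tss` is now expected to be an array indexed by CPU number (its declaration is not on this page). Writing `tss = &cpu_tss[cpu];` says the same thing more plainly, and a comment at the declaration stating the array length would let a reader confirm that every `cpu` value used here is in range. `enable_sep_cpu` starts above and continues below the hunk.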
23874@@ -1138,10 +1201,12 @@ static __init int setup_disablecpuid(char *arg)
23875 }
23876 __setup("clearcpuid=", setup_disablecpuid);
23877
23878+DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
23879+EXPORT_PER_CPU_SYMBOL(current_tinfo);
23880+
23881 #ifdef CONFIG_X86_64
23882-struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
23883-struct desc_ptr debug_idt_descr = { NR_VECTORS * 16 - 1,
23884- (unsigned long) debug_idt_table };
23885+struct desc_ptr idt_descr __read_only = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
23886+const struct desc_ptr debug_idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) debug_idt_table };
23887
23888 DEFINE_PER_CPU_FIRST(union irq_stack_union,
23889 irq_stack_union) __aligned(PAGE_SIZE) __visible;
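Review bot: `idt_descr` is marked `__read_only` while `debug_idt_descr` on the next line becomes `const`, and nothing says why the two descriptors are treated differently. If `idt_descr` is still written during boot (not visible here), a short comment such as `/* written during early boot, read-only afterwards */` would record that; if it is never written, `const` would be the stronger choice for both. Both initialisers also lost their line break and now run well past 80 columns.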
23890@@ -1253,21 +1318,21 @@ EXPORT_PER_CPU_SYMBOL(current_task);
23891 DEFINE_PER_CPU(int, __preempt_count) = INIT_PREEMPT_COUNT;
23892 EXPORT_PER_CPU_SYMBOL(__preempt_count);
23893
23894+#ifdef CONFIG_CC_STACKPROTECTOR
23895+DEFINE_PER_CPU_ALIGNED(struct stack_canary, stack_canary);
23896+#endif
23897+
23898+#endif /* CONFIG_X86_64 */
23899+
23900 /*
23901 * On x86_32, vm86 modifies tss.sp0, so sp0 isn't a reliable way to find
23902 * the top of the kernel stack. Use an extra percpu variable to track the
23903 * top of the kernel stack directly.
23904 */
23905 DEFINE_PER_CPU(unsigned long, cpu_current_top_of_stack) =
23906- (unsigned long)&init_thread_union + THREAD_SIZE;
23907+ (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
23908 EXPORT_PER_CPU_SYMBOL(cpu_current_top_of_stack);
23909
23910-#ifdef CONFIG_CC_STACKPROTECTOR
23911-DEFINE_PER_CPU_ALIGNED(struct stack_canary, stack_canary);
23912-#endif
23913-
23914-#endif /* CONFIG_X86_64 */
23915-
23916 /*
23917 * Clear all 6 debug registers:
23918 */
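Review bot: The new initial value `(unsigned long)&init_thread_union - 16 + THREAD_SIZE` introduces a bare 16-byte adjustment, and the comment directly above still describes the variable as the top of the kernel stack. Name the constant or extend that comment, for instance `/* the top 16 bytes of the stack are kept in reserve */`, adjusted to whatever the reserve is actually for. The hunk also moves `#endif /* CONFIG_X86_64 */` above this definition, so it is now built outside that conditional. It is worth checking that every other place that computes the stack top applies the same offset; none is visible on this page.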
23919@@ -1343,7 +1408,7 @@ void cpu_init(void)
23920 */
23921 load_ucode_ap();
23922
23923- t = &per_cpu(cpu_tss, cpu);
23924+ t = cpu_tss + cpu;
23925 oist = &per_cpu(orig_ist, cpu);
23926
23927 #ifdef CONFIG_NUMA
23928@@ -1375,7 +1440,6 @@ void cpu_init(void)
23929 wrmsrl(MSR_KERNEL_GS_BASE, 0);
23930 barrier();
23931
23932- x86_configure_nx();
23933 x2apic_setup();
23934
23935 /*
23936@@ -1427,7 +1491,7 @@ void cpu_init(void)
23937 {
23938 int cpu = smp_processor_id();
23939 struct task_struct *curr = current;
23940- struct tss_struct *t = &per_cpu(cpu_tss, cpu);
23941+ struct tss_struct *t = cpu_tss + cpu;
23942 struct thread_struct *thread = &curr->thread;
23943
23944 wait_for_master_cpu(cpu);
23945diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
23946index be4febc..f7af533 100644
23947--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
23948+++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
23949@@ -519,25 +519,23 @@ cache_private_attrs_is_visible(struct kobject *kobj,
23950 return 0;
23951 }
23952
23953+static struct attribute *amd_l3_attrs[4];
23954+
23955 static struct attribute_group cache_private_group = {
23956 .is_visible = cache_private_attrs_is_visible,
23957+ .attrs = amd_l3_attrs,
23958 };
23959
23960 static void init_amd_l3_attrs(void)
23961 {
23962 int n = 1;
23963- static struct attribute **amd_l3_attrs;
23964-
23965- if (amd_l3_attrs) /* already initialized */
23966- return;
23967
23968 if (amd_nb_has_feature(AMD_NB_L3_INDEX_DISABLE))
23969 n += 2;
23970 if (amd_nb_has_feature(AMD_NB_L3_PARTITIONING))
23971 n += 1;
23972
23973- amd_l3_attrs = kcalloc(n, sizeof(*amd_l3_attrs), GFP_KERNEL);
23974- if (!amd_l3_attrs)
23975+ if (n > 1 && amd_l3_attrs[0]) /* already initialized */
23976 return;
23977
23978 n = 0;
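Review bot: The size in `static struct attribute *amd_l3_attrs[4];` is a bare literal that has to match the largest count `init_amd_l3_attrs` can compute (the initial 1, presumably the terminator slot, plus 2 for index disable and 1 for partitioning), and nothing ties the two together. Add a comment like `/* at most 3 attributes plus the NULL terminator, see init_amd_l3_attrs() */` and consider `BUG_ON(n > ARRAY_SIZE(amd_l3_attrs));` after `n` is computed, so a future attribute cannot overrun the array. The rewritten guard `if (n > 1 && amd_l3_attrs[0])` has no lock around it, as before; whether concurrent callers are possible is not visible here. The function body continues in the next hunk.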
23979@@ -547,8 +545,6 @@ static void init_amd_l3_attrs(void)
23980 }
23981 if (amd_nb_has_feature(AMD_NB_L3_PARTITIONING))
23982 amd_l3_attrs[n++] = &dev_attr_subcaches.attr;
23983-
23984- cache_private_group.attrs = amd_l3_attrs;
23985 }
23986
23987 const struct attribute_group *
23988@@ -559,7 +555,7 @@ cache_get_priv_group(struct cacheinfo *this_leaf)
23989 if (this_leaf->level < 3 || !nb)
23990 return NULL;
23991
23992- if (nb && nb->l3_cache.indices)
23993+ if (nb->l3_cache.indices)
23994 init_amd_l3_attrs();
23995
23996 return &cache_private_group;
23997diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
23998index df919ff..3332bf7 100644
23999--- a/arch/x86/kernel/cpu/mcheck/mce.c
24000+++ b/arch/x86/kernel/cpu/mcheck/mce.c
24001@@ -47,6 +47,7 @@
24002 #include <asm/tlbflush.h>
24003 #include <asm/mce.h>
24004 #include <asm/msr.h>
24005+#include <asm/local.h>
24006
24007 #include "mce-internal.h"
24008
24009@@ -259,7 +260,7 @@ static void print_mce(struct mce *m)
24010 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
24011 m->cs, m->ip);
24012
24013- if (m->cs == __KERNEL_CS)
24014+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
24015 print_symbol("{%s}", m->ip);
24016 pr_cont("\n");
24017 }
24018@@ -292,10 +293,10 @@ static void print_mce(struct mce *m)
24019
24020 #define PANIC_TIMEOUT 5 /* 5 seconds */
24021
24022-static atomic_t mce_panicked;
24023+static atomic_unchecked_t mce_panicked;
24024
24025 static int fake_panic;
24026-static atomic_t mce_fake_panicked;
24027+static atomic_unchecked_t mce_fake_panicked;
24028
24029 /* Panic in progress. Enable interrupts and wait for final IPI */
24030 static void wait_for_panic(void)
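Review bot: `mce_panicked` and `mce_fake_panicked` are switched to `atomic_unchecked_t` with no comment on why these two counters are taken out of whatever checking plain `atomic_t` gets in this patch set, while `mce_executing`, `mce_callin` and `global_nwo` in `mce_reset` keep `atomic_set()`. Judging by the names this opts them out of overflow detection; a one-line comment at the declarations, e.g. `/* not a reference count: only tested for non-zero or > 1 */`, would make the choice reviewable. The matching accessor changes are in the `mce_panic`, `mce_timed_out` and `mce_reset` hunks below.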
24031@@ -319,7 +320,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24032 /*
24033 * Make sure only one CPU runs in machine check panic
24034 */
24035- if (atomic_inc_return(&mce_panicked) > 1)
24036+ if (atomic_inc_return_unchecked(&mce_panicked) > 1)
24037 wait_for_panic();
24038 barrier();
24039
24040@@ -327,7 +328,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24041 console_verbose();
24042 } else {
24043 /* Don't log too much for fake panic */
24044- if (atomic_inc_return(&mce_fake_panicked) > 1)
24045+ if (atomic_inc_return_unchecked(&mce_fake_panicked) > 1)
24046 return;
24047 }
24048 /* First print corrected ones that are still unlogged */
24049@@ -366,7 +367,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24050 if (!fake_panic) {
24051 if (panic_timeout == 0)
24052 panic_timeout = mca_cfg.panic_timeout;
24053- panic(msg);
24054+ panic("%s", msg);
24055 } else
24056 pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg);
24057 }
24058@@ -752,7 +753,7 @@ static int mce_timed_out(u64 *t, const char *msg)
24059 * might have been modified by someone else.
24060 */
24061 rmb();
24062- if (atomic_read(&mce_panicked))
24063+ if (atomic_read_unchecked(&mce_panicked))
24064 wait_for_panic();
24065 if (!mca_cfg.monarch_timeout)
24066 goto out;
24067@@ -1708,7 +1709,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
24068 }
24069
24070 /* Call the installed machine check handler for this CPU setup. */
24071-void (*machine_check_vector)(struct pt_regs *, long error_code) =
24072+void (*machine_check_vector)(struct pt_regs *, long error_code) __read_only =
24073 unexpected_machine_check;
24074
24075 /*
24076@@ -1731,7 +1732,9 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c)
24077 return;
24078 }
24079
24080+ pax_open_kernel();
24081 machine_check_vector = do_machine_check;
24082+ pax_close_kernel();
24083
24084 __mcheck_cpu_init_generic();
24085 __mcheck_cpu_init_vendor(c);
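Review bot: The open/assign/close sequence for `machine_check_vector` is repeated here and in the `intel_p5_mcheck_init` and `winchip_mcheck_init` hunks, and only those two follow it with `wmb()` within the visible lines. A single helper next to the `__read_only` definition, for example a `set_machine_check_vector(handler)` that does the three lines and the barrier, would keep the write window and the ordering requirement in one place. `mcheck_cpu_init` starts above the hunk, so a barrier outside the visible lines cannot be ruled out.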
24086@@ -1745,7 +1748,7 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c)
24087 */
24088
24089 static DEFINE_SPINLOCK(mce_chrdev_state_lock);
24090-static int mce_chrdev_open_count; /* #times opened */
24091+static local_t mce_chrdev_open_count; /* #times opened */
24092 static int mce_chrdev_open_exclu; /* already open exclusive? */
24093
24094 static int mce_chrdev_open(struct inode *inode, struct file *file)
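Review bot: `mce_chrdev_open_count` becomes a `local_t`, yet every access in the following hunks (`local_read`, `local_inc`, `local_dec`) happens under `mce_chrdev_state_lock`, so the type adds nothing for synchronisation and its intent is undocumented. `local_t` operations are normally meant for data touched by one CPU only. If the change is there only to get overflow checking on the counter, say so in the existing comment, e.g. `/* #times opened; local_t for overflow checking, serialised by mce_chrdev_state_lock */`. That reason is my guess and needs confirming by the author.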
24095@@ -1753,7 +1756,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
24096 spin_lock(&mce_chrdev_state_lock);
24097
24098 if (mce_chrdev_open_exclu ||
24099- (mce_chrdev_open_count && (file->f_flags & O_EXCL))) {
24100+ (local_read(&mce_chrdev_open_count) && (file->f_flags & O_EXCL))) {
24101 spin_unlock(&mce_chrdev_state_lock);
24102
24103 return -EBUSY;
24104@@ -1761,7 +1764,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
24105
24106 if (file->f_flags & O_EXCL)
24107 mce_chrdev_open_exclu = 1;
24108- mce_chrdev_open_count++;
24109+ local_inc(&mce_chrdev_open_count);
24110
24111 spin_unlock(&mce_chrdev_state_lock);
24112
24113@@ -1772,7 +1775,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
24114 {
24115 spin_lock(&mce_chrdev_state_lock);
24116
24117- mce_chrdev_open_count--;
24118+ local_dec(&mce_chrdev_open_count);
24119 mce_chrdev_open_exclu = 0;
24120
24121 spin_unlock(&mce_chrdev_state_lock);
24122@@ -2448,7 +2451,7 @@ static __init void mce_init_banks(void)
24123
24124 for (i = 0; i < mca_cfg.banks; i++) {
24125 struct mce_bank *b = &mce_banks[i];
24126- struct device_attribute *a = &b->attr;
24127+ device_attribute_no_const *a = &b->attr;
24128
24129 sysfs_attr_init(&a->attr);
24130 a->attr.name = b->attrname;
24131@@ -2555,7 +2558,7 @@ struct dentry *mce_get_debugfs_dir(void)
24132 static void mce_reset(void)
24133 {
24134 cpu_missing = 0;
24135- atomic_set(&mce_fake_panicked, 0);
24136+ atomic_set_unchecked(&mce_fake_panicked, 0);
24137 atomic_set(&mce_executing, 0);
24138 atomic_set(&mce_callin, 0);
24139 atomic_set(&global_nwo, 0);
24140diff --git a/arch/x86/kernel/cpu/mcheck/p5.c b/arch/x86/kernel/cpu/mcheck/p5.c
24141index 737b0ad..09ec66e 100644
24142--- a/arch/x86/kernel/cpu/mcheck/p5.c
24143+++ b/arch/x86/kernel/cpu/mcheck/p5.c
24144@@ -12,6 +12,7 @@
24145 #include <asm/tlbflush.h>
24146 #include <asm/mce.h>
24147 #include <asm/msr.h>
24148+#include <asm/pgtable.h>
24149
24150 /* By default disabled */
24151 int mce_p5_enabled __read_mostly;
24152@@ -55,7 +56,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
24153 if (!cpu_has(c, X86_FEATURE_MCE))
24154 return;
24155
24156+ pax_open_kernel();
24157 machine_check_vector = pentium_machine_check;
24158+ pax_close_kernel();
24159 /* Make sure the vector pointer is visible before we enable MCEs: */
24160 wmb();
24161
24162diff --git a/arch/x86/kernel/cpu/mcheck/winchip.c b/arch/x86/kernel/cpu/mcheck/winchip.c
24163index 44f1382..315b292 100644
24164--- a/arch/x86/kernel/cpu/mcheck/winchip.c
24165+++ b/arch/x86/kernel/cpu/mcheck/winchip.c
24166@@ -11,6 +11,7 @@
24167 #include <asm/tlbflush.h>
24168 #include <asm/mce.h>
24169 #include <asm/msr.h>
24170+#include <asm/pgtable.h>
24171
24172 /* Machine check handler for WinChip C6: */
24173 static void winchip_machine_check(struct pt_regs *regs, long error_code)
24174@@ -28,7 +29,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c)
24175 {
24176 u32 lo, hi;
24177
24178+ pax_open_kernel();
24179 machine_check_vector = winchip_machine_check;
24180+ pax_close_kernel();
24181 /* Make sure the vector pointer is visible before we enable MCEs: */
24182 wmb();
24183
24184diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
24185index 6236a54..532026d 100644
24186--- a/arch/x86/kernel/cpu/microcode/core.c
24187+++ b/arch/x86/kernel/cpu/microcode/core.c
24188@@ -460,7 +460,7 @@ mc_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu)
24189 return NOTIFY_OK;
24190 }
24191
24192-static struct notifier_block __refdata mc_cpu_notifier = {
24193+static struct notifier_block mc_cpu_notifier = {
24194 .notifier_call = mc_cpu_callback,
24195 };
24196
24197diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
24198index 969dc17..a9c3fdd 100644
24199--- a/arch/x86/kernel/cpu/microcode/intel.c
24200+++ b/arch/x86/kernel/cpu/microcode/intel.c
24201@@ -237,13 +237,13 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
24202
24203 static int get_ucode_user(void *to, const void *from, size_t n)
24204 {
24205- return copy_from_user(to, from, n);
24206+ return copy_from_user(to, (const void __force_user *)from, n);
24207 }
24208
24209 static enum ucode_state
24210 request_microcode_user(int cpu, const void __user *buf, size_t size)
24211 {
24212- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
24213+ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
24214 }
24215
24216 static void microcode_fini_cpu(int cpu)
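Review bot: The `__force_kernel` cast in `request_microcode_user` and the `__force_user` cast in `get_ucode_user` switch off address-space checking on exactly the pointer that carries user data, so the only thing keeping `copy_from_user()` pointed at user memory is that these two functions are always used as a pair. State that invariant in a comment on `get_ucode_user`, for example `/* 'from' is always the __user buffer passed by request_microcode_user() */`, so that nobody reuses the callback with a kernel pointer. How `generic_load_microcode` treats the pointer before handing it to the callback is outside this hunk.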
24217diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
24218index e7ed0d8..57a2ab9 100644
24219--- a/arch/x86/kernel/cpu/mtrr/main.c
24220+++ b/arch/x86/kernel/cpu/mtrr/main.c
24221@@ -72,7 +72,7 @@ static DEFINE_MUTEX(mtrr_mutex);
24222 u64 size_or_mask, size_and_mask;
24223 static bool mtrr_aps_delayed_init;
24224
24225-static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
24226+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
24227
24228 const struct mtrr_ops *mtrr_if;
24229
24230diff --git a/arch/x86/kernel/cpu/mtrr/mtrr.h b/arch/x86/kernel/cpu/mtrr/mtrr.h
24231index 951884d..4796b75 100644
24232--- a/arch/x86/kernel/cpu/mtrr/mtrr.h
24233+++ b/arch/x86/kernel/cpu/mtrr/mtrr.h
24234@@ -25,7 +25,7 @@ struct mtrr_ops {
24235 int (*validate_add_page)(unsigned long base, unsigned long size,
24236 unsigned int type);
24237 int (*have_wrcomb)(void);
24238-};
24239+} __do_const;
24240
24241 extern int generic_get_free_region(unsigned long base, unsigned long size,
24242 int replace_reg);
24243diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
24244index 9469dfa..2b026bc 100644
24245--- a/arch/x86/kernel/cpu/perf_event.c
24246+++ b/arch/x86/kernel/cpu/perf_event.c
24247@@ -1518,7 +1518,7 @@ static void __init pmu_check_apic(void)
24248
24249 }
24250
24251-static struct attribute_group x86_pmu_format_group = {
24252+static attribute_group_no_const x86_pmu_format_group = {
24253 .name = "format",
24254 .attrs = NULL,
24255 };
24256@@ -1617,7 +1617,7 @@ static struct attribute *events_attr[] = {
24257 NULL,
24258 };
24259
24260-static struct attribute_group x86_pmu_events_group = {
24261+static attribute_group_no_const x86_pmu_events_group = {
24262 .name = "events",
24263 .attrs = events_attr,
24264 };
24265@@ -2176,7 +2176,7 @@ valid_user_frame(const void __user *fp, unsigned long size)
24266 static unsigned long get_segment_base(unsigned int segment)
24267 {
24268 struct desc_struct *desc;
24269- int idx = segment >> 3;
24270+ unsigned int idx = segment >> 3;
24271
24272 if ((segment & SEGMENT_TI_MASK) == SEGMENT_LDT) {
24273 struct ldt_struct *ldt;
24274@@ -2194,7 +2194,7 @@ static unsigned long get_segment_base(unsigned int segment)
24275 if (idx > GDT_ENTRIES)
24276 return 0;
24277
24278- desc = raw_cpu_ptr(gdt_page.gdt) + idx;
24279+ desc = get_cpu_gdt_table(smp_processor_id()) + idx;
24280 }
24281
24282 return get_desc_base(desc);
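Review bot: The bounds check just above the changed line, `if (idx > GDT_ENTRIES)`, still lets `idx == GDT_ENTRIES` through, so `get_cpu_gdt_table(smp_processor_id()) + idx` can point one descriptor past the table before `get_desc_base()` reads it; it should be `if (idx >= GDT_ENTRIES)`. `segment` appears to come from sampled register state (the callers are not shown), so it should not be treated as trusted. The replacement also moves from `raw_cpu_ptr()` to `smp_processor_id()`, which is only safe where the caller cannot migrate between CPUs; that looks plausible for callchain sampling but is not visible here. `get_segment_base` starts above the hunk.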
24283@@ -2284,7 +2284,7 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
24284 break;
24285
24286 perf_callchain_store(entry, frame.return_address);
24287- fp = frame.next_frame;
24288+ fp = (const void __force_user *)frame.next_frame;
24289 }
24290 }
24291
24292diff --git a/arch/x86/kernel/cpu/perf_event_amd_iommu.c b/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24293index 97242a9..cf9c30e 100644
24294--- a/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24295+++ b/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24296@@ -402,7 +402,7 @@ static void perf_iommu_del(struct perf_event *event, int flags)
24297 static __init int _init_events_attrs(struct perf_amd_iommu *perf_iommu)
24298 {
24299 struct attribute **attrs;
24300- struct attribute_group *attr_group;
24301+ attribute_group_no_const *attr_group;
24302 int i = 0, j;
24303
24304 while (amd_iommu_v2_event_descs[i].attr.attr.name)
24305diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
24306index 6326ae2..f092747 100644
24307--- a/arch/x86/kernel/cpu/perf_event_intel.c
24308+++ b/arch/x86/kernel/cpu/perf_event_intel.c
24309@@ -3016,10 +3016,10 @@ __init int intel_pmu_init(void)
24310 x86_pmu.num_counters_fixed = max((int)edx.split.num_counters_fixed, 3);
24311
24312 if (boot_cpu_has(X86_FEATURE_PDCM)) {
24313- u64 capabilities;
24314+ u64 capabilities = x86_pmu.intel_cap.capabilities;
24315
24316- rdmsrl(MSR_IA32_PERF_CAPABILITIES, capabilities);
24317- x86_pmu.intel_cap.capabilities = capabilities;
24318+ if (rdmsrl_safe(MSR_IA32_PERF_CAPABILITIES, &x86_pmu.intel_cap.capabilities))
24319+ x86_pmu.intel_cap.capabilities = capabilities;
24320 }
24321
24322 intel_ds_init();
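Review bot: `rdmsrl_safe()` is pointed straight at `x86_pmu.intel_cap.capabilities` and the old value is written back afterwards on failure, which is harder to follow than reading into the local and storing only on success: `if (!rdmsrl_safe(MSR_IA32_PERF_CAPABILITIES, &capabilities)) x86_pmu.intel_cap.capabilities = capabilities;`. That form never leaves the field holding whatever a failed read stored and drops the save/restore. A failed read is also silent; a `pr_warn_once()` would show that the capabilities were left at their previous value. `intel_pmu_init` starts and ends outside the hunk.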
24323diff --git a/arch/x86/kernel/cpu/perf_event_intel_bts.c b/arch/x86/kernel/cpu/perf_event_intel_bts.c
24324index 43dd672..78c0562 100644
24325--- a/arch/x86/kernel/cpu/perf_event_intel_bts.c
24326+++ b/arch/x86/kernel/cpu/perf_event_intel_bts.c
24327@@ -252,7 +252,7 @@ static void bts_event_start(struct perf_event *event, int flags)
24328 __bts_event_start(event);
24329
24330 /* PMI handler: this counter is running and likely generating PMIs */
24331- ACCESS_ONCE(bts->started) = 1;
24332+ ACCESS_ONCE_RW(bts->started) = 1;
24333 }
24334
24335 static void __bts_event_stop(struct perf_event *event)
24336@@ -266,7 +266,7 @@ static void __bts_event_stop(struct perf_event *event)
24337 if (event->hw.state & PERF_HES_STOPPED)
24338 return;
24339
24340- ACCESS_ONCE(event->hw.state) |= PERF_HES_STOPPED;
24341+ ACCESS_ONCE_RW(event->hw.state) |= PERF_HES_STOPPED;
24342 }
24343
24344 static void bts_event_stop(struct perf_event *event, int flags)
24345@@ -274,7 +274,7 @@ static void bts_event_stop(struct perf_event *event, int flags)
24346 struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
24347
24348 /* PMI handler: don't restart this counter */
24349- ACCESS_ONCE(bts->started) = 0;
24350+ ACCESS_ONCE_RW(bts->started) = 0;
24351
24352 __bts_event_stop(event);
24353
24354diff --git a/arch/x86/kernel/cpu/perf_event_intel_cqm.c b/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24355index 377e8f8..2982f48 100644
24356--- a/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24357+++ b/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24358@@ -1364,7 +1364,9 @@ static int __init intel_cqm_init(void)
24359 goto out;
24360 }
24361
24362- event_attr_intel_cqm_llc_scale.event_str = str;
24363+ pax_open_kernel();
24364+ *(const char **)&event_attr_intel_cqm_llc_scale.event_str = str;
24365+ pax_close_kernel();
24366
24367 ret = intel_cqm_setup_rmid_cache();
24368 if (ret)
24369diff --git a/arch/x86/kernel/cpu/perf_event_intel_pt.c b/arch/x86/kernel/cpu/perf_event_intel_pt.c
24370index 183de71..bd34d52 100644
24371--- a/arch/x86/kernel/cpu/perf_event_intel_pt.c
24372+++ b/arch/x86/kernel/cpu/perf_event_intel_pt.c
24373@@ -116,16 +116,12 @@ static const struct attribute_group *pt_attr_groups[] = {
24374
24375 static int __init pt_pmu_hw_init(void)
24376 {
24377- struct dev_ext_attribute *de_attrs;
24378- struct attribute **attrs;
24379- size_t size;
24380- int ret;
24381+ static struct dev_ext_attribute de_attrs[ARRAY_SIZE(pt_caps)];
24382+ static struct attribute *attrs[ARRAY_SIZE(pt_caps)];
24383 long i;
24384
24385- attrs = NULL;
24386- ret = -ENODEV;
24387 if (!test_cpu_cap(&boot_cpu_data, X86_FEATURE_INTEL_PT))
24388- goto fail;
24389+ return -ENODEV;
24390
24391 for (i = 0; i < PT_CPUID_LEAVES; i++) {
24392 cpuid_count(20, i,
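Review bot: `static struct attribute *attrs[ARRAY_SIZE(pt_caps)];` has no slot for a terminator: the removed code allocated `ARRAY_SIZE(pt_caps)+1` zeroed entries, and the loop in the next hunk fills every one of the `ARRAY_SIZE(pt_caps)` entries before `attrs` is stored in `pt_cap_group.attrs`. Attribute arrays are normally walked until a NULL entry, so the consumer would read past the end of the array; declare it as `static struct attribute *attrs[ARRAY_SIZE(pt_caps) + 1];`. `de_attrs` does not need the extra element. `pt_pmu_hw_init` continues in the following hunk.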
24393@@ -135,39 +131,25 @@ static int __init pt_pmu_hw_init(void)
24394 &pt_pmu.caps[CR_EDX + i*4]);
24395 }
24396
24397- ret = -ENOMEM;
24398- size = sizeof(struct attribute *) * (ARRAY_SIZE(pt_caps)+1);
24399- attrs = kzalloc(size, GFP_KERNEL);
24400- if (!attrs)
24401- goto fail;
24402-
24403- size = sizeof(struct dev_ext_attribute) * (ARRAY_SIZE(pt_caps)+1);
24404- de_attrs = kzalloc(size, GFP_KERNEL);
24405- if (!de_attrs)
24406- goto fail;
24407-
24408+ pax_open_kernel();
24409 for (i = 0; i < ARRAY_SIZE(pt_caps); i++) {
24410- struct dev_ext_attribute *de_attr = de_attrs + i;
24411+ struct dev_ext_attribute *de_attr = &de_attrs[i];
24412
24413- de_attr->attr.attr.name = pt_caps[i].name;
24414+ *(const char **)&de_attr->attr.attr.name = pt_caps[i].name;
24415
24416 sysfs_attr_init(&de_attr->attr.attr);
24417
24418- de_attr->attr.attr.mode = S_IRUGO;
24419- de_attr->attr.show = pt_cap_show;
24420- de_attr->var = (void *)i;
24421+ *(umode_t *)&de_attr->attr.attr.mode = S_IRUGO;
24422+ *(void **)&de_attr->attr.show = pt_cap_show;
24423+ *(void **)&de_attr->var = (void *)i;
24424
24425 attrs[i] = &de_attr->attr.attr;
24426 }
24427
24428- pt_cap_group.attrs = attrs;
24429+ *(struct attribute ***)&pt_cap_group.attrs = attrs;
24430+ pax_close_kernel();
24431
24432 return 0;
24433-
24434-fail:
24435- kfree(attrs);
24436-
24437- return ret;
24438 }
24439
24440 #define PT_CONFIG_MASK (RTIT_CTL_TSC_EN | RTIT_CTL_DISRETC)
24441@@ -929,7 +911,7 @@ static void pt_event_start(struct perf_event *event, int mode)
24442 return;
24443 }
24444
24445- ACCESS_ONCE(pt->handle_nmi) = 1;
24446+ ACCESS_ONCE_RW(pt->handle_nmi) = 1;
24447 event->hw.state = 0;
24448
24449 pt_config_buffer(buf->cur->table, buf->cur_idx,
24450@@ -946,7 +928,7 @@ static void pt_event_stop(struct perf_event *event, int mode)
24451 * Protect against the PMI racing with disabling wrmsr,
24452 * see comment in intel_pt_interrupt().
24453 */
24454- ACCESS_ONCE(pt->handle_nmi) = 0;
24455+ ACCESS_ONCE_RW(pt->handle_nmi) = 0;
24456 pt_config_start(false);
24457
24458 if (event->hw.state == PERF_HES_STOPPED)
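--- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
@@ -486,7 +486,7 @@ static struct attribute *rapl_events_hsw_attr[] = {
 NULL,
 };
 
-static struct attribute_group rapl_pmu_events_group = {
+static attribute_group_no_const rapl_pmu_events_group __read_only = {
 .name = "events",
 .attrs = NULL, /* patched at runtime */
 };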
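Review bot: `rapl_pmu_events_group` is now `__read_only`, yet its initializer still carries `.attrs = NULL, /* patched at runtime */`, and the code that does the patching is outside this hunk. It is worth confirming that the assignment is bracketed by `pax_open_kernel()` / `pax_close_kernel()` in the same way `pt_pmu_hw_init` handles `pt_cap_group.attrs`, because a plain store to a read-only object would fault at init. Extending the comment to `/* patched at runtime under pax_open_kernel() */` would record the requirement next to the data it applies to.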
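--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@@ -731,7 +731,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
 static int __init uncore_type_init(struct intel_uncore_type *type)
 {
 struct intel_uncore_pmu *pmus;
- struct attribute_group *attr_group;
+ attribute_group_no_const *attr_group;
 struct attribute **attrs;
 int i, j;
 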
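--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.h
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
@@ -115,7 +115,7 @@ struct intel_uncore_box {
 struct uncore_event_desc {
 struct kobj_attribute attr;
 const char *config;
-};
+} __do_const;
 
 ssize_t uncore_event_show(struct kobject *kobj,
 struct kobj_attribute *attr, char *buf);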
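--- a/arch/x86/kernel/cpuid.c
+++ b/arch/x86/kernel/cpuid.c
@@ -170,7 +170,7 @@ static int cpuid_class_cpu_callback(struct notifier_block *nfb,
 return notifier_from_errno(err);
 }
 
-static struct notifier_block __refdata cpuid_class_cpu_notifier =
+static struct notifier_block cpuid_class_cpu_notifier =
 {
 .notifier_call = cpuid_class_cpu_callback,
 };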
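--- a/arch/x86/kernel/crash.c
+++ b/arch/x86/kernel/crash.c
@@ -185,10 +185,9 @@ void native_machine_crash_shutdown(struct pt_regs *regs)
 }
 
 #ifdef CONFIG_KEXEC_FILE
-static int get_nr_ram_ranges_callback(unsigned long start_pfn,
- unsigned long nr_pfn, void *arg)
+static int get_nr_ram_ranges_callback(u64 start, u64 end, void *arg)
 {
- int *nr_ranges = arg;
+ unsigned int *nr_ranges = arg;
 
 (*nr_ranges)++;
 return 0;
@@ -214,7 +213,7 @@ static void fill_up_crash_elf_data(struct crash_elf_data *ced,
 
 ced->image = image;
 
- walk_system_ram_range(0, -1, &nr_ranges,
+ walk_system_ram_res(0, -1, &nr_ranges,
 get_nr_ram_ranges_callback);
 
 ced->max_nr_ranges = nr_ranges;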
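Review bot: `get_nr_ram_ranges_callback` now increments through an `unsigned int *`, but the `nr_ranges` object whose address `fill_up_crash_elf_data` passes is declared outside the second hunk. Because the pointer travels through `void *arg`, the compiler will not complain if that local is still a plain `int`, so it is worth confirming the declaration reads `unsigned int nr_ranges = 0;`. The new `start` and `end` parameters are unused; a one-line comment such as `/* counts one entry per System RAM resource; the range itself is ignored */` would make that deliberate.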
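--- a/arch/x86/kernel/crash_dump_64.c
+++ b/arch/x86/kernel/crash_dump_64.c
@@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf,
 return -ENOMEM;
 
 if (userbuf) {
- if (copy_to_user(buf, vaddr + offset, csize)) {
+ if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) {
 iounmap(vaddr);
 return -EFAULT;
 }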
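Review bot: The `(char __force_user *)buf` cast in `copy_oldmem_page` switches off the address-space check for `buf`, so nothing machine-checked remains to say when `buf` is really a user pointer. The signature takes a plain `char *buf`, and only the `userbuf` flag tells the two cases apart. A comment at the cast would keep that contract visible, for example `/* buf is a user pointer only when userbuf is set; the caller guarantees this */`. The rest of the function, including the branch taken when `userbuf` is clear, is outside the hunk.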
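--- a/arch/x86/kernel/doublefault.c
+++ b/arch/x86/kernel/doublefault.c
@@ -12,7 +12,7 @@
 
 #define DOUBLEFAULT_STACKSIZE (1024)
 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
 
 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
 
@@ -22,7 +22,7 @@ static void doublefault_fn(void)
 unsigned long gdt, tss;
 
 native_store_gdt(&gdt_desc);
- gdt = gdt_desc.address;
+ gdt = (unsigned long)gdt_desc.address;
 
 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
 
@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cacheline_aligned = {
 /* 0x2 bit is always set */
 .flags = X86_EFLAGS_SF | 0x2,
 .sp = STACK_START,
- .es = __USER_DS,
+ .es = __KERNEL_DS,
 .cs = __KERNEL_CS,
 .ss = __KERNEL_DS,
- .ds = __USER_DS,
+ .ds = __KERNEL_DS,
 .fs = __KERNEL_PERCPU,
 
 .__cr3 = __pa_nodebug(swapper_pg_dir),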
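Review bot: The `-2` added to `STACK_START` is an unexplained magic number: nothing in the hunk says why the initial stack pointer is backed off by two `unsigned long` slots from the end of `doublefault_stack`. A comment stating the actual reason, along the lines of `/* keep two words of headroom below the end of doublefault_stack: <reason> */`, would stop a later cleanup from reverting it. The same applies to `.es` and `.ds` in `doublefault_tss` moving from `__USER_DS` to `__KERNEL_DS`; presumably the handler should never run with user data segments loaded, but the initializer should say so.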
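--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -2,6 +2,9 @@
 * Copyright (C) 1991, 1992 Linus Torvalds
 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
 */
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+#define __INCLUDED_BY_HIDESYM 1
+#endif
 #include <linux/kallsyms.h>
 #include <linux/kprobes.h>
 #include <linux/uaccess.h>
@@ -35,23 +38,21 @@ static void printk_stack_address(unsigned long address, int reliable,
 
 void printk_address(unsigned long address)
 {
- pr_cont(" [<%p>] %pS\n", (void *)address, (void *)address);
+ pr_cont(" [<%p>] %pA\n", (void *)address, (void *)address);
 }
 
 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
 static void
 print_ftrace_graph_addr(unsigned long addr, void *data,
 const struct stacktrace_ops *ops,
- struct thread_info *tinfo, int *graph)
+ struct task_struct *task, int *graph)
 {
- struct task_struct *task;
 unsigned long ret_addr;
 int index;
 
 if (addr != (unsigned long)return_to_handler)
 return;
 
- task = tinfo->task;
 index = task->curr_ret_stack;
 
 if (!task->ret_stack || index < *graph)
@@ -68,7 +69,7 @@ print_ftrace_graph_addr(unsigned long addr, void *data,
 static inline void
 print_ftrace_graph_addr(unsigned long addr, void *data,
 const struct stacktrace_ops *ops,
- struct thread_info *tinfo, int *graph)
+ struct task_struct *task, int *graph)
 { }
 #endif
 
@@ -79,10 +80,8 @@ print_ftrace_graph_addr(unsigned long addr, void *data,
 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
 */
 
-static inline int valid_stack_ptr(struct thread_info *tinfo,
- void *p, unsigned int size, void *end)
+static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
 {
- void *t = tinfo;
 if (end) {
 if (p < end && p >= (end-THREAD_SIZE))
 return 1;
@@ -93,14 +92,14 @@ static inline int valid_stack_ptr(struct thread_info *tinfo,
 }
 
 unsigned long
-print_context_stack(struct thread_info *tinfo,
+print_context_stack(struct task_struct *task, void *stack_start,
 unsigned long *stack, unsigned long bp,
 const struct stacktrace_ops *ops, void *data,
 unsigned long *end, int *graph)
 {
 struct stack_frame *frame = (struct stack_frame *)bp;
 
- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
+ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
 unsigned long addr;
 
 addr = *stack;
@@ -112,7 +111,7 @@ print_context_stack(struct thread_info *tinfo,
 } else {
 ops->address(data, addr, 0);
 }
- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
+ print_ftrace_graph_addr(addr, data, ops, task, graph);
 }
 stack++;
 }
@@ -121,7 +120,7 @@ print_context_stack(struct thread_info *tinfo,
 EXPORT_SYMBOL_GPL(print_context_stack);
 
 unsigned long
-print_context_stack_bp(struct thread_info *tinfo,
+print_context_stack_bp(struct task_struct *task, void *stack_start,
 unsigned long *stack, unsigned long bp,
 const struct stacktrace_ops *ops, void *data,
 unsigned long *end, int *graph)
@@ -129,7 +128,7 @@ print_context_stack_bp(struct thread_info *tinfo,
 struct stack_frame *frame = (struct stack_frame *)bp;
 unsigned long *ret_addr = &frame->return_address;
 
- while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
+ while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
 unsigned long addr = *ret_addr;
 
 if (!__kernel_text_address(addr))
@@ -138,7 +137,7 @@ print_context_stack_bp(struct thread_info *tinfo,
 ops->address(data, addr, 1);
 frame = frame->next_frame;
 ret_addr = &frame->return_address;
- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
+ print_ftrace_graph_addr(addr, data, ops, task, graph);
 }
 
 return (unsigned long)frame;
@@ -226,6 +225,8 @@ unsigned long oops_begin(void)
 EXPORT_SYMBOL_GPL(oops_begin);
 NOKPROBE_SYMBOL(oops_begin);
 
+extern void gr_handle_kernel_exploit(void);
+
 void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
 {
 if (regs && kexec_should_crash(current))
@@ -247,7 +248,10 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
 panic("Fatal exception in interrupt");
 if (panic_on_oops)
 panic("Fatal exception");
- do_exit(signr);
+
+ gr_handle_kernel_exploit();
+
+ do_group_exit(signr);
 }
 NOKPROBE_SYMBOL(oops_end);
 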
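Review bot: `extern void gr_handle_kernel_exploit(void);` is declared inside dumpstack.c, directly above `oops_end`, rather than in a shared header, so the compiler cannot check the prototype against the definition (which is not visible here). In the same function, replacing `do_exit(signr)` with `do_group_exit(signr)` widens the effect of an oops from the faulting thread to its whole thread group. That is a policy decision worth a comment at the call site, e.g. `/* take down every thread of the offending process, not only the one that oopsed */`. A short note on what `gr_handle_kernel_exploit()` is expected to do before the exit would help too; the middle of `oops_end` lies between the two hunks and is not shown.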
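--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -61,15 +61,14 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
 bp = stack_frame(task, regs);
 
 for (;;) {
- struct thread_info *context;
+ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
 void *end_stack;
 
 end_stack = is_hardirq_stack(stack, cpu);
 if (!end_stack)
 end_stack = is_softirq_stack(stack, cpu);
 
- context = task_thread_info(task);
- bp = ops->walk_stack(context, stack, bp, ops, data,
+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data,
 end_stack, &graph);
 
 /* Stop if not on irq stack */
@@ -137,16 +136,17 @@ void show_regs(struct pt_regs *regs)
 unsigned int code_len = code_bytes;
 unsigned char c;
 u8 *ip;
+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]);
 
 pr_emerg("Stack:\n");
 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
 
 pr_emerg("Code:");
 
- ip = (u8 *)regs->ip - code_prologue;
+ ip = (u8 *)regs->ip - code_prologue + cs_base;
 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
 /* try starting at IP */
- ip = (u8 *)regs->ip;
+ ip = (u8 *)regs->ip + cs_base;
 code_len = code_len - code_prologue + 1;
 }
 for (i = 0; i < code_len; i++, ip++) {
@@ -155,7 +155,7 @@ void show_regs(struct pt_regs *regs)
 pr_cont(" Bad EIP value.");
 break;
 }
- if (ip == (u8 *)regs->ip)
+ if (ip == (u8 *)regs->ip + cs_base)
 pr_cont(" <%02x>", c);
 else
 pr_cont(" %02x", c);
@@ -168,6 +168,7 @@ int is_valid_bugaddr(unsigned long ip)
 {
 unsigned short ud2;
 
+ ip = ktla_ktva(ip);
 if (ip < PAGE_OFFSET)
 return 0;
 if (probe_kernel_address((unsigned short *)ip, ud2))
@@ -175,3 +176,15 @@ int is_valid_bugaddr(unsigned long ip)
 
 return ud2 == 0x0b0f;
 }
+
+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
+void __used pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_left;
+
+ /* all kernel stacks are of the same size */
+ stack_left = sp & (THREAD_SIZE - 1);
+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
+}
+EXPORT_SYMBOL(pax_check_alloca);
+#endif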
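Review bot: In `show_regs`, `get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]` indexes the GDT with a selector taken from the saved register frame without bounding it, on a path that runs precisely when kernel state may already be damaged. An index of `GDT_ENTRIES` or more reads past the table before `get_desc_base()` is applied, so the crash reporter can itself fault or print a bogus code window. Bounding the index first avoids that: `unsigned int idx = (regs->cs & 0xffff) >> 3;` followed by `cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(0)[idx]) : 0;`. The lookup also hard-codes CPU 0's table; whether that is always equivalent to the current CPU's depends on code outside this hunk. In `pax_check_alloca` the literal `256` appears twice and would read better as a named constant with a comment on what the reserve is for.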
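--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -153,12 +153,12 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
 const struct stacktrace_ops *ops, void *data)
 {
 const unsigned cpu = get_cpu();
- struct thread_info *tinfo;
 unsigned long *irq_stack = (unsigned long *)per_cpu(irq_stack_ptr, cpu);
 unsigned long dummy;
 unsigned used = 0;
 int graph = 0;
 int done = 0;
+ void *stack_start;
 
 if (!task)
 task = current;
@@ -179,7 +179,6 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
 * current stack address. If the stacks consist of nested
 * exceptions
 */
- tinfo = task_thread_info(task);
 while (!done) {
 unsigned long *stack_end;
 enum stack_type stype;
@@ -202,7 +201,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
 if (ops->stack(data, id) < 0)
 break;
 
- bp = ops->walk_stack(tinfo, stack, bp, ops,
+ bp = ops->walk_stack(task, stack_end - EXCEPTION_STKSZ, stack, bp, ops,
 data, stack_end, &graph);
 ops->stack(data, "<EOE>");
 /*
@@ -210,6 +209,8 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
 * second-to-last pointer (index -2 to end) in the
 * exception stack:
 */
+ if ((u16)stack_end[-1] != __KERNEL_DS)
+ goto out;
 stack = (unsigned long *) stack_end[-2];
 done = 0;
 break;
@@ -218,7 +219,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
 
 if (ops->stack(data, "IRQ") < 0)
 break;
- bp = ops->walk_stack(tinfo, stack, bp,
+ bp = ops->walk_stack(task, irq_stack, stack, bp,
 ops, data, stack_end, &graph);
 /*
 * We link to the next stack (which would be
@@ -240,7 +241,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
 /*
 * This handles the process stack:
 */
- bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
+ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
+out:
 put_cpu();
 }
 EXPORT_SYMBOL(dump_trace);
@@ -347,8 +350,55 @@ int is_valid_bugaddr(unsigned long ip)
 {
 unsigned short ud2;
 
- if (__copy_from_user(&ud2, (const void __user *) ip, sizeof(ud2)))
+ if (probe_kernel_address((unsigned short *)ip, ud2))
 return 0;
 
 return ud2 == 0x0b0f;
 }
+
+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
+void __used pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
+ unsigned cpu, used;
+ char *id;
+
+ /* check the process stack first */
+ stack_start = (unsigned long)task_stack_page(current);
+ stack_end = stack_start + THREAD_SIZE;
+ if (likely(stack_start <= sp && sp < stack_end)) {
+ unsigned long stack_left = sp & (THREAD_SIZE - 1);
+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
+ return;
+ }
+
+ cpu = get_cpu();
+
+ /* check the irq stacks */
+ stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu);
+ stack_start = stack_end - IRQ_STACK_SIZE;
+ if (stack_start <= sp && sp < stack_end) {
+ unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1);
+ put_cpu();
+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
+ return;
+ }
+
+ /* check the exception stacks */
+ used = 0;
+ stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id);
+ stack_start = stack_end - EXCEPTION_STKSZ;
+ if (stack_end && stack_start <= sp && sp < stack_end) {
+ unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1);
+ put_cpu();
+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
+ return;
+ }
+
+ put_cpu();
+
+ /* unknown stack */
+ BUG();
+}
+EXPORT_SYMBOL(pax_check_alloca);
+#endif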
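Review bot: In `dump_trace`, `stack_end - EXCEPTION_STKSZ` is pointer arithmetic on `unsigned long *stack_end`, so it steps back `EXCEPTION_STKSZ * sizeof(unsigned long)` bytes instead of `EXCEPTION_STKSZ` bytes. The `stack_start` handed to `ops->walk_stack` therefore lies far below the exception stack. The visible part of `valid_stack_ptr` in dumpstack.c consults only `end` when it is non-NULL, so this is probably latent today, but any walker that trusts `stack_start` as a lower bound would accept addresses outside the stack. Converting before subtracting fixes it: `(void *)stack_end - EXCEPTION_STKSZ`. Separately, the new `pax_check_alloca` derives `stack_left` with `sp & (IRQ_STACK_SIZE - 1)` and `sp & (EXCEPTION_STKSZ - 1)`, which assumes those stacks are aligned to their own size; `sp - stack_start` uses the bounds already computed and needs no such assumption.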
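--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
@@ -803,8 +803,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void)
 
 static void early_panic(char *msg)
 {
- early_printk(msg);
- panic(msg);
+ early_printk("%s", msg);
+ panic("%s", msg);
 }
 
 static int userdef __initdata;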
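--- a/arch/x86/kernel/early_printk.c
+++ b/arch/x86/kernel/early_printk.c
@@ -7,6 +7,7 @@
 #include <linux/pci_regs.h>
 #include <linux/pci_ids.h>
 #include <linux/errno.h>
+#include <linux/sched.h>
 #include <asm/io.h>
 #include <asm/processor.h>
 #include <asm/fcntl.h>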
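--- a/arch/x86/kernel/espfix_64.c
+++ b/arch/x86/kernel/espfix_64.c
@@ -41,6 +41,7 @@
 #include <asm/pgalloc.h>
 #include <asm/setup.h>
 #include <asm/espfix.h>
+#include <asm/bug.h>
 
 /*
 * Note: we only need 6*8 = 48 bytes for the espfix stack, but round
@@ -70,8 +71,10 @@ static DEFINE_MUTEX(espfix_init_mutex);
 #define ESPFIX_MAX_PAGES DIV_ROUND_UP(CONFIG_NR_CPUS, ESPFIX_STACKS_PER_PAGE)
 static void *espfix_pages[ESPFIX_MAX_PAGES];
 
-static __page_aligned_bss pud_t espfix_pud_page[PTRS_PER_PUD]
- __aligned(PAGE_SIZE);
+static __page_aligned_rodata pud_t espfix_pud_page[PTRS_PER_PUD];
+static __page_aligned_rodata pmd_t espfix_pmd_page[PTRS_PER_PMD];
+static __page_aligned_rodata pte_t espfix_pte_page[PTRS_PER_PTE];
+static __page_aligned_rodata char espfix_stack_page[ESPFIX_MAX_PAGES][PAGE_SIZE];
 
 static unsigned int page_random, slot_random;
 
@@ -122,10 +125,19 @@ static void init_espfix_random(void)
 void __init init_espfix_bsp(void)
 {
 pgd_t *pgd_p;
+ pud_t *pud_p;
+ unsigned long index = pgd_index(ESPFIX_BASE_ADDR);
 
 /* Install the espfix pud into the kernel page directory */
- pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)];
- pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page);
+ pgd_p = &init_level4_pgt[index];
+ pud_p = espfix_pud_page;
+ paravirt_alloc_pud(&init_mm, __pa(pud_p) >> PAGE_SHIFT);
+ set_pgd(pgd_p, __pgd(PGTABLE_PROT | __pa(pud_p)));
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ clone_pgd_range(get_cpu_pgd(0, kernel) + index, swapper_pg_dir + index, 1);
+ clone_pgd_range(get_cpu_pgd(0, user) + index, swapper_pg_dir + index, 1);
+#endif
 
 /* Randomize the locations */
 init_espfix_random();
@@ -170,35 +182,39 @@ void init_espfix_ap(int cpu)
 pud_p = &espfix_pud_page[pud_index(addr)];
 pud = *pud_p;
 if (!pud_present(pud)) {
- struct page *page = alloc_pages_node(node, PGALLOC_GFP, 0);
-
- pmd_p = (pmd_t *)page_address(page);
+ if (cpu)
+ pmd_p = page_address(alloc_pages_node(node, PGALLOC_GFP, 0));
+ else
+ pmd_p = espfix_pmd_page;
 pud = __pud(__pa(pmd_p) | (PGTABLE_PROT & ptemask));
 paravirt_alloc_pmd(&init_mm, __pa(pmd_p) >> PAGE_SHIFT);
 for (n = 0; n < ESPFIX_PUD_CLONES; n++)
 set_pud(&pud_p[n], pud);
- }
+ } else
+ BUG_ON(!cpu);
 
 pmd_p = pmd_offset(&pud, addr);
 pmd = *pmd_p;
 if (!pmd_present(pmd)) {
- struct page *page = alloc_pages_node(node, PGALLOC_GFP, 0);
-
- pte_p = (pte_t *)page_address(page);
+ if (cpu)
+ pte_p = page_address(alloc_pages_node(node, PGALLOC_GFP, 0));
+ else
+ pte_p = espfix_pte_page;
 pmd = __pmd(__pa(pte_p) | (PGTABLE_PROT & ptemask));
 paravirt_alloc_pte(&init_mm, __pa(pte_p) >> PAGE_SHIFT);
 for (n = 0; n < ESPFIX_PMD_CLONES; n++)
 set_pmd(&pmd_p[n], pmd);
- }
+ } else
+ BUG_ON(!cpu);
 
 pte_p = pte_offset_kernel(&pmd, addr);
- stack_page = page_address(alloc_pages_node(node, GFP_KERNEL, 0));
+ stack_page = espfix_stack_page[page];
 pte = __pte(__pa(stack_page) | (__PAGE_KERNEL_RO & ptemask));
 for (n = 0; n < ESPFIX_PTE_CLONES; n++)
 set_pte(&pte_p[n*PTE_STRIDE], pte);
 
 /* Job is done for this CPU and any CPU which shares this page */
- ACCESS_ONCE(espfix_pages[page]) = stack_page;
+ ACCESS_ONCE_RW(espfix_pages[page]) = stack_page;
 
 unlock_done:
 mutex_unlock(&espfix_init_mutex);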
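Review bot: In `init_espfix_ap`, both secondary-CPU branches call `page_address(alloc_pages_node(node, PGALLOC_GFP, 0))` with no check that the allocation succeeded, so a failed allocation flows straight into `__pa()` and from there into a live page-table entry. Keeping the local `struct page *page` and failing loudly before the conversion (`BUG_ON(!page);` then `pmd_p = page_address(page);`, likewise for `pte_p`) makes the failure mode explicit instead of leaving a bogus mapping behind. The `} else` followed by an unbraced `BUG_ON(!cpu);` also mixes braced and unbraced arms, which kernel style avoids. A one-line comment on why an already-present entry is only legal for non-boot CPUs would help the next reader. The function begins and ends outside the hunk.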
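--- a/arch/x86/kernel/fpu/core.c
+++ b/arch/x86/kernel/fpu/core.c
@@ -127,7 +127,7 @@ void __kernel_fpu_end(void)
 struct fpu *fpu = &current->thread.fpu;
 
 if (fpu->fpregs_active)
- copy_kernel_to_fpregs(&fpu->state);
+ copy_kernel_to_fpregs(fpu->state);
 else
 __fpregs_deactivate_hw();
 
@@ -238,7 +238,7 @@ static void fpu_copy(struct fpu *dst_fpu, struct fpu *src_fpu)
 * leak into the child task:
 */
 if (use_eager_fpu())
- memset(&dst_fpu->state.xsave, 0, xstate_size);
+ memset(&dst_fpu->state->xsave, 0, xstate_size);
 
 /*
 * Save current FPU registers directly into the child
@@ -285,7 +285,7 @@ void fpu__activate_curr(struct fpu *fpu)
 WARN_ON_FPU(fpu != &current->thread.fpu);
 
 if (!fpu->fpstate_active) {
- fpstate_init(&fpu->state);
+ fpstate_init(fpu->state);
 
 /* Safe to do for the current task: */
 fpu->fpstate_active = 1;
@@ -311,7 +311,7 @@ void fpu__activate_fpstate_read(struct fpu *fpu)
 fpu__save(fpu);
 } else {
 if (!fpu->fpstate_active) {
- fpstate_init(&fpu->state);
+ fpstate_init(fpu->state);
 
 /* Safe to do for current and for stopped child tasks: */
 fpu->fpstate_active = 1;
@@ -344,7 +344,7 @@ void fpu__activate_fpstate_write(struct fpu *fpu)
 /* Invalidate any lazy state: */
 fpu->last_cpu = -1;
 } else {
- fpstate_init(&fpu->state);
+ fpstate_init(fpu->state);
 
 /* Safe to do for stopped child tasks: */
 fpu->fpstate_active = 1;
@@ -368,7 +368,7 @@ void fpu__restore(struct fpu *fpu)
 /* Avoid __kernel_fpu_begin() right after fpregs_activate() */
 kernel_fpu_disable();
 fpregs_activate(fpu);
- copy_kernel_to_fpregs(&fpu->state);
+ copy_kernel_to_fpregs(fpu->state);
 fpu->counter++;
 kernel_fpu_enable();
 }
@@ -442,25 +442,25 @@ void fpu__clear(struct fpu *fpu)
 static inline unsigned short get_fpu_cwd(struct fpu *fpu)
 {
 if (cpu_has_fxsr) {
- return fpu->state.fxsave.cwd;
+ return fpu->state->fxsave.cwd;
 } else {
- return (unsigned short)fpu->state.fsave.cwd;
+ return (unsigned short)fpu->state->fsave.cwd;
 }
 }
 
 static inline unsigned short get_fpu_swd(struct fpu *fpu)
 {
 if (cpu_has_fxsr) {
- return fpu->state.fxsave.swd;
+ return fpu->state->fxsave.swd;
 } else {
- return (unsigned short)fpu->state.fsave.swd;
+ return (unsigned short)fpu->state->fsave.swd;
 }
 }
 
 static inline unsigned short get_fpu_mxcsr(struct fpu *fpu)
 {
 if (cpu_has_xmm) {
- return fpu->state.fxsave.mxcsr;
+ return fpu->state->fxsave.mxcsr;
 } else {
 return MXCSR_DEFAULT;
 }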
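--- a/arch/x86/kernel/fpu/init.c
+++ b/arch/x86/kernel/fpu/init.c
@@ -42,7 +42,7 @@ static void fpu__init_cpu_generic(void)
 /* Flush out any pending x87 state: */
 #ifdef CONFIG_MATH_EMULATION
 if (!cpu_has_fpu)
- fpstate_init_soft(&current->thread.fpu.state.soft);
+ fpstate_init_soft(&current->thread.fpu.state->soft);
 else
 #endif
 asm volatile ("fninit");
@@ -147,12 +147,14 @@ EXPORT_SYMBOL_GPL(xstate_size);
 #define CHECK_MEMBER_AT_END_OF(TYPE, MEMBER) \
 BUILD_BUG_ON(sizeof(TYPE) != offsetofend(TYPE, MEMBER))
 
+union fpregs_state init_fpregs_state;
+
 /*
 * We append the 'struct fpu' to the task_struct:
 */
 static void __init fpu__init_task_struct_size(void)
 {
- int task_size = sizeof(struct task_struct);
+ size_t task_size = sizeof(struct task_struct);
 
 /*
 * Subtract off the static size of the register state.
@@ -168,16 +170,12 @@ static void __init fpu__init_task_struct_size(void)
 
 /*
 * We dynamically size 'struct fpu', so we require that
- * it be at the end of 'thread_struct' and that
- * 'thread_struct' be at the end of 'task_struct'. If
+ * it be at the end of 'thread_struct'. If
 * you hit a compile error here, check the structure to
 * see if something got added to the end.
 */
 CHECK_MEMBER_AT_END_OF(struct fpu, state);
 CHECK_MEMBER_AT_END_OF(struct thread_struct, fpu);
- CHECK_MEMBER_AT_END_OF(struct task_struct, thread);
-
- arch_task_struct_size = task_size;
 }
 
 /*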
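Review bot: `fpu__init_task_struct_size` still declares and (between the hunks, not shown) adjusts `task_size`, but with `arch_task_struct_size = task_size;` removed nothing visible consumes the value, so the remaining arithmetic looks like dead code. The header comment `We append the 'struct fpu' to the task_struct:` is also stale now that every access in this patch goes through `fpu->state->…`, i.e. the register state is reached by pointer rather than embedded. The new global `init_fpregs_state` is added without `static` and without a comment; a line saying which task's state it backs and where it is assigned would make the ownership clear.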
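--- a/arch/x86/kernel/fpu/regset.c
+++ b/arch/x86/kernel/fpu/regset.c
@@ -37,7 +37,7 @@ int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
 fpstate_sanitize_xstate(fpu);
 
 return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
- &fpu->state.fxsave, 0, -1);
+ &fpu->state->fxsave, 0, -1);
 }
 
 int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
@@ -54,19 +54,19 @@ int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
 fpstate_sanitize_xstate(fpu);
 
 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- &fpu->state.fxsave, 0, -1);
+ &fpu->state->fxsave, 0, -1);
 
 /*
 * mxcsr reserved bits must be masked to zero for security reasons.
 */
- fpu->state.fxsave.mxcsr &= mxcsr_feature_mask;
+ fpu->state->fxsave.mxcsr &= mxcsr_feature_mask;
 
 /*
 * update the header bits in the xsave header, indicating the
 * presence of FP and SSE state.
 */
 if (cpu_has_xsave)
- fpu->state.xsave.header.xfeatures |= XSTATE_FPSSE;
+ fpu->state->xsave.header.xfeatures |= XSTATE_FPSSE;
 
 return ret;
 }
@@ -84,7 +84,7 @@ int xstateregs_get(struct task_struct *target, const struct user_regset *regset,
 
 fpu__activate_fpstate_read(fpu);
 
- xsave = &fpu->state.xsave;
+ xsave = &fpu->state->xsave;
 
 /*
 * Copy the 48bytes defined by the software first into the xstate
@@ -113,7 +113,7 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
 
 fpu__activate_fpstate_write(fpu);
 
- xsave = &fpu->state.xsave;
+ xsave = &fpu->state->xsave;
 
 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
 /*
@@ -204,7 +204,7 @@ static inline u32 twd_fxsr_to_i387(struct fxregs_state *fxsave)
 void
 convert_from_fxsr(struct user_i387_ia32_struct *env, struct task_struct *tsk)
 {
- struct fxregs_state *fxsave = &tsk->thread.fpu.state.fxsave;
+ struct fxregs_state *fxsave = &tsk->thread.fpu.state->fxsave;
 struct _fpreg *to = (struct _fpreg *) &env->st_space[0];
 struct _fpxreg *from = (struct _fpxreg *) &fxsave->st_space[0];
 int i;
@@ -242,7 +242,7 @@ void convert_to_fxsr(struct task_struct *tsk,
 const struct user_i387_ia32_struct *env)
 
 {
- struct fxregs_state *fxsave = &tsk->thread.fpu.state.fxsave;
+ struct fxregs_state *fxsave = &tsk->thread.fpu.state->fxsave;
 struct _fpreg *from = (struct _fpreg *) &env->st_space[0];
 struct _fpxreg *to = (struct _fpxreg *) &fxsave->st_space[0];
 int i;
@@ -280,7 +280,7 @@ int fpregs_get(struct task_struct *target, const struct user_regset *regset,
 
 if (!cpu_has_fxsr)
 return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
- &fpu->state.fsave, 0,
+ &fpu->state->fsave, 0,
 -1);
 
 fpstate_sanitize_xstate(fpu);
@@ -311,7 +311,7 @@ int fpregs_set(struct task_struct *target, const struct user_regset *regset,
 
 if (!cpu_has_fxsr)
 return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- &fpu->state.fsave, 0,
+ &fpu->state->fsave, 0,
 -1);
 
 if (pos > 0 || count < sizeof(env))
@@ -326,7 +326,7 @@ int fpregs_set(struct task_struct *target, const struct user_regset *regset,
 * presence of FP.
 */
 if (cpu_has_xsave)
- fpu->state.xsave.header.xfeatures |= XSTATE_FP;
+ fpu->state->xsave.header.xfeatures |= XSTATE_FP;
 return ret;
 }
 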
25275diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
25276index 50ec9af..bb871ca 100644
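--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -54,7 +54,7 @@ static inline int check_for_xstate(struct fxregs_state __user *buf,
 static inline int save_fsave_header(struct task_struct *tsk, void __user *buf)
 {
 if (use_fxsr()) {
- struct xregs_state *xsave = &tsk->thread.fpu.state.xsave;
+ struct xregs_state *xsave = &tsk->thread.fpu.state->xsave;
 struct user_i387_ia32_struct env;
 struct _fpstate_ia32 __user *fp = buf;
 
@@ -83,18 +83,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
 
 /* Setup the bytes not touched by the [f]xsave and reserved for SW. */
 sw_bytes = ia32_frame ? &fx_sw_reserved_ia32 : &fx_sw_reserved;
- err = __copy_to_user(&x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes));
+ err = __copy_to_user(x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes));
 
 if (!use_xsave())
 return err;
 
- err |= __put_user(FP_XSTATE_MAGIC2, (__u32 *)(buf + xstate_size));
+ err |= __put_user(FP_XSTATE_MAGIC2, (__u32 __user *)(buf + xstate_size));
 
 /*
 * Read the xfeatures which we copied (directly from the cpu or
 * from the state in task struct) to the user buffers.
 */
- err |= __get_user(xfeatures, (__u32 *)&x->header.xfeatures);
+ err |= __get_user(xfeatures, (__u32 __user *)&x->header.xfeatures);
 
 /*
 * For legacy compatible, we always set FP/SSE bits in the bit
@@ -109,7 +109,7 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
 */
 xfeatures |= XSTATE_FPSSE;
 
- err |= __put_user(xfeatures, (__u32 *)&x->header.xfeatures);
+ err |= __put_user(xfeatures, (__u32 __user *)&x->header.xfeatures);
 
 return err;
 }
@@ -118,6 +118,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf)
 {
 int err;
 
+ buf = (struct xregs_state __user *)____m(buf);
 if (use_xsave())
 err = copy_xregs_to_user(buf);
 else if (use_fxsr())
@@ -152,7 +153,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf)
 */
 int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
 {
- struct xregs_state *xsave = &current->thread.fpu.state.xsave;
+ struct xregs_state *xsave = &current->thread.fpu.state->xsave;
 struct task_struct *tsk = current;
 int ia32_fxstate = (buf != buf_fx);
 
@@ -195,7 +196,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
 struct user_i387_ia32_struct *ia32_env,
 u64 xfeatures, int fx_only)
 {
- struct xregs_state *xsave = &tsk->thread.fpu.state.xsave;
+ struct xregs_state *xsave = &tsk->thread.fpu.state->xsave;
 struct xstate_header *header = &xsave->header;
 
 if (use_xsave()) {
@@ -228,6 +229,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
 */
 static inline int copy_user_to_fpregs_zeroing(void __user *buf, u64 xbv, int fx_only)
 {
+ buf = (void __user *)____m(buf);
 if (use_xsave()) {
 if ((unsigned long)buf % 64 || fx_only) {
 u64 init_bv = xfeatures_mask & ~XSTATE_FPSSE;
@@ -308,9 +310,9 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
 */
 fpu__drop(fpu);
 
- if (__copy_from_user(&fpu->state.xsave, buf_fx, state_size) ||
+ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) ||
 __copy_from_user(&env, buf, sizeof(env))) {
- fpstate_init(&fpu->state);
+ fpstate_init(fpu->state);
 err = -1;
 } else {
 sanitize_restored_xstate(tsk, &env, xfeatures, fx_only);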
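Review bot: In copy_user_to_fpregs_zeroing() the new `buf = (void __user *)____m(buf);` runs before the `(unsigned long)buf % 64` test, so the alignment check is now made on the translated address rather than on the pointer the caller supplied. That is equivalent only if `____m()` preserves 64-byte alignment; its definition is not in this section, so this is an assumption to confirm. The same reassignment in copy_fpregs_to_sigframe() carries no comment either. I would add one at both sites, e.g. `/* ____m(): translate the user pointer for direct XSAVE/XRSTOR access; must preserve 64-byte alignment */`. Both function bodies continue outside their hunks.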
25365diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
25366index 62fc001..5ce38be 100644
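--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -93,14 +93,14 @@ EXPORT_SYMBOL_GPL(cpu_has_xfeatures);
 */
 void fpstate_sanitize_xstate(struct fpu *fpu)
 {
- struct fxregs_state *fx = &fpu->state.fxsave;
+ struct fxregs_state *fx = &fpu->state->fxsave;
 int feature_bit;
 u64 xfeatures;
 
 if (!use_xsaveopt())
 return;
 
- xfeatures = fpu->state.xsave.header.xfeatures;
+ xfeatures = fpu->state->xsave.header.xfeatures;
 
 /*
 * None of the feature bits are in init state. So nothing else
@@ -402,7 +402,7 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature)
 if (!boot_cpu_has(X86_FEATURE_XSAVE))
 return NULL;
 
- xsave = &current->thread.fpu.state.xsave;
+ xsave = &current->thread.fpu.state->xsave;
 /*
 * We should not ever be requesting features that we
 * have not enabled. Remember that pcntxt_mask is
@@ -457,5 +457,5 @@ const void *get_xsave_field_ptr(int xsave_state)
 */
 fpu__save(fpu);
 
- return get_xsave_addr(&fpu->state.xsave, xsave_state);
+ return get_xsave_addr(&fpu->state->xsave, xsave_state);
 }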
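Review bot: The changed line in get_xsave_addr(), `xsave = &current->thread.fpu.state->xsave;`, assigns to the function's own `xsave` parameter, so the buffer the caller passed is discarded and the lookup always runs on current's state. get_xsave_field_ptr() in the last hunk passes `&fpu->state->xsave`, which gives the intended result only when `fpu` belongs to current. If that is the contract it should be written down, e.g. `/* only valid for current: the xsave argument is overridden below */`; otherwise the assignment should be dropped. The body of get_xsave_addr() continues outside the hunk, so the rest of the lookup is not visible here.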
25402diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
25403index 8b7b0a5..02219db 100644
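--- a/arch/x86/kernel/ftrace.c
+++ b/arch/x86/kernel/ftrace.c
@@ -89,7 +89,7 @@ static unsigned long text_ip_addr(unsigned long ip)
 * kernel identity mapping to modify code.
 */
 if (within(ip, (unsigned long)_text, (unsigned long)_etext))
- ip = (unsigned long)__va(__pa_symbol(ip));
+ ip = (unsigned long)__va(__pa_symbol(ktla_ktva(ip)));
 
 return ip;
 }
@@ -105,6 +105,8 @@ ftrace_modify_code_direct(unsigned long ip, unsigned const char *old_code,
 {
 unsigned char replaced[MCOUNT_INSN_SIZE];
 
+ ip = ktla_ktva(ip);
+
 /*
 * Note: Due to modules and __init, code can
 * disappear and change, we need to protect against faulting
@@ -230,7 +232,7 @@ static int update_ftrace_func(unsigned long ip, void *new)
 unsigned char old[MCOUNT_INSN_SIZE];
 int ret;
 
- memcpy(old, (void *)ip, MCOUNT_INSN_SIZE);
+ memcpy(old, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE);
 
 ftrace_update_func = ip;
 /* Make sure the breakpoints see the ftrace_update_func update */
@@ -311,7 +313,7 @@ static int add_break(unsigned long ip, const char *old)
 unsigned char replaced[MCOUNT_INSN_SIZE];
 unsigned char brk = BREAKPOINT_INSTRUCTION;
 
- if (probe_kernel_read(replaced, (void *)ip, MCOUNT_INSN_SIZE))
+ if (probe_kernel_read(replaced, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE))
 return -EFAULT;
 
 /* Make sure it is what we expect it to be */
@@ -670,11 +672,11 @@ static unsigned char *ftrace_jmp_replace(unsigned long ip, unsigned long addr)
 /* Module allocation simplifies allocating memory for code */
 static inline void *alloc_tramp(unsigned long size)
 {
- return module_alloc(size);
+ return module_alloc_exec(size);
 }
 static inline void tramp_free(void *tramp)
 {
- module_memfree(tramp);
+ module_memfree_exec(tramp);
 }
 #else
 /* Trampolines can only be created if modules are supported */
@@ -753,7 +755,9 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
 *tramp_size = size + MCOUNT_INSN_SIZE + sizeof(void *);
 
 /* Copy ftrace_caller onto the trampoline memory */
+ pax_open_kernel();
 ret = probe_kernel_read(trampoline, (void *)start_offset, size);
+ pax_close_kernel();
 if (WARN_ON(ret < 0)) {
 tramp_free(trampoline);
 return 0;
@@ -763,6 +767,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
 
 /* The trampoline ends with a jmp to ftrace_return */
 jmp = ftrace_jmp_replace(ip, (unsigned long)ftrace_return);
+ pax_open_kernel();
 memcpy(trampoline + size, jmp, MCOUNT_INSN_SIZE);
 
 /*
@@ -775,6 +780,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
 
 ptr = (unsigned long *)(trampoline + size + MCOUNT_INSN_SIZE);
 *ptr = (unsigned long)ops;
+ pax_close_kernel();
 
 op_offset -= start_offset;
 memcpy(&op_ptr, trampoline + op_offset, OP_REF_SIZE);
@@ -792,7 +798,9 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
 op_ptr.offset = offset;
 
 /* put in the new offset to the ftrace_ops */
+ pax_open_kernel();
 memcpy(trampoline + op_offset, &op_ptr, OP_REF_SIZE);
+ pax_close_kernel();
 
 /* ALLOC_TRAMP flags lets us know we created it */
 ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP;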
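Review bot: In create_trampoline() the `pax_open_kernel()` added before `memcpy(trampoline + size, jmp, MCOUNT_INSN_SIZE)` is closed only by the `pax_close_kernel()` added after `*ptr = (unsigned long)ops;`, one hunk later, so the write window spans lines that are not shown. If any `return` or `goto` sits between the two, the kernel would presumably be left with write protection relaxed; the intervening lines are outside the hunks, so this needs checking against the full function. The other two windows in this function wrap a single copy each, and I would do the same here with two short open/close pairs. Failing that, mark the pairing with a comment such as `/* closed after the ops pointer store below */`.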
25492diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
25493index f129a9a..af8f6da 100644
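--- a/arch/x86/kernel/head64.c
+++ b/arch/x86/kernel/head64.c
@@ -68,12 +68,12 @@ again:
 pgd = *pgd_p;
 
 /*
- * The use of __START_KERNEL_map rather than __PAGE_OFFSET here is
- * critical -- __PAGE_OFFSET would point us back into the dynamic
+ * The use of __early_va rather than __va here is critical:
+ * __va would point us back into the dynamic
 * range and we might end up looping forever...
 */
 if (pgd)
- pud_p = (pudval_t *)((pgd & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
+ pud_p = (pudval_t *)(__early_va(pgd & PTE_PFN_MASK));
 else {
 if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
 reset_early_page_tables();
@@ -83,13 +83,13 @@ again:
 pud_p = (pudval_t *)early_dynamic_pgts[next_early_pgt++];
 for (i = 0; i < PTRS_PER_PUD; i++)
 pud_p[i] = 0;
- *pgd_p = (pgdval_t)pud_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
+ *pgd_p = (pgdval_t)__pa(pud_p) + _KERNPG_TABLE;
 }
 pud_p += pud_index(address);
 pud = *pud_p;
 
 if (pud)
- pmd_p = (pmdval_t *)((pud & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
+ pmd_p = (pmdval_t *)(__early_va(pud & PTE_PFN_MASK));
 else {
 if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
 reset_early_page_tables();
@@ -99,7 +99,7 @@ again:
 pmd_p = (pmdval_t *)early_dynamic_pgts[next_early_pgt++];
 for (i = 0; i < PTRS_PER_PMD; i++)
 pmd_p[i] = 0;
- *pud_p = (pudval_t)pmd_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
+ *pud_p = (pudval_t)__pa(pmd_p) + _KERNPG_TABLE;
 }
 pmd = (physaddr & PMD_MASK) + early_pmd_flags;
 pmd_p[pmd_index(address)] = pmd;
@@ -163,8 +163,6 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data)
 
 clear_bss();
 
- clear_page(init_level4_pgt);
-
 kasan_early_init();
 
 for (i = 0; i < NUM_EXCEPTION_VECTORS; i++)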
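Review bot: The last hunk drops `clear_page(init_level4_pgt);` from x86_64_start_kernel() without saying why. The head_64.S part of this patch gives init_level4_pgt assembled-in entries and places it under `.section .rodata`, so clearing it at this point would presumably wipe those entries or fault on a read-only page. That cross-file dependency deserves a comment where the call used to be, e.g. `/* init_level4_pgt is populated statically in head_64.S; it must not be cleared here */`. x86_64_start_kernel() continues outside the hunk.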
25546diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
25547index 0e2d96f..5889003 100644
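--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -27,6 +27,12 @@
 /* Physical address */
 #define pa(X) ((X) - __PAGE_OFFSET)
 
+#ifdef CONFIG_PAX_KERNEXEC
+#define ta(X) (X)
+#else
+#define ta(X) ((X) - __PAGE_OFFSET)
+#endif
+
 /*
 * References to members of the new_cpu_data structure.
 */
@@ -56,11 +62,7 @@
 * and small than max_low_pfn, otherwise will waste some page table entries
 */
 
-#if PTRS_PER_PMD > 1
-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
-#else
-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
-#endif
+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
 
 /*
 * Number of possible pages in the lowmem region.
@@ -86,6 +88,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_PAGES) * PAGE_SIZE
 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
 
 /*
+ * Real beginning of normal "text" segment
+ */
+ENTRY(stext)
+ENTRY(_stext)
+
+/*
 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
 * %esi points to the real-mode code as a 32-bit pointer.
 * CS and DS must be 4 GB flat segments, but we don't depend on
@@ -93,6 +101,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
 * can.
 */
 __HEAD
+
+#ifdef CONFIG_PAX_KERNEXEC
+ jmp startup_32
+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
+.fill PAGE_SIZE-5,1,0xcc
+#endif
+
 ENTRY(startup_32)
 movl pa(stack_start),%ecx
 
@@ -114,6 +129,66 @@ ENTRY(startup_32)
 2:
 leal -__PAGE_OFFSET(%ecx),%esp
 
+#ifdef CONFIG_SMP
+ movl $pa(cpu_gdt_table),%edi
+ movl $__per_cpu_load,%eax
+ movw %ax,GDT_ENTRY_PERCPU * 8 + 2(%edi)
+ rorl $16,%eax
+ movb %al,GDT_ENTRY_PERCPU * 8 + 4(%edi)
+ movb %ah,GDT_ENTRY_PERCPU * 8 + 7(%edi)
+ movl $__per_cpu_end - 1,%eax
+ subl $__per_cpu_start,%eax
+ cmpl $0x100000,%eax
+ jb 1f
+ shrl $PAGE_SHIFT,%eax
+ orb $0x80,GDT_ENTRY_PERCPU * 8 + 6(%edi)
+1:
+ movw %ax,GDT_ENTRY_PERCPU * 8 + 0(%edi)
+ shrl $16,%eax
+ orb %al,GDT_ENTRY_PERCPU * 8 + 6(%edi)
+#endif
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ movl $NR_CPUS,%ecx
+ movl $pa(cpu_gdt_table),%edi
+1:
+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
+ addl $PAGE_SIZE_asm,%edi
+ loop 1b
+#endif
+
+#ifdef CONFIG_PAX_KERNEXEC
+ movl $pa(boot_gdt),%edi
+ movl $__LOAD_PHYSICAL_ADDR,%eax
+ movw %ax,GDT_ENTRY_BOOT_CS * 8 + 2(%edi)
+ rorl $16,%eax
+ movb %al,GDT_ENTRY_BOOT_CS * 8 + 4(%edi)
+ movb %ah,GDT_ENTRY_BOOT_CS * 8 + 7(%edi)
+ rorl $16,%eax
+
+ ljmp $(__BOOT_CS),$1f
+1:
+
+ movl $NR_CPUS,%ecx
+ movl $pa(cpu_gdt_table),%edi
+ addl $__PAGE_OFFSET,%eax
+1:
+ movb $0xc0,GDT_ENTRY_KERNEL_CS * 8 + 6(%edi)
+ movb $0xc0,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 6(%edi)
+ movw %ax,GDT_ENTRY_KERNEL_CS * 8 + 2(%edi)
+ movw %ax,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 2(%edi)
+ rorl $16,%eax
+ movb %al,GDT_ENTRY_KERNEL_CS * 8 + 4(%edi)
+ movb %al,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 4(%edi)
+ movb %ah,GDT_ENTRY_KERNEL_CS * 8 + 7(%edi)
+ movb %ah,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 7(%edi)
+ rorl $16,%eax
+ addl $PAGE_SIZE_asm,%edi
+ loop 1b
+#endif
+
 /*
 * Clear BSS first so that there are no surprises...
 */
@@ -209,8 +284,11 @@ ENTRY(startup_32)
 movl %eax, pa(max_pfn_mapped)
 
 /* Do early initialization of the fixmap area */
- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
- movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
+#ifdef CONFIG_COMPAT_VDSO
+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
+#else
+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
+#endif
 #else /* Not PAE */
 
 page_pde_offset = (__PAGE_OFFSET >> 20);
@@ -240,8 +318,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
 movl %eax, pa(max_pfn_mapped)
 
 /* Do early initialization of the fixmap area */
- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
- movl %eax,pa(initial_page_table+0xffc)
+#ifdef CONFIG_COMPAT_VDSO
+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
+#else
+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
+#endif
 #endif
 
 #ifdef CONFIG_PARAVIRT
@@ -255,9 +336,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
 cmpl $num_subarch_entries, %eax
 jae bad_subarch
 
- movl pa(subarch_entries)(,%eax,4), %eax
- subl $__PAGE_OFFSET, %eax
- jmp *%eax
+ jmp *pa(subarch_entries)(,%eax,4)
 
 bad_subarch:
 WEAK(lguest_entry)
@@ -269,10 +348,10 @@ WEAK(xen_entry)
 __INITDATA
 
 subarch_entries:
- .long default_entry /* normal x86/PC */
- .long lguest_entry /* lguest hypervisor */
- .long xen_entry /* Xen hypervisor */
- .long default_entry /* Moorestown MID */
+ .long ta(default_entry) /* normal x86/PC */
+ .long ta(lguest_entry) /* lguest hypervisor */
+ .long ta(xen_entry) /* Xen hypervisor */
+ .long ta(default_entry) /* Moorestown MID */
 num_subarch_entries = (. - subarch_entries) / 4
 .previous
 #else
@@ -362,6 +441,7 @@ default_entry:
 movl pa(mmu_cr4_features),%eax
 movl %eax,%cr4
 
+#ifdef CONFIG_X86_PAE
 testb $X86_CR4_PAE, %al # check if PAE is enabled
 jz enable_paging
 
@@ -390,6 +470,9 @@ default_entry:
 /* Make changes effective */
 wrmsr
 
+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
+#endif
+
 enable_paging:
 
 /*
@@ -457,14 +540,20 @@ is486:
 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
 movl %eax,%ss # after changing gdt.
 
- movl $(__USER_DS),%eax # DS/ES contains default USER segment
+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
 movl %eax,%ds
 movl %eax,%es
 
 movl $(__KERNEL_PERCPU), %eax
 movl %eax,%fs # set this cpu's percpu
 
+#ifdef CONFIG_CC_STACKPROTECTOR
 movl $(__KERNEL_STACK_CANARY),%eax
+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
+ movl $(__USER_DS),%eax
+#else
+ xorl %eax,%eax
+#endif
 movl %eax,%gs
 
 xorl %eax,%eax # Clear LDT
@@ -521,8 +610,11 @@ setup_once:
 * relocation. Manually set base address in stack canary
 * segment descriptor.
 */
- movl $gdt_page,%eax
+ movl $cpu_gdt_table,%eax
 movl $stack_canary,%ecx
+#ifdef CONFIG_SMP
+ addl $__per_cpu_load,%ecx
+#endif
 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
 shrl $16, %ecx
 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
@@ -559,7 +651,7 @@ early_idt_handler_common:
 cmpl $2,(%esp) # X86_TRAP_NMI
 je .Lis_nmi # Ignore NMI
 
- cmpl $2,%ss:early_recursion_flag
+ cmpl $1,%ss:early_recursion_flag
 je hlt_loop
 incl %ss:early_recursion_flag
 
@@ -597,8 +689,8 @@ early_idt_handler_common:
 pushl (20+6*4)(%esp) /* trapno */
 pushl $fault_msg
 call printk
-#endif
 call dump_stack
+#endif
 hlt_loop:
 hlt
 jmp hlt_loop
@@ -618,8 +710,11 @@ ENDPROC(early_idt_handler_common)
 /* This is the default interrupt "handler" :-) */
 ALIGN
 ignore_int:
- cld
 #ifdef CONFIG_PRINTK
+ cmpl $2,%ss:early_recursion_flag
+ je hlt_loop
+ incl %ss:early_recursion_flag
+ cld
 pushl %eax
 pushl %ecx
 pushl %edx
@@ -628,9 +723,6 @@ ignore_int:
 movl $(__KERNEL_DS),%eax
 movl %eax,%ds
 movl %eax,%es
- cmpl $2,early_recursion_flag
- je hlt_loop
- incl early_recursion_flag
 pushl 16(%esp)
 pushl 24(%esp)
 pushl 32(%esp)
@@ -664,29 +756,34 @@ ENTRY(setup_once_ref)
 /*
 * BSS section
 */
-__PAGE_ALIGNED_BSS
- .align PAGE_SIZE
 #ifdef CONFIG_X86_PAE
+.section .initial_pg_pmd,"a",@progbits
 initial_pg_pmd:
 .fill 1024*KPMDS,4,0
 #else
+.section .initial_page_table,"a",@progbits
 ENTRY(initial_page_table)
 .fill 1024,4,0
 #endif
+.section .initial_pg_fixmap,"a",@progbits
 initial_pg_fixmap:
 .fill 1024,4,0
+.section .empty_zero_page,"a",@progbits
 ENTRY(empty_zero_page)
 .fill 4096,1,0
+.section .swapper_pg_dir,"a",@progbits
 ENTRY(swapper_pg_dir)
+#ifdef CONFIG_X86_PAE
+ .fill 4,8,0
+#else
 .fill 1024,4,0
+#endif
 
 /*
 * This starts the data section.
 */
 #ifdef CONFIG_X86_PAE
-__PAGE_ALIGNED_DATA
- /* Page-aligned for the benefit of paravirt? */
- .align PAGE_SIZE
+.section .initial_page_table,"a",@progbits
 ENTRY(initial_page_table)
 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
 # if KPMDS == 3
@@ -705,12 +802,20 @@ ENTRY(initial_page_table)
 # error "Kernel PMDs should be 1, 2 or 3"
 # endif
 .align PAGE_SIZE /* needs to be page-sized too */
+
+#ifdef CONFIG_PAX_PER_CPU_PGD
+ENTRY(cpu_pgd)
+ .rept 2*NR_CPUS
+ .fill 4,8,0
+ .endr
+#endif
+
 #endif
 
 .data
 .balign 4
 ENTRY(stack_start)
- .long init_thread_union+THREAD_SIZE
+ .long init_thread_union+THREAD_SIZE-8
 
 __INITRODATA
 int_msg:
@@ -738,7 +843,7 @@ fault_msg:
 * segment size, and 32-bit linear address value:
 */
 
- .data
+.section .rodata,"a",@progbits
 .globl boot_gdt_descr
 .globl idt_descr
 
@@ -747,7 +852,7 @@ fault_msg:
 .word 0 # 32 bit align gdt_desc.address
 boot_gdt_descr:
 .word __BOOT_DS+7
- .long boot_gdt - __PAGE_OFFSET
+ .long pa(boot_gdt)
 
 .word 0 # 32-bit align idt_desc.address
 idt_descr:
@@ -758,7 +863,7 @@ idt_descr:
 .word 0 # 32 bit align gdt_desc.address
 ENTRY(early_gdt_descr)
 .word GDT_ENTRIES*8-1
- .long gdt_page /* Overwritten for secondary CPUs */
+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
 
 /*
 * The boot_gdt must mirror the equivalent in setup.S and is
@@ -767,5 +872,65 @@ ENTRY(early_gdt_descr)
 .align L1_CACHE_BYTES
 ENTRY(boot_gdt)
 .fill GDT_ENTRY_BOOT_CS,8,0
- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
+
+ .align PAGE_SIZE_asm
+ENTRY(cpu_gdt_table)
+ .rept NR_CPUS
+ .quad 0x0000000000000000 /* NULL descriptor */
+ .quad 0x0000000000000000 /* 0x0b reserved */
+ .quad 0x0000000000000000 /* 0x13 reserved */
+ .quad 0x0000000000000000 /* 0x1b reserved */
+
+#ifdef CONFIG_PAX_KERNEXEC
+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
+#else
+ .quad 0x0000000000000000 /* 0x20 unused */
+#endif
+
+ .quad 0x0000000000000000 /* 0x28 unused */
+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
+ .quad 0x0000000000000000 /* 0x4b reserved */
+ .quad 0x0000000000000000 /* 0x53 reserved */
+ .quad 0x0000000000000000 /* 0x5b reserved */
+
+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
+
+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
+
+ /*
+ * Segments used for calling PnP BIOS have byte granularity.
+ * The code segments and data segments have fixed 64k limits,
+ * the transfer segment sizes are set at run time.
+ */
+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
+
+ /*
+ * The APM segments have byte granularity and their bases
+ * are set at run time. All have 64k limits.
+ */
+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
+
+ .quad 0x00c093000000ffff /* 0xd0 - ESPFIX SS */
+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
+
+ /* Be sure this is zeroed to avoid false validations in Xen */
+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
+ .endr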
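Review bot: In the `is486` hunk the `movl $(__USER_DS),%eax` is replaced by a commented-out instruction, `# movl $(__KERNEL_DS),%eax`, so `%ds` and `%es` are now loaded from whatever `%eax` holds after the `%ss` reload two lines above. That is correct only while nothing is inserted between the two, and a disabled instruction reads like leftover debugging rather than intent. I would replace it with a real comment, `/* %eax still holds __KERNEL_DS from the %ss reload: DS/ES use the kernel segment */`, or keep the explicit load. The surrounding routine starts and ends outside the hunk.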
25976diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
25977index 1d40ca8..4d38dbd 100644
25978--- a/arch/x86/kernel/head_64.S
25979+++ b/arch/x86/kernel/head_64.S
25980@@ -20,6 +20,8 @@
25981 #include <asm/processor-flags.h>
25982 #include <asm/percpu.h>
25983 #include <asm/nops.h>
25984+#include <asm/cpufeature.h>
25985+#include <asm/alternative-asm.h>
25986
25987 #ifdef CONFIG_PARAVIRT
25988 #include <asm/asm-offsets.h>
25989@@ -41,6 +43,12 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET)
25990 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
25991 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
25992 L3_START_KERNEL = pud_index(__START_KERNEL_map)
25993+L4_VMALLOC_START = pgd_index(VMALLOC_START)
25994+L3_VMALLOC_START = pud_index(VMALLOC_START)
25995+L4_VMALLOC_END = pgd_index(VMALLOC_END)
25996+L3_VMALLOC_END = pud_index(VMALLOC_END)
25997+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
25998+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
25999
26000 .text
26001 __HEAD
26002@@ -89,11 +97,33 @@ startup_64:
26003 * Fixup the physical addresses in the page table
26004 */
26005 addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip)
26006+ addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
26007+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
26008+ addq %rbp, init_level4_pgt + (L4_VMALLOC_END*8)(%rip)
26009+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
26010+ addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
26011
26012- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
26013- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
26014+ addq %rbp, level3_ident_pgt + (0*8)(%rip)
26015+#ifndef CONFIG_XEN
26016+ addq %rbp, level3_ident_pgt + (1*8)(%rip)
26017+#endif
26018
26019+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
26020+
26021+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
26022+ addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip)
26023+
26024+ addq %rbp, level2_ident_pgt + (0*8)(%rip)
26025+
26026+ addq %rbp, level2_fixmap_pgt + (0*8)(%rip)
26027+ addq %rbp, level2_fixmap_pgt + (1*8)(%rip)
26028+ addq %rbp, level2_fixmap_pgt + (2*8)(%rip)
26029+ addq %rbp, level2_fixmap_pgt + (3*8)(%rip)
26030+
26031+ addq %rbp, level2_fixmap_pgt + (504*8)(%rip)
26032+ addq %rbp, level2_fixmap_pgt + (505*8)(%rip)
26033 addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
26034+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
26035
26036 /*
26037 * Set up the identity mapping for the switchover. These
26038@@ -174,11 +204,12 @@ ENTRY(secondary_startup_64)
26039 * after the boot processor executes this code.
26040 */
26041
26042+ orq $-1, %rbp
26043 movq $(init_level4_pgt - __START_KERNEL_map), %rax
26044 1:
26045
26046- /* Enable PAE mode and PGE */
26047- movl $(X86_CR4_PAE | X86_CR4_PGE), %ecx
26048+ /* Enable PAE mode and PSE/PGE */
26049+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %ecx
26050 movq %rcx, %cr4
26051
26052 /* Setup early boot stage 4 level pagetables. */
26053@@ -199,10 +230,21 @@ ENTRY(secondary_startup_64)
26054 movl $MSR_EFER, %ecx
26055 rdmsr
26056 btsl $_EFER_SCE, %eax /* Enable System Call */
26057- btl $20,%edi /* No Execute supported? */
26058+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
26059 jnc 1f
26060 btsl $_EFER_NX, %eax
26061+ cmpq $-1, %rbp
26062+ je 1f
26063 btsq $_PAGE_BIT_NX,early_pmd_flags(%rip)
26064+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_PAGE_OFFSET(%rip)
26065+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_START(%rip)
26066+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_END(%rip)
26067+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMEMMAP_START(%rip)
26068+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*504(%rip)
26069+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*505(%rip)
26070+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*506(%rip)
26071+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*507(%rip)
26072+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
26073 1: wrmsr /* Make changes effective */
26074
26075 /* Setup cr0 */
26076@@ -282,6 +324,7 @@ ENTRY(secondary_startup_64)
26077 * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
26078 * address given in m16:64.
26079 */
26080+ pax_set_fptr_mask
26081 movq initial_code(%rip),%rax
26082 pushq $0 # fake return address to stop unwinder
26083 pushq $__KERNEL_CS # set correct cs
26084@@ -313,7 +356,7 @@ ENDPROC(start_cpu0)
26085 .quad INIT_PER_CPU_VAR(irq_stack_union)
26086
26087 GLOBAL(stack_start)
26088- .quad init_thread_union+THREAD_SIZE-8
26089+ .quad init_thread_union+THREAD_SIZE-16
26090 .word 0
26091 __FINITDATA
26092
26093@@ -393,7 +436,7 @@ early_idt_handler_common:
26094 call dump_stack
26095 #ifdef CONFIG_KALLSYMS
26096 leaq early_idt_ripmsg(%rip),%rdi
26097- movq 40(%rsp),%rsi # %rip again
26098+ movq 88(%rsp),%rsi # %rip again
26099 call __print_symbol
26100 #endif
26101 #endif /* EARLY_PRINTK */
26102@@ -422,6 +465,7 @@ ENDPROC(early_idt_handler_common)
26103 early_recursion_flag:
26104 .long 0
26105
26106+ .section .rodata,"a",@progbits
26107 #ifdef CONFIG_EARLY_PRINTK
26108 early_idt_msg:
26109 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
26110@@ -444,40 +488,67 @@ GLOBAL(name)
26111 __INITDATA
26112 NEXT_PAGE(early_level4_pgt)
26113 .fill 511,8,0
26114- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
26115+ .quad level3_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26116
26117 NEXT_PAGE(early_dynamic_pgts)
26118 .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
26119
26120- .data
26121+ .section .rodata,"a",@progbits
26122
26123-#ifndef CONFIG_XEN
26124 NEXT_PAGE(init_level4_pgt)
26125- .fill 512,8,0
26126-#else
26127-NEXT_PAGE(init_level4_pgt)
26128- .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26129 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
26130 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26131+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
26132+ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + _KERNPG_TABLE
26133+ .org init_level4_pgt + L4_VMALLOC_END*8, 0
26134+ .quad level3_vmalloc_end_pgt - __START_KERNEL_map + _KERNPG_TABLE
26135+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
26136+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26137 .org init_level4_pgt + L4_START_KERNEL*8, 0
26138 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
26139- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
26140+ .quad level3_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26141+
26142+#ifdef CONFIG_PAX_PER_CPU_PGD
26143+NEXT_PAGE(cpu_pgd)
26144+ .rept 2*NR_CPUS
26145+ .fill 512,8,0
26146+ .endr
26147+#endif
26148
26149 NEXT_PAGE(level3_ident_pgt)
26150 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26151+#ifdef CONFIG_XEN
26152 .fill 511, 8, 0
26153+#else
26154+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
26155+ .fill 510,8,0
26156+#endif
26157+
26158+NEXT_PAGE(level3_vmalloc_start_pgt)
26159+ .fill 512,8,0
26160+
26161+NEXT_PAGE(level3_vmalloc_end_pgt)
26162+ .fill 512,8,0
26163+
26164+NEXT_PAGE(level3_vmemmap_pgt)
26165+ .fill L3_VMEMMAP_START,8,0
26166+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26167+
26168 NEXT_PAGE(level2_ident_pgt)
26169- /* Since I easily can, map the first 1G.
26170+ .quad level1_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26171+ /* Since I easily can, map the first 2G.
26172 * Don't set NX because code runs from these pages.
26173 */
26174- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
26175-#endif
26176+ PMDS(PMD_SIZE, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD - 1)
26177
26178 NEXT_PAGE(level3_kernel_pgt)
26179 .fill L3_START_KERNEL,8,0
26180 /* (2^48-(2*1024*1024*1024)-((2^39)*511))/(2^30) = 510 */
26181 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26182- .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
26183+ .quad level2_fixmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26184+
26185+NEXT_PAGE(level2_vmemmap_pgt)
26186+ .fill 512,8,0
26187
26188 NEXT_PAGE(level2_kernel_pgt)
26189 /*
26190@@ -494,31 +565,79 @@ NEXT_PAGE(level2_kernel_pgt)
26191 KERNEL_IMAGE_SIZE/PMD_SIZE)
26192
26193 NEXT_PAGE(level2_fixmap_pgt)
26194- .fill 506,8,0
26195- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
26196- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
26197- .fill 5,8,0
26198+ .quad level1_modules_pgt - __START_KERNEL_map + 0 * PAGE_SIZE + _KERNPG_TABLE
26199+ .quad level1_modules_pgt - __START_KERNEL_map + 1 * PAGE_SIZE + _KERNPG_TABLE
26200+ .quad level1_modules_pgt - __START_KERNEL_map + 2 * PAGE_SIZE + _KERNPG_TABLE
26201+ .quad level1_modules_pgt - __START_KERNEL_map + 3 * PAGE_SIZE + _KERNPG_TABLE
26202+ .fill 500,8,0
26203+ .quad level1_fixmap_pgt - __START_KERNEL_map + 0 * PAGE_SIZE + _KERNPG_TABLE
26204+ .quad level1_fixmap_pgt - __START_KERNEL_map + 1 * PAGE_SIZE + _KERNPG_TABLE
26205+ .quad level1_fixmap_pgt - __START_KERNEL_map + 2 * PAGE_SIZE + _KERNPG_TABLE
26206+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _KERNPG_TABLE
26207+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
26208+ .fill 4,8,0
26209+
26210+NEXT_PAGE(level1_ident_pgt)
26211+ .fill 512,8,0
26212+
26213+NEXT_PAGE(level1_modules_pgt)
26214+ .fill 4*512,8,0
26215
26216 NEXT_PAGE(level1_fixmap_pgt)
26217+ .fill 3*512,8,0
26218+
26219+NEXT_PAGE(level1_vsyscall_pgt)
26220 .fill 512,8,0
26221
26222 #undef PMDS
26223
26224- .data
26225+ .align PAGE_SIZE
26226+ENTRY(cpu_gdt_table)
26227+ .rept NR_CPUS
26228+ .quad 0x0000000000000000 /* NULL descriptor */
26229+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
26230+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
26231+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
26232+ .quad 0x00cffb000000ffff /* __USER32_CS */
26233+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
26234+ .quad 0x00affb000000ffff /* __USER_CS */
26235+
26236+#ifdef CONFIG_PAX_KERNEXEC
26237+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
26238+#else
26239+ .quad 0x0 /* unused */
26240+#endif
26241+
26242+ .quad 0,0 /* TSS */
26243+ .quad 0,0 /* LDT */
26244+ .quad 0,0,0 /* three TLS descriptors */
26245+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
26246+ /* asm/segment.h:GDT_ENTRIES must match this */
26247+
26248+#ifdef CONFIG_PAX_MEMORY_UDEREF
26249+ .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */
26250+#else
26251+ .quad 0x0 /* unused */
26252+#endif
26253+
26254+ /* zero the remaining page */
26255+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
26256+ .endr
26257+
26258 .align 16
26259 .globl early_gdt_descr
26260 early_gdt_descr:
26261 .word GDT_ENTRIES*8-1
26262 early_gdt_descr_base:
26263- .quad INIT_PER_CPU_VAR(gdt_page)
26264+ .quad cpu_gdt_table
26265
26266 ENTRY(phys_base)
26267 /* This must match the first entry in level2_kernel_pgt */
26268 .quad 0x0000000000000000
26269
26270 #include "../../x86/xen/xen-head.S"
26271-
26272- __PAGE_ALIGNED_BSS
26273+
26274+ .section .rodata,"a",@progbits
26275 NEXT_PAGE(empty_zero_page)
26276 .skip PAGE_SIZE
26277
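Review bot: In `cpu_gdt_table`, the trailing `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` pads each `.rept` iteration to exactly one page only if the hand-written quads above it number exactly GDT_ENTRIES, and the only guard is the comment `asm/segment.h:GDT_ENTRIES must match this`. If the two drift apart, every later CPU's table moves off its page boundary and the `GDT_ENTRIES*8-1` limit in `early_gdt_descr` no longer describes the real table, with no build error. An assembler-time size check at the end of each iteration (a local label at the top of the `.rept` body and an `.if`/`.error` on the distance to it being PAGE_SIZE) would enforce what the comment only asks for. I would also add a comment at `.section .rodata,"a",@progbits` saying that `empty_zero_page` is now placed in read-only data instead of page-aligned BSS.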
26278diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
26279index 64341aa..b1e6632 100644
26280--- a/arch/x86/kernel/i386_ksyms_32.c
26281+++ b/arch/x86/kernel/i386_ksyms_32.c
26282@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
26283 EXPORT_SYMBOL(cmpxchg8b_emu);
26284 #endif
26285
26286+EXPORT_SYMBOL_GPL(cpu_gdt_table);
26287+
26288 /* Networking helper routines. */
26289 EXPORT_SYMBOL(csum_partial_copy_generic);
26290+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
26291+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
26292
26293 EXPORT_SYMBOL(__get_user_1);
26294 EXPORT_SYMBOL(__get_user_2);
26295@@ -42,3 +46,11 @@ EXPORT_SYMBOL(empty_zero_page);
26296 EXPORT_SYMBOL(___preempt_schedule);
26297 EXPORT_SYMBOL(___preempt_schedule_notrace);
26298 #endif
26299+
26300+#ifdef CONFIG_PAX_KERNEXEC
26301+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
26302+#endif
26303+
26304+#ifdef CONFIG_PAX_PER_CPU_PGD
26305+EXPORT_SYMBOL(cpu_pgd);
26306+#endif
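Review bot: `cpu_pgd` and `__LOAD_PHYSICAL_ADDR` are exported with plain `EXPORT_SYMBOL`, while the first hunk of this file exports `cpu_gdt_table` with `EXPORT_SYMBOL_GPL`, and nothing visible here explains the difference. Judging by the config name `CONFIG_PAX_PER_CPU_PGD`, `cpu_pgd` refers to per-CPU page tables, which is a sensitive object to make reachable from any loadable module. Each export should carry a comment naming the module that needs it, and unless a non-GPL consumer is known the line would be better as `EXPORT_SYMBOL_GPL(cpu_pgd);`.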
26307diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
26308index 16cb827..372334f 100644
26309--- a/arch/x86/kernel/i8259.c
26310+++ b/arch/x86/kernel/i8259.c
26311@@ -110,7 +110,7 @@ static int i8259A_irq_pending(unsigned int irq)
26312 static void make_8259A_irq(unsigned int irq)
26313 {
26314 disable_irq_nosync(irq);
26315- io_apic_irqs &= ~(1<<irq);
26316+ io_apic_irqs &= ~(1UL<<irq);
26317 irq_set_chip_and_handler(irq, &i8259A_chip, handle_level_irq);
26318 enable_irq(irq);
26319 }
26320@@ -208,7 +208,7 @@ spurious_8259A_irq:
26321 "spurious 8259A interrupt: IRQ%d.\n", irq);
26322 spurious_irq_mask |= irqmask;
26323 }
26324- atomic_inc(&irq_err_count);
26325+ atomic_inc_unchecked(&irq_err_count);
26326 /*
26327 * Theoretically we do not have to handle this IRQ,
26328 * but in Linux this does not cause problems and is
26329@@ -349,14 +349,16 @@ static void init_8259A(int auto_eoi)
26330 /* (slave's support for AEOI in flat mode is to be investigated) */
26331 outb_pic(SLAVE_ICW4_DEFAULT, PIC_SLAVE_IMR);
26332
26333+ pax_open_kernel();
26334 if (auto_eoi)
26335 /*
26336 * In AEOI mode we just have to mask the interrupt
26337 * when acking.
26338 */
26339- i8259A_chip.irq_mask_ack = disable_8259A_irq;
26340+ *(void **)&i8259A_chip.irq_mask_ack = disable_8259A_irq;
26341 else
26342- i8259A_chip.irq_mask_ack = mask_and_ack_8259A;
26343+ *(void **)&i8259A_chip.irq_mask_ack = mask_and_ack_8259A;
26344+ pax_close_kernel();
26345
26346 udelay(100); /* wait for 8259A to initialize */
26347
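Review bot: The stores `*(void **)&i8259A_chip.irq_mask_ack = ...` discard the function-pointer type, so a later signature change in `disable_8259A_irq` or `mask_and_ack_8259A` would no longer be diagnosed at this assignment. Presumably the cast exists because `i8259A_chip` is const-qualified or write-protected elsewhere in the patch (not visible in this hunk); a comment such as `/* i8259A_chip is read-only after init; write it only inside pax_open_kernel() */` would record that. I would also brace the `if`/`else`, so that a statement added later cannot end up outside the `pax_open_kernel()`/`pax_close_kernel()` window unnoticed. `init_8259A` starts and ends outside the hunk.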
26348diff --git a/arch/x86/kernel/io_delay.c b/arch/x86/kernel/io_delay.c
26349index a979b5b..1d6db75 100644
26350--- a/arch/x86/kernel/io_delay.c
26351+++ b/arch/x86/kernel/io_delay.c
26352@@ -58,7 +58,7 @@ static int __init dmi_io_delay_0xed_port(const struct dmi_system_id *id)
26353 * Quirk table for systems that misbehave (lock up, etc.) if port
26354 * 0x80 is used:
26355 */
26356-static struct dmi_system_id __initdata io_delay_0xed_port_dmi_table[] = {
26357+static const struct dmi_system_id __initconst io_delay_0xed_port_dmi_table[] = {
26358 {
26359 .callback = dmi_io_delay_0xed_port,
26360 .ident = "Compaq Presario V6000",
26361diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
26362index 37dae79..620dd84 100644
26363--- a/arch/x86/kernel/ioport.c
26364+++ b/arch/x86/kernel/ioport.c
26365@@ -6,6 +6,7 @@
26366 #include <linux/sched.h>
26367 #include <linux/kernel.h>
26368 #include <linux/capability.h>
26369+#include <linux/security.h>
26370 #include <linux/errno.h>
26371 #include <linux/types.h>
26372 #include <linux/ioport.h>
26373@@ -30,6 +31,12 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
26374 return -EINVAL;
26375 if (turn_on && !capable(CAP_SYS_RAWIO))
26376 return -EPERM;
26377+#ifdef CONFIG_GRKERNSEC_IO
26378+ if (turn_on && grsec_disable_privio) {
26379+ gr_handle_ioperm();
26380+ return -ENODEV;
26381+ }
26382+#endif
26383
26384 /*
26385 * If it's the first ioperm() call in this thread's lifetime, set the
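Review bot: The new `grsec_disable_privio` check in `sys_ioperm` sits after the `capable(CAP_SYS_RAWIO)` test, so `gr_handle_ioperm()` is reached only by callers that already hold the capability; unprivileged attempts still return -EPERM without passing through it. The `iopl` hunk further down uses the same ordering. That ordering, and the choice of -ENODEV rather than -EPERM, deserve a comment, for example `/* privileged I/O is disabled system-wide: refuse even CAP_SYS_RAWIO holders */`. The declarations of `grsec_disable_privio` and `gr_handle_ioperm()` are not visible here; presumably the added `<linux/security.h>` include supplies them, which is worth confirming. `sys_ioperm` continues outside the hunk.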
26386@@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
26387 * because the ->io_bitmap_max value must match the bitmap
26388 * contents:
26389 */
26390- tss = &per_cpu(cpu_tss, get_cpu());
26391+ tss = cpu_tss + get_cpu();
26392
26393 if (turn_on)
26394 bitmap_clear(t->io_bitmap_ptr, from, num);
26395@@ -105,6 +112,12 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
26396 if (level > old) {
26397 if (!capable(CAP_SYS_RAWIO))
26398 return -EPERM;
26399+#ifdef CONFIG_GRKERNSEC_IO
26400+ if (grsec_disable_privio) {
26401+ gr_handle_iopl();
26402+ return -ENODEV;
26403+ }
26404+#endif
26405 }
26406 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
26407 t->iopl = level << 12;
26408diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
26409index c7dfe1b..146f63c 100644
26410--- a/arch/x86/kernel/irq.c
26411+++ b/arch/x86/kernel/irq.c
26412@@ -28,7 +28,7 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
26413 DEFINE_PER_CPU(struct pt_regs *, irq_regs);
26414 EXPORT_PER_CPU_SYMBOL(irq_regs);
26415
26416-atomic_t irq_err_count;
26417+atomic_unchecked_t irq_err_count;
26418
26419 /* Function pointer for generic interrupt vector handling */
26420 void (*x86_platform_ipi_callback)(void) = NULL;
26421@@ -144,9 +144,9 @@ int arch_show_interrupts(struct seq_file *p, int prec)
26422 seq_printf(p, "%10u ", irq_stats(j)->irq_hv_callback_count);
26423 seq_puts(p, " Hypervisor callback interrupts\n");
26424 #endif
26425- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
26426+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
26427 #if defined(CONFIG_X86_IO_APIC)
26428- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
26429+ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
26430 #endif
26431 #ifdef CONFIG_HAVE_KVM
26432 seq_printf(p, "%*s: ", prec, "PIN");
26433@@ -198,7 +198,7 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
26434
26435 u64 arch_irq_stat(void)
26436 {
26437- u64 sum = atomic_read(&irq_err_count);
26438+ u64 sum = atomic_read_unchecked(&irq_err_count);
26439 return sum;
26440 }
26441
26442diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
26443index cd74f59..588af0b 100644
26444--- a/arch/x86/kernel/irq_32.c
26445+++ b/arch/x86/kernel/irq_32.c
26446@@ -23,6 +23,8 @@
26447
26448 #ifdef CONFIG_DEBUG_STACKOVERFLOW
26449
26450+extern void gr_handle_kernel_exploit(void);
26451+
26452 int sysctl_panic_on_stackoverflow __read_mostly;
26453
26454 /* Debugging check for stack overflow: is there less than 1KB free? */
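Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in this .c file, and the same declaration is repeated in the first hunk of arch/x86/kernel/irq_64.c. A prototype kept in source files is not checked against the definition, so a later signature change would compile silently in both places. Declaring it once in a shared header that both files include would avoid that. The declaration here is also inside `#ifdef CONFIG_DEBUG_STACKOVERFLOW`, which matches its only visible use in `print_stack_overflow()`.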
26455@@ -33,13 +35,14 @@ static int check_stack_overflow(void)
26456 __asm__ __volatile__("andl %%esp,%0" :
26457 "=r" (sp) : "0" (THREAD_SIZE - 1));
26458
26459- return sp < (sizeof(struct thread_info) + STACK_WARN);
26460+ return sp < STACK_WARN;
26461 }
26462
26463 static void print_stack_overflow(void)
26464 {
26465 printk(KERN_WARNING "low stack detected by irq handler\n");
26466 dump_stack();
26467+ gr_handle_kernel_exploit();
26468 if (sysctl_panic_on_stackoverflow)
26469 panic("low stack detected by irq handler - check messages\n");
26470 }
26471@@ -71,10 +74,9 @@ static inline void *current_stack(void)
26472 static inline int
26473 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26474 {
26475- struct irq_stack *curstk, *irqstk;
26476+ struct irq_stack *irqstk;
26477 u32 *isp, *prev_esp, arg1, arg2;
26478
26479- curstk = (struct irq_stack *) current_stack();
26480 irqstk = __this_cpu_read(hardirq_stack);
26481
26482 /*
26483@@ -83,15 +85,19 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26484 * handler) we can't do that and just have to keep using the
26485 * current stack (which is the irq stack already after all)
26486 */
26487- if (unlikely(curstk == irqstk))
26488+ if (unlikely((void *)current_stack_pointer - (void *)irqstk < THREAD_SIZE))
26489 return 0;
26490
26491- isp = (u32 *) ((char *)irqstk + sizeof(*irqstk));
26492+ isp = (u32 *) ((char *)irqstk + sizeof(*irqstk) - 8);
26493
26494 /* Save the next esp at the bottom of the stack */
26495 prev_esp = (u32 *)irqstk;
26496 *prev_esp = current_stack_pointer();
26497
26498+#ifdef CONFIG_PAX_MEMORY_UDEREF
26499+ __set_fs(MAKE_MM_SEG(0));
26500+#endif
26501+
26502 if (unlikely(overflow))
26503 call_on_stack(print_stack_overflow, isp);
26504
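Review bot: The new test `(void *)current_stack_pointer - (void *)irqstk < THREAD_SIZE` uses `current_stack_pointer` without a call, while the unchanged line a few lines below writes `*prev_esp = current_stack_pointer();`. If `current_stack_pointer` is a function in this tree, as that context line suggests (its definition is outside the hunk), the cast takes the function's address rather than the stack pointer. The "already on the irq stack" check would then not detect nesting. In that case the line should read `if (unlikely((void *)current_stack_pointer() - (void *)irqstk < THREAD_SIZE))`. `execute_on_irq_stack` starts and ends outside this hunk.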
26505@@ -102,6 +108,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26506 : "0" (irq), "1" (desc), "2" (isp),
26507 "D" (desc->handle_irq)
26508 : "memory", "cc", "ecx");
26509+
26510+#ifdef CONFIG_PAX_MEMORY_UDEREF
26511+ __set_fs(current_thread_info()->addr_limit);
26512+#endif
26513+
26514 return 1;
26515 }
26516
26517@@ -110,32 +121,18 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26518 */
26519 void irq_ctx_init(int cpu)
26520 {
26521- struct irq_stack *irqstk;
26522-
26523 if (per_cpu(hardirq_stack, cpu))
26524 return;
26525
26526- irqstk = page_address(alloc_pages_node(cpu_to_node(cpu),
26527- THREADINFO_GFP,
26528- THREAD_SIZE_ORDER));
26529- per_cpu(hardirq_stack, cpu) = irqstk;
26530-
26531- irqstk = page_address(alloc_pages_node(cpu_to_node(cpu),
26532- THREADINFO_GFP,
26533- THREAD_SIZE_ORDER));
26534- per_cpu(softirq_stack, cpu) = irqstk;
26535-
26536- printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
26537- cpu, per_cpu(hardirq_stack, cpu), per_cpu(softirq_stack, cpu));
26538+ per_cpu(hardirq_stack, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
26539+ per_cpu(softirq_stack, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
26540 }
26541
26542 void do_softirq_own_stack(void)
26543 {
26544- struct thread_info *curstk;
26545 struct irq_stack *irqstk;
26546 u32 *isp, *prev_esp;
26547
26548- curstk = current_stack();
26549 irqstk = __this_cpu_read(softirq_stack);
26550
26551 /* build the stack frame on the softirq stack */
26552@@ -145,7 +142,16 @@ void do_softirq_own_stack(void)
26553 prev_esp = (u32 *)irqstk;
26554 *prev_esp = current_stack_pointer();
26555
26556+#ifdef CONFIG_PAX_MEMORY_UDEREF
26557+ __set_fs(MAKE_MM_SEG(0));
26558+#endif
26559+
26560 call_on_stack(__do_softirq, isp);
26561+
26562+#ifdef CONFIG_PAX_MEMORY_UDEREF
26563+ __set_fs(current_thread_info()->addr_limit);
26564+#endif
26565+
26566 }
26567
26568 bool handle_irq(unsigned irq, struct pt_regs *regs)
26569diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
26570index bc4604e..0be227d 100644
26571--- a/arch/x86/kernel/irq_64.c
26572+++ b/arch/x86/kernel/irq_64.c
26573@@ -20,6 +20,8 @@
26574 #include <asm/idle.h>
26575 #include <asm/apic.h>
26576
26577+extern void gr_handle_kernel_exploit(void);
26578+
26579 int sysctl_panic_on_stackoverflow;
26580
26581 /*
26582@@ -63,6 +65,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
26583 irq_stack_top, irq_stack_bottom,
26584 estack_top, estack_bottom);
26585
26586+ gr_handle_kernel_exploit();
26587+
26588 if (sysctl_panic_on_stackoverflow)
26589 panic("low stack detected by irq handler - check messages\n");
26590 #endif
26591diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c
26592index 26d5a55..063fef8 100644
26593--- a/arch/x86/kernel/jump_label.c
26594+++ b/arch/x86/kernel/jump_label.c
26595@@ -31,6 +31,8 @@ static void bug_at(unsigned char *ip, int line)
26596 * Something went wrong. Crash the box, as something could be
26597 * corrupting the kernel.
26598 */
26599+ ip = (unsigned char *)ktla_ktva((unsigned long)ip);
26600+ pr_warning("Unexpected op at %pS [%p] %s:%d\n", ip, ip, __FILE__, line);
26601 pr_warning("Unexpected op at %pS [%p] (%02x %02x %02x %02x %02x) %s:%d\n",
26602 ip, ip, ip[0], ip[1], ip[2], ip[3], ip[4], __FILE__, line);
26603 BUG();
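Review bot: The added `pr_warning("Unexpected op at %pS [%p] %s:%d\n", ip, ip, __FILE__, line);` prints the same location as the existing warning directly after it, so every failure logs two near-identical lines and nothing says why. If the intent is to get the address into the log before the second call reads `ip[0]` to `ip[4]`, which could itself fault on a bad address, say so with a comment such as `/* log the address first: reading ip[] below may fault */`; otherwise drop the extra line. `ip` is also reassigned to its `ktla_ktva()` form before printing, so `%pS` receives the translated address and may not resolve to the symbol the caller passed in; that is an inference, since `ktla_ktva` is defined outside this page.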
26604@@ -51,7 +53,7 @@ static void __jump_label_transform(struct jump_entry *entry,
26605 * Jump label is enabled for the first time.
26606 * So we expect a default_nop...
26607 */
26608- if (unlikely(memcmp((void *)entry->code, default_nop, 5)
26609+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), default_nop, 5)
26610 != 0))
26611 bug_at((void *)entry->code, __LINE__);
26612 } else {
26613@@ -59,7 +61,7 @@ static void __jump_label_transform(struct jump_entry *entry,
26614 * ...otherwise expect an ideal_nop. Otherwise
26615 * something went horribly wrong.
26616 */
26617- if (unlikely(memcmp((void *)entry->code, ideal_nop, 5)
26618+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), ideal_nop, 5)
26619 != 0))
26620 bug_at((void *)entry->code, __LINE__);
26621 }
26622@@ -75,13 +77,13 @@ static void __jump_label_transform(struct jump_entry *entry,
26623 * are converting the default nop to the ideal nop.
26624 */
26625 if (init) {
26626- if (unlikely(memcmp((void *)entry->code, default_nop, 5) != 0))
26627+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), default_nop, 5) != 0))
26628 bug_at((void *)entry->code, __LINE__);
26629 } else {
26630 code.jump = 0xe9;
26631 code.offset = entry->target -
26632 (entry->code + JUMP_LABEL_NOP_SIZE);
26633- if (unlikely(memcmp((void *)entry->code, &code, 5) != 0))
26634+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), &code, 5) != 0))
26635 bug_at((void *)entry->code, __LINE__);
26636 }
26637 memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE);
26638diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
26639index d6178d9..598681f 100644
26640--- a/arch/x86/kernel/kgdb.c
26641+++ b/arch/x86/kernel/kgdb.c
26642@@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void)
26643 bp->attr.bp_addr = breakinfo[breakno].addr;
26644 bp->attr.bp_len = breakinfo[breakno].len;
26645 bp->attr.bp_type = breakinfo[breakno].type;
26646- info->address = breakinfo[breakno].addr;
26647+ if (breakinfo[breakno].type == X86_BREAKPOINT_EXECUTE)
26648+ info->address = ktla_ktva(breakinfo[breakno].addr);
26649+ else
26650+ info->address = breakinfo[breakno].addr;
26651 info->len = breakinfo[breakno].len;
26652 info->type = breakinfo[breakno].type;
26653 val = arch_install_hw_breakpoint(bp);
26654@@ -475,12 +478,12 @@ int kgdb_arch_handle_exception(int e_vector, int signo, int err_code,
26655 case 'k':
26656 /* clear the trace bit */
26657 linux_regs->flags &= ~X86_EFLAGS_TF;
26658- atomic_set(&kgdb_cpu_doing_single_step, -1);
26659+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
26660
26661 /* set the trace bit if we're stepping */
26662 if (remcomInBuffer[0] == 's') {
26663 linux_regs->flags |= X86_EFLAGS_TF;
26664- atomic_set(&kgdb_cpu_doing_single_step,
26665+ atomic_set_unchecked(&kgdb_cpu_doing_single_step,
26666 raw_smp_processor_id());
26667 }
26668
26669@@ -545,7 +548,7 @@ static int __kgdb_notify(struct die_args *args, unsigned long cmd)
26670
26671 switch (cmd) {
26672 case DIE_DEBUG:
26673- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
26674+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
26675 if (user_mode(regs))
26676 return single_step_cont(regs, args);
26677 break;
26678@@ -750,11 +753,11 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt)
26679 #endif /* CONFIG_DEBUG_RODATA */
26680
26681 bpt->type = BP_BREAKPOINT;
26682- err = probe_kernel_read(bpt->saved_instr, (char *)bpt->bpt_addr,
26683+ err = probe_kernel_read(bpt->saved_instr, (const void *)ktla_ktva(bpt->bpt_addr),
26684 BREAK_INSTR_SIZE);
26685 if (err)
26686 return err;
26687- err = probe_kernel_write((char *)bpt->bpt_addr,
26688+ err = probe_kernel_write((void *)ktla_ktva(bpt->bpt_addr),
26689 arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE);
26690 #ifdef CONFIG_DEBUG_RODATA
26691 if (!err)
26692@@ -767,7 +770,7 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt)
26693 return -EBUSY;
26694 text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,
26695 BREAK_INSTR_SIZE);
26696- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
26697+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
26698 if (err)
26699 return err;
26700 if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))
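Review bot: This hunk calls `ktla_ktva((char *)bpt->bpt_addr)` with a pointer argument, whereas the preceding hunk in the same function writes `(const void *)ktla_ktva(bpt->bpt_addr)` and casts the result; the `kgdb_arch_remove_breakpoint` hunk below mixes both forms too. Whether the two are equivalent depends on how `ktla_ktva` is defined, which is not visible here, so one form should be used throughout, e.g. `err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);`. The neighbouring `text_poke((void *)bpt->bpt_addr, ...)` is left untranslated; if `text_poke` does its own translation, a short comment saying so would stop a reader from treating it as an omission.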
26701@@ -792,13 +795,13 @@ int kgdb_arch_remove_breakpoint(struct kgdb_bkpt *bpt)
26702 if (mutex_is_locked(&text_mutex))
26703 goto knl_write;
26704 text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);
26705- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
26706+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
26707 if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))
26708 goto knl_write;
26709 return err;
26710 knl_write:
26711 #endif /* CONFIG_DEBUG_RODATA */
26712- return probe_kernel_write((char *)bpt->bpt_addr,
26713+ return probe_kernel_write((void *)ktla_ktva(bpt->bpt_addr),
26714 (char *)bpt->saved_instr, BREAK_INSTR_SIZE);
26715 }
26716
26717diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
26718index 1deffe6..3be342a 100644
26719--- a/arch/x86/kernel/kprobes/core.c
26720+++ b/arch/x86/kernel/kprobes/core.c
26721@@ -120,9 +120,12 @@ __synthesize_relative_insn(void *from, void *to, u8 op)
26722 s32 raddr;
26723 } __packed *insn;
26724
26725- insn = (struct __arch_relative_insn *)from;
26726+ insn = (struct __arch_relative_insn *)ktla_ktva((unsigned long)from);
26727+
26728+ pax_open_kernel();
26729 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
26730 insn->op = op;
26731+ pax_close_kernel();
26732 }
26733
26734 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
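Review bot: `__synthesize_relative_insn` now stores through `ktla_ktva((unsigned long)from)` but still computes `raddr` from the untranslated `from`, and no comment explains why the two addresses differ. If the reason is that the bytes are written through a different mapping than the one they execute from, that should be stated, for example `/* write via the translated address; raddr stays relative to the address the CPU executes */`. Without it, a later cleanup could "fix" the apparent mismatch and produce a wrong branch displacement. The function's signature and local struct are outside the hunk.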
26735@@ -168,7 +171,7 @@ int can_boost(kprobe_opcode_t *opcodes)
26736 kprobe_opcode_t opcode;
26737 kprobe_opcode_t *orig_opcodes = opcodes;
26738
26739- if (search_exception_tables((unsigned long)opcodes))
26740+ if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
26741 return 0; /* Page fault may occur on this address. */
26742
26743 retry:
26744@@ -260,12 +263,12 @@ __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
26745 * Fortunately, we know that the original code is the ideal 5-byte
26746 * long NOP.
26747 */
26748- memcpy(buf, (void *)addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
26749+ memcpy(buf, (void *)ktla_ktva(addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
26750 if (faddr)
26751 memcpy(buf, ideal_nops[NOP_ATOMIC5], 5);
26752 else
26753 buf[0] = kp->opcode;
26754- return (unsigned long)buf;
26755+ return ktva_ktla((unsigned long)buf);
26756 }
26757
26758 /*
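Review bot: `__recover_probed_insn` now returns `ktva_ktla((unsigned long)buf)`, applying the address translation to the caller-supplied buffer, while the read two lines above translates `addr` in the opposite direction with `ktla_ktva`. Where `buf` lives cannot be told from this hunk, and a translation meant for kernel text applied to a scratch buffer would hand the caller an address that does not point at the copied bytes. The return needs a comment stating which address form callers expect, and the callers (outside this hunk) should be checked to confirm they convert it back before dereferencing.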
26759@@ -367,7 +370,9 @@ int __copy_instruction(u8 *dest, u8 *src)
26760 /* Another subsystem puts a breakpoint, failed to recover */
26761 if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
26762 return 0;
26763+ pax_open_kernel();
26764 memcpy(dest, insn.kaddr, length);
26765+ pax_close_kernel();
26766
26767 #ifdef CONFIG_X86_64
26768 if (insn_rip_relative(&insn)) {
26769@@ -394,7 +399,9 @@ int __copy_instruction(u8 *dest, u8 *src)
26770 return 0;
26771 }
26772 disp = (u8 *) dest + insn_offset_displacement(&insn);
26773+ pax_open_kernel();
26774 *(s32 *) disp = (s32) newdisp;
26775+ pax_close_kernel();
26776 }
26777 #endif
26778 return length;
26779@@ -536,7 +543,7 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
26780 * nor set current_kprobe, because it doesn't use single
26781 * stepping.
26782 */
26783- regs->ip = (unsigned long)p->ainsn.insn;
26784+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
26785 preempt_enable_no_resched();
26786 return;
26787 }
26788@@ -553,9 +560,9 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
26789 regs->flags &= ~X86_EFLAGS_IF;
26790 /* single step inline if the instruction is an int3 */
26791 if (p->opcode == BREAKPOINT_INSTRUCTION)
26792- regs->ip = (unsigned long)p->addr;
26793+ regs->ip = ktla_ktva((unsigned long)p->addr);
26794 else
26795- regs->ip = (unsigned long)p->ainsn.insn;
26796+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
26797 }
26798 NOKPROBE_SYMBOL(setup_singlestep);
26799
26800@@ -640,7 +647,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
26801 setup_singlestep(p, regs, kcb, 0);
26802 return 1;
26803 }
26804- } else if (*addr != BREAKPOINT_INSTRUCTION) {
26805+ } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
26806 /*
26807 * The breakpoint instruction was removed right
26808 * after we hit it. Another cpu has removed
26809@@ -687,6 +694,9 @@ static void __used kretprobe_trampoline_holder(void)
26810 " movq %rax, 152(%rsp)\n"
26811 RESTORE_REGS_STRING
26812 " popfq\n"
26813+#ifdef KERNEXEC_PLUGIN
26814+ " btsq $63,(%rsp)\n"
26815+#endif
26816 #else
26817 " pushf\n"
26818 SAVE_REGS_STRING
26819@@ -827,7 +837,7 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,
26820 struct kprobe_ctlblk *kcb)
26821 {
26822 unsigned long *tos = stack_addr(regs);
26823- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
26824+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
26825 unsigned long orig_ip = (unsigned long)p->addr;
26826 kprobe_opcode_t *insn = p->ainsn.insn;
26827
26828diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
26829index 7b3b9d1..e2478b91 100644
26830--- a/arch/x86/kernel/kprobes/opt.c
26831+++ b/arch/x86/kernel/kprobes/opt.c
26832@@ -79,6 +79,7 @@ found:
26833 /* Insert a move instruction which sets a pointer to eax/rdi (1st arg). */
26834 static void synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val)
26835 {
26836+ pax_open_kernel();
26837 #ifdef CONFIG_X86_64
26838 *addr++ = 0x48;
26839 *addr++ = 0xbf;
26840@@ -86,6 +87,7 @@ static void synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val)
26841 *addr++ = 0xb8;
26842 #endif
26843 *(unsigned long *)addr = val;
26844+ pax_close_kernel();
26845 }
26846
26847 asm (
26848@@ -342,7 +344,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
26849 * Verify if the address gap is in 2GB range, because this uses
26850 * a relative jump.
26851 */
26852- rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
26853+ rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
26854 if (abs(rel) > 0x7fffffff) {
26855 __arch_remove_optimized_kprobe(op, 0);
26856 return -ERANGE;
26857@@ -359,16 +361,18 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
26858 op->optinsn.size = ret;
26859
26860 /* Copy arch-dep-instance from template */
26861- memcpy(buf, &optprobe_template_entry, TMPL_END_IDX);
26862+ pax_open_kernel();
26863+ memcpy(buf, ktla_ktva(&optprobe_template_entry), TMPL_END_IDX);
26864+ pax_close_kernel();
26865
26866 /* Set probe information */
26867 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
26868
26869 /* Set probe function call */
26870- synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
26871+ synthesize_relcall(ktva_ktla(buf) + TMPL_CALL_IDX, optimized_callback);
26872
26873 /* Set returning jmp instruction at the tail of out-of-line buffer */
26874- synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
26875+ synthesize_reljump(ktva_ktla(buf) + TMPL_END_IDX + op->optinsn.size,
26876 (u8 *)op->kp.addr + op->optinsn.size);
26877
26878 flush_icache_range((unsigned long) buf,
26879@@ -393,7 +397,7 @@ void arch_optimize_kprobes(struct list_head *oplist)
26880 WARN_ON(kprobe_disabled(&op->kp));
26881
26882 /* Backup instructions which will be replaced by jump address */
26883- memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
26884+ memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
26885 RELATIVE_ADDR_SIZE);
26886
26887 insn_buf[0] = RELATIVEJUMP_OPCODE;
26888@@ -441,7 +445,7 @@ int setup_detour_execution(struct kprobe *p, struct pt_regs *regs, int reenter)
26889 /* This kprobe is really able to run optimized path. */
26890 op = container_of(p, struct optimized_kprobe, kp);
26891 /* Detour through copied instructions */
26892- regs->ip = (unsigned long)op->optinsn.insn + TMPL_END_IDX;
26893+ regs->ip = ktva_ktla((unsigned long)op->optinsn.insn) + TMPL_END_IDX;
26894 if (!reenter)
26895 reset_current_kprobe();
26896 preempt_enable_no_resched();
26897diff --git a/arch/x86/kernel/ksysfs.c b/arch/x86/kernel/ksysfs.c
26898index c2bedae..25e7ab60 100644
26899--- a/arch/x86/kernel/ksysfs.c
26900+++ b/arch/x86/kernel/ksysfs.c
26901@@ -184,7 +184,7 @@ out:
26902
26903 static struct kobj_attribute type_attr = __ATTR_RO(type);
26904
26905-static struct bin_attribute data_attr = {
26906+static bin_attribute_no_const data_attr __read_only = {
26907 .attr = {
26908 .name = "data",
26909 .mode = S_IRUGO,
26910diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
26911index 49487b4..a94a0d3 100644
26912--- a/arch/x86/kernel/kvmclock.c
26913+++ b/arch/x86/kernel/kvmclock.c
26914@@ -29,7 +29,7 @@
26915 #include <asm/x86_init.h>
26916 #include <asm/reboot.h>
26917
26918-static int kvmclock = 1;
26919+static int kvmclock __read_only = 1;
26920 static int msr_kvm_system_time = MSR_KVM_SYSTEM_TIME;
26921 static int msr_kvm_wall_clock = MSR_KVM_WALL_CLOCK;
26922
26923@@ -41,7 +41,7 @@ static int parse_no_kvmclock(char *arg)
26924 early_param("no-kvmclock", parse_no_kvmclock);
26925
26926 /* The hypervisor will put information about time periodically here */
26927-static struct pvclock_vsyscall_time_info *hv_clock;
26928+static struct pvclock_vsyscall_time_info hv_clock[NR_CPUS] __page_aligned_bss;
26929 static struct pvclock_wall_clock wall_clock;
26930
26931 /*
26932@@ -132,7 +132,7 @@ bool kvm_check_and_clear_guest_paused(void)
26933 struct pvclock_vcpu_time_info *src;
26934 int cpu = smp_processor_id();
26935
26936- if (!hv_clock)
26937+ if (!kvmclock)
26938 return ret;
26939
26940 src = &hv_clock[cpu].pvti;
26941@@ -159,7 +159,7 @@ int kvm_register_clock(char *txt)
26942 int low, high, ret;
26943 struct pvclock_vcpu_time_info *src;
26944
26945- if (!hv_clock)
26946+ if (!kvmclock)
26947 return 0;
26948
26949 src = &hv_clock[cpu].pvti;
26950@@ -219,7 +219,6 @@ static void kvm_shutdown(void)
26951 void __init kvmclock_init(void)
26952 {
26953 struct pvclock_vcpu_time_info *vcpu_time;
26954- unsigned long mem;
26955 int size, cpu;
26956 u8 flags;
26957
26958@@ -237,15 +236,8 @@ void __init kvmclock_init(void)
26959 printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
26960 msr_kvm_system_time, msr_kvm_wall_clock);
26961
26962- mem = memblock_alloc(size, PAGE_SIZE);
26963- if (!mem)
26964- return;
26965- hv_clock = __va(mem);
26966- memset(hv_clock, 0, size);
26967-
26968 if (kvm_register_clock("primary cpu clock")) {
26969- hv_clock = NULL;
26970- memblock_free(mem, size);
26971+ kvmclock = 0;
26972 return;
26973 }
26974 pv_time_ops.sched_clock = kvm_clock_read;
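Review bot: With `hv_clock` turned into a static array, the guards in `kvm_check_and_clear_guest_paused`, `kvm_register_clock` and `kvm_setup_vsyscall_timeinfo` now test `kvmclock`, which is initialised to 1 and is cleared in this hunk only when `kvm_register_clock("primary cpu clock")` fails. The earlier return paths of `kvmclock_init` are outside the hunk; if any of them returns without `kvmclock = 0;`, those guards pass on a system where the clock was never registered, whereas the old `!hv_clock` test failed closed because the pointer stayed NULL. Consider clearing the flag on every early exit, or tracking registration in a separate flag that is set only after success. `kvmclock` is also declared `__read_only` and stored to here, so a comment should say why that is safe in `__init` code, assuming write protection is applied later. `size` may now be set but unused once the allocation is gone.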
26975@@ -286,7 +278,7 @@ int __init kvm_setup_vsyscall_timeinfo(void)
26976 struct pvclock_vcpu_time_info *vcpu_time;
26977 unsigned int size;
26978
26979- if (!hv_clock)
26980+ if (!kvmclock)
26981 return 0;
26982
26983 size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
26984diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
26985index 2bcc052..864eb84 100644
26986--- a/arch/x86/kernel/ldt.c
26987+++ b/arch/x86/kernel/ldt.c
26988@@ -11,6 +11,7 @@
26989 #include <linux/sched.h>
26990 #include <linux/string.h>
26991 #include <linux/mm.h>
26992+#include <linux/ratelimit.h>
26993 #include <linux/smp.h>
26994 #include <linux/slab.h>
26995 #include <linux/vmalloc.h>
26996@@ -21,6 +22,14 @@
26997 #include <asm/mmu_context.h>
26998 #include <asm/syscalls.h>
26999
27000+#ifdef CONFIG_GRKERNSEC
27001+int sysctl_modify_ldt __read_only = 0;
27002+#elif defined(CONFIG_DEFAULT_MODIFY_LDT_SYSCALL)
27003+int sysctl_modify_ldt __read_only = 1;
27004+#else
27005+int sysctl_modify_ldt __read_only = 0;
27006+#endif
27007+
27008 /* context.lock is held for us, so we don't need any locking. */
27009 static void flush_ldt(void *current_mm)
27010 {
27011@@ -109,6 +118,23 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
27012 struct mm_struct *old_mm;
27013 int retval = 0;
27014
27015+ if (tsk == current) {
27016+ mm->context.vdso = 0;
27017+
27018+#ifdef CONFIG_X86_32
27019+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
27020+ mm->context.user_cs_base = 0UL;
27021+ mm->context.user_cs_limit = ~0UL;
27022+
27023+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
27024+ cpumask_clear(&mm->context.cpu_user_cs_mask);
27025+#endif
27026+
27027+#endif
27028+#endif
27029+
27030+ }
27031+
27032 mutex_init(&mm->context.lock);
27033 old_mm = current->mm;
27034 if (!old_mm) {
27035@@ -235,6 +261,14 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
27036 /* The user wants to clear the entry. */
27037 memset(&ldt, 0, sizeof(ldt));
27038 } else {
27039+
27040+#ifdef CONFIG_PAX_SEGMEXEC
27041+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
27042+ error = -EINVAL;
27043+ goto out;
27044+ }
27045+#endif
27046+
27047 if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
27048 error = -EINVAL;
27049 goto out;
27050@@ -276,6 +310,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
27051 {
27052 int ret = -ENOSYS;
27053
27054+ if (!sysctl_modify_ldt) {
27055+ printk_ratelimited(KERN_INFO
27056+ "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
27057+ " Adjust sysctl if this was not an exploit attempt.\n",
27058+ current->comm, task_pid_nr(current),
27059+ from_kuid_munged(current_user_ns(), current_uid()));
27060+ return ret;
27061+ }
27062+
27063 switch (func) {
27064 case 0:
27065 ret = read_ldt(ptr, bytecount);
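Review bot: The denial path in `sys_modify_ldt` returns `ret`, relying on its `-ENOSYS` initialiser, and it runs before `func` is examined, so read requests (`func` 0, `read_ldt`) are refused and logged together with writes. Writing `return -ENOSYS;` makes the result independent of the initialiser, and a comment should state that blocking reads as well is intended. The log line prints `current->comm`, which the calling task controls, so anything that parses these messages should treat that field as untrusted. Separately, in the second hunk of this file the `CONFIG_GRKERNSEC` branch and the final `#else` branch both set `sysctl_modify_ldt` to 0 and could be written as one.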
27066diff --git a/arch/x86/kernel/livepatch.c b/arch/x86/kernel/livepatch.c
27067index ff3c3101d..d7c0cd8 100644
27068--- a/arch/x86/kernel/livepatch.c
27069+++ b/arch/x86/kernel/livepatch.c
27070@@ -41,9 +41,10 @@ int klp_write_module_reloc(struct module *mod, unsigned long type,
27071 int ret, numpages, size = 4;
27072 bool readonly;
27073 unsigned long val;
27074- unsigned long core = (unsigned long)mod->module_core;
27075- unsigned long core_ro_size = mod->core_ro_size;
27076- unsigned long core_size = mod->core_size;
27077+ unsigned long core_rx = (unsigned long)mod->module_core_rx;
27078+ unsigned long core_rw = (unsigned long)mod->module_core_rw;
27079+ unsigned long core_size_rx = mod->core_size_rx;
27080+ unsigned long core_size_rw = mod->core_size_rw;
27081
27082 switch (type) {
27083 case R_X86_64_NONE:
27084@@ -66,11 +67,12 @@ int klp_write_module_reloc(struct module *mod, unsigned long type,
27085 return -EINVAL;
27086 }
27087
27088- if (loc < core || loc >= core + core_size)
27089+ if ((loc < core_rx || loc >= core_rx + core_size_rx) &&
27090+ (loc < core_rw || loc >= core_rw + core_size_rw))
27091 /* loc does not point to any symbol inside the module */
27092 return -EINVAL;
27093
27094- if (loc < core + core_ro_size)
27095+ if (loc < core_rx + core_size_rx)
27096 readonly = true;
27097 else
27098 readonly = false;
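Review bot: The new `readonly` test, `if (loc < core_rx + core_size_rx)`, has no lower bound, so a `loc` inside the RW region is classed as read-only whenever that region sits below `core_rx`. The range check just above accepts either region and nothing in the hunk fixes their relative order, so the test should name the RX range explicitly: `readonly = loc >= core_rx && loc < core_rx + core_size_rx;`. How `readonly` is consumed is outside the hunk. If it drives a make-writable/restore-read-only sequence, a misclassified RW page would presumably be left read-only afterwards.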
27099diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
27100index 469b23d..5449cfe 100644
27101--- a/arch/x86/kernel/machine_kexec_32.c
27102+++ b/arch/x86/kernel/machine_kexec_32.c
27103@@ -26,7 +26,7 @@
27104 #include <asm/cacheflush.h>
27105 #include <asm/debugreg.h>
27106
27107-static void set_idt(void *newidt, __u16 limit)
27108+static void set_idt(struct desc_struct *newidt, __u16 limit)
27109 {
27110 struct desc_ptr curidt;
27111
27112@@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16 limit)
27113 }
27114
27115
27116-static void set_gdt(void *newgdt, __u16 limit)
27117+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
27118 {
27119 struct desc_ptr curgdt;
27120
27121@@ -216,7 +216,7 @@ void machine_kexec(struct kimage *image)
27122 }
27123
27124 control_page = page_address(image->control_code_page);
27125- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
27126+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
27127
27128 relocate_kernel_ptr = control_page;
27129 page_list[PA_CONTROL_PAGE] = __pa(control_page);
27130diff --git a/arch/x86/kernel/mcount_64.S b/arch/x86/kernel/mcount_64.S
27131index 94ea120..4154cea 100644
27132--- a/arch/x86/kernel/mcount_64.S
27133+++ b/arch/x86/kernel/mcount_64.S
27134@@ -7,7 +7,7 @@
27135 #include <linux/linkage.h>
27136 #include <asm/ptrace.h>
27137 #include <asm/ftrace.h>
27138-
27139+#include <asm/alternative-asm.h>
27140
27141 .code64
27142 .section .entry.text, "ax"
27143@@ -148,8 +148,9 @@
27144 #ifdef CONFIG_DYNAMIC_FTRACE
27145
27146 ENTRY(function_hook)
27147+ pax_force_retaddr
27148 retq
27149-END(function_hook)
27150+ENDPROC(function_hook)
27151
27152 ENTRY(ftrace_caller)
27153 /* save_mcount_regs fills in first two parameters */
27154@@ -181,8 +182,9 @@ GLOBAL(ftrace_graph_call)
27155 #endif
27156
27157 GLOBAL(ftrace_stub)
27158+ pax_force_retaddr
27159 retq
27160-END(ftrace_caller)
27161+ENDPROC(ftrace_caller)
27162
27163 ENTRY(ftrace_regs_caller)
27164 /* Save the current flags before any operations that can change them */
27165@@ -253,7 +255,7 @@ GLOBAL(ftrace_regs_caller_end)
27166
27167 jmp ftrace_return
27168
27169-END(ftrace_regs_caller)
27170+ENDPROC(ftrace_regs_caller)
27171
27172
27173 #else /* ! CONFIG_DYNAMIC_FTRACE */
27174@@ -272,18 +274,20 @@ fgraph_trace:
27175 #endif
27176
27177 GLOBAL(ftrace_stub)
27178+ pax_force_retaddr
27179 retq
27180
27181 trace:
27182 /* save_mcount_regs fills in first two parameters */
27183 save_mcount_regs
27184
27185+ pax_force_fptr ftrace_trace_function
27186 call *ftrace_trace_function
27187
27188 restore_mcount_regs
27189
27190 jmp fgraph_trace
27191-END(function_hook)
27192+ENDPROC(function_hook)
27193 #endif /* CONFIG_DYNAMIC_FTRACE */
27194 #endif /* CONFIG_FUNCTION_TRACER */
27195
27196@@ -305,8 +309,9 @@ ENTRY(ftrace_graph_caller)
27197
27198 restore_mcount_regs
27199
27200+ pax_force_retaddr
27201 retq
27202-END(ftrace_graph_caller)
27203+ENDPROC(ftrace_graph_caller)
27204
27205 GLOBAL(return_to_handler)
27206 subq $24, %rsp
27207@@ -322,5 +327,7 @@ GLOBAL(return_to_handler)
27208 movq 8(%rsp), %rdx
27209 movq (%rsp), %rax
27210 addq $24, %rsp
27211+ pax_force_fptr %rdi
27212 jmp *%rdi
27213+ENDPROC(return_to_handler)
27214 #endif
27215diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
27216index 005c03e..7000fe4 100644
27217--- a/arch/x86/kernel/module.c
27218+++ b/arch/x86/kernel/module.c
27219@@ -75,17 +75,17 @@ static unsigned long int get_module_load_offset(void)
27220 }
27221 #endif
27222
27223-void *module_alloc(unsigned long size)
27224+static inline void *__module_alloc(unsigned long size, pgprot_t prot)
27225 {
27226 void *p;
27227
27228- if (PAGE_ALIGN(size) > MODULES_LEN)
27229+ if (!size || PAGE_ALIGN(size) > MODULES_LEN)
27230 return NULL;
27231
27232 p = __vmalloc_node_range(size, MODULE_ALIGN,
27233 MODULES_VADDR + get_module_load_offset(),
27234- MODULES_END, GFP_KERNEL | __GFP_HIGHMEM,
27235- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
27236+ MODULES_END, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
27237+ prot, 0, NUMA_NO_NODE,
27238 __builtin_return_address(0));
27239 if (p && (kasan_module_alloc(p, size) < 0)) {
27240 vfree(p);
27241@@ -95,6 +95,51 @@ void *module_alloc(unsigned long size)
27242 return p;
27243 }
27244
27245+void *module_alloc(unsigned long size)
27246+{
27247+
27248+#ifdef CONFIG_PAX_KERNEXEC
27249+ return __module_alloc(size, PAGE_KERNEL);
27250+#else
27251+ return __module_alloc(size, PAGE_KERNEL_EXEC);
27252+#endif
27253+
27254+}
27255+
27256+#ifdef CONFIG_PAX_KERNEXEC
27257+#ifdef CONFIG_X86_32
27258+void *module_alloc_exec(unsigned long size)
27259+{
27260+ struct vm_struct *area;
27261+
27262+ if (size == 0)
27263+ return NULL;
27264+
27265+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
27266+return area ? area->addr : NULL;
27267+}
27268+EXPORT_SYMBOL(module_alloc_exec);
27269+
27270+void module_memfree_exec(void *module_region)
27271+{
27272+ vunmap(module_region);
27273+}
27274+EXPORT_SYMBOL(module_memfree_exec);
27275+#else
27276+void module_memfree_exec(void *module_region)
27277+{
27278+ module_memfree(module_region);
27279+}
27280+EXPORT_SYMBOL(module_memfree_exec);
27281+
27282+void *module_alloc_exec(unsigned long size)
27283+{
27284+ return __module_alloc(size, PAGE_KERNEL_RX);
27285+}
27286+EXPORT_SYMBOL(module_alloc_exec);
27287+#endif
27288+#endif
27289+
27290 #ifdef CONFIG_X86_32
27291 int apply_relocate(Elf32_Shdr *sechdrs,
27292 const char *strtab,
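Review bot: In the CONFIG_X86_32 variant of `module_alloc_exec`, the line `return area ? area->addr : NULL;` starts at column 0 and should carry the same tab indent as the statements around it. That variant also checks only `size == 0`, whereas `__module_alloc` additionally rejects `PAGE_ALIGN(size) > MODULES_LEN`. If the exec range has its own bound, a matching upper check would help, or a comment saying that `__get_vm_area` enforces it. Neither variant has a comment stating which protection the returned region carries, or that it is presumably meant to be released with `module_memfree_exec` rather than `module_memfree`, which is worth a short comment block on each.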
27293@@ -105,14 +150,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
27294 unsigned int i;
27295 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
27296 Elf32_Sym *sym;
27297- uint32_t *location;
27298+ uint32_t *plocation, location;
27299
27300 DEBUGP("Applying relocate section %u to %u\n",
27301 relsec, sechdrs[relsec].sh_info);
27302 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
27303 /* This is where to make the change */
27304- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
27305- + rel[i].r_offset;
27306+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
27307+ location = (uint32_t)plocation;
27308+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
27309+ plocation = (uint32_t *)ktla_ktva((unsigned long)plocation);
27310 /* This is the symbol it is referring to. Note that all
27311 undefined symbols have been resolved. */
27312 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
27313@@ -121,11 +168,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
27314 switch (ELF32_R_TYPE(rel[i].r_info)) {
27315 case R_386_32:
27316 /* We add the value into the location given */
27317- *location += sym->st_value;
27318+ pax_open_kernel();
27319+ *plocation += sym->st_value;
27320+ pax_close_kernel();
27321 break;
27322 case R_386_PC32:
27323 /* Add the value, subtract its position */
27324- *location += sym->st_value - (uint32_t)location;
27325+ pax_open_kernel();
27326+ *plocation += sym->st_value - location;
27327+ pax_close_kernel();
27328 break;
27329 default:
27330 pr_err("%s: Unknown relocation: %u\n",
27331@@ -170,21 +221,30 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
27332 case R_X86_64_NONE:
27333 break;
27334 case R_X86_64_64:
27335+ pax_open_kernel();
27336 *(u64 *)loc = val;
27337+ pax_close_kernel();
27338 break;
27339 case R_X86_64_32:
27340+ pax_open_kernel();
27341 *(u32 *)loc = val;
27342+ pax_close_kernel();
27343 if (val != *(u32 *)loc)
27344 goto overflow;
27345 break;
27346 case R_X86_64_32S:
27347+ pax_open_kernel();
27348 *(s32 *)loc = val;
27349+ pax_close_kernel();
27350 if ((s64)val != *(s32 *)loc)
27351 goto overflow;
27352 break;
27353 case R_X86_64_PC32:
27354 val -= (u64)loc;
27355+ pax_open_kernel();
27356 *(u32 *)loc = val;
27357+ pax_close_kernel();
27358+
27359 #if 0
27360 if ((s64)val != *(s32 *)loc)
27361 goto overflow;
27362diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
27363index 113e707..0a690e1 100644
27364--- a/arch/x86/kernel/msr.c
27365+++ b/arch/x86/kernel/msr.c
27366@@ -39,6 +39,7 @@
27367 #include <linux/notifier.h>
27368 #include <linux/uaccess.h>
27369 #include <linux/gfp.h>
27370+#include <linux/grsecurity.h>
27371
27372 #include <asm/processor.h>
27373 #include <asm/msr.h>
27374@@ -105,6 +106,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
27375 int err = 0;
27376 ssize_t bytes = 0;
27377
27378+#ifdef CONFIG_GRKERNSEC_KMEM
27379+ gr_handle_msr_write();
27380+ return -EPERM;
27381+#endif
27382+
27383 if (count % 8)
27384 return -EINVAL; /* Invalid chunk size */
27385
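Review bot: With CONFIG_GRKERNSEC_KMEM set, the unconditional `return -EPERM;` added at the top of `msr_write` leaves the rest of the function unreachable, which can trigger unused-variable warnings and hides the policy from anyone reading the body. Placing the original body under `#else` makes the two configurations explicit. The msr_ioctl hunk below has the same shape, and there the direct `return -EPERM;` also departs from the `err = ...; break;` convention of the neighbouring branches, so anything after the switch (outside the hunk) is skipped. Using `err = -EPERM; break;` after the `gr_handle_msr_write();` call would keep a single exit path. Both function bodies continue outside their hunks.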
27386@@ -152,6 +158,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
27387 err = -EBADF;
27388 break;
27389 }
27390+#ifdef CONFIG_GRKERNSEC_KMEM
27391+ gr_handle_msr_write();
27392+ return -EPERM;
27393+#endif
27394 if (copy_from_user(&regs, uregs, sizeof regs)) {
27395 err = -EFAULT;
27396 break;
27397@@ -235,7 +245,7 @@ static int msr_class_cpu_callback(struct notifier_block *nfb,
27398 return notifier_from_errno(err);
27399 }
27400
27401-static struct notifier_block __refdata msr_class_cpu_notifier = {
27402+static struct notifier_block msr_class_cpu_notifier = {
27403 .notifier_call = msr_class_cpu_callback,
27404 };
27405
27406diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
27407index d05bd2e..f690edd 100644
27408--- a/arch/x86/kernel/nmi.c
27409+++ b/arch/x86/kernel/nmi.c
27410@@ -98,16 +98,16 @@ fs_initcall(nmi_warning_debugfs);
27411
27412 static void nmi_max_handler(struct irq_work *w)
27413 {
27414- struct nmiaction *a = container_of(w, struct nmiaction, irq_work);
27415+ struct nmiwork *n = container_of(w, struct nmiwork, irq_work);
27416 int remainder_ns, decimal_msecs;
27417- u64 whole_msecs = ACCESS_ONCE(a->max_duration);
27418+ u64 whole_msecs = ACCESS_ONCE(n->max_duration);
27419
27420 remainder_ns = do_div(whole_msecs, (1000 * 1000));
27421 decimal_msecs = remainder_ns / 1000;
27422
27423 printk_ratelimited(KERN_INFO
27424 "INFO: NMI handler (%ps) took too long to run: %lld.%03d msecs\n",
27425- a->handler, whole_msecs, decimal_msecs);
27426+ n->action->handler, whole_msecs, decimal_msecs);
27427 }
27428
27429 static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27430@@ -134,11 +134,11 @@ static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27431 delta = sched_clock() - delta;
27432 trace_nmi_handler(a->handler, (int)delta, thishandled);
27433
27434- if (delta < nmi_longest_ns || delta < a->max_duration)
27435+ if (delta < nmi_longest_ns || delta < a->work->max_duration)
27436 continue;
27437
27438- a->max_duration = delta;
27439- irq_work_queue(&a->irq_work);
27440+ a->work->max_duration = delta;
27441+ irq_work_queue(&a->work->irq_work);
27442 }
27443
27444 rcu_read_unlock();
27445@@ -148,7 +148,7 @@ static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27446 }
27447 NOKPROBE_SYMBOL(nmi_handle);
27448
27449-int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27450+int __register_nmi_handler(unsigned int type, const struct nmiaction *action)
27451 {
27452 struct nmi_desc *desc = nmi_to_desc(type);
27453 unsigned long flags;
27454@@ -156,7 +156,8 @@ int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27455 if (!action->handler)
27456 return -EINVAL;
27457
27458- init_irq_work(&action->irq_work, nmi_max_handler);
27459+ action->work->action = action;
27460+ init_irq_work(&action->work->irq_work, nmi_max_handler);
27461
27462 spin_lock_irqsave(&desc->lock, flags);
27463
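Review bot: `action->work->action = action;` dereferences `action->work` without a check, although the guard two lines above validates only `action->handler`. The definition of `struct nmiaction` and the `register_nmi_handler` macro are outside the hunk, so the pointer may always be populated. Since the function already returns `-EINVAL` for a bad action, the guard could cover it anyway: `if (!action->handler || !action->work) return -EINVAL;`. A comment noting that the mutable state now lives in `*action->work` because `action` itself is const would explain the split.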
27464@@ -174,9 +175,9 @@ int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27465 * event confuses some handlers (kdump uses this flag)
27466 */
27467 if (action->flags & NMI_FLAG_FIRST)
27468- list_add_rcu(&action->list, &desc->head);
27469+ pax_list_add_rcu((struct list_head *)&action->list, &desc->head);
27470 else
27471- list_add_tail_rcu(&action->list, &desc->head);
27472+ pax_list_add_tail_rcu((struct list_head *)&action->list, &desc->head);
27473
27474 spin_unlock_irqrestore(&desc->lock, flags);
27475 return 0;
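Review bot: The casts `(struct list_head *)&action->list` discard the `const` that this commit adds to the `action` parameter, so the list linkage inside an object declared const is still written. Presumably `pax_list_add_rcu` and `pax_list_add_tail_rcu` exist to make that write safe for read-only data, but nothing at the call site says so. A comment such as `/* action may live in read-only memory; pax_list_* performs the write */` would stop a later cleanup from switching back to the plain list helpers. The `pax_list_del_rcu` call in the unregister_nmi_handler hunk below uses the same cast.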
27476@@ -199,7 +200,7 @@ void unregister_nmi_handler(unsigned int type, const char *name)
27477 if (!strcmp(n->name, name)) {
27478 WARN(in_nmi(),
27479 "Trying to free NMI (%s) from NMI context!\n", n->name);
27480- list_del_rcu(&n->list);
27481+ pax_list_del_rcu((struct list_head *)&n->list);
27482 break;
27483 }
27484 }
27485@@ -481,6 +482,17 @@ static DEFINE_PER_CPU(int, update_debug_stack);
27486 dotraplinkage notrace void
27487 do_nmi(struct pt_regs *regs, long error_code)
27488 {
27489+
27490+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
27491+ if (!user_mode(regs)) {
27492+ unsigned long cs = regs->cs & 0xFFFF;
27493+ unsigned long ip = ktva_ktla(regs->ip);
27494+
27495+ if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
27496+ regs->ip = ip;
27497+ }
27498+#endif
27499+
27500 if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
27501 this_cpu_write(nmi_state, NMI_LATCHED);
27502 return;
27503diff --git a/arch/x86/kernel/nmi_selftest.c b/arch/x86/kernel/nmi_selftest.c
27504index 6d9582e..f746287 100644
27505--- a/arch/x86/kernel/nmi_selftest.c
27506+++ b/arch/x86/kernel/nmi_selftest.c
27507@@ -43,7 +43,7 @@ static void __init init_nmi_testsuite(void)
27508 {
27509 /* trap all the unknown NMIs we may generate */
27510 register_nmi_handler(NMI_UNKNOWN, nmi_unk_cb, 0, "nmi_selftest_unk",
27511- __initdata);
27512+ __initconst);
27513 }
27514
27515 static void __init cleanup_nmi_testsuite(void)
27516@@ -66,7 +66,7 @@ static void __init test_nmi_ipi(struct cpumask *mask)
27517 unsigned long timeout;
27518
27519 if (register_nmi_handler(NMI_LOCAL, test_nmi_ipi_callback,
27520- NMI_FLAG_FIRST, "nmi_selftest", __initdata)) {
27521+ NMI_FLAG_FIRST, "nmi_selftest", __initconst)) {
27522 nmi_fail = FAILURE;
27523 return;
27524 }
27525diff --git a/arch/x86/kernel/paravirt-spinlocks.c b/arch/x86/kernel/paravirt-spinlocks.c
27526index 33ee3e0..da3519a 100644
27527--- a/arch/x86/kernel/paravirt-spinlocks.c
27528+++ b/arch/x86/kernel/paravirt-spinlocks.c
27529@@ -23,7 +23,7 @@ bool pv_is_native_spin_unlock(void)
27530 }
27531 #endif
27532
27533-struct pv_lock_ops pv_lock_ops = {
27534+struct pv_lock_ops pv_lock_ops __read_only = {
27535 #ifdef CONFIG_SMP
27536 #ifdef CONFIG_QUEUED_SPINLOCKS
27537 .queued_spin_lock_slowpath = native_queued_spin_lock_slowpath,
27538diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
27539index 58bcfb6..0adb7d7 100644
27540--- a/arch/x86/kernel/paravirt.c
27541+++ b/arch/x86/kernel/paravirt.c
27542@@ -56,6 +56,9 @@ u64 _paravirt_ident_64(u64 x)
27543 {
27544 return x;
27545 }
27546+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
27547+PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
27548+#endif
27549
27550 void __init default_banner(void)
27551 {
27552@@ -142,16 +145,20 @@ unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf,
27553
27554 if (opfunc == NULL)
27555 /* If there's no function, patch it with a ud2a (BUG) */
27556- ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
27557- else if (opfunc == _paravirt_nop)
27558+ ret = paravirt_patch_insns(insnbuf, len, (const char *)ktva_ktla((unsigned long)ud2a), ud2a+sizeof(ud2a));
27559+ else if (opfunc == (void *)_paravirt_nop)
27560 /* If the operation is a nop, then nop the callsite */
27561 ret = paravirt_patch_nop();
27562
27563 /* identity functions just return their single argument */
27564- else if (opfunc == _paravirt_ident_32)
27565+ else if (opfunc == (void *)_paravirt_ident_32)
27566 ret = paravirt_patch_ident_32(insnbuf, len);
27567- else if (opfunc == _paravirt_ident_64)
27568+ else if (opfunc == (void *)_paravirt_ident_64)
27569 ret = paravirt_patch_ident_64(insnbuf, len);
27570+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
27571+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
27572+ ret = paravirt_patch_ident_64(insnbuf, len);
27573+#endif
27574
27575 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
27576 #ifdef CONFIG_X86_32
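Review bot: In the `opfunc == NULL` branch the start pointer is passed as `ktva_ktla((unsigned long)ud2a)` while the end pointer stays `ud2a+sizeof(ud2a)`, so the two ends of the range are in different address forms. paravirt_patch_insns begins outside these hunks. If it derives the length from `end - start`, as the `insn_len > len` test in the next hunk suggests, the length is only correct when the translation is the identity. Applying the same conversion to both arguments, or adding a comment that states why only `start` needs it, would make the call self-consistent.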
27577@@ -178,7 +185,7 @@ unsigned paravirt_patch_insns(void *insnbuf, unsigned len,
27578 if (insn_len > len || start == NULL)
27579 insn_len = len;
27580 else
27581- memcpy(insnbuf, start, insn_len);
27582+ memcpy(insnbuf, (const char *)ktla_ktva((unsigned long)start), insn_len);
27583
27584 return insn_len;
27585 }
27586@@ -302,7 +309,7 @@ enum paravirt_lazy_mode paravirt_get_lazy_mode(void)
27587 return this_cpu_read(paravirt_lazy_mode);
27588 }
27589
27590-struct pv_info pv_info = {
27591+struct pv_info pv_info __read_only = {
27592 .name = "bare hardware",
27593 .paravirt_enabled = 0,
27594 .kernel_rpl = 0,
27595@@ -313,16 +320,16 @@ struct pv_info pv_info = {
27596 #endif
27597 };
27598
27599-struct pv_init_ops pv_init_ops = {
27600+struct pv_init_ops pv_init_ops __read_only = {
27601 .patch = native_patch,
27602 };
27603
27604-struct pv_time_ops pv_time_ops = {
27605+struct pv_time_ops pv_time_ops __read_only = {
27606 .sched_clock = native_sched_clock,
27607 .steal_clock = native_steal_clock,
27608 };
27609
27610-__visible struct pv_irq_ops pv_irq_ops = {
27611+__visible struct pv_irq_ops pv_irq_ops __read_only = {
27612 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
27613 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
27614 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
27615@@ -334,7 +341,7 @@ __visible struct pv_irq_ops pv_irq_ops = {
27616 #endif
27617 };
27618
27619-__visible struct pv_cpu_ops pv_cpu_ops = {
27620+__visible struct pv_cpu_ops pv_cpu_ops __read_only = {
27621 .cpuid = native_cpuid,
27622 .get_debugreg = native_get_debugreg,
27623 .set_debugreg = native_set_debugreg,
27624@@ -397,21 +404,26 @@ NOKPROBE_SYMBOL(native_get_debugreg);
27625 NOKPROBE_SYMBOL(native_set_debugreg);
27626 NOKPROBE_SYMBOL(native_load_idt);
27627
27628-struct pv_apic_ops pv_apic_ops = {
27629+struct pv_apic_ops pv_apic_ops __read_only= {
27630 #ifdef CONFIG_X86_LOCAL_APIC
27631 .startup_ipi_hook = paravirt_nop,
27632 #endif
27633 };
27634
27635-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
27636+#ifdef CONFIG_X86_32
27637+#ifdef CONFIG_X86_PAE
27638+/* 64-bit pagetable entries */
27639+#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
27640+#else
27641 /* 32-bit pagetable entries */
27642 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
27643+#endif
27644 #else
27645 /* 64-bit pagetable entries */
27646 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
27647 #endif
27648
27649-struct pv_mmu_ops pv_mmu_ops = {
27650+struct pv_mmu_ops pv_mmu_ops __read_only = {
27651
27652 .read_cr2 = native_read_cr2,
27653 .write_cr2 = native_write_cr2,
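Review bot: `struct pv_apic_ops pv_apic_ops __read_only= {` is missing the space before `=`, unlike the other `__read_only = {` definitions changed in this file; it should read `struct pv_apic_ops pv_apic_ops __read_only = {`. The nested `#ifdef CONFIG_X86_32` / `#ifdef CONFIG_X86_PAE` block that follows would also be easier to follow with `/* CONFIG_X86_PAE */` and `/* CONFIG_X86_32 */` comments on the inner `#endif` and the outer `#else`.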
27654@@ -461,6 +473,7 @@ struct pv_mmu_ops pv_mmu_ops = {
27655 .make_pud = PTE_IDENT,
27656
27657 .set_pgd = native_set_pgd,
27658+ .set_pgd_batched = native_set_pgd_batched,
27659 #endif
27660 #endif /* CONFIG_PGTABLE_LEVELS >= 3 */
27661
27662@@ -481,6 +494,12 @@ struct pv_mmu_ops pv_mmu_ops = {
27663 },
27664
27665 .set_fixmap = native_set_fixmap,
27666+
27667+#ifdef CONFIG_PAX_KERNEXEC
27668+ .pax_open_kernel = native_pax_open_kernel,
27669+ .pax_close_kernel = native_pax_close_kernel,
27670+#endif
27671+
27672 };
27673
27674 EXPORT_SYMBOL_GPL(pv_time_ops);
27675diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c
27676index 8aa0558..465512e 100644
27677--- a/arch/x86/kernel/paravirt_patch_64.c
27678+++ b/arch/x86/kernel/paravirt_patch_64.c
27679@@ -9,7 +9,11 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
27680 DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax");
27681 DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax");
27682 DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3");
27683+
27684+#ifndef CONFIG_PAX_MEMORY_UDEREF
27685 DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)");
27686+#endif
27687+
27688 DEF_NATIVE(pv_cpu_ops, clts, "clts");
27689 DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd");
27690
27691@@ -62,7 +66,11 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
27692 PATCH_SITE(pv_mmu_ops, read_cr3);
27693 PATCH_SITE(pv_mmu_ops, write_cr3);
27694 PATCH_SITE(pv_cpu_ops, clts);
27695+
27696+#ifndef CONFIG_PAX_MEMORY_UDEREF
27697 PATCH_SITE(pv_mmu_ops, flush_tlb_single);
27698+#endif
27699+
27700 PATCH_SITE(pv_cpu_ops, wbinvd);
27701 #if defined(CONFIG_PARAVIRT_SPINLOCKS) && defined(CONFIG_QUEUED_SPINLOCKS)
27702 case PARAVIRT_PATCH(pv_lock_ops.queued_spin_unlock):
27703diff --git a/arch/x86/kernel/pci-calgary_64.c b/arch/x86/kernel/pci-calgary_64.c
27704index 0497f71..7186c0d 100644
27705--- a/arch/x86/kernel/pci-calgary_64.c
27706+++ b/arch/x86/kernel/pci-calgary_64.c
27707@@ -1347,7 +1347,7 @@ static void __init get_tce_space_from_tar(void)
27708 tce_space = be64_to_cpu(readq(target));
27709 tce_space = tce_space & TAR_SW_BITS;
27710
27711- tce_space = tce_space & (~specified_table_size);
27712+ tce_space = tce_space & (~(unsigned long)specified_table_size);
27713 info->tce_space = (u64 *)__va(tce_space);
27714 }
27715 }
27716diff --git a/arch/x86/kernel/pci-iommu_table.c b/arch/x86/kernel/pci-iommu_table.c
27717index 35ccf75..7a15747 100644
27718--- a/arch/x86/kernel/pci-iommu_table.c
27719+++ b/arch/x86/kernel/pci-iommu_table.c
27720@@ -2,7 +2,7 @@
27721 #include <asm/iommu_table.h>
27722 #include <linux/string.h>
27723 #include <linux/kallsyms.h>
27724-
27725+#include <linux/sched.h>
27726
27727 #define DEBUG 1
27728
27729diff --git a/arch/x86/kernel/pci-swiotlb.c b/arch/x86/kernel/pci-swiotlb.c
27730index adf0392..88a7576 100644
27731--- a/arch/x86/kernel/pci-swiotlb.c
27732+++ b/arch/x86/kernel/pci-swiotlb.c
27733@@ -40,7 +40,7 @@ void x86_swiotlb_free_coherent(struct device *dev, size_t size,
27734 struct dma_attrs *attrs)
27735 {
27736 if (is_swiotlb_buffer(dma_to_phys(dev, dma_addr)))
27737- swiotlb_free_coherent(dev, size, vaddr, dma_addr);
27738+ swiotlb_free_coherent(dev, size, vaddr, dma_addr, attrs);
27739 else
27740 dma_generic_free_coherent(dev, size, vaddr, dma_addr, attrs);
27741 }
27742diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
27743index c27cad7..47e3f47 100644
27744--- a/arch/x86/kernel/process.c
27745+++ b/arch/x86/kernel/process.c
27746@@ -15,6 +15,7 @@
27747 #include <linux/dmi.h>
27748 #include <linux/utsname.h>
27749 #include <linux/stackprotector.h>
27750+#include <linux/kthread.h>
27751 #include <linux/tick.h>
27752 #include <linux/cpuidle.h>
27753 #include <trace/events/power.h>
27754@@ -37,7 +38,8 @@
27755 * section. Since TSS's are completely CPU-local, we want them
27756 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
27757 */
27758-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
27759+struct tss_struct cpu_tss[NR_CPUS] __visible ____cacheline_internodealigned_in_smp = {
27760+ [0 ... NR_CPUS-1] = {
27761 .x86_tss = {
27762 .sp0 = TOP_OF_INIT_STACK,
27763 #ifdef CONFIG_X86_32
27764@@ -55,6 +57,7 @@ __visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
27765 */
27766 .io_bitmap = { [0 ... IO_BITMAP_LONGS] = ~0 },
27767 #endif
27768+}
27769 };
27770 EXPORT_PER_CPU_SYMBOL(cpu_tss);
27771
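Review bot: `EXPORT_PER_CPU_SYMBOL(cpu_tss);` is kept as context although the previous hunk turns `cpu_tss` from a `DEFINE_PER_CPU_SHARED_ALIGNED` variable into a plain `cpu_tss[NR_CPUS]` array. The export macro no longer describes the symbol, and code that still reaches it through the per-CPU accessors would presumably compute the wrong address. `EXPORT_SYMBOL(cpu_tss);` would match the new definition, together with a one-line comment on the array saying it is indexed by CPU number. The added `[0 ... NR_CPUS-1] = {` wrapper also leaves the inner initializer and its closing `}` at the old indent level.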
27772@@ -75,17 +78,35 @@ void idle_notifier_unregister(struct notifier_block *n)
27773 EXPORT_SYMBOL_GPL(idle_notifier_unregister);
27774 #endif
27775
27776+struct kmem_cache *fpregs_state_cachep;
27777+EXPORT_SYMBOL(fpregs_state_cachep);
27778+
27779+void __init arch_task_cache_init(void)
27780+{
27781+ /* create a slab on which task_structs can be allocated */
27782+ fpregs_state_cachep =
27783+ kmem_cache_create("fpregs_state", xstate_size,
27784+ ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
27785+}
27786+
27787 /*
27788 * this gets called so that we can store lazy state into memory and copy the
27789 * current task into the new thread.
27790 */
27791 int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
27792 {
27793- memcpy(dst, src, arch_task_struct_size);
27794+ *dst = *src;
27795
27796+ dst->thread.fpu.state = kmem_cache_alloc_node(fpregs_state_cachep, GFP_KERNEL, tsk_fork_get_node(src));
27797 return fpu__copy(&dst->thread.fpu, &src->thread.fpu);
27798 }
27799
27800+void arch_release_task_struct(struct task_struct *tsk)
27801+{
27802+ kmem_cache_free(fpregs_state_cachep, tsk->thread.fpu.state);
27803+ tsk->thread.fpu.state = NULL;
27804+}
27805+
27806 /*
27807 * Free current thread data structures etc..
27808 */
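Review bot: `arch_dup_task_struct` stores the result of `kmem_cache_alloc_node()` in `dst->thread.fpu.state` and passes it straight to `fpu__copy()` without checking for NULL. `SLAB_PANIC` on the cache covers only cache creation, not individual allocations, so a failed GFP_KERNEL allocation reaches the copy. Adding `if (!dst->thread.fpu.state) return -ENOMEM;` before the `fpu__copy()` call closes that, and `arch_release_task_struct` should then not hand a NULL `state` to `kmem_cache_free()`. The comment in `arch_task_cache_init` also still says the slab is for task_structs, while the cache created is `fpregs_state`.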
27809@@ -97,7 +118,7 @@ void exit_thread(void)
27810 struct fpu *fpu = &t->fpu;
27811
27812 if (bp) {
27813- struct tss_struct *tss = &per_cpu(cpu_tss, get_cpu());
27814+ struct tss_struct *tss = cpu_tss + get_cpu();
27815
27816 t->io_bitmap_ptr = NULL;
27817 clear_thread_flag(TIF_IO_BITMAP);
27818@@ -117,6 +138,9 @@ void flush_thread(void)
27819 {
27820 struct task_struct *tsk = current;
27821
27822+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
27823+ loadsegment(gs, 0);
27824+#endif
27825 flush_ptrace_hw_breakpoint(tsk);
27826 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
27827
27828@@ -258,7 +282,7 @@ static void __exit_idle(void)
27829 void exit_idle(void)
27830 {
27831 /* idle loop has pid 0 */
27832- if (current->pid)
27833+ if (task_pid_nr(current))
27834 return;
27835 __exit_idle();
27836 }
27837@@ -311,7 +335,7 @@ bool xen_set_default_idle(void)
27838 return ret;
27839 }
27840 #endif
27841-void stop_this_cpu(void *dummy)
27842+__noreturn void stop_this_cpu(void *dummy)
27843 {
27844 local_irq_disable();
27845 /*
27846@@ -488,16 +512,40 @@ static int __init idle_setup(char *str)
27847 }
27848 early_param("idle", idle_setup);
27849
27850-unsigned long arch_align_stack(unsigned long sp)
27851-{
27852- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
27853- sp -= get_random_int() % 8192;
27854- return sp & ~0xf;
27855-}
27856-
27857 unsigned long arch_randomize_brk(struct mm_struct *mm)
27858 {
27859 unsigned long range_end = mm->brk + 0x02000000;
27860 return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
27861 }
27862
27863+#ifdef CONFIG_PAX_RANDKSTACK
27864+void pax_randomize_kstack(struct pt_regs *regs)
27865+{
27866+ struct thread_struct *thread = &current->thread;
27867+ unsigned long time;
27868+
27869+ if (!randomize_va_space)
27870+ return;
27871+
27872+ if (v8086_mode(regs))
27873+ return;
27874+
27875+ rdtscl(time);
27876+
27877+ /* P4 seems to return a 0 LSB, ignore it */
27878+#ifdef CONFIG_MPENTIUM4
27879+ time &= 0x3EUL;
27880+ time <<= 2;
27881+#elif defined(CONFIG_X86_64)
27882+ time &= 0xFUL;
27883+ time <<= 4;
27884+#else
27885+ time &= 0x1FUL;
27886+ time <<= 3;
27887+#endif
27888+
27889+ thread->sp0 ^= time;
27890+ load_sp0(cpu_tss + smp_processor_id(), thread);
27891+ this_cpu_write(cpu_current_top_of_stack, thread->sp0);
27892+}
27893+#endif
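Review bot: `pax_randomize_kstack` has no header comment stating how much randomness it applies or where it comes from. The offset is the low bits of `rdtscl()`, masked to five bits at 8-byte granularity (`0x3E << 2`, `0x1F << 3`) or four bits at 16-byte granularity (`0xF << 4`), then XORed into `thread->sp0`. A comment such as `/* XOR 4-5 TSC-derived bits into sp0; a timestamp counter is not a CSPRNG */` would tell reviewers what guarantee the feature gives. The comment could also note that `smp_processor_id()` assumes a caller that cannot migrate. The same hunk deletes `arch_align_stack`, and its replacement is not in view.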
27894diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
27895index f73c962..6589332 100644
27896--- a/arch/x86/kernel/process_32.c
27897+++ b/arch/x86/kernel/process_32.c
27898@@ -63,6 +63,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread");
27899 unsigned long thread_saved_pc(struct task_struct *tsk)
27900 {
27901 return ((unsigned long *)tsk->thread.sp)[3];
27902+//XXX return tsk->thread.eip;
27903 }
27904
27905 void __show_regs(struct pt_regs *regs, int all)
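Review bot: The added `//XXX return tsk->thread.eip;` sits after the function's `return`, so it is commented-out code with no explanation of what is pending. Either drop it or turn it into a real note, for example `/* XXX: consider returning the saved ip from thread_struct instead of reading the stack slot */`, so the open question is recorded. It also uses a `//` comment where the surrounding context lines in these hunks use `/* */`.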
27906@@ -75,16 +76,15 @@ void __show_regs(struct pt_regs *regs, int all)
27907 if (user_mode(regs)) {
27908 sp = regs->sp;
27909 ss = regs->ss & 0xffff;
27910- gs = get_user_gs(regs);
27911 } else {
27912 sp = kernel_stack_pointer(regs);
27913 savesegment(ss, ss);
27914- savesegment(gs, gs);
27915 }
27916+ gs = get_user_gs(regs);
27917
27918 printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n",
27919 (u16)regs->cs, regs->ip, regs->flags,
27920- smp_processor_id());
27921+ raw_smp_processor_id());
27922 print_symbol("EIP is at %s\n", regs->ip);
27923
27924 printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n",
27925@@ -131,21 +131,22 @@ void release_thread(struct task_struct *dead_task)
27926 int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
27927 unsigned long arg, struct task_struct *p, unsigned long tls)
27928 {
27929- struct pt_regs *childregs = task_pt_regs(p);
27930+ struct pt_regs *childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
27931 struct task_struct *tsk;
27932 int err;
27933
27934 p->thread.sp = (unsigned long) childregs;
27935 p->thread.sp0 = (unsigned long) (childregs+1);
27936+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long);
27937 memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
27938
27939 if (unlikely(p->flags & PF_KTHREAD)) {
27940 /* kernel thread */
27941 memset(childregs, 0, sizeof(struct pt_regs));
27942 p->thread.ip = (unsigned long) ret_from_kernel_thread;
27943- task_user_gs(p) = __KERNEL_STACK_CANARY;
27944- childregs->ds = __USER_DS;
27945- childregs->es = __USER_DS;
27946+ savesegment(gs, childregs->gs);
27947+ childregs->ds = __KERNEL_DS;
27948+ childregs->es = __KERNEL_DS;
27949 childregs->fs = __KERNEL_PERCPU;
27950 childregs->bx = sp; /* function */
27951 childregs->bp = arg;
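Review bot: The new `childregs` computation, `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8`, replaces `task_pt_regs(p)` with open-coded arithmetic and a bare `8`, and `lowest_stack` is set with a bare `2 * sizeof(unsigned long)`. The process_64.c hunk further down does the same with `THREAD_SIZE - 16`. Named constants, with a comment on what the reserved bytes at the top and bottom of the stack are for, would keep the 32-bit and 64-bit paths from drifting apart. They would also keep both in step with whatever `task_pt_regs()` now returns. copy_thread_tls continues outside the hunk.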
27952@@ -245,7 +246,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27953 struct fpu *prev_fpu = &prev->fpu;
27954 struct fpu *next_fpu = &next->fpu;
27955 int cpu = smp_processor_id();
27956- struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
27957+ struct tss_struct *tss = cpu_tss + cpu;
27958 fpu_switch_t fpu_switch;
27959
27960 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
27961@@ -264,6 +265,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27962 */
27963 lazy_save_gs(prev->gs);
27964
27965+#ifdef CONFIG_PAX_MEMORY_UDEREF
27966+ __set_fs(task_thread_info(next_p)->addr_limit);
27967+#endif
27968+
27969 /*
27970 * Load the per-thread Thread-Local Storage descriptor.
27971 */
27972@@ -307,9 +312,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27973 * current_thread_info().
27974 */
27975 load_sp0(tss, next);
27976- this_cpu_write(cpu_current_top_of_stack,
27977- (unsigned long)task_stack_page(next_p) +
27978- THREAD_SIZE);
27979+ this_cpu_write(current_task, next_p);
27980+ this_cpu_write(current_tinfo, &next_p->tinfo);
27981+ this_cpu_write(cpu_current_top_of_stack, next->sp0);
27982
27983 /*
27984 * Restore %gs if needed (which is common)
27985@@ -319,8 +324,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
27986
27987 switch_fpu_finish(next_fpu, fpu_switch);
27988
27989- this_cpu_write(current_task, next_p);
27990-
27991 return prev_p;
27992 }
27993
27994@@ -350,4 +353,3 @@ unsigned long get_wchan(struct task_struct *p)
27995 } while (count++ < 16);
27996 return 0;
27997 }
27998-
27999diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
28000index f6b9163..1ab8c96 100644
28001--- a/arch/x86/kernel/process_64.c
28002+++ b/arch/x86/kernel/process_64.c
28003@@ -157,9 +157,10 @@ int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
28004 struct pt_regs *childregs;
28005 struct task_struct *me = current;
28006
28007- p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE;
28008+ p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE - 16;
28009 childregs = task_pt_regs(p);
28010 p->thread.sp = (unsigned long) childregs;
28011+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long);
28012 set_tsk_thread_flag(p, TIF_FORK);
28013 p->thread.io_bitmap_ptr = NULL;
28014
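Review bot: The `- 16` taken off the stack top in `p->thread.sp0` is a bare literal, and the same 16 recurs in the get_wchan bounds checks later in this file (`stack+THREAD_SIZE-16-sizeof(u64)`) and in the smpboot.c hunks for common_cpu_up and do_boot_cpu. sp0, the stack-walk bounds and cpu_current_top_of_stack all have to agree on where the usable stack ends, so one named constant would keep them in step, with a comment such as `/* bytes kept free at the top of every kernel stack; must match get_wchan() and smpboot.c */`. The `2 * sizeof(unsigned long)` offset in `p->tinfo.lowest_stack` needs the same kind of explanation. copy_thread_tls starts and ends outside the hunk.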
28015@@ -169,6 +170,8 @@ int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
28016 p->thread.fs = p->thread.fsindex ? 0 : me->thread.fs;
28017 savesegment(es, p->thread.es);
28018 savesegment(ds, p->thread.ds);
28019+ savesegment(ss, p->thread.ss);
28020+ BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS);
28021 memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
28022
28023 if (unlikely(p->flags & PF_KTHREAD)) {
28024@@ -276,7 +279,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28025 struct fpu *prev_fpu = &prev->fpu;
28026 struct fpu *next_fpu = &next->fpu;
28027 int cpu = smp_processor_id();
28028- struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
28029+ struct tss_struct *tss = cpu_tss + cpu;
28030 unsigned fsindex, gsindex;
28031 fpu_switch_t fpu_switch;
28032
28033@@ -327,6 +330,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28034 if (unlikely(next->ds | prev->ds))
28035 loadsegment(ds, next->ds);
28036
28037+ savesegment(ss, prev->ss);
28038+ if (unlikely(next->ss != prev->ss))
28039+ loadsegment(ss, next->ss);
28040+
28041 /*
28042 * Switch FS and GS.
28043 *
28044@@ -398,6 +405,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28045 * Switch the PDA and FPU contexts.
28046 */
28047 this_cpu_write(current_task, next_p);
28048+ this_cpu_write(current_tinfo, &next_p->tinfo);
28049
28050 /*
28051 * If it were not for PREEMPT_ACTIVE we could guarantee that the
28052@@ -410,6 +418,8 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28053 /* Reload esp0 and ss1. This changes current_thread_info(). */
28054 load_sp0(tss, next);
28055
28056+ this_cpu_write(cpu_current_top_of_stack, next->sp0);
28057+
28058 /*
28059 * Now maybe reload the debug registers and handle I/O bitmaps
28060 */
28061@@ -506,12 +516,11 @@ unsigned long get_wchan(struct task_struct *p)
28062 if (!p || p == current || p->state == TASK_RUNNING)
28063 return 0;
28064 stack = (unsigned long)task_stack_page(p);
28065- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
28066+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
28067 return 0;
28068 fp = *(u64 *)(p->thread.sp);
28069 do {
28070- if (fp < (unsigned long)stack ||
28071- fp >= (unsigned long)stack+THREAD_SIZE)
28072+ if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
28073 return 0;
28074 ip = *(u64 *)(fp+8);
28075 if (!in_sched_functions(ip))
28076diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
28077index 9be72bc..f4329c5 100644
28078--- a/arch/x86/kernel/ptrace.c
28079+++ b/arch/x86/kernel/ptrace.c
28080@@ -186,10 +186,10 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs)
28081 unsigned long sp = (unsigned long)&regs->sp;
28082 u32 *prev_esp;
28083
28084- if (context == (sp & ~(THREAD_SIZE - 1)))
28085+ if (context == ((sp + 8) & ~(THREAD_SIZE - 1)))
28086 return sp;
28087
28088- prev_esp = (u32 *)(context);
28089+ prev_esp = *(u32 **)(context);
28090 if (prev_esp)
28091 return (unsigned long)prev_esp;
28092
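Review bot: The `+ 8` in `(sp + 8) & ~(THREAD_SIZE - 1)` carries no comment, and nothing in the hunk says which stack layout it compensates for. The second change makes `prev_esp` the word stored at `context` instead of the address `context` itself, so `if (prev_esp)` now tests a loaded value rather than a pointer that could never be NULL. If the intended contract is that the base of the current stack holds the previous stack pointer, a line such as `/* word at the stack base is the saved previous sp, or 0 if none */` would record it. kernel_stack_pointer starts and ends outside the hunk.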
28093@@ -446,6 +446,20 @@ static int putreg(struct task_struct *child,
28094 if (child->thread.gs != value)
28095 return do_arch_prctl(child, ARCH_SET_GS, value);
28096 return 0;
28097+
28098+ case offsetof(struct user_regs_struct,ip):
28099+ /*
28100+ * Protect against any attempt to set ip to an
28101+ * impossible address. There are dragons lurking if the
28102+ * address is noncanonical. (This explicitly allows
28103+ * setting ip to TASK_SIZE_MAX, because user code can do
28104+ * that all by itself by running off the end of its
28105+ * address space.
28106+ */
28107+ if (value > TASK_SIZE_MAX)
28108+ return -EIO;
28109+ break;
28110+
28111 #endif
28112 }
28113
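Review bot: The comment on the new `ip` case opens a parenthesis at "(This explicitly allows" and never closes it; ending the last line with `address space.)` is the minimal fix. The check sits just before the `#endif` visible in this hunk, so it appears to cover only the configuration that part of the switch is compiled for. Whether the other paths that can write a tracee's ip apply the same `value > TASK_SIZE_MAX` bound cannot be seen from here and is worth confirming. putreg starts and ends outside the hunk.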
28114@@ -582,7 +596,7 @@ static void ptrace_triggered(struct perf_event *bp,
28115 static unsigned long ptrace_get_dr7(struct perf_event *bp[])
28116 {
28117 int i;
28118- int dr7 = 0;
28119+ unsigned long dr7 = 0;
28120 struct arch_hw_breakpoint *info;
28121
28122 for (i = 0; i < HBP_NUM; i++) {
28123@@ -816,7 +830,7 @@ long arch_ptrace(struct task_struct *child, long request,
28124 unsigned long addr, unsigned long data)
28125 {
28126 int ret;
28127- unsigned long __user *datap = (unsigned long __user *)data;
28128+ unsigned long __user *datap = (__force unsigned long __user *)data;
28129
28130 switch (request) {
28131 /* read the word at location addr in the USER area. */
28132@@ -901,14 +915,14 @@ long arch_ptrace(struct task_struct *child, long request,
28133 if ((int) addr < 0)
28134 return -EIO;
28135 ret = do_get_thread_area(child, addr,
28136- (struct user_desc __user *)data);
28137+ (__force struct user_desc __user *) data);
28138 break;
28139
28140 case PTRACE_SET_THREAD_AREA:
28141 if ((int) addr < 0)
28142 return -EIO;
28143 ret = do_set_thread_area(child, addr,
28144- (struct user_desc __user *)data, 0);
28145+ (__force struct user_desc __user *) data, 0);
28146 break;
28147 #endif
28148
28149@@ -1286,7 +1300,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
28150
28151 #ifdef CONFIG_X86_64
28152
28153-static struct user_regset x86_64_regsets[] __read_mostly = {
28154+static user_regset_no_const x86_64_regsets[] __read_only = {
28155 [REGSET_GENERAL] = {
28156 .core_note_type = NT_PRSTATUS,
28157 .n = sizeof(struct user_regs_struct) / sizeof(long),
28158@@ -1327,7 +1341,7 @@ static const struct user_regset_view user_x86_64_view = {
28159 #endif /* CONFIG_X86_64 */
28160
28161 #if defined CONFIG_X86_32 || defined CONFIG_IA32_EMULATION
28162-static struct user_regset x86_32_regsets[] __read_mostly = {
28163+static user_regset_no_const x86_32_regsets[] __read_only = {
28164 [REGSET_GENERAL] = {
28165 .core_note_type = NT_PRSTATUS,
28166 .n = sizeof(struct user_regs_struct32) / sizeof(u32),
28167@@ -1380,7 +1394,7 @@ static const struct user_regset_view user_x86_32_view = {
28168 */
28169 u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS];
28170
28171-void update_regset_xstate_info(unsigned int size, u64 xstate_mask)
28172+void __init update_regset_xstate_info(unsigned int size, u64 xstate_mask)
28173 {
28174 #ifdef CONFIG_X86_64
28175 x86_64_regsets[REGSET_XSTATE].n = size / sizeof(u64);
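Review bot: `update_regset_xstate_info()` stores into `x86_64_regsets[REGSET_XSTATE].n` with a plain assignment, while the earlier hunks in this file move both regset arrays to `__read_only`. The store therefore only works if every call happens before read-only data is write-protected, which is presumably why the function gains `__init`; that dependency deserves a comment, e.g. `/* __init only: writes __read_only regsets directly, must run before they are sealed */`. If any caller can run later than boot, the write would need the `pax_open_kernel()` / `pax_close_kernel()` bracket this patch uses elsewhere. The function body continues outside the hunk.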
28176@@ -1415,7 +1429,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
28177 memset(info, 0, sizeof(*info));
28178 info->si_signo = SIGTRAP;
28179 info->si_code = si_code;
28180- info->si_addr = user_mode(regs) ? (void __user *)regs->ip : NULL;
28181+ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
28182 }
28183
28184 void user_single_step_siginfo(struct task_struct *tsk,
28185@@ -1449,6 +1463,10 @@ static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch)
28186 }
28187 }
28188
28189+#ifdef CONFIG_GRKERNSEC_SETXID
28190+extern void gr_delayed_cred_worker(void);
28191+#endif
28192+
28193 /*
28194 * We can return 0 to resume the syscall or anything else to go to phase
28195 * 2. If we resume the syscall, we need to put something appropriate in
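Review bot: `extern void gr_delayed_cred_worker(void);` is declared directly in ptrace.c, so the compiler never checks this prototype against the definition. Putting the declaration in a header that the defining file also includes would turn a signature mismatch into a build error. The `test_and_clear_thread_flag(TIF_GRSEC_SETXID)` block is then repeated verbatim in syscall_trace_enter_phase2 and syscall_trace_leave (the next two hunks); a small static inline helper in that header would keep the two call sites identical.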
28196@@ -1556,6 +1574,11 @@ long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch,
28197
28198 BUG_ON(regs != task_pt_regs(current));
28199
28200+#ifdef CONFIG_GRKERNSEC_SETXID
28201+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
28202+ gr_delayed_cred_worker();
28203+#endif
28204+
28205 /*
28206 * If we stepped into a sysenter/syscall insn, it trapped in
28207 * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
28208@@ -1614,6 +1637,11 @@ void syscall_trace_leave(struct pt_regs *regs)
28209 */
28210 user_exit();
28211
28212+#ifdef CONFIG_GRKERNSEC_SETXID
28213+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
28214+ gr_delayed_cred_worker();
28215+#endif
28216+
28217 audit_syscall_exit(regs);
28218
28219 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
28220diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
28221index 2f355d2..e75ed0a 100644
28222--- a/arch/x86/kernel/pvclock.c
28223+++ b/arch/x86/kernel/pvclock.c
28224@@ -51,11 +51,11 @@ void pvclock_touch_watchdogs(void)
28225 reset_hung_task_detector();
28226 }
28227
28228-static atomic64_t last_value = ATOMIC64_INIT(0);
28229+static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
28230
28231 void pvclock_resume(void)
28232 {
28233- atomic64_set(&last_value, 0);
28234+ atomic64_set_unchecked(&last_value, 0);
28235 }
28236
28237 u8 pvclock_read_flags(struct pvclock_vcpu_time_info *src)
28238@@ -105,11 +105,11 @@ cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
28239 * updating at the same time, and one of them could be slightly behind,
28240 * making the assumption that last_value always go forward fail to hold.
28241 */
28242- last = atomic64_read(&last_value);
28243+ last = atomic64_read_unchecked(&last_value);
28244 do {
28245 if (ret < last)
28246 return last;
28247- last = atomic64_cmpxchg(&last_value, last, ret);
28248+ last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
28249 } while (unlikely(last != ret));
28250
28251 return ret;
28252diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
28253index 86db4bc..a50a54a 100644
28254--- a/arch/x86/kernel/reboot.c
28255+++ b/arch/x86/kernel/reboot.c
28256@@ -70,6 +70,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d)
28257
28258 void __noreturn machine_real_restart(unsigned int type)
28259 {
28260+
28261+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
28262+ struct desc_struct *gdt;
28263+#endif
28264+
28265 local_irq_disable();
28266
28267 /*
28268@@ -97,7 +102,29 @@ void __noreturn machine_real_restart(unsigned int type)
28269
28270 /* Jump to the identity-mapped low memory code */
28271 #ifdef CONFIG_X86_32
28272- asm volatile("jmpl *%0" : :
28273+
28274+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
28275+ gdt = get_cpu_gdt_table(smp_processor_id());
28276+ pax_open_kernel();
28277+#ifdef CONFIG_PAX_MEMORY_UDEREF
28278+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
28279+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
28280+ loadsegment(ds, __KERNEL_DS);
28281+ loadsegment(es, __KERNEL_DS);
28282+ loadsegment(ss, __KERNEL_DS);
28283+#endif
28284+#ifdef CONFIG_PAX_KERNEXEC
28285+ gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
28286+ gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
28287+ gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
28288+ gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
28289+ gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
28290+ gdt[GDT_ENTRY_KERNEL_CS].g = 1;
28291+#endif
28292+ pax_close_kernel();
28293+#endif
28294+
28295+ asm volatile("ljmpl *%0" : :
28296 "rm" (real_mode_header->machine_real_restart_asm),
28297 "a" (type));
28298 #else
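Review bot: `ljmpl *%0` is an indirect far jump and needs a memory operand, but the constraint on `real_mode_header->machine_real_restart_asm` is still `"rm"`, which permits the compiler to choose a register; `"m"` states the actual requirement. A far pointer also carries a selector after the offset, so the field following `machine_real_restart_asm` must hold one on 32-bit; that layout is not visible in this hunk and should be confirmed. The descriptor edits (`type = 3`, `limit = 0xf`, the zeroed `base0`/`base1`/`base2`) appear to relax the kernel segments just before the jump and would be easier to audit with a comment naming the resulting base and limit. machine_real_restart starts and ends outside the hunk.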
28299@@ -137,7 +164,7 @@ static int __init set_kbd_reboot(const struct dmi_system_id *d)
28300 /*
28301 * This is a single dmi_table handling all reboot quirks.
28302 */
28303-static struct dmi_system_id __initdata reboot_dmi_table[] = {
28304+static const struct dmi_system_id __initconst reboot_dmi_table[] = {
28305
28306 /* Acer */
28307 { /* Handle reboot issue on Acer Aspire one */
28308@@ -511,7 +538,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
28309 * This means that this function can never return, it can misbehave
28310 * by not rebooting properly and hanging.
28311 */
28312-static void native_machine_emergency_restart(void)
28313+static void __noreturn native_machine_emergency_restart(void)
28314 {
28315 int i;
28316 int attempt = 0;
28317@@ -631,13 +658,13 @@ void native_machine_shutdown(void)
28318 #endif
28319 }
28320
28321-static void __machine_emergency_restart(int emergency)
28322+static void __noreturn __machine_emergency_restart(int emergency)
28323 {
28324 reboot_emergency = emergency;
28325 machine_ops.emergency_restart();
28326 }
28327
28328-static void native_machine_restart(char *__unused)
28329+static void __noreturn native_machine_restart(char *__unused)
28330 {
28331 pr_notice("machine restart\n");
28332
28333@@ -646,7 +673,7 @@ static void native_machine_restart(char *__unused)
28334 __machine_emergency_restart(0);
28335 }
28336
28337-static void native_machine_halt(void)
28338+static void __noreturn native_machine_halt(void)
28339 {
28340 /* Stop other cpus and apics */
28341 machine_shutdown();
28342@@ -656,7 +683,7 @@ static void native_machine_halt(void)
28343 stop_this_cpu(NULL);
28344 }
28345
28346-static void native_machine_power_off(void)
28347+static void __noreturn native_machine_power_off(void)
28348 {
28349 if (pm_power_off) {
28350 if (!reboot_force)
28351@@ -665,9 +692,10 @@ static void native_machine_power_off(void)
28352 }
28353 /* A fallback in case there is no PM info available */
28354 tboot_shutdown(TB_SHUTDOWN_HALT);
28355+ unreachable();
28356 }
28357
28358-struct machine_ops machine_ops = {
28359+struct machine_ops machine_ops __read_only = {
28360 .power_off = native_machine_power_off,
28361 .shutdown = native_machine_shutdown,
28362 .emergency_restart = native_machine_emergency_restart,
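Review bot: `unreachable()` after `tboot_shutdown(TB_SHUTDOWN_HALT)` is only sound if neither `pm_power_off()` nor `tboot_shutdown()` can ever return; if either does, this `__noreturn` function runs off its end, which is undefined behaviour rather than a clean hang. Nothing in this hunk shows those callees being made non-returning. Unless that happens elsewhere in the patch, replacing `unreachable();` with a terminal call such as `stop_this_cpu(NULL);`, which native_machine_halt above already uses, would make the annotation true by construction. The same question applies to `__machine_emergency_restart`, whose `__noreturn` depends on `machine_ops.emergency_restart()` never returning.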
28363diff --git a/arch/x86/kernel/reboot_fixups_32.c b/arch/x86/kernel/reboot_fixups_32.c
28364index c8e41e9..64049ef 100644
28365--- a/arch/x86/kernel/reboot_fixups_32.c
28366+++ b/arch/x86/kernel/reboot_fixups_32.c
28367@@ -57,7 +57,7 @@ struct device_fixup {
28368 unsigned int vendor;
28369 unsigned int device;
28370 void (*reboot_fixup)(struct pci_dev *);
28371-};
28372+} __do_const;
28373
28374 /*
28375 * PCI ids solely used for fixups_table go here
28376diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
28377index 98111b3..73ca125 100644
28378--- a/arch/x86/kernel/relocate_kernel_64.S
28379+++ b/arch/x86/kernel/relocate_kernel_64.S
28380@@ -96,8 +96,7 @@ relocate_kernel:
28381
28382 /* jump to identity mapped page */
28383 addq $(identity_mapped - relocate_kernel), %r8
28384- pushq %r8
28385- ret
28386+ jmp *%r8
28387
28388 identity_mapped:
28389 /* set return address to 0 if not preserving context */
28390diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
28391index 80f874b..b3eff67 100644
28392--- a/arch/x86/kernel/setup.c
28393+++ b/arch/x86/kernel/setup.c
28394@@ -111,6 +111,7 @@
28395 #include <asm/mce.h>
28396 #include <asm/alternative.h>
28397 #include <asm/prom.h>
28398+#include <asm/boot.h>
28399
28400 /*
28401 * max_low_pfn_mapped: highest direct mapped pfn under 4GB
28402@@ -206,10 +207,12 @@ EXPORT_SYMBOL(boot_cpu_data);
28403 #endif
28404
28405
28406-#if !defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64)
28407-__visible unsigned long mmu_cr4_features;
28408+#ifdef CONFIG_X86_64
28409+__visible unsigned long mmu_cr4_features __read_only = X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE;
28410+#elif defined(CONFIG_X86_PAE)
28411+__visible unsigned long mmu_cr4_features __read_only = X86_CR4_PAE;
28412 #else
28413-__visible unsigned long mmu_cr4_features = X86_CR4_PAE;
28414+__visible unsigned long mmu_cr4_features __read_only;
28415 #endif
28416
28417 /* Boot loader ID and version as integers, for the benefit of proc_dointvec */
28418@@ -772,7 +775,7 @@ static void __init trim_bios_range(void)
28419 * area (640->1Mb) as ram even though it is not.
28420 * take them out.
28421 */
28422- e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
28423+ e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
28424
28425 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
28426 }
28427@@ -780,7 +783,7 @@ static void __init trim_bios_range(void)
28428 /* called before trim_bios_range() to spare extra sanitize */
28429 static void __init e820_add_kernel_range(void)
28430 {
28431- u64 start = __pa_symbol(_text);
28432+ u64 start = __pa_symbol(ktla_ktva((unsigned long)_text));
28433 u64 size = __pa_symbol(_end) - start;
28434
28435 /*
28436@@ -861,8 +864,8 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
28437
28438 void __init setup_arch(char **cmdline_p)
28439 {
28440- memblock_reserve(__pa_symbol(_text),
28441- (unsigned long)__bss_stop - (unsigned long)_text);
28442+ memblock_reserve(__pa_symbol(ktla_ktva((unsigned long)_text)),
28443+ (unsigned long)__bss_stop - ktla_ktva((unsigned long)_text));
28444
28445 early_reserve_initrd();
28446
28447@@ -960,16 +963,16 @@ void __init setup_arch(char **cmdline_p)
28448
28449 if (!boot_params.hdr.root_flags)
28450 root_mountflags &= ~MS_RDONLY;
28451- init_mm.start_code = (unsigned long) _text;
28452- init_mm.end_code = (unsigned long) _etext;
28453- init_mm.end_data = (unsigned long) _edata;
28454+ init_mm.start_code = ktla_ktva((unsigned long)_text);
28455+ init_mm.end_code = ktla_ktva((unsigned long)_etext);
28456+ init_mm.end_data = (unsigned long)_edata;
28457 init_mm.brk = _brk_end;
28458
28459 mpx_mm_init(&init_mm);
28460
28461- code_resource.start = __pa_symbol(_text);
28462- code_resource.end = __pa_symbol(_etext)-1;
28463- data_resource.start = __pa_symbol(_etext);
28464+ code_resource.start = __pa_symbol(ktla_ktva((unsigned long)_text));
28465+ code_resource.end = __pa_symbol(ktla_ktva((unsigned long)_etext))-1;
28466+ data_resource.start = __pa_symbol(_sdata);
28467 data_resource.end = __pa_symbol(_edata)-1;
28468 bss_resource.start = __pa_symbol(__bss_start);
28469 bss_resource.end = __pa_symbol(__bss_stop)-1;
28470diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
28471index e4fcb87..9c06c55 100644
28472--- a/arch/x86/kernel/setup_percpu.c
28473+++ b/arch/x86/kernel/setup_percpu.c
28474@@ -21,19 +21,17 @@
28475 #include <asm/cpu.h>
28476 #include <asm/stackprotector.h>
28477
28478-DEFINE_PER_CPU_READ_MOSTLY(int, cpu_number);
28479+#ifdef CONFIG_SMP
28480+DEFINE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number);
28481 EXPORT_PER_CPU_SYMBOL(cpu_number);
28482+#endif
28483
28484-#ifdef CONFIG_X86_64
28485 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
28486-#else
28487-#define BOOT_PERCPU_OFFSET 0
28488-#endif
28489
28490 DEFINE_PER_CPU_READ_MOSTLY(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
28491 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
28492
28493-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
28494+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
28495 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
28496 };
28497 EXPORT_SYMBOL(__per_cpu_offset);
28498@@ -66,7 +64,7 @@ static bool __init pcpu_need_numa(void)
28499 {
28500 #ifdef CONFIG_NEED_MULTIPLE_NODES
28501 pg_data_t *last = NULL;
28502- unsigned int cpu;
28503+ int cpu;
28504
28505 for_each_possible_cpu(cpu) {
28506 int node = early_cpu_to_node(cpu);
28507@@ -155,10 +153,10 @@ static inline void setup_percpu_segment(int cpu)
28508 {
28509 #ifdef CONFIG_X86_32
28510 struct desc_struct gdt;
28511+ unsigned long base = per_cpu_offset(cpu);
28512
28513- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
28514- 0x2 | DESCTYPE_S, 0x8);
28515- gdt.s = 1;
28516+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
28517+ 0x83 | DESCTYPE_S, 0xC);
28518 write_gdt_entry(get_cpu_gdt_table(cpu),
28519 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
28520 #endif
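Review bot: The limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT` assumes `base < VMALLOC_END` without checking it, and the new `0x83 | DESCTYPE_S` and `0xC` arguments are undocumented literals. If a per-CPU base could ever sit at or above VMALLOC_END, the unsigned subtraction wraps and the per-CPU segment limit no longer bounds anything, so `BUG_ON(base >= VMALLOC_END);` or a comment saying why that cannot happen belongs next to the computation. A short comment decoding the type and flags values would let the descriptor be reviewed without the manual.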
28521@@ -219,6 +217,11 @@ void __init setup_per_cpu_areas(void)
28522 /* alrighty, percpu areas up and running */
28523 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
28524 for_each_possible_cpu(cpu) {
28525+#ifdef CONFIG_CC_STACKPROTECTOR
28526+#ifdef CONFIG_X86_32
28527+ unsigned long canary = per_cpu(stack_canary.canary, cpu);
28528+#endif
28529+#endif
28530 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
28531 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
28532 per_cpu(cpu_number, cpu) = cpu;
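Review bot: The nested `#ifdef CONFIG_CC_STACKPROTECTOR` / `#ifdef CONFIG_X86_32` pair here and in the next hunk could be a single `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`, the form this patch already uses in reboot.c. `canary` is also read for every possible CPU although the next hunk writes it back only when `!cpu`. If the intent is to carry the boot CPU's canary across the switch to the new per-cpu area, a comment such as `/* preserve the boot CPU's stack canary across the per-cpu area switch */` would say so. The loop body continues outside the hunk.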
28533@@ -259,6 +262,12 @@ void __init setup_per_cpu_areas(void)
28534 */
28535 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
28536 #endif
28537+#ifdef CONFIG_CC_STACKPROTECTOR
28538+#ifdef CONFIG_X86_32
28539+ if (!cpu)
28540+ per_cpu(stack_canary.canary, cpu) = canary;
28541+#endif
28542+#endif
28543 /*
28544 * Up to this point, the boot CPU has been using .init.data
28545 * area. Reload any changed state for the boot CPU.
28546diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
28547index 71820c4..ad16f6b 100644
28548--- a/arch/x86/kernel/signal.c
28549+++ b/arch/x86/kernel/signal.c
28550@@ -189,7 +189,7 @@ static unsigned long align_sigframe(unsigned long sp)
28551 * Align the stack pointer according to the i386 ABI,
28552 * i.e. so that on function entry ((sp + 4) & 15) == 0.
28553 */
28554- sp = ((sp + 4) & -16ul) - 4;
28555+ sp = ((sp - 12) & -16ul) - 4;
28556 #else /* !CONFIG_X86_32 */
28557 sp = round_down(sp, 16) - 8;
28558 #endif
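Review bot: The comment above the changed line still describes only the `((sp + 4) & 15) == 0` ABI requirement, which the old expression already met, and does not say why the new one starts from `sp - 12`. The new form keeps the same alignment but always lands exactly 16 bytes lower than the old one. That extra slot should be explained in the comment, e.g. `/* same alignment as the ABI requires, one 16-byte slot lower: <reason> */` with the reason filled in by the author. align_sigframe starts outside the hunk.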
28559@@ -298,10 +298,9 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
28560 }
28561
28562 if (current->mm->context.vdso)
28563- restorer = current->mm->context.vdso +
28564- selected_vdso32->sym___kernel_sigreturn;
28565+ restorer = (void __force_user *)(current->mm->context.vdso + selected_vdso32->sym___kernel_sigreturn);
28566 else
28567- restorer = &frame->retcode;
28568+ restorer = (void __user *)&frame->retcode;
28569 if (ksig->ka.sa.sa_flags & SA_RESTORER)
28570 restorer = ksig->ka.sa.sa_restorer;
28571
28572@@ -315,7 +314,7 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
28573 * reasons and because gdb uses it as a signature to notice
28574 * signal handler stack frames.
28575 */
28576- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
28577+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
28578
28579 if (err)
28580 return -EFAULT;
28581@@ -362,8 +361,10 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
28582 save_altstack_ex(&frame->uc.uc_stack, regs->sp);
28583
28584 /* Set up to return from userspace. */
28585- restorer = current->mm->context.vdso +
28586- selected_vdso32->sym___kernel_rt_sigreturn;
28587+ if (current->mm->context.vdso)
28588+ restorer = (void __force_user *)(current->mm->context.vdso + selected_vdso32->sym___kernel_rt_sigreturn);
28589+ else
28590+ restorer = (void __user *)&frame->retcode;
28591 if (ksig->ka.sa.sa_flags & SA_RESTORER)
28592 restorer = ksig->ka.sa.sa_restorer;
28593 put_user_ex(restorer, &frame->pretcode);
28594@@ -375,7 +376,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
28595 * reasons and because gdb uses it as a signature to notice
28596 * signal handler stack frames.
28597 */
28598- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
28599+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
28600 } put_user_catch(err);
28601
28602 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
28603@@ -611,7 +612,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
28604 {
28605 int usig = ksig->sig;
28606 sigset_t *set = sigmask_to_save();
28607- compat_sigset_t *cset = (compat_sigset_t *) set;
28608+ sigset_t sigcopy;
28609+ compat_sigset_t *cset;
28610+
28611+ sigcopy = *set;
28612+
28613+ cset = (compat_sigset_t *) &sigcopy;
28614
28615 /* Set up the stack frame */
28616 if (is_ia32_frame()) {
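Review bot: `sigcopy = *set;` is made unconditionally, with no comment on why frame setup must work on a private copy rather than the set returned by `sigmask_to_save()`. If the reason is the `(compat_sigset_t *)` cast, so that the compat paths never read the task's live set through a differently typed pointer, a line such as `/* stack copy: the compat cast must not alias the task's own sigset */` would record it; if the reason is something else, the comment should state that instead. The function continues in the next hunk, where the native path is switched to `&sigcopy` as well.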
28617@@ -622,7 +628,7 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
28618 } else if (is_x32_frame()) {
28619 return x32_setup_rt_frame(ksig, cset, regs);
28620 } else {
28621- return __setup_rt_frame(ksig->sig, ksig, set, regs);
28622+ return __setup_rt_frame(ksig->sig, ksig, &sigcopy, regs);
28623 }
28624 }
28625
28626diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
28627index 15aaa69..66103af 100644
28628--- a/arch/x86/kernel/smp.c
28629+++ b/arch/x86/kernel/smp.c
28630@@ -334,7 +334,7 @@ static int __init nonmi_ipi_setup(char *str)
28631
28632 __setup("nonmi_ipi", nonmi_ipi_setup);
28633
28634-struct smp_ops smp_ops = {
28635+struct smp_ops smp_ops __read_only = {
28636 .smp_prepare_boot_cpu = native_smp_prepare_boot_cpu,
28637 .smp_prepare_cpus = native_smp_prepare_cpus,
28638 .smp_cpus_done = native_smp_cpus_done,
28639diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
28640index b1f3ed9c..b76221b 100644
28641--- a/arch/x86/kernel/smpboot.c
28642+++ b/arch/x86/kernel/smpboot.c
28643@@ -220,14 +220,17 @@ static void notrace start_secondary(void *unused)
28644
28645 enable_start_cpu0 = 0;
28646
28647-#ifdef CONFIG_X86_32
28648+ /* otherwise gcc will move up smp_processor_id before the cpu_init */
28649+ barrier();
28650+
28651 /* switch away from the initial page table */
28652+#ifdef CONFIG_PAX_PER_CPU_PGD
28653+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
28654+#else
28655 load_cr3(swapper_pg_dir);
28656+#endif
28657 __flush_tlb_all();
28658-#endif
28659
28660- /* otherwise gcc will move up smp_processor_id before the cpu_init */
28661- barrier();
28662 /*
28663 * Check TSC synchronization with the BP:
28664 */
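Review bot: Dropping the `#ifdef CONFIG_X86_32` guard makes `load_cr3()` and `__flush_tlb_all()` run on every configuration, including 64-bit builds without `CONFIG_PAX_PER_CPU_PGD`, where the `#else` branch now loads `swapper_pg_dir`. If that extra reload on 64-bit is intended it deserves a comment; if not, the guard could become `#if defined(CONFIG_X86_32) || defined(CONFIG_PAX_PER_CPU_PGD)`. Moving `barrier()` above the block is consistent with its comment, since `smp_processor_id()` is now called inside it. start_secondary starts and ends outside the hunk.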
28665@@ -808,16 +811,15 @@ void common_cpu_up(unsigned int cpu, struct task_struct *idle)
28666 alternatives_enable_smp();
28667
28668 per_cpu(current_task, cpu) = idle;
28669+ per_cpu(current_tinfo, cpu) = &idle->tinfo;
28670
28671 #ifdef CONFIG_X86_32
28672- /* Stack for startup_32 can be just as for start_secondary onwards */
28673 irq_ctx_init(cpu);
28674- per_cpu(cpu_current_top_of_stack, cpu) =
28675- (unsigned long)task_stack_page(idle) + THREAD_SIZE;
28676 #else
28677 clear_tsk_thread_flag(idle, TIF_FORK);
28678 initial_gs = per_cpu_offset(cpu);
28679 #endif
28680+ per_cpu(cpu_current_top_of_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
28681 }
28682
28683 /*
28684@@ -838,9 +840,11 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
28685 unsigned long timeout;
28686
28687 idle->thread.sp = (unsigned long) (((struct pt_regs *)
28688- (THREAD_SIZE + task_stack_page(idle))) - 1);
28689+ (THREAD_SIZE - 16 + task_stack_page(idle))) - 1);
28690
28691+ pax_open_kernel();
28692 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
28693+ pax_close_kernel();
28694 initial_code = (unsigned long)start_secondary;
28695 stack_start = idle->thread.sp;
28696
28697@@ -992,6 +996,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle)
28698
28699 common_cpu_up(cpu, tidle);
28700
28701+#ifdef CONFIG_PAX_PER_CPU_PGD
28702+ clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY,
28703+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
28704+ KERNEL_PGD_PTRS);
28705+ clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY,
28706+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
28707+ KERNEL_PGD_PTRS);
28708+#endif
28709+
28710 /*
28711 * We have to walk the irq descriptors to setup the vector
28712 * space for the cpu which comes online. Prevent irq
28713diff --git a/arch/x86/kernel/step.c b/arch/x86/kernel/step.c
28714index 0ccb53a..fbc4759 100644
28715--- a/arch/x86/kernel/step.c
28716+++ b/arch/x86/kernel/step.c
28717@@ -44,7 +44,8 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re
28718 addr += base;
28719 }
28720 mutex_unlock(&child->mm->context.lock);
28721- }
28722+ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
28723+ addr = ktla_ktva(addr);
28724
28725 return addr;
28726 }
28727@@ -55,6 +56,9 @@ static int is_setting_trap_flag(struct task_struct *child, struct pt_regs *regs)
28728 unsigned char opcode[15];
28729 unsigned long addr = convert_ip_to_linear(child, regs);
28730
28731+ if (addr == -EINVAL)
28732+ return 0;
28733+
28734 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
28735 for (i = 0; i < copied; i++) {
28736 switch (opcode[i]) {
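Review bot: `if (addr == -EINVAL)` only helps if convert_ip_to_linear() really returns `-EINVAL` for a bad selector, and the line that assigns its failure value lies outside both step.c hunks. If that function still uses a different sentinel (upstream kernels of this era assign `-1L`, as far as I know), the early return never fires and access_process_vm() is still called with the bogus address. `if (IS_ERR_VALUE(addr)) return 0;` would cover either value and avoid relying on the implicit conversion of `-EINVAL` to `unsigned long`. The function continues outside the hunk.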
28737diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
28738new file mode 100644
28739index 0000000..5877189
28740--- /dev/null
28741+++ b/arch/x86/kernel/sys_i386_32.c
28742@@ -0,0 +1,189 @@
28743+/*
28744+ * This file contains various random system calls that
28745+ * have a non-standard calling sequence on the Linux/i386
28746+ * platform.
28747+ */
28748+
28749+#include <linux/errno.h>
28750+#include <linux/sched.h>
28751+#include <linux/mm.h>
28752+#include <linux/fs.h>
28753+#include <linux/smp.h>
28754+#include <linux/sem.h>
28755+#include <linux/msg.h>
28756+#include <linux/shm.h>
28757+#include <linux/stat.h>
28758+#include <linux/syscalls.h>
28759+#include <linux/mman.h>
28760+#include <linux/file.h>
28761+#include <linux/utsname.h>
28762+#include <linux/ipc.h>
28763+#include <linux/elf.h>
28764+
28765+#include <linux/uaccess.h>
28766+#include <linux/unistd.h>
28767+
28768+#include <asm/syscalls.h>
28769+
28770+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
28771+{
28772+ unsigned long pax_task_size = TASK_SIZE;
28773+
28774+#ifdef CONFIG_PAX_SEGMEXEC
28775+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
28776+ pax_task_size = SEGMEXEC_TASK_SIZE;
28777+#endif
28778+
28779+ if (flags & MAP_FIXED)
28780+ if (len > pax_task_size || addr > pax_task_size - len)
28781+ return -EINVAL;
28782+
28783+ return 0;
28784+}
28785+
28786+/*
28787+ * Align a virtual address to avoid aliasing in the I$ on AMD F15h.
28788+ */
28789+static unsigned long get_align_mask(void)
28790+{
28791+ if (va_align.flags < 0 || !(va_align.flags & ALIGN_VA_32))
28792+ return 0;
28793+
28794+ if (!(current->flags & PF_RANDOMIZE))
28795+ return 0;
28796+
28797+ return va_align.mask;
28798+}
28799+
28800+unsigned long
28801+arch_get_unmapped_area(struct file *filp, unsigned long addr,
28802+ unsigned long len, unsigned long pgoff, unsigned long flags)
28803+{
28804+ struct mm_struct *mm = current->mm;
28805+ struct vm_area_struct *vma;
28806+ unsigned long pax_task_size = TASK_SIZE;
28807+ struct vm_unmapped_area_info info;
28808+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28809+
28810+#ifdef CONFIG_PAX_SEGMEXEC
28811+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
28812+ pax_task_size = SEGMEXEC_TASK_SIZE;
28813+#endif
28814+
28815+ pax_task_size -= PAGE_SIZE;
28816+
28817+ if (len > pax_task_size)
28818+ return -ENOMEM;
28819+
28820+ if (flags & MAP_FIXED)
28821+ return addr;
28822+
28823+#ifdef CONFIG_PAX_RANDMMAP
28824+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28825+#endif
28826+
28827+ if (addr) {
28828+ addr = PAGE_ALIGN(addr);
28829+ if (pax_task_size - len >= addr) {
28830+ vma = find_vma(mm, addr);
28831+ if (check_heap_stack_gap(vma, addr, len, offset))
28832+ return addr;
28833+ }
28834+ }
28835+
28836+ info.flags = 0;
28837+ info.length = len;
28838+ info.align_mask = filp ? get_align_mask() : 0;
28839+ info.align_offset = pgoff << PAGE_SHIFT;
28840+ info.threadstack_offset = offset;
28841+
28842+#ifdef CONFIG_PAX_PAGEEXEC
28843+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) {
28844+ info.low_limit = 0x00110000UL;
28845+ info.high_limit = mm->start_code;
28846+
28847+#ifdef CONFIG_PAX_RANDMMAP
28848+ if (mm->pax_flags & MF_PAX_RANDMMAP)
28849+ info.low_limit += mm->delta_mmap & 0x03FFF000UL;
28850+#endif
28851+
28852+ if (info.low_limit < info.high_limit) {
28853+ addr = vm_unmapped_area(&info);
28854+ if (!IS_ERR_VALUE(addr))
28855+ return addr;
28856+ }
28857+ } else
28858+#endif
28859+
28860+ info.low_limit = mm->mmap_base;
28861+ info.high_limit = pax_task_size;
28862+
28863+ return vm_unmapped_area(&info);
28864+}
28865+
28866+unsigned long
28867+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
28868+ const unsigned long len, const unsigned long pgoff,
28869+ const unsigned long flags)
28870+{
28871+ struct vm_area_struct *vma;
28872+ struct mm_struct *mm = current->mm;
28873+ unsigned long addr = addr0, pax_task_size = TASK_SIZE;
28874+ struct vm_unmapped_area_info info;
28875+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28876+
28877+#ifdef CONFIG_PAX_SEGMEXEC
28878+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
28879+ pax_task_size = SEGMEXEC_TASK_SIZE;
28880+#endif
28881+
28882+ pax_task_size -= PAGE_SIZE;
28883+
28884+ /* requested length too big for entire address space */
28885+ if (len > pax_task_size)
28886+ return -ENOMEM;
28887+
28888+ if (flags & MAP_FIXED)
28889+ return addr;
28890+
28891+#ifdef CONFIG_PAX_PAGEEXEC
28892+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
28893+ goto bottomup;
28894+#endif
28895+
28896+#ifdef CONFIG_PAX_RANDMMAP
28897+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28898+#endif
28899+
28900+ /* requesting a specific address */
28901+ if (addr) {
28902+ addr = PAGE_ALIGN(addr);
28903+ if (pax_task_size - len >= addr) {
28904+ vma = find_vma(mm, addr);
28905+ if (check_heap_stack_gap(vma, addr, len, offset))
28906+ return addr;
28907+ }
28908+ }
28909+
28910+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
28911+ info.length = len;
28912+ info.low_limit = PAGE_SIZE;
28913+ info.high_limit = mm->mmap_base;
28914+ info.align_mask = filp ? get_align_mask() : 0;
28915+ info.align_offset = pgoff << PAGE_SHIFT;
28916+ info.threadstack_offset = offset;
28917+
28918+ addr = vm_unmapped_area(&info);
28919+ if (!(addr & ~PAGE_MASK))
28920+ return addr;
28921+ VM_BUG_ON(addr != -ENOMEM);
28922+
28923+bottomup:
28924+ /*
28925+ * A failed mmap() very likely causes application failure,
28926+ * so fall back to the bottom-up function here. This scenario
28927+ * can happen with large stack limits and large mmap()
28928+ * allocations.
28929+ */
28930+ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
28931+}
28932diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
28933index 10e0272..b4bb9a7 100644
28934--- a/arch/x86/kernel/sys_x86_64.c
28935+++ b/arch/x86/kernel/sys_x86_64.c
28936@@ -97,8 +97,8 @@ out:
28937 return error;
28938 }
28939
28940-static void find_start_end(unsigned long flags, unsigned long *begin,
28941- unsigned long *end)
28942+static void find_start_end(struct mm_struct *mm, unsigned long flags,
28943+ unsigned long *begin, unsigned long *end)
28944 {
28945 if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT)) {
28946 unsigned long new_begin;
28947@@ -117,7 +117,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
28948 *begin = new_begin;
28949 }
28950 } else {
28951- *begin = current->mm->mmap_legacy_base;
28952+ *begin = mm->mmap_legacy_base;
28953 *end = TASK_SIZE;
28954 }
28955 }
28956@@ -130,20 +130,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
28957 struct vm_area_struct *vma;
28958 struct vm_unmapped_area_info info;
28959 unsigned long begin, end;
28960+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28961
28962 if (flags & MAP_FIXED)
28963 return addr;
28964
28965- find_start_end(flags, &begin, &end);
28966+ find_start_end(mm, flags, &begin, &end);
28967
28968 if (len > end)
28969 return -ENOMEM;
28970
28971+#ifdef CONFIG_PAX_RANDMMAP
28972+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28973+#endif
28974+
28975 if (addr) {
28976 addr = PAGE_ALIGN(addr);
28977 vma = find_vma(mm, addr);
28978- if (end - len >= addr &&
28979- (!vma || addr + len <= vma->vm_start))
28980+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
28981 return addr;
28982 }
28983
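Review bot: The RANDMMAP guard added to arch_get_unmapped_area is a brace-less `if` that ends at `#endif` and takes the following `if (addr) { ... }` block as its body, with a blank line in between. Whether the address hint is honoured therefore depends on a statement that disappears when the preprocessor block is folded or the option is off. The same construct is added in the `@@ -181,12 +187,15 @@` hunk of arch_get_unmapped_area_topdown. A comment on the guard would make this reviewable, e.g. `/* guards the if (addr) block below: with MF_PAX_RANDMMAP set the hint is not tried */`, because a statement later inserted between the two lines would silently change what is guarded. The function body starts and ends outside the hunk.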
28984@@ -157,6 +161,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
28985 info.align_mask = get_align_mask();
28986 info.align_offset += get_align_bits();
28987 }
28988+ info.threadstack_offset = offset;
28989 return vm_unmapped_area(&info);
28990 }
28991
28992@@ -169,6 +174,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
28993 struct mm_struct *mm = current->mm;
28994 unsigned long addr = addr0;
28995 struct vm_unmapped_area_info info;
28996+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28997
28998 /* requested length too big for entire address space */
28999 if (len > TASK_SIZE)
29000@@ -181,12 +187,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
29001 if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT))
29002 goto bottomup;
29003
29004+#ifdef CONFIG_PAX_RANDMMAP
29005+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
29006+#endif
29007+
29008 /* requesting a specific address */
29009 if (addr) {
29010 addr = PAGE_ALIGN(addr);
29011 vma = find_vma(mm, addr);
29012- if (TASK_SIZE - len >= addr &&
29013- (!vma || addr + len <= vma->vm_start))
29014+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
29015 return addr;
29016 }
29017
29018@@ -200,6 +209,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
29019 info.align_mask = get_align_mask();
29020 info.align_offset += get_align_bits();
29021 }
29022+ info.threadstack_offset = offset;
29023 addr = vm_unmapped_area(&info);
29024 if (!(addr & ~PAGE_MASK))
29025 return addr;
29026diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
29027index 91a4496..42fc304 100644
29028--- a/arch/x86/kernel/tboot.c
29029+++ b/arch/x86/kernel/tboot.c
29030@@ -44,6 +44,7 @@
29031 #include <asm/setup.h>
29032 #include <asm/e820.h>
29033 #include <asm/io.h>
29034+#include <asm/tlbflush.h>
29035
29036 #include "../realmode/rm/wakeup.h"
29037
29038@@ -221,7 +222,7 @@ static int tboot_setup_sleep(void)
29039
29040 void tboot_shutdown(u32 shutdown_type)
29041 {
29042- void (*shutdown)(void);
29043+ void (* __noreturn shutdown)(void);
29044
29045 if (!tboot_enabled())
29046 return;
29047@@ -242,8 +243,9 @@ void tboot_shutdown(u32 shutdown_type)
29048 tboot->shutdown_type = shutdown_type;
29049
29050 switch_to_tboot_pt();
29051+ cr4_clear_bits(X86_CR4_PCIDE);
29052
29053- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
29054+ shutdown = (void *)(unsigned long)tboot->shutdown_entry;
29055 shutdown();
29056
29057 /* should not reach here */
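Review bot: The new `cr4_clear_bits(X86_CR4_PCIDE);` between `switch_to_tboot_pt()` and the jump through `tboot->shutdown_entry` has no comment saying why PCID must be off at this point. Presumably the tboot page tables or the code entered at shutdown_entry are not prepared for CR4.PCIDE being set; a one-line comment such as `/* tboot is entered with PCID disabled */` would record that, to be confirmed by the author. The replacement cast `(void *)(unsigned long)tboot->shutdown_entry` also drops the explicit function-pointer type of the removed line, so the assignment now relies on an implicit conversion from `void *`. tboot_shutdown starts and ends outside the hunk.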
29058@@ -310,7 +312,7 @@ static int tboot_extended_sleep(u8 sleep_state, u32 val_a, u32 val_b)
29059 return -ENODEV;
29060 }
29061
29062-static atomic_t ap_wfs_count;
29063+static atomic_unchecked_t ap_wfs_count;
29064
29065 static int tboot_wait_for_aps(int num_aps)
29066 {
29067@@ -334,9 +336,9 @@ static int tboot_cpu_callback(struct notifier_block *nfb, unsigned long action,
29068 {
29069 switch (action) {
29070 case CPU_DYING:
29071- atomic_inc(&ap_wfs_count);
29072+ atomic_inc_unchecked(&ap_wfs_count);
29073 if (num_online_cpus() == 1)
29074- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
29075+ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
29076 return NOTIFY_BAD;
29077 break;
29078 }
29079@@ -422,7 +424,7 @@ static __init int tboot_late_init(void)
29080
29081 tboot_create_trampoline();
29082
29083- atomic_set(&ap_wfs_count, 0);
29084+ atomic_set_unchecked(&ap_wfs_count, 0);
29085 register_hotcpu_notifier(&tboot_cpu_notifier);
29086
29087 #ifdef CONFIG_DEBUG_FS
29088diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
29089index d39c091..1df4349 100644
29090--- a/arch/x86/kernel/time.c
29091+++ b/arch/x86/kernel/time.c
29092@@ -32,7 +32,7 @@ unsigned long profile_pc(struct pt_regs *regs)
29093
29094 if (!user_mode(regs) && in_lock_functions(pc)) {
29095 #ifdef CONFIG_FRAME_POINTER
29096- return *(unsigned long *)(regs->bp + sizeof(long));
29097+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
29098 #else
29099 unsigned long *sp =
29100 (unsigned long *)kernel_stack_pointer(regs);
29101@@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs *regs)
29102 * or above a saved flags. Eflags has bits 22-31 zero,
29103 * kernel addresses don't.
29104 */
29105+
29106+#ifdef CONFIG_PAX_KERNEXEC
29107+ return ktla_ktva(sp[0]);
29108+#else
29109 if (sp[0] >> 22)
29110 return sp[0];
29111 if (sp[1] >> 22)
29112 return sp[1];
29113 #endif
29114+
29115+#endif
29116 }
29117 return pc;
29118 }
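Review bot: With CONFIG_PAX_KERNEXEC the non-frame-pointer path of profile_pc returns `ktla_ktva(sp[0])` unconditionally, so the `>> 22` test described by the comment just above (return address at the stack pointer or above a saved flags word) no longer runs in that configuration. A saved-flags value at sp[0] would then be translated and reported as a PC. If that is intended, the comment should say so, e.g. `/* KERNEXEC: sp[0] is taken as the return address, the eflags heuristic is skipped */`. The nesting is also hard to follow, because the pre-existing `#endif` now closes the KERNEXEC block and the added one closes CONFIG_FRAME_POINTER; tagging them `#endif /* CONFIG_PAX_KERNEXEC */` and `#endif /* CONFIG_FRAME_POINTER */` would help.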
29119diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
29120index 7fc5e84..c6e445a 100644
29121--- a/arch/x86/kernel/tls.c
29122+++ b/arch/x86/kernel/tls.c
29123@@ -139,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
29124 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
29125 return -EINVAL;
29126
29127+#ifdef CONFIG_PAX_SEGMEXEC
29128+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
29129+ return -EINVAL;
29130+#endif
29131+
29132 set_tls_desc(p, idx, &info, 1);
29133
29134 return 0;
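Review bot: The SEGMEXEC check dereferences `p->mm` without a NULL test, while the PAGEEXEC block this patch adds to do_general_protection in traps.c tests `tsk->mm &&` before reading `pax_flags`. do_set_thread_area takes an arbitrary task pointer and its callers are outside this hunk, so it cannot be confirmed from here that `p` always has an mm. Writing the condition as `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` would make the two sites consistent. A short comment that code descriptors are refused in TLS slots under SEGMEXEC would also help the next reader.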
29135@@ -256,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
29136
29137 if (kbuf)
29138 info = kbuf;
29139- else if (__copy_from_user(infobuf, ubuf, count))
29140+ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count))
29141 return -EFAULT;
29142 else
29143 info = infobuf;
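Review bot: The added `count > sizeof infobuf` bound in regset_tls_set shares the `-EFAULT` return with a failed user copy, so a caller cannot tell an oversized request from a bad user pointer. Testing the length separately before the copy, e.g. `if (!kbuf && count > sizeof infobuf) return -EINVAL;`, would keep the bound and report it distinctly. Whether earlier checks in the function already limit `count` is not visible in this hunk; if they do, a comment saying the new test is defence in depth would be enough.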
29144diff --git a/arch/x86/kernel/tracepoint.c b/arch/x86/kernel/tracepoint.c
29145index 1c113db..287b42e 100644
29146--- a/arch/x86/kernel/tracepoint.c
29147+++ b/arch/x86/kernel/tracepoint.c
29148@@ -9,11 +9,11 @@
29149 #include <linux/atomic.h>
29150
29151 atomic_t trace_idt_ctr = ATOMIC_INIT(0);
29152-struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1,
29153+const struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1,
29154 (unsigned long) trace_idt_table };
29155
29156 /* No need to be aligned, but done to keep all IDTs defined the same way. */
29157-gate_desc trace_idt_table[NR_VECTORS] __page_aligned_bss;
29158+gate_desc trace_idt_table[NR_VECTORS] __page_aligned_rodata;
29159
29160 static int trace_irq_vector_refcount;
29161 static DEFINE_MUTEX(irq_vector_mutex);
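Review bot: Placing `trace_idt_table` in `__page_aligned_rodata` and making `trace_idt_descr` const means every later gate update is a write to read-only memory, and nothing at the definition says how writers are expected to cope. The same applies to `debug_idt_table` and `idt_table` in the traps.c hunks that follow. The writers are not visible in this chunk, so it cannot be checked here that each is bracketed by the `pax_open_kernel()`/`pax_close_kernel()` pair this patch uses elsewhere. A comment at each definition, e.g. `/* read-only: gate updates must run between pax_open_kernel() and pax_close_kernel() */`, would record the requirement.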
29162diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
29163index f579192..aed90b8 100644
29164--- a/arch/x86/kernel/traps.c
29165+++ b/arch/x86/kernel/traps.c
29166@@ -69,7 +69,7 @@
29167 #include <asm/proto.h>
29168
29169 /* No need to be aligned, but done to keep all IDTs defined the same way. */
29170-gate_desc debug_idt_table[NR_VECTORS] __page_aligned_bss;
29171+gate_desc debug_idt_table[NR_VECTORS] __page_aligned_rodata;
29172 #else
29173 #include <asm/processor-flags.h>
29174 #include <asm/setup.h>
29175@@ -77,7 +77,7 @@ gate_desc debug_idt_table[NR_VECTORS] __page_aligned_bss;
29176 #endif
29177
29178 /* Must be page-aligned because the real IDT is used in a fixmap. */
29179-gate_desc idt_table[NR_VECTORS] __page_aligned_bss;
29180+gate_desc idt_table[NR_VECTORS] __page_aligned_rodata;
29181
29182 DECLARE_BITMAP(used_vectors, NR_VECTORS);
29183 EXPORT_SYMBOL_GPL(used_vectors);
29184@@ -174,7 +174,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
29185 * will catch asm bugs and any attempt to use ist_preempt_enable
29186 * from double_fault.
29187 */
29188- BUG_ON((unsigned long)(current_top_of_stack() -
29189+ BUG_ON((unsigned long)(current_top_of_stack(smp_processor_id()) -
29190 current_stack_pointer()) >= THREAD_SIZE);
29191
29192 preempt_count_sub(HARDIRQ_OFFSET);
29193@@ -191,7 +191,7 @@ void ist_end_non_atomic(void)
29194 }
29195
29196 static nokprobe_inline int
29197-do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
29198+do_trap_no_signal(struct task_struct *tsk, int trapnr, const char *str,
29199 struct pt_regs *regs, long error_code)
29200 {
29201 if (v8086_mode(regs)) {
29202@@ -211,8 +211,20 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
29203 if (!fixup_exception(regs)) {
29204 tsk->thread.error_code = error_code;
29205 tsk->thread.trap_nr = trapnr;
29206+
29207+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29208+ if (trapnr == X86_TRAP_SS && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
29209+ str = "PAX: suspicious stack segment fault";
29210+#endif
29211+
29212 die(str, regs, error_code);
29213 }
29214+
29215+#ifdef CONFIG_PAX_REFCOUNT
29216+ if (trapnr == X86_TRAP_OF)
29217+ pax_report_refcount_overflow(regs);
29218+#endif
29219+
29220 return 0;
29221 }
29222
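Review bot: The kernel code-segment test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is written out here and again in the do_general_protection hunk (`@@ -473,11 +490,35 @@`), so the two copies can drift apart. A small `static inline` predicate taking `const struct pt_regs *` would keep them in step and give the 0xFFFF mask one documented home. Separately, `pax_report_refcount_overflow(regs)` sits after the `if (!fixup_exception(regs))` block, so as far as the hunk shows it runs for any X86_TRAP_OF that reaches this line. A comment stating that overflow traps on this path are expected only from the refcount instrumentation would document that assumption. The enclosing condition starts outside the hunk.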
29223@@ -251,7 +263,7 @@ static siginfo_t *fill_trap_info(struct pt_regs *regs, int signr, int trapnr,
29224 }
29225
29226 static void
29227-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
29228+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
29229 long error_code, siginfo_t *info)
29230 {
29231 struct task_struct *tsk = current;
29232@@ -275,7 +287,7 @@ do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
29233 if (show_unhandled_signals && unhandled_signal(tsk, signr) &&
29234 printk_ratelimit()) {
29235 pr_info("%s[%d] trap %s ip:%lx sp:%lx error:%lx",
29236- tsk->comm, tsk->pid, str,
29237+ tsk->comm, task_pid_nr(tsk), str,
29238 regs->ip, regs->sp, error_code);
29239 print_vma_addr(" in ", regs->ip);
29240 pr_cont("\n");
29241@@ -357,6 +369,11 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
29242 tsk->thread.error_code = error_code;
29243 tsk->thread.trap_nr = X86_TRAP_DF;
29244
29245+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
29246+ if ((unsigned long)tsk->stack - regs->sp <= PAGE_SIZE)
29247+ die("grsec: kernel stack overflow detected", regs, error_code);
29248+#endif
29249+
29250 #ifdef CONFIG_DOUBLEFAULT
29251 df_debug(regs, error_code);
29252 #endif
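Review bot: The stack-overflow test `(unsigned long)tsk->stack - regs->sp <= PAGE_SIZE` depends on unsigned wraparound to exclude a stack pointer that is still inside the stack, and the hunk does not say so. It matches only when `regs->sp` is at the stack base or up to one page below it, so a double fault taken further below the base falls through to the generic path without the grsec message. A comment such as `/* sp at or within one page below the stack base; the subtraction wraps when sp is inside the stack */` would make both properties explicit.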
29253@@ -473,11 +490,35 @@ do_general_protection(struct pt_regs *regs, long error_code)
29254 tsk->thread.error_code = error_code;
29255 tsk->thread.trap_nr = X86_TRAP_GP;
29256 if (notify_die(DIE_GPF, "general protection fault", regs, error_code,
29257- X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP)
29258+ X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP) {
29259+
29260+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29261+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
29262+ die("PAX: suspicious general protection fault", regs, error_code);
29263+ else
29264+#endif
29265+
29266 die("general protection fault", regs, error_code);
29267+ }
29268 goto exit;
29269 }
29270
29271+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
29272+ if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
29273+ struct mm_struct *mm = tsk->mm;
29274+ unsigned long limit;
29275+
29276+ down_write(&mm->mmap_sem);
29277+ limit = mm->context.user_cs_limit;
29278+ if (limit < TASK_SIZE) {
29279+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
29280+ up_write(&mm->mmap_sem);
29281+ return;
29282+ }
29283+ up_write(&mm->mmap_sem);
29284+ }
29285+#endif
29286+
29287 tsk->thread.error_code = error_code;
29288 tsk->thread.trap_nr = X86_TRAP_GP;
29289
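Review bot: The new PAGEEXEC branch leaves do_general_protection with a bare `return;` after `up_write(&mm->mmap_sem)`, while the kernel-mode path in the same hunk leaves through `goto exit;`. The `exit` label is outside the hunk, so what it does cannot be checked here, but if it undoes state set up at function entry this path skips it. Using `goto exit;` in place of `return;` would keep a single exit path. The branch also takes `mmap_sem` for writing inside a fault handler, which deserves a comment on why blocking is acceptable at this point.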
29290@@ -576,6 +617,9 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
29291 container_of(task_pt_regs(current),
29292 struct bad_iret_stack, regs);
29293
29294+ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE)
29295+ new_stack = s;
29296+
29297 /* Copy the IRET target to the new stack. */
29298 memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
29299
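Review bot: The check `(current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE` is an undocumented alignment trick: it is true only when `sp0` and `s` fall in the same THREAD_SIZE-aligned region. That assumes the stack is THREAD_SIZE-aligned and that `sp0` points inside the region rather than at its upper boundary, neither of which is visible in this hunk. When the test holds, `new_stack` becomes `s`, so the following `memmove` copies within one stack and its source and destination may overlap, which memmove permits. A comment such as `/* s is already on this thread's stack: fix up in place */` would state the intent.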
29300diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
29301index 7437b41..45f6250 100644
29302--- a/arch/x86/kernel/tsc.c
29303+++ b/arch/x86/kernel/tsc.c
29304@@ -150,7 +150,7 @@ static void cyc2ns_write_end(int cpu, struct cyc2ns_data *data)
29305 */
29306 smp_wmb();
29307
29308- ACCESS_ONCE(c2n->head) = data;
29309+ ACCESS_ONCE_RW(c2n->head) = data;
29310 }
29311
29312 /*
29313diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
29314index 6647624..2056791 100644
29315--- a/arch/x86/kernel/uprobes.c
29316+++ b/arch/x86/kernel/uprobes.c
29317@@ -978,7 +978,7 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs
29318
29319 if (nleft != rasize) {
29320 pr_err("uprobe: return address clobbered: pid=%d, %%sp=%#lx, "
29321- "%%ip=%#lx\n", current->pid, regs->sp, regs->ip);
29322+ "%%ip=%#lx\n", task_pid_nr(current), regs->sp, regs->ip);
29323
29324 force_sig_info(SIGSEGV, SEND_SIG_FORCED, current);
29325 }
29326diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
29327index b9242ba..50c5edd 100644
29328--- a/arch/x86/kernel/verify_cpu.S
29329+++ b/arch/x86/kernel/verify_cpu.S
29330@@ -20,6 +20,7 @@
29331 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
29332 * arch/x86/kernel/trampoline_64.S: secondary processor verification
29333 * arch/x86/kernel/head_32.S: processor startup
29334+ * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
29335 *
29336 * verify_cpu, returns the status of longmode and SSE in register %eax.
29337 * 0: Success 1: Failure
29338diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
29339index fc9db6e..2c5865d 100644
29340--- a/arch/x86/kernel/vm86_32.c
29341+++ b/arch/x86/kernel/vm86_32.c
29342@@ -44,6 +44,7 @@
29343 #include <linux/ptrace.h>
29344 #include <linux/audit.h>
29345 #include <linux/stddef.h>
29346+#include <linux/grsecurity.h>
29347
29348 #include <asm/uaccess.h>
29349 #include <asm/io.h>
29350@@ -150,7 +151,7 @@ struct pt_regs *save_v86_state(struct kernel_vm86_regs *regs)
29351 do_exit(SIGSEGV);
29352 }
29353
29354- tss = &per_cpu(cpu_tss, get_cpu());
29355+ tss = cpu_tss + get_cpu();
29356 current->thread.sp0 = current->thread.saved_sp0;
29357 current->thread.sysenter_cs = __KERNEL_CS;
29358 load_sp0(tss, &current->thread);
29359@@ -214,6 +215,14 @@ SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86)
29360
29361 if (tsk->thread.saved_sp0)
29362 return -EPERM;
29363+
29364+#ifdef CONFIG_GRKERNSEC_VM86
29365+ if (!capable(CAP_SYS_RAWIO)) {
29366+ gr_handle_vm86();
29367+ return -EPERM;
29368+ }
29369+#endif
29370+
29371 tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
29372 offsetof(struct kernel_vm86_struct, vm86plus) -
29373 sizeof(info.regs));
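Review bot: The CAP_SYS_RAWIO gate is pasted identically into vm86old here and into vm86 in the `@@ -238,6 +247,13 @@` hunk, but at different points: in vm86old it follows the `saved_sp0` test, in vm86 it is the first statement. A caller without the capability whose `saved_sp0` is already set gets -EPERM from vm86old without `gr_handle_vm86()` being called, while the same caller reaches `gr_handle_vm86()` through vm86. Putting the gate first in both syscalls, ideally through one small static helper, would make the handling uniform and remove the duplicated block.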
29374@@ -238,6 +247,13 @@ SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg)
29375 int tmp;
29376 struct vm86plus_struct __user *v86;
29377
29378+#ifdef CONFIG_GRKERNSEC_VM86
29379+ if (!capable(CAP_SYS_RAWIO)) {
29380+ gr_handle_vm86();
29381+ return -EPERM;
29382+ }
29383+#endif
29384+
29385 tsk = current;
29386 switch (cmd) {
29387 case VM86_REQUEST_IRQ:
29388@@ -318,7 +334,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk
29389 tsk->thread.saved_fs = info->regs32->fs;
29390 tsk->thread.saved_gs = get_user_gs(info->regs32);
29391
29392- tss = &per_cpu(cpu_tss, get_cpu());
29393+ tss = cpu_tss + get_cpu();
29394 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
29395 if (cpu_has_sep)
29396 tsk->thread.sysenter_cs = 0;
29397@@ -525,7 +541,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i,
29398 goto cannot_handle;
29399 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
29400 goto cannot_handle;
29401- intr_ptr = (unsigned long __user *) (i << 2);
29402+ intr_ptr = (__force unsigned long __user *) (i << 2);
29403 if (get_user(segoffs, intr_ptr))
29404 goto cannot_handle;
29405 if ((segoffs >> 16) == BIOSSEG)
29406diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
29407index 00bf300..03e1c3b 100644
29408--- a/arch/x86/kernel/vmlinux.lds.S
29409+++ b/arch/x86/kernel/vmlinux.lds.S
29410@@ -26,6 +26,13 @@
29411 #include <asm/page_types.h>
29412 #include <asm/cache.h>
29413 #include <asm/boot.h>
29414+#include <asm/segment.h>
29415+
29416+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29417+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
29418+#else
29419+#define __KERNEL_TEXT_OFFSET 0
29420+#endif
29421
29422 #undef i386 /* in case the preprocessor is a 32bit one */
29423
29424@@ -69,30 +76,43 @@ jiffies_64 = jiffies;
29425
29426 PHDRS {
29427 text PT_LOAD FLAGS(5); /* R_E */
29428+#ifdef CONFIG_X86_32
29429+ module PT_LOAD FLAGS(5); /* R_E */
29430+#endif
29431+#ifdef CONFIG_XEN
29432+ rodata PT_LOAD FLAGS(5); /* R_E */
29433+#else
29434+ rodata PT_LOAD FLAGS(4); /* R__ */
29435+#endif
29436 data PT_LOAD FLAGS(6); /* RW_ */
29437-#ifdef CONFIG_X86_64
29438+ init.begin PT_LOAD FLAGS(6); /* RW_ */
29439 #ifdef CONFIG_SMP
29440 percpu PT_LOAD FLAGS(6); /* RW_ */
29441 #endif
29442- init PT_LOAD FLAGS(7); /* RWE */
29443-#endif
29444+ text.init PT_LOAD FLAGS(5); /* R_E */
29445+ text.exit PT_LOAD FLAGS(5); /* R_E */
29446+ init PT_LOAD FLAGS(6); /* RW_ */
29447 note PT_NOTE FLAGS(0); /* ___ */
29448 }
29449
29450 SECTIONS
29451 {
29452 #ifdef CONFIG_X86_32
29453- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
29454- phys_startup_32 = startup_32 - LOAD_OFFSET;
29455+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
29456 #else
29457- . = __START_KERNEL;
29458- phys_startup_64 = startup_64 - LOAD_OFFSET;
29459+ . = __START_KERNEL;
29460 #endif
29461
29462 /* Text and read-only data */
29463- .text : AT(ADDR(.text) - LOAD_OFFSET) {
29464- _text = .;
29465+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
29466 /* bootstrapping code */
29467+#ifdef CONFIG_X86_32
29468+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29469+#else
29470+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29471+#endif
29472+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29473+ _text = .;
29474 HEAD_TEXT
29475 . = ALIGN(8);
29476 _stext = .;
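Review bot: In the PHDRS block the `rodata` segment is declared `FLAGS(5)` (read and execute) when CONFIG_XEN is set and `FLAGS(4)` otherwise, with no comment explaining why a Xen build needs executable read-only data. That exception cuts against the split the rest of this hunk sets up (text R_E, rodata R__, data and init RW_), so the reason belongs next to it. A comment of the form `/* Xen: rodata stays executable because <reason> */` is suggested, with the reason supplied by the author. The SECTIONS block continues outside the hunk.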
29477@@ -104,13 +124,47 @@ SECTIONS
29478 IRQENTRY_TEXT
29479 *(.fixup)
29480 *(.gnu.warning)
29481- /* End of text section */
29482- _etext = .;
29483 } :text = 0x9090
29484
29485- NOTES :text :note
29486+ . += __KERNEL_TEXT_OFFSET;
29487
29488- EXCEPTION_TABLE(16) :text = 0x9090
29489+#ifdef CONFIG_X86_32
29490+ . = ALIGN(PAGE_SIZE);
29491+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
29492+
29493+#ifdef CONFIG_PAX_KERNEXEC
29494+ MODULES_EXEC_VADDR = .;
29495+ BYTE(0)
29496+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
29497+ . = ALIGN(HPAGE_SIZE) - 1;
29498+ MODULES_EXEC_END = .;
29499+#endif
29500+
29501+ } :module
29502+#endif
29503+
29504+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
29505+ /* End of text section */
29506+ BYTE(0)
29507+ _etext = . - __KERNEL_TEXT_OFFSET;
29508+ }
29509+
29510+#ifdef CONFIG_X86_32
29511+ . = ALIGN(PAGE_SIZE);
29512+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
29513+ . = ALIGN(PAGE_SIZE);
29514+ *(.empty_zero_page)
29515+ *(.initial_pg_fixmap)
29516+ *(.initial_pg_pmd)
29517+ *(.initial_page_table)
29518+ *(.swapper_pg_dir)
29519+ } :rodata
29520+#endif
29521+
29522+ . = ALIGN(PAGE_SIZE);
29523+ NOTES :rodata :note
29524+
29525+ EXCEPTION_TABLE(16) :rodata
29526
29527 #if defined(CONFIG_DEBUG_RODATA)
29528 /* .text should occupy whole number of pages */
29529@@ -122,16 +176,20 @@ SECTIONS
29530
29531 /* Data */
29532 .data : AT(ADDR(.data) - LOAD_OFFSET) {
29533+
29534+#ifdef CONFIG_PAX_KERNEXEC
29535+ . = ALIGN(HPAGE_SIZE);
29536+#else
29537+ . = ALIGN(PAGE_SIZE);
29538+#endif
29539+
29540 /* Start of data section */
29541 _sdata = .;
29542
29543 /* init_task */
29544 INIT_TASK_DATA(THREAD_SIZE)
29545
29546-#ifdef CONFIG_X86_32
29547- /* 32 bit has nosave before _edata */
29548 NOSAVE_DATA
29549-#endif
29550
29551 PAGE_ALIGNED_DATA(PAGE_SIZE)
29552
29553@@ -174,12 +232,19 @@ SECTIONS
29554 . = ALIGN(__vvar_page + PAGE_SIZE, PAGE_SIZE);
29555
29556 /* Init code and data - will be freed after init */
29557- . = ALIGN(PAGE_SIZE);
29558 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
29559+ BYTE(0)
29560+
29561+#ifdef CONFIG_PAX_KERNEXEC
29562+ . = ALIGN(HPAGE_SIZE);
29563+#else
29564+ . = ALIGN(PAGE_SIZE);
29565+#endif
29566+
29567 __init_begin = .; /* paired with __init_end */
29568- }
29569+ } :init.begin
29570
29571-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
29572+#ifdef CONFIG_SMP
29573 /*
29574 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
29575 * output PHDR, so the next output section - .init.text - should
29576@@ -190,12 +255,33 @@ SECTIONS
29577 "per-CPU data too large - increase CONFIG_PHYSICAL_START")
29578 #endif
29579
29580- INIT_TEXT_SECTION(PAGE_SIZE)
29581-#ifdef CONFIG_X86_64
29582- :init
29583+ . = ALIGN(PAGE_SIZE);
29584+ init_begin = .;
29585+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
29586+ VMLINUX_SYMBOL(_sinittext) = .;
29587+ INIT_TEXT
29588+ . = ALIGN(PAGE_SIZE);
29589+ } :text.init
29590+
29591+ /*
29592+ * .exit.text is discard at runtime, not link time, to deal with
29593+ * references from .altinstructions and .eh_frame
29594+ */
29595+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
29596+ EXIT_TEXT
29597+ VMLINUX_SYMBOL(_einittext) = .;
29598+
29599+#ifdef CONFIG_PAX_KERNEXEC
29600+ . = ALIGN(HPAGE_SIZE);
29601+#else
29602+ . = ALIGN(16);
29603 #endif
29604
29605- INIT_DATA_SECTION(16)
29606+ } :text.exit
29607+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
29608+
29609+ . = ALIGN(PAGE_SIZE);
29610+ INIT_DATA_SECTION(16) :init
29611
29612 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
29613 __x86_cpu_dev_start = .;
29614@@ -266,19 +352,12 @@ SECTIONS
29615 }
29616
29617 . = ALIGN(8);
29618- /*
29619- * .exit.text is discard at runtime, not link time, to deal with
29620- * references from .altinstructions and .eh_frame
29621- */
29622- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
29623- EXIT_TEXT
29624- }
29625
29626 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
29627 EXIT_DATA
29628 }
29629
29630-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
29631+#ifndef CONFIG_SMP
29632 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
29633 #endif
29634
29635@@ -297,16 +376,10 @@ SECTIONS
29636 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
29637 __smp_locks = .;
29638 *(.smp_locks)
29639- . = ALIGN(PAGE_SIZE);
29640 __smp_locks_end = .;
29641+ . = ALIGN(PAGE_SIZE);
29642 }
29643
29644-#ifdef CONFIG_X86_64
29645- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
29646- NOSAVE_DATA
29647- }
29648-#endif
29649-
29650 /* BSS */
29651 . = ALIGN(PAGE_SIZE);
29652 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
29653@@ -322,6 +395,7 @@ SECTIONS
29654 __brk_base = .;
29655 . += 64 * 1024; /* 64k alignment slop space */
29656 *(.brk_reservation) /* areas brk users have reserved */
29657+ . = ALIGN(HPAGE_SIZE);
29658 __brk_limit = .;
29659 }
29660
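Review bot: `. = ALIGN(HPAGE_SIZE);` before `__brk_limit` is added unconditionally, whereas the other HPAGE_SIZE alignments this patch adds to the linker script (in .data, .init.begin and .exit.text) sit under `#ifdef CONFIG_PAX_KERNEXEC` with a smaller fallback. Without KERNEXEC this still pads the brk area to a huge-page boundary, which can enlarge the image measured by the KERNEL_IMAGE_SIZE assert further down. If the padding is only needed for KERNEXEC it should go under the same `#ifdef`; if it is always needed, a comment should say why.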
29661@@ -348,13 +422,12 @@ SECTIONS
29662 * for the boot processor.
29663 */
29664 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
29665-INIT_PER_CPU(gdt_page);
29666 INIT_PER_CPU(irq_stack_union);
29667
29668 /*
29669 * Build-time check on the image size:
29670 */
29671-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
29672+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
29673 "kernel image bigger than KERNEL_IMAGE_SIZE");
29674
29675 #ifdef CONFIG_SMP
29676diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
29677index a0695be..33e180c 100644
29678--- a/arch/x86/kernel/x8664_ksyms_64.c
29679+++ b/arch/x86/kernel/x8664_ksyms_64.c
29680@@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string);
29681 EXPORT_SYMBOL(copy_user_generic_unrolled);
29682 EXPORT_SYMBOL(copy_user_enhanced_fast_string);
29683 EXPORT_SYMBOL(__copy_user_nocache);
29684-EXPORT_SYMBOL(_copy_from_user);
29685-EXPORT_SYMBOL(_copy_to_user);
29686
29687 EXPORT_SYMBOL(copy_page);
29688 EXPORT_SYMBOL(clear_page);
29689@@ -77,3 +75,7 @@ EXPORT_SYMBOL(native_load_gs_index);
29690 EXPORT_SYMBOL(___preempt_schedule);
29691 EXPORT_SYMBOL(___preempt_schedule_notrace);
29692 #endif
29693+
29694+#ifdef CONFIG_PAX_PER_CPU_PGD
29695+EXPORT_SYMBOL(cpu_pgd);
29696+#endif
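Review bot: `EXPORT_SYMBOL(cpu_pgd)` makes the symbol linkable from any loadable module, including non-GPL ones, and nothing in the hunk names the module that needs it. Judging by its name and the CONFIG_PAX_PER_CPU_PGD guard this is page-table state, which is a sensitive thing to hand to arbitrary modules. If only in-tree code uses it, `EXPORT_SYMBOL_GPL(cpu_pgd);` with a comment naming the consumer would narrow the exposure.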
29697diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
29698index 3839628..2e5b5b35 100644
29699--- a/arch/x86/kernel/x86_init.c
29700+++ b/arch/x86/kernel/x86_init.c
29701@@ -92,7 +92,7 @@ struct x86_cpuinit_ops x86_cpuinit = {
29702 static void default_nmi_init(void) { };
29703 static int default_i8042_detect(void) { return 1; };
29704
29705-struct x86_platform_ops x86_platform = {
29706+struct x86_platform_ops x86_platform __read_only = {
29707 .calibrate_tsc = native_calibrate_tsc,
29708 .get_wallclock = mach_get_cmos_time,
29709 .set_wallclock = mach_set_rtc_mmss,
29710@@ -108,7 +108,7 @@ struct x86_platform_ops x86_platform = {
29711 EXPORT_SYMBOL_GPL(x86_platform);
29712
29713 #if defined(CONFIG_PCI_MSI)
29714-struct x86_msi_ops x86_msi = {
29715+struct x86_msi_ops x86_msi __read_only = {
29716 .setup_msi_irqs = native_setup_msi_irqs,
29717 .teardown_msi_irq = native_teardown_msi_irq,
29718 .teardown_msi_irqs = default_teardown_msi_irqs,
29719@@ -137,7 +137,7 @@ void arch_restore_msi_irqs(struct pci_dev *dev)
29720 }
29721 #endif
29722
29723-struct x86_io_apic_ops x86_io_apic_ops = {
29724+struct x86_io_apic_ops x86_io_apic_ops __read_only = {
29725 .read = native_io_apic_read,
29726 .disable = native_disable_io_apic,
29727 };
29728diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
29729index 2fbea25..9e0f8c7 100644
29730--- a/arch/x86/kvm/cpuid.c
29731+++ b/arch/x86/kvm/cpuid.c
29732@@ -206,15 +206,20 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
29733 struct kvm_cpuid2 *cpuid,
29734 struct kvm_cpuid_entry2 __user *entries)
29735 {
29736- int r;
29737+ int r, i;
29738
29739 r = -E2BIG;
29740 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
29741 goto out;
29742 r = -EFAULT;
29743- if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
29744- cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
29745+ if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
29746 goto out;
29747+ for (i = 0; i < cpuid->nent; ++i) {
29748+ struct kvm_cpuid_entry2 cpuid_entry;
29749+ if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
29750+ goto out;
29751+ vcpu->arch.cpuid_entries[i] = cpuid_entry;
29752+ }
29753 vcpu->arch.cpuid_nent = cpuid->nent;
29754 kvm_apic_set_version(vcpu);
29755 kvm_x86_ops->cpuid_update(vcpu);
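Review bot: The rewritten copy in kvm_vcpu_ioctl_set_cpuid2 replaces one bulk `copy_from_user` with `access_ok` plus a per-entry `__copy_from_user` through a stack temporary, and no comment says why. Presumably this keeps each copy at a compile-time constant size for the patch's usercopy checks, which should be stated, e.g. `/* copy entry by entry so every user copy has a constant, object-sized length */`. The index `i` is declared `int` but compared against `cpuid->nent`, an unsigned field, so `unsigned int i` would avoid the mixed-sign comparison. A fault in the middle of the loop leaves `vcpu->arch.cpuid_entries` partly overwritten while `cpuid_nent` keeps its old value. The get_cpuid2 hunk (`@@ -227,15 +232,19 @@`) uses the same loop shape and needs the same comment.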
29756@@ -227,15 +232,19 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
29757 struct kvm_cpuid2 *cpuid,
29758 struct kvm_cpuid_entry2 __user *entries)
29759 {
29760- int r;
29761+ int r, i;
29762
29763 r = -E2BIG;
29764 if (cpuid->nent < vcpu->arch.cpuid_nent)
29765 goto out;
29766 r = -EFAULT;
29767- if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
29768- vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
29769+ if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
29770 goto out;
29771+ for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
29772+ struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
29773+ if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
29774+ goto out;
29775+ }
29776 return 0;
29777
29778 out:
29779diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
29780index e7a4fde..623af93 100644
29781--- a/arch/x86/kvm/emulate.c
29782+++ b/arch/x86/kvm/emulate.c
29783@@ -3847,7 +3847,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
29784 int cr = ctxt->modrm_reg;
29785 u64 efer = 0;
29786
29787- static u64 cr_reserved_bits[] = {
29788+ static const u64 cr_reserved_bits[] = {
29789 0xffffffff00000000ULL,
29790 0, 0, 0, /* CR3 checked later */
29791 CR4_RESERVED_BITS,
29792diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
29793index 2a5ca97..ce8577a 100644
29794--- a/arch/x86/kvm/lapic.c
29795+++ b/arch/x86/kvm/lapic.c
29796@@ -56,7 +56,7 @@
29797 #define APIC_BUS_CYCLE_NS 1
29798
29799 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
29800-#define apic_debug(fmt, arg...)
29801+#define apic_debug(fmt, arg...) do {} while (0)
29802
29803 #define APIC_LVT_NUM 6
29804 /* 14 is the version for Xeon and Pentium 8.4.8*/
29805diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
29806index 0f67d7e..4b9fa11 100644
29807--- a/arch/x86/kvm/paging_tmpl.h
29808+++ b/arch/x86/kvm/paging_tmpl.h
29809@@ -343,7 +343,7 @@ retry_walk:
29810 if (unlikely(kvm_is_error_hva(host_addr)))
29811 goto error;
29812
29813- ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
29814+ ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
29815 if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte))))
29816 goto error;
29817 walker->ptep_user[walker->level - 1] = ptep_user;
29818diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
29819index 8e0c084..bdb9c3b 100644
29820--- a/arch/x86/kvm/svm.c
29821+++ b/arch/x86/kvm/svm.c
29822@@ -3688,7 +3688,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
29823 int cpu = raw_smp_processor_id();
29824
29825 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
29826+
29827+ pax_open_kernel();
29828 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
29829+ pax_close_kernel();
29830+
29831 load_TR_desc();
29832 }
29833
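Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair added around `sd->tss_desc->type = 9;` carries no comment, and the same pattern is added to reload_tss in vmx.c (the hunk at -1705). Presumably the descriptor table is write-protected under this patch, so the store needs a temporary write window. A short comment such as `/* descriptor table is read-only here; open a write window for this one store */` would record that. Keeping the window limited to the single store, as done here, is the right shape and worth saying so that nobody widens it later.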
29834@@ -4084,6 +4088,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
29835 #endif
29836 #endif
29837
29838+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
29839+ __set_fs(current_thread_info()->addr_limit);
29840+#endif
29841+
29842 reload_tss(vcpu);
29843
29844 local_irq_disable();
29845diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
29846index 83b7b5c..26d8b1b 100644
29847--- a/arch/x86/kvm/vmx.c
29848+++ b/arch/x86/kvm/vmx.c
29849@@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value)
29850 #endif
29851 }
29852
29853-static void vmcs_clear_bits(unsigned long field, u32 mask)
29854+static void vmcs_clear_bits(unsigned long field, unsigned long mask)
29855 {
29856 vmcs_writel(field, vmcs_readl(field) & ~mask);
29857 }
29858
29859-static void vmcs_set_bits(unsigned long field, u32 mask)
29860+static void vmcs_set_bits(unsigned long field, unsigned long mask)
29861 {
29862 vmcs_writel(field, vmcs_readl(field) | mask);
29863 }
29864@@ -1705,7 +1705,11 @@ static void reload_tss(void)
29865 struct desc_struct *descs;
29866
29867 descs = (void *)gdt->address;
29868+
29869+ pax_open_kernel();
29870 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
29871+ pax_close_kernel();
29872+
29873 load_TR_desc();
29874 }
29875
29876@@ -1941,6 +1945,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
29877 vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
29878 vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */
29879
29880+#ifdef CONFIG_PAX_PER_CPU_PGD
29881+ vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
29882+#endif
29883+
29884 rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
29885 vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
29886 vmx->loaded_vmcs->cpu = cpu;
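Review bot: HOST_CR3 is now written in two places selected by opposite preprocessor tests, and neither site mentions the other. It is written here under `#ifdef CONFIG_PAX_PER_CPU_PGD`, and in vmx_set_constant_host_state under `#ifndef CONFIG_PAX_PER_CPU_PGD` (the hunk at -4459). The added line also carries over the `FIXME: shadow tables` remark unchanged, although it now runs on every vcpu load rather than once. A comment at each site would keep the two in step, for example `/* per-CPU PGD: host CR3 depends on the CPU, so set it on each load instead of in vmx_set_constant_host_state() */`; the reason is inferred from the config name. vmx_vcpu_load continues outside the hunk.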
29887@@ -2232,7 +2240,7 @@ static void setup_msrs(struct vcpu_vmx *vmx)
29888 * reads and returns guest's timestamp counter "register"
29889 * guest_tsc = host_tsc + tsc_offset -- 21.3
29890 */
29891-static u64 guest_read_tsc(void)
29892+static u64 __intentional_overflow(-1) guest_read_tsc(void)
29893 {
29894 u64 host_tsc, tsc_offset;
29895
29896@@ -4459,7 +4467,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
29897 unsigned long cr4;
29898
29899 vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */
29900+
29901+#ifndef CONFIG_PAX_PER_CPU_PGD
29902 vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
29903+#endif
29904
29905 /* Save the most likely value for this task's CR4 in the VMCS. */
29906 cr4 = cr4_read_shadow();
29907@@ -4486,7 +4497,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
29908 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
29909 vmx->host_idt_base = dt.address;
29910
29911- vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */
29912+ vmcs_writel(HOST_RIP, ktla_ktva(vmx_return)); /* 22.2.5 */
29913
29914 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
29915 vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
29916@@ -6097,11 +6108,17 @@ static __init int hardware_setup(void)
29917 * page upon invalidation. No need to do anything if not
29918 * using the APIC_ACCESS_ADDR VMCS field.
29919 */
29920- if (!flexpriority_enabled)
29921- kvm_x86_ops->set_apic_access_page_addr = NULL;
29922+ if (!flexpriority_enabled) {
29923+ pax_open_kernel();
29924+ *(void **)&kvm_x86_ops->set_apic_access_page_addr = NULL;
29925+ pax_close_kernel();
29926+ }
29927
29928- if (!cpu_has_vmx_tpr_shadow())
29929- kvm_x86_ops->update_cr8_intercept = NULL;
29930+ if (!cpu_has_vmx_tpr_shadow()) {
29931+ pax_open_kernel();
29932+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
29933+ pax_close_kernel();
29934+ }
29935
29936 if (enable_ept && !cpu_has_vmx_ept_2m_page())
29937 kvm_disable_largepages();
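Review bot: Storing through `*(void **)&kvm_x86_ops->...` removes the compiler's check on the function-pointer type as well as the qualifier. That matters most for the one non-NULL store in the next hunk, `*(void **)&kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;`, where a signature mismatch would no longer be diagnosed. The same cast is repeated in this hunk and in the two that follow (-6112 and -6172), each time without explanation. At minimum add a comment at first use, such as `/* ops table is write-protected; the cast bypasses const and type checking, so keep the assigned function's signature in sync by hand */`. hardware_setup starts and ends outside the hunk.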
29938@@ -6112,14 +6129,16 @@ static __init int hardware_setup(void)
29939 if (!cpu_has_vmx_apicv())
29940 enable_apicv = 0;
29941
29942+ pax_open_kernel();
29943 if (enable_apicv)
29944- kvm_x86_ops->update_cr8_intercept = NULL;
29945+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
29946 else {
29947- kvm_x86_ops->hwapic_irr_update = NULL;
29948- kvm_x86_ops->hwapic_isr_update = NULL;
29949- kvm_x86_ops->deliver_posted_interrupt = NULL;
29950- kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
29951+ *(void **)&kvm_x86_ops->hwapic_irr_update = NULL;
29952+ *(void **)&kvm_x86_ops->hwapic_isr_update = NULL;
29953+ *(void **)&kvm_x86_ops->deliver_posted_interrupt = NULL;
29954+ *(void **)&kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
29955 }
29956+ pax_close_kernel();
29957
29958 vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
29959 vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
29960@@ -6172,10 +6191,12 @@ static __init int hardware_setup(void)
29961 enable_pml = 0;
29962
29963 if (!enable_pml) {
29964- kvm_x86_ops->slot_enable_log_dirty = NULL;
29965- kvm_x86_ops->slot_disable_log_dirty = NULL;
29966- kvm_x86_ops->flush_log_dirty = NULL;
29967- kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
29968+ pax_open_kernel();
29969+ *(void **)&kvm_x86_ops->slot_enable_log_dirty = NULL;
29970+ *(void **)&kvm_x86_ops->slot_disable_log_dirty = NULL;
29971+ *(void **)&kvm_x86_ops->flush_log_dirty = NULL;
29972+ *(void **)&kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
29973+ pax_close_kernel();
29974 }
29975
29976 return alloc_kvm_area();
29977@@ -8378,6 +8399,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
29978 "jmp 2f \n\t"
29979 "1: " __ex(ASM_VMX_VMRESUME) "\n\t"
29980 "2: "
29981+
29982+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29983+ "ljmp %[cs],$3f\n\t"
29984+ "3: "
29985+#endif
29986+
29987 /* Save guest registers, load host registers, keep flags */
29988 "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
29989 "pop %0 \n\t"
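Review bot: The added `ljmp %[cs],$3f` directly after the VMRESUME label has no comment, although the surrounding exit path is annotated step by step. Presumably it reloads CS from `__KERNEL_CS` because the CS state the CPU restores on VM exit is not the one KERNEXEC expects on 32-bit; if so, a comment line between the string literals should say it, e.g. `/* KERNEXEC: reload CS from the GDT after VM exit */`. The matching `[cs]"i"(__KERNEL_CS)` operand is added in the following hunk (-8430), and the two `#if` conditions must stay identical or the asm will not assemble. The asm statement starts and ends outside this hunk.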
29990@@ -8430,6 +8457,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
29991 #endif
29992 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
29993 [wordsize]"i"(sizeof(ulong))
29994+
29995+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29996+ ,[cs]"i"(__KERNEL_CS)
29997+#endif
29998+
29999 : "cc", "memory"
30000 #ifdef CONFIG_X86_64
30001 , "rax", "rbx", "rdi", "rsi"
30002@@ -8443,7 +8475,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
30003 if (debugctlmsr)
30004 update_debugctlmsr(debugctlmsr);
30005
30006-#ifndef CONFIG_X86_64
30007+#ifdef CONFIG_X86_32
30008 /*
30009 * The sysexit path does not restore ds/es, so we must set them to
30010 * a reasonable value ourselves.
30011@@ -8452,8 +8484,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
30012 * may be executed in interrupt context, which saves and restore segments
30013 * around it, nullifying its effect.
30014 */
30015- loadsegment(ds, __USER_DS);
30016- loadsegment(es, __USER_DS);
30017+ loadsegment(ds, __KERNEL_DS);
30018+ loadsegment(es, __KERNEL_DS);
30019+ loadsegment(ss, __KERNEL_DS);
30020+
30021+#ifdef CONFIG_PAX_KERNEXEC
30022+ loadsegment(fs, __KERNEL_PERCPU);
30023+#endif
30024+
30025+#ifdef CONFIG_PAX_MEMORY_UDEREF
30026+ __set_fs(current_thread_info()->addr_limit);
30027+#endif
30028+
30029 #endif
30030
30031 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
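Review bot: The comment kept above these loads still speaks only of ds/es, while the new code loads `__KERNEL_DS` instead of `__USER_DS`, additionally reloads ss, and conditionally restores fs and the address limit. Since the selector choice is security-relevant, the comment should be extended to match, for example `/* ds/es/ss are set to __KERNEL_DS rather than __USER_DS; fs and addr_limit are restored for KERNEXEC and UDEREF */`. The enclosing `#ifdef CONFIG_X86_32` and the first half of the comment are in the previous hunk (-8443).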
30032diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
30033index 8f0f6ec..9cee69e 100644
30034--- a/arch/x86/kvm/x86.c
30035+++ b/arch/x86/kvm/x86.c
30036@@ -1842,8 +1842,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
30037 {
30038 struct kvm *kvm = vcpu->kvm;
30039 int lm = is_long_mode(vcpu);
30040- u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
30041- : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
30042+ u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
30043+ : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
30044 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
30045 : kvm->arch.xen_hvm_config.blob_size_32;
30046 u32 page_num = data & ~PAGE_MASK;
30047@@ -2731,6 +2731,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
30048 if (n < msr_list.nmsrs)
30049 goto out;
30050 r = -EFAULT;
30051+ if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
30052+ goto out;
30053 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
30054 num_msrs_to_save * sizeof(u32)))
30055 goto out;
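Review bot: The new bound check `if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save)) goto out;` fails with the `-EFAULT` assigned just above. That tells the caller its buffer is bad, when the condition would actually mean the kernel's own count is inconsistent with its array. It is also silent, so a violated invariant would never reach the log. `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save))) goto out;` keeps the guard against over-reading `msrs_to_save` and leaves a trace; whether a different errno is wanted is the author's call. kvm_arch_dev_ioctl continues outside the hunk.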
30056@@ -3091,7 +3093,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
30057
30058 static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
30059 {
30060- struct xregs_state *xsave = &vcpu->arch.guest_fpu.state.xsave;
30061+ struct xregs_state *xsave = &vcpu->arch.guest_fpu.state->xsave;
30062 u64 xstate_bv = xsave->header.xfeatures;
30063 u64 valid;
30064
30065@@ -3127,7 +3129,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
30066
30067 static void load_xsave(struct kvm_vcpu *vcpu, u8 *src)
30068 {
30069- struct xregs_state *xsave = &vcpu->arch.guest_fpu.state.xsave;
30070+ struct xregs_state *xsave = &vcpu->arch.guest_fpu.state->xsave;
30071 u64 xstate_bv = *(u64 *)(src + XSAVE_HDR_OFFSET);
30072 u64 valid;
30073
30074@@ -3171,7 +3173,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
30075 fill_xsave((u8 *) guest_xsave->region, vcpu);
30076 } else {
30077 memcpy(guest_xsave->region,
30078- &vcpu->arch.guest_fpu.state.fxsave,
30079+ &vcpu->arch.guest_fpu.state->fxsave,
30080 sizeof(struct fxregs_state));
30081 *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)] =
30082 XSTATE_FPSSE;
30083@@ -3196,7 +3198,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
30084 } else {
30085 if (xstate_bv & ~XSTATE_FPSSE)
30086 return -EINVAL;
30087- memcpy(&vcpu->arch.guest_fpu.state.fxsave,
30088+ memcpy(&vcpu->arch.guest_fpu.state->fxsave,
30089 guest_xsave->region, sizeof(struct fxregs_state));
30090 }
30091 return 0;
30092@@ -5786,7 +5788,7 @@ static struct notifier_block pvclock_gtod_notifier = {
30093 };
30094 #endif
30095
30096-int kvm_arch_init(void *opaque)
30097+int kvm_arch_init(const void *opaque)
30098 {
30099 int r;
30100 struct kvm_x86_ops *ops = opaque;
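Review bot: With the parameter changed to `const void *opaque`, the unchanged context line `struct kvm_x86_ops *ops = opaque;` initialises a non-const pointer from a const one. That discards the qualifier unless the struct type is made const elsewhere in the patch, which this hunk does not show. Declaring the local as `const struct kvm_x86_ops *ops = opaque;` keeps the new qualifier meaningful inside the function. The rest of kvm_arch_init is outside the hunk, so any later store through `ops` would need checking.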
30101@@ -7210,7 +7212,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
30102 int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30103 {
30104 struct fxregs_state *fxsave =
30105- &vcpu->arch.guest_fpu.state.fxsave;
30106+ &vcpu->arch.guest_fpu.state->fxsave;
30107
30108 memcpy(fpu->fpr, fxsave->st_space, 128);
30109 fpu->fcw = fxsave->cwd;
30110@@ -7227,7 +7229,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30111 int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30112 {
30113 struct fxregs_state *fxsave =
30114- &vcpu->arch.guest_fpu.state.fxsave;
30115+ &vcpu->arch.guest_fpu.state->fxsave;
30116
30117 memcpy(fxsave->st_space, fpu->fpr, 128);
30118 fxsave->cwd = fpu->fcw;
30119@@ -7243,9 +7245,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30120
30121 static void fx_init(struct kvm_vcpu *vcpu)
30122 {
30123- fpstate_init(&vcpu->arch.guest_fpu.state);
30124+ fpstate_init(vcpu->arch.guest_fpu.state);
30125 if (cpu_has_xsaves)
30126- vcpu->arch.guest_fpu.state.xsave.header.xcomp_bv =
30127+ vcpu->arch.guest_fpu.state->xsave.header.xcomp_bv =
30128 host_xcr0 | XSTATE_COMPACTION_ENABLED;
30129
30130 /*
30131@@ -7269,7 +7271,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
30132 kvm_put_guest_xcr0(vcpu);
30133 vcpu->guest_fpu_loaded = 1;
30134 __kernel_fpu_begin();
30135- __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu.state);
30136+ __copy_kernel_to_fpregs(vcpu->arch.guest_fpu.state);
30137 trace_kvm_fpu(1);
30138 }
30139
30140@@ -7547,6 +7549,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
30141
30142 struct static_key kvm_no_apic_vcpu __read_mostly;
30143
30144+extern struct kmem_cache *fpregs_state_cachep;
30145+
30146 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
30147 {
30148 struct page *page;
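Review bot: `extern struct kmem_cache *fpregs_state_cachep;` is declared in the middle of x86.c rather than in a header shared with the file that defines the cache, so a change to the definition's type would not be caught when this file is compiled. Moving the declaration to the header that the defining file also includes would let the compiler check both sides. If it has to stay local, a comment naming where the cache is created would at least make the dependency findable.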
30149@@ -7563,11 +7567,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
30150 else
30151 vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED;
30152
30153- page = alloc_page(GFP_KERNEL | __GFP_ZERO);
30154- if (!page) {
30155- r = -ENOMEM;
30156+ r = -ENOMEM;
30157+ vcpu->arch.guest_fpu.state = kmem_cache_alloc(fpregs_state_cachep, GFP_KERNEL);
30158+ if (!vcpu->arch.guest_fpu.state)
30159 goto fail;
30160- }
30161+
30162+ page = alloc_page(GFP_KERNEL | __GFP_ZERO);
30163+ if (!page)
30164+ goto fail_free_fpregs;
30165 vcpu->arch.pio_data = page_address(page);
30166
30167 kvm_set_tsc_khz(vcpu, max_tsc_khz);
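Review bot: The guest FPU state is allocated with `kmem_cache_alloc(fpregs_state_cachep, GFP_KERNEL)` and is not zeroed, while the `pio_data` page next to it is still requested with `__GFP_ZERO`. fx_init() calls `fpstate_init()` on the buffer, but whether that runs before every path that can copy the state out (the get_xsave and get_fpu ioctls touched elsewhere in this file) is not visible from the hunk. Unless it is guaranteed, `kmem_cache_zalloc(fpregs_state_cachep, GFP_KERNEL)` would rule out exposing stale slab contents. The new `fail_free_fpregs` label is in the following hunk (-7621), and kvm_arch_vcpu_init continues outside this one.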
30168@@ -7621,6 +7628,9 @@ fail_mmu_destroy:
30169 kvm_mmu_destroy(vcpu);
30170 fail_free_pio_data:
30171 free_page((unsigned long)vcpu->arch.pio_data);
30172+fail_free_fpregs:
30173+ kmem_cache_free(fpregs_state_cachep, vcpu->arch.guest_fpu.state);
30174+ vcpu->arch.guest_fpu.state = NULL;
30175 fail:
30176 return r;
30177 }
30178@@ -7638,6 +7648,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
30179 free_page((unsigned long)vcpu->arch.pio_data);
30180 if (!irqchip_in_kernel(vcpu->kvm))
30181 static_key_slow_dec(&kvm_no_apic_vcpu);
30182+ kmem_cache_free(fpregs_state_cachep, vcpu->arch.guest_fpu.state);
30183+ vcpu->arch.guest_fpu.state = NULL;
30184 }
30185
30186 void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu)
30187diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
30188index f2dc08c..d85d906 100644
30189--- a/arch/x86/lguest/boot.c
30190+++ b/arch/x86/lguest/boot.c
30191@@ -1341,9 +1341,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count)
30192 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
30193 * Launcher to reboot us.
30194 */
30195-static void lguest_restart(char *reason)
30196+static __noreturn void lguest_restart(char *reason)
30197 {
30198 hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0);
30199+ BUG();
30200 }
30201
30202 /*G:050
30203diff --git a/arch/x86/lib/atomic64_386_32.S b/arch/x86/lib/atomic64_386_32.S
30204index 9b0ca8f..bb4af41 100644
30205--- a/arch/x86/lib/atomic64_386_32.S
30206+++ b/arch/x86/lib/atomic64_386_32.S
30207@@ -45,6 +45,10 @@ BEGIN(read)
30208 movl (v), %eax
30209 movl 4(v), %edx
30210 RET_ENDP
30211+BEGIN(read_unchecked)
30212+ movl (v), %eax
30213+ movl 4(v), %edx
30214+RET_ENDP
30215 #undef v
30216
30217 #define v %esi
30218@@ -52,6 +56,10 @@ BEGIN(set)
30219 movl %ebx, (v)
30220 movl %ecx, 4(v)
30221 RET_ENDP
30222+BEGIN(set_unchecked)
30223+ movl %ebx, (v)
30224+ movl %ecx, 4(v)
30225+RET_ENDP
30226 #undef v
30227
30228 #define v %esi
30229@@ -67,6 +75,20 @@ RET_ENDP
30230 BEGIN(add)
30231 addl %eax, (v)
30232 adcl %edx, 4(v)
30233+
30234+#ifdef CONFIG_PAX_REFCOUNT
30235+ jno 0f
30236+ subl %eax, (v)
30237+ sbbl %edx, 4(v)
30238+ int $4
30239+0:
30240+ _ASM_EXTABLE(0b, 0b)
30241+#endif
30242+
30243+RET_ENDP
30244+BEGIN(add_unchecked)
30245+ addl %eax, (v)
30246+ adcl %edx, 4(v)
30247 RET_ENDP
30248 #undef v
30249
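Review bot: The overflow path added to `add` (`jno 0f`, undo with `subl`/`sbbl`, `int $4`, then `_ASM_EXTABLE(0b, 0b)`) has no comment. It is repeated in the same form in sub, inc and dec (hunks -83, -102, -120), while the `*_return` variants use a different scheme with `into` and a `1234:` label. A comment at first use would make both readable, for example `/* signed overflow: roll the update back, then trap; the extable entry resumes at 0: */`, which is how the sequence reads but should be confirmed against the trap handler. The `_unchecked` copies also duplicate each body line for line. Generating the checked and unchecked forms from one macro, as atomic64_cx8_32.S does in this patch with `.ifb \unchecked`, would keep them from drifting apart.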
30250@@ -74,6 +96,24 @@ RET_ENDP
30251 BEGIN(add_return)
30252 addl (v), %eax
30253 adcl 4(v), %edx
30254+
30255+#ifdef CONFIG_PAX_REFCOUNT
30256+ into
30257+1234:
30258+ _ASM_EXTABLE(1234b, 2f)
30259+#endif
30260+
30261+ movl %eax, (v)
30262+ movl %edx, 4(v)
30263+
30264+#ifdef CONFIG_PAX_REFCOUNT
30265+2:
30266+#endif
30267+
30268+RET_ENDP
30269+BEGIN(add_return_unchecked)
30270+ addl (v), %eax
30271+ adcl 4(v), %edx
30272 movl %eax, (v)
30273 movl %edx, 4(v)
30274 RET_ENDP
30275@@ -83,6 +123,20 @@ RET_ENDP
30276 BEGIN(sub)
30277 subl %eax, (v)
30278 sbbl %edx, 4(v)
30279+
30280+#ifdef CONFIG_PAX_REFCOUNT
30281+ jno 0f
30282+ addl %eax, (v)
30283+ adcl %edx, 4(v)
30284+ int $4
30285+0:
30286+ _ASM_EXTABLE(0b, 0b)
30287+#endif
30288+
30289+RET_ENDP
30290+BEGIN(sub_unchecked)
30291+ subl %eax, (v)
30292+ sbbl %edx, 4(v)
30293 RET_ENDP
30294 #undef v
30295
30296@@ -93,6 +147,27 @@ BEGIN(sub_return)
30297 sbbl $0, %edx
30298 addl (v), %eax
30299 adcl 4(v), %edx
30300+
30301+#ifdef CONFIG_PAX_REFCOUNT
30302+ into
30303+1234:
30304+ _ASM_EXTABLE(1234b, 2f)
30305+#endif
30306+
30307+ movl %eax, (v)
30308+ movl %edx, 4(v)
30309+
30310+#ifdef CONFIG_PAX_REFCOUNT
30311+2:
30312+#endif
30313+
30314+RET_ENDP
30315+BEGIN(sub_return_unchecked)
30316+ negl %edx
30317+ negl %eax
30318+ sbbl $0, %edx
30319+ addl (v), %eax
30320+ adcl 4(v), %edx
30321 movl %eax, (v)
30322 movl %edx, 4(v)
30323 RET_ENDP
30324@@ -102,6 +177,20 @@ RET_ENDP
30325 BEGIN(inc)
30326 addl $1, (v)
30327 adcl $0, 4(v)
30328+
30329+#ifdef CONFIG_PAX_REFCOUNT
30330+ jno 0f
30331+ subl $1, (v)
30332+ sbbl $0, 4(v)
30333+ int $4
30334+0:
30335+ _ASM_EXTABLE(0b, 0b)
30336+#endif
30337+
30338+RET_ENDP
30339+BEGIN(inc_unchecked)
30340+ addl $1, (v)
30341+ adcl $0, 4(v)
30342 RET_ENDP
30343 #undef v
30344
30345@@ -111,6 +200,26 @@ BEGIN(inc_return)
30346 movl 4(v), %edx
30347 addl $1, %eax
30348 adcl $0, %edx
30349+
30350+#ifdef CONFIG_PAX_REFCOUNT
30351+ into
30352+1234:
30353+ _ASM_EXTABLE(1234b, 2f)
30354+#endif
30355+
30356+ movl %eax, (v)
30357+ movl %edx, 4(v)
30358+
30359+#ifdef CONFIG_PAX_REFCOUNT
30360+2:
30361+#endif
30362+
30363+RET_ENDP
30364+BEGIN(inc_return_unchecked)
30365+ movl (v), %eax
30366+ movl 4(v), %edx
30367+ addl $1, %eax
30368+ adcl $0, %edx
30369 movl %eax, (v)
30370 movl %edx, 4(v)
30371 RET_ENDP
30372@@ -120,6 +229,20 @@ RET_ENDP
30373 BEGIN(dec)
30374 subl $1, (v)
30375 sbbl $0, 4(v)
30376+
30377+#ifdef CONFIG_PAX_REFCOUNT
30378+ jno 0f
30379+ addl $1, (v)
30380+ adcl $0, 4(v)
30381+ int $4
30382+0:
30383+ _ASM_EXTABLE(0b, 0b)
30384+#endif
30385+
30386+RET_ENDP
30387+BEGIN(dec_unchecked)
30388+ subl $1, (v)
30389+ sbbl $0, 4(v)
30390 RET_ENDP
30391 #undef v
30392
30393@@ -129,6 +252,26 @@ BEGIN(dec_return)
30394 movl 4(v), %edx
30395 subl $1, %eax
30396 sbbl $0, %edx
30397+
30398+#ifdef CONFIG_PAX_REFCOUNT
30399+ into
30400+1234:
30401+ _ASM_EXTABLE(1234b, 2f)
30402+#endif
30403+
30404+ movl %eax, (v)
30405+ movl %edx, 4(v)
30406+
30407+#ifdef CONFIG_PAX_REFCOUNT
30408+2:
30409+#endif
30410+
30411+RET_ENDP
30412+BEGIN(dec_return_unchecked)
30413+ movl (v), %eax
30414+ movl 4(v), %edx
30415+ subl $1, %eax
30416+ sbbl $0, %edx
30417 movl %eax, (v)
30418 movl %edx, 4(v)
30419 RET_ENDP
30420@@ -140,6 +283,13 @@ BEGIN(add_unless)
30421 adcl %edx, %edi
30422 addl (v), %eax
30423 adcl 4(v), %edx
30424+
30425+#ifdef CONFIG_PAX_REFCOUNT
30426+ into
30427+1234:
30428+ _ASM_EXTABLE(1234b, 2f)
30429+#endif
30430+
30431 cmpl %eax, %ecx
30432 je 3f
30433 1:
30434@@ -165,6 +315,13 @@ BEGIN(inc_not_zero)
30435 1:
30436 addl $1, %eax
30437 adcl $0, %edx
30438+
30439+#ifdef CONFIG_PAX_REFCOUNT
30440+ into
30441+1234:
30442+ _ASM_EXTABLE(1234b, 2f)
30443+#endif
30444+
30445 movl %eax, (v)
30446 movl %edx, 4(v)
30447 movl $1, %eax
30448@@ -183,6 +340,13 @@ BEGIN(dec_if_positive)
30449 movl 4(v), %edx
30450 subl $1, %eax
30451 sbbl $0, %edx
30452+
30453+#ifdef CONFIG_PAX_REFCOUNT
30454+ into
30455+1234:
30456+ _ASM_EXTABLE(1234b, 1f)
30457+#endif
30458+
30459 js 1f
30460 movl %eax, (v)
30461 movl %edx, 4(v)
30462diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S
30463index db3ae854..b8ad0de 100644
30464--- a/arch/x86/lib/atomic64_cx8_32.S
30465+++ b/arch/x86/lib/atomic64_cx8_32.S
30466@@ -22,9 +22,16 @@
30467
30468 ENTRY(atomic64_read_cx8)
30469 read64 %ecx
30470+ pax_force_retaddr
30471 ret
30472 ENDPROC(atomic64_read_cx8)
30473
30474+ENTRY(atomic64_read_unchecked_cx8)
30475+ read64 %ecx
30476+ pax_force_retaddr
30477+ ret
30478+ENDPROC(atomic64_read_unchecked_cx8)
30479+
30480 ENTRY(atomic64_set_cx8)
30481 1:
30482 /* we don't need LOCK_PREFIX since aligned 64-bit writes
30483@@ -32,20 +39,33 @@ ENTRY(atomic64_set_cx8)
30484 cmpxchg8b (%esi)
30485 jne 1b
30486
30487+ pax_force_retaddr
30488 ret
30489 ENDPROC(atomic64_set_cx8)
30490
30491+ENTRY(atomic64_set_unchecked_cx8)
30492+1:
30493+/* we don't need LOCK_PREFIX since aligned 64-bit writes
30494+ * are atomic on 586 and newer */
30495+ cmpxchg8b (%esi)
30496+ jne 1b
30497+
30498+ pax_force_retaddr
30499+ ret
30500+ENDPROC(atomic64_set_unchecked_cx8)
30501+
30502 ENTRY(atomic64_xchg_cx8)
30503 1:
30504 LOCK_PREFIX
30505 cmpxchg8b (%esi)
30506 jne 1b
30507
30508+ pax_force_retaddr
30509 ret
30510 ENDPROC(atomic64_xchg_cx8)
30511
30512-.macro addsub_return func ins insc
30513-ENTRY(atomic64_\func\()_return_cx8)
30514+.macro addsub_return func ins insc unchecked=""
30515+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
30516 pushl %ebp
30517 pushl %ebx
30518 pushl %esi
30519@@ -61,26 +81,43 @@ ENTRY(atomic64_\func\()_return_cx8)
30520 movl %edx, %ecx
30521 \ins\()l %esi, %ebx
30522 \insc\()l %edi, %ecx
30523+
30524+.ifb \unchecked
30525+#ifdef CONFIG_PAX_REFCOUNT
30526+ into
30527+2:
30528+ _ASM_EXTABLE(2b, 3f)
30529+#endif
30530+.endif
30531+
30532 LOCK_PREFIX
30533 cmpxchg8b (%ebp)
30534 jne 1b
30535-
30536-10:
30537 movl %ebx, %eax
30538 movl %ecx, %edx
30539+
30540+.ifb \unchecked
30541+#ifdef CONFIG_PAX_REFCOUNT
30542+3:
30543+#endif
30544+.endif
30545+
30546 popl %edi
30547 popl %esi
30548 popl %ebx
30549 popl %ebp
30550+ pax_force_retaddr
30551 ret
30552-ENDPROC(atomic64_\func\()_return_cx8)
30553+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
30554 .endm
30555
30556 addsub_return add add adc
30557 addsub_return sub sub sbb
30558+addsub_return add add adc _unchecked
30559+addsub_return sub sub sbb _unchecked
30560
30561-.macro incdec_return func ins insc
30562-ENTRY(atomic64_\func\()_return_cx8)
30563+.macro incdec_return func ins insc unchecked=""
30564+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
30565 pushl %ebx
30566
30567 read64 %esi
30568@@ -89,20 +126,37 @@ ENTRY(atomic64_\func\()_return_cx8)
30569 movl %edx, %ecx
30570 \ins\()l $1, %ebx
30571 \insc\()l $0, %ecx
30572+
30573+.ifb \unchecked
30574+#ifdef CONFIG_PAX_REFCOUNT
30575+ into
30576+2:
30577+ _ASM_EXTABLE(2b, 3f)
30578+#endif
30579+.endif
30580+
30581 LOCK_PREFIX
30582 cmpxchg8b (%esi)
30583 jne 1b
30584-
30585-10:
30586 movl %ebx, %eax
30587 movl %ecx, %edx
30588+
30589+.ifb \unchecked
30590+#ifdef CONFIG_PAX_REFCOUNT
30591+3:
30592+#endif
30593+.endif
30594+
30595 popl %ebx
30596+ pax_force_retaddr
30597 ret
30598-ENDPROC(atomic64_\func\()_return_cx8)
30599+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
30600 .endm
30601
30602 incdec_return inc add adc
30603 incdec_return dec sub sbb
30604+incdec_return inc add adc _unchecked
30605+incdec_return dec sub sbb _unchecked
30606
30607 ENTRY(atomic64_dec_if_positive_cx8)
30608 pushl %ebx
30609@@ -113,6 +167,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
30610 movl %edx, %ecx
30611 subl $1, %ebx
30612 sbb $0, %ecx
30613+
30614+#ifdef CONFIG_PAX_REFCOUNT
30615+ into
30616+1234:
30617+ _ASM_EXTABLE(1234b, 2f)
30618+#endif
30619+
30620 js 2f
30621 LOCK_PREFIX
30622 cmpxchg8b (%esi)
30623@@ -122,6 +183,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
30624 movl %ebx, %eax
30625 movl %ecx, %edx
30626 popl %ebx
30627+ pax_force_retaddr
30628 ret
30629 ENDPROC(atomic64_dec_if_positive_cx8)
30630
30631@@ -144,6 +206,13 @@ ENTRY(atomic64_add_unless_cx8)
30632 movl %edx, %ecx
30633 addl %ebp, %ebx
30634 adcl %edi, %ecx
30635+
30636+#ifdef CONFIG_PAX_REFCOUNT
30637+ into
30638+1234:
30639+ _ASM_EXTABLE(1234b, 3f)
30640+#endif
30641+
30642 LOCK_PREFIX
30643 cmpxchg8b (%esi)
30644 jne 1b
30645@@ -153,6 +222,7 @@ ENTRY(atomic64_add_unless_cx8)
30646 addl $8, %esp
30647 popl %ebx
30648 popl %ebp
30649+ pax_force_retaddr
30650 ret
30651 4:
30652 cmpl %edx, 4(%esp)
30653@@ -173,6 +243,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
30654 xorl %ecx, %ecx
30655 addl $1, %ebx
30656 adcl %edx, %ecx
30657+
30658+#ifdef CONFIG_PAX_REFCOUNT
30659+ into
30660+1234:
30661+ _ASM_EXTABLE(1234b, 3f)
30662+#endif
30663+
30664 LOCK_PREFIX
30665 cmpxchg8b (%esi)
30666 jne 1b
30667@@ -180,5 +257,6 @@ ENTRY(atomic64_inc_not_zero_cx8)
30668 movl $1, %eax
30669 3:
30670 popl %ebx
30671+ pax_force_retaddr
30672 ret
30673 ENDPROC(atomic64_inc_not_zero_cx8)
30674diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S
30675index c1e6232..ebbeba7 100644
30676--- a/arch/x86/lib/checksum_32.S
30677+++ b/arch/x86/lib/checksum_32.S
30678@@ -28,7 +28,8 @@
30679 #include <linux/linkage.h>
30680 #include <asm/errno.h>
30681 #include <asm/asm.h>
30682-
30683+#include <asm/segment.h>
30684+
30685 /*
30686 * computes a partial checksum, e.g. for TCP/UDP fragments
30687 */
30688@@ -280,7 +281,22 @@ unsigned int csum_partial_copy_generic (const char *src, char *dst,
30689
30690 #define ARGBASE 16
30691 #define FP 12
30692-
30693+
30694+ENTRY(csum_partial_copy_generic_to_user)
30695+
30696+#ifdef CONFIG_PAX_MEMORY_UDEREF
30697+ pushl %gs
30698+ popl %es
30699+ jmp csum_partial_copy_generic
30700+#endif
30701+
30702+ENTRY(csum_partial_copy_generic_from_user)
30703+
30704+#ifdef CONFIG_PAX_MEMORY_UDEREF
30705+ pushl %gs
30706+ popl %ds
30707+#endif
30708+
30709 ENTRY(csum_partial_copy_generic)
30710 subl $4,%esp
30711 pushl %edi
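Review bot: The two new entry points only have a body under `CONFIG_PAX_MEMORY_UDEREF`; without it all three `ENTRY` labels resolve to one address. With it, `csum_partial_copy_generic_from_user` reaches `csum_partial_copy_generic` by fall-through while `_to_user` jumps there, and none of this is stated. A comment such as `/* falls through to csum_partial_copy_generic */` after the `_from_user` block would make the layout deliberate rather than accidental-looking. The closing `ENDPROC` in the later hunk (-389) is renamed to `csum_partial_copy_generic_to_user`, which leaves the other two entries without an end annotation. Adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` beside it would give each symbol its own type and size. The same applies to the second copy of this block in the PentiumII/PPro branch.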
30712@@ -299,7 +315,7 @@ ENTRY(csum_partial_copy_generic)
30713 jmp 4f
30714 SRC(1: movw (%esi), %bx )
30715 addl $2, %esi
30716-DST( movw %bx, (%edi) )
30717+DST( movw %bx, %es:(%edi) )
30718 addl $2, %edi
30719 addw %bx, %ax
30720 adcl $0, %eax
30721@@ -311,30 +327,30 @@ DST( movw %bx, (%edi) )
30722 SRC(1: movl (%esi), %ebx )
30723 SRC( movl 4(%esi), %edx )
30724 adcl %ebx, %eax
30725-DST( movl %ebx, (%edi) )
30726+DST( movl %ebx, %es:(%edi) )
30727 adcl %edx, %eax
30728-DST( movl %edx, 4(%edi) )
30729+DST( movl %edx, %es:4(%edi) )
30730
30731 SRC( movl 8(%esi), %ebx )
30732 SRC( movl 12(%esi), %edx )
30733 adcl %ebx, %eax
30734-DST( movl %ebx, 8(%edi) )
30735+DST( movl %ebx, %es:8(%edi) )
30736 adcl %edx, %eax
30737-DST( movl %edx, 12(%edi) )
30738+DST( movl %edx, %es:12(%edi) )
30739
30740 SRC( movl 16(%esi), %ebx )
30741 SRC( movl 20(%esi), %edx )
30742 adcl %ebx, %eax
30743-DST( movl %ebx, 16(%edi) )
30744+DST( movl %ebx, %es:16(%edi) )
30745 adcl %edx, %eax
30746-DST( movl %edx, 20(%edi) )
30747+DST( movl %edx, %es:20(%edi) )
30748
30749 SRC( movl 24(%esi), %ebx )
30750 SRC( movl 28(%esi), %edx )
30751 adcl %ebx, %eax
30752-DST( movl %ebx, 24(%edi) )
30753+DST( movl %ebx, %es:24(%edi) )
30754 adcl %edx, %eax
30755-DST( movl %edx, 28(%edi) )
30756+DST( movl %edx, %es:28(%edi) )
30757
30758 lea 32(%esi), %esi
30759 lea 32(%edi), %edi
30760@@ -348,7 +364,7 @@ DST( movl %edx, 28(%edi) )
30761 shrl $2, %edx # This clears CF
30762 SRC(3: movl (%esi), %ebx )
30763 adcl %ebx, %eax
30764-DST( movl %ebx, (%edi) )
30765+DST( movl %ebx, %es:(%edi) )
30766 lea 4(%esi), %esi
30767 lea 4(%edi), %edi
30768 dec %edx
30769@@ -360,12 +376,12 @@ DST( movl %ebx, (%edi) )
30770 jb 5f
30771 SRC( movw (%esi), %cx )
30772 leal 2(%esi), %esi
30773-DST( movw %cx, (%edi) )
30774+DST( movw %cx, %es:(%edi) )
30775 leal 2(%edi), %edi
30776 je 6f
30777 shll $16,%ecx
30778 SRC(5: movb (%esi), %cl )
30779-DST( movb %cl, (%edi) )
30780+DST( movb %cl, %es:(%edi) )
30781 6: addl %ecx, %eax
30782 adcl $0, %eax
30783 7:
30784@@ -376,7 +392,7 @@ DST( movb %cl, (%edi) )
30785
30786 6001:
30787 movl ARGBASE+20(%esp), %ebx # src_err_ptr
30788- movl $-EFAULT, (%ebx)
30789+ movl $-EFAULT, %ss:(%ebx)
30790
30791 # zero the complete destination - computing the rest
30792 # is too much work
30793@@ -389,34 +405,58 @@ DST( movb %cl, (%edi) )
30794
30795 6002:
30796 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
30797- movl $-EFAULT,(%ebx)
30798+ movl $-EFAULT,%ss:(%ebx)
30799 jmp 5000b
30800
30801 .previous
30802
30803+#ifdef CONFIG_PAX_MEMORY_UDEREF
30804+ pushl %ss
30805+ popl %ds
30806+ pushl %ss
30807+ popl %es
30808+#endif
30809+
30810 popl %ebx
30811 popl %esi
30812 popl %edi
30813 popl %ecx # equivalent to addl $4,%esp
30814 ret
30815-ENDPROC(csum_partial_copy_generic)
30816+ENDPROC(csum_partial_copy_generic_to_user)
30817
30818 #else
30819
30820 /* Version for PentiumII/PPro */
30821
30822 #define ROUND1(x) \
30823+ nop; nop; nop; \
30824 SRC(movl x(%esi), %ebx ) ; \
30825 addl %ebx, %eax ; \
30826- DST(movl %ebx, x(%edi) ) ;
30827+ DST(movl %ebx, %es:x(%edi)) ;
30828
30829 #define ROUND(x) \
30830+ nop; nop; nop; \
30831 SRC(movl x(%esi), %ebx ) ; \
30832 adcl %ebx, %eax ; \
30833- DST(movl %ebx, x(%edi) ) ;
30834+ DST(movl %ebx, %es:x(%edi)) ;
30835
30836 #define ARGBASE 12
30837-
30838+
30839+ENTRY(csum_partial_copy_generic_to_user)
30840+
30841+#ifdef CONFIG_PAX_MEMORY_UDEREF
30842+ pushl %gs
30843+ popl %es
30844+ jmp csum_partial_copy_generic
30845+#endif
30846+
30847+ENTRY(csum_partial_copy_generic_from_user)
30848+
30849+#ifdef CONFIG_PAX_MEMORY_UDEREF
30850+ pushl %gs
30851+ popl %ds
30852+#endif
30853+
30854 ENTRY(csum_partial_copy_generic)
30855 pushl %ebx
30856 pushl %edi
30857@@ -435,7 +475,7 @@ ENTRY(csum_partial_copy_generic)
30858 subl %ebx, %edi
30859 lea -1(%esi),%edx
30860 andl $-32,%edx
30861- lea 3f(%ebx,%ebx), %ebx
30862+ lea 3f(%ebx,%ebx,2), %ebx
30863 testl %esi, %esi
30864 jmp *%ebx
30865 1: addl $64,%esi
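Review bot: The change of the computed-jump scale to `lea 3f(%ebx,%ebx,2), %ebx` depends on every `ROUND`/`ROUND1` expansion having a fixed, larger size. The three `nop`s and the `%es:` override added to those macros in the previous hunk presumably exist to produce that size, but the coupling is not written down anywhere. Anyone who later touches the macros or the addressing mode will break the `jmp *%ebx` target silently. Add a comment at both places, for example `/* each ROUND is nop-padded to a fixed size; the index scale in the lea before jmp *%ebx must match it */`. The exact byte counts cannot be verified from the hunk.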
30866@@ -456,19 +496,19 @@ ENTRY(csum_partial_copy_generic)
30867 jb 5f
30868 SRC( movw (%esi), %dx )
30869 leal 2(%esi), %esi
30870-DST( movw %dx, (%edi) )
30871+DST( movw %dx, %es:(%edi) )
30872 leal 2(%edi), %edi
30873 je 6f
30874 shll $16,%edx
30875 5:
30876 SRC( movb (%esi), %dl )
30877-DST( movb %dl, (%edi) )
30878+DST( movb %dl, %es:(%edi) )
30879 6: addl %edx, %eax
30880 adcl $0, %eax
30881 7:
30882 .section .fixup, "ax"
30883 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
30884- movl $-EFAULT, (%ebx)
30885+ movl $-EFAULT, %ss:(%ebx)
30886 # zero the complete destination (computing the rest is too much work)
30887 movl ARGBASE+8(%esp),%edi # dst
30888 movl ARGBASE+12(%esp),%ecx # len
30889@@ -476,15 +516,22 @@ DST( movb %dl, (%edi) )
30890 rep; stosb
30891 jmp 7b
30892 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
30893- movl $-EFAULT, (%ebx)
30894+ movl $-EFAULT, %ss:(%ebx)
30895 jmp 7b
30896 .previous
30897
30898+#ifdef CONFIG_PAX_MEMORY_UDEREF
30899+ pushl %ss
30900+ popl %ds
30901+ pushl %ss
30902+ popl %es
30903+#endif
30904+
30905 popl %esi
30906 popl %edi
30907 popl %ebx
30908 ret
30909-ENDPROC(csum_partial_copy_generic)
30910+ENDPROC(csum_partial_copy_generic_to_user)
30911
30912 #undef ROUND
30913 #undef ROUND1
30914diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S
30915index a2fe51b..507dab0 100644
30916--- a/arch/x86/lib/clear_page_64.S
30917+++ b/arch/x86/lib/clear_page_64.S
30918@@ -21,6 +21,7 @@ ENTRY(clear_page)
30919 movl $4096/8,%ecx
30920 xorl %eax,%eax
30921 rep stosq
30922+ pax_force_retaddr
30923 ret
30924 ENDPROC(clear_page)
30925
30926@@ -43,6 +44,7 @@ ENTRY(clear_page_orig)
30927 leaq 64(%rdi),%rdi
30928 jnz .Lloop
30929 nop
30930+ pax_force_retaddr
30931 ret
30932 ENDPROC(clear_page_orig)
30933
30934@@ -50,5 +52,6 @@ ENTRY(clear_page_c_e)
30935 movl $4096,%ecx
30936 xorl %eax,%eax
30937 rep stosb
30938+ pax_force_retaddr
30939 ret
30940 ENDPROC(clear_page_c_e)
30941diff --git a/arch/x86/lib/cmpxchg16b_emu.S b/arch/x86/lib/cmpxchg16b_emu.S
30942index 9b33024..e52ee44 100644
30943--- a/arch/x86/lib/cmpxchg16b_emu.S
30944+++ b/arch/x86/lib/cmpxchg16b_emu.S
30945@@ -7,6 +7,7 @@
30946 */
30947 #include <linux/linkage.h>
30948 #include <asm/percpu.h>
30949+#include <asm/alternative-asm.h>
30950
30951 .text
30952
30953@@ -43,11 +44,13 @@ ENTRY(this_cpu_cmpxchg16b_emu)
30954
30955 popfq
30956 mov $1, %al
30957+ pax_force_retaddr
30958 ret
30959
30960 .Lnot_same:
30961 popfq
30962 xor %al,%al
30963+ pax_force_retaddr
30964 ret
30965
30966 ENDPROC(this_cpu_cmpxchg16b_emu)
30967diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S
30968index 009f982..9b3db5e 100644
30969--- a/arch/x86/lib/copy_page_64.S
30970+++ b/arch/x86/lib/copy_page_64.S
30971@@ -15,13 +15,14 @@ ENTRY(copy_page)
30972 ALTERNATIVE "jmp copy_page_regs", "", X86_FEATURE_REP_GOOD
30973 movl $4096/8, %ecx
30974 rep movsq
30975+ pax_force_retaddr
30976 ret
30977 ENDPROC(copy_page)
30978
30979 ENTRY(copy_page_regs)
30980 subq $2*8, %rsp
30981 movq %rbx, (%rsp)
30982- movq %r12, 1*8(%rsp)
30983+ movq %r13, 1*8(%rsp)
30984
30985 movl $(4096/64)-5, %ecx
30986 .p2align 4
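Review bot: The scratch register in `copy_page_regs` changes from %r12 to %r13 without any comment, so a later sync with upstream could silently bring %r12 back. If %r12 is reserved by another part of this patch (presumably the return-address hardening that `pax_force_retaddr` belongs to, which is not visible here), say so once at the save: `/* %r12 is left untouched on purpose; %r13 is the callee-saved scratch */`. The same substitution recurs in the later hunks of this file and, with %r15, in csum-copy_64.S.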
30987@@ -34,7 +35,7 @@ ENTRY(copy_page_regs)
30988 movq 0x8*4(%rsi), %r9
30989 movq 0x8*5(%rsi), %r10
30990 movq 0x8*6(%rsi), %r11
30991- movq 0x8*7(%rsi), %r12
30992+ movq 0x8*7(%rsi), %r13
30993
30994 prefetcht0 5*64(%rsi)
30995
30996@@ -45,7 +46,7 @@ ENTRY(copy_page_regs)
30997 movq %r9, 0x8*4(%rdi)
30998 movq %r10, 0x8*5(%rdi)
30999 movq %r11, 0x8*6(%rdi)
31000- movq %r12, 0x8*7(%rdi)
31001+ movq %r13, 0x8*7(%rdi)
31002
31003 leaq 64 (%rsi), %rsi
31004 leaq 64 (%rdi), %rdi
31005@@ -64,7 +65,7 @@ ENTRY(copy_page_regs)
31006 movq 0x8*4(%rsi), %r9
31007 movq 0x8*5(%rsi), %r10
31008 movq 0x8*6(%rsi), %r11
31009- movq 0x8*7(%rsi), %r12
31010+ movq 0x8*7(%rsi), %r13
31011
31012 movq %rax, 0x8*0(%rdi)
31013 movq %rbx, 0x8*1(%rdi)
31014@@ -73,14 +74,15 @@ ENTRY(copy_page_regs)
31015 movq %r9, 0x8*4(%rdi)
31016 movq %r10, 0x8*5(%rdi)
31017 movq %r11, 0x8*6(%rdi)
31018- movq %r12, 0x8*7(%rdi)
31019+ movq %r13, 0x8*7(%rdi)
31020
31021 leaq 64(%rdi), %rdi
31022 leaq 64(%rsi), %rsi
31023 jnz .Loop2
31024
31025 movq (%rsp), %rbx
31026- movq 1*8(%rsp), %r12
31027+ movq 1*8(%rsp), %r13
31028 addq $2*8, %rsp
31029+ pax_force_retaddr
31030 ret
31031 ENDPROC(copy_page_regs)
31032diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
31033index 982ce34..8e14731 100644
31034--- a/arch/x86/lib/copy_user_64.S
31035+++ b/arch/x86/lib/copy_user_64.S
31036@@ -14,50 +14,7 @@
31037 #include <asm/alternative-asm.h>
31038 #include <asm/asm.h>
31039 #include <asm/smap.h>
31040-
31041-/* Standard copy_to_user with segment limit checking */
31042-ENTRY(_copy_to_user)
31043- GET_THREAD_INFO(%rax)
31044- movq %rdi,%rcx
31045- addq %rdx,%rcx
31046- jc bad_to_user
31047- cmpq TI_addr_limit(%rax),%rcx
31048- ja bad_to_user
31049- ALTERNATIVE_2 "jmp copy_user_generic_unrolled", \
31050- "jmp copy_user_generic_string", \
31051- X86_FEATURE_REP_GOOD, \
31052- "jmp copy_user_enhanced_fast_string", \
31053- X86_FEATURE_ERMS
31054-ENDPROC(_copy_to_user)
31055-
31056-/* Standard copy_from_user with segment limit checking */
31057-ENTRY(_copy_from_user)
31058- GET_THREAD_INFO(%rax)
31059- movq %rsi,%rcx
31060- addq %rdx,%rcx
31061- jc bad_from_user
31062- cmpq TI_addr_limit(%rax),%rcx
31063- ja bad_from_user
31064- ALTERNATIVE_2 "jmp copy_user_generic_unrolled", \
31065- "jmp copy_user_generic_string", \
31066- X86_FEATURE_REP_GOOD, \
31067- "jmp copy_user_enhanced_fast_string", \
31068- X86_FEATURE_ERMS
31069-ENDPROC(_copy_from_user)
31070-
31071- .section .fixup,"ax"
31072- /* must zero dest */
31073-ENTRY(bad_from_user)
31074-bad_from_user:
31075- movl %edx,%ecx
31076- xorl %eax,%eax
31077- rep
31078- stosb
31079-bad_to_user:
31080- movl %edx,%eax
31081- ret
31082-ENDPROC(bad_from_user)
31083- .previous
31084+#include <asm/pgtable.h>
31085
31086 /*
31087 * copy_user_generic_unrolled - memory copy with exception handling.
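Review bot: Deleting `_copy_to_user` and `_copy_from_user` also deletes the only range checks visible in this file, namely the `jc` overflow test and the comparison against `TI_addr_limit`, and the hunk does not show what replaces them. The commit should state where the checked entry points now live. The header comments of `copy_user_generic_unrolled`, `copy_user_generic_string` and `copy_user_enhanced_fast_string` should also say that no bound is enforced inside them, e.g. `* The caller must already have validated the user range (access_ok).`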
31088@@ -73,6 +30,7 @@ ENDPROC(bad_from_user)
31089 * eax uncopied bytes or 0 if successful.
31090 */
31091 ENTRY(copy_user_generic_unrolled)
31092+ ASM_PAX_OPEN_USERLAND
31093 ASM_STAC
31094 cmpl $8,%edx
31095 jb 20f /* less then 8 bytes, go to byte copy loop */
31096@@ -122,6 +80,8 @@ ENTRY(copy_user_generic_unrolled)
31097 jnz 21b
31098 23: xor %eax,%eax
31099 ASM_CLAC
31100+ ASM_PAX_CLOSE_USERLAND
31101+ pax_force_retaddr
31102 ret
31103
31104 .section .fixup,"ax"
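Review bot: `ASM_PAX_CLOSE_USERLAND` is added only on the fall-through return at label 23, while the fault path of `copy_user_generic_unrolled` leaves through the `.fixup` section that starts on the last line of this hunk and continues outside it. If that path does not also close userland, a faulting copy returns with user memory still open to the kernel. Please confirm where the fault path closes it and record that next to `ASM_PAX_OPEN_USERLAND`, for example `/* closed at 23: and, on a fault, in <handler> */` with the real handler name filled in. The same question applies to `copy_user_generic_string`, `copy_user_enhanced_fast_string` and `__copy_user_nocache` in the following hunks.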
31105@@ -175,6 +135,7 @@ ENDPROC(copy_user_generic_unrolled)
31106 * eax uncopied bytes or 0 if successful.
31107 */
31108 ENTRY(copy_user_generic_string)
31109+ ASM_PAX_OPEN_USERLAND
31110 ASM_STAC
31111 cmpl $8,%edx
31112 jb 2f /* less than 8 bytes, go to byte copy loop */
31113@@ -189,6 +150,8 @@ ENTRY(copy_user_generic_string)
31114 movsb
31115 xorl %eax,%eax
31116 ASM_CLAC
31117+ ASM_PAX_CLOSE_USERLAND
31118+ pax_force_retaddr
31119 ret
31120
31121 .section .fixup,"ax"
31122@@ -214,12 +177,15 @@ ENDPROC(copy_user_generic_string)
31123 * eax uncopied bytes or 0 if successful.
31124 */
31125 ENTRY(copy_user_enhanced_fast_string)
31126+ ASM_PAX_OPEN_USERLAND
31127 ASM_STAC
31128 movl %edx,%ecx
31129 1: rep
31130 movsb
31131 xorl %eax,%eax
31132 ASM_CLAC
31133+ ASM_PAX_CLOSE_USERLAND
31134+ pax_force_retaddr
31135 ret
31136
31137 .section .fixup,"ax"
31138@@ -235,6 +201,16 @@ ENDPROC(copy_user_enhanced_fast_string)
31139 * This will force destination/source out of cache for more performance.
31140 */
31141 ENTRY(__copy_user_nocache)
31142+
31143+#ifdef CONFIG_PAX_MEMORY_UDEREF
31144+ mov pax_user_shadow_base,%rcx
31145+ cmp %rcx,%rsi
31146+ jae 1f
31147+ add %rcx,%rsi
31148+1:
31149+#endif
31150+
31151+ ASM_PAX_OPEN_USERLAND
31152 ASM_STAC
31153 cmpl $8,%edx
31154 jb 20f /* less then 8 bytes, go to byte copy loop */
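Review bot: The new rebasing block uses the local label `1:` with `jae 1f`, although this function already relies on numeric local labels (`20f` is visible here, `21b` and `23:` in the next hunk) and probably has a `1:` of its own for the exception table. getuser.S in this same patch uses `1234:` for the identical sequence, so `jae 1234f` / `1234:` here would keep the two files consistent and avoid a mis-bound `1b` if the block is ever moved. The block also overwrites %rcx before the copy starts; a comment such as `/* %rcx is scratch here */` should state that the body does not depend on its entry value, once that is checked against the part of the function outside this hunk.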
31155@@ -284,7 +260,9 @@ ENTRY(__copy_user_nocache)
31156 jnz 21b
31157 23: xorl %eax,%eax
31158 ASM_CLAC
31159+ ASM_PAX_CLOSE_USERLAND
31160 sfence
31161+ pax_force_retaddr
31162 ret
31163
31164 .section .fixup,"ax"
31165diff --git a/arch/x86/lib/csum-copy_64.S b/arch/x86/lib/csum-copy_64.S
31166index 7e48807..cc966ff 100644
31167--- a/arch/x86/lib/csum-copy_64.S
31168+++ b/arch/x86/lib/csum-copy_64.S
31169@@ -8,6 +8,7 @@
31170 #include <linux/linkage.h>
31171 #include <asm/errno.h>
31172 #include <asm/asm.h>
31173+#include <asm/alternative-asm.h>
31174
31175 /*
31176 * Checksum copy with exception handling.
31177@@ -52,7 +53,7 @@ ENTRY(csum_partial_copy_generic)
31178 .Lignore:
31179 subq $7*8, %rsp
31180 movq %rbx, 2*8(%rsp)
31181- movq %r12, 3*8(%rsp)
31182+ movq %r15, 3*8(%rsp)
31183 movq %r14, 4*8(%rsp)
31184 movq %r13, 5*8(%rsp)
31185 movq %rbp, 6*8(%rsp)
31186@@ -64,16 +65,16 @@ ENTRY(csum_partial_copy_generic)
31187 movl %edx, %ecx
31188
31189 xorl %r9d, %r9d
31190- movq %rcx, %r12
31191+ movq %rcx, %r15
31192
31193- shrq $6, %r12
31194+ shrq $6, %r15
31195 jz .Lhandle_tail /* < 64 */
31196
31197 clc
31198
31199 /* main loop. clear in 64 byte blocks */
31200 /* r9: zero, r8: temp2, rbx: temp1, rax: sum, rcx: saved length */
31201- /* r11: temp3, rdx: temp4, r12 loopcnt */
31202+ /* r11: temp3, rdx: temp4, r15 loopcnt */
31203 /* r10: temp5, rbp: temp6, r14 temp7, r13 temp8 */
31204 .p2align 4
31205 .Lloop:
31206@@ -107,7 +108,7 @@ ENTRY(csum_partial_copy_generic)
31207 adcq %r14, %rax
31208 adcq %r13, %rax
31209
31210- decl %r12d
31211+ decl %r15d
31212
31213 dest
31214 movq %rbx, (%rsi)
31215@@ -200,11 +201,12 @@ ENTRY(csum_partial_copy_generic)
31216
31217 .Lende:
31218 movq 2*8(%rsp), %rbx
31219- movq 3*8(%rsp), %r12
31220+ movq 3*8(%rsp), %r15
31221 movq 4*8(%rsp), %r14
31222 movq 5*8(%rsp), %r13
31223 movq 6*8(%rsp), %rbp
31224 addq $7*8, %rsp
31225+ pax_force_retaddr
31226 ret
31227
31228 /* Exception handlers. Very simple, zeroing is done in the wrappers */
31229diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
31230index 1318f75..44c30fd 100644
31231--- a/arch/x86/lib/csum-wrappers_64.c
31232+++ b/arch/x86/lib/csum-wrappers_64.c
31233@@ -52,10 +52,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
31234 len -= 2;
31235 }
31236 }
31237+ pax_open_userland();
31238 stac();
31239- isum = csum_partial_copy_generic((__force const void *)src,
31240+ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
31241 dst, len, isum, errp, NULL);
31242 clac();
31243+ pax_close_userland();
31244 if (unlikely(*errp))
31245 goto out_err;
31246
31247@@ -109,10 +111,12 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
31248 }
31249
31250 *errp = 0;
31251+ pax_open_userland();
31252 stac();
31253- ret = csum_partial_copy_generic(src, (void __force *)dst,
31254+ ret = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
31255 len, isum, NULL, errp);
31256 clac();
31257+ pax_close_userland();
31258 return ret;
31259 }
31260 EXPORT_SYMBOL(csum_partial_copy_to_user);
31261diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
31262index 46668cd..a3bdfb9 100644
31263--- a/arch/x86/lib/getuser.S
31264+++ b/arch/x86/lib/getuser.S
31265@@ -32,42 +32,93 @@
31266 #include <asm/thread_info.h>
31267 #include <asm/asm.h>
31268 #include <asm/smap.h>
31269+#include <asm/segment.h>
31270+#include <asm/pgtable.h>
31271+#include <asm/alternative-asm.h>
31272+
31273+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
31274+#define __copyuser_seg gs;
31275+#else
31276+#define __copyuser_seg
31277+#endif
31278
31279 .text
31280 ENTRY(__get_user_1)
31281+
31282+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31283 GET_THREAD_INFO(%_ASM_DX)
31284 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31285 jae bad_get_user
31286+
31287+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31288+ mov pax_user_shadow_base,%_ASM_DX
31289+ cmp %_ASM_DX,%_ASM_AX
31290+ jae 1234f
31291+ add %_ASM_DX,%_ASM_AX
31292+1234:
31293+#endif
31294+
31295+#endif
31296+
31297 ASM_STAC
31298-1: movzbl (%_ASM_AX),%edx
31299+1: __copyuser_seg movzbl (%_ASM_AX),%edx
31300 xor %eax,%eax
31301 ASM_CLAC
31302+ pax_force_retaddr
31303 ret
31304 ENDPROC(__get_user_1)
31305
31306 ENTRY(__get_user_2)
31307 add $1,%_ASM_AX
31308+
31309+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31310 jc bad_get_user
31311 GET_THREAD_INFO(%_ASM_DX)
31312 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31313 jae bad_get_user
31314+
31315+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31316+ mov pax_user_shadow_base,%_ASM_DX
31317+ cmp %_ASM_DX,%_ASM_AX
31318+ jae 1234f
31319+ add %_ASM_DX,%_ASM_AX
31320+1234:
31321+#endif
31322+
31323+#endif
31324+
31325 ASM_STAC
31326-2: movzwl -1(%_ASM_AX),%edx
31327+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
31328 xor %eax,%eax
31329 ASM_CLAC
31330+ pax_force_retaddr
31331 ret
31332 ENDPROC(__get_user_2)
31333
31334 ENTRY(__get_user_4)
31335 add $3,%_ASM_AX
31336+
31337+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31338 jc bad_get_user
31339 GET_THREAD_INFO(%_ASM_DX)
31340 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31341 jae bad_get_user
31342+
31343+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31344+ mov pax_user_shadow_base,%_ASM_DX
31345+ cmp %_ASM_DX,%_ASM_AX
31346+ jae 1234f
31347+ add %_ASM_DX,%_ASM_AX
31348+1234:
31349+#endif
31350+
31351+#endif
31352+
31353 ASM_STAC
31354-3: movl -3(%_ASM_AX),%edx
31355+3: __copyuser_seg movl -3(%_ASM_AX),%edx
31356 xor %eax,%eax
31357 ASM_CLAC
31358+ pax_force_retaddr
31359 ret
31360 ENDPROC(__get_user_4)
31361
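Review bot: The five-line shadow-base rebasing sequence is pasted verbatim into `__get_user_1`, `__get_user_2` and `__get_user_4` (and again into `__get_user_8` in the next hunk), each time inside two nested `#if` blocks, which makes the bodies hard to compare by eye. Folding it into one assembler macro that expands to nothing without 64-bit UDEREF leaves a single place to audit. Separately, on 32-bit UDEREF the outer `#if` compiles out the `jc` and `TI_addr_limit` checks entirely, so the access appears to be bounded only by whatever limit the `gs` segment carries. A comment stating that dependency belongs at the `__copyuser_seg` definition.

```asm
#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
/* Rebase a user address in %_ASM_AX that lies below the shadow base; clobbers %_ASM_DX. */
.macro pax_user_rebase_ax
	mov pax_user_shadow_base,%_ASM_DX
	cmp %_ASM_DX,%_ASM_AX
	jae 1234f
	add %_ASM_DX,%_ASM_AX
1234:
.endm
#else
.macro pax_user_rebase_ax
.endm
#endif

ENTRY(__get_user_1)
#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
	/* … unchanged: GET_THREAD_INFO and TI_addr_limit check … */
	pax_user_rebase_ax
#endif
	/* … unchanged: ASM_STAC, load, ASM_CLAC, return … */
```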
31362@@ -78,10 +129,20 @@ ENTRY(__get_user_8)
31363 GET_THREAD_INFO(%_ASM_DX)
31364 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31365 jae bad_get_user
31366+
31367+#ifdef CONFIG_PAX_MEMORY_UDEREF
31368+ mov pax_user_shadow_base,%_ASM_DX
31369+ cmp %_ASM_DX,%_ASM_AX
31370+ jae 1234f
31371+ add %_ASM_DX,%_ASM_AX
31372+1234:
31373+#endif
31374+
31375 ASM_STAC
31376 4: movq -7(%_ASM_AX),%rdx
31377 xor %eax,%eax
31378 ASM_CLAC
31379+ pax_force_retaddr
31380 ret
31381 #else
31382 add $7,%_ASM_AX
31383@@ -90,10 +151,11 @@ ENTRY(__get_user_8)
31384 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31385 jae bad_get_user_8
31386 ASM_STAC
31387-4: movl -7(%_ASM_AX),%edx
31388-5: movl -3(%_ASM_AX),%ecx
31389+4: __copyuser_seg movl -7(%_ASM_AX),%edx
31390+5: __copyuser_seg movl -3(%_ASM_AX),%ecx
31391 xor %eax,%eax
31392 ASM_CLAC
31393+ pax_force_retaddr
31394 ret
31395 #endif
31396 ENDPROC(__get_user_8)
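Review bot: The 32-bit branch of `__get_user_8` gains the `__copyuser_seg` prefix on both loads but keeps its `TI_addr_limit` comparison unconditionally, whereas `__get_user_1`, `__get_user_2` and `__get_user_4` compile that comparison out when `CONFIG_X86_32` and `CONFIG_PAX_MEMORY_UDEREF` are both set. Either the check is redundant here or it is missing there. The patch should make the four routines agree or add a comment explaining the difference, e.g. `/* limit check kept: <reason> */` with the reason supplied by the author. The start of this branch is outside the hunk.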
31397@@ -103,6 +165,7 @@ bad_get_user:
31398 xor %edx,%edx
31399 mov $(-EFAULT),%_ASM_AX
31400 ASM_CLAC
31401+ pax_force_retaddr
31402 ret
31403 END(bad_get_user)
31404
31405@@ -112,6 +175,7 @@ bad_get_user_8:
31406 xor %ecx,%ecx
31407 mov $(-EFAULT),%_ASM_AX
31408 ASM_CLAC
31409+ pax_force_retaddr
31410 ret
31411 END(bad_get_user_8)
31412 #endif
31413diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c
31414index 8f72b33..4667a46 100644
31415--- a/arch/x86/lib/insn.c
31416+++ b/arch/x86/lib/insn.c
31417@@ -20,8 +20,10 @@
31418
31419 #ifdef __KERNEL__
31420 #include <linux/string.h>
31421+#include <asm/pgtable_types.h>
31422 #else
31423 #include <string.h>
31424+#define ktla_ktva(addr) addr
31425 #endif
31426 #include <asm/inat.h>
31427 #include <asm/insn.h>
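Review bot: The userspace fallback `#define ktla_ktva(addr) addr` leaves its expansion unparenthesised, so a future use inside a larger expression can bind differently from the kernel version. Write it as `#define ktla_ktva(addr) (addr)`. A short comment that this is the identity stub for builds without `__KERNEL__` would also help, since the real definition presumably comes from the newly included header and is not visible here.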
31428@@ -60,9 +62,9 @@ void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64)
31429 buf_len = MAX_INSN_SIZE;
31430
31431 memset(insn, 0, sizeof(*insn));
31432- insn->kaddr = kaddr;
31433- insn->end_kaddr = kaddr + buf_len;
31434- insn->next_byte = kaddr;
31435+ insn->kaddr = (void *)ktla_ktva((unsigned long)kaddr);
31436+ insn->end_kaddr = insn->kaddr + buf_len;
31437+ insn->next_byte = insn->kaddr;
31438 insn->x86_64 = x86_64 ? 1 : 0;
31439 insn->opnd_bytes = 4;
31440 if (x86_64)
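Review bot: `insn_init()` now passes every `kaddr` through `ktla_ktva()`, including buffers that may not be kernel text; if the translation is not the identity in some configuration, a caller that hands in a copied instruction buffer would get a shifted pointer. The callers are outside this hunk, so this needs either a check of each call site or a comment on `insn_init()` stating what kind of address `kaddr` must be. The cast also drops the qualifier of the `const void *kaddr` parameter; `(const void *)ktla_ktva((unsigned long)kaddr)` keeps it.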
31441diff --git a/arch/x86/lib/iomap_copy_64.S b/arch/x86/lib/iomap_copy_64.S
31442index 33147fe..12a8815 100644
31443--- a/arch/x86/lib/iomap_copy_64.S
31444+++ b/arch/x86/lib/iomap_copy_64.S
31445@@ -16,6 +16,7 @@
31446 */
31447
31448 #include <linux/linkage.h>
31449+#include <asm/alternative-asm.h>
31450
31451 /*
31452 * override generic version in lib/iomap_copy.c
31453@@ -23,5 +24,6 @@
31454 ENTRY(__iowrite32_copy)
31455 movl %edx,%ecx
31456 rep movsd
31457+ pax_force_retaddr
31458 ret
31459 ENDPROC(__iowrite32_copy)
31460diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
31461index 16698bb..971d300 100644
31462--- a/arch/x86/lib/memcpy_64.S
31463+++ b/arch/x86/lib/memcpy_64.S
31464@@ -36,6 +36,7 @@ ENTRY(memcpy)
31465 rep movsq
31466 movl %edx, %ecx
31467 rep movsb
31468+ pax_force_retaddr
31469 ret
31470 ENDPROC(memcpy)
31471 ENDPROC(__memcpy)
31472@@ -48,6 +49,7 @@ ENTRY(memcpy_erms)
31473 movq %rdi, %rax
31474 movq %rdx, %rcx
31475 rep movsb
31476+ pax_force_retaddr
31477 ret
31478 ENDPROC(memcpy_erms)
31479
31480@@ -132,6 +134,7 @@ ENTRY(memcpy_orig)
31481 movq %r9, 1*8(%rdi)
31482 movq %r10, -2*8(%rdi, %rdx)
31483 movq %r11, -1*8(%rdi, %rdx)
31484+ pax_force_retaddr
31485 retq
31486 .p2align 4
31487 .Lless_16bytes:
31488@@ -144,6 +147,7 @@ ENTRY(memcpy_orig)
31489 movq -1*8(%rsi, %rdx), %r9
31490 movq %r8, 0*8(%rdi)
31491 movq %r9, -1*8(%rdi, %rdx)
31492+ pax_force_retaddr
31493 retq
31494 .p2align 4
31495 .Lless_8bytes:
31496@@ -157,6 +161,7 @@ ENTRY(memcpy_orig)
31497 movl -4(%rsi, %rdx), %r8d
31498 movl %ecx, (%rdi)
31499 movl %r8d, -4(%rdi, %rdx)
31500+ pax_force_retaddr
31501 retq
31502 .p2align 4
31503 .Lless_3bytes:
31504@@ -175,5 +180,6 @@ ENTRY(memcpy_orig)
31505 movb %cl, (%rdi)
31506
31507 .Lend:
31508+ pax_force_retaddr
31509 retq
31510 ENDPROC(memcpy_orig)
31511diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
31512index ca2afdd..2e474fa 100644
31513--- a/arch/x86/lib/memmove_64.S
31514+++ b/arch/x86/lib/memmove_64.S
31515@@ -41,7 +41,7 @@ ENTRY(__memmove)
31516 jg 2f
31517
31518 .Lmemmove_begin_forward:
31519- ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; retq", X86_FEATURE_ERMS
31520+ ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; pax_force_retaddr; retq", X86_FEATURE_ERMS
31521
31522 /*
31523 * movsq instruction have many startup latency
31524@@ -204,6 +204,7 @@ ENTRY(__memmove)
31525 movb (%rsi), %r11b
31526 movb %r11b, (%rdi)
31527 13:
31528+ pax_force_retaddr
31529 retq
31530 ENDPROC(__memmove)
31531 ENDPROC(memmove)
31532diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
31533index 2661fad..b584d5c 100644
31534--- a/arch/x86/lib/memset_64.S
31535+++ b/arch/x86/lib/memset_64.S
31536@@ -40,6 +40,7 @@ ENTRY(__memset)
31537 movl %edx,%ecx
31538 rep stosb
31539 movq %r9,%rax
31540+ pax_force_retaddr
31541 ret
31542 ENDPROC(memset)
31543 ENDPROC(__memset)
31544@@ -61,6 +62,7 @@ ENTRY(memset_erms)
31545 movq %rdx,%rcx
31546 rep stosb
31547 movq %r9,%rax
31548+ pax_force_retaddr
31549 ret
31550 ENDPROC(memset_erms)
31551
31552@@ -123,6 +125,7 @@ ENTRY(memset_orig)
31553
31554 .Lende:
31555 movq %r10,%rax
31556+ pax_force_retaddr
31557 ret
31558
31559 .Lbad_alignment:
31560diff --git a/arch/x86/lib/mmx_32.c b/arch/x86/lib/mmx_32.c
31561index e5e3ed8..d7c08c2 100644
31562--- a/arch/x86/lib/mmx_32.c
31563+++ b/arch/x86/lib/mmx_32.c
31564@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *from, size_t len)
31565 {
31566 void *p;
31567 int i;
31568+ unsigned long cr0;
31569
31570 if (unlikely(in_interrupt()))
31571 return __memcpy(to, from, len);
31572@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *from, size_t len)
31573 kernel_fpu_begin();
31574
31575 __asm__ __volatile__ (
31576- "1: prefetch (%0)\n" /* This set is 28 bytes */
31577- " prefetch 64(%0)\n"
31578- " prefetch 128(%0)\n"
31579- " prefetch 192(%0)\n"
31580- " prefetch 256(%0)\n"
31581+ "1: prefetch (%1)\n" /* This set is 28 bytes */
31582+ " prefetch 64(%1)\n"
31583+ " prefetch 128(%1)\n"
31584+ " prefetch 192(%1)\n"
31585+ " prefetch 256(%1)\n"
31586 "2: \n"
31587 ".section .fixup, \"ax\"\n"
31588- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31589+ "3: \n"
31590+
31591+#ifdef CONFIG_PAX_KERNEXEC
31592+ " movl %%cr0, %0\n"
31593+ " movl %0, %%eax\n"
31594+ " andl $0xFFFEFFFF, %%eax\n"
31595+ " movl %%eax, %%cr0\n"
31596+#endif
31597+
31598+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31599+
31600+#ifdef CONFIG_PAX_KERNEXEC
31601+ " movl %0, %%cr0\n"
31602+#endif
31603+
31604 " jmp 2b\n"
31605 ".previous\n"
31606 _ASM_EXTABLE(1b, 3b)
31607- : : "r" (from));
31608+ : "=&r" (cr0) : "r" (from) : "ax");
31609
31610 for ( ; i > 5; i--) {
31611 __asm__ __volatile__ (
31612- "1: prefetch 320(%0)\n"
31613- "2: movq (%0), %%mm0\n"
31614- " movq 8(%0), %%mm1\n"
31615- " movq 16(%0), %%mm2\n"
31616- " movq 24(%0), %%mm3\n"
31617- " movq %%mm0, (%1)\n"
31618- " movq %%mm1, 8(%1)\n"
31619- " movq %%mm2, 16(%1)\n"
31620- " movq %%mm3, 24(%1)\n"
31621- " movq 32(%0), %%mm0\n"
31622- " movq 40(%0), %%mm1\n"
31623- " movq 48(%0), %%mm2\n"
31624- " movq 56(%0), %%mm3\n"
31625- " movq %%mm0, 32(%1)\n"
31626- " movq %%mm1, 40(%1)\n"
31627- " movq %%mm2, 48(%1)\n"
31628- " movq %%mm3, 56(%1)\n"
31629+ "1: prefetch 320(%1)\n"
31630+ "2: movq (%1), %%mm0\n"
31631+ " movq 8(%1), %%mm1\n"
31632+ " movq 16(%1), %%mm2\n"
31633+ " movq 24(%1), %%mm3\n"
31634+ " movq %%mm0, (%2)\n"
31635+ " movq %%mm1, 8(%2)\n"
31636+ " movq %%mm2, 16(%2)\n"
31637+ " movq %%mm3, 24(%2)\n"
31638+ " movq 32(%1), %%mm0\n"
31639+ " movq 40(%1), %%mm1\n"
31640+ " movq 48(%1), %%mm2\n"
31641+ " movq 56(%1), %%mm3\n"
31642+ " movq %%mm0, 32(%2)\n"
31643+ " movq %%mm1, 40(%2)\n"
31644+ " movq %%mm2, 48(%2)\n"
31645+ " movq %%mm3, 56(%2)\n"
31646 ".section .fixup, \"ax\"\n"
31647- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31648+ "3:\n"
31649+
31650+#ifdef CONFIG_PAX_KERNEXEC
31651+ " movl %%cr0, %0\n"
31652+ " movl %0, %%eax\n"
31653+ " andl $0xFFFEFFFF, %%eax\n"
31654+ " movl %%eax, %%cr0\n"
31655+#endif
31656+
31657+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31658+
31659+#ifdef CONFIG_PAX_KERNEXEC
31660+ " movl %0, %%cr0\n"
31661+#endif
31662+
31663 " jmp 2b\n"
31664 ".previous\n"
31665 _ASM_EXTABLE(1b, 3b)
31666- : : "r" (from), "r" (to) : "memory");
31667+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31668
31669 from += 64;
31670 to += 64;
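Review bot: The fixup blocks now clear a bit in CR0 with the bare mask `$0xFFFEFFFF`, patch the instruction at `1b` and restore CR0, but nothing says which bit that is or why the window is safe. The mask clears bit 16 (write-protect), so a comment such as `/* KERNEXEC: drop CR0.WP while the fixup rewrites kernel text at 1b */` should sit above the sequence, and it should say whether an interrupt arriving inside the window is acceptable. The `"=&r" (cr0)` output and the `"ax"` clobber are unconditional although the instructions using them sit under `#ifdef CONFIG_PAX_KERNEXEC`, so builds without it reserve two registers for nothing. The same sequence appears in both asm statements here and in the two `fast_copy_page` variants in the later hunks; a single helper macro would leave one copy to audit.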
31671@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
31672 static void fast_copy_page(void *to, void *from)
31673 {
31674 int i;
31675+ unsigned long cr0;
31676
31677 kernel_fpu_begin();
31678
31679@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, void *from)
31680 * but that is for later. -AV
31681 */
31682 __asm__ __volatile__(
31683- "1: prefetch (%0)\n"
31684- " prefetch 64(%0)\n"
31685- " prefetch 128(%0)\n"
31686- " prefetch 192(%0)\n"
31687- " prefetch 256(%0)\n"
31688+ "1: prefetch (%1)\n"
31689+ " prefetch 64(%1)\n"
31690+ " prefetch 128(%1)\n"
31691+ " prefetch 192(%1)\n"
31692+ " prefetch 256(%1)\n"
31693 "2: \n"
31694 ".section .fixup, \"ax\"\n"
31695- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31696+ "3: \n"
31697+
31698+#ifdef CONFIG_PAX_KERNEXEC
31699+ " movl %%cr0, %0\n"
31700+ " movl %0, %%eax\n"
31701+ " andl $0xFFFEFFFF, %%eax\n"
31702+ " movl %%eax, %%cr0\n"
31703+#endif
31704+
31705+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31706+
31707+#ifdef CONFIG_PAX_KERNEXEC
31708+ " movl %0, %%cr0\n"
31709+#endif
31710+
31711 " jmp 2b\n"
31712 ".previous\n"
31713- _ASM_EXTABLE(1b, 3b) : : "r" (from));
31714+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
31715
31716 for (i = 0; i < (4096-320)/64; i++) {
31717 __asm__ __volatile__ (
31718- "1: prefetch 320(%0)\n"
31719- "2: movq (%0), %%mm0\n"
31720- " movntq %%mm0, (%1)\n"
31721- " movq 8(%0), %%mm1\n"
31722- " movntq %%mm1, 8(%1)\n"
31723- " movq 16(%0), %%mm2\n"
31724- " movntq %%mm2, 16(%1)\n"
31725- " movq 24(%0), %%mm3\n"
31726- " movntq %%mm3, 24(%1)\n"
31727- " movq 32(%0), %%mm4\n"
31728- " movntq %%mm4, 32(%1)\n"
31729- " movq 40(%0), %%mm5\n"
31730- " movntq %%mm5, 40(%1)\n"
31731- " movq 48(%0), %%mm6\n"
31732- " movntq %%mm6, 48(%1)\n"
31733- " movq 56(%0), %%mm7\n"
31734- " movntq %%mm7, 56(%1)\n"
31735+ "1: prefetch 320(%1)\n"
31736+ "2: movq (%1), %%mm0\n"
31737+ " movntq %%mm0, (%2)\n"
31738+ " movq 8(%1), %%mm1\n"
31739+ " movntq %%mm1, 8(%2)\n"
31740+ " movq 16(%1), %%mm2\n"
31741+ " movntq %%mm2, 16(%2)\n"
31742+ " movq 24(%1), %%mm3\n"
31743+ " movntq %%mm3, 24(%2)\n"
31744+ " movq 32(%1), %%mm4\n"
31745+ " movntq %%mm4, 32(%2)\n"
31746+ " movq 40(%1), %%mm5\n"
31747+ " movntq %%mm5, 40(%2)\n"
31748+ " movq 48(%1), %%mm6\n"
31749+ " movntq %%mm6, 48(%2)\n"
31750+ " movq 56(%1), %%mm7\n"
31751+ " movntq %%mm7, 56(%2)\n"
31752 ".section .fixup, \"ax\"\n"
31753- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31754+ "3:\n"
31755+
31756+#ifdef CONFIG_PAX_KERNEXEC
31757+ " movl %%cr0, %0\n"
31758+ " movl %0, %%eax\n"
31759+ " andl $0xFFFEFFFF, %%eax\n"
31760+ " movl %%eax, %%cr0\n"
31761+#endif
31762+
31763+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31764+
31765+#ifdef CONFIG_PAX_KERNEXEC
31766+ " movl %0, %%cr0\n"
31767+#endif
31768+
31769 " jmp 2b\n"
31770 ".previous\n"
31771- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
31772+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31773
31774 from += 64;
31775 to += 64;
31776@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
31777 static void fast_copy_page(void *to, void *from)
31778 {
31779 int i;
31780+ unsigned long cr0;
31781
31782 kernel_fpu_begin();
31783
31784 __asm__ __volatile__ (
31785- "1: prefetch (%0)\n"
31786- " prefetch 64(%0)\n"
31787- " prefetch 128(%0)\n"
31788- " prefetch 192(%0)\n"
31789- " prefetch 256(%0)\n"
31790+ "1: prefetch (%1)\n"
31791+ " prefetch 64(%1)\n"
31792+ " prefetch 128(%1)\n"
31793+ " prefetch 192(%1)\n"
31794+ " prefetch 256(%1)\n"
31795 "2: \n"
31796 ".section .fixup, \"ax\"\n"
31797- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31798+ "3: \n"
31799+
31800+#ifdef CONFIG_PAX_KERNEXEC
31801+ " movl %%cr0, %0\n"
31802+ " movl %0, %%eax\n"
31803+ " andl $0xFFFEFFFF, %%eax\n"
31804+ " movl %%eax, %%cr0\n"
31805+#endif
31806+
31807+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31808+
31809+#ifdef CONFIG_PAX_KERNEXEC
31810+ " movl %0, %%cr0\n"
31811+#endif
31812+
31813 " jmp 2b\n"
31814 ".previous\n"
31815- _ASM_EXTABLE(1b, 3b) : : "r" (from));
31816+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
31817
31818 for (i = 0; i < 4096/64; i++) {
31819 __asm__ __volatile__ (
31820- "1: prefetch 320(%0)\n"
31821- "2: movq (%0), %%mm0\n"
31822- " movq 8(%0), %%mm1\n"
31823- " movq 16(%0), %%mm2\n"
31824- " movq 24(%0), %%mm3\n"
31825- " movq %%mm0, (%1)\n"
31826- " movq %%mm1, 8(%1)\n"
31827- " movq %%mm2, 16(%1)\n"
31828- " movq %%mm3, 24(%1)\n"
31829- " movq 32(%0), %%mm0\n"
31830- " movq 40(%0), %%mm1\n"
31831- " movq 48(%0), %%mm2\n"
31832- " movq 56(%0), %%mm3\n"
31833- " movq %%mm0, 32(%1)\n"
31834- " movq %%mm1, 40(%1)\n"
31835- " movq %%mm2, 48(%1)\n"
31836- " movq %%mm3, 56(%1)\n"
31837+ "1: prefetch 320(%1)\n"
31838+ "2: movq (%1), %%mm0\n"
31839+ " movq 8(%1), %%mm1\n"
31840+ " movq 16(%1), %%mm2\n"
31841+ " movq 24(%1), %%mm3\n"
31842+ " movq %%mm0, (%2)\n"
31843+ " movq %%mm1, 8(%2)\n"
31844+ " movq %%mm2, 16(%2)\n"
31845+ " movq %%mm3, 24(%2)\n"
31846+ " movq 32(%1), %%mm0\n"
31847+ " movq 40(%1), %%mm1\n"
31848+ " movq 48(%1), %%mm2\n"
31849+ " movq 56(%1), %%mm3\n"
31850+ " movq %%mm0, 32(%2)\n"
31851+ " movq %%mm1, 40(%2)\n"
31852+ " movq %%mm2, 48(%2)\n"
31853+ " movq %%mm3, 56(%2)\n"
31854 ".section .fixup, \"ax\"\n"
31855- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31856+ "3:\n"
31857+
31858+#ifdef CONFIG_PAX_KERNEXEC
31859+ " movl %%cr0, %0\n"
31860+ " movl %0, %%eax\n"
31861+ " andl $0xFFFEFFFF, %%eax\n"
31862+ " movl %%eax, %%cr0\n"
31863+#endif
31864+
31865+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31866+
31867+#ifdef CONFIG_PAX_KERNEXEC
31868+ " movl %0, %%cr0\n"
31869+#endif
31870+
31871 " jmp 2b\n"
31872 ".previous\n"
31873 _ASM_EXTABLE(1b, 3b)
31874- : : "r" (from), "r" (to) : "memory");
31875+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31876
31877 from += 64;
31878 to += 64;
31879diff --git a/arch/x86/lib/msr-reg.S b/arch/x86/lib/msr-reg.S
31880index c815564..303dcfa 100644
31881--- a/arch/x86/lib/msr-reg.S
31882+++ b/arch/x86/lib/msr-reg.S
31883@@ -2,6 +2,7 @@
31884 #include <linux/errno.h>
31885 #include <asm/asm.h>
31886 #include <asm/msr.h>
31887+#include <asm/alternative-asm.h>
31888
31889 #ifdef CONFIG_X86_64
31890 /*
31891@@ -34,6 +35,7 @@ ENTRY(\op\()_safe_regs)
31892 movl %edi, 28(%r10)
31893 popq %rbp
31894 popq %rbx
31895+ pax_force_retaddr
31896 ret
31897 3:
31898 movl $-EIO, %r11d
31899diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S
31900index e0817a1..bc9cf66 100644
31901--- a/arch/x86/lib/putuser.S
31902+++ b/arch/x86/lib/putuser.S
31903@@ -15,7 +15,9 @@
31904 #include <asm/errno.h>
31905 #include <asm/asm.h>
31906 #include <asm/smap.h>
31907-
31908+#include <asm/segment.h>
31909+#include <asm/pgtable.h>
31910+#include <asm/alternative-asm.h>
31911
31912 /*
31913 * __put_user_X
31914@@ -29,55 +31,124 @@
31915 * as they get called from within inline assembly.
31916 */
31917
31918-#define ENTER GET_THREAD_INFO(%_ASM_BX)
31919-#define EXIT ASM_CLAC ; \
31920+#define ENTER
31921+#define EXIT ASM_CLAC ; \
31922+ pax_force_retaddr ; \
31923 ret
31924
31925+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31926+#define _DEST %_ASM_CX,%_ASM_BX
31927+#else
31928+#define _DEST %_ASM_CX
31929+#endif
31930+
31931+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
31932+#define __copyuser_seg gs;
31933+#else
31934+#define __copyuser_seg
31935+#endif
31936+
31937 .text
31938 ENTRY(__put_user_1)
31939 ENTER
31940+
31941+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31942+ GET_THREAD_INFO(%_ASM_BX)
31943 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
31944 jae bad_put_user
31945+
31946+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31947+ mov pax_user_shadow_base,%_ASM_BX
31948+ cmp %_ASM_BX,%_ASM_CX
31949+ jb 1234f
31950+ xor %ebx,%ebx
31951+1234:
31952+#endif
31953+
31954+#endif
31955+
31956 ASM_STAC
31957-1: movb %al,(%_ASM_CX)
31958+1: __copyuser_seg movb %al,(_DEST)
31959 xor %eax,%eax
31960 EXIT
31961 ENDPROC(__put_user_1)
31962
31963 ENTRY(__put_user_2)
31964 ENTER
31965+
31966+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31967+ GET_THREAD_INFO(%_ASM_BX)
31968 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
31969 sub $1,%_ASM_BX
31970 cmp %_ASM_BX,%_ASM_CX
31971 jae bad_put_user
31972+
31973+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31974+ mov pax_user_shadow_base,%_ASM_BX
31975+ cmp %_ASM_BX,%_ASM_CX
31976+ jb 1234f
31977+ xor %ebx,%ebx
31978+1234:
31979+#endif
31980+
31981+#endif
31982+
31983 ASM_STAC
31984-2: movw %ax,(%_ASM_CX)
31985+2: __copyuser_seg movw %ax,(_DEST)
31986 xor %eax,%eax
31987 EXIT
31988 ENDPROC(__put_user_2)
31989
31990 ENTRY(__put_user_4)
31991 ENTER
31992+
31993+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31994+ GET_THREAD_INFO(%_ASM_BX)
31995 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
31996 sub $3,%_ASM_BX
31997 cmp %_ASM_BX,%_ASM_CX
31998 jae bad_put_user
31999+
32000+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32001+ mov pax_user_shadow_base,%_ASM_BX
32002+ cmp %_ASM_BX,%_ASM_CX
32003+ jb 1234f
32004+ xor %ebx,%ebx
32005+1234:
32006+#endif
32007+
32008+#endif
32009+
32010 ASM_STAC
32011-3: movl %eax,(%_ASM_CX)
32012+3: __copyuser_seg movl %eax,(_DEST)
32013 xor %eax,%eax
32014 EXIT
32015 ENDPROC(__put_user_4)
32016
32017 ENTRY(__put_user_8)
32018 ENTER
32019+
32020+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
32021+ GET_THREAD_INFO(%_ASM_BX)
32022 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
32023 sub $7,%_ASM_BX
32024 cmp %_ASM_BX,%_ASM_CX
32025 jae bad_put_user
32026+
32027+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32028+ mov pax_user_shadow_base,%_ASM_BX
32029+ cmp %_ASM_BX,%_ASM_CX
32030+ jb 1234f
32031+ xor %ebx,%ebx
32032+1234:
32033+#endif
32034+
32035+#endif
32036+
32037 ASM_STAC
32038-4: mov %_ASM_AX,(%_ASM_CX)
32039+4: __copyuser_seg mov %_ASM_AX,(_DEST)
32040 #ifdef CONFIG_X86_32
32041-5: movl %edx,4(%_ASM_CX)
32042+5: __copyuser_seg movl %edx,4(_DEST)
32043 #endif
32044 xor %eax,%eax
32045 EXIT
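Review bot: `_DEST` changes the addressing mode of every store without a comment: under 64-bit UDEREF it becomes `%_ASM_CX,%_ASM_BX`, and the new block leaves %_ASM_BX holding `pax_user_shadow_base` for an address below it or zero (via `xor %ebx,%ebx`) otherwise. That base-plus-index form is the whole rebasing mechanism here and differs from getuser.S, which adds the base into the address register. Add a comment at the `_DEST` definition, for example `/* 64-bit UDEREF: (_DEST) is (%rcx,%rbx); %rbx is the shadow base or 0 */`. With `ENTER` now defined empty, the macro and its four uses could be dropped as well.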
32046diff --git a/arch/x86/lib/rwsem.S b/arch/x86/lib/rwsem.S
32047index 40027db..37bb69d 100644
32048--- a/arch/x86/lib/rwsem.S
32049+++ b/arch/x86/lib/rwsem.S
32050@@ -90,6 +90,7 @@ ENTRY(call_rwsem_down_read_failed)
32051 call rwsem_down_read_failed
32052 __ASM_SIZE(pop,) %__ASM_REG(dx)
32053 restore_common_regs
32054+ pax_force_retaddr
32055 ret
32056 ENDPROC(call_rwsem_down_read_failed)
32057
32058@@ -98,6 +99,7 @@ ENTRY(call_rwsem_down_write_failed)
32059 movq %rax,%rdi
32060 call rwsem_down_write_failed
32061 restore_common_regs
32062+ pax_force_retaddr
32063 ret
32064 ENDPROC(call_rwsem_down_write_failed)
32065
32066@@ -109,7 +111,8 @@ ENTRY(call_rwsem_wake)
32067 movq %rax,%rdi
32068 call rwsem_wake
32069 restore_common_regs
32070-1: ret
32071+1: pax_force_retaddr
32072+ ret
32073 ENDPROC(call_rwsem_wake)
32074
32075 ENTRY(call_rwsem_downgrade_wake)
32076@@ -119,5 +122,6 @@ ENTRY(call_rwsem_downgrade_wake)
32077 call rwsem_downgrade_wake
32078 __ASM_SIZE(pop,) %__ASM_REG(dx)
32079 restore_common_regs
32080+ pax_force_retaddr
32081 ret
32082 ENDPROC(call_rwsem_downgrade_wake)
32083diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
32084index 91d93b9..4b22130 100644
32085--- a/arch/x86/lib/usercopy_32.c
32086+++ b/arch/x86/lib/usercopy_32.c
32087@@ -42,11 +42,13 @@ do { \
32088 int __d0; \
32089 might_fault(); \
32090 __asm__ __volatile__( \
32091+ __COPYUSER_SET_ES \
32092 ASM_STAC "\n" \
32093 "0: rep; stosl\n" \
32094 " movl %2,%0\n" \
32095 "1: rep; stosb\n" \
32096 "2: " ASM_CLAC "\n" \
32097+ __COPYUSER_RESTORE_ES \
32098 ".section .fixup,\"ax\"\n" \
32099 "3: lea 0(%2,%0,4),%0\n" \
32100 " jmp 2b\n" \
32101@@ -98,7 +100,7 @@ EXPORT_SYMBOL(__clear_user);
32102
32103 #ifdef CONFIG_X86_INTEL_USERCOPY
32104 static unsigned long
32105-__copy_user_intel(void __user *to, const void *from, unsigned long size)
32106+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
32107 {
32108 int d0, d1;
32109 __asm__ __volatile__(
32110@@ -110,36 +112,36 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
32111 " .align 2,0x90\n"
32112 "3: movl 0(%4), %%eax\n"
32113 "4: movl 4(%4), %%edx\n"
32114- "5: movl %%eax, 0(%3)\n"
32115- "6: movl %%edx, 4(%3)\n"
32116+ "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
32117+ "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
32118 "7: movl 8(%4), %%eax\n"
32119 "8: movl 12(%4),%%edx\n"
32120- "9: movl %%eax, 8(%3)\n"
32121- "10: movl %%edx, 12(%3)\n"
32122+ "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
32123+ "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
32124 "11: movl 16(%4), %%eax\n"
32125 "12: movl 20(%4), %%edx\n"
32126- "13: movl %%eax, 16(%3)\n"
32127- "14: movl %%edx, 20(%3)\n"
32128+ "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
32129+ "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
32130 "15: movl 24(%4), %%eax\n"
32131 "16: movl 28(%4), %%edx\n"
32132- "17: movl %%eax, 24(%3)\n"
32133- "18: movl %%edx, 28(%3)\n"
32134+ "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
32135+ "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
32136 "19: movl 32(%4), %%eax\n"
32137 "20: movl 36(%4), %%edx\n"
32138- "21: movl %%eax, 32(%3)\n"
32139- "22: movl %%edx, 36(%3)\n"
32140+ "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
32141+ "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
32142 "23: movl 40(%4), %%eax\n"
32143 "24: movl 44(%4), %%edx\n"
32144- "25: movl %%eax, 40(%3)\n"
32145- "26: movl %%edx, 44(%3)\n"
32146+ "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
32147+ "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
32148 "27: movl 48(%4), %%eax\n"
32149 "28: movl 52(%4), %%edx\n"
32150- "29: movl %%eax, 48(%3)\n"
32151- "30: movl %%edx, 52(%3)\n"
32152+ "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
32153+ "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
32154 "31: movl 56(%4), %%eax\n"
32155 "32: movl 60(%4), %%edx\n"
32156- "33: movl %%eax, 56(%3)\n"
32157- "34: movl %%edx, 60(%3)\n"
32158+ "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
32159+ "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
32160 " addl $-64, %0\n"
32161 " addl $64, %4\n"
32162 " addl $64, %3\n"
32163@@ -149,10 +151,116 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
32164 " shrl $2, %0\n"
32165 " andl $3, %%eax\n"
32166 " cld\n"
32167+ __COPYUSER_SET_ES
32168 "99: rep; movsl\n"
32169 "36: movl %%eax, %0\n"
32170 "37: rep; movsb\n"
32171 "100:\n"
32172+ __COPYUSER_RESTORE_ES
32173+ ".section .fixup,\"ax\"\n"
32174+ "101: lea 0(%%eax,%0,4),%0\n"
32175+ " jmp 100b\n"
32176+ ".previous\n"
32177+ _ASM_EXTABLE(1b,100b)
32178+ _ASM_EXTABLE(2b,100b)
32179+ _ASM_EXTABLE(3b,100b)
32180+ _ASM_EXTABLE(4b,100b)
32181+ _ASM_EXTABLE(5b,100b)
32182+ _ASM_EXTABLE(6b,100b)
32183+ _ASM_EXTABLE(7b,100b)
32184+ _ASM_EXTABLE(8b,100b)
32185+ _ASM_EXTABLE(9b,100b)
32186+ _ASM_EXTABLE(10b,100b)
32187+ _ASM_EXTABLE(11b,100b)
32188+ _ASM_EXTABLE(12b,100b)
32189+ _ASM_EXTABLE(13b,100b)
32190+ _ASM_EXTABLE(14b,100b)
32191+ _ASM_EXTABLE(15b,100b)
32192+ _ASM_EXTABLE(16b,100b)
32193+ _ASM_EXTABLE(17b,100b)
32194+ _ASM_EXTABLE(18b,100b)
32195+ _ASM_EXTABLE(19b,100b)
32196+ _ASM_EXTABLE(20b,100b)
32197+ _ASM_EXTABLE(21b,100b)
32198+ _ASM_EXTABLE(22b,100b)
32199+ _ASM_EXTABLE(23b,100b)
32200+ _ASM_EXTABLE(24b,100b)
32201+ _ASM_EXTABLE(25b,100b)
32202+ _ASM_EXTABLE(26b,100b)
32203+ _ASM_EXTABLE(27b,100b)
32204+ _ASM_EXTABLE(28b,100b)
32205+ _ASM_EXTABLE(29b,100b)
32206+ _ASM_EXTABLE(30b,100b)
32207+ _ASM_EXTABLE(31b,100b)
32208+ _ASM_EXTABLE(32b,100b)
32209+ _ASM_EXTABLE(33b,100b)
32210+ _ASM_EXTABLE(34b,100b)
32211+ _ASM_EXTABLE(35b,100b)
32212+ _ASM_EXTABLE(36b,100b)
32213+ _ASM_EXTABLE(37b,100b)
32214+ _ASM_EXTABLE(99b,101b)
32215+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
32216+ : "1"(to), "2"(from), "0"(size)
32217+ : "eax", "edx", "memory");
32218+ return size;
32219+}
32220+
32221+static unsigned long
32222+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
32223+{
32224+ int d0, d1;
32225+ __asm__ __volatile__(
32226+ " .align 2,0x90\n"
32227+ "1: "__copyuser_seg" movl 32(%4), %%eax\n"
32228+ " cmpl $67, %0\n"
32229+ " jbe 3f\n"
32230+ "2: "__copyuser_seg" movl 64(%4), %%eax\n"
32231+ " .align 2,0x90\n"
32232+ "3: "__copyuser_seg" movl 0(%4), %%eax\n"
32233+ "4: "__copyuser_seg" movl 4(%4), %%edx\n"
32234+ "5: movl %%eax, 0(%3)\n"
32235+ "6: movl %%edx, 4(%3)\n"
32236+ "7: "__copyuser_seg" movl 8(%4), %%eax\n"
32237+ "8: "__copyuser_seg" movl 12(%4),%%edx\n"
32238+ "9: movl %%eax, 8(%3)\n"
32239+ "10: movl %%edx, 12(%3)\n"
32240+ "11: "__copyuser_seg" movl 16(%4), %%eax\n"
32241+ "12: "__copyuser_seg" movl 20(%4), %%edx\n"
32242+ "13: movl %%eax, 16(%3)\n"
32243+ "14: movl %%edx, 20(%3)\n"
32244+ "15: "__copyuser_seg" movl 24(%4), %%eax\n"
32245+ "16: "__copyuser_seg" movl 28(%4), %%edx\n"
32246+ "17: movl %%eax, 24(%3)\n"
32247+ "18: movl %%edx, 28(%3)\n"
32248+ "19: "__copyuser_seg" movl 32(%4), %%eax\n"
32249+ "20: "__copyuser_seg" movl 36(%4), %%edx\n"
32250+ "21: movl %%eax, 32(%3)\n"
32251+ "22: movl %%edx, 36(%3)\n"
32252+ "23: "__copyuser_seg" movl 40(%4), %%eax\n"
32253+ "24: "__copyuser_seg" movl 44(%4), %%edx\n"
32254+ "25: movl %%eax, 40(%3)\n"
32255+ "26: movl %%edx, 44(%3)\n"
32256+ "27: "__copyuser_seg" movl 48(%4), %%eax\n"
32257+ "28: "__copyuser_seg" movl 52(%4), %%edx\n"
32258+ "29: movl %%eax, 48(%3)\n"
32259+ "30: movl %%edx, 52(%3)\n"
32260+ "31: "__copyuser_seg" movl 56(%4), %%eax\n"
32261+ "32: "__copyuser_seg" movl 60(%4), %%edx\n"
32262+ "33: movl %%eax, 56(%3)\n"
32263+ "34: movl %%edx, 60(%3)\n"
32264+ " addl $-64, %0\n"
32265+ " addl $64, %4\n"
32266+ " addl $64, %3\n"
32267+ " cmpl $63, %0\n"
32268+ " ja 1b\n"
32269+ "35: movl %0, %%eax\n"
32270+ " shrl $2, %0\n"
32271+ " andl $3, %%eax\n"
32272+ " cld\n"
32273+ "99: rep; "__copyuser_seg" movsl\n"
32274+ "36: movl %%eax, %0\n"
32275+ "37: rep; "__copyuser_seg" movsb\n"
32276+ "100:\n"
32277 ".section .fixup,\"ax\"\n"
32278 "101: lea 0(%%eax,%0,4),%0\n"
32279 " jmp 100b\n"
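Review bot: `__generic_copy_from_user_intel()` is a second full copy of the 64-byte unrolled loop, differing from `__generic_copy_to_user_intel()` only in which side of each `movl` pair carries `__copyuser_seg` and in how the `rep; movs` tail is handled. Since this patch already parameterises `__copy_user()` on `prefix`/`set`/`restore`, the unrolled body could come from one macro taking a load prefix and a store prefix, which keeps the label numbers and the `_ASM_EXTABLE` list from drifting apart. In the copy-to-user variant `__COPYUSER_RESTORE_ES` sits after label `100:`, so it also runs when one of labels 1–35 faults before `__COPYUSER_SET_ES` was reached. That is only correct if the restore is unconditional rather than a pop of a saved value, and a one-line comment at `100:` should say so (the macro definitions are outside this hunk). The tail of the second function continues past the end of this hunk.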
32280@@ -207,41 +315,41 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
32281 int d0, d1;
32282 __asm__ __volatile__(
32283 " .align 2,0x90\n"
32284- "0: movl 32(%4), %%eax\n"
32285+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32286 " cmpl $67, %0\n"
32287 " jbe 2f\n"
32288- "1: movl 64(%4), %%eax\n"
32289+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32290 " .align 2,0x90\n"
32291- "2: movl 0(%4), %%eax\n"
32292- "21: movl 4(%4), %%edx\n"
32293+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32294+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32295 " movl %%eax, 0(%3)\n"
32296 " movl %%edx, 4(%3)\n"
32297- "3: movl 8(%4), %%eax\n"
32298- "31: movl 12(%4),%%edx\n"
32299+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32300+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32301 " movl %%eax, 8(%3)\n"
32302 " movl %%edx, 12(%3)\n"
32303- "4: movl 16(%4), %%eax\n"
32304- "41: movl 20(%4), %%edx\n"
32305+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32306+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32307 " movl %%eax, 16(%3)\n"
32308 " movl %%edx, 20(%3)\n"
32309- "10: movl 24(%4), %%eax\n"
32310- "51: movl 28(%4), %%edx\n"
32311+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32312+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32313 " movl %%eax, 24(%3)\n"
32314 " movl %%edx, 28(%3)\n"
32315- "11: movl 32(%4), %%eax\n"
32316- "61: movl 36(%4), %%edx\n"
32317+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32318+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32319 " movl %%eax, 32(%3)\n"
32320 " movl %%edx, 36(%3)\n"
32321- "12: movl 40(%4), %%eax\n"
32322- "71: movl 44(%4), %%edx\n"
32323+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32324+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32325 " movl %%eax, 40(%3)\n"
32326 " movl %%edx, 44(%3)\n"
32327- "13: movl 48(%4), %%eax\n"
32328- "81: movl 52(%4), %%edx\n"
32329+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32330+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32331 " movl %%eax, 48(%3)\n"
32332 " movl %%edx, 52(%3)\n"
32333- "14: movl 56(%4), %%eax\n"
32334- "91: movl 60(%4), %%edx\n"
32335+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32336+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32337 " movl %%eax, 56(%3)\n"
32338 " movl %%edx, 60(%3)\n"
32339 " addl $-64, %0\n"
32340@@ -253,9 +361,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
32341 " shrl $2, %0\n"
32342 " andl $3, %%eax\n"
32343 " cld\n"
32344- "6: rep; movsl\n"
32345+ "6: rep; "__copyuser_seg" movsl\n"
32346 " movl %%eax,%0\n"
32347- "7: rep; movsb\n"
32348+ "7: rep; "__copyuser_seg" movsb\n"
32349 "8:\n"
32350 ".section .fixup,\"ax\"\n"
32351 "9: lea 0(%%eax,%0,4),%0\n"
32352@@ -305,41 +413,41 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
32353
32354 __asm__ __volatile__(
32355 " .align 2,0x90\n"
32356- "0: movl 32(%4), %%eax\n"
32357+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32358 " cmpl $67, %0\n"
32359 " jbe 2f\n"
32360- "1: movl 64(%4), %%eax\n"
32361+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32362 " .align 2,0x90\n"
32363- "2: movl 0(%4), %%eax\n"
32364- "21: movl 4(%4), %%edx\n"
32365+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32366+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32367 " movnti %%eax, 0(%3)\n"
32368 " movnti %%edx, 4(%3)\n"
32369- "3: movl 8(%4), %%eax\n"
32370- "31: movl 12(%4),%%edx\n"
32371+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32372+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32373 " movnti %%eax, 8(%3)\n"
32374 " movnti %%edx, 12(%3)\n"
32375- "4: movl 16(%4), %%eax\n"
32376- "41: movl 20(%4), %%edx\n"
32377+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32378+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32379 " movnti %%eax, 16(%3)\n"
32380 " movnti %%edx, 20(%3)\n"
32381- "10: movl 24(%4), %%eax\n"
32382- "51: movl 28(%4), %%edx\n"
32383+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32384+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32385 " movnti %%eax, 24(%3)\n"
32386 " movnti %%edx, 28(%3)\n"
32387- "11: movl 32(%4), %%eax\n"
32388- "61: movl 36(%4), %%edx\n"
32389+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32390+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32391 " movnti %%eax, 32(%3)\n"
32392 " movnti %%edx, 36(%3)\n"
32393- "12: movl 40(%4), %%eax\n"
32394- "71: movl 44(%4), %%edx\n"
32395+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32396+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32397 " movnti %%eax, 40(%3)\n"
32398 " movnti %%edx, 44(%3)\n"
32399- "13: movl 48(%4), %%eax\n"
32400- "81: movl 52(%4), %%edx\n"
32401+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32402+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32403 " movnti %%eax, 48(%3)\n"
32404 " movnti %%edx, 52(%3)\n"
32405- "14: movl 56(%4), %%eax\n"
32406- "91: movl 60(%4), %%edx\n"
32407+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32408+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32409 " movnti %%eax, 56(%3)\n"
32410 " movnti %%edx, 60(%3)\n"
32411 " addl $-64, %0\n"
32412@@ -352,9 +460,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
32413 " shrl $2, %0\n"
32414 " andl $3, %%eax\n"
32415 " cld\n"
32416- "6: rep; movsl\n"
32417+ "6: rep; "__copyuser_seg" movsl\n"
32418 " movl %%eax,%0\n"
32419- "7: rep; movsb\n"
32420+ "7: rep; "__copyuser_seg" movsb\n"
32421 "8:\n"
32422 ".section .fixup,\"ax\"\n"
32423 "9: lea 0(%%eax,%0,4),%0\n"
32424@@ -399,41 +507,41 @@ static unsigned long __copy_user_intel_nocache(void *to,
32425
32426 __asm__ __volatile__(
32427 " .align 2,0x90\n"
32428- "0: movl 32(%4), %%eax\n"
32429+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32430 " cmpl $67, %0\n"
32431 " jbe 2f\n"
32432- "1: movl 64(%4), %%eax\n"
32433+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32434 " .align 2,0x90\n"
32435- "2: movl 0(%4), %%eax\n"
32436- "21: movl 4(%4), %%edx\n"
32437+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32438+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32439 " movnti %%eax, 0(%3)\n"
32440 " movnti %%edx, 4(%3)\n"
32441- "3: movl 8(%4), %%eax\n"
32442- "31: movl 12(%4),%%edx\n"
32443+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32444+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32445 " movnti %%eax, 8(%3)\n"
32446 " movnti %%edx, 12(%3)\n"
32447- "4: movl 16(%4), %%eax\n"
32448- "41: movl 20(%4), %%edx\n"
32449+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32450+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32451 " movnti %%eax, 16(%3)\n"
32452 " movnti %%edx, 20(%3)\n"
32453- "10: movl 24(%4), %%eax\n"
32454- "51: movl 28(%4), %%edx\n"
32455+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32456+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32457 " movnti %%eax, 24(%3)\n"
32458 " movnti %%edx, 28(%3)\n"
32459- "11: movl 32(%4), %%eax\n"
32460- "61: movl 36(%4), %%edx\n"
32461+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32462+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32463 " movnti %%eax, 32(%3)\n"
32464 " movnti %%edx, 36(%3)\n"
32465- "12: movl 40(%4), %%eax\n"
32466- "71: movl 44(%4), %%edx\n"
32467+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32468+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32469 " movnti %%eax, 40(%3)\n"
32470 " movnti %%edx, 44(%3)\n"
32471- "13: movl 48(%4), %%eax\n"
32472- "81: movl 52(%4), %%edx\n"
32473+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32474+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32475 " movnti %%eax, 48(%3)\n"
32476 " movnti %%edx, 52(%3)\n"
32477- "14: movl 56(%4), %%eax\n"
32478- "91: movl 60(%4), %%edx\n"
32479+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32480+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32481 " movnti %%eax, 56(%3)\n"
32482 " movnti %%edx, 60(%3)\n"
32483 " addl $-64, %0\n"
32484@@ -446,9 +554,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
32485 " shrl $2, %0\n"
32486 " andl $3, %%eax\n"
32487 " cld\n"
32488- "6: rep; movsl\n"
32489+ "6: rep; "__copyuser_seg" movsl\n"
32490 " movl %%eax,%0\n"
32491- "7: rep; movsb\n"
32492+ "7: rep; "__copyuser_seg" movsb\n"
32493 "8:\n"
32494 ".section .fixup,\"ax\"\n"
32495 "9: lea 0(%%eax,%0,4),%0\n"
32496@@ -488,32 +596,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
32497 */
32498 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
32499 unsigned long size);
32500-unsigned long __copy_user_intel(void __user *to, const void *from,
32501+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
32502+ unsigned long size);
32503+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
32504 unsigned long size);
32505 unsigned long __copy_user_zeroing_intel_nocache(void *to,
32506 const void __user *from, unsigned long size);
32507 #endif /* CONFIG_X86_INTEL_USERCOPY */
32508
32509 /* Generic arbitrary sized copy. */
32510-#define __copy_user(to, from, size) \
32511+#define __copy_user(to, from, size, prefix, set, restore) \
32512 do { \
32513 int __d0, __d1, __d2; \
32514 __asm__ __volatile__( \
32515+ set \
32516 " cmp $7,%0\n" \
32517 " jbe 1f\n" \
32518 " movl %1,%0\n" \
32519 " negl %0\n" \
32520 " andl $7,%0\n" \
32521 " subl %0,%3\n" \
32522- "4: rep; movsb\n" \
32523+ "4: rep; "prefix"movsb\n" \
32524 " movl %3,%0\n" \
32525 " shrl $2,%0\n" \
32526 " andl $3,%3\n" \
32527 " .align 2,0x90\n" \
32528- "0: rep; movsl\n" \
32529+ "0: rep; "prefix"movsl\n" \
32530 " movl %3,%0\n" \
32531- "1: rep; movsb\n" \
32532+ "1: rep; "prefix"movsb\n" \
32533 "2:\n" \
32534+ restore \
32535 ".section .fixup,\"ax\"\n" \
32536 "5: addl %3,%0\n" \
32537 " jmp 2b\n" \
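Review bot: The three new `__copy_user()` parameters are undocumented, and their division of labour is not obvious from the macro body: `prefix` is pasted in front of the `movsb`/`movsl` string instructions while `set`/`restore` bracket the whole sequence. Judging by the callers later in this file, copy-to-user passes `""` with `__COPYUSER_SET_ES`/`__COPYUSER_RESTORE_ES` and copy-from-user passes `__copyuser_seg` with empty `set`/`restore`, which matches the x86 rule that only the source operand of `movs` accepts a segment override. I would extend the existing comment to `/* Generic arbitrary sized copy. prefix: segment override for a user-space source; set/restore: switch and restore ES for a user-space destination. */`. It is also worth stating there that `restore` sits after label `2:`, so the fixup path's `jmp 2b` still executes it and ES is not left switched after a fault. The macro continues past the end of this hunk.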
32538@@ -538,14 +650,14 @@ do { \
32539 " negl %0\n" \
32540 " andl $7,%0\n" \
32541 " subl %0,%3\n" \
32542- "4: rep; movsb\n" \
32543+ "4: rep; "__copyuser_seg"movsb\n" \
32544 " movl %3,%0\n" \
32545 " shrl $2,%0\n" \
32546 " andl $3,%3\n" \
32547 " .align 2,0x90\n" \
32548- "0: rep; movsl\n" \
32549+ "0: rep; "__copyuser_seg"movsl\n" \
32550 " movl %3,%0\n" \
32551- "1: rep; movsb\n" \
32552+ "1: rep; "__copyuser_seg"movsb\n" \
32553 "2:\n" \
32554 ".section .fixup,\"ax\"\n" \
32555 "5: addl %3,%0\n" \
32556@@ -572,9 +684,9 @@ unsigned long __copy_to_user_ll(void __user *to, const void *from,
32557 {
32558 stac();
32559 if (movsl_is_ok(to, from, n))
32560- __copy_user(to, from, n);
32561+ __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
32562 else
32563- n = __copy_user_intel(to, from, n);
32564+ n = __generic_copy_to_user_intel(to, from, n);
32565 clac();
32566 return n;
32567 }
32568@@ -598,10 +710,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
32569 {
32570 stac();
32571 if (movsl_is_ok(to, from, n))
32572- __copy_user(to, from, n);
32573+ __copy_user(to, from, n, __copyuser_seg, "", "");
32574 else
32575- n = __copy_user_intel((void __user *)to,
32576- (const void *)from, n);
32577+ n = __generic_copy_from_user_intel(to, from, n);
32578 clac();
32579 return n;
32580 }
32581@@ -632,60 +743,38 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
32582 if (n > 64 && cpu_has_xmm2)
32583 n = __copy_user_intel_nocache(to, from, n);
32584 else
32585- __copy_user(to, from, n);
32586+ __copy_user(to, from, n, __copyuser_seg, "", "");
32587 #else
32588- __copy_user(to, from, n);
32589+ __copy_user(to, from, n, __copyuser_seg, "", "");
32590 #endif
32591 clac();
32592 return n;
32593 }
32594 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
32595
32596-/**
32597- * copy_to_user: - Copy a block of data into user space.
32598- * @to: Destination address, in user space.
32599- * @from: Source address, in kernel space.
32600- * @n: Number of bytes to copy.
32601- *
32602- * Context: User context only. This function may sleep if pagefaults are
32603- * enabled.
32604- *
32605- * Copy data from kernel space to user space.
32606- *
32607- * Returns number of bytes that could not be copied.
32608- * On success, this will be zero.
32609- */
32610-unsigned long _copy_to_user(void __user *to, const void *from, unsigned n)
32611+#ifdef CONFIG_PAX_MEMORY_UDEREF
32612+void __set_fs(mm_segment_t x)
32613 {
32614- if (access_ok(VERIFY_WRITE, to, n))
32615- n = __copy_to_user(to, from, n);
32616- return n;
32617+ switch (x.seg) {
32618+ case 0:
32619+ loadsegment(gs, 0);
32620+ break;
32621+ case TASK_SIZE_MAX:
32622+ loadsegment(gs, __USER_DS);
32623+ break;
32624+ case -1UL:
32625+ loadsegment(gs, __KERNEL_DS);
32626+ break;
32627+ default:
32628+ BUG();
32629+ }
32630 }
32631-EXPORT_SYMBOL(_copy_to_user);
32632+EXPORT_SYMBOL(__set_fs);
32633
32634-/**
32635- * copy_from_user: - Copy a block of data from user space.
32636- * @to: Destination address, in kernel space.
32637- * @from: Source address, in user space.
32638- * @n: Number of bytes to copy.
32639- *
32640- * Context: User context only. This function may sleep if pagefaults are
32641- * enabled.
32642- *
32643- * Copy data from user space to kernel space.
32644- *
32645- * Returns number of bytes that could not be copied.
32646- * On success, this will be zero.
32647- *
32648- * If some data could not be copied, this function will pad the copied
32649- * data to the requested size using zero bytes.
32650- */
32651-unsigned long _copy_from_user(void *to, const void __user *from, unsigned n)
32652+void set_fs(mm_segment_t x)
32653 {
32654- if (access_ok(VERIFY_READ, from, n))
32655- n = __copy_from_user(to, from, n);
32656- else
32657- memset(to, 0, n);
32658- return n;
32659+ current_thread_info()->addr_limit = x;
32660+ __set_fs(x);
32661 }
32662-EXPORT_SYMBOL(_copy_from_user);
32663+EXPORT_SYMBOL(set_fs);
32664+#endif
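Review bot: The `switch` in `__set_fs()` hard-codes `0`, `TASK_SIZE_MAX` and `-1UL` with no comment tying them to the `mm_segment_t` values they stand for (presumably a null limit, `USER_DS` and `KERNEL_DS`; their definitions are outside this hunk). Because any other limit hits `BUG()`, a later change to those definitions would turn every `set_fs()` call into a crash, so the coupling deserves a comment such as `/* UDEREF: keep %gs in step with addr_limit: 0 -> null selector, USER_DS limit -> __USER_DS, KERNEL_DS limit -> __KERNEL_DS */`. `set_fs()` also writes `addr_limit` before `__set_fs()` validates the value. Calling `__set_fs(x);` first would avoid publishing a limit that is about to be rejected, provided nothing between the two statements depends on the current order.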
32665diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
32666index 0a42327..7a82465 100644
32667--- a/arch/x86/lib/usercopy_64.c
32668+++ b/arch/x86/lib/usercopy_64.c
32669@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
32670 might_fault();
32671 /* no memory constraint because it doesn't change any memory gcc knows
32672 about */
32673+ pax_open_userland();
32674 stac();
32675 asm volatile(
32676 " testq %[size8],%[size8]\n"
32677@@ -39,9 +40,10 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
32678 _ASM_EXTABLE(0b,3b)
32679 _ASM_EXTABLE(1b,2b)
32680 : [size8] "=&c"(size), [dst] "=&D" (__d0)
32681- : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
32682+ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
32683 [zero] "r" (0UL), [eight] "r" (8UL));
32684 clac();
32685+ pax_close_userland();
32686 return size;
32687 }
32688 EXPORT_SYMBOL(__clear_user);
32689@@ -54,12 +56,11 @@ unsigned long clear_user(void __user *to, unsigned long n)
32690 }
32691 EXPORT_SYMBOL(clear_user);
32692
32693-unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
32694+unsigned long copy_in_user(void __user *to, const void __user *from, unsigned long len)
32695 {
32696- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
32697- return copy_user_generic((__force void *)to, (__force void *)from, len);
32698- }
32699- return len;
32700+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len))
32701+ return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len);
32702+ return len;
32703 }
32704 EXPORT_SYMBOL(copy_in_user);
32705
32706@@ -69,8 +70,10 @@ EXPORT_SYMBOL(copy_in_user);
32707 * it is not necessary to optimize tail handling.
32708 */
32709 __visible unsigned long
32710-copy_user_handle_tail(char *to, char *from, unsigned len)
32711+copy_user_handle_tail(char __user *to, char __user *from, unsigned long len)
32712 {
32713+ clac();
32714+ pax_close_userland();
32715 for (; len; --len, to++) {
32716 char c;
32717
32718@@ -79,10 +82,9 @@ copy_user_handle_tail(char *to, char *from, unsigned len)
32719 if (__put_user_nocheck(c, to, sizeof(char)))
32720 break;
32721 }
32722- clac();
32723
32724 /* If the destination is a kernel buffer, we always clear the end */
32725- if (!__addr_ok(to))
32726+ if (!__addr_ok(to) && (unsigned long)to >= TASK_SIZE_MAX + pax_user_shadow_base)
32727 memset(to, 0, len);
32728 return len;
32729 }
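Review bot: `to` is now declared `char __user *` (signature change in the previous hunk), yet the tail still passes it straight to `memset()`, which takes a kernel pointer, so the address-space annotation is dropped on the branch that decides the buffer is a kernel one. `memset((void __force_kernel *)to, 0, len);` would make that decision explicit, using the same annotation this patch uses in `copy_in_user()`. The added `(unsigned long)to >= TASK_SIZE_MAX + pax_user_shadow_base` test also needs a comment. Presumably it keeps a UDEREF-shifted user pointer, which fails `__addr_ok()`, from being mistaken for a kernel buffer and zeroed through a direct kernel write; if so, say that next to the condition.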
32730diff --git a/arch/x86/math-emu/fpu_aux.c b/arch/x86/math-emu/fpu_aux.c
32731index dd76a05..df65688 100644
32732--- a/arch/x86/math-emu/fpu_aux.c
32733+++ b/arch/x86/math-emu/fpu_aux.c
32734@@ -52,7 +52,7 @@ void fpstate_init_soft(struct swregs_state *soft)
32735
32736 void finit(void)
32737 {
32738- fpstate_init_soft(&current->thread.fpu.state.soft);
32739+ fpstate_init_soft(&current->thread.fpu.state->soft);
32740 }
32741
32742 /*
32743diff --git a/arch/x86/math-emu/fpu_entry.c b/arch/x86/math-emu/fpu_entry.c
32744index 3d8f2e4..ef7cf4e 100644
32745--- a/arch/x86/math-emu/fpu_entry.c
32746+++ b/arch/x86/math-emu/fpu_entry.c
32747@@ -677,7 +677,7 @@ int fpregs_soft_set(struct task_struct *target,
32748 unsigned int pos, unsigned int count,
32749 const void *kbuf, const void __user *ubuf)
32750 {
32751- struct swregs_state *s387 = &target->thread.fpu.state.soft;
32752+ struct swregs_state *s387 = &target->thread.fpu.state->soft;
32753 void *space = s387->st_space;
32754 int ret;
32755 int offset, other, i, tags, regnr, tag, newtop;
32756@@ -729,7 +729,7 @@ int fpregs_soft_get(struct task_struct *target,
32757 unsigned int pos, unsigned int count,
32758 void *kbuf, void __user *ubuf)
32759 {
32760- struct swregs_state *s387 = &target->thread.fpu.state.soft;
32761+ struct swregs_state *s387 = &target->thread.fpu.state->soft;
32762 const void *space = s387->st_space;
32763 int ret;
32764 int offset = (S387->ftop & 7) * 10, other = 80 - offset;
32765diff --git a/arch/x86/math-emu/fpu_system.h b/arch/x86/math-emu/fpu_system.h
32766index 5e044d5..d342fce 100644
32767--- a/arch/x86/math-emu/fpu_system.h
32768+++ b/arch/x86/math-emu/fpu_system.h
32769@@ -46,7 +46,7 @@ static inline struct desc_struct FPU_get_ldt_descriptor(unsigned seg)
32770 #define SEG_EXPAND_DOWN(s) (((s).b & ((1 << 11) | (1 << 10))) \
32771 == (1 << 10))
32772
32773-#define I387 (&current->thread.fpu.state)
32774+#define I387 (current->thread.fpu.state)
32775 #define FPU_info (I387->soft.info)
32776
32777 #define FPU_CS (*(unsigned short *) &(FPU_info->regs->cs))
32778diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
32779index a482d10..1a6edb5 100644
32780--- a/arch/x86/mm/Makefile
32781+++ b/arch/x86/mm/Makefile
32782@@ -33,3 +33,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o
32783 obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
32784
32785 obj-$(CONFIG_X86_INTEL_MPX) += mpx.o
32786+
32787+quote:="
32788+obj-$(CONFIG_X86_64) += uderef_64.o
32789+CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS)) -fcall-saved-rax
32790diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
32791index 903ec1e..41b4708 100644
32792--- a/arch/x86/mm/extable.c
32793+++ b/arch/x86/mm/extable.c
32794@@ -2,16 +2,29 @@
32795 #include <linux/spinlock.h>
32796 #include <linux/sort.h>
32797 #include <asm/uaccess.h>
32798+#include <asm/boot.h>
32799
32800 static inline unsigned long
32801 ex_insn_addr(const struct exception_table_entry *x)
32802 {
32803- return (unsigned long)&x->insn + x->insn;
32804+ unsigned long reloc = 0;
32805+
32806+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32807+ reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32808+#endif
32809+
32810+ return (unsigned long)&x->insn + x->insn + reloc;
32811 }
32812 static inline unsigned long
32813 ex_fixup_addr(const struct exception_table_entry *x)
32814 {
32815- return (unsigned long)&x->fixup + x->fixup;
32816+ unsigned long reloc = 0;
32817+
32818+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32819+ reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32820+#endif
32821+
32822+ return (unsigned long)&x->fixup + x->fixup + reloc;
32823 }
32824
32825 int fixup_exception(struct pt_regs *regs)
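Review bot: The `reloc` computation and its `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` guard are pasted identically into `ex_insn_addr()` and `ex_fixup_addr()`, and the same expression `____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR` appears twice more in the `sort_extable()` hunk below. A single helper keeps the four uses from diverging and gives one place for a comment on what the offset represents. Both accessors then shrink back to one-line returns.

```c
static inline unsigned long ex_reloc(void)
{
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	return ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
#else
	return 0;
#endif
}

static inline unsigned long
ex_insn_addr(const struct exception_table_entry *x)
{
	return (unsigned long)&x->insn + x->insn + ex_reloc();
}
/* … ex_fixup_addr(): same change, using x->fixup … */
```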
32826@@ -20,7 +33,7 @@ int fixup_exception(struct pt_regs *regs)
32827 unsigned long new_ip;
32828
32829 #ifdef CONFIG_PNPBIOS
32830- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
32831+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
32832 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
32833 extern u32 pnp_bios_is_utter_crap;
32834 pnp_bios_is_utter_crap = 1;
32835@@ -145,6 +158,13 @@ void sort_extable(struct exception_table_entry *start,
32836 i += 4;
32837 p->fixup -= i;
32838 i += 4;
32839+
32840+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32841+ BUILD_BUG_ON(!IS_ENABLED(CONFIG_BUILDTIME_EXTABLE_SORT));
32842+ p->insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32843+ p->fixup -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32844+#endif
32845+
32846 }
32847 }
32848
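Review bot: The added `p->insn -= …` / `p->fixup -= …` adjustment has no visible counterpart in the normalising loop earlier in `sort_extable()` (outside this hunk), so after a run-time sort every entry is shifted by the KERNEXEC relocation relative to what it held before. That looks like deliberate compensation for the `reloc` that `ex_insn_addr()`/`ex_fixup_addr()` now add on every lookup, but without a comment it reads as an unbalanced denormalisation. A comment such as `/* entries sorted at run time are not pre-biased; cancel the reloc the lookup helpers add */` would settle it, if that is indeed the reason. `BUILD_BUG_ON()` is a compile-time check and reads better at the top of the function than inside the loop body.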
32849diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
32850index 9dc9098..938251a 100644
32851--- a/arch/x86/mm/fault.c
32852+++ b/arch/x86/mm/fault.c
32853@@ -14,12 +14,19 @@
32854 #include <linux/prefetch.h> /* prefetchw */
32855 #include <linux/context_tracking.h> /* exception_enter(), ... */
32856 #include <linux/uaccess.h> /* faulthandler_disabled() */
32857+#include <linux/unistd.h>
32858+#include <linux/compiler.h>
32859
32860 #include <asm/traps.h> /* dotraplinkage, ... */
32861 #include <asm/pgalloc.h> /* pgd_*(), ... */
32862 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
32863 #include <asm/fixmap.h> /* VSYSCALL_ADDR */
32864 #include <asm/vsyscall.h> /* emulate_vsyscall */
32865+#include <asm/tlbflush.h>
32866+
32867+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32868+#include <asm/stacktrace.h>
32869+#endif
32870
32871 #define CREATE_TRACE_POINTS
32872 #include <asm/trace/exceptions.h>
32873@@ -121,7 +128,10 @@ check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr,
32874 return !instr_lo || (instr_lo>>1) == 1;
32875 case 0x00:
32876 /* Prefetch instruction is 0x0F0D or 0x0F18 */
32877- if (probe_kernel_address(instr, opcode))
32878+ if (user_mode(regs)) {
32879+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
32880+ return 0;
32881+ } else if (probe_kernel_address(instr, opcode))
32882 return 0;
32883
32884 *prefetch = (instr_lo == 0xF) &&
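Review bot: The new user-mode branch reads the opcode with a bare `__copy_from_user_inatomic()`, which drops the `pagefault_disable()`/`pagefault_enable()` pair that `probe_kernel_address()` wraps around the same primitive. Running it from inside the page-fault path with faults enabled means a not-present instruction page is now faulted in rather than reported as a read error. The `__` variant also performs no `access_ok()` check, so it relies on `instr` having been range-checked by the caller outside this hunk. If neither effect is intended, wrap the call: `pagefault_disable(); err = __copy_from_user_inatomic(&opcode, (unsigned char __force_user *)instr, 1); pagefault_enable();`. The same pattern is added to `is_prefetch()` in the next hunk, and both functions start and end outside their hunks.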
32885@@ -155,7 +165,10 @@ is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)
32886 while (instr < max_instr) {
32887 unsigned char opcode;
32888
32889- if (probe_kernel_address(instr, opcode))
32890+ if (user_mode(regs)) {
32891+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
32892+ break;
32893+ } else if (probe_kernel_address(instr, opcode))
32894 break;
32895
32896 instr++;
32897@@ -186,6 +199,34 @@ force_sig_info_fault(int si_signo, int si_code, unsigned long address,
32898 force_sig_info(si_signo, &info, tsk);
32899 }
32900
32901+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
32902+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
32903+#endif
32904+
32905+#ifdef CONFIG_PAX_EMUTRAMP
32906+static int pax_handle_fetch_fault(struct pt_regs *regs);
32907+#endif
32908+
32909+#ifdef CONFIG_PAX_PAGEEXEC
32910+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
32911+{
32912+ pgd_t *pgd;
32913+ pud_t *pud;
32914+ pmd_t *pmd;
32915+
32916+ pgd = pgd_offset(mm, address);
32917+ if (!pgd_present(*pgd))
32918+ return NULL;
32919+ pud = pud_offset(pgd, address);
32920+ if (!pud_present(*pud))
32921+ return NULL;
32922+ pmd = pmd_offset(pud, address);
32923+ if (!pmd_present(*pmd))
32924+ return NULL;
32925+ return pmd;
32926+}
32927+#endif
32928+
32929 DEFINE_SPINLOCK(pgd_lock);
32930 LIST_HEAD(pgd_list);
32931
32932@@ -236,10 +277,27 @@ void vmalloc_sync_all(void)
32933 for (address = VMALLOC_START & PMD_MASK;
32934 address >= TASK_SIZE && address < FIXADDR_TOP;
32935 address += PMD_SIZE) {
32936+
32937+#ifdef CONFIG_PAX_PER_CPU_PGD
32938+ unsigned long cpu;
32939+#else
32940 struct page *page;
32941+#endif
32942
32943 spin_lock(&pgd_lock);
32944+
32945+#ifdef CONFIG_PAX_PER_CPU_PGD
32946+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
32947+ pgd_t *pgd = get_cpu_pgd(cpu, user);
32948+ pmd_t *ret;
32949+
32950+ ret = vmalloc_sync_one(pgd, address);
32951+ if (!ret)
32952+ break;
32953+ pgd = get_cpu_pgd(cpu, kernel);
32954+#else
32955 list_for_each_entry(page, &pgd_list, lru) {
32956+ pgd_t *pgd;
32957 spinlock_t *pgt_lock;
32958 pmd_t *ret;
32959
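Review bot: The two preprocessor branches each open a different loop (`for (cpu = 0; …) {` versus `list_for_each_entry(…) {`) whose body and closing brace are shared further down, so neither configuration can be read or brace-matched on its own. Moving the per-table work into a small helper called from two separate, complete loops would remove the interleaving, and the `#ifndef` around `spin_unlock(pgt_lock)` in the next hunk goes away with it. The per-CPU loop also walks every index below `nr_cpu_ids`. If `get_cpu_pgd()` is only valid for possible CPUs, `for_each_possible_cpu(cpu)` is the safer iterator. The loop body continues in the next hunk.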
32960@@ -247,8 +305,14 @@ void vmalloc_sync_all(void)
32961 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
32962
32963 spin_lock(pgt_lock);
32964- ret = vmalloc_sync_one(page_address(page), address);
32965+ pgd = page_address(page);
32966+#endif
32967+
32968+ ret = vmalloc_sync_one(pgd, address);
32969+
32970+#ifndef CONFIG_PAX_PER_CPU_PGD
32971 spin_unlock(pgt_lock);
32972+#endif
32973
32974 if (!ret)
32975 break;
32976@@ -282,6 +346,12 @@ static noinline int vmalloc_fault(unsigned long address)
32977 * an interrupt in the middle of a task switch..
32978 */
32979 pgd_paddr = read_cr3();
32980+
32981+#ifdef CONFIG_PAX_PER_CPU_PGD
32982+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK));
32983+ vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address);
32984+#endif
32985+
32986 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
32987 if (!pmd_k)
32988 return -1;
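Review bot: `vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address)` reaches the second per-CPU page directory by address arithmetic and discards the result, while the call on the following line checks `pmd_k` for NULL. The `+ PAGE_SIZE` presumably encodes that the user PGD is laid out directly after the kernel PGD, an assumption the `BUG_ON` above does not verify. `get_cpu_pgd(smp_processor_id(), user)`, as used in the `vmalloc_sync_all()` hunk, states it directly. I would write `if (!vmalloc_sync_one(get_cpu_pgd(smp_processor_id(), user), address)) return -1;`, or add a comment on why a failed sync of that table can be ignored. `vmalloc_fault()` begins and ends outside this hunk.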
32989@@ -378,11 +448,25 @@ static noinline int vmalloc_fault(unsigned long address)
32990 * happen within a race in page table update. In the later
32991 * case just flush:
32992 */
32993- pgd = pgd_offset(current->active_mm, address);
32994+
32995 pgd_ref = pgd_offset_k(address);
32996 if (pgd_none(*pgd_ref))
32997 return -1;
32998
32999+#ifdef CONFIG_PAX_PER_CPU_PGD
33000+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK));
33001+ pgd = pgd_offset_cpu(smp_processor_id(), user, address);
33002+ if (pgd_none(*pgd)) {
33003+ set_pgd(pgd, *pgd_ref);
33004+ arch_flush_lazy_mmu_mode();
33005+ } else {
33006+ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
33007+ }
33008+ pgd = pgd_offset_cpu(smp_processor_id(), kernel, address);
33009+#else
33010+ pgd = pgd_offset(current->active_mm, address);
33011+#endif
33012+
33013 if (pgd_none(*pgd)) {
33014 set_pgd(pgd, *pgd_ref);
33015 arch_flush_lazy_mmu_mode();
33016@@ -549,7 +633,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address)
33017 static int is_errata100(struct pt_regs *regs, unsigned long address)
33018 {
33019 #ifdef CONFIG_X86_64
33020- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
33021+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
33022 return 1;
33023 #endif
33024 return 0;
33025@@ -576,9 +660,9 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
33026 }
33027
33028 static const char nx_warning[] = KERN_CRIT
33029-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
33030+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
33031 static const char smep_warning[] = KERN_CRIT
33032-"unable to execute userspace code (SMEP?) (uid: %d)\n";
33033+"unable to execute userspace code (SMEP?) (uid: %d, task: %s, pid: %d)\n";
33034
33035 static void
33036 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
33037@@ -587,7 +671,7 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
33038 if (!oops_may_print())
33039 return;
33040
33041- if (error_code & PF_INSTR) {
33042+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
33043 unsigned int level;
33044 pgd_t *pgd;
33045 pte_t *pte;
33046@@ -598,13 +682,25 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
33047 pte = lookup_address_in_pgd(pgd, address, &level);
33048
33049 if (pte && pte_present(*pte) && !pte_exec(*pte))
33050- printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
33051+ printk(nx_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
33052 if (pte && pte_present(*pte) && pte_exec(*pte) &&
33053 (pgd_flags(*pgd) & _PAGE_USER) &&
33054 (__read_cr4() & X86_CR4_SMEP))
33055- printk(smep_warning, from_kuid(&init_user_ns, current_uid()));
33056+ printk(smep_warning, from_kuid(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
33057 }
33058
33059+#ifdef CONFIG_PAX_KERNEXEC
33060+ if (init_mm.start_code <= address && address < init_mm.end_code) {
33061+ if (current->signal->curr_ip)
33062+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
33063+ &current->signal->curr_ip, current->comm, task_pid_nr(current),
33064+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
33065+ else
33066+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
33067+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
33068+ }
33069+#endif
33070+
33071 printk(KERN_ALERT "BUG: unable to handle kernel ");
33072 if (address < PAGE_SIZE)
33073 printk(KERN_CONT "NULL pointer dereference");
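Review bot: The two rewritten printk calls in show_fault_oops no longer agree on the uid helper: the `nx_warning` call switches to `from_kuid_munged(&init_user_ns, current_uid())` while the `smep_warning` call a few lines below keeps `from_kuid(...)`. I would make the SMEP line read `printk(smep_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));` so both warnings report the uid the same way. Separately, the KERNEXEC message says "attempted to modify kernel code" for any fault address inside `init_mm.start_code`..`init_mm.end_code` without looking at `error_code`; if non-write faults can reach this path the wording would mislead triage, so a `PF_WRITE` test or a neutral message may be worth it.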
33074@@ -783,6 +879,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
33075 return;
33076 }
33077 #endif
33078+
33079+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33080+ if (pax_is_fetch_fault(regs, error_code, address)) {
33081+
33082+#ifdef CONFIG_PAX_EMUTRAMP
33083+ switch (pax_handle_fetch_fault(regs)) {
33084+ case 2:
33085+ return;
33086+ }
33087+#endif
33088+
33089+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
33090+ do_group_exit(SIGKILL);
33091+ }
33092+#endif
33093+
33094 /* Kernel addresses are always protection faults: */
33095 if (address >= TASK_SIZE)
33096 error_code |= PF_PROT;
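Review bot: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` dispatches on a bare integer with a single case and no `default`, so the meaning of 2 (and of the 1 that falls through to the kill) is only discoverable from the comment above pax_handle_fetch_fault at the end of the file. Named constants, or at least `if (pax_handle_fetch_fault(regs) == 2) /* trampoline emulated, resume */ return;`, would make the decision readable at the call site; the same construct appears in pax_handle_pageexec_fault. A one-line comment that `do_group_exit(SIGKILL)` does not return would also help, since the code after the block otherwise looks reachable. __bad_area_nosemaphore continues outside the hunk.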
33097@@ -865,7 +977,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
33098 if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
33099 printk(KERN_ERR
33100 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
33101- tsk->comm, tsk->pid, address);
33102+ tsk->comm, task_pid_nr(tsk), address);
33103 code = BUS_MCEERR_AR;
33104 }
33105 #endif
33106@@ -917,6 +1029,107 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
33107 return 1;
33108 }
33109
33110+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
33111+static inline unsigned long get_limit(unsigned long segment)
33112+{
33113+ unsigned long __limit;
33114+
33115+ asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
33116+ return __limit + 1;
33117+}
33118+
33119+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
33120+{
33121+ pte_t *pte;
33122+ pmd_t *pmd;
33123+ spinlock_t *ptl;
33124+ unsigned char pte_mask;
33125+
33126+ if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
33127+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
33128+ return 0;
33129+
33130+ /* PaX: it's our fault, let's handle it if we can */
33131+
33132+ /* PaX: take a look at read faults before acquiring any locks */
33133+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
33134+ /* instruction fetch attempt from a protected page in user mode */
33135+ up_read(&mm->mmap_sem);
33136+
33137+#ifdef CONFIG_PAX_EMUTRAMP
33138+ switch (pax_handle_fetch_fault(regs)) {
33139+ case 2:
33140+ return 1;
33141+ }
33142+#endif
33143+
33144+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
33145+ do_group_exit(SIGKILL);
33146+ }
33147+
33148+ pmd = pax_get_pmd(mm, address);
33149+ if (unlikely(!pmd))
33150+ return 0;
33151+
33152+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
33153+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
33154+ pte_unmap_unlock(pte, ptl);
33155+ return 0;
33156+ }
33157+
33158+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
33159+ /* write attempt to a protected page in user mode */
33160+ pte_unmap_unlock(pte, ptl);
33161+ return 0;
33162+ }
33163+
33164+#ifdef CONFIG_SMP
33165+ if (likely(address > get_limit(regs->cs) && cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
33166+#else
33167+ if (likely(address > get_limit(regs->cs)))
33168+#endif
33169+ {
33170+ set_pte(pte, pte_mkread(*pte));
33171+ __flush_tlb_one(address);
33172+ pte_unmap_unlock(pte, ptl);
33173+ up_read(&mm->mmap_sem);
33174+ return 1;
33175+ }
33176+
33177+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
33178+
33179+ /*
33180+ * PaX: fill DTLB with user rights and retry
33181+ */
33182+ __asm__ __volatile__ (
33183+ "orb %2,(%1)\n"
33184+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
33185+/*
33186+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
33187+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
33188+ * page fault when examined during a TLB load attempt. this is true not only
33189+ * for PTEs holding a non-present entry but also present entries that will
33190+ * raise a page fault (such as those set up by PaX, or the copy-on-write
33191+ * mechanism). in effect it means that we do *not* need to flush the TLBs
33192+ * for our target pages since their PTEs are simply not in the TLBs at all.
33193+
33194+ * the best thing in omitting it is that we gain around 15-20% speed in the
33195+ * fast path of the page fault handler and can get rid of tracing since we
33196+ * can no longer flush unintended entries.
33197+ */
33198+ "invlpg (%0)\n"
33199+#endif
33200+ __copyuser_seg"testb $0,(%0)\n"
33201+ "xorb %3,(%1)\n"
33202+ :
33203+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
33204+ : "memory", "cc");
33205+ pte_unmap_unlock(pte, ptl);
33206+ up_read(&mm->mmap_sem);
33207+ return 1;
33208+}
33209+#endif
33210+
33211 /*
33212 * Handle a spurious fault caused by a stale TLB entry.
33213 *
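Review bot: pax_handle_pageexec_fault has an undocumented locking contract: every `return 1` path (and the kill path) first does `up_read(&mm->mmap_sem)`, while every `return 0` path leaves the semaphore as it found it, and the caller added at the `retry:` label simply returns on a non-zero result. A header comment stating that, e.g. `/* Apparently called with mm->mmap_sem held for read. Returns 1 with mmap_sem released (fault handled), 0 with it still held. */`, would keep a later early return from unbalancing the semaphore. The `pte_mask` expression also relies silently on `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)` landing on the dirty bit and on the result fitting in `unsigned char`; a `BUILD_BUG_ON` or a comment next to it would pin that.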
33214@@ -1002,6 +1215,9 @@ int show_unhandled_signals = 1;
33215 static inline int
33216 access_error(unsigned long error_code, struct vm_area_struct *vma)
33217 {
33218+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
33219+ return 1;
33220+
33221 if (error_code & PF_WRITE) {
33222 /* write, present and write, not present: */
33223 if (unlikely(!(vma->vm_flags & VM_WRITE)))
33224@@ -1064,6 +1280,22 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
33225 tsk = current;
33226 mm = tsk->mm;
33227
33228+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
33229+ if (!user_mode(regs) && address < 2 * pax_user_shadow_base) {
33230+ if (!search_exception_tables(regs->ip)) {
33231+ printk(KERN_EMERG "PAX: please report this to pageexec@freemail.hu\n");
33232+ bad_area_nosemaphore(regs, error_code, address);
33233+ return;
33234+ }
33235+ if (address < pax_user_shadow_base) {
33236+ printk(KERN_EMERG "PAX: please report this to pageexec@freemail.hu\n");
33237+ printk(KERN_EMERG "PAX: faulting IP: %pS\n", (void *)regs->ip);
33238+ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_EMERG);
33239+ } else
33240+ address -= pax_user_shadow_base;
33241+ }
33242+#endif
33243+
33244 /*
33245 * Detect and handle instructions that would cause a page fault for
33246 * both a tracked kernel page and a userspace page.
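Review bot: The UDEREF block in __do_page_fault prints at `KERN_EMERG` (plus a full `show_trace_log_lvl` dump in the second branch) with no rate limit, and the second branch then carries on into normal fault handling with `address` unchanged, which is not explained. If any kernel path can hit this repeatedly, the log and console would be flooded at the highest severity; `printk_ratelimited(KERN_EMERG ...)` or a once-only guard would bound that. A short comment on why `address < pax_user_shadow_base` is reported but not rejected, and why the outer bound is `2 * pax_user_shadow_base`, would help the next reader. The contact string is duplicated verbatim in both branches and could be a single `static const char[]`.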
33247@@ -1188,6 +1420,11 @@ retry:
33248 might_sleep();
33249 }
33250
33251+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
33252+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
33253+ return;
33254+#endif
33255+
33256 vma = find_vma(mm, address);
33257 if (unlikely(!vma)) {
33258 bad_area(regs, error_code, address);
33259@@ -1199,18 +1436,24 @@ retry:
33260 bad_area(regs, error_code, address);
33261 return;
33262 }
33263- if (error_code & PF_USER) {
33264- /*
33265- * Accessing the stack below %sp is always a bug.
33266- * The large cushion allows instructions like enter
33267- * and pusha to work. ("enter $65535, $31" pushes
33268- * 32 pointers and then decrements %sp by 65535.)
33269- */
33270- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
33271- bad_area(regs, error_code, address);
33272- return;
33273- }
33274+ /*
33275+ * Accessing the stack below %sp is always a bug.
33276+ * The large cushion allows instructions like enter
33277+ * and pusha to work. ("enter $65535, $31" pushes
33278+ * 32 pointers and then decrements %sp by 65535.)
33279+ */
33280+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
33281+ bad_area(regs, error_code, address);
33282+ return;
33283 }
33284+
33285+#ifdef CONFIG_PAX_SEGMEXEC
33286+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
33287+ bad_area(regs, error_code, address);
33288+ return;
33289+ }
33290+#endif
33291+
33292 if (unlikely(expand_stack(vma, address))) {
33293 bad_area(regs, error_code, address);
33294 return;
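Review bot: The stack-cushion check now runs for kernel-mode faults as well and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, but the comment moved with it still only says "below %sp" and does not say why the `PF_USER` guard was dropped. I would extend it with one sentence, e.g. `/* Compare against the saved user %sp so kernel-mode accesses to user memory are held to the same limit. */`, assuming that is the intent. The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wrap-around to express a range check and deserves a comment spelling out which addresses it rejects. The enclosing function starts and ends outside the hunk.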
33295@@ -1330,3 +1573,292 @@ trace_do_page_fault(struct pt_regs *regs, unsigned long error_code)
33296 }
33297 NOKPROBE_SYMBOL(trace_do_page_fault);
33298 #endif /* CONFIG_TRACING */
33299+
33300+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33301+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
33302+{
33303+ struct mm_struct *mm = current->mm;
33304+ unsigned long ip = regs->ip;
33305+
33306+ if (v8086_mode(regs))
33307+ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
33308+
33309+#ifdef CONFIG_PAX_PAGEEXEC
33310+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
33311+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR))
33312+ return true;
33313+ if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address)
33314+ return true;
33315+ return false;
33316+ }
33317+#endif
33318+
33319+#ifdef CONFIG_PAX_SEGMEXEC
33320+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
33321+ if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
33322+ return true;
33323+ return false;
33324+ }
33325+#endif
33326+
33327+ return false;
33328+}
33329+#endif
33330+
33331+#ifdef CONFIG_PAX_EMUTRAMP
33332+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
33333+{
33334+ int err;
33335+
33336+ do { /* PaX: libffi trampoline emulation */
33337+ unsigned char mov, jmp;
33338+ unsigned int addr1, addr2;
33339+
33340+#ifdef CONFIG_X86_64
33341+ if ((regs->ip + 9) >> 32)
33342+ break;
33343+#endif
33344+
33345+ err = get_user(mov, (unsigned char __user *)regs->ip);
33346+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33347+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
33348+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33349+
33350+ if (err)
33351+ break;
33352+
33353+ if (mov == 0xB8 && jmp == 0xE9) {
33354+ regs->ax = addr1;
33355+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
33356+ return 2;
33357+ }
33358+ } while (0);
33359+
33360+ do { /* PaX: gcc trampoline emulation #1 */
33361+ unsigned char mov1, mov2;
33362+ unsigned short jmp;
33363+ unsigned int addr1, addr2;
33364+
33365+#ifdef CONFIG_X86_64
33366+ if ((regs->ip + 11) >> 32)
33367+ break;
33368+#endif
33369+
33370+ err = get_user(mov1, (unsigned char __user *)regs->ip);
33371+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33372+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
33373+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33374+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
33375+
33376+ if (err)
33377+ break;
33378+
33379+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
33380+ regs->cx = addr1;
33381+ regs->ax = addr2;
33382+ regs->ip = addr2;
33383+ return 2;
33384+ }
33385+ } while (0);
33386+
33387+ do { /* PaX: gcc trampoline emulation #2 */
33388+ unsigned char mov, jmp;
33389+ unsigned int addr1, addr2;
33390+
33391+#ifdef CONFIG_X86_64
33392+ if ((regs->ip + 9) >> 32)
33393+ break;
33394+#endif
33395+
33396+ err = get_user(mov, (unsigned char __user *)regs->ip);
33397+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33398+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
33399+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33400+
33401+ if (err)
33402+ break;
33403+
33404+ if (mov == 0xB9 && jmp == 0xE9) {
33405+ regs->cx = addr1;
33406+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
33407+ return 2;
33408+ }
33409+ } while (0);
33410+
33411+ return 1; /* PaX in action */
33412+}
33413+
33414+#ifdef CONFIG_X86_64
33415+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
33416+{
33417+ int err;
33418+
33419+ do { /* PaX: libffi trampoline emulation */
33420+ unsigned short mov1, mov2, jmp1;
33421+ unsigned char stcclc, jmp2;
33422+ unsigned long addr1, addr2;
33423+
33424+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33425+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
33426+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
33427+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
33428+ err |= get_user(stcclc, (unsigned char __user *)(regs->ip + 20));
33429+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 21));
33430+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 23));
33431+
33432+ if (err)
33433+ break;
33434+
33435+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && (stcclc == 0xF8 || stcclc == 0xF9) && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33436+ regs->r11 = addr1;
33437+ regs->r10 = addr2;
33438+ if (stcclc == 0xF8)
33439+ regs->flags &= ~X86_EFLAGS_CF;
33440+ else
33441+ regs->flags |= X86_EFLAGS_CF;
33442+ regs->ip = addr1;
33443+ return 2;
33444+ }
33445+ } while (0);
33446+
33447+ do { /* PaX: gcc trampoline emulation #1 */
33448+ unsigned short mov1, mov2, jmp1;
33449+ unsigned char jmp2;
33450+ unsigned int addr1;
33451+ unsigned long addr2;
33452+
33453+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33454+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
33455+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
33456+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
33457+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
33458+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
33459+
33460+ if (err)
33461+ break;
33462+
33463+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33464+ regs->r11 = addr1;
33465+ regs->r10 = addr2;
33466+ regs->ip = addr1;
33467+ return 2;
33468+ }
33469+ } while (0);
33470+
33471+ do { /* PaX: gcc trampoline emulation #2 */
33472+ unsigned short mov1, mov2, jmp1;
33473+ unsigned char jmp2;
33474+ unsigned long addr1, addr2;
33475+
33476+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33477+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
33478+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
33479+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
33480+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
33481+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
33482+
33483+ if (err)
33484+ break;
33485+
33486+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33487+ regs->r11 = addr1;
33488+ regs->r10 = addr2;
33489+ regs->ip = addr1;
33490+ return 2;
33491+ }
33492+ } while (0);
33493+
33494+ return 1; /* PaX in action */
33495+}
33496+#endif
33497+
33498+/*
33499+ * PaX: decide what to do with offenders (regs->ip = fault address)
33500+ *
33501+ * returns 1 when task should be killed
33502+ * 2 when gcc trampoline was detected
33503+ */
33504+static int pax_handle_fetch_fault(struct pt_regs *regs)
33505+{
33506+ if (v8086_mode(regs))
33507+ return 1;
33508+
33509+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
33510+ return 1;
33511+
33512+#ifdef CONFIG_X86_32
33513+ return pax_handle_fetch_fault_32(regs);
33514+#else
33515+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
33516+ return pax_handle_fetch_fault_32(regs);
33517+ else
33518+ return pax_handle_fetch_fault_64(regs);
33519+#endif
33520+}
33521+#endif
33522+
33523+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33524+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
33525+{
33526+ long i;
33527+
33528+ printk(KERN_ERR "PAX: bytes at PC: ");
33529+ for (i = 0; i < 20; i++) {
33530+ unsigned char c;
33531+ if (get_user(c, (unsigned char __force_user *)pc+i))
33532+ printk(KERN_CONT "?? ");
33533+ else
33534+ printk(KERN_CONT "%02x ", c);
33535+ }
33536+ printk("\n");
33537+
33538+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
33539+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
33540+ unsigned long c;
33541+ if (get_user(c, (unsigned long __force_user *)sp+i)) {
33542+#ifdef CONFIG_X86_32
33543+ printk(KERN_CONT "???????? ");
33544+#else
33545+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)))
33546+ printk(KERN_CONT "???????? ???????? ");
33547+ else
33548+ printk(KERN_CONT "???????????????? ");
33549+#endif
33550+ } else {
33551+#ifdef CONFIG_X86_64
33552+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) {
33553+ printk(KERN_CONT "%08x ", (unsigned int)c);
33554+ printk(KERN_CONT "%08x ", (unsigned int)(c >> 32));
33555+ } else
33556+#endif
33557+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
33558+ }
33559+ }
33560+ printk("\n");
33561+}
33562+#endif
33563+
33564+/**
33565+ * probe_kernel_write(): safely attempt to write to a location
33566+ * @dst: address to write to
33567+ * @src: pointer to the data that shall be written
33568+ * @size: size of the data chunk
33569+ *
33570+ * Safely write to address @dst from the buffer at @src. If a kernel fault
33571+ * happens, handle that and return -EFAULT.
33572+ */
33573+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
33574+{
33575+ long ret;
33576+ mm_segment_t old_fs = get_fs();
33577+
33578+ set_fs(KERNEL_DS);
33579+ pagefault_disable();
33580+ pax_open_kernel();
33581+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
33582+ pax_close_kernel();
33583+ pagefault_enable();
33584+ set_fs(old_fs);
33585+
33586+ return ret ? -EFAULT : 0;
33587+}
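Review bot: The kernel-doc on probe_kernel_write does not mention that the copy runs between `pax_open_kernel()` and `pax_close_kernel()`, which by their names lift the kernel's write protection for the duration, so this helper can presumably write to memory that is otherwise read-only. That is the security-relevant part of the contract and callers should see it; add a sentence such as `Note: kernel write protection is temporarily disabled for the copy; @dst must come from a trusted caller.` It would also help to record that `set_fs(old_fs)` and `pagefault_enable()` are reached on every path, which holds here only because the function has no early return.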
33588diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
33589index 81bf3d2..7ef25c2 100644
33590--- a/arch/x86/mm/gup.c
33591+++ b/arch/x86/mm/gup.c
33592@@ -268,7 +268,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
33593 addr = start;
33594 len = (unsigned long) nr_pages << PAGE_SHIFT;
33595 end = start + len;
33596- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
33597+ if (unlikely(!access_ok_noprefault(write ? VERIFY_WRITE : VERIFY_READ,
33598 (void __user *)start, len)))
33599 return 0;
33600
33601@@ -344,6 +344,10 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
33602 goto slow_irqon;
33603 #endif
33604
33605+ if (unlikely(!access_ok_noprefault(write ? VERIFY_WRITE : VERIFY_READ,
33606+ (void __user *)start, len)))
33607+ return 0;
33608+
33609 /*
33610 * XXX: batch / limit 'nr', to avoid large irq off latency
33611 * needs some instrumenting to determine the common sizes used by
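Review bot: The added `access_ok_noprefault` check in get_user_pages_fast returns 0 on failure, whereas the neighbouring failure exit visible in this hunk jumps to `slow_irqon` and, as far as I recall the mainline contract, get_user_pages_fast reports "no pages pinned" as a negative errno rather than 0. A caller that only tests for `< 0` would read this result as success with nothing pinned. Unless 0 is intended here, `return -EFAULT;` looks like the safer result. The function body continues outside the hunk.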
33612diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
33613index eecb207a..e76b7f4 100644
33614--- a/arch/x86/mm/highmem_32.c
33615+++ b/arch/x86/mm/highmem_32.c
33616@@ -35,6 +35,8 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
33617 unsigned long vaddr;
33618 int idx, type;
33619
33620+ BUG_ON(pgprot_val(prot) & _PAGE_USER);
33621+
33622 preempt_disable();
33623 pagefault_disable();
33624
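Review bot: The new `BUG_ON(pgprot_val(prot) & _PAGE_USER);` in kmap_atomic_prot has no comment saying what invariant it enforces. One line such as `/* atomic kmaps are kernel-only; a user-accessible protection here would expose the page to userland */` would tell callers why a bad `prot` halts the machine instead of being rejected. kmap_atomic_prot continues outside the hunk.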
33625@@ -45,7 +47,11 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
33626 idx = type + KM_TYPE_NR*smp_processor_id();
33627 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
33628 BUG_ON(!pte_none(*(kmap_pte-idx)));
33629+
33630+ pax_open_kernel();
33631 set_pte(kmap_pte-idx, mk_pte(page, prot));
33632+ pax_close_kernel();
33633+
33634 arch_flush_lazy_mmu_mode();
33635
33636 return (void *)vaddr;
33637diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
33638index 42982b2..7168fc3 100644
33639--- a/arch/x86/mm/hugetlbpage.c
33640+++ b/arch/x86/mm/hugetlbpage.c
33641@@ -74,23 +74,24 @@ int pud_huge(pud_t pud)
33642 #ifdef CONFIG_HUGETLB_PAGE
33643 static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
33644 unsigned long addr, unsigned long len,
33645- unsigned long pgoff, unsigned long flags)
33646+ unsigned long pgoff, unsigned long flags, unsigned long offset)
33647 {
33648 struct hstate *h = hstate_file(file);
33649 struct vm_unmapped_area_info info;
33650-
33651+
33652 info.flags = 0;
33653 info.length = len;
33654 info.low_limit = current->mm->mmap_legacy_base;
33655 info.high_limit = TASK_SIZE;
33656 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
33657 info.align_offset = 0;
33658+ info.threadstack_offset = offset;
33659 return vm_unmapped_area(&info);
33660 }
33661
33662 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33663 unsigned long addr0, unsigned long len,
33664- unsigned long pgoff, unsigned long flags)
33665+ unsigned long pgoff, unsigned long flags, unsigned long offset)
33666 {
33667 struct hstate *h = hstate_file(file);
33668 struct vm_unmapped_area_info info;
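Review bot: `struct vm_unmapped_area_info info;` is still declared without an initializer and filled field by field, so the new `info.threadstack_offset = offset;` line is the only thing keeping that member from holding stack garbage; the same applies to hugetlb_get_unmapped_area_topdown in the next hunk. Zero-initialising at the declaration, `struct vm_unmapped_area_info info = { 0 };`, would make every user of the struct safe by default when a field is added. The `-`/`+` pair on the blank line after the declaration looks like a whitespace-only change and could be dropped.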
33669@@ -102,6 +103,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33670 info.high_limit = current->mm->mmap_base;
33671 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
33672 info.align_offset = 0;
33673+ info.threadstack_offset = offset;
33674 addr = vm_unmapped_area(&info);
33675
33676 /*
33677@@ -114,6 +116,12 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33678 VM_BUG_ON(addr != -ENOMEM);
33679 info.flags = 0;
33680 info.low_limit = TASK_UNMAPPED_BASE;
33681+
33682+#ifdef CONFIG_PAX_RANDMMAP
33683+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
33684+ info.low_limit += current->mm->delta_mmap;
33685+#endif
33686+
33687 info.high_limit = TASK_SIZE;
33688 addr = vm_unmapped_area(&info);
33689 }
33690@@ -128,10 +136,20 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
33691 struct hstate *h = hstate_file(file);
33692 struct mm_struct *mm = current->mm;
33693 struct vm_area_struct *vma;
33694+ unsigned long pax_task_size = TASK_SIZE;
33695+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
33696
33697 if (len & ~huge_page_mask(h))
33698 return -EINVAL;
33699- if (len > TASK_SIZE)
33700+
33701+#ifdef CONFIG_PAX_SEGMEXEC
33702+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
33703+ pax_task_size = SEGMEXEC_TASK_SIZE;
33704+#endif
33705+
33706+ pax_task_size -= PAGE_SIZE;
33707+
33708+ if (len > pax_task_size)
33709 return -ENOMEM;
33710
33711 if (flags & MAP_FIXED) {
33712@@ -140,19 +158,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
33713 return addr;
33714 }
33715
33716+#ifdef CONFIG_PAX_RANDMMAP
33717+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
33718+#endif
33719+
33720 if (addr) {
33721 addr = ALIGN(addr, huge_page_size(h));
33722 vma = find_vma(mm, addr);
33723- if (TASK_SIZE - len >= addr &&
33724- (!vma || addr + len <= vma->vm_start))
33725+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
33726 return addr;
33727 }
33728 if (mm->get_unmapped_area == arch_get_unmapped_area)
33729 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
33730- pgoff, flags);
33731+ pgoff, flags, offset);
33732 else
33733 return hugetlb_get_unmapped_area_topdown(file, addr, len,
33734- pgoff, flags);
33735+ pgoff, flags, offset);
33736 }
33737 #endif /* CONFIG_HUGETLB_PAGE */
33738
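Review bot: Under CONFIG_PAX_RANDMMAP the brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` governs the whole following `if (addr) { ... }` block across an `#endif` and a blank line, which is easy to misread and easy to break by inserting a statement in between. A comment on the guard, or a local flag set under the `#ifdef` and tested as `if (addr && !randmmap)` (name illustrative), would make the scope explicit. The hint path also now defers to `check_heap_stack_gap(vma, addr, len, offset)`, whose handling of a NULL `vma` is not visible here and should be confirmed, since the removed code tested `!vma` explicitly.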
33739diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
33740index 8533b46..8c83176 100644
33741--- a/arch/x86/mm/init.c
33742+++ b/arch/x86/mm/init.c
33743@@ -4,6 +4,7 @@
33744 #include <linux/swap.h>
33745 #include <linux/memblock.h>
33746 #include <linux/bootmem.h> /* for max_low_pfn */
33747+#include <linux/tboot.h>
33748
33749 #include <asm/cacheflush.h>
33750 #include <asm/e820.h>
33751@@ -17,6 +18,8 @@
33752 #include <asm/proto.h>
33753 #include <asm/dma.h> /* for MAX_DMA_PFN */
33754 #include <asm/microcode.h>
33755+#include <asm/desc.h>
33756+#include <asm/bios_ebda.h>
33757
33758 /*
33759 * We need to define the tracepoints somewhere, and tlb.c
33760@@ -615,7 +618,18 @@ void __init init_mem_mapping(void)
33761 early_ioremap_page_table_range_init();
33762 #endif
33763
33764+#ifdef CONFIG_PAX_PER_CPU_PGD
33765+ clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY,
33766+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
33767+ KERNEL_PGD_PTRS);
33768+ clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY,
33769+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
33770+ KERNEL_PGD_PTRS);
33771+ load_cr3(get_cpu_pgd(0, kernel));
33772+#else
33773 load_cr3(swapper_pg_dir);
33774+#endif
33775+
33776 __flush_tlb_all();
33777
33778 early_memtest(0, max_pfn_mapped << PAGE_SHIFT);
33779@@ -631,10 +645,40 @@ void __init init_mem_mapping(void)
33780 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
33781 * mmio resources as well as potential bios/acpi data regions.
33782 */
33783+
33784+#ifdef CONFIG_GRKERNSEC_KMEM
33785+static unsigned int ebda_start __read_only;
33786+static unsigned int ebda_end __read_only;
33787+#endif
33788+
33789 int devmem_is_allowed(unsigned long pagenr)
33790 {
33791- if (pagenr < 256)
33792+#ifdef CONFIG_GRKERNSEC_KMEM
33793+ /* allow BDA */
33794+ if (!pagenr)
33795 return 1;
33796+ /* allow EBDA */
33797+ if (pagenr >= ebda_start && pagenr < ebda_end)
33798+ return 1;
33799+ /* if tboot is in use, allow access to its hardcoded serial log range */
33800+ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))
33801+ return 1;
33802+#else
33803+ if (!pagenr)
33804+ return 1;
33805+#ifdef CONFIG_VM86
33806+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
33807+ return 1;
33808+#endif
33809+#endif
33810+
33811+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
33812+ return 1;
33813+#ifdef CONFIG_GRKERNSEC_KMEM
33814+ /* throw out everything else below 1MB */
33815+ if (pagenr <= 256)
33816+ return 0;
33817+#endif
33818 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
33819 return 0;
33820 if (!page_is_ram(pagenr))
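Review bot: In devmem_is_allowed the comment says "throw out everything else below 1MB" but the test is `if (pagenr <= 256)`, which with 4 KiB pages also rejects page 256, the first page at 1 MiB; the removed code used `pagenr < 256`. The stricter bound errs on the safe side, but comment and code should agree, and the literal would read better as `(ISA_END_ADDRESS >> PAGE_SHIFT)` like the range test just above, assuming that constant is the 1 MiB mark. Note also that `ebda_start` and `ebda_end` stay zero until gr_init_ebda runs from free_initmem, so the EBDA allowance is inactive before then; a comment on the two statics would record whether that is intended.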
33821@@ -680,8 +724,127 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
33822 #endif
33823 }
33824
33825+#ifdef CONFIG_GRKERNSEC_KMEM
33826+static inline void gr_init_ebda(void)
33827+{
33828+ unsigned int ebda_addr;
33829+ unsigned int ebda_size = 0;
33830+
33831+ ebda_addr = get_bios_ebda();
33832+ if (ebda_addr) {
33833+ ebda_size = *(unsigned char *)phys_to_virt(ebda_addr);
33834+ ebda_size <<= 10;
33835+ }
33836+ if (ebda_addr && ebda_size) {
33837+ ebda_start = ebda_addr >> PAGE_SHIFT;
33838+ ebda_end = min((unsigned int)PAGE_ALIGN(ebda_addr + ebda_size), (unsigned int)0xa0000) >> PAGE_SHIFT;
33839+ } else {
33840+ ebda_start = 0x9f000 >> PAGE_SHIFT;
33841+ ebda_end = 0xa0000 >> PAGE_SHIFT;
33842+ }
33843+}
33844+#else
33845+static inline void gr_init_ebda(void) { }
33846+#endif
33847+
33848 void free_initmem(void)
33849 {
33850+#ifdef CONFIG_PAX_KERNEXEC
33851+#ifdef CONFIG_X86_32
33852+ /* PaX: limit KERNEL_CS to actual size */
33853+ unsigned long addr, limit;
33854+ struct desc_struct d;
33855+ int cpu;
33856+#else
33857+ pgd_t *pgd;
33858+ pud_t *pud;
33859+ pmd_t *pmd;
33860+ unsigned long addr, end;
33861+#endif
33862+#endif
33863+
33864+ gr_init_ebda();
33865+
33866+#ifdef CONFIG_PAX_KERNEXEC
33867+#ifdef CONFIG_X86_32
33868+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
33869+ limit = (limit - 1UL) >> PAGE_SHIFT;
33870+
33871+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
33872+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
33873+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
33874+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
33875+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
33876+ }
33877+
33878+ /* PaX: make KERNEL_CS read-only */
33879+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
33880+ if (!paravirt_enabled())
33881+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
33882+/*
33883+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
33884+ pgd = pgd_offset_k(addr);
33885+ pud = pud_offset(pgd, addr);
33886+ pmd = pmd_offset(pud, addr);
33887+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
33888+ }
33889+*/
33890+#ifdef CONFIG_X86_PAE
33891+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
33892+/*
33893+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
33894+ pgd = pgd_offset_k(addr);
33895+ pud = pud_offset(pgd, addr);
33896+ pmd = pmd_offset(pud, addr);
33897+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
33898+ }
33899+*/
33900+#endif
33901+
33902+#ifdef CONFIG_MODULES
33903+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
33904+#endif
33905+
33906+#else
33907+ /* PaX: make kernel code/rodata read-only, rest non-executable */
33908+ set_memory_ro((unsigned long)_text, ((unsigned long)(_sdata - _text) >> PAGE_SHIFT));
33909+ set_memory_nx((unsigned long)_sdata, (__START_KERNEL_map + KERNEL_IMAGE_SIZE - (unsigned long)_sdata) >> PAGE_SHIFT);
33910+
33911+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
33912+ pgd = pgd_offset_k(addr);
33913+ pud = pud_offset(pgd, addr);
33914+ pmd = pmd_offset(pud, addr);
33915+ if (!pmd_present(*pmd))
33916+ continue;
33917+ if (addr >= (unsigned long)_text)
33918+ BUG_ON(!pmd_large(*pmd));
33919+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
33920+ BUG_ON(pmd_write(*pmd));
33921+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
33922+ else
33923+ BUG_ON(!(pmd_flags(*pmd) & _PAGE_NX));
33924+// set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
33925+ }
33926+
33927+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
33928+ end = addr + KERNEL_IMAGE_SIZE;
33929+ for (; addr < end; addr += PMD_SIZE) {
33930+ pgd = pgd_offset_k(addr);
33931+ pud = pud_offset(pgd, addr);
33932+ pmd = pmd_offset(pud, addr);
33933+ if (!pmd_present(*pmd))
33934+ continue;
33935+ if (addr >= (unsigned long)_text)
33936+ BUG_ON(!pmd_large(*pmd));
33937+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
33938+ BUG_ON(pmd_write(*pmd));
33939+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
33940+ }
33941+#endif
33942+
33943+ flush_tlb_all();
33944+#endif
33945+
33946 free_init_pages("unused kernel",
33947 (unsigned long)(&__init_begin),
33948 (unsigned long)(&__init_end));
33949diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
33950index 68aec42..95ad5d3 100644
33951--- a/arch/x86/mm/init_32.c
33952+++ b/arch/x86/mm/init_32.c
33953@@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void);
33954 bool __read_mostly __vmalloc_start_set = false;
33955
33956 /*
33957- * Creates a middle page table and puts a pointer to it in the
33958- * given global directory entry. This only returns the gd entry
33959- * in non-PAE compilation mode, since the middle layer is folded.
33960- */
33961-static pmd_t * __init one_md_table_init(pgd_t *pgd)
33962-{
33963- pud_t *pud;
33964- pmd_t *pmd_table;
33965-
33966-#ifdef CONFIG_X86_PAE
33967- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
33968- pmd_table = (pmd_t *)alloc_low_page();
33969- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
33970- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
33971- pud = pud_offset(pgd, 0);
33972- BUG_ON(pmd_table != pmd_offset(pud, 0));
33973-
33974- return pmd_table;
33975- }
33976-#endif
33977- pud = pud_offset(pgd, 0);
33978- pmd_table = pmd_offset(pud, 0);
33979-
33980- return pmd_table;
33981-}
33982-
33983-/*
33984 * Create a page table and place a pointer to it in a middle page
33985 * directory entry:
33986 */
33987@@ -98,13 +71,28 @@ static pte_t * __init one_page_table_init(pmd_t *pmd)
33988 pte_t *page_table = (pte_t *)alloc_low_page();
33989
33990 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
33991+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33992+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
33993+#else
33994 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
33995+#endif
33996 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
33997 }
33998
33999 return pte_offset_kernel(pmd, 0);
34000 }
34001
34002+static pmd_t * __init one_md_table_init(pgd_t *pgd)
34003+{
34004+ pud_t *pud;
34005+ pmd_t *pmd_table;
34006+
34007+ pud = pud_offset(pgd, 0);
34008+ pmd_table = pmd_offset(pud, 0);
34009+
34010+ return pmd_table;
34011+}
34012+
34013 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
34014 {
34015 int pgd_idx = pgd_index(vaddr);
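Review bot: The re-added `one_md_table_init()` has lost both its header comment and the CONFIG_X86_PAE branch that allocated a missing middle table, so it now assumes the pgd entry is already populated. If a preallocated PMD set up elsewhere in the patch guarantees that (not visible in this hunk), say so above the function, e.g. `/* PMDs are preallocated: only look the table up, never allocate */`. The `_KERNPG_TABLE` branch in `one_page_table_init()` also deserves a one-line comment saying that, under PAGEEXEC/SEGMEXEC, kernel page-table entries are created without the user bit.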
34016@@ -209,6 +197,7 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
34017 int pgd_idx, pmd_idx;
34018 unsigned long vaddr;
34019 pgd_t *pgd;
34020+ pud_t *pud;
34021 pmd_t *pmd;
34022 pte_t *pte = NULL;
34023 unsigned long count = page_table_range_init_count(start, end);
34024@@ -223,8 +212,13 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
34025 pgd = pgd_base + pgd_idx;
34026
34027 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
34028- pmd = one_md_table_init(pgd);
34029- pmd = pmd + pmd_index(vaddr);
34030+ pud = pud_offset(pgd, vaddr);
34031+ pmd = pmd_offset(pud, vaddr);
34032+
34033+#ifdef CONFIG_X86_PAE
34034+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
34035+#endif
34036+
34037 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
34038 pmd++, pmd_idx++) {
34039 pte = page_table_kmap_check(one_page_table_init(pmd),
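Review bot: The removed `one_md_table_init(pgd)` call checked `_PAGE_PRESENT` and allocated the middle table when it was missing, but the replacement walks `pud_offset()`/`pmd_offset()` with no presence check. Under CONFIG_X86_PAE it then calls `paravirt_alloc_pmd()` on every pass, not only for a newly allocated table. If the PMD is always present at this point, assert it inside the PAE block with `BUG_ON(!(pgd_val(*pgd) & _PAGE_PRESENT));` and note whether repeated `paravirt_alloc_pmd()` calls on the same frame are harmless for paravirt backends. The same pattern appears in the `kernel_physical_mapping_init()` hunk further down; both function bodies extend outside their hunks.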
34040@@ -236,11 +230,20 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
34041 }
34042 }
34043
34044-static inline int is_kernel_text(unsigned long addr)
34045+static inline int is_kernel_text(unsigned long start, unsigned long end)
34046 {
34047- if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
34048- return 1;
34049- return 0;
34050+ if ((start >= ktla_ktva((unsigned long)_etext) ||
34051+ end <= ktla_ktva((unsigned long)_stext)) &&
34052+ (start >= ktla_ktva((unsigned long)_einittext) ||
34053+ end <= ktla_ktva((unsigned long)_sinittext)) &&
34054+
34055+#ifdef CONFIG_ACPI_SLEEP
34056+ (start >= (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
34057+#endif
34058+
34059+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
34060+ return 0;
34061+ return 1;
34062 }
34063
34064 /*
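Review bot: `is_kernel_text()` now takes a range and returns 1 for more than kernel text, but it has no comment, and `0x4000`, `0xc0000` and `0xfffff` are unexplained literals. Since callers use the result to choose an executable protection, the set of regions is security-relevant and should be spelled out, e.g. `/* 1 if [start, end) overlaps kernel text, init text, the ACPI wakeup area or the 0xc0000-0xfffff BIOS range, i.e. anything mapped executable */`. The last clause also uses `start >` with an inclusive upper bound while the others use `start >=` with exclusive ends; a named constant for each bound would make that difference deliberate rather than accidental.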
34065@@ -257,9 +260,10 @@ kernel_physical_mapping_init(unsigned long start,
34066 unsigned long last_map_addr = end;
34067 unsigned long start_pfn, end_pfn;
34068 pgd_t *pgd_base = swapper_pg_dir;
34069- int pgd_idx, pmd_idx, pte_ofs;
34070+ unsigned int pgd_idx, pmd_idx, pte_ofs;
34071 unsigned long pfn;
34072 pgd_t *pgd;
34073+ pud_t *pud;
34074 pmd_t *pmd;
34075 pte_t *pte;
34076 unsigned pages_2m, pages_4k;
34077@@ -292,8 +296,13 @@ repeat:
34078 pfn = start_pfn;
34079 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
34080 pgd = pgd_base + pgd_idx;
34081- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
34082- pmd = one_md_table_init(pgd);
34083+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
34084+ pud = pud_offset(pgd, 0);
34085+ pmd = pmd_offset(pud, 0);
34086+
34087+#ifdef CONFIG_X86_PAE
34088+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
34089+#endif
34090
34091 if (pfn >= end_pfn)
34092 continue;
34093@@ -305,14 +314,13 @@ repeat:
34094 #endif
34095 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
34096 pmd++, pmd_idx++) {
34097- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
34098+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
34099
34100 /*
34101 * Map with big pages if possible, otherwise
34102 * create normal page tables:
34103 */
34104 if (use_pse) {
34105- unsigned int addr2;
34106 pgprot_t prot = PAGE_KERNEL_LARGE;
34107 /*
34108 * first pass will use the same initial
34109@@ -323,11 +331,7 @@ repeat:
34110 _PAGE_PSE);
34111
34112 pfn &= PMD_MASK >> PAGE_SHIFT;
34113- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
34114- PAGE_OFFSET + PAGE_SIZE-1;
34115-
34116- if (is_kernel_text(addr) ||
34117- is_kernel_text(addr2))
34118+ if (is_kernel_text(address, address + PMD_SIZE))
34119 prot = PAGE_KERNEL_LARGE_EXEC;
34120
34121 pages_2m++;
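Review bot: `address` is computed from `pfn` in the previous hunk, before `pfn &= PMD_MASK >> PAGE_SHIFT` rounds the frame down, so `is_kernel_text(address, address + PMD_SIZE)` can test a window shifted relative to the 2M page that is actually mapped. The removed code used the same start address but derived `addr2` from the aligned `pfn`. If `pfn` can be unaligned on entry (the masking suggests it can), recompute after the mask with `address = pfn * PAGE_SIZE + PAGE_OFFSET;` so the executable/non-executable decision covers exactly the large page. The enclosing loop starts and ends outside this hunk.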
34122@@ -344,7 +348,7 @@ repeat:
34123 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
34124 pte += pte_ofs;
34125 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
34126- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
34127+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
34128 pgprot_t prot = PAGE_KERNEL;
34129 /*
34130 * first pass will use the same initial
34131@@ -352,7 +356,7 @@ repeat:
34132 */
34133 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
34134
34135- if (is_kernel_text(addr))
34136+ if (is_kernel_text(address, address + PAGE_SIZE))
34137 prot = PAGE_KERNEL_EXEC;
34138
34139 pages_4k++;
34140@@ -475,7 +479,7 @@ void __init native_pagetable_init(void)
34141
34142 pud = pud_offset(pgd, va);
34143 pmd = pmd_offset(pud, va);
34144- if (!pmd_present(*pmd))
34145+ if (!pmd_present(*pmd)) // PAX TODO || pmd_large(*pmd))
34146 break;
34147
34148 /* should not be large page here */
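Review bot: The trailing `// PAX TODO || pmd_large(*pmd))` leaves an unbalanced fragment of a condition in a comment, and it is unclear how it relates to the existing "should not be large page here" comment two lines below. Spell the open question out, e.g. `/* PAX TODO: also stop on pmd_large(*pmd)? */`, or drop it.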
34149@@ -533,12 +537,10 @@ void __init early_ioremap_page_table_range_init(void)
34150
34151 static void __init pagetable_init(void)
34152 {
34153- pgd_t *pgd_base = swapper_pg_dir;
34154-
34155- permanent_kmaps_init(pgd_base);
34156+ permanent_kmaps_init(swapper_pg_dir);
34157 }
34158
34159-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL);
34160+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL);
34161 EXPORT_SYMBOL_GPL(__supported_pte_mask);
34162
34163 /* user-defined highmem size */
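Review bot: Moving `__supported_pte_mask` from `__read_mostly` to `__read_only` needs a comment naming where the variable is still written. Any writer that runs after the read-only data is protected would have to be bracketed by `pax_open_kernel()`/`pax_close_kernel()`, as the patch does around `set_pte()` elsewhere, and no writer is visible in this hunk. The same applies to the init_64.c hunk below, where the initial value also changes from `~0` to `~_PAGE_NX`, so NX stays masked out until code outside the hunk enables it. That dependency deserves a sentence next to both definitions.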
34164@@ -788,10 +790,10 @@ void __init mem_init(void)
34165 ((unsigned long)&__init_end -
34166 (unsigned long)&__init_begin) >> 10,
34167
34168- (unsigned long)&_etext, (unsigned long)&_edata,
34169- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
34170+ (unsigned long)&_sdata, (unsigned long)&_edata,
34171+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
34172
34173- (unsigned long)&_text, (unsigned long)&_etext,
34174+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
34175 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
34176
34177 /*
34178@@ -885,6 +887,7 @@ void set_kernel_text_rw(void)
34179 if (!kernel_set_to_readonly)
34180 return;
34181
34182+ start = ktla_ktva(start);
34183 pr_debug("Set kernel text: %lx - %lx for read write\n",
34184 start, start+size);
34185
34186@@ -899,6 +902,7 @@ void set_kernel_text_ro(void)
34187 if (!kernel_set_to_readonly)
34188 return;
34189
34190+ start = ktla_ktva(start);
34191 pr_debug("Set kernel text: %lx - %lx for read only\n",
34192 start, start+size);
34193
34194@@ -927,6 +931,7 @@ void mark_rodata_ro(void)
34195 unsigned long start = PFN_ALIGN(_text);
34196 unsigned long size = PFN_ALIGN(_etext) - start;
34197
34198+ start = ktla_ktva(start);
34199 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
34200 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
34201 size >> 10);
34202diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
34203index 3fba623..5ee9802 100644
34204--- a/arch/x86/mm/init_64.c
34205+++ b/arch/x86/mm/init_64.c
34206@@ -136,7 +136,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
34207 * around without checking the pgd every time.
34208 */
34209
34210-pteval_t __supported_pte_mask __read_mostly = ~0;
34211+pteval_t __supported_pte_mask __read_only = ~_PAGE_NX;
34212 EXPORT_SYMBOL_GPL(__supported_pte_mask);
34213
34214 int force_personality32;
34215@@ -169,7 +169,12 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
34216
34217 for (address = start; address <= end; address += PGDIR_SIZE) {
34218 const pgd_t *pgd_ref = pgd_offset_k(address);
34219+
34220+#ifdef CONFIG_PAX_PER_CPU_PGD
34221+ unsigned long cpu;
34222+#else
34223 struct page *page;
34224+#endif
34225
34226 /*
34227 * When it is called after memory hot remove, pgd_none()
34228@@ -180,6 +185,25 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
34229 continue;
34230
34231 spin_lock(&pgd_lock);
34232+
34233+#ifdef CONFIG_PAX_PER_CPU_PGD
34234+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
34235+ pgd_t *pgd = pgd_offset_cpu(cpu, user, address);
34236+
34237+ if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
34238+ BUG_ON(pgd_page_vaddr(*pgd)
34239+ != pgd_page_vaddr(*pgd_ref));
34240+
34241+ if (removed) {
34242+ if (pgd_none(*pgd_ref) && !pgd_none(*pgd))
34243+ pgd_clear(pgd);
34244+ } else {
34245+ if (pgd_none(*pgd))
34246+ set_pgd(pgd, *pgd_ref);
34247+ }
34248+
34249+ pgd = pgd_offset_cpu(cpu, kernel, address);
34250+#else
34251 list_for_each_entry(page, &pgd_list, lru) {
34252 pgd_t *pgd;
34253 spinlock_t *pgt_lock;
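Review bot: The CONFIG_PAX_PER_CPU_PGD branch repeats the BUG_ON/clear/set sequence for the user pgd and then falls into the shared tail for the kernel pgd, with the loop braces split across `#ifdef`/`#else`/`#endif`. Two copies of the consistency check can drift apart, and the split braces make it hard to see which pgd each statement acts on. A small static helper called for the user entry, and from the shared tail in the next hunk, would keep a single copy. `sync_global_pgds()` starts and ends outside this hunk.

```c
/* Bring one pgd entry in line with the reference entry. */
static void sync_one_pgd(pgd_t *pgd, const pgd_t *pgd_ref, int removed)
{
	if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
		BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));

	if (removed) {
		if (pgd_none(*pgd_ref) && !pgd_none(*pgd))
			pgd_clear(pgd);
	} else {
		if (pgd_none(*pgd))
			set_pgd(pgd, *pgd_ref);
	}
}

/* … unchanged: address loop, pgd_none() early continue, spin_lock(&pgd_lock) … */
#ifdef CONFIG_PAX_PER_CPU_PGD
		for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
			pgd_t *pgd;

			sync_one_pgd(pgd_offset_cpu(cpu, user, address), pgd_ref, removed);
			pgd = pgd_offset_cpu(cpu, kernel, address);
#else
/* … unchanged: list_for_each_entry() walk and pgt_lock handling … */
```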
34254@@ -188,6 +212,7 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
34255 /* the pgt_lock only for Xen */
34256 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
34257 spin_lock(pgt_lock);
34258+#endif
34259
34260 if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
34261 BUG_ON(pgd_page_vaddr(*pgd)
34262@@ -201,7 +226,10 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
34263 set_pgd(pgd, *pgd_ref);
34264 }
34265
34266+#ifndef CONFIG_PAX_PER_CPU_PGD
34267 spin_unlock(pgt_lock);
34268+#endif
34269+
34270 }
34271 spin_unlock(&pgd_lock);
34272 }
34273@@ -234,7 +262,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr)
34274 {
34275 if (pgd_none(*pgd)) {
34276 pud_t *pud = (pud_t *)spp_getpage();
34277- pgd_populate(&init_mm, pgd, pud);
34278+ pgd_populate_kernel(&init_mm, pgd, pud);
34279 if (pud != pud_offset(pgd, 0))
34280 printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n",
34281 pud, pud_offset(pgd, 0));
34282@@ -246,7 +274,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr)
34283 {
34284 if (pud_none(*pud)) {
34285 pmd_t *pmd = (pmd_t *) spp_getpage();
34286- pud_populate(&init_mm, pud, pmd);
34287+ pud_populate_kernel(&init_mm, pud, pmd);
34288 if (pmd != pmd_offset(pud, 0))
34289 printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n",
34290 pmd, pmd_offset(pud, 0));
34291@@ -275,7 +303,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte)
34292 pmd = fill_pmd(pud, vaddr);
34293 pte = fill_pte(pmd, vaddr);
34294
34295+ pax_open_kernel();
34296 set_pte(pte, new_pte);
34297+ pax_close_kernel();
34298
34299 /*
34300 * It's enough to flush this one mapping.
34301@@ -337,14 +367,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
34302 pgd = pgd_offset_k((unsigned long)__va(phys));
34303 if (pgd_none(*pgd)) {
34304 pud = (pud_t *) spp_getpage();
34305- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
34306- _PAGE_USER));
34307+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
34308 }
34309 pud = pud_offset(pgd, (unsigned long)__va(phys));
34310 if (pud_none(*pud)) {
34311 pmd = (pmd_t *) spp_getpage();
34312- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
34313- _PAGE_USER));
34314+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
34315 }
34316 pmd = pmd_offset(pud, phys);
34317 BUG_ON(!pmd_none(*pmd));
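Review bot: In init_32.c this patch uses `_KERNPG_TABLE` to keep the user bit off kernel page-table entries, but here `_KERNPG_TABLE | _PAGE_USER` is only respelled as `_PAGE_TABLE`, which going by the removed lines still carries `_PAGE_USER`. If the extra mapping does not need to be user-reachable at the pgd/pud level, the tighter form is `set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE));` and likewise for `set_pud()`. If the user bit is required, a comment should say why.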
34318@@ -585,7 +613,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
34319 prot);
34320
34321 spin_lock(&init_mm.page_table_lock);
34322- pud_populate(&init_mm, pud, pmd);
34323+ pud_populate_kernel(&init_mm, pud, pmd);
34324 spin_unlock(&init_mm.page_table_lock);
34325 }
34326 __flush_tlb_all();
34327@@ -626,7 +654,7 @@ kernel_physical_mapping_init(unsigned long start,
34328 page_size_mask);
34329
34330 spin_lock(&init_mm.page_table_lock);
34331- pgd_populate(&init_mm, pgd, pud);
34332+ pgd_populate_kernel(&init_mm, pgd, pud);
34333 spin_unlock(&init_mm.page_table_lock);
34334 pgd_changed = true;
34335 }
34336diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c
34337index 9c0ff04..9020d5f 100644
34338--- a/arch/x86/mm/iomap_32.c
34339+++ b/arch/x86/mm/iomap_32.c
34340@@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long pfn, pgprot_t prot)
34341 type = kmap_atomic_idx_push();
34342 idx = type + KM_TYPE_NR * smp_processor_id();
34343 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
34344+
34345+ pax_open_kernel();
34346 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
34347+ pax_close_kernel();
34348+
34349 arch_flush_lazy_mmu_mode();
34350
34351 return (void *)vaddr;
34352diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
34353index b9c78f3..9ca7e24 100644
34354--- a/arch/x86/mm/ioremap.c
34355+++ b/arch/x86/mm/ioremap.c
34356@@ -59,8 +59,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
34357 unsigned long i;
34358
34359 for (i = 0; i < nr_pages; ++i)
34360- if (pfn_valid(start_pfn + i) &&
34361- !PageReserved(pfn_to_page(start_pfn + i)))
34362+ if (pfn_valid(start_pfn + i) && (start_pfn + i >= 0x100 ||
34363+ !PageReserved(pfn_to_page(start_pfn + i))))
34364 return 1;
34365
34366 return 0;
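Review bot: The literal `0x100` in the new condition is an unexplained page-frame number (1 MiB with 4 KiB pages), and the change makes every valid pfn at or above it count as RAM whether or not the page is reserved. State that intent in a comment, e.g. `/* above the legacy 1M area, reserved pages count as RAM as well */`, together with the reason the caller should refuse such ranges. The bound would read better as a named constant such as `ISA_END_ADDRESS >> PAGE_SHIFT`, if that definition is in scope in this file.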
34367@@ -332,7 +332,7 @@ EXPORT_SYMBOL(ioremap_prot);
34368 *
34369 * Caller must ensure there is only one unmapping for the same pointer.
34370 */
34371-void iounmap(volatile void __iomem *addr)
34372+void iounmap(const volatile void __iomem *addr)
34373 {
34374 struct vm_struct *p, *o;
34375
34376@@ -395,31 +395,37 @@ int __init arch_ioremap_pmd_supported(void)
34377 */
34378 void *xlate_dev_mem_ptr(phys_addr_t phys)
34379 {
34380- unsigned long start = phys & PAGE_MASK;
34381- unsigned long offset = phys & ~PAGE_MASK;
34382- void *vaddr;
34383+ phys_addr_t pfn = phys >> PAGE_SHIFT;
34384
34385- /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
34386- if (page_is_ram(start >> PAGE_SHIFT))
34387- return __va(phys);
34388+ if (page_is_ram(pfn)) {
34389+#ifdef CONFIG_HIGHMEM
34390+ if (pfn >= max_low_pfn)
34391+ return kmap_high(pfn_to_page(pfn));
34392+ else
34393+#endif
34394+ return __va(phys);
34395+ }
34396
34397- vaddr = ioremap_cache(start, PAGE_SIZE);
34398- /* Only add the offset on success and return NULL if the ioremap() failed: */
34399- if (vaddr)
34400- vaddr += offset;
34401-
34402- return vaddr;
34403+ return (void __force *)ioremap_cache(phys, 1);
34404 }
34405
34406 void unxlate_dev_mem_ptr(phys_addr_t phys, void *addr)
34407 {
34408- if (page_is_ram(phys >> PAGE_SHIFT))
34409+ phys_addr_t pfn = phys >> PAGE_SHIFT;
34410+
34411+ if (page_is_ram(pfn)) {
34412+#ifdef CONFIG_HIGHMEM
34413+ if (pfn >= max_low_pfn)
34414+ kunmap_high(pfn_to_page(pfn));
34415+#endif
34416 return;
34417+ }
34418
34419- iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK));
34420+ iounmap((void __iomem __force *)addr);
34421 }
34422
34423-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
34424+static pte_t __bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
34425+static pte_t *bm_pte __read_only = __bm_pte;
34426
34427 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
34428 {
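Review bot: In the CONFIG_HIGHMEM branch of `xlate_dev_mem_ptr()`, `kmap_high(pfn_to_page(pfn))` is returned as is, so the in-page offset of `phys` is dropped, while the `__va(phys)` and `ioremap_cache(phys, 1)` paths keep it. Assuming `kmap_high()` returns the page's base address, a caller asking for an unaligned physical address in high memory gets a pointer to the start of the page. The return should be `return kmap_high(pfn_to_page(pfn)) + (phys & ~PAGE_MASK);`. The removed comment explaining the RAM versus ioremap split should also be kept in updated form, including that the highmem path may need to sleep.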
34429@@ -455,8 +461,14 @@ void __init early_ioremap_init(void)
34430 early_ioremap_setup();
34431
34432 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
34433- memset(bm_pte, 0, sizeof(bm_pte));
34434- pmd_populate_kernel(&init_mm, pmd, bm_pte);
34435+ if (pmd_none(*pmd))
34436+#ifdef CONFIG_COMPAT_VDSO
34437+ pmd_populate_user(&init_mm, pmd, __bm_pte);
34438+#else
34439+ pmd_populate_kernel(&init_mm, pmd, __bm_pte);
34440+#endif
34441+ else
34442+ bm_pte = (pte_t *)pmd_page_vaddr(*pmd);
34443
34444 /*
34445 * The boot-ioremap range spans multiple pmds, for which
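Review bot: The new `if (pmd_none(*pmd))` … `else` has its first arm selected by `#ifdef CONFIG_COMPAT_VDSO` and no braces, so the `else` binds correctly only while exactly one statement survives preprocessing. Brace both arms. The `pmd_populate_user()` variant presumably makes this page table user-accessible at the pmd level, which needs a comment explaining why COMPAT_VDSO requires it. With the `memset()` removed, the code also relies on `__bm_pte` being zero-initialised static storage, which is worth stating next to its definition.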
34446diff --git a/arch/x86/mm/kmemcheck/kmemcheck.c b/arch/x86/mm/kmemcheck/kmemcheck.c
34447index b4f2e7e..96c9c3e 100644
34448--- a/arch/x86/mm/kmemcheck/kmemcheck.c
34449+++ b/arch/x86/mm/kmemcheck/kmemcheck.c
34450@@ -628,9 +628,9 @@ bool kmemcheck_fault(struct pt_regs *regs, unsigned long address,
34451 * memory (e.g. tracked pages)? For now, we need this to avoid
34452 * invoking kmemcheck for PnP BIOS calls.
34453 */
34454- if (regs->flags & X86_VM_MASK)
34455+ if (v8086_mode(regs))
34456 return false;
34457- if (regs->cs != __KERNEL_CS)
34458+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
34459 return false;
34460
34461 pte = kmemcheck_pte_lookup(address);
34462diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
34463index 844b06d..f363c86 100644
34464--- a/arch/x86/mm/mmap.c
34465+++ b/arch/x86/mm/mmap.c
34466@@ -52,7 +52,7 @@ static unsigned long stack_maxrandom_size(void)
34467 * Leave an at least ~128 MB hole with possible stack randomization.
34468 */
34469 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
34470-#define MAX_GAP (TASK_SIZE/6*5)
34471+#define MAX_GAP (pax_task_size/6*5)
34472
34473 static int mmap_is_legacy(void)
34474 {
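Review bot: `MAX_GAP` now expands to `pax_task_size`, a name that exists only as a local variable in `mmap_base()` (next hunk), so the macro compiles only where such a local happens to be in scope. Make the dependency explicit with a parameter, `#define MAX_GAP(size) ((size)/6*5)`, and write `else if (gap > MAX_GAP(pax_task_size))` in `mmap_base()`.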
34475@@ -81,27 +81,40 @@ unsigned long arch_mmap_rnd(void)
34476 return rnd << PAGE_SHIFT;
34477 }
34478
34479-static unsigned long mmap_base(unsigned long rnd)
34480+static unsigned long mmap_base(struct mm_struct *mm, unsigned long rnd)
34481 {
34482 unsigned long gap = rlimit(RLIMIT_STACK);
34483+ unsigned long pax_task_size = TASK_SIZE;
34484+
34485+#ifdef CONFIG_PAX_SEGMEXEC
34486+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
34487+ pax_task_size = SEGMEXEC_TASK_SIZE;
34488+#endif
34489
34490 if (gap < MIN_GAP)
34491 gap = MIN_GAP;
34492 else if (gap > MAX_GAP)
34493 gap = MAX_GAP;
34494
34495- return PAGE_ALIGN(TASK_SIZE - gap - rnd);
34496+ return PAGE_ALIGN(pax_task_size - gap - rnd);
34497 }
34498
34499 /*
34500 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
34501 * does, but not when emulating X86_32
34502 */
34503-static unsigned long mmap_legacy_base(unsigned long rnd)
34504+static unsigned long mmap_legacy_base(struct mm_struct *mm, unsigned long rnd)
34505 {
34506- if (mmap_is_ia32())
34507+ if (mmap_is_ia32()) {
34508+
34509+#ifdef CONFIG_PAX_SEGMEXEC
34510+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
34511+ return SEGMEXEC_TASK_UNMAPPED_BASE;
34512+ else
34513+#endif
34514+
34515 return TASK_UNMAPPED_BASE;
34516- else
34517+ } else
34518 return TASK_UNMAPPED_BASE + rnd;
34519 }
34520
34521@@ -113,18 +126,29 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
34522 {
34523 unsigned long random_factor = 0UL;
34524
34525+#ifdef CONFIG_PAX_RANDMMAP
34526+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
34527+#endif
34528 if (current->flags & PF_RANDOMIZE)
34529 random_factor = arch_mmap_rnd();
34530
34531- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
34532+ mm->mmap_legacy_base = mmap_legacy_base(mm, random_factor);
34533
34534 if (mmap_is_legacy()) {
34535 mm->mmap_base = mm->mmap_legacy_base;
34536 mm->get_unmapped_area = arch_get_unmapped_area;
34537 } else {
34538- mm->mmap_base = mmap_base(random_factor);
34539+ mm->mmap_base = mmap_base(mm, random_factor);
34540 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
34541 }
34542+
34543+#ifdef CONFIG_PAX_RANDMMAP
34544+ if (mm->pax_flags & MF_PAX_RANDMMAP) {
34545+ mm->mmap_legacy_base += mm->delta_mmap;
34546+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
34547+ }
34548+#endif
34549+
34550 }
34551
34552 const char *arch_vma_name(struct vm_area_struct *vma)
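Review bot: In the legacy-layout branch `mm->mmap_base` has just been set equal to `mm->mmap_legacy_base`, yet the added MF_PAX_RANDMMAP block adds `delta_mmap` to one and subtracts `delta_mmap + delta_stack` from the other, so the two bases diverge and `mmap_base` ends up below the legacy base. If that is intended, a comment should say so; otherwise apply the subtraction only in the top-down branch. Nothing visible here bounds the subtraction against wrap-around either. Separately, the `#ifdef`-guarded `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` stacked on the unbraced `if (current->flags & PF_RANDOMIZE)` reads like two independent statements; braces or a single combined condition would make the nesting explicit.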
34553diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c
34554index 0057a7a..95c7edd 100644
34555--- a/arch/x86/mm/mmio-mod.c
34556+++ b/arch/x86/mm/mmio-mod.c
34557@@ -194,7 +194,7 @@ static void pre(struct kmmio_probe *p, struct pt_regs *regs,
34558 break;
34559 default:
34560 {
34561- unsigned char *ip = (unsigned char *)instptr;
34562+ unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
34563 my_trace->opcode = MMIO_UNKNOWN_OP;
34564 my_trace->width = 0;
34565 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
34566@@ -234,7 +234,7 @@ static void post(struct kmmio_probe *p, unsigned long condition,
34567 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
34568 void __iomem *addr)
34569 {
34570- static atomic_t next_id;
34571+ static atomic_unchecked_t next_id;
34572 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
34573 /* These are page-unaligned. */
34574 struct mmiotrace_map map = {
34575@@ -258,7 +258,7 @@ static void ioremap_trace_core(resource_size_t offset, unsigned long size,
34576 .private = trace
34577 },
34578 .phys = offset,
34579- .id = atomic_inc_return(&next_id)
34580+ .id = atomic_inc_return_unchecked(&next_id)
34581 };
34582 map.map_id = trace->id;
34583
34584@@ -290,7 +290,7 @@ void mmiotrace_ioremap(resource_size_t offset, unsigned long size,
34585 ioremap_trace_core(offset, size, addr);
34586 }
34587
34588-static void iounmap_trace_core(volatile void __iomem *addr)
34589+static void iounmap_trace_core(const volatile void __iomem *addr)
34590 {
34591 struct mmiotrace_map map = {
34592 .phys = 0,
34593@@ -328,7 +328,7 @@ not_enabled:
34594 }
34595 }
34596
34597-void mmiotrace_iounmap(volatile void __iomem *addr)
34598+void mmiotrace_iounmap(const volatile void __iomem *addr)
34599 {
34600 might_sleep();
34601 if (is_enabled()) /* recheck and proper locking in *_core() */
34602diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
34603index 4053bb5..b1ad3dc 100644
34604--- a/arch/x86/mm/numa.c
34605+++ b/arch/x86/mm/numa.c
34606@@ -506,7 +506,7 @@ static void __init numa_clear_kernel_node_hotplug(void)
34607 }
34608 }
34609
34610-static int __init numa_register_memblks(struct numa_meminfo *mi)
34611+static int __init __intentional_overflow(-1) numa_register_memblks(struct numa_meminfo *mi)
34612 {
34613 unsigned long uninitialized_var(pfn_align);
34614 int i, nid;
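Review bot: `__intentional_overflow(-1)` is added to `numa_register_memblks()` with nothing to say which arithmetic is expected to wrap. The annotation presumably exempts the function from overflow instrumentation, so a one-line comment naming the expression, e.g. `/* <expression> wraps by design */`, would let a later reader check that the exemption is still needed and no wider than necessary. The function body is outside this hunk.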
34615diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
34616index 727158c..54dd3ff 100644
34617--- a/arch/x86/mm/pageattr.c
34618+++ b/arch/x86/mm/pageattr.c
34619@@ -260,7 +260,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
34620 */
34621 #ifdef CONFIG_PCI_BIOS
34622 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
34623- pgprot_val(forbidden) |= _PAGE_NX;
34624+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
34625 #endif
34626
34627 /*
34628@@ -268,9 +268,10 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
34629 * Does not cover __inittext since that is gone later on. On
34630 * 64bit we do not enforce !NX on the low mapping
34631 */
34632- if (within(address, (unsigned long)_text, (unsigned long)_etext))
34633- pgprot_val(forbidden) |= _PAGE_NX;
34634+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
34635+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
34636
34637+#ifdef CONFIG_DEBUG_RODATA
34638 /*
34639 * The .rodata section needs to be read-only. Using the pfn
34640 * catches all aliases.
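Review bot: Wrapping the .rodata check in `#ifdef CONFIG_DEBUG_RODATA` (closed by the `#endif` in the next hunk) means a kernel built without that option no longer has `_PAGE_RW` forbidden for .rodata aliases in `static_protections()`. The CONFIG_PAX_KERNEXEC block added further down appears meant to cover `_text` up to `_sdata`, but a build with neither option set loses a protection the unpatched function applied unconditionally. If that combination is excluded by Kconfig, say so in a comment next to the `#ifdef`; otherwise keep the check unconditional.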
34641@@ -278,6 +279,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
34642 if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
34643 __pa_symbol(__end_rodata) >> PAGE_SHIFT))
34644 pgprot_val(forbidden) |= _PAGE_RW;
34645+#endif
34646
34647 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
34648 /*
34649@@ -316,6 +318,13 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
34650 }
34651 #endif
34652
34653+#ifdef CONFIG_PAX_KERNEXEC
34654+ if (within(pfn, __pa(ktla_ktva((unsigned long)&_text)), __pa((unsigned long)&_sdata))) {
34655+ pgprot_val(forbidden) |= _PAGE_RW;
34656+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
34657+ }
34658+#endif
34659+
34660 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
34661
34662 return prot;
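Review bot: The added KERNEXEC test passes `pfn` to `within()` together with `__pa(...)` byte addresses, whereas the .rodata test earlier in this function shifts its bounds with `>> PAGE_SHIFT`. Unless `within()` is redefined elsewhere, the comparison mixes units, so the kernel image's page frames fall outside the tested range and the two `forbidden` bits are never applied to them. The bounds should read `__pa(ktla_ktva((unsigned long)&_text)) >> PAGE_SHIFT` and `__pa((unsigned long)&_sdata) >> PAGE_SHIFT`.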
34663@@ -436,23 +445,37 @@ EXPORT_SYMBOL_GPL(slow_virt_to_phys);
34664 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
34665 {
34666 /* change init_mm */
34667+ pax_open_kernel();
34668 set_pte_atomic(kpte, pte);
34669+
34670 #ifdef CONFIG_X86_32
34671 if (!SHARED_KERNEL_PMD) {
34672+
34673+#ifdef CONFIG_PAX_PER_CPU_PGD
34674+ unsigned long cpu;
34675+#else
34676 struct page *page;
34677+#endif
34678
34679+#ifdef CONFIG_PAX_PER_CPU_PGD
34680+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
34681+ pgd_t *pgd = get_cpu_pgd(cpu, kernel);
34682+#else
34683 list_for_each_entry(page, &pgd_list, lru) {
34684- pgd_t *pgd;
34685+ pgd_t *pgd = (pgd_t *)page_address(page);
34686+#endif
34687+
34688 pud_t *pud;
34689 pmd_t *pmd;
34690
34691- pgd = (pgd_t *)page_address(page) + pgd_index(address);
34692+ pgd += pgd_index(address);
34693 pud = pud_offset(pgd, address);
34694 pmd = pmd_offset(pud, address);
34695 set_pte_atomic((pte_t *)pmd, pte);
34696 }
34697 }
34698 #endif
34699+ pax_close_kernel();
34700 }
34701
34702 static int
34703@@ -505,7 +528,8 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
34704 * up accordingly.
34705 */
34706 old_pte = *kpte;
34707- old_prot = req_prot = pgprot_large_2_4k(pte_pgprot(old_pte));
34708+ old_prot = pte_pgprot(old_pte);
34709+ req_prot = pgprot_large_2_4k(old_prot);
34710
34711 pgprot_val(req_prot) &= ~pgprot_val(cpa->mask_clr);
34712 pgprot_val(req_prot) |= pgprot_val(cpa->mask_set);
34713@@ -1176,7 +1200,9 @@ repeat:
34714 * Do we really change anything ?
34715 */
34716 if (pte_val(old_pte) != pte_val(new_pte)) {
34717+ pax_open_kernel();
34718 set_pte_atomic(kpte, new_pte);
34719+ pax_close_kernel();
34720 cpa->flags |= CPA_FLUSHTLB;
34721 }
34722 cpa->numpages = 1;
34723diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
34724index 188e3e0..5c75446 100644
34725--- a/arch/x86/mm/pat.c
34726+++ b/arch/x86/mm/pat.c
34727@@ -588,7 +588,7 @@ int free_memtype(u64 start, u64 end)
34728
34729 if (!entry) {
34730 pr_info("x86/PAT: %s:%d freeing invalid memtype [mem %#010Lx-%#010Lx]\n",
34731- current->comm, current->pid, start, end - 1);
34732+ current->comm, task_pid_nr(current), start, end - 1);
34733 return -EINVAL;
34734 }
34735
34736@@ -711,8 +711,8 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
34737
34738 while (cursor < to) {
34739 if (!devmem_is_allowed(pfn)) {
34740- pr_info("x86/PAT: Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx], PAT prevents it\n",
34741- current->comm, from, to - 1);
34742+ pr_info("x86/PAT: Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx] (%#010Lx), PAT prevents it\n",
34743+ current->comm, from, to - 1, cursor);
34744 return 0;
34745 }
34746 cursor += PAGE_SIZE;
34747@@ -782,7 +782,7 @@ int kernel_map_sync_memtype(u64 base, unsigned long size,
34748
34749 if (ioremap_change_attr((unsigned long)__va(base), id_sz, pcm) < 0) {
34750 pr_info("x86/PAT: %s:%d ioremap_change_attr failed %s for [mem %#010Lx-%#010Lx]\n",
34751- current->comm, current->pid,
34752+ current->comm, task_pid_nr(current),
34753 cattr_name(pcm),
34754 base, (unsigned long long)(base + size-1));
34755 return -EINVAL;
34756@@ -817,7 +817,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
34757 pcm = lookup_memtype(paddr);
34758 if (want_pcm != pcm) {
34759 pr_warn("x86/PAT: %s:%d map pfn RAM range req %s for [mem %#010Lx-%#010Lx], got %s\n",
34760- current->comm, current->pid,
34761+ current->comm, task_pid_nr(current),
34762 cattr_name(want_pcm),
34763 (unsigned long long)paddr,
34764 (unsigned long long)(paddr + size - 1),
34765@@ -838,7 +838,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
34766 !is_new_memtype_allowed(paddr, size, want_pcm, pcm)) {
34767 free_memtype(paddr, paddr + size);
34768 pr_err("x86/PAT: %s:%d map pfn expected mapping type %s for [mem %#010Lx-%#010Lx], got %s\n",
34769- current->comm, current->pid,
34770+ current->comm, task_pid_nr(current),
34771 cattr_name(want_pcm),
34772 (unsigned long long)paddr,
34773 (unsigned long long)(paddr + size - 1),
34774diff --git a/arch/x86/mm/pat_rbtree.c b/arch/x86/mm/pat_rbtree.c
34775index 6393108..890adda 100644
34776--- a/arch/x86/mm/pat_rbtree.c
34777+++ b/arch/x86/mm/pat_rbtree.c
34778@@ -161,7 +161,7 @@ success:
34779
34780 failure:
34781 pr_info("x86/PAT: %s:%d conflicting memory types %Lx-%Lx %s<->%s\n",
34782- current->comm, current->pid, start, end,
34783+ current->comm, task_pid_nr(current), start, end,
34784 cattr_name(found_type), cattr_name(match->type));
34785 return -EBUSY;
34786 }
34787diff --git a/arch/x86/mm/pf_in.c b/arch/x86/mm/pf_in.c
34788index 9f0614d..92ae64a 100644
34789--- a/arch/x86/mm/pf_in.c
34790+++ b/arch/x86/mm/pf_in.c
34791@@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned long ins_addr)
34792 int i;
34793 enum reason_type rv = OTHERS;
34794
34795- p = (unsigned char *)ins_addr;
34796+ p = (unsigned char *)ktla_ktva(ins_addr);
34797 p += skip_prefix(p, &prf);
34798 p += get_opcode(p, &opcode);
34799
34800@@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(unsigned long ins_addr)
34801 struct prefix_bits prf;
34802 int i;
34803
34804- p = (unsigned char *)ins_addr;
34805+ p = (unsigned char *)ktla_ktva(ins_addr);
34806 p += skip_prefix(p, &prf);
34807 p += get_opcode(p, &opcode);
34808
34809@@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned long ins_addr)
34810 struct prefix_bits prf;
34811 int i;
34812
34813- p = (unsigned char *)ins_addr;
34814+ p = (unsigned char *)ktla_ktva(ins_addr);
34815 p += skip_prefix(p, &prf);
34816 p += get_opcode(p, &opcode);
34817
34818@@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned long ins_addr, struct pt_regs *regs)
34819 struct prefix_bits prf;
34820 int i;
34821
34822- p = (unsigned char *)ins_addr;
34823+ p = (unsigned char *)ktla_ktva(ins_addr);
34824 p += skip_prefix(p, &prf);
34825 p += get_opcode(p, &opcode);
34826 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
34827@@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned long ins_addr)
34828 struct prefix_bits prf;
34829 int i;
34830
34831- p = (unsigned char *)ins_addr;
34832+ p = (unsigned char *)ktla_ktva(ins_addr);
34833 p += skip_prefix(p, &prf);
34834 p += get_opcode(p, &opcode);
34835 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
34836diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
34837index fb0a9dd..5ab49c4 100644
34838--- a/arch/x86/mm/pgtable.c
34839+++ b/arch/x86/mm/pgtable.c
34840@@ -98,10 +98,75 @@ static inline void pgd_list_del(pgd_t *pgd)
34841 list_del(&page->lru);
34842 }
34843
34844-#define UNSHARED_PTRS_PER_PGD \
34845- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
34846+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
34847+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
34848
34849+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src)
34850+{
34851+ unsigned int count = USER_PGD_PTRS;
34852
34853+ if (!pax_user_shadow_base)
34854+ return;
34855+
34856+ while (count--)
34857+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
34858+}
34859+#endif
34860+
34861+#ifdef CONFIG_PAX_PER_CPU_PGD
34862+void __clone_user_pgds(pgd_t *dst, const pgd_t *src)
34863+{
34864+ unsigned int count = USER_PGD_PTRS;
34865+
34866+ while (count--) {
34867+ pgd_t pgd;
34868+
34869+#ifdef CONFIG_X86_64
34870+ pgd = __pgd(pgd_val(*src++) | _PAGE_USER);
34871+#else
34872+ pgd = *src++;
34873+#endif
34874+
34875+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
34876+ pgd = __pgd(pgd_val(pgd) & clone_pgd_mask);
34877+#endif
34878+
34879+ *dst++ = pgd;
34880+ }
34881+
34882+}
34883+#endif
34884+
34885+#ifdef CONFIG_X86_64
34886+#define pxd_t pud_t
34887+#define pyd_t pgd_t
34888+#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
34889+#define pgtable_pxd_page_ctor(page) true
34890+#define pgtable_pxd_page_dtor(page) do {} while (0)
34891+#define pxd_free(mm, pud) pud_free((mm), (pud))
34892+#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
34893+#define pyd_offset(mm, address) pgd_offset((mm), (address))
34894+#define PYD_SIZE PGDIR_SIZE
34895+#define mm_inc_nr_pxds(mm) do {} while (0)
34896+#define mm_dec_nr_pxds(mm) do {} while (0)
34897+#else
34898+#define pxd_t pmd_t
34899+#define pyd_t pud_t
34900+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
34901+#define pgtable_pxd_page_ctor(page) pgtable_pmd_page_ctor(page)
34902+#define pgtable_pxd_page_dtor(page) pgtable_pmd_page_dtor(page)
34903+#define pxd_free(mm, pud) pmd_free((mm), (pud))
34904+#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
34905+#define pyd_offset(mm, address) pud_offset((mm), (address))
34906+#define PYD_SIZE PUD_SIZE
34907+#define mm_inc_nr_pxds(mm) mm_inc_nr_pmds(mm)
34908+#define mm_dec_nr_pxds(mm) mm_dec_nr_pmds(mm)
34909+#endif
34910+
34911+#ifdef CONFIG_PAX_PER_CPU_PGD
34912+static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
34913+static inline void pgd_dtor(pgd_t *pgd) {}
34914+#else
34915 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
34916 {
34917 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
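Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` are added as non-static functions with no comment, although both rewrite permission bits on every user PGD entry they copy. A short header on each would help, for example `/* copy USER_PGD_PTRS entries, forcing NX where supported and clearing _PAGE_USER */` on the shadow variant. `__clone_user_pgds()` needs a line noting that under 64-bit UDEREF the copy is masked by `clone_pgd_mask`, which starts out as `~_PAGE_PRESENT`. The early return on `!pax_user_shadow_base` also needs a why-comment, since that variable is defined outside this hunk. `pgd_set_mm()` at the end of the hunk continues outside it.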
34918@@ -142,6 +207,7 @@ static void pgd_dtor(pgd_t *pgd)
34919 pgd_list_del(pgd);
34920 spin_unlock(&pgd_lock);
34921 }
34922+#endif
34923
34924 /*
34925 * List of all pgd's needed for non-PAE so it can invalidate entries
34926@@ -154,7 +220,7 @@ static void pgd_dtor(pgd_t *pgd)
34927 * -- nyc
34928 */
34929
34930-#ifdef CONFIG_X86_PAE
34931+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
34932 /*
34933 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
34934 * updating the top-level pagetable entries to guarantee the
34935@@ -166,7 +232,7 @@ static void pgd_dtor(pgd_t *pgd)
34936 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
34937 * and initialize the kernel pmds here.
34938 */
34939-#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
34940+#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
34941
34942 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
34943 {
34944@@ -184,46 +250,48 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
34945 */
34946 flush_tlb_mm(mm);
34947 }
34948+#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
34949+#define PREALLOCATED_PXDS USER_PGD_PTRS
34950 #else /* !CONFIG_X86_PAE */
34951
34952 /* No need to prepopulate any pagetable entries in non-PAE modes. */
34953-#define PREALLOCATED_PMDS 0
34954+#define PREALLOCATED_PXDS 0
34955
34956 #endif /* CONFIG_X86_PAE */
34957
34958-static void free_pmds(struct mm_struct *mm, pmd_t *pmds[])
34959+static void free_pxds(struct mm_struct *mm, pxd_t *pxds[])
34960 {
34961 int i;
34962
34963- for(i = 0; i < PREALLOCATED_PMDS; i++)
34964- if (pmds[i]) {
34965- pgtable_pmd_page_dtor(virt_to_page(pmds[i]));
34966- free_page((unsigned long)pmds[i]);
34967- mm_dec_nr_pmds(mm);
34968+ for(i = 0; i < PREALLOCATED_PXDS; i++)
34969+ if (pxds[i]) {
34970+ pgtable_pxd_page_dtor(virt_to_page(pxds[i]));
34971+ free_page((unsigned long)pxds[i]);
34972+ mm_dec_nr_pxds(mm);
34973 }
34974 }
34975
34976-static int preallocate_pmds(struct mm_struct *mm, pmd_t *pmds[])
34977+static int preallocate_pxds(struct mm_struct *mm, pxd_t *pxds[])
34978 {
34979 int i;
34980 bool failed = false;
34981
34982- for(i = 0; i < PREALLOCATED_PMDS; i++) {
34983- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
34984- if (!pmd)
34985+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
34986+ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
34987+ if (!pxd)
34988 failed = true;
34989- if (pmd && !pgtable_pmd_page_ctor(virt_to_page(pmd))) {
34990- free_page((unsigned long)pmd);
34991- pmd = NULL;
34992+ if (pxd && !pgtable_pxd_page_ctor(virt_to_page(pxd))) {
34993+ free_page((unsigned long)pxd);
34994+ pxd = NULL;
34995 failed = true;
34996 }
34997- if (pmd)
34998- mm_inc_nr_pmds(mm);
34999- pmds[i] = pmd;
35000+ if (pxd)
35001+ mm_inc_nr_pxds(mm);
35002+ pxds[i] = pxd;
35003 }
35004
35005 if (failed) {
35006- free_pmds(mm, pmds);
35007+ free_pxds(mm, pxds);
35008 return -ENOMEM;
35009 }
35010
35011@@ -236,43 +304,47 @@ static int preallocate_pmds(struct mm_struct *mm, pmd_t *pmds[])
35012 * preallocate which never got a corresponding vma will need to be
35013 * freed manually.
35014 */
35015-static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
35016+static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
35017 {
35018 int i;
35019
35020- for(i = 0; i < PREALLOCATED_PMDS; i++) {
35021+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
35022 pgd_t pgd = pgdp[i];
35023
35024 if (pgd_val(pgd) != 0) {
35025- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
35026+ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
35027
35028- pgdp[i] = native_make_pgd(0);
35029+ set_pgd(pgdp + i, native_make_pgd(0));
35030
35031- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
35032- pmd_free(mm, pmd);
35033- mm_dec_nr_pmds(mm);
35034+ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
35035+ pxd_free(mm, pxd);
35036+ mm_dec_nr_pxds(mm);
35037 }
35038 }
35039 }
35040
35041-static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
35042+static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
35043 {
35044- pud_t *pud;
35045+ pyd_t *pyd;
35046 int i;
35047
35048- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
35049+ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
35050 return;
35051
35052- pud = pud_offset(pgd, 0);
35053+#ifdef CONFIG_X86_64
35054+ pyd = pyd_offset(mm, 0L);
35055+#else
35056+ pyd = pyd_offset(pgd, 0L);
35057+#endif
35058
35059- for (i = 0; i < PREALLOCATED_PMDS; i++, pud++) {
35060- pmd_t *pmd = pmds[i];
35061+ for (i = 0; i < PREALLOCATED_PXDS; i++, pyd++) {
35062+ pxd_t *pxd = pxds[i];
35063
35064 if (i >= KERNEL_PGD_BOUNDARY)
35065- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
35066- sizeof(pmd_t) * PTRS_PER_PMD);
35067+ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
35068+ sizeof(pxd_t) * PTRS_PER_PMD);
35069
35070- pud_populate(mm, pud, pmd);
35071+ pyd_populate(mm, pyd, pxd);
35072 }
35073 }
35074
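Review bot: In `pgd_prepopulate_pxd()` the copy size is still `sizeof(pxd_t) * PTRS_PER_PMD`, although `pxd_t` is `pud_t` on the 64-bit side of the macro block added earlier in this file. The two entry counts are presumably equal on x86-64, so the result should not change, but the name no longer matches the type. A `PTRS_PER_PXD` alias defined next to `pxd_t` (mapping to `PTRS_PER_PUD` or `PTRS_PER_PMD`) would keep them in step. The retained `i >= KERNEL_PGD_BOUNDARY` test looks like it can only be true in the 32-bit PAE case, and a one-line comment saying so would help.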
35075@@ -354,7 +426,7 @@ static inline void _pgd_free(pgd_t *pgd)
35076 pgd_t *pgd_alloc(struct mm_struct *mm)
35077 {
35078 pgd_t *pgd;
35079- pmd_t *pmds[PREALLOCATED_PMDS];
35080+ pxd_t *pxds[PREALLOCATED_PXDS];
35081
35082 pgd = _pgd_alloc();
35083
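Review bot: `pxd_t *pxds[PREALLOCATED_PXDS];` is an on-stack array, and on x86-64 with `CONFIG_PAX_PER_CPU_PGD` its length becomes `USER_PGD_PTRS` instead of the small PAE count. The value of `USER_PGD_PTRS` is not visible here. If it is a few hundred entries, this is a multi-kilobyte frame on the kernel stack in `pgd_alloc()`, which warrants a stack-usage check or a heap allocation. `pgd_alloc()` continues outside this hunk.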
35084@@ -363,11 +435,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
35085
35086 mm->pgd = pgd;
35087
35088- if (preallocate_pmds(mm, pmds) != 0)
35089+ if (preallocate_pxds(mm, pxds) != 0)
35090 goto out_free_pgd;
35091
35092 if (paravirt_pgd_alloc(mm) != 0)
35093- goto out_free_pmds;
35094+ goto out_free_pxds;
35095
35096 /*
35097 * Make sure that pre-populating the pmds is atomic with
35098@@ -377,14 +449,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
35099 spin_lock(&pgd_lock);
35100
35101 pgd_ctor(mm, pgd);
35102- pgd_prepopulate_pmd(mm, pgd, pmds);
35103+ pgd_prepopulate_pxd(mm, pgd, pxds);
35104
35105 spin_unlock(&pgd_lock);
35106
35107 return pgd;
35108
35109-out_free_pmds:
35110- free_pmds(mm, pmds);
35111+out_free_pxds:
35112+ free_pxds(mm, pxds);
35113 out_free_pgd:
35114 _pgd_free(pgd);
35115 out:
35116@@ -393,7 +465,7 @@ out:
35117
35118 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
35119 {
35120- pgd_mop_up_pmds(mm, pgd);
35121+ pgd_mop_up_pxds(mm, pgd);
35122 pgd_dtor(pgd);
35123 paravirt_pgd_free(mm, pgd);
35124 _pgd_free(pgd);
35125@@ -544,6 +616,55 @@ void __init reserve_top_address(unsigned long reserve)
35126
35127 int fixmaps_set;
35128
35129+static void fix_user_fixmap(enum fixed_addresses idx, unsigned long address)
35130+{
35131+#ifdef CONFIG_X86_64
35132+ pgd_t *pgd;
35133+ pud_t *pud;
35134+ pmd_t *pmd;
35135+
35136+ switch (idx) {
35137+ default:
35138+ return;
35139+
35140+#ifdef CONFIG_X86_VSYSCALL_EMULATION
35141+ case VSYSCALL_PAGE:
35142+ break;
35143+#endif
35144+
35145+#ifdef CONFIG_PARAVIRT_CLOCK
35146+ case PVCLOCK_FIXMAP_BEGIN ... PVCLOCK_FIXMAP_END:
35147+ break;
35148+#endif
35149+ }
35150+
35151+ pgd = pgd_offset_k(address);
35152+ if (!(pgd_val(*pgd) & _PAGE_USER)) {
35153+#ifdef CONFIG_PAX_PER_CPU_PGD
35154+ unsigned int cpu;
35155+ pgd_t *pgd_cpu;
35156+
35157+ for_each_possible_cpu(cpu) {
35158+ pgd_cpu = pgd_offset_cpu(cpu, kernel, address);
35159+ set_pgd(pgd_cpu, __pgd(pgd_val(*pgd_cpu) | _PAGE_USER));
35160+
35161+ pgd_cpu = pgd_offset_cpu(cpu, user, address);
35162+ set_pgd(pgd_cpu, __pgd(pgd_val(*pgd_cpu) | _PAGE_USER));
35163+ }
35164+#endif
35165+ set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER));
35166+ }
35167+
35168+ pud = pud_offset(pgd, address);
35169+ if (!(pud_val(*pud) & _PAGE_USER))
35170+ set_pud(pud, __pud(pud_val(*pud) | _PAGE_USER));
35171+
35172+ pmd = pmd_offset(pud, address);
35173+ if (!(pmd_val(*pmd) & _PAGE_USER))
35174+ set_pmd(pmd, __pmd(pmd_val(*pmd) | _PAGE_USER));
35175+#endif
35176+}
35177+
35178 void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
35179 {
35180 unsigned long address = __fix_to_virt(idx);
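Review bot: `fix_user_fixmap()` sets `_PAGE_USER` on the PGD, PUD and PMD entries covering the fixmap slot, but nothing in it says why or what keeps the other mappings under those entries supervisor-only. A header comment should state that only the vsyscall page and the pvclock range are meant to be user-accessible, and that everything else under the same upper-level entries then relies on its PTE-level bits alone. The `set_pgd()`/`set_pud()`/`set_pmd()` calls are not wrapped in `pax_open_kernel()`, unlike the `set_pte()` in the `pmd_set_huge()` hunk of this file; if that is intentional, a comment should say why. Placing `default: return;` after the `case` labels would also read more conventionally.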
35181@@ -554,6 +675,7 @@ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
35182 }
35183 set_pte_vaddr(address, pte);
35184 fixmaps_set++;
35185+ fix_user_fixmap(idx, address);
35186 }
35187
35188 void native_set_fixmap(enum fixed_addresses idx, phys_addr_t phys,
35189@@ -620,9 +742,11 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot)
35190
35191 prot = pgprot_4k_2_large(prot);
35192
35193+ pax_open_kernel();
35194 set_pte((pte_t *)pmd, pfn_pte(
35195 (u64)addr >> PAGE_SHIFT,
35196 __pgprot(pgprot_val(prot) | _PAGE_PSE)));
35197+ pax_close_kernel();
35198
35199 return 1;
35200 }
35201diff --git a/arch/x86/mm/pgtable_32.c b/arch/x86/mm/pgtable_32.c
35202index 75cc097..79a097f 100644
35203--- a/arch/x86/mm/pgtable_32.c
35204+++ b/arch/x86/mm/pgtable_32.c
35205@@ -47,10 +47,13 @@ void set_pte_vaddr(unsigned long vaddr, pte_t pteval)
35206 return;
35207 }
35208 pte = pte_offset_kernel(pmd, vaddr);
35209+
35210+ pax_open_kernel();
35211 if (pte_val(pteval))
35212 set_pte_at(&init_mm, vaddr, pte, pteval);
35213 else
35214 pte_clear(&init_mm, vaddr, pte);
35215+ pax_close_kernel();
35216
35217 /*
35218 * It's enough to flush this one mapping.
35219diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
35220index 90555bf..f5f1828 100644
35221--- a/arch/x86/mm/setup_nx.c
35222+++ b/arch/x86/mm/setup_nx.c
35223@@ -5,8 +5,10 @@
35224 #include <asm/pgtable.h>
35225 #include <asm/proto.h>
35226
35227+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
35228 static int disable_nx;
35229
35230+#ifndef CONFIG_PAX_PAGEEXEC
35231 /*
35232 * noexec = on|off
35233 *
35234@@ -28,12 +30,17 @@ static int __init noexec_setup(char *str)
35235 return 0;
35236 }
35237 early_param("noexec", noexec_setup);
35238+#endif
35239+
35240+#endif
35241
35242 void x86_configure_nx(void)
35243 {
35244+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
35245 if (cpu_has_nx && !disable_nx)
35246 __supported_pte_mask |= _PAGE_NX;
35247 else
35248+#endif
35249 __supported_pte_mask &= ~_PAGE_NX;
35250 }
35251
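Review bot: In `x86_configure_nx()` the `if`/`else` is split by the preprocessor, so the final `__supported_pte_mask &= ~_PAGE_NX;` is either the `else` branch or an unconditional statement depending on the configuration. That is easy to misread and breaks silently if a statement is ever added before the `#endif`; an early return inside the `#if`, as sketched below, keeps the same behaviour with no dangling `else`. Separately, with `CONFIG_PAX_PAGEEXEC` the `noexec=` handler is compiled out, so `disable_nx` is never written in that configuration. A comment at its declaration saying that NX cannot be disabled from the command line in that case would document the intent.

```c
void x86_configure_nx(void)
{
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
	if (cpu_has_nx && !disable_nx) {
		__supported_pte_mask |= _PAGE_NX;
		return;
	}
#endif
	__supported_pte_mask &= ~_PAGE_NX;
}
```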
35252diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
35253index 90b924a..4197ac2 100644
35254--- a/arch/x86/mm/tlb.c
35255+++ b/arch/x86/mm/tlb.c
35256@@ -45,7 +45,11 @@ void leave_mm(int cpu)
35257 BUG();
35258 if (cpumask_test_cpu(cpu, mm_cpumask(active_mm))) {
35259 cpumask_clear_cpu(cpu, mm_cpumask(active_mm));
35260+
35261+#ifndef CONFIG_PAX_PER_CPU_PGD
35262 load_cr3(swapper_pg_dir);
35263+#endif
35264+
35265 /*
35266 * This gets called in the idle path where RCU
35267 * functions differently. Tracing normally
35268diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c
35269new file mode 100644
35270index 0000000..3fda3f3
35271--- /dev/null
35272+++ b/arch/x86/mm/uderef_64.c
35273@@ -0,0 +1,37 @@
35274+#include <linux/mm.h>
35275+#include <asm/pgtable.h>
35276+#include <asm/uaccess.h>
35277+
35278+#ifdef CONFIG_PAX_MEMORY_UDEREF
35279+/* PaX: due to the special call convention these functions must
35280+ * - remain leaf functions under all configurations,
35281+ * - never be called directly, only dereferenced from the wrappers.
35282+ */
35283+void __used __pax_open_userland(void)
35284+{
35285+ unsigned int cpu;
35286+
35287+ if (unlikely(!segment_eq(get_fs(), USER_DS)))
35288+ return;
35289+
35290+ cpu = raw_get_cpu();
35291+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL);
35292+ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
35293+ raw_put_cpu_no_resched();
35294+}
35295+EXPORT_SYMBOL(__pax_open_userland);
35296+
35297+void __used __pax_close_userland(void)
35298+{
35299+ unsigned int cpu;
35300+
35301+ if (unlikely(!segment_eq(get_fs(), USER_DS)))
35302+ return;
35303+
35304+ cpu = raw_get_cpu();
35305+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER);
35306+ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
35307+ raw_put_cpu_no_resched();
35308+}
35309+EXPORT_SYMBOL(__pax_close_userland);
35310+#endif
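Review bot: The header comment requires `__pax_open_userland()` and `__pax_close_userland()` to remain leaf functions under all configurations, but nothing in the file enforces or checks that. Both bodies use `BUG_ON()`, `read_cr3()` and `write_cr3()`, and whether any of these can expand to a real call (for example under paravirt) is not visible from this hunk, so it should be confirmed. The comment should also name the wrappers that are allowed to reach these functions. The silent return when `get_fs()` is not `USER_DS` needs a one-line why-comment. The two functions differ only in the expected and target PCID/PGD pair, so a shared static inline helper taking those as arguments would remove the duplication.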
35311diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S
35312index 4093216..44b6b83 100644
35313--- a/arch/x86/net/bpf_jit.S
35314+++ b/arch/x86/net/bpf_jit.S
35315@@ -8,6 +8,7 @@
35316 * of the License.
35317 */
35318 #include <linux/linkage.h>
35319+#include <asm/alternative-asm.h>
35320
35321 /*
35322 * Calling convention :
35323@@ -37,6 +38,7 @@ sk_load_word_positive_offset:
35324 jle bpf_slow_path_word
35325 mov (SKBDATA,%rsi),%eax
35326 bswap %eax /* ntohl() */
35327+ pax_force_retaddr
35328 ret
35329
35330 sk_load_half:
35331@@ -54,6 +56,7 @@ sk_load_half_positive_offset:
35332 jle bpf_slow_path_half
35333 movzwl (SKBDATA,%rsi),%eax
35334 rol $8,%ax # ntohs()
35335+ pax_force_retaddr
35336 ret
35337
35338 sk_load_byte:
35339@@ -68,6 +71,7 @@ sk_load_byte_positive_offset:
35340 cmp %esi,%r9d /* if (offset >= hlen) goto bpf_slow_path_byte */
35341 jle bpf_slow_path_byte
35342 movzbl (SKBDATA,%rsi),%eax
35343+ pax_force_retaddr
35344 ret
35345
35346 /* rsi contains offset and can be scratched */
35347@@ -89,6 +93,7 @@ bpf_slow_path_word:
35348 js bpf_error
35349 mov - MAX_BPF_STACK + 32(%rbp),%eax
35350 bswap %eax
35351+ pax_force_retaddr
35352 ret
35353
35354 bpf_slow_path_half:
35355@@ -97,12 +102,14 @@ bpf_slow_path_half:
35356 mov - MAX_BPF_STACK + 32(%rbp),%ax
35357 rol $8,%ax
35358 movzwl %ax,%eax
35359+ pax_force_retaddr
35360 ret
35361
35362 bpf_slow_path_byte:
35363 bpf_slow_path_common(1)
35364 js bpf_error
35365 movzbl - MAX_BPF_STACK + 32(%rbp),%eax
35366+ pax_force_retaddr
35367 ret
35368
35369 #define sk_negative_common(SIZE) \
35370@@ -125,6 +132,7 @@ sk_load_word_negative_offset:
35371 sk_negative_common(4)
35372 mov (%rax), %eax
35373 bswap %eax
35374+ pax_force_retaddr
35375 ret
35376
35377 bpf_slow_path_half_neg:
35378@@ -136,6 +144,7 @@ sk_load_half_negative_offset:
35379 mov (%rax),%ax
35380 rol $8,%ax
35381 movzwl %ax,%eax
35382+ pax_force_retaddr
35383 ret
35384
35385 bpf_slow_path_byte_neg:
35386@@ -145,6 +154,7 @@ sk_load_byte_negative_offset:
35387 .globl sk_load_byte_negative_offset
35388 sk_negative_common(1)
35389 movzbl (%rax), %eax
35390+ pax_force_retaddr
35391 ret
35392
35393 bpf_error:
35394@@ -155,4 +165,5 @@ bpf_error:
35395 mov - MAX_BPF_STACK + 16(%rbp),%r14
35396 mov - MAX_BPF_STACK + 24(%rbp),%r15
35397 leaveq
35398+ pax_force_retaddr
35399 ret
35400diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
35401index be2e7a2..e6960dd 100644
35402--- a/arch/x86/net/bpf_jit_comp.c
35403+++ b/arch/x86/net/bpf_jit_comp.c
35404@@ -14,7 +14,11 @@
35405 #include <asm/cacheflush.h>
35406 #include <linux/bpf.h>
35407
35408+#ifdef CONFIG_GRKERNSEC_BPF_HARDEN
35409+int bpf_jit_enable __read_only;
35410+#else
35411 int bpf_jit_enable __read_mostly;
35412+#endif
35413
35414 /*
35415 * assembly code in arch/x86/net/bpf_jit.S
35416@@ -176,7 +180,9 @@ static u8 add_2reg(u8 byte, u32 dst_reg, u32 src_reg)
35417 static void jit_fill_hole(void *area, unsigned int size)
35418 {
35419 /* fill whole space with int3 instructions */
35420+ pax_open_kernel();
35421 memset(area, 0xcc, size);
35422+ pax_close_kernel();
35423 }
35424
35425 struct jit_context {
35426@@ -1026,7 +1032,9 @@ common_load:
35427 pr_err("bpf_jit_compile fatal error\n");
35428 return -EFAULT;
35429 }
35430+ pax_open_kernel();
35431 memcpy(image + proglen, temp, ilen);
35432+ pax_close_kernel();
35433 }
35434 proglen += ilen;
35435 addrs[i] = proglen;
35436@@ -1103,7 +1111,6 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
35437
35438 if (image) {
35439 bpf_flush_icache(header, image + proglen);
35440- set_memory_ro((unsigned long)header, header->pages);
35441 prog->bpf_func = (void *)image;
35442 prog->jited = true;
35443 }
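Review bot: This hunk drops `set_memory_ro()` on the finished JIT image without a comment, so it is not evident from here what keeps the image non-writable after `bpf_int_jit_compile()` returns. The `pax_open_kernel()` pairs added around `memset()` and `memcpy()` in the earlier hunks suggest the image is expected to be read-only from allocation, but that allocation is outside this section. If the allocator returns writable memory in a configuration where `pax_open_kernel()` does nothing, the image would stay both writable and executable. A comment here naming where the read-only mapping is established, or keeping the `set_memory_ro()` call for that configuration, would close the gap. The matching `set_memory_rw()` removal is in the `bpf_jit_free()` hunk that follows.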
35444@@ -1116,12 +1123,8 @@ void bpf_jit_free(struct bpf_prog *fp)
35445 unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
35446 struct bpf_binary_header *header = (void *)addr;
35447
35448- if (!fp->jited)
35449- goto free_filter;
35450+ if (fp->jited)
35451+ bpf_jit_binary_free(header);
35452
35453- set_memory_rw(addr, header->pages);
35454- bpf_jit_binary_free(header);
35455-
35456-free_filter:
35457 bpf_prog_unlock_free(fp);
35458 }
35459diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c
35460index 4e664bd..2beeaa2 100644
35461--- a/arch/x86/oprofile/backtrace.c
35462+++ b/arch/x86/oprofile/backtrace.c
35463@@ -46,11 +46,11 @@ dump_user_backtrace_32(struct stack_frame_ia32 *head)
35464 struct stack_frame_ia32 *fp;
35465 unsigned long bytes;
35466
35467- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
35468+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
35469 if (bytes != 0)
35470 return NULL;
35471
35472- fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
35473+ fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
35474
35475 oprofile_add_trace(bufhead[0].return_address);
35476
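Review bot: The new casts mark the same user-space frame pointer as `__force_user` when it is passed to `copy_from_user_nmi()` and as `__force_kernel` when the `compat_ptr()` result is stored in `fp`. That presumably silences the address-space checker rather than describing the data. Since `fp` is handed back to the caller and later passed in again as `head`, it would be cleaner to declare `head` and `fp` as `__user` pointers throughout and drop both force casts. If the signature cannot change, a comment such as `/* fp is a user address; typed as kernel only to match the existing prototype */` should sit next to the cast. The same `__force_user` cast is added in `dump_user_backtrace()` in the next hunk; both functions start outside their hunks.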
35477@@ -92,7 +92,7 @@ static struct stack_frame *dump_user_backtrace(struct stack_frame *head)
35478 struct stack_frame bufhead[2];
35479 unsigned long bytes;
35480
35481- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
35482+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
35483 if (bytes != 0)
35484 return NULL;
35485
35486diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c
35487index 1d2e639..f6ef82a 100644
35488--- a/arch/x86/oprofile/nmi_int.c
35489+++ b/arch/x86/oprofile/nmi_int.c
35490@@ -23,6 +23,7 @@
35491 #include <asm/nmi.h>
35492 #include <asm/msr.h>
35493 #include <asm/apic.h>
35494+#include <asm/pgtable.h>
35495
35496 #include "op_counter.h"
35497 #include "op_x86_model.h"
35498@@ -785,8 +786,11 @@ int __init op_nmi_init(struct oprofile_operations *ops)
35499 if (ret)
35500 return ret;
35501
35502- if (!model->num_virt_counters)
35503- model->num_virt_counters = model->num_counters;
35504+ if (!model->num_virt_counters) {
35505+ pax_open_kernel();
35506+ *(unsigned int *)&model->num_virt_counters = model->num_counters;
35507+ pax_close_kernel();
35508+ }
35509
35510 mux_init(ops);
35511
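Review bot: `*(unsigned int *)&model->num_virt_counters = ...` hard-codes the field's type in the cast, so a later change to the field's width would still compile and then write the wrong number of bytes. `struct op_x86_model_spec` is marked `__do_const` elsewhere in this patch, so some cast is presumably needed, but a small helper macro that derives the pointer type from the field itself would keep these writes correct by construction. The same pattern is repeated in the `op_amd_init()` and `arch_perfmon_setup_counters()` hunks. A short comment on why the `pax_open_kernel()` window is required for this one-time initialisation would also help.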
35512diff --git a/arch/x86/oprofile/op_model_amd.c b/arch/x86/oprofile/op_model_amd.c
35513index 50d86c0..7985318 100644
35514--- a/arch/x86/oprofile/op_model_amd.c
35515+++ b/arch/x86/oprofile/op_model_amd.c
35516@@ -519,9 +519,11 @@ static int op_amd_init(struct oprofile_operations *ops)
35517 num_counters = AMD64_NUM_COUNTERS;
35518 }
35519
35520- op_amd_spec.num_counters = num_counters;
35521- op_amd_spec.num_controls = num_counters;
35522- op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS);
35523+ pax_open_kernel();
35524+ *(unsigned int *)&op_amd_spec.num_counters = num_counters;
35525+ *(unsigned int *)&op_amd_spec.num_controls = num_counters;
35526+ *(unsigned int *)&op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS);
35527+ pax_close_kernel();
35528
35529 return 0;
35530 }
35531diff --git a/arch/x86/oprofile/op_model_ppro.c b/arch/x86/oprofile/op_model_ppro.c
35532index d90528e..0127e2b 100644
35533--- a/arch/x86/oprofile/op_model_ppro.c
35534+++ b/arch/x86/oprofile/op_model_ppro.c
35535@@ -19,6 +19,7 @@
35536 #include <asm/msr.h>
35537 #include <asm/apic.h>
35538 #include <asm/nmi.h>
35539+#include <asm/pgtable.h>
35540
35541 #include "op_x86_model.h"
35542 #include "op_counter.h"
35543@@ -221,8 +222,10 @@ static void arch_perfmon_setup_counters(void)
35544
35545 num_counters = min((int)eax.split.num_counters, OP_MAX_COUNTER);
35546
35547- op_arch_perfmon_spec.num_counters = num_counters;
35548- op_arch_perfmon_spec.num_controls = num_counters;
35549+ pax_open_kernel();
35550+ *(unsigned int *)&op_arch_perfmon_spec.num_counters = num_counters;
35551+ *(unsigned int *)&op_arch_perfmon_spec.num_controls = num_counters;
35552+ pax_close_kernel();
35553 }
35554
35555 static int arch_perfmon_init(struct oprofile_operations *ignore)
35556diff --git a/arch/x86/oprofile/op_x86_model.h b/arch/x86/oprofile/op_x86_model.h
35557index 71e8a67..6a313bb 100644
35558--- a/arch/x86/oprofile/op_x86_model.h
35559+++ b/arch/x86/oprofile/op_x86_model.h
35560@@ -52,7 +52,7 @@ struct op_x86_model_spec {
35561 void (*switch_ctrl)(struct op_x86_model_spec const *model,
35562 struct op_msrs const * const msrs);
35563 #endif
35564-};
35565+} __do_const;
35566
35567 struct op_counter_config;
35568
35569diff --git a/arch/x86/pci/intel_mid_pci.c b/arch/x86/pci/intel_mid_pci.c
35570index 2706230..74b4d9f 100644
35571--- a/arch/x86/pci/intel_mid_pci.c
35572+++ b/arch/x86/pci/intel_mid_pci.c
35573@@ -258,7 +258,7 @@ int __init intel_mid_pci_init(void)
35574 pci_mmcfg_late_init();
35575 pcibios_enable_irq = intel_mid_pci_irq_enable;
35576 pcibios_disable_irq = intel_mid_pci_irq_disable;
35577- pci_root_ops = intel_mid_pci_ops;
35578+ memcpy((void *)&pci_root_ops, &intel_mid_pci_ops, sizeof pci_root_ops);
35579 pci_soc_mode = 1;
35580 /* Continue with standard init */
35581 return 1;
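Review bot: The `memcpy((void *)&pci_root_ops, ...)` casts away whatever qualifier `pci_root_ops` carries, yet unlike the oprofile hunks in this patch it is not wrapped in `pax_open_kernel()`/`pax_close_kernel()`. The declaration of `pci_root_ops` is not visible here. If it ends up in read-only memory under the constification applied elsewhere in the patch, this write would fault unless it is guaranteed to run before that memory is protected. If early-init timing is what makes the write safe, a comment such as `/* pci_root_ops is const-qualified; still writable at this point in init */` would make the cast reviewable. `intel_mid_pci_init()` starts outside the hunk.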
35582diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
35583index 9bd1154..e9d4656 100644
35584--- a/arch/x86/pci/irq.c
35585+++ b/arch/x86/pci/irq.c
35586@@ -51,7 +51,7 @@ struct irq_router {
35587 struct irq_router_handler {
35588 u16 vendor;
35589 int (*probe)(struct irq_router *r, struct pci_dev *router, u16 device);
35590-};
35591+} __do_const;
35592
35593 int (*pcibios_enable_irq)(struct pci_dev *dev) = pirq_enable_irq;
35594 void (*pcibios_disable_irq)(struct pci_dev *dev) = pirq_disable_irq;
35595@@ -792,7 +792,7 @@ static __init int pico_router_probe(struct irq_router *r, struct pci_dev *router
35596 return 0;
35597 }
35598
35599-static __initdata struct irq_router_handler pirq_routers[] = {
35600+static __initconst const struct irq_router_handler pirq_routers[] = {
35601 { PCI_VENDOR_ID_INTEL, intel_router_probe },
35602 { PCI_VENDOR_ID_AL, ali_router_probe },
35603 { PCI_VENDOR_ID_ITE, ite_router_probe },
35604@@ -819,7 +819,7 @@ static struct pci_dev *pirq_router_dev;
35605 static void __init pirq_find_router(struct irq_router *r)
35606 {
35607 struct irq_routing_table *rt = pirq_table;
35608- struct irq_router_handler *h;
35609+ const struct irq_router_handler *h;
35610
35611 #ifdef CONFIG_PCI_BIOS
35612 if (!rt->signature) {
35613@@ -1092,7 +1092,7 @@ static int __init fix_acer_tm360_irqrouting(const struct dmi_system_id *d)
35614 return 0;
35615 }
35616
35617-static struct dmi_system_id __initdata pciirq_dmi_table[] = {
35618+static const struct dmi_system_id __initconst pciirq_dmi_table[] = {
35619 {
35620 .callback = fix_broken_hp_bios_irq9,
35621 .ident = "HP Pavilion N5400 Series Laptop",
35622diff --git a/arch/x86/pci/pcbios.c b/arch/x86/pci/pcbios.c
35623index 9b83b90..2c256c5 100644
35624--- a/arch/x86/pci/pcbios.c
35625+++ b/arch/x86/pci/pcbios.c
35626@@ -79,7 +79,7 @@ union bios32 {
35627 static struct {
35628 unsigned long address;
35629 unsigned short segment;
35630-} bios32_indirect __initdata = { 0, __KERNEL_CS };
35631+} bios32_indirect __initdata = { 0, __PCIBIOS_CS };
35632
35633 /*
35634 * Returns the entry point for the given service, NULL on error
35635@@ -92,37 +92,80 @@ static unsigned long __init bios32_service(unsigned long service)
35636 unsigned long length; /* %ecx */
35637 unsigned long entry; /* %edx */
35638 unsigned long flags;
35639+ struct desc_struct d, *gdt;
35640
35641 local_irq_save(flags);
35642- __asm__("lcall *(%%edi); cld"
35643+
35644+ gdt = get_cpu_gdt_table(smp_processor_id());
35645+
35646+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
35647+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
35648+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
35649+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
35650+
35651+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
35652 : "=a" (return_code),
35653 "=b" (address),
35654 "=c" (length),
35655 "=d" (entry)
35656 : "0" (service),
35657 "1" (0),
35658- "D" (&bios32_indirect));
35659+ "D" (&bios32_indirect),
35660+ "r"(__PCIBIOS_DS)
35661+ : "memory");
35662+
35663+ pax_open_kernel();
35664+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
35665+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
35666+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
35667+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
35668+ pax_close_kernel();
35669+
35670 local_irq_restore(flags);
35671
35672 switch (return_code) {
35673- case 0:
35674- return address + entry;
35675- case 0x80: /* Not present */
35676- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
35677- return 0;
35678- default: /* Shouldn't happen */
35679- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
35680- service, return_code);
35681+ case 0: {
35682+ int cpu;
35683+ unsigned char flags;
35684+
35685+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
35686+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
35687+ printk(KERN_WARNING "bios32_service: not valid\n");
35688 return 0;
35689+ }
35690+ address = address + PAGE_OFFSET;
35691+ length += 16UL; /* some BIOSs underreport this... */
35692+ flags = 4;
35693+ if (length >= 64*1024*1024) {
35694+ length >>= PAGE_SHIFT;
35695+ flags |= 8;
35696+ }
35697+
35698+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
35699+ gdt = get_cpu_gdt_table(cpu);
35700+ pack_descriptor(&d, address, length, 0x9b, flags);
35701+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
35702+ pack_descriptor(&d, address, length, 0x93, flags);
35703+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
35704+ }
35705+ return entry;
35706+ }
35707+ case 0x80: /* Not present */
35708+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
35709+ return 0;
35710+ default: /* Shouldn't happen */
35711+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
35712+ service, return_code);
35713+ return 0;
35714 }
35715 }
35716
35717 static struct {
35718 unsigned long address;
35719 unsigned short segment;
35720-} pci_indirect = { 0, __KERNEL_CS };
35721+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
35722
35723-static int pci_bios_present;
35724+static int pci_bios_present __read_only;
35725
35726 static int __init check_pcibios(void)
35727 {
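Review bot: Inside `case 0:` of `bios32_service()` the new `unsigned char flags;` shadows the function-level `unsigned long flags` that holds the saved IRQ state. That is harmless today because `local_irq_restore(flags)` has already run, but it is fragile; renaming it, e.g. `unsigned char desc_flags = 4;`, avoids the trap. In the same block the `length >= 64*1024*1024` branch appears unreachable: the preceding check rejects any `length > 0x100000 - address`, so after `length += 16UL` the value stays near 1 MiB at most. Either drop the branch or add a comment explaining which input reaches it. The loop `for (cpu = 0; cpu < nr_cpu_ids; cpu++)` could use `for_each_possible_cpu(cpu)`, as `fix_user_fixmap()` does elsewhere in this patch.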
35728@@ -131,11 +174,13 @@ static int __init check_pcibios(void)
35729 unsigned long flags, pcibios_entry;
35730
35731 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
35732- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
35733+ pci_indirect.address = pcibios_entry;
35734
35735 local_irq_save(flags);
35736- __asm__(
35737- "lcall *(%%edi); cld\n\t"
35738+ __asm__("movw %w6, %%ds\n\t"
35739+ "lcall *%%ss:(%%edi); cld\n\t"
35740+ "push %%ss\n\t"
35741+ "pop %%ds\n\t"
35742 "jc 1f\n\t"
35743 "xor %%ah, %%ah\n"
35744 "1:"
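Review bot: The data-segment switch (`movw %w6, %%ds` before the `lcall`, `push %%ss; pop %%ds` after it) is written out by hand here and again in every `pci_bios_read()` and `pci_bios_write()` case, and as `%w8` in `pcibios_get_irq_routing_table()`. The positional operand number must therefore match the length of each operand list. Those lists are split across hunks, so the index cannot be checked from this hunk alone. A named operand, `[ds] "r" (__PCIBIOS_DS)` referenced as `%w[ds]`, or a single macro wrapping the sequence, would remove that dependency. A comment should also say why the indirect call pointer is read through `%%ss:` once `%ds` points at the BIOS segment. `check_pcibios()` starts before this hunk and its operand list continues in the next one.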
35745@@ -144,7 +189,8 @@ static int __init check_pcibios(void)
35746 "=b" (ebx),
35747 "=c" (ecx)
35748 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
35749- "D" (&pci_indirect)
35750+ "D" (&pci_indirect),
35751+ "r" (__PCIBIOS_DS)
35752 : "memory");
35753 local_irq_restore(flags);
35754
35755@@ -189,7 +235,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35756
35757 switch (len) {
35758 case 1:
35759- __asm__("lcall *(%%esi); cld\n\t"
35760+ __asm__("movw %w6, %%ds\n\t"
35761+ "lcall *%%ss:(%%esi); cld\n\t"
35762+ "push %%ss\n\t"
35763+ "pop %%ds\n\t"
35764 "jc 1f\n\t"
35765 "xor %%ah, %%ah\n"
35766 "1:"
35767@@ -198,7 +247,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35768 : "1" (PCIBIOS_READ_CONFIG_BYTE),
35769 "b" (bx),
35770 "D" ((long)reg),
35771- "S" (&pci_indirect));
35772+ "S" (&pci_indirect),
35773+ "r" (__PCIBIOS_DS));
35774 /*
35775 * Zero-extend the result beyond 8 bits, do not trust the
35776 * BIOS having done it:
35777@@ -206,7 +256,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35778 *value &= 0xff;
35779 break;
35780 case 2:
35781- __asm__("lcall *(%%esi); cld\n\t"
35782+ __asm__("movw %w6, %%ds\n\t"
35783+ "lcall *%%ss:(%%esi); cld\n\t"
35784+ "push %%ss\n\t"
35785+ "pop %%ds\n\t"
35786 "jc 1f\n\t"
35787 "xor %%ah, %%ah\n"
35788 "1:"
35789@@ -215,7 +268,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35790 : "1" (PCIBIOS_READ_CONFIG_WORD),
35791 "b" (bx),
35792 "D" ((long)reg),
35793- "S" (&pci_indirect));
35794+ "S" (&pci_indirect),
35795+ "r" (__PCIBIOS_DS));
35796 /*
35797 * Zero-extend the result beyond 16 bits, do not trust the
35798 * BIOS having done it:
35799@@ -223,7 +277,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35800 *value &= 0xffff;
35801 break;
35802 case 4:
35803- __asm__("lcall *(%%esi); cld\n\t"
35804+ __asm__("movw %w6, %%ds\n\t"
35805+ "lcall *%%ss:(%%esi); cld\n\t"
35806+ "push %%ss\n\t"
35807+ "pop %%ds\n\t"
35808 "jc 1f\n\t"
35809 "xor %%ah, %%ah\n"
35810 "1:"
35811@@ -232,7 +289,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35812 : "1" (PCIBIOS_READ_CONFIG_DWORD),
35813 "b" (bx),
35814 "D" ((long)reg),
35815- "S" (&pci_indirect));
35816+ "S" (&pci_indirect),
35817+ "r" (__PCIBIOS_DS));
35818 break;
35819 }
35820
35821@@ -256,7 +314,10 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35822
35823 switch (len) {
35824 case 1:
35825- __asm__("lcall *(%%esi); cld\n\t"
35826+ __asm__("movw %w6, %%ds\n\t"
35827+ "lcall *%%ss:(%%esi); cld\n\t"
35828+ "push %%ss\n\t"
35829+ "pop %%ds\n\t"
35830 "jc 1f\n\t"
35831 "xor %%ah, %%ah\n"
35832 "1:"
35833@@ -265,10 +326,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35834 "c" (value),
35835 "b" (bx),
35836 "D" ((long)reg),
35837- "S" (&pci_indirect));
35838+ "S" (&pci_indirect),
35839+ "r" (__PCIBIOS_DS));
35840 break;
35841 case 2:
35842- __asm__("lcall *(%%esi); cld\n\t"
35843+ __asm__("movw %w6, %%ds\n\t"
35844+ "lcall *%%ss:(%%esi); cld\n\t"
35845+ "push %%ss\n\t"
35846+ "pop %%ds\n\t"
35847 "jc 1f\n\t"
35848 "xor %%ah, %%ah\n"
35849 "1:"
35850@@ -277,10 +342,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35851 "c" (value),
35852 "b" (bx),
35853 "D" ((long)reg),
35854- "S" (&pci_indirect));
35855+ "S" (&pci_indirect),
35856+ "r" (__PCIBIOS_DS));
35857 break;
35858 case 4:
35859- __asm__("lcall *(%%esi); cld\n\t"
35860+ __asm__("movw %w6, %%ds\n\t"
35861+ "lcall *%%ss:(%%esi); cld\n\t"
35862+ "push %%ss\n\t"
35863+ "pop %%ds\n\t"
35864 "jc 1f\n\t"
35865 "xor %%ah, %%ah\n"
35866 "1:"
35867@@ -289,7 +358,8 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35868 "c" (value),
35869 "b" (bx),
35870 "D" ((long)reg),
35871- "S" (&pci_indirect));
35872+ "S" (&pci_indirect),
35873+ "r" (__PCIBIOS_DS));
35874 break;
35875 }
35876
35877@@ -394,10 +464,13 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void)
35878
35879 DBG("PCI: Fetching IRQ routing table... ");
35880 __asm__("push %%es\n\t"
35881+ "movw %w8, %%ds\n\t"
35882 "push %%ds\n\t"
35883 "pop %%es\n\t"
35884- "lcall *(%%esi); cld\n\t"
35885+ "lcall *%%ss:(%%esi); cld\n\t"
35886 "pop %%es\n\t"
35887+ "push %%ss\n\t"
35888+ "pop %%ds\n"
35889 "jc 1f\n\t"
35890 "xor %%ah, %%ah\n"
35891 "1:"
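Review bot: The added `movw %w8, %%ds` precedes the existing `push %%ds` / `pop %%es`, so %es is now loaded with __PCIBIOS_DS rather than the kernel data selector, while the next hunk still passes the kernel address `(long) &opt` in %edi. If that is intended, it relies on the __PCIBIOS_DS descriptor (defined outside this hunk) covering that address, and a comment should say so, e.g. `/* %es = BIOS data segment; opt must be reachable through it */`. The added `"pop %%ds\n"` also drops the `\t` that the neighbouring lines use.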
35892@@ -408,7 +481,8 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void)
35893 "1" (0),
35894 "D" ((long) &opt),
35895 "S" (&pci_indirect),
35896- "m" (opt)
35897+ "m" (opt),
35898+ "r" (__PCIBIOS_DS)
35899 : "memory");
35900 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
35901 if (ret & 0xff00)
35902@@ -432,7 +506,10 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq)
35903 {
35904 int ret;
35905
35906- __asm__("lcall *(%%esi); cld\n\t"
35907+ __asm__("movw %w5, %%ds\n\t"
35908+ "lcall *%%ss:(%%esi); cld\n\t"
35909+ "push %%ss\n\t"
35910+ "pop %%ds\n"
35911 "jc 1f\n\t"
35912 "xor %%ah, %%ah\n"
35913 "1:"
35914@@ -440,7 +517,8 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq)
35915 : "0" (PCIBIOS_SET_PCI_HW_INT),
35916 "b" ((dev->bus->number << 8) | dev->devfn),
35917 "c" ((irq << 8) | (pin + 10)),
35918- "S" (&pci_indirect));
35919+ "S" (&pci_indirect),
35920+ "r" (__PCIBIOS_DS));
35921 return !(ret & 0xff00);
35922 }
35923 EXPORT_SYMBOL(pcibios_set_irq_routing);
35924diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
35925index e4308fe..c6835bf 100644
35926--- a/arch/x86/platform/efi/efi.c
35927+++ b/arch/x86/platform/efi/efi.c
35928@@ -705,6 +705,70 @@ out:
35929 }
35930
35931 /*
35932+ * Iterate the EFI memory map in reverse order because the regions
35933+ * will be mapped top-down. The end result is the same as if we had
35934+ * mapped things forward, but doesn't require us to change the
35935+ * existing implementation of efi_map_region().
35936+ */
35937+static inline void *efi_map_next_entry_reverse(void *entry)
35938+{
35939+ /* Initial call */
35940+ if (!entry)
35941+ return memmap.map_end - memmap.desc_size;
35942+
35943+ entry -= memmap.desc_size;
35944+ if (entry < memmap.map)
35945+ return NULL;
35946+
35947+ return entry;
35948+}
35949+
35950+/*
35951+ * efi_map_next_entry - Return the next EFI memory map descriptor
35952+ * @entry: Previous EFI memory map descriptor
35953+ *
35954+ * This is a helper function to iterate over the EFI memory map, which
35955+ * we do in different orders depending on the current configuration.
35956+ *
35957+ * To begin traversing the memory map @entry must be %NULL.
35958+ *
35959+ * Returns %NULL when we reach the end of the memory map.
35960+ */
35961+static void *efi_map_next_entry(void *entry)
35962+{
35963+ if (!efi_enabled(EFI_OLD_MEMMAP) && efi_enabled(EFI_64BIT)) {
35964+ /*
35965+ * Starting in UEFI v2.5 the EFI_PROPERTIES_TABLE
35966+ * config table feature requires us to map all entries
35967+ * in the same order as they appear in the EFI memory
35968+ * map. That is to say, entry N must have a lower
35969+ * virtual address than entry N+1. This is because the
35970+ * firmware toolchain leaves relative references in
35971+ * the code/data sections, which are split and become
35972+ * separate EFI memory regions. Mapping things
35973+ * out-of-order leads to the firmware accessing
35974+ * unmapped addresses.
35975+ *
35976+ * Since we need to map things this way whether or not
35977+ * the kernel actually makes use of
35978+ * EFI_PROPERTIES_TABLE, let's just switch to this
35979+ * scheme by default for 64-bit.
35980+ */
35981+ return efi_map_next_entry_reverse(entry);
35982+ }
35983+
35984+ /* Initial call */
35985+ if (!entry)
35986+ return memmap.map;
35987+
35988+ entry += memmap.desc_size;
35989+ if (entry >= memmap.map_end)
35990+ return NULL;
35991+
35992+ return entry;
35993+}
35994+
35995+/*
35996 * Map the efi memory ranges of the runtime services and update new_mmap with
35997 * virtual addresses.
35998 */
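Review bot: The `/* Initial call */` branch of efi_map_next_entry_reverse() returns `memmap.map_end - memmap.desc_size` without comparing it to `memmap.map`, and the forward branch of efi_map_next_entry() returns `memmap.map` without comparing it to `memmap.map_end`. The loop this replaces in efi_map_regions() (next hunk) tested `p < memmap.map_end` before its first iteration, so with an empty map the caller would now be handed a descriptor outside the map. Applying the bounds test on the first call keeps the old behaviour, e.g. `if (!entry) return memmap.map < memmap.map_end ? memmap.map : NULL;` in the forward path and the mirrored check against `memmap.map` in the reverse helper.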
35999@@ -714,7 +778,8 @@ static void * __init efi_map_regions(int *count, int *pg_shift)
36000 unsigned long left = 0;
36001 efi_memory_desc_t *md;
36002
36003- for (p = memmap.map; p < memmap.map_end; p += memmap.desc_size) {
36004+ p = NULL;
36005+ while ((p = efi_map_next_entry(p))) {
36006 md = p;
36007 if (!(md->attribute & EFI_MEMORY_RUNTIME)) {
36008 #ifdef CONFIG_X86_64
36009diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
36010index ed5b673..24d2d53 100644
36011--- a/arch/x86/platform/efi/efi_32.c
36012+++ b/arch/x86/platform/efi/efi_32.c
36013@@ -61,11 +61,27 @@ pgd_t * __init efi_call_phys_prolog(void)
36014 struct desc_ptr gdt_descr;
36015 pgd_t *save_pgd;
36016
36017+#ifdef CONFIG_PAX_KERNEXEC
36018+ struct desc_struct d;
36019+#endif
36020+
36021 /* Current pgd is swapper_pg_dir, we'll restore it later: */
36022+#ifdef CONFIG_PAX_PER_CPU_PGD
36023+ save_pgd = get_cpu_pgd(smp_processor_id(), kernel);
36024+#else
36025 save_pgd = swapper_pg_dir;
36026+#endif
36027+
36028 load_cr3(initial_page_table);
36029 __flush_tlb_all();
36030
36031+#ifdef CONFIG_PAX_KERNEXEC
36032+ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
36033+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
36034+ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
36035+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
36036+#endif
36037+
36038 gdt_descr.address = __pa(get_cpu_gdt_table(0));
36039 gdt_descr.size = GDT_SIZE - 1;
36040 load_gdt(&gdt_descr);
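Review bot: The two `pack_descriptor()` calls install GDT entries described only by the literals `0x9B`, `0x93` and `0xC`, and nothing in this hunk says the entries are temporary. A comment such as `/* flat ring-0 code (0x9B) and data (0x93) segments, base 0, 4 KiB granularity, 32-bit (0xC); cleared again in efi_call_phys_epilog() */` would let a reader check the access rights without decoding the bytes. The entries are written to `get_cpu_gdt_table(0)` while `save_pgd` under CONFIG_PAX_PER_CPU_PGD uses `smp_processor_id()`; that is consistent only if this code runs on CPU 0, which the hunk does not show. efi_call_phys_prolog() continues outside the hunk.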
36041@@ -77,6 +93,14 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd)
36042 {
36043 struct desc_ptr gdt_descr;
36044
36045+#ifdef CONFIG_PAX_KERNEXEC
36046+ struct desc_struct d;
36047+
36048+ memset(&d, 0, sizeof d);
36049+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
36050+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
36051+#endif
36052+
36053 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
36054 gdt_descr.size = GDT_SIZE - 1;
36055 load_gdt(&gdt_descr);
36056diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
36057index a0ac0f9..f41d324 100644
36058--- a/arch/x86/platform/efi/efi_64.c
36059+++ b/arch/x86/platform/efi/efi_64.c
36060@@ -96,6 +96,11 @@ pgd_t * __init efi_call_phys_prolog(void)
36061 vaddress = (unsigned long)__va(pgd * PGDIR_SIZE);
36062 set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress));
36063 }
36064+
36065+#ifdef CONFIG_PAX_PER_CPU_PGD
36066+ load_cr3(swapper_pg_dir);
36067+#endif
36068+
36069 __flush_tlb_all();
36070
36071 return save_pgd;
36072@@ -119,6 +124,10 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd)
36073
36074 kfree(save_pgd);
36075
36076+#ifdef CONFIG_PAX_PER_CPU_PGD
36077+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
36078+#endif
36079+
36080 __flush_tlb_all();
36081 early_code_mapping_set_exec(0);
36082 }
36083@@ -148,8 +157,23 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
36084 unsigned npages;
36085 pgd_t *pgd;
36086
36087- if (efi_enabled(EFI_OLD_MEMMAP))
36088+ if (efi_enabled(EFI_OLD_MEMMAP)) {
36089+ /* PaX: We need to disable the NX bit in the PGD, otherwise we won't be
36090+ * able to execute the EFI services.
36091+ */
36092+ if (__supported_pte_mask & _PAGE_NX) {
36093+ unsigned long addr = (unsigned long) __va(0);
36094+ pgd_t pe = __pgd(pgd_val(*pgd_offset_k(addr)) & ~_PAGE_NX);
36095+
36096+ pr_alert("PAX: Disabling NX protection for low memory map. Try booting without \"efi=old_map\"\n");
36097+#ifdef CONFIG_PAX_PER_CPU_PGD
36098+ set_pgd(pgd_offset_cpu(0, kernel, addr), pe);
36099+#endif
36100+ set_pgd(pgd_offset_k(addr), pe);
36101+ }
36102+
36103 return 0;
36104+ }
36105
36106 efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd;
36107 pgd = __va(efi_scratch.efi_pgt);
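Review bot: The new `efi_enabled(EFI_OLD_MEMMAP)` branch clears `_PAGE_NX` in the top-level entry covering `__va(0)` and nothing visible sets it again, so everything mapped under that PGD slot loses NX at the top level for as long as the entry stays that way. The comment should state the scope and lifetime, e.g. `/* affects the whole PGD slot, not only the EFI regions, and is not restored */`, if that is the case. Under CONFIG_PAX_PER_CPU_PGD only CPU 0's table is updated through `pgd_offset_cpu(0, kernel, addr)`; whether the other CPUs' tables pick up the entry is decided outside this hunk and deserves a comment as well. The rest of efi_setup_page_tables() lies outside the hunk.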
36108diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S
36109index 040192b..7d3300f 100644
36110--- a/arch/x86/platform/efi/efi_stub_32.S
36111+++ b/arch/x86/platform/efi/efi_stub_32.S
36112@@ -6,7 +6,9 @@
36113 */
36114
36115 #include <linux/linkage.h>
36116+#include <linux/init.h>
36117 #include <asm/page_types.h>
36118+#include <asm/segment.h>
36119
36120 /*
36121 * efi_call_phys(void *, ...) is a function with variable parameters.
36122@@ -20,7 +22,7 @@
36123 * service functions will comply with gcc calling convention, too.
36124 */
36125
36126-.text
36127+__INIT
36128 ENTRY(efi_call_phys)
36129 /*
36130 * 0. The function can only be called in Linux kernel. So CS has been
36131@@ -36,10 +38,24 @@ ENTRY(efi_call_phys)
36132 * The mapping of lower virtual memory has been created in prolog and
36133 * epilog.
36134 */
36135- movl $1f, %edx
36136- subl $__PAGE_OFFSET, %edx
36137- jmp *%edx
36138+#ifdef CONFIG_PAX_KERNEXEC
36139+ movl $(__KERNEXEC_EFI_DS), %edx
36140+ mov %edx, %ds
36141+ mov %edx, %es
36142+ mov %edx, %ss
36143+ addl $2f,(1f)
36144+ ljmp *(1f)
36145+
36146+__INITDATA
36147+1: .long __LOAD_PHYSICAL_ADDR, __KERNEXEC_EFI_CS
36148+.previous
36149+
36150+2:
36151+ subl $2b,(1b)
36152+#else
36153+ jmp 1f-__PAGE_OFFSET
36154 1:
36155+#endif
36156
36157 /*
36158 * 2. Now on the top of stack is the return
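Review bot: The CONFIG_PAX_KERNEXEC path patches the far pointer at label `1` in place (`addl $2f,(1f)` before the `ljmp`, `subl $2b,(1b)` after it), and no comment explains why the slot is modified and then restored. A comment such as `/* 1: holds {offset, selector}; the address of 2: is added for the far jump and subtracted again so the slot holds its original value on the next call */` would make this readable. It should also note that the routine is not re-entrant while the slot holds the adjusted value. ENTRY(efi_call_phys) starts and ends outside this hunk.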
36159@@ -47,14 +63,8 @@ ENTRY(efi_call_phys)
36160 * parameter 2, ..., param n. To make things easy, we save the return
36161 * address of efi_call_phys in a global variable.
36162 */
36163- popl %edx
36164- movl %edx, saved_return_addr
36165- /* get the function pointer into ECX*/
36166- popl %ecx
36167- movl %ecx, efi_rt_function_ptr
36168- movl $2f, %edx
36169- subl $__PAGE_OFFSET, %edx
36170- pushl %edx
36171+ popl (saved_return_addr)
36172+ popl (efi_rt_function_ptr)
36173
36174 /*
36175 * 3. Clear PG bit in %CR0.
36176@@ -73,9 +83,8 @@ ENTRY(efi_call_phys)
36177 /*
36178 * 5. Call the physical function.
36179 */
36180- jmp *%ecx
36181+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
36182
36183-2:
36184 /*
36185 * 6. After EFI runtime service returns, control will return to
36186 * following instruction. We'd better readjust stack pointer first.
36187@@ -88,35 +97,36 @@ ENTRY(efi_call_phys)
36188 movl %cr0, %edx
36189 orl $0x80000000, %edx
36190 movl %edx, %cr0
36191- jmp 1f
36192-1:
36193+
36194 /*
36195 * 8. Now restore the virtual mode from flat mode by
36196 * adding EIP with PAGE_OFFSET.
36197 */
36198- movl $1f, %edx
36199- jmp *%edx
36200+#ifdef CONFIG_PAX_KERNEXEC
36201+ movl $(__KERNEL_DS), %edx
36202+ mov %edx, %ds
36203+ mov %edx, %es
36204+ mov %edx, %ss
36205+ ljmp $(__KERNEL_CS),$1f
36206+#else
36207+ jmp 1f+__PAGE_OFFSET
36208+#endif
36209 1:
36210
36211 /*
36212 * 9. Balance the stack. And because EAX contain the return value,
36213 * we'd better not clobber it.
36214 */
36215- leal efi_rt_function_ptr, %edx
36216- movl (%edx), %ecx
36217- pushl %ecx
36218+ pushl (efi_rt_function_ptr)
36219
36220 /*
36221- * 10. Push the saved return address onto the stack and return.
36222+ * 10. Return to the saved return address.
36223 */
36224- leal saved_return_addr, %edx
36225- movl (%edx), %ecx
36226- pushl %ecx
36227- ret
36228+ jmpl *(saved_return_addr)
36229 ENDPROC(efi_call_phys)
36230 .previous
36231
36232-.data
36233+__INITDATA
36234 saved_return_addr:
36235 .long 0
36236 efi_rt_function_ptr:
36237diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S
36238index 86d0f9e..6d499f4 100644
36239--- a/arch/x86/platform/efi/efi_stub_64.S
36240+++ b/arch/x86/platform/efi/efi_stub_64.S
36241@@ -11,6 +11,7 @@
36242 #include <asm/msr.h>
36243 #include <asm/processor-flags.h>
36244 #include <asm/page_types.h>
36245+#include <asm/alternative-asm.h>
36246
36247 #define SAVE_XMM \
36248 mov %rsp, %rax; \
36249@@ -88,6 +89,7 @@ ENTRY(efi_call)
36250 RESTORE_PGT
36251 addq $48, %rsp
36252 RESTORE_XMM
36253+ pax_force_retaddr 0, 1
36254 ret
36255 ENDPROC(efi_call)
36256
36257diff --git a/arch/x86/platform/intel-mid/intel-mid.c b/arch/x86/platform/intel-mid/intel-mid.c
36258index 01d54ea..ba1d71c 100644
36259--- a/arch/x86/platform/intel-mid/intel-mid.c
36260+++ b/arch/x86/platform/intel-mid/intel-mid.c
36261@@ -63,7 +63,7 @@ enum intel_mid_timer_options intel_mid_timer_options;
36262 /* intel_mid_ops to store sub arch ops */
36263 struct intel_mid_ops *intel_mid_ops;
36264 /* getter function for sub arch ops*/
36265-static void *(*get_intel_mid_ops[])(void) = INTEL_MID_OPS_INIT;
36266+static const void *(*get_intel_mid_ops[])(void) = INTEL_MID_OPS_INIT;
36267 enum intel_mid_cpu_type __intel_mid_cpu_chip;
36268 EXPORT_SYMBOL_GPL(__intel_mid_cpu_chip);
36269
36270@@ -71,9 +71,10 @@ static void intel_mid_power_off(void)
36271 {
36272 };
36273
36274-static void intel_mid_reboot(void)
36275+static void __noreturn intel_mid_reboot(void)
36276 {
36277 intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0);
36278+ BUG();
36279 }
36280
36281 static unsigned long __init intel_mid_calibrate_tsc(void)
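Review bot: `intel_mid_reboot()` discards the return value of `intel_scu_ipc_simple_command()` and then reaches the new `BUG()`, so a failed cold-boot request ends in an oops that does not say what the IPC call returned. Keeping and logging the status makes that case diagnosable, e.g. `int ret = intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0);` followed by `pr_emerg("cold boot request returned %d\n", ret);` before the `BUG()`. If the reset takes effect asynchronously, the `BUG()` could fire before it does; that depends on the IPC implementation, which is outside this hunk.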
36282diff --git a/arch/x86/platform/intel-mid/intel_mid_weak_decls.h b/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
36283index 3c1c386..59a68ed 100644
36284--- a/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
36285+++ b/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
36286@@ -13,6 +13,6 @@
36287 /* For every CPU addition a new get_<cpuname>_ops interface needs
36288 * to be added.
36289 */
36290-extern void *get_penwell_ops(void);
36291-extern void *get_cloverview_ops(void);
36292-extern void *get_tangier_ops(void);
36293+extern const void *get_penwell_ops(void);
36294+extern const void *get_cloverview_ops(void);
36295+extern const void *get_tangier_ops(void);
36296diff --git a/arch/x86/platform/intel-mid/mfld.c b/arch/x86/platform/intel-mid/mfld.c
36297index 23381d2..8ddc10e 100644
36298--- a/arch/x86/platform/intel-mid/mfld.c
36299+++ b/arch/x86/platform/intel-mid/mfld.c
36300@@ -64,12 +64,12 @@ static void __init penwell_arch_setup(void)
36301 pm_power_off = mfld_power_off;
36302 }
36303
36304-void *get_penwell_ops(void)
36305+const void *get_penwell_ops(void)
36306 {
36307 return &penwell_ops;
36308 }
36309
36310-void *get_cloverview_ops(void)
36311+const void *get_cloverview_ops(void)
36312 {
36313 return &penwell_ops;
36314 }
36315diff --git a/arch/x86/platform/intel-mid/mrfl.c b/arch/x86/platform/intel-mid/mrfl.c
36316index aaca917..66eadbc 100644
36317--- a/arch/x86/platform/intel-mid/mrfl.c
36318+++ b/arch/x86/platform/intel-mid/mrfl.c
36319@@ -97,7 +97,7 @@ static struct intel_mid_ops tangier_ops = {
36320 .arch_setup = tangier_arch_setup,
36321 };
36322
36323-void *get_tangier_ops(void)
36324+const void *get_tangier_ops(void)
36325 {
36326 return &tangier_ops;
36327 }
36328diff --git a/arch/x86/platform/intel-quark/imr_selftest.c b/arch/x86/platform/intel-quark/imr_selftest.c
36329index 278e4da..35db1a9 100644
36330--- a/arch/x86/platform/intel-quark/imr_selftest.c
36331+++ b/arch/x86/platform/intel-quark/imr_selftest.c
36332@@ -55,7 +55,7 @@ static void __init imr_self_test_result(int res, const char *fmt, ...)
36333 */
36334 static void __init imr_self_test(void)
36335 {
36336- phys_addr_t base = virt_to_phys(&_text);
36337+ phys_addr_t base = virt_to_phys((void *)ktla_ktva((unsigned long)_text));
36338 size_t size = virt_to_phys(&__end_rodata) - base;
36339 const char *fmt_over = "overlapped IMR @ (0x%08lx - 0x%08lx)\n";
36340 int ret;
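Review bot: `base` is now derived from `ktla_ktva((unsigned long)_text)`, but `size` on the next line is still `virt_to_phys(&__end_rodata) - base`, so the two ends of the range go through different address translations. If `ktla_ktva()` (defined outside this hunk) is not the identity in some configuration, either the end address should be converted the same way or a comment should explain why only the text start needs it. One possible wording, to be confirmed, is `/* only _text lives in the KERNEXEC text alias; __end_rodata is already a direct-map address */`. imr_self_test() continues outside the hunk.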
36341diff --git a/arch/x86/platform/olpc/olpc_dt.c b/arch/x86/platform/olpc/olpc_dt.c
36342index d6ee929..3637cb5 100644
36343--- a/arch/x86/platform/olpc/olpc_dt.c
36344+++ b/arch/x86/platform/olpc/olpc_dt.c
36345@@ -156,7 +156,7 @@ void * __init prom_early_alloc(unsigned long size)
36346 return res;
36347 }
36348
36349-static struct of_pdt_ops prom_olpc_ops __initdata = {
36350+static struct of_pdt_ops prom_olpc_ops __initconst = {
36351 .nextprop = olpc_dt_nextprop,
36352 .getproplen = olpc_dt_getproplen,
36353 .getproperty = olpc_dt_getproperty,
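Review bot: `prom_olpc_ops` is moved to `__initconst` while its declaration stays `static struct of_pdt_ops` without `const`. Unless something outside this hunk makes the type const (the patch's constify plugin is referenced elsewhere on this page), a writable object placed in a const init section can produce a section type conflict at build time. Spelling it out removes that dependency: `static const struct of_pdt_ops prom_olpc_ops __initconst = {`, provided the consumer accepts a `const struct of_pdt_ops *`.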
36354diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
36355index 9ab5279..8ba4611 100644
36356--- a/arch/x86/power/cpu.c
36357+++ b/arch/x86/power/cpu.c
36358@@ -134,11 +134,8 @@ static void do_fpu_end(void)
36359 static void fix_processor_context(void)
36360 {
36361 int cpu = smp_processor_id();
36362- struct tss_struct *t = &per_cpu(cpu_tss, cpu);
36363-#ifdef CONFIG_X86_64
36364- struct desc_struct *desc = get_cpu_gdt_table(cpu);
36365- tss_desc tss;
36366-#endif
36367+ struct tss_struct *t = cpu_tss + cpu;
36368+
36369 set_tss_desc(cpu, t); /*
36370 * This just modifies memory; should not be
36371 * necessary. But... This is necessary, because
36372@@ -147,10 +144,6 @@ static void fix_processor_context(void)
36373 */
36374
36375 #ifdef CONFIG_X86_64
36376- memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc));
36377- tss.type = 0x9; /* The available 64-bit TSS (see AMD vol 2, pg 91 */
36378- write_gdt_entry(desc, GDT_ENTRY_TSS, &tss, DESC_TSS);
36379-
36380 syscall_init(); /* This sets MSR_*STAR and related */
36381 #endif
36382 load_TR_desc(); /* This does ltr */
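Review bot: This hunk removes the explicit reset of the TSS descriptor type to `0x9` (available) that used to precede `load_TR_desc()`, so the `ltr` now depends on `set_tss_desc(cpu, t)` alone leaving the descriptor available; `ltr` faults on a busy descriptor. The remaining comment beside `set_tss_desc()` in the previous hunk does not state this. If set_tss_desc() does rewrite the type (not visible here), a line such as `/* set_tss_desc() rewrites the descriptor as an available TSS, which ltr requires */` should replace the removed explanation. fix_processor_context() continues outside the hunk.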
36383diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
36384index 0b7a63d..dff2199 100644
36385--- a/arch/x86/realmode/init.c
36386+++ b/arch/x86/realmode/init.c
36387@@ -68,7 +68,13 @@ void __init setup_real_mode(void)
36388 __va(real_mode_header->trampoline_header);
36389
36390 #ifdef CONFIG_X86_32
36391- trampoline_header->start = __pa_symbol(startup_32_smp);
36392+ trampoline_header->start = __pa_symbol(ktla_ktva((unsigned long)startup_32_smp));
36393+
36394+#ifdef CONFIG_PAX_KERNEXEC
36395+ trampoline_header->start -= LOAD_PHYSICAL_ADDR;
36396+#endif
36397+
36398+ trampoline_header->boot_cs = __BOOT_CS;
36399 trampoline_header->gdt_limit = __BOOT_DS + 7;
36400 trampoline_header->gdt_base = __pa_symbol(boot_gdt);
36401 #else
36402@@ -84,7 +90,7 @@ void __init setup_real_mode(void)
36403 *trampoline_cr4_features = __read_cr4();
36404
36405 trampoline_pgd = (u64 *) __va(real_mode_header->trampoline_pgd);
36406- trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd;
36407+ trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd & ~_PAGE_NX;
36408 trampoline_pgd[511] = init_level4_pgt[511].pgd;
36409 #endif
36410 }
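Review bot: `trampoline_pgd[0]` is now copied with `_PAGE_NX` masked off, and no comment says why the first trampoline entry must be executable while `trampoline_pgd[511]` keeps its bits. If the intent is that the trampoline executes through this entry, record it, e.g. `/* trampoline code runs through this entry, so it must not carry NX */`. The mask is applied with no CONFIG_PAX_* guard, unlike the KERNEXEC adjustment in the 32-bit branch of the previous hunk, so it changes every 64-bit build of this patch; the comment should say this is deliberate.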
36411diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile
36412index 2730d77..2e4cd19 100644
36413--- a/arch/x86/realmode/rm/Makefile
36414+++ b/arch/x86/realmode/rm/Makefile
36415@@ -68,5 +68,8 @@ $(obj)/realmode.relocs: $(obj)/realmode.elf FORCE
36416
36417 KBUILD_CFLAGS := $(LINUXINCLUDE) $(REALMODE_CFLAGS) -D_SETUP -D_WAKEUP \
36418 -I$(srctree)/arch/x86/boot
36419+ifdef CONSTIFY_PLUGIN
36420+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
36421+endif
36422 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
36423 GCOV_PROFILE := n
36424diff --git a/arch/x86/realmode/rm/header.S b/arch/x86/realmode/rm/header.S
36425index a28221d..93c40f1 100644
36426--- a/arch/x86/realmode/rm/header.S
36427+++ b/arch/x86/realmode/rm/header.S
36428@@ -30,7 +30,9 @@ GLOBAL(real_mode_header)
36429 #endif
36430 /* APM/BIOS reboot */
36431 .long pa_machine_real_restart_asm
36432-#ifdef CONFIG_X86_64
36433+#ifdef CONFIG_X86_32
36434+ .long __KERNEL_CS
36435+#else
36436 .long __KERNEL32_CS
36437 #endif
36438 END(real_mode_header)
36439diff --git a/arch/x86/realmode/rm/reboot.S b/arch/x86/realmode/rm/reboot.S
36440index d66c607..3def845 100644
36441--- a/arch/x86/realmode/rm/reboot.S
36442+++ b/arch/x86/realmode/rm/reboot.S
36443@@ -27,6 +27,10 @@ ENTRY(machine_real_restart_asm)
36444 lgdtl pa_tr_gdt
36445
36446 /* Disable paging to drop us out of long mode */
36447+ movl %cr4, %eax
36448+ andl $~X86_CR4_PCIDE, %eax
36449+ movl %eax, %cr4
36450+
36451 movl %cr0, %eax
36452 andl $~X86_CR0_PG, %eax
36453 movl %eax, %cr0
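Review bot: The added CR4 update sits under the existing comment `/* Disable paging to drop us out of long mode */`, which does not cover it. Clearing CR0.PG while CR4.PCIDE is still set raises #GP, so the order of the two register writes is load-bearing. State it above the three new instructions: `/* PCIDE must be cleared before CR0.PG */`.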
36454diff --git a/arch/x86/realmode/rm/trampoline_32.S b/arch/x86/realmode/rm/trampoline_32.S
36455index 48ddd76..c26749f 100644
36456--- a/arch/x86/realmode/rm/trampoline_32.S
36457+++ b/arch/x86/realmode/rm/trampoline_32.S
36458@@ -24,6 +24,12 @@
36459 #include <asm/page_types.h>
36460 #include "realmode.h"
36461
36462+#ifdef CONFIG_PAX_KERNEXEC
36463+#define ta(X) (X)
36464+#else
36465+#define ta(X) (pa_ ## X)
36466+#endif
36467+
36468 .text
36469 .code16
36470
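Review bot: The `ta()` macro defined here is not used in any other hunk shown for trampoline_32.S, and as a newly introduced macro it cannot have users in unchanged code, so it appears to be dead. Either drop the `#ifdef CONFIG_PAX_KERNEXEC` block or add the use it was meant for. If it stays, add a comment saying what `ta` stands for and why the KERNEXEC variant skips the `pa_` prefix.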
36471@@ -38,8 +44,6 @@ ENTRY(trampoline_start)
36472
36473 cli # We should be safe anyway
36474
36475- movl tr_start, %eax # where we need to go
36476-
36477 movl $0xA5A5A5A5, trampoline_status
36478 # write marker for master knows we're running
36479
36480@@ -55,7 +59,7 @@ ENTRY(trampoline_start)
36481 movw $1, %dx # protected mode (PE) bit
36482 lmsw %dx # into protected mode
36483
36484- ljmpl $__BOOT_CS, $pa_startup_32
36485+ ljmpl *(trampoline_header)
36486
36487 .section ".text32","ax"
36488 .code32
36489@@ -66,7 +70,7 @@ ENTRY(startup_32) # note: also used from wakeup_asm.S
36490 .balign 8
36491 GLOBAL(trampoline_header)
36492 tr_start: .space 4
36493- tr_gdt_pad: .space 2
36494+ tr_boot_cs: .space 2
36495 tr_gdt: .space 6
36496 END(trampoline_header)
36497
36498diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S
36499index dac7b20..72dbaca 100644
36500--- a/arch/x86/realmode/rm/trampoline_64.S
36501+++ b/arch/x86/realmode/rm/trampoline_64.S
36502@@ -93,6 +93,7 @@ ENTRY(startup_32)
36503 movl %edx, %gs
36504
36505 movl pa_tr_cr4, %eax
36506+ andl $~X86_CR4_PCIDE, %eax
36507 movl %eax, %cr4 # Enable PAE mode
36508
36509 # Setup trampoline 4 level pagetables
36510@@ -106,7 +107,7 @@ ENTRY(startup_32)
36511 wrmsr
36512
36513 # Enable paging and in turn activate Long Mode
36514- movl $(X86_CR0_PG | X86_CR0_WP | X86_CR0_PE), %eax
36515+ movl $(X86_CR0_PG | X86_CR0_PE), %eax
36516 movl %eax, %cr0
36517
36518 /*
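Review bot: `X86_CR0_WP` is removed from the CR0 value loaded when paging is enabled, so from here until code outside this hunk sets it again, supervisor-mode writes are not stopped by read-only page protections. The hunk gives no reason and does not say where WP is turned back on. A comment such as `/* WP deliberately left clear here; set again in PLACEHOLDER (location to confirm) */` would make that window auditable. ENTRY(startup_32) continues outside the hunk.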
36519diff --git a/arch/x86/realmode/rm/wakeup_asm.S b/arch/x86/realmode/rm/wakeup_asm.S
36520index 9e7e147..25a4158 100644
36521--- a/arch/x86/realmode/rm/wakeup_asm.S
36522+++ b/arch/x86/realmode/rm/wakeup_asm.S
36523@@ -126,11 +126,10 @@ ENTRY(wakeup_start)
36524 lgdtl pmode_gdt
36525
36526 /* This really couldn't... */
36527- movl pmode_entry, %eax
36528 movl pmode_cr0, %ecx
36529 movl %ecx, %cr0
36530- ljmpl $__KERNEL_CS, $pa_startup_32
36531- /* -> jmp *%eax in trampoline_32.S */
36532+
36533+ ljmpl *pmode_entry
36534 #else
36535 jmp trampoline_start
36536 #endif
36537diff --git a/arch/x86/tools/Makefile b/arch/x86/tools/Makefile
36538index 604a37e..e49702a 100644
36539--- a/arch/x86/tools/Makefile
36540+++ b/arch/x86/tools/Makefile
36541@@ -37,7 +37,7 @@ $(obj)/test_get_len.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/in
36542
36543 $(obj)/insn_sanity.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/inat.c $(srctree)/arch/x86/include/asm/inat_types.h $(srctree)/arch/x86/include/asm/inat.h $(srctree)/arch/x86/include/asm/insn.h $(objtree)/arch/x86/lib/inat-tables.c
36544
36545-HOST_EXTRACFLAGS += -I$(srctree)/tools/include
36546+HOST_EXTRACFLAGS += -I$(srctree)/tools/include -ggdb
36547 hostprogs-y += relocs
36548 relocs-objs := relocs_32.o relocs_64.o relocs_common.o
36549 PHONY += relocs
36550diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
36551index 0c2fae8..88d7719 100644
36552--- a/arch/x86/tools/relocs.c
36553+++ b/arch/x86/tools/relocs.c
36554@@ -1,5 +1,7 @@
36555 /* This is included from relocs_32/64.c */
36556
36557+#include "../../../include/generated/autoconf.h"
36558+
36559 #define ElfW(type) _ElfW(ELF_BITS, type)
36560 #define _ElfW(bits, type) __ElfW(bits, type)
36561 #define __ElfW(bits, type) Elf##bits##_##type
36562@@ -11,6 +13,7 @@
36563 #define Elf_Sym ElfW(Sym)
36564
36565 static Elf_Ehdr ehdr;
36566+static Elf_Phdr *phdr;
36567
36568 struct relocs {
36569 uint32_t *offset;
36570@@ -386,9 +389,39 @@ static void read_ehdr(FILE *fp)
36571 }
36572 }
36573
36574+static void read_phdrs(FILE *fp)
36575+{
36576+ unsigned int i;
36577+
36578+ phdr = calloc(ehdr.e_phnum, sizeof(Elf_Phdr));
36579+ if (!phdr) {
36580+ die("Unable to allocate %d program headers\n",
36581+ ehdr.e_phnum);
36582+ }
36583+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
36584+ die("Seek to %d failed: %s\n",
36585+ ehdr.e_phoff, strerror(errno));
36586+ }
36587+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
36588+ die("Cannot read ELF program headers: %s\n",
36589+ strerror(errno));
36590+ }
36591+ for(i = 0; i < ehdr.e_phnum; i++) {
36592+ phdr[i].p_type = elf_word_to_cpu(phdr[i].p_type);
36593+ phdr[i].p_offset = elf_off_to_cpu(phdr[i].p_offset);
36594+ phdr[i].p_vaddr = elf_addr_to_cpu(phdr[i].p_vaddr);
36595+ phdr[i].p_paddr = elf_addr_to_cpu(phdr[i].p_paddr);
36596+ phdr[i].p_filesz = elf_word_to_cpu(phdr[i].p_filesz);
36597+ phdr[i].p_memsz = elf_word_to_cpu(phdr[i].p_memsz);
36598+ phdr[i].p_flags = elf_word_to_cpu(phdr[i].p_flags);
36599+ phdr[i].p_align = elf_word_to_cpu(phdr[i].p_align);
36600+ }
36601+
36602+}
36603+
36604 static void read_shdrs(FILE *fp)
36605 {
36606- int i;
36607+ unsigned int i;
36608 Elf_Shdr shdr;
36609
36610 secs = calloc(ehdr.e_shnum, sizeof(struct section));
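Review bot: `read_phdrs()` converts `p_filesz`, `p_memsz` and `p_align` with `elf_word_to_cpu()`, but this file is built for both ELF widths (see the `ElfW`/`ELF_BITS` macros in the first hunk) and in a 64-bit program header those fields are 64 bits wide. If `elf_word_to_cpu()` is the 32-bit conversion its name implies, the values are truncated. The xword helper already used for `r_info` would fit, e.g. `phdr[i].p_filesz = elf_xword_to_cpu(phdr[i].p_filesz);` and likewise for `p_memsz` and `p_align`. The seek error message also prints `ehdr.e_phoff` with `%d`, which does not match an offset type wider than int.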
36611@@ -423,7 +456,7 @@ static void read_shdrs(FILE *fp)
36612
36613 static void read_strtabs(FILE *fp)
36614 {
36615- int i;
36616+ unsigned int i;
36617 for (i = 0; i < ehdr.e_shnum; i++) {
36618 struct section *sec = &secs[i];
36619 if (sec->shdr.sh_type != SHT_STRTAB) {
36620@@ -448,7 +481,7 @@ static void read_strtabs(FILE *fp)
36621
36622 static void read_symtabs(FILE *fp)
36623 {
36624- int i,j;
36625+ unsigned int i,j;
36626 for (i = 0; i < ehdr.e_shnum; i++) {
36627 struct section *sec = &secs[i];
36628 if (sec->shdr.sh_type != SHT_SYMTAB) {
36629@@ -479,9 +512,11 @@ static void read_symtabs(FILE *fp)
36630 }
36631
36632
36633-static void read_relocs(FILE *fp)
36634+static void read_relocs(FILE *fp, int use_real_mode)
36635 {
36636- int i,j;
36637+ unsigned int i,j;
36638+ uint32_t base;
36639+
36640 for (i = 0; i < ehdr.e_shnum; i++) {
36641 struct section *sec = &secs[i];
36642 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36643@@ -501,9 +536,22 @@ static void read_relocs(FILE *fp)
36644 die("Cannot read symbol table: %s\n",
36645 strerror(errno));
36646 }
36647+ base = 0;
36648+
36649+#ifdef CONFIG_X86_32
36650+ for (j = 0; !use_real_mode && j < ehdr.e_phnum; j++) {
36651+ if (phdr[j].p_type != PT_LOAD )
36652+ continue;
36653+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
36654+ continue;
36655+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
36656+ break;
36657+ }
36658+#endif
36659+
36660 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) {
36661 Elf_Rel *rel = &sec->reltab[j];
36662- rel->r_offset = elf_addr_to_cpu(rel->r_offset);
36663+ rel->r_offset = elf_addr_to_cpu(rel->r_offset) + base;
36664 rel->r_info = elf_xword_to_cpu(rel->r_info);
36665 #if (SHT_REL_TYPE == SHT_RELA)
36666 rel->r_addend = elf_xword_to_cpu(rel->r_addend);
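Review bot: The added PT_LOAD search indexes `secs[sec->shdr.sh_info]` twice inside one long condition without checking `sh_info` against `ehdr.e_shnum`, and the range test computes `phdr[j].p_offset + phdr[j].p_filesz`, which can wrap. Hoisting `secs[sec->shdr.sh_info].shdr.sh_offset` into a local before the loop and testing `target < phdr[j].p_offset || target - phdr[j].p_offset >= phdr[j].p_filesz` gives one place for the bounds check and avoids the addition. When no segment matches, `base` stays 0 and the offsets are emitted unadjusted with no diagnostic; if that is expected for sections outside any PT_LOAD, a comment should say so. read_relocs() begins in the previous hunk and continues outside this one.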
36667@@ -515,7 +563,7 @@ static void read_relocs(FILE *fp)
36668
36669 static void print_absolute_symbols(void)
36670 {
36671- int i;
36672+ unsigned int i;
36673 const char *format;
36674
36675 if (ELF_BITS == 64)
36676@@ -528,7 +576,7 @@ static void print_absolute_symbols(void)
36677 for (i = 0; i < ehdr.e_shnum; i++) {
36678 struct section *sec = &secs[i];
36679 char *sym_strtab;
36680- int j;
36681+ unsigned int j;
36682
36683 if (sec->shdr.sh_type != SHT_SYMTAB) {
36684 continue;
36685@@ -555,7 +603,7 @@ static void print_absolute_symbols(void)
36686
36687 static void print_absolute_relocs(void)
36688 {
36689- int i, printed = 0;
36690+ unsigned int i, printed = 0;
36691 const char *format;
36692
36693 if (ELF_BITS == 64)
36694@@ -568,7 +616,7 @@ static void print_absolute_relocs(void)
36695 struct section *sec_applies, *sec_symtab;
36696 char *sym_strtab;
36697 Elf_Sym *sh_symtab;
36698- int j;
36699+ unsigned int j;
36700 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36701 continue;
36702 }
36703@@ -645,13 +693,13 @@ static void add_reloc(struct relocs *r, uint32_t offset)
36704 static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel,
36705 Elf_Sym *sym, const char *symname))
36706 {
36707- int i;
36708+ unsigned int i;
36709 /* Walk through the relocations */
36710 for (i = 0; i < ehdr.e_shnum; i++) {
36711 char *sym_strtab;
36712 Elf_Sym *sh_symtab;
36713 struct section *sec_applies, *sec_symtab;
36714- int j;
36715+ unsigned int j;
36716 struct section *sec = &secs[i];
36717
36718 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36719@@ -697,7 +745,7 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel,
36720 * kernel data and does not require special treatment.
36721 *
36722 */
36723-static int per_cpu_shndx = -1;
36724+static unsigned int per_cpu_shndx = ~0;
36725 static Elf_Addr per_cpu_load_addr;
36726
36727 static void percpu_init(void)
36728@@ -830,6 +878,23 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
36729 {
36730 unsigned r_type = ELF32_R_TYPE(rel->r_info);
36731 int shn_abs = (sym->st_shndx == SHN_ABS) && !is_reloc(S_REL, symname);
36732+ char *sym_strtab = sec->link->link->strtab;
36733+
36734+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
36735+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
36736+ return 0;
36737+
36738+#ifdef CONFIG_PAX_KERNEXEC
36739+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
36740+ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
36741+ return 0;
36742+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
36743+ return 0;
36744+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
36745+ return 0;
36746+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
36747+ return 0;
36748+#endif
36749
36750 switch (r_type) {
36751 case R_386_NONE:
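Review bot: The new early returns call `sec_name(sym->st_shndx)` up to five times and rebuild the symbol name through `sec->link->link->strtab`, although the function already receives `symname` (used in the `is_reloc(S_REL, symname)` line above). Caching the section name once, `const char *secname = sec_name(sym->st_shndx);`, would shorten every condition. If the caller passes the same string (the caller is outside this hunk), comparing against `symname` would also remove the unchecked double dereference of `sec->link`. The per-cpu test sits outside the `CONFIG_PAX_KERNEXEC` guard, so it changes relocation output for every 32-bit build; its comment should say that this is deliberate. do_reloc32() starts and ends outside the hunk.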
36752@@ -968,7 +1033,7 @@ static int write32_as_text(uint32_t v, FILE *f)
36753
36754 static void emit_relocs(int as_text, int use_real_mode)
36755 {
36756- int i;
36757+ unsigned int i;
36758 int (*write_reloc)(uint32_t, FILE *) = write32;
36759 int (*do_reloc)(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
36760 const char *symname);
36761@@ -1078,10 +1143,11 @@ void process(FILE *fp, int use_real_mode, int as_text,
36762 {
36763 regex_init(use_real_mode);
36764 read_ehdr(fp);
36765+ read_phdrs(fp);
36766 read_shdrs(fp);
36767 read_strtabs(fp);
36768 read_symtabs(fp);
36769- read_relocs(fp);
36770+ read_relocs(fp, use_real_mode);
36771 if (ELF_BITS == 64)
36772 percpu_init();
36773 if (show_absolute_syms) {
36774diff --git a/arch/x86/um/mem_32.c b/arch/x86/um/mem_32.c
36775index 744afdc..a0b8a0d 100644
36776--- a/arch/x86/um/mem_32.c
36777+++ b/arch/x86/um/mem_32.c
36778@@ -20,7 +20,7 @@ static int __init gate_vma_init(void)
36779 gate_vma.vm_start = FIXADDR_USER_START;
36780 gate_vma.vm_end = FIXADDR_USER_END;
36781 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
36782- gate_vma.vm_page_prot = __P101;
36783+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
36784
36785 return 0;
36786 }
36787diff --git a/arch/x86/um/tls_32.c b/arch/x86/um/tls_32.c
36788index 48e3858..ab4458c 100644
36789--- a/arch/x86/um/tls_32.c
36790+++ b/arch/x86/um/tls_32.c
36791@@ -261,7 +261,7 @@ out:
36792 if (unlikely(task == current &&
36793 !t->arch.tls_array[idx - GDT_ENTRY_TLS_MIN].flushed)) {
36794 printk(KERN_ERR "get_tls_entry: task with pid %d got here "
36795- "without flushed TLS.", current->pid);
36796+ "without flushed TLS.", task_pid_nr(current));
36797 }
36798
36799 return 0;
36800diff --git a/arch/x86/xen/Kconfig b/arch/x86/xen/Kconfig
36801index 4841453..d59a203 100644
36802--- a/arch/x86/xen/Kconfig
36803+++ b/arch/x86/xen/Kconfig
36804@@ -9,6 +9,7 @@ config XEN
36805 select XEN_HAVE_PVMMU
36806 depends on X86_64 || (X86_32 && X86_PAE)
36807 depends on X86_LOCAL_APIC && X86_TSC
36808+ depends on !GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_VIRT_XEN
36809 help
36810 This is the Linux Xen port. Enabling this will allow the
36811 kernel to boot in a paravirtualized environment under the
36812diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
36813index 11d6fb4..c581662 100644
36814--- a/arch/x86/xen/enlighten.c
36815+++ b/arch/x86/xen/enlighten.c
36816@@ -125,8 +125,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
36817
36818 struct shared_info xen_dummy_shared_info;
36819
36820-void *xen_initial_gdt;
36821-
36822 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
36823 __read_mostly int xen_have_vector_callback;
36824 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
36825@@ -584,8 +582,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
36826 {
36827 unsigned long va = dtr->address;
36828 unsigned int size = dtr->size + 1;
36829- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
36830- unsigned long frames[pages];
36831+ unsigned long frames[65536 / PAGE_SIZE];
36832 int f;
36833
36834 /*
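Review bot: The new bound of `frames[]` in xen_load_gdt is the bare literal `65536 / PAGE_SIZE`, while the matching change to xen_load_gdt_boot in the next hunk sizes its array from `GDT_SIZE`, so the two loaders express their limit in two different ways. With the variable-length array gone, the fill loop stays in bounds only as long as the size check further down the function (outside this hunk) rejects anything the fixed array cannot hold, and nothing ties the two numbers together. A one-line comment such as `/* sized for the maximum enforced by the BUG_ON below */`, or a named constant used by both the array bound and the check, would keep them from drifting apart.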
36835@@ -633,8 +630,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
36836 {
36837 unsigned long va = dtr->address;
36838 unsigned int size = dtr->size + 1;
36839- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
36840- unsigned long frames[pages];
36841+ unsigned long frames[(GDT_SIZE + PAGE_SIZE - 1) / PAGE_SIZE];
36842 int f;
36843
36844 /*
36845@@ -642,7 +638,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
36846 * 8-byte entries, or 16 4k pages..
36847 */
36848
36849- BUG_ON(size > 65536);
36850+ BUG_ON(size > GDT_SIZE);
36851 BUG_ON(va & ~PAGE_MASK);
36852
36853 for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
36854@@ -1264,30 +1260,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
36855 #endif
36856 };
36857
36858-static void xen_reboot(int reason)
36859+static __noreturn void xen_reboot(int reason)
36860 {
36861 struct sched_shutdown r = { .reason = reason };
36862
36863- if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r))
36864- BUG();
36865+ HYPERVISOR_sched_op(SCHEDOP_shutdown, &r);
36866+ BUG();
36867 }
36868
36869-static void xen_restart(char *msg)
36870+static __noreturn void xen_restart(char *msg)
36871 {
36872 xen_reboot(SHUTDOWN_reboot);
36873 }
36874
36875-static void xen_emergency_restart(void)
36876+static __noreturn void xen_emergency_restart(void)
36877 {
36878 xen_reboot(SHUTDOWN_reboot);
36879 }
36880
36881-static void xen_machine_halt(void)
36882+static __noreturn void xen_machine_halt(void)
36883 {
36884 xen_reboot(SHUTDOWN_poweroff);
36885 }
36886
36887-static void xen_machine_power_off(void)
36888+static __noreturn void xen_machine_power_off(void)
36889 {
36890 if (pm_power_off)
36891 pm_power_off();
36892@@ -1440,8 +1436,11 @@ static void __ref xen_setup_gdt(int cpu)
36893 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
36894 pv_cpu_ops.load_gdt = xen_load_gdt_boot;
36895
36896- setup_stack_canary_segment(0);
36897- switch_to_new_gdt(0);
36898+ setup_stack_canary_segment(cpu);
36899+#ifdef CONFIG_X86_64
36900+ load_percpu_segment(cpu);
36901+#endif
36902+ switch_to_new_gdt(cpu);
36903
36904 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
36905 pv_cpu_ops.load_gdt = xen_load_gdt;
36906@@ -1557,7 +1556,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
36907 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
36908
36909 /* Work out if we support NX */
36910- x86_configure_nx();
36911+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
36912+ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
36913+ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
36914+ unsigned l, h;
36915+
36916+ __supported_pte_mask |= _PAGE_NX;
36917+ rdmsr(MSR_EFER, l, h);
36918+ l |= EFER_NX;
36919+ wrmsr(MSR_EFER, l, h);
36920+ }
36921+#endif
36922
36923 /* Get mfn list */
36924 xen_build_dynamic_phys_to_machine();
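Review bot: The open-coded NX probe that replaces `x86_configure_nx()` has no comment, and its two tests are not self-explanatory. A reader has to know that the first condition checks that extended CPUID leaves exist and that `X86_FEATURE_NX & 31` turns the feature number into a bit position in EDX of leaf 0x80000001. I would add `/* extended leaves present and CPUID 0x80000001 EDX reports NX: allow _PAGE_NX and set EFER.NX */` above the `if`. As far as this hunk shows, any override the removed helper may have honoured is no longer consulted, which deserves a sentence in that comment if it is intentional.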
36925@@ -1585,13 +1594,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
36926
36927 machine_ops = xen_machine_ops;
36928
36929- /*
36930- * The only reliable way to retain the initial address of the
36931- * percpu gdt_page is to remember it here, so we can go and
36932- * mark it RW later, when the initial percpu area is freed.
36933- */
36934- xen_initial_gdt = &per_cpu(gdt_page, 0);
36935-
36936 xen_smp_init();
36937
36938 #ifdef CONFIG_ACPI_NUMA
36939diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
36940index dd151b2..3291e38 100644
36941--- a/arch/x86/xen/mmu.c
36942+++ b/arch/x86/xen/mmu.c
36943@@ -1835,7 +1835,11 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
36944 * L3_k[511] -> level2_fixmap_pgt */
36945 convert_pfn_mfn(level3_kernel_pgt);
36946
36947+ convert_pfn_mfn(level3_vmalloc_start_pgt);
36948+ convert_pfn_mfn(level3_vmalloc_end_pgt);
36949+ convert_pfn_mfn(level3_vmemmap_pgt);
36950 /* L3_k[511][506] -> level1_fixmap_pgt */
36951+ /* L3_k[511][507] -> level1_vsyscall_pgt */
36952 convert_pfn_mfn(level2_fixmap_pgt);
36953 }
36954 /* We get [511][511] and have Xen's version of level2_kernel_pgt */
36955@@ -1860,11 +1864,22 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
36956 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
36957 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
36958 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
36959+ set_page_prot(level3_vmalloc_start_pgt, PAGE_KERNEL_RO);
36960+ set_page_prot(level3_vmalloc_end_pgt, PAGE_KERNEL_RO);
36961+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
36962 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
36963 set_page_prot(level2_ident_pgt, PAGE_KERNEL_RO);
36964+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
36965 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
36966 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
36967- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO);
36968+ set_page_prot(level1_modules_pgt[0], PAGE_KERNEL_RO);
36969+ set_page_prot(level1_modules_pgt[1], PAGE_KERNEL_RO);
36970+ set_page_prot(level1_modules_pgt[2], PAGE_KERNEL_RO);
36971+ set_page_prot(level1_modules_pgt[3], PAGE_KERNEL_RO);
36972+ set_page_prot(level1_fixmap_pgt[0], PAGE_KERNEL_RO);
36973+ set_page_prot(level1_fixmap_pgt[1], PAGE_KERNEL_RO);
36974+ set_page_prot(level1_fixmap_pgt[2], PAGE_KERNEL_RO);
36975+ set_page_prot(level1_vsyscall_pgt, PAGE_KERNEL_RO);
36976
36977 /* Pin down new L4 */
36978 pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,
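Review bot: The read-only marking of `level1_modules_pgt` and `level1_fixmap_pgt` spells out indices 0..3 and 0..2 by hand, so it silently goes stale if either table's dimension changes where it is declared (not visible in this hunk). Any page-table page that is missed would still be writable when the new L4 is pinned just below. Assuming both are true two-dimensional arrays, a loop keeps the count in one place: `for (i = 0; i < ARRAY_SIZE(level1_modules_pgt); i++) set_page_prot(level1_modules_pgt[i], PAGE_KERNEL_RO);`, and likewise for `level1_fixmap_pgt`. The enclosing function starts and ends outside the hunk, so `i` would need a declaration there.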
36979@@ -2048,6 +2063,7 @@ static void __init xen_post_allocator_init(void)
36980 pv_mmu_ops.set_pud = xen_set_pud;
36981 #if CONFIG_PGTABLE_LEVELS == 4
36982 pv_mmu_ops.set_pgd = xen_set_pgd;
36983+ pv_mmu_ops.set_pgd_batched = xen_set_pgd;
36984 #endif
36985
36986 /* This will work as long as patching hasn't happened yet
36987@@ -2126,6 +2142,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
36988 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
36989 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
36990 .set_pgd = xen_set_pgd_hyper,
36991+ .set_pgd_batched = xen_set_pgd_hyper,
36992
36993 .alloc_pud = xen_alloc_pmd_init,
36994 .release_pud = xen_release_pmd_init,
36995diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
36996index 8648438..18bac20 100644
36997--- a/arch/x86/xen/smp.c
36998+++ b/arch/x86/xen/smp.c
36999@@ -284,17 +284,13 @@ static void __init xen_smp_prepare_boot_cpu(void)
37000
37001 if (xen_pv_domain()) {
37002 if (!xen_feature(XENFEAT_writable_page_tables))
37003- /* We've switched to the "real" per-cpu gdt, so make
37004- * sure the old memory can be recycled. */
37005- make_lowmem_page_readwrite(xen_initial_gdt);
37006-
37007 #ifdef CONFIG_X86_32
37008 /*
37009 * Xen starts us with XEN_FLAT_RING1_DS, but linux code
37010 * expects __USER_DS
37011 */
37012- loadsegment(ds, __USER_DS);
37013- loadsegment(es, __USER_DS);
37014+ loadsegment(ds, __KERNEL_DS);
37015+ loadsegment(es, __KERNEL_DS);
37016 #endif
37017
37018 xen_filter_cpu_maps();
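Review bot: The `if (!xen_feature(XENFEAT_writable_page_tables))` line is kept as context while its only body statement, the `make_lowmem_page_readwrite()` call, is removed, so the condition now governs whatever statement follows. With CONFIG_X86_32 that is `loadsegment(ds, __KERNEL_DS);` alone, leaving the `es` load unconditional, and without it the condition attaches to `xen_filter_cpu_maps();`. Neither looks intended; the `if` line should be deleted together with the call. The comment above the segment loads still says the code `expects __USER_DS`, which no longer matches the `__KERNEL_DS` being loaded. The function continues outside the hunk.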
37019@@ -375,7 +371,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
37020 #ifdef CONFIG_X86_32
37021 /* Note: PVH is not yet supported on x86_32. */
37022 ctxt->user_regs.fs = __KERNEL_PERCPU;
37023- ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
37024+ savesegment(gs, ctxt->user_regs.gs);
37025 #endif
37026 memset(&ctxt->fpu_ctxt, 0, sizeof(ctxt->fpu_ctxt));
37027
37028@@ -383,8 +379,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
37029 ctxt->user_regs.eip = (unsigned long)cpu_bringup_and_idle;
37030 ctxt->flags = VGCF_IN_KERNEL;
37031 ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
37032- ctxt->user_regs.ds = __USER_DS;
37033- ctxt->user_regs.es = __USER_DS;
37034+ ctxt->user_regs.ds = __KERNEL_DS;
37035+ ctxt->user_regs.es = __KERNEL_DS;
37036 ctxt->user_regs.ss = __KERNEL_DS;
37037
37038 xen_copy_trap_info(ctxt->trap_ctxt);
37039@@ -720,7 +716,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
37040
37041 void __init xen_smp_init(void)
37042 {
37043- smp_ops = xen_smp_ops;
37044+ memcpy((void *)&smp_ops, &xen_smp_ops, sizeof smp_ops);
37045 xen_fill_possible_map();
37046 }
37047
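Review bot: Replacing the struct assignment with `memcpy((void *)&smp_ops, ...)` hides why the cast is needed, and no comment says so. If `smp_ops` is const-qualified or placed in read-only data elsewhere in this patch (not visible here), the cast only silences the compiler; the drivers/acpi/bgrt.c change further down brackets the same kind of write with `pax_open_kernel()`/`pax_close_kernel()`. A comment such as `/* smp_ops is not writable through its own type; written once here during early boot */`, adjusted to whatever actually makes the write safe, would document the assumption.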
37048diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
37049index fd92a64..1f72641 100644
37050--- a/arch/x86/xen/xen-asm_32.S
37051+++ b/arch/x86/xen/xen-asm_32.S
37052@@ -99,7 +99,7 @@ ENTRY(xen_iret)
37053 pushw %fs
37054 movl $(__KERNEL_PERCPU), %eax
37055 movl %eax, %fs
37056- movl %fs:xen_vcpu, %eax
37057+ mov PER_CPU_VAR(xen_vcpu), %eax
37058 POP_FS
37059 #else
37060 movl %ss:xen_vcpu, %eax
37061diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
37062index 8afdfcc..79239db 100644
37063--- a/arch/x86/xen/xen-head.S
37064+++ b/arch/x86/xen/xen-head.S
37065@@ -41,6 +41,17 @@ ENTRY(startup_xen)
37066 #ifdef CONFIG_X86_32
37067 mov %esi,xen_start_info
37068 mov $init_thread_union+THREAD_SIZE,%esp
37069+#ifdef CONFIG_SMP
37070+ movl $cpu_gdt_table,%edi
37071+ movl $__per_cpu_load,%eax
37072+ movw %ax,__KERNEL_PERCPU + 2(%edi)
37073+ rorl $16,%eax
37074+ movb %al,__KERNEL_PERCPU + 4(%edi)
37075+ movb %ah,__KERNEL_PERCPU + 7(%edi)
37076+ movl $__per_cpu_end - 1,%eax
37077+ subl $__per_cpu_start,%eax
37078+ movw %ax,__KERNEL_PERCPU + 0(%edi)
37079+#endif
37080 #else
37081 mov %rsi,xen_start_info
37082 mov $init_thread_union+THREAD_SIZE,%rsp
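Review bot: The nine added instructions carry no comment, and only the low 16 bits of the computed segment limit are written. The stores at offsets +2, +4 and +7 fill the three base fields of the `__KERNEL_PERCPU` descriptor in `cpu_gdt_table` with `__per_cpu_load`, and the final `movw` writes `__per_cpu_end - 1 - __per_cpu_start` into limit bits 15:0; the upper limit bits and the granularity flag in byte 6 keep whatever the table was initialised with, which is not visible in this hunk. If the per-cpu area can exceed 64 KiB the resulting limit may be too small, so either store the upper nibble as well or state the assumption. A header comment like `/* point the __KERNEL_PERCPU descriptor at the boot per-cpu area: base = __per_cpu_load, limit = area size - 1 */` would make the block readable.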
37083diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
37084index 2292721..a9bb18e 100644
37085--- a/arch/x86/xen/xen-ops.h
37086+++ b/arch/x86/xen/xen-ops.h
37087@@ -16,8 +16,6 @@ void xen_syscall_target(void);
37088 void xen_syscall32_target(void);
37089 #endif
37090
37091-extern void *xen_initial_gdt;
37092-
37093 struct trap_info;
37094 void xen_copy_trap_info(struct trap_info *traps);
37095
37096diff --git a/arch/xtensa/variants/dc232b/include/variant/core.h b/arch/xtensa/variants/dc232b/include/variant/core.h
37097index 525bd3d..ef888b1 100644
37098--- a/arch/xtensa/variants/dc232b/include/variant/core.h
37099+++ b/arch/xtensa/variants/dc232b/include/variant/core.h
37100@@ -119,9 +119,9 @@
37101 ----------------------------------------------------------------------*/
37102
37103 #define XCHAL_ICACHE_LINESIZE 32 /* I-cache line size in bytes */
37104-#define XCHAL_DCACHE_LINESIZE 32 /* D-cache line size in bytes */
37105 #define XCHAL_ICACHE_LINEWIDTH 5 /* log2(I line size in bytes) */
37106 #define XCHAL_DCACHE_LINEWIDTH 5 /* log2(D line size in bytes) */
37107+#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
37108
37109 #define XCHAL_ICACHE_SIZE 16384 /* I-cache size in bytes or 0 */
37110 #define XCHAL_DCACHE_SIZE 16384 /* D-cache size in bytes or 0 */
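Review bot: `XCHAL_DCACHE_LINESIZE` now expands to `_AC(1,UL)`, but this hunk adds no `#include <linux/const.h>`, whereas the fsf variant's core.h later in this patch adds exactly that include for the same change. Unless the dc232b header already gets `_AC` from an include outside the hunk, any user of the macro that has not pulled in linux/const.h will fail to build. Adding `#include <linux/const.h>` after the include guard, as done for fsf, would make the two variants consistent.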
37111diff --git a/arch/xtensa/variants/fsf/include/variant/core.h b/arch/xtensa/variants/fsf/include/variant/core.h
37112index 2f33760..835e50a 100644
37113--- a/arch/xtensa/variants/fsf/include/variant/core.h
37114+++ b/arch/xtensa/variants/fsf/include/variant/core.h
37115@@ -11,6 +11,7 @@
37116 #ifndef _XTENSA_CORE_H
37117 #define _XTENSA_CORE_H
37118
37119+#include <linux/const.h>
37120
37121 /****************************************************************************
37122 Parameters Useful for Any Code, USER or PRIVILEGED
37123@@ -112,9 +113,9 @@
37124 ----------------------------------------------------------------------*/
37125
37126 #define XCHAL_ICACHE_LINESIZE 16 /* I-cache line size in bytes */
37127-#define XCHAL_DCACHE_LINESIZE 16 /* D-cache line size in bytes */
37128 #define XCHAL_ICACHE_LINEWIDTH 4 /* log2(I line size in bytes) */
37129 #define XCHAL_DCACHE_LINEWIDTH 4 /* log2(D line size in bytes) */
37130+#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
37131
37132 #define XCHAL_ICACHE_SIZE 8192 /* I-cache size in bytes or 0 */
37133 #define XCHAL_DCACHE_SIZE 8192 /* D-cache size in bytes or 0 */
37134diff --git a/block/bio.c b/block/bio.c
37135index d6e5ba3..2bb142c 100644
37136--- a/block/bio.c
37137+++ b/block/bio.c
37138@@ -1187,7 +1187,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
37139 /*
37140 * Overflow, abort
37141 */
37142- if (end < start)
37143+ if (end < start || end - start > INT_MAX - nr_pages)
37144 return ERR_PTR(-EINVAL);
37145
37146 nr_pages += end - start;
37147@@ -1312,7 +1312,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
37148 /*
37149 * Overflow, abort
37150 */
37151- if (end < start)
37152+ if (end < start || end - start > INT_MAX - nr_pages)
37153 return ERR_PTR(-EINVAL);
37154
37155 nr_pages += end - start;
37156diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
37157index d6283b3..9cc48d1d 100644
37158--- a/block/blk-cgroup.c
37159+++ b/block/blk-cgroup.c
37160@@ -387,6 +387,9 @@ static void blkg_destroy_all(struct request_queue *q)
37161 blkg_destroy(blkg);
37162 spin_unlock(&blkcg->lock);
37163 }
37164+
37165+ q->root_blkg = NULL;
37166+ q->root_rl.blkg = NULL;
37167 }
37168
37169 /*
37170diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
37171index 0736729..2ec3b48 100644
37172--- a/block/blk-iopoll.c
37173+++ b/block/blk-iopoll.c
37174@@ -74,7 +74,7 @@ void blk_iopoll_complete(struct blk_iopoll *iop)
37175 }
37176 EXPORT_SYMBOL(blk_iopoll_complete);
37177
37178-static void blk_iopoll_softirq(struct softirq_action *h)
37179+static __latent_entropy void blk_iopoll_softirq(void)
37180 {
37181 struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
37182 int rearm = 0, budget = blk_iopoll_budget;
37183diff --git a/block/blk-map.c b/block/blk-map.c
37184index da310a1..213b5c9 100644
37185--- a/block/blk-map.c
37186+++ b/block/blk-map.c
37187@@ -192,7 +192,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
37188 if (!len || !kbuf)
37189 return -EINVAL;
37190
37191- do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
37192+ do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
37193 if (do_copy)
37194 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
37195 else
37196diff --git a/block/blk-softirq.c b/block/blk-softirq.c
37197index 53b1737..08177d2e 100644
37198--- a/block/blk-softirq.c
37199+++ b/block/blk-softirq.c
37200@@ -18,7 +18,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done);
37201 * Softirq action handler - move entries to local list and loop over them
37202 * while passing them to the queue registered handler.
37203 */
37204-static void blk_done_softirq(struct softirq_action *h)
37205+static __latent_entropy void blk_done_softirq(void)
37206 {
37207 struct list_head *cpu_list, local_list;
37208
37209diff --git a/block/bsg.c b/block/bsg.c
37210index d214e92..9649863 100644
37211--- a/block/bsg.c
37212+++ b/block/bsg.c
37213@@ -140,16 +140,24 @@ static int blk_fill_sgv4_hdr_rq(struct request_queue *q, struct request *rq,
37214 struct sg_io_v4 *hdr, struct bsg_device *bd,
37215 fmode_t has_write_perm)
37216 {
37217+ unsigned char tmpcmd[sizeof(rq->__cmd)];
37218+ unsigned char *cmdptr;
37219+
37220 if (hdr->request_len > BLK_MAX_CDB) {
37221 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
37222 if (!rq->cmd)
37223 return -ENOMEM;
37224- }
37225+ cmdptr = rq->cmd;
37226+ } else
37227+ cmdptr = tmpcmd;
37228
37229- if (copy_from_user(rq->cmd, (void __user *)(unsigned long)hdr->request,
37230+ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
37231 hdr->request_len))
37232 return -EFAULT;
37233
37234+ if (cmdptr != rq->cmd)
37235+ memcpy(rq->cmd, cmdptr, hdr->request_len);
37236+
37237 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
37238 if (blk_verify_command(rq->cmd, has_write_perm))
37239 return -EPERM;
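Review bot: The bounce through `tmpcmd` is unexplained, and the `} else` branch is left unbraced next to a braced `if`. Nothing in the hunk says why user data is first copied to the stack and then `memcpy`'d into `rq->cmd` when no separate buffer was allocated; the same pattern appears in the two block/scsi_ioctl.c hunks later in this patch, equally uncommented. A comment on the declaration, for example `/* copy_from_user() into a stack buffer first, then into the embedded rq->__cmd */` extended with the actual reason, would help, and kernel style wants `} else {` ... `}` here. The function body continues outside the hunk.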
37240diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c
37241index f678c73..f35aa18 100644
37242--- a/block/compat_ioctl.c
37243+++ b/block/compat_ioctl.c
37244@@ -156,7 +156,7 @@ static int compat_cdrom_generic_command(struct block_device *bdev, fmode_t mode,
37245 cgc = compat_alloc_user_space(sizeof(*cgc));
37246 cgc32 = compat_ptr(arg);
37247
37248- if (copy_in_user(&cgc->cmd, &cgc32->cmd, sizeof(cgc->cmd)) ||
37249+ if (copy_in_user(cgc->cmd, cgc32->cmd, sizeof(cgc->cmd)) ||
37250 get_user(data, &cgc32->buffer) ||
37251 put_user(compat_ptr(data), &cgc->buffer) ||
37252 copy_in_user(&cgc->buflen, &cgc32->buflen,
37253@@ -341,7 +341,7 @@ static int compat_fd_ioctl(struct block_device *bdev, fmode_t mode,
37254 err |= __get_user(f->spec1, &uf->spec1);
37255 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
37256 err |= __get_user(name, &uf->name);
37257- f->name = compat_ptr(name);
37258+ f->name = (void __force_kernel *)compat_ptr(name);
37259 if (err) {
37260 err = -EFAULT;
37261 goto out;
37262diff --git a/block/genhd.c b/block/genhd.c
37263index 59a1395..54ff187 100644
37264--- a/block/genhd.c
37265+++ b/block/genhd.c
37266@@ -470,21 +470,24 @@ static char *bdevt_str(dev_t devt, char *buf)
37267
37268 /*
37269 * Register device numbers dev..(dev+range-1)
37270- * range must be nonzero
37271+ * Noop if @range is zero.
37272 * The hash chain is sorted on range, so that subranges can override.
37273 */
37274 void blk_register_region(dev_t devt, unsigned long range, struct module *module,
37275 struct kobject *(*probe)(dev_t, int *, void *),
37276 int (*lock)(dev_t, void *), void *data)
37277 {
37278- kobj_map(bdev_map, devt, range, module, probe, lock, data);
37279+ if (range)
37280+ kobj_map(bdev_map, devt, range, module, probe, lock, data);
37281 }
37282
37283 EXPORT_SYMBOL(blk_register_region);
37284
37285+/* undo blk_register_region(), noop if @range is zero */
37286 void blk_unregister_region(dev_t devt, unsigned long range)
37287 {
37288- kobj_unmap(bdev_map, devt, range);
37289+ if (range)
37290+ kobj_unmap(bdev_map, devt, range);
37291 }
37292
37293 EXPORT_SYMBOL(blk_unregister_region);
37294diff --git a/block/partitions/efi.c b/block/partitions/efi.c
37295index 26cb624..a49c3a5 100644
37296--- a/block/partitions/efi.c
37297+++ b/block/partitions/efi.c
37298@@ -293,14 +293,14 @@ static gpt_entry *alloc_read_gpt_entries(struct parsed_partitions *state,
37299 if (!gpt)
37300 return NULL;
37301
37302+ if (!le32_to_cpu(gpt->num_partition_entries))
37303+ return NULL;
37304+ pte = kcalloc(le32_to_cpu(gpt->num_partition_entries), le32_to_cpu(gpt->sizeof_partition_entry), GFP_KERNEL);
37305+ if (!pte)
37306+ return NULL;
37307+
37308 count = le32_to_cpu(gpt->num_partition_entries) *
37309 le32_to_cpu(gpt->sizeof_partition_entry);
37310- if (!count)
37311- return NULL;
37312- pte = kmalloc(count, GFP_KERNEL);
37313- if (!pte)
37314- return NULL;
37315-
37316 if (read_lba(state, le64_to_cpu(gpt->partition_entry_lba),
37317 (u8 *) pte, count) < count) {
37318 kfree(pte);
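Review bot: The zero test now covers only `num_partition_entries`, whereas the removed `if (!count)` also rejected a header whose `sizeof_partition_entry` is zero. With a zero entry size `kcalloc()` is asked for zero bytes, `count` becomes 0, and the `read_lba(...) < count` test cannot fail, so the function would apparently hand back a zero-length buffer as if it held entries, unless a caller outside this hunk has already validated the entry size. Testing both fields keeps the old behaviour: `if (!le32_to_cpu(gpt->num_partition_entries) || !le32_to_cpu(gpt->sizeof_partition_entry)) return NULL;`. Note also that `count` is still the plain product of the two 32-bit values, so it can differ from the size `kcalloc()` checked and allocated.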
37319diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
37320index dda653c..028a13ee 100644
37321--- a/block/scsi_ioctl.c
37322+++ b/block/scsi_ioctl.c
37323@@ -67,7 +67,7 @@ static int scsi_get_bus(struct request_queue *q, int __user *p)
37324 return put_user(0, p);
37325 }
37326
37327-static int sg_get_timeout(struct request_queue *q)
37328+static int __intentional_overflow(-1) sg_get_timeout(struct request_queue *q)
37329 {
37330 return jiffies_to_clock_t(q->sg_timeout);
37331 }
37332@@ -227,8 +227,20 @@ EXPORT_SYMBOL(blk_verify_command);
37333 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
37334 struct sg_io_hdr *hdr, fmode_t mode)
37335 {
37336- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
37337+ unsigned char tmpcmd[sizeof(rq->__cmd)];
37338+ unsigned char *cmdptr;
37339+
37340+ if (rq->cmd != rq->__cmd)
37341+ cmdptr = rq->cmd;
37342+ else
37343+ cmdptr = tmpcmd;
37344+
37345+ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
37346 return -EFAULT;
37347+
37348+ if (cmdptr != rq->cmd)
37349+ memcpy(rq->cmd, cmdptr, hdr->cmd_len);
37350+
37351 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
37352 return -EPERM;
37353
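Review bot: `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)` can now target the fixed-size stack array `tmpcmd`, and nothing in this function bounds `hdr->cmd_len` by `sizeof(tmpcmd)`. The copy is safe only if the caller guarantees that `rq->cmd` was pointed at a larger allocation whenever the length exceeds the embedded buffer, which is not visible in this hunk; the block/bsg.c change shows that check next to its copy, this function does not. A local guard keeps the invariant where the buffer is declared: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`. The second sg_scsi_ioctl hunk below copies `cmdlen` bytes into its own `tmpcmd` in the same way and would want the equivalent check before its `copy_from_user()`.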
37354@@ -420,6 +432,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
37355 int err;
37356 unsigned int in_len, out_len, bytes, opcode, cmdlen;
37357 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
37358+ unsigned char tmpcmd[sizeof(rq->__cmd)];
37359+ unsigned char *cmdptr;
37360
37361 if (!sic)
37362 return -EINVAL;
37363@@ -458,9 +472,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
37364 */
37365 err = -EFAULT;
37366 rq->cmd_len = cmdlen;
37367- if (copy_from_user(rq->cmd, sic->data, cmdlen))
37368+
37369+ if (rq->cmd != rq->__cmd)
37370+ cmdptr = rq->cmd;
37371+ else
37372+ cmdptr = tmpcmd;
37373+
37374+ if (copy_from_user(cmdptr, sic->data, cmdlen))
37375 goto error;
37376
37377+ if (rq->cmd != cmdptr)
37378+ memcpy(rq->cmd, cmdptr, cmdlen);
37379+
37380 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
37381 goto error;
37382
37383diff --git a/crypto/cryptd.c b/crypto/cryptd.c
37384index 22ba81f..1acac67 100644
37385--- a/crypto/cryptd.c
37386+++ b/crypto/cryptd.c
37387@@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
37388
37389 struct cryptd_blkcipher_request_ctx {
37390 crypto_completion_t complete;
37391-};
37392+} __no_const;
37393
37394 struct cryptd_hash_ctx {
37395 struct crypto_shash *child;
37396@@ -80,7 +80,7 @@ struct cryptd_aead_ctx {
37397
37398 struct cryptd_aead_request_ctx {
37399 crypto_completion_t complete;
37400-};
37401+} __no_const;
37402
37403 static void cryptd_queue_worker(struct work_struct *work);
37404
37405diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
37406index 45e7d51..2967121 100644
37407--- a/crypto/pcrypt.c
37408+++ b/crypto/pcrypt.c
37409@@ -385,7 +385,7 @@ static int pcrypt_sysfs_add(struct padata_instance *pinst, const char *name)
37410 int ret;
37411
37412 pinst->kobj.kset = pcrypt_kset;
37413- ret = kobject_add(&pinst->kobj, NULL, name);
37414+ ret = kobject_add(&pinst->kobj, NULL, "%s", name);
37415 if (!ret)
37416 kobject_uevent(&pinst->kobj, KOBJ_ADD);
37417
37418diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
37419index ea5815c..5880da6 100644
37420--- a/crypto/scatterwalk.c
37421+++ b/crypto/scatterwalk.c
37422@@ -109,14 +109,20 @@ void scatterwalk_map_and_copy(void *buf, struct scatterlist *sg,
37423 {
37424 struct scatter_walk walk;
37425 struct scatterlist tmp[2];
37426+ void *realbuf = buf;
37427
37428 if (!nbytes)
37429 return;
37430
37431 sg = scatterwalk_ffwd(tmp, sg, start);
37432
37433- if (sg_page(sg) == virt_to_page(buf) &&
37434- sg->offset == offset_in_page(buf))
37435+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
37436+ if (object_starts_on_stack(buf))
37437+ realbuf = buf - current->stack + current->lowmem_stack;
37438+#endif
37439+
37440+ if (sg_page(sg) == virt_to_page(realbuf) &&
37441+ sg->offset == offset_in_page(realbuf))
37442 return;
37443
37444 scatterwalk_start(&walk, sg);
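Review bot: The translation `realbuf = buf - current->stack + current->lowmem_stack` has no comment, and the reason for it cannot be read from the hunk. It presumably maps an address on the current task's stack to another mapping of the same stack so that `virt_to_page()` and `offset_in_page()` are applied to an address they can handle, and it assumes `buf` belongs to `current`'s stack rather than another task's. I would add `/* the stack may not be in the linear map: compare against its lowmem alias */`, adjusted to the real reason, above the `#ifdef`.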
37445diff --git a/crypto/zlib.c b/crypto/zlib.c
37446index d51a30a..fb1f8af 100644
37447--- a/crypto/zlib.c
37448+++ b/crypto/zlib.c
37449@@ -95,10 +95,10 @@ static int zlib_compress_setup(struct crypto_pcomp *tfm, const void *params,
37450 zlib_comp_exit(ctx);
37451
37452 window_bits = tb[ZLIB_COMP_WINDOWBITS]
37453- ? nla_get_u32(tb[ZLIB_COMP_WINDOWBITS])
37454+ ? nla_get_s32(tb[ZLIB_COMP_WINDOWBITS])
37455 : MAX_WBITS;
37456 mem_level = tb[ZLIB_COMP_MEMLEVEL]
37457- ? nla_get_u32(tb[ZLIB_COMP_MEMLEVEL])
37458+ ? nla_get_s32(tb[ZLIB_COMP_MEMLEVEL])
37459 : DEF_MEM_LEVEL;
37460
37461 workspacesize = zlib_deflate_workspacesize(window_bits, mem_level);
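Review bot: Reading `ZLIB_COMP_WINDOWBITS` and `ZLIB_COMP_MEMLEVEL` as signed values makes negative numbers explicit, and the hunk shows no range check before both go to `zlib_deflate_workspacesize()`. If that helper does not validate its arguments itself, a caller-supplied attribute directly determines the workspace size. A check such as `if (mem_level < 1 || mem_level > MAX_MEM_LEVEL) return -EINVAL;`, with a similar bound on the magnitude of `window_bits`, would reject bad parameters at the point they are parsed. The function continues outside the hunk.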
37462diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
37463index 8c2fe2f..fc47c12 100644
37464--- a/drivers/acpi/acpi_video.c
37465+++ b/drivers/acpi/acpi_video.c
37466@@ -398,7 +398,7 @@ static int video_disable_backlight_sysfs_if(
37467 return 0;
37468 }
37469
37470-static struct dmi_system_id video_dmi_table[] = {
37471+static const struct dmi_system_id video_dmi_table[] = {
37472 /*
37473 * Broken _BQC workaround http://bugzilla.kernel.org/show_bug.cgi?id=13121
37474 */
37475diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c
37476index 52dfd0d..8386baf 100644
37477--- a/drivers/acpi/acpica/hwxfsleep.c
37478+++ b/drivers/acpi/acpica/hwxfsleep.c
37479@@ -70,11 +70,12 @@ static acpi_status acpi_hw_sleep_dispatch(u8 sleep_state, u32 function_id);
37480 /* Legacy functions are optional, based upon ACPI_REDUCED_HARDWARE */
37481
37482 static struct acpi_sleep_functions acpi_sleep_dispatch[] = {
37483- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_sleep),
37484- acpi_hw_extended_sleep},
37485- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake_prep),
37486- acpi_hw_extended_wake_prep},
37487- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake), acpi_hw_extended_wake}
37488+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_sleep),
37489+ .extended_function = acpi_hw_extended_sleep},
37490+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake_prep),
37491+ .extended_function = acpi_hw_extended_wake_prep},
37492+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake),
37493+ .extended_function = acpi_hw_extended_wake}
37494 };
37495
37496 /*
37497diff --git a/drivers/acpi/apei/apei-internal.h b/drivers/acpi/apei/apei-internal.h
37498index 16129c7..8b675cd 100644
37499--- a/drivers/acpi/apei/apei-internal.h
37500+++ b/drivers/acpi/apei/apei-internal.h
37501@@ -19,7 +19,7 @@ typedef int (*apei_exec_ins_func_t)(struct apei_exec_context *ctx,
37502 struct apei_exec_ins_type {
37503 u32 flags;
37504 apei_exec_ins_func_t run;
37505-};
37506+} __do_const;
37507
37508 struct apei_exec_context {
37509 u32 ip;
37510diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
37511index 2bfd53c..391e9a4 100644
37512--- a/drivers/acpi/apei/ghes.c
37513+++ b/drivers/acpi/apei/ghes.c
37514@@ -478,7 +478,7 @@ static void __ghes_print_estatus(const char *pfx,
37515 const struct acpi_hest_generic *generic,
37516 const struct acpi_hest_generic_status *estatus)
37517 {
37518- static atomic_t seqno;
37519+ static atomic_unchecked_t seqno;
37520 unsigned int curr_seqno;
37521 char pfx_seq[64];
37522
37523@@ -489,7 +489,7 @@ static void __ghes_print_estatus(const char *pfx,
37524 else
37525 pfx = KERN_ERR;
37526 }
37527- curr_seqno = atomic_inc_return(&seqno);
37528+ curr_seqno = atomic_inc_return_unchecked(&seqno);
37529 snprintf(pfx_seq, sizeof(pfx_seq), "%s{%u}" HW_ERR, pfx, curr_seqno);
37530 printk("%s""Hardware error from APEI Generic Hardware Error Source: %d\n",
37531 pfx_seq, generic->header.source_id);
37532diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
37533index a83e3c6..c3d617f 100644
37534--- a/drivers/acpi/bgrt.c
37535+++ b/drivers/acpi/bgrt.c
37536@@ -86,8 +86,10 @@ static int __init bgrt_init(void)
37537 if (!bgrt_image)
37538 return -ENODEV;
37539
37540- bin_attr_image.private = bgrt_image;
37541- bin_attr_image.size = bgrt_image_size;
37542+ pax_open_kernel();
37543+ *(void **)&bin_attr_image.private = bgrt_image;
37544+ *(size_t *)&bin_attr_image.size = bgrt_image_size;
37545+ pax_close_kernel();
37546
37547 bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj);
37548 if (!bgrt_kobj)
37549diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
37550index 278dc4b..976433d 100644
37551--- a/drivers/acpi/blacklist.c
37552+++ b/drivers/acpi/blacklist.c
37553@@ -51,7 +51,7 @@ struct acpi_blacklist_item {
37554 u32 is_critical_error;
37555 };
37556
37557-static struct dmi_system_id acpi_osi_dmi_table[] __initdata;
37558+static const struct dmi_system_id acpi_osi_dmi_table[] __initconst;
37559
37560 /*
37561 * POLICY: If *anything* doesn't work, put it on the blacklist.
37562@@ -172,7 +172,7 @@ static int __init dmi_enable_rev_override(const struct dmi_system_id *d)
37563 }
37564 #endif
37565
37566-static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
37567+static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = {
37568 {
37569 .callback = dmi_disable_osi_vista,
37570 .ident = "Fujitsu Siemens",
37571diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
37572index 513e7230e..802015a 100644
37573--- a/drivers/acpi/bus.c
37574+++ b/drivers/acpi/bus.c
37575@@ -67,7 +67,7 @@ static int set_copy_dsdt(const struct dmi_system_id *id)
37576 }
37577 #endif
37578
37579-static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37580+static const struct dmi_system_id dsdt_dmi_table[] __initconst = {
37581 /*
37582 * Invoke DSDT corruption work-around on all Toshiba Satellite.
37583 * https://bugzilla.kernel.org/show_bug.cgi?id=14679
37584@@ -83,7 +83,7 @@ static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37585 {}
37586 };
37587 #else
37588-static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37589+static const struct dmi_system_id dsdt_dmi_table[] __initconst = {
37590 {}
37591 };
37592 #endif
37593diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
37594index c68e724..e863008 100644
37595--- a/drivers/acpi/custom_method.c
37596+++ b/drivers/acpi/custom_method.c
37597@@ -29,6 +29,10 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
37598 struct acpi_table_header table;
37599 acpi_status status;
37600
37601+#ifdef CONFIG_GRKERNSEC_KMEM
37602+ return -EPERM;
37603+#endif
37604+
37605 if (!(*ppos)) {
37606 /* parse the table header to get the table length */
37607 if (count <= sizeof(struct acpi_table_header))
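Review bot: The bare `return -EPERM;` under `#ifdef CONFIG_GRKERNSEC_KMEM` leaves the whole remainder of `cm_write()` as dead code after an unconditional return, which reads like a leftover and can trigger unreachable-code diagnostics. `if (IS_ENABLED(CONFIG_GRKERNSEC_KMEM)) return -EPERM;` gives the same result in the conventional form. The file would still be created and only fail on write; not registering it at all when the option is set would be the cleaner place to refuse, though the registration code is outside this hunk.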
37608diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
37609index 88dbbb1..90714c0 100644
37610--- a/drivers/acpi/device_pm.c
37611+++ b/drivers/acpi/device_pm.c
37612@@ -1045,6 +1045,8 @@ EXPORT_SYMBOL_GPL(acpi_subsys_freeze);
37613
37614 #endif /* CONFIG_PM_SLEEP */
37615
37616+static void acpi_dev_pm_detach(struct device *dev, bool power_off);
37617+
37618 static struct dev_pm_domain acpi_general_pm_domain = {
37619 .ops = {
37620 .runtime_suspend = acpi_subsys_runtime_suspend,
37621@@ -1061,6 +1063,7 @@ static struct dev_pm_domain acpi_general_pm_domain = {
37622 .restore_early = acpi_subsys_resume_early,
37623 #endif
37624 },
37625+ .detach = acpi_dev_pm_detach
37626 };
37627
37628 /**
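Review bot: The new initializer `.detach = acpi_dev_pm_detach` at the end of acpi_general_pm_domain has no trailing comma, unlike the `.ops = { ... },` member just above it; `.detach = acpi_dev_pm_detach,` keeps later additions to one-line diffs. Setting the callback statically replaces the run-time assignment removed from acpi_dev_pm_attach() in the following hunk. A short comment next to the forward declaration added in the hunk above, such as `/* set statically so the domain is never written at run time */`, would record why.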
37629@@ -1130,7 +1133,6 @@ int acpi_dev_pm_attach(struct device *dev, bool power_on)
37630 acpi_device_wakeup(adev, ACPI_STATE_S0, false);
37631 }
37632
37633- dev->pm_domain->detach = acpi_dev_pm_detach;
37634 return 0;
37635 }
37636 EXPORT_SYMBOL_GPL(acpi_dev_pm_attach);
37637diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
37638index 9d4761d..ece2163 100644
37639--- a/drivers/acpi/ec.c
37640+++ b/drivers/acpi/ec.c
37641@@ -1434,7 +1434,7 @@ static int ec_clear_on_resume(const struct dmi_system_id *id)
37642 return 0;
37643 }
37644
37645-static struct dmi_system_id ec_dmi_table[] __initdata = {
37646+static const struct dmi_system_id ec_dmi_table[] __initconst = {
37647 {
37648 ec_skip_dsdt_scan, "Compal JFL92", {
37649 DMI_MATCH(DMI_BIOS_VENDOR, "COMPAL"),
37650diff --git a/drivers/acpi/pci_slot.c b/drivers/acpi/pci_slot.c
37651index 139d9e4..9a9d799 100644
37652--- a/drivers/acpi/pci_slot.c
37653+++ b/drivers/acpi/pci_slot.c
37654@@ -195,7 +195,7 @@ static int do_sta_before_sun(const struct dmi_system_id *d)
37655 return 0;
37656 }
37657
37658-static struct dmi_system_id acpi_pci_slot_dmi_table[] __initdata = {
37659+static const struct dmi_system_id acpi_pci_slot_dmi_table[] __initconst = {
37660 /*
37661 * Fujitsu Primequest machines will return 1023 to indicate an
37662 * error if the _SUN method is evaluated on SxFy objects that
37663diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c
37664index d9f7158..168e742 100644
37665--- a/drivers/acpi/processor_driver.c
37666+++ b/drivers/acpi/processor_driver.c
37667@@ -159,7 +159,7 @@ static int acpi_cpu_soft_notify(struct notifier_block *nfb,
37668 return NOTIFY_OK;
37669 }
37670
37671-static struct notifier_block __refdata acpi_cpu_notifier = {
37672+static struct notifier_block __refconst acpi_cpu_notifier = {
37673 .notifier_call = acpi_cpu_soft_notify,
37674 };
37675
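Review bot: `acpi_cpu_notifier` is moved to the const section with `__refconst`, but the declaration still reads `static struct notifier_block`, while the video_detect.c hunk in this same patch spells its notifier `static const struct notifier_block`. If the missing qualifier relies on the type being constified by other means (not visible here), a comment saying so would help; otherwise the two declarations should agree, e.g. `static const struct notifier_block __refconst acpi_cpu_notifier = {`. A non-const-looking object in a read-only section is easy to break later by adding a run-time assignment to it.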
37676diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
37677index d540f42..d5b32ac 100644
37678--- a/drivers/acpi/processor_idle.c
37679+++ b/drivers/acpi/processor_idle.c
37680@@ -910,7 +910,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr)
37681 {
37682 int i, count = CPUIDLE_DRIVER_STATE_START;
37683 struct acpi_processor_cx *cx;
37684- struct cpuidle_state *state;
37685+ cpuidle_state_no_const *state;
37686 struct cpuidle_driver *drv = &acpi_idle_driver;
37687
37688 if (!pr->flags.power_setup_done)
37689diff --git a/drivers/acpi/processor_pdc.c b/drivers/acpi/processor_pdc.c
37690index 7cfbda4..74f738c 100644
37691--- a/drivers/acpi/processor_pdc.c
37692+++ b/drivers/acpi/processor_pdc.c
37693@@ -173,7 +173,7 @@ static int __init set_no_mwait(const struct dmi_system_id *id)
37694 return 0;
37695 }
37696
37697-static struct dmi_system_id processor_idle_dmi_table[] __initdata = {
37698+static const struct dmi_system_id processor_idle_dmi_table[] __initconst = {
37699 {
37700 set_no_mwait, "Extensa 5220", {
37701 DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37702diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
37703index 2f0d4db..b9e9b15 100644
37704--- a/drivers/acpi/sleep.c
37705+++ b/drivers/acpi/sleep.c
37706@@ -148,7 +148,7 @@ static int __init init_nvs_nosave(const struct dmi_system_id *d)
37707 return 0;
37708 }
37709
37710-static struct dmi_system_id acpisleep_dmi_table[] __initdata = {
37711+static const struct dmi_system_id acpisleep_dmi_table[] __initconst = {
37712 {
37713 .callback = init_old_suspend_ordering,
37714 .ident = "Abit KN9 (nForce4 variant)",
37715diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c
37716index 0876d77b..3ba0127 100644
37717--- a/drivers/acpi/sysfs.c
37718+++ b/drivers/acpi/sysfs.c
37719@@ -423,11 +423,11 @@ static u32 num_counters;
37720 static struct attribute **all_attrs;
37721 static u32 acpi_gpe_count;
37722
37723-static struct attribute_group interrupt_stats_attr_group = {
37724+static attribute_group_no_const interrupt_stats_attr_group = {
37725 .name = "interrupts",
37726 };
37727
37728-static struct kobj_attribute *counter_attrs;
37729+static kobj_attribute_no_const *counter_attrs;
37730
37731 static void delete_gpe_attr_array(void)
37732 {
37733diff --git a/drivers/acpi/thermal.c b/drivers/acpi/thermal.c
37734index 6d4e44e..44fb839 100644
37735--- a/drivers/acpi/thermal.c
37736+++ b/drivers/acpi/thermal.c
37737@@ -1212,7 +1212,7 @@ static int thermal_psv(const struct dmi_system_id *d) {
37738 return 0;
37739 }
37740
37741-static struct dmi_system_id thermal_dmi_table[] __initdata = {
37742+static const struct dmi_system_id thermal_dmi_table[] __initconst = {
37743 /*
37744 * Award BIOS on this AOpen makes thermal control almost worthless.
37745 * http://bugzilla.kernel.org/show_bug.cgi?id=8842
37746diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
37747index 2922f1f..26b0c03 100644
37748--- a/drivers/acpi/video_detect.c
37749+++ b/drivers/acpi/video_detect.c
37750@@ -41,7 +41,6 @@ ACPI_MODULE_NAME("video");
37751 void acpi_video_unregister_backlight(void);
37752
37753 static bool backlight_notifier_registered;
37754-static struct notifier_block backlight_nb;
37755 static struct work_struct backlight_notify_work;
37756
37757 static enum acpi_backlight_type acpi_backlight_cmdline = acpi_backlight_undef;
37758@@ -284,6 +283,10 @@ static int acpi_video_backlight_notify(struct notifier_block *nb,
37759 return NOTIFY_OK;
37760 }
37761
37762+static const struct notifier_block backlight_nb = {
37763+ .notifier_call = acpi_video_backlight_notify,
37764+};
37765+
37766 /*
37767 * Determine which type of backlight interface to use on this system,
37768 * First check cmdline, then dmi quirks, then do autodetect.
37769@@ -314,8 +317,6 @@ enum acpi_backlight_type acpi_video_get_backlight_type(void)
37770 &video_caps, NULL);
37771 INIT_WORK(&backlight_notify_work,
37772 acpi_video_backlight_notify_work);
37773- backlight_nb.notifier_call = acpi_video_backlight_notify;
37774- backlight_nb.priority = 0;
37775 if (backlight_register_notifier(&backlight_nb) == 0)
37776 backlight_notifier_registered = true;
37777 init_done = true;
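Review bot: `backlight_register_notifier(&backlight_nb)` now receives the address of an object declared `const` in the hunk above, and notifier registration normally links the block into a chain by writing to it. The callee is not visible here, so confirm that its parameter type and the chain code were adapted elsewhere in the patch; otherwise this call discards the qualifier and the first registration would write to read-only data. Dropping the `priority = 0` assignment is fine, since a static object is zero-initialised. acpi_video_get_backlight_type() starts and ends outside the hunk.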
37778diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
37779index 790e0de..6bae378 100644
37780--- a/drivers/ata/libata-core.c
37781+++ b/drivers/ata/libata-core.c
37782@@ -102,7 +102,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
37783 static void ata_dev_xfermask(struct ata_device *dev);
37784 static unsigned long ata_dev_blacklisted(const struct ata_device *dev);
37785
37786-atomic_t ata_print_id = ATOMIC_INIT(0);
37787+atomic_unchecked_t ata_print_id = ATOMIC_INIT(0);
37788
37789 struct ata_force_param {
37790 const char *name;
37791@@ -4800,7 +4800,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
37792 struct ata_port *ap;
37793 unsigned int tag;
37794
37795- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37796+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37797 ap = qc->ap;
37798
37799 qc->flags = 0;
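Review bot: `BUG_ON(qc == NULL)` in ata_qc_free() turns a condition the adjacent comment describes as possible ("ata_qc_from_tag _might_ return NULL") into a full kernel stop, where the old code only warned; the same change is made in __ata_qc_complete() in the next hunk. Stopping before `ap = qc->ap` does avoid a NULL dereference, but an explicit bail-out keeps the machine up: `if (WARN_ON_ONCE(qc == NULL)) return;`. If halting is the deliberate policy, the comment should say so, e.g. `/* a NULL qc here means corrupted state: stop rather than dereference */`. Both function bodies continue outside the hunks.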
37800@@ -4817,7 +4817,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
37801 struct ata_port *ap;
37802 struct ata_link *link;
37803
37804- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37805+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37806 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
37807 ap = qc->ap;
37808 link = qc->dev->link;
37809@@ -5924,6 +5924,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
37810 return;
37811
37812 spin_lock(&lock);
37813+ pax_open_kernel();
37814
37815 for (cur = ops->inherits; cur; cur = cur->inherits) {
37816 void **inherit = (void **)cur;
37817@@ -5937,8 +5938,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
37818 if (IS_ERR(*pp))
37819 *pp = NULL;
37820
37821- ops->inherits = NULL;
37822+ *(struct ata_port_operations **)&ops->inherits = NULL;
37823
37824+ pax_close_kernel();
37825 spin_unlock(&lock);
37826 }
37827
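Review bot: The store `*(struct ata_port_operations **)&ops->inherits = NULL;` goes through a cast with no comment explaining that the ops table is expected to be read-only and that the pax_open_kernel()/pax_close_kernel() pair added around the loop exists to permit these writes. A comment above the open call, such as `/* ops tables are read-only; open a write window for the inheritance fix-up */`, would make that clear. The `ap->ops->set_piomode` store in pata_arasan_cf.c further down uses the same pattern and would benefit from the same remark. The lines between this hunk and the previous one are not shown, so it is worth confirming that no exit path there leaves the function between the open and the close.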
37828@@ -6134,7 +6136,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
37829
37830 /* give ports names and add SCSI hosts */
37831 for (i = 0; i < host->n_ports; i++) {
37832- host->ports[i]->print_id = atomic_inc_return(&ata_print_id);
37833+ host->ports[i]->print_id = atomic_inc_return_unchecked(&ata_print_id);
37834 host->ports[i]->local_port_no = i + 1;
37835 }
37836
37837diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
37838index 0d7f0da..bc20aa6 100644
37839--- a/drivers/ata/libata-scsi.c
37840+++ b/drivers/ata/libata-scsi.c
37841@@ -4193,7 +4193,7 @@ int ata_sas_port_init(struct ata_port *ap)
37842
37843 if (rc)
37844 return rc;
37845- ap->print_id = atomic_inc_return(&ata_print_id);
37846+ ap->print_id = atomic_inc_return_unchecked(&ata_print_id);
37847 return 0;
37848 }
37849 EXPORT_SYMBOL_GPL(ata_sas_port_init);
37850diff --git a/drivers/ata/libata.h b/drivers/ata/libata.h
37851index f840ca1..edd6ef3 100644
37852--- a/drivers/ata/libata.h
37853+++ b/drivers/ata/libata.h
37854@@ -53,7 +53,7 @@ enum {
37855 ATA_DNXFER_QUIET = (1 << 31),
37856 };
37857
37858-extern atomic_t ata_print_id;
37859+extern atomic_unchecked_t ata_print_id;
37860 extern int atapi_passthru16;
37861 extern int libata_fua;
37862 extern int libata_noacpi;
37863diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c
37864index 5d9ee99..8fa2585 100644
37865--- a/drivers/ata/pata_arasan_cf.c
37866+++ b/drivers/ata/pata_arasan_cf.c
37867@@ -865,7 +865,9 @@ static int arasan_cf_probe(struct platform_device *pdev)
37868 /* Handle platform specific quirks */
37869 if (quirk) {
37870 if (quirk & CF_BROKEN_PIO) {
37871- ap->ops->set_piomode = NULL;
37872+ pax_open_kernel();
37873+ *(void **)&ap->ops->set_piomode = NULL;
37874+ pax_close_kernel();
37875 ap->pio_mask = 0;
37876 }
37877 if (quirk & CF_BROKEN_MWDMA)
37878diff --git a/drivers/atm/adummy.c b/drivers/atm/adummy.c
37879index f9b983a..887b9d8 100644
37880--- a/drivers/atm/adummy.c
37881+++ b/drivers/atm/adummy.c
37882@@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct sk_buff *skb)
37883 vcc->pop(vcc, skb);
37884 else
37885 dev_kfree_skb_any(skb);
37886- atomic_inc(&vcc->stats->tx);
37887+ atomic_inc_unchecked(&vcc->stats->tx);
37888
37889 return 0;
37890 }
37891diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c
37892index f1a9198..f466a4a 100644
37893--- a/drivers/atm/ambassador.c
37894+++ b/drivers/atm/ambassador.c
37895@@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) {
37896 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
37897
37898 // VC layer stats
37899- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
37900+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
37901
37902 // free the descriptor
37903 kfree (tx_descr);
37904@@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) {
37905 dump_skb ("<<<", vc, skb);
37906
37907 // VC layer stats
37908- atomic_inc(&atm_vcc->stats->rx);
37909+ atomic_inc_unchecked(&atm_vcc->stats->rx);
37910 __net_timestamp(skb);
37911 // end of our responsibility
37912 atm_vcc->push (atm_vcc, skb);
37913@@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) {
37914 } else {
37915 PRINTK (KERN_INFO, "dropped over-size frame");
37916 // should we count this?
37917- atomic_inc(&atm_vcc->stats->rx_drop);
37918+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
37919 }
37920
37921 } else {
37922@@ -1338,7 +1338,7 @@ static int amb_send (struct atm_vcc * atm_vcc, struct sk_buff * skb) {
37923 }
37924
37925 if (check_area (skb->data, skb->len)) {
37926- atomic_inc(&atm_vcc->stats->tx_err);
37927+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
37928 return -ENOMEM; // ?
37929 }
37930
37931diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
37932index 480fa6f..947067c 100644
37933--- a/drivers/atm/atmtcp.c
37934+++ b/drivers/atm/atmtcp.c
37935@@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37936 if (vcc->pop) vcc->pop(vcc,skb);
37937 else dev_kfree_skb(skb);
37938 if (dev_data) return 0;
37939- atomic_inc(&vcc->stats->tx_err);
37940+ atomic_inc_unchecked(&vcc->stats->tx_err);
37941 return -ENOLINK;
37942 }
37943 size = skb->len+sizeof(struct atmtcp_hdr);
37944@@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37945 if (!new_skb) {
37946 if (vcc->pop) vcc->pop(vcc,skb);
37947 else dev_kfree_skb(skb);
37948- atomic_inc(&vcc->stats->tx_err);
37949+ atomic_inc_unchecked(&vcc->stats->tx_err);
37950 return -ENOBUFS;
37951 }
37952 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
37953@@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37954 if (vcc->pop) vcc->pop(vcc,skb);
37955 else dev_kfree_skb(skb);
37956 out_vcc->push(out_vcc,new_skb);
37957- atomic_inc(&vcc->stats->tx);
37958- atomic_inc(&out_vcc->stats->rx);
37959+ atomic_inc_unchecked(&vcc->stats->tx);
37960+ atomic_inc_unchecked(&out_vcc->stats->rx);
37961 return 0;
37962 }
37963
37964@@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
37965 read_unlock(&vcc_sklist_lock);
37966 if (!out_vcc) {
37967 result = -EUNATCH;
37968- atomic_inc(&vcc->stats->tx_err);
37969+ atomic_inc_unchecked(&vcc->stats->tx_err);
37970 goto done;
37971 }
37972 skb_pull(skb,sizeof(struct atmtcp_hdr));
37973@@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
37974 __net_timestamp(new_skb);
37975 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
37976 out_vcc->push(out_vcc,new_skb);
37977- atomic_inc(&vcc->stats->tx);
37978- atomic_inc(&out_vcc->stats->rx);
37979+ atomic_inc_unchecked(&vcc->stats->tx);
37980+ atomic_inc_unchecked(&out_vcc->stats->rx);
37981 done:
37982 if (vcc->pop) vcc->pop(vcc,skb);
37983 else dev_kfree_skb(skb);
37984diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
37985index 6339efd..2b441d5 100644
37986--- a/drivers/atm/eni.c
37987+++ b/drivers/atm/eni.c
37988@@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
37989 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
37990 vcc->dev->number);
37991 length = 0;
37992- atomic_inc(&vcc->stats->rx_err);
37993+ atomic_inc_unchecked(&vcc->stats->rx_err);
37994 }
37995 else {
37996 length = ATM_CELL_SIZE-1; /* no HEC */
37997@@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
37998 size);
37999 }
38000 eff = length = 0;
38001- atomic_inc(&vcc->stats->rx_err);
38002+ atomic_inc_unchecked(&vcc->stats->rx_err);
38003 }
38004 else {
38005 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
38006@@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
38007 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
38008 vcc->dev->number,vcc->vci,length,size << 2,descr);
38009 length = eff = 0;
38010- atomic_inc(&vcc->stats->rx_err);
38011+ atomic_inc_unchecked(&vcc->stats->rx_err);
38012 }
38013 }
38014 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
38015@@ -770,7 +770,7 @@ rx_dequeued++;
38016 vcc->push(vcc,skb);
38017 pushed++;
38018 }
38019- atomic_inc(&vcc->stats->rx);
38020+ atomic_inc_unchecked(&vcc->stats->rx);
38021 }
38022 wake_up(&eni_dev->rx_wait);
38023 }
38024@@ -1230,7 +1230,7 @@ static void dequeue_tx(struct atm_dev *dev)
38025 DMA_TO_DEVICE);
38026 if (vcc->pop) vcc->pop(vcc,skb);
38027 else dev_kfree_skb_irq(skb);
38028- atomic_inc(&vcc->stats->tx);
38029+ atomic_inc_unchecked(&vcc->stats->tx);
38030 wake_up(&eni_dev->tx_wait);
38031 dma_complete++;
38032 }
38033diff --git a/drivers/atm/firestream.c b/drivers/atm/firestream.c
38034index 82f2ae0..f205c02 100644
38035--- a/drivers/atm/firestream.c
38036+++ b/drivers/atm/firestream.c
38037@@ -749,7 +749,7 @@ static void process_txdone_queue (struct fs_dev *dev, struct queue *q)
38038 }
38039 }
38040
38041- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
38042+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
38043
38044 fs_dprintk (FS_DEBUG_TXMEM, "i");
38045 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
38046@@ -816,7 +816,7 @@ static void process_incoming (struct fs_dev *dev, struct queue *q)
38047 #endif
38048 skb_put (skb, qe->p1 & 0xffff);
38049 ATM_SKB(skb)->vcc = atm_vcc;
38050- atomic_inc(&atm_vcc->stats->rx);
38051+ atomic_inc_unchecked(&atm_vcc->stats->rx);
38052 __net_timestamp(skb);
38053 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
38054 atm_vcc->push (atm_vcc, skb);
38055@@ -837,12 +837,12 @@ static void process_incoming (struct fs_dev *dev, struct queue *q)
38056 kfree (pe);
38057 }
38058 if (atm_vcc)
38059- atomic_inc(&atm_vcc->stats->rx_drop);
38060+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
38061 break;
38062 case 0x1f: /* Reassembly abort: no buffers. */
38063 /* Silently increment error counter. */
38064 if (atm_vcc)
38065- atomic_inc(&atm_vcc->stats->rx_drop);
38066+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
38067 break;
38068 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
38069 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
38070diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c
38071index 75dde90..4309ead 100644
38072--- a/drivers/atm/fore200e.c
38073+++ b/drivers/atm/fore200e.c
38074@@ -932,9 +932,9 @@ fore200e_tx_irq(struct fore200e* fore200e)
38075 #endif
38076 /* check error condition */
38077 if (*entry->status & STATUS_ERROR)
38078- atomic_inc(&vcc->stats->tx_err);
38079+ atomic_inc_unchecked(&vcc->stats->tx_err);
38080 else
38081- atomic_inc(&vcc->stats->tx);
38082+ atomic_inc_unchecked(&vcc->stats->tx);
38083 }
38084 }
38085
38086@@ -1083,7 +1083,7 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp
38087 if (skb == NULL) {
38088 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
38089
38090- atomic_inc(&vcc->stats->rx_drop);
38091+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38092 return -ENOMEM;
38093 }
38094
38095@@ -1126,14 +1126,14 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp
38096
38097 dev_kfree_skb_any(skb);
38098
38099- atomic_inc(&vcc->stats->rx_drop);
38100+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38101 return -ENOMEM;
38102 }
38103
38104 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
38105
38106 vcc->push(vcc, skb);
38107- atomic_inc(&vcc->stats->rx);
38108+ atomic_inc_unchecked(&vcc->stats->rx);
38109
38110 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
38111
38112@@ -1211,7 +1211,7 @@ fore200e_rx_irq(struct fore200e* fore200e)
38113 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
38114 fore200e->atm_dev->number,
38115 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
38116- atomic_inc(&vcc->stats->rx_err);
38117+ atomic_inc_unchecked(&vcc->stats->rx_err);
38118 }
38119 }
38120
38121@@ -1656,7 +1656,7 @@ fore200e_send(struct atm_vcc *vcc, struct sk_buff *skb)
38122 goto retry_here;
38123 }
38124
38125- atomic_inc(&vcc->stats->tx_err);
38126+ atomic_inc_unchecked(&vcc->stats->tx_err);
38127
38128 fore200e->tx_sat++;
38129 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
38130diff --git a/drivers/atm/he.c b/drivers/atm/he.c
38131index a8da3a5..67cf6c2 100644
38132--- a/drivers/atm/he.c
38133+++ b/drivers/atm/he.c
38134@@ -1692,7 +1692,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
38135
38136 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
38137 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
38138- atomic_inc(&vcc->stats->rx_drop);
38139+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38140 goto return_host_buffers;
38141 }
38142
38143@@ -1719,7 +1719,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
38144 RBRQ_LEN_ERR(he_dev->rbrq_head)
38145 ? "LEN_ERR" : "",
38146 vcc->vpi, vcc->vci);
38147- atomic_inc(&vcc->stats->rx_err);
38148+ atomic_inc_unchecked(&vcc->stats->rx_err);
38149 goto return_host_buffers;
38150 }
38151
38152@@ -1771,7 +1771,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
38153 vcc->push(vcc, skb);
38154 spin_lock(&he_dev->global_lock);
38155
38156- atomic_inc(&vcc->stats->rx);
38157+ atomic_inc_unchecked(&vcc->stats->rx);
38158
38159 return_host_buffers:
38160 ++pdus_assembled;
38161@@ -2097,7 +2097,7 @@ __enqueue_tpd(struct he_dev *he_dev, struct he_tpd *tpd, unsigned cid)
38162 tpd->vcc->pop(tpd->vcc, tpd->skb);
38163 else
38164 dev_kfree_skb_any(tpd->skb);
38165- atomic_inc(&tpd->vcc->stats->tx_err);
38166+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
38167 }
38168 dma_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
38169 return;
38170@@ -2509,7 +2509,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38171 vcc->pop(vcc, skb);
38172 else
38173 dev_kfree_skb_any(skb);
38174- atomic_inc(&vcc->stats->tx_err);
38175+ atomic_inc_unchecked(&vcc->stats->tx_err);
38176 return -EINVAL;
38177 }
38178
38179@@ -2520,7 +2520,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38180 vcc->pop(vcc, skb);
38181 else
38182 dev_kfree_skb_any(skb);
38183- atomic_inc(&vcc->stats->tx_err);
38184+ atomic_inc_unchecked(&vcc->stats->tx_err);
38185 return -EINVAL;
38186 }
38187 #endif
38188@@ -2532,7 +2532,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38189 vcc->pop(vcc, skb);
38190 else
38191 dev_kfree_skb_any(skb);
38192- atomic_inc(&vcc->stats->tx_err);
38193+ atomic_inc_unchecked(&vcc->stats->tx_err);
38194 spin_unlock_irqrestore(&he_dev->global_lock, flags);
38195 return -ENOMEM;
38196 }
38197@@ -2574,7 +2574,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38198 vcc->pop(vcc, skb);
38199 else
38200 dev_kfree_skb_any(skb);
38201- atomic_inc(&vcc->stats->tx_err);
38202+ atomic_inc_unchecked(&vcc->stats->tx_err);
38203 spin_unlock_irqrestore(&he_dev->global_lock, flags);
38204 return -ENOMEM;
38205 }
38206@@ -2605,7 +2605,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38207 __enqueue_tpd(he_dev, tpd, cid);
38208 spin_unlock_irqrestore(&he_dev->global_lock, flags);
38209
38210- atomic_inc(&vcc->stats->tx);
38211+ atomic_inc_unchecked(&vcc->stats->tx);
38212
38213 return 0;
38214 }
38215diff --git a/drivers/atm/horizon.c b/drivers/atm/horizon.c
38216index 527bbd5..96570c8 100644
38217--- a/drivers/atm/horizon.c
38218+++ b/drivers/atm/horizon.c
38219@@ -1018,7 +1018,7 @@ static void rx_schedule (hrz_dev * dev, int irq) {
38220 {
38221 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
38222 // VC layer stats
38223- atomic_inc(&vcc->stats->rx);
38224+ atomic_inc_unchecked(&vcc->stats->rx);
38225 __net_timestamp(skb);
38226 // end of our responsibility
38227 vcc->push (vcc, skb);
38228@@ -1170,7 +1170,7 @@ static void tx_schedule (hrz_dev * const dev, int irq) {
38229 dev->tx_iovec = NULL;
38230
38231 // VC layer stats
38232- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
38233+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
38234
38235 // free the skb
38236 hrz_kfree_skb (skb);
38237diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
38238index 074616b..d6b3d5f 100644
38239--- a/drivers/atm/idt77252.c
38240+++ b/drivers/atm/idt77252.c
38241@@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc)
38242 else
38243 dev_kfree_skb(skb);
38244
38245- atomic_inc(&vcc->stats->tx);
38246+ atomic_inc_unchecked(&vcc->stats->tx);
38247 }
38248
38249 atomic_dec(&scq->used);
38250@@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38251 if ((sb = dev_alloc_skb(64)) == NULL) {
38252 printk("%s: Can't allocate buffers for aal0.\n",
38253 card->name);
38254- atomic_add(i, &vcc->stats->rx_drop);
38255+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
38256 break;
38257 }
38258 if (!atm_charge(vcc, sb->truesize)) {
38259 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
38260 card->name);
38261- atomic_add(i - 1, &vcc->stats->rx_drop);
38262+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
38263 dev_kfree_skb(sb);
38264 break;
38265 }
38266@@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38267 ATM_SKB(sb)->vcc = vcc;
38268 __net_timestamp(sb);
38269 vcc->push(vcc, sb);
38270- atomic_inc(&vcc->stats->rx);
38271+ atomic_inc_unchecked(&vcc->stats->rx);
38272
38273 cell += ATM_CELL_PAYLOAD;
38274 }
38275@@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38276 "(CDC: %08x)\n",
38277 card->name, len, rpp->len, readl(SAR_REG_CDC));
38278 recycle_rx_pool_skb(card, rpp);
38279- atomic_inc(&vcc->stats->rx_err);
38280+ atomic_inc_unchecked(&vcc->stats->rx_err);
38281 return;
38282 }
38283 if (stat & SAR_RSQE_CRC) {
38284 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
38285 recycle_rx_pool_skb(card, rpp);
38286- atomic_inc(&vcc->stats->rx_err);
38287+ atomic_inc_unchecked(&vcc->stats->rx_err);
38288 return;
38289 }
38290 if (skb_queue_len(&rpp->queue) > 1) {
38291@@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38292 RXPRINTK("%s: Can't alloc RX skb.\n",
38293 card->name);
38294 recycle_rx_pool_skb(card, rpp);
38295- atomic_inc(&vcc->stats->rx_err);
38296+ atomic_inc_unchecked(&vcc->stats->rx_err);
38297 return;
38298 }
38299 if (!atm_charge(vcc, skb->truesize)) {
38300@@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38301 __net_timestamp(skb);
38302
38303 vcc->push(vcc, skb);
38304- atomic_inc(&vcc->stats->rx);
38305+ atomic_inc_unchecked(&vcc->stats->rx);
38306
38307 return;
38308 }
38309@@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38310 __net_timestamp(skb);
38311
38312 vcc->push(vcc, skb);
38313- atomic_inc(&vcc->stats->rx);
38314+ atomic_inc_unchecked(&vcc->stats->rx);
38315
38316 if (skb->truesize > SAR_FB_SIZE_3)
38317 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
38318@@ -1302,14 +1302,14 @@ idt77252_rx_raw(struct idt77252_dev *card)
38319 if (vcc->qos.aal != ATM_AAL0) {
38320 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
38321 card->name, vpi, vci);
38322- atomic_inc(&vcc->stats->rx_drop);
38323+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38324 goto drop;
38325 }
38326
38327 if ((sb = dev_alloc_skb(64)) == NULL) {
38328 printk("%s: Can't allocate buffers for AAL0.\n",
38329 card->name);
38330- atomic_inc(&vcc->stats->rx_err);
38331+ atomic_inc_unchecked(&vcc->stats->rx_err);
38332 goto drop;
38333 }
38334
38335@@ -1328,7 +1328,7 @@ idt77252_rx_raw(struct idt77252_dev *card)
38336 ATM_SKB(sb)->vcc = vcc;
38337 __net_timestamp(sb);
38338 vcc->push(vcc, sb);
38339- atomic_inc(&vcc->stats->rx);
38340+ atomic_inc_unchecked(&vcc->stats->rx);
38341
38342 drop:
38343 skb_pull(queue, 64);
38344@@ -1953,13 +1953,13 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
38345
38346 if (vc == NULL) {
38347 printk("%s: NULL connection in send().\n", card->name);
38348- atomic_inc(&vcc->stats->tx_err);
38349+ atomic_inc_unchecked(&vcc->stats->tx_err);
38350 dev_kfree_skb(skb);
38351 return -EINVAL;
38352 }
38353 if (!test_bit(VCF_TX, &vc->flags)) {
38354 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
38355- atomic_inc(&vcc->stats->tx_err);
38356+ atomic_inc_unchecked(&vcc->stats->tx_err);
38357 dev_kfree_skb(skb);
38358 return -EINVAL;
38359 }
38360@@ -1971,14 +1971,14 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
38361 break;
38362 default:
38363 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
38364- atomic_inc(&vcc->stats->tx_err);
38365+ atomic_inc_unchecked(&vcc->stats->tx_err);
38366 dev_kfree_skb(skb);
38367 return -EINVAL;
38368 }
38369
38370 if (skb_shinfo(skb)->nr_frags != 0) {
38371 printk("%s: No scatter-gather yet.\n", card->name);
38372- atomic_inc(&vcc->stats->tx_err);
38373+ atomic_inc_unchecked(&vcc->stats->tx_err);
38374 dev_kfree_skb(skb);
38375 return -EINVAL;
38376 }
38377@@ -1986,7 +1986,7 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
38378
38379 err = queue_skb(card, vc, skb, oam);
38380 if (err) {
38381- atomic_inc(&vcc->stats->tx_err);
38382+ atomic_inc_unchecked(&vcc->stats->tx_err);
38383 dev_kfree_skb(skb);
38384 return err;
38385 }
38386@@ -2009,7 +2009,7 @@ idt77252_send_oam(struct atm_vcc *vcc, void *cell, int flags)
38387 skb = dev_alloc_skb(64);
38388 if (!skb) {
38389 printk("%s: Out of memory in send_oam().\n", card->name);
38390- atomic_inc(&vcc->stats->tx_err);
38391+ atomic_inc_unchecked(&vcc->stats->tx_err);
38392 return -ENOMEM;
38393 }
38394 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
38395diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
38396index 65e6590..df77d04 100644
38397--- a/drivers/atm/iphase.c
38398+++ b/drivers/atm/iphase.c
38399@@ -1145,7 +1145,7 @@ static int rx_pkt(struct atm_dev *dev)
38400 status = (u_short) (buf_desc_ptr->desc_mode);
38401 if (status & (RX_CER | RX_PTE | RX_OFL))
38402 {
38403- atomic_inc(&vcc->stats->rx_err);
38404+ atomic_inc_unchecked(&vcc->stats->rx_err);
38405 IF_ERR(printk("IA: bad packet, dropping it");)
38406 if (status & RX_CER) {
38407 IF_ERR(printk(" cause: packet CRC error\n");)
38408@@ -1168,7 +1168,7 @@ static int rx_pkt(struct atm_dev *dev)
38409 len = dma_addr - buf_addr;
38410 if (len > iadev->rx_buf_sz) {
38411 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
38412- atomic_inc(&vcc->stats->rx_err);
38413+ atomic_inc_unchecked(&vcc->stats->rx_err);
38414 goto out_free_desc;
38415 }
38416
38417@@ -1318,7 +1318,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38418 ia_vcc = INPH_IA_VCC(vcc);
38419 if (ia_vcc == NULL)
38420 {
38421- atomic_inc(&vcc->stats->rx_err);
38422+ atomic_inc_unchecked(&vcc->stats->rx_err);
38423 atm_return(vcc, skb->truesize);
38424 dev_kfree_skb_any(skb);
38425 goto INCR_DLE;
38426@@ -1330,7 +1330,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38427 if ((length > iadev->rx_buf_sz) || (length >
38428 (skb->len - sizeof(struct cpcs_trailer))))
38429 {
38430- atomic_inc(&vcc->stats->rx_err);
38431+ atomic_inc_unchecked(&vcc->stats->rx_err);
38432 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
38433 length, skb->len);)
38434 atm_return(vcc, skb->truesize);
38435@@ -1346,7 +1346,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38436
38437 IF_RX(printk("rx_dle_intr: skb push");)
38438 vcc->push(vcc,skb);
38439- atomic_inc(&vcc->stats->rx);
38440+ atomic_inc_unchecked(&vcc->stats->rx);
38441 iadev->rx_pkt_cnt++;
38442 }
38443 INCR_DLE:
38444@@ -2828,15 +2828,15 @@ static int ia_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg)
38445 {
38446 struct k_sonet_stats *stats;
38447 stats = &PRIV(_ia_dev[board])->sonet_stats;
38448- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
38449- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
38450- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
38451- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
38452- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
38453- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
38454- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
38455- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
38456- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
38457+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
38458+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
38459+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
38460+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
38461+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
38462+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
38463+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
38464+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
38465+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
38466 }
38467 ia_cmds.status = 0;
38468 break;
38469@@ -2941,7 +2941,7 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) {
38470 if ((desc == 0) || (desc > iadev->num_tx_desc))
38471 {
38472 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
38473- atomic_inc(&vcc->stats->tx);
38474+ atomic_inc_unchecked(&vcc->stats->tx);
38475 if (vcc->pop)
38476 vcc->pop(vcc, skb);
38477 else
38478@@ -3046,14 +3046,14 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) {
38479 ATM_DESC(skb) = vcc->vci;
38480 skb_queue_tail(&iadev->tx_dma_q, skb);
38481
38482- atomic_inc(&vcc->stats->tx);
38483+ atomic_inc_unchecked(&vcc->stats->tx);
38484 iadev->tx_pkt_cnt++;
38485 /* Increment transaction counter */
38486 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
38487
38488 #if 0
38489 /* add flow control logic */
38490- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
38491+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
38492 if (iavcc->vc_desc_cnt > 10) {
38493 vcc->tx_quota = vcc->tx_quota * 3 / 4;
38494 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
38495diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c
38496index ce43ae3..969de38 100644
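--- a/drivers/atm/lanai.c
+++ b/drivers/atm/lanai.c
@@ -1295,7 +1295,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai,
 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
 lanai_endtx(lanai, lvcc);
 lanai_free_skb(lvcc->tx.atmvcc, skb);
- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
 }
 
 /* Try to fill the buffer - don't call unless there is backlog */
@@ -1418,7 +1418,7 @@ static void vcc_rx_aal5(struct lanai_vcc *lvcc, int endptr)
 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
 __net_timestamp(skb);
 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
 out:
 lvcc->rx.buf.ptr = end;
 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
@@ -1659,7 +1659,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
 "vcc %d\n", lanai->number, (unsigned int) s, vci);
 lanai->stats.service_rxnotaal5++;
- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
 return 0;
 }
 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
@@ -1671,7 +1671,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
 int bytes;
 read_unlock(&vcc_sklist_lock);
 DPRINTK("got trashed rx pdu on vci %d\n", vci);
- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
 lvcc->stats.x.aal5.service_trash++;
 bytes = (SERVICE_GET_END(s) * 16) -
 (((unsigned long) lvcc->rx.buf.ptr) -
@@ -1683,7 +1683,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
 }
 if (s & SERVICE_STREAM) {
 read_unlock(&vcc_sklist_lock);
- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
 lvcc->stats.x.aal5.service_stream++;
 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
 "PDU on VCI %d!\n", lanai->number, vci);
@@ -1691,7 +1691,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
 return 0;
 }
 DPRINTK("got rx crc error on vci %d\n", vci);
- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
 lvcc->stats.x.aal5.service_rxcrc++;
 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);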
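Review bot: Nothing in these hunks shows the declared type of `stats->tx`, `stats->rx` and `stats->rx_err` changing, so the `_unchecked` calls only type-check if the per-VCC statistics fields are converted to `atomic_unchecked_t` elsewhere in the patch; that should be confirmed for this file and for the same conversion in nicstar.c, solos-pci.c and zatm.c. Opting a counter out of overflow detection is safe only while it stays pure statistics. Presumably none of these values is used as a reference count or to size a buffer, and a comment at the field declaration, e.g. `/* statistics only, may wrap */`, would record that assumption for later readers.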
38553diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
38554index ddc4ceb..36e29aa 100644
38555--- a/drivers/atm/nicstar.c
38556+++ b/drivers/atm/nicstar.c
38557@@ -1632,7 +1632,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38558 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
38559 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
38560 card->index);
38561- atomic_inc(&vcc->stats->tx_err);
38562+ atomic_inc_unchecked(&vcc->stats->tx_err);
38563 dev_kfree_skb_any(skb);
38564 return -EINVAL;
38565 }
38566@@ -1640,7 +1640,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38567 if (!vc->tx) {
38568 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
38569 card->index);
38570- atomic_inc(&vcc->stats->tx_err);
38571+ atomic_inc_unchecked(&vcc->stats->tx_err);
38572 dev_kfree_skb_any(skb);
38573 return -EINVAL;
38574 }
38575@@ -1648,14 +1648,14 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38576 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
38577 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
38578 card->index);
38579- atomic_inc(&vcc->stats->tx_err);
38580+ atomic_inc_unchecked(&vcc->stats->tx_err);
38581 dev_kfree_skb_any(skb);
38582 return -EINVAL;
38583 }
38584
38585 if (skb_shinfo(skb)->nr_frags != 0) {
38586 printk("nicstar%d: No scatter-gather yet.\n", card->index);
38587- atomic_inc(&vcc->stats->tx_err);
38588+ atomic_inc_unchecked(&vcc->stats->tx_err);
38589 dev_kfree_skb_any(skb);
38590 return -EINVAL;
38591 }
38592@@ -1703,11 +1703,11 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38593 }
38594
38595 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
38596- atomic_inc(&vcc->stats->tx_err);
38597+ atomic_inc_unchecked(&vcc->stats->tx_err);
38598 dev_kfree_skb_any(skb);
38599 return -EIO;
38600 }
38601- atomic_inc(&vcc->stats->tx);
38602+ atomic_inc_unchecked(&vcc->stats->tx);
38603
38604 return 0;
38605 }
38606@@ -2024,14 +2024,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38607 printk
38608 ("nicstar%d: Can't allocate buffers for aal0.\n",
38609 card->index);
38610- atomic_add(i, &vcc->stats->rx_drop);
38611+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
38612 break;
38613 }
38614 if (!atm_charge(vcc, sb->truesize)) {
38615 RXPRINTK
38616 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
38617 card->index);
38618- atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
38619+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
38620 dev_kfree_skb_any(sb);
38621 break;
38622 }
38623@@ -2046,7 +2046,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38624 ATM_SKB(sb)->vcc = vcc;
38625 __net_timestamp(sb);
38626 vcc->push(vcc, sb);
38627- atomic_inc(&vcc->stats->rx);
38628+ atomic_inc_unchecked(&vcc->stats->rx);
38629 cell += ATM_CELL_PAYLOAD;
38630 }
38631
38632@@ -2063,7 +2063,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38633 if (iovb == NULL) {
38634 printk("nicstar%d: Out of iovec buffers.\n",
38635 card->index);
38636- atomic_inc(&vcc->stats->rx_drop);
38637+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38638 recycle_rx_buf(card, skb);
38639 return;
38640 }
38641@@ -2087,7 +2087,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38642 small or large buffer itself. */
38643 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
38644 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
38645- atomic_inc(&vcc->stats->rx_err);
38646+ atomic_inc_unchecked(&vcc->stats->rx_err);
38647 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38648 NS_MAX_IOVECS);
38649 NS_PRV_IOVCNT(iovb) = 0;
38650@@ -2107,7 +2107,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38651 ("nicstar%d: Expected a small buffer, and this is not one.\n",
38652 card->index);
38653 which_list(card, skb);
38654- atomic_inc(&vcc->stats->rx_err);
38655+ atomic_inc_unchecked(&vcc->stats->rx_err);
38656 recycle_rx_buf(card, skb);
38657 vc->rx_iov = NULL;
38658 recycle_iov_buf(card, iovb);
38659@@ -2120,7 +2120,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38660 ("nicstar%d: Expected a large buffer, and this is not one.\n",
38661 card->index);
38662 which_list(card, skb);
38663- atomic_inc(&vcc->stats->rx_err);
38664+ atomic_inc_unchecked(&vcc->stats->rx_err);
38665 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38666 NS_PRV_IOVCNT(iovb));
38667 vc->rx_iov = NULL;
38668@@ -2143,7 +2143,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38669 printk(" - PDU size mismatch.\n");
38670 else
38671 printk(".\n");
38672- atomic_inc(&vcc->stats->rx_err);
38673+ atomic_inc_unchecked(&vcc->stats->rx_err);
38674 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38675 NS_PRV_IOVCNT(iovb));
38676 vc->rx_iov = NULL;
38677@@ -2157,14 +2157,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38678 /* skb points to a small buffer */
38679 if (!atm_charge(vcc, skb->truesize)) {
38680 push_rxbufs(card, skb);
38681- atomic_inc(&vcc->stats->rx_drop);
38682+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38683 } else {
38684 skb_put(skb, len);
38685 dequeue_sm_buf(card, skb);
38686 ATM_SKB(skb)->vcc = vcc;
38687 __net_timestamp(skb);
38688 vcc->push(vcc, skb);
38689- atomic_inc(&vcc->stats->rx);
38690+ atomic_inc_unchecked(&vcc->stats->rx);
38691 }
38692 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
38693 struct sk_buff *sb;
38694@@ -2175,14 +2175,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38695 if (len <= NS_SMBUFSIZE) {
38696 if (!atm_charge(vcc, sb->truesize)) {
38697 push_rxbufs(card, sb);
38698- atomic_inc(&vcc->stats->rx_drop);
38699+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38700 } else {
38701 skb_put(sb, len);
38702 dequeue_sm_buf(card, sb);
38703 ATM_SKB(sb)->vcc = vcc;
38704 __net_timestamp(sb);
38705 vcc->push(vcc, sb);
38706- atomic_inc(&vcc->stats->rx);
38707+ atomic_inc_unchecked(&vcc->stats->rx);
38708 }
38709
38710 push_rxbufs(card, skb);
38711@@ -2191,7 +2191,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38712
38713 if (!atm_charge(vcc, skb->truesize)) {
38714 push_rxbufs(card, skb);
38715- atomic_inc(&vcc->stats->rx_drop);
38716+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38717 } else {
38718 dequeue_lg_buf(card, skb);
38719 skb_push(skb, NS_SMBUFSIZE);
38720@@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38721 ATM_SKB(skb)->vcc = vcc;
38722 __net_timestamp(skb);
38723 vcc->push(vcc, skb);
38724- atomic_inc(&vcc->stats->rx);
38725+ atomic_inc_unchecked(&vcc->stats->rx);
38726 }
38727
38728 push_rxbufs(card, sb);
38729@@ -2222,7 +2222,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38730 printk
38731 ("nicstar%d: Out of huge buffers.\n",
38732 card->index);
38733- atomic_inc(&vcc->stats->rx_drop);
38734+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38735 recycle_iovec_rx_bufs(card,
38736 (struct iovec *)
38737 iovb->data,
38738@@ -2273,7 +2273,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38739 card->hbpool.count++;
38740 } else
38741 dev_kfree_skb_any(hb);
38742- atomic_inc(&vcc->stats->rx_drop);
38743+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38744 } else {
38745 /* Copy the small buffer to the huge buffer */
38746 sb = (struct sk_buff *)iov->iov_base;
38747@@ -2307,7 +2307,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38748 ATM_SKB(hb)->vcc = vcc;
38749 __net_timestamp(hb);
38750 vcc->push(vcc, hb);
38751- atomic_inc(&vcc->stats->rx);
38752+ atomic_inc_unchecked(&vcc->stats->rx);
38753 }
38754 }
38755
38756diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c
38757index 74e18b0..f16afa0 100644
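--- a/drivers/atm/solos-pci.c
+++ b/drivers/atm/solos-pci.c
@@ -838,7 +838,7 @@ static void solos_bh(unsigned long card_arg)
 }
 atm_charge(vcc, skb->truesize);
 vcc->push(vcc, skb);
- atomic_inc(&vcc->stats->rx);
+ atomic_inc_unchecked(&vcc->stats->rx);
 break;
 
 case PKT_STATUS:
@@ -1116,7 +1116,7 @@ static uint32_t fpga_tx(struct solos_card *card)
 vcc = SKB_CB(oldskb)->vcc;
 
 if (vcc) {
- atomic_inc(&vcc->stats->tx);
+ atomic_inc_unchecked(&vcc->stats->tx);
 solos_pop(vcc, oldskb);
 } else {
 dev_kfree_skb_irq(oldskb);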
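Review bot: In the `solos_bh` hunk the result of `atm_charge(vcc, skb->truesize)` is ignored, so the skb is pushed and counted in `stats->rx` regardless, whereas nicstar.c in this same patch treats a zero return as a drop. If atm_charge() can refuse the buffer on this path, receive-buffer accounting is bypassed. A guard such as `if (!atm_charge(vcc, skb->truesize)) { dev_kfree_skb_any(skb); break; }` would close that. The enclosing switch case starts outside the hunk, so the exact cleanup needs checking against the full function.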
38778diff --git a/drivers/atm/suni.c b/drivers/atm/suni.c
38779index 0215934..ce9f5b1 100644
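--- a/drivers/atm/suni.c
+++ b/drivers/atm/suni.c
@@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
 
 
 #define ADD_LIMITED(s,v) \
- atomic_add((v),&stats->s); \
- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
+ atomic_add_unchecked((v),&stats->s); \
+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
 
 
 static void suni_hz(unsigned long from_timer)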
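Review bot: `ADD_LIMITED` expands to two bare statements, so as the body of an unbraced `if` or loop only the add would be conditional; wrapping the expansion in `do { ... } while (0)` removes that hazard. The saturation depends on the counter wrapping negative before it is clamped to `INT_MAX`, which is why the unchecked variants are needed here, and the add/read/set sequence is not atomic as a whole. A comment such as `/* saturating add: relies on wrap to negative, must stay unchecked */` would keep a later cleanup from undoing it. uPD98402.c carries the same macro as a brace block, which has a similar problem in front of an `else`.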
38793diff --git a/drivers/atm/uPD98402.c b/drivers/atm/uPD98402.c
38794index 5120a96..e2572bd 100644
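--- a/drivers/atm/uPD98402.c
+++ b/drivers/atm/uPD98402.c
@@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *dev,struct sonet_stats __user *arg,int ze
 struct sonet_stats tmp;
 int error = 0;
 
- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
 if (zero && !error) {
@@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg)
 
 
 #define ADD_LIMITED(s,v) \
- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
 
 
 static void stat_event(struct atm_dev *dev)
@@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev *dev)
 if (reason & uPD98402_INT_PFM) stat_event(dev);
 if (reason & uPD98402_INT_PCO) {
 (void) GET(PCOCR); /* clear interrupt cause */
- atomic_add(GET(HECCT),
+ atomic_add_unchecked(GET(HECCT),
 &PRIV(dev)->sonet_stats.uncorr_hcs);
 }
 if ((reason & uPD98402_INT_RFO) &&
@@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev *dev)
 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
 uPD98402_INT_LOS),PIMR); /* enable them */
 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
 return 0;
 }
 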
38841diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
38842index cecfb94..87009ec 100644
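--- a/drivers/atm/zatm.c
+++ b/drivers/atm/zatm.c
@@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]);
 }
 if (!size) {
 dev_kfree_skb_irq(skb);
- if (vcc) atomic_inc(&vcc->stats->rx_err);
+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
 continue;
 }
 if (!atm_charge(vcc,skb->truesize)) {
@@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]);
 skb->len = size;
 ATM_SKB(skb)->vcc = vcc;
 vcc->push(vcc,skb);
- atomic_inc(&vcc->stats->rx);
+ atomic_inc_unchecked(&vcc->stats->rx);
 }
 zout(pos & 0xffff,MTA(mbx));
 #if 0 /* probably a stupid idea */
@@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD_V | uPD98401_TXPD_DP |
 skb_queue_head(&zatm_vcc->backlog,skb);
 break;
 }
- atomic_inc(&vcc->stats->tx);
+ atomic_inc_unchecked(&vcc->stats->tx);
 wake_up(&zatm_vcc->tx_wait);
 }
 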
38872diff --git a/drivers/base/bus.c b/drivers/base/bus.c
38873index 5005924..9fc06c4 100644
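--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -1141,7 +1141,7 @@ int subsys_interface_register(struct subsys_interface *sif)
 return -EINVAL;
 
 mutex_lock(&subsys->p->mutex);
- list_add_tail(&sif->node, &subsys->p->interfaces);
+ pax_list_add_tail((struct list_head *)&sif->node, &subsys->p->interfaces);
 if (sif->add_dev) {
 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
 while ((dev = subsys_dev_iter_next(&iter)))
@@ -1166,7 +1166,7 @@ void subsys_interface_unregister(struct subsys_interface *sif)
 subsys = sif->subsys;
 
 mutex_lock(&subsys->p->mutex);
- list_del_init(&sif->node);
+ pax_list_del_init((struct list_head *)&sif->node);
 if (sif->remove_dev) {
 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
 while ((dev = subsys_dev_iter_next(&iter)))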
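Review bot: The `(struct list_head *)` casts on `&sif->node` in both hunks discard whatever qualifier the node carries and give no reason for doing so. Presumably `struct subsys_interface` is treated as read-only and `pax_list_add_tail()` / `pax_list_del_init()` perform the write safely, but neither is visible here. A comment at each call, e.g. `/* sif may live in read-only memory; pax_list_* performs the write */`, would stop the cast being read as a mistake or copied onto objects that are not meant to be written. The same applies to the `&ops->node` casts in syscore.c. Both functions continue outside the hunks.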
38894diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
38895index 68f0314..ca2a609 100644
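--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
@@ -354,7 +354,7 @@ int devtmpfs_mount(const char *mntdir)
 if (!thread)
 return 0;
 
- err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
+ err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
 if (err)
 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
 else
@@ -380,11 +380,11 @@ static int devtmpfsd(void *p)
 *err = sys_unshare(CLONE_NEWNS);
 if (*err)
 goto out;
- *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options);
+ *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options);
 if (*err)
 goto out;
- sys_chdir("/.."); /* will traverse into overmounted root */
- sys_chroot(".");
+ sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */
+ sys_chroot((char __force_user *)".");
 complete(&setup_done);
 while (1) {
 spin_lock(&req_lock);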
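Review bot: Every string handed to `sys_mount()`, `sys_chdir()` and `sys_chroot()` in these hunks is a kernel address relabelled with `__force_user`. That silences the address-space annotation, but the calls stay correct only if the thread runs with a kernel address limit, and nothing in the hunks establishes that. A comment above the first call in each function, e.g. `/* kernel pointers: valid only while running with KERNEL_DS */`, would document the precondition once it is confirmed. The two `sys_mount()` lines are also much longer than the rest of the file and would read better with one argument per line.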
38922diff --git a/drivers/base/node.c b/drivers/base/node.c
38923index 560751b..3a4847a 100644
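--- a/drivers/base/node.c
+++ b/drivers/base/node.c
@@ -627,7 +627,7 @@ static ssize_t print_nodes_state(enum node_states state, char *buf)
 struct node_attr {
 struct device_attribute attr;
 enum node_states state;
-};
+} __do_const;
 
 static ssize_t show_node_state(struct device *dev,
 struct device_attribute *attr, char *buf)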
38935diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
38936index 0ee43c1..369dd62 100644
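--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -1738,7 +1738,7 @@ int pm_genpd_attach_cpuidle(struct generic_pm_domain *genpd, int state)
 {
 struct cpuidle_driver *cpuidle_drv;
 struct gpd_cpuidle_data *cpuidle_data;
- struct cpuidle_state *idle_state;
+ cpuidle_state_no_const *idle_state;
 int ret = 0;
 
 if (IS_ERR_OR_NULL(genpd) || state < 0)
@@ -1806,7 +1806,7 @@ int pm_genpd_name_attach_cpuidle(const char *name, int state)
 int pm_genpd_detach_cpuidle(struct generic_pm_domain *genpd)
 {
 struct gpd_cpuidle_data *cpuidle_data;
- struct cpuidle_state *idle_state;
+ cpuidle_state_no_const *idle_state;
 int ret = 0;
 
 if (IS_ERR_OR_NULL(genpd))
@@ -2241,8 +2241,11 @@ int genpd_dev_pm_attach(struct device *dev)
 return ret;
 }
 
- dev->pm_domain->detach = genpd_dev_pm_detach;
- dev->pm_domain->sync = genpd_dev_pm_sync;
+ pax_open_kernel();
+ *(void **)&dev->pm_domain->detach = genpd_dev_pm_detach;
+ *(void **)&dev->pm_domain->sync = genpd_dev_pm_sync;
+ pax_close_kernel();
+
 pm_genpd_poweron(pd);
 
 return 0;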
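Review bot: The stores `*(void **)&dev->pm_domain->detach = genpd_dev_pm_detach;` and the matching one for `sync` in `genpd_dev_pm_attach` go through a `void **` cast, so the compiler no longer checks that the handlers match the members' function-pointer types. Presumably the cast exists because the ops structure is read-only outside the `pax_open_kernel()` / `pax_close_kernel()` bracket. Casting to the member's own pointer type instead would keep the signature check. A comment such as `/* pm_domain ops are read-only; write only inside the open/close window */` would explain the bracket. Keeping the window to just the two stores is right.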
38971diff --git a/drivers/base/power/sysfs.c b/drivers/base/power/sysfs.c
38972index d2be3f9..0a3167a 100644
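--- a/drivers/base/power/sysfs.c
+++ b/drivers/base/power/sysfs.c
@@ -181,7 +181,7 @@ static ssize_t rtpm_status_show(struct device *dev,
 return -EIO;
 }
 }
- return sprintf(buf, p);
+ return sprintf(buf, "%s", p);
 }
 
 static DEVICE_ATTR(runtime_status, 0444, rtpm_status_show, NULL);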
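Review bot: The write into `buf` is still unbounded after `sprintf(buf, "%s", p)`, even though the non-literal format string is gone. For a sysfs show callback, `return scnprintf(buf, PAGE_SIZE, "%s", p);` bounds the write to the page the caller provides. The values `p` can take are assigned outside the hunk, so whether any of them could contain a `%` is not visible here, which is a further reason to keep the literal format.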
38984diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
38985index 51f15bc..892a668 100644
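--- a/drivers/base/power/wakeup.c
+++ b/drivers/base/power/wakeup.c
@@ -33,14 +33,14 @@ static bool pm_abort_suspend __read_mostly;
 * They need to be modified together atomically, so it's better to use one
 * atomic variable to hold them both.
 */
-static atomic_t combined_event_count = ATOMIC_INIT(0);
+static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
 
 #define IN_PROGRESS_BITS (sizeof(int) * 4)
 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
 
 static void split_counters(unsigned int *cnt, unsigned int *inpr)
 {
- unsigned int comb = atomic_read(&combined_event_count);
+ unsigned int comb = atomic_read_unchecked(&combined_event_count);
 
 *cnt = (comb >> IN_PROGRESS_BITS);
 *inpr = comb & MAX_IN_PROGRESS;
@@ -537,7 +537,7 @@ static void wakeup_source_activate(struct wakeup_source *ws)
 ws->start_prevent_time = ws->last_time;
 
 /* Increment the counter of events in progress. */
- cec = atomic_inc_return(&combined_event_count);
+ cec = atomic_inc_return_unchecked(&combined_event_count);
 
 trace_wakeup_source_activate(ws->name, cec);
 }
@@ -663,7 +663,7 @@ static void wakeup_source_deactivate(struct wakeup_source *ws)
 * Increment the counter of registered wakeup events and decrement the
 * couter of wakeup events in progress simultaneously.
 */
- cec = atomic_add_return(MAX_IN_PROGRESS, &combined_event_count);
+ cec = atomic_add_return_unchecked(MAX_IN_PROGRESS, &combined_event_count);
 trace_wakeup_source_deactivate(ws->name, cec);
 
 split_counters(&cnt, &inpr);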
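Review bot: The declaration comment for `combined_event_count` does not say that the variable wraps by design, which is the reason it becomes `atomic_unchecked_t`. It packs two counters into one int, and `atomic_add_return_unchecked(MAX_IN_PROGRESS, ...)` in `wakeup_source_deactivate` relies on the carry out of the low half. Adding a line to that comment, e.g. `* The arithmetic wraps intentionally, so overflow checking must stay off.`, would explain the type to the next reader. As a smaller style point, `1 << IN_PROGRESS_BITS` is a signed shift; it is in range here, but `1U` would match the unsigned use in `split_counters`.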
39023diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
39024index 5799a0b..f7c7a7e 100644
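--- a/drivers/base/regmap/regmap-debugfs.c
+++ b/drivers/base/regmap/regmap-debugfs.c
@@ -30,10 +30,9 @@ static LIST_HEAD(regmap_debugfs_early_list);
 static DEFINE_MUTEX(regmap_debugfs_early_lock);
 
 /* Calculate the length of a fixed format */
-static size_t regmap_calc_reg_len(int max_val, char *buf, size_t buf_size)
+static size_t regmap_calc_reg_len(int max_val)
 {
- snprintf(buf, buf_size, "%x", max_val);
- return strlen(buf);
+ return snprintf(NULL, 0, "%x", max_val);
 }
 
 static ssize_t regmap_name_read_file(struct file *file,
@@ -174,8 +173,7 @@ static inline void regmap_calc_tot_len(struct regmap *map,
 {
 /* Calculate the length of a fixed format */
 if (!map->debugfs_tot_len) {
- map->debugfs_reg_len = regmap_calc_reg_len(map->max_register,
- buf, count);
+ map->debugfs_reg_len = regmap_calc_reg_len(map->max_register);
 map->debugfs_val_len = 2 * map->format.val_bytes;
 map->debugfs_tot_len = map->debugfs_reg_len +
 map->debugfs_val_len + 3; /* : \n */
@@ -405,7 +403,7 @@ static ssize_t regmap_access_read_file(struct file *file,
 char __user *user_buf, size_t count,
 loff_t *ppos)
 {
- int reg_len, tot_len;
+ size_t reg_len, tot_len;
 size_t buf_pos = 0;
 loff_t p = 0;
 ssize_t ret;
@@ -421,7 +419,7 @@ static ssize_t regmap_access_read_file(struct file *file,
 return -ENOMEM;
 
 /* Calculate the length of a fixed format */
- reg_len = regmap_calc_reg_len(map->max_register, buf, count);
+ reg_len = regmap_calc_reg_len(map->max_register);
 tot_len = reg_len + 10; /* ': R W V P\n' */
 
 for (i = 0; i <= map->max_register; i += map->reg_stride) {
@@ -432,7 +430,7 @@ static ssize_t regmap_access_read_file(struct file *file,
 /* If we're in the region the user is trying to read */
 if (p >= *ppos) {
 /* ...but not beyond it */
- if (buf_pos >= count - 1 - tot_len)
+ if (buf_pos + tot_len + 1 >= count)
 break;
 
 /* Format the register */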
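Review bot: `reg_len` and `tot_len` in `regmap_access_read_file` are now `size_t`, but the formatting call that follows the last context line is outside the hunk. If `reg_len` is passed there as a `%.*x` precision it needs a cast, `(int)reg_len`, because the precision argument is an `int`. The rewritten bound `buf_pos + tot_len + 1 >= count` avoids the unsigned underflow that `count - 1 - tot_len` had for a small user-supplied `count`, which is the right fix. `regmap_calc_reg_len` returns the `int` result of `snprintf(NULL, 0, ...)` as `size_t`; that is safe for `%x`, but its comment should say the length excludes the terminating NUL.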
39077diff --git a/drivers/base/syscore.c b/drivers/base/syscore.c
39078index 8d98a32..61d3165 100644
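--- a/drivers/base/syscore.c
+++ b/drivers/base/syscore.c
@@ -22,7 +22,7 @@ static DEFINE_MUTEX(syscore_ops_lock);
 void register_syscore_ops(struct syscore_ops *ops)
 {
 mutex_lock(&syscore_ops_lock);
- list_add_tail(&ops->node, &syscore_ops_list);
+ pax_list_add_tail((struct list_head *)&ops->node, &syscore_ops_list);
 mutex_unlock(&syscore_ops_lock);
 }
 EXPORT_SYMBOL_GPL(register_syscore_ops);
@@ -34,7 +34,7 @@ EXPORT_SYMBOL_GPL(register_syscore_ops);
 void unregister_syscore_ops(struct syscore_ops *ops)
 {
 mutex_lock(&syscore_ops_lock);
- list_del(&ops->node);
+ pax_list_del((struct list_head *)&ops->node);
 mutex_unlock(&syscore_ops_lock);
 }
 EXPORT_SYMBOL_GPL(unregister_syscore_ops);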
39099diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
39100index 0422c47..b222c7a 100644
39101--- a/drivers/block/cciss.c
39102+++ b/drivers/block/cciss.c
39103@@ -3024,7 +3024,7 @@ static void start_io(ctlr_info_t *h)
39104 while (!list_empty(&h->reqQ)) {
39105 c = list_entry(h->reqQ.next, CommandList_struct, list);
39106 /* can't do anything if fifo is full */
39107- if ((h->access.fifo_full(h))) {
39108+ if ((h->access->fifo_full(h))) {
39109 dev_warn(&h->pdev->dev, "fifo full\n");
39110 break;
39111 }
39112@@ -3034,7 +3034,7 @@ static void start_io(ctlr_info_t *h)
39113 h->Qdepth--;
39114
39115 /* Tell the controller execute command */
39116- h->access.submit_command(h, c);
39117+ h->access->submit_command(h, c);
39118
39119 /* Put job onto the completed Q */
39120 addQ(&h->cmpQ, c);
39121@@ -3460,17 +3460,17 @@ startio:
39122
39123 static inline unsigned long get_next_completion(ctlr_info_t *h)
39124 {
39125- return h->access.command_completed(h);
39126+ return h->access->command_completed(h);
39127 }
39128
39129 static inline int interrupt_pending(ctlr_info_t *h)
39130 {
39131- return h->access.intr_pending(h);
39132+ return h->access->intr_pending(h);
39133 }
39134
39135 static inline long interrupt_not_for_us(ctlr_info_t *h)
39136 {
39137- return ((h->access.intr_pending(h) == 0) ||
39138+ return ((h->access->intr_pending(h) == 0) ||
39139 (h->interrupts_enabled == 0));
39140 }
39141
39142@@ -3503,7 +3503,7 @@ static inline u32 next_command(ctlr_info_t *h)
39143 u32 a;
39144
39145 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
39146- return h->access.command_completed(h);
39147+ return h->access->command_completed(h);
39148
39149 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
39150 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
39151@@ -4060,7 +4060,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h)
39152 trans_support & CFGTBL_Trans_use_short_tags);
39153
39154 /* Change the access methods to the performant access methods */
39155- h->access = SA5_performant_access;
39156+ h->access = &SA5_performant_access;
39157 h->transMethod = CFGTBL_Trans_Performant;
39158
39159 return;
39160@@ -4334,7 +4334,7 @@ static int cciss_pci_init(ctlr_info_t *h)
39161 if (prod_index < 0)
39162 return -ENODEV;
39163 h->product_name = products[prod_index].product_name;
39164- h->access = *(products[prod_index].access);
39165+ h->access = products[prod_index].access;
39166
39167 if (cciss_board_disabled(h)) {
39168 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
39169@@ -5065,7 +5065,7 @@ reinit_after_soft_reset:
39170 }
39171
39172 /* make sure the board interrupts are off */
39173- h->access.set_intr_mask(h, CCISS_INTR_OFF);
39174+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
39175 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
39176 if (rc)
39177 goto clean2;
39178@@ -5115,7 +5115,7 @@ reinit_after_soft_reset:
39179 * fake ones to scoop up any residual completions.
39180 */
39181 spin_lock_irqsave(&h->lock, flags);
39182- h->access.set_intr_mask(h, CCISS_INTR_OFF);
39183+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
39184 spin_unlock_irqrestore(&h->lock, flags);
39185 free_irq(h->intr[h->intr_mode], h);
39186 rc = cciss_request_irq(h, cciss_msix_discard_completions,
39187@@ -5135,9 +5135,9 @@ reinit_after_soft_reset:
39188 dev_info(&h->pdev->dev, "Board READY.\n");
39189 dev_info(&h->pdev->dev,
39190 "Waiting for stale completions to drain.\n");
39191- h->access.set_intr_mask(h, CCISS_INTR_ON);
39192+ h->access->set_intr_mask(h, CCISS_INTR_ON);
39193 msleep(10000);
39194- h->access.set_intr_mask(h, CCISS_INTR_OFF);
39195+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
39196
39197 rc = controller_reset_failed(h->cfgtable);
39198 if (rc)
39199@@ -5160,7 +5160,7 @@ reinit_after_soft_reset:
39200 cciss_scsi_setup(h);
39201
39202 /* Turn the interrupts on so we can service requests */
39203- h->access.set_intr_mask(h, CCISS_INTR_ON);
39204+ h->access->set_intr_mask(h, CCISS_INTR_ON);
39205
39206 /* Get the firmware version */
39207 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
39208@@ -5232,7 +5232,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
39209 kfree(flush_buf);
39210 if (return_code != IO_OK)
39211 dev_warn(&h->pdev->dev, "Error flushing cache\n");
39212- h->access.set_intr_mask(h, CCISS_INTR_OFF);
39213+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
39214 free_irq(h->intr[h->intr_mode], h);
39215 }
39216
39217diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h
39218index 7fda30e..2f27946 100644
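--- a/drivers/block/cciss.h
+++ b/drivers/block/cciss.h
@@ -101,7 +101,7 @@ struct ctlr_info
 /* information about each logical volume */
 drive_info_struct *drv[CISS_MAX_LUN];
 
- struct access_method access;
+ struct access_method *access;
 
 /* queue and queue Info */
 struct list_head reqQ;
@@ -402,27 +402,27 @@ static bool SA5_performant_intr_pending(ctlr_info_t *h)
 }
 
 static struct access_method SA5_access = {
- SA5_submit_command,
- SA5_intr_mask,
- SA5_fifo_full,
- SA5_intr_pending,
- SA5_completed,
+ .submit_command = SA5_submit_command,
+ .set_intr_mask = SA5_intr_mask,
+ .fifo_full = SA5_fifo_full,
+ .intr_pending = SA5_intr_pending,
+ .command_completed = SA5_completed,
 };
 
 static struct access_method SA5B_access = {
- SA5_submit_command,
- SA5B_intr_mask,
- SA5_fifo_full,
- SA5B_intr_pending,
- SA5_completed,
+ .submit_command = SA5_submit_command,
+ .set_intr_mask = SA5B_intr_mask,
+ .fifo_full = SA5_fifo_full,
+ .intr_pending = SA5B_intr_pending,
+ .command_completed = SA5_completed,
 };
 
 static struct access_method SA5_performant_access = {
- SA5_submit_command,
- SA5_performant_intr_mask,
- SA5_fifo_full,
- SA5_performant_intr_pending,
- SA5_performant_completed,
+ .submit_command = SA5_submit_command,
+ .set_intr_mask = SA5_performant_intr_mask,
+ .fifo_full = SA5_fifo_full,
+ .intr_pending = SA5_performant_intr_pending,
+ .command_completed = SA5_performant_completed,
 };
 
 struct board_type {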
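Review bot: `SA5_access`, `SA5B_access` and `SA5_performant_access` remain plain `static struct access_method` objects and the new `struct access_method *access` member is a non-const pointer, so as written the function-pointer tables stay writable. Unless something outside this section makes them read-only, declare the tables as `static const struct access_method SA5_access = {` and the member as `const struct access_method *access;`. A stray write through `h->access` would then fail to compile. The `access` field of `struct board_type`, whose body is cut off at the end of the section, would need the same qualifier. The switch to designated initializers is a good change, since the tables no longer depend on member order.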
39273diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
39274index f749df9..5f8b9c4 100644
39275--- a/drivers/block/cpqarray.c
39276+++ b/drivers/block/cpqarray.c
39277@@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
39278 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
39279 goto Enomem4;
39280 }
39281- hba[i]->access.set_intr_mask(hba[i], 0);
39282+ hba[i]->access->set_intr_mask(hba[i], 0);
39283 if (request_irq(hba[i]->intr, do_ida_intr, IRQF_SHARED,
39284 hba[i]->devname, hba[i]))
39285 {
39286@@ -459,7 +459,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
39287 add_timer(&hba[i]->timer);
39288
39289 /* Enable IRQ now that spinlock and rate limit timer are set up */
39290- hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
39291+ hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
39292
39293 for(j=0; j<NWD; j++) {
39294 struct gendisk *disk = ida_gendisk[i][j];
39295@@ -694,7 +694,7 @@ DBGINFO(
39296 for(i=0; i<NR_PRODUCTS; i++) {
39297 if (board_id == products[i].board_id) {
39298 c->product_name = products[i].product_name;
39299- c->access = *(products[i].access);
39300+ c->access = products[i].access;
39301 break;
39302 }
39303 }
39304@@ -792,7 +792,7 @@ static int cpqarray_eisa_detect(void)
39305 hba[ctlr]->intr = intr;
39306 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
39307 hba[ctlr]->product_name = products[j].product_name;
39308- hba[ctlr]->access = *(products[j].access);
39309+ hba[ctlr]->access = products[j].access;
39310 hba[ctlr]->ctlr = ctlr;
39311 hba[ctlr]->board_id = board_id;
39312 hba[ctlr]->pci_dev = NULL; /* not PCI */
39313@@ -978,7 +978,7 @@ static void start_io(ctlr_info_t *h)
39314
39315 while((c = h->reqQ) != NULL) {
39316 /* Can't do anything if we're busy */
39317- if (h->access.fifo_full(h) == 0)
39318+ if (h->access->fifo_full(h) == 0)
39319 return;
39320
39321 /* Get the first entry from the request Q */
39322@@ -986,7 +986,7 @@ static void start_io(ctlr_info_t *h)
39323 h->Qdepth--;
39324
39325 /* Tell the controller to do our bidding */
39326- h->access.submit_command(h, c);
39327+ h->access->submit_command(h, c);
39328
39329 /* Get onto the completion Q */
39330 addQ(&h->cmpQ, c);
39331@@ -1048,7 +1048,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id)
39332 unsigned long flags;
39333 __u32 a,a1;
39334
39335- istat = h->access.intr_pending(h);
39336+ istat = h->access->intr_pending(h);
39337 /* Is this interrupt for us? */
39338 if (istat == 0)
39339 return IRQ_NONE;
39340@@ -1059,7 +1059,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id)
39341 */
39342 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
39343 if (istat & FIFO_NOT_EMPTY) {
39344- while((a = h->access.command_completed(h))) {
39345+ while((a = h->access->command_completed(h))) {
39346 a1 = a; a &= ~3;
39347 if ((c = h->cmpQ) == NULL)
39348 {
39349@@ -1448,11 +1448,11 @@ static int sendcmd(
39350 /*
39351 * Disable interrupt
39352 */
39353- info_p->access.set_intr_mask(info_p, 0);
39354+ info_p->access->set_intr_mask(info_p, 0);
39355 /* Make sure there is room in the command FIFO */
39356 /* Actually it should be completely empty at this time. */
39357 for (i = 200000; i > 0; i--) {
39358- temp = info_p->access.fifo_full(info_p);
39359+ temp = info_p->access->fifo_full(info_p);
39360 if (temp != 0) {
39361 break;
39362 }
39363@@ -1465,7 +1465,7 @@ DBG(
39364 /*
39365 * Send the cmd
39366 */
39367- info_p->access.submit_command(info_p, c);
39368+ info_p->access->submit_command(info_p, c);
39369 complete = pollcomplete(ctlr);
39370
39371 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
39372@@ -1548,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host)
39373 * we check the new geometry. Then turn interrupts back on when
39374 * we're done.
39375 */
39376- host->access.set_intr_mask(host, 0);
39377+ host->access->set_intr_mask(host, 0);
39378 getgeometry(ctlr);
39379- host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
39380+ host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
39381
39382 for(i=0; i<NWD; i++) {
39383 struct gendisk *disk = ida_gendisk[ctlr][i];
39384@@ -1590,7 +1590,7 @@ static int pollcomplete(int ctlr)
39385 /* Wait (up to 2 seconds) for a command to complete */
39386
39387 for (i = 200000; i > 0; i--) {
39388- done = hba[ctlr]->access.command_completed(hba[ctlr]);
39389+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
39390 if (done == 0) {
39391 udelay(10); /* a short fixed delay */
39392 } else
39393diff --git a/drivers/block/cpqarray.h b/drivers/block/cpqarray.h
39394index be73e9d..7fbf140 100644
39395--- a/drivers/block/cpqarray.h
39396+++ b/drivers/block/cpqarray.h
39397@@ -99,7 +99,7 @@ struct ctlr_info {
39398 drv_info_t drv[NWD];
39399 struct proc_dir_entry *proc;
39400
39401- struct access_method access;
39402+ struct access_method *access;
39403
39404 cmdlist_t *reqQ;
39405 cmdlist_t *cmpQ;
39406diff --git a/drivers/block/drbd/drbd_bitmap.c b/drivers/block/drbd/drbd_bitmap.c
39407index 434c77d..6d3219a 100644
39408--- a/drivers/block/drbd/drbd_bitmap.c
39409+++ b/drivers/block/drbd/drbd_bitmap.c
39410@@ -1036,7 +1036,7 @@ static void bm_page_io_async(struct drbd_bm_aio_ctx *ctx, int page_nr) __must_ho
39411 submit_bio(rw, bio);
39412 /* this should not count as user activity and cause the
39413 * resync to throttle -- see drbd_rs_should_slow_down(). */
39414- atomic_add(len >> 9, &device->rs_sect_ev);
39415+ atomic_add_unchecked(len >> 9, &device->rs_sect_ev);
39416 }
39417 }
39418
39419diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
39420index efd19c2..6ccfa94 100644
39421--- a/drivers/block/drbd/drbd_int.h
39422+++ b/drivers/block/drbd/drbd_int.h
39423@@ -386,7 +386,7 @@ struct drbd_epoch {
39424 struct drbd_connection *connection;
39425 struct list_head list;
39426 unsigned int barrier_nr;
39427- atomic_t epoch_size; /* increased on every request added. */
39428+ atomic_unchecked_t epoch_size; /* increased on every request added. */
39429 atomic_t active; /* increased on every req. added, and dec on every finished. */
39430 unsigned long flags;
39431 };
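Review bot: `epoch_size` becomes `atomic_unchecked_t` here with no comment on why it is exempt from the checked `atomic_t` behaviour. Unlike the rate counters `rs_sect_in`/`rs_sect_ev` changed later in this file, it is not purely statistical: the drbd_main.c and drbd_receiver.c hunks of this patch branch on whether it is zero. Extend the field comment to record the reasoning, for example `/* increased on every request added; not a reference count, wrap is tolerated */`, so a later reader does not take it for an unprotected refcount. `active` on the next line stays a checked `atomic_t`; it is worth saying that this is deliberate.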
39432@@ -947,7 +947,7 @@ struct drbd_device {
39433 unsigned int al_tr_number;
39434 int al_tr_cycle;
39435 wait_queue_head_t seq_wait;
39436- atomic_t packet_seq;
39437+ atomic_unchecked_t packet_seq;
39438 unsigned int peer_seq;
39439 spinlock_t peer_seq_lock;
39440 unsigned long comm_bm_set; /* communicated number of set bits. */
39441@@ -956,8 +956,8 @@ struct drbd_device {
39442 struct mutex own_state_mutex;
39443 struct mutex *state_mutex; /* either own_state_mutex or first_peer_device(device)->connection->cstate_mutex */
39444 char congestion_reason; /* Why we where congested... */
39445- atomic_t rs_sect_in; /* for incoming resync data rate, SyncTarget */
39446- atomic_t rs_sect_ev; /* for submitted resync data rate, both */
39447+ atomic_unchecked_t rs_sect_in; /* for incoming resync data rate, SyncTarget */
39448+ atomic_unchecked_t rs_sect_ev; /* for submitted resync data rate, both */
39449 int rs_last_sect_ev; /* counter to compare with */
39450 int rs_last_events; /* counter of read or write "events" (unit sectors)
39451 * on the lower level device when we last looked. */
39452diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
39453index a151853..b9b5baa 100644
39454--- a/drivers/block/drbd/drbd_main.c
39455+++ b/drivers/block/drbd/drbd_main.c
39456@@ -1328,7 +1328,7 @@ static int _drbd_send_ack(struct drbd_peer_device *peer_device, enum drbd_packet
39457 p->sector = sector;
39458 p->block_id = block_id;
39459 p->blksize = blksize;
39460- p->seq_num = cpu_to_be32(atomic_inc_return(&peer_device->device->packet_seq));
39461+ p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&peer_device->device->packet_seq));
39462 return drbd_send_command(peer_device, sock, cmd, sizeof(*p), NULL, 0);
39463 }
39464
39465@@ -1634,7 +1634,7 @@ int drbd_send_dblock(struct drbd_peer_device *peer_device, struct drbd_request *
39466 return -EIO;
39467 p->sector = cpu_to_be64(req->i.sector);
39468 p->block_id = (unsigned long)req;
39469- p->seq_num = cpu_to_be32(atomic_inc_return(&device->packet_seq));
39470+ p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&device->packet_seq));
39471 dp_flags = bio_flags_to_wire(peer_device->connection, req->master_bio->bi_rw);
39472 if (device->state.conn >= C_SYNC_SOURCE &&
39473 device->state.conn <= C_PAUSED_SYNC_T)
39474@@ -1915,8 +1915,8 @@ void drbd_init_set_defaults(struct drbd_device *device)
39475 atomic_set(&device->unacked_cnt, 0);
39476 atomic_set(&device->local_cnt, 0);
39477 atomic_set(&device->pp_in_use_by_net, 0);
39478- atomic_set(&device->rs_sect_in, 0);
39479- atomic_set(&device->rs_sect_ev, 0);
39480+ atomic_set_unchecked(&device->rs_sect_in, 0);
39481+ atomic_set_unchecked(&device->rs_sect_ev, 0);
39482 atomic_set(&device->ap_in_flight, 0);
39483 atomic_set(&device->md_io.in_use, 0);
39484
39485@@ -2683,8 +2683,8 @@ void drbd_destroy_connection(struct kref *kref)
39486 struct drbd_connection *connection = container_of(kref, struct drbd_connection, kref);
39487 struct drbd_resource *resource = connection->resource;
39488
39489- if (atomic_read(&connection->current_epoch->epoch_size) != 0)
39490- drbd_err(connection, "epoch_size:%d\n", atomic_read(&connection->current_epoch->epoch_size));
39491+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size) != 0)
39492+ drbd_err(connection, "epoch_size:%d\n", atomic_read_unchecked(&connection->current_epoch->epoch_size));
39493 kfree(connection->current_epoch);
39494
39495 idr_destroy(&connection->peer_devices);
39496diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
39497index 74df8cf..e41fc24 100644
39498--- a/drivers/block/drbd/drbd_nl.c
39499+++ b/drivers/block/drbd/drbd_nl.c
39500@@ -3637,13 +3637,13 @@ finish:
39501
39502 void drbd_bcast_event(struct drbd_device *device, const struct sib_info *sib)
39503 {
39504- static atomic_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
39505+ static atomic_unchecked_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
39506 struct sk_buff *msg;
39507 struct drbd_genlmsghdr *d_out;
39508 unsigned seq;
39509 int err = -ENOMEM;
39510
39511- seq = atomic_inc_return(&drbd_genl_seq);
39512+ seq = atomic_inc_return_unchecked(&drbd_genl_seq);
39513 msg = genlmsg_new(NLMSG_GOODSIZE, GFP_NOIO);
39514 if (!msg)
39515 goto failed;
39516diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
39517index c097909..13688e1 100644
39518--- a/drivers/block/drbd/drbd_receiver.c
39519+++ b/drivers/block/drbd/drbd_receiver.c
39520@@ -870,7 +870,7 @@ int drbd_connected(struct drbd_peer_device *peer_device)
39521 struct drbd_device *device = peer_device->device;
39522 int err;
39523
39524- atomic_set(&device->packet_seq, 0);
39525+ atomic_set_unchecked(&device->packet_seq, 0);
39526 device->peer_seq = 0;
39527
39528 device->state_mutex = peer_device->connection->agreed_pro_version < 100 ?
39529@@ -1233,7 +1233,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_connection *connectio
39530 do {
39531 next_epoch = NULL;
39532
39533- epoch_size = atomic_read(&epoch->epoch_size);
39534+ epoch_size = atomic_read_unchecked(&epoch->epoch_size);
39535
39536 switch (ev & ~EV_CLEANUP) {
39537 case EV_PUT:
39538@@ -1273,7 +1273,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_connection *connectio
39539 rv = FE_DESTROYED;
39540 } else {
39541 epoch->flags = 0;
39542- atomic_set(&epoch->epoch_size, 0);
39543+ atomic_set_unchecked(&epoch->epoch_size, 0);
39544 /* atomic_set(&epoch->active, 0); is already zero */
39545 if (rv == FE_STILL_LIVE)
39546 rv = FE_RECYCLED;
39547@@ -1550,7 +1550,7 @@ static int receive_Barrier(struct drbd_connection *connection, struct packet_inf
39548 conn_wait_active_ee_empty(connection);
39549 drbd_flush(connection);
39550
39551- if (atomic_read(&connection->current_epoch->epoch_size)) {
39552+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size)) {
39553 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
39554 if (epoch)
39555 break;
39556@@ -1564,11 +1564,11 @@ static int receive_Barrier(struct drbd_connection *connection, struct packet_inf
39557 }
39558
39559 epoch->flags = 0;
39560- atomic_set(&epoch->epoch_size, 0);
39561+ atomic_set_unchecked(&epoch->epoch_size, 0);
39562 atomic_set(&epoch->active, 0);
39563
39564 spin_lock(&connection->epoch_lock);
39565- if (atomic_read(&connection->current_epoch->epoch_size)) {
39566+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size)) {
39567 list_add(&epoch->list, &connection->current_epoch->list);
39568 connection->current_epoch = epoch;
39569 connection->epochs++;
39570@@ -1802,7 +1802,7 @@ static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t secto
39571 list_add_tail(&peer_req->w.list, &device->sync_ee);
39572 spin_unlock_irq(&device->resource->req_lock);
39573
39574- atomic_add(pi->size >> 9, &device->rs_sect_ev);
39575+ atomic_add_unchecked(pi->size >> 9, &device->rs_sect_ev);
39576 if (drbd_submit_peer_request(device, peer_req, WRITE, DRBD_FAULT_RS_WR) == 0)
39577 return 0;
39578
39579@@ -1900,7 +1900,7 @@ static int receive_RSDataReply(struct drbd_connection *connection, struct packet
39580 drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size);
39581 }
39582
39583- atomic_add(pi->size >> 9, &device->rs_sect_in);
39584+ atomic_add_unchecked(pi->size >> 9, &device->rs_sect_in);
39585
39586 return err;
39587 }
39588@@ -2290,7 +2290,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
39589
39590 err = wait_for_and_update_peer_seq(peer_device, peer_seq);
39591 drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size);
39592- atomic_inc(&connection->current_epoch->epoch_size);
39593+ atomic_inc_unchecked(&connection->current_epoch->epoch_size);
39594 err2 = drbd_drain_block(peer_device, pi->size);
39595 if (!err)
39596 err = err2;
39597@@ -2334,7 +2334,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
39598
39599 spin_lock(&connection->epoch_lock);
39600 peer_req->epoch = connection->current_epoch;
39601- atomic_inc(&peer_req->epoch->epoch_size);
39602+ atomic_inc_unchecked(&peer_req->epoch->epoch_size);
39603 atomic_inc(&peer_req->epoch->active);
39604 spin_unlock(&connection->epoch_lock);
39605
39606@@ -2479,7 +2479,7 @@ bool drbd_rs_c_min_rate_throttle(struct drbd_device *device)
39607
39608 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
39609 (int)part_stat_read(&disk->part0, sectors[1]) -
39610- atomic_read(&device->rs_sect_ev);
39611+ atomic_read_unchecked(&device->rs_sect_ev);
39612
39613 if (atomic_read(&device->ap_actlog_cnt)
39614 || curr_events - device->rs_last_events > 64) {
39615@@ -2618,7 +2618,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
39616 device->use_csums = true;
39617 } else if (pi->cmd == P_OV_REPLY) {
39618 /* track progress, we may need to throttle */
39619- atomic_add(size >> 9, &device->rs_sect_in);
39620+ atomic_add_unchecked(size >> 9, &device->rs_sect_in);
39621 peer_req->w.cb = w_e_end_ov_reply;
39622 dec_rs_pending(device);
39623 /* drbd_rs_begin_io done when we sent this request,
39624@@ -2691,7 +2691,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
39625 goto out_free_e;
39626
39627 submit_for_resync:
39628- atomic_add(size >> 9, &device->rs_sect_ev);
39629+ atomic_add_unchecked(size >> 9, &device->rs_sect_ev);
39630
39631 submit:
39632 update_receiver_timing_details(connection, drbd_submit_peer_request);
39633@@ -4564,7 +4564,7 @@ struct data_cmd {
39634 int expect_payload;
39635 size_t pkt_size;
39636 int (*fn)(struct drbd_connection *, struct packet_info *);
39637-};
39638+} __do_const;
39639
39640 static struct data_cmd drbd_cmd_handler[] = {
39641 [P_DATA] = { 1, sizeof(struct p_data), receive_Data },
39642@@ -4678,7 +4678,7 @@ static void conn_disconnect(struct drbd_connection *connection)
39643 if (!list_empty(&connection->current_epoch->list))
39644 drbd_err(connection, "ASSERTION FAILED: connection->current_epoch->list not empty\n");
39645 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
39646- atomic_set(&connection->current_epoch->epoch_size, 0);
39647+ atomic_set_unchecked(&connection->current_epoch->epoch_size, 0);
39648 connection->send.seen_any_write_yet = false;
39649
39650 drbd_info(connection, "Connection closed\n");
39651@@ -5182,7 +5182,7 @@ static int got_IsInSync(struct drbd_connection *connection, struct packet_info *
39652 put_ldev(device);
39653 }
39654 dec_rs_pending(device);
39655- atomic_add(blksize >> 9, &device->rs_sect_in);
39656+ atomic_add_unchecked(blksize >> 9, &device->rs_sect_in);
39657
39658 return 0;
39659 }
39660@@ -5470,7 +5470,7 @@ static int connection_finish_peer_reqs(struct drbd_connection *connection)
39661 struct asender_cmd {
39662 size_t pkt_size;
39663 int (*fn)(struct drbd_connection *connection, struct packet_info *);
39664-};
39665+} __do_const;
39666
39667 static struct asender_cmd asender_tbl[] = {
39668 [P_PING] = { 0, got_Ping },
39669diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c
39670index d0fae55..4469096 100644
39671--- a/drivers/block/drbd/drbd_worker.c
39672+++ b/drivers/block/drbd/drbd_worker.c
39673@@ -408,7 +408,7 @@ static int read_for_csum(struct drbd_peer_device *peer_device, sector_t sector,
39674 list_add_tail(&peer_req->w.list, &device->read_ee);
39675 spin_unlock_irq(&device->resource->req_lock);
39676
39677- atomic_add(size >> 9, &device->rs_sect_ev);
39678+ atomic_add_unchecked(size >> 9, &device->rs_sect_ev);
39679 if (drbd_submit_peer_request(device, peer_req, READ, DRBD_FAULT_RS_RD) == 0)
39680 return 0;
39681
39682@@ -553,7 +553,7 @@ static int drbd_rs_number_requests(struct drbd_device *device)
39683 unsigned int sect_in; /* Number of sectors that came in since the last turn */
39684 int number, mxb;
39685
39686- sect_in = atomic_xchg(&device->rs_sect_in, 0);
39687+ sect_in = atomic_xchg_unchecked(&device->rs_sect_in, 0);
39688 device->rs_in_flight -= sect_in;
39689
39690 rcu_read_lock();
39691@@ -1595,8 +1595,8 @@ void drbd_rs_controller_reset(struct drbd_device *device)
39692 struct gendisk *disk = device->ldev->backing_bdev->bd_contains->bd_disk;
39693 struct fifo_buffer *plan;
39694
39695- atomic_set(&device->rs_sect_in, 0);
39696- atomic_set(&device->rs_sect_ev, 0);
39697+ atomic_set_unchecked(&device->rs_sect_in, 0);
39698+ atomic_set_unchecked(&device->rs_sect_ev, 0);
39699 device->rs_in_flight = 0;
39700 device->rs_last_events =
39701 (int)part_stat_read(&disk->part0, sectors[0]) +
39702diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
39703index 4c20c22..caef1eb 100644
39704--- a/drivers/block/pktcdvd.c
39705+++ b/drivers/block/pktcdvd.c
39706@@ -109,7 +109,7 @@ static int pkt_seq_show(struct seq_file *m, void *p);
39707
39708 static sector_t get_zone(sector_t sector, struct pktcdvd_device *pd)
39709 {
39710- return (sector + pd->offset) & ~(sector_t)(pd->settings.size - 1);
39711+ return (sector + pd->offset) & ~(sector_t)(pd->settings.size - 1UL);
39712 }
39713
39714 /*
39715@@ -1891,7 +1891,7 @@ static noinline_for_stack int pkt_probe_settings(struct pktcdvd_device *pd)
39716 return -EROFS;
39717 }
39718 pd->settings.fp = ti.fp;
39719- pd->offset = (be32_to_cpu(ti.track_start) << 2) & (pd->settings.size - 1);
39720+ pd->offset = (be32_to_cpu(ti.track_start) << 2) & (pd->settings.size - 1UL);
39721
39722 if (ti.nwa_v) {
39723 pd->nwa = be32_to_cpu(ti.next_writable);
39724diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
39725index bc67a93..d552e86 100644
39726--- a/drivers/block/rbd.c
39727+++ b/drivers/block/rbd.c
39728@@ -64,7 +64,7 @@
39729 * If the counter is already at its maximum value returns
39730 * -EINVAL without updating it.
39731 */
39732-static int atomic_inc_return_safe(atomic_t *v)
39733+static int __intentional_overflow(-1) atomic_inc_return_safe(atomic_t *v)
39734 {
39735 unsigned int counter;
39736
39737diff --git a/drivers/block/smart1,2.h b/drivers/block/smart1,2.h
39738index e5565fb..71be10b4 100644
39739--- a/drivers/block/smart1,2.h
39740+++ b/drivers/block/smart1,2.h
39741@@ -108,11 +108,11 @@ static unsigned long smart4_intr_pending(ctlr_info_t *h)
39742 }
39743
39744 static struct access_method smart4_access = {
39745- smart4_submit_command,
39746- smart4_intr_mask,
39747- smart4_fifo_full,
39748- smart4_intr_pending,
39749- smart4_completed,
39750+ .submit_command = smart4_submit_command,
39751+ .set_intr_mask = smart4_intr_mask,
39752+ .fifo_full = smart4_fifo_full,
39753+ .intr_pending = smart4_intr_pending,
39754+ .command_completed = smart4_completed,
39755 };
39756
39757 /*
39758@@ -144,11 +144,11 @@ static unsigned long smart2_intr_pending(ctlr_info_t *h)
39759 }
39760
39761 static struct access_method smart2_access = {
39762- smart2_submit_command,
39763- smart2_intr_mask,
39764- smart2_fifo_full,
39765- smart2_intr_pending,
39766- smart2_completed,
39767+ .submit_command = smart2_submit_command,
39768+ .set_intr_mask = smart2_intr_mask,
39769+ .fifo_full = smart2_fifo_full,
39770+ .intr_pending = smart2_intr_pending,
39771+ .command_completed = smart2_completed,
39772 };
39773
39774 /*
39775@@ -180,11 +180,11 @@ static unsigned long smart2e_intr_pending(ctlr_info_t *h)
39776 }
39777
39778 static struct access_method smart2e_access = {
39779- smart2e_submit_command,
39780- smart2e_intr_mask,
39781- smart2e_fifo_full,
39782- smart2e_intr_pending,
39783- smart2e_completed,
39784+ .submit_command = smart2e_submit_command,
39785+ .set_intr_mask = smart2e_intr_mask,
39786+ .fifo_full = smart2e_fifo_full,
39787+ .intr_pending = smart2e_intr_pending,
39788+ .command_completed = smart2e_completed,
39789 };
39790
39791 /*
39792@@ -270,9 +270,9 @@ static unsigned long smart1_intr_pending(ctlr_info_t *h)
39793 }
39794
39795 static struct access_method smart1_access = {
39796- smart1_submit_command,
39797- smart1_intr_mask,
39798- smart1_fifo_full,
39799- smart1_intr_pending,
39800- smart1_completed,
39801+ .submit_command = smart1_submit_command,
39802+ .set_intr_mask = smart1_intr_mask,
39803+ .fifo_full = smart1_fifo_full,
39804+ .intr_pending = smart1_intr_pending,
39805+ .command_completed = smart1_completed,
39806 };
39807diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c
39808index 7a722df..54b76ab 100644
39809--- a/drivers/bluetooth/btwilink.c
39810+++ b/drivers/bluetooth/btwilink.c
39811@@ -288,7 +288,7 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
39812
39813 static int bt_ti_probe(struct platform_device *pdev)
39814 {
39815- static struct ti_st *hst;
39816+ struct ti_st *hst;
39817 struct hci_dev *hdev;
39818 int err;
39819
39820diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
39821index 5d28a45..a538f90 100644
39822--- a/drivers/cdrom/cdrom.c
39823+++ b/drivers/cdrom/cdrom.c
39824@@ -610,7 +610,6 @@ int register_cdrom(struct cdrom_device_info *cdi)
39825 ENSURE(reset, CDC_RESET);
39826 ENSURE(generic_packet, CDC_GENERIC_PACKET);
39827 cdi->mc_flags = 0;
39828- cdo->n_minors = 0;
39829 cdi->options = CDO_USE_FFLAGS;
39830
39831 if (autoclose == 1 && CDROM_CAN(CDC_CLOSE_TRAY))
39832@@ -630,8 +629,11 @@ int register_cdrom(struct cdrom_device_info *cdi)
39833 else
39834 cdi->cdda_method = CDDA_OLD;
39835
39836- if (!cdo->generic_packet)
39837- cdo->generic_packet = cdrom_dummy_generic_packet;
39838+ if (!cdo->generic_packet) {
39839+ pax_open_kernel();
39840+ *(void **)&cdo->generic_packet = cdrom_dummy_generic_packet;
39841+ pax_close_kernel();
39842+ }
39843
39844 cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name);
39845 mutex_lock(&cdrom_mutex);
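Review bot: The store `*(void **)&cdo->generic_packet = cdrom_dummy_generic_packet;` goes through a `void **` cast, so the compiler no longer checks that the dummy handler matches the member's function-pointer type. The hunk also opens a kernel write window without saying why. Add a comment above the block, for example `/* ops table is read-only after init: open a write window only to install the default handler */`. If the helper macros permit, cast to the member's own pointer type instead of `void **` so that a signature mismatch is still diagnosed. register_cdrom starts and ends outside this hunk.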
39846@@ -652,7 +654,6 @@ void unregister_cdrom(struct cdrom_device_info *cdi)
39847 if (cdi->exit)
39848 cdi->exit(cdi);
39849
39850- cdi->ops->n_minors--;
39851 cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name);
39852 }
39853
39854@@ -2126,7 +2127,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
39855 */
39856 nr = nframes;
39857 do {
39858- cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
39859+ cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
39860 if (cgc.buffer)
39861 break;
39862
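Review bot: The size passed to the new `kzalloc` is still the unchecked product `CD_FRAMESIZE_RAW * nr`, and `nr` is copied from the `nframes` argument, whose bounds are not visible in this hunk. `cgc.buffer = kcalloc(nr, CD_FRAMESIZE_RAW, GFP_KERNEL);` zeroes the buffer the same way and returns NULL if the multiplication would overflow, which the existing retry loop already handles. cdrom_read_cdda_old starts and ends outside the hunk, so any earlier clamp on `nframes` should be confirmed there.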
39863@@ -3434,7 +3435,7 @@ static int cdrom_print_info(const char *header, int val, char *info,
39864 struct cdrom_device_info *cdi;
39865 int ret;
39866
39867- ret = scnprintf(info + *pos, max_size - *pos, header);
39868+ ret = scnprintf(info + *pos, max_size - *pos, "%s", header);
39869 if (!ret)
39870 return 1;
39871
39872diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
39873index 584bc31..e64a12c 100644
39874--- a/drivers/cdrom/gdrom.c
39875+++ b/drivers/cdrom/gdrom.c
39876@@ -491,7 +491,6 @@ static struct cdrom_device_ops gdrom_ops = {
39877 .audio_ioctl = gdrom_audio_ioctl,
39878 .capability = CDC_MULTI_SESSION | CDC_MEDIA_CHANGED |
39879 CDC_RESET | CDC_DRIVE_STATUS | CDC_CD_R,
39880- .n_minors = 1,
39881 };
39882
39883 static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
39884diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
39885index a043107..1263e4a 100644
39886--- a/drivers/char/Kconfig
39887+++ b/drivers/char/Kconfig
39888@@ -17,7 +17,8 @@ config DEVMEM
39889
39890 config DEVKMEM
39891 bool "/dev/kmem virtual device support"
39892- default y
39893+ default n
39894+ depends on !GRKERNSEC_KMEM
39895 help
39896 Say Y here if you want to support the /dev/kmem device. The
39897 /dev/kmem device is rarely used, but can be used for certain
39898@@ -586,6 +587,7 @@ config DEVPORT
39899 bool
39900 depends on !M68K
39901 depends on ISA || PCI
39902+ depends on !GRKERNSEC_KMEM
39903 default y
39904
39905 source "drivers/s390/char/Kconfig"
39906diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c
39907index a48e05b..6bac831 100644
39908--- a/drivers/char/agp/compat_ioctl.c
39909+++ b/drivers/char/agp/compat_ioctl.c
39910@@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user
39911 return -ENOMEM;
39912 }
39913
39914- if (copy_from_user(usegment, (void __user *) ureserve.seg_list,
39915+ if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list,
39916 sizeof(*usegment) * ureserve.seg_count)) {
39917 kfree(usegment);
39918 kfree(ksegment);
39919diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
39920index 09f17eb..8531d2f 100644
39921--- a/drivers/char/agp/frontend.c
39922+++ b/drivers/char/agp/frontend.c
39923@@ -806,7 +806,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
39924 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
39925 return -EFAULT;
39926
39927- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
39928+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
39929 return -EFAULT;
39930
39931 client = agp_find_client_by_pid(reserve.pid);
39932@@ -836,7 +836,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
39933 if (segment == NULL)
39934 return -ENOMEM;
39935
39936- if (copy_from_user(segment, (void __user *) reserve.seg_list,
39937+ if (copy_from_user(segment, (void __force_user *) reserve.seg_list,
39938 sizeof(struct agp_segment) * reserve.seg_count)) {
39939 kfree(segment);
39940 return -EFAULT;
39941diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
39942index c6dea3f..72ae4b0 100644
39943--- a/drivers/char/agp/intel-gtt.c
39944+++ b/drivers/char/agp/intel-gtt.c
39945@@ -1408,8 +1408,8 @@ int intel_gmch_probe(struct pci_dev *bridge_pdev, struct pci_dev *gpu_pdev,
39946 }
39947 EXPORT_SYMBOL(intel_gmch_probe);
39948
39949-void intel_gtt_get(size_t *gtt_total, size_t *stolen_size,
39950- phys_addr_t *mappable_base, unsigned long *mappable_end)
39951+void intel_gtt_get(uint64_t *gtt_total, uint64_t *stolen_size,
39952+ uint64_t *mappable_base, uint64_t *mappable_end)
39953 {
39954 *gtt_total = intel_private.gtt_total_entries << PAGE_SHIFT;
39955 *stolen_size = intel_private.stolen_size;
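Review bot: Widening the out-parameters to `uint64_t` does not widen the computation in `*gtt_total = intel_private.gtt_total_entries << PAGE_SHIFT;`. The shift is evaluated in the type of `gtt_total_entries` and only the result is converted. That field's declaration is not visible here; if it is a 32-bit integer, a large aperture still truncates before the store. Casting first avoids this: `*gtt_total = (uint64_t)intel_private.gtt_total_entries << PAGE_SHIFT;`. The function body continues past the end of the hunk, and the callers and prototype must change to the new pointer types in the same patch.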
39956diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c
39957index 4f94375..413694e 100644
39958--- a/drivers/char/genrtc.c
39959+++ b/drivers/char/genrtc.c
39960@@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *file,
39961 switch (cmd) {
39962
39963 case RTC_PLL_GET:
39964+ memset(&pll, 0, sizeof(pll));
39965 if (get_rtc_pll(&pll))
39966 return -EINVAL;
39967 else
39968diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c
39969index 5c0baa9..44011b1 100644
39970--- a/drivers/char/hpet.c
39971+++ b/drivers/char/hpet.c
39972@@ -575,7 +575,7 @@ static inline unsigned long hpet_time_div(struct hpets *hpets,
39973 }
39974
39975 static int
39976-hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
39977+hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
39978 struct hpet_info *info)
39979 {
39980 struct hpet_timer __iomem *timer;
39981diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
39982index bf75f63..359fa10 100644
39983--- a/drivers/char/ipmi/ipmi_msghandler.c
39984+++ b/drivers/char/ipmi/ipmi_msghandler.c
39985@@ -436,7 +436,7 @@ struct ipmi_smi {
39986 struct proc_dir_entry *proc_dir;
39987 char proc_dir_name[10];
39988
39989- atomic_t stats[IPMI_NUM_STATS];
39990+ atomic_unchecked_t stats[IPMI_NUM_STATS];
39991
39992 /*
39993 * run_to_completion duplicate of smb_info, smi_info
39994@@ -468,9 +468,9 @@ static LIST_HEAD(smi_watchers);
39995 static DEFINE_MUTEX(smi_watchers_mutex);
39996
39997 #define ipmi_inc_stat(intf, stat) \
39998- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
39999+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
40000 #define ipmi_get_stat(intf, stat) \
40001- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
40002+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
40003
40004 static char *addr_src_to_str[] = { "invalid", "hotmod", "hardcoded", "SPMI",
40005 "ACPI", "SMBIOS", "PCI",
40006@@ -2828,7 +2828,7 @@ int ipmi_register_smi(struct ipmi_smi_handlers *handlers,
40007 INIT_LIST_HEAD(&intf->cmd_rcvrs);
40008 init_waitqueue_head(&intf->waitq);
40009 for (i = 0; i < IPMI_NUM_STATS; i++)
40010- atomic_set(&intf->stats[i], 0);
40011+ atomic_set_unchecked(&intf->stats[i], 0);
40012
40013 intf->proc_dir = NULL;
40014
40015diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
40016index 8a45e92..e41b1c7 100644
40017--- a/drivers/char/ipmi/ipmi_si_intf.c
40018+++ b/drivers/char/ipmi/ipmi_si_intf.c
40019@@ -289,7 +289,7 @@ struct smi_info {
40020 unsigned char slave_addr;
40021
40022 /* Counters and things for the proc filesystem. */
40023- atomic_t stats[SI_NUM_STATS];
40024+ atomic_unchecked_t stats[SI_NUM_STATS];
40025
40026 struct task_struct *thread;
40027
40028@@ -298,9 +298,9 @@ struct smi_info {
40029 };
40030
40031 #define smi_inc_stat(smi, stat) \
40032- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
40033+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
40034 #define smi_get_stat(smi, stat) \
40035- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
40036+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
40037
40038 #define SI_MAX_PARMS 4
40039
40040@@ -3500,7 +3500,7 @@ static int try_smi_init(struct smi_info *new_smi)
40041 atomic_set(&new_smi->req_events, 0);
40042 new_smi->run_to_completion = false;
40043 for (i = 0; i < SI_NUM_STATS; i++)
40044- atomic_set(&new_smi->stats[i], 0);
40045+ atomic_set_unchecked(&new_smi->stats[i], 0);
40046
40047 new_smi->interrupt_disabled = true;
40048 atomic_set(&new_smi->need_watch, 0);
40049diff --git a/drivers/char/mem.c b/drivers/char/mem.c
40050index 6b1721f..fda9398 100644
40051--- a/drivers/char/mem.c
40052+++ b/drivers/char/mem.c
40053@@ -18,6 +18,7 @@
40054 #include <linux/raw.h>
40055 #include <linux/tty.h>
40056 #include <linux/capability.h>
40057+#include <linux/security.h>
40058 #include <linux/ptrace.h>
40059 #include <linux/device.h>
40060 #include <linux/highmem.h>
40061@@ -36,6 +37,10 @@
40062
40063 #define DEVPORT_MINOR 4
40064
40065+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
40066+extern const struct file_operations grsec_fops;
40067+#endif
40068+
40069 static inline unsigned long size_inside_page(unsigned long start,
40070 unsigned long size)
40071 {
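Review bot: The declaration `extern const struct file_operations grsec_fops;` is written directly in mem.c, so the compiler cannot check it against the definition, which is not part of this hunk. Moving it into a header that the defining file also includes would turn a type mismatch into a build error rather than a silent one. The `#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)` guard can move with it.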
40072@@ -67,9 +72,13 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
40073
40074 while (cursor < to) {
40075 if (!devmem_is_allowed(pfn)) {
40076+#ifdef CONFIG_GRKERNSEC_KMEM
40077+ gr_handle_mem_readwrite(from, to);
40078+#else
40079 printk(KERN_INFO
40080 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
40081 current->comm, from, to);
40082+#endif
40083 return 0;
40084 }
40085 cursor += PAGE_SIZE;
40086@@ -77,6 +86,11 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
40087 }
40088 return 1;
40089 }
40090+#elif defined(CONFIG_GRKERNSEC_KMEM)
40091+static inline int range_is_allowed(unsigned long pfn, unsigned long size)
40092+{
40093+ return 0;
40094+}
40095 #else
40096 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
40097 {
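Review bot: The new `#elif defined(CONFIG_GRKERNSEC_KMEM)` variant of `range_is_allowed()` returns 0 unconditionally and carries no comment saying this is deliberate. A one-line comment such as `/* GRKERNSEC_KMEM without the per-page devmem check: refuse every range */` would keep a later reader from mistaking it for an unfinished stub. The opening `#if` of this chain and the body of the `#else` variant lie outside the hunk, so the exact configuration this branch covers should be confirmed against the full file.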
40098@@ -124,7 +138,8 @@ static ssize_t read_mem(struct file *file, char __user *buf,
40099 #endif
40100
40101 while (count > 0) {
40102- unsigned long remaining;
40103+ unsigned long remaining = 0;
40104+ char *temp;
40105
40106 sz = size_inside_page(p, count);
40107
40108@@ -140,7 +155,24 @@ static ssize_t read_mem(struct file *file, char __user *buf,
40109 if (!ptr)
40110 return -EFAULT;
40111
40112- remaining = copy_to_user(buf, ptr, sz);
40113+#ifdef CONFIG_PAX_USERCOPY
40114+ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
40115+ if (!temp) {
40116+ unxlate_dev_mem_ptr(p, ptr);
40117+ return -ENOMEM;
40118+ }
40119+ remaining = probe_kernel_read(temp, ptr, sz);
40120+#else
40121+ temp = ptr;
40122+#endif
40123+
40124+ if (!remaining)
40125+ remaining = copy_to_user(buf, temp, sz);
40126+
40127+#ifdef CONFIG_PAX_USERCOPY
40128+ kfree(temp);
40129+#endif
40130+
40131 unxlate_dev_mem_ptr(p, ptr);
40132 if (remaining)
40133 return -EFAULT;
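Review bot: `remaining` is an `unsigned long` byte count, yet under `CONFIG_PAX_USERCOPY` it now also receives the result of `probe_kernel_read()`, which reports failure as a negative error code rather than a count. The later `if (remaining)` test still works because only non-zero matters, but a separate `int err` for the probe, as the `read_kmem()` hunks of this patch use, would keep the two meanings apart. The bounce buffer is also allocated and freed on every loop iteration; since `sz` comes from `size_inside_page()`, a single allocation before the loop looks sufficient, though the loop head is outside this hunk. A comment explaining why the data is staged through a `GFP_USERCOPY` buffer instead of being copied from `ptr` directly is missing.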
40134@@ -380,9 +412,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
40135 size_t count, loff_t *ppos)
40136 {
40137 unsigned long p = *ppos;
40138- ssize_t low_count, read, sz;
40139+ ssize_t low_count, read, sz, err = 0;
40140 char *kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
40141- int err = 0;
40142
40143 read = 0;
40144 if (p < (unsigned long) high_memory) {
40145@@ -404,6 +435,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
40146 }
40147 #endif
40148 while (low_count > 0) {
40149+ char *temp;
40150+
40151 sz = size_inside_page(p, low_count);
40152
40153 /*
40154@@ -413,7 +446,23 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
40155 */
40156 kbuf = xlate_dev_kmem_ptr((void *)p);
40157
40158- if (copy_to_user(buf, kbuf, sz))
40159+#ifdef CONFIG_PAX_USERCOPY
40160+ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
40161+ if (!temp)
40162+ return -ENOMEM;
40163+ err = probe_kernel_read(temp, kbuf, sz);
40164+#else
40165+ temp = kbuf;
40166+#endif
40167+
40168+ if (!err)
40169+ err = copy_to_user(buf, temp, sz);
40170+
40171+#ifdef CONFIG_PAX_USERCOPY
40172+ kfree(temp);
40173+#endif
40174+
40175+ if (err)
40176 return -EFAULT;
40177 buf += sz;
40178 p += sz;
40179@@ -802,6 +851,9 @@ static const struct memdev {
40180 #ifdef CONFIG_PRINTK
40181 [11] = { "kmsg", 0644, &kmsg_fops, 0 },
40182 #endif
40183+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
40184+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, 0 },
40185+#endif
40186 };
40187
40188 static int memory_open(struct inode *inode, struct file *filp)
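Review bot: The new `[13]` entry gives the `grsec` node the mode `S_IRUSR | S_IWUGO`, which makes it writable by every user, and nothing in this hunk explains why that is acceptable. All access control therefore has to live in the handlers behind `grsec_fops`, which are defined elsewhere. A comment on the entry saying so, for example `/* world-writable by design: requests are authenticated in grsec_fops */` if that is indeed the case, would make the intent reviewable. The entry is also missing the space after the comma in `"grsec",S_IRUSR`.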
40189@@ -863,7 +915,7 @@ static int __init chr_dev_init(void)
40190 continue;
40191
40192 device_create(mem_class, NULL, MKDEV(MEM_MAJOR, minor),
40193- NULL, devlist[minor].name);
40194+ NULL, "%s", devlist[minor].name);
40195 }
40196
40197 return tty_init();
40198diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
40199index 9df78e2..01ba9ae 100644
40200--- a/drivers/char/nvram.c
40201+++ b/drivers/char/nvram.c
40202@@ -247,7 +247,7 @@ static ssize_t nvram_read(struct file *file, char __user *buf,
40203
40204 spin_unlock_irq(&rtc_lock);
40205
40206- if (copy_to_user(buf, contents, tmp - contents))
40207+ if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
40208 return -EFAULT;
40209
40210 *ppos = i;
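Review bot: The new guard compares `tmp - contents`, a signed pointer difference, with the unsigned `sizeof(contents)`, and reports an internal bounds violation to the caller as `-EFAULT`, the same code as a bad user pointer. Computing the length once into a `size_t len` and testing that would make the comparison explicit and shorten the over-long line: `if (len > sizeof(contents) || copy_to_user(buf, contents, len))`. A one-line comment that the check guards the buffer `contents` would explain why it is there. The same applies to `i > sizeof(tmp)` in `extract_entropy_user()` in drivers/char/random.c. The declarations of `tmp` and `contents` are outside the hunk.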
40211diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c
40212index 7680d52..073f799e 100644
40213--- a/drivers/char/pcmcia/synclink_cs.c
40214+++ b/drivers/char/pcmcia/synclink_cs.c
40215@@ -2345,7 +2345,7 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
40216
40217 if (debug_level >= DEBUG_LEVEL_INFO)
40218 printk("%s(%d):mgslpc_close(%s) entry, count=%d\n",
40219- __FILE__, __LINE__, info->device_name, port->count);
40220+ __FILE__, __LINE__, info->device_name, atomic_read(&port->count));
40221
40222 if (tty_port_close_start(port, tty, filp) == 0)
40223 goto cleanup;
40224@@ -2363,7 +2363,7 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
40225 cleanup:
40226 if (debug_level >= DEBUG_LEVEL_INFO)
40227 printk("%s(%d):mgslpc_close(%s) exit, count=%d\n", __FILE__, __LINE__,
40228- tty->driver->name, port->count);
40229+ tty->driver->name, atomic_read(&port->count));
40230 }
40231
40232 /* Wait until the transmitter is empty.
40233@@ -2505,7 +2505,7 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
40234
40235 if (debug_level >= DEBUG_LEVEL_INFO)
40236 printk("%s(%d):mgslpc_open(%s), old ref count = %d\n",
40237- __FILE__, __LINE__, tty->driver->name, port->count);
40238+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
40239
40240 /* If port is closing, signal caller to try again */
40241 if (port->flags & ASYNC_CLOSING){
40242@@ -2525,11 +2525,11 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
40243 goto cleanup;
40244 }
40245 spin_lock(&port->lock);
40246- port->count++;
40247+ atomic_inc(&port->count);
40248 spin_unlock(&port->lock);
40249 spin_unlock_irqrestore(&info->netlock, flags);
40250
40251- if (port->count == 1) {
40252+ if (atomic_read(&port->count) == 1) {
40253 /* 1st open on this device, init hardware */
40254 retval = startup(info, tty);
40255 if (retval < 0)
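Review bot: After `atomic_inc(&port->count)` the first-open test reads the counter a second time with `atomic_read(&port->count) == 1`, once both locks have been dropped, so the increment and the test are not a single step. Unless opens are serialised by something outside this hunk, two concurrent opens can both read 2 and neither calls `startup()`; the removed lines had the same shape, so the conversion keeps the gap rather than introducing it. Taking the value while the lock is held closes it: `first = atomic_inc_return(&port->count) == 1;` in place of the `atomic_inc()`, then `if (first) {`. `mgslpc_open()` starts and ends outside the hunk.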
40256@@ -3918,7 +3918,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
40257 unsigned short new_crctype;
40258
40259 /* return error if TTY interface open */
40260- if (info->port.count)
40261+ if (atomic_read(&info->port.count))
40262 return -EBUSY;
40263
40264 switch (encoding)
40265@@ -4022,7 +4022,7 @@ static int hdlcdev_open(struct net_device *dev)
40266
40267 /* arbitrate between network and tty opens */
40268 spin_lock_irqsave(&info->netlock, flags);
40269- if (info->port.count != 0 || info->netcount != 0) {
40270+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
40271 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
40272 spin_unlock_irqrestore(&info->netlock, flags);
40273 return -EBUSY;
40274@@ -4112,7 +4112,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
40275 printk("%s:hdlcdev_ioctl(%s)\n", __FILE__, dev->name);
40276
40277 /* return error if TTY interface open */
40278- if (info->port.count)
40279+ if (atomic_read(&info->port.count))
40280 return -EBUSY;
40281
40282 if (cmd != SIOCWANDEV)
40283diff --git a/drivers/char/random.c b/drivers/char/random.c
40284index d0da5d8..739fd3a 100644
40285--- a/drivers/char/random.c
40286+++ b/drivers/char/random.c
40287@@ -289,9 +289,6 @@
40288 /*
40289 * To allow fractional bits to be tracked, the entropy_count field is
40290 * denominated in units of 1/8th bits.
40291- *
40292- * 2*(ENTROPY_SHIFT + log2(poolbits)) must <= 31, or the multiply in
40293- * credit_entropy_bits() needs to be 64 bits wide.
40294 */
40295 #define ENTROPY_SHIFT 3
40296 #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
40297@@ -442,9 +439,9 @@ struct entropy_store {
40298 };
40299
40300 static void push_to_pool(struct work_struct *work);
40301-static __u32 input_pool_data[INPUT_POOL_WORDS];
40302-static __u32 blocking_pool_data[OUTPUT_POOL_WORDS];
40303-static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS];
40304+static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
40305+static __u32 blocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy;
40306+static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy;
40307
40308 static struct entropy_store input_pool = {
40309 .poolinfo = &poolinfo_table[0],
40310@@ -654,7 +651,7 @@ retry:
40311 /* The +2 corresponds to the /4 in the denominator */
40312
40313 do {
40314- unsigned int anfrac = min(pnfrac, pool_size/2);
40315+ u64 anfrac = min(pnfrac, pool_size/2);
40316 unsigned int add =
40317 ((pool_size - entropy_count)*anfrac*3) >> s;
40318
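Review bot: Declaring `anfrac` as `u64` is what makes the product `(pool_size - entropy_count)*anfrac*3` evaluate in 64 bits, but nothing at the declaration says so. An earlier hunk of this file also deletes the comment that documented the 31-bit limit on that multiply. A comment such as `/* u64 so the multiply below cannot wrap in 32 bits */` on the declaration would stop a later cleanup from narrowing it again. The shifted result is still stored in `unsigned int add`, so it is worth confirming that the value after `>> s` always fits; the definitions of `s`, `pnfrac` and `pool_size` are outside the hunk.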
40319@@ -1227,7 +1224,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
40320
40321 extract_buf(r, tmp);
40322 i = min_t(int, nbytes, EXTRACT_SIZE);
40323- if (copy_to_user(buf, tmp, i)) {
40324+ if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
40325 ret = -EFAULT;
40326 break;
40327 }
40328@@ -1668,7 +1665,7 @@ static char sysctl_bootid[16];
40329 static int proc_do_uuid(struct ctl_table *table, int write,
40330 void __user *buffer, size_t *lenp, loff_t *ppos)
40331 {
40332- struct ctl_table fake_table;
40333+ ctl_table_no_const fake_table;
40334 unsigned char buf[64], tmp_uuid[16], *uuid;
40335
40336 uuid = table->data;
40337@@ -1698,7 +1695,7 @@ static int proc_do_uuid(struct ctl_table *table, int write,
40338 static int proc_do_entropy(struct ctl_table *table, int write,
40339 void __user *buffer, size_t *lenp, loff_t *ppos)
40340 {
40341- struct ctl_table fake_table;
40342+ ctl_table_no_const fake_table;
40343 int entropy_count;
40344
40345 entropy_count = *(int *)table->data >> ENTROPY_SHIFT;
40346diff --git a/drivers/char/sonypi.c b/drivers/char/sonypi.c
40347index e496dae..3db53b6 100644
40348--- a/drivers/char/sonypi.c
40349+++ b/drivers/char/sonypi.c
40350@@ -54,6 +54,7 @@
40351
40352 #include <asm/uaccess.h>
40353 #include <asm/io.h>
40354+#include <asm/local.h>
40355
40356 #include <linux/sonypi.h>
40357
40358@@ -490,7 +491,7 @@ static struct sonypi_device {
40359 spinlock_t fifo_lock;
40360 wait_queue_head_t fifo_proc_list;
40361 struct fasync_struct *fifo_async;
40362- int open_count;
40363+ local_t open_count;
40364 int model;
40365 struct input_dev *input_jog_dev;
40366 struct input_dev *input_key_dev;
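Review bot: `open_count` changes from `int` to `local_t` without a comment giving the reason, and every access in the following hunks (`local_dec`, `local_read`, `local_inc`) is made with `sonypi_device.lock` held, so the type is not what provides the synchronisation. A field comment stating why `local_t` was chosen and that the mutex is still required, for example `/* local_t: <reason>; always accessed under ->lock */`, would prevent someone from later dropping the lock on the assumption that the counter is self-protecting. The struct definition starts and ends outside this hunk.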
40367@@ -892,7 +893,7 @@ static int sonypi_misc_fasync(int fd, struct file *filp, int on)
40368 static int sonypi_misc_release(struct inode *inode, struct file *file)
40369 {
40370 mutex_lock(&sonypi_device.lock);
40371- sonypi_device.open_count--;
40372+ local_dec(&sonypi_device.open_count);
40373 mutex_unlock(&sonypi_device.lock);
40374 return 0;
40375 }
40376@@ -901,9 +902,9 @@ static int sonypi_misc_open(struct inode *inode, struct file *file)
40377 {
40378 mutex_lock(&sonypi_device.lock);
40379 /* Flush input queue on first open */
40380- if (!sonypi_device.open_count)
40381+ if (!local_read(&sonypi_device.open_count))
40382 kfifo_reset(&sonypi_device.fifo);
40383- sonypi_device.open_count++;
40384+ local_inc(&sonypi_device.open_count);
40385 mutex_unlock(&sonypi_device.lock);
40386
40387 return 0;
40388@@ -1491,7 +1492,7 @@ static struct platform_driver sonypi_driver = {
40389
40390 static struct platform_device *sonypi_platform_device;
40391
40392-static struct dmi_system_id __initdata sonypi_dmi_table[] = {
40393+static const struct dmi_system_id __initconst sonypi_dmi_table[] = {
40394 {
40395 .ident = "Sony Vaio",
40396 .matches = {
40397diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c
40398index 565a947..dcdc06e 100644
40399--- a/drivers/char/tpm/tpm_acpi.c
40400+++ b/drivers/char/tpm/tpm_acpi.c
40401@@ -98,11 +98,12 @@ int read_log(struct tpm_bios_log *log)
40402 virt = acpi_os_map_iomem(start, len);
40403 if (!virt) {
40404 kfree(log->bios_event_log);
40405+ log->bios_event_log = NULL;
40406 printk("%s: ERROR - Unable to map memory\n", __func__);
40407 return -EIO;
40408 }
40409
40410- memcpy_fromio(log->bios_event_log, virt, len);
40411+ memcpy_fromio(log->bios_event_log, (const char __force_kernel *)virt, len);
40412
40413 acpi_os_unmap_iomem(virt, len);
40414 return 0;
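Review bot: The added cast `(const char __force_kernel *)virt` relabels the pointer returned by `acpi_os_map_iomem()` just before it is passed to `memcpy_fromio()`, and no comment says why. `memcpy_fromio()` is the accessor for I/O-mapped memory, so stripping the I/O annotation at its call site looks inverted and hides the pointer's real address space from static checkers. The declaration of `virt` is outside the hunk, so its type should be confirmed. If the cast exists only to satisfy a checker, a comment next to it should say so.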
40415diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
40416index 3a56a13..f8cbd25 100644
40417--- a/drivers/char/tpm/tpm_eventlog.c
40418+++ b/drivers/char/tpm/tpm_eventlog.c
40419@@ -95,7 +95,7 @@ static void *tpm_bios_measurements_start(struct seq_file *m, loff_t *pos)
40420 event = addr;
40421
40422 if ((event->event_type == 0 && event->event_size == 0) ||
40423- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
40424+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
40425 return NULL;
40426
40427 return addr;
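Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only correct if `limit - addr` is already known to be at least `sizeof(struct tcpa_event)`. Otherwise the subtraction wraps once it is converted to an unsigned type, and the test lets an oversized `event_size` through. That precondition may be established earlier in `tpm_bios_measurements_start()`, but it is outside this hunk. A comment stating it above the test, or an explicit `limit - addr < sizeof(struct tcpa_event) ||` term, would make the check self-contained. The same expression with `v` is added in `tpm_bios_measurements_next()` in the next hunk.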
40428@@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next(struct seq_file *m, void *v,
40429 return NULL;
40430
40431 if ((event->event_type == 0 && event->event_size == 0) ||
40432- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
40433+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
40434 return NULL;
40435
40436 (*pos)++;
40437@@ -213,7 +213,8 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
40438 int i;
40439
40440 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
40441- seq_putc(m, data[i]);
40442+ if (!seq_putc(m, data[i]))
40443+ return -EFAULT;
40444
40445 return 0;
40446 }
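Review bot: The new test `if (!seq_putc(m, data[i])) return -EFAULT;` treats a zero return as failure. If `seq_putc()` in this tree follows the usual convention of returning 0 on success and non-zero when the buffer is full, the condition is inverted and the function fails as soon as the first byte has been written. Its definition is not part of this hunk; if that convention holds, the check would need to be `if (seq_putc(m, data[i]))`. It is also worth confirming that returning an error on a full buffer does not interfere with seq_file's own overflow handling.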
40447diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
40448index d2406fe..243951a 100644
40449--- a/drivers/char/virtio_console.c
40450+++ b/drivers/char/virtio_console.c
40451@@ -685,7 +685,7 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf,
40452 if (to_user) {
40453 ssize_t ret;
40454
40455- ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
40456+ ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
40457 if (ret)
40458 return -EFAULT;
40459 } else {
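Review bot: Going by the signatures in the two hunk headers, `fill_readbuf()` already takes `char __user *out_buf` and `port_fops_read()` already receives `char __user *ubuf`, so the added casts do not appear to be needed. The `(char __force_kernel *)ubuf` cast in `port_fops_read()` relabels a user-space pointer as a kernel pointer, and `(char __force_user *)out_buf` labels it back just before `copy_to_user()`. Together they remove the address-space checking the annotations exist for. If the `to_user == false` path of `fill_readbuf()`, which is outside the hunk, is the reason, a comment should say so; otherwise passing `ubuf` and `out_buf` unchanged keeps the annotations intact.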
40460@@ -789,7 +789,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
40461 if (!port_has_data(port) && !port->host_connected)
40462 return 0;
40463
40464- return fill_readbuf(port, ubuf, count, true);
40465+ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
40466 }
40467
40468 static int wait_port_writable(struct port *port, bool nonblock)
40469diff --git a/drivers/clk/clk-composite.c b/drivers/clk/clk-composite.c
40470index 616f5ae..747bdd0 100644
40471--- a/drivers/clk/clk-composite.c
40472+++ b/drivers/clk/clk-composite.c
40473@@ -197,7 +197,7 @@ struct clk *clk_register_composite(struct device *dev, const char *name,
40474 struct clk *clk;
40475 struct clk_init_data init;
40476 struct clk_composite *composite;
40477- struct clk_ops *clk_composite_ops;
40478+ clk_ops_no_const *clk_composite_ops;
40479
40480 composite = kzalloc(sizeof(*composite), GFP_KERNEL);
40481 if (!composite)
40482diff --git a/drivers/clk/samsung/clk.h b/drivers/clk/samsung/clk.h
40483index b775fc2..2d45b64 100644
40484--- a/drivers/clk/samsung/clk.h
40485+++ b/drivers/clk/samsung/clk.h
40486@@ -260,7 +260,7 @@ struct samsung_gate_clock {
40487 #define GATE_DA(_id, dname, cname, pname, o, b, f, gf, a) \
40488 __GATE(_id, dname, cname, pname, o, b, f, gf, a)
40489
40490-#define PNAME(x) static const char *x[] __initdata
40491+#define PNAME(x) static const char * const x[] __initconst
40492
40493 /**
40494 * struct samsung_clk_reg_dump: register dump of clock controller registers.
40495diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
40496index 82449cd..dcfec30 100644
40497--- a/drivers/clk/socfpga/clk-gate.c
40498+++ b/drivers/clk/socfpga/clk-gate.c
40499@@ -22,6 +22,7 @@
40500 #include <linux/mfd/syscon.h>
40501 #include <linux/of.h>
40502 #include <linux/regmap.h>
40503+#include <asm/pgtable.h>
40504
40505 #include "clk.h"
40506
40507@@ -170,7 +171,7 @@ static int socfpga_clk_prepare(struct clk_hw *hwclk)
40508 return 0;
40509 }
40510
40511-static struct clk_ops gateclk_ops = {
40512+static clk_ops_no_const gateclk_ops __read_only = {
40513 .prepare = socfpga_clk_prepare,
40514 .recalc_rate = socfpga_clk_recalc_rate,
40515 .get_parent = socfpga_clk_get_parent,
40516@@ -203,8 +204,10 @@ static void __init __socfpga_gate_init(struct device_node *node,
40517 socfpga_clk->hw.reg = clk_mgr_base_addr + clk_gate[0];
40518 socfpga_clk->hw.bit_idx = clk_gate[1];
40519
40520- gateclk_ops.enable = clk_gate_ops.enable;
40521- gateclk_ops.disable = clk_gate_ops.disable;
40522+ pax_open_kernel();
40523+ *(void **)&gateclk_ops.enable = clk_gate_ops.enable;
40524+ *(void **)&gateclk_ops.disable = clk_gate_ops.disable;
40525+ pax_close_kernel();
40526 }
40527
40528 rc = of_property_read_u32(node, "fixed-divider", &fixed_div);
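Review bot: The assignments `*(void **)&gateclk_ops.enable = clk_gate_ops.enable;` and the matching `.disable` line go through a `void **` cast, so the compiler no longer checks that the source and destination function-pointer types agree. A short comment above `pax_open_kernel()` stating that `gateclk_ops` is `__read_only` and is patched here during init, and why the cast is required, would document the one place where the table is legitimately written. The same applies to `__socfpga_pll_init()` in clk-pll.c and to the `*(void **)&` writes in acpi-cpufreq.c, cpufreq-dt.c, cpufreq.c and cpufreq_ondemand.c. In cpufreq_ondemand.c the write is reachable after init through an exported function. `__socfpga_gate_init()` continues beyond this hunk.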
40529diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c
40530index 8f26b52..29f2a3a 100644
40531--- a/drivers/clk/socfpga/clk-pll.c
40532+++ b/drivers/clk/socfpga/clk-pll.c
40533@@ -21,6 +21,7 @@
40534 #include <linux/io.h>
40535 #include <linux/of.h>
40536 #include <linux/of_address.h>
40537+#include <asm/pgtable.h>
40538
40539 #include "clk.h"
40540
40541@@ -76,7 +77,7 @@ static u8 clk_pll_get_parent(struct clk_hw *hwclk)
40542 CLK_MGR_PLL_CLK_SRC_MASK;
40543 }
40544
40545-static struct clk_ops clk_pll_ops = {
40546+static clk_ops_no_const clk_pll_ops __read_only = {
40547 .recalc_rate = clk_pll_recalc_rate,
40548 .get_parent = clk_pll_get_parent,
40549 };
40550@@ -115,8 +116,10 @@ static __init struct clk *__socfpga_pll_init(struct device_node *node,
40551 pll_clk->hw.hw.init = &init;
40552
40553 pll_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA;
40554- clk_pll_ops.enable = clk_gate_ops.enable;
40555- clk_pll_ops.disable = clk_gate_ops.disable;
40556+ pax_open_kernel();
40557+ *(void **)&clk_pll_ops.enable = clk_gate_ops.enable;
40558+ *(void **)&clk_pll_ops.disable = clk_gate_ops.disable;
40559+ pax_close_kernel();
40560
40561 clk = clk_register(NULL, &pll_clk->hw.hw);
40562 if (WARN_ON(IS_ERR(clk))) {
40563diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
40564index 0136dfc..4cc55cb 100644
40565--- a/drivers/cpufreq/acpi-cpufreq.c
40566+++ b/drivers/cpufreq/acpi-cpufreq.c
40567@@ -675,8 +675,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
40568 data->acpi_data = per_cpu_ptr(acpi_perf_data, cpu);
40569 per_cpu(acfreq_data, cpu) = data;
40570
40571- if (cpu_has(c, X86_FEATURE_CONSTANT_TSC))
40572- acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;
40573+ if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) {
40574+ pax_open_kernel();
40575+ *(u8 *)&acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;
40576+ pax_close_kernel();
40577+ }
40578
40579 result = acpi_processor_register_performance(data->acpi_data, cpu);
40580 if (result)
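Review bot: The write `*(u8 *)&acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;` hard-codes the width of `flags` in the cast, and the declaration of that field is not visible here. If the field is or becomes wider than one byte, the cast silently updates only part of it. A `BUILD_BUG_ON(sizeof(acpi_cpufreq_driver.flags) != sizeof(u8));` next to the write would turn that into a build failure. The same cast is applied to `driver_data->flags` in cpufreq.c and three times to `p4clockmod_driver.flags` in p4-clockmod.c. `acpi_cpufreq_cpu_init()` continues beyond this hunk.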
40581@@ -810,7 +813,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
40582 policy->cur = acpi_cpufreq_guess_freq(data, policy->cpu);
40583 break;
40584 case ACPI_ADR_SPACE_FIXED_HARDWARE:
40585- acpi_cpufreq_driver.get = get_cur_freq_on_cpu;
40586+ pax_open_kernel();
40587+ *(void **)&acpi_cpufreq_driver.get = get_cur_freq_on_cpu;
40588+ pax_close_kernel();
40589 break;
40590 default:
40591 break;
40592@@ -904,8 +909,10 @@ static void __init acpi_cpufreq_boost_init(void)
40593 if (!msrs)
40594 return;
40595
40596- acpi_cpufreq_driver.boost_supported = true;
40597- acpi_cpufreq_driver.boost_enabled = boost_state(0);
40598+ pax_open_kernel();
40599+ *(bool *)&acpi_cpufreq_driver.boost_supported = true;
40600+ *(bool *)&acpi_cpufreq_driver.boost_enabled = boost_state(0);
40601+ pax_close_kernel();
40602
40603 cpu_notifier_register_begin();
40604
40605diff --git a/drivers/cpufreq/cpufreq-dt.c b/drivers/cpufreq/cpufreq-dt.c
40606index 528a82bf..78dc025 100644
40607--- a/drivers/cpufreq/cpufreq-dt.c
40608+++ b/drivers/cpufreq/cpufreq-dt.c
40609@@ -392,7 +392,9 @@ static int dt_cpufreq_probe(struct platform_device *pdev)
40610 if (!IS_ERR(cpu_reg))
40611 regulator_put(cpu_reg);
40612
40613- dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev);
40614+ pax_open_kernel();
40615+ *(void **)&dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev);
40616+ pax_close_kernel();
40617
40618 ret = cpufreq_register_driver(&dt_cpufreq_driver);
40619 if (ret)
40620diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
40621index 7a3c30c..bac142e 100644
40622--- a/drivers/cpufreq/cpufreq.c
40623+++ b/drivers/cpufreq/cpufreq.c
40624@@ -2197,7 +2197,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor)
40625 read_unlock_irqrestore(&cpufreq_driver_lock, flags);
40626
40627 mutex_lock(&cpufreq_governor_mutex);
40628- list_del(&governor->governor_list);
40629+ pax_list_del(&governor->governor_list);
40630 mutex_unlock(&cpufreq_governor_mutex);
40631 return;
40632 }
40633@@ -2412,7 +2412,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb,
40634 return NOTIFY_OK;
40635 }
40636
40637-static struct notifier_block __refdata cpufreq_cpu_notifier = {
40638+static struct notifier_block cpufreq_cpu_notifier = {
40639 .notifier_call = cpufreq_cpu_callback,
40640 };
40641
40642@@ -2452,13 +2452,17 @@ int cpufreq_boost_trigger_state(int state)
40643 return 0;
40644
40645 write_lock_irqsave(&cpufreq_driver_lock, flags);
40646- cpufreq_driver->boost_enabled = state;
40647+ pax_open_kernel();
40648+ *(bool *)&cpufreq_driver->boost_enabled = state;
40649+ pax_close_kernel();
40650 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40651
40652 ret = cpufreq_driver->set_boost(state);
40653 if (ret) {
40654 write_lock_irqsave(&cpufreq_driver_lock, flags);
40655- cpufreq_driver->boost_enabled = !state;
40656+ pax_open_kernel();
40657+ *(bool *)&cpufreq_driver->boost_enabled = !state;
40658+ pax_close_kernel();
40659 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40660
40661 pr_err("%s: Cannot %s BOOST\n",
40662@@ -2523,16 +2527,22 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
40663 cpufreq_driver = driver_data;
40664 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40665
40666- if (driver_data->setpolicy)
40667- driver_data->flags |= CPUFREQ_CONST_LOOPS;
40668+ if (driver_data->setpolicy) {
40669+ pax_open_kernel();
40670+ *(u8 *)&driver_data->flags |= CPUFREQ_CONST_LOOPS;
40671+ pax_close_kernel();
40672+ }
40673
40674 if (cpufreq_boost_supported()) {
40675 /*
40676 * Check if driver provides function to enable boost -
40677 * if not, use cpufreq_boost_set_sw as default
40678 */
40679- if (!cpufreq_driver->set_boost)
40680- cpufreq_driver->set_boost = cpufreq_boost_set_sw;
40681+ if (!cpufreq_driver->set_boost) {
40682+ pax_open_kernel();
40683+ *(void **)&cpufreq_driver->set_boost = cpufreq_boost_set_sw;
40684+ pax_close_kernel();
40685+ }
40686
40687 ret = cpufreq_sysfs_create_file(&boost.attr);
40688 if (ret) {
40689diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
40690index 57a39f8..feb9c73 100644
40691--- a/drivers/cpufreq/cpufreq_governor.c
40692+++ b/drivers/cpufreq/cpufreq_governor.c
40693@@ -378,7 +378,7 @@ static int cpufreq_governor_start(struct cpufreq_policy *policy,
40694 cs_dbs_info->enable = 1;
40695 cs_dbs_info->requested_freq = policy->cur;
40696 } else {
40697- struct od_ops *od_ops = cdata->gov_ops;
40698+ const struct od_ops *od_ops = cdata->gov_ops;
40699 struct od_cpu_dbs_info_s *od_dbs_info = cdata->get_cpu_dbs_info_s(cpu);
40700
40701 od_dbs_info->rate_mult = 1;
40702diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h
40703index 34736f5..da8cf4a 100644
40704--- a/drivers/cpufreq/cpufreq_governor.h
40705+++ b/drivers/cpufreq/cpufreq_governor.h
40706@@ -212,7 +212,7 @@ struct common_dbs_data {
40707 void (*exit)(struct dbs_data *dbs_data, bool notify);
40708
40709 /* Governor specific ops, see below */
40710- void *gov_ops;
40711+ const void *gov_ops;
40712
40713 /*
40714 * Protects governor's data (struct dbs_data and struct common_dbs_data)
40715@@ -234,7 +234,7 @@ struct od_ops {
40716 unsigned int (*powersave_bias_target)(struct cpufreq_policy *policy,
40717 unsigned int freq_next, unsigned int relation);
40718 void (*freq_increase)(struct cpufreq_policy *policy, unsigned int freq);
40719-};
40720+} __no_const;
40721
40722 static inline int delay_for_sampling_rate(unsigned int sampling_rate)
40723 {
40724diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c
40725index 3c1e10f..02f17af 100644
40726--- a/drivers/cpufreq/cpufreq_ondemand.c
40727+++ b/drivers/cpufreq/cpufreq_ondemand.c
40728@@ -523,7 +523,7 @@ static void od_exit(struct dbs_data *dbs_data, bool notify)
40729
40730 define_get_cpu_dbs_routines(od_cpu_dbs_info);
40731
40732-static struct od_ops od_ops = {
40733+static struct od_ops od_ops __read_only = {
40734 .powersave_bias_init_cpu = ondemand_powersave_bias_init_cpu,
40735 .powersave_bias_target = generic_powersave_bias_target,
40736 .freq_increase = dbs_freq_increase,
40737@@ -579,14 +579,18 @@ void od_register_powersave_bias_handler(unsigned int (*f)
40738 (struct cpufreq_policy *, unsigned int, unsigned int),
40739 unsigned int powersave_bias)
40740 {
40741- od_ops.powersave_bias_target = f;
40742+ pax_open_kernel();
40743+ *(void **)&od_ops.powersave_bias_target = f;
40744+ pax_close_kernel();
40745 od_set_powersave_bias(powersave_bias);
40746 }
40747 EXPORT_SYMBOL_GPL(od_register_powersave_bias_handler);
40748
40749 void od_unregister_powersave_bias_handler(void)
40750 {
40751- od_ops.powersave_bias_target = generic_powersave_bias_target;
40752+ pax_open_kernel();
40753+ *(void **)&od_ops.powersave_bias_target = generic_powersave_bias_target;
40754+ pax_close_kernel();
40755 od_set_powersave_bias(0);
40756 }
40757 EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
40758diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
40759index fcb929e..e628818 100644
40760--- a/drivers/cpufreq/intel_pstate.c
40761+++ b/drivers/cpufreq/intel_pstate.c
40762@@ -137,10 +137,10 @@ struct pstate_funcs {
40763 struct cpu_defaults {
40764 struct pstate_adjust_policy pid_policy;
40765 struct pstate_funcs funcs;
40766-};
40767+} __do_const;
40768
40769 static struct pstate_adjust_policy pid_params;
40770-static struct pstate_funcs pstate_funcs;
40771+static struct pstate_funcs *pstate_funcs;
40772 static int hwp_active;
40773
40774 struct perf_limits {
40775@@ -726,18 +726,18 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate, bool force)
40776
40777 cpu->pstate.current_pstate = pstate;
40778
40779- pstate_funcs.set(cpu, pstate);
40780+ pstate_funcs->set(cpu, pstate);
40781 }
40782
40783 static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
40784 {
40785- cpu->pstate.min_pstate = pstate_funcs.get_min();
40786- cpu->pstate.max_pstate = pstate_funcs.get_max();
40787- cpu->pstate.turbo_pstate = pstate_funcs.get_turbo();
40788- cpu->pstate.scaling = pstate_funcs.get_scaling();
40789+ cpu->pstate.min_pstate = pstate_funcs->get_min();
40790+ cpu->pstate.max_pstate = pstate_funcs->get_max();
40791+ cpu->pstate.turbo_pstate = pstate_funcs->get_turbo();
40792+ cpu->pstate.scaling = pstate_funcs->get_scaling();
40793
40794- if (pstate_funcs.get_vid)
40795- pstate_funcs.get_vid(cpu);
40796+ if (pstate_funcs->get_vid)
40797+ pstate_funcs->get_vid(cpu);
40798 intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate, false);
40799 }
40800
40801@@ -1070,15 +1070,15 @@ static unsigned int force_load;
40802
40803 static int intel_pstate_msrs_not_valid(void)
40804 {
40805- if (!pstate_funcs.get_max() ||
40806- !pstate_funcs.get_min() ||
40807- !pstate_funcs.get_turbo())
40808+ if (!pstate_funcs->get_max() ||
40809+ !pstate_funcs->get_min() ||
40810+ !pstate_funcs->get_turbo())
40811 return -ENODEV;
40812
40813 return 0;
40814 }
40815
40816-static void copy_pid_params(struct pstate_adjust_policy *policy)
40817+static void copy_pid_params(const struct pstate_adjust_policy *policy)
40818 {
40819 pid_params.sample_rate_ms = policy->sample_rate_ms;
40820 pid_params.p_gain_pct = policy->p_gain_pct;
40821@@ -1090,12 +1090,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy)
40822
40823 static void copy_cpu_funcs(struct pstate_funcs *funcs)
40824 {
40825- pstate_funcs.get_max = funcs->get_max;
40826- pstate_funcs.get_min = funcs->get_min;
40827- pstate_funcs.get_turbo = funcs->get_turbo;
40828- pstate_funcs.get_scaling = funcs->get_scaling;
40829- pstate_funcs.set = funcs->set;
40830- pstate_funcs.get_vid = funcs->get_vid;
40831+ pstate_funcs = funcs;
40832 }
40833
40834 #if IS_ENABLED(CONFIG_ACPI)
40835diff --git a/drivers/cpufreq/p4-clockmod.c b/drivers/cpufreq/p4-clockmod.c
40836index 5dd95da..abc3837 100644
40837--- a/drivers/cpufreq/p4-clockmod.c
40838+++ b/drivers/cpufreq/p4-clockmod.c
40839@@ -134,10 +134,14 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c)
40840 case 0x0F: /* Core Duo */
40841 case 0x16: /* Celeron Core */
40842 case 0x1C: /* Atom */
40843- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40844+ pax_open_kernel();
40845+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40846+ pax_close_kernel();
40847 return speedstep_get_frequency(SPEEDSTEP_CPU_PCORE);
40848 case 0x0D: /* Pentium M (Dothan) */
40849- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40850+ pax_open_kernel();
40851+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40852+ pax_close_kernel();
40853 /* fall through */
40854 case 0x09: /* Pentium M (Banias) */
40855 return speedstep_get_frequency(SPEEDSTEP_CPU_PM);
40856@@ -149,7 +153,9 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c)
40857
40858 /* on P-4s, the TSC runs with constant frequency independent whether
40859 * throttling is active or not. */
40860- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40861+ pax_open_kernel();
40862+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40863+ pax_close_kernel();
40864
40865 if (speedstep_detect_processor() == SPEEDSTEP_CPU_P4M) {
40866 printk(KERN_WARNING PFX "Warning: Pentium 4-M detected. "
40867diff --git a/drivers/cpufreq/sparc-us3-cpufreq.c b/drivers/cpufreq/sparc-us3-cpufreq.c
40868index 9bb42ba..b01b4a2 100644
40869--- a/drivers/cpufreq/sparc-us3-cpufreq.c
40870+++ b/drivers/cpufreq/sparc-us3-cpufreq.c
40871@@ -18,14 +18,12 @@
40872 #include <asm/head.h>
40873 #include <asm/timer.h>
40874
40875-static struct cpufreq_driver *cpufreq_us3_driver;
40876-
40877 struct us3_freq_percpu_info {
40878 struct cpufreq_frequency_table table[4];
40879 };
40880
40881 /* Indexed by cpu number. */
40882-static struct us3_freq_percpu_info *us3_freq_table;
40883+static struct us3_freq_percpu_info us3_freq_table[NR_CPUS];
40884
40885 /* UltraSPARC-III has three dividers: 1, 2, and 32. These are controlled
40886 * in the Safari config register.
40887@@ -156,16 +154,27 @@ static int __init us3_freq_cpu_init(struct cpufreq_policy *policy)
40888
40889 static int us3_freq_cpu_exit(struct cpufreq_policy *policy)
40890 {
40891- if (cpufreq_us3_driver)
40892- us3_freq_target(policy, 0);
40893+ us3_freq_target(policy, 0);
40894
40895 return 0;
40896 }
40897
40898+static int __init us3_freq_init(void);
40899+static void __exit us3_freq_exit(void);
40900+
40901+static struct cpufreq_driver cpufreq_us3_driver = {
40902+ .init = us3_freq_cpu_init,
40903+ .verify = cpufreq_generic_frequency_table_verify,
40904+ .target_index = us3_freq_target,
40905+ .get = us3_freq_get,
40906+ .exit = us3_freq_cpu_exit,
40907+ .name = "UltraSPARC-III",
40908+
40909+};
40910+
40911 static int __init us3_freq_init(void)
40912 {
40913 unsigned long manuf, impl, ver;
40914- int ret;
40915
40916 if (tlb_type != cheetah && tlb_type != cheetah_plus)
40917 return -ENODEV;
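Review bot: The forward declarations `static int __init us3_freq_init(void);` and `static void __exit us3_freq_exit(void);` added above `cpufreq_us3_driver` are not referenced by its initializer. As far as the visible hunks show, both functions are defined before anything uses them, so the prototypes can be dropped. The empty line before the closing `};` of the initializer is also stray. The body of us3_freq_init() continues in the next hunk.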
40918@@ -178,55 +187,15 @@ static int __init us3_freq_init(void)
40919 (impl == CHEETAH_IMPL ||
40920 impl == CHEETAH_PLUS_IMPL ||
40921 impl == JAGUAR_IMPL ||
40922- impl == PANTHER_IMPL)) {
40923- struct cpufreq_driver *driver;
40924-
40925- ret = -ENOMEM;
40926- driver = kzalloc(sizeof(*driver), GFP_KERNEL);
40927- if (!driver)
40928- goto err_out;
40929-
40930- us3_freq_table = kzalloc((NR_CPUS * sizeof(*us3_freq_table)),
40931- GFP_KERNEL);
40932- if (!us3_freq_table)
40933- goto err_out;
40934-
40935- driver->init = us3_freq_cpu_init;
40936- driver->verify = cpufreq_generic_frequency_table_verify;
40937- driver->target_index = us3_freq_target;
40938- driver->get = us3_freq_get;
40939- driver->exit = us3_freq_cpu_exit;
40940- strcpy(driver->name, "UltraSPARC-III");
40941-
40942- cpufreq_us3_driver = driver;
40943- ret = cpufreq_register_driver(driver);
40944- if (ret)
40945- goto err_out;
40946-
40947- return 0;
40948-
40949-err_out:
40950- if (driver) {
40951- kfree(driver);
40952- cpufreq_us3_driver = NULL;
40953- }
40954- kfree(us3_freq_table);
40955- us3_freq_table = NULL;
40956- return ret;
40957- }
40958+ impl == PANTHER_IMPL))
40959+ return cpufreq_register_driver(&cpufreq_us3_driver);
40960
40961 return -ENODEV;
40962 }
40963
40964 static void __exit us3_freq_exit(void)
40965 {
40966- if (cpufreq_us3_driver) {
40967- cpufreq_unregister_driver(cpufreq_us3_driver);
40968- kfree(cpufreq_us3_driver);
40969- cpufreq_us3_driver = NULL;
40970- kfree(us3_freq_table);
40971- us3_freq_table = NULL;
40972- }
40973+ cpufreq_unregister_driver(&cpufreq_us3_driver);
40974 }
40975
40976 MODULE_AUTHOR("David S. Miller <davem@redhat.com>");
40977diff --git a/drivers/cpufreq/speedstep-centrino.c b/drivers/cpufreq/speedstep-centrino.c
40978index 7d4a315..21bb886 100644
40979--- a/drivers/cpufreq/speedstep-centrino.c
40980+++ b/drivers/cpufreq/speedstep-centrino.c
40981@@ -351,8 +351,11 @@ static int centrino_cpu_init(struct cpufreq_policy *policy)
40982 !cpu_has(cpu, X86_FEATURE_EST))
40983 return -ENODEV;
40984
40985- if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC))
40986- centrino_driver.flags |= CPUFREQ_CONST_LOOPS;
40987+ if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC)) {
40988+ pax_open_kernel();
40989+ *(u8 *)&centrino_driver.flags |= CPUFREQ_CONST_LOOPS;
40990+ pax_close_kernel();
40991+ }
40992
40993 if (policy->cpu != 0)
40994 return -ENODEV;
40995diff --git a/drivers/cpuidle/driver.c b/drivers/cpuidle/driver.c
40996index 5db1478..e90e25e 100644
40997--- a/drivers/cpuidle/driver.c
40998+++ b/drivers/cpuidle/driver.c
40999@@ -193,7 +193,7 @@ static int poll_idle(struct cpuidle_device *dev,
41000
41001 static void poll_idle_init(struct cpuidle_driver *drv)
41002 {
41003- struct cpuidle_state *state = &drv->states[0];
41004+ cpuidle_state_no_const *state = &drv->states[0];
41005
41006 snprintf(state->name, CPUIDLE_NAME_LEN, "POLL");
41007 snprintf(state->desc, CPUIDLE_DESC_LEN, "CPUIDLE CORE POLL IDLE");
41008diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c
41009index a5c111b..1113002 100644
41010--- a/drivers/cpuidle/dt_idle_states.c
41011+++ b/drivers/cpuidle/dt_idle_states.c
41012@@ -21,7 +21,7 @@
41013
41014 #include "dt_idle_states.h"
41015
41016-static int init_state_node(struct cpuidle_state *idle_state,
41017+static int init_state_node(cpuidle_state_no_const *idle_state,
41018 const struct of_device_id *matches,
41019 struct device_node *state_node)
41020 {
41021diff --git a/drivers/cpuidle/governor.c b/drivers/cpuidle/governor.c
41022index fb9f511..213e6cc 100644
41023--- a/drivers/cpuidle/governor.c
41024+++ b/drivers/cpuidle/governor.c
41025@@ -87,7 +87,7 @@ int cpuidle_register_governor(struct cpuidle_governor *gov)
41026 mutex_lock(&cpuidle_lock);
41027 if (__cpuidle_find_governor(gov->name) == NULL) {
41028 ret = 0;
41029- list_add_tail(&gov->governor_list, &cpuidle_governors);
41030+ pax_list_add_tail((struct list_head *)&gov->governor_list, &cpuidle_governors);
41031 if (!cpuidle_curr_governor ||
41032 cpuidle_curr_governor->rating < gov->rating)
41033 cpuidle_switch_governor(gov);
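Review bot: The `(struct list_head *)` cast on `&gov->governor_list` removes whatever qualifier the patched structure carries, and nothing at the call site says why that is safe. A one-line comment would help the next reader, for example `/* governor objects may be write-protected; pax_list_add_tail() is presumably the helper that handles that */`, with the wording confirmed against the helper's definition, which is not in this hunk. The same applies to the `pax_list_add()` and `pax_list_del()` calls in the two devfreq.c hunks. cpuidle_register_governor() starts and ends outside this hunk.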
41034diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
41035index 832a2c3..1794080 100644
41036--- a/drivers/cpuidle/sysfs.c
41037+++ b/drivers/cpuidle/sysfs.c
41038@@ -135,7 +135,7 @@ static struct attribute *cpuidle_switch_attrs[] = {
41039 NULL
41040 };
41041
41042-static struct attribute_group cpuidle_attr_group = {
41043+static attribute_group_no_const cpuidle_attr_group = {
41044 .attrs = cpuidle_default_attrs,
41045 .name = "cpuidle",
41046 };
41047diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
41048index 8d2a772..33826c9 100644
41049--- a/drivers/crypto/hifn_795x.c
41050+++ b/drivers/crypto/hifn_795x.c
41051@@ -51,7 +51,7 @@ module_param_string(hifn_pll_ref, hifn_pll_ref, sizeof(hifn_pll_ref), 0444);
41052 MODULE_PARM_DESC(hifn_pll_ref,
41053 "PLL reference clock (pci[freq] or ext[freq], default ext)");
41054
41055-static atomic_t hifn_dev_number;
41056+static atomic_unchecked_t hifn_dev_number;
41057
41058 #define ACRYPTO_OP_DECRYPT 0
41059 #define ACRYPTO_OP_ENCRYPT 1
41060@@ -2577,7 +2577,7 @@ static int hifn_probe(struct pci_dev *pdev, const struct pci_device_id *id)
41061 goto err_out_disable_pci_device;
41062
41063 snprintf(name, sizeof(name), "hifn%d",
41064- atomic_inc_return(&hifn_dev_number)-1);
41065+ atomic_inc_return_unchecked(&hifn_dev_number)-1);
41066
41067 err = pci_request_regions(pdev, name);
41068 if (err)
41069diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
41070index ca1b362..01cae6a 100644
41071--- a/drivers/devfreq/devfreq.c
41072+++ b/drivers/devfreq/devfreq.c
41073@@ -672,7 +672,7 @@ int devfreq_add_governor(struct devfreq_governor *governor)
41074 goto err_out;
41075 }
41076
41077- list_add(&governor->node, &devfreq_governor_list);
41078+ pax_list_add((struct list_head *)&governor->node, &devfreq_governor_list);
41079
41080 list_for_each_entry(devfreq, &devfreq_list, node) {
41081 int ret = 0;
41082@@ -760,7 +760,7 @@ int devfreq_remove_governor(struct devfreq_governor *governor)
41083 }
41084 }
41085
41086- list_del(&governor->node);
41087+ pax_list_del((struct list_head *)&governor->node);
41088 err_out:
41089 mutex_unlock(&devfreq_list_lock);
41090
41091diff --git a/drivers/dma/sh/shdma-base.c b/drivers/dma/sh/shdma-base.c
41092index 10fcaba..326f709 100644
41093--- a/drivers/dma/sh/shdma-base.c
41094+++ b/drivers/dma/sh/shdma-base.c
41095@@ -227,8 +227,8 @@ static int shdma_alloc_chan_resources(struct dma_chan *chan)
41096 schan->slave_id = -EINVAL;
41097 }
41098
41099- schan->desc = kcalloc(NR_DESCS_PER_CHANNEL,
41100- sdev->desc_size, GFP_KERNEL);
41101+ schan->desc = kcalloc(sdev->desc_size,
41102+ NR_DESCS_PER_CHANNEL, GFP_KERNEL);
41103 if (!schan->desc) {
41104 ret = -ENOMEM;
41105 goto edescalloc;
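Review bot: The new call `kcalloc(sdev->desc_size, NR_DESCS_PER_CHANNEL, GFP_KERNEL)` passes the element size first and the count second, the reverse of the allocator's (n, size) order, and a later reader is likely to take it for a mistake and swap it back. The product is the same, so the swap must serve something outside this hunk. State the reason in a comment above the call, along the lines of `/* count and size deliberately swapped: <reason> */`. shdma_alloc_chan_resources() continues outside the hunk.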
41106diff --git a/drivers/dma/sh/shdmac.c b/drivers/dma/sh/shdmac.c
41107index 11707df..2ea96f7 100644
41108--- a/drivers/dma/sh/shdmac.c
41109+++ b/drivers/dma/sh/shdmac.c
41110@@ -513,7 +513,7 @@ static int sh_dmae_nmi_handler(struct notifier_block *self,
41111 return ret;
41112 }
41113
41114-static struct notifier_block sh_dmae_nmi_notifier __read_mostly = {
41115+static struct notifier_block sh_dmae_nmi_notifier = {
41116 .notifier_call = sh_dmae_nmi_handler,
41117
41118 /* Run before NMI debug handler and KGDB */
41119diff --git a/drivers/edac/edac_device.c b/drivers/edac/edac_device.c
41120index 592af5f..bb1d583 100644
41121--- a/drivers/edac/edac_device.c
41122+++ b/drivers/edac/edac_device.c
41123@@ -477,9 +477,9 @@ void edac_device_reset_delay_period(struct edac_device_ctl_info *edac_dev,
41124 */
41125 int edac_device_alloc_index(void)
41126 {
41127- static atomic_t device_indexes = ATOMIC_INIT(0);
41128+ static atomic_unchecked_t device_indexes = ATOMIC_INIT(0);
41129
41130- return atomic_inc_return(&device_indexes) - 1;
41131+ return atomic_inc_return_unchecked(&device_indexes) - 1;
41132 }
41133 EXPORT_SYMBOL_GPL(edac_device_alloc_index);
41134
41135diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
41136index 33df7d9..0794989 100644
41137--- a/drivers/edac/edac_mc_sysfs.c
41138+++ b/drivers/edac/edac_mc_sysfs.c
41139@@ -154,7 +154,7 @@ static const char * const edac_caps[] = {
41140 struct dev_ch_attribute {
41141 struct device_attribute attr;
41142 int channel;
41143-};
41144+} __do_const;
41145
41146 #define DEVICE_CHANNEL(_name, _mode, _show, _store, _var) \
41147 static struct dev_ch_attribute dev_attr_legacy_##_name = \
41148diff --git a/drivers/edac/edac_pci.c b/drivers/edac/edac_pci.c
41149index 2cf44b4d..6dd2dc7 100644
41150--- a/drivers/edac/edac_pci.c
41151+++ b/drivers/edac/edac_pci.c
41152@@ -29,7 +29,7 @@
41153
41154 static DEFINE_MUTEX(edac_pci_ctls_mutex);
41155 static LIST_HEAD(edac_pci_list);
41156-static atomic_t pci_indexes = ATOMIC_INIT(0);
41157+static atomic_unchecked_t pci_indexes = ATOMIC_INIT(0);
41158
41159 /*
41160 * edac_pci_alloc_ctl_info
41161@@ -315,7 +315,7 @@ EXPORT_SYMBOL_GPL(edac_pci_reset_delay_period);
41162 */
41163 int edac_pci_alloc_index(void)
41164 {
41165- return atomic_inc_return(&pci_indexes) - 1;
41166+ return atomic_inc_return_unchecked(&pci_indexes) - 1;
41167 }
41168 EXPORT_SYMBOL_GPL(edac_pci_alloc_index);
41169
41170diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
41171index 24d877f..4e30133 100644
41172--- a/drivers/edac/edac_pci_sysfs.c
41173+++ b/drivers/edac/edac_pci_sysfs.c
41174@@ -23,8 +23,8 @@ static int edac_pci_log_pe = 1; /* log PCI parity errors */
41175 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
41176 static int edac_pci_poll_msec = 1000; /* one second workq period */
41177
41178-static atomic_t pci_parity_count = ATOMIC_INIT(0);
41179-static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
41180+static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
41181+static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
41182
41183 static struct kobject *edac_pci_top_main_kobj;
41184 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
41185@@ -232,7 +232,7 @@ struct edac_pci_dev_attribute {
41186 void *value;
41187 ssize_t(*show) (void *, char *);
41188 ssize_t(*store) (void *, const char *, size_t);
41189-};
41190+} __do_const;
41191
41192 /* Set of show/store abstract level functions for PCI Parity object */
41193 static ssize_t edac_pci_dev_show(struct kobject *kobj, struct attribute *attr,
41194@@ -576,7 +576,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41195 edac_printk(KERN_CRIT, EDAC_PCI,
41196 "Signaled System Error on %s\n",
41197 pci_name(dev));
41198- atomic_inc(&pci_nonparity_count);
41199+ atomic_inc_unchecked(&pci_nonparity_count);
41200 }
41201
41202 if (status & (PCI_STATUS_PARITY)) {
41203@@ -584,7 +584,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41204 "Master Data Parity Error on %s\n",
41205 pci_name(dev));
41206
41207- atomic_inc(&pci_parity_count);
41208+ atomic_inc_unchecked(&pci_parity_count);
41209 }
41210
41211 if (status & (PCI_STATUS_DETECTED_PARITY)) {
41212@@ -592,7 +592,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41213 "Detected Parity Error on %s\n",
41214 pci_name(dev));
41215
41216- atomic_inc(&pci_parity_count);
41217+ atomic_inc_unchecked(&pci_parity_count);
41218 }
41219 }
41220
41221@@ -615,7 +615,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41222 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
41223 "Signaled System Error on %s\n",
41224 pci_name(dev));
41225- atomic_inc(&pci_nonparity_count);
41226+ atomic_inc_unchecked(&pci_nonparity_count);
41227 }
41228
41229 if (status & (PCI_STATUS_PARITY)) {
41230@@ -623,7 +623,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41231 "Master Data Parity Error on "
41232 "%s\n", pci_name(dev));
41233
41234- atomic_inc(&pci_parity_count);
41235+ atomic_inc_unchecked(&pci_parity_count);
41236 }
41237
41238 if (status & (PCI_STATUS_DETECTED_PARITY)) {
41239@@ -631,7 +631,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41240 "Detected Parity Error on %s\n",
41241 pci_name(dev));
41242
41243- atomic_inc(&pci_parity_count);
41244+ atomic_inc_unchecked(&pci_parity_count);
41245 }
41246 }
41247 }
41248@@ -669,7 +669,7 @@ void edac_pci_do_parity_check(void)
41249 if (!check_pci_errors)
41250 return;
41251
41252- before_count = atomic_read(&pci_parity_count);
41253+ before_count = atomic_read_unchecked(&pci_parity_count);
41254
41255 /* scan all PCI devices looking for a Parity Error on devices and
41256 * bridges.
41257@@ -681,7 +681,7 @@ void edac_pci_do_parity_check(void)
41258 /* Only if operator has selected panic on PCI Error */
41259 if (edac_pci_get_panic_on_pe()) {
41260 /* If the count is different 'after' from 'before' */
41261- if (before_count != atomic_read(&pci_parity_count))
41262+ if (before_count != atomic_read_unchecked(&pci_parity_count))
41263 panic("EDAC: PCI Parity Error");
41264 }
41265 }
41266diff --git a/drivers/edac/mce_amd.h b/drivers/edac/mce_amd.h
41267index c2359a1..8bd119d 100644
41268--- a/drivers/edac/mce_amd.h
41269+++ b/drivers/edac/mce_amd.h
41270@@ -74,7 +74,7 @@ struct amd_decoder_ops {
41271 bool (*mc0_mce)(u16, u8);
41272 bool (*mc1_mce)(u16, u8);
41273 bool (*mc2_mce)(u16, u8);
41274-};
41275+} __no_const;
41276
41277 void amd_report_gart_errors(bool);
41278 void amd_register_ecc_decoder(void (*f)(int, struct mce *));
41279diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c
41280index 57ea7f4..af06b76 100644
41281--- a/drivers/firewire/core-card.c
41282+++ b/drivers/firewire/core-card.c
41283@@ -528,9 +528,9 @@ void fw_card_initialize(struct fw_card *card,
41284 const struct fw_card_driver *driver,
41285 struct device *device)
41286 {
41287- static atomic_t index = ATOMIC_INIT(-1);
41288+ static atomic_unchecked_t index = ATOMIC_INIT(-1);
41289
41290- card->index = atomic_inc_return(&index);
41291+ card->index = atomic_inc_return_unchecked(&index);
41292 card->driver = driver;
41293 card->device = device;
41294 card->current_tlabel = 0;
41295@@ -680,7 +680,7 @@ EXPORT_SYMBOL_GPL(fw_card_release);
41296
41297 void fw_core_remove_card(struct fw_card *card)
41298 {
41299- struct fw_card_driver dummy_driver = dummy_driver_template;
41300+ fw_card_driver_no_const dummy_driver = dummy_driver_template;
41301
41302 card->driver->update_phy_reg(card, 4,
41303 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
41304diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
41305index f9e3aee..269dbdb 100644
41306--- a/drivers/firewire/core-device.c
41307+++ b/drivers/firewire/core-device.c
41308@@ -256,7 +256,7 @@ EXPORT_SYMBOL(fw_device_enable_phys_dma);
41309 struct config_rom_attribute {
41310 struct device_attribute attr;
41311 u32 key;
41312-};
41313+} __do_const;
41314
41315 static ssize_t show_immediate(struct device *dev,
41316 struct device_attribute *dattr, char *buf)
41317diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-transaction.c
41318index d6a09b9..18e90dd 100644
41319--- a/drivers/firewire/core-transaction.c
41320+++ b/drivers/firewire/core-transaction.c
41321@@ -38,6 +38,7 @@
41322 #include <linux/timer.h>
41323 #include <linux/types.h>
41324 #include <linux/workqueue.h>
41325+#include <linux/sched.h>
41326
41327 #include <asm/byteorder.h>
41328
41329diff --git a/drivers/firewire/core.h b/drivers/firewire/core.h
41330index e1480ff6..1a429bd 100644
41331--- a/drivers/firewire/core.h
41332+++ b/drivers/firewire/core.h
41333@@ -111,6 +111,7 @@ struct fw_card_driver {
41334
41335 int (*stop_iso)(struct fw_iso_context *ctx);
41336 };
41337+typedef struct fw_card_driver __no_const fw_card_driver_no_const;
41338
41339 void fw_card_initialize(struct fw_card *card,
41340 const struct fw_card_driver *driver, struct device *device);
41341diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
41342index f51d376..b118e40 100644
41343--- a/drivers/firewire/ohci.c
41344+++ b/drivers/firewire/ohci.c
41345@@ -2049,10 +2049,12 @@ static void bus_reset_work(struct work_struct *work)
41346 be32_to_cpu(ohci->next_header));
41347 }
41348
41349+#ifndef CONFIG_GRKERNSEC
41350 if (param_remote_dma) {
41351 reg_write(ohci, OHCI1394_PhyReqFilterHiSet, ~0);
41352 reg_write(ohci, OHCI1394_PhyReqFilterLoSet, ~0);
41353 }
41354+#endif
41355
41356 spin_unlock_irq(&ohci->lock);
41357
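Review bot: With CONFIG_GRKERNSEC set, `param_remote_dma` is silently ignored in bus_reset_work() here and in the ohci_enable_phys_dma() hunk that follows, so an administrator who set the option gets no indication that the physical request filters were left closed. Each `#ifndef` block deserves a comment such as `/* hardened config: never open the physical request filters for all nodes; remote_dma is ignored */`. If the parameter declaration (outside these hunks) stays compiled in, a one-time warning when it is set would help too. In the second hunk, compiling out the early `return 0` means ohci_enable_phys_dma() now always falls through to its per-node filter code, which continues outside the hunk. That is presumably intended, but it should be stated.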
41358@@ -2584,8 +2586,10 @@ static int ohci_enable_phys_dma(struct fw_card *card,
41359 unsigned long flags;
41360 int n, ret = 0;
41361
41362+#ifndef CONFIG_GRKERNSEC
41363 if (param_remote_dma)
41364 return 0;
41365+#endif
41366
41367 /*
41368 * FIXME: Make sure this bitmask is cleared when we clear the busReset
41369diff --git a/drivers/firmware/dmi-id.c b/drivers/firmware/dmi-id.c
41370index 94a58a0..f5eba42 100644
41371--- a/drivers/firmware/dmi-id.c
41372+++ b/drivers/firmware/dmi-id.c
41373@@ -16,7 +16,7 @@
41374 struct dmi_device_attribute{
41375 struct device_attribute dev_attr;
41376 int field;
41377-};
41378+} __do_const;
41379 #define to_dmi_dev_attr(_dev_attr) \
41380 container_of(_dev_attr, struct dmi_device_attribute, dev_attr)
41381
41382diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
41383index ac1ce4a..321745e 100644
41384--- a/drivers/firmware/dmi_scan.c
41385+++ b/drivers/firmware/dmi_scan.c
41386@@ -690,14 +690,18 @@ static int __init dmi_init(void)
41387 if (!dmi_table)
41388 goto err_tables;
41389
41390- bin_attr_smbios_entry_point.size = smbios_entry_point_size;
41391- bin_attr_smbios_entry_point.private = smbios_entry_point;
41392+ pax_open_kernel();
41393+ *(size_t *)&bin_attr_smbios_entry_point.size = smbios_entry_point_size;
41394+ *(void **)&bin_attr_smbios_entry_point.private = smbios_entry_point;
41395+ pax_close_kernel();
41396 ret = sysfs_create_bin_file(tables_kobj, &bin_attr_smbios_entry_point);
41397 if (ret)
41398 goto err_unmap;
41399
41400- bin_attr_DMI.size = dmi_len;
41401- bin_attr_DMI.private = dmi_table;
41402+ pax_open_kernel();
41403+ *(size_t *)&bin_attr_DMI.size = dmi_len;
41404+ *(void **)&bin_attr_DMI.private = dmi_table;
41405+ pax_close_kernel();
41406 ret = sysfs_create_bin_file(tables_kobj, &bin_attr_DMI);
41407 if (!ret)
41408 return 0;
41409diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
41410index d425374..1da1716 100644
41411--- a/drivers/firmware/efi/cper.c
41412+++ b/drivers/firmware/efi/cper.c
41413@@ -44,12 +44,12 @@ static char rcd_decode_str[CPER_REC_LEN];
41414 */
41415 u64 cper_next_record_id(void)
41416 {
41417- static atomic64_t seq;
41418+ static atomic64_unchecked_t seq;
41419
41420- if (!atomic64_read(&seq))
41421- atomic64_set(&seq, ((u64)get_seconds()) << 32);
41422+ if (!atomic64_read_unchecked(&seq))
41423+ atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
41424
41425- return atomic64_inc_return(&seq);
41426+ return atomic64_inc_return_unchecked(&seq);
41427 }
41428 EXPORT_SYMBOL_GPL(cper_next_record_id);
41429
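Review bot: The seeding of `seq` is a separate read followed by a set, so two first callers can both see zero. A late `atomic64_set_unchecked()` could then reset the counter after the other caller has already incremented it, giving two records the same id. The conversion to the `_unchecked` accessors keeps that window. Seeding with a single compare-and-exchange from 0, or once from an init path, would close it. A short comment should also record why overflow checking is not wanted here, e.g. `/* record id sequence, not a reference count; wrap-around is harmless */`.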
41430diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
41431index d6144e3..23f9686 100644
41432--- a/drivers/firmware/efi/efi.c
41433+++ b/drivers/firmware/efi/efi.c
41434@@ -170,14 +170,16 @@ static struct attribute_group efi_subsys_attr_group = {
41435 };
41436
41437 static struct efivars generic_efivars;
41438-static struct efivar_operations generic_ops;
41439+static efivar_operations_no_const generic_ops __read_only;
41440
41441 static int generic_ops_register(void)
41442 {
41443- generic_ops.get_variable = efi.get_variable;
41444- generic_ops.set_variable = efi.set_variable;
41445- generic_ops.get_next_variable = efi.get_next_variable;
41446- generic_ops.query_variable_store = efi_query_variable_store;
41447+ pax_open_kernel();
41448+ *(void **)&generic_ops.get_variable = efi.get_variable;
41449+ *(void **)&generic_ops.set_variable = efi.set_variable;
41450+ *(void **)&generic_ops.get_next_variable = efi.get_next_variable;
41451+ *(void **)&generic_ops.query_variable_store = efi_query_variable_store;
41452+ pax_close_kernel();
41453
41454 return efivars_register(&generic_efivars, &generic_ops, efi_kobj);
41455 }
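Review bot: The four stores through `*(void **)&generic_ops.…` erase the function-pointer types, so assigning a callback with the wrong signature would no longer be diagnosed by the compiler. Since `generic_ops` is declared with the `efivar_operations_no_const` typedef in this same hunk, plain assignments inside the write window, e.g. `generic_ops.get_variable = efi.get_variable;`, would presumably compile and keep the type check. The typedef's definition is outside this hunk, so that needs confirming. The two gpiolib.c hunks use the same `*(void **)&` stores for `irq_request_resources` and `irq_release_resources`. There the pointer comes from the caller, so a comment naming which objects are expected to be write-protected would be useful.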
41456diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c
41457index 756eca8..2336d08 100644
41458--- a/drivers/firmware/efi/efivars.c
41459+++ b/drivers/firmware/efi/efivars.c
41460@@ -590,7 +590,7 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var)
41461 static int
41462 create_efivars_bin_attributes(void)
41463 {
41464- struct bin_attribute *attr;
41465+ bin_attribute_no_const *attr;
41466 int error;
41467
41468 /* new_var */
41469diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
41470index e29560e..950c87f 100644
41471--- a/drivers/firmware/efi/libstub/arm-stub.c
41472+++ b/drivers/firmware/efi/libstub/arm-stub.c
41473@@ -13,6 +13,7 @@
41474 */
41475
41476 #include <linux/efi.h>
41477+#include <linux/sort.h>
41478 #include <asm/efi.h>
41479
41480 #include "efistub.h"
41481@@ -305,6 +306,44 @@ fail:
41482 */
41483 #define EFI_RT_VIRTUAL_BASE 0x40000000
41484
41485+static int cmp_mem_desc(const void *l, const void *r)
41486+{
41487+ const efi_memory_desc_t *left = l, *right = r;
41488+
41489+ return (left->phys_addr > right->phys_addr) ? 1 : -1;
41490+}
41491+
41492+/*
41493+ * Returns whether region @left ends exactly where region @right starts,
41494+ * or false if either argument is NULL.
41495+ */
41496+static bool regions_are_adjacent(efi_memory_desc_t *left,
41497+ efi_memory_desc_t *right)
41498+{
41499+ u64 left_end;
41500+
41501+ if (left == NULL || right == NULL)
41502+ return false;
41503+
41504+ left_end = left->phys_addr + left->num_pages * EFI_PAGE_SIZE;
41505+
41506+ return left_end == right->phys_addr;
41507+}
41508+
41509+/*
41510+ * Returns whether region @left and region @right have compatible memory type
41511+ * mapping attributes, and are both EFI_MEMORY_RUNTIME regions.
41512+ */
41513+static bool regions_have_compatible_memory_type_attrs(efi_memory_desc_t *left,
41514+ efi_memory_desc_t *right)
41515+{
41516+ static const u64 mem_type_mask = EFI_MEMORY_WB | EFI_MEMORY_WT |
41517+ EFI_MEMORY_WC | EFI_MEMORY_UC |
41518+ EFI_MEMORY_RUNTIME;
41519+
41520+ return ((left->attribute ^ right->attribute) & mem_type_mask) == 0;
41521+}
41522+
41523 /*
41524 * efi_get_virtmap() - create a virtual mapping for the EFI memory map
41525 *
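Review bot: `cmp_mem_desc()` never returns 0: for two descriptors with equal `phys_addr` it returns -1 whichever way round they are passed, which is not a consistent ordering for a sort comparator. A three-way result is a one-line change: `return (left->phys_addr > right->phys_addr) - (left->phys_addr < right->phys_addr);`. Separately, `regions_are_adjacent()` computes `left->phys_addr + left->num_pages * EFI_PAGE_SIZE` from firmware-supplied values with no overflow check. If the map is considered trusted at this stage, a comment saying so would settle the question for reviewers.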
41526@@ -317,33 +356,52 @@ void efi_get_virtmap(efi_memory_desc_t *memory_map, unsigned long map_size,
41527 int *count)
41528 {
41529 u64 efi_virt_base = EFI_RT_VIRTUAL_BASE;
41530- efi_memory_desc_t *out = runtime_map;
41531+ efi_memory_desc_t *in, *prev = NULL, *out = runtime_map;
41532 int l;
41533
41534- for (l = 0; l < map_size; l += desc_size) {
41535- efi_memory_desc_t *in = (void *)memory_map + l;
41536+ /*
41537+ * To work around potential issues with the Properties Table feature
41538+ * introduced in UEFI 2.5, which may split PE/COFF executable images
41539+ * in memory into several RuntimeServicesCode and RuntimeServicesData
41540+ * regions, we need to preserve the relative offsets between adjacent
41541+ * EFI_MEMORY_RUNTIME regions with the same memory type attributes.
41542+ * The easiest way to find adjacent regions is to sort the memory map
41543+ * before traversing it.
41544+ */
41545+ sort(memory_map, map_size / desc_size, desc_size, cmp_mem_desc, NULL);
41546+
41547+ for (l = 0; l < map_size; l += desc_size, prev = in) {
41548 u64 paddr, size;
41549
41550+ in = (void *)memory_map + l;
41551 if (!(in->attribute & EFI_MEMORY_RUNTIME))
41552 continue;
41553
41554+ paddr = in->phys_addr;
41555+ size = in->num_pages * EFI_PAGE_SIZE;
41556+
41557 /*
41558 * Make the mapping compatible with 64k pages: this allows
41559 * a 4k page size kernel to kexec a 64k page size kernel and
41560 * vice versa.
41561 */
41562- paddr = round_down(in->phys_addr, SZ_64K);
41563- size = round_up(in->num_pages * EFI_PAGE_SIZE +
41564- in->phys_addr - paddr, SZ_64K);
41565+ if (!regions_are_adjacent(prev, in) ||
41566+ !regions_have_compatible_memory_type_attrs(prev, in)) {
41567
41568- /*
41569- * Avoid wasting memory on PTEs by choosing a virtual base that
41570- * is compatible with section mappings if this region has the
41571- * appropriate size and physical alignment. (Sections are 2 MB
41572- * on 4k granule kernels)
41573- */
41574- if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M)
41575- efi_virt_base = round_up(efi_virt_base, SZ_2M);
41576+ paddr = round_down(in->phys_addr, SZ_64K);
41577+ size += in->phys_addr - paddr;
41578+
41579+ /*
41580+ * Avoid wasting memory on PTEs by choosing a virtual
41581+ * base that is compatible with section mappings if this
41582+ * region has the appropriate size and physical
41583+ * alignment. (Sections are 2 MB on 4k granule kernels)
41584+ */
41585+ if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M)
41586+ efi_virt_base = round_up(efi_virt_base, SZ_2M);
41587+ else
41588+ efi_virt_base = round_up(efi_virt_base, SZ_64K);
41589+ }
41590
41591 in->virt_addr = efi_virt_base + in->phys_addr - paddr;
41592 efi_virt_base += size;
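Review bot: The new `sort(memory_map, map_size / desc_size, desc_size, cmp_mem_desc, NULL);` reorders the caller's memory map in place, and the function's header comment (partly outside this hunk) does not mention that side effect. Any caller that walks `memory_map` after this call now sees it in physical-address order rather than firmware order. Add a line to the kernel-doc, for example `* Note: @memory_map is sorted by physical address as a side effect.`. efi_get_virtmap() continues past the end of this hunk.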
41593diff --git a/drivers/firmware/efi/runtime-map.c b/drivers/firmware/efi/runtime-map.c
41594index 5c55227..97f4978 100644
41595--- a/drivers/firmware/efi/runtime-map.c
41596+++ b/drivers/firmware/efi/runtime-map.c
41597@@ -97,7 +97,7 @@ static void map_release(struct kobject *kobj)
41598 kfree(entry);
41599 }
41600
41601-static struct kobj_type __refdata map_ktype = {
41602+static const struct kobj_type __refconst map_ktype = {
41603 .sysfs_ops = &map_attr_ops,
41604 .default_attrs = def_attrs,
41605 .release = map_release,
41606diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
41607index f1ab05e..ab51228 100644
41608--- a/drivers/firmware/google/gsmi.c
41609+++ b/drivers/firmware/google/gsmi.c
41610@@ -709,7 +709,7 @@ static u32 __init hash_oem_table_id(char s[8])
41611 return local_hash_64(input, 32);
41612 }
41613
41614-static struct dmi_system_id gsmi_dmi_table[] __initdata = {
41615+static const struct dmi_system_id gsmi_dmi_table[] __initconst = {
41616 {
41617 .ident = "Google Board",
41618 .matches = {
41619diff --git a/drivers/firmware/google/memconsole.c b/drivers/firmware/google/memconsole.c
41620index 2f569aa..26e4f39 100644
41621--- a/drivers/firmware/google/memconsole.c
41622+++ b/drivers/firmware/google/memconsole.c
41623@@ -136,7 +136,7 @@ static bool __init found_memconsole(void)
41624 return false;
41625 }
41626
41627-static struct dmi_system_id memconsole_dmi_table[] __initdata = {
41628+static const struct dmi_system_id memconsole_dmi_table[] __initconst = {
41629 {
41630 .ident = "Google Board",
41631 .matches = {
41632@@ -155,7 +155,10 @@ static int __init memconsole_init(void)
41633 if (!found_memconsole())
41634 return -ENODEV;
41635
41636- memconsole_bin_attr.size = memconsole_length;
41637+ pax_open_kernel();
41638+ *(size_t *)&memconsole_bin_attr.size = memconsole_length;
41639+ pax_close_kernel();
41640+
41641 return sysfs_create_bin_file(firmware_kobj, &memconsole_bin_attr);
41642 }
41643
41644diff --git a/drivers/firmware/memmap.c b/drivers/firmware/memmap.c
41645index 5de3ed2..d839c56 100644
41646--- a/drivers/firmware/memmap.c
41647+++ b/drivers/firmware/memmap.c
41648@@ -124,7 +124,7 @@ static void __meminit release_firmware_map_entry(struct kobject *kobj)
41649 kfree(entry);
41650 }
41651
41652-static struct kobj_type __refdata memmap_ktype = {
41653+static const struct kobj_type __refconst memmap_ktype = {
41654 .release = release_firmware_map_entry,
41655 .sysfs_ops = &memmap_attr_ops,
41656 .default_attrs = def_attrs,
41657diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c
41658index c246ac3..6867ca6 100644
41659--- a/drivers/gpio/gpio-davinci.c
41660+++ b/drivers/gpio/gpio-davinci.c
41661@@ -442,9 +442,9 @@ static struct irq_chip *davinci_gpio_get_irq_chip(unsigned int irq)
41662 return &gpio_unbanked.chip;
41663 };
41664
41665-static struct irq_chip *keystone_gpio_get_irq_chip(unsigned int irq)
41666+static irq_chip_no_const *keystone_gpio_get_irq_chip(unsigned int irq)
41667 {
41668- static struct irq_chip gpio_unbanked;
41669+ static irq_chip_no_const gpio_unbanked;
41670
41671 gpio_unbanked = *irq_get_chip(irq);
41672 return &gpio_unbanked;
41673@@ -474,7 +474,7 @@ static int davinci_gpio_irq_setup(struct platform_device *pdev)
41674 struct davinci_gpio_regs __iomem *g;
41675 struct irq_domain *irq_domain = NULL;
41676 const struct of_device_id *match;
41677- struct irq_chip *irq_chip;
41678+ irq_chip_no_const *irq_chip;
41679 gpio_get_irq_chip_cb_t gpio_get_irq_chip;
41680
41681 /*
41682diff --git a/drivers/gpio/gpio-em.c b/drivers/gpio/gpio-em.c
41683index fbf2873..0a37114 100644
41684--- a/drivers/gpio/gpio-em.c
41685+++ b/drivers/gpio/gpio-em.c
41686@@ -278,7 +278,7 @@ static int em_gio_probe(struct platform_device *pdev)
41687 struct em_gio_priv *p;
41688 struct resource *io[2], *irq[2];
41689 struct gpio_chip *gpio_chip;
41690- struct irq_chip *irq_chip;
41691+ irq_chip_no_const *irq_chip;
41692 const char *name = dev_name(&pdev->dev);
41693 int ret;
41694
41695diff --git a/drivers/gpio/gpio-ich.c b/drivers/gpio/gpio-ich.c
41696index 4ba7ed5..1536b5d 100644
41697--- a/drivers/gpio/gpio-ich.c
41698+++ b/drivers/gpio/gpio-ich.c
41699@@ -94,7 +94,7 @@ struct ichx_desc {
41700 * this option allows driver caching written output values
41701 */
41702 bool use_outlvl_cache;
41703-};
41704+} __do_const;
41705
41706 static struct {
41707 spinlock_t lock;
41708diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
41709index 61a731f..d5ca6cb 100644
41710--- a/drivers/gpio/gpio-omap.c
41711+++ b/drivers/gpio/gpio-omap.c
41712@@ -1067,7 +1067,7 @@ static void omap_gpio_mod_init(struct gpio_bank *bank)
41713 dev_err(bank->dev, "Could not get gpio dbck\n");
41714 }
41715
41716-static int omap_gpio_chip_init(struct gpio_bank *bank, struct irq_chip *irqc)
41717+static int omap_gpio_chip_init(struct gpio_bank *bank, irq_chip_no_const *irqc)
41718 {
41719 static int gpio;
41720 int irq_base = 0;
41721@@ -1150,7 +1150,7 @@ static int omap_gpio_probe(struct platform_device *pdev)
41722 const struct omap_gpio_platform_data *pdata;
41723 struct resource *res;
41724 struct gpio_bank *bank;
41725- struct irq_chip *irqc;
41726+ irq_chip_no_const *irqc;
41727 int ret;
41728
41729 match = of_match_device(of_match_ptr(omap_gpio_match), dev);
41730diff --git a/drivers/gpio/gpio-rcar.c b/drivers/gpio/gpio-rcar.c
41731index 1e14a6c..0442450 100644
41732--- a/drivers/gpio/gpio-rcar.c
41733+++ b/drivers/gpio/gpio-rcar.c
41734@@ -379,7 +379,7 @@ static int gpio_rcar_probe(struct platform_device *pdev)
41735 struct gpio_rcar_priv *p;
41736 struct resource *io, *irq;
41737 struct gpio_chip *gpio_chip;
41738- struct irq_chip *irq_chip;
41739+ irq_chip_no_const *irq_chip;
41740 struct device *dev = &pdev->dev;
41741 const char *name = dev_name(dev);
41742 int ret;
41743diff --git a/drivers/gpio/gpio-vr41xx.c b/drivers/gpio/gpio-vr41xx.c
41744index c1caa45..f0f97d2 100644
41745--- a/drivers/gpio/gpio-vr41xx.c
41746+++ b/drivers/gpio/gpio-vr41xx.c
41747@@ -224,7 +224,7 @@ static int giu_get_irq(unsigned int irq)
41748 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
41749 maskl, pendl, maskh, pendh);
41750
41751- atomic_inc(&irq_err_count);
41752+ atomic_inc_unchecked(&irq_err_count);
41753
41754 return -EINVAL;
41755 }
41756diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
41757index bf4bd1d..51154a3 100644
41758--- a/drivers/gpio/gpiolib.c
41759+++ b/drivers/gpio/gpiolib.c
41760@@ -569,8 +569,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip)
41761 }
41762
41763 if (gpiochip->irqchip) {
41764- gpiochip->irqchip->irq_request_resources = NULL;
41765- gpiochip->irqchip->irq_release_resources = NULL;
41766+ pax_open_kernel();
41767+ *(void **)&gpiochip->irqchip->irq_request_resources = NULL;
41768+ *(void **)&gpiochip->irqchip->irq_release_resources = NULL;
41769+ pax_close_kernel();
41770 gpiochip->irqchip = NULL;
41771 }
41772 }
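Review bot: The two stores written as `*(void **)&gpiochip->irqchip->irq_request_resources = NULL;` go through a `void **` cast, so the compiler no longer checks the assigned value against the member's function-pointer type. Nothing in the hunk explains why the cast and the `pax_open_kernel()`/`pax_close_kernel()` bracket are needed. A short comment above the bracket would record the intent, for example `/* irq_chip may live in read-only memory; open a write window for these two stores only */`, assuming that is the reason. The same pattern appears in the gpiochip_irqchip_add hunk that follows and would benefit from the same comment. Both function bodies extend beyond their hunks.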
41773@@ -636,8 +638,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip,
41774 gpiochip->irqchip = NULL;
41775 return -EINVAL;
41776 }
41777- irqchip->irq_request_resources = gpiochip_irq_reqres;
41778- irqchip->irq_release_resources = gpiochip_irq_relres;
41779+
41780+ pax_open_kernel();
41781+ *(void **)&irqchip->irq_request_resources = gpiochip_irq_reqres;
41782+ *(void **)&irqchip->irq_release_resources = gpiochip_irq_relres;
41783+ pax_close_kernel();
41784
41785 /*
41786 * Prepare the mapping since the irqchip shall be orthogonal to
41787diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41788index 99f158e..20b6c4c 100644
41789--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41790+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41791@@ -1071,7 +1071,7 @@ static bool amdgpu_switcheroo_can_switch(struct pci_dev *pdev)
41792 * locking inversion with the driver load path. And the access here is
41793 * completely racy anyway. So don't bother with locking for now.
41794 */
41795- return dev->open_count == 0;
41796+ return local_read(&dev->open_count) == 0;
41797 }
41798
41799 static const struct vga_switcheroo_client_ops amdgpu_switcheroo_ops = {
41800diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41801index c991973..8eb176b 100644
41802--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41803+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41804@@ -419,7 +419,7 @@ static int kfd_ioctl_set_memory_policy(struct file *filep,
41805 (args->alternate_policy == KFD_IOC_CACHE_POLICY_COHERENT)
41806 ? cache_policy_coherent : cache_policy_noncoherent;
41807
41808- if (!dev->dqm->ops.set_cache_memory_policy(dev->dqm,
41809+ if (!dev->dqm->ops->set_cache_memory_policy(dev->dqm,
41810 &pdd->qpd,
41811 default_policy,
41812 alternate_policy,
41813diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41814index 75312c8..e3684e6 100644
41815--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41816+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41817@@ -293,7 +293,7 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd,
41818 goto device_queue_manager_error;
41819 }
41820
41821- if (kfd->dqm->ops.start(kfd->dqm) != 0) {
41822+ if (kfd->dqm->ops->start(kfd->dqm) != 0) {
41823 dev_err(kfd_device,
41824 "Error starting queuen manager for device (%x:%x)\n",
41825 kfd->pdev->vendor, kfd->pdev->device);
41826@@ -349,7 +349,7 @@ void kgd2kfd_suspend(struct kfd_dev *kfd)
41827 BUG_ON(kfd == NULL);
41828
41829 if (kfd->init_complete) {
41830- kfd->dqm->ops.stop(kfd->dqm);
41831+ kfd->dqm->ops->stop(kfd->dqm);
41832 amd_iommu_set_invalidate_ctx_cb(kfd->pdev, NULL);
41833 amd_iommu_set_invalid_ppr_cb(kfd->pdev, NULL);
41834 amd_iommu_free_device(kfd->pdev);
41835@@ -372,7 +372,7 @@ int kgd2kfd_resume(struct kfd_dev *kfd)
41836 amd_iommu_set_invalidate_ctx_cb(kfd->pdev,
41837 iommu_pasid_shutdown_callback);
41838 amd_iommu_set_invalid_ppr_cb(kfd->pdev, iommu_invalid_ppr_cb);
41839- kfd->dqm->ops.start(kfd->dqm);
41840+ kfd->dqm->ops->start(kfd->dqm);
41841 }
41842
41843 return 0;
41844diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41845index 4bb7f42..320fcac 100644
41846--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41847+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41848@@ -242,7 +242,7 @@ static int create_compute_queue_nocpsch(struct device_queue_manager *dqm,
41849
41850 BUG_ON(!dqm || !q || !qpd);
41851
41852- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41853+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41854 if (mqd == NULL)
41855 return -ENOMEM;
41856
41857@@ -288,14 +288,14 @@ static int destroy_queue_nocpsch(struct device_queue_manager *dqm,
41858 mutex_lock(&dqm->lock);
41859
41860 if (q->properties.type == KFD_QUEUE_TYPE_COMPUTE) {
41861- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41862+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41863 if (mqd == NULL) {
41864 retval = -ENOMEM;
41865 goto out;
41866 }
41867 deallocate_hqd(dqm, q);
41868 } else if (q->properties.type == KFD_QUEUE_TYPE_SDMA) {
41869- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41870+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41871 if (mqd == NULL) {
41872 retval = -ENOMEM;
41873 goto out;
41874@@ -347,7 +347,7 @@ static int update_queue(struct device_queue_manager *dqm, struct queue *q)
41875 BUG_ON(!dqm || !q || !q->mqd);
41876
41877 mutex_lock(&dqm->lock);
41878- mqd = dqm->ops.get_mqd_manager(dqm,
41879+ mqd = dqm->ops->get_mqd_manager(dqm,
41880 get_mqd_type_from_queue_type(q->properties.type));
41881 if (mqd == NULL) {
41882 mutex_unlock(&dqm->lock);
41883@@ -414,7 +414,7 @@ static int register_process_nocpsch(struct device_queue_manager *dqm,
41884 mutex_lock(&dqm->lock);
41885 list_add(&n->list, &dqm->queues);
41886
41887- retval = dqm->ops_asic_specific.register_process(dqm, qpd);
41888+ retval = dqm->ops_asic_specific->register_process(dqm, qpd);
41889
41890 dqm->processes_count++;
41891
41892@@ -502,7 +502,7 @@ int init_pipelines(struct device_queue_manager *dqm,
41893
41894 memset(hpdptr, 0, CIK_HPD_EOP_BYTES * pipes_num);
41895
41896- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41897+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41898 if (mqd == NULL) {
41899 kfd_gtt_sa_free(dqm->dev, dqm->pipeline_mem);
41900 return -ENOMEM;
41901@@ -635,7 +635,7 @@ static int create_sdma_queue_nocpsch(struct device_queue_manager *dqm,
41902 struct mqd_manager *mqd;
41903 int retval;
41904
41905- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41906+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41907 if (!mqd)
41908 return -ENOMEM;
41909
41910@@ -650,7 +650,7 @@ static int create_sdma_queue_nocpsch(struct device_queue_manager *dqm,
41911 pr_debug(" sdma queue id: %d\n", q->properties.sdma_queue_id);
41912 pr_debug(" sdma engine id: %d\n", q->properties.sdma_engine_id);
41913
41914- dqm->ops_asic_specific.init_sdma_vm(dqm, q, qpd);
41915+ dqm->ops_asic_specific->init_sdma_vm(dqm, q, qpd);
41916 retval = mqd->init_mqd(mqd, &q->mqd, &q->mqd_mem_obj,
41917 &q->gart_mqd_addr, &q->properties);
41918 if (retval != 0) {
41919@@ -712,7 +712,7 @@ static int initialize_cpsch(struct device_queue_manager *dqm)
41920 dqm->queue_count = dqm->processes_count = 0;
41921 dqm->sdma_queue_count = 0;
41922 dqm->active_runlist = false;
41923- retval = dqm->ops_asic_specific.initialize(dqm);
41924+ retval = dqm->ops_asic_specific->initialize(dqm);
41925 if (retval != 0)
41926 goto fail_init_pipelines;
41927
41928@@ -879,7 +879,7 @@ static int create_queue_cpsch(struct device_queue_manager *dqm, struct queue *q,
41929 if (q->properties.type == KFD_QUEUE_TYPE_SDMA)
41930 select_sdma_engine_id(q);
41931
41932- mqd = dqm->ops.get_mqd_manager(dqm,
41933+ mqd = dqm->ops->get_mqd_manager(dqm,
41934 get_mqd_type_from_queue_type(q->properties.type));
41935
41936 if (mqd == NULL) {
41937@@ -887,7 +887,7 @@ static int create_queue_cpsch(struct device_queue_manager *dqm, struct queue *q,
41938 return -ENOMEM;
41939 }
41940
41941- dqm->ops_asic_specific.init_sdma_vm(dqm, q, qpd);
41942+ dqm->ops_asic_specific->init_sdma_vm(dqm, q, qpd);
41943 retval = mqd->init_mqd(mqd, &q->mqd, &q->mqd_mem_obj,
41944 &q->gart_mqd_addr, &q->properties);
41945 if (retval != 0)
41946@@ -1060,7 +1060,7 @@ static int destroy_queue_cpsch(struct device_queue_manager *dqm,
41947
41948 }
41949
41950- mqd = dqm->ops.get_mqd_manager(dqm,
41951+ mqd = dqm->ops->get_mqd_manager(dqm,
41952 get_mqd_type_from_queue_type(q->properties.type));
41953 if (!mqd) {
41954 retval = -ENOMEM;
41955@@ -1149,7 +1149,7 @@ static bool set_cache_memory_policy(struct device_queue_manager *dqm,
41956 qpd->sh_mem_ape1_limit = limit >> 16;
41957 }
41958
41959- retval = dqm->ops_asic_specific.set_cache_memory_policy(
41960+ retval = dqm->ops_asic_specific->set_cache_memory_policy(
41961 dqm,
41962 qpd,
41963 default_policy,
41964@@ -1172,6 +1172,36 @@ out:
41965 return false;
41966 }
41967
41968+static const struct device_queue_manager_ops cp_dqm_ops = {
41969+ .create_queue = create_queue_cpsch,
41970+ .initialize = initialize_cpsch,
41971+ .start = start_cpsch,
41972+ .stop = stop_cpsch,
41973+ .destroy_queue = destroy_queue_cpsch,
41974+ .update_queue = update_queue,
41975+ .get_mqd_manager = get_mqd_manager_nocpsch,
41976+ .register_process = register_process_nocpsch,
41977+ .unregister_process = unregister_process_nocpsch,
41978+ .uninitialize = uninitialize_nocpsch,
41979+ .create_kernel_queue = create_kernel_queue_cpsch,
41980+ .destroy_kernel_queue = destroy_kernel_queue_cpsch,
41981+ .set_cache_memory_policy = set_cache_memory_policy,
41982+};
41983+
41984+static const struct device_queue_manager_ops no_cp_dqm_ops = {
41985+ .start = start_nocpsch,
41986+ .stop = stop_nocpsch,
41987+ .create_queue = create_queue_nocpsch,
41988+ .destroy_queue = destroy_queue_nocpsch,
41989+ .update_queue = update_queue,
41990+ .get_mqd_manager = get_mqd_manager_nocpsch,
41991+ .register_process = register_process_nocpsch,
41992+ .unregister_process = unregister_process_nocpsch,
41993+ .initialize = initialize_nocpsch,
41994+ .uninitialize = uninitialize_nocpsch,
41995+ .set_cache_memory_policy = set_cache_memory_policy,
41996+};
41997+
41998 struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
41999 {
42000 struct device_queue_manager *dqm;
42001@@ -1189,33 +1219,11 @@ struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
42002 case KFD_SCHED_POLICY_HWS:
42003 case KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION:
42004 /* initialize dqm for cp scheduling */
42005- dqm->ops.create_queue = create_queue_cpsch;
42006- dqm->ops.initialize = initialize_cpsch;
42007- dqm->ops.start = start_cpsch;
42008- dqm->ops.stop = stop_cpsch;
42009- dqm->ops.destroy_queue = destroy_queue_cpsch;
42010- dqm->ops.update_queue = update_queue;
42011- dqm->ops.get_mqd_manager = get_mqd_manager_nocpsch;
42012- dqm->ops.register_process = register_process_nocpsch;
42013- dqm->ops.unregister_process = unregister_process_nocpsch;
42014- dqm->ops.uninitialize = uninitialize_nocpsch;
42015- dqm->ops.create_kernel_queue = create_kernel_queue_cpsch;
42016- dqm->ops.destroy_kernel_queue = destroy_kernel_queue_cpsch;
42017- dqm->ops.set_cache_memory_policy = set_cache_memory_policy;
42018+ dqm->ops = &cp_dqm_ops;
42019 break;
42020 case KFD_SCHED_POLICY_NO_HWS:
42021 /* initialize dqm for no cp scheduling */
42022- dqm->ops.start = start_nocpsch;
42023- dqm->ops.stop = stop_nocpsch;
42024- dqm->ops.create_queue = create_queue_nocpsch;
42025- dqm->ops.destroy_queue = destroy_queue_nocpsch;
42026- dqm->ops.update_queue = update_queue;
42027- dqm->ops.get_mqd_manager = get_mqd_manager_nocpsch;
42028- dqm->ops.register_process = register_process_nocpsch;
42029- dqm->ops.unregister_process = unregister_process_nocpsch;
42030- dqm->ops.initialize = initialize_nocpsch;
42031- dqm->ops.uninitialize = uninitialize_nocpsch;
42032- dqm->ops.set_cache_memory_policy = set_cache_memory_policy;
42033+ dqm->ops = &no_cp_dqm_ops;
42034 break;
42035 default:
42036 BUG();
42037@@ -1224,15 +1232,15 @@ struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
42038
42039 switch (dev->device_info->asic_family) {
42040 case CHIP_CARRIZO:
42041- device_queue_manager_init_vi(&dqm->ops_asic_specific);
42042+ device_queue_manager_init_vi(dqm);
42043 break;
42044
42045 case CHIP_KAVERI:
42046- device_queue_manager_init_cik(&dqm->ops_asic_specific);
42047+ device_queue_manager_init_cik(dqm);
42048 break;
42049 }
42050
42051- if (dqm->ops.initialize(dqm) != 0) {
42052+ if (dqm->ops->initialize(dqm) != 0) {
42053 kfree(dqm);
42054 return NULL;
42055 }
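Review bot: The `switch (dev->device_info->asic_family)` shown here has no `default:`, and after this change `ops_asic_specific` is a pointer that only the two listed cases assign. For any other family, the following `dqm->ops->initialize(dqm)` reaches `dqm->ops_asic_specific->initialize(dqm)` in initialize_cpsch (visible in an earlier hunk) through an unset pointer. Consider adding a `default:` that fails the init, in the same spirit as the scheduling-policy switch above, which ends in `default: BUG();`. The function starts outside this hunk, so how `dqm` is allocated and zeroed is not visible here.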
42056@@ -1244,6 +1252,6 @@ void device_queue_manager_uninit(struct device_queue_manager *dqm)
42057 {
42058 BUG_ON(!dqm);
42059
42060- dqm->ops.uninitialize(dqm);
42061+ dqm->ops->uninitialize(dqm);
42062 kfree(dqm);
42063 }
42064diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
42065index ec4036a..3ef0646 100644
42066--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
42067+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
42068@@ -154,8 +154,8 @@ struct device_queue_manager_asic_ops {
42069 */
42070
42071 struct device_queue_manager {
42072- struct device_queue_manager_ops ops;
42073- struct device_queue_manager_asic_ops ops_asic_specific;
42074+ struct device_queue_manager_ops *ops;
42075+ struct device_queue_manager_asic_ops *ops_asic_specific;
42076
42077 struct mqd_manager *mqds[KFD_MQD_TYPE_MAX];
42078 struct packet_manager packets;
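Review bot: The two new members are declared as pointers to non-const structs, while the tables they are assigned from elsewhere in this patch (`cp_dqm_ops`, `no_cp_dqm_ops`, `cik_dqm_asic_ops`, `vi_dqm_asic_ops`) are all `static const`. Unless the build makes these ops types implicitly const, each `dqm->ops = &cp_dqm_ops;` style assignment discards a qualifier, and the declaration still reads as if callers may write through the pointer. Declaring them as `const struct device_queue_manager_ops *ops;` and `const struct device_queue_manager_asic_ops *ops_asic_specific;` states the read-only intent in the type itself.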
42079@@ -178,8 +178,8 @@ struct device_queue_manager {
42080 bool active_runlist;
42081 };
42082
42083-void device_queue_manager_init_cik(struct device_queue_manager_asic_ops *ops);
42084-void device_queue_manager_init_vi(struct device_queue_manager_asic_ops *ops);
42085+void device_queue_manager_init_cik(struct device_queue_manager *dqm);
42086+void device_queue_manager_init_vi(struct device_queue_manager *dqm);
42087 void program_sh_mem_settings(struct device_queue_manager *dqm,
42088 struct qcm_process_device *qpd);
42089 int init_pipelines(struct device_queue_manager *dqm,
42090diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
42091index 9ce8a20..1ca4e22 100644
42092--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
42093+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
42094@@ -36,12 +36,16 @@ static int initialize_cpsch_cik(struct device_queue_manager *dqm);
42095 static void init_sdma_vm(struct device_queue_manager *dqm, struct queue *q,
42096 struct qcm_process_device *qpd);
42097
42098-void device_queue_manager_init_cik(struct device_queue_manager_asic_ops *ops)
42099+static const struct device_queue_manager_asic_ops cik_dqm_asic_ops = {
42100+ .set_cache_memory_policy = set_cache_memory_policy_cik,
42101+ .register_process = register_process_cik,
42102+ .initialize = initialize_cpsch_cik,
42103+ .init_sdma_vm = init_sdma_vm,
42104+};
42105+
42106+void device_queue_manager_init_cik(struct device_queue_manager *dqm)
42107 {
42108- ops->set_cache_memory_policy = set_cache_memory_policy_cik;
42109- ops->register_process = register_process_cik;
42110- ops->initialize = initialize_cpsch_cik;
42111- ops->init_sdma_vm = init_sdma_vm;
42112+ dqm->ops_asic_specific = &cik_dqm_asic_ops;
42113 }
42114
42115 static uint32_t compute_sh_mem_bases_64bit(unsigned int top_address_nybble)
42116diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
42117index 4c15212..61bfab8 100644
42118--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
42119+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
42120@@ -35,14 +35,18 @@ static int initialize_cpsch_vi(struct device_queue_manager *dqm);
42121 static void init_sdma_vm(struct device_queue_manager *dqm, struct queue *q,
42122 struct qcm_process_device *qpd);
42123
42124-void device_queue_manager_init_vi(struct device_queue_manager_asic_ops *ops)
42125+static const struct device_queue_manager_asic_ops vi_dqm_asic_ops = {
42126+ .set_cache_memory_policy = set_cache_memory_policy_vi,
42127+ .register_process = register_process_vi,
42128+ .initialize = initialize_cpsch_vi,
42129+ .init_sdma_vm = init_sdma_vm,
42130+};
42131+
42132+void device_queue_manager_init_vi(struct device_queue_manager *dqm)
42133 {
42134 pr_warn("amdkfd: VI DQM is not currently supported\n");
42135
42136- ops->set_cache_memory_policy = set_cache_memory_policy_vi;
42137- ops->register_process = register_process_vi;
42138- ops->initialize = initialize_cpsch_vi;
42139- ops->init_sdma_vm = init_sdma_vm;
42140+ dqm->ops_asic_specific = &vi_dqm_asic_ops;
42141 }
42142
42143 static bool set_cache_memory_policy_vi(struct device_queue_manager *dqm,
42144diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c b/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
42145index 7f134aa..cd34d4a 100644
42146--- a/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
42147+++ b/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
42148@@ -50,8 +50,8 @@ static void interrupt_wq(struct work_struct *);
42149
42150 int kfd_interrupt_init(struct kfd_dev *kfd)
42151 {
42152- void *interrupt_ring = kmalloc_array(KFD_INTERRUPT_RING_SIZE,
42153- kfd->device_info->ih_ring_entry_size,
42154+ void *interrupt_ring = kmalloc_array(kfd->device_info->ih_ring_entry_size,
42155+ KFD_INTERRUPT_RING_SIZE,
42156 GFP_KERNEL);
42157 if (!interrupt_ring)
42158 return -ENOMEM;
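Review bot: The swapped arguments now pass `kfd->device_info->ih_ring_entry_size` in kmalloc_array()'s element-count position and `KFD_INTERRUPT_RING_SIZE` in the element-size position, which reads backwards against the `(n, size, flags)` parameter order if the macro is the entry count, as its name suggests. The product and the overflow check are the same in either order, so the reason for the swap is not evident from the hunk. A one-line comment above the call saying why the constant must be the second argument would keep a later cleanup from silently reverting it.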
42159diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
42160index 8fa8941..5ae07df 100644
42161--- a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
42162+++ b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
42163@@ -56,7 +56,7 @@ static bool initialize(struct kernel_queue *kq, struct kfd_dev *dev,
42164 switch (type) {
42165 case KFD_QUEUE_TYPE_DIQ:
42166 case KFD_QUEUE_TYPE_HIQ:
42167- kq->mqd = dev->dqm->ops.get_mqd_manager(dev->dqm,
42168+ kq->mqd = dev->dqm->ops->get_mqd_manager(dev->dqm,
42169 KFD_MQD_TYPE_HIQ);
42170 break;
42171 default:
42172diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
42173index 5940531..a75b0e5 100644
42174--- a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
42175+++ b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
42176@@ -62,7 +62,7 @@ struct kernel_queue_ops {
42177
42178 void (*submit_packet)(struct kernel_queue *kq);
42179 void (*rollback_packet)(struct kernel_queue *kq);
42180-};
42181+} __no_const;
42182
42183 struct kernel_queue {
42184 struct kernel_queue_ops ops;
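Review bot: Marking `struct kernel_queue_ops` as `__no_const` keeps this function-pointer table writable, and the context line shows it is still embedded by value in `struct kernel_queue`. The device_queue_manager ops in the same patch were instead converted to `static const` tables reached through a pointer. If the kernel_queue ops are also fixed per ASIC at init time (not visible from this hunk), the same conversion would remove another set of writable function pointers from a heap object. If they really must be filled in at run time, a comment next to `__no_const` saying so would help.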
42185diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
42186index 7b69070..d7bd78b 100644
42187--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
42188+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
42189@@ -194,7 +194,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
42190
42191 if (list_empty(&pqm->queues)) {
42192 pdd->qpd.pqm = pqm;
42193- dev->dqm->ops.register_process(dev->dqm, &pdd->qpd);
42194+ dev->dqm->ops->register_process(dev->dqm, &pdd->qpd);
42195 }
42196
42197 pqn = kzalloc(sizeof(struct process_queue_node), GFP_KERNEL);
42198@@ -220,7 +220,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
42199 goto err_create_queue;
42200 pqn->q = q;
42201 pqn->kq = NULL;
42202- retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd,
42203+ retval = dev->dqm->ops->create_queue(dev->dqm, q, &pdd->qpd,
42204 &q->properties.vmid);
42205 pr_debug("DQM returned %d for create_queue\n", retval);
42206 print_queue(q);
42207@@ -234,7 +234,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
42208 kq->queue->properties.queue_id = *qid;
42209 pqn->kq = kq;
42210 pqn->q = NULL;
42211- retval = dev->dqm->ops.create_kernel_queue(dev->dqm,
42212+ retval = dev->dqm->ops->create_kernel_queue(dev->dqm,
42213 kq, &pdd->qpd);
42214 break;
42215 default:
42216@@ -265,7 +265,7 @@ err_allocate_pqn:
42217 /* check if queues list is empty unregister process from device */
42218 clear_bit(*qid, pqm->queue_slot_bitmap);
42219 if (list_empty(&pqm->queues))
42220- dev->dqm->ops.unregister_process(dev->dqm, &pdd->qpd);
42221+ dev->dqm->ops->unregister_process(dev->dqm, &pdd->qpd);
42222 return retval;
42223 }
42224
42225@@ -306,13 +306,13 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
42226 if (pqn->kq) {
42227 /* destroy kernel queue (DIQ) */
42228 dqm = pqn->kq->dev->dqm;
42229- dqm->ops.destroy_kernel_queue(dqm, pqn->kq, &pdd->qpd);
42230+ dqm->ops->destroy_kernel_queue(dqm, pqn->kq, &pdd->qpd);
42231 kernel_queue_uninit(pqn->kq);
42232 }
42233
42234 if (pqn->q) {
42235 dqm = pqn->q->device->dqm;
42236- retval = dqm->ops.destroy_queue(dqm, &pdd->qpd, pqn->q);
42237+ retval = dqm->ops->destroy_queue(dqm, &pdd->qpd, pqn->q);
42238 if (retval != 0)
42239 return retval;
42240
42241@@ -324,7 +324,7 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
42242 clear_bit(qid, pqm->queue_slot_bitmap);
42243
42244 if (list_empty(&pqm->queues))
42245- dqm->ops.unregister_process(dqm, &pdd->qpd);
42246+ dqm->ops->unregister_process(dqm, &pdd->qpd);
42247
42248 return retval;
42249 }
42250@@ -349,7 +349,7 @@ int pqm_update_queue(struct process_queue_manager *pqm, unsigned int qid,
42251 pqn->q->properties.queue_percent = p->queue_percent;
42252 pqn->q->properties.priority = p->priority;
42253
42254- retval = pqn->q->device->dqm->ops.update_queue(pqn->q->device->dqm,
42255+ retval = pqn->q->device->dqm->ops->update_queue(pqn->q->device->dqm,
42256 pqn->q);
42257 if (retval != 0)
42258 return retval;
42259diff --git a/drivers/gpu/drm/drm_context.c b/drivers/gpu/drm/drm_context.c
42260index 9b23525..65f4110 100644
42261--- a/drivers/gpu/drm/drm_context.c
42262+++ b/drivers/gpu/drm/drm_context.c
42263@@ -53,6 +53,9 @@ struct drm_ctx_list {
42264 */
42265 void drm_legacy_ctxbitmap_free(struct drm_device * dev, int ctx_handle)
42266 {
42267+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42268+ return;
42269+
42270 mutex_lock(&dev->struct_mutex);
42271 idr_remove(&dev->ctx_idr, ctx_handle);
42272 mutex_unlock(&dev->struct_mutex);
42273@@ -87,6 +90,9 @@ static int drm_legacy_ctxbitmap_next(struct drm_device * dev)
42274 */
42275 int drm_legacy_ctxbitmap_init(struct drm_device * dev)
42276 {
42277+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42278+ return -EINVAL;
42279+
42280 idr_init(&dev->ctx_idr);
42281 return 0;
42282 }
42283@@ -101,6 +107,9 @@ int drm_legacy_ctxbitmap_init(struct drm_device * dev)
42284 */
42285 void drm_legacy_ctxbitmap_cleanup(struct drm_device * dev)
42286 {
42287+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42288+ return;
42289+
42290 mutex_lock(&dev->struct_mutex);
42291 idr_destroy(&dev->ctx_idr);
42292 mutex_unlock(&dev->struct_mutex);
42293@@ -119,11 +128,14 @@ void drm_legacy_ctxbitmap_flush(struct drm_device *dev, struct drm_file *file)
42294 {
42295 struct drm_ctx_list *pos, *tmp;
42296
42297+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42298+ return;
42299+
42300 mutex_lock(&dev->ctxlist_mutex);
42301
42302 list_for_each_entry_safe(pos, tmp, &dev->ctxlist, head) {
42303 if (pos->tag == file &&
42304- pos->handle != DRM_KERNEL_CONTEXT) {
42305+ _DRM_LOCKING_CONTEXT(pos->handle) != DRM_KERNEL_CONTEXT) {
42306 if (dev->driver->context_dtor)
42307 dev->driver->context_dtor(dev, pos->handle);
42308
42309@@ -161,6 +173,9 @@ int drm_legacy_getsareactx(struct drm_device *dev, void *data,
42310 struct drm_local_map *map;
42311 struct drm_map_list *_entry;
42312
42313+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42314+ return -EINVAL;
42315+
42316 mutex_lock(&dev->struct_mutex);
42317
42318 map = idr_find(&dev->ctx_idr, request->ctx_id);
42319@@ -205,6 +220,9 @@ int drm_legacy_setsareactx(struct drm_device *dev, void *data,
42320 struct drm_local_map *map = NULL;
42321 struct drm_map_list *r_list = NULL;
42322
42323+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42324+ return -EINVAL;
42325+
42326 mutex_lock(&dev->struct_mutex);
42327 list_for_each_entry(r_list, &dev->maplist, head) {
42328 if (r_list->map
42329@@ -277,7 +295,13 @@ static int drm_context_switch_complete(struct drm_device *dev,
42330 {
42331 dev->last_context = new; /* PRE/POST: This is the _only_ writer. */
42332
42333- if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) {
42334+ if (file_priv->master->lock.hw_lock == NULL) {
42335+ DRM_ERROR(
42336+ "Device has been unregistered. Hard exit. Process %d\n",
42337+ task_pid_nr(current));
42338+ send_sig(SIGTERM, current, 0);
42339+ return -EPERM;
42340+ } else if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) {
42341 DRM_ERROR("Lock isn't held after context switch\n");
42342 }
42343
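Review bot: The new `hw_lock == NULL` branch returns -EPERM only after `dev->last_context = new;` has already run, so the device records a context switch that was then refused. The visible caller drm_legacy_newctx invokes `drm_context_switch_complete(dev, file_priv, ctx->handle);` as a bare statement, so the new error code is dropped there. Consider moving the NULL check above the `last_context` store and propagating the return value in drm_legacy_newctx. Note also that `file_priv->master` is dereferenced without a check of its own; whether it can be NULL on this path is not visible in the hunk.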
42344@@ -305,6 +329,9 @@ int drm_legacy_resctx(struct drm_device *dev, void *data,
42345 struct drm_ctx ctx;
42346 int i;
42347
42348+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42349+ return -EINVAL;
42350+
42351 if (res->count >= DRM_RESERVED_CONTEXTS) {
42352 memset(&ctx, 0, sizeof(ctx));
42353 for (i = 0; i < DRM_RESERVED_CONTEXTS; i++) {
42354@@ -335,8 +362,11 @@ int drm_legacy_addctx(struct drm_device *dev, void *data,
42355 struct drm_ctx_list *ctx_entry;
42356 struct drm_ctx *ctx = data;
42357
42358+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42359+ return -EINVAL;
42360+
42361 ctx->handle = drm_legacy_ctxbitmap_next(dev);
42362- if (ctx->handle == DRM_KERNEL_CONTEXT) {
42363+ if (_DRM_LOCKING_CONTEXT(ctx->handle) == DRM_KERNEL_CONTEXT) {
42364 /* Skip kernel's context and get a new one. */
42365 ctx->handle = drm_legacy_ctxbitmap_next(dev);
42366 }
42367@@ -378,6 +408,9 @@ int drm_legacy_getctx(struct drm_device *dev, void *data,
42368 {
42369 struct drm_ctx *ctx = data;
42370
42371+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42372+ return -EINVAL;
42373+
42374 /* This is 0, because we don't handle any context flags */
42375 ctx->flags = 0;
42376
42377@@ -400,6 +433,9 @@ int drm_legacy_switchctx(struct drm_device *dev, void *data,
42378 {
42379 struct drm_ctx *ctx = data;
42380
42381+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42382+ return -EINVAL;
42383+
42384 DRM_DEBUG("%d\n", ctx->handle);
42385 return drm_context_switch(dev, dev->last_context, ctx->handle);
42386 }
42387@@ -420,6 +456,9 @@ int drm_legacy_newctx(struct drm_device *dev, void *data,
42388 {
42389 struct drm_ctx *ctx = data;
42390
42391+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42392+ return -EINVAL;
42393+
42394 DRM_DEBUG("%d\n", ctx->handle);
42395 drm_context_switch_complete(dev, file_priv, ctx->handle);
42396
42397@@ -442,8 +481,11 @@ int drm_legacy_rmctx(struct drm_device *dev, void *data,
42398 {
42399 struct drm_ctx *ctx = data;
42400
42401+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42402+ return -EINVAL;
42403+
42404 DRM_DEBUG("%d\n", ctx->handle);
42405- if (ctx->handle != DRM_KERNEL_CONTEXT) {
42406+ if (_DRM_LOCKING_CONTEXT(ctx->handle) != DRM_KERNEL_CONTEXT) {
42407 if (dev->driver->context_dtor)
42408 dev->driver->context_dtor(dev, ctx->handle);
42409 drm_legacy_ctxbitmap_free(dev, ctx->handle);
42410diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
42411index fed7483..5bc0335 100644
42412--- a/drivers/gpu/drm/drm_crtc.c
42413+++ b/drivers/gpu/drm/drm_crtc.c
42414@@ -4174,7 +4174,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
42415 goto done;
42416 }
42417
42418- if (copy_to_user(&enum_ptr[copied].name,
42419+ if (copy_to_user(enum_ptr[copied].name,
42420 &prop_enum->name, DRM_PROP_NAME_LEN)) {
42421 ret = -EFAULT;
42422 goto done;
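Review bot: The destination was changed to `enum_ptr[copied].name`, but the source is still written `&prop_enum->name`, so the two arguments of one copy_to_user() call now use different forms for what appear to be the same kind of array member. If both `name` fields are char arrays of DRM_PROP_NAME_LEN (not shown here), both forms give the same address, and `copy_to_user(enum_ptr[copied].name, prop_enum->name, DRM_PROP_NAME_LEN)` would be consistent and keep the element type visible to any pointer-type checking.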
42423diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
42424index b7bf4ce..585cf3b 100644
42425--- a/drivers/gpu/drm/drm_drv.c
42426+++ b/drivers/gpu/drm/drm_drv.c
42427@@ -434,7 +434,7 @@ void drm_unplug_dev(struct drm_device *dev)
42428
42429 drm_device_set_unplugged(dev);
42430
42431- if (dev->open_count == 0) {
42432+ if (local_read(&dev->open_count) == 0) {
42433 drm_put_dev(dev);
42434 }
42435 mutex_unlock(&drm_global_mutex);
42436@@ -582,10 +582,13 @@ struct drm_device *drm_dev_alloc(struct drm_driver *driver,
42437 if (drm_ht_create(&dev->map_hash, 12))
42438 goto err_minors;
42439
42440- ret = drm_legacy_ctxbitmap_init(dev);
42441- if (ret) {
42442- DRM_ERROR("Cannot allocate memory for context bitmap.\n");
42443- goto err_ht;
42444+ if (drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT)) {
42445+ ret = drm_legacy_ctxbitmap_init(dev);
42446+ if (ret) {
42447+ DRM_ERROR(
42448+ "Cannot allocate memory for context bitmap.\n");
42449+ goto err_ht;
42450+ }
42451 }
42452
42453 if (drm_core_check_feature(dev, DRIVER_GEM)) {
42454diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
42455index c59ce4d..056d413 100644
42456--- a/drivers/gpu/drm/drm_fops.c
42457+++ b/drivers/gpu/drm/drm_fops.c
42458@@ -89,7 +89,7 @@ int drm_open(struct inode *inode, struct file *filp)
42459 return PTR_ERR(minor);
42460
42461 dev = minor->dev;
42462- if (!dev->open_count++)
42463+ if (local_inc_return(&dev->open_count) == 1)
42464 need_setup = 1;
42465
42466 /* share address_space across all char-devs of a single device */
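Review bot: `local_inc_return(&dev->open_count) == 1` uses the local_t API, whose operations are only guaranteed atomic with respect to the CPU they execute on, whereas `open_count` is a per-device counter that different CPUs can update. If every writer is serialized by `drm_global_mutex` this is harmless; that is visible for drm_release in a later hunk but not for drm_open here. In that case a comment on the field naming the lock would make the choice of type clear. If not, `atomic_t` with `atomic_inc_return()` and `atomic_dec_and_test()` is the type meant for this, and it is what the drm_global.c hunks of this patch use for `refcount`.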
42467@@ -106,7 +106,7 @@ int drm_open(struct inode *inode, struct file *filp)
42468 return 0;
42469
42470 err_undo:
42471- dev->open_count--;
42472+ local_dec(&dev->open_count);
42473 drm_minor_release(minor);
42474 return retcode;
42475 }
42476@@ -377,7 +377,7 @@ int drm_release(struct inode *inode, struct file *filp)
42477
42478 mutex_lock(&drm_global_mutex);
42479
42480- DRM_DEBUG("open_count = %d\n", dev->open_count);
42481+ DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));
42482
42483 mutex_lock(&dev->struct_mutex);
42484 list_del(&file_priv->lhead);
42485@@ -392,10 +392,10 @@ int drm_release(struct inode *inode, struct file *filp)
42486 * Begin inline drm_release
42487 */
42488
42489- DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
42490+ DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %ld\n",
42491 task_pid_nr(current),
42492 (long)old_encode_dev(file_priv->minor->kdev->devt),
42493- dev->open_count);
42494+ local_read(&dev->open_count));
42495
42496 /* if the master has gone away we can't do anything with the lock */
42497 if (file_priv->minor->master)
42498@@ -465,7 +465,7 @@ int drm_release(struct inode *inode, struct file *filp)
42499 * End inline drm_release
42500 */
42501
42502- if (!--dev->open_count) {
42503+ if (local_dec_and_test(&dev->open_count)) {
42504 retcode = drm_lastclose(dev);
42505 if (drm_device_is_unplugged(dev))
42506 drm_put_dev(dev);
42507diff --git a/drivers/gpu/drm/drm_global.c b/drivers/gpu/drm/drm_global.c
42508index 3d2e91c..d31c4c9 100644
42509--- a/drivers/gpu/drm/drm_global.c
42510+++ b/drivers/gpu/drm/drm_global.c
42511@@ -36,7 +36,7 @@
42512 struct drm_global_item {
42513 struct mutex mutex;
42514 void *object;
42515- int refcount;
42516+ atomic_t refcount;
42517 };
42518
42519 static struct drm_global_item glob[DRM_GLOBAL_NUM];
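Review bot: The `atomic_t refcount;` field has no comment explaining why it is atomic, even though the accesses shown in the later drm_global_item_ref and drm_global_item_unref hunks all sit between `mutex_lock(&item->mutex)` and the matching unlock. The `atomic_read(...) == 0` test followed by a separate `atomic_inc()` in drm_global_item_ref is only correct because of that mutex, not because the type is atomic. A field comment such as `/* serialized by mutex; atomic_t used for the checked counter type, not for lock-free access */` would stop a reader from assuming the counter may be touched without the lock. That wording assumes overflow checking is the motivation, which the hunk itself does not state.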
42520@@ -49,7 +49,7 @@ void drm_global_init(void)
42521 struct drm_global_item *item = &glob[i];
42522 mutex_init(&item->mutex);
42523 item->object = NULL;
42524- item->refcount = 0;
42525+ atomic_set(&item->refcount, 0);
42526 }
42527 }
42528
42529@@ -59,7 +59,7 @@ void drm_global_release(void)
42530 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
42531 struct drm_global_item *item = &glob[i];
42532 BUG_ON(item->object != NULL);
42533- BUG_ON(item->refcount != 0);
42534+ BUG_ON(atomic_read(&item->refcount) != 0);
42535 }
42536 }
42537
42538@@ -69,7 +69,7 @@ int drm_global_item_ref(struct drm_global_reference *ref)
42539 struct drm_global_item *item = &glob[ref->global_type];
42540
42541 mutex_lock(&item->mutex);
42542- if (item->refcount == 0) {
42543+ if (atomic_read(&item->refcount) == 0) {
42544 item->object = kzalloc(ref->size, GFP_KERNEL);
42545 if (unlikely(item->object == NULL)) {
42546 ret = -ENOMEM;
42547@@ -82,7 +82,7 @@ int drm_global_item_ref(struct drm_global_reference *ref)
42548 goto out_err;
42549
42550 }
42551- ++item->refcount;
42552+ atomic_inc(&item->refcount);
42553 ref->object = item->object;
42554 mutex_unlock(&item->mutex);
42555 return 0;
42556@@ -98,9 +98,9 @@ void drm_global_item_unref(struct drm_global_reference *ref)
42557 struct drm_global_item *item = &glob[ref->global_type];
42558
42559 mutex_lock(&item->mutex);
42560- BUG_ON(item->refcount == 0);
42561+ BUG_ON(atomic_read(&item->refcount) == 0);
42562 BUG_ON(ref->object != item->object);
42563- if (--item->refcount == 0) {
42564+ if (atomic_dec_and_test(&item->refcount)) {
42565 ref->release(ref);
42566 item->object = NULL;
42567 }
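Review bot: The `refcount` field of `struct drm_global_item` becomes an `atomic_t` with no comment saying why, although every read-modify-write visible in these hunks (`drm_global_item_ref`, `drm_global_item_unref`) already runs under `item->mutex`. The check-then-increment in `drm_global_item_ref` (`atomic_read(...) == 0`, later `atomic_inc`) is correct only because of that mutex, so a reader could wrongly conclude the atomic type makes lock-free use safe. I would add a field comment such as `/* serialized by mutex; atomic_t presumably only for the hardened overflow check */`. Both function bodies continue outside the hunks.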
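diff --git a/drivers/gpu/drm/drm_info.c b/drivers/gpu/drm/drm_info.c
index cbb4fc0..5c756cb9 100644
--- a/drivers/gpu/drm/drm_info.c
+++ b/drivers/gpu/drm/drm_info.c
@@ -77,10 +77,13 @@ int drm_vm_info(struct seq_file *m, void *data)
 struct drm_local_map *map;
 struct drm_map_list *r_list;
 
- /* Hardcoded from _DRM_FRAME_BUFFER,
- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
+ static const char * const types[] = {
+ [_DRM_FRAME_BUFFER] = "FB",
+ [_DRM_REGISTERS] = "REG",
+ [_DRM_SHM] = "SHM",
+ [_DRM_AGP] = "AGP",
+ [_DRM_SCATTER_GATHER] = "SG",
+ [_DRM_CONSISTENT] = "PCI"};
 const char *type;
 int i;
 
@@ -91,7 +94,7 @@ int drm_vm_info(struct seq_file *m, void *data)
 map = r_list->map;
 if (!map)
 continue;
- if (map->type < 0 || map->type > 5)
+ if (map->type >= ARRAY_SIZE(types))
 type = "??";
 else
 type = types[map->type];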
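Review bot: The bound check `map->type >= ARRAY_SIZE(types)` in `drm_vm_info` no longer guarantees a non-NULL string, because the table is now built with designated initializers and any unlisted index below the highest one would be a NULL slot. The enum values are not visible here, so this may be purely defensive, but `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` keeps the `"??"` fallback for gaps as well. Dropping the `< 0` test is fine only while the comparison is done unsigned, which the `ARRAY_SIZE` operand should force; a short comment saying so would help the next reader.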
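diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index 9cfcd0a..7142a7f 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -459,7 +459,7 @@ static int compat_drm_infobufs(struct file *file, unsigned int cmd,
 request = compat_alloc_user_space(nbytes);
 if (!access_ok(VERIFY_WRITE, request, nbytes))
 return -EFAULT;
- list = (struct drm_buf_desc *) (request + 1);
+ list = (struct drm_buf_desc __user *) (request + 1);
 
 if (__put_user(count, &request->count)
 || __put_user(list, &request->list))
@@ -520,7 +520,7 @@ static int compat_drm_mapbufs(struct file *file, unsigned int cmd,
 request = compat_alloc_user_space(nbytes);
 if (!access_ok(VERIFY_WRITE, request, nbytes))
 return -EFAULT;
- list = (struct drm_buf_pub *) (request + 1);
+ list = (struct drm_buf_pub __user *) (request + 1);
 
 if (__put_user(count, &request->count)
 || __put_user(list, &request->list))
@@ -1075,7 +1075,7 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd,
 return 0;
 }
 
-static drm_ioctl_compat_t *drm_compat_ioctls[] = {
+static drm_ioctl_compat_t drm_compat_ioctls[] = {
 [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
 [DRM_IOCTL_NR(DRM_IOCTL_GET_UNIQUE32)] = compat_drm_getunique,
 [DRM_IOCTL_NR(DRM_IOCTL_GET_MAP32)] = compat_drm_getmap,
@@ -1122,7 +1122,6 @@ static drm_ioctl_compat_t *drm_compat_ioctls[] = {
 long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 {
 unsigned int nr = DRM_IOCTL_NR(cmd);
- drm_ioctl_compat_t *fn;
 int ret;
 
 /* Assume that ioctls without an explicit compat routine will just
@@ -1132,10 +1131,8 @@ long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 if (nr >= ARRAY_SIZE(drm_compat_ioctls))
 return drm_ioctl(filp, cmd, arg);
 
- fn = drm_compat_ioctls[nr];
-
- if (fn != NULL)
- ret = (*fn) (filp, cmd, arg);
+ if (drm_compat_ioctls[nr] != NULL)
+ ret = (*drm_compat_ioctls[nr]) (filp, cmd, arg);
 else
 ret = drm_ioctl(filp, cmd, arg);
 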
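Review bot: In `drm_compat_ioctl` the handler is now fetched from `drm_compat_ioctls[nr]` twice, once for the NULL test and once for the call, instead of once into a local. That is harmless only if the table cannot change between the two reads. The array is declared without `const` in this hunk, so that rests on the `drm_ioctl_compat_t` typedef, changed outside this file, carrying the qualifier; a comment on the table stating this would make the dependency explicit. The same double lookup appears in `i915_compat_ioctl` and `mga_compat_ioctl` later in the patch, where it also produces lines well over 80 columns; a block-scoped local initialised from the table would keep the single read.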
42651diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
42652index b1d303f..c59012c 100644
42653--- a/drivers/gpu/drm/drm_ioctl.c
42654+++ b/drivers/gpu/drm/drm_ioctl.c
42655@@ -650,7 +650,7 @@ long drm_ioctl(struct file *filp,
42656 struct drm_file *file_priv = filp->private_data;
42657 struct drm_device *dev;
42658 const struct drm_ioctl_desc *ioctl = NULL;
42659- drm_ioctl_t *func;
42660+ drm_ioctl_no_const_t func;
42661 unsigned int nr = DRM_IOCTL_NR(cmd);
42662 int retcode = -EINVAL;
42663 char stack_kdata[128];
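diff --git a/drivers/gpu/drm/drm_lock.c b/drivers/gpu/drm/drm_lock.c
index f861361..b61d4c7 100644
--- a/drivers/gpu/drm/drm_lock.c
+++ b/drivers/gpu/drm/drm_lock.c
@@ -61,9 +61,12 @@ int drm_legacy_lock(struct drm_device *dev, void *data,
 struct drm_master *master = file_priv->master;
 int ret = 0;
 
+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
+ return -EINVAL;
+
 ++file_priv->lock_count;
 
- if (lock->context == DRM_KERNEL_CONTEXT) {
+ if (_DRM_LOCKING_CONTEXT(lock->context) == DRM_KERNEL_CONTEXT) {
 DRM_ERROR("Process %d using kernel context %d\n",
 task_pid_nr(current), lock->context);
 return -EINVAL;
@@ -153,12 +156,23 @@ int drm_legacy_unlock(struct drm_device *dev, void *data, struct drm_file *file_
 struct drm_lock *lock = data;
 struct drm_master *master = file_priv->master;
 
- if (lock->context == DRM_KERNEL_CONTEXT) {
+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
+ return -EINVAL;
+
+ if (_DRM_LOCKING_CONTEXT(lock->context) == DRM_KERNEL_CONTEXT) {
 DRM_ERROR("Process %d using kernel context %d\n",
 task_pid_nr(current), lock->context);
 return -EINVAL;
 }
 
+ if (!master->lock.hw_lock) {
+ DRM_ERROR(
+ "Device has been unregistered. Hard exit. Process %d\n",
+ task_pid_nr(current));
+ send_sig(SIGTERM, current, 0);
+ return -EPERM;
+ }
+
 if (drm_legacy_lock_free(&master->lock, lock->context)) {
 /* FIXME: Should really bail out here. */
 }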
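Review bot: The new `!master->lock.hw_lock` test in `drm_legacy_unlock` is made with no lock visible in the hunk, and `drm_legacy_lock_free` right below it works on the same `master->lock`. If device unregistration can clear `hw_lock` concurrently, the check narrows the window rather than closing it, so a comment stating what serializes the two is needed. The test also dereferences `master` without a NULL check, which is safe only if the ioctl's permission flags, defined outside this hunk, guarantee a master. In both functions `DRM_ERROR` still prints the raw `lock->context` while the comparison now uses `_DRM_LOCKING_CONTEXT(lock->context)`; logging the masked value would match what was tested.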
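diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
index d4813e0..6c1ab4d 100644
--- a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
+++ b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
@@ -825,10 +825,16 @@ void mdfld_dsi_dpi_mode_set(struct drm_encoder *encoder,
 u32 pipeconf_reg = PIPEACONF;
 u32 dspcntr_reg = DSPACNTR;
 
- u32 pipeconf = dev_priv->pipeconf[pipe];
- u32 dspcntr = dev_priv->dspcntr[pipe];
+ u32 pipeconf;
+ u32 dspcntr;
 u32 mipi = MIPI_PORT_EN | PASS_FROM_SPHY_TO_AFE | SEL_FLOPPED_HSTX;
 
+ if (pipe == -1)
+ return;
+
+ pipeconf = dev_priv->pipeconf[pipe];
+ dspcntr = dev_priv->dspcntr[pipe];
+
 if (pipe) {
 pipeconf_reg = PIPECCONF;
 dspcntr_reg = DSPCCNTR;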
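Review bot: The new guard in `mdfld_dsi_dpi_mode_set` rejects only `pipe == -1`, so any other out-of-range value still indexes `dev_priv->pipeconf[pipe]` and `dev_priv->dspcntr[pipe]`. Where `pipe` comes from and how large the arrays are lies outside the hunk; if it is a lookup result that can fail, `if (pipe < 0) return;` is the safer spelling, with an upper bound added if the lookup can exceed the arrays. The early return is also silent, so a mode set that does nothing leaves no trace; a `DRM_ERROR` before the `return` would make the failure visible.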
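diff --git a/drivers/gpu/drm/i810/i810_drv.h b/drivers/gpu/drm/i810/i810_drv.h
index 93ec5dc..82acbaf 100644
--- a/drivers/gpu/drm/i810/i810_drv.h
+++ b/drivers/gpu/drm/i810/i810_drv.h
@@ -110,8 +110,8 @@ typedef struct drm_i810_private {
 int page_flipping;
 
 wait_queue_head_t irq_queue;
- atomic_t irq_received;
- atomic_t irq_emitted;
+ atomic_unchecked_t irq_received;
+ atomic_unchecked_t irq_emitted;
 
 int front_offset;
 } drm_i810_private_t;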
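Review bot: `irq_received` and `irq_emitted` switch to `atomic_unchecked_t` with no comment explaining why they are exempt from overflow checking. Going by the names they are event counters rather than reference counts, so wrapping is presumably harmless, but the header should say so, e.g. `/* event counters, may wrap; not refcounts */`. The same applies to the fields converted in `mga_drv.h` and `qxl_drv.h` later in this patch, since an unchecked type on something that later becomes a lifetime counter would silently lose the protection.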
42745diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
42746index 82bbe3f..ce004bf 100644
42747--- a/drivers/gpu/drm/i915/i915_debugfs.c
42748+++ b/drivers/gpu/drm/i915/i915_debugfs.c
42749@@ -480,7 +480,7 @@ static int i915_gem_object_info(struct seq_file *m, void* data)
42750 seq_printf(m, "%u fault mappable objects, %zu bytes\n",
42751 count, size);
42752
42753- seq_printf(m, "%zu [%lu] gtt total\n",
42754+ seq_printf(m, "%llu [%llu] gtt total\n",
42755 dev_priv->gtt.base.total,
42756 dev_priv->gtt.mappable_end - dev_priv->gtt.base.start);
42757
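diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
index d2df321..f746478 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -162,6 +162,8 @@ static int i915_getparam(struct drm_device *dev, void *data,
 value = INTEL_INFO(dev)->eu_total;
 if (!value)
 return -ENODEV;
+ case I915_PARAM_HAS_LEGACY_CONTEXT:
+ value = drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT);
 break;
 default:
 DRM_DEBUG("Unknown parameter %d\n", param->param);
@@ -376,7 +378,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
 * locking inversion with the driver load path. And the access here is
 * completely racy anyway. So don't bother with locking for now.
 */
- return dev->open_count == 0;
+ return local_read(&dev->open_count) == 0;
 }
 
 static const struct vga_switcheroo_client_ops i915_switcheroo_ops = {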
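Review bot: The new `case I915_PARAM_HAS_LEGACY_CONTEXT:` label in `i915_getparam` is inserted between the preceding case's `return -ENODEV;` and its `break;`, so that case now falls through into the new one. When `eu_total` is non-zero, `value` is overwritten with the result of `drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT)` and userspace receives a feature flag instead of the EU count. Adding `break;` on its own line before the new `case` label fixes it. The switch statement starts and ends outside the hunk.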
42780diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42781index 5e6b4a2..6ba2c85 100644
42782--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42783+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42784@@ -935,12 +935,12 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
42785 static int
42786 validate_exec_list(struct drm_device *dev,
42787 struct drm_i915_gem_exec_object2 *exec,
42788- int count)
42789+ unsigned int count)
42790 {
42791 unsigned relocs_total = 0;
42792 unsigned relocs_max = UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
42793 unsigned invalid_flags;
42794- int i;
42795+ unsigned int i;
42796
42797 invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
42798 if (USES_FULL_PPGTT(dev))
42799diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
42800index 31e8269..7055934 100644
42801--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
42802+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
42803@@ -2360,10 +2360,10 @@ static void chv_setup_private_ppat(struct drm_i915_private *dev_priv)
42804 }
42805
42806 static int gen8_gmch_probe(struct drm_device *dev,
42807- size_t *gtt_total,
42808- size_t *stolen,
42809- phys_addr_t *mappable_base,
42810- unsigned long *mappable_end)
42811+ uint64_t *gtt_total,
42812+ uint64_t *stolen,
42813+ uint64_t *mappable_base,
42814+ uint64_t *mappable_end)
42815 {
42816 struct drm_i915_private *dev_priv = dev->dev_private;
42817 unsigned int gtt_size;
42818@@ -2408,10 +2408,10 @@ static int gen8_gmch_probe(struct drm_device *dev,
42819 }
42820
42821 static int gen6_gmch_probe(struct drm_device *dev,
42822- size_t *gtt_total,
42823- size_t *stolen,
42824- phys_addr_t *mappable_base,
42825- unsigned long *mappable_end)
42826+ uint64_t *gtt_total,
42827+ uint64_t *stolen,
42828+ uint64_t *mappable_base,
42829+ uint64_t *mappable_end)
42830 {
42831 struct drm_i915_private *dev_priv = dev->dev_private;
42832 unsigned int gtt_size;
42833@@ -2425,7 +2425,7 @@ static int gen6_gmch_probe(struct drm_device *dev,
42834 * a coarse sanity check.
42835 */
42836 if ((*mappable_end < (64<<20) || (*mappable_end > (512<<20)))) {
42837- DRM_ERROR("Unknown GMADR size (%lx)\n",
42838+ DRM_ERROR("Unknown GMADR size (%llx)\n",
42839 dev_priv->gtt.mappable_end);
42840 return -ENXIO;
42841 }
42842@@ -2459,10 +2459,10 @@ static void gen6_gmch_remove(struct i915_address_space *vm)
42843 }
42844
42845 static int i915_gmch_probe(struct drm_device *dev,
42846- size_t *gtt_total,
42847- size_t *stolen,
42848- phys_addr_t *mappable_base,
42849- unsigned long *mappable_end)
42850+ uint64_t *gtt_total,
42851+ uint64_t *stolen,
42852+ uint64_t *mappable_base,
42853+ uint64_t *mappable_end)
42854 {
42855 struct drm_i915_private *dev_priv = dev->dev_private;
42856 int ret;
42857@@ -2527,10 +2527,10 @@ int i915_gem_gtt_init(struct drm_device *dev)
42858 gtt->base.dev = dev;
42859
42860 /* GMADR is the PCI mmio aperture into the global GTT. */
42861- DRM_INFO("Memory usable by graphics device = %zdM\n",
42862+ DRM_INFO("Memory usable by graphics device = %lldM\n",
42863 gtt->base.total >> 20);
42864- DRM_DEBUG_DRIVER("GMADR size = %ldM\n", gtt->mappable_end >> 20);
42865- DRM_DEBUG_DRIVER("GTT stolen size = %zdM\n", gtt->stolen_size >> 20);
42866+ DRM_DEBUG_DRIVER("GMADR size = %lldM\n", gtt->mappable_end >> 20);
42867+ DRM_DEBUG_DRIVER("GTT stolen size = %lldM\n", gtt->stolen_size >> 20);
42868 #ifdef CONFIG_INTEL_IOMMU
42869 if (intel_iommu_gfx_mapped)
42870 DRM_INFO("VT-d active for gfx access\n");
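Review bot: The format strings in `i915_gem_gtt_init` switch to `%lldM` although the arguments (`gtt->base.total`, `gtt->mappable_end`, `gtt->stolen_size`) become `uint64_t` in the accompanying header change, so `%lluM` is the matching specifier. After the `>> 20` these values cannot print as negative, so here it is a consistency point; the `%lld` introduced in `i915_gem_init_stolen` prints the unshifted `stolen_size` and should be `%llu` for the same reason. Separately, `gen6_gmch_probe` validates `*mappable_end` but logs `dev_priv->gtt.mappable_end`; that predates this patch, and unless the pointer aliases that field the message can show a different value from the one rejected.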
42871diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.h b/drivers/gpu/drm/i915/i915_gem_gtt.h
42872index 0d46dd2..1171c00 100644
42873--- a/drivers/gpu/drm/i915/i915_gem_gtt.h
42874+++ b/drivers/gpu/drm/i915/i915_gem_gtt.h
42875@@ -233,8 +233,8 @@ struct i915_address_space {
42876 struct drm_mm mm;
42877 struct drm_device *dev;
42878 struct list_head global_link;
42879- unsigned long start; /* Start offset always 0 for dri2 */
42880- size_t total; /* size addr space maps (ex. 2GB for ggtt) */
42881+ uint64_t start; /* Start offset always 0 for dri2 */
42882+ uint64_t total; /* size addr space maps (ex. 2GB for ggtt) */
42883
42884 struct {
42885 dma_addr_t addr;
42886@@ -300,11 +300,11 @@ struct i915_address_space {
42887 */
42888 struct i915_gtt {
42889 struct i915_address_space base;
42890- size_t stolen_size; /* Total size of stolen memory */
42891+ uint64_t stolen_size; /* Total size of stolen memory */
42892
42893- unsigned long mappable_end; /* End offset that we can CPU map */
42894+ uint64_t mappable_end; /* End offset that we can CPU map */
42895 struct io_mapping *mappable; /* Mapping to our CPU mappable region */
42896- phys_addr_t mappable_base; /* PA of our GMADR */
42897+ uint64_t mappable_base; /* PA of our GMADR */
42898
42899 /** "Graphics Stolen Memory" holds the global PTEs */
42900 void __iomem *gsm;
42901@@ -314,9 +314,9 @@ struct i915_gtt {
42902 int mtrr;
42903
42904 /* global gtt ops */
42905- int (*gtt_probe)(struct drm_device *dev, size_t *gtt_total,
42906- size_t *stolen, phys_addr_t *mappable_base,
42907- unsigned long *mappable_end);
42908+ int (*gtt_probe)(struct drm_device *dev, uint64_t *gtt_total,
42909+ uint64_t *stolen, uint64_t *mappable_base,
42910+ uint64_t *mappable_end);
42911 };
42912
42913 struct i915_hw_ppgtt {
42914diff --git a/drivers/gpu/drm/i915/i915_gem_stolen.c b/drivers/gpu/drm/i915/i915_gem_stolen.c
42915index 8b5b784..78711f6 100644
42916--- a/drivers/gpu/drm/i915/i915_gem_stolen.c
42917+++ b/drivers/gpu/drm/i915/i915_gem_stolen.c
42918@@ -310,7 +310,7 @@ int i915_gem_init_stolen(struct drm_device *dev)
42919 if (dev_priv->mm.stolen_base == 0)
42920 return 0;
42921
42922- DRM_DEBUG_KMS("found %zd bytes of stolen memory at %08lx\n",
42923+ DRM_DEBUG_KMS("found %lld bytes of stolen memory at %08lx\n",
42924 dev_priv->gtt.stolen_size, dev_priv->mm.stolen_base);
42925
42926 if (INTEL_INFO(dev)->gen >= 8) {
42927diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c
42928index 23aa04c..1d25960 100644
42929--- a/drivers/gpu/drm/i915/i915_ioc32.c
42930+++ b/drivers/gpu/drm/i915/i915_ioc32.c
42931@@ -62,7 +62,7 @@ static int compat_i915_batchbuffer(struct file *file, unsigned int cmd,
42932 || __put_user(batchbuffer32.DR4, &batchbuffer->DR4)
42933 || __put_user(batchbuffer32.num_cliprects,
42934 &batchbuffer->num_cliprects)
42935- || __put_user((int __user *)(unsigned long)batchbuffer32.cliprects,
42936+ || __put_user((struct drm_clip_rect __user *)(unsigned long)batchbuffer32.cliprects,
42937 &batchbuffer->cliprects))
42938 return -EFAULT;
42939
42940@@ -91,13 +91,13 @@ static int compat_i915_cmdbuffer(struct file *file, unsigned int cmd,
42941
42942 cmdbuffer = compat_alloc_user_space(sizeof(*cmdbuffer));
42943 if (!access_ok(VERIFY_WRITE, cmdbuffer, sizeof(*cmdbuffer))
42944- || __put_user((int __user *)(unsigned long)cmdbuffer32.buf,
42945+ || __put_user((char __user *)(unsigned long)cmdbuffer32.buf,
42946 &cmdbuffer->buf)
42947 || __put_user(cmdbuffer32.sz, &cmdbuffer->sz)
42948 || __put_user(cmdbuffer32.DR1, &cmdbuffer->DR1)
42949 || __put_user(cmdbuffer32.DR4, &cmdbuffer->DR4)
42950 || __put_user(cmdbuffer32.num_cliprects, &cmdbuffer->num_cliprects)
42951- || __put_user((int __user *)(unsigned long)cmdbuffer32.cliprects,
42952+ || __put_user((struct drm_clip_rect __user *)(unsigned long)cmdbuffer32.cliprects,
42953 &cmdbuffer->cliprects))
42954 return -EFAULT;
42955
42956@@ -181,7 +181,7 @@ static int compat_i915_alloc(struct file *file, unsigned int cmd,
42957 (unsigned long)request);
42958 }
42959
42960-static drm_ioctl_compat_t *i915_compat_ioctls[] = {
42961+static drm_ioctl_compat_t i915_compat_ioctls[] = {
42962 [DRM_I915_BATCHBUFFER] = compat_i915_batchbuffer,
42963 [DRM_I915_CMDBUFFER] = compat_i915_cmdbuffer,
42964 [DRM_I915_GETPARAM] = compat_i915_getparam,
42965@@ -201,17 +201,13 @@ static drm_ioctl_compat_t *i915_compat_ioctls[] = {
42966 long i915_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42967 {
42968 unsigned int nr = DRM_IOCTL_NR(cmd);
42969- drm_ioctl_compat_t *fn = NULL;
42970 int ret;
42971
42972 if (nr < DRM_COMMAND_BASE || nr >= DRM_COMMAND_END)
42973 return drm_compat_ioctl(filp, cmd, arg);
42974
42975- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(i915_compat_ioctls))
42976- fn = i915_compat_ioctls[nr - DRM_COMMAND_BASE];
42977-
42978- if (fn != NULL)
42979- ret = (*fn) (filp, cmd, arg);
42980+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(i915_compat_ioctls) && i915_compat_ioctls[nr - DRM_COMMAND_BASE])
42981+ ret = (*i915_compat_ioctls[nr - DRM_COMMAND_BASE])(filp, cmd, arg);
42982 else
42983 ret = drm_ioctl(filp, cmd, arg);
42984
42985diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
42986index 107c6c0..e1926b0 100644
42987--- a/drivers/gpu/drm/i915/intel_display.c
42988+++ b/drivers/gpu/drm/i915/intel_display.c
42989@@ -14501,13 +14501,13 @@ struct intel_quirk {
42990 int subsystem_vendor;
42991 int subsystem_device;
42992 void (*hook)(struct drm_device *dev);
42993-};
42994+} __do_const;
42995
42996 /* For systems that don't have a meaningful PCI subdevice/subvendor ID */
42997 struct intel_dmi_quirk {
42998 void (*hook)(struct drm_device *dev);
42999 const struct dmi_system_id (*dmi_id_list)[];
43000-};
43001+} __do_const;
43002
43003 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
43004 {
43005@@ -14515,18 +14515,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
43006 return 1;
43007 }
43008
43009-static const struct intel_dmi_quirk intel_dmi_quirks[] = {
43010+static const struct dmi_system_id intel_dmi_quirks_table[] = {
43011 {
43012- .dmi_id_list = &(const struct dmi_system_id[]) {
43013- {
43014- .callback = intel_dmi_reverse_brightness,
43015- .ident = "NCR Corporation",
43016- .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"),
43017- DMI_MATCH(DMI_PRODUCT_NAME, ""),
43018- },
43019- },
43020- { } /* terminating entry */
43021+ .callback = intel_dmi_reverse_brightness,
43022+ .ident = "NCR Corporation",
43023+ .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"),
43024+ DMI_MATCH(DMI_PRODUCT_NAME, ""),
43025 },
43026+ },
43027+ { } /* terminating entry */
43028+};
43029+
43030+static const struct intel_dmi_quirk intel_dmi_quirks[] = {
43031+ {
43032+ .dmi_id_list = &intel_dmi_quirks_table,
43033 .hook = quirk_invert_brightness,
43034 },
43035 };
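Review bot: The hoisted table is named `intel_dmi_quirks_table`, which reads as the list of all DMI quirks, but it holds only the match entries for one hook (`quirk_invert_brightness`). Each `intel_dmi_quirk` carries its own `dmi_id_list`, so a second quirk would need its own table, and the generic name invites adding unrelated entries to this one. A name tied to the hook, e.g. `intel_dmi_invert_brightness_ids`, would avoid that. A one-line comment should also say that the compound literal was lifted to file scope, presumably so the quirk structs can be made read-only via `__do_const`.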
43036diff --git a/drivers/gpu/drm/imx/imx-drm-core.c b/drivers/gpu/drm/imx/imx-drm-core.c
43037index 74f505b..21f6914 100644
43038--- a/drivers/gpu/drm/imx/imx-drm-core.c
43039+++ b/drivers/gpu/drm/imx/imx-drm-core.c
43040@@ -355,7 +355,7 @@ int imx_drm_add_crtc(struct drm_device *drm, struct drm_crtc *crtc,
43041 if (imxdrm->pipes >= MAX_CRTC)
43042 return -EINVAL;
43043
43044- if (imxdrm->drm->open_count)
43045+ if (local_read(&imxdrm->drm->open_count))
43046 return -EBUSY;
43047
43048 imx_drm_crtc = kzalloc(sizeof(*imx_drm_crtc), GFP_KERNEL);
43049diff --git a/drivers/gpu/drm/mga/mga_drv.h b/drivers/gpu/drm/mga/mga_drv.h
43050index b4a20149..219ab78 100644
43051--- a/drivers/gpu/drm/mga/mga_drv.h
43052+++ b/drivers/gpu/drm/mga/mga_drv.h
43053@@ -122,9 +122,9 @@ typedef struct drm_mga_private {
43054 u32 clear_cmd;
43055 u32 maccess;
43056
43057- atomic_t vbl_received; /**< Number of vblanks received. */
43058+ atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
43059 wait_queue_head_t fence_queue;
43060- atomic_t last_fence_retired;
43061+ atomic_unchecked_t last_fence_retired;
43062 u32 next_fence_to_post;
43063
43064 unsigned int fb_cpp;
43065diff --git a/drivers/gpu/drm/mga/mga_ioc32.c b/drivers/gpu/drm/mga/mga_ioc32.c
43066index 729bfd5..14bae78 100644
43067--- a/drivers/gpu/drm/mga/mga_ioc32.c
43068+++ b/drivers/gpu/drm/mga/mga_ioc32.c
43069@@ -190,7 +190,7 @@ static int compat_mga_dma_bootstrap(struct file *file, unsigned int cmd,
43070 return 0;
43071 }
43072
43073-drm_ioctl_compat_t *mga_compat_ioctls[] = {
43074+drm_ioctl_compat_t mga_compat_ioctls[] = {
43075 [DRM_MGA_INIT] = compat_mga_init,
43076 [DRM_MGA_GETPARAM] = compat_mga_getparam,
43077 [DRM_MGA_DMA_BOOTSTRAP] = compat_mga_dma_bootstrap,
43078@@ -208,17 +208,13 @@ drm_ioctl_compat_t *mga_compat_ioctls[] = {
43079 long mga_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
43080 {
43081 unsigned int nr = DRM_IOCTL_NR(cmd);
43082- drm_ioctl_compat_t *fn = NULL;
43083 int ret;
43084
43085 if (nr < DRM_COMMAND_BASE)
43086 return drm_compat_ioctl(filp, cmd, arg);
43087
43088- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(mga_compat_ioctls))
43089- fn = mga_compat_ioctls[nr - DRM_COMMAND_BASE];
43090-
43091- if (fn != NULL)
43092- ret = (*fn) (filp, cmd, arg);
43093+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(mga_compat_ioctls) && mga_compat_ioctls[nr - DRM_COMMAND_BASE])
43094+ ret = (*mga_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
43095 else
43096 ret = drm_ioctl(filp, cmd, arg);
43097
43098diff --git a/drivers/gpu/drm/mga/mga_irq.c b/drivers/gpu/drm/mga/mga_irq.c
43099index 1b071b8..de8601a 100644
43100--- a/drivers/gpu/drm/mga/mga_irq.c
43101+++ b/drivers/gpu/drm/mga/mga_irq.c
43102@@ -43,7 +43,7 @@ u32 mga_get_vblank_counter(struct drm_device *dev, int crtc)
43103 if (crtc != 0)
43104 return 0;
43105
43106- return atomic_read(&dev_priv->vbl_received);
43107+ return atomic_read_unchecked(&dev_priv->vbl_received);
43108 }
43109
43110
43111@@ -59,7 +59,7 @@ irqreturn_t mga_driver_irq_handler(int irq, void *arg)
43112 /* VBLANK interrupt */
43113 if (status & MGA_VLINEPEN) {
43114 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
43115- atomic_inc(&dev_priv->vbl_received);
43116+ atomic_inc_unchecked(&dev_priv->vbl_received);
43117 drm_handle_vblank(dev, 0);
43118 handled = 1;
43119 }
43120@@ -78,7 +78,7 @@ irqreturn_t mga_driver_irq_handler(int irq, void *arg)
43121 if ((prim_start & ~0x03) != (prim_end & ~0x03))
43122 MGA_WRITE(MGA_PRIMEND, prim_end);
43123
43124- atomic_inc(&dev_priv->last_fence_retired);
43125+ atomic_inc_unchecked(&dev_priv->last_fence_retired);
43126 wake_up(&dev_priv->fence_queue);
43127 handled = 1;
43128 }
43129@@ -129,7 +129,7 @@ int mga_driver_fence_wait(struct drm_device *dev, unsigned int *sequence)
43130 * using fences.
43131 */
43132 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * HZ,
43133- (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
43134+ (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
43135 - *sequence) <= (1 << 23)));
43136
43137 *sequence = cur_fence;
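Review bot: The wait condition in `mga_driver_fence_wait` computes `cur_fence - *sequence` and compares it with `1 << 23`, which relies on `last_fence_retired` wrapping. That is presumably why the counter is moved to the `_unchecked` accessors, but nothing in the code says so. A comment above the `DRM_WAIT_ON`, e.g. `/* fence counter wraps by design; comparison is modular */`, would keep a later cleanup from converting it back to a checked type. The declaration of `cur_fence` is outside the hunk, so the width of the arithmetic is an assumption.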
43138diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c
43139index 0190b69..60c3eaf 100644
43140--- a/drivers/gpu/drm/nouveau/nouveau_bios.c
43141+++ b/drivers/gpu/drm/nouveau/nouveau_bios.c
43142@@ -963,7 +963,7 @@ static int parse_bit_tmds_tbl_entry(struct drm_device *dev, struct nvbios *bios,
43143 struct bit_table {
43144 const char id;
43145 int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *);
43146-};
43147+} __no_const;
43148
43149 #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
43150
43151diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
43152index 477cbb1..109b826 100644
43153--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
43154+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
43155@@ -946,7 +946,8 @@ static struct drm_driver
43156 driver_stub = {
43157 .driver_features =
43158 DRIVER_USE_AGP |
43159- DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER,
43160+ DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER |
43161+ DRIVER_KMS_LEGACY_CONTEXT,
43162
43163 .load = nouveau_drm_load,
43164 .unload = nouveau_drm_unload,
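Review bot: `DRIVER_KMS_LEGACY_CONTEXT` is added to `driver_stub.driver_features` with no comment. Per the `drm_lock.c` hunks in this patch, that flag is what lets `drm_legacy_lock` and `drm_legacy_unlock` proceed instead of returning `-EINVAL`, so it keeps the legacy lock ioctl surface reachable on this driver. The reason should be recorded next to the flag, e.g. `/* legacy context/lock ioctls kept for old userspace (TODO confirm) */`.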
43165diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.h b/drivers/gpu/drm/nouveau/nouveau_drm.h
43166index dd72652..1fd2368 100644
43167--- a/drivers/gpu/drm/nouveau/nouveau_drm.h
43168+++ b/drivers/gpu/drm/nouveau/nouveau_drm.h
43169@@ -123,7 +123,6 @@ struct nouveau_drm {
43170 struct drm_global_reference mem_global_ref;
43171 struct ttm_bo_global_ref bo_global_ref;
43172 struct ttm_bo_device bdev;
43173- atomic_t validate_sequence;
43174 int (*move)(struct nouveau_channel *,
43175 struct ttm_buffer_object *,
43176 struct ttm_mem_reg *, struct ttm_mem_reg *);
43177diff --git a/drivers/gpu/drm/nouveau/nouveau_ioc32.c b/drivers/gpu/drm/nouveau/nouveau_ioc32.c
43178index 462679a..88e32a7 100644
43179--- a/drivers/gpu/drm/nouveau/nouveau_ioc32.c
43180+++ b/drivers/gpu/drm/nouveau/nouveau_ioc32.c
43181@@ -50,7 +50,7 @@ long nouveau_compat_ioctl(struct file *filp, unsigned int cmd,
43182 unsigned long arg)
43183 {
43184 unsigned int nr = DRM_IOCTL_NR(cmd);
43185- drm_ioctl_compat_t *fn = NULL;
43186+ drm_ioctl_compat_t fn = NULL;
43187 int ret;
43188
43189 if (nr < DRM_COMMAND_BASE)
43190diff --git a/drivers/gpu/drm/nouveau/nouveau_ttm.c b/drivers/gpu/drm/nouveau/nouveau_ttm.c
43191index 7464aef3..c63ae4f 100644
43192--- a/drivers/gpu/drm/nouveau/nouveau_ttm.c
43193+++ b/drivers/gpu/drm/nouveau/nouveau_ttm.c
43194@@ -130,11 +130,11 @@ nouveau_vram_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
43195 }
43196
43197 const struct ttm_mem_type_manager_func nouveau_vram_manager = {
43198- nouveau_vram_manager_init,
43199- nouveau_vram_manager_fini,
43200- nouveau_vram_manager_new,
43201- nouveau_vram_manager_del,
43202- nouveau_vram_manager_debug
43203+ .init = nouveau_vram_manager_init,
43204+ .takedown = nouveau_vram_manager_fini,
43205+ .get_node = nouveau_vram_manager_new,
43206+ .put_node = nouveau_vram_manager_del,
43207+ .debug = nouveau_vram_manager_debug
43208 };
43209
43210 static int
43211@@ -207,11 +207,11 @@ nouveau_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
43212 }
43213
43214 const struct ttm_mem_type_manager_func nouveau_gart_manager = {
43215- nouveau_gart_manager_init,
43216- nouveau_gart_manager_fini,
43217- nouveau_gart_manager_new,
43218- nouveau_gart_manager_del,
43219- nouveau_gart_manager_debug
43220+ .init = nouveau_gart_manager_init,
43221+ .takedown = nouveau_gart_manager_fini,
43222+ .get_node = nouveau_gart_manager_new,
43223+ .put_node = nouveau_gart_manager_del,
43224+ .debug = nouveau_gart_manager_debug
43225 };
43226
43227 /*XXX*/
43228@@ -280,11 +280,11 @@ nv04_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
43229 }
43230
43231 const struct ttm_mem_type_manager_func nv04_gart_manager = {
43232- nv04_gart_manager_init,
43233- nv04_gart_manager_fini,
43234- nv04_gart_manager_new,
43235- nv04_gart_manager_del,
43236- nv04_gart_manager_debug
43237+ .init = nv04_gart_manager_init,
43238+ .takedown = nv04_gart_manager_fini,
43239+ .get_node = nv04_gart_manager_new,
43240+ .put_node = nv04_gart_manager_del,
43241+ .debug = nv04_gart_manager_debug
43242 };
43243
43244 int
43245diff --git a/drivers/gpu/drm/nouveau/nouveau_vga.c b/drivers/gpu/drm/nouveau/nouveau_vga.c
43246index c7592ec..dd45ebc 100644
43247--- a/drivers/gpu/drm/nouveau/nouveau_vga.c
43248+++ b/drivers/gpu/drm/nouveau/nouveau_vga.c
43249@@ -72,7 +72,7 @@ nouveau_switcheroo_can_switch(struct pci_dev *pdev)
43250 * locking inversion with the driver load path. And the access here is
43251 * completely racy anyway. So don't bother with locking for now.
43252 */
43253- return dev->open_count == 0;
43254+ return local_read(&dev->open_count) == 0;
43255 }
43256
43257 static const struct vga_switcheroo_client_ops
43258diff --git a/drivers/gpu/drm/omapdrm/Makefile b/drivers/gpu/drm/omapdrm/Makefile
43259index 778372b..4b81cb4 100644
43260--- a/drivers/gpu/drm/omapdrm/Makefile
43261+++ b/drivers/gpu/drm/omapdrm/Makefile
43262@@ -3,7 +3,7 @@
43263 # Direct Rendering Infrastructure (DRI)
43264 #
43265
43266-ccflags-y := -Iinclude/drm -Werror
43267+ccflags-y := -Iinclude/drm
43268 omapdrm-y := omap_drv.o \
43269 omap_irq.o \
43270 omap_debugfs.o \
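Review bot: `-Werror` is dropped from `ccflags-y` with no explanation. If changes elsewhere in this patch introduce warnings in this driver, a comment naming them, e.g. `# -Werror removed: <warning> triggered by <change>`, would let the flag be restored once they are fixed. As written, any new warning in omapdrm passes silently.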
43271diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c
43272index fdc1833..f307630 100644
43273--- a/drivers/gpu/drm/qxl/qxl_cmd.c
43274+++ b/drivers/gpu/drm/qxl/qxl_cmd.c
43275@@ -285,27 +285,27 @@ static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port,
43276 int ret;
43277
43278 mutex_lock(&qdev->async_io_mutex);
43279- irq_num = atomic_read(&qdev->irq_received_io_cmd);
43280+ irq_num = atomic_read_unchecked(&qdev->irq_received_io_cmd);
43281 if (qdev->last_sent_io_cmd > irq_num) {
43282 if (intr)
43283 ret = wait_event_interruptible_timeout(qdev->io_cmd_event,
43284- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43285+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43286 else
43287 ret = wait_event_timeout(qdev->io_cmd_event,
43288- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43289+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43290 /* 0 is timeout, just bail the "hw" has gone away */
43291 if (ret <= 0)
43292 goto out;
43293- irq_num = atomic_read(&qdev->irq_received_io_cmd);
43294+ irq_num = atomic_read_unchecked(&qdev->irq_received_io_cmd);
43295 }
43296 outb(val, addr);
43297 qdev->last_sent_io_cmd = irq_num + 1;
43298 if (intr)
43299 ret = wait_event_interruptible_timeout(qdev->io_cmd_event,
43300- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43301+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43302 else
43303 ret = wait_event_timeout(qdev->io_cmd_event,
43304- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43305+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43306 out:
43307 if (ret > 0)
43308 ret = 0;
43309diff --git a/drivers/gpu/drm/qxl/qxl_debugfs.c b/drivers/gpu/drm/qxl/qxl_debugfs.c
43310index 6911b8c..89d6867 100644
43311--- a/drivers/gpu/drm/qxl/qxl_debugfs.c
43312+++ b/drivers/gpu/drm/qxl/qxl_debugfs.c
43313@@ -42,10 +42,10 @@ qxl_debugfs_irq_received(struct seq_file *m, void *data)
43314 struct drm_info_node *node = (struct drm_info_node *) m->private;
43315 struct qxl_device *qdev = node->minor->dev->dev_private;
43316
43317- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received));
43318- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_display));
43319- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_cursor));
43320- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_io_cmd));
43321+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received));
43322+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_display));
43323+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_cursor));
43324+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_io_cmd));
43325 seq_printf(m, "%d\n", qdev->irq_received_error);
43326 return 0;
43327 }
43328diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h
43329index 01a8694..584fb48 100644
43330--- a/drivers/gpu/drm/qxl/qxl_drv.h
43331+++ b/drivers/gpu/drm/qxl/qxl_drv.h
43332@@ -290,10 +290,10 @@ struct qxl_device {
43333 unsigned int last_sent_io_cmd;
43334
43335 /* interrupt handling */
43336- atomic_t irq_received;
43337- atomic_t irq_received_display;
43338- atomic_t irq_received_cursor;
43339- atomic_t irq_received_io_cmd;
43340+ atomic_unchecked_t irq_received;
43341+ atomic_unchecked_t irq_received_display;
43342+ atomic_unchecked_t irq_received_cursor;
43343+ atomic_unchecked_t irq_received_io_cmd;
43344 unsigned irq_received_error;
43345 wait_queue_head_t display_event;
43346 wait_queue_head_t cursor_event;
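Review bot: The four fields switched to `atomic_unchecked_t` have no comment saying why they are exempt from overflow detection, so a later reader cannot tell a deliberate exemption from an oversight. The existing comment could be extended to something like `/* interrupt handling; irq_received* are event counters, not reference counts, and may wrap */`. The same one-line justification is missing for `idle_count` and `vbl_received` in r128_drv.h, `swi_emitted` in radeon_drv.h and `irq_received` / `vbl_received` in via_drv.h. Because the counters are now explicitly allowed to wrap, the wait condition `atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num` in qxl_cmd.c deserves a second look; the type of `irq_num` is declared outside the visible lines, so this is a question rather than a finding.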
43347diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
43348index bda5c5f..140ac46 100644
43349--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
43350+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
43351@@ -183,7 +183,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
43352
43353 /* TODO copy slow path code from i915 */
43354 fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE));
43355- unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void *)(unsigned long)cmd->command, cmd->command_size);
43356+ unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void __force_user *)(unsigned long)cmd->command, cmd->command_size);
43357
43358 {
43359 struct qxl_drawable *draw = fb_cmd;
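Review bot: The destination offset on the rewritten `__copy_from_user_inatomic_nocache` line is still `release->release_offset & ~PAGE_SIZE`, which clears a single bit instead of keeping the in-page offset, and the kmap call just above selects the page with `& PAGE_SIZE` in the same way. If `release_offset` can be a page or more (it is set outside this hunk), the copy of `cmd->command_size` bytes lands at an offset that is not confined to the page that was mapped. The masks presumably should be `release->release_offset & PAGE_MASK` for the mapping and `release->release_offset & ~PAGE_MASK` for the offset. The added `__force_user` cast only quiets the address-space checker, and double-underscore copy helpers conventionally skip the range check, so the `access_ok()` on `cmd->command` has to come from earlier in qxl_process_single_command, which starts and ends outside the hunk.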
43360@@ -203,7 +203,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
43361 struct drm_qxl_reloc reloc;
43362
43363 if (copy_from_user(&reloc,
43364- &((struct drm_qxl_reloc *)(uintptr_t)cmd->relocs)[i],
43365+ &((struct drm_qxl_reloc __force_user *)(uintptr_t)cmd->relocs)[i],
43366 sizeof(reloc))) {
43367 ret = -EFAULT;
43368 goto out_free_bos;
43369@@ -282,10 +282,10 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data,
43370
43371 for (cmd_num = 0; cmd_num < execbuffer->commands_num; ++cmd_num) {
43372
43373- struct drm_qxl_command *commands =
43374- (struct drm_qxl_command *)(uintptr_t)execbuffer->commands;
43375+ struct drm_qxl_command __user *commands =
43376+ (struct drm_qxl_command __user *)(uintptr_t)execbuffer->commands;
43377
43378- if (copy_from_user(&user_cmd, &commands[cmd_num],
43379+ if (copy_from_user(&user_cmd, (struct drm_qxl_command __force_user *)&commands[cmd_num],
43380 sizeof(user_cmd)))
43381 return -EFAULT;
43382
43383diff --git a/drivers/gpu/drm/qxl/qxl_irq.c b/drivers/gpu/drm/qxl/qxl_irq.c
43384index 0bf1e20..42a7310 100644
43385--- a/drivers/gpu/drm/qxl/qxl_irq.c
43386+++ b/drivers/gpu/drm/qxl/qxl_irq.c
43387@@ -36,19 +36,19 @@ irqreturn_t qxl_irq_handler(int irq, void *arg)
43388 if (!pending)
43389 return IRQ_NONE;
43390
43391- atomic_inc(&qdev->irq_received);
43392+ atomic_inc_unchecked(&qdev->irq_received);
43393
43394 if (pending & QXL_INTERRUPT_DISPLAY) {
43395- atomic_inc(&qdev->irq_received_display);
43396+ atomic_inc_unchecked(&qdev->irq_received_display);
43397 wake_up_all(&qdev->display_event);
43398 qxl_queue_garbage_collect(qdev, false);
43399 }
43400 if (pending & QXL_INTERRUPT_CURSOR) {
43401- atomic_inc(&qdev->irq_received_cursor);
43402+ atomic_inc_unchecked(&qdev->irq_received_cursor);
43403 wake_up_all(&qdev->cursor_event);
43404 }
43405 if (pending & QXL_INTERRUPT_IO_CMD) {
43406- atomic_inc(&qdev->irq_received_io_cmd);
43407+ atomic_inc_unchecked(&qdev->irq_received_io_cmd);
43408 wake_up_all(&qdev->io_cmd_event);
43409 }
43410 if (pending & QXL_INTERRUPT_ERROR) {
43411@@ -85,10 +85,10 @@ int qxl_irq_init(struct qxl_device *qdev)
43412 init_waitqueue_head(&qdev->io_cmd_event);
43413 INIT_WORK(&qdev->client_monitors_config_work,
43414 qxl_client_monitors_config_work_func);
43415- atomic_set(&qdev->irq_received, 0);
43416- atomic_set(&qdev->irq_received_display, 0);
43417- atomic_set(&qdev->irq_received_cursor, 0);
43418- atomic_set(&qdev->irq_received_io_cmd, 0);
43419+ atomic_set_unchecked(&qdev->irq_received, 0);
43420+ atomic_set_unchecked(&qdev->irq_received_display, 0);
43421+ atomic_set_unchecked(&qdev->irq_received_cursor, 0);
43422+ atomic_set_unchecked(&qdev->irq_received_io_cmd, 0);
43423 qdev->irq_received_error = 0;
43424 ret = drm_irq_install(qdev->ddev, qdev->ddev->pdev->irq);
43425 qdev->ram_header->int_mask = QXL_INTERRUPT_MASK;
43426diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c
43427index 0cbc4c9..0e46686 100644
43428--- a/drivers/gpu/drm/qxl/qxl_ttm.c
43429+++ b/drivers/gpu/drm/qxl/qxl_ttm.c
43430@@ -103,7 +103,7 @@ static void qxl_ttm_global_fini(struct qxl_device *qdev)
43431 }
43432 }
43433
43434-static struct vm_operations_struct qxl_ttm_vm_ops;
43435+static vm_operations_struct_no_const qxl_ttm_vm_ops __read_only;
43436 static const struct vm_operations_struct *ttm_vm_ops;
43437
43438 static int qxl_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
43439@@ -145,8 +145,10 @@ int qxl_mmap(struct file *filp, struct vm_area_struct *vma)
43440 return r;
43441 if (unlikely(ttm_vm_ops == NULL)) {
43442 ttm_vm_ops = vma->vm_ops;
43443+ pax_open_kernel();
43444 qxl_ttm_vm_ops = *ttm_vm_ops;
43445 qxl_ttm_vm_ops.fault = &qxl_ttm_fault;
43446+ pax_close_kernel();
43447 }
43448 vma->vm_ops = &qxl_ttm_vm_ops;
43449 return 0;
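Review bot: `ttm_vm_ops` is assigned before `qxl_ttm_vm_ops` has been filled in, so a second caller arriving in between sees `ttm_vm_ops != NULL`, skips the block and installs `&qxl_ttm_vm_ops` while the copy and the `.fault` override are still in progress. Nothing in the hunk serialises qxl_mmap callers, and the new pax_open_kernel()/pax_close_kernel() pair does not change that ordering. Publishing the guard last narrows the window: copy with `qxl_ttm_vm_ops = *vma->vm_ops;`, set `.fault`, call pax_close_kernel(), and only then `ttm_vm_ops = vma->vm_ops;`. Filling the table once at driver load would remove it entirely. radeon_mmap in radeon_ttm.c has the same sequence, and qxl_mmap begins outside the hunk.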
43450@@ -464,25 +466,23 @@ static int qxl_mm_dump_table(struct seq_file *m, void *data)
43451 static int qxl_ttm_debugfs_init(struct qxl_device *qdev)
43452 {
43453 #if defined(CONFIG_DEBUG_FS)
43454- static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES];
43455- static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32];
43456- unsigned i;
43457+ static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES] = {
43458+ {
43459+ .name = "qxl_mem_mm",
43460+ .show = &qxl_mm_dump_table,
43461+ },
43462+ {
43463+ .name = "qxl_surf_mm",
43464+ .show = &qxl_mm_dump_table,
43465+ }
43466+ };
43467
43468- for (i = 0; i < QXL_DEBUGFS_MEM_TYPES; i++) {
43469- if (i == 0)
43470- sprintf(qxl_mem_types_names[i], "qxl_mem_mm");
43471- else
43472- sprintf(qxl_mem_types_names[i], "qxl_surf_mm");
43473- qxl_mem_types_list[i].name = qxl_mem_types_names[i];
43474- qxl_mem_types_list[i].show = &qxl_mm_dump_table;
43475- qxl_mem_types_list[i].driver_features = 0;
43476- if (i == 0)
43477- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv;
43478- else
43479- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv;
43480+ pax_open_kernel();
43481+ *(void **)&qxl_mem_types_list[0].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv;
43482+ *(void **)&qxl_mem_types_list[1].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv;
43483+ pax_close_kernel();
43484
43485- }
43486- return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i);
43487+ return qxl_debugfs_add_files(qdev, qxl_mem_types_list, QXL_DEBUGFS_MEM_TYPES);
43488 #else
43489 return 0;
43490 #endif
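Review bot: The two-entry initialiser and the stores through `qxl_mem_types_list[0].data` and `qxl_mem_types_list[1].data` hard-code a table size of two, while the array bound and the count passed to qxl_debugfs_add_files() are both `QXL_DEBUGFS_MEM_TYPES`. If that constant were ever larger, the extra entries would be registered with a NULL `.name` and `.show`. A `BUILD_BUG_ON(QXL_DEBUGFS_MEM_TYPES != 2);` ahead of the pax_open_kernel() call would pin the assumption at compile time. The table is `static`, so `.data` is rewritten on every call; if more than one qxl device can be initialised, the entries end up pointing at the last one, which is worth a comment even if it is inherited behaviour.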
43491diff --git a/drivers/gpu/drm/r128/r128_cce.c b/drivers/gpu/drm/r128/r128_cce.c
43492index 2c45ac9..5d740f8 100644
43493--- a/drivers/gpu/drm/r128/r128_cce.c
43494+++ b/drivers/gpu/drm/r128/r128_cce.c
43495@@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_device *dev, drm_r128_init_t *init)
43496
43497 /* GH: Simple idle check.
43498 */
43499- atomic_set(&dev_priv->idle_count, 0);
43500+ atomic_set_unchecked(&dev_priv->idle_count, 0);
43501
43502 /* We don't support anything other than bus-mastering ring mode,
43503 * but the ring can be in either AGP or PCI space for the ring
43504diff --git a/drivers/gpu/drm/r128/r128_drv.h b/drivers/gpu/drm/r128/r128_drv.h
43505index 723e5d6..102dbaf 100644
43506--- a/drivers/gpu/drm/r128/r128_drv.h
43507+++ b/drivers/gpu/drm/r128/r128_drv.h
43508@@ -93,14 +93,14 @@ typedef struct drm_r128_private {
43509 int is_pci;
43510 unsigned long cce_buffers_offset;
43511
43512- atomic_t idle_count;
43513+ atomic_unchecked_t idle_count;
43514
43515 int page_flipping;
43516 int current_page;
43517 u32 crtc_offset;
43518 u32 crtc_offset_cntl;
43519
43520- atomic_t vbl_received;
43521+ atomic_unchecked_t vbl_received;
43522
43523 u32 color_fmt;
43524 unsigned int front_offset;
43525diff --git a/drivers/gpu/drm/r128/r128_ioc32.c b/drivers/gpu/drm/r128/r128_ioc32.c
43526index 663f38c..ec159a1 100644
43527--- a/drivers/gpu/drm/r128/r128_ioc32.c
43528+++ b/drivers/gpu/drm/r128/r128_ioc32.c
43529@@ -178,7 +178,7 @@ static int compat_r128_getparam(struct file *file, unsigned int cmd,
43530 return drm_ioctl(file, DRM_IOCTL_R128_GETPARAM, (unsigned long)getparam);
43531 }
43532
43533-drm_ioctl_compat_t *r128_compat_ioctls[] = {
43534+drm_ioctl_compat_t r128_compat_ioctls[] = {
43535 [DRM_R128_INIT] = compat_r128_init,
43536 [DRM_R128_DEPTH] = compat_r128_depth,
43537 [DRM_R128_STIPPLE] = compat_r128_stipple,
43538@@ -197,17 +197,13 @@ drm_ioctl_compat_t *r128_compat_ioctls[] = {
43539 long r128_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
43540 {
43541 unsigned int nr = DRM_IOCTL_NR(cmd);
43542- drm_ioctl_compat_t *fn = NULL;
43543 int ret;
43544
43545 if (nr < DRM_COMMAND_BASE)
43546 return drm_compat_ioctl(filp, cmd, arg);
43547
43548- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(r128_compat_ioctls))
43549- fn = r128_compat_ioctls[nr - DRM_COMMAND_BASE];
43550-
43551- if (fn != NULL)
43552- ret = (*fn) (filp, cmd, arg);
43553+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(r128_compat_ioctls) && r128_compat_ioctls[nr - DRM_COMMAND_BASE])
43554+ ret = (*r128_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
43555 else
43556 ret = drm_ioctl(filp, cmd, arg);
43557
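Review bot: The index `nr - DRM_COMMAND_BASE` is now spelled out twice next to a bound written as `DRM_COMMAND_BASE + ARRAY_SIZE(...)`, all on one long condition line, which makes the bounds check on a caller-supplied `nr` harder to audit than the version it replaces. Naming the index once keeps check and use visibly tied together: `unsigned int idx = nr - DRM_COMMAND_BASE;`, then `if (idx < ARRAY_SIZE(r128_compat_ioctls) && r128_compat_ioctls[idx])` and `ret = r128_compat_ioctls[idx](filp, cmd, arg);`. A short comment on why the `fn` local was dropped would also help, since the reason (presumably the typedef changing elsewhere in the patch) is not visible here. radeon_compat_ioctl in radeon_ioc32.c has the same rewritten dispatch, and the function continues past the end of this hunk.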
43558diff --git a/drivers/gpu/drm/r128/r128_irq.c b/drivers/gpu/drm/r128/r128_irq.c
43559index c2ae496..30b5993 100644
43560--- a/drivers/gpu/drm/r128/r128_irq.c
43561+++ b/drivers/gpu/drm/r128/r128_irq.c
43562@@ -41,7 +41,7 @@ u32 r128_get_vblank_counter(struct drm_device *dev, int crtc)
43563 if (crtc != 0)
43564 return 0;
43565
43566- return atomic_read(&dev_priv->vbl_received);
43567+ return atomic_read_unchecked(&dev_priv->vbl_received);
43568 }
43569
43570 irqreturn_t r128_driver_irq_handler(int irq, void *arg)
43571@@ -55,7 +55,7 @@ irqreturn_t r128_driver_irq_handler(int irq, void *arg)
43572 /* VBLANK interrupt */
43573 if (status & R128_CRTC_VBLANK_INT) {
43574 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
43575- atomic_inc(&dev_priv->vbl_received);
43576+ atomic_inc_unchecked(&dev_priv->vbl_received);
43577 drm_handle_vblank(dev, 0);
43578 return IRQ_HANDLED;
43579 }
43580diff --git a/drivers/gpu/drm/r128/r128_state.c b/drivers/gpu/drm/r128/r128_state.c
43581index 8fd2d9f..18c9660 100644
43582--- a/drivers/gpu/drm/r128/r128_state.c
43583+++ b/drivers/gpu/drm/r128/r128_state.c
43584@@ -320,10 +320,10 @@ static void r128_clear_box(drm_r128_private_t *dev_priv,
43585
43586 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
43587 {
43588- if (atomic_read(&dev_priv->idle_count) == 0)
43589+ if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
43590 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
43591 else
43592- atomic_set(&dev_priv->idle_count, 0);
43593+ atomic_set_unchecked(&dev_priv->idle_count, 0);
43594 }
43595
43596 #endif
43597diff --git a/drivers/gpu/drm/radeon/mkregtable.c b/drivers/gpu/drm/radeon/mkregtable.c
43598index b928c17..e5d9400 100644
43599--- a/drivers/gpu/drm/radeon/mkregtable.c
43600+++ b/drivers/gpu/drm/radeon/mkregtable.c
43601@@ -624,14 +624,14 @@ static int parser_auth(struct table *t, const char *filename)
43602 regex_t mask_rex;
43603 regmatch_t match[4];
43604 char buf[1024];
43605- size_t end;
43606+ long end;
43607 int len;
43608 int done = 0;
43609 int r;
43610 unsigned o;
43611 struct offset *offset;
43612 char last_reg_s[10];
43613- int last_reg;
43614+ unsigned long last_reg;
43615
43616 if (regcomp
43617 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
43618diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
43619index d8319da..d6e066f 100644
43620--- a/drivers/gpu/drm/radeon/radeon_device.c
43621+++ b/drivers/gpu/drm/radeon/radeon_device.c
43622@@ -1253,7 +1253,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
43623 * locking inversion with the driver load path. And the access here is
43624 * completely racy anyway. So don't bother with locking for now.
43625 */
43626- return dev->open_count == 0;
43627+ return local_read(&dev->open_count) == 0;
43628 }
43629
43630 static const struct vga_switcheroo_client_ops radeon_switcheroo_ops = {
43631diff --git a/drivers/gpu/drm/radeon/radeon_drv.h b/drivers/gpu/drm/radeon/radeon_drv.h
43632index 46bd393..6ae4719 100644
43633--- a/drivers/gpu/drm/radeon/radeon_drv.h
43634+++ b/drivers/gpu/drm/radeon/radeon_drv.h
43635@@ -264,7 +264,7 @@ typedef struct drm_radeon_private {
43636
43637 /* SW interrupt */
43638 wait_queue_head_t swi_queue;
43639- atomic_t swi_emitted;
43640+ atomic_unchecked_t swi_emitted;
43641 int vblank_crtc;
43642 uint32_t irq_enable_reg;
43643 uint32_t r500_disp_irq_reg;
43644diff --git a/drivers/gpu/drm/radeon/radeon_ioc32.c b/drivers/gpu/drm/radeon/radeon_ioc32.c
43645index 0b98ea1..a3c770f 100644
43646--- a/drivers/gpu/drm/radeon/radeon_ioc32.c
43647+++ b/drivers/gpu/drm/radeon/radeon_ioc32.c
43648@@ -358,7 +358,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
43649 request = compat_alloc_user_space(sizeof(*request));
43650 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
43651 || __put_user(req32.param, &request->param)
43652- || __put_user((void __user *)(unsigned long)req32.value,
43653+ || __put_user((unsigned long)req32.value,
43654 &request->value))
43655 return -EFAULT;
43656
43657@@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
43658 #define compat_radeon_cp_setparam NULL
43659 #endif /* X86_64 || IA64 */
43660
43661-static drm_ioctl_compat_t *radeon_compat_ioctls[] = {
43662+static drm_ioctl_compat_t radeon_compat_ioctls[] = {
43663 [DRM_RADEON_CP_INIT] = compat_radeon_cp_init,
43664 [DRM_RADEON_CLEAR] = compat_radeon_cp_clear,
43665 [DRM_RADEON_STIPPLE] = compat_radeon_cp_stipple,
43666@@ -393,17 +393,13 @@ static drm_ioctl_compat_t *radeon_compat_ioctls[] = {
43667 long radeon_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
43668 {
43669 unsigned int nr = DRM_IOCTL_NR(cmd);
43670- drm_ioctl_compat_t *fn = NULL;
43671 int ret;
43672
43673 if (nr < DRM_COMMAND_BASE)
43674 return drm_compat_ioctl(filp, cmd, arg);
43675
43676- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(radeon_compat_ioctls))
43677- fn = radeon_compat_ioctls[nr - DRM_COMMAND_BASE];
43678-
43679- if (fn != NULL)
43680- ret = (*fn) (filp, cmd, arg);
43681+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(radeon_compat_ioctls) && radeon_compat_ioctls[nr - DRM_COMMAND_BASE])
43682+ ret = (*radeon_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
43683 else
43684 ret = drm_ioctl(filp, cmd, arg);
43685
43686diff --git a/drivers/gpu/drm/radeon/radeon_irq.c b/drivers/gpu/drm/radeon/radeon_irq.c
43687index 244b19b..c19226d 100644
43688--- a/drivers/gpu/drm/radeon/radeon_irq.c
43689+++ b/drivers/gpu/drm/radeon/radeon_irq.c
43690@@ -226,8 +226,8 @@ static int radeon_emit_irq(struct drm_device * dev)
43691 unsigned int ret;
43692 RING_LOCALS;
43693
43694- atomic_inc(&dev_priv->swi_emitted);
43695- ret = atomic_read(&dev_priv->swi_emitted);
43696+ atomic_inc_unchecked(&dev_priv->swi_emitted);
43697+ ret = atomic_read_unchecked(&dev_priv->swi_emitted);
43698
43699 BEGIN_RING(4);
43700 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
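Review bot: The sequence number comes from `atomic_inc_unchecked()` followed by a separate `atomic_read_unchecked()`, so the value written to `RADEON_LAST_SWI_REG` is not necessarily the one this call incremented to if another emitter runs between the two statements. Whether callers of radeon_emit_irq are serialised is decided outside the hunk; if they are not, two calls can return the same `ret`. A single `ret = atomic_inc_return_unchecked(&dev_priv->swi_emitted);` removes the gap and is also shorter. via_driver_irq_handler in via_irq.c follows its increment of `vbl_received` with two separate reads in the same way, and one local holding the incremented value would serve there too.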
43701@@ -353,7 +353,7 @@ int radeon_driver_irq_postinstall(struct drm_device *dev)
43702 drm_radeon_private_t *dev_priv =
43703 (drm_radeon_private_t *) dev->dev_private;
43704
43705- atomic_set(&dev_priv->swi_emitted, 0);
43706+ atomic_set_unchecked(&dev_priv->swi_emitted, 0);
43707 init_waitqueue_head(&dev_priv->swi_queue);
43708
43709 dev->max_vblank_count = 0x001fffff;
43710diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
43711index 15aee72..cda326e 100644
43712--- a/drivers/gpu/drm/radeon/radeon_state.c
43713+++ b/drivers/gpu/drm/radeon/radeon_state.c
43714@@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_device *dev, void *data, struct drm_file *
43715 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
43716 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
43717
43718- if (copy_from_user(&depth_boxes, clear->depth_boxes,
43719+ if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || copy_from_user(&depth_boxes, clear->depth_boxes,
43720 sarea_priv->nbox * sizeof(depth_boxes[0])))
43721 return -EFAULT;
43722
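Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test re-reads the field that the clamp two lines above has just read and written, and the copy length on the following line reads it yet again, so the value that is checked is still not guaranteed to be the value that is used. The re-check only makes sense if `sarea_priv` can change underneath the ioctl (presumably it is shared with user space, which is not visible here), and in that case the window between check and use remains. Reading the field once into a local closes it: `unsigned int nbox = READ_ONCE(sarea_priv->nbox);`, then `if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;`, with `nbox * sizeof(depth_boxes[0])` as the length. radeon_cp_clear starts and ends outside the hunk, so any later use of `sarea_priv->nbox` in it would need the same local.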
43723@@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm_device *dev, void *data, struct drm_fil
43724 {
43725 drm_radeon_private_t *dev_priv = dev->dev_private;
43726 drm_radeon_getparam_t *param = data;
43727- int value;
43728+ int value = 0;
43729
43730 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
43731
43732diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
43733index 06ac59fe..57e0681 100644
43734--- a/drivers/gpu/drm/radeon/radeon_ttm.c
43735+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
43736@@ -961,7 +961,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size)
43737 man->size = size >> PAGE_SHIFT;
43738 }
43739
43740-static struct vm_operations_struct radeon_ttm_vm_ops;
43741+static vm_operations_struct_no_const radeon_ttm_vm_ops __read_only;
43742 static const struct vm_operations_struct *ttm_vm_ops = NULL;
43743
43744 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
43745@@ -1002,8 +1002,10 @@ int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
43746 }
43747 if (unlikely(ttm_vm_ops == NULL)) {
43748 ttm_vm_ops = vma->vm_ops;
43749+ pax_open_kernel();
43750 radeon_ttm_vm_ops = *ttm_vm_ops;
43751 radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
43752+ pax_close_kernel();
43753 }
43754 vma->vm_ops = &radeon_ttm_vm_ops;
43755 return 0;
43756diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
43757index a287e4f..df1d5dd 100644
43758--- a/drivers/gpu/drm/tegra/dc.c
43759+++ b/drivers/gpu/drm/tegra/dc.c
43760@@ -1594,7 +1594,7 @@ static int tegra_dc_debugfs_init(struct tegra_dc *dc, struct drm_minor *minor)
43761 }
43762
43763 for (i = 0; i < ARRAY_SIZE(debugfs_files); i++)
43764- dc->debugfs_files[i].data = dc;
43765+ *(void **)&dc->debugfs_files[i].data = dc;
43766
43767 err = drm_debugfs_create_files(dc->debugfs_files,
43768 ARRAY_SIZE(debugfs_files),
43769diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
43770index ed970f6..4eeea42 100644
43771--- a/drivers/gpu/drm/tegra/dsi.c
43772+++ b/drivers/gpu/drm/tegra/dsi.c
43773@@ -62,7 +62,7 @@ struct tegra_dsi {
43774 struct clk *clk_lp;
43775 struct clk *clk;
43776
43777- struct drm_info_list *debugfs_files;
43778+ drm_info_list_no_const *debugfs_files;
43779 struct drm_minor *minor;
43780 struct dentry *debugfs;
43781
43782diff --git a/drivers/gpu/drm/tegra/hdmi.c b/drivers/gpu/drm/tegra/hdmi.c
43783index 06ab178..b5324e4 100644
43784--- a/drivers/gpu/drm/tegra/hdmi.c
43785+++ b/drivers/gpu/drm/tegra/hdmi.c
43786@@ -64,7 +64,7 @@ struct tegra_hdmi {
43787 bool stereo;
43788 bool dvi;
43789
43790- struct drm_info_list *debugfs_files;
43791+ drm_info_list_no_const *debugfs_files;
43792 struct drm_minor *minor;
43793 struct dentry *debugfs;
43794 };
43795diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c
43796index 7591d89..463e2b6 100644
43797--- a/drivers/gpu/drm/tegra/sor.c
43798+++ b/drivers/gpu/drm/tegra/sor.c
43799@@ -826,8 +826,11 @@ static int tegra_sor_debugfs_init(struct tegra_sor *sor,
43800 goto remove;
43801 }
43802
43803- for (i = 0; i < ARRAY_SIZE(debugfs_files); i++)
43804- sor->debugfs_files[i].data = sor;
43805+ for (i = 0; i < ARRAY_SIZE(debugfs_files); i++) {
43806+ pax_open_kernel();
43807+ *(void **)&sor->debugfs_files[i].data = sor;
43808+ pax_close_kernel();
43809+ }
43810
43811 err = drm_debugfs_create_files(sor->debugfs_files,
43812 ARRAY_SIZE(debugfs_files),
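Review bot: The pax_open_kernel()/pax_close_kernel() pair is opened and closed once per loop iteration around the `.data` store, while tegra_dc_debugfs_init in dc.c performs the identical store `*(void **)&dc->debugfs_files[i].data = dc;` with no bracket at all. One of the two is presumably wrong. If `sor->debugfs_files` is an ordinary writable allocation (it is set up above this hunk), kernel write protection is being lifted for no reason; if it is read-only, the dc.c store would fault. Whichever applies, the two files should agree, and where the bracket is needed it belongs around the whole loop, `pax_open_kernel(); for (...) ...; pax_close_kernel();`, with a comment naming the object it protects.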
43813diff --git a/drivers/gpu/drm/tilcdc/Makefile b/drivers/gpu/drm/tilcdc/Makefile
43814index deeca48..54e1b6c 100644
43815--- a/drivers/gpu/drm/tilcdc/Makefile
43816+++ b/drivers/gpu/drm/tilcdc/Makefile
43817@@ -1,7 +1,7 @@
43818 ccflags-y := -Iinclude/drm
43819-ifeq (, $(findstring -W,$(EXTRA_CFLAGS)))
43820- ccflags-y += -Werror
43821-endif
43822+#ifeq (, $(findstring -W,$(EXTRA_CFLAGS)))
43823+# ccflags-y += -Werror
43824+#endif
43825
43826 obj-$(CONFIG_DRM_TILCDC_SLAVE_COMPAT) += tilcdc_slave_compat.o \
43827 tilcdc_slave_compat.dtb.o
43828diff --git a/drivers/gpu/drm/ttm/ttm_bo_manager.c b/drivers/gpu/drm/ttm/ttm_bo_manager.c
43829index aa0bd054..aea6a01 100644
43830--- a/drivers/gpu/drm/ttm/ttm_bo_manager.c
43831+++ b/drivers/gpu/drm/ttm/ttm_bo_manager.c
43832@@ -148,10 +148,10 @@ static void ttm_bo_man_debug(struct ttm_mem_type_manager *man,
43833 }
43834
43835 const struct ttm_mem_type_manager_func ttm_bo_manager_func = {
43836- ttm_bo_man_init,
43837- ttm_bo_man_takedown,
43838- ttm_bo_man_get_node,
43839- ttm_bo_man_put_node,
43840- ttm_bo_man_debug
43841+ .init = ttm_bo_man_init,
43842+ .takedown = ttm_bo_man_takedown,
43843+ .get_node = ttm_bo_man_get_node,
43844+ .put_node = ttm_bo_man_put_node,
43845+ .debug = ttm_bo_man_debug
43846 };
43847 EXPORT_SYMBOL(ttm_bo_manager_func);
43848diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
43849index a1803fb..c53f6b0 100644
43850--- a/drivers/gpu/drm/ttm/ttm_memory.c
43851+++ b/drivers/gpu/drm/ttm/ttm_memory.c
43852@@ -264,7 +264,7 @@ static int ttm_mem_init_kernel_zone(struct ttm_mem_global *glob,
43853 zone->glob = glob;
43854 glob->zone_kernel = zone;
43855 ret = kobject_init_and_add(
43856- &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name);
43857+ &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name);
43858 if (unlikely(ret != 0)) {
43859 kobject_put(&zone->kobj);
43860 return ret;
43861@@ -348,7 +348,7 @@ static int ttm_mem_init_dma32_zone(struct ttm_mem_global *glob,
43862 zone->glob = glob;
43863 glob->zone_dma32 = zone;
43864 ret = kobject_init_and_add(
43865- &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name);
43866+ &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name);
43867 if (unlikely(ret != 0)) {
43868 kobject_put(&zone->kobj);
43869 return ret;
43870diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
43871index 025c429..314062f 100644
43872--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
43873+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
43874@@ -54,7 +54,7 @@
43875
43876 #define NUM_PAGES_TO_ALLOC (PAGE_SIZE/sizeof(struct page *))
43877 #define SMALL_ALLOCATION 16
43878-#define FREE_ALL_PAGES (~0U)
43879+#define FREE_ALL_PAGES (~0UL)
43880 /* times are in msecs */
43881 #define PAGE_FREE_INTERVAL 1000
43882
43883@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
43884 * @free_all: If set to true will free all pages in pool
43885 * @use_static: Safe to use static buffer
43886 **/
43887-static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free,
43888+static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free,
43889 bool use_static)
43890 {
43891 static struct page *static_buf[NUM_PAGES_TO_ALLOC];
43892 unsigned long irq_flags;
43893 struct page *p;
43894 struct page **pages_to_free;
43895- unsigned freed_pages = 0,
43896- npages_to_free = nr_free;
43897+ unsigned long freed_pages = 0, npages_to_free = nr_free;
43898
43899 if (NUM_PAGES_TO_ALLOC < nr_free)
43900 npages_to_free = NUM_PAGES_TO_ALLOC;
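Review bot: The kernel-doc above ttm_page_pool_free still documents a `@free_all` flag, but the parameter is `nr_free`, and after this change it is an `unsigned long` whose value `FREE_ALL_PAGES` is treated as a sticky sentinel by the `if (likely(nr_free != FREE_ALL_PAGES))` added in the next hunk. The comment should say so, for example `@nr_free: number of pages to free, or FREE_ALL_PAGES to empty the pool`, and should state what the new `unsigned long` return value means. ttm_dma_page_pool_free in ttm_page_alloc_dma.c has the same stale wording (`@nr_free: If set to true will free all pages in pool`). The hunk header further down shows ttm_get_pages still taking `unsigned npages` while ttm_put_pages was widened, which looks unintended.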
43901@@ -371,7 +370,8 @@ restart:
43902 __list_del(&p->lru, &pool->list);
43903
43904 ttm_pool_update_free_locked(pool, freed_pages);
43905- nr_free -= freed_pages;
43906+ if (likely(nr_free != FREE_ALL_PAGES))
43907+ nr_free -= freed_pages;
43908 }
43909
43910 spin_unlock_irqrestore(&pool->lock, irq_flags);
43911@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43912 unsigned i;
43913 unsigned pool_offset;
43914 struct ttm_page_pool *pool;
43915- int shrink_pages = sc->nr_to_scan;
43916+ unsigned long shrink_pages = sc->nr_to_scan;
43917 unsigned long freed = 0;
43918
43919 if (!mutex_trylock(&lock))
43920@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43921 pool_offset = ++start_pool % NUM_POOLS;
43922 /* select start pool in round robin fashion */
43923 for (i = 0; i < NUM_POOLS; ++i) {
43924- unsigned nr_free = shrink_pages;
43925+ unsigned long nr_free = shrink_pages;
43926 if (shrink_pages == 0)
43927 break;
43928 pool = &_manager->pools[(i + pool_offset)%NUM_POOLS];
43929@@ -673,7 +673,7 @@ out:
43930 }
43931
43932 /* Put all pages in pages list to correct pool to wait for reuse */
43933-static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
43934+static void ttm_put_pages(struct page **pages, unsigned long npages, int flags,
43935 enum ttm_caching_state cstate)
43936 {
43937 unsigned long irq_flags;
43938@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
43939 struct list_head plist;
43940 struct page *p = NULL;
43941 gfp_t gfp_flags = GFP_USER;
43942- unsigned count;
43943+ unsigned long count;
43944 int r;
43945
43946 /* set zero flag for page allocation if required */
43947diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43948index 624d941..106fa1f 100644
43949--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43950+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43951@@ -56,7 +56,7 @@
43952
43953 #define NUM_PAGES_TO_ALLOC (PAGE_SIZE/sizeof(struct page *))
43954 #define SMALL_ALLOCATION 4
43955-#define FREE_ALL_PAGES (~0U)
43956+#define FREE_ALL_PAGES (~0UL)
43957 /* times are in msecs */
43958 #define IS_UNDEFINED (0)
43959 #define IS_WC (1<<1)
43960@@ -416,7 +416,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
43961 * @nr_free: If set to true will free all pages in pool
43962 * @use_static: Safe to use static buffer
43963 **/
43964-static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
43965+static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free,
43966 bool use_static)
43967 {
43968 static struct page *static_buf[NUM_PAGES_TO_ALLOC];
43969@@ -424,8 +424,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
43970 struct dma_page *dma_p, *tmp;
43971 struct page **pages_to_free;
43972 struct list_head d_pages;
43973- unsigned freed_pages = 0,
43974- npages_to_free = nr_free;
43975+ unsigned long freed_pages = 0, npages_to_free = nr_free;
43976
43977 if (NUM_PAGES_TO_ALLOC < nr_free)
43978 npages_to_free = NUM_PAGES_TO_ALLOC;
43979@@ -502,7 +501,8 @@ restart:
43980 /* remove range of pages from the pool */
43981 if (freed_pages) {
43982 ttm_pool_update_free_locked(pool, freed_pages);
43983- nr_free -= freed_pages;
43984+ if (likely(nr_free != FREE_ALL_PAGES))
43985+ nr_free -= freed_pages;
43986 }
43987
43988 spin_unlock_irqrestore(&pool->lock, irq_flags);
43989@@ -939,7 +939,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
43990 struct dma_page *d_page, *next;
43991 enum pool_type type;
43992 bool is_cached = false;
43993- unsigned count = 0, i, npages = 0;
43994+ unsigned long count = 0, i, npages = 0;
43995 unsigned long irq_flags;
43996
43997 type = ttm_to_type(ttm->page_flags, ttm->caching_state);
43998@@ -1014,7 +1014,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43999 static unsigned start_pool;
44000 unsigned idx = 0;
44001 unsigned pool_offset;
44002- unsigned shrink_pages = sc->nr_to_scan;
44003+ unsigned long shrink_pages = sc->nr_to_scan;
44004 struct device_pools *p;
44005 unsigned long freed = 0;
44006
44007@@ -1027,7 +1027,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
44008 goto out;
44009 pool_offset = ++start_pool % _manager->npools;
44010 list_for_each_entry(p, &_manager->pools, pools) {
44011- unsigned nr_free;
44012+ unsigned long nr_free;
44013
44014 if (!p->dev)
44015 continue;
44016@@ -1041,7 +1041,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
44017 shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true);
44018 freed += nr_free - shrink_pages;
44019
44020- pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n",
44021+ pr_debug("%s: (%s:%d) Asked to shrink %lu, have %lu more to go\n",
44022 p->pool->dev_name, p->pool->name, current->pid,
44023 nr_free, shrink_pages);
44024 }
44025diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
44026index 5fc16ce..1bd84ec 100644
44027--- a/drivers/gpu/drm/udl/udl_fb.c
44028+++ b/drivers/gpu/drm/udl/udl_fb.c
44029@@ -367,7 +367,6 @@ static int udl_fb_release(struct fb_info *info, int user)
44030 fb_deferred_io_cleanup(info);
44031 kfree(info->fbdefio);
44032 info->fbdefio = NULL;
44033- info->fbops->fb_mmap = udl_fb_mmap;
44034 }
44035
44036 pr_warn("released /dev/fb%d user=%d count=%d\n",
44037diff --git a/drivers/gpu/drm/via/via_drv.h b/drivers/gpu/drm/via/via_drv.h
44038index ef8c500..01030c8 100644
44039--- a/drivers/gpu/drm/via/via_drv.h
44040+++ b/drivers/gpu/drm/via/via_drv.h
44041@@ -53,7 +53,7 @@ typedef struct drm_via_ring_buffer {
44042 typedef uint32_t maskarray_t[5];
44043
44044 typedef struct drm_via_irq {
44045- atomic_t irq_received;
44046+ atomic_unchecked_t irq_received;
44047 uint32_t pending_mask;
44048 uint32_t enable_mask;
44049 wait_queue_head_t irq_queue;
44050@@ -77,7 +77,7 @@ typedef struct drm_via_private {
44051 struct timeval last_vblank;
44052 int last_vblank_valid;
44053 unsigned usec_per_vblank;
44054- atomic_t vbl_received;
44055+ atomic_unchecked_t vbl_received;
44056 drm_via_state_t hc_state;
44057 char pci_buf[VIA_PCI_BUF_SIZE];
44058 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
44059diff --git a/drivers/gpu/drm/via/via_irq.c b/drivers/gpu/drm/via/via_irq.c
44060index 1319433..a993b0c 100644
44061--- a/drivers/gpu/drm/via/via_irq.c
44062+++ b/drivers/gpu/drm/via/via_irq.c
44063@@ -101,7 +101,7 @@ u32 via_get_vblank_counter(struct drm_device *dev, int crtc)
44064 if (crtc != 0)
44065 return 0;
44066
44067- return atomic_read(&dev_priv->vbl_received);
44068+ return atomic_read_unchecked(&dev_priv->vbl_received);
44069 }
44070
44071 irqreturn_t via_driver_irq_handler(int irq, void *arg)
44072@@ -116,8 +116,8 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
44073
44074 status = VIA_READ(VIA_REG_INTERRUPT);
44075 if (status & VIA_IRQ_VBLANK_PENDING) {
44076- atomic_inc(&dev_priv->vbl_received);
44077- if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
44078+ atomic_inc_unchecked(&dev_priv->vbl_received);
44079+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
44080 do_gettimeofday(&cur_vblank);
44081 if (dev_priv->last_vblank_valid) {
44082 dev_priv->usec_per_vblank =
44083@@ -127,7 +127,7 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
44084 dev_priv->last_vblank = cur_vblank;
44085 dev_priv->last_vblank_valid = 1;
44086 }
44087- if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
44088+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
44089 DRM_DEBUG("US per vblank is: %u\n",
44090 dev_priv->usec_per_vblank);
44091 }
44092@@ -137,7 +137,7 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
44093
44094 for (i = 0; i < dev_priv->num_irqs; ++i) {
44095 if (status & cur_irq->pending_mask) {
44096- atomic_inc(&cur_irq->irq_received);
44097+ atomic_inc_unchecked(&cur_irq->irq_received);
44098 wake_up(&cur_irq->irq_queue);
44099 handled = 1;
44100 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
44101@@ -242,11 +242,11 @@ via_driver_irq_wait(struct drm_device *dev, unsigned int irq, int force_sequence
44102 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * HZ,
44103 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
44104 masks[irq][4]));
44105- cur_irq_sequence = atomic_read(&cur_irq->irq_received);
44106+ cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
44107 } else {
44108 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * HZ,
44109 (((cur_irq_sequence =
44110- atomic_read(&cur_irq->irq_received)) -
44111+ atomic_read_unchecked(&cur_irq->irq_received)) -
44112 *sequence) <= (1 << 23)));
44113 }
44114 *sequence = cur_irq_sequence;
44115@@ -284,7 +284,7 @@ void via_driver_irq_preinstall(struct drm_device *dev)
44116 }
44117
44118 for (i = 0; i < dev_priv->num_irqs; ++i) {
44119- atomic_set(&cur_irq->irq_received, 0);
44120+ atomic_set_unchecked(&cur_irq->irq_received, 0);
44121 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
44122 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
44123 init_waitqueue_head(&cur_irq->irq_queue);
44124@@ -366,7 +366,7 @@ int via_wait_irq(struct drm_device *dev, void *data, struct drm_file *file_priv)
44125 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
44126 case VIA_IRQ_RELATIVE:
44127 irqwait->request.sequence +=
44128- atomic_read(&cur_irq->irq_received);
44129+ atomic_read_unchecked(&cur_irq->irq_received);
44130 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
44131 case VIA_IRQ_ABSOLUTE:
44132 break;
44133diff --git a/drivers/gpu/drm/virtio/virtgpu_debugfs.c b/drivers/gpu/drm/virtio/virtgpu_debugfs.c
44134index db8b491..d87b27c 100644
44135--- a/drivers/gpu/drm/virtio/virtgpu_debugfs.c
44136+++ b/drivers/gpu/drm/virtio/virtgpu_debugfs.c
44137@@ -34,7 +34,7 @@ virtio_gpu_debugfs_irq_info(struct seq_file *m, void *data)
44138 struct drm_info_node *node = (struct drm_info_node *) m->private;
44139 struct virtio_gpu_device *vgdev = node->minor->dev->dev_private;
44140
44141- seq_printf(m, "fence %ld %lld\n",
44142+ seq_printf(m, "fence %lld %lld\n",
44143 atomic64_read(&vgdev->fence_drv.last_seq),
44144 vgdev->fence_drv.sync_seq);
44145 return 0;
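Review bot: `%lld` matches the first argument only where `atomic64_read()` returns `long long`; its return type is defined per architecture outside this hunk, so the format and the argument can still disagree on another build. An explicit cast removes the dependency: `(long long)atomic64_read(&vgdev->fence_drv.last_seq)`. The virtgpu_fence.c hunk below has the same issue with `%llu` and would take `(unsigned long long)`. The two files also print the same counter once signed and once unsigned.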
44146diff --git a/drivers/gpu/drm/virtio/virtgpu_fence.c b/drivers/gpu/drm/virtio/virtgpu_fence.c
44147index 1da6326..98dd385 100644
44148--- a/drivers/gpu/drm/virtio/virtgpu_fence.c
44149+++ b/drivers/gpu/drm/virtio/virtgpu_fence.c
44150@@ -61,7 +61,7 @@ static void virtio_timeline_value_str(struct fence *f, char *str, int size)
44151 {
44152 struct virtio_gpu_fence *fence = to_virtio_fence(f);
44153
44154- snprintf(str, size, "%lu", atomic64_read(&fence->drv->last_seq));
44155+ snprintf(str, size, "%llu", atomic64_read(&fence->drv->last_seq));
44156 }
44157
44158 static const struct fence_ops virtio_fence_ops = {
44159diff --git a/drivers/gpu/drm/virtio/virtgpu_ttm.c b/drivers/gpu/drm/virtio/virtgpu_ttm.c
44160index b092d7b..3bbecd9 100644
44161--- a/drivers/gpu/drm/virtio/virtgpu_ttm.c
44162+++ b/drivers/gpu/drm/virtio/virtgpu_ttm.c
44163@@ -197,11 +197,11 @@ static void ttm_bo_man_debug(struct ttm_mem_type_manager *man,
44164 }
44165
44166 static const struct ttm_mem_type_manager_func virtio_gpu_bo_manager_func = {
44167- ttm_bo_man_init,
44168- ttm_bo_man_takedown,
44169- ttm_bo_man_get_node,
44170- ttm_bo_man_put_node,
44171- ttm_bo_man_debug
44172+ .init = &ttm_bo_man_init,
44173+ .takedown = &ttm_bo_man_takedown,
44174+ .get_node = &ttm_bo_man_get_node,
44175+ .put_node = &ttm_bo_man_put_node,
44176+ .debug = &ttm_bo_man_debug
44177 };
44178
44179 static int virtio_gpu_init_mem_type(struct ttm_bo_device *bdev, uint32_t type,
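Review bot: The initializers here take each function's address with an explicit `&`, while the identical conversion of `vmw_gmrid_manager_func` later in the patch uses bare function names. Both are equivalent, so one spelling should be used throughout, e.g. `.init = ttm_bo_man_init,`. A trailing comma after `.debug = ttm_bo_man_debug` would also keep a future added member to a one-line diff.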
44180diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
44181index d26a6da..5fa41ed 100644
44182--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
44183+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
44184@@ -447,7 +447,7 @@ struct vmw_private {
44185 * Fencing and IRQs.
44186 */
44187
44188- atomic_t marker_seq;
44189+ atomic_unchecked_t marker_seq;
44190 wait_queue_head_t fence_queue;
44191 wait_queue_head_t fifo_queue;
44192 spinlock_t waiter_lock;
44193diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
44194index 39f2b03..d1b0a64 100644
44195--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
44196+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
44197@@ -152,7 +152,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo)
44198 (unsigned int) min,
44199 (unsigned int) fifo->capabilities);
44200
44201- atomic_set(&dev_priv->marker_seq, dev_priv->last_read_seqno);
44202+ atomic_set_unchecked(&dev_priv->marker_seq, dev_priv->last_read_seqno);
44203 iowrite32(dev_priv->last_read_seqno, fifo_mem + SVGA_FIFO_FENCE);
44204 vmw_marker_queue_init(&fifo->marker_queue);
44205 return vmw_fifo_send_fence(dev_priv, &dummy);
44206@@ -372,7 +372,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes)
44207 if (reserveable)
44208 iowrite32(bytes, fifo_mem +
44209 SVGA_FIFO_RESERVED);
44210- return fifo_mem + (next_cmd >> 2);
44211+ return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
44212 } else {
44213 need_bounce = true;
44214 }
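Review bot: The cast in `return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);` binds to `fifo_mem` before the addition, so the offset is now scaled by `sizeof(__le32)` rather than by the element size of `fifo_mem`'s declared type, which is outside the hunk. If the two sizes are equal nothing changes, but `(__le32 __force_kernel *)(fifo_mem + (next_cmd >> 2))` keeps the arithmetic as it was and makes that explicit. The forced cast also strips whatever address-space annotation `fifo_mem` carries (presumably `__iomem`, since the lines just above access it with `iowrite32()`), so a short comment on why callers may write through a plain pointer would help.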
44215@@ -492,7 +492,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
44216
44217 fm = vmw_fifo_reserve(dev_priv, bytes);
44218 if (unlikely(fm == NULL)) {
44219- *seqno = atomic_read(&dev_priv->marker_seq);
44220+ *seqno = atomic_read_unchecked(&dev_priv->marker_seq);
44221 ret = -ENOMEM;
44222 (void)vmw_fallback_wait(dev_priv, false, true, *seqno,
44223 false, 3*HZ);
44224@@ -500,7 +500,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
44225 }
44226
44227 do {
44228- *seqno = atomic_add_return(1, &dev_priv->marker_seq);
44229+ *seqno = atomic_add_return_unchecked(1, &dev_priv->marker_seq);
44230 } while (*seqno == 0);
44231
44232 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
44233diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
44234index 170b61b..fec7348 100644
44235--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
44236+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
44237@@ -164,9 +164,9 @@ static void vmw_gmrid_man_debug(struct ttm_mem_type_manager *man,
44238 }
44239
44240 const struct ttm_mem_type_manager_func vmw_gmrid_manager_func = {
44241- vmw_gmrid_man_init,
44242- vmw_gmrid_man_takedown,
44243- vmw_gmrid_man_get_node,
44244- vmw_gmrid_man_put_node,
44245- vmw_gmrid_man_debug
44246+ .init = vmw_gmrid_man_init,
44247+ .takedown = vmw_gmrid_man_takedown,
44248+ .get_node = vmw_gmrid_man_get_node,
44249+ .put_node = vmw_gmrid_man_put_node,
44250+ .debug = vmw_gmrid_man_debug
44251 };
44252diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
44253index 69c8ce2..cacb0ab 100644
44254--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
44255+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
44256@@ -235,7 +235,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data,
44257 int ret;
44258
44259 num_clips = arg->num_clips;
44260- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
44261+ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
44262
44263 if (unlikely(num_clips == 0))
44264 return 0;
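Review bot: Annotating only the cast leaves the checker's view incomplete unless the local `clips_ptr` is itself declared `struct drm_vmw_rect __user *`. The declaration is outside this hunk and outside the identical hunk in vmw_present_readback_ioctl below, so that needs confirming in both functions. The value also passes through `(unsigned long)`, which would truncate `arg->clips_ptr` on a 32-bit build if the field is 64 bits wide (its type is not visible here).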
44265@@ -318,7 +318,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data,
44266 int ret;
44267
44268 num_clips = arg->num_clips;
44269- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
44270+ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
44271
44272 if (unlikely(num_clips == 0))
44273 return 0;
44274diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
44275index 9fe9827..0aa2fc0 100644
44276--- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
44277+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
44278@@ -102,7 +102,7 @@ bool vmw_seqno_passed(struct vmw_private *dev_priv,
44279 * emitted. Then the fence is stale and signaled.
44280 */
44281
44282- ret = ((atomic_read(&dev_priv->marker_seq) - seqno)
44283+ ret = ((atomic_read_unchecked(&dev_priv->marker_seq) - seqno)
44284 > VMW_FENCE_WRAP);
44285
44286 return ret;
44287@@ -133,7 +133,7 @@ int vmw_fallback_wait(struct vmw_private *dev_priv,
44288
44289 if (fifo_idle)
44290 down_read(&fifo_state->rwsem);
44291- signal_seq = atomic_read(&dev_priv->marker_seq);
44292+ signal_seq = atomic_read_unchecked(&dev_priv->marker_seq);
44293 ret = 0;
44294
44295 for (;;) {
44296diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
44297index efd1ffd..0ae13ca 100644
44298--- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
44299+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
44300@@ -135,7 +135,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv,
44301 while (!vmw_lag_lt(queue, us)) {
44302 spin_lock(&queue->lock);
44303 if (list_empty(&queue->head))
44304- seqno = atomic_read(&dev_priv->marker_seq);
44305+ seqno = atomic_read_unchecked(&dev_priv->marker_seq);
44306 else {
44307 marker = list_first_entry(&queue->head,
44308 struct vmw_marker, head);
44309diff --git a/drivers/gpu/vga/vga_switcheroo.c b/drivers/gpu/vga/vga_switcheroo.c
44310index 37ac7b5..d52a5c9 100644
44311--- a/drivers/gpu/vga/vga_switcheroo.c
44312+++ b/drivers/gpu/vga/vga_switcheroo.c
44313@@ -644,7 +644,7 @@ static int vga_switcheroo_runtime_resume(struct device *dev)
44314
44315 /* this version is for the case where the power switch is separate
44316 to the device being powered down. */
44317-int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain)
44318+int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain)
44319 {
44320 /* copy over all the bus versions */
44321 if (dev->bus && dev->bus->pm) {
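Review bot: Changing the parameter to `dev_pm_domain_no_const *` alters the signature of a non-static function, so the prototype in its header and every caller have to change in the same patch. Neither is visible in this hunk or in the matching one for vga_switcheroo_init_domain_pm_optimus_hdmi_audio below. The body's own comment (`copy over all the bus versions`) suggests the function fills in `*domain` at run time, which would explain the writable typedef. Saying so above the function would save the next reader the lookup: `/* @domain is written here, so it must not live in read-only memory */`.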
44322@@ -695,7 +695,7 @@ static int vga_switcheroo_runtime_resume_hdmi_audio(struct device *dev)
44323 return ret;
44324 }
44325
44326-int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain)
44327+int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain)
44328 {
44329 /* copy over all the bus versions */
44330 if (dev->bus && dev->bus->pm) {
44331diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
44332index e6fce23..85949a0 100644
44333--- a/drivers/hid/hid-core.c
44334+++ b/drivers/hid/hid-core.c
44335@@ -2550,7 +2550,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
44336
44337 int hid_add_device(struct hid_device *hdev)
44338 {
44339- static atomic_t id = ATOMIC_INIT(0);
44340+ static atomic_unchecked_t id = ATOMIC_INIT(0);
44341 int ret;
44342
44343 if (WARN_ON(hdev->status & HID_STAT_ADDED))
44344@@ -2593,7 +2593,7 @@ int hid_add_device(struct hid_device *hdev)
44345 /* XXX hack, any other cleaner solution after the driver core
44346 * is converted to allow more than 20 bytes as the device name? */
44347 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
44348- hdev->vendor, hdev->product, atomic_inc_return(&id));
44349+ hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
44350
44351 hid_debug_register(hdev, dev_name(&hdev->dev));
44352 ret = device_add(&hdev->dev);
44353diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
44354index 5614fee..8a6f5f6 100644
44355--- a/drivers/hid/hid-sensor-custom.c
44356+++ b/drivers/hid/hid-sensor-custom.c
44357@@ -590,7 +590,7 @@ static int hid_sensor_custom_add_attributes(struct hid_sensor_custom
44358 j = 0;
44359 while (j < HID_CUSTOM_TOTAL_ATTRS &&
44360 hid_custom_attrs[j].name) {
44361- struct device_attribute *device_attr;
44362+ device_attribute_no_const *device_attr;
44363
44364 device_attr = &sensor_inst->fields[i].sd_attrs[j];
44365
44366diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
44367index c13fb5b..55a3802 100644
44368--- a/drivers/hid/hid-wiimote-debug.c
44369+++ b/drivers/hid/hid-wiimote-debug.c
44370@@ -66,7 +66,7 @@ static ssize_t wiidebug_eeprom_read(struct file *f, char __user *u, size_t s,
44371 else if (size == 0)
44372 return -EIO;
44373
44374- if (copy_to_user(u, buf, size))
44375+ if (size > sizeof(buf) || copy_to_user(u, buf, size))
44376 return -EFAULT;
44377
44378 *off += size;
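Review bot: An over-long `size` is reported as -EFAULT, which tells the caller its buffer pointer was bad when the real problem is a length the driver did not expect. The branch just above already returns -EIO for `size == 0`, so a separate check before the copy, `if (size > sizeof(buf))` followed by `return -EIO;`, would keep the two causes apart and leave `copy_to_user()` as the only source of -EFAULT. The declaration of `buf` and the assignment to `size` are outside the hunk, so whether the bound can actually be exceeded could not be confirmed from here. A one-line comment on the new check should say where the length comes from.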
44379diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
44380index 603ce97..7f27468 100644
44381--- a/drivers/hv/channel.c
44382+++ b/drivers/hv/channel.c
44383@@ -382,7 +382,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
44384 int ret = 0;
44385
44386 next_gpadl_handle =
44387- (atomic_inc_return(&vmbus_connection.next_gpadl_handle) - 1);
44388+ (atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1);
44389
44390 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
44391 if (ret)
44392diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
44393index d3943bc..597fd1e 100644
44394--- a/drivers/hv/hv.c
44395+++ b/drivers/hv/hv.c
44396@@ -118,7 +118,7 @@ static u64 do_hypercall(u64 control, void *input, void *output)
44397 u64 output_address = (output) ? virt_to_phys(output) : 0;
44398 u32 output_address_hi = output_address >> 32;
44399 u32 output_address_lo = output_address & 0xFFFFFFFF;
44400- void *hypercall_page = hv_context.hypercall_page;
44401+ void *hypercall_page = (void *)ktva_ktla((unsigned long)hv_context.hypercall_page);
44402
44403 __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
44404 "=a"(hv_status_lo) : "d" (control_hi),
44405@@ -164,7 +164,7 @@ int hv_init(void)
44406 /* See if the hypercall page is already set */
44407 rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
44408
44409- virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC);
44410+ virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_RX);
44411
44412 if (!virtaddr)
44413 goto cleanup;
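Review bot: The page is now mapped `PAGE_KERNEL_RX`, i.e. the guest can no longer store to it, and the hunk gives no reason why that is safe. Presumably the hypervisor fills the page once its address is written to `HV_X64_MSR_HYPERCALL` and the guest only ever calls into it. hv_init continues outside the hunk, so this should be confirmed there. A comment above the allocation would record it: `/* populated by the hypervisor; the guest only executes it, so no write permission */`. In the do_hypercall hunk above, `ktva_ktla()` likewise appears without a word on which address translation it performs.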
44414diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
44415index 8a725cd..91abaf0 100644
44416--- a/drivers/hv/hv_balloon.c
44417+++ b/drivers/hv/hv_balloon.c
44418@@ -469,7 +469,7 @@ MODULE_PARM_DESC(hot_add, "If set attempt memory hot_add");
44419
44420 module_param(pressure_report_delay, uint, (S_IRUGO | S_IWUSR));
44421 MODULE_PARM_DESC(pressure_report_delay, "Delay in secs in reporting pressure");
44422-static atomic_t trans_id = ATOMIC_INIT(0);
44423+static atomic_unchecked_t trans_id = ATOMIC_INIT(0);
44424
44425 static int dm_ring_size = (5 * PAGE_SIZE);
44426
44427@@ -943,7 +943,7 @@ static void hot_add_req(struct work_struct *dummy)
44428 pr_info("Memory hot add failed\n");
44429
44430 dm->state = DM_INITIALIZED;
44431- resp.hdr.trans_id = atomic_inc_return(&trans_id);
44432+ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44433 vmbus_sendpacket(dm->dev->channel, &resp,
44434 sizeof(struct dm_hot_add_response),
44435 (unsigned long)NULL,
44436@@ -1024,7 +1024,7 @@ static void post_status(struct hv_dynmem_device *dm)
44437 memset(&status, 0, sizeof(struct dm_status));
44438 status.hdr.type = DM_STATUS_REPORT;
44439 status.hdr.size = sizeof(struct dm_status);
44440- status.hdr.trans_id = atomic_inc_return(&trans_id);
44441+ status.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44442
44443 /*
44444 * The host expects the guest to report free and committed memory.
44445@@ -1048,7 +1048,7 @@ static void post_status(struct hv_dynmem_device *dm)
44446 * send the status. This can happen if we were interrupted
44447 * after we picked our transaction ID.
44448 */
44449- if (status.hdr.trans_id != atomic_read(&trans_id))
44450+ if (status.hdr.trans_id != atomic_read_unchecked(&trans_id))
44451 return;
44452
44453 /*
44454@@ -1193,7 +1193,7 @@ static void balloon_up(struct work_struct *dummy)
44455 */
44456
44457 do {
44458- bl_resp->hdr.trans_id = atomic_inc_return(&trans_id);
44459+ bl_resp->hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44460 ret = vmbus_sendpacket(dm_device.dev->channel,
44461 bl_resp,
44462 bl_resp->hdr.size,
44463@@ -1239,7 +1239,7 @@ static void balloon_down(struct hv_dynmem_device *dm,
44464
44465 memset(&resp, 0, sizeof(struct dm_unballoon_response));
44466 resp.hdr.type = DM_UNBALLOON_RESPONSE;
44467- resp.hdr.trans_id = atomic_inc_return(&trans_id);
44468+ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44469 resp.hdr.size = sizeof(struct dm_unballoon_response);
44470
44471 vmbus_sendpacket(dm_device.dev->channel, &resp,
44472@@ -1300,7 +1300,7 @@ static void version_resp(struct hv_dynmem_device *dm,
44473 memset(&version_req, 0, sizeof(struct dm_version_request));
44474 version_req.hdr.type = DM_VERSION_REQUEST;
44475 version_req.hdr.size = sizeof(struct dm_version_request);
44476- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
44477+ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44478 version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN7;
44479 version_req.is_last_attempt = 1;
44480
44481@@ -1473,7 +1473,7 @@ static int balloon_probe(struct hv_device *dev,
44482 memset(&version_req, 0, sizeof(struct dm_version_request));
44483 version_req.hdr.type = DM_VERSION_REQUEST;
44484 version_req.hdr.size = sizeof(struct dm_version_request);
44485- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
44486+ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44487 version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN8;
44488 version_req.is_last_attempt = 0;
44489
44490@@ -1504,7 +1504,7 @@ static int balloon_probe(struct hv_device *dev,
44491 memset(&cap_msg, 0, sizeof(struct dm_capabilities));
44492 cap_msg.hdr.type = DM_CAPABILITIES_REPORT;
44493 cap_msg.hdr.size = sizeof(struct dm_capabilities);
44494- cap_msg.hdr.trans_id = atomic_inc_return(&trans_id);
44495+ cap_msg.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44496
44497 cap_msg.caps.cap_bits.balloon = 1;
44498 cap_msg.caps.cap_bits.hot_add = 1;
44499diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
44500index cddc0c9..2eb587d 100644
44501--- a/drivers/hv/hyperv_vmbus.h
44502+++ b/drivers/hv/hyperv_vmbus.h
44503@@ -645,7 +645,7 @@ enum vmbus_connect_state {
44504 struct vmbus_connection {
44505 enum vmbus_connect_state conn_state;
44506
44507- atomic_t next_gpadl_handle;
44508+ atomic_unchecked_t next_gpadl_handle;
44509
44510 struct completion unload_event;
44511 /*
44512diff --git a/drivers/hwmon/acpi_power_meter.c b/drivers/hwmon/acpi_power_meter.c
44513index 579bdf9..0dac21d5 100644
44514--- a/drivers/hwmon/acpi_power_meter.c
44515+++ b/drivers/hwmon/acpi_power_meter.c
44516@@ -116,7 +116,7 @@ struct sensor_template {
44517 struct device_attribute *devattr,
44518 const char *buf, size_t count);
44519 int index;
44520-};
44521+} __do_const;
44522
44523 /* Averaging interval */
44524 static int update_avg_interval(struct acpi_power_meter_resource *resource)
44525@@ -631,7 +631,7 @@ static int register_attrs(struct acpi_power_meter_resource *resource,
44526 struct sensor_template *attrs)
44527 {
44528 struct device *dev = &resource->acpi_dev->dev;
44529- struct sensor_device_attribute *sensors =
44530+ sensor_device_attribute_no_const *sensors =
44531 &resource->sensors[resource->num_sensors];
44532 int res = 0;
44533
44534@@ -973,7 +973,7 @@ static int __init enable_cap_knobs(const struct dmi_system_id *d)
44535 return 0;
44536 }
44537
44538-static struct dmi_system_id __initdata pm_dmi_table[] = {
44539+static const struct dmi_system_id __initconst pm_dmi_table[] = {
44540 {
44541 enable_cap_knobs, "IBM Active Energy Manager",
44542 {
44543diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
44544index 0af63da..05a183a 100644
44545--- a/drivers/hwmon/applesmc.c
44546+++ b/drivers/hwmon/applesmc.c
44547@@ -1105,7 +1105,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
44548 {
44549 struct applesmc_node_group *grp;
44550 struct applesmc_dev_attr *node;
44551- struct attribute *attr;
44552+ attribute_no_const *attr;
44553 int ret, i;
44554
44555 for (grp = groups; grp->format; grp++) {
44556diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
44557index cccef87..06ce8ec 100644
44558--- a/drivers/hwmon/asus_atk0110.c
44559+++ b/drivers/hwmon/asus_atk0110.c
44560@@ -147,10 +147,10 @@ MODULE_DEVICE_TABLE(acpi, atk_ids);
44561 struct atk_sensor_data {
44562 struct list_head list;
44563 struct atk_data *data;
44564- struct device_attribute label_attr;
44565- struct device_attribute input_attr;
44566- struct device_attribute limit1_attr;
44567- struct device_attribute limit2_attr;
44568+ device_attribute_no_const label_attr;
44569+ device_attribute_no_const input_attr;
44570+ device_attribute_no_const limit1_attr;
44571+ device_attribute_no_const limit2_attr;
44572 char label_attr_name[ATTR_NAME_SIZE];
44573 char input_attr_name[ATTR_NAME_SIZE];
44574 char limit1_attr_name[ATTR_NAME_SIZE];
44575@@ -270,7 +270,7 @@ static ssize_t atk_name_show(struct device *dev,
44576 static struct device_attribute atk_name_attr =
44577 __ATTR(name, 0444, atk_name_show, NULL);
44578
44579-static void atk_init_attribute(struct device_attribute *attr, char *name,
44580+static void atk_init_attribute(device_attribute_no_const *attr, char *name,
44581 sysfs_show_func show)
44582 {
44583 sysfs_attr_init(&attr->attr);
44584diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
44585index 3e03379..ec521d3 100644
44586--- a/drivers/hwmon/coretemp.c
44587+++ b/drivers/hwmon/coretemp.c
44588@@ -783,7 +783,7 @@ static int coretemp_cpu_callback(struct notifier_block *nfb,
44589 return NOTIFY_OK;
44590 }
44591
44592-static struct notifier_block coretemp_cpu_notifier __refdata = {
44593+static struct notifier_block coretemp_cpu_notifier = {
44594 .notifier_call = coretemp_cpu_callback,
44595 };
44596
44597diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
44598index c848789..e9e9217 100644
44599--- a/drivers/hwmon/dell-smm-hwmon.c
44600+++ b/drivers/hwmon/dell-smm-hwmon.c
44601@@ -819,7 +819,7 @@ static const struct i8k_config_data i8k_config_data[] = {
44602 },
44603 };
44604
44605-static struct dmi_system_id i8k_dmi_table[] __initdata = {
44606+static const struct dmi_system_id i8k_dmi_table[] __initconst = {
44607 {
44608 .ident = "Dell Inspiron",
44609 .matches = {
44610diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c
44611index 7a8a6fb..015c1fd 100644
44612--- a/drivers/hwmon/ibmaem.c
44613+++ b/drivers/hwmon/ibmaem.c
44614@@ -924,7 +924,7 @@ static int aem_register_sensors(struct aem_data *data,
44615 struct aem_rw_sensor_template *rw)
44616 {
44617 struct device *dev = &data->pdev->dev;
44618- struct sensor_device_attribute *sensors = data->sensors;
44619+ sensor_device_attribute_no_const *sensors = data->sensors;
44620 int err;
44621
44622 /* Set up read-only sensors */
44623diff --git a/drivers/hwmon/iio_hwmon.c b/drivers/hwmon/iio_hwmon.c
44624index 17ae2eb..21b71dd 100644
44625--- a/drivers/hwmon/iio_hwmon.c
44626+++ b/drivers/hwmon/iio_hwmon.c
44627@@ -61,7 +61,7 @@ static int iio_hwmon_probe(struct platform_device *pdev)
44628 {
44629 struct device *dev = &pdev->dev;
44630 struct iio_hwmon_state *st;
44631- struct sensor_device_attribute *a;
44632+ sensor_device_attribute_no_const *a;
44633 int ret, i;
44634 int in_i = 1, temp_i = 1, curr_i = 1, humidity_i = 1;
44635 enum iio_chan_type type;
44636diff --git a/drivers/hwmon/nct6683.c b/drivers/hwmon/nct6683.c
44637index 37f0170..414ec2c 100644
44638--- a/drivers/hwmon/nct6683.c
44639+++ b/drivers/hwmon/nct6683.c
44640@@ -397,11 +397,11 @@ static struct attribute_group *
44641 nct6683_create_attr_group(struct device *dev, struct sensor_template_group *tg,
44642 int repeat)
44643 {
44644- struct sensor_device_attribute_2 *a2;
44645- struct sensor_device_attribute *a;
44646+ sensor_device_attribute_2_no_const *a2;
44647+ sensor_device_attribute_no_const *a;
44648 struct sensor_device_template **t;
44649 struct sensor_device_attr_u *su;
44650- struct attribute_group *group;
44651+ attribute_group_no_const *group;
44652 struct attribute **attrs;
44653 int i, j, count;
44654
44655diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
44656index bd1c99d..2fa55ad 100644
44657--- a/drivers/hwmon/nct6775.c
44658+++ b/drivers/hwmon/nct6775.c
44659@@ -953,10 +953,10 @@ static struct attribute_group *
44660 nct6775_create_attr_group(struct device *dev, struct sensor_template_group *tg,
44661 int repeat)
44662 {
44663- struct attribute_group *group;
44664+ attribute_group_no_const *group;
44665 struct sensor_device_attr_u *su;
44666- struct sensor_device_attribute *a;
44667- struct sensor_device_attribute_2 *a2;
44668+ sensor_device_attribute_no_const *a;
44669+ sensor_device_attribute_2_no_const *a2;
44670 struct attribute **attrs;
44671 struct sensor_device_template **t;
44672 int i, count;
44673diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
44674index f2e47c7..45d7941 100644
44675--- a/drivers/hwmon/pmbus/pmbus_core.c
44676+++ b/drivers/hwmon/pmbus/pmbus_core.c
44677@@ -816,7 +816,7 @@ static int pmbus_add_attribute(struct pmbus_data *data, struct attribute *attr)
44678 return 0;
44679 }
44680
44681-static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
44682+static void pmbus_dev_attr_init(device_attribute_no_const *dev_attr,
44683 const char *name,
44684 umode_t mode,
44685 ssize_t (*show)(struct device *dev,
44686@@ -833,7 +833,7 @@ static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
44687 dev_attr->store = store;
44688 }
44689
44690-static void pmbus_attr_init(struct sensor_device_attribute *a,
44691+static void pmbus_attr_init(sensor_device_attribute_no_const *a,
44692 const char *name,
44693 umode_t mode,
44694 ssize_t (*show)(struct device *dev,
44695@@ -855,7 +855,7 @@ static int pmbus_add_boolean(struct pmbus_data *data,
44696 u16 reg, u8 mask)
44697 {
44698 struct pmbus_boolean *boolean;
44699- struct sensor_device_attribute *a;
44700+ sensor_device_attribute_no_const *a;
44701
44702 boolean = devm_kzalloc(data->dev, sizeof(*boolean), GFP_KERNEL);
44703 if (!boolean)
44704@@ -880,7 +880,7 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data,
44705 bool update, bool readonly)
44706 {
44707 struct pmbus_sensor *sensor;
44708- struct device_attribute *a;
44709+ device_attribute_no_const *a;
44710
44711 sensor = devm_kzalloc(data->dev, sizeof(*sensor), GFP_KERNEL);
44712 if (!sensor)
44713@@ -911,7 +911,7 @@ static int pmbus_add_label(struct pmbus_data *data,
44714 const char *lstring, int index)
44715 {
44716 struct pmbus_label *label;
44717- struct device_attribute *a;
44718+ device_attribute_no_const *a;
44719
44720 label = devm_kzalloc(data->dev, sizeof(*label), GFP_KERNEL);
44721 if (!label)
44722diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
44723index 497a7f8..3fffedf 100644
44724--- a/drivers/hwmon/sht15.c
44725+++ b/drivers/hwmon/sht15.c
44726@@ -169,7 +169,7 @@ struct sht15_data {
44727 int supply_uv;
44728 bool supply_uv_valid;
44729 struct work_struct update_supply_work;
44730- atomic_t interrupt_handled;
44731+ atomic_unchecked_t interrupt_handled;
44732 };
44733
44734 /**
44735@@ -542,13 +542,13 @@ static int sht15_measurement(struct sht15_data *data,
44736 ret = gpio_direction_input(data->pdata->gpio_data);
44737 if (ret)
44738 return ret;
44739- atomic_set(&data->interrupt_handled, 0);
44740+ atomic_set_unchecked(&data->interrupt_handled, 0);
44741
44742 enable_irq(gpio_to_irq(data->pdata->gpio_data));
44743 if (gpio_get_value(data->pdata->gpio_data) == 0) {
44744 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
44745 /* Only relevant if the interrupt hasn't occurred. */
44746- if (!atomic_read(&data->interrupt_handled))
44747+ if (!atomic_read_unchecked(&data->interrupt_handled))
44748 schedule_work(&data->read_work);
44749 }
44750 ret = wait_event_timeout(data->wait_queue,
44751@@ -820,7 +820,7 @@ static irqreturn_t sht15_interrupt_fired(int irq, void *d)
44752
44753 /* First disable the interrupt */
44754 disable_irq_nosync(irq);
44755- atomic_inc(&data->interrupt_handled);
44756+ atomic_inc_unchecked(&data->interrupt_handled);
44757 /* Then schedule a reading work struct */
44758 if (data->state != SHT15_READING_NOTHING)
44759 schedule_work(&data->read_work);
44760@@ -842,11 +842,11 @@ static void sht15_bh_read_data(struct work_struct *work_s)
44761 * If not, then start the interrupt again - care here as could
44762 * have gone low in meantime so verify it hasn't!
44763 */
44764- atomic_set(&data->interrupt_handled, 0);
44765+ atomic_set_unchecked(&data->interrupt_handled, 0);
44766 enable_irq(gpio_to_irq(data->pdata->gpio_data));
44767 /* If still not occurred or another handler was scheduled */
44768 if (gpio_get_value(data->pdata->gpio_data)
44769- || atomic_read(&data->interrupt_handled))
44770+ || atomic_read_unchecked(&data->interrupt_handled))
44771 return;
44772 }
44773
44774diff --git a/drivers/hwmon/via-cputemp.c b/drivers/hwmon/via-cputemp.c
44775index ac91c07..8e69663 100644
44776--- a/drivers/hwmon/via-cputemp.c
44777+++ b/drivers/hwmon/via-cputemp.c
44778@@ -295,7 +295,7 @@ static int via_cputemp_cpu_callback(struct notifier_block *nfb,
44779 return NOTIFY_OK;
44780 }
44781
44782-static struct notifier_block via_cputemp_cpu_notifier __refdata = {
44783+static struct notifier_block via_cputemp_cpu_notifier = {
44784 .notifier_call = via_cputemp_cpu_callback,
44785 };
44786
44787diff --git a/drivers/i2c/busses/i2c-amd756-s4882.c b/drivers/i2c/busses/i2c-amd756-s4882.c
44788index 65e3240..e6c511d 100644
44789--- a/drivers/i2c/busses/i2c-amd756-s4882.c
44790+++ b/drivers/i2c/busses/i2c-amd756-s4882.c
44791@@ -39,7 +39,7 @@
44792 extern struct i2c_adapter amd756_smbus;
44793
44794 static struct i2c_adapter *s4882_adapter;
44795-static struct i2c_algorithm *s4882_algo;
44796+static i2c_algorithm_no_const *s4882_algo;
44797
44798 /* Wrapper access functions for multiplexed SMBus */
44799 static DEFINE_MUTEX(amd756_lock);
44800diff --git a/drivers/i2c/busses/i2c-nforce2-s4985.c b/drivers/i2c/busses/i2c-nforce2-s4985.c
44801index 88eda09..cf40434 100644
44802--- a/drivers/i2c/busses/i2c-nforce2-s4985.c
44803+++ b/drivers/i2c/busses/i2c-nforce2-s4985.c
44804@@ -37,7 +37,7 @@
44805 extern struct i2c_adapter *nforce2_smbus;
44806
44807 static struct i2c_adapter *s4985_adapter;
44808-static struct i2c_algorithm *s4985_algo;
44809+static i2c_algorithm_no_const *s4985_algo;
44810
44811 /* Wrapper access functions for multiplexed SMBus */
44812 static DEFINE_MUTEX(nforce2_lock);
44813diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
44814index 71c7a39..71dd3e0 100644
44815--- a/drivers/i2c/i2c-dev.c
44816+++ b/drivers/i2c/i2c-dev.c
44817@@ -272,7 +272,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client,
44818 break;
44819 }
44820
44821- data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
44822+ data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf;
44823 rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len);
44824 if (IS_ERR(rdwr_pa[i].buf)) {
44825 res = PTR_ERR(rdwr_pa[i].buf);
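Review bot: `__force_user` silences the address-space checker on the one line where `rdwr_pa[i].buf` is treated as a user pointer, and the very next line overwrites the same field with the kernel copy returned by `memdup_user()`. That dual use of `buf` is easy to misread and deserves a comment, e.g. `/* buf still holds the caller's user pointer here; memdup_user() below replaces it with a kernel copy */`. Within the hunk `rdwr_pa[i].len` reaches `memdup_user()` unchanged; the bound on it, if present, is in the part of the loop above the hunk.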
44826diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
44827index 64a6b82..a524354 100644
44828--- a/drivers/ide/ide-cd.c
44829+++ b/drivers/ide/ide-cd.c
44830@@ -768,7 +768,7 @@ static void cdrom_do_block_pc(ide_drive_t *drive, struct request *rq)
44831 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
44832 if ((unsigned long)buf & alignment
44833 || blk_rq_bytes(rq) & q->dma_pad_mask
44834- || object_is_on_stack(buf))
44835+ || object_starts_on_stack(buf))
44836 drive->dma = 0;
44837 }
44838 }
44839diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
44840index 56b9708..980b63b 100644
44841--- a/drivers/ide/ide-disk.c
44842+++ b/drivers/ide/ide-disk.c
44843@@ -178,7 +178,7 @@ static ide_startstop_t __ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44844 * 1073741822 == 549756 MB or 48bit addressing fake drive
44845 */
44846
44847-static ide_startstop_t ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44848+static ide_startstop_t __intentional_overflow(-1) ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44849 sector_t block)
44850 {
44851 ide_hwif_t *hwif = drive->hwif;
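Review bot: `__intentional_overflow(-1)` is added without saying which computation in ide_do_rw_disk is expected to overflow, so a reader cannot tell whether the exemption is still needed after a later change. A comment naming the expression would fix that; the body is outside the hunk, so the wording has to come from there. As a matter of layout, the attribute makes the signature line very long. Putting `static ide_startstop_t __intentional_overflow(-1)` on its own line and `ide_do_rw_disk(ide_drive_t *drive, struct request *rq,` on the next keeps it readable.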
44852diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
44853index 3524b0d..8c14520 100644
44854--- a/drivers/iio/industrialio-core.c
44855+++ b/drivers/iio/industrialio-core.c
44856@@ -576,7 +576,7 @@ static ssize_t iio_write_channel_info(struct device *dev,
44857 }
44858
44859 static
44860-int __iio_device_attr_init(struct device_attribute *dev_attr,
44861+int __iio_device_attr_init(device_attribute_no_const *dev_attr,
44862 const char *postfix,
44863 struct iio_chan_spec const *chan,
44864 ssize_t (*readfunc)(struct device *dev,
44865diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
44866index b13936d..65322b2 100644
44867--- a/drivers/iio/magnetometer/ak8975.c
44868+++ b/drivers/iio/magnetometer/ak8975.c
44869@@ -776,7 +776,7 @@ static int ak8975_probe(struct i2c_client *client,
44870 name = id->name;
44871 } else if (ACPI_HANDLE(&client->dev))
44872 name = ak8975_match_acpi_device(&client->dev, &chipset);
44873- else
44874+ if (!name)
44875 return -ENOSYS;
44876
44877 if (chipset >= AK_MAX_TYPE) {
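Review bot: The new `if (!name)` test is only sound if `name` is initialised to NULL at its declaration, which is outside this hunk. With the `else` gone, a client with neither an id nor an ACPI handle reaches the test with whatever `name` held at declaration, so confirm it reads `const char *name = NULL;`. The test also sits directly under an unbraced `else if` body, where it reads as part of the chain. Bracing that branch and leaving a blank line before `if (!name)` would make the control flow unambiguous. The change does, presumably by design, also catch a NULL result from `ak8975_match_acpi_device()` before `chipset` is examined.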
44878diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
44879index 3a972eb..4126183 100644
44880--- a/drivers/infiniband/core/cm.c
44881+++ b/drivers/infiniband/core/cm.c
44882@@ -115,7 +115,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS]
44883
44884 struct cm_counter_group {
44885 struct kobject obj;
44886- atomic_long_t counter[CM_ATTR_COUNT];
44887+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
44888 };
44889
44890 struct cm_counter_attribute {
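Review bot: `counter[]` becomes `atomic_long_unchecked_t` with no comment explaining why it is exempt from overflow detection. In the hunks of this file section the array is only incremented or added to in the handlers and printed by `cm_show_counter()`, so it looks like pure statistics where wraparound is harmless. A one-line comment on the field, e.g. `/* statistics only, may wrap; never used for object lifetime */`, would stop it being reused later for a lifetime decision. After this change every accessor must use the `_unchecked` variants, which the following hunks do for the call sites they show.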
44891@@ -1411,7 +1411,7 @@ static void cm_dup_req_handler(struct cm_work *work,
44892 struct ib_mad_send_buf *msg = NULL;
44893 int ret;
44894
44895- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44896+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44897 counter[CM_REQ_COUNTER]);
44898
44899 /* Quick state check to discard duplicate REQs. */
44900@@ -1798,7 +1798,7 @@ static void cm_dup_rep_handler(struct cm_work *work)
44901 if (!cm_id_priv)
44902 return;
44903
44904- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44905+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44906 counter[CM_REP_COUNTER]);
44907 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
44908 if (ret)
44909@@ -1965,7 +1965,7 @@ static int cm_rtu_handler(struct cm_work *work)
44910 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
44911 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
44912 spin_unlock_irq(&cm_id_priv->lock);
44913- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44914+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44915 counter[CM_RTU_COUNTER]);
44916 goto out;
44917 }
44918@@ -2148,7 +2148,7 @@ static int cm_dreq_handler(struct cm_work *work)
44919 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
44920 dreq_msg->local_comm_id);
44921 if (!cm_id_priv) {
44922- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44923+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44924 counter[CM_DREQ_COUNTER]);
44925 cm_issue_drep(work->port, work->mad_recv_wc);
44926 return -EINVAL;
44927@@ -2173,7 +2173,7 @@ static int cm_dreq_handler(struct cm_work *work)
44928 case IB_CM_MRA_REP_RCVD:
44929 break;
44930 case IB_CM_TIMEWAIT:
44931- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44932+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44933 counter[CM_DREQ_COUNTER]);
44934 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
44935 goto unlock;
44936@@ -2187,7 +2187,7 @@ static int cm_dreq_handler(struct cm_work *work)
44937 cm_free_msg(msg);
44938 goto deref;
44939 case IB_CM_DREQ_RCVD:
44940- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44941+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44942 counter[CM_DREQ_COUNTER]);
44943 goto unlock;
44944 default:
44945@@ -2554,7 +2554,7 @@ static int cm_mra_handler(struct cm_work *work)
44946 ib_modify_mad(cm_id_priv->av.port->mad_agent,
44947 cm_id_priv->msg, timeout)) {
44948 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
44949- atomic_long_inc(&work->port->
44950+ atomic_long_inc_unchecked(&work->port->
44951 counter_group[CM_RECV_DUPLICATES].
44952 counter[CM_MRA_COUNTER]);
44953 goto out;
44954@@ -2563,7 +2563,7 @@ static int cm_mra_handler(struct cm_work *work)
44955 break;
44956 case IB_CM_MRA_REQ_RCVD:
44957 case IB_CM_MRA_REP_RCVD:
44958- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44959+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44960 counter[CM_MRA_COUNTER]);
44961 /* fall through */
44962 default:
44963@@ -2725,7 +2725,7 @@ static int cm_lap_handler(struct cm_work *work)
44964 case IB_CM_LAP_IDLE:
44965 break;
44966 case IB_CM_MRA_LAP_SENT:
44967- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44968+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44969 counter[CM_LAP_COUNTER]);
44970 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
44971 goto unlock;
44972@@ -2741,7 +2741,7 @@ static int cm_lap_handler(struct cm_work *work)
44973 cm_free_msg(msg);
44974 goto deref;
44975 case IB_CM_LAP_RCVD:
44976- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44977+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44978 counter[CM_LAP_COUNTER]);
44979 goto unlock;
44980 default:
44981@@ -3025,7 +3025,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
44982 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
44983 if (cur_cm_id_priv) {
44984 spin_unlock_irq(&cm.lock);
44985- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44986+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44987 counter[CM_SIDR_REQ_COUNTER]);
44988 goto out; /* Duplicate message. */
44989 }
44990@@ -3237,10 +3237,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent,
44991 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
44992 msg->retries = 1;
44993
44994- atomic_long_add(1 + msg->retries,
44995+ atomic_long_add_unchecked(1 + msg->retries,
44996 &port->counter_group[CM_XMIT].counter[attr_index]);
44997 if (msg->retries)
44998- atomic_long_add(msg->retries,
44999+ atomic_long_add_unchecked(msg->retries,
45000 &port->counter_group[CM_XMIT_RETRIES].
45001 counter[attr_index]);
45002
45003@@ -3466,7 +3466,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent,
45004 }
45005
45006 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
45007- atomic_long_inc(&port->counter_group[CM_RECV].
45008+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
45009 counter[attr_id - CM_ATTR_ID_OFFSET]);
45010
45011 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
45012@@ -3709,7 +3709,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr,
45013 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
45014
45015 return sprintf(buf, "%ld\n",
45016- atomic_long_read(&group->counter[cm_attr->index]));
45017+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
45018 }
45019
45020 static const struct sysfs_ops cm_counter_ops = {
45021diff --git a/drivers/infiniband/core/fmr_pool.c b/drivers/infiniband/core/fmr_pool.c
45022index 9f5ad7c..588cd84 100644
45023--- a/drivers/infiniband/core/fmr_pool.c
45024+++ b/drivers/infiniband/core/fmr_pool.c
45025@@ -98,8 +98,8 @@ struct ib_fmr_pool {
45026
45027 struct task_struct *thread;
45028
45029- atomic_t req_ser;
45030- atomic_t flush_ser;
45031+ atomic_unchecked_t req_ser;
45032+ atomic_unchecked_t flush_ser;
45033
45034 wait_queue_head_t force_wait;
45035 };
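Review bot: `req_ser` and `flush_ser` are moved to `atomic_unchecked_t` without a comment, although the later hunks compare them by subtraction (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0`). That makes them serial numbers that are expected to wrap, which is presumably the reason for the type change. The struct should record it, e.g. `/* serial numbers compared by signed difference; wraparound is expected */` above the two fields. The comparison depends on signed wraparound being well-defined under the kernel's build flags; this patch does not change that, but it matters if the pattern is copied elsewhere.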
45036@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *pool_ptr)
45037 struct ib_fmr_pool *pool = pool_ptr;
45038
45039 do {
45040- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
45041+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
45042 ib_fmr_batch_release(pool);
45043
45044- atomic_inc(&pool->flush_ser);
45045+ atomic_inc_unchecked(&pool->flush_ser);
45046 wake_up_interruptible(&pool->force_wait);
45047
45048 if (pool->flush_function)
45049@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *pool_ptr)
45050 }
45051
45052 set_current_state(TASK_INTERRUPTIBLE);
45053- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
45054+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
45055 !kthread_should_stop())
45056 schedule();
45057 __set_current_state(TASK_RUNNING);
45058@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(struct ib_pd *pd,
45059 pool->dirty_watermark = params->dirty_watermark;
45060 pool->dirty_len = 0;
45061 spin_lock_init(&pool->pool_lock);
45062- atomic_set(&pool->req_ser, 0);
45063- atomic_set(&pool->flush_ser, 0);
45064+ atomic_set_unchecked(&pool->req_ser, 0);
45065+ atomic_set_unchecked(&pool->flush_ser, 0);
45066 init_waitqueue_head(&pool->force_wait);
45067
45068 pool->thread = kthread_run(ib_fmr_cleanup_thread,
45069@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool *pool)
45070 }
45071 spin_unlock_irq(&pool->pool_lock);
45072
45073- serial = atomic_inc_return(&pool->req_ser);
45074+ serial = atomic_inc_return_unchecked(&pool->req_ser);
45075 wake_up_process(pool->thread);
45076
45077 if (wait_event_interruptible(pool->force_wait,
45078- atomic_read(&pool->flush_ser) - serial >= 0))
45079+ atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
45080 return -EINTR;
45081
45082 return 0;
45083@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr *fmr)
45084 } else {
45085 list_add_tail(&fmr->list, &pool->dirty_list);
45086 if (++pool->dirty_len >= pool->dirty_watermark) {
45087- atomic_inc(&pool->req_ser);
45088+ atomic_inc_unchecked(&pool->req_ser);
45089 wake_up_process(pool->thread);
45090 }
45091 }
45092diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
45093index a6ca83b..bd3a726 100644
45094--- a/drivers/infiniband/core/uverbs_cmd.c
45095+++ b/drivers/infiniband/core/uverbs_cmd.c
45096@@ -951,6 +951,9 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
45097 if (copy_from_user(&cmd, buf, sizeof cmd))
45098 return -EFAULT;
45099
45100+ if (!access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length))
45101+ return -EFAULT;
45102+
45103 INIT_UDATA(&udata, buf + sizeof cmd,
45104 (unsigned long) cmd.response + sizeof resp,
45105 in_len - sizeof cmd, out_len - sizeof resp);
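Review bot: The added `access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length)` checks a range taken directly from the user-supplied command, and two aspects of it cannot be confirmed from this hunk. If `cmd.start` and `cmd.length` are 64-bit fields, as uverbs ABI structures usually are, a 32-bit kernel may check truncated values unless the macro rejects them. An explicit guard before the call would be safer, e.g. `if (cmd.start != (unsigned long)cmd.start || cmd.length != (unsigned long)cmd.length) return -EINVAL;`. The check also always passes `VERIFY_READ`, although a region can be registered for write access; where the architecture distinguishes the two, the type should follow `cmd.access_flags`. `ib_uverbs_reg_mr` continues outside the hunk, so later validation may already cover part of this.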
45106diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
45107index cff815b..75576dd 100644
45108--- a/drivers/infiniband/hw/cxgb4/mem.c
45109+++ b/drivers/infiniband/hw/cxgb4/mem.c
45110@@ -256,7 +256,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry,
45111 int err;
45112 struct fw_ri_tpte tpt;
45113 u32 stag_idx;
45114- static atomic_t key;
45115+ static atomic_unchecked_t key;
45116
45117 if (c4iw_fatal_error(rdev))
45118 return -EIO;
45119@@ -277,7 +277,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry,
45120 if (rdev->stats.stag.cur > rdev->stats.stag.max)
45121 rdev->stats.stag.max = rdev->stats.stag.cur;
45122 mutex_unlock(&rdev->stats.lock);
45123- *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
45124+ *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
45125 }
45126 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
45127 __func__, stag_state, type, pdid, stag_idx);
45128diff --git a/drivers/infiniband/hw/ipath/ipath_rc.c b/drivers/infiniband/hw/ipath/ipath_rc.c
45129index 79b3dbc..96e5fcc 100644
45130--- a/drivers/infiniband/hw/ipath/ipath_rc.c
45131+++ b/drivers/infiniband/hw/ipath/ipath_rc.c
45132@@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr,
45133 struct ib_atomic_eth *ateth;
45134 struct ipath_ack_entry *e;
45135 u64 vaddr;
45136- atomic64_t *maddr;
45137+ atomic64_unchecked_t *maddr;
45138 u64 sdata;
45139 u32 rkey;
45140 u8 next;
45141@@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr,
45142 IB_ACCESS_REMOTE_ATOMIC)))
45143 goto nack_acc_unlck;
45144 /* Perform atomic OP and save result. */
45145- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
45146+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
45147 sdata = be64_to_cpu(ateth->swap_data);
45148 e = &qp->s_ack_queue[qp->r_head_ack_queue];
45149 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
45150- (u64) atomic64_add_return(sdata, maddr) - sdata :
45151+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
45152 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
45153 be64_to_cpu(ateth->compare_data),
45154 sdata);
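Review bot: The cast to `atomic64_unchecked_t *` has no comment explaining why this add must be exempt from overflow detection. It is applied to memory at `qp->r_sge.sge.vaddr`, and the addend `sdata` comes from the received packet (`ateth->swap_data`), so the add has to wrap modulo 2^64. Extending the existing comment would make the choice reviewable, e.g. `/* Perform atomic OP and save result; operand is remote-supplied and FETCH_ADD wraps by design, hence _unchecked. */`. The identical change in ipath_ruc.c (`ipath_ruc_loopback`) deserves the same comment. Both functions start and end outside their hunks.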
45155diff --git a/drivers/infiniband/hw/ipath/ipath_ruc.c b/drivers/infiniband/hw/ipath/ipath_ruc.c
45156index 1f95bba..9530f87 100644
45157--- a/drivers/infiniband/hw/ipath/ipath_ruc.c
45158+++ b/drivers/infiniband/hw/ipath/ipath_ruc.c
45159@@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ipath_qp *sqp)
45160 unsigned long flags;
45161 struct ib_wc wc;
45162 u64 sdata;
45163- atomic64_t *maddr;
45164+ atomic64_unchecked_t *maddr;
45165 enum ib_wc_status send_status;
45166
45167 /*
45168@@ -382,11 +382,11 @@ again:
45169 IB_ACCESS_REMOTE_ATOMIC)))
45170 goto acc_err;
45171 /* Perform atomic OP and save result. */
45172- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
45173+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
45174 sdata = wqe->wr.wr.atomic.compare_add;
45175 *(u64 *) sqp->s_sge.sge.vaddr =
45176 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
45177- (u64) atomic64_add_return(sdata, maddr) - sdata :
45178+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
45179 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
45180 sdata, wqe->wr.wr.atomic.swap);
45181 goto send_comp;
45182diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
45183index 68b3dfa..3e0c511 100644
45184--- a/drivers/infiniband/hw/mlx4/mad.c
45185+++ b/drivers/infiniband/hw/mlx4/mad.c
45186@@ -98,7 +98,7 @@ __be64 mlx4_ib_gen_node_guid(void)
45187
45188 __be64 mlx4_ib_get_new_demux_tid(struct mlx4_ib_demux_ctx *ctx)
45189 {
45190- return cpu_to_be64(atomic_inc_return(&ctx->tid)) |
45191+ return cpu_to_be64(atomic_inc_return_unchecked(&ctx->tid)) |
45192 cpu_to_be64(0xff00000000000000LL);
45193 }
45194
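Review bot: `atomic_inc_return_unchecked(&ctx->tid)` is passed to `cpu_to_be64()` without a cast, and it returns a signed 32-bit value that is now explicitly allowed to wrap. Once the counter goes negative, the implicit widening sign-extends and sets all of the upper 32 bits, not only the `0xff` prefix byte ORed in on the next line. If the transaction id is meant to occupy the low 32 bits, cast before widening: `return cpu_to_be64((u32)atomic_inc_return_unchecked(&ctx->tid)) |`. The conversion itself predates this patch.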
45195diff --git a/drivers/infiniband/hw/mlx4/mcg.c b/drivers/infiniband/hw/mlx4/mcg.c
45196index a0559a8..86a2320 100644
45197--- a/drivers/infiniband/hw/mlx4/mcg.c
45198+++ b/drivers/infiniband/hw/mlx4/mcg.c
45199@@ -1042,7 +1042,7 @@ int mlx4_ib_mcg_port_init(struct mlx4_ib_demux_ctx *ctx)
45200 {
45201 char name[20];
45202
45203- atomic_set(&ctx->tid, 0);
45204+ atomic_set_unchecked(&ctx->tid, 0);
45205 sprintf(name, "mlx4_ib_mcg%d", ctx->port);
45206 ctx->mcg_wq = create_singlethread_workqueue(name);
45207 if (!ctx->mcg_wq)
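Review bot: In the context lines of this hunk, `sprintf(name, "mlx4_ib_mcg%d", ctx->port)` writes into `char name[20]` with no bound. The prefix is 11 characters, so a port value that prints as more than 8 characters would overrun the buffer. Port numbers are presumably small, but the bound costs nothing: `snprintf(name, sizeof(name), "mlx4_ib_mcg%d", ctx->port);`. The patch's own change here, `atomic_set_unchecked(&ctx->tid, 0)`, matches the type change in mlx4_ib.h.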
45208diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h
45209index 334387f..e640d74 100644
45210--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
45211+++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
45212@@ -436,7 +436,7 @@ struct mlx4_ib_demux_ctx {
45213 struct list_head mcg_mgid0_list;
45214 struct workqueue_struct *mcg_wq;
45215 struct mlx4_ib_demux_pv_ctx **tun;
45216- atomic_t tid;
45217+ atomic_unchecked_t tid;
45218 int flushing; /* flushing the work queue */
45219 };
45220
45221diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
45222index c7f49bb..6a021bb 100644
45223--- a/drivers/infiniband/hw/mthca/mthca_cmd.c
45224+++ b/drivers/infiniband/hw/mthca/mthca_cmd.c
45225@@ -772,7 +772,7 @@ static void mthca_setup_cmd_doorbells(struct mthca_dev *dev, u64 base)
45226 mthca_dbg(dev, "Mapped doorbell page for posting FW commands\n");
45227 }
45228
45229-int mthca_QUERY_FW(struct mthca_dev *dev)
45230+int __intentional_overflow(-1) mthca_QUERY_FW(struct mthca_dev *dev)
45231 {
45232 struct mthca_mailbox *mailbox;
45233 u32 *outbox;
45234@@ -1612,7 +1612,7 @@ int mthca_HW2SW_MPT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45235 CMD_TIME_CLASS_B);
45236 }
45237
45238-int mthca_WRITE_MTT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45239+int __intentional_overflow(-1) mthca_WRITE_MTT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45240 int num_mtt)
45241 {
45242 return mthca_cmd(dev, mailbox->dma, num_mtt, 0, CMD_WRITE_MTT,
45243@@ -1634,7 +1634,7 @@ int mthca_MAP_EQ(struct mthca_dev *dev, u64 event_mask, int unmap,
45244 0, CMD_MAP_EQ, CMD_TIME_CLASS_B);
45245 }
45246
45247-int mthca_SW2HW_EQ(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45248+int __intentional_overflow(-1) mthca_SW2HW_EQ(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45249 int eq_num)
45250 {
45251 return mthca_cmd(dev, mailbox->dma, eq_num, 0, CMD_SW2HW_EQ,
45252@@ -1857,7 +1857,7 @@ int mthca_CONF_SPECIAL_QP(struct mthca_dev *dev, int type, u32 qpn)
45253 CMD_TIME_CLASS_B);
45254 }
45255
45256-int mthca_MAD_IFC(struct mthca_dev *dev, int ignore_mkey, int ignore_bkey,
45257+int __intentional_overflow(-1) mthca_MAD_IFC(struct mthca_dev *dev, int ignore_mkey, int ignore_bkey,
45258 int port, const struct ib_wc *in_wc, const struct ib_grh *in_grh,
45259 const void *in_mad, void *response_mad)
45260 {
45261diff --git a/drivers/infiniband/hw/mthca/mthca_main.c b/drivers/infiniband/hw/mthca/mthca_main.c
45262index ded76c1..0cf0a08 100644
45263--- a/drivers/infiniband/hw/mthca/mthca_main.c
45264+++ b/drivers/infiniband/hw/mthca/mthca_main.c
45265@@ -692,7 +692,7 @@ err_close:
45266 return err;
45267 }
45268
45269-static int mthca_setup_hca(struct mthca_dev *dev)
45270+static int __intentional_overflow(-1) mthca_setup_hca(struct mthca_dev *dev)
45271 {
45272 int err;
45273
45274diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c
45275index ed9a989..6aa5dc2 100644
45276--- a/drivers/infiniband/hw/mthca/mthca_mr.c
45277+++ b/drivers/infiniband/hw/mthca/mthca_mr.c
45278@@ -81,7 +81,7 @@ struct mthca_mpt_entry {
45279 * through the bitmaps)
45280 */
45281
45282-static u32 mthca_buddy_alloc(struct mthca_buddy *buddy, int order)
45283+static u32 __intentional_overflow(-1) mthca_buddy_alloc(struct mthca_buddy *buddy, int order)
45284 {
45285 int o;
45286 int m;
45287@@ -426,7 +426,7 @@ static inline u32 adjust_key(struct mthca_dev *dev, u32 key)
45288 return key;
45289 }
45290
45291-int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
45292+int __intentional_overflow(-1) mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
45293 u64 iova, u64 total_size, u32 access, struct mthca_mr *mr)
45294 {
45295 struct mthca_mailbox *mailbox;
45296@@ -516,7 +516,7 @@ int mthca_mr_alloc_notrans(struct mthca_dev *dev, u32 pd,
45297 return mthca_mr_alloc(dev, pd, 12, 0, ~0ULL, access, mr);
45298 }
45299
45300-int mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
45301+int __intentional_overflow(-1) mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
45302 u64 *buffer_list, int buffer_size_shift,
45303 int list_len, u64 iova, u64 total_size,
45304 u32 access, struct mthca_mr *mr)
45305diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c
45306index 93ae51d..84c4a44 100644
45307--- a/drivers/infiniband/hw/mthca/mthca_provider.c
45308+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
45309@@ -771,7 +771,7 @@ unlock:
45310 return 0;
45311 }
45312
45313-static int mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata)
45314+static int __intentional_overflow(-1) mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata)
45315 {
45316 struct mthca_dev *dev = to_mdev(ibcq->device);
45317 struct mthca_cq *cq = to_mcq(ibcq);
45318diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c
45319index 9f9d5c5..3c19aac 100644
45320--- a/drivers/infiniband/hw/nes/nes.c
45321+++ b/drivers/infiniband/hw/nes/nes.c
45322@@ -97,7 +97,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limit max read request size to 256 Bytes");
45323 LIST_HEAD(nes_adapter_list);
45324 static LIST_HEAD(nes_dev_list);
45325
45326-atomic_t qps_destroyed;
45327+atomic_unchecked_t qps_destroyed;
45328
45329 static unsigned int ee_flsh_adapter;
45330 static unsigned int sysfs_nonidx_addr;
45331@@ -279,7 +279,7 @@ static void nes_cqp_rem_ref_callback(struct nes_device *nesdev, struct nes_cqp_r
45332 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
45333 struct nes_adapter *nesadapter = nesdev->nesadapter;
45334
45335- atomic_inc(&qps_destroyed);
45336+ atomic_inc_unchecked(&qps_destroyed);
45337
45338 /* Free the control structures */
45339
45340diff --git a/drivers/infiniband/hw/nes/nes.h b/drivers/infiniband/hw/nes/nes.h
45341index bd9d132..70d84f4 100644
45342--- a/drivers/infiniband/hw/nes/nes.h
45343+++ b/drivers/infiniband/hw/nes/nes.h
45344@@ -180,17 +180,17 @@ extern unsigned int nes_debug_level;
45345 extern unsigned int wqm_quanta;
45346 extern struct list_head nes_adapter_list;
45347
45348-extern atomic_t cm_connects;
45349-extern atomic_t cm_accepts;
45350-extern atomic_t cm_disconnects;
45351-extern atomic_t cm_closes;
45352-extern atomic_t cm_connecteds;
45353-extern atomic_t cm_connect_reqs;
45354-extern atomic_t cm_rejects;
45355-extern atomic_t mod_qp_timouts;
45356-extern atomic_t qps_created;
45357-extern atomic_t qps_destroyed;
45358-extern atomic_t sw_qps_destroyed;
45359+extern atomic_unchecked_t cm_connects;
45360+extern atomic_unchecked_t cm_accepts;
45361+extern atomic_unchecked_t cm_disconnects;
45362+extern atomic_unchecked_t cm_closes;
45363+extern atomic_unchecked_t cm_connecteds;
45364+extern atomic_unchecked_t cm_connect_reqs;
45365+extern atomic_unchecked_t cm_rejects;
45366+extern atomic_unchecked_t mod_qp_timouts;
45367+extern atomic_unchecked_t qps_created;
45368+extern atomic_unchecked_t qps_destroyed;
45369+extern atomic_unchecked_t sw_qps_destroyed;
45370 extern u32 mh_detected;
45371 extern u32 mh_pauses_sent;
45372 extern u32 cm_packets_sent;
45373@@ -199,16 +199,16 @@ extern u32 cm_packets_created;
45374 extern u32 cm_packets_received;
45375 extern u32 cm_packets_dropped;
45376 extern u32 cm_packets_retrans;
45377-extern atomic_t cm_listens_created;
45378-extern atomic_t cm_listens_destroyed;
45379+extern atomic_unchecked_t cm_listens_created;
45380+extern atomic_unchecked_t cm_listens_destroyed;
45381 extern u32 cm_backlog_drops;
45382-extern atomic_t cm_loopbacks;
45383-extern atomic_t cm_nodes_created;
45384-extern atomic_t cm_nodes_destroyed;
45385-extern atomic_t cm_accel_dropped_pkts;
45386-extern atomic_t cm_resets_recvd;
45387-extern atomic_t pau_qps_created;
45388-extern atomic_t pau_qps_destroyed;
45389+extern atomic_unchecked_t cm_loopbacks;
45390+extern atomic_unchecked_t cm_nodes_created;
45391+extern atomic_unchecked_t cm_nodes_destroyed;
45392+extern atomic_unchecked_t cm_accel_dropped_pkts;
45393+extern atomic_unchecked_t cm_resets_recvd;
45394+extern atomic_unchecked_t pau_qps_created;
45395+extern atomic_unchecked_t pau_qps_destroyed;
45396
45397 extern u32 int_mod_timer_init;
45398 extern u32 int_mod_cq_depth_256;
45399diff --git a/drivers/infiniband/hw/nes/nes_cm.c b/drivers/infiniband/hw/nes/nes_cm.c
45400index 8a3ad17..e1ed4bc 100644
45401--- a/drivers/infiniband/hw/nes/nes_cm.c
45402+++ b/drivers/infiniband/hw/nes/nes_cm.c
45403@@ -69,14 +69,14 @@ u32 cm_packets_dropped;
45404 u32 cm_packets_retrans;
45405 u32 cm_packets_created;
45406 u32 cm_packets_received;
45407-atomic_t cm_listens_created;
45408-atomic_t cm_listens_destroyed;
45409+atomic_unchecked_t cm_listens_created;
45410+atomic_unchecked_t cm_listens_destroyed;
45411 u32 cm_backlog_drops;
45412-atomic_t cm_loopbacks;
45413-atomic_t cm_nodes_created;
45414-atomic_t cm_nodes_destroyed;
45415-atomic_t cm_accel_dropped_pkts;
45416-atomic_t cm_resets_recvd;
45417+atomic_unchecked_t cm_loopbacks;
45418+atomic_unchecked_t cm_nodes_created;
45419+atomic_unchecked_t cm_nodes_destroyed;
45420+atomic_unchecked_t cm_accel_dropped_pkts;
45421+atomic_unchecked_t cm_resets_recvd;
45422
45423 static inline int mini_cm_accelerated(struct nes_cm_core *, struct nes_cm_node *);
45424 static struct nes_cm_listener *mini_cm_listen(struct nes_cm_core *, struct nes_vnic *, struct nes_cm_info *);
45425@@ -135,28 +135,28 @@ static void record_ird_ord(struct nes_cm_node *, u16, u16);
45426 /* instance of function pointers for client API */
45427 /* set address of this instance to cm_core->cm_ops at cm_core alloc */
45428 static struct nes_cm_ops nes_cm_api = {
45429- mini_cm_accelerated,
45430- mini_cm_listen,
45431- mini_cm_del_listen,
45432- mini_cm_connect,
45433- mini_cm_close,
45434- mini_cm_accept,
45435- mini_cm_reject,
45436- mini_cm_recv_pkt,
45437- mini_cm_dealloc_core,
45438- mini_cm_get,
45439- mini_cm_set
45440+ .accelerated = mini_cm_accelerated,
45441+ .listen = mini_cm_listen,
45442+ .stop_listener = mini_cm_del_listen,
45443+ .connect = mini_cm_connect,
45444+ .close = mini_cm_close,
45445+ .accept = mini_cm_accept,
45446+ .reject = mini_cm_reject,
45447+ .recv_pkt = mini_cm_recv_pkt,
45448+ .destroy_cm_core = mini_cm_dealloc_core,
45449+ .get = mini_cm_get,
45450+ .set = mini_cm_set
45451 };
45452
45453 static struct nes_cm_core *g_cm_core;
45454
45455-atomic_t cm_connects;
45456-atomic_t cm_accepts;
45457-atomic_t cm_disconnects;
45458-atomic_t cm_closes;
45459-atomic_t cm_connecteds;
45460-atomic_t cm_connect_reqs;
45461-atomic_t cm_rejects;
45462+atomic_unchecked_t cm_connects;
45463+atomic_unchecked_t cm_accepts;
45464+atomic_unchecked_t cm_disconnects;
45465+atomic_unchecked_t cm_closes;
45466+atomic_unchecked_t cm_connecteds;
45467+atomic_unchecked_t cm_connect_reqs;
45468+atomic_unchecked_t cm_rejects;
45469
45470 int nes_add_ref_cm_node(struct nes_cm_node *cm_node)
45471 {
45472@@ -1461,7 +1461,7 @@ static int mini_cm_dec_refcnt_listen(struct nes_cm_core *cm_core,
45473 kfree(listener);
45474 listener = NULL;
45475 ret = 0;
45476- atomic_inc(&cm_listens_destroyed);
45477+ atomic_inc_unchecked(&cm_listens_destroyed);
45478 } else {
45479 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
45480 }
45481@@ -1670,7 +1670,7 @@ static struct nes_cm_node *make_cm_node(struct nes_cm_core *cm_core,
45482 cm_node->rem_mac);
45483
45484 add_hte_node(cm_core, cm_node);
45485- atomic_inc(&cm_nodes_created);
45486+ atomic_inc_unchecked(&cm_nodes_created);
45487
45488 return cm_node;
45489 }
45490@@ -1731,7 +1731,7 @@ static int rem_ref_cm_node(struct nes_cm_core *cm_core,
45491 }
45492
45493 atomic_dec(&cm_core->node_cnt);
45494- atomic_inc(&cm_nodes_destroyed);
45495+ atomic_inc_unchecked(&cm_nodes_destroyed);
45496 nesqp = cm_node->nesqp;
45497 if (nesqp) {
45498 nesqp->cm_node = NULL;
45499@@ -1795,7 +1795,7 @@ static int process_options(struct nes_cm_node *cm_node, u8 *optionsloc,
45500
45501 static void drop_packet(struct sk_buff *skb)
45502 {
45503- atomic_inc(&cm_accel_dropped_pkts);
45504+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
45505 dev_kfree_skb_any(skb);
45506 }
45507
45508@@ -1858,7 +1858,7 @@ static void handle_rst_pkt(struct nes_cm_node *cm_node, struct sk_buff *skb,
45509 {
45510
45511 int reset = 0; /* whether to send reset in case of err.. */
45512- atomic_inc(&cm_resets_recvd);
45513+ atomic_inc_unchecked(&cm_resets_recvd);
45514 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
45515 " refcnt=%d\n", cm_node, cm_node->state,
45516 atomic_read(&cm_node->ref_count));
45517@@ -2526,7 +2526,7 @@ static struct nes_cm_node *mini_cm_connect(struct nes_cm_core *cm_core,
45518 rem_ref_cm_node(cm_node->cm_core, cm_node);
45519 return NULL;
45520 }
45521- atomic_inc(&cm_loopbacks);
45522+ atomic_inc_unchecked(&cm_loopbacks);
45523 loopbackremotenode->loopbackpartner = cm_node;
45524 loopbackremotenode->tcp_cntxt.rcv_wscale =
45525 NES_CM_DEFAULT_RCV_WND_SCALE;
45526@@ -2807,7 +2807,7 @@ static int mini_cm_recv_pkt(struct nes_cm_core *cm_core,
45527 nes_queue_mgt_skbs(skb, nesvnic, cm_node->nesqp);
45528 else {
45529 rem_ref_cm_node(cm_core, cm_node);
45530- atomic_inc(&cm_accel_dropped_pkts);
45531+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
45532 dev_kfree_skb_any(skb);
45533 }
45534 break;
45535@@ -3118,7 +3118,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp)
45536
45537 if ((cm_id) && (cm_id->event_handler)) {
45538 if (issue_disconn) {
45539- atomic_inc(&cm_disconnects);
45540+ atomic_inc_unchecked(&cm_disconnects);
45541 cm_event.event = IW_CM_EVENT_DISCONNECT;
45542 cm_event.status = disconn_status;
45543 cm_event.local_addr = cm_id->local_addr;
45544@@ -3140,7 +3140,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp)
45545 }
45546
45547 if (issue_close) {
45548- atomic_inc(&cm_closes);
45549+ atomic_inc_unchecked(&cm_closes);
45550 nes_disconnect(nesqp, 1);
45551
45552 cm_id->provider_data = nesqp;
45553@@ -3278,7 +3278,7 @@ int nes_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
45554
45555 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
45556 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
45557- atomic_inc(&cm_accepts);
45558+ atomic_inc_unchecked(&cm_accepts);
45559
45560 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
45561 netdev_refcnt_read(nesvnic->netdev));
45562@@ -3476,7 +3476,7 @@ int nes_reject(struct iw_cm_id *cm_id, const void *pdata, u8 pdata_len)
45563 struct nes_cm_core *cm_core;
45564 u8 *start_buff;
45565
45566- atomic_inc(&cm_rejects);
45567+ atomic_inc_unchecked(&cm_rejects);
45568 cm_node = (struct nes_cm_node *)cm_id->provider_data;
45569 loopback = cm_node->loopbackpartner;
45570 cm_core = cm_node->cm_core;
45571@@ -3541,7 +3541,7 @@ int nes_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
45572 ntohs(raddr->sin_port), ntohl(laddr->sin_addr.s_addr),
45573 ntohs(laddr->sin_port));
45574
45575- atomic_inc(&cm_connects);
45576+ atomic_inc_unchecked(&cm_connects);
45577 nesqp->active_conn = 1;
45578
45579 /* cache the cm_id in the qp */
45580@@ -3688,7 +3688,7 @@ int nes_create_listen(struct iw_cm_id *cm_id, int backlog)
45581 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
45582 return err;
45583 }
45584- atomic_inc(&cm_listens_created);
45585+ atomic_inc_unchecked(&cm_listens_created);
45586 }
45587
45588 cm_id->add_ref(cm_id);
45589@@ -3795,7 +3795,7 @@ static void cm_event_connected(struct nes_cm_event *event)
45590
45591 if (nesqp->destroyed)
45592 return;
45593- atomic_inc(&cm_connecteds);
45594+ atomic_inc_unchecked(&cm_connecteds);
45595 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
45596 " local port 0x%04X. jiffies = %lu.\n",
45597 nesqp->hwqp.qp_id, ntohl(raddr->sin_addr.s_addr),
45598@@ -3980,7 +3980,7 @@ static void cm_event_reset(struct nes_cm_event *event)
45599
45600 cm_id->add_ref(cm_id);
45601 ret = cm_id->event_handler(cm_id, &cm_event);
45602- atomic_inc(&cm_closes);
45603+ atomic_inc_unchecked(&cm_closes);
45604 cm_event.event = IW_CM_EVENT_CLOSE;
45605 cm_event.status = 0;
45606 cm_event.provider_data = cm_id->provider_data;
45607@@ -4020,7 +4020,7 @@ static void cm_event_mpa_req(struct nes_cm_event *event)
45608 return;
45609 cm_id = cm_node->cm_id;
45610
45611- atomic_inc(&cm_connect_reqs);
45612+ atomic_inc_unchecked(&cm_connect_reqs);
45613 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
45614 cm_node, cm_id, jiffies);
45615
45616@@ -4069,7 +4069,7 @@ static void cm_event_mpa_reject(struct nes_cm_event *event)
45617 return;
45618 cm_id = cm_node->cm_id;
45619
45620- atomic_inc(&cm_connect_reqs);
45621+ atomic_inc_unchecked(&cm_connect_reqs);
45622 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
45623 cm_node, cm_id, jiffies);
45624
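Review bot: `cm_event_mpa_reject()` increments `cm_connect_reqs`, the same counter that `cm_event_mpa_req()` increments in the previous hunk, so a reject event is counted as a connect request in the exported statistics. If that is unintended, the line should probably be `atomic_inc_unchecked(&cm_rejects);`, using the counter declared earlier in this file section. If it is deliberate, a comment such as `/* remote rejects are accounted with connect requests */` would say so. The patch carries the line over unchanged apart from the `_unchecked` suffix, and the function starts and ends outside the hunk.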
45625diff --git a/drivers/infiniband/hw/nes/nes_mgt.c b/drivers/infiniband/hw/nes/nes_mgt.c
45626index 4166452..fc952c3 100644
45627--- a/drivers/infiniband/hw/nes/nes_mgt.c
45628+++ b/drivers/infiniband/hw/nes/nes_mgt.c
45629@@ -40,8 +40,8 @@
45630 #include "nes.h"
45631 #include "nes_mgt.h"
45632
45633-atomic_t pau_qps_created;
45634-atomic_t pau_qps_destroyed;
45635+atomic_unchecked_t pau_qps_created;
45636+atomic_unchecked_t pau_qps_destroyed;
45637
45638 static void nes_replenish_mgt_rq(struct nes_vnic_mgt *mgtvnic)
45639 {
45640@@ -621,7 +621,7 @@ void nes_destroy_pau_qp(struct nes_device *nesdev, struct nes_qp *nesqp)
45641 {
45642 struct sk_buff *skb;
45643 unsigned long flags;
45644- atomic_inc(&pau_qps_destroyed);
45645+ atomic_inc_unchecked(&pau_qps_destroyed);
45646
45647 /* Free packets that have not yet been forwarded */
45648 /* Lock is acquired by skb_dequeue when removing the skb */
45649@@ -810,7 +810,7 @@ static void nes_mgt_ce_handler(struct nes_device *nesdev, struct nes_hw_nic_cq *
45650 cq->cq_vbase[head].cqe_words[NES_NIC_CQE_HASH_RCVNXT]);
45651 skb_queue_head_init(&nesqp->pau_list);
45652 spin_lock_init(&nesqp->pau_lock);
45653- atomic_inc(&pau_qps_created);
45654+ atomic_inc_unchecked(&pau_qps_created);
45655 nes_change_quad_hash(nesdev, mgtvnic->nesvnic, nesqp);
45656 }
45657
45658diff --git a/drivers/infiniband/hw/nes/nes_nic.c b/drivers/infiniband/hw/nes/nes_nic.c
45659index 70acda9..a96de9d 100644
45660--- a/drivers/infiniband/hw/nes/nes_nic.c
45661+++ b/drivers/infiniband/hw/nes/nes_nic.c
45662@@ -1274,39 +1274,39 @@ static void nes_netdev_get_ethtool_stats(struct net_device *netdev,
45663 target_stat_values[++index] = mh_detected;
45664 target_stat_values[++index] = mh_pauses_sent;
45665 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
45666- target_stat_values[++index] = atomic_read(&cm_connects);
45667- target_stat_values[++index] = atomic_read(&cm_accepts);
45668- target_stat_values[++index] = atomic_read(&cm_disconnects);
45669- target_stat_values[++index] = atomic_read(&cm_connecteds);
45670- target_stat_values[++index] = atomic_read(&cm_connect_reqs);
45671- target_stat_values[++index] = atomic_read(&cm_rejects);
45672- target_stat_values[++index] = atomic_read(&mod_qp_timouts);
45673- target_stat_values[++index] = atomic_read(&qps_created);
45674- target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
45675- target_stat_values[++index] = atomic_read(&qps_destroyed);
45676- target_stat_values[++index] = atomic_read(&cm_closes);
45677+ target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
45678+ target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
45679+ target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
45680+ target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
45681+ target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
45682+ target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
45683+ target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
45684+ target_stat_values[++index] = atomic_read_unchecked(&qps_created);
45685+ target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
45686+ target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
45687+ target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
45688 target_stat_values[++index] = cm_packets_sent;
45689 target_stat_values[++index] = cm_packets_bounced;
45690 target_stat_values[++index] = cm_packets_created;
45691 target_stat_values[++index] = cm_packets_received;
45692 target_stat_values[++index] = cm_packets_dropped;
45693 target_stat_values[++index] = cm_packets_retrans;
45694- target_stat_values[++index] = atomic_read(&cm_listens_created);
45695- target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
45696+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
45697+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
45698 target_stat_values[++index] = cm_backlog_drops;
45699- target_stat_values[++index] = atomic_read(&cm_loopbacks);
45700- target_stat_values[++index] = atomic_read(&cm_nodes_created);
45701- target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
45702- target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
45703- target_stat_values[++index] = atomic_read(&cm_resets_recvd);
45704+ target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
45705+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
45706+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
45707+ target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
45708+ target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
45709 target_stat_values[++index] = nesadapter->free_4kpbl;
45710 target_stat_values[++index] = nesadapter->free_256pbl;
45711 target_stat_values[++index] = int_mod_timer_init;
45712 target_stat_values[++index] = nesvnic->lro_mgr.stats.aggregated;
45713 target_stat_values[++index] = nesvnic->lro_mgr.stats.flushed;
45714 target_stat_values[++index] = nesvnic->lro_mgr.stats.no_desc;
45715- target_stat_values[++index] = atomic_read(&pau_qps_created);
45716- target_stat_values[++index] = atomic_read(&pau_qps_destroyed);
45717+ target_stat_values[++index] = atomic_read_unchecked(&pau_qps_created);
45718+ target_stat_values[++index] = atomic_read_unchecked(&pau_qps_destroyed);
45719 }
45720
45721 /**
45722diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
45723index fbc43e5..3672792 100644
45724--- a/drivers/infiniband/hw/nes/nes_verbs.c
45725+++ b/drivers/infiniband/hw/nes/nes_verbs.c
45726@@ -46,9 +46,9 @@
45727
45728 #include <rdma/ib_umem.h>
45729
45730-atomic_t mod_qp_timouts;
45731-atomic_t qps_created;
45732-atomic_t sw_qps_destroyed;
45733+atomic_unchecked_t mod_qp_timouts;
45734+atomic_unchecked_t qps_created;
45735+atomic_unchecked_t sw_qps_destroyed;
45736
45737 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
45738
45739@@ -1137,7 +1137,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
45740 if (init_attr->create_flags)
45741 return ERR_PTR(-EINVAL);
45742
45743- atomic_inc(&qps_created);
45744+ atomic_inc_unchecked(&qps_created);
45745 switch (init_attr->qp_type) {
45746 case IB_QPT_RC:
45747 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
45748@@ -1471,7 +1471,7 @@ static int nes_destroy_qp(struct ib_qp *ibqp)
45749 struct iw_cm_event cm_event;
45750 int ret = 0;
45751
45752- atomic_inc(&sw_qps_destroyed);
45753+ atomic_inc_unchecked(&sw_qps_destroyed);
45754 nesqp->destroyed = 1;
45755
45756 /* Blow away the connection if it exists. */
45757diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h
45758index 7df16f7..7e1b21e 100644
45759--- a/drivers/infiniband/hw/qib/qib.h
45760+++ b/drivers/infiniband/hw/qib/qib.h
45761@@ -52,6 +52,7 @@
45762 #include <linux/kref.h>
45763 #include <linux/sched.h>
45764 #include <linux/kthread.h>
45765+#include <linux/slab.h>
45766
45767 #include "qib_common.h"
45768 #include "qib_verbs.h"
45769diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45770index cdc7df4..a2fdfdb 100644
45771--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45772+++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45773@@ -156,7 +156,7 @@ static size_t ipoib_get_size(const struct net_device *dev)
45774 nla_total_size(2); /* IFLA_IPOIB_UMCAST */
45775 }
45776
45777-static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
45778+static struct rtnl_link_ops ipoib_link_ops = {
45779 .kind = "ipoib",
45780 .maxtype = IFLA_IPOIB_MAX,
45781 .policy = ipoib_policy,
45782diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c
45783index e853a21..56fc5a8 100644
45784--- a/drivers/input/gameport/gameport.c
45785+++ b/drivers/input/gameport/gameport.c
45786@@ -527,14 +527,14 @@ EXPORT_SYMBOL(gameport_set_phys);
45787 */
45788 static void gameport_init_port(struct gameport *gameport)
45789 {
45790- static atomic_t gameport_no = ATOMIC_INIT(-1);
45791+ static atomic_unchecked_t gameport_no = ATOMIC_INIT(-1);
45792
45793 __module_get(THIS_MODULE);
45794
45795 mutex_init(&gameport->drv_mutex);
45796 device_initialize(&gameport->dev);
45797 dev_set_name(&gameport->dev, "gameport%lu",
45798- (unsigned long)atomic_inc_return(&gameport_no));
45799+ (unsigned long)atomic_inc_return_unchecked(&gameport_no));
45800 gameport->dev.bus = &gameport_bus;
45801 gameport->dev.release = gameport_release_port;
45802 if (gameport->parent)
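Review bot: Nothing at the `gameport_no` declaration says why the counter is moved to `atomic_unchecked_t`, so a reader cannot tell that leaving it outside overflow checking is deliberate. In the lines shown the value only feeds `dev_set_name()`, so a wrap could at most repeat a device name; it is not a reference count whose overflow could free an object. I would add `/* naming sequence only, not a refcount: wraparound is harmless, hence unchecked */` above the declaration. The same comment appears to fit `input_no` (input.c), `led_seq` (xpad.c), `device_no` (ims-pcu.c), `serio_no` (serio.c) and `serio_raw_no` (serio_raw.c), which are converted the same way in the following hunks.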
45803diff --git a/drivers/input/input.c b/drivers/input/input.c
45804index 78d2499..1f0318e 100644
45805--- a/drivers/input/input.c
45806+++ b/drivers/input/input.c
45807@@ -1775,7 +1775,7 @@ EXPORT_SYMBOL_GPL(input_class);
45808 */
45809 struct input_dev *input_allocate_device(void)
45810 {
45811- static atomic_t input_no = ATOMIC_INIT(-1);
45812+ static atomic_unchecked_t input_no = ATOMIC_INIT(-1);
45813 struct input_dev *dev;
45814
45815 dev = kzalloc(sizeof(struct input_dev), GFP_KERNEL);
45816@@ -1790,7 +1790,7 @@ struct input_dev *input_allocate_device(void)
45817 INIT_LIST_HEAD(&dev->node);
45818
45819 dev_set_name(&dev->dev, "input%lu",
45820- (unsigned long)atomic_inc_return(&input_no));
45821+ (unsigned long)atomic_inc_return_unchecked(&input_no));
45822
45823 __module_get(THIS_MODULE);
45824 }
45825diff --git a/drivers/input/joystick/sidewinder.c b/drivers/input/joystick/sidewinder.c
45826index 4a95b22..874c182 100644
45827--- a/drivers/input/joystick/sidewinder.c
45828+++ b/drivers/input/joystick/sidewinder.c
45829@@ -30,6 +30,7 @@
45830 #include <linux/kernel.h>
45831 #include <linux/module.h>
45832 #include <linux/slab.h>
45833+#include <linux/sched.h>
45834 #include <linux/input.h>
45835 #include <linux/gameport.h>
45836 #include <linux/jiffies.h>
45837diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
45838index f8850f9..9708a2d 100644
45839--- a/drivers/input/joystick/xpad.c
45840+++ b/drivers/input/joystick/xpad.c
45841@@ -959,7 +959,7 @@ static void xpad_led_set(struct led_classdev *led_cdev,
45842
45843 static int xpad_led_probe(struct usb_xpad *xpad)
45844 {
45845- static atomic_t led_seq = ATOMIC_INIT(-1);
45846+ static atomic_unchecked_t led_seq = ATOMIC_INIT(-1);
45847 struct xpad_led *led;
45848 struct led_classdev *led_cdev;
45849 int error;
45850@@ -971,7 +971,7 @@ static int xpad_led_probe(struct usb_xpad *xpad)
45851 if (!led)
45852 return -ENOMEM;
45853
45854- xpad->led_no = atomic_inc_return(&led_seq);
45855+ xpad->led_no = atomic_inc_return_unchecked(&led_seq);
45856
45857 snprintf(led->name, sizeof(led->name), "xpad%lu", xpad->led_no);
45858 led->xpad = xpad;
45859diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
45860index ac1fa5f..5f7502c 100644
45861--- a/drivers/input/misc/ims-pcu.c
45862+++ b/drivers/input/misc/ims-pcu.c
45863@@ -1851,7 +1851,7 @@ static int ims_pcu_identify_type(struct ims_pcu *pcu, u8 *device_id)
45864
45865 static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
45866 {
45867- static atomic_t device_no = ATOMIC_INIT(-1);
45868+ static atomic_unchecked_t device_no = ATOMIC_INIT(-1);
45869
45870 const struct ims_pcu_device_info *info;
45871 int error;
45872@@ -1882,7 +1882,7 @@ static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
45873 }
45874
45875 /* Device appears to be operable, complete initialization */
45876- pcu->device_no = atomic_inc_return(&device_no);
45877+ pcu->device_no = atomic_inc_return_unchecked(&device_no);
45878
45879 /*
45880 * PCU-B devices, both GEN_1 and GEN_2 do not have OFN sensor
45881diff --git a/drivers/input/mouse/psmouse.h b/drivers/input/mouse/psmouse.h
45882index ad5a5a1..5eac214 100644
45883--- a/drivers/input/mouse/psmouse.h
45884+++ b/drivers/input/mouse/psmouse.h
45885@@ -125,7 +125,7 @@ struct psmouse_attribute {
45886 ssize_t (*set)(struct psmouse *psmouse, void *data,
45887 const char *buf, size_t count);
45888 bool protect;
45889-};
45890+} __do_const;
45891 #define to_psmouse_attr(a) container_of((a), struct psmouse_attribute, dattr)
45892
45893 ssize_t psmouse_attr_show_helper(struct device *dev, struct device_attribute *attr,
45894diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
45895index b604564..3f14ae4 100644
45896--- a/drivers/input/mousedev.c
45897+++ b/drivers/input/mousedev.c
45898@@ -744,7 +744,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer,
45899
45900 spin_unlock_irq(&client->packet_lock);
45901
45902- if (copy_to_user(buffer, data, count))
45903+ if (count > sizeof(data) || copy_to_user(buffer, data, count))
45904 return -EFAULT;
45905
45906 return count;
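Review bot: The added `count > sizeof(data)` test guards only the copy to user space. Whatever fills `data` before `spin_unlock_irq()` is outside this hunk, and if `count` could really exceed the buffer, that earlier write would already have overrun it. The bound is better enforced where `count` is computed, before the buffer is filled, with this check kept as a last line of defence. An oversized length is also reported as `-EFAULT`, which reads as a bad user pointer; a separate `if (count > sizeof(data)) return -EINVAL;` would keep the two failures distinguishable. The body of mousedev_read starts outside the hunk.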
45907diff --git a/drivers/input/serio/serio.c b/drivers/input/serio/serio.c
45908index a05a517..323a2fd 100644
45909--- a/drivers/input/serio/serio.c
45910+++ b/drivers/input/serio/serio.c
45911@@ -514,7 +514,7 @@ static void serio_release_port(struct device *dev)
45912 */
45913 static void serio_init_port(struct serio *serio)
45914 {
45915- static atomic_t serio_no = ATOMIC_INIT(-1);
45916+ static atomic_unchecked_t serio_no = ATOMIC_INIT(-1);
45917
45918 __module_get(THIS_MODULE);
45919
45920@@ -525,7 +525,7 @@ static void serio_init_port(struct serio *serio)
45921 mutex_init(&serio->drv_mutex);
45922 device_initialize(&serio->dev);
45923 dev_set_name(&serio->dev, "serio%lu",
45924- (unsigned long)atomic_inc_return(&serio_no));
45925+ (unsigned long)atomic_inc_return_unchecked(&serio_no));
45926 serio->dev.bus = &serio_bus;
45927 serio->dev.release = serio_release_port;
45928 serio->dev.groups = serio_device_attr_groups;
45929diff --git a/drivers/input/serio/serio_raw.c b/drivers/input/serio/serio_raw.c
45930index 71ef5d6..93380a9 100644
45931--- a/drivers/input/serio/serio_raw.c
45932+++ b/drivers/input/serio/serio_raw.c
45933@@ -292,7 +292,7 @@ static irqreturn_t serio_raw_interrupt(struct serio *serio, unsigned char data,
45934
45935 static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
45936 {
45937- static atomic_t serio_raw_no = ATOMIC_INIT(-1);
45938+ static atomic_unchecked_t serio_raw_no = ATOMIC_INIT(-1);
45939 struct serio_raw *serio_raw;
45940 int err;
45941
45942@@ -303,7 +303,7 @@ static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
45943 }
45944
45945 snprintf(serio_raw->name, sizeof(serio_raw->name),
45946- "serio_raw%ld", (long)atomic_inc_return(&serio_raw_no));
45947+ "serio_raw%ld", (long)atomic_inc_return_unchecked(&serio_raw_no));
45948 kref_init(&serio_raw->kref);
45949 INIT_LIST_HEAD(&serio_raw->client_list);
45950 init_waitqueue_head(&serio_raw->wait);
45951diff --git a/drivers/input/touchscreen/htcpen.c b/drivers/input/touchscreen/htcpen.c
45952index 92e2243..8fd9092 100644
45953--- a/drivers/input/touchscreen/htcpen.c
45954+++ b/drivers/input/touchscreen/htcpen.c
45955@@ -219,7 +219,7 @@ static struct isa_driver htcpen_isa_driver = {
45956 }
45957 };
45958
45959-static struct dmi_system_id htcshift_dmi_table[] __initdata = {
45960+static const struct dmi_system_id htcshift_dmi_table[] __initconst = {
45961 {
45962 .ident = "Shift",
45963 .matches = {
45964diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
45965index f1fb1d3..82257cc 100644
45966--- a/drivers/iommu/Kconfig
45967+++ b/drivers/iommu/Kconfig
45968@@ -102,6 +102,7 @@ config AMD_IOMMU_STATS
45969 bool "Export AMD IOMMU statistics to debugfs"
45970 depends on AMD_IOMMU
45971 select DEBUG_FS
45972+ depends on !GRKERNSEC_KMEM
45973 ---help---
45974 This option enables code in the AMD IOMMU driver to collect various
45975 statistics about whats happening in the driver and exports that
45976diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
45977index 658ee39..6fde5be 100644
45978--- a/drivers/iommu/amd_iommu.c
45979+++ b/drivers/iommu/amd_iommu.c
45980@@ -794,11 +794,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
45981
45982 static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
45983 {
45984+ phys_addr_t physaddr;
45985 WARN_ON(address & 0x7ULL);
45986
45987 memset(cmd, 0, sizeof(*cmd));
45988- cmd->data[0] = lower_32_bits(__pa(address)) | CMD_COMPL_WAIT_STORE_MASK;
45989- cmd->data[1] = upper_32_bits(__pa(address));
45990+
45991+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
45992+ if (object_starts_on_stack((void *)address)) {
45993+ void *adjbuf = (void *)address - current->stack + current->lowmem_stack;
45994+ physaddr = __pa((u64)adjbuf);
45995+ } else
45996+#endif
45997+ physaddr = __pa(address);
45998+
45999+ cmd->data[0] = lower_32_bits(physaddr) | CMD_COMPL_WAIT_STORE_MASK;
46000+ cmd->data[1] = upper_32_bits(physaddr);
46001 cmd->data[2] = 1;
46002 CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
46003 }
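Review bot: The unbraced `else` that ends inside `#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW` binds to the `physaddr = __pa(address);` line after `#endif`, so a statement later inserted between them silently changes which branch it belongs to. Adjusting a local pointer inside the conditional block and calling `__pa()` once afterwards removes the dangling `else` and the duplicated call. The translation also needs a comment, since nothing here says why an on-stack address is handled differently. Judging by the name `lowmem_stack`, it substitutes a directly mapped alias of the stack, which should be confirmed against the KSTACKOVERFLOW code. The expression still relies on GNU `void *` arithmetic, as the original does.

```c
static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
{
	phys_addr_t physaddr;
	void *buf = (void *)address;

	/* … unchanged: WARN_ON alignment check, memset of cmd … */

#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
	/* on-stack buffer: use the stack's lowmem alias before __pa() (confirm) */
	if (object_starts_on_stack(buf))
		buf = buf - current->stack + current->lowmem_stack;
#endif
	physaddr = __pa(buf);

	/* … unchanged: cmd->data[] setup and CMD_SET_TYPE … */
```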
46004diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
46005index 4cd0c29..afd3cbe 100644
46006--- a/drivers/iommu/arm-smmu.c
46007+++ b/drivers/iommu/arm-smmu.c
46008@@ -330,7 +330,7 @@ enum arm_smmu_domain_stage {
46009
46010 struct arm_smmu_domain {
46011 struct arm_smmu_device *smmu;
46012- struct io_pgtable_ops *pgtbl_ops;
46013+ struct io_pgtable *pgtbl;
46014 spinlock_t pgtbl_lock;
46015 struct arm_smmu_cfg cfg;
46016 enum arm_smmu_domain_stage stage;
46017@@ -816,7 +816,7 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
46018 {
46019 int irq, start, ret = 0;
46020 unsigned long ias, oas;
46021- struct io_pgtable_ops *pgtbl_ops;
46022+ struct io_pgtable *pgtbl;
46023 struct io_pgtable_cfg pgtbl_cfg;
46024 enum io_pgtable_fmt fmt;
46025 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
46026@@ -901,14 +901,16 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
46027 };
46028
46029 smmu_domain->smmu = smmu;
46030- pgtbl_ops = alloc_io_pgtable_ops(fmt, &pgtbl_cfg, smmu_domain);
46031- if (!pgtbl_ops) {
46032+ pgtbl = alloc_io_pgtable(fmt, &pgtbl_cfg, smmu_domain);
46033+ if (!pgtbl) {
46034 ret = -ENOMEM;
46035 goto out_clear_smmu;
46036 }
46037
46038 /* Update our support page sizes to reflect the page table format */
46039- arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
46040+ pax_open_kernel();
46041+ *(unsigned long *)&arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
46042+ pax_close_kernel();
46043
46044 /* Initialise the context bank with our page table cfg */
46045 arm_smmu_init_context_bank(smmu_domain, &pgtbl_cfg);
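Review bot: The store to `arm_smmu_ops.pgsize_bitmap` goes through a `*(unsigned long *)&` cast inside a `pax_open_kernel()`/`pax_close_kernel()` pair, with no comment saying why an ops structure has to be modified after initialisation. This code sits in the domain-context setup path, so the window in which protected kernel data is writable is opened at run time and not only during probe. A comment such as `/* arm_smmu_ops is write-protected; open the window only for this pgsize_bitmap update */` would make the exception visible to reviewers. Keeping the bitmap in per-device or per-domain state would avoid the window altogether. The same pattern appears in the arm_smmu_device_cfg_probe hunk (`&= size`); the enclosing function starts and ends outside this hunk.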
46046@@ -929,7 +931,7 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
46047 mutex_unlock(&smmu_domain->init_mutex);
46048
46049 /* Publish page table ops for map/unmap */
46050- smmu_domain->pgtbl_ops = pgtbl_ops;
46051+ smmu_domain->pgtbl = pgtbl;
46052 return 0;
46053
46054 out_clear_smmu:
46055@@ -962,8 +964,7 @@ static void arm_smmu_destroy_domain_context(struct iommu_domain *domain)
46056 free_irq(irq, domain);
46057 }
46058
46059- if (smmu_domain->pgtbl_ops)
46060- free_io_pgtable_ops(smmu_domain->pgtbl_ops);
46061+ free_io_pgtable(smmu_domain->pgtbl);
46062
46063 __arm_smmu_free_bitmap(smmu->context_map, cfg->cbndx);
46064 }
46065@@ -1189,13 +1190,13 @@ static int arm_smmu_map(struct iommu_domain *domain, unsigned long iova,
46066 int ret;
46067 unsigned long flags;
46068 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
46069- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
46070+ struct io_pgtable *iop = smmu_domain->pgtbl;
46071
46072- if (!ops)
46073+ if (!iop)
46074 return -ENODEV;
46075
46076 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
46077- ret = ops->map(ops, iova, paddr, size, prot);
46078+ ret = iop->ops->map(iop, iova, paddr, size, prot);
46079 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
46080 return ret;
46081 }
46082@@ -1206,13 +1207,13 @@ static size_t arm_smmu_unmap(struct iommu_domain *domain, unsigned long iova,
46083 size_t ret;
46084 unsigned long flags;
46085 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
46086- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
46087+ struct io_pgtable *iop = smmu_domain->pgtbl;
46088
46089- if (!ops)
46090+ if (!iop)
46091 return 0;
46092
46093 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
46094- ret = ops->unmap(ops, iova, size);
46095+ ret = iop->ops->unmap(iop, iova, size);
46096 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
46097 return ret;
46098 }
46099@@ -1223,7 +1224,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
46100 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
46101 struct arm_smmu_device *smmu = smmu_domain->smmu;
46102 struct arm_smmu_cfg *cfg = &smmu_domain->cfg;
46103- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
46104+ struct io_pgtable *iop = smmu_domain->pgtbl;
46105 struct device *dev = smmu->dev;
46106 void __iomem *cb_base;
46107 u32 tmp;
46108@@ -1246,7 +1247,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
46109 dev_err(dev,
46110 "iova to phys timed out on 0x%pad. Falling back to software table walk.\n",
46111 &iova);
46112- return ops->iova_to_phys(ops, iova);
46113+ return iop->ops->iova_to_phys(iop, iova);
46114 }
46115
46116 phys = readl_relaxed(cb_base + ARM_SMMU_CB_PAR_LO);
46117@@ -1267,9 +1268,9 @@ static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
46118 phys_addr_t ret;
46119 unsigned long flags;
46120 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
46121- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
46122+ struct io_pgtable *iop = smmu_domain->pgtbl;
46123
46124- if (!ops)
46125+ if (!iop)
46126 return 0;
46127
46128 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
46129@@ -1277,7 +1278,7 @@ static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
46130 smmu_domain->stage == ARM_SMMU_DOMAIN_S1) {
46131 ret = arm_smmu_iova_to_phys_hard(domain, iova);
46132 } else {
46133- ret = ops->iova_to_phys(ops, iova);
46134+ ret = iop->ops->iova_to_phys(iop, iova);
46135 }
46136
46137 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
46138@@ -1667,7 +1668,9 @@ static int arm_smmu_device_cfg_probe(struct arm_smmu_device *smmu)
46139 size |= SZ_64K | SZ_512M;
46140 }
46141
46142- arm_smmu_ops.pgsize_bitmap &= size;
46143+ pax_open_kernel();
46144+ *(unsigned long *)&arm_smmu_ops.pgsize_bitmap &= size;
46145+ pax_close_kernel();
46146 dev_notice(smmu->dev, "\tSupported page sizes: 0x%08lx\n", size);
46147
46148 if (smmu->features & ARM_SMMU_FEAT_TRANS_S1)
46149diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
46150index e29d5d7..e5eeb3e 100644
46151--- a/drivers/iommu/io-pgtable-arm.c
46152+++ b/drivers/iommu/io-pgtable-arm.c
46153@@ -36,12 +36,6 @@
46154 #define io_pgtable_to_data(x) \
46155 container_of((x), struct arm_lpae_io_pgtable, iop)
46156
46157-#define io_pgtable_ops_to_pgtable(x) \
46158- container_of((x), struct io_pgtable, ops)
46159-
46160-#define io_pgtable_ops_to_data(x) \
46161- io_pgtable_to_data(io_pgtable_ops_to_pgtable(x))
46162-
46163 /*
46164 * For consistency with the architecture, we always consider
46165 * ARM_LPAE_MAX_LEVELS levels, with the walk starting at level n >=0
46166@@ -319,10 +313,10 @@ static arm_lpae_iopte arm_lpae_prot_to_pte(struct arm_lpae_io_pgtable *data,
46167 return pte;
46168 }
46169
46170-static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
46171+static int arm_lpae_map(struct io_pgtable *iop, unsigned long iova,
46172 phys_addr_t paddr, size_t size, int iommu_prot)
46173 {
46174- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
46175+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
46176 arm_lpae_iopte *ptep = data->pgd;
46177 int lvl = ARM_LPAE_START_LVL(data);
46178 arm_lpae_iopte prot;
46179@@ -462,12 +456,11 @@ static int __arm_lpae_unmap(struct arm_lpae_io_pgtable *data,
46180 return __arm_lpae_unmap(data, iova, size, lvl + 1, ptep);
46181 }
46182
46183-static int arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova,
46184+static int arm_lpae_unmap(struct io_pgtable *iop, unsigned long iova,
46185 size_t size)
46186 {
46187 size_t unmapped;
46188- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
46189- struct io_pgtable *iop = &data->iop;
46190+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
46191 arm_lpae_iopte *ptep = data->pgd;
46192 int lvl = ARM_LPAE_START_LVL(data);
46193
46194@@ -478,10 +471,10 @@ static int arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova,
46195 return unmapped;
46196 }
46197
46198-static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable_ops *ops,
46199+static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable *iop,
46200 unsigned long iova)
46201 {
46202- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
46203+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
46204 arm_lpae_iopte pte, *ptep = data->pgd;
46205 int lvl = ARM_LPAE_START_LVL(data);
46206
46207@@ -548,6 +541,12 @@ static void arm_lpae_restrict_pgsizes(struct io_pgtable_cfg *cfg)
46208 }
46209 }
46210
46211+static struct io_pgtable_ops arm_lpae_io_pgtable_ops = {
46212+ .map = arm_lpae_map,
46213+ .unmap = arm_lpae_unmap,
46214+ .iova_to_phys = arm_lpae_iova_to_phys,
46215+};
46216+
46217 static struct arm_lpae_io_pgtable *
46218 arm_lpae_alloc_pgtable(struct io_pgtable_cfg *cfg)
46219 {
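Review bot: `arm_lpae_io_pgtable_ops` is declared without `const`, so as written this table of function pointers is ordinary writable data, and after this change every LPAE page table points at the one shared copy. Declaring it `static const struct io_pgtable_ops arm_lpae_io_pgtable_ops = {` states the read-only intent in the source instead of leaving it to build-time tooling. That requires the `ops` member of `struct io_pgtable` to be a pointer to const; its declaration is outside the lines shown, although arm_lpae_run_tests already holds the table through `const struct io_pgtable_ops *ops`.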
46220@@ -579,11 +578,7 @@ arm_lpae_alloc_pgtable(struct io_pgtable_cfg *cfg)
46221 pgd_bits = va_bits - (data->bits_per_level * (data->levels - 1));
46222 data->pgd_size = 1UL << (pgd_bits + ilog2(sizeof(arm_lpae_iopte)));
46223
46224- data->iop.ops = (struct io_pgtable_ops) {
46225- .map = arm_lpae_map,
46226- .unmap = arm_lpae_unmap,
46227- .iova_to_phys = arm_lpae_iova_to_phys,
46228- };
46229+ data->iop.ops = &arm_lpae_io_pgtable_ops;
46230
46231 return data;
46232 }
46233@@ -845,9 +840,9 @@ static struct iommu_gather_ops dummy_tlb_ops __initdata = {
46234 .flush_pgtable = dummy_flush_pgtable,
46235 };
46236
46237-static void __init arm_lpae_dump_ops(struct io_pgtable_ops *ops)
46238+static void __init arm_lpae_dump_ops(struct io_pgtable *iop)
46239 {
46240- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
46241+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
46242 struct io_pgtable_cfg *cfg = &data->iop.cfg;
46243
46244 pr_err("cfg: pgsize_bitmap 0x%lx, ias %u-bit\n",
46245@@ -857,9 +852,9 @@ static void __init arm_lpae_dump_ops(struct io_pgtable_ops *ops)
46246 data->bits_per_level, data->pgd);
46247 }
46248
46249-#define __FAIL(ops, i) ({ \
46250+#define __FAIL(iop, i) ({ \
46251 WARN(1, "selftest: test failed for fmt idx %d\n", (i)); \
46252- arm_lpae_dump_ops(ops); \
46253+ arm_lpae_dump_ops(iop); \
46254 selftest_running = false; \
46255 -EFAULT; \
46256 })
46257@@ -874,30 +869,32 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
46258 int i, j;
46259 unsigned long iova;
46260 size_t size;
46261- struct io_pgtable_ops *ops;
46262+ struct io_pgtable *iop;
46263+ const struct io_pgtable_ops *ops;
46264
46265 selftest_running = true;
46266
46267 for (i = 0; i < ARRAY_SIZE(fmts); ++i) {
46268 cfg_cookie = cfg;
46269- ops = alloc_io_pgtable_ops(fmts[i], cfg, cfg);
46270- if (!ops) {
46271+ iop = alloc_io_pgtable(fmts[i], cfg, cfg);
46272+ if (!iop) {
46273 pr_err("selftest: failed to allocate io pgtable ops\n");
46274 return -ENOMEM;
46275 }
46276+ ops = iop->ops;
46277
46278 /*
46279 * Initial sanity checks.
46280 * Empty page tables shouldn't provide any translations.
46281 */
46282- if (ops->iova_to_phys(ops, 42))
46283- return __FAIL(ops, i);
46284+ if (ops->iova_to_phys(iop, 42))
46285+ return __FAIL(iop, i);
46286
46287- if (ops->iova_to_phys(ops, SZ_1G + 42))
46288- return __FAIL(ops, i);
46289+ if (ops->iova_to_phys(iop, SZ_1G + 42))
46290+ return __FAIL(iop, i);
46291
46292- if (ops->iova_to_phys(ops, SZ_2G + 42))
46293- return __FAIL(ops, i);
46294+ if (ops->iova_to_phys(iop, SZ_2G + 42))
46295+ return __FAIL(iop, i);
46296
46297 /*
46298 * Distinct mappings of different granule sizes.
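Review bot: Every `return __FAIL(iop, i);` leaves arm_lpae_run_tests without calling `free_io_pgtable(iop)`, so a failing self-test leaks the table allocated at the top of that loop iteration; `__FAIL`, as defined just above, only warns, dumps the configuration and yields `-EFAULT`. Routing failures through one exit label that frees `iop`, or freeing inside the macro, would close this. The `pr_err` text also still says "io pgtable ops" although the call now returns a `struct io_pgtable`. The function continues outside this hunk.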
46299@@ -907,19 +904,19 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
46300 while (j != BITS_PER_LONG) {
46301 size = 1UL << j;
46302
46303- if (ops->map(ops, iova, iova, size, IOMMU_READ |
46304+ if (ops->map(iop, iova, iova, size, IOMMU_READ |
46305 IOMMU_WRITE |
46306 IOMMU_NOEXEC |
46307 IOMMU_CACHE))
46308- return __FAIL(ops, i);
46309+ return __FAIL(iop, i);
46310
46311 /* Overlapping mappings */
46312- if (!ops->map(ops, iova, iova + size, size,
46313+ if (!ops->map(iop, iova, iova + size, size,
46314 IOMMU_READ | IOMMU_NOEXEC))
46315- return __FAIL(ops, i);
46316+ return __FAIL(iop, i);
46317
46318- if (ops->iova_to_phys(ops, iova + 42) != (iova + 42))
46319- return __FAIL(ops, i);
46320+ if (ops->iova_to_phys(iop, iova + 42) != (iova + 42))
46321+ return __FAIL(iop, i);
46322
46323 iova += SZ_1G;
46324 j++;
46325@@ -928,15 +925,15 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
46326
46327 /* Partial unmap */
46328 size = 1UL << __ffs(cfg->pgsize_bitmap);
46329- if (ops->unmap(ops, SZ_1G + size, size) != size)
46330- return __FAIL(ops, i);
46331+ if (ops->unmap(iop, SZ_1G + size, size) != size)
46332+ return __FAIL(iop, i);
46333
46334 /* Remap of partial unmap */
46335- if (ops->map(ops, SZ_1G + size, size, size, IOMMU_READ))
46336- return __FAIL(ops, i);
46337+ if (ops->map(iop, SZ_1G + size, size, size, IOMMU_READ))
46338+ return __FAIL(iop, i);
46339
46340- if (ops->iova_to_phys(ops, SZ_1G + size + 42) != (size + 42))
46341- return __FAIL(ops, i);
46342+ if (ops->iova_to_phys(iop, SZ_1G + size + 42) != (size + 42))
46343+ return __FAIL(iop, i);
46344
46345 /* Full unmap */
46346 iova = 0;
46347@@ -944,25 +941,25 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
46348 while (j != BITS_PER_LONG) {
46349 size = 1UL << j;
46350
46351- if (ops->unmap(ops, iova, size) != size)
46352- return __FAIL(ops, i);
46353+ if (ops->unmap(iop, iova, size) != size)
46354+ return __FAIL(iop, i);
46355
46356- if (ops->iova_to_phys(ops, iova + 42))
46357- return __FAIL(ops, i);
46358+ if (ops->iova_to_phys(iop, iova + 42))
46359+ return __FAIL(iop, i);
46360
46361 /* Remap full block */
46362- if (ops->map(ops, iova, iova, size, IOMMU_WRITE))
46363- return __FAIL(ops, i);
46364+ if (ops->map(iop, iova, iova, size, IOMMU_WRITE))
46365+ return __FAIL(iop, i);
46366
46367- if (ops->iova_to_phys(ops, iova + 42) != (iova + 42))
46368- return __FAIL(ops, i);
46369+ if (ops->iova_to_phys(iop, iova + 42) != (iova + 42))
46370+ return __FAIL(iop, i);
46371
46372 iova += SZ_1G;
46373 j++;
46374 j = find_next_bit(&cfg->pgsize_bitmap, BITS_PER_LONG, j);
46375 }
46376
46377- free_io_pgtable_ops(ops);
46378+ free_io_pgtable(iop);
46379 }
46380
46381 selftest_running = false;
46382diff --git a/drivers/iommu/io-pgtable.c b/drivers/iommu/io-pgtable.c
46383index 6436fe2..088c965 100644
46384--- a/drivers/iommu/io-pgtable.c
46385+++ b/drivers/iommu/io-pgtable.c
46386@@ -40,7 +40,7 @@ io_pgtable_init_table[IO_PGTABLE_NUM_FMTS] =
46387 #endif
46388 };
46389
46390-struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
46391+struct io_pgtable *alloc_io_pgtable(enum io_pgtable_fmt fmt,
46392 struct io_pgtable_cfg *cfg,
46393 void *cookie)
46394 {
46395@@ -62,21 +62,18 @@ struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
46396 iop->cookie = cookie;
46397 iop->cfg = *cfg;
46398
46399- return &iop->ops;
46400+ return iop;
46401 }
46402
46403 /*
46404 * It is the IOMMU driver's responsibility to ensure that the page table
46405 * is no longer accessible to the walker by this point.
46406 */
46407-void free_io_pgtable_ops(struct io_pgtable_ops *ops)
46408+void free_io_pgtable(struct io_pgtable *iop)
46409 {
46410- struct io_pgtable *iop;
46411-
46412- if (!ops)
46413+ if (!iop)
46414 return;
46415
46416- iop = container_of(ops, struct io_pgtable, ops);
46417 iop->cfg.tlb->tlb_flush_all(iop->cookie);
46418 io_pgtable_init_table[iop->fmt]->free(iop);
46419 }
46420diff --git a/drivers/iommu/io-pgtable.h b/drivers/iommu/io-pgtable.h
46421index 10e32f6..0b276c8 100644
46422--- a/drivers/iommu/io-pgtable.h
46423+++ b/drivers/iommu/io-pgtable.h
46424@@ -75,17 +75,18 @@ struct io_pgtable_cfg {
46425 * These functions map directly onto the iommu_ops member functions with
46426 * the same names.
46427 */
46428+struct io_pgtable;
46429 struct io_pgtable_ops {
46430- int (*map)(struct io_pgtable_ops *ops, unsigned long iova,
46431+ int (*map)(struct io_pgtable *iop, unsigned long iova,
46432 phys_addr_t paddr, size_t size, int prot);
46433- int (*unmap)(struct io_pgtable_ops *ops, unsigned long iova,
46434+ int (*unmap)(struct io_pgtable *iop, unsigned long iova,
46435 size_t size);
46436- phys_addr_t (*iova_to_phys)(struct io_pgtable_ops *ops,
46437+ phys_addr_t (*iova_to_phys)(struct io_pgtable *iop,
46438 unsigned long iova);
46439 };
46440
46441 /**
46442- * alloc_io_pgtable_ops() - Allocate a page table allocator for use by an IOMMU.
46443+ * alloc_io_pgtable() - Allocate a page table allocator for use by an IOMMU.
46444 *
46445 * @fmt: The page table format.
46446 * @cfg: The page table configuration. This will be modified to represent
46447@@ -94,9 +95,9 @@ struct io_pgtable_ops {
46448 * @cookie: An opaque token provided by the IOMMU driver and passed back to
46449 * the callback routines in cfg->tlb.
46450 */
46451-struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
46452- struct io_pgtable_cfg *cfg,
46453- void *cookie);
46454+struct io_pgtable *alloc_io_pgtable(enum io_pgtable_fmt fmt,
46455+ struct io_pgtable_cfg *cfg,
46456+ void *cookie);
46457
46458 /**
46459 * free_io_pgtable_ops() - Free an io_pgtable_ops structure. The caller
46460@@ -105,7 +106,7 @@ struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
46461 *
46462 * @ops: The ops returned from alloc_io_pgtable_ops.
46463 */
46464-void free_io_pgtable_ops(struct io_pgtable_ops *ops);
46465+void free_io_pgtable(struct io_pgtable *iop);
46466
46467
46468 /*
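Review bot: The kerneldoc above the renamed prototype still documents the old interface: it is headed `free_io_pgtable_ops()` and describes `@ops: The ops returned from alloc_io_pgtable_ops.`, while the declaration is now `void free_io_pgtable(struct io_pgtable *iop);`. The heading is a context line in the previous hunk and the `@ops` line is a context line here, so neither was updated. I would change them to `free_io_pgtable() - Free an io_pgtable structure.` and `@iop: The io_pgtable returned from alloc_io_pgtable.` so the comment matches the pointer type callers must now pass. The comment block starts outside this hunk.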
46469@@ -125,7 +126,7 @@ struct io_pgtable {
46470 enum io_pgtable_fmt fmt;
46471 void *cookie;
46472 struct io_pgtable_cfg cfg;
46473- struct io_pgtable_ops ops;
46474+ const struct io_pgtable_ops *ops;
46475 };
46476
46477 /**
46478diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
46479index f286090..bac3e7e 100644
46480--- a/drivers/iommu/iommu.c
46481+++ b/drivers/iommu/iommu.c
46482@@ -934,7 +934,7 @@ static int iommu_bus_notifier(struct notifier_block *nb,
46483 static int iommu_bus_init(struct bus_type *bus, const struct iommu_ops *ops)
46484 {
46485 int err;
46486- struct notifier_block *nb;
46487+ notifier_block_no_const *nb;
46488 struct iommu_callback_data cb = {
46489 .ops = ops,
46490 };
46491diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c
46492index 1a67c53..23181d8 100644
46493--- a/drivers/iommu/ipmmu-vmsa.c
46494+++ b/drivers/iommu/ipmmu-vmsa.c
46495@@ -41,7 +41,7 @@ struct ipmmu_vmsa_domain {
46496 struct iommu_domain io_domain;
46497
46498 struct io_pgtable_cfg cfg;
46499- struct io_pgtable_ops *iop;
46500+ struct io_pgtable *iop;
46501
46502 unsigned int context_id;
46503 spinlock_t lock; /* Protects mappings */
46504@@ -328,8 +328,7 @@ static int ipmmu_domain_init_context(struct ipmmu_vmsa_domain *domain)
46505 domain->cfg.oas = 40;
46506 domain->cfg.tlb = &ipmmu_gather_ops;
46507
46508- domain->iop = alloc_io_pgtable_ops(ARM_32_LPAE_S1, &domain->cfg,
46509- domain);
46510+ domain->iop = alloc_io_pgtable(ARM_32_LPAE_S1, &domain->cfg, domain);
46511 if (!domain->iop)
46512 return -EINVAL;
46513
46514@@ -487,7 +486,7 @@ static void ipmmu_domain_free(struct iommu_domain *io_domain)
46515 * been detached.
46516 */
46517 ipmmu_domain_destroy_context(domain);
46518- free_io_pgtable_ops(domain->iop);
46519+ free_io_pgtable(domain->iop);
46520 kfree(domain);
46521 }
46522
46523@@ -556,7 +555,7 @@ static int ipmmu_map(struct iommu_domain *io_domain, unsigned long iova,
46524 if (!domain)
46525 return -ENODEV;
46526
46527- return domain->iop->map(domain->iop, iova, paddr, size, prot);
46528+ return domain->iop->ops->map(domain->iop, iova, paddr, size, prot);
46529 }
46530
46531 static size_t ipmmu_unmap(struct iommu_domain *io_domain, unsigned long iova,
46532@@ -564,7 +563,7 @@ static size_t ipmmu_unmap(struct iommu_domain *io_domain, unsigned long iova,
46533 {
46534 struct ipmmu_vmsa_domain *domain = to_vmsa_domain(io_domain);
46535
46536- return domain->iop->unmap(domain->iop, iova, size);
46537+ return domain->iop->ops->unmap(domain->iop, iova, size);
46538 }
46539
46540 static phys_addr_t ipmmu_iova_to_phys(struct iommu_domain *io_domain,
46541@@ -574,7 +573,7 @@ static phys_addr_t ipmmu_iova_to_phys(struct iommu_domain *io_domain,
46542
46543 /* TODO: Is locking needed ? */
46544
46545- return domain->iop->iova_to_phys(domain->iop, iova);
46546+ return domain->iop->ops->iova_to_phys(domain->iop, iova);
46547 }
46548
46549 static int ipmmu_find_utlbs(struct ipmmu_vmsa_device *mmu, struct device *dev,
46550diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c
46551index 2d99930..b8b358c 100644
46552--- a/drivers/iommu/irq_remapping.c
46553+++ b/drivers/iommu/irq_remapping.c
46554@@ -149,7 +149,7 @@ int __init irq_remap_enable_fault_handling(void)
46555 void panic_if_irq_remap(const char *msg)
46556 {
46557 if (irq_remapping_enabled)
46558- panic(msg);
46559+ panic("%s", msg);
46560 }
46561
46562 void ir_ack_apic_edge(struct irq_data *data)
46563diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
46564index f3d20a2..5dcb85e 100644
46565--- a/drivers/iommu/omap-iommu-debug.c
46566+++ b/drivers/iommu/omap-iommu-debug.c
46567@@ -55,34 +55,22 @@ static ssize_t debug_read_regs(struct file *file, char __user *userbuf,
46568 return bytes;
46569 }
46570
46571-static ssize_t debug_read_tlb(struct file *file, char __user *userbuf,
46572- size_t count, loff_t *ppos)
46573+static int debug_read_tlb(struct seq_file *s, void *data)
46574 {
46575- struct omap_iommu *obj = file->private_data;
46576- char *p, *buf;
46577- ssize_t bytes, rest;
46578+ struct omap_iommu *obj = s->private;
46579
46580 if (is_omap_iommu_detached(obj))
46581 return -EPERM;
46582
46583- buf = kmalloc(count, GFP_KERNEL);
46584- if (!buf)
46585- return -ENOMEM;
46586- p = buf;
46587-
46588 mutex_lock(&iommu_debug_lock);
46589
46590- p += sprintf(p, "%8s %8s\n", "cam:", "ram:");
46591- p += sprintf(p, "-----------------------------------------\n");
46592- rest = count - (p - buf);
46593- p += omap_dump_tlb_entries(obj, p, rest);
46594-
46595- bytes = simple_read_from_buffer(userbuf, count, ppos, buf, p - buf);
46596+ seq_printf(s, "%8s %8s\n", "cam:", "ram:");
46597+ seq_puts(s, "-----------------------------------------\n");
46598+ omap_dump_tlb_entries(obj, s);
46599
46600 mutex_unlock(&iommu_debug_lock);
46601- kfree(buf);
46602
46603- return bytes;
46604+ return 0;
46605 }
46606
46607 static void dump_ioptable(struct seq_file *s)
46608@@ -157,7 +145,7 @@ static int debug_read_pagetable(struct seq_file *s, void *data)
46609 };
46610
46611 DEBUG_FOPS_RO(regs);
46612-DEBUG_FOPS_RO(tlb);
46613+DEBUG_SEQ_FOPS_RO(tlb);
46614 DEBUG_SEQ_FOPS_RO(pagetable);
46615
46616 #define __DEBUG_ADD_FILE(attr, mode) \
46617diff --git a/drivers/iommu/omap-iommu.c b/drivers/iommu/omap-iommu.c
46618index a22c33d..2247075e2 100644
46619--- a/drivers/iommu/omap-iommu.c
46620+++ b/drivers/iommu/omap-iommu.c
46621@@ -546,36 +546,30 @@ __dump_tlb_entries(struct omap_iommu *obj, struct cr_regs *crs, int num)
46622 }
46623
46624 /**
46625- * iotlb_dump_cr - Dump an iommu tlb entry into buf
46626+ * iotlb_dump_cr - Dump an iommu tlb entry into seq_file
46627 * @obj: target iommu
46628 * @cr: contents of cam and ram register
46629- * @buf: output buffer
46630+ * @s: output seq_file
46631 **/
46632 static ssize_t iotlb_dump_cr(struct omap_iommu *obj, struct cr_regs *cr,
46633- char *buf)
46634+ struct seq_file *s)
46635 {
46636- char *p = buf;
46637-
46638 /* FIXME: Need more detail analysis of cam/ram */
46639- p += sprintf(p, "%08x %08x %01x\n", cr->cam, cr->ram,
46640- (cr->cam & MMU_CAM_P) ? 1 : 0);
46641-
46642- return p - buf;
46643+ return seq_printf(s, "%08x %08x %01x\n", cr->cam, cr->ram,
46644+ (cr->cam & MMU_CAM_P) ? 1 : 0);
46645 }
46646
46647 /**
46648- * omap_dump_tlb_entries - dump cr arrays to given buffer
46649+ * omap_dump_tlb_entries - dump cr arrays to given seq_file
46650 * @obj: target iommu
46651- * @buf: output buffer
46652+ * @s: output seq_file
46653 **/
46654-size_t omap_dump_tlb_entries(struct omap_iommu *obj, char *buf, ssize_t bytes)
46655+size_t omap_dump_tlb_entries(struct omap_iommu *obj, struct seq_file *s)
46656 {
46657 int i, num;
46658 struct cr_regs *cr;
46659- char *p = buf;
46660
46661- num = bytes / sizeof(*cr);
46662- num = min(obj->nr_tlb_entries, num);
46663+ num = obj->nr_tlb_entries;
46664
46665 cr = kcalloc(num, sizeof(*cr), GFP_KERNEL);
46666 if (!cr)
46667@@ -583,10 +577,10 @@ size_t omap_dump_tlb_entries(struct omap_iommu *obj, char *buf, ssize_t bytes)
46668
46669 num = __dump_tlb_entries(obj, cr, num);
46670 for (i = 0; i < num; i++)
46671- p += iotlb_dump_cr(obj, cr + i, p);
46672+ iotlb_dump_cr(obj, cr + i, s);
46673 kfree(cr);
46674
46675- return p - buf;
46676+ return 0;
46677 }
46678
46679 #endif /* CONFIG_OMAP_IOMMU_DEBUG */
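Review bot: `omap_dump_tlb_entries()` keeps its `size_t` return type but the visible path now ends in `return 0;`, and the new caller in omap-iommu-debug.c (`omap_dump_tlb_entries(obj, s);`) discards the result. A failed `kcalloc()` therefore cannot be told apart from an empty TLB dump. The body of the `if (!cr)` branch lies between the two hunks and is not visible, so this is hedged. I would make the function return `int`, return `-ENOMEM` on allocation failure, and have `debug_read_tlb()` propagate it with `ret = omap_dump_tlb_entries(obj, s);` before the unlock. `iotlb_dump_cr()` likewise returns a value nobody reads and could become `void`.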
46680diff --git a/drivers/iommu/omap-iommu.h b/drivers/iommu/omap-iommu.h
46681index d736630..5df9755 100644
46682--- a/drivers/iommu/omap-iommu.h
46683+++ b/drivers/iommu/omap-iommu.h
46684@@ -193,8 +193,7 @@ static inline struct omap_iommu *dev_to_omap_iommu(struct device *dev)
46685 #ifdef CONFIG_OMAP_IOMMU_DEBUG
46686 extern ssize_t
46687 omap_iommu_dump_ctx(struct omap_iommu *obj, char *buf, ssize_t len);
46688-extern size_t
46689-omap_dump_tlb_entries(struct omap_iommu *obj, char *buf, ssize_t len);
46690+extern size_t omap_dump_tlb_entries(struct omap_iommu *obj, struct seq_file *s);
46691
46692 void omap_iommu_debugfs_init(void);
46693 void omap_iommu_debugfs_exit(void);
46694diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
46695index 4dd8826..1f33400 100644
46696--- a/drivers/irqchip/irq-gic.c
46697+++ b/drivers/irqchip/irq-gic.c
46698@@ -313,7 +313,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc)
46699 chained_irq_exit(chip, desc);
46700 }
46701
46702-static struct irq_chip gic_chip = {
46703+static irq_chip_no_const gic_chip __read_only = {
46704 .name = "GIC",
46705 .irq_mask = gic_mask_irq,
46706 .irq_unmask = gic_unmask_irq,
46707diff --git a/drivers/irqchip/irq-renesas-intc-irqpin.c b/drivers/irqchip/irq-renesas-intc-irqpin.c
46708index 0670ab4..1094651 100644
46709--- a/drivers/irqchip/irq-renesas-intc-irqpin.c
46710+++ b/drivers/irqchip/irq-renesas-intc-irqpin.c
46711@@ -373,7 +373,7 @@ static int intc_irqpin_probe(struct platform_device *pdev)
46712 struct intc_irqpin_iomem *i;
46713 struct resource *io[INTC_IRQPIN_REG_NR];
46714 struct resource *irq;
46715- struct irq_chip *irq_chip;
46716+ irq_chip_no_const *irq_chip;
46717 void (*enable_fn)(struct irq_data *d);
46718 void (*disable_fn)(struct irq_data *d);
46719 const char *name = dev_name(dev);
46720diff --git a/drivers/irqchip/irq-renesas-irqc.c b/drivers/irqchip/irq-renesas-irqc.c
46721index 778bd07..0397152 100644
46722--- a/drivers/irqchip/irq-renesas-irqc.c
46723+++ b/drivers/irqchip/irq-renesas-irqc.c
46724@@ -176,7 +176,7 @@ static int irqc_probe(struct platform_device *pdev)
46725 struct irqc_priv *p;
46726 struct resource *io;
46727 struct resource *irq;
46728- struct irq_chip *irq_chip;
46729+ irq_chip_no_const *irq_chip;
46730 const char *name = dev_name(&pdev->dev);
46731 int ret;
46732 int k;
46733diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c
46734index 6a2df32..dc962f1 100644
46735--- a/drivers/isdn/capi/capi.c
46736+++ b/drivers/isdn/capi/capi.c
46737@@ -81,8 +81,8 @@ struct capiminor {
46738
46739 struct capi20_appl *ap;
46740 u32 ncci;
46741- atomic_t datahandle;
46742- atomic_t msgid;
46743+ atomic_unchecked_t datahandle;
46744+ atomic_unchecked_t msgid;
46745
46746 struct tty_port port;
46747 int ttyinstop;
46748@@ -391,7 +391,7 @@ gen_data_b3_resp_for(struct capiminor *mp, struct sk_buff *skb)
46749 capimsg_setu16(s, 2, mp->ap->applid);
46750 capimsg_setu8 (s, 4, CAPI_DATA_B3);
46751 capimsg_setu8 (s, 5, CAPI_RESP);
46752- capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
46753+ capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
46754 capimsg_setu32(s, 8, mp->ncci);
46755 capimsg_setu16(s, 12, datahandle);
46756 }
46757@@ -512,14 +512,14 @@ static void handle_minor_send(struct capiminor *mp)
46758 mp->outbytes -= len;
46759 spin_unlock_bh(&mp->outlock);
46760
46761- datahandle = atomic_inc_return(&mp->datahandle);
46762+ datahandle = atomic_inc_return_unchecked(&mp->datahandle);
46763 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
46764 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
46765 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
46766 capimsg_setu16(skb->data, 2, mp->ap->applid);
46767 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
46768 capimsg_setu8 (skb->data, 5, CAPI_REQ);
46769- capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
46770+ capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
46771 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
46772 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
46773 capimsg_setu16(skb->data, 16, len); /* Data length */
46774diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
46775index aecec6d..11e13c5 100644
46776--- a/drivers/isdn/gigaset/bas-gigaset.c
46777+++ b/drivers/isdn/gigaset/bas-gigaset.c
46778@@ -2565,22 +2565,22 @@ static int gigaset_post_reset(struct usb_interface *intf)
46779
46780
46781 static const struct gigaset_ops gigops = {
46782- gigaset_write_cmd,
46783- gigaset_write_room,
46784- gigaset_chars_in_buffer,
46785- gigaset_brkchars,
46786- gigaset_init_bchannel,
46787- gigaset_close_bchannel,
46788- gigaset_initbcshw,
46789- gigaset_freebcshw,
46790- gigaset_reinitbcshw,
46791- gigaset_initcshw,
46792- gigaset_freecshw,
46793- gigaset_set_modem_ctrl,
46794- gigaset_baud_rate,
46795- gigaset_set_line_ctrl,
46796- gigaset_isoc_send_skb,
46797- gigaset_isoc_input,
46798+ .write_cmd = gigaset_write_cmd,
46799+ .write_room = gigaset_write_room,
46800+ .chars_in_buffer = gigaset_chars_in_buffer,
46801+ .brkchars = gigaset_brkchars,
46802+ .init_bchannel = gigaset_init_bchannel,
46803+ .close_bchannel = gigaset_close_bchannel,
46804+ .initbcshw = gigaset_initbcshw,
46805+ .freebcshw = gigaset_freebcshw,
46806+ .reinitbcshw = gigaset_reinitbcshw,
46807+ .initcshw = gigaset_initcshw,
46808+ .freecshw = gigaset_freecshw,
46809+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46810+ .baud_rate = gigaset_baud_rate,
46811+ .set_line_ctrl = gigaset_set_line_ctrl,
46812+ .send_skb = gigaset_isoc_send_skb,
46813+ .handle_input = gigaset_isoc_input,
46814 };
46815
46816 /* bas_gigaset_init
46817diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c
46818index 600c79b..3752bab 100644
46819--- a/drivers/isdn/gigaset/interface.c
46820+++ b/drivers/isdn/gigaset/interface.c
46821@@ -130,9 +130,9 @@ static int if_open(struct tty_struct *tty, struct file *filp)
46822 }
46823 tty->driver_data = cs;
46824
46825- ++cs->port.count;
46826+ atomic_inc(&cs->port.count);
46827
46828- if (cs->port.count == 1) {
46829+ if (atomic_read(&cs->port.count) == 1) {
46830 tty_port_tty_set(&cs->port, tty);
46831 cs->port.low_latency = 1;
46832 }
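Review bot: In `if_open()` the counter is incremented and then re-read in a separate step (`atomic_inc(&cs->port.count);` followed by `atomic_read(&cs->port.count) == 1`), whereas the `if_close()` hunk below uses the combined `atomic_dec_return()`. Writing `if (atomic_inc_return(&cs->port.count) == 1) {` ties the first-open test to this caller's own increment and matches the close path. Whether the separate read can actually race depends on locking taken outside this hunk (the close path visibly runs under `cs->mutex`), so this is a consistency point rather than a confirmed bug.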
46833@@ -156,9 +156,9 @@ static void if_close(struct tty_struct *tty, struct file *filp)
46834
46835 if (!cs->connected)
46836 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
46837- else if (!cs->port.count)
46838+ else if (!atomic_read(&cs->port.count))
46839 dev_warn(cs->dev, "%s: device not opened\n", __func__);
46840- else if (!--cs->port.count)
46841+ else if (!atomic_dec_return(&cs->port.count))
46842 tty_port_tty_set(&cs->port, NULL);
46843
46844 mutex_unlock(&cs->mutex);
46845diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
46846index 375be50..675293c 100644
46847--- a/drivers/isdn/gigaset/ser-gigaset.c
46848+++ b/drivers/isdn/gigaset/ser-gigaset.c
46849@@ -453,22 +453,22 @@ static int gigaset_set_line_ctrl(struct cardstate *cs, unsigned cflag)
46850 }
46851
46852 static const struct gigaset_ops ops = {
46853- gigaset_write_cmd,
46854- gigaset_write_room,
46855- gigaset_chars_in_buffer,
46856- gigaset_brkchars,
46857- gigaset_init_bchannel,
46858- gigaset_close_bchannel,
46859- gigaset_initbcshw,
46860- gigaset_freebcshw,
46861- gigaset_reinitbcshw,
46862- gigaset_initcshw,
46863- gigaset_freecshw,
46864- gigaset_set_modem_ctrl,
46865- gigaset_baud_rate,
46866- gigaset_set_line_ctrl,
46867- gigaset_m10x_send_skb, /* asyncdata.c */
46868- gigaset_m10x_input, /* asyncdata.c */
46869+ .write_cmd = gigaset_write_cmd,
46870+ .write_room = gigaset_write_room,
46871+ .chars_in_buffer = gigaset_chars_in_buffer,
46872+ .brkchars = gigaset_brkchars,
46873+ .init_bchannel = gigaset_init_bchannel,
46874+ .close_bchannel = gigaset_close_bchannel,
46875+ .initbcshw = gigaset_initbcshw,
46876+ .freebcshw = gigaset_freebcshw,
46877+ .reinitbcshw = gigaset_reinitbcshw,
46878+ .initcshw = gigaset_initcshw,
46879+ .freecshw = gigaset_freecshw,
46880+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46881+ .baud_rate = gigaset_baud_rate,
46882+ .set_line_ctrl = gigaset_set_line_ctrl,
46883+ .send_skb = gigaset_m10x_send_skb, /* asyncdata.c */
46884+ .handle_input = gigaset_m10x_input, /* asyncdata.c */
46885 };
46886
46887
46888diff --git a/drivers/isdn/gigaset/usb-gigaset.c b/drivers/isdn/gigaset/usb-gigaset.c
46889index 5f306e2..5342f88 100644
46890--- a/drivers/isdn/gigaset/usb-gigaset.c
46891+++ b/drivers/isdn/gigaset/usb-gigaset.c
46892@@ -543,7 +543,7 @@ static int gigaset_brkchars(struct cardstate *cs, const unsigned char buf[6])
46893 gigaset_dbg_buffer(DEBUG_USBREQ, "brkchars", 6, buf);
46894 memcpy(cs->hw.usb->bchars, buf, 6);
46895 return usb_control_msg(udev, usb_sndctrlpipe(udev, 0), 0x19, 0x41,
46896- 0, 0, &buf, 6, 2000);
46897+ 0, 0, buf, 6, 2000);
46898 }
46899
46900 static void gigaset_freebcshw(struct bc_state *bcs)
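Review bot: After the `&buf` to `buf` correction, `usb_control_msg()` is handed the caller's `const unsigned char buf[6]` as its transfer buffer, which drops the `const` qualifier and leaves it to every caller to supply memory suitable for a USB transfer. The line above already copies the six bytes into `cs->hw.usb->bchars`, so passing that copy, `0, 0, cs->hw.usb->bchars, 6, 2000);`, would avoid both issues, assuming `cs->hw.usb` is heap-allocated (its allocation is not visible here). `gigaset_brkchars()` starts outside the hunk.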
46901@@ -862,22 +862,22 @@ static int gigaset_pre_reset(struct usb_interface *intf)
46902 }
46903
46904 static const struct gigaset_ops ops = {
46905- gigaset_write_cmd,
46906- gigaset_write_room,
46907- gigaset_chars_in_buffer,
46908- gigaset_brkchars,
46909- gigaset_init_bchannel,
46910- gigaset_close_bchannel,
46911- gigaset_initbcshw,
46912- gigaset_freebcshw,
46913- gigaset_reinitbcshw,
46914- gigaset_initcshw,
46915- gigaset_freecshw,
46916- gigaset_set_modem_ctrl,
46917- gigaset_baud_rate,
46918- gigaset_set_line_ctrl,
46919- gigaset_m10x_send_skb,
46920- gigaset_m10x_input,
46921+ .write_cmd = gigaset_write_cmd,
46922+ .write_room = gigaset_write_room,
46923+ .chars_in_buffer = gigaset_chars_in_buffer,
46924+ .brkchars = gigaset_brkchars,
46925+ .init_bchannel = gigaset_init_bchannel,
46926+ .close_bchannel = gigaset_close_bchannel,
46927+ .initbcshw = gigaset_initbcshw,
46928+ .freebcshw = gigaset_freebcshw,
46929+ .reinitbcshw = gigaset_reinitbcshw,
46930+ .initcshw = gigaset_initcshw,
46931+ .freecshw = gigaset_freecshw,
46932+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46933+ .baud_rate = gigaset_baud_rate,
46934+ .set_line_ctrl = gigaset_set_line_ctrl,
46935+ .send_skb = gigaset_m10x_send_skb,
46936+ .handle_input = gigaset_m10x_input,
46937 };
46938
46939 /*
46940diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c
46941index 4d9b195..455075c 100644
46942--- a/drivers/isdn/hardware/avm/b1.c
46943+++ b/drivers/isdn/hardware/avm/b1.c
46944@@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capiloaddatapart *t4file)
46945 }
46946 if (left) {
46947 if (t4file->user) {
46948- if (copy_from_user(buf, dp, left))
46949+ if (left > sizeof buf || copy_from_user(buf, dp, left))
46950 return -EFAULT;
46951 } else {
46952 memcpy(buf, dp, left);
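Review bot: The new `left > sizeof buf` guard covers only the `copy_from_user()` branch; the `memcpy(buf, dp, left);` in the `else` branch copies the same `left` bytes into the same `buf` without it. Hoisting the test above `if (t4file->user)` as `if (left > sizeof buf) return -EINVAL;` would bound both paths and report an oversized length separately from a faulting user pointer, which the current `-EFAULT` conflates. The same applies to the `b1_load_config()` hunk that follows and to the `icn_writecmd()` hunk in drivers/isdn/icn/icn.c. Whether `left` can exceed the buffer at this point depends on loop code outside the hunk.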
46953@@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capiloaddatapart *config)
46954 }
46955 if (left) {
46956 if (config->user) {
46957- if (copy_from_user(buf, dp, left))
46958+ if (left > sizeof buf || copy_from_user(buf, dp, left))
46959 return -EFAULT;
46960 } else {
46961 memcpy(buf, dp, left);
46962diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
46963index 9b856e1..fa03c92 100644
46964--- a/drivers/isdn/i4l/isdn_common.c
46965+++ b/drivers/isdn/i4l/isdn_common.c
46966@@ -1654,6 +1654,8 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
46967 } else
46968 return -EINVAL;
46969 case IIOCDBGVAR:
46970+ if (!capable(CAP_SYS_RAWIO))
46971+ return -EPERM;
46972 if (arg) {
46973 if (copy_to_user(argp, &dev, sizeof(ulong)))
46974 return -EFAULT;
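Review bot: The new `capable(CAP_SYS_RAWIO)` check has no comment saying what it protects, and the reason is not obvious from the case label: the `copy_to_user(argp, &dev, sizeof(ulong))` below hands what appears to be a kernel pointer value to user space. I would add `/* IIOCDBGVAR exposes a kernel address; restrict to CAP_SYS_RAWIO */` above the check so the gate is not removed as redundant later. `isdn_ioctl()` starts and ends outside this hunk.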
46975diff --git a/drivers/isdn/i4l/isdn_concap.c b/drivers/isdn/i4l/isdn_concap.c
46976index 91d5730..336523e 100644
46977--- a/drivers/isdn/i4l/isdn_concap.c
46978+++ b/drivers/isdn/i4l/isdn_concap.c
46979@@ -80,9 +80,9 @@ static int isdn_concap_dl_disconn_req(struct concap_proto *concap)
46980 }
46981
46982 struct concap_device_ops isdn_concap_reliable_dl_dops = {
46983- &isdn_concap_dl_data_req,
46984- &isdn_concap_dl_connect_req,
46985- &isdn_concap_dl_disconn_req
46986+ .data_req = &isdn_concap_dl_data_req,
46987+ .connect_req = &isdn_concap_dl_connect_req,
46988+ .disconn_req = &isdn_concap_dl_disconn_req
46989 };
46990
46991 /* The following should better go into a dedicated source file such that
46992diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
46993index bc91261..2ef7e36 100644
46994--- a/drivers/isdn/i4l/isdn_tty.c
46995+++ b/drivers/isdn/i4l/isdn_tty.c
46996@@ -1503,9 +1503,9 @@ isdn_tty_open(struct tty_struct *tty, struct file *filp)
46997
46998 #ifdef ISDN_DEBUG_MODEM_OPEN
46999 printk(KERN_DEBUG "isdn_tty_open %s, count = %d\n", tty->name,
47000- port->count);
47001+ atomic_read(&port->count));
47002 #endif
47003- port->count++;
47004+ atomic_inc(&port->count);
47005 port->tty = tty;
47006 /*
47007 * Start up serial port
47008@@ -1549,7 +1549,7 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp)
47009 #endif
47010 return;
47011 }
47012- if ((tty->count == 1) && (port->count != 1)) {
47013+ if ((tty->count == 1) && (atomic_read(&port->count) != 1)) {
47014 /*
47015 * Uh, oh. tty->count is 1, which means that the tty
47016 * structure will be freed. Info->count should always
47017@@ -1558,15 +1558,15 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp)
47018 * serial port won't be shutdown.
47019 */
47020 printk(KERN_ERR "isdn_tty_close: bad port count; tty->count is 1, "
47021- "info->count is %d\n", port->count);
47022- port->count = 1;
47023+ "info->count is %d\n", atomic_read(&port->count));
47024+ atomic_set(&port->count, 1);
47025 }
47026- if (--port->count < 0) {
47027+ if (atomic_dec_return(&port->count) < 0) {
47028 printk(KERN_ERR "isdn_tty_close: bad port count for ttyi%d: %d\n",
47029- info->line, port->count);
47030- port->count = 0;
47031+ info->line, atomic_read(&port->count));
47032+ atomic_set(&port->count, 0);
47033 }
47034- if (port->count) {
47035+ if (atomic_read(&port->count)) {
47036 #ifdef ISDN_DEBUG_MODEM_OPEN
47037 printk(KERN_DEBUG "isdn_tty_close after info->count != 0\n");
47038 #endif
47039@@ -1620,7 +1620,7 @@ isdn_tty_hangup(struct tty_struct *tty)
47040 if (isdn_tty_paranoia_check(info, tty->name, "isdn_tty_hangup"))
47041 return;
47042 isdn_tty_shutdown(info);
47043- port->count = 0;
47044+ atomic_set(&port->count, 0);
47045 port->flags &= ~ASYNC_NORMAL_ACTIVE;
47046 port->tty = NULL;
47047 wake_up_interruptible(&port->open_wait);
47048@@ -1965,7 +1965,7 @@ isdn_tty_find_icall(int di, int ch, setup_parm *setup)
47049 for (i = 0; i < ISDN_MAX_CHANNELS; i++) {
47050 modem_info *info = &dev->mdm.info[i];
47051
47052- if (info->port.count == 0)
47053+ if (atomic_read(&info->port.count) == 0)
47054 continue;
47055 if ((info->emu.mdmreg[REG_SI1] & si2bit[si1]) && /* SI1 is matching */
47056 (info->emu.mdmreg[REG_SI2] == si2)) { /* SI2 is matching */
47057diff --git a/drivers/isdn/i4l/isdn_x25iface.c b/drivers/isdn/i4l/isdn_x25iface.c
47058index e2d4e58..40cd045 100644
47059--- a/drivers/isdn/i4l/isdn_x25iface.c
47060+++ b/drivers/isdn/i4l/isdn_x25iface.c
47061@@ -53,14 +53,14 @@ static int isdn_x25iface_disconn_ind(struct concap_proto *);
47062
47063
47064 static struct concap_proto_ops ix25_pops = {
47065- &isdn_x25iface_proto_new,
47066- &isdn_x25iface_proto_del,
47067- &isdn_x25iface_proto_restart,
47068- &isdn_x25iface_proto_close,
47069- &isdn_x25iface_xmit,
47070- &isdn_x25iface_receive,
47071- &isdn_x25iface_connect_ind,
47072- &isdn_x25iface_disconn_ind
47073+ .proto_new = &isdn_x25iface_proto_new,
47074+ .proto_del = &isdn_x25iface_proto_del,
47075+ .restart = &isdn_x25iface_proto_restart,
47076+ .close = &isdn_x25iface_proto_close,
47077+ .encap_and_xmit = &isdn_x25iface_xmit,
47078+ .data_ind = &isdn_x25iface_receive,
47079+ .connect_ind = &isdn_x25iface_connect_ind,
47080+ .disconn_ind = &isdn_x25iface_disconn_ind
47081 };
47082
47083 /* error message helper function */
47084diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c
47085index 358a574..b4987ea 100644
47086--- a/drivers/isdn/icn/icn.c
47087+++ b/drivers/isdn/icn/icn.c
47088@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char *buf, int len, int user, icn_card *card)
47089 if (count > len)
47090 count = len;
47091 if (user) {
47092- if (copy_from_user(msg, buf, count))
47093+ if (count > sizeof msg || copy_from_user(msg, buf, count))
47094 return -EFAULT;
47095 } else
47096 memcpy(msg, buf, count);
47097diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c
47098index 52c4382..09e0c7c 100644
47099--- a/drivers/isdn/mISDN/dsp_cmx.c
47100+++ b/drivers/isdn/mISDN/dsp_cmx.c
47101@@ -1625,7 +1625,7 @@ unsigned long dsp_spl_jiffies; /* calculate the next time to fire */
47102 static u16 dsp_count; /* last sample count */
47103 static int dsp_count_valid; /* if we have last sample count */
47104
47105-void
47106+void __intentional_overflow(-1)
47107 dsp_cmx_send(void *arg)
47108 {
47109 struct dsp_conf *conf;
47110diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
47111index 312ffd3..9263d05 100644
47112--- a/drivers/lguest/core.c
47113+++ b/drivers/lguest/core.c
47114@@ -96,9 +96,17 @@ static __init int map_switcher(void)
47115 * The end address needs +1 because __get_vm_area allocates an
47116 * extra guard page, so we need space for that.
47117 */
47118+
47119+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
47120+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
47121+ VM_ALLOC | VM_KERNEXEC, switcher_addr, switcher_addr
47122+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
47123+#else
47124 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
47125 VM_ALLOC, switcher_addr, switcher_addr
47126 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
47127+#endif
47128+
47129 if (!switcher_vma) {
47130 err = -ENOMEM;
47131 printk("lguest: could not map switcher pages high\n");
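Review bot: The `#if`/`#else` duplicates the whole three-line `__get_vm_area()` call when only the flags argument differs, so a later change to the size or address range has to be made in two places. Computing the flags once keeps a single call site: `unsigned long vm_flags = VM_ALLOC;`, then `vm_flags |= VM_KERNEXEC;` inside `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)`, and pass `vm_flags` to the existing call. `map_switcher()` starts and ends outside this hunk.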
47132@@ -121,7 +129,7 @@ static __init int map_switcher(void)
47133 * Now the Switcher is mapped at the right address, we can't fail!
47134 * Copy in the compiled-in Switcher code (from x86/switcher_32.S).
47135 */
47136- memcpy(switcher_vma->addr, start_switcher_text,
47137+ memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
47138 end_switcher_text - start_switcher_text);
47139
47140 printk(KERN_INFO "lguest: mapped switcher at %p\n",
47141diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c
47142index e3abebc9..6a35328 100644
47143--- a/drivers/lguest/page_tables.c
47144+++ b/drivers/lguest/page_tables.c
47145@@ -585,7 +585,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr)
47146 /*:*/
47147
47148 #ifdef CONFIG_X86_PAE
47149-static void release_pmd(pmd_t *spmd)
47150+static void __intentional_overflow(-1) release_pmd(pmd_t *spmd)
47151 {
47152 /* If the entry's not present, there's nothing to release. */
47153 if (pmd_flags(*spmd) & _PAGE_PRESENT) {
47154diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
47155index 6a4cd77..c9e2d9f 100644
47156--- a/drivers/lguest/x86/core.c
47157+++ b/drivers/lguest/x86/core.c
47158@@ -60,7 +60,7 @@ static struct {
47159 /* Offset from where switcher.S was compiled to where we've copied it */
47160 static unsigned long switcher_offset(void)
47161 {
47162- return switcher_addr - (unsigned long)start_switcher_text;
47163+ return switcher_addr - ktla_ktva((unsigned long)start_switcher_text);
47164 }
47165
47166 /* This cpu's struct lguest_pages (after the Switcher text page) */
47167@@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg_cpu *cpu, struct lguest_pages *pages)
47168 * These copies are pretty cheap, so we do them unconditionally: */
47169 /* Save the current Host top-level page directory.
47170 */
47171+
47172+#ifdef CONFIG_PAX_PER_CPU_PGD
47173+ pages->state.host_cr3 = read_cr3();
47174+#else
47175 pages->state.host_cr3 = __pa(current->mm->pgd);
47176+#endif
47177+
47178 /*
47179 * Set up the Guest's page tables to see this CPU's pages (and no
47180 * other CPU's pages).
47181@@ -494,7 +500,7 @@ void __init lguest_arch_host_init(void)
47182 * compiled-in switcher code and the high-mapped copy we just made.
47183 */
47184 for (i = 0; i < IDT_ENTRIES; i++)
47185- default_idt_entries[i] += switcher_offset();
47186+ default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
47187
47188 /*
47189 * Set up the Switcher's per-cpu areas.
47190@@ -577,7 +583,7 @@ void __init lguest_arch_host_init(void)
47191 * it will be undisturbed when we switch. To change %cs and jump we
47192 * need this structure to feed to Intel's "lcall" instruction.
47193 */
47194- lguest_entry.offset = (long)switch_to_guest + switcher_offset();
47195+ lguest_entry.offset = ktla_ktva((unsigned long)switch_to_guest) + switcher_offset();
47196 lguest_entry.segment = LGUEST_CS;
47197
47198 /*
47199diff --git a/drivers/lguest/x86/switcher_32.S b/drivers/lguest/x86/switcher_32.S
47200index 40634b0..4f5855e 100644
47201--- a/drivers/lguest/x86/switcher_32.S
47202+++ b/drivers/lguest/x86/switcher_32.S
47203@@ -87,6 +87,7 @@
47204 #include <asm/page.h>
47205 #include <asm/segment.h>
47206 #include <asm/lguest.h>
47207+#include <asm/processor-flags.h>
47208
47209 // We mark the start of the code to copy
47210 // It's placed in .text tho it's never run here
47211@@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
47212 // Changes type when we load it: damn Intel!
47213 // For after we switch over our page tables
47214 // That entry will be read-only: we'd crash.
47215+
47216+#ifdef CONFIG_PAX_KERNEXEC
47217+ mov %cr0, %edx
47218+ xor $X86_CR0_WP, %edx
47219+ mov %edx, %cr0
47220+#endif
47221+
47222 movl $(GDT_ENTRY_TSS*8), %edx
47223 ltr %dx
47224
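Review bot: Both CONFIG_PAX_KERNEXEC blocks flip CR0.WP with `xor $X86_CR0_WP, %edx` (here) and `xor $X86_CR0_WP, %eax` (next hunk), so the resulting state depends on WP having been set on entry; if it were already clear, the first block would turn write protection on and the second would leave it off as control passes to the Guest. Making the intent explicit removes that dependency: `andl $~X86_CR0_WP, %edx` to open the window and `orl $X86_CR0_WP, %eax` to close it. A one-line comment naming what the window is for (apparently the descriptor writes made by `ltr` and by the `andb $0xFD` in the next hunk) would also help the next reader. `switch_to_guest` starts before and continues past both hunks.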
47225@@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
47226 // Let's clear it again for our return.
47227 // The GDT descriptor of the Host
47228 // Points to the table after two "size" bytes
47229- movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
47230+ movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
47231 // Clear "used" from type field (byte 5, bit 2)
47232- andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
47233+ andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
47234+
47235+#ifdef CONFIG_PAX_KERNEXEC
47236+ mov %cr0, %eax
47237+ xor $X86_CR0_WP, %eax
47238+ mov %eax, %cr0
47239+#endif
47240
47241 // Once our page table's switched, the Guest is live!
47242 // The Host fades as we run this final step.
47243@@ -295,13 +309,12 @@ deliver_to_host:
47244 // I consulted gcc, and it gave
47245 // These instructions, which I gladly credit:
47246 leal (%edx,%ebx,8), %eax
47247- movzwl (%eax),%edx
47248- movl 4(%eax), %eax
47249- xorw %ax, %ax
47250- orl %eax, %edx
47251+ movl 4(%eax), %edx
47252+ movw (%eax), %dx
47253 // Now the address of the handler's in %edx
47254 // We call it now: its "iret" drops us home.
47255- jmp *%edx
47256+ ljmp $__KERNEL_CS, $1f
47257+1: jmp *%edx
47258
47259 // Every interrupt can come to us here
47260 // But we must truly tell each apart.
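Review bot: The added `ljmp $__KERNEL_CS, $1f` carries no comment and, unlike the CR0.WP changes earlier in this file, is not wrapped in `#ifdef CONFIG_PAX_KERNEXEC`, so a reader cannot tell why CS is reloaded before the indirect jump or whether that is meant for every configuration. The verse above it still credits gcc for instructions that this hunk replaces with `movl 4(%eax), %edx` / `movw (%eax), %dx`. I would add `// Reload the Host's code segment before jumping to its handler` above the `ljmp`, and either guard it like the other sites or state that it is intentionally unconditional. deliver_to_host begins before the hunk.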
47261diff --git a/drivers/md/bcache/Kconfig b/drivers/md/bcache/Kconfig
47262index 4d20088..de60cb2 100644
47263--- a/drivers/md/bcache/Kconfig
47264+++ b/drivers/md/bcache/Kconfig
47265@@ -20,6 +20,7 @@ config BCACHE_CLOSURES_DEBUG
47266 bool "Debug closures"
47267 depends on BCACHE
47268 select DEBUG_FS
47269+ depends on !GRKERNSEC_KMEM
47270 ---help---
47271 Keeps all active closures in a linked list and provides a debugfs
47272 interface to list them, which makes it possible to see asynchronous
47273diff --git a/drivers/md/bcache/closure.h b/drivers/md/bcache/closure.h
47274index 79a6d63..47acff6 100644
47275--- a/drivers/md/bcache/closure.h
47276+++ b/drivers/md/bcache/closure.h
47277@@ -238,7 +238,7 @@ static inline void closure_set_stopped(struct closure *cl)
47278 static inline void set_closure_fn(struct closure *cl, closure_fn *fn,
47279 struct workqueue_struct *wq)
47280 {
47281- BUG_ON(object_is_on_stack(cl));
47282+ BUG_ON(object_starts_on_stack(cl));
47283 closure_set_ip(cl);
47284 cl->fn = fn;
47285 cl->wq = wq;
47286diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
47287index e51de52..c52ff17 100644
47288--- a/drivers/md/bitmap.c
47289+++ b/drivers/md/bitmap.c
47290@@ -1933,7 +1933,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap)
47291 chunk_kb ? "KB" : "B");
47292 if (bitmap->storage.file) {
47293 seq_printf(seq, ", file: ");
47294- seq_file_path(seq, bitmap->storage.file, " \t\n");
47295+ seq_file_path(seq, bitmap->storage.file, " \t\n\\");
47296 }
47297
47298 seq_printf(seq, "\n");
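Review bot: The escape set passed to `seq_file_path` gains a backslash, but nothing at the call site says why. Presumably the intent is that the escapes emitted for space, tab and newline stay unambiguous when the bitmap file path itself contains a backslash, which matters to anything that parses this status output. A one-line comment would record that: `/* also escape '\\' so a file name cannot imitate an escaped character */`. bitmap_status starts and ends outside the hunk.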
47299diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
47300index 720ceeb..030f1d4 100644
47301--- a/drivers/md/dm-ioctl.c
47302+++ b/drivers/md/dm-ioctl.c
47303@@ -1773,7 +1773,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
47304 cmd == DM_LIST_VERSIONS_CMD)
47305 return 0;
47306
47307- if ((cmd == DM_DEV_CREATE_CMD)) {
47308+ if (cmd == DM_DEV_CREATE_CMD) {
47309 if (!*param->name) {
47310 DMWARN("name not supplied when creating device");
47311 return -EINVAL;
47312diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
47313index d83696b..44f22f7 100644
47314--- a/drivers/md/dm-raid1.c
47315+++ b/drivers/md/dm-raid1.c
47316@@ -42,7 +42,7 @@ enum dm_raid1_error {
47317
47318 struct mirror {
47319 struct mirror_set *ms;
47320- atomic_t error_count;
47321+ atomic_unchecked_t error_count;
47322 unsigned long error_type;
47323 struct dm_dev *dev;
47324 sector_t offset;
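Review bot: `error_count` is not only a statistic, so moving it to `atomic_unchecked_t` means a wrapped counter would read as a healthy device. `get_valid_mirror`, `choose_mirror`, `default_ok`, `do_reads` and `device_status_char` in the following hunks all test it for zero to decide whether a mirror is usable, and the `fail_mirror` hunk increments it before its early return, with no bound visible. Reaching a wrap needs an implausible number of failures, but the field should say the choice was deliberate, e.g. `/* not a reference count; zero means healthy, wraparound accepted */`. Alternatively the increment could be skipped once the value is already non-zero. struct mirror continues past the hunk.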
47325@@ -188,7 +188,7 @@ static struct mirror *get_valid_mirror(struct mirror_set *ms)
47326 struct mirror *m;
47327
47328 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
47329- if (!atomic_read(&m->error_count))
47330+ if (!atomic_read_unchecked(&m->error_count))
47331 return m;
47332
47333 return NULL;
47334@@ -220,7 +220,7 @@ static void fail_mirror(struct mirror *m, enum dm_raid1_error error_type)
47335 * simple way to tell if a device has encountered
47336 * errors.
47337 */
47338- atomic_inc(&m->error_count);
47339+ atomic_inc_unchecked(&m->error_count);
47340
47341 if (test_and_set_bit(error_type, &m->error_type))
47342 return;
47343@@ -378,7 +378,7 @@ static void reset_ms_flags(struct mirror_set *ms)
47344
47345 ms->leg_failure = 0;
47346 for (m = 0; m < ms->nr_mirrors; m++) {
47347- atomic_set(&(ms->mirror[m].error_count), 0);
47348+ atomic_set_unchecked(&(ms->mirror[m].error_count), 0);
47349 ms->mirror[m].error_type = 0;
47350 }
47351 }
47352@@ -423,7 +423,7 @@ static struct mirror *choose_mirror(struct mirror_set *ms, sector_t sector)
47353 struct mirror *m = get_default_mirror(ms);
47354
47355 do {
47356- if (likely(!atomic_read(&m->error_count)))
47357+ if (likely(!atomic_read_unchecked(&m->error_count)))
47358 return m;
47359
47360 if (m-- == ms->mirror)
47361@@ -437,7 +437,7 @@ static int default_ok(struct mirror *m)
47362 {
47363 struct mirror *default_mirror = get_default_mirror(m->ms);
47364
47365- return !atomic_read(&default_mirror->error_count);
47366+ return !atomic_read_unchecked(&default_mirror->error_count);
47367 }
47368
47369 static int mirror_available(struct mirror_set *ms, struct bio *bio)
47370@@ -574,7 +574,7 @@ static void do_reads(struct mirror_set *ms, struct bio_list *reads)
47371 */
47372 if (likely(region_in_sync(ms, region, 1)))
47373 m = choose_mirror(ms, bio->bi_iter.bi_sector);
47374- else if (m && atomic_read(&m->error_count))
47375+ else if (m && atomic_read_unchecked(&m->error_count))
47376 m = NULL;
47377
47378 if (likely(m))
47379@@ -956,7 +956,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti,
47380 }
47381
47382 ms->mirror[mirror].ms = ms;
47383- atomic_set(&(ms->mirror[mirror].error_count), 0);
47384+ atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
47385 ms->mirror[mirror].error_type = 0;
47386 ms->mirror[mirror].offset = offset;
47387
47388@@ -1380,7 +1380,7 @@ static void mirror_resume(struct dm_target *ti)
47389 */
47390 static char device_status_char(struct mirror *m)
47391 {
47392- if (!atomic_read(&(m->error_count)))
47393+ if (!atomic_read_unchecked(&(m->error_count)))
47394 return 'A';
47395
47396 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
47397diff --git a/drivers/md/dm-stats.c b/drivers/md/dm-stats.c
47398index 8289804..12db118 100644
47399--- a/drivers/md/dm-stats.c
47400+++ b/drivers/md/dm-stats.c
47401@@ -435,7 +435,7 @@ do_sync_free:
47402 synchronize_rcu_expedited();
47403 dm_stat_free(&s->rcu_head);
47404 } else {
47405- ACCESS_ONCE(dm_stat_need_rcu_barrier) = 1;
47406+ ACCESS_ONCE_RW(dm_stat_need_rcu_barrier) = 1;
47407 call_rcu(&s->rcu_head, dm_stat_free);
47408 }
47409 return 0;
47410@@ -648,8 +648,8 @@ void dm_stats_account_io(struct dm_stats *stats, unsigned long bi_rw,
47411 ((bi_rw & (REQ_WRITE | REQ_DISCARD)) ==
47412 (ACCESS_ONCE(last->last_rw) & (REQ_WRITE | REQ_DISCARD)))
47413 ));
47414- ACCESS_ONCE(last->last_sector) = end_sector;
47415- ACCESS_ONCE(last->last_rw) = bi_rw;
47416+ ACCESS_ONCE_RW(last->last_sector) = end_sector;
47417+ ACCESS_ONCE_RW(last->last_rw) = bi_rw;
47418 }
47419
47420 rcu_read_lock();
47421diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
47422index a672a15..dc85e99 100644
47423--- a/drivers/md/dm-stripe.c
47424+++ b/drivers/md/dm-stripe.c
47425@@ -21,7 +21,7 @@ struct stripe {
47426 struct dm_dev *dev;
47427 sector_t physical_start;
47428
47429- atomic_t error_count;
47430+ atomic_unchecked_t error_count;
47431 };
47432
47433 struct stripe_c {
47434@@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *ti, unsigned int argc, char **argv)
47435 kfree(sc);
47436 return r;
47437 }
47438- atomic_set(&(sc->stripe[i].error_count), 0);
47439+ atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
47440 }
47441
47442 ti->private = sc;
47443@@ -332,7 +332,7 @@ static void stripe_status(struct dm_target *ti, status_type_t type,
47444 DMEMIT("%d ", sc->stripes);
47445 for (i = 0; i < sc->stripes; i++) {
47446 DMEMIT("%s ", sc->stripe[i].dev->name);
47447- buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
47448+ buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
47449 'D' : 'A';
47450 }
47451 buffer[i] = '\0';
47452@@ -377,8 +377,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
47453 */
47454 for (i = 0; i < sc->stripes; i++)
47455 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
47456- atomic_inc(&(sc->stripe[i].error_count));
47457- if (atomic_read(&(sc->stripe[i].error_count)) <
47458+ atomic_inc_unchecked(&(sc->stripe[i].error_count));
47459+ if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
47460 DM_IO_ERROR_THRESHOLD)
47461 schedule_work(&sc->trigger_event);
47462 }
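Review bot: `atomic_inc_unchecked` followed by a separate `atomic_read_unchecked` in stripe_end_io lets another completion bump the counter between the two calls. The value compared with `DM_IO_ERROR_THRESHOLD` is then not necessarily the one this error produced. The patch already uses `atomic_inc_return_unchecked` elsewhere, so the pair can be a single operation: `if (atomic_inc_return_unchecked(&(sc->stripe[i].error_count)) < DM_IO_ERROR_THRESHOLD)`. The same inc-then-read pair is carried over for `rdev->read_errors` in the raid10.c fix_read_error hunk, where the returned value could be kept in a local for the comparison and the printk. stripe_end_io starts before the hunk.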
47463diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
47464index 16ba55a..31af906 100644
47465--- a/drivers/md/dm-table.c
47466+++ b/drivers/md/dm-table.c
47467@@ -305,7 +305,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev,
47468 if (!dev_size)
47469 return 0;
47470
47471- if ((start >= dev_size) || (start + len > dev_size)) {
47472+ if ((start >= dev_size) || (len > dev_size - start)) {
47473 DMWARN("%s: %s too small for target: "
47474 "start=%llu, len=%llu, dev_size=%llu",
47475 dm_device_name(ti->table->md), bdevname(bdev, b),
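Review bot: The rewritten bound `len > dev_size - start` is only safe because `start >= dev_size` is tested first and short-circuits, and nothing at the site says so. A later reordering of the two operands would reintroduce a wrap, this time in the subtraction. I would add a comment above the `if`: `/* start < dev_size here, so dev_size - start cannot wrap; start + len could */`. device_area_is_invalid begins and continues outside the hunk.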
47476diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
47477index 6ba47cf..a870ba2 100644
47478--- a/drivers/md/dm-thin-metadata.c
47479+++ b/drivers/md/dm-thin-metadata.c
47480@@ -403,7 +403,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd)
47481 {
47482 pmd->info.tm = pmd->tm;
47483 pmd->info.levels = 2;
47484- pmd->info.value_type.context = pmd->data_sm;
47485+ pmd->info.value_type.context = (dm_space_map_no_const *)pmd->data_sm;
47486 pmd->info.value_type.size = sizeof(__le64);
47487 pmd->info.value_type.inc = data_block_inc;
47488 pmd->info.value_type.dec = data_block_dec;
47489@@ -422,7 +422,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd)
47490
47491 pmd->bl_info.tm = pmd->tm;
47492 pmd->bl_info.levels = 1;
47493- pmd->bl_info.value_type.context = pmd->data_sm;
47494+ pmd->bl_info.value_type.context = (dm_space_map_no_const *)pmd->data_sm;
47495 pmd->bl_info.value_type.size = sizeof(__le64);
47496 pmd->bl_info.value_type.inc = data_block_inc;
47497 pmd->bl_info.value_type.dec = data_block_dec;
47498diff --git a/drivers/md/dm.c b/drivers/md/dm.c
47499index 0d7ab20..350d006 100644
47500--- a/drivers/md/dm.c
47501+++ b/drivers/md/dm.c
47502@@ -194,9 +194,9 @@ struct mapped_device {
47503 /*
47504 * Event handling.
47505 */
47506- atomic_t event_nr;
47507+ atomic_unchecked_t event_nr;
47508 wait_queue_head_t eventq;
47509- atomic_t uevent_seq;
47510+ atomic_unchecked_t uevent_seq;
47511 struct list_head uevent_list;
47512 spinlock_t uevent_lock; /* Protect access to uevent_list */
47513
47514@@ -2339,8 +2339,8 @@ static struct mapped_device *alloc_dev(int minor)
47515 spin_lock_init(&md->deferred_lock);
47516 atomic_set(&md->holders, 1);
47517 atomic_set(&md->open_count, 0);
47518- atomic_set(&md->event_nr, 0);
47519- atomic_set(&md->uevent_seq, 0);
47520+ atomic_set_unchecked(&md->event_nr, 0);
47521+ atomic_set_unchecked(&md->uevent_seq, 0);
47522 INIT_LIST_HEAD(&md->uevent_list);
47523 INIT_LIST_HEAD(&md->table_devices);
47524 spin_lock_init(&md->uevent_lock);
47525@@ -2481,7 +2481,7 @@ static void event_callback(void *context)
47526
47527 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
47528
47529- atomic_inc(&md->event_nr);
47530+ atomic_inc_unchecked(&md->event_nr);
47531 wake_up(&md->eventq);
47532 }
47533
47534@@ -3481,18 +3481,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
47535
47536 uint32_t dm_next_uevent_seq(struct mapped_device *md)
47537 {
47538- return atomic_add_return(1, &md->uevent_seq);
47539+ return atomic_add_return_unchecked(1, &md->uevent_seq);
47540 }
47541
47542 uint32_t dm_get_event_nr(struct mapped_device *md)
47543 {
47544- return atomic_read(&md->event_nr);
47545+ return atomic_read_unchecked(&md->event_nr);
47546 }
47547
47548 int dm_wait_event(struct mapped_device *md, int event_nr)
47549 {
47550 return wait_event_interruptible(md->eventq,
47551- (event_nr != atomic_read(&md->event_nr)));
47552+ (event_nr != atomic_read_unchecked(&md->event_nr)));
47553 }
47554
47555 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
47556diff --git a/drivers/md/md.c b/drivers/md/md.c
47557index e25f00f..12caa60 100644
47558--- a/drivers/md/md.c
47559+++ b/drivers/md/md.c
47560@@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
47561 * start build, activate spare
47562 */
47563 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
47564-static atomic_t md_event_count;
47565+static atomic_unchecked_t md_event_count;
47566 void md_new_event(struct mddev *mddev)
47567 {
47568- atomic_inc(&md_event_count);
47569+ atomic_inc_unchecked(&md_event_count);
47570 wake_up(&md_event_waiters);
47571 }
47572 EXPORT_SYMBOL_GPL(md_new_event);
47573@@ -210,7 +210,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
47574 */
47575 static void md_new_event_inintr(struct mddev *mddev)
47576 {
47577- atomic_inc(&md_event_count);
47578+ atomic_inc_unchecked(&md_event_count);
47579 wake_up(&md_event_waiters);
47580 }
47581
47582@@ -1449,7 +1449,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
47583 if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) &&
47584 (le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET))
47585 rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset);
47586- atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
47587+ atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
47588
47589 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
47590 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
47591@@ -1700,7 +1700,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
47592 else
47593 sb->resync_offset = cpu_to_le64(0);
47594
47595- sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
47596+ sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
47597
47598 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
47599 sb->size = cpu_to_le64(mddev->dev_sectors);
47600@@ -2622,7 +2622,7 @@ __ATTR_PREALLOC(state, S_IRUGO|S_IWUSR, state_show, state_store);
47601 static ssize_t
47602 errors_show(struct md_rdev *rdev, char *page)
47603 {
47604- return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
47605+ return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
47606 }
47607
47608 static ssize_t
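Review bot: `errors_show` prints `corrected_errors` with `%d`, while the `errors_store` hunk below parses input with `kstrtouint` and stores it unchanged through `atomic_set_unchecked`. A written value above INT_MAX therefore reads back as a negative number. Since the counter is now explicitly allowed to wrap, reporting it as unsigned keeps the sysfs value consistent: `return sprintf(page, "%u\n", (unsigned int)atomic_read_unchecked(&rdev->corrected_errors));`. Alternatively `errors_store` could reject `n > INT_MAX` with `-EINVAL`.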
47609@@ -2634,7 +2634,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
47610 rv = kstrtouint(buf, 10, &n);
47611 if (rv < 0)
47612 return rv;
47613- atomic_set(&rdev->corrected_errors, n);
47614+ atomic_set_unchecked(&rdev->corrected_errors, n);
47615 return len;
47616 }
47617 static struct rdev_sysfs_entry rdev_errors =
47618@@ -3071,8 +3071,8 @@ int md_rdev_init(struct md_rdev *rdev)
47619 rdev->sb_loaded = 0;
47620 rdev->bb_page = NULL;
47621 atomic_set(&rdev->nr_pending, 0);
47622- atomic_set(&rdev->read_errors, 0);
47623- atomic_set(&rdev->corrected_errors, 0);
47624+ atomic_set_unchecked(&rdev->read_errors, 0);
47625+ atomic_set_unchecked(&rdev->corrected_errors, 0);
47626
47627 INIT_LIST_HEAD(&rdev->same_set);
47628 init_waitqueue_head(&rdev->blocked_wait);
47629@@ -7256,7 +7256,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
47630
47631 spin_unlock(&pers_lock);
47632 seq_printf(seq, "\n");
47633- seq->poll_event = atomic_read(&md_event_count);
47634+ seq->poll_event = atomic_read_unchecked(&md_event_count);
47635 return 0;
47636 }
47637 if (v == (void*)2) {
47638@@ -7359,7 +7359,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
47639 return error;
47640
47641 seq = file->private_data;
47642- seq->poll_event = atomic_read(&md_event_count);
47643+ seq->poll_event = atomic_read_unchecked(&md_event_count);
47644 return error;
47645 }
47646
47647@@ -7376,7 +7376,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
47648 /* always allow read */
47649 mask = POLLIN | POLLRDNORM;
47650
47651- if (seq->poll_event != atomic_read(&md_event_count))
47652+ if (seq->poll_event != atomic_read_unchecked(&md_event_count))
47653 mask |= POLLERR | POLLPRI;
47654 return mask;
47655 }
47656@@ -7472,7 +7472,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
47657 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
47658 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
47659 (int)part_stat_read(&disk->part0, sectors[1]) -
47660- atomic_read(&disk->sync_io);
47661+ atomic_read_unchecked(&disk->sync_io);
47662 /* sync IO will cause sync_io to increase before the disk_stats
47663 * as sync_io is counted when a request starts, and
47664 * disk_stats is counted when it completes.
47665diff --git a/drivers/md/md.h b/drivers/md/md.h
47666index 7da6e9c..f0c1f10 100644
47667--- a/drivers/md/md.h
47668+++ b/drivers/md/md.h
47669@@ -96,13 +96,13 @@ struct md_rdev {
47670 * only maintained for arrays that
47671 * support hot removal
47672 */
47673- atomic_t read_errors; /* number of consecutive read errors that
47674+ atomic_unchecked_t read_errors; /* number of consecutive read errors that
47675 * we have tried to ignore.
47676 */
47677 struct timespec last_read_error; /* monotonic time since our
47678 * last read error
47679 */
47680- atomic_t corrected_errors; /* number of corrected read errors,
47681+ atomic_unchecked_t corrected_errors; /* number of corrected read errors,
47682 * for reporting to userspace and storing
47683 * in superblock.
47684 */
47685@@ -487,7 +487,7 @@ extern void mddev_unlock(struct mddev *mddev);
47686
47687 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
47688 {
47689- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
47690+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
47691 }
47692
47693 struct md_personality
47694diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
47695index 5309129..7fb096e 100644
47696--- a/drivers/md/persistent-data/dm-space-map-metadata.c
47697+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
47698@@ -691,7 +691,7 @@ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks)
47699 * Flick into a mode where all blocks get allocated in the new area.
47700 */
47701 smm->begin = old_len;
47702- memcpy(sm, &bootstrap_ops, sizeof(*sm));
47703+ memcpy((void *)sm, &bootstrap_ops, sizeof(*sm));
47704
47705 /*
47706 * Extend.
47707@@ -728,7 +728,7 @@ out:
47708 /*
47709 * Switch back to normal behaviour.
47710 */
47711- memcpy(sm, &ops, sizeof(*sm));
47712+ memcpy((void *)sm, &ops, sizeof(*sm));
47713 return r;
47714 }
47715
47716diff --git a/drivers/md/persistent-data/dm-space-map.h b/drivers/md/persistent-data/dm-space-map.h
47717index 3e6d115..ffecdeb 100644
47718--- a/drivers/md/persistent-data/dm-space-map.h
47719+++ b/drivers/md/persistent-data/dm-space-map.h
47720@@ -71,6 +71,7 @@ struct dm_space_map {
47721 dm_sm_threshold_fn fn,
47722 void *context);
47723 };
47724+typedef struct dm_space_map __no_const dm_space_map_no_const;
47725
47726 /*----------------------------------------------------------------*/
47727
47728diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
47729index 967a4ed..002d339 100644
47730--- a/drivers/md/raid1.c
47731+++ b/drivers/md/raid1.c
47732@@ -1937,7 +1937,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
47733 if (r1_sync_page_io(rdev, sect, s,
47734 bio->bi_io_vec[idx].bv_page,
47735 READ) != 0)
47736- atomic_add(s, &rdev->corrected_errors);
47737+ atomic_add_unchecked(s, &rdev->corrected_errors);
47738 }
47739 sectors -= s;
47740 sect += s;
47741@@ -2170,7 +2170,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
47742 !test_bit(Faulty, &rdev->flags)) {
47743 if (r1_sync_page_io(rdev, sect, s,
47744 conf->tmppage, READ)) {
47745- atomic_add(s, &rdev->corrected_errors);
47746+ atomic_add_unchecked(s, &rdev->corrected_errors);
47747 printk(KERN_INFO
47748 "md/raid1:%s: read error corrected "
47749 "(%d sectors at %llu on %s)\n",
47750diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
47751index 38c58e1..89c3e0f 100644
47752--- a/drivers/md/raid10.c
47753+++ b/drivers/md/raid10.c
47754@@ -1934,7 +1934,7 @@ static void end_sync_read(struct bio *bio, int error)
47755 /* The write handler will notice the lack of
47756 * R10BIO_Uptodate and record any errors etc
47757 */
47758- atomic_add(r10_bio->sectors,
47759+ atomic_add_unchecked(r10_bio->sectors,
47760 &conf->mirrors[d].rdev->corrected_errors);
47761
47762 /* for reconstruct, we always reschedule after a read.
47763@@ -2281,7 +2281,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
47764 {
47765 struct timespec cur_time_mon;
47766 unsigned long hours_since_last;
47767- unsigned int read_errors = atomic_read(&rdev->read_errors);
47768+ unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
47769
47770 ktime_get_ts(&cur_time_mon);
47771
47772@@ -2303,9 +2303,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
47773 * overflowing the shift of read_errors by hours_since_last.
47774 */
47775 if (hours_since_last >= 8 * sizeof(read_errors))
47776- atomic_set(&rdev->read_errors, 0);
47777+ atomic_set_unchecked(&rdev->read_errors, 0);
47778 else
47779- atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
47780+ atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
47781 }
47782
47783 static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
47784@@ -2359,8 +2359,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47785 return;
47786
47787 check_decay_read_errors(mddev, rdev);
47788- atomic_inc(&rdev->read_errors);
47789- if (atomic_read(&rdev->read_errors) > max_read_errors) {
47790+ atomic_inc_unchecked(&rdev->read_errors);
47791+ if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) {
47792 char b[BDEVNAME_SIZE];
47793 bdevname(rdev->bdev, b);
47794
47795@@ -2368,7 +2368,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47796 "md/raid10:%s: %s: Raid device exceeded "
47797 "read_error threshold [cur %d:max %d]\n",
47798 mdname(mddev), b,
47799- atomic_read(&rdev->read_errors), max_read_errors);
47800+ atomic_read_unchecked(&rdev->read_errors), max_read_errors);
47801 printk(KERN_NOTICE
47802 "md/raid10:%s: %s: Failing raid device\n",
47803 mdname(mddev), b);
47804@@ -2523,7 +2523,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47805 sect +
47806 choose_data_offset(r10_bio, rdev)),
47807 bdevname(rdev->bdev, b));
47808- atomic_add(s, &rdev->corrected_errors);
47809+ atomic_add_unchecked(s, &rdev->corrected_errors);
47810 }
47811
47812 rdev_dec_pending(rdev, mddev);
47813diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
47814index f757023..f958632 100644
47815--- a/drivers/md/raid5.c
47816+++ b/drivers/md/raid5.c
47817@@ -1119,23 +1119,23 @@ async_copy_data(int frombio, struct bio *bio, struct page **page,
47818 struct bio_vec bvl;
47819 struct bvec_iter iter;
47820 struct page *bio_page;
47821- int page_offset;
47822+ s64 page_offset;
47823 struct async_submit_ctl submit;
47824 enum async_tx_flags flags = 0;
47825
47826 if (bio->bi_iter.bi_sector >= sector)
47827- page_offset = (signed)(bio->bi_iter.bi_sector - sector) * 512;
47828+ page_offset = (s64)(bio->bi_iter.bi_sector - sector) * 512;
47829 else
47830- page_offset = (signed)(sector - bio->bi_iter.bi_sector) * -512;
47831+ page_offset = (s64)(sector - bio->bi_iter.bi_sector) * -512;
47832
47833 if (frombio)
47834 flags |= ASYNC_TX_FENCE;
47835 init_async_submit(&submit, flags, tx, NULL, NULL, NULL);
47836
47837 bio_for_each_segment(bvl, bio, iter) {
47838- int len = bvl.bv_len;
47839- int clen;
47840- int b_offset = 0;
47841+ s64 len = bvl.bv_len;
47842+ s64 clen;
47843+ s64 b_offset = 0;
47844
47845 if (page_offset < 0) {
47846 b_offset = -page_offset;
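Review bot: `len`, `clen` and `b_offset` are widened to `s64` together with `page_offset`, but the hunk ends before the lines that consume them, so it is not visible whether they are passed to narrower parameters further down the loop. If they are, the truncation that the old `(signed)` cast caused has only moved, and those call sites need an explicit range check. A comment on the declaration, e.g. `/* byte offset: sector delta * 512 can exceed 32 bits */`, would also record why the type changed. async_copy_data starts and ends outside the hunk.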
47847@@ -2028,6 +2028,10 @@ static int grow_one_stripe(struct r5conf *conf, gfp_t gfp)
47848 return 1;
47849 }
47850
47851+#ifdef CONFIG_GRKERNSEC_HIDESYM
47852+static atomic_unchecked_t raid5_cache_id = ATOMIC_INIT(0);
47853+#endif
47854+
47855 static int grow_stripes(struct r5conf *conf, int num)
47856 {
47857 struct kmem_cache *sc;
47858@@ -2038,7 +2042,11 @@ static int grow_stripes(struct r5conf *conf, int num)
47859 "raid%d-%s", conf->level, mdname(conf->mddev));
47860 else
47861 sprintf(conf->cache_name[0],
47862+#ifdef CONFIG_GRKERNSEC_HIDESYM
47863+ "raid%d-%08lx", conf->level, atomic_inc_return_unchecked(&raid5_cache_id));
47864+#else
47865 "raid%d-%p", conf->level, conf->mddev);
47866+#endif
47867 sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]);
47868
47869 conf->active_name = 0;
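Review bot: In the CONFIG_GRKERNSEC_HIDESYM branch the format `%08lx` expects an `unsigned long`, but `atomic_inc_return_unchecked(&raid5_cache_id)` presumably returns `int` like the other atomic helpers, which would be a format/argument mismatch in a variadic call. Matching the two is a one-line change: `"raid%d-%08x", conf->level, (unsigned int)atomic_inc_return_unchecked(&raid5_cache_id));`. The call is also an unbounded `sprintf` into `conf->cache_name[0]`. `snprintf` with `sizeof(conf->cache_name[0])` would bound it, assuming `cache_name` is an array of fixed-size buffers, whose declaration is not visible here. grow_stripes continues past the hunk.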
47870@@ -2331,21 +2339,21 @@ static void raid5_end_read_request(struct bio * bi, int error)
47871 mdname(conf->mddev), STRIPE_SECTORS,
47872 (unsigned long long)s,
47873 bdevname(rdev->bdev, b));
47874- atomic_add(STRIPE_SECTORS, &rdev->corrected_errors);
47875+ atomic_add_unchecked(STRIPE_SECTORS, &rdev->corrected_errors);
47876 clear_bit(R5_ReadError, &sh->dev[i].flags);
47877 clear_bit(R5_ReWrite, &sh->dev[i].flags);
47878 } else if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags))
47879 clear_bit(R5_ReadNoMerge, &sh->dev[i].flags);
47880
47881- if (atomic_read(&rdev->read_errors))
47882- atomic_set(&rdev->read_errors, 0);
47883+ if (atomic_read_unchecked(&rdev->read_errors))
47884+ atomic_set_unchecked(&rdev->read_errors, 0);
47885 } else {
47886 const char *bdn = bdevname(rdev->bdev, b);
47887 int retry = 0;
47888 int set_bad = 0;
47889
47890 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
47891- atomic_inc(&rdev->read_errors);
47892+ atomic_inc_unchecked(&rdev->read_errors);
47893 if (test_bit(R5_ReadRepl, &sh->dev[i].flags))
47894 printk_ratelimited(
47895 KERN_WARNING
47896@@ -2373,7 +2381,7 @@ static void raid5_end_read_request(struct bio * bi, int error)
47897 mdname(conf->mddev),
47898 (unsigned long long)s,
47899 bdn);
47900- } else if (atomic_read(&rdev->read_errors)
47901+ } else if (atomic_read_unchecked(&rdev->read_errors)
47902 > conf->max_nr_stripes)
47903 printk(KERN_WARNING
47904 "md/raid:%s: Too many read errors, failing device %s.\n",
47905diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
47906index 13bb57f..0ca21b2 100644
47907--- a/drivers/media/dvb-core/dvbdev.c
47908+++ b/drivers/media/dvb-core/dvbdev.c
47909@@ -272,7 +272,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
47910 const struct dvb_device *template, void *priv, int type)
47911 {
47912 struct dvb_device *dvbdev;
47913- struct file_operations *dvbdevfops;
47914+ file_operations_no_const *dvbdevfops;
47915 struct device *clsdev;
47916 int minor;
47917 int id;
47918diff --git a/drivers/media/dvb-frontends/af9033.h b/drivers/media/dvb-frontends/af9033.h
47919index 6ad22b6..6e90e2a 100644
47920--- a/drivers/media/dvb-frontends/af9033.h
47921+++ b/drivers/media/dvb-frontends/af9033.h
47922@@ -96,6 +96,6 @@ struct af9033_ops {
47923 int (*pid_filter_ctrl)(struct dvb_frontend *fe, int onoff);
47924 int (*pid_filter)(struct dvb_frontend *fe, int index, u16 pid,
47925 int onoff);
47926-};
47927+} __no_const;
47928
47929 #endif /* AF9033_H */
47930diff --git a/drivers/media/dvb-frontends/dib3000.h b/drivers/media/dvb-frontends/dib3000.h
47931index 6ae9899..07d8543 100644
47932--- a/drivers/media/dvb-frontends/dib3000.h
47933+++ b/drivers/media/dvb-frontends/dib3000.h
47934@@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
47935 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
47936 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
47937 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
47938-};
47939+} __no_const;
47940
47941 #if IS_REACHABLE(CONFIG_DVB_DIB3000MB)
47942 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
47943diff --git a/drivers/media/dvb-frontends/dib7000p.h b/drivers/media/dvb-frontends/dib7000p.h
47944index baa2789..c8de7fe 100644
47945--- a/drivers/media/dvb-frontends/dib7000p.h
47946+++ b/drivers/media/dvb-frontends/dib7000p.h
47947@@ -64,7 +64,7 @@ struct dib7000p_ops {
47948 int (*get_adc_power)(struct dvb_frontend *fe);
47949 int (*slave_reset)(struct dvb_frontend *fe);
47950 struct dvb_frontend *(*init)(struct i2c_adapter *i2c_adap, u8 i2c_addr, struct dib7000p_config *cfg);
47951-};
47952+} __no_const;
47953
47954 #if IS_REACHABLE(CONFIG_DVB_DIB7000P)
47955 void *dib7000p_attach(struct dib7000p_ops *ops);
47956diff --git a/drivers/media/dvb-frontends/dib8000.h b/drivers/media/dvb-frontends/dib8000.h
47957index 2b8b4b1..8cef451 100644
47958--- a/drivers/media/dvb-frontends/dib8000.h
47959+++ b/drivers/media/dvb-frontends/dib8000.h
47960@@ -61,7 +61,7 @@ struct dib8000_ops {
47961 int (*pid_filter_ctrl)(struct dvb_frontend *fe, u8 onoff);
47962 int (*pid_filter)(struct dvb_frontend *fe, u8 id, u16 pid, u8 onoff);
47963 struct dvb_frontend *(*init)(struct i2c_adapter *i2c_adap, u8 i2c_addr, struct dib8000_config *cfg);
47964-};
47965+} __no_const;
47966
47967 #if IS_REACHABLE(CONFIG_DVB_DIB8000)
47968 void *dib8000_attach(struct dib8000_ops *ops);
47969diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c
47970index 400e5ca..f69f748 100644
47971--- a/drivers/media/pci/cx88/cx88-video.c
47972+++ b/drivers/media/pci/cx88/cx88-video.c
47973@@ -50,9 +50,9 @@ MODULE_VERSION(CX88_VERSION);
47974
47975 /* ------------------------------------------------------------------ */
47976
47977-static unsigned int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47978-static unsigned int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47979-static unsigned int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47980+static int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47981+static int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47982+static int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47983
47984 module_param_array(video_nr, int, NULL, 0444);
47985 module_param_array(vbi_nr, int, NULL, 0444);
47986diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
47987index 8616fa8..e16eeaf 100644
47988--- a/drivers/media/pci/ivtv/ivtv-driver.c
47989+++ b/drivers/media/pci/ivtv/ivtv-driver.c
47990@@ -83,7 +83,7 @@ static struct pci_device_id ivtv_pci_tbl[] = {
47991 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
47992
47993 /* ivtv instance counter */
47994-static atomic_t ivtv_instance = ATOMIC_INIT(0);
47995+static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
47996
47997 /* Parameter declarations */
47998 static int cardtype[IVTV_MAX_CARDS];
47999diff --git a/drivers/media/pci/solo6x10/solo6x10-core.c b/drivers/media/pci/solo6x10/solo6x10-core.c
48000index 570d119..ed25830 100644
48001--- a/drivers/media/pci/solo6x10/solo6x10-core.c
48002+++ b/drivers/media/pci/solo6x10/solo6x10-core.c
48003@@ -424,7 +424,7 @@ static void solo_device_release(struct device *dev)
48004
48005 static int solo_sysfs_init(struct solo_dev *solo_dev)
48006 {
48007- struct bin_attribute *sdram_attr = &solo_dev->sdram_attr;
48008+ bin_attribute_no_const *sdram_attr = &solo_dev->sdram_attr;
48009 struct device *dev = &solo_dev->dev;
48010 const char *driver;
48011 int i;
48012diff --git a/drivers/media/pci/solo6x10/solo6x10-g723.c b/drivers/media/pci/solo6x10/solo6x10-g723.c
48013index 7ddc767..1c24361 100644
48014--- a/drivers/media/pci/solo6x10/solo6x10-g723.c
48015+++ b/drivers/media/pci/solo6x10/solo6x10-g723.c
48016@@ -351,7 +351,7 @@ static int solo_snd_pcm_init(struct solo_dev *solo_dev)
48017
48018 int solo_g723_init(struct solo_dev *solo_dev)
48019 {
48020- static struct snd_device_ops ops = { NULL };
48021+ static struct snd_device_ops ops = { };
48022 struct snd_card *card;
48023 struct snd_kcontrol_new kctl;
48024 char name[32];
48025diff --git a/drivers/media/pci/solo6x10/solo6x10-p2m.c b/drivers/media/pci/solo6x10/solo6x10-p2m.c
48026index 8c84846..27b4f83 100644
48027--- a/drivers/media/pci/solo6x10/solo6x10-p2m.c
48028+++ b/drivers/media/pci/solo6x10/solo6x10-p2m.c
48029@@ -73,7 +73,7 @@ int solo_p2m_dma_desc(struct solo_dev *solo_dev,
48030
48031 /* Get next ID. According to Softlogic, 6110 has problems on !=0 P2M */
48032 if (solo_dev->type != SOLO_DEV_6110 && multi_p2m) {
48033- p2m_id = atomic_inc_return(&solo_dev->p2m_count) % SOLO_NR_P2M;
48034+ p2m_id = atomic_inc_return_unchecked(&solo_dev->p2m_count) % SOLO_NR_P2M;
48035 if (p2m_id < 0)
48036 p2m_id = -p2m_id;
48037 }
48038diff --git a/drivers/media/pci/solo6x10/solo6x10.h b/drivers/media/pci/solo6x10/solo6x10.h
48039index 1ca54b0..7d7cb9a 100644
48040--- a/drivers/media/pci/solo6x10/solo6x10.h
48041+++ b/drivers/media/pci/solo6x10/solo6x10.h
48042@@ -218,7 +218,7 @@ struct solo_dev {
48043
48044 /* P2M DMA Engine */
48045 struct solo_p2m_dev p2m_dev[SOLO_NR_P2M];
48046- atomic_t p2m_count;
48047+ atomic_unchecked_t p2m_count;
48048 int p2m_jiffies;
48049 unsigned int p2m_timeouts;
48050
48051diff --git a/drivers/media/pci/tw68/tw68-core.c b/drivers/media/pci/tw68/tw68-core.c
48052index c135165..dc69499 100644
48053--- a/drivers/media/pci/tw68/tw68-core.c
48054+++ b/drivers/media/pci/tw68/tw68-core.c
48055@@ -60,7 +60,7 @@ static unsigned int card[] = {[0 ... (TW68_MAXBOARDS - 1)] = UNSET };
48056 module_param_array(card, int, NULL, 0444);
48057 MODULE_PARM_DESC(card, "card type");
48058
48059-static atomic_t tw68_instance = ATOMIC_INIT(0);
48060+static atomic_unchecked_t tw68_instance = ATOMIC_INIT(0);
48061
48062 /* ------------------------------------------------------------------ */
48063
48064diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
48065index f09c5f1..38f6d65 100644
48066--- a/drivers/media/platform/omap/omap_vout.c
48067+++ b/drivers/media/platform/omap/omap_vout.c
48068@@ -63,7 +63,6 @@ enum omap_vout_channels {
48069 OMAP_VIDEO2,
48070 };
48071
48072-static struct videobuf_queue_ops video_vbq_ops;
48073 /* Variables configurable through module params*/
48074 static u32 video1_numbuffers = 3;
48075 static u32 video2_numbuffers = 3;
48076@@ -1008,6 +1007,12 @@ static int omap_vout_open(struct file *file)
48077 {
48078 struct videobuf_queue *q;
48079 struct omap_vout_device *vout = NULL;
48080+ static struct videobuf_queue_ops video_vbq_ops = {
48081+ .buf_setup = omap_vout_buffer_setup,
48082+ .buf_prepare = omap_vout_buffer_prepare,
48083+ .buf_release = omap_vout_buffer_release,
48084+ .buf_queue = omap_vout_buffer_queue,
48085+ };
48086
48087 vout = video_drvdata(file);
48088 v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev, "Entering %s\n", __func__);
48089@@ -1025,10 +1030,6 @@ static int omap_vout_open(struct file *file)
48090 vout->type = V4L2_BUF_TYPE_VIDEO_OUTPUT;
48091
48092 q = &vout->vbq;
48093- video_vbq_ops.buf_setup = omap_vout_buffer_setup;
48094- video_vbq_ops.buf_prepare = omap_vout_buffer_prepare;
48095- video_vbq_ops.buf_release = omap_vout_buffer_release;
48096- video_vbq_ops.buf_queue = omap_vout_buffer_queue;
48097 spin_lock_init(&vout->vbq_lock);
48098
48099 videobuf_queue_dma_contig_init(q, &video_vbq_ops, q->dev,
48100diff --git a/drivers/media/platform/s5p-tv/mixer.h b/drivers/media/platform/s5p-tv/mixer.h
48101index fb2acc5..a2fcbdc4 100644
48102--- a/drivers/media/platform/s5p-tv/mixer.h
48103+++ b/drivers/media/platform/s5p-tv/mixer.h
48104@@ -156,7 +156,7 @@ struct mxr_layer {
48105 /** layer index (unique identifier) */
48106 int idx;
48107 /** callbacks for layer methods */
48108- struct mxr_layer_ops ops;
48109+ struct mxr_layer_ops *ops;
48110 /** format array */
48111 const struct mxr_format **fmt_array;
48112 /** size of format array */
48113diff --git a/drivers/media/platform/s5p-tv/mixer_grp_layer.c b/drivers/media/platform/s5p-tv/mixer_grp_layer.c
48114index 74344c7..a39e70e 100644
48115--- a/drivers/media/platform/s5p-tv/mixer_grp_layer.c
48116+++ b/drivers/media/platform/s5p-tv/mixer_grp_layer.c
48117@@ -235,7 +235,7 @@ struct mxr_layer *mxr_graph_layer_create(struct mxr_device *mdev, int idx)
48118 {
48119 struct mxr_layer *layer;
48120 int ret;
48121- struct mxr_layer_ops ops = {
48122+ static struct mxr_layer_ops ops = {
48123 .release = mxr_graph_layer_release,
48124 .buffer_set = mxr_graph_buffer_set,
48125 .stream_set = mxr_graph_stream_set,
48126diff --git a/drivers/media/platform/s5p-tv/mixer_reg.c b/drivers/media/platform/s5p-tv/mixer_reg.c
48127index b713403..53cb5ad 100644
48128--- a/drivers/media/platform/s5p-tv/mixer_reg.c
48129+++ b/drivers/media/platform/s5p-tv/mixer_reg.c
48130@@ -276,7 +276,7 @@ static void mxr_irq_layer_handle(struct mxr_layer *layer)
48131 layer->update_buf = next;
48132 }
48133
48134- layer->ops.buffer_set(layer, layer->update_buf);
48135+ layer->ops->buffer_set(layer, layer->update_buf);
48136
48137 if (done && done != layer->shadow_buf)
48138 vb2_buffer_done(&done->vb, VB2_BUF_STATE_DONE);
48139diff --git a/drivers/media/platform/s5p-tv/mixer_video.c b/drivers/media/platform/s5p-tv/mixer_video.c
48140index 751f3b6..d829203 100644
48141--- a/drivers/media/platform/s5p-tv/mixer_video.c
48142+++ b/drivers/media/platform/s5p-tv/mixer_video.c
48143@@ -210,7 +210,7 @@ static void mxr_layer_default_geo(struct mxr_layer *layer)
48144 layer->geo.src.height = layer->geo.src.full_height;
48145
48146 mxr_geometry_dump(mdev, &layer->geo);
48147- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
48148+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
48149 mxr_geometry_dump(mdev, &layer->geo);
48150 }
48151
48152@@ -228,7 +228,7 @@ static void mxr_layer_update_output(struct mxr_layer *layer)
48153 layer->geo.dst.full_width = mbus_fmt.width;
48154 layer->geo.dst.full_height = mbus_fmt.height;
48155 layer->geo.dst.field = mbus_fmt.field;
48156- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
48157+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
48158
48159 mxr_geometry_dump(mdev, &layer->geo);
48160 }
48161@@ -334,7 +334,7 @@ static int mxr_s_fmt(struct file *file, void *priv,
48162 /* set source size to highest accepted value */
48163 geo->src.full_width = max(geo->dst.full_width, pix->width);
48164 geo->src.full_height = max(geo->dst.full_height, pix->height);
48165- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
48166+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
48167 mxr_geometry_dump(mdev, &layer->geo);
48168 /* set cropping to total visible screen */
48169 geo->src.width = pix->width;
48170@@ -342,12 +342,12 @@ static int mxr_s_fmt(struct file *file, void *priv,
48171 geo->src.x_offset = 0;
48172 geo->src.y_offset = 0;
48173 /* assure consistency of geometry */
48174- layer->ops.fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET);
48175+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET);
48176 mxr_geometry_dump(mdev, &layer->geo);
48177 /* set full size to lowest possible value */
48178 geo->src.full_width = 0;
48179 geo->src.full_height = 0;
48180- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
48181+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
48182 mxr_geometry_dump(mdev, &layer->geo);
48183
48184 /* returning results */
48185@@ -474,7 +474,7 @@ static int mxr_s_selection(struct file *file, void *fh,
48186 target->width = s->r.width;
48187 target->height = s->r.height;
48188
48189- layer->ops.fix_geometry(layer, stage, s->flags);
48190+ layer->ops->fix_geometry(layer, stage, s->flags);
48191
48192 /* retrieve update selection rectangle */
48193 res.left = target->x_offset;
48194@@ -938,13 +938,13 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count)
48195 mxr_output_get(mdev);
48196
48197 mxr_layer_update_output(layer);
48198- layer->ops.format_set(layer);
48199+ layer->ops->format_set(layer);
48200 /* enabling layer in hardware */
48201 spin_lock_irqsave(&layer->enq_slock, flags);
48202 layer->state = MXR_LAYER_STREAMING;
48203 spin_unlock_irqrestore(&layer->enq_slock, flags);
48204
48205- layer->ops.stream_set(layer, MXR_ENABLE);
48206+ layer->ops->stream_set(layer, MXR_ENABLE);
48207 mxr_streamer_get(mdev);
48208
48209 return 0;
48210@@ -1014,7 +1014,7 @@ static void stop_streaming(struct vb2_queue *vq)
48211 spin_unlock_irqrestore(&layer->enq_slock, flags);
48212
48213 /* disabling layer in hardware */
48214- layer->ops.stream_set(layer, MXR_DISABLE);
48215+ layer->ops->stream_set(layer, MXR_DISABLE);
48216 /* remove one streamer */
48217 mxr_streamer_put(mdev);
48218 /* allow changes in output configuration */
48219@@ -1052,8 +1052,8 @@ void mxr_base_layer_unregister(struct mxr_layer *layer)
48220
48221 void mxr_layer_release(struct mxr_layer *layer)
48222 {
48223- if (layer->ops.release)
48224- layer->ops.release(layer);
48225+ if (layer->ops->release)
48226+ layer->ops->release(layer);
48227 }
48228
48229 void mxr_base_layer_release(struct mxr_layer *layer)
48230@@ -1079,7 +1079,7 @@ struct mxr_layer *mxr_base_layer_create(struct mxr_device *mdev,
48231
48232 layer->mdev = mdev;
48233 layer->idx = idx;
48234- layer->ops = *ops;
48235+ layer->ops = ops;
48236
48237 spin_lock_init(&layer->enq_slock);
48238 INIT_LIST_HEAD(&layer->enq_list);
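Review bot: `layer->ops = ops;` now stores the caller's pointer instead of copying the table, so the ops structure has to outlive the layer, and nothing in the code says so. The two creators touched by this patch (mixer_grp_layer.c and mixer_vp_layer.c) were switched to `static` storage, but a later caller passing a stack-local table would leave `layer->ops` dangling, and every `layer->ops->...` call would then go through stale memory. I would add `/* ops is stored by reference and must outlive the layer */` above the assignment. If the mxr_base_layer_create() prototype (outside this hunk) allows it, the field could also be declared `const struct mxr_layer_ops *ops;` so the table cannot be rewritten through the layer.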
48239diff --git a/drivers/media/platform/s5p-tv/mixer_vp_layer.c b/drivers/media/platform/s5p-tv/mixer_vp_layer.c
48240index c9388c4..ce71ece 100644
48241--- a/drivers/media/platform/s5p-tv/mixer_vp_layer.c
48242+++ b/drivers/media/platform/s5p-tv/mixer_vp_layer.c
48243@@ -206,7 +206,7 @@ struct mxr_layer *mxr_vp_layer_create(struct mxr_device *mdev, int idx)
48244 {
48245 struct mxr_layer *layer;
48246 int ret;
48247- struct mxr_layer_ops ops = {
48248+ static struct mxr_layer_ops ops = {
48249 .release = mxr_vp_layer_release,
48250 .buffer_set = mxr_vp_buffer_set,
48251 .stream_set = mxr_vp_stream_set,
48252diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c
48253index 82affae..42833ec 100644
48254--- a/drivers/media/radio/radio-cadet.c
48255+++ b/drivers/media/radio/radio-cadet.c
48256@@ -333,6 +333,8 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
48257 unsigned char readbuf[RDS_BUFFER];
48258 int i = 0;
48259
48260+ if (count > RDS_BUFFER)
48261+ return -EFAULT;
48262 mutex_lock(&dev->lock);
48263 if (dev->rdsstat == 0)
48264 cadet_start_rds(dev);
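Review bot: The new `if (count > RDS_BUFFER) return -EFAULT;` rejects any read whose buffer is larger than the internal one, which changes behaviour for callers and reports a bad-address error for what is only an oversized length. If the copy loop (its condition is outside this hunk) is bounded by `count`, clamping is enough to keep `readbuf` in bounds: `count = min_t(size_t, count, RDS_BUFFER);`. Whichever form is kept, a short comment such as `/* readbuf holds at most RDS_BUFFER bytes */` would tie the check to the stack buffer it protects.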
48265@@ -349,8 +351,9 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
48266 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
48267 mutex_unlock(&dev->lock);
48268
48269- if (i && copy_to_user(data, readbuf, i))
48270- return -EFAULT;
48271+ if (i > sizeof(readbuf) || (i && copy_to_user(data, readbuf, i)))
48272+ i = -EFAULT;
48273+
48274 return i;
48275 }
48276
48277diff --git a/drivers/media/radio/radio-maxiradio.c b/drivers/media/radio/radio-maxiradio.c
48278index 5236035..c622c74 100644
48279--- a/drivers/media/radio/radio-maxiradio.c
48280+++ b/drivers/media/radio/radio-maxiradio.c
48281@@ -61,7 +61,7 @@ MODULE_PARM_DESC(radio_nr, "Radio device number");
48282 /* TEA5757 pin mappings */
48283 static const int clk = 1, data = 2, wren = 4, mo_st = 8, power = 16;
48284
48285-static atomic_t maxiradio_instance = ATOMIC_INIT(0);
48286+static atomic_unchecked_t maxiradio_instance = ATOMIC_INIT(0);
48287
48288 #define PCI_VENDOR_ID_GUILLEMOT 0x5046
48289 #define PCI_DEVICE_ID_GUILLEMOT_MAXIRADIO 0x1001
48290diff --git a/drivers/media/radio/radio-shark.c b/drivers/media/radio/radio-shark.c
48291index 050b3bb..79f62b9 100644
48292--- a/drivers/media/radio/radio-shark.c
48293+++ b/drivers/media/radio/radio-shark.c
48294@@ -79,7 +79,7 @@ struct shark_device {
48295 u32 last_val;
48296 };
48297
48298-static atomic_t shark_instance = ATOMIC_INIT(0);
48299+static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
48300
48301 static void shark_write_val(struct snd_tea575x *tea, u32 val)
48302 {
48303diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c
48304index 8654e0d..0608a64 100644
48305--- a/drivers/media/radio/radio-shark2.c
48306+++ b/drivers/media/radio/radio-shark2.c
48307@@ -74,7 +74,7 @@ struct shark_device {
48308 u8 *transfer_buffer;
48309 };
48310
48311-static atomic_t shark_instance = ATOMIC_INIT(0);
48312+static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
48313
48314 static int shark_write_reg(struct radio_tea5777 *tea, u64 reg)
48315 {
48316diff --git a/drivers/media/radio/radio-si476x.c b/drivers/media/radio/radio-si476x.c
48317index 9cbb8cd..2bf2ff3 100644
48318--- a/drivers/media/radio/radio-si476x.c
48319+++ b/drivers/media/radio/radio-si476x.c
48320@@ -1445,7 +1445,7 @@ static int si476x_radio_probe(struct platform_device *pdev)
48321 struct si476x_radio *radio;
48322 struct v4l2_ctrl *ctrl;
48323
48324- static atomic_t instance = ATOMIC_INIT(0);
48325+ static atomic_unchecked_t instance = ATOMIC_INIT(0);
48326
48327 radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
48328 if (!radio)
48329diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c
48330index 704397f..4d05977 100644
48331--- a/drivers/media/radio/wl128x/fmdrv_common.c
48332+++ b/drivers/media/radio/wl128x/fmdrv_common.c
48333@@ -71,7 +71,7 @@ module_param(default_rds_buf, uint, 0444);
48334 MODULE_PARM_DESC(rds_buf, "RDS buffer entries");
48335
48336 /* Radio Nr */
48337-static u32 radio_nr = -1;
48338+static int radio_nr = -1;
48339 module_param(radio_nr, int, 0444);
48340 MODULE_PARM_DESC(radio_nr, "Radio Nr");
48341
48342diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c
48343index 9fd1527..8927230 100644
48344--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
48345+++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
48346@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties cinergyt2_properties;
48347
48348 static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
48349 {
48350- char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
48351- char result[64];
48352- return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
48353- sizeof(result), 0);
48354+ char *buf;
48355+ char *result;
48356+ int retval;
48357+
48358+ buf = kmalloc(2, GFP_KERNEL);
48359+ if (buf == NULL)
48360+ return -ENOMEM;
48361+ result = kmalloc(64, GFP_KERNEL);
48362+ if (result == NULL) {
48363+ kfree(buf);
48364+ return -ENOMEM;
48365+ }
48366+
48367+ buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
48368+ buf[1] = enable ? 1 : 0;
48369+
48370+ retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
48371+
48372+ kfree(buf);
48373+ kfree(result);
48374+ return retval;
48375 }
48376
48377 static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
48378 {
48379- char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
48380- char state[3];
48381- return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
48382+ char *buf;
48383+ char *state;
48384+ int retval;
48385+
48386+ buf = kmalloc(2, GFP_KERNEL);
48387+ if (buf == NULL)
48388+ return -ENOMEM;
48389+ state = kmalloc(3, GFP_KERNEL);
48390+ if (state == NULL) {
48391+ kfree(buf);
48392+ return -ENOMEM;
48393+ }
48394+
48395+ buf[0] = CINERGYT2_EP1_SLEEP_MODE;
48396+ buf[1] = enable ? 1 : 0;
48397+
48398+ retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
48399+
48400+ kfree(buf);
48401+ kfree(state);
48402+ return retval;
48403 }
48404
48405 static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
48406 {
48407- char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
48408- char state[3];
48409+ char *query;
48410+ char *state;
48411 int ret;
48412+ query = kmalloc(1, GFP_KERNEL);
48413+ if (query == NULL)
48414+ return -ENOMEM;
48415+ state = kmalloc(3, GFP_KERNEL);
48416+ if (state == NULL) {
48417+ kfree(query);
48418+ return -ENOMEM;
48419+ }
48420+
48421+ query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
48422
48423 adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
48424
48425- ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
48426- sizeof(state), 0);
48427+ ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
48428 if (ret < 0) {
48429 deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
48430 "state info\n");
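Review bot: In cinergyt2_power_ctrl the sleep-mode byte is inverted relative to the code it replaces: the removed initializer was `enable ? 0 : 1`, the new assignment is `buf[1] = enable ? 1 : 0;`. Nothing visible in the patch suggests the polarity change is intended, so enabling power would presumably now request sleep mode; it should read `buf[1] = enable ? 0 : 1;`. Separately, the literal sizes (`2`, `64`, `3`, `1`) now appear both in the kmalloc() calls and in the dvb_usb_generic_rw() arguments, where `sizeof` used to keep them in step. A named constant per buffer would stop the two from drifting apart.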
48431@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
48432
48433 /* Copy this pointer as we are gonna need it in the release phase */
48434 cinergyt2_usb_device = adap->dev;
48435-
48436+ kfree(query);
48437+ kfree(state);
48438 return 0;
48439 }
48440
48441@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
48442 static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
48443 {
48444 struct cinergyt2_state *st = d->priv;
48445- u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
48446+ u8 *key, *cmd;
48447 int i;
48448
48449+ cmd = kmalloc(1, GFP_KERNEL);
48450+ if (cmd == NULL)
48451+ return -EINVAL;
48452+ key = kzalloc(5, GFP_KERNEL);
48453+ if (key == NULL) {
48454+ kfree(cmd);
48455+ return -EINVAL;
48456+ }
48457+
48458+ cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
48459+
48460 *state = REMOTE_NO_KEY_PRESSED;
48461
48462- dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
48463+ dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
48464 if (key[4] == 0xff) {
48465 /* key repeat */
48466 st->rc_counter++;
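Review bot: Allocation failure in cinergyt2_rc_query returns `-EINVAL`, while the other functions converted in this file return `-ENOMEM` for the same condition. Both `return -EINVAL;` lines after the kmalloc()/kzalloc() checks should be `return -ENOMEM;` so callers can tell memory pressure from a bad argument. The function body continues past this hunk.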
48467@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
48468 *event = d->last_event;
48469 deb_rc("repeat key, event %x\n",
48470 *event);
48471- return 0;
48472+ goto out;
48473 }
48474 }
48475 deb_rc("repeated key (non repeatable)\n");
48476 }
48477- return 0;
48478+ goto out;
48479 }
48480
48481 /* hack to pass checksum on the custom field */
48482@@ -174,6 +230,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
48483
48484 deb_rc("key: %*ph\n", 5, key);
48485 }
48486+out:
48487+ kfree(cmd);
48488+ kfree(key);
48489 return 0;
48490 }
48491
48492diff --git a/drivers/media/usb/dvb-usb/cinergyT2-fe.c b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
48493index b3ec743..9c0e418 100644
48494--- a/drivers/media/usb/dvb-usb/cinergyT2-fe.c
48495+++ b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
48496@@ -145,103 +145,176 @@ static int cinergyt2_fe_read_status(struct dvb_frontend *fe,
48497 enum fe_status *status)
48498 {
48499 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48500- struct dvbt_get_status_msg result;
48501- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48502+ struct dvbt_get_status_msg *result;
48503+ u8 *cmd;
48504 int ret;
48505
48506- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
48507- sizeof(result), 0);
48508+ cmd = kmalloc(1, GFP_KERNEL);
48509+ if (cmd == NULL)
48510+ return -ENOMEM;
48511+ result = kmalloc(sizeof(*result), GFP_KERNEL);
48512+ if (result == NULL) {
48513+ kfree(cmd);
48514+ return -ENOMEM;
48515+ }
48516+
48517+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48518+
48519+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
48520+ sizeof(*result), 0);
48521 if (ret < 0)
48522- return ret;
48523+ goto out;
48524
48525 *status = 0;
48526
48527- if (0xffff - le16_to_cpu(result.gain) > 30)
48528+ if (0xffff - le16_to_cpu(result->gain) > 30)
48529 *status |= FE_HAS_SIGNAL;
48530- if (result.lock_bits & (1 << 6))
48531+ if (result->lock_bits & (1 << 6))
48532 *status |= FE_HAS_LOCK;
48533- if (result.lock_bits & (1 << 5))
48534+ if (result->lock_bits & (1 << 5))
48535 *status |= FE_HAS_SYNC;
48536- if (result.lock_bits & (1 << 4))
48537+ if (result->lock_bits & (1 << 4))
48538 *status |= FE_HAS_CARRIER;
48539- if (result.lock_bits & (1 << 1))
48540+ if (result->lock_bits & (1 << 1))
48541 *status |= FE_HAS_VITERBI;
48542
48543 if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
48544 (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
48545 *status &= ~FE_HAS_LOCK;
48546
48547- return 0;
48548+out:
48549+ kfree(cmd);
48550+ kfree(result);
48551+ return ret;
48552 }
48553
48554 static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
48555 {
48556 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48557- struct dvbt_get_status_msg status;
48558- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48559+ struct dvbt_get_status_msg *status;
48560+ char *cmd;
48561 int ret;
48562
48563- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
48564- sizeof(status), 0);
48565+ cmd = kmalloc(1, GFP_KERNEL);
48566+ if (cmd == NULL)
48567+ return -ENOMEM;
48568+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48569+ if (status == NULL) {
48570+ kfree(cmd);
48571+ return -ENOMEM;
48572+ }
48573+
48574+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48575+
48576+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
48577+ sizeof(*status), 0);
48578 if (ret < 0)
48579- return ret;
48580+ goto out;
48581
48582- *ber = le32_to_cpu(status.viterbi_error_rate);
48583+ *ber = le32_to_cpu(status->viterbi_error_rate);
48584+out:
48585+ kfree(cmd);
48586+ kfree(status);
48587 return 0;
48588 }
48589
48590 static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
48591 {
48592 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48593- struct dvbt_get_status_msg status;
48594- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48595+ struct dvbt_get_status_msg *status;
48596+ u8 *cmd;
48597 int ret;
48598
48599- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
48600- sizeof(status), 0);
48601+ cmd = kmalloc(1, GFP_KERNEL);
48602+ if (cmd == NULL)
48603+ return -ENOMEM;
48604+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48605+ if (status == NULL) {
48606+ kfree(cmd);
48607+ return -ENOMEM;
48608+ }
48609+
48610+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48611+
48612+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
48613+ sizeof(*status), 0);
48614 if (ret < 0) {
48615 err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
48616 ret);
48617- return ret;
48618+ goto out;
48619 }
48620- *unc = le32_to_cpu(status.uncorrected_block_count);
48621- return 0;
48622+ *unc = le32_to_cpu(status->uncorrected_block_count);
48623+
48624+out:
48625+ kfree(cmd);
48626+ kfree(status);
48627+ return ret;
48628 }
48629
48630 static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
48631 u16 *strength)
48632 {
48633 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48634- struct dvbt_get_status_msg status;
48635- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48636+ struct dvbt_get_status_msg *status;
48637+ char *cmd;
48638 int ret;
48639
48640- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
48641- sizeof(status), 0);
48642+ cmd = kmalloc(1, GFP_KERNEL);
48643+ if (cmd == NULL)
48644+ return -ENOMEM;
48645+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48646+ if (status == NULL) {
48647+ kfree(cmd);
48648+ return -ENOMEM;
48649+ }
48650+
48651+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48652+
48653+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
48654+ sizeof(*status), 0);
48655 if (ret < 0) {
48656 err("cinergyt2_fe_read_signal_strength() Failed!"
48657 " (Error=%d)\n", ret);
48658- return ret;
48659+ goto out;
48660 }
48661- *strength = (0xffff - le16_to_cpu(status.gain));
48662+ *strength = (0xffff - le16_to_cpu(status->gain));
48663+
48664+out:
48665+ kfree(cmd);
48666+ kfree(status);
48667 return 0;
48668 }
48669
48670 static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
48671 {
48672 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48673- struct dvbt_get_status_msg status;
48674- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48675+ struct dvbt_get_status_msg *status;
48676+ char *cmd;
48677 int ret;
48678
48679- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
48680- sizeof(status), 0);
48681+ cmd = kmalloc(1, GFP_KERNEL);
48682+ if (cmd == NULL)
48683+ return -ENOMEM;
48684+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48685+ if (status == NULL) {
48686+ kfree(cmd);
48687+ return -ENOMEM;
48688+ }
48689+
48690+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48691+
48692+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
48693+ sizeof(*status), 0);
48694 if (ret < 0) {
48695 err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
48696- return ret;
48697+ goto out;
48698 }
48699- *snr = (status.snr << 8) | status.snr;
48700- return 0;
48701+ *snr = (status->snr << 8) | status->snr;
48702+
48703+out:
48704+ kfree(cmd);
48705+ kfree(status);
48706+ return ret;
48707 }
48708
48709 static int cinergyt2_fe_init(struct dvb_frontend *fe)
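Review bot: cinergyt2_fe_read_ber and cinergyt2_fe_read_signal_strength now lose the transfer error: the failure path was changed from `return ret;` to `goto out;`, but the statement after the `out:` label is still the old `return 0;`. A failed dvb_usb_generic_rw() is therefore reported as success with `*ber` / `*strength` left unwritten. Both functions should end with `return ret;`, as cinergyt2_fe_read_status, cinergyt2_fe_read_unc_blocks and cinergyt2_fe_read_snr in this same hunk already do.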
48710@@ -266,35 +339,46 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend *fe)
48711 {
48712 struct dtv_frontend_properties *fep = &fe->dtv_property_cache;
48713 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48714- struct dvbt_set_parameters_msg param;
48715- char result[2];
48716+ struct dvbt_set_parameters_msg *param;
48717+ char *result;
48718 int err;
48719
48720- param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
48721- param.tps = cpu_to_le16(compute_tps(fep));
48722- param.freq = cpu_to_le32(fep->frequency / 1000);
48723- param.flags = 0;
48724+ result = kmalloc(2, GFP_KERNEL);
48725+ if (result == NULL)
48726+ return -ENOMEM;
48727+ param = kmalloc(sizeof(*param), GFP_KERNEL);
48728+ if (param == NULL) {
48729+ kfree(result);
48730+ return -ENOMEM;
48731+ }
48732+
48733+ param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
48734+ param->tps = cpu_to_le16(compute_tps(fep));
48735+ param->freq = cpu_to_le32(fep->frequency / 1000);
48736+ param->flags = 0;
48737
48738 switch (fep->bandwidth_hz) {
48739 default:
48740 case 8000000:
48741- param.bandwidth = 8;
48742+ param->bandwidth = 8;
48743 break;
48744 case 7000000:
48745- param.bandwidth = 7;
48746+ param->bandwidth = 7;
48747 break;
48748 case 6000000:
48749- param.bandwidth = 6;
48750+ param->bandwidth = 6;
48751 break;
48752 }
48753
48754 err = dvb_usb_generic_rw(state->d,
48755- (char *)&param, sizeof(param),
48756- result, sizeof(result), 0);
48757+ (char *)param, sizeof(*param),
48758+ result, 2, 0);
48759 if (err < 0)
48760 err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
48761
48762- return (err < 0) ? err : 0;
48763+ kfree(result);
48764+ kfree(param);
48765+ return err;
48766 }
48767
48768 static void cinergyt2_fe_release(struct dvb_frontend *fe)
48769diff --git a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48770index 733a7ff..f8b52e3 100644
48771--- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48772+++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48773@@ -35,42 +35,57 @@ static int usb_cypress_writemem(struct usb_device *udev,u16 addr,u8 *data, u8 le
48774
48775 int usb_cypress_load_firmware(struct usb_device *udev, const struct firmware *fw, int type)
48776 {
48777- struct hexline hx;
48778- u8 reset;
48779+ struct hexline *hx;
48780+ u8 *reset;
48781 int ret,pos=0;
48782
48783+ reset = kmalloc(1, GFP_KERNEL);
48784+ if (reset == NULL)
48785+ return -ENOMEM;
48786+
48787+ hx = kmalloc(sizeof(struct hexline), GFP_KERNEL);
48788+ if (hx == NULL) {
48789+ kfree(reset);
48790+ return -ENOMEM;
48791+ }
48792+
48793 /* stop the CPU */
48794- reset = 1;
48795- if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1)) != 1)
48796+ reset[0] = 1;
48797+ if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1)) != 1)
48798 err("could not stop the USB controller CPU.");
48799
48800- while ((ret = dvb_usb_get_hexline(fw,&hx,&pos)) > 0) {
48801- deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx.addr,hx.len,hx.chk);
48802- ret = usb_cypress_writemem(udev,hx.addr,hx.data,hx.len);
48803+ while ((ret = dvb_usb_get_hexline(fw,hx,&pos)) > 0) {
48804+ deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx->addr,hx->len,hx->chk);
48805+ ret = usb_cypress_writemem(udev,hx->addr,hx->data,hx->len);
48806
48807- if (ret != hx.len) {
48808+ if (ret != hx->len) {
48809 err("error while transferring firmware "
48810 "(transferred size: %d, block size: %d)",
48811- ret,hx.len);
48812+ ret,hx->len);
48813 ret = -EINVAL;
48814 break;
48815 }
48816 }
48817 if (ret < 0) {
48818 err("firmware download failed at %d with %d",pos,ret);
48819+ kfree(reset);
48820+ kfree(hx);
48821 return ret;
48822 }
48823
48824 if (ret == 0) {
48825 /* restart the CPU */
48826- reset = 0;
48827- if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1) != 1) {
48828+ reset[0] = 0;
48829+ if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1) != 1) {
48830 err("could not restart the USB controller CPU.");
48831 ret = -EINVAL;
48832 }
48833 } else
48834 ret = -EIO;
48835
48836+ kfree(reset);
48837+ kfree(hx);
48838+
48839 return ret;
48840 }
48841 EXPORT_SYMBOL(usb_cypress_load_firmware);
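Review bot: The two buffers are freed in two places, once on the `ret < 0` exit and once at the end of the function, which is easy to get out of step when another exit is added. A single cleanup label is the usual form: replace the `kfree(reset); kfree(hx); return ret;` in the error branch with `goto out;` and put `out:` in front of the final pair of kfree() calls. `kmalloc(sizeof(*hx), GFP_KERNEL)` would also keep the size tied to the variable rather than to the type name.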
48842diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
48843index 03f334d..0986492 100644
48844--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
48845+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
48846@@ -87,8 +87,11 @@ struct technisat_usb2_state {
48847 static int technisat_usb2_i2c_access(struct usb_device *udev,
48848 u8 device_addr, u8 *tx, u8 txlen, u8 *rx, u8 rxlen)
48849 {
48850- u8 b[64];
48851- int ret, actual_length;
48852+ u8 *b = kmalloc(64, GFP_KERNEL);
48853+ int ret, actual_length, error = 0;
48854+
48855+ if (b == NULL)
48856+ return -ENOMEM;
48857
48858 deb_i2c("i2c-access: %02x, tx: ", device_addr);
48859 debug_dump(tx, txlen, deb_i2c);
48860@@ -121,7 +124,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48861
48862 if (ret < 0) {
48863 err("i2c-error: out failed %02x = %d", device_addr, ret);
48864- return -ENODEV;
48865+ error = -ENODEV;
48866+ goto out;
48867 }
48868
48869 ret = usb_bulk_msg(udev,
48870@@ -129,7 +133,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48871 b, 64, &actual_length, 1000);
48872 if (ret < 0) {
48873 err("i2c-error: in failed %02x = %d", device_addr, ret);
48874- return -ENODEV;
48875+ error = -ENODEV;
48876+ goto out;
48877 }
48878
48879 if (b[0] != I2C_STATUS_OK) {
48880@@ -137,8 +142,10 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48881 /* handle tuner-i2c-nak */
48882 if (!(b[0] == I2C_STATUS_NAK &&
48883 device_addr == 0x60
48884- /* && device_is_technisat_usb2 */))
48885- return -ENODEV;
48886+ /* && device_is_technisat_usb2 */)) {
48887+ error = -ENODEV;
48888+ goto out;
48889+ }
48890 }
48891
48892 deb_i2c("status: %d, ", b[0]);
48893@@ -152,7 +159,9 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48894
48895 deb_i2c("\n");
48896
48897- return 0;
48898+out:
48899+ kfree(b);
48900+ return error;
48901 }
48902
48903 static int technisat_usb2_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msg,
48904@@ -224,14 +233,16 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni
48905 {
48906 int ret;
48907
48908- u8 led[8] = {
48909- red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST,
48910- 0
48911- };
48912+ u8 *led = kzalloc(8, GFP_KERNEL);
48913+
48914+ if (led == NULL)
48915+ return -ENOMEM;
48916
48917 if (disable_led_control && state != TECH_LED_OFF)
48918 return 0;
48919
48920+ led[0] = red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST;
48921+
48922 switch (state) {
48923 case TECH_LED_ON:
48924 led[1] = 0x82;
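Review bot: `led` is allocated in its declaration, so the `return 0;` taken when `disable_led_control && state != TECH_LED_OFF` leaks the 8-byte buffer each time that path is taken. Either test the module parameter before allocating or free on that path: `if (disable_led_control && state != TECH_LED_OFF) { kfree(led); return 0; }`. The same pattern is visible in the next hunk, where technisat_usb2_set_led_timer returns `-EAGAIN` from the failed `mutex_lock_interruptible()` without freeing `b`. The lock acquisition in this function and in technisat_usb2_get_ir lies outside the hunks shown, so any early return there should be checked for the same leak.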
48925@@ -263,16 +274,22 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni
48926 red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST,
48927 USB_TYPE_VENDOR | USB_DIR_OUT,
48928 0, 0,
48929- led, sizeof(led), 500);
48930+ led, 8, 500);
48931
48932 mutex_unlock(&d->i2c_mutex);
48933+
48934+ kfree(led);
48935+
48936 return ret;
48937 }
48938
48939 static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 green)
48940 {
48941 int ret;
48942- u8 b = 0;
48943+ u8 *b = kzalloc(1, GFP_KERNEL);
48944+
48945+ if (b == NULL)
48946+ return -ENOMEM;
48947
48948 if (mutex_lock_interruptible(&d->i2c_mutex) < 0)
48949 return -EAGAIN;
48950@@ -281,10 +298,12 @@ static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 gre
48951 SET_LED_TIMER_DIVIDER_VENDOR_REQUEST,
48952 USB_TYPE_VENDOR | USB_DIR_OUT,
48953 (red << 8) | green, 0,
48954- &b, 1, 500);
48955+ b, 1, 500);
48956
48957 mutex_unlock(&d->i2c_mutex);
48958
48959+ kfree(b);
48960+
48961 return ret;
48962 }
48963
48964@@ -328,7 +347,7 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48965 struct dvb_usb_device_description **desc, int *cold)
48966 {
48967 int ret;
48968- u8 version[3];
48969+ u8 *version = kmalloc(3, GFP_KERNEL);
48970
48971 /* first select the interface */
48972 if (usb_set_interface(udev, 0, 1) != 0)
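Review bot: `version` is allocated with `kmalloc`, while the LED buffers converted in this file use `kzalloc`, so a control transfer that returns fewer than 3 bytes leaves part of the buffer as uninitialised heap. Whether those bytes are read afterwards is not visible here (the success branch lies between hunks), but `u8 *version = kzalloc(3, GFP_KERNEL);` costs nothing and removes the question. The NULL check is also deferred to the next hunk and returns 0 with `*cold = 0`, so an allocation failure is reported to the caller as a warm device. If that is intentional, a one-line comment saying so would help.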
48973@@ -338,11 +357,14 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48974
48975 *cold = 0; /* by default do not download a firmware - just in case something is wrong */
48976
48977+ if (version == NULL)
48978+ return 0;
48979+
48980 ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
48981 GET_VERSION_INFO_VENDOR_REQUEST,
48982 USB_TYPE_VENDOR | USB_DIR_IN,
48983 0, 0,
48984- version, sizeof(version), 500);
48985+ version, 3, 500);
48986
48987 if (ret < 0)
48988 *cold = 1;
48989@@ -351,6 +373,8 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48990 *cold = 0;
48991 }
48992
48993+ kfree(version);
48994+
48995 return 0;
48996 }
48997
48998@@ -594,10 +618,15 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
48999
49000 static int technisat_usb2_get_ir(struct dvb_usb_device *d)
49001 {
49002- u8 buf[62], *b;
49003+ u8 *buf, *b;
49004 int ret;
49005 struct ir_raw_event ev;
49006
49007+ buf = kmalloc(62, GFP_KERNEL);
49008+
49009+ if (buf == NULL)
49010+ return -ENOMEM;
49011+
49012 buf[0] = GET_IR_DATA_VENDOR_REQUEST;
49013 buf[1] = 0x08;
49014 buf[2] = 0x8f;
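Review bot: The buffer length 62 is now written out twice, once in `kmalloc(62, GFP_KERNEL)` here and once as the length passed to `usb_control_msg()` in the next hunk, where `sizeof(buf)` used to tie the two together. A named constant such as `#define TECHNISAT_IR_BUF_LEN 62` (name constructed for illustration) used in both places would stop the allocation size and the IN-transfer length from drifting apart, which would otherwise let the transfer write past the allocation. The same applies to the literal 8 and 3 in the set_led and identify_state hunks.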
49015@@ -620,16 +649,20 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
49016 GET_IR_DATA_VENDOR_REQUEST,
49017 USB_TYPE_VENDOR | USB_DIR_IN,
49018 0x8080, 0,
49019- buf, sizeof(buf), 500);
49020+ buf, 62, 500);
49021
49022 unlock:
49023 mutex_unlock(&d->i2c_mutex);
49024
49025- if (ret < 0)
49026+ if (ret < 0) {
49027+ kfree(buf);
49028 return ret;
49029+ }
49030
49031- if (ret == 1)
49032+ if (ret == 1) {
49033+ kfree(buf);
49034 return 0; /* no key pressed */
49035+ }
49036
49037 /* decoding */
49038 b = buf+1;
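Review bot: Only `ret < 0` and `ret == 1` are checked before decoding starts at `b = buf+1`, and nothing in this hunk ties the decode to the number of bytes actually received. Because `buf` now comes from `kmalloc` rather than a zeroed buffer, any byte beyond `ret` is stale heap content. The loop that follows is outside this hunk, so confirm that it stops at `buf + ret` and never runs past the 62-byte allocation; if it relies on a terminator byte from the device, add an explicit bound. Separately, the three `kfree(buf)` calls could collapse into a single exit label, which makes it harder to miss a path in later edits.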
49039@@ -656,6 +689,8 @@ unlock:
49040
49041 ir_raw_event_handle(d->rc_dev);
49042
49043+ kfree(buf);
49044+
49045 return 1;
49046 }
49047
49048diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
49049index af63543..0436f20 100644
49050--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
49051+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
49052@@ -429,7 +429,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
49053 * by passing a very big num_planes value */
49054 uplane = compat_alloc_user_space(num_planes *
49055 sizeof(struct v4l2_plane));
49056- kp->m.planes = (__force struct v4l2_plane *)uplane;
49057+ kp->m.planes = (__force_kernel struct v4l2_plane *)uplane;
49058
49059 while (--num_planes >= 0) {
49060 ret = get_v4l2_plane32(uplane, uplane32, kp->memory);
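Review bot: The cast on `kp->m.planes` deserves a comment, because after this line a field typed as a kernel pointer holds the user-space address returned by `compat_alloc_user_space()`. Something like `/* m.planes carries a __user pointer here; access it only through the uaccess helpers */` next to the `__force_kernel` cast would make the address-space switch explicit for readers who do not know the annotation. The same applies to the `kp->base`, `kp->controls` and `kp->edid` assignments in the later hunks of this file. get_v4l2_buffer32 starts and ends outside this hunk.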
49061@@ -500,7 +500,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
49062 if (num_planes == 0)
49063 return 0;
49064
49065- uplane = (__force struct v4l2_plane __user *)kp->m.planes;
49066+ uplane = (struct v4l2_plane __force_user *)kp->m.planes;
49067 if (get_user(p, &up->m.planes))
49068 return -EFAULT;
49069 uplane32 = compat_ptr(p);
49070@@ -564,7 +564,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame
49071 get_user(kp->flags, &up->flags) ||
49072 copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt)))
49073 return -EFAULT;
49074- kp->base = (__force void *)compat_ptr(tmp);
49075+ kp->base = (__force_kernel void *)compat_ptr(tmp);
49076 return 0;
49077 }
49078
49079@@ -669,7 +669,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext
49080 n * sizeof(struct v4l2_ext_control32)))
49081 return -EFAULT;
49082 kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control));
49083- kp->controls = (__force struct v4l2_ext_control *)kcontrols;
49084+ kp->controls = (__force_kernel struct v4l2_ext_control *)kcontrols;
49085 while (--n >= 0) {
49086 u32 id;
49087
49088@@ -696,7 +696,7 @@ static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext
49089 {
49090 struct v4l2_ext_control32 __user *ucontrols;
49091 struct v4l2_ext_control __user *kcontrols =
49092- (__force struct v4l2_ext_control __user *)kp->controls;
49093+ (struct v4l2_ext_control __force_user *)kp->controls;
49094 int n = kp->count;
49095 compat_caddr_t p;
49096
49097@@ -780,7 +780,7 @@ static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
49098 get_user(tmp, &up->edid) ||
49099 copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
49100 return -EFAULT;
49101- kp->edid = (__force u8 *)compat_ptr(tmp);
49102+ kp->edid = (__force_kernel u8 *)compat_ptr(tmp);
49103 return 0;
49104 }
49105
49106diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c
49107index 5b0a30b..1974b38 100644
49108--- a/drivers/media/v4l2-core/v4l2-device.c
49109+++ b/drivers/media/v4l2-core/v4l2-device.c
49110@@ -74,9 +74,9 @@ int v4l2_device_put(struct v4l2_device *v4l2_dev)
49111 EXPORT_SYMBOL_GPL(v4l2_device_put);
49112
49113 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
49114- atomic_t *instance)
49115+ atomic_unchecked_t *instance)
49116 {
49117- int num = atomic_inc_return(instance) - 1;
49118+ int num = atomic_inc_return_unchecked(instance) - 1;
49119 int len = strlen(basename);
49120
49121 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
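Review bot: Switching `instance` to `atomic_unchecked_t` appears to opt this counter out of the overflow detection that plain `atomic_t` gets under this patch set, and the reason is not recorded where the choice is made. The visible code only uses the value as `num`, which suggests it is a naming counter where wrap-around is harmless. A short comment such as `/* naming counter, not a reference count: overflow is benign */` would stop a later edit from copying the `_unchecked` variant onto a real refcount. The function body continues outside the hunk.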
49122diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
49123index 85de455..4987854 100644
49124--- a/drivers/media/v4l2-core/v4l2-ioctl.c
49125+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
49126@@ -2341,7 +2341,8 @@ struct v4l2_ioctl_info {
49127 struct file *file, void *fh, void *p);
49128 } u;
49129 void (*debug)(const void *arg, bool write_only);
49130-};
49131+} __do_const;
49132+typedef struct v4l2_ioctl_info __no_const v4l2_ioctl_info_no_const;
49133
49134 /* This control needs a priority check */
49135 #define INFO_FL_PRIO (1 << 0)
49136@@ -2525,7 +2526,7 @@ static long __video_do_ioctl(struct file *file,
49137 struct video_device *vfd = video_devdata(file);
49138 const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;
49139 bool write_only = false;
49140- struct v4l2_ioctl_info default_info;
49141+ v4l2_ioctl_info_no_const default_info;
49142 const struct v4l2_ioctl_info *info;
49143 void *fh = file->private_data;
49144 struct v4l2_fh *vfh = NULL;
49145@@ -2616,7 +2617,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
49146 ret = -EINVAL;
49147 break;
49148 }
49149- *user_ptr = (void __user *)buf->m.planes;
49150+ *user_ptr = (void __force_user *)buf->m.planes;
49151 *kernel_ptr = (void **)&buf->m.planes;
49152 *array_size = sizeof(struct v4l2_plane) * buf->length;
49153 ret = 1;
49154@@ -2633,7 +2634,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
49155 ret = -EINVAL;
49156 break;
49157 }
49158- *user_ptr = (void __user *)edid->edid;
49159+ *user_ptr = (void __force_user *)edid->edid;
49160 *kernel_ptr = (void **)&edid->edid;
49161 *array_size = edid->blocks * 128;
49162 ret = 1;
49163@@ -2651,7 +2652,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
49164 ret = -EINVAL;
49165 break;
49166 }
49167- *user_ptr = (void __user *)ctrls->controls;
49168+ *user_ptr = (void __force_user *)ctrls->controls;
49169 *kernel_ptr = (void **)&ctrls->controls;
49170 *array_size = sizeof(struct v4l2_ext_control)
49171 * ctrls->count;
49172@@ -2752,7 +2753,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
49173 }
49174
49175 if (has_array_args) {
49176- *kernel_ptr = (void __force *)user_ptr;
49177+ *kernel_ptr = (void __force_kernel *)user_ptr;
49178 if (copy_to_user(user_ptr, mbuf, array_size))
49179 err = -EFAULT;
49180 goto out_array_args;
49181diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
49182index 9426276..9abd11e 100644
49183--- a/drivers/memory/omap-gpmc.c
49184+++ b/drivers/memory/omap-gpmc.c
49185@@ -232,7 +232,6 @@ struct omap3_gpmc_regs {
49186 };
49187
49188 static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ];
49189-static struct irq_chip gpmc_irq_chip;
49190 static int gpmc_irq_start;
49191
49192 static struct resource gpmc_mem_root;
49193@@ -1146,6 +1145,17 @@ static void gpmc_irq_noop(struct irq_data *data) { }
49194
49195 static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; }
49196
49197+static struct irq_chip gpmc_irq_chip = {
49198+ .name = "gpmc",
49199+ .irq_startup = gpmc_irq_noop_ret,
49200+ .irq_enable = gpmc_irq_enable,
49201+ .irq_disable = gpmc_irq_disable,
49202+ .irq_shutdown = gpmc_irq_noop,
49203+ .irq_ack = gpmc_irq_noop,
49204+ .irq_mask = gpmc_irq_noop,
49205+ .irq_unmask = gpmc_irq_noop,
49206+};
49207+
49208 static int gpmc_setup_irq(void)
49209 {
49210 int i;
49211@@ -1160,15 +1170,6 @@ static int gpmc_setup_irq(void)
49212 return gpmc_irq_start;
49213 }
49214
49215- gpmc_irq_chip.name = "gpmc";
49216- gpmc_irq_chip.irq_startup = gpmc_irq_noop_ret;
49217- gpmc_irq_chip.irq_enable = gpmc_irq_enable;
49218- gpmc_irq_chip.irq_disable = gpmc_irq_disable;
49219- gpmc_irq_chip.irq_shutdown = gpmc_irq_noop;
49220- gpmc_irq_chip.irq_ack = gpmc_irq_noop;
49221- gpmc_irq_chip.irq_mask = gpmc_irq_noop;
49222- gpmc_irq_chip.irq_unmask = gpmc_irq_noop;
49223-
49224 gpmc_client_irq[0].bitmask = GPMC_IRQ_FIFOEVENTENABLE;
49225 gpmc_client_irq[1].bitmask = GPMC_IRQ_COUNT_EVENT;
49226
49227diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
49228index 5dcc031..e08ecd2 100644
49229--- a/drivers/message/fusion/mptbase.c
49230+++ b/drivers/message/fusion/mptbase.c
49231@@ -6722,8 +6722,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
49232 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
49233 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
49234
49235+#ifdef CONFIG_GRKERNSEC_HIDESYM
49236+ seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
49237+#else
49238 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
49239 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
49240+#endif
49241+
49242 /*
49243 * Rounding UP to nearest 4-kB boundary here...
49244 */
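Review bot: The two pointer-hiding hunks in mpt_iocinfo_proc_show use different shapes: here the whole `seq_printf` is duplicated under `#ifdef CONFIG_GRKERNSEC_HIDESYM`, while the `Frames @` line in the next hunk guards only the arguments inside the call. Duplicating the format string invites the two branches to drift apart, so I would pick one form, for example computing the two values into locals under the `#ifdef` and keeping a single `seq_printf`. It is also worth checking that no other `%p` in this proc handler, outside the visible hunks, still prints `ioc` addresses.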
49245@@ -6736,7 +6741,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
49246 ioc->facts.GlobalCredits);
49247
49248 seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n",
49249+#ifdef CONFIG_GRKERNSEC_HIDESYM
49250+ NULL, NULL);
49251+#else
49252 (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma);
49253+#endif
49254 sz = (ioc->reply_sz * ioc->reply_depth) + 128;
49255 seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n",
49256 ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz);
49257diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
49258index 005a88b..5a90fbb 100644
49259--- a/drivers/message/fusion/mptsas.c
49260+++ b/drivers/message/fusion/mptsas.c
49261@@ -446,6 +446,23 @@ mptsas_is_end_device(struct mptsas_devinfo * attached)
49262 return 0;
49263 }
49264
49265+static inline void
49266+mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
49267+{
49268+ if (phy_info->port_details) {
49269+ phy_info->port_details->rphy = rphy;
49270+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
49271+ ioc->name, rphy));
49272+ }
49273+
49274+ if (rphy) {
49275+ dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
49276+ &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
49277+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
49278+ ioc->name, rphy, rphy->dev.release));
49279+ }
49280+}
49281+
49282 /* no mutex */
49283 static void
49284 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
49285@@ -484,23 +501,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *phy_info)
49286 return NULL;
49287 }
49288
49289-static inline void
49290-mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
49291-{
49292- if (phy_info->port_details) {
49293- phy_info->port_details->rphy = rphy;
49294- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
49295- ioc->name, rphy));
49296- }
49297-
49298- if (rphy) {
49299- dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
49300- &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
49301- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
49302- ioc->name, rphy, rphy->dev.release));
49303- }
49304-}
49305-
49306 static inline struct sas_port *
49307 mptsas_get_port(struct mptsas_phyinfo *phy_info)
49308 {
49309diff --git a/drivers/mfd/ab8500-debugfs.c b/drivers/mfd/ab8500-debugfs.c
49310index 0236cd7..53b10d7 100644
49311--- a/drivers/mfd/ab8500-debugfs.c
49312+++ b/drivers/mfd/ab8500-debugfs.c
49313@@ -100,7 +100,7 @@ static int irq_last;
49314 static u32 *irq_count;
49315 static int num_irqs;
49316
49317-static struct device_attribute **dev_attr;
49318+static device_attribute_no_const **dev_attr;
49319 static char **event_name;
49320
49321 static u8 avg_sample = SAMPLE_16;
49322diff --git a/drivers/mfd/kempld-core.c b/drivers/mfd/kempld-core.c
49323index 8057849..0550fdf 100644
49324--- a/drivers/mfd/kempld-core.c
49325+++ b/drivers/mfd/kempld-core.c
49326@@ -499,7 +499,7 @@ static struct platform_driver kempld_driver = {
49327 .remove = kempld_remove,
49328 };
49329
49330-static struct dmi_system_id kempld_dmi_table[] __initdata = {
49331+static const struct dmi_system_id kempld_dmi_table[] __initconst = {
49332 {
49333 .ident = "BHL6",
49334 .matches = {
49335diff --git a/drivers/mfd/max8925-i2c.c b/drivers/mfd/max8925-i2c.c
49336index c880c89..45a7c68 100644
49337--- a/drivers/mfd/max8925-i2c.c
49338+++ b/drivers/mfd/max8925-i2c.c
49339@@ -152,7 +152,7 @@ static int max8925_probe(struct i2c_client *client,
49340 const struct i2c_device_id *id)
49341 {
49342 struct max8925_platform_data *pdata = dev_get_platdata(&client->dev);
49343- static struct max8925_chip *chip;
49344+ struct max8925_chip *chip;
49345 struct device_node *node = client->dev.of_node;
49346
49347 if (node && !pdata) {
49348diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c
49349index 7612d89..70549c2 100644
49350--- a/drivers/mfd/tps65910.c
49351+++ b/drivers/mfd/tps65910.c
49352@@ -230,7 +230,7 @@ static int tps65910_irq_init(struct tps65910 *tps65910, int irq,
49353 struct tps65910_platform_data *pdata)
49354 {
49355 int ret = 0;
49356- static struct regmap_irq_chip *tps6591x_irqs_chip;
49357+ struct regmap_irq_chip *tps6591x_irqs_chip;
49358
49359 if (!irq) {
49360 dev_warn(tps65910->dev, "No interrupt support, no core IRQ\n");
49361diff --git a/drivers/mfd/twl4030-irq.c b/drivers/mfd/twl4030-irq.c
49362index a3fa7f4..eac02ef 100644
49363--- a/drivers/mfd/twl4030-irq.c
49364+++ b/drivers/mfd/twl4030-irq.c
49365@@ -34,6 +34,7 @@
49366 #include <linux/of.h>
49367 #include <linux/irqdomain.h>
49368 #include <linux/i2c/twl.h>
49369+#include <asm/pgtable.h>
49370
49371 #include "twl-core.h"
49372
49373@@ -729,10 +730,12 @@ int twl4030_init_irq(struct device *dev, int irq_num)
49374 * Install an irq handler for each of the SIH modules;
49375 * clone dummy irq_chip since PIH can't *do* anything
49376 */
49377- twl4030_irq_chip = dummy_irq_chip;
49378- twl4030_irq_chip.name = "twl4030";
49379+ pax_open_kernel();
49380+ memcpy((void *)&twl4030_irq_chip, &dummy_irq_chip, sizeof twl4030_irq_chip);
49381+ *(const char **)&twl4030_irq_chip.name = "twl4030";
49382
49383- twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;
49384+ *(void **)&twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;
49385+ pax_close_kernel();
49386
49387 for (i = irq_base; i < irq_end; i++) {
49388 irq_set_chip_and_handler(i, &twl4030_irq_chip,
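Review bot: The const-discarding casts between `pax_open_kernel()` and `pax_close_kernel()` need a comment saying why they are there, since `*(const char **)&twl4030_irq_chip.name = "twl4030";` reads like a mistake without context. I would add `/* irq_chip objects are presumably read-only once constified; write them only inside the open/close window */` above `pax_open_kernel()`. It is also worth stating that nothing inside the window may return early, so a later edit does not leave the window open on an error path. twl4030_init_irq extends beyond this hunk.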
49389diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c
49390index 464419b..64bae8d 100644
49391--- a/drivers/misc/c2port/core.c
49392+++ b/drivers/misc/c2port/core.c
49393@@ -922,7 +922,9 @@ struct c2port_device *c2port_device_register(char *name,
49394 goto error_idr_alloc;
49395 c2dev->id = ret;
49396
49397- bin_attr_flash_data.size = ops->blocks_num * ops->block_size;
49398+ pax_open_kernel();
49399+ *(size_t *)&bin_attr_flash_data.size = ops->blocks_num * ops->block_size;
49400+ pax_close_kernel();
49401
49402 c2dev->dev = device_create(c2port_class, NULL, 0, c2dev,
49403 "c2port%d", c2dev->id);
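Review bot: `bin_attr_flash_data.size` is written on every c2port_device_register() call and is not reached through `c2dev`, so it looks like one shared attribute whose size ends up reflecting whichever device registered last. Since the write now has to be wrapped in `pax_open_kernel()`, a per-device copy of the attribute, filled in before it is published, would avoid both the shared state and the need to open the write window at registration time. The product `ops->blocks_num * ops->block_size` is also stored without an overflow check; the operand types are not visible here, so confirm it cannot wrap. The sunxi_sid hunk below has the same shared-attribute pattern with `sid_bin_attr.size`.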
49404diff --git a/drivers/misc/eeprom/sunxi_sid.c b/drivers/misc/eeprom/sunxi_sid.c
49405index 8385177..2f54635 100644
49406--- a/drivers/misc/eeprom/sunxi_sid.c
49407+++ b/drivers/misc/eeprom/sunxi_sid.c
49408@@ -126,7 +126,9 @@ static int sunxi_sid_probe(struct platform_device *pdev)
49409
49410 platform_set_drvdata(pdev, sid_data);
49411
49412- sid_bin_attr.size = sid_data->keysize;
49413+ pax_open_kernel();
49414+ *(size_t *)&sid_bin_attr.size = sid_data->keysize;
49415+ pax_close_kernel();
49416 if (device_create_bin_file(&pdev->dev, &sid_bin_attr))
49417 return -ENODEV;
49418
49419diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
49420index 9a60bd4..cee2069 100644
49421--- a/drivers/misc/kgdbts.c
49422+++ b/drivers/misc/kgdbts.c
49423@@ -834,7 +834,7 @@ static void run_plant_and_detach_test(int is_early)
49424 char before[BREAK_INSTR_SIZE];
49425 char after[BREAK_INSTR_SIZE];
49426
49427- probe_kernel_read(before, (char *)kgdbts_break_test,
49428+ probe_kernel_read(before, (void *)ktla_ktva((unsigned long)kgdbts_break_test),
49429 BREAK_INSTR_SIZE);
49430 init_simple_test();
49431 ts.tst = plant_and_detach_test;
49432@@ -842,7 +842,7 @@ static void run_plant_and_detach_test(int is_early)
49433 /* Activate test with initial breakpoint */
49434 if (!is_early)
49435 kgdb_breakpoint();
49436- probe_kernel_read(after, (char *)kgdbts_break_test,
49437+ probe_kernel_read(after, (void *)ktla_ktva((unsigned long)kgdbts_break_test),
49438 BREAK_INSTR_SIZE);
49439 if (memcmp(before, after, BREAK_INSTR_SIZE)) {
49440 printk(KERN_CRIT "kgdbts: ERROR kgdb corrupted memory\n");
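Review bot: Both changed `probe_kernel_read()` calls ignore the return value, and `before`/`after` are uninitialised stack arrays, so if either read fails the following `memcmp` compares indeterminate bytes and the test verdict is meaningless. Checking the result is worth adding while these lines are being touched, e.g. `if (probe_kernel_read(after, (void *)ktla_ktva((unsigned long)kgdbts_break_test), BREAK_INSTR_SIZE)) return;` with a matching error message. The `before` read is in the previous hunk, and run_plant_and_detach_test continues outside both hunks.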
49441diff --git a/drivers/misc/lis3lv02d/lis3lv02d.c b/drivers/misc/lis3lv02d/lis3lv02d.c
49442index fb8705f..dc2f679 100644
49443--- a/drivers/misc/lis3lv02d/lis3lv02d.c
49444+++ b/drivers/misc/lis3lv02d/lis3lv02d.c
49445@@ -497,7 +497,7 @@ static irqreturn_t lis302dl_interrupt(int irq, void *data)
49446 * the lid is closed. This leads to interrupts as soon as a little move
49447 * is done.
49448 */
49449- atomic_inc(&lis3->count);
49450+ atomic_inc_unchecked(&lis3->count);
49451
49452 wake_up_interruptible(&lis3->misc_wait);
49453 kill_fasync(&lis3->async_queue, SIGIO, POLL_IN);
49454@@ -583,7 +583,7 @@ static int lis3lv02d_misc_open(struct inode *inode, struct file *file)
49455 if (lis3->pm_dev)
49456 pm_runtime_get_sync(lis3->pm_dev);
49457
49458- atomic_set(&lis3->count, 0);
49459+ atomic_set_unchecked(&lis3->count, 0);
49460 return 0;
49461 }
49462
49463@@ -615,7 +615,7 @@ static ssize_t lis3lv02d_misc_read(struct file *file, char __user *buf,
49464 add_wait_queue(&lis3->misc_wait, &wait);
49465 while (true) {
49466 set_current_state(TASK_INTERRUPTIBLE);
49467- data = atomic_xchg(&lis3->count, 0);
49468+ data = atomic_xchg_unchecked(&lis3->count, 0);
49469 if (data)
49470 break;
49471
49472@@ -656,7 +656,7 @@ static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
49473 struct lis3lv02d, miscdev);
49474
49475 poll_wait(file, &lis3->misc_wait, wait);
49476- if (atomic_read(&lis3->count))
49477+ if (atomic_read_unchecked(&lis3->count))
49478 return POLLIN | POLLRDNORM;
49479 return 0;
49480 }
49481diff --git a/drivers/misc/lis3lv02d/lis3lv02d.h b/drivers/misc/lis3lv02d/lis3lv02d.h
49482index c439c82..1f20f57 100644
49483--- a/drivers/misc/lis3lv02d/lis3lv02d.h
49484+++ b/drivers/misc/lis3lv02d/lis3lv02d.h
49485@@ -297,7 +297,7 @@ struct lis3lv02d {
49486 struct input_polled_dev *idev; /* input device */
49487 struct platform_device *pdev; /* platform device */
49488 struct regulator_bulk_data regulators[2];
49489- atomic_t count; /* interrupt count after last read */
49490+ atomic_unchecked_t count; /* interrupt count after last read */
49491 union axis_conversion ac; /* hw -> logical axis */
49492 int mapped_btns[3];
49493
49494diff --git a/drivers/misc/mic/scif/scif_rb.c b/drivers/misc/mic/scif/scif_rb.c
49495index 637cc46..4fb1267 100644
49496--- a/drivers/misc/mic/scif/scif_rb.c
49497+++ b/drivers/misc/mic/scif/scif_rb.c
49498@@ -138,7 +138,7 @@ void scif_rb_commit(struct scif_rb *rb)
49499 * the read barrier in scif_rb_count(..)
49500 */
49501 wmb();
49502- ACCESS_ONCE(*rb->write_ptr) = rb->current_write_offset;
49503+ ACCESS_ONCE_RW(*rb->write_ptr) = rb->current_write_offset;
49504 #ifdef CONFIG_INTEL_MIC_CARD
49505 /*
49506 * X100 Si bug: For the case where a Core is performing an EXT_WR
49507@@ -147,7 +147,7 @@ void scif_rb_commit(struct scif_rb *rb)
49508 * This way, if ordering is violated for the Interrupt Message, it will
49509 * fall just behind the first Posted associated with the first EXT_WR.
49510 */
49511- ACCESS_ONCE(*rb->write_ptr) = rb->current_write_offset;
49512+ ACCESS_ONCE_RW(*rb->write_ptr) = rb->current_write_offset;
49513 #endif
49514 }
49515
49516@@ -210,7 +210,7 @@ void scif_rb_update_read_ptr(struct scif_rb *rb)
49517 * scif_rb_space(..)
49518 */
49519 mb();
49520- ACCESS_ONCE(*rb->read_ptr) = new_offset;
49521+ ACCESS_ONCE_RW(*rb->read_ptr) = new_offset;
49522 #ifdef CONFIG_INTEL_MIC_CARD
49523 /*
49524 * X100 Si Bug: For the case where a Core is performing an EXT_WR
49525@@ -219,7 +219,7 @@ void scif_rb_update_read_ptr(struct scif_rb *rb)
49526 * This way, if ordering is violated for the Interrupt Message, it will
49527 * fall just behind the first Posted associated with the first EXT_WR.
49528 */
49529- ACCESS_ONCE(*rb->read_ptr) = new_offset;
49530+ ACCESS_ONCE_RW(*rb->read_ptr) = new_offset;
49531 #endif
49532 }
49533
49534diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c
49535index 2f30bad..c4c13d0 100644
49536--- a/drivers/misc/sgi-gru/gruhandles.c
49537+++ b/drivers/misc/sgi-gru/gruhandles.c
49538@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op op, unsigned long clks)
49539 unsigned long nsec;
49540
49541 nsec = CLKS2NSEC(clks);
49542- atomic_long_inc(&mcs_op_statistics[op].count);
49543- atomic_long_add(nsec, &mcs_op_statistics[op].total);
49544+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
49545+ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
49546 if (mcs_op_statistics[op].max < nsec)
49547 mcs_op_statistics[op].max = nsec;
49548 }
49549diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
49550index 4f76359..cdfcb2e 100644
49551--- a/drivers/misc/sgi-gru/gruprocfs.c
49552+++ b/drivers/misc/sgi-gru/gruprocfs.c
49553@@ -32,9 +32,9 @@
49554
49555 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
49556
49557-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
49558+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
49559 {
49560- unsigned long val = atomic_long_read(v);
49561+ unsigned long val = atomic_long_read_unchecked(v);
49562
49563 seq_printf(s, "%16lu %s\n", val, id);
49564 }
49565@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct seq_file *s, void *p)
49566
49567 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
49568 for (op = 0; op < mcsop_last; op++) {
49569- count = atomic_long_read(&mcs_op_statistics[op].count);
49570- total = atomic_long_read(&mcs_op_statistics[op].total);
49571+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
49572+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
49573 max = mcs_op_statistics[op].max;
49574 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
49575 count ? total / count : 0, max);
49576diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
49577index 5c3ce24..4915ccb 100644
49578--- a/drivers/misc/sgi-gru/grutables.h
49579+++ b/drivers/misc/sgi-gru/grutables.h
49580@@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
49581 * GRU statistics.
49582 */
49583 struct gru_stats_s {
49584- atomic_long_t vdata_alloc;
49585- atomic_long_t vdata_free;
49586- atomic_long_t gts_alloc;
49587- atomic_long_t gts_free;
49588- atomic_long_t gms_alloc;
49589- atomic_long_t gms_free;
49590- atomic_long_t gts_double_allocate;
49591- atomic_long_t assign_context;
49592- atomic_long_t assign_context_failed;
49593- atomic_long_t free_context;
49594- atomic_long_t load_user_context;
49595- atomic_long_t load_kernel_context;
49596- atomic_long_t lock_kernel_context;
49597- atomic_long_t unlock_kernel_context;
49598- atomic_long_t steal_user_context;
49599- atomic_long_t steal_kernel_context;
49600- atomic_long_t steal_context_failed;
49601- atomic_long_t nopfn;
49602- atomic_long_t asid_new;
49603- atomic_long_t asid_next;
49604- atomic_long_t asid_wrap;
49605- atomic_long_t asid_reuse;
49606- atomic_long_t intr;
49607- atomic_long_t intr_cbr;
49608- atomic_long_t intr_tfh;
49609- atomic_long_t intr_spurious;
49610- atomic_long_t intr_mm_lock_failed;
49611- atomic_long_t call_os;
49612- atomic_long_t call_os_wait_queue;
49613- atomic_long_t user_flush_tlb;
49614- atomic_long_t user_unload_context;
49615- atomic_long_t user_exception;
49616- atomic_long_t set_context_option;
49617- atomic_long_t check_context_retarget_intr;
49618- atomic_long_t check_context_unload;
49619- atomic_long_t tlb_dropin;
49620- atomic_long_t tlb_preload_page;
49621- atomic_long_t tlb_dropin_fail_no_asid;
49622- atomic_long_t tlb_dropin_fail_upm;
49623- atomic_long_t tlb_dropin_fail_invalid;
49624- atomic_long_t tlb_dropin_fail_range_active;
49625- atomic_long_t tlb_dropin_fail_idle;
49626- atomic_long_t tlb_dropin_fail_fmm;
49627- atomic_long_t tlb_dropin_fail_no_exception;
49628- atomic_long_t tfh_stale_on_fault;
49629- atomic_long_t mmu_invalidate_range;
49630- atomic_long_t mmu_invalidate_page;
49631- atomic_long_t flush_tlb;
49632- atomic_long_t flush_tlb_gru;
49633- atomic_long_t flush_tlb_gru_tgh;
49634- atomic_long_t flush_tlb_gru_zero_asid;
49635+ atomic_long_unchecked_t vdata_alloc;
49636+ atomic_long_unchecked_t vdata_free;
49637+ atomic_long_unchecked_t gts_alloc;
49638+ atomic_long_unchecked_t gts_free;
49639+ atomic_long_unchecked_t gms_alloc;
49640+ atomic_long_unchecked_t gms_free;
49641+ atomic_long_unchecked_t gts_double_allocate;
49642+ atomic_long_unchecked_t assign_context;
49643+ atomic_long_unchecked_t assign_context_failed;
49644+ atomic_long_unchecked_t free_context;
49645+ atomic_long_unchecked_t load_user_context;
49646+ atomic_long_unchecked_t load_kernel_context;
49647+ atomic_long_unchecked_t lock_kernel_context;
49648+ atomic_long_unchecked_t unlock_kernel_context;
49649+ atomic_long_unchecked_t steal_user_context;
49650+ atomic_long_unchecked_t steal_kernel_context;
49651+ atomic_long_unchecked_t steal_context_failed;
49652+ atomic_long_unchecked_t nopfn;
49653+ atomic_long_unchecked_t asid_new;
49654+ atomic_long_unchecked_t asid_next;
49655+ atomic_long_unchecked_t asid_wrap;
49656+ atomic_long_unchecked_t asid_reuse;
49657+ atomic_long_unchecked_t intr;
49658+ atomic_long_unchecked_t intr_cbr;
49659+ atomic_long_unchecked_t intr_tfh;
49660+ atomic_long_unchecked_t intr_spurious;
49661+ atomic_long_unchecked_t intr_mm_lock_failed;
49662+ atomic_long_unchecked_t call_os;
49663+ atomic_long_unchecked_t call_os_wait_queue;
49664+ atomic_long_unchecked_t user_flush_tlb;
49665+ atomic_long_unchecked_t user_unload_context;
49666+ atomic_long_unchecked_t user_exception;
49667+ atomic_long_unchecked_t set_context_option;
49668+ atomic_long_unchecked_t check_context_retarget_intr;
49669+ atomic_long_unchecked_t check_context_unload;
49670+ atomic_long_unchecked_t tlb_dropin;
49671+ atomic_long_unchecked_t tlb_preload_page;
49672+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
49673+ atomic_long_unchecked_t tlb_dropin_fail_upm;
49674+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
49675+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
49676+ atomic_long_unchecked_t tlb_dropin_fail_idle;
49677+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
49678+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
49679+ atomic_long_unchecked_t tfh_stale_on_fault;
49680+ atomic_long_unchecked_t mmu_invalidate_range;
49681+ atomic_long_unchecked_t mmu_invalidate_page;
49682+ atomic_long_unchecked_t flush_tlb;
49683+ atomic_long_unchecked_t flush_tlb_gru;
49684+ atomic_long_unchecked_t flush_tlb_gru_tgh;
49685+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
49686
49687- atomic_long_t copy_gpa;
49688- atomic_long_t read_gpa;
49689+ atomic_long_unchecked_t copy_gpa;
49690+ atomic_long_unchecked_t read_gpa;
49691
49692- atomic_long_t mesq_receive;
49693- atomic_long_t mesq_receive_none;
49694- atomic_long_t mesq_send;
49695- atomic_long_t mesq_send_failed;
49696- atomic_long_t mesq_noop;
49697- atomic_long_t mesq_send_unexpected_error;
49698- atomic_long_t mesq_send_lb_overflow;
49699- atomic_long_t mesq_send_qlimit_reached;
49700- atomic_long_t mesq_send_amo_nacked;
49701- atomic_long_t mesq_send_put_nacked;
49702- atomic_long_t mesq_page_overflow;
49703- atomic_long_t mesq_qf_locked;
49704- atomic_long_t mesq_qf_noop_not_full;
49705- atomic_long_t mesq_qf_switch_head_failed;
49706- atomic_long_t mesq_qf_unexpected_error;
49707- atomic_long_t mesq_noop_unexpected_error;
49708- atomic_long_t mesq_noop_lb_overflow;
49709- atomic_long_t mesq_noop_qlimit_reached;
49710- atomic_long_t mesq_noop_amo_nacked;
49711- atomic_long_t mesq_noop_put_nacked;
49712- atomic_long_t mesq_noop_page_overflow;
49713+ atomic_long_unchecked_t mesq_receive;
49714+ atomic_long_unchecked_t mesq_receive_none;
49715+ atomic_long_unchecked_t mesq_send;
49716+ atomic_long_unchecked_t mesq_send_failed;
49717+ atomic_long_unchecked_t mesq_noop;
49718+ atomic_long_unchecked_t mesq_send_unexpected_error;
49719+ atomic_long_unchecked_t mesq_send_lb_overflow;
49720+ atomic_long_unchecked_t mesq_send_qlimit_reached;
49721+ atomic_long_unchecked_t mesq_send_amo_nacked;
49722+ atomic_long_unchecked_t mesq_send_put_nacked;
49723+ atomic_long_unchecked_t mesq_page_overflow;
49724+ atomic_long_unchecked_t mesq_qf_locked;
49725+ atomic_long_unchecked_t mesq_qf_noop_not_full;
49726+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
49727+ atomic_long_unchecked_t mesq_qf_unexpected_error;
49728+ atomic_long_unchecked_t mesq_noop_unexpected_error;
49729+ atomic_long_unchecked_t mesq_noop_lb_overflow;
49730+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
49731+ atomic_long_unchecked_t mesq_noop_amo_nacked;
49732+ atomic_long_unchecked_t mesq_noop_put_nacked;
49733+ atomic_long_unchecked_t mesq_noop_page_overflow;
49734
49735 };
49736
49737@@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start, cchop_interrupt, cchop_interrupt_sync,
49738 tghop_invalidate, mcsop_last};
49739
49740 struct mcs_op_statistic {
49741- atomic_long_t count;
49742- atomic_long_t total;
49743+ atomic_long_unchecked_t count;
49744+ atomic_long_unchecked_t total;
49745 unsigned long max;
49746 };
49747
49748@@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_statistics[mcsop_last];
49749
49750 #define STAT(id) do { \
49751 if (gru_options & OPT_STATS) \
49752- atomic_long_inc(&gru_stats.id); \
49753+ atomic_long_inc_unchecked(&gru_stats.id); \
49754 } while (0)
49755
49756 #ifdef CONFIG_SGI_GRU_DEBUG
49757diff --git a/drivers/misc/sgi-xp/xp.h b/drivers/misc/sgi-xp/xp.h
49758index c862cd4..0d176fe 100644
49759--- a/drivers/misc/sgi-xp/xp.h
49760+++ b/drivers/misc/sgi-xp/xp.h
49761@@ -288,7 +288,7 @@ struct xpc_interface {
49762 xpc_notify_func, void *);
49763 void (*received) (short, int, void *);
49764 enum xp_retval (*partid_to_nasids) (short, void *);
49765-};
49766+} __no_const;
49767
49768 extern struct xpc_interface xpc_interface;
49769
49770diff --git a/drivers/misc/sgi-xp/xp_main.c b/drivers/misc/sgi-xp/xp_main.c
49771index 01be66d..e3a0c7e 100644
49772--- a/drivers/misc/sgi-xp/xp_main.c
49773+++ b/drivers/misc/sgi-xp/xp_main.c
49774@@ -78,13 +78,13 @@ xpc_notloaded(void)
49775 }
49776
49777 struct xpc_interface xpc_interface = {
49778- (void (*)(int))xpc_notloaded,
49779- (void (*)(int))xpc_notloaded,
49780- (enum xp_retval(*)(short, int, u32, void *, u16))xpc_notloaded,
49781- (enum xp_retval(*)(short, int, u32, void *, u16, xpc_notify_func,
49782+ .connect = (void (*)(int))xpc_notloaded,
49783+ .disconnect = (void (*)(int))xpc_notloaded,
49784+ .send = (enum xp_retval(*)(short, int, u32, void *, u16))xpc_notloaded,
49785+ .send_notify = (enum xp_retval(*)(short, int, u32, void *, u16, xpc_notify_func,
49786 void *))xpc_notloaded,
49787- (void (*)(short, int, void *))xpc_notloaded,
49788- (enum xp_retval(*)(short, void *))xpc_notloaded
49789+ .received = (void (*)(short, int, void *))xpc_notloaded,
49790+ .partid_to_nasids = (enum xp_retval(*)(short, void *))xpc_notloaded
49791 };
49792 EXPORT_SYMBOL_GPL(xpc_interface);
49793
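Review bot: The designated initializers still install `xpc_notloaded` through casts to six different function-pointer types, so any call made through `xpc_interface` while these defaults are in place uses a pointer whose type does not match the callee. That is undefined behaviour in C, and it is the kind of mismatch a type-based indirect-call check would reject. Consider one typed stub per member, for example `static void xpc_connect_notloaded(int ch_number) { }` for `.connect`, with the `enum xp_retval` stubs returning `xpc_notloaded()`, so the casts can be dropped. The definition of `xpc_notloaded` begins above this hunk, so its exact signature should be confirmed there.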
49794diff --git a/drivers/misc/sgi-xp/xpc.h b/drivers/misc/sgi-xp/xpc.h
49795index b94d5f7..7f494c5 100644
49796--- a/drivers/misc/sgi-xp/xpc.h
49797+++ b/drivers/misc/sgi-xp/xpc.h
49798@@ -835,6 +835,7 @@ struct xpc_arch_operations {
49799 void (*received_payload) (struct xpc_channel *, void *);
49800 void (*notify_senders_of_disconnect) (struct xpc_channel *);
49801 };
49802+typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
49803
49804 /* struct xpc_partition act_state values (for XPC HB) */
49805
49806@@ -876,7 +877,7 @@ extern struct xpc_registration xpc_registrations[];
49807 /* found in xpc_main.c */
49808 extern struct device *xpc_part;
49809 extern struct device *xpc_chan;
49810-extern struct xpc_arch_operations xpc_arch_ops;
49811+extern xpc_arch_operations_no_const xpc_arch_ops;
49812 extern int xpc_disengage_timelimit;
49813 extern int xpc_disengage_timedout;
49814 extern int xpc_activate_IRQ_rcvd;
49815diff --git a/drivers/misc/sgi-xp/xpc_main.c b/drivers/misc/sgi-xp/xpc_main.c
49816index 7f32712..8539ab2 100644
49817--- a/drivers/misc/sgi-xp/xpc_main.c
49818+++ b/drivers/misc/sgi-xp/xpc_main.c
49819@@ -166,7 +166,7 @@ static struct notifier_block xpc_die_notifier = {
49820 .notifier_call = xpc_system_die,
49821 };
49822
49823-struct xpc_arch_operations xpc_arch_ops;
49824+xpc_arch_operations_no_const xpc_arch_ops;
49825
49826 /*
49827 * Timer function to enforce the timelimit on the partition disengage.
49828diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
49829index a1b820f..e299c58 100644
49830--- a/drivers/mmc/card/block.c
49831+++ b/drivers/mmc/card/block.c
49832@@ -579,7 +579,7 @@ static int mmc_blk_ioctl_cmd(struct block_device *bdev,
49833 if (idata->ic.postsleep_min_us)
49834 usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
49835
49836- if (copy_to_user(&(ic_ptr->response), cmd.resp, sizeof(cmd.resp))) {
49837+ if (copy_to_user(ic_ptr->response, cmd.resp, sizeof(cmd.resp))) {
49838 err = -EFAULT;
49839 goto cmd_rel_host;
49840 }
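Review bot: The copy length in `copy_to_user(ic_ptr->response, cmd.resp, sizeof(cmd.resp))` is taken from the kernel-side source, so nothing in the hunk ties it to the size of the user-visible `response` field. A compile-time check next to the call, `BUILD_BUG_ON(sizeof(cmd.resp) != sizeof(ic_ptr->response));`, would keep the two from drifting apart. Both declarations are outside the hunk, as is the rest of `mmc_blk_ioctl_cmd`, so this assumes `response` is an array member rather than a pointer.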
49841diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h
49842index 8ce4674..a23c858 100644
49843--- a/drivers/mmc/host/dw_mmc.h
49844+++ b/drivers/mmc/host/dw_mmc.h
49845@@ -286,5 +286,5 @@ struct dw_mci_drv_data {
49846 struct mmc_ios *ios);
49847 int (*switch_voltage)(struct mmc_host *mmc,
49848 struct mmc_ios *ios);
49849-};
49850+} __do_const;
49851 #endif /* _DW_MMC_H_ */
49852diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
49853index fb26674..3172c2b 100644
49854--- a/drivers/mmc/host/mmci.c
49855+++ b/drivers/mmc/host/mmci.c
49856@@ -1633,7 +1633,9 @@ static int mmci_probe(struct amba_device *dev,
49857 mmc->caps |= MMC_CAP_CMD23;
49858
49859 if (variant->busy_detect) {
49860- mmci_ops.card_busy = mmci_card_busy;
49861+ pax_open_kernel();
49862+ *(void **)&mmci_ops.card_busy = mmci_card_busy;
49863+ pax_close_kernel();
49864 mmci_write_datactrlreg(host, MCI_ST_DPSM_BUSYMODE);
49865 mmc->caps |= MMC_CAP_WAIT_WHILE_BUSY;
49866 mmc->max_busy_timeout = 0;
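Review bot: The write `*(void **)&mmci_ops.card_busy = mmci_card_busy;` goes through a `void **` cast, so the compiler no longer checks that `mmci_card_busy` matches the type of the `card_busy` member. It also patches what looks like a driver-wide ops table from a per-device probe, so one device with `busy_detect` set would change the callback for every host that shares `mmci_ops`; the declaration is outside the hunk, so that sharing is inferred. Two fully initialised `const` tables, with probe selecting one, would need neither the cast nor the `pax_open_kernel()` window. The same pattern appears in the `omap_hsmmc_probe`, `sdhci_esdhc_imx_probe` and `sdhci_s3c_probe` hunks below, and `altera_tse_probe` patches a shared table inside a window in the same way.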
49867diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
49868index 4d12032..2b0eb6d 100644
49869--- a/drivers/mmc/host/omap_hsmmc.c
49870+++ b/drivers/mmc/host/omap_hsmmc.c
49871@@ -1984,7 +1984,9 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
49872
49873 if (host->pdata->controller_flags & OMAP_HSMMC_BROKEN_MULTIBLOCK_READ) {
49874 dev_info(&pdev->dev, "multiblock reads disabled due to 35xx erratum 2.1.1.128; MMC read performance may suffer\n");
49875- omap_hsmmc_ops.multi_io_quirk = omap_hsmmc_multi_io_quirk;
49876+ pax_open_kernel();
49877+ *(void **)&omap_hsmmc_ops.multi_io_quirk = omap_hsmmc_multi_io_quirk;
49878+ pax_close_kernel();
49879 }
49880
49881 device_init_wakeup(&pdev->dev, true);
49882diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
49883index c6b9f64..00e656c 100644
49884--- a/drivers/mmc/host/sdhci-esdhc-imx.c
49885+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
49886@@ -1088,9 +1088,12 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev)
49887 host->ioaddr + 0x6c);
49888 }
49889
49890- if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING)
49891- sdhci_esdhc_ops.platform_execute_tuning =
49892+ if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) {
49893+ pax_open_kernel();
49894+ *(void **)&sdhci_esdhc_ops.platform_execute_tuning =
49895 esdhc_executing_tuning;
49896+ pax_close_kernel();
49897+ }
49898
49899 if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING)
49900 writel(readl(host->ioaddr + ESDHC_TUNING_CTRL) |
49901diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c
49902index 70c724b..308aafc 100644
49903--- a/drivers/mmc/host/sdhci-s3c.c
49904+++ b/drivers/mmc/host/sdhci-s3c.c
49905@@ -598,9 +598,11 @@ static int sdhci_s3c_probe(struct platform_device *pdev)
49906 * we can use overriding functions instead of default.
49907 */
49908 if (sc->no_divider) {
49909- sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock;
49910- sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock;
49911- sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock;
49912+ pax_open_kernel();
49913+ *(void **)&sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock;
49914+ *(void **)&sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock;
49915+ *(void **)&sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock;
49916+ pax_close_kernel();
49917 }
49918
49919 /* It supports additional host capabilities if needed */
49920diff --git a/drivers/mtd/chips/cfi_cmdset_0020.c b/drivers/mtd/chips/cfi_cmdset_0020.c
49921index 9a1a6ff..b8f1a57 100644
49922--- a/drivers/mtd/chips/cfi_cmdset_0020.c
49923+++ b/drivers/mtd/chips/cfi_cmdset_0020.c
49924@@ -666,7 +666,7 @@ cfi_staa_writev(struct mtd_info *mtd, const struct kvec *vecs,
49925 size_t totlen = 0, thislen;
49926 int ret = 0;
49927 size_t buflen = 0;
49928- static char *buffer;
49929+ char *buffer;
49930
49931 if (!ECCBUF_SIZE) {
49932 /* We should fall back to a general writev implementation.
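Review bot: With `static` dropped, `buffer` becomes an automatic variable that holds an indeterminate value until it is first assigned, and that assignment is outside this hunk. Declaring it as `char *buffer = NULL;` keeps any early exit that frees `buffer` well-defined. If the intent is to stop concurrent callers from sharing one pointer, a short comment such as `/* per-call buffer; must not be shared between callers */` would record it.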
49933diff --git a/drivers/mtd/nand/denali.c b/drivers/mtd/nand/denali.c
49934index 870c7fc..c7d6440 100644
49935--- a/drivers/mtd/nand/denali.c
49936+++ b/drivers/mtd/nand/denali.c
49937@@ -24,6 +24,7 @@
49938 #include <linux/slab.h>
49939 #include <linux/mtd/mtd.h>
49940 #include <linux/module.h>
49941+#include <linux/slab.h>
49942
49943 #include "denali.h"
49944
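Review bot: The added `#include <linux/slab.h>` repeats the include that is already the first context line of this hunk, so it has no effect. Drop the added line; if a different header was intended, name that one instead.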
49945diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49946index 1b8f350..990f2e9 100644
49947--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49948+++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49949@@ -386,7 +386,7 @@ void prepare_data_dma(struct gpmi_nand_data *this, enum dma_data_direction dr)
49950
49951 /* first try to map the upper buffer directly */
49952 if (virt_addr_valid(this->upper_buf) &&
49953- !object_is_on_stack(this->upper_buf)) {
49954+ !object_starts_on_stack(this->upper_buf)) {
49955 sg_init_one(sgl, this->upper_buf, this->upper_len);
49956 ret = dma_map_sg(this->dev, sgl, 1, dr);
49957 if (ret == 0)
49958diff --git a/drivers/mtd/nftlmount.c b/drivers/mtd/nftlmount.c
49959index a5dfbfb..8042ab4 100644
49960--- a/drivers/mtd/nftlmount.c
49961+++ b/drivers/mtd/nftlmount.c
49962@@ -24,6 +24,7 @@
49963 #include <asm/errno.h>
49964 #include <linux/delay.h>
49965 #include <linux/slab.h>
49966+#include <linux/sched.h>
49967 #include <linux/mtd/mtd.h>
49968 #include <linux/mtd/nand.h>
49969 #include <linux/mtd/nftl.h>
49970diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c
49971index c23184a..4115c41 100644
49972--- a/drivers/mtd/sm_ftl.c
49973+++ b/drivers/mtd/sm_ftl.c
49974@@ -56,7 +56,7 @@ static ssize_t sm_attr_show(struct device *dev, struct device_attribute *attr,
49975 #define SM_CIS_VENDOR_OFFSET 0x59
49976 static struct attribute_group *sm_create_sysfs_attributes(struct sm_ftl *ftl)
49977 {
49978- struct attribute_group *attr_group;
49979+ attribute_group_no_const *attr_group;
49980 struct attribute **attributes;
49981 struct sm_sysfs_attribute *vendor_attribute;
49982 char *vendor;
49983diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
49984index 1bda292..3f4af40 100644
49985--- a/drivers/net/bonding/bond_netlink.c
49986+++ b/drivers/net/bonding/bond_netlink.c
49987@@ -649,7 +649,7 @@ nla_put_failure:
49988 return -EMSGSIZE;
49989 }
49990
49991-struct rtnl_link_ops bond_link_ops __read_mostly = {
49992+struct rtnl_link_ops bond_link_ops = {
49993 .kind = "bond",
49994 .priv_size = sizeof(struct bonding),
49995 .setup = bond_setup,
49996diff --git a/drivers/net/caif/caif_hsi.c b/drivers/net/caif/caif_hsi.c
49997index b3b922a..80bba38 100644
49998--- a/drivers/net/caif/caif_hsi.c
49999+++ b/drivers/net/caif/caif_hsi.c
50000@@ -1444,7 +1444,7 @@ err:
50001 return -ENODEV;
50002 }
50003
50004-static struct rtnl_link_ops caif_hsi_link_ops __read_mostly = {
50005+static struct rtnl_link_ops caif_hsi_link_ops = {
50006 .kind = "cfhsi",
50007 .priv_size = sizeof(struct cfhsi),
50008 .setup = cfhsi_setup,
50009diff --git a/drivers/net/can/Kconfig b/drivers/net/can/Kconfig
50010index e8c96b8..516a96c 100644
50011--- a/drivers/net/can/Kconfig
50012+++ b/drivers/net/can/Kconfig
50013@@ -98,7 +98,7 @@ config CAN_JANZ_ICAN3
50014
50015 config CAN_FLEXCAN
50016 tristate "Support for Freescale FLEXCAN based chips"
50017- depends on ARM || PPC
50018+ depends on (ARM && CPU_LITTLE_ENDIAN) || PPC
50019 ---help---
50020 Say Y here if you want to support for Freescale FlexCAN.
50021
50022diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
50023index aede704..b516b4d 100644
50024--- a/drivers/net/can/dev.c
50025+++ b/drivers/net/can/dev.c
50026@@ -961,7 +961,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
50027 return -EOPNOTSUPP;
50028 }
50029
50030-static struct rtnl_link_ops can_link_ops __read_mostly = {
50031+static struct rtnl_link_ops can_link_ops = {
50032 .kind = "can",
50033 .maxtype = IFLA_CAN_MAX,
50034 .policy = can_policy,
50035diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c
50036index 674f367..ec3a31f 100644
50037--- a/drivers/net/can/vcan.c
50038+++ b/drivers/net/can/vcan.c
50039@@ -163,7 +163,7 @@ static void vcan_setup(struct net_device *dev)
50040 dev->destructor = free_netdev;
50041 }
50042
50043-static struct rtnl_link_ops vcan_link_ops __read_mostly = {
50044+static struct rtnl_link_ops vcan_link_ops = {
50045 .kind = "vcan",
50046 .setup = vcan_setup,
50047 };
50048diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
50049index 49adbf1..fff7ff8 100644
50050--- a/drivers/net/dummy.c
50051+++ b/drivers/net/dummy.c
50052@@ -164,7 +164,7 @@ static int dummy_validate(struct nlattr *tb[], struct nlattr *data[])
50053 return 0;
50054 }
50055
50056-static struct rtnl_link_ops dummy_link_ops __read_mostly = {
50057+static struct rtnl_link_ops dummy_link_ops = {
50058 .kind = DRV_NAME,
50059 .setup = dummy_setup,
50060 .validate = dummy_validate,
50061diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c
50062index 0443654..4f0aa18 100644
50063--- a/drivers/net/ethernet/8390/ax88796.c
50064+++ b/drivers/net/ethernet/8390/ax88796.c
50065@@ -889,9 +889,11 @@ static int ax_probe(struct platform_device *pdev)
50066 if (ax->plat->reg_offsets)
50067 ei_local->reg_offset = ax->plat->reg_offsets;
50068 else {
50069+ resource_size_t _mem_size = mem_size;
50070+ do_div(_mem_size, 0x18);
50071 ei_local->reg_offset = ax->reg_offsets;
50072 for (ret = 0; ret < 0x18; ret++)
50073- ax->reg_offsets[ret] = (mem_size / 0x18) * ret;
50074+ ax->reg_offsets[ret] = _mem_size * ret;
50075 }
50076
50077 if (!request_mem_region(mem->start, mem_size, pdev->name)) {
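Review bot: `do_div()` expects its first argument to be a 64-bit unsigned lvalue, but `_mem_size` is declared `resource_size_t`, which is only 32 bits wide on configurations without 64-bit physical addresses. Declaring the temporary as `u64 stride = mem_size;` before `do_div(stride, 0x18);` keeps the call well-typed on every configuration and avoids the leading-underscore name. The quotient is then multiplied and stored into `ax->reg_offsets[ret]`, whose element type is not visible here, so it is worth confirming that `stride * ret` fits. `ax_probe` starts and ends outside this hunk.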
50078diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c
50079index 8207877..ce13e99 100644
50080--- a/drivers/net/ethernet/altera/altera_tse_main.c
50081+++ b/drivers/net/ethernet/altera/altera_tse_main.c
50082@@ -1255,7 +1255,7 @@ static int tse_shutdown(struct net_device *dev)
50083 return 0;
50084 }
50085
50086-static struct net_device_ops altera_tse_netdev_ops = {
50087+static net_device_ops_no_const altera_tse_netdev_ops __read_only = {
50088 .ndo_open = tse_open,
50089 .ndo_stop = tse_shutdown,
50090 .ndo_start_xmit = tse_start_xmit,
50091@@ -1492,11 +1492,13 @@ static int altera_tse_probe(struct platform_device *pdev)
50092 ndev->netdev_ops = &altera_tse_netdev_ops;
50093 altera_tse_set_ethtool_ops(ndev);
50094
50095+ pax_open_kernel();
50096 altera_tse_netdev_ops.ndo_set_rx_mode = tse_set_rx_mode;
50097
50098 if (priv->hash_filter)
50099 altera_tse_netdev_ops.ndo_set_rx_mode =
50100 tse_set_rx_mode_hashfilter;
50101+ pax_close_kernel();
50102
50103 /* Scatter/gather IO is not supported,
50104 * so it is turned off
50105diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
50106index b6fa891..31ef157 100644
50107--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
50108+++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
50109@@ -1279,14 +1279,14 @@ do { \
50110 * operations, everything works on mask values.
50111 */
50112 #define XMDIO_READ(_pdata, _mmd, _reg) \
50113- ((_pdata)->hw_if.read_mmd_regs((_pdata), 0, \
50114+ ((_pdata)->hw_if->read_mmd_regs((_pdata), 0, \
50115 MII_ADDR_C45 | (_mmd << 16) | ((_reg) & 0xffff)))
50116
50117 #define XMDIO_READ_BITS(_pdata, _mmd, _reg, _mask) \
50118 (XMDIO_READ((_pdata), _mmd, _reg) & _mask)
50119
50120 #define XMDIO_WRITE(_pdata, _mmd, _reg, _val) \
50121- ((_pdata)->hw_if.write_mmd_regs((_pdata), 0, \
50122+ ((_pdata)->hw_if->write_mmd_regs((_pdata), 0, \
50123 MII_ADDR_C45 | (_mmd << 16) | ((_reg) & 0xffff), (_val)))
50124
50125 #define XMDIO_WRITE_BITS(_pdata, _mmd, _reg, _mask, _val) \
50126diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c b/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
50127index a6b9899..2e5e972 100644
50128--- a/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
50129+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
50130@@ -190,7 +190,7 @@ static int xgbe_dcb_ieee_setets(struct net_device *netdev,
50131
50132 memcpy(pdata->ets, ets, sizeof(*pdata->ets));
50133
50134- pdata->hw_if.config_dcb_tc(pdata);
50135+ pdata->hw_if->config_dcb_tc(pdata);
50136
50137 return 0;
50138 }
50139@@ -230,7 +230,7 @@ static int xgbe_dcb_ieee_setpfc(struct net_device *netdev,
50140
50141 memcpy(pdata->pfc, pfc, sizeof(*pdata->pfc));
50142
50143- pdata->hw_if.config_dcb_pfc(pdata);
50144+ pdata->hw_if->config_dcb_pfc(pdata);
50145
50146 return 0;
50147 }
50148diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
50149index b3bc87f..5bdfdd3 100644
50150--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
50151+++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
50152@@ -353,7 +353,7 @@ static int xgbe_map_rx_buffer(struct xgbe_prv_data *pdata,
50153
50154 static void xgbe_wrapper_tx_descriptor_init(struct xgbe_prv_data *pdata)
50155 {
50156- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50157+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50158 struct xgbe_channel *channel;
50159 struct xgbe_ring *ring;
50160 struct xgbe_ring_data *rdata;
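Review bot: `struct xgbe_hw_if *hw_if = pdata->hw_if;` keeps a non-const local even though the patch turns the tables into `const struct xgbe_hw_if default_xgbe_hw_if` and `const struct xgbe_desc_if default_xgbe_desc_if`. If the `pdata` members are declared without `const` (the header is not in this part of the patch), the read-only property rests on the toolchain rather than on the types. Writing the locals as `const struct xgbe_hw_if *hw_if = pdata->hw_if;`, and likewise for `desc_if` and `phy_if`, lets the compiler reject a stray store. The same declaration recurs in the later `xgbe-desc.c`, `xgbe-dev.c` and `xgbe-drv.c` hunks, and the function bodies continue outside each hunk.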
50161@@ -394,7 +394,7 @@ static void xgbe_wrapper_tx_descriptor_init(struct xgbe_prv_data *pdata)
50162
50163 static void xgbe_wrapper_rx_descriptor_init(struct xgbe_prv_data *pdata)
50164 {
50165- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50166+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50167 struct xgbe_channel *channel;
50168 struct xgbe_ring *ring;
50169 struct xgbe_ring_desc *rdesc;
50170@@ -628,17 +628,12 @@ err_out:
50171 return 0;
50172 }
50173
50174-void xgbe_init_function_ptrs_desc(struct xgbe_desc_if *desc_if)
50175-{
50176- DBGPR("-->xgbe_init_function_ptrs_desc\n");
50177-
50178- desc_if->alloc_ring_resources = xgbe_alloc_ring_resources;
50179- desc_if->free_ring_resources = xgbe_free_ring_resources;
50180- desc_if->map_tx_skb = xgbe_map_tx_skb;
50181- desc_if->map_rx_buffer = xgbe_map_rx_buffer;
50182- desc_if->unmap_rdata = xgbe_unmap_rdata;
50183- desc_if->wrapper_tx_desc_init = xgbe_wrapper_tx_descriptor_init;
50184- desc_if->wrapper_rx_desc_init = xgbe_wrapper_rx_descriptor_init;
50185-
50186- DBGPR("<--xgbe_init_function_ptrs_desc\n");
50187-}
50188+const struct xgbe_desc_if default_xgbe_desc_if = {
50189+ .alloc_ring_resources = xgbe_alloc_ring_resources,
50190+ .free_ring_resources = xgbe_free_ring_resources,
50191+ .map_tx_skb = xgbe_map_tx_skb,
50192+ .map_rx_buffer = xgbe_map_rx_buffer,
50193+ .unmap_rdata = xgbe_unmap_rdata,
50194+ .wrapper_tx_desc_init = xgbe_wrapper_tx_descriptor_init,
50195+ .wrapper_rx_desc_init = xgbe_wrapper_rx_descriptor_init,
50196+};
50197diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
50198index a4473d8..039a2ab 100644
50199--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
50200+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
50201@@ -2776,7 +2776,7 @@ static void xgbe_powerdown_rx(struct xgbe_prv_data *pdata)
50202
50203 static int xgbe_init(struct xgbe_prv_data *pdata)
50204 {
50205- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50206+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50207 int ret;
50208
50209 DBGPR("-->xgbe_init\n");
50210@@ -2842,106 +2842,101 @@ static int xgbe_init(struct xgbe_prv_data *pdata)
50211 return 0;
50212 }
50213
50214-void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *hw_if)
50215-{
50216- DBGPR("-->xgbe_init_function_ptrs\n");
50217-
50218- hw_if->tx_complete = xgbe_tx_complete;
50219-
50220- hw_if->set_mac_address = xgbe_set_mac_address;
50221- hw_if->config_rx_mode = xgbe_config_rx_mode;
50222-
50223- hw_if->enable_rx_csum = xgbe_enable_rx_csum;
50224- hw_if->disable_rx_csum = xgbe_disable_rx_csum;
50225-
50226- hw_if->enable_rx_vlan_stripping = xgbe_enable_rx_vlan_stripping;
50227- hw_if->disable_rx_vlan_stripping = xgbe_disable_rx_vlan_stripping;
50228- hw_if->enable_rx_vlan_filtering = xgbe_enable_rx_vlan_filtering;
50229- hw_if->disable_rx_vlan_filtering = xgbe_disable_rx_vlan_filtering;
50230- hw_if->update_vlan_hash_table = xgbe_update_vlan_hash_table;
50231-
50232- hw_if->read_mmd_regs = xgbe_read_mmd_regs;
50233- hw_if->write_mmd_regs = xgbe_write_mmd_regs;
50234-
50235- hw_if->set_gmii_speed = xgbe_set_gmii_speed;
50236- hw_if->set_gmii_2500_speed = xgbe_set_gmii_2500_speed;
50237- hw_if->set_xgmii_speed = xgbe_set_xgmii_speed;
50238-
50239- hw_if->enable_tx = xgbe_enable_tx;
50240- hw_if->disable_tx = xgbe_disable_tx;
50241- hw_if->enable_rx = xgbe_enable_rx;
50242- hw_if->disable_rx = xgbe_disable_rx;
50243-
50244- hw_if->powerup_tx = xgbe_powerup_tx;
50245- hw_if->powerdown_tx = xgbe_powerdown_tx;
50246- hw_if->powerup_rx = xgbe_powerup_rx;
50247- hw_if->powerdown_rx = xgbe_powerdown_rx;
50248-
50249- hw_if->dev_xmit = xgbe_dev_xmit;
50250- hw_if->dev_read = xgbe_dev_read;
50251- hw_if->enable_int = xgbe_enable_int;
50252- hw_if->disable_int = xgbe_disable_int;
50253- hw_if->init = xgbe_init;
50254- hw_if->exit = xgbe_exit;
50255+const struct xgbe_hw_if default_xgbe_hw_if = {
50256+ .tx_complete = xgbe_tx_complete,
50257+
50258+ .set_mac_address = xgbe_set_mac_address,
50259+ .config_rx_mode = xgbe_config_rx_mode,
50260+
50261+ .enable_rx_csum = xgbe_enable_rx_csum,
50262+ .disable_rx_csum = xgbe_disable_rx_csum,
50263+
50264+ .enable_rx_vlan_stripping = xgbe_enable_rx_vlan_stripping,
50265+ .disable_rx_vlan_stripping = xgbe_disable_rx_vlan_stripping,
50266+ .enable_rx_vlan_filtering = xgbe_enable_rx_vlan_filtering,
50267+ .disable_rx_vlan_filtering = xgbe_disable_rx_vlan_filtering,
50268+ .update_vlan_hash_table = xgbe_update_vlan_hash_table,
50269+
50270+ .read_mmd_regs = xgbe_read_mmd_regs,
50271+ .write_mmd_regs = xgbe_write_mmd_regs,
50272+
50273+ .set_gmii_speed = xgbe_set_gmii_speed,
50274+ .set_gmii_2500_speed = xgbe_set_gmii_2500_speed,
50275+ .set_xgmii_speed = xgbe_set_xgmii_speed,
50276+
50277+ .enable_tx = xgbe_enable_tx,
50278+ .disable_tx = xgbe_disable_tx,
50279+ .enable_rx = xgbe_enable_rx,
50280+ .disable_rx = xgbe_disable_rx,
50281+
50282+ .powerup_tx = xgbe_powerup_tx,
50283+ .powerdown_tx = xgbe_powerdown_tx,
50284+ .powerup_rx = xgbe_powerup_rx,
50285+ .powerdown_rx = xgbe_powerdown_rx,
50286+
50287+ .dev_xmit = xgbe_dev_xmit,
50288+ .dev_read = xgbe_dev_read,
50289+ .enable_int = xgbe_enable_int,
50290+ .disable_int = xgbe_disable_int,
50291+ .init = xgbe_init,
50292+ .exit = xgbe_exit,
50293
50294 /* Descriptor related Sequences have to be initialized here */
50295- hw_if->tx_desc_init = xgbe_tx_desc_init;
50296- hw_if->rx_desc_init = xgbe_rx_desc_init;
50297- hw_if->tx_desc_reset = xgbe_tx_desc_reset;
50298- hw_if->rx_desc_reset = xgbe_rx_desc_reset;
50299- hw_if->is_last_desc = xgbe_is_last_desc;
50300- hw_if->is_context_desc = xgbe_is_context_desc;
50301- hw_if->tx_start_xmit = xgbe_tx_start_xmit;
50302+ .tx_desc_init = xgbe_tx_desc_init,
50303+ .rx_desc_init = xgbe_rx_desc_init,
50304+ .tx_desc_reset = xgbe_tx_desc_reset,
50305+ .rx_desc_reset = xgbe_rx_desc_reset,
50306+ .is_last_desc = xgbe_is_last_desc,
50307+ .is_context_desc = xgbe_is_context_desc,
50308+ .tx_start_xmit = xgbe_tx_start_xmit,
50309
50310 /* For FLOW ctrl */
50311- hw_if->config_tx_flow_control = xgbe_config_tx_flow_control;
50312- hw_if->config_rx_flow_control = xgbe_config_rx_flow_control;
50313+ .config_tx_flow_control = xgbe_config_tx_flow_control,
50314+ .config_rx_flow_control = xgbe_config_rx_flow_control,
50315
50316 /* For RX coalescing */
50317- hw_if->config_rx_coalesce = xgbe_config_rx_coalesce;
50318- hw_if->config_tx_coalesce = xgbe_config_tx_coalesce;
50319- hw_if->usec_to_riwt = xgbe_usec_to_riwt;
50320- hw_if->riwt_to_usec = xgbe_riwt_to_usec;
50321+ .config_rx_coalesce = xgbe_config_rx_coalesce,
50322+ .config_tx_coalesce = xgbe_config_tx_coalesce,
50323+ .usec_to_riwt = xgbe_usec_to_riwt,
50324+ .riwt_to_usec = xgbe_riwt_to_usec,
50325
50326 /* For RX and TX threshold config */
50327- hw_if->config_rx_threshold = xgbe_config_rx_threshold;
50328- hw_if->config_tx_threshold = xgbe_config_tx_threshold;
50329+ .config_rx_threshold = xgbe_config_rx_threshold,
50330+ .config_tx_threshold = xgbe_config_tx_threshold,
50331
50332 /* For RX and TX Store and Forward Mode config */
50333- hw_if->config_rsf_mode = xgbe_config_rsf_mode;
50334- hw_if->config_tsf_mode = xgbe_config_tsf_mode;
50335+ .config_rsf_mode = xgbe_config_rsf_mode,
50336+ .config_tsf_mode = xgbe_config_tsf_mode,
50337
50338 /* For TX DMA Operating on Second Frame config */
50339- hw_if->config_osp_mode = xgbe_config_osp_mode;
50340+ .config_osp_mode = xgbe_config_osp_mode,
50341
50342 /* For RX and TX PBL config */
50343- hw_if->config_rx_pbl_val = xgbe_config_rx_pbl_val;
50344- hw_if->get_rx_pbl_val = xgbe_get_rx_pbl_val;
50345- hw_if->config_tx_pbl_val = xgbe_config_tx_pbl_val;
50346- hw_if->get_tx_pbl_val = xgbe_get_tx_pbl_val;
50347- hw_if->config_pblx8 = xgbe_config_pblx8;
50348+ .config_rx_pbl_val = xgbe_config_rx_pbl_val,
50349+ .get_rx_pbl_val = xgbe_get_rx_pbl_val,
50350+ .config_tx_pbl_val = xgbe_config_tx_pbl_val,
50351+ .get_tx_pbl_val = xgbe_get_tx_pbl_val,
50352+ .config_pblx8 = xgbe_config_pblx8,
50353
50354 /* For MMC statistics support */
50355- hw_if->tx_mmc_int = xgbe_tx_mmc_int;
50356- hw_if->rx_mmc_int = xgbe_rx_mmc_int;
50357- hw_if->read_mmc_stats = xgbe_read_mmc_stats;
50358+ .tx_mmc_int = xgbe_tx_mmc_int,
50359+ .rx_mmc_int = xgbe_rx_mmc_int,
50360+ .read_mmc_stats = xgbe_read_mmc_stats,
50361
50362 /* For PTP config */
50363- hw_if->config_tstamp = xgbe_config_tstamp;
50364- hw_if->update_tstamp_addend = xgbe_update_tstamp_addend;
50365- hw_if->set_tstamp_time = xgbe_set_tstamp_time;
50366- hw_if->get_tstamp_time = xgbe_get_tstamp_time;
50367- hw_if->get_tx_tstamp = xgbe_get_tx_tstamp;
50368+ .config_tstamp = xgbe_config_tstamp,
50369+ .update_tstamp_addend = xgbe_update_tstamp_addend,
50370+ .set_tstamp_time = xgbe_set_tstamp_time,
50371+ .get_tstamp_time = xgbe_get_tstamp_time,
50372+ .get_tx_tstamp = xgbe_get_tx_tstamp,
50373
50374 /* For Data Center Bridging config */
50375- hw_if->config_dcb_tc = xgbe_config_dcb_tc;
50376- hw_if->config_dcb_pfc = xgbe_config_dcb_pfc;
50377+ .config_dcb_tc = xgbe_config_dcb_tc,
50378+ .config_dcb_pfc = xgbe_config_dcb_pfc,
50379
50380 /* For Receive Side Scaling */
50381- hw_if->enable_rss = xgbe_enable_rss;
50382- hw_if->disable_rss = xgbe_disable_rss;
50383- hw_if->set_rss_hash_key = xgbe_set_rss_hash_key;
50384- hw_if->set_rss_lookup_table = xgbe_set_rss_lookup_table;
50385-
50386- DBGPR("<--xgbe_init_function_ptrs\n");
50387-}
50388+ .enable_rss = xgbe_enable_rss,
50389+ .disable_rss = xgbe_disable_rss,
50390+ .set_rss_hash_key = xgbe_set_rss_hash_key,
50391+ .set_rss_lookup_table = xgbe_set_rss_lookup_table,
50392+};
50393diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
50394index aae9d5e..29ce58d 100644
50395--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
50396+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
50397@@ -245,7 +245,7 @@ static int xgbe_maybe_stop_tx_queue(struct xgbe_channel *channel,
50398 * support, tell it now
50399 */
50400 if (ring->tx.xmit_more)
50401- pdata->hw_if.tx_start_xmit(channel, ring);
50402+ pdata->hw_if->tx_start_xmit(channel, ring);
50403
50404 return NETDEV_TX_BUSY;
50405 }
50406@@ -273,7 +273,7 @@ static int xgbe_calc_rx_buf_size(struct net_device *netdev, unsigned int mtu)
50407
50408 static void xgbe_enable_rx_tx_ints(struct xgbe_prv_data *pdata)
50409 {
50410- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50411+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50412 struct xgbe_channel *channel;
50413 enum xgbe_int int_id;
50414 unsigned int i;
50415@@ -295,7 +295,7 @@ static void xgbe_enable_rx_tx_ints(struct xgbe_prv_data *pdata)
50416
50417 static void xgbe_disable_rx_tx_ints(struct xgbe_prv_data *pdata)
50418 {
50419- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50420+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50421 struct xgbe_channel *channel;
50422 enum xgbe_int int_id;
50423 unsigned int i;
50424@@ -318,7 +318,7 @@ static void xgbe_disable_rx_tx_ints(struct xgbe_prv_data *pdata)
50425 static irqreturn_t xgbe_isr(int irq, void *data)
50426 {
50427 struct xgbe_prv_data *pdata = data;
50428- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50429+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50430 struct xgbe_channel *channel;
50431 unsigned int dma_isr, dma_ch_isr;
50432 unsigned int mac_isr, mac_tssr;
50433@@ -443,7 +443,7 @@ static void xgbe_service(struct work_struct *work)
50434 struct xgbe_prv_data,
50435 service_work);
50436
50437- pdata->phy_if.phy_status(pdata);
50438+ pdata->phy_if->phy_status(pdata);
50439 }
50440
50441 static void xgbe_service_timer(unsigned long data)
50442@@ -702,7 +702,7 @@ static void xgbe_free_irqs(struct xgbe_prv_data *pdata)
50443
50444 void xgbe_init_tx_coalesce(struct xgbe_prv_data *pdata)
50445 {
50446- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50447+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50448
50449 DBGPR("-->xgbe_init_tx_coalesce\n");
50450
50451@@ -716,7 +716,7 @@ void xgbe_init_tx_coalesce(struct xgbe_prv_data *pdata)
50452
50453 void xgbe_init_rx_coalesce(struct xgbe_prv_data *pdata)
50454 {
50455- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50456+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50457
50458 DBGPR("-->xgbe_init_rx_coalesce\n");
50459
50460@@ -731,7 +731,7 @@ void xgbe_init_rx_coalesce(struct xgbe_prv_data *pdata)
50461
50462 static void xgbe_free_tx_data(struct xgbe_prv_data *pdata)
50463 {
50464- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50465+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50466 struct xgbe_channel *channel;
50467 struct xgbe_ring *ring;
50468 struct xgbe_ring_data *rdata;
50469@@ -756,7 +756,7 @@ static void xgbe_free_tx_data(struct xgbe_prv_data *pdata)
50470
50471 static void xgbe_free_rx_data(struct xgbe_prv_data *pdata)
50472 {
50473- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50474+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50475 struct xgbe_channel *channel;
50476 struct xgbe_ring *ring;
50477 struct xgbe_ring_data *rdata;
50478@@ -784,13 +784,13 @@ static int xgbe_phy_init(struct xgbe_prv_data *pdata)
50479 pdata->phy_link = -1;
50480 pdata->phy_speed = SPEED_UNKNOWN;
50481
50482- return pdata->phy_if.phy_reset(pdata);
50483+ return pdata->phy_if->phy_reset(pdata);
50484 }
50485
50486 int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
50487 {
50488 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50489- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50490+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50491 unsigned long flags;
50492
50493 DBGPR("-->xgbe_powerdown\n");
50494@@ -829,7 +829,7 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
50495 int xgbe_powerup(struct net_device *netdev, unsigned int caller)
50496 {
50497 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50498- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50499+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50500 unsigned long flags;
50501
50502 DBGPR("-->xgbe_powerup\n");
50503@@ -866,8 +866,8 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
50504
50505 static int xgbe_start(struct xgbe_prv_data *pdata)
50506 {
50507- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50508- struct xgbe_phy_if *phy_if = &pdata->phy_if;
50509+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50510+ struct xgbe_phy_if *phy_if = pdata->phy_if;
50511 struct net_device *netdev = pdata->netdev;
50512 int ret;
50513
50514@@ -910,8 +910,8 @@ err_phy:
50515
50516 static void xgbe_stop(struct xgbe_prv_data *pdata)
50517 {
50518- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50519- struct xgbe_phy_if *phy_if = &pdata->phy_if;
50520+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50521+ struct xgbe_phy_if *phy_if = pdata->phy_if;
50522 struct xgbe_channel *channel;
50523 struct net_device *netdev = pdata->netdev;
50524 struct netdev_queue *txq;
50525@@ -1139,7 +1139,7 @@ static int xgbe_set_hwtstamp_settings(struct xgbe_prv_data *pdata,
50526 return -ERANGE;
50527 }
50528
50529- pdata->hw_if.config_tstamp(pdata, mac_tscr);
50530+ pdata->hw_if->config_tstamp(pdata, mac_tscr);
50531
50532 memcpy(&pdata->tstamp_config, &config, sizeof(config));
50533
50534@@ -1288,7 +1288,7 @@ static void xgbe_packet_info(struct xgbe_prv_data *pdata,
50535 static int xgbe_open(struct net_device *netdev)
50536 {
50537 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50538- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50539+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50540 int ret;
50541
50542 DBGPR("-->xgbe_open\n");
50543@@ -1360,7 +1360,7 @@ err_sysclk:
50544 static int xgbe_close(struct net_device *netdev)
50545 {
50546 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50547- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50548+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50549
50550 DBGPR("-->xgbe_close\n");
50551
50552@@ -1387,8 +1387,8 @@ static int xgbe_close(struct net_device *netdev)
50553 static int xgbe_xmit(struct sk_buff *skb, struct net_device *netdev)
50554 {
50555 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50556- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50557- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50558+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50559+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50560 struct xgbe_channel *channel;
50561 struct xgbe_ring *ring;
50562 struct xgbe_packet_data *packet;
50563@@ -1457,7 +1457,7 @@ tx_netdev_return:
50564 static void xgbe_set_rx_mode(struct net_device *netdev)
50565 {
50566 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50567- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50568+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50569
50570 DBGPR("-->xgbe_set_rx_mode\n");
50571
50572@@ -1469,7 +1469,7 @@ static void xgbe_set_rx_mode(struct net_device *netdev)
50573 static int xgbe_set_mac_address(struct net_device *netdev, void *addr)
50574 {
50575 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50576- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50577+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50578 struct sockaddr *saddr = addr;
50579
50580 DBGPR("-->xgbe_set_mac_address\n");
50581@@ -1544,7 +1544,7 @@ static struct rtnl_link_stats64 *xgbe_get_stats64(struct net_device *netdev,
50582
50583 DBGPR("-->%s\n", __func__);
50584
50585- pdata->hw_if.read_mmc_stats(pdata);
50586+ pdata->hw_if->read_mmc_stats(pdata);
50587
50588 s->rx_packets = pstats->rxframecount_gb;
50589 s->rx_bytes = pstats->rxoctetcount_gb;
50590@@ -1571,7 +1571,7 @@ static int xgbe_vlan_rx_add_vid(struct net_device *netdev, __be16 proto,
50591 u16 vid)
50592 {
50593 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50594- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50595+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50596
50597 DBGPR("-->%s\n", __func__);
50598
50599@@ -1587,7 +1587,7 @@ static int xgbe_vlan_rx_kill_vid(struct net_device *netdev, __be16 proto,
50600 u16 vid)
50601 {
50602 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50603- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50604+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50605
50606 DBGPR("-->%s\n", __func__);
50607
50608@@ -1654,7 +1654,7 @@ static int xgbe_set_features(struct net_device *netdev,
50609 netdev_features_t features)
50610 {
50611 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50612- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50613+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50614 netdev_features_t rxhash, rxcsum, rxvlan, rxvlan_filter;
50615 int ret = 0;
50616
50617@@ -1720,8 +1720,8 @@ struct net_device_ops *xgbe_get_netdev_ops(void)
50618 static void xgbe_rx_refresh(struct xgbe_channel *channel)
50619 {
50620 struct xgbe_prv_data *pdata = channel->pdata;
50621- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50622- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50623+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50624+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50625 struct xgbe_ring *ring = channel->rx_ring;
50626 struct xgbe_ring_data *rdata;
50627
50628@@ -1798,8 +1798,8 @@ static struct sk_buff *xgbe_create_skb(struct xgbe_prv_data *pdata,
50629 static int xgbe_tx_poll(struct xgbe_channel *channel)
50630 {
50631 struct xgbe_prv_data *pdata = channel->pdata;
50632- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50633- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50634+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50635+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50636 struct xgbe_ring *ring = channel->tx_ring;
50637 struct xgbe_ring_data *rdata;
50638 struct xgbe_ring_desc *rdesc;
50639@@ -1863,7 +1863,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel)
50640 static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
50641 {
50642 struct xgbe_prv_data *pdata = channel->pdata;
50643- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50644+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50645 struct xgbe_ring *ring = channel->rx_ring;
50646 struct xgbe_ring_data *rdata;
50647 struct xgbe_packet_data *packet;
50648diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50649index 59e090e..90bc0b4 100644
50650--- a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50651+++ b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50652@@ -211,7 +211,7 @@ static void xgbe_get_ethtool_stats(struct net_device *netdev,
50653
50654 DBGPR("-->%s\n", __func__);
50655
50656- pdata->hw_if.read_mmc_stats(pdata);
50657+ pdata->hw_if->read_mmc_stats(pdata);
50658 for (i = 0; i < XGBE_STATS_COUNT; i++) {
50659 stat = (u8 *)pdata + xgbe_gstring_stats[i].stat_offset;
50660 *data++ = *(u64 *)stat;
50661@@ -284,7 +284,7 @@ static int xgbe_set_pauseparam(struct net_device *netdev,
50662 pdata->phy.advertising ^= ADVERTISED_Asym_Pause;
50663
50664 if (netif_running(netdev))
50665- ret = pdata->phy_if.phy_config_aneg(pdata);
50666+ ret = pdata->phy_if->phy_config_aneg(pdata);
50667
50668 DBGPR("<--xgbe_set_pauseparam\n");
50669
50670@@ -364,7 +364,7 @@ static int xgbe_set_settings(struct net_device *netdev,
50671 pdata->phy.advertising &= ~ADVERTISED_Autoneg;
50672
50673 if (netif_running(netdev))
50674- ret = pdata->phy_if.phy_config_aneg(pdata);
50675+ ret = pdata->phy_if->phy_config_aneg(pdata);
50676
50677 DBGPR("<--xgbe_set_settings\n");
50678
50679@@ -411,7 +411,7 @@ static int xgbe_set_coalesce(struct net_device *netdev,
50680 struct ethtool_coalesce *ec)
50681 {
50682 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50683- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50684+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50685 unsigned int rx_frames, rx_riwt, rx_usecs;
50686 unsigned int tx_frames;
50687
50688@@ -536,7 +536,7 @@ static int xgbe_set_rxfh(struct net_device *netdev, const u32 *indir,
50689 const u8 *key, const u8 hfunc)
50690 {
50691 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50692- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50693+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50694 unsigned int ret;
50695
50696 if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
50697diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50698index e83bd76..f2d5d56 100644
50699--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50700+++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50701@@ -202,13 +202,6 @@ static void xgbe_default_config(struct xgbe_prv_data *pdata)
50702 DBGPR("<--xgbe_default_config\n");
50703 }
50704
50705-static void xgbe_init_all_fptrs(struct xgbe_prv_data *pdata)
50706-{
50707- xgbe_init_function_ptrs_dev(&pdata->hw_if);
50708- xgbe_init_function_ptrs_phy(&pdata->phy_if);
50709- xgbe_init_function_ptrs_desc(&pdata->desc_if);
50710-}
50711-
50712 #ifdef CONFIG_ACPI
50713 static int xgbe_acpi_support(struct xgbe_prv_data *pdata)
50714 {
50715@@ -641,10 +634,12 @@ static int xgbe_probe(struct platform_device *pdev)
50716 memcpy(netdev->dev_addr, pdata->mac_addr, netdev->addr_len);
50717
50718 /* Set all the function pointers */
50719- xgbe_init_all_fptrs(pdata);
50720+ pdata->hw_if = &default_xgbe_hw_if;
50721+ pdata->phy_if = &default_xgbe_phy_if;
50722+ pdata->desc_if = &default_xgbe_desc_if;
50723
50724 /* Issue software reset to device */
50725- pdata->hw_if.exit(pdata);
50726+ pdata->hw_if->exit(pdata);
50727
50728 /* Populate the hardware features */
50729 xgbe_get_all_hw_features(pdata);
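Review bot: The assignment `pdata->hw_if = &default_xgbe_hw_if;` (and the phy_if and desc_if ones beside it) stores the address of an object that xgbe.h declares `extern const` into a member that the xgbe.h hunk declares as plain `struct xgbe_hw_if *`. The const qualifier is therefore dropped, unless the build's constification treats the struct type as const implicitly. Declaring the members as `const struct xgbe_hw_if *hw_if;` (likewise phy_if and desc_if) would make the read-only intent explicit, so the compiler keeps rejecting any later write through these pointers. The locals in the xgbe-drv.c and xgbe-ethtool.c hunks would then become `const struct xgbe_hw_if *hw_if = pdata->hw_if;`. xgbe_probe starts and ends outside the hunk.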
50730@@ -698,7 +693,7 @@ static int xgbe_probe(struct platform_device *pdev)
50731 XGMAC_SET_BITS(pdata->rss_options, MAC_RSSCR, UDP4TE, 1);
50732
50733 /* Call MDIO/PHY initialization routine */
50734- pdata->phy_if.phy_init(pdata);
50735+ pdata->phy_if->phy_init(pdata);
50736
50737 /* Set device operations */
50738 netdev->netdev_ops = xgbe_get_netdev_ops();
50739diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50740index 9088c3a..2ffe7c4 100644
50741--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50742+++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50743@@ -202,7 +202,7 @@ static void xgbe_xgmii_mode(struct xgbe_prv_data *pdata)
50744 xgbe_an_enable_kr_training(pdata);
50745
50746 /* Set MAC to 10G speed */
50747- pdata->hw_if.set_xgmii_speed(pdata);
50748+ pdata->hw_if->set_xgmii_speed(pdata);
50749
50750 /* Set PCS to KR/10G speed */
50751 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50752@@ -250,7 +250,7 @@ static void xgbe_gmii_2500_mode(struct xgbe_prv_data *pdata)
50753 xgbe_an_disable_kr_training(pdata);
50754
50755 /* Set MAC to 2.5G speed */
50756- pdata->hw_if.set_gmii_2500_speed(pdata);
50757+ pdata->hw_if->set_gmii_2500_speed(pdata);
50758
50759 /* Set PCS to KX/1G speed */
50760 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50761@@ -298,7 +298,7 @@ static void xgbe_gmii_mode(struct xgbe_prv_data *pdata)
50762 xgbe_an_disable_kr_training(pdata);
50763
50764 /* Set MAC to 1G speed */
50765- pdata->hw_if.set_gmii_speed(pdata);
50766+ pdata->hw_if->set_gmii_speed(pdata);
50767
50768 /* Set PCS to KX/1G speed */
50769 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50770@@ -872,13 +872,13 @@ static void xgbe_phy_adjust_link(struct xgbe_prv_data *pdata)
50771
50772 if (pdata->tx_pause != pdata->phy.tx_pause) {
50773 new_state = 1;
50774- pdata->hw_if.config_tx_flow_control(pdata);
50775+ pdata->hw_if->config_tx_flow_control(pdata);
50776 pdata->tx_pause = pdata->phy.tx_pause;
50777 }
50778
50779 if (pdata->rx_pause != pdata->phy.rx_pause) {
50780 new_state = 1;
50781- pdata->hw_if.config_rx_flow_control(pdata);
50782+ pdata->hw_if->config_rx_flow_control(pdata);
50783 pdata->rx_pause = pdata->phy.rx_pause;
50784 }
50785
50786@@ -1351,14 +1351,13 @@ static void xgbe_phy_init(struct xgbe_prv_data *pdata)
50787 xgbe_dump_phy_registers(pdata);
50788 }
50789
50790-void xgbe_init_function_ptrs_phy(struct xgbe_phy_if *phy_if)
50791-{
50792- phy_if->phy_init = xgbe_phy_init;
50793+const struct xgbe_phy_if default_xgbe_phy_if = {
50794+ .phy_init = xgbe_phy_init,
50795
50796- phy_if->phy_reset = xgbe_phy_reset;
50797- phy_if->phy_start = xgbe_phy_start;
50798- phy_if->phy_stop = xgbe_phy_stop;
50799+ .phy_reset = xgbe_phy_reset,
50800+ .phy_start = xgbe_phy_start,
50801+ .phy_stop = xgbe_phy_stop,
50802
50803- phy_if->phy_status = xgbe_phy_status;
50804- phy_if->phy_config_aneg = xgbe_phy_config_aneg;
50805-}
50806+ .phy_status = xgbe_phy_status,
50807+ .phy_config_aneg = xgbe_phy_config_aneg,
50808+};
50809diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c b/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50810index b03e4f5..78e4cc4 100644
50811--- a/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50812+++ b/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50813@@ -129,7 +129,7 @@ static cycle_t xgbe_cc_read(const struct cyclecounter *cc)
50814 tstamp_cc);
50815 u64 nsec;
50816
50817- nsec = pdata->hw_if.get_tstamp_time(pdata);
50818+ nsec = pdata->hw_if->get_tstamp_time(pdata);
50819
50820 return nsec;
50821 }
50822@@ -158,7 +158,7 @@ static int xgbe_adjfreq(struct ptp_clock_info *info, s32 delta)
50823
50824 spin_lock_irqsave(&pdata->tstamp_lock, flags);
50825
50826- pdata->hw_if.update_tstamp_addend(pdata, addend);
50827+ pdata->hw_if->update_tstamp_addend(pdata, addend);
50828
50829 spin_unlock_irqrestore(&pdata->tstamp_lock, flags);
50830
50831diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
50832index 717ce21..aacd1f3 100644
50833--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
50834+++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
50835@@ -801,9 +801,9 @@ struct xgbe_prv_data {
50836 int dev_irq;
50837 unsigned int per_channel_irq;
50838
50839- struct xgbe_hw_if hw_if;
50840- struct xgbe_phy_if phy_if;
50841- struct xgbe_desc_if desc_if;
50842+ struct xgbe_hw_if *hw_if;
50843+ struct xgbe_phy_if *phy_if;
50844+ struct xgbe_desc_if *desc_if;
50845
50846 /* AXI DMA settings */
50847 unsigned int coherent;
50848@@ -964,6 +964,10 @@ struct xgbe_prv_data {
50849 #endif
50850 };
50851
50852+extern const struct xgbe_hw_if default_xgbe_hw_if;
50853+extern const struct xgbe_phy_if default_xgbe_phy_if;
50854+extern const struct xgbe_desc_if default_xgbe_desc_if;
50855+
50856 /* Function prototypes*/
50857
50858 void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *);
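Review bot: The context line `void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *);` remains below the new extern declarations, although the patch removes its visible caller, xgbe_init_all_fptrs(), and replaces xgbe_init_function_ptrs_phy() with a const table. If the dev and desc initialisers are removed the same way (their definitions are outside this view), the matching prototypes should be deleted here too, so the header does not declare functions that no longer exist. A one-line comment above the externs, e.g. `/* Read-only default operation tables shared by all devices */`, would document why they are const.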
50859diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50860index 03b7404..01ff3b3 100644
50861--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50862+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50863@@ -1082,7 +1082,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp)
50864 static inline void bnx2x_init_bp_objs(struct bnx2x *bp)
50865 {
50866 /* RX_MODE controlling object */
50867- bnx2x_init_rx_mode_obj(bp, &bp->rx_mode_obj);
50868+ bnx2x_init_rx_mode_obj(bp);
50869
50870 /* multicast configuration controlling object */
50871 bnx2x_init_mcast_obj(bp, &bp->mcast_obj, bp->fp->cl_id, bp->fp->cid,
50872diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50873index 4ad415a..8e0a040 100644
50874--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50875+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50876@@ -2329,15 +2329,14 @@ int bnx2x_config_rx_mode(struct bnx2x *bp,
50877 return rc;
50878 }
50879
50880-void bnx2x_init_rx_mode_obj(struct bnx2x *bp,
50881- struct bnx2x_rx_mode_obj *o)
50882+void bnx2x_init_rx_mode_obj(struct bnx2x *bp)
50883 {
50884 if (CHIP_IS_E1x(bp)) {
50885- o->wait_comp = bnx2x_empty_rx_mode_wait;
50886- o->config_rx_mode = bnx2x_set_rx_mode_e1x;
50887+ bp->rx_mode_obj.wait_comp = bnx2x_empty_rx_mode_wait;
50888+ bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e1x;
50889 } else {
50890- o->wait_comp = bnx2x_wait_rx_mode_comp_e2;
50891- o->config_rx_mode = bnx2x_set_rx_mode_e2;
50892+ bp->rx_mode_obj.wait_comp = bnx2x_wait_rx_mode_comp_e2;
50893+ bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e2;
50894 }
50895 }
50896
50897diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50898index 86baecb..ff3bb46 100644
50899--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50900+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50901@@ -1411,8 +1411,7 @@ int bnx2x_vlan_mac_move(struct bnx2x *bp,
50902
50903 /********************* RX MODE ****************/
50904
50905-void bnx2x_init_rx_mode_obj(struct bnx2x *bp,
50906- struct bnx2x_rx_mode_obj *o);
50907+void bnx2x_init_rx_mode_obj(struct bnx2x *bp);
50908
50909 /**
50910 * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters.
50911diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
50912index 31c9f82..e65e986 100644
50913--- a/drivers/net/ethernet/broadcom/tg3.h
50914+++ b/drivers/net/ethernet/broadcom/tg3.h
50915@@ -150,6 +150,7 @@
50916 #define CHIPREV_ID_5750_A0 0x4000
50917 #define CHIPREV_ID_5750_A1 0x4001
50918 #define CHIPREV_ID_5750_A3 0x4003
50919+#define CHIPREV_ID_5750_C1 0x4201
50920 #define CHIPREV_ID_5750_C2 0x4202
50921 #define CHIPREV_ID_5752_A0_HW 0x5000
50922 #define CHIPREV_ID_5752_A0 0x6000
50923diff --git a/drivers/net/ethernet/brocade/bna/bna_enet.c b/drivers/net/ethernet/brocade/bna/bna_enet.c
50924index 4e5c387..bba8173 100644
50925--- a/drivers/net/ethernet/brocade/bna/bna_enet.c
50926+++ b/drivers/net/ethernet/brocade/bna/bna_enet.c
50927@@ -1676,10 +1676,10 @@ bna_cb_ioceth_reset(void *arg)
50928 }
50929
50930 static struct bfa_ioc_cbfn bna_ioceth_cbfn = {
50931- bna_cb_ioceth_enable,
50932- bna_cb_ioceth_disable,
50933- bna_cb_ioceth_hbfail,
50934- bna_cb_ioceth_reset
50935+ .enable_cbfn = bna_cb_ioceth_enable,
50936+ .disable_cbfn = bna_cb_ioceth_disable,
50937+ .hbfail_cbfn = bna_cb_ioceth_hbfail,
50938+ .reset_cbfn = bna_cb_ioceth_reset
50939 };
50940
50941 static void bna_attr_init(struct bna_ioceth *ioceth)
50942diff --git a/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c b/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50943index 29f3308..b594c38 100644
50944--- a/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50945+++ b/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50946@@ -265,9 +265,9 @@ static void octnet_mdio_resp_callback(struct octeon_device *oct,
50947 if (status) {
50948 dev_err(&oct->pci_dev->dev, "MIDO instruction failed. Status: %llx\n",
50949 CVM_CAST64(status));
50950- ACCESS_ONCE(mdio_cmd_ctx->cond) = -1;
50951+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = -1;
50952 } else {
50953- ACCESS_ONCE(mdio_cmd_ctx->cond) = 1;
50954+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = 1;
50955 }
50956 wake_up_interruptible(&mdio_cmd_ctx->wc);
50957 }
50958@@ -298,7 +298,7 @@ octnet_mdio45_access(struct lio *lio, int op, int loc, int *value)
50959 mdio_cmd_rsp = (struct oct_mdio_cmd_resp *)sc->virtrptr;
50960 mdio_cmd = (struct oct_mdio_cmd *)sc->virtdptr;
50961
50962- ACCESS_ONCE(mdio_cmd_ctx->cond) = 0;
50963+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = 0;
50964 mdio_cmd_ctx->octeon_id = lio_get_device_id(oct_dev);
50965 mdio_cmd->op = op;
50966 mdio_cmd->mdio_addr = loc;
50967diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
50968index 0660dee..e07895e 100644
50969--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
50970+++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
50971@@ -1727,7 +1727,7 @@ static void if_cfg_callback(struct octeon_device *oct,
50972 if (resp->status)
50973 dev_err(&oct->pci_dev->dev, "nic if cfg instruction failed. Status: %llx\n",
50974 CVM_CAST64(resp->status));
50975- ACCESS_ONCE(ctx->cond) = 1;
50976+ ACCESS_ONCE_RW(ctx->cond) = 1;
50977
50978 /* This barrier is required to be sure that the response has been
50979 * written fully before waking up the handler
50980@@ -3177,7 +3177,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
50981 dev_dbg(&octeon_dev->pci_dev->dev,
50982 "requesting config for interface %d, iqs %d, oqs %d\n",
50983 i, num_iqueues, num_oqueues);
50984- ACCESS_ONCE(ctx->cond) = 0;
50985+ ACCESS_ONCE_RW(ctx->cond) = 0;
50986 ctx->octeon_id = lio_get_device_id(octeon_dev);
50987 init_waitqueue_head(&ctx->wc);
50988
50989@@ -3240,8 +3240,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
50990 props = &octeon_dev->props[i];
50991 props->netdev = netdev;
50992
50993- if (num_iqueues > 1)
50994- lionetdevops.ndo_select_queue = select_q;
50995+ if (num_iqueues > 1) {
50996+ pax_open_kernel();
50997+ *(void **)&lionetdevops.ndo_select_queue = select_q;
50998+ pax_close_kernel();
50999+ }
51000
51001 /* Associate the routines that will handle different
51002 * netdev tasks.
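Review bot: The write `*(void **)&lionetdevops.ndo_select_queue = select_q;` modifies what appears to be a driver-wide ops table based on a per-device condition (`num_iqueues > 1`). After the first multi-queue interface is set up, every netdev that points at lionetdevops sees select_q, and the `void **` cast removes the compiler's check that select_q matches the ndo_select_queue signature. Keeping two const ops tables, one with `.ndo_select_queue = select_q` and one without, and picking one when netdev_ops is assigned would remove both the runtime write and the pax_open_kernel()/pax_close_kernel() window. The same pattern is used in the mlx5e_build_netdev hunk and in the qlcnic init_driver hunks (qlcnic_83xx_init.c and qlcnic_83xx_vnic.c). setup_nic_devices continues outside the hunk.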
51003diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
51004index 8cffcdf..aadf043 100644
51005--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
51006+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
51007@@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)(struct t3cdev * dev,
51008 */
51009 struct l2t_skb_cb {
51010 arp_failure_handler_func arp_failure_handler;
51011-};
51012+} __no_const;
51013
51014 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
51015
51016diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
51017index 8966f31..e15a101 100644
51018--- a/drivers/net/ethernet/dec/tulip/de4x5.c
51019+++ b/drivers/net/ethernet/dec/tulip/de4x5.c
51020@@ -5373,7 +5373,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
51021 for (i=0; i<ETH_ALEN; i++) {
51022 tmp.addr[i] = dev->dev_addr[i];
51023 }
51024- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
51025+ if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
51026 break;
51027
51028 case DE4X5_SET_HWADDR: /* Set the hardware address */
51029@@ -5413,7 +5413,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
51030 spin_lock_irqsave(&lp->lock, flags);
51031 memcpy(&statbuf, &lp->pktStats, ioc->len);
51032 spin_unlock_irqrestore(&lp->lock, flags);
51033- if (copy_to_user(ioc->data, &statbuf, ioc->len))
51034+ if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
51035 return -EFAULT;
51036 break;
51037 }
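Review bot: The added `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len);` two lines above it, so unless ioc->len is already clamped earlier in this case (not visible in the hunk), the stack buffer is overrun before the check can reject the request. The bound belongs before the copy and before the lock is taken: `if (ioc->len > sizeof statbuf) return -EINVAL;` ahead of spin_lock_irqsave(). In both de4x5_ioctl hunks -EINVAL would describe an oversized length more accurately than -EFAULT, which callers read as a bad user pointer. de4x5_ioctl starts and ends outside the hunk.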
51038diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
51039index 6ca693b..fa18c3f 100644
51040--- a/drivers/net/ethernet/emulex/benet/be_main.c
51041+++ b/drivers/net/ethernet/emulex/benet/be_main.c
51042@@ -551,7 +551,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val)
51043
51044 if (wrapped)
51045 newacc += 65536;
51046- ACCESS_ONCE(*acc) = newacc;
51047+ ACCESS_ONCE_RW(*acc) = newacc;
51048 }
51049
51050 static void populate_erx_stats(struct be_adapter *adapter,
51051diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
51052index 6d0c5d5..55be363 100644
51053--- a/drivers/net/ethernet/faraday/ftgmac100.c
51054+++ b/drivers/net/ethernet/faraday/ftgmac100.c
51055@@ -30,6 +30,8 @@
51056 #include <linux/netdevice.h>
51057 #include <linux/phy.h>
51058 #include <linux/platform_device.h>
51059+#include <linux/interrupt.h>
51060+#include <linux/irqreturn.h>
51061 #include <net/ip.h>
51062
51063 #include "ftgmac100.h"
51064diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c
51065index dce5f7b..2433466 100644
51066--- a/drivers/net/ethernet/faraday/ftmac100.c
51067+++ b/drivers/net/ethernet/faraday/ftmac100.c
51068@@ -31,6 +31,8 @@
51069 #include <linux/module.h>
51070 #include <linux/netdevice.h>
51071 #include <linux/platform_device.h>
51072+#include <linux/interrupt.h>
51073+#include <linux/irqreturn.h>
51074
51075 #include "ftmac100.h"
51076
51077diff --git a/drivers/net/ethernet/intel/i40e/i40e_ptp.c b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
51078index a92b772..250fe69 100644
51079--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c
51080+++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
51081@@ -419,7 +419,7 @@ void i40e_ptp_set_increment(struct i40e_pf *pf)
51082 wr32(hw, I40E_PRTTSYN_INC_H, incval >> 32);
51083
51084 /* Update the base adjustement value. */
51085- ACCESS_ONCE(pf->ptp_base_adj) = incval;
51086+ ACCESS_ONCE_RW(pf->ptp_base_adj) = incval;
51087 smp_mb(); /* Force the above update. */
51088 }
51089
51090diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
51091index e5ba040..d47531c 100644
51092--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
51093+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
51094@@ -782,7 +782,7 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter)
51095 }
51096
51097 /* update the base incval used to calculate frequency adjustment */
51098- ACCESS_ONCE(adapter->base_incval) = incval;
51099+ ACCESS_ONCE_RW(adapter->base_incval) = incval;
51100 smp_mb();
51101
51102 /* need lock to prevent incorrect read while modifying cyclecounter */
51103diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
51104index c10d98f..72914c6 100644
51105--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
51106+++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
51107@@ -475,8 +475,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev,
51108 wmb();
51109
51110 /* we want to dirty this cache line once */
51111- ACCESS_ONCE(ring->last_nr_txbb) = last_nr_txbb;
51112- ACCESS_ONCE(ring->cons) = ring_cons + txbbs_skipped;
51113+ ACCESS_ONCE_RW(ring->last_nr_txbb) = last_nr_txbb;
51114+ ACCESS_ONCE_RW(ring->cons) = ring_cons + txbbs_skipped;
51115
51116 netdev_tx_completed_queue(ring->tx_queue, packets, bytes);
51117
51118diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
51119index 40206da..9d94643 100644
51120--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
51121+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
51122@@ -1734,7 +1734,9 @@ static void mlx5e_build_netdev(struct net_device *netdev)
51123 SET_NETDEV_DEV(netdev, &mdev->pdev->dev);
51124
51125 if (priv->num_tc > 1) {
51126- mlx5e_netdev_ops.ndo_select_queue = mlx5e_select_queue;
51127+ pax_open_kernel();
51128+ *(void **)&mlx5e_netdev_ops.ndo_select_queue = mlx5e_select_queue;
51129+ pax_close_kernel();
51130 }
51131
51132 netdev->netdev_ops = &mlx5e_netdev_ops;
51133diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
51134index 6223930..975033d 100644
51135--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
51136+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
51137@@ -3457,7 +3457,10 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp,
51138 struct __vxge_hw_fifo *fifo;
51139 struct vxge_hw_fifo_config *config;
51140 u32 txdl_size, txdl_per_memblock;
51141- struct vxge_hw_mempool_cbs fifo_mp_callback;
51142+ static struct vxge_hw_mempool_cbs fifo_mp_callback = {
51143+ .item_func_alloc = __vxge_hw_fifo_mempool_item_alloc,
51144+ };
51145+
51146 struct __vxge_hw_virtualpath *vpath;
51147
51148 if ((vp == NULL) || (attr == NULL)) {
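Review bot: `fifo_mp_callback` is now a function-local static that is initialised at build time and, once the second hunk drops the runtime assignment, is not written again in the visible code. It could therefore be declared `static const struct vxge_hw_mempool_cbs fifo_mp_callback`, provided __vxge_hw_mempool_create() accepts a const pointer (its prototype is outside this view). The declaration also sits in the middle of the locals with a blank line after it, which splits the declaration block; moving it to the end keeps the block together. __vxge_hw_fifo_create continues outside the hunk.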
51149@@ -3540,8 +3543,6 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp,
51150 goto exit;
51151 }
51152
51153- fifo_mp_callback.item_func_alloc = __vxge_hw_fifo_mempool_item_alloc;
51154-
51155 fifo->mempool =
51156 __vxge_hw_mempool_create(vpath->hldev,
51157 fifo->config->memblock_size,
51158diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
51159index 753ea8b..674c39a 100644
51160--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
51161+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
51162@@ -2324,7 +2324,9 @@ int qlcnic_83xx_configure_opmode(struct qlcnic_adapter *adapter)
51163 max_tx_rings = QLCNIC_MAX_VNIC_TX_RINGS;
51164 } else if (ret == QLC_83XX_DEFAULT_OPMODE) {
51165 ahw->nic_mode = QLCNIC_DEFAULT_MODE;
51166- adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
51167+ pax_open_kernel();
51168+ *(void **)&adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
51169+ pax_close_kernel();
51170 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
51171 max_sds_rings = QLCNIC_MAX_SDS_RINGS;
51172 max_tx_rings = QLCNIC_MAX_TX_RINGS;
51173diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
51174index be7d7a6..a8983f8 100644
51175--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
51176+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
51177@@ -207,17 +207,23 @@ int qlcnic_83xx_config_vnic_opmode(struct qlcnic_adapter *adapter)
51178 case QLCNIC_NON_PRIV_FUNC:
51179 ahw->op_mode = QLCNIC_NON_PRIV_FUNC;
51180 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
51181- nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
51182+ pax_open_kernel();
51183+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
51184+ pax_close_kernel();
51185 break;
51186 case QLCNIC_PRIV_FUNC:
51187 ahw->op_mode = QLCNIC_PRIV_FUNC;
51188 ahw->idc.state_entry = qlcnic_83xx_idc_vnic_pf_entry;
51189- nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
51190+ pax_open_kernel();
51191+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
51192+ pax_close_kernel();
51193 break;
51194 case QLCNIC_MGMT_FUNC:
51195 ahw->op_mode = QLCNIC_MGMT_FUNC;
51196 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
51197- nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
51198+ pax_open_kernel();
51199+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
51200+ pax_close_kernel();
51201 break;
51202 default:
51203 dev_err(&adapter->pdev->dev, "Invalid Virtual NIC opmode\n");
51204diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
51205index 332bb8a..e6adcd1 100644
51206--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
51207+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
51208@@ -1285,7 +1285,7 @@ flash_temp:
51209 int qlcnic_dump_fw(struct qlcnic_adapter *adapter)
51210 {
51211 struct qlcnic_fw_dump *fw_dump = &adapter->ahw->fw_dump;
51212- static const struct qlcnic_dump_operations *fw_dump_ops;
51213+ const struct qlcnic_dump_operations *fw_dump_ops;
51214 struct qlcnic_83xx_dump_template_hdr *hdr_83xx;
51215 u32 entry_offset, dump, no_entries, buf_offset = 0;
51216 int i, k, ops_cnt, ops_index, dump_size = 0;
51217diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
51218index f790f61..f1faafe 100644
51219--- a/drivers/net/ethernet/realtek/r8169.c
51220+++ b/drivers/net/ethernet/realtek/r8169.c
51221@@ -788,22 +788,22 @@ struct rtl8169_private {
51222 struct mdio_ops {
51223 void (*write)(struct rtl8169_private *, int, int);
51224 int (*read)(struct rtl8169_private *, int);
51225- } mdio_ops;
51226+ } __no_const mdio_ops;
51227
51228 struct pll_power_ops {
51229 void (*down)(struct rtl8169_private *);
51230 void (*up)(struct rtl8169_private *);
51231- } pll_power_ops;
51232+ } __no_const pll_power_ops;
51233
51234 struct jumbo_ops {
51235 void (*enable)(struct rtl8169_private *);
51236 void (*disable)(struct rtl8169_private *);
51237- } jumbo_ops;
51238+ } __no_const jumbo_ops;
51239
51240 struct csi_ops {
51241 void (*write)(struct rtl8169_private *, int, int);
51242 u32 (*read)(struct rtl8169_private *, int);
51243- } csi_ops;
51244+ } __no_const csi_ops;
51245
51246 int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
51247 int (*get_settings)(struct net_device *, struct ethtool_cmd *);
51248diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c
51249index ad62615..a4c124d 100644
51250--- a/drivers/net/ethernet/sfc/ptp.c
51251+++ b/drivers/net/ethernet/sfc/ptp.c
51252@@ -832,7 +832,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings)
51253 ptp->start.dma_addr);
51254
51255 /* Clear flag that signals MC ready */
51256- ACCESS_ONCE(*start) = 0;
51257+ ACCESS_ONCE_RW(*start) = 0;
51258 rc = efx_mcdi_rpc_start(efx, MC_CMD_PTP, synch_buf,
51259 MC_CMD_PTP_IN_SYNCHRONIZE_LEN);
51260 EFX_BUG_ON_PARANOID(rc);
51261diff --git a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
51262index 3f20bb1..59add41 100644
51263--- a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
51264+++ b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
51265@@ -140,8 +140,8 @@ void dwmac_mmc_ctrl(void __iomem *ioaddr, unsigned int mode)
51266
51267 writel(value, ioaddr + MMC_CNTRL);
51268
51269- pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n",
51270- MMC_CNTRL, value);
51271+// pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n",
51272+// MMC_CNTRL, value);
51273 }
51274
51275 /* To mask all all interrupts.*/
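Review bot: The pr_debug() call in dwmac_mmc_ctrl() is disabled by turning its two lines into `//` comments, which leaves dead code behind with no stated reason. Either delete the two lines, or replace them with a single comment that says why the message is suppressed, e.g. `/* MMC_CNTRL debug print removed: <reason> */`. Kernel style of this era also uses `/* */` rather than `//` for comments.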
51276diff --git a/drivers/net/ethernet/via/via-rhine.c b/drivers/net/ethernet/via/via-rhine.c
51277index a832637..092da0a 100644
51278--- a/drivers/net/ethernet/via/via-rhine.c
51279+++ b/drivers/net/ethernet/via/via-rhine.c
51280@@ -2599,7 +2599,7 @@ static struct platform_driver rhine_driver_platform = {
51281 }
51282 };
51283
51284-static struct dmi_system_id rhine_dmi_table[] __initdata = {
51285+static const struct dmi_system_id rhine_dmi_table[] __initconst = {
51286 {
51287 .ident = "EPIA-M",
51288 .matches = {
51289diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
51290index dd45440..c5f3cae 100644
51291--- a/drivers/net/hyperv/hyperv_net.h
51292+++ b/drivers/net/hyperv/hyperv_net.h
51293@@ -177,7 +177,7 @@ struct rndis_device {
51294 enum rndis_device_state state;
51295 bool link_state;
51296 bool link_change;
51297- atomic_t new_req_id;
51298+ atomic_unchecked_t new_req_id;
51299
51300 spinlock_t request_lock;
51301 struct list_head req_list;
51302diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
51303index 236aeb7..fd695e2 100644
51304--- a/drivers/net/hyperv/rndis_filter.c
51305+++ b/drivers/net/hyperv/rndis_filter.c
51306@@ -101,7 +101,7 @@ static struct rndis_request *get_rndis_request(struct rndis_device *dev,
51307 * template
51308 */
51309 set = &rndis_msg->msg.set_req;
51310- set->req_id = atomic_inc_return(&dev->new_req_id);
51311+ set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
51312
51313 /* Add to the request list */
51314 spin_lock_irqsave(&dev->request_lock, flags);
51315@@ -924,7 +924,7 @@ static void rndis_filter_halt_device(struct rndis_device *dev)
51316
51317 /* Setup the rndis set */
51318 halt = &request->request_msg.msg.halt_req;
51319- halt->req_id = atomic_inc_return(&dev->new_req_id);
51320+ halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
51321
51322 /* Ignore return since this msg is optional. */
51323 rndis_filter_send_request(dev, request);
51324diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
51325index 94570aa..1a798e1 100644
51326--- a/drivers/net/ifb.c
51327+++ b/drivers/net/ifb.c
51328@@ -253,7 +253,7 @@ static int ifb_validate(struct nlattr *tb[], struct nlattr *data[])
51329 return 0;
51330 }
51331
51332-static struct rtnl_link_ops ifb_link_ops __read_mostly = {
51333+static struct rtnl_link_ops ifb_link_ops = {
51334 .kind = "ifb",
51335 .priv_size = sizeof(struct ifb_private),
51336 .setup = ifb_setup,
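Review bot: Dropping `__read_mostly` from `ifb_link_ops` is unexplained, and the same silent change is made to the `rtnl_link_ops` and `notifier_block` objects in macvlan.c, macvtap.c, nlmon.c, team.c, tun.c and vxlan.c. Presumably the explicit section attribute would keep these function-pointer tables out of the read-only placement the rest of the patch relies on (macvlan_link_register writes to its ops only between `pax_open_kernel()` and `pax_close_kernel()`), but nothing in the hunks says so. A comment such as `/* no __read_mostly: object must remain eligible for read-only placement */` would stop the annotation from being re-added later. The initializer continues past the end of this hunk.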
51337diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
51338index 207f62e..af3f5e5 100644
51339--- a/drivers/net/ipvlan/ipvlan_core.c
51340+++ b/drivers/net/ipvlan/ipvlan_core.c
51341@@ -466,7 +466,7 @@ static void ipvlan_multicast_enqueue(struct ipvl_port *port,
51342 schedule_work(&port->wq);
51343 } else {
51344 spin_unlock(&port->backlog.lock);
51345- atomic_long_inc(&skb->dev->rx_dropped);
51346+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
51347 kfree_skb(skb);
51348 }
51349 }
51350diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
51351index 9f59f17..52cb38f 100644
51352--- a/drivers/net/macvlan.c
51353+++ b/drivers/net/macvlan.c
51354@@ -335,7 +335,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
51355 free_nskb:
51356 kfree_skb(nskb);
51357 err:
51358- atomic_long_inc(&skb->dev->rx_dropped);
51359+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
51360 }
51361
51362 static void macvlan_flush_sources(struct macvlan_port *port,
51363@@ -1480,13 +1480,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = {
51364 int macvlan_link_register(struct rtnl_link_ops *ops)
51365 {
51366 /* common fields */
51367- ops->priv_size = sizeof(struct macvlan_dev);
51368- ops->validate = macvlan_validate;
51369- ops->maxtype = IFLA_MACVLAN_MAX;
51370- ops->policy = macvlan_policy;
51371- ops->changelink = macvlan_changelink;
51372- ops->get_size = macvlan_get_size;
51373- ops->fill_info = macvlan_fill_info;
51374+ pax_open_kernel();
51375+ *(size_t *)&ops->priv_size = sizeof(struct macvlan_dev);
51376+ *(void **)&ops->validate = macvlan_validate;
51377+ *(int *)&ops->maxtype = IFLA_MACVLAN_MAX;
51378+ *(const void **)&ops->policy = macvlan_policy;
51379+ *(void **)&ops->changelink = macvlan_changelink;
51380+ *(void **)&ops->get_size = macvlan_get_size;
51381+ *(void **)&ops->fill_info = macvlan_fill_info;
51382+ pax_close_kernel();
51383
51384 return rtnl_link_register(ops);
51385 };
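Review bot: Every store in macvlan_link_register now goes through a cast such as `*(void **)&ops->validate = macvlan_validate;`, which discards the compiler's check that the handler matches the member's prototype and converts function pointers through `void *`. A handler with the wrong signature would be written into a table that is otherwise protected, without any diagnostic. Casting to the member's own pointer type would keep that check. At minimum add a comment above `pax_open_kernel();`, e.g. `/* ops is presumably read-only after init; the casts drop const for these stores only */`. As written, nothing between the open and close calls can fail or sleep, and that property should be preserved if more fields are added.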
51386@@ -1572,7 +1574,7 @@ static int macvlan_device_event(struct notifier_block *unused,
51387 return NOTIFY_DONE;
51388 }
51389
51390-static struct notifier_block macvlan_notifier_block __read_mostly = {
51391+static struct notifier_block macvlan_notifier_block = {
51392 .notifier_call = macvlan_device_event,
51393 };
51394
51395diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
51396index 248478c..05e8467 100644
51397--- a/drivers/net/macvtap.c
51398+++ b/drivers/net/macvtap.c
51399@@ -485,7 +485,7 @@ static void macvtap_setup(struct net_device *dev)
51400 dev->tx_queue_len = TUN_READQ_SIZE;
51401 }
51402
51403-static struct rtnl_link_ops macvtap_link_ops __read_mostly = {
51404+static struct rtnl_link_ops macvtap_link_ops = {
51405 .kind = "macvtap",
51406 .setup = macvtap_setup,
51407 .newlink = macvtap_newlink,
51408@@ -1090,7 +1090,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
51409
51410 ret = 0;
51411 u = q->flags;
51412- if (copy_to_user(&ifr->ifr_name, vlan->dev->name, IFNAMSIZ) ||
51413+ if (copy_to_user(ifr->ifr_name, vlan->dev->name, IFNAMSIZ) ||
51414 put_user(u, &ifr->ifr_flags))
51415 ret = -EFAULT;
51416 macvtap_put_vlan(vlan);
51417@@ -1308,7 +1308,7 @@ static int macvtap_device_event(struct notifier_block *unused,
51418 return NOTIFY_DONE;
51419 }
51420
51421-static struct notifier_block macvtap_notifier_block __read_mostly = {
51422+static struct notifier_block macvtap_notifier_block = {
51423 .notifier_call = macvtap_device_event,
51424 };
51425
51426diff --git a/drivers/net/nlmon.c b/drivers/net/nlmon.c
51427index 34924df..a747360 100644
51428--- a/drivers/net/nlmon.c
51429+++ b/drivers/net/nlmon.c
51430@@ -154,7 +154,7 @@ static int nlmon_validate(struct nlattr *tb[], struct nlattr *data[])
51431 return 0;
51432 }
51433
51434-static struct rtnl_link_ops nlmon_link_ops __read_mostly = {
51435+static struct rtnl_link_ops nlmon_link_ops = {
51436 .kind = "nlmon",
51437 .priv_size = sizeof(struct nlmon),
51438 .setup = nlmon_setup,
51439diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
51440index 55f0178..6220e93 100644
51441--- a/drivers/net/phy/phy_device.c
51442+++ b/drivers/net/phy/phy_device.c
51443@@ -218,7 +218,7 @@ EXPORT_SYMBOL(phy_device_create);
51444 * zero on success.
51445 *
51446 */
51447-static int get_phy_c45_ids(struct mii_bus *bus, int addr, u32 *phy_id,
51448+static int get_phy_c45_ids(struct mii_bus *bus, int addr, int *phy_id,
51449 struct phy_c45_device_ids *c45_ids) {
51450 int phy_reg;
51451 int i, reg_addr;
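Review bot: `phy_id` changes from `u32 *` to `int *` here and in the get_phy_id and get_phy_device hunks that follow, which makes a 32-bit hardware identifier signed without saying why. If the code outside these hunks builds the value by shifting a 16-bit register into the upper half, or compares it against a mask, the result now depends on signed arithmetic. Please state the motivation at the declaration, e.g. `/* int rather than u32: <reason> */`, or keep `u32` and address the conversion this change is working around. The bodies of all three functions lie outside the hunks.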
51452@@ -296,7 +296,7 @@ retry: reg_addr = MII_ADDR_C45 | i << 16 | MDIO_DEVS2;
51453 * its return value is in turn returned.
51454 *
51455 */
51456-static int get_phy_id(struct mii_bus *bus, int addr, u32 *phy_id,
51457+static int get_phy_id(struct mii_bus *bus, int addr, int *phy_id,
51458 bool is_c45, struct phy_c45_device_ids *c45_ids)
51459 {
51460 int phy_reg;
51461@@ -334,7 +334,7 @@ static int get_phy_id(struct mii_bus *bus, int addr, u32 *phy_id,
51462 struct phy_device *get_phy_device(struct mii_bus *bus, int addr, bool is_c45)
51463 {
51464 struct phy_c45_device_ids c45_ids = {0};
51465- u32 phy_id = 0;
51466+ int phy_id = 0;
51467 int r;
51468
51469 r = get_phy_id(bus, addr, &phy_id, is_c45, &c45_ids);
51470diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
51471index 487be20..f4c87bc 100644
51472--- a/drivers/net/ppp/ppp_generic.c
51473+++ b/drivers/net/ppp/ppp_generic.c
51474@@ -1035,7 +1035,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
51475 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
51476 struct ppp_stats stats;
51477 struct ppp_comp_stats cstats;
51478- char *vers;
51479
51480 switch (cmd) {
51481 case SIOCGPPPSTATS:
51482@@ -1057,8 +1056,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
51483 break;
51484
51485 case SIOCGPPPVER:
51486- vers = PPP_VERSION;
51487- if (copy_to_user(addr, vers, strlen(vers) + 1))
51488+ if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
51489 break;
51490 err = 0;
51491 break;
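Review bot: `sizeof(PPP_VERSION)` equals the string length plus the terminator only while `PPP_VERSION` expands to a string literal, and its definition is not in this hunk. If it is ever changed to a `const char *`, the copy silently shrinks to the size of a pointer and user space receives a truncated, possibly unterminated version string. Record the assumption next to the call: `/* PPP_VERSION must stay a string literal: sizeof() counts the trailing NUL */`. ppp_net_ioctl continues beyond the hunk.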
51492diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
51493index 079f7ad..7e59810 100644
51494--- a/drivers/net/slip/slhc.c
51495+++ b/drivers/net/slip/slhc.c
51496@@ -94,6 +94,9 @@ slhc_init(int rslots, int tslots)
51497 register struct cstate *ts;
51498 struct slcompress *comp;
51499
51500+ if (rslots <= 0 || tslots <= 0 || rslots >= 256 || tslots >= 256)
51501+ goto out_fail;
51502+
51503 comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
51504 if (! comp)
51505 goto out_fail;
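Review bot: The new guard in slhc_init rejects `rslots == 0` and `tslots == 0` as well as negative and over-255 values, so a caller that asks for no slots in one direction now gets a failure. If zero is a supported request (the rest of the function is outside the hunk), the lower bound should be `< 0`: `if (rslots < 0 || tslots < 0 || rslots >= 256 || tslots >= 256)`. The jump to `out_fail` is taken before `comp` is assigned, so that label must not free or dereference `comp`; it is also outside the hunk and should be checked. A comment explaining the 255 limit would help, presumably that a slot index has to fit in one byte.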
51506@@ -487,7 +490,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
51507 register struct tcphdr *thp;
51508 register struct iphdr *ip;
51509 register struct cstate *cs;
51510- int len, hdrlen;
51511+ long len, hdrlen;
51512 unsigned char *cp = icp;
51513
51514 /* We've got a compressed packet; read the change byte */
51515diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
51516index daa054b..07d6b98 100644
51517--- a/drivers/net/team/team.c
51518+++ b/drivers/net/team/team.c
51519@@ -2107,7 +2107,7 @@ static unsigned int team_get_num_rx_queues(void)
51520 return TEAM_DEFAULT_NUM_RX_QUEUES;
51521 }
51522
51523-static struct rtnl_link_ops team_link_ops __read_mostly = {
51524+static struct rtnl_link_ops team_link_ops = {
51525 .kind = DRV_NAME,
51526 .priv_size = sizeof(struct team),
51527 .setup = team_setup,
51528@@ -2897,7 +2897,7 @@ static int team_device_event(struct notifier_block *unused,
51529 return NOTIFY_DONE;
51530 }
51531
51532-static struct notifier_block team_notifier_block __read_mostly = {
51533+static struct notifier_block team_notifier_block = {
51534 .notifier_call = team_device_event,
51535 };
51536
51537diff --git a/drivers/net/tun.c b/drivers/net/tun.c
51538index 06a0394..1756d18 100644
51539--- a/drivers/net/tun.c
51540+++ b/drivers/net/tun.c
51541@@ -1472,7 +1472,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
51542 return -EINVAL;
51543 }
51544
51545-static struct rtnl_link_ops tun_link_ops __read_mostly = {
51546+static struct rtnl_link_ops tun_link_ops = {
51547 .kind = DRV_NAME,
51548 .priv_size = sizeof(struct tun_struct),
51549 .setup = tun_setup,
51550@@ -1871,7 +1871,7 @@ unlock:
51551 }
51552
51553 static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
51554- unsigned long arg, int ifreq_len)
51555+ unsigned long arg, size_t ifreq_len)
51556 {
51557 struct tun_file *tfile = file->private_data;
51558 struct tun_struct *tun;
51559@@ -1885,6 +1885,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
51560 int le;
51561 int ret;
51562
51563+ if (ifreq_len > sizeof ifr)
51564+ return -EFAULT;
51565+
51566 if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
51567 if (copy_from_user(&ifr, argp, ifreq_len))
51568 return -EFAULT;
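Review bot: The added bound `if (ifreq_len > sizeof ifr)` returns `-EFAULT`, which a caller cannot tell apart from a bad user pointer; an oversized length is an invalid argument, so `return -EINVAL;` describes the failure better. The check is in the right place to stop `copy_from_user(&ifr, argp, ifreq_len)` from writing past `ifr`, and the switch to `size_t` in the previous hunk removes the negative-length case. A short comment such as `/* never copy more than ifr can hold */` would record the intent. The body of __tun_chr_ioctl continues outside the hunk, so any later copy that uses `ifreq_len` is not visible here.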
51569diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
51570index 111d907..1ee643e 100644
51571--- a/drivers/net/usb/hso.c
51572+++ b/drivers/net/usb/hso.c
51573@@ -70,7 +70,7 @@
51574 #include <asm/byteorder.h>
51575 #include <linux/serial_core.h>
51576 #include <linux/serial.h>
51577-
51578+#include <asm/local.h>
51579
51580 #define MOD_AUTHOR "Option Wireless"
51581 #define MOD_DESCRIPTION "USB High Speed Option driver"
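Review bot: The hunk adds `#include <asm/local.h>`, but every converted access in this file uses the `atomic_*` API (`atomic_read`, `atomic_inc_return`, `atomic_dec`, `atomic_set`), not `local_t`. `#include <linux/atomic.h>` would name the dependency the new code actually has. If `asm/local.h` is needed for some other reason, that reason is not visible in these hunks and deserves a comment.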
51582@@ -1183,7 +1183,7 @@ static void put_rxbuf_data_and_resubmit_ctrl_urb(struct hso_serial *serial)
51583 struct urb *urb;
51584
51585 urb = serial->rx_urb[0];
51586- if (serial->port.count > 0) {
51587+ if (atomic_read(&serial->port.count) > 0) {
51588 count = put_rxbuf_data(urb, serial);
51589 if (count == -1)
51590 return;
51591@@ -1221,7 +1221,7 @@ static void hso_std_serial_read_bulk_callback(struct urb *urb)
51592 DUMP1(urb->transfer_buffer, urb->actual_length);
51593
51594 /* Anyone listening? */
51595- if (serial->port.count == 0)
51596+ if (atomic_read(&serial->port.count) == 0)
51597 return;
51598
51599 if (serial->parent->port_spec & HSO_INFO_CRC_BUG)
51600@@ -1282,8 +1282,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
51601 tty_port_tty_set(&serial->port, tty);
51602
51603 /* check for port already opened, if not set the termios */
51604- serial->port.count++;
51605- if (serial->port.count == 1) {
51606+ if (atomic_inc_return(&serial->port.count) == 1) {
51607 serial->rx_state = RX_IDLE;
51608 /* Force default termio settings */
51609 _hso_serial_set_termios(tty, NULL);
51610@@ -1293,7 +1292,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
51611 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
51612 if (result) {
51613 hso_stop_serial_device(serial->parent);
51614- serial->port.count--;
51615+ atomic_dec(&serial->port.count);
51616 } else {
51617 kref_get(&serial->parent->ref);
51618 }
51619@@ -1331,10 +1330,10 @@ static void hso_serial_close(struct tty_struct *tty, struct file *filp)
51620
51621 /* reset the rts and dtr */
51622 /* do the actual close */
51623- serial->port.count--;
51624+ atomic_dec(&serial->port.count);
51625
51626- if (serial->port.count <= 0) {
51627- serial->port.count = 0;
51628+ if (atomic_read(&serial->port.count) <= 0) {
51629+ atomic_set(&serial->port.count, 0);
51630 tty_port_tty_set(&serial->port, NULL);
51631 if (!usb_gone)
51632 hso_stop_serial_device(serial->parent);
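Review bot: In hso_serial_close the count is decremented with `atomic_dec()`, re-read with `atomic_read()` and then clamped with `atomic_set(&serial->port.count, 0)`; each step is atomic, but the sequence is not. If an open can run in between (whether a lock is held here is outside the hunk), its increment can be overwritten by the clamp. Using the value returned by the decrement closes the first gap: `if (atomic_dec_return(&serial->port.count) <= 0) {`. The other hso.c hunks only test the counter and are less exposed, but the open path's `atomic_inc_return(...) == 1` relies on the same counter never being reset underneath it.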
51633@@ -1417,7 +1416,7 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old)
51634
51635 /* the actual setup */
51636 spin_lock_irqsave(&serial->serial_lock, flags);
51637- if (serial->port.count)
51638+ if (atomic_read(&serial->port.count))
51639 _hso_serial_set_termios(tty, old);
51640 else
51641 tty->termios = *old;
51642@@ -1891,7 +1890,7 @@ static void intr_callback(struct urb *urb)
51643 D1("Pending read interrupt on port %d\n", i);
51644 spin_lock(&serial->serial_lock);
51645 if (serial->rx_state == RX_IDLE &&
51646- serial->port.count > 0) {
51647+ atomic_read(&serial->port.count) > 0) {
51648 /* Setup and send a ctrl req read on
51649 * port i */
51650 if (!serial->rx_urb_filled[0]) {
51651@@ -3058,7 +3057,7 @@ static int hso_resume(struct usb_interface *iface)
51652 /* Start all serial ports */
51653 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
51654 if (serial_table[i] && (serial_table[i]->interface == iface)) {
51655- if (dev2ser(serial_table[i])->port.count) {
51656+ if (atomic_read(&dev2ser(serial_table[i])->port.count)) {
51657 result =
51658 hso_start_serial_device(serial_table[i], GFP_NOIO);
51659 hso_kick_transmit(dev2ser(serial_table[i]));
51660diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
51661index ad8cbc6..de80b09 100644
51662--- a/drivers/net/usb/r8152.c
51663+++ b/drivers/net/usb/r8152.c
51664@@ -603,7 +603,7 @@ struct r8152 {
51665 void (*unload)(struct r8152 *);
51666 int (*eee_get)(struct r8152 *, struct ethtool_eee *);
51667 int (*eee_set)(struct r8152 *, struct ethtool_eee *);
51668- } rtl_ops;
51669+ } __no_const rtl_ops;
51670
51671 int intr_interval;
51672 u32 saved_wolopts;
51673diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
51674index a2515887..6d13233 100644
51675--- a/drivers/net/usb/sierra_net.c
51676+++ b/drivers/net/usb/sierra_net.c
51677@@ -51,7 +51,7 @@ static const char driver_name[] = "sierra_net";
51678 /* atomic counter partially included in MAC address to make sure 2 devices
51679 * do not end up with the same MAC - concept breaks in case of > 255 ifaces
51680 */
51681-static atomic_t iface_counter = ATOMIC_INIT(0);
51682+static atomic_unchecked_t iface_counter = ATOMIC_INIT(0);
51683
51684 /*
51685 * SYNC Timer Delay definition used to set the expiry time
51686@@ -697,7 +697,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
51687 dev->net->netdev_ops = &sierra_net_device_ops;
51688
51689 /* change MAC addr to include, ifacenum, and to be unique */
51690- dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter);
51691+ dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return_unchecked(&iface_counter);
51692 dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
51693
51694 /* we will have to manufacture ethernet headers, prepare template */
51695diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
51696index 237f8e5..8dccb91 100644
51697--- a/drivers/net/virtio_net.c
51698+++ b/drivers/net/virtio_net.c
51699@@ -48,7 +48,7 @@ module_param(gso, bool, 0444);
51700 #define RECEIVE_AVG_WEIGHT 64
51701
51702 /* Minimum alignment for mergeable packet buffers. */
51703-#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256)
51704+#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256UL)
51705
51706 #define VIRTNET_DRIVER_VERSION "1.0.0"
51707
51708diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
51709index 5bc4b1e..d5769f5 100644
51710--- a/drivers/net/vxlan.c
51711+++ b/drivers/net/vxlan.c
51712@@ -2884,7 +2884,7 @@ static struct net *vxlan_get_link_net(const struct net_device *dev)
51713 return vxlan->net;
51714 }
51715
51716-static struct rtnl_link_ops vxlan_link_ops __read_mostly = {
51717+static struct rtnl_link_ops vxlan_link_ops = {
51718 .kind = "vxlan",
51719 .maxtype = IFLA_VXLAN_MAX,
51720 .policy = vxlan_policy,
51721@@ -2932,7 +2932,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused,
51722 return NOTIFY_DONE;
51723 }
51724
51725-static struct notifier_block vxlan_notifier_block __read_mostly = {
51726+static struct notifier_block vxlan_notifier_block = {
51727 .notifier_call = vxlan_lowerdev_event,
51728 };
51729
51730diff --git a/drivers/net/wan/lmc/lmc_media.c b/drivers/net/wan/lmc/lmc_media.c
51731index 5920c99..ff2e4a5 100644
51732--- a/drivers/net/wan/lmc/lmc_media.c
51733+++ b/drivers/net/wan/lmc/lmc_media.c
51734@@ -95,62 +95,63 @@ static inline void write_av9110_bit (lmc_softc_t *, int);
51735 static void write_av9110(lmc_softc_t *, u32, u32, u32, u32, u32);
51736
51737 lmc_media_t lmc_ds3_media = {
51738- lmc_ds3_init, /* special media init stuff */
51739- lmc_ds3_default, /* reset to default state */
51740- lmc_ds3_set_status, /* reset status to state provided */
51741- lmc_dummy_set_1, /* set clock source */
51742- lmc_dummy_set2_1, /* set line speed */
51743- lmc_ds3_set_100ft, /* set cable length */
51744- lmc_ds3_set_scram, /* set scrambler */
51745- lmc_ds3_get_link_status, /* get link status */
51746- lmc_dummy_set_1, /* set link status */
51747- lmc_ds3_set_crc_length, /* set CRC length */
51748- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51749- lmc_ds3_watchdog
51750+ .init = lmc_ds3_init, /* special media init stuff */
51751+ .defaults = lmc_ds3_default, /* reset to default state */
51752+ .set_status = lmc_ds3_set_status, /* reset status to state provided */
51753+ .set_clock_source = lmc_dummy_set_1, /* set clock source */
51754+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51755+ .set_cable_length = lmc_ds3_set_100ft, /* set cable length */
51756+ .set_scrambler = lmc_ds3_set_scram, /* set scrambler */
51757+ .get_link_status = lmc_ds3_get_link_status, /* get link status */
51758+ .set_link_status = lmc_dummy_set_1, /* set link status */
51759+ .set_crc_length = lmc_ds3_set_crc_length, /* set CRC length */
51760+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51761+ .watchdog = lmc_ds3_watchdog
51762 };
51763
51764 lmc_media_t lmc_hssi_media = {
51765- lmc_hssi_init, /* special media init stuff */
51766- lmc_hssi_default, /* reset to default state */
51767- lmc_hssi_set_status, /* reset status to state provided */
51768- lmc_hssi_set_clock, /* set clock source */
51769- lmc_dummy_set2_1, /* set line speed */
51770- lmc_dummy_set_1, /* set cable length */
51771- lmc_dummy_set_1, /* set scrambler */
51772- lmc_hssi_get_link_status, /* get link status */
51773- lmc_hssi_set_link_status, /* set link status */
51774- lmc_hssi_set_crc_length, /* set CRC length */
51775- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51776- lmc_hssi_watchdog
51777+ .init = lmc_hssi_init, /* special media init stuff */
51778+ .defaults = lmc_hssi_default, /* reset to default state */
51779+ .set_status = lmc_hssi_set_status, /* reset status to state provided */
51780+ .set_clock_source = lmc_hssi_set_clock, /* set clock source */
51781+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51782+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51783+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51784+ .get_link_status = lmc_hssi_get_link_status, /* get link status */
51785+ .set_link_status = lmc_hssi_set_link_status, /* set link status */
51786+ .set_crc_length = lmc_hssi_set_crc_length, /* set CRC length */
51787+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51788+ .watchdog = lmc_hssi_watchdog
51789 };
51790
51791-lmc_media_t lmc_ssi_media = { lmc_ssi_init, /* special media init stuff */
51792- lmc_ssi_default, /* reset to default state */
51793- lmc_ssi_set_status, /* reset status to state provided */
51794- lmc_ssi_set_clock, /* set clock source */
51795- lmc_ssi_set_speed, /* set line speed */
51796- lmc_dummy_set_1, /* set cable length */
51797- lmc_dummy_set_1, /* set scrambler */
51798- lmc_ssi_get_link_status, /* get link status */
51799- lmc_ssi_set_link_status, /* set link status */
51800- lmc_ssi_set_crc_length, /* set CRC length */
51801- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51802- lmc_ssi_watchdog
51803+lmc_media_t lmc_ssi_media = {
51804+ .init = lmc_ssi_init, /* special media init stuff */
51805+ .defaults = lmc_ssi_default, /* reset to default state */
51806+ .set_status = lmc_ssi_set_status, /* reset status to state provided */
51807+ .set_clock_source = lmc_ssi_set_clock, /* set clock source */
51808+ .set_speed = lmc_ssi_set_speed, /* set line speed */
51809+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51810+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51811+ .get_link_status = lmc_ssi_get_link_status, /* get link status */
51812+ .set_link_status = lmc_ssi_set_link_status, /* set link status */
51813+ .set_crc_length = lmc_ssi_set_crc_length, /* set CRC length */
51814+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51815+ .watchdog = lmc_ssi_watchdog
51816 };
51817
51818 lmc_media_t lmc_t1_media = {
51819- lmc_t1_init, /* special media init stuff */
51820- lmc_t1_default, /* reset to default state */
51821- lmc_t1_set_status, /* reset status to state provided */
51822- lmc_t1_set_clock, /* set clock source */
51823- lmc_dummy_set2_1, /* set line speed */
51824- lmc_dummy_set_1, /* set cable length */
51825- lmc_dummy_set_1, /* set scrambler */
51826- lmc_t1_get_link_status, /* get link status */
51827- lmc_dummy_set_1, /* set link status */
51828- lmc_t1_set_crc_length, /* set CRC length */
51829- lmc_t1_set_circuit_type, /* set T1 or E1 circuit type */
51830- lmc_t1_watchdog
51831+ .init = lmc_t1_init, /* special media init stuff */
51832+ .defaults = lmc_t1_default, /* reset to default state */
51833+ .set_status = lmc_t1_set_status, /* reset status to state provided */
51834+ .set_clock_source = lmc_t1_set_clock, /* set clock source */
51835+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51836+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51837+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51838+ .get_link_status = lmc_t1_get_link_status, /* get link status */
51839+ .set_link_status = lmc_dummy_set_1, /* set link status */
51840+ .set_crc_length = lmc_t1_set_crc_length, /* set CRC length */
51841+ .set_circuit_type = lmc_t1_set_circuit_type, /* set T1 or E1 circuit type */
51842+ .watchdog = lmc_t1_watchdog
51843 };
51844
51845 static void
51846diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c
51847index 2f0bd69..e46ed7b 100644
51848--- a/drivers/net/wan/z85230.c
51849+++ b/drivers/net/wan/z85230.c
51850@@ -485,9 +485,9 @@ static void z8530_status(struct z8530_channel *chan)
51851
51852 struct z8530_irqhandler z8530_sync =
51853 {
51854- z8530_rx,
51855- z8530_tx,
51856- z8530_status
51857+ .rx = z8530_rx,
51858+ .tx = z8530_tx,
51859+ .status = z8530_status
51860 };
51861
51862 EXPORT_SYMBOL(z8530_sync);
51863@@ -605,15 +605,15 @@ static void z8530_dma_status(struct z8530_channel *chan)
51864 }
51865
51866 static struct z8530_irqhandler z8530_dma_sync = {
51867- z8530_dma_rx,
51868- z8530_dma_tx,
51869- z8530_dma_status
51870+ .rx = z8530_dma_rx,
51871+ .tx = z8530_dma_tx,
51872+ .status = z8530_dma_status
51873 };
51874
51875 static struct z8530_irqhandler z8530_txdma_sync = {
51876- z8530_rx,
51877- z8530_dma_tx,
51878- z8530_dma_status
51879+ .rx = z8530_rx,
51880+ .tx = z8530_dma_tx,
51881+ .status = z8530_dma_status
51882 };
51883
51884 /**
51885@@ -680,9 +680,9 @@ static void z8530_status_clear(struct z8530_channel *chan)
51886
51887 struct z8530_irqhandler z8530_nop=
51888 {
51889- z8530_rx_clear,
51890- z8530_tx_clear,
51891- z8530_status_clear
51892+ .rx = z8530_rx_clear,
51893+ .tx = z8530_tx_clear,
51894+ .status = z8530_status_clear
51895 };
51896
51897
51898diff --git a/drivers/net/wimax/i2400m/rx.c b/drivers/net/wimax/i2400m/rx.c
51899index 0b60295..b8bfa5b 100644
51900--- a/drivers/net/wimax/i2400m/rx.c
51901+++ b/drivers/net/wimax/i2400m/rx.c
51902@@ -1359,7 +1359,7 @@ int i2400m_rx_setup(struct i2400m *i2400m)
51903 if (i2400m->rx_roq == NULL)
51904 goto error_roq_alloc;
51905
51906- rd = kcalloc(I2400M_RO_CIN + 1, sizeof(*i2400m->rx_roq[0].log),
51907+ rd = kcalloc(sizeof(*i2400m->rx_roq[0].log), I2400M_RO_CIN + 1,
51908 GFP_KERNEL);
51909 if (rd == NULL) {
51910 result = -ENOMEM;
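Review bot: The call now reads `kcalloc(sizeof(*i2400m->rx_roq[0].log), I2400M_RO_CIN + 1, GFP_KERNEL)`, so the element size is passed as the count and the count as the element size. The product is the same and behaviour should not change, but the order contradicts the `(n, size, flags)` prototype and will look like a bug to the next reader. If the swap is needed for the patch's integer-overflow instrumentation, say so at the call: `/* arguments deliberately swapped: <reason> */`. i2400m_rx_setup starts and ends outside the hunk.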
51911diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
51912index d0c97c2..108f59b 100644
51913--- a/drivers/net/wireless/airo.c
51914+++ b/drivers/net/wireless/airo.c
51915@@ -7846,7 +7846,7 @@ static int writerids(struct net_device *dev, aironet_ioctl *comp) {
51916 struct airo_info *ai = dev->ml_priv;
51917 int ridcode;
51918 int enabled;
51919- static int (* writer)(struct airo_info *, u16 rid, const void *, int, int);
51920+ int (* writer)(struct airo_info *, u16 rid, const void *, int, int);
51921 unsigned char *iobuf;
51922
51923 /* Only super-user can write RIDs */
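Review bot: Removing `static` from `writer` makes it an uninitialised automatic variable, so every path through writerids must assign it before the indirect call; those assignments are outside the hunk and should be checked. The change itself is sound, since a function-local `static` function pointer is shared by all callers and sits in writable data. Initialising it at the declaration, `int (* writer)(struct airo_info *, u16 rid, const void *, int, int) = NULL;`, would make a missed assignment fail in a defined way instead of calling through a stale stack value.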
51924diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
51925index dab2513..4c4b65d 100644
51926--- a/drivers/net/wireless/at76c50x-usb.c
51927+++ b/drivers/net/wireless/at76c50x-usb.c
51928@@ -353,7 +353,7 @@ static int at76_dfu_get_state(struct usb_device *udev, u8 *state)
51929 }
51930
51931 /* Convert timeout from the DFU status to jiffies */
51932-static inline unsigned long at76_get_timeout(struct dfu_status *s)
51933+static inline unsigned long __intentional_overflow(-1) at76_get_timeout(struct dfu_status *s)
51934 {
51935 return msecs_to_jiffies((s->poll_timeout[2] << 16)
51936 | (s->poll_timeout[1] << 8)
51937diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
51938index 85bfa2a..3f6e72c 100644
51939--- a/drivers/net/wireless/ath/ath10k/htc.c
51940+++ b/drivers/net/wireless/ath/ath10k/htc.c
51941@@ -839,7 +839,10 @@ int ath10k_htc_start(struct ath10k_htc *htc)
51942 /* registered target arrival callback from the HIF layer */
51943 int ath10k_htc_init(struct ath10k *ar)
51944 {
51945- struct ath10k_hif_cb htc_callbacks;
51946+ static struct ath10k_hif_cb htc_callbacks = {
51947+ .rx_completion = ath10k_htc_rx_completion_handler,
51948+ .tx_completion = ath10k_htc_tx_completion_handler,
51949+ };
51950 struct ath10k_htc_ep *ep = NULL;
51951 struct ath10k_htc *htc = &ar->htc;
51952
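Review bot: `htc_callbacks` becomes a function-local `static` that is fully initialised at compile time and, in the lines shown, never written afterwards, yet it is left mutable. If the HIF call that receives it accepts a pointer to const (that call is outside the hunk), declare it `static const struct ath10k_hif_cb htc_callbacks = {` so the two handlers are placed in read-only data explicitly. Making the object static also changes it from per-call to shared storage, which is safe only while the initialiser carries no per-device state, as is the case here.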
51953@@ -848,8 +851,6 @@ int ath10k_htc_init(struct ath10k *ar)
51954 ath10k_htc_reset_endpoint_states(htc);
51955
51956 /* setup HIF layer callbacks */
51957- htc_callbacks.rx_completion = ath10k_htc_rx_completion_handler;
51958- htc_callbacks.tx_completion = ath10k_htc_tx_completion_handler;
51959 htc->ar = ar;
51960
51961 /* Get HIF default pipe for HTC message exchange */
51962diff --git a/drivers/net/wireless/ath/ath10k/htc.h b/drivers/net/wireless/ath/ath10k/htc.h
51963index 527179c..a890150 100644
51964--- a/drivers/net/wireless/ath/ath10k/htc.h
51965+++ b/drivers/net/wireless/ath/ath10k/htc.h
51966@@ -270,13 +270,13 @@ enum ath10k_htc_ep_id {
51967
51968 struct ath10k_htc_ops {
51969 void (*target_send_suspend_complete)(struct ath10k *ar);
51970-};
51971+} __no_const;
51972
51973 struct ath10k_htc_ep_ops {
51974 void (*ep_tx_complete)(struct ath10k *, struct sk_buff *);
51975 void (*ep_rx_complete)(struct ath10k *, struct sk_buff *);
51976 void (*ep_tx_credits)(struct ath10k *);
51977-};
51978+} __no_const;
51979
51980 /* service connection information */
51981 struct ath10k_htc_svc_conn_req {
51982diff --git a/drivers/net/wireless/ath/ath9k/Kconfig b/drivers/net/wireless/ath/ath9k/Kconfig
51983index fee0cad..a7a3b63 100644
51984--- a/drivers/net/wireless/ath/ath9k/Kconfig
51985+++ b/drivers/net/wireless/ath/ath9k/Kconfig
51986@@ -3,7 +3,6 @@ config ATH9K_HW
51987 config ATH9K_COMMON
51988 tristate
51989 select ATH_COMMON
51990- select DEBUG_FS
51991 select RELAY
51992 config ATH9K_DFS_DEBUGFS
51993 def_bool y
51994diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51995index f816909..e56cd8b 100644
51996--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51997+++ b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51998@@ -220,8 +220,8 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51999 ads->ds_txstatus6 = ads->ds_txstatus7 = 0;
52000 ads->ds_txstatus8 = ads->ds_txstatus9 = 0;
52001
52002- ACCESS_ONCE(ads->ds_link) = i->link;
52003- ACCESS_ONCE(ads->ds_data) = i->buf_addr[0];
52004+ ACCESS_ONCE_RW(ads->ds_link) = i->link;
52005+ ACCESS_ONCE_RW(ads->ds_data) = i->buf_addr[0];
52006
52007 ctl1 = i->buf_len[0] | (i->is_last ? 0 : AR_TxMore);
52008 ctl6 = SM(i->keytype, AR_EncrType);
52009@@ -235,26 +235,26 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52010
52011 if ((i->is_first || i->is_last) &&
52012 i->aggr != AGGR_BUF_MIDDLE && i->aggr != AGGR_BUF_LAST) {
52013- ACCESS_ONCE(ads->ds_ctl2) = set11nTries(i->rates, 0)
52014+ ACCESS_ONCE_RW(ads->ds_ctl2) = set11nTries(i->rates, 0)
52015 | set11nTries(i->rates, 1)
52016 | set11nTries(i->rates, 2)
52017 | set11nTries(i->rates, 3)
52018 | (i->dur_update ? AR_DurUpdateEna : 0)
52019 | SM(0, AR_BurstDur);
52020
52021- ACCESS_ONCE(ads->ds_ctl3) = set11nRate(i->rates, 0)
52022+ ACCESS_ONCE_RW(ads->ds_ctl3) = set11nRate(i->rates, 0)
52023 | set11nRate(i->rates, 1)
52024 | set11nRate(i->rates, 2)
52025 | set11nRate(i->rates, 3);
52026 } else {
52027- ACCESS_ONCE(ads->ds_ctl2) = 0;
52028- ACCESS_ONCE(ads->ds_ctl3) = 0;
52029+ ACCESS_ONCE_RW(ads->ds_ctl2) = 0;
52030+ ACCESS_ONCE_RW(ads->ds_ctl3) = 0;
52031 }
52032
52033 if (!i->is_first) {
52034- ACCESS_ONCE(ads->ds_ctl0) = 0;
52035- ACCESS_ONCE(ads->ds_ctl1) = ctl1;
52036- ACCESS_ONCE(ads->ds_ctl6) = ctl6;
52037+ ACCESS_ONCE_RW(ads->ds_ctl0) = 0;
52038+ ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1;
52039+ ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6;
52040 return;
52041 }
52042
52043@@ -279,7 +279,7 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52044 break;
52045 }
52046
52047- ACCESS_ONCE(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
52048+ ACCESS_ONCE_RW(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
52049 | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
52050 | SM(i->txpower[0], AR_XmitPower0)
52051 | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
52052@@ -289,27 +289,27 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52053 | (i->flags & ATH9K_TXDESC_RTSENA ? AR_RTSEnable :
52054 (i->flags & ATH9K_TXDESC_CTSENA ? AR_CTSEnable : 0));
52055
52056- ACCESS_ONCE(ads->ds_ctl1) = ctl1;
52057- ACCESS_ONCE(ads->ds_ctl6) = ctl6;
52058+ ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1;
52059+ ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6;
52060
52061 if (i->aggr == AGGR_BUF_MIDDLE || i->aggr == AGGR_BUF_LAST)
52062 return;
52063
52064- ACCESS_ONCE(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0)
52065+ ACCESS_ONCE_RW(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0)
52066 | set11nPktDurRTSCTS(i->rates, 1);
52067
52068- ACCESS_ONCE(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2)
52069+ ACCESS_ONCE_RW(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2)
52070 | set11nPktDurRTSCTS(i->rates, 3);
52071
52072- ACCESS_ONCE(ads->ds_ctl7) = set11nRateFlags(i->rates, 0)
52073+ ACCESS_ONCE_RW(ads->ds_ctl7) = set11nRateFlags(i->rates, 0)
52074 | set11nRateFlags(i->rates, 1)
52075 | set11nRateFlags(i->rates, 2)
52076 | set11nRateFlags(i->rates, 3)
52077 | SM(i->rtscts_rate, AR_RTSCTSRate);
52078
52079- ACCESS_ONCE(ads->ds_ctl9) = SM(i->txpower[1], AR_XmitPower1);
52080- ACCESS_ONCE(ads->ds_ctl10) = SM(i->txpower[2], AR_XmitPower2);
52081- ACCESS_ONCE(ads->ds_ctl11) = SM(i->txpower[3], AR_XmitPower3);
52082+ ACCESS_ONCE_RW(ads->ds_ctl9) = SM(i->txpower[1], AR_XmitPower1);
52083+ ACCESS_ONCE_RW(ads->ds_ctl10) = SM(i->txpower[2], AR_XmitPower2);
52084+ ACCESS_ONCE_RW(ads->ds_ctl11) = SM(i->txpower[3], AR_XmitPower3);
52085 }
52086
52087 static int ar9002_hw_proc_txdesc(struct ath_hw *ah, void *ds,
52088diff --git a/drivers/net/wireless/ath/ath9k/ar9003_mac.c b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
52089index da84b70..83e4978 100644
52090--- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c
52091+++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
52092@@ -39,47 +39,47 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52093 (i->qcu << AR_TxQcuNum_S) | desc_len;
52094
52095 checksum += val;
52096- ACCESS_ONCE(ads->info) = val;
52097+ ACCESS_ONCE_RW(ads->info) = val;
52098
52099 checksum += i->link;
52100- ACCESS_ONCE(ads->link) = i->link;
52101+ ACCESS_ONCE_RW(ads->link) = i->link;
52102
52103 checksum += i->buf_addr[0];
52104- ACCESS_ONCE(ads->data0) = i->buf_addr[0];
52105+ ACCESS_ONCE_RW(ads->data0) = i->buf_addr[0];
52106 checksum += i->buf_addr[1];
52107- ACCESS_ONCE(ads->data1) = i->buf_addr[1];
52108+ ACCESS_ONCE_RW(ads->data1) = i->buf_addr[1];
52109 checksum += i->buf_addr[2];
52110- ACCESS_ONCE(ads->data2) = i->buf_addr[2];
52111+ ACCESS_ONCE_RW(ads->data2) = i->buf_addr[2];
52112 checksum += i->buf_addr[3];
52113- ACCESS_ONCE(ads->data3) = i->buf_addr[3];
52114+ ACCESS_ONCE_RW(ads->data3) = i->buf_addr[3];
52115
52116 checksum += (val = (i->buf_len[0] << AR_BufLen_S) & AR_BufLen);
52117- ACCESS_ONCE(ads->ctl3) = val;
52118+ ACCESS_ONCE_RW(ads->ctl3) = val;
52119 checksum += (val = (i->buf_len[1] << AR_BufLen_S) & AR_BufLen);
52120- ACCESS_ONCE(ads->ctl5) = val;
52121+ ACCESS_ONCE_RW(ads->ctl5) = val;
52122 checksum += (val = (i->buf_len[2] << AR_BufLen_S) & AR_BufLen);
52123- ACCESS_ONCE(ads->ctl7) = val;
52124+ ACCESS_ONCE_RW(ads->ctl7) = val;
52125 checksum += (val = (i->buf_len[3] << AR_BufLen_S) & AR_BufLen);
52126- ACCESS_ONCE(ads->ctl9) = val;
52127+ ACCESS_ONCE_RW(ads->ctl9) = val;
52128
52129 checksum = (u16) (((checksum & 0xffff) + (checksum >> 16)) & 0xffff);
52130- ACCESS_ONCE(ads->ctl10) = checksum;
52131+ ACCESS_ONCE_RW(ads->ctl10) = checksum;
52132
52133 if (i->is_first || i->is_last) {
52134- ACCESS_ONCE(ads->ctl13) = set11nTries(i->rates, 0)
52135+ ACCESS_ONCE_RW(ads->ctl13) = set11nTries(i->rates, 0)
52136 | set11nTries(i->rates, 1)
52137 | set11nTries(i->rates, 2)
52138 | set11nTries(i->rates, 3)
52139 | (i->dur_update ? AR_DurUpdateEna : 0)
52140 | SM(0, AR_BurstDur);
52141
52142- ACCESS_ONCE(ads->ctl14) = set11nRate(i->rates, 0)
52143+ ACCESS_ONCE_RW(ads->ctl14) = set11nRate(i->rates, 0)
52144 | set11nRate(i->rates, 1)
52145 | set11nRate(i->rates, 2)
52146 | set11nRate(i->rates, 3);
52147 } else {
52148- ACCESS_ONCE(ads->ctl13) = 0;
52149- ACCESS_ONCE(ads->ctl14) = 0;
52150+ ACCESS_ONCE_RW(ads->ctl13) = 0;
52151+ ACCESS_ONCE_RW(ads->ctl14) = 0;
52152 }
52153
52154 ads->ctl20 = 0;
52155@@ -89,17 +89,17 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52156
52157 ctl17 = SM(i->keytype, AR_EncrType);
52158 if (!i->is_first) {
52159- ACCESS_ONCE(ads->ctl11) = 0;
52160- ACCESS_ONCE(ads->ctl12) = i->is_last ? 0 : AR_TxMore;
52161- ACCESS_ONCE(ads->ctl15) = 0;
52162- ACCESS_ONCE(ads->ctl16) = 0;
52163- ACCESS_ONCE(ads->ctl17) = ctl17;
52164- ACCESS_ONCE(ads->ctl18) = 0;
52165- ACCESS_ONCE(ads->ctl19) = 0;
52166+ ACCESS_ONCE_RW(ads->ctl11) = 0;
52167+ ACCESS_ONCE_RW(ads->ctl12) = i->is_last ? 0 : AR_TxMore;
52168+ ACCESS_ONCE_RW(ads->ctl15) = 0;
52169+ ACCESS_ONCE_RW(ads->ctl16) = 0;
52170+ ACCESS_ONCE_RW(ads->ctl17) = ctl17;
52171+ ACCESS_ONCE_RW(ads->ctl18) = 0;
52172+ ACCESS_ONCE_RW(ads->ctl19) = 0;
52173 return;
52174 }
52175
52176- ACCESS_ONCE(ads->ctl11) = (i->pkt_len & AR_FrameLen)
52177+ ACCESS_ONCE_RW(ads->ctl11) = (i->pkt_len & AR_FrameLen)
52178 | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
52179 | SM(i->txpower[0], AR_XmitPower0)
52180 | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
52181@@ -135,26 +135,26 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52182 val = (i->flags & ATH9K_TXDESC_PAPRD) >> ATH9K_TXDESC_PAPRD_S;
52183 ctl12 |= SM(val, AR_PAPRDChainMask);
52184
52185- ACCESS_ONCE(ads->ctl12) = ctl12;
52186- ACCESS_ONCE(ads->ctl17) = ctl17;
52187+ ACCESS_ONCE_RW(ads->ctl12) = ctl12;
52188+ ACCESS_ONCE_RW(ads->ctl17) = ctl17;
52189
52190- ACCESS_ONCE(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0)
52191+ ACCESS_ONCE_RW(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0)
52192 | set11nPktDurRTSCTS(i->rates, 1);
52193
52194- ACCESS_ONCE(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2)
52195+ ACCESS_ONCE_RW(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2)
52196 | set11nPktDurRTSCTS(i->rates, 3);
52197
52198- ACCESS_ONCE(ads->ctl18) = set11nRateFlags(i->rates, 0)
52199+ ACCESS_ONCE_RW(ads->ctl18) = set11nRateFlags(i->rates, 0)
52200 | set11nRateFlags(i->rates, 1)
52201 | set11nRateFlags(i->rates, 2)
52202 | set11nRateFlags(i->rates, 3)
52203 | SM(i->rtscts_rate, AR_RTSCTSRate);
52204
52205- ACCESS_ONCE(ads->ctl19) = AR_Not_Sounding;
52206+ ACCESS_ONCE_RW(ads->ctl19) = AR_Not_Sounding;
52207
52208- ACCESS_ONCE(ads->ctl20) = SM(i->txpower[1], AR_XmitPower1);
52209- ACCESS_ONCE(ads->ctl21) = SM(i->txpower[2], AR_XmitPower2);
52210- ACCESS_ONCE(ads->ctl22) = SM(i->txpower[3], AR_XmitPower3);
52211+ ACCESS_ONCE_RW(ads->ctl20) = SM(i->txpower[1], AR_XmitPower1);
52212+ ACCESS_ONCE_RW(ads->ctl21) = SM(i->txpower[2], AR_XmitPower2);
52213+ ACCESS_ONCE_RW(ads->ctl22) = SM(i->txpower[3], AR_XmitPower3);
52214 }
52215
52216 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
52217diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
52218index e8454db..c7b26fe 100644
52219--- a/drivers/net/wireless/ath/ath9k/hw.h
52220+++ b/drivers/net/wireless/ath/ath9k/hw.h
52221@@ -671,7 +671,7 @@ struct ath_hw_private_ops {
52222 #ifdef CONFIG_ATH9K_BTCOEX_SUPPORT
52223 bool (*is_aic_enabled)(struct ath_hw *ah);
52224 #endif /* CONFIG_ATH9K_BTCOEX_SUPPORT */
52225-};
52226+} __no_const;
52227
52228 /**
52229 * struct ath_spec_scan - parameters for Atheros spectral scan
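Review bot: The `__no_const` added to `struct ath_hw_private_ops` (and to `struct ath_hw_ops` in the next hunk) comes with no explanation of why these function-pointer tables have to stay writable. As I read the annotation, it opts the type out of automatic constification, so a later reader needs to know which code fills the tables at runtime in order to audit the exemption. I would add a comment above each closing brace, for example `/* members are assigned at runtime, so this table cannot be constified */`, naming the actual writers once they are confirmed. Both struct definitions start outside their hunks.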
52230@@ -747,7 +747,7 @@ struct ath_hw_ops {
52231 #ifdef CONFIG_ATH9K_BTCOEX_SUPPORT
52232 void (*set_bt_ant_diversity)(struct ath_hw *hw, bool enable);
52233 #endif
52234-};
52235+} __no_const;
52236
52237 struct ath_nf_limits {
52238 s16 max;
52239diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
52240index cfd45cb..6de2be6 100644
52241--- a/drivers/net/wireless/ath/ath9k/main.c
52242+++ b/drivers/net/wireless/ath/ath9k/main.c
52243@@ -2574,16 +2574,18 @@ void ath9k_fill_chanctx_ops(void)
52244 if (!ath9k_is_chanctx_enabled())
52245 return;
52246
52247- ath9k_ops.hw_scan = ath9k_hw_scan;
52248- ath9k_ops.cancel_hw_scan = ath9k_cancel_hw_scan;
52249- ath9k_ops.remain_on_channel = ath9k_remain_on_channel;
52250- ath9k_ops.cancel_remain_on_channel = ath9k_cancel_remain_on_channel;
52251- ath9k_ops.add_chanctx = ath9k_add_chanctx;
52252- ath9k_ops.remove_chanctx = ath9k_remove_chanctx;
52253- ath9k_ops.change_chanctx = ath9k_change_chanctx;
52254- ath9k_ops.assign_vif_chanctx = ath9k_assign_vif_chanctx;
52255- ath9k_ops.unassign_vif_chanctx = ath9k_unassign_vif_chanctx;
52256- ath9k_ops.mgd_prepare_tx = ath9k_mgd_prepare_tx;
52257+ pax_open_kernel();
52258+ *(void **)&ath9k_ops.hw_scan = ath9k_hw_scan;
52259+ *(void **)&ath9k_ops.cancel_hw_scan = ath9k_cancel_hw_scan;
52260+ *(void **)&ath9k_ops.remain_on_channel = ath9k_remain_on_channel;
52261+ *(void **)&ath9k_ops.cancel_remain_on_channel = ath9k_cancel_remain_on_channel;
52262+ *(void **)&ath9k_ops.add_chanctx = ath9k_add_chanctx;
52263+ *(void **)&ath9k_ops.remove_chanctx = ath9k_remove_chanctx;
52264+ *(void **)&ath9k_ops.change_chanctx = ath9k_change_chanctx;
52265+ *(void **)&ath9k_ops.assign_vif_chanctx = ath9k_assign_vif_chanctx;
52266+ *(void **)&ath9k_ops.unassign_vif_chanctx = ath9k_unassign_vif_chanctx;
52267+ *(void **)&ath9k_ops.mgd_prepare_tx = ath9k_mgd_prepare_tx;
52268+ pax_close_kernel();
52269 }
52270
52271 #endif
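Review bot: The `*(void **)&ath9k_ops.hw_scan = ath9k_hw_scan;` form used for all ten stores removes the compiler's check that each handler matches the prototype of the member it is stored in, a check the replaced plain assignments still had. A handler whose signature drifts from the ops member would now build cleanly and fail only when called. A compile-time guard next to each store, such as `BUILD_BUG_ON(!__same_type(ath9k_ops.hw_scan, &ath9k_hw_scan));`, would restore that check without touching the write path. The same cast pattern appears in the hunks for iwlegacy/3945-mac.c, mac80211_hwsim.c, ti/wl1251/sdio.c, ti/wl12xx/main.c and ti/wl18xx/main.c.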
52272diff --git a/drivers/net/wireless/b43/phy_lp.c b/drivers/net/wireless/b43/phy_lp.c
52273index 058a9f2..d5cb1ba 100644
52274--- a/drivers/net/wireless/b43/phy_lp.c
52275+++ b/drivers/net/wireless/b43/phy_lp.c
52276@@ -2502,7 +2502,7 @@ static int lpphy_b2063_tune(struct b43_wldev *dev,
52277 {
52278 struct ssb_bus *bus = dev->dev->sdev->bus;
52279
52280- static const struct b206x_channel *chandata = NULL;
52281+ const struct b206x_channel *chandata = NULL;
52282 u32 crystal_freq = bus->chipco.pmu.crystalfreq * 1000;
52283 u32 freqref, vco_freq, val1, val2, val3, timeout, timeoutref, count;
52284 u16 old_comm15, scale;
52285diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
52286index 7f4cb69..16c0825 100644
52287--- a/drivers/net/wireless/iwlegacy/3945-mac.c
52288+++ b/drivers/net/wireless/iwlegacy/3945-mac.c
52289@@ -3633,7 +3633,9 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
52290 */
52291 if (il3945_mod_params.disable_hw_scan) {
52292 D_INFO("Disabling hw_scan\n");
52293- il3945_mac_ops.hw_scan = NULL;
52294+ pax_open_kernel();
52295+ *(void **)&il3945_mac_ops.hw_scan = NULL;
52296+ pax_close_kernel();
52297 }
52298
52299 D_INFO("*** LOAD DRIVER ***\n");
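Review bot: The store to `il3945_mac_ops.hw_scan` sits in `il3945_pci_probe()`, so the kernel write window is opened on every device probe although the condition shown depends only on the module parameter `il3945_mod_params.disable_hw_scan`. Doing the update once at module init would leave the probe path with no write to the protected table. If it stays here, a comment such as `/* ops table is shared; cleared per probe from a module parameter */` above `pax_open_kernel()` would make the scope of the write explicit. The hunks for ti/wl1251/sdio.c, ti/wl12xx/main.c and ti/wl18xx/main.c appear to write ops tables from per-device paths in the same way. The probe function starts and ends outside the hunk.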
52300diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
52301index 0ffb6ff..c0b7f0e 100644
52302--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c
52303+++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
52304@@ -188,7 +188,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
52305 {
52306 struct iwl_priv *priv = file->private_data;
52307 char buf[64];
52308- int buf_size;
52309+ size_t buf_size;
52310 u32 offset, len;
52311
52312 memset(buf, 0, sizeof(buf));
52313@@ -458,7 +458,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file,
52314 struct iwl_priv *priv = file->private_data;
52315
52316 char buf[8];
52317- int buf_size;
52318+ size_t buf_size;
52319 u32 reset_flag;
52320
52321 memset(buf, 0, sizeof(buf));
52322@@ -539,7 +539,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file,
52323 {
52324 struct iwl_priv *priv = file->private_data;
52325 char buf[8];
52326- int buf_size;
52327+ size_t buf_size;
52328 int ht40;
52329
52330 memset(buf, 0, sizeof(buf));
52331@@ -591,7 +591,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file,
52332 {
52333 struct iwl_priv *priv = file->private_data;
52334 char buf[8];
52335- int buf_size;
52336+ size_t buf_size;
52337 int value;
52338
52339 memset(buf, 0, sizeof(buf));
52340@@ -683,10 +683,10 @@ DEBUGFS_READ_FILE_OPS(temperature);
52341 DEBUGFS_READ_WRITE_FILE_OPS(sleep_level_override);
52342 DEBUGFS_READ_FILE_OPS(current_sleep_command);
52343
52344-static const char *fmt_value = " %-30s %10u\n";
52345-static const char *fmt_hex = " %-30s 0x%02X\n";
52346-static const char *fmt_table = " %-30s %10u %10u %10u %10u\n";
52347-static const char *fmt_header =
52348+static const char fmt_value[] = " %-30s %10u\n";
52349+static const char fmt_hex[] = " %-30s 0x%02X\n";
52350+static const char fmt_table[] = " %-30s %10u %10u %10u %10u\n";
52351+static const char fmt_header[] =
52352 "%-32s current cumulative delta max\n";
52353
52354 static int iwl_statistics_flag(struct iwl_priv *priv, char *buf, int bufsz)
52355@@ -1856,7 +1856,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file,
52356 {
52357 struct iwl_priv *priv = file->private_data;
52358 char buf[8];
52359- int buf_size;
52360+ size_t buf_size;
52361 int clear;
52362
52363 memset(buf, 0, sizeof(buf));
52364@@ -1901,7 +1901,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file,
52365 {
52366 struct iwl_priv *priv = file->private_data;
52367 char buf[8];
52368- int buf_size;
52369+ size_t buf_size;
52370 int trace;
52371
52372 memset(buf, 0, sizeof(buf));
52373@@ -1972,7 +1972,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file,
52374 {
52375 struct iwl_priv *priv = file->private_data;
52376 char buf[8];
52377- int buf_size;
52378+ size_t buf_size;
52379 int missed;
52380
52381 memset(buf, 0, sizeof(buf));
52382@@ -2013,7 +2013,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file,
52383
52384 struct iwl_priv *priv = file->private_data;
52385 char buf[8];
52386- int buf_size;
52387+ size_t buf_size;
52388 int plcp;
52389
52390 memset(buf, 0, sizeof(buf));
52391@@ -2073,7 +2073,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file,
52392
52393 struct iwl_priv *priv = file->private_data;
52394 char buf[8];
52395- int buf_size;
52396+ size_t buf_size;
52397 int flush;
52398
52399 memset(buf, 0, sizeof(buf));
52400@@ -2163,7 +2163,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file,
52401
52402 struct iwl_priv *priv = file->private_data;
52403 char buf[8];
52404- int buf_size;
52405+ size_t buf_size;
52406 int rts;
52407
52408 if (!priv->cfg->ht_params)
52409@@ -2204,7 +2204,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file,
52410 {
52411 struct iwl_priv *priv = file->private_data;
52412 char buf[8];
52413- int buf_size;
52414+ size_t buf_size;
52415
52416 memset(buf, 0, sizeof(buf));
52417 buf_size = min(count, sizeof(buf) - 1);
52418@@ -2238,7 +2238,7 @@ static ssize_t iwl_dbgfs_log_event_write(struct file *file,
52419 struct iwl_priv *priv = file->private_data;
52420 u32 event_log_flag;
52421 char buf[8];
52422- int buf_size;
52423+ size_t buf_size;
52424
52425 /* check that the interface is up */
52426 if (!iwl_is_ready(priv))
52427@@ -2292,7 +2292,7 @@ static ssize_t iwl_dbgfs_calib_disabled_write(struct file *file,
52428 struct iwl_priv *priv = file->private_data;
52429 char buf[8];
52430 u32 calib_disabled;
52431- int buf_size;
52432+ size_t buf_size;
52433
52434 memset(buf, 0, sizeof(buf));
52435 buf_size = min(count, sizeof(buf) - 1);
52436diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
52437index 9e144e7..2f5511a 100644
52438--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
52439+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
52440@@ -1950,7 +1950,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
52441 struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
52442
52443 char buf[8];
52444- int buf_size;
52445+ size_t buf_size;
52446 u32 reset_flag;
52447
52448 memset(buf, 0, sizeof(buf));
52449@@ -1971,7 +1971,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
52450 {
52451 struct iwl_trans *trans = file->private_data;
52452 char buf[8];
52453- int buf_size;
52454+ size_t buf_size;
52455 int csr;
52456
52457 memset(buf, 0, sizeof(buf));
52458diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
52459index 99e873d..0d9aab2 100644
52460--- a/drivers/net/wireless/mac80211_hwsim.c
52461+++ b/drivers/net/wireless/mac80211_hwsim.c
52462@@ -3148,20 +3148,20 @@ static int __init init_mac80211_hwsim(void)
52463 if (channels < 1)
52464 return -EINVAL;
52465
52466- mac80211_hwsim_mchan_ops = mac80211_hwsim_ops;
52467- mac80211_hwsim_mchan_ops.hw_scan = mac80211_hwsim_hw_scan;
52468- mac80211_hwsim_mchan_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan;
52469- mac80211_hwsim_mchan_ops.sw_scan_start = NULL;
52470- mac80211_hwsim_mchan_ops.sw_scan_complete = NULL;
52471- mac80211_hwsim_mchan_ops.remain_on_channel = mac80211_hwsim_roc;
52472- mac80211_hwsim_mchan_ops.cancel_remain_on_channel = mac80211_hwsim_croc;
52473- mac80211_hwsim_mchan_ops.add_chanctx = mac80211_hwsim_add_chanctx;
52474- mac80211_hwsim_mchan_ops.remove_chanctx = mac80211_hwsim_remove_chanctx;
52475- mac80211_hwsim_mchan_ops.change_chanctx = mac80211_hwsim_change_chanctx;
52476- mac80211_hwsim_mchan_ops.assign_vif_chanctx =
52477- mac80211_hwsim_assign_vif_chanctx;
52478- mac80211_hwsim_mchan_ops.unassign_vif_chanctx =
52479- mac80211_hwsim_unassign_vif_chanctx;
52480+ pax_open_kernel();
52481+ memcpy((void *)&mac80211_hwsim_mchan_ops, &mac80211_hwsim_ops, sizeof mac80211_hwsim_mchan_ops);
52482+ *(void **)&mac80211_hwsim_mchan_ops.hw_scan = mac80211_hwsim_hw_scan;
52483+ *(void **)&mac80211_hwsim_mchan_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan;
52484+ *(void **)&mac80211_hwsim_mchan_ops.sw_scan_start = NULL;
52485+ *(void **)&mac80211_hwsim_mchan_ops.sw_scan_complete = NULL;
52486+ *(void **)&mac80211_hwsim_mchan_ops.remain_on_channel = mac80211_hwsim_roc;
52487+ *(void **)&mac80211_hwsim_mchan_ops.cancel_remain_on_channel = mac80211_hwsim_croc;
52488+ *(void **)&mac80211_hwsim_mchan_ops.add_chanctx = mac80211_hwsim_add_chanctx;
52489+ *(void **)&mac80211_hwsim_mchan_ops.remove_chanctx = mac80211_hwsim_remove_chanctx;
52490+ *(void **)&mac80211_hwsim_mchan_ops.change_chanctx = mac80211_hwsim_change_chanctx;
52491+ *(void **)&mac80211_hwsim_mchan_ops.assign_vif_chanctx = mac80211_hwsim_assign_vif_chanctx;
52492+ *(void **)&mac80211_hwsim_mchan_ops.unassign_vif_chanctx = mac80211_hwsim_unassign_vif_chanctx;
52493+ pax_close_kernel();
52494
52495 spin_lock_init(&hwsim_radio_lock);
52496 INIT_LIST_HEAD(&hwsim_radios);
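Review bot: The `memcpy((void *)&mac80211_hwsim_mchan_ops, &mac80211_hwsim_ops, sizeof mac80211_hwsim_mchan_ops);` line replaces a struct assignment that the compiler type-checked with a copy sized by the destination alone. If the two objects ever stop being the same type, the copy would read past the source without any diagnostic. A `BUILD_BUG_ON(sizeof(mac80211_hwsim_mchan_ops) != sizeof(mac80211_hwsim_ops));` just before the `pax_open_kernel()` call would pin the assumption. `init_mac80211_hwsim()` continues outside the hunk.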
52497diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
52498index 71a825c..ce7d6c3 100644
52499--- a/drivers/net/wireless/rndis_wlan.c
52500+++ b/drivers/net/wireless/rndis_wlan.c
52501@@ -1236,7 +1236,7 @@ static int set_rts_threshold(struct usbnet *usbdev, u32 rts_threshold)
52502
52503 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
52504
52505- if (rts_threshold < 0 || rts_threshold > 2347)
52506+ if (rts_threshold > 2347)
52507 rts_threshold = 2347;
52508
52509 tmp = cpu_to_le32(rts_threshold);
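Review bot: The `netdev_dbg()` call in the context just above the changed line still prints `rts_threshold` with `%i` although the parameter is `u32`. With the always-false `< 0` test removed, the format should be made unsigned too: `netdev_dbg(usbdev->net, "%s(): %u\n", __func__, rts_threshold);`. The rest of `set_rts_threshold()` is outside the hunk.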
52510diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
52511index 9bb398b..b0cc047 100644
52512--- a/drivers/net/wireless/rt2x00/rt2x00.h
52513+++ b/drivers/net/wireless/rt2x00/rt2x00.h
52514@@ -375,7 +375,7 @@ struct rt2x00_intf {
52515 * for hardware which doesn't support hardware
52516 * sequence counting.
52517 */
52518- atomic_t seqno;
52519+ atomic_unchecked_t seqno;
52520 };
52521
52522 static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif)
52523diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
52524index 68b620b..92ecd9e 100644
52525--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
52526+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
52527@@ -224,9 +224,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
52528 * sequence counter given by mac80211.
52529 */
52530 if (test_bit(ENTRY_TXD_FIRST_FRAGMENT, &txdesc->flags))
52531- seqno = atomic_add_return(0x10, &intf->seqno);
52532+ seqno = atomic_add_return_unchecked(0x10, &intf->seqno);
52533 else
52534- seqno = atomic_read(&intf->seqno);
52535+ seqno = atomic_read_unchecked(&intf->seqno);
52536
52537 hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG);
52538 hdr->seq_ctrl |= cpu_to_le16(seqno);
52539diff --git a/drivers/net/wireless/ti/wl1251/sdio.c b/drivers/net/wireless/ti/wl1251/sdio.c
52540index b661f896..ddf7d2b 100644
52541--- a/drivers/net/wireless/ti/wl1251/sdio.c
52542+++ b/drivers/net/wireless/ti/wl1251/sdio.c
52543@@ -282,13 +282,17 @@ static int wl1251_sdio_probe(struct sdio_func *func,
52544
52545 irq_set_irq_type(wl->irq, IRQ_TYPE_EDGE_RISING);
52546
52547- wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq;
52548- wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq;
52549+ pax_open_kernel();
52550+ *(void **)&wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq;
52551+ *(void **)&wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq;
52552+ pax_close_kernel();
52553
52554 wl1251_info("using dedicated interrupt line");
52555 } else {
52556- wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq;
52557- wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq;
52558+ pax_open_kernel();
52559+ *(void **)&wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq;
52560+ *(void **)&wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq;
52561+ pax_close_kernel();
52562
52563 wl1251_info("using SDIO interrupt");
52564 }
52565diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
52566index af0fe2e..d04986b 100644
52567--- a/drivers/net/wireless/ti/wl12xx/main.c
52568+++ b/drivers/net/wireless/ti/wl12xx/main.c
52569@@ -655,7 +655,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
52570 sizeof(wl->conf.mem));
52571
52572 /* read data preparation is only needed by wl127x */
52573- wl->ops->prepare_read = wl127x_prepare_read;
52574+ pax_open_kernel();
52575+ *(void **)&wl->ops->prepare_read = wl127x_prepare_read;
52576+ pax_close_kernel();
52577
52578 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER,
52579 WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER,
52580@@ -680,7 +682,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
52581 sizeof(wl->conf.mem));
52582
52583 /* read data preparation is only needed by wl127x */
52584- wl->ops->prepare_read = wl127x_prepare_read;
52585+ pax_open_kernel();
52586+ *(void **)&wl->ops->prepare_read = wl127x_prepare_read;
52587+ pax_close_kernel();
52588
52589 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER,
52590 WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER,
52591diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c
52592index 49aca2c..3b9c10c 100644
52593--- a/drivers/net/wireless/ti/wl18xx/main.c
52594+++ b/drivers/net/wireless/ti/wl18xx/main.c
52595@@ -1952,8 +1952,10 @@ static int wl18xx_setup(struct wl1271 *wl)
52596 }
52597
52598 if (!checksum_param) {
52599- wl18xx_ops.set_rx_csum = NULL;
52600- wl18xx_ops.init_vif = NULL;
52601+ pax_open_kernel();
52602+ *(void **)&wl18xx_ops.set_rx_csum = NULL;
52603+ *(void **)&wl18xx_ops.init_vif = NULL;
52604+ pax_close_kernel();
52605 }
52606
52607 /* Enable 11a Band only if we have 5G antennas */
52608diff --git a/drivers/net/wireless/zd1211rw/zd_usb.c b/drivers/net/wireless/zd1211rw/zd_usb.c
52609index a912dc0..a8225ba 100644
52610--- a/drivers/net/wireless/zd1211rw/zd_usb.c
52611+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
52612@@ -385,7 +385,7 @@ static inline void handle_regs_int(struct urb *urb)
52613 {
52614 struct zd_usb *usb = urb->context;
52615 struct zd_usb_interrupt *intr = &usb->intr;
52616- int len;
52617+ unsigned int len;
52618 u16 int_num;
52619
52620 ZD_ASSERT(in_interrupt());
52621diff --git a/drivers/nfc/nfcwilink.c b/drivers/nfc/nfcwilink.c
52622index ce2e2cf..f81e500 100644
52623--- a/drivers/nfc/nfcwilink.c
52624+++ b/drivers/nfc/nfcwilink.c
52625@@ -497,7 +497,7 @@ static struct nci_ops nfcwilink_ops = {
52626
52627 static int nfcwilink_probe(struct platform_device *pdev)
52628 {
52629- static struct nfcwilink *drv;
52630+ struct nfcwilink *drv;
52631 int rc;
52632 __u32 protocols;
52633
52634diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
52635index 6e82bc42..ab4145c 100644
52636--- a/drivers/of/fdt.c
52637+++ b/drivers/of/fdt.c
52638@@ -1161,7 +1161,9 @@ static int __init of_fdt_raw_init(void)
52639 pr_warn("fdt: not creating '/sys/firmware/fdt': CRC check failed\n");
52640 return 0;
52641 }
52642- of_fdt_raw_attr.size = fdt_totalsize(initial_boot_params);
52643+ pax_open_kernel();
52644+ *(size_t *)&of_fdt_raw_attr.size = fdt_totalsize(initial_boot_params);
52645+ pax_close_kernel();
52646 return sysfs_create_bin_file(firmware_kobj, &of_fdt_raw_attr);
52647 }
52648 late_initcall(of_fdt_raw_init);
52649diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c
52650index 82f7000..d6d0447 100644
52651--- a/drivers/oprofile/buffer_sync.c
52652+++ b/drivers/oprofile/buffer_sync.c
52653@@ -345,7 +345,7 @@ static void add_data(struct op_entry *entry, struct mm_struct *mm)
52654 if (cookie == NO_COOKIE)
52655 offset = pc;
52656 if (cookie == INVALID_COOKIE) {
52657- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
52658+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
52659 offset = pc;
52660 }
52661 if (cookie != last_cookie) {
52662@@ -389,14 +389,14 @@ add_sample(struct mm_struct *mm, struct op_sample *s, int in_kernel)
52663 /* add userspace sample */
52664
52665 if (!mm) {
52666- atomic_inc(&oprofile_stats.sample_lost_no_mm);
52667+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
52668 return 0;
52669 }
52670
52671 cookie = lookup_dcookie(mm, s->eip, &offset);
52672
52673 if (cookie == INVALID_COOKIE) {
52674- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
52675+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
52676 return 0;
52677 }
52678
52679@@ -554,7 +554,7 @@ void sync_buffer(int cpu)
52680 /* ignore backtraces if failed to add a sample */
52681 if (state == sb_bt_start) {
52682 state = sb_bt_ignore;
52683- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
52684+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
52685 }
52686 }
52687 release_mm(mm);
52688diff --git a/drivers/oprofile/event_buffer.c b/drivers/oprofile/event_buffer.c
52689index c0cc4e7..44d4e54 100644
52690--- a/drivers/oprofile/event_buffer.c
52691+++ b/drivers/oprofile/event_buffer.c
52692@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value)
52693 }
52694
52695 if (buffer_pos == buffer_size) {
52696- atomic_inc(&oprofile_stats.event_lost_overflow);
52697+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
52698 return;
52699 }
52700
52701diff --git a/drivers/oprofile/oprof.c b/drivers/oprofile/oprof.c
52702index ed2c3ec..deda85a 100644
52703--- a/drivers/oprofile/oprof.c
52704+++ b/drivers/oprofile/oprof.c
52705@@ -110,7 +110,7 @@ static void switch_worker(struct work_struct *work)
52706 if (oprofile_ops.switch_events())
52707 return;
52708
52709- atomic_inc(&oprofile_stats.multiplex_counter);
52710+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
52711 start_switch_worker();
52712 }
52713
52714diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c
52715index 59659ce..6c860a0 100644
52716--- a/drivers/oprofile/oprofile_stats.c
52717+++ b/drivers/oprofile/oprofile_stats.c
52718@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
52719 cpu_buf->sample_invalid_eip = 0;
52720 }
52721
52722- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
52723- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
52724- atomic_set(&oprofile_stats.event_lost_overflow, 0);
52725- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
52726- atomic_set(&oprofile_stats.multiplex_counter, 0);
52727+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
52728+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
52729+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
52730+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
52731+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
52732 }
52733
52734
52735diff --git a/drivers/oprofile/oprofile_stats.h b/drivers/oprofile/oprofile_stats.h
52736index 1fc622b..8c48fc3 100644
52737--- a/drivers/oprofile/oprofile_stats.h
52738+++ b/drivers/oprofile/oprofile_stats.h
52739@@ -13,11 +13,11 @@
52740 #include <linux/atomic.h>
52741
52742 struct oprofile_stat_struct {
52743- atomic_t sample_lost_no_mm;
52744- atomic_t sample_lost_no_mapping;
52745- atomic_t bt_lost_no_mapping;
52746- atomic_t event_lost_overflow;
52747- atomic_t multiplex_counter;
52748+ atomic_unchecked_t sample_lost_no_mm;
52749+ atomic_unchecked_t sample_lost_no_mapping;
52750+ atomic_unchecked_t bt_lost_no_mapping;
52751+ atomic_unchecked_t event_lost_overflow;
52752+ atomic_unchecked_t multiplex_counter;
52753 };
52754
52755 extern struct oprofile_stat_struct oprofile_stats;
52756diff --git a/drivers/oprofile/oprofilefs.c b/drivers/oprofile/oprofilefs.c
52757index dd92c5e..dfc04b5 100644
52758--- a/drivers/oprofile/oprofilefs.c
52759+++ b/drivers/oprofile/oprofilefs.c
52760@@ -176,8 +176,8 @@ int oprofilefs_create_ro_ulong(struct dentry *root,
52761
52762 static ssize_t atomic_read_file(struct file *file, char __user *buf, size_t count, loff_t *offset)
52763 {
52764- atomic_t *val = file->private_data;
52765- return oprofilefs_ulong_to_user(atomic_read(val), buf, count, offset);
52766+ atomic_unchecked_t *val = file->private_data;
52767+ return oprofilefs_ulong_to_user(atomic_read_unchecked(val), buf, count, offset);
52768 }
52769
52770
52771@@ -189,7 +189,7 @@ static const struct file_operations atomic_ro_fops = {
52772
52773
52774 int oprofilefs_create_ro_atomic(struct dentry *root,
52775- char const *name, atomic_t *val)
52776+ char const *name, atomic_unchecked_t *val)
52777 {
52778 return __oprofilefs_create_file(root, name,
52779 &atomic_ro_fops, 0444, val);
52780diff --git a/drivers/oprofile/timer_int.c b/drivers/oprofile/timer_int.c
52781index bdef916..88c7dee 100644
52782--- a/drivers/oprofile/timer_int.c
52783+++ b/drivers/oprofile/timer_int.c
52784@@ -93,7 +93,7 @@ static int oprofile_cpu_notify(struct notifier_block *self,
52785 return NOTIFY_OK;
52786 }
52787
52788-static struct notifier_block __refdata oprofile_cpu_notifier = {
52789+static struct notifier_block oprofile_cpu_notifier = {
52790 .notifier_call = oprofile_cpu_notify,
52791 };
52792
52793diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
52794index c776333..aa6b325 100644
52795--- a/drivers/parport/procfs.c
52796+++ b/drivers/parport/procfs.c
52797@@ -65,7 +65,7 @@ static int do_active_device(struct ctl_table *table, int write,
52798
52799 *ppos += len;
52800
52801- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
52802+ return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
52803 }
52804
52805 #ifdef CONFIG_PARPORT_1284
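Review bot: The new `len > sizeof buffer` test is evaluated only in the return statement, after `*ppos += len;` has already run, so a rejected length still advances the file position. It also guards only the copy to user space; the code that fills `buffer` earlier in `do_active_device()` is outside the hunk, and if `len` can exceed the array the overrun would presumably already have happened there. I would move the check above the `*ppos` update as `if (len > sizeof buffer) return -EFAULT;`. The same applies to `do_autoprobe()` in the next hunk.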
52806@@ -107,7 +107,7 @@ static int do_autoprobe(struct ctl_table *table, int write,
52807
52808 *ppos += len;
52809
52810- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
52811+ return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
52812 }
52813 #endif /* IEEE1284.3 support. */
52814
52815diff --git a/drivers/pci/host/pci-host-generic.c b/drivers/pci/host/pci-host-generic.c
52816index ba46e58..90cfc24 100644
52817--- a/drivers/pci/host/pci-host-generic.c
52818+++ b/drivers/pci/host/pci-host-generic.c
52819@@ -26,9 +26,9 @@
52820 #include <linux/platform_device.h>
52821
52822 struct gen_pci_cfg_bus_ops {
52823+ struct pci_ops ops;
52824 u32 bus_shift;
52825- void __iomem *(*map_bus)(struct pci_bus *, unsigned int, int);
52826-};
52827+} __do_const;
52828
52829 struct gen_pci_cfg_windows {
52830 struct resource res;
52831@@ -56,8 +56,12 @@ static void __iomem *gen_pci_map_cfg_bus_cam(struct pci_bus *bus,
52832 }
52833
52834 static struct gen_pci_cfg_bus_ops gen_pci_cfg_cam_bus_ops = {
52835+ .ops = {
52836+ .map_bus = gen_pci_map_cfg_bus_cam,
52837+ .read = pci_generic_config_read,
52838+ .write = pci_generic_config_write,
52839+ },
52840 .bus_shift = 16,
52841- .map_bus = gen_pci_map_cfg_bus_cam,
52842 };
52843
52844 static void __iomem *gen_pci_map_cfg_bus_ecam(struct pci_bus *bus,
52845@@ -72,13 +76,12 @@ static void __iomem *gen_pci_map_cfg_bus_ecam(struct pci_bus *bus,
52846 }
52847
52848 static struct gen_pci_cfg_bus_ops gen_pci_cfg_ecam_bus_ops = {
52849+ .ops = {
52850+ .map_bus = gen_pci_map_cfg_bus_ecam,
52851+ .read = pci_generic_config_read,
52852+ .write = pci_generic_config_write,
52853+ },
52854 .bus_shift = 20,
52855- .map_bus = gen_pci_map_cfg_bus_ecam,
52856-};
52857-
52858-static struct pci_ops gen_pci_ops = {
52859- .read = pci_generic_config_read,
52860- .write = pci_generic_config_write,
52861 };
52862
52863 static const struct of_device_id gen_pci_of_match[] = {
52864@@ -219,7 +222,6 @@ static int gen_pci_probe(struct platform_device *pdev)
52865 .private_data = (void **)&pci,
52866 .setup = gen_pci_setup,
52867 .map_irq = of_irq_parse_and_map_pci,
52868- .ops = &gen_pci_ops,
52869 };
52870
52871 if (!pci)
52872@@ -241,7 +243,7 @@ static int gen_pci_probe(struct platform_device *pdev)
52873
52874 of_id = of_match_node(gen_pci_of_match, np);
52875 pci->cfg.ops = of_id->data;
52876- gen_pci_ops.map_bus = pci->cfg.ops->map_bus;
52877+ hw.ops = &pci->cfg.ops->ops;
52878 pci->host.dev.parent = dev;
52879 INIT_LIST_HEAD(&pci->host.windows);
52880 INIT_LIST_HEAD(&pci->resources);
52881diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c
52882index 6ca2399..68d866b 100644
52883--- a/drivers/pci/hotplug/acpiphp_ibm.c
52884+++ b/drivers/pci/hotplug/acpiphp_ibm.c
52885@@ -452,7 +452,9 @@ static int __init ibm_acpiphp_init(void)
52886 goto init_cleanup;
52887 }
52888
52889- ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL);
52890+ pax_open_kernel();
52891+ *(size_t *)&ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL);
52892+ pax_close_kernel();
52893 retval = sysfs_create_bin_file(sysdir, &ibm_apci_table_attr);
52894
52895 return retval;
52896diff --git a/drivers/pci/hotplug/cpcihp_generic.c b/drivers/pci/hotplug/cpcihp_generic.c
52897index 66b7bbe..26bee78 100644
52898--- a/drivers/pci/hotplug/cpcihp_generic.c
52899+++ b/drivers/pci/hotplug/cpcihp_generic.c
52900@@ -73,7 +73,6 @@ static u16 port;
52901 static unsigned int enum_bit;
52902 static u8 enum_mask;
52903
52904-static struct cpci_hp_controller_ops generic_hpc_ops;
52905 static struct cpci_hp_controller generic_hpc;
52906
52907 static int __init validate_parameters(void)
52908@@ -139,6 +138,10 @@ static int query_enum(void)
52909 return ((value & enum_mask) == enum_mask);
52910 }
52911
52912+static struct cpci_hp_controller_ops generic_hpc_ops = {
52913+ .query_enum = query_enum,
52914+};
52915+
52916 static int __init cpcihp_generic_init(void)
52917 {
52918 int status;
52919@@ -165,7 +168,6 @@ static int __init cpcihp_generic_init(void)
52920 pci_dev_put(dev);
52921
52922 memset(&generic_hpc, 0, sizeof (struct cpci_hp_controller));
52923- generic_hpc_ops.query_enum = query_enum;
52924 generic_hpc.ops = &generic_hpc_ops;
52925
52926 status = cpci_hp_register_controller(&generic_hpc);
52927diff --git a/drivers/pci/hotplug/cpcihp_zt5550.c b/drivers/pci/hotplug/cpcihp_zt5550.c
52928index 7ecf34e..effed62 100644
52929--- a/drivers/pci/hotplug/cpcihp_zt5550.c
52930+++ b/drivers/pci/hotplug/cpcihp_zt5550.c
52931@@ -59,7 +59,6 @@
52932 /* local variables */
52933 static bool debug;
52934 static bool poll;
52935-static struct cpci_hp_controller_ops zt5550_hpc_ops;
52936 static struct cpci_hp_controller zt5550_hpc;
52937
52938 /* Primary cPCI bus bridge device */
52939@@ -204,6 +203,10 @@ static int zt5550_hc_disable_irq(void)
52940 return 0;
52941 }
52942
52943+static struct cpci_hp_controller_ops zt5550_hpc_ops = {
52944+ .query_enum = zt5550_hc_query_enum,
52945+};
52946+
52947 static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id *ent)
52948 {
52949 int status;
52950@@ -215,16 +218,17 @@ static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id
52951 dbg("returned from zt5550_hc_config");
52952
52953 memset(&zt5550_hpc, 0, sizeof (struct cpci_hp_controller));
52954- zt5550_hpc_ops.query_enum = zt5550_hc_query_enum;
52955 zt5550_hpc.ops = &zt5550_hpc_ops;
52956 if (!poll) {
52957 zt5550_hpc.irq = hc_dev->irq;
52958 zt5550_hpc.irq_flags = IRQF_SHARED;
52959 zt5550_hpc.dev_id = hc_dev;
52960
52961- zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq;
52962- zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq;
52963- zt5550_hpc_ops.check_irq = zt5550_hc_check_irq;
52964+ pax_open_kernel();
52965+ *(void **)&zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq;
52966+ *(void **)&zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq;
52967+ *(void **)&zt5550_hpc_ops.check_irq = zt5550_hc_check_irq;
52968+ pax_open_kernel();
52969 } else {
52970 info("using ENUM# polling mode");
52971 }
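Review bot: The block added in the `!poll` branch ends with a second `pax_open_kernel();` where the matching close is expected, so the three stores into `zt5550_hpc_ops` are never followed by `pax_close_kernel();`. The other sites visible in this patch that write through a cast bracket their stores with open then close, which suggests a typo; the last added line should read `pax_close_kernel();`. The definition of pax_open_kernel() is not in this hunk, so the exact effect needs confirming, but as written whatever write window it opens would presumably stay open after zt5550_hc_init_one returns. The function body continues outside the hunk.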
52972diff --git a/drivers/pci/hotplug/cpqphp_nvram.c b/drivers/pci/hotplug/cpqphp_nvram.c
52973index 1e08ff8c..3cd145f 100644
52974--- a/drivers/pci/hotplug/cpqphp_nvram.c
52975+++ b/drivers/pci/hotplug/cpqphp_nvram.c
52976@@ -425,8 +425,10 @@ static u32 store_HRT (void __iomem *rom_start)
52977
52978 void compaq_nvram_init (void __iomem *rom_start)
52979 {
52980+#ifndef CONFIG_PAX_KERNEXEC
52981 if (rom_start)
52982 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
52983+#endif
52984
52985 dbg("int15 entry = %p\n", compaq_int15_entry_point);
52986
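Review bot: The `#ifndef CONFIG_PAX_KERNEXEC` guard in compaq_nvram_init has no comment, and with the option set `compaq_int15_entry_point` is never assigned here while the `dbg()` line below still prints it. If the reason is that a call target inside the ROM mapping must not be set up under KERNEXEC, a short comment such as `/* KERNEXEC: do not derive a callable entry point from the ROM mapping */` would record it. The users of the entry point are outside this hunk and should be checked for an unset value. The function body continues past the hunk.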
52987diff --git a/drivers/pci/hotplug/pci_hotplug_core.c b/drivers/pci/hotplug/pci_hotplug_core.c
52988index 56d8486..f26113f 100644
52989--- a/drivers/pci/hotplug/pci_hotplug_core.c
52990+++ b/drivers/pci/hotplug/pci_hotplug_core.c
52991@@ -436,8 +436,10 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus,
52992 return -EINVAL;
52993 }
52994
52995- slot->ops->owner = owner;
52996- slot->ops->mod_name = mod_name;
52997+ pax_open_kernel();
52998+ *(struct module **)&slot->ops->owner = owner;
52999+ *(const char **)&slot->ops->mod_name = mod_name;
53000+ pax_close_kernel();
53001
53002 mutex_lock(&pci_hp_mutex);
53003 /*
53004diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
53005index 612b21a..9494a5e 100644
53006--- a/drivers/pci/hotplug/pciehp_core.c
53007+++ b/drivers/pci/hotplug/pciehp_core.c
53008@@ -87,7 +87,7 @@ static int init_slot(struct controller *ctrl)
53009 struct slot *slot = ctrl->slot;
53010 struct hotplug_slot *hotplug = NULL;
53011 struct hotplug_slot_info *info = NULL;
53012- struct hotplug_slot_ops *ops = NULL;
53013+ hotplug_slot_ops_no_const *ops = NULL;
53014 char name[SLOT_NAME_SIZE];
53015 int retval = -ENOMEM;
53016
53017diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
53018index f66be86..6cbcabb 100644
53019--- a/drivers/pci/msi.c
53020+++ b/drivers/pci/msi.c
53021@@ -492,8 +492,8 @@ static int populate_msi_sysfs(struct pci_dev *pdev)
53022 {
53023 struct attribute **msi_attrs;
53024 struct attribute *msi_attr;
53025- struct device_attribute *msi_dev_attr;
53026- struct attribute_group *msi_irq_group;
53027+ device_attribute_no_const *msi_dev_attr;
53028+ attribute_group_no_const *msi_irq_group;
53029 const struct attribute_group **msi_irq_groups;
53030 struct msi_desc *entry;
53031 int ret = -ENOMEM;
53032@@ -552,7 +552,7 @@ error_attrs:
53033 count = 0;
53034 msi_attr = msi_attrs[count];
53035 while (msi_attr) {
53036- msi_dev_attr = container_of(msi_attr, struct device_attribute, attr);
53037+ msi_dev_attr = container_of(msi_attr, device_attribute_no_const, attr);
53038 kfree(msi_attr->name);
53039 kfree(msi_dev_attr);
53040 ++count;
53041@@ -1236,12 +1236,14 @@ static void pci_msi_domain_update_dom_ops(struct msi_domain_info *info)
53042 if (ops == NULL) {
53043 info->ops = &pci_msi_domain_ops_default;
53044 } else {
53045+ pax_open_kernel();
53046 if (ops->set_desc == NULL)
53047- ops->set_desc = pci_msi_domain_set_desc;
53048+ *(void **)&ops->set_desc = pci_msi_domain_set_desc;
53049 if (ops->msi_check == NULL)
53050- ops->msi_check = pci_msi_domain_check_cap;
53051+ *(void **)&ops->msi_check = pci_msi_domain_check_cap;
53052 if (ops->handle_error == NULL)
53053- ops->handle_error = pci_msi_domain_handle_error;
53054+ *(void **)&ops->handle_error = pci_msi_domain_handle_error;
53055+ pax_close_kernel();
53056 }
53057 }
53058
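Review bot: In the `else` branch of pci_msi_domain_update_dom_ops the `pax_open_kernel()`/`pax_close_kernel()` pair is taken unconditionally, even when all three callbacks are already set and nothing is written. The next hunk, for pci_msi_domain_update_chip_ops, opens the window only inside the `if` that performs the store. For consistency and to keep the writable window as small as possible, the pair here could be guarded the same way, e.g. `if (!ops->set_desc || !ops->msi_check || !ops->handle_error) {` around the open, the three stores and the close.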
53059@@ -1250,8 +1252,11 @@ static void pci_msi_domain_update_chip_ops(struct msi_domain_info *info)
53060 struct irq_chip *chip = info->chip;
53061
53062 BUG_ON(!chip);
53063- if (!chip->irq_write_msi_msg)
53064- chip->irq_write_msi_msg = pci_msi_domain_write_msg;
53065+ if (!chip->irq_write_msi_msg) {
53066+ pax_open_kernel();
53067+ *(void **)&chip->irq_write_msi_msg = pci_msi_domain_write_msg;
53068+ pax_close_kernel();
53069+ }
53070 }
53071
53072 /**
53073diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
53074index 312f23a..d21181c 100644
53075--- a/drivers/pci/pci-sysfs.c
53076+++ b/drivers/pci/pci-sysfs.c
53077@@ -1140,7 +1140,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
53078 {
53079 /* allocate attribute structure, piggyback attribute name */
53080 int name_len = write_combine ? 13 : 10;
53081- struct bin_attribute *res_attr;
53082+ bin_attribute_no_const *res_attr;
53083 int retval;
53084
53085 res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC);
53086@@ -1317,7 +1317,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
53087 static int pci_create_capabilities_sysfs(struct pci_dev *dev)
53088 {
53089 int retval;
53090- struct bin_attribute *attr;
53091+ bin_attribute_no_const *attr;
53092
53093 /* If the device has VPD, try to expose it in sysfs. */
53094 if (dev->vpd) {
53095@@ -1364,7 +1364,7 @@ int __must_check pci_create_sysfs_dev_files(struct pci_dev *pdev)
53096 {
53097 int retval;
53098 int rom_size = 0;
53099- struct bin_attribute *attr;
53100+ bin_attribute_no_const *attr;
53101
53102 if (!sysfs_initialized)
53103 return -EACCES;
53104diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
53105index 4ff0ff1..e309fb0 100644
53106--- a/drivers/pci/pci.h
53107+++ b/drivers/pci/pci.h
53108@@ -99,7 +99,7 @@ struct pci_vpd_ops {
53109 struct pci_vpd {
53110 unsigned int len;
53111 const struct pci_vpd_ops *ops;
53112- struct bin_attribute *attr; /* descriptor for sysfs VPD entry */
53113+ bin_attribute_no_const *attr; /* descriptor for sysfs VPD entry */
53114 };
53115
53116 int pci_vpd_pci22_init(struct pci_dev *dev);
53117diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
53118index 317e355..21f7b91 100644
53119--- a/drivers/pci/pcie/aspm.c
53120+++ b/drivers/pci/pcie/aspm.c
53121@@ -27,9 +27,9 @@
53122 #define MODULE_PARAM_PREFIX "pcie_aspm."
53123
53124 /* Note: those are not register definitions */
53125-#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
53126-#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
53127-#define ASPM_STATE_L1 (4) /* L1 state */
53128+#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
53129+#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
53130+#define ASPM_STATE_L1 (4U) /* L1 state */
53131 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
53132 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
53133
53134diff --git a/drivers/pci/pcie/portdrv_pci.c b/drivers/pci/pcie/portdrv_pci.c
53135index be35da2..ec16cdb 100644
53136--- a/drivers/pci/pcie/portdrv_pci.c
53137+++ b/drivers/pci/pcie/portdrv_pci.c
53138@@ -324,7 +324,7 @@ static int __init dmi_pcie_pme_disable_msi(const struct dmi_system_id *d)
53139 return 0;
53140 }
53141
53142-static struct dmi_system_id __initdata pcie_portdrv_dmi_table[] = {
53143+static const struct dmi_system_id __initconst pcie_portdrv_dmi_table[] = {
53144 /*
53145 * Boxes that should not use MSI for PCIe PME signaling.
53146 */
53147diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
53148index f6ae0d0..af897bc 100644
53149--- a/drivers/pci/probe.c
53150+++ b/drivers/pci/probe.c
53151@@ -176,7 +176,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
53152 u16 orig_cmd;
53153 struct pci_bus_region region, inverted_region;
53154
53155- mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
53156+ mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
53157
53158 /* No printks while decoding is disabled! */
53159 if (!dev->mmio_always_on) {
53160diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
53161index 3f155e7..0f4b1f0 100644
53162--- a/drivers/pci/proc.c
53163+++ b/drivers/pci/proc.c
53164@@ -434,7 +434,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
53165 static int __init pci_proc_init(void)
53166 {
53167 struct pci_dev *dev = NULL;
53168+
53169+#ifdef CONFIG_GRKERNSEC_PROC_ADD
53170+#ifdef CONFIG_GRKERNSEC_PROC_USER
53171+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
53172+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
53173+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
53174+#endif
53175+#else
53176 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
53177+#endif
53178 proc_create("devices", 0, proc_bus_pci_dir,
53179 &proc_bus_pci_dev_operations);
53180 proc_initialized = 1;
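Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP`, the inner `#ifdef`/`#elif` selects nothing, so `proc_bus_pci_dir` is never assigned before `proc_create("devices", ...)` uses it as the parent. Kconfig may rule that combination out, but nothing in the hunk says so. An inner `#else` with `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` would make the dependency explicit without silently falling back to the unrestricted directory mode. The return value of the mkdir call is not checked on any branch, which predates this change. pci_proc_init continues outside the hunk.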
53181diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
53182index 2deb130..8194e13 100644
53183--- a/drivers/pinctrl/pinctrl-at91.c
53184+++ b/drivers/pinctrl/pinctrl-at91.c
53185@@ -24,6 +24,7 @@
53186 #include <linux/pinctrl/pinmux.h>
53187 /* Since we request GPIOs from ourself */
53188 #include <linux/pinctrl/consumer.h>
53189+#include <asm/pgtable.h>
53190
53191 #include "pinctrl-at91.h"
53192 #include "core.h"
53193@@ -1656,7 +1657,9 @@ static int at91_gpio_of_irq_setup(struct platform_device *pdev,
53194 at91_gpio->pioc_hwirq = irqd_to_hwirq(d);
53195
53196 /* Setup proper .irq_set_type function */
53197- gpio_irqchip.irq_set_type = at91_gpio->ops->irq_type;
53198+ pax_open_kernel();
53199+ *(void **)&gpio_irqchip.irq_set_type = at91_gpio->ops->irq_type;
53200+ pax_close_kernel();
53201
53202 /* Disable irqs of this PIO controller */
53203 writel_relaxed(~0, at91_gpio->regbase + PIO_IDR);
53204diff --git a/drivers/platform/chrome/chromeos_pstore.c b/drivers/platform/chrome/chromeos_pstore.c
53205index 3474920..acc9581 100644
53206--- a/drivers/platform/chrome/chromeos_pstore.c
53207+++ b/drivers/platform/chrome/chromeos_pstore.c
53208@@ -13,7 +13,7 @@
53209 #include <linux/platform_device.h>
53210 #include <linux/pstore_ram.h>
53211
53212-static struct dmi_system_id chromeos_pstore_dmi_table[] __initdata = {
53213+static const struct dmi_system_id chromeos_pstore_dmi_table[] __initconst = {
53214 {
53215 /*
53216 * Today all Chromebooks/boxes ship with Google_* as version and
53217diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c
53218index 1e1e594..8fe59c5 100644
53219--- a/drivers/platform/x86/alienware-wmi.c
53220+++ b/drivers/platform/x86/alienware-wmi.c
53221@@ -150,7 +150,7 @@ struct wmax_led_args {
53222 } __packed;
53223
53224 static struct platform_device *platform_device;
53225-static struct device_attribute *zone_dev_attrs;
53226+static device_attribute_no_const *zone_dev_attrs;
53227 static struct attribute **zone_attrs;
53228 static struct platform_zone *zone_data;
53229
53230@@ -160,7 +160,7 @@ static struct platform_driver platform_driver = {
53231 }
53232 };
53233
53234-static struct attribute_group zone_attribute_group = {
53235+static attribute_group_no_const zone_attribute_group = {
53236 .name = "rgb_zones",
53237 };
53238
53239diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
53240index efbc3f0..18ae682 100644
53241--- a/drivers/platform/x86/asus-wmi.c
53242+++ b/drivers/platform/x86/asus-wmi.c
53243@@ -1868,6 +1868,10 @@ static int show_dsts(struct seq_file *m, void *data)
53244 int err;
53245 u32 retval = -1;
53246
53247+#ifdef CONFIG_GRKERNSEC_KMEM
53248+ return -EPERM;
53249+#endif
53250+
53251 err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
53252
53253 if (err < 0)
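Review bot: The early `return -EPERM;` added under `CONFIG_GRKERNSEC_KMEM` in show_dsts makes the rest of the function unreachable when the option is set, so the locals above it and the call below are still compiled as dead code and may draw compiler warnings. Putting the remainder under `#else` … `#endif` would avoid that. The reason for the refusal is not stated either (presumably that the `asus->debug` fields feed values straight into firmware calls), and a comment such as `/* GRKERNSEC_KMEM: debug interface to the firmware is refused */` would record it. The same pattern is added to show_devs and show_call in the next two hunks. All three function bodies continue outside their hunks.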
53254@@ -1884,6 +1888,10 @@ static int show_devs(struct seq_file *m, void *data)
53255 int err;
53256 u32 retval = -1;
53257
53258+#ifdef CONFIG_GRKERNSEC_KMEM
53259+ return -EPERM;
53260+#endif
53261+
53262 err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
53263 &retval);
53264
53265@@ -1908,6 +1916,10 @@ static int show_call(struct seq_file *m, void *data)
53266 union acpi_object *obj;
53267 acpi_status status;
53268
53269+#ifdef CONFIG_GRKERNSEC_KMEM
53270+ return -EPERM;
53271+#endif
53272+
53273 status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
53274 1, asus->debug.method_id,
53275 &input, &output);
53276diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c
53277index f2706d2..850edfa4 100644
53278--- a/drivers/platform/x86/compal-laptop.c
53279+++ b/drivers/platform/x86/compal-laptop.c
53280@@ -765,7 +765,7 @@ static int dmi_check_cb_extra(const struct dmi_system_id *id)
53281 return 1;
53282 }
53283
53284-static struct dmi_system_id __initdata compal_dmi_table[] = {
53285+static const struct dmi_system_id __initconst compal_dmi_table[] = {
53286 {
53287 .ident = "FL90/IFL90",
53288 .matches = {
53289diff --git a/drivers/platform/x86/hdaps.c b/drivers/platform/x86/hdaps.c
53290index 458e6c9..089aee7 100644
53291--- a/drivers/platform/x86/hdaps.c
53292+++ b/drivers/platform/x86/hdaps.c
53293@@ -514,7 +514,7 @@ static int __init hdaps_dmi_match_invert(const struct dmi_system_id *id)
53294 "ThinkPad T42p", so the order of the entries matters.
53295 If your ThinkPad is not recognized, please update to latest
53296 BIOS. This is especially the case for some R52 ThinkPads. */
53297-static struct dmi_system_id __initdata hdaps_whitelist[] = {
53298+static const struct dmi_system_id __initconst hdaps_whitelist[] = {
53299 HDAPS_DMI_MATCH_INVERT("IBM", "ThinkPad R50p", HDAPS_BOTH_AXES),
53300 HDAPS_DMI_MATCH_NORMAL("IBM", "ThinkPad R50"),
53301 HDAPS_DMI_MATCH_NORMAL("IBM", "ThinkPad R51"),
53302diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
53303index 97c2be1..2ee50ce 100644
53304--- a/drivers/platform/x86/ibm_rtl.c
53305+++ b/drivers/platform/x86/ibm_rtl.c
53306@@ -227,7 +227,7 @@ static void rtl_teardown_sysfs(void) {
53307 }
53308
53309
53310-static struct dmi_system_id __initdata ibm_rtl_dmi_table[] = {
53311+static const struct dmi_system_id __initconst ibm_rtl_dmi_table[] = {
53312 { \
53313 .matches = { \
53314 DMI_MATCH(DMI_SYS_VENDOR, "IBM"), \
53315diff --git a/drivers/platform/x86/intel_oaktrail.c b/drivers/platform/x86/intel_oaktrail.c
53316index 6aa33c4..cfb5425 100644
53317--- a/drivers/platform/x86/intel_oaktrail.c
53318+++ b/drivers/platform/x86/intel_oaktrail.c
53319@@ -299,7 +299,7 @@ static int dmi_check_cb(const struct dmi_system_id *id)
53320 return 0;
53321 }
53322
53323-static struct dmi_system_id __initdata oaktrail_dmi_table[] = {
53324+static const struct dmi_system_id __initconst oaktrail_dmi_table[] = {
53325 {
53326 .ident = "OakTrail platform",
53327 .matches = {
53328diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
53329index 4231770..10a6caf 100644
53330--- a/drivers/platform/x86/msi-laptop.c
53331+++ b/drivers/platform/x86/msi-laptop.c
53332@@ -605,7 +605,7 @@ static int dmi_check_cb(const struct dmi_system_id *dmi)
53333 return 1;
53334 }
53335
53336-static struct dmi_system_id __initdata msi_dmi_table[] = {
53337+static const struct dmi_system_id __initconst msi_dmi_table[] = {
53338 {
53339 .ident = "MSI S270",
53340 .matches = {
53341@@ -1000,12 +1000,14 @@ static int __init load_scm_model_init(struct platform_device *sdev)
53342
53343 if (!quirks->ec_read_only) {
53344 /* allow userland write sysfs file */
53345- dev_attr_bluetooth.store = store_bluetooth;
53346- dev_attr_wlan.store = store_wlan;
53347- dev_attr_threeg.store = store_threeg;
53348- dev_attr_bluetooth.attr.mode |= S_IWUSR;
53349- dev_attr_wlan.attr.mode |= S_IWUSR;
53350- dev_attr_threeg.attr.mode |= S_IWUSR;
53351+ pax_open_kernel();
53352+ *(void **)&dev_attr_bluetooth.store = store_bluetooth;
53353+ *(void **)&dev_attr_wlan.store = store_wlan;
53354+ *(void **)&dev_attr_threeg.store = store_threeg;
53355+ *(umode_t *)&dev_attr_bluetooth.attr.mode |= S_IWUSR;
53356+ *(umode_t *)&dev_attr_wlan.attr.mode |= S_IWUSR;
53357+ *(umode_t *)&dev_attr_threeg.attr.mode |= S_IWUSR;
53358+ pax_close_kernel();
53359 }
53360
53361 /* disable hardware control by fn key */
53362diff --git a/drivers/platform/x86/msi-wmi.c b/drivers/platform/x86/msi-wmi.c
53363index 978e6d6..1f0b37d 100644
53364--- a/drivers/platform/x86/msi-wmi.c
53365+++ b/drivers/platform/x86/msi-wmi.c
53366@@ -184,7 +184,7 @@ static const struct backlight_ops msi_backlight_ops = {
53367 static void msi_wmi_notify(u32 value, void *context)
53368 {
53369 struct acpi_buffer response = { ACPI_ALLOCATE_BUFFER, NULL };
53370- static struct key_entry *key;
53371+ struct key_entry *key;
53372 union acpi_object *obj;
53373 acpi_status status;
53374
53375diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
53376index 8c146e2..356c62e 100644
53377--- a/drivers/platform/x86/samsung-laptop.c
53378+++ b/drivers/platform/x86/samsung-laptop.c
53379@@ -1567,7 +1567,7 @@ static int __init samsung_dmi_matched(const struct dmi_system_id *d)
53380 return 0;
53381 }
53382
53383-static struct dmi_system_id __initdata samsung_dmi_table[] = {
53384+static const struct dmi_system_id __initconst samsung_dmi_table[] = {
53385 {
53386 .matches = {
53387 DMI_MATCH(DMI_SYS_VENDOR,
53388diff --git a/drivers/platform/x86/samsung-q10.c b/drivers/platform/x86/samsung-q10.c
53389index e6aac72..e11ff24 100644
53390--- a/drivers/platform/x86/samsung-q10.c
53391+++ b/drivers/platform/x86/samsung-q10.c
53392@@ -95,7 +95,7 @@ static int __init dmi_check_callback(const struct dmi_system_id *id)
53393 return 1;
53394 }
53395
53396-static struct dmi_system_id __initdata samsungq10_dmi_table[] = {
53397+static const struct dmi_system_id __initconst samsungq10_dmi_table[] = {
53398 {
53399 .ident = "Samsung Q10",
53400 .matches = {
53401diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
53402index aeb80d1..3eb376b 100644
53403--- a/drivers/platform/x86/sony-laptop.c
53404+++ b/drivers/platform/x86/sony-laptop.c
53405@@ -2527,7 +2527,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd)
53406 }
53407
53408 /* High speed charging function */
53409-static struct device_attribute *hsc_handle;
53410+static device_attribute_no_const *hsc_handle;
53411
53412 static ssize_t sony_nc_highspeed_charging_store(struct device *dev,
53413 struct device_attribute *attr,
53414@@ -2601,7 +2601,7 @@ static void sony_nc_highspeed_charging_cleanup(struct platform_device *pd)
53415 }
53416
53417 /* low battery function */
53418-static struct device_attribute *lowbatt_handle;
53419+static device_attribute_no_const *lowbatt_handle;
53420
53421 static ssize_t sony_nc_lowbatt_store(struct device *dev,
53422 struct device_attribute *attr,
53423@@ -2667,7 +2667,7 @@ static void sony_nc_lowbatt_cleanup(struct platform_device *pd)
53424 }
53425
53426 /* fan speed function */
53427-static struct device_attribute *fan_handle, *hsf_handle;
53428+static device_attribute_no_const *fan_handle, *hsf_handle;
53429
53430 static ssize_t sony_nc_hsfan_store(struct device *dev,
53431 struct device_attribute *attr,
53432@@ -2774,7 +2774,7 @@ static void sony_nc_fanspeed_cleanup(struct platform_device *pd)
53433 }
53434
53435 /* USB charge function */
53436-static struct device_attribute *uc_handle;
53437+static device_attribute_no_const *uc_handle;
53438
53439 static ssize_t sony_nc_usb_charge_store(struct device *dev,
53440 struct device_attribute *attr,
53441@@ -2848,7 +2848,7 @@ static void sony_nc_usb_charge_cleanup(struct platform_device *pd)
53442 }
53443
53444 /* Panel ID function */
53445-static struct device_attribute *panel_handle;
53446+static device_attribute_no_const *panel_handle;
53447
53448 static ssize_t sony_nc_panelid_show(struct device *dev,
53449 struct device_attribute *attr, char *buffer)
53450@@ -2895,7 +2895,7 @@ static void sony_nc_panelid_cleanup(struct platform_device *pd)
53451 }
53452
53453 /* smart connect function */
53454-static struct device_attribute *sc_handle;
53455+static device_attribute_no_const *sc_handle;
53456
53457 static ssize_t sony_nc_smart_conn_store(struct device *dev,
53458 struct device_attribute *attr,
53459@@ -4851,7 +4851,7 @@ static struct acpi_driver sony_pic_driver = {
53460 .drv.pm = &sony_pic_pm,
53461 };
53462
53463-static struct dmi_system_id __initdata sonypi_dmi_table[] = {
53464+static const struct dmi_system_id __initconst sonypi_dmi_table[] = {
53465 {
53466 .ident = "Sony Vaio",
53467 .matches = {
53468diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
53469index 33e488c..417aaea 100644
53470--- a/drivers/platform/x86/thinkpad_acpi.c
53471+++ b/drivers/platform/x86/thinkpad_acpi.c
53472@@ -2460,10 +2460,10 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
53473 && !tp_features.bright_unkfw)
53474 TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME);
53475 }
53476+}
53477
53478 #undef TPACPI_COMPARE_KEY
53479 #undef TPACPI_MAY_SEND_KEY
53480-}
53481
53482 /*
53483 * Polling driver
53484diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
53485index 438d4c7..ca8a2fb 100644
53486--- a/drivers/pnp/pnpbios/bioscalls.c
53487+++ b/drivers/pnp/pnpbios/bioscalls.c
53488@@ -59,7 +59,7 @@ do { \
53489 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
53490 } while(0)
53491
53492-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
53493+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
53494 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
53495
53496 /*
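Review bot: The flags value passed to `GDT_ENTRY_INIT` for `bad_bios_desc` changes from `0x4092` to `0x4093` without a comment, and the one-bit difference is easy to miss next to the added `const`. Bit 0 of the descriptor type is the accessed bit. The intent is presumably to pre-set it so the CPU never has to write the descriptor back into a GDT that the later hunks treat as write-protected, since they wrap the GDT stores in `pax_open_kernel()`/`pax_close_kernel()`. If so, a comment above the definition would record it, e.g. `/* accessed bit pre-set: the CPU must not need to write this descriptor in the GDT */`.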
53497@@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3,
53498
53499 cpu = get_cpu();
53500 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
53501+
53502+ pax_open_kernel();
53503 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
53504+ pax_close_kernel();
53505
53506 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
53507 spin_lock_irqsave(&pnp_bios_lock, flags);
53508@@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3,
53509 :"memory");
53510 spin_unlock_irqrestore(&pnp_bios_lock, flags);
53511
53512+ pax_open_kernel();
53513 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
53514+ pax_close_kernel();
53515+
53516 put_cpu();
53517
53518 /* If we get here and this is set then the PnP BIOS faulted on us. */
53519@@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 nvram_base)
53520 return status;
53521 }
53522
53523-void pnpbios_calls_init(union pnp_bios_install_struct *header)
53524+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
53525 {
53526 int i;
53527
53528@@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header)
53529 pnp_bios_callpoint.offset = header->fields.pm16offset;
53530 pnp_bios_callpoint.segment = PNP_CS16;
53531
53532+ pax_open_kernel();
53533+
53534 for_each_possible_cpu(i) {
53535 struct desc_struct *gdt = get_cpu_gdt_table(i);
53536 if (!gdt)
53537@@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header)
53538 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
53539 (unsigned long)__va(header->fields.pm16dseg));
53540 }
53541+
53542+ pax_close_kernel();
53543 }
53544diff --git a/drivers/pnp/pnpbios/core.c b/drivers/pnp/pnpbios/core.c
53545index facd43b..b291260 100644
53546--- a/drivers/pnp/pnpbios/core.c
53547+++ b/drivers/pnp/pnpbios/core.c
53548@@ -494,7 +494,7 @@ static int __init exploding_pnp_bios(const struct dmi_system_id *d)
53549 return 0;
53550 }
53551
53552-static struct dmi_system_id pnpbios_dmi_table[] __initdata = {
53553+static const struct dmi_system_id pnpbios_dmi_table[] __initconst = {
53554 { /* PnPBIOS GPF on boot */
53555 .callback = exploding_pnp_bios,
53556 .ident = "Higraded P14H",
53557diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c
53558index dfe1ee8..67e820c 100644
53559--- a/drivers/power/pda_power.c
53560+++ b/drivers/power/pda_power.c
53561@@ -38,7 +38,11 @@ static struct power_supply *pda_psy_ac, *pda_psy_usb;
53562
53563 #if IS_ENABLED(CONFIG_USB_PHY)
53564 static struct usb_phy *transceiver;
53565-static struct notifier_block otg_nb;
53566+static int otg_handle_notification(struct notifier_block *nb,
53567+ unsigned long event, void *unused);
53568+static struct notifier_block otg_nb = {
53569+ .notifier_call = otg_handle_notification
53570+};
53571 #endif
53572
53573 static struct regulator *ac_draw;
53574@@ -373,7 +377,6 @@ static int pda_power_probe(struct platform_device *pdev)
53575
53576 #if IS_ENABLED(CONFIG_USB_PHY)
53577 if (!IS_ERR_OR_NULL(transceiver) && pdata->use_otg_notifier) {
53578- otg_nb.notifier_call = otg_handle_notification;
53579 ret = usb_register_notifier(transceiver, &otg_nb);
53580 if (ret) {
53581 dev_err(dev, "failure to register otg notifier\n");
53582diff --git a/drivers/power/power_supply.h b/drivers/power/power_supply.h
53583index cc439fd..8fa30df 100644
53584--- a/drivers/power/power_supply.h
53585+++ b/drivers/power/power_supply.h
53586@@ -16,12 +16,12 @@ struct power_supply;
53587
53588 #ifdef CONFIG_SYSFS
53589
53590-extern void power_supply_init_attrs(struct device_type *dev_type);
53591+extern void power_supply_init_attrs(void);
53592 extern int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env);
53593
53594 #else
53595
53596-static inline void power_supply_init_attrs(struct device_type *dev_type) {}
53597+static inline void power_supply_init_attrs(void) {}
53598 #define power_supply_uevent NULL
53599
53600 #endif /* CONFIG_SYSFS */
53601diff --git a/drivers/power/power_supply_core.c b/drivers/power/power_supply_core.c
53602index 869284c..38a812b 100644
53603--- a/drivers/power/power_supply_core.c
53604+++ b/drivers/power/power_supply_core.c
53605@@ -28,7 +28,10 @@ EXPORT_SYMBOL_GPL(power_supply_class);
53606 ATOMIC_NOTIFIER_HEAD(power_supply_notifier);
53607 EXPORT_SYMBOL_GPL(power_supply_notifier);
53608
53609-static struct device_type power_supply_dev_type;
53610+extern const struct attribute_group *power_supply_attr_groups[];
53611+static struct device_type power_supply_dev_type = {
53612+ .groups = power_supply_attr_groups,
53613+};
53614
53615 #define POWER_SUPPLY_DEFERRED_REGISTER_TIME msecs_to_jiffies(10)
53616
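Review bot: The new static initializer of `power_supply_dev_type` references `power_supply_attr_groups` unconditionally, which may leave the symbol undefined at link time when `CONFIG_SYSFS` is off. power_supply.h, also touched by this patch, still provides a `!CONFIG_SYSFS` stub for power_supply_init_attrs(), which suggests power_supply_sysfs.c is not built in that configuration; the Makefile is not visible here, so this needs checking. Guarding the member as `#ifdef CONFIG_SYSFS` / `.groups = power_supply_attr_groups,` / `#endif` would keep that configuration building. Separately, the `extern` declaration sits in the .c file and is never checked against the definition; declaring the array in power_supply.h would keep the two in sync.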
53617@@ -960,7 +963,7 @@ static int __init power_supply_class_init(void)
53618 return PTR_ERR(power_supply_class);
53619
53620 power_supply_class->dev_uevent = power_supply_uevent;
53621- power_supply_init_attrs(&power_supply_dev_type);
53622+ power_supply_init_attrs();
53623
53624 return 0;
53625 }
53626diff --git a/drivers/power/power_supply_sysfs.c b/drivers/power/power_supply_sysfs.c
53627index ed2d7fd..266b28f 100644
53628--- a/drivers/power/power_supply_sysfs.c
53629+++ b/drivers/power/power_supply_sysfs.c
53630@@ -238,17 +238,15 @@ static struct attribute_group power_supply_attr_group = {
53631 .is_visible = power_supply_attr_is_visible,
53632 };
53633
53634-static const struct attribute_group *power_supply_attr_groups[] = {
53635+const struct attribute_group *power_supply_attr_groups[] = {
53636 &power_supply_attr_group,
53637 NULL,
53638 };
53639
53640-void power_supply_init_attrs(struct device_type *dev_type)
53641+void power_supply_init_attrs(void)
53642 {
53643 int i;
53644
53645- dev_type->groups = power_supply_attr_groups;
53646-
53647 for (i = 0; i < ARRAY_SIZE(power_supply_attrs); i++)
53648 __power_supply_attrs[i] = &power_supply_attrs[i].attr;
53649 }
53650diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c
53651index 36dc52f..e2e8a4b 100644
53652--- a/drivers/power/reset/at91-reset.c
53653+++ b/drivers/power/reset/at91-reset.c
53654@@ -16,6 +16,7 @@
53655 #include <linux/of_address.h>
53656 #include <linux/platform_device.h>
53657 #include <linux/reboot.h>
53658+#include <asm/pgtable.h>
53659
53660 #include <soc/at91/at91sam9_ddrsdr.h>
53661 #include <soc/at91/at91sam9_sdramc.h>
53662@@ -191,7 +192,9 @@ static int at91_reset_of_probe(struct platform_device *pdev)
53663 }
53664
53665 match = of_match_node(at91_reset_of_match, pdev->dev.of_node);
53666- at91_restart_nb.notifier_call = match->data;
53667+ pax_open_kernel();
53668+ *(void **)&at91_restart_nb.notifier_call = match->data;
53669+ pax_close_kernel();
53670 return register_restart_handler(&at91_restart_nb);
53671 }
53672
53673@@ -219,9 +222,11 @@ static int at91_reset_platform_probe(struct platform_device *pdev)
53674 }
53675
53676 match = platform_get_device_id(pdev);
53677- at91_restart_nb.notifier_call =
53678+ pax_open_kernel();
53679+ *(void **)&at91_restart_nb.notifier_call =
53680 (int (*)(struct notifier_block *,
53681 unsigned long, void *)) match->driver_data;
53682+ pax_close_kernel();
53683
53684 return register_restart_handler(&at91_restart_nb);
53685 }
53686diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
53687index 84419af..268ede8 100644
53688--- a/drivers/powercap/powercap_sys.c
53689+++ b/drivers/powercap/powercap_sys.c
53690@@ -154,8 +154,77 @@ struct powercap_constraint_attr {
53691 struct device_attribute name_attr;
53692 };
53693
53694+static ssize_t show_constraint_name(struct device *dev,
53695+ struct device_attribute *dev_attr,
53696+ char *buf);
53697+
53698 static struct powercap_constraint_attr
53699- constraint_attrs[MAX_CONSTRAINTS_PER_ZONE];
53700+ constraint_attrs[MAX_CONSTRAINTS_PER_ZONE] = {
53701+ [0 ... MAX_CONSTRAINTS_PER_ZONE - 1] = {
53702+ .power_limit_attr = {
53703+ .attr = {
53704+ .name = NULL,
53705+ .mode = S_IWUSR | S_IRUGO
53706+ },
53707+ .show = show_constraint_power_limit_uw,
53708+ .store = store_constraint_power_limit_uw
53709+ },
53710+
53711+ .time_window_attr = {
53712+ .attr = {
53713+ .name = NULL,
53714+ .mode = S_IWUSR | S_IRUGO
53715+ },
53716+ .show = show_constraint_time_window_us,
53717+ .store = store_constraint_time_window_us
53718+ },
53719+
53720+ .max_power_attr = {
53721+ .attr = {
53722+ .name = NULL,
53723+ .mode = S_IRUGO
53724+ },
53725+ .show = show_constraint_max_power_uw,
53726+ .store = NULL
53727+ },
53728+
53729+ .min_power_attr = {
53730+ .attr = {
53731+ .name = NULL,
53732+ .mode = S_IRUGO
53733+ },
53734+ .show = show_constraint_min_power_uw,
53735+ .store = NULL
53736+ },
53737+
53738+ .max_time_window_attr = {
53739+ .attr = {
53740+ .name = NULL,
53741+ .mode = S_IRUGO
53742+ },
53743+ .show = show_constraint_max_time_window_us,
53744+ .store = NULL
53745+ },
53746+
53747+ .min_time_window_attr = {
53748+ .attr = {
53749+ .name = NULL,
53750+ .mode = S_IRUGO
53751+ },
53752+ .show = show_constraint_min_time_window_us,
53753+ .store = NULL
53754+ },
53755+
53756+ .name_attr = {
53757+ .attr = {
53758+ .name = NULL,
53759+ .mode = S_IRUGO
53760+ },
53761+ .show = show_constraint_name,
53762+ .store = NULL
53763+ }
53764+ }
53765+};
53766
53767 /* A list of powercap control_types */
53768 static LIST_HEAD(powercap_cntrl_list);
53769@@ -193,23 +262,16 @@ static ssize_t show_constraint_name(struct device *dev,
53770 }
53771
53772 static int create_constraint_attribute(int id, const char *name,
53773- int mode,
53774- struct device_attribute *dev_attr,
53775- ssize_t (*show)(struct device *,
53776- struct device_attribute *, char *),
53777- ssize_t (*store)(struct device *,
53778- struct device_attribute *,
53779- const char *, size_t)
53780- )
53781+ struct device_attribute *dev_attr)
53782 {
53783+ name = kasprintf(GFP_KERNEL, "constraint_%d_%s", id, name);
53784
53785- dev_attr->attr.name = kasprintf(GFP_KERNEL, "constraint_%d_%s",
53786- id, name);
53787- if (!dev_attr->attr.name)
53788+ if (!name)
53789 return -ENOMEM;
53790- dev_attr->attr.mode = mode;
53791- dev_attr->show = show;
53792- dev_attr->store = store;
53793+
53794+ pax_open_kernel();
53795+ *(const char **)&dev_attr->attr.name = name;
53796+ pax_close_kernel();
53797
53798 return 0;
53799 }
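Review bot: In create_constraint_attribute the parameter `name` is both an argument to and the destination of `name = kasprintf(GFP_KERNEL, "constraint_%d_%s", id, name);`, so after that line it silently changes from the caller's borrowed suffix to a heap string the function owns. This is correct as written, but easy to misread when someone later adds an error path. A separate local makes the ownership explicit: `const char *attr_name = kasprintf(GFP_KERNEL, "constraint_%d_%s", id, name);` followed by `*(const char **)&dev_attr->attr.name = attr_name;`. A short comment should say that the string is handed to `dev_attr->attr.name` and must be freed by whoever tears the attributes down; that code is not visible in this hunk.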
53800@@ -236,49 +298,31 @@ static int seed_constraint_attributes(void)
53801
53802 for (i = 0; i < MAX_CONSTRAINTS_PER_ZONE; ++i) {
53803 ret = create_constraint_attribute(i, "power_limit_uw",
53804- S_IWUSR | S_IRUGO,
53805- &constraint_attrs[i].power_limit_attr,
53806- show_constraint_power_limit_uw,
53807- store_constraint_power_limit_uw);
53808+ &constraint_attrs[i].power_limit_attr);
53809 if (ret)
53810 goto err_alloc;
53811 ret = create_constraint_attribute(i, "time_window_us",
53812- S_IWUSR | S_IRUGO,
53813- &constraint_attrs[i].time_window_attr,
53814- show_constraint_time_window_us,
53815- store_constraint_time_window_us);
53816+ &constraint_attrs[i].time_window_attr);
53817 if (ret)
53818 goto err_alloc;
53819- ret = create_constraint_attribute(i, "name", S_IRUGO,
53820- &constraint_attrs[i].name_attr,
53821- show_constraint_name,
53822- NULL);
53823+ ret = create_constraint_attribute(i, "name",
53824+ &constraint_attrs[i].name_attr);
53825 if (ret)
53826 goto err_alloc;
53827- ret = create_constraint_attribute(i, "max_power_uw", S_IRUGO,
53828- &constraint_attrs[i].max_power_attr,
53829- show_constraint_max_power_uw,
53830- NULL);
53831+ ret = create_constraint_attribute(i, "max_power_uw",
53832+ &constraint_attrs[i].max_power_attr);
53833 if (ret)
53834 goto err_alloc;
53835- ret = create_constraint_attribute(i, "min_power_uw", S_IRUGO,
53836- &constraint_attrs[i].min_power_attr,
53837- show_constraint_min_power_uw,
53838- NULL);
53839+ ret = create_constraint_attribute(i, "min_power_uw",
53840+ &constraint_attrs[i].min_power_attr);
53841 if (ret)
53842 goto err_alloc;
53843 ret = create_constraint_attribute(i, "max_time_window_us",
53844- S_IRUGO,
53845- &constraint_attrs[i].max_time_window_attr,
53846- show_constraint_max_time_window_us,
53847- NULL);
53848+ &constraint_attrs[i].max_time_window_attr);
53849 if (ret)
53850 goto err_alloc;
53851 ret = create_constraint_attribute(i, "min_time_window_us",
53852- S_IRUGO,
53853- &constraint_attrs[i].min_time_window_attr,
53854- show_constraint_min_time_window_us,
53855- NULL);
53856+ &constraint_attrs[i].min_time_window_attr);
53857 if (ret)
53858 goto err_alloc;
53859
53860@@ -378,10 +422,12 @@ static void create_power_zone_common_attributes(
53861 power_zone->zone_dev_attrs[count++] =
53862 &dev_attr_max_energy_range_uj.attr;
53863 if (power_zone->ops->get_energy_uj) {
53864+ pax_open_kernel();
53865 if (power_zone->ops->reset_energy_uj)
53866- dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO;
53867+ *(umode_t *)&dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO;
53868 else
53869- dev_attr_energy_uj.attr.mode = S_IRUGO;
53870+ *(umode_t *)&dev_attr_energy_uj.attr.mode = S_IRUGO;
53871+ pax_close_kernel();
53872 power_zone->zone_dev_attrs[count++] =
53873 &dev_attr_energy_uj.attr;
53874 }
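Review bot: The mode is written into the file-scope `dev_attr_energy_uj`, so a decision made for one power zone is stored in an object that every zone shares, and the write now also needs a `pax_open_kernel()` window on each registration. If zones can be registered concurrently (not visible here), one zone could pick up the mode chosen for another. Deciding the mode per zone without touching the shared attribute would remove both the shared state and the need to open kernel write protection on this path; one option is an `is_visible` callback on the attribute group that returns `S_IWUSR | S_IRUGO` or `S_IRUGO` depending on `ops->reset_energy_uj`. The enclosing function starts and ends outside the hunk.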
53875diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
53876index 9c5d414..c7900ce 100644
53877--- a/drivers/ptp/ptp_private.h
53878+++ b/drivers/ptp/ptp_private.h
53879@@ -51,7 +51,7 @@ struct ptp_clock {
53880 struct mutex pincfg_mux; /* protect concurrent info->pin_config access */
53881 wait_queue_head_t tsev_wq;
53882 int defunct; /* tells readers to go away when clock is being removed */
53883- struct device_attribute *pin_dev_attr;
53884+ device_attribute_no_const *pin_dev_attr;
53885 struct attribute **pin_attr;
53886 struct attribute_group pin_attr_group;
53887 };
53888diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
53889index 302e626..12579af 100644
53890--- a/drivers/ptp/ptp_sysfs.c
53891+++ b/drivers/ptp/ptp_sysfs.c
53892@@ -280,7 +280,7 @@ static int ptp_populate_pins(struct ptp_clock *ptp)
53893 goto no_pin_attr;
53894
53895 for (i = 0; i < n_pins; i++) {
53896- struct device_attribute *da = &ptp->pin_dev_attr[i];
53897+ device_attribute_no_const *da = &ptp->pin_dev_attr[i];
53898 sysfs_attr_init(&da->attr);
53899 da->attr.name = info->pin_config[i].name;
53900 da->attr.mode = 0644;
53901diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
53902index 78387a6..faffdc7 100644
53903--- a/drivers/regulator/core.c
53904+++ b/drivers/regulator/core.c
53905@@ -3646,7 +3646,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
53906 const struct regulation_constraints *constraints = NULL;
53907 const struct regulator_init_data *init_data;
53908 struct regulator_config *config = NULL;
53909- static atomic_t regulator_no = ATOMIC_INIT(-1);
53910+ static atomic_unchecked_t regulator_no = ATOMIC_INIT(-1);
53911 struct regulator_dev *rdev;
53912 struct device *dev;
53913 int ret, i;
53914@@ -3729,7 +3729,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
53915 rdev->dev.class = &regulator_class;
53916 rdev->dev.parent = dev;
53917 dev_set_name(&rdev->dev, "regulator.%lu",
53918- (unsigned long) atomic_inc_return(&regulator_no));
53919+ (unsigned long) atomic_inc_return_unchecked(&regulator_no));
53920 ret = device_register(&rdev->dev);
53921 if (ret != 0) {
53922 put_device(&rdev->dev);
53923diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c
53924index 4071d74..260b15a 100644
53925--- a/drivers/regulator/max8660.c
53926+++ b/drivers/regulator/max8660.c
53927@@ -423,8 +423,10 @@ static int max8660_probe(struct i2c_client *client,
53928 max8660->shadow_regs[MAX8660_OVER1] = 5;
53929 } else {
53930 /* Otherwise devices can be toggled via software */
53931- max8660_dcdc_ops.enable = max8660_dcdc_enable;
53932- max8660_dcdc_ops.disable = max8660_dcdc_disable;
53933+ pax_open_kernel();
53934+ *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable;
53935+ *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable;
53936+ pax_close_kernel();
53937 }
53938
53939 /*
53940diff --git a/drivers/regulator/max8973-regulator.c b/drivers/regulator/max8973-regulator.c
53941index e94ddcf..bad33ad 100644
53942--- a/drivers/regulator/max8973-regulator.c
53943+++ b/drivers/regulator/max8973-regulator.c
53944@@ -580,9 +580,11 @@ static int max8973_probe(struct i2c_client *client,
53945 if (!pdata->enable_ext_control) {
53946 max->desc.enable_reg = MAX8973_VOUT;
53947 max->desc.enable_mask = MAX8973_VOUT_ENABLE;
53948- max->ops.enable = regulator_enable_regmap;
53949- max->ops.disable = regulator_disable_regmap;
53950- max->ops.is_enabled = regulator_is_enabled_regmap;
53951+ pax_open_kernel();
53952+ *(void **)&max->ops.enable = regulator_enable_regmap;
53953+ *(void **)&max->ops.disable = regulator_disable_regmap;
53954+ *(void **)&max->ops.is_enabled = regulator_is_enabled_regmap;
53955+ pax_close_kernel();
53956 break;
53957 }
53958
53959@@ -610,9 +612,11 @@ static int max8973_probe(struct i2c_client *client,
53960
53961 max->desc.enable_reg = MAX8973_VOUT;
53962 max->desc.enable_mask = MAX8973_VOUT_ENABLE;
53963- max->ops.enable = regulator_enable_regmap;
53964- max->ops.disable = regulator_disable_regmap;
53965- max->ops.is_enabled = regulator_is_enabled_regmap;
53966+ pax_open_kernel();
53967+ *(void **)&max->ops.enable = regulator_enable_regmap;
53968+ *(void **)&max->ops.disable = regulator_disable_regmap;
53969+ *(void **)&max->ops.is_enabled = regulator_is_enabled_regmap;
53970+ pax_close_kernel();
53971 break;
53972 default:
53973 break;
53974diff --git a/drivers/regulator/mc13892-regulator.c b/drivers/regulator/mc13892-regulator.c
53975index 0d17c92..a29f627 100644
53976--- a/drivers/regulator/mc13892-regulator.c
53977+++ b/drivers/regulator/mc13892-regulator.c
53978@@ -584,10 +584,12 @@ static int mc13892_regulator_probe(struct platform_device *pdev)
53979 mc13xxx_unlock(mc13892);
53980
53981 /* update mc13892_vcam ops */
53982- memcpy(&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
53983+ pax_open_kernel();
53984+ memcpy((void *)&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
53985 sizeof(struct regulator_ops));
53986- mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode,
53987- mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode,
53988+ *(void **)&mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode,
53989+ *(void **)&mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode,
53990+ pax_close_kernel();
53991 mc13892_regulators[MC13892_VCAM].desc.ops = &mc13892_vcam_ops;
53992
53993 mc13xxx_data = mc13xxx_parse_regulators_dt(pdev, mc13892_regulators,
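Review bot: The two rewritten assignments still end in commas, so `...set_mode = mc13892_vcam_set_mode, ...get_mode = mc13892_vcam_get_mode, pax_close_kernel();` is parsed as a single comma expression. That builds only while `pax_close_kernel()` can be used as an expression, and it hides the fact that the close call is a separate step that restores write protection. Ending them with semicolons avoids this: `*(void **)&mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode;` and `*(void **)&mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode;`. The probe function continues outside the hunk.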
53994diff --git a/drivers/rtc/rtc-armada38x.c b/drivers/rtc/rtc-armada38x.c
53995index 2b08cac..8942201 100644
53996--- a/drivers/rtc/rtc-armada38x.c
53997+++ b/drivers/rtc/rtc-armada38x.c
53998@@ -18,6 +18,7 @@
53999 #include <linux/of.h>
54000 #include <linux/platform_device.h>
54001 #include <linux/rtc.h>
54002+#include <asm/pgtable.h>
54003
54004 #define RTC_STATUS 0x0
54005 #define RTC_STATUS_ALARM1 BIT(0)
54006@@ -254,8 +255,10 @@ static __init int armada38x_rtc_probe(struct platform_device *pdev)
54007 * If there is no interrupt available then we can't
54008 * use the alarm
54009 */
54010- armada38x_rtc_ops.set_alarm = NULL;
54011- armada38x_rtc_ops.alarm_irq_enable = NULL;
54012+ pax_open_kernel();
54013+ *(void **)&armada38x_rtc_ops.set_alarm = NULL;
54014+ *(void **)&armada38x_rtc_ops.alarm_irq_enable = NULL;
54015+ pax_close_kernel();
54016 }
54017 platform_set_drvdata(pdev, rtc);
54018 if (rtc->irq != -1)
54019diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
54020index a82556a0..e842923 100644
54021--- a/drivers/rtc/rtc-cmos.c
54022+++ b/drivers/rtc/rtc-cmos.c
54023@@ -793,7 +793,9 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
54024 hpet_rtc_timer_init();
54025
54026 /* export at least the first block of NVRAM */
54027- nvram.size = address_space - NVRAM_OFFSET;
54028+ pax_open_kernel();
54029+ *(size_t *)&nvram.size = address_space - NVRAM_OFFSET;
54030+ pax_close_kernel();
54031 retval = sysfs_create_bin_file(&dev->kobj, &nvram);
54032 if (retval < 0) {
54033 dev_dbg(dev, "can't create nvram file? %d\n", retval);
54034diff --git a/drivers/rtc/rtc-dev.c b/drivers/rtc/rtc-dev.c
54035index 799c34b..8e9786a 100644
54036--- a/drivers/rtc/rtc-dev.c
54037+++ b/drivers/rtc/rtc-dev.c
54038@@ -16,6 +16,7 @@
54039 #include <linux/module.h>
54040 #include <linux/rtc.h>
54041 #include <linux/sched.h>
54042+#include <linux/grsecurity.h>
54043 #include "rtc-core.h"
54044
54045 static dev_t rtc_devt;
54046@@ -347,6 +348,8 @@ static long rtc_dev_ioctl(struct file *file,
54047 if (copy_from_user(&tm, uarg, sizeof(tm)))
54048 return -EFAULT;
54049
54050+ gr_log_timechange();
54051+
54052 return rtc_set_time(rtc, &tm);
54053
54054 case RTC_PIE_ON:
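Review bot: `gr_log_timechange();` runs before `rtc_set_time(rtc, &tm)` has returned, so the audit record is written even when the RTC update fails, and the log cannot distinguish an attempt from an actual change. If the intent is to record successful changes, log after the call, along the lines of `err = rtc_set_time(rtc, &tm);`, `if (!err) gr_log_timechange();`, `return err;`, assuming a suitable local exists in rtc_dev_ioctl, which is not visible here. If logging attempts is deliberate, a comment such as `/* logged before the write on purpose: attempts are audited too */` would make that clear. The switch statement starts and ends outside the hunk.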
54055diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
54056index 6e76de1..d38a1e0 100644
54057--- a/drivers/rtc/rtc-ds1307.c
54058+++ b/drivers/rtc/rtc-ds1307.c
54059@@ -107,7 +107,7 @@ struct ds1307 {
54060 u8 offset; /* register's offset */
54061 u8 regs[11];
54062 u16 nvram_offset;
54063- struct bin_attribute *nvram;
54064+ bin_attribute_no_const *nvram;
54065 enum ds_type type;
54066 unsigned long flags;
54067 #define HAS_NVRAM 0 /* bit 0 == sysfs file active */
54068diff --git a/drivers/rtc/rtc-m48t59.c b/drivers/rtc/rtc-m48t59.c
54069index 90abb5b..e0bf6dd 100644
54070--- a/drivers/rtc/rtc-m48t59.c
54071+++ b/drivers/rtc/rtc-m48t59.c
54072@@ -483,7 +483,9 @@ static int m48t59_rtc_probe(struct platform_device *pdev)
54073 if (IS_ERR(m48t59->rtc))
54074 return PTR_ERR(m48t59->rtc);
54075
54076- m48t59_nvram_attr.size = pdata->offset;
54077+ pax_open_kernel();
54078+ *(size_t *)&m48t59_nvram_attr.size = pdata->offset;
54079+ pax_close_kernel();
54080
54081 ret = sysfs_create_bin_file(&pdev->dev.kobj, &m48t59_nvram_attr);
54082 if (ret)
54083diff --git a/drivers/rtc/rtc-test.c b/drivers/rtc/rtc-test.c
54084index 3a2da4c..e88493c 100644
54085--- a/drivers/rtc/rtc-test.c
54086+++ b/drivers/rtc/rtc-test.c
54087@@ -112,8 +112,10 @@ static int test_probe(struct platform_device *plat_dev)
54088 struct rtc_device *rtc;
54089
54090 if (test_mmss64) {
54091- test_rtc_ops.set_mmss64 = test_rtc_set_mmss64;
54092- test_rtc_ops.set_mmss = NULL;
54093+ pax_open_kernel();
54094+ *(void **)&test_rtc_ops.set_mmss64 = test_rtc_set_mmss64;
54095+ *(void **)&test_rtc_ops.set_mmss = NULL;
54096+ pax_close_kernel();
54097 }
54098
54099 rtc = devm_rtc_device_register(&plat_dev->dev, "test",
54100diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
54101index 7a6dbfb..5cdcd29 100644
54102--- a/drivers/scsi/be2iscsi/be_main.c
54103+++ b/drivers/scsi/be2iscsi/be_main.c
54104@@ -3184,7 +3184,7 @@ be_sgl_create_contiguous(void *virtual_address,
54105 {
54106 WARN_ON(!virtual_address);
54107 WARN_ON(!physical_address);
54108- WARN_ON(!length > 0);
54109+ WARN_ON(!length);
54110 WARN_ON(!sgl);
54111
54112 sgl->va = virtual_address;
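Review bot: `WARN_ON(!sgl);` only reports the condition, and the very next statement, `sgl->va = virtual_address;`, dereferences the pointer it just warned about. The corrected `WARN_ON(!length);` likewise lets a zero length flow into the descriptor. If these are meant as real preconditions, bail out on them, for example `if (WARN_ON(!sgl)) return;`, assuming the function returns void; its return type is outside the hunk. The rest of the body is not visible here.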
54113diff --git a/drivers/scsi/bfa/bfa_fcpim.h b/drivers/scsi/bfa/bfa_fcpim.h
54114index e693af6..2e525b6 100644
54115--- a/drivers/scsi/bfa/bfa_fcpim.h
54116+++ b/drivers/scsi/bfa/bfa_fcpim.h
54117@@ -36,7 +36,7 @@ struct bfa_iotag_s {
54118
54119 struct bfa_itn_s {
54120 bfa_isr_func_t isr;
54121-};
54122+} __no_const;
54123
54124 void bfa_itn_create(struct bfa_s *bfa, struct bfa_rport_s *rport,
54125 void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m));
54126diff --git a/drivers/scsi/bfa/bfa_fcs.c b/drivers/scsi/bfa/bfa_fcs.c
54127index 0f19455..ef7adb5 100644
54128--- a/drivers/scsi/bfa/bfa_fcs.c
54129+++ b/drivers/scsi/bfa/bfa_fcs.c
54130@@ -38,10 +38,21 @@ struct bfa_fcs_mod_s {
54131 #define BFA_FCS_MODULE(_mod) { _mod ## _modinit, _mod ## _modexit }
54132
54133 static struct bfa_fcs_mod_s fcs_modules[] = {
54134- { bfa_fcs_port_attach, NULL, NULL },
54135- { bfa_fcs_uf_attach, NULL, NULL },
54136- { bfa_fcs_fabric_attach, bfa_fcs_fabric_modinit,
54137- bfa_fcs_fabric_modexit },
54138+ {
54139+ .attach = bfa_fcs_port_attach,
54140+ .modinit = NULL,
54141+ .modexit = NULL
54142+ },
54143+ {
54144+ .attach = bfa_fcs_uf_attach,
54145+ .modinit = NULL,
54146+ .modexit = NULL
54147+ },
54148+ {
54149+ .attach = bfa_fcs_fabric_attach,
54150+ .modinit = bfa_fcs_fabric_modinit,
54151+ .modexit = bfa_fcs_fabric_modexit
54152+ },
54153 };
54154
54155 /*
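Review bot: The `BFA_FCS_MODULE` macro kept as context at the top of this hunk still builds its initializer positionally from two values, while the table entries below it now name three members (`attach`, `modinit`, `modexit`). If the macro is used anywhere (not visible here), its values are placed by declaration order rather than by name, which is exactly what the conversion to designated initializers is meant to avoid. Either give it the same treatment, `#define BFA_FCS_MODULE(_mod) { .modinit = _mod ## _modinit, .modexit = _mod ## _modexit }`, or remove it if it is dead.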
54156diff --git a/drivers/scsi/bfa/bfa_fcs_lport.c b/drivers/scsi/bfa/bfa_fcs_lport.c
54157index ff75ef8..2dfe00a 100644
54158--- a/drivers/scsi/bfa/bfa_fcs_lport.c
54159+++ b/drivers/scsi/bfa/bfa_fcs_lport.c
54160@@ -89,15 +89,26 @@ static struct {
54161 void (*offline) (struct bfa_fcs_lport_s *port);
54162 } __port_action[] = {
54163 {
54164- bfa_fcs_lport_unknown_init, bfa_fcs_lport_unknown_online,
54165- bfa_fcs_lport_unknown_offline}, {
54166- bfa_fcs_lport_fab_init, bfa_fcs_lport_fab_online,
54167- bfa_fcs_lport_fab_offline}, {
54168- bfa_fcs_lport_n2n_init, bfa_fcs_lport_n2n_online,
54169- bfa_fcs_lport_n2n_offline}, {
54170- bfa_fcs_lport_loop_init, bfa_fcs_lport_loop_online,
54171- bfa_fcs_lport_loop_offline},
54172- };
54173+ .init = bfa_fcs_lport_unknown_init,
54174+ .online = bfa_fcs_lport_unknown_online,
54175+ .offline = bfa_fcs_lport_unknown_offline
54176+ },
54177+ {
54178+ .init = bfa_fcs_lport_fab_init,
54179+ .online = bfa_fcs_lport_fab_online,
54180+ .offline = bfa_fcs_lport_fab_offline
54181+ },
54182+ {
54183+ .init = bfa_fcs_lport_n2n_init,
54184+ .online = bfa_fcs_lport_n2n_online,
54185+ .offline = bfa_fcs_lport_n2n_offline
54186+ },
54187+ {
54188+ .init = bfa_fcs_lport_loop_init,
54189+ .online = bfa_fcs_lport_loop_online,
54190+ .offline = bfa_fcs_lport_loop_offline
54191+ },
54192+};
54193
54194 /*
54195 * fcs_port_sm FCS logical port state machine
54196diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h
54197index a38aafa0..fe8f03b 100644
54198--- a/drivers/scsi/bfa/bfa_ioc.h
54199+++ b/drivers/scsi/bfa/bfa_ioc.h
54200@@ -258,7 +258,7 @@ struct bfa_ioc_cbfn_s {
54201 bfa_ioc_disable_cbfn_t disable_cbfn;
54202 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
54203 bfa_ioc_reset_cbfn_t reset_cbfn;
54204-};
54205+} __no_const;
54206
54207 /*
54208 * IOC event notification mechanism.
54209@@ -352,7 +352,7 @@ struct bfa_ioc_hwif_s {
54210 void (*ioc_set_alt_fwstate) (struct bfa_ioc_s *ioc,
54211 enum bfi_ioc_state fwstate);
54212 enum bfi_ioc_state (*ioc_get_alt_fwstate) (struct bfa_ioc_s *ioc);
54213-};
54214+} __no_const;
54215
54216 /*
54217 * Queue element to wait for room in request queue. FIFO order is
54218diff --git a/drivers/scsi/bfa/bfa_modules.h b/drivers/scsi/bfa/bfa_modules.h
54219index a14c784..6de6790 100644
54220--- a/drivers/scsi/bfa/bfa_modules.h
54221+++ b/drivers/scsi/bfa/bfa_modules.h
54222@@ -78,12 +78,12 @@ enum {
54223 \
54224 extern struct bfa_module_s hal_mod_ ## __mod; \
54225 struct bfa_module_s hal_mod_ ## __mod = { \
54226- bfa_ ## __mod ## _meminfo, \
54227- bfa_ ## __mod ## _attach, \
54228- bfa_ ## __mod ## _detach, \
54229- bfa_ ## __mod ## _start, \
54230- bfa_ ## __mod ## _stop, \
54231- bfa_ ## __mod ## _iocdisable, \
54232+ .meminfo = bfa_ ## __mod ## _meminfo, \
54233+ .attach = bfa_ ## __mod ## _attach, \
54234+ .detach = bfa_ ## __mod ## _detach, \
54235+ .start = bfa_ ## __mod ## _start, \
54236+ .stop = bfa_ ## __mod ## _stop, \
54237+ .iocdisable = bfa_ ## __mod ## _iocdisable, \
54238 }
54239
54240 #define BFA_CACHELINE_SZ (256)
54241diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c
54242index 045c4e1..13de803 100644
54243--- a/drivers/scsi/fcoe/fcoe_sysfs.c
54244+++ b/drivers/scsi/fcoe/fcoe_sysfs.c
54245@@ -33,8 +33,8 @@
54246 */
54247 #include "libfcoe.h"
54248
54249-static atomic_t ctlr_num;
54250-static atomic_t fcf_num;
54251+static atomic_unchecked_t ctlr_num;
54252+static atomic_unchecked_t fcf_num;
54253
54254 /*
54255 * fcoe_fcf_dev_loss_tmo: the default number of seconds that fcoe sysfs
54256@@ -685,7 +685,7 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent,
54257 if (!ctlr)
54258 goto out;
54259
54260- ctlr->id = atomic_inc_return(&ctlr_num) - 1;
54261+ ctlr->id = atomic_inc_return_unchecked(&ctlr_num) - 1;
54262 ctlr->f = f;
54263 ctlr->mode = FIP_CONN_TYPE_FABRIC;
54264 INIT_LIST_HEAD(&ctlr->fcfs);
54265@@ -902,7 +902,7 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr,
54266 fcf->dev.parent = &ctlr->dev;
54267 fcf->dev.bus = &fcoe_bus_type;
54268 fcf->dev.type = &fcoe_fcf_device_type;
54269- fcf->id = atomic_inc_return(&fcf_num) - 1;
54270+ fcf->id = atomic_inc_return_unchecked(&fcf_num) - 1;
54271 fcf->state = FCOE_FCF_STATE_UNKNOWN;
54272
54273 fcf->dev_loss_tmo = ctlr->fcf_dev_loss_tmo;
54274@@ -938,8 +938,8 @@ int __init fcoe_sysfs_setup(void)
54275 {
54276 int error;
54277
54278- atomic_set(&ctlr_num, 0);
54279- atomic_set(&fcf_num, 0);
54280+ atomic_set_unchecked(&ctlr_num, 0);
54281+ atomic_set_unchecked(&fcf_num, 0);
54282
54283 error = bus_register(&fcoe_bus_type);
54284 if (error)
54285diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
54286index 8bb173e..20236b4 100644
54287--- a/drivers/scsi/hosts.c
54288+++ b/drivers/scsi/hosts.c
54289@@ -42,7 +42,7 @@
54290 #include "scsi_logging.h"
54291
54292
54293-static atomic_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */
54294+static atomic_unchecked_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */
54295
54296
54297 static void scsi_host_cls_release(struct device *dev)
54298@@ -392,7 +392,7 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
54299 * subtract one because we increment first then return, but we need to
54300 * know what the next host number was before increment
54301 */
54302- shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
54303+ shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
54304 shost->dma_channel = 0xff;
54305
54306 /* These three are default values which can be overridden */
54307diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
54308index 1dafeb4..3da5095 100644
54309--- a/drivers/scsi/hpsa.c
54310+++ b/drivers/scsi/hpsa.c
54311@@ -793,10 +793,10 @@ static inline u32 next_command(struct ctlr_info *h, u8 q)
54312 struct reply_queue_buffer *rq = &h->reply_queue[q];
54313
54314 if (h->transMethod & CFGTBL_Trans_io_accel1)
54315- return h->access.command_completed(h, q);
54316+ return h->access->command_completed(h, q);
54317
54318 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
54319- return h->access.command_completed(h, q);
54320+ return h->access->command_completed(h, q);
54321
54322 if ((rq->head[rq->current_entry] & 1) == rq->wraparound) {
54323 a = rq->head[rq->current_entry];
54324@@ -978,7 +978,7 @@ static void __enqueue_cmd_and_start_io(struct ctlr_info *h,
54325 break;
54326 default:
54327 set_performant_mode(h, c, reply_queue);
54328- h->access.submit_command(h, c);
54329+ h->access->submit_command(h, c);
54330 }
54331 }
54332
54333@@ -6340,17 +6340,17 @@ static void __iomem *remap_pci_mem(ulong base, ulong size)
54334
54335 static inline unsigned long get_next_completion(struct ctlr_info *h, u8 q)
54336 {
54337- return h->access.command_completed(h, q);
54338+ return h->access->command_completed(h, q);
54339 }
54340
54341 static inline bool interrupt_pending(struct ctlr_info *h)
54342 {
54343- return h->access.intr_pending(h);
54344+ return h->access->intr_pending(h);
54345 }
54346
54347 static inline long interrupt_not_for_us(struct ctlr_info *h)
54348 {
54349- return (h->access.intr_pending(h) == 0) ||
54350+ return (h->access->intr_pending(h) == 0) ||
54351 (h->interrupts_enabled == 0);
54352 }
54353
54354@@ -7288,7 +7288,7 @@ static int hpsa_pci_init(struct ctlr_info *h)
54355 if (prod_index < 0)
54356 return prod_index;
54357 h->product_name = products[prod_index].product_name;
54358- h->access = *(products[prod_index].access);
54359+ h->access = products[prod_index].access;
54360
54361 h->needs_abort_tags_swizzled =
54362 ctlr_needs_abort_tags_swizzled(h->board_id);
54363@@ -7687,7 +7687,7 @@ static void controller_lockup_detected(struct ctlr_info *h)
54364 unsigned long flags;
54365 u32 lockup_detected;
54366
54367- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54368+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54369 spin_lock_irqsave(&h->lock, flags);
54370 lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
54371 if (!lockup_detected) {
54372@@ -7970,7 +7970,7 @@ reinit_after_soft_reset:
54373 }
54374
54375 /* make sure the board interrupts are off */
54376- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54377+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54378
54379 rc = hpsa_request_irqs(h, do_hpsa_intr_msi, do_hpsa_intr_intx);
54380 if (rc)
54381@@ -8029,7 +8029,7 @@ reinit_after_soft_reset:
54382 * fake ones to scoop up any residual completions.
54383 */
54384 spin_lock_irqsave(&h->lock, flags);
54385- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54386+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54387 spin_unlock_irqrestore(&h->lock, flags);
54388 hpsa_free_irqs(h);
54389 rc = hpsa_request_irqs(h, hpsa_msix_discard_completions,
54390@@ -8059,9 +8059,9 @@ reinit_after_soft_reset:
54391 dev_info(&h->pdev->dev, "Board READY.\n");
54392 dev_info(&h->pdev->dev,
54393 "Waiting for stale completions to drain.\n");
54394- h->access.set_intr_mask(h, HPSA_INTR_ON);
54395+ h->access->set_intr_mask(h, HPSA_INTR_ON);
54396 msleep(10000);
54397- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54398+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54399
54400 rc = controller_reset_failed(h->cfgtable);
54401 if (rc)
54402@@ -8086,7 +8086,7 @@ reinit_after_soft_reset:
54403
54404
54405 /* Turn the interrupts on so we can service requests */
54406- h->access.set_intr_mask(h, HPSA_INTR_ON);
54407+ h->access->set_intr_mask(h, HPSA_INTR_ON);
54408
54409 hpsa_hba_inquiry(h);
54410
54411@@ -8104,7 +8104,7 @@ clean9: /* wq, sh, perf, sg, cmd, irq, shost, pci, lu, aer/h */
54412 kfree(h->hba_inquiry_data);
54413 clean7: /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
54414 hpsa_free_performant_mode(h);
54415- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54416+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54417 clean6: /* sg, cmd, irq, pci, lockup, wq/aer/h */
54418 hpsa_free_sg_chain_blocks(h);
54419 clean5: /* cmd, irq, shost, pci, lu, aer/h */
54420@@ -8174,7 +8174,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
54421 * To write all data in the battery backed cache to disks
54422 */
54423 hpsa_flush_cache(h);
54424- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54425+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54426 hpsa_free_irqs(h); /* init_one 4 */
54427 hpsa_disable_interrupt_mode(h); /* pci_init 2 */
54428 }
54429@@ -8306,7 +8306,7 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
54430 CFGTBL_Trans_enable_directed_msix |
54431 (trans_support & (CFGTBL_Trans_io_accel1 |
54432 CFGTBL_Trans_io_accel2));
54433- struct access_method access = SA5_performant_access;
54434+ struct access_method *access = &SA5_performant_access;
54435
54436 /* This is a bit complicated. There are 8 registers on
54437 * the controller which we write to to tell it 8 different
54438@@ -8348,7 +8348,7 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
54439 * perform the superfluous readl() after each command submission.
54440 */
54441 if (trans_support & (CFGTBL_Trans_io_accel1 | CFGTBL_Trans_io_accel2))
54442- access = SA5_performant_access_no_read;
54443+ access = &SA5_performant_access_no_read;
54444
54445 /* Controller spec: zero out this buffer. */
54446 for (i = 0; i < h->nreply_queues; i++)
54447@@ -8378,12 +8378,12 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
54448 * enable outbound interrupt coalescing in accelerator mode;
54449 */
54450 if (trans_support & CFGTBL_Trans_io_accel1) {
54451- access = SA5_ioaccel_mode1_access;
54452+ access = &SA5_ioaccel_mode1_access;
54453 writel(10, &h->cfgtable->HostWrite.CoalIntDelay);
54454 writel(4, &h->cfgtable->HostWrite.CoalIntCount);
54455 } else {
54456 if (trans_support & CFGTBL_Trans_io_accel2) {
54457- access = SA5_ioaccel_mode2_access;
54458+ access = &SA5_ioaccel_mode2_access;
54459 writel(10, &h->cfgtable->HostWrite.CoalIntDelay);
54460 writel(4, &h->cfgtable->HostWrite.CoalIntCount);
54461 }
54462diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
54463index 6ee4da6..dfafb48 100644
54464--- a/drivers/scsi/hpsa.h
54465+++ b/drivers/scsi/hpsa.h
54466@@ -152,7 +152,7 @@ struct ctlr_info {
54467 unsigned int msix_vector;
54468 unsigned int msi_vector;
54469 int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
54470- struct access_method access;
54471+ struct access_method *access;
54472 char hba_mode_enabled;
54473
54474 /* queue and queue Info */
54475@@ -542,38 +542,38 @@ static unsigned long SA5_ioaccel_mode1_completed(struct ctlr_info *h, u8 q)
54476 }
54477
54478 static struct access_method SA5_access = {
54479- SA5_submit_command,
54480- SA5_intr_mask,
54481- SA5_intr_pending,
54482- SA5_completed,
54483+ .submit_command = SA5_submit_command,
54484+ .set_intr_mask = SA5_intr_mask,
54485+ .intr_pending = SA5_intr_pending,
54486+ .command_completed = SA5_completed,
54487 };
54488
54489 static struct access_method SA5_ioaccel_mode1_access = {
54490- SA5_submit_command,
54491- SA5_performant_intr_mask,
54492- SA5_ioaccel_mode1_intr_pending,
54493- SA5_ioaccel_mode1_completed,
54494+ .submit_command = SA5_submit_command,
54495+ .set_intr_mask = SA5_performant_intr_mask,
54496+ .intr_pending = SA5_ioaccel_mode1_intr_pending,
54497+ .command_completed = SA5_ioaccel_mode1_completed,
54498 };
54499
54500 static struct access_method SA5_ioaccel_mode2_access = {
54501- SA5_submit_command_ioaccel2,
54502- SA5_performant_intr_mask,
54503- SA5_performant_intr_pending,
54504- SA5_performant_completed,
54505+ .submit_command = SA5_submit_command_ioaccel2,
54506+ .set_intr_mask = SA5_performant_intr_mask,
54507+ .intr_pending = SA5_performant_intr_pending,
54508+ .command_completed = SA5_performant_completed,
54509 };
54510
54511 static struct access_method SA5_performant_access = {
54512- SA5_submit_command,
54513- SA5_performant_intr_mask,
54514- SA5_performant_intr_pending,
54515- SA5_performant_completed,
54516+ .submit_command = SA5_submit_command,
54517+ .set_intr_mask = SA5_performant_intr_mask,
54518+ .intr_pending = SA5_performant_intr_pending,
54519+ .command_completed = SA5_performant_completed,
54520 };
54521
54522 static struct access_method SA5_performant_access_no_read = {
54523- SA5_submit_command_no_read,
54524- SA5_performant_intr_mask,
54525- SA5_performant_intr_pending,
54526- SA5_performant_completed,
54527+ .submit_command = SA5_submit_command_no_read,
54528+ .set_intr_mask = SA5_performant_intr_mask,
54529+ .intr_pending = SA5_performant_intr_pending,
54530+ .command_completed = SA5_performant_completed,
54531 };
54532
54533 struct board_type {
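Review bot: None of the five `access_method` tables is declared `const`, although after this change `h->access` only points at them and every visible call site just reads through the pointer. Declaring them `static const struct access_method SA5_access = {` (and likewise for the other four), with `const struct access_method *access;` in `struct ctlr_info` and for the local in hpsa_enter_performant_mode, would place the function-pointer tables in read-only data by declaration instead of relying on a build-time plugin. Whether code outside these hunks writes to the tables is not visible, so check that before adding the qualifier.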
54534diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
54535index 30f9ef0..a1e29ac 100644
54536--- a/drivers/scsi/libfc/fc_exch.c
54537+++ b/drivers/scsi/libfc/fc_exch.c
54538@@ -101,12 +101,12 @@ struct fc_exch_mgr {
54539 u16 pool_max_index;
54540
54541 struct {
54542- atomic_t no_free_exch;
54543- atomic_t no_free_exch_xid;
54544- atomic_t xid_not_found;
54545- atomic_t xid_busy;
54546- atomic_t seq_not_found;
54547- atomic_t non_bls_resp;
54548+ atomic_unchecked_t no_free_exch;
54549+ atomic_unchecked_t no_free_exch_xid;
54550+ atomic_unchecked_t xid_not_found;
54551+ atomic_unchecked_t xid_busy;
54552+ atomic_unchecked_t seq_not_found;
54553+ atomic_unchecked_t non_bls_resp;
54554 } stats;
54555 };
54556
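Review bot: The six counters in `stats` become `atomic_unchecked_t` with no comment saying why wraparound is acceptable, so a later reader cannot tell an audited exemption from an oversight. Within this file they are only incremented on lookup or allocation failures and summed in `fc_exch_update_stats()`, so a wrap appears to cost nothing beyond a wrong statistic. I would record that above the struct, e.g. `/* statistics only, never used for lifetime or indexing: wraparound is harmless */`. The same reasoning covers the per-increment hunks further down this file.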
54557@@ -809,7 +809,7 @@ static struct fc_exch *fc_exch_em_alloc(struct fc_lport *lport,
54558 /* allocate memory for exchange */
54559 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
54560 if (!ep) {
54561- atomic_inc(&mp->stats.no_free_exch);
54562+ atomic_inc_unchecked(&mp->stats.no_free_exch);
54563 goto out;
54564 }
54565 memset(ep, 0, sizeof(*ep));
54566@@ -872,7 +872,7 @@ out:
54567 return ep;
54568 err:
54569 spin_unlock_bh(&pool->lock);
54570- atomic_inc(&mp->stats.no_free_exch_xid);
54571+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
54572 mempool_free(ep, mp->ep_pool);
54573 return NULL;
54574 }
54575@@ -1021,7 +1021,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
54576 xid = ntohs(fh->fh_ox_id); /* we originated exch */
54577 ep = fc_exch_find(mp, xid);
54578 if (!ep) {
54579- atomic_inc(&mp->stats.xid_not_found);
54580+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54581 reject = FC_RJT_OX_ID;
54582 goto out;
54583 }
54584@@ -1051,7 +1051,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
54585 ep = fc_exch_find(mp, xid);
54586 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
54587 if (ep) {
54588- atomic_inc(&mp->stats.xid_busy);
54589+ atomic_inc_unchecked(&mp->stats.xid_busy);
54590 reject = FC_RJT_RX_ID;
54591 goto rel;
54592 }
54593@@ -1062,7 +1062,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
54594 }
54595 xid = ep->xid; /* get our XID */
54596 } else if (!ep) {
54597- atomic_inc(&mp->stats.xid_not_found);
54598+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54599 reject = FC_RJT_RX_ID; /* XID not found */
54600 goto out;
54601 }
54602@@ -1080,7 +1080,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
54603 } else {
54604 sp = &ep->seq;
54605 if (sp->id != fh->fh_seq_id) {
54606- atomic_inc(&mp->stats.seq_not_found);
54607+ atomic_inc_unchecked(&mp->stats.seq_not_found);
54608 if (f_ctl & FC_FC_END_SEQ) {
54609 /*
54610 * Update sequence_id based on incoming last
54611@@ -1531,22 +1531,22 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
54612
54613 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
54614 if (!ep) {
54615- atomic_inc(&mp->stats.xid_not_found);
54616+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54617 goto out;
54618 }
54619 if (ep->esb_stat & ESB_ST_COMPLETE) {
54620- atomic_inc(&mp->stats.xid_not_found);
54621+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54622 goto rel;
54623 }
54624 if (ep->rxid == FC_XID_UNKNOWN)
54625 ep->rxid = ntohs(fh->fh_rx_id);
54626 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
54627- atomic_inc(&mp->stats.xid_not_found);
54628+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54629 goto rel;
54630 }
54631 if (ep->did != ntoh24(fh->fh_s_id) &&
54632 ep->did != FC_FID_FLOGI) {
54633- atomic_inc(&mp->stats.xid_not_found);
54634+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54635 goto rel;
54636 }
54637 sof = fr_sof(fp);
54638@@ -1555,7 +1555,7 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
54639 sp->ssb_stat |= SSB_ST_RESP;
54640 sp->id = fh->fh_seq_id;
54641 } else if (sp->id != fh->fh_seq_id) {
54642- atomic_inc(&mp->stats.seq_not_found);
54643+ atomic_inc_unchecked(&mp->stats.seq_not_found);
54644 goto rel;
54645 }
54646
54647@@ -1618,9 +1618,9 @@ static void fc_exch_recv_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
54648 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
54649
54650 if (!sp)
54651- atomic_inc(&mp->stats.xid_not_found);
54652+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54653 else
54654- atomic_inc(&mp->stats.non_bls_resp);
54655+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
54656
54657 fc_frame_free(fp);
54658 }
54659@@ -2261,13 +2261,13 @@ void fc_exch_update_stats(struct fc_lport *lport)
54660
54661 list_for_each_entry(ema, &lport->ema_list, ema_list) {
54662 mp = ema->mp;
54663- st->fc_no_free_exch += atomic_read(&mp->stats.no_free_exch);
54664+ st->fc_no_free_exch += atomic_read_unchecked(&mp->stats.no_free_exch);
54665 st->fc_no_free_exch_xid +=
54666- atomic_read(&mp->stats.no_free_exch_xid);
54667- st->fc_xid_not_found += atomic_read(&mp->stats.xid_not_found);
54668- st->fc_xid_busy += atomic_read(&mp->stats.xid_busy);
54669- st->fc_seq_not_found += atomic_read(&mp->stats.seq_not_found);
54670- st->fc_non_bls_resp += atomic_read(&mp->stats.non_bls_resp);
54671+ atomic_read_unchecked(&mp->stats.no_free_exch_xid);
54672+ st->fc_xid_not_found += atomic_read_unchecked(&mp->stats.xid_not_found);
54673+ st->fc_xid_busy += atomic_read_unchecked(&mp->stats.xid_busy);
54674+ st->fc_seq_not_found += atomic_read_unchecked(&mp->stats.seq_not_found);
54675+ st->fc_non_bls_resp += atomic_read_unchecked(&mp->stats.non_bls_resp);
54676 }
54677 }
54678 EXPORT_SYMBOL(fc_exch_update_stats);
54679diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
54680index 9c706d8..d3e3ed2 100644
54681--- a/drivers/scsi/libsas/sas_ata.c
54682+++ b/drivers/scsi/libsas/sas_ata.c
54683@@ -535,7 +535,7 @@ static struct ata_port_operations sas_sata_ops = {
54684 .postreset = ata_std_postreset,
54685 .error_handler = ata_std_error_handler,
54686 .post_internal_cmd = sas_ata_post_internal,
54687- .qc_defer = ata_std_qc_defer,
54688+ .qc_defer = ata_std_qc_defer,
54689 .qc_prep = ata_noop_qc_prep,
54690 .qc_issue = sas_ata_qc_issue,
54691 .qc_fill_rtf = sas_ata_qc_fill_rtf,
54692diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
54693index a5a56fa..43499fd 100644
54694--- a/drivers/scsi/lpfc/lpfc.h
54695+++ b/drivers/scsi/lpfc/lpfc.h
54696@@ -435,7 +435,7 @@ struct lpfc_vport {
54697 struct dentry *debug_nodelist;
54698 struct dentry *vport_debugfs_root;
54699 struct lpfc_debugfs_trc *disc_trc;
54700- atomic_t disc_trc_cnt;
54701+ atomic_unchecked_t disc_trc_cnt;
54702 #endif
54703 uint8_t stat_data_enabled;
54704 uint8_t stat_data_blocked;
54705@@ -885,8 +885,8 @@ struct lpfc_hba {
54706 struct timer_list fabric_block_timer;
54707 unsigned long bit_flags;
54708 #define FABRIC_COMANDS_BLOCKED 0
54709- atomic_t num_rsrc_err;
54710- atomic_t num_cmd_success;
54711+ atomic_unchecked_t num_rsrc_err;
54712+ atomic_unchecked_t num_cmd_success;
54713 unsigned long last_rsrc_error_time;
54714 unsigned long last_ramp_down_time;
54715 #ifdef CONFIG_SCSI_LPFC_DEBUG_FS
54716@@ -921,7 +921,7 @@ struct lpfc_hba {
54717
54718 struct dentry *debug_slow_ring_trc;
54719 struct lpfc_debugfs_trc *slow_ring_trc;
54720- atomic_t slow_ring_trc_cnt;
54721+ atomic_unchecked_t slow_ring_trc_cnt;
54722 /* iDiag debugfs sub-directory */
54723 struct dentry *idiag_root;
54724 struct dentry *idiag_pci_cfg;
54725diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
54726index 25aa9b9..d700a65 100644
54727--- a/drivers/scsi/lpfc/lpfc_debugfs.c
54728+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
54729@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
54730
54731 #include <linux/debugfs.h>
54732
54733-static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
54734+static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
54735 static unsigned long lpfc_debugfs_start_time = 0L;
54736
54737 /* iDiag */
54738@@ -147,7 +147,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size)
54739 lpfc_debugfs_enable = 0;
54740
54741 len = 0;
54742- index = (atomic_read(&vport->disc_trc_cnt) + 1) &
54743+ index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
54744 (lpfc_debugfs_max_disc_trc - 1);
54745 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
54746 dtp = vport->disc_trc + i;
54747@@ -213,7 +213,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size)
54748 lpfc_debugfs_enable = 0;
54749
54750 len = 0;
54751- index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
54752+ index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
54753 (lpfc_debugfs_max_slow_ring_trc - 1);
54754 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
54755 dtp = phba->slow_ring_trc + i;
54756@@ -646,14 +646,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport *vport, int mask, char *fmt,
54757 !vport || !vport->disc_trc)
54758 return;
54759
54760- index = atomic_inc_return(&vport->disc_trc_cnt) &
54761+ index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
54762 (lpfc_debugfs_max_disc_trc - 1);
54763 dtp = vport->disc_trc + index;
54764 dtp->fmt = fmt;
54765 dtp->data1 = data1;
54766 dtp->data2 = data2;
54767 dtp->data3 = data3;
54768- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
54769+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
54770 dtp->jif = jiffies;
54771 #endif
54772 return;
54773@@ -684,14 +684,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_hba *phba, char *fmt,
54774 !phba || !phba->slow_ring_trc)
54775 return;
54776
54777- index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
54778+ index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
54779 (lpfc_debugfs_max_slow_ring_trc - 1);
54780 dtp = phba->slow_ring_trc + index;
54781 dtp->fmt = fmt;
54782 dtp->data1 = data1;
54783 dtp->data2 = data2;
54784 dtp->data3 = data3;
54785- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
54786+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
54787 dtp->jif = jiffies;
54788 #endif
54789 return;
54790@@ -4268,7 +4268,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
54791 "slow_ring buffer\n");
54792 goto debug_failed;
54793 }
54794- atomic_set(&phba->slow_ring_trc_cnt, 0);
54795+ atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
54796 memset(phba->slow_ring_trc, 0,
54797 (sizeof(struct lpfc_debugfs_trc) *
54798 lpfc_debugfs_max_slow_ring_trc));
54799@@ -4314,7 +4314,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
54800 "buffer\n");
54801 goto debug_failed;
54802 }
54803- atomic_set(&vport->disc_trc_cnt, 0);
54804+ atomic_set_unchecked(&vport->disc_trc_cnt, 0);
54805
54806 snprintf(name, sizeof(name), "discovery_trace");
54807 vport->debug_disc_trc =
54808diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
54809index f962118..6706983 100644
54810--- a/drivers/scsi/lpfc/lpfc_init.c
54811+++ b/drivers/scsi/lpfc/lpfc_init.c
54812@@ -11416,8 +11416,10 @@ lpfc_init(void)
54813 "misc_register returned with status %d", error);
54814
54815 if (lpfc_enable_npiv) {
54816- lpfc_transport_functions.vport_create = lpfc_vport_create;
54817- lpfc_transport_functions.vport_delete = lpfc_vport_delete;
54818+ pax_open_kernel();
54819+ *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
54820+ *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
54821+ pax_close_kernel();
54822 }
54823 lpfc_transport_template =
54824 fc_attach_transport(&lpfc_transport_functions);
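Review bot: The stores through `*(void **)&lpfc_transport_functions.vport_create` discard the function-pointer type, so a later signature change in `lpfc_vport_create` or `lpfc_vport_delete` would no longer be diagnosed by the compiler. A compile-time check next to the stores keeps that guarantee, for example `BUILD_BUG_ON(!__same_type(lpfc_transport_functions.vport_create, &lpfc_vport_create));` and the same for `vport_delete`. The `pax_open_kernel()`/`pax_close_kernel()` window is limited to the two stores, which is the right scope. The `qla2x00_config_dma_addressing()` hunk in qla_os.c uses the same cast for `calc_req_entries` and `build_iocbs`. `lpfc_init()` continues outside this hunk.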
54825diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
54826index e5eb40d..056dcd4 100644
54827--- a/drivers/scsi/lpfc/lpfc_scsi.c
54828+++ b/drivers/scsi/lpfc/lpfc_scsi.c
54829@@ -261,7 +261,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hba *phba)
54830 unsigned long expires;
54831
54832 spin_lock_irqsave(&phba->hbalock, flags);
54833- atomic_inc(&phba->num_rsrc_err);
54834+ atomic_inc_unchecked(&phba->num_rsrc_err);
54835 phba->last_rsrc_error_time = jiffies;
54836
54837 expires = phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL;
54838@@ -303,8 +303,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
54839 unsigned long num_rsrc_err, num_cmd_success;
54840 int i;
54841
54842- num_rsrc_err = atomic_read(&phba->num_rsrc_err);
54843- num_cmd_success = atomic_read(&phba->num_cmd_success);
54844+ num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
54845+ num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
54846
54847 /*
54848 * The error and success command counters are global per
54849@@ -331,8 +331,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
54850 }
54851 }
54852 lpfc_destroy_vport_work_array(phba, vports);
54853- atomic_set(&phba->num_rsrc_err, 0);
54854- atomic_set(&phba->num_cmd_success, 0);
54855+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
54856+ atomic_set_unchecked(&phba->num_cmd_success, 0);
54857 }
54858
54859 /**
54860diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h
54861index 20c3754..1b05e727 100644
54862--- a/drivers/scsi/megaraid/megaraid_sas.h
54863+++ b/drivers/scsi/megaraid/megaraid_sas.h
54864@@ -1700,7 +1700,7 @@ struct megasas_instance {
54865 s8 init_id;
54866
54867 u16 max_num_sge;
54868- u16 max_fw_cmds;
54869+ u16 max_fw_cmds __intentional_overflow(-1);
54870 u16 max_mfi_cmds;
54871 u16 max_scsi_cmds;
54872 u32 max_sectors_per_req;
54873diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
54874index 3f26147..ee8efd1 100644
54875--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
54876+++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
54877@@ -1509,7 +1509,7 @@ _scsih_get_resync(struct device *dev)
54878 {
54879 struct scsi_device *sdev = to_scsi_device(dev);
54880 struct MPT2SAS_ADAPTER *ioc = shost_priv(sdev->host);
54881- static struct _raid_device *raid_device;
54882+ struct _raid_device *raid_device;
54883 unsigned long flags;
54884 Mpi2RaidVolPage0_t vol_pg0;
54885 Mpi2ConfigReply_t mpi_reply;
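Review bot: Dropping `static` from `raid_device` also drops the implicit NULL initialisation that a static local gets, so any path that reads the pointer before assigning it would now see an indeterminate value. The function body is outside the hunk, so I cannot confirm every path assigns first; initialising at the declaration removes the question: `struct _raid_device *raid_device = NULL;`. The same applies to the hunks in `_scsih_get_state()`, `_scsih_sas_ir_operation_status_event()` and `_scsih_scan_for_devices_after_reset()`.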
54886@@ -1561,7 +1561,7 @@ _scsih_get_state(struct device *dev)
54887 {
54888 struct scsi_device *sdev = to_scsi_device(dev);
54889 struct MPT2SAS_ADAPTER *ioc = shost_priv(sdev->host);
54890- static struct _raid_device *raid_device;
54891+ struct _raid_device *raid_device;
54892 unsigned long flags;
54893 Mpi2RaidVolPage0_t vol_pg0;
54894 Mpi2ConfigReply_t mpi_reply;
54895@@ -6641,7 +6641,7 @@ _scsih_sas_ir_operation_status_event(struct MPT2SAS_ADAPTER *ioc,
54896 Mpi2EventDataIrOperationStatus_t *event_data =
54897 (Mpi2EventDataIrOperationStatus_t *)
54898 fw_event->event_data;
54899- static struct _raid_device *raid_device;
54900+ struct _raid_device *raid_device;
54901 unsigned long flags;
54902 u16 handle;
54903
54904@@ -7112,7 +7112,7 @@ _scsih_scan_for_devices_after_reset(struct MPT2SAS_ADAPTER *ioc)
54905 u64 sas_address;
54906 struct _sas_device *sas_device;
54907 struct _sas_node *expander_device;
54908- static struct _raid_device *raid_device;
54909+ struct _raid_device *raid_device;
54910 u8 retry_count;
54911 unsigned long flags;
54912
54913diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
54914index ed31d8c..ab856b3 100644
54915--- a/drivers/scsi/pmcraid.c
54916+++ b/drivers/scsi/pmcraid.c
54917@@ -200,8 +200,8 @@ static int pmcraid_slave_alloc(struct scsi_device *scsi_dev)
54918 res->scsi_dev = scsi_dev;
54919 scsi_dev->hostdata = res;
54920 res->change_detected = 0;
54921- atomic_set(&res->read_failures, 0);
54922- atomic_set(&res->write_failures, 0);
54923+ atomic_set_unchecked(&res->read_failures, 0);
54924+ atomic_set_unchecked(&res->write_failures, 0);
54925 rc = 0;
54926 }
54927 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
54928@@ -2640,9 +2640,9 @@ static int pmcraid_error_handler(struct pmcraid_cmd *cmd)
54929
54930 /* If this was a SCSI read/write command keep count of errors */
54931 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
54932- atomic_inc(&res->read_failures);
54933+ atomic_inc_unchecked(&res->read_failures);
54934 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
54935- atomic_inc(&res->write_failures);
54936+ atomic_inc_unchecked(&res->write_failures);
54937
54938 if (!RES_IS_GSCSI(res->cfg_entry) &&
54939 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
54940@@ -3468,7 +3468,7 @@ static int pmcraid_queuecommand_lck(
54941 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
54942 * hrrq_id assigned here in queuecommand
54943 */
54944- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
54945+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
54946 pinstance->num_hrrq;
54947 cmd->cmd_done = pmcraid_io_done;
54948
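Review bot: With `last_message_id` now explicitly allowed to wrap, the `%` can see a negative dividend once the counter passes INT_MAX; if `num_hrrq` is a signed type (its declaration is not in this hunk), the result is negative and `hrrq_id` falls out of range. Converting before the modulo removes the dependency on that type: `ioarcb->hrrq_id = (u32)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq;`. The identical statement in the `pmcraid_ioctl_passthrough()` hunk below needs the same treatment. Both functions start and end outside their hunks.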
54949@@ -3782,7 +3782,7 @@ static long pmcraid_ioctl_passthrough(
54950 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
54951 * hrrq_id assigned here in queuecommand
54952 */
54953- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
54954+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
54955 pinstance->num_hrrq;
54956
54957 if (request_size) {
54958@@ -4420,7 +4420,7 @@ static void pmcraid_worker_function(struct work_struct *workp)
54959
54960 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
54961 /* add resources only after host is added into system */
54962- if (!atomic_read(&pinstance->expose_resources))
54963+ if (!atomic_read_unchecked(&pinstance->expose_resources))
54964 return;
54965
54966 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
54967@@ -5237,8 +5237,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host,
54968 init_waitqueue_head(&pinstance->reset_wait_q);
54969
54970 atomic_set(&pinstance->outstanding_cmds, 0);
54971- atomic_set(&pinstance->last_message_id, 0);
54972- atomic_set(&pinstance->expose_resources, 0);
54973+ atomic_set_unchecked(&pinstance->last_message_id, 0);
54974+ atomic_set_unchecked(&pinstance->expose_resources, 0);
54975
54976 INIT_LIST_HEAD(&pinstance->free_res_q);
54977 INIT_LIST_HEAD(&pinstance->used_res_q);
54978@@ -5951,7 +5951,7 @@ static int pmcraid_probe(struct pci_dev *pdev,
54979 /* Schedule worker thread to handle CCN and take care of adding and
54980 * removing devices to OS
54981 */
54982- atomic_set(&pinstance->expose_resources, 1);
54983+ atomic_set_unchecked(&pinstance->expose_resources, 1);
54984 schedule_work(&pinstance->worker_q);
54985 return rc;
54986
54987diff --git a/drivers/scsi/pmcraid.h b/drivers/scsi/pmcraid.h
54988index e1d150f..6c6df44 100644
54989--- a/drivers/scsi/pmcraid.h
54990+++ b/drivers/scsi/pmcraid.h
54991@@ -748,7 +748,7 @@ struct pmcraid_instance {
54992 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
54993
54994 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
54995- atomic_t last_message_id;
54996+ atomic_unchecked_t last_message_id;
54997
54998 /* configuration table */
54999 struct pmcraid_config_table *cfg_table;
55000@@ -777,7 +777,7 @@ struct pmcraid_instance {
55001 atomic_t outstanding_cmds;
55002
55003 /* should add/delete resources to mid-layer now ?*/
55004- atomic_t expose_resources;
55005+ atomic_unchecked_t expose_resources;
55006
55007
55008
55009@@ -813,8 +813,8 @@ struct pmcraid_resource_entry {
55010 struct pmcraid_config_table_entry_ext cfg_entry_ext;
55011 };
55012 struct scsi_device *scsi_dev; /* Link scsi_device structure */
55013- atomic_t read_failures; /* count of failed READ commands */
55014- atomic_t write_failures; /* count of failed WRITE commands */
55015+ atomic_unchecked_t read_failures; /* count of failed READ commands */
55016+ atomic_unchecked_t write_failures; /* count of failed WRITE commands */
55017
55018 /* To indicate add/delete/modify during CCN */
55019 u8 change_detected;
55020diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
55021index 437254e..a66eb82 100644
55022--- a/drivers/scsi/qla2xxx/qla_attr.c
55023+++ b/drivers/scsi/qla2xxx/qla_attr.c
55024@@ -2192,7 +2192,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable)
55025 return 0;
55026 }
55027
55028-struct fc_function_template qla2xxx_transport_functions = {
55029+fc_function_template_no_const qla2xxx_transport_functions = {
55030
55031 .show_host_node_name = 1,
55032 .show_host_port_name = 1,
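Review bot: Declaring `qla2xxx_transport_functions` as `fc_function_template_no_const` presumably leaves the whole table of function pointers writable for the lifetime of the module, whereas the lpfc change in this patch keeps its template protected and opens a short `pax_open_kernel()` window for the two runtime stores. The hunk does not show what writes to this template after initialisation, so the reason for the opt-out cannot be reviewed from here. A comment at the definition naming the writer would fix that, e.g. `/* writable: <field> is patched at runtime in <function> */` with the placeholders filled in. The same holds for `qla2xxx_transport_vport_functions` in the next hunk and the two `extern` declarations in qla_gbl.h.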
55033@@ -2240,7 +2240,7 @@ struct fc_function_template qla2xxx_transport_functions = {
55034 .bsg_timeout = qla24xx_bsg_timeout,
55035 };
55036
55037-struct fc_function_template qla2xxx_transport_vport_functions = {
55038+fc_function_template_no_const qla2xxx_transport_vport_functions = {
55039
55040 .show_host_node_name = 1,
55041 .show_host_port_name = 1,
55042diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
55043index 7686bfe..4710893 100644
55044--- a/drivers/scsi/qla2xxx/qla_gbl.h
55045+++ b/drivers/scsi/qla2xxx/qla_gbl.h
55046@@ -571,8 +571,8 @@ extern void qla2x00_get_sym_node_name(scsi_qla_host_t *, uint8_t *, size_t);
55047 struct device_attribute;
55048 extern struct device_attribute *qla2x00_host_attrs[];
55049 struct fc_function_template;
55050-extern struct fc_function_template qla2xxx_transport_functions;
55051-extern struct fc_function_template qla2xxx_transport_vport_functions;
55052+extern fc_function_template_no_const qla2xxx_transport_functions;
55053+extern fc_function_template_no_const qla2xxx_transport_vport_functions;
55054 extern void qla2x00_alloc_sysfs_attr(scsi_qla_host_t *);
55055 extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *, bool);
55056 extern void qla2x00_init_host_attr(scsi_qla_host_t *);
55057diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
55058index 8a5cac8..4eba6ab 100644
55059--- a/drivers/scsi/qla2xxx/qla_os.c
55060+++ b/drivers/scsi/qla2xxx/qla_os.c
55061@@ -1435,8 +1435,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha)
55062 !pci_set_consistent_dma_mask(ha->pdev, DMA_BIT_MASK(64))) {
55063 /* Ok, a 64bit DMA mask is applicable. */
55064 ha->flags.enable_64bit_addressing = 1;
55065- ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64;
55066- ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64;
55067+ pax_open_kernel();
55068+ *(void **)&ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64;
55069+ *(void **)&ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64;
55070+ pax_close_kernel();
55071 return;
55072 }
55073 }
55074diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h
55075index a7cfc27..151f483 100644
55076--- a/drivers/scsi/qla4xxx/ql4_def.h
55077+++ b/drivers/scsi/qla4xxx/ql4_def.h
55078@@ -306,7 +306,7 @@ struct ddb_entry {
55079 * (4000 only) */
55080 atomic_t relogin_timer; /* Max Time to wait for
55081 * relogin to complete */
55082- atomic_t relogin_retry_count; /* Num of times relogin has been
55083+ atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
55084 * retried */
55085 uint32_t default_time2wait; /* Default Min time between
55086 * relogins (+aens) */
55087diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
55088index 6d25879..3031a9f 100644
55089--- a/drivers/scsi/qla4xxx/ql4_os.c
55090+++ b/drivers/scsi/qla4xxx/ql4_os.c
55091@@ -4491,12 +4491,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess)
55092 */
55093 if (!iscsi_is_session_online(cls_sess)) {
55094 /* Reset retry relogin timer */
55095- atomic_inc(&ddb_entry->relogin_retry_count);
55096+ atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
55097 DEBUG2(ql4_printk(KERN_INFO, ha,
55098 "%s: index[%d] relogin timed out-retrying"
55099 " relogin (%d), retry (%d)\n", __func__,
55100 ddb_entry->fw_ddb_index,
55101- atomic_read(&ddb_entry->relogin_retry_count),
55102+ atomic_read_unchecked(&ddb_entry->relogin_retry_count),
55103 ddb_entry->default_time2wait + 4));
55104 set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags);
55105 atomic_set(&ddb_entry->retry_relogin_timer,
55106@@ -6604,7 +6604,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha,
55107
55108 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
55109 atomic_set(&ddb_entry->relogin_timer, 0);
55110- atomic_set(&ddb_entry->relogin_retry_count, 0);
55111+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
55112 def_timeout = le16_to_cpu(ddb_entry->fw_ddb_entry.def_timeout);
55113 ddb_entry->default_relogin_timeout =
55114 (def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ?
55115diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
55116index 207d6a7..bf155b5 100644
55117--- a/drivers/scsi/scsi.c
55118+++ b/drivers/scsi/scsi.c
55119@@ -591,7 +591,7 @@ void scsi_finish_command(struct scsi_cmnd *cmd)
55120
55121 good_bytes = scsi_bufflen(cmd);
55122 if (cmd->request->cmd_type != REQ_TYPE_BLOCK_PC) {
55123- int old_good_bytes = good_bytes;
55124+ unsigned int old_good_bytes = good_bytes;
55125 drv = scsi_cmd_to_driver(cmd);
55126 if (drv->done)
55127 good_bytes = drv->done(cmd);
55128diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
55129index 448ebda..9bd345f 100644
55130--- a/drivers/scsi/scsi_lib.c
55131+++ b/drivers/scsi/scsi_lib.c
55132@@ -1597,7 +1597,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
55133 shost = sdev->host;
55134 scsi_init_cmd_errh(cmd);
55135 cmd->result = DID_NO_CONNECT << 16;
55136- atomic_inc(&cmd->device->iorequest_cnt);
55137+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
55138
55139 /*
55140 * SCSI request completion path will do scsi_device_unbusy(),
55141@@ -1620,9 +1620,9 @@ static void scsi_softirq_done(struct request *rq)
55142
55143 INIT_LIST_HEAD(&cmd->eh_entry);
55144
55145- atomic_inc(&cmd->device->iodone_cnt);
55146+ atomic_inc_unchecked(&cmd->device->iodone_cnt);
55147 if (cmd->result)
55148- atomic_inc(&cmd->device->ioerr_cnt);
55149+ atomic_inc_unchecked(&cmd->device->ioerr_cnt);
55150
55151 disposition = scsi_decide_disposition(cmd);
55152 if (disposition != SUCCESS &&
55153@@ -1663,7 +1663,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
55154 struct Scsi_Host *host = cmd->device->host;
55155 int rtn = 0;
55156
55157- atomic_inc(&cmd->device->iorequest_cnt);
55158+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
55159
55160 /* check if the device is still usable */
55161 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
55162diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
55163index 9ad4116..4e736fc 100644
55164--- a/drivers/scsi/scsi_sysfs.c
55165+++ b/drivers/scsi/scsi_sysfs.c
55166@@ -788,7 +788,7 @@ show_iostat_##field(struct device *dev, struct device_attribute *attr, \
55167 char *buf) \
55168 { \
55169 struct scsi_device *sdev = to_scsi_device(dev); \
55170- unsigned long long count = atomic_read(&sdev->field); \
55171+ unsigned long long count = atomic_read_unchecked(&sdev->field); \
55172 return snprintf(buf, 20, "0x%llx\n", count); \
55173 } \
55174 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
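Review bot: `atomic_read_unchecked()` returns an `int`, so once one of these counters wraps negative the assignment to `unsigned long long count` sign-extends and the attribute prints a 64-bit value with the upper half set. Since the change declares wrapping to be expected, convert through the unsigned 32-bit type first: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field);`. The macro definition starts above this hunk.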
55175diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c
55176index 24eaaf6..de30ec9 100644
55177--- a/drivers/scsi/scsi_transport_fc.c
55178+++ b/drivers/scsi/scsi_transport_fc.c
55179@@ -502,7 +502,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_class,
55180 * Netlink Infrastructure
55181 */
55182
55183-static atomic_t fc_event_seq;
55184+static atomic_unchecked_t fc_event_seq;
55185
55186 /**
55187 * fc_get_event_number - Obtain the next sequential FC event number
55188@@ -515,7 +515,7 @@ static atomic_t fc_event_seq;
55189 u32
55190 fc_get_event_number(void)
55191 {
55192- return atomic_add_return(1, &fc_event_seq);
55193+ return atomic_add_return_unchecked(1, &fc_event_seq);
55194 }
55195 EXPORT_SYMBOL(fc_get_event_number);
55196
55197@@ -659,7 +659,7 @@ static __init int fc_transport_init(void)
55198 {
55199 int error;
55200
55201- atomic_set(&fc_event_seq, 0);
55202+ atomic_set_unchecked(&fc_event_seq, 0);
55203
55204 error = transport_class_register(&fc_host_class);
55205 if (error)
55206@@ -849,7 +849,7 @@ static int fc_str_to_dev_loss(const char *buf, unsigned long *val)
55207 char *cp;
55208
55209 *val = simple_strtoul(buf, &cp, 0);
55210- if ((*cp && (*cp != '\n')) || (*val < 0))
55211+ if (*cp && (*cp != '\n'))
55212 return -EINVAL;
55213 /*
55214 * Check for overflow; dev_loss_tmo is u32
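Review bot: The remaining check still accepts an empty string or a lone newline, because `simple_strtoul()` then leaves `cp` at the start of `buf` with `*val == 0`, and the timeout is silently set to 0. Rejecting input with no digits closes that: `if (cp == buf || (*cp && (*cp != '\n')))`. `fc_str_to_dev_loss()` continues outside the hunk, so the overflow check that follows is not reviewed here.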
55215diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
55216index 55647aa..b647d05 100644
55217--- a/drivers/scsi/scsi_transport_iscsi.c
55218+++ b/drivers/scsi/scsi_transport_iscsi.c
55219@@ -79,7 +79,7 @@ struct iscsi_internal {
55220 struct transport_container session_cont;
55221 };
55222
55223-static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
55224+static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
55225 static struct workqueue_struct *iscsi_eh_timer_workq;
55226
55227 static DEFINE_IDA(iscsi_sess_ida);
55228@@ -2073,7 +2073,7 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id)
55229 int err;
55230
55231 ihost = shost->shost_data;
55232- session->sid = atomic_add_return(1, &iscsi_session_nr);
55233+ session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
55234
55235 if (target_id == ISCSI_MAX_TARGET) {
55236 id = ida_simple_get(&iscsi_sess_ida, 0, 0, GFP_KERNEL);
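Review bot: `iscsi_session_nr` hands out `session->sid`, an identifier rather than a statistic, so marking it unchecked means a wrapped counter can silently reissue a sid that a live session still holds; nothing visible in this hunk rules that out. If wrap is considered unreachable in practice, say so at the declaration, e.g. `/* id allocator; may wrap after 2^32 sessions, uniqueness not enforced */`. `next_port_id` in scsi_transport_srp.c is the same kind of counter, and its value is formatted with `%d` in `dev_set_name()`, so it would show up negative in the device name after wrapping. `iscsi_add_session()` continues outside the hunk.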
55237@@ -4517,7 +4517,7 @@ static __init int iscsi_transport_init(void)
55238 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
55239 ISCSI_TRANSPORT_VERSION);
55240
55241- atomic_set(&iscsi_session_nr, 0);
55242+ atomic_set_unchecked(&iscsi_session_nr, 0);
55243
55244 err = class_register(&iscsi_transport_class);
55245 if (err)
55246diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c
55247index e3cd3ec..00560ec 100644
55248--- a/drivers/scsi/scsi_transport_srp.c
55249+++ b/drivers/scsi/scsi_transport_srp.c
55250@@ -35,7 +35,7 @@
55251 #include "scsi_priv.h"
55252
55253 struct srp_host_attrs {
55254- atomic_t next_port_id;
55255+ atomic_unchecked_t next_port_id;
55256 };
55257 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
55258
55259@@ -105,7 +105,7 @@ static int srp_host_setup(struct transport_container *tc, struct device *dev,
55260 struct Scsi_Host *shost = dev_to_shost(dev);
55261 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
55262
55263- atomic_set(&srp_host->next_port_id, 0);
55264+ atomic_set_unchecked(&srp_host->next_port_id, 0);
55265 return 0;
55266 }
55267
55268@@ -752,7 +752,7 @@ struct srp_rport *srp_rport_add(struct Scsi_Host *shost,
55269 rport_fast_io_fail_timedout);
55270 INIT_DELAYED_WORK(&rport->dev_loss_work, rport_dev_loss_timedout);
55271
55272- id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
55273+ id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
55274 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
55275
55276 transport_setup_device(&rport->dev);
55277diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
55278index a20da8c..7f47bac 100644
55279--- a/drivers/scsi/sd.c
55280+++ b/drivers/scsi/sd.c
55281@@ -111,7 +111,7 @@ static int sd_resume(struct device *);
55282 static void sd_rescan(struct device *);
55283 static int sd_init_command(struct scsi_cmnd *SCpnt);
55284 static void sd_uninit_command(struct scsi_cmnd *SCpnt);
55285-static int sd_done(struct scsi_cmnd *);
55286+static unsigned int sd_done(struct scsi_cmnd *);
55287 static int sd_eh_action(struct scsi_cmnd *, int);
55288 static void sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer);
55289 static void scsi_disk_release(struct device *cdev);
55290@@ -1646,7 +1646,7 @@ static unsigned int sd_completed_bytes(struct scsi_cmnd *scmd)
55291 *
55292 * Note: potentially run from within an ISR. Must not block.
55293 **/
55294-static int sd_done(struct scsi_cmnd *SCpnt)
55295+static unsigned int sd_done(struct scsi_cmnd *SCpnt)
55296 {
55297 int result = SCpnt->result;
55298 unsigned int good_bytes = result ? 0 : scsi_bufflen(SCpnt);
55299@@ -2973,7 +2973,7 @@ static int sd_probe(struct device *dev)
55300 sdkp->disk = gd;
55301 sdkp->index = index;
55302 atomic_set(&sdkp->openers, 0);
55303- atomic_set(&sdkp->device->ioerr_cnt, 0);
55304+ atomic_set_unchecked(&sdkp->device->ioerr_cnt, 0);
55305
55306 if (!sdp->request_queue->rq_timeout) {
55307 if (sdp->type != TYPE_MOD)
55308diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
55309index 9d7b7db..33ecc51 100644
55310--- a/drivers/scsi/sg.c
55311+++ b/drivers/scsi/sg.c
55312@@ -1083,7 +1083,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
55313 sdp->disk->disk_name,
55314 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
55315 NULL,
55316- (char *)arg);
55317+ (char __user *)arg);
55318 case BLKTRACESTART:
55319 return blk_trace_startstop(sdp->device->request_queue, 1);
55320 case BLKTRACESTOP:
55321diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
55322index 8bd54a6..58fa0d6 100644
55323--- a/drivers/scsi/sr.c
55324+++ b/drivers/scsi/sr.c
55325@@ -80,7 +80,7 @@ static DEFINE_MUTEX(sr_mutex);
55326 static int sr_probe(struct device *);
55327 static int sr_remove(struct device *);
55328 static int sr_init_command(struct scsi_cmnd *SCpnt);
55329-static int sr_done(struct scsi_cmnd *);
55330+static unsigned int sr_done(struct scsi_cmnd *);
55331 static int sr_runtime_suspend(struct device *dev);
55332
55333 static struct dev_pm_ops sr_pm_ops = {
55334@@ -312,13 +312,13 @@ do_tur:
55335 * It will be notified on the end of a SCSI read / write, and will take one
55336 * of several actions based on success or failure.
55337 */
55338-static int sr_done(struct scsi_cmnd *SCpnt)
55339+static unsigned int sr_done(struct scsi_cmnd *SCpnt)
55340 {
55341 int result = SCpnt->result;
55342- int this_count = scsi_bufflen(SCpnt);
55343- int good_bytes = (result == 0 ? this_count : 0);
55344- int block_sectors = 0;
55345- long error_sector;
55346+ unsigned int this_count = scsi_bufflen(SCpnt);
55347+ unsigned int good_bytes = (result == 0 ? this_count : 0);
55348+ unsigned int block_sectors = 0;
55349+ sector_t error_sector;
55350 struct scsi_cd *cd = scsi_cd(SCpnt->request->rq_disk);
55351
55352 #ifdef DEBUG
55353@@ -351,9 +351,12 @@ static int sr_done(struct scsi_cmnd *SCpnt)
55354 if (cd->device->sector_size == 2048)
55355 error_sector <<= 2;
55356 error_sector &= ~(block_sectors - 1);
55357- good_bytes = (error_sector -
55358- blk_rq_pos(SCpnt->request)) << 9;
55359- if (good_bytes < 0 || good_bytes >= this_count)
55360+ if (error_sector >= blk_rq_pos(SCpnt->request)) {
55361+ good_bytes = (error_sector -
55362+ blk_rq_pos(SCpnt->request)) << 9;
55363+ if (good_bytes >= this_count)
55364+ good_bytes = 0;
55365+ } else
55366 good_bytes = 0;
55367 /*
55368 * The SCSI specification allows for the value
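Review bot: With `block_sectors` now `unsigned int` and `error_sector` now `sector_t` (both changed in the previous hunk), the context line `error_sector &= ~(block_sectors - 1);` builds its mask in 32 bits. Where `sector_t` is 64 bits wide the mask is zero-extended and clears the upper half of `error_sector`, whereas the old `int`/`long` pair sign-extended it. Widening before the subtraction keeps the mask full width and still yields a zero mask for a zero `block_sectors`: `error_sector &= ~((sector_t)block_sectors - 1);`. Whether `sector_t` is 64-bit depends on configuration not shown here, and sr_done starts and ends outside this hunk.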
55369diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c
55370index c0d660f..24a5854 100644
55371--- a/drivers/soc/tegra/fuse/fuse-tegra.c
55372+++ b/drivers/soc/tegra/fuse/fuse-tegra.c
55373@@ -71,7 +71,7 @@ static ssize_t fuse_read(struct file *fd, struct kobject *kobj,
55374 return i;
55375 }
55376
55377-static struct bin_attribute fuse_bin_attr = {
55378+static bin_attribute_no_const fuse_bin_attr = {
55379 .attr = { .name = "fuse", .mode = S_IRUGO, },
55380 .read = fuse_read,
55381 };
55382diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
55383index cf8b91b..a13d434 100644
55384--- a/drivers/spi/spi.c
55385+++ b/drivers/spi/spi.c
55386@@ -2216,7 +2216,7 @@ int spi_bus_unlock(struct spi_master *master)
55387 EXPORT_SYMBOL_GPL(spi_bus_unlock);
55388
55389 /* portable code must never pass more than 32 bytes */
55390-#define SPI_BUFSIZ max(32, SMP_CACHE_BYTES)
55391+#define SPI_BUFSIZ max(32UL, SMP_CACHE_BYTES)
55392
55393 static u8 *buf;
55394
55395diff --git a/drivers/staging/android/timed_output.c b/drivers/staging/android/timed_output.c
55396index b41429f..2de5373 100644
55397--- a/drivers/staging/android/timed_output.c
55398+++ b/drivers/staging/android/timed_output.c
55399@@ -25,7 +25,7 @@
55400 #include "timed_output.h"
55401
55402 static struct class *timed_output_class;
55403-static atomic_t device_count;
55404+static atomic_unchecked_t device_count;
55405
55406 static ssize_t enable_show(struct device *dev, struct device_attribute *attr,
55407 char *buf)
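Review bot: Nothing on the declaration records why `device_count` is exempt from overflow checking after the switch to `atomic_unchecked_t`. A one-line comment such as `/* index generator, not a reference count: wrap-around is tolerated */` would make the intent reviewable. That reading is inferred from `timed_output_dev_register()`, where the value only feeds `tdev->index` and `MKDEV(0, tdev->index)`, so someone who knows whether a repeated index after a wrap matters should confirm it. The `login_id` counter in sbp_target.c and `dev_ordered_id` in target_core_device.c are converted the same way and would benefit from the same comment.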
55408@@ -65,7 +65,7 @@ static int create_timed_output_class(void)
55409 timed_output_class = class_create(THIS_MODULE, "timed_output");
55410 if (IS_ERR(timed_output_class))
55411 return PTR_ERR(timed_output_class);
55412- atomic_set(&device_count, 0);
55413+ atomic_set_unchecked(&device_count, 0);
55414 timed_output_class->dev_groups = timed_output_groups;
55415 }
55416
55417@@ -83,7 +83,7 @@ int timed_output_dev_register(struct timed_output_dev *tdev)
55418 if (ret < 0)
55419 return ret;
55420
55421- tdev->index = atomic_inc_return(&device_count);
55422+ tdev->index = atomic_inc_return_unchecked(&device_count);
55423 tdev->dev = device_create(timed_output_class, NULL,
55424 MKDEV(0, tdev->index), NULL, "%s", tdev->name);
55425 if (IS_ERR(tdev->dev))
55426diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
55427index 985d94b..49c59fb 100644
55428--- a/drivers/staging/comedi/comedi_fops.c
55429+++ b/drivers/staging/comedi/comedi_fops.c
55430@@ -314,8 +314,8 @@ static void comedi_file_reset(struct file *file)
55431 }
55432 cfp->last_attached = dev->attached;
55433 cfp->last_detach_count = dev->detach_count;
55434- ACCESS_ONCE(cfp->read_subdev) = read_s;
55435- ACCESS_ONCE(cfp->write_subdev) = write_s;
55436+ ACCESS_ONCE_RW(cfp->read_subdev) = read_s;
55437+ ACCESS_ONCE_RW(cfp->write_subdev) = write_s;
55438 }
55439
55440 static void comedi_file_check(struct file *file)
55441@@ -1983,7 +1983,7 @@ static int do_setrsubd_ioctl(struct comedi_device *dev, unsigned long arg,
55442 !(s_old->async->cmd.flags & CMDF_WRITE))
55443 return -EBUSY;
55444
55445- ACCESS_ONCE(cfp->read_subdev) = s_new;
55446+ ACCESS_ONCE_RW(cfp->read_subdev) = s_new;
55447 return 0;
55448 }
55449
55450@@ -2025,7 +2025,7 @@ static int do_setwsubd_ioctl(struct comedi_device *dev, unsigned long arg,
55451 (s_old->async->cmd.flags & CMDF_WRITE))
55452 return -EBUSY;
55453
55454- ACCESS_ONCE(cfp->write_subdev) = s_new;
55455+ ACCESS_ONCE_RW(cfp->write_subdev) = s_new;
55456 return 0;
55457 }
55458
55459diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
55460index 9cc8141..ffd5039 100644
55461--- a/drivers/staging/fbtft/fbtft-core.c
55462+++ b/drivers/staging/fbtft/fbtft-core.c
55463@@ -681,7 +681,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
55464 {
55465 struct fb_info *info;
55466 struct fbtft_par *par;
55467- struct fb_ops *fbops = NULL;
55468+ fb_ops_no_const *fbops = NULL;
55469 struct fb_deferred_io *fbdefio = NULL;
55470 struct fbtft_platform_data *pdata = dev->platform_data;
55471 u8 *vmem = NULL;
55472diff --git a/drivers/staging/fbtft/fbtft.h b/drivers/staging/fbtft/fbtft.h
55473index 7d817eb..d22e49e 100644
55474--- a/drivers/staging/fbtft/fbtft.h
55475+++ b/drivers/staging/fbtft/fbtft.h
55476@@ -106,7 +106,7 @@ struct fbtft_ops {
55477
55478 int (*set_var)(struct fbtft_par *par);
55479 int (*set_gamma)(struct fbtft_par *par, unsigned long *curves);
55480-};
55481+} __no_const;
55482
55483 /**
55484 * struct fbtft_display - Describes the display properties
55485diff --git a/drivers/staging/gdm724x/gdm_tty.c b/drivers/staging/gdm724x/gdm_tty.c
55486index 001348c..cfaac8a 100644
55487--- a/drivers/staging/gdm724x/gdm_tty.c
55488+++ b/drivers/staging/gdm724x/gdm_tty.c
55489@@ -44,7 +44,7 @@
55490 #define gdm_tty_send_control(n, r, v, d, l) (\
55491 n->tty_dev->send_control(n->tty_dev->priv_dev, r, v, d, l))
55492
55493-#define GDM_TTY_READY(gdm) (gdm && gdm->tty_dev && gdm->port.count)
55494+#define GDM_TTY_READY(gdm) (gdm && gdm->tty_dev && atomic_read(&gdm->port.count))
55495
55496 static struct tty_driver *gdm_driver[TTY_MAX_COUNT];
55497 static struct gdm *gdm_table[TTY_MAX_COUNT][GDM_TTY_MINOR];
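Review bot: `GDM_TTY_READY` still expands its argument without parentheses, and the rewritten line adds a third use inside `&gdm->port.count`, where an expression argument would bind incorrectly. Since the line is being touched anyway it could read `#define GDM_TTY_READY(gdm) ((gdm) && (gdm)->tty_dev && atomic_read(&(gdm)->port.count))`. The callers are outside this hunk, so whether any of them passes more than a plain identifier is not visible here.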
55498diff --git a/drivers/staging/iio/accel/lis3l02dq_ring.c b/drivers/staging/iio/accel/lis3l02dq_ring.c
55499index b892f2c..9b4898a 100644
55500--- a/drivers/staging/iio/accel/lis3l02dq_ring.c
55501+++ b/drivers/staging/iio/accel/lis3l02dq_ring.c
55502@@ -118,7 +118,7 @@ static int lis3l02dq_get_buffer_element(struct iio_dev *indio_dev,
55503 int scan_count = bitmap_weight(indio_dev->active_scan_mask,
55504 indio_dev->masklength);
55505
55506- rx_array = kcalloc(4, scan_count, GFP_KERNEL);
55507+ rx_array = kcalloc(scan_count, 4, GFP_KERNEL);
55508 if (!rx_array)
55509 return -ENOMEM;
55510 ret = lis3l02dq_read_all(indio_dev, rx_array);
55511diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c
55512index d98e229..9c59bc2 100644
55513--- a/drivers/staging/iio/adc/ad7280a.c
55514+++ b/drivers/staging/iio/adc/ad7280a.c
55515@@ -547,8 +547,8 @@ static int ad7280_attr_init(struct ad7280_state *st)
55516 {
55517 int dev, ch, cnt;
55518
55519- st->iio_attr = kcalloc(2, sizeof(*st->iio_attr) *
55520- (st->slave_num + 1) * AD7280A_CELLS_PER_DEV,
55521+ st->iio_attr = kcalloc(sizeof(*st->iio_attr) *
55522+ (st->slave_num + 1) * AD7280A_CELLS_PER_DEV, 2,
55523 GFP_KERNEL);
55524 if (st->iio_attr == NULL)
55525 return -ENOMEM;
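Review bot: After the argument swap the element count is itself the unchecked product `sizeof(*st->iio_attr) * (st->slave_num + 1) * AD7280A_CELLS_PER_DEV`, so kcalloc()'s overflow check covers only the final multiplication by 2. Passing the element size as its own argument puts more of the arithmetic under that check while allocating the same number of bytes: `st->iio_attr = kcalloc(2 * (st->slave_num + 1) * AD7280A_CELLS_PER_DEV, sizeof(*st->iio_attr), GFP_KERNEL);`. The range of `slave_num` is established outside this hunk, so whether the product can actually become large is not visible here. ad7280_attr_init continues past the end of the hunk.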
55526diff --git a/drivers/staging/lustre/lnet/selftest/brw_test.c b/drivers/staging/lustre/lnet/selftest/brw_test.c
55527index de11f1b..f7181cf 100644
55528--- a/drivers/staging/lustre/lnet/selftest/brw_test.c
55529+++ b/drivers/staging/lustre/lnet/selftest/brw_test.c
55530@@ -487,13 +487,11 @@ brw_server_handle(struct srpc_server_rpc *rpc)
55531 return 0;
55532 }
55533
55534-sfw_test_client_ops_t brw_test_client;
55535-void brw_init_test_client(void)
55536-{
55537- brw_test_client.tso_init = brw_client_init;
55538- brw_test_client.tso_fini = brw_client_fini;
55539- brw_test_client.tso_prep_rpc = brw_client_prep_rpc;
55540- brw_test_client.tso_done_rpc = brw_client_done_rpc;
55541+sfw_test_client_ops_t brw_test_client = {
55542+ .tso_init = brw_client_init,
55543+ .tso_fini = brw_client_fini,
55544+ .tso_prep_rpc = brw_client_prep_rpc,
55545+ .tso_done_rpc = brw_client_done_rpc,
55546 };
55547
55548 srpc_service_t brw_test_service;
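Review bot: `brw_test_client` is now fully initialised at build time and nothing in this hunk writes to it afterwards, so the declaration could say so with `const sfw_test_client_ops_t brw_test_client = {`. That would also require the `extern` declaration in framework.c and the parameter type of `sfw_register_test()` to accept a const pointer, and the latter is not visible in this patch excerpt. The same applies to `ping_test_client` in the ping_test.c hunk.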
55549diff --git a/drivers/staging/lustre/lnet/selftest/framework.c b/drivers/staging/lustre/lnet/selftest/framework.c
55550index 7c5185a..51c2ae7 100644
55551--- a/drivers/staging/lustre/lnet/selftest/framework.c
55552+++ b/drivers/staging/lustre/lnet/selftest/framework.c
55553@@ -1628,12 +1628,10 @@ static srpc_service_t sfw_services[] = {
55554
55555 extern sfw_test_client_ops_t ping_test_client;
55556 extern srpc_service_t ping_test_service;
55557-extern void ping_init_test_client(void);
55558 extern void ping_init_test_service(void);
55559
55560 extern sfw_test_client_ops_t brw_test_client;
55561 extern srpc_service_t brw_test_service;
55562-extern void brw_init_test_client(void);
55563 extern void brw_init_test_service(void);
55564
55565
55566@@ -1675,12 +1673,10 @@ sfw_startup(void)
55567 INIT_LIST_HEAD(&sfw_data.fw_zombie_rpcs);
55568 INIT_LIST_HEAD(&sfw_data.fw_zombie_sessions);
55569
55570- brw_init_test_client();
55571 brw_init_test_service();
55572 rc = sfw_register_test(&brw_test_service, &brw_test_client);
55573 LASSERT(rc == 0);
55574
55575- ping_init_test_client();
55576 ping_init_test_service();
55577 rc = sfw_register_test(&ping_test_service, &ping_test_client);
55578 LASSERT(rc == 0);
55579diff --git a/drivers/staging/lustre/lnet/selftest/ping_test.c b/drivers/staging/lustre/lnet/selftest/ping_test.c
55580index 1dab998..edfe0ac 100644
55581--- a/drivers/staging/lustre/lnet/selftest/ping_test.c
55582+++ b/drivers/staging/lustre/lnet/selftest/ping_test.c
55583@@ -211,14 +211,12 @@ ping_server_handle(struct srpc_server_rpc *rpc)
55584 return 0;
55585 }
55586
55587-sfw_test_client_ops_t ping_test_client;
55588-void ping_init_test_client(void)
55589-{
55590- ping_test_client.tso_init = ping_client_init;
55591- ping_test_client.tso_fini = ping_client_fini;
55592- ping_test_client.tso_prep_rpc = ping_client_prep_rpc;
55593- ping_test_client.tso_done_rpc = ping_client_done_rpc;
55594-}
55595+sfw_test_client_ops_t ping_test_client = {
55596+ .tso_init = ping_client_init,
55597+ .tso_fini = ping_client_fini,
55598+ .tso_prep_rpc = ping_client_prep_rpc,
55599+ .tso_done_rpc = ping_client_done_rpc,
55600+};
55601
55602 srpc_service_t ping_test_service;
55603 void ping_init_test_service(void)
55604diff --git a/drivers/staging/lustre/lustre/include/lustre_dlm.h b/drivers/staging/lustre/lustre/include/lustre_dlm.h
55605index f6f4c03..cdc3556 100644
55606--- a/drivers/staging/lustre/lustre/include/lustre_dlm.h
55607+++ b/drivers/staging/lustre/lustre/include/lustre_dlm.h
55608@@ -1107,7 +1107,7 @@ struct ldlm_callback_suite {
55609 ldlm_completion_callback lcs_completion;
55610 ldlm_blocking_callback lcs_blocking;
55611 ldlm_glimpse_callback lcs_glimpse;
55612-};
55613+} __no_const;
55614
55615 /* ldlm_lockd.c */
55616 int ldlm_del_waiting_lock(struct ldlm_lock *lock);
55617diff --git a/drivers/staging/lustre/lustre/include/obd.h b/drivers/staging/lustre/lustre/include/obd.h
55618index 55452e5..43b0f2f 100644
55619--- a/drivers/staging/lustre/lustre/include/obd.h
55620+++ b/drivers/staging/lustre/lustre/include/obd.h
55621@@ -1364,7 +1364,7 @@ struct md_ops {
55622 * lprocfs_alloc_md_stats() in obdclass/lprocfs_status.c. Also, add a
55623 * wrapper function in include/linux/obd_class.h.
55624 */
55625-};
55626+} __no_const;
55627
55628 struct lsm_operations {
55629 void (*lsm_free)(struct lov_stripe_md *);
55630diff --git a/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c b/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55631index a4c252f..b21acac 100644
55632--- a/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55633+++ b/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55634@@ -258,7 +258,7 @@ ldlm_process_flock_lock(struct ldlm_lock *req, __u64 *flags, int first_enq,
55635 int added = (mode == LCK_NL);
55636 int overlaps = 0;
55637 int splitted = 0;
55638- const struct ldlm_callback_suite null_cbs = { NULL };
55639+ const struct ldlm_callback_suite null_cbs = { };
55640
55641 CDEBUG(D_DLMTRACE,
55642 "flags %#llx owner %llu pid %u mode %u start %llu end %llu\n",
55643diff --git a/drivers/staging/lustre/lustre/libcfs/module.c b/drivers/staging/lustre/lustre/libcfs/module.c
55644index e60b2e9..ad9ceb3 100644
55645--- a/drivers/staging/lustre/lustre/libcfs/module.c
55646+++ b/drivers/staging/lustre/lustre/libcfs/module.c
55647@@ -377,11 +377,11 @@ out:
55648
55649
55650 struct cfs_psdev_ops libcfs_psdev_ops = {
55651- libcfs_psdev_open,
55652- libcfs_psdev_release,
55653- NULL,
55654- NULL,
55655- libcfs_ioctl
55656+ .p_open = libcfs_psdev_open,
55657+ .p_close = libcfs_psdev_release,
55658+ .p_read = NULL,
55659+ .p_write = NULL,
55660+ .p_ioctl = libcfs_ioctl
55661 };
55662
55663 static int init_libcfs_module(void)
55664@@ -623,7 +623,7 @@ static int proc_console_max_delay_cs(struct ctl_table *table, int write,
55665 loff_t *ppos)
55666 {
55667 int rc, max_delay_cs;
55668- struct ctl_table dummy = *table;
55669+ ctl_table_no_const dummy = *table;
55670 long d;
55671
55672 dummy.data = &max_delay_cs;
55673@@ -656,7 +656,7 @@ static int proc_console_min_delay_cs(struct ctl_table *table, int write,
55674 loff_t *ppos)
55675 {
55676 int rc, min_delay_cs;
55677- struct ctl_table dummy = *table;
55678+ ctl_table_no_const dummy = *table;
55679 long d;
55680
55681 dummy.data = &min_delay_cs;
55682@@ -688,7 +688,7 @@ static int proc_console_backoff(struct ctl_table *table, int write,
55683 void __user *buffer, size_t *lenp, loff_t *ppos)
55684 {
55685 int rc, backoff;
55686- struct ctl_table dummy = *table;
55687+ ctl_table_no_const dummy = *table;
55688
55689 dummy.data = &backoff;
55690 dummy.proc_handler = &proc_dointvec;
55691diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c
55692index 22853d3..cfa3c49 100644
55693--- a/drivers/staging/octeon/ethernet-rx.c
55694+++ b/drivers/staging/octeon/ethernet-rx.c
55695@@ -335,14 +335,14 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget)
55696 /* Increment RX stats for virtual ports */
55697 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
55698 #ifdef CONFIG_64BIT
55699- atomic64_add(1,
55700+ atomic64_add_unchecked(1,
55701 (atomic64_t *)&priv->stats.rx_packets);
55702- atomic64_add(skb->len,
55703+ atomic64_add_unchecked(skb->len,
55704 (atomic64_t *)&priv->stats.rx_bytes);
55705 #else
55706- atomic_add(1,
55707+ atomic_add_unchecked(1,
55708 (atomic_t *)&priv->stats.rx_packets);
55709- atomic_add(skb->len,
55710+ atomic_add_unchecked(skb->len,
55711 (atomic_t *)&priv->stats.rx_bytes);
55712 #endif
55713 }
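Review bot: The calls become `atomic64_add_unchecked()` and `atomic_add_unchecked()`, but the pointer casts on the following lines still read `(atomic64_t *)` and `(atomic_t *)`, whereas the matching change in ethernet.c casts to `(atomic64_unchecked_t *)` and `(atomic_unchecked_t *)`. In a configuration where the unchecked types are distinct from the checked ones this passes an incompatible pointer type. The casts should follow the ethernet.c form, for example `(atomic64_unchecked_t *)&priv->stats.rx_packets);` and `(atomic_unchecked_t *)&priv->stats.rx_packets);`. The same applies to the `rx_bytes` casts in this hunk and the `rx_dropped` casts in the next one. cvm_oct_napi_poll extends beyond both hunks.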
55714@@ -354,10 +354,10 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget)
55715 dev->name);
55716 */
55717 #ifdef CONFIG_64BIT
55718- atomic64_add(1,
55719+ atomic64_add_unchecked(1,
55720 (atomic64_t *)&priv->stats.rx_dropped);
55721 #else
55722- atomic_add(1,
55723+ atomic_add_unchecked(1,
55724 (atomic_t *)&priv->stats.rx_dropped);
55725 #endif
55726 dev_kfree_skb_irq(skb);
55727diff --git a/drivers/staging/octeon/ethernet.c b/drivers/staging/octeon/ethernet.c
55728index f9dba23..7bc0ef3 100644
55729--- a/drivers/staging/octeon/ethernet.c
55730+++ b/drivers/staging/octeon/ethernet.c
55731@@ -231,11 +231,11 @@ static struct net_device_stats *cvm_oct_common_get_stats(struct net_device *dev)
55732 * since the RX tasklet also increments it.
55733 */
55734 #ifdef CONFIG_64BIT
55735- atomic64_add(rx_status.dropped_packets,
55736- (atomic64_t *)&priv->stats.rx_dropped);
55737+ atomic64_add_unchecked(rx_status.dropped_packets,
55738+ (atomic64_unchecked_t *)&priv->stats.rx_dropped);
55739 #else
55740- atomic_add(rx_status.dropped_packets,
55741- (atomic_t *)&priv->stats.rx_dropped);
55742+ atomic_add_unchecked(rx_status.dropped_packets,
55743+ (atomic_unchecked_t *)&priv->stats.rx_dropped);
55744 #endif
55745 }
55746
55747diff --git a/drivers/staging/rtl8188eu/include/hal_intf.h b/drivers/staging/rtl8188eu/include/hal_intf.h
55748index 3b476d8..f522d68 100644
55749--- a/drivers/staging/rtl8188eu/include/hal_intf.h
55750+++ b/drivers/staging/rtl8188eu/include/hal_intf.h
55751@@ -225,7 +225,7 @@ struct hal_ops {
55752
55753 void (*hal_notch_filter)(struct adapter *adapter, bool enable);
55754 void (*hal_reset_security_engine)(struct adapter *adapter);
55755-};
55756+} __no_const;
55757
55758 enum rt_eeprom_type {
55759 EEPROM_93C46,
55760diff --git a/drivers/staging/rtl8712/rtl871x_io.h b/drivers/staging/rtl8712/rtl871x_io.h
55761index 070cc03..6806e37 100644
55762--- a/drivers/staging/rtl8712/rtl871x_io.h
55763+++ b/drivers/staging/rtl8712/rtl871x_io.h
55764@@ -108,7 +108,7 @@ struct _io_ops {
55765 u8 *pmem);
55766 u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt,
55767 u8 *pmem);
55768-};
55769+} __no_const;
55770
55771 struct io_req {
55772 struct list_head list;
55773diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
55774index 8e201f1..bf2a28d 100644
55775--- a/drivers/staging/sm750fb/sm750.c
55776+++ b/drivers/staging/sm750fb/sm750.c
55777@@ -775,6 +775,7 @@ static struct fb_ops lynxfb_ops = {
55778 .fb_set_par = lynxfb_ops_set_par,
55779 .fb_setcolreg = lynxfb_ops_setcolreg,
55780 .fb_blank = lynxfb_ops_blank,
55781+ .fb_pan_display = lynxfb_ops_pan_display,
55782 .fb_fillrect = cfb_fillrect,
55783 .fb_imageblit = cfb_imageblit,
55784 .fb_copyarea = cfb_copyarea,
55785@@ -822,8 +823,10 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55786 par->index = index;
55787 output->channel = &crtc->channel;
55788 sm750fb_set_drv(par);
55789- lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;
55790
55791+ pax_open_kernel();
55792+ *(void **)&lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;
55793+ pax_close_kernel();
55794
55795 /* set current cursor variable and proc pointer,
55796 * must be set after crtc member initialized */
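Review bot: The runtime store `*(void **)&lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;` is redundant, because the previous hunk already sets `.fb_pan_display = lynxfb_ops_pan_display` in the static initializer of `lynxfb_ops`. The whole `pax_open_kernel()` / `pax_close_kernel()` block added here can be dropped, which removes one place where the otherwise protected ops table is opened for writing. lynxfb_set_fbinfo starts and ends outside this hunk, so this assumes no other code path clears the member before this point.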
55797@@ -845,7 +848,9 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55798 crtc->cursor.share = share;
55799 memset_io(crtc->cursor.vstart, 0, crtc->cursor.size);
55800 if (!g_hwcursor) {
55801- lynxfb_ops.fb_cursor = NULL;
55802+ pax_open_kernel();
55803+ *(void **)&lynxfb_ops.fb_cursor = NULL;
55804+ pax_close_kernel();
55805 crtc->cursor.disable(&crtc->cursor);
55806 }
55807
55808@@ -853,9 +858,11 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55809 /* set info->fbops, must be set before fb_find_mode */
55810 if (!share->accel_off) {
55811 /* use 2d acceleration */
55812- lynxfb_ops.fb_fillrect = lynxfb_ops_fillrect;
55813- lynxfb_ops.fb_copyarea = lynxfb_ops_copyarea;
55814- lynxfb_ops.fb_imageblit = lynxfb_ops_imageblit;
55815+ pax_open_kernel();
55816+ *(void **)&lynxfb_ops.fb_fillrect = lynxfb_ops_fillrect;
55817+ *(void **)&lynxfb_ops.fb_copyarea = lynxfb_ops_copyarea;
55818+ *(void **)&lynxfb_ops.fb_imageblit = lynxfb_ops_imageblit;
55819+ pax_close_kernel();
55820 }
55821 info->fbops = &lynxfb_ops;
55822
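Review bot: Storing through `*(void **)&lynxfb_ops.fb_fillrect` discards the member's function-pointer type, so the compiler no longer checks `lynxfb_ops_fillrect`, `lynxfb_ops_copyarea` and `lynxfb_ops_imageblit` against the `struct fb_ops` prototypes as it did for the plain assignments being removed. A comment above the block would record the obligation, for example `/* void ** stores bypass prototype checking; keep handler signatures in sync with struct fb_ops */`. The same pattern appears in the cpu_cooling.c, int3400_thermal.c and of-thermal.c hunks further down. lynxfb_set_fbinfo extends beyond this hunk.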
55823diff --git a/drivers/staging/unisys/visorbus/visorbus_private.h b/drivers/staging/unisys/visorbus/visorbus_private.h
55824index 2f12483..6e1b50a 100644
55825--- a/drivers/staging/unisys/visorbus/visorbus_private.h
55826+++ b/drivers/staging/unisys/visorbus/visorbus_private.h
55827@@ -35,7 +35,7 @@ struct visorchipset_busdev_notifiers {
55828 void (*device_destroy)(struct visor_device *bus_info);
55829 void (*device_pause)(struct visor_device *bus_info);
55830 void (*device_resume)(struct visor_device *bus_info);
55831-};
55832+} __no_const;
55833
55834 /* These functions live inside visorchipset, and will be called to indicate
55835 * responses to specific events (by code outside of visorchipset).
55836@@ -50,7 +50,7 @@ struct visorchipset_busdev_responders {
55837 void (*device_destroy)(struct visor_device *p, int response);
55838 void (*device_pause)(struct visor_device *p, int response);
55839 void (*device_resume)(struct visor_device *p, int response);
55840-};
55841+} __no_const;
55842
55843 /** Register functions (in the bus driver) to get called by visorchipset
55844 * whenever a bus or device appears for which this guest is to be the
55845diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c
55846index 0edf320..49afe95 100644
55847--- a/drivers/target/sbp/sbp_target.c
55848+++ b/drivers/target/sbp/sbp_target.c
55849@@ -60,7 +60,7 @@ static const u32 sbp_unit_directory_template[] = {
55850
55851 #define SESSION_MAINTENANCE_INTERVAL HZ
55852
55853-static atomic_t login_id = ATOMIC_INIT(0);
55854+static atomic_unchecked_t login_id = ATOMIC_INIT(0);
55855
55856 static void session_maintenance_work(struct work_struct *);
55857 static int sbp_run_transaction(struct fw_card *, int, int, int, int,
55858@@ -441,7 +441,7 @@ static void sbp_management_request_login(
55859 login->login_lun = unpacked_lun;
55860 login->status_fifo_addr = sbp2_pointer_to_addr(&req->orb.status_fifo);
55861 login->exclusive = LOGIN_ORB_EXCLUSIVE(be32_to_cpu(req->orb.misc));
55862- login->login_id = atomic_inc_return(&login_id);
55863+ login->login_id = atomic_inc_return_unchecked(&login_id);
55864
55865 login->tgt_agt = sbp_target_agent_register(login);
55866 if (IS_ERR(login->tgt_agt)) {
55867diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
55868index 09e682b..1980042 100644
55869--- a/drivers/target/target_core_device.c
55870+++ b/drivers/target/target_core_device.c
55871@@ -771,7 +771,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
55872 spin_lock_init(&dev->se_tmr_lock);
55873 spin_lock_init(&dev->qf_cmd_lock);
55874 sema_init(&dev->caw_sem, 1);
55875- atomic_set(&dev->dev_ordered_id, 0);
55876+ atomic_set_unchecked(&dev->dev_ordered_id, 0);
55877 INIT_LIST_HEAD(&dev->t10_wwn.t10_vpd_list);
55878 spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
55879 INIT_LIST_HEAD(&dev->t10_pr.registration_list);
55880diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
55881index ce8574b..98d6199 100644
55882--- a/drivers/target/target_core_transport.c
55883+++ b/drivers/target/target_core_transport.c
55884@@ -1181,7 +1181,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
55885 * Used to determine when ORDERED commands should go from
55886 * Dormant to Active status.
55887 */
55888- cmd->se_ordered_id = atomic_inc_return(&dev->dev_ordered_id);
55889+ cmd->se_ordered_id = atomic_inc_return_unchecked(&dev->dev_ordered_id);
55890 pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
55891 cmd->se_ordered_id, cmd->sam_task_attr,
55892 dev->transport->name);
55893diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
55894index 620dcd4..b91b5e0 100644
55895--- a/drivers/thermal/cpu_cooling.c
55896+++ b/drivers/thermal/cpu_cooling.c
55897@@ -831,10 +831,11 @@ __cpufreq_cooling_register(struct device_node *np,
55898 cpumask_copy(&cpufreq_dev->allowed_cpus, clip_cpus);
55899
55900 if (capacitance) {
55901- cpufreq_cooling_ops.get_requested_power =
55902- cpufreq_get_requested_power;
55903- cpufreq_cooling_ops.state2power = cpufreq_state2power;
55904- cpufreq_cooling_ops.power2state = cpufreq_power2state;
55905+ pax_open_kernel();
55906+ *(void **)&cpufreq_cooling_ops.get_requested_power = cpufreq_get_requested_power;
55907+ *(void **)&cpufreq_cooling_ops.state2power = cpufreq_state2power;
55908+ *(void **)&cpufreq_cooling_ops.power2state = cpufreq_power2state;
55909+ pax_close_kernel();
55910 cpufreq_dev->plat_get_static_power = plat_static_func;
55911
55912 ret = build_dyn_power_table(cpufreq_dev, capacitance);
55913diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c
55914index 031018e..90981a1 100644
55915--- a/drivers/thermal/int340x_thermal/int3400_thermal.c
55916+++ b/drivers/thermal/int340x_thermal/int3400_thermal.c
55917@@ -272,8 +272,10 @@ static int int3400_thermal_probe(struct platform_device *pdev)
55918 platform_set_drvdata(pdev, priv);
55919
55920 if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) {
55921- int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
55922- int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
55923+ pax_open_kernel();
55924+ *(void **)&int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
55925+ *(void **)&int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
55926+ pax_close_kernel();
55927 }
55928 priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0,
55929 priv, &int3400_thermal_ops,
55930diff --git a/drivers/thermal/of-thermal.c b/drivers/thermal/of-thermal.c
55931index b295b2b..f7e2a30 100644
55932--- a/drivers/thermal/of-thermal.c
55933+++ b/drivers/thermal/of-thermal.c
55934@@ -31,6 +31,7 @@
55935 #include <linux/export.h>
55936 #include <linux/string.h>
55937 #include <linux/thermal.h>
55938+#include <linux/mm.h>
55939
55940 #include "thermal_core.h"
55941
55942@@ -417,9 +418,11 @@ thermal_zone_of_add_sensor(struct device_node *zone,
55943 tz->ops = ops;
55944 tz->sensor_data = data;
55945
55946- tzd->ops->get_temp = of_thermal_get_temp;
55947- tzd->ops->get_trend = of_thermal_get_trend;
55948- tzd->ops->set_emul_temp = of_thermal_set_emul_temp;
55949+ pax_open_kernel();
55950+ *(void **)&tzd->ops->get_temp = of_thermal_get_temp;
55951+ *(void **)&tzd->ops->get_trend = of_thermal_get_trend;
55952+ *(void **)&tzd->ops->set_emul_temp = of_thermal_set_emul_temp;
55953+ pax_close_kernel();
55954 mutex_unlock(&tzd->lock);
55955
55956 return tzd;
55957@@ -549,9 +552,11 @@ void thermal_zone_of_sensor_unregister(struct device *dev,
55958 return;
55959
55960 mutex_lock(&tzd->lock);
55961- tzd->ops->get_temp = NULL;
55962- tzd->ops->get_trend = NULL;
55963- tzd->ops->set_emul_temp = NULL;
55964+ pax_open_kernel();
55965+ *(void **)&tzd->ops->get_temp = NULL;
55966+ *(void **)&tzd->ops->get_trend = NULL;
55967+ *(void **)&tzd->ops->set_emul_temp = NULL;
55968+ pax_close_kernel();
55969
55970 tz->ops = NULL;
55971 tz->sensor_data = NULL;
55972diff --git a/drivers/thermal/x86_pkg_temp_thermal.c b/drivers/thermal/x86_pkg_temp_thermal.c
55973index 50d1d2c..39c5ce0 100644
55974--- a/drivers/thermal/x86_pkg_temp_thermal.c
55975+++ b/drivers/thermal/x86_pkg_temp_thermal.c
55976@@ -567,7 +567,7 @@ static int pkg_temp_thermal_cpu_callback(struct notifier_block *nfb,
55977 return NOTIFY_OK;
55978 }
55979
55980-static struct notifier_block pkg_temp_thermal_notifier __refdata = {
55981+static struct notifier_block pkg_temp_thermal_notifier __refconst = {
55982 .notifier_call = pkg_temp_thermal_cpu_callback,
55983 };
55984
55985diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c
55986index 87f6578..905c8f8 100644
55987--- a/drivers/tty/cyclades.c
55988+++ b/drivers/tty/cyclades.c
55989@@ -1570,10 +1570,10 @@ static int cy_open(struct tty_struct *tty, struct file *filp)
55990 printk(KERN_DEBUG "cyc:cy_open ttyC%d, count = %d\n", info->line,
55991 info->port.count);
55992 #endif
55993- info->port.count++;
55994+ atomic_inc(&info->port.count);
55995 #ifdef CY_DEBUG_COUNT
55996 printk(KERN_DEBUG "cyc:cy_open (%d): incrementing count to %d\n",
55997- current->pid, info->port.count);
55998+ current->pid, atomic_read(&info->port.count));
55999 #endif
56000
56001 /*
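Review bot: The first debug `printk` in this hunk still passes `info->port.count` to `%d`, although the counter is accessed through `atomic_inc()` and `atomic_read()` on the other changed lines. In a build that enables that debug block the argument would be the atomic object rather than its value. It should read `info->line, atomic_read(&info->port.count));`, matching the converted `CY_DEBUG_COUNT` message below it. The preprocessor conditional guarding the first message opens outside the hunk, so which debug option exposes this is not visible here.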
56002@@ -3970,7 +3970,7 @@ static int cyclades_proc_show(struct seq_file *m, void *v)
56003 for (j = 0; j < cy_card[i].nports; j++) {
56004 info = &cy_card[i].ports[j];
56005
56006- if (info->port.count) {
56007+ if (atomic_read(&info->port.count)) {
56008 /* XXX is the ldisc num worth this? */
56009 struct tty_struct *tty;
56010 struct tty_ldisc *ld;
56011diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
56012index 4e9c4cc..2199d8f 100644
56013--- a/drivers/tty/hvc/hvc_console.c
56014+++ b/drivers/tty/hvc/hvc_console.c
56015@@ -343,7 +343,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
56016
56017 spin_lock_irqsave(&hp->port.lock, flags);
56018 /* Check and then increment for fast path open. */
56019- if (hp->port.count++ > 0) {
56020+ if (atomic_inc_return(&hp->port.count) > 1) {
56021 spin_unlock_irqrestore(&hp->port.lock, flags);
56022 hvc_kick();
56023 return 0;
56024@@ -398,7 +398,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
56025
56026 spin_lock_irqsave(&hp->port.lock, flags);
56027
56028- if (--hp->port.count == 0) {
56029+ if (atomic_dec_return(&hp->port.count) == 0) {
56030 spin_unlock_irqrestore(&hp->port.lock, flags);
56031 /* We are done with the tty pointer now. */
56032 tty_port_tty_set(&hp->port, NULL);
56033@@ -420,9 +420,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
56034 */
56035 tty_wait_until_sent_from_close(tty, HVC_CLOSE_WAIT);
56036 } else {
56037- if (hp->port.count < 0)
56038+ if (atomic_read(&hp->port.count) < 0)
56039 printk(KERN_ERR "hvc_close %X: oops, count is %d\n",
56040- hp->vtermno, hp->port.count);
56041+ hp->vtermno, atomic_read(&hp->port.count));
56042 spin_unlock_irqrestore(&hp->port.lock, flags);
56043 }
56044 }
56045@@ -452,12 +452,12 @@ static void hvc_hangup(struct tty_struct *tty)
56046 * open->hangup case this can be called after the final close so prevent
56047 * that from happening for now.
56048 */
56049- if (hp->port.count <= 0) {
56050+ if (atomic_read(&hp->port.count) <= 0) {
56051 spin_unlock_irqrestore(&hp->port.lock, flags);
56052 return;
56053 }
56054
56055- hp->port.count = 0;
56056+ atomic_set(&hp->port.count, 0);
56057 spin_unlock_irqrestore(&hp->port.lock, flags);
56058 tty_port_tty_set(&hp->port, NULL);
56059
56060@@ -505,7 +505,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count
56061 return -EPIPE;
56062
56063 /* FIXME what's this (unprotected) check for? */
56064- if (hp->port.count <= 0)
56065+ if (atomic_read(&hp->port.count) <= 0)
56066 return -EIO;
56067
56068 spin_lock_irqsave(&hp->lock, flags);
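diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
index f7ff97c..0c0ebbf 100644
--- a/drivers/tty/hvc/hvcs.c
+++ b/drivers/tty/hvc/hvcs.c
@@ -83,6 +83,7 @@
 #include <asm/hvcserver.h>
 #include <asm/uaccess.h>
 #include <asm/vio.h>
+#include <asm/local.h>
 
 /*
 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
@@ -416,7 +417,7 @@ static ssize_t hvcs_vterm_state_store(struct device *dev, struct device_attribut
 
 spin_lock_irqsave(&hvcsd->lock, flags);
 
- if (hvcsd->port.count > 0) {
+ if (atomic_read(&hvcsd->port.count) > 0) {
 spin_unlock_irqrestore(&hvcsd->lock, flags);
 printk(KERN_INFO "HVCS: vterm state unchanged. "
 "The hvcs device node is still in use.\n");
@@ -1127,7 +1128,7 @@ static int hvcs_install(struct tty_driver *driver, struct tty_struct *tty)
 }
 }
 
- hvcsd->port.count = 0;
+ atomic_set(&hvcsd->port.count, 0);
 hvcsd->port.tty = tty;
 tty->driver_data = hvcsd;
 
@@ -1180,7 +1181,7 @@ static int hvcs_open(struct tty_struct *tty, struct file *filp)
 unsigned long flags;
 
 spin_lock_irqsave(&hvcsd->lock, flags);
- hvcsd->port.count++;
+ atomic_inc(&hvcsd->port.count);
 hvcsd->todo_mask |= HVCS_SCHED_READ;
 spin_unlock_irqrestore(&hvcsd->lock, flags);
 
@@ -1216,7 +1217,7 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
 hvcsd = tty->driver_data;
 
 spin_lock_irqsave(&hvcsd->lock, flags);
- if (--hvcsd->port.count == 0) {
+ if (atomic_dec_and_test(&hvcsd->port.count)) {
 
 vio_disable_interrupts(hvcsd->vdev);
 
@@ -1241,10 +1242,10 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
 
 free_irq(irq, hvcsd);
 return;
- } else if (hvcsd->port.count < 0) {
+ } else if (atomic_read(&hvcsd->port.count) < 0) {
 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
 " is missmanaged.\n",
- hvcsd->vdev->unit_address, hvcsd->port.count);
+ hvcsd->vdev->unit_address, atomic_read(&hvcsd->port.count));
 }
 
 spin_unlock_irqrestore(&hvcsd->lock, flags);
@@ -1266,7 +1267,7 @@ static void hvcs_hangup(struct tty_struct * tty)
 
 spin_lock_irqsave(&hvcsd->lock, flags);
 /* Preserve this so that we know how many kref refs to put */
- temp_open_count = hvcsd->port.count;
+ temp_open_count = atomic_read(&hvcsd->port.count);
 
 /*
 * Don't kref put inside the spinlock because the destruction
@@ -1281,7 +1282,7 @@ static void hvcs_hangup(struct tty_struct * tty)
 tty->driver_data = NULL;
 hvcsd->port.tty = NULL;
 
- hvcsd->port.count = 0;
+ atomic_set(&hvcsd->port.count, 0);
 
 /* This will drop any buffered data on the floor which is OK in a hangup
 * scenario. */
@@ -1352,7 +1353,7 @@ static int hvcs_write(struct tty_struct *tty,
 * the middle of a write operation? This is a crummy place to do this
 * but we want to keep it all in the spinlock.
 */
- if (hvcsd->port.count <= 0) {
+ if (atomic_read(&hvcsd->port.count) <= 0) {
 spin_unlock_irqrestore(&hvcsd->lock, flags);
 return -ENODEV;
 }
@@ -1426,7 +1427,7 @@ static int hvcs_write_room(struct tty_struct *tty)
 {
 struct hvcs_struct *hvcsd = tty->driver_data;
 
- if (!hvcsd || hvcsd->port.count <= 0)
+ if (!hvcsd || atomic_read(&hvcsd->port.count) <= 0)
 return 0;
 
 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;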
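Review bot: The new `#include <asm/local.h>` at the top of hvcs.c looks unused: every converted access in this file's hunks goes through `atomic_read`, `atomic_set`, `atomic_inc` or `atomic_dec_and_test`, and none of them is a `local_t` operation. If nothing outside the hunks needs it, drop the include or replace it with `#include <linux/atomic.h>`, which is the header these calls depend on. The same include is added to drivers/tty/ipwireless/tty.c, where the visible hunks also use only `atomic_*` calls.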
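diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c
index 4190199..06d5bfa 100644
--- a/drivers/tty/hvc/hvsi.c
+++ b/drivers/tty/hvc/hvsi.c
@@ -85,7 +85,7 @@ struct hvsi_struct {
 int n_outbuf;
 uint32_t vtermno;
 uint32_t virq;
- atomic_t seqno; /* HVSI packet sequence number */
+ atomic_unchecked_t seqno; /* HVSI packet sequence number */
 uint16_t mctrl;
 uint8_t state; /* HVSI protocol state */
 uint8_t flags;
@@ -295,7 +295,7 @@ static int hvsi_version_respond(struct hvsi_struct *hp, uint16_t query_seqno)
 
 packet.hdr.type = VS_QUERY_RESPONSE_PACKET_HEADER;
 packet.hdr.len = sizeof(struct hvsi_query_response);
- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
 packet.verb = VSV_SEND_VERSION_NUMBER;
 packet.u.version = HVSI_VERSION;
 packet.query_seqno = query_seqno+1;
@@ -555,7 +555,7 @@ static int hvsi_query(struct hvsi_struct *hp, uint16_t verb)
 
 packet.hdr.type = VS_QUERY_PACKET_HEADER;
 packet.hdr.len = sizeof(struct hvsi_query);
- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
 packet.verb = verb;
 
 pr_debug("%s: sending %i bytes\n", __func__, packet.hdr.len);
@@ -597,7 +597,7 @@ static int hvsi_set_mctrl(struct hvsi_struct *hp, uint16_t mctrl)
 int wrote;
 
 packet.hdr.type = VS_CONTROL_PACKET_HEADER,
- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
 packet.hdr.len = sizeof(struct hvsi_control);
 packet.verb = VSV_SET_MODEM_CTL;
 packet.mask = HVSI_TSDTR;
@@ -680,7 +680,7 @@ static int hvsi_put_chars(struct hvsi_struct *hp, const char *buf, int count)
 BUG_ON(count > HVSI_MAX_OUTGOING_DATA);
 
 packet.hdr.type = VS_DATA_PACKET_HEADER;
- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
 packet.hdr.len = count + sizeof(struct hvsi_header);
 memcpy(&packet.data, buf, count);
 
@@ -697,7 +697,7 @@ static void hvsi_close_protocol(struct hvsi_struct *hp)
 struct hvsi_control packet __ALIGNED__;
 
 packet.hdr.type = VS_CONTROL_PACKET_HEADER;
- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
 packet.hdr.len = 6;
 packet.verb = VSV_CLOSE_PROTOCOL;
 
@@ -725,7 +725,7 @@ static int hvsi_open(struct tty_struct *tty, struct file *filp)
 
 tty_port_tty_set(&hp->port, tty);
 spin_lock_irqsave(&hp->lock, flags);
- hp->port.count++;
+ atomic_inc(&hp->port.count);
 atomic_set(&hp->seqno, 0);
 h_vio_signal(hp->vtermno, VIO_IRQ_ENABLE);
 spin_unlock_irqrestore(&hp->lock, flags);
@@ -782,7 +782,7 @@ static void hvsi_close(struct tty_struct *tty, struct file *filp)
 
 spin_lock_irqsave(&hp->lock, flags);
 
- if (--hp->port.count == 0) {
+ if (atomic_dec_return(&hp->port.count) == 0) {
 tty_port_tty_set(&hp->port, NULL);
 hp->inbuf_end = hp->inbuf; /* discard remaining partial packets */
 
@@ -815,9 +815,9 @@ static void hvsi_close(struct tty_struct *tty, struct file *filp)
 
 spin_lock_irqsave(&hp->lock, flags);
 }
- } else if (hp->port.count < 0)
+ } else if (atomic_read(&hp->port.count) < 0)
 printk(KERN_ERR "hvsi_close %lu: oops, count is %d\n",
- hp - hvsi_ports, hp->port.count);
+ hp - hvsi_ports, atomic_read(&hp->port.count));
 
 spin_unlock_irqrestore(&hp->lock, flags);
 }
@@ -832,7 +832,7 @@ static void hvsi_hangup(struct tty_struct *tty)
 tty_port_tty_set(&hp->port, NULL);
 
 spin_lock_irqsave(&hp->lock, flags);
- hp->port.count = 0;
+ atomic_set(&hp->port.count, 0);
 hp->n_outbuf = 0;
 spin_unlock_irqrestore(&hp->lock, flags);
 }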
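Review bot: `hvsi_open` still resets the sequence counter with `atomic_set(&hp->seqno, 0);` (an unchanged context line in the hunk at old line 725), although the first hunk changes `seqno` to `atomic_unchecked_t` and every other user is switched to `atomic_inc_return_unchecked`. That line should become `atomic_set_unchecked(&hp->seqno, 0);`, matching what this patch does for `hvsi_start_handshake` in hvsi_lib.c. Whether the mismatch shows up as a build error or only a warning depends on how `atomic_unchecked_t` is defined for the target configuration, which is not visible here.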
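diff --git a/drivers/tty/hvc/hvsi_lib.c b/drivers/tty/hvc/hvsi_lib.c
index a270f04..7c77b5d 100644
--- a/drivers/tty/hvc/hvsi_lib.c
+++ b/drivers/tty/hvc/hvsi_lib.c
@@ -8,7 +8,7 @@
 
 static int hvsi_send_packet(struct hvsi_priv *pv, struct hvsi_header *packet)
 {
- packet->seqno = cpu_to_be16(atomic_inc_return(&pv->seqno));
+ packet->seqno = cpu_to_be16(atomic_inc_return_unchecked(&pv->seqno));
 
 /* Assumes that always succeeds, works in practice */
 return pv->put_chars(pv->termno, (char *)packet, packet->len);
@@ -20,7 +20,7 @@ static void hvsi_start_handshake(struct hvsi_priv *pv)
 
 /* Reset state */
 pv->established = 0;
- atomic_set(&pv->seqno, 0);
+ atomic_set_unchecked(&pv->seqno, 0);
 
 pr_devel("HVSI@%x: Handshaking started\n", pv->termno);
 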
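diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
index 345cebb..d5a1e9e 100644
--- a/drivers/tty/ipwireless/tty.c
+++ b/drivers/tty/ipwireless/tty.c
@@ -28,6 +28,7 @@
 #include <linux/tty_driver.h>
 #include <linux/tty_flip.h>
 #include <linux/uaccess.h>
+#include <asm/local.h>
 
 #include "tty.h"
 #include "network.h"
@@ -93,10 +94,10 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp)
 return -ENODEV;
 
 mutex_lock(&tty->ipw_tty_mutex);
- if (tty->port.count == 0)
+ if (atomic_read(&tty->port.count) == 0)
 tty->tx_bytes_queued = 0;
 
- tty->port.count++;
+ atomic_inc(&tty->port.count);
 
 tty->port.tty = linux_tty;
 linux_tty->driver_data = tty;
@@ -112,9 +113,7 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp)
 
 static void do_ipw_close(struct ipw_tty *tty)
 {
- tty->port.count--;
-
- if (tty->port.count == 0) {
+ if (atomic_dec_return(&tty->port.count) == 0) {
 struct tty_struct *linux_tty = tty->port.tty;
 
 if (linux_tty != NULL) {
@@ -135,7 +134,7 @@ static void ipw_hangup(struct tty_struct *linux_tty)
 return;
 
 mutex_lock(&tty->ipw_tty_mutex);
- if (tty->port.count == 0) {
+ if (atomic_read(&tty->port.count) == 0) {
 mutex_unlock(&tty->ipw_tty_mutex);
 return;
 }
@@ -158,7 +157,7 @@ void ipwireless_tty_received(struct ipw_tty *tty, unsigned char *data,
 
 mutex_lock(&tty->ipw_tty_mutex);
 
- if (!tty->port.count) {
+ if (!atomic_read(&tty->port.count)) {
 mutex_unlock(&tty->ipw_tty_mutex);
 return;
 }
@@ -197,7 +196,7 @@ static int ipw_write(struct tty_struct *linux_tty,
 return -ENODEV;
 
 mutex_lock(&tty->ipw_tty_mutex);
- if (!tty->port.count) {
+ if (!atomic_read(&tty->port.count)) {
 mutex_unlock(&tty->ipw_tty_mutex);
 return -EINVAL;
 }
@@ -237,7 +236,7 @@ static int ipw_write_room(struct tty_struct *linux_tty)
 if (!tty)
 return -ENODEV;
 
- if (!tty->port.count)
+ if (!atomic_read(&tty->port.count))
 return -EINVAL;
 
 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
@@ -279,7 +278,7 @@ static int ipw_chars_in_buffer(struct tty_struct *linux_tty)
 if (!tty)
 return 0;
 
- if (!tty->port.count)
+ if (!atomic_read(&tty->port.count))
 return 0;
 
 return tty->tx_bytes_queued;
@@ -360,7 +359,7 @@ static int ipw_tiocmget(struct tty_struct *linux_tty)
 if (!tty)
 return -ENODEV;
 
- if (!tty->port.count)
+ if (!atomic_read(&tty->port.count))
 return -EINVAL;
 
 return get_control_lines(tty);
@@ -376,7 +375,7 @@ ipw_tiocmset(struct tty_struct *linux_tty,
 if (!tty)
 return -ENODEV;
 
- if (!tty->port.count)
+ if (!atomic_read(&tty->port.count))
 return -EINVAL;
 
 return set_control_lines(tty, set, clear);
@@ -390,7 +389,7 @@ static int ipw_ioctl(struct tty_struct *linux_tty,
 if (!tty)
 return -ENODEV;
 
- if (!tty->port.count)
+ if (!atomic_read(&tty->port.count))
 return -EINVAL;
 
 /* FIXME: Exactly how is the tty object locked here .. */
@@ -546,7 +545,7 @@ void ipwireless_tty_free(struct ipw_tty *tty)
 * are gone */
 mutex_lock(&ttyj->ipw_tty_mutex);
 }
- while (ttyj->port.count)
+ while (atomic_read(&ttyj->port.count))
 do_ipw_close(ttyj);
 ipwireless_disassociate_network_ttys(network,
 ttyj->channel_idx);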
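diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c
index 14c54e0..1efd4f2 100644
--- a/drivers/tty/moxa.c
+++ b/drivers/tty/moxa.c
@@ -1189,7 +1189,7 @@ static int moxa_open(struct tty_struct *tty, struct file *filp)
 }
 
 ch = &brd->ports[port % MAX_PORTS_PER_BOARD];
- ch->port.count++;
+ atomic_inc(&ch->port.count);
 tty->driver_data = ch;
 tty_port_tty_set(&ch->port, tty);
 mutex_lock(&ch->port.mutex);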
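diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 382d3fc..b16d625 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -1644,7 +1644,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
 spin_lock_init(&dlci->lock);
 mutex_init(&dlci->mutex);
 dlci->fifo = &dlci->_fifo;
- if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
+ if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
 kfree(dlci);
 return NULL;
 }
@@ -2957,7 +2957,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp)
 struct gsm_dlci *dlci = tty->driver_data;
 struct tty_port *port = &dlci->port;
 
- port->count++;
+ atomic_inc(&port->count);
 tty_port_tty_set(port, tty);
 
 dlci->modem_rx = 0;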
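diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index ee8bfac..b605d4b 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -343,8 +343,7 @@ static void n_tty_packet_mode_flush(struct tty_struct *tty)
 spin_lock_irqsave(&tty->ctrl_lock, flags);
 tty->ctrl_status |= TIOCPKT_FLUSHREAD;
 spin_unlock_irqrestore(&tty->ctrl_lock, flags);
- if (waitqueue_active(&tty->link->read_wait))
- wake_up_interruptible(&tty->link->read_wait);
+ wake_up_interruptible(&tty->link->read_wait);
 }
 }
 
@@ -1382,8 +1381,7 @@ handle_newline:
 put_tty_queue(c, ldata);
 smp_store_release(&ldata->canon_head, ldata->read_head);
 kill_fasync(&tty->fasync, SIGIO, POLL_IN);
- if (waitqueue_active(&tty->read_wait))
- wake_up_interruptible_poll(&tty->read_wait, POLLIN);
+ wake_up_interruptible_poll(&tty->read_wait, POLLIN);
 return 0;
 }
 }
@@ -1667,8 +1665,7 @@ static void __receive_buf(struct tty_struct *tty, const unsigned char *cp,
 
 if ((read_cnt(ldata) >= ldata->minimum_to_wake) || L_EXTPROC(tty)) {
 kill_fasync(&tty->fasync, SIGIO, POLL_IN);
- if (waitqueue_active(&tty->read_wait))
- wake_up_interruptible_poll(&tty->read_wait, POLLIN);
+ wake_up_interruptible_poll(&tty->read_wait, POLLIN);
 }
 }
 
@@ -1887,10 +1884,8 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
 }
 
 /* The termios change make the tty ready for I/O */
- if (waitqueue_active(&tty->write_wait))
- wake_up_interruptible(&tty->write_wait);
- if (waitqueue_active(&tty->read_wait))
- wake_up_interruptible(&tty->read_wait);
+ wake_up_interruptible(&tty->write_wait);
+ wake_up_interruptible(&tty->read_wait);
 }
 
 /**
@@ -2579,6 +2574,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
 {
 *ops = tty_ldisc_N_TTY;
 ops->owner = NULL;
- ops->refcount = ops->flags = 0;
+ atomic_set(&ops->refcount, 0);
+ ops->flags = 0;
 }
 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);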
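Review bot: Four call sites (`n_tty_packet_mode_flush`, the `handle_newline` path, `__receive_buf` and `n_tty_set_termios`) drop the `waitqueue_active()` guard with no comment saying why. Presumably the unconditional `wake_up_interruptible*()` is meant to avoid a missed wake-up when the lockless check races with a reader going to sleep. If that is the intent, a short comment at the first site, such as `/* no waitqueue_active() check: it can race with a sleeper and lose the wake-up */`, would keep a later cleanup from putting the guards back.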
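diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index 4d5e840..a2340a6 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -849,8 +849,10 @@ static void __init unix98_pty_init(void)
 panic("Couldn't register Unix98 pts driver");
 
 /* Now create the /dev/ptmx special device */
+ pax_open_kernel();
 tty_default_fops(&ptmx_fops);
- ptmx_fops.open = ptmx_open;
+ *(void **)&ptmx_fops.open = ptmx_open;
+ pax_close_kernel();
 
 cdev_init(&ptmx_cdev, &ptmx_fops);
 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||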
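Review bot: In `unix98_pty_init`, `*(void **)&ptmx_fops.open = ptmx_open;` stores a function pointer through a `void **`, so the compiler no longer checks that `ptmx_open` matches the signature of the `open` member. Casting to the member's own pointer type keeps that check: `*(int (**)(struct inode *, struct file *))&ptmx_fops.open = ptmx_open;`. The same `void **` store is used for the three assignments in `univ8250_rsa_support` in drivers/tty/serial/8250/8250_core.c. `unix98_pty_init` begins and ends outside the hunk.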
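diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
index c8dd8dc..dca6cfd 100644
--- a/drivers/tty/rocket.c
+++ b/drivers/tty/rocket.c
@@ -914,7 +914,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp)
 tty->driver_data = info;
 tty_port_tty_set(port, tty);
 
- if (port->count++ == 0) {
+ if (atomic_inc_return(&port->count) == 1) {
 atomic_inc(&rp_num_ports_open);
 
 #ifdef ROCKET_DEBUG_OPEN
@@ -923,7 +923,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp)
 #endif
 }
 #ifdef ROCKET_DEBUG_OPEN
- printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, info->port.count);
+ printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, atomic-read(&info->port.count));
 #endif
 
 /*
@@ -1515,7 +1515,7 @@ static void rp_hangup(struct tty_struct *tty)
 spin_unlock_irqrestore(&info->port.lock, flags);
 return;
 }
- if (info->port.count)
+ if (atomic_read(&info->port.count))
 atomic_dec(&rp_num_ports_open);
 clear_bit((info->aiop * 8) + info->chan, (void *) &xmit_flags[info->board]);
 spin_unlock_irqrestore(&info->port.lock, flags);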
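Review bot: The debug printk added in `rp_open` reads `atomic-read(&info->port.count)`, with a hyphen instead of an underscore, so it parses as a subtraction and will not compile once `ROCKET_DEBUG_OPEN` is defined. It should be `atomic_read(&info->port.count)`. Because the line sits inside `#ifdef ROCKET_DEBUG_OPEN`, a default build does not catch it. `rp_open` starts and ends outside the hunk.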
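diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
index 37fff12..1a88ae1 100644
--- a/drivers/tty/serial/8250/8250_core.c
+++ b/drivers/tty/serial/8250/8250_core.c
@@ -3229,9 +3229,9 @@ static void univ8250_release_port(struct uart_port *port)
 
 static void univ8250_rsa_support(struct uart_ops *ops)
 {
- ops->config_port = univ8250_config_port;
- ops->request_port = univ8250_request_port;
- ops->release_port = univ8250_release_port;
+ *(void **)&ops->config_port = univ8250_config_port;
+ *(void **)&ops->request_port = univ8250_request_port;
+ *(void **)&ops->release_port = univ8250_release_port;
 }
 
 #else
@@ -3274,8 +3274,10 @@ static void __init serial8250_isa_init_ports(void)
 }
 
 /* chain base port ops to support Remote Supervisor Adapter */
- univ8250_port_ops = *base_ops;
+ pax_open_kernel();
+ memcpy((void *)&univ8250_port_ops, base_ops, sizeof univ8250_port_ops);
 univ8250_rsa_support(&univ8250_port_ops);
+ pax_close_kernel();
 
 if (share_irqs)
 irqflag = IRQF_SHARED;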
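Review bot: `univ8250_rsa_support` now writes the three ops through casts but has no `pax_open_kernel()` of its own; it relies on `serial8250_isa_init_ports` calling it between `pax_open_kernel()` and `pax_close_kernel()`. That contract is invisible at the function, so a comment above it would help, for example `/* writes the (presumably write-protected) ops table: caller must be inside pax_open_kernel()/pax_close_kernel() */`. Only this one caller is visible in the hunks; any other caller would need the same bracket.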
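diff --git a/drivers/tty/serial/ifx6x60.c b/drivers/tty/serial/ifx6x60.c
index 536a33b..1b98f43 100644
--- a/drivers/tty/serial/ifx6x60.c
+++ b/drivers/tty/serial/ifx6x60.c
@@ -649,7 +649,7 @@ static void ifx_spi_complete(void *ctx)
 struct ifx_spi_device *ifx_dev = ctx;
 int length;
 int actual_length;
- unsigned char more;
+ unsigned char more = 0;
 unsigned char cts;
 int local_write_pending = 0;
 int queue_length;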
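diff --git a/drivers/tty/serial/ioc4_serial.c b/drivers/tty/serial/ioc4_serial.c
index e5c42fe..f091b02 100644
--- a/drivers/tty/serial/ioc4_serial.c
+++ b/drivers/tty/serial/ioc4_serial.c
@@ -437,7 +437,7 @@ struct ioc4_soft {
 } is_intr_info[MAX_IOC4_INTR_ENTS];
 
 /* Number of entries active in the above array */
- atomic_t is_num_intrs;
+ atomic_unchecked_t is_num_intrs;
 } is_intr_type[IOC4_NUM_INTR_TYPES];
 
 /* is_ir_lock must be held while
@@ -974,7 +974,7 @@ intr_connect(struct ioc4_soft *soft, int type,
 BUG_ON(!((type == IOC4_SIO_INTR_TYPE)
 || (type == IOC4_OTHER_INTR_TYPE)));
 
- i = atomic_inc_return(&soft-> is_intr_type[type].is_num_intrs) - 1;
+ i = atomic_inc_return_unchecked(&soft-> is_intr_type[type].is_num_intrs) - 1;
 BUG_ON(!(i < MAX_IOC4_INTR_ENTS || (printk("i %d\n", i), 0)));
 
 /* Save off the lower level interrupt handler */
@@ -1001,7 +1001,7 @@ static irqreturn_t ioc4_intr(int irq, void *arg)
 
 soft = arg;
 for (intr_type = 0; intr_type < IOC4_NUM_INTR_TYPES; intr_type++) {
- num_intrs = (int)atomic_read(
+ num_intrs = (int)atomic_read_unchecked(
 &soft->is_intr_type[intr_type].is_num_intrs);
 
 this_mir = this_ir = pending_intrs(soft, intr_type);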
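diff --git a/drivers/tty/serial/kgdb_nmi.c b/drivers/tty/serial/kgdb_nmi.c
index 117df15..2f7dfcf 100644
--- a/drivers/tty/serial/kgdb_nmi.c
+++ b/drivers/tty/serial/kgdb_nmi.c
@@ -53,7 +53,9 @@ static int kgdb_nmi_console_setup(struct console *co, char *options)
 * I/O utilities that messages sent to the console will automatically
 * be displayed on the dbg_io.
 */
- dbg_io_ops->is_console = true;
+ pax_open_kernel();
+ *(int *)&dbg_io_ops->is_console = true;
+ pax_close_kernel();
 
 return 0;
 }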
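Review bot: `*(int *)&dbg_io_ops->is_console = true;` fixes the store width to `int` regardless of how the `is_console` member is declared, and that declaration is not part of this hunk. If the member were ever narrower than `int`, the store would write past it. A `BUILD_BUG_ON(sizeof(dbg_io_ops->is_console) != sizeof(int));` next to the store would pin the assumption at compile time. `kgdb_nmi_console_setup` starts outside the hunk.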
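diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
index a260cde..6b2b5ce 100644
--- a/drivers/tty/serial/kgdboc.c
+++ b/drivers/tty/serial/kgdboc.c
@@ -24,8 +24,9 @@
 #define MAX_CONFIG_LEN 40
 
 static struct kgdb_io kgdboc_io_ops;
+static struct kgdb_io kgdboc_io_ops_console;
 
-/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
+/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */
 static int configured = -1;
 
 static char config[MAX_CONFIG_LEN];
@@ -151,6 +152,8 @@ static void cleanup_kgdboc(void)
 kgdboc_unregister_kbd();
 if (configured == 1)
 kgdb_unregister_io_module(&kgdboc_io_ops);
+ else if (configured == 2)
+ kgdb_unregister_io_module(&kgdboc_io_ops_console);
 }
 
 static int configure_kgdboc(void)
@@ -160,13 +163,13 @@ static int configure_kgdboc(void)
 int err;
 char *cptr = config;
 struct console *cons;
+ int is_console = 0;
 
 err = kgdboc_option_setup(config);
 if (err || !strlen(config) || isspace(config[0]))
 goto noconfig;
 
 err = -ENODEV;
- kgdboc_io_ops.is_console = 0;
 kgdb_tty_driver = NULL;
 
 kgdboc_use_kms = 0;
@@ -187,7 +190,7 @@ static int configure_kgdboc(void)
 int idx;
 if (cons->device && cons->device(cons, &idx) == p &&
 idx == tty_line) {
- kgdboc_io_ops.is_console = 1;
+ is_console = 1;
 break;
 }
 cons = cons->next;
@@ -197,7 +200,13 @@ static int configure_kgdboc(void)
 kgdb_tty_line = tty_line;
 
 do_register:
- err = kgdb_register_io_module(&kgdboc_io_ops);
+ if (is_console) {
+ err = kgdb_register_io_module(&kgdboc_io_ops_console);
+ configured = 2;
+ } else {
+ err = kgdb_register_io_module(&kgdboc_io_ops);
+ configured = 1;
+ }
 if (err)
 goto noconfig;
 
@@ -205,8 +214,6 @@ do_register:
 if (err)
 goto nmi_con_failed;
 
- configured = 1;
-
 return 0;
 
 nmi_con_failed:
@@ -223,7 +230,7 @@ noconfig:
 static int __init init_kgdboc(void)
 {
 /* Already configured? */
- if (configured == 1)
+ if (configured >= 1)
 return 0;
 
 return configure_kgdboc();
@@ -272,7 +279,7 @@ static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
 if (config[len - 1] == '\n')
 config[len - 1] = '\0';
 
- if (configured == 1)
+ if (configured >= 1)
 cleanup_kgdboc();
 
 /* Go and configure with the new params. */
@@ -312,6 +319,15 @@ static struct kgdb_io kgdboc_io_ops = {
 .post_exception = kgdboc_post_exp_handler,
 };
 
+static struct kgdb_io kgdboc_io_ops_console = {
+ .name = "kgdboc",
+ .read_char = kgdboc_get_char,
+ .write_char = kgdboc_put_char,
+ .pre_exception = kgdboc_pre_exp_handler,
+ .post_exception = kgdboc_post_exp_handler,
+ .is_console = 1
+};
+
 #ifdef CONFIG_KGDB_SERIAL_CONSOLE
 /* This is only available if kgdboc is a built in for early debugging */
 static int __init kgdboc_early_init(char *opt)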
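Review bot: In `configure_kgdboc`, the `do_register` block assigns `configured = 2` or `configured = 1` before `err` is tested, so a failed `kgdb_register_io_module()` leaves the module marked as configured until the `noconfig` path (outside the hunks) resets it. Keeping the assignment where the old code had it, as `configured = is_console ? 2 : 1;` just before `return 0;`, avoids that window. The body of `nmi_con_failed:` is also outside the hunks: if it still unregisters `&kgdboc_io_ops`, a registration of `kgdboc_io_ops_console` is never undone there, so it should pick the struct by `is_console` the way `cleanup_kgdboc` picks it by `configured`. Separately, `kgdboc_io_ops_console` repeats every initializer of `kgdboc_io_ops`, so the two tables can drift apart.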
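diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
index b73889c..9f74f0a 100644
--- a/drivers/tty/serial/msm_serial.c
+++ b/drivers/tty/serial/msm_serial.c
@@ -1012,7 +1012,7 @@ static struct uart_driver msm_uart_driver = {
 .cons = MSM_CONSOLE,
 };
 
-static atomic_t msm_uart_next_id = ATOMIC_INIT(0);
+static atomic_unchecked_t msm_uart_next_id = ATOMIC_INIT(0);
 
 static const struct of_device_id msm_uartdm_table[] = {
 { .compatible = "qcom,msm-uartdm-v1.1", .data = (void *)UARTDM_1P1 },
@@ -1036,7 +1036,7 @@ static int msm_serial_probe(struct platform_device *pdev)
 line = pdev->id;
 
 if (line < 0)
- line = atomic_inc_return(&msm_uart_next_id) - 1;
+ line = atomic_inc_return_unchecked(&msm_uart_next_id) - 1;
 
 if (unlikely(line < 0 || line >= UART_NR))
 return -ENXIO;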
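diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index 5916311..1e32415 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -995,11 +995,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port)
 ourport->tx_in_progress = 0;
 }
 
+static int s3c64xx_serial_startup(struct uart_port *port);
 static int s3c24xx_serial_startup(struct uart_port *port)
 {
 struct s3c24xx_uart_port *ourport = to_ourport(port);
 int ret;
 
+ /* Startup sequence is different for s3c64xx and higher SoC's */
+ if (s3c24xx_serial_has_interrupt_mask(port))
+ return s3c64xx_serial_startup(port);
+
 dbg("s3c24xx_serial_startup: port=%p (%08llx,%p)\n",
 port, (unsigned long long)port->mapbase, port->membase);
 
@@ -1706,10 +1711,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
 /* setup info for port */
 port->dev = &platdev->dev;
 
- /* Startup sequence is different for s3c64xx and higher SoC's */
- if (s3c24xx_serial_has_interrupt_mask(port))
- s3c24xx_serial_ops.startup = s3c64xx_serial_startup;
-
 port->uartclk = 1;
 
 if (cfg->uart_flags & UPF_CONS_FLOW) {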
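diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index f368520..c7a703a 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1385,7 +1385,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
 state = drv->state + tty->index;
 port = &state->port;
 spin_lock_irq(&port->lock);
- --port->count;
+ atomic_dec(&port->count);
 spin_unlock_irq(&port->lock);
 return;
 }
@@ -1395,7 +1395,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
 
 pr_debug("uart_close(%d) called\n", uport ? uport->line : -1);
 
- if (!port->count || tty_port_close_start(port, tty, filp) == 0)
+ if (!atomic_read(&port->count) || tty_port_close_start(port, tty, filp) == 0)
 return;
 
 /*
@@ -1520,7 +1520,7 @@ static void uart_hangup(struct tty_struct *tty)
 uart_flush_buffer(tty);
 uart_shutdown(tty, state);
 spin_lock_irqsave(&port->lock, flags);
- port->count = 0;
+ atomic_set(&port->count, 0);
 clear_bit(ASYNCB_NORMAL_ACTIVE, &port->flags);
 spin_unlock_irqrestore(&port->lock, flags);
 tty_port_tty_set(port, NULL);
@@ -1607,7 +1607,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
 pr_debug("uart_open(%d) called\n", line);
 
 spin_lock_irq(&port->lock);
- ++port->count;
+ atomic_inc(&port->count);
 spin_unlock_irq(&port->lock);
 
 /*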
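diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c
index b1c6bd3..5f038e2 100644
--- a/drivers/tty/serial/uartlite.c
+++ b/drivers/tty/serial/uartlite.c
@@ -341,13 +341,13 @@ static int ulite_request_port(struct uart_port *port)
 return -EBUSY;
 }
 
- port->private_data = &uartlite_be;
+ port->private_data = (void *)&uartlite_be;
 ret = uart_in32(ULITE_CONTROL, port);
 uart_out32(ULITE_CONTROL_RST_TX, ULITE_CONTROL, port);
 ret = uart_in32(ULITE_STATUS, port);
 /* Endianess detection */
 if ((ret & ULITE_STATUS_TXEMPTY) != ULITE_STATUS_TXEMPTY)
- port->private_data = &uartlite_le;
+ port->private_data = (void *)&uartlite_le;
 
 return 0;
 }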
56848diff --git a/drivers/tty/synclink.c b/drivers/tty/synclink.c
56849index 2fac712..fcd5268 100644
56850--- a/drivers/tty/synclink.c
56851+++ b/drivers/tty/synclink.c
56852@@ -3090,7 +3090,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp)
56853
56854 if (debug_level >= DEBUG_LEVEL_INFO)
56855 printk("%s(%d):mgsl_close(%s) entry, count=%d\n",
56856- __FILE__,__LINE__, info->device_name, info->port.count);
56857+ __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count));
56858
56859 if (tty_port_close_start(&info->port, tty, filp) == 0)
56860 goto cleanup;
56861@@ -3108,7 +3108,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp)
56862 cleanup:
56863 if (debug_level >= DEBUG_LEVEL_INFO)
56864 printk("%s(%d):mgsl_close(%s) exit, count=%d\n", __FILE__,__LINE__,
56865- tty->driver->name, info->port.count);
56866+ tty->driver->name, atomic_read(&info->port.count));
56867
56868 } /* end of mgsl_close() */
56869
56870@@ -3207,8 +3207,8 @@ static void mgsl_hangup(struct tty_struct *tty)
56871
56872 mgsl_flush_buffer(tty);
56873 shutdown(info);
56874-
56875- info->port.count = 0;
56876+
56877+ atomic_set(&info->port.count, 0);
56878 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
56879 info->port.tty = NULL;
56880
56881@@ -3296,10 +3296,10 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56882
56883 if (debug_level >= DEBUG_LEVEL_INFO)
56884 printk("%s(%d):block_til_ready before block on %s count=%d\n",
56885- __FILE__,__LINE__, tty->driver->name, port->count );
56886+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56887
56888 spin_lock_irqsave(&info->irq_spinlock, flags);
56889- port->count--;
56890+ atomic_dec(&port->count);
56891 spin_unlock_irqrestore(&info->irq_spinlock, flags);
56892 port->blocked_open++;
56893
56894@@ -3327,7 +3327,7 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56895
56896 if (debug_level >= DEBUG_LEVEL_INFO)
56897 printk("%s(%d):block_til_ready blocking on %s count=%d\n",
56898- __FILE__,__LINE__, tty->driver->name, port->count );
56899+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56900
56901 tty_unlock(tty);
56902 schedule();
56903@@ -3339,12 +3339,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56904
56905 /* FIXME: Racy on hangup during close wait */
56906 if (!tty_hung_up_p(filp))
56907- port->count++;
56908+ atomic_inc(&port->count);
56909 port->blocked_open--;
56910
56911 if (debug_level >= DEBUG_LEVEL_INFO)
56912 printk("%s(%d):block_til_ready after blocking on %s count=%d\n",
56913- __FILE__,__LINE__, tty->driver->name, port->count );
56914+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56915
56916 if (!retval)
56917 port->flags |= ASYNC_NORMAL_ACTIVE;
56918@@ -3396,7 +3396,7 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp)
56919
56920 if (debug_level >= DEBUG_LEVEL_INFO)
56921 printk("%s(%d):mgsl_open(%s), old ref count = %d\n",
56922- __FILE__,__LINE__,tty->driver->name, info->port.count);
56923+ __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count));
56924
56925 /* If port is closing, signal caller to try again */
56926 if (info->port.flags & ASYNC_CLOSING){
56927@@ -3415,10 +3415,10 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp)
56928 spin_unlock_irqrestore(&info->netlock, flags);
56929 goto cleanup;
56930 }
56931- info->port.count++;
56932+ atomic_inc(&info->port.count);
56933 spin_unlock_irqrestore(&info->netlock, flags);
56934
56935- if (info->port.count == 1) {
56936+ if (atomic_read(&info->port.count) == 1) {
56937 /* 1st open on this device, init hardware */
56938 retval = startup(info);
56939 if (retval < 0)
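Review bot: The first-open test `atomic_read(&info->port.count) == 1` is evaluated after `netlock` has been dropped, so it observes the counter at that later moment rather than the value this caller's `atomic_inc()` produced. With the field now atomic the two can be tied together: `count = atomic_inc_return(&info->port.count);` under the lock and `if (count == 1) {` after it. The pre-patch code had the same window, and the tty core may already serialise opens (the hunk does not show this), so this is a hardening suggestion rather than a regression; mgsl_open() continues outside the hunk. The open() hunks in synclink_gt.c and synclinkmp.c repeat the pattern.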
56940@@ -3442,8 +3442,8 @@ cleanup:
56941 if (retval) {
56942 if (tty->count == 1)
56943 info->port.tty = NULL; /* tty layer will release tty struct */
56944- if(info->port.count)
56945- info->port.count--;
56946+ if (atomic_read(&info->port.count))
56947+ atomic_dec(&info->port.count);
56948 }
56949
56950 return retval;
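Review bot: In the `cleanup:` path the guard `atomic_read(&info->port.count)` and the following `atomic_dec()` are two separate operations, so the counter can change between them (the hangup paths in this diff reset it with `atomic_set(..., 0)`), and the decrement could then take it below zero. `atomic_dec_if_positive(&info->port.count);` performs the test and the decrement as one step and would replace both lines. The label sits in mgsl_open(), whose body starts outside this hunk. The same two-line pattern is in the `cleanup:` hunks of synclink_gt.c and synclinkmp.c.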
56951@@ -7662,7 +7662,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
56952 unsigned short new_crctype;
56953
56954 /* return error if TTY interface open */
56955- if (info->port.count)
56956+ if (atomic_read(&info->port.count))
56957 return -EBUSY;
56958
56959 switch (encoding)
56960@@ -7758,7 +7758,7 @@ static int hdlcdev_open(struct net_device *dev)
56961
56962 /* arbitrate between network and tty opens */
56963 spin_lock_irqsave(&info->netlock, flags);
56964- if (info->port.count != 0 || info->netcount != 0) {
56965+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
56966 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
56967 spin_unlock_irqrestore(&info->netlock, flags);
56968 return -EBUSY;
56969@@ -7844,7 +7844,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
56970 printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name);
56971
56972 /* return error if TTY interface open */
56973- if (info->port.count)
56974+ if (atomic_read(&info->port.count))
56975 return -EBUSY;
56976
56977 if (cmd != SIOCWANDEV)
56978diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
56979index 0ea8eee..b3f1b8f 100644
56980--- a/drivers/tty/synclink_gt.c
56981+++ b/drivers/tty/synclink_gt.c
56982@@ -670,7 +670,7 @@ static int open(struct tty_struct *tty, struct file *filp)
56983 tty->driver_data = info;
56984 info->port.tty = tty;
56985
56986- DBGINFO(("%s open, old ref count = %d\n", info->device_name, info->port.count));
56987+ DBGINFO(("%s open, old ref count = %d\n", info->device_name, atomic_read(&info->port.count)));
56988
56989 /* If port is closing, signal caller to try again */
56990 if (info->port.flags & ASYNC_CLOSING){
56991@@ -691,10 +691,10 @@ static int open(struct tty_struct *tty, struct file *filp)
56992 mutex_unlock(&info->port.mutex);
56993 goto cleanup;
56994 }
56995- info->port.count++;
56996+ atomic_inc(&info->port.count);
56997 spin_unlock_irqrestore(&info->netlock, flags);
56998
56999- if (info->port.count == 1) {
57000+ if (atomic_read(&info->port.count) == 1) {
57001 /* 1st open on this device, init hardware */
57002 retval = startup(info);
57003 if (retval < 0) {
57004@@ -715,8 +715,8 @@ cleanup:
57005 if (retval) {
57006 if (tty->count == 1)
57007 info->port.tty = NULL; /* tty layer will release tty struct */
57008- if(info->port.count)
57009- info->port.count--;
57010+ if(atomic_read(&info->port.count))
57011+ atomic_dec(&info->port.count);
57012 }
57013
57014 DBGINFO(("%s open rc=%d\n", info->device_name, retval));
57015@@ -729,7 +729,7 @@ static void close(struct tty_struct *tty, struct file *filp)
57016
57017 if (sanity_check(info, tty->name, "close"))
57018 return;
57019- DBGINFO(("%s close entry, count=%d\n", info->device_name, info->port.count));
57020+ DBGINFO(("%s close entry, count=%d\n", info->device_name, atomic_read(&info->port.count)));
57021
57022 if (tty_port_close_start(&info->port, tty, filp) == 0)
57023 goto cleanup;
57024@@ -746,7 +746,7 @@ static void close(struct tty_struct *tty, struct file *filp)
57025 tty_port_close_end(&info->port, tty);
57026 info->port.tty = NULL;
57027 cleanup:
57028- DBGINFO(("%s close exit, count=%d\n", tty->driver->name, info->port.count));
57029+ DBGINFO(("%s close exit, count=%d\n", tty->driver->name, atomic_read(&info->port.count)));
57030 }
57031
57032 static void hangup(struct tty_struct *tty)
57033@@ -764,7 +764,7 @@ static void hangup(struct tty_struct *tty)
57034 shutdown(info);
57035
57036 spin_lock_irqsave(&info->port.lock, flags);
57037- info->port.count = 0;
57038+ atomic_set(&info->port.count, 0);
57039 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
57040 info->port.tty = NULL;
57041 spin_unlock_irqrestore(&info->port.lock, flags);
57042@@ -1449,7 +1449,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
57043 unsigned short new_crctype;
57044
57045 /* return error if TTY interface open */
57046- if (info->port.count)
57047+ if (atomic_read(&info->port.count))
57048 return -EBUSY;
57049
57050 DBGINFO(("%s hdlcdev_attach\n", info->device_name));
57051@@ -1545,7 +1545,7 @@ static int hdlcdev_open(struct net_device *dev)
57052
57053 /* arbitrate between network and tty opens */
57054 spin_lock_irqsave(&info->netlock, flags);
57055- if (info->port.count != 0 || info->netcount != 0) {
57056+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
57057 DBGINFO(("%s hdlc_open busy\n", dev->name));
57058 spin_unlock_irqrestore(&info->netlock, flags);
57059 return -EBUSY;
57060@@ -1630,7 +1630,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
57061 DBGINFO(("%s hdlcdev_ioctl\n", dev->name));
57062
57063 /* return error if TTY interface open */
57064- if (info->port.count)
57065+ if (atomic_read(&info->port.count))
57066 return -EBUSY;
57067
57068 if (cmd != SIOCWANDEV)
57069@@ -2417,7 +2417,7 @@ static irqreturn_t slgt_interrupt(int dummy, void *dev_id)
57070 if (port == NULL)
57071 continue;
57072 spin_lock(&port->lock);
57073- if ((port->port.count || port->netcount) &&
57074+ if ((atomic_read(&port->port.count) || port->netcount) &&
57075 port->pending_bh && !port->bh_running &&
57076 !port->bh_requested) {
57077 DBGISR(("%s bh queued\n", port->device_name));
57078@@ -3303,7 +3303,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57079 add_wait_queue(&port->open_wait, &wait);
57080
57081 spin_lock_irqsave(&info->lock, flags);
57082- port->count--;
57083+ atomic_dec(&port->count);
57084 spin_unlock_irqrestore(&info->lock, flags);
57085 port->blocked_open++;
57086
57087@@ -3339,7 +3339,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57088 remove_wait_queue(&port->open_wait, &wait);
57089
57090 if (!tty_hung_up_p(filp))
57091- port->count++;
57092+ atomic_inc(&port->count);
57093 port->blocked_open--;
57094
57095 if (!retval)
57096diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c
57097index 08633a8..3d56e14 100644
57098--- a/drivers/tty/synclinkmp.c
57099+++ b/drivers/tty/synclinkmp.c
57100@@ -750,7 +750,7 @@ static int open(struct tty_struct *tty, struct file *filp)
57101
57102 if (debug_level >= DEBUG_LEVEL_INFO)
57103 printk("%s(%d):%s open(), old ref count = %d\n",
57104- __FILE__,__LINE__,tty->driver->name, info->port.count);
57105+ __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count));
57106
57107 /* If port is closing, signal caller to try again */
57108 if (info->port.flags & ASYNC_CLOSING){
57109@@ -769,10 +769,10 @@ static int open(struct tty_struct *tty, struct file *filp)
57110 spin_unlock_irqrestore(&info->netlock, flags);
57111 goto cleanup;
57112 }
57113- info->port.count++;
57114+ atomic_inc(&info->port.count);
57115 spin_unlock_irqrestore(&info->netlock, flags);
57116
57117- if (info->port.count == 1) {
57118+ if (atomic_read(&info->port.count) == 1) {
57119 /* 1st open on this device, init hardware */
57120 retval = startup(info);
57121 if (retval < 0)
57122@@ -796,8 +796,8 @@ cleanup:
57123 if (retval) {
57124 if (tty->count == 1)
57125 info->port.tty = NULL; /* tty layer will release tty struct */
57126- if(info->port.count)
57127- info->port.count--;
57128+ if(atomic_read(&info->port.count))
57129+ atomic_dec(&info->port.count);
57130 }
57131
57132 return retval;
57133@@ -815,7 +815,7 @@ static void close(struct tty_struct *tty, struct file *filp)
57134
57135 if (debug_level >= DEBUG_LEVEL_INFO)
57136 printk("%s(%d):%s close() entry, count=%d\n",
57137- __FILE__,__LINE__, info->device_name, info->port.count);
57138+ __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count));
57139
57140 if (tty_port_close_start(&info->port, tty, filp) == 0)
57141 goto cleanup;
57142@@ -834,7 +834,7 @@ static void close(struct tty_struct *tty, struct file *filp)
57143 cleanup:
57144 if (debug_level >= DEBUG_LEVEL_INFO)
57145 printk("%s(%d):%s close() exit, count=%d\n", __FILE__,__LINE__,
57146- tty->driver->name, info->port.count);
57147+ tty->driver->name, atomic_read(&info->port.count));
57148 }
57149
57150 /* Called by tty_hangup() when a hangup is signaled.
57151@@ -857,7 +857,7 @@ static void hangup(struct tty_struct *tty)
57152 shutdown(info);
57153
57154 spin_lock_irqsave(&info->port.lock, flags);
57155- info->port.count = 0;
57156+ atomic_set(&info->port.count, 0);
57157 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
57158 info->port.tty = NULL;
57159 spin_unlock_irqrestore(&info->port.lock, flags);
57160@@ -1565,7 +1565,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
57161 unsigned short new_crctype;
57162
57163 /* return error if TTY interface open */
57164- if (info->port.count)
57165+ if (atomic_read(&info->port.count))
57166 return -EBUSY;
57167
57168 switch (encoding)
57169@@ -1661,7 +1661,7 @@ static int hdlcdev_open(struct net_device *dev)
57170
57171 /* arbitrate between network and tty opens */
57172 spin_lock_irqsave(&info->netlock, flags);
57173- if (info->port.count != 0 || info->netcount != 0) {
57174+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
57175 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
57176 spin_unlock_irqrestore(&info->netlock, flags);
57177 return -EBUSY;
57178@@ -1747,7 +1747,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
57179 printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name);
57180
57181 /* return error if TTY interface open */
57182- if (info->port.count)
57183+ if (atomic_read(&info->port.count))
57184 return -EBUSY;
57185
57186 if (cmd != SIOCWANDEV)
57187@@ -2624,7 +2624,7 @@ static irqreturn_t synclinkmp_interrupt(int dummy, void *dev_id)
57188 * do not request bottom half processing if the
57189 * device is not open in a normal mode.
57190 */
57191- if ( port && (port->port.count || port->netcount) &&
57192+ if ( port && (atomic_read(&port->port.count) || port->netcount) &&
57193 port->pending_bh && !port->bh_running &&
57194 !port->bh_requested ) {
57195 if ( debug_level >= DEBUG_LEVEL_ISR )
57196@@ -3321,10 +3321,10 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57197
57198 if (debug_level >= DEBUG_LEVEL_INFO)
57199 printk("%s(%d):%s block_til_ready() before block, count=%d\n",
57200- __FILE__,__LINE__, tty->driver->name, port->count );
57201+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
57202
57203 spin_lock_irqsave(&info->lock, flags);
57204- port->count--;
57205+ atomic_dec(&port->count);
57206 spin_unlock_irqrestore(&info->lock, flags);
57207 port->blocked_open++;
57208
57209@@ -3352,7 +3352,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57210
57211 if (debug_level >= DEBUG_LEVEL_INFO)
57212 printk("%s(%d):%s block_til_ready() count=%d\n",
57213- __FILE__,__LINE__, tty->driver->name, port->count );
57214+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
57215
57216 tty_unlock(tty);
57217 schedule();
57218@@ -3362,12 +3362,12 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57219 set_current_state(TASK_RUNNING);
57220 remove_wait_queue(&port->open_wait, &wait);
57221 if (!tty_hung_up_p(filp))
57222- port->count++;
57223+ atomic_inc(&port->count);
57224 port->blocked_open--;
57225
57226 if (debug_level >= DEBUG_LEVEL_INFO)
57227 printk("%s(%d):%s block_til_ready() after, count=%d\n",
57228- __FILE__,__LINE__, tty->driver->name, port->count );
57229+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
57230
57231 if (!retval)
57232 port->flags |= ASYNC_NORMAL_ACTIVE;
57233diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
57234index b5b4278..bb9c7b0 100644
57235--- a/drivers/tty/sysrq.c
57236+++ b/drivers/tty/sysrq.c
57237@@ -1072,7 +1072,7 @@ EXPORT_SYMBOL(unregister_sysrq_key);
57238 static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
57239 size_t count, loff_t *ppos)
57240 {
57241- if (count) {
57242+ if (count && capable(CAP_SYS_ADMIN)) {
57243 char c;
57244
57245 if (get_user(c, buf))
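Review bot: A writer without CAP_SYS_ADMIN is not told that the request was refused: the added `capable()` test only skips the `if` body, and unless the code after the hunk returns an error the call reports success while doing nothing. An explicit early exit, `if (!capable(CAP_SYS_ADMIN)) return -EPERM;`, makes the denial visible to the caller and to anything auditing failed writes. `capable()` also evaluates the task performing the write, not the credentials the file was opened with, which is worth stating in a comment. write_sysrq_trigger() continues past the last line shown here.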
57246diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
57247index 4cf263d..fd011fa 100644
57248--- a/drivers/tty/tty_buffer.c
57249+++ b/drivers/tty/tty_buffer.c
57250@@ -242,7 +242,10 @@ void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
57251 atomic_inc(&buf->priority);
57252
57253 mutex_lock(&buf->lock);
57254- while ((next = buf->head->next) != NULL) {
57255+ /* paired w/ release in __tty_buffer_request_room; ensures there are
57256+ * no pending memory accesses to the freed buffer
57257+ */
57258+ while ((next = smp_load_acquire(&buf->head->next)) != NULL) {
57259 tty_buffer_free(port, buf->head);
57260 buf->head = next;
57261 }
57262@@ -290,13 +293,15 @@ static int __tty_buffer_request_room(struct tty_port *port, size_t size,
57263 if (n != NULL) {
57264 n->flags = flags;
57265 buf->tail = n;
57266- b->commit = b->used;
57267- /* paired w/ barrier in flush_to_ldisc(); ensures the
57268+ /* paired w/ acquire in flush_to_ldisc(); ensures
57269+ * flush_to_ldisc() sees buffer data.
57270+ */
57271+ smp_store_release(&b->commit, b->used);
57272+ /* paired w/ acquire in flush_to_ldisc(); ensures the
57273 * latest commit value can be read before the head is
57274 * advanced to the next buffer
57275 */
57276- smp_wmb();
57277- b->next = n;
57278+ smp_store_release(&b->next, n);
57279 } else if (change)
57280 size = 0;
57281 else
57282@@ -394,7 +399,10 @@ void tty_schedule_flip(struct tty_port *port)
57283 {
57284 struct tty_bufhead *buf = &port->buf;
57285
57286- buf->tail->commit = buf->tail->used;
57287+ /* paired w/ acquire in flush_to_ldisc(); ensures
57288+ * flush_to_ldisc() sees buffer data.
57289+ */
57290+ smp_store_release(&buf->tail->commit, buf->tail->used);
57291 schedule_work(&buf->work);
57292 }
57293 EXPORT_SYMBOL(tty_schedule_flip);
57294@@ -469,7 +477,7 @@ static void flush_to_ldisc(struct work_struct *work)
57295 struct tty_struct *tty;
57296 struct tty_ldisc *disc;
57297
57298- tty = port->itty;
57299+ tty = READ_ONCE(port->itty);
57300 if (tty == NULL)
57301 return;
57302
57303@@ -488,13 +496,15 @@ static void flush_to_ldisc(struct work_struct *work)
57304 if (atomic_read(&buf->priority))
57305 break;
57306
57307- next = head->next;
57308- /* paired w/ barrier in __tty_buffer_request_room();
57309+ /* paired w/ release in __tty_buffer_request_room();
57310 * ensures commit value read is not stale if the head
57311 * is advancing to the next buffer
57312 */
57313- smp_rmb();
57314- count = head->commit - head->read;
57315+ next = smp_load_acquire(&head->next);
57316+ /* paired w/ release in __tty_buffer_request_room() or in
57317+ * tty_buffer_flush(); ensures we see the committed buffer data
57318+ */
57319+ count = smp_load_acquire(&head->commit) - head->read;
57320 if (!count) {
57321 if (next == NULL) {
57322 check_other_closed(tty);
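Review bot: The new comment above `smp_load_acquire(&head->commit)` names tty_buffer_flush() as one of the release sides, but in this diff tty_buffer_flush() only gains an `smp_load_acquire()` on `head->next`; the `smp_store_release()` calls on `commit` are in __tty_buffer_request_room() and tty_schedule_flip(). Unless tty_buffer_flush() has a release store outside the visible hunks, the comment should read `paired w/ release in __tty_buffer_request_room() or in tty_schedule_flip(); ensures we see the committed buffer data`. Barrier-pairing comments are what the next reader audits the ordering against, so the function name matters. flush_to_ldisc() starts and ends outside the hunk.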
57323diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
57324index 57fc6ee..62fa290 100644
57325--- a/drivers/tty/tty_io.c
57326+++ b/drivers/tty/tty_io.c
57327@@ -2136,8 +2136,24 @@ retry_open:
57328 if (!noctty &&
57329 current->signal->leader &&
57330 !current->signal->tty &&
57331- tty->session == NULL)
57332- __proc_set_tty(tty);
57333+ tty->session == NULL) {
57334+ /*
57335+ * Don't let a process that only has write access to the tty
57336+ * obtain the privileges associated with having a tty as
57337+ * controlling terminal (being able to reopen it with full
57338+ * access through /dev/tty, being able to perform pushback).
57339+ * Many distributions set the group of all ttys to "tty" and
57340+ * grant write-only access to all terminals for setgid tty
57341+ * binaries, which should not imply full privileges on all ttys.
57342+ *
57343+ * This could theoretically break old code that performs open()
57344+ * on a write-only file descriptor. In that case, it might be
57345+ * necessary to also permit this if
57346+ * inode_permission(inode, MAY_READ) == 0.
57347+ */
57348+ if (filp->f_mode & FMODE_READ)
57349+ __proc_set_tty(tty);
57350+ }
57351 spin_unlock_irq(&current->sighand->siglock);
57352 read_unlock(&tasklist_lock);
57353 tty_unlock(tty);
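Review bot: The write-only restriction is enforced differently on the two paths this patch touches: here a write-only open just skips `__proc_set_tty()` with no override, while the tiocsctty() hunk further down returns -EPERM unless `capable(CAP_SYS_ADMIN)`. The comment explains the threat but not that asymmetry, so a later reader cannot tell whether the missing override in the open path is intended. If it is, one extra sentence in the comment would settle it, for example `Unlike TIOCSCTTY there is no CAP_SYS_ADMIN override here; a privileged caller can still issue the ioctl.` The enclosing function starts and ends outside the hunk.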
57354@@ -2426,7 +2442,7 @@ static int fionbio(struct file *file, int __user *p)
57355 * Takes ->siglock() when updating signal->tty
57356 */
57357
57358-static int tiocsctty(struct tty_struct *tty, int arg)
57359+static int tiocsctty(struct tty_struct *tty, struct file *file, int arg)
57360 {
57361 int ret = 0;
57362
57363@@ -2460,6 +2476,13 @@ static int tiocsctty(struct tty_struct *tty, int arg)
57364 goto unlock;
57365 }
57366 }
57367+
57368+ /* See the comment in tty_open(). */
57369+ if ((file->f_mode & FMODE_READ) == 0 && !capable(CAP_SYS_ADMIN)) {
57370+ ret = -EPERM;
57371+ goto unlock;
57372+ }
57373+
57374 proc_set_tty(tty);
57375 unlock:
57376 read_unlock(&tasklist_lock);
57377@@ -2852,7 +2875,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
57378 no_tty();
57379 return 0;
57380 case TIOCSCTTY:
57381- return tiocsctty(tty, arg);
57382+ return tiocsctty(tty, file, arg);
57383 case TIOCGPGRP:
57384 return tiocgpgrp(tty, real_tty, p);
57385 case TIOCSPGRP:
57386@@ -3501,7 +3524,7 @@ EXPORT_SYMBOL(tty_devnum);
57387
57388 void tty_default_fops(struct file_operations *fops)
57389 {
57390- *fops = tty_fops;
57391+ memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
57392 }
57393
57394 /*
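Review bot: The `(void *)` cast on `fops` hides whatever qualifier the destination type carries, and the hunk gives no reason for replacing the struct assignment with `memcpy()`. Presumably the patch set makes the structure type read-only at build time and callers pass a writable copy that is not yet registered; if so, that contract belongs in a comment, e.g. `/* callers pass a writable, not-yet-registered copy; cast needed because the type is const-qualified */`. Writing the length as `sizeof(*fops)` would also tie the copy size to the destination rather than the source.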
57395diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
57396index c07fb5d..942acf7 100644
57397--- a/drivers/tty/tty_ldisc.c
57398+++ b/drivers/tty/tty_ldisc.c
57399@@ -70,7 +70,7 @@ int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc)
57400 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
57401 tty_ldiscs[disc] = new_ldisc;
57402 new_ldisc->num = disc;
57403- new_ldisc->refcount = 0;
57404+ atomic_set(&new_ldisc->refcount, 0);
57405 raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags);
57406
57407 return ret;
57408@@ -98,7 +98,7 @@ int tty_unregister_ldisc(int disc)
57409 return -EINVAL;
57410
57411 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
57412- if (tty_ldiscs[disc]->refcount)
57413+ if (atomic_read(&tty_ldiscs[disc]->refcount))
57414 ret = -EBUSY;
57415 else
57416 tty_ldiscs[disc] = NULL;
57417@@ -119,7 +119,7 @@ static struct tty_ldisc_ops *get_ldops(int disc)
57418 if (ldops) {
57419 ret = ERR_PTR(-EAGAIN);
57420 if (try_module_get(ldops->owner)) {
57421- ldops->refcount++;
57422+ atomic_inc(&ldops->refcount);
57423 ret = ldops;
57424 }
57425 }
57426@@ -132,7 +132,7 @@ static void put_ldops(struct tty_ldisc_ops *ldops)
57427 unsigned long flags;
57428
57429 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
57430- ldops->refcount--;
57431+ atomic_dec(&ldops->refcount);
57432 module_put(ldops->owner);
57433 raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags);
57434 }
57435diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c
57436index 40b31835..94d92ae 100644
57437--- a/drivers/tty/tty_port.c
57438+++ b/drivers/tty/tty_port.c
57439@@ -236,7 +236,7 @@ void tty_port_hangup(struct tty_port *port)
57440 unsigned long flags;
57441
57442 spin_lock_irqsave(&port->lock, flags);
57443- port->count = 0;
57444+ atomic_set(&port->count, 0);
57445 port->flags &= ~ASYNC_NORMAL_ACTIVE;
57446 tty = port->tty;
57447 if (tty)
57448@@ -398,7 +398,7 @@ int tty_port_block_til_ready(struct tty_port *port,
57449
57450 /* The port lock protects the port counts */
57451 spin_lock_irqsave(&port->lock, flags);
57452- port->count--;
57453+ atomic_dec(&port->count);
57454 port->blocked_open++;
57455 spin_unlock_irqrestore(&port->lock, flags);
57456
57457@@ -440,7 +440,7 @@ int tty_port_block_til_ready(struct tty_port *port,
57458 we must not mess that up further */
57459 spin_lock_irqsave(&port->lock, flags);
57460 if (!tty_hung_up_p(filp))
57461- port->count++;
57462+ atomic_inc(&port->count);
57463 port->blocked_open--;
57464 if (retval == 0)
57465 port->flags |= ASYNC_NORMAL_ACTIVE;
57466@@ -476,19 +476,19 @@ int tty_port_close_start(struct tty_port *port,
57467 return 0;
57468
57469 spin_lock_irqsave(&port->lock, flags);
57470- if (tty->count == 1 && port->count != 1) {
57471+ if (tty->count == 1 && atomic_read(&port->count) != 1) {
57472 printk(KERN_WARNING
57473 "tty_port_close_start: tty->count = 1 port count = %d.\n",
57474- port->count);
57475- port->count = 1;
57476+ atomic_read(&port->count));
57477+ atomic_set(&port->count, 1);
57478 }
57479- if (--port->count < 0) {
57480+ if (atomic_dec_return(&port->count) < 0) {
57481 printk(KERN_WARNING "tty_port_close_start: count = %d\n",
57482- port->count);
57483- port->count = 0;
57484+ atomic_read(&port->count));
57485+ atomic_set(&port->count, 0);
57486 }
57487
57488- if (port->count) {
57489+ if (atomic_read(&port->count)) {
57490 spin_unlock_irqrestore(&port->lock, flags);
57491 return 0;
57492 }
57493@@ -590,7 +590,7 @@ int tty_port_open(struct tty_port *port, struct tty_struct *tty,
57494 struct file *filp)
57495 {
57496 spin_lock_irq(&port->lock);
57497- ++port->count;
57498+ atomic_inc(&port->count);
57499 spin_unlock_irq(&port->lock);
57500 tty_port_tty_set(port, tty);
57501
57502diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
57503index 6f0336f..5818bc1 100644
57504--- a/drivers/tty/vt/keyboard.c
57505+++ b/drivers/tty/vt/keyboard.c
57506@@ -642,6 +642,16 @@ static void k_spec(struct vc_data *vc, unsigned char value, char up_flag)
57507 kbd->kbdmode == VC_OFF) &&
57508 value != KVAL(K_SAK))
57509 return; /* SAK is allowed even in raw mode */
57510+
57511+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
57512+ {
57513+ void *func = fn_handler[value];
57514+ if (func == fn_show_state || func == fn_show_ptregs ||
57515+ func == fn_show_mem)
57516+ return;
57517+ }
57518+#endif
57519+
57520 fn_handler[value](vc);
57521 }
57522
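Review bot: The added block makes three handlers silently unreachable from the keyboard when either option is set, and there is no comment saying why. Judging by their names, `fn_show_state`, `fn_show_ptregs` and `fn_show_mem` print task, register and memory information to the console, which would sidestep the /proc restrictions those options impose; a one-line comment such as `/* these handlers dump kernel state to the console; keep them off when /proc is restricted */` would record that. `func` is also declared `void *` and compared against function addresses, which relies on a compiler extension; declaring it with the element type of `fn_handler` avoids the conversion. k_spec() starts before the hunk, so any bounds check on `value` is not visible here.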
57523@@ -1880,9 +1890,6 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
57524 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
57525 return -EFAULT;
57526
57527- if (!capable(CAP_SYS_TTY_CONFIG))
57528- perm = 0;
57529-
57530 switch (cmd) {
57531 case KDGKBENT:
57532 /* Ensure another thread doesn't free it under us */
57533@@ -1897,6 +1904,9 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
57534 spin_unlock_irqrestore(&kbd_event_lock, flags);
57535 return put_user(val, &user_kbe->kb_value);
57536 case KDSKBENT:
57537+ if (!capable(CAP_SYS_TTY_CONFIG))
57538+ perm = 0;
57539+
57540 if (!perm)
57541 return -EPERM;
57542 if (!i && v == K_NOSUCHMAP) {
57543@@ -1987,9 +1997,6 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
57544 int i, j, k;
57545 int ret;
57546
57547- if (!capable(CAP_SYS_TTY_CONFIG))
57548- perm = 0;
57549-
57550 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
57551 if (!kbs) {
57552 ret = -ENOMEM;
57553@@ -2023,6 +2030,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
57554 kfree(kbs);
57555 return ((p && *p) ? -EOVERFLOW : 0);
57556 case KDSKBSENT:
57557+ if (!capable(CAP_SYS_TTY_CONFIG))
57558+ perm = 0;
57559+
57560 if (!perm) {
57561 ret = -EPERM;
57562 goto reterr;
57563diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
57564index 3257d42..b430b06 100644
57565--- a/drivers/uio/uio.c
57566+++ b/drivers/uio/uio.c
57567@@ -25,6 +25,7 @@
57568 #include <linux/kobject.h>
57569 #include <linux/cdev.h>
57570 #include <linux/uio_driver.h>
57571+#include <asm/local.h>
57572
57573 #define UIO_MAX_DEVICES (1U << MINORBITS)
57574
57575@@ -231,7 +232,7 @@ static ssize_t event_show(struct device *dev,
57576 struct device_attribute *attr, char *buf)
57577 {
57578 struct uio_device *idev = dev_get_drvdata(dev);
57579- return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
57580+ return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
57581 }
57582 static DEVICE_ATTR_RO(event);
57583
57584@@ -393,7 +394,7 @@ void uio_event_notify(struct uio_info *info)
57585 {
57586 struct uio_device *idev = info->uio_dev;
57587
57588- atomic_inc(&idev->event);
57589+ atomic_inc_unchecked(&idev->event);
57590 wake_up_interruptible(&idev->wait);
57591 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
57592 }
57593@@ -446,7 +447,7 @@ static int uio_open(struct inode *inode, struct file *filep)
57594 }
57595
57596 listener->dev = idev;
57597- listener->event_count = atomic_read(&idev->event);
57598+ listener->event_count = atomic_read_unchecked(&idev->event);
57599 filep->private_data = listener;
57600
57601 if (idev->info->open) {
57602@@ -497,7 +498,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait)
57603 return -EIO;
57604
57605 poll_wait(filep, &idev->wait, wait);
57606- if (listener->event_count != atomic_read(&idev->event))
57607+ if (listener->event_count != atomic_read_unchecked(&idev->event))
57608 return POLLIN | POLLRDNORM;
57609 return 0;
57610 }
57611@@ -522,7 +523,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf,
57612 do {
57613 set_current_state(TASK_INTERRUPTIBLE);
57614
57615- event_count = atomic_read(&idev->event);
57616+ event_count = atomic_read_unchecked(&idev->event);
57617 if (event_count != listener->event_count) {
57618 if (copy_to_user(buf, &event_count, count))
57619 retval = -EFAULT;
57620@@ -579,9 +580,13 @@ static ssize_t uio_write(struct file *filep, const char __user *buf,
57621 static int uio_find_mem_index(struct vm_area_struct *vma)
57622 {
57623 struct uio_device *idev = vma->vm_private_data;
57624+ unsigned long size;
57625
57626 if (vma->vm_pgoff < MAX_UIO_MAPS) {
57627- if (idev->info->mem[vma->vm_pgoff].size == 0)
57628+ size = idev->info->mem[vma->vm_pgoff].size;
57629+ if (size == 0)
57630+ return -1;
57631+ if (vma->vm_end - vma->vm_start > size)
57632 return -1;
57633 return (int)vma->vm_pgoff;
57634 }
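Review bot: `size` is declared `unsigned long`, so if the `size` member of the memory-region descriptor is a wider type on some configurations (its declaration is not in the hunk), the assignment truncates before both new checks run. A truncated value can turn a large region into 0 or into a smaller bound; that fails closed for the length check, but declaring the local with the member's own type removes the question. The length check compares the whole VMA span against the region size, so a region smaller than one page can no longer be mapped at all; it is worth confirming that no in-tree user registers one.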
57635@@ -813,7 +818,7 @@ int __uio_register_device(struct module *owner,
57636 idev->owner = owner;
57637 idev->info = info;
57638 init_waitqueue_head(&idev->wait);
57639- atomic_set(&idev->event, 0);
57640+ atomic_set_unchecked(&idev->event, 0);
57641
57642 ret = uio_get_minor(idev);
57643 if (ret)
57644diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
57645index 813d4d3..a71934f 100644
57646--- a/drivers/usb/atm/cxacru.c
57647+++ b/drivers/usb/atm/cxacru.c
57648@@ -472,7 +472,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev,
57649 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
57650 if (ret < 2)
57651 return -EINVAL;
57652- if (index < 0 || index > 0x7f)
57653+ if (index > 0x7f)
57654 return -EINVAL;
57655 pos += tmp;
57656
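Review bot: With `index < 0` removed, `index > 0x7f` is the only bound on a value parsed from a sysfs write, and it is sufficient only while `index` has an unsigned type. The declaration is outside the hunk; the `%x` conversion in the `sscanf()` call expects an `unsigned int *`, which suggests it is unsigned and that the dropped test was dead code. A short comment at the check, `/* index is unsigned: the upper bound is the only one needed */`, would keep a later type change from silently reopening the lower bound.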
57657diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
57658index db322d9..f0f4bc1 100644
57659--- a/drivers/usb/atm/usbatm.c
57660+++ b/drivers/usb/atm/usbatm.c
57661@@ -331,7 +331,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57662 if (printk_ratelimit())
57663 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
57664 __func__, vpi, vci);
57665- atomic_inc(&vcc->stats->rx_err);
57666+ atomic_inc_unchecked(&vcc->stats->rx_err);
57667 return;
57668 }
57669
57670@@ -358,7 +358,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57671 if (length > ATM_MAX_AAL5_PDU) {
57672 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
57673 __func__, length, vcc);
57674- atomic_inc(&vcc->stats->rx_err);
57675+ atomic_inc_unchecked(&vcc->stats->rx_err);
57676 goto out;
57677 }
57678
57679@@ -367,14 +367,14 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57680 if (sarb->len < pdu_length) {
57681 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
57682 __func__, pdu_length, sarb->len, vcc);
57683- atomic_inc(&vcc->stats->rx_err);
57684+ atomic_inc_unchecked(&vcc->stats->rx_err);
57685 goto out;
57686 }
57687
57688 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
57689 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
57690 __func__, vcc);
57691- atomic_inc(&vcc->stats->rx_err);
57692+ atomic_inc_unchecked(&vcc->stats->rx_err);
57693 goto out;
57694 }
57695
57696@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57697 if (printk_ratelimit())
57698 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
57699 __func__, length);
57700- atomic_inc(&vcc->stats->rx_drop);
57701+ atomic_inc_unchecked(&vcc->stats->rx_drop);
57702 goto out;
57703 }
57704
57705@@ -415,7 +415,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57706
57707 vcc->push(vcc, skb);
57708
57709- atomic_inc(&vcc->stats->rx);
57710+ atomic_inc_unchecked(&vcc->stats->rx);
57711 out:
57712 skb_trim(sarb, 0);
57713 }
57714@@ -613,7 +613,7 @@ static void usbatm_tx_process(unsigned long data)
57715 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
57716
57717 usbatm_pop(vcc, skb);
57718- atomic_inc(&vcc->stats->tx);
57719+ atomic_inc_unchecked(&vcc->stats->tx);
57720
57721 skb = skb_dequeue(&instance->sndqueue);
57722 }
57723@@ -757,11 +757,11 @@ static int usbatm_atm_proc_read(struct atm_dev *atm_dev, loff_t *pos, char *page
57724 if (!left--)
57725 return sprintf(page,
57726 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
57727- atomic_read(&atm_dev->stats.aal5.tx),
57728- atomic_read(&atm_dev->stats.aal5.tx_err),
57729- atomic_read(&atm_dev->stats.aal5.rx),
57730- atomic_read(&atm_dev->stats.aal5.rx_err),
57731- atomic_read(&atm_dev->stats.aal5.rx_drop));
57732+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
57733+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
57734+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
57735+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
57736+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
57737
57738 if (!left--) {
57739 if (instance->disconnected)
57740diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
57741index 2a3bbdf..91d72cf 100644
57742--- a/drivers/usb/core/devices.c
57743+++ b/drivers/usb/core/devices.c
57744@@ -126,7 +126,7 @@ static const char format_endpt[] =
57745 * time it gets called.
57746 */
57747 static struct device_connect_event {
57748- atomic_t count;
57749+ atomic_unchecked_t count;
57750 wait_queue_head_t wait;
57751 } device_event = {
57752 .count = ATOMIC_INIT(1),
57753@@ -164,7 +164,7 @@ static const struct class_info clas_info[] = {
57754
57755 void usbfs_conn_disc_event(void)
57756 {
57757- atomic_add(2, &device_event.count);
57758+ atomic_add_unchecked(2, &device_event.count);
57759 wake_up(&device_event.wait);
57760 }
57761
57762@@ -652,7 +652,7 @@ static unsigned int usb_device_poll(struct file *file,
57763
57764 poll_wait(file, &device_event.wait, wait);
57765
57766- event_count = atomic_read(&device_event.count);
57767+ event_count = atomic_read_unchecked(&device_event.count);
57768 if (file->f_version != event_count) {
57769 file->f_version = event_count;
57770 return POLLIN | POLLRDNORM;
57771diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
57772index 986abde..80e8279 100644
57773--- a/drivers/usb/core/devio.c
57774+++ b/drivers/usb/core/devio.c
57775@@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
57776 struct usb_dev_state *ps = file->private_data;
57777 struct usb_device *dev = ps->dev;
57778 ssize_t ret = 0;
57779- unsigned len;
57780+ size_t len;
57781 loff_t pos;
57782 int i;
57783
57784@@ -229,22 +229,22 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
57785 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
57786 struct usb_config_descriptor *config =
57787 (struct usb_config_descriptor *)dev->rawdescriptors[i];
57788- unsigned int length = le16_to_cpu(config->wTotalLength);
57789+ size_t length = le16_to_cpu(config->wTotalLength);
57790
57791 if (*ppos < pos + length) {
57792
57793 /* The descriptor may claim to be longer than it
57794 * really is. Here is the actual allocated length. */
57795- unsigned alloclen =
57796+ size_t alloclen =
57797 le16_to_cpu(dev->config[i].desc.wTotalLength);
57798
57799- len = length - (*ppos - pos);
57800+ len = length + pos - *ppos;
57801 if (len > nbytes)
57802 len = nbytes;
57803
57804 /* Simply don't write (skip over) unallocated parts */
57805 if (alloclen > (*ppos - pos)) {
57806- alloclen -= (*ppos - pos);
57807+ alloclen = alloclen + pos - *ppos;
57808 if (copy_to_user(buf,
57809 dev->rawdescriptors[i] + (*ppos - pos),
57810 min(len, alloclen))) {
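Review bot: The reordered length arithmetic in usbdev_read (`len = length + pos - *ppos;` and `alloclen = alloclen + pos - *ppos;`) has no comment saying why the subtraction was rewritten, while the unchanged lines next to it still use `(*ppos - pos)`. Both forms give the same value, so a later cleanup could easily fold them back. The reordering presumably goes with the switch of the locals to `size_t`, but the page does not say so. A one-line comment above the first assignment, such as `/* add before subtracting; keep this order with the size_t locals */`, would record the intent. The function starts before this hunk and the hunk ends inside the copy_to_user() call.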
57811diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
57812index cbcd092..e783f87 100644
57813--- a/drivers/usb/core/hcd.c
57814+++ b/drivers/usb/core/hcd.c
57815@@ -1554,7 +1554,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
57816 */
57817 usb_get_urb(urb);
57818 atomic_inc(&urb->use_count);
57819- atomic_inc(&urb->dev->urbnum);
57820+ atomic_inc_unchecked(&urb->dev->urbnum);
57821 usbmon_urb_submit(&hcd->self, urb);
57822
57823 /* NOTE requirements on root-hub callers (usbfs and the hub
57824@@ -1581,7 +1581,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
57825 urb->hcpriv = NULL;
57826 INIT_LIST_HEAD(&urb->urb_list);
57827 atomic_dec(&urb->use_count);
57828- atomic_dec(&urb->dev->urbnum);
57829+ atomic_dec_unchecked(&urb->dev->urbnum);
57830 if (atomic_read(&urb->reject))
57831 wake_up(&usb_kill_urb_queue);
57832 usb_put_urb(urb);
57833diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
57834index 73dfa19..c22f1e43 100644
57835--- a/drivers/usb/core/hub.c
57836+++ b/drivers/usb/core/hub.c
57837@@ -26,6 +26,7 @@
57838 #include <linux/mutex.h>
57839 #include <linux/random.h>
57840 #include <linux/pm_qos.h>
57841+#include <linux/grsecurity.h>
57842
57843 #include <asm/uaccess.h>
57844 #include <asm/byteorder.h>
57845@@ -4655,6 +4656,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
57846 goto done;
57847 return;
57848 }
57849+
57850+ if (gr_handle_new_usb())
57851+ goto done;
57852+
57853 if (hub_is_superspeed(hub->hdev))
57854 unit_load = 150;
57855 else
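Review bot: The new `if (gr_handle_new_usb()) goto done;` check in hub_port_connect has no comment, and nothing in the hunk shows that a refused device is reported anywhere. An administrator whose device fails to enumerate needs to tell a policy decision from a hardware fault, so it is worth confirming that gr_handle_new_usb() logs the refusal; its body is not in this hunk. A comment such as `/* grsecurity policy hook: a non-zero return refuses the newly connected device */` would document the call site. hub_port_connect starts and ends outside the hunk, so what the `done` path does with the port is not visible here.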
57856diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
57857index d269738..7340cd7 100644
57858--- a/drivers/usb/core/sysfs.c
57859+++ b/drivers/usb/core/sysfs.c
57860@@ -244,7 +244,7 @@ static ssize_t urbnum_show(struct device *dev, struct device_attribute *attr,
57861 struct usb_device *udev;
57862
57863 udev = to_usb_device(dev);
57864- return sprintf(buf, "%d\n", atomic_read(&udev->urbnum));
57865+ return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum));
57866 }
57867 static DEVICE_ATTR_RO(urbnum);
57868
57869diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
57870index 8d5b2f4..3896940 100644
57871--- a/drivers/usb/core/usb.c
57872+++ b/drivers/usb/core/usb.c
57873@@ -447,7 +447,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
57874 set_dev_node(&dev->dev, dev_to_node(bus->controller));
57875 dev->state = USB_STATE_ATTACHED;
57876 dev->lpm_disable_count = 1;
57877- atomic_set(&dev->urbnum, 0);
57878+ atomic_set_unchecked(&dev->urbnum, 0);
57879
57880 INIT_LIST_HEAD(&dev->ep0.urb_list);
57881 dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
57882diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
57883index 8cfc319..4868255 100644
57884--- a/drivers/usb/early/ehci-dbgp.c
57885+++ b/drivers/usb/early/ehci-dbgp.c
57886@@ -98,7 +98,8 @@ static inline u32 dbgp_len_update(u32 x, u32 len)
57887
57888 #ifdef CONFIG_KGDB
57889 static struct kgdb_io kgdbdbgp_io_ops;
57890-#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
57891+static struct kgdb_io kgdbdbgp_io_ops_console;
57892+#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console)
57893 #else
57894 #define dbgp_kgdb_mode (0)
57895 #endif
57896@@ -1043,6 +1044,13 @@ static struct kgdb_io kgdbdbgp_io_ops = {
57897 .write_char = kgdbdbgp_write_char,
57898 };
57899
57900+static struct kgdb_io kgdbdbgp_io_ops_console = {
57901+ .name = "kgdbdbgp",
57902+ .read_char = kgdbdbgp_read_char,
57903+ .write_char = kgdbdbgp_write_char,
57904+ .is_console = 1
57905+};
57906+
57907 static int kgdbdbgp_wait_time;
57908
57909 static int __init kgdbdbgp_parse_config(char *str)
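Review bot: `kgdbdbgp_io_ops_console` repeats every field of `kgdbdbgp_io_ops` and differs only in `.is_console = 1`, with no comment explaining why two copies exist. The last hunk of this file shows the reason indirectly: the runtime store to `kgdbdbgp_io_ops.is_console` is removed and the variant is chosen at registration time, presumably so the ops struct never has to be written after initialisation. A comment above the new struct, e.g. `/* console variant of kgdbdbgp_io_ops; keep the two in sync */`, would stop the definitions drifting apart. The final initializer should also end with a trailing comma, `.is_console = 1,`, like the entries above it.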
57910@@ -1058,8 +1066,10 @@ static int __init kgdbdbgp_parse_config(char *str)
57911 ptr++;
57912 kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10);
57913 }
57914- kgdb_register_io_module(&kgdbdbgp_io_ops);
57915- kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1;
57916+ if (early_dbgp_console.index != -1)
57917+ kgdb_register_io_module(&kgdbdbgp_io_ops_console);
57918+ else
57919+ kgdb_register_io_module(&kgdbdbgp_io_ops);
57920
57921 return 0;
57922 }
57923diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c
57924index 7856b33..8b7fe09 100644
57925--- a/drivers/usb/gadget/function/f_uac1.c
57926+++ b/drivers/usb/gadget/function/f_uac1.c
57927@@ -14,6 +14,7 @@
57928 #include <linux/module.h>
57929 #include <linux/device.h>
57930 #include <linux/atomic.h>
57931+#include <linux/module.h>
57932
57933 #include "u_uac1.h"
57934
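Review bot: The added `#include <linux/module.h>` duplicates the include that is already the first context line of this hunk, three lines above it. Include guards make it harmless at build time, but the line adds nothing and should be dropped from the patch. If a different header was intended, the hunk gives no indication of which one.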
57935diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
57936index 7ee05793..2e31e99 100644
57937--- a/drivers/usb/gadget/function/u_serial.c
57938+++ b/drivers/usb/gadget/function/u_serial.c
57939@@ -732,9 +732,9 @@ static int gs_open(struct tty_struct *tty, struct file *file)
57940 spin_lock_irq(&port->port_lock);
57941
57942 /* already open? Great. */
57943- if (port->port.count) {
57944+ if (atomic_read(&port->port.count)) {
57945 status = 0;
57946- port->port.count++;
57947+ atomic_inc(&port->port.count);
57948
57949 /* currently opening/closing? wait ... */
57950 } else if (port->openclose) {
57951@@ -793,7 +793,7 @@ static int gs_open(struct tty_struct *tty, struct file *file)
57952 tty->driver_data = port;
57953 port->port.tty = tty;
57954
57955- port->port.count = 1;
57956+ atomic_set(&port->port.count, 1);
57957 port->openclose = false;
57958
57959 /* if connected, start the I/O stream */
57960@@ -835,11 +835,11 @@ static void gs_close(struct tty_struct *tty, struct file *file)
57961
57962 spin_lock_irq(&port->port_lock);
57963
57964- if (port->port.count != 1) {
57965- if (port->port.count == 0)
57966+ if (atomic_read(&port->port.count) != 1) {
57967+ if (atomic_read(&port->port.count) == 0)
57968 WARN_ON(1);
57969 else
57970- --port->port.count;
57971+ atomic_dec(&port->port.count);
57972 goto exit;
57973 }
57974
57975@@ -849,7 +849,7 @@ static void gs_close(struct tty_struct *tty, struct file *file)
57976 * and sleep if necessary
57977 */
57978 port->openclose = true;
57979- port->port.count = 0;
57980+ atomic_set(&port->port.count, 0);
57981
57982 gser = port->port_usb;
57983 if (gser && gser->disconnect)
57984@@ -1065,7 +1065,7 @@ static int gs_closed(struct gs_port *port)
57985 int cond;
57986
57987 spin_lock_irq(&port->port_lock);
57988- cond = (port->port.count == 0) && !port->openclose;
57989+ cond = (atomic_read(&port->port.count) == 0) && !port->openclose;
57990 spin_unlock_irq(&port->port_lock);
57991 return cond;
57992 }
57993@@ -1208,7 +1208,7 @@ int gserial_connect(struct gserial *gser, u8 port_num)
57994 /* if it's already open, start I/O ... and notify the serial
57995 * protocol about open/close status (connect/disconnect).
57996 */
57997- if (port->port.count) {
57998+ if (atomic_read(&port->port.count)) {
57999 pr_debug("gserial_connect: start ttyGS%d\n", port->port_num);
58000 gs_start_io(port);
58001 if (gser->connect)
58002@@ -1255,7 +1255,7 @@ void gserial_disconnect(struct gserial *gser)
58003
58004 port->port_usb = NULL;
58005 gser->ioport = NULL;
58006- if (port->port.count > 0 || port->openclose) {
58007+ if (atomic_read(&port->port.count) > 0 || port->openclose) {
58008 wake_up_interruptible(&port->drain_wait);
58009 if (port->port.tty)
58010 tty_hangup(port->port.tty);
58011@@ -1271,7 +1271,7 @@ void gserial_disconnect(struct gserial *gser)
58012
58013 /* finally, free any unused/unusable I/O buffers */
58014 spin_lock_irqsave(&port->port_lock, flags);
58015- if (port->port.count == 0 && !port->openclose)
58016+ if (atomic_read(&port->port.count) == 0 && !port->openclose)
58017 gs_buf_free(&port->port_write_buf);
58018 gs_free_requests(gser->out, &port->read_pool, NULL);
58019 gs_free_requests(gser->out, &port->read_queue, NULL);
58020diff --git a/drivers/usb/gadget/function/u_uac1.c b/drivers/usb/gadget/function/u_uac1.c
58021index c78c841..48fd281 100644
58022--- a/drivers/usb/gadget/function/u_uac1.c
58023+++ b/drivers/usb/gadget/function/u_uac1.c
58024@@ -17,6 +17,7 @@
58025 #include <linux/ctype.h>
58026 #include <linux/random.h>
58027 #include <linux/syscalls.h>
58028+#include <linux/module.h>
58029
58030 #include "u_uac1.h"
58031
58032diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
58033index 181112c..036bcab 100644
58034--- a/drivers/usb/gadget/udc/dummy_hcd.c
58035+++ b/drivers/usb/gadget/udc/dummy_hcd.c
58036@@ -2384,7 +2384,7 @@ static int dummy_setup(struct usb_hcd *hcd)
58037 struct dummy *dum;
58038
58039 dum = *((void **)dev_get_platdata(hcd->self.controller));
58040- hcd->self.sg_tablesize = ~0;
58041+ hcd->self.sg_tablesize = SG_ALL;
58042 if (usb_hcd_is_primary_hcd(hcd)) {
58043 dum->hs_hcd = hcd_to_dummy_hcd(hcd);
58044 dum->hs_hcd->dum = dum;
58045diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
58046index c63d82c..a7e8665 100644
58047--- a/drivers/usb/host/ehci-hcd.c
58048+++ b/drivers/usb/host/ehci-hcd.c
58049@@ -564,7 +564,7 @@ static int ehci_init(struct usb_hcd *hcd)
58050
58051 /* Accept arbitrarily long scatter-gather lists */
58052 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
58053- hcd->self.sg_tablesize = ~0;
58054+ hcd->self.sg_tablesize = SG_ALL;
58055 return 0;
58056 }
58057
58058diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
58059index 22abb68..50b7b84 100644
58060--- a/drivers/usb/host/ehci-hub.c
58061+++ b/drivers/usb/host/ehci-hub.c
58062@@ -773,7 +773,7 @@ static struct urb *request_single_step_set_feature_urb(
58063 urb->transfer_flags = URB_DIR_IN;
58064 usb_get_urb(urb);
58065 atomic_inc(&urb->use_count);
58066- atomic_inc(&urb->dev->urbnum);
58067+ atomic_inc_unchecked(&urb->dev->urbnum);
58068 urb->setup_dma = dma_map_single(
58069 hcd->self.controller,
58070 urb->setup_packet,
58071@@ -840,7 +840,7 @@ static int ehset_single_step_set_feature(struct usb_hcd *hcd, int port)
58072 urb->status = -EINPROGRESS;
58073 usb_get_urb(urb);
58074 atomic_inc(&urb->use_count);
58075- atomic_inc(&urb->dev->urbnum);
58076+ atomic_inc_unchecked(&urb->dev->urbnum);
58077 retval = submit_single_step_set_feature(hcd, urb, 0);
58078 if (!retval && !wait_for_completion_timeout(&done,
58079 msecs_to_jiffies(2000))) {
58080diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c
58081index 54f5332..8b8335c 100644
58082--- a/drivers/usb/host/ehci-q.c
58083+++ b/drivers/usb/host/ehci-q.c
58084@@ -44,9 +44,9 @@
58085
58086 static int
58087 qtd_fill(struct ehci_hcd *ehci, struct ehci_qtd *qtd, dma_addr_t buf,
58088- size_t len, int token, int maxpacket)
58089+ size_t len, u32 token, int maxpacket)
58090 {
58091- int i, count;
58092+ u32 i, count;
58093 u64 addr = buf;
58094
58095 /* one buffer entry per 4K ... first might be short or unaligned */
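Review bot: qtd_fill now takes `u32 token` and declares `u32 i, count`, but its return type is still `int` and `maxpacket` is still `int`, so the body mixes signed and unsigned operands. The body lies outside this hunk; if it returns `count` or combines it with `maxpacket`, those conversions are now implicit and should be checked with `-Wsign-compare`. A comment stating that the byte count always fits in an `int` would make the remaining signed types a documented choice rather than an oversight.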
58096diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
58097index 000ed80..2701154 100644
58098--- a/drivers/usb/host/fotg210-hcd.c
58099+++ b/drivers/usb/host/fotg210-hcd.c
58100@@ -5231,7 +5231,7 @@ static int hcd_fotg210_init(struct usb_hcd *hcd)
58101
58102 /* Accept arbitrarily long scatter-gather lists */
58103 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
58104- hcd->self.sg_tablesize = ~0;
58105+ hcd->self.sg_tablesize = SG_ALL;
58106 return 0;
58107 }
58108
58109diff --git a/drivers/usb/host/fusbh200-hcd.c b/drivers/usb/host/fusbh200-hcd.c
58110index 1fd8718..c7ff47c 100644
58111--- a/drivers/usb/host/fusbh200-hcd.c
58112+++ b/drivers/usb/host/fusbh200-hcd.c
58113@@ -5156,7 +5156,7 @@ static int hcd_fusbh200_init(struct usb_hcd *hcd)
58114
58115 /* Accept arbitrarily long scatter-gather lists */
58116 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
58117- hcd->self.sg_tablesize = ~0;
58118+ hcd->self.sg_tablesize = SG_ALL;
58119 return 0;
58120 }
58121
58122diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
58123index 1db0626..2e9f5ea 100644
58124--- a/drivers/usb/host/hwa-hc.c
58125+++ b/drivers/usb/host/hwa-hc.c
58126@@ -337,7 +337,10 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index,
58127 struct hwahc *hwahc = container_of(wusbhc, struct hwahc, wusbhc);
58128 struct wahc *wa = &hwahc->wa;
58129 struct device *dev = &wa->usb_iface->dev;
58130- u8 mas_le[UWB_NUM_MAS/8];
58131+ u8 *mas_le = kmalloc(UWB_NUM_MAS/8, GFP_KERNEL);
58132+
58133+ if (mas_le == NULL)
58134+ return -ENOMEM;
58135
58136 /* Set the stream index */
58137 result = usb_control_msg(wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0),
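Review bot: The size of `mas_le` is now spelled out twice as `UWB_NUM_MAS/8`, once in the kmalloc() here and once as the transfer length in the next hunk, because `sizeof` no longer yields the buffer size once the array becomes a heap pointer. The two values must stay equal or the control transfer would read past the allocation, so a single local used in both places is safer: `const size_t mas_len = UWB_NUM_MAS / 8;`. A short comment saying why the buffer moved off the stack (presumably because it is handed to usb_control_msg()) would also help. The function continues past this hunk.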
58138@@ -356,10 +359,12 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index,
58139 WUSB_REQ_SET_WUSB_MAS,
58140 USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE,
58141 0, wa->usb_iface->cur_altsetting->desc.bInterfaceNumber,
58142- mas_le, 32, USB_CTRL_SET_TIMEOUT);
58143+ mas_le, UWB_NUM_MAS/8, USB_CTRL_SET_TIMEOUT);
58144 if (result < 0)
58145 dev_err(dev, "Cannot set WUSB MAS allocation: %d\n", result);
58146 out:
58147+ kfree(mas_le);
58148+
58149 return result;
58150 }
58151
58152@@ -812,7 +817,7 @@ static int hwahc_probe(struct usb_interface *usb_iface,
58153 goto error_alloc;
58154 }
58155 usb_hcd->wireless = 1;
58156- usb_hcd->self.sg_tablesize = ~0;
58157+ usb_hcd->self.sg_tablesize = SG_ALL;
58158 wusbhc = usb_hcd_to_wusbhc(usb_hcd);
58159 hwahc = container_of(wusbhc, struct hwahc, wusbhc);
58160 hwahc_init(hwahc);
58161diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
58162index 760cb57..fc7f8ad 100644
58163--- a/drivers/usb/host/ohci-hcd.c
58164+++ b/drivers/usb/host/ohci-hcd.c
58165@@ -444,7 +444,7 @@ static int ohci_init (struct ohci_hcd *ohci)
58166 struct usb_hcd *hcd = ohci_to_hcd(ohci);
58167
58168 /* Accept arbitrarily long scatter-gather lists */
58169- hcd->self.sg_tablesize = ~0;
58170+ hcd->self.sg_tablesize = SG_ALL;
58171
58172 if (distrust_firmware)
58173 ohci->flags |= OHCI_QUIRK_HUB_POWER;
58174diff --git a/drivers/usb/host/r8a66597.h b/drivers/usb/host/r8a66597.h
58175index 672cea3..31a730db 100644
58176--- a/drivers/usb/host/r8a66597.h
58177+++ b/drivers/usb/host/r8a66597.h
58178@@ -125,7 +125,7 @@ struct r8a66597 {
58179 unsigned short interval_map;
58180 unsigned char pipe_cnt[R8A66597_MAX_NUM_PIPE];
58181 unsigned char dma_map;
58182- unsigned int max_root_hub;
58183+ unsigned char max_root_hub;
58184
58185 struct list_head child_device;
58186 unsigned long child_connect_map[4];
58187diff --git a/drivers/usb/host/uhci-hcd.c b/drivers/usb/host/uhci-hcd.c
58188index a7de8e8..e1ef134 100644
58189--- a/drivers/usb/host/uhci-hcd.c
58190+++ b/drivers/usb/host/uhci-hcd.c
58191@@ -570,7 +570,7 @@ static int uhci_start(struct usb_hcd *hcd)
58192 hcd->uses_new_polling = 1;
58193 /* Accept arbitrarily long scatter-gather lists */
58194 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
58195- hcd->self.sg_tablesize = ~0;
58196+ hcd->self.sg_tablesize = SG_ALL;
58197
58198 spin_lock_init(&uhci->lock);
58199 setup_timer(&uhci->fsbr_timer, uhci_fsbr_timeout,
58200diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
58201index 5590eac..16d71c5 100644
58202--- a/drivers/usb/host/xhci-pci.c
58203+++ b/drivers/usb/host/xhci-pci.c
58204@@ -30,7 +30,7 @@
58205
58206 #define PORT2_SSIC_CONFIG_REG2 0x883c
58207 #define PROG_DONE (1 << 30)
58208-#define SSIC_PORT_UNUSED (1 << 31)
58209+#define SSIC_PORT_UNUSED (1U << 31)
58210
58211 /* Device for a quirk */
58212 #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
58213diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
58214index 526ebc0..fa8f325 100644
58215--- a/drivers/usb/host/xhci.c
58216+++ b/drivers/usb/host/xhci.c
58217@@ -4834,7 +4834,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
58218 int retval;
58219
58220 /* Accept arbitrarily long scatter-gather lists */
58221- hcd->self.sg_tablesize = ~0;
58222+ hcd->self.sg_tablesize = SG_ALL;
58223
58224 /* support to build packet from discontinuous buffers */
58225 hcd->self.no_sg_constraint = 1;
58226diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
58227index a0a3827..d7ec10b 100644
58228--- a/drivers/usb/misc/appledisplay.c
58229+++ b/drivers/usb/misc/appledisplay.c
58230@@ -84,7 +84,7 @@ struct appledisplay {
58231 struct mutex sysfslock; /* concurrent read and write */
58232 };
58233
58234-static atomic_t count_displays = ATOMIC_INIT(0);
58235+static atomic_unchecked_t count_displays = ATOMIC_INIT(0);
58236 static struct workqueue_struct *wq;
58237
58238 static void appledisplay_complete(struct urb *urb)
58239@@ -288,7 +288,7 @@ static int appledisplay_probe(struct usb_interface *iface,
58240
58241 /* Register backlight device */
58242 snprintf(bl_name, sizeof(bl_name), "appledisplay%d",
58243- atomic_inc_return(&count_displays) - 1);
58244+ atomic_inc_return_unchecked(&count_displays) - 1);
58245 memset(&props, 0, sizeof(struct backlight_properties));
58246 props.type = BACKLIGHT_RAW;
58247 props.max_brightness = 0xff;
58248diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
58249index 3806e70..55c508b 100644
58250--- a/drivers/usb/serial/console.c
58251+++ b/drivers/usb/serial/console.c
58252@@ -126,7 +126,7 @@ static int usb_console_setup(struct console *co, char *options)
58253
58254 info->port = port;
58255
58256- ++port->port.count;
58257+ atomic_inc(&port->port.count);
58258 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
58259 if (serial->type->set_termios) {
58260 /*
58261@@ -175,7 +175,7 @@ static int usb_console_setup(struct console *co, char *options)
58262 }
58263 /* Now that any required fake tty operations are completed restore
58264 * the tty port count */
58265- --port->port.count;
58266+ atomic_dec(&port->port.count);
58267 /* The console is special in terms of closing the device so
58268 * indicate this port is now acting as a system console. */
58269 port->port.console = 1;
58270@@ -188,7 +188,7 @@ static int usb_console_setup(struct console *co, char *options)
58271 put_tty:
58272 tty_kref_put(tty);
58273 reset_open_count:
58274- port->port.count = 0;
58275+ atomic_set(&port->port.count, 0);
58276 usb_autopm_put_interface(serial->interface);
58277 error_get_interface:
58278 usb_serial_put(serial);
58279@@ -199,7 +199,7 @@ static int usb_console_setup(struct console *co, char *options)
58280 static void usb_console_write(struct console *co,
58281 const char *buf, unsigned count)
58282 {
58283- static struct usbcons_info *info = &usbcons_info;
58284+ struct usbcons_info *info = &usbcons_info;
58285 struct usb_serial_port *port = info->port;
58286 struct usb_serial *serial;
58287 int retval = -ENODEV;
58288diff --git a/drivers/usb/storage/usb.c b/drivers/usb/storage/usb.c
58289index 43576ed..583589d 100644
58290--- a/drivers/usb/storage/usb.c
58291+++ b/drivers/usb/storage/usb.c
58292@@ -912,7 +912,7 @@ static void usb_stor_scan_dwork(struct work_struct *work)
58293 clear_bit(US_FLIDX_SCAN_PENDING, &us->dflags);
58294 }
58295
58296-static unsigned int usb_stor_sg_tablesize(struct usb_interface *intf)
58297+static unsigned short usb_stor_sg_tablesize(struct usb_interface *intf)
58298 {
58299 struct usb_device *usb_dev = interface_to_usbdev(intf);
58300
58301diff --git a/drivers/usb/storage/usb.h b/drivers/usb/storage/usb.h
58302index da0ad32..50b5bbe 100644
58303--- a/drivers/usb/storage/usb.h
58304+++ b/drivers/usb/storage/usb.h
58305@@ -63,7 +63,7 @@ struct us_unusual_dev {
58306 __u8 useProtocol;
58307 __u8 useTransport;
58308 int (*initFunction)(struct us_data *);
58309-};
58310+} __do_const;
58311
58312
58313 /* Dynamic bitflag definitions (us->dflags): used in set_bit() etc. */
58314diff --git a/drivers/usb/usbip/vhci.h b/drivers/usb/usbip/vhci.h
58315index a863a98..d272795 100644
58316--- a/drivers/usb/usbip/vhci.h
58317+++ b/drivers/usb/usbip/vhci.h
58318@@ -83,7 +83,7 @@ struct vhci_hcd {
58319 unsigned resuming:1;
58320 unsigned long re_timeout;
58321
58322- atomic_t seqnum;
58323+ atomic_unchecked_t seqnum;
58324
58325 /*
58326 * NOTE:
58327diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
58328index e9ef1ec..c3a0b04 100644
58329--- a/drivers/usb/usbip/vhci_hcd.c
58330+++ b/drivers/usb/usbip/vhci_hcd.c
58331@@ -440,7 +440,7 @@ static void vhci_tx_urb(struct urb *urb)
58332
58333 spin_lock(&vdev->priv_lock);
58334
58335- priv->seqnum = atomic_inc_return(&the_controller->seqnum);
58336+ priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
58337 if (priv->seqnum == 0xffff)
58338 dev_info(&urb->dev->dev, "seqnum max\n");
58339
58340@@ -685,7 +685,7 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
58341 return -ENOMEM;
58342 }
58343
58344- unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
58345+ unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
58346 if (unlink->seqnum == 0xffff)
58347 pr_info("seqnum max\n");
58348
58349@@ -889,7 +889,7 @@ static int vhci_start(struct usb_hcd *hcd)
58350 vdev->rhport = rhport;
58351 }
58352
58353- atomic_set(&vhci->seqnum, 0);
58354+ atomic_set_unchecked(&vhci->seqnum, 0);
58355 spin_lock_init(&vhci->lock);
58356
58357 hcd->power_budget = 0; /* no limit */
58358diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c
58359index 00e4a54..d676f85 100644
58360--- a/drivers/usb/usbip/vhci_rx.c
58361+++ b/drivers/usb/usbip/vhci_rx.c
58362@@ -80,7 +80,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
58363 if (!urb) {
58364 pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
58365 pr_info("max seqnum %d\n",
58366- atomic_read(&the_controller->seqnum));
58367+ atomic_read_unchecked(&the_controller->seqnum));
58368 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
58369 return;
58370 }
58371diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
58372index 211f43f..6c22ae1 100644
58373--- a/drivers/usb/usbip/vhci_sysfs.c
58374+++ b/drivers/usb/usbip/vhci_sysfs.c
58375@@ -59,7 +59,7 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr,
58376 if (vdev->ud.status == VDEV_ST_USED) {
58377 out += sprintf(out, "%03u %08x ",
58378 vdev->speed, vdev->devid);
58379- out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
58380+ out += sprintf(out, "%16pK ", vdev->ud.tcp_socket);
58381 out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
58382
58383 } else {
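Review bot: status_show still writes the value of `vdev->ud.tcp_socket` into a sysfs attribute; changing `%16p` to `%16pK` only masks it according to the kptr_restrict setting and the reader's privileges. On a system where that restriction is off, the kernel address is printed as before. If the consumers of this file do not need the pointer value, printing a non-address identifier in that column would remove the exposure instead of gating it. The surrounding `out += sprintf(out, ...)` calls are also unbounded; `scnprintf` with the remaining space would be the safer form, though the buffer size is not visible in this hunk.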
58384diff --git a/drivers/usb/wusbcore/wa-hc.h b/drivers/usb/wusbcore/wa-hc.h
58385index edc7267..9f65ce2 100644
58386--- a/drivers/usb/wusbcore/wa-hc.h
58387+++ b/drivers/usb/wusbcore/wa-hc.h
58388@@ -240,7 +240,7 @@ struct wahc {
58389 spinlock_t xfer_list_lock;
58390 struct work_struct xfer_enqueue_work;
58391 struct work_struct xfer_error_work;
58392- atomic_t xfer_id_count;
58393+ atomic_unchecked_t xfer_id_count;
58394
58395 kernel_ulong_t quirks;
58396 };
58397@@ -305,7 +305,7 @@ static inline void wa_init(struct wahc *wa)
58398 INIT_WORK(&wa->xfer_enqueue_work, wa_urb_enqueue_run);
58399 INIT_WORK(&wa->xfer_error_work, wa_process_errored_transfers_run);
58400 wa->dto_in_use = 0;
58401- atomic_set(&wa->xfer_id_count, 1);
58402+ atomic_set_unchecked(&wa->xfer_id_count, 1);
58403 /* init the buf in URBs */
58404 for (index = 0; index < WA_MAX_BUF_IN_URBS; ++index)
58405 usb_init_urb(&(wa->buf_in_urbs[index]));
58406diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
58407index 69af4fd..da390d7 100644
58408--- a/drivers/usb/wusbcore/wa-xfer.c
58409+++ b/drivers/usb/wusbcore/wa-xfer.c
58410@@ -314,7 +314,7 @@ static void wa_xfer_completion(struct wa_xfer *xfer)
58411 */
58412 static void wa_xfer_id_init(struct wa_xfer *xfer)
58413 {
58414- xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
58415+ xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
58416 }
58417
58418 /* Return the xfer's ID. */
58419diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
58420index 563c510..1fcc957 100644
58421--- a/drivers/vfio/vfio.c
58422+++ b/drivers/vfio/vfio.c
58423@@ -517,7 +517,7 @@ static int vfio_group_nb_add_dev(struct vfio_group *group, struct device *dev)
58424 return 0;
58425
58426 /* TODO Prevent device auto probing */
58427- WARN("Device %s added to live group %d!\n", dev_name(dev),
58428+ WARN(1, "Device %s added to live group %d!\n", dev_name(dev),
58429 iommu_group_id(group->iommu_group));
58430
58431 return 0;
58432diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
58433index 3bb02c6..a01ff38 100644
58434--- a/drivers/vhost/vringh.c
58435+++ b/drivers/vhost/vringh.c
58436@@ -551,7 +551,7 @@ static inline void __vringh_notify_disable(struct vringh *vrh,
58437 static inline int getu16_user(const struct vringh *vrh, u16 *val, const __virtio16 *p)
58438 {
58439 __virtio16 v = 0;
58440- int rc = get_user(v, (__force __virtio16 __user *)p);
58441+ int rc = get_user(v, (__force_user __virtio16 *)p);
58442 *val = vringh16_to_cpu(vrh, v);
58443 return rc;
58444 }
58445@@ -559,12 +559,12 @@ static inline int getu16_user(const struct vringh *vrh, u16 *val, const __virtio
58446 static inline int putu16_user(const struct vringh *vrh, __virtio16 *p, u16 val)
58447 {
58448 __virtio16 v = cpu_to_vringh16(vrh, val);
58449- return put_user(v, (__force __virtio16 __user *)p);
58450+ return put_user(v, (__force_user __virtio16 *)p);
58451 }
58452
58453 static inline int copydesc_user(void *dst, const void *src, size_t len)
58454 {
58455- return copy_from_user(dst, (__force void __user *)src, len) ?
58456+ return copy_from_user(dst, (void __force_user *)src, len) ?
58457 -EFAULT : 0;
58458 }
58459
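Review bot: The casts in this file place the new qualifier inconsistently: putu16_user here (and getu16_user in the previous hunk) write `(__force_user __virtio16 *)p`, while copydesc_user in the same hunk and the three helpers in the next hunk write `(void __force_user *)src`. The definition of `__force_user` is not on this page, so whether the position matters to the static checker cannot be told from here, but one form should be used throughout. Writing `(__virtio16 __force_user *)p` in the two 16-bit accessors would match the other four helpers.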
58460@@ -572,19 +572,19 @@ static inline int putused_user(struct vring_used_elem *dst,
58461 const struct vring_used_elem *src,
58462 unsigned int num)
58463 {
58464- return copy_to_user((__force void __user *)dst, src,
58465+ return copy_to_user((void __force_user *)dst, src,
58466 sizeof(*dst) * num) ? -EFAULT : 0;
58467 }
58468
58469 static inline int xfer_from_user(void *src, void *dst, size_t len)
58470 {
58471- return copy_from_user(dst, (__force void __user *)src, len) ?
58472+ return copy_from_user(dst, (void __force_user *)src, len) ?
58473 -EFAULT : 0;
58474 }
58475
58476 static inline int xfer_to_user(void *dst, void *src, size_t len)
58477 {
58478- return copy_to_user((__force void __user *)dst, src, len) ?
58479+ return copy_to_user((void __force_user *)dst, src, len) ?
58480 -EFAULT : 0;
58481 }
58482
58483@@ -621,9 +621,9 @@ int vringh_init_user(struct vringh *vrh, u64 features,
58484 vrh->last_used_idx = 0;
58485 vrh->vring.num = num;
58486 /* vring expects kernel addresses, but only used via accessors. */
58487- vrh->vring.desc = (__force struct vring_desc *)desc;
58488- vrh->vring.avail = (__force struct vring_avail *)avail;
58489- vrh->vring.used = (__force struct vring_used *)used;
58490+ vrh->vring.desc = (__force_kernel struct vring_desc *)desc;
58491+ vrh->vring.avail = (__force_kernel struct vring_avail *)avail;
58492+ vrh->vring.used = (__force_kernel struct vring_used *)used;
58493 return 0;
58494 }
58495 EXPORT_SYMBOL(vringh_init_user);
58496@@ -826,7 +826,7 @@ static inline int getu16_kern(const struct vringh *vrh,
58497
58498 static inline int putu16_kern(const struct vringh *vrh, __virtio16 *p, u16 val)
58499 {
58500- ACCESS_ONCE(*p) = cpu_to_vringh16(vrh, val);
58501+ ACCESS_ONCE_RW(*p) = cpu_to_vringh16(vrh, val);
58502 return 0;
58503 }
58504
58505diff --git a/drivers/video/backlight/kb3886_bl.c b/drivers/video/backlight/kb3886_bl.c
58506index 84a110a..96312c3 100644
58507--- a/drivers/video/backlight/kb3886_bl.c
58508+++ b/drivers/video/backlight/kb3886_bl.c
58509@@ -78,7 +78,7 @@ static struct kb3886bl_machinfo *bl_machinfo;
58510 static unsigned long kb3886bl_flags;
58511 #define KB3886BL_SUSPENDED 0x01
58512
58513-static struct dmi_system_id kb3886bl_device_table[] __initdata = {
58514+static const struct dmi_system_id kb3886bl_device_table[] __initconst = {
58515 {
58516 .ident = "Sahara Touch-iT",
58517 .matches = {
58518diff --git a/drivers/video/fbdev/arcfb.c b/drivers/video/fbdev/arcfb.c
58519index 1b0b233..6f34c2c 100644
58520--- a/drivers/video/fbdev/arcfb.c
58521+++ b/drivers/video/fbdev/arcfb.c
58522@@ -458,7 +458,7 @@ static ssize_t arcfb_write(struct fb_info *info, const char __user *buf,
58523 return -ENOSPC;
58524
58525 err = 0;
58526- if ((count + p) > fbmemlength) {
58527+ if (count > (fbmemlength - p)) {
58528 count = fbmemlength - p;
58529 err = -ENOSPC;
58530 }
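Review bot: The new bound check `count > (fbmemlength - p)` is only correct if `p <= fbmemlength` already holds, and the test that would guarantee it sits above this hunk; only a `return -ENOSPC;` is visible. If that earlier test were ever relaxed, the subtraction could wrap (assuming the operands are unsigned; their declarations are not shown) and the clamp would be skipped. A comment on the new line, e.g. `/* p <= fbmemlength was checked above, so the subtraction cannot wrap */`, would tie the two checks together. arcfb_write starts and ends outside the hunk.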
58531diff --git a/drivers/video/fbdev/aty/aty128fb.c b/drivers/video/fbdev/aty/aty128fb.c
58532index c42ce2f..4c8bc59 100644
58533--- a/drivers/video/fbdev/aty/aty128fb.c
58534+++ b/drivers/video/fbdev/aty/aty128fb.c
58535@@ -145,7 +145,7 @@ enum {
58536 };
58537
58538 /* Must match above enum */
58539-static char * const r128_family[] = {
58540+static const char * const r128_family[] = {
58541 "AGP",
58542 "PCI",
58543 "PRO AGP",
58544diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
58545index 8789e48..698fe4c 100644
58546--- a/drivers/video/fbdev/aty/atyfb_base.c
58547+++ b/drivers/video/fbdev/aty/atyfb_base.c
58548@@ -1326,10 +1326,14 @@ static int atyfb_set_par(struct fb_info *info)
58549 par->accel_flags = var->accel_flags; /* hack */
58550
58551 if (var->accel_flags) {
58552- info->fbops->fb_sync = atyfb_sync;
58553+ pax_open_kernel();
58554+ *(void **)&info->fbops->fb_sync = atyfb_sync;
58555+ pax_close_kernel();
58556 info->flags &= ~FBINFO_HWACCEL_DISABLED;
58557 } else {
58558- info->fbops->fb_sync = NULL;
58559+ pax_open_kernel();
58560+ *(void **)&info->fbops->fb_sync = NULL;
58561+ pax_close_kernel();
58562 info->flags |= FBINFO_HWACCEL_DISABLED;
58563 }
58564
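Review bot: Both branches of atyfb_set_par now store through `*(void **)&info->fbops->fb_sync`, which removes the compiler's check that the assigned function matches the declared type of `fb_sync`, and the open/store/close sequence is written out twice. A single store ahead of the `if` would halve the window in which the ops table is writable: `pax_open_kernel(); *(void **)&info->fbops->fb_sync = var->accel_flags ? atyfb_sync : NULL; pax_close_kernel();`, leaving only the `info->flags` updates in the branches. A comment noting that the cast is needed because the ops structure is treated as read-only would explain the unusual form. The function extends beyond this hunk.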
58565diff --git a/drivers/video/fbdev/aty/mach64_cursor.c b/drivers/video/fbdev/aty/mach64_cursor.c
58566index 2fa0317..4983f2a 100644
58567--- a/drivers/video/fbdev/aty/mach64_cursor.c
58568+++ b/drivers/video/fbdev/aty/mach64_cursor.c
58569@@ -8,6 +8,7 @@
58570 #include "../core/fb_draw.h"
58571
58572 #include <asm/io.h>
58573+#include <asm/pgtable.h>
58574
58575 #ifdef __sparc__
58576 #include <asm/fbio.h>
58577@@ -218,7 +219,9 @@ int aty_init_cursor(struct fb_info *info)
58578 info->sprite.buf_align = 16; /* and 64 lines tall. */
58579 info->sprite.flags = FB_PIXMAP_IO;
58580
58581- info->fbops->fb_cursor = atyfb_cursor;
58582+ pax_open_kernel();
58583+ *(void **)&info->fbops->fb_cursor = atyfb_cursor;
58584+ pax_close_kernel();
58585
58586 return 0;
58587 }
58588diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
58589index 3fc63c2..eec5e49 100644
58590--- a/drivers/video/fbdev/core/fb_defio.c
58591+++ b/drivers/video/fbdev/core/fb_defio.c
58592@@ -207,7 +207,9 @@ void fb_deferred_io_init(struct fb_info *info)
58593
58594 BUG_ON(!fbdefio);
58595 mutex_init(&fbdefio->lock);
58596- info->fbops->fb_mmap = fb_deferred_io_mmap;
58597+ pax_open_kernel();
58598+ *(void **)&info->fbops->fb_mmap = fb_deferred_io_mmap;
58599+ pax_close_kernel();
58600 INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
58601 INIT_LIST_HEAD(&fbdefio->pagelist);
58602 if (fbdefio->delay == 0) /* set a default of 1 s */
58603@@ -238,7 +240,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
58604 page->mapping = NULL;
58605 }
58606
58607- info->fbops->fb_mmap = NULL;
58608+ *(void **)&info->fbops->fb_mmap = NULL;
58609 mutex_destroy(&fbdefio->lock);
58610 }
58611 EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
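Review bot: In fb_deferred_io_cleanup the new `*(void **)&info->fbops->fb_mmap = NULL;` is not bracketed by pax_open_kernel()/pax_close_kernel(), unlike the matching store in fb_deferred_io_init in the previous hunk of this file. If fbops is write-protected, as the other hunks assume, this store would presumably fault at cleanup time; if it is not, the cast is unnecessary. The store should be preceded by `pax_open_kernel();` and followed by `pax_close_kernel();`, exactly as in the init path. The function starts outside the hunk.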
58612diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
58613index 0705d88..d9429bf 100644
58614--- a/drivers/video/fbdev/core/fbmem.c
58615+++ b/drivers/video/fbdev/core/fbmem.c
58616@@ -1301,7 +1301,7 @@ static int do_fscreeninfo_to_user(struct fb_fix_screeninfo *fix,
58617 __u32 data;
58618 int err;
58619
58620- err = copy_to_user(&fix32->id, &fix->id, sizeof(fix32->id));
58621+ err = copy_to_user(fix32->id, &fix->id, sizeof(fix32->id));
58622
58623 data = (__u32) (unsigned long) fix->smem_start;
58624 err |= put_user(data, &fix32->smem_start);
58625diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
58626index 807ee22..7814cd6 100644
58627--- a/drivers/video/fbdev/hyperv_fb.c
58628+++ b/drivers/video/fbdev/hyperv_fb.c
58629@@ -240,7 +240,7 @@ static uint screen_fb_size;
58630 static inline int synthvid_send(struct hv_device *hdev,
58631 struct synthvid_msg *msg)
58632 {
58633- static atomic64_t request_id = ATOMIC64_INIT(0);
58634+ static atomic64_unchecked_t request_id = ATOMIC64_INIT(0);
58635 int ret;
58636
58637 msg->pipe_hdr.type = PIPE_MSG_DATA;
58638@@ -248,7 +248,7 @@ static inline int synthvid_send(struct hv_device *hdev,
58639
58640 ret = vmbus_sendpacket(hdev->channel, msg,
58641 msg->vid_hdr.size + sizeof(struct pipe_msg_hdr),
58642- atomic64_inc_return(&request_id),
58643+ atomic64_inc_return_unchecked(&request_id),
58644 VM_PKT_DATA_INBAND, 0);
58645
58646 if (ret)
58647diff --git a/drivers/video/fbdev/i810/i810_accel.c b/drivers/video/fbdev/i810/i810_accel.c
58648index 7672d2e..b56437f 100644
58649--- a/drivers/video/fbdev/i810/i810_accel.c
58650+++ b/drivers/video/fbdev/i810/i810_accel.c
58651@@ -73,6 +73,7 @@ static inline int wait_for_space(struct fb_info *info, u32 space)
58652 }
58653 }
58654 printk("ringbuffer lockup!!!\n");
58655+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
58656 i810_report_error(mmio);
58657 par->dev_flags |= LOCKUP;
58658 info->pixmap.scan_align = 1;
58659diff --git a/drivers/video/fbdev/matrox/matroxfb_DAC1064.c b/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
58660index a01147f..5d896f8 100644
58661--- a/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
58662+++ b/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
58663@@ -1088,14 +1088,20 @@ static void MGAG100_restore(struct matrox_fb_info *minfo)
58664
58665 #ifdef CONFIG_FB_MATROX_MYSTIQUE
58666 struct matrox_switch matrox_mystique = {
58667- MGA1064_preinit, MGA1064_reset, MGA1064_init, MGA1064_restore,
58668+ .preinit = MGA1064_preinit,
58669+ .reset = MGA1064_reset,
58670+ .init = MGA1064_init,
58671+ .restore = MGA1064_restore,
58672 };
58673 EXPORT_SYMBOL(matrox_mystique);
58674 #endif
58675
58676 #ifdef CONFIG_FB_MATROX_G
58677 struct matrox_switch matrox_G100 = {
58678- MGAG100_preinit, MGAG100_reset, MGAG100_init, MGAG100_restore,
58679+ .preinit = MGAG100_preinit,
58680+ .reset = MGAG100_reset,
58681+ .init = MGAG100_init,
58682+ .restore = MGAG100_restore,
58683 };
58684 EXPORT_SYMBOL(matrox_G100);
58685 #endif
58686diff --git a/drivers/video/fbdev/matrox/matroxfb_Ti3026.c b/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
58687index 195ad7c..09743fc 100644
58688--- a/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
58689+++ b/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
58690@@ -738,7 +738,10 @@ static int Ti3026_preinit(struct matrox_fb_info *minfo)
58691 }
58692
58693 struct matrox_switch matrox_millennium = {
58694- Ti3026_preinit, Ti3026_reset, Ti3026_init, Ti3026_restore
58695+ .preinit = Ti3026_preinit,
58696+ .reset = Ti3026_reset,
58697+ .init = Ti3026_init,
58698+ .restore = Ti3026_restore
58699 };
58700 EXPORT_SYMBOL(matrox_millennium);
58701 #endif
58702diff --git a/drivers/video/fbdev/matrox/matroxfb_base.c b/drivers/video/fbdev/matrox/matroxfb_base.c
58703index 11eb094..622ee31 100644
58704--- a/drivers/video/fbdev/matrox/matroxfb_base.c
58705+++ b/drivers/video/fbdev/matrox/matroxfb_base.c
58706@@ -2176,7 +2176,7 @@ static struct pci_driver matroxfb_driver = {
58707 #define RS1056x480 14 /* 132 x 60 text */
58708 #define RSNoxNo 15
58709 /* 10-FF */
58710-static struct { int xres, yres, left, right, upper, lower, hslen, vslen, vfreq; } timmings[] __initdata = {
58711+static struct { unsigned int xres, yres, left, right, upper, lower, hslen, vslen, vfreq; } timmings[] __initdata = {
58712 { 640, 400, 48, 16, 39, 8, 96, 2, 70 },
58713 { 640, 480, 48, 16, 33, 10, 96, 2, 60 },
58714 { 800, 600, 144, 24, 28, 8, 112, 6, 60 },
58715diff --git a/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c b/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
58716index fe92eed..106e085 100644
58717--- a/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
58718+++ b/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
58719@@ -312,14 +312,18 @@ void mb862xxfb_init_accel(struct fb_info *info, int xres)
58720 struct mb862xxfb_par *par = info->par;
58721
58722 if (info->var.bits_per_pixel == 32) {
58723- info->fbops->fb_fillrect = cfb_fillrect;
58724- info->fbops->fb_copyarea = cfb_copyarea;
58725- info->fbops->fb_imageblit = cfb_imageblit;
58726+ pax_open_kernel();
58727+ *(void **)&info->fbops->fb_fillrect = cfb_fillrect;
58728+ *(void **)&info->fbops->fb_copyarea = cfb_copyarea;
58729+ *(void **)&info->fbops->fb_imageblit = cfb_imageblit;
58730+ pax_close_kernel();
58731 } else {
58732 outreg(disp, GC_L0EM, 3);
58733- info->fbops->fb_fillrect = mb86290fb_fillrect;
58734- info->fbops->fb_copyarea = mb86290fb_copyarea;
58735- info->fbops->fb_imageblit = mb86290fb_imageblit;
58736+ pax_open_kernel();
58737+ *(void **)&info->fbops->fb_fillrect = mb86290fb_fillrect;
58738+ *(void **)&info->fbops->fb_copyarea = mb86290fb_copyarea;
58739+ *(void **)&info->fbops->fb_imageblit = mb86290fb_imageblit;
58740+ pax_close_kernel();
58741 }
58742 outreg(draw, GDC_REG_DRAW_BASE, 0);
58743 outreg(draw, GDC_REG_MODE_MISC, 0x8000);
58744diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
58745index ce7dab7..a87baf8 100644
58746--- a/drivers/video/fbdev/nvidia/nvidia.c
58747+++ b/drivers/video/fbdev/nvidia/nvidia.c
58748@@ -660,19 +660,23 @@ static int nvidiafb_set_par(struct fb_info *info)
58749 info->fix.line_length = (info->var.xres_virtual *
58750 info->var.bits_per_pixel) >> 3;
58751 if (info->var.accel_flags) {
58752- info->fbops->fb_imageblit = nvidiafb_imageblit;
58753- info->fbops->fb_fillrect = nvidiafb_fillrect;
58754- info->fbops->fb_copyarea = nvidiafb_copyarea;
58755- info->fbops->fb_sync = nvidiafb_sync;
58756+ pax_open_kernel();
58757+ *(void **)&info->fbops->fb_imageblit = nvidiafb_imageblit;
58758+ *(void **)&info->fbops->fb_fillrect = nvidiafb_fillrect;
58759+ *(void **)&info->fbops->fb_copyarea = nvidiafb_copyarea;
58760+ *(void **)&info->fbops->fb_sync = nvidiafb_sync;
58761+ pax_close_kernel();
58762 info->pixmap.scan_align = 4;
58763 info->flags &= ~FBINFO_HWACCEL_DISABLED;
58764 info->flags |= FBINFO_READS_FAST;
58765 NVResetGraphics(info);
58766 } else {
58767- info->fbops->fb_imageblit = cfb_imageblit;
58768- info->fbops->fb_fillrect = cfb_fillrect;
58769- info->fbops->fb_copyarea = cfb_copyarea;
58770- info->fbops->fb_sync = NULL;
58771+ pax_open_kernel();
58772+ *(void **)&info->fbops->fb_imageblit = cfb_imageblit;
58773+ *(void **)&info->fbops->fb_fillrect = cfb_fillrect;
58774+ *(void **)&info->fbops->fb_copyarea = cfb_copyarea;
58775+ *(void **)&info->fbops->fb_sync = NULL;
58776+ pax_close_kernel();
58777 info->pixmap.scan_align = 1;
58778 info->flags |= FBINFO_HWACCEL_DISABLED;
58779 info->flags &= ~FBINFO_READS_FAST;
58780@@ -1164,8 +1168,11 @@ static int nvidia_set_fbinfo(struct fb_info *info)
58781 info->pixmap.size = 8 * 1024;
58782 info->pixmap.flags = FB_PIXMAP_SYSTEM;
58783
58784- if (!hwcur)
58785- info->fbops->fb_cursor = NULL;
58786+ if (!hwcur) {
58787+ pax_open_kernel();
58788+ *(void **)&info->fbops->fb_cursor = NULL;
58789+ pax_close_kernel();
58790+ }
58791
58792 info->var.accel_flags = (!noaccel);
58793
58794diff --git a/drivers/video/fbdev/omap2/dss/display.c b/drivers/video/fbdev/omap2/dss/display.c
58795index ef5b902..47cf7f5 100644
58796--- a/drivers/video/fbdev/omap2/dss/display.c
58797+++ b/drivers/video/fbdev/omap2/dss/display.c
58798@@ -161,12 +161,14 @@ int omapdss_register_display(struct omap_dss_device *dssdev)
58799 if (dssdev->name == NULL)
58800 dssdev->name = dssdev->alias;
58801
58802+ pax_open_kernel();
58803 if (drv && drv->get_resolution == NULL)
58804- drv->get_resolution = omapdss_default_get_resolution;
58805+ *(void **)&drv->get_resolution = omapdss_default_get_resolution;
58806 if (drv && drv->get_recommended_bpp == NULL)
58807- drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
58808+ *(void **)&drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
58809 if (drv && drv->get_timings == NULL)
58810- drv->get_timings = omapdss_default_get_timings;
58811+ *(void **)&drv->get_timings = omapdss_default_get_timings;
58812+ pax_close_kernel();
58813
58814 mutex_lock(&panel_list_mutex);
58815 list_add_tail(&dssdev->panel_list, &panel_list);
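Review bot: pax_open_kernel() is taken before the three `drv && drv->... == NULL` tests, so the write-protection window is open even when `drv` is NULL or every callback is already set. Opening it only when a store will happen keeps the unprotected span minimal, for example by putting `if (drv) {` in front of `pax_open_kernel();` and closing the brace after `pax_close_kernel();`, which also makes the repeated `drv &&` tests redundant. omapdss_register_display extends beyond the hunk on both sides.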
58816diff --git a/drivers/video/fbdev/s1d13xxxfb.c b/drivers/video/fbdev/s1d13xxxfb.c
58817index 83433cb..71e9b98 100644
58818--- a/drivers/video/fbdev/s1d13xxxfb.c
58819+++ b/drivers/video/fbdev/s1d13xxxfb.c
58820@@ -881,8 +881,10 @@ static int s1d13xxxfb_probe(struct platform_device *pdev)
58821
58822 switch(prod_id) {
58823 case S1D13506_PROD_ID: /* activate acceleration */
58824- s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill;
58825- s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea;
58826+ pax_open_kernel();
58827+ *(void **)&s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill;
58828+ *(void **)&s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea;
58829+ pax_close_kernel();
58830 info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN |
58831 FBINFO_HWACCEL_FILLRECT | FBINFO_HWACCEL_COPYAREA;
58832 break;
58833diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c
58834index 82c0a8c..42499a1 100644
58835--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c
58836+++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c
58837@@ -439,9 +439,9 @@ static unsigned long lcdc_sys_read_data(void *handle)
58838 }
58839
58840 static struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
58841- lcdc_sys_write_index,
58842- lcdc_sys_write_data,
58843- lcdc_sys_read_data,
58844+ .write_index = lcdc_sys_write_index,
58845+ .write_data = lcdc_sys_write_data,
58846+ .read_data = lcdc_sys_read_data,
58847 };
58848
58849 static int sh_mobile_lcdc_sginit(struct fb_info *info,
58850diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c
58851index 9279e5f..d5f5276 100644
58852--- a/drivers/video/fbdev/smscufx.c
58853+++ b/drivers/video/fbdev/smscufx.c
58854@@ -1174,7 +1174,9 @@ static int ufx_ops_release(struct fb_info *info, int user)
58855 fb_deferred_io_cleanup(info);
58856 kfree(info->fbdefio);
58857 info->fbdefio = NULL;
58858- info->fbops->fb_mmap = ufx_ops_mmap;
58859+ pax_open_kernel();
58860+ *(void **)&info->fbops->fb_mmap = ufx_ops_mmap;
58861+ pax_close_kernel();
58862 }
58863
58864 pr_debug("released /dev/fb%d user=%d count=%d",
58865diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
58866index ff2b873..626a8d5 100644
58867--- a/drivers/video/fbdev/udlfb.c
58868+++ b/drivers/video/fbdev/udlfb.c
58869@@ -623,11 +623,11 @@ static int dlfb_handle_damage(struct dlfb_data *dev, int x, int y,
58870 dlfb_urb_completion(urb);
58871
58872 error:
58873- atomic_add(bytes_sent, &dev->bytes_sent);
58874- atomic_add(bytes_identical, &dev->bytes_identical);
58875- atomic_add(width*height*2, &dev->bytes_rendered);
58876+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
58877+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
58878+ atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
58879 end_cycles = get_cycles();
58880- atomic_add(((unsigned int) ((end_cycles - start_cycles)
58881+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
58882 >> 10)), /* Kcycles */
58883 &dev->cpu_kcycles_used);
58884
58885@@ -748,11 +748,11 @@ static void dlfb_dpy_deferred_io(struct fb_info *info,
58886 dlfb_urb_completion(urb);
58887
58888 error:
58889- atomic_add(bytes_sent, &dev->bytes_sent);
58890- atomic_add(bytes_identical, &dev->bytes_identical);
58891- atomic_add(bytes_rendered, &dev->bytes_rendered);
58892+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
58893+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
58894+ atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
58895 end_cycles = get_cycles();
58896- atomic_add(((unsigned int) ((end_cycles - start_cycles)
58897+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
58898 >> 10)), /* Kcycles */
58899 &dev->cpu_kcycles_used);
58900 }
58901@@ -991,7 +991,9 @@ static int dlfb_ops_release(struct fb_info *info, int user)
58902 fb_deferred_io_cleanup(info);
58903 kfree(info->fbdefio);
58904 info->fbdefio = NULL;
58905- info->fbops->fb_mmap = dlfb_ops_mmap;
58906+ pax_open_kernel();
58907+ *(void **)&info->fbops->fb_mmap = dlfb_ops_mmap;
58908+ pax_close_kernel();
58909 }
58910
58911 pr_warn("released /dev/fb%d user=%d count=%d\n",
58912@@ -1373,7 +1375,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev,
58913 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58914 struct dlfb_data *dev = fb_info->par;
58915 return snprintf(buf, PAGE_SIZE, "%u\n",
58916- atomic_read(&dev->bytes_rendered));
58917+ atomic_read_unchecked(&dev->bytes_rendered));
58918 }
58919
58920 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
58921@@ -1381,7 +1383,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev,
58922 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58923 struct dlfb_data *dev = fb_info->par;
58924 return snprintf(buf, PAGE_SIZE, "%u\n",
58925- atomic_read(&dev->bytes_identical));
58926+ atomic_read_unchecked(&dev->bytes_identical));
58927 }
58928
58929 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
58930@@ -1389,7 +1391,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev,
58931 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58932 struct dlfb_data *dev = fb_info->par;
58933 return snprintf(buf, PAGE_SIZE, "%u\n",
58934- atomic_read(&dev->bytes_sent));
58935+ atomic_read_unchecked(&dev->bytes_sent));
58936 }
58937
58938 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
58939@@ -1397,7 +1399,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
58940 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58941 struct dlfb_data *dev = fb_info->par;
58942 return snprintf(buf, PAGE_SIZE, "%u\n",
58943- atomic_read(&dev->cpu_kcycles_used));
58944+ atomic_read_unchecked(&dev->cpu_kcycles_used));
58945 }
58946
58947 static ssize_t edid_show(
58948@@ -1457,10 +1459,10 @@ static ssize_t metrics_reset_store(struct device *fbdev,
58949 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58950 struct dlfb_data *dev = fb_info->par;
58951
58952- atomic_set(&dev->bytes_rendered, 0);
58953- atomic_set(&dev->bytes_identical, 0);
58954- atomic_set(&dev->bytes_sent, 0);
58955- atomic_set(&dev->cpu_kcycles_used, 0);
58956+ atomic_set_unchecked(&dev->bytes_rendered, 0);
58957+ atomic_set_unchecked(&dev->bytes_identical, 0);
58958+ atomic_set_unchecked(&dev->bytes_sent, 0);
58959+ atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
58960
58961 return count;
58962 }
58963diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
58964index 178ae93..624b2eb 100644
58965--- a/drivers/video/fbdev/uvesafb.c
58966+++ b/drivers/video/fbdev/uvesafb.c
58967@@ -19,6 +19,7 @@
58968 #include <linux/io.h>
58969 #include <linux/mutex.h>
58970 #include <linux/slab.h>
58971+#include <linux/moduleloader.h>
58972 #include <video/edid.h>
58973 #include <video/uvesafb.h>
58974 #ifdef CONFIG_X86
58975@@ -565,10 +566,32 @@ static int uvesafb_vbe_getpmi(struct uvesafb_ktask *task,
58976 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
58977 par->pmi_setpal = par->ypan = 0;
58978 } else {
58979+
58980+#ifdef CONFIG_PAX_KERNEXEC
58981+#ifdef CONFIG_MODULES
58982+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
58983+#endif
58984+ if (!par->pmi_code) {
58985+ par->pmi_setpal = par->ypan = 0;
58986+ return 0;
58987+ }
58988+#endif
58989+
58990 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
58991 + task->t.regs.edi);
58992+
58993+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58994+ pax_open_kernel();
58995+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
58996+ pax_close_kernel();
58997+
58998+ par->pmi_start = (void *)ktva_ktla((unsigned long)(par->pmi_code + par->pmi_base[1]));
58999+ par->pmi_pal = (void *)ktva_ktla((unsigned long)(par->pmi_code + par->pmi_base[2]));
59000+#else
59001 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
59002 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
59003+#endif
59004+
59005 printk(KERN_INFO "uvesafb: protected mode interface info at "
59006 "%04x:%04x\n",
59007 (u16)task->t.regs.es, (u16)task->t.regs.edi);
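Review bot: The entry offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared with the `(u16)task->t.regs.ecx` bytes that were allocated and copied. A firmware table carrying an offset past that length would leave `pmi_start`/`pmi_pal` pointing outside the executable copy. The vesafb.c hunk at `@@ -330,9 +340,25 @@` has the same gap against `screen_info.vesapm_size`. A length check before the memcpy, falling back to `pmi_setpal = ypan = 0` as the allocation-failure path already does, would close it. The function begins outside the hunk, so whether `par->pmi_code` starts out NULL in the KERNEXEC-without-modules case cannot be confirmed from here.

```c
#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
		/* Offsets come from the firmware table; keep both inside the copy. */
		if ((u16)task->t.regs.ecx < 3 * sizeof(u16) ||
		    par->pmi_base[1] >= (u16)task->t.regs.ecx ||
		    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
			module_memfree_exec(par->pmi_code);
			par->pmi_code = NULL;
			par->pmi_setpal = par->ypan = 0;
			return 0;
		}
		/* … unchanged: pax_open_kernel(), memcpy, ktva_ktla fixups … */
```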
59008@@ -813,13 +836,14 @@ static int uvesafb_vbe_init(struct fb_info *info)
59009 par->ypan = ypan;
59010
59011 if (par->pmi_setpal || par->ypan) {
59012+#if !defined(CONFIG_MODULES) || !defined(CONFIG_PAX_KERNEXEC)
59013 if (__supported_pte_mask & _PAGE_NX) {
59014 par->pmi_setpal = par->ypan = 0;
59015 printk(KERN_WARNING "uvesafb: NX protection is active, "
59016 "better not use the PMI.\n");
59017- } else {
59018+ } else
59019+#endif
59020 uvesafb_vbe_getpmi(task, par);
59021- }
59022 }
59023 #else
59024 /* The protected mode interface is not available on non-x86. */
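Review bot: With the braces removed, the `else` at the end of the `#if` block now binds to `uvesafb_vbe_getpmi(task, par);` across the `#endif`, which is easy to break when a statement is later added between them. The `#if` line also needs a comment, because it is not obvious why the NX test is skipped in that configuration. Something like `/* with KERNEXEC and modules the PMI code is copied into executable memory, so NX on the BIOS area does not apply */` matches what the uvesafb_vbe_getpmi hunk appears to do. The enclosing function starts and ends outside the hunk.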
59025@@ -1452,8 +1476,11 @@ static void uvesafb_init_info(struct fb_info *info, struct vbe_mode_ib *mode)
59026 info->fix.ywrapstep = (par->ypan > 1) ? 1 : 0;
59027
59028 /* Disable blanking if the user requested so. */
59029- if (!blank)
59030- info->fbops->fb_blank = NULL;
59031+ if (!blank) {
59032+ pax_open_kernel();
59033+ *(void **)&info->fbops->fb_blank = NULL;
59034+ pax_close_kernel();
59035+ }
59036
59037 /*
59038 * Find out how much IO memory is required for the mode with
59039@@ -1524,8 +1551,11 @@ static void uvesafb_init_info(struct fb_info *info, struct vbe_mode_ib *mode)
59040 info->flags = FBINFO_FLAG_DEFAULT |
59041 (par->ypan ? FBINFO_HWACCEL_YPAN : 0);
59042
59043- if (!par->ypan)
59044- info->fbops->fb_pan_display = NULL;
59045+ if (!par->ypan) {
59046+ pax_open_kernel();
59047+ *(void **)&info->fbops->fb_pan_display = NULL;
59048+ pax_close_kernel();
59049+ }
59050 }
59051
59052 static void uvesafb_init_mtrr(struct fb_info *info)
59053@@ -1786,6 +1816,11 @@ out_mode:
59054 out:
59055 kfree(par->vbe_modes);
59056
59057+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59058+ if (par->pmi_code)
59059+ module_memfree_exec(par->pmi_code);
59060+#endif
59061+
59062 framebuffer_release(info);
59063 return err;
59064 }
59065@@ -1810,6 +1845,11 @@ static int uvesafb_remove(struct platform_device *dev)
59066 kfree(par->vbe_state_orig);
59067 kfree(par->vbe_state_saved);
59068
59069+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59070+ if (par->pmi_code)
59071+ module_memfree_exec(par->pmi_code);
59072+#endif
59073+
59074 framebuffer_release(info);
59075 }
59076 return 0;
59077diff --git a/drivers/video/fbdev/vesafb.c b/drivers/video/fbdev/vesafb.c
59078index 528fe91..6fd29fe 100644
59079--- a/drivers/video/fbdev/vesafb.c
59080+++ b/drivers/video/fbdev/vesafb.c
59081@@ -9,6 +9,7 @@
59082 */
59083
59084 #include <linux/module.h>
59085+#include <linux/moduleloader.h>
59086 #include <linux/kernel.h>
59087 #include <linux/errno.h>
59088 #include <linux/string.h>
59089@@ -56,8 +57,8 @@ static int vram_remap; /* Set amount of memory to be used */
59090 static int vram_total; /* Set total amount of memory */
59091 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
59092 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
59093-static void (*pmi_start)(void) __read_mostly;
59094-static void (*pmi_pal) (void) __read_mostly;
59095+static void (*pmi_start)(void) __read_only;
59096+static void (*pmi_pal) (void) __read_only;
59097 static int depth __read_mostly;
59098 static int vga_compat __read_mostly;
59099 /* --------------------------------------------------------------------- */
59100@@ -241,6 +242,7 @@ static int vesafb_probe(struct platform_device *dev)
59101 unsigned int size_remap;
59102 unsigned int size_total;
59103 char *option = NULL;
59104+ void *pmi_code = NULL;
59105
59106 /* ignore error return of fb_get_options */
59107 fb_get_options("vesafb", &option);
59108@@ -287,10 +289,6 @@ static int vesafb_probe(struct platform_device *dev)
59109 size_remap = size_total;
59110 vesafb_fix.smem_len = size_remap;
59111
59112-#ifndef __i386__
59113- screen_info.vesapm_seg = 0;
59114-#endif
59115-
59116 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
59117 printk(KERN_WARNING
59118 "vesafb: cannot reserve video memory at 0x%lx\n",
59119@@ -320,9 +318,21 @@ static int vesafb_probe(struct platform_device *dev)
59120 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
59121 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
59122
59123+#ifdef __i386__
59124+
59125+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59126+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
59127+ if (!pmi_code)
59128+#elif !defined(CONFIG_PAX_KERNEXEC)
59129+ if (0)
59130+#endif
59131+
59132+#endif
59133+ screen_info.vesapm_seg = 0;
59134+
59135 if (screen_info.vesapm_seg) {
59136- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
59137- screen_info.vesapm_seg,screen_info.vesapm_off);
59138+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
59139+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
59140 }
59141
59142 if (screen_info.vesapm_seg < 0xc000)
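Review bot: `module_alloc_exec(screen_info.vesapm_size)` runs before it is known whether the PMI will be used at all. When `vesapm_seg` is zero or below 0xc000 the buffer appears to stay allocated after a successful probe, because the only `module_memfree_exec` in this file's hunks sits on the `err:` path. Allocating inside the later `if (ypan || pmi_setpal)` block, or freeing once the PMI ends up disabled, would avoid that. The preprocessor-assembled `if` in front of `screen_info.vesapm_seg = 0;` also deserves a comment listing the cases, e.g. `/* clear vesapm_seg on non-i386, on KERNEXEC without modules, or when the exec allocation fails */`. vesafb_probe extends well beyond the hunk, so the leak is inferred from the visible lines only.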
59143@@ -330,9 +340,25 @@ static int vesafb_probe(struct platform_device *dev)
59144
59145 if (ypan || pmi_setpal) {
59146 unsigned short *pmi_base;
59147+
59148 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
59149- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
59150- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
59151+
59152+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59153+ pax_open_kernel();
59154+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
59155+#else
59156+ pmi_code = pmi_base;
59157+#endif
59158+
59159+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
59160+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
59161+
59162+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59163+ pmi_start = (void *)ktva_ktla((unsigned long)pmi_start);
59164+ pmi_pal = (void *)ktva_ktla((unsigned long)pmi_pal);
59165+ pax_close_kernel();
59166+#endif
59167+
59168 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
59169 if (pmi_base[3]) {
59170 printk(KERN_INFO "vesafb: pmi: ports = ");
59171@@ -452,8 +478,11 @@ static int vesafb_probe(struct platform_device *dev)
59172 info->flags = FBINFO_FLAG_DEFAULT | FBINFO_MISC_FIRMWARE |
59173 (ypan ? FBINFO_HWACCEL_YPAN : 0);
59174
59175- if (!ypan)
59176- info->fbops->fb_pan_display = NULL;
59177+ if (!ypan) {
59178+ pax_open_kernel();
59179+ *(void **)&info->fbops->fb_pan_display = NULL;
59180+ pax_close_kernel();
59181+ }
59182
59183 if (fb_alloc_cmap(&info->cmap, 256, 0) < 0) {
59184 err = -ENOMEM;
59185@@ -467,6 +496,11 @@ static int vesafb_probe(struct platform_device *dev)
59186 fb_info(info, "%s frame buffer device\n", info->fix.id);
59187 return 0;
59188 err:
59189+
59190+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59191+ module_memfree_exec(pmi_code);
59192+#endif
59193+
59194 arch_phys_wc_del(par->wc_cookie);
59195 if (info->screen_base)
59196 iounmap(info->screen_base);
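Review bot: `module_memfree_exec(pmi_code)` on the `err:` path is reached even when `pmi_code` is still NULL, for instance after a failed allocation, whereas both uvesafb.c hunks guard the same call with `if (par->pmi_code)`. Whether module_memfree_exec tolerates a NULL argument is not visible here, so matching that guard is the safe choice: `if (pmi_code) module_memfree_exec(pmi_code);`. The label sits inside vesafb_probe, whose body starts outside the hunk.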
59197diff --git a/drivers/video/fbdev/via/via_clock.h b/drivers/video/fbdev/via/via_clock.h
59198index 88714ae..16c2e11 100644
59199--- a/drivers/video/fbdev/via/via_clock.h
59200+++ b/drivers/video/fbdev/via/via_clock.h
59201@@ -56,7 +56,7 @@ struct via_clock {
59202
59203 void (*set_engine_pll_state)(u8 state);
59204 void (*set_engine_pll)(struct via_pll_config config);
59205-};
59206+} __no_const;
59207
59208
59209 static inline u32 get_pll_internal_frequency(u32 ref_freq,
59210diff --git a/drivers/video/logo/logo_linux_clut224.ppm b/drivers/video/logo/logo_linux_clut224.ppm
59211index 3c14e43..2630570 100644
59212--- a/drivers/video/logo/logo_linux_clut224.ppm
59213+++ b/drivers/video/logo/logo_linux_clut224.ppm
59214@@ -2,1603 +2,1123 @@ P3
59215 # Standard 224-color Linux logo
59216 80 80
59217 255
59218- 0 0 0 0 0 0 0 0 0 0 0 0
59219- 0 0 0 0 0 0 0 0 0 0 0 0
59220- 0 0 0 0 0 0 0 0 0 0 0 0
59221- 0 0 0 0 0 0 0 0 0 0 0 0
59222- 0 0 0 0 0 0 0 0 0 0 0 0
59223- 0 0 0 0 0 0 0 0 0 0 0 0
59224- 0 0 0 0 0 0 0 0 0 0 0 0
59225- 0 0 0 0 0 0 0 0 0 0 0 0
59226- 0 0 0 0 0 0 0 0 0 0 0 0
59227- 6 6 6 6 6 6 10 10 10 10 10 10
59228- 10 10 10 6 6 6 6 6 6 6 6 6
59229- 0 0 0 0 0 0 0 0 0 0 0 0
59230- 0 0 0 0 0 0 0 0 0 0 0 0
59231- 0 0 0 0 0 0 0 0 0 0 0 0
59232- 0 0 0 0 0 0 0 0 0 0 0 0
59233- 0 0 0 0 0 0 0 0 0 0 0 0
59234- 0 0 0 0 0 0 0 0 0 0 0 0
59235- 0 0 0 0 0 0 0 0 0 0 0 0
59236- 0 0 0 0 0 0 0 0 0 0 0 0
59237- 0 0 0 0 0 0 0 0 0 0 0 0
59238- 0 0 0 0 0 0 0 0 0 0 0 0
59239- 0 0 0 0 0 0 0 0 0 0 0 0
59240- 0 0 0 0 0 0 0 0 0 0 0 0
59241- 0 0 0 0 0 0 0 0 0 0 0 0
59242- 0 0 0 0 0 0 0 0 0 0 0 0
59243- 0 0 0 0 0 0 0 0 0 0 0 0
59244- 0 0 0 0 0 0 0 0 0 0 0 0
59245- 0 0 0 0 0 0 0 0 0 0 0 0
59246- 0 0 0 6 6 6 10 10 10 14 14 14
59247- 22 22 22 26 26 26 30 30 30 34 34 34
59248- 30 30 30 30 30 30 26 26 26 18 18 18
59249- 14 14 14 10 10 10 6 6 6 0 0 0
59250- 0 0 0 0 0 0 0 0 0 0 0 0
59251- 0 0 0 0 0 0 0 0 0 0 0 0
59252- 0 0 0 0 0 0 0 0 0 0 0 0
59253- 0 0 0 0 0 0 0 0 0 0 0 0
59254- 0 0 0 0 0 0 0 0 0 0 0 0
59255- 0 0 0 0 0 0 0 0 0 0 0 0
59256- 0 0 0 0 0 0 0 0 0 0 0 0
59257- 0 0 0 0 0 0 0 0 0 0 0 0
59258- 0 0 0 0 0 0 0 0 0 0 0 0
59259- 0 0 0 0 0 1 0 0 1 0 0 0
59260- 0 0 0 0 0 0 0 0 0 0 0 0
59261- 0 0 0 0 0 0 0 0 0 0 0 0
59262- 0 0 0 0 0 0 0 0 0 0 0 0
59263- 0 0 0 0 0 0 0 0 0 0 0 0
59264- 0 0 0 0 0 0 0 0 0 0 0 0
59265- 0 0 0 0 0 0 0 0 0 0 0 0
59266- 6 6 6 14 14 14 26 26 26 42 42 42
59267- 54 54 54 66 66 66 78 78 78 78 78 78
59268- 78 78 78 74 74 74 66 66 66 54 54 54
59269- 42 42 42 26 26 26 18 18 18 10 10 10
59270- 6 6 6 0 0 0 0 0 0 0 0 0
59271- 0 0 0 0 0 0 0 0 0 0 0 0
59272- 0 0 0 0 0 0 0 0 0 0 0 0
59273- 0 0 0 0 0 0 0 0 0 0 0 0
59274- 0 0 0 0 0 0 0 0 0 0 0 0
59275- 0 0 0 0 0 0 0 0 0 0 0 0
59276- 0 0 0 0 0 0 0 0 0 0 0 0
59277- 0 0 0 0 0 0 0 0 0 0 0 0
59278- 0 0 0 0 0 0 0 0 0 0 0 0
59279- 0 0 1 0 0 0 0 0 0 0 0 0
59280- 0 0 0 0 0 0 0 0 0 0 0 0
59281- 0 0 0 0 0 0 0 0 0 0 0 0
59282- 0 0 0 0 0 0 0 0 0 0 0 0
59283- 0 0 0 0 0 0 0 0 0 0 0 0
59284- 0 0 0 0 0 0 0 0 0 0 0 0
59285- 0 0 0 0 0 0 0 0 0 10 10 10
59286- 22 22 22 42 42 42 66 66 66 86 86 86
59287- 66 66 66 38 38 38 38 38 38 22 22 22
59288- 26 26 26 34 34 34 54 54 54 66 66 66
59289- 86 86 86 70 70 70 46 46 46 26 26 26
59290- 14 14 14 6 6 6 0 0 0 0 0 0
59291- 0 0 0 0 0 0 0 0 0 0 0 0
59292- 0 0 0 0 0 0 0 0 0 0 0 0
59293- 0 0 0 0 0 0 0 0 0 0 0 0
59294- 0 0 0 0 0 0 0 0 0 0 0 0
59295- 0 0 0 0 0 0 0 0 0 0 0 0
59296- 0 0 0 0 0 0 0 0 0 0 0 0
59297- 0 0 0 0 0 0 0 0 0 0 0 0
59298- 0 0 0 0 0 0 0 0 0 0 0 0
59299- 0 0 1 0 0 1 0 0 1 0 0 0
59300- 0 0 0 0 0 0 0 0 0 0 0 0
59301- 0 0 0 0 0 0 0 0 0 0 0 0
59302- 0 0 0 0 0 0 0 0 0 0 0 0
59303- 0 0 0 0 0 0 0 0 0 0 0 0
59304- 0 0 0 0 0 0 0 0 0 0 0 0
59305- 0 0 0 0 0 0 10 10 10 26 26 26
59306- 50 50 50 82 82 82 58 58 58 6 6 6
59307- 2 2 6 2 2 6 2 2 6 2 2 6
59308- 2 2 6 2 2 6 2 2 6 2 2 6
59309- 6 6 6 54 54 54 86 86 86 66 66 66
59310- 38 38 38 18 18 18 6 6 6 0 0 0
59311- 0 0 0 0 0 0 0 0 0 0 0 0
59312- 0 0 0 0 0 0 0 0 0 0 0 0
59313- 0 0 0 0 0 0 0 0 0 0 0 0
59314- 0 0 0 0 0 0 0 0 0 0 0 0
59315- 0 0 0 0 0 0 0 0 0 0 0 0
59316- 0 0 0 0 0 0 0 0 0 0 0 0
59317- 0 0 0 0 0 0 0 0 0 0 0 0
59318- 0 0 0 0 0 0 0 0 0 0 0 0
59319- 0 0 0 0 0 0 0 0 0 0 0 0
59320- 0 0 0 0 0 0 0 0 0 0 0 0
59321- 0 0 0 0 0 0 0 0 0 0 0 0
59322- 0 0 0 0 0 0 0 0 0 0 0 0
59323- 0 0 0 0 0 0 0 0 0 0 0 0
59324- 0 0 0 0 0 0 0 0 0 0 0 0
59325- 0 0 0 6 6 6 22 22 22 50 50 50
59326- 78 78 78 34 34 34 2 2 6 2 2 6
59327- 2 2 6 2 2 6 2 2 6 2 2 6
59328- 2 2 6 2 2 6 2 2 6 2 2 6
59329- 2 2 6 2 2 6 6 6 6 70 70 70
59330- 78 78 78 46 46 46 22 22 22 6 6 6
59331- 0 0 0 0 0 0 0 0 0 0 0 0
59332- 0 0 0 0 0 0 0 0 0 0 0 0
59333- 0 0 0 0 0 0 0 0 0 0 0 0
59334- 0 0 0 0 0 0 0 0 0 0 0 0
59335- 0 0 0 0 0 0 0 0 0 0 0 0
59336- 0 0 0 0 0 0 0 0 0 0 0 0
59337- 0 0 0 0 0 0 0 0 0 0 0 0
59338- 0 0 0 0 0 0 0 0 0 0 0 0
59339- 0 0 1 0 0 1 0 0 1 0 0 0
59340- 0 0 0 0 0 0 0 0 0 0 0 0
59341- 0 0 0 0 0 0 0 0 0 0 0 0
59342- 0 0 0 0 0 0 0 0 0 0 0 0
59343- 0 0 0 0 0 0 0 0 0 0 0 0
59344- 0 0 0 0 0 0 0 0 0 0 0 0
59345- 6 6 6 18 18 18 42 42 42 82 82 82
59346- 26 26 26 2 2 6 2 2 6 2 2 6
59347- 2 2 6 2 2 6 2 2 6 2 2 6
59348- 2 2 6 2 2 6 2 2 6 14 14 14
59349- 46 46 46 34 34 34 6 6 6 2 2 6
59350- 42 42 42 78 78 78 42 42 42 18 18 18
59351- 6 6 6 0 0 0 0 0 0 0 0 0
59352- 0 0 0 0 0 0 0 0 0 0 0 0
59353- 0 0 0 0 0 0 0 0 0 0 0 0
59354- 0 0 0 0 0 0 0 0 0 0 0 0
59355- 0 0 0 0 0 0 0 0 0 0 0 0
59356- 0 0 0 0 0 0 0 0 0 0 0 0
59357- 0 0 0 0 0 0 0 0 0 0 0 0
59358- 0 0 0 0 0 0 0 0 0 0 0 0
59359- 0 0 1 0 0 0 0 0 1 0 0 0
59360- 0 0 0 0 0 0 0 0 0 0 0 0
59361- 0 0 0 0 0 0 0 0 0 0 0 0
59362- 0 0 0 0 0 0 0 0 0 0 0 0
59363- 0 0 0 0 0 0 0 0 0 0 0 0
59364- 0 0 0 0 0 0 0 0 0 0 0 0
59365- 10 10 10 30 30 30 66 66 66 58 58 58
59366- 2 2 6 2 2 6 2 2 6 2 2 6
59367- 2 2 6 2 2 6 2 2 6 2 2 6
59368- 2 2 6 2 2 6 2 2 6 26 26 26
59369- 86 86 86 101 101 101 46 46 46 10 10 10
59370- 2 2 6 58 58 58 70 70 70 34 34 34
59371- 10 10 10 0 0 0 0 0 0 0 0 0
59372- 0 0 0 0 0 0 0 0 0 0 0 0
59373- 0 0 0 0 0 0 0 0 0 0 0 0
59374- 0 0 0 0 0 0 0 0 0 0 0 0
59375- 0 0 0 0 0 0 0 0 0 0 0 0
59376- 0 0 0 0 0 0 0 0 0 0 0 0
59377- 0 0 0 0 0 0 0 0 0 0 0 0
59378- 0 0 0 0 0 0 0 0 0 0 0 0
59379- 0 0 1 0 0 1 0 0 1 0 0 0
59380- 0 0 0 0 0 0 0 0 0 0 0 0
59381- 0 0 0 0 0 0 0 0 0 0 0 0
59382- 0 0 0 0 0 0 0 0 0 0 0 0
59383- 0 0 0 0 0 0 0 0 0 0 0 0
59384- 0 0 0 0 0 0 0 0 0 0 0 0
59385- 14 14 14 42 42 42 86 86 86 10 10 10
59386- 2 2 6 2 2 6 2 2 6 2 2 6
59387- 2 2 6 2 2 6 2 2 6 2 2 6
59388- 2 2 6 2 2 6 2 2 6 30 30 30
59389- 94 94 94 94 94 94 58 58 58 26 26 26
59390- 2 2 6 6 6 6 78 78 78 54 54 54
59391- 22 22 22 6 6 6 0 0 0 0 0 0
59392- 0 0 0 0 0 0 0 0 0 0 0 0
59393- 0 0 0 0 0 0 0 0 0 0 0 0
59394- 0 0 0 0 0 0 0 0 0 0 0 0
59395- 0 0 0 0 0 0 0 0 0 0 0 0
59396- 0 0 0 0 0 0 0 0 0 0 0 0
59397- 0 0 0 0 0 0 0 0 0 0 0 0
59398- 0 0 0 0 0 0 0 0 0 0 0 0
59399- 0 0 0 0 0 0 0 0 0 0 0 0
59400- 0 0 0 0 0 0 0 0 0 0 0 0
59401- 0 0 0 0 0 0 0 0 0 0 0 0
59402- 0 0 0 0 0 0 0 0 0 0 0 0
59403- 0 0 0 0 0 0 0 0 0 0 0 0
59404- 0 0 0 0 0 0 0 0 0 6 6 6
59405- 22 22 22 62 62 62 62 62 62 2 2 6
59406- 2 2 6 2 2 6 2 2 6 2 2 6
59407- 2 2 6 2 2 6 2 2 6 2 2 6
59408- 2 2 6 2 2 6 2 2 6 26 26 26
59409- 54 54 54 38 38 38 18 18 18 10 10 10
59410- 2 2 6 2 2 6 34 34 34 82 82 82
59411- 38 38 38 14 14 14 0 0 0 0 0 0
59412- 0 0 0 0 0 0 0 0 0 0 0 0
59413- 0 0 0 0 0 0 0 0 0 0 0 0
59414- 0 0 0 0 0 0 0 0 0 0 0 0
59415- 0 0 0 0 0 0 0 0 0 0 0 0
59416- 0 0 0 0 0 0 0 0 0 0 0 0
59417- 0 0 0 0 0 0 0 0 0 0 0 0
59418- 0 0 0 0 0 0 0 0 0 0 0 0
59419- 0 0 0 0 0 1 0 0 1 0 0 0
59420- 0 0 0 0 0 0 0 0 0 0 0 0
59421- 0 0 0 0 0 0 0 0 0 0 0 0
59422- 0 0 0 0 0 0 0 0 0 0 0 0
59423- 0 0 0 0 0 0 0 0 0 0 0 0
59424- 0 0 0 0 0 0 0 0 0 6 6 6
59425- 30 30 30 78 78 78 30 30 30 2 2 6
59426- 2 2 6 2 2 6 2 2 6 2 2 6
59427- 2 2 6 2 2 6 2 2 6 2 2 6
59428- 2 2 6 2 2 6 2 2 6 10 10 10
59429- 10 10 10 2 2 6 2 2 6 2 2 6
59430- 2 2 6 2 2 6 2 2 6 78 78 78
59431- 50 50 50 18 18 18 6 6 6 0 0 0
59432- 0 0 0 0 0 0 0 0 0 0 0 0
59433- 0 0 0 0 0 0 0 0 0 0 0 0
59434- 0 0 0 0 0 0 0 0 0 0 0 0
59435- 0 0 0 0 0 0 0 0 0 0 0 0
59436- 0 0 0 0 0 0 0 0 0 0 0 0
59437- 0 0 0 0 0 0 0 0 0 0 0 0
59438- 0 0 0 0 0 0 0 0 0 0 0 0
59439- 0 0 1 0 0 0 0 0 0 0 0 0
59440- 0 0 0 0 0 0 0 0 0 0 0 0
59441- 0 0 0 0 0 0 0 0 0 0 0 0
59442- 0 0 0 0 0 0 0 0 0 0 0 0
59443- 0 0 0 0 0 0 0 0 0 0 0 0
59444- 0 0 0 0 0 0 0 0 0 10 10 10
59445- 38 38 38 86 86 86 14 14 14 2 2 6
59446- 2 2 6 2 2 6 2 2 6 2 2 6
59447- 2 2 6 2 2 6 2 2 6 2 2 6
59448- 2 2 6 2 2 6 2 2 6 2 2 6
59449- 2 2 6 2 2 6 2 2 6 2 2 6
59450- 2 2 6 2 2 6 2 2 6 54 54 54
59451- 66 66 66 26 26 26 6 6 6 0 0 0
59452- 0 0 0 0 0 0 0 0 0 0 0 0
59453- 0 0 0 0 0 0 0 0 0 0 0 0
59454- 0 0 0 0 0 0 0 0 0 0 0 0
59455- 0 0 0 0 0 0 0 0 0 0 0 0
59456- 0 0 0 0 0 0 0 0 0 0 0 0
59457- 0 0 0 0 0 0 0 0 0 0 0 0
59458- 0 0 0 0 0 0 0 0 0 0 0 0
59459- 0 0 0 0 0 1 0 0 1 0 0 0
59460- 0 0 0 0 0 0 0 0 0 0 0 0
59461- 0 0 0 0 0 0 0 0 0 0 0 0
59462- 0 0 0 0 0 0 0 0 0 0 0 0
59463- 0 0 0 0 0 0 0 0 0 0 0 0
59464- 0 0 0 0 0 0 0 0 0 14 14 14
59465- 42 42 42 82 82 82 2 2 6 2 2 6
59466- 2 2 6 6 6 6 10 10 10 2 2 6
59467- 2 2 6 2 2 6 2 2 6 2 2 6
59468- 2 2 6 2 2 6 2 2 6 6 6 6
59469- 14 14 14 10 10 10 2 2 6 2 2 6
59470- 2 2 6 2 2 6 2 2 6 18 18 18
59471- 82 82 82 34 34 34 10 10 10 0 0 0
59472- 0 0 0 0 0 0 0 0 0 0 0 0
59473- 0 0 0 0 0 0 0 0 0 0 0 0
59474- 0 0 0 0 0 0 0 0 0 0 0 0
59475- 0 0 0 0 0 0 0 0 0 0 0 0
59476- 0 0 0 0 0 0 0 0 0 0 0 0
59477- 0 0 0 0 0 0 0 0 0 0 0 0
59478- 0 0 0 0 0 0 0 0 0 0 0 0
59479- 0 0 1 0 0 0 0 0 0 0 0 0
59480- 0 0 0 0 0 0 0 0 0 0 0 0
59481- 0 0 0 0 0 0 0 0 0 0 0 0
59482- 0 0 0 0 0 0 0 0 0 0 0 0
59483- 0 0 0 0 0 0 0 0 0 0 0 0
59484- 0 0 0 0 0 0 0 0 0 14 14 14
59485- 46 46 46 86 86 86 2 2 6 2 2 6
59486- 6 6 6 6 6 6 22 22 22 34 34 34
59487- 6 6 6 2 2 6 2 2 6 2 2 6
59488- 2 2 6 2 2 6 18 18 18 34 34 34
59489- 10 10 10 50 50 50 22 22 22 2 2 6
59490- 2 2 6 2 2 6 2 2 6 10 10 10
59491- 86 86 86 42 42 42 14 14 14 0 0 0
59492- 0 0 0 0 0 0 0 0 0 0 0 0
59493- 0 0 0 0 0 0 0 0 0 0 0 0
59494- 0 0 0 0 0 0 0 0 0 0 0 0
59495- 0 0 0 0 0 0 0 0 0 0 0 0
59496- 0 0 0 0 0 0 0 0 0 0 0 0
59497- 0 0 0 0 0 0 0 0 0 0 0 0
59498- 0 0 0 0 0 0 0 0 0 0 0 0
59499- 0 0 1 0 0 1 0 0 1 0 0 0
59500- 0 0 0 0 0 0 0 0 0 0 0 0
59501- 0 0 0 0 0 0 0 0 0 0 0 0
59502- 0 0 0 0 0 0 0 0 0 0 0 0
59503- 0 0 0 0 0 0 0 0 0 0 0 0
59504- 0 0 0 0 0 0 0 0 0 14 14 14
59505- 46 46 46 86 86 86 2 2 6 2 2 6
59506- 38 38 38 116 116 116 94 94 94 22 22 22
59507- 22 22 22 2 2 6 2 2 6 2 2 6
59508- 14 14 14 86 86 86 138 138 138 162 162 162
59509-154 154 154 38 38 38 26 26 26 6 6 6
59510- 2 2 6 2 2 6 2 2 6 2 2 6
59511- 86 86 86 46 46 46 14 14 14 0 0 0
59512- 0 0 0 0 0 0 0 0 0 0 0 0
59513- 0 0 0 0 0 0 0 0 0 0 0 0
59514- 0 0 0 0 0 0 0 0 0 0 0 0
59515- 0 0 0 0 0 0 0 0 0 0 0 0
59516- 0 0 0 0 0 0 0 0 0 0 0 0
59517- 0 0 0 0 0 0 0 0 0 0 0 0
59518- 0 0 0 0 0 0 0 0 0 0 0 0
59519- 0 0 0 0 0 0 0 0 0 0 0 0
59520- 0 0 0 0 0 0 0 0 0 0 0 0
59521- 0 0 0 0 0 0 0 0 0 0 0 0
59522- 0 0 0 0 0 0 0 0 0 0 0 0
59523- 0 0 0 0 0 0 0 0 0 0 0 0
59524- 0 0 0 0 0 0 0 0 0 14 14 14
59525- 46 46 46 86 86 86 2 2 6 14 14 14
59526-134 134 134 198 198 198 195 195 195 116 116 116
59527- 10 10 10 2 2 6 2 2 6 6 6 6
59528-101 98 89 187 187 187 210 210 210 218 218 218
59529-214 214 214 134 134 134 14 14 14 6 6 6
59530- 2 2 6 2 2 6 2 2 6 2 2 6
59531- 86 86 86 50 50 50 18 18 18 6 6 6
59532- 0 0 0 0 0 0 0 0 0 0 0 0
59533- 0 0 0 0 0 0 0 0 0 0 0 0
59534- 0 0 0 0 0 0 0 0 0 0 0 0
59535- 0 0 0 0 0 0 0 0 0 0 0 0
59536- 0 0 0 0 0 0 0 0 0 0 0 0
59537- 0 0 0 0 0 0 0 0 0 0 0 0
59538- 0 0 0 0 0 0 0 0 1 0 0 0
59539- 0 0 1 0 0 1 0 0 1 0 0 0
59540- 0 0 0 0 0 0 0 0 0 0 0 0
59541- 0 0 0 0 0 0 0 0 0 0 0 0
59542- 0 0 0 0 0 0 0 0 0 0 0 0
59543- 0 0 0 0 0 0 0 0 0 0 0 0
59544- 0 0 0 0 0 0 0 0 0 14 14 14
59545- 46 46 46 86 86 86 2 2 6 54 54 54
59546-218 218 218 195 195 195 226 226 226 246 246 246
59547- 58 58 58 2 2 6 2 2 6 30 30 30
59548-210 210 210 253 253 253 174 174 174 123 123 123
59549-221 221 221 234 234 234 74 74 74 2 2 6
59550- 2 2 6 2 2 6 2 2 6 2 2 6
59551- 70 70 70 58 58 58 22 22 22 6 6 6
59552- 0 0 0 0 0 0 0 0 0 0 0 0
59553- 0 0 0 0 0 0 0 0 0 0 0 0
59554- 0 0 0 0 0 0 0 0 0 0 0 0
59555- 0 0 0 0 0 0 0 0 0 0 0 0
59556- 0 0 0 0 0 0 0 0 0 0 0 0
59557- 0 0 0 0 0 0 0 0 0 0 0 0
59558- 0 0 0 0 0 0 0 0 0 0 0 0
59559- 0 0 0 0 0 0 0 0 0 0 0 0
59560- 0 0 0 0 0 0 0 0 0 0 0 0
59561- 0 0 0 0 0 0 0 0 0 0 0 0
59562- 0 0 0 0 0 0 0 0 0 0 0 0
59563- 0 0 0 0 0 0 0 0 0 0 0 0
59564- 0 0 0 0 0 0 0 0 0 14 14 14
59565- 46 46 46 82 82 82 2 2 6 106 106 106
59566-170 170 170 26 26 26 86 86 86 226 226 226
59567-123 123 123 10 10 10 14 14 14 46 46 46
59568-231 231 231 190 190 190 6 6 6 70 70 70
59569- 90 90 90 238 238 238 158 158 158 2 2 6
59570- 2 2 6 2 2 6 2 2 6 2 2 6
59571- 70 70 70 58 58 58 22 22 22 6 6 6
59572- 0 0 0 0 0 0 0 0 0 0 0 0
59573- 0 0 0 0 0 0 0 0 0 0 0 0
59574- 0 0 0 0 0 0 0 0 0 0 0 0
59575- 0 0 0 0 0 0 0 0 0 0 0 0
59576- 0 0 0 0 0 0 0 0 0 0 0 0
59577- 0 0 0 0 0 0 0 0 0 0 0 0
59578- 0 0 0 0 0 0 0 0 1 0 0 0
59579- 0 0 1 0 0 1 0 0 1 0 0 0
59580- 0 0 0 0 0 0 0 0 0 0 0 0
59581- 0 0 0 0 0 0 0 0 0 0 0 0
59582- 0 0 0 0 0 0 0 0 0 0 0 0
59583- 0 0 0 0 0 0 0 0 0 0 0 0
59584- 0 0 0 0 0 0 0 0 0 14 14 14
59585- 42 42 42 86 86 86 6 6 6 116 116 116
59586-106 106 106 6 6 6 70 70 70 149 149 149
59587-128 128 128 18 18 18 38 38 38 54 54 54
59588-221 221 221 106 106 106 2 2 6 14 14 14
59589- 46 46 46 190 190 190 198 198 198 2 2 6
59590- 2 2 6 2 2 6 2 2 6 2 2 6
59591- 74 74 74 62 62 62 22 22 22 6 6 6
59592- 0 0 0 0 0 0 0 0 0 0 0 0
59593- 0 0 0 0 0 0 0 0 0 0 0 0
59594- 0 0 0 0 0 0 0 0 0 0 0 0
59595- 0 0 0 0 0 0 0 0 0 0 0 0
59596- 0 0 0 0 0 0 0 0 0 0 0 0
59597- 0 0 0 0 0 0 0 0 0 0 0 0
59598- 0 0 0 0 0 0 0 0 1 0 0 0
59599- 0 0 1 0 0 0 0 0 1 0 0 0
59600- 0 0 0 0 0 0 0 0 0 0 0 0
59601- 0 0 0 0 0 0 0 0 0 0 0 0
59602- 0 0 0 0 0 0 0 0 0 0 0 0
59603- 0 0 0 0 0 0 0 0 0 0 0 0
59604- 0 0 0 0 0 0 0 0 0 14 14 14
59605- 42 42 42 94 94 94 14 14 14 101 101 101
59606-128 128 128 2 2 6 18 18 18 116 116 116
59607-118 98 46 121 92 8 121 92 8 98 78 10
59608-162 162 162 106 106 106 2 2 6 2 2 6
59609- 2 2 6 195 195 195 195 195 195 6 6 6
59610- 2 2 6 2 2 6 2 2 6 2 2 6
59611- 74 74 74 62 62 62 22 22 22 6 6 6
59612- 0 0 0 0 0 0 0 0 0 0 0 0
59613- 0 0 0 0 0 0 0 0 0 0 0 0
59614- 0 0 0 0 0 0 0 0 0 0 0 0
59615- 0 0 0 0 0 0 0 0 0 0 0 0
59616- 0 0 0 0 0 0 0 0 0 0 0 0
59617- 0 0 0 0 0 0 0 0 0 0 0 0
59618- 0 0 0 0 0 0 0 0 1 0 0 1
59619- 0 0 1 0 0 0 0 0 1 0 0 0
59620- 0 0 0 0 0 0 0 0 0 0 0 0
59621- 0 0 0 0 0 0 0 0 0 0 0 0
59622- 0 0 0 0 0 0 0 0 0 0 0 0
59623- 0 0 0 0 0 0 0 0 0 0 0 0
59624- 0 0 0 0 0 0 0 0 0 10 10 10
59625- 38 38 38 90 90 90 14 14 14 58 58 58
59626-210 210 210 26 26 26 54 38 6 154 114 10
59627-226 170 11 236 186 11 225 175 15 184 144 12
59628-215 174 15 175 146 61 37 26 9 2 2 6
59629- 70 70 70 246 246 246 138 138 138 2 2 6
59630- 2 2 6 2 2 6 2 2 6 2 2 6
59631- 70 70 70 66 66 66 26 26 26 6 6 6
59632- 0 0 0 0 0 0 0 0 0 0 0 0
59633- 0 0 0 0 0 0 0 0 0 0 0 0
59634- 0 0 0 0 0 0 0 0 0 0 0 0
59635- 0 0 0 0 0 0 0 0 0 0 0 0
59636- 0 0 0 0 0 0 0 0 0 0 0 0
59637- 0 0 0 0 0 0 0 0 0 0 0 0
59638- 0 0 0 0 0 0 0 0 0 0 0 0
59639- 0 0 0 0 0 0 0 0 0 0 0 0
59640- 0 0 0 0 0 0 0 0 0 0 0 0
59641- 0 0 0 0 0 0 0 0 0 0 0 0
59642- 0 0 0 0 0 0 0 0 0 0 0 0
59643- 0 0 0 0 0 0 0 0 0 0 0 0
59644- 0 0 0 0 0 0 0 0 0 10 10 10
59645- 38 38 38 86 86 86 14 14 14 10 10 10
59646-195 195 195 188 164 115 192 133 9 225 175 15
59647-239 182 13 234 190 10 232 195 16 232 200 30
59648-245 207 45 241 208 19 232 195 16 184 144 12
59649-218 194 134 211 206 186 42 42 42 2 2 6
59650- 2 2 6 2 2 6 2 2 6 2 2 6
59651- 50 50 50 74 74 74 30 30 30 6 6 6
59652- 0 0 0 0 0 0 0 0 0 0 0 0
59653- 0 0 0 0 0 0 0 0 0 0 0 0
59654- 0 0 0 0 0 0 0 0 0 0 0 0
59655- 0 0 0 0 0 0 0 0 0 0 0 0
59656- 0 0 0 0 0 0 0 0 0 0 0 0
59657- 0 0 0 0 0 0 0 0 0 0 0 0
59658- 0 0 0 0 0 0 0 0 0 0 0 0
59659- 0 0 0 0 0 0 0 0 0 0 0 0
59660- 0 0 0 0 0 0 0 0 0 0 0 0
59661- 0 0 0 0 0 0 0 0 0 0 0 0
59662- 0 0 0 0 0 0 0 0 0 0 0 0
59663- 0 0 0 0 0 0 0 0 0 0 0 0
59664- 0 0 0 0 0 0 0 0 0 10 10 10
59665- 34 34 34 86 86 86 14 14 14 2 2 6
59666-121 87 25 192 133 9 219 162 10 239 182 13
59667-236 186 11 232 195 16 241 208 19 244 214 54
59668-246 218 60 246 218 38 246 215 20 241 208 19
59669-241 208 19 226 184 13 121 87 25 2 2 6
59670- 2 2 6 2 2 6 2 2 6 2 2 6
59671- 50 50 50 82 82 82 34 34 34 10 10 10
59672- 0 0 0 0 0 0 0 0 0 0 0 0
59673- 0 0 0 0 0 0 0 0 0 0 0 0
59674- 0 0 0 0 0 0 0 0 0 0 0 0
59675- 0 0 0 0 0 0 0 0 0 0 0 0
59676- 0 0 0 0 0 0 0 0 0 0 0 0
59677- 0 0 0 0 0 0 0 0 0 0 0 0
59678- 0 0 0 0 0 0 0 0 0 0 0 0
59679- 0 0 0 0 0 0 0 0 0 0 0 0
59680- 0 0 0 0 0 0 0 0 0 0 0 0
59681- 0 0 0 0 0 0 0 0 0 0 0 0
59682- 0 0 0 0 0 0 0 0 0 0 0 0
59683- 0 0 0 0 0 0 0 0 0 0 0 0
59684- 0 0 0 0 0 0 0 0 0 10 10 10
59685- 34 34 34 82 82 82 30 30 30 61 42 6
59686-180 123 7 206 145 10 230 174 11 239 182 13
59687-234 190 10 238 202 15 241 208 19 246 218 74
59688-246 218 38 246 215 20 246 215 20 246 215 20
59689-226 184 13 215 174 15 184 144 12 6 6 6
59690- 2 2 6 2 2 6 2 2 6 2 2 6
59691- 26 26 26 94 94 94 42 42 42 14 14 14
59692- 0 0 0 0 0 0 0 0 0 0 0 0
59693- 0 0 0 0 0 0 0 0 0 0 0 0
59694- 0 0 0 0 0 0 0 0 0 0 0 0
59695- 0 0 0 0 0 0 0 0 0 0 0 0
59696- 0 0 0 0 0 0 0 0 0 0 0 0
59697- 0 0 0 0 0 0 0 0 0 0 0 0
59698- 0 0 0 0 0 0 0 0 0 0 0 0
59699- 0 0 0 0 0 0 0 0 0 0 0 0
59700- 0 0 0 0 0 0 0 0 0 0 0 0
59701- 0 0 0 0 0 0 0 0 0 0 0 0
59702- 0 0 0 0 0 0 0 0 0 0 0 0
59703- 0 0 0 0 0 0 0 0 0 0 0 0
59704- 0 0 0 0 0 0 0 0 0 10 10 10
59705- 30 30 30 78 78 78 50 50 50 104 69 6
59706-192 133 9 216 158 10 236 178 12 236 186 11
59707-232 195 16 241 208 19 244 214 54 245 215 43
59708-246 215 20 246 215 20 241 208 19 198 155 10
59709-200 144 11 216 158 10 156 118 10 2 2 6
59710- 2 2 6 2 2 6 2 2 6 2 2 6
59711- 6 6 6 90 90 90 54 54 54 18 18 18
59712- 6 6 6 0 0 0 0 0 0 0 0 0
59713- 0 0 0 0 0 0 0 0 0 0 0 0
59714- 0 0 0 0 0 0 0 0 0 0 0 0
59715- 0 0 0 0 0 0 0 0 0 0 0 0
59716- 0 0 0 0 0 0 0 0 0 0 0 0
59717- 0 0 0 0 0 0 0 0 0 0 0 0
59718- 0 0 0 0 0 0 0 0 0 0 0 0
59719- 0 0 0 0 0 0 0 0 0 0 0 0
59720- 0 0 0 0 0 0 0 0 0 0 0 0
59721- 0 0 0 0 0 0 0 0 0 0 0 0
59722- 0 0 0 0 0 0 0 0 0 0 0 0
59723- 0 0 0 0 0 0 0 0 0 0 0 0
59724- 0 0 0 0 0 0 0 0 0 10 10 10
59725- 30 30 30 78 78 78 46 46 46 22 22 22
59726-137 92 6 210 162 10 239 182 13 238 190 10
59727-238 202 15 241 208 19 246 215 20 246 215 20
59728-241 208 19 203 166 17 185 133 11 210 150 10
59729-216 158 10 210 150 10 102 78 10 2 2 6
59730- 6 6 6 54 54 54 14 14 14 2 2 6
59731- 2 2 6 62 62 62 74 74 74 30 30 30
59732- 10 10 10 0 0 0 0 0 0 0 0 0
59733- 0 0 0 0 0 0 0 0 0 0 0 0
59734- 0 0 0 0 0 0 0 0 0 0 0 0
59735- 0 0 0 0 0 0 0 0 0 0 0 0
59736- 0 0 0 0 0 0 0 0 0 0 0 0
59737- 0 0 0 0 0 0 0 0 0 0 0 0
59738- 0 0 0 0 0 0 0 0 0 0 0 0
59739- 0 0 0 0 0 0 0 0 0 0 0 0
59740- 0 0 0 0 0 0 0 0 0 0 0 0
59741- 0 0 0 0 0 0 0 0 0 0 0 0
59742- 0 0 0 0 0 0 0 0 0 0 0 0
59743- 0 0 0 0 0 0 0 0 0 0 0 0
59744- 0 0 0 0 0 0 0 0 0 10 10 10
59745- 34 34 34 78 78 78 50 50 50 6 6 6
59746- 94 70 30 139 102 15 190 146 13 226 184 13
59747-232 200 30 232 195 16 215 174 15 190 146 13
59748-168 122 10 192 133 9 210 150 10 213 154 11
59749-202 150 34 182 157 106 101 98 89 2 2 6
59750- 2 2 6 78 78 78 116 116 116 58 58 58
59751- 2 2 6 22 22 22 90 90 90 46 46 46
59752- 18 18 18 6 6 6 0 0 0 0 0 0
59753- 0 0 0 0 0 0 0 0 0 0 0 0
59754- 0 0 0 0 0 0 0 0 0 0 0 0
59755- 0 0 0 0 0 0 0 0 0 0 0 0
59756- 0 0 0 0 0 0 0 0 0 0 0 0
59757- 0 0 0 0 0 0 0 0 0 0 0 0
59758- 0 0 0 0 0 0 0 0 0 0 0 0
59759- 0 0 0 0 0 0 0 0 0 0 0 0
59760- 0 0 0 0 0 0 0 0 0 0 0 0
59761- 0 0 0 0 0 0 0 0 0 0 0 0
59762- 0 0 0 0 0 0 0 0 0 0 0 0
59763- 0 0 0 0 0 0 0 0 0 0 0 0
59764- 0 0 0 0 0 0 0 0 0 10 10 10
59765- 38 38 38 86 86 86 50 50 50 6 6 6
59766-128 128 128 174 154 114 156 107 11 168 122 10
59767-198 155 10 184 144 12 197 138 11 200 144 11
59768-206 145 10 206 145 10 197 138 11 188 164 115
59769-195 195 195 198 198 198 174 174 174 14 14 14
59770- 2 2 6 22 22 22 116 116 116 116 116 116
59771- 22 22 22 2 2 6 74 74 74 70 70 70
59772- 30 30 30 10 10 10 0 0 0 0 0 0
59773- 0 0 0 0 0 0 0 0 0 0 0 0
59774- 0 0 0 0 0 0 0 0 0 0 0 0
59775- 0 0 0 0 0 0 0 0 0 0 0 0
59776- 0 0 0 0 0 0 0 0 0 0 0 0
59777- 0 0 0 0 0 0 0 0 0 0 0 0
59778- 0 0 0 0 0 0 0 0 0 0 0 0
59779- 0 0 0 0 0 0 0 0 0 0 0 0
59780- 0 0 0 0 0 0 0 0 0 0 0 0
59781- 0 0 0 0 0 0 0 0 0 0 0 0
59782- 0 0 0 0 0 0 0 0 0 0 0 0
59783- 0 0 0 0 0 0 0 0 0 0 0 0
59784- 0 0 0 0 0 0 6 6 6 18 18 18
59785- 50 50 50 101 101 101 26 26 26 10 10 10
59786-138 138 138 190 190 190 174 154 114 156 107 11
59787-197 138 11 200 144 11 197 138 11 192 133 9
59788-180 123 7 190 142 34 190 178 144 187 187 187
59789-202 202 202 221 221 221 214 214 214 66 66 66
59790- 2 2 6 2 2 6 50 50 50 62 62 62
59791- 6 6 6 2 2 6 10 10 10 90 90 90
59792- 50 50 50 18 18 18 6 6 6 0 0 0
59793- 0 0 0 0 0 0 0 0 0 0 0 0
59794- 0 0 0 0 0 0 0 0 0 0 0 0
59795- 0 0 0 0 0 0 0 0 0 0 0 0
59796- 0 0 0 0 0 0 0 0 0 0 0 0
59797- 0 0 0 0 0 0 0 0 0 0 0 0
59798- 0 0 0 0 0 0 0 0 0 0 0 0
59799- 0 0 0 0 0 0 0 0 0 0 0 0
59800- 0 0 0 0 0 0 0 0 0 0 0 0
59801- 0 0 0 0 0 0 0 0 0 0 0 0
59802- 0 0 0 0 0 0 0 0 0 0 0 0
59803- 0 0 0 0 0 0 0 0 0 0 0 0
59804- 0 0 0 0 0 0 10 10 10 34 34 34
59805- 74 74 74 74 74 74 2 2 6 6 6 6
59806-144 144 144 198 198 198 190 190 190 178 166 146
59807-154 121 60 156 107 11 156 107 11 168 124 44
59808-174 154 114 187 187 187 190 190 190 210 210 210
59809-246 246 246 253 253 253 253 253 253 182 182 182
59810- 6 6 6 2 2 6 2 2 6 2 2 6
59811- 2 2 6 2 2 6 2 2 6 62 62 62
59812- 74 74 74 34 34 34 14 14 14 0 0 0
59813- 0 0 0 0 0 0 0 0 0 0 0 0
59814- 0 0 0 0 0 0 0 0 0 0 0 0
59815- 0 0 0 0 0 0 0 0 0 0 0 0
59816- 0 0 0 0 0 0 0 0 0 0 0 0
59817- 0 0 0 0 0 0 0 0 0 0 0 0
59818- 0 0 0 0 0 0 0 0 0 0 0 0
59819- 0 0 0 0 0 0 0 0 0 0 0 0
59820- 0 0 0 0 0 0 0 0 0 0 0 0
59821- 0 0 0 0 0 0 0 0 0 0 0 0
59822- 0 0 0 0 0 0 0 0 0 0 0 0
59823- 0 0 0 0 0 0 0 0 0 0 0 0
59824- 0 0 0 10 10 10 22 22 22 54 54 54
59825- 94 94 94 18 18 18 2 2 6 46 46 46
59826-234 234 234 221 221 221 190 190 190 190 190 190
59827-190 190 190 187 187 187 187 187 187 190 190 190
59828-190 190 190 195 195 195 214 214 214 242 242 242
59829-253 253 253 253 253 253 253 253 253 253 253 253
59830- 82 82 82 2 2 6 2 2 6 2 2 6
59831- 2 2 6 2 2 6 2 2 6 14 14 14
59832- 86 86 86 54 54 54 22 22 22 6 6 6
59833- 0 0 0 0 0 0 0 0 0 0 0 0
59834- 0 0 0 0 0 0 0 0 0 0 0 0
59835- 0 0 0 0 0 0 0 0 0 0 0 0
59836- 0 0 0 0 0 0 0 0 0 0 0 0
59837- 0 0 0 0 0 0 0 0 0 0 0 0
59838- 0 0 0 0 0 0 0 0 0 0 0 0
59839- 0 0 0 0 0 0 0 0 0 0 0 0
59840- 0 0 0 0 0 0 0 0 0 0 0 0
59841- 0 0 0 0 0 0 0 0 0 0 0 0
59842- 0 0 0 0 0 0 0 0 0 0 0 0
59843- 0 0 0 0 0 0 0 0 0 0 0 0
59844- 6 6 6 18 18 18 46 46 46 90 90 90
59845- 46 46 46 18 18 18 6 6 6 182 182 182
59846-253 253 253 246 246 246 206 206 206 190 190 190
59847-190 190 190 190 190 190 190 190 190 190 190 190
59848-206 206 206 231 231 231 250 250 250 253 253 253
59849-253 253 253 253 253 253 253 253 253 253 253 253
59850-202 202 202 14 14 14 2 2 6 2 2 6
59851- 2 2 6 2 2 6 2 2 6 2 2 6
59852- 42 42 42 86 86 86 42 42 42 18 18 18
59853- 6 6 6 0 0 0 0 0 0 0 0 0
59854- 0 0 0 0 0 0 0 0 0 0 0 0
59855- 0 0 0 0 0 0 0 0 0 0 0 0
59856- 0 0 0 0 0 0 0 0 0 0 0 0
59857- 0 0 0 0 0 0 0 0 0 0 0 0
59858- 0 0 0 0 0 0 0 0 0 0 0 0
59859- 0 0 0 0 0 0 0 0 0 0 0 0
59860- 0 0 0 0 0 0 0 0 0 0 0 0
59861- 0 0 0 0 0 0 0 0 0 0 0 0
59862- 0 0 0 0 0 0 0 0 0 0 0 0
59863- 0 0 0 0 0 0 0 0 0 6 6 6
59864- 14 14 14 38 38 38 74 74 74 66 66 66
59865- 2 2 6 6 6 6 90 90 90 250 250 250
59866-253 253 253 253 253 253 238 238 238 198 198 198
59867-190 190 190 190 190 190 195 195 195 221 221 221
59868-246 246 246 253 253 253 253 253 253 253 253 253
59869-253 253 253 253 253 253 253 253 253 253 253 253
59870-253 253 253 82 82 82 2 2 6 2 2 6
59871- 2 2 6 2 2 6 2 2 6 2 2 6
59872- 2 2 6 78 78 78 70 70 70 34 34 34
59873- 14 14 14 6 6 6 0 0 0 0 0 0
59874- 0 0 0 0 0 0 0 0 0 0 0 0
59875- 0 0 0 0 0 0 0 0 0 0 0 0
59876- 0 0 0 0 0 0 0 0 0 0 0 0
59877- 0 0 0 0 0 0 0 0 0 0 0 0
59878- 0 0 0 0 0 0 0 0 0 0 0 0
59879- 0 0 0 0 0 0 0 0 0 0 0 0
59880- 0 0 0 0 0 0 0 0 0 0 0 0
59881- 0 0 0 0 0 0 0 0 0 0 0 0
59882- 0 0 0 0 0 0 0 0 0 0 0 0
59883- 0 0 0 0 0 0 0 0 0 14 14 14
59884- 34 34 34 66 66 66 78 78 78 6 6 6
59885- 2 2 6 18 18 18 218 218 218 253 253 253
59886-253 253 253 253 253 253 253 253 253 246 246 246
59887-226 226 226 231 231 231 246 246 246 253 253 253
59888-253 253 253 253 253 253 253 253 253 253 253 253
59889-253 253 253 253 253 253 253 253 253 253 253 253
59890-253 253 253 178 178 178 2 2 6 2 2 6
59891- 2 2 6 2 2 6 2 2 6 2 2 6
59892- 2 2 6 18 18 18 90 90 90 62 62 62
59893- 30 30 30 10 10 10 0 0 0 0 0 0
59894- 0 0 0 0 0 0 0 0 0 0 0 0
59895- 0 0 0 0 0 0 0 0 0 0 0 0
59896- 0 0 0 0 0 0 0 0 0 0 0 0
59897- 0 0 0 0 0 0 0 0 0 0 0 0
59898- 0 0 0 0 0 0 0 0 0 0 0 0
59899- 0 0 0 0 0 0 0 0 0 0 0 0
59900- 0 0 0 0 0 0 0 0 0 0 0 0
59901- 0 0 0 0 0 0 0 0 0 0 0 0
59902- 0 0 0 0 0 0 0 0 0 0 0 0
59903- 0 0 0 0 0 0 10 10 10 26 26 26
59904- 58 58 58 90 90 90 18 18 18 2 2 6
59905- 2 2 6 110 110 110 253 253 253 253 253 253
59906-253 253 253 253 253 253 253 253 253 253 253 253
59907-250 250 250 253 253 253 253 253 253 253 253 253
59908-253 253 253 253 253 253 253 253 253 253 253 253
59909-253 253 253 253 253 253 253 253 253 253 253 253
59910-253 253 253 231 231 231 18 18 18 2 2 6
59911- 2 2 6 2 2 6 2 2 6 2 2 6
59912- 2 2 6 2 2 6 18 18 18 94 94 94
59913- 54 54 54 26 26 26 10 10 10 0 0 0
59914- 0 0 0 0 0 0 0 0 0 0 0 0
59915- 0 0 0 0 0 0 0 0 0 0 0 0
59916- 0 0 0 0 0 0 0 0 0 0 0 0
59917- 0 0 0 0 0 0 0 0 0 0 0 0
59918- 0 0 0 0 0 0 0 0 0 0 0 0
59919- 0 0 0 0 0 0 0 0 0 0 0 0
59920- 0 0 0 0 0 0 0 0 0 0 0 0
59921- 0 0 0 0 0 0 0 0 0 0 0 0
59922- 0 0 0 0 0 0 0 0 0 0 0 0
59923- 0 0 0 6 6 6 22 22 22 50 50 50
59924- 90 90 90 26 26 26 2 2 6 2 2 6
59925- 14 14 14 195 195 195 250 250 250 253 253 253
59926-253 253 253 253 253 253 253 253 253 253 253 253
59927-253 253 253 253 253 253 253 253 253 253 253 253
59928-253 253 253 253 253 253 253 253 253 253 253 253
59929-253 253 253 253 253 253 253 253 253 253 253 253
59930-250 250 250 242 242 242 54 54 54 2 2 6
59931- 2 2 6 2 2 6 2 2 6 2 2 6
59932- 2 2 6 2 2 6 2 2 6 38 38 38
59933- 86 86 86 50 50 50 22 22 22 6 6 6
59934- 0 0 0 0 0 0 0 0 0 0 0 0
59935- 0 0 0 0 0 0 0 0 0 0 0 0
59936- 0 0 0 0 0 0 0 0 0 0 0 0
59937- 0 0 0 0 0 0 0 0 0 0 0 0
59938- 0 0 0 0 0 0 0 0 0 0 0 0
59939- 0 0 0 0 0 0 0 0 0 0 0 0
59940- 0 0 0 0 0 0 0 0 0 0 0 0
59941- 0 0 0 0 0 0 0 0 0 0 0 0
59942- 0 0 0 0 0 0 0 0 0 0 0 0
59943- 6 6 6 14 14 14 38 38 38 82 82 82
59944- 34 34 34 2 2 6 2 2 6 2 2 6
59945- 42 42 42 195 195 195 246 246 246 253 253 253
59946-253 253 253 253 253 253 253 253 253 250 250 250
59947-242 242 242 242 242 242 250 250 250 253 253 253
59948-253 253 253 253 253 253 253 253 253 253 253 253
59949-253 253 253 250 250 250 246 246 246 238 238 238
59950-226 226 226 231 231 231 101 101 101 6 6 6
59951- 2 2 6 2 2 6 2 2 6 2 2 6
59952- 2 2 6 2 2 6 2 2 6 2 2 6
59953- 38 38 38 82 82 82 42 42 42 14 14 14
59954- 6 6 6 0 0 0 0 0 0 0 0 0
59955- 0 0 0 0 0 0 0 0 0 0 0 0
59956- 0 0 0 0 0 0 0 0 0 0 0 0
59957- 0 0 0 0 0 0 0 0 0 0 0 0
59958- 0 0 0 0 0 0 0 0 0 0 0 0
59959- 0 0 0 0 0 0 0 0 0 0 0 0
59960- 0 0 0 0 0 0 0 0 0 0 0 0
59961- 0 0 0 0 0 0 0 0 0 0 0 0
59962- 0 0 0 0 0 0 0 0 0 0 0 0
59963- 10 10 10 26 26 26 62 62 62 66 66 66
59964- 2 2 6 2 2 6 2 2 6 6 6 6
59965- 70 70 70 170 170 170 206 206 206 234 234 234
59966-246 246 246 250 250 250 250 250 250 238 238 238
59967-226 226 226 231 231 231 238 238 238 250 250 250
59968-250 250 250 250 250 250 246 246 246 231 231 231
59969-214 214 214 206 206 206 202 202 202 202 202 202
59970-198 198 198 202 202 202 182 182 182 18 18 18
59971- 2 2 6 2 2 6 2 2 6 2 2 6
59972- 2 2 6 2 2 6 2 2 6 2 2 6
59973- 2 2 6 62 62 62 66 66 66 30 30 30
59974- 10 10 10 0 0 0 0 0 0 0 0 0
59975- 0 0 0 0 0 0 0 0 0 0 0 0
59976- 0 0 0 0 0 0 0 0 0 0 0 0
59977- 0 0 0 0 0 0 0 0 0 0 0 0
59978- 0 0 0 0 0 0 0 0 0 0 0 0
59979- 0 0 0 0 0 0 0 0 0 0 0 0
59980- 0 0 0 0 0 0 0 0 0 0 0 0
59981- 0 0 0 0 0 0 0 0 0 0 0 0
59982- 0 0 0 0 0 0 0 0 0 0 0 0
59983- 14 14 14 42 42 42 82 82 82 18 18 18
59984- 2 2 6 2 2 6 2 2 6 10 10 10
59985- 94 94 94 182 182 182 218 218 218 242 242 242
59986-250 250 250 253 253 253 253 253 253 250 250 250
59987-234 234 234 253 253 253 253 253 253 253 253 253
59988-253 253 253 253 253 253 253 253 253 246 246 246
59989-238 238 238 226 226 226 210 210 210 202 202 202
59990-195 195 195 195 195 195 210 210 210 158 158 158
59991- 6 6 6 14 14 14 50 50 50 14 14 14
59992- 2 2 6 2 2 6 2 2 6 2 2 6
59993- 2 2 6 6 6 6 86 86 86 46 46 46
59994- 18 18 18 6 6 6 0 0 0 0 0 0
59995- 0 0 0 0 0 0 0 0 0 0 0 0
59996- 0 0 0 0 0 0 0 0 0 0 0 0
59997- 0 0 0 0 0 0 0 0 0 0 0 0
59998- 0 0 0 0 0 0 0 0 0 0 0 0
59999- 0 0 0 0 0 0 0 0 0 0 0 0
60000- 0 0 0 0 0 0 0 0 0 0 0 0
60001- 0 0 0 0 0 0 0 0 0 0 0 0
60002- 0 0 0 0 0 0 0 0 0 6 6 6
60003- 22 22 22 54 54 54 70 70 70 2 2 6
60004- 2 2 6 10 10 10 2 2 6 22 22 22
60005-166 166 166 231 231 231 250 250 250 253 253 253
60006-253 253 253 253 253 253 253 253 253 250 250 250
60007-242 242 242 253 253 253 253 253 253 253 253 253
60008-253 253 253 253 253 253 253 253 253 253 253 253
60009-253 253 253 253 253 253 253 253 253 246 246 246
60010-231 231 231 206 206 206 198 198 198 226 226 226
60011- 94 94 94 2 2 6 6 6 6 38 38 38
60012- 30 30 30 2 2 6 2 2 6 2 2 6
60013- 2 2 6 2 2 6 62 62 62 66 66 66
60014- 26 26 26 10 10 10 0 0 0 0 0 0
60015- 0 0 0 0 0 0 0 0 0 0 0 0
60016- 0 0 0 0 0 0 0 0 0 0 0 0
60017- 0 0 0 0 0 0 0 0 0 0 0 0
60018- 0 0 0 0 0 0 0 0 0 0 0 0
60019- 0 0 0 0 0 0 0 0 0 0 0 0
60020- 0 0 0 0 0 0 0 0 0 0 0 0
60021- 0 0 0 0 0 0 0 0 0 0 0 0
60022- 0 0 0 0 0 0 0 0 0 10 10 10
60023- 30 30 30 74 74 74 50 50 50 2 2 6
60024- 26 26 26 26 26 26 2 2 6 106 106 106
60025-238 238 238 253 253 253 253 253 253 253 253 253
60026-253 253 253 253 253 253 253 253 253 253 253 253
60027-253 253 253 253 253 253 253 253 253 253 253 253
60028-253 253 253 253 253 253 253 253 253 253 253 253
60029-253 253 253 253 253 253 253 253 253 253 253 253
60030-253 253 253 246 246 246 218 218 218 202 202 202
60031-210 210 210 14 14 14 2 2 6 2 2 6
60032- 30 30 30 22 22 22 2 2 6 2 2 6
60033- 2 2 6 2 2 6 18 18 18 86 86 86
60034- 42 42 42 14 14 14 0 0 0 0 0 0
60035- 0 0 0 0 0 0 0 0 0 0 0 0
60036- 0 0 0 0 0 0 0 0 0 0 0 0
60037- 0 0 0 0 0 0 0 0 0 0 0 0
60038- 0 0 0 0 0 0 0 0 0 0 0 0
60039- 0 0 0 0 0 0 0 0 0 0 0 0
60040- 0 0 0 0 0 0 0 0 0 0 0 0
60041- 0 0 0 0 0 0 0 0 0 0 0 0
60042- 0 0 0 0 0 0 0 0 0 14 14 14
60043- 42 42 42 90 90 90 22 22 22 2 2 6
60044- 42 42 42 2 2 6 18 18 18 218 218 218
60045-253 253 253 253 253 253 253 253 253 253 253 253
60046-253 253 253 253 253 253 253 253 253 253 253 253
60047-253 253 253 253 253 253 253 253 253 253 253 253
60048-253 253 253 253 253 253 253 253 253 253 253 253
60049-253 253 253 253 253 253 253 253 253 253 253 253
60050-253 253 253 253 253 253 250 250 250 221 221 221
60051-218 218 218 101 101 101 2 2 6 14 14 14
60052- 18 18 18 38 38 38 10 10 10 2 2 6
60053- 2 2 6 2 2 6 2 2 6 78 78 78
60054- 58 58 58 22 22 22 6 6 6 0 0 0
60055- 0 0 0 0 0 0 0 0 0 0 0 0
60056- 0 0 0 0 0 0 0 0 0 0 0 0
60057- 0 0 0 0 0 0 0 0 0 0 0 0
60058- 0 0 0 0 0 0 0 0 0 0 0 0
60059- 0 0 0 0 0 0 0 0 0 0 0 0
60060- 0 0 0 0 0 0 0 0 0 0 0 0
60061- 0 0 0 0 0 0 0 0 0 0 0 0
60062- 0 0 0 0 0 0 6 6 6 18 18 18
60063- 54 54 54 82 82 82 2 2 6 26 26 26
60064- 22 22 22 2 2 6 123 123 123 253 253 253
60065-253 253 253 253 253 253 253 253 253 253 253 253
60066-253 253 253 253 253 253 253 253 253 253 253 253
60067-253 253 253 253 253 253 253 253 253 253 253 253
60068-253 253 253 253 253 253 253 253 253 253 253 253
60069-253 253 253 253 253 253 253 253 253 253 253 253
60070-253 253 253 253 253 253 253 253 253 250 250 250
60071-238 238 238 198 198 198 6 6 6 38 38 38
60072- 58 58 58 26 26 26 38 38 38 2 2 6
60073- 2 2 6 2 2 6 2 2 6 46 46 46
60074- 78 78 78 30 30 30 10 10 10 0 0 0
60075- 0 0 0 0 0 0 0 0 0 0 0 0
60076- 0 0 0 0 0 0 0 0 0 0 0 0
60077- 0 0 0 0 0 0 0 0 0 0 0 0
60078- 0 0 0 0 0 0 0 0 0 0 0 0
60079- 0 0 0 0 0 0 0 0 0 0 0 0
60080- 0 0 0 0 0 0 0 0 0 0 0 0
60081- 0 0 0 0 0 0 0 0 0 0 0 0
60082- 0 0 0 0 0 0 10 10 10 30 30 30
60083- 74 74 74 58 58 58 2 2 6 42 42 42
60084- 2 2 6 22 22 22 231 231 231 253 253 253
60085-253 253 253 253 253 253 253 253 253 253 253 253
60086-253 253 253 253 253 253 253 253 253 250 250 250
60087-253 253 253 253 253 253 253 253 253 253 253 253
60088-253 253 253 253 253 253 253 253 253 253 253 253
60089-253 253 253 253 253 253 253 253 253 253 253 253
60090-253 253 253 253 253 253 253 253 253 253 253 253
60091-253 253 253 246 246 246 46 46 46 38 38 38
60092- 42 42 42 14 14 14 38 38 38 14 14 14
60093- 2 2 6 2 2 6 2 2 6 6 6 6
60094- 86 86 86 46 46 46 14 14 14 0 0 0
60095- 0 0 0 0 0 0 0 0 0 0 0 0
60096- 0 0 0 0 0 0 0 0 0 0 0 0
60097- 0 0 0 0 0 0 0 0 0 0 0 0
60098- 0 0 0 0 0 0 0 0 0 0 0 0
60099- 0 0 0 0 0 0 0 0 0 0 0 0
60100- 0 0 0 0 0 0 0 0 0 0 0 0
60101- 0 0 0 0 0 0 0 0 0 0 0 0
60102- 0 0 0 6 6 6 14 14 14 42 42 42
60103- 90 90 90 18 18 18 18 18 18 26 26 26
60104- 2 2 6 116 116 116 253 253 253 253 253 253
60105-253 253 253 253 253 253 253 253 253 253 253 253
60106-253 253 253 253 253 253 250 250 250 238 238 238
60107-253 253 253 253 253 253 253 253 253 253 253 253
60108-253 253 253 253 253 253 253 253 253 253 253 253
60109-253 253 253 253 253 253 253 253 253 253 253 253
60110-253 253 253 253 253 253 253 253 253 253 253 253
60111-253 253 253 253 253 253 94 94 94 6 6 6
60112- 2 2 6 2 2 6 10 10 10 34 34 34
60113- 2 2 6 2 2 6 2 2 6 2 2 6
60114- 74 74 74 58 58 58 22 22 22 6 6 6
60115- 0 0 0 0 0 0 0 0 0 0 0 0
60116- 0 0 0 0 0 0 0 0 0 0 0 0
60117- 0 0 0 0 0 0 0 0 0 0 0 0
60118- 0 0 0 0 0 0 0 0 0 0 0 0
60119- 0 0 0 0 0 0 0 0 0 0 0 0
60120- 0 0 0 0 0 0 0 0 0 0 0 0
60121- 0 0 0 0 0 0 0 0 0 0 0 0
60122- 0 0 0 10 10 10 26 26 26 66 66 66
60123- 82 82 82 2 2 6 38 38 38 6 6 6
60124- 14 14 14 210 210 210 253 253 253 253 253 253
60125-253 253 253 253 253 253 253 253 253 253 253 253
60126-253 253 253 253 253 253 246 246 246 242 242 242
60127-253 253 253 253 253 253 253 253 253 253 253 253
60128-253 253 253 253 253 253 253 253 253 253 253 253
60129-253 253 253 253 253 253 253 253 253 253 253 253
60130-253 253 253 253 253 253 253 253 253 253 253 253
60131-253 253 253 253 253 253 144 144 144 2 2 6
60132- 2 2 6 2 2 6 2 2 6 46 46 46
60133- 2 2 6 2 2 6 2 2 6 2 2 6
60134- 42 42 42 74 74 74 30 30 30 10 10 10
60135- 0 0 0 0 0 0 0 0 0 0 0 0
60136- 0 0 0 0 0 0 0 0 0 0 0 0
60137- 0 0 0 0 0 0 0 0 0 0 0 0
60138- 0 0 0 0 0 0 0 0 0 0 0 0
60139- 0 0 0 0 0 0 0 0 0 0 0 0
60140- 0 0 0 0 0 0 0 0 0 0 0 0
60141- 0 0 0 0 0 0 0 0 0 0 0 0
60142- 6 6 6 14 14 14 42 42 42 90 90 90
60143- 26 26 26 6 6 6 42 42 42 2 2 6
60144- 74 74 74 250 250 250 253 253 253 253 253 253
60145-253 253 253 253 253 253 253 253 253 253 253 253
60146-253 253 253 253 253 253 242 242 242 242 242 242
60147-253 253 253 253 253 253 253 253 253 253 253 253
60148-253 253 253 253 253 253 253 253 253 253 253 253
60149-253 253 253 253 253 253 253 253 253 253 253 253
60150-253 253 253 253 253 253 253 253 253 253 253 253
60151-253 253 253 253 253 253 182 182 182 2 2 6
60152- 2 2 6 2 2 6 2 2 6 46 46 46
60153- 2 2 6 2 2 6 2 2 6 2 2 6
60154- 10 10 10 86 86 86 38 38 38 10 10 10
60155- 0 0 0 0 0 0 0 0 0 0 0 0
60156- 0 0 0 0 0 0 0 0 0 0 0 0
60157- 0 0 0 0 0 0 0 0 0 0 0 0
60158- 0 0 0 0 0 0 0 0 0 0 0 0
60159- 0 0 0 0 0 0 0 0 0 0 0 0
60160- 0 0 0 0 0 0 0 0 0 0 0 0
60161- 0 0 0 0 0 0 0 0 0 0 0 0
60162- 10 10 10 26 26 26 66 66 66 82 82 82
60163- 2 2 6 22 22 22 18 18 18 2 2 6
60164-149 149 149 253 253 253 253 253 253 253 253 253
60165-253 253 253 253 253 253 253 253 253 253 253 253
60166-253 253 253 253 253 253 234 234 234 242 242 242
60167-253 253 253 253 253 253 253 253 253 253 253 253
60168-253 253 253 253 253 253 253 253 253 253 253 253
60169-253 253 253 253 253 253 253 253 253 253 253 253
60170-253 253 253 253 253 253 253 253 253 253 253 253
60171-253 253 253 253 253 253 206 206 206 2 2 6
60172- 2 2 6 2 2 6 2 2 6 38 38 38
60173- 2 2 6 2 2 6 2 2 6 2 2 6
60174- 6 6 6 86 86 86 46 46 46 14 14 14
60175- 0 0 0 0 0 0 0 0 0 0 0 0
60176- 0 0 0 0 0 0 0 0 0 0 0 0
60177- 0 0 0 0 0 0 0 0 0 0 0 0
60178- 0 0 0 0 0 0 0 0 0 0 0 0
60179- 0 0 0 0 0 0 0 0 0 0 0 0
60180- 0 0 0 0 0 0 0 0 0 0 0 0
60181- 0 0 0 0 0 0 0 0 0 6 6 6
60182- 18 18 18 46 46 46 86 86 86 18 18 18
60183- 2 2 6 34 34 34 10 10 10 6 6 6
60184-210 210 210 253 253 253 253 253 253 253 253 253
60185-253 253 253 253 253 253 253 253 253 253 253 253
60186-253 253 253 253 253 253 234 234 234 242 242 242
60187-253 253 253 253 253 253 253 253 253 253 253 253
60188-253 253 253 253 253 253 253 253 253 253 253 253
60189-253 253 253 253 253 253 253 253 253 253 253 253
60190-253 253 253 253 253 253 253 253 253 253 253 253
60191-253 253 253 253 253 253 221 221 221 6 6 6
60192- 2 2 6 2 2 6 6 6 6 30 30 30
60193- 2 2 6 2 2 6 2 2 6 2 2 6
60194- 2 2 6 82 82 82 54 54 54 18 18 18
60195- 6 6 6 0 0 0 0 0 0 0 0 0
60196- 0 0 0 0 0 0 0 0 0 0 0 0
60197- 0 0 0 0 0 0 0 0 0 0 0 0
60198- 0 0 0 0 0 0 0 0 0 0 0 0
60199- 0 0 0 0 0 0 0 0 0 0 0 0
60200- 0 0 0 0 0 0 0 0 0 0 0 0
60201- 0 0 0 0 0 0 0 0 0 10 10 10
60202- 26 26 26 66 66 66 62 62 62 2 2 6
60203- 2 2 6 38 38 38 10 10 10 26 26 26
60204-238 238 238 253 253 253 253 253 253 253 253 253
60205-253 253 253 253 253 253 253 253 253 253 253 253
60206-253 253 253 253 253 253 231 231 231 238 238 238
60207-253 253 253 253 253 253 253 253 253 253 253 253
60208-253 253 253 253 253 253 253 253 253 253 253 253
60209-253 253 253 253 253 253 253 253 253 253 253 253
60210-253 253 253 253 253 253 253 253 253 253 253 253
60211-253 253 253 253 253 253 231 231 231 6 6 6
60212- 2 2 6 2 2 6 10 10 10 30 30 30
60213- 2 2 6 2 2 6 2 2 6 2 2 6
60214- 2 2 6 66 66 66 58 58 58 22 22 22
60215- 6 6 6 0 0 0 0 0 0 0 0 0
60216- 0 0 0 0 0 0 0 0 0 0 0 0
60217- 0 0 0 0 0 0 0 0 0 0 0 0
60218- 0 0 0 0 0 0 0 0 0 0 0 0
60219- 0 0 0 0 0 0 0 0 0 0 0 0
60220- 0 0 0 0 0 0 0 0 0 0 0 0
60221- 0 0 0 0 0 0 0 0 0 10 10 10
60222- 38 38 38 78 78 78 6 6 6 2 2 6
60223- 2 2 6 46 46 46 14 14 14 42 42 42
60224-246 246 246 253 253 253 253 253 253 253 253 253
60225-253 253 253 253 253 253 253 253 253 253 253 253
60226-253 253 253 253 253 253 231 231 231 242 242 242
60227-253 253 253 253 253 253 253 253 253 253 253 253
60228-253 253 253 253 253 253 253 253 253 253 253 253
60229-253 253 253 253 253 253 253 253 253 253 253 253
60230-253 253 253 253 253 253 253 253 253 253 253 253
60231-253 253 253 253 253 253 234 234 234 10 10 10
60232- 2 2 6 2 2 6 22 22 22 14 14 14
60233- 2 2 6 2 2 6 2 2 6 2 2 6
60234- 2 2 6 66 66 66 62 62 62 22 22 22
60235- 6 6 6 0 0 0 0 0 0 0 0 0
60236- 0 0 0 0 0 0 0 0 0 0 0 0
60237- 0 0 0 0 0 0 0 0 0 0 0 0
60238- 0 0 0 0 0 0 0 0 0 0 0 0
60239- 0 0 0 0 0 0 0 0 0 0 0 0
60240- 0 0 0 0 0 0 0 0 0 0 0 0
60241- 0 0 0 0 0 0 6 6 6 18 18 18
60242- 50 50 50 74 74 74 2 2 6 2 2 6
60243- 14 14 14 70 70 70 34 34 34 62 62 62
60244-250 250 250 253 253 253 253 253 253 253 253 253
60245-253 253 253 253 253 253 253 253 253 253 253 253
60246-253 253 253 253 253 253 231 231 231 246 246 246
60247-253 253 253 253 253 253 253 253 253 253 253 253
60248-253 253 253 253 253 253 253 253 253 253 253 253
60249-253 253 253 253 253 253 253 253 253 253 253 253
60250-253 253 253 253 253 253 253 253 253 253 253 253
60251-253 253 253 253 253 253 234 234 234 14 14 14
60252- 2 2 6 2 2 6 30 30 30 2 2 6
60253- 2 2 6 2 2 6 2 2 6 2 2 6
60254- 2 2 6 66 66 66 62 62 62 22 22 22
60255- 6 6 6 0 0 0 0 0 0 0 0 0
60256- 0 0 0 0 0 0 0 0 0 0 0 0
60257- 0 0 0 0 0 0 0 0 0 0 0 0
60258- 0 0 0 0 0 0 0 0 0 0 0 0
60259- 0 0 0 0 0 0 0 0 0 0 0 0
60260- 0 0 0 0 0 0 0 0 0 0 0 0
60261- 0 0 0 0 0 0 6 6 6 18 18 18
60262- 54 54 54 62 62 62 2 2 6 2 2 6
60263- 2 2 6 30 30 30 46 46 46 70 70 70
60264-250 250 250 253 253 253 253 253 253 253 253 253
60265-253 253 253 253 253 253 253 253 253 253 253 253
60266-253 253 253 253 253 253 231 231 231 246 246 246
60267-253 253 253 253 253 253 253 253 253 253 253 253
60268-253 253 253 253 253 253 253 253 253 253 253 253
60269-253 253 253 253 253 253 253 253 253 253 253 253
60270-253 253 253 253 253 253 253 253 253 253 253 253
60271-253 253 253 253 253 253 226 226 226 10 10 10
60272- 2 2 6 6 6 6 30 30 30 2 2 6
60273- 2 2 6 2 2 6 2 2 6 2 2 6
60274- 2 2 6 66 66 66 58 58 58 22 22 22
60275- 6 6 6 0 0 0 0 0 0 0 0 0
60276- 0 0 0 0 0 0 0 0 0 0 0 0
60277- 0 0 0 0 0 0 0 0 0 0 0 0
60278- 0 0 0 0 0 0 0 0 0 0 0 0
60279- 0 0 0 0 0 0 0 0 0 0 0 0
60280- 0 0 0 0 0 0 0 0 0 0 0 0
60281- 0 0 0 0 0 0 6 6 6 22 22 22
60282- 58 58 58 62 62 62 2 2 6 2 2 6
60283- 2 2 6 2 2 6 30 30 30 78 78 78
60284-250 250 250 253 253 253 253 253 253 253 253 253
60285-253 253 253 253 253 253 253 253 253 253 253 253
60286-253 253 253 253 253 253 231 231 231 246 246 246
60287-253 253 253 253 253 253 253 253 253 253 253 253
60288-253 253 253 253 253 253 253 253 253 253 253 253
60289-253 253 253 253 253 253 253 253 253 253 253 253
60290-253 253 253 253 253 253 253 253 253 253 253 253
60291-253 253 253 253 253 253 206 206 206 2 2 6
60292- 22 22 22 34 34 34 18 14 6 22 22 22
60293- 26 26 26 18 18 18 6 6 6 2 2 6
60294- 2 2 6 82 82 82 54 54 54 18 18 18
60295- 6 6 6 0 0 0 0 0 0 0 0 0
60296- 0 0 0 0 0 0 0 0 0 0 0 0
60297- 0 0 0 0 0 0 0 0 0 0 0 0
60298- 0 0 0 0 0 0 0 0 0 0 0 0
60299- 0 0 0 0 0 0 0 0 0 0 0 0
60300- 0 0 0 0 0 0 0 0 0 0 0 0
60301- 0 0 0 0 0 0 6 6 6 26 26 26
60302- 62 62 62 106 106 106 74 54 14 185 133 11
60303-210 162 10 121 92 8 6 6 6 62 62 62
60304-238 238 238 253 253 253 253 253 253 253 253 253
60305-253 253 253 253 253 253 253 253 253 253 253 253
60306-253 253 253 253 253 253 231 231 231 246 246 246
60307-253 253 253 253 253 253 253 253 253 253 253 253
60308-253 253 253 253 253 253 253 253 253 253 253 253
60309-253 253 253 253 253 253 253 253 253 253 253 253
60310-253 253 253 253 253 253 253 253 253 253 253 253
60311-253 253 253 253 253 253 158 158 158 18 18 18
60312- 14 14 14 2 2 6 2 2 6 2 2 6
60313- 6 6 6 18 18 18 66 66 66 38 38 38
60314- 6 6 6 94 94 94 50 50 50 18 18 18
60315- 6 6 6 0 0 0 0 0 0 0 0 0
60316- 0 0 0 0 0 0 0 0 0 0 0 0
60317- 0 0 0 0 0 0 0 0 0 0 0 0
60318- 0 0 0 0 0 0 0 0 0 0 0 0
60319- 0 0 0 0 0 0 0 0 0 0 0 0
60320- 0 0 0 0 0 0 0 0 0 6 6 6
60321- 10 10 10 10 10 10 18 18 18 38 38 38
60322- 78 78 78 142 134 106 216 158 10 242 186 14
60323-246 190 14 246 190 14 156 118 10 10 10 10
60324- 90 90 90 238 238 238 253 253 253 253 253 253
60325-253 253 253 253 253 253 253 253 253 253 253 253
60326-253 253 253 253 253 253 231 231 231 250 250 250
60327-253 253 253 253 253 253 253 253 253 253 253 253
60328-253 253 253 253 253 253 253 253 253 253 253 253
60329-253 253 253 253 253 253 253 253 253 253 253 253
60330-253 253 253 253 253 253 253 253 253 246 230 190
60331-238 204 91 238 204 91 181 142 44 37 26 9
60332- 2 2 6 2 2 6 2 2 6 2 2 6
60333- 2 2 6 2 2 6 38 38 38 46 46 46
60334- 26 26 26 106 106 106 54 54 54 18 18 18
60335- 6 6 6 0 0 0 0 0 0 0 0 0
60336- 0 0 0 0 0 0 0 0 0 0 0 0
60337- 0 0 0 0 0 0 0 0 0 0 0 0
60338- 0 0 0 0 0 0 0 0 0 0 0 0
60339- 0 0 0 0 0 0 0 0 0 0 0 0
60340- 0 0 0 6 6 6 14 14 14 22 22 22
60341- 30 30 30 38 38 38 50 50 50 70 70 70
60342-106 106 106 190 142 34 226 170 11 242 186 14
60343-246 190 14 246 190 14 246 190 14 154 114 10
60344- 6 6 6 74 74 74 226 226 226 253 253 253
60345-253 253 253 253 253 253 253 253 253 253 253 253
60346-253 253 253 253 253 253 231 231 231 250 250 250
60347-253 253 253 253 253 253 253 253 253 253 253 253
60348-253 253 253 253 253 253 253 253 253 253 253 253
60349-253 253 253 253 253 253 253 253 253 253 253 253
60350-253 253 253 253 253 253 253 253 253 228 184 62
60351-241 196 14 241 208 19 232 195 16 38 30 10
60352- 2 2 6 2 2 6 2 2 6 2 2 6
60353- 2 2 6 6 6 6 30 30 30 26 26 26
60354-203 166 17 154 142 90 66 66 66 26 26 26
60355- 6 6 6 0 0 0 0 0 0 0 0 0
60356- 0 0 0 0 0 0 0 0 0 0 0 0
60357- 0 0 0 0 0 0 0 0 0 0 0 0
60358- 0 0 0 0 0 0 0 0 0 0 0 0
60359- 0 0 0 0 0 0 0 0 0 0 0 0
60360- 6 6 6 18 18 18 38 38 38 58 58 58
60361- 78 78 78 86 86 86 101 101 101 123 123 123
60362-175 146 61 210 150 10 234 174 13 246 186 14
60363-246 190 14 246 190 14 246 190 14 238 190 10
60364-102 78 10 2 2 6 46 46 46 198 198 198
60365-253 253 253 253 253 253 253 253 253 253 253 253
60366-253 253 253 253 253 253 234 234 234 242 242 242
60367-253 253 253 253 253 253 253 253 253 253 253 253
60368-253 253 253 253 253 253 253 253 253 253 253 253
60369-253 253 253 253 253 253 253 253 253 253 253 253
60370-253 253 253 253 253 253 253 253 253 224 178 62
60371-242 186 14 241 196 14 210 166 10 22 18 6
60372- 2 2 6 2 2 6 2 2 6 2 2 6
60373- 2 2 6 2 2 6 6 6 6 121 92 8
60374-238 202 15 232 195 16 82 82 82 34 34 34
60375- 10 10 10 0 0 0 0 0 0 0 0 0
60376- 0 0 0 0 0 0 0 0 0 0 0 0
60377- 0 0 0 0 0 0 0 0 0 0 0 0
60378- 0 0 0 0 0 0 0 0 0 0 0 0
60379- 0 0 0 0 0 0 0 0 0 0 0 0
60380- 14 14 14 38 38 38 70 70 70 154 122 46
60381-190 142 34 200 144 11 197 138 11 197 138 11
60382-213 154 11 226 170 11 242 186 14 246 190 14
60383-246 190 14 246 190 14 246 190 14 246 190 14
60384-225 175 15 46 32 6 2 2 6 22 22 22
60385-158 158 158 250 250 250 253 253 253 253 253 253
60386-253 253 253 253 253 253 253 253 253 253 253 253
60387-253 253 253 253 253 253 253 253 253 253 253 253
60388-253 253 253 253 253 253 253 253 253 253 253 253
60389-253 253 253 253 253 253 253 253 253 253 253 253
60390-253 253 253 250 250 250 242 242 242 224 178 62
60391-239 182 13 236 186 11 213 154 11 46 32 6
60392- 2 2 6 2 2 6 2 2 6 2 2 6
60393- 2 2 6 2 2 6 61 42 6 225 175 15
60394-238 190 10 236 186 11 112 100 78 42 42 42
60395- 14 14 14 0 0 0 0 0 0 0 0 0
60396- 0 0 0 0 0 0 0 0 0 0 0 0
60397- 0 0 0 0 0 0 0 0 0 0 0 0
60398- 0 0 0 0 0 0 0 0 0 0 0 0
60399- 0 0 0 0 0 0 0 0 0 6 6 6
60400- 22 22 22 54 54 54 154 122 46 213 154 11
60401-226 170 11 230 174 11 226 170 11 226 170 11
60402-236 178 12 242 186 14 246 190 14 246 190 14
60403-246 190 14 246 190 14 246 190 14 246 190 14
60404-241 196 14 184 144 12 10 10 10 2 2 6
60405- 6 6 6 116 116 116 242 242 242 253 253 253
60406-253 253 253 253 253 253 253 253 253 253 253 253
60407-253 253 253 253 253 253 253 253 253 253 253 253
60408-253 253 253 253 253 253 253 253 253 253 253 253
60409-253 253 253 253 253 253 253 253 253 253 253 253
60410-253 253 253 231 231 231 198 198 198 214 170 54
60411-236 178 12 236 178 12 210 150 10 137 92 6
60412- 18 14 6 2 2 6 2 2 6 2 2 6
60413- 6 6 6 70 47 6 200 144 11 236 178 12
60414-239 182 13 239 182 13 124 112 88 58 58 58
60415- 22 22 22 6 6 6 0 0 0 0 0 0
60416- 0 0 0 0 0 0 0 0 0 0 0 0
60417- 0 0 0 0 0 0 0 0 0 0 0 0
60418- 0 0 0 0 0 0 0 0 0 0 0 0
60419- 0 0 0 0 0 0 0 0 0 10 10 10
60420- 30 30 30 70 70 70 180 133 36 226 170 11
60421-239 182 13 242 186 14 242 186 14 246 186 14
60422-246 190 14 246 190 14 246 190 14 246 190 14
60423-246 190 14 246 190 14 246 190 14 246 190 14
60424-246 190 14 232 195 16 98 70 6 2 2 6
60425- 2 2 6 2 2 6 66 66 66 221 221 221
60426-253 253 253 253 253 253 253 253 253 253 253 253
60427-253 253 253 253 253 253 253 253 253 253 253 253
60428-253 253 253 253 253 253 253 253 253 253 253 253
60429-253 253 253 253 253 253 253 253 253 253 253 253
60430-253 253 253 206 206 206 198 198 198 214 166 58
60431-230 174 11 230 174 11 216 158 10 192 133 9
60432-163 110 8 116 81 8 102 78 10 116 81 8
60433-167 114 7 197 138 11 226 170 11 239 182 13
60434-242 186 14 242 186 14 162 146 94 78 78 78
60435- 34 34 34 14 14 14 6 6 6 0 0 0
60436- 0 0 0 0 0 0 0 0 0 0 0 0
60437- 0 0 0 0 0 0 0 0 0 0 0 0
60438- 0 0 0 0 0 0 0 0 0 0 0 0
60439- 0 0 0 0 0 0 0 0 0 6 6 6
60440- 30 30 30 78 78 78 190 142 34 226 170 11
60441-239 182 13 246 190 14 246 190 14 246 190 14
60442-246 190 14 246 190 14 246 190 14 246 190 14
60443-246 190 14 246 190 14 246 190 14 246 190 14
60444-246 190 14 241 196 14 203 166 17 22 18 6
60445- 2 2 6 2 2 6 2 2 6 38 38 38
60446-218 218 218 253 253 253 253 253 253 253 253 253
60447-253 253 253 253 253 253 253 253 253 253 253 253
60448-253 253 253 253 253 253 253 253 253 253 253 253
60449-253 253 253 253 253 253 253 253 253 253 253 253
60450-250 250 250 206 206 206 198 198 198 202 162 69
60451-226 170 11 236 178 12 224 166 10 210 150 10
60452-200 144 11 197 138 11 192 133 9 197 138 11
60453-210 150 10 226 170 11 242 186 14 246 190 14
60454-246 190 14 246 186 14 225 175 15 124 112 88
60455- 62 62 62 30 30 30 14 14 14 6 6 6
60456- 0 0 0 0 0 0 0 0 0 0 0 0
60457- 0 0 0 0 0 0 0 0 0 0 0 0
60458- 0 0 0 0 0 0 0 0 0 0 0 0
60459- 0 0 0 0 0 0 0 0 0 10 10 10
60460- 30 30 30 78 78 78 174 135 50 224 166 10
60461-239 182 13 246 190 14 246 190 14 246 190 14
60462-246 190 14 246 190 14 246 190 14 246 190 14
60463-246 190 14 246 190 14 246 190 14 246 190 14
60464-246 190 14 246 190 14 241 196 14 139 102 15
60465- 2 2 6 2 2 6 2 2 6 2 2 6
60466- 78 78 78 250 250 250 253 253 253 253 253 253
60467-253 253 253 253 253 253 253 253 253 253 253 253
60468-253 253 253 253 253 253 253 253 253 253 253 253
60469-253 253 253 253 253 253 253 253 253 253 253 253
60470-250 250 250 214 214 214 198 198 198 190 150 46
60471-219 162 10 236 178 12 234 174 13 224 166 10
60472-216 158 10 213 154 11 213 154 11 216 158 10
60473-226 170 11 239 182 13 246 190 14 246 190 14
60474-246 190 14 246 190 14 242 186 14 206 162 42
60475-101 101 101 58 58 58 30 30 30 14 14 14
60476- 6 6 6 0 0 0 0 0 0 0 0 0
60477- 0 0 0 0 0 0 0 0 0 0 0 0
60478- 0 0 0 0 0 0 0 0 0 0 0 0
60479- 0 0 0 0 0 0 0 0 0 10 10 10
60480- 30 30 30 74 74 74 174 135 50 216 158 10
60481-236 178 12 246 190 14 246 190 14 246 190 14
60482-246 190 14 246 190 14 246 190 14 246 190 14
60483-246 190 14 246 190 14 246 190 14 246 190 14
60484-246 190 14 246 190 14 241 196 14 226 184 13
60485- 61 42 6 2 2 6 2 2 6 2 2 6
60486- 22 22 22 238 238 238 253 253 253 253 253 253
60487-253 253 253 253 253 253 253 253 253 253 253 253
60488-253 253 253 253 253 253 253 253 253 253 253 253
60489-253 253 253 253 253 253 253 253 253 253 253 253
60490-253 253 253 226 226 226 187 187 187 180 133 36
60491-216 158 10 236 178 12 239 182 13 236 178 12
60492-230 174 11 226 170 11 226 170 11 230 174 11
60493-236 178 12 242 186 14 246 190 14 246 190 14
60494-246 190 14 246 190 14 246 186 14 239 182 13
60495-206 162 42 106 106 106 66 66 66 34 34 34
60496- 14 14 14 6 6 6 0 0 0 0 0 0
60497- 0 0 0 0 0 0 0 0 0 0 0 0
60498- 0 0 0 0 0 0 0 0 0 0 0 0
60499- 0 0 0 0 0 0 0 0 0 6 6 6
60500- 26 26 26 70 70 70 163 133 67 213 154 11
60501-236 178 12 246 190 14 246 190 14 246 190 14
60502-246 190 14 246 190 14 246 190 14 246 190 14
60503-246 190 14 246 190 14 246 190 14 246 190 14
60504-246 190 14 246 190 14 246 190 14 241 196 14
60505-190 146 13 18 14 6 2 2 6 2 2 6
60506- 46 46 46 246 246 246 253 253 253 253 253 253
60507-253 253 253 253 253 253 253 253 253 253 253 253
60508-253 253 253 253 253 253 253 253 253 253 253 253
60509-253 253 253 253 253 253 253 253 253 253 253 253
60510-253 253 253 221 221 221 86 86 86 156 107 11
60511-216 158 10 236 178 12 242 186 14 246 186 14
60512-242 186 14 239 182 13 239 182 13 242 186 14
60513-242 186 14 246 186 14 246 190 14 246 190 14
60514-246 190 14 246 190 14 246 190 14 246 190 14
60515-242 186 14 225 175 15 142 122 72 66 66 66
60516- 30 30 30 10 10 10 0 0 0 0 0 0
60517- 0 0 0 0 0 0 0 0 0 0 0 0
60518- 0 0 0 0 0 0 0 0 0 0 0 0
60519- 0 0 0 0 0 0 0 0 0 6 6 6
60520- 26 26 26 70 70 70 163 133 67 210 150 10
60521-236 178 12 246 190 14 246 190 14 246 190 14
60522-246 190 14 246 190 14 246 190 14 246 190 14
60523-246 190 14 246 190 14 246 190 14 246 190 14
60524-246 190 14 246 190 14 246 190 14 246 190 14
60525-232 195 16 121 92 8 34 34 34 106 106 106
60526-221 221 221 253 253 253 253 253 253 253 253 253
60527-253 253 253 253 253 253 253 253 253 253 253 253
60528-253 253 253 253 253 253 253 253 253 253 253 253
60529-253 253 253 253 253 253 253 253 253 253 253 253
60530-242 242 242 82 82 82 18 14 6 163 110 8
60531-216 158 10 236 178 12 242 186 14 246 190 14
60532-246 190 14 246 190 14 246 190 14 246 190 14
60533-246 190 14 246 190 14 246 190 14 246 190 14
60534-246 190 14 246 190 14 246 190 14 246 190 14
60535-246 190 14 246 190 14 242 186 14 163 133 67
60536- 46 46 46 18 18 18 6 6 6 0 0 0
60537- 0 0 0 0 0 0 0 0 0 0 0 0
60538- 0 0 0 0 0 0 0 0 0 0 0 0
60539- 0 0 0 0 0 0 0 0 0 10 10 10
60540- 30 30 30 78 78 78 163 133 67 210 150 10
60541-236 178 12 246 186 14 246 190 14 246 190 14
60542-246 190 14 246 190 14 246 190 14 246 190 14
60543-246 190 14 246 190 14 246 190 14 246 190 14
60544-246 190 14 246 190 14 246 190 14 246 190 14
60545-241 196 14 215 174 15 190 178 144 253 253 253
60546-253 253 253 253 253 253 253 253 253 253 253 253
60547-253 253 253 253 253 253 253 253 253 253 253 253
60548-253 253 253 253 253 253 253 253 253 253 253 253
60549-253 253 253 253 253 253 253 253 253 218 218 218
60550- 58 58 58 2 2 6 22 18 6 167 114 7
60551-216 158 10 236 178 12 246 186 14 246 190 14
60552-246 190 14 246 190 14 246 190 14 246 190 14
60553-246 190 14 246 190 14 246 190 14 246 190 14
60554-246 190 14 246 190 14 246 190 14 246 190 14
60555-246 190 14 246 186 14 242 186 14 190 150 46
60556- 54 54 54 22 22 22 6 6 6 0 0 0
60557- 0 0 0 0 0 0 0 0 0 0 0 0
60558- 0 0 0 0 0 0 0 0 0 0 0 0
60559- 0 0 0 0 0 0 0 0 0 14 14 14
60560- 38 38 38 86 86 86 180 133 36 213 154 11
60561-236 178 12 246 186 14 246 190 14 246 190 14
60562-246 190 14 246 190 14 246 190 14 246 190 14
60563-246 190 14 246 190 14 246 190 14 246 190 14
60564-246 190 14 246 190 14 246 190 14 246 190 14
60565-246 190 14 232 195 16 190 146 13 214 214 214
60566-253 253 253 253 253 253 253 253 253 253 253 253
60567-253 253 253 253 253 253 253 253 253 253 253 253
60568-253 253 253 253 253 253 253 253 253 253 253 253
60569-253 253 253 250 250 250 170 170 170 26 26 26
60570- 2 2 6 2 2 6 37 26 9 163 110 8
60571-219 162 10 239 182 13 246 186 14 246 190 14
60572-246 190 14 246 190 14 246 190 14 246 190 14
60573-246 190 14 246 190 14 246 190 14 246 190 14
60574-246 190 14 246 190 14 246 190 14 246 190 14
60575-246 186 14 236 178 12 224 166 10 142 122 72
60576- 46 46 46 18 18 18 6 6 6 0 0 0
60577- 0 0 0 0 0 0 0 0 0 0 0 0
60578- 0 0 0 0 0 0 0 0 0 0 0 0
60579- 0 0 0 0 0 0 6 6 6 18 18 18
60580- 50 50 50 109 106 95 192 133 9 224 166 10
60581-242 186 14 246 190 14 246 190 14 246 190 14
60582-246 190 14 246 190 14 246 190 14 246 190 14
60583-246 190 14 246 190 14 246 190 14 246 190 14
60584-246 190 14 246 190 14 246 190 14 246 190 14
60585-242 186 14 226 184 13 210 162 10 142 110 46
60586-226 226 226 253 253 253 253 253 253 253 253 253
60587-253 253 253 253 253 253 253 253 253 253 253 253
60588-253 253 253 253 253 253 253 253 253 253 253 253
60589-198 198 198 66 66 66 2 2 6 2 2 6
60590- 2 2 6 2 2 6 50 34 6 156 107 11
60591-219 162 10 239 182 13 246 186 14 246 190 14
60592-246 190 14 246 190 14 246 190 14 246 190 14
60593-246 190 14 246 190 14 246 190 14 246 190 14
60594-246 190 14 246 190 14 246 190 14 242 186 14
60595-234 174 13 213 154 11 154 122 46 66 66 66
60596- 30 30 30 10 10 10 0 0 0 0 0 0
60597- 0 0 0 0 0 0 0 0 0 0 0 0
60598- 0 0 0 0 0 0 0 0 0 0 0 0
60599- 0 0 0 0 0 0 6 6 6 22 22 22
60600- 58 58 58 154 121 60 206 145 10 234 174 13
60601-242 186 14 246 186 14 246 190 14 246 190 14
60602-246 190 14 246 190 14 246 190 14 246 190 14
60603-246 190 14 246 190 14 246 190 14 246 190 14
60604-246 190 14 246 190 14 246 190 14 246 190 14
60605-246 186 14 236 178 12 210 162 10 163 110 8
60606- 61 42 6 138 138 138 218 218 218 250 250 250
60607-253 253 253 253 253 253 253 253 253 250 250 250
60608-242 242 242 210 210 210 144 144 144 66 66 66
60609- 6 6 6 2 2 6 2 2 6 2 2 6
60610- 2 2 6 2 2 6 61 42 6 163 110 8
60611-216 158 10 236 178 12 246 190 14 246 190 14
60612-246 190 14 246 190 14 246 190 14 246 190 14
60613-246 190 14 246 190 14 246 190 14 246 190 14
60614-246 190 14 239 182 13 230 174 11 216 158 10
60615-190 142 34 124 112 88 70 70 70 38 38 38
60616- 18 18 18 6 6 6 0 0 0 0 0 0
60617- 0 0 0 0 0 0 0 0 0 0 0 0
60618- 0 0 0 0 0 0 0 0 0 0 0 0
60619- 0 0 0 0 0 0 6 6 6 22 22 22
60620- 62 62 62 168 124 44 206 145 10 224 166 10
60621-236 178 12 239 182 13 242 186 14 242 186 14
60622-246 186 14 246 190 14 246 190 14 246 190 14
60623-246 190 14 246 190 14 246 190 14 246 190 14
60624-246 190 14 246 190 14 246 190 14 246 190 14
60625-246 190 14 236 178 12 216 158 10 175 118 6
60626- 80 54 7 2 2 6 6 6 6 30 30 30
60627- 54 54 54 62 62 62 50 50 50 38 38 38
60628- 14 14 14 2 2 6 2 2 6 2 2 6
60629- 2 2 6 2 2 6 2 2 6 2 2 6
60630- 2 2 6 6 6 6 80 54 7 167 114 7
60631-213 154 11 236 178 12 246 190 14 246 190 14
60632-246 190 14 246 190 14 246 190 14 246 190 14
60633-246 190 14 242 186 14 239 182 13 239 182 13
60634-230 174 11 210 150 10 174 135 50 124 112 88
60635- 82 82 82 54 54 54 34 34 34 18 18 18
60636- 6 6 6 0 0 0 0 0 0 0 0 0
60637- 0 0 0 0 0 0 0 0 0 0 0 0
60638- 0 0 0 0 0 0 0 0 0 0 0 0
60639- 0 0 0 0 0 0 6 6 6 18 18 18
60640- 50 50 50 158 118 36 192 133 9 200 144 11
60641-216 158 10 219 162 10 224 166 10 226 170 11
60642-230 174 11 236 178 12 239 182 13 239 182 13
60643-242 186 14 246 186 14 246 190 14 246 190 14
60644-246 190 14 246 190 14 246 190 14 246 190 14
60645-246 186 14 230 174 11 210 150 10 163 110 8
60646-104 69 6 10 10 10 2 2 6 2 2 6
60647- 2 2 6 2 2 6 2 2 6 2 2 6
60648- 2 2 6 2 2 6 2 2 6 2 2 6
60649- 2 2 6 2 2 6 2 2 6 2 2 6
60650- 2 2 6 6 6 6 91 60 6 167 114 7
60651-206 145 10 230 174 11 242 186 14 246 190 14
60652-246 190 14 246 190 14 246 186 14 242 186 14
60653-239 182 13 230 174 11 224 166 10 213 154 11
60654-180 133 36 124 112 88 86 86 86 58 58 58
60655- 38 38 38 22 22 22 10 10 10 6 6 6
60656- 0 0 0 0 0 0 0 0 0 0 0 0
60657- 0 0 0 0 0 0 0 0 0 0 0 0
60658- 0 0 0 0 0 0 0 0 0 0 0 0
60659- 0 0 0 0 0 0 0 0 0 14 14 14
60660- 34 34 34 70 70 70 138 110 50 158 118 36
60661-167 114 7 180 123 7 192 133 9 197 138 11
60662-200 144 11 206 145 10 213 154 11 219 162 10
60663-224 166 10 230 174 11 239 182 13 242 186 14
60664-246 186 14 246 186 14 246 186 14 246 186 14
60665-239 182 13 216 158 10 185 133 11 152 99 6
60666-104 69 6 18 14 6 2 2 6 2 2 6
60667- 2 2 6 2 2 6 2 2 6 2 2 6
60668- 2 2 6 2 2 6 2 2 6 2 2 6
60669- 2 2 6 2 2 6 2 2 6 2 2 6
60670- 2 2 6 6 6 6 80 54 7 152 99 6
60671-192 133 9 219 162 10 236 178 12 239 182 13
60672-246 186 14 242 186 14 239 182 13 236 178 12
60673-224 166 10 206 145 10 192 133 9 154 121 60
60674- 94 94 94 62 62 62 42 42 42 22 22 22
60675- 14 14 14 6 6 6 0 0 0 0 0 0
60676- 0 0 0 0 0 0 0 0 0 0 0 0
60677- 0 0 0 0 0 0 0 0 0 0 0 0
60678- 0 0 0 0 0 0 0 0 0 0 0 0
60679- 0 0 0 0 0 0 0 0 0 6 6 6
60680- 18 18 18 34 34 34 58 58 58 78 78 78
60681-101 98 89 124 112 88 142 110 46 156 107 11
60682-163 110 8 167 114 7 175 118 6 180 123 7
60683-185 133 11 197 138 11 210 150 10 219 162 10
60684-226 170 11 236 178 12 236 178 12 234 174 13
60685-219 162 10 197 138 11 163 110 8 130 83 6
60686- 91 60 6 10 10 10 2 2 6 2 2 6
60687- 18 18 18 38 38 38 38 38 38 38 38 38
60688- 38 38 38 38 38 38 38 38 38 38 38 38
60689- 38 38 38 38 38 38 26 26 26 2 2 6
60690- 2 2 6 6 6 6 70 47 6 137 92 6
60691-175 118 6 200 144 11 219 162 10 230 174 11
60692-234 174 13 230 174 11 219 162 10 210 150 10
60693-192 133 9 163 110 8 124 112 88 82 82 82
60694- 50 50 50 30 30 30 14 14 14 6 6 6
60695- 0 0 0 0 0 0 0 0 0 0 0 0
60696- 0 0 0 0 0 0 0 0 0 0 0 0
60697- 0 0 0 0 0 0 0 0 0 0 0 0
60698- 0 0 0 0 0 0 0 0 0 0 0 0
60699- 0 0 0 0 0 0 0 0 0 0 0 0
60700- 6 6 6 14 14 14 22 22 22 34 34 34
60701- 42 42 42 58 58 58 74 74 74 86 86 86
60702-101 98 89 122 102 70 130 98 46 121 87 25
60703-137 92 6 152 99 6 163 110 8 180 123 7
60704-185 133 11 197 138 11 206 145 10 200 144 11
60705-180 123 7 156 107 11 130 83 6 104 69 6
60706- 50 34 6 54 54 54 110 110 110 101 98 89
60707- 86 86 86 82 82 82 78 78 78 78 78 78
60708- 78 78 78 78 78 78 78 78 78 78 78 78
60709- 78 78 78 82 82 82 86 86 86 94 94 94
60710-106 106 106 101 101 101 86 66 34 124 80 6
60711-156 107 11 180 123 7 192 133 9 200 144 11
60712-206 145 10 200 144 11 192 133 9 175 118 6
60713-139 102 15 109 106 95 70 70 70 42 42 42
60714- 22 22 22 10 10 10 0 0 0 0 0 0
60715- 0 0 0 0 0 0 0 0 0 0 0 0
60716- 0 0 0 0 0 0 0 0 0 0 0 0
60717- 0 0 0 0 0 0 0 0 0 0 0 0
60718- 0 0 0 0 0 0 0 0 0 0 0 0
60719- 0 0 0 0 0 0 0 0 0 0 0 0
60720- 0 0 0 0 0 0 6 6 6 10 10 10
60721- 14 14 14 22 22 22 30 30 30 38 38 38
60722- 50 50 50 62 62 62 74 74 74 90 90 90
60723-101 98 89 112 100 78 121 87 25 124 80 6
60724-137 92 6 152 99 6 152 99 6 152 99 6
60725-138 86 6 124 80 6 98 70 6 86 66 30
60726-101 98 89 82 82 82 58 58 58 46 46 46
60727- 38 38 38 34 34 34 34 34 34 34 34 34
60728- 34 34 34 34 34 34 34 34 34 34 34 34
60729- 34 34 34 34 34 34 38 38 38 42 42 42
60730- 54 54 54 82 82 82 94 86 76 91 60 6
60731-134 86 6 156 107 11 167 114 7 175 118 6
60732-175 118 6 167 114 7 152 99 6 121 87 25
60733-101 98 89 62 62 62 34 34 34 18 18 18
60734- 6 6 6 0 0 0 0 0 0 0 0 0
60735- 0 0 0 0 0 0 0 0 0 0 0 0
60736- 0 0 0 0 0 0 0 0 0 0 0 0
60737- 0 0 0 0 0 0 0 0 0 0 0 0
60738- 0 0 0 0 0 0 0 0 0 0 0 0
60739- 0 0 0 0 0 0 0 0 0 0 0 0
60740- 0 0 0 0 0 0 0 0 0 0 0 0
60741- 0 0 0 6 6 6 6 6 6 10 10 10
60742- 18 18 18 22 22 22 30 30 30 42 42 42
60743- 50 50 50 66 66 66 86 86 86 101 98 89
60744-106 86 58 98 70 6 104 69 6 104 69 6
60745-104 69 6 91 60 6 82 62 34 90 90 90
60746- 62 62 62 38 38 38 22 22 22 14 14 14
60747- 10 10 10 10 10 10 10 10 10 10 10 10
60748- 10 10 10 10 10 10 6 6 6 10 10 10
60749- 10 10 10 10 10 10 10 10 10 14 14 14
60750- 22 22 22 42 42 42 70 70 70 89 81 66
60751- 80 54 7 104 69 6 124 80 6 137 92 6
60752-134 86 6 116 81 8 100 82 52 86 86 86
60753- 58 58 58 30 30 30 14 14 14 6 6 6
60754- 0 0 0 0 0 0 0 0 0 0 0 0
60755- 0 0 0 0 0 0 0 0 0 0 0 0
60756- 0 0 0 0 0 0 0 0 0 0 0 0
60757- 0 0 0 0 0 0 0 0 0 0 0 0
60758- 0 0 0 0 0 0 0 0 0 0 0 0
60759- 0 0 0 0 0 0 0 0 0 0 0 0
60760- 0 0 0 0 0 0 0 0 0 0 0 0
60761- 0 0 0 0 0 0 0 0 0 0 0 0
60762- 0 0 0 6 6 6 10 10 10 14 14 14
60763- 18 18 18 26 26 26 38 38 38 54 54 54
60764- 70 70 70 86 86 86 94 86 76 89 81 66
60765- 89 81 66 86 86 86 74 74 74 50 50 50
60766- 30 30 30 14 14 14 6 6 6 0 0 0
60767- 0 0 0 0 0 0 0 0 0 0 0 0
60768- 0 0 0 0 0 0 0 0 0 0 0 0
60769- 0 0 0 0 0 0 0 0 0 0 0 0
60770- 6 6 6 18 18 18 34 34 34 58 58 58
60771- 82 82 82 89 81 66 89 81 66 89 81 66
60772- 94 86 66 94 86 76 74 74 74 50 50 50
60773- 26 26 26 14 14 14 6 6 6 0 0 0
60774- 0 0 0 0 0 0 0 0 0 0 0 0
60775- 0 0 0 0 0 0 0 0 0 0 0 0
60776- 0 0 0 0 0 0 0 0 0 0 0 0
60777- 0 0 0 0 0 0 0 0 0 0 0 0
60778- 0 0 0 0 0 0 0 0 0 0 0 0
60779- 0 0 0 0 0 0 0 0 0 0 0 0
60780- 0 0 0 0 0 0 0 0 0 0 0 0
60781- 0 0 0 0 0 0 0 0 0 0 0 0
60782- 0 0 0 0 0 0 0 0 0 0 0 0
60783- 6 6 6 6 6 6 14 14 14 18 18 18
60784- 30 30 30 38 38 38 46 46 46 54 54 54
60785- 50 50 50 42 42 42 30 30 30 18 18 18
60786- 10 10 10 0 0 0 0 0 0 0 0 0
60787- 0 0 0 0 0 0 0 0 0 0 0 0
60788- 0 0 0 0 0 0 0 0 0 0 0 0
60789- 0 0 0 0 0 0 0 0 0 0 0 0
60790- 0 0 0 6 6 6 14 14 14 26 26 26
60791- 38 38 38 50 50 50 58 58 58 58 58 58
60792- 54 54 54 42 42 42 30 30 30 18 18 18
60793- 10 10 10 0 0 0 0 0 0 0 0 0
60794- 0 0 0 0 0 0 0 0 0 0 0 0
60795- 0 0 0 0 0 0 0 0 0 0 0 0
60796- 0 0 0 0 0 0 0 0 0 0 0 0
60797- 0 0 0 0 0 0 0 0 0 0 0 0
60798- 0 0 0 0 0 0 0 0 0 0 0 0
60799- 0 0 0 0 0 0 0 0 0 0 0 0
60800- 0 0 0 0 0 0 0 0 0 0 0 0
60801- 0 0 0 0 0 0 0 0 0 0 0 0
60802- 0 0 0 0 0 0 0 0 0 0 0 0
60803- 0 0 0 0 0 0 0 0 0 6 6 6
60804- 6 6 6 10 10 10 14 14 14 18 18 18
60805- 18 18 18 14 14 14 10 10 10 6 6 6
60806- 0 0 0 0 0 0 0 0 0 0 0 0
60807- 0 0 0 0 0 0 0 0 0 0 0 0
60808- 0 0 0 0 0 0 0 0 0 0 0 0
60809- 0 0 0 0 0 0 0 0 0 0 0 0
60810- 0 0 0 0 0 0 0 0 0 6 6 6
60811- 14 14 14 18 18 18 22 22 22 22 22 22
60812- 18 18 18 14 14 14 10 10 10 6 6 6
60813- 0 0 0 0 0 0 0 0 0 0 0 0
60814- 0 0 0 0 0 0 0 0 0 0 0 0
60815- 0 0 0 0 0 0 0 0 0 0 0 0
60816- 0 0 0 0 0 0 0 0 0 0 0 0
60817- 0 0 0 0 0 0 0 0 0 0 0 0
60818+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60819+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60820+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60821+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60822+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60823+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60824+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60825+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60826+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60827+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60828+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60829+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60830+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60831+4 4 4 4 4 4
60832+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60833+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60834+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60835+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60836+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60837+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60838+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60839+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60840+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60841+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60842+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60843+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60844+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60845+4 4 4 4 4 4
60846+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60847+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60848+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60849+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60850+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60851+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60852+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60853+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60854+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60855+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60856+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60857+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60858+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60859+4 4 4 4 4 4
60860+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60861+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60862+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60863+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60864+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60865+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60866+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60867+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60868+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60869+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60870+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60871+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60872+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60873+4 4 4 4 4 4
60874+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60875+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60876+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60877+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60878+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60879+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60880+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60881+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60882+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60883+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60884+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60885+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60886+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60887+4 4 4 4 4 4
60888+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60889+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60890+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60891+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60892+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60893+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60894+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60895+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60896+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60897+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60898+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60899+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60900+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60901+4 4 4 4 4 4
60902+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60903+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60904+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60905+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60906+4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
60907+0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
60908+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60909+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60910+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60911+4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
60912+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
60913+4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
60914+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60915+4 4 4 4 4 4
60916+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60917+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60918+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60919+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60920+4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
60921+37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
60922+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60923+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60924+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60925+4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
60926+2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
60927+4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
60928+1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60929+4 4 4 4 4 4
60930+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60931+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60932+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60933+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60934+2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
60935+153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
60936+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
60937+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60938+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60939+4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
60940+60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
60941+4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
60942+2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
60943+4 4 4 4 4 4
60944+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60945+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60946+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60947+4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
60948+4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
60949+165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
60950+1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
60951+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60952+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
60953+3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
60954+163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
60955+0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
60956+37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
60957+4 4 4 4 4 4
60958+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60959+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60960+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60961+4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
60962+37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
60963+156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
60964+125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
60965+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
60966+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
60967+0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
60968+174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
60969+0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
60970+64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
60971+4 4 4 4 4 4
60972+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60973+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60974+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
60975+5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
60976+156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
60977+156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
60978+174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
60979+1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
60980+4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
60981+13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
60982+174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
60983+22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
60984+90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
60985+4 4 4 4 4 4
60986+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60987+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60988+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
60989+0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
60990+174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
60991+156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
60992+163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
60993+4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
60994+5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
60995+131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
60996+190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
60997+90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
60998+31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
60999+4 4 4 4 4 4
61000+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61001+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61002+4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
61003+4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
61004+155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
61005+167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
61006+153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
61007+41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
61008+1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
61009+177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
61010+125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
61011+136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
61012+7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
61013+4 4 4 4 4 4
61014+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61015+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61016+4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
61017+125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
61018+156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
61019+137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
61020+156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
61021+167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
61022+0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
61023+166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
61024+6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
61025+90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
61026+1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
61027+4 4 4 4 4 4
61028+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61029+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61030+1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
61031+167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
61032+157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
61033+26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
61034+158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
61035+165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
61036+60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
61037+137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
61038+52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
61039+13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
61040+4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
61041+4 4 4 4 4 4
61042+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61043+4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
61044+0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
61045+158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
61046+167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
61047+4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
61048+174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
61049+155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
61050+137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
61051+16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
61052+136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
61053+2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
61054+4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
61055+4 4 4 4 4 4
61056+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61057+4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
61058+37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
61059+157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
61060+153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
61061+4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
61062+125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
61063+156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
61064+174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
61065+4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
61066+136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
61067+1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
61068+2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
61069+0 0 0 4 4 4
61070+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
61071+4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
61072+158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
61073+153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
61074+37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
61075+4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
61076+4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
61077+154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
61078+174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
61079+32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
61080+28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
61081+50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
61082+0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
61083+2 0 0 0 0 0
61084+4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
61085+0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
61086+174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
61087+165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
61088+4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
61089+4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
61090+4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
61091+174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
61092+60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
61093+136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
61094+22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
61095+136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
61096+26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
61097+37 38 37 0 0 0
61098+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
61099+13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
61100+153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
61101+177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
61102+4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
61103+5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
61104+6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
61105+166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
61106+4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
61107+146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
61108+71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
61109+90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
61110+125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
61111+85 115 134 4 0 0
61112+4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
61113+125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
61114+155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
61115+125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
61116+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
61117+0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
61118+5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
61119+37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
61120+4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
61121+90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
61122+2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
61123+13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
61124+166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
61125+60 73 81 4 0 0
61126+4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
61127+174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
61128+156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
61129+4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
61130+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
61131+10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
61132+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
61133+4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
61134+80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
61135+28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
61136+50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
61137+1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
61138+167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
61139+16 19 21 4 0 0
61140+4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
61141+158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
61142+167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
61143+4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
61144+4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
61145+80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
61146+4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
61147+3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
61148+146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
61149+68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
61150+136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
61151+24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
61152+163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
61153+4 0 0 4 3 3
61154+3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
61155+156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
61156+155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
61157+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
61158+2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
61159+136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
61160+0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
61161+0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
61162+136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
61163+28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
61164+22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
61165+137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
61166+60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
61167+3 2 2 4 4 4
61168+3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
61169+157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
61170+37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
61171+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
61172+0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
61173+101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
61174+14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
61175+22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
61176+136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
61177+17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
61178+2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
61179+166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
61180+13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
61181+4 4 4 4 4 4
61182+1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
61183+163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
61184+4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
61185+4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
61186+40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
61187+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
61188+101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
61189+136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
61190+136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
61191+136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
61192+3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
61193+174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
61194+4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
61195+4 4 4 4 4 4
61196+4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
61197+155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
61198+4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
61199+4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
61200+101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
61201+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
61202+136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
61203+136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
61204+136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
61205+90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
61206+85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
61207+167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
61208+6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
61209+5 5 5 5 5 5
61210+1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
61211+131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
61212+6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
61213+0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
61214+101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
61215+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61216+101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
61217+136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
61218+101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
61219+7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
61220+174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
61221+24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
61222+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
61223+5 5 5 4 4 4
61224+4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
61225+131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
61226+6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
61227+13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
61228+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
61229+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
61230+101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
61231+136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
61232+136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
61233+2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
61234+174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
61235+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
61236+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61237+4 4 4 4 4 4
61238+1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
61239+137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
61240+4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
61241+64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
61242+90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
61243+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61244+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61245+136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
61246+101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
61247+37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
61248+167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
61249+3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
61250+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61251+4 4 4 4 4 4
61252+4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
61253+153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
61254+4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
61255+90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
61256+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
61257+90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
61258+101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
61259+101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
61260+35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
61261+154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
61262+60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
61263+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61264+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61265+4 4 4 4 4 4
61266+1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
61267+153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
61268+4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
61269+64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
61270+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
61271+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61272+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61273+136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
61274+13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
61275+174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
61276+6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
61277+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61278+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61279+4 4 4 4 4 4
61280+4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
61281+156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
61282+4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
61283+90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
61284+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
61285+90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
61286+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
61287+101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
61288+2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
61289+174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
61290+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61291+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61292+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61293+4 4 4 4 4 4
61294+3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
61295+158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
61296+4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
61297+37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
61298+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
61299+90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
61300+101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
61301+90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
61302+5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
61303+167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
61304+6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
61305+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61306+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61307+4 4 4 4 4 4
61308+4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
61309+163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
61310+4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
61311+18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
61312+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
61313+90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
61314+101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
61315+13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
61316+3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
61317+174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
61318+4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
61319+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61320+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61321+4 4 4 4 4 4
61322+1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
61323+167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
61324+4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
61325+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
61326+26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
61327+90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
61328+101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
61329+7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
61330+4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
61331+174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
61332+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61333+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61334+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61335+4 4 4 4 4 4
61336+4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
61337+174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
61338+5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
61339+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
61340+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61341+90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
61342+101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
61343+2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
61344+3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
61345+153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
61346+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61347+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61348+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61349+4 4 4 4 4 4
61350+1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
61351+174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
61352+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
61353+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
61354+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61355+26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
61356+35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
61357+2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
61358+3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
61359+131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
61360+4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61361+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61362+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61363+4 4 4 4 4 4
61364+3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
61365+174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
61366+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
61367+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
61368+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61369+26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
61370+7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
61371+4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
61372+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
61373+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61374+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61375+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61376+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61377+4 4 4 4 4 4
61378+1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
61379+174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
61380+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
61381+18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
61382+18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
61383+26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
61384+28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
61385+3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
61386+4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61387+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61388+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61389+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61390+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61391+4 4 4 4 4 4
61392+4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
61393+174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
61394+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
61395+10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
61396+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61397+18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
61398+90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
61399+3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
61400+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
61401+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61402+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61403+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61404+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61405+4 4 4 4 4 4
61406+1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
61407+177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
61408+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
61409+10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
61410+26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
61411+6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
61412+10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
61413+2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
61414+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61415+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61416+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61417+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61418+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61419+4 4 4 4 4 4
61420+4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
61421+177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
61422+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
61423+10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
61424+26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
61425+7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
61426+3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
61427+21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
61428+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
61429+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61430+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61431+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61432+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61433+4 4 4 4 4 4
61434+3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
61435+190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
61436+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
61437+10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
61438+24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
61439+18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
61440+28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
61441+26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
61442+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61443+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61444+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61445+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61446+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61447+4 4 4 4 4 4
61448+4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
61449+190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
61450+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
61451+10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
61452+0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
61453+26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
61454+37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
61455+90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
61456+4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
61457+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61458+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61459+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61460+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61461+4 4 4 4 4 4
61462+4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
61463+193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
61464+5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
61465+10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
61466+1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
61467+26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
61468+22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
61469+26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
61470+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61471+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61472+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61473+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61474+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61475+4 4 4 4 4 4
61476+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
61477+190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
61478+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
61479+10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
61480+2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
61481+26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
61482+10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
61483+26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
61484+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
61485+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61486+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61487+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61488+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61489+4 4 4 4 4 4
61490+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
61491+193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
61492+5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
61493+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
61494+13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
61495+10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
61496+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61497+26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
61498+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61499+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61500+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61501+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61502+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61503+4 4 4 4 4 4
61504+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
61505+190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
61506+5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
61507+28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
61508+10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
61509+28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
61510+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61511+26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
61512+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
61513+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61514+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61515+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61516+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61517+4 4 4 4 4 4
61518+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
61519+193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
61520+5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
61521+4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
61522+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
61523+10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
61524+18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
61525+22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
61526+4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
61527+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61528+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61529+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61530+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61531+4 4 4 4 4 4
61532+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
61533+190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
61534+6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
61535+1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
61536+18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
61537+10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
61538+26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
61539+1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
61540+5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
61541+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61542+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61543+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61544+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61545+4 4 4 4 4 4
61546+4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
61547+193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
61548+2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
61549+4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
61550+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
61551+10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
61552+26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
61553+2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
61554+3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
61555+131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61556+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61557+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61558+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61559+4 4 4 4 4 4
61560+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
61561+193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
61562+0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
61563+4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
61564+13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
61565+10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
61566+28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
61567+4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
61568+0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
61569+125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61570+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61571+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61572+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61573+4 4 4 4 4 4
61574+4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
61575+193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
61576+120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
61577+4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
61578+4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
61579+10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
61580+4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
61581+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
61582+24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
61583+125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
61584+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61585+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61586+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61587+4 4 4 4 4 4
61588+4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
61589+174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
61590+220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
61591+3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
61592+4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
61593+10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
61594+1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
61595+5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
61596+137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
61597+125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
61598+0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61599+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61600+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61601+4 4 4 4 4 4
61602+5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
61603+193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
61604+220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
61605+4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
61606+4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
61607+22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
61608+4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61609+1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
61610+166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
61611+125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
61612+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61613+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61614+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61615+4 4 4 4 4 4
61616+4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
61617+220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
61618+205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
61619+24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
61620+4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
61621+4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
61622+4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
61623+2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
61624+156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
61625+137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
61626+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61627+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61628+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61629+4 4 4 4 4 4
61630+5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
61631+125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
61632+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
61633+193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
61634+5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
61635+1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
61636+5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
61637+60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
61638+153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
61639+125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
61640+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61641+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61642+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61643+4 4 4 4 4 4
61644+4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
61645+6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
61646+193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
61647+244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
61648+0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
61649+4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
61650+3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
61651+220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
61652+153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
61653+13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
61654+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61655+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61656+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61657+4 4 4 4 4 4
61658+5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
61659+6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
61660+244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
61661+220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
61662+3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
61663+4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
61664+0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
61665+177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
61666+158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
61667+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
61668+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61669+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61670+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61671+4 4 4 4 4 4
61672+5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
61673+6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
61674+177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
61675+220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
61676+125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
61677+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
61678+37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
61679+174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
61680+158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
61681+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61682+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61683+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61684+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61685+4 4 4 4 4 4
61686+4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
61687+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
61688+26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
61689+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
61690+244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
61691+0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
61692+177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
61693+174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
61694+60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
61695+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61696+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61697+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61698+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61699+4 4 4 4 4 4
61700+5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
61701+6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
61702+6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
61703+220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
61704+220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
61705+0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
61706+220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
61707+174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
61708+4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
61709+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61710+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61711+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61712+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61713+4 4 4 4 4 4
61714+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
61715+6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
61716+4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
61717+220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
61718+205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
61719+60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
61720+177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
61721+190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
61722+4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61723+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61724+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61725+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61726+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61727+4 4 4 4 4 4
61728+4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
61729+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
61730+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
61731+125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
61732+205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
61733+193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
61734+190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
61735+153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
61736+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61737+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61738+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61739+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61740+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61741+4 4 4 4 4 4
61742+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
61743+6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
61744+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
61745+4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
61746+205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
61747+220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
61748+174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
61749+6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
61750+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61751+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61752+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61753+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61754+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61755+4 4 4 4 4 4
61756+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
61757+5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
61758+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
61759+4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
61760+220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
61761+190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
61762+193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
61763+4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
61764+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61765+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61766+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61767+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61768+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61769+4 4 4 4 4 4
61770+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61771+4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
61772+4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
61773+6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
61774+174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
61775+193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
61776+193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
61777+6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
61778+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61779+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61780+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61781+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61782+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61783+4 4 4 4 4 4
61784+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61785+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
61786+5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
61787+5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
61788+6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
61789+193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
61790+60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
61791+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61792+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61793+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61794+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61795+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61796+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61797+4 4 4 4 4 4
61798+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61799+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61800+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
61801+5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
61802+4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
61803+193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
61804+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
61805+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61806+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61807+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61808+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61809+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61810+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61811+4 4 4 4 4 4
61812+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61813+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61814+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
61815+4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
61816+6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
61817+153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
61818+6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
61819+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61820+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61821+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61822+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61823+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61824+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61825+4 4 4 4 4 4
61826+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61827+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61828+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61829+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
61830+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
61831+24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
61832+6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
61833+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61834+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61835+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61836+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61837+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61838+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61839+4 4 4 4 4 4
61840+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61841+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61842+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61843+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
61844+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
61845+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
61846+4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
61847+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61848+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61849+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61850+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61851+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61852+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61853+4 4 4 4 4 4
61854+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61855+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61856+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61857+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
61858+5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
61859+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
61860+6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
61861+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61862+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61863+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61864+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61865+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61866+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61867+4 4 4 4 4 4
61868+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61869+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61870+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61871+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
61872+4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
61873+4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
61874+6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61875+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61876+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61877+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61878+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61879+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61880+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61881+4 4 4 4 4 4
61882+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61883+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61884+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61885+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61886+4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
61887+6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
61888+4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
61889+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61890+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61891+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61892+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61893+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61894+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61895+4 4 4 4 4 4
61896+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61897+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61898+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61899+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61900+4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
61901+4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
61902+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61903+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61904+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61905+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61906+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61907+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61908+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61909+4 4 4 4 4 4
61910+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61911+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61912+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61913+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61914+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
61915+5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
61916+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61917+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61918+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61919+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61920+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61921+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61922+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61923+4 4 4 4 4 4
61924+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61925+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61926+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61927+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61928+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
61929+5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
61930+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61931+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61932+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61933+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61934+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61935+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61936+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61937+4 4 4 4 4 4
61938diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
61939index 96093ae..b9eed29 100644
61940--- a/drivers/xen/events/events_base.c
61941+++ b/drivers/xen/events/events_base.c
61942@@ -1568,7 +1568,7 @@ void xen_irq_resume(void)
61943 restore_pirqs();
61944 }
61945
61946-static struct irq_chip xen_dynamic_chip __read_mostly = {
61947+static struct irq_chip xen_dynamic_chip = {
61948 .name = "xen-dyn",
61949
61950 .irq_disable = disable_dynirq,
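Review bot: Dropping `__read_mostly` from `xen_dynamic_chip` here, and from `xen_pirq_chip` and `xen_percpu_chip` in the two following hunks, is not explained next to the declarations, so a later cleanup could easily re-add the annotation. These structs are tables of function pointers, and the removal presumably exists so that a hardening pass can place them in read-only memory rather than the read-mostly data section; that intent is inferred, not visible in the hunks. A one-line comment above each declaration would record it, e.g. `/* no __read_mostly: keep this ops table eligible for read-only placement */`. The initializers continue outside the hunks.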
61951@@ -1582,7 +1582,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = {
61952 .irq_retrigger = retrigger_dynirq,
61953 };
61954
61955-static struct irq_chip xen_pirq_chip __read_mostly = {
61956+static struct irq_chip xen_pirq_chip = {
61957 .name = "xen-pirq",
61958
61959 .irq_startup = startup_pirq,
61960@@ -1602,7 +1602,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = {
61961 .irq_retrigger = retrigger_dynirq,
61962 };
61963
61964-static struct irq_chip xen_percpu_chip __read_mostly = {
61965+static struct irq_chip xen_percpu_chip = {
61966 .name = "xen-percpu",
61967
61968 .irq_disable = disable_dynirq,
61969diff --git a/drivers/xen/evtchn.c b/drivers/xen/evtchn.c
61970index 00f40f0..e3c0b15 100644
61971--- a/drivers/xen/evtchn.c
61972+++ b/drivers/xen/evtchn.c
61973@@ -201,8 +201,8 @@ static ssize_t evtchn_read(struct file *file, char __user *buf,
61974
61975 /* Byte lengths of two chunks. Chunk split (if any) is at ring wrap. */
61976 if (((c ^ p) & EVTCHN_RING_SIZE) != 0) {
61977- bytes1 = (EVTCHN_RING_SIZE - EVTCHN_RING_MASK(c)) *
61978- sizeof(evtchn_port_t);
61979+ bytes1 = EVTCHN_RING_SIZE - EVTCHN_RING_MASK(c);
61980+ bytes1 *= sizeof(evtchn_port_t);
61981 bytes2 = EVTCHN_RING_MASK(p) * sizeof(evtchn_port_t);
61982 } else {
61983 bytes1 = (p - c) * sizeof(evtchn_port_t);
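Review bot: Only the wrap-around `bytes1` computation is split into two statements; `bytes2` on the next line and `bytes1 = (p - c) * sizeof(evtchn_port_t);` in the else branch keep the single-expression form, and nothing says why the first one differs. If the split is meant to pass the intermediate `EVTCHN_RING_SIZE - EVTCHN_RING_MASK(c)` through the type of `bytes1` before the multiply (for example to satisfy an overflow checker; this is an assumption, the declaration of `bytes1` is outside the hunk), add a comment such as `/* two steps on purpose: element count first, then scale to bytes */`, or write the other two computations the same way. These byte counts presumably bound a later copy into the user buffer `buf`, so the arithmetic should be self-explanatory. `evtchn_read` starts and ends outside the hunk.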
61984diff --git a/drivers/xen/xenfs/xenstored.c b/drivers/xen/xenfs/xenstored.c
61985index fef20db..d28b1ab 100644
61986--- a/drivers/xen/xenfs/xenstored.c
61987+++ b/drivers/xen/xenfs/xenstored.c
61988@@ -24,7 +24,12 @@ static int xsd_release(struct inode *inode, struct file *file)
61989 static int xsd_kva_open(struct inode *inode, struct file *file)
61990 {
61991 file->private_data = (void *)kasprintf(GFP_KERNEL, "0x%p",
61992+#ifdef CONFIG_GRKERNSEC_HIDESYM
61993+ NULL);
61994+#else
61995 xen_store_interface);
61996+#endif
61997+
61998 if (!file->private_data)
61999 return -ENOMEM;
62000 return 0;
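Review bot: With `CONFIG_GRKERNSEC_HIDESYM` set, `xsd_kva_open` formats `NULL` through `"0x%p"`, which the kernel's printf likely renders as `0x` followed by `(null)` rather than a zero address, so a reader of this file gets an unparseable value instead of a clear "hidden" result; whether userspace tolerates that is not visible here. The `#ifdef` also cuts the `kasprintf` argument list in half, which is easy to break on a later edit. Selecting the value first keeps the call intact: `void *kva = IS_ENABLED(CONFIG_GRKERNSEC_HIDESYM) ? NULL : xen_store_interface;` followed by `kasprintf(GFP_KERNEL, "0x%p", kva)`, with a comment that the address is withheld to avoid exposing a kernel pointer. The function's closing brace is outside the hunk.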
62001diff --git a/firmware/Makefile b/firmware/Makefile
62002index e297e1b..aeb0982 100644
62003--- a/firmware/Makefile
62004+++ b/firmware/Makefile
62005@@ -35,9 +35,11 @@ fw-shipped-$(CONFIG_BNX2X) += bnx2x/bnx2x-e1-6.2.9.0.fw \
62006 bnx2x/bnx2x-e1h-6.2.9.0.fw \
62007 bnx2x/bnx2x-e2-6.2.9.0.fw
62008 fw-shipped-$(CONFIG_BNX2) += bnx2/bnx2-mips-09-6.2.1a.fw \
62009+ bnx2/bnx2-mips-09-6.2.1b.fw \
62010 bnx2/bnx2-rv2p-09-6.0.17.fw \
62011 bnx2/bnx2-rv2p-09ax-6.0.17.fw \
62012 bnx2/bnx2-mips-06-6.2.1.fw \
62013+ bnx2/bnx2-mips-06-6.2.3.fw \
62014 bnx2/bnx2-rv2p-06-6.0.15.fw
62015 fw-shipped-$(CONFIG_CASSINI) += sun/cassini.bin
62016 fw-shipped-$(CONFIG_CHELSIO_T3) += cxgb3/t3b_psram-1.1.0.bin \
62017diff --git a/firmware/WHENCE b/firmware/WHENCE
62018index 0c4d96d..b17700f 100644
62019--- a/firmware/WHENCE
62020+++ b/firmware/WHENCE
62021@@ -653,21 +653,23 @@ Found in hex form in kernel source.
62022 Driver: BNX2 - Broadcom NetXtremeII
62023
62024 File: bnx2/bnx2-mips-06-6.2.1.fw
62025+File: bnx2/bnx2-mips-06-6.2.3.fw
62026 File: bnx2/bnx2-rv2p-06-6.0.15.fw
62027 File: bnx2/bnx2-mips-09-6.2.1a.fw
62028+File: bnx2/bnx2-mips-09-6.2.1b.fw
62029 File: bnx2/bnx2-rv2p-09-6.0.17.fw
62030 File: bnx2/bnx2-rv2p-09ax-6.0.17.fw
62031
62032 Licence:
62033-
62034- This file contains firmware data derived from proprietary unpublished
62035- source code, Copyright (c) 2004 - 2010 Broadcom Corporation.
62036-
62037- Permission is hereby granted for the distribution of this firmware data
62038- in hexadecimal or equivalent format, provided this copyright notice is
62039- accompanying it.
62040-
62041-Found in hex form in kernel source.
62042+
62043+ This file contains firmware data derived from proprietary unpublished
62044+ source code, Copyright (c) 2004 - 2010 Broadcom Corporation.
62045+
62046+ Permission is hereby granted for the distribution of this firmware data
62047+ in hexadecimal or equivalent format, provided this copyright notice is
62048+ accompanying it.
62049+
62050+Found in hex form in kernel source.
62051
62052 --------------------------------------------------------------------------
62053
62054diff --git a/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex b/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex
62055new file mode 100644
62056index 0000000..da72bf1
62057--- /dev/null
62058+++ b/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex
62059@@ -0,0 +1,5804 @@
62060+:10000000080001180800000000004A68000000C84D
62061+:1000100000000000000000000000000008004A6826
62062+:100020000000001400004B30080000A00800000091
62063+:100030000000569400004B44080058200000008443
62064+:100040000000A1D808005694000001580000A25CEE
62065+:100050000800321008000000000072F00000A3B495
62066+:10006000000000000000000000000000080072F026
62067+:1000700000000024000116A40800049008000400F9
62068+:10008000000017D4000116C80000000000000000A6
62069+:100090000000000000000000000000000000000060
62070+:1000A000080000A80800000000003BFC00012E9C96
62071+:1000B0000000000000000000000000000000000040
62072+:1000C00000000000000000000A00004600000000E0
62073+:1000D000000000000000000D636F6D362E322E33DD
62074+:1000E0000000000006020302000000000000000300
62075+:1000F000000000C800000032000000030000000003
62076+:1001000000000000000000000000000000000000EF
62077+:1001100000000010000001360000EA600000000549
62078+:1001200000000000000000000000000000000008C7
62079+:1001300000000000000000000000000000000000BF
62080+:1001400000000000000000000000000000000000AF
62081+:10015000000000000000000000000000000000009F
62082+:10016000000000020000000000000000000000008D
62083+:10017000000000000000000000000000000000007F
62084+:10018000000000000000000000000010000000005F
62085+:10019000000000000000000000000000000000005F
62086+:1001A000000000000000000000000000000000004F
62087+:1001B000000000000000000000000000000000003F
62088+:1001C000000000000000000000000000000000002F
62089+:1001D000000000000000000000000000000000001F
62090+:1001E0000000000010000003000000000000000DEF
62091+:1001F0000000000D3C02080024424AA03C03080015
62092+:1002000024634B9CAC4000000043202B1480FFFD76
62093+:10021000244200043C1D080037BD7FFC03A0F021F0
62094+:100220003C100800261001183C1C0800279C4AA01E
62095+:100230000E000168000000000000000D27470100CB
62096+:1002400090E3000B2402001A94E5000814620028D1
62097+:10025000000020218CE200003C0308008C63004475
62098+:1002600094E60014000211C20002104030A4000203
62099+:10027000005A10212463000130A50004A446008028
62100+:100280003C010800AC23004410A000190004202BFE
62101+:100290008F4202B804410008240400013C02080017
62102+:1002A0008C420060244200013C010800AC22006046
62103+:1002B00003E00008008010218CE2002094E3001687
62104+:1002C00000002021AF4202808CE20004A743028498
62105+:1002D000AF4202883C021000AF4202B83C02080064
62106+:1002E0008C42005C244200013C010800AC22005C0E
62107+:1002F00003E00008008010212747010090E3000B75
62108+:100300002402000394E50008146200280000202164
62109+:100310008CE200003C0308008C63004494E6001467
62110+:10032000000211C20002104030A40002005A102145
62111+:100330002463000130A50004A44600803C010800AD
62112+:10034000AC23004410A000190004202B8F4202B8F7
62113+:1003500004410008240400013C0208008C420060B3
62114+:10036000244200013C010800AC22006003E00008C8
62115+:10037000008010218CE2002094E300160000202170
62116+:10038000AF4202808CE20004A7430284AF4202889D
62117+:100390003C021000AF4202B83C0208008C42005CF4
62118+:1003A000244200013C010800AC22005C03E000088C
62119+:1003B000008010218F4301002402010050620003DD
62120+:1003C000000311C20000000D000311C20002104022
62121+:1003D000005A1021A440008003E000080000102112
62122+:1003E0009362000003E00008AF80000003E0000813
62123+:1003F0000000102103E00008000010212402010089
62124+:1004000014820008000000003C0208008C4200FC3E
62125+:10041000244200013C010800AC2200FC0A0000DD7F
62126+:1004200030A200203C0208008C42008424420001DB
62127+:100430003C010800AC22008430A2002010400008DB
62128+:1004400030A300103C0208008C4201082442000145
62129+:100450003C010800AC22010803E000080000000095
62130+:1004600010600008000000003C0208008C420104FB
62131+:10047000244200013C010800AC22010403E0000812
62132+:10048000000000003C0208008C42010024420001F0
62133+:100490003C010800AC22010003E00008000000005D
62134+:1004A00027BDFFE8AFBF0010274401009483000878
62135+:1004B000306200041040001B306600028F4202B818
62136+:1004C00004410008240500013C0208008C42006041
62137+:1004D000244200013C010800AC2200600A0001290E
62138+:1004E0008FBF00108C82002094830016000028210A
62139+:1004F000AF4202808C820004A7430284AF4202888C
62140+:100500003C021000AF4202B83C0208008C42005C82
62141+:10051000244200013C010800AC22005C0A000129D1
62142+:100520008FBF001010C00006006028218F4401001A
62143+:100530000E0000CD000000000A0001282405000183
62144+:100540008F8200088F4301045043000700002821D8
62145+:100550008F4401000E0000CD000000008F42010416
62146+:10056000AF820008000028218FBF001000A01021DA
62147+:1005700003E0000827BD001827BDFFE8AFBF001447
62148+:10058000AFB00010974201083043700024022000F1
62149+:100590001062000B286220011440002F000010217F
62150+:1005A00024024000106200250000000024026000C8
62151+:1005B00010620026000010210A0001658FBF0014A0
62152+:1005C00027500100920200091040001A2403000184
62153+:1005D0003C0208008C420020104000160000182148
62154+:1005E0000E00049300000000960300083C0608007B
62155+:1005F00094C64B5E8E0400188F8200209605000C76
62156+:1006000000031C0000661825AC440000AC45000443
62157+:1006100024040001AC400008AC40000CAC400010C9
62158+:10062000AC400014AC4000180E0004B8AC43001CF1
62159+:10063000000018210A000164006010210E0003254B
62160+:10064000000000000A000164000010210E000EE905
62161+:1006500000000000000010218FBF00148FB00010B8
62162+:1006600003E0000827BD001827BDFFE0AFB2001867
62163+:100670003C036010AFBF001CAFB10014AFB000105E
62164+:100680008C6450002402FF7F3C1A800000822024EA
62165+:100690003484380C24020037AC6450003C1208004B
62166+:1006A00026524AD8AF42000824020C80AF420024F0
62167+:1006B0003C1B80083C06080024C60324024010218D
62168+:1006C0002404001D2484FFFFAC4600000481FFFDCC
62169+:1006D000244200043C020800244204B03C0108000B
62170+:1006E000AC224AE03C020800244202303C010800EF
62171+:1006F000AC224AE43C020800244201743C03080096
62172+:100700002463032C3C040800248403D83C0508001F
62173+:1007100024A538F03C010800AC224B403C02080004
62174+:10072000244202EC3C010800AC264B243C010800AA
62175+:10073000AC254B343C010800AC234B3C3C01080089
62176+:10074000AC244B443C010800AC224B483C0108005F
62177+:10075000AC234ADC3C010800AC204AE83C0108001C
62178+:10076000AC204AEC3C010800AC204AF03C010800F7
62179+:10077000AC204AF43C010800AC204AF83C010800D7
62180+:10078000AC204AFC3C010800AC204B003C010800B6
62181+:10079000AC244B043C010800AC204B083C01080091
62182+:1007A000AC204B0C3C010800AC204B103C01080075
62183+:1007B000AC204B143C010800AC204B183C01080055
62184+:1007C000AC264B1C3C010800AC264B203C01080029
62185+:1007D000AC254B303C010800AC234B380E000623FF
62186+:1007E000000000003C028000344200708C42000097
62187+:1007F000AF8200143C0308008C6300208F82000449
62188+:10080000104300043C0280000E00045BAF83000430
62189+:100810003C028000344600703C0308008C6300A05A
62190+:100820003C0208008C4200A4104300048F84001492
62191+:100830003C010800AC2300A4A743009E8CCA000022
62192+:100840003C0308008C6300BC3C0208008C4200B8EA
62193+:100850000144202300641821000040210064202B63
62194+:1008600000481021004410213C010800AC2300BCCA
62195+:100870003C010800AC2200B88F5100003222000772
62196+:100880001040FFDCAF8A00148CC600003C05080055
62197+:100890008CA500BC3C0408008C8400B800CA30233E
62198+:1008A00000A628210000102100A6302B0082202164
62199+:1008B00000862021322700013C010800AC2500BC45
62200+:1008C0003C010800AC2400B810E0001F32220002F6
62201+:1008D0008F420100AF4200208F420104AF4200A8C6
62202+:1008E0009342010B0E0000C6305000FF2E02001E86
62203+:1008F00054400004001010800E0000C90A000213CA
62204+:1009000000000000005210218C4200000040F80955
62205+:1009100000000000104000053C0240008F4301042D
62206+:100920003C026020AC4300143C024000AF4201385E
62207+:100930003C0208008C420034244200013C010800C3
62208+:10094000AC220034322200021040000E3222000499
62209+:100950008F4201400E0000C6AF4200200E000295FB
62210+:10096000000000003C024000AF4201783C02080059
62211+:100970008C420038244200013C010800AC220038BF
62212+:10098000322200041040FF983C0280008F42018018
62213+:100990000E0000C6AF4200208F43018024020F00EA
62214+:1009A00014620005000000008F420188A742009CED
62215+:1009B0000A0002483C0240009362000024030050F9
62216+:1009C000304200FF144300083C0240000E00027B4E
62217+:1009D00000000000544000043C0240000E000D7571
62218+:1009E000000000003C024000AF4201B83C02080099
62219+:1009F0008C42003C244200013C010800AC22003C37
62220+:100A00000A0001C83C0280003C0290003442000110
62221+:100A100000822025AF4400208F4200200440FFFECA
62222+:100A20000000000003E00008000000003C0280001D
62223+:100A3000344200010082202503E00008AF4400207A
62224+:100A400027BDFFE0AFB10014AFB0001000808821D7
62225+:100A5000AFBF00180E00025030B000FF9362007D5F
62226+:100A60000220202102028025A370007D8F70007477
62227+:100A70003C0280000E000259020280241600000988
62228+:100A80008FBF00188F4201F80440FFFE24020002CD
62229+:100A9000AF5101C0A34201C43C021000AF4201F8B3
62230+:100AA0008FBF00188FB100148FB0001003E0000852
62231+:100AB00027BD002027BDFFE8AFBF0010974201848B
62232+:100AC0008F440188304202001040000500002821B8
62233+:100AD0000E000FAA000000000A00028D240500018C
62234+:100AE0003C02FF0004800005008218243C02040040
62235+:100AF000506200019362003E240500018FBF001088
62236+:100B000000A0102103E0000827BD0018A360002208
62237+:100B10008F4401400A00025E2405000127BDFFE862
62238+:100B2000AFBF0014AFB0001093620000304400FF6C
62239+:100B300038830020388200300003182B0002102B6D
62240+:100B40000062182410600003240200501482008008
62241+:100B50008FBF001493620005304200011040007CFA
62242+:100B60008FBF0014934201482443FFFF2C6200050D
62243+:100B7000104000788FB00010000310803C03080084
62244+:100B800024634A68004310218C42000000400008A2
62245+:100B9000000000000E0002508F4401408F70000CD6
62246+:100BA0008F4201441602000224020001AF62000CD1
62247+:100BB0000E0002598F4401408F420144145000043A
62248+:100BC0008FBF00148FB000100A000F2027BD00183F
62249+:100BD0008F62000C0A0003040000000097620010FE
62250+:100BE0008F4301443042FFFF1462001A00000000EE
62251+:100BF00024020001A76200108F4202380443001053
62252+:100C00008F4201403C02003F3446F0003C0560004A
62253+:100C10003C04FFC08CA22BBC0044182400461024C6
62254+:100C20000002130200031D82106200390000000060
62255+:100C30008F4202380440FFF7000000008F4201405D
62256+:100C4000AF4202003C021000AF4202380A00032209
62257+:100C50008FBF0014976200100A0003040000000018
62258+:100C60000E0002508F440140976200128F430144EE
62259+:100C70003050FFFF1603000224020001A762001299
62260+:100C80000E0002598F4401408F42014416020004B5
62261+:100C90008FBF00148FB000100A00029127BD00180A
62262+:100CA000976200120A00030400000000976200141B
62263+:100CB0008F4301443042FFFF14620006240200010A
62264+:100CC0008FBF00148FB00010A76200140A00124AF0
62265+:100CD00027BD0018976200141440001D8FBF001438
62266+:100CE0000A00031C00000000976200168F430144B5
62267+:100CF0003042FFFF1462000B240200018FBF00147A
62268+:100D00008FB00010A76200160A000B1227BD001852
62269+:100D10009742007824420004A76200100A000322D0
62270+:100D20008FBF001497620016240300013042FFFFBA
62271+:100D3000144300078FBF00143C0208008C4200706F
62272+:100D4000244200013C010800AC2200708FBF001457
62273+:100D50008FB0001003E0000827BD001827BDFFE892
62274+:100D6000AFBF0014AFB000108F50010093620000BD
62275+:100D700093430109304400FF2402001F106200A5C4
62276+:100D80002862002010400018240200382862000A5F
62277+:100D90001040000C2402000B286200081040002CB8
62278+:100DA00000000000046000E52862000214400028F2
62279+:100DB00024020006106200268FBF00140A00041FE0
62280+:100DC0008FB000101062005E2862000B144000DC3F
62281+:100DD0008FBF00142402000E106200738FB0001049
62282+:100DE0000A00041F00000000106200C028620039E1
62283+:100DF0001040000A2402008024020036106200CA5B
62284+:100E000028620037104000B424020035106200C18F
62285+:100E10008FBF00140A00041F8FB000101062002B57
62286+:100E20002862008110400006240200C82402003914
62287+:100E3000106200B48FBF00140A00041F8FB00010AE
62288+:100E4000106200998FBF00140A00041F8FB00010B9
62289+:100E50003C0208008C420020104000B98FBF0014F3
62290+:100E60000E000493000000008F4201008F830020D9
62291+:100E70009745010C97460108AC6200008F420104BF
62292+:100E80003C04080094844B5E00052C00AC62000416
62293+:100E90008F4201180006340000C43025AC620008FF
62294+:100EA0008F42011C24040001AC62000C9342010A31
62295+:100EB00000A22825AC650010AC600014AC600018DE
62296+:100EC000AC66001C0A0003F58FBF00143C0208004A
62297+:100ED0008C4200201040009A8FBF00140E00049333
62298+:100EE00000000000974401083C03080094634B5E37
62299+:100EF0009745010C000422029746010E8F820020C4
62300+:100F0000000426000083202500052C003C030080FF
62301+:100F100000A6282500832025AC400000AC4000043A
62302+:100F2000AC400008AC40000CAC450010AC400014D4
62303+:100F3000AC400018AC44001C0A0003F42404000177
62304+:100F40009742010C14400015000000009362000558
62305+:100F50003042001014400011000000000E0002504A
62306+:100F6000020020219362000502002021344200107B
62307+:100F70000E000259A36200059362000024030020C2
62308+:100F8000304200FF1043006D020020218FBF00148B
62309+:100F90008FB000100A000FC027BD00180000000D20
62310+:100FA0000A00041E8FBF00143C0208008C4200207F
62311+:100FB000104000638FBF00140E0004930000000077
62312+:100FC0008F4201048F8300209744010C3C050800E8
62313+:100FD00094A54B5EAC6200009762002C00042400D4
62314+:100FE0003042FFFF008220253C02400E00A228254F
62315+:100FF000AC640004AC600008AC60000CAC60001095
62316+:10100000AC600014AC600018AC65001C0A0003F46E
62317+:10101000240400010E00025002002021A7600008F5
62318+:101020000E00025902002021020020210E00025E63
62319+:10103000240500013C0208008C42002010400040C2
62320+:101040008FBF00140E000493000000009742010CB3
62321+:101050008F8300203C05080094A54B5E000214001D
62322+:10106000AC700000AC620004AC6000088F64004CFF
62323+:101070003C02401F00A22825AC64000C8F62005087
62324+:1010800024040001AC6200108F620054AC620014B2
62325+:10109000AC600018AC65001C8FBF00148FB000104E
62326+:1010A0000A0004B827BD0018240200205082002541
62327+:1010B0008FB000100E000F0A020020211040002007
62328+:1010C0008FBF0014020020218FB0001000002821E3
62329+:1010D0000A00025E27BD0018020020218FBF001405
62330+:1010E0008FB000100A00058027BD00189745010C3D
62331+:1010F000020020218FBF00148FB000100A0005A04D
62332+:1011000027BD0018020020218FB000100A0005C57D
62333+:1011100027BD00189345010D020020218FB000105B
62334+:101120000A00060F27BD0018020020218FBF0014FF
62335+:101130008FB000100A0005EB27BD00188FBF001408
62336+:101140008FB0001003E0000827BD00188F4202781E
62337+:101150000440FFFE2402000234840080AF440240B9
62338+:10116000A34202443C02100003E00008AF420278B0
62339+:101170003C04080094844B6A3C0208008C424B7487
62340+:101180003083FFFF000318C000431021AF42003C32
62341+:101190003C0208008C424B70AF4200383C020050C9
62342+:1011A00034420008AF4200300000000000000000A0
62343+:1011B000000000008F420000304200201040FFFD80
62344+:1011C000000000008F4204003C010800AC224B608C
62345+:1011D0008F4204043C010800AC224B643C02002016
62346+:1011E000AF420030000000003C02080094424B680F
62347+:1011F0003C03080094634B6C3C05080094A54B6EBF
62348+:1012000024840001004310213083FFFF3C010800CB
62349+:10121000A4224B683C010800A4244B6A1465000317
62350+:10122000000000003C010800A4204B6A03E0000815
62351+:10123000000000003C05000A27BDFFE80345282107
62352+:101240003C04080024844B50AFBF00100E00051D65
62353+:101250002406000A3C02080094424B523C0308005A
62354+:1012600094634B6E3042000F244200030043180485
62355+:1012700024027FFF0043102B10400002AF83001CAC
62356+:101280000000000D0E00042A000000003C020800CF
62357+:1012900094424B5A8FBF001027BD001803E000088E
62358+:1012A000A74200A23C02000A034210219443000618
62359+:1012B0003C02080094424B5A3C010800A4234B56C0
62360+:1012C000004310238F83001C00021400000214034B
62361+:1012D0000043102B03E000083842000127BDFFE85F
62362+:1012E000AFBF00103C02000A0342102194420006E6
62363+:1012F0003C010800A4224B560E00047700000000B9
62364+:101300005440FFF93C02000A8FBF001003E00008C0
62365+:1013100027BD001827BDFFE8AFBF00100E000477FF
62366+:101320000000000010400003000000000E000485D3
62367+:10133000000000003C0208008C424B608FBF001090
62368+:1013400027430400AF4200383C0208008C424B6443
62369+:1013500027BD0018AF830020AF42003C3C020005CF
62370+:10136000AF42003003E00008AF8000188F82001801
62371+:101370003C0300060002114000431025AF4200303C
62372+:101380000000000000000000000000008F4200008C
62373+:10139000304200101040FFFD27420400AF820020C1
62374+:1013A00003E00008AF8000183C0608008CC64B64C0
62375+:1013B0008F8500188F8300203C02080094424B5A0E
62376+:1013C00027BDFFE024A50001246300202442000182
62377+:1013D00024C70020AFB10014AFB00010AFBF001899
62378+:1013E000AF850018AF8300203C010800A4224B5AAF
62379+:1013F000309000FF3C010800AC274B6404C100089A
62380+:101400000000882104E00006000000003C02080003
62381+:101410008C424B60244200013C010800AC224B602E
62382+:101420003C02080094424B5A3C03080094634B680A
62383+:101430000010202B004310262C42000100441025F0
62384+:10144000144000048F830018240200101462000F5F
62385+:10145000000000000E0004A9241100013C03080054
62386+:1014600094634B5A3C02080094424B681462000398
62387+:10147000000000000E00042A000000001600000317
62388+:10148000000000000E000493000000003C03080070
62389+:1014900094634B5E3C02080094424B5C2463000161
62390+:1014A0003064FFFF3C010800A4234B5E148200035C
62391+:1014B000000000003C010800A4204B5E1200000662
62392+:1014C000000000003C02080094424B5AA74200A2D0
62393+:1014D0000A00050B022010210E0004770000000016
62394+:1014E00010400004022010210E00048500000000BE
62395+:1014F000022010218FBF00188FB100148FB0001090
62396+:1015000003E0000827BD00203084FFFF30A5FFFF67
62397+:101510000000182110800007000000003082000148
62398+:101520001040000200042042006518210A00051343
62399+:101530000005284003E000080060102110C00006EC
62400+:1015400024C6FFFF8CA2000024A50004AC8200008A
62401+:101550000A00051D2484000403E0000800000000C8
62402+:1015600010A0000824A3FFFFAC86000000000000CC
62403+:10157000000000002402FFFF2463FFFF1462FFFA53
62404+:101580002484000403E0000800000000240200019D
62405+:10159000AF62000CA7620010A7620012A7620014DD
62406+:1015A00003E00008A76200163082007F034210218A
62407+:1015B0003C08000E004818213C0208008C42002024
62408+:1015C00027BDFFD82407FF80AFB3001CAFB20018BF
62409+:1015D000AFB10014AFB00010AFBF00200080802179
62410+:1015E00030B100FF0087202430D200FF1040002FD0
62411+:1015F00000009821AF44002C9062000024030050AA
62412+:10160000304200FF1443000E000000003C020800BE
62413+:101610008C4200E00202102100471024AF42002C4F
62414+:101620003C0208008C4200E0020210213042007FA0
62415+:101630000342102100481021944200D43053FFFF90
62416+:101640000E000493000000003C02080094424B5E30
62417+:101650008F8300200011340000C2302500122C00BE
62418+:101660003C02400000C2302534A50001AC700000EF
62419+:101670008FBF0020AC6000048FB20018AC7300086C
62420+:101680008FB10014AC60000C8FB3001CAC6500106F
62421+:101690008FB00010AC60001424040001AC6000188E
62422+:1016A00027BD00280A0004B8AC66001C8FBF0020CC
62423+:1016B0008FB3001C8FB200188FB100148FB00010D0
62424+:1016C00003E0000827BD00289343010F2402001007
62425+:1016D0001062000E2865001110A0000724020012FD
62426+:1016E000240200082405003A1062000600003021A0
62427+:1016F00003E0000800000000240500351462FFFC30
62428+:10170000000030210A000538000000008F420074FC
62429+:1017100024420FA003E00008AF62000C27BDFFE8E1
62430+:10172000AFBF00100E00025E240500018FBF001045
62431+:1017300024020001A762001227BD00182402000144
62432+:1017400003E00008A360002227BDFFE0AFB1001452
62433+:10175000AFB00010AFBF001830B1FFFF0E00025055
62434+:10176000008080219362003F24030004304200FF88
62435+:101770001443000C02002021122000082402000A59
62436+:101780000E00053100000000936200052403FFFEF7
62437+:1017900000431024A362000524020012A362003F4C
62438+:1017A000020020210E000259A360008116200003D0
62439+:1017B000020020210E0005950000000002002021FB
62440+:1017C000322600FF8FBF00188FB100148FB00010B9
62441+:1017D000240500380A00053827BD002027BDFFE09A
62442+:1017E000AFBF001CAFB20018AFB10014AFB0001013
62443+:1017F0000E000250008080210E0005310000000024
62444+:101800009362003F24120018305100FF123200038F
62445+:101810000200202124020012A362003F936200050F
62446+:101820002403FFFE004310240E000259A3620005AA
62447+:10183000020020212405002016320007000030217C
62448+:101840008FBF001C8FB200188FB100148FB0001032
62449+:101850000A00025E27BD00208FBF001C8FB2001857
62450+:101860008FB100148FB00010240500390A0005382C
62451+:1018700027BD002027BDFFE8AFB00010AFBF0014A8
62452+:101880009742010C2405003600808021144000108E
62453+:10189000304600FF0E00025000000000240200123B
62454+:1018A000A362003F93620005344200100E00053130
62455+:1018B000A36200050E00025902002021020020212F
62456+:1018C0000E00025E240500200A000604000000004D
62457+:1018D0000E000538000000000E000250020020211A
62458+:1018E000936200232403FF9F020020210043102461
62459+:1018F0008FBF00148FB00010A36200230A000259AA
62460+:1019000027BD001827BDFFE0AFBF0018AFB100141E
62461+:10191000AFB0001030B100FF0E00025000808021F7
62462+:10192000240200120E000531A362003F0E0002598E
62463+:101930000200202102002021022030218FBF001848
62464+:101940008FB100148FB00010240500350A0005384F
62465+:1019500027BD0020A380002C03E00008A380002DF9
62466+:101960008F4202780440FFFE8F820034AF42024073
62467+:1019700024020002A34202443C02100003E00008DB
62468+:10198000AF4202783C0360008C6254003042000891
62469+:101990001440FFFD000000008C625408AF82000C70
62470+:1019A00024020052AC605408AC645430AC6254342D
62471+:1019B0002402000803E00008AC6254003C0260000E
62472+:1019C0008C42540030420008104000053C03600087
62473+:1019D0008C625400304200081440FFFD00000000FB
62474+:1019E0008F83000C3C02600003E00008AC43540805
62475+:1019F00090A3000024020005008040213063003FD6
62476+:101A000000004821146200050000502190A2001C33
62477+:101A100094A3001E304900FF306AFFFFAD00000CA8
62478+:101A2000AD000010AD000024950200148D05001CCF
62479+:101A30008D0400183042FFFF0049102300021100FE
62480+:101A4000000237C3004038210086202300A2102B5B
62481+:101A50000082202300A72823AD05001CAD04001838
62482+:101A6000A5090014A5090020A50A001603E0000836
62483+:101A7000A50A00228F4201F80440FFFE2402000262
62484+:101A8000AF4401C0A34201C43C02100003E00008BF
62485+:101A9000AF4201F83C0208008C4200B427BDFFE8C9
62486+:101AA000AFBF001424420001AFB000103C01080099
62487+:101AB000AC2200B48F4300243C02001F30AA00FF78
62488+:101AC0003442FF8030D800FF006280240080F8217B
62489+:101AD00030EF00FF1158003B01405821240CFF80DB
62490+:101AE0003C19000A3163007F000310C00003194055
62491+:101AF000006218213C0208008C4200DC25680001CD
62492+:101B0000310D007F03E21021004310213043007F9C
62493+:101B100003431821004C102400794821AF420024CF
62494+:101B20008D220024016C1824006C7026AD22000C5C
62495+:101B30008D220024310800FFAD22001095220014F0
62496+:101B4000952300208D27001C3042FFFF3063FFFFEC
62497+:101B50008D2600180043102300021100000227C345
62498+:101B60000040282100C4302300E2102B00C23023A3
62499+:101B700000E53823AD27001CAD2600189522002073
62500+:101B8000A522001495220022154B000AA52200165A
62501+:101B90008D2300248D220008254600013145008058
62502+:101BA0001462000430C4007F108F000238AA008045
62503+:101BB00000C0502151AF000131C800FF1518FFC906
62504+:101BC000010058218F8400343082007F03421821A5
62505+:101BD0003C02000A006218212402FF8000822024B7
62506+:101BE000AF440024A06A0079A06A00838C62005090
62507+:101BF0008F840034AC6200708C6500743C027FFFFF
62508+:101C00003442FFFF00A228240E00066BAC6500746E
62509+:101C1000AF5000248FBF00148FB0001003E0000805
62510+:101C200027BD001827BDFFC0AFBE0038AFB70034D6
62511+:101C3000AFB5002CAFB20020AFB1001CAFB00018A0
62512+:101C4000AFBF003CAFB60030AFB40028AFB3002444
62513+:101C50008F4500248F4600288F43002C3C02001F34
62514+:101C60003442FF800062182400C230240080A82182
62515+:101C7000AFA3001400A2F0240E00062FAFA60010A0
62516+:101C80003C0208008C4200E02410FF8003608821A1
62517+:101C900002A2102100501024AF4200243C02080090
62518+:101CA0008C4200E002A210213042007F0342182142
62519+:101CB0003C02000A00629021924200D293630084A9
62520+:101CC000305700FF306300FF24020001106200342F
62521+:101CD000036020212402000214620036000000008C
62522+:101CE0000E001216024028219223008392220083C4
62523+:101CF0003063007F3042007F000210C000031940B3
62524+:101D0000006218213C0208008C4200DC02A2102173
62525+:101D10000043382100F01024AF42002892250078BB
62526+:101D20009224008330E2007F034218213C02000C21
62527+:101D300014850007006280212402FFFFA24200F107
62528+:101D40002402FFFFA64200F20A0007272402FFFF39
62529+:101D500096020020A24200F196020022A64200F262
62530+:101D60008E020024AE4200F492220083A24200F0D0
62531+:101D70008E4200C8AE4200FC8E4200C4AE4200F863
62532+:101D80008E220050AE4201008E4200CCAE420104D1
62533+:101D9000922200853042003F0A0007823442004010
62534+:101DA0000E00123902402821922200850A00078283
62535+:101DB0003042003F936200852403FFDF3042003F42
62536+:101DC000A36200859362008500431024A36200850E
62537+:101DD0009363008393620078307400FF304200FF09
62538+:101DE00010540036240AFF803C0C000C3283007F24
62539+:101DF000000310C000031940006218213C020800D3
62540+:101E00008C4200DC268800013109007F02A21021EB
62541+:101E10000043382130E2007F0342182100EA1024F9
62542+:101E2000AF420028006C80218E020024028A182410
62543+:101E3000006A5826AE02000C8E020024310800FF12
62544+:101E4000AE02001096020014960300208E07001CBC
62545+:101E50003042FFFF3063FFFF8E060018004310235F
62546+:101E600000021100000227C30040282100C43023D3
62547+:101E700000E2102B00C2302300E53823AE07001C1F
62548+:101E8000AE06001896020020A60200149602002258
62549+:101E9000A602001692220079304200FF105400077B
62550+:101EA0000000000051370001316800FF92220078E5
62551+:101EB000304200FF1448FFCD0100A0219222008390
62552+:101EC000A22200798E2200500A0007E2AE220070A2
62553+:101ED000A22200858E22004C2405FF80AE42010C18
62554+:101EE0009222008534420020A2220085924200D135
62555+:101EF0003C0308008C6300DC305400FF3C02080007
62556+:101F00008C4200E400143140001420C002A31821C8
62557+:101F100000C4202102A210210064382100461021B3
62558+:101F20000045182400E52824AF450028AF43002CC5
62559+:101F30003042007F924400D030E3007F03422821EA
62560+:101F4000034318213C02000C006280213C02000E79
62561+:101F5000309600FF00A298211296002A000000008F
62562+:101F60008E02000C02002021026028211040002572
62563+:101F7000261000280E00064A000000009262000DA4
62564+:101F800026830001307400FF3042007FA262000D02
62565+:101F90002404FF801697FFF0267300203C020800FF
62566+:101FA0008C4200DC0000A02102A210210044102479
62567+:101FB000AF4200283C0208008C4200E43C030800C9
62568+:101FC0008C6300DC02A2102100441024AF42002CDC
62569+:101FD0003C0208008C4200E402A318213063007F19
62570+:101FE00002A210213042007F034220210343182126
62571+:101FF0003C02000C006280213C02000E0A0007A493
62572+:10200000008298218E4200D8AE2200508E4200D825
62573+:10201000AE22007092250083924600D19223008365
62574+:10202000924400D12402FF8000A228243063007F64
62575+:10203000308400FF00A628250064182A10600002E2
62576+:1020400030A500FF38A50080A2250083A2250079D5
62577+:102050000E00063D000000009222007E02A020211A
62578+:10206000A222007A8E2300743C027FFF3442FFFFDD
62579+:10207000006218240E00066BAE2300748FA20010BD
62580+:10208000AF5E00248FBF003CAF4200288FBE0038F7
62581+:102090008FA200148FB700348FB600308FB5002C9C
62582+:1020A0008FB400288FB300248FB200208FB1001CA2
62583+:1020B0008FB0001827BD004003E00008AF42002C9D
62584+:1020C00090A2000024420001A0A200003C030800EE
62585+:1020D0008C6300F4304200FF1443000F0080302175
62586+:1020E000A0A000003C0208008C4200E48F84003471
62587+:1020F000008220213082007F034218213C02000C24
62588+:10210000006218212402FF8000822024ACC300005A
62589+:1021100003E00008AF4400288C8200002442002025
62590+:1021200003E00008AC82000094C200003C080800F4
62591+:10213000950800CA30E7FFFF008048210102102106
62592+:10214000A4C2000094C200003042FFFF00E2102B46
62593+:1021500054400001A4C7000094A200003C03080002
62594+:102160008C6300CC24420001A4A2000094A20000D1
62595+:102170003042FFFF544300078F8600280107102BD1
62596+:10218000A4A000005440000101003821A4C70000B1
62597+:102190008F8600288CC4001CAF44003C94A2000031
62598+:1021A0008F43003C3042FFFF000210C00062182144
62599+:1021B000AF43003C8F42003C008220231880000483
62600+:1021C000000000008CC200180A00084324420001ED
62601+:1021D0008CC20018AF4200383C020050344200105C
62602+:1021E000AF420030000000000000000000000000CE
62603+:1021F0008F420000304200201040FFFD0000000030
62604+:102200008F420404AD2200048F420400AD2200007E
62605+:102210003C020020AF42003003E000080000000054
62606+:1022200027BDFFE0AFB20018AFB10014AFB000108F
62607+:10223000AFBF001C94C2000000C080213C12080007
62608+:10224000965200C624420001A60200009603000038
62609+:1022500094E2000000E03021144300058FB100300B
62610+:102260000E000818024038210A000875000000001E
62611+:102270008C8300048C820004244200400461000727
62612+:10228000AC8200048C8200040440000400000000C2
62613+:102290008C82000024420001AC8200009602000003
62614+:1022A0003042FFFF50520001A600000096220000BD
62615+:1022B00024420001A62200008F82002896230000FD
62616+:1022C00094420016144300048FBF001C2402000136
62617+:1022D000A62200008FBF001C8FB200188FB100141F
62618+:1022E0008FB0001003E0000827BD00208F89002870
62619+:1022F00027BDFFE0AFBF00188D220028274804004B
62620+:1023000030E700FFAF4200388D22002CAF8800304C
62621+:10231000AF42003C3C020005AF420030000000002C
62622+:1023200000000000000000000000000000000000AD
62623+:10233000000000008C82000C8C82000CAD020000BA
62624+:102340008C820010AD0200048C820018AD020008DF
62625+:102350008C82001CAD02000C8CA20014AD02001097
62626+:102360008C820020AD02001490820005304200FFF4
62627+:1023700000021200AD0200188CA20018AD02001C71
62628+:102380008CA2000CAD0200208CA20010AD02002433
62629+:102390008CA2001CAD0200288CA20020AD02002CF3
62630+:1023A000AD060030AD000034978300263402FFFFF5
62631+:1023B00014620002006020213404FFFF10E00011CD
62632+:1023C000AD04003895230036952400362402000120
62633+:1023D0003063FFFF000318C20069182190650040B8
62634+:1023E000308400070082100400451025A0620040E0
62635+:1023F0008F820028944200563042FFFF0A0008DC1A
62636+:10240000AD02003C952300369524003624020001DD
62637+:102410003063FFFF000318C2006918219065004077
62638+:1024200030840007008210040002102700451024A9
62639+:10243000A0620040AD00003C000000000000000071
62640+:10244000000000003C02000634420040AF42003071
62641+:102450000000000000000000000000008F420000AB
62642+:10246000304200101040FFFD8F860028AF880030FA
62643+:1024700024C2005624C7003C24C4002824C50032CE
62644+:1024800024C600360E000856AFA200108FBF0018F9
62645+:1024900003E0000827BD00208F8300243C060800CD
62646+:1024A0008CC600E88F82003430633FFF0003198040
62647+:1024B00000461021004310212403FF803046007F96
62648+:1024C00000431024AF420028034618213C02000CB0
62649+:1024D0000062302190C2000D30A500FF00003821BD
62650+:1024E00034420010A0C2000D8F8900288F8A00247A
62651+:1024F00095230036000A13823048000324020001AD
62652+:10250000A4C3000E1102000B2902000210400005B6
62653+:10251000240200021100000C240300010A0009201B
62654+:102520000000182111020006000000000A00092026
62655+:10253000000018218CC2002C0A000920244300014D
62656+:102540008CC20014244300018CC200180043102BDD
62657+:1025500050400009240700012402002714A20003B0
62658+:10256000000000000A00092C240700019522003E0B
62659+:1025700024420001A522003E000A138230430003DA
62660+:102580002C62000210400009008028211460000421
62661+:102590000000000094C200360A00093C3046FFFFEC
62662+:1025A0008CC600380A00093C008028210000302138
62663+:1025B0003C04080024844B780A00088900000000CD
62664+:1025C000274901008D22000C9523000601202021BF
62665+:1025D000000216023046003F3063FFFF240200274E
62666+:1025E00000C0282128C7002810C2000EAF83002495
62667+:1025F00010E00008240200312402002110C200096A
62668+:102600002402002510C200079382002D0A00095BF6
62669+:102610000000000010C200059382002D0A00095B33
62670+:10262000000000000A0008F4000000000A0006266E
62671+:102630000000000095230006912400058D25000C64
62672+:102640008D2600108D2700188D28001C8D29002054
62673+:10265000244200013C010800A4234B7E3C010800F9
62674+:10266000A0244B7D3C010800AC254B843C010800B4
62675+:10267000AC264B883C010800AC274B903C0108007D
62676+:10268000AC284B943C010800AC294B9803E00008AF
62677+:10269000A382002D8F87002827BDFFC0AFB3003471
62678+:1026A000AFB20030AFB1002CAFB00028AFBF0038E0
62679+:1026B0003C0208008C4200D094E3003030B0FFFFB1
62680+:1026C000005010073045FFFF3063FFFF00C0982126
62681+:1026D000A7A200103C110800963100C614A3000602
62682+:1026E0003092FFFF8CE2002424420030AF42003CD5
62683+:1026F0000A0009948CE2002094E200323042FFFF8D
62684+:1027000054A2000827A400188CE2002C24420030B8
62685+:10271000AF42003C8CE20028AF4200380A0009A218
62686+:102720008F84002827A5001027A60020022038212A
62687+:102730000E000818A7A000208FA200182442003025
62688+:10274000AF4200388FA2001CAF42003C8F840028AB
62689+:102750003C020005AF42003094820034274304005D
62690+:102760003042FFFF0202102B14400007AF830030FD
62691+:1027700094820054948300340202102100431023F9
62692+:102780000A0009B63043FFFF94830054948200345A
62693+:102790000223182100501023006218233063FFFF2A
62694+:1027A000948200163042FFFF144300030000000033
62695+:1027B0000A0009C424030001948200163042FFFF7E
62696+:1027C0000043102B104000058F82003094820016C9
62697+:1027D000006210233043FFFF8F820030AC530000B3
62698+:1027E000AC400004AC520008AC43000C3C020006B4
62699+:1027F00034420010AF420030000000000000000032
62700+:10280000000000008F420000304200101040FFFD29
62701+:10281000001018C2006418219065004032040007BF
62702+:10282000240200018FBF00388FB300348FB2003014
62703+:102830008FB1002C8FB000280082100400451025B5
62704+:1028400027BD004003E00008A062004027BDFFA8AC
62705+:10285000AFB60050AFB5004CAFB40048AFB30044C2
62706+:10286000AFB1003CAFBF0054AFB20040AFB00038D2
62707+:102870008C9000003C0208008C4200E88F860034F7
62708+:10288000960300022413FF8000C2302130633FFF13
62709+:102890000003198000C3382100F3102490B2000017
62710+:1028A000AF42002C9203000230E2007F034230214D
62711+:1028B0003C02000E00C28821306300C024020040A8
62712+:1028C0000080A82100A0B021146200260000A021F1
62713+:1028D0008E3400388E2200181440000224020001B9
62714+:1028E000AE2200189202000D304200201440001564
62715+:1028F0008F8200343C0308008C6300DC001238C077
62716+:10290000001231400043102100C730210046382119
62717+:1029100030E300073C02008030E6007800C230253A
62718+:102920000343182100F31024AF4208002463090078
62719+:10293000AF4608108E2200188C6300080043102157
62720+:10294000AE2200188E22002C8E2300182442000193
62721+:102950000062182B1060003D000000000A000A7899
62722+:1029600000000000920300022402FFC00043102474
62723+:10297000304200FF1440000524020001AE2200187E
62724+:10298000962200360A000A613054FFFF8E2200149E
62725+:1029900024420001AE22001892020000000216003C
62726+:1029A0000002160304410029000000009602000204
62727+:1029B00027A4001000802821A7A20016960200027A
62728+:1029C00024070001000030213042FFFFAF820024C5
62729+:1029D0000E000889AFA0001C960300023C0408000A
62730+:1029E0008C8400E88F82003430633FFF000319803D
62731+:1029F00000441021004310213043007F3C05000CAF
62732+:102A00000053102403431821AF4200280065182109
62733+:102A10009062000D001221403042007FA062000D44
62734+:102A20003C0308008C6300E48F82003400431021D3
62735+:102A30000044382130E2007F03421021004510217C
62736+:102A400000F31824AF430028AEA200009222000D2C
62737+:102A5000304200101040001302A020218F83002874
62738+:102A60008EA40000028030219462003E2442FFFFC9
62739+:102A7000A462003E948400029625000E3084FFFF7D
62740+:102A80000E00097330A5FFFF8F82002894430034A5
62741+:102A90009622000E1443000302A02021240200010C
62742+:102AA000A382002C02C028210E0007FE00000000B7
62743+:102AB0008FBF00548FB600508FB5004C8FB40048C4
62744+:102AC0008FB300448FB200408FB1003C8FB000380C
62745+:102AD00003E0000827BD00588F82002827BDFFD0E3
62746+:102AE000AFB40028AFB20020AFBF002CAFB30024BA
62747+:102AF000AFB1001CAFB00018904400D0904300D19B
62748+:102B00000000A021309200FFA3A30010306300FF5B
62749+:102B10008C5100D88C5300DC1072002B2402000171
62750+:102B20003C0308008C6300E493A400108F820034FF
62751+:102B30002406FF800004214000431021004410219E
62752+:102B40003043007F00461024AF4200280343182181
62753+:102B50003C02000C006218218C62000427A40014BF
62754+:102B600027A50010022280210270102304400015C6
62755+:102B7000AFA300149062000D00C21024304200FF89
62756+:102B800014400007020088219062000D344200408A
62757+:102B90000E0007FEA062000D0A000ABD93A20010FD
62758+:102BA0000E0009E1241400018F830028AC7000D8C6
62759+:102BB00093A20010A06200D193A200101452FFD87B
62760+:102BC0000000000024020001168200048FBF002CC8
62761+:102BD0000E000626000000008FBF002C8FB40028D6
62762+:102BE0008FB300248FB200208FB1001C8FB000186B
62763+:102BF00003E0000827BD003027BDFFD8AFB3001C9D
62764+:102C0000AFB20018AFB10014AFB00010AFBF0020DA
62765+:102C10000080982100E0802130B1FFFF0E00049376
62766+:102C200030D200FF000000000000000000000000A3
62767+:102C30008F820020AC510000AC520004AC5300085D
62768+:102C4000AC40000CAC400010AC400014AC4000188C
62769+:102C50003C03080094634B5E02038025AC50001CCB
62770+:102C6000000000000000000000000000240400013B
62771+:102C70008FBF00208FB3001C8FB200188FB10014DB
62772+:102C80008FB000100A0004B827BD002827BDFFE858
62773+:102C9000AFB00010AFBF001430A5FFFF30C600FF7B
62774+:102CA0000080802124020C80AF420024000000003C
62775+:102CB0000000000000000000000000000000000014
62776+:102CC0000E000ACC000000003C040800248400E050
62777+:102CD0008C8200002403FF808FBF001402021021A9
62778+:102CE00000431024AF4200248C8200003C03000A01
62779+:102CF000020280213210007F035010218FB000109B
62780+:102D00000043102127BD001803E00008AF8200280F
62781+:102D100027BDFFE8AFBF00108F4401403C0308000F
62782+:102D20008C6300E02402FF80AF840034008318210C
62783+:102D300000621024AF4200243C02000803424021FC
62784+:102D4000950500023063007F3C02000A034318210E
62785+:102D50000062182130A5FFFF3402FFFF0000302180
62786+:102D60003C07602010A20006AF8300282402FFFF6A
62787+:102D7000A5020002946500D40E000AF130A5FFFF01
62788+:102D80008FBF001024020C8027BD001803E000084C
62789+:102D9000AF4200243C020008034240219502000299
62790+:102DA0003C0A0800954A00C63046FFFF14C00007E1
62791+:102DB0003402FFFF8F8200288F8400343C0760209C
62792+:102DC000944500D40A000B5A30A5FFFF10C200241E
62793+:102DD0008F87002894E2005494E400163045FFFFEA
62794+:102DE00000A6102300A6182B3089FFFF10600004F6
62795+:102DF0003044FFFF00C51023012210233044FFFFA1
62796+:102E0000008A102B1040000C012A1023240200011C
62797+:102E1000A50200162402FFFFA502000294E500D4DB
62798+:102E20008F8400340000302130A5FFFF3C07602074
62799+:102E30000A000AF1000000000044102A10400008B7
62800+:102E4000000000009502001630420001104000040E
62801+:102E5000000000009742007E24420014A5020016E4
62802+:102E600003E00008000000008F84002827BDFFE079
62803+:102E7000AFBF0018948200349483003E1060001AA3
62804+:102E80003048FFFF9383002C2402000114620027C6
62805+:102E90008FBF00188F820028000818C23108000771
62806+:102EA000006218212447003A244900542444002099
62807+:102EB000244500302446003490620040304200FF38
62808+:102EC0000102100730420001104000168FBF0018A9
62809+:102ED0000E000856AFA900108F82002894420034DB
62810+:102EE0000A000B733048FFFF94830036948200344D
62811+:102EF0001043000E8FBF001894820036A482003465
62812+:102F000094820056A48200548C82002CAC8200244F
62813+:102F100094820032A48200309482003CA482003A61
62814+:102F20008FBF00180A000B3327BD002003E0000804
62815+:102F300027BD002027BDFFE8AFBF00108F4A01006A
62816+:102F40003C0508008CA500E03C02080090424B8440
62817+:102F50003C0C0800958C4B7E01452821304B003FEE
62818+:102F600030A2007F03424021396900323C02000A4E
62819+:102F70003963003F2C630001010240212D2900012B
62820+:102F80002402FF8000A2282401234825AF8A0034B0
62821+:102F900000801821AF450024000030210080282146
62822+:102FA00024070001AF8800283C04080024844B78E3
62823+:102FB000AF8C002415200007A380002D24020020E0
62824+:102FC0005562000F006020213402FFFF5582000C83
62825+:102FD000006020212402002015620005000000008E
62826+:102FE0008C6300142402FFFF106200070000000041
62827+:102FF0000E000889000000000A000BD0000000004D
62828+:103000000E0008F4016028210E000B68000000008B
62829+:103010008FBF001024020C8027BD001803E00008B9
62830+:10302000AF4200243C0208008C4200E027BDFFA014
62831+:10303000AFB1003C008210212411FF80AFBE0058C8
62832+:10304000AFB70054AFB20040AFB00038AFBF005CC4
62833+:10305000AFB60050AFB5004CAFB40048AFB30044BA
62834+:10306000005110248F4800248F4900288F470028E2
62835+:10307000AF4200243C0208008C4200E00080902116
62836+:1030800024060006008210213042007F03421821EE
62837+:103090003C02000A006280213C02001F3442FF8093
62838+:1030A00000E2382427A40010260500F00122F024B5
62839+:1030B0000102B8240E00051DAFA700308FA2001832
62840+:1030C000AE0200C48FA2001CAE0200C88FA2002472
62841+:1030D000AE0200CC93A40010920300D12402FF8022
62842+:1030E0000082102400431025304900FF3083007F08
62843+:1030F0003122007F0062102A10400004000310C03B
62844+:1031000001311026304900FF000310C000031940B0
62845+:10311000006218213C0208008C4200DC920400D2BC
62846+:10312000024210210043102100511024AF42002818
62847+:1031300093A300103063007F000310C00003194008
62848+:10314000006218213C0208008C4200DC024210217F
62849+:10315000004310213042007F034218213C02000C42
62850+:10316000006240218FA300142402FFFF1062003090
62851+:10317000309500FF93A2001195030014304400FF26
62852+:103180003063FFFF0064182B1060000D000000008A
62853+:10319000950400148D07001C8D0600183084FFFF75
62854+:1031A00000442023000421000000102100E4382105
62855+:1031B00000E4202B00C230210A000C4A00C4302158
62856+:1031C000950400148D07001C8D0600183084FFFF45
62857+:1031D000008220230004210000001021008018211B
62858+:1031E00000C2302300E4202B00C4302300E3382346
62859+:1031F000AD07001CAD06001893A20011A502001433
62860+:1032000097A20012A50200168FA20014AD020010B2
62861+:103210008FA20014AD02000C93A20011A5020020A1
62862+:1032200097A20012A50200228FA20014AD02002472
62863+:103230002406FF80024610243256007FAF4200244D
62864+:10324000035618213C02000A006280218E02004CC5
62865+:103250008FA200203124007F000428C0AE0200505D
62866+:103260008FA200200004214000852821AE020070BA
62867+:1032700093A2001001208821A202008393A20010D3
62868+:10328000A2020079920200853042003FA20200852E
62869+:103290003C0208008C4200DC024210210045102153
62870+:1032A00000461024AF42002C3C0208008C4200E48F
62871+:1032B0003C0308008C6300DC024210210044102112
62872+:1032C00000461024AF4200283C0208008C4200E473
62873+:1032D00002431821006518210242102100441021E8
62874+:1032E0003042007F3063007F93A50010034220210D
62875+:1032F000034318213C02000E006240213C02000CF6
62876+:1033000010B1008C008248213233007F1660001912
62877+:103310002404FF803C0208008C4200DC02421021A1
62878+:1033200000441024AF42002C3C0208008C4200E410
62879+:103330003C0308008C6300DC02421021004410248E
62880+:10334000AF4200283C0208008C4200E402431821EE
62881+:103350003063007F024210213042007F034220216F
62882+:10336000034318213C02000E006240213C02000C85
62883+:10337000008248219124000D2414FF8000001021B8
62884+:1033800000942025A124000D950400029505001449
62885+:103390008D07001C3084FFFF30A5FFFF8D0600184D
62886+:1033A000008520230004210000E4382100C23021E0
62887+:1033B00000E4202B00C43021AD07001CAD0600182E
62888+:1033C00095020002A5020014A50000168D02000857
62889+:1033D000AD0200108D020008AD02000C9502000243
62890+:1033E000A5020020A50000228D020008AD020024E5
62891+:1033F0009122000D30420040104000422622000180
62892+:103400003C0208008C4200E0A3B300283C10000AF4
62893+:103410000242102100541024AF4200243C02080054
62894+:103420008C4200E0A380002C27A4002C0242102133
62895+:103430003042007F03421821007018218C6200D8AE
62896+:103440008D26000427A50028AFA9002C00461021D6
62897+:10345000AC6200D80E0009E1AF83002893A30028D6
62898+:103460008F8200280E000626A04300D10E000B68B4
62899+:103470000000000002541024AF4200243C02080067
62900+:103480008C4200DC00132940001320C000A420213E
62901+:10349000024210210044102100541024AF42002C9D
62902+:1034A0003C0208008C4200E43C0308008C6300DC12
62903+:1034B00003563021024210210045102100541024EF
62904+:1034C000AF4200283C0208008C4200E4024318216D
62905+:1034D0000064182102421021004510213042007F73
62906+:1034E0003063007F03422021034318213C02000E79
62907+:1034F000006240213C02000C00D080210082482163
62908+:10350000262200013043007F14750005304400FF7F
62909+:103510002403FF800223102400431026304400FFC0
62910+:1035200093A2001000808821250800281444FF760B
62911+:103530002529002093A400108FA300142402FFFF6C
62912+:103540001062000A308900FF2482000124830001F8
62913+:103550003042007F14550005306900FF2403FF80CE
62914+:103560000083102400431026304900FF92020078A7
62915+:10357000305300FF11330032012088213C02080043
62916+:103580008C4200DC3225007F000520C00005294068
62917+:1035900000A42021024210212406FF8000441021B3
62918+:1035A00000461024AF42002C3C0308008C6300DC72
62919+:1035B0003C0208008C4200E4024318210242102120
62920+:1035C0000045102100641821004610243063007F5C
62921+:1035D000AF420028034318213C02000E0062402144
62922+:1035E0003C0208008C4200E48D06000C0100202102
62923+:1035F00002421021004510213042007F0342182171
62924+:103600003C02000C0062482110C0000D012028215E
62925+:103610000E00064A000000002402FF800222182447
62926+:1036200026240001006228263082007F1455000203
62927+:10363000308300FF30A300FF1473FFD000608821A7
62928+:103640008E0300743C027FFF3442FFFF00621824A7
62929+:10365000AE0300740E00066B02402021AF57002419
62930+:103660008FA20030AF5E00288FBF005C8FBE005875
62931+:103670008FB700548FB600508FB5004C8FB4004800
62932+:103680008FB300448FB200408FB1003C8FB0003840
62933+:1036900027BD006003E00008AF42002C27BDFFD823
62934+:1036A000AFB1001CAFBF0020AFB000182751018898
62935+:1036B000922200032408FF803C03000A3047007F69
62936+:1036C000A3A700108F4601803C0208008C4200E056
62937+:1036D000AF86003400C2282100A81024AF42002485
62938+:1036E0009224000030A2007F0342102100431021E9
62939+:1036F000AF8200283084007F24020002148200255B
62940+:10370000000719403C0208008C4200E400C210216E
62941+:103710000043282130A2007F0342182100A8102472
62942+:10372000AF4200283C02000C006218219062000D9C
62943+:10373000AFA3001400481025A062000D8FA3001451
62944+:103740009062000D304200405040006A8FBF002060
62945+:103750008F860028A380002C27A400148CC200D8D8
62946+:103760008C63000427A50010004310210E0009E11E
62947+:10377000ACC200D893A300108F8200280E0006264A
62948+:10378000A04300D10E000B68000000000A000E0BE1
62949+:103790008FBF00200E00062F00C020210E00063D26
62950+:1037A000000000003C020008034280219223000137
62951+:1037B0009202007B1443004F8FBF00209222000032
62952+:1037C0003044007F24020004108200172882000584
62953+:1037D00010400006240200052402000310820007A6
62954+:1037E0008FB1001C0A000E0C0000000010820012B5
62955+:1037F0008FBF00200A000E0C8FB1001C92050083C1
62956+:10380000920600788E0700748F84003430A500FF84
62957+:1038100000073E0230C600FF0E00067330E7007F4F
62958+:103820000A000E0B8FBF00200E000BD78F840034D0
62959+:103830000A000E0B8FBF002024020C80AF42002430
62960+:103840009202003E30420040104000200000000084
62961+:103850009202003E00021600000216030441000618
62962+:10386000000000008F8400340E0005A024050093A2
62963+:103870000A000E0B8FBF00209202003F24030018A5
62964+:10388000304200FF1443000C8F84003424050039BB
62965+:103890000E000538000030210E0002508F840034E5
62966+:1038A00024020012A202003F0E0002598F8400344D
62967+:1038B0000A000E0B8FBF0020240500360E000538CD
62968+:1038C000000030210A000E0B8FBF00200E000250B6
62969+:1038D0008F8400349202000534420020A2020005C9
62970+:1038E0000E0002598F8400340E000FC08F84003404
62971+:1038F0008FBF00208FB1001C8FB0001824020C80F5
62972+:1039000027BD002803E00008AF42002427BDFFE8E0
62973+:10391000AFB00010AFBF001427430100946200084D
62974+:103920000002140000021403044100020000802180
62975+:103930002410000194620008304200801040001AF8
62976+:10394000020010219462000830422000104000164E
62977+:10395000020010218C6300183C021C2D344219ED2A
62978+:10396000240600061062000F3C0760213C0208009C
62979+:103970008C4200D4104000078F8200288F830028DB
62980+:10398000906200623042000F34420040A062006248
62981+:103990008F8200288F840034944500D40E000AF1F1
62982+:1039A00030A5FFFF020010218FBF00148FB0001060
62983+:1039B00003E0000827BD001827BDFFE0AFB10014E9
62984+:1039C000AFB00010A380002CAFBF00188F450100DE
62985+:1039D0003C0308008C6300E02402FF80AF850034C4
62986+:1039E00000A318213064007F0344202100621824C2
62987+:1039F0003C02000A00822021AF430024275001002E
62988+:103A00008E0200148C8300DCAF8400280043102356
62989+:103A100018400004000088218E0200140E000A8461
62990+:103A2000AC8200DC9202000B24030002304200FF53
62991+:103A30001443002F0000000096020008304300FFEE
62992+:103A40002402008214620005240200840E00093E54
62993+:103A5000000000000A000E97000000001462000938
62994+:103A6000240200818F8200288F8400343C0760216B
62995+:103A7000944500D49206000530A5FFFF0A000E868B
62996+:103A800030C600FF14620027000000009202000A06
62997+:103A9000304300FF306200201040000430620040DC
62998+:103AA0008F8400340A000E82240600401040000477
62999+:103AB000000316008F8400340A000E8224060041A1
63000+:103AC00000021603044100178F84003424060042CC
63001+:103AD0008F8200283C076019944500D430A5FFFF71
63002+:103AE0000E000AF1000000000A000E97000000001E
63003+:103AF0009202000B24030016304200FF1043000620
63004+:103B0000000000009202000B24030017304200FF67
63005+:103B100014430004000000000E000E11000000001D
63006+:103B2000004088210E000B68000000009202000A8D
63007+:103B3000304200081040000624020C808F850028C7
63008+:103B40003C0400080E0011EE0344202124020C80E6
63009+:103B5000AF4200248FBF0018022010218FB0001048
63010+:103B60008FB1001403E0000827BD002027BDFFE847
63011+:103B7000AFBF0014AFB000108F5000243C0308000A
63012+:103B80008C6300E08F4501002402FF8000A3182110
63013+:103B90003064007F03442021006218243C02000AA4
63014+:103BA00000822021AF850034AF4300249082006260
63015+:103BB000AF8400283042000F34420050A0820062DF
63016+:103BC0003C02001F3442FF800E00062602028024C1
63017+:103BD000AF5000248FBF00148FB0001003E0000826
63018+:103BE00027BD00183C0208008C4200201040001D38
63019+:103BF0002745010090A300093C0200080342202150
63020+:103C000024020018546200033C0200080A000ED887
63021+:103C10002402000803422021240200161462000539
63022+:103C20002402001724020012A082003F0A000EE2C4
63023+:103C300094A700085462000694A700089362000548
63024+:103C40002403FFFE00431024A362000594A700088C
63025+:103C500090A6001B8CA4000094A500060A000ACCC4
63026+:103C600000073C0003E000080000000027440100BA
63027+:103C700094820008304500FF38A3008238A20084F7
63028+:103C80002C6300012C420001006218251060000620
63029+:103C9000240200839382002D1040000D00000000DC
63030+:103CA0000A000B9B0000000014A2000524A2FF8064
63031+:103CB0008F4301043C02602003E00008AC43001481
63032+:103CC000304200FF2C420002104000032402002278
63033+:103CD0000A000E3C0000000014A2000300000000D7
63034+:103CE0000A000EA9000000000A000EC70000000034
63035+:103CF0009363007E9362007A144300090000202140
63036+:103D00009362000024030050304200FF144300047B
63037+:103D1000240400019362007E24420001A362007E1D
63038+:103D200003E00008008010218F4201F80440FFFEEC
63039+:103D300024020002AF4401C0A34201C43C021000AF
63040+:103D400003E00008AF4201F827BDFFE8AFBF001055
63041+:103D50009362003F2403000A304200FF14430046F0
63042+:103D6000000000008F6300548F62004C1062007DE1
63043+:103D7000036030219362000024030050304200FFB2
63044+:103D80001443002F000000008F4401403C02080053
63045+:103D90008C4200E02403FF800082102100431024A5
63046+:103DA000AF4200243C0208008C4200E08F650054C2
63047+:103DB0003C03000A008220213084007F034410214C
63048+:103DC00000431021AC4501089762003C8F63004C12
63049+:103DD0003042FFFF0002104000621821AF63005C18
63050+:103DE0008F6300548F64004C9762003C006418237A
63051+:103DF0003042FFFF00031843000210400043102A26
63052+:103E000010400006000000008F6200548F63004CD9
63053+:103E1000004310230A000F58000210439762003C31
63054+:103E20003042FFFF00021040ACC2006424020001D7
63055+:103E3000A0C0007CA0C2008424020C80AF420024F9
63056+:103E40000E000F0A8F440140104000478FBF001042
63057+:103E50008F4301408F4201F80440FFFE240200021C
63058+:103E6000AF4301C0A34201C43C021000AF4201F8BD
63059+:103E70000A000FA88FBF00109362003F24030010B8
63060+:103E8000304200FF14430004000000008F44014052
63061+:103E90000A000F94000028219362003F24030016BB
63062+:103EA000304200FF1443000424020014A362003FC8
63063+:103EB0000A000FA2000000008F62004C8F630050C8
63064+:103EC00000431023044100288FBF0010936200813B
63065+:103ED00024420001A3620081936200812C4200040D
63066+:103EE00014400010000000009362003F240300040F
63067+:103EF000304200FF14430006000000008F440140E0
63068+:103F00008FBF0010240500930A0005A027BD0018EC
63069+:103F10008F440140240500938FBF00100A00060F54
63070+:103F200027BD00188F4401400E0002500000000021
63071+:103F30008F6200542442FFFFAF6200548F62005032
63072+:103F40002442FFFFAF6200500E0002598F4401402F
63073+:103F50008F4401408FBF0010240500040A00025E58
63074+:103F600027BD00188FBF001003E0000827BD001810
63075+:103F70008F4201889363007E00021402304400FFE8
63076+:103F8000306300FF1464000D0000000093620080A5
63077+:103F9000304200FF1044000900000000A3640080CC
63078+:103FA0009362000024030050304200FF14430004D9
63079+:103FB000000000000A0006D78F440180A36400803F
63080+:103FC00003E000080000000027BDFFE8AFB00010CC
63081+:103FD000AFBF00149362000524030030304200306C
63082+:103FE00014430089008080213C0208008C4200209C
63083+:103FF00010400080020020210E0004930000000009
63084+:104000008F850020ACB000009362003E9363003FB8
63085+:10401000304200FF00021200306300FF0043102511
63086+:10402000ACA2000493620082000216000002160394
63087+:1040300004410005000000003C0308008C630048B8
63088+:104040000A000FE6000000009362003E304200408C
63089+:10405000144000030000182193620081304300FFE8
63090+:104060009362008200031E00304200FF0002140031
63091+:1040700000621825ACA300088F620040ACA2000CBF
63092+:104080008F620048ACA200108F62004CACA20014FA
63093+:104090008F6200508F63004C0043102304410003E3
63094+:1040A000000000000A000FFA8F62004C8F6200507F
63095+:1040B000ACA200183C02080094424B5E3C03C00BCB
63096+:1040C00000002021004310250E0004B8ACA2001C03
63097+:1040D0008F6200548F840020AC8200008F620058F1
63098+:1040E000AC8200048F62005CAC8200088F620060CA
63099+:1040F0008F43007400431021AC82000C8F62006477
63100+:10410000AC820010976300689762006A00031C008D
63101+:104110003042FFFF00621825AC83001493620082D6
63102+:1041200024030080304200FF14430003000000001D
63103+:104130000A00102EAC8000188F63000C24020001CE
63104+:104140001062000E2402FFFF9362003E30420040E6
63105+:104150001440000A2402FFFF8F63000C8F4200749A
63106+:10416000006218233C020800006210241440000280
63107+:10417000000028210060282100051043AC820018AF
63108+:104180003C02080094424B5E3C03C00C000020211E
63109+:10419000004310258F8300200E0004B8AC62001C81
63110+:1041A0008F6200188F8300203C05080094A54B5EA9
63111+:1041B00024040001AC620000AC6000048F66006C57
63112+:1041C0003C02400D00A22825AC6600088F6200DC8E
63113+:1041D000AC62000CAC600010936200050002160097
63114+:1041E000AC620014AC6000180E0004B8AC65001C92
63115+:1041F000020020218FBF00148FB00010A3600005C3
63116+:104200000A00042127BD00188FBF00148FB00010D2
63117+:1042100003E0000827BD00189742007C30C600FF6D
63118+:10422000A08600843047FFFF2402000514C2000B63
63119+:1042300024E3465090A201122C42000710400007D0
63120+:1042400024E30A0090A30112240200140062100467
63121+:1042500000E210210A0010663047FFFF3067FFFFC1
63122+:1042600003E00008A4870014AC87004C8CA201086E
63123+:104270000080402100A0482100E2102330C600FF4A
63124+:104280001840000393AA001324E2FFFCACA201082B
63125+:1042900030C2000110400008000000008D020050F4
63126+:1042A00000E2102304410013240600058D0200548F
63127+:1042B00010E20010000000008D02005414E2001A09
63128+:1042C000000000003C0208008C4200D83042002070
63129+:1042D0001040000A2402000191030078910200833B
63130+:1042E000144300062402000101002021012028219E
63131+:1042F000240600040A00105400000000A1000084FD
63132+:1043000011400009A50200148F4301008F4201F8FB
63133+:104310000440FFFE24020002AF4301C0A34201C4D7
63134+:104320003C021000AF4201F803E00008000000006A
63135+:1043300027BDFFE88FA90028AFBF001000804021F3
63136+:1043400000E918231860007330C600FFA080007CCD
63137+:10435000A08000818CA2010800E210230440004DDF
63138+:10436000000000008C8200509483003C8C84006428
63139+:10437000004748233063FFFF012318210083202BCF
63140+:1043800010800004000000008D0200640A0010B7D5
63141+:1043900000E210219502003C3042FFFF0122102173
63142+:1043A00000E21021AD02005C9502003C8D03005C30
63143+:1043B0003042FFFF0002104000E210210043102BAA
63144+:1043C00010400003000000000A0010C68D02005CCF
63145+:1043D0009502003C3042FFFF0002104000E2102135
63146+:1043E000AD02005CA1000084AD07004C8CA2010866
63147+:1043F00000E210231840000224E2FFFCACA20108F6
63148+:1044000030C200011040000A000000008D02005080
63149+:1044100000E2102304410004010020218D02005419
63150+:1044200014E20003000000000A0010E82406000562
63151+:104430008D02005414E200478FBF00103C020800B8
63152+:104440008C4200D8304200201040000A24020001B3
63153+:1044500091030078910200831443000624020001B6
63154+:1044600001002021240600048FBF00100A00105410
63155+:1044700027BD0018A1000084A50200148F4301008D
63156+:104480008F4201F80440FFFE240200020A00110DD1
63157+:10449000000000008C82005C004910230043102BB8
63158+:1044A00054400001AC87005C9502003C3042FFFFA5
63159+:1044B0000062102B14400007240200029502003C09
63160+:1044C0008D03005C3042FFFF00621821AD03005CE9
63161+:1044D00024020002AD07004CA10200840E000F0A66
63162+:1044E0008F4401001040001B8FBF00108F4301005C
63163+:1044F0008F4201F80440FFFE24020002AF4301C0D6
63164+:10450000A34201C43C021000AF4201F80A0011238B
63165+:104510008FBF001030C200101040000E8FBF00107F
63166+:104520008C83005C9482003C006918233042FFFFBA
63167+:10453000006218213C023FFF3444FFFF0083102B30
63168+:10454000544000010080182101231021AD02005CBD
63169+:104550008FBF001003E0000827BD001827BDFFE84B
63170+:104560008FAA0028AFBF00100080402100EA482336
63171+:104570001920002130C600FF8C83005C8C8200640F
63172+:10458000006A18230043102B5040001000691821C6
63173+:1045900094A2011001221021A4A2011094A20110E2
63174+:1045A0003042FFFF0043102B1440000A3C023FFF43
63175+:1045B00094A2011000431023A4A201109482003C95
63176+:1045C0003042FFFF0A00114200621821A4A001102E
63177+:1045D0003C023FFF3444FFFF0083102B5440000196
63178+:1045E0000080182100671021AD02005CA100007C52
63179+:1045F0000A00118AA100008130C200101040003C66
63180+:10460000000000008C820050004A1023184000383F
63181+:10461000000000009082007C24420001A082007C07
63182+:104620009082007C3C0308008C630024304200FF31
63183+:104630000043102B1440005C8FBF00108CA20108B7
63184+:1046400000E2102318400058000000008C83005442
63185+:104650009482003C006A18233042FFFF0003184395
63186+:10466000000210400043102A104000050000000026
63187+:104670008C820054004A10230A001171000210437A
63188+:104680009482003C3042FFFF00021040AD02006403
63189+:104690009502003C8D0400649503003C3042FFFF0E
63190+:1046A00000021040008220213063FFFF00831821A8
63191+:1046B00001431021AD02005C8D020054ACA2010840
63192+:1046C00024020002A10200840E000F0A8F440100A0
63193+:1046D000104000358FBF00108F4301008F4201F85A
63194+:1046E0000440FFFE240200020A0011B30000000093
63195+:1046F000AD07004C8CA2010800E210231840000214
63196+:1047000024E2FFFCACA2010830C200011040000A04
63197+:10471000000000008D02005000E21023044100045C
63198+:10472000010020218D02005414E20003000000006B
63199+:104730000A0011AA240600058D02005414E2001A92
63200+:104740008FBF00103C0208008C4200D8304200208D
63201+:104750001040000A240200019103007891020083B6
63202+:104760001443000624020001010020212406000455
63203+:104770008FBF00100A00105427BD0018A10000844C
63204+:10478000A50200148F4301008F4201F80440FFFE90
63205+:1047900024020002AF4301C0A34201C43C02100046
63206+:1047A000AF4201F88FBF001003E0000827BD0018DA
63207+:1047B0008FAA00108C8200500080402130C600FF7C
63208+:1047C000004A102300A048211840000700E01821EB
63209+:1047D00024020001A0800084A0A00112A482001481
63210+:1047E0000A001125AFAA0010A0800081AD07004C7F
63211+:1047F0008CA2010800E210231840000224E2FFFC12
63212+:10480000ACA2010830C20001104000080000000006
63213+:104810008D0200500062102304410013240600059D
63214+:104820008D02005410620010000000008D02005440
63215+:1048300014620011000000003C0208008C4200D805
63216+:10484000304200201040000A240200019103007849
63217+:10485000910200831443000624020001010020217C
63218+:1048600001202821240600040A0010540000000042
63219+:10487000A1000084A502001403E00008000000006D
63220+:1048800027BDFFE0AFBF0018274201009046000A95
63221+:104890008C4800148C8B004C9082008430C900FF3F
63222+:1048A00001681823304A00FF1C60001A2D460006DC
63223+:1048B000240200010142100410C00016304300031E
63224+:1048C000012030210100382114600007304C000C19
63225+:1048D00015800009304200301440000B8FBF0018D3
63226+:1048E0000A001214000000000E001125AFAB0010EA
63227+:1048F0000A0012148FBF00180E00109AAFAB001000
63228+:104900000A0012148FBF0018AFAB00100E0011BACE
63229+:10491000AFAA00148FBF001803E0000827BD0020D5
63230+:1049200024020003A08200848C82005403E000086B
63231+:10493000ACA201083C0200080342182190620081E9
63232+:10494000240600433C07601924420001A062008154
63233+:10495000906300813C0208008C4200C0306300FF7D
63234+:10496000146200102403FF803C0208008C4200E027
63235+:104970000082102100431024AF4200243C020800B2
63236+:104980008C4200E03C03000A008210213042007F8C
63237+:104990000342102100431021944500D40A000AF17B
63238+:1049A00030A5FFFF03E000080000000027BDFFE086
63239+:1049B000AFBF0018AFB10014AFB000108F4201803C
63240+:1049C0000080802100A088210E00121B00402021C1
63241+:1049D000A20000848E0200548FBF00188FB0001018
63242+:1049E000AE2201088FB1001403E0000827BD0020AB
63243+:1049F00027BDFFE03C020008AFB00010AFBF0018B9
63244+:104A0000AFB10014034280218F5101409203008412
63245+:104A10008E0400508E02004C14820040306600FF6D
63246+:104A20003C0208008C4200E02403FF800222102197
63247+:104A300000431024AF4200243C0208008C4200E0F6
63248+:104A40009744007C92050081022210213042007FB1
63249+:104A5000034218213C02000A0062182114A0000B36
63250+:104A60003084FFFF2402000554C20014248205DCB8
63251+:104A70009062011224420001A062011224020C8003
63252+:104A8000AF4200240A00127324020005A060011244
63253+:104A90002402000514C20009248205DC9202008170
63254+:104AA0002C4200075040000524820A009203008136
63255+:104AB0002402001400621004008210213044FFFF21
63256+:104AC000A60400140E00121B022020219602003CB6
63257+:104AD0008E03004C022020213042FFFF00021040D4
63258+:104AE000006218210E000250AE03005C9202007DAD
63259+:104AF00002202021344200400E000259A202007D13
63260+:104B00008F4201F80440FFFE24020002AF5101C0B1
63261+:104B1000A34201C43C021000AF4201F88FBF00184D
63262+:104B20008FB100148FB0001003E0000827BD0020F3
63263+:104B300008000ACC08000B1408000B9808000BE4CE
63264+:104B400008000C200A0000280000000000000000FF
63265+:104B50000000000D6370362E322E3300000000007E
63266+:104B60000602030400000000000000000000000036
63267+:104B70000000000000000000000000000000000035
63268+:104B80000000000000000000000000000000002005
63269+:104B90000000000000000000000000000000000015
63270+:104BA0000000000000000000000000000000000005
63271+:104BB00000000000000000000000000000000001F4
63272+:104BC0000000002B000000000000000400030D4066
63273+:104BD00000000000000000000000000000000000D5
63274+:104BE00000000000000000001000000300000000B2
63275+:104BF0000000000D0000000D3C020800244258A4F3
63276+:104C00003C03080024635F70AC4000000043202B8D
63277+:104C10001480FFFD244200043C1D080037BD7FFCCA
63278+:104C200003A0F0213C100800261000A03C1C080046
63279+:104C3000279C58A40E0001AC000000000000000DED
63280+:104C400027BDFFE83C096018AFBF00108D2C500055
63281+:104C5000240DFF7F24080031018D5824356A380C5B
63282+:104C600024070C003C1A8000AD2A50003C04800A46
63283+:104C7000AF4800083C1B8008AF4700240E00091510
63284+:104C8000AF8400100E0008D8000000000E000825B8
63285+:104C9000000000000E001252000000003C046016EC
63286+:104CA0008C8500003C06FFFF3C02535300A61824ED
63287+:104CB0001062004734867C0094C201F2A780002C69
63288+:104CC00010400003A78000CC38581E1EA798002C67
63289+:104CD00094C201F810400004978300CC38591E1E7E
63290+:104CE000A79900CC978300CC2C7F006753E000018C
63291+:104CF000240300669784002C2C82040114400002D7
63292+:104D000000602821240404003C0760008CE904387A
63293+:104D10002403103C3128FFFF1103001F30B9FFFFAF
63294+:104D200057200010A38000CE24020050A38200CEA2
63295+:104D3000939F00CE53E0000FA78500CCA78000CC46
63296+:104D4000978500CC8FBF0010A780002CA78000346F
63297+:104D5000A78000E63C010800AC25008003E00008C5
63298+:104D600027BD0018939F00CE57E0FFF5A78000CC29
63299+:104D7000A78500CC978500CC8FBF0010A784002C9E
63300+:104D8000A7800034A78000E63C010800AC25008025
63301+:104D900003E0000827BD0018A38000CE8CCB003CA8
63302+:104DA000316A00011140000E0000000030A7FFFF33
63303+:104DB00010E0FFDE240200508CCC00C831860001D8
63304+:104DC00014C0FFDC939F00CE0A00007A2402005139
63305+:104DD0008C8F00043C0E60000A00005D01EE302163
63306+:104DE0008CEF0808240D5708000F740211CD000441
63307+:104DF00030B8FFFF240500660A00007B240404008D
63308+:104E00001700FFCC939F00CE0A00007A24020050C6
63309+:104E10008F8600103089FFFF000939408CC30010D5
63310+:104E20003C08005000E82025AF4300388CC5001432
63311+:104E300027420400AF82001CAF45003CAF44003065
63312+:104E40000000000000000000000000000000000062
63313+:104E50000000000000000000000000000000000052
63314+:104E60008F4B0000316A00201140FFFD0000000060
63315+:104E700003E00008000000008F840010948A001AEC
63316+:104E80008C8700243149FFFF000940C000E8302131
63317+:104E9000AF46003C8C8500248F43003C00A31023C8
63318+:104EA00018400029000000008C8B002025620001C2
63319+:104EB0003C0D005035AC0008AF420038AF4C00301C
63320+:104EC00000000000000000000000000000000000E2
63321+:104ED00000000000000000000000000000000000D2
63322+:104EE0008F4F000031EE002011C0FFFD00000000D8
63323+:104EF0008F4A04003C080020AC8A00108F4904044B
63324+:104F0000AC890014AF4800300000000094860018FF
63325+:104F10009487001C00C71821A48300189485001AE8
63326+:104F200024A20001A482001A9498001A9499001EE9
63327+:104F3000133800030000000003E000080000000038
63328+:104F400003E00008A480001A8C8200200A0000DC24
63329+:104F50003C0D00500A0000CD000000003C0308009A
63330+:104F60008C6300208F82001827BDFFE810620008C4
63331+:104F7000AFBF00100E000104AF8300183C0308000F
63332+:104F80008C63002024040001106400048F89001049
63333+:104F90008FBF001003E0000827BD00188FBF00106E
63334+:104FA0003C076012A520000A9528000A34E500108D
63335+:104FB00027BD00183106FFFF03E00008ACA60090F3
63336+:104FC0003C0208008C42002027BDFFC8AFBF003460
63337+:104FD000AFBE0030AFB7002CAFB60028AFB500248D
63338+:104FE000AFB40020AFB3001CAFB20018AFB10014D3
63339+:104FF00010400050AFB000108F840010948600065F
63340+:105000009483000A00C3282330B6FFFF12C0004A71
63341+:105010008FBF003494890018948A000A012A402323
63342+:105020003102FFFF02C2382B14E0000202C020212F
63343+:10503000004020212C8C0005158000020080A0215A
63344+:10504000241400040E0000B3028020218F8700107A
63345+:1050500002809821AF80001494ED000A028088211C
63346+:105060001280004E31B2FFFF3C1770003C1540002B
63347+:105070003C1E60008F8F001C8DEE000001D71824AD
63348+:10508000507500500220202102A3802B160000350D
63349+:105090003C182000507800470220202124100001F5
63350+:1050A0008F83001414600039029158230230F823D2
63351+:1050B0000250C82133F1FFFF1620FFEE3332FFFF0D
63352+:1050C0008F8700103C110020AF510030000000001D
63353+:1050D00094E6000A3C1E601237D5001002662821B3
63354+:1050E000A4E5000A94E2000A94F2000A94F400187D
63355+:1050F0003057FFFF1292003BAEB700908CED0014CA
63356+:105100008CE400100013714001AE4021000E5FC31B
63357+:10511000010E502B008B4821012A1821ACE8001405
63358+:10512000ACE3001002D3382330F6FFFF16C0FFB9FE
63359+:105130008F8400108FBF00348FBE00308FB7002CDB
63360+:105140008FB600288FB500248FB400208FB3001CC9
63361+:105150008FB200188FB100148FB0001003E0000868
63362+:1051600027BD0038107E001B000000001477FFCC24
63363+:10517000241000010E00159B000000008F83001416
63364+:105180001060FFCB0230F823029158238F87001064
63365+:10519000017020210A0001973093FFFF8F830014D4
63366+:1051A0001460FFCB3C110020AF5100300A000163B6
63367+:1051B000000000000E00077D024028210A00015770
63368+:1051C000004080210E00033A024028210A000157C6
63369+:1051D000004080210E001463022020210A000157A4
63370+:1051E000004080210E0000CD000000000A0001797F
63371+:1051F00002D3382327BDFFE8AFB00010AFBF0014C3
63372+:105200000E00003F000000003C028000345000709F
63373+:105210000A0001BA8E0600008F4F000039EE00012F
63374+:1052200031C20001104000248F8600A88E070000C4
63375+:105230003C0C08008D8C003C3C0908008D2900388E
63376+:1052400000E66823018D28210000502100AD302B9D
63377+:10525000012A4021010620213C010800AC25003C28
63378+:10526000AF8700A83C010800AC2400380E000106FE
63379+:10527000000000003C0308008C6300701060FFE633
63380+:10528000006020213C0508008CA500683C06080051
63381+:105290008CC6006C0E00152A000000003C010800BE
63382+:1052A000AC2000708F4F000039EE000131C20001C8
63383+:1052B0001440FFDE8F8600A88E0A00008F8B00A8A6
63384+:1052C0003C0508008CA5003C3C0408008C84003898
63385+:1052D000014B482300A938210082182100E9402B06
63386+:1052E000006810213C010800AC27003C3C0108008C
63387+:1052F000AC2200388F5F01002419FF0024180C0035
63388+:1053000003F9202410980012AF840000AF4400205D
63389+:10531000936D0000240C002031A600FF10CC001279
63390+:10532000240E005010CE00043C194000AF59013843
63391+:105330000A0001B3000000000E0011C800000000C8
63392+:105340003C194000AF5901380A0001B300000000C9
63393+:105350000E00011F000000003C194000AF59013849
63394+:105360000A0001B3000000008F58010000802821CE
63395+:10537000330F00FF01E020210E0002F1AF8F000487
63396+:105380003C194000AF5901380A0001B30000000089
63397+:1053900000A4102B2403000110400009000030215C
63398+:1053A0000005284000A4102B04A0000300031840AF
63399+:1053B0005440FFFC000528405060000A0004182BF0
63400+:1053C0000085382B54E000040003184200C3302548
63401+:1053D00000852023000318421460FFF900052842CD
63402+:1053E0000004182B03E0000800C310218F4201B80D
63403+:1053F0000440FFFE00000000AF4401803C031000A9
63404+:1054000024040040AF450184A3440188A3460189D8
63405+:10541000A747018A03E00008AF4301B83084FFFFCB
63406+:105420000080382130A5FFFF000020210A00022A59
63407+:10543000240600803087FFFF8CA40000240600387B
63408+:105440000A00022A000028218F8300388F8600304E
63409+:105450001066000B008040213C07080024E75A1822
63410+:10546000000328C000A710218C4400002463000121
63411+:10547000108800053063000F5466FFFA000328C04F
63412+:1054800003E00008000010213C07080024E75A1C34
63413+:1054900000A7302103E000088CC200003C0390000C
63414+:1054A0003462000100822025AF4400208F45002097
63415+:1054B00004A0FFFE0000000003E000080000000060
63416+:1054C0003C038000346200010082202503E00008D4
63417+:1054D000AF44002027BDFFE0AFB100143091FFFFC3
63418+:1054E000AFB00010AFBF00181220001300A0802141
63419+:1054F0008CA2000024040002240601401040000F8A
63420+:10550000004028210E000C5C00000000000010216B
63421+:10551000AE000000022038218FBF00188FB10014A8
63422+:105520008FB0001000402021000028210000302111
63423+:105530000A00022A27BD00208CA200000220382188
63424+:105540008FBF00188FB100148FB0001000402021D1
63425+:1055500000002821000030210A00022A27BD002077
63426+:1055600000A010213087FFFF8CA500048C440000B0
63427+:105570000A00022A2406000627BDFFE0AFB0001093
63428+:10558000AFBF0018AFB100149363003E00808021CC
63429+:105590000080282130620040000020211040000FD0
63430+:1055A0008E1100000E000851022020219367000098
63431+:1055B0002404005030E500FF50A400128E0F0000BC
63432+:1055C000022020218FBF00188FB100148FB000106F
63433+:1055D000A762013C0A00091127BD00200E000287C6
63434+:1055E000000000000E0008510220202193670000F7
63435+:1055F0002404005030E500FF14A4FFF20220202113
63436+:105600008E0F00003C1008008E1000503C0D000C66
63437+:10561000240BFF8001F05021314E007F01DA602120
63438+:10562000018D4021014B4824AF4900280220202150
63439+:105630008FBF00188FB100148FB00010A50200D6E4
63440+:1056400027BD00200A000911AF8800D027BDFFE068
63441+:10565000AFBF0018AFB10014AFB0001093660001E7
63442+:10566000008080210E00025630D1000493640005B2
63443+:10567000001029C2A765000034830040A363000521
63444+:105680000E00025F020020210E00091302002021FB
63445+:1056900024020001AF62000C02002821A762001062
63446+:1056A00024040002A762001224060140A76200142D
63447+:1056B0000E000C5CA76200161620000F8FBF0018AA
63448+:1056C000978C00343C0B08008D6B00782588FFFF19
63449+:1056D0003109FFFF256A0001012A382B10E000067E
63450+:1056E000A78800343C0F6006240E001635ED00102C
63451+:1056F000ADAE00508FBF00188FB100148FB00010F6
63452+:1057000003E0000827BD002027BDFFE0AFB1001473
63453+:10571000AFBF0018AFB0001000A088211080000AB1
63454+:105720003C03600024020080108200120000000090
63455+:105730000000000D8FBF00188FB100148FB0001053
63456+:1057400003E0000827BD00208C682BF80500FFFE51
63457+:1057500000000000AC712BC08FBF00188FB1001487
63458+:105760008FB000103C09100027BD002003E00008A6
63459+:10577000AC692BF80E00025600A0202193650005AD
63460+:10578000022020210E00025F30B000FF2403003E03
63461+:105790001603FFE7000000008F4401780480FFFE3D
63462+:1057A000240700073C061000AF51014002202021D1
63463+:1057B000A34701448FBF00188FB100148FB00010B1
63464+:1057C000AF4601780A0002C227BD002027BDFFE8CE
63465+:1057D000AFBF0014AFB000108F50002000000000D9
63466+:1057E0000E000913AF440020AF5000208FBF0014FB
63467+:1057F0008FB0001003E0000827BD00183084FFFFC1
63468+:10580000008038212406003500A020210A00022A49
63469+:10581000000028213084FFFF008038212406003654
63470+:1058200000A020210A00022A0000282127BDFFD065
63471+:10583000AFB3001C3093FFFFAFB50024AFB2001828
63472+:10584000AFBF0028AFB40020AFB10014AFB000105C
63473+:1058500030B5FFFF12600027000090218F90001CE0
63474+:105860008E0300003C0680002402004000033E023C
63475+:1058700000032C0230E4007F006688241482001D9F
63476+:1058800030A500FF8F8300282C68000A510000100B
63477+:105890008F910014000358803C0C0800258C56940E
63478+:1058A000016C50218D49000001200008000000001B
63479+:1058B00002B210213045FFFF0E000236240400849E
63480+:1058C000162000028F90001CAF8000288F910014DA
63481+:1058D000260C002026430001018080213072FFFF4A
63482+:1058E00016200004AF8C001C0253502B1540FFDC27
63483+:1058F00000000000024010218FBF00288FB5002457
63484+:105900008FB400208FB3001C8FB200188FB1001429
63485+:105910008FB0001003E0000827BD0030240E0034D3
63486+:1059200014AE00F9000000009203000E241F168040
63487+:105930003C07000CA36300219202000D0347C8211D
63488+:105940003C066000A3620020961100123C0A7FFF13
63489+:10595000354CFFFFA771003C960B00102403000597
63490+:105960003168FFFFAF6800848E05001CAF5F002820
63491+:105970008F3800008CC4444803057826008F3021FE
63492+:10598000AF66004C8F69004C24CE00013C057F00BF
63493+:10599000AF6900508F740050AF740054AF66007050
63494+:1059A000AF6E00588F6D005824140050AF6D005C2E
63495+:1059B000A3600023AF6C0064A36300378E02001461
63496+:1059C000AF6200488F710048AF7100248E0B001841
63497+:1059D000AF6B006C9208000CA3680036937F003E0A
63498+:1059E00037F90020A379003E8F78007403058024E6
63499+:1059F000360F4000AF6F007493640000308900FFE1
63500+:105A0000513402452404FF803C04080024845A9841
63501+:105A10000E00028D000000003C1008008E105A9805
63502+:105A20000E00025602002021240600042407000173
63503+:105A3000A366007D020020210E00025FA36700051F
63504+:105A40008F5F017807E0FFFE240B0002AF5001409A
63505+:105A5000A34B01448F90001C3C081000AF48017814
63506+:105A60000A000362AF8000282CAD003751A0FF98D8
63507+:105A70008F9100140005A0803C180800271856BC20
63508+:105A8000029878218DEE000001C00008000000009F
63509+:105A90002418000614B80011000000003C0808009B
63510+:105AA0008D085A9824040005AF4800208E1F001866
63511+:105AB000AF7F00188F79004CAF79001C8F650050C4
63512+:105AC000122000C0AF6500700A000362AF84002896
63513+:105AD0002406000710A60083240300063C050800E6
63514+:105AE00024A55A980E000264240400818F90001CA3
63515+:105AF0000011102B0A000362AF8200282407000463
63516+:105B000014A7FFF6240500503C1808008F185A9877
63517+:105B1000AF5800208E0F0008AF6F00408E090008BC
63518+:105B2000AF6900448E14000CAF7400488E0E001054
63519+:105B3000AF6E004C8E0D0010AF6D00848E0A001405
63520+:105B4000AF6A00508E0C0018AF6C00548E04001C1D
63521+:105B5000AF64005893630000306B00FF116501D8FB
63522+:105B6000000000008F7400488F6900400289702394
63523+:105B700005C000042404008C1620FFDE240200036C
63524+:105B8000240400823C05080024A55A980E000287D0
63525+:105B9000000000008F90001C000010210A0003622A
63526+:105BA000AF820028240F000514AFFFCC240520008D
63527+:105BB0003C0708008CE75A98AF4700208E06000487
63528+:105BC000AF66005C9208000824100008A36800215A
63529+:105BD0008F9F001C93F90009A37900208F86001C79
63530+:105BE00090D8000A330400FF10900011000000005C
63531+:105BF0002885000914A0006924020002240A00205C
63532+:105C0000108A000B34058000288D002115A00008A3
63533+:105C100024054000240E0040108E00053C050001C4
63534+:105C200024140080109400023C050002240540006A
63535+:105C30008F7800743C19FF00031980240205782531
63536+:105C4000AF6F007490C4000BA36400818F84001CAC
63537+:105C50009489000C11200192000000009490000C27
63538+:105C60002406FFBF24050004A770003C908F000E9F
63539+:105C7000A36F003E8F84001C9089000FA369003F32
63540+:105C80008F8B001C8D6E00108F54007401D468231C
63541+:105C9000AF6D00608D6A0014AF6A0064956C0018E7
63542+:105CA000A76C00689563001AA763006A8D62001CE8
63543+:105CB000AF62006C9167000EA367003E9368003EE0
63544+:105CC0000106F8241220014BA37F003E8F90001C98
63545+:105CD0000A000362AF8500282407002214A7FF7F73
63546+:105CE000240300073C0B08008D6B5A981220000C0F
63547+:105CF000AF4B00200A000362AF830028240C00335E
63548+:105D000010AC0014240A00283C05080024A55A9869
63549+:105D10000E00023C240400810A0003EB8F90001C5B
63550+:105D20003C04080024845A980E00028D00000000F4
63551+:105D30009363000024110050306200FF10510135C0
63552+:105D4000000000008F90001C000018210A00036270
63553+:105D5000AF8300283C0D08008DAD5A9824040081C3
63554+:105D6000AF4D00203C05080024A55A980E00023CC7
63555+:105D7000A36A00348F90001C240200090A00036209
63556+:105D8000AF82002802B288213225FFFF0E000236C2
63557+:105D9000240400840A0003628F90001C1082FFA478
63558+:105DA00024050400288B000311600170240C0004FA
63559+:105DB000240300015483FF9E240540000A00043B95
63560+:105DC000240501003C04080024845A988F62004C8A
63561+:105DD0000E00028D8F6300508F90001C0000202168
63562+:105DE0000A000362AF8400288E1000042404008A95
63563+:105DF000AF50002093790005333800021700015F8F
63564+:105E0000020028219368002302002821311F00206E
63565+:105E100017E0015A2404008D9367003F2406001206
63566+:105E200030E200FF10460155240400810E000256A6
63567+:105E30000200202193630023240500040200202196
63568+:105E4000346B0042A36B00230E00025FA365007D4C
63569+:105E50008F4401780480FFFE240A0002AF50014005
63570+:105E6000A34A01448F90001C3C0C1000AF4C0178F9
63571+:105E70000A0003EC0011102B8E1000042404008A89
63572+:105E8000AF500020936E000531CD000215A0001622
63573+:105E900002002821936F003F2414000402002821EF
63574+:105EA00031E900FF11340010240400810E00025675
63575+:105EB000020020219362002324080012241FFFFE09
63576+:105EC00034460020A3660023A368003F93790005B1
63577+:105ED00002002021033FC0240E00025FA3780005CA
63578+:105EE00002002821000020210E00033400000000E1
63579+:105EF0000A0003EB8F90001C8E1000043C03000886
63580+:105F00000343A021AF500020928B000024050050D5
63581+:105F1000316400FF10850161240700880200202100
63582+:105F2000000028210E00022A2406000E928D000097
63583+:105F3000240EFF800200282101AE8025A2900000DF
63584+:105F4000240400040E000C5C240600300A0003EB5D
63585+:105F50008F90001C8E0800043C14080026945A9868
63586+:105F60003C010800AC285A98AF480020921F00035B
63587+:105F700033F9000413200002240200122402000658
63588+:105F8000A362003F920B001B2404FFC03165003F59
63589+:105F900000A43825A367003E9206000330C200012A
63590+:105FA00014400132000000008E020008AE8200089A
63591+:105FB0003C0208008C425AA010400131000249C244
63592+:105FC000A76900088E14000C240C0001240300149F
63593+:105FD000AF74002C8E0E0010AF6E0030960D0016C0
63594+:105FE000A76D0038960A0014A76A003AAF6C000C3F
63595+:105FF000A76C0010A76C0012A76C0014A76C001609
63596+:1060000012200136A3630034920F000331F0000226
63597+:106010002E1100018F90001C262200080A00036246
63598+:10602000AF8200288E0400043C0E0008034E30218D
63599+:10603000AF4400208E05000890CD0000240C0050D5
63600+:1060400031AA00FF114C00862407008824060009AD
63601+:106050000E00022A000000000A0003EB8F90001CD3
63602+:106060008E04001C0E00024100000000104000F4ED
63603+:10607000004050218F89001C240700890140202105
63604+:106080008D25001C240600010E00022A00000000DD
63605+:106090000A0003EB8F90001C960D00023C140800D0
63606+:1060A00026945A9831AA0004514000B83C10600070
63607+:1060B0008E0E001C3C010800AC2E5A98AF4E0020FA
63608+:1060C000920700102408001430E200FF144800D6A4
63609+:1060D00000000000960B00023163000114600165AE
63610+:1060E000000000008E020004AE8200083C1408008C
63611+:1060F0008E945AA01280015B000000008F7400741F
63612+:106100003C0380002404000102835825AF6B007417
63613+:10611000A3600005AF64000C3C0708008CE75AA0A0
63614+:106120008F86001CA7640010000711C2A76400122C
63615+:10613000A7640014A7640016A76200088CC80008B2
63616+:1061400024040002AF68002C8CC5000CAF65003041
63617+:1061500090DF0010A37F00348F99001C9330001152
63618+:10616000A37000358F98001C930F0012A36F0036A8
63619+:106170008F89001C912E0013A36E00378F90001C96
63620+:10618000960D0014A76D0038960A0016A76A003A0B
63621+:106190008E0C0018AF6C00245620FDCCAF84002874
63622+:1061A0003C05080024A55A980E0002640000202136
63623+:1061B0008F90001C0A0004A7000020218E1000040C
63624+:1061C00024070081AF500020936900233134001070
63625+:1061D000128000170000000002002021000028218A
63626+:1061E0002406001F0E00022A000000000A0003EB34
63627+:1061F0008F90001C3C05080024A55A980E000287C9
63628+:10620000240400828F90001C000028210A000362F1
63629+:10621000AF8500283C0408008C845A980E0014E8CE
63630+:10622000000000008F90001C0A000482000018216A
63631+:106230000E00025602002021937800230200202144
63632+:10624000370F00100E00025FA36F002300003821FB
63633+:1062500002002021000028210A0005A82406001FB2
63634+:10626000920F000C31E90001112000030000000032
63635+:106270009618000EA4D8002C921F000C33F90002CF
63636+:1062800013200005000038218E0200149608001229
63637+:10629000ACC2001CA4C8001A0A0005432406000969
63638+:1062A0003C05080024A55A980E0002872404008BA0
63639+:1062B0008F90001C0011282B0A000362AF85002874
63640+:1062C000AF6000843C0A08008D4A5A983C0D0800D3
63641+:1062D0008DAD0050240CFF803C02000C014D1821B4
63642+:1062E000006C2024AF4400288E070014306B007F20
63643+:1062F000017A282100A2C821AF2700D88E060014F9
63644+:10630000AF9900D0AF2600DC8E080010251FFFFEDD
63645+:106310000A000408AF3F01083C0508008CA55A9804
63646+:106320003C1908008F39005024CCFFFE00B9C02171
63647+:1063300003047824AF4F00283C1408008E945A9828
63648+:106340003C0908008D2900500289702131CD007F61
63649+:1063500001BA502101478021AE0600D8AF9000D08D
63650+:10636000AE0000DC0A0003B1AE0C0108548CFE3014
63651+:10637000240540000A00043B240510000E00032EF3
63652+:10638000000000000A0003EB8F90001C8E0F442CCD
63653+:106390003C186C62370979703C010800AC205A98AF
63654+:1063A00015E9000824050140979F00349786002CCA
63655+:1063B0000280282103E6C82B132000112404009238
63656+:1063C000240501400E000C7A240400023C01080060
63657+:1063D000AC225A98AF4200203C0508008CA55A9880
63658+:1063E00010A00005240400830E00084500000000F2
63659+:1063F00010400009240400833C05080024A55A9895
63660+:106400000E000264000000008F90001C0011202B81
63661+:106410000A000362AF8400280E0008490000000053
63662+:106420000A00055F8F90001C0E00084D0000000060
63663+:106430003C05080024A55A980A00062F2404008B66
63664+:10644000240400040E000C7A240500301440002AB5
63665+:10645000004050218F89001C240700830140202127
63666+:106460008D25001C0A000551240600018E04000839
63667+:106470000E000241000000000A00051BAE82000869
63668+:106480003C05080024A55A980E00023C240400870D
63669+:106490008F90001C0A0005360011102B8F830038E6
63670+:1064A0008F8600301066FE9D000038213C070800F2
63671+:1064B00024E75A1C000320C0008728218CAC000070
63672+:1064C00011900061246A00013143000F5466FFFA05
63673+:1064D000000320C00A0004F6000038213C05080033
63674+:1064E00024A55A980E000287240400828F90001C75
63675+:1064F0000A000536000010213C0B0008034B202148
63676+:106500002403005024070001AF420020A0830000B4
63677+:10651000A08700018F82001C90480004A08800180A
63678+:106520008F85001C90A60005A08600198F9F001C77
63679+:1065300093F90006A099001A8F90001C921800078A
63680+:10654000A098001B8F94001C928F0008A08F001C45
63681+:106550008F89001C912E0009A08E001D8F8D001CBC
63682+:1065600091AC000AA08C001E8F8B001C3C0C080014
63683+:10657000258C5A1C9163000B3C0B0800256B5A18A4
63684+:10658000A083001F8F87001C90E8000CA0880020CB
63685+:106590008F82001C9045000D24024646A0850021F4
63686+:1065A0008F86001C90DF000EA09F00228F99001C98
63687+:1065B0009330000FA09000238F98001C93140010BC
63688+:1065C000A09400248F8F001C91E90011A089002560
63689+:1065D0008F89001C8F8E00308F900038952D00140D
63690+:1065E000000E18C025C80001A48D002895270016AC
63691+:1065F000006C3021006BC821A487002A9525001863
63692+:106600003108000FA485002CA482002E8D3F001CB1
63693+:10661000ACCA0000AF88003011100006AF3F000088
63694+:10662000000038218D25001C014020210A00055161
63695+:1066300024060001250C00013184000F00003821E0
63696+:106640000A0006B8AF8400383C07080024E75A184F
63697+:106650000087302100003821ACA000000A0004F6B9
63698+:10666000ACC000003C05080024A55A980A00062F7B
63699+:10667000240400878E0400040E0002410000000084
63700+:106680000A00056AAE8200083084FFFF30C600FFB2
63701+:106690008F4201B80440FFFE00064400010430258B
63702+:1066A0003C07200000C720253C031000AF400180BC
63703+:1066B000AF450184AF44018803E00008AF4301B84F
63704+:1066C00027BDFFE8AFB00010AFBF00143C0760006B
63705+:1066D000240600021080000600A080210010102B6C
63706+:1066E0008FBF00148FB0001003E0000827BD001812
63707+:1066F0003C09600EAD2000348CE5201C8F82001C0C
63708+:106700002408FFFC00A81824ACE3201C0E0006D1CE
63709+:106710008C45000C0010102B8FBF00148FB00010A0
63710+:1067200003E0000827BD00183C02600E344701005A
63711+:1067300024090018274A040000000000000000009F
63712+:10674000000000003C06005034C30200AF44003893
63713+:10675000AF45003CAF430030014018218F4B000093
63714+:10676000316800201100FFFD2406007F2408FFFF90
63715+:106770008C6C000024C6FFFF24630004ACEC000016
63716+:1067800014C8FFFB24E70004000000000000000024
63717+:10679000000000003C0F0020AF4F00300000000060
63718+:1067A00024AD020001A5702B2529FFFF008E2021BA
63719+:1067B0001520FFE101A0282103E0000800000000EF
63720+:1067C00027BDFFE0AFB10014AFBF0018AFB000109D
63721+:1067D0003C05600E8CA20034008088211440000625
63722+:1067E0003C0460008C87201C2408FFFC00E8302457
63723+:1067F00034C30001AC83201C8F8B001C24090001D2
63724+:10680000ACA90034956900028D6500148D70000CF0
63725+:106810002D2400818D6700048D660008108000071C
63726+:106820008D6A00102D2C00041580000E30CE00075C
63727+:10683000312D000311A0000B000000002404008B88
63728+:10684000020028210E0006D1240600030011102B9F
63729+:106850008FBF00188FB100148FB0001003E0000844
63730+:1068600027BD002015C0FFF62404008B3C03002048
63731+:10687000AF4300300000000024020001AF8200148A
63732+:106880000000000000000000000000003C1F01505C
63733+:10689000013FC825253800033C0F600EAF47003884
63734+:1068A00000181882AF46003C35E8003CAF59003074
63735+:1068B000274704008F4400003086002010C0FFFDF1
63736+:1068C00000000000106000082466FFFF2403FFFFA3
63737+:1068D0008CEB000024C6FFFF24E70004AD0B000092
63738+:1068E00014C3FFFB250800043C08600EAD09003806
63739+:1068F0000000000000000000000000003C07002035
63740+:10690000AF470030000000000E0006F901402021D2
63741+:1069100002002821000020210E0006D124060003D9
63742+:106920000011102B8FBF00188FB100148FB0001012
63743+:1069300003E0000827BD002027BDFFE0AFB200182C
63744+:106940003092FFFFAFB10014AFBF001CAFB000101A
63745+:106950001640000D000088210A0007AA022010211D
63746+:1069600024050001508500278CE5000C0000000D77
63747+:10697000262300013071FFFF24E200200232382B71
63748+:1069800010E00019AF82001C8F8200141440001622
63749+:106990008F87001C3C0670003C0320008CE5000043
63750+:1069A00000A62024148300108F84003C00054402BC
63751+:1069B0003C09800000A980241480FFE9310600FF13
63752+:1069C0002CCA00095140FFEB262300010006688015
63753+:1069D0003C0E080025CE579801AE60218D8B00003B
63754+:1069E0000160000800000000022010218FBF001C81
63755+:1069F0008FB200188FB100148FB0001003E00008B0
63756+:106A000027BD00200E0006D1240400841600FFD804
63757+:106A10008F87001C0A00078BAF80003C90EF0002BC
63758+:106A200000002021240600090E0006D1000F2E00D0
63759+:106A30008F87001C0010102B0A00078BAF82003CD0
63760+:106A4000020028210E0006DF240400018F87001CAD
63761+:106A50000A00078BAF82003C020028210E0006DFEF
63762+:106A6000000020210A0007C38F87001C0E00071FAB
63763+:106A7000020020210A0007C38F87001C30B0FFFFEF
63764+:106A8000001019C08F5801B80700FFFE3C1F2004FA
63765+:106A90003C191000AF430180AF400184AF5F018813
63766+:106AA000AF5901B80A00078C262300013082FFFF8E
63767+:106AB00014400003000018210004240224030010E5
63768+:106AC000308500FF14A000053087000F2466000801
63769+:106AD0000004220230C300FF3087000F14E00005DD
63770+:106AE000308900032468000400042102310300FF00
63771+:106AF0003089000315200005388B0001246A00024C
63772+:106B000000042082314300FF388B00013164000112
63773+:106B100010800002246C0001318300FF03E00008B4
63774+:106B200000601021308BFFFF000B394230E600FF80
63775+:106B30003C09080025295998000640800109602178
63776+:106B40008D8700003164001F240A0001008A1804A8
63777+:106B500030A500FF00E3202514A000020003102749
63778+:106B600000E22024240F000100CF700401096821F5
63779+:106B7000000E282714800005ADA400008F86000CAD
63780+:106B800000A6102403E00008AF82000C8F88000CE0
63781+:106B900001C8102503E00008AF82000C3C06001F6E
63782+:106BA0003C0360003084FFFF34C5FF8024020020D6
63783+:106BB000AC602008AC60200CAC602010AC652014E8
63784+:106BC000AC642018AC62200000000000000000004F
63785+:106BD00003E000080000000027BDFFE82402FFFFDB
63786+:106BE000AFBF0010AF82000C000020213C0608005F
63787+:106BF00024C659982405FFFF248900010004408021
63788+:106C00003124FFFF010618212C87002014E0FFFA31
63789+:106C1000AC6500000E0008160000202124020001CF
63790+:106C20003C04600024050020AC822018AC852000C4
63791+:106C3000000000000000000000000000244A0001E5
63792+:106C40003142FFFF2C46040014C0FFF78FBF001035
63793+:106C500003E0000827BD00188F8300082C620400A1
63794+:106C600003E00008384200018F830008246200011D
63795+:106C700003E00008AF8200088F8300082462FFFF52
63796+:106C800003E00008AF82000827BDFFE0AFB10014A9
63797+:106C9000AFBF0018AFB000108F6B00303C06600033
63798+:106CA00000808821ACCB20088F6A002C3C02800039
63799+:106CB00024030008ACCA200C9769003A9768003892
63800+:106CC00000092C003107FFFF00A72025ACC42010CD
63801+:106CD000ACC22014ACC32000000000000000000083
63802+:106CE000000000003C0360008C6D200031AC000807
63803+:106CF0001580FFF9000000008C6E201405C00020F4
63804+:106D0000000000000E0007DA8F84000C00024080B3
63805+:106D10003C09080025295998010938218CE4000014
63806+:106D20000E0007DA00028140020220213090FFFFAE
63807+:106D3000020020210E0007F8000028213C0C8000F2
63808+:106D4000022C58253210FFFF3C116000240A00205D
63809+:106D5000AE2B2014AE302018AE2A20000000000018
63810+:106D60000000000000000000020010218FBF00188A
63811+:106D70008FB100148FB0001003E0000827BD002081
63812+:106D80008C6620143C02001F3443FF803C1FFFE848
63813+:106D900000C3C02437F9080003198021001079C20C
63814+:106DA0003C0C8000022C582531F0FFFF3C116000A4
63815+:106DB000240A0020AE2B2014AE302018AE2A20006A
63816+:106DC0000000000000000000000000000200102190
63817+:106DD0008FBF00188FB100148FB0001003E00008BF
63818+:106DE00027BD002027BDFFE8AFB000103402FFFF31
63819+:106DF0003090FFFFAFBF00141202000602002021F6
63820+:106E00000E00081600000000020020210E0007F806
63821+:106E1000240500018F8400088FBF00148FB000107C
63822+:106E20002483FFFF27BD001803E00008AF8300089C
63823+:106E3000000439C230E6003F00043B42000718401E
63824+:106E4000240210002CC4002024C8FFE0AF42002C14
63825+:106E5000246300011480000330A900FF00071840DC
63826+:106E6000310600FF0003608024080001019A5821C8
63827+:106E70003C0A000E00C82804016A382111200005D0
63828+:106E8000000530278CE900000125302503E00008CB
63829+:106E9000ACE600008CEE000001C6682403E00008A8
63830+:106EA000ACED000027BDFFE8AFBF0014AFB000108D
63831+:106EB0003C0460008C8508083403F00030A2F00028
63832+:106EC00050430006240200018C8708083404E000C7
63833+:106ED00030E6F00010C4001E24020002AF82004021
63834+:106EE0003C1060003C0A0200AE0A0814240910009D
63835+:106EF0003C08000E8E03440003482021AF49002CBB
63836+:106F0000240501200E000CC0000030218F830040BA
63837+:106F1000106000043C021691240B0001106B000E5F
63838+:106F20003C023D2C344F0090AE0F44088FBF00143C
63839+:106F30008FB000103C0C6000240E10003C0D0200CD
63840+:106F400027BD0018AD8E442003E00008AD8D081069
63841+:106F50000A0008E7AF8000403C0218DA344F009086
63842+:106F6000AE0F44088FBF00148FB000103C0C6000BF
63843+:106F7000240E10003C0D020027BD0018AD8E4420E9
63844+:106F800003E00008AD8D08100A0008BB24050001CD
63845+:106F90000A0008BB000028213C08080025085DA461
63846+:106FA0002404FFFF010018212402001E2442FFFFD9
63847+:106FB000AC6400000441FFFD246300043C070800AA
63848+:106FC00024E75E208CE5FFFC2404001C240600015D
63849+:106FD000308A001F0146480424840001000910275C
63850+:106FE0002C8300201460FFFA00A22824ACE5FFFCEB
63851+:106FF0003C05666634A4616E3C06080024C65EE06B
63852+:10700000AF840058AF88009C2404FFFF00C0182103
63853+:107010002402001F2442FFFFAC6400000441FFFD76
63854+:10702000246300043C0766663C05080024A55EA0B6
63855+:10703000AF86004834E6616EAF8600982404FFFFF7
63856+:1070400000A018212402000F2442FFFFAC640000BE
63857+:107050000441FFFD246300043C0B66663C06080007
63858+:1070600024C65E203568616EAF8500A4AF880070CD
63859+:107070002404FFFF00C018212402001F2442FFFF48
63860+:10708000AC6400000441FFFD246300043C0D66660F
63861+:107090003C0A0800254A5F6035AC616EAF860090FF
63862+:1070A000AF8C005C2404FFFF014018212402000380
63863+:1070B0002442FFFFAC6400000441FFFD2463000490
63864+:1070C0003C09080025295F708D27FFFC2404000679
63865+:1070D000240500013099001F0325C0042484000109
63866+:1070E000001878272C8E002015C0FFFA00EF3824F6
63867+:1070F000AD27FFFC3C09666624030400240403DC7E
63868+:1071000024050200240600663522616E3C08080052
63869+:1071100025085AA4AF820074AF830044AF83006C8B
63870+:10712000AF830050AF830084AF8A008CAF840064CB
63871+:10713000AF85004CAF860054AF840078AF85006007
63872+:10714000AF86008001001821240200022442FFFFC4
63873+:10715000AC6000000441FFFD24630004240400032C
63874+:107160002403000C3C0A0800254A5AB0AF8A006884
63875+:107170000A00098E2405FFFF000418802484000102
63876+:10718000006858212C8700C014E0FFFBAD650000AB
63877+:107190003C0E666635CD616E240C17A024081800DD
63878+:1071A000AF8D0088AF8C009403E00008AF88007CAE
63879+:1071B0002484007F000421C200004021000030210F
63880+:1071C00000003821000028210A0009A5AF8400A092
63881+:1071D0001060000624E7000100C4302124A500014E
63882+:1071E0002CC20BF51440FFFA2CA300663C090800E2
63883+:1071F00025295F6001201821240200032442FFFF9B
63884+:10720000AC6000000441FFFD2463000410E0001A9C
63885+:1072100024E3FFFF0003294210A0000A0000202100
63886+:107220002406FFFF3C03080024635F602484000100
63887+:107230000085502BAC660000250800011540FFFBBF
63888+:107240002463000430E2001F10400008000868803A
63889+:10725000240C0001004C38040008588001692821E2
63890+:1072600024E6FFFF03E00008ACA6000001A94021CE
63891+:107270002409FFFFAD09000003E000080000000042
63892+:10728000AF4400283C04000C034420210005288260
63893+:107290000A000CC000003021000421803C03600083
63894+:1072A000AC6410080000000000052980AC65100CDB
63895+:1072B0000000000003E000088C62100C27BDFFE80E
63896+:1072C0000080282124040038AFBF00140E0009D527
63897+:1072D000AFB0001024040E00AF4400283C10000C96
63898+:1072E00003502021240500100E000CC000003021A6
63899+:1072F00003501021AC400000AC40000424040038CE
63900+:107300008FBF00148FB0001024053FFF27BD001869
63901+:107310000A0009D58C430000000421803C03600072
63902+:10732000AC641008000000008C62100C03E0000840
63903+:107330000002118227BDFFC8AFB400208F940068FF
63904+:10734000AFBE0030AFB7002CAFB600280000B821A8
63905+:107350000080B021241E00C0AFBF0034AFB50024B0
63906+:10736000AFB3001CAFB20018AFB10014AFB0001043
63907+:107370000A000A12AFA5003C504000018F9400683B
63908+:1073800027DEFFFF13C00028269400048E92000021
63909+:107390003C03080024635DA01240FFF70283102B1A
63910+:1073A0003C04080024845AA4028410230002A8C0CC
63911+:1073B000000098210A000A212411000100118840D0
63912+:1073C000122000260000000002B380210251282470
63913+:1073D0000200202110A0FFF9267300010E0009DE33
63914+:1073E000000000000016684032EC000101AC2021D2
63915+:1073F0000E0009D5020028218F89009426F700018C
63916+:107400008FA6003C3AEB0001316A00012528FFFFFE
63917+:107410000011382702CAB021AF88009416E6FFE7B2
63918+:1074200002479024AE92000002E010218FBF00348A
63919+:107430008FBE00308FB7002C8FB600288FB5002488
63920+:107440008FB400208FB3001C8FB200188FB10014CE
63921+:107450008FB0001003E0000827BD00383C0E080084
63922+:1074600025CE5DA0028E102B0A000A0DAE92000000
63923+:1074700027BDFFD8AFB10014AFB00010AFBF0020E0
63924+:10748000AFB3001CAFB2001800A0882110A0001FED
63925+:10749000000480403C13080026735AA40A000A5ACC
63926+:1074A0002412000112200019261000010E0009F517
63927+:1074B00002002021000231422444FFA0000618806F
63928+:1074C0003045001F2C8217A1007318212631FFFFC1
63929+:1074D0001040FFF400B230048C690000020020214B
63930+:1074E00024053FFF012640241500FFEE0126382524
63931+:1074F0000E0009D5AC6700008F8A009426100001A9
63932+:10750000254700011620FFE9AF8700948FBF0020B8
63933+:107510008FB3001C8FB200188FB100148FB0001011
63934+:1075200003E0000827BD00288F85009C00805821BB
63935+:107530000000402100004821240A001F3C0C0800E4
63936+:10754000258C5E1C3C0D080025AD5DA48CA60000BA
63937+:1075500050C000140000402100AD1023000238C0CC
63938+:10756000240300010A000A930000202115000003F3
63939+:1075700000E410212448202400004821252900018E
63940+:10758000512B00132506DFDC106000062484000167
63941+:1075900000C3702415C0FFF5000318400A000A91CB
63942+:1075A0000000402110AC002624A300040060282124
63943+:1075B000254AFFFF1540FFE5AF85009C512B0004D5
63944+:1075C0002506DFDC0000402103E000080100102157
63945+:1075D0000006614230C5001F000C50803C070800C7
63946+:1075E00024E75DA424040001014730211120000F8D
63947+:1075F00000A420043C05080024A55E20148000059A
63948+:107600002529FFFF24C6000410C50011000000005A
63949+:10761000240400018CCF00000004C0270004204097
63950+:1076200001F868241520FFF5ACCD00008F99007893
63951+:1076300001001021032B482303E00008AF890078E4
63952+:107640003C05080024A55DA40A000A9B0000402117
63953+:107650003C06080024C65DA40A000AB42404000104
63954+:10766000308800FF240200021102000A24030003F4
63955+:107670001103005C8F8900A4240400041104005F3E
63956+:1076800024050005110500670000182103E000082B
63957+:10769000006010218F8900483C0C0800258C5EE0BA
63958+:1076A0003C04080024845F60240300201060000F65
63959+:1076B00000005821240D0002240E00033C0F080096
63960+:1076C00025EF5EE08D27000014E0000B30F9FFFF8E
63961+:1076D000252900040124C02B53000001018048210A
63962+:1076E0002463FFFF5460FFF88D270000016018211C
63963+:1076F00003E0000800601021132000323C0500FF69
63964+:1077000030E200FF004030211040004200005021D4
63965+:1077100024050001000020210005C84000A6C02467
63966+:1077200017000003332500FF14A0FFFB2484000191
63967+:10773000012CC023001828C000AA6021008C502111
63968+:107740003144001F240C0001008C18040003102792
63969+:1077500000E23024110D0041AD260000110E004C56
63970+:10776000000A1840110D00368F87006C510E00562C
63971+:107770008F8C0060240D0004110D005A8F8E008440
63972+:10778000240E0005150EFFDA01601821240B1430B9
63973+:1077900011400006000018218F8400A0246300011E
63974+:1077A000006A402B1500FFFD016458218F8A00807C
63975+:1077B000AF89008C016018212549FFFF0A000AEB00
63976+:1077C000AF89008000E52024000736021080FFD03A
63977+:1077D000240A001800075402314600FF0A000AF389
63978+:1077E000240A00103C0C0800258C5EA03C04080014
63979+:1077F00024845EE00A000ADA240300103C0C08002E
63980+:10780000258C5E203C04080024845EA00A000AD96E
63981+:107810008F89009000071A02306600FF0A000AF301
63982+:10782000240A00088F89008C3C0C0800258C5F60BE
63983+:107830003C04080024845F700A000ADA2403000470
63984+:10784000000A4080250B003024E6FFFF016018216C
63985+:10785000AF8900480A000AEBAF86006C000AC982B3
63986+:10786000001978803C07080024E75EA001E720218A
63987+:10787000000A18428C8F00003079001F032C380456
63988+:107880000007C02701F860240A000B08AC8C000038
63989+:10789000000331420006288000AF28213062001F1B
63990+:1078A0008CB8000024630001004CC804000321428E
63991+:1078B000001938270004108003073024004F2021CE
63992+:1078C0000A000B4CACA60000000A68C025AB0032D1
63993+:1078D000258AFFFF01601821AF8900A40A000AEB86
63994+:1078E000AF8A0060254B1030AF89009001601821ED
63995+:1078F00025C9FFFF0A000AEBAF8900843086000724
63996+:107900002CC2000610400014000000000006408059
63997+:107910003C030800246357BC010338218CE40000B9
63998+:1079200000800008000000002409000310A9000ED8
63999+:1079300000000000240A000510AA000B000000004F
64000+:10794000240B000110AB0008000000008F8C00A089
64001+:1079500010AC00050000000003E00008000010214A
64002+:107960000A000A7900A020210A000AC700C02021CD
64003+:1079700027BDFFE8308400FF240300021083000BC2
64004+:10798000AFBF0010240600031086003A240800044C
64005+:1079900010880068240E0005108E007F2CAF143074
64006+:1079A0008FBF001003E0000827BD00182CA2003094
64007+:1079B0001440FFFC8FBF001024A5FFD0000531C28A
64008+:1079C000000668803C07080024E75EE001A730213C
64009+:1079D0008CC900000005288230AC001F240B000178
64010+:1079E000018B50048F840048012A4025ACC8000058
64011+:1079F0008C83000050600001AF8600488F98006CB7
64012+:107A000030AE000124A6FFFF270F000115C00002C1
64013+:107A1000AF8F006C24A600010006414200082080C0
64014+:107A2000008718218C79000030C2001F2406000155
64015+:107A30000046F804033F382410E0FFDA8FBF00103F
64016+:107A40000005C182001870803C0F080025EF5EA081
64017+:107A500001CF48218D2B00000005684231A5001F91
64018+:107A600000A66004016C502527BD001803E0000843
64019+:107A7000AD2A00002CA7003014E0FFCA8FBF001011
64020+:107A800030B900071723FFC724A8FFCE00086A02F9
64021+:107A9000000D60803C0B0800256B5EA0018B30213F
64022+:107AA0008CC40000000828C230AA001F240800016E
64023+:107AB000014848048F8200A400891825ACC3000047
64024+:107AC0008C5F000053E00001AF8600A40005704009
64025+:107AD000000E7942000F28803C04080024845EE0F8
64026+:107AE00000A418218C6B000025DF000131CD001FA0
64027+:107AF000001F514201A86004016C4825000A108053
64028+:107B0000AC690000004428218CA600008F9800601A
64029+:107B100033F9001F8FBF00100328380400C77825F1
64030+:107B2000270E000127BD0018ACAF000003E00008DD
64031+:107B3000AF8E006024A5EFD02CB804001300FF998D
64032+:107B40008FBF001000053142000658803C0A080033
64033+:107B5000254A5E20016A30218CC4000030A3001F3A
64034+:107B600024090001006910048F9900900082F82513
64035+:107B7000ACDF00008F27000050E00001AF860090CE
64036+:107B80008F8D00848FBF001027BD001825AC000129
64037+:107B900003E00008AF8C008415E0FF828FBF001067
64038+:107BA0008F8600A0000610400046F821001F21002B
64039+:107BB00003E4C8210019384024F8143000B8402BE1
64040+:107BC0001100FF788FBF001024A4EBD00E00021329
64041+:107BD00000C0282100027942000F70803C0D08008F
64042+:107BE00025AD5F6001CD20218C8B0000304C001F43
64043+:107BF00024060001018618048F89008C016350253A
64044+:107C0000AC8A00008D25000050A00001AF84008CDC
64045+:107C10008F9800808FBF001027BD00182708000133
64046+:107C200003E00008AF88008030A5000724030003AC
64047+:107C300010A3001028A2000414400008240700022A
64048+:107C40002403000410A300152408000510A8000F49
64049+:107C50008F8500A003E000080000000014A7FFFDCE
64050+:107C60000080282114C3FFFB240400020A000B8BB0
64051+:107C700000000000240900050080282110C9FFFB36
64052+:107C80002404000303E000080000000014C5FFF115
64053+:107C9000008028210A000B8B24040005240A00011F
64054+:107CA0000080282110CAFFF12404000403E000082A
64055+:107CB0000000000027BDFFE0AFB00010000581C24A
64056+:107CC0002603FFD024C5003F2C6223D024C6007FAA
64057+:107CD000AFB20018AFB10014AFBF001C309100FF6D
64058+:107CE000000691C2000529820200202110400008F0
64059+:107CF0002403FFFF0E000A4B0000000002002021B9
64060+:107D0000022028210E000C390240302100001821E9
64061+:107D10008FBF001C8FB200188FB100148FB00010FD
64062+:107D20000060102103E0000827BD002027BDFFD818
64063+:107D300024A2007FAFB3001CAFB20018000299C2AA
64064+:107D4000309200FF24A3003F02402021026028213E
64065+:107D5000AFB10014AFB00010AFBF00200E000B6E2B
64066+:107D60000003898200408021004020210220282138
64067+:107D700014400009000018218FBF00208FB3001CA1
64068+:107D80008FB200188FB100148FB000100060102166
64069+:107D900003E0000827BD00280E0009FC00000000D9
64070+:107DA00000402821020020211051FFF3001019C0CB
64071+:107DB0000E000A4B00000000020020210240282192
64072+:107DC0000E000C39026030218FBF00208FB3001CE1
64073+:107DD0008FB200188FB100148FB00010000018216E
64074+:107DE0000060102103E0000827BD00283084FFFF59
64075+:107DF00030A5FFFF1080000700001821308200012D
64076+:107E00001040000200042042006518211480FFFB8E
64077+:107E10000005284003E000080060102110C00007A2
64078+:107E2000000000008CA2000024C6FFFF24A500046F
64079+:107E3000AC82000014C0FFFB2484000403E00008AF
64080+:107E40000000000010A0000824A3FFFFAC86000083
64081+:107E500000000000000000002402FFFF2463FFFF79
64082+:107E60001462FFFA2484000403E00008000000000C
64083+:107E700030A5FFFF8F4201B80440FFFE3C076015AC
64084+:107E800000A730253C031000AF440180AF400184BF
64085+:107E9000AF46018803E00008AF4301B88F8500D0EA
64086+:107EA0002C864000008018218CA700840087102BAE
64087+:107EB00014400010000000008CA800842D06400033
64088+:107EC00050C0000F240340008CAA0084008A482B75
64089+:107ED000512000018CA3008400035A42000B208033
64090+:107EE0003C05080024A558200085182103E000085F
64091+:107EF0008C62000014C0FFF4000000002403400066
64092+:107F000000035A42000B20803C05080024A558209D
64093+:107F10000085182103E000088C6200008F8300D0E8
64094+:107F2000906600D024C50001A06500D08F8500D0E8
64095+:107F3000906400D090A200D210440017000000000E
64096+:107F4000936C00788F8B00BC318A00FFA16A000C13
64097+:107F500025490001938700C4312200FF3048007F8B
64098+:107F60001107000B00026827A36200788F4E01788A
64099+:107F700005C0FFFE8F9900B0241800023C0F1000CE
64100+:107F8000AF590140A358014403E00008AF4F017806
64101+:107F90000A000D0931A20080A0A000D00A000CFF49
64102+:107FA000000000008F8700D027BDFFC8AFBF0030A2
64103+:107FB000AFB7002CAFB60028AFB50024AFB4002097
64104+:107FC000AFB3001CAFB20018AFB10014AFB00010D7
64105+:107FD00094E300E094E200E2104300D72405FFFFA1
64106+:107FE0003C047FFF3497FFFF2415FF800A000DF04B
64107+:107FF0003C16000E108A00D18FBF00308F9100B068
64108+:108000003C1808008F18005C001230C0001291402C
64109+:108010000311702101D57824AF4F002C94EC00E2BD
64110+:1080200031CD007F01BA5821318A7FFF0176482186
64111+:10803000000A804002091021945300003C08080007
64112+:108040008D0800580246C02132733FFF001319808B
64113+:10805000010320210224282130BF007F03FAC82118
64114+:1080600000B5A024AF54002C0336A0218E87001049
64115+:108070008E8F003003785821256D008800EF702323
64116+:10808000240C0002AE8E0010AF8D00ACA16C0088F5
64117+:10809000976A003C8E8400308F9100AC0E000CD6A5
64118+:1080A0003150FFFF00024B80020940253C02420094
64119+:1080B00001022025AE2400048E8300048F8D00ACC5
64120+:1080C0008E860000240E0008ADA3001CADA600188B
64121+:1080D000ADA0000CADA00010929F000A33F900FF84
64122+:1080E000A5B90014968500083C1F000CA5A5001634
64123+:1080F0009298000A331100FFA5B100209690000865
64124+:1081000024180005A5B00022ADA00024928F000B1A
64125+:108110002410C00031E700FFA5A70002A1AE0001B6
64126+:108120008E8C00308F8B00AC8F8400B0AD6C00085B
64127+:108130003C0A08008D4A005401444821013540247E
64128+:10814000AF4800283C0208008C4200540044302113
64129+:1081500030C3007F007AC821033F282102458821CF
64130+:10816000AF9100BCAF8500C0A23800008F8A00BC70
64131+:108170002403FFBF2418FFDF954F000201F03824CD
64132+:1081800000F37025A54E0002914D000231AC003F76
64133+:10819000358B0040A14B00028F8600BC8F8900D038
64134+:1081A000ACC000048D28007C3C098000ACC80008ED
64135+:1081B00090C4000D3082007FA0C2000D8F8500BCEE
64136+:1081C00090BF000D03E3C824A0B9000D8F9100BC3F
64137+:1081D0009233000D02789024A232000D8E9000346C
64138+:1081E0008F8B00BCAD7000108E87002C8E8F0030FE
64139+:1081F00000EF7023AD6E0014916D001831AC007F5C
64140+:10820000A16C00188F9F00BC8E8A00308FE8001888
64141+:10821000015720240109302400C41025AFE20018C2
64142+:108220009283000AA3E3001C969900088F8500BC86
64143+:108230008F9800D0A4B9001E8E9000308E8400303C
64144+:108240000E0002138F0500848F8500D0000291403C
64145+:108250000002990090AF00BC0253882100403021F9
64146+:1082600031E7000210E0000302118021000290803B
64147+:108270000212802190B900BC3327000410E00002F4
64148+:108280000006F880021F80218E9800308F8B00BC82
64149+:1082900024068000330F0003000F702331CD00034C
64150+:1082A000020D6021AD6C000494A400E294AA00E2E7
64151+:1082B00094B000E231497FFF2522000130537FFF57
64152+:1082C0000206182400734025A4A800E294A400E24A
64153+:1082D0003C1408008E94006030917FFF123400221D
64154+:1082E000000000000E000CF6000000008F8700D098
64155+:1082F0000000282194F300E094F000E21213000F34
64156+:108300008FBF003090E900D090E800D1313200FFFB
64157+:10831000310400FF0244302B14C0FF36264A00010E
64158+:1083200090EE00D2264B000131CD00FF008D602180
64159+:10833000158BFF338F9100B08FBF00308FB7002CAB
64160+:108340008FB600288FB500248FB400208FB3001C97
64161+:108350008FB200188FB100148FB0001000A0102150
64162+:1083600003E0000827BD003894A300E20066402423
64163+:10837000A4A800E290A400E290B900E2309100FFCE
64164+:108380000011A1C20014F827001F39C03332007F4A
64165+:10839000024730250A000DE8A0A600E23084FFFF66
64166+:1083A00030A5FFFFAF440018AF45001C03E00008F4
64167+:1083B0008F42001427BDFFB8AFB000208F9000D0CF
64168+:1083C0003084FFFFAFA40010AFBF0044AFBE004039
64169+:1083D000AFB7003CAFB60038AFB50034AFB4003033
64170+:1083E000AFB3002CAFB20028AFB10024A7A0001893
64171+:1083F000920600D1920500D030C400FF30A300FFE8
64172+:108400000064102B10400122AFA00014920900D08C
64173+:108410008FB50010312800FF0088382324F4FFFFB7
64174+:108420000014882B0015982B02339024524001260B
64175+:108430008FB40014961E0012961F00108FB7001004
64176+:1084400003DFC823001714000019C400000224032E
64177+:108450000018140302E2B02A52C00001004020219B
64178+:108460000284282B10A0000200801821028018210D
64179+:1084700000033C0000071C033064FFFF2C8600094A
64180+:1084800014C000020060B821241700088E0A0008FA
64181+:10849000001769808E09000C31ABFFFF3C0C001007
64182+:1084A000016C402527520400AF4A0038AF9200B853
64183+:1084B000AF49003CAF480030000000000000000061
64184+:1084C00000000000000000000000000000000000AC
64185+:1084D00000000000000000008F4F000031EE00207F
64186+:1084E00011C0FFFD0017982A027110240A000E83A4
64187+:1084F0000000B02155E001019258000131130080C5
64188+:10850000126001CF012020219655001232A5FFFFF5
64189+:108510000E000CCBA7B500188F9000D00291A023BD
64190+:1085200026CD00018F9100B8000DB4000016B403F1
64191+:108530002638004002D7582A0014882B2405000151
64192+:108540000300902101711024AF9800B8AFA500146A
64193+:10855000104001BC8F8900B03C0C08008D8C005489
64194+:10856000240BFF80921E00D001895021014B28244A
64195+:10857000921900D0AF4500288E4700103C08080033
64196+:108580008D0800583C1808008F18005430E33FFF56
64197+:108590000003218001043021012658212402FF809C
64198+:1085A0000162F824920C00D0AF5F002C92480000CA
64199+:1085B00033D100FF333500FF0309982100117140CA
64200+:1085C000001578C0326D007F01CF382101BA282113
64201+:1085D000318300FF3164007F3C0A000C00AA88212F
64202+:1085E0000367F02100033140009A10213108003F59
64203+:1085F0003C1F000E00D1C021005F982127D90088C0
64204+:108600002D150008AF9100C0AF9900ACAF9800BC29
64205+:10861000AF9300B412A0018A00008821240E00014B
64206+:10862000010E4004310D005D11A0FFB2310F0002B8
64207+:108630008E4A00283C0300803C04FFEFAE6A000035
64208+:108640008E450024A260000A3488FFFFAE65000456
64209+:108650009247002C3C1FFF9F37FEFFFFA267000CD4
64210+:108660008E62000C3C180040A267000B00433025CE
64211+:1086700000C8C824033E88240238A825AE75000C23
64212+:108680008E490004AE6000183C0F00FFAE69001474
64213+:108690008E4D002C35EEFFFF8F8B00B001AE6024B5
64214+:1086A000AE6C00108E470008A660000896450012C8
64215+:1086B000AE6700208E42000C30B03FFF00105180AA
64216+:1086C000AE6200248E5E0014014B182130A400011C
64217+:1086D000AE7E00288E590018000331C2000443808A
64218+:1086E000AE79002C8E51001C00C8F821A67F001C1A
64219+:1086F000AE710030965800028E550020A678001EFC
64220+:10870000AE75003492490033313000045600000544
64221+:10871000925000008F8C00D08D8B007CAE6B0030AF
64222+:10872000925000008F8F00BCA1F00000924E0033E9
64223+:1087300031CD000251A00007925E00018F8900BC7C
64224+:108740002418FF80913100000311A825A1350000F5
64225+:10875000925E00018F9900BC2409FFBF240BFFDF4C
64226+:10876000A33E00018F9500BC92B8000D3311007F2D
64227+:10877000A2B1000D8F8E00BC91D0000D02097824AB
64228+:10878000A1CF000D8F8800BC8E6D0014910A000DE2
64229+:108790002DAC0001000C2940014B382400E51825C0
64230+:1087A000A103000D964200128F8800BC8F8700D075
64231+:1087B000A50200028E45000490FF00BC30A4000317
64232+:1087C0000004302330DE000300BE102133F9000224
64233+:1087D00017200002244400342444003090E200BCFE
64234+:1087E00000A2302430DF000417E0000224830004DC
64235+:1087F000008018218F8F00AC24090002AD03000413
64236+:10880000A1E90000924E003F8F8D00ACA1AE0001A7
64237+:108810008F9500AC924C003F8E440004A6AC000241
64238+:10882000976B003C0E000CD63170FFFF00025380A6
64239+:10883000020A38253C05420000E51825AEA30004D5
64240+:108840008F8600AC8E480038ACC800188E440034C7
64241+:10885000ACC4001CACC0000CACC00010A4C0001420
64242+:10886000A4C00016A4C00020A4C00022ACC00024F4
64243+:108870008E6400145080000124040001ACC4000880
64244+:108880000E000CF6241100010A000E768F9000D025
64245+:10889000920F00D2920E00D08FB5001031EB00FF86
64246+:1088A00031CD00FF008D6023016C50212554FFFF66
64247+:1088B0000014882B0015982B023390241640FEDDFF
64248+:1088C000000000008FB400148FBF00448FBE004032
64249+:1088D0003A8200018FB7003C8FB600388FB5003464
64250+:1088E0008FB400308FB3002C8FB200288FB10024DA
64251+:1088F0008FB0002003E0000827BD0048331100209E
64252+:10890000122000EF24150001921E00BC241F00015C
64253+:108910000000A82133D900011320000DAFBF001CB7
64254+:108920008E4400148E0800840088102B144000022E
64255+:10893000008030218E0600848E03006400C3A82BC3
64256+:1089400016A0000200C020218E0400640080A8212F
64257+:108950008E4700148E05006400E5302B14C0000221
64258+:1089600000E020218E0400640095F02313C0000471
64259+:108970008FAC001C240A0002AFAA001C8FAC001CA4
64260+:10898000028C582B156000A8000018218E4F00386B
64261+:108990008E6D000C3C0E0080AE6F00008E4A0034DD
64262+:1089A0003C10FF9F01AE5825AE6A00049246003F7E
64263+:1089B000360CFFFF016C38243C0500203C03FFEF20
64264+:1089C000A266000B00E510253468FFFF8F8700B812
64265+:1089D0000048F8243C04000803E4C825AE79000CE4
64266+:1089E0008CF80014AE60001802BE7821AE78001436
64267+:1089F0008CF10018AE71001C8CE90008AE690024EF
64268+:108A00008CEE000CAE6F002CAE600028AE6E002025
64269+:108A1000A6600038A660003A8CED001401B58023F2
64270+:108A2000021E902312400011AE72001090EA003D29
64271+:108A30008E6500048E640000000A310000A6C82183
64272+:108A4000000010210326402B0082F82103E8C021FA
64273+:108A5000AE790004AE78000090F1003DA271000AEA
64274+:108A60008F8900B895320006A67200088F9800AC76
64275+:108A70002419000202A02021A31900009769003CDC
64276+:108A80008F9200AC0E000CD63131FFFF00027B80CC
64277+:108A90008F8500B8022F68253C0E420001AE80256C
64278+:108AA000AE5000048F8400AC8CAC0038AC8C001845
64279+:108AB0008CAB0034AC8B001CAC80000CAC80001084
64280+:108AC000A4800014A4800016A4800020A4800022AA
64281+:108AD000AC80002490A7003FA487000212A00135BB
64282+:108AE0002403000153C0000290A2003D90A2003E6A
64283+:108AF00024480001A08800018F9F00ACAFF500085A
64284+:108B00008F8300D024070034906600BC30C500027B
64285+:108B100050A00001240700308F9200B88F8A00BC5B
64286+:108B2000906D00BC924B00002412C00032A50003DF
64287+:108B3000A14B00008F8600B88F8800BC240200047F
64288+:108B400090C400010045182330790003A1040001FE
64289+:108B50008F8A00BC8F9F00B800F53821955800021D
64290+:108B600097E9001200F9382103128824312F3FFFC2
64291+:108B7000022F7025A54E00029150000231A800047A
64292+:108B8000320C003F358B0040A14B000212A00002C6
64293+:108B90008F8500BC00E838218F8E00D0ACA7000480
64294+:108BA000240BFFBF8DCD007C2EA400012403FFDF2A
64295+:108BB000ACAD000890B0000D00044140320C007FC5
64296+:108BC000A0AC000D8F8600BC90CA000D014B102494
64297+:108BD000A0C2000D8F8700BC90E5000D00A3F82413
64298+:108BE00003E8C825A0F9000D8F9100B88F8D00BC57
64299+:108BF0008E380020ADB800108E290024ADA90014D5
64300+:108C00008E2F0028ADAF00188E2E002C0E000CF613
64301+:108C1000ADAE001C8FB0001C240C0002120C00EE44
64302+:108C20008F9000D08FA3001C006088211460000288
64303+:108C30000060A8210000A02156A0FE390291A023C7
64304+:108C40000014882B8FA90010960700103C1E0020EE
64305+:108C50000136402302C750213112FFFFA60A00103F
64306+:108C6000AFB20010AF5E0030000000009617001099
64307+:108C7000961300121277008F000000008E05000C82
64308+:108C80008E0B00080016698000AD7021000DC7C36F
64309+:108C900001CDA82B0178782101F56021AE0E000CE2
64310+:108CA000AE0C00088FB300100013B82B02378024DD
64311+:108CB0001200FF048F9000D00A000E3C000000005C
64312+:108CC0008E4D0038A6600008240B0003AE6D000036
64313+:108CD0008E500034A260000A8F9800B8AE70000475
64314+:108CE0003C0500809311003FA26B000C8E6F000CBE
64315+:108CF0003C0EFF9FA271000B01E5102535CCFFFF54
64316+:108D00003C03FFEF8F9200B8004C30243464FFFF27
64317+:108D100000C4F824AE7F000C8E590014964800124F
64318+:108D20008F8A00B0AE7900108E490014AE60001832
64319+:108D3000AE600020AE690014AE6000248E470018BB
64320+:108D400031093FFF0009F180AE6700288E4D000811
64321+:108D500003CA802131180001AE6D00308E4F000C27
64322+:108D60008F8C00AC001089C200185B80022B282178
64323+:108D7000240E0002A665001CA6600036AE6F002C13
64324+:108D8000A18E00009763003C8F8A00AC3C04420037
64325+:108D90003062FFFF00443025AD4600048F9F00B8CD
64326+:108DA000240700012411C0008FF30038240600348A
64327+:108DB000AD5300188FF90034AD59001CAD40000CC4
64328+:108DC000AD400010A5400014A5400016A5400020AD
64329+:108DD000A5400022AD400024A5550002A147000196
64330+:108DE0008F9E00AC8F8800B88F9200BCAFD5000872
64331+:108DF000910D0000A24D00008F9000B88F8B00BC39
64332+:108E000092180001A17800018F8400BC94850002B3
64333+:108E100000B1782401E97025A48E0002908C000234
64334+:108E20003183003FA08300028F8300D08F8400BC79
64335+:108E3000906200BC305300025260000124060030F2
64336+:108E4000AC8600048C6F007C2403FFBF02A0882145
64337+:108E5000AC8F0008908E000D31CC007FA08C000DEF
64338+:108E60008F8600BC90C2000D00432024A0C4000DDA
64339+:108E70008F8900BC913F000D37F90020A139000D0A
64340+:108E80008F8800B88F9300BC8D070020AE6700105C
64341+:108E90008D0A0024AE6A00148D1E0028AE7E0018D4
64342+:108EA0008D12002C0E000CF6AE72001C0A00103D54
64343+:108EB0008F9000D0960E00148E03000431CCFFFF7B
64344+:108EC000000C10C000622021AF44003C8E1F000443
64345+:108ED0008F46003C03E6C8231B20003C0000000036
64346+:108EE0008E0F000025E200013C05001034B500089B
64347+:108EF000AF420038AF550030000000000000000015
64348+:108F00000000000000000000000000000000000061
64349+:108F100000000000000000008F580000330B00200C
64350+:108F20001160FFFD000000008F5304003C0D002085
64351+:108F3000AE1300088F570404AE17000CAF4D00307D
64352+:108F4000000000003C0608008CC600442416000106
64353+:108F500010D600BD00000000961F00123C0508005E
64354+:108F60008CA5004000BFC821A61900129609001464
64355+:108F700025270001A6070014960A00143144FFFFBC
64356+:108F80005486FF498FB30010A60000140E000E1681
64357+:108F900030A5FFFF3C0408008C84002496030012D7
64358+:108FA0000044102300623023A60600120A00105964
64359+:108FB0008FB30010A08300018F8200AC2404000155
64360+:108FC000AC4400080A000FF08F8300D08E0200002E
64361+:108FD0000A0010EA3C0500108F8200C08FA7001C19
64362+:108FE000921800D0920B00D0920E00D0331100FFE7
64363+:108FF000316900FF00117940000928C001E56021B6
64364+:1090000031C300FF036C50210003314000C2C8216E
64365+:10901000255F0088AF9F00ACAF9900BCA1470088D6
64366+:109020009768003C03C020218F9100AC0E000CD645
64367+:109030003110FFFF00026B80020DC0253C0442008E
64368+:109040008F8D00B803045825AE2B00048DA900387D
64369+:109050008F8B00AC0000882100118100AD690018E1
64370+:109060008DAF00343C087FFF3504FFFFAD6F001C5F
64371+:1090700091AC003E8D65001C8D660018000C190037
64372+:10908000000C770200A33821020E102500E3F82B14
64373+:1090900000C2C821033F5021AD67001CAD6A001813
64374+:1090A000AD60000CAD60001091B8003E24050005D5
64375+:1090B00003C45024A578001495A9000403C02021FE
64376+:1090C000A569001691AF003EA56F002095B1000480
64377+:1090D000A5710022AD60002491AE003FA56E000294
64378+:1090E00091B0003E91AC003D01901023244300015B
64379+:1090F000A16300018F8600AC8F9F00BCACDE00082E
64380+:10910000A3E500008F9000BC8F9900B82405FFBF35
64381+:1091100096070002973800120247782433093FFF70
64382+:1091200001E98825A6110002921200022418FFDF2F
64383+:10913000324E003F35CD0040A20D00028F8600BCAC
64384+:109140008F8C00D02412FFFFACC000048D8B007CFC
64385+:109150003C0C8000ACCB000890C2000D3043007F77
64386+:10916000A0C3000D8F8700BC90FF000D03E5C8244D
64387+:10917000A0F9000D8F9100BC9229000D01387824D0
64388+:10918000A22F000D8F9000BCAE120010AE1500147F
64389+:10919000920E00182415FF8002AE6825A20D00185B
64390+:1091A0008F8500BC8F8300B88CAB0018016C102435
64391+:1091B000004A3025ACA600189068003EA0A8001C0C
64392+:1091C0008F9F00B88F8700BC8F9800D097F900045C
64393+:1091D000A4F9001E0E0002138F0500848F8600D0B4
64394+:1091E000000279400002490090D200BC01E98821C8
64395+:1091F000004028213255000212A0000303D1202193
64396+:109200000002A8800095202190CD00BC31B200045E
64397+:109210001240000333DF0003000540800088202156
64398+:10922000240600048F9E00BC00DFC8233327000300
64399+:1092300000875021AFCA00040E000CF6A665003866
64400+:109240000A0010388F9000D0961E00123C080800CB
64401+:109250008D080024011E9021A61200120A00105948
64402+:109260008FB3001027BDFFE03C1808008F18005096
64403+:10927000AFB00010AFBF0018AFB10014AF8400B0A2
64404+:1092800093710074030478212410FF8031EE007F75
64405+:109290003225007F01F0582401DA68213C0C000AD5
64406+:1092A000A38500C401AC2821AF4B002494A9001071
64407+:1092B0009768000690A600620080382124020030E2
64408+:1092C0000109202330C300F0AF8500D010620019DF
64409+:1092D0003090FFFF90AE0062240DFFF0240A005092
64410+:1092E00001AE6024318B00FF116A002F00000000E6
64411+:1092F00016000007241F0C00AF5F00248FB100147C
64412+:109300008FBF00188FB0001003E0000827BD0020B9
64413+:109310000E000E1C02002021241F0C00AF5F002451
64414+:109320008FB100148FBF00188FB0001003E0000849
64415+:1093300027BD002094A200E094A400E290BF011396
64416+:10934000008218263079FFFF33E700C014E00009DF
64417+:109350002F31000116000038000000005620FFE603
64418+:10936000241F0C000E000D18000000000A0011ED73
64419+:10937000241F0C001620FFDE000000000E000D1858
64420+:10938000000000001440FFDC241F0C001600002227
64421+:109390008F8300D0906901133122003FA062011336
64422+:1093A0000A0011ED241F0C0094AF00D48F8600D466
64423+:1093B00000E02821240400050E000C5C31F0FFFFC2
64424+:1093C0001440000524030003979100E600001821D3
64425+:1093D0002625FFFFA78500E68F5801B80700FFFE8E
64426+:1093E0003C196013AF400180241F0C00AF50018472
64427+:1093F000007938253C101000AF4701888FB1001468
64428+:10940000AF5001B8AF5F00248FB000108FBF0018BD
64429+:1094100003E0000827BD00200E000E1C02002021E2
64430+:109420005040FFB5241F0C008F8300D090690113BA
64431+:109430000A0012163122003F0E000E1C02002021ED
64432+:109440001440FFAD241F0C00122000078F8300D0B2
64433+:10945000906801133106003F34C20040A06201133E
64434+:109460000A0011ED241F0C000E000D180000000072
64435+:109470005040FFA1241F0C008F8300D0906801137F
64436+:109480003106003F0A00124634C20040AF9B00C8BC
64437+:1094900003E00008AF8000EC3089FFFF0009404284
64438+:1094A0002D020041000921801440000200095040B3
64439+:1094B00024080040000830C0000811400046582130
64440+:1094C000256701A800E2C821272F007F2418FF800C
64441+:1094D00001F818240064302100CA702125CC00FF57
64442+:1094E000240DFF00018D202425650088240A0088B2
64443+:1094F0003C010800AC2A004C3C010800AC2500509F
64444+:10950000AF8400D43C010800AC2900603C01080095
64445+:10951000AC2800643C010800AC2700543C01080062
64446+:10952000AC2300583C010800AC26005C03E00008B6
64447+:1095300000000000308300FF30C6FFFF30E400FF72
64448+:109540008F4201B80440FFFE00034C00012438257F
64449+:109550003C08600000E820253C031000AF45018076
64450+:10956000AF460184AF44018803E00008AF4301B86F
64451+:109570008F86001C3C096012352700108CCB00043C
64452+:109580003C0C600E35850010316A00062D48000144
64453+:10959000ACE800C48CC40004ACA431808CC20008C8
64454+:1095A00094C30002ACA2318403E00008A78300E466
64455+:1095B0003C0308008C6300508F8400E88F86001CF9
64456+:1095C0002402FF800064C0210302C824AF59002890
64457+:1095D0008CCD00043305007F00BA78213C0E000CCE
64458+:1095E00001EE2821ACAD00588CC80008AF8500D032
64459+:1095F0003C076012ACA8005C8CCC001034E8001072
64460+:10960000ACAC000C8CCB000CACAB000894AA0014E2
64461+:109610003C0208008C42004425490001A4A9001422
64462+:1096200094A400143083FFFF106200178F8400D0D1
64463+:109630003C0A08008D4A0040A4AA00128CCE0018F3
64464+:10964000AC8E00248CCD0014AC8D00208CC700188B
64465+:10965000AC87002C8CCC001424060001AC8C0028B4
64466+:109660008D0B00BC5166001A8D0200B48D0200B84B
64467+:10967000A482003A948F003AA48F003C948800D4CE
64468+:1096800003E000083102FFFF3C0908008D29002497
64469+:10969000A4A000148F8400D0A4A900128CCE0018BE
64470+:1096A000AC8E00248CCD0014AC8D00208CC700182B
64471+:1096B000AC87002C8CCC001424060001AC8C002854
64472+:1096C0008D0B00BC5566FFEA8D0200B88D0200B418
64473+:1096D000A482003A948F003AA48F003C948800D46E
64474+:1096E00003E000083102FFFF8F86001C3C0C0800DD
64475+:1096F0008D8C0050240BFF808CCD00083C03000CA7
64476+:10970000000D51C0018A4021010B4824AF8A00E8B6
64477+:10971000AF49002890C700073105007F00BA10212B
64478+:109720000043282130E4000410800039AF8500D0C8
64479+:1097300090CF000731EE000811C000380000000093
64480+:109740008CD9000C8CC400140324C02B13000030EF
64481+:10975000000000008CC2000CACA200648CCD00188C
64482+:109760002402FFF8ACAD00688CCC0010ACAC0080DB
64483+:109770008CCB000CACAB00848CCA001CACAA007C67
64484+:1097800090A900BC01224024A0A800BC90C30007FF
64485+:109790003067000810E000048F8500D090AF00BC57
64486+:1097A00035EE0001A0AE00BC90D9000733380001AF
64487+:1097B000130000088F8300D08F8700D0240400346A
64488+:1097C00090E800BC35030002A0E300BC8F8300D00A
64489+:1097D000AC6400C090C900073126000210C000052B
64490+:1097E00000000000906A00BC35420004A06200BC8A
64491+:1097F0008F8300D09065011330AD003FA06D011341
64492+:109800008F8C00D0958B00D403E000083162FFFFFD
64493+:109810008CC200140A001305000000000A001306A1
64494+:10982000ACA0006427BDFFD8AFB000108F90001C23
64495+:10983000AFBF0024AFB40020AFB20018AFB1001426
64496+:10984000AFB3001C9613000E3C07600A3C14600680
64497+:109850003264FFFF369300100E00125534F40410EA
64498+:109860008F8400D43C11600E0E00099B363100102D
64499+:10987000920E00153C0708008CE700603C12601255
64500+:1098800031CD000FA38D00F08E0E00048E0D000868
64501+:1098900096080012961F00109619001A9618001EBE
64502+:1098A000960F001C310CFFFF33EBFFFF332AFFFF45
64503+:1098B0003309FFFF31E6FFFF3C010800AC2B0040FD
64504+:1098C0003C010800AC2C00243C010800AC2A0044F8
64505+:1098D000AE293178AE26317C92020015960300162F
64506+:1098E00036520010304400FF3065FFFF3C06080090
64507+:1098F0008CC60064AE243188AE4500B492080014D2
64508+:1099000096190018241F0001011FC004332FFFFF08
64509+:109910003C0508008CA50058AE5800B8AE4F00BCFE
64510+:10992000920C0014AF8E00D8AF8D00DC318B00FF9D
64511+:10993000AE4B00C0920A0015AE670048AE66004C00
64512+:10994000314900FFAE4900C8AE65007C3C03080009
64513+:109950008C6300503C0408008C84004C3C080800D8
64514+:109960008D0800543C0208008C42005C8FBF00242C
64515+:10997000AE6300808FB00010AE8300748FB3001C04
64516+:10998000AE22319CAE4200DCAE2731A0AE2631A41F
64517+:10999000AE24318CAE233190AE283194AE2531986F
64518+:1099A000AE870050AE860054AE8500708FB10014B3
64519+:1099B000AE4700E0AE4600E4AE4400CCAE4300D07B
64520+:1099C000AE4800D4AE4500D88FB400208FB2001846
64521+:1099D00003E0000827BD002827BDFFE0AFB1001459
64522+:1099E000AFBF0018241100010E000845AFB00010F1
64523+:1099F00010510005978400E6978300CC0083102B5C
64524+:109A0000144000088F8500D4240700028FBF00187F
64525+:109A10008FB100148FB0001000E0102103E00008A7
64526+:109A200027BD00200E000C7A24040005AF8200E858
64527+:109A30001040FFF6240700020E0008498F90001C1A
64528+:109A4000979F00E68F9900E88F8D00C827EF0001EF
64529+:109A5000240E0050AF590020A78F00E6A1AE0000F1
64530+:109A60003C0C08008D8C00648F8600C8240A80009E
64531+:109A7000000C5E00ACCB0074A4C0000694C9000AC0
64532+:109A8000241FFF803C0D000C012AC024A4D8000A2A
64533+:109A900090C8000A24182000011F1825A0C3000A3E
64534+:109AA0008F8700C8A0E000788F8500C800003821AB
64535+:109AB000A0A000833C0208008C4200508F8400E884
64536+:109AC0000044782101FFC824AF590028960B0002FA
64537+:109AD00031EE007F01DA6021018D3021A4CB00D46A
64538+:109AE000960A0002AF8600D03C0E000425492401EE
64539+:109AF000A4C900E68E080004ACC800048E03000868
64540+:109B0000ACC30000A4C00010A4C00014A0C000D0CA
64541+:109B10008F8500D02403FFBFA0A000D13C04080023
64542+:109B20008C8400648F8200D0A04400D28E1F000C71
64543+:109B30008F8A00D0978F00E4AD5F001C8E19001053
64544+:109B400024100030AD590018A5400030A551005434
64545+:109B5000A5510056A54F0016AD4E0068AD580080C7
64546+:109B6000AD580084914D006231AC000F358B001070
64547+:109B7000A14B00628F8600D090C900633128007F1E
64548+:109B8000A0C800638F8400D02406FFFF9085006387
64549+:109B900000A31024A08200638F9100D000E0102168
64550+:109BA000923F00BC37F90001A23900BC8F8A00D077
64551+:109BB000938F00F0AD580064AD5000C0914E00D3BB
64552+:109BC000000F690031CC000F018D5825A14B00D347
64553+:109BD0008F8500D08F8900DCACA900E88F8800D881
64554+:109BE0008FBF00188FB100148FB0001027BD002068
64555+:109BF000ACA800ECA4A600D6A4A000E0A4A000E2BB
64556+:109C000003E000080000000027BDFFE0AFB0001037
64557+:109C10008F90001CAFB10014AFBF00188E19000464
64558+:109C20003C1808008F180050240FFF80001989C0CD
64559+:109C30000238702131CD007F01CF602401BA50215C
64560+:109C40003C0B000CAF4C0028014B4021950900D47F
64561+:109C5000950400D68E0700043131FFFFAF8800D095
64562+:109C60000E000913000721C08E0600048F8300C870
64563+:109C7000000629C0AF4500209064003E30820040BD
64564+:109C8000144000068F8400D0341FFFFF948300D659
64565+:109C90003062FFFF145F000400000000948400D6CF
64566+:109CA0000E0008A83084FFFF8E050004022030213A
64567+:109CB0008FBF00188FB100148FB000102404002251
64568+:109CC00000003821000529C00A00127C27BD0020B1
64569+:109CD00027BDFFE0AFB100143091FFFFAFB000101F
64570+:109CE000AFBF00181220001D000080218F86001CCD
64571+:109CF0008CC500002403000600053F020005140285
64572+:109D000030E4000714830015304500FF2CA800063E
64573+:109D10001100004D000558803C0C0800258C57D4DC
64574+:109D2000016C50218D490000012000080000000056
64575+:109D30008F8E00EC240D000111CD005900000000B1
64576+:109D4000260B00013170FFFF24CA00200211202BD6
64577+:109D5000014030211480FFE6AF8A001C0200102170
64578+:109D60008FBF00188FB100148FB0001003E00008FF
64579+:109D700027BD0020938700CE14E00038240400148F
64580+:109D80000E001338000000008F86001C2402000122
64581+:109D90000A00147FAF8200EC8F8900EC24080002D7
64582+:109DA0001128003B2404001300002821000030216A
64583+:109DB000240700010E00127C000000000A00147F3E
64584+:109DC0008F86001C8F8700EC2405000214E5FFF647
64585+:109DD000240400120E0012E9000000008F8500E844
64586+:109DE00000403021240400120E00127C00003821B3
64587+:109DF0000A00147F8F86001C8F8300EC241F000351
64588+:109E0000147FFFD0260B00010E00129B0000000003
64589+:109E10008F8500E800403021240200022404001055
64590+:109E200000003821AF8200EC0E00127C0000000020
64591+:109E30000A00147F8F86001C8F8F00EC240600021E
64592+:109E400011E6000B0000000024040010000028218F
64593+:109E5000000030210A00149C240700010000282182
64594+:109E60000E00127C000030210A00147F8F86001C37
64595+:109E70000E0013A500000000144000128F99001C72
64596+:109E80008F86001C240200030A00147FAF8200ECBE
64597+:109E90000E001431000000000A00147F8F86001CA1
64598+:109EA0000E00128B000000002402000224040014A3
64599+:109EB0000000282100003021000038210A0014B9D8
64600+:109EC000AF8200EC004038212404001097380002D3
64601+:109ED000000028210E00127C3306FFFF0A00147FC9
64602+:109EE0008F86001C8F8400C83C077FFF34E6FFFF8D
64603+:109EF0008C8500742402000100A61824AC83007431
64604+:109F000003E00008A082000510A000362CA200800B
64605+:109F1000274A04003C0B000524090080104000077C
64606+:109F20002408008030A6000F00C540212D030081C9
64607+:109F30001460000200A0482124080080AF4B0030CC
64608+:109F400000000000000000000000000011000009F7
64609+:109F500000003821014030218C8D000024E70004EE
64610+:109F600000E8602BACCD0000248400041580FFFACB
64611+:109F700024C60004000000000000000000000000F3
64612+:109F80003C0E0006010E3825AF47003000000000EF
64613+:109F900000000000000000008F4F000031E80010BA
64614+:109FA0001100FFFD000000008F42003C8F43003C89
64615+:109FB0000049C8210323C02B130000040000000047
64616+:109FC0008F4C003825860001AF4600388F47003C93
64617+:109FD00000A9282300E96821AF4D003C14A0FFCE62
64618+:109FE0002CA2008003E000080000000027BDFFD085
64619+:109FF0003C020002AFB100143C11000CAF45003828
64620+:10A00000AFB3001CAF46003C00809821AF42003047
64621+:10A0100024050088AF44002803512021AFBF002849
64622+:10A02000AFB50024AFB40020AFB200180E0014F199
64623+:10A03000AFB000103C1F08008FFF004C3C18080018
64624+:10A040008F1800642410FF8003F3A82132B9007F29
64625+:10A0500002B078240018A0C0033A70210018914083
64626+:10A0600001D12021AF4F00280E0014F10254282105
64627+:10A070003C0D08008DAD00502405012001B358218E
64628+:10A08000316C007F01705024019A48210131202158
64629+:10A090000E0014F1AF4A00283C0808008D08005457
64630+:10A0A0003C0508008CA500640113382130E6007FD0
64631+:10A0B00000F0182400DA202100912021AF4300286D
64632+:10A0C0000E0014F1000529403C0208008C420058A3
64633+:10A0D0003C1008008E1000601200001C0053882104
64634+:10A0E0002415FF800A0015743C14000C3226007FF2
64635+:10A0F0000235182400DA202102402821AF4300282D
64636+:10A10000009420210E0014F12610FFC01200000F51
64637+:10A11000023288212E05004110A0FFF42412100005
64638+:10A120003226007F001091800235182400DA2021A9
64639+:10A1300002402821AF430028009420210E0014F192
64640+:10A14000000080211600FFF3023288213C0B08003A
64641+:10A150008D6B005C240AFF802405000201734021FE
64642+:10A16000010A4824AF4900283C0408009484006296
64643+:10A170003110007F021A88213C07000C0E000CAA47
64644+:10A180000227982100402821026020218FBF00284B
64645+:10A190008FB500248FB400208FB3001C8FB200183D
64646+:10A1A0008FB100148FB000100A0014F127BD0030E9
64647+:10A1B0008F83001C8C62000410400003000000002C
64648+:10A1C00003E00008000000008C6400108C650008AB
64649+:10A1D0000A00152A8C66000C000000000000001B1D
64650+:10A1E0000000000F0000000A000000080000000648
64651+:10A1F000000000050000000500000004000000044D
64652+:10A200000000000300000003000000030000000342
64653+:10A210000000000300000002000000020000000235
64654+:10A220000000000200000002000000020000000226
64655+:10A230000000000200000002000000020000000216
64656+:10A240000000000200000002000000020000000206
64657+:10A2500000000001000000010000000108000F24C0
64658+:10A2600008000D6C08000FB80800106008000F4CC3
64659+:10A2700008000F8C0800119408000D88080011B820
64660+:10A2800008000DD8080015540800151C08000D889A
64661+:10A2900008000D8808000D880800124008001240D0
64662+:10A2A00008000D8808000D88080014E008000D88DB
64663+:10A2B00008000D8808000D8808000D88080013B4F8
64664+:10A2C00008000D8808000D8808000D8808000D881A
64665+:10A2D00008000D8808000D8808000D8808000D880A
64666+:10A2E00008000D8808000D8808000D8808000D88FA
64667+:10A2F00008000D8808000D8808000FAC08000D88C4
64668+:10A3000008000D880800167808000D8808000D88E0
64669+:10A3100008000D8808000D8808000D8808000D88C9
64670+:10A3200008000D8808000D8808000D8808000D88B9
64671+:10A3300008000D8808000D8808000D8808000D88A9
64672+:10A3400008000D8808000D8808000D88080014100A
64673+:10A3500008000D8808000D8808001334080012A4B6
64674+:10A3600008001E2C08001EFC08001F1408001F28EF
64675+:10A3700008001F3808001E2C08001E2C08001E2C88
64676+:10A3800008001ED808002E1408002E1C08002DE41A
64677+:10A3900008002DF008002DFC08002E08080052F4DB
64678+:10A3A000080052B40800528008005254080052308D
64679+:10A3B000080051EC0A000C840000000000000000BE
64680+:10A3C0000000000D727870362E322E33000000002F
64681+:10A3D000060203030000000000000001000000006E
64682+:10A3E000000000000000000000000000000000006D
64683+:10A3F000000000000000000000000000000000005D
64684+:10A40000000000000000000000000000000000004C
64685+:10A41000000000000000000000000000000000003C
64686+:10A42000000000000000000000000000000000002C
64687+:10A43000000000000000000000000000000000001C
64688+:10A44000000000000000000000000000000000000C
64689+:10A4500000000000000000000000000000000000FC
64690+:10A4600000000000000000000000000000000000EC
64691+:10A4700000000000000000000000000000000000DC
64692+:10A4800000000000000000000000000000000000CC
64693+:10A4900000000000000000000000000000000000BC
64694+:10A4A00000000000000000000000000000000000AC
64695+:10A4B000000000000000000000000000000000009C
64696+:10A4C000000000000000000000000000000000008C
64697+:10A4D000000000000000000000000000000000007C
64698+:10A4E000000000000000000000000000000000006C
64699+:10A4F000000000000000000000000000000000005C
64700+:10A50000000000000000000000000000000000004B
64701+:10A51000000000000000000000000000000000003B
64702+:10A52000000000000000000000000000000000002B
64703+:10A53000000000000000000000000000000000001B
64704+:10A54000000000000000000000000000000000000B
64705+:10A5500000000000000000000000000000000000FB
64706+:10A5600000000000000000000000000000000000EB
64707+:10A5700000000000000000000000000000000000DB
64708+:10A5800000000000000000000000000000000000CB
64709+:10A5900000000000000000000000000000000000BB
64710+:10A5A00000000000000000000000000000000000AB
64711+:10A5B000000000000000000000000000000000009B
64712+:10A5C000000000000000000000000000000000008B
64713+:10A5D000000000000000000000000000000000007B
64714+:10A5E000000000000000000000000000000000006B
64715+:10A5F000000000000000000000000000000000005B
64716+:10A60000000000000000000000000000000000004A
64717+:10A61000000000000000000000000000000000003A
64718+:10A62000000000000000000000000000000000002A
64719+:10A63000000000000000000000000000000000001A
64720+:10A64000000000000000000000000000000000000A
64721+:10A6500000000000000000000000000000000000FA
64722+:10A6600000000000000000000000000000000000EA
64723+:10A6700000000000000000000000000000000000DA
64724+:10A6800000000000000000000000000000000000CA
64725+:10A6900000000000000000000000000000000000BA
64726+:10A6A00000000000000000000000000000000000AA
64727+:10A6B000000000000000000000000000000000009A
64728+:10A6C000000000000000000000000000000000008A
64729+:10A6D000000000000000000000000000000000007A
64730+:10A6E000000000000000000000000000000000006A
64731+:10A6F000000000000000000000000000000000005A
64732+:10A700000000000000000000000000000000000049
64733+:10A710000000000000000000000000000000000039
64734+:10A720000000000000000000000000000000000029
64735+:10A730000000000000000000000000000000000019
64736+:10A740000000000000000000000000000000000009
64737+:10A7500000000000000000000000000000000000F9
64738+:10A7600000000000000000000000000000000000E9
64739+:10A7700000000000000000000000000000000000D9
64740+:10A7800000000000000000000000000000000000C9
64741+:10A7900000000000000000000000000000000000B9
64742+:10A7A00000000000000000000000000000000000A9
64743+:10A7B0000000000000000000000000000000000099
64744+:10A7C0000000000000000000000000000000000089
64745+:10A7D0000000000000000000000000000000000079
64746+:10A7E0000000000000000000000000000000000069
64747+:10A7F0000000000000000000000000000000000059
64748+:10A800000000000000000000000000000000000048
64749+:10A810000000000000000000000000000000000038
64750+:10A820000000000000000000000000000000000028
64751+:10A830000000000000000000000000000000000018
64752+:10A840000000000000000000000000000000000008
64753+:10A8500000000000000000000000000000000000F8
64754+:10A8600000000000000000000000000000000000E8
64755+:10A8700000000000000000000000000000000000D8
64756+:10A8800000000000000000000000000000000000C8
64757+:10A8900000000000000000000000000000000000B8
64758+:10A8A00000000000000000000000000000000000A8
64759+:10A8B0000000000000000000000000000000000098
64760+:10A8C0000000000000000000000000000000000088
64761+:10A8D0000000000000000000000000000000000078
64762+:10A8E0000000000000000000000000000000000068
64763+:10A8F0000000000000000000000000000000000058
64764+:10A900000000000000000000000000000000000047
64765+:10A910000000000000000000000000000000000037
64766+:10A920000000000000000000000000000000000027
64767+:10A930000000000000000000000000000000000017
64768+:10A940000000000000000000000000000000000007
64769+:10A9500000000000000000000000000000000000F7
64770+:10A9600000000000000000000000000000000000E7
64771+:10A9700000000000000000000000000000000000D7
64772+:10A9800000000000000000000000000000000000C7
64773+:10A9900000000000000000000000000000000000B7
64774+:10A9A00000000000000000000000000000000000A7
64775+:10A9B0000000000000000000000000000000000097
64776+:10A9C0000000000000000000000000000000000087
64777+:10A9D0000000000000000000000000000000000077
64778+:10A9E0000000000000000000000000000000000067
64779+:10A9F0000000000000000000000000000000000057
64780+:10AA00000000000000000000000000000000000046
64781+:10AA10000000000000000000000000000000000036
64782+:10AA20000000000000000000000000000000000026
64783+:10AA30000000000000000000000000000000000016
64784+:10AA40000000000000000000000000000000000006
64785+:10AA500000000000000000000000000000000000F6
64786+:10AA600000000000000000000000000000000000E6
64787+:10AA700000000000000000000000000000000000D6
64788+:10AA800000000000000000000000000000000000C6
64789+:10AA900000000000000000000000000000000000B6
64790+:10AAA00000000000000000000000000000000000A6
64791+:10AAB0000000000000000000000000000000000096
64792+:10AAC0000000000000000000000000000000000086
64793+:10AAD0000000000000000000000000000000000076
64794+:10AAE0000000000000000000000000000000000066
64795+:10AAF0000000000000000000000000000000000056
64796+:10AB00000000000000000000000000000000000045
64797+:10AB10000000000000000000000000000000000035
64798+:10AB20000000000000000000000000000000000025
64799+:10AB30000000000000000000000000000000000015
64800+:10AB40000000000000000000000000000000000005
64801+:10AB500000000000000000000000000000000000F5
64802+:10AB600000000000000000000000000000000000E5
64803+:10AB700000000000000000000000000000000000D5
64804+:10AB800000000000000000000000000000000000C5
64805+:10AB900000000000000000000000000000000000B5
64806+:10ABA00000000000000000000000000000000000A5
64807+:10ABB0000000000000000000000000000000000095
64808+:10ABC0000000000000000000000000000000000085
64809+:10ABD0000000000000000000000000000000000075
64810+:10ABE0000000000000000000000000000000000065
64811+:10ABF0000000000000000000000000000000000055
64812+:10AC00000000000000000000000000000000000044
64813+:10AC10000000000000000000000000000000000034
64814+:10AC20000000000000000000000000000000000024
64815+:10AC30000000000000000000000000000000000014
64816+:10AC40000000000000000000000000000000000004
64817+:10AC500000000000000000000000000000000000F4
64818+:10AC600000000000000000000000000000000000E4
64819+:10AC700000000000000000000000000000000000D4
64820+:10AC800000000000000000000000000000000000C4
64821+:10AC900000000000000000000000000000000000B4
64822+:10ACA00000000000000000000000000000000000A4
64823+:10ACB0000000000000000000000000000000000094
64824+:10ACC0000000000000000000000000000000000084
64825+:10ACD0000000000000000000000000000000000074
64826+:10ACE0000000000000000000000000000000000064
64827+:10ACF0000000000000000000000000000000000054
64828+:10AD00000000000000000000000000000000000043
64829+:10AD10000000000000000000000000000000000033
64830+:10AD20000000000000000000000000000000000023
64831+:10AD30000000000000000000000000000000000013
64832+:10AD40000000000000000000000000000000000003
64833+:10AD500000000000000000000000000000000000F3
64834+:10AD600000000000000000000000000000000000E3
64835+:10AD700000000000000000000000000000000000D3
64836+:10AD800000000000000000000000000000000000C3
64837+:10AD900000000000000000000000000000000000B3
64838+:10ADA00000000000000000000000000000000000A3
64839+:10ADB0000000000000000000000000000000000093
64840+:10ADC0000000000000000000000000000000000083
64841+:10ADD0000000000000000000000000000000000073
64842+:10ADE0000000000000000000000000000000000063
64843+:10ADF0000000000000000000000000000000000053
64844+:10AE00000000000000000000000000000000000042
64845+:10AE10000000000000000000000000000000000032
64846+:10AE20000000000000000000000000000000000022
64847+:10AE30000000000000000000000000000000000012
64848+:10AE40000000000000000000000000000000000002
64849+:10AE500000000000000000000000000000000000F2
64850+:10AE600000000000000000000000000000000000E2
64851+:10AE700000000000000000000000000000000000D2
64852+:10AE800000000000000000000000000000000000C2
64853+:10AE900000000000000000000000000000000000B2
64854+:10AEA00000000000000000000000000000000000A2
64855+:10AEB0000000000000000000000000000000000092
64856+:10AEC0000000000000000000000000000000000082
64857+:10AED0000000000000000000000000000000000072
64858+:10AEE0000000000000000000000000000000000062
64859+:10AEF0000000000000000000000000000000000052
64860+:10AF00000000000000000000000000000000000041
64861+:10AF10000000000000000000000000000000000031
64862+:10AF20000000000000000000000000000000000021
64863+:10AF30000000000000000000000000000000000011
64864+:10AF40000000000000000000000000000000000001
64865+:10AF500000000000000000000000000000000000F1
64866+:10AF600000000000000000000000000000000000E1
64867+:10AF700000000000000000000000000000000000D1
64868+:10AF800000000000000000000000000000000000C1
64869+:10AF900000000000000000000000000000000000B1
64870+:10AFA00000000000000000000000000000000000A1
64871+:10AFB0000000000000000000000000000000000091
64872+:10AFC0000000000000000000000000000000000081
64873+:10AFD0000000000000000000000000000000000071
64874+:10AFE0000000000000000000000000000000000061
64875+:10AFF0000000000000000000000000000000000051
64876+:10B000000000000000000000000000000000000040
64877+:10B010000000000000000000000000000000000030
64878+:10B020000000000000000000000000000000000020
64879+:10B030000000000000000000000000000000000010
64880+:10B040000000000000000000000000000000000000
64881+:10B0500000000000000000000000000000000000F0
64882+:10B0600000000000000000000000000000000000E0
64883+:10B0700000000000000000000000000000000000D0
64884+:10B0800000000000000000000000000000000000C0
64885+:10B0900000000000000000000000000000000000B0
64886+:10B0A00000000000000000000000000000000000A0
64887+:10B0B0000000000000000000000000000000000090
64888+:10B0C0000000000000000000000000000000000080
64889+:10B0D0000000000000000000000000000000000070
64890+:10B0E0000000000000000000000000000000000060
64891+:10B0F0000000000000000000000000000000000050
64892+:10B10000000000000000000000000000000000003F
64893+:10B11000000000000000000000000000000000002F
64894+:10B12000000000000000000000000000000000001F
64895+:10B13000000000000000000000000000000000000F
64896+:10B1400000000000000000000000000000000000FF
64897+:10B1500000000000000000000000000000000000EF
64898+:10B1600000000000000000000000000000000000DF
64899+:10B1700000000000000000000000000000000000CF
64900+:10B1800000000000000000000000000000000000BF
64901+:10B1900000000000000000000000000000000000AF
64902+:10B1A000000000000000000000000000000000009F
64903+:10B1B000000000000000000000000000000000008F
64904+:10B1C000000000000000000000000000000000007F
64905+:10B1D000000000000000000000000000000000006F
64906+:10B1E000000000000000000000000000000000005F
64907+:10B1F000000000000000000000000000000000004F
64908+:10B20000000000000000000000000000000000003E
64909+:10B21000000000000000000000000000000000002E
64910+:10B22000000000000000000000000000000000001E
64911+:10B23000000000000000000000000000000000000E
64912+:10B2400000000000000000000000000000000000FE
64913+:10B2500000000000000000000000000000000000EE
64914+:10B2600000000000000000000000000000000000DE
64915+:10B2700000000000000000000000000000000000CE
64916+:10B2800000000000000000000000000000000000BE
64917+:10B2900000000000000000000000000000000000AE
64918+:10B2A000000000000000000000000000000000009E
64919+:10B2B000000000000000000000000000000000008E
64920+:10B2C000000000000000000000000000000000007E
64921+:10B2D000000000000000000000000000000000006E
64922+:10B2E000000000000000000000000000000000005E
64923+:10B2F000000000000000000000000000000000004E
64924+:10B30000000000000000000000000000000000003D
64925+:10B31000000000000000000000000000000000002D
64926+:10B32000000000000000000000000000000000001D
64927+:10B33000000000000000000000000000000000000D
64928+:10B3400000000000000000000000000000000000FD
64929+:10B3500000000000000000000000000000000000ED
64930+:10B3600000000000000000000000000000000000DD
64931+:10B3700000000000000000000000000000000000CD
64932+:10B3800000000000000000000000000000000000BD
64933+:10B3900000000000000000000000000000000000AD
64934+:10B3A000000000000000000000000000000000009D
64935+:10B3B000000000000000000000000000000000008D
64936+:10B3C000000000000000000000000000000000007D
64937+:10B3D000000000000000000000000000000000006D
64938+:10B3E000000000000000000000000000000000005D
64939+:10B3F000000000000000000000000000000000004D
64940+:10B40000000000000000000000000000000000003C
64941+:10B41000000000000000000000000000000000002C
64942+:10B42000000000000000000000000000000000001C
64943+:10B43000000000000000000000000000000000000C
64944+:10B4400000000000000000000000000000000000FC
64945+:10B4500000000000000000000000000000000000EC
64946+:10B4600000000000000000000000000000000000DC
64947+:10B4700000000000000000000000000000000000CC
64948+:10B4800000000000000000000000000000000000BC
64949+:10B4900000000000000000000000000000000000AC
64950+:10B4A000000000000000000000000000000000009C
64951+:10B4B000000000000000000000000000000000008C
64952+:10B4C000000000000000000000000000000000007C
64953+:10B4D000000000000000000000000000000000006C
64954+:10B4E000000000000000000000000000000000005C
64955+:10B4F000000000000000000000000000000000004C
64956+:10B50000000000000000000000000000000000003B
64957+:10B51000000000000000000000000000000000002B
64958+:10B52000000000000000000000000000000000001B
64959+:10B53000000000000000000000000000000000000B
64960+:10B5400000000000000000000000000000000000FB
64961+:10B5500000000000000000000000000000000000EB
64962+:10B5600000000000000000000000000000000000DB
64963+:10B5700000000000000000000000000000000000CB
64964+:10B5800000000000000000000000000000000000BB
64965+:10B5900000000000000000000000000000000000AB
64966+:10B5A000000000000000000000000000000000009B
64967+:10B5B000000000000000000000000000000000008B
64968+:10B5C000000000000000000000000000000000007B
64969+:10B5D000000000000000000000000000000000006B
64970+:10B5E000000000000000000000000000000000005B
64971+:10B5F000000000000000000000000000000000004B
64972+:10B60000000000000000000000000000000000003A
64973+:10B61000000000000000000000000000000000002A
64974+:10B62000000000000000000000000000000000001A
64975+:10B63000000000000000000000000000000000000A
64976+:10B6400000000000000000000000000000000000FA
64977+:10B6500000000000000000000000000000000000EA
64978+:10B6600000000000000000000000000000000000DA
64979+:10B6700000000000000000000000000000000000CA
64980+:10B6800000000000000000000000000000000000BA
64981+:10B6900000000000000000000000000000000000AA
64982+:10B6A000000000000000000000000000000000009A
64983+:10B6B000000000000000000000000000000000008A
64984+:10B6C000000000000000000000000000000000007A
64985+:10B6D000000000000000000000000000000000006A
64986+:10B6E000000000000000000000000000000000005A
64987+:10B6F000000000000000000000000000000000004A
64988+:10B700000000000000000000000000000000000039
64989+:10B710000000000000000000000000000000000029
64990+:10B720000000000000000000000000000000000019
64991+:10B730000000000000000000000000000000000009
64992+:10B7400000000000000000000000000000000000F9
64993+:10B7500000000000000000000000000000000000E9
64994+:10B7600000000000000000000000000000000000D9
64995+:10B7700000000000000000000000000000000000C9
64996+:10B7800000000000000000000000000000000000B9
64997+:10B7900000000000000000000000000000000000A9
64998+:10B7A0000000000000000000000000000000000099
64999+:10B7B0000000000000000000000000000000000089
65000+:10B7C0000000000000000000000000000000000079
65001+:10B7D0000000000000000000000000000000000069
65002+:10B7E0000000000000000000000000000000000059
65003+:10B7F0000000000000000000000000000000000049
65004+:10B800000000000000000000000000000000000038
65005+:10B810000000000000000000000000000000000028
65006+:10B820000000000000000000000000000000000018
65007+:10B830000000000000000000000000000000000008
65008+:10B8400000000000000000000000000000000000F8
65009+:10B8500000000000000000000000000000000000E8
65010+:10B8600000000000000000000000000000000000D8
65011+:10B8700000000000000000000000000000000000C8
65012+:10B8800000000000000000000000000000000000B8
65013+:10B8900000000000000000000000000000000000A8
65014+:10B8A0000000000000000000000000000000000098
65015+:10B8B0000000000000000000000000000000000088
65016+:10B8C0000000000000000000000000000000000078
65017+:10B8D0000000000000000000000000000000000068
65018+:10B8E0000000000000000000000000000000000058
65019+:10B8F0000000000000000000000000000000000048
65020+:10B900000000000000000000000000000000000037
65021+:10B910000000000000000000000000000000000027
65022+:10B920000000000000000000000000000000000017
65023+:10B930000000000000000000000000000000000007
65024+:10B9400000000000000000000000000000000000F7
65025+:10B9500000000000000000000000000000000000E7
65026+:10B9600000000000000000000000000000000000D7
65027+:10B9700000000000000000000000000000000000C7
65028+:10B9800000000000000000000000000000000000B7
65029+:10B9900000000000000000000000000000000000A7
65030+:10B9A0000000000000000000000000000000000097
65031+:10B9B0000000000000000000000000000000000087
65032+:10B9C0000000000000000000000000000000000077
65033+:10B9D0000000000000000000000000000000000067
65034+:10B9E0000000000000000000000000000000000057
65035+:10B9F0000000000000000000000000000000000047
65036+:10BA00000000000000000000000000000000000036
65037+:10BA10000000000000000000000000000000000026
65038+:10BA20000000000000000000000000000000000016
65039+:10BA30000000000000000000000000000000000006
65040+:10BA400000000000000000000000000000000000F6
65041+:10BA500000000000000000000000000000000000E6
65042+:10BA600000000000000000000000000000000000D6
65043+:10BA700000000000000000000000000000000000C6
65044+:10BA800000000000000000000000000000000000B6
65045+:10BA900000000000000000000000000000000000A6
65046+:10BAA0000000000000000000000000000000000096
65047+:10BAB0000000000000000000000000000000000086
65048+:10BAC0000000000000000000000000000000000076
65049+:10BAD0000000000000000000000000000000000066
65050+:10BAE0000000000000000000000000000000000056
65051+:10BAF0000000000000000000000000000000000046
65052+:10BB00000000000000000000000000000000000035
65053+:10BB10000000000000000000000000000000000025
65054+:10BB20000000000000000000000000000000000015
65055+:10BB30000000000000000000000000000000000005
65056+:10BB400000000000000000000000000000000000F5
65057+:10BB500000000000000000000000000000000000E5
65058+:10BB600000000000000000000000000000000000D5
65059+:10BB700000000000000000000000000000000000C5
65060+:10BB800000000000000000000000000000000000B5
65061+:10BB900000000000000000000000000000000000A5
65062+:10BBA0000000000000000000000000000000000095
65063+:10BBB0000000000000000000000000000000000085
65064+:10BBC0000000000000000000000000000000000075
65065+:10BBD0000000000000000000000000000000000065
65066+:10BBE0000000000000000000000000000000000055
65067+:10BBF0000000000000000000000000000000000045
65068+:10BC00000000000000000000000000000000000034
65069+:10BC10000000000000000000000000000000000024
65070+:10BC20000000000000000000000000000000000014
65071+:10BC30000000000000000000000000000000000004
65072+:10BC400000000000000000000000000000000000F4
65073+:10BC500000000000000000000000000000000000E4
65074+:10BC600000000000000000000000000000000000D4
65075+:10BC700000000000000000000000000000000000C4
65076+:10BC800000000000000000000000000000000000B4
65077+:10BC900000000000000000000000000000000000A4
65078+:10BCA0000000000000000000000000000000000094
65079+:10BCB0000000000000000000000000000000000084
65080+:10BCC0000000000000000000000000000000000074
65081+:10BCD0000000000000000000000000000000000064
65082+:10BCE0000000000000000000000000000000000054
65083+:10BCF0000000000000000000000000000000000044
65084+:10BD00000000000000000000000000000000000033
65085+:10BD10000000000000000000000000000000000023
65086+:10BD20000000000000000000000000000000000013
65087+:10BD30000000000000000000000000000000000003
65088+:10BD400000000000000000000000000000000000F3
65089+:10BD500000000000000000000000000000000000E3
65090+:10BD600000000000000000000000000000000000D3
65091+:10BD700000000000000000000000000000000000C3
65092+:10BD800000000000000000000000000000000000B3
65093+:10BD900000000000000000000000000000000000A3
65094+:10BDA0000000000000000000000000000000000093
65095+:10BDB0000000000000000000000000000000000083
65096+:10BDC0000000000000000000000000000000000073
65097+:10BDD0000000000000000000000000000000000063
65098+:10BDE0000000000000000000000000000000000053
65099+:10BDF0000000000000000000000000000000000043
65100+:10BE00000000000000000000000000000000000032
65101+:10BE10000000000000000000000000000000000022
65102+:10BE20000000000000000000000000000000000012
65103+:10BE30000000000000000000000000000000000002
65104+:10BE400000000000000000000000000000000000F2
65105+:10BE500000000000000000000000000000000000E2
65106+:10BE600000000000000000000000000000000000D2
65107+:10BE700000000000000000000000000000000000C2
65108+:10BE800000000000000000000000000000000000B2
65109+:10BE900000000000000000000000000000000000A2
65110+:10BEA0000000000000000000000000000000000092
65111+:10BEB0000000000000000000000000000000000082
65112+:10BEC0000000000000000000000000000000000072
65113+:10BED0000000000000000000000000000000000062
65114+:10BEE0000000000000000000000000000000000052
65115+:10BEF0000000000000000000000000000000000042
65116+:10BF00000000000000000000000000000000000031
65117+:10BF10000000000000000000000000000000000021
65118+:10BF20000000000000000000000000000000000011
65119+:10BF30000000000000000000000000000000000001
65120+:10BF400000000000000000000000000000000000F1
65121+:10BF500000000000000000000000000000000000E1
65122+:10BF600000000000000000000000000000000000D1
65123+:10BF700000000000000000000000000000000000C1
65124+:10BF800000000000000000000000000000000000B1
65125+:10BF900000000000000000000000000000000000A1
65126+:10BFA0000000000000000000000000000000000091
65127+:10BFB0000000000000000000000000000000000081
65128+:10BFC0000000000000000000000000000000000071
65129+:10BFD0000000000000000000000000000000000061
65130+:10BFE0000000000000000000000000000000000051
65131+:10BFF0000000000000000000000000000000000041
65132+:10C000000000000000000000000000000000000030
65133+:10C010000000000000000000000000000000000020
65134+:10C020000000000000000000000000000000000010
65135+:10C030000000000000000000000000000000000000
65136+:10C0400000000000000000000000000000000000F0
65137+:10C0500000000000000000000000000000000000E0
65138+:10C0600000000000000000000000000000000000D0
65139+:10C0700000000000000000000000000000000000C0
65140+:10C0800000000000000000000000000000000000B0
65141+:10C0900000000000000000000000000000000000A0
65142+:10C0A0000000000000000000000000000000000090
65143+:10C0B0000000000000000000000000000000000080
65144+:10C0C0000000000000000000000000000000000070
65145+:10C0D0000000000000000000000000000000000060
65146+:10C0E0000000000000000000000000000000000050
65147+:10C0F0000000000000000000000000000000000040
65148+:10C10000000000000000000000000000000000002F
65149+:10C11000000000000000000000000000000000001F
65150+:10C12000000000000000000000000000000000000F
65151+:10C1300000000000000000000000000000000000FF
65152+:10C1400000000000000000000000000000000000EF
65153+:10C1500000000000000000000000000000000000DF
65154+:10C1600000000000000000000000000000000000CF
65155+:10C1700000000000000000000000000000000000BF
65156+:10C1800000000000000000000000000000000000AF
65157+:10C19000000000000000000000000000000000009F
65158+:10C1A000000000000000000000000000000000008F
65159+:10C1B000000000000000000000000000000000007F
65160+:10C1C000000000000000000000000000000000006F
65161+:10C1D000000000000000000000000000000000005F
65162+:10C1E000000000000000000000000000000000004F
65163+:10C1F000000000000000000000000000000000003F
65164+:10C20000000000000000000000000000000000002E
65165+:10C21000000000000000000000000000000000001E
65166+:10C22000000000000000000000000000000000000E
65167+:10C2300000000000000000000000000000000000FE
65168+:10C2400000000000000000000000000000000000EE
65169+:10C2500000000000000000000000000000000000DE
65170+:10C2600000000000000000000000000000000000CE
65171+:10C2700000000000000000000000000000000000BE
65172+:10C2800000000000000000000000000000000000AE
65173+:10C29000000000000000000000000000000000009E
65174+:10C2A000000000000000000000000000000000008E
65175+:10C2B000000000000000000000000000000000007E
65176+:10C2C000000000000000000000000000000000006E
65177+:10C2D000000000000000000000000000000000005E
65178+:10C2E000000000000000000000000000000000004E
65179+:10C2F000000000000000000000000000000000003E
65180+:10C30000000000000000000000000000000000002D
65181+:10C31000000000000000000000000000000000001D
65182+:10C32000000000000000000000000000000000000D
65183+:10C3300000000000000000000000000000000000FD
65184+:10C3400000000000000000000000000000000000ED
65185+:10C3500000000000000000000000000000000000DD
65186+:10C3600000000000000000000000000000000000CD
65187+:10C3700000000000000000000000000000000000BD
65188+:10C3800000000000000000000000000000000000AD
65189+:10C39000000000000000000000000000000000009D
65190+:10C3A000000000000000000000000000000000008D
65191+:10C3B000000000000000000000000000000000007D
65192+:10C3C000000000000000000000000000000000006D
65193+:10C3D000000000000000000000000000000000005D
65194+:10C3E000000000000000000000000000000000004D
65195+:10C3F000000000000000000000000000000000003D
65196+:10C40000000000000000000000000000000000002C
65197+:10C41000000000000000000000000000000000001C
65198+:10C42000000000000000000000000000000000000C
65199+:10C4300000000000000000000000000000000000FC
65200+:10C4400000000000000000000000000000000000EC
65201+:10C4500000000000000000000000000000000000DC
65202+:10C4600000000000000000000000000000000000CC
65203+:10C4700000000000000000000000000000000000BC
65204+:10C4800000000000000000000000000000000000AC
65205+:10C49000000000000000000000000000000000009C
65206+:10C4A000000000000000000000000000000000008C
65207+:10C4B000000000000000000000000000000000007C
65208+:10C4C000000000000000000000000000000000006C
65209+:10C4D000000000000000000000000000000000005C
65210+:10C4E000000000000000000000000000000000004C
65211+:10C4F000000000000000000000000000000000003C
65212+:10C50000000000000000000000000000000000002B
65213+:10C51000000000000000000000000000000000001B
65214+:10C52000000000000000000000000000000000000B
65215+:10C5300000000000000000000000000000000000FB
65216+:10C5400000000000000000000000000000000000EB
65217+:10C5500000000000000000000000000000000000DB
65218+:10C5600000000000000000000000000000000000CB
65219+:10C5700000000000000000000000000000000000BB
65220+:10C5800000000000000000000000000000000000AB
65221+:10C59000000000000000000000000000000000009B
65222+:10C5A000000000000000000000000000000000008B
65223+:10C5B000000000000000000000000000000000007B
65224+:10C5C000000000000000000000000000000000006B
65225+:10C5D000000000000000000000000000000000005B
65226+:10C5E000000000000000000000000000000000004B
65227+:10C5F000000000000000000000000000000000003B
65228+:10C60000000000000000000000000000000000002A
65229+:10C61000000000000000000000000000000000001A
65230+:10C62000000000000000000000000000000000000A
65231+:10C6300000000000000000000000000000000000FA
65232+:10C6400000000000000000000000000000000000EA
65233+:10C6500000000000000000000000000000000000DA
65234+:10C6600000000000000000000000000000000000CA
65235+:10C6700000000000000000000000000000000000BA
65236+:10C6800000000000000000000000000000000000AA
65237+:10C69000000000000000000000000000000000009A
65238+:10C6A000000000000000000000000000000000008A
65239+:10C6B000000000000000000000000000000000007A
65240+:10C6C000000000000000000000000000000000006A
65241+:10C6D000000000000000000000000000000000005A
65242+:10C6E000000000000000000000000000000000004A
65243+:10C6F000000000000000000000000000000000003A
65244+:10C700000000000000000000000000000000000029
65245+:10C710000000000000000000000000000000000019
65246+:10C720000000000000000000000000000000000009
65247+:10C7300000000000000000000000000000000000F9
65248+:10C7400000000000000000000000000000000000E9
65249+:10C7500000000000000000000000000000000000D9
65250+:10C7600000000000000000000000000000000000C9
65251+:10C7700000000000000000000000000000000000B9
65252+:10C7800000000000000000000000000000000000A9
65253+:10C790000000000000000000000000000000000099
65254+:10C7A0000000000000000000000000000000000089
65255+:10C7B0000000000000000000000000000000000079
65256+:10C7C0000000000000000000000000000000000069
65257+:10C7D0000000000000000000000000000000000059
65258+:10C7E0000000000000000000000000000000000049
65259+:10C7F0000000000000000000000000000000000039
65260+:10C800000000000000000000000000000000000028
65261+:10C810000000000000000000000000000000000018
65262+:10C820000000000000000000000000000000000008
65263+:10C8300000000000000000000000000000000000F8
65264+:10C8400000000000000000000000000000000000E8
65265+:10C8500000000000000000000000000000000000D8
65266+:10C8600000000000000000000000000000000000C8
65267+:10C8700000000000000000000000000000000000B8
65268+:10C8800000000000000000000000000000000000A8
65269+:10C890000000000000000000000000000000000098
65270+:10C8A0000000000000000000000000000000000088
65271+:10C8B0000000000000000000000000000000000078
65272+:10C8C0000000000000000000000000000000000068
65273+:10C8D0000000000000000000000000000000000058
65274+:10C8E0000000000000000000000000000000000048
65275+:10C8F0000000000000000000000000000000000038
65276+:10C900000000000000000000000000000000000027
65277+:10C910000000000000000000000000000000000017
65278+:10C920000000000000000000000000000000000007
65279+:10C9300000000000000000000000000000000000F7
65280+:10C9400000000000000000000000000000000000E7
65281+:10C9500000000000000000000000000000000000D7
65282+:10C9600000000000000000000000000000000000C7
65283+:10C9700000000000000000000000000000000000B7
65284+:10C9800000000000000000000000000000000000A7
65285+:10C990000000000000000000000000000000000097
65286+:10C9A0000000000000000000000000000000000087
65287+:10C9B0000000000000000000000000000000000077
65288+:10C9C0000000000000000000000000000000000067
65289+:10C9D0000000000000000000000000000000000057
65290+:10C9E0000000000000000000000000000000000047
65291+:10C9F0000000000000000000000000000000000037
65292+:10CA00000000000000000000000000000000000026
65293+:10CA10000000000000000000000000000000000016
65294+:10CA20000000000000000000000000000000000006
65295+:10CA300000000000000000000000000000000000F6
65296+:10CA400000000000000000000000000000000000E6
65297+:10CA500000000000000000000000000000000000D6
65298+:10CA600000000000000000000000000000000000C6
65299+:10CA700000000000000000000000000000000000B6
65300+:10CA800000000000000000000000000000000000A6
65301+:10CA90000000000000000000000000000000000096
65302+:10CAA0000000000000000000000000000000000086
65303+:10CAB0000000000000000000000000000000000076
65304+:10CAC0000000000000000000000000000000000066
65305+:10CAD0000000000000000000000000000000000056
65306+:10CAE0000000000000000000000000000000000046
65307+:10CAF0000000000000000000000000000000000036
65308+:10CB00000000000000000000000000000000000025
65309+:10CB10000000000000000000000000000000000015
65310+:10CB20000000000000000000000000000000000005
65311+:10CB300000000000000000000000000000000000F5
65312+:10CB400000000000000000000000000000000000E5
65313+:10CB500000000000000000000000000000000000D5
65314+:10CB600000000000000000000000000000000000C5
65315+:10CB700000000000000000000000000000000000B5
65316+:10CB800000000000000000000000000000000000A5
65317+:10CB90000000000000000000000000000000000095
65318+:10CBA0000000000000000000000000000000000085
65319+:10CBB0000000000000000000000000000000000075
65320+:10CBC0000000000000000000000000000000000065
65321+:10CBD0000000000000000000000000000000000055
65322+:10CBE0000000000000000000000000000000000045
65323+:10CBF0000000000000000000000000000000000035
65324+:10CC00000000000000000000000000000000000024
65325+:10CC10000000000000000000000000000000000014
65326+:10CC20000000000000000000000000000000000004
65327+:10CC300000000000000000000000000000000000F4
65328+:10CC400000000000000000000000000000000000E4
65329+:10CC500000000000000000000000000000000000D4
65330+:10CC600000000000000000000000000000000000C4
65331+:10CC700000000000000000000000000000000000B4
65332+:10CC800000000000000000000000000000000000A4
65333+:10CC90000000000000000000000000000000000094
65334+:10CCA0000000000000000000000000000000000084
65335+:10CCB0000000000000000000000000000000000074
65336+:10CCC0000000000000000000000000000000000064
65337+:10CCD0000000000000000000000000000000000054
65338+:10CCE0000000000000000000000000000000000044
65339+:10CCF0000000000000000000000000000000000034
65340+:10CD00000000000000000000000000000000000023
65341+:10CD10000000000000000000000000000000000013
65342+:10CD20000000000000000000000000000000000003
65343+:10CD300000000000000000000000000000000000F3
65344+:10CD400000000000000000000000000000000000E3
65345+:10CD500000000000000000000000000000000000D3
65346+:10CD600000000000000000000000000000000000C3
65347+:10CD700000000000000000000000000000000000B3
65348+:10CD800000000000000000000000000000000000A3
65349+:10CD90000000000000000000000000000000000093
65350+:10CDA0000000000000000000000000000000000083
65351+:10CDB0000000000000000000000000000000000073
65352+:10CDC0000000000000000000000000000000000063
65353+:10CDD0000000000000000000000000000000000053
65354+:10CDE0000000000000000000000000000000000043
65355+:10CDF0000000000000000000000000000000000033
65356+:10CE00000000000000000000000000000000000022
65357+:10CE10000000000000000000000000000000000012
65358+:10CE20000000000000000000000000000000000002
65359+:10CE300000000000000000000000000000000000F2
65360+:10CE400000000000000000000000000000000000E2
65361+:10CE500000000000000000000000000000000000D2
65362+:10CE600000000000000000000000000000000000C2
65363+:10CE700000000000000000000000000000000000B2
65364+:10CE800000000000000000000000000000000000A2
65365+:10CE90000000000000000000000000000000000092
65366+:10CEA0000000000000000000000000000000000082
65367+:10CEB0000000000000000000000000000000000072
65368+:10CEC0000000000000000000000000000000000062
65369+:10CED0000000000000000000000000000000000052
65370+:10CEE0000000000000000000000000000000000042
65371+:10CEF0000000000000000000000000000000000032
65372+:10CF00000000000000000000000000000000000021
65373+:10CF10000000000000000000000000000000000011
65374+:10CF20000000000000000000000000000000000001
65375+:10CF300000000000000000000000000000000000F1
65376+:10CF400000000000000000000000000000000000E1
65377+:10CF500000000000000000000000000000000000D1
65378+:10CF600000000000000000000000000000000000C1
65379+:10CF700000000000000000000000000000000000B1
65380+:10CF800000000000000000000000000000000000A1
65381+:10CF90000000000000000000000000000000000091
65382+:10CFA0000000000000000000000000000000000081
65383+:10CFB0000000000000000000000000000000000071
65384+:10CFC0000000000000000000000000000000000061
65385+:10CFD0000000000000000000000000000000000051
65386+:10CFE0000000000000000000000000000000000041
65387+:10CFF0000000000000000000000000000000000031
65388+:10D000000000000000000000000000000000000020
65389+:10D010000000000000000000000000000000000010
65390+:10D020000000000000000000000000000000000000
65391+:10D0300000000000000000000000000000000000F0
65392+:10D0400000000000000000000000000000000000E0
65393+:10D0500000000000000000000000000000000000D0
65394+:10D0600000000000000000000000000000000000C0
65395+:10D0700000000000000000000000000000000000B0
65396+:10D0800000000000000000000000000000000000A0
65397+:10D090000000000000000000000000000000000090
65398+:10D0A0000000000000000000000000000000000080
65399+:10D0B0000000000000000000000000000000000070
65400+:10D0C0000000000000000000000000000000000060
65401+:10D0D0000000000000000000000000000000000050
65402+:10D0E0000000000000000000000000000000000040
65403+:10D0F0000000000000000000000000000000000030
65404+:10D10000000000000000000000000000000000001F
65405+:10D11000000000000000000000000000000000000F
65406+:10D1200000000000000000000000000000000000FF
65407+:10D1300000000000000000000000000000000000EF
65408+:10D1400000000000000000000000000000000000DF
65409+:10D1500000000000000000000000000000000000CF
65410+:10D1600000000000000000000000000000000000BF
65411+:10D1700000000000000000000000000000000000AF
65412+:10D18000000000000000000000000000000000009F
65413+:10D19000000000000000000000000000000000008F
65414+:10D1A000000000000000000000000000000000007F
65415+:10D1B000000000000000000000000000000000006F
65416+:10D1C000000000000000000000000000000000005F
65417+:10D1D000000000000000000000000000000000004F
65418+:10D1E000000000000000000000000000000000003F
65419+:10D1F000000000000000000000000000000000002F
65420+:10D20000000000000000000000000000000000001E
65421+:10D21000000000000000000000000000000000000E
65422+:10D2200000000000000000000000000000000000FE
65423+:10D2300000000000000000000000000000000000EE
65424+:10D2400000000000000000000000000000000000DE
65425+:10D2500000000000000000000000000000000000CE
65426+:10D2600000000000000000000000000000000000BE
65427+:10D2700000000000000000000000000000000000AE
65428+:10D28000000000000000000000000000000000009E
65429+:10D29000000000000000000000000000000000008E
65430+:10D2A000000000000000000000000000000000007E
65431+:10D2B000000000000000000000000000000000006E
65432+:10D2C000000000000000000000000000000000005E
65433+:10D2D000000000000000000000000000000000004E
65434+:10D2E000000000000000000000000000000000003E
65435+:10D2F000000000000000000000000000000000002E
65436+:10D30000000000000000000000000000000000001D
65437+:10D31000000000000000000000000000000000000D
65438+:10D3200000000000000000000000000000000000FD
65439+:10D3300000000000000000000000000000000000ED
65440+:10D3400000000000000000000000000000000000DD
65441+:10D3500000000000000000000000000000000000CD
65442+:10D3600000000000000000000000000000000000BD
65443+:10D3700000000000000000000000000000000000AD
65444+:10D38000000000000000000000000000000000009D
65445+:10D39000000000000000000000000000000000008D
65446+:10D3A000000000000000000000000000000000007D
65447+:10D3B000000000000000000000000000000000006D
65448+:10D3C000000000000000000000000000000000005D
65449+:10D3D000000000000000000000000000000000004D
65450+:10D3E000000000000000000000000000000000003D
65451+:10D3F000000000000000000000000000000000002D
65452+:10D40000000000000000000000000000000000001C
65453+:10D41000000000000000000000000000000000000C
65454+:10D4200000000000000000000000000000000000FC
65455+:10D4300000000000000000000000000000000000EC
65456+:10D4400000000000000000000000000000000000DC
65457+:10D4500000000000000000000000000000000000CC
65458+:10D4600000000000000000000000000000000000BC
65459+:10D4700000000000000000000000000000000000AC
65460+:10D48000000000000000000000000000000000009C
65461+:10D49000000000000000000000000000000000008C
65462+:10D4A000000000000000000000000000000000007C
65463+:10D4B000000000000000000000000000000000006C
65464+:10D4C000000000000000000000000000000000005C
65465+:10D4D000000000000000000000000000000000004C
65466+:10D4E000000000000000000000000000000000003C
65467+:10D4F000000000000000000000000000000000002C
65468+:10D50000000000000000000000000000000000001B
65469+:10D51000000000000000000000000000000000000B
65470+:10D5200000000000000000000000000000000000FB
65471+:10D5300000000000000000000000000000000000EB
65472+:10D5400000000000000000000000000000000000DB
65473+:10D5500000000000000000000000000000000000CB
65474+:10D5600000000000000000000000000000000000BB
65475+:10D5700000000000000000000000000000000000AB
65476+:10D58000000000000000000000000000000000009B
65477+:10D59000000000000000008000000000000000000B
65478+:10D5A000000000000000000000000000000000007B
65479+:10D5B00000000000000000000000000A0000000061
65480+:10D5C0000000000000000000100000030000000048
65481+:10D5D0000000000D0000000D3C02080024427340D2
65482+:10D5E0003C030800246377CCAC4000000043202BB0
65483+:10D5F0001480FFFD244200043C1D080037BD7FFC61
65484+:10D6000003A0F0213C100800261032103C1C08003A
65485+:10D61000279C73400E0010FE000000000000000D6B
65486+:10D6200030A5FFFF30C600FF274301808F4201B8BD
65487+:10D630000440FFFE24020002AC640000A465000860
65488+:10D64000A066000AA062000B3C021000AC67001844
65489+:10D6500003E00008AF4201B83C0360008C624FF861
65490+:10D660000440FFFE3C020200AC644FC0AC624FC4F9
65491+:10D670003C02100003E00008AC624FF89482000CFA
65492+:10D680002486001400A0382100021302000210803A
65493+:10D690000082402100C8102B1040005700000000FD
65494+:10D6A00090C300002C6200095040005190C200015C
65495+:10D6B000000310803C030800246372F00043102133
65496+:10D6C0008C420000004000080000000090C30001F0
65497+:10D6D0002402000A1462003A000000000106102330
65498+:10D6E0002C42000A1440003624C600028CE20000DE
65499+:10D6F00034420100ACE2000090C2000090C300017F
65500+:10D7000090C4000290C5000300031C000002160034
65501+:10D710000043102500042200004410250045102578
65502+:10D7200024C60004ACE2000490C2000090C30001D3
65503+:10D7300090C4000290C500030002160000031C0004
65504+:10D740000043102500042200004410250045102548
65505+:10D7500024C600040A000CB8ACE2000890C3000123
65506+:10D76000240200041462001624C6000290C20000C5
65507+:10D7700090C400018CE30000000212000044102558
65508+:10D780003463000424C60002ACE2000C0A000CB8AA
65509+:10D79000ACE3000090C300012402000314620008FF
65510+:10D7A00024C600028CE2000090C3000024C60001E1
65511+:10D7B00034420008A0E300100A000CB8ACE20000FC
65512+:10D7C00003E000082402000190C3000124020002CB
65513+:10D7D0001062000224C40002010020210A000CB8DB
65514+:10D7E000008030210A000CB824C6000190C200015C
65515+:10D7F0000A000CB800C2302103E00008000010212C
65516+:10D8000027BDFFE8AFBF0014AFB000100E00130239
65517+:10D8100000808021936200052403FFFE0200202186
65518+:10D82000004310248FBF00148FB00010A3620005C6
65519+:10D830000A00130B27BD001827BDFFE8AFB000108A
65520+:10D84000AFBF00140E000F3C0080802193620000E7
65521+:10D8500024030050304200FF14430004240201005E
65522+:10D86000AF4201800A000D3002002021AF4001804C
65523+:10D87000020020218FBF00148FB000100A000FE7B4
65524+:10D8800027BD001827BDFF80AFBE0078AFB700747A
65525+:10D89000AFB20060AFBF007CAFB60070AFB5006C38
65526+:10D8A000AFB40068AFB30064AFB1005CAFB0005874
65527+:10D8B0008F5001283C0208008C4231A02403FF80D5
65528+:10D8C0009365003F0202102100431024AF42002460
65529+:10D8D0003C0208008C4231A09364000530B200FF86
65530+:10D8E000020210213042007F034218210004202749
65531+:10D8F0003C02000A0062182130840001AF8300144A
65532+:10D900000000F0210000B82114800053AFA00050A7
65533+:10D9100093430116934401128F450104306300FFC5
65534+:10D920003C020001308400FF00A2282403431021A0
65535+:10D9300003441821245640002467400014A001CD60
65536+:10D940002402000193620000304300FF2402002003
65537+:10D950001062000524020050106200060000000062
65538+:10D960000A000D74000000000000000D0A000D7D8B
65539+:10D97000AFA000303C1E080027DE738C0A000D7D2E
65540+:10D98000AFA000303C0208008C4200DC24420001C1
65541+:10D990003C010800AC2200DC0E00139F00000000D8
65542+:10D9A0000A000F318FBF007C8F4201043C0300202E
65543+:10D9B00092D3000D004310240002202B00042140CC
65544+:10D9C000AFA400308F4301043C02004000621824E1
65545+:10D9D000146000023485004000802821326200205B
65546+:10D9E000AFA500301440000234A6008000A0302112
65547+:10D9F00010C0000BAFA6003093C500088F67004C25
65548+:10DA00000200202100052B0034A5008130A5F08103
65549+:10DA10000E000C9B30C600FF0A000F2E0000000015
65550+:10DA20009362003E304200401040000F2402000488
65551+:10DA300056420007240200120200202100E02821A3
65552+:10DA40000E0013F702C030210A000F318FBF007C97
65553+:10DA500016420005000000000E000D2100002021EC
65554+:10DA60000A000F318FBF007C9743011A96C4000E45
65555+:10DA700093620035326500043075FFFF00442004D6
65556+:10DA8000AFA400548ED1000410A000158ED400085D
65557+:10DA90009362003E3042004010400007000000004A
65558+:10DAA0000E0013E0022020211040000D00000000B5
65559+:10DAB0000A000F2E000000008F6200440222102393
65560+:10DAC0000440016A000000008F6200480222102317
65561+:10DAD00004410166240400160A000E218FC20004CE
65562+:10DAE0008F6200480222102304400008000000005A
65563+:10DAF0003C0208008C423100244200013C01080035
65564+:10DB0000AC2231000A000F23000000008F620040A9
65565+:10DB100002221023184000128F8400143C020800D7
65566+:10DB20008C423100327300FC0000A8212442000125
65567+:10DB30003C010800AC2231008F6300409482011C3C
65568+:10DB4000022318233042FFFF0043102A50400010E8
65569+:10DB50002402000C8F6200400A000DF20222102302
65570+:10DB60009483011C9762003C0043102B1040000678
65571+:10DB7000000000009482011C00551023A482011CA7
65572+:10DB80000A000DF72402000CA480011C2402000CE2
65573+:10DB9000AFA200308F620040005120231880000D9A
65574+:10DBA00002A4102A1440012600000000149500066B
65575+:10DBB00002A410233A620001304200011440012007
65576+:10DBC0000000000002A41023022488210A000E098C
65577+:10DBD0003055FFFF00002021326200021040001A81
65578+:10DBE000326200109362003E30420040504000110B
65579+:10DBF0008FC200040E00130202002021240200182C
65580+:10DC0000A362003F936200052403FFFE020020216F
65581+:10DC1000004310240E00130BA362000524040039F6
65582+:10DC2000000028210E0013C9240600180A000F3036
65583+:10DC300024020001240400170040F809000000003D
65584+:10DC40000A000F302402000110400108000000000B
65585+:10DC50008F63004C8F620054028210231C4001032A
65586+:10DC600002831023044200010060A021AFA4001829
65587+:10DC7000AFB10010AFB50014934201208F65004092
65588+:10DC80009763003C304200FF034210210044102102
65589+:10DC90008FA400543063FFFF244240000083182B00
65590+:10DCA0008FA40030AFA20020AFA50028008320255C
65591+:10DCB000AFA40030AFA50024AFA0002CAFB4003457
65592+:10DCC0009362003E30420008504000118FC20000B5
65593+:10DCD00002C0202127A500380E000CB2AFA00038EA
65594+:10DCE0005440000B8FC200008FA200383042010068
65595+:10DCF000504000078FC200008FA3003C8F6200607D
65596+:10DD00000062102304430001AF6300608FC2000073
65597+:10DD10000040F80927A400108FA200303042000212
65598+:10DD200054400001327300FE9362003E30420040D6
65599+:10DD3000104000378FA200248F6200541682001A10
65600+:10DD40003262000124020014124200102A4200151F
65601+:10DD500010400006240200162402000C12420007A4
65602+:10DD6000326200010A000E7D000000001242000530
65603+:10DD7000326200010A000E7D000000000A000E78E9
65604+:10DD80002417000E0A000E78241700100A000E7CDB
65605+:10DD900024170012936200232403FFBD00431024C4
65606+:10DDA000A362002332620001104000198FA20024F8
65607+:10DDB0002402000C1242000E2A42000D1040000600
65608+:10DDC0002402000E2402000A124200078FA200243F
65609+:10DDD0000A000E9524420001124200088FA200247E
65610+:10DDE0000A000E95244200010A000E932417000831
65611+:10DDF0002402000E16E20002241700162417001059
65612+:10DE00008FA2002424420001AFA200248FA200248C
65613+:10DE10008FA300148F76004000431021AF620040B2
65614+:10DE20008F8200149442011C104000090000000081
65615+:10DE30008F6200488F6400409763003C00441023C9
65616+:10DE40003063FFFF0043102A104000088FA20054E7
65617+:10DE5000936400368F6300403402FFFC008210049C
65618+:10DE600000621821AF6300488FA200548FA60030D3
65619+:10DE70000282902130C200081040000E0000000015
65620+:10DE80008F6200581642000430C600FF9742011A04
65621+:10DE90005040000134C6001093C500088FA700341D
65622+:10DEA0000200202100052B0034A500800E000C9BF1
65623+:10DEB00030A5F0808F620040005610231840001BF0
65624+:10DEC0008FA200183C0208008C42319830420010AA
65625+:10DED0001040000D24020001976200681440000AFF
65626+:10DEE000240200018F8200149442011C1440000699
65627+:10DEF00024020001A76200689742007A244200646D
65628+:10DF00000A000EE9A7620012A76200120E001302B7
65629+:10DF1000020020219362007D2403000102002021E1
65630+:10DF2000344200010A000EE7AFA300501840000A77
65631+:10DF3000000000000E001302020020219362007D09
65632+:10DF40002403000102002021AFA30050344200044A
65633+:10DF50000E00130BA362007D9362003E304200402E
65634+:10DF60001440000C326200011040000A0000000062
65635+:10DF70008F6300408FC20004240400182463000152
65636+:10DF80000040F809AF6300408FA200300A000F3054
65637+:10DF9000304200048F620058105200100000000050
65638+:10DFA0008F620018022210231C4000082404000184
65639+:10DFB0008F62001816220009000000008F62001C0A
65640+:10DFC000028210230440000500000000AF720058D8
65641+:10DFD000AFA40050AF710018AF74001C12E0000B2A
65642+:10DFE0008FA200500E00130202002021A377003FF1
65643+:10DFF0000E00130B0200202102E030212404003720
65644+:10E000000E0013C9000028218FA200501040000309
65645+:10E01000000000000E000CA90200202112A0000543
65646+:10E02000000018218FA2003030420004504000113F
65647+:10E0300000601021240300010A000F30006010214D
65648+:10E040000E001302020020219362007D02002021B5
65649+:10E05000344200040E00130BA362007D0E000CA9D5
65650+:10E06000020020210A000F3024020001AF400044CA
65651+:10E07000240200018FBF007C8FBE00788FB7007430
65652+:10E080008FB600708FB5006C8FB400688FB30064DA
65653+:10E090008FB200608FB1005C8FB0005803E00008C1
65654+:10E0A00027BD00808F4201B80440FFFE2402080013
65655+:10E0B000AF4201B803E00008000000003C02000885
65656+:10E0C00003421021944200483084FFFF2484001250
65657+:10E0D0003045FFFF10A0001700A4102B10400016C1
65658+:10E0E00024020003934201202403001AA343018B5E
65659+:10E0F000304200FF2446FFFE8F82000000A6182B4E
65660+:10E100003863000100021382004310241040000510
65661+:10E110008F84000434820001A746019403E00008C4
65662+:10E12000AF8200042402FFFE0082102403E00008F6
65663+:10E13000AF8200042402000303E00008A342018B25
65664+:10E1400027BDFFE0AFB10014AFB00010AFBF0018A3
65665+:10E1500030B0FFFF30D1FFFF8F4201B80440FFFE17
65666+:10E1600000000000AF440180AF4400200E000F42C9
65667+:10E17000020020218F8300008F840004A750019AA1
65668+:10E18000A750018EA74301908F8300083082800042
65669+:10E19000AF4301A8A75101881040000E8F820004F0
65670+:10E1A00093420116304200FC24420004005A102120
65671+:10E1B0008C4240003042FFFF144000068F82000472
65672+:10E1C0003C02FFFF34427FFF00821024AF82000434
65673+:10E1D0008F8200042403BFFF00431024A74201A63E
65674+:10E1E0009743010C8F42010400031C003042FFFFE3
65675+:10E1F00000621825AF4301AC3C021000AF4201B8E9
65676+:10E200008FBF00188FB100148FB0001003E000081A
65677+:10E2100027BD00208F470070934201128F830000BA
65678+:10E2200027BDFFF0304200FF00022882306201006B
65679+:10E23000000030211040004324A40003306240005D
65680+:10E24000104000103062200000041080005A10219D
65681+:10E250008C43400024A4000400041080AFA30000FD
65682+:10E26000005A10218C424000AFA2000493420116D4
65683+:10E27000304200FC005A10218C4240000A000FC0BE
65684+:10E28000AFA200081040002F0000302100041080D1
65685+:10E29000005A10218C43400024A400040004108084
65686+:10E2A000AFA30000005A10218C424000AFA000082C
65687+:10E2B000AFA200048FA80008000030210000202138
65688+:10E2C000240A00083C0908002529010003A41021A4
65689+:10E2D000148A000300042A001100000A0000000054
65690+:10E2E00090420000248400012C83000C00A2102125
65691+:10E2F00000021080004910218C4200001460FFF3DE
65692+:10E3000000C230263C0408008C8431048F42007027
65693+:10E310002C83002010600009004738233C030800CC
65694+:10E32000246331080004108000431021248300017D
65695+:10E33000AC4700003C010800AC233104AF86000864
65696+:10E340002406000100C0102103E0000827BD0010D2
65697+:10E350003C0208008C42003827BDFFD0AFB5002436
65698+:10E36000AFB40020AFB10014AFBF0028AFB3001CA2
65699+:10E37000AFB20018AFB00010000088213C150800B3
65700+:10E3800026B50038144000022454FFFF0000A021ED
65701+:10E390009742010E8F8400003042FFFF308340001F
65702+:10E3A0001060000A245200043C0200200082102465
65703+:10E3B00050400007308280008F8200042403BFFF9A
65704+:10E3C000008318240A0010103442100030828000AC
65705+:10E3D0001040000A3C020020008210241040000778
65706+:10E3E0008F8200043C03FFFF34637FFF0083182407
65707+:10E3F00034428000AF820004AF8300000E000F980B
65708+:10E400000000000014400007000000009743011EB8
65709+:10E410009742011C3063FFFF0002140000621825C0
65710+:10E42000AF8300089742010C8F4340003045FFFF47
65711+:10E430003402FFFF14620003000000000A001028ED
65712+:10E44000241100208F42400030420100544000015E
65713+:10E45000241100108F8400003082100050400014FE
65714+:10E4600036310001308200201440000B3C021000C5
65715+:10E47000008210245040000E363100013C030E0093
65716+:10E480003C020DFF008318243442FFFF0043102B91
65717+:10E4900050400007363100013C0208008C42002C3D
65718+:10E4A000244200013C010800AC22002C363100055A
65719+:10E4B0003C0608008CC6003454C000238F85000041
65720+:10E4C0008F820004304240005440001F8F850000BE
65721+:10E4D0003C021F01008210243C0310005443001A28
65722+:10E4E0008F85000030A20200144000178F850000C5
65723+:10E4F0003250FFFF363100028F4201B80440FFFE68
65724+:10E5000000000000AF400180020020210E000F42F9
65725+:10E51000AF4000208F8300042402BFFFA750019A60
65726+:10E52000006218248F820000A750018EA751018835
65727+:10E53000A74301A6A74201903C021000AF4201B8D8
65728+:10E540000A0010F5000010213C02100000A2102467
65729+:10E550001040003A0000000010C0000F0000000052
65730+:10E5600030A201001040000C3C0302003C020F00EE
65731+:10E5700000A2102410430008000000008F82000851
65732+:10E58000005410240055102190420004244200043D
65733+:10E590000A00109F000221C00000000000051602C2
65734+:10E5A0003050000F3A0300022E4203EF38420001C0
65735+:10E5B0002C6300010062182414600073240200011F
65736+:10E5C0003C0308008C6300D02E06000C386200016A
65737+:10E5D0002C4200010046102414400015001021C0F8
65738+:10E5E0002602FFFC2C4200045440001100002021B0
65739+:10E5F000386200022C420001004610241040000343
65740+:10E60000000512420A00109F000020210010182B64
65741+:10E610000043102450400006001021C000002021BB
65742+:10E620003245FFFF0E000F633226FFFB001021C0B2
65743+:10E630003245FFFF0A0010F2362600028F424000EA
65744+:10E640003C0308008C630024304201001040004667
65745+:10E6500030620001322200043070000D14400002CC
65746+:10E660002413000424130002000512C238420001E2
65747+:10E670002E4303EF304200013863000100431025B0
65748+:10E68000104000033231FFFB2402FFFB0202802412
65749+:10E6900010C000183202000130A201001040001525
65750+:10E6A000320200013C020F0000A210243C030200D1
65751+:10E6B0001043000F8F8200082403FFFE0203802412
65752+:10E6C00000541024005510219042000402333025DC
65753+:10E6D0002442000412000002000221C03226FFFF83
65754+:10E6E0000E000F633245FFFF1200002700001021CB
65755+:10E6F000320200011040000D320200042402000129
65756+:10E7000012020002023330253226FFFF00002021D2
65757+:10E710000E000F633245FFFF2402FFFE0202802439
65758+:10E7200012000019000010213202000410400016EF
65759+:10E7300024020001240200041202000202333025E8
65760+:10E740003226FFFF3245FFFF0E000F632404010055
65761+:10E750002402FFFB020280241200000B00001021A3
65762+:10E760000A0010F5240200011040000700001021EB
65763+:10E770003245FFFF36260002000020210E000F6305
65764+:10E7800000000000000010218FBF00288FB500247A
65765+:10E790008FB400208FB3001C8FB200188FB100140B
65766+:10E7A0008FB0001003E0000827BD003027BDFFD068
65767+:10E7B000AFB000103C04600CAFBF002CAFB6002817
65768+:10E7C000AFB50024AFB40020AFB3001CAFB2001847
65769+:10E7D000AFB100148C8250002403FF7F3C1A8000EC
65770+:10E7E000004310243442380CAC8250002402000351
65771+:10E7F0003C106000AF4200088E0208083C1B8008F5
65772+:10E800003C010800AC2000203042FFF038420010EC
65773+:10E810002C4200010E001B8DAF8200183C04FFFF4C
65774+:10E820003C020400348308063442000CAE0219484E
65775+:10E83000AE03194C3C0560168E0219808CA30000B3
65776+:10E840003442020000641824AE0219803C02535383
65777+:10E850001462000334A47C008CA200040050202128
65778+:10E860008C82007C8C830078AF820010AF83000C18
65779+:10E870008F55000032A200031040FFFD32A20001BC
65780+:10E880001040013D32A200028F420128AF42002019
65781+:10E890008F4201048F430100AF8200000E000F3C45
65782+:10E8A000AF8300043C0208008C4200C01040000806
65783+:10E8B0008F8400003C0208008C4200C42442000106
65784+:10E8C0003C010800AC2200C40A00126900000000EC
65785+:10E8D0003C020010008210241440010C8F830004BD
65786+:10E8E0003C0208008C4200203C0308008C63003886
65787+:10E8F00000008821244200013C010800AC220020D5
65788+:10E900003C16080026D60038146000022474FFFF6D
65789+:10E910000000A0219742010E308340003042FFFFEB
65790+:10E920001060000A245200043C02002000821024DF
65791+:10E9300050400007308280008F8200042403BFFF14
65792+:10E94000008318240A0011703442100030828000C5
65793+:10E950001040000A3C0200200082102410400007F2
65794+:10E960008F8200043C03FFFF34637FFF0083182481
65795+:10E9700034428000AF820004AF8300000E000F9885
65796+:10E980000000000014400007000000009743011E33
65797+:10E990009742011C3063FFFF00021400006218253B
65798+:10E9A000AF8300089742010C8F4340003045FFFFC2
65799+:10E9B0003402FFFF14620003000000000A00118807
65800+:10E9C000241100208F4240003042010054400001D9
65801+:10E9D000241100108F840000308210005040001479
65802+:10E9E00036310001308200201440000B3C02100040
65803+:10E9F000008210245040000E363100013C030E000E
65804+:10EA00003C020DFF008318243442FFFF0043102B0B
65805+:10EA100050400007363100013C0208008C42002CB7
65806+:10EA2000244200013C010800AC22002C36310005D4
65807+:10EA30003C0608008CC6003454C000238F850000BB
65808+:10EA40008F820004304240005440001F8F85000038
65809+:10EA50003C021F01008210243C0310005443001AA2
65810+:10EA60008F85000030A20200144000178F8500003F
65811+:10EA70003250FFFF363100028F4201B80440FFFEE2
65812+:10EA800000000000AF400180020020210E000F4274
65813+:10EA9000AF4000208F8300042402BFFFA750019ADB
65814+:10EAA000006218248F820000A750018EA7510188B0
65815+:10EAB000A74301A6A74201903C021000AF4201B853
65816+:10EAC0000A001267000010213C02100000A210246E
65817+:10EAD0001040003A0000000010C0000F00000000CD
65818+:10EAE00030A201001040000C3C0302003C020F0069
65819+:10EAF00000A2102410430008000000008F820008CC
65820+:10EB000000541024005610219042000424420004B6
65821+:10EB10000A0011FF000221C00000000000051602DB
65822+:10EB20003050000F3A0300022E4203EF384200013A
65823+:10EB30002C63000100621824146000852402000187
65824+:10EB40003C0308008C6300D02E06000C38620001E4
65825+:10EB50002C4200010046102414400015001021C072
65826+:10EB60002602FFFC2C42000454400011000020212A
65827+:10EB7000386200022C42000100461024504000037D
65828+:10EB8000000512420A0011FF000020210010182B7E
65829+:10EB90000043102450400006001021C00000202136
65830+:10EBA0003245FFFF0E000F633226FFFB001021C02D
65831+:10EBB0003245FFFF0A001252362600028F42400003
65832+:10EBC0003C0308008C6300243042010010400046E2
65833+:10EBD00030620001322200043070000D1440000247
65834+:10EBE0002413000424130002000512C2384200015D
65835+:10EBF0002E4303EF3042000138630001004310252B
65836+:10EC0000104000033231FFFB2402FFFB020280248C
65837+:10EC100010C000183202000130A20100104000159F
65838+:10EC2000320200013C020F0000A210243C0302004B
65839+:10EC30001043000F8F8200082403FFFE020380248C
65840+:10EC40000054102400561021904200040233302555
65841+:10EC50002442000412000002000221C03226FFFFFD
65842+:10EC60000E000F633245FFFF120000390000102133
65843+:10EC7000320200011040000D3202000424020001A3
65844+:10EC800012020002023330253226FFFF000020214D
65845+:10EC90000E000F633245FFFF2402FFFE02028024B4
65846+:10ECA0001200002B00001021320200041040002846
65847+:10ECB0002402000124020004120200020233302563
65848+:10ECC0003226FFFF3245FFFF0E000F6324040100D0
65849+:10ECD0002402FFFB020280241200001D000010210C
65850+:10ECE0000A001267240200015040001900001021A0
65851+:10ECF0003245FFFF36260002000020210E000F6380
65852+:10ED0000000000000A001267000010212402BFFF6B
65853+:10ED1000006210241040000800000000240287FF59
65854+:10ED200000621024144000083C020060008210249D
65855+:10ED300010400005000000000E000D34000000002F
65856+:10ED40000A001267000000000E0012C70000000059
65857+:10ED5000104000063C0240008F4301243C0260202A
65858+:10ED6000AC430014000000003C024000AF420138F8
65859+:10ED70000000000032A200021040FEBD00000000B2
65860+:10ED80008F4201403C044000AF4200208F430148C5
65861+:10ED90003C02700000621824106400420000000071
65862+:10EDA0000083102B144000063C0260003C0220004F
65863+:10EDB000106200073C0240000A0012C3000000007D
65864+:10EDC0001062003C3C0240000A0012C30000000038
65865+:10EDD0008F4501408F4601448F42014800021402D2
65866+:10EDE000304300FF240200041462000A274401801B
65867+:10EDF0008F4201B80440FFFE2402001CAC850000D5
65868+:10EE0000A082000B3C021000AF4201B80A0012C3FE
65869+:10EE10003C0240002402000914620012000616029F
65870+:10EE2000000229C0AF4500208F4201B80440FFFE18
65871+:10EE30002402000124030003AF450180A343018B9A
65872+:10EE4000A740018EA740019AA7400190AF4001A8BA
65873+:10EE5000A7420188A74201A6AF4001AC3C021000C6
65874+:10EE6000AF4201B88F4201B80440FFFE000000002D
65875+:10EE7000AC8500008F42014800021402A482000801
65876+:10EE800024020002A082000B8F420148A4820010DD
65877+:10EE90003C021000AC860024AF4201B80A0012C345
65878+:10EEA0003C0240000E001310000000000A0012C3D4
65879+:10EEB0003C0240000E001BC2000000003C0240006B
65880+:10EEC000AF420178000000000A00112F000000008E
65881+:10EED0008F4201003042003E144000112402000124
65882+:10EEE000AF4000488F420100304207C0104000058B
65883+:10EEF00000000000AF40004CAF40005003E00008AD
65884+:10EF000024020001AF400054AF4000408F42010096
65885+:10EF10003042380054400001AF4000442402000158
65886+:10EF200003E00008000000008F4201B80440FFFE2B
65887+:10EF300024020001AF440180AF400184A74501884D
65888+:10EF4000A342018A24020002A342018B9742014A94
65889+:10EF500014C00004A7420190AF4001A40A0012EFC0
65890+:10EF60003C0210008F420144AF4201A43C02100059
65891+:10EF7000AF4001A803E00008AF4201B88F4201B8DA
65892+:10EF80000440FFFE24020002AF440180AF4401842C
65893+:10EF9000A7450188A342018AA342018B9742014AF7
65894+:10EFA000A7420190AF4001A48F420144AF4201A8A3
65895+:10EFB0003C02100003E00008AF4201B83C029000A0
65896+:10EFC0003442000100822025AF4400208F420020FF
65897+:10EFD0000440FFFE0000000003E000080000000005
65898+:10EFE0003C028000344200010082202503E000083A
65899+:10EFF000AF44002027BDFFE8AFBF0014AFB0001042
65900+:10F000008F50014093430149934201489344014882
65901+:10F01000306300FF304200FF00021200006228252A
65902+:10F020002402001910620076308400802862001AE1
65903+:10F030001040001C24020020240200081062007707
65904+:10F04000286200091040000E2402000B2402000177
65905+:10F0500010620034286200025040000524020006BD
65906+:10F0600050600034020020210A00139A00000000C2
65907+:10F0700010620030020020210A00139A00000000F4
65908+:10F080001062003B2862000C504000022402000E77
65909+:10F090002402000910620056020020210A00139A7F
65910+:10F0A0000000000010620056286200211040000F8E
65911+:10F0B000240200382402001C106200582862001D3F
65912+:10F0C000104000062402001F2402001B1062004CA6
65913+:10F0D000000000000A00139A000000001062004ABD
65914+:10F0E000020020210A00139A00000000106200456F
65915+:10F0F0002862003910400007240200802462FFCB00
65916+:10F100002C42000210400045020020210A00139604
65917+:10F110000000302110620009000000000A00139A6C
65918+:10F12000000000001480003D020020210A0013901E
65919+:10F130008FBF00140A001396240600018F4201B805
65920+:10F140000440FFFE24020002A342018BA745018870
65921+:10F150009742014AA74201908F420144A74201927F
65922+:10F160003C021000AF4201B80A00139C8FBF00148C
65923+:10F170009742014A144000290000000093620005F4
65924+:10F180003042000414400025000000000E0013026D
65925+:10F190000200202193620005020020213442000475
65926+:10F1A0000E00130BA36200059362000530420004B9
65927+:10F1B00014400002000000000000000D93620000F7
65928+:10F1C00024030020304200FF14430014000000001C
65929+:10F1D0008F4201B80440FFFE24020005AF500180B9
65930+:10F1E000A342018B3C0210000A00139AAF4201B8FF
65931+:10F1F0008FBF00148FB000100A0012F227BD001854
65932+:10F200000000000D02002021000030218FBF0014FB
65933+:10F210008FB000100A0012DD27BD00180000000D9D
65934+:10F220008FBF00148FB0001003E0000827BD001846
65935+:10F2300027BDFFE8AFBF00100E000F3C000000002C
65936+:10F24000AF4001808FBF0010000020210A000FE7AF
65937+:10F2500027BD00183084FFFF30A5FFFF00001821F4
65938+:10F260001080000700000000308200011040000202
65939+:10F2700000042042006518210A0013AB0005284055
65940+:10F2800003E000080060102110C0000624C6FFFF44
65941+:10F290008CA2000024A50004AC8200000A0013B573
65942+:10F2A0002484000403E000080000000010A000080F
65943+:10F2B00024A3FFFFAC860000000000000000000057
65944+:10F2C0002402FFFF2463FFFF1462FFFA248400047A
65945+:10F2D00003E0000800000000308300FF30A500FFBD
65946+:10F2E00030C600FF274701808F4201B80440FFFE6F
65947+:10F2F000000000008F42012834634000ACE20000AF
65948+:10F3000024020001ACE00004A4E30008A0E2000A2B
65949+:10F3100024020002A0E2000B3C021000A4E5001051
65950+:10F32000ACE00024ACE00028A4E6001203E00008F2
65951+:10F33000AF4201B827BDFFE8AFBF00109362003FA6
65952+:10F3400024030012304200FF1043000D00803021E2
65953+:10F350008F620044008210230440000A8FBF001017
65954+:10F360008F620048240400390000282100C21023C5
65955+:10F3700004410004240600120E0013C9000000001E
65956+:10F380008FBF00102402000103E0000827BD001811
65957+:10F3900027BDFFC8AFB20030AFB1002CAFBF003403
65958+:10F3A000AFB0002890C5000D0080902130A400105F
65959+:10F3B0001080000B00C088218CC300088F620054AD
65960+:10F3C0001062000730A20005144000B524040001BB
65961+:10F3D0000E000D21000020210A0014BB0040202156
65962+:10F3E00030A200051040000930A30012108000ACCC
65963+:10F3F000240400018E2300088F620054146200A9C7
65964+:10F400008FBF00340A00142C240400382402001298
65965+:10F41000146200A3240400010220202127A500106B
65966+:10F420000E000CB2AFA000101040001102402021CD
65967+:10F430008E220008AF620084AF6000400E0013020D
65968+:10F44000000000009362007D024020213442002031
65969+:10F450000E00130BA362007D0E000CA902402021B8
65970+:10F46000240400382405008D0A0014B82406001274
65971+:10F470009362003E304200081040000F8FA200103F
65972+:10F4800030420100104000078FA300148F6200601B
65973+:10F490000062102304430008AF6300600A001441B7
65974+:10F4A00000000000AF6000609362003E2403FFF79D
65975+:10F4B00000431024A362003E9362003E30420008E5
65976+:10F4C000144000022406000300003021936200343F
65977+:10F4D000936300378F640084304200FF306300FF85
65978+:10F4E00000661821000318800043282100A4202B67
65979+:10F4F0001080000B000000009763003C8F620084C6
65980+:10F500003063FFFF004510230062182B14600004D5
65981+:10F51000000000008F6200840A00145D0045802313
65982+:10F520009762003C3050FFFF8FA300103062000450
65983+:10F5300010400004000628808FA2001C0A001465F9
65984+:10F540000202102B2E02021850400003240202185F
65985+:10F550000A00146E020510233063000410600003DB
65986+:10F56000004510238FA2001C00451023004080217D
65987+:10F570002C42008054400001241000800E00130231
65988+:10F580000240202124020001AF62000C9362003E81
65989+:10F59000001020403042007FA362003E8E22000413
65990+:10F5A00024420001AF620040A770003C8F6200500F
65991+:10F5B0009623000E00431021AF6200588F62005066
65992+:10F5C00000441021AF62005C8E220004AF6200187C
65993+:10F5D0008E220008AF62001C8FA20010304200088B
65994+:10F5E0005440000A93A20020A360003693620036C4
65995+:10F5F0002403FFDFA36200359362003E0043102422
65996+:10F60000A362003E0A0014988E220008A36200350F
65997+:10F610008E220008AF62004C8F6200248F6300408E
65998+:10F6200000431021AF6200489362000024030050A1
65999+:10F63000304200FF144300122403FF803C02080004
66000+:10F640008C4231A00242102100431024AF42002816
66001+:10F650003C0208008C4231A08E2400083C03000CC0
66002+:10F66000024210213042007F03421021004310214A
66003+:10F67000AC4400D88E230008AF820014AC4300DCF9
66004+:10F680000E00130B02402021240400380000282122
66005+:10F690002406000A0E0013C9000000002404000123
66006+:10F6A0008FBF00348FB200308FB1002C8FB0002894
66007+:10F6B0000080102103E0000827BD003827BDFFF8B7
66008+:10F6C00027420180AFA20000308A00FF8F4201B8BC
66009+:10F6D0000440FFFE000000008F4601283C020800A5
66010+:10F6E0008C4231A02403FF80AF86004800C2102165
66011+:10F6F00000431024AF4200243C0208008C4231A099
66012+:10F700008FA900008FA8000000C210213042007FA6
66013+:10F71000034218213C02000A00621821946400D4BC
66014+:10F720008FA700008FA5000024020002AF83001401
66015+:10F73000A0A2000B8FA30000354260003084FFFFC1
66016+:10F74000A4E200083C021000AD260000AD04000455
66017+:10F75000AC60002427BD0008AF4201B803E00008F8
66018+:10F76000240200018F88003C938200288F830014BC
66019+:10F770003C07080024E7779800481023304200FF38
66020+:10F78000304900FC246500888F860040304A000321
66021+:10F790001120000900002021248200048CA3000015
66022+:10F7A000304400FF0089102AACE3000024A50004C7
66023+:10F7B0001440FFF924E70004114000090000202153
66024+:10F7C0002482000190A30000304400FF008A102B27
66025+:10F7D000A0E3000024A500011440FFF924E7000184
66026+:10F7E00030C20003144000048F85003C3102000346
66027+:10F7F0001040000D0000000010A0000900002021B2
66028+:10F800002482000190C30000304400FF0085102BCB
66029+:10F81000A0E3000024C600011440FFF924E7000122
66030+:10F8200003E00008000000001100FFFD000020219F
66031+:10F83000248200048CC30000304400FF0088102B99
66032+:10F84000ACE3000024C600041440FFF924E70004E0
66033+:10F8500003E00008000000008F83003C9382002832
66034+:10F8600030C600FF30A500FF00431023304300FFE7
66035+:10F870008F820014008038210043102114C0000240
66036+:10F88000244800880083382130E20003144000053A
66037+:10F8900030A2000314400003306200031040000D4A
66038+:10F8A0000000000010A000090000202124820001B7
66039+:10F8B00090E30000304400FF0085102BA1030000FE
66040+:10F8C00024E700011440FFF92508000103E00008C7
66041+:10F8D0000000000010A0FFFD000020212482000491
66042+:10F8E0008CE30000304400FF0085102BAD030000C6
66043+:10F8F00024E700041440FFF92508000403E0000891
66044+:10F90000000000000080482130AAFFFF30C600FF41
66045+:10F9100030E7FFFF274801808F4201B80440FFFE17
66046+:10F920008F820048AD0200008F420124AD02000426
66047+:10F930008D220020A5070008A102000A240200165B
66048+:10F94000A102000B934301208D2200088D240004A6
66049+:10F95000306300FF004310219783003A00441021D8
66050+:10F960008D250024004310233C0308008C6331A044
66051+:10F970008F840014A502000C246300E82402FFFF1A
66052+:10F98000A50A000EA5030010A5060012AD0500187B
66053+:10F99000AD020024948201142403FFF73042FFFFDC
66054+:10F9A000AD0200288C820118AD02002C3C02100030
66055+:10F9B000AD000030AF4201B88D220020004310247A
66056+:10F9C00003E00008AD2200208F82001430E7FFFF23
66057+:10F9D00000804821904200D330A5FFFF30C600FFD1
66058+:10F9E0000002110030420F0000E238252748018054
66059+:10F9F0008F4201B80440FFFE8F820048AD02000034
66060+:10FA00008F420124AD0200048D220020A5070008CA
66061+:10FA1000A102000A24020017A102000B9343012057
66062+:10FA20008D2200088D240004306300FF0043102164
66063+:10FA30009783003A004410218F8400140043102360
66064+:10FA40003C0308008C6331A0A502000CA505000E44
66065+:10FA5000246300E8A5030010A5060012AD00001401
66066+:10FA60008D220024AD0200188C82005CAD02001CC7
66067+:10FA70008C820058AD0200202402FFFFAD0200245A
66068+:10FA8000948200E63042FFFFAD02002894820060BD
66069+:10FA9000948300BE30427FFF3063FFFF00021200FC
66070+:10FAA00000431021AD02002C3C021000AD000030DC
66071+:10FAB000AF4201B8948200BE2403FFF700A21021D8
66072+:10FAC000A48200BE8D2200200043102403E0000821
66073+:10FAD000AD220020274301808F4201B80440FFFE81
66074+:10FAE0008F8200249442001C3042FFFF000211C0AC
66075+:10FAF000AC62000024020019A062000B3C0210005E
66076+:10FB0000AC60003003E00008AF4201B88F87002CE2
66077+:10FB100030C300FF8F4201B80440FFFE8F820048CF
66078+:10FB200034636000ACA2000093820044A0A20005F0
66079+:10FB30008CE20010A4A20006A4A300088C8200207E
66080+:10FB40002403FFF7A0A2000A24020002A0A2000BD7
66081+:10FB50008CE20000ACA200108CE20004ACA2001405
66082+:10FB60008CE2001CACA200248CE20020ACA2002895
66083+:10FB70008CE2002CACA2002C8C820024ACA20018D9
66084+:10FB80003C021000AF4201B88C82002000431024D8
66085+:10FB900003E00008AC8200208F86001427BDFFE838
66086+:10FBA000AFBF0014AFB0001090C20063304200201D
66087+:10FBB0001040000830A500FF8CC2007C2403FFDF4A
66088+:10FBC00024420001ACC2007C90C2006300431024B8
66089+:10FBD000A0C2006310A000238F830014275001806F
66090+:10FBE000020028210E0015D6240600828F82001400
66091+:10FBF000904200633042004050400019A38000440E
66092+:10FC00008F83002C8F4201B80440FFFE8F82004892
66093+:10FC1000AE02000024026082A60200082402000254
66094+:10FC2000A202000B8C620008AE0200108C62000C75
66095+:10FC3000AE0200148C620014AE0200188C62001830
66096+:10FC4000AE0200248C620024AE0200288C620028E0
66097+:10FC5000AE02002C3C021000AF4201B8A380004469
66098+:10FC60008F8300148FBF00148FB000109062006368
66099+:10FC700027BD00183042007FA06200639782003ADF
66100+:10FC80008F86003C8F850014938300280046102344
66101+:10FC9000A782003AA4A000E490A400638F820040F1
66102+:10FCA000AF83003C2403FFBF0046102100832024C3
66103+:10FCB000AF820040A0A400638F820014A04000BD6A
66104+:10FCC0008F82001403E00008A44000BE8F8A001455
66105+:10FCD00027BDFFE0AFB10014AFB000108F88003C2B
66106+:10FCE000AFBF00189389001C954200E430D100FF9B
66107+:10FCF0000109182B0080802130AC00FF3047FFFF46
66108+:10FD00000000582114600003310600FF012030215B
66109+:10FD1000010958239783003A0068102B1440003CD7
66110+:10FD20000000000014680007240200018E02002079
66111+:10FD30002403FFFB34E7800000431024AE020020C0
66112+:10FD40002402000134E70880158200053165FFFFB9
66113+:10FD50000E001554020020210A00169102002021F5
66114+:10FD60000E001585020020218F8400482743018062
66115+:10FD70008F4201B80440FFFE24020018AC6400006A
66116+:10FD8000A062000B8F840014948200E6A46200102D
66117+:10FD90003C021000AC600030AF4201B894820060B9
66118+:10FDA00024420001A4820060948200603C030800A9
66119+:10FDB0008C63318830427FFF5443000F02002021C2
66120+:10FDC000948200602403800000431024A482006019
66121+:10FDD0009082006090830060304200FF000211C2F8
66122+:10FDE00000021027000211C03063007F0062182556
66123+:10FDF000A083006002002021022028218FBF00186C
66124+:10FE00008FB100148FB000100A0015F927BD002033
66125+:10FE1000914200632403FF8000431025A142006348
66126+:10FE20009782003A3048FFFF110000209383001CA6
66127+:10FE30008F840014004B1023304600FF948300E4AD
66128+:10FE40002402EFFF0168282B00621824A48300E439
66129+:10FE500014A000038E020020010058210000302170
66130+:10FE60002403FFFB34E7800000431024AE0200208F
66131+:10FE700024020001158200053165FFFF0E001554B4
66132+:10FE8000020020210A0016B99783003A0E0015855A
66133+:10FE9000020020219783003A8F82003CA780003A1D
66134+:10FEA00000431023AF82003C9383001C8F82001418
66135+:10FEB0008FBF00188FB100148FB0001027BD002035
66136+:10FEC00003E00008A04300BD938200442403000126
66137+:10FED00027BDFFE8004330042C420020AFB00010E3
66138+:10FEE000AFBF00142410FFFE10400005274501801D
66139+:10FEF0003C0208008C4231900A0016D600461024BD
66140+:10FF00003C0208008C423194004610241440000743
66141+:10FF1000240600848F8300142410FFFF9062006287
66142+:10FF20003042000F34420040A06200620E0015D63D
66143+:10FF300000000000020010218FBF00148FB00010DD
66144+:10FF400003E0000827BD00188F83002427BDFFE0D1
66145+:10FF5000AFB20018AFB10014AFB00010AFBF001CBB
66146+:10FF60009062000D00A0902130D100FF3042007F50
66147+:10FF7000A062000D8F8500148E4300180080802140
66148+:10FF80008CA2007C146200052402000E90A2006383
66149+:10FF9000344200200A0016FFA0A200630E0016C51E
66150+:10FFA000A38200442403FFFF104300472404FFFF03
66151+:10FFB00052200045000020218E4300003C0200102A
66152+:10FFC00000621024504000043C020008020020217E
66153+:10FFD0000A00170E24020015006210245040000988
66154+:10FFE0008E45000002002021240200140E0016C5D8
66155+:10FFF000A38200442403FFFF104300332404FFFFC7
66156+:020000021000EC
66157+:100000008E4500003C02000200A2102410400016A1
66158+:100010003C0200048F8600248CC200148CC30010A4
66159+:100020008CC40014004310230044102B50400005E2
66160+:10003000020020218E43002C8CC2001010620003AD
66161+:10004000020020210A00173F240200123C02000493
66162+:1000500000A210245040001C00002021020020219A
66163+:100060000A00173F2402001300A2102410400006CB
66164+:100070008F8300248C620010504000130000202168
66165+:100080000A001739020020218C6200105040000441
66166+:100090008E42002C020020210A00173F240200118A
66167+:1000A00050400009000020210200202124020017F6
66168+:1000B0000E0016C5A38200442403FFFF1043000274
66169+:1000C0002404FFFF000020218FBF001C8FB2001806
66170+:1000D0008FB100148FB000100080102103E00008E1
66171+:1000E00027BD00208F83001427BDFFD8AFB40020A8
66172+:1000F000AFB3001CAFB20018AFB10014AFB0001026
66173+:10010000AFBF0024906200638F91002C2412FFFF88
66174+:100110003442004092250000A06200638E2200104D
66175+:100120000080982130B0003F105200060360A021EB
66176+:100130002402000D0E0016C5A38200441052005484
66177+:100140002404FFFF8F8300148E2200188C63007C30
66178+:1001500010430007026020212402000E0E0016C585
66179+:10016000A38200442403FFFF104300492404FFFF3F
66180+:1001700024040020120400048F83001490620063A2
66181+:1001800034420020A06200638F85003410A000205C
66182+:1001900000000000560400048F8200140260202139
66183+:1001A0000A0017902402000A9683000A9442006015
66184+:1001B0003042FFFF144300048F8200202404FFFD1F
66185+:1001C0000A0017B7AF82003C3C0208008C42318C19
66186+:1001D0000045102B14400006026020210000282159
66187+:1001E0000E001646240600010A0017B70000202161
66188+:1001F0002402002D0E0016C5A38200442403FFFF35
66189+:10020000104300232404FFFF0A0017B70000202139
66190+:10021000160400058F8400148E2300142402FFFFAF
66191+:100220005062001802602021948200602442000184
66192+:10023000A4820060948200603C0308008C633188D3
66193+:1002400030427FFF5443000F0260202194820060FF
66194+:100250002403800000431024A48200609082006088
66195+:1002600090830060304200FF000211C2000210279C
66196+:10027000000211C03063007F00621825A083006077
66197+:10028000026020210E0015F9240500010000202144
66198+:100290008FBF00248FB400208FB3001C8FB20018D2
66199+:1002A0008FB100148FB000100080102103E000080F
66200+:1002B00027BD00288F83001427BDFFE8AFB00010D2
66201+:1002C000AFBF0014906200638F87002C00808021F4
66202+:1002D000344200408CE60010A06200633C0308003A
66203+:1002E0008C6331B030C23FFF0043102B1040004EF2
66204+:1002F0008F8500302402FF8090A3000D004310245E
66205+:10030000304200FF504000490200202100061382C5
66206+:10031000304800032402000255020044020020215C
66207+:1003200094A2001C8F85001424030023A4A20114AE
66208+:100330008CE60000000616023042003F1043001019
66209+:100340003C0300838CE300188CA2007C1062000642
66210+:100350002402000E0E0016C5A38200442403FFFFF2
66211+:10036000104300382404FFFF8F8300149062006361
66212+:1003700034420020A06200630A0017FC8F8300242F
66213+:1003800000C31024144300078F83002490A200624E
66214+:100390003042000F34420020A0A20062A38800383F
66215+:1003A0008F8300249062000D3042007FA062000D18
66216+:1003B0008F83003410600018020020218F840030E9
66217+:1003C0008C8200100043102B1040000924020018FA
66218+:1003D000020020210E0016C5A38200442403FFFF63
66219+:1003E000104300182404FFFF0A00182400002021F5
66220+:1003F0008C820010240500010200202100431023FC
66221+:100400008F830024240600010E001646AC62001003
66222+:100410000A001824000020210E0015F9240500010F
66223+:100420000A00182400002021020020212402000DCF
66224+:100430008FBF00148FB0001027BD00180A0016C52A
66225+:10044000A38200448FBF00148FB0001000801021E1
66226+:1004500003E0000827BD001827BDFFC8AFB2002089
66227+:10046000AFBF0034AFB60030AFB5002CAFB400283A
66228+:10047000AFB30024AFB1001CAFB000188F46012805
66229+:100480003C0308008C6331A02402FF80AF86004843
66230+:1004900000C318213065007F03452821006218241D
66231+:1004A0003C02000AAF43002400A2282190A200626F
66232+:1004B00000809021AF850014304200FF000211023D
66233+:1004C000A382003890A200BC304200021440000217
66234+:1004D00024030034240300308F820014A3830028F7
66235+:1004E000938300388C4200C0A3800044AF82003C5C
66236+:1004F000240200041062031C8F84003C8E4400041C
66237+:10050000508003198F84003C8E4200103083FFFF1F
66238+:10051000A784003A106002FFAF8200408F8400146D
66239+:100520002403FF809082006300621024304200FFA9
66240+:10053000144002CF9785003A9383003824020002CA
66241+:1005400030B6FFFF14620005000088219382002866
66242+:100550002403FFFD0A001B19AF82003C8F82003C80
66243+:1005600002C2102B144002A18F8400400E0014EC34
66244+:1005700000000000938300283C040800248477983E
66245+:10058000240200341462002EAF84002C3C0A0800C0
66246+:100590008D4A77C82402FFFFAFA2001000803821E7
66247+:1005A0002405002F3C09080025297398240800FF22
66248+:1005B0002406FFFF90E2000024A3FFFF00062202B2
66249+:1005C00000C21026304200FF0002108000491021B6
66250+:1005D0008C420000306500FF24E7000114A8FFF5FD
66251+:1005E0000082302600061027AFA20014AFA2001030
66252+:1005F0000000282127A7001027A6001400C51023FB
66253+:100600009044000324A2000100A71821304500FFF8
66254+:100610002CA200041440FFF9A06400008FA2001077
66255+:100620001142000724020005024020210E0016C5D9
66256+:10063000A38200442403FFFF104300642404FFFF4F
66257+:100640003C0208009042779C104000098F82001401
66258+:10065000024020212402000C0E0016C5A382004493
66259+:100660002403FFFF104300592404FFFF8F8200146E
66260+:10067000A380001C3C0308008C63779C8C440080A2
66261+:100680003C0200FF3442FFFF006218240083202B4D
66262+:1006900010800008AF83003402402021240200199A
66263+:1006A0000E0016C5A38200442403FFFF1043004739
66264+:1006B0002404FFFF8F87003C9782003A8F85003427
66265+:1006C000AF8700200047202310A0003BA784003AFA
66266+:1006D0008F86001430A200030002102390C300BCD8
66267+:1006E0003050000300B0282100031882307300014D
66268+:1006F0000013108000A228213C0308008C6331A065
66269+:100700008F8200483084FFFF0085202B004310219A
66270+:1007100010800011244200888F84002C1082000E6B
66271+:100720003C033F013C0208008C42779800431024B0
66272+:100730003C0325001443000630E500FF8C820000D6
66273+:10074000ACC200888C8200100A0018E9ACC2009884
66274+:100750000E001529000030219382001C8F850014A3
66275+:100760008F830040020238218F82003CA387001C47
66276+:1007700094A400E4006218218F82003434841000B5
66277+:10078000AF83004000503021A4A400E41260000EAA
66278+:10079000AF86003C24E20004A382001C94A200E483
66279+:1007A00024C30004AF83003C34422000A4A200E430
66280+:1007B0000A001906000020218F820040AF80003C13
66281+:1007C00000471021AF820040000020212414FFFFC9
66282+:1007D000109402112403FFFF3C0808008D0877A83D
66283+:1007E0003C0208008C4231B03C03080090637798CB
66284+:1007F00031043FFF0082102B1040001B3067003F88
66285+:100800003C0208008C4231A88F83004800042180FC
66286+:1008100000621821006418213062007F0342282101
66287+:100820003C02000C00A228213C020080344200015E
66288+:100830003066007800C230252402FF800062102458
66289+:10084000AF42002830640007AF4208048F820014D2
66290+:100850000344202124840940AF460814AF850024B6
66291+:10086000AF840030AC4301189383003824020003A6
66292+:10087000146201CF240200012402002610E201D1FB
66293+:1008800028E2002710400013240200322402002234
66294+:1008900010E201CC28E200231040000824020024CA
66295+:1008A0002402002010E201B82402002110E20147D6
66296+:1008B000024020210A001AFB2402000B10E201C1B1
66297+:1008C0002402002510E20010024020210A001AFB39
66298+:1008D0002402000B10E201AE28E2003310400006B3
66299+:1008E0002402003F2402003110E2009A024020213D
66300+:1008F0000A001AFB2402000B10E201A5024020218D
66301+:100900000A001AFB2402000B8F90002C3C03080005
66302+:100910008C6331B08F8500308E0400100000A82158
66303+:100920008CB3001430823FFF0043102B8CB10020A9
66304+:100930005040018F0240202190A3000D2402FF802F
66305+:1009400000431024304200FF504001890240202122
66306+:10095000000413823042000314400185024020212C
66307+:1009600094A3001C8F8200148E040028A443011459
66308+:100970008CA20010026218231064000302402021A0
66309+:100980000A00197C2402001F8F82003400621021AB
66310+:100990000262102B104000088F83002402402021A7
66311+:1009A000240200180E0016C5A382004410540174DE
66312+:1009B0002404FFFF8F8300248F8400348C62001096
66313+:1009C0000224882100441023AC6200108F8200149E
66314+:1009D000AC7100208C4200680051102B10400009BF
66315+:1009E0008F830030024020212402001D0E0016C516
66316+:1009F000A38200442403FFFF104301612404FFFF8E
66317+:100A00008F8300308E0200248C6300241043000783
66318+:100A1000024020212402001C0E0016C5A3820044BF
66319+:100A20002403FFFF104301562404FFFF8F8400249A
66320+:100A30008C82002424420001AC8200241233000482
66321+:100A40008F8200148C4200685622000E8E02000035
66322+:100A50008E0200003C030080004310241440000D6F
66323+:100A60002402001A024020210E0016C5A382004471
66324+:100A70002403FFFF104301422404FFFF0A0019BAB8
66325+:100A80008E0200143C0300800043102450400003F9
66326+:100A90008E020014AC8000208E0200142411FFFF8F
66327+:100AA0001051000E3C0308003C0208008C423190BB
66328+:100AB000004310242403001B14400007A3830044B8
66329+:100AC0000E0016C5024020211051012D2404FFFF05
66330+:100AD0000A0019CB8E030000A38000448E0300009F
66331+:100AE0003C02000100621024104000123C02008011
66332+:100AF0000062102414400008024020212402001A41
66333+:100B00000E0016C5A38200442403FFFF1043011CFE
66334+:100B10002404FFFF02402021020028210E0016E5D8
66335+:100B2000240600012403FFFF104301152404FFFFE6
66336+:100B3000241500018F83002402A0302102402021CF
66337+:100B40009462003624050001244200010A001ADFE5
66338+:100B5000A46200368F90002C3C0308008C6331B0F7
66339+:100B60008E13001032623FFF0043102B10400089AB
66340+:100B70008F8400302402FF809083000D00431024F6
66341+:100B8000304200FF104000842402000D0013138245
66342+:100B900030420003240300011443007F2402000DAF
66343+:100BA0009082000D30420008544000048F820034CF
66344+:100BB000024020210A001A102402002450400004A0
66345+:100BC0008E03000C024020210A001A102402002784
66346+:100BD0008C82002054620006024020218E0300080F
66347+:100BE0008C820024506200098E02001402402021F1
66348+:100BF000240200200E0016C5A38200441054007188
66349+:100C00002403FFFF0A001A458F8400242411FFFFEC
66350+:100C1000145100048F860014024020210A001A405B
66351+:100C2000240200258E0300188CC2007C1062000391
66352+:100C30002402000E0A001A40024020218E030024E4
66353+:100C40008C82002810620003240200210A001A404E
66354+:100C5000024020218E0500288C82002C10A2000367
66355+:100C60002402001F0A001A40024020218E03002C9B
66356+:100C700014600003240200230A001A4002402021CD
66357+:100C80008CC200680043102B104000032402002691
66358+:100C90000A001A40024020218C82001400651821AD
66359+:100CA0000043102B104000088F84002402402021B4
66360+:100CB000240200220E0016C5A382004410510041F8
66361+:100CC0002403FFFF8F8400242403FFF79082000D8C
66362+:100CD00000431024A082000D8F8600143C030800FE
66363+:100CE0008C6331AC8F82004894C400E08F8500246F
66364+:100CF0000043102130847FFF000420400044102175
66365+:100D00003043007F034320213C03000E0083202159
66366+:100D10002403FF8000431024AF42002CA493000062
66367+:100D20008CA2002824420001ACA200288CA2002C36
66368+:100D30008E03002C00431021ACA2002C8E02002C4C
66369+:100D4000ACA200308E020014ACA2003494A2003A8F
66370+:100D500024420001A4A2003A94C600E03C0208002C
66371+:100D60008C4231B024C4000130837FFF1462000F35
66372+:100D700000803021240280000082302430C2FFFF36
66373+:100D8000000213C2304200FF000210270A001A7E40
66374+:100D9000000233C02402000D024020210E0016C5BF
66375+:100DA000A38200440A001A84004018218F82001494
66376+:100DB00002402021240500010E0015F9A44600E0A0
66377+:100DC000000018210A001B16006088218F90002C5B
66378+:100DD0003C0308008C6331B08E05001030A23FFF49
66379+:100DE0000043102B104000612402FF808F840030EC
66380+:100DF0009083000D00431024304200FF5040005CFF
66381+:100E0000024020218F8200341040000B0005138225
66382+:100E10008F8200149763000A944200603042FFFF03
66383+:100E200014430005000513828F8200202404FFFD77
66384+:100E30000A001AF3AF82003C304200031440000E57
66385+:100E40000000000092020002104000058E03002402
66386+:100E500050600015920300030A001AAF02402021DF
66387+:100E60008C82002450620010920300030240202173
66388+:100E70000A001AB72402000F9082000D30420008C9
66389+:100E80005440000992030003024020212402001074
66390+:100E90000E0016C5A38200442403FFFF1043003850
66391+:100EA0002404FFFF92030003240200025462000C9A
66392+:100EB000920200038F820034544000099202000322
66393+:100EC000024020212402002C0E0016C5A3820044FB
66394+:100ED0002403FFFF1043002A2404FFFF92020003B3
66395+:100EE0000200282102402021384600102CC60001B3
66396+:100EF0002C4200010E0016E5004630252410FFFFAD
66397+:100F00001050001F2404FFFF8F8300341060001373
66398+:100F1000024020213C0208008C42318C0043102BFF
66399+:100F200014400007000000000000282124060001F2
66400+:100F30000E001646000000000A001AF300002021EF
66401+:100F40002402002D0E0016C5A38200441050000C90
66402+:100F50002404FFFF0A001AF3000020210E0015F9F7
66403+:100F6000240500010A001AF300002021024020217C
66404+:100F70002402000D0E0016C5A3820044004020216B
66405+:100F80000A001B16008088211514000E00000000C6
66406+:100F90000E00174C024020210A001B160040882139
66407+:100FA0000E0016C5A38200440A001B1600408821CB
66408+:100FB00014620017022018212402002314E2000505
66409+:100FC0002402000B0E0017C0024020210A001B164D
66410+:100FD0000040882102402021A38200440E0016C553
66411+:100FE0002411FFFF0A001B170220182130A500FF63
66412+:100FF0000E001529240600019783003A8F82003CD9
66413+:10100000A780003A00431023AF82003C0220182141
66414+:101010001220003E9782003A2402FFFD5462003EF7
66415+:101020008E4300208E4200048F830014005610234C
66416+:10103000AE420004906200633042007FA062006311
66417+:101040008E4200208F840014A780003A34420002B0
66418+:10105000AE420020A48000E4908200632403FFBF1E
66419+:1010600000431024A08200630A001B598E43002015
66420+:101070009082006300621024304200FF1040002381
66421+:101080009782003A90820088908300BD2485008872
66422+:101090003042003F2444FFE02C820020A383001C48
66423+:1010A00010400019AF85002C2402000100821804B2
66424+:1010B000306200191440000C3C02800034420002EF
66425+:1010C000006210241440000B306200201040000F1A
66426+:1010D0009782003A90A600010240202124050001D9
66427+:1010E0000A001B5330C60001024020210A001B5297
66428+:1010F00024050001024020210000282124060001CF
66429+:101100000E001646000000009782003A1440FD04CD
66430+:101110008F8400148E4300203062000410400012BF
66431+:101120008F84003C2402FFFB00621024AE420020AA
66432+:10113000274301808F4201B80440FFFE8F820048A0
66433+:10114000AC6200008F420124AC6200042402608380
66434+:10115000A462000824020002A062000B3C021000FE
66435+:10116000AF4201B88F84003C8F8300148FBF0034DE
66436+:101170008FB600308FB5002C8FB400288FB30024B9
66437+:101180008FB200208FB1001C8FB000182402000124
66438+:1011900027BD003803E00008AC6400C030A500FFA4
66439+:1011A0002403000124A900010069102B1040000C49
66440+:1011B00000004021240A000100A31023004A380443
66441+:1011C00024630001308200010069302B10400002CE
66442+:1011D000000420420107402554C0FFF800A310235B
66443+:1011E00003E00008010010213C020800244260A432
66444+:1011F0003C010800AC22738C3C02080024425308D6
66445+:101200003C010800AC2273902402000627BDFFE0D9
66446+:101210003C010800A02273943C021EDCAFB200180F
66447+:10122000AFB10014AFBF001CAFB0001034526F411B
66448+:1012300000008821240500080E001B7A02202021CE
66449+:10124000001180803C07080024E773980002160014
66450+:1012500002071821AC6200000000282124A200012E
66451+:101260003045FFFF8C6200002CA6000804410002FC
66452+:10127000000220400092202614C0FFF8AC64000059
66453+:10128000020780218E0400000E001B7A2405002036
66454+:10129000262300013071FFFF2E2301001460FFE5BB
66455+:1012A000AE0200008FBF001C8FB200188FB1001477
66456+:1012B0008FB0001003E0000827BD002027BDFFD835
66457+:1012C000AFB3001CAFB20018AFBF0020AFB1001425
66458+:1012D000AFB000108F5101408F48014800089402C0
66459+:1012E000324300FF311300FF8F4201B80440FFFE7C
66460+:1012F00027500180AE1100008F420144AE0200046D
66461+:1013000024020002A6120008A202000B240200140C
66462+:10131000AE1300241062002528620015104000085A
66463+:101320002402001524020010106200302402001272
66464+:10133000106200098FBF00200A001CB58FB3001C8B
66465+:101340001062007024020022106200378FBF00205C
66466+:101350000A001CB58FB3001C3C0208008C4231A06F
66467+:101360002403FF800222102100431024AF420024F6
66468+:101370003C0208008C4231A0022210213042007F42
66469+:10138000034218213C02000A00621821166000BCCA
66470+:10139000AF830014906200623042000F344200308C
66471+:1013A000A06200620A001CB48FBF00203C046000F1
66472+:1013B0008C832C083C02F0033442FFFF00621824A7
66473+:1013C000AC832C083C0208008C4231A08C832C0892
66474+:1013D000244200740002108200021480006218256A
66475+:1013E000AC832C080A001CB48FBF00203C0208000C
66476+:1013F0008C4231A02403FF800222102100431024DC
66477+:10140000AF4200243C0208008C4231A03C03000A99
66478+:10141000022210213042007F03421021004310219C
66479+:101420000A001CB3AF8200143C0208008C4231A0B9
66480+:101430002405FF800222102100451024AF42002421
66481+:101440003C0208008C4231A0022210213042007F71
66482+:10145000034218213C02000A0062182190620063D6
66483+:1014600000A21024304200FF10400085AF8300141A
66484+:1014700024620088944300123C0208008C4231A888
66485+:1014800030633FFF00031980022210210043102126
66486+:101490003043007F03432021004510243C03000C0F
66487+:1014A00000832021AF4200289082000D00A210246A
66488+:1014B000304200FF10400072AF8400249082000D83
66489+:1014C000304200101440006F8FBF00200E0015C87E
66490+:1014D000000000008F4201B80440FFFE0000000041
66491+:1014E000AE1100008F420144AE020004240200024B
66492+:1014F000A6120008A202000BAE1300240A001CB4BE
66493+:101500008FBF00202406FF8002261024AF42002057
66494+:101510003C0208008C4231A031043FFF00042180CE
66495+:101520000222102100461024AF4200243C03080090
66496+:101530008C6331A83C0208008C4231A03227007F26
66497+:101540000223182102221021006418213042007F5A
66498+:101550003064007F034228213C02000A0066182400
66499+:1015600000A22821034420213C02000C00822021FB
66500+:10157000AF4300283C020008034718210062902175
66501+:10158000AF850014AF8400240E0015C8010080212F
66502+:101590008F4201B80440FFFE8F8200248F84001424
66503+:1015A000274501809042000DACB10000A4B00006B8
66504+:1015B000000216000002160300021027000237C2C4
66505+:1015C00014C00016248200889442001232033FFFA8
66506+:1015D00030423FFF14430012240260829083006374
66507+:1015E0002402FF8000431024304200FF5040000CD2
66508+:1015F00024026082908200623042000F3442004038
66509+:10160000A082006224026084A4A200082402000DCB
66510+:10161000A0A200050A001C9E3C0227002402608252
66511+:10162000A4A20008A0A000053C02270000061C00A0
66512+:101630000062182524020002A0A2000BACA3001037
66513+:10164000ACA00014ACA00024ACA00028ACA0002CDE
66514+:101650008E42004C8F840024ACA200189083000DB1
66515+:101660002402FF8000431024304200FF1040000598
66516+:101670008FBF00209082000D3042007FA082000DBD
66517+:101680008FBF00208FB3001C8FB200188FB10014E1
66518+:101690008FB000103C02100027BD002803E00008B6
66519+:1016A000AF4201B80800343008003430080033A8D5
66520+:1016B000080033E0080034140800343808003438D7
66521+:1016C00008003438080033180A0001240000000024
66522+:1016D000000000000000000D747061362E322E33C1
66523+:1016E00000000000060203010000000000000000EE
66524+:1016F00000000000000000000000000000000000EA
66525+:1017000000000000000000000000000000000000D9
66526+:1017100000000000000000000000000000000000C9
66527+:1017200000000000000000000000000000000000B9
66528+:1017300000000000000000000000000000000000A9
66529+:101740000000000000000000000000000000000099
66530+:101750000000000000000000000000001000000376
66531+:10176000000000000000000D0000000D3C02080019
66532+:1017700024421C003C03080024632094AC40000079
66533+:101780000043202B1480FFFD244200043C1D080070
66534+:1017900037BD2FFC03A0F0213C1008002610049058
66535+:1017A0003C1C0800279C1C000E00015C000000008F
66536+:1017B0000000000D3084FFFF308200078F85001885
66537+:1017C00010400002248300073064FFF800853021B8
66538+:1017D00030C41FFF03441821247B4000AF85001C48
66539+:1017E000AF84001803E00008AF4400843084FFFF9A
66540+:1017F000308200078F8500208F860028104000026D
66541+:10180000248300073064FFF8008520210086182B10
66542+:1018100014600002AF8500240086202303442821A1
66543+:1018200034068000AF840020AF44008000A6202151
66544+:1018300003E00008AF84003827BDFFD8AFB3001C19
66545+:10184000AFB20018AFB00010AFBF0024AFB400209B
66546+:10185000AFB100143C0860088D1450002418FF7FBD
66547+:101860003C1A8000029898243672380CAD12500051
66548+:101870008F5100083C07601C3C08600036300001B6
66549+:10188000AF500008AF800018AF400080AF40008428
66550+:101890008CE600088D0F08083C0760168CEC0000F1
66551+:1018A00031EEFFF039CA00103C0DFFFF340B800011
66552+:1018B0003C030080034B48212D440001018D282466
66553+:1018C0003C0253533C010800AC230420AF8900388C
66554+:1018D000AF860028AF840010275B400014A20003ED
66555+:1018E00034E37C008CF90004032818218C7F007CF1
66556+:1018F0008C6500783C0280003C0B08008D6B048CEA
66557+:101900003C0A08008D4A048834520070AF85003CC0
66558+:10191000AF9F00403C13080026731C440240A021E6
66559+:101920008E4800008F46000038C30001306400017B
66560+:1019300010800017AF880034028048218D2F0000EE
66561+:101940003C0508008CA5045C3C1808008F1804585E
66562+:1019500001E8102300A280210000C8210202402BD0
66563+:1019600003198821022838213C010800AC30045CAE
66564+:101970003C010800AC2704588F4E000039CD00010F
66565+:1019800031AC00011580FFED01E04021AF8F003444
66566+:101990008E5100003C0708008CE7045C3C0D0800F9
66567+:1019A0008DAD04580228802300F0602100007021D2
66568+:1019B0000190302B01AE1821006620213C01080067
66569+:1019C000AC2C045C3C010800AC2404588F46010890
66570+:1019D0008F47010030C92000AF860000AF87000CA0
66571+:1019E0001120000A00C040213C1808008F18042C68
66572+:1019F000270800013C010800AC28042C3C184000DA
66573+:101A0000AF5801380A000196000000009749010410
66574+:101A100000002821014550213122FFFF0162582199
66575+:101A20000162F82B015F502130D902003C0108000F
66576+:101A3000AC2B048C3C010800AC2A0488172000154C
66577+:101A400024040F0010E400130000000024080D001F
66578+:101A500010E8023B30CD000611A0FFE93C18400021
66579+:101A6000936E00002409001031C400F01089027147
66580+:101A700024020070108202E58F880014250F0001F7
66581+:101A8000AF8F00143C184000AF5801380A0001968F
66582+:101A900000000000974C01041180FFD93C18400061
66583+:101AA00030C34000146000A1000000008F460178A0
66584+:101AB00004C0FFFE8F87003824100800240F0008A0
66585+:101AC0008CE30008AF500178A74F0140A7400142C6
66586+:101AD000974E01048F86000031C9FFFF30CD000111
66587+:101AE00011A002E1012040212531FFFE241800024F
66588+:101AF000A75801463228FFFFA75101483C190800AA
66589+:101B00008F39043C172002D08F8C000C30DF00206E
66590+:101B100017E00002240400092404000130C20C0074
66591+:101B2000240504005045000134840004A744014A00
66592+:101B30003C1108008E3104203C1800483C10000184
66593+:101B40000238182530CF00020070282511E000046B
66594+:101B5000000018213C19010000B9282524030001C8
66595+:101B600030DF000453E00005AF8300083C0600109E
66596+:101B700000A6282524030001AF830008AF4510000C
66597+:101B80000000000000000000000000000000000055
66598+:101B90008F83000810600023000000008F451000B4
66599+:101BA00004A1FFFE000000001060001E0000000005
66600+:101BB0008F4410003C0C0020008C102410400019B1
66601+:101BC0008F8E000031CD000211A000160000000031
66602+:101BD000974F101415E000130000000097591008EB
66603+:101BE0003338FFFF271100060011188200033080F0
66604+:101BF00000C7282132300001322300031200032CD9
66605+:101C00008CA200000000000D00C7F821AFE2000028
66606+:101C10003C0508008CA5043024A600013C01080006
66607+:101C2000AC2604308F6D00003402FFFFAF8D00043E
66608+:101C30008CEC0000118202A6000020218CED000037
66609+:101C400031AC01001180028A000000003C02080053
66610+:101C50008C4204743C0308008C63044C3C1F080055
66611+:101C60008FFF04703C1808008F1804480048382182
66612+:101C70000068802100E8282B03E430210208402B73
66613+:101C80000304882100C57021022878213C01080046
66614+:101C9000AC30044C3C010800AC2F04483C01080067
66615+:101CA000AC2704743C010800AC2E04708F8400182B
66616+:101CB0000120302131290007249F000833F91FFF3C
66617+:101CC00003594021AF84001CAF990018251B400028
66618+:101CD000AF590084112000038F83002024C2000725
66619+:101CE0003046FFF88F84002800C3282100A4302B41
66620+:101CF00014C00002AF83002400A428230345602100
66621+:101D0000340D8000018D10213C0F1000AF850020A4
66622+:101D1000AF820038AF450080AF4F01788F88001444
66623+:101D2000250F00010A0001EFAF8F00148F62000839
66624+:101D30008F670000240500300007760231C300F0F1
66625+:101D4000106500A7240F0040546FFF4C8F880014CB
66626+:101D50008F4B01780560FFFE0000000030CA0200D2
66627+:101D600015400003000612820000000D00061282DA
66628+:101D7000304D0003000D4900012D18210003808023
66629+:101D8000020D402100086080019380218E1F000019
66630+:101D900017E00002000000000000000D8F6E00043C
66631+:101DA00005C202BD92070006920E000592020004D1
66632+:101DB0003C090001000E18800070F8218FED00181A
66633+:101DC000277100082448000501A96021000830821D
66634+:101DD000AFEC0018022020210E00059E26050014FD
66635+:101DE000920A00068F7900043C0B7FFF000A2080D6
66636+:101DF000009178218DF800043566FFFF0326282422
66637+:101E000003053821ADE70004920E0005920D000491
66638+:101E1000960C0008000E10800051C8218F2300008E
66639+:101E2000974901043C07FFFF006758243128FFFF52
66640+:101E3000010DF82103EC50233144FFFF01643025EC
66641+:101E4000AF260000920300072418000110780275E5
66642+:101E5000240F0003106F0285000000008E050010A3
66643+:101E60002419000AA7590140A7450142921800040D
66644+:101E70008F860000240F0001A7580144A7400146A7
66645+:101E80009747010430D100023C050041A7470148B3
66646+:101E900000001821A74F014A1220000330CB000494
66647+:101EA0003C0501412403000151600005AF83000897
66648+:101EB0003C06001000A6282524030001AF8300087B
66649+:101EC000AF4510000000000000000000000000000E
66650+:101ED000000000008F8A000811400004000000008C
66651+:101EE0008F4410000481FFFE000000008F6B000093
66652+:101EF000920800043C1108008E310444AF8B0004AA
66653+:101F000097590104311800FF3C0E08008DCE0440A3
66654+:101F10003325FFFF0305382102276021000010212F
66655+:101F2000250F000A31E8FFFF0187482B01C2682115
66656+:101F300001A9F821311000073C010800AC2C044431
66657+:101F40003C010800AC3F0440120000038F8C0018D5
66658+:101F50002506000730C8FFF8010C682131BF1FFFBC
66659+:101F6000AF8C001CAF9F0018AF5F00849744010442
66660+:101F7000035F80213084FFFF308A00071140000397
66661+:101F8000261B4000248900073124FFF88F8200209F
66662+:101F90008F850028008220210085702B15C000024B
66663+:101FA000AF820024008520233C0B08008D6B048C3D
66664+:101FB0003C0A08008D4A04880344882134038000C9
66665+:101FC000022310213C0F1000AF840020AF820038A4
66666+:101FD000AF440080AF4F01780A0002968F8800144A
66667+:101FE0008F5001780600FFFE30D10200162000035A
66668+:101FF000000612820000000D00061282305F00030E
66669+:10200000001F1900007F302100062080009FC8219A
66670+:1020100000194880013380218E180000130000024F
66671+:10202000000000000000000D8F6C000C058001FB1B
66672+:102030008F870038240E0001AE0E00008CE30008EC
66673+:10204000A20000078F65000400055402314D00FF17
66674+:1020500025A80005000830822CCB00411560000245
66675+:10206000A20A00040000000D8F7800043C03FFFF6B
66676+:1020700000E02821330BFFFF256C000B000C1082C1
66677+:1020800000022080008748218D3F000026040014B4
66678+:10209000A618000803E3C8240E00059EAD39000011
66679+:1020A0008F4F01083C11100001F1382410E001AB02
66680+:1020B00000000000974D01049208000725AAFFECDC
66681+:1020C000350600023144FFFFA2060007960600080D
66682+:1020D0002CC7001354E0000592030007921100077B
66683+:1020E000362F0001A20F00079203000724180001F9
66684+:1020F000107801C224090003106901D58F880038C7
66685+:1021000030CBFFFF257100020011788331E400FF1E
66686+:1021100000042880A20F000500A848218D2D000092
66687+:10212000974A01043C0EFFFF01AEF8243143FFFF44
66688+:10213000006B1023244CFFFE03ECC825AD390000D2
66689+:10214000920600053C03FFF63462FFFF30D800FF23
66690+:102150000018388000F08821922F00143C04FF7F83
66691+:102160003487FFFF31EE000F01C65821316500FFB3
66692+:1021700000055080015068218DAC00200148F821F5
66693+:10218000A20B00060182C824AE0C000CAFF9000CB3
66694+:10219000920900068E11000C032778240009C080E4
66695+:1021A0000310702195C60026030828210227202449
66696+:1021B000AE04000CADCF0020ADC60024ACA60010CC
66697+:1021C0008F8800003C0B08008D6B048C3C0A0800D3
66698+:1021D0008D4A0488241F001024190002A75F0140C3
66699+:1021E000A7400142A7400144A7590146974901046D
66700+:1021F00024070001310600022538FFFEA7580148D8
66701+:102200003C050009A747014A10C00003000018213F
66702+:102210003C05010924030001310C00045180000534
66703+:10222000AF8300083C08001000A828252403000103
66704+:10223000AF830008AF451000000000000000000060
66705+:1022400000000000000000009205000424AE00021F
66706+:1022500031CD0007000D182330620007AE020010D8
66707+:102260008F90000812000004000000008F4F100043
66708+:1022700005E1FFFE000000008F7100008F8E001846
66709+:102280003C0308008C630444AF91000497450104AB
66710+:1022900025CF001031E61FFF30A2FFFFAF8E001CDC
66711+:1022A000AF860018AF4600842449FFFE3C0C0800AE
66712+:1022B0008D8C0440974D010401208021000947C303
66713+:1022C0000070C02131A9FFFF0310F82B0188C8213D
66714+:1022D000033F202103463821313100073C0108002B
66715+:1022E000AC3804443C010800AC2404401220000334
66716+:1022F00024FB40002527000730E9FFF88F860020E7
66717+:102300008F8400280126382100E4C02B170000022A
66718+:10231000AF86002400E438230347202134198000CD
66719+:10232000009910213C0F1000AF870020AF820038C9
66720+:10233000AF470080AF4F01780A0002968F880014E3
66721+:102340009747010410E0FDAE3C1840008F5801781B
66722+:102350000700FFFE30C5400010A000033C1F00082E
66723+:102360000000000D3C1F0008AF5F01402410080072
66724+:102370008F860000AF5001789744010430D90001E6
66725+:10238000132000ED3086FFFF24CCFFFE240D000259
66726+:10239000A74D0146A74C01488F9100182408000D55
66727+:1023A000A748014A8F630000262F000831E21FFF73
66728+:1023B0000342702130C90007AF830004AF91001CB5
66729+:1023C000AF82001800C03821AF4200841120000302
66730+:1023D00025DB400024D800073307FFF88F85002055
66731+:1023E0008F84002800E5302100C4382B14E000025F
66732+:1023F000AF85002400C430238F8400140346F821E5
66733+:10240000340C8000AF86002003EC8021AF460080B2
66734+:10241000249900013C0610003C184000AF460178AA
66735+:10242000AF900038AF990014AF5801380A000196F8
66736+:10243000000000008F630000975101043067FFFF28
66737+:102440003228FFFF8F4F017805E0FFFE30EC0007D8
66738+:10245000000CF82333F0000724F9FFFE2404000ADF
66739+:10246000A7440140A7500142A7590144A740014693
66740+:10247000A74801488F45010830B800201700000226
66741+:10248000240300092403000130CD0002A743014AC0
66742+:102490003C04004111A00003000018213C0401414C
66743+:1024A0002403000130C9000451200005AF83000857
66744+:1024B0003C0600100086202524030001AF8300089D
66745+:1024C000AF44100000000000000000000000000009
66746+:1024D000000000008F8E000811C000040000000002
66747+:1024E0008F4210000441FFFE000000008F7F0000BB
66748+:1024F000276400088F91003CAF9F0004948500087A
66749+:102500009490000A9499000C30AFFFFF0010C400B3
66750+:102510003323FFFF11F100A6030320253C0E080022
66751+:102520008DCE04443C0C08008D8C044000E88821CA
66752+:102530002626FFFE01C628210000682100A6F82BF0
66753+:10254000018D2021009F80213C010800AC2504441E
66754+:102550003C010800AC30044024E200083042FFFF98
66755+:102560003047000710E000038F830018244F000756
66756+:1025700031E2FFF83106FFFF30C800070043802139
66757+:1025800032191FFF0359C021AF83001CAF990018F7
66758+:10259000271B4000AF590084110000038F8C0020DE
66759+:1025A00024C5000730A6FFF88F84002800CC28211E
66760+:1025B00000A4F82B17E00002AF8C002400A428230D
66761+:1025C000AF850020AF4500803C0408008C840434B3
66762+:1025D00003454821340E8000012E6821108000053B
66763+:1025E000AF8D0038939100172406000E12260011BB
66764+:1025F0002407043F3C021000AF4201788F8800148A
66765+:10260000250F00010A0001EFAF8F00140E0005C472
66766+:1026100000E020218F8800143C0B08008D6B048C97
66767+:102620003C0A08008D4A0488250F00010A0001EFCA
66768+:10263000AF8F00143C021000A7470148AF42017859
66769+:102640000A0004CE8F88001424040F001184003D7A
66770+:1026500030CE002015C0000224030009240300012D
66771+:102660000A00021AA743014A0A00020DA7400146C8
66772+:1026700094EF000894F1000A94F0000C8F8C003C59
66773+:10268000001174003207FFFF31EDFFFF11AC00377E
66774+:1026900001C720253C1808008F1804443C0F08008F
66775+:1026A0008DEF0440000080210308682101A8382B29
66776+:1026B00001F0702101C760213C010800AC2D0444E9
66777+:1026C0003C010800AC2C04400A00027A8F840018F8
66778+:1026D0003C0208008C42047C3C0308008C630454D8
66779+:1026E0003C1F08008FFF04783C1808008F18045026
66780+:1026F000004838210068802100E8282B03E43021BD
66781+:102700000208402B0304882100C57021022878218B
66782+:102710003C010800AC3004543C010800AC2F0450CC
66783+:102720003C010800AC27047C3C010800AC2E047876
66784+:102730000A00027A8F840018A74001460A00043577
66785+:102740008F91001830CD002015A0FFC52403000D87
66786+:10275000240300050A00021AA743014A974E010408
66787+:1027600025C5FFF00A00038130A4FFFF8F980040C9
66788+:102770001498FFC8000010213C0508008CA5046CCB
66789+:102780003C1F08008FFF046800A8C8210328302BD5
66790+:1027900003E22021008640213C010800AC39046C92
66791+:1027A0003C010800AC2804680A00027A8F840018F3
66792+:1027B0008F8C0040148CFF5900E8C8213C18080099
66793+:1027C0008F18046C3C1108008E3104682723FFFE2B
66794+:1027D00003034821000010210123302B0222702125
66795+:1027E00001C668213C010800AC29046C3C010800CA
66796+:1027F000AC2D04680A0004A524E200088F88003884
66797+:102800003C03FFFF8D02000C0043F82403E4C825BD
66798+:10281000AD19000C0A00038F30CBFFFF0A0003C381
66799+:10282000AE000000974A0104920400048E26000CBA
66800+:10283000014458212579FFF200C7C0243325FFFF4A
66801+:1028400003053825AE27000C0A0002E68E050010AD
66802+:102850003C0DFFFF8D0A0010014D582401646025D6
66803+:10286000AD0C00100A00038F30CBFFFF974301042B
66804+:10287000920E00048E290010006E1021244DFFEEF0
66805+:102880000127602431A8FFFF0188F825AE3F001022
66806+:102890000A0002E68E0500108E0F000CAE0000004C
66807+:1028A00000078880023028210A0002B8ACAF00205F
66808+:1028B0001460000D3058FFFF3C04FFFF0044682403
66809+:1028C00001A47026000E602B000D102B004CF82484
66810+:1028D00013E00002000000000000000D8CAF0000BB
66811+:1028E0000A00025001E410253B03FFFF0003882B80
66812+:1028F0000018802B0211202410800002000000002C
66813+:102900000000000D8CB900000A0002503722FFFFC2
66814+:102910003084FFFF30A5FFFF108000070000182162
66815+:10292000308200011040000200042042006518219E
66816+:102930001480FFFB0005284003E000080060102120
66817+:1029400010C00007000000008CA2000024C6FFFF9A
66818+:1029500024A50004AC82000014C0FFFB2484000402
66819+:1029600003E000080000000010A0000824A3FFFFFF
66820+:10297000AC86000000000000000000002402FFFF01
66821+:102980002463FFFF1462FFFA2484000403E00008BC
66822+:1029900000000000308EFFFF30D8FFFF00057C00F4
66823+:1029A00001F8602539CDFFFF01AC5021014C582BB7
66824+:1029B000014B4821000944023127FFFF00E8302184
66825+:1029C0000006240230C5FFFF00A418213862FFFF73
66826+:1029D00003E000083042FFFF3C0C08008D8C0484AB
66827+:1029E000240BFF8027BDFFD001845021014B4824D8
66828+:1029F000AF4900203C0808008D080484AFB20020D5
66829+:102A0000AFB00018AFBF0028AFB30024AFB1001CB7
66830+:102A1000936600040104382130E4007F009A1021FD
66831+:102A20003C0300080043902130C500200360802152
66832+:102A30003C080111277B000814A000022646007004
66833+:102A40002646006C9213000497510104920F000473
66834+:102A50003267000F322EFFFF31ED004001C72823FF
66835+:102A600011A0000500004821925900BC3338000431
66836+:102A70001700009000000000924300BC307F00046B
66837+:102A800013E0000F0000000010A0000D0000000087
66838+:102A9000960E0002240AFF8000A7602125CDFFFECC
66839+:102AA000A74D1016920B0004014B2024308200FF2A
66840+:102AB00010400085010C40253C0F0400010F40250B
66841+:102AC0008F5301780660FFFE2404000AA7440140EA
66842+:102AD000960D00022404000931AC0007000C5823B5
66843+:102AE000316A0007A74A0142960200022443FFFE12
66844+:102AF000A7430144A7400146975F0104A75F01482F
66845+:102B00008F590108333800205300000124040001CC
66846+:102B1000920F000431EE001015C000023483001043
66847+:102B200000801821A743014A0000000000000000B7
66848+:102B30000000000000000000AF481000000000008E
66849+:102B40000000000000000000000000008F51100095
66850+:102B50000621FFFE3113FFFF12600003000000009A
66851+:102B60008F481018ACC8000096030006307FFFFFA6
66852+:102B700027F900020019988200138880023B302157
66853+:102B80008CD800001520005700183402920300046E
66854+:102B90002405FF8000A3F82433F100FF1220002C4D
66855+:102BA00000000000924700BC30F2000212400028F2
66856+:102BB00000000000974B100C2562FFFEA742101684
66857+:102BC000000000003C0A040035490030AF49100005
66858+:102BD00000000000000000000000000000000000F5
66859+:102BE0008F4C10000581FFFE000000009749100C7B
66860+:102BF0008F51101C00C020213127FFFF24F200302C
66861+:102C0000001218820003288000BBF8213226FFFF43
66862+:102C1000AFF100000E0005B300112C020013C880B4
66863+:102C2000033B98218E78000000027400AFB80010BA
66864+:102C30008FA80010310FFFFFAFAF00108FA400105E
66865+:102C400001C46825AFAD00108FA60010AE6600006D
66866+:102C500097730008976D000A9766000C8F8A003CF6
66867+:102C6000000D5C0030CCFFFF3262FFFF104A0036DF
66868+:102C7000016C2025960600023C10100024D30008A9
66869+:102C80000E00013B3264FFFF974C01040E00014926
66870+:102C90003184FFFFAF5001788FBF00288FB300242D
66871+:102CA0008FB200208FB1001C8FB0001803E0000825
66872+:102CB00027BD003010A0FF700000000024A5FFFC1D
66873+:102CC0000A0005EC240900048CD10000AF51101853
66874+:102CD0008F5301780660FF7A2404000A0A00060177
66875+:102CE0000000000000A7C8218F8800388F4E101CFC
66876+:102CF0000019C0820018788001E82021AC8E000005
66877+:102D0000000E2C0200C020210E0005B331C6FFFFCB
66878+:102D1000023B28218CAD000000025400004030210D
66879+:102D2000AFAD00108FAC0010318BFFFFAFAB0010C8
66880+:102D30008FA2001001424825AFA900108FA70010F4
66881+:102D40000A000631ACA700008F8F0040148FFFC926
66882+:102D50000000000097420104960B00023C050800A9
66883+:102D60008CA5046C3049FFFF316AFFFF3C1108005D
66884+:102D70008E310468012A382124F2FFFE00B240217E
66885+:102D80000012FFC30112C82B023FC02103192021EA
66886+:102D90003C010800AC28046C3C010800AC24046829
66887+:102DA0000A00066B0000000000A4102B1040000970
66888+:102DB000240300010005284000A4102B04A00003F8
66889+:102DC000000318405440FFFC000528401060000735
66890+:102DD000000000000085302B14C0000200031842E0
66891+:102DE000008520231460FFFB0005284203E0000853
66892+:102DF000008010218F85002C27BDFFE800053027BB
66893+:102E00002CC300012CA400020083102510400003F5
66894+:102E1000AFBF00102405007FAF85002C00052827D8
66895+:102E200030A5FFFF0E000592240426F58F830030A5
66896+:102E3000240402BD004030210083382B10E000093B
66897+:102E400024050001000420400083102B04800003AF
66898+:102E5000000528405440FFFC0004204010A000085A
66899+:102E600000C350210064402B1500000200052842D9
66900+:102E70000064182314A0FFFB0004204200C350216B
66901+:102E80008FBF0010000A4C02312200FF27BD00183E
66902+:102E9000AF8A002C03E00008AF8900300A00002A46
66903+:102EA00000000000000000000000000D7478703683
66904+:102EB0002E322E3300000000060203000000000046
66905+:102EC000000001360000EA60000000000000000081
66906+:102ED00000000000000000000000000000000000F2
66907+:102EE00000000000000000000000000000000000E2
66908+:102EF00000000000000000000000000000000016BC
66909+:102F000000000000000000000000000000000000C1
66910+:102F100000000000000000000000000000000000B1
66911+:102F200000000000000000000000000000000000A1
66912+:102F3000000000000000138800000000000005DC15
66913+:102F4000000000000000000010000003000000006E
66914+:102F50000000000D0000000D3C02080024423C204F
66915+:102F60003C03080024633DD4AC4000000043202B08
66916+:102F70001480FFFD244200043C1D080037BD7FFC87
66917+:102F800003A0F0213C100800261000A83C1C0800FB
66918+:102F9000279C3C200E0002BA000000000000000D3B
66919+:102FA0008F8300383C088000350700708CE50000F6
66920+:102FB000008330253C02900000C22025AF85003000
66921+:102FC000AF4400208F4900200520FFFE3C03800015
66922+:102FD000346200708C4500008F8600303C19080078
66923+:102FE0008F39007C3C0E08008DCE007800A620238F
66924+:102FF00003245821000078210164682B01CF60214F
66925+:10300000018D50213C010800AC2B007C3C010800E4
66926+:10301000AC2A007803E00008000000000A0000412C
66927+:10302000240400018F8400383C05800034A2000194
66928+:103030000082182503E00008AF43002003E00008E9
66929+:10304000000010213084FFFF30A5FFFF1080000733
66930+:1030500000001821308200011040000200042042CC
66931+:10306000006518211480FFFB0005284003E00008DC
66932+:103070000060102110C00007000000008CA20000BA
66933+:1030800024C6FFFF24A50004AC82000014C0FFFB8F
66934+:103090002484000403E000080000000010A00008E1
66935+:1030A00024A3FFFFAC860000000000000000000029
66936+:1030B0002402FFFF2463FFFF1462FFFA248400044C
66937+:1030C00003E0000800000000308AFFFF93A800130F
66938+:1030D000A74A014497490E1630C600FF3C02100073
66939+:1030E000A7490146AF450148A3460152A748015AE6
66940+:1030F000AF4701608FA400188FA30014A7440158A4
66941+:10310000AF43015403E00008AF42017803E0000838
66942+:10311000000000003C038000346200708C49000015
66943+:103120008F8800002484000727BDFFF83084FFF853
66944+:10313000AF890030974D008A31ACFFFFAFAC000083
66945+:103140008FAB0000016850232547FFFF30E61FFFCB
66946+:1031500000C4282B14A0FFF73C0C8000358B0070B6
66947+:103160008D6A00003C0708008CE700843C060800DC
66948+:103170008CC6008000081082014918230002788064
66949+:1031800000E370210000202101C3C82B00C4C0212E
66950+:1031900001FA4021031948212502400027BD0008FB
66951+:1031A0003C010800AC2E00843C010800AC290080E2
66952+:1031B00003E00008000000008F8200002486000762
66953+:1031C00030C5FFF800A2182130641FFF03E000089B
66954+:1031D000AF8400008F8700388F8A004027BDFFB87A
66955+:1031E0008F860044AFB60040AFBF0044AFB5003C8F
66956+:1031F000AFB40038AFB30034AFB20030AFB1002C81
66957+:10320000AFB000288F4501048D4900ACAF47008066
66958+:103210008CC8002000A938230000B021AF480E1050
66959+:103220008F440E1000004821AF440E148CC20024BD
66960+:10323000AF420E188F430E18AF430E1C10E001254D
66961+:103240002D230001936B0008116000D400000000E2
66962+:10325000976E001031CDFFFF00ED602B158000CF81
66963+:103260000000000097700010320FFFFFAF4F0E00FC
66964+:103270008F520000325100081220FFFD00000000B4
66965+:1032800097540E088F460E043285FFFF30B30001BD
66966+:1032900012600132000000000000000D30B8A040B4
66967+:1032A00024150040131500C030A9A0001120012DE5
66968+:1032B00000000000937F000813E0000800000000F9
66969+:1032C00097630010306BFFFF00CB402B1100000311
66970+:1032D00030AC00401180012300000000A785003CB5
66971+:1032E000AF8600349366000800E02821AFA70020D5
66972+:1032F00014C0012427B30020AF60000C9782003C6B
66973+:103300003047400014E00002240300162403000E9E
66974+:1033100024194007A363000AAF790014938A003E82
66975+:103320008F740014315800070018AA4002959025A8
66976+:10333000AF7200149784003C8F700014309100101D
66977+:1033400002117825AF6F0014978E003C31CD000834
66978+:1033500011A00147000028218F6700143C021000D3
66979+:103360003C0C810000E22825AF65001497460E0A48
66980+:103370002408000E3405FFFC30C3FFFF006C582505
66981+:10338000AF6B0004A3680002937F000A27E90004E2
66982+:10339000A369000A9786003C9363000A30CC1F00A3
66983+:1033A000000C598301634021251F0028A37F0009D9
66984+:1033B00097490E0CA769001093790009272A00028B
66985+:1033C000315800070018A82332B10007A371000B81
66986+:1033D00093740009976400108F910034978F003C1C
66987+:1033E000329200FF024480210205702131ED00403D
66988+:1033F00011A0000531C4FFFF0091282B3C12800072
66989+:1034000010A000140000A0210224382B14E0011B9E
66990+:103410008FA500208F4D0E14AF4D0E108F420E1C45
66991+:10342000AF420E18AF440E008F4F000031EE00087F
66992+:1034300011C0FFFD0000000097540E080080882195
66993+:1034400000009021A794003C8F500E04241400012A
66994+:10345000AF900034976400103095FFFF8E68000035
66995+:103460000111F82317E00009AE7F00008F650014FA
66996+:103470008F8B004434A60040AF6600148F4C0E10B2
66997+:10348000AD6C00208F430E18AD63002493670008D5
66998+:1034900014E000D2000000000E00009E2404001082
66999+:1034A0008F8900483C08320000402821312600FF67
67000+:1034B0000006FC0003E8502525390001AF990048BB
67001+:1034C000AC4A0000937800099370000A330400FFAF
67002+:1034D00000047400320F00FF01CF6825AC4D0004DA
67003+:1034E0008F820048064000EAACA20008ACA0000CA5
67004+:1034F0009783003C306B0008156000022628000608
67005+:1035000026280002974E0E148F450E1C8F6700046C
67006+:10351000936D000231C4FFFF31A200FFAFA2001083
67007+:103520008F6C0014AFA800180E00008BAFAC001415
67008+:10353000240400100E0000C7000000008E7200007E
67009+:1035400016400005000000008F6400142405FFBF32
67010+:1035500000859824AF7300148F79000C033538214F
67011+:10356000AF67000C9375000816A00008000000006B
67012+:1035700012800006000000008F7F00143C0BEFFF5C
67013+:103580003568FFFE03E84824AF690014A3740008FF
67014+:103590008FA500200A00024602202021AF470E001E
67015+:1035A0000A0000F5000000008F5901780720FFFE97
67016+:1035B000241F08008F840000AF5F0178974B008ABA
67017+:1035C000316AFFFF014448232528FFFF31021FFF16
67018+:1035D0002C4300081460FFF9000000008F8E0048A3
67019+:1035E0008F8D003800C048210344202125C60001EA
67020+:1035F000240C0F00AF86004800E9382324864000E1
67021+:1036000031CA00FF11AC0005240800019391003E6F
67022+:103610003230000700107A4035E80001000AAC00A3
67023+:103620003C18010002B8A025AC9440008F930048DC
67024+:1036300030B2003630A40008ACD3000410800097EC
67025+:1036400001123025974E0E0A8F8D00003C0281003A
67026+:1036500031CCFFFF25AB0008018240253C03100060
67027+:1036600031651FFF25390006241F000EAF48016099
67028+:1036700000C33025A75F015AAF850000A759015844
67029+:1036800014E0000A8F93003824120F0052720002D7
67030+:103690002416000134C600408F580E108F94004449
67031+:1036A000AE9800208F550E18AE9500248F450E144D
67032+:1036B000AF4501448F590E1CAF590148A34A01522E
67033+:1036C0003C0A1000AF460154AF4A017814E0FEDD19
67034+:1036D0002D2300010076A025128000178FBF004423
67035+:1036E0008F84003824160F0010960084000000001C
67036+:1036F0008F45017804A0FFFE24150F001095006E81
67037+:10370000000000008F470E14240202403C1F1000EE
67038+:10371000AF4701448F440E1CAF440148A3400152FF
67039+:10372000A740015AAF400160A7400158AF42015481
67040+:10373000AF5F01788FBF00448FB600408FB5003C6B
67041+:103740008FB400388FB300348FB200308FB1002CAB
67042+:103750008FB0002803E0000827BD004814C0FED049
67043+:1037600030B8A0408F420E148F84004400004821DE
67044+:10377000AC8200208F510E1CAC9100240A00020E76
67045+:103780002D2300018F910034978A003C3C12800069
67046+:103790000220A821315800401700FF300000A0216E
67047+:1037A000976900108F9200343139FFFF13320035D2
67048+:1037B00000002021008048211480FEA000A03821B4
67049+:1037C0008F420E148F840044AC8200208F510E1C57
67050+:1037D000AC9100240A00020E2D230001936A000917
67051+:1037E0009378000B315000FF330F00FF020F702160
67052+:1037F00025C2000A3050FFFF0E00009E020020216B
67053+:103800008F8600483C1F410024CD0001AF8D004849
67054+:10381000936C000930C600FF00064400318300FFAE
67055+:10382000246B0002010B4825013FC825AC5900005C
67056+:103830008F67000C97440E1400F22825AC45000455
67057+:103840008F450E1C8F670004936A00023084FFFFCF
67058+:10385000315800FFAFB800108F6F0014AFB10018DF
67059+:103860000E00008BAFAF00140A0001A60200202159
67060+:10387000AF6000040A00013EA36000020A00024695
67061+:1038800000002021000090210A0001702414000192
67062+:103890003C1280000A000195ACB2000C8F91000030
67063+:1038A00025240002A744015826300008320F1FFFCC
67064+:1038B0000A0001F9AF8F0000AF40014C1120002C2D
67065+:1038C000000000008F590E10AF5901448F430E18AD
67066+:1038D000240200403C1F1000AF430148A3400152A6
67067+:1038E000A740015AAF400160A7400158AF420154C0
67068+:1038F000AF5F01780A0002278FBF00441120000645
67069+:103900000000000097460E0830CC004015800002F1
67070+:10391000000000000000000D8F4D017805A0FFFEA3
67071+:103920000000000097530E103C120500240E2000EA
67072+:10393000326AFFFF0152C025AF58014C8F4F0E1461
67073+:103940003C021000AF4F01448F500E1CAF50014895
67074+:10395000A34001528F840038A740015AAF40016054
67075+:10396000A7400158AF4E01540A000215AF4201783A
67076+:103970008F490E14AF4901448F430E1C0A00028E7A
67077+:10398000240200403C0E20FF27BDFFE03C1A8000CF
67078+:103990003C0F800835CDFFFDAFBF001CAFB2001853
67079+:1039A000AFB10014AFB00010AF8F0040AF4D0E00AC
67080+:1039B0000000000000000000000000000000000007
67081+:1039C000000000003C0C00FF358BFFFDAF4B0E00EC
67082+:1039D0003C0660048CC95000240AFF7F3C11600043
67083+:1039E000012A40243507380CACC750008E24043817
67084+:1039F00024050009AF4500083083FFFF38622F71AE
67085+:103A00002450C0B3AF8000480E000068AF800000B3
67086+:103A100052000001AE20442C0E0004353C11800001
67087+:103A20000E000ED9363000708F8A00403C1208001C
67088+:103A300026523C88020088218E0800008F5F00001B
67089+:103A40003BF900013338000113000017AF88003044
67090+:103A5000022048218D2700003C0F08008DEF006CEC
67091+:103A60003C0C08008D8C006800E8C02301F8282178
67092+:103A70000000682100B8302B018D582101664021DB
67093+:103A80003C010800AC25006C3C010800AC28006833
67094+:103A90008F44000038830001306200011440FFEDC4
67095+:103AA00000E04021AF8700308E0C00003C0508008C
67096+:103AB0008CA5006C3C0408008C84006801883023CD
67097+:103AC00000A638210000102100E6402B00821821BA
67098+:103AD0000068F8213C010800AC27006C3C0108009C
67099+:103AE000AC3F00688F49010025590088AF99004418
67100+:103AF000AF890038AF4900208E070000AF87003043
67101+:103B00008F4D017805A0FFFE000000008E0600002A
67102+:103B10003C0B08008D6B00743C0408008C84007022
67103+:103B200000C728230165F8210000102103E5402B80
67104+:103B30000082382100E8C821240908003C0108005F
67105+:103B4000AC3F00743C010800AC390070AF4901780B
67106+:103B500093580108A398003E938F003E31EE000178
67107+:103B600015C000158F830038240E0D00106E00194B
67108+:103B7000240F0F00106F001D00000000915900007D
67109+:103B800024180050332900FF113800043C1F400066
67110+:103B9000AF5F01380A0002E7000000000E00090EC6
67111+:103BA000000000008F8A00403C1F4000AF5F0138DA
67112+:103BB0000A0002E700000000938D003E31AC0006D1
67113+:103BC000000C51000E0000CE0152D8210A00034320
67114+:103BD0008F8A00403C1B0800277B3D080E0000CE6A
67115+:103BE000000000000A0003438F8A00403C1B0800CD
67116+:103BF000277B3D280E0000CE000000000A00034392
67117+:103C00008F8A004090AA00018FAB00108CAC00108E
67118+:103C10003C0300FF8D680004AD6C00208CAD0014E7
67119+:103C200000E060213462FFFFAD6D00248CA7001816
67120+:103C30003C09FF000109C024AD6700288CAE001CC0
67121+:103C40000182C82403197825AD6F0004AD6E002CE5
67122+:103C50008CAD0008314A00FFAD6D001C94A9000234
67123+:103C60003128FFFFAD68001090A70000A56000029A
67124+:103C7000A1600004A167000090A30002306200FF71
67125+:103C80000002198210600005240500011065000E75
67126+:103C90000000000003E00008A16A00018CD80028A1
67127+:103CA000354A0080AD7800188CCF0014AD6F001439
67128+:103CB0008CCE0030AD6E00088CC4002CA16A0001CF
67129+:103CC00003E00008AD64000C8CCD001CAD6D001845
67130+:103CD0008CC90014AD6900148CC80024AD680008BC
67131+:103CE0008CC70020AD67000C8CC200148C8300646C
67132+:103CF0000043C82B13200007000000008CC20014F2
67133+:103D0000144CFFE400000000354A008003E0000886
67134+:103D1000A16A00018C8200640A000399000000007F
67135+:103D200090AA000027BDFFF88FA9001CA3AA0000DD
67136+:103D30008FAE00003C0FFF808FA8001835E2FFFF18
67137+:103D40008CCD002C01C26024AFAC0000A120000487
67138+:103D500000E06021A7A000028FB800008D270004BA
67139+:103D60000188182100A0582100C05021006D28268C
67140+:103D70003C06FF7F3C0F00FF2CAD000135EEFFFF3E
67141+:103D800034D9FFFF3C02FF0003193024000D1DC091
67142+:103D9000010EC82400E2C02400C370250319782551
67143+:103DA000AD2E0000AD2F00048D450024AFAE000005
67144+:103DB000AD2500088D4D00202405FFFFAD2D000C22
67145+:103DC000956800023107FFFFAD27001091660018CB
67146+:103DD00030C200FF000219C2506000018D4500345E
67147+:103DE000AD2500148D67000827BD0008AD27001C15
67148+:103DF0008C8B00CCAD2C0028AD20002CAD2B0024EA
67149+:103E0000AD20001803E00008AD20002027BDFFE032
67150+:103E1000AFB20018AFB10014AFB00010AFBF001CBC
67151+:103E20009098000000C088213C0D00FF330F007FF8
67152+:103E3000A0CF0000908E000135ACFFFF3C0AFF00D0
67153+:103E4000A0CE000194A6001EA22000048CAB00149A
67154+:103E50008E29000400A08021016C2824012A40241E
67155+:103E60000080902101052025A6260002AE24000432
67156+:103E700026050020262400080E00007624060002F5
67157+:103E800092470000260500282624001400071E0083
67158+:103E90000003160324060004044000032403FFFF6C
67159+:103EA000965900023323FFFF0E000076AE23001068
67160+:103EB000262400248FBF001C8FB200188FB100147D
67161+:103EC0008FB0001024050003000030210A0000809C
67162+:103ED00027BD002027BDFFD8AFB1001CAFB0001830
67163+:103EE000AFBF002090A80000240200018FB0003C6A
67164+:103EF0003103003F00808821106200148FAA00382F
67165+:103F0000240B0005506B0016AFAA001000A0202162
67166+:103F100000C028210E0003DC02003021922400BCE6
67167+:103F2000308300021060000326060030ACC00000A1
67168+:103F300024C600048FBF00208FB1001C8FB0001872
67169+:103F400000C0102103E0000827BD002801403821EF
67170+:103F50000E00035AAFB000100A0004200000000059
67171+:103F60000E0003A1AFB000140A00042000000000FE
67172+:103F70003C02000A034218213C04080024843D6CE2
67173+:103F80002405001A000030210A000080AF8300548D
67174+:103F90003C038000346200708C48000000A058216F
67175+:103FA00000C04821308A00FFAF8800308F4401787C
67176+:103FB0000480FFFE3C0C8000358600708CC500003C
67177+:103FC0003C0308008C6300743C1808008F180070D4
67178+:103FD00000A82023006468210000C82101A4782BD8
67179+:103FE0000319702101CF60213C010800AC2D007441
67180+:103FF0003C010800AC2C00708F480E14AF480144FF
67181+:10400000AF47014CA34A0152A74B01589346010800
67182+:1040100030C5000854A0000135291000934B090059
67183+:1040200024070050316A00FF11470007000000001C
67184+:104030008F450E1CAF450148AF4901543C091000A3
67185+:1040400003E00008AF490178934D010831A800084A
67186+:104050001100001000000000934F010831EE001025
67187+:1040600051C00001352900083C04080090843DD06F
67188+:10407000A34401508F4309A4AF4301488F4209A0D4
67189+:10408000AF420144AF4901543C09100003E000086D
67190+:10409000AF4901783C1908008F393D8C333800084E
67191+:1040A0005700FFF1352900080A00047300000000E2
67192+:1040B00024070040AF470814AF4008108F4209445E
67193+:1040C0008F4309508F4409548F45095C8F46094C32
67194+:1040D000AF820064AF830050AF84004CAF85005CBA
67195+:1040E00003E00008AF8600609346010930C5007FF9
67196+:1040F000000518C0000521400083102103E00008DE
67197+:10410000244200883C09080091293D9124A800021E
67198+:104110003C05110000093C0000E8302500C51825C9
67199+:1041200024820008AC83000003E00008AC80000497
67200+:104130009347010B8F4A002C974F09083C18000E3B
67201+:104140000358482131EEFFFF000E41C0AF48002C5C
67202+:1041500097430908952C001A008040212403000190
67203+:10416000318BFFFFAC8B00008D2D001C00A058216F
67204+:1041700000C06021AC8D00048D24002030E7004099
67205+:10418000AD04000891220019304400031083004858
67206+:104190002885000214A00062240600021086005642
67207+:1041A00024190003109900660000000010E0003A96
67208+:1041B000000000003C07080094E73D8624E200016F
67209+:1041C000934F0934934709219525002A31EE00FFCA
67210+:1041D000000E488230ED00FF978700580009360036
67211+:1041E000000D1C003044FFFF00C310250044C02513
67212+:1041F00000A778213C19400003197025000F4C00DE
67213+:10420000AD090004AD0E0000934D09203C030006EB
67214+:1042100025090014000D360000C32025AD04000858
67215+:104220008F59092C24E5000130A27FFFAD19000C45
67216+:104230008F580930A782005825020028AD180010B9
67217+:104240008F4F0938AD0F0014AD2B00048F4E09407D
67218+:10425000AD2E0008934D09373C05080090A53D9010
67219+:104260008F4409488F46094031A700FF00EC182110
67220+:10427000008678230003C7000005CC0003196025E1
67221+:1042800031E8FFFC01885825AD2B000CAD20001053
67222+:1042900003E00008AF4A002C3C0D080095AD3D86B8
67223+:1042A0003C0E080095CE3D800A0004C901AE1021E5
67224+:1042B0003C05080094A53D8A3C06080094C63D8054
67225+:1042C0003C18080097183D7C952E002400A6782104
67226+:1042D00001F86823000E240025A2FFF200821825B1
67227+:1042E00024190800AD03000CAD190014AD00001036
67228+:1042F0000A0004C4250800189526002495250028E6
67229+:104300000006C40000057C00370E810035ED080072
67230+:10431000AD0E000CAD0D00100A0004C425080014F9
67231+:104320001480FFA200000000952400240004140063
67232+:1043300034430800AD03000C0A0004C42508001033
67233+:104340003C03080094633D8A3C05080094A53D8029
67234+:104350003C06080094C63D7C953900249538002819
67235+:10436000006520210086782300196C000018740075
67236+:1043700025E2FFEE01C2202535A3810024190800A3
67237+:10438000AD03000CAD040010AD190018AD00001411
67238+:104390000A0004C42508001C03E00008240201F4FC
67239+:1043A00027BDFFE8AFB00010AFBF00140E000060E3
67240+:1043B0000080802124050040AF4508148F83005001
67241+:1043C0008F84004C8F85005C0070182100641023DE
67242+:1043D00018400004AF830050AF6300548F66005450
67243+:1043E000AF86004C1200000C000000008F440074E7
67244+:1043F000936800813409FA002D07000710E00005DA
67245+:1044000000891021936C0081240B01F4018B50046E
67246+:1044100001441021AF62000C8F4E095C01C5682376
67247+:1044200019A000048FBF00148F4F095CAF8F005C90
67248+:104430008FBF00148FB000100A00006227BD001863
67249+:104440008F8400648F8300508F82004CAF640044DF
67250+:10445000AF63005003E00008AF6200543C038000EB
67251+:10446000346200708C43000027BDFFF8308700FFE6
67252+:1044700030A900FF30C800FFAF8300308F440178BF
67253+:104480000480FFFE3C028000345900708F38000029
67254+:10449000A3A700033C0708008CE700748FAC000062
67255+:1044A0003C0608008CC60070030378233C0E7FFF97
67256+:1044B00000EFC82135CDFFFF00005021018D2824D9
67257+:1044C00000CA1821000847C0032F202B00A8102580
67258+:1044D0000064C021AFA200003C010800AC390074A8
67259+:1044E0003C010800AC380070934F010AA3A0000201
67260+:1044F0003C0E80FFA3AF00018FAC0000312B007F8A
67261+:1045000035CDFFFF018D4824000B5600012A4025C0
67262+:10451000240730002406FF803C05100027BD00085A
67263+:10452000AF48014CAF470154A7400158A346015280
67264+:1045300003E00008AF45017827BDFFE8AFBF0014D6
67265+:10454000AFB000108F6500743C068000309000FF13
67266+:1045500000A620250E000060AF6400749363000580
67267+:10456000346200080E000062A362000502002021F0
67268+:104570008FBF00148FB00010240500052406000131
67269+:104580000A00057027BD001827BDFFE03C0380002E
67270+:10459000AFB00010AFBF0018AFB1001434620070AC
67271+:1045A0008C470000309000FF30A800FFAF8700303C
67272+:1045B0008F4401780480FFFE3C18800037110070A2
67273+:1045C0008E2F00003C0D08008DAD00743C0A0800E1
67274+:1045D0008D4A007001E7702301AE282100005821A8
67275+:1045E00000AE302B014B4821012638213C01080048
67276+:1045F000AC250074000088213C010800AC27007045
67277+:104600001100000F000000008F6200742619FFFFE8
67278+:104610003208007F0002FE0233E5007F150000062D
67279+:10462000332200FF2407FF800207202624A3FFFF78
67280+:1046300000838025320200FF0040802124111008F1
67281+:104640000E000060000000008F49081831250004AA
67282+:1046500014A0FFFD3218007F001878C000187140C8
67283+:1046600001CF682125AC0088AF4C0818274A098083
67284+:104670008D4B0020AF4B01448D460024AF460148CE
67285+:10468000A35001500E000062A740015802201021E3
67286+:104690008FBF00188FB100148FB0001003E0000826
67287+:1046A00027BD002027BDFFE8308400FFAFBF00100A
67288+:1046B0000E0005BB30A500FF8F8300508FBF001098
67289+:1046C000344500402404FF903C02100027BD001830
67290+:1046D000AF43014CA3440152AF45015403E000082D
67291+:1046E000AF4201789343093E306200081040000D4C
67292+:1046F0003C0901013528080AAC8800008F47007486
67293+:10470000AC8700043C06080090C63D9030C5001000
67294+:1047100050A00006AC8000088F6A0060AC8A0008D8
67295+:104720002484000C03E00008008010210A00062207
67296+:104730002484000C27BDFFE8AFBF0014AFB0001009
67297+:104740009346093F00A050210005288000853823AA
67298+:1047500030C200FF240300063C09080095293D866D
67299+:1047600024E8FFD824050004104300372406000283
67300+:104770009750093C3C0F020400063400320EFFFF44
67301+:1047800001CF6825AC8D0000934C093E318B002091
67302+:104790001160000800000000934309363C02010349
67303+:1047A000345F0300307900FF033FC0252405000873
67304+:1047B000AC98000493430934935909210005F88209
67305+:1047C000306200FF0002C082332F00FF00186E002D
67306+:1047D000000F740001AE6025018920253C094000CE
67307+:1047E00000898025ACF0FFD8934309378F4F0948E3
67308+:1047F0008F580940306200FF004AC821033F7021F2
67309+:1048000001F86023000E6F0001A650253185FFFCE2
67310+:10481000001F58800145482501683821AD09002056
67311+:104820000E00006024F00028240400040E00006242
67312+:10483000A364003F020010218FBF00148FB000104E
67313+:1048400003E0000827BD00180A0006352406001200
67314+:1048500027BDFFD024090010AFB60028AFB5002453
67315+:10486000AFB40020AFB10014AFB000103C0108009D
67316+:10487000A0293D90AFBF002CAFB3001CAFB2001811
67317+:1048800097480908309400FF3C02000E3107FFFFF3
67318+:10489000000731C0AF46002C974409089344010B30
67319+:1048A00030B500FF03428021308300300000B0218A
67320+:1048B0001060012500008821240C00043C01080040
67321+:1048C000A02C3D90934B093E000B5600000A2E038E
67322+:1048D00004A0016000000000AF400048934F010BAE
67323+:1048E00031EE002011C00006000000009358093E80
67324+:1048F00000189E0000139603064001890000000086
67325+:104900009344010B30830040106000038F930050EC
67326+:104910008F8200502453FFFF9347093E30E6000882
67327+:1049200014C0000224120003000090219619002CEC
67328+:1049300093580934934F0937A7990058330C00FF57
67329+:1049400031EE00FF024E6821000D5880016C5021AD
67330+:10495000015140213C010800A4283D869205001821
67331+:1049600030A900FF010918213C010800A4233D885B
67332+:104970009211001816200002000000000000000D37
67333+:104980003C010800A4233D8A3C010800A4203D808E
67334+:104990003C010800A4203D7C935F010B3063FFFFC6
67335+:1049A00033F00040120000022464000A2464000B6B
67336+:1049B0003091FFFF0E00009E022020219358010B32
67337+:1049C0003C08080095083D8A0040202100185982C3
67338+:1049D000316700010E00049A01072821934C010B56
67339+:1049E0008F4B002C974E09083C0F000E034F4021BF
67340+:1049F00031CDFFFF000D51C0AF4A002C974309088D
67341+:104A00009505001A004038212404000130A9FFFF59
67342+:104A1000AC4900008D06001C00404821318A00404E
67343+:104A2000AC4600048D020020ACE20008910300199E
67344+:104A300030630003106400EC28790002172001188D
67345+:104A4000241000021070010C241F0003107F011EAF
67346+:104A500000000000114000DE000000003C090800DA
67347+:104A600095293D8625220001935F0934934E092143
67348+:104A70009504002A33F900FF0019C08231CF00FFEE
67349+:104A8000978E005800184600000F6C00010D80251D
67350+:104A90003045FFFF02051025008E50213C034000E9
67351+:104AA00000433025000A6400ACEC0004ACE60000D2
67352+:104AB000935F09203C19000624EC0014001FC60077
67353+:104AC00003197825ACEF00088F48092C25CD00018B
67354+:104AD00031A57FFFACE8000C8F500930A785005846
67355+:104AE00024E80028ACF000108F4409380100802130
67356+:104AF000ACE40014AD9300048F530940AD9300085B
67357+:104B0000934A09373C19080093393D908F4309486F
67358+:104B10008F460940314200FF0052F82100667023A1
67359+:104B2000001F7F000019C40001F8282531CDFFFCCB
67360+:104B300000AD2025AD84000CAD800010AF4B002CE3
67361+:104B4000934B093E317300081260000D3C060101D1
67362+:104B500034CC080AACEC00288F530074AD13000469
67363+:104B60003C0B0800916B3D903167001050E0000352
67364+:104B7000AD0000088F6A0060AD0A00082510000C27
67365+:104B800012C0003D000000009343093F24160006B8
67366+:104B900024060004306200FF105600C924070002FA
67367+:104BA0009758093C3C0F0204330DFFFF01AF40252D
67368+:104BB000AE0800009345093E30A400201080000894
67369+:104BC00000000000935309363C0B0103357F0300BE
67370+:104BD000327900FF033F7025AE0E00042406000862
67371+:104BE000934F093493480921312AFFFF31ED00FF2B
67372+:104BF000000D1082310300FF0002B60000032C00FC
67373+:104C000002C56025018A9825001220803C094000D9
67374+:104C10000204502302695825AD4BFFD8935F093732
67375+:104C20008F4F09488F58094033F900FF0332702134
67376+:104C30000006B08201D668210007440001F828234D
67377+:104C4000000D1F000068302530A2FFFC2547FFD86B
67378+:104C500000C260250016808002074821ACEC0020CD
67379+:104C6000253000280E00006024120004A372003FCB
67380+:104C70000E000062000000009347010B30F200407C
67381+:104C8000124000053C1900FF8E180000372EFFFF70
67382+:104C9000030E3024AE0600000E0000C702202021C3
67383+:104CA0003C10080092103D90321100031220000FBA
67384+:104CB00002A028218F89005025330001AF930050B6
67385+:104CC000AF7300508F6B00540173F8231BE0000298
67386+:104CD000026020218F640054AF6400548F4C007434
67387+:104CE000258401F4AF64000C02A028210280202159
67388+:104CF000A76000680E0005BB3C1410008F850050B3
67389+:104D000034550006AF45014C8F8A00488FBF002CF8
67390+:104D10008FB3001C25560001AF9600488FB20018D3
67391+:104D2000A34A01528FB60028AF5501548FB1001429
67392+:104D3000AF5401788FB500248FB400208FB00010DD
67393+:104D400003E0000827BD00309358093E00189E007C
67394+:104D500000139603064200362411000293440923EF
67395+:104D6000308300021060FEDD8F8600608F8200506D
67396+:104D700014C2FEDA000000000E0000600000000017
67397+:104D80009369003F24070016312800FF1107000C2B
67398+:104D9000240500083C0C0800918C3D90358B0001E7
67399+:104DA0003C010800A02B3D90936A003F314300FF77
67400+:104DB00010650065240D000A106D005E2402000CD1
67401+:104DC0000E000062000000000A00069000000000D3
67402+:104DD0003C09080095293D863C0A0800954A3D801B
67403+:104DE0000A0006F3012A10213C09080095293D8A92
67404+:104DF0003C04080094843D803C06080094C63D7C39
67405+:104E000095030024012410210046F8230003CC0060
67406+:104E100027F0FFF20330C025240F0800ACF8000C87
67407+:104E2000ACEF0014ACE000100A0006EE24E7001816
67408+:104E30003C010800A0313D90935F093E241600011B
67409+:104E400033F900201720FEA5241100080A0006905F
67410+:104E5000241100048F6E00848F4D094011A0FE9E26
67411+:104E6000AF8E0050240F00143C010800A02F3D908D
67412+:104E70000A00068F00000000950E0024950D002802
67413+:104E8000000E6400000D2C003589810034A6080056
67414+:104E9000ACE9000CACE600100A0006EE24E70014B2
67415+:104EA0001460FEEC000000009502002400021C00CB
67416+:104EB00034640800ACE4000C0A0006EE24E700109D
67417+:104EC0000A000741240700123C02080094423D8A70
67418+:104ED0003C06080094C63D803C03080094633D7C7A
67419+:104EE00095100024951900280046F82103E3C023FB
67420+:104EF00000106C0000197400270FFFEE01CF282569
67421+:104F000035AC8100ACEC000CACE5001024070800C7
67422+:104F1000AD2700182527001C0A0006EEAD2000145E
67423+:104F20008F7F004CAF7F00548F7900540A000699A0
67424+:104F3000AF790050A362003F0E0000620000000045
67425+:104F40000A00069000000000240200140A0008274E
67426+:104F5000A362003F27BDFFE8308400FFAFBF001011
67427+:104F60000E0005BB30A500FF9378007E9379007F8B
67428+:104F7000936E00809368007A332F00FF001866005C
67429+:104F8000000F6C0031CB00FF018D4825000B520053
67430+:104F90008FBF0010012A3825310600FF344470000D
67431+:104FA00000E628252402FF813C03100027BD0018DD
67432+:104FB000AF45014CAF440154A342015203E0000845
67433+:104FC000AF43017827BDFFD8AFB20018AFB10014CE
67434+:104FD000AFB00010AFBF0020AFB3001C9342010977
67435+:104FE000308600FF30B000FF000618C23204000215
67436+:104FF0003071000114800005305200FF93670005F6
67437+:1050000030E5000810A0000D30C80010024020213B
67438+:105010000E0005A702202821240400018FBF0020D4
67439+:105020008FB3001C8FB200188FB100148FB0001026
67440+:105030000080102103E0000827BD00281500003281
67441+:105040000000000093430109000028213062007F26
67442+:10505000000220C00002F94003E49821267900886C
67443+:10506000033B98218E7800248E6F0008130F0046B2
67444+:10507000000000008F640084241800020004FD82F8
67445+:1050800033F900031338007C0000000093660083AE
67446+:10509000934A0109514600043205007C10A00060CB
67447+:1050A000000000003205007C14A0005302402021C3
67448+:1050B00016200006320400018E7F00248F5901045F
67449+:1050C00017F9FFD600002021320400011080000AE9
67450+:1050D000024020218F4209408F9300641053000644
67451+:1050E000000000000E00066D022028218F430940B9
67452+:1050F000AF630044024020210E0006020220282156
67453+:105100000A000860240400013C0908008D2900649D
67454+:10511000252600013C010800AC26006416000012A0
67455+:10512000000000008F6D00843C0E00C001AE6024C2
67456+:1051300015800005024020210E00082E02202821A3
67457+:105140000A00086024040001240500040E00057014
67458+:1051500024060001024020210E00082E02202821F2
67459+:105160000A000860240400010E000041240400012C
67460+:10517000936B007D020B50250E000062A36A007D38
67461+:105180000A0008A38F6D00848F6600748F480104A5
67462+:105190008E67002400064E021507FFB63126007FF9
67463+:1051A000936B008326440001308A007F1146004340
67464+:1051B000316300FF5464FFB08F6400842645000112
67465+:1051C00030B1007F30A200FF122600042405000148
67466+:1051D000004090210A00087624110001240FFF806E
67467+:1051E000024F702401CF9026324200FF00409021F0
67468+:1051F0000A000876241100010E00066D0220282105
67469+:10520000321800301300FFAA321000820240202121
67470+:105210000E0005A7022028210A00086024040001CE
67471+:105220008F6E00743C0F80002405000301CF902591
67472+:10523000AF72007493710083240600010E000570A4
67473+:10524000322400FF0E00004124040001936D007D14
67474+:10525000020D60250E000062A36C007D3C0B08006F
67475+:105260008D6B0054257000013C010800AC300054E7
67476+:105270000A000860240400018F6800743C09800063
67477+:105280002405000401093825AF6700749363008387
67478+:10529000240600010E000570306400FF0E0000417E
67479+:1052A000240400019362007D020298250E00006232
67480+:1052B000A373007D0A00086024040001324D0080C1
67481+:1052C00039AC0080546CFF6C8F6400840A0008C9FC
67482+:1052D0002645000127BDFFC83C0A0008AFBF0030CB
67483+:1052E000AFB5002CAFB40028AFB30024AFB200209C
67484+:1052F000AFB1001CAFB00018034AD8212409004008
67485+:10530000AF490814AF4008108F4209448F43095039
67486+:105310008F4609548F47095C8F48094C9344010814
67487+:105320009345010BAF820064308400FF30A500FF7D
67488+:10533000AF830050AF86004CAF87005C0E00084A78
67489+:10534000AF8800601440017D8FBF0030A760006807
67490+:10535000934D0900240B00503C15080026B53D482C
67491+:1053600031AC00FF3C12080026523D58118B00035F
67492+:10537000000000000000A8210000902193510109C5
67493+:105380008F9F005024040010322E007F000E68C052
67494+:10539000000E6140018D282124B40088AF54081804
67495+:1053A0008F4901048F4A09A43C0B000E034BC02116
67496+:1053B000012A10233C010800AC223D6C8F430958A0
67497+:1053C0003C010800A0243D9097470908007F302346
67498+:1053D0003C010800AC263D7030E8FFFF0008C9C062
67499+:1053E0003C010800AC3F3D94AF59002C974209089E
67500+:1053F0009710002C8EB10000930F001803749821B1
67501+:10540000A7900058AF9300440220F80931F000FF44
67502+:10541000304E000215C001B2304F000111E0014FC3
67503+:10542000000000009343093E3066000814C00002EB
67504+:10543000241400030000A0218F5809A424130001A4
67505+:105440003C010800AC383D98934F0934935109371B
67506+:1054500031EC00FF322E00FF028E6821000D288003
67507+:1054600000AC5021015058213C010800A42B3D887C
67508+:105470003C010800A42A3D8693490934312200FFEB
67509+:1054800002022021249000103C010800A4303D8439
67510+:10549000240700068F9F00503C010800AC273D8C7C
67511+:1054A0008F88005C8F59095800008021011F282334
67512+:1054B00004A00149033F20230480014700A4302BAE
67513+:1054C00010C00149000000003C010800AC253D70FF
67514+:1054D0008E4200000040F809000000003043000246
67515+:1054E000146000F80040882130440001548000100E
67516+:1054F0008E4200043C0908008D293D743C0AC0001E
67517+:10550000012A8025AF500E008F45000030AB000807
67518+:105510001160FFFD00000000974D0E0824100001EF
67519+:10552000A78D003C8F4C0E04AF8C00348E420004DB
67520+:105530000040F8090000000002228825322E0002F7
67521+:1055400015C00180000000003C09080095293D7C41
67522+:105550003C06080094C63D883C0A0800954A3D7EFA
67523+:105560003C1908008F393D74012660213C18080061
67524+:105570008F183D983C03080094633D92018A2021D6
67525+:105580008F4E09400329F821248F000203E32821CC
67526+:10559000031968213C010800A42C3D8AAF8E0064E9
67527+:1055A0003C010800AC2D3D983C010800A4253D803D
67528+:1055B0000E00009E31E4FFFF8F870048004020214D
67529+:1055C0003C010800A0273D918E42000824E800011C
67530+:1055D000AF8800480040F809000000009344010B28
67531+:1055E0008F4C002C974A09083C0B000E034B4021BE
67532+:1055F0003149FFFF000919C08F8B0050AF43002CC9
67533+:10560000974309089506001A00403821308A004067
67534+:1056100030DFFFFFAC5F00008D19001C0040482107
67535+:10562000AC5900048D180020AC580008910F0019E7
67536+:1056300031E30003107300F0000000002862000254
67537+:105640001440010924050002106500FD240D00032B
67538+:10565000106D010D00000000114000D90000000095
67539+:105660003C0A0800954A3D8625420001934D0934C5
67540+:1056700093580921950E002A31A300FF00032082D0
67541+:10568000331F00FF9798005800047E00001FCC00D5
67542+:1056900001F940253049FFFF0109102501D83021CB
67543+:1056A0003C0540000045502500066C00ACED0004B0
67544+:1056B000ACEA0000934309203C04000624ED0014EA
67545+:1056C0000003FE0003E4C825ACF900088F49092C4B
67546+:1056D000270F000131EE7FFFACE9000C8F48093045
67547+:1056E000A78E005824E90028ACE800108F4509383F
67548+:1056F00001204021ACE50014ADAB00048F4209400D
67549+:10570000ADA20008934B09373C1F080093FF3D9062
67550+:105710008F4309488F4A0940316600FF00D4202199
67551+:10572000006A78230004C700001FCC000319282555
67552+:1057300031EEFFFC00AE1025ADA2000CADA00010B4
67553+:10574000AF4C002C934C093E318B00085160000F88
67554+:105750008E58000C3C06010134CA080AACEA002845
67555+:105760008F4B0074AD2B00043C0C0800918C3D90D5
67556+:105770003187001050E00003AD2000088F62006008
67557+:10578000AD2200082528000C8E58000C0300F809F3
67558+:10579000010020213C19080097393D8A3C1F080070
67559+:1057A00097FF3D7E033F782125E900020E0000C7E8
67560+:1057B0003124FFFF3C0E08008DCE3D6C3C080800F4
67561+:1057C0008D083D7401C828233C010800AC253D6CC0
67562+:1057D00014A00006000000003C0308008C633D8C10
67563+:1057E000346400403C010800AC243D8C1200007081
67564+:1057F0008F8C00448F470E108F900044AE0700201E
67565+:105800008F4D0E18AE0D00243C10080096103D8000
67566+:105810000E0000600000000024020040AF420814A7
67567+:105820008F8600508F8A004C00D01821006A5823C0
67568+:1058300019600004AF830050AF6300548F650054BB
67569+:10584000AF85004C1200000C000000008F44007473
67570+:10585000936800813409FA002D0E000711C000057D
67571+:1058600000891821937F0081241901F403F9780439
67572+:1058700001E41821AF63000C8F44095C8F83005C46
67573+:105880000083C0231B000003000000008F50095C50
67574+:10589000AF90005C0E000062000000008F8C005092
67575+:1058A0008E4700103C010800AC2C3D9400E0F80944
67576+:1058B000000000003C0D08008DAD3D6C55A0FEF5CC
67577+:1058C000240700068F450024975909088F8B006430
67578+:1058D0008F9400503C0F001F978200588F86005411
67579+:1058E0008F93004C3328FFFF35E9FF8000A9502437
67580+:1058F000000871C032320100AF4E0024A4C2002C57
67581+:10590000AF4A0024AF6B0044AF740050AF73005433
67582+:105910001640008032380010570000868EA4000424
67583+:10592000322300405460001B8EB100088EB0000C82
67584+:105930000200F809000000008FBF00308FB5002C76
67585+:105940008FB400288FB300248FB200208FB1001CC9
67586+:105950008FB0001803E0000827BD00389347010905
67587+:105960008F8800380007FE0003E8C825AF59008083
67588+:105970008F5809A08F5309A4AFB80010AF580E1468
67589+:105980008FB40010AF540E10AF530E1C0A00096202
67590+:10599000AF530E180220F809000000008EB0000C72
67591+:1059A0000200F809000000000A000AA88FBF0030BA
67592+:1059B000A5800020A59300220A000A5BAD93002475
67593+:1059C0003C09080095293D863C06080094C63D80A8
67594+:1059D0000A0009F4012610213C010800AC203D70AA
67595+:1059E0000A00098E8E4200003C010800AC243D7084
67596+:1059F0000A00098E8E4200003C03080094633D8A31
67597+:105A00003C04080094843D803C1F080097FF3D7CC7
67598+:105A1000951800240064C821033F782300186C0007
67599+:105A200025EEFFF201AE2825AC45000C240208004B
67600+:105A3000ACE20014ACE000100A0009EF24E7001803
67601+:105A400095060024950900280006240000091C0082
67602+:105A5000349F810034790800ACFF000CACF90010D1
67603+:105A60000A0009EF24E700141460FEFB00000000A8
67604+:105A70009518002400187C0035EE0800ACEE000CF0
67605+:105A80000A0009EF24E700103C07080094E73D8076
67606+:105A90003C04080094843D8A3C03080094633D7CE8
67607+:105AA00095190024951800280087F82103E378232E
67608+:105AB0002407080000192C0000186C0025EEFFEEEA
67609+:105AC00001AE302534A28100AD2700182527001C27
67610+:105AD000AD22000CAD2600100A0009EFAD20001425
67611+:105AE00093520109000028210E000602324400FFF3
67612+:105AF0008FBF00308FB5002C8FB400288FB30024E7
67613+:105B00008FB200208FB1001C8FB0001803E0000896
67614+:105B100027BD0038935F010933E400FF0E00066DD6
67615+:105B200000002821323800105300FF7E322300404D
67616+:105B30008EA400040080F809000000000A000AA2F8
67617+:105B4000322300401200FF5F000000008F540E144B
67618+:105B50008F920044AE5400208F530E1C0A000A8A14
67619+:105B6000AE5300248F82001C008040213C040100C1
67620+:105B70009047008530E3002010600009000000001D
67621+:105B80003C0708008CE73D948F83001800E3202336
67622+:105B9000048000089389000414E30003010020211D
67623+:105BA00003E00008008010213C04010003E000082D
67624+:105BB000008010211120000B006738238F8C0020FB
67625+:105BC00024090034918B00BC316A0002514000016D
67626+:105BD0002409003000E9682B15A0FFF10100202105
67627+:105BE00000E938232419FFFC00B9C02400F9782407
67628+:105BF00000F8702B15C0FFEA01E8202130C2000335
67629+:105C00000002182314C00012306900030000302184
67630+:105C100000A9702101C6682100ED602B1180FFE012
67631+:105C20003C0401002D2F00010006482B01053821FE
67632+:105C300001E9302414C0FFDA24E4FFFC2419FFFC3E
67633+:105C400000B9C0240308202103E0000800801021CF
67634+:105C50008F8B002024060004916A00BC31440004AC
67635+:105C60001480FFEC00A970210A000B5E00003021B7
67636+:105C700027BDFFE8AFBF00108F460100934A01091E
67637+:105C80003C1F08008FFF00902407FF80314F00FF6A
67638+:105C900031E8007F0008614003E6C821032CC021E1
67639+:105CA00027090120012770243C010800A02F3DD0C6
67640+:105CB000AF4E080C3C0D08008DAD00903C040080F8
67641+:105CC0003482000301A65821016C182124650120AB
67642+:105CD00030AA007801424025AF48081C3C1F08004C
67643+:105CE0008FFF00908F88004003E6C0213319000722
67644+:105CF00003074824033A7821AF49002825E909C061
67645+:105D0000952E00023C0D08008DAD008C3C0A080069
67646+:105D10008D4A009031CC3FFF01A61821000C59801C
67647+:105D2000006B282100A72024AF44002C95220002FC
67648+:105D30003C1F08008FFF008C9107008530593FFF02
67649+:105D400003E678210019C1800146702101F868211D
67650+:105D500031CC007F31AB007F019A2821017A50219C
67651+:105D60003C03000C3C04000E00A328210144102138
67652+:105D700030E6002027470980AF82002CAF88001C46
67653+:105D8000AF890024AF85002010C00006AF8700282F
67654+:105D90008D0200508CA4010C0044302318C0007701
67655+:105DA00000000000910C0085240DFFDF018D3824D8
67656+:105DB000A10700858F8B001C8F8900248F87002806
67657+:105DC0008D65004CAF850018912F000D31EE00203D
67658+:105DD00011C000170000000024090001A38900047D
67659+:105DE000AF80000C8CE400248F85000C240A00088E
67660+:105DF000AF800008AF8000103C010800A42A3D7E5F
67661+:105E00003C010800A4203D920E000B32000030211E
67662+:105E10008F8500248FBF0010AF82001490A8000D62
67663+:105E200027BD00180008394203E0000830E20001F5
67664+:105E3000913F00022418000133F900FF001921826C
67665+:105E400010980039240800021088005B8F86002C0F
67666+:105E50008CE5002414A0001B8F9F002091220000DD
67667+:105E6000240A00053046003F10CA00472404000100
67668+:105E70008F860008A3840004AF860010AF86000C54
67669+:105E80008CE400248F85000C240A00083C010800E3
67670+:105E9000A42A3D7E3C010800A4203D920E000B3256
67671+:105EA000000000008F8500248FBF0010AF82001417
67672+:105EB00090A8000D27BD00180008394203E0000833
67673+:105EC00030E200018CF800088CF900248FEE00C449
67674+:105ED000A38000048CE40024AF8E000C8F85000C9E
67675+:105EE0008F86000803197823240A0008AF8F00105A
67676+:105EF0003C010800A42A3D7E3C010800A4203D92FC
67677+:105F00000E000B32000000008F8500248FBF0010B0
67678+:105F1000AF82001490A8000D27BD00180008394278
67679+:105F200003E0000830E20001912300003062003FEE
67680+:105F3000104400278F8500208CE400241480002169
67681+:105F4000000000008D2E00183C187FFF8F85002078
67682+:105F5000370FFFFF01CF1824AF8300088F9F000881
67683+:105F60008CA8008403E8C82B1720000203E020213E
67684+:105F70008CA400840A000BEDAF8400088CA3010CF4
67685+:105F80000A000BCBAF8300188D2C00188F860008F9
67686+:105F90003C0D7FFF8F89002035A3FFFF018358242C
67687+:105FA00024040001AF8B0010AD2000CCA3840004BA
67688+:105FB0000A000BF9AF86000C8CCA00140A000BED26
67689+:105FC000AF8A00088CA300C80A000C30AF83000819
67690+:105FD0008F84002C8CAC00648C8D0014018D582BA8
67691+:105FE00011600004000000008CA200640A000C3064
67692+:105FF000AF8200088C8200140A000C30AF820008C7
67693+:106000008F85000C27BDFFE0AFBF0018AFB10014B3
67694+:1060100014A00007AFB000108F86002424020005F2
67695+:1060200090C400003083003F106200B68F840020CF
67696+:106030008F91000800A080218F8C00283C0508006B
67697+:106040008CA53D708D8B000431663FFF00C5502B41
67698+:106050005540000100C02821938D000411A0007359
67699+:1060600000B0F82B8F98002024040034930F00BC5C
67700+:1060700031EE000251C000012404003000A4C82BFE
67701+:10608000172000D10000000000A4282300B0F82B46
67702+:106090003C010800A4243D7C17E000680200202198
67703+:1060A0003C0308008C633D6C0083102B54400001BE
67704+:1060B000008018218F8800243C010800AC233D7427
67705+:1060C000000048219104000D308300205060000141
67706+:1060D0008F490E188F8300140123382B10E00059CC
67707+:1060E000000000003C0408008C843D7400895821A5
67708+:1060F000006B502B114000560090602B006930233C
67709+:1061000000C020213C010800AC263D7412000003B1
67710+:10611000241FFFFC1090008A32270003009FC82430
67711+:106120003C010800AC393D743C010800A4203D92BC
67712+:106130008F84000C120400078F830020AF910008A9
67713+:10614000020020218C7100CCAF90000C26300001A1
67714+:10615000AC7000CC3C0208008C423D748F8A001069
67715+:10616000240700180082202301422823AF84000C5A
67716+:1061700010800002AF850010240700108F86001CDD
67717+:106180003C010800A0273D902407004090CC0085EA
67718+:10619000318B00C0116700408F8D001414A00015D2
67719+:1061A00000002021934A01098F420974314500FF04
67720+:1061B0000002260224A300013090007F3071007F8E
67721+:1061C0001230007A2407FF80A0C300833C09080036
67722+:1061D0008D293D8C8F880024240D0002352C000869
67723+:1061E0003C010800A02D3DD13C010800AC2C3D8CA9
67724+:1061F00024040010910E000D31C6002010C00005CF
67725+:1062000000801821240800013C010800AC283D74DE
67726+:10621000348300018FBF00188FB100148FB00010BD
67727+:106220000060102103E0000827BD00203C010800A9
67728+:10623000A4203D7C13E0FF9A020020210A000C817B
67729+:1062400000A020213C0408008C843D740090602B49
67730+:106250001180FFAE000000003C0F080095EF3D7C70
67731+:1062600001E4702101C6682B11A000072C820004F4
67732+:106270003C1F60008FF954043338003F1700FFE5DE
67733+:10628000240300422C8200041040FFA0240300429B
67734+:106290000A000CDF8FBF0018152DFFC000000000A2
67735+:1062A0008CDF00743C0380002405FF8003E3C825D5
67736+:1062B000ACD9007490D80085240E0004240400108A
67737+:1062C000330F003F01E54025A0C800858F880024DA
67738+:1062D0003C010800A02E3DD1240300019106000DD1
67739+:1062E00030C9002015200003000000003C03080016
67740+:1062F0008C633D743C010800AC233D6C0A000CD655
67741+:10630000000000008F8700108C88008400E8282B94
67742+:1063100014A0000200E088218C910084240900016F
67743+:10632000A38900048F440E18022028210E000B328E
67744+:1063300002203021022080210A000C67AF82001465
67745+:1063400000071823306600033C010800A4263D9294
67746+:10635000122000058F8C0020918B00BC316A000454
67747+:106360001540001524CD00043C0F080095EF3D9228
67748+:1063700001E4702100AE302B50C0FF6E8F84000C02
67749+:106380002C85000514A0FFA32403004230980003CD
67750+:1063900017000002009818232483FFFC3C0108002A
67751+:1063A000AC233D740A000CA30000000000A7582491
67752+:1063B0000A000CCB016718263C010800A42D3D9271
67753+:1063C0000A000D33000000003C010800AC203D74C1
67754+:1063D0000A000CDE240300428F83001014600007C3
67755+:1063E000000010218F88002424050005910600007C
67756+:1063F00030C400FF108500030000000003E0000827
67757+:1064000000000000910A0018314900FF000939C25C
67758+:1064100014E0FFFA8F85001C3C04080094843D7C46
67759+:106420003C0308008C633D943C1908008F393D748F
67760+:106430003C0F080095EF3D920064C0218CAD0054E4
67761+:106440000319702101CF6021018D58231960001DAF
67762+:1064500000000000910E001C8F8C002C974B0E103A
67763+:1064600031CD00FF8D850004016D30238D88000043
67764+:1064700030CEFFFF000E510000AAC82100003821D5
67765+:1064800001072021032A182B0083C021AD990004A5
67766+:10649000AD980000918F000A01CF6821A18D000AFC
67767+:1064A0008F88002C974B0E12A50B0008950A003818
67768+:1064B00025490001A50900389107000D34E60008C0
67769+:1064C000A106000D03E000080000000027BDFFE06A
67770+:1064D000938700048F8F00248FAD00143C0E7FFF44
67771+:1064E0008F89000C35C8FFFFAFBF001CAFB000188C
67772+:1064F00001A8182491EA000D000717C03C1FBFFF38
67773+:10650000006258252D2E00018F90001837F9FFFFEB
67774+:106510003C1808008F183D943C0F080095EF3D8A09
67775+:1065200001796824000E47803C07EFFF3C05F0FF2F
67776+:1065300001A818253149002034E2FFFF34ACFFFFE9
67777+:106540000310582327A500102406000225EA0002A4
67778+:1065500000621824008080211520000200004021E4
67779+:106560008F480E1CA7AA0012056000372407000000
67780+:1065700030FF00FF001FCF008F8B001C00793825F3
67781+:10658000AFA70014916F00853C08080091083D9169
67782+:106590003C18DFFF31EE00C0370AFFFF000E182B5A
67783+:1065A0003C1F080097FF3D8400EA6824A3A800115F
67784+:1065B0000003174001A248258FB90010AFA90014AD
67785+:1065C0003C0A0800914A3D93A7BF00168FA800140B
67786+:1065D000032CC0243C0B01003C0F0FFF030B1825BC
67787+:1065E0003147000335EEFFFF010C68240007160059
67788+:1065F000006EF8243C09700001A2C82503E9582563
67789+:10660000AFB90014AFAB00100E000076A3A00015C8
67790+:106610008F8C0024260200089186000D30C40020D3
67791+:10662000108000068FBF001C3C05080094A53D802B
67792+:1066300024B0FFFF3C010800A4303D808FB000185B
67793+:1066400003E0000827BD00208F9800140118502B8C
67794+:106650005540FFC7240700010A000DB630FF00FFB8
67795+:106660009382000427BDFFE0AFBF00181040000F69
67796+:10667000008050218F880024240B00058F8900089A
67797+:10668000910700008F8400200100282130E3003FA3
67798+:106690008F86002C106B000800003821AFA9001075
67799+:1066A0000E00040EAFAA0014A38000048FBF0018D0
67800+:1066B00003E0000827BD00208D1900183C0F0800DA
67801+:1066C0008DEF3D748F9800103C027FFF8D08001401
67802+:1066D000345FFFFF033F682401F8702101AE60239F
67803+:1066E00001883821AFA900100E00040EAFAA0014D3
67804+:1066F0000A000E04A38000048F8700243C050800D4
67805+:1067000094A53D923C0208008C423D8C90E6000D21
67806+:106710000005240030C300201060002C00444025F8
67807+:106720008F85001C00006021240B000190A30085D0
67808+:1067300000004821240A00013C0F800035EE007063
67809+:106740008DC70000AF8700308F5801780700FFFE2B
67810+:106750003C038000347900708F3800003C0508004D
67811+:106760008CA500743C0D08008DAD007003077823E4
67812+:1067700000AF38210000102100EF302B01A22021B2
67813+:10678000008618213C010800AC2700743C01080079
67814+:10679000AC230070AF4B01483C1908008F393D9481
67815+:1067A000A7490144A74A0146AF59014C3C0B0800D8
67816+:1067B000916B3D91A34B0152AF4801543C0810002E
67817+:1067C000A74C015803E00008AF4801788F4B0E1C1E
67818+:1067D0003C0A08008D4A3D7497490E16974D0E14D9
67819+:1067E00001456021312AFFFF0A000E2731A9FFFF72
67820+:1067F0008F8300249064000D308200201040002917
67821+:10680000000000000000482100005021000040214D
67822+:106810003C07800034EB00708D670000AF870030CC
67823+:106820008F4C01780580FFFE3C0D800035AC007078
67824+:106830008D8B00003C0508008CA500743C0408000A
67825+:106840008C8400700167302300A67821000010219D
67826+:1068500001E6C82B0082C021031970213C01080009
67827+:10686000AC2F00743C010800AC2E0070AF49014809
67828+:106870003C0D08008DAD3D94A7480144240900401B
67829+:10688000A74A01463C081000240AFF91AF4D014C75
67830+:10689000A34A0152AF490154A740015803E0000840
67831+:1068A000AF4801788F490E1897460E1297450E1083
67832+:1068B00030CAFFFF0A000E5D30A8FFFF8F8300245F
67833+:1068C00027BDFFF89064000D308200201040003A90
67834+:1068D00000000000240B000100004821240A0001F0
67835+:1068E0003C088000350700708CE30000AF83003067
67836+:1068F0008F4C01780580FFFE3C0E80003C040800B0
67837+:1069000090843DD035C700708CEC00003C05080039
67838+:106910008CA50074A3A400033C1908008F390070F3
67839+:106920008FAD00000183302300A638210000102124
67840+:106930000322782100E6C02B01F8602101AE40253A
67841+:10694000AFA800003C010800AC2700743C0108001F
67842+:10695000AC2C00709346010A3C04080090843DD1A1
67843+:10696000A3A00002A3A600018FA300003C0580FFA6
67844+:106970003099007F34A2FFFF006278240019C6001E
67845+:1069800001F87025240D3000AF4E014C27BD0008E2
67846+:10699000AF4D0154A7400158AF4B0148A7490144EE
67847+:1069A000A74A01463C091000240AFF80A34A01526D
67848+:1069B00003E00008AF4901788F4B0E1897460E127E
67849+:1069C00097450E1030CAFFFF0A000E9130A9FFFF55
67850+:1069D0008F85001C2402008090A40085308300C0B5
67851+:1069E000106200058F8600208F8800088F87000CBA
67852+:1069F000ACC800C8ACC700C403E000080000000039
67853+:106A00003C0A0800254A39543C09080025293A2047
67854+:106A10003C08080025082DD43C07080024E73B3437
67855+:106A20003C06080024C637C43C05080024A5353CB4
67856+:106A30003C040800248431643C0308002463385C6F
67857+:106A40003C020800244236303C010800AC2A3D508C
67858+:106A50003C010800AC293D4C3C010800AC283D48F5
67859+:106A60003C010800AC273D543C010800AC263D64C5
67860+:106A70003C010800AC253D5C3C010800AC243D58BD
67861+:106A80003C010800AC233D683C010800AC223D609D
67862+:086A900003E000080000000013
67863+:00000001FF
67864diff --git a/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex b/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex
67865new file mode 100644
67866index 0000000..43d7c4f
67867--- /dev/null
67868+++ b/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex
67869@@ -0,0 +1,6496 @@
67870+:10000000080001180800000000005594000000C816
67871+:1000100000000000000000000000000008005594EF
67872+:10002000000000380000565C080000A00800000036
67873+:100030000000574400005694080059200000008436
67874+:100040000000ADD808005744000001C00000AE5CBD
67875+:100050000800321008000000000092580000B01C98
67876+:10006000000000000000000000000000080092589E
67877+:100070000000033C000142740800049008000400E2
67878+:10008000000012FC000145B000000000000000006C
67879+:1000900000000000080016FC00000004000158AC3D
67880+:1000A000080000A80800000000003D00000158B052
67881+:1000B00000000000000000000000000008003D00FB
67882+:1000C00000000030000195B00A000046000000006A
67883+:1000D000000000000000000D636F6D362E322E31DF
67884+:1000E00062000000060201020000000000000003A0
67885+:1000F000000000C800000032000000030000000003
67886+:1001000000000000000000000000000000000000EF
67887+:1001100000000010000001360000EA600000000549
67888+:1001200000000000000000000000000000000008C7
67889+:1001300000000000000000000000000000000000BF
67890+:1001400000000000000000000000000000000000AF
67891+:10015000000000000000000000000000000000009F
67892+:10016000000000020000000000000000000000008D
67893+:10017000000000000000000000000000000000007F
67894+:10018000000000000000000000000010000000005F
67895+:10019000000000000000000000000000000000005F
67896+:1001A000000000000000000000000000000000004F
67897+:1001B000000000000000000000000000000000003F
67898+:1001C000000000000000000000000000000000002F
67899+:1001D000000000000000000000000000000000001F
67900+:1001E0000000000010000003000000000000000DEF
67901+:1001F0000000000D3C020800244256083C030800A1
67902+:1002000024635754AC4000000043202B1480FFFDB2
67903+:10021000244200043C1D080037BD9FFC03A0F021D0
67904+:100220003C100800261001183C1C0800279C5608AA
67905+:100230000E000256000000000000000D27BDFFB4B4
67906+:10024000AFA10000AFA20004AFA30008AFA4000C50
67907+:10025000AFA50010AFA60014AFA70018AFA8001CF0
67908+:10026000AFA90020AFAA0024AFAB0028AFAC002C90
67909+:10027000AFAD0030AFAE0034AFAF0038AFB8003C28
67910+:10028000AFB90040AFBC0044AFBF00480E001544FA
67911+:10029000000000008FBF00488FBC00448FB90040B1
67912+:1002A0008FB8003C8FAF00388FAE00348FAD003078
67913+:1002B0008FAC002C8FAB00288FAA00248FA90020C0
67914+:1002C0008FA8001C8FA700188FA600148FA5001000
67915+:1002D0008FA4000C8FA300088FA200048FA1000040
67916+:1002E00027BD004C3C1B60108F7A5030377B502864
67917+:1002F00003400008AF7A00008F82002427BDFFE092
67918+:10030000AFB00010AFBF0018AFB100148C42000CAA
67919+:100310003C1080008E110100104000348FBF001887
67920+:100320000E000D84000000008F85002024047FFF54
67921+:100330000091202BACB100008E030104960201084D
67922+:1003400000031C003042FFFF00621825ACA300042C
67923+:100350009202010A96030114304200FF3063FFFF4E
67924+:100360000002140000431025ACA200089603010C03
67925+:100370009602010E00031C003042FFFF00621825A8
67926+:10038000ACA3000C960301109602011200031C009E
67927+:100390003042FFFF00621825ACA300108E02011846
67928+:1003A000ACA200148E02011CACA20018148000083C
67929+:1003B0008F820024978200003C0420050044182509
67930+:1003C00024420001ACA3001C0A0000C6A782000062
67931+:1003D0003C0340189442001E00431025ACA2001CB0
67932+:1003E0000E000DB8240400018FBF00188FB1001457
67933+:1003F0008FB000100000102103E0000827BD00208E
67934+:100400003C0780008CE202B834E50100044100089A
67935+:10041000240300013C0208008C42006024420001D9
67936+:100420003C010800AC22006003E0000800601021DD
67937+:100430003C0208008C42005C8CA4002094A30016AF
67938+:100440008CA6000494A5000E24420001ACE40280B6
67939+:100450002463FFFC3C010800AC22005C3C0210005D
67940+:10046000A4E30284A4E5028600001821ACE6028819
67941+:10047000ACE202B803E000080060102127BDFFE0F5
67942+:100480003C028000AFB0001034420100AFBF001C3E
67943+:10049000AFB20018AFB100148C43000094450008BF
67944+:1004A0002462FE002C42038110400003000381C23D
67945+:1004B0000A00010226100004240201001462000553
67946+:1004C0003C1180003C02800890420004305000FF44
67947+:1004D0003C11800036320100964300143202000FB6
67948+:1004E00000021500004310253C0308008C63004403
67949+:1004F00030A40004AE220080246300013C01080007
67950+:10050000AC2300441080000730A200028FBF001C03
67951+:100510008FB200188FB100148FB000100A0000CE07
67952+:1005200027BD00201040002D0000182130A20080BF
67953+:1005300010400005362200708E44001C0E000C672F
67954+:10054000240500A0362200708C4400008F82000C2D
67955+:10055000008210232C43012C10600004AF82001095
67956+:10056000240300010A000145AF84000C8E42000400
67957+:100570003C036020AF84000CAC6200143C02080015
67958+:100580008C42005850400015000018218C62000475
67959+:10059000240301FE304203FF144300100000182121
67960+:1005A0002E020004104000032E0200080A00014041
67961+:1005B0000000802114400003000000000A000140F8
67962+:1005C0002610FFF90000000D2402000202021004B0
67963+:1005D0003C036000AC626914000018218FBF001C4E
67964+:1005E0008FB200188FB100148FB00010006010217E
67965+:1005F00003E0000827BD00203C0480008C8301003C
67966+:1006000024020100506200033C0280080000000D3B
67967+:100610003C02800890430004000010213063000F6A
67968+:1006200000031D0003E00008AC8300800004188074
67969+:100630002782FF9C00621821000410C00044102390
67970+:100640008C640000000210C03C030800246356E4E0
67971+:10065000004310213C038000AC64009003E00008DC
67972+:10066000AF8200243C0208008C42011410400019A3
67973+:100670003084400030A2007F000231C03C02020002
67974+:100680001080001400A218253C026020AC43001426
67975+:100690003C0408008C8456B83C0308008C630110AD
67976+:1006A0003C02800024050900AC4500200086202182
67977+:1006B000246300013C028008AC4400643C01080053
67978+:1006C000AC2301103C010800AC2456B803E000083C
67979+:1006D000000000003C02602003E00008AC4500146C
67980+:1006E00003E000080000102103E0000800001021D2
67981+:1006F00030A2000810400008240201003C0208005B
67982+:100700008C42010C244200013C010800AC22010C87
67983+:1007100003E0000800000000148200080000000050
67984+:100720003C0208008C4200FC244200013C0108000D
67985+:10073000AC2200FC0A0001A330A200203C02080009
67986+:100740008C420084244200013C010800AC22008459
67987+:1007500030A200201040000830A200103C02080027
67988+:100760008C420108244200013C010800AC2201082F
67989+:1007700003E0000800000000104000080000000036
67990+:100780003C0208008C420104244200013C010800A4
67991+:10079000AC22010403E00008000000003C02080055
67992+:1007A0008C420100244200013C010800AC220100FF
67993+:1007B00003E000080000000027BDFFE0AFB1001417
67994+:1007C0003C118000AFB20018AFBF001CAFB00010EA
67995+:1007D0003632010096500008320200041040000733
67996+:1007E000320300028FBF001C8FB200188FB10014BB
67997+:1007F0008FB000100A0000CE27BD00201060000B53
67998+:10080000020028218E2401000E00018A0000000051
67999+:100810003202008010400003240500A10E000C6786
68000+:100820008E44001C0A0001E3240200018E2301040F
68001+:100830008F82000810430006020028218E24010048
68002+:100840000E00018A000000008E220104AF82000821
68003+:10085000000010218FBF001C8FB200188FB1001450
68004+:100860008FB0001003E0000827BD00202C82000498
68005+:1008700014400002000018212483FFFD240200021E
68006+:10088000006210043C03600003E00008AC626914DD
68007+:1008900027BDFFE0AFBF001CAFB20018AFB100141E
68008+:1008A000AFB000103C048000948201083043700017
68009+:1008B000240220001062000A2862200154400052E5
68010+:1008C0008FBF001C24024000106200482402600018
68011+:1008D0001062004A8FBF001C0A0002518FB200183C
68012+:1008E00034820100904300098C5000189451000C90
68013+:1008F000240200091062001C0000902128620009F7
68014+:10090000144000218F8200242402000A5062001249
68015+:10091000323100FF2402000B1062000F00000000C3
68016+:100920002402000C146200188F8200243C0208008C
68017+:100930008C4256B824030900AC83002000501021DB
68018+:100940003C038008AC6200643C010800AC2256B84D
68019+:100950000A0002508FBF001C0E0001E900102602A1
68020+:100960000A0002308F8200240E0001E900102602E6
68021+:100970003C0380089462001A8C72000C3042FFFF26
68022+:10098000020280258F8200248C42000C5040001E01
68023+:100990008FBF001C0E000D84000000003C02800090
68024+:1009A00034420100944300088F82002400031C009D
68025+:1009B0009444001E8F82002000641825AC50000073
68026+:1009C00024040001AC510004AC520008AC40000CFF
68027+:1009D000AC400010AC400014AC4000180E000DB844
68028+:1009E000AC43001C0A0002508FBF001C0E000440E4
68029+:1009F000000000000A0002508FBF001C0E000C9F78
68030+:100A0000000000008FBF001C8FB200188FB10014CF
68031+:100A10008FB000100000102103E0000827BD002067
68032+:100A200027BDFFD8AFB400203C036010AFBF002447
68033+:100A3000AFB3001CAFB20018AFB10014AFB00010DC
68034+:100A40008C6450002402FF7F3C1408002694563822
68035+:100A5000008220243484380CAC6450003C028000B6
68036+:100A6000240300370E0014B0AC4300083C07080014
68037+:100A700024E70618028010212404001D2484FFFFAF
68038+:100A8000AC4700000481FFFD244200043C02080042
68039+:100A9000244207C83C010800AC2256403C02080032
68040+:100AA000244202303C030800246306203C04080072
68041+:100AB000248403B43C05080024A506F03C06080085
68042+:100AC00024C62C9C3C010800AC2256803C02080045
68043+:100AD000244205303C010800AC2756843C01080044
68044+:100AE000AC2656943C010800AC23569C3C010800FF
68045+:100AF000AC2456A03C010800AC2556A43C010800DB
68046+:100B0000AC2256A83C010800AC23563C3C0108002E
68047+:100B1000AC2456443C010800AC2056603C0108005F
68048+:100B2000AC2556643C010800AC2056703C0108001E
68049+:100B3000AC27567C3C010800AC2656903C010800CE
68050+:100B4000AC2356980E00056E00000000AF80000C2C
68051+:100B50003C0280008C5300008F8300043C0208009C
68052+:100B60008C420020106200213262000700008821C0
68053+:100B70002792FF9C3C100800261056E43C02080017
68054+:100B80008C42002024050001022518040043202483
68055+:100B90008F820004004310245044000C26310001D1
68056+:100BA00010800008AF9000248E4300003C028000BB
68057+:100BB000AC4300900E000D4BAE05000C0A0002C1C4
68058+:100BC00026310001AE00000C263100012E22000269
68059+:100BD000261000381440FFE9265200043C020800A9
68060+:100BE0008C420020AF820004326200071040FFD91F
68061+:100BF0003C028000326200011040002D326200028F
68062+:100C00003C0580008CA2010000002021ACA2002045
68063+:100C10008CA301042C42078110400008ACA300A85B
68064+:100C200094A2010824032000304270001443000302
68065+:100C30003C02800890420005304400FF0E0001593C
68066+:100C4000000000003C0280009042010B304300FF96
68067+:100C50002C62001E54400004000310800E00018628
68068+:100C60000A0002EC00000000005410218C42000039
68069+:100C70000040F80900000000104000043C02800021
68070+:100C80008C4301043C026020AC4300143C02080089
68071+:100C90008C4200343C0440003C03800024420001AC
68072+:100CA000AC6401383C010800AC220034326200021E
68073+:100CB00010400010326200043C1080008E0201409F
68074+:100CC000000020210E000159AE0200200E00038317
68075+:100CD000000000003C024000AE0201783C02080027
68076+:100CE0008C420038244200013C010800AC2200384C
68077+:100CF000326200041040FF973C0280003C108000EC
68078+:100D00008E020180000020210E000159AE02002059
68079+:100D10008E03018024020F00546200073C02800809
68080+:100D20008E0201883C0300E03042FFFF00431025A3
68081+:100D30000A000328AE020080344200809042000086
68082+:100D400024030050304200FF14430007000000005D
68083+:100D50000E000362000000001440000300000000C9
68084+:100D60000E000971000000003C0208008C42003CAB
68085+:100D70003C0440003C03800024420001AC6401B804
68086+:100D80003C010800AC22003C0A0002A33C028000A7
68087+:100D90003C02900034420001008220253C02800089
68088+:100DA000AC4400203C0380008C6200200440FFFE25
68089+:100DB0000000000003E00008000000003C0280008A
68090+:100DC000344300010083202503E00008AC440020E8
68091+:100DD00027BDFFE0AFB10014AFB000100080882144
68092+:100DE000AFBF00180E00033230B000FF8F83FF94B6
68093+:100DF000022020219062002502028025A07000259B
68094+:100E00008C7000183C0280000E00033D020280241A
68095+:100E10001600000B8FBF00183C0480008C8201F884
68096+:100E20000440FFFE348201C024030002AC510000E4
68097+:100E3000A04300043C021000AC8201F88FBF0018F0
68098+:100E40008FB100148FB0001003E0000827BD002010
68099+:100E500027BDFFE83C028000AFBF00103442018094
68100+:100E6000944300048C4400083063020010600005C5
68101+:100E7000000028210E00100C000000000A0003787A
68102+:100E8000240500013C02FF000480000700821824B2
68103+:100E90003C02040014620004240500018F82FF94C8
68104+:100EA00090420008240500018FBF001000A010210F
68105+:100EB00003E0000827BD00188F82FF982405000179
68106+:100EC000A040001A3C028000344201400A00034264
68107+:100ED0008C4400008F85FF9427BDFFE0AFBF001C4E
68108+:100EE000AFB20018AFB10014AFB0001090A2000074
68109+:100EF000304400FF38830020388200300003182B74
68110+:100F00000002102B0062182410600003240200501D
68111+:100F1000148200A88FBF001C90A20005304200017F
68112+:100F2000104000A48FBF001C3C02800034420140EE
68113+:100F3000904200082443FFFF2C6200051040009EF1
68114+:100F40008FB20018000310803C030800246355ACE6
68115+:100F5000004310218C420000004000080000000007
68116+:100F60003C028000345101400E0003328E24000008
68117+:100F70008F92FF948E2200048E50000C1602000205
68118+:100F800024020001AE42000C0E00033D8E2400003E
68119+:100F90008E220004145000068FBF001C8FB2001870
68120+:100FA0008FB100148FB000100A000F7827BD002009
68121+:100FB0008E42000C0A000419000000003C0480006E
68122+:100FC0003482014094A300108C4200043063FFFF80
68123+:100FD0001443001C0000000024020001A4A2001021
68124+:100FE0008C8202380441000F3C0380003C02003F29
68125+:100FF0003448F0003C0760003C06FFC08CE22BBC8C
68126+:1010000000461824004810240002130200031D8229
68127+:10101000106200583C0280008C8202380440FFF7C6
68128+:101020003C038000346201408C44000034620200C2
68129+:10103000AC4400003C021000AC6202380A00043BE1
68130+:101040008FBF001C94A200100A00041900000000C9
68131+:10105000240200201482000F3C0280003C03800028
68132+:1010600094A20012346301408C6300043042FFFFFD
68133+:10107000146200050000000024020001A4A2001276
68134+:101080000A0004028FBF001C94A200120A00041977
68135+:1010900000000000345101400E0003328E24000095
68136+:1010A0008F92FF948E230004964200123050FFFF6F
68137+:1010B0001603000224020001A64200120E00033DA6
68138+:1010C0008E2400008E220004160200068FBF001C32
68139+:1010D0008FB200188FB100148FB000100A00037C8B
68140+:1010E00027BD0020964200120A00041900000000EB
68141+:1010F0003C03800094A20014346301408C6300041C
68142+:101100003042FFFF14620008240200018FBF001C60
68143+:101110008FB200188FB100148FB00010A4A2001479
68144+:101120000A00146327BD002094A20014144000217B
68145+:101130008FBF001C0A000435000000003C03800043
68146+:1011400094A20016346301408C6300043042FFFF18
68147+:101150001462000D240200018FBF001C8FB2001822
68148+:101160008FB100148FB00010A4A200160A000B1457
68149+:1011700027BD00209442007824420004A4A200105D
68150+:101180000A00043B8FBF001C94A200162403000138
68151+:101190003042FFFF144300078FBF001C3C020800D1
68152+:1011A0008C420070244200013C010800AC22007017
68153+:1011B0008FBF001C8FB200188FB100148FB00010C9
68154+:1011C00003E0000827BD002027BDFFD8AFB20018FC
68155+:1011D0008F92FF94AFB10014AFBF0020AFB3001CDB
68156+:1011E000AFB000103C028000345101008C5001006F
68157+:1011F0009242000092230009304400FF2402001FA5
68158+:10120000106200AB28620020104000192402003850
68159+:101210002862000A1040000D2402000B286200081A
68160+:101220001040002E8F820024046001042862000216
68161+:101230001440002A8F820024240200061062002637
68162+:101240008FBF00200A00055F8FB3001C1062006092
68163+:101250002862000B144000FA8FBF00202402000E09
68164+:10126000106200788F8200240A00055F8FB3001C93
68165+:10127000106200D2286200391040000A2402008067
68166+:1012800024020036106200E528620037104000C3D7
68167+:1012900024020035106200D98FBF00200A00055FCC
68168+:1012A0008FB3001C1062002D2862008110400006E0
68169+:1012B000240200C824020039106200C98FBF002038
68170+:1012C0000A00055F8FB3001C106200A28FBF0020D0
68171+:1012D0000A00055F8FB3001C8F8200248C42000C33
68172+:1012E000104000D78FBF00200E000D8400000000CA
68173+:1012F0003C038000346301008C6200008F85002075
68174+:10130000946700089466000CACA200008C64000492
68175+:101310008F82002400063400ACA400049448001E10
68176+:101320008C62001800073C0000E83825ACA20008D9
68177+:101330008C62001C24040001ACA2000C9062000A24
68178+:1013400000C23025ACA60010ACA00014ACA0001860
68179+:10135000ACA7001C0A00051D8FBF00208F8200244F
68180+:101360008C42000C104000B68FBF00200E000D8490
68181+:10137000000000008F820024962400089625000CAF
68182+:101380009443001E000422029626000E8F82002045
68183+:10139000000426000083202500052C003C0300806B
68184+:1013A00000A6282500832025AC400000AC400004A6
68185+:1013B000AC400008AC40000CAC450010AC40001440
68186+:1013C000AC400018AC44001C0A00051C24040001B9
68187+:1013D0009622000C14400018000000009242000504
68188+:1013E0003042001014400014000000000E000332D0
68189+:1013F0000200202192420005020020213442001008
68190+:101400000E00033DA242000592420000240300208A
68191+:10141000304200FF10430089020020218FBF0020CE
68192+:101420008FB3001C8FB200188FB100148FB0001062
68193+:101430000A00107527BD00280000000D0A00055E97
68194+:101440008FBF00208C42000C1040007D8FBF002019
68195+:101450000E000D84000000008E2200048F84002006
68196+:101460009623000CAC8200003C0280089445002CBE
68197+:101470008F82002400031C0030A5FFFF9446001E4D
68198+:101480003C02400E0065182500C23025AC830004E4
68199+:10149000AC800008AC80000CAC800010AC80001464
68200+:1014A000AC800018AC86001C0A00051C2404000156
68201+:1014B0000E000332020020218F93FF9802002021AA
68202+:1014C0000E00033DA660000C020020210E00034226
68203+:1014D000240500018F8200248C42000C104000582B
68204+:1014E0008FBF00200E000D84000000009622000C2B
68205+:1014F0008F83002000021400AC700000AC62000476
68206+:10150000AC6000088E4400388F820024AC64000C6C
68207+:101510008E46003C9445001E3C02401FAC66001005
68208+:1015200000A228258E62000424040001AC6200148D
68209+:10153000AC600018AC65001C8FBF00208FB3001C8E
68210+:101540008FB200188FB100148FB000100A000DB8D0
68211+:1015500027BD0028240200201082003A8FB3001C0F
68212+:101560000E000F5E00000000104000358FBF00200D
68213+:101570003C0480008C8201F80440FFFE348201C0EC
68214+:1015800024030002AC500000A04300043C02100001
68215+:10159000AC8201F80A00055E8FBF00200200202106
68216+:1015A0008FBF00208FB3001C8FB200188FB10014C2
68217+:1015B0008FB000100A000EA727BD00289625000C4A
68218+:1015C000020020218FBF00208FB3001C8FB20018B3
68219+:1015D0008FB100148FB000100A000ECC27BD002878
68220+:1015E000020020218FB3001C8FB200188FB10014AD
68221+:1015F0008FB000100A000EF727BD00289225000DBD
68222+:10160000020020218FB3001C8FB200188FB100148C
68223+:101610008FB000100A000F4827BD002802002021CB
68224+:101620008FBF00208FB3001C8FB200188FB1001441
68225+:101630008FB000100A000F1F27BD00288FBF0020A9
68226+:101640008FB3001C8FB200188FB100148FB0001040
68227+:1016500003E0000827BD00283C0580008CA202782A
68228+:101660000440FFFE34A2024024030002AC44000008
68229+:10167000A04300043C02100003E00008ACA2027882
68230+:10168000A380001803E00008A38000193C03800039
68231+:101690008C6202780440FFFE8F82001CAC62024024
68232+:1016A00024020002A06202443C02100003E0000891
68233+:1016B000AC6202783C02600003E000088C425404F3
68234+:1016C0009083003024020005008040213063003FF9
68235+:1016D0000000482114620005000050219082004C57
68236+:1016E0009483004E304900FF306AFFFFAD00000CCC
68237+:1016F000AD000010AD000024950200148D05001C03
68238+:101700008D0400183042FFFF004910230002110031
68239+:10171000000237C3004038210086202300A2102B8E
68240+:101720000082202300A72823AD05001CAD0400186B
68241+:10173000A5090014A5090020A50A001603E0000869
68242+:10174000A50A002203E000080000000027BDFFD822
68243+:10175000AFB200183C128008AFB40020AFB3001C39
68244+:10176000AFB10014AFBF0024AFB00010365101007C
68245+:101770003C0260008C4254049222000C3C1408008D
68246+:10178000929400F7304300FF2402000110620032FF
68247+:101790000080982124020002146200353650008037
68248+:1017A0000E00143D000000009202004C2403FF8054
68249+:1017B0003C0480003042007F000211C024420240FD
68250+:1017C0000262102100431824AC8300949245000863
68251+:1017D0009204004C3042007F3C03800614850007D1
68252+:1017E000004380212402FFFFA22200112402FFFFF8
68253+:1017F000A62200120A0005D22402FFFF9602002052
68254+:10180000A222001196020022A62200128E020024BB
68255+:101810003C048008AE2200143485008090A2004C65
68256+:1018200034830100A06200108CA2003CAC6200185E
68257+:101830008C820068AC6200F48C820064AC6200F0C0
68258+:101840008C82006CAC6200F824020001A0A2006847
68259+:101850000A0005EE3C0480080E001456000000004B
68260+:1018600036420080A04000680A0005EE3C04800873
68261+:10187000A2000068A20000690A0006293C02800854
68262+:10188000348300808C62003834850100AC62006CC7
68263+:1018900024020001A062006990A200D59083000894
68264+:1018A000305100FF3072007F12320019001111C058
68265+:1018B00024420240026210212403FF8000431824C6
68266+:1018C0003C048000AC8300943042007F3C038006DF
68267+:1018D000004380218E02000C1040000D02002021E8
68268+:1018E0000E00057E0000000026220001305100FF9E
68269+:1018F0009203003C023410260002102B0002102339
68270+:101900003063007F022288240A0005F8A203003C0D
68271+:101910003C088008350401008C8200E03507008017
68272+:10192000ACE2003C8C8200E0AD02000090E5004C8F
68273+:10193000908600D590E3004C908400D52402FF806F
68274+:1019400000A228243063007F308400FF00A62825F1
68275+:101950000064182A1060000230A500FF38A500803E
68276+:10196000A0E5004CA10500093C0280089043000E50
68277+:10197000344400803C058000A043000A8C8300189A
68278+:101980003C027FFF3442FFFF00621824AC83001842
68279+:101990008CA201F80440FFFE00000000ACB301C0BF
68280+:1019A0008FBF00248FB400208FB3001C8FB20018AB
68281+:1019B0008FB100148FB0001024020002A0A201C455
68282+:1019C00027BD00283C02100003E00008ACA201F88B
68283+:1019D00090A2000024420001A0A200003C030800E5
68284+:1019E0008C6300F4304200FF144300020080302179
68285+:1019F000A0A0000090A200008F84001C000211C073
68286+:101A00002442024024830040008220212402FF80DF
68287+:101A1000008220243063007F3C02800A006218218B
68288+:101A20003C028000AC44002403E00008ACC300008A
68289+:101A300094820006908300058C85000C8C86001033
68290+:101A40008C8700188C88001C8C8400203C010800C6
68291+:101A5000A42256C63C010800A02356C53C0108003C
68292+:101A6000AC2556CC3C010800AC2656D03C01080001
68293+:101A7000AC2756D83C010800AC2856DC3C010800D5
68294+:101A8000AC2456E003E00008000000003C0280089F
68295+:101A9000344201008C4400343C038000346504006F
68296+:101AA000AC6400388C420038AF850028AC62003C42
68297+:101AB0003C020005AC6200300000000000000000A5
68298+:101AC00003E00008000000003C020006308400FF34
68299+:101AD000008220253C028000AC4400300000000061
68300+:101AE00000000000000000003C0380008C62000049
68301+:101AF000304200101040FFFD3462040003E0000893
68302+:101B0000AF82002894C200003C080800950800CA73
68303+:101B100030E7FFFF0080482101021021A4C200002D
68304+:101B200094C200003042FFFF00E2102B544000013D
68305+:101B3000A4C7000094A200003C0308008C6300CC02
68306+:101B400024420001A4A2000094A200003042FFFF42
68307+:101B5000144300073C0280080107102BA4A00000DA
68308+:101B60005440000101003821A4C700003C02800855
68309+:101B7000344601008CC3002894A200003C0480007D
68310+:101B80003042FFFE000210C000621021AC82003C17
68311+:101B90008C82003C006218231860000400000000E2
68312+:101BA0008CC200240A0006BA244200018CC2002420
68313+:101BB000AC8200383C020050344200103C038000EC
68314+:101BC000AC620030000000000000000000000000D7
68315+:101BD0008C620000304200201040FFFD0000000039
68316+:101BE00094A200003C04800030420001000210C0BA
68317+:101BF000004410218C430400AD2300008C420404F7
68318+:101C0000AD2200043C02002003E00008AC8200305A
68319+:101C100027BDFFE0AFB20018AFB10014AFB00010A5
68320+:101C2000AFBF001C94C2000000C080213C1208001D
68321+:101C3000965200C624420001A6020000960300004E
68322+:101C400094E2000000E03021144300058FB1003021
68323+:101C50000E00068F024038210A0006F10000000045
68324+:101C60008C8300048C82000424420040046100073D
68325+:101C7000AC8200048C8200040440000400000000D8
68326+:101C80008C82000024420001AC8200009602000019
68327+:101C90003042FFFF50520001A600000096220000D3
68328+:101CA00024420001A62200003C02800834420100C8
68329+:101CB000962300009442003C144300048FBF001C94
68330+:101CC00024020001A62200008FBF001C8FB2001862
68331+:101CD0008FB100148FB0001003E0000827BD002072
68332+:101CE00027BDFFE03C028008AFBF0018344201006E
68333+:101CF0008C4800343C03800034690400AC68003830
68334+:101D00008C42003830E700FFAF890028AC62003C0D
68335+:101D10003C020005AC620030000000000000000042
68336+:101D200000000000000000000000000000000000B3
68337+:101D30008C82000C8C82000C97830016AD22000070
68338+:101D40008C82001000604021AD2200048C820018BB
68339+:101D5000AD2200088C82001CAD22000C8CA2001465
68340+:101D6000AD2200108C820020AD220014908200056C
68341+:101D7000304200FF00021200AD2200188CA20018B1
68342+:101D8000AD22001C8CA2000CAD2200208CA2001001
68343+:101D9000AD2200248CA2001CAD2200288CA20020C1
68344+:101DA000AD22002C3402FFFFAD260030AD20003400
68345+:101DB000506200013408FFFFAD28003850E00011E8
68346+:101DC0003C0280083C048008348401009482005066
68347+:101DD0003042FFFFAD22003C9483004494850044D0
68348+:101DE000240200013063FFFF000318C200641821C1
68349+:101DF0009064006430A5000700A210040A00075C8C
68350+:101E00000044102534420100AD20003C94430044BE
68351+:101E1000944400443063FFFF000318C2006218219D
68352+:101E200030840007906500642402000100821004E1
68353+:101E30000002102700451024A0620064000000008A
68354+:101E400000000000000000003C0200063442004098
68355+:101E50003C038000AC620030000000000000000085
68356+:101E6000000000008C620000304200101040FFFDB6
68357+:101E70003C06800834C201503463040034C7014A70
68358+:101E800034C4013434C5014034C60144AFA200104B
68359+:101E90000E0006D2AF8300288FBF001803E00008B1
68360+:101EA00027BD00208F8300143C0608008CC600E884
68361+:101EB0008F82001C30633FFF000319800046102111
68362+:101EC000004310212403FF80004318243C068000B7
68363+:101ED000ACC300283042007F3C03800C004330211B
68364+:101EE00090C2000D30A500FF0000382134420010E0
68365+:101EF000A0C2000D8F8900143C028008344201000A
68366+:101F00009443004400091382304800032402000176
68367+:101F1000A4C3000E1102000B2902000210400005AC
68368+:101F2000240200021100000C240300010A0007A48F
68369+:101F30000000182111020006000000000A0007A49A
68370+:101F4000000018218CC2002C0A0007A424430001C1
68371+:101F50008CC20014244300018CC200180043102BD3
68372+:101F60005040000A240700012402002714A20003A5
68373+:101F70003C0380080A0007B1240700013463010014
68374+:101F80009462004C24420001A462004C00091382B8
68375+:101F9000304300032C620002104000090080282119
68376+:101FA000146000040000000094C200340A0007C15D
68377+:101FB0003046FFFF8CC600380A0007C10080282188
68378+:101FC000000030213C040800248456C00A000706A3
68379+:101FD0000000000027BDFF90AFB60068AFB50064F9
68380+:101FE000AFB40060AFB3005CAFB20058AFB1005403
68381+:101FF000AFBF006CAFB000508C9000000080B021EB
68382+:102000003C0208008C4200E8960400328F83001CDA
68383+:102010002414FF8030843FFF0062182100042180D7
68384+:1020200000641821007410243C13800000A090214B
68385+:1020300090A50000AE620028920400323C02800CA1
68386+:102040003063007F00628821308400C02402004099
68387+:10205000148200320000A8218E3500388E2200182C
68388+:102060001440000224020001AE2200189202003C3B
68389+:10207000304200201440000E8F83001C000511C068
68390+:102080002442024000621821306400783C02008043
68391+:102090000082202500741824AE630800AE64081086
68392+:1020A0008E2200188E03000800431021AE22001873
68393+:1020B0008E22002C8E230018244200010062182B6F
68394+:1020C0001060004300000000924200002442000122
68395+:1020D000A24200003C0308008C6300F4304200FF81
68396+:1020E00050430001A2400000924200008F84001C77
68397+:1020F000000211C024420240248300403063007F6C
68398+:10210000008220213C02800A0094202400621821D1
68399+:10211000AE6400240A0008D2AEC30000920300326D
68400+:102120002402FFC000431024304200FF1440000589
68401+:1021300024020001AE220018962200340A00084250
68402+:102140003055FFFF8E22001424420001AE220018F9
68403+:102150009202003000021600000216030441001C27
68404+:10216000000000009602003227A400100080282101
68405+:10217000A7A20016960200320000302124070001B9
68406+:102180003042FFFFAF8200140E000706AFA0001C14
68407+:10219000960200328F83001C3C0408008C8400E807
68408+:1021A00030423FFF000211800064182100621821B4
68409+:1021B00000741024AE62002C3063007F3C02800E5D
68410+:1021C000006218219062000D3042007FA062000D75
68411+:1021D0009222000D304200105040007892420000E0
68412+:1021E0003C028008344401009482004C8EC30000FD
68413+:1021F0003C130800967300C62442FFFFA482004CE3
68414+:10220000946200329623000E3054FFFF3070FFFFBF
68415+:102210003C0308008C6300D000701807A7A30038A7
68416+:102220009482003E3063FFFF3042FFFF14620007DC
68417+:10223000000000008C8200303C038000244200300B
68418+:10224000AC62003C0A00086A8C82002C9482004038
68419+:102250003042FFFF5462000927A400408C820038FE
68420+:102260003C03800024420030AC62003C8C8200348D
68421+:10227000AC6200380A0008793C03800027A50038CA
68422+:1022800027A60048026038210E00068FA7A000484C
68423+:102290008FA300403C02800024630030AC43003830
68424+:1022A0008FA30044AC43003C3C0380003C0200058B
68425+:1022B000AC6200303C028008344401009482004249
68426+:1022C000346304003042FFFF0202102B1440000769
68427+:1022D000AF8300289482004E9483004202021021B2
68428+:1022E000004310230A00088F3043FFFF9483004E01
68429+:1022F00094820042026318210050102300621823C8
68430+:102300003063FFFF3C028008344401009482003CAB
68431+:102310003042FFFF14430003000000000A00089F42
68432+:10232000240300019482003C3042FFFF0062102B26
68433+:10233000144000058F8200289482003C0062102324
68434+:102340003043FFFF8F820028AC550000AC400004F2
68435+:10235000AC540008AC43000C3C02000634420010B0
68436+:102360003C038000AC620030000000000000000070
68437+:10237000000000008C620000304200101040FFFDA1
68438+:102380003C04800834840100001018C20064182145
68439+:102390009065006432020007240600010046100424
68440+:1023A00000451025A0620064948300429622000E2E
68441+:1023B00050430001A386001892420000244200010D
68442+:1023C000A24200003C0308008C6300F4304200FF8E
68443+:1023D00050430001A2400000924200008F84001C84
68444+:1023E000000211C0244202402483004000822021C8
68445+:1023F0002402FF80008220243063007F3C02800A98
68446+:10240000006218213C028000AC440024AEC30000EE
68447+:102410008FBF006C8FB600688FB500648FB400600A
68448+:102420008FB3005C8FB200588FB100548FB0005052
68449+:1024300003E0000827BD007027BDFFD8AFB3001C24
68450+:10244000AFB20018AFB10014AFB00010AFBF0020A2
68451+:102450000080982100E0802130B1FFFF0E000D8444
68452+:1024600030D200FF0000000000000000000000006B
68453+:102470008F8200208F830024AC510000AC520004F6
68454+:10248000AC530008AC40000CAC400010AC40001451
68455+:10249000AC4000189463001E02038025AC50001C61
68456+:1024A0000000000000000000000000002404000103
68457+:1024B0008FBF00208FB3001C8FB200188FB10014A3
68458+:1024C0008FB000100A000DB827BD002830A5FFFF0F
68459+:1024D0000A0008DC30C600FF3C02800834430100DB
68460+:1024E0009462000E3C080800950800C63046FFFFC5
68461+:1024F00014C000043402FFFF946500EA0A000929B1
68462+:102500008F84001C10C20027000000009462004E5F
68463+:102510009464003C3045FFFF00A6102300A6182B52
68464+:102520003087FFFF106000043044FFFF00C5102318
68465+:1025300000E210233044FFFF0088102B1040000EF3
68466+:1025400000E810233C028008344401002403000109
68467+:1025500034420080A44300162402FFFFA482000E30
68468+:10256000948500EA8F84001C0000302130A5FFFF15
68469+:102570000A0009013C0760200044102A10400009AD
68470+:102580003C0280083443008094620016304200010F
68471+:10259000104000043C0280009442007E244200145B
68472+:1025A000A462001603E000080000000027BDFFE061
68473+:1025B0003C028008AFBF001CAFB0001834420100DD
68474+:1025C000944300429442004C104000193068FFFFD1
68475+:1025D0009383001824020001146200298FBF001C9D
68476+:1025E0003C06800834D00100000810C200501021C1
68477+:1025F000904200643103000734C70148304200FFB5
68478+:10260000006210073042000134C9014E34C4012C6D
68479+:1026100034C5013E1040001634C601420E0006D2F9
68480+:10262000AFA90010960200420A0009463048FFFF99
68481+:102630003C028008344401009483004494820042A8
68482+:102640001043000F8FBF001C94820044A4820042FC
68483+:1026500094820050A482004E8C820038AC820030FC
68484+:1026600094820040A482003E9482004AA4820048E2
68485+:102670008FBF001C8FB000180A00090427BD00207E
68486+:102680008FB0001803E0000827BD002027BDFFA081
68487+:10269000AFB1004C3C118000AFBF0058AFB3005445
68488+:1026A000AFB20050AFB000483626018890C2000398
68489+:1026B0003044007FA3A400108E32018090C200003D
68490+:1026C0003043007F240200031062003BAF92001CE5
68491+:1026D00028620004104000062402000424020002C4
68492+:1026E000106200098FBF00580A000B0F8FB300540F
68493+:1026F0001062004D240200051062014E8FBF005889
68494+:102700000A000B0F8FB30054000411C002421021C5
68495+:102710002404FF8024420240004410242643004049
68496+:10272000AE2200243063007F3C02800A0062182140
68497+:102730009062003CAFA3003C00441025A062003C26
68498+:102740008FA3003C9062003C304200401040016C7E
68499+:102750008FBF00583C108008A3800018361001007D
68500+:102760008E0200E08C63003427A4003C27A50010F3
68501+:10277000004310210E0007C3AE0200E093A2001038
68502+:102780003C038000A20200D58C6202780440FFFE68
68503+:102790008F82001CAC62024024020002A06202444C
68504+:1027A0003C021000AC6202780E0009390000000003
68505+:1027B0000A000B0E8FBF00583C05800890C3000133
68506+:1027C00090A2000B1443014E8FBF005834A4008028
68507+:1027D0008C8200189082004C90A200083C0260009D
68508+:1027E0008C4254048C8300183C027FFF3442FFFF6C
68509+:1027F000006218243C0208008C4200B4AC8300182C
68510+:102800003C038000244200013C010800AC2200B4DB
68511+:102810008C6201F80440FFFE8F82001CAC6201C094
68512+:102820000A000AD6240200023C10800890C300016E
68513+:102830009202000B144301328FBF005827A40018E6
68514+:1028400036050110240600033C0260008C4254044B
68515+:102850000E000E470000000027A40028360501F0F6
68516+:102860000E000E47240600038FA200283603010045
68517+:10287000AE0200648FA2002CAE0200688FA200306E
68518+:10288000AE02006C93A40018906300D52402FF8070
68519+:102890000082102400431025304900FF3084007F5F
68520+:1028A0003122007F0082102A544000013929008023
68521+:1028B000000411C0244202402403FF800242102180
68522+:1028C00000431024AE220094264200403042007F94
68523+:1028D0003C038006004340218FA3001C2402FFFF1D
68524+:1028E000AFA800403C130800927300F71062003359
68525+:1028F00093A2001995030014304400FF3063FFFFDA
68526+:102900000064182B106000100000000095040014F3
68527+:102910008D07001C8D0600183084FFFF0044202323
68528+:102920000004210000E438210000102100E4202BE5
68529+:1029300000C2302100C43021AD07001CAD060018D4
68530+:102940000A000A2F93A20019950400148D07001C99
68531+:102950008D0600183084FFFF008220230004210030
68532+:10296000000010210080182100C2302300E4202B39
68533+:1029700000C4302300E33823AD07001CAD06001867
68534+:1029800093A200198FA30040A462001497A2001A1A
68535+:10299000A46200168FA2001CAC6200108FA2001C63
68536+:1029A000AC62000C93A20019A462002097A2001A46
68537+:1029B000A46200228FA2001CAC6200243C048008A8
68538+:1029C000348300808C6200388FA20020012088218F
68539+:1029D000AC62003C8FA20020AC82000093A20018E1
68540+:1029E000A062004C93A20018A0820009A0600068B9
68541+:1029F00093A20018105100512407FF803229007F54
68542+:102A0000000911C024420240024210213046007FDA
68543+:102A10003C03800000471024AC6200943C02800616
68544+:102A200000C2302190C2003CAFA60040000020212F
68545+:102A300000471025A0C2003C8FA80040950200026C
68546+:102A4000950300148D07001C3042FFFF3063FFFF29
68547+:102A50008D060018004310230002110000E2382107
68548+:102A600000E2102B00C4302100C23021AD07001C51
68549+:102A7000AD06001895020002A5020014A50000167C
68550+:102A80008D020008AD0200108D020008AD02000C9E
68551+:102A900095020002A5020020A50000228D02000878
68552+:102AA000AD0200249102003C304200401040001A68
68553+:102AB000262200013C108008A3A90038A38000183A
68554+:102AC000361001008E0200E08D03003427A4004080
68555+:102AD00027A50038004310210E0007C3AE0200E016
68556+:102AE00093A200383C038000A20200D58C620278D9
68557+:102AF0000440FFFE8F82001CAC62024024020002F0
68558+:102B0000A06202443C021000AC6202780E00093957
68559+:102B100000000000262200013043007F14730004EF
68560+:102B2000004020212403FF8002231024004320269C
68561+:102B300093A200180A000A4B309100FF93A40018DA
68562+:102B40008FA3001C2402FFFF1062000A308900FFDF
68563+:102B500024820001248300013042007F14530005C9
68564+:102B6000306900FF2403FF800083102400431026F7
68565+:102B7000304900FF3C028008904200080120882173
68566+:102B8000305000FF123000193222007F000211C0C5
68567+:102B900002421021244202402403FF8000431824F3
68568+:102BA0003C048000AC8300943042007F3C038006EC
68569+:102BB000004310218C43000C004020211060000BCA
68570+:102BC000AFA200400E00057E000000002623000199
68571+:102BD0002405FF803062007F145300020225202468
68572+:102BE000008518260A000AAF307100FF3C048008F7
68573+:102BF000348400808C8300183C027FFF3442FFFF46
68574+:102C000000621824AC8300183C0380008C6201F839
68575+:102C10000440FFFE00000000AC7201C0240200026C
68576+:102C2000A06201C43C021000AC6201F80A000B0E65
68577+:102C30008FBF00583C04800890C300019082000BB5
68578+:102C40001443002F8FBF0058349000809202000878
68579+:102C500030420040104000200000000092020008B6
68580+:102C60000002160000021603044100050240202164
68581+:102C70000E000ECC240500930A000B0E8FBF0058E7
68582+:102C80009202000924030018304200FF1443000D93
68583+:102C900002402021240500390E000E64000030217E
68584+:102CA0000E0003328F84001C8F82FF9424030012D5
68585+:102CB000A04300090E00033D8F84001C0A000B0E88
68586+:102CC0008FBF0058240500360E000E64000030212E
68587+:102CD0000A000B0E8FBF00580E0003320240202165
68588+:102CE000920200058F84001C344200200E00033D38
68589+:102CF000A20200050E0010758F84001C8FBF0058C3
68590+:102D00008FB300548FB200508FB1004C8FB0004889
68591+:102D100003E0000827BD00603C0280083445010044
68592+:102D20003C0280008C42014094A3000E0000302140
68593+:102D300000402021AF82001C3063FFFF3402FFFF00
68594+:102D4000106200063C0760202402FFFFA4A2000ED0
68595+:102D500094A500EA0A00090130A5FFFF03E000087E
68596+:102D60000000000027BDFFC83C0280003C06800830
68597+:102D7000AFB5002CAFB1001CAFBF0030AFB400281E
68598+:102D8000AFB30024AFB20020AFB00018345101003F
68599+:102D900034C501008C4301008E2200148CA400E491
68600+:102DA0000000A821AF83001C0044102318400052EB
68601+:102DB000A38000188E22001400005021ACA200E471
68602+:102DC00090C3000890A200D53073007FA3A200102A
68603+:102DD0008CB200E08CB400E4304200FF1053003BA2
68604+:102DE00093A200108F83001C2407FF80000211C0F3
68605+:102DF0000062102124420240246300400047102456
68606+:102E00003063007F3C0980003C08800A006818217C
68607+:102E1000AD2200248C62003427A4001427A50010E2
68608+:102E2000024280210290102304400028AFA3001426
68609+:102E30009062003C00E21024304200FF1440001970
68610+:102E4000020090219062003C34420040A062003CAD
68611+:102E50008F86001C93A3001024C200403042007FE4
68612+:102E6000004828213C0208008C4200F42463000141
68613+:102E7000306400FF14820002A3A30010A3A000107E
68614+:102E800093A20010AFA50014000211C0244202401A
68615+:102E900000C2102100471024AD2200240A000B4577
68616+:102EA00093A200100E0007C3000000003C0280083F
68617+:102EB00034420100AC5000E093A30010240A00014A
68618+:102EC000A04300D50A000B4593A200102402000184
68619+:102ED000154200093C0380008C6202780440FFFE2A
68620+:102EE0008F82001CAC62024024020002A0620244F5
68621+:102EF0003C021000AC6202789222000B2403000214
68622+:102F0000304200FF144300720000000096220008C7
68623+:102F1000304300FF24020082146200402402008437
68624+:102F20003C028000344901008D22000C95230006EC
68625+:102F3000000216023063FFFF3045003F24020027E5
68626+:102F400010A2000FAF83001428A200281040000830
68627+:102F5000240200312402002110A2000924020025CD
68628+:102F600010A20007938200190A000BBD00000000A8
68629+:102F700010A20007938200190A000BBD0000000098
68630+:102F80000E000777012020210A000C3D0000000000
68631+:102F90003C0380008C6202780440FFFE8F82001C9C
68632+:102FA000AC62024024020002A06202443C02100013
68633+:102FB000AC6202780A000C3D000000009523000678
68634+:102FC000912400058D25000C8D2600108D270018FA
68635+:102FD0008D28001C8D290020244200013C0108009E
68636+:102FE000A42356C63C010800A02456C53C01080095
68637+:102FF000AC2556CC3C010800AC2656D03C0108005C
68638+:10300000AC2756D83C010800AC2856DC3C0108002F
68639+:10301000AC2956E00A000C3DA38200191462000A94
68640+:10302000240200813C02800834420100944500EAF9
68641+:10303000922600058F84001C30A5FFFF30C600FFDC
68642+:103040000A000BFE3C0760211462005C00000000D7
68643+:103050009222000A304300FF306200201040000737
68644+:10306000306200403C02800834420100944500EA8E
68645+:103070008F84001C0A000BFC24060040104000074F
68646+:10308000000316003C02800834420100944500EA27
68647+:103090008F84001C0A000BFC24060041000216036A
68648+:1030A000044100463C02800834420100944500EA95
68649+:1030B0008F84001C2406004230A5FFFF3C076019E6
68650+:1030C0000E000901000000000A000C3D0000000095
68651+:1030D0009222000B24040016304200FF1044000628
68652+:1030E0003C0680009222000B24030017304200FFB0
68653+:1030F000144300320000000034C5010090A2000B10
68654+:10310000304200FF1444000B000080218CA20020FC
68655+:103110008CA400202403FF800043102400021140EF
68656+:103120003084007F004410253C032000004310251C
68657+:10313000ACC2083094A2000800021400000214037C
68658+:10314000044200012410000194A2000830420080D3
68659+:103150005040001A0200A82194A20008304220002A
68660+:10316000504000160200A8218CA300183C021C2D20
68661+:10317000344219ED106200110200A8213C0208003F
68662+:103180008C4200D4104000053C0280082403000457
68663+:1031900034420100A04300FC3C028008344201009C
68664+:1031A000944500EA8F84001C2406000630A5FFFF2A
68665+:1031B0000E0009013C0760210200A8210E00093918
68666+:1031C000000000009222000A304200081040000473
68667+:1031D00002A010210E0013790000000002A01021AF
68668+:1031E0008FBF00308FB5002C8FB400288FB3002420
68669+:1031F0008FB200208FB1001C8FB0001803E00008D0
68670+:1032000027BD00382402FF80008220243C02900069
68671+:1032100034420007008220253C028000AC4400209C
68672+:103220003C0380008C6200200440FFFE0000000090
68673+:1032300003E00008000000003C0380002402FF803F
68674+:10324000008220243462000700822025AC64002024
68675+:103250008C6200200440FFFE0000000003E0000834
68676+:103260000000000027BDFFD8AFB3001CAFB10014B1
68677+:10327000AFB00010AFBF0020AFB200183C1180000B
68678+:103280003C0280088E32002034530100AE2400201E
68679+:10329000966300EA000514003C074000004738250B
68680+:1032A00000A08021000030210E0009013065FFFFE1
68681+:1032B000240200A1160200022402FFFFA2620009FC
68682+:1032C000AE3200208FBF00208FB3001C8FB20018D9
68683+:1032D0008FB100148FB0001003E0000827BD002854
68684+:1032E0003C0280082403000527BDFFE834420100AA
68685+:1032F000A04300FCAFBF00103C0280008C420100E4
68686+:10330000240500A1004020210E000C67AF82001CA4
68687+:103310003C0380008C6202780440FFFE8F82001C18
68688+:103320008FBF001027BD0018AC62024024020002CB
68689+:10333000A06202443C021000AC62027803E0000884
68690+:103340000000000027BDFFE83C068000AFBF001072
68691+:1033500034C7010094E20008304400FF3883008243
68692+:10336000388200842C6300012C4200010062182581
68693+:103370001060002D24020083938200195040003B0E
68694+:103380008FBF00103C020800904256CC8CC4010054
68695+:103390003C06080094C656C63045003F38A30032AC
68696+:1033A00038A2003F2C6300012C4200010062182566
68697+:1033B000AF84001CAF860014A380001914600007BE
68698+:1033C00000E020212402002014A2001200000000CE
68699+:1033D0003402FFFF14C2000F00000000240200208E
68700+:1033E00014A2000500E028218CE300142402FFFF52
68701+:1033F0005062000B8FBF00103C040800248456C0AC
68702+:10340000000030210E000706240700010A000CD638
68703+:103410008FBF00100E000777000000008FBF001064
68704+:103420000A00093927BD001814820004240200850F
68705+:103430008CC501040A000CE1000020211482000662
68706+:103440002482FF808CC50104240440008FBF00103B
68707+:103450000A00016727BD0018304200FF2C4200021D
68708+:1034600010400004240200228FBF00100A000B2726
68709+:1034700027BD0018148200048F8200248FBF001023
68710+:103480000A000C8627BD00188C42000C1040001E5C
68711+:1034900000E0282190E300092402001814620003D0
68712+:1034A000240200160A000CFC240300081462000722
68713+:1034B00024020017240300123C02800834420080DA
68714+:1034C000A04300090A000D0994A7000854620007F0
68715+:1034D00094A700088F82FF942404FFFE9043000508
68716+:1034E00000641824A043000594A7000890A6001BC0
68717+:1034F0008CA4000094A500068FBF001000073C00BC
68718+:103500000A0008DC27BD00188FBF001003E0000888
68719+:1035100027BD00188F8500243C04800094A2002A57
68720+:103520008CA30034000230C02402FFF000C210243B
68721+:1035300000621821AC83003C8CA200303C03800068
68722+:10354000AC8200383C02005034420010AC620030C3
68723+:103550000000000000000000000000008C6200007D
68724+:10356000304200201040FFFD30C20008104000062D
68725+:103570003C0280008C620408ACA200208C62040C27
68726+:103580000A000D34ACA200248C430400ACA300203C
68727+:103590008C420404ACA200243C0300203C028000C6
68728+:1035A000AC4300303C0480008C8200300043102487
68729+:1035B0001440FFFD8F8600243C020040AC820030A6
68730+:1035C00094C3002A94C2002894C4002C94C5002EF1
68731+:1035D00024630001004410213064FFFFA4C20028CE
68732+:1035E00014850002A4C3002AA4C0002A03E0000836
68733+:1035F000000000008F84002427BDFFE83C05800404
68734+:1036000024840010AFBF00100E000E472406000AED
68735+:103610008F840024948200129483002E3042000F85
68736+:10362000244200030043180424027FFF0043102BB0
68737+:1036300010400002AC8300000000000D0E000D13CE
68738+:10364000000000008F8300248FBF001027BD0018EA
68739+:10365000946200149463001A3042000F00021500B7
68740+:10366000006218253C02800003E00008AC4300A083
68741+:103670008F8300243C028004944400069462001A64
68742+:103680008C650000A4640016004410233042FFFF44
68743+:103690000045102B03E00008384200018F8400240D
68744+:1036A0003C0780049486001A8C85000094E2000692
68745+:1036B000A482001694E3000600C310233042FFFFEB
68746+:1036C0000045102B384200011440FFF8A483001677
68747+:1036D00003E00008000000008F8400243C02800406
68748+:1036E000944200069483001A8C850000A482001680
68749+:1036F000006210233042FFFF0045102B38420001CA
68750+:103700005040000D8F850024006030213C0780046C
68751+:1037100094E20006A482001694E3000600C310237E
68752+:103720003042FFFF0045102B384200011440FFF8E3
68753+:10373000A48300168F8500243C03800034620400BB
68754+:103740008CA40020AF820020AC6400388CA200243E
68755+:10375000AC62003C3C020005AC62003003E00008B3
68756+:10376000ACA000048F8400243C0300068C8200047B
68757+:1037700000021140004310253C038000AC62003081
68758+:103780000000000000000000000000008C6200004B
68759+:10379000304200101040FFFD34620400AC80000491
68760+:1037A00003E00008AF8200208F86002427BDFFE0E1
68761+:1037B000AFB10014AFB00010AFBF00188CC300044D
68762+:1037C0008CC500248F820020309000FF94C4001A22
68763+:1037D00024630001244200202484000124A7002047
68764+:1037E000ACC30004AF820020A4C4001AACC70024FC
68765+:1037F00004A100060000882104E2000594C2001A1A
68766+:103800008CC2002024420001ACC2002094C2001AE5
68767+:1038100094C300282E040001004310262C4200010E
68768+:10382000004410245040000594C2001A24020001F4
68769+:10383000ACC2000894C2001A94C300280010202BC8
68770+:10384000004310262C4200010044102514400007BC
68771+:10385000000000008CC20008144000042402001084
68772+:103860008CC300041462000F8F8500240E000DA786
68773+:10387000241100018F820024944300289442001AEE
68774+:1038800014430003000000000E000D1300000000B0
68775+:10389000160000048F8500240E000D840000000037
68776+:1038A0008F85002494A2001E94A4001C24420001D1
68777+:1038B0003043FFFF14640002A4A2001EA4A0001E57
68778+:1038C0001200000A3C02800494A2001494A3001A7F
68779+:1038D0003042000F00021500006218253C028000F3
68780+:1038E000AC4300A00A000E1EACA0000894420006E3
68781+:1038F00094A3001A8CA40000A4A200160062102356
68782+:103900003042FFFF0044102B384200011040000DF0
68783+:1039100002201021006030213C07800494E2000660
68784+:10392000A4A2001694E3000600C310233042FFFF58
68785+:103930000044102B384200011440FFF8A4A30016E5
68786+:10394000022010218FBF00188FB100148FB000101B
68787+:1039500003E0000827BD002003E00008000000008D
68788+:103960008F82002C3C03000600021140004310250A
68789+:103970003C038000AC62003000000000000000004A
68790+:10398000000000008C620000304200101040FFFD7B
68791+:1039900034620400AF82002803E00008AF80002CEE
68792+:1039A00003E000080000102103E000080000000010
68793+:1039B0003084FFFF30A5FFFF0000182110800007B2
68794+:1039C000000000003082000110400002000420428C
68795+:1039D000006518210A000E3D0005284003E000089C
68796+:1039E0000060102110C0000624C6FFFF8CA200005A
68797+:1039F00024A50004AC8200000A000E4724840004C1
68798+:103A000003E000080000000010A0000824A3FFFF4E
68799+:103A1000AC86000000000000000000002402FFFF50
68800+:103A20002463FFFF1462FFFA2484000403E000080B
68801+:103A3000000000003C0280083442008024030001A2
68802+:103A4000AC43000CA4430010A4430012A443001490
68803+:103A500003E00008A44300168F82002427BDFFD88E
68804+:103A6000AFB3001CAFB20018AFB10014AFB000107C
68805+:103A7000AFBF00208C47000C248200802409FF8007
68806+:103A80003C08800E3043007F008080213C0A80008B
68807+:103A9000004920240068182130B100FF30D200FF17
68808+:103AA00010E000290000982126020100AD44002CFE
68809+:103AB000004928243042007F004820219062000005
68810+:103AC00024030050304200FF1443000400000000B3
68811+:103AD000AD45002C948200EA3053FFFF0E000D84A8
68812+:103AE000000000008F8200248F83002000112C0032
68813+:103AF0009442001E001224003484000100A22825F4
68814+:103B00003C02400000A22825AC7000008FBF0020BE
68815+:103B1000AC6000048FB20018AC7300088FB10014C1
68816+:103B2000AC60000C8FB3001CAC6400108FB00010B0
68817+:103B3000AC60001424040001AC60001827BD00280C
68818+:103B40000A000DB8AC65001C8FBF00208FB3001CAD
68819+:103B50008FB200188FB100148FB0001003E000087E
68820+:103B600027BD00283C06800034C201009043000FAE
68821+:103B7000240200101062000E2865001110A000073A
68822+:103B800024020012240200082405003A10620006F4
68823+:103B90000000302103E0000800000000240500358B
68824+:103BA0001462FFFC000030210A000E6400000000D7
68825+:103BB0008CC200748F83FF9424420FA003E000089E
68826+:103BC000AC62000C27BDFFE8AFBF00100E0003423F
68827+:103BD000240500013C0480088FBF0010240200016E
68828+:103BE00034830080A462001227BD00182402000163
68829+:103BF00003E00008A080001A27BDFFE0AFB2001864
68830+:103C0000AFB10014AFB00010AFBF001C30B2FFFF67
68831+:103C10000E000332008088213C028008345000806E
68832+:103C20009202000924030004304200FF1443000CF8
68833+:103C30003C028008124000082402000A0E000E5BBD
68834+:103C400000000000920200052403FFFE0043102440
68835+:103C5000A202000524020012A20200093C02800810
68836+:103C600034420080022020210E00033DA0400027A6
68837+:103C700016400003022020210E000EBF00000000AD
68838+:103C800002202021324600FF8FBF001C8FB2001897
68839+:103C90008FB100148FB00010240500380A000E64A4
68840+:103CA00027BD002027BDFFE0AFBF001CAFB200184A
68841+:103CB000AFB10014AFB000100E00033200808021BD
68842+:103CC0000E000E5B000000003C02800834450080BE
68843+:103CD00090A2000924120018305100FF1232000394
68844+:103CE0000200202124020012A0A2000990A20005D7
68845+:103CF0002403FFFE004310240E00033DA0A2000594
68846+:103D00000200202124050020163200070000302187
68847+:103D10008FBF001C8FB200188FB100148FB000103D
68848+:103D20000A00034227BD00208FBF001C8FB200187D
68849+:103D30008FB100148FB00010240500390A000E6402
68850+:103D400027BD002027BDFFE83C028000AFB0001077
68851+:103D5000AFBF0014344201009442000C2405003629
68852+:103D60000080802114400012304600FF0E00033214
68853+:103D7000000000003C02800834420080240300124E
68854+:103D8000A043000990430005346300100E000E5B51
68855+:103D9000A04300050E00033D020020210200202167
68856+:103DA0000E000342240500200A000F3C0000000022
68857+:103DB0000E000E64000000000E00033202002021FD
68858+:103DC0003C0280089043001B2405FF9F0200202135
68859+:103DD000006518248FBF00148FB00010A043001B93
68860+:103DE0000A00033D27BD001827BDFFE0AFBF001844
68861+:103DF000AFB10014AFB0001030B100FF0E000332BD
68862+:103E0000008080213C02800824030012344200809C
68863+:103E10000E000E5BA04300090E00033D02002021AE
68864+:103E200002002021022030218FBF00188FB1001422
68865+:103E30008FB00010240500350A000E6427BD002055
68866+:103E40003C0480089083000E9082000A1443000B0B
68867+:103E5000000028218F82FF942403005024050001D4
68868+:103E600090420000304200FF1443000400000000B4
68869+:103E70009082000E24420001A082000E03E00008A0
68870+:103E800000A010213C0380008C6201F80440FFFE7A
68871+:103E900024020002AC6401C0A06201C43C02100014
68872+:103EA00003E00008AC6201F827BDFFE0AFB20018E4
68873+:103EB0003C128008AFB10014AFBF001CAFB00010BF
68874+:103EC00036510080922200092403000A304200FF8C
68875+:103ED0001443003E000000008E4300048E22003890
68876+:103EE000506200808FBF001C92220000240300500B
68877+:103EF000304200FF144300253C0280008C42014008
68878+:103F00008E4300043642010002202821AC43001CED
68879+:103F10009622005C8E2300383042FFFF00021040E2
68880+:103F200000621821AE23001C8E4300048E2400384A
68881+:103F30009622005C006418233042FFFF0003184300
68882+:103F4000000210400043102A10400006000000004C
68883+:103F50008E4200048E230038004310230A000FAA6B
68884+:103F6000000220439622005C3042FFFF0002204006
68885+:103F70003C0280083443010034420080ACA4002C91
68886+:103F8000A040002424020001A062000C0E000F5E7D
68887+:103F900000000000104000538FBF001C3C02800056
68888+:103FA0008C4401403C0380008C6201F80440FFFE19
68889+:103FB00024020002AC6401C0A06201C43C021000F3
68890+:103FC000AC6201F80A0010078FBF001C92220009A2
68891+:103FD00024030010304200FF144300043C02800020
68892+:103FE0008C4401400A000FEE0000282192220009B3
68893+:103FF00024030016304200FF14430006240200147C
68894+:10400000A22200093C0280008C4401400A001001F9
68895+:104010008FBF001C8E2200388E23003C00431023EB
68896+:10402000044100308FBF001C92220027244200016F
68897+:10403000A2220027922200272C42000414400016DE
68898+:104040003C1080009222000924030004304200FF4B
68899+:10405000144300093C0280008C4401408FBF001CC7
68900+:104060008FB200188FB100148FB000102405009398
68901+:104070000A000ECC27BD00208C440140240500938B
68902+:104080008FBF001C8FB200188FB100148FB00010CA
68903+:104090000A000F4827BD00208E0401400E000332A5
68904+:1040A000000000008E4200042442FFFFAE420004E4
68905+:1040B0008E22003C2442FFFFAE22003C0E00033D56
68906+:1040C0008E0401408E0401408FBF001C8FB2001887
68907+:1040D0008FB100148FB00010240500040A000342C1
68908+:1040E00027BD00208FB200188FB100148FB00010D0
68909+:1040F00003E0000827BD00203C0680008CC2018838
68910+:104100003C038008346500809063000E00021402B6
68911+:10411000304400FF306300FF1464000E3C0280084E
68912+:1041200090A20026304200FF104400098F82FF94C5
68913+:10413000A0A400262403005090420000304200FF5B
68914+:1041400014430006000000000A0005A18CC4018091
68915+:104150003C02800834420080A044002603E00008AE
68916+:104160000000000027BDFFE030E700FFAFB20018FD
68917+:10417000AFBF001CAFB10014AFB0001000809021A1
68918+:1041800014E0000630C600FF000000000000000D33
68919+:10419000000000000A001060240001163C038008A3
68920+:1041A0009062000E304200FF14460023346200800B
68921+:1041B00090420026304200FF1446001F000000001D
68922+:1041C0009062000F304200FF1446001B0000000008
68923+:1041D0009062000A304200FF144600038F90FF9463
68924+:1041E0000000000D8F90FF948F82FF983C1180009B
68925+:1041F000AE05003CAC450000A066000A0E0003328C
68926+:104200008E240100A20000240E00033D8E24010034
68927+:104210003C0380008C6201F80440FFFE240200028F
68928+:10422000AC7201C0A06201C43C021000AC6201F893
68929+:104230000A0010618FBF001C000000000000000D8C
68930+:10424000000000002400013F8FBF001C8FB2001847
68931+:104250008FB100148FB0001003E0000827BD0020CC
68932+:104260008F83FF943C0280008C44010034420100A3
68933+:104270008C65003C9046001B0A00102724070001B3
68934+:104280003C0280089043000E9042000A0043102632
68935+:10429000304200FF03E000080002102B27BDFFE0C2
68936+:1042A0003C028008AFB10014AFB00010AFBF0018DF
68937+:1042B0003450008092020005240300303042003068
68938+:1042C00014430085008088218F8200248C42000CDA
68939+:1042D000104000828FBF00180E000D840000000007
68940+:1042E0008F860020ACD100009202000892030009E2
68941+:1042F000304200FF00021200306300FF004310252F
68942+:10430000ACC200049202004D000216000002160327
68943+:1043100004410005000000003C0308008C630048D5
68944+:104320000A00109F3C1080089202000830420040B2
68945+:10433000144000030000182192020027304300FFC0
68946+:104340003C108008361100809222004D00031E00B0
68947+:10435000304200FF0002140000621825ACC30008C0
68948+:104360008E2400308F820024ACC4000C8E250034D3
68949+:104370009443001E3C02C00BACC50010006218251F
68950+:104380008E22003800002021ACC200148E22003C96
68951+:10439000ACC200180E000DB8ACC3001C8E020004A5
68952+:1043A0008F8400203C058000AC8200008E2200201B
68953+:1043B000AC8200048E22001CAC8200088E220058C1
68954+:1043C0008CA3007400431021AC82000C8E22002CC0
68955+:1043D000AC8200108E2200408E23004400021400A4
68956+:1043E00000431025AC8200149222004D240300806B
68957+:1043F000304200FF1443000400000000AC800018AD
68958+:104400000A0010E38F8200248E23000C2402000196
68959+:104410001062000E2402FFFF92220008304200408A
68960+:104420001440000A2402FFFF8E23000C8CA20074AB
68961+:10443000006218233C0208000062102414400002AD
68962+:10444000000028210060282100051043AC820018DC
68963+:104450008F820024000020219443001E3C02C00CE7
68964+:10446000006218258F8200200E000DB8AC43001C9E
68965+:104470003C038008346201008C4200008F850020DC
68966+:10448000346300808FBF0018ACA20000ACA0000411
68967+:104490008C6400488F8200248FB10014ACA4000803
68968+:1044A000ACA0000CACA00010906300059446001E68
68969+:1044B0003C02400D00031E0000C23025ACA30014D6
68970+:1044C0008FB00010ACA0001824040001ACA6001CA2
68971+:1044D0000A000DB827BD00208FBF00188FB100144F
68972+:1044E0008FB0001003E0000827BD00203C028000D0
68973+:1044F0009443007C3C02800834460100308400FF75
68974+:104500003065FFFF2402000524A34650A0C4000C20
68975+:104510005482000C3065FFFF90C2000D2C42000752
68976+:104520001040000724A30A0090C3000D24020014C9
68977+:104530000062100400A210210A00111F3045FFFF85
68978+:104540003065FFFF3C0280083442008003E0000831
68979+:10455000A44500143C03800834680080AD05003891
68980+:10456000346701008CE2001C308400FF00A210239D
68981+:104570001840000330C600FF24A2FFFCACE2001C80
68982+:1045800030820001504000083C0380088D02003C4E
68983+:1045900000A2102304410012240400058C620004D0
68984+:1045A00010A2000F3C0380088C62000414A2001EBD
68985+:1045B000000000003C0208008C4200D8304200207D
68986+:1045C000104000093C0280083462008090630008BB
68987+:1045D0009042004C144300043C0280082404000470
68988+:1045E0000A00110900000000344300803442010039
68989+:1045F000A040000C24020001A462001410C0000AB4
68990+:104600003C0280008C4401003C0380008C6201F875
68991+:104610000440FFFE24020002AC6401C0A06201C499
68992+:104620003C021000AC6201F803E00008000000004A
68993+:1046300027BDFFE800A61823AFBF00101860008058
68994+:10464000308800FF3C02800834470080A0E000244E
68995+:1046500034440100A0E000278C82001C00A210233B
68996+:1046600004400056000000008CE2003C94E3005C33
68997+:104670008CE4002C004530233063FFFF00C3182179
68998+:104680000083202B1080000400E018218CE2002C15
68999+:104690000A00117800A2102194E2005C3042FFFF72
69000+:1046A00000C2102100A21021AC62001C3C02800854
69001+:1046B000344400809482005C8C83001C3042FFFFF5
69002+:1046C0000002104000A210210043102B10400004F3
69003+:1046D000000000008C82001C0A00118B3C06800840
69004+:1046E0009482005C3042FFFF0002104000A21021C3
69005+:1046F0003C06800834C3010034C70080AC82001C33
69006+:10470000A060000CACE500388C62001C00A21023F5
69007+:104710001840000224A2FFFCAC62001C3102000120
69008+:10472000104000083C0380088CE2003C00A21023EB
69009+:1047300004410012240400058CC2000410A20010E1
69010+:104740008FBF00108C62000414A2004F8FBF0010B6
69011+:104750003C0208008C4200D8304200201040000A81
69012+:104760003C02800834620080906300089042004C54
69013+:10477000144300053C028008240400048FBF00108D
69014+:104780000A00110927BD001834430080344201009B
69015+:10479000A040000C24020001A46200143C0280002E
69016+:1047A0008C4401003C0380008C6201F80440FFFE51
69017+:1047B000240200020A0011D8000000008CE2001C54
69018+:1047C000004610230043102B54400001ACE5001CB0
69019+:1047D00094E2005C3042FFFF0062102B144000079F
69020+:1047E0002402000294E2005C8CE3001C3042FFFFD4
69021+:1047F00000621821ACE3001C24020002ACE5003882
69022+:104800000E000F5EA082000C1040001F8FBF001032
69023+:104810003C0280008C4401003C0380008C6201F863
69024+:104820000440FFFE24020002AC6401C0A06201C487
69025+:104830003C021000AC6201F80A0011F08FBF0010BA
69026+:1048400031020010104000108FBF00103C028008A1
69027+:10485000344500808CA3001C94A2005C00661823E1
69028+:104860003042FFFF006218213C023FFF3444FFFF4B
69029+:104870000083102B544000010080182100C3102138
69030+:10488000ACA2001C8FBF001003E0000827BD001879
69031+:1048900027BDFFE800C0402100A63023AFBF0010B5
69032+:1048A00018C00026308A00FF3C028008344900808E
69033+:1048B0008D24001C8D23002C008820230064182BDD
69034+:1048C0001060000F344701008CE2002000461021E8
69035+:1048D000ACE200208CE200200044102B1440000BBE
69036+:1048E0003C023FFF8CE2002000441023ACE2002099
69037+:1048F0009522005C3042FFFF0A0012100082202146
69038+:10490000ACE00020008620213C023FFF3443FFFF43
69039+:104910000064102B54400001006020213C028008FC
69040+:104920003442008000851821AC43001CA0400024C4
69041+:10493000A04000270A0012623C03800831420010A8
69042+:10494000104000433C0380083C06800834C40080CB
69043+:104950008C82003C004810235840003E34660080A2
69044+:104960009082002424420001A0820024908200242E
69045+:104970003C0308008C630024304200FF0043102BEE
69046+:10498000144000688FBF001034C201008C42001C2C
69047+:1049900000A2102318400063000000008CC3000434
69048+:1049A0009482005C006818233042FFFF0003184324
69049+:1049B000000210400043102A1040000500000000D3
69050+:1049C0008CC20004004810230A0012450002104364
69051+:1049D0009482005C3042FFFF000210403C068008D9
69052+:1049E000AC82002C34C5008094A2005C8CA4002C06
69053+:1049F00094A3005C3042FFFF00021040008220219F
69054+:104A00003063FFFF0083202101041021ACA2001CB1
69055+:104A10008CC2000434C60100ACC2001C2402000297
69056+:104A20000E000F5EA0C2000C1040003E8FBF0010B1
69057+:104A30003C0280008C4401003C0380008C6201F841
69058+:104A40000440FFFE240200020A001292000000004F
69059+:104A500034660080ACC50038346401008C82001CD0
69060+:104A600000A210231840000224A2FFFCAC82001C0C
69061+:104A7000314200015040000A3C0380088CC2003CD7
69062+:104A800000A2102304430014240400058C620004D7
69063+:104A900014A200033C0380080A00128424040005C9
69064+:104AA0008C62000414A2001F8FBF00103C0208009B
69065+:104AB0008C4200D8304200201040000A3C0280089E
69066+:104AC00034620080906300089042004C144300055B
69067+:104AD0003C028008240400048FBF00100A00110962
69068+:104AE00027BD00183443008034420100A040000C70
69069+:104AF00024020001A46200143C0280008C440100E6
69070+:104B00003C0380008C6201F80440FFFE2402000296
69071+:104B1000AC6401C0A06201C43C021000AC6201F8A8
69072+:104B20008FBF001003E0000827BD001827BDFFE875
69073+:104B30003C0A8008AFBF0010354900808D22003C40
69074+:104B400000C04021308400FF004610231840009D23
69075+:104B500030E700FF354701002402000100A63023A2
69076+:104B6000A0E0000CA0E0000DA522001418C0002455
69077+:104B7000308200108D23001C8D22002C0068182329
69078+:104B80000043102B1040000F000000008CE20020BA
69079+:104B900000461021ACE200208CE200200043102BE4
69080+:104BA0001440000B3C023FFF8CE200200043102326
69081+:104BB000ACE200209522005C3042FFFF0A0012C1E7
69082+:104BC00000621821ACE00020006618213C023FFF83
69083+:104BD0003446FFFF00C3102B5440000100C01821D1
69084+:104BE0003C0280083442008000651821AC43001C60
69085+:104BF000A0400024A04000270A00130F3C038008B7
69086+:104C0000104000403C0380088D22003C00481023E7
69087+:104C10005840003D34670080912200242442000166
69088+:104C2000A1220024912200243C0308008C6300246C
69089+:104C3000304200FF0043102B1440009A8FBF001039
69090+:104C40008CE2001C00A21023184000960000000017
69091+:104C50008D4300049522005C006818233042FFFF5A
69092+:104C600000031843000210400043102A10400005C2
69093+:104C7000012020218D420004004810230A0012F276
69094+:104C8000000210439522005C3042FFFF00021040FA
69095+:104C90003C068008AC82002C34C5008094A2005CE5
69096+:104CA0008CA4002C94A3005C3042FFFF0002104053
69097+:104CB000008220213063FFFF0083182101031021AF
69098+:104CC000ACA2001C8CC2000434C60100ACC2001CA3
69099+:104CD000240200020E000F5EA0C2000C1040007102
69100+:104CE0008FBF00103C0280008C4401003C03800018
69101+:104CF0008C6201F80440FFFE240200020A0013390E
69102+:104D00000000000034670080ACE500383466010024
69103+:104D10008CC2001C00A210231840000224A2FFFC39
69104+:104D2000ACC2001C30820001504000083C038008E7
69105+:104D30008CE2003C00A2102304430051240400052F
69106+:104D40008C62000410A2003E3C0380088C620004C8
69107+:104D500054A200548FBF00103C0208008C4200D8BF
69108+:104D600030420020104000063C028008346200807F
69109+:104D7000906300089042004C104300403C028008C1
69110+:104D80003443008034420100A040000C24020001A2
69111+:104D9000A46200143C0280008C4401003C038000AB
69112+:104DA0008C6201F80440FFFE24020002AC6401C0E2
69113+:104DB000A06201C43C021000AC6201F80A00137743
69114+:104DC0008FBF001024020005A120002714E2000A72
69115+:104DD0003C038008354301009062000D2C42000620
69116+:104DE000504000053C0380089062000D2442000101
69117+:104DF000A062000D3C03800834670080ACE50038F9
69118+:104E0000346601008CC2001C00A21023184000026E
69119+:104E100024A2FFFCACC2001C308200015040000AFA
69120+:104E20003C0380088CE2003C00A2102304410014E3
69121+:104E3000240400058C62000414A200033C038008D3
69122+:104E40000A00136E240400058C62000414A20015ED
69123+:104E50008FBF00103C0208008C4200D83042002076
69124+:104E60001040000A3C028008346200809063000811
69125+:104E70009042004C144300053C02800824040004C6
69126+:104E80008FBF00100A00110927BD001834430080AD
69127+:104E900034420100A040000C24020001A46200146E
69128+:104EA0008FBF001003E0000827BD00183C0B8008EE
69129+:104EB00027BDFFE83C028000AFBF00103442010074
69130+:104EC000356A00809044000A356901008C45001461
69131+:104ED0008D4800389123000C308400FF0105102319
69132+:104EE0001C4000B3306700FF2CE20006504000B1C8
69133+:104EF0008FBF00102402000100E2300430C2000322
69134+:104F00005440000800A8302330C2000C144000A117
69135+:104F100030C20030144000A38FBF00100A00143BC1
69136+:104F20000000000018C00024308200108D43001CD7
69137+:104F30008D42002C006818230043102B1040000FF6
69138+:104F4000000000008D22002000461021AD2200202C
69139+:104F50008D2200200043102B1440000B3C023FFF29
69140+:104F60008D22002000431023AD2200209542005CDA
69141+:104F70003042FFFF0A0013AF00621821AD2000206D
69142+:104F8000006618213C023FFF3446FFFF00C3102B90
69143+:104F90005440000100C018213C02800834420080C7
69144+:104FA00000651821AC43001CA0400024A04000274D
69145+:104FB0000A0013FD3C038008104000403C038008B9
69146+:104FC0008D42003C004810231840003D34670080AB
69147+:104FD0009142002424420001A14200249142002475
69148+:104FE0003C0308008C630024304200FF0043102B78
69149+:104FF000144000708FBF00108D22001C00A21023EF
69150+:105000001840006C000000008D6300049542005CB5
69151+:10501000006818233042FFFF0003184300021040CD
69152+:105020000043102A10400005014020218D62000439
69153+:10503000004810230A0013E0000210439542005C70
69154+:105040003042FFFF000210403C068008AC82002C7A
69155+:1050500034C5008094A2005C8CA4002C94A3005C56
69156+:105060003042FFFF00021040008220213063FFFF2A
69157+:105070000083182101031021ACA2001C8CC2000483
69158+:1050800034C60100ACC2001C240200020E000F5EF8
69159+:10509000A0C2000C104000478FBF00103C028000EF
69160+:1050A0008C4401003C0380008C6201F80440FFFE48
69161+:1050B000240200020A00142D000000003467008062
69162+:1050C000ACE50038346601008CC2001C00A210233D
69163+:1050D0001840000224A2FFFCACC2001C3082000178
69164+:1050E0005040000A3C0380088CE2003C00A21023E0
69165+:1050F00004430014240400058C62000414A200037D
69166+:105100003C0380080A00141F240400058C6200047C
69167+:1051100014A200288FBF00103C0208008C4200D867
69168+:10512000304200201040000A3C02800834620080B7
69169+:10513000906300089042004C144300053C02800834
69170+:10514000240400048FBF00100A00110927BD0018B5
69171+:105150003443008034420100A040000C24020001CE
69172+:10516000A46200143C0280008C4401003C038000D7
69173+:105170008C6201F80440FFFE24020002AC6401C00E
69174+:10518000A06201C43C021000AC6201F80A00143BAA
69175+:105190008FBF00108FBF0010010030210A00115A8C
69176+:1051A00027BD0018010030210A00129927BD001800
69177+:1051B0008FBF001003E0000827BD00183C038008E3
69178+:1051C0003464010024020003A082000C8C620004FD
69179+:1051D00003E00008AC82001C3C05800834A300807A
69180+:1051E0009062002734A501002406004324420001F8
69181+:1051F000A0620027906300273C0208008C42004810
69182+:10520000306300FF146200043C07602194A500EAAB
69183+:105210000A00090130A5FFFF03E0000800000000BC
69184+:1052200027BDFFE8AFBF00103C0280000E00144411
69185+:105230008C4401803C02800834430100A060000CD3
69186+:105240008C4200048FBF001027BD001803E0000847
69187+:10525000AC62001C27BDFFE03C028008AFBF001815
69188+:10526000AFB10014AFB000103445008034460100E7
69189+:105270003C0880008D09014090C3000C8CA4003CC8
69190+:105280008CA200381482003B306700FF9502007C3E
69191+:1052900090A30027146000093045FFFF2402000599
69192+:1052A00054E200083C04800890C2000D2442000132
69193+:1052B000A0C2000D0A00147F3C048008A0C0000DAD
69194+:1052C0003C048008348201009042000C2403000555
69195+:1052D000304200FF1443000A24A205DC348300801E
69196+:1052E000906200272C4200075040000524A20A00CB
69197+:1052F00090630027240200140062100400A2102111
69198+:105300003C108008361000803045FFFF012020212E
69199+:105310000E001444A60500149602005C8E030038AB
69200+:105320003C1180003042FFFF000210400062182153
69201+:10533000AE03001C0E0003328E24014092020025B1
69202+:1053400034420040A20200250E00033D8E2401409D
69203+:105350008E2401403C0380008C6201F80440FFFE73
69204+:1053600024020002AC6401C0A06201C43C0210002F
69205+:10537000AC6201F88FBF00188FB100148FB000101D
69206+:1053800003E0000827BD00203C0360103C02080039
69207+:1053900024420174AC62502C8C6250003C048000AA
69208+:1053A00034420080AC6250003C0208002442547C2D
69209+:1053B0003C010800AC2256003C020800244254384C
69210+:1053C0003C010800AC2256043C020002AC840008F8
69211+:1053D000AC82000C03E000082402000100A0302190
69212+:1053E0003C1C0800279C56083C0200023C050400B7
69213+:1053F00000852826008220260004102B2CA5000101
69214+:105400002C840001000210803C0308002463560035
69215+:105410000085202500431821108000030000102182
69216+:10542000AC6600002402000103E000080000000058
69217+:105430003C1C0800279C56083C0200023C05040066
69218+:1054400000852826008220260004102B2CA50001B0
69219+:105450002C840001000210803C03080024635600E5
69220+:105460000085202500431821108000050000102130
69221+:105470003C02080024425438AC62000024020001BF
69222+:1054800003E00008000000003C0200023C030400AE
69223+:1054900000821026008318262C4200012C63000194
69224+:1054A000004310251040000B000028213C1C080080
69225+:1054B000279C56083C0380008C62000824050001EC
69226+:1054C00000431025AC6200088C62000C00441025DB
69227+:1054D000AC62000C03E0000800A010213C1C080096
69228+:1054E000279C56083C0580008CA3000C0004202754
69229+:1054F000240200010064182403E00008ACA3000C9F
69230+:105500003C020002148200063C0560008CA208D018
69231+:105510002403FFFE0043102403E00008ACA208D0DF
69232+:105520003C02040014820005000000008CA208D098
69233+:105530002403FFFD00431024ACA208D003E00008C0
69234+:10554000000000003C02601A344200108C430080CE
69235+:1055500027BDFFF88C440084AFA3000093A3000094
69236+:10556000240200041462001AAFA4000493A20001F4
69237+:105570001040000797A300023062FFFC3C0380004C
69238+:10558000004310218C4200000A001536AFA200042F
69239+:105590003062FFFC3C03800000431021AC4400005B
69240+:1055A000A3A000003C0560008CA208D02403FFFEED
69241+:1055B0003C04601A00431024ACA208D08FA300045E
69242+:1055C0008FA2000034840010AC830084AC82008081
69243+:1055D00003E0000827BD000827BDFFE8AFBF0010AB
69244+:1055E0003C1C0800279C56083C0280008C43000CA1
69245+:1055F0008C420004004318243C0200021060001496
69246+:10560000006228243C0204003C04000210A00005B3
69247+:10561000006210243C0208008C4256000A00155B10
69248+:1056200000000000104000073C0404003C02080099
69249+:105630008C4256040040F809000000000A00156082
69250+:10564000000000000000000D3C1C0800279C5608CC
69251+:105650008FBF001003E0000827BD0018800802403B
69252+:1056600080080100800800808008000000000C8095
69253+:105670000000320008000E9808000EF408000F88A1
69254+:1056800008001028080010748008010080080080BD
69255+:10569000800800000A000028000000000000000050
69256+:1056A0000000000D6370362E322E316200000000C3
69257+:1056B00006020104000000000000000000000000DD
69258+:1056C000000000000000000038003C000000000066
69259+:1056D00000000000000000000000000000000020AA
69260+:1056E00000000000000000000000000000000000BA
69261+:1056F00000000000000000000000000000000000AA
69262+:10570000000000000000000021003800000000013F
69263+:105710000000002B000000000000000400030D400A
69264+:105720000000000000000000000000000000000079
69265+:105730000000000000000000100000030000000056
69266+:105740000000000D0000000D3C020800244259AC8E
69267+:105750003C03080024635BF4AC4000000043202BB2
69268+:105760001480FFFD244200043C1D080037BD9FFC4F
69269+:1057700003A0F0213C100800261000A03C1C0800EB
69270+:10578000279C59AC0E0002F6000000000000000D3E
69271+:1057900027BDFFB4AFA10000AFA20004AFA3000873
69272+:1057A000AFA4000CAFA50010AFA60014AFA700185F
69273+:1057B000AFA8001CAFA90020AFAA0024AFAB0028FF
69274+:1057C000AFAC002CAFAD0030AFAE0034AFAF00389F
69275+:1057D000AFB8003CAFB90040AFBC0044AFBF004819
69276+:1057E0000E000820000000008FBF00488FBC00445E
69277+:1057F0008FB900408FB8003C8FAF00388FAE0034B7
69278+:105800008FAD00308FAC002C8FAB00288FAA002406
69279+:105810008FA900208FA8001C8FA700188FA6001446
69280+:105820008FA500108FA4000C8FA300088FA2000486
69281+:105830008FA1000027BD004C3C1B60188F7A5030B0
69282+:10584000377B502803400008AF7A000000A01821E1
69283+:1058500000801021008028213C0460003C0760008B
69284+:105860002406000810600006348420788C42000072
69285+:10587000ACE220088C63000003E00008ACE3200CDD
69286+:105880000A000F8100000000240300403C02600079
69287+:1058900003E00008AC4320003C0760008F86000452
69288+:1058A0008CE520740086102100A2182B14600007DC
69289+:1058B000000028218F8AFDA024050001A1440013C7
69290+:1058C0008F89000401244021AF88000403E0000810
69291+:1058D00000A010218F84FDA08F8500049086001306
69292+:1058E00030C300FF00A31023AF82000403E00008D0
69293+:1058F000A08000138F84FDA027BDFFE8AFB000108B
69294+:10590000AFBF001490890011908700112402002875
69295+:10591000312800FF3906002830E300FF2485002CE1
69296+:105920002CD00001106200162484001C0E00006EB2
69297+:10593000000000008F8FFDA03C05600024020204DF
69298+:1059400095EE003E95ED003C000E5C0031ACFFFF93
69299+:10595000016C5025ACAA2010520000012402000462
69300+:10596000ACA22000000000000000000000000000C9
69301+:105970008FBF00148FB0001003E0000827BD00188F
69302+:105980000A0000A6000028218F85FDA027BDFFD8B2
69303+:10599000AFBF0020AFB3001CAFB20018AFB100140E
69304+:1059A000AFB000100080982190A4001124B0001C1A
69305+:1059B00024B1002C308300FF386200280E000090D4
69306+:1059C0002C5200010E00009800000000020020216F
69307+:1059D0001240000202202821000028210E00006E43
69308+:1059E000000000008F8DFDA03C0880003C05600099
69309+:1059F00095AC003E95AB003C02683025000C4C0095
69310+:105A0000316AFFFF012A3825ACA7201024020202C8
69311+:105A1000ACA6201452400001240200028FBF0020D7
69312+:105A20008FB3001C8FB200188FB100148FB000101C
69313+:105A300027BD002803E00008ACA2200027BDFFE03E
69314+:105A4000AFB20018AFB10014AFB00010AFBF001C70
69315+:105A50003C1160008E2320748F82000430D0FFFF41
69316+:105A600030F2FFFF1062000C2406008F0E00006E63
69317+:105A7000000000003C06801F0010440034C5FF00F9
69318+:105A80000112382524040002AE2720100000302126
69319+:105A9000AE252014AE2420008FBF001C8FB200184A
69320+:105AA0008FB100148FB0001000C0102103E0000877
69321+:105AB00027BD002027BDFFE0AFB0001030D0FFFFB2
69322+:105AC000AFBF0018AFB100140E00006E30F1FFFF41
69323+:105AD00000102400009180253C036000AC70201071
69324+:105AE0008FBF00188FB100148FB000102402000483
69325+:105AF000AC62200027BD002003E000080000102158
69326+:105B000027BDFFE03C046018AFBF0018AFB1001420
69327+:105B1000AFB000108C8850002403FF7F34028071E6
69328+:105B20000103382434E5380C241F00313C1980006F
69329+:105B3000AC8550003C11800AAC8253BCAF3F0008DA
69330+:105B40000E00054CAF9100400E00050A3C116000AC
69331+:105B50000E00007D000000008E3008083C0F570941
69332+:105B60002418FFF00218602435EEE00035EDF00057
69333+:105B7000018E5026018D58262D4600012D69000109
69334+:105B8000AF86004C0E000D09AF8900503C06601630
69335+:105B90008CC700003C0860148D0500A03C03FFFF8B
69336+:105BA00000E320243C02535300052FC2108200550D
69337+:105BB00034D07C00960201F2A780006C10400003F4
69338+:105BC000A780007C384B1E1EA78B006C960201F844
69339+:105BD000104000048F8D0050384C1E1EA78C007C96
69340+:105BE0008F8D005011A000058F83004C240E0020E3
69341+:105BF000A78E007CA78E006C8F83004C1060000580
69342+:105C00009785007C240F0020A78F007CA78F006C55
69343+:105C10009785007C2CB8008153000001240500808A
69344+:105C20009784006C2C91040152200001240404008C
69345+:105C30001060000B3C0260008FBF00188FB1001491
69346+:105C40008FB0001027BD0020A784006CA785007CC2
69347+:105C5000A380007EA780007403E00008A780009264
69348+:105C60008C4704382419103C30FFFFFF13F9000360
69349+:105C700030A8FFFF1100004624030050A380007EDF
69350+:105C80009386007E50C00024A785007CA780007CFE
69351+:105C90009798007CA780006CA7800074A780009272
69352+:105CA0003C010800AC3800800E00078700000000AF
69353+:105CB0003C0F60008DED0808240EFFF03C0B600ED9
69354+:105CC000260C0388356A00100000482100002821B6
69355+:105CD00001AE20243C105709AF8C0010AF8A004859
69356+:105CE000AF89001810900023AF8500148FBF0018F3
69357+:105CF0008FB100148FB0001027BD002003E0000812
69358+:105D0000AF80005400055080014648218D260004D4
69359+:105D10000A00014800D180219798007CA784006C7C
69360+:105D2000A7800074A78000923C010800AC38008076
69361+:105D30000E000787000000003C0F60008DED080892
69362+:105D4000240EFFF03C0B600E260C0388356A001011
69363+:105D5000000048210000282101AE20243C105709F2
69364+:105D6000AF8C0010AF8A0048AF8900181490FFDF95
69365+:105D7000AF85001424110001AF9100548FBF0018AB
69366+:105D80008FB100148FB0001003E0000827BD002081
69367+:105D90000A00017BA383007E3083FFFF8F880040D1
69368+:105DA0008F87003C000321403C0580003C020050EE
69369+:105DB000008248253C0660003C0A010034AC040027
69370+:105DC0008CCD08E001AA58241160000500000000F5
69371+:105DD0008CCF08E024E7000101EA7025ACCE08E092
69372+:105DE0008D19001001805821ACB900388D180014AD
69373+:105DF000ACB8003CACA9003000000000000000007E
69374+:105E00000000000000000000000000000000000092
69375+:105E100000000000000000003C0380008C640000D3
69376+:105E2000308200201040FFFD3C0F60008DED08E047
69377+:105E30003C0E010001AE18241460FFE100000000D8
69378+:105E4000AF87003C03E00008AF8B00588F8500400F
69379+:105E5000240BFFF03C06800094A7001A8CA90024B4
69380+:105E600030ECFFFF000C38C000EB5024012A402129
69381+:105E7000ACC8003C8CA400248CC3003C00831023DD
69382+:105E800018400033000000008CAD002025A2000166
69383+:105E90003C0F0050ACC2003835EE00103C068000CC
69384+:105EA000ACCE003000000000000000000000000048
69385+:105EB00000000000000000000000000000000000E2
69386+:105EC000000000003C0480008C9900003338002062
69387+:105ED0001300FFFD30E20008104000173C0980006D
69388+:105EE0008C880408ACA800108C83040CACA30014AC
69389+:105EF0003C1900203C188000AF19003094AE001807
69390+:105F000094AF001C01CF3021A4A6001894AD001A54
69391+:105F100025A70001A4A7001A94AB001A94AC001E98
69392+:105F2000118B00030000000003E0000800000000E7
69393+:105F300003E00008A4A0001A8D2A0400ACAA0010F7
69394+:105F40008D240404ACA400140A0002183C1900209B
69395+:105F50008CA200200A0002003C0F00500A0001EE53
69396+:105F60000000000027BDFFE8AFBF00100E000232A6
69397+:105F7000000000008F8900408FBF00103C038000AC
69398+:105F8000A520000A9528000A9527000427BD0018BF
69399+:105F90003105FFFF30E6000F0006150000A22025A6
69400+:105FA00003E00008AC6400803C0508008CA50020DC
69401+:105FB0008F83000C27BDFFE8AFB00010AFBF001407
69402+:105FC00010A300100000802124040001020430040A
69403+:105FD00000A6202400C3102450440006261000010F
69404+:105FE000001018802787FDA41480000A006718217C
69405+:105FF000261000012E0900025520FFF38F83000CAC
69406+:10600000AF85000C8FBF00148FB0001003E00008B4
69407+:1060100027BD00188C6800003C058000ACA8002457
69408+:106020000E000234261000013C0508008CA500205B
69409+:106030000A0002592E0900022405000100851804F7
69410+:106040003C0408008C84002027BDFFC8AFBF00348B
69411+:1060500000831024AFBE0030AFB7002CAFB60028CD
69412+:10606000AFB50024AFB40020AFB3001CAFB200182E
69413+:10607000AFB1001410400051AFB000108F84004049
69414+:10608000948700069488000A00E8302330D5FFFF8B
69415+:1060900012A0004B8FBF0034948B0018948C000A20
69416+:1060A000016C50233142FFFF02A2482B1520000251
69417+:1060B00002A02021004020212C8F000515E00002C5
69418+:1060C00000809821241300040E0001C102602021E9
69419+:1060D0008F87004002609021AF80004494F4000A52
69420+:1060E000026080211260004E3291FFFF3C1670006A
69421+:1060F0003C1440003C1E20003C1760008F99005863
69422+:106100008F380000031618241074004F0283F82BF8
69423+:1061100017E0003600000000107E00478F86004424
69424+:1061200014C0003A2403000102031023022320219B
69425+:106130003050FFFF1600FFF13091FFFF8F870040C6
69426+:106140003C1100203C108000AE11003094EB000A9E
69427+:106150003C178000024B5021A4EA000A94E9000A8F
69428+:1061600094E800043123FFFF3106000F00062D00E4
69429+:106170000065F025AEFE008094F3000A94F6001846
69430+:1061800012D30036001221408CFF00148CF4001052
69431+:1061900003E468210000C02101A4782B029870213B
69432+:1061A00001CF6021ACED0014ACEC001002B238233A
69433+:1061B00030F5FFFF16A0FFB88F8400408FBF00347A
69434+:1061C0008FBE00308FB7002C8FB600288FB500240B
69435+:1061D0008FB400208FB3001C8FB200188FB1001451
69436+:1061E0008FB0001003E0000827BD00381477FFCC03
69437+:1061F0008F8600440E000EE202002021004018218C
69438+:106200008F86004410C0FFC9020310230270702360
69439+:106210008F87004001C368210A0002E431B2FFFF0A
69440+:106220008F86004414C0FFC93C1100203C10800040
69441+:106230000A0002AEAE1100300E00046602002021FA
69442+:106240000A0002DB00401821020020210E0009395B
69443+:10625000022028210A0002DB004018210E0001EE76
69444+:10626000000000000A0002C702B2382327BDFFC8A1
69445+:10627000AFB7002CAFB60028AFB50024AFB40020F4
69446+:10628000AFB3001CAFB20018AFB10014AFB0001034
69447+:10629000AFBF00300E00011B241300013C047FFF40
69448+:1062A0003C0380083C0220003C010800AC20007048
69449+:1062B0003496FFFF34770080345200033C1512C03F
69450+:1062C000241400013C1080002411FF800E000245C0
69451+:1062D000000000008F8700488F8B00188F89001402
69452+:1062E0008CEA00EC8CE800E8014B302B01092823F4
69453+:1062F00000A6102314400006014B18231440000E82
69454+:106300003C05800002A3602B1180000B0000000000
69455+:106310003C0560008CEE00EC8CED00E88CA4180CC1
69456+:10632000AF8E001804800053AF8D00148F8F0010C3
69457+:10633000ADF400003C0580008CBF00003BF900017B
69458+:10634000333800011700FFE13C0380008C6201003C
69459+:1063500024060C0010460009000000008C680100B3
69460+:106360002D043080548000103C0480008C690100B2
69461+:106370002D2331811060000C3C0480008CAA0100A8
69462+:1063800011460004000020218CA6010024C5FF81D5
69463+:1063900030A400FF8E0B01000E000269AE0B00243A
69464+:1063A0000A00034F3C0480008C8D01002DAC3300AB
69465+:1063B00011800022000000003C0708008CE70098D4
69466+:1063C00024EE00013C010800AC2E00983C04800043
69467+:1063D0008C8201001440000300000000566000148D
69468+:1063E0003C0440008C9F01008C9801000000982123
69469+:1063F00003F1C82400193940330F007F00EF7025E6
69470+:1064000001D26825AC8D08308C8C01008C85010090
69471+:10641000258B0100017130240006514030A3007F1C
69472+:106420000143482501324025AC8808303C04400037
69473+:10643000AE0401380A00030E000000008C99010030
69474+:10644000240F0020AC99002092F80000330300FFD5
69475+:10645000106F000C241F0050547FFFDD3C048000AF
69476+:106460008C8401000E00154E000000000A00034F4E
69477+:106470003C04800000963824ACA7180C0A000327BF
69478+:106480008F8F00108C8501000E0008F72404008017
69479+:106490000A00034F3C04800000A4102B24030001D9
69480+:1064A00010400009000030210005284000A4102BF6
69481+:1064B00004A00003000318405440FFFC00052840DE
69482+:1064C0005060000A0004182B0085382B54E00004AB
69483+:1064D0000003184200C33025008520230003184222
69484+:1064E0001460FFF9000528420004182B03E000089F
69485+:1064F00000C310213084FFFF30C600FF3C0780003E
69486+:106500008CE201B80440FFFE00064C000124302557
69487+:106510003C08200000C820253C031000ACE00180AE
69488+:10652000ACE50184ACE4018803E00008ACE301B809
69489+:106530003C0660008CC5201C2402FFF03083020062
69490+:10654000308601001060000E00A2282434A500014E
69491+:106550003087300010E0000530830C0034A50004C3
69492+:106560003C04600003E00008AC85201C1060FFFDC7
69493+:106570003C04600034A5000803E00008AC85201C42
69494+:1065800054C0FFF334A500020A0003B03087300086
69495+:1065900027BDFFE8AFB00010AFBF00143C0760009C
69496+:1065A000240600021080001100A080218F83005873
69497+:1065B0000E0003A78C6400188F8200580000202171
69498+:1065C000240600018C45000C0E000398000000001A
69499+:1065D0001600000224020003000010218FBF0014E7
69500+:1065E0008FB0001003E0000827BD00188CE8201CC5
69501+:1065F0002409FFF001092824ACE5201C8F870058EE
69502+:106600000A0003CD8CE5000C3C02600E00804021A6
69503+:1066100034460100240900180000000000000000BA
69504+:10662000000000003C0A00503C0380003547020097
69505+:10663000AC68003834640400AC65003CAC670030E2
69506+:106640008C6C0000318B00201160FFFD2407FFFFE0
69507+:106650002403007F8C8D00002463FFFF248400044A
69508+:10666000ACCD00001467FFFB24C60004000000004E
69509+:10667000000000000000000024A402000085282B78
69510+:106680003C0300203C0E80002529FFFF010540212E
69511+:10669000ADC300301520FFE00080282103E0000892
69512+:1066A000000000008F82005827BDFFD8AFB3001C48
69513+:1066B000AFBF0020AFB20018AFB10014AFB00010F0
69514+:1066C00094460002008098218C5200182CC300814F
69515+:1066D0008C4800048C4700088C51000C8C49001039
69516+:1066E000106000078C4A00142CC4000414800013AE
69517+:1066F00030EB000730C5000310A0001000000000C0
69518+:106700002410008B02002021022028210E00039873
69519+:10671000240600031660000224020003000010217A
69520+:106720008FBF00208FB3001C8FB200188FB10014F0
69521+:106730008FB0001003E0000827BD00281560FFF1AE
69522+:106740002410008B3C0C80003C030020241F00011F
69523+:10675000AD830030AF9F0044000000000000000047
69524+:10676000000000002419FFF024D8000F031978243A
69525+:106770003C1000D0AD88003801F0702524CD000316
69526+:106780003C08600EAD87003C35850400AD8E0030BE
69527+:10679000000D38823504003C3C0380008C6B000007
69528+:1067A000316200201040FFFD0000000010E00008F2
69529+:1067B00024E3FFFF2407FFFF8CA800002463FFFFF2
69530+:1067C00024A50004AC8800001467FFFB24840004A7
69531+:1067D0003C05600EACA60038000000000000000080
69532+:1067E000000000008F8600543C0400203C0780001D
69533+:1067F000ACE4003054C000060120202102402021DA
69534+:106800000E0003A7000080210A00041D02002021C1
69535+:106810000E0003DD01402821024020210E0003A7C5
69536+:10682000000080210A00041D0200202127BDFFE096
69537+:10683000AFB200183092FFFFAFB10014AFBF001C21
69538+:10684000AFB000101640000D000088210A0004932C
69539+:106850000220102124050003508500278CE5000C40
69540+:106860000000000D262800013111FFFF24E2002066
69541+:106870000232802B12000019AF8200588F82004430
69542+:10688000144000168F8700583C0670003C0320001F
69543+:106890008CE5000000A62024148300108F84006083
69544+:1068A000000544023C09800000A980241480FFE90F
69545+:1068B000310600FF2CCA000B5140FFEB26280001D7
69546+:1068C000000668803C0E080025CE575801AE6021B6
69547+:1068D0008D8B0000016000080000000002201021E4
69548+:1068E0008FBF001C8FB200188FB100148FB0001042
69549+:1068F00003E0000827BD00200E0003982404008454
69550+:106900001600FFD88F8700580A000474AF8000601B
69551+:10691000020028210E0003BF240400018F870058C5
69552+:106920000A000474AF820060020028210E0003BF39
69553+:10693000000020210A0004A38F8700580E000404E1
69554+:10694000020020218F8700580A000474AF82006083
69555+:1069500030AFFFFF000F19C03C0480008C9001B8DD
69556+:106960000600FFFE3C1920043C181000AC83018097
69557+:10697000AC800184AC990188AC9801B80A00047518
69558+:106980002628000190E2000390E30002000020218D
69559+:106990000002FE0000033A0000FF2825240600083C
69560+:1069A0000E000398000000001600FFDC2402000324
69561+:1069B0008F870058000010210A000474AF82006025
69562+:1069C00090E8000200002021240600090A0004C308
69563+:1069D00000082E0090E4000C240900FF308500FF21
69564+:1069E00010A900150000302190F9000290F8000372
69565+:1069F000308F00FF94EB000400196E000018740043
69566+:106A0000000F62000186202501AE5025014B28258C
69567+:106A10003084FF8B0A0004C32406000A90E30002BE
69568+:106A200090FF0004000020210003360000DF28252D
69569+:106A30000A0004C32406000B0A0004D52406008BB8
69570+:106A4000000449C23127003F000443423C02800059
69571+:106A500000082040240316802CE60020AC43002CC4
69572+:106A600024EAFFE02482000114C0000330A900FFE3
69573+:106A700000801021314700FF000260803C0D800043
69574+:106A8000240A0001018D20213C0B000E00EA28049D
69575+:106A9000008B302111200005000538278CCE000026
69576+:106AA00001C5382503E00008ACC700008CD8000001
69577+:106AB0000307782403E00008ACCF000027BDFFE007
69578+:106AC000AFB10014AFB00010AFBF00183C076000BA
69579+:106AD0008CE408083402F0003C1160003083F000C0
69580+:106AE000240501C03C04800E000030211062000625
69581+:106AF000241000018CEA08083149F0003928E00030
69582+:106B00000008382B000780403C0D0200AE2D081411
69583+:106B1000240C16803C0B80008E2744000E000F8B47
69584+:106B2000AD6C002C120000043C02169124050001FB
69585+:106B3000120500103C023D2C345800E0AE384408E9
69586+:106B40003C1108008E31007C8FBF00183C066000AD
69587+:106B500000118540360F16808FB100148FB00010E1
69588+:106B60003C0E020027BD0020ACCF442003E000080B
69589+:106B7000ACCE08103C0218DA345800E0AE384408B5
69590+:106B80003C1108008E31007C8FBF00183C0660006D
69591+:106B900000118540360F16808FB100148FB00010A1
69592+:106BA0003C0E020027BD0020ACCF442003E00008CB
69593+:106BB000ACCE08100A0004EB240500010A0004EB27
69594+:106BC0000000282124020400A7820024A780001CC2
69595+:106BD000000020213C06080024C65A582405FFFF67
69596+:106BE00024890001000440803124FFFF01061821A0
69597+:106BF0002C87002014E0FFFAAC6500002404040098
69598+:106C0000A7840026A780001E000020213C06080063
69599+:106C100024C65AD82405FFFF248D0001000460809B
69600+:106C200031A4FFFF018658212C8A00201540FFFA6D
69601+:106C3000AD650000A7800028A7800020A780002263
69602+:106C4000000020213C06080024C65B582405FFFFF5
69603+:106C5000249900010004C0803324FFFF030678213B
69604+:106C60002C8E000415C0FFFAADE500003C05600065
69605+:106C70008CA73D002403E08F00E31024344601403C
69606+:106C800003E00008ACA63D002487007F000731C266
69607+:106C900024C5FFFF000518C2246400013082FFFFF5
69608+:106CA000000238C0A78400303C010800AC27003047
69609+:106CB000AF80002C0000282100002021000030219E
69610+:106CC0002489000100A728213124FFFF2CA81701E7
69611+:106CD000110000032C8300801460FFF924C600011A
69612+:106CE00000C02821AF86002C10C0001DA786002AF6
69613+:106CF00024CAFFFF000A11423C08080025085B581F
69614+:106D00001040000A00002021004030212407FFFF2E
69615+:106D1000248E00010004688031C4FFFF01A86021B7
69616+:106D20000086582B1560FFFAAD87000030A2001FC7
69617+:106D30005040000800043080240300010043C804D0
69618+:106D400000041080004878212738FFFF03E0000886
69619+:106D5000ADF8000000C820212405FFFFAC8500002D
69620+:106D600003E000080000000030A5FFFF30C6FFFF71
69621+:106D700030A8001F0080602130E700FF0005294295
69622+:106D80000000502110C0001D24090001240B000147
69623+:106D900025180001010B2004330800FF0126782686
69624+:106DA000390E00202DED00012DC2000101A2182591
69625+:106DB0001060000D014450250005C880032C4021BF
69626+:106DC0000100182110E0000F000A20278D040000A8
69627+:106DD000008A1825AD03000024AD00010000402109
69628+:106DE0000000502131A5FFFF252E000131C9FFFF12
69629+:106DF00000C9102B1040FFE72518000103E0000830
69630+:106E0000000000008D0A0000014440240A0005D162
69631+:106E1000AC68000027BDFFE830A5FFFF30C6FFFFCC
69632+:106E2000AFB00010AFBF001430E7FFFF00005021EB
69633+:106E30003410FFFF0000602124AF001F00C0482174
69634+:106E4000241800012419002005E0001601E010219B
69635+:106E50000002F943019F682A0009702B01AE40240B
69636+:106E600011000017000C18800064102110E00005CC
69637+:106E70008C4B000000F840040008382301675824B8
69638+:106E800000003821154000410000402155600016E7
69639+:106E90003169FFFF258B0001316CFFFF05E1FFEC3D
69640+:106EA00001E0102124A2003E0002F943019F682A5C
69641+:106EB0000009702B01AE40241500FFEB000C188078
69642+:106EC000154600053402FFFF020028210E0005B51B
69643+:106ED00000003821020010218FBF00148FB0001075
69644+:106EE00003E0000827BD00181520000301601821E9
69645+:106EF000000B1C0224080010306A00FF154000053A
69646+:106F0000306E000F250D000800031A0231A800FFA3
69647+:106F1000306E000F15C00005307F000325100004FF
69648+:106F200000031902320800FF307F000317E000055C
69649+:106F3000386900012502000200031882304800FF72
69650+:106F4000386900013123000110600004310300FFA3
69651+:106F5000250A0001314800FF310300FF000C6940A1
69652+:106F600001A34021240A000110CAFFD53110FFFF00
69653+:106F7000246E000131C800FF1119FFC638C9000195
69654+:106F80002D1F002053E0001C258B0001240D000163
69655+:106F90000A000648240E002051460017258B0001E8
69656+:106FA00025090001312800FF2D0900205120001281
69657+:106FB000258B000125430001010D5004014B1024D5
69658+:106FC000250900011440FFF4306AFFFF3127FFFF5D
69659+:106FD00010EE000C2582FFFF304CFFFF0000502117
69660+:106FE0003410FFFF312800FF2D0900205520FFF24B
69661+:106FF00025430001258B0001014648260A000602B0
69662+:10700000316CFFFF00003821000050210A000654B7
69663+:107010003410FFFF27BDFFD8AFB0001030F0FFFFE6
69664+:10702000AFB10014001039423211FFE000071080A8
69665+:10703000AFB3001C00B1282330D3FFFFAFB200185C
69666+:1070400030A5FFFF00809021026030210044202104
69667+:10705000AFBF00200E0005E03207001F022288218A
69668+:107060003403FFFF0240202102002821026030216A
69669+:1070700000003821104300093231FFFF02201021A7
69670+:107080008FBF00208FB3001C8FB200188FB1001487
69671+:107090008FB0001003E0000827BD00280E0005E0B7
69672+:1070A0000000000000408821022010218FBF002036
69673+:1070B0008FB3001C8FB200188FB100148FB0001076
69674+:1070C00003E0000827BD0028000424003C03600002
69675+:1070D000AC603D0810A00002348210063482101605
69676+:1070E00003E00008AC623D0427BDFFE0AFB0001034
69677+:1070F000309000FF2E020006AFBF001810400008BD
69678+:10710000AFB10014001030803C03080024635784A2
69679+:1071100000C328218CA400000080000800000000AB
69680+:10712000000020218FBF00188FB100148FB0001015
69681+:107130000080102103E0000827BD00209791002A5D
69682+:1071400016200051000020213C020800904200332C
69683+:107150000A0006BB00000000978D002615A0003134
69684+:10716000000020210A0006BB2402000897870024A3
69685+:1071700014E0001A00001821006020212402000100
69686+:107180001080FFE98FBF0018000429C2004530219C
69687+:1071900000A6582B1160FFE43C0880003C0720004B
69688+:1071A000000569C001A76025AD0C00203C038008E4
69689+:1071B0002402001F2442FFFFAC6000000441FFFDD9
69690+:1071C0002463000424A5000100A6702B15C0FFF560
69691+:1071D000000569C00A0006A58FBF00189787001C2C
69692+:1071E0003C04080024845A58240504000E0006605C
69693+:1071F00024060001978B002424440001308AFFFFFD
69694+:107200002569FFFF2D48040000402821150000409B
69695+:10721000A789002424AC3800000C19C00A0006B964
69696+:10722000A780001C9787001E3C04080024845AD8BD
69697+:10723000240504000E00066024060001979900262C
69698+:10724000244400013098FFFF272FFFFF2F0E04007A
69699+:107250000040882115C0002CA78F0026A780001EA3
69700+:107260003A020003262401003084FFFF0E00068D41
69701+:107270002C4500010011F8C027F00100001021C0CA
69702+:107280000A0006BB240200089785002E978700227B
69703+:107290003C04080024845B580E00066024060001AC
69704+:1072A0009787002A8F89002C2445000130A8FFFF12
69705+:1072B00024E3FFFF0109302B0040802114C0001897
69706+:1072C000A783002AA7800022978500300E000F7543
69707+:1072D00002002021244A05003144FFFF0E00068DE4
69708+:1072E000240500013C05080094A500320E000F752E
69709+:1072F00002002021244521003C0208009042003376
69710+:107300000A0006BB000521C00A0006F3A784001E80
69711+:1073100024AC3800000C19C00A0006B9A784001C70
69712+:107320000A00070DA7850022308400FF27BDFFE873
69713+:107330002C820006AFBF0014AFB000101040001543
69714+:1073400000A03821000440803C0308002463579CBF
69715+:10735000010328218CA40000008000080000000028
69716+:1073600024CC007F000751C2000C59C23170FFFFCE
69717+:107370002547C40030E5FFFF2784001C02003021B0
69718+:107380000E0005B52407000197860028020620217B
69719+:10739000A78400288FBF00148FB0001003E00008FE
69720+:1073A00027BD00183C0508008CA50030000779C2F5
69721+:1073B0000E00038125E4DF003045FFFF3C04080098
69722+:1073C00024845B58240600010E0005B52407000143
69723+:1073D000978E002A8FBF00148FB0001025CD0001BA
69724+:1073E00027BD001803E00008A78D002A0007C9C2C6
69725+:1073F0002738FF00001878C231F0FFFF3C04080076
69726+:1074000024845AD802002821240600010E0005B564
69727+:1074100024070001978D0026260E0100000E84002F
69728+:1074200025AC00013C0B6000A78C0026AD603D0838
69729+:1074300036040006000030213C0760008CE23D0469
69730+:10744000305F000617E0FFFD24C9000100061B00A5
69731+:10745000312600FF006440252CC50004ACE83D0443
69732+:1074600014A0FFF68FBF00148FB0001003E00008D7
69733+:1074700027BD0018000751C22549C8002406000195
69734+:10748000240700013C04080024845A580E0005B566
69735+:107490003125FFFF978700248FBF00148FB00010A5
69736+:1074A00024E6000127BD001803E00008A786002499
69737+:1074B0003C0660183C090800252900FCACC9502C8A
69738+:1074C0008CC850003C0580003C020002350700805B
69739+:1074D000ACC750003C04080024841FE03C030800B3
69740+:1074E00024631F98ACA50008ACA2000C3C01080066
69741+:1074F000AC2459A43C010800AC2359A803E00008BF
69742+:107500002402000100A030213C1C0800279C59AC3B
69743+:107510003C0C04003C0B0002008B3826008C4026FB
69744+:107520002CE200010007502B2D050001000A4880C5
69745+:107530003C030800246359A4004520250123182199
69746+:107540001080000300001021AC660000240200013E
69747+:1075500003E00008000000003C1C0800279C59AC18
69748+:107560003C0B04003C0A0002008A3026008B3826BF
69749+:107570002CC200010006482B2CE5000100094080C8
69750+:107580003C030800246359A4004520250103182169
69751+:1075900010800005000010213C0C0800258C1F986D
69752+:1075A000AC6C00002402000103E0000800000000B1
69753+:1075B0003C0900023C080400008830260089382677
69754+:1075C0002CC30001008028212CE400010083102539
69755+:1075D0001040000B000030213C1C0800279C59ACD7
69756+:1075E0003C0A80008D4E00082406000101CA68256F
69757+:1075F000AD4D00088D4C000C01855825AD4B000C9D
69758+:1076000003E0000800C010213C1C0800279C59AC76
69759+:107610003C0580008CA6000C0004202724020001F9
69760+:1076200000C4182403E00008ACA3000C3C020002D4
69761+:107630001082000B3C0560003C070400108700032B
69762+:107640000000000003E00008000000008CA908D042
69763+:10765000240AFFFD012A402403E00008ACA808D05A
69764+:107660008CA408D02406FFFE0086182403E000083E
69765+:10767000ACA308D03C05601A34A600108CC300806F
69766+:1076800027BDFFF88CC50084AFA3000093A40000C1
69767+:107690002402001010820003AFA5000403E00008DC
69768+:1076A00027BD000893A7000114E0001497AC000266
69769+:1076B00097B800023C0F8000330EFFFC01CF682119
69770+:1076C000ADA50000A3A000003C0660008CC708D058
69771+:1076D0002408FFFE3C04601A00E82824ACC508D04A
69772+:1076E0008FA300048FA200003499001027BD00086A
69773+:1076F000AF22008003E00008AF2300843C0B800031
69774+:10770000318AFFFC014B48218D2800000A00080C3B
69775+:10771000AFA8000427BDFFE8AFBF00103C1C080065
69776+:10772000279C59AC3C0580008CA4000C8CA2000462
69777+:107730003C0300020044282410A0000A00A31824DF
69778+:107740003C0604003C0400021460000900A610245A
69779+:107750001440000F3C0404000000000D3C1C080015
69780+:10776000279C59AC8FBF001003E0000827BD00180C
69781+:107770003C0208008C4259A40040F80900000000B7
69782+:107780003C1C0800279C59AC0A0008358FBF00102C
69783+:107790003C0208008C4259A80040F8090000000093
69784+:1077A0000A00083B000000003C0880008D0201B880
69785+:1077B0000440FFFE35090180AD2400003C031000A9
69786+:1077C00024040040AD250004A1240008A1260009DE
69787+:1077D000A527000A03E00008AD0301B83084FFFFCD
69788+:1077E0000080382130A5FFFF000020210A00084555
69789+:1077F000240600803087FFFF8CA400002406003898
69790+:107800000A000845000028218F8300788F860070C9
69791+:107810001066000B008040213C07080024E75B68ED
69792+:10782000000328C000A710218C440000246300013D
69793+:10783000108800053063000F5466FFFA000328C06B
69794+:1078400003E00008000010213C07080024E75B6CFF
69795+:1078500000A7302103E000088CC200003C03900028
69796+:1078600034620001008220253C038000AC640020CB
69797+:107870008C65002004A0FFFE0000000003E000086B
69798+:10788000000000003C0280003443000100832025FA
69799+:1078900003E00008AC44002027BDFFE0AFB10014B6
69800+:1078A0003091FFFFAFB00010AFBF001812200013DF
69801+:1078B00000A080218CA20000240400022406020003
69802+:1078C0001040000F004028210E0007250000000096
69803+:1078D00000001021AE000000022038218FBF0018E8
69804+:1078E0008FB100148FB0001000402021000028212B
69805+:1078F000000030210A00084527BD00208CA20000AE
69806+:10790000022038218FBF00188FB100148FB00010F3
69807+:107910000040202100002821000030210A000845F5
69808+:1079200027BD002000A010213087FFFF8CA5000498
69809+:107930008C4400000A000845240600068F83FD9C45
69810+:1079400027BDFFE8AFBF0014AFB00010906700087C
69811+:10795000008010210080282130E600400000202116
69812+:1079600010C000088C5000000E0000BD0200202155
69813+:10797000020020218FBF00148FB000100A000548BC
69814+:1079800027BD00180E0008A4000000000E0000BD76
69815+:1079900002002021020020218FBF00148FB00010B0
69816+:1079A0000A00054827BD001827BDFFE0AFB0001052
69817+:1079B0008F90FD9CAFBF001CAFB20018AFB1001498
69818+:1079C00092060001008088210E00087230D2000467
69819+:1079D00092040005001129C2A6050000348300406E
69820+:1079E000A20300050E00087C022020210E00054A9B
69821+:1079F0000220202124020001AE02000C02202821D6
69822+:107A0000A602001024040002A602001224060200AE
69823+:107A1000A60200140E000725A60200161640000F4D
69824+:107A20008FBF001C978C00743C0B08008D6B007896
69825+:107A30002588FFFF3109FFFF256A0001012A382B45
69826+:107A400010E00006A78800743C0F6006240E0016A4
69827+:107A500035ED0010ADAE00508FBF001C8FB2001886
69828+:107A60008FB100148FB0001003E0000827BD002084
69829+:107A700027BDFFE0AFB10014AFBF0018AFB00010DA
69830+:107A80001080000400A088212402008010820007DA
69831+:107A9000000000000000000D8FBF00188FB100141F
69832+:107AA0008FB0001003E0000827BD00200E00087210
69833+:107AB00000A020218F86FD9C0220202190C500057A
69834+:107AC0000E00087C30B000FF2403003E1603FFF1D7
69835+:107AD0003C0680008CC401780480FFFE34C801405D
69836+:107AE000240900073C071000AD11000002202021EE
69837+:107AF000A10900048FBF00188FB100148FB00010CF
69838+:107B0000ACC701780A0008C527BD002027BDFFE0EB
69839+:107B1000AFB00010AFBF0018AFB100143C10800030
69840+:107B20008E110020000000000E00054AAE04002067
69841+:107B3000AE1100208FBF00188FB100148FB000105D
69842+:107B400003E0000827BD00203084FFFF00803821BB
69843+:107B50002406003500A020210A0008450000282145
69844+:107B60003084FFFF008038212406003600A0202149
69845+:107B70000A0008450000282127BDFFD0AFB500242A
69846+:107B80003095FFFFAFB60028AFB40020AFBF002C88
69847+:107B9000AFB3001CAFB20018AFB10014AFB000100B
69848+:107BA00030B6FFFF12A000270000A0218F920058DE
69849+:107BB0008E4300003C0680002402004000033E0289
69850+:107BC00000032C0230E4007F006698241482001D1C
69851+:107BD00030A500FF8F8300682C68000A1100001098
69852+:107BE0008F8D0044000358803C0C0800258C57B84A
69853+:107BF000016C50218D4900000120000800000000A8
69854+:107C000002D4302130C5FFFF0E0008522404008446
69855+:107C1000166000028F920058AF8000688F8D00447C
69856+:107C20002659002026980001032090213314FFFFDD
69857+:107C300015A00004AF9900580295202B1480FFDC9A
69858+:107C400000000000028010218FBF002C8FB600289A
69859+:107C50008FB500248FB400208FB3001C8FB20018A2
69860+:107C60008FB100148FB0001003E0000827BD003072
69861+:107C70002407003414A70149000000009247000EB9
69862+:107C80008F9FFDA08F90FD9C24181600A3E700197C
69863+:107C90009242000D3C0880003C07800CA3E20018D3
69864+:107CA000964A00123C0D60003C117FFFA60A005C62
69865+:107CB000964400103623FFFF240200053099FFFF91
69866+:107CC000AE1900548E46001CAD1800288CEF000041
69867+:107CD0008DAE444801E6482601C93021AE06003881
69868+:107CE0008E05003824CB00013C0E7F00AE05003C21
69869+:107CF0008E0C003CAFEC0004AE0B00208E13002075
69870+:107D0000AE13001CA3E0001BAE03002CA3E2001284
69871+:107D10008E4A001424130050AE0A00348E0400343E
69872+:107D2000AFE400148E590018AE1900489258000CA8
69873+:107D3000A218004E920D000835AF0020A20F0008D7
69874+:107D40008E090018012E282434AC4000AE0C001817
69875+:107D5000920B0000317200FF1253027F2403FF8058
69876+:107D60003C04080024845BE80E0008AA0000000020
69877+:107D70003C1108008E315BE80E00087202202021C1
69878+:107D80002405000424080001A2050025022020216A
69879+:107D90000E00087CA20800053C0580008CB001782C
69880+:107DA0000600FFFE8F92005834AE0140240F0002FF
69881+:107DB0003C091000ADD10000A1CF0004ACA90178AE
69882+:107DC0000A000962AF8000682CAD003751A0FF9413
69883+:107DD0008F8D0044000580803C110800263157E05B
69884+:107DE000021178218DEE000001C0000800000000A3
69885+:107DF0002411000414B1008C3C0780003C080800EA
69886+:107E00008D085BE88F86FD9CACE800208E4500085D
69887+:107E10008F99FDA0240D0050ACC500308E4C000899
69888+:107E2000ACCC00508E4B000CACCB00348E43001019
69889+:107E3000ACC300388E4A0010ACCA00548E42001405
69890+:107E4000ACC2003C8E5F0018AF3F00048E50001C97
69891+:107E5000ACD0002090C40000309800FF130D024AFF
69892+:107E6000000000008CC400348CD00030009030231F
69893+:107E700004C000F12404008C126000EE2402000310
69894+:107E80000A000962AF8200682419000514B900666F
69895+:107E90003C0580003C0808008D085BE88F86FD9C4F
69896+:107EA000ACA800208E4C00048F8AFDA0240720007F
69897+:107EB000ACCC001C924B000824120008A14B001906
69898+:107EC0008F82005890430009A14300188F85005805
69899+:107ED00090BF000A33E400FF1092001028890009C7
69900+:107EE000152000BA240E0002240D0020108D000B76
69901+:107EF000340780002898002117000008240740005C
69902+:107F000024100040109000053C0700012419008057
69903+:107F1000109900023C070002240740008CC20018A0
69904+:107F20003C03FF00004350240147F825ACDF001854
69905+:107F300090B2000BA0D200278F8300589464000CED
69906+:107F4000108001FE000000009467000C3C1F8000C0
69907+:107F50002405FFBFA4C7005C9063000E2407000443
69908+:107F6000A0C300088F820058904A000FA0CA0009E1
69909+:107F70008F8900588D3200108FE400740244C823AA
69910+:107F8000ACD900588D300014ACD0002C95380018B6
69911+:107F9000330DFFFFACCD00409531001A322FFFFFAB
69912+:107FA000ACCF00448D2E001CACCE00489128000EB2
69913+:107FB000A0C8000890CC000801855824126001B6C2
69914+:107FC000A0CB00088F9200580A000962AF870068B2
69915+:107FD0002406000614A600143C0E80003C0F080086
69916+:107FE0008DEF5BE88F85FD98ADCF00208E4900189E
69917+:107FF0008F86FD9C8F8BFDA0ACA900008CC800383B
69918+:1080000024040005ACA800048CCC003C1260008164
69919+:10801000AD6C00000A000962AF84006824110007FB
69920+:1080200010B1004B240400063C05080024A55BE8C1
69921+:108030000E000881240400818F9200580013102B39
69922+:108040000A000962AF820068241F002314BFFFF6F4
69923+:108050003C0C80003C0508008CA55BE88F8BFDA0E4
69924+:10806000AD8500208F91FD9C8E4600042564002084
69925+:1080700026450014AE260028240600030E000F81BA
69926+:10808000257000308F87005802002021240600034D
69927+:108090000E000F8124E500083C04080024845BE8FE
69928+:1080A0000E0008AA0000000092230000240A0050DD
69929+:1080B000306200FF544AFFE18F9200580E000F6CAF
69930+:1080C000000000000A000A6A8F920058240800335A
69931+:1080D00014A800323C0380003C1108008E315BE89C
69932+:1080E0008F8FFDA0AC7100208E420008240D002867
69933+:1080F0008F89FD9CADE200308E4A000C24060009F9
69934+:10810000ADEA00348E5F0010ADFF00388E440014DD
69935+:10811000ADE400208E590018ADF900248E58001CE3
69936+:10812000ADF80028A1ED00118E4E00041260003160
69937+:10813000AD2E00288F9200580A000962AF860068B1
69938+:10814000240D002214ADFFB8000000002404000735
69939+:108150003C1008008E105BE83C188000AF10002037
69940+:108160005660FEAEAF8400683C04080024845BE8DF
69941+:108170000E0008AA241300508F84FD9C90920000EA
69942+:10818000325900FF1333014B000000008F9200585A
69943+:10819000000020210A000962AF8400683C05080045
69944+:1081A00024A55BE80E000858240400810A000A6A2E
69945+:1081B0008F92005802D498213265FFFF0E000852BA
69946+:1081C000240400840A0009628F920058108EFF5325
69947+:1081D000240704002887000310E00179241100041B
69948+:1081E000240F0001548FFF4D240740000A000A228B
69949+:1081F000240701003C05080024A55BE80E0008A444
69950+:10820000240400828F920058000030210A00096285
69951+:10821000AF8600683C04080024845BE88CC2003808
69952+:108220000E0008AA8CC3003C8F9200580A000AC0B6
69953+:1082300000002021240400823C05080024A55BE8FE
69954+:108240000E0008A4000000008F92005800001021CA
69955+:108250000A000962AF8200688E5000048F91FD9C75
69956+:108260003C078000ACF00020922C00050200282181
69957+:10827000318B0002156001562404008A8F92FDA004
69958+:108280002404008D9245001B30A6002014C001502C
69959+:1082900002002821922E00092408001231C900FF93
69960+:1082A0001128014B240400810E00087202002021D5
69961+:1082B0009258001B240F000402002021370D0042B9
69962+:1082C000A24D001B0E00087CA22F00253C0580005B
69963+:1082D0008CA401780480FFFE34B90140241F000201
69964+:1082E000AF300000A33F00048F9200583C101000F4
69965+:1082F000ACB001780A000A6B0013102B8E500004FA
69966+:108300008F91FD9C3C038000AC700020922A0005F8
69967+:108310000200282131420002144000172404008A80
69968+:10832000922C00092412000402002821318B00FF46
69969+:1083300011720011240400810E0008720200202135
69970+:108340008F89FDA0240800122405FFFE912F001B39
69971+:108350000200202135EE0020A12E001BA2280009DA
69972+:108360009226000500C538240E00087CA2270005CF
69973+:1083700002002821000020210E0009330000000027
69974+:108380000A000A6A8F9200588E4C00043C07800055
69975+:108390003C10080026105BE8ACEC00203C01080013
69976+:1083A000AC2C5BE8924B0003317100041220013BBE
69977+:1083B0008F84FD9C24020006A0820009924F001BBE
69978+:1083C000240EFFC031E9003F012E4025A08800089F
69979+:1083D0009245000330A6000114C0013200000000E5
69980+:1083E0008E420008AE0200083C0208008C425BF09E
69981+:1083F000104001318F90FDA0000219C28F8DFD9CAD
69982+:10840000A603000C8E4A000C24180001240400145A
69983+:10841000AE0A002C8E420010AE02001C965F0016C1
69984+:10842000A61F003C96590014A619003EADB8000CDA
69985+:10843000A5B80010A5B80012A5B80014A5B800167C
69986+:1084400012600144A2040011925100033232000272
69987+:108450002E5300018F920058266200080A0009621C
69988+:10846000AF8200688E4400043C1980003C068008FE
69989+:10847000AF2400208E45000890D80000240D005045
69990+:10848000331100FF122D009C2407008824060009E8
69991+:108490000E000845000000000A000A6A8F9200588A
69992+:1084A0008E5000043C0980003C118008AD30002053
69993+:1084B0009228000024050050310400FF10850110AF
69994+:1084C0002407008802002021000028210E00084512
69995+:1084D0002406000E922D00002418FF80020028219F
69996+:1084E00001B8802524040004240600300E0007256E
69997+:1084F000A23000000A000A6A8F9200588E500004D1
69998+:108500008F91FDA03C028000AC500020923F001BE8
69999+:1085100033F900101320006C240700810200202191
70000+:10852000000028212406001F0E000845000000005E
70001+:108530000A000A6A8F9200588E44001C0E00085DE3
70002+:1085400000000000104000E3004048218F880058E0
70003+:1085500024070089012020218D05001C240600012C
70004+:108560000E000845000000000A000A6A8F920058B9
70005+:10857000964900023C10080026105BE831280004F0
70006+:10858000110000973C0460008E4E001C3C0F8000E0
70007+:10859000ADEE00203C010800AC2E5BE896470002DF
70008+:1085A00030E40001148000E6000000008E42000468
70009+:1085B000AE0200083C1008008E105BF0120000ECC8
70010+:1085C0003C0F80008F92FD9C241000018E4E0018FD
70011+:1085D0008F8DFDA08F9FFD9801CF4825AE490018D3
70012+:1085E000A2400005AE50000C3C0808008D085BF06E
70013+:1085F0008F840058A6500010000839C2A6500012FF
70014+:10860000A6500014A6500016A5A7000C8C8C0008DC
70015+:108610008F8B00588F8A0058ADAC002C8D63000CF6
70016+:1086200024070002ADA3001C91460010A1A6001172
70017+:108630008F82005890450011A3E500088F990058DB
70018+:1086400093380012A258004E8F910058922F0013B9
70019+:10865000A1AF00128F920058964E0014A5AE003CB8
70020+:1086600096490016A5A9003E8E480018ADA8001432
70021+:108670005660FD6AAF8700683C05080024A55BE8EA
70022+:108680000E000881000020218F9200580000382140
70023+:108690000A000962AF8700683C05080024A55BE872
70024+:1086A0000E0008A4240400828F9200580A000A4D8C
70025+:1086B000000038210E000F6C000000008F9200585F
70026+:1086C0000A000AC0000020210E00087202002021CA
70027+:1086D0009223001B02002021346A00100E00087C47
70028+:1086E000A22A001B000038210200202100002821BE
70029+:1086F0000A000BA52406001F9242000C305F000107
70030+:1087000013E0000300000000964A000EA4CA002CEB
70031+:10871000924B000C316300025060000600003821CB
70032+:108720008E470014964C0012ACC7001CA4CC001A53
70033+:10873000000038210A000B7F240600093C050800D0
70034+:1087400024A55BE80E0008A42404008B8F92005837
70035+:108750000A000A4D0013382B3C0C08008D8C5BE896
70036+:1087600024DFFFFE25930100326B007F016790211B
70037+:1087700002638824AD110028AE4600E0AE4000E45C
70038+:108780000A0009B3AE5F001CACC000543C0D0800E9
70039+:108790008DAD5BE83C18800C37090100ACED00287A
70040+:1087A0008E510014AD3100E08E4F0014AD2F00E467
70041+:1087B0008E4E001025C7FFFE0A0009F4AD27001CED
70042+:1087C0005491FDD6240740000A000A222407100015
70043+:1087D0000E00092D000000000A000A6A8F9200585E
70044+:1087E0008C83442C3C12DEAD3651BEEF3C010800B8
70045+:1087F000AC205BE810710062000000003C196C6264
70046+:1088000037387970147800082404000297850074C2
70047+:108810009782006C2404009200A2F82B13E0001948
70048+:1088200002002821240400020E00069524050200FF
70049+:108830003C068000ACC200203C010800AC225BE892
70050+:108840001040000D8F8C0058240A002824040003D7
70051+:10885000918B0010316300FF546A00012404000171
70052+:108860000E0000810000000010400004240400837A
70053+:108870000A000BC28F920058240400833C050800B4
70054+:1088800024A55BE80E000881000000008F920058CC
70055+:108890000013382B0A000962AF8700680A000B49F1
70056+:1088A000240200128E4400080E00085D0000000043
70057+:1088B0000A000B55AE0200083C05080024A55BE841
70058+:1088C0000E000858240400878F9200580A000B728B
70059+:1088D0000013102B240400040E000695240500301C
70060+:1088E0001440002A004048218F8800582407008344
70061+:1088F000012020218D05001C0A000BB32406000175
70062+:108900008F8300788F8600701066FEEE000038219D
70063+:108910003C07080024E75B6C000320C00087282187
70064+:108920008CAE000011D0005D246F000131E3000F18
70065+:108930005466FFFA000320C00A000B8C00003821A7
70066+:108940008E4400040E00085D000000000A000BC801
70067+:10895000AE0200083C05080024A55BE80E0008A450
70068+:10896000240400828F9200580A000B72000010212C
70069+:108970003C05080024A55BE80A000C7C2404008761
70070+:108980008C83442C0A000C5B3C196C628F88005865
70071+:108990003C0780083C0C8000240B0050240A000196
70072+:1089A000AD820020A0EB0000A0EA000191030004CA
70073+:1089B000A0E3001891040005A0E400199106000648
70074+:1089C0003C04080024845B6CA0E6001A91020007B6
70075+:1089D0003C06080024C65B68A0E2001B9105000865
70076+:1089E000A0E5001C911F0009A0FF001D9119000ABD
70077+:1089F000A0F9001E9118000BA0F8001F9112000CA6
70078+:108A0000A0F200209111000DA0F100219110000EA4
70079+:108A1000A0F00022910F000FA0EF0023910E001094
70080+:108A2000A0EE0024910D0011A0ED0025950C00147E
70081+:108A3000A4EC0028950B00168F8A00708F920078A6
70082+:108A4000A4EB002A95030018000A10C02545000178
70083+:108A5000A4E3002C8D1F001C0044C0210046C82147
70084+:108A600030A5000FAF3F0000AF09000010B20006B4
70085+:108A7000AF850070000038218D05001C01202021E9
70086+:108A80000A000BB32406000124AD000131A7000F3A
70087+:108A9000AF8700780A000CF9000038213C06080076
70088+:108AA00024C65B680086902100003821ACA000003D
70089+:108AB0000A000B8CAE4000003C0482013C036000C5
70090+:108AC00034820E02AC603D68AF80009803E000087D
70091+:108AD000AC623D6C27BDFFE8AFB000103090FFFFE7
70092+:108AE000001018422C620041AFBF00141440000275
70093+:108AF00024040080240300403C010800AC300060E6
70094+:108B00003C010800AC2300640E000F7500602821B2
70095+:108B1000244802BF2409FF8001092824001039805D
70096+:108B2000001030408FBF00148FB0001000A720212C
70097+:108B300000861821AF8300803C010800AC25005856
70098+:108B40003C010800AC24005C03E0000827BD0018CD
70099+:108B5000308300FF30C6FFFF30E400FF3C08800098
70100+:108B60008D0201B80440FFFE000354000144382583
70101+:108B70003C09600000E920253C031000AD050180A0
70102+:108B8000AD060184AD04018803E00008AD0301B81F
70103+:108B90008F8500583C0A6012354800108CAC0004E8
70104+:108BA0003C0D600E35A60010318B00062D690001CA
70105+:108BB000AD0900C48CA70004ACC731808CA20008AA
70106+:108BC00094A40002ACC231848CA3001C0460000396
70107+:108BD000A784009003E00008000000008CAF00189C
70108+:108BE000ACCF31D08CAE001C03E00008ACCE31D449
70109+:108BF0008F8500588F87FF288F86FF308CAE00044A
70110+:108C00003C0F601235E80010ACEE00788CAD000827
70111+:108C1000ACED007C8CAC0010ACCC004C8CAB000CF0
70112+:108C2000ACCB004894CA00543C0208008C4200447B
70113+:108C300025490001A4C9005494C400543083FFFFA7
70114+:108C400010620017000000003C0208008C42004047
70115+:108C5000A4C200528CA30018ACE300308CA2001414
70116+:108C6000ACE2002C8CB90018ACF900388CB80014B8
70117+:108C700024050001ACF800348D0600BC50C5001975
70118+:108C80008D0200B48D0200B8A4E2004894E40048CC
70119+:108C9000A4E4004A94E800EA03E000083102FFFF80
70120+:108CA0003C0208008C420024A4C00054A4C200521C
70121+:108CB0008CA30018ACE300308CA20014ACE2002CB2
70122+:108CC0008CB90018ACF900388CB8001424050001E8
70123+:108CD000ACF800348D0600BC54C5FFEB8D0200B823
70124+:108CE0008D0200B4A4E2004894E40048A4E4004AE1
70125+:108CF00094E800EA03E000083102FFFF8F86005885
70126+:108D00003C0480008CC900088CC80008000929C0F8
70127+:108D1000000839C0AC87002090C30007306200040F
70128+:108D20001040003EAF85009490CB0007316A0008E8
70129+:108D30001140003D8F87FF2C8CCD000C8CCE001491
70130+:108D400001AE602B11800036000000008CC2000CC8
70131+:108D5000ACE200708CCB00188F85FF288F88FF3025
70132+:108D6000ACEB00748CCA00102402FFF8ACAA00D847
70133+:108D70008CC9000CAD0900608CC4001CACA400D0F0
70134+:108D800090E3007C0062C824A0F9007C90D8000722
70135+:108D9000330F000811E000040000000090ED007C9B
70136+:108DA00035AC0001A0EC007C90CF000731EE000153
70137+:108DB00011C000060000000090E3007C241800347D
70138+:108DC00034790002A0F9007CACB800DC90C2000746
70139+:108DD0003046000210C000040000000090E8007C53
70140+:108DE00035040004A0E4007C90ED007D3C0B600E97
70141+:108DF000356A001031AC003FA0EC007D8D4931D4C4
70142+:108E00003127000110E00002240E0001A0AE00098D
70143+:108E100094AF00EA03E0000831E2FFFF8F87FF2CE8
70144+:108E20000A000DAF8CC200140A000DB0ACE0007057
70145+:108E30008F8C005827BDFFD8AFB3001CAFB200180D
70146+:108E4000AFB00010AFBF0020AFB10014918F00157C
70147+:108E50003C13600E3673001031EB000FA38B009CA7
70148+:108E60008D8F00048D8B0008959F0012959900103E
70149+:108E70009584001A9598001E958E001C33EDFFFF17
70150+:108E8000332AFFFF3089FFFF3308FFFF31C7FFFFA1
70151+:108E90003C010800AC2D00243C010800AC29004432
70152+:108EA0003C010800AC2A0040AE683178AE67317CE6
70153+:108EB00091850015959100163C12601236520010F3
70154+:108EC00030A200FF3230FFFFAE623188AE5000B4F6
70155+:108ED00091830014959F0018240600010066C804C1
70156+:108EE00033F8FFFFAE5900B8AE5800BC918E0014A5
70157+:108EF000AF8F00843C08600631CD00FFAE4D00C04E
70158+:108F0000918A00159584000E3C07600A314900FFE4
70159+:108F1000AF8B00883084FFFFAE4900C835110010C8
70160+:108F20000E000D1034F004103C0208008C4200606A
70161+:108F30003C0308008C6300643C0608008CC60058A3
70162+:108F40003C0508008CA5005C8F8400808FBF00204A
70163+:108F5000AE23004CAE65319CAE030054AE4500DC40
70164+:108F6000AE6231A0AE6331A4AE663198AE22004845
70165+:108F70008FB3001CAE0200508FB10014AE4200E06F
70166+:108F8000AE4300E4AE4600D88FB000108FB2001898
70167+:108F90000A00057D27BD0028978500929783007CF5
70168+:108FA00027BDFFE8AFB0001000A3102BAFBF001427
70169+:108FB000240400058F900058104000552409000239
70170+:108FC0000E0006958F850080AF8200942404000374
70171+:108FD0001040004F240900023C0680000E00008172
70172+:108FE000ACC2002024070001240820001040004DDE
70173+:108FF00024040005978E00928F8AFF2C24090050CC
70174+:1090000025C50001A7850092A14900003C0D08007C
70175+:109010008DAD0064240380008F84FF28000D66005E
70176+:10902000AD4C0018A5400006954B000A8F85FF3017
70177+:109030002402FF8001633024A546000A915F000AE4
70178+:109040000000482103E2C825A159000AA0A0000899
70179+:10905000A140004CA08000D5961800029783009094
70180+:109060003C020004A49800EA960F00022418FFBFF7
70181+:1090700025EE2401A48E00BE8E0D0004ACAD00448C
70182+:109080008E0C0008ACAC0040A4A00050A4A000547A
70183+:109090008E0B000C240C0030AC8B00288E060010C8
70184+:1090A000AC860024A480003EA487004EA487005014
70185+:1090B000A483003CAD420074AC8800D8ACA800602A
70186+:1090C000A08700FC909F00D433F9007FA09900D4C2
70187+:1090D000909000D402187824A08F00D4914E007C88
70188+:1090E00035CD0001A14D007C938B009CAD480070F4
70189+:1090F000AC8C00DCA08B00D68F8800888F87008422
70190+:10910000AC8800C4AC8700C8A5400078A540007AB0
70191+:109110008FBF00148FB000100120102103E0000861
70192+:1091200027BD00188F8500940E0007258F860080CC
70193+:109130000A000E9F2409000227BDFFE0AFB0001017
70194+:109140008F900058AFB10014AFBF00188E09000413
70195+:109150000E00054A000921C08E0800048F84FF28F4
70196+:109160008F82FF30000839C03C068000ACC7002069
70197+:10917000948500EA904300131460001C30B1FFFF97
70198+:109180008F8CFF2C918B0008316A00401540000B3A
70199+:10919000000000008E0D0004022030218FBF001857
70200+:1091A0008FB100148FB00010240400220000382179
70201+:1091B000000D29C00A000D2F27BD00200E000098C9
70202+:1091C000000000008E0D0004022030218FBF001827
70203+:1091D0008FB100148FB00010240400220000382149
70204+:1091E000000D29C00A000D2F27BD00200E000090A1
70205+:1091F000000000008E0D0004022030218FBF0018F7
70206+:109200008FB100148FB00010240400220000382118
70207+:10921000000D29C00A000D2F27BD002027BDFFE04B
70208+:10922000AFB200183092FFFFAFB00010AFBF001C0C
70209+:10923000AFB100141240001E000080218F8600583C
70210+:109240008CC500002403000600053F02000514023F
70211+:1092500030E4000714830016304500FF2CA80006F8
70212+:1092600011000040000558803C0C0800258C58BCBB
70213+:10927000016C50218D490000012000080000000011
70214+:109280008F8E0098240D000111CD005024020002A1
70215+:10929000AF820098260900013130FFFF24C800206A
70216+:1092A0000212202B010030211480FFE5AF88005806
70217+:1092B000020010218FBF001C8FB200188FB1001464
70218+:1092C0008FB0001003E0000827BD00209387007EC8
70219+:1092D00054E00034000030210E000DE700000000D3
70220+:1092E0008F8600580A000EFF240200018F87009825
70221+:1092F0002405000210E50031240400130000282199
70222+:1093000000003021240700010E000D2F0000000096
70223+:109310000A000F008F8600588F83009824020002F5
70224+:109320001462FFF6240400120E000D9A00000000E3
70225+:109330008F85009400403021240400120E000D2F70
70226+:10934000000038210A000F008F8600588F83009894
70227+:109350002411000310710029241F0002107FFFCE8A
70228+:1093600026090001240400100000282100003021FB
70229+:109370000A000F1D240700018F91009824060002A7
70230+:109380001626FFF9240400100E000E410000000014
70231+:10939000144000238F9800588F8600580A000EFF53
70232+:1093A00024020003240400140E000D2F00002821C5
70233+:1093B0008F8600580A000EFF240200020E000EA93C
70234+:1093C000000000000A000F008F8600580E000D3FBD
70235+:1093D00000000000241900022404001400002821C9
70236+:1093E0000000302100003821AF9900980E000D2FA9
70237+:1093F000000000000A000F008F8600580E000D5775
70238+:10940000000000008F8500942419000200403021E4
70239+:1094100024040010000038210A000F56AF9900986C
70240+:109420000040382124040010970F0002000028217A
70241+:109430000E000D2F31E6FFFF8F8600580A000F0047
70242+:10944000AF9100988F84FF2C3C077FFF34E6FFFF2D
70243+:109450008C8500182402000100A61824AC83001893
70244+:1094600003E00008A08200053084FFFF30A5FFFF65
70245+:109470001080000700001821308200011040000217
70246+:1094800000042042006518211480FFFB00052840DD
70247+:1094900003E000080060102110C000070000000079
70248+:1094A0008CA2000024C6FFFF24A50004AC820000AB
70249+:1094B00014C0FFFB2484000403E000080000000047
70250+:1094C00010A0000824A3FFFFAC86000000000000ED
70251+:1094D000000000002402FFFF2463FFFF1462FFFA74
70252+:1094E0002484000403E0000800000000000411C010
70253+:1094F00003E000082442024027BDFFE8AFB000109F
70254+:1095000000808021AFBF00140E000F9600A0202124
70255+:1095100000504821240AFF808FBF00148FB0001034
70256+:10952000012A30243127007F3C08800A3C042100B6
70257+:1095300000E8102100C428253C03800027BD001846
70258+:10954000AC650024AF820038AC400000AC6500245C
70259+:1095500003E00008AC4000403C0D08008DAD005811
70260+:1095600000056180240AFF8001A45821016C482174
70261+:10957000012A30243127007F3C08800C3C04210064
70262+:1095800000E8102100C428253C038000AC650028B9
70263+:10959000AF82003403E00008AC40002430A5FFFF98
70264+:1095A0003C0680008CC201B80440FFFE3C086015F8
70265+:1095B00000A838253C031000ACC40180ACC0018475
70266+:1095C000ACC7018803E00008ACC301B83C0D08003B
70267+:1095D0008DAD005800056180240AFF8001A4582148
70268+:1095E000016C4021010A4824000931403107007F05
70269+:1095F00000C728253C04200000A418253C02800058
70270+:10960000AC43083003E00008AF80003427BDFFE81A
70271+:10961000AFB0001000808021AFBF00140E000F9685
70272+:1096200000A0202100504821240BFF80012B502452
70273+:10963000000A39403128007F3C0620008FBF00140B
70274+:109640008FB0001000E8282534C2000100A21825C0
70275+:109650003C04800027BD0018AC83083003E00008FC
70276+:10966000AF8000383C0580088CA700603C0680086D
70277+:109670000087102B144000112C8340008CA8006040
70278+:109680002D0340001060000F240340008CC90060CF
70279+:109690000089282B14A00002008018218CC30060D0
70280+:1096A00000035A42000B30803C0A0800254A59202A
70281+:1096B00000CA202103E000088C8200001460FFF340
70282+:1096C0002403400000035A42000B30803C0A08008B
70283+:1096D000254A592000CA202103E000088C8200009E
70284+:1096E0003C05800890A60008938400AB24C20001CA
70285+:1096F000304200FF3043007F1064000C0002382726
70286+:10970000A0A200083C0480008C85017804A0FFFE24
70287+:109710008F8A00A0240900023C081000AC8A014096
70288+:10972000A089014403E00008AC8801780A00101BFE
70289+:1097300030E2008027BDFFD8AFB200188F9200A49E
70290+:10974000AFBF0020AFB3001CAFB00010AFB100142A
70291+:109750008F9300348E5900283C1000803C0EFFEFA0
70292+:10976000AE7900008E580024A260000A35CDFFFFBC
70293+:10977000AE7800049251002C3C0BFF9F356AFFFF2E
70294+:10978000A271000C8E6F000C3C080040A271000B0F
70295+:1097900001F06025018D4824012A382400E8302595
70296+:1097A000AE66000C8E450004AE6000183C0400FF5D
70297+:1097B000AE6500148E43002C3482FFFFA6600008C3
70298+:1097C0000062F824AE7F00108E5900088F9000A030
70299+:1097D000964E0012AE7900208E51000C31D83FFF1A
70300+:1097E00000187980AE7100248E4D001401F06021C4
70301+:1097F00031CB0001AE6D00288E4A0018000C41C22A
70302+:10980000000B4B80AE6A002C8E46001C01093821EB
70303+:10981000A667001CAE660030964500028E4400200C
70304+:10982000A665001EAE64003492430033306200042B
70305+:1098300054400006924700003C0280083443010077
70306+:109840008C7F00D0AE7F0030924700008F860038BA
70307+:10985000A0C700309245003330A4000250800007BA
70308+:10986000925100018F880038240BFF80910A00304C
70309+:10987000014B4825A1090030925100018F9000381A
70310+:10988000240CFFBF2404FFDFA21100318F8D0038AC
70311+:109890003C1880083711008091AF003C31EE007F0A
70312+:1098A000A1AE003C8F890038912B003C016C502404
70313+:1098B000A12A003C8F9F00388E68001493E6003C7C
70314+:1098C0002D0700010007114000C4282400A218251C
70315+:1098D000A3E3003C8F87003896590012A4F90032A8
70316+:1098E0008E450004922E007C30B0000300107823D7
70317+:1098F00031ED000300AD102131CC000215800002D3
70318+:1099000024460034244600303C0280083443008062
70319+:10991000907F007C00BFC824333800041700000289
70320+:1099200024C2000400C010218F98003824190002BE
70321+:10993000ACE20034A3190000924F003F8F8E003834
70322+:109940003C0C8008358B0080A1CF00018F9100383E
70323+:10995000924D003F8E440004A62D0002956A005CE3
70324+:109960000E000FF43150FFFF00024B800209382532
70325+:109970003C08420000E82825AE2500048E4400384B
70326+:109980008F850038ACA400188E460034ACA6001CAD
70327+:10999000ACA0000CACA00010A4A00014A4A0001661
70328+:1099A000A4A00020A4A00022ACA000248E62001479
70329+:1099B00050400001240200018FBF00208FB3001C23
70330+:1099C0008FB200188FB100148FB00010ACA2000845
70331+:1099D0000A00101327BD002827BDFFC83C058008DA
70332+:1099E00034A40080AFBF0034AFBE0030AFB7002C4E
70333+:1099F000AFB60028AFB50024AFB40020AFB3001C51
70334+:109A0000AFB20018AFB10014AFB00010948300786B
70335+:109A10009482007A104300512405FFFF0080F0215A
70336+:109A20000A0011230080B821108B004D8FBF003435
70337+:109A30008F8600A03C1808008F18005C2411FF805E
70338+:109A40003C1680000306782101F18024AED0002C62
70339+:109A500096EE007A31EC007F3C0D800E31CB7FFF1B
70340+:109A6000018D5021000B4840012AA82196A4000036
70341+:109A70003C0808008D0800582405FF8030953FFF02
70342+:109A800001061821001539800067C8210325F82434
70343+:109A90003C02010003E290253338007F3C11800C2A
70344+:109AA000AED20028031190219250000D320F000415
70345+:109AB00011E0003702E0982196E3007A96E8007AF8
70346+:109AC00096E5007A2404800031077FFF24E300013B
70347+:109AD00030627FFF00A4F82403E2C825A6F9007ACB
70348+:109AE00096E6007A3C1408008E94006030D67FFF22
70349+:109AF00012D400C1000000008E5800188F8400A00E
70350+:109B000002A028212713FFFF0E000FCEAE53002C1A
70351+:109B100097D5007897D4007A12950010000028217C
70352+:109B20003C098008352401003C0A8008914800085F
70353+:109B3000908700D53114007F30E400FF0284302B81
70354+:109B400014C0FFB9268B0001938E00AB268C000158
70355+:109B5000008E682115ACFFB78F8600A08FBF003440
70356+:109B60008FBE00308FB7002C8FB600288FB5002431
70357+:109B70008FB400208FB3001C8FB200188FB1001477
70358+:109B80008FB0001000A0102103E0000827BD0038AE
70359+:109B900000C020210E000F99028028218E4B00105A
70360+:109BA0008E4C00308F84003824090002016C502351
70361+:109BB000AE4A0010A089000096E3005C8E4400309D
70362+:109BC0008F9100380E000FF43070FFFF00024380C9
70363+:109BD000020838253C02420000E22825AE25000498
70364+:109BE0008E5F00048F8A00388E590000240B000815
70365+:109BF000AD5F001CAD590018AD40000CAD40001029
70366+:109C00009246000A240400052408C00030D000FF5A
70367+:109C1000A550001496580008A55800169251000A45
70368+:109C20003C188008322F00FFA54F0020964E0008F8
70369+:109C300037110100A54E0022AD400024924D000BCB
70370+:109C400031AC00FFA54C0002A14B00018E49003051
70371+:109C50008F830038240BFFBFAC690008A06400307C
70372+:109C60008F9000382403FFDF9607003200E8282495
70373+:109C700000B51025A6020032921F003233F9003FD2
70374+:109C800037260040A20600328F8C0038AD800034A9
70375+:109C90008E2F00D0AD8F0038918E003C3C0F7FFF9F
70376+:109CA00031CD007FA18D003C8F84003835EEFFFF61
70377+:109CB000908A003C014B4824A089003C8F850038E5
70378+:109CC00090A8003C01033824A0A7003C8E42003439
70379+:109CD0008F9100383C038008AE2200408E59002C42
70380+:109CE0008E5F0030033F3023AE26004492300048A0
70381+:109CF0003218007FA23800488F8800388E4D00301F
70382+:109D00008D0C004801AE582401965024014B482583
70383+:109D1000AD0900489244000AA104004C964700088F
70384+:109D20008F850038A4A7004E8E5000308E4400303E
70385+:109D30000E0003818C65006092F9007C0002F940FE
70386+:109D4000004028210002110003E2302133360002D6
70387+:109D500012C00003020680210005B0800216802197
70388+:109D6000926D007C31B30004126000020005708027
70389+:109D7000020E80218E4B00308F8800382405800031
70390+:109D8000316A0003000A4823312400030204182129
70391+:109D9000AD03003496E4007A96F0007A96F1007AEA
70392+:109DA00032027FFF2447000130FF7FFF0225C824D5
70393+:109DB000033F3025A6E6007A96F8007A3C120800A8
70394+:109DC0008E520060330F7FFF11F200180000000078
70395+:109DD0008F8400A00E000FCE02A028218F8400A047
70396+:109DE0000E000FDE028028210E001013000000007C
70397+:109DF0000A00111F0000000096F1007A022480245E
70398+:109E0000A6F0007A92EF007A92EB007A31EE00FF32
70399+:109E1000000E69C2000D6027000C51C03169007F3F
70400+:109E2000012A20250A001119A2E4007A96E6007A98
70401+:109E300000C5C024A6F8007A92EF007A92F3007A67
70402+:109E400031F200FF001271C2000E6827000DB1C090
70403+:109E5000326C007F01962825A2E5007A0A0011D015
70404+:109E60008F8400A03C0380003084FFFF30A5FFFFFB
70405+:109E7000AC640018AC65001C03E000088C620014A0
70406+:109E800027BDFFA03C068008AFBF005CAFBE0058F6
70407+:109E9000AFB70054AFB60050AFB5004CAFB40048F8
70408+:109EA000AFB30044AFB20040AFB1003CAFB0003838
70409+:109EB00034C80100910500D590C700083084FFFF29
70410+:109EC00030A500FF30E2007F0045182AAFA4001043
70411+:109ED000A7A00018A7A0002610600055AFA000148E
70412+:109EE00090CA00083149007F00A9302324D3FFFF26
70413+:109EF0000013802B8FB400100014902B02128824C2
70414+:109F0000522000888FB300143C03800894790052DB
70415+:109F1000947E00508FB60010033EC0230018BC0092
70416+:109F2000001714030016FC0002C2A82A16A00002A3
70417+:109F3000001F2C030040282100133C0000072403CD
70418+:109F400000A4102A5440000100A020212885000907
70419+:109F500014A000020080A021241400083C0C8008FA
70420+:109F60008D860048001459808D88004C3C03800089
70421+:109F70003169FFFF3C0A0010012A202534710400DA
70422+:109F8000AC660038AF9100A4AC68003CAC64003013
70423+:109F900000000000000000000000000000000000C1
70424+:109FA00000000000000000000000000000000000B1
70425+:109FB0008C6E000031CD002011A0FFFD0014782A26
70426+:109FC00001F01024104000390000A8213C16800840
70427+:109FD00092D700083C1280008E44010032F6007FC8
70428+:109FE0000E000F9902C028218E3900108E44010006
70429+:109FF0000000902133373FFF0E000FB102E028210F
70430+:10A00000923800003302003F2C500008520000102C
70431+:10A0100000008821000210803C030800246358E4FB
70432+:10A020000043F8218FFE000003C00008000000007C
70433+:10A0300090CF0008938C00AB31EE007F00AE682318
70434+:10A04000018D58210A0012172573FFFF0000882197
70435+:10A050003C1E80008FC401000E000FCE02E02821BC
70436+:10A060008FC401000E000FDE02C028211220000F55
70437+:10A070000013802B8F8B00A426A400010004AC00E9
70438+:10A08000027298230015AC032578004002B4B02A70
70439+:10A090000013802B241700010300882102D0102414
70440+:10A0A000AF9800A41440FFC9AFB700143C07800864
70441+:10A0B00094E200508FAE00103C05800002A288217F
70442+:10A0C0003C060020A4F10050ACA6003094F40050EF
70443+:10A0D00094EF005201D51823306CFFFF11F4001EDD
70444+:10A0E000AFAC00108CEF004C001561808CF500487F
70445+:10A0F00001EC28210000202100AC582B02A4C02133
70446+:10A10000030BB021ACE5004CACF600488FB4001056
70447+:10A110000014902B021288241620FF7C3C03800838
70448+:10A120008FB300148FBF005C8FBE00583A620001ED
70449+:10A130008FB700548FB600508FB5004C8FB40048D5
70450+:10A140008FB300448FB200408FB1003C8FB0003815
70451+:10A1500003E0000827BD006094FE00548CF2004428
70452+:10A1600033C9FFFE0009C8C00259F821ACBF003C4A
70453+:10A170008CE800448CAD003C010D50231940003B9D
70454+:10A18000000000008CF7004026E20001ACA200387D
70455+:10A190003C05005034A700103C038000AC67003041
70456+:10A1A00000000000000000000000000000000000AF
70457+:10A1B000000000000000000000000000000000009F
70458+:10A1C0008C7800003316002012C0FFFD3C1180087F
70459+:10A1D000962200543C1580003C068008304E000159
70460+:10A1E000000E18C0007578218DEC04003C070800B3
70461+:10A1F0008CE700443C040020ACCC00488DF40404FF
70462+:10A20000240B0001ACD4004C10EB0260AEA4003073
70463+:10A21000963900523C0508008CA5004000B99021F9
70464+:10A22000A6320052963F005427ED0001A62D00549F
70465+:10A230009626005430C4FFFF5487FF2F8FB40010C0
70466+:10A2400030A5FFFF0E0011F4A62000543C070800C3
70467+:10A250008CE70024963E00520047B82303D74823DA
70468+:10A26000A62900520A0012198FB400108CE2004097
70469+:10A270000A0012BE00000000922400012407000121
70470+:10A280003085007F14A7001C97AD00268E2B00148C
70471+:10A29000240CC000316A3FFF01AC48243C06080092
70472+:10A2A0008CC60060012A402531043FFF0086882BC0
70473+:10A2B00012200011A7A800263C0508008CA5005814
70474+:10A2C0008F9100A0000439802402FF8000B1182182
70475+:10A2D0000067F82103E2F02433F8007F3C1280008D
70476+:10A2E0003C19800EAE5E002C0319702191D0000D38
70477+:10A2F000360F0004A1CF000D0E001028241200011B
70478+:10A30000241100013C1E80008FC401000E000FCEFE
70479+:10A3100002E028218FC401000E000FDE02C02821B8
70480+:10A320001620FF558F8B00A40A0012860013802B85
70481+:10A330008F8600A490C80001310400201080019194
70482+:10A34000241000013C048008348B0080916A007C5A
70483+:10A350008F9E0034AFA0002C314900011120000F66
70484+:10A36000AFB000288CCD00148C8E006001AE602B45
70485+:10A370001580000201A038218C8700603C188008FD
70486+:10A38000370300808C70007000F0782B15E000021D
70487+:10A3900000E020218C640070AFA4002C3C028008F7
70488+:10A3A000344500808CD200148CBF0070025FC82B33
70489+:10A3B00017200002024020218CA400708FA7002CDF
70490+:10A3C0000087182310600003AFA3003024050002AB
70491+:10A3D000AFA500288FA400280264882B162000BA9D
70492+:10A3E000000018218CD000388FCE000C3C0F00806C
70493+:10A3F000AFD000008CCD00343C0CFF9F01CF58251E
70494+:10A40000AFCD000490CA003F3586FFFF01662024CF
70495+:10A410003C0900203C08FFEFA3CA000B0089382547
70496+:10A420003511FFFF00F118243C0500088F8700A4B8
70497+:10A430000065C825AFD9000C8CE20014AFC000182D
70498+:10A440008FA60030AFC200148CF800188FB0002C1B
70499+:10A450003C1FFFFBAFD8001C8CEF000837F2FFFF5A
70500+:10A4600003326824AFCF00248CEC000C020670216C
70501+:10A47000AFCD000CA7C00038A7C0003AAFCE002C6B
70502+:10A48000AFCC0020AFC000288CEA00148FAB002CAA
70503+:10A49000014B48230126402311000011AFC80010D2
70504+:10A4A00090EB003D8FC900048FC80000000B5100E5
70505+:10A4B000012A28210000102100AA882B010218215E
70506+:10A4C0000071F821AFC50004AFDF000090F2003D3D
70507+:10A4D000A3D2000A8F9900A497380006A7D80008D5
70508+:10A4E0008F910038240800023C038008A228000055
70509+:10A4F0003465008094BF005C8FA4002C33F0FFFF14
70510+:10A500000E000FF48F9200380002CB808F8500A4DC
70511+:10A51000021978253C18420001F87025AE4E00045F
70512+:10A520008F8400388CAD0038AC8D00188CAC0034B2
70513+:10A53000AC8C001CAC80000CAC800010A48000141B
70514+:10A54000A4800016A4800020A4800022AC800024F7
70515+:10A5500090A6003F8FA7002CA486000250E0019235
70516+:10A56000240700018FA200305040000290A2003D5D
70517+:10A5700090A2003E244A0001A08A00018F84003886
70518+:10A580008FA9002CAC8900083C128008364D008051
70519+:10A5900091AC007C3186000214C000022407003414
70520+:10A5A000240700308F8500A43C198008373F0080C5
70521+:10A5B00090B0000093F9007C240E0004A0900030BD
70522+:10A5C0008F8F00A48FB8002C8F8D003891F200017E
70523+:10A5D0003304000301C46023A1B200318F8E003820
70524+:10A5E0008F8600A42402C00095CA003294C90012CC
70525+:10A5F0008FAB002C0142402431233FFF010388250B
70526+:10A60000A5D1003291D000323185000300EBF82152
70527+:10A610003218003F370F0040A1CF00328FA4002C2A
70528+:10A6200003E5382133280004108000028F850038AC
70529+:10A6300000E838213C0A8008ACA700343549010005
70530+:10A640008D2800D08FA3002C2419FFBFACA80038A0
70531+:10A6500090B1003C2C640001240FFFDF3227007F03
70532+:10A66000A0A7003C8F98003800049140931F003C45
70533+:10A6700003F98024A310003C8F8C0038918E003C9D
70534+:10A6800001CF682401B23025A186003C8F8900A447
70535+:10A690008F8800388D2B0020AD0B00408D220024C8
70536+:10A6A000AD0200448D2A0028AD0A00488D23002CFD
70537+:10A6B0000E001013AD03004C8FB1002824070002D8
70538+:10A6C000122700118FA300280003282B00058023E8
70539+:10A6D0000270982400608021006090210A00126FAF
70540+:10A6E0000010882B962900128F8400A00000902172
70541+:10A6F0003125FFFFA7A900180E000FC22411000189
70542+:10A700000A00131D3C1E80003C0B80003C12800898
70543+:10A710008D640100924900088F92FF340E000F995A
70544+:10A720003125007F8F9900388FA700288FA4003033
70545+:10A73000A3270000965F005C33F0FFFF0E000FF4CC
70546+:10A740008F91003800026B80020D80253C0842008A
70547+:10A750008F8D00A402085025AE2A00048DA5003874
70548+:10A760008F8A003800007821000F1100AD450018D5
70549+:10A770008DB800343C047FFF3488FFFFAD58001CC7
70550+:10A7800091A6003E8D4C001C8D4900180006190052
70551+:10A79000000677020183C821004E58250323882B29
70552+:10A7A000012B382100F1F821AD59001CAD5F0018D4
70553+:10A7B000AD40000CAD40001091B0003E8FA40030C1
70554+:10A7C00024090005A550001495A500042419C00013
70555+:10A7D00000884024A545001691B8003EA5580020E9
70556+:10A7E00095AF0004A54F0022AD40002491AE003F7C
70557+:10A7F000A54E000291A6003E91AC003D01861023BB
70558+:10A80000244B0001A14B00018F9100388FA3003031
70559+:10A810003C028008344B0100AE230008A22900301E
70560+:10A820008F8C00388F8700A4959F003294F000121F
70561+:10A830002407FFBF033FC02432053FFF03057825EF
70562+:10A84000A58F0032918E00322418FFDF31CD003FFA
70563+:10A8500035A60040A18600328F910038240DFFFFFD
70564+:10A86000240CFF80AE2000348D6A00D0AE2A003860
70565+:10A870009223003C3069007FA229003C8F90003871
70566+:10A880003C0380009219003C0327F824A21F003CDF
70567+:10A890008F8E003891C5003C00B87824A1CF003CD1
70568+:10A8A0008F8A00383C0E8008AD4D00408FA6002CEA
70569+:10A8B000AD46004491420048004C5825A14B004849
70570+:10A8C0008F9000388F9900A48E09004801238824B6
70571+:10A8D00002283825AE070048933F003EA21F004CD7
70572+:10A8E0008F9800A48F8F003897050004A5E5004ECF
70573+:10A8F0000E0003818DC500609246007C8FAC003055
70574+:10A9000000026940000291000040282130CB000283
70575+:10A9100001B21021156000AA018230213C0E80088E
70576+:10A9200035C20080904C007C31830004106000032D
70577+:10A930008FB900300005788000CF3021241F00043B
70578+:10A940008F910038332D000303ED8023320800037C
70579+:10A9500000C85021AE2A00343C188000A7C500383A
70580+:10A960003C0680088F04010090DE00080E000FDE18
70581+:10A9700033C5007F0E001013000000000A00140D04
70582+:10A980008FA300288F9800348CC90038241F00033F
70583+:10A99000A7000008AF0900008CC50034A300000A1E
70584+:10A9A0008F9900A4AF0500043C080080932D003F60
70585+:10A9B000A31F000C8F0A000C3C02FF9FA30D000B8D
70586+:10A9C0000148F0253451FFFF3C12FFEF8F9900A49E
70587+:10A9D00003D170243646FFFF01C61824AF03000CD4
70588+:10A9E0008F2C0014972900128F8400A0AF0C001048
70589+:10A9F0008F2F0014AF000018AF000020AF0F00141D
70590+:10AA0000AF0000248F270018312F3FFF000F59801F
70591+:10AA1000AF0700288F2500080164F821312D0001BF
70592+:10AA2000AF0500308F31000C8F920038001F51C2EB
70593+:10AA3000000D438001481021241E00023C068008BE
70594+:10AA4000A702001CA7000034AF11002CA25E00007A
70595+:10AA500034D20080964E005C8F9900383C0342004F
70596+:10AA600031CCFFFF01833825AF2700048F8B00A472
70597+:10AA7000240500012402C0008D640038240700343E
70598+:10AA8000AF2400188D690034AF29001CAF20000CE2
70599+:10AA9000AF200010A7200014A7200016A720002038
70600+:10AAA000A7200022AF200024A7300002A325000128
70601+:10AAB0008F8800388F9F00A4AD10000893ED000030
70602+:10AAC000A10D00308F8A00A48F98003891510001A9
70603+:10AAD000A31100318F8B0038957E003203C27024A1
70604+:10AAE00001CF6025A56C0032916300323064003FD5
70605+:10AAF000A16400329249007C3125000214A00002BA
70606+:10AB00008F840038240700303C198008AC8700345B
70607+:10AB1000373201008E5F00D0240AFFBF020090216F
70608+:10AB2000AC9F0038908D003C31A8007FA088003C8D
70609+:10AB30008F9E003893C2003C004A8824A3D1003C79
70610+:10AB40008F8300380010882B9066003C34CE0020A4
70611+:10AB5000A06E003C8F8400A48F9800388C8C00205D
70612+:10AB6000AF0C00408C8F0024AF0F00448C8700286E
70613+:10AB7000AF0700488C8B002CAF0B004C0E0010135D
70614+:10AB80003C1E80000A0012700000000094C80052B1
70615+:10AB90003C0A08008D4A002401488821A4D10052B3
70616+:10ABA0000A0012198FB40010A08700018F840038AA
70617+:10ABB000240B0001AC8B00080A0013BE3C12800875
70618+:10ABC000000520800A0014A200C4302127BDFFE048
70619+:10ABD0003C0D8008AFB20018AFB00010AFBF001C32
70620+:10ABE000AFB1001435B200808E4C001835A80100BA
70621+:10ABF000964B000695A70050910900FC000C5602E8
70622+:10AC0000016728233143007F312600FF240200031F
70623+:10AC1000AF8300A8AF8400A010C2001B30B0FFFFBC
70624+:10AC2000910600FC2412000530C200FF10520033D0
70625+:10AC300000000000160000098FBF001C8FB2001832
70626+:10AC40008FB100148FB00010240D0C003C0C80005C
70627+:10AC500027BD002003E00008AD8D00240E0011FB8D
70628+:10AC6000020020218FBF001C8FB200188FB100148A
70629+:10AC70008FB00010240D0C003C0C800027BD00207C
70630+:10AC800003E00008AD8D0024965800789651007AB4
70631+:10AC9000924E007D0238782631E8FFFF31C400C0B3
70632+:10ACA000148000092D11000116000037000000007B
70633+:10ACB0005620FFE28FBF001C0E0010D100000000E4
70634+:10ACC0000A00156A8FBF001C1620FFDA0000000082
70635+:10ACD0000E0010D1000000001440FFD88FBF001CF0
70636+:10ACE0001600002200000000925F007D33E2003F6A
70637+:10ACF000A242007D0A00156A8FBF001C950900EA78
70638+:10AD00008F86008000802821240400050E0007257E
70639+:10AD10003130FFFF978300923C0480002465FFFFE1
70640+:10AD2000A78500928C8A01B80540FFFE0000000054
70641+:10AD3000AC8001808FBF001CAC9001848FB20018E2
70642+:10AD40008FB100148FB000103C0760133C0B100053
70643+:10AD5000240D0C003C0C800027BD0020AC8701882E
70644+:10AD6000AC8B01B803E00008AD8D00240E0011FB90
70645+:10AD7000020020215040FFB18FBF001C925F007D78
70646+:10AD80000A00159733E2003F0E0011FB020020215C
70647+:10AD90001440FFAA8FBF001C122000070000000013
70648+:10ADA0009259007D3330003F36020040A242007DC0
70649+:10ADB0000A00156A8FBF001C0E0010D100000000B1
70650+:10ADC0005040FF9E8FBF001C9259007D3330003FE2
70651+:10ADD0000A0015C636020040000000000000001BFB
70652+:10ADE0000000000F0000000A00000008000000063C
70653+:10ADF0000000000500000005000000040000000441
70654+:10AE00000000000300000003000000030000000336
70655+:10AE10000000000300000002000000020000000229
70656+:10AE2000000000020000000200000002000000021A
70657+:10AE3000000000020000000200000002000000020A
70658+:10AE400000000002000000020000000200000002FA
70659+:10AE50000000000100000001000000018008010066
70660+:10AE6000800800808008000000000C000000308096
70661+:10AE7000080011D00800127C08001294080012A8E3
70662+:10AE8000080012BC080011D0080011D0080012F010
70663+:10AE90000800132C080013400800138808001A8CBF
70664+:10AEA00008001A8C08001AC408001AC408001AD82E
70665+:10AEB00008001AA808001D0008001CCC08001D5836
70666+:10AEC00008001D5808001DE008001D108008024001
70667+:10AED000080027340800256C0800275C080027F4C8
70668+:10AEE0000800293C0800298808002AAC080029B479
70669+:10AEF00008002A38080025DC08002EDC08002EA4F3
70670+:10AF000008002588080025880800258808002B20CF
70671+:10AF100008002B20080025880800258808002DD06F
70672+:10AF2000080025880800258808002588080025884D
70673+:10AF300008002E0C080025880800258808002588B0
70674+:10AF4000080025880800258808002588080025882D
70675+:10AF5000080025880800258808002588080025881D
70676+:10AF6000080025880800258808002588080029A8E9
70677+:10AF7000080025880800258808002E680800258814
70678+:10AF800008002588080025880800258808002588ED
70679+:10AF900008002588080025880800258808002588DD
70680+:10AFA00008002588080025880800258808002588CD
70681+:10AFB00008002588080025880800258808002588BD
70682+:10AFC00008002CF4080025880800258808002C6853
70683+:10AFD00008002BC408003CE408003CB808003C848E
70684+:10AFE00008003C5808003C3808003BEC8008010091
70685+:10AFF00080080080800800008008008008004C6401
70686+:10B0000008004C9C08004BE408004C6408004C64A9
70687+:10B01000080049B808004C64080050500A000C842D
70688+:10B0200000000000000000000000000D7278703683
70689+:10B030002E322E31620000000602010300000000E3
70690+:10B0400000000001000000000000000000000000FF
70691+:10B0500000000000000000000000000000000000F0
70692+:10B0600000000000000000000000000000000000E0
70693+:10B0700000000000000000000000000000000000D0
70694+:10B0800000000000000000000000000000000000C0
70695+:10B0900000000000000000000000000000000000B0
70696+:10B0A00000000000000000000000000000000000A0
70697+:10B0B0000000000000000000000000000000000090
70698+:10B0C0000000000000000000000000000000000080
70699+:10B0D0000000000000000000000000000000000070
70700+:10B0E0000000000000000000000000000000000060
70701+:10B0F0000000000000000000000000000000000050
70702+:10B10000000000000000000000000000000000003F
70703+:10B11000000000000000000000000000000000002F
70704+:10B12000000000000000000000000000000000001F
70705+:10B13000000000000000000000000000000000000F
70706+:10B1400000000000000000000000000000000000FF
70707+:10B1500000000000000000000000000000000000EF
70708+:10B1600000000000000000000000000000000000DF
70709+:10B1700000000000000000000000000000000000CF
70710+:10B1800000000000000000000000000000000000BF
70711+:10B1900000000000000000000000000000000000AF
70712+:10B1A000000000000000000000000000000000009F
70713+:10B1B000000000000000000000000000000000008F
70714+:10B1C000000000000000000000000000000000007F
70715+:10B1D000000000000000000000000000000000006F
70716+:10B1E000000000000000000000000000000000005F
70717+:10B1F000000000000000000000000000000000004F
70718+:10B20000000000000000000000000000000000003E
70719+:10B21000000000000000000000000000000000002E
70720+:10B22000000000000000000000000000000000001E
70721+:10B23000000000000000000000000000000000000E
70722+:10B2400000000000000000000000000000000000FE
70723+:10B2500000000000000000000000000000000000EE
70724+:10B2600000000000000000000000000000000000DE
70725+:10B2700000000000000000000000000000000000CE
70726+:10B2800000000000000000000000000000000000BE
70727+:10B2900000000000000000000000000000000000AE
70728+:10B2A000000000000000000000000000000000009E
70729+:10B2B000000000000000000000000000000000008E
70730+:10B2C000000000000000000000000000000000007E
70731+:10B2D000000000000000000000000000000000006E
70732+:10B2E000000000000000000000000000000000005E
70733+:10B2F000000000000000000000000000000000004E
70734+:10B30000000000000000000000000000000000003D
70735+:10B31000000000000000000000000000000000002D
70736+:10B32000000000000000000000000000000000001D
70737+:10B33000000000000000000000000000000000000D
70738+:10B3400000000000000000000000000000000000FD
70739+:10B3500000000000000000000000000000000000ED
70740+:10B3600000000000000000000000000000000000DD
70741+:10B3700000000000000000000000000000000000CD
70742+:10B3800000000000000000000000000000000000BD
70743+:10B3900000000000000000000000000000000000AD
70744+:10B3A000000000000000000000000000000000009D
70745+:10B3B000000000000000000000000000000000008D
70746+:10B3C000000000000000000000000000000000007D
70747+:10B3D000000000000000000000000000000000006D
70748+:10B3E000000000000000000000000000000000005D
70749+:10B3F000000000000000000000000000000000004D
70750+:10B40000000000000000000000000000000000003C
70751+:10B41000000000000000000000000000000000002C
70752+:10B42000000000000000000000000000000000001C
70753+:10B43000000000000000000000000000000000000C
70754+:10B4400000000000000000000000000000000000FC
70755+:10B4500000000000000000000000000000000000EC
70756+:10B4600000000000000000000000000000000000DC
70757+:10B4700000000000000000000000000000000000CC
70758+:10B4800000000000000000000000000000000000BC
70759+:10B4900000000000000000000000000000000000AC
70760+:10B4A000000000000000000000000000000000009C
70761+:10B4B000000000000000000000000000000000008C
70762+:10B4C000000000000000000000000000000000007C
70763+:10B4D000000000000000000000000000000000006C
70764+:10B4E000000000000000000000000000000000005C
70765+:10B4F000000000000000000000000000000000004C
70766+:10B50000000000000000000000000000000000003B
70767+:10B51000000000000000000000000000000000002B
70768+:10B52000000000000000000000000000000000001B
70769+:10B53000000000000000000000000000000000000B
70770+:10B5400000000000000000000000000000000000FB
70771+:10B5500000000000000000000000000000000000EB
70772+:10B5600000000000000000000000000000000000DB
70773+:10B5700000000000000000000000000000000000CB
70774+:10B5800000000000000000000000000000000000BB
70775+:10B5900000000000000000000000000000000000AB
70776+:10B5A000000000000000000000000000000000009B
70777+:10B5B000000000000000000000000000000000008B
70778+:10B5C000000000000000000000000000000000007B
70779+:10B5D000000000000000000000000000000000006B
70780+:10B5E000000000000000000000000000000000005B
70781+:10B5F000000000000000000000000000000000004B
70782+:10B60000000000000000000000000000000000003A
70783+:10B61000000000000000000000000000000000002A
70784+:10B62000000000000000000000000000000000001A
70785+:10B63000000000000000000000000000000000000A
70786+:10B6400000000000000000000000000000000000FA
70787+:10B6500000000000000000000000000000000000EA
70788+:10B6600000000000000000000000000000000000DA
70789+:10B6700000000000000000000000000000000000CA
70790+:10B6800000000000000000000000000000000000BA
70791+:10B6900000000000000000000000000000000000AA
70792+:10B6A000000000000000000000000000000000009A
70793+:10B6B000000000000000000000000000000000008A
70794+:10B6C000000000000000000000000000000000007A
70795+:10B6D000000000000000000000000000000000006A
70796+:10B6E000000000000000000000000000000000005A
70797+:10B6F000000000000000000000000000000000004A
70798+:10B700000000000000000000000000000000000039
70799+:10B710000000000000000000000000000000000029
70800+:10B720000000000000000000000000000000000019
70801+:10B730000000000000000000000000000000000009
70802+:10B7400000000000000000000000000000000000F9
70803+:10B7500000000000000000000000000000000000E9
70804+:10B7600000000000000000000000000000000000D9
70805+:10B7700000000000000000000000000000000000C9
70806+:10B7800000000000000000000000000000000000B9
70807+:10B7900000000000000000000000000000000000A9
70808+:10B7A0000000000000000000000000000000000099
70809+:10B7B0000000000000000000000000000000000089
70810+:10B7C0000000000000000000000000000000000079
70811+:10B7D0000000000000000000000000000000000069
70812+:10B7E0000000000000000000000000000000000059
70813+:10B7F0000000000000000000000000000000000049
70814+:10B800000000000000000000000000000000000038
70815+:10B810000000000000000000000000000000000028
70816+:10B820000000000000000000000000000000000018
70817+:10B830000000000000000000000000000000000008
70818+:10B8400000000000000000000000000000000000F8
70819+:10B8500000000000000000000000000000000000E8
70820+:10B8600000000000000000000000000000000000D8
70821+:10B8700000000000000000000000000000000000C8
70822+:10B8800000000000000000000000000000000000B8
70823+:10B8900000000000000000000000000000000000A8
70824+:10B8A0000000000000000000000000000000000098
70825+:10B8B0000000000000000000000000000000000088
70826+:10B8C0000000000000000000000000000000000078
70827+:10B8D0000000000000000000000000000000000068
70828+:10B8E0000000000000000000000000000000000058
70829+:10B8F0000000000000000000000000000000000048
70830+:10B900000000000000000000000000000000000037
70831+:10B910000000000000000000000000000000000027
70832+:10B920000000000000000000000000000000000017
70833+:10B930000000000000000000000000000000000007
70834+:10B9400000000000000000000000000000000000F7
70835+:10B9500000000000000000000000000000000000E7
70836+:10B9600000000000000000000000000000000000D7
70837+:10B9700000000000000000000000000000000000C7
70838+:10B9800000000000000000000000000000000000B7
70839+:10B9900000000000000000000000000000000000A7
70840+:10B9A0000000000000000000000000000000000097
70841+:10B9B0000000000000000000000000000000000087
70842+:10B9C0000000000000000000000000000000000077
70843+:10B9D0000000000000000000000000000000000067
70844+:10B9E0000000000000000000000000000000000057
70845+:10B9F0000000000000000000000000000000000047
70846+:10BA00000000000000000000000000000000000036
70847+:10BA10000000000000000000000000000000000026
70848+:10BA20000000000000000000000000000000000016
70849+:10BA30000000000000000000000000000000000006
70850+:10BA400000000000000000000000000000000000F6
70851+:10BA500000000000000000000000000000000000E6
70852+:10BA600000000000000000000000000000000000D6
70853+:10BA700000000000000000000000000000000000C6
70854+:10BA800000000000000000000000000000000000B6
70855+:10BA900000000000000000000000000000000000A6
70856+:10BAA0000000000000000000000000000000000096
70857+:10BAB0000000000000000000000000000000000086
70858+:10BAC0000000000000000000000000000000000076
70859+:10BAD0000000000000000000000000000000000066
70860+:10BAE0000000000000000000000000000000000056
70861+:10BAF0000000000000000000000000000000000046
70862+:10BB00000000000000000000000000000000000035
70863+:10BB10000000000000000000000000000000000025
70864+:10BB20000000000000000000000000000000000015
70865+:10BB30000000000000000000000000000000000005
70866+:10BB400000000000000000000000000000000000F5
70867+:10BB500000000000000000000000000000000000E5
70868+:10BB600000000000000000000000000000000000D5
70869+:10BB700000000000000000000000000000000000C5
70870+:10BB800000000000000000000000000000000000B5
70871+:10BB900000000000000000000000000000000000A5
70872+:10BBA0000000000000000000000000000000000095
70873+:10BBB0000000000000000000000000000000000085
70874+:10BBC0000000000000000000000000000000000075
70875+:10BBD0000000000000000000000000000000000065
70876+:10BBE0000000000000000000000000000000000055
70877+:10BBF0000000000000000000000000000000000045
70878+:10BC00000000000000000000000000000000000034
70879+:10BC10000000000000000000000000000000000024
70880+:10BC20000000000000000000000000000000000014
70881+:10BC30000000000000000000000000000000000004
70882+:10BC400000000000000000000000000000000000F4
70883+:10BC500000000000000000000000000000000000E4
70884+:10BC600000000000000000000000000000000000D4
70885+:10BC700000000000000000000000000000000000C4
70886+:10BC800000000000000000000000000000000000B4
70887+:10BC900000000000000000000000000000000000A4
70888+:10BCA0000000000000000000000000000000000094
70889+:10BCB0000000000000000000000000000000000084
70890+:10BCC0000000000000000000000000000000000074
70891+:10BCD0000000000000000000000000000000000064
70892+:10BCE0000000000000000000000000000000000054
70893+:10BCF0000000000000000000000000000000000044
70894+:10BD00000000000000000000000000000000000033
70895+:10BD10000000000000000000000000000000000023
70896+:10BD20000000000000000000000000000000000013
70897+:10BD30000000000000000000000000000000000003
70898+:10BD400000000000000000000000000000000000F3
70899+:10BD500000000000000000000000000000000000E3
70900+:10BD600000000000000000000000000000000000D3
70901+:10BD700000000000000000000000000000000000C3
70902+:10BD800000000000000000000000000000000000B3
70903+:10BD900000000000000000000000000000000000A3
70904+:10BDA0000000000000000000000000000000000093
70905+:10BDB0000000000000000000000000000000000083
70906+:10BDC0000000000000000000000000000000000073
70907+:10BDD0000000000000000000000000000000000063
70908+:10BDE0000000000000000000000000000000000053
70909+:10BDF0000000000000000000000000000000000043
70910+:10BE00000000000000000000000000000000000032
70911+:10BE10000000000000000000000000000000000022
70912+:10BE20000000000000000000000000000000000012
70913+:10BE30000000000000000000000000000000000002
70914+:10BE400000000000000000000000000000000000F2
70915+:10BE500000000000000000000000000000000000E2
70916+:10BE600000000000000000000000000000000000D2
70917+:10BE700000000000000000000000000000000000C2
70918+:10BE800000000000000000000000000000000000B2
70919+:10BE900000000000000000000000000000000000A2
70920+:10BEA0000000000000000000000000000000000092
70921+:10BEB0000000000000000000000000000000000082
70922+:10BEC0000000000000000000000000000000000072
70923+:10BED0000000000000000000000000000000000062
70924+:10BEE0000000000000000000000000000000000052
70925+:10BEF0000000000000000000000000000000000042
70926+:10BF00000000000000000000000000000000000031
70927+:10BF10000000000000000000000000000000000021
70928+:10BF20000000000000000000000000000000000011
70929+:10BF30000000000000000000000000000000000001
70930+:10BF400000000000000000000000000000000000F1
70931+:10BF500000000000000000000000000000000000E1
70932+:10BF600000000000000000000000000000000000D1
70933+:10BF700000000000000000000000000000000000C1
70934+:10BF800000000000000000000000000000000000B1
70935+:10BF900000000000000000000000000000000000A1
70936+:10BFA0000000000000000000000000000000000091
70937+:10BFB0000000000000000000000000000000000081
70938+:10BFC0000000000000000000000000000000000071
70939+:10BFD0000000000000000000000000000000000061
70940+:10BFE0000000000000000000000000000000000051
70941+:10BFF0000000000000000000000000000000000041
70942+:10C000000000000000000000000000000000000030
70943+:10C010000000000000000000000000000000000020
70944+:10C020000000000000000000000000000000000010
70945+:10C030000000000000000000000000000000000000
70946+:10C0400000000000000000000000000000000000F0
70947+:10C0500000000000000000000000000000000000E0
70948+:10C0600000000000000000000000000000000000D0
70949+:10C0700000000000000000000000000000000000C0
70950+:10C0800000000000000000000000000000000000B0
70951+:10C0900000000000000000000000000000000000A0
70952+:10C0A0000000000000000000000000000000000090
70953+:10C0B0000000000000000000000000000000000080
70954+:10C0C0000000000000000000000000000000000070
70955+:10C0D0000000000000000000000000000000000060
70956+:10C0E0000000000000000000000000000000000050
70957+:10C0F0000000000000000000000000000000000040
70958+:10C10000000000000000000000000000000000002F
70959+:10C11000000000000000000000000000000000001F
70960+:10C12000000000000000000000000000000000000F
70961+:10C1300000000000000000000000000000000000FF
70962+:10C1400000000000000000000000000000000000EF
70963+:10C1500000000000000000000000000000000000DF
70964+:10C1600000000000000000000000000000000000CF
70965+:10C1700000000000000000000000000000000000BF
70966+:10C1800000000000000000000000000000000000AF
70967+:10C19000000000000000000000000000000000009F
70968+:10C1A000000000000000000000000000000000008F
70969+:10C1B000000000000000000000000000000000007F
70970+:10C1C000000000000000000000000000000000006F
70971+:10C1D000000000000000000000000000000000005F
70972+:10C1E000000000000000000000000000000000004F
70973+:10C1F000000000000000000000000000000000003F
70974+:10C20000000000000000000000000000000000002E
70975+:10C21000000000000000000000000000000000001E
70976+:10C22000000000000000000000000000000000000E
70977+:10C2300000000000000000000000000000000000FE
70978+:10C2400000000000000000000000000000000000EE
70979+:10C2500000000000000000000000000000000000DE
70980+:10C2600000000000000000000000000000000000CE
70981+:10C2700000000000000000000000000000000000BE
70982+:10C2800000000000000000000000000000000000AE
70983+:10C29000000000000000000000000000000000009E
70984+:10C2A000000000000000000000000000000000008E
70985+:10C2B000000000000000000000000000000000007E
70986+:10C2C000000000000000000000000000000000006E
70987+:10C2D000000000000000000000000000000000005E
70988+:10C2E000000000000000000000000000000000004E
70989+:10C2F000000000000000000000000000000000003E
70990+:10C30000000000000000000000000000000000002D
70991+:10C31000000000000000000000000000000000001D
70992+:10C32000000000000000000000000000000000000D
70993+:10C3300000000000000000000000000000000000FD
70994+:10C3400000000000000000000000000000000000ED
70995+:10C3500000000000000000000000000000000000DD
70996+:10C3600000000000000000000000000000000000CD
70997+:10C3700000000000000000000000000000000000BD
70998+:10C3800000000000000000000000000000000000AD
70999+:10C39000000000000000000000000000000000009D
71000+:10C3A000000000000000000000000000000000008D
71001+:10C3B000000000000000000000000000000000007D
71002+:10C3C000000000000000000000000000000000006D
71003+:10C3D000000000000000000000000000000000005D
71004+:10C3E000000000000000000000000000000000004D
71005+:10C3F000000000000000000000000000000000003D
71006+:10C40000000000000000000000000000000000002C
71007+:10C41000000000000000000000000000000000001C
71008+:10C42000000000000000000000000000000000000C
71009+:10C4300000000000000000000000000000000000FC
71010+:10C4400000000000000000000000000000000000EC
71011+:10C4500000000000000000000000000000000000DC
71012+:10C4600000000000000000000000000000000000CC
71013+:10C4700000000000000000000000000000000000BC
71014+:10C4800000000000000000000000000000000000AC
71015+:10C49000000000000000000000000000000000009C
71016+:10C4A000000000000000000000000000000000008C
71017+:10C4B000000000000000000000000000000000007C
71018+:10C4C000000000000000000000000000000000006C
71019+:10C4D000000000000000000000000000000000005C
71020+:10C4E000000000000000000000000000000000004C
71021+:10C4F000000000000000000000000000000000003C
71022+:10C50000000000000000000000000000000000002B
71023+:10C51000000000000000000000000000000000001B
71024+:10C52000000000000000000000000000000000000B
71025+:10C5300000000000000000000000000000000000FB
71026+:10C5400000000000000000000000000000000000EB
71027+:10C5500000000000000000000000000000000000DB
71028+:10C5600000000000000000000000000000000000CB
71029+:10C5700000000000000000000000000000000000BB
71030+:10C5800000000000000000000000000000000000AB
71031+:10C59000000000000000000000000000000000009B
71032+:10C5A000000000000000000000000000000000008B
71033+:10C5B000000000000000000000000000000000007B
71034+:10C5C000000000000000000000000000000000006B
71035+:10C5D000000000000000000000000000000000005B
71036+:10C5E000000000000000000000000000000000004B
71037+:10C5F000000000000000000000000000000000003B
71038+:10C60000000000000000000000000000000000002A
71039+:10C61000000000000000000000000000000000001A
71040+:10C62000000000000000000000000000000000000A
71041+:10C6300000000000000000000000000000000000FA
71042+:10C6400000000000000000000000000000000000EA
71043+:10C6500000000000000000000000000000000000DA
71044+:10C6600000000000000000000000000000000000CA
71045+:10C6700000000000000000000000000000000000BA
71046+:10C6800000000000000000000000000000000000AA
71047+:10C69000000000000000000000000000000000009A
71048+:10C6A000000000000000000000000000000000008A
71049+:10C6B000000000000000000000000000000000007A
71050+:10C6C000000000000000000000000000000000006A
71051+:10C6D000000000000000000000000000000000005A
71052+:10C6E000000000000000000000000000000000004A
71053+:10C6F000000000000000000000000000000000003A
71054+:10C700000000000000000000000000000000000029
71055+:10C710000000000000000000000000000000000019
71056+:10C720000000000000000000000000000000000009
71057+:10C7300000000000000000000000000000000000F9
71058+:10C7400000000000000000000000000000000000E9
71059+:10C7500000000000000000000000000000000000D9
71060+:10C7600000000000000000000000000000000000C9
71061+:10C7700000000000000000000000000000000000B9
71062+:10C7800000000000000000000000000000000000A9
71063+:10C790000000000000000000000000000000000099
71064+:10C7A0000000000000000000000000000000000089
71065+:10C7B0000000000000000000000000000000000079
71066+:10C7C0000000000000000000000000000000000069
71067+:10C7D0000000000000000000000000000000000059
71068+:10C7E0000000000000000000000000000000000049
71069+:10C7F0000000000000000000000000000000000039
71070+:10C800000000000000000000000000000000000028
71071+:10C810000000000000000000000000000000000018
71072+:10C820000000000000000000000000000000000008
71073+:10C8300000000000000000000000000000000000F8
71074+:10C8400000000000000000000000000000000000E8
71075+:10C8500000000000000000000000000000000000D8
71076+:10C8600000000000000000000000000000000000C8
71077+:10C8700000000000000000000000000000000000B8
71078+:10C8800000000000000000000000000000000000A8
71079+:10C890000000000000000000000000000000000098
71080+:10C8A0000000000000000000000000000000000088
71081+:10C8B0000000000000000000000000000000000078
71082+:10C8C0000000000000000000000000000000000068
71083+:10C8D0000000000000000000000000000000000058
71084+:10C8E0000000000000000000000000000000000048
71085+:10C8F0000000000000000000000000000000000038
71086+:10C900000000000000000000000000000000000027
71087+:10C910000000000000000000000000000000000017
71088+:10C920000000000000000000000000000000000007
71089+:10C9300000000000000000000000000000000000F7
71090+:10C9400000000000000000000000000000000000E7
71091+:10C9500000000000000000000000000000000000D7
71092+:10C9600000000000000000000000000000000000C7
71093+:10C9700000000000000000000000000000000000B7
71094+:10C9800000000000000000000000000000000000A7
71095+:10C990000000000000000000000000000000000097
71096+:10C9A0000000000000000000000000000000000087
71097+:10C9B0000000000000000000000000000000000077
71098+:10C9C0000000000000000000000000000000000067
71099+:10C9D0000000000000000000000000000000000057
71100+:10C9E0000000000000000000000000000000000047
71101+:10C9F0000000000000000000000000000000000037
71102+:10CA00000000000000000000000000000000000026
71103+:10CA10000000000000000000000000000000000016
71104+:10CA20000000000000000000000000000000000006
71105+:10CA300000000000000000000000000000000000F6
71106+:10CA400000000000000000000000000000000000E6
71107+:10CA500000000000000000000000000000000000D6
71108+:10CA600000000000000000000000000000000000C6
71109+:10CA700000000000000000000000000000000000B6
71110+:10CA800000000000000000000000000000000000A6
71111+:10CA90000000000000000000000000000000000096
71112+:10CAA0000000000000000000000000000000000086
71113+:10CAB0000000000000000000000000000000000076
71114+:10CAC0000000000000000000000000000000000066
71115+:10CAD0000000000000000000000000000000000056
71116+:10CAE0000000000000000000000000000000000046
71117+:10CAF0000000000000000000000000000000000036
71118+:10CB00000000000000000000000000000000000025
71119+:10CB10000000000000000000000000000000000015
71120+:10CB20000000000000000000000000000000000005
71121+:10CB300000000000000000000000000000000000F5
71122+:10CB400000000000000000000000000000000000E5
71123+:10CB500000000000000000000000000000000000D5
71124+:10CB600000000000000000000000000000000000C5
71125+:10CB700000000000000000000000000000000000B5
71126+:10CB800000000000000000000000000000000000A5
71127+:10CB90000000000000000000000000000000000095
71128+:10CBA0000000000000000000000000000000000085
71129+:10CBB0000000000000000000000000000000000075
71130+:10CBC0000000000000000000000000000000000065
71131+:10CBD0000000000000000000000000000000000055
71132+:10CBE0000000000000000000000000000000000045
71133+:10CBF0000000000000000000000000000000000035
71134+:10CC00000000000000000000000000000000000024
71135+:10CC10000000000000000000000000000000000014
71136+:10CC20000000000000000000000000000000000004
71137+:10CC300000000000000000000000000000000000F4
71138+:10CC400000000000000000000000000000000000E4
71139+:10CC500000000000000000000000000000000000D4
71140+:10CC600000000000000000000000000000000000C4
71141+:10CC700000000000000000000000000000000000B4
71142+:10CC800000000000000000000000000000000000A4
71143+:10CC90000000000000000000000000000000000094
71144+:10CCA0000000000000000000000000000000000084
71145+:10CCB0000000000000000000000000000000000074
71146+:10CCC0000000000000000000000000000000000064
71147+:10CCD0000000000000000000000000000000000054
71148+:10CCE0000000000000000000000000000000000044
71149+:10CCF0000000000000000000000000000000000034
71150+:10CD00000000000000000000000000000000000023
71151+:10CD10000000000000000000000000000000000013
71152+:10CD20000000000000000000000000000000000003
71153+:10CD300000000000000000000000000000000000F3
71154+:10CD400000000000000000000000000000000000E3
71155+:10CD500000000000000000000000000000000000D3
71156+:10CD600000000000000000000000000000000000C3
71157+:10CD700000000000000000000000000000000000B3
71158+:10CD800000000000000000000000000000000000A3
71159+:10CD90000000000000000000000000000000000093
71160+:10CDA0000000000000000000000000000000000083
71161+:10CDB0000000000000000000000000000000000073
71162+:10CDC0000000000000000000000000000000000063
71163+:10CDD0000000000000000000000000000000000053
71164+:10CDE0000000000000000000000000000000000043
71165+:10CDF0000000000000000000000000000000000033
71166+:10CE00000000000000000000000000000000000022
71167+:10CE10000000000000000000000000000000000012
71168+:10CE20000000000000000000000000000000000002
71169+:10CE300000000000000000000000000000000000F2
71170+:10CE400000000000000000000000000000000000E2
71171+:10CE500000000000000000000000000000000000D2
71172+:10CE600000000000000000000000000000000000C2
71173+:10CE700000000000000000000000000000000000B2
71174+:10CE800000000000000000000000000000000000A2
71175+:10CE90000000000000000000000000000000000092
71176+:10CEA0000000000000000000000000000000000082
71177+:10CEB0000000000000000000000000000000000072
71178+:10CEC0000000000000000000000000000000000062
71179+:10CED0000000000000000000000000000000000052
71180+:10CEE0000000000000000000000000000000000042
71181+:10CEF0000000000000000000000000000000000032
71182+:10CF00000000000000000000000000000000000021
71183+:10CF10000000000000000000000000000000000011
71184+:10CF20000000000000000000000000000000000001
71185+:10CF300000000000000000000000000000000000F1
71186+:10CF400000000000000000000000000000000000E1
71187+:10CF500000000000000000000000000000000000D1
71188+:10CF600000000000000000000000000000000000C1
71189+:10CF700000000000000000000000000000000000B1
71190+:10CF800000000000000000000000000000000000A1
71191+:10CF90000000000000000000000000000000000091
71192+:10CFA0000000000000000000000000000000000081
71193+:10CFB0000000000000000000000000000000000071
71194+:10CFC0000000000000000000000000000000000061
71195+:10CFD0000000000000000000000000000000000051
71196+:10CFE0000000000000000000000000000000000041
71197+:10CFF0000000000000000000000000000000000031
71198+:10D000000000000000000000000000000000000020
71199+:10D010000000000000000000000000000000000010
71200+:10D020000000000000000000000000000000000000
71201+:10D0300000000000000000000000000000000000F0
71202+:10D0400000000000000000000000000000000000E0
71203+:10D0500000000000000000000000000000000000D0
71204+:10D0600000000000000000000000000000000000C0
71205+:10D0700000000000000000000000000000000000B0
71206+:10D0800000000000000000000000000000000000A0
71207+:10D090000000000000000000000000000000000090
71208+:10D0A0000000000000000000000000000000000080
71209+:10D0B0000000000000000000000000000000000070
71210+:10D0C0000000000000000000000000000000000060
71211+:10D0D0000000000000000000000000000000000050
71212+:10D0E0000000000000000000000000000000000040
71213+:10D0F0000000000000000000000000000000000030
71214+:10D10000000000000000000000000000000000001F
71215+:10D11000000000000000000000000000000000000F
71216+:10D1200000000000000000000000000000000000FF
71217+:10D1300000000000000000000000000000000000EF
71218+:10D1400000000000000000000000000000000000DF
71219+:10D1500000000000000000000000000000000000CF
71220+:10D1600000000000000000000000000000000000BF
71221+:10D1700000000000000000000000000000000000AF
71222+:10D18000000000000000000000000000000000009F
71223+:10D19000000000000000000000000000000000008F
71224+:10D1A000000000000000000000000000000000007F
71225+:10D1B000000000000000000000000000000000006F
71226+:10D1C000000000000000000000000000000000005F
71227+:10D1D000000000000000000000000000000000004F
71228+:10D1E000000000000000000000000000000000003F
71229+:10D1F000000000000000000000000000000000002F
71230+:10D20000000000000000000000000000000000001E
71231+:10D21000000000000000000000000000000000000E
71232+:10D2200000000000000000000000000000000000FE
71233+:10D2300000000000000000000000000000000000EE
71234+:10D2400000000000000000000000000000000000DE
71235+:10D2500000000000000000000000000000000000CE
71236+:10D2600000000000000000000000000000000000BE
71237+:10D2700000000000000000000000000000000000AE
71238+:10D28000000000000000000000000000000000009E
71239+:10D29000000000000000000000000000000000008E
71240+:10D2A000000000000000000000000000000000007E
71241+:10D2B000000000000000000000000000000000006E
71242+:10D2C000000000000000000000000000000000005E
71243+:10D2D000000000000000000000000000000000004E
71244+:10D2E000000000000000000000000000000000003E
71245+:10D2F000000000000000000000000000000000002E
71246+:10D30000000000000000000000000000000000001D
71247+:10D31000000000000000000000000000000000000D
71248+:10D3200000000000000000000000000000000000FD
71249+:10D3300000000000000000000000000000000000ED
71250+:10D3400000000000000000000000000000000000DD
71251+:10D3500000000000000000000000000000000000CD
71252+:10D3600000000000000000000000000000000000BD
71253+:10D3700000000000000000000000000000000000AD
71254+:10D38000000000000000000000000000000000009D
71255+:10D39000000000000000000000000000000000008D
71256+:10D3A000000000000000000000000000000000007D
71257+:10D3B000000000000000000000000000000000006D
71258+:10D3C000000000000000000000000000000000005D
71259+:10D3D000000000000000000000000000000000004D
71260+:10D3E000000000000000000000000000000000003D
71261+:10D3F000000000000000000000000000000000002D
71262+:10D40000000000000000000000000000000000001C
71263+:10D41000000000000000000000000000000000000C
71264+:10D4200000000000000000000000000000000000FC
71265+:10D4300000000000000000000000000000000000EC
71266+:10D4400000000000000000000000000000000000DC
71267+:10D4500000000000000000000000000000000000CC
71268+:10D4600000000000000000000000000000000000BC
71269+:10D4700000000000000000000000000000000000AC
71270+:10D48000000000000000000000000000000000009C
71271+:10D49000000000000000000000000000000000008C
71272+:10D4A000000000000000000000000000000000007C
71273+:10D4B000000000000000000000000000000000006C
71274+:10D4C000000000000000000000000000000000005C
71275+:10D4D000000000000000000000000000000000004C
71276+:10D4E000000000000000000000000000000000003C
71277+:10D4F000000000000000000000000000000000002C
71278+:10D50000000000000000000000000000000000001B
71279+:10D51000000000000000000000000000000000000B
71280+:10D5200000000000000000000000000000000000FB
71281+:10D5300000000000000000000000000000000000EB
71282+:10D5400000000000000000000000000000000000DB
71283+:10D5500000000000000000000000000000000000CB
71284+:10D5600000000000000000000000000000000000BB
71285+:10D5700000000000000000000000000000000000AB
71286+:10D58000000000000000000000000000000000009B
71287+:10D59000000000000000000000000000000000008B
71288+:10D5A000000000000000000000000000000000007B
71289+:10D5B000000000000000000000000000000000006B
71290+:10D5C000000000000000000000000000000000005B
71291+:10D5D000000000000000000000000000000000004B
71292+:10D5E000000000000000000000000000000000003B
71293+:10D5F000000000000000000000000000000000002B
71294+:10D60000000000000000000000000000000000001A
71295+:10D61000000000000000000000000000000000000A
71296+:10D6200000000000000000000000000000000000FA
71297+:10D6300000000000000000000000000000000000EA
71298+:10D6400000000000000000000000000000000000DA
71299+:10D6500000000000000000000000000000000000CA
71300+:10D6600000000000000000000000000000000000BA
71301+:10D6700000000000000000000000000000000000AA
71302+:10D68000000000000000000000000000000000009A
71303+:10D69000000000000000000000000000000000008A
71304+:10D6A000000000000000000000000000000000007A
71305+:10D6B000000000000000000000000000000000006A
71306+:10D6C000000000000000000000000000000000005A
71307+:10D6D000000000000000000000000000000000004A
71308+:10D6E000000000000000000000000000000000003A
71309+:10D6F000000000000000000000000000000000002A
71310+:10D700000000000000000000000000000000000019
71311+:10D710000000000000000000000000000000000009
71312+:10D7200000000000000000000000000000000000F9
71313+:10D7300000000000000000000000000000000000E9
71314+:10D7400000000000000000000000000000000000D9
71315+:10D7500000000000000000000000000000000000C9
71316+:10D7600000000000000000000000000000000000B9
71317+:10D7700000000000000000000000000000000000A9
71318+:10D780000000000000000000000000000000000099
71319+:10D790000000000000000000000000000000000089
71320+:10D7A0000000000000000000000000000000000079
71321+:10D7B0000000000000000000000000000000000069
71322+:10D7C0000000000000000000000000000000000059
71323+:10D7D0000000000000000000000000000000000049
71324+:10D7E0000000000000000000000000000000000039
71325+:10D7F0000000000000000000000000000000000029
71326+:10D800000000000000000000000000000000000018
71327+:10D810000000000000000000000000000000000008
71328+:10D8200000000000000000000000000000000000F8
71329+:10D8300000000000000000000000000000000000E8
71330+:10D8400000000000000000000000000000000000D8
71331+:10D8500000000000000000000000000000000000C8
71332+:10D8600000000000000000000000000000000000B8
71333+:10D8700000000000000000000000000000000000A8
71334+:10D880000000000000000000000000000000000098
71335+:10D890000000000000000000000000000000000088
71336+:10D8A0000000000000000000000000000000000078
71337+:10D8B0000000000000000000000000000000000068
71338+:10D8C0000000000000000000000000000000000058
71339+:10D8D0000000000000000000000000000000000048
71340+:10D8E0000000000000000000000000000000000038
71341+:10D8F0000000000000000000000000000000000028
71342+:10D900000000000000000000000000000000000017
71343+:10D910000000000000000000000000000000000007
71344+:10D9200000000000000000000000000000000000F7
71345+:10D9300000000000000000000000000000000000E7
71346+:10D9400000000000000000000000000000000000D7
71347+:10D9500000000000000000000000000000000000C7
71348+:10D9600000000000000000000000000000000000B7
71349+:10D9700000000000000000000000000000000000A7
71350+:10D980000000000000000000000000000000000097
71351+:10D990000000000000000000000000000000000087
71352+:10D9A0000000000000000000000000000000000077
71353+:10D9B0000000000000000000000000000000000067
71354+:10D9C0000000000000000000000000000000000057
71355+:10D9D0000000000000000000000000000000000047
71356+:10D9E0000000000000000000000000000000000037
71357+:10D9F0000000000000000000000000000000000027
71358+:10DA00000000000000000000000000000000000016
71359+:10DA10000000000000000000000000000000000006
71360+:10DA200000000000000000000000000000000000F6
71361+:10DA300000000000000000000000000000000000E6
71362+:10DA400000000000000000000000000000000000D6
71363+:10DA500000000000000000000000000000000000C6
71364+:10DA600000000000000000000000000000000000B6
71365+:10DA700000000000000000000000000000000000A6
71366+:10DA80000000000000000000000000000000000096
71367+:10DA90000000000000000000000000000000000086
71368+:10DAA0000000000000000000000000000000000076
71369+:10DAB0000000000000000000000000000000000066
71370+:10DAC0000000000000000000000000000000000056
71371+:10DAD0000000000000000000000000000000000046
71372+:10DAE0000000000000000000000000000000000036
71373+:10DAF0000000000000000000000000000000000026
71374+:10DB00000000000000000000000000000000000015
71375+:10DB10000000000000000000000000000000000005
71376+:10DB200000000000000000000000000000000000F5
71377+:10DB300000000000000000000000000000000000E5
71378+:10DB400000000000000000000000000000000000D5
71379+:10DB500000000000000000000000000000000000C5
71380+:10DB600000000000000000000000000000000000B5
71381+:10DB700000000000000000000000000000000000A5
71382+:10DB80000000000000000000000000000000000095
71383+:10DB90000000000000000000000000000000000085
71384+:10DBA0000000000000000000000000000000000075
71385+:10DBB0000000000000000000000000000000000065
71386+:10DBC0000000000000000000000000000000000055
71387+:10DBD0000000000000000000000000000000000045
71388+:10DBE0000000000000000000000000000000000035
71389+:10DBF0000000000000000000000000000000000025
71390+:10DC00000000000000000000000000000000000014
71391+:10DC10000000000000000000000000000000000004
71392+:10DC200000000000000000000000000000000000F4
71393+:10DC300000000000000000000000000000000000E4
71394+:10DC400000000000000000000000000000000000D4
71395+:10DC500000000000000000000000000000000000C4
71396+:10DC600000000000000000000000000000000000B4
71397+:10DC700000000000000000000000000000000000A4
71398+:10DC80000000000000000000000000000000000094
71399+:10DC90000000000000000000000000000000000084
71400+:10DCA0000000000000000000000000000000000074
71401+:10DCB0000000000000000000000000000000000064
71402+:10DCC0000000000000000000000000000000000054
71403+:10DCD0000000000000000000000000000000000044
71404+:10DCE0000000000000000000000000000000000034
71405+:10DCF0000000000000000000000000000000000024
71406+:10DD00000000000000000000000000000000000013
71407+:10DD10000000000000000000000000000000000003
71408+:10DD200000000000000000000000000000000000F3
71409+:10DD300000000000000000000000000000000000E3
71410+:10DD400000000000000000000000000000000000D3
71411+:10DD500000000000000000000000000000000000C3
71412+:10DD600000000000000000000000000000000000B3
71413+:10DD700000000000000000000000000000000000A3
71414+:10DD80000000000000000000000000000000000093
71415+:10DD90000000000000000000000000000000000083
71416+:10DDA0000000000000000000000000000000000073
71417+:10DDB0000000000000000000000000000000000063
71418+:10DDC0000000000000000000000000000000000053
71419+:10DDD0000000000000000000000000000000000043
71420+:10DDE0000000000000000000000000000000000033
71421+:10DDF0000000000000000000000000000000000023
71422+:10DE00000000000000000000000000000000000012
71423+:10DE10000000000000000000000000000000000002
71424+:10DE200000000000000000000000000000000000F2
71425+:10DE300000000000000000000000000000000000E2
71426+:10DE400000000000000000000000000000000000D2
71427+:10DE500000000000000000000000000000000000C2
71428+:10DE600000000000000000000000000000000000B2
71429+:10DE700000000000000000000000000000000000A2
71430+:10DE80000000000000000000000000000000000092
71431+:10DE90000000000000000000000000000000000082
71432+:10DEA0000000000000000000000000000000000072
71433+:10DEB0000000000000000000000000000000000062
71434+:10DEC0000000000000000000000000000000000052
71435+:10DED0000000000000000000000000000000000042
71436+:10DEE0000000000000000000000000000000000032
71437+:10DEF0000000000000000000000000000000000022
71438+:10DF00000000000000000000000000000000000011
71439+:10DF10000000000000000000000000000000000001
71440+:10DF200000000000000000000000000000000000F1
71441+:10DF300000000000000000000000000000000000E1
71442+:10DF400000000000000000000000000000000000D1
71443+:10DF500000000000000000000000000000000000C1
71444+:10DF600000000000000000000000000000000000B1
71445+:10DF700000000000000000000000000000000000A1
71446+:10DF80000000000000000000000000000000000091
71447+:10DF90000000000000000000000000000000000081
71448+:10DFA0000000000000000000000000000000000071
71449+:10DFB0000000000000000000000000000000000061
71450+:10DFC0000000000000000000000000000000000051
71451+:10DFD0000000000000000000000000000000000041
71452+:10DFE0000000000000000000000000000000000031
71453+:10DFF0000000000000000000000000000000000021
71454+:10E000000000000000000000000000000000000010
71455+:10E010000000000000000000000000000000000000
71456+:10E0200000000000000000000000000000000000F0
71457+:10E0300000000000000000000000000000000000E0
71458+:10E0400000000000000000000000000000000000D0
71459+:10E0500000000000000000000000000000000000C0
71460+:10E0600000000000000000000000000000000000B0
71461+:10E0700000000000000000000000000000000000A0
71462+:10E080000000000000000000000000000000000090
71463+:10E090000000000000000000000000000000000080
71464+:10E0A0000000000000000000000000000000000070
71465+:10E0B0000000000000000000000000000000000060
71466+:10E0C0000000000000000000000000000000000050
71467+:10E0D0000000000000000000000000000000000040
71468+:10E0E0000000000000000000000000000000000030
71469+:10E0F0000000000000000000000000000000000020
71470+:10E10000000000000000000000000000000000000F
71471+:10E1100000000000000000000000000000000000FF
71472+:10E1200000000000000000000000000000000000EF
71473+:10E1300000000000000000000000000000000000DF
71474+:10E1400000000000000000000000000000000000CF
71475+:10E1500000000000000000000000000000000000BF
71476+:10E1600000000000000000000000000000000000AF
71477+:10E17000000000000000000000000000000000009F
71478+:10E18000000000000000000000000000000000008F
71479+:10E19000000000000000000000000000000000007F
71480+:10E1A000000000000000000000000000000000006F
71481+:10E1B000000000000000000000000000000000005F
71482+:10E1C000000000000000000000000000000000004F
71483+:10E1D000000000000000000000000000000000003F
71484+:10E1E000000000000000000000000000000000002F
71485+:10E1F000000000000000000000000000000000809F
71486+:10E20000000000000000000000000000000000000E
71487+:10E2100000000000000000000000000000000000FE
71488+:10E220000000000A000000000000000000000000E4
71489+:10E2300010000003000000000000000D0000000DB1
71490+:10E240003C020801244295C03C030801246397FC6A
71491+:10E25000AC4000000043202B1480FFFD244200044A
71492+:10E260003C1D080037BD9FFC03A0F0213C100800B6
71493+:10E27000261032103C1C0801279C95C00E0012BECF
71494+:10E28000000000000000000D3C02800030A5FFFFF0
71495+:10E2900030C600FF344301803C0880008D0901B87E
71496+:10E2A0000520FFFE00000000AC6400002404000212
71497+:10E2B000A4650008A066000AA064000BAC67001803
71498+:10E2C0003C03100003E00008AD0301B83C0560000A
71499+:10E2D0008CA24FF80440FFFE00000000ACA44FC029
71500+:10E2E0003C0310003C040200ACA44FC403E000084F
71501+:10E2F000ACA34FF89486000C00A050212488001491
71502+:10E3000000062B0200051080004448210109182B4B
71503+:10E310001060001100000000910300002C6400094F
71504+:10E320005080000991190001000360803C0D080134
71505+:10E3300025AD9258018D58218D67000000E000083E
71506+:10E340000000000091190001011940210109302B42
71507+:10E3500054C0FFF29103000003E000080000102108
71508+:10E360000A000CCC25080001910F0001240E000AC0
71509+:10E3700015EE00400128C8232F38000A1700003D81
71510+:10E38000250D00028D580000250F0006370E0100F4
71511+:10E39000AD4E0000910C000291AB000191A400026F
71512+:10E3A00091A60003000C2E00000B3C0000A71025D6
71513+:10E3B00000041A000043C8250326C025AD580004F8
71514+:10E3C000910E000691ED000191E7000291E5000336
71515+:10E3D000000E5E00000D6400016C30250007220075
71516+:10E3E00000C41025004518252508000A0A000CCC99
71517+:10E3F000AD430008910F000125040002240800022B
71518+:10E4000055E80001012020210A000CCC00804021A9
71519+:10E41000910C0001240B0003158B00160000000076
71520+:10E420008D580000910E000225080003370D0008EA
71521+:10E43000A14E00100A000CCCAD4D00009119000156
71522+:10E44000240F0004172F000B0000000091070002AA
71523+:10E45000910400038D43000000072A0000A410254A
71524+:10E460003466000425080004AD42000C0A000CCC00
71525+:10E47000AD46000003E000082402000127BDFFE8CC
71526+:10E48000AFBF0014AFB000100E00164E0080802108
71527+:10E490003C0480083485008090A600052403FFFE1C
71528+:10E4A0000200202100C310248FBF00148FB0001081
71529+:10E4B000A0A200050A00165827BD001827BDFFE8D6
71530+:10E4C000AFB00010AFBF00140E000FD40080802149
71531+:10E4D0003C06800834C5008090A40000240200504F
71532+:10E4E000308300FF106200073C09800002002021F9
71533+:10E4F0008FBF00148FB00010AD2001800A00108F74
71534+:10E5000027BD0018240801003C07800002002021DC
71535+:10E510008FBF00148FB00010ACE801800A00108F8C
71536+:10E5200027BD001827BDFF783C058008AFBE0080DE
71537+:10E53000AFB7007CAFB3006CAFB10064AFBF008475
71538+:10E54000AFB60078AFB50074AFB40070AFB200687A
71539+:10E55000AFB0006034A600803C0580008CB201287A
71540+:10E5600090C400098CA701043C020001309100FF17
71541+:10E5700000E218240000B8210000F021106000071C
71542+:10E58000000098213C0908008D2931F02413000176
71543+:10E59000252800013C010800AC2831F0ACA0008423
71544+:10E5A00090CC0005000C5827316A0001154000721C
71545+:10E5B000AFA0005090CD00002406002031A400FF41
71546+:10E5C00010860018240E0050108E009300000000EA
71547+:10E5D0003C1008008E1000DC260F00013C010800F2
71548+:10E5E000AC2F00DC0E0016C7000000000040182110
71549+:10E5F0008FBF00848FBE00808FB7007C8FB60078FD
71550+:10E600008FB500748FB400708FB3006C8FB2006848
71551+:10E610008FB100648FB000600060102103E000083B
71552+:10E6200027BD00880000000D3C1F8000AFA0003017
71553+:10E6300097E501168FE201043C04002030B9FFFF8A
71554+:10E64000004438240007182B00033140AFA60030E7
71555+:10E650008FF5010437F80C003C1600400338802188
71556+:10E6600002B6A02434C40040128000479215000D69
71557+:10E6700032A800201500000234860080008030217E
71558+:10E6800014C0009FAFA600303C0D800835A6008066
71559+:10E6900090CC0008318B0040516000063C06800899
71560+:10E6A000240E0004122E00A8240F0012122F003294
71561+:10E6B0003C06800834C401003C0280009447011AE3
71562+:10E6C0009619000E909F00088E18000830E3FFFF97
71563+:10E6D00003F9B00432B40004AFB6005CAFA3005835
71564+:10E6E0008E1600041280002EAFB8005434C3008090
71565+:10E6F000906800083105004014A0002500000000CB
71566+:10E700008C70005002D090230640000500000000ED
71567+:10E710008C71003402D1A82306A201678EE20008A2
71568+:10E72000126000063C1280003C1508008EB531F4E2
71569+:10E7300026B600013C010800AC3631F4AE4000447E
71570+:10E74000240300018FBF00848FBE00808FB7007C40
71571+:10E750008FB600788FB500748FB400708FB3006CE3
71572+:10E760008FB200688FB100648FB00060006010212C
71573+:10E7700003E0000827BD00880E000D2800002021BE
71574+:10E780000A000D75004018210A000D9500C02021D7
71575+:10E790000E00171702C020211440FFE10000000006
71576+:10E7A0003C0B8008356400808C8A003402CA482300
71577+:10E7B0000520001D000000003C1E08008FDE310017
71578+:10E7C00027D700013C010800AC3731001260000679
71579+:10E7D000024020213C1408008E9431F42690000160
71580+:10E7E0003C010800AC3031F40E00164E3C1E80088F
71581+:10E7F00037CD008091B700250240202136EE00047D
71582+:10E800000E001658A1AE00250E000CAC02402021CF
71583+:10E810000A000DCA240300013C17080126F796C020
71584+:10E820000A000D843C1F80008C86003002C66023E5
71585+:10E830001980000C2419000C908F004F3C14080024
71586+:10E840008E94310032B500FC35ED0001268E0001BA
71587+:10E850003C010800AC2E3100A08D004FAFA0005845
71588+:10E860002419000CAFB900308C9800300316A02397
71589+:10E870001A80010B8FA300580074F82A17E0FFD309
71590+:10E88000000000001074002A8FA5005802D4B021A7
71591+:10E8900000B410233044FFFFAFA4005832A8000298
71592+:10E8A0001100002E32AB00103C15800836B00080FD
71593+:10E8B0009216000832D30040526000FB8EE200083E
71594+:10E8C0000E00164E02402021240A0018A20A000958
71595+:10E8D000921100052409FFFE024020210229902404
71596+:10E8E0000E001658A2120005240400390000282149
71597+:10E8F0000E0016F2240600180A000DCA24030001B7
71598+:10E9000092FE000C3C0A800835490080001EBB00C6
71599+:10E910008D27003836F10081024020213225F08118
71600+:10E920000E000C9B30C600FF0A000DC10000000065
71601+:10E930003AA7000130E300011460FFA402D4B02123
71602+:10E940000A000E1D00000000024020210E001734B6
71603+:10E95000020028210A000D75004018211160FF7087
71604+:10E960003C0F80083C0D800835EE00808DC40038D7
71605+:10E970008FA300548DA60004006660231D80FF68ED
71606+:10E98000000000000064C02307020001AFA400548F
71607+:10E990003C1F08008FFF31E433F9000113200015FC
71608+:10E9A0008FAC00583C07800094E3011A10600012FD
71609+:10E9B0003C0680080E00216A024020213C03080129
71610+:10E9C000906396F13064000214800145000000005D
71611+:10E9D000306C0004118000078FAC0058306600FBDB
71612+:10E9E0003C010801A02696F132B500FCAFA000580A
71613+:10E9F0008FAC00583C06800834D30080AFB40018B8
71614+:10EA0000AFB60010AFAC00143C088000950B01209D
71615+:10EA10008E6F0030966A005C8FA3005C8FBF003061
71616+:10EA20003169FFFF3144FFFF8FAE005401341021E4
71617+:10EA3000350540000064382B0045C82103E7C02598
71618+:10EA4000AFB90020AFAF0028AFB80030AFAF00249F
71619+:10EA5000AFA0002CAFAE0034926D000831B40008B6
71620+:10EA6000168000BB020020218EE200040040F8095D
71621+:10EA700027A400108FAF003031F300025660000170
71622+:10EA800032B500FE3C048008349F008093F90008F2
71623+:10EA900033380040530000138FA400248C850004F9
71624+:10EAA0008FA7005410A700D52404001432B0000131
71625+:10EAB0001200000C8FA400242414000C1234011A3C
71626+:10EAC0002A2D000D11A001022413000E240E000AAD
71627+:10EAD000522E0001241E00088FAF002425E40001FF
71628+:10EAE000AFA400248FAA00143C0B80083565008079
71629+:10EAF000008A48218CB10030ACA9003090A4004EAF
71630+:10EB00008CA700303408FFFF0088180400E3F821C8
71631+:10EB1000ACBF00348FA600308FB900548FB8005CB2
71632+:10EB200030C200081040000B033898218CAC002044
71633+:10EB3000119300D330C600FF92EE000C8FA7003473
71634+:10EB400002402021000E6B0035B400800E000C9BAB
71635+:10EB50003285F0803C028008345000808E0F0030F7
71636+:10EB600001F1302318C00097264800803C070800B8
71637+:10EB70008CE731E42404FF80010418243118007F5D
71638+:10EB80003C1F80003C19800430F10001AFE300908D
71639+:10EB900012200006031928213C030801906396F116
71640+:10EBA00030690008152000C6306A00F73C10800864
71641+:10EBB00036040080908C004F318B000115600042BC
71642+:10EBC000000000003C0608008CC6319830CE0010D2
71643+:10EBD00051C0004230F9000190AF006B55E0003F9A
71644+:10EBE00030F9000124180001A0B8006B3C1180002E
71645+:10EBF0009622007A24470064A48700123C0D800806
71646+:10EC000035A5008090B40008329000401600000442
71647+:10EC10003C03800832AE000115C0008B00000000EC
71648+:10EC2000346400808C86002010D3000A3463010015
71649+:10EC30008C67000002C7782319E000978FBF00544B
71650+:10EC4000AC93002024130001AC760000AFB3005059
71651+:10EC5000AC7F000417C0004E000000008FA90050D8
71652+:10EC60001520000B000000003C030801906396F1A2
71653+:10EC7000306A00011140002E8FAB0058306400FE56
71654+:10EC80003C010801A02496F10A000D75000018212E
71655+:10EC90000E000CAC024020210A000F1300000000FF
71656+:10ECA0000A000E200000A0210040F80924040017EB
71657+:10ECB0000A000DCA240300010040F80924040016CC
71658+:10ECC0000A000DCA240300019094004F240DFFFE9A
71659+:10ECD000028D2824A085004F30F900011320000682
71660+:10ECE0003C0480083C030801906396F1307F0010DB
71661+:10ECF00017E00051306800EF34900080240A0001D2
71662+:10ED0000024020210E00164EA60A00129203002592
71663+:10ED100024090001AFA90050346200010240202103
71664+:10ED20000E001658A20200250A000EF93C0D8008BC
71665+:10ED30001160FE83000018218FA5003030AC000464
71666+:10ED40001180FE2C8FBF00840A000DCB240300012C
71667+:10ED500027A500380E000CB6AFA000385440FF4382
71668+:10ED60008EE200048FB40038329001005200FF3F61
71669+:10ED70008EE200048FA3003C8E6E0058006E682364
71670+:10ED800005A3FF39AE6300580A000E948EE200041A
71671+:10ED90000E00164E024020213C038008346800809B
71672+:10EDA000024020210E001658A11E000903C0302188
71673+:10EDB000240400370E0016F2000028210A000F116B
71674+:10EDC0008FA900508FAB00185960FF8D3C0D800853
71675+:10EDD0000E00164E02402021920C00252405000151
71676+:10EDE000AFA5005035820004024020210E001658C5
71677+:10EDF000A20200250A000EF93C0D800812240059D9
71678+:10EE00002A2300151060004D240900162408000C68
71679+:10EE10005628FF2732B000013C0A8008914C001BA5
71680+:10EE20002406FFBD241E000E01865824A14B001BA2
71681+:10EE30000A000EA532B000013C010801A02896F19D
71682+:10EE40000A000EF93C0D80088CB500308EFE0008DB
71683+:10EE50002404001826B6000103C0F809ACB600303F
71684+:10EE60003C030801906396F13077000116E0FF81C2
71685+:10EE7000306A00018FB200300A000D753243000481
71686+:10EE80003C1080009605011A50A0FF2B34C60010DC
71687+:10EE90000A000EC892EE000C8C6200001456FF6D42
71688+:10EEA000000000008C7800048FB9005403388823D8
71689+:10EEB0000621FF638FBF00540A000F0E0000000000
71690+:10EEC0003C010801A02A96F10A000F3030F9000138
71691+:10EED0001633FF028FAF00240A000EB0241E00106C
71692+:10EEE0000E00164E024020213C0B80083568008041
71693+:10EEF00091090025240A0001AFAA0050353300040F
71694+:10EF0000024020210E001658A11300253C050801DF
71695+:10EF100090A596F130A200FD3C010801A02296F1D7
71696+:10EF20000A000E6D004018212411000E53D1FEEA94
71697+:10EF3000241E00100A000EAF241E00165629FEDC07
71698+:10EF400032B000013C0A8008914C001B2406FFBD32
71699+:10EF5000241E001001865824A14B001B0A000EA598
71700+:10EF600032B000010A000EA4241E00123C038000EF
71701+:10EF70008C6201B80440FFFE24040800AC6401B8B0
71702+:10EF800003E000080000000030A5FFFF30C6FFFFCF
71703+:10EF90003C0780008CE201B80440FFFE34EA0180A7
71704+:10EFA000AD440000ACE400203C0480089483004899
71705+:10EFB0003068FFFF11000016AF88000824AB001274
71706+:10EFC000010B482B512000133C04800034EF01005A
71707+:10EFD00095EE00208F890000240D001A31CCFFFF30
71708+:10EFE00031274000A14D000B10E000362583FFFEC5
71709+:10EFF0000103C02B170000348F9900048F88000490
71710+:10F00000A5430014350700010A001003AF87000470
71711+:10F010003C04800024030003348201808F890000B7
71712+:10F020008F870004A043000B3C088000350C018052
71713+:10F03000A585000EA585001A8F85000C30EB800099
71714+:10F04000A5890010AD850028A58600081160000F75
71715+:10F050008F85001435190100972A00163158FFFCDE
71716+:10F06000270F000401E870218DCD400031A6FFFF7D
71717+:10F0700014C000072403BFFF3C02FFFF34487FFF9A
71718+:10F0800000E83824AF8700048F8500142403BFFFF5
71719+:10F090003C04800000E3582434830180A46B0026E4
71720+:10F0A000AC69002C10A0000300054C02A465001000
71721+:10F0B000A46900263C071000AC8701B803E00008F3
71722+:10F0C000000000008F990004240AFFFE032A382460
71723+:10F0D0000A001003AF87000427BDFFE88FA20028B5
71724+:10F0E00030A5FFFF30C6FFFFAFBF0010AF87000C99
71725+:10F0F000AF820014AF8000040E000FDBAF80000071
71726+:10F100008FBF001027BD001803E00008AF80001477
71727+:10F110003C06800034C4007034C701008C8A0000B3
71728+:10F1200090E500128F84000027BDFFF030A300FFA0
71729+:10F13000000318823082400010400037246500032D
71730+:10F140000005C8800326C0218F0E4000246F0004F4
71731+:10F15000000F6880AFAE000001A660218D8B4000DB
71732+:10F16000AFAB000494E900163128FFFC01063821FA
71733+:10F170008CE64000AFA600088FA9000800003021EF
71734+:10F18000000028213C07080024E701000A0010675E
71735+:10F19000240800089059000024A500012CAC000CA4
71736+:10F1A0000079C0210018788001E770218DCD000022
71737+:10F1B0001180000600CD302603A5102114A8FFF50C
71738+:10F1C00000051A005520FFF4905900003C0480000F
71739+:10F1D000348700703C0508008CA531048CE30000E6
71740+:10F1E0002CA2002010400009006A38230005488046
71741+:10F1F0003C0B0800256B3108012B402124AA00019B
71742+:10F20000AD0700003C010800AC2A310400C0102109
71743+:10F2100003E0000827BD0010308220001040000BE2
71744+:10F2200000055880016648218D24400024680004B0
71745+:10F2300000083880AFA4000000E618218C6540006B
71746+:10F24000AFA000080A001057AFA500040000000D91
71747+:10F250000A0010588FA9000827BDFFE03C07800076
71748+:10F2600034E60100AFBF001CAFB20018AFB100140C
71749+:10F27000AFB0001094C5000E8F87000030A4FFFFD0
71750+:10F280002483000430E2400010400010AF830028C7
71751+:10F290003C09002000E940241100000D30EC800002
71752+:10F2A0008F8A0004240BBFFF00EB38243543100085
71753+:10F2B000AF87000030F220001640000B3C1900041C
71754+:10F2C000241FFFBF0A0010B7007F102430EC80001D
71755+:10F2D000158000423C0E002030F220001240FFF862
71756+:10F2E0008F8300043C19000400F9C0241300FFF5CB
71757+:10F2F000241FFFBF34620040AF82000430E20100EF
71758+:10F300001040001130F010008F83002C10600006B8
71759+:10F310003C0F80003C05002000E52024148000C044
71760+:10F320003C0800043C0F800035EE010095CD001E26
71761+:10F3300095CC001C31AAFFFF000C5C00014B482556
71762+:10F34000AF89000C30F010001200000824110001F9
71763+:10F3500030F100201620008B3C18100000F890249B
71764+:10F36000164000823C040C002411000130E801002A
71765+:10F370001500000B3C0900018F85000430A94000F6
71766+:10F38000152000073C0900013C0C1F0100EC58242B
71767+:10F390003C0A1000116A01183C1080003C09000171
71768+:10F3A00000E9302410C000173C0B10003C18080086
71769+:10F3B0008F1800243307000214E0014024030001E9
71770+:10F3C0008FBF001C8FB200188FB100148FB00010D7
71771+:10F3D0000060102103E0000827BD002000EE682433
71772+:10F3E00011A0FFBE30F220008F8F00043C11FFFF00
71773+:10F3F00036307FFF00F0382435E380000A0010A685
71774+:10F40000AF87000000EB102450400065AF8000245F
71775+:10F410008F8C002C3C0D0F0000ED18241580008807
71776+:10F42000AF83001030E8010011000086938F0010B8
71777+:10F430003C0A0200106A00833C1280003650010032
71778+:10F44000920500139789002A3626000230AF00FF8C
71779+:10F4500025EE0004000E19C03C0480008C9801B811
71780+:10F460000700FFFE34880180AD0300003C198008CE
71781+:10F47000AC830020973100483225FFFF10A0015CCB
71782+:10F48000AF8500082523001200A3F82B53E0015993
71783+:10F490008F850004348D010095AC00202402001AF1
71784+:10F4A00030E44000318BFFFFA102000B108001927D
71785+:10F4B0002563FFFE00A3502B154001908F8F0004A1
71786+:10F4C000A50300148F88000435050001AF850004F2
71787+:10F4D0003C08800035190180A729000EA729001AD1
71788+:10F4E0008F89000C30B18000A7270010AF290028B9
71789+:10F4F000A72600081220000E3C04800035020100FF
71790+:10F50000944C0016318BFFFC256400040088182100
71791+:10F510008C7F400033E6FFFF14C000053C048000F0
71792+:10F520003C0AFFFF354D7FFF00AD2824AF85000466
71793+:10F53000240EBFFF00AE402434850180A4A800261D
71794+:10F54000ACA7002C3C071000AC8701B800001821C4
71795+:10F550008FBF001C8FB200188FB100148FB0001045
71796+:10F560000060102103E0000827BD00203C020BFFD3
71797+:10F5700000E41824345FFFFF03E3C82B5320FF7B14
71798+:10F58000241100013C0608008CC6002C24C5000193
71799+:10F590003C010800AC25002C0A0010D42411000501
71800+:10F5A0008F85002410A0002FAF80001090A30000D2
71801+:10F5B000146000792419000310A0002A30E601002D
71802+:10F5C00010C000CC8F860010241F000210DF00C97D
71803+:10F5D0008F8B000C3C0708008CE7003824E4FFFF09
71804+:10F5E00014E0000201641824000018213C0D0800FA
71805+:10F5F00025AD0038006D1021904C00048F85002847
71806+:10F6000025830004000321C030A5FFFF3626000239
71807+:10F610000E000FDB000000000A00114D0000182151
71808+:10F6200000E8302414C0FF403C0F80000E00103D65
71809+:10F63000000000008F8700000A0010CAAF82000C93
71810+:10F64000938F00103C18080127189640000F90C0B7
71811+:10F6500002588021AF9000248F85002414A0FFD38E
71812+:10F66000AF8F00103C0480008C86400030C5010044
71813+:10F6700010A000BC322300043C0C08008D8C002438
71814+:10F6800024120004106000C23190000D3C04800080
71815+:10F690008C8D40003402FFFF11A201003231FFFBCC
71816+:10F6A0008C884000310A01005540000124110010EF
71817+:10F6B00030EE080011C000BE2419FFFB8F9800280F
71818+:10F6C0002F0F03EF51E000010219802430E90100FF
71819+:10F6D00011200014320800018F87002C14E000FB79
71820+:10F6E0008F8C000C3C05800034AB0100917F00132F
71821+:10F6F00033E300FF246A00042403FFFE0203802496
71822+:10F70000000A21C012000002023230253226FFFF1B
71823+:10F710000E000FDB9785002A1200FF290000182138
71824+:10F72000320800011100000D32180004240E0001FF
71825+:10F73000120E0002023230253226FFFF9785002A82
71826+:10F740000E000FDB00002021240FFFFE020F80249B
71827+:10F750001200FF1B00001821321800045300FF188C
71828+:10F760002403000102323025241200045612000145
71829+:10F770003226FFFF9785002A0E000FDB24040100CC
71830+:10F780002419FFFB021988241220FF0D0000182104
71831+:10F790000A0010E9240300011079009C00003021C8
71832+:10F7A00090AD00012402000211A200BE30EA004028
71833+:10F7B00090B90001241800011338007F30E900409F
71834+:10F7C0008CA600049785002A00C020210E000FDBC4
71835+:10F7D0003626000200004021010018218FBF001CC6
71836+:10F7E0008FB200188FB100148FB00010006010218C
71837+:10F7F00003E0000827BD0020360F010095EE000C45
71838+:10F8000031CD020015A0FEE63C0900013C1880083D
71839+:10F81000971200489789002A362600023248FFFFD7
71840+:10F82000AF8800083C0380008C7101B80620FFFE01
71841+:10F83000346A0180AD4000001100008E3C0F800052
71842+:10F84000253F0012011FC82B1320008B240E00033C
71843+:10F85000346C0100958B00202402001A30E4400033
71844+:10F860003163FFFFA142000B108000A72463FFFE5D
71845+:10F870000103682B15A000A52408FFFE34A5000194
71846+:10F88000A5430014AF8500043C0480002412BFFF90
71847+:10F8900000B2802434850180A4A9000EA4A9001A16
71848+:10F8A000A4A60008A4B00026A4A700103C071000DE
71849+:10F8B000AC8701B80A00114D000018213C038000FC
71850+:10F8C00034640100949F000E3C1908008F3900D861
71851+:10F8D0002404008033E5FFFF273100013C010800CC
71852+:10F8E000AC3100D80E000FDB240600030A00114DD6
71853+:10F8F00000001821240A000210CA00598F85002830
71854+:10F900003C0308008C6300D0240E0001106E005EE2
71855+:10F910002CCF000C24D2FFFC2E5000041600002136
71856+:10F9200000002021241800021078001B2CD9000CA4
71857+:10F9300024DFFFF82FE900041520FF330000202109
71858+:10F9400030EB020051600004000621C054C00022C8
71859+:10F9500030A5FFFF000621C030A5FFFF0A00117D82
71860+:10F96000362600023C0908008D29002431300001B0
71861+:10F970005200FEF7000018219785002A3626000263
71862+:10F980000E000FDB000020210A00114D000018219D
71863+:10F990000A00119C241200021320FFE624DFFFF866
71864+:10F9A0000000202130A5FFFF0A00117D362600024D
71865+:10F9B0000A0011AC021980245120FF828CA6000499
71866+:10F9C0003C05080190A5964110A0FF7E2408000187
71867+:10F9D0000A0011F0010018210E000FDB3226000191
71868+:10F9E0008F8600108F8500280A00124F000621C064
71869+:10F9F0008F8500043C18800024120003371001801A
71870+:10FA0000A212000B0A00112E3C08800090A30001F6
71871+:10FA1000241100011071FF70240800012409000264
71872+:10FA20005069000430E60040240800010A0011F08B
71873+:10FA30000100182150C0FFFD240800013C0C80008B
71874+:10FA4000358B01009563001094A40002307FFFFF06
71875+:10FA5000509FFF62010018210A001284240800014F
71876+:10FA60002CA803EF1100FE56240300010A001239EE
71877+:10FA700000000000240E000335EA0180A14E000BB7
71878+:10FA80000A00121C3C04800011E0FFA2000621C005
71879+:10FA900030A5FFFF0A00117D362600020A0011A5DD
71880+:10FAA000241100201140FFC63C1280003650010096
71881+:10FAB000960F001094AE000231E80FFF15C8FFC08A
71882+:10FAC000000000000A0011E690B900013C060800A1
71883+:10FAD0008CC6003824C4FFFF14C00002018418241F
71884+:10FAE000000018213C0D080025AD0038006D1021E4
71885+:10FAF0000A0011B6904300048F8F0004240EFFFE0D
71886+:10FB00000A00112C01EE28242408FFFE0A00121A14
71887+:10FB100000A8282427BDFFC8AFB00010AFBF003435
71888+:10FB20003C10600CAFBE0030AFB7002CAFB6002861
71889+:10FB3000AFB50024AFB40020AFB3001CAFB20018C3
71890+:10FB4000AFB100148E0E5000240FFF7F3C068000E2
71891+:10FB500001CF682435AC380C240B0003AE0C5000E8
71892+:10FB6000ACCB00083C010800AC2000200E001819A6
71893+:10FB7000000000003C0A0010354980513C06601628
71894+:10FB8000AE09537C8CC700003C0860148D0500A0B2
71895+:10FB90003C03FFFF00E320243C02535300051FC237
71896+:10FBA0001482000634C57C000003A08002869821E0
71897+:10FBB0008E7200043C116000025128218CBF007C31
71898+:10FBC0008CA200783C1E600037C420203C05080150
71899+:10FBD00024A59288AF820018AF9F001C0E0016DD8E
71900+:10FBE0002406000A3C190001273996403C01080010
71901+:10FBF000AC3931DC0E0020DDAF8000148FD708084F
71902+:10FC00002418FFF03C15570902F8B02412D502F56C
71903+:10FC100024040001AF80002C3C1480003697018042
71904+:10FC20003C1E080127DE9644369301008E900000AA
71905+:10FC30003205000310A0FFFD3207000110E000882C
71906+:10FC4000320600028E7100283C048000AE91002034
71907+:10FC50008E6500048E66000000A0382100C040219F
71908+:10FC60008C8301B80460FFFE3C0B0010240A0800DE
71909+:10FC700000AB4824AC8A01B8552000E0240BBFFF3C
71910+:10FC80009675000E3C1208008E52002030AC4000E9
71911+:10FC900032AFFFFF264E000125ED00043C010800B5
71912+:10FCA000AC2E0020118000E8AF8D00283C18002009
71913+:10FCB00000B8B02412C000E530B980002408BFFFAE
71914+:10FCC00000A8382434C81000AF87000030E62000B8
71915+:10FCD00010C000E92409FFBF3C03000400E328240E
71916+:10FCE00010A00002010910243502004030EA010092
71917+:10FCF00011400010AF8200048F8B002C11600007B0
71918+:10FD00003C0D002000ED6024118000043C0F000435
71919+:10FD100000EF702411C00239000000009668001E38
71920+:10FD20009678001C3115FFFF0018B40002B690252C
71921+:10FD3000AF92000C30F910001320001324150001BD
71922+:10FD400030FF002017E0000A3C04100000E41024FB
71923+:10FD50001040000D3C0A0C003C090BFF00EA18247F
71924+:10FD60003525FFFF00A3302B10C0000830ED010047
71925+:10FD70003C0C08008D8C002C24150005258B0001FF
71926+:10FD80003C010800AC2B002C30ED010015A0000B4D
71927+:10FD90003C0500018F85000430AE400055C00007CF
71928+:10FDA0003C0500013C161F0100F690243C0F10009A
71929+:10FDB000124F01CE000000003C05000100E5302498
71930+:10FDC00010C000AF3C0C10003C1F08008FFF002447
71931+:10FDD00033E90002152000712403000100601021A6
71932+:10FDE000104000083C0680003C08800035180100E7
71933+:10FDF0008F0F00243C056020ACAF00140000000011
71934+:10FE00003C0680003C194000ACD9013800000000DD
71935+:10FE10005220001332060002262B0140262C0080BF
71936+:10FE2000240EFF80016E2024018E6824000D1940ED
71937+:10FE3000318A007F0004A9403172007F3C16200007
71938+:10FE400036C20002006A482502B2382500E2882541
71939+:10FE50000122F825ACDF0830ACD1083032060002B0
71940+:10FE600010C0FF723C188000370501408CA80000CC
71941+:10FE700024100040AF08002090AF000831E300706C
71942+:10FE8000107000D428790041532000082405006038
71943+:10FE9000241100201071000E3C0A40003C09800033
71944+:10FEA000AD2A01780A001304000000001465FFFB6E
71945+:10FEB0003C0A40000E001FFA000000003C0A40000F
71946+:10FEC0003C098000AD2A01780A00130400000000FC
71947+:10FED00090A90009241F00048CA70000312800FF0E
71948+:10FEE000111F01B22503FFFA2C7200061240001404
71949+:10FEF0003C0680008CA9000494A4000A310500FF90
71950+:10FF000000095E022D6A00083086FFFF15400002DE
71951+:10FF10002567000424070003240C000910AC01FA33
71952+:10FF200028AD000A11A001DE2410000A240E0008EA
71953+:10FF300010AE0028000731C000C038213C06800008
71954+:10FF40008CD501B806A0FFFE34D20180AE47000078
71955+:10FF500034CB0140916E0008240300023C0A4000AB
71956+:10FF600031C400FF00046A0001A86025A64C000807
71957+:10FF7000A243000B9562000A3C0810003C09800077
71958+:10FF8000A64200108D670004AE470024ACC801B83B
71959+:10FF9000AD2A01780A001304000000003C0A80002A
71960+:10FFA000354401009483000E3C0208008C4200D8C6
71961+:10FFB000240400803065FFFF245500013C01080047
71962+:10FFC000AC3500D80E000FDB240600030A001370C6
71963+:10FFD000000018210009320230D900FF2418000166
71964+:10FFE0001738FFD5000731C08F910020262200016D
71965+:10FFF000AF8200200A0013C800C0382100CB2024A3
71966+:020000021000EC
71967+:10000000AF85000010800008AF860004240D87FF34
71968+:1000100000CD6024158000083C0E006000AE302446
71969+:1000200010C00005000000000E000D42000000009E
71970+:100030000A001371000000000E0016050000000009
71971+:100040000A0013710000000030B980005320FF1F28
71972+:10005000AF8500003C02002000A2F82453E0FF1B03
71973+:10006000AF8500003C07FFFF34E47FFF00A4382485
71974+:100070000A00132B34C880000A001334010910242D
71975+:1000800000EC58245160005AAF8000248F8D002C62
71976+:100090003C0E0F0000EE182415A00075AF83001071
71977+:1000A00030EF010011E00073939800103C12020041
71978+:1000B000107200703C06800034D9010093280013B0
71979+:1000C0009789002A36A60002311800FF271600047F
71980+:1000D000001619C03C0480008C8501B804A0FFFE06
71981+:1000E00034880180AD0300003C158008AC830020FB
71982+:1000F00096BF004833E5FFFF10A001BCAF850008A4
71983+:100100002523001200A3102B504001B98F85000455
71984+:10011000348D010095AC0020240B001A30E440001F
71985+:10012000318AFFFFA10B000B108001BA2543FFFEAF
71986+:1001300000A3702B15C001B88F9600048F8F0004A8
71987+:10014000A503001435E50001AF8500043C088000DC
71988+:1001500035150180A6A9000EA6A9001A8F89000CEA
71989+:1001600030BF8000A6A70010AEA90028A6A60008F0
71990+:1001700013E0000F3C0F8000350C0100958B00163A
71991+:10018000316AFFFC25440004008818218C6240007D
71992+:100190003046FFFF14C000072416BFFF3C0EFFFFD0
71993+:1001A00035CD7FFF00AD2824AF8500043C0F8000D3
71994+:1001B0002416BFFF00B6902435E50180A4B20026C6
71995+:1001C000ACA7002C3C071000ADE701B80A00137083
71996+:1001D000000018210E00165D000000003C0A4000DF
71997+:1001E0003C098000AD2A01780A00130400000000D9
71998+:1001F0008F85002410A00027AF80001090A300007E
71999+:10020000106000742409000310690101000030210E
72000+:1002100090AE0001240D000211CD014230EF0040EC
72001+:1002200090A90001241F0001113F000930E20040A5
72002+:100230008CA600049785002A00C020210E000FDB49
72003+:1002400036A60002000040210A00137001001821A8
72004+:100250005040FFF88CA600043C07080190E7964147
72005+:1002600010E0FFF4240800010A00137001001821B7
72006+:10027000939800103C1F080127FF96400018C8C043
72007+:10028000033F4021AF8800248F85002414A0FFDBAA
72008+:10029000AF9800103C0480008C86400030C50100FF
72009+:1002A00010A0008732AB00043C0C08008D8C0024A9
72010+:1002B00024160004156000033192000D241600027C
72011+:1002C0003C0480008C8E4000340DFFFF11CD0113E3
72012+:1002D00032B5FFFB8C984000330F010055E0000160
72013+:1002E0002415001030E80800110000382409FFFB35
72014+:1002F0008F9F00282FF903EF53200001024990241B
72015+:1003000030E2010010400014325F00018F87002CA2
72016+:1003100014E0010E8F8C000C3C0480003486010038
72017+:1003200090C5001330AA00FF25430004000321C03C
72018+:100330002419FFFE025990241240000202B6302513
72019+:1003400032A6FFFF0E000FDB9785002A1240FEA3A6
72020+:1003500000001821325F000113E0000D3247000455
72021+:10036000240900011249000202B6302532A6FFFF1F
72022+:100370009785002A0E000FDB000020212402FFFEDB
72023+:10038000024290241240FE950000182132470004DA
72024+:1003900050E0FE922403000102B63025241600042A
72025+:1003A0005656000132A6FFFF9785002A0E000FDB8C
72026+:1003B000240401002403FFFB0243A82412A0FE87AB
72027+:1003C000000018210A001370240300010A0014B968
72028+:1003D0000249902410A0FFAF30E5010010A00017E3
72029+:1003E0008F8600102403000210C300148F84000CB9
72030+:1003F0003C0608008CC6003824CAFFFF14C0000267
72031+:10040000008A1024000010213C0E080025CE003880
72032+:10041000004E682191AC00048F850028258B0004D4
72033+:10042000000B21C030A5FFFF36A600020E000FDB37
72034+:10043000000000000A00137000001821240F0002C1
72035+:1004400010CF0088241600013C0308008C6300D004
72036+:100450001076008D8F85002824D9FFFC2F280004FA
72037+:100460001500006300002021241F0002107F005DA2
72038+:100470002CC9000C24C3FFF82C6200041440FFE9CF
72039+:100480000000202130EA020051400004000621C093
72040+:1004900054C0000530A5FFFF000621C030A5FFFFB6
72041+:1004A0000A00150436A600020E000FDB32A600017A
72042+:1004B0008F8600108F8500280A001520000621C0B5
72043+:1004C0003C0A08008D4A0024315200015240FE438C
72044+:1004D000000018219785002A36A600020E000FDBC7
72045+:1004E000000020210A001370000018219668000CFB
72046+:1004F000311802005700FE313C0500013C1F800806
72047+:1005000097F900489789002A36A600023328FFFF92
72048+:10051000AF8800083C0380008C7501B806A0FFFE80
72049+:100520003C04800034820180AC400000110000B621
72050+:1005300024180003252A0012010A182B106000B2AB
72051+:1005400000000000966F00203C0E8000240D001A71
72052+:1005500031ECFFFF35CA018030EB4000A14D000BAC
72053+:10056000116000B02583FFFE0103902B164000AE02
72054+:100570002416FFFE34A50001A5430014AF85000436
72055+:100580002419BFFF00B94024A6E9000EA6E9001A0D
72056+:10059000A6E60008A6E80026A6E700103C07100023
72057+:1005A000AE8701B80A001370000018213C048000D7
72058+:1005B0008C8201B80440FFFE349601802415001C93
72059+:1005C000AEC70000A2D5000B3C071000AC8701B8F5
72060+:1005D0003C0A40003C098000AD2A01780A0013045F
72061+:1005E000000000005120FFA424C3FFF800002021D8
72062+:1005F00030A5FFFF0A00150436A600020E00103DCC
72063+:10060000000000008F8700000A001346AF82000C34
72064+:1006100090A30001241500011075FF0B24080001B0
72065+:10062000240600021066000430E2004024080001A5
72066+:100630000A001370010018215040FFFD240800013A
72067+:100640003C0C8000358B0100956A001094A40002D8
72068+:100650003143FFFF5083FDE1010018210A00158599
72069+:10066000240800018F8500282CB203EF1240FDDB27
72070+:10067000240300013C0308008C6300D02416000111
72071+:100680001476FF7624D9FFFC2CD8000C1300FF72DF
72072+:10069000000621C030A5FFFF0A00150436A600029F
72073+:1006A00010B00037240F000B14AFFE23000731C039
72074+:1006B000312600FF00065600000A4E0305220047BF
72075+:1006C00030C6007F0006F8C03C16080126D69640CA
72076+:1006D00003F68021A2000001A20000003C0F600090
72077+:1006E0008DF918202405000100C588040011302769
72078+:1006F0000326C024000731C000C03821ADF81820FF
72079+:100700000A0013C8A60000028F850020000731C030
72080+:1007100024A2FFFF0A0013F6AF8200200A0014B2E1
72081+:100720002415002011E0FECC3C1980003728010080
72082+:100730009518001094B6000233120FFF16D2FEC6B1
72083+:10074000000000000A00148290A900013C0B080080
72084+:100750008D6B0038256DFFFF15600002018D1024A0
72085+:10076000000010213C080800250800380048C0217E
72086+:10077000930F000425EE00040A0014C5000E21C0EA
72087+:1007800000065202241F00FF115FFDEB000731C07D
72088+:10079000000A20C03C0E080125CE9640008EA821FC
72089+:1007A000009E602100095C02240D00013C076000EE
72090+:1007B000A2AD0000AD860000A2AB00018CF21820B3
72091+:1007C00024030001014310040242B025ACF61820B6
72092+:1007D00000C038210A0013C8A6A900020A0015AA01
72093+:1007E000AF8000200A0012FFAF84002C8F85000428
72094+:1007F0003C1980002408000337380180A308000B4F
72095+:100800000A00144D3C088000A2F8000B0A00155A9B
72096+:100810002419BFFF8F9600042412FFFE0A00144B18
72097+:1008200002D228242416FFFE0A00155800B62824F8
72098+:100830003C038000346401008C85000030A2003E3F
72099+:100840001440000800000000AC6000488C870000E5
72100+:1008500030E607C010C0000500000000AC60004C8E
72101+:10086000AC60005003E0000824020001AC600054BA
72102+:10087000AC6000408C880000310438001080FFF923
72103+:10088000000000002402000103E00008AC60004406
72104+:100890003C0380008C6201B80440FFFE3467018095
72105+:1008A000ACE4000024080001ACE00004A4E500086A
72106+:1008B00024050002A0E8000A34640140A0E5000B12
72107+:1008C0009483000A14C00008A4E30010ACE00024E4
72108+:1008D0003C07800034E901803C041000AD20002872
72109+:1008E00003E00008ACE401B88C8600043C0410006E
72110+:1008F000ACE600243C07800034E90180AD200028EC
72111+:1009000003E00008ACE401B83C0680008CC201B8EA
72112+:100910000440FFFE34C7018024090002ACE400005B
72113+:10092000ACE40004A4E50008A0E9000A34C50140D5
72114+:10093000A0E9000B94A8000A3C041000A4E80010F1
72115+:10094000ACE000248CA30004ACE3002803E0000822
72116+:10095000ACC401B83C039000346200010082202541
72117+:100960003C038000AC6400208C65002004A0FFFEE6
72118+:100970000000000003E00008000000003C028000CE
72119+:10098000344300010083202503E00008AC4400202C
72120+:1009900027BDFFE03C098000AFBF0018AFB10014D5
72121+:1009A000AFB00010352801408D10000091040009FF
72122+:1009B0009107000891050008308400FF30E600FF31
72123+:1009C00000061A002C820081008330251040002A86
72124+:1009D00030A50080000460803C0D080125AD92B078
72125+:1009E000018D58218D6A00000140000800000000C0
72126+:1009F0003C038000346201409445000A14A0001EAC
72127+:100A00008F91FCC09227000530E6000414C0001A44
72128+:100A1000000000000E00164E02002021922A000560
72129+:100A200002002021354900040E001658A2290005B5
72130+:100A30009228000531040004148000020000000028
72131+:100A40000000000D922D0000240B002031AC00FFAF
72132+:100A5000158B00093C0580008CAE01B805C0FFFE77
72133+:100A600034B10180AE3000003C0F100024100005AE
72134+:100A7000A230000BACAF01B80000000D8FBF001812
72135+:100A80008FB100148FB0001003E0000827BD0020D4
72136+:100A90000200202100C028218FBF00188FB1001450
72137+:100AA0008FB00010240600010A00161D27BD00208B
72138+:100AB0000000000D0200202100C028218FBF001877
72139+:100AC0008FB100148FB00010000030210A00161DF5
72140+:100AD00027BD002014A0FFE8000000000200202134
72141+:100AE0008FBF00188FB100148FB0001000C02821F4
72142+:100AF0000A00163B27BD00203C0780008CEE01B8A1
72143+:100B000005C0FFFE34F00180241F0002A21F000B6D
72144+:100B100034F80140A60600089719000A3C0F10009F
72145+:100B2000A61900108F110004A6110012ACEF01B835
72146+:100B30000A0016998FBF001827BDFFE8AFBF00104D
72147+:100B40000E000FD4000000003C0280008FBF001098
72148+:100B500000002021AC4001800A00108F27BD001842
72149+:100B60003084FFFF30A5FFFF108000070000182130
72150+:100B7000308200011040000200042042006518216C
72151+:100B80001480FFFB0005284003E0000800601021EE
72152+:100B900010C00007000000008CA2000024C6FFFF68
72153+:100BA00024A50004AC82000014C0FFFB24840004D0
72154+:100BB00003E000080000000010A0000824A3FFFFCD
72155+:100BC000AC86000000000000000000002402FFFFCF
72156+:100BD0002463FFFF1462FFFA2484000403E000088A
72157+:100BE000000000003C03800027BDFFF83462018054
72158+:100BF000AFA20000308C00FF30AD00FF30CE00FF10
72159+:100C00003C0B80008D6401B80480FFFE00000000F2
72160+:100C10008FA900008D6801288FAA00008FA700000F
72161+:100C20008FA400002405000124020002A085000A10
72162+:100C30008FA30000359940003C051000A062000B16
72163+:100C40008FB800008FAC00008FA600008FAF0000AF
72164+:100C500027BD0008AD280000AD400004AD80002491
72165+:100C6000ACC00028A4F90008A70D0010A5EE0012E2
72166+:100C700003E00008AD6501B83C06800827BDFFE829
72167+:100C800034C50080AFBF001090A7000924020012F5
72168+:100C900030E300FF1062000B008030218CA8005070
72169+:100CA00000882023048000088FBF00108CAA003425
72170+:100CB000240400390000282100CA4823052000052B
72171+:100CC000240600128FBF00102402000103E0000878
72172+:100CD00027BD00180E0016F2000000008FBF0010A4
72173+:100CE0002402000103E0000827BD001827BDFFC84B
72174+:100CF000AFB20030AFB00028AFBF0034AFB1002CAE
72175+:100D000000A0802190A5000D30A6001010C000109A
72176+:100D1000008090213C0280088C4400048E0300086F
72177+:100D20001064000C30A7000530A6000510C0009329
72178+:100D3000240400018FBF00348FB200308FB1002C2B
72179+:100D40008FB000280080102103E0000827BD003884
72180+:100D500030A7000510E0000F30AB001210C00006F5
72181+:100D6000240400013C0980088E0800088D25000439
72182+:100D70005105009C240400388FBF00348FB200302E
72183+:100D80008FB1002C8FB000280080102103E00008F4
72184+:100D900027BD0038240A0012156AFFE6240400016A
72185+:100DA0000200202127A500100E000CB6AFA00010F5
72186+:100DB0001440007C3C19800837240080909800087B
72187+:100DC000331100081220000A8FA7001030FF010025
72188+:100DD00013E000A48FA300148C8600580066102333
72189+:100DE000044000043C0A8008AC8300588FA7001020
72190+:100DF0003C0A800835480080910900083124000829
72191+:100E00001480000224080003000040213C1F8008D9
72192+:100E100093F1001193F9001237E600808CCC005456
72193+:100E2000333800FF03087821322D00FF000F708057
72194+:100E300001AE282100AC582B1160006F00000000AB
72195+:100E400094CA005C8CC900543144FFFF0125102373
72196+:100E50000082182B14600068000000008CCB005446
72197+:100E60000165182330EC00041180006C000830800C
72198+:100E70008FA8001C0068102B1040006230ED0004A9
72199+:100E8000006610232C46008010C00002004088211C
72200+:100E9000241100800E00164E024020213C0D8008D7
72201+:100EA00035A6008024070001ACC7000C90C80008DC
72202+:100EB0000011484035A70100310C007FA0CC00088C
72203+:100EC0008E05000424AB0001ACCB0030A4D1005C43
72204+:100ED0008CCA003C9602000E01422021ACC40020C6
72205+:100EE0008CC3003C0069F821ACDF001C8E190004A3
72206+:100EF000ACF900008E180008ACF800048FB10010A7
72207+:100F0000322F000855E0004793A60020A0C0004EF5
72208+:100F100090D8004E2411FFDFA0F8000890CF000801
72209+:100F200001F17024A0CE00088E0500083C0B80085B
72210+:100F300035690080AD2500388D6A00148D2200309F
72211+:100F40002419005001422021AD24003491230000D7
72212+:100F5000307F00FF13F90036264F01000E001658AF
72213+:100F60000240202124040038000028210E0016F23F
72214+:100F70002406000A0A001757240400010E000D2859
72215+:100F8000000020218FBF00348FB200308FB1002CC1
72216+:100F90008FB00028004020210080102103E00008CD
72217+:100FA00027BD00388E0E00083C0F800835F0008009
72218+:100FB000AE0E005402402021AE0000300E00164E4E
72219+:100FC00000000000920D00250240202135AC0020D9
72220+:100FD0000E001658A20C00250E000CAC0240202179
72221+:100FE000240400382405008D0E0016F22406001299
72222+:100FF0000A0017572404000194C5005C0A001792E8
72223+:1010000030A3FFFF2407021811A0FF9E00E6102363
72224+:101010008FAE001C0A00179A01C610230A0017970A
72225+:101020002C620218A0E600080A0017C48E0500080A
72226+:101030002406FF8001E6C0243C118000AE38002861
72227+:101040008E0D000831E7007F3C0E800C00EE602121
72228+:10105000AD8D00E08E080008AF8C00380A0017D074
72229+:10106000AD8800E4AC800058908500082403FFF7A9
72230+:1010700000A33824A08700080A0017758FA7001066
72231+:101080003C05080024A560A83C04080024846FF4F3
72232+:101090003C020800244260B0240300063C01080121
72233+:1010A000AC2596C03C010801AC2496C43C01080163
72234+:1010B000AC2296C83C010801A02396CC03E00008AE
72235+:1010C0000000000003E00008240200013C02800050
72236+:1010D000308800FF344701803C0680008CC301B893
72237+:1010E0000460FFFE000000008CC501282418FF806A
72238+:1010F0003C0D800A24AF010001F8702431EC007F20
72239+:10110000ACCE0024018D2021ACE50000948B00EAD8
72240+:101110003509600024080002316AFFFFACEA0004D0
72241+:1011200024020001A4E90008A0E8000BACE00024C0
72242+:101130003C071000ACC701B8AF84003803E00008DA
72243+:10114000AF85006C938800488F8900608F820038DB
72244+:1011500030C600FF0109382330E900FF01221821C1
72245+:1011600030A500FF2468008810C000020124382147
72246+:101170000080382130E400031480000330AA00030B
72247+:101180001140000D312B000310A0000900001021B8
72248+:1011900090ED0000244E000131C200FF0045602B9D
72249+:1011A000A10D000024E700011580FFF925080001CA
72250+:1011B00003E00008000000001560FFF300000000DD
72251+:1011C00010A0FFFB000010218CF80000245900043F
72252+:1011D000332200FF0045782BAD18000024E70004FF
72253+:1011E00015E0FFF92508000403E0000800000000F6
72254+:1011F00093850048938800588F8700600004320070
72255+:101200003103007F00E5102B30C47F001040000F39
72256+:10121000006428258F8400383C0980008C8A00EC0B
72257+:10122000AD2A00A43C03800000A35825AC6B00A0AD
72258+:101230008C6C00A00580FFFE000000008C6D00ACEF
72259+:10124000AC8D00EC03E000088C6200A80A00188254
72260+:101250008F840038938800593C0280000080502120
72261+:10126000310300FEA383005930ABFFFF30CC00FFF9
72262+:1012700030E7FFFF344801803C0980008D2401B82D
72263+:101280000480FFFE8F8D006C24180016AD0D000049
72264+:101290008D2201248F8D0038AD0200048D5900206D
72265+:1012A000A5070008240201C4A119000AA118000B17
72266+:1012B000952F01208D4E00088D4700049783005C18
72267+:1012C0008D59002401CF302100C7282100A32023FD
72268+:1012D0002418FFFFA504000CA50B000EA5020010AA
72269+:1012E000A50C0012AD190018AD18002495AF00E848
72270+:1012F0003C0B10002407FFF731EEFFFFAD0E002876
72271+:101300008DAC0084AD0C002CAD2B01B88D460020B7
72272+:1013100000C7282403E00008AD4500208F8800386E
72273+:101320000080582130E7FFFF910900D63C02800081
72274+:1013300030A5FFFF312400FF00041A00006750258C
72275+:1013400030C600FF344701803C0980008D2C01B875
72276+:101350000580FFFE8F82006C240F0017ACE20000B6
72277+:101360008D390124ACF900048D780020A4EA00082E
72278+:10137000241901C4A0F8000AA0EF000B9523012056
72279+:101380008D6E00088D6D00049784005C01C35021B0
72280+:10139000014D602101841023A4E2000CA4E5000E9D
72281+:1013A000A4F90010A4E60012ACE000148D7800242B
72282+:1013B000240DFFFFACF800188D0F007CACEF001C73
72283+:1013C0008D0E00783C0F1000ACEE0020ACED002438
72284+:1013D000950A00BE240DFFF73146FFFFACE600285A
72285+:1013E000950C00809504008231837FFF0003CA00C2
72286+:1013F0003082FFFF0322C021ACF8002CAD2F01B8D2
72287+:10140000950E00828D6A002000AE3021014D282407
72288+:10141000A506008203E00008AD6500203C028000C4
72289+:10142000344501803C0480008C8301B80460FFFED9
72290+:101430008F8A0044240600199549001C3128FFFFBB
72291+:10144000000839C0ACA70000A0A6000B3C051000A6
72292+:1014500003E00008AC8501B88F87004C0080402174
72293+:1014600030C400FF3C0680008CC201B80440FFFE7F
72294+:101470008F89006C9383006834996000ACA90000E8
72295+:10148000A0A300058CE20010240F00022403FFF744
72296+:10149000A4A20006A4B900088D180020A0B8000A74
72297+:1014A000A0AF000B8CEE0000ACAE00108CED000481
72298+:1014B000ACAD00148CEC001CACAC00248CEB002018
72299+:1014C000ACAB00288CEA002C3C071000ACAA002C26
72300+:1014D0008D090024ACA90018ACC701B88D05002007
72301+:1014E00000A3202403E00008AD0400208F8600380C
72302+:1014F00027BDFFE0AFB10014AFBF0018AFB00010C0
72303+:1015000090C300D430A500FF3062002010400008D6
72304+:10151000008088218CCB00D02409FFDF256A0001E0
72305+:10152000ACCA00D090C800D401093824A0C700D4A8
72306+:1015300014A000403C0C80008F840038908700D4B9
72307+:101540002418FFBF2406FFEF30E3007FA08300D400
72308+:10155000979F005C8F8200608F8D003803E2C82364
72309+:10156000A799005CA5A000BC91AF00D401F870243D
72310+:10157000A1AE00D48F8C0038A18000D78F8A0038AC
72311+:10158000A5400082AD4000EC914500D400A658244F
72312+:10159000A14B00D48F9000348F8400609786005C4C
72313+:1015A0000204282110C0000FAF850034A38000582A
72314+:1015B0003C0780008E2C000894ED01208E2B000447
72315+:1015C000018D5021014B8021020620233086FFFF30
72316+:1015D00030C8000F3909000131310001162000091F
72317+:1015E000A3880058938600488FBF00188FB100145D
72318+:1015F0008FB0001027BD0020AF85006403E0000815
72319+:10160000AF86006000C870238FBF00189386004823
72320+:101610008FB100148FB0001034EF0C00010F28219F
72321+:1016200027BD0020ACEE0084AF85006403E0000815
72322+:10163000AF86006035900180020028210E00190F4E
72323+:10164000240600828F840038908600D430C5004084
72324+:1016500050A0FFBAA38000688F85004C3C06800034
72325+:101660008CCD01B805A0FFFE8F89006C2408608234
72326+:1016700024070002AE090000A6080008A207000B1C
72327+:101680008CA300083C0E1000AE0300108CA2000CCE
72328+:10169000AE0200148CBF0014AE1F00188CB90018E5
72329+:1016A000AE1900248CB80024AE1800288CAF002896
72330+:1016B000AE0F002CACCE01B80A001948A380006818
72331+:1016C0008F8A003827BDFFE0AFB10014AFB0001023
72332+:1016D0008F880060AFBF00189389003C954200BC22
72333+:1016E00030D100FF0109182B0080802130AC00FFB1
72334+:1016F0003047FFFF0000582114600003310600FF4F
72335+:1017000001203021010958239783005C0068202BB9
72336+:101710001480002700000000106800562419000102
72337+:101720001199006334E708803165FFFF0E0018C08F
72338+:10173000020020218F83006C3C07800034E601808A
72339+:101740003C0580008CAB01B80560FFFE240A001840
72340+:101750008F840038ACC30000A0CA000B948900BE7F
72341+:101760003C081000A4C90010ACC00030ACA801B8FF
72342+:101770009482008024430001A4830080949F008011
72343+:101780003C0608008CC6318833EC7FFF1186005E72
72344+:101790000000000002002021022028218FBF001835
72345+:1017A0008FB100148FB000100A00193427BD00203B
72346+:1017B000914400D42403FF8000838825A15100D4E4
72347+:1017C0009784005C3088FFFF51000023938C003C1D
72348+:1017D0008F8500382402EFFF008B782394AE00BC85
72349+:1017E0000168502B31E900FF01C26824A4AD00BCA0
72350+:1017F00051400039010058213C1F800037E60100AC
72351+:101800008CD800043C190001031940245500000144
72352+:1018100034E740008E0A00202403FFFB241100015E
72353+:1018200001432024AE0400201191002D34E78000F4
72354+:1018300002002021012030210E0018C03165FFFF79
72355+:101840009787005C8F890060A780005C0127802358
72356+:10185000AF900060938C003C8F8B00388FBF0018D6
72357+:101860008FB100148FB0001027BD002003E00008E6
72358+:10187000A16C00D73C0D800035AA01008D48000402
72359+:101880003C0900010109282454A0000134E740006C
72360+:101890008E0F00202418FFFB34E7800001F870242D
72361+:1018A00024190001AE0E00201599FF9F34E708802F
72362+:1018B000020020210E00188E3165FFFF020020215A
72363+:1018C000022028218FBF00188FB100148FB00010A4
72364+:1018D0000A00193427BD00200A0019F7000048212A
72365+:1018E00002002021012030210E00188E3165FFFFFB
72366+:1018F0009787005C8F890060A780005C01278023A8
72367+:101900000A001A0EAF900060948C0080241F8000A3
72368+:10191000019F3024A4860080908B0080908F0080EF
72369+:10192000316700FF0007C9C20019C027001871C045
72370+:1019300031ED007F01AE2825A08500800A0019DF67
72371+:1019400002002021938500682403000127BDFFE8E1
72372+:1019500000A330042CA20020AFB00010AFBF0014D1
72373+:1019600000C01821104000132410FFFE3C0708009F
72374+:101970008CE7319000E610243C088000350501809A
72375+:1019800014400005240600848F890038240A0004CE
72376+:101990002410FFFFA12A00FC0E00190F0000000018
72377+:1019A000020010218FBF00148FB0001003E0000868
72378+:1019B00027BD00183C0608008CC631940A001A574F
72379+:1019C00000C310248F87004427BDFFE0AFB200188A
72380+:1019D000AFB10014AFB00010AFBF001C30D000FF9B
72381+:1019E00090E6000D00A088210080902130C5007F86
72382+:1019F000A0E5000D8F8500388E2300188CA200D042
72383+:101A00001062002E240A000E0E001A4AA38A0068F3
72384+:101A10002409FFFF104900222404FFFF5200002088
72385+:101A2000000020218E2600003C0C001000CC582421
72386+:101A3000156000393C0E000800CE682455A0003F18
72387+:101A4000024020213C18000200D880241200001F10
72388+:101A50003C0A00048F8700448CE200148CE30010E1
72389+:101A60008CE500140043F82303E5C82B1320000580
72390+:101A7000024020218E24002C8CF1001010910031A6
72391+:101A80000240202124020012A38200680E001A4A9C
72392+:101A90002412FFFF105200022404FFFF0000202147
72393+:101AA0008FBF001C8FB200188FB100148FB00010D0
72394+:101AB0000080102103E0000827BD002090A800D47A
72395+:101AC000350400200A001A80A0A400D400CA4824CB
72396+:101AD0001520000B8F8B00448F8D00448DAC0010BF
72397+:101AE0001580000B024020218E2E002C51C0FFECEF
72398+:101AF00000002021024020210A001A9B2402001726
72399+:101B00008D66001050C0FFE6000020210240202119
72400+:101B10000A001A9B24020011024020212402001511
72401+:101B20000E001A4AA3820068240FFFFF104FFFDC4B
72402+:101B30002404FFFF0A001A8A8E2600000A001AC138
72403+:101B4000240200143C08000400C8382450E0FFD4EC
72404+:101B500000002021024020210A001A9B24020013C9
72405+:101B60008F85003827BDFFD8AFB3001CAFB2001877
72406+:101B7000AFB10014AFB00010AFBF002090A700D4E9
72407+:101B80008F90004C2412FFFF34E2004092060000C8
72408+:101B9000A0A200D48E0300100080982110720006CD
72409+:101BA00030D1003F2408000D0E001A4AA3880068B7
72410+:101BB000105200252404FFFF8F8A00388E09001878
72411+:101BC0008D4400D01124000702602021240C000E57
72412+:101BD0000E001A4AA38C0068240BFFFF104B001A5A
72413+:101BE0002404FFFF24040020122400048F8D0038F9
72414+:101BF00091AF00D435EE0020A1AE00D48F85005403
72415+:101C000010A00019000000001224004A8F9800382C
72416+:101C10008F92FCC0971000809651000A5230004805
72417+:101C20008F9300403C1F08008FFF318C03E5C82BC9
72418+:101C30001720001E02602021000028210E0019A993
72419+:101C400024060001000020218FBF00208FB3001C5C
72420+:101C50008FB200188FB100148FB0001000801021D7
72421+:101C600003E0000827BD00285224002A8E05001436
72422+:101C70008F840038948A008025490001A48900805F
72423+:101C8000948800803C0208008C42318831077FFF35
72424+:101C900010E2000E00000000026020210E00193446
72425+:101CA000240500010A001B0B000020212402002D46
72426+:101CB0000E001A4AA38200682403FFFF1443FFE1C9
72427+:101CC0002404FFFF0A001B0C8FBF002094990080A2
72428+:101CD000241F800024050001033FC024A498008035
72429+:101CE00090920080908E0080325100FF001181C2DE
72430+:101CF00000107827000F69C031CC007F018D582576
72431+:101D0000A08B00800E001934026020210A001B0BFA
72432+:101D1000000020212406FFFF54A6FFD68F84003840
72433+:101D2000026020210E001934240500010A001B0B5B
72434+:101D300000002021026020210A001B252402000A45
72435+:101D40002404FFFD0A001B0BAF9300608F8800384E
72436+:101D500027BDFFE8AFB00010AFBF0014910A00D458
72437+:101D60008F87004C00808021354900408CE60010B0
72438+:101D7000A10900D43C0208008C4231B030C53FFFBD
72439+:101D800000A2182B106000078F850050240DFF80E3
72440+:101D900090AE000D01AE6024318B00FF156000088D
72441+:101DA0000006C382020020212403000D8FBF00140F
72442+:101DB0008FB0001027BD00180A001A4AA3830068DC
72443+:101DC00033060003240F000254CFFFF70200202146
72444+:101DD00094A2001C8F85003824190023A4A200E8D7
72445+:101DE0008CE8000000081E02307F003F13F9003528
72446+:101DF0003C0A00838CE800188CA600D0110600086D
72447+:101E0000000000002405000E0E001A4AA385006899
72448+:101E10002407FFFF104700182404FFFF8F850038B8
72449+:101E200090A900D435240020A0A400D48F8C0044B5
72450+:101E3000918E000D31CD007FA18D000D8F83005458
72451+:101E40001060001C020020218F8400508C9800102C
72452+:101E50000303782B11E0000D241900180200202143
72453+:101E6000A39900680E001A4A2410FFFF10500002C8
72454+:101E70002404FFFF000020218FBF00148FB000104A
72455+:101E80000080102103E0000827BD00188C86001098
72456+:101E90008F9F00440200202100C31023AFE20010F6
72457+:101EA000240500010E0019A9240600010A001B9751
72458+:101EB000000020210E001934240500010A001B97A0
72459+:101EC00000002021010A5824156AFFD98F8C004494
72460+:101ED000A0A600FC0A001B84A386005A30A500FFC0
72461+:101EE0002406000124A9000100C9102B1040000C99
72462+:101EF00000004021240A000100A61823308B0001B5
72463+:101F000024C60001006A3804000420421160000267
72464+:101F100000C9182B010740251460FFF800A61823FC
72465+:101F200003E000080100102127BDFFD8AFB0001862
72466+:101F30008F90004CAFB1001CAFBF00202403FFFF07
72467+:101F40002411002FAFA30010920600002405000802
72468+:101F500026100001006620260E001BB0308400FF12
72469+:101F600000021E003C021EDC34466F410A001BD8F2
72470+:101F70000000102110A00009008018212445000154
72471+:101F800030A2FFFF2C4500080461FFFA0003204047
72472+:101F90000086202614A0FFF9008018210E001BB037
72473+:101FA000240500208FA300102629FFFF313100FFF8
72474+:101FB00000034202240700FF1627FFE20102182651
72475+:101FC00000035027AFAA0014AFAA00100000302170
72476+:101FD00027A8001027A7001400E6782391ED00033E
72477+:101FE00024CE000100C8602131C600FF2CCB0004C4
72478+:101FF0001560FFF9A18D00008FA200108FBF002097
72479+:102000008FB1001C8FB0001803E0000827BD002826
72480+:1020100027BDFFD0AFB3001CAFB00010AFBF00288A
72481+:10202000AFB50024AFB40020AFB20018AFB10014B8
72482+:102030003C0C80008D880128240FFF803C06800A1C
72483+:1020400025100100250B0080020F68243205007F57
72484+:10205000016F7024AD8E009000A62821AD8D002464
72485+:1020600090A600FC3169007F3C0A8004012A1821F7
72486+:10207000A386005A9067007C00809821AF830030CF
72487+:1020800030E20002AF88006CAF85003800A0182154
72488+:10209000144000022404003424040030A3840048C7
72489+:1020A0008C7200DC30D100FF24040004AF92006089
72490+:1020B00012240004A38000688E7400041680001EA1
72491+:1020C0003C0880009386005930C7000110E0000FE3
72492+:1020D0008F9300608CB000848CA800842404FF805F
72493+:1020E000020410240002F940310A007F03EA482567
72494+:1020F0003C0C2000012C902530CD00FE3C038000DC
72495+:10210000AC720830A38D00598F9300608FBF0028F8
72496+:102110008FB50024ACB300DC8FB400208FB3001C5B
72497+:102120008FB200188FB100148FB00010240200018C
72498+:1021300003E0000827BD00308E7F000895020120D3
72499+:102140008E67001003E2C8213326FFFF30D8000F4E
72500+:1021500033150001AF87003416A00058A39800582B
72501+:1021600035090C000309382100D81823AD03008479
72502+:10217000AF8700648E6A00043148FFFF1100007EC3
72503+:10218000A78A005C90AC00D42407FF8000EC3024C8
72504+:1021900030CB00FF1560004B9786005C938E005A91
72505+:1021A000240D000230D5FFFF11CD02A20000A021B6
72506+:1021B0008F85006002A5802B160000BC9388004824
72507+:1021C0003C11800096240120310400FF1485008812
72508+:1021D0008F8400648F9800343312000356400085CA
72509+:1021E00030A500FF8F900064310C00FF24060034FE
72510+:1021F00011860095AF90004C9204000414800118E1
72511+:102200008F8E0038A380003C8E0D00048DC800D84E
72512+:102210003C0600FF34CCFFFF01AC30240106182B34
72513+:1022200014600120AF8600548F8700609798005C8F
72514+:10223000AF8700400307402310C000C7A788005C99
72515+:102240008F91003030C3000300035823922A007C92
72516+:102250003171000302261021000A20823092000111
72517+:102260000012488000492821311FFFFF03E5C82BD9
72518+:10227000132001208F8800388F8500348F880064F8
72519+:102280001105025A3C0E3F018E0600003C0C250051
72520+:1022900000CE682411AC01638F84004C30E500FF50
72521+:1022A0000E00184A000030218F8800388F870060A8
72522+:1022B0008F8500340A001DB78F8600540A001C5613
72523+:1022C000AF87006490A400D400E48024320200FFB1
72524+:1022D000104000169386005990A6008890AE00D753
72525+:1022E00024A8008830D4003F2686FFE02CD10020AF
72526+:1022F000A38E003C1220000CAF88004C240B000180
72527+:1023000000CB20043095001916A0012B3C0680005C
72528+:1023100034CF0002008FC0241700022E3099002015
72529+:1023200017200234000000009386005930CB0001D2
72530+:102330001160000F9788005C8CBF00848CA900841A
72531+:10234000240AFF8003EA6024000C19403132007F28
72532+:10235000007238253C0D200000EDC82530D800FE65
72533+:102360003C0F8000ADF90830A39800599788005CB5
72534+:102370001500FF84000000008E630020306200041E
72535+:102380001040FF51938600592404FFFB0064802411
72536+:102390003C038000AE700020346601808C7301B86D
72537+:1023A0000660FFFE8F98006C347501003C1400013C
72538+:1023B000ACD800008C6B012424076085ACCB0004F2
72539+:1023C0008EAE000401D488245220000124076083CB
72540+:1023D00024190002A4C700083C0F1000A0D9000B6C
72541+:1023E0003C068000ACCF01B80A001C2B9386005934
72542+:1023F00030A500FF0E00184A240600018F88006CEB
72543+:102400003C05800034A90900250201889388004812
72544+:10241000304A0007304B00783C0340802407FF809F
72545+:102420000163C825014980210047F824310C00FFD1
72546+:1024300024060034ACBF0800AF90004CACB90810C3
72547+:102440005586FF6E920400048F8400388E11003090
72548+:10245000908E00D431CD001015A000108F83006045
72549+:102460002C6F000515E000E400000000909800D4F7
72550+:102470002465FFFC331200101640000830A400FF52
72551+:102480008F9F00648F99003413F90004388700018E
72552+:1024900030E20001144001C8000000000E001BC320
72553+:1024A000000000000A001DF8000000008F84006496
72554+:1024B00030C500FF0E00184A24060001939800481A
72555+:1024C000240B0034130B00A08F8500388F8600602A
72556+:1024D0009783005C306EFFFF00CE8823AF910060D1
72557+:1024E000A780005C1280FF90028018212414FFFD59
72558+:1024F0005474FFA28E6300208E6A00042403FFBF81
72559+:102500002408FFEF0155F823AE7F000490AC00D4FF
72560+:102510003189007FA0A900D48E7200208F8F0038EF
72561+:10252000A780005C364D0002AE6D0020A5E000BC27
72562+:1025300091E500D400A3C824A1F900D48F950038F8
72563+:10254000AEA000EC92B800D403085824A2AB00D48B
72564+:102550000A001CD78F8500388F910034AF8000604F
72565+:1025600002275821AF8B0034000020212403FFFFF5
72566+:10257000108301B48F8500388E0C00103C0D0800CC
72567+:102580008DAD31B09208000031843FFF008D802B6B
72568+:1025900012000023310D003F3C1908008F3931A88B
72569+:1025A0008F9F006C000479802408FF80033F202166
72570+:1025B000008FC821938500590328F8243C06008029
72571+:1025C0003C0F800034D80001001F91403331007F60
72572+:1025D0008F8600380251502535EE0940332B0078A4
72573+:1025E000333000073C0310003C02800C017890253A
72574+:1025F000020E48210143C0250222382134AE0001D9
72575+:10260000ADFF0804AF890050ADF20814AF87004455
72576+:10261000ADFF0028ACD90084ADF80830A38E005976
72577+:102620009383005A24070003106700272407000142
72578+:102630001467FFAC8F8500382411002311B1008589
72579+:1026400000000000240E000B026020210E001A4A38
72580+:10265000A38E00680040A0210A001D328F8500383B
72581+:1026600002602021240B000C0E001A4AA38B006884
72582+:10267000240AFFFF104AFFBD2404FFFF8F8E00389D
72583+:10268000A380003C8E0D00048DC800D83C0600FFDE
72584+:1026900034CCFFFF01AC30240106182B1060FEE2A1
72585+:1026A000AF86005402602021241200190E001A4A3D
72586+:1026B000A3920068240FFFFF104FFFAC2404FFFF1C
72587+:1026C0000A001C838F86005425A3FFE02C74002091
72588+:1026D0001280FFDD240E000B000328803C1108014E
72589+:1026E000263194B400B148218D2D000001A00008CE
72590+:1026F000000000008F85003400A710219385003C66
72591+:10270000AF82003402251821A383003C951F00BC32
72592+:102710000226282137F91000A51900BC5240FF926B
72593+:10272000AF850060246A0004A38A003C950900BCC0
72594+:1027300024A40004AF84006035322000A51200BC40
72595+:102740000A001D54000020218F8600602CC800055F
72596+:102750001500FF609783005C3065FFFF00C5C8234C
72597+:102760002F2F000511E00003306400FF24CDFFFC93
72598+:1027700031A400FF8F8900648F920034113200046D
72599+:10278000389F000133EC0001158001380000000083
72600+:102790008F840038908700D434E60010A08600D4DF
72601+:1027A0008F8500388F8600609783005CACA000ECBA
72602+:1027B0000A001D2F306EFFFF8CB500848CB400849E
72603+:1027C0003C04100002A7302400068940328E007FAE
72604+:1027D000022E8025020410253C08800024050001FB
72605+:1027E00002602021240600010E0019A9AD02083064
72606+:1027F0000A001CC38F8500388C8200EC1222FE7EFA
72607+:102800000260202124090005A38900680E001A4AED
72608+:102810002411FFFF1451FE782404FFFF0A001D5508
72609+:102820002403FFFF8F8F004C8F8800388DF8000045
72610+:10283000AD1800888DE70010AD0700988F87006005
72611+:102840000A001DB78F8600542406FFFF118600057D
72612+:10285000000000000E001B4C026020210A001D8FAA
72613+:102860000040A0210E001AD1026020210A001D8F15
72614+:102870000040A0218F90004C3C0208008C4231B0F7
72615+:102880008E110010322C3FFF0182282B10A0000C6B
72616+:10289000240BFF808F85005090A3000D01637024EE
72617+:1028A00031CA00FF1140000702602021001143825D
72618+:1028B000310600032418000110D8010600000000B2
72619+:1028C000026020212403000D0E001A4AA383006831
72620+:1028D000004020218F8500380A001D320080A02191
72621+:1028E0008F90004C3C0A08008D4A31B08F85005013
72622+:1028F0008E0400100000A0218CB1001430823FFF34
72623+:10290000004A602B8CB200205180FFEE0260202133
72624+:1029100090B8000D240BFF800178702431C300FFB4
72625+:102920005060FFE80260202100044382310600036A
72626+:1029300014C0FFE40260202194BF001C8F9900386E
72627+:102940008E060028A73F00E88CAF0010022F20233E
72628+:1029500014C4013A026020218F83005400C368210F
72629+:10296000022D382B14E00136240200188F8A00440F
72630+:102970008F820030024390218D4B00100163702341
72631+:10298000AD4E0010AD5200208C4C00740192282BEB
72632+:1029900014A0015F026020218F8400508E08002463
72633+:1029A0008C86002411060007026020212419001CD7
72634+:1029B0000E001A4AA3990068240FFFFF104FFFC5AD
72635+:1029C0002404FFFF8F8400448C87002424FF00012F
72636+:1029D000AC9F00241251012F8F8D00308DB10074F7
72637+:1029E0001232012C3C0B00808E0E000001CB5024D3
72638+:1029F00015400075000000008E0300142411FFFF35
72639+:102A0000107100073C0808003C0608008CC6319095
72640+:102A100000C8C0241300015202602021A380006876
72641+:102A20008E0300003C19000100792024108000135F
72642+:102A30003C1F0080007FA02416800009020028218E
72643+:102A4000026020212411001A0E001A4AA391006886
72644+:102A50002407FFFF1047FF9F2404FFFF02002821E7
72645+:102A6000026020210E001A6A240600012410FFFFD4
72646+:102A70001050FF982404FFFF241400018F8D0044A0
72647+:102A8000026020210280302195A900342405000134
72648+:102A9000253200010E0019A9A5B200340000202142
72649+:102AA0008F8500380A001D320080A0218F90004CD5
72650+:102AB0003C1408008E9431B08E07001030E53FFFC3
72651+:102AC00000B4C82B132000618F8600502412FF80B1
72652+:102AD00090C9000D0249682431A400FF5080005CB9
72653+:102AE000026020218F8C00541180000700078B8228
72654+:102AF0008F8500388F82FCC094BF0080944A000A02
72655+:102B0000515F00F78F8600403227000314E0006415
72656+:102B100000000000920E000211C000D8000000006A
72657+:102B20008E0B0024156000D902602021920400035E
72658+:102B300024190002308500FF14B90005308900FF18
72659+:102B40008F940054128000EA240D002C308900FF7D
72660+:102B5000392C00102D8400012D3200010244302553
72661+:102B6000020028210E001A6A026020212410FFFFB3
72662+:102B7000105000BF8F8500388F830054106000D341
72663+:102B8000240500013C0A08008D4A318C0143F82BD2
72664+:102B900017E000B22402002D02602021000028214D
72665+:102BA0000E0019A9240600018F85003800001821A5
72666+:102BB0000A001D320060A0210E0018750000000000
72667+:102BC0000A001DF800000000AC8000200A001E78FA
72668+:102BD0008E03001400002821026020210E0019A994
72669+:102BE000240600010A001CC38F8500380A001DB7A7
72670+:102BF0008F8800388CAA00848CAC00843C031000C1
72671+:102C00000147F824001F91403189007F024968255F
72672+:102C100001A32825ACC50830910700012405000157
72673+:102C2000026020210E0019A930E600010A001CC331
72674+:102C30008F850038938F00482403FFFD0A001D3460
72675+:102C4000AF8F00600A001D342403FFFF02602021C3
72676+:102C50002410000D0E001A4AA390006800401821AD
72677+:102C60008F8500380A001D320060A0210E00187503
72678+:102C7000000000009783005C8F86006000402021E8
72679+:102C80003070FFFF00D010232C4A00051140FE11C8
72680+:102C90008F850038ACA400EC0A001D2F306EFFFFBA
72681+:102CA00090CF000D31E300085460FFA192040003AF
72682+:102CB00002602021240200100E001A4AA38200683C
72683+:102CC0002403FFFF5443FF9A920400030A001F12DB
72684+:102CD0008F85003890A4000D308F000811E000951A
72685+:102CE0008F990054572000A6026020218E1F000CEF
72686+:102CF0008CB4002057F40005026020218E0D0008DE
72687+:102D00008CA7002411A7003A026020212402002091
72688+:102D1000A38200680E001A4A2412FFFF1052FEED33
72689+:102D20002404FFFF8F9F00442402FFF73C14800E11
72690+:102D300093EA000D2419FF803C03800001423824EF
72691+:102D4000A3E7000D8F9F00303C0908008D2931ACAE
72692+:102D50008F8C006C97F200788F870044012C302113
72693+:102D6000324D7FFF000D204000C4782131E5007F07
72694+:102D700000B4C02101F94024AC68002CA711000068
72695+:102D80008CEB0028256E0001ACEE00288CEA002CAC
72696+:102D90008E02002C01426021ACEC002C8E09002C2C
72697+:102DA000ACE900308E120014ACF2003494ED003A1D
72698+:102DB00025A40001A4E4003A97E600783C1108003D
72699+:102DC0008E3131B024C3000130707FFF1211005CDE
72700+:102DD000006030218F8F0030026020212405000127
72701+:102DE0000E001934A5E600780A001EA1000020217B
72702+:102DF0008E0900142412FFFF1132006B8F8A0038F5
72703+:102E00008E0200188D4C00D0144C00650260202109
72704+:102E10008E0B00248CAE0028116E005B2402002172
72705+:102E20000E001A4AA38200681452FFBE2404FFFF5A
72706+:102E30008F8500380A001D320080A0212402001F67
72707+:102E40000E001A4AA38200682409FFFF1049FEA160
72708+:102E50002404FFFF0A001E548F83005402602021C7
72709+:102E60000E001A4AA38200681450FF508F85003864
72710+:102E70002403FFFF0A001D320060A0218CD800242B
72711+:102E80008E0800241118FF29026020210A001F2744
72712+:102E90002402000F8E0900003C05008001259024CB
72713+:102EA0001640FF492402001A026020210E001A4A2F
72714+:102EB000A3820068240CFFFF144CFECF2404FFFF04
72715+:102EC0008F8500380A001D320080A0210E001934C1
72716+:102ED000026020218F8500380A001EE500001821BD
72717+:102EE0002403FFFD0060A0210A001D32AF860060B0
72718+:102EF000026020210E001A4AA38D00682403FFFF00
72719+:102F00001043FF588F8500380A001ECC920400033E
72720+:102F10002418001D0E001A4AA39800682403FFFF1E
72721+:102F20001443FE9D2404FFFF8F8500380A001D32E4
72722+:102F30000080A021026020210A001F3D24020024FD
72723+:102F4000240880000068C024330BFFFF000B73C20D
72724+:102F500031D000FF001088270A001F6E001133C017
72725+:102F6000240F001B0E001A4AA38F00681451FEACF8
72726+:102F70002404FFFF8F8500380A001D320080A02145
72727+:102F80000A001F3D240200278E0600288CA3002C77
72728+:102F900010C30008026020210A001F812402001FC4
72729+:102FA0000A001F812402000E026020210A001F81F6
72730+:102FB000240200258E04002C1080000D8F8F00301D
72731+:102FC0008DE800740104C02B5700000C0260202122
72732+:102FD0008CB900140086A0210334282B10A0FF52C6
72733+:102FE0008F9F0044026020210A001F8124020022DA
72734+:102FF000026020210A001F81240200230A001F8191
72735+:103000002402002627BDFFD8AFB3001CAFB10014C7
72736+:10301000AFBF0020AFB20018AFB000103C0280007C
72737+:103020008C5201408C4B01483C048000000B8C0208
72738+:10303000322300FF317300FF8C8501B804A0FFFE2E
72739+:1030400034900180AE1200008C8701442464FFF0AC
72740+:10305000240600022C830013AE070004A61100080A
72741+:10306000A206000BAE1300241060004F8FBF00209B
72742+:10307000000448803C0A0801254A9534012A402171
72743+:103080008D04000000800008000000003C030800E0
72744+:103090008C6331A831693FFF00099980007280215B
72745+:1030A000021370212405FF80264D0100264C00806C
72746+:1030B0003C02800031B1007F3198007F31CA007F2F
72747+:1030C0003C1F800A3C1980043C0F800C01C5202461
72748+:1030D00001A5302401853824014F1821AC46002475
72749+:1030E000023F402103194821AC470090AC4400281E
72750+:1030F000AF830044AF880038AF8900300E0019005C
72751+:10310000016080213C0380008C6B01B80560FFFEEC
72752+:103110008F8700448F8600383465018090E8000D69
72753+:10312000ACB20000A4B0000600082600000416039C
72754+:1031300000029027001227C21080008124C200885C
72755+:10314000241F6082A4BF0008A0A000052402000282
72756+:10315000A0A2000B8F8B0030000424003C08270045
72757+:1031600000889025ACB20010ACA00014ACA00024E4
72758+:10317000ACA00028ACA0002C8D6900382413FF807F
72759+:10318000ACA9001890E3000D02638024320500FF13
72760+:1031900010A000058FBF002090ED000D31AC007F26
72761+:1031A000A0EC000D8FBF00208FB3001C8FB2001861
72762+:1031B0008FB100148FB000103C0A10003C0E80004C
72763+:1031C00027BD002803E00008ADCA01B8265F010052
72764+:1031D0002405FF8033F8007F3C06800003E5782457
72765+:1031E0003C19800A03192021ACCF0024908E00D412
72766+:1031F00000AE682431AC00FF11800024AF84003899
72767+:10320000248E008895CD00123C0C08008D8C31A8CE
72768+:1032100031AB3FFF01924821000B5180012A402130
72769+:1032200001052024ACC400283107007F3C06800C37
72770+:1032300000E620219083000D00A31024304500FFFC
72771+:1032400010A0FFD8AF8400449098000D330F0010F9
72772+:1032500015E0FFD58FBF00200E0019000000000010
72773+:103260003C0380008C7901B80720FFFE00000000BD
72774+:10327000AE1200008C7F0144AE1F0004A6110008AE
72775+:1032800024110002A211000BAE1300243C1308010C
72776+:10329000927396F0327000015200FFC38FBF00207E
72777+:1032A0000E002146024020210A0020638FBF00202B
72778+:1032B0003C1260008E452C083C03F0033462FFFF93
72779+:1032C00000A2F824AE5F2C088E582C083C1901C0CF
72780+:1032D00003199825AE532C080A0020638FBF0020E5
72781+:1032E000264D010031AF007F3C10800A240EFF8084
72782+:1032F00001F0282101AE60243C0B8000AD6C00245D
72783+:103300001660FFA8AF85003824110003A0B100FCAF
72784+:103310000A0020638FBF002026480100310A007F89
72785+:103320003C0B800A2409FF80014B30210109202435
72786+:103330003C078000ACE400240A002062AF8600381D
72787+:10334000944E0012320C3FFF31CD3FFF15ACFF7D94
72788+:10335000241F608290D900D42418FF800319782498
72789+:1033600031EA00FF1140FF7700000000240700044D
72790+:10337000A0C700FC8F870044241160842406000D40
72791+:10338000A4B10008A0A600050A00204D24020002F6
72792+:103390003C040001248496DC24030014240200FE73
72793+:1033A0003C010800AC2431EC3C010800AC2331E8BE
72794+:1033B0003C010801A42296F83C040801248496F8F4
72795+:1033C0000000182100643021A0C300042463000120
72796+:1033D0002C6500FF54A0FFFC006430213C0708006E
72797+:1033E00024E7010003E00008AF87007800A058211F
72798+:1033F000008048210000102114A00012000050217C
72799+:103400000A002142000000003C010801A42096F8B7
72800+:103410003C05080194A596F88F8200783C0C0801C1
72801+:10342000258C96F800E2182100AC2021014B302BAE
72802+:10343000A089000400001021A460000810C0003919
72803+:10344000010048218F8600780009384000E94021BA
72804+:103450000008388000E6282190A8000B90B9000AE7
72805+:103460000008204000881021000218800066C0215A
72806+:10347000A319000A8F85007800E5782191EE000AF3
72807+:1034800091E6000B000E684001AE6021000C208028
72808+:1034900000851021A046000B3C030801906396F2C2
72809+:1034A000106000222462FFFF8F8300383C01080176
72810+:1034B000A02296F2906C00FF118000040000000032
72811+:1034C000906E00FF25CDFFFFA06D00FF3C190801A5
72812+:1034D000973996F8272300013078FFFF2F0F00FF60
72813+:1034E00011E0FFC9254A00013C010801A42396F818
72814+:1034F0003C05080194A596F88F8200783C0C0801E1
72815+:10350000258C96F800E2182100AC2021014B302BCD
72816+:10351000A089000400001021A460000814C0FFC9A5
72817+:103520000100482103E000080000000003E000085B
72818+:103530002402000227BDFFE0248501002407FF804C
72819+:10354000AFB00010AFBF0018AFB1001400A718242F
72820+:103550003C10800030A4007F3C06800A00862821B1
72821+:103560008E110024AE03002490A200FF1440000836
72822+:10357000AF850038A0A000098FBF0018AE1100244D
72823+:103580008FB100148FB0001003E0000827BD0020A9
72824+:1035900090A900FD90A800FF312400FF0E0020F448
72825+:1035A000310500FF8F8500388FBF0018A0A00009EB
72826+:1035B000AE1100248FB100148FB0001003E000089A
72827+:1035C00027BD002027BDFFD0AFB20020AFB1001C47
72828+:1035D000AFB00018AFBF002CAFB40028AFB30024C9
72829+:1035E0003C0980009533011635320C00952F011AE5
72830+:1035F0003271FFFF023280218E08000431EEFFFF9E
72831+:10360000248B0100010E6821240CFF8025A5FFFFFB
72832+:10361000016C50243166007F3C07800AAD2A0024EB
72833+:1036200000C73021AF850074AF8800703C010801ED
72834+:10363000A02096F190C300090200D02100809821BB
72835+:10364000306300FF2862000510400048AF86003854
72836+:10365000286400021480008E24140001240D00054B
72837+:103660003C010801A02D96D590CC00FD3C0108013D
72838+:10367000A02096D63C010801A02096D790CB000A46
72839+:10368000240AFF80318500FF014B4824312700FFC9
72840+:1036900010E0000C000058213C12800836510080D8
72841+:1036A0008E2F00308CD0005C01F0702305C0018E9D
72842+:1036B0008F87007090D4000A3284007FA0C4000A73
72843+:1036C0008F8600383C118008363000808E0F003025
72844+:1036D0008F87007000EF702319C000EE000000001B
72845+:1036E00090D4000924120002328400FF1092024795
72846+:1036F000000000008CC2005800E2F82327F9FFFF09
72847+:103700001B2001300000000090C5000924080004BF
72848+:1037100030A300FF10680057240A00013C01080193
72849+:10372000A02A96D590C900FF252700013C01080179
72850+:10373000A02796D43C030801906396D52406000583
72851+:103740001066006A2C780005130000C40000902168
72852+:103750000003F8803C0408012484958003E4C82118
72853+:103760008F25000000A0000800000000241800FFC2
72854+:103770001078005C0000000090CC000A90CA00099C
72855+:103780003C080801910896F13187008000EA48253D
72856+:103790003C010801A02996DC90C500FD3C140801FD
72857+:1037A000929496F2311100013C010801A02596DDAA
72858+:1037B00090DF00FE3C010801A03F96DE90D200FFA2
72859+:1037C0003C010801A03296DF8CD900543C0108016D
72860+:1037D000AC3996E08CD000583C010801AC3096E43E
72861+:1037E0008CC3005C3C010801AC3496EC3C01080140
72862+:1037F000AC2396E8162000088FBF002C8FB4002859
72863+:103800008FB300248FB200208FB1001C8FB000183E
72864+:1038100003E0000827BD00303C1180009624010E13
72865+:103820000E000FD43094FFFF3C0B08018D6B96F413
72866+:103830000260382102802821AE2B01803C13080150
72867+:103840008E7396D401602021240600830E00102F71
72868+:10385000AFB300108FBF002C8FB400288FB30024AB
72869+:103860008FB200208FB1001C8FB0001803E0000859
72870+:1038700027BD00303C1808008F1831FC270F0001CD
72871+:103880003C010800AC2F31FC0A0021D700000000E9
72872+:103890001474FFB900000000A0C000FF3C05080040
72873+:1038A0008CA531E43C0308008C6331E03C02080045
72874+:1038B0008C4232048F99003834A80001241F000282
72875+:1038C0003C010801AC2396F43C010801A02896F0C5
72876+:1038D0003C010801A02296F3A33F00090A002190B1
72877+:1038E0008F8600380E002146000000000A0021D714
72878+:1038F0008F8600383C1F080193FF96D424190001DD
72879+:1039000013F902298F8700703C100801921096D895
72880+:103910003C06080190C696D610C000050200A02102
72881+:103920003C040801908496D9109001E48F870078B8
72882+:10393000001088408F9F0078023048210009C8801D
72883+:10394000033F702195D80008270F0001A5CF00087C
72884+:103950003C040801908496D93C05080190A596D6B0
72885+:103960000E0020F4000000008F8700780230202134
72886+:103970000004308000C720218C8500048F820074F1
72887+:1039800000A2402305020006AC8200048C8A0000DD
72888+:103990008F830070014310235C400001AC83000062
72889+:1039A0008F86003890CB00FF2D6C00025580002DD3
72890+:1039B000241400010230F821001F40800107282153
72891+:1039C00090B9000B8CAE00040019C0400319782197
72892+:1039D000000F1880006710218C4D000001AE882375
72893+:1039E0002630FFFF5E00001F241400018C440004F9
72894+:1039F0008CAA0000008A482319200019240E000414
72895+:103A00003C010801A02E96D590AD000B8CAB0004B4
72896+:103A1000000D8840022D80210010108000471021E9
72897+:103A20008C44000401646023058202009443000872
72898+:103A300090DF00FE90B9000B33E500FF54B900049D
72899+:103A40000107A021A0D400FE8F8700780107A021E4
72900+:103A50009284000B0E0020F4240500018F860038AC
72901+:103A600024140001125400962E500001160000424A
72902+:103A70003C08FFFF241900021659FF3F0000000018
72903+:103A8000A0C000FF8F860038A0D200090A0021D70D
72904+:103A90008F86003890C700092404000230E300FF3D
72905+:103AA0001064016F24090004106901528F880074AA
72906+:103AB0008CCE0054010E682325B10001062001754B
72907+:103AC000241800043C010801A03896D53C010801E7
72908+:103AD000A02096D490D400FD90D200FF2E4F00027B
72909+:103AE00015E0FF14328400FF000438408F8900780D
72910+:103AF00090DF00FF00E41021000220800089C8212F
72911+:103B00002FE500029324000B14A0FF0A24070002F3
72912+:103B100000041840006480210010588001692821A9
72913+:103B20008CAC0004010C50230540FF020000000093
72914+:103B30003C030801906396D614600005246F0001D1
72915+:103B40003C010801A02496D93C010801A02796D782
72916+:103B50003C010801A02F96D690CE00FF24E700017B
72917+:103B600031CD00FF01A7882B1220FFE990A4000BA4
72918+:103B70000A0021C6000000003C0508018CA596D46F
72919+:103B80003C12000400A8F82413F2000624020005E9
72920+:103B90003C090801912996D5152000022402000352
72921+:103BA000240200053C010801A02296F190C700FF05
72922+:103BB00014E0012024020002A0C200090A0021D75B
72923+:103BC0008F86003890CC00FF1180FEDA240A0001B5
72924+:103BD0008F8C00748F890078240F00030180682186
72925+:103BE0001160001E240E0002000540400105A021C6
72926+:103BF00000142080008990218E51000401918023BF
72927+:103C00000600FECC000000003C020801904296D65F
72928+:103C100014400005245800013C010801A02A96D751
72929+:103C20003C010801A02596D93C010801A03896D690
72930+:103C300090DF00FF010510210002C88033E500FF7E
72931+:103C4000254A00010329202100AA402B1500FEB9B6
72932+:103C50009085000B1560FFE50005404000054040E1
72933+:103C600001051821000310803C010801A02A96D408
72934+:103C70003C010801A02596D8004918218C64000455
72935+:103C800000E4F82327F9FFFF1F20FFE900000000F0
72936+:103C90008C63000000E358230560013A01A38823E8
72937+:103CA00010E301170184C0231B00FEA200000000E6
72938+:103CB0003C010801A02E96D50A002305240B000123
72939+:103CC000240E0004A0CE00093C0D08008DAD31F893
72940+:103CD0008F86003825A200013C010800AC2231F893
72941+:103CE0000A0021D7000000008CD9005C00F9C02335
72942+:103CF0001F00FE7B000000008CDF005C10FFFF65F2
72943+:103D00008F8400748CC3005C008340232502000173
72944+:103D10001C40FF60000000008CC9005C248700018B
72945+:103D200000E9282B10A0FE943C0D80008DAB01040F
72946+:103D30003C0C0001016C50241140FE8F2402001045
72947+:103D40003C010801A02296F10A0021D700000000E2
72948+:103D50008F9100748F86003826220001ACC2005C6F
72949+:103D60000A002292241400018F8700382404FF8067
72950+:103D70000000882190E9000A241400010124302564
72951+:103D8000A0E6000A3C05080190A596D63C0408016F
72952+:103D9000908496D90E0020F4000000008F86003831
72953+:103DA0008F85007890C800FD310700FF0007404074
72954+:103DB0000107F821001FC0800305C8219323000BD1
72955+:103DC000A0C300FD8F8500788F8600380305602131
72956+:103DD000918F000B000F704001CF6821000D808093
72957+:103DE000020510218C4B0000ACCB00548D840004E4
72958+:103DF0008F83007400645023194000022482000164
72959+:103E00002462000101074821ACC2005C0009308037
72960+:103E100000C5402100E02021240500010E0020F40F
72961+:103E20009110000B8F86003890C500FF10A0FF0C8A
72962+:103E3000001070408F85007801D06821000D10803F
72963+:103E4000004558218D6400008F8C0074018450233C
72964+:103E50002547000104E0FF02263100013C03080170
72965+:103E6000906396D62E2F0002247800013C010801B1
72966+:103E7000A03896D63C010801A03496D711E0FEF890
72967+:103E8000020038210A002365000740408F84003873
72968+:103E90008F8300748C85005800A340230502FE9A8E
72969+:103EA000AC8300580A00223B000000003C070801D8
72970+:103EB00090E796F2240200FF10E200BE8F860038E1
72971+:103EC0003C110801963196FA3C030801246396F8E8
72972+:103ED000262500013230FFFF30ABFFFF02036021D7
72973+:103EE0002D6A00FF1540008D918700043C010801F8
72974+:103EF000A42096FA8F88003800074840012728211F
72975+:103F0000911800FF000530802405000127140001EE
72976+:103F1000A11400FF3C120801925296F28F8800789B
72977+:103F20008F8E0070264F000100C820213C0108013F
72978+:103F3000A02F96F2AC8E00008F8D0074A48500082F
72979+:103F4000AC8D00043C030801906396D414600077A4
72980+:103F5000000090213C010801A02596D4A087000B09
72981+:103F60008F8C007800CC5021A147000A8F82003846
72982+:103F7000A04700FD8F840038A08700FE8F860038A0
72983+:103F80008F9F0070ACDF00548F990074ACD900583B
72984+:103F90008F8D00780127C02100185880016DA02165
72985+:103FA000928F000A000F704001CF18210003888013
72986+:103FB000022D8021A207000B8F8600780166602108
72987+:103FC000918A000B000A1040004A2021000428803A
72988+:103FD00000A64021A107000A3C07800834E90080C0
72989+:103FE0008D2200308F860038ACC2005C0A0022921D
72990+:103FF0002414000190CA00FF1540FEAD8F880074A4
72991+:10400000A0C400090A0021D78F860038A0C000FD97
72992+:104010008F98003824060001A30000FE3C0108012F
72993+:10402000A02696D53C010801A02096D40A0021C6FE
72994+:104030000000000090CB00FF3C040801908496F340
72995+:10404000316C00FF0184502B1540000F2402000347
72996+:1040500024020004A0C200090A0021D78F8600387C
72997+:1040600090C3000A2410FF8002035824316C00FF23
72998+:104070001180FDC1000000003C010801A02096D580
72999+:104080000A0021C600000000A0C200090A0021D7D2
73000+:104090008F86003890D4000A2412FF8002544824EE
73001+:1040A000312800FF1500FFF4240200083C0108013C
73002+:1040B000A02296F10A0021D70000000000108840DD
73003+:1040C0008F8B0070023018210003688001A7202127
73004+:1040D000AC8B00008F8A0074240C0001A48C0008B3
73005+:1040E000AC8A00043C05080190A596D62402000184
73006+:1040F00010A2FE1E24A5FFFF0A0022519084000B8F
73007+:104100000184A0231A80FD8B000000003C010801FF
73008+:10411000A02E96D50A002305240B00013C010801BE
73009+:10412000A42596FA0A0023B78F880038240B0001D3
73010+:10413000106B00228F9800388F85003890BF00FFE9
73011+:1041400033F900FF1079002B000000003C1F08012C
73012+:1041500093FF96D8001FC840033FC0210018A080DD
73013+:104160000288782191EE000AA08E000A8F8D0078D7
73014+:104170003C030801906396D800CD88210A0023DD16
73015+:10418000A223000B263000010600003101A4902379
73016+:104190000640002B240200033C010801A02F96D505
73017+:1041A0000A002305240B00018F8900380A00223BF6
73018+:1041B000AD2700540A00229124120001931400FD3F
73019+:1041C000A094000B8F8800388F8F0078910E00FE2E
73020+:1041D00000CF6821A1AE000A8F910038A22700FD10
73021+:1041E0008F8300708F900038AE0300540A0023DEE6
73022+:1041F0008F8D007890B000FEA090000A8F8B003861
73023+:104200008F8C0078916A00FD00CC1021A04A000B31
73024+:104210008F840038A08700FE8F8600748F85003859
73025+:10422000ACA600580A0023DE8F8D007894B80008F1
73026+:10423000ACA40004030378210A002285A4AF00087F
73027+:104240003C010801A02296D50A0021C6000000000A
73028+:1042500090CF0009240D000431EE00FF11CDFD8543
73029+:10426000240200013C010801A02296D50A0021C6C3
73030+:1042700000000000080033440800334408003420E4
73031+:10428000080033F4080033D8080033280800332826
73032+:10429000080033280800334C8008010080080080A3
73033+:1042A000800800005F865437E4AC62CC50103A4579
73034+:1042B00036621985BF14C0E81BC27A1E84F4B55655
73035+:1042C000094EA6FE7DDA01E7C04D748108005A74DC
73036+:1042D00008005AB808005A5C08005A5C08005A5C8A
73037+:1042E00008005A5C08005A7408005A5C08005A5CBE
73038+:1042F00008005AC008005A5C080059D408005A5CEB
73039+:1043000008005A5C08005AC008005A5C08005A5C51
73040+:1043100008005A5C08005A5C08005A5C08005A5CA5
73041+:1043200008005A5C08005A5C08005A5C08005A5C95
73042+:1043300008005A9408005A5C08005A9408005A5C15
73043+:1043400008005A5C08005A5C08005A9808005A9401
73044+:1043500008005A5C08005A5C08005A5C08005A5C65
73045+:1043600008005A5C08005A5C08005A5C08005A5C55
73046+:1043700008005A5C08005A5C08005A5C08005A5C45
73047+:1043800008005A5C08005A5C08005A5C08005A5C35
73048+:1043900008005A5C08005A5C08005A5C08005A5C25
73049+:1043A00008005A9808005A9808005A5C08005A9861
73050+:1043B00008005A5C08005A5C08005A5C08005A5C05
73051+:1043C00008005A5C08005A5C08005A5C08005A5CF5
73052+:1043D00008005A5C08005A5C08005A5C08005A5CE5
73053+:1043E00008005A5C08005A5C08005A5C08005A5CD5
73054+:1043F00008005A5C08005A5C08005A5C08005A5CC5
73055+:1044000008005A5C08005A5C08005A5C08005A5CB4
73056+:1044100008005A5C08005A5C08005A5C08005A5CA4
73057+:1044200008005A5C08005A5C08005A5C08005A5C94
73058+:1044300008005A5C08005A5C08005A5C08005A5C84
73059+:1044400008005A5C08005A5C08005A5C08005A5C74
73060+:1044500008005A5C08005A5C08005A5C08005A5C64
73061+:1044600008005A5C08005A5C08005A5C08005A5C54
73062+:1044700008005A5C08005A5C08005A5C08005A5C44
73063+:1044800008005A5C08005A5C08005A5C08005A5C34
73064+:1044900008005A5C08005A5C08005A5C08005A5C24
73065+:1044A00008005A5C08005A5C08005A5C08005A5C14
73066+:1044B00008005A5C08005A5C08005A5C08005A5C04
73067+:1044C00008005A5C08005A5C08005A5C08005ADC74
73068+:1044D0000800782C08007A900800783808007628C0
73069+:1044E00008007838080078C4080078380800762872
73070+:1044F0000800762808007628080076280800762824
73071+:104500000800762808007628080076280800762813
73072+:1045100008007628080078580800784808007628AF
73073+:1045200008007628080076280800762808007628F3
73074+:1045300008007628080076280800762808007628E3
73075+:1045400008007628080076280800762808007848B1
73076+:10455000080082FC08008188080082C40800818865
73077+:104560000800829408008070080081880800818813
73078+:1045700008008188080081880800818808008188F7
73079+:1045800008008188080081880800818808008188E7
73080+:104590000800818808008188080081B008008D34F7
73081+:1045A00008008E9008008E70080088D808008D4C96
73082+:1045B0000A00012400000000000000000000000DBF
73083+:1045C000747061362E322E31620000000602010145
73084+:1045D00000000000000000000000000000000000DB
73085+:1045E00000000000000000000000000000000000CB
73086+:1045F00000000000000000000000000000000000BB
73087+:1046000000000000000000000000000000000000AA
73088+:10461000000000000000000000000000000000009A
73089+:10462000000000000000000000000000000000008A
73090+:10463000000000000000000000000000000000007A
73091+:104640000000000010000003000000000000000D4A
73092+:104650000000000D3C020800244217203C03080023
73093+:1046600024632A10AC4000000043202B1480FFFD7F
73094+:10467000244200043C1D080037BD2FFC03A0F0219C
73095+:104680003C100800261004903C1C0800279C1720B2
73096+:104690000E000262000000000000000D2402FF80F6
73097+:1046A00027BDFFE000821024AFB00010AF42002011
73098+:1046B000AFBF0018AFB10014936500043084007FD1
73099+:1046C000034418213C0200080062182130A5002094
73100+:1046D000036080213C080111277B000814A0000220
73101+:1046E0002466005C2466005892020004974301048B
73102+:1046F000920400043047000F3063FFFF3084004015
73103+:10470000006728231080000900004821920200055C
73104+:1047100030420004104000050000000010A000031B
73105+:104720000000000024A5FFFC2409000492020005FB
73106+:1047300030420004104000120000000010A00010E1
73107+:10474000000000009602000200A72021010440257D
73108+:104750002442FFFEA7421016920300042402FF80A9
73109+:1047600000431024304200FF104000033C020400CC
73110+:104770000A000174010240258CC20000AF421018EB
73111+:104780008F4201780440FFFE2402000AA742014044
73112+:1047900096020002240400093042000700021023A0
73113+:1047A00030420007A7420142960200022442FFFE67
73114+:1047B000A7420144A740014697420104A74201488D
73115+:1047C0008F420108304200205040000124040001C3
73116+:1047D00092020004304200101440000234830010A2
73117+:1047E00000801821A743014A0000000000000000DB
73118+:1047F0000000000000000000AF48100000000000B2
73119+:104800000000000000000000000000008F421000C7
73120+:104810000441FFFE3102FFFF1040000700000000CE
73121+:1048200092020004304200401440000300000000E7
73122+:104830008F421018ACC20000960200063042FFFF03
73123+:10484000244200020002104300021040036288214B
73124+:10485000962200001120000D3044FFFF00A7102118
73125+:104860008F8300388F45101C0002108200021080D8
73126+:1048700000431021AC45000030A6FFFF0E00058D5F
73127+:1048800000052C0200402021A62200009203000413
73128+:104890002402FF8000431024304200FF1040001F1C
73129+:1048A0000000000092020005304200021040001B90
73130+:1048B000000000009742100C2442FFFEA742101691
73131+:1048C000000000003C02040034420030AF421000FF
73132+:1048D00000000000000000000000000000000000D8
73133+:1048E0008F4210000441FFFE000000009742100CB0
73134+:1048F0008F45101C3042FFFF24420030000210821E
73135+:1049000000021080005B1021AC45000030A6FFFFC4
73136+:104910000E00058D00052C02A62200009604000260
73137+:10492000248400080E0001E93084FFFF974401044D
73138+:104930000E0001F73084FFFF8FBF00188FB1001405
73139+:104940008FB000103C02100027BD002003E00008DB
73140+:10495000AF4201783084FFFF308200078F8500244A
73141+:1049600010400002248300073064FFF800A41021E7
73142+:1049700030421FFF03421821247B4000AF850028EE
73143+:10498000AF82002403E00008AF4200843084FFFFC0
73144+:104990003082000F8F85002C8F860034104000027B
73145+:1049A0002483000F3064FFF000A410210046182B70
73146+:1049B000AF8500300046202314600002AF82002C37
73147+:1049C000AF84002C8F82002C340480000342182115
73148+:1049D00000641821AF83003803E00008AF42008074
73149+:1049E0008F820014104000088F8200048F82FFDC49
73150+:1049F000144000058F8200043C02FFBF3442FFFFD9
73151+:104A0000008220248F82000430430006240200022A
73152+:104A10001062000F3C0201012C62000350400005AF
73153+:104A2000240200041060000F3C0200010A00023062
73154+:104A30000000000010620005240200061462000C51
73155+:104A40003C0201110A000229008210253C020011DB
73156+:104A500000821025AF421000240200010A0002303B
73157+:104A6000AF82000C00821025AF421000AF80000C16
73158+:104A700000000000000000000000000003E000084B
73159+:104A8000000000008F82000C1040000400000000B5
73160+:104A90008F4210000441FFFE0000000003E0000808
73161+:104AA000000000008F8200102443F800000231C291
73162+:104AB00024C2FFF02C6303011060000300021042C7
73163+:104AC0000A000257AC8200008F85001800C5102B29
73164+:104AD0001440000B0000182100C5102324470001DA
73165+:104AE0008F82001C00A210212442FFFF0046102BE1
73166+:104AF000544000042402FFFF0A000257AC87000064
73167+:104B00002402FFFF0A000260AC8200008C820000D9
73168+:104B10000002194000621821000318800062182169
73169+:104B2000000318803C0208002442175C0062182130
73170+:104B300003E000080060102127BDFFD8AFBF0020B0
73171+:104B4000AFB1001CAFB000183C0460088C8250006C
73172+:104B50002403FF7F3C066000004310243442380CDD
73173+:104B6000AC8250008CC24C1C3C1A80000002160221
73174+:104B70003042000F10400007AF82001C8CC34C1C59
73175+:104B80003C02001F3442FC0000621824000319C2DA
73176+:104B9000AF8300188F420008275B400034420001B9
73177+:104BA000AF420008AF8000243C02601CAF40008090
73178+:104BB000AF4000848C4500088CC308083402800094
73179+:104BC000034220212402FFF0006218243C020080EE
73180+:104BD0003C010800AC2204203C025709AF84003895
73181+:104BE00014620004AF850034240200010A0002921E
73182+:104BF000AF820014AF8000148F42000038420001E1
73183+:104C0000304200011440FFFC8F8200141040001657
73184+:104C10000000000097420104104000058F8300004F
73185+:104C2000146000072462FFFF0A0002A72C62000A3A
73186+:104C30002C620010504000048F83000024620001A9
73187+:104C4000AF8200008F8300002C62000A1440000332
73188+:104C50002C6200070A0002AEAF80FFDC10400002A9
73189+:104C600024020001AF82FFDC8F4301088F44010062
73190+:104C700030622000AF83000410400008AF840010B1
73191+:104C80003C0208008C42042C244200013C01080034
73192+:104C9000AC22042C0A00058A3C0240003065020068
73193+:104CA00014A0000324020F001482026024020D00ED
73194+:104CB00097420104104002C83C02400030624000AC
73195+:104CC000144000AD8F8200388C4400088F42017878
73196+:104CD0000440FFFE24020800AF42017824020008CD
73197+:104CE000A7420140A7400142974201048F8400047B
73198+:104CF0003051FFFF30820001104000070220802168
73199+:104D00002623FFFE240200023070FFFFA742014667
73200+:104D10000A0002DBA7430148A74001463C02080005
73201+:104D20008C42043C1440000D8F8300103082002020
73202+:104D30001440000224030009240300010060202124
73203+:104D40008F830010240209005062000134840004A3
73204+:104D5000A744014A0A0002F60000000024020F00E6
73205+:104D60001462000530820020144000062403000D68
73206+:104D70000A0002F524030005144000022403000980
73207+:104D800024030001A743014A3C0208008C4204208E
73208+:104D90003C0400480E00020C004420250E000235A1
73209+:104DA000000000008F82000C1040003E0000000058
73210+:104DB0008F4210003C0300200043102410400039B3
73211+:104DC0008F820004304200021040003600000000D4
73212+:104DD000974210141440003300000000974210085E
73213+:104DE0008F8800383042FFFF2442000600021882FC
73214+:104DF0000003388000E83021304300018CC40000FB
73215+:104E000010600004304200030000000D0A00033768
73216+:104E100000E81021544000103084FFFF3C05FFFFE4
73217+:104E200000852024008518260003182B0004102B71
73218+:104E300000431024104000050000000000000000A6
73219+:104E40000000000D00000000240002228CC20000BF
73220+:104E50000A000336004520253883FFFF0003182B86
73221+:104E60000004102B00431024104000050000000037
73222+:104E7000000000000000000D000000002400022BD4
73223+:104E80008CC200003444FFFF00E81021AC44000055
73224+:104E90003C0208008C420430244200013C0108001E
73225+:104EA000AC2204308F6200008F840038AF8200088B
73226+:104EB0008C8300003402FFFF1462000F00001021F9
73227+:104EC0003C0508008CA504543C0408008C84045064
73228+:104ED00000B0282100B0302B008220210086202144
73229+:104EE0003C010800AC2504543C010800AC240450EB
73230+:104EF0000A000580240400088C8200003042010072
73231+:104F00001040000F000010213C0508008CA5044C47
73232+:104F10003C0408008C84044800B0282100B0302BE9
73233+:104F200000822021008620213C010800AC25044C91
73234+:104F30003C010800AC2404480A0005802404000851
73235+:104F40003C0508008CA504443C0408008C84044003
73236+:104F500000B0282100B0302B0082202100862021C3
73237+:104F60003C010800AC2504443C010800AC2404408A
73238+:104F70000A000580240400088F6200088F62000088
73239+:104F800000021602304300F02402003010620005D7
73240+:104F900024020040106200E08F8200200A00058891
73241+:104FA0002442000114A000050000000000000000E1
73242+:104FB0000000000D00000000240002568F4201781E
73243+:104FC0000440FFFE000000000E00023D27A4001078
73244+:104FD0001440000500408021000000000000000D8A
73245+:104FE000000000002400025D8E0200001040000559
73246+:104FF00000000000000000000000000D00000000A4
73247+:10500000240002608F62000C0443000324020001AC
73248+:105010000A00042EAE000000AE0200008F820038AD
73249+:105020008C480008A20000078F65000C8F64000404
73250+:1050300030A3FFFF0004240200852023308200FFFC
73251+:105040000043102124420005000230832CC200815D
73252+:10505000A605000A14400005A20400040000000098
73253+:105060000000000D00000000240002788F85003849
73254+:105070000E0005AB260400148F6200048F43010864
73255+:10508000A60200083C02100000621824106000080C
73256+:105090000000000097420104920300072442FFEC45
73257+:1050A000346300023045FFFF0A0003C3A203000778
73258+:1050B000974201042442FFF03045FFFF96060008A6
73259+:1050C0002CC200135440000592030007920200070F
73260+:1050D00034420001A20200079203000724020001EB
73261+:1050E00010620005240200031062000B8F8200385A
73262+:1050F0000A0003E030C6FFFF8F8200383C04FFFF48
73263+:105100008C43000C0064182400651825AC43000C87
73264+:105110000A0003E030C6FFFF3C04FFFF8C43001091
73265+:105120000064182400651825AC43001030C6FFFF4A
73266+:1051300024C2000200021083A20200058F830038FF
73267+:10514000304200FF00021080004328218CA800009C
73268+:105150008CA2000024030004000217021443001272
73269+:1051600000000000974201043C03FFFF01031824E4
73270+:105170003042FFFF004610232442FFFE006240251C
73271+:10518000ACA8000092030005306200FF000210800E
73272+:1051900000501021904200143042000F00431021B3
73273+:1051A0000A000415A20200068CA400049742010420
73274+:1051B0009603000A3088FFFF3042FFFF00461023AD
73275+:1051C0002442FFD60002140001024025ACA80004CE
73276+:1051D000920200079204000524630028000318834C
73277+:1051E0000064182134420004A2030006A202000752
73278+:1051F0008F8200042403FFFB34420002004310248A
73279+:10520000AF820004920300068F87003800031880E5
73280+:10521000007010218C4400203C02FFF63442FFFF56
73281+:105220000082402400671821AE04000CAC68000C1A
73282+:10523000920500063C03FF7F8E02000C00052880CB
73283+:1052400000B020213463FFFF01033024948800263E
73284+:1052500000A7282100431024AE02000CAC860020D9
73285+:10526000AC880024ACA8001024020010A742014022
73286+:1052700024020002A7400142A7400144A742014680
73287+:10528000974201043C0400082442FFFEA742014863
73288+:10529000240200010E00020CA742014A9603000AF4
73289+:1052A0009202000400431021244200023042000711
73290+:1052B00000021023304200070E000235AE0200103B
73291+:1052C0008F6200003C0308008C6304442404001037
73292+:1052D000AF820008974201043042FFFF2442FFFEE4
73293+:1052E00000403821000237C33C0208008C420440D1
73294+:1052F000006718210067282B004610210045102167
73295+:105300003C010800AC2304443C010800AC220440EA
73296+:105310000A0005150000000014A0000500000000B0
73297+:10532000000000000000000D000000002400030A3F
73298+:105330008F4201780440FFFE000000000E00023D95
73299+:1053400027A4001414400005004080210000000044
73300+:105350000000000D00000000240003118E02000078
73301+:105360005440000692020007000000000000000DFB
73302+:10537000000000002400031C9202000730420004D9
73303+:10538000104000058F8200042403FFFB344200021A
73304+:1053900000431024AF8200048F620004044300081D
73305+:1053A00092020007920200068E03000CAE0000007D
73306+:1053B0000002108000501021AC4300209202000730
73307+:1053C00030420004544000099602000A920200058F
73308+:1053D0003C03000100021080005010218C46001890
73309+:1053E00000C33021AC4600189602000A9206000461
73310+:1053F000277100080220202100C2302124C60005A8
73311+:10540000260500140E0005AB00063082920400064B
73312+:105410008F6500043C027FFF000420800091202162
73313+:105420008C8300043442FFFF00A228240065182169
73314+:10543000AC8300049202000792040005920300046A
73315+:10544000304200041040001496070008308400FF2A
73316+:1054500000042080009120218C86000497420104E2
73317+:105460009605000A306300FF3042FFFF0043102121
73318+:105470000045102130E3FFFF004310232442FFD8F2
73319+:1054800030C6FFFF0002140000C23025AC860004C5
73320+:105490000A0004C992030007308500FF0005288038
73321+:1054A00000B128218CA4000097420104306300FF62
73322+:1054B0003042FFFF00431021004710233C03FFFF51
73323+:1054C000008320243042FFFF00822025ACA400008E
73324+:1054D0009203000724020001106200060000000091
73325+:1054E0002402000310620011000000000A0004EC16
73326+:1054F0008E03001097420104920300049605000AEF
73327+:105500008E24000C00431021004510212442FFF29C
73328+:105510003C03FFFF008320243042FFFF0082202550
73329+:10552000AE24000C0A0004EC8E0300109742010424
73330+:10553000920300049605000A8E24001000431021F7
73331+:10554000004510212442FFEE3C03FFFF008320248E
73332+:105550003042FFFF00822025AE2400108E03001091
73333+:105560002402000AA7420140A74301429603000A11
73334+:10557000920200043C04004000431021A742014471
73335+:10558000A740014697420104A742014824020001B6
73336+:105590000E00020CA742014A0E0002350000000076
73337+:1055A0008F6200009203000400002021AF820008F7
73338+:1055B000974201049606000A3042FFFF006218215C
73339+:1055C000006028213C0308008C6304443C0208006E
73340+:1055D0008C42044000651821004410210065382BDE
73341+:1055E000004710213C010800AC2304443C010800A2
73342+:1055F000AC22044092040004008620212484000A86
73343+:105600003084FFFF0E0001E9000000009744010410
73344+:105610003084FFFF0E0001F7000000003C02100084
73345+:10562000AF4201780A0005878F820020148200278C
73346+:105630003062000697420104104000673C024000BF
73347+:105640003062400010400005000000000000000033
73348+:105650000000000D00000000240004208F420178AB
73349+:105660000440FFFE24020800AF4201782402000833
73350+:10567000A7420140A74001428F82000497430104E2
73351+:1056800030420001104000073070FFFF2603FFFE8C
73352+:1056900024020002A7420146A74301480A00053F31
73353+:1056A0002402000DA74001462402000DA742014A32
73354+:1056B0008F62000024040008AF8200080E0001E998
73355+:1056C000000000000A0005190200202110400042DD
73356+:1056D0003C02400093620000304300F024020010BE
73357+:1056E0001062000524020070106200358F820020D5
73358+:1056F0000A000588244200018F62000097430104DC
73359+:105700003050FFFF3071FFFF8F4201780440FFFEF1
73360+:105710003202000700021023304200072403000A6F
73361+:105720002604FFFEA7430140A7420142A7440144CB
73362+:10573000A7400146A75101488F420108304200208E
73363+:10574000144000022403000924030001A743014A76
73364+:105750000E00020C3C0400400E0002350000000068
73365+:105760003C0708008CE70444021110212442FFFE8C
73366+:105770003C0608008CC604400040182100E3382194
73367+:10578000000010218F65000000E3402B00C2302193
73368+:105790002604000800C830213084FFFFAF850008D0
73369+:1057A0003C010800AC2704443C010800AC2604403E
73370+:1057B0000E0001E9000000000A0005190220202166
73371+:1057C0000E00013B000000008F82002024420001F7
73372+:1057D000AF8200203C024000AF4201380A00029232
73373+:1057E000000000003084FFFF30C6FFFF00052C00E2
73374+:1057F00000A628253882FFFF004510210045282BF0
73375+:105800000045102100021C023042FFFF004310211E
73376+:1058100000021C023042FFFF004310213842FFFF0C
73377+:1058200003E000083042FFFF3084FFFF30A5FFFF98
73378+:1058300000001821108000070000000030820001E5
73379+:105840001040000200042042006518210A0005A152
73380+:105850000005284003E000080060102110C0000689
73381+:1058600024C6FFFF8CA2000024A50004AC82000027
73382+:105870000A0005AB2484000403E0000800000000D7
73383+:1058800010A0000824A3FFFFAC8600000000000069
73384+:10589000000000002402FFFF2463FFFF1462FFFAF0
73385+:1058A0002484000403E00008000000000000000160
73386+:1058B0000A00002A00000000000000000000000DA7
73387+:1058C000747870362E322E3162000000060201001C
73388+:1058D00000000000000001360000EA600000000047
73389+:1058E00000000000000000000000000000000000B8
73390+:1058F00000000000000000000000000000000000A8
73391+:105900000000000000000000000000000000000097
73392+:105910000000001600000000000000000000000071
73393+:105920000000000000000000000000000000000077
73394+:105930000000000000000000000000000000000067
73395+:1059400000000000000000000000138800000000BC
73396+:10595000000005DC00000000000000001000000353
73397+:10596000000000000000000D0000000D3C020800D7
73398+:1059700024423D683C0308002463401CAC40000006
73399+:105980000043202B1480FFFD244200043C1D08002E
73400+:1059900037BD7FFC03A0F0213C100800261000A8B2
73401+:1059A0003C1C0800279C3D680E00044E00000000CF
73402+:1059B0000000000D27BDFFB4AFA10000AFA200049E
73403+:1059C000AFA30008AFA4000CAFA50010AFA6001451
73404+:1059D000AFA70018AFA8001CAFA90020AFAA0024F1
73405+:1059E000AFAB0028AFAC002CAFAD0030AFAE003491
73406+:1059F000AFAF0038AFB8003CAFB90040AFBC004417
73407+:105A0000AFBF00480E000591000000008FBF0048A6
73408+:105A10008FBC00448FB900408FB8003C8FAF003876
73409+:105A20008FAE00348FAD00308FAC002C8FAB0028D0
73410+:105A30008FAA00248FA900208FA8001C8FA7001810
73411+:105A40008FA600148FA500108FA4000C8FA3000850
73412+:105A50008FA200048FA1000027BD004C3C1B6004F6
73413+:105A60008F7A5030377B502803400008AF7A00000F
73414+:105A70008F86003C3C0390003C0280000086282575
73415+:105A800000A32025AC4400203C0380008C6700204C
73416+:105A900004E0FFFE0000000003E00008000000003A
73417+:105AA0000A000070240400018F85003C3C04800043
73418+:105AB0003483000100A3102503E00008AC8200201D
73419+:105AC00003E00008000010213084FFFF30A5FFFF35
73420+:105AD00010800007000018213082000110400002F1
73421+:105AE00000042042006518211480FFFB00052840B7
73422+:105AF00003E000080060102110C000070000000053
73423+:105B00008CA2000024C6FFFF24A50004AC82000084
73424+:105B100014C0FFFB2484000403E000080000000020
73425+:105B200010A0000824A3FFFFAC86000000000000C6
73426+:105B3000000000002402FFFF2463FFFF1462FFFA4D
73427+:105B40002484000403E000080000000090AA003153
73428+:105B50008FAB00108CAC00403C0300FF8D6800044C
73429+:105B6000AD6C00208CAD004400E060213462FFFF8A
73430+:105B7000AD6D00248CA700483C09FF000109C0243A
73431+:105B8000AD6700288CAE004C0182C824031978252B
73432+:105B9000AD6F0004AD6E002C8CAD0038314A00FFB3
73433+:105BA000AD6D001C94A900323128FFFFAD680010D4
73434+:105BB00090A70030A5600002A1600004A16700006A
73435+:105BC00090A30032306200FF0002198210600005CD
73436+:105BD000240500011065000E0000000003E000082D
73437+:105BE000A16A00018CD80028354A0080AD780018E1
73438+:105BF0008CCF0014AD6F00148CCE0030AD6E000859
73439+:105C00008CC4002CA16A000103E00008AD64000C04
73440+:105C10008CCD001CAD6D00188CC90014AD6900144A
73441+:105C20008CC80024AD6800088CC70020AD67000C4C
73442+:105C30008CC200148C8300700043C82B1320000713
73443+:105C4000000000008CC20014144CFFE400000000AF
73444+:105C5000354A008003E00008A16A00018C820070D0
73445+:105C60000A0000E6000000009089003027BDFFF820
73446+:105C70008FA8001CA3A900008FA300003C0DFF808B
73447+:105C800035A2FFFF8CAC002C00625824AFAB0000A3
73448+:105C9000A100000400C05821A7A000028D06000446
73449+:105CA00000A048210167C8218FA500000080502175
73450+:105CB0003C18FF7F032C20263C0E00FF2C8C00019B
73451+:105CC000370FFFFF35CDFFFF3C02FF0000AFC824B8
73452+:105CD00000EDC02400C27824000C1DC003236825F9
73453+:105CE00001F87025AD0D0000AD0E00048D240024D8
73454+:105CF000AFAD0000AD0400088D2C00202404FFFF90
73455+:105D0000AD0C000C9547003230E6FFFFAD060010E9
73456+:105D10009145004830A200FF000219C25060000106
73457+:105D20008D240034AD0400148D4700388FAA00186C
73458+:105D300027BD0008AD0B0028AD0A0024AD07001CEC
73459+:105D4000AD00002CAD00001803E00008AD000020FD
73460+:105D500027BDFFE0AFB20018AFB10014AFB0001024
73461+:105D6000AFBF001C9098003000C088213C0D00FFA0
73462+:105D7000330F007FA0CF0000908E003135ACFFFFC5
73463+:105D80003C0AFF00A0CE000194A6001EA220000441
73464+:105D90008CAB00148E29000400A08021016C282403
73465+:105DA000012A40240080902101052025A62600021A
73466+:105DB000AE24000426050020262400080E000092D0
73467+:105DC00024060002924700302605002826240014ED
73468+:105DD00000071E000003160324060004044000030D
73469+:105DE0002403FFFF965900323323FFFF0E00009279
73470+:105DF000AE230010262400248FBF001C8FB2001891
73471+:105E00008FB100148FB00010240500030000302172
73472+:105E10000A00009C27BD002027BDFFD8AFB1001CA1
73473+:105E2000AFB00018AFBF002090A9003024020001DD
73474+:105E300000E050213123003F00A040218FB00040FE
73475+:105E40000080882100C04821106200148FA700380C
73476+:105E5000240B000500A0202100C02821106B001396
73477+:105E6000020030210E000128000000009225007C75
73478+:105E700030A400021080000326030030AE00003082
73479+:105E8000260300348FBF00208FB1001C8FB0001894
73480+:105E90000060102103E0000827BD00280E0000A7C5
73481+:105EA000AFB000100A00016F000000008FA3003C9B
73482+:105EB000010020210120282101403021AFA3001042
73483+:105EC0000E0000EEAFB000140A00016F00000000E9
73484+:105ED0003C06800034C20E008C4400108F850044C4
73485+:105EE000ACA400208C43001803E00008ACA30024FD
73486+:105EF0003C06800034C20E008C4400148F850044A0
73487+:105F0000ACA400208C43001C03E00008ACA30024D8
73488+:105F10009382000C1040001B2483000F2404FFF028
73489+:105F20000064382410E00019978B00109784000E4D
73490+:105F30009389000D3C0A601C0A0001AC01644023F7
73491+:105F400001037021006428231126000231C2FFFFE3
73492+:105F500030A2FFFF0047302B50C0000E00E4482164
73493+:105F60008D4D000C31A3FFFF00036400000C2C03D7
73494+:105F700004A1FFF30000302130637FFF0A0001A479
73495+:105F80002406000103E00008000000009784000ED2
73496+:105F900000E448213123FFFF3168FFFF0068382B00
73497+:105FA00054E0FFF8A783000E938A000D114000050E
73498+:105FB000240F0001006BC023A380000D03E0000844
73499+:105FC000A798000E006BC023A38F000D03E000080C
73500+:105FD000A798000E03E000080000000027BDFFE8BE
73501+:105FE000AFB000103C10800036030140308BFFFF43
73502+:105FF00093AA002BAFBF0014A46B000436040E005C
73503+:106000009488001630C600FF8FA90030A4680006EF
73504+:10601000AC650008A0660012A46A001AAC670020F4
73505+:106020008FA5002CA4690018012020210E000198E2
73506+:10603000AC6500143C021000AE0201788FBF001462
73507+:106040008FB0001003E0000827BD00188F85000006
73508+:106050002484000727BDFFF83084FFF83C06800049
73509+:1060600094CB008A316AFFFFAFAA00008FA900001D
73510+:10607000012540232507FFFF30E31FFF0064102B9D
73511+:106080001440FFF700056882000D288034CC4000E2
73512+:1060900000AC102103E0000827BD00088F8200003B
73513+:1060A0002486000730C5FFF800A2182130641FFFC6
73514+:1060B00003E00008AF8400008F87003C8F84004419
73515+:1060C00027BDFFB0AFB70044AFB40038AFB1002C6C
73516+:1060D000AFBF0048AFB60040AFB5003CAFB300342F
73517+:1060E000AFB20030AFB000283C0B80008C8600249B
73518+:1060F000AD6700808C8A002035670E00356901008D
73519+:10610000ACEA00108C8800248D2500040000B82122
73520+:10611000ACE800188CE3001000A688230000A02142
73521+:10612000ACE300148CE20018ACE2001C122000FE6C
73522+:1061300000E0B021936C0008118000F40000000022
73523+:10614000976F001031EEFFFF022E682B15A000EFB5
73524+:1061500000000000977200103250FFFFAED0000028
73525+:106160003C0380008C740000329300081260FFFD35
73526+:106170000000000096D800088EC700043305FFFF1A
73527+:1061800030B5000112A000E4000000000000000D86
73528+:1061900030BFA0402419004013F9011B30B4A00007
73529+:1061A000128000DF000000009373000812600008F6
73530+:1061B00000000000976D001031ACFFFF00EC202BB9
73531+:1061C0001080000330AE004011C000D50000000078
73532+:1061D000A7850040AF87003893630008022028217C
73533+:1061E000AFB10020146000F527B40020AF60000CB0
73534+:1061F000978F004031F14000162000022403001662
73535+:106200002403000E24054007A363000AAF650014B1
73536+:10621000938A00428F70001431550001001512401E
73537+:1062200002024825AF690014979F00408F78001440
73538+:1062300033F9001003194025AF680014979200400D
73539+:106240003247000810E0016E000000008F67001464
73540+:106250003C1210003C11800000F27825AF6F001452
73541+:1062600036230E00946E000A3C0D81002406000EB9
73542+:1062700031CCFFFF018D2025AF640004A36600022E
73543+:106280009373000A3406FFFC266B0004A36B000A1C
73544+:1062900097980040330820001100015F00000000C3
73545+:1062A0003C05800034A90E00979900409538000CF9
73546+:1062B00097870040001940423312C00031030003A9
73547+:1062C00000127B0330F11000006F6825001172038B
73548+:1062D00001AE6025000C20C0A76400129793004017
73549+:1062E000936A000A001359823175003C02AA1021FA
73550+:1062F0002450003CA3700009953F000C33F93FFF88
73551+:10630000A779001097700012936900090130F821F5
73552+:1063100027E5000230B900070019C0233308000741
73553+:10632000A368000B9371000997720012976F001019
73554+:10633000322700FF8F910038978D004000F218211E
73555+:10634000006F702101C6602131A6004010C0000519
73556+:106350003185FFFF00B1102B3C1280001040001768
73557+:10636000000098210225A82B56A0013E8FA50020F1
73558+:106370003C048000348A0E008D5300143C068000DB
73559+:10638000AD5300108D4B001CAD4B0018AD45000007
73560+:106390008CCD000031AC00081180FFFD34CE0E0022
73561+:1063A00095C3000800A0882100009021A783004029
73562+:1063B0008DC6000424130001AF860038976F0010CB
73563+:1063C00031F5FFFF8E9F000003F1282310A0011F6D
73564+:1063D000AE85000093620008144000DD000000005C
73565+:1063E0000E0001E7240400108F900048004028218F
73566+:1063F0003C023200320600FF000654000142F8253C
73567+:1064000026090001AF890048ACBF0000937900095C
73568+:1064100097780012936F000A332800FF3303FFFFC1
73569+:106420000103382100076C0031EE00FF01AE60254A
73570+:10643000ACAC00048F840048978B0040316A200088
73571+:106440001140010AACA4000897640012308BFFFFD2
73572+:1064500006400108ACAB000C978E004031C5000827
73573+:1064600014A0000226280006262800023C1F8000F7
73574+:1064700037E70E0094F900148CE5001C8F670004C8
73575+:10648000937800023324FFFF330300FFAFA3001013
73576+:106490008F6F0014AFA800180E0001CBAFAF00142F
73577+:1064A000240400100E0001FB000000008E9200008A
73578+:1064B00016400005000000008F7800142403FFBF81
73579+:1064C0000303A024AF7400148F67000C00F5C821EB
73580+:1064D000AF79000C9375000816A0000800000000BA
73581+:1064E00012600006000000008F6800143C0AEFFFF5
73582+:1064F0003549FFFE0109F824AF7F0014A37300089B
73583+:106500008FA500200A00034F02202021AED10000F9
73584+:106510000A00022D3C03800014E0FF1E30BFA040A3
73585+:106520000E0001900000A0212E9100010237B0253D
73586+:1065300012C000188FBF00488F87003C24170F003F
73587+:1065400010F700D43C0680008CD901780720FFFEAC
73588+:10655000241F0F0010FF00F634CA0E008D560014E1
73589+:1065600034C7014024080240ACF600048D49001CE9
73590+:106570003C141000ACE90008A0E00012A4E0001AEE
73591+:10658000ACE00020A4E00018ACE80014ACD4017822
73592+:106590008FBF00488FB700448FB600408FB5003CD6
73593+:1065A0008FB400388FB300348FB200308FB1002C1D
73594+:1065B0008FB0002803E0000827BD00508F910038FD
73595+:1065C000978800403C1280000220A821310700403B
73596+:1065D00014E0FF7C00009821977900108F9200381A
73597+:1065E0003338FFFF131200A8000020210080A021F3
73598+:1065F000108000F300A088211620FECE00000000CD
73599+:106600000A00031F2E9100013C0380008C62017878
73600+:106610000440FFFE240808008F860000AC68017863
73601+:106620003C038000946D008A31ACFFFF0186582343
73602+:10663000256AFFFF31441FFF2C8900081520FFF950
73603+:10664000000000008F8F0048347040008F83003CB2
73604+:1066500000E0A021240E0F0025E70001AF870048CD
73605+:1066600000D03021023488233C08800031F500FF3F
73606+:10667000106E0005240700019398004233130001B7
73607+:106680000013924036470001001524003C0A010027
73608+:10669000008A4825ACC900008F82004830BF003610
73609+:1066A00030B90008ACC200041320009900FF9825FF
73610+:1066B00035120E009650000A8F8700003C0F8100B3
73611+:1066C0003203FFFF24ED000835060140006F60250E
73612+:1066D0003C0E100031AB1FFF269200062405000E71
73613+:1066E000ACCC0020026E9825A4C5001AAF8B000028
73614+:1066F000A4D20018162000083C1080008F89003CAE
73615+:1067000024020F00512200022417000136730040BA
73616+:106710000E0001883C10800036060E008CCB001461
73617+:10672000360A014002402021AD4B00048CC5001CFC
73618+:10673000AD450008A1550012AD5300140E0001989C
73619+:106740003C151000AE1501780A000352000000004D
73620+:10675000936F0009976E0012936D000B31E500FFF7
73621+:1067600000AE202131AC00FF008C80212602000AFF
73622+:106770003050FFFF0E0001E7020020218F86004805
73623+:106780003C0341003C05800024CB0001AF8B004856
73624+:10679000936A00099769001230C600FF315F00FF5D
73625+:1067A0003128FFFF03E8382124F900020006C40065
73626+:1067B0000319782501E37025AC4E00008F6D000CA5
73627+:1067C00034A40E00948B001401B26025AC4C00047C
73628+:1067D0008C85001C8F670004936A00023164FFFF00
73629+:1067E000314900FFAFA900108F680014AFB1001845
73630+:1067F0000E0001CBAFA800140A0002FD0200202108
73631+:10680000AF600004A36000029798004033082000A6
73632+:106810001500FEA300003021A760001297840040FD
73633+:10682000936B000A3C10800030931F0000135183CB
73634+:10683000014BA82126A20028A362000936090E00F8
73635+:10684000953F000C0A000295A77F00108F7000147E
73636+:10685000360900400E000188AF6900140A0002C921
73637+:10686000000000000A00034F000020210641FEFA4C
73638+:10687000ACA0000C8CAC000C3C0D8000018D902570
73639+:106880000A0002EAACB2000C000090210A0002C526
73640+:1068900024130001128000073C028000344B0E00DC
73641+:1068A0009566000830D300401260004900000000E7
73642+:1068B0003C0680008CD001780600FFFE34C50E0037
73643+:1068C00094B500103C03050034CC014032B8FFFF02
73644+:1068D00003039025AD92000C8CAF0014240D200012
73645+:1068E0003C041000AD8F00048CAE001CAD8E00087F
73646+:1068F000A1800012A580001AAD800020A58000189C
73647+:10690000AD8D0014ACC401780A0003263C0680005B
73648+:106910008F9F0000351801402692000227F90008D9
73649+:1069200033281FFFA71200180A000391AF88000048
73650+:106930003C02800034450140ACA0000C1280001BDA
73651+:1069400034530E0034510E008E370010ACB70004E3
73652+:106950008E2400183C0B8000ACA400083570014068
73653+:1069600024040040A20000128FBF0048A600001AB5
73654+:106970008FB70044AE0000208FB60040A60000187C
73655+:106980008FB5003CAE0400148FB400388FB30034D0
73656+:106990008FB200308FB1002C8FB000283C02100065
73657+:1069A00027BD005003E00008AD6201788E66001438
73658+:1069B000ACA600048E64001C0A00042A3C0B800074
73659+:1069C0000E0001902E9100010A0003200237B0252D
73660+:1069D000000000000000000D00000000240003691A
73661+:1069E0000A0004013C06800027BDFFD8AFBF00208D
73662+:1069F0003C0980003C1F20FFAFB200183C0760003C
73663+:106A000035320E002402001037F9FFFDACE23008E9
73664+:106A1000AFB3001CAFB10014AFB00010AE5900000E
73665+:106A20000000000000000000000000000000000066
73666+:106A3000000000003C1800FF3713FFFDAE530000BC
73667+:106A40003C0B60048D7050002411FF7F3C0E00024F
73668+:106A50000211782435EC380C35CD0109ACED4C1819
73669+:106A6000240A0009AD6C50008CE80438AD2A0008F7
73670+:106A7000AD2000148CE54C1C3106FFFF38C42F718B
73671+:106A800000051E023062000F2486C0B310400007CC
73672+:106A9000AF8200088CE54C1C3C09001F3528FC0027
73673+:106AA00000A81824000321C2AF8400048CF1080858
73674+:106AB0003C0F57092412F0000232702435F0001008
73675+:106AC00001D0602601CF68262DAA00012D8B000180
73676+:106AD000014B382550E00009A380000C3C1F601CCE
73677+:106AE0008FF8000824190001A399000C33137C00CF
73678+:106AF000A7930010A780000EA380000DAF80004870
73679+:106B000014C00003AF8000003C066000ACC0442C01
73680+:106B10000E0005B93C1080000E000F1A361101005E
73681+:106B20003C12080026523DD03C13080026733E500C
73682+:106B30008E03000038640001308200011440FFFC25
73683+:106B40003C0B800A8E2600002407FF8024C90240E7
73684+:106B5000312A007F014B402101272824AE06002066
73685+:106B6000AF880044AE0500243C048000AF86003CA2
73686+:106B70008C8C01780580FFFE24180800922F0008F5
73687+:106B8000AC980178A38F0042938E004231CD000172
73688+:106B900011A0000F24050D0024DFF8002FF90301D8
73689+:106BA0001320001C000629C224A4FFF00004104298
73690+:106BB000000231400E00020200D2D8213C02400007
73691+:106BC0003C068000ACC201380A0004A000000000AE
73692+:106BD00010C50023240D0F0010CD00273C1F800896
73693+:106BE00037F9008093380000240E0050330F00FF67
73694+:106BF00015EEFFF33C0240000E000A3600000000D4
73695+:106C00003C0240003C068000ACC201380A0004A0EF
73696+:106C1000000000008F83000400A3402B1500000B30
73697+:106C20008F8B0008006B50212547FFFF00E5482BA4
73698+:106C30001520000600A36023000C19400E0002027C
73699+:106C40000073D8210A0004C43C0240000000000D7B
73700+:106C50000E000202000000000A0004C43C024000D2
73701+:106C60003C1B0800277B3F500E0002020000000082
73702+:106C70000A0004C43C0240003C1B0800277B3F7014
73703+:106C80000E000202000000000A0004C43C024000A2
73704+:106C90003C0660043C09080025290104ACC9502CBD
73705+:106CA0008CC850003C0580003C0200023507008083
73706+:106CB000ACC750003C040800248415A43C03080021
73707+:106CC0002463155CACA50008ACA2000C3C010800D4
73708+:106CD000AC243D603C010800AC233D6403E00008A7
73709+:106CE0002402000100A030213C1C0800279C3D68C4
73710+:106CF0003C0C04003C0B0002008B3826008C402624
73711+:106D00002CE200010007502B2D050001000A4880ED
73712+:106D10003C03080024633D60004520250123182121
73713+:106D20001080000300001021AC6600002402000166
73714+:106D300003E00008000000003C1C0800279C3D68A0
73715+:106D40003C0B04003C0A0002008A3026008B3826E7
73716+:106D50002CC200010006482B2CE5000100094080F0
73717+:106D60003C03080024633D600045202501031821F1
73718+:106D700010800005000010213C0C0800258C155CDB
73719+:106D8000AC6C00002402000103E0000800000000D9
73720+:106D90003C0900023C08040000883026008938269F
73721+:106DA0002CC30001008028212CE400010083102561
73722+:106DB0001040000B000030213C1C0800279C3D685F
73723+:106DC0003C0A80008D4E00082406000101CA682597
73724+:106DD000AD4D00088D4C000C01855825AD4B000CC5
73725+:106DE00003E0000800C010213C1C0800279C3D68FF
73726+:106DF0003C0580008CA6000C000420272402000122
73727+:106E000000C4182403E00008ACA3000C3C020002FC
73728+:106E10001082000B3C0560003C0704001087000353
73729+:106E20000000000003E00008000000008CA908D06A
73730+:106E3000240AFFFD012A402403E00008ACA808D082
73731+:106E40008CA408D02406FFFE0086182403E0000866
73732+:106E5000ACA308D03C05601A34A600108CC3008097
73733+:106E600027BDFFF88CC50084AFA3000093A40000E9
73734+:106E70002402000110820003AFA5000403E0000813
73735+:106E800027BD000893A7000114E0001497AC00028E
73736+:106E900097B800023C0F8000330EFFFC01CF682141
73737+:106EA000ADA50000A3A000003C0660008CC708D080
73738+:106EB0002408FFFE3C04601A00E82824ACC508D072
73739+:106EC0008FA300048FA200003499001027BD000892
73740+:106ED000AF22008003E00008AF2300843C0B800059
73741+:106EE000318AFFFC014B48218D2800000A00057DF6
73742+:106EF000AFA8000427BDFFE8AFBF00103C1C08008E
73743+:106F0000279C3D683C0580008CA4000C8CA20004EA
73744+:106F10003C0300020044282410A0000A00A3182407
73745+:106F20003C0604003C0400021460000900A6102482
73746+:106F30001440000F3C0404000000000D3C1C08003D
73747+:106F4000279C3D688FBF001003E0000827BD001894
73748+:106F50003C0208008C423D600040F809000000003F
73749+:106F60003C1C0800279C3D680A0005A68FBF001046
73750+:106F70003C0208008C423D640040F809000000001B
73751+:106F80000A0005AC00000000000411C003E0000886
73752+:106F9000244202403C04080024843FB42405001A23
73753+:106FA0000A00009C0000302127BDFFE0AFB00010B8
73754+:106FB0003C108000AFBF0018AFB1001436110100C3
73755+:106FC000922200090E0005B63044007F8E3F00007B
73756+:106FD0008F89003C3C0F008003E26021258800403F
73757+:106FE0000049F821240DFF80310E00783198007897
73758+:106FF00035F9000135F100020319382501D1482582
73759+:10700000010D302403ED5824018D2824240A00406A
73760+:1070100024040080240300C0AE0B0024AE0008103E
73761+:10702000AE0A0814AE040818AE03081CAE05080426
73762+:10703000AE070820AE060808AE0908243609090084
73763+:107040009539000C3605098033ED007F3338FFFF9A
73764+:10705000001889C0AE110800AE0F0828952C000C4E
73765+:107060008FBF00188FB10014318BFFFF000B51C090
73766+:10707000AE0A002C8CA400508FB000108CA3003CF2
73767+:107080008D2700048CA8001C8CA600383C0E800ABA
73768+:1070900001AE102127BD0020AF820044AF84005014
73769+:1070A000AF830054AF87004CAF88005C03E000085A
73770+:1070B000AF8600603C09080091293FD924A800024E
73771+:1070C0003C05110000093C0000E8302500C51825EA
73772+:1070D00024820008AC83000003E00008AC800004B8
73773+:1070E0003C098000352309009128010B906A0011AA
73774+:1070F0002402002800804821314700FF00A07021B1
73775+:1071000000C068213108004010E20002340C86DD26
73776+:10711000240C08003C0A800035420A9A944700007B
73777+:10712000354B0A9C35460AA030F9FFFFAD39000007
73778+:107130008D780000354B0A8024040001AD3800042E
73779+:107140008CCF0000AD2F00089165001930A300031B
73780+:107150001064009028640002148000AF240500022F
73781+:107160001065009E240F0003106F00B435450AA47B
73782+:10717000240A0800118A0048000000005100003D68
73783+:107180003C0B80003C0480003483090090670012AF
73784+:1071900030E200FF004D7821000FC8802724000155
73785+:1071A0003C0A8000354F090091E50019354C0980F3
73786+:1071B0008D87002830A300FF0003150000475825E5
73787+:1071C0000004C4003C19600001793025370806FF2F
73788+:1071D000AD260000AD2800048DEA002C25280028EB
73789+:1071E000AD2A00088DEC0030AD2C000C8DE500348C
73790+:1071F000AD2500108DE400383C05800034AC093C1E
73791+:10720000AD2400148DE3001CAD2300188DE7002091
73792+:10721000AD27001C8DE20024AD2200208DF900284E
73793+:1072200034A20100AD3900248D830000AD0E0004AE
73794+:1072300034B90900AD0300008C47000C250200148E
73795+:10724000AD070008932B00123C04080090843FD83F
73796+:10725000AD000010317800FF030D302100064F0013
73797+:1072600000047C00012F702535CDFFFC03E00008F1
73798+:10727000AD0D000C35780900930600123C0508009E
73799+:1072800094A53FC830C800FF010D5021000A60805E
73800+:107290000A00063C018520211500005B000000006B
73801+:1072A0003C08080095083FCE3C06080094C63FC83D
73802+:1072B000010610213C0B800035790900933800113C
73803+:1072C000932A001935660A80330800FF94CF002AFC
73804+:1072D00000086082314500FF978A0058000C1E00AC
73805+:1072E000000524003047FFFF006410250047C0253B
73806+:1072F00001EA30213C0B4000030B402500066400EE
73807+:10730000AD280000AD2C0004932500183C030006B6
73808+:107310002528001400053E0000E31025AD220008DA
73809+:107320008F24002C3C05800034AC093CAD24000CBB
73810+:107330008F38001C34A20100254F0001AD38001029
73811+:107340008D830000AD0E000431EB7FFFAD03000024
73812+:107350008C47000C34B90900A78B0058AD07000812
73813+:10736000932B00123C04080090843FD8250200149F
73814+:10737000317800FF030D302100064F0000047C002F
73815+:10738000012F702535CDFFFCAD00001003E0000893
73816+:10739000AD0D000C3C02080094423FD23C050800B1
73817+:1073A00094A53FC835440AA43C07080094E73FC4AD
73818+:1073B000948B00000045C8210327C023000B1C004C
73819+:1073C0002706FFF200665025AD2A000CAD20001004
73820+:1073D000AD2C00140A00063025290018354F0AA4E8
73821+:1073E00095E50000956400280005140000043C00A9
73822+:1073F0003459810000EC5825AD39000CAD2B00103C
73823+:107400000A000630252900143C0C0800958C3FCE5C
73824+:107410000A000681258200015460FF56240A0800F4
73825+:1074200035580AA49706000000061C00006C502581
73826+:10743000AD2A000C0A000630252900103C03080084
73827+:1074400094633FD23C07080094E73FC83C0F080014
73828+:1074500095EF3FC494A4000095790028006710219F
73829+:10746000004F582300041C00001934002578FFEE5B
73830+:1074700000D87825346A8100AD2A000CAD2F0010A9
73831+:10748000AD200014AD2C00180A0006302529001C80
73832+:1074900003E00008240207D027BDFFE0AFB20018C8
73833+:1074A000AFB10014AFB00010AFBF001C0E00007CE5
73834+:1074B000008088218F8800548F87004C3C0580080D
73835+:1074C00034B20080011128213C1080002402008089
73836+:1074D000240300C000A72023AE0208183C06800841
73837+:1074E000AE03081C18800004AF850054ACC500042E
73838+:1074F0008CC90004AF89004C1220000936040980B1
73839+:107500000E0006F800000000924C00278E0B00745D
73840+:1075100001825004014B3021AE46000C3604098034
73841+:107520008C8E001C8F8F005C01CF682319A0000493
73842+:107530008FBF001C8C90001CAF90005C8FBF001CA4
73843+:107540008FB200188FB100148FB000100A00007EB7
73844+:1075500027BD00208F8600508F8300548F82004CFF
73845+:107560003C05800834A40080AC860050AC83003C0D
73846+:1075700003E00008ACA200043C0308008C63005444
73847+:1075800027BDFFF8308400FF2462000130A500FF12
73848+:107590003C010800AC22005430C600FF3C078000CC
73849+:1075A0008CE801780500FFFE3C0C7FFFA3A40003DC
73850+:1075B0008FAA0000358BFFFF014B4824000627C02F
73851+:1075C00001244025AFA8000034E201009043000AE6
73852+:1075D000A3A000023C1980FFA3A300018FAF00000D
73853+:1075E00030AE007F3738FFFF01F86024000E6E00D8
73854+:1075F0003C0A002034E50140018D58253549200022
73855+:107600002406FF803C04100027BD0008ACAB000C32
73856+:10761000ACA90014A4A00018A0A6001203E0000862
73857+:10762000ACE40178308800FF30A700FF3C03800005
73858+:107630008C6201780440FFFE3C0C8000358A0A0011
73859+:107640008D4B00203584014035850980AC8B0004CA
73860+:107650008D4900240007302B00061540AC89000836
73861+:10766000A088001090A3004CA083002D03E0000828
73862+:10767000A480001827BDFFE8308400FFAFBF0010D2
73863+:107680000E00075D30A500FF8F8300548FBF0010F0
73864+:107690003C06800034C50140344700402404FF907C
73865+:1076A0003C02100027BD0018ACA3000CA0A40012DF
73866+:1076B000ACA7001403E00008ACC2017827BDFFE0CE
73867+:1076C0003C088008AFBF001CAFB20018AFB1001477
73868+:1076D000AFB00010351000808E0600183C07800007
73869+:1076E000309200FF00C72025AE0400180E00007C79
73870+:1076F00030B100FF92030005346200080E00007EE6
73871+:10770000A2020005024020210E000771022028215C
73872+:10771000024020218FBF001C8FB200188FB10014CF
73873+:107720008FB0001024050005240600010A0007326E
73874+:1077300027BD00203C05800034A309809066000826
73875+:1077400030C200081040000F3C0A01013549080A08
73876+:10775000AC8900008CA80074AC8800043C070800C9
73877+:1077600090E73FD830E5001050A00008AC8000083A
73878+:107770003C0D800835AC00808D8B0058AC8B000828
73879+:107780002484000C03E00008008010210A0007B5E3
73880+:107790002484000C27BDFFE83C098000AFB0001036
73881+:1077A000AFBF00143526098090C8000924020006E6
73882+:1077B00000A05821310300FF3527090000808021F7
73883+:1077C000240500041062007B2408000294CF005CB2
73884+:1077D0003C0E020431EDFFFF01AE6025AE0C00004F
73885+:1077E00090CA00083144002010800008000000000A
73886+:1077F00090C2004E3C1F010337F90300305800FFD0
73887+:107800000319302524050008AE06000490F9001184
73888+:1078100090E6001290E40011333800FF00187082E7
73889+:1078200030CF00FF01CF5021014B6821308900FF8C
73890+:1078300031AAFFFF39230028000A60801460002C61
73891+:10784000020C482390E400123C198000372F0100FD
73892+:10785000308C00FF018B1821000310800045F821B7
73893+:10786000001F8400360706FFAD270004373F0900DC
73894+:1078700093EC001193EE0012372609800005C082B8
73895+:107880008DE4000C8CC5003431CD00FF01AB10211C
73896+:107890000058182100A4F8230008840000033F00CA
73897+:1078A00000F0302533F9FFFF318F00FC00D970253F
73898+:1078B0000158202101E9682100045080ADAE000C80
73899+:1078C0000E00007C012A80213C088008240B000463
73900+:1078D000350500800E00007EA0AB000902001021DB
73901+:1078E0008FBF00148FB0001003E0000827BD001800
73902+:1078F00090EC001190E300193C18080097183FCE57
73903+:10790000318200FF0002F882307000FF001FCE00BD
73904+:1079100000103C000327302500D870253C0F4000A4
73905+:1079200001CF68253C198000AD2D0000373F0900CC
73906+:1079300093EC001193EE0012372F010037260980D7
73907+:107940000005C0828DE4000C8CC5003431CD00FFF1
73908+:1079500001AB10210058182100A4F823000884006E
73909+:1079600000033F0000F0302533F9FFFF318F00FCAA
73910+:1079700000D970250158202101E9682100045080B8
73911+:10798000ADAE000C0E00007C012A80213C0880086E
73912+:10799000240B0004350500800E00007EA0AB00091A
73913+:1079A000020010218FBF00148FB0001003E0000808
73914+:1079B00027BD00180A0007C72408001227BDFFD002
73915+:1079C0003C038000AFB60028AFB50024AFB4002060
73916+:1079D000AFB10014AFBF002CAFB3001CAFB20018A2
73917+:1079E000AFB000103467010090E6000B309400FF48
73918+:1079F00030B500FF30C200300000B02110400099C7
73919+:107A000000008821346409809088000800082E0056
73920+:107A100000051E03046000C0240400048F86005487
73921+:107A20003C010800A0243FD83C0C8000AD800048F9
73922+:107A30003C048000348E010091CD000B31A5002064
73923+:107A400010A000073C078000349309809272000860
73924+:107A50000012860000107E0305E000C43C1F800871
73925+:107A600034EC0100918A000B34EB09809169000825
73926+:107A7000314400400004402B3123000800C8982303
73927+:107A80001460000224120003000090213C108000CA
73928+:107A900036180A8036040900970E002C90830011D6
73929+:107AA0009089001293050018307F00FF312800FFF5
73930+:107AB000024810210002C880930D0018033F78216E
73931+:107AC00001F1302130B100FF00D11821A78E0058FC
73932+:107AD0003C010800A4263FCE3C010800A4233FD06F
73933+:107AE00015A00002000000000000000D920B010B29
73934+:107AF0003065FFFF3C010800A4233FD2316A0040FB
73935+:107B00003C010800A4203FC83C010800A4203FC459
73936+:107B10001140000224A4000A24A4000B3091FFFFAE
73937+:107B20000E0001E7022020219206010B3C0C080008
73938+:107B3000958C3FD2004020210006698231A70001C8
73939+:107B40000E00060101872821004020210260282123
73940+:107B50000E00060C024030210E0007A1004020213B
73941+:107B600016C00069004020219212010B32560040DD
73942+:107B700012C000053C0500FF8C93000034AEFFFFEF
73943+:107B8000026E8024AC9000000E0001FB0220202138
73944+:107B90003C0F080091EF3FD831F10003122000168E
73945+:107BA0003C1380088F8200543C09800835280080EF
73946+:107BB000245F0001AD1F003C3C0580088CB9000427
73947+:107BC00003E02021033FC0231B000002AF9F0054AD
73948+:107BD0008CA400040E0006F8ACA400043C0780004E
73949+:107BE0008CEB00743C04800834830080004B5021EF
73950+:107BF000AC6A000C3C1380083670008002802021A3
73951+:107C000002A02821A200006B0E00075D3C1480003A
73952+:107C10008F920054368C0140AD92000C8F86004844
73953+:107C20003C151000344D000624D60001AF960048E4
73954+:107C30008FBF002CA18600128FB60028AD8D0014D6
73955+:107C40008FB3001CAE9501788FB200188FB5002459
73956+:107C50008FB400208FB100148FB0001003E0000833
73957+:107C600027BD003034640980908F0008000F760033
73958+:107C7000000E6E0305A00033347F090093F8001B4B
73959+:107C8000241900103C010800A0393FD8331300022A
73960+:107C90001260FF678F8600548F8200601446FF6574
73961+:107CA0003C0480000E00007C000000003C048008C2
73962+:107CB0003485008090A8000924060016310300FFD7
73963+:107CC0001066000D0000000090AB00093C070800A2
73964+:107CD00090E73FD824090008316400FF34EA00012E
73965+:107CE0003C010800A02A3FD81089002F240C000A6C
73966+:107CF000108C00282402000C0E00007E0000000002
73967+:107D00000A0008608F8600540E0007B9024028213F
73968+:107D10000A0008AE004020213C0B8008356A008034
73969+:107D20008D4600548CE9000C1120FF3DAF860054B5
73970+:107D3000240700143C010800A0273FD80A00085F70
73971+:107D40003C0C800090910008241200023C010800C5
73972+:107D5000A0323FD8323000201200000B2416000160
73973+:107D60008F8600540A0008602411000837F800804C
73974+:107D70008F020038AFE200048FF90004AF19003C15
73975+:107D80000A00086C3C0780008F8600540A000860D7
73976+:107D900024110004A0A200090E00007E00000000D3
73977+:107DA0000A0008608F860054240200140A00093A71
73978+:107DB000A0A2000927BDFFE8AFB000103C10800072
73979+:107DC000AFBF001436020100904400090E00075DA9
73980+:107DD000240500013C0480089099000E3483008043
73981+:107DE000909F000F906F00269089000A33F800FFE3
73982+:107DF00000196E000018740031EC00FF01AE502530
73983+:107E0000000C5A00014B3825312800FF3603014091
73984+:107E10003445600000E830252402FF813C04100056
73985+:107E2000AC66000C8FBF0014AC650014A062001299
73986+:107E3000AE0401788FB0001003E0000827BD0018E1
73987+:107E400027BDFFE8308400FFAFBF00100E00075DC4
73988+:107E500030A500FF3C05800034A4014034470040B9
73989+:107E60002406FF92AC870014A08600128F83005472
73990+:107E70008FBF00103C02100027BD0018AC83000C1F
73991+:107E800003E00008ACA2017827BDFFD8AFB0001016
73992+:107E9000308400FF30B000FF3C058000AFB100141B
73993+:107EA000AFBF0020AFB3001CAFB20018000410C277
73994+:107EB00034A60100320300023051000114600007B3
73995+:107EC00090D200093C098008353300809268000593
73996+:107ED0003107000810E0000C308A00100240202119
73997+:107EE0000E00078302202821240200018FBF0020FA
73998+:107EF0008FB3001C8FB200188FB100148FB0001028
73999+:107F000003E0000827BD00281540003434A50A000E
74000+:107F10008CB800248CAF0008130F004B00003821F0
74001+:107F20003C0D800835B30080926C00682406000286
74002+:107F3000318B00FF116600843C06800034C20100D2
74003+:107F40009263004C90590009307F00FF53F9000400
74004+:107F50003213007C10E00069000000003213007C46
74005+:107F60005660005C0240202116200009320D0001FD
74006+:107F70003C0C800035840100358B0A008D6500249F
74007+:107F80008C86000414A6FFD900001021320D0001D8
74008+:107F900011A0000E024020213C1880003710010083
74009+:107FA0008E0F000C8F8E005011EE000800000000B4
74010+:107FB0000E000843022028218E19000C3C1F800867
74011+:107FC00037F00080AE190050024020210E000771EA
74012+:107FD000022028210A00098F240200013C05080024
74013+:107FE0008CA5006424A400013C010800AC240064BA
74014+:107FF0001600000D00000000022028210E0007716D
74015+:1080000002402021926E0068240C000231CD00FF56
74016+:1080100011AC0022024020210E00094100000000A6
74017+:108020000A00098F240200010E00007024040001E0
74018+:10803000926B0025020B30250E00007EA266002503
74019+:108040000A0009D3022028218E6200188CDF000468
74020+:108050008CB9002400021E0217F9FFB13065007FC1
74021+:108060009268004C264400013093007F1265004066
74022+:10807000310300FF1464FFAB3C0D8008264700016C
74023+:1080800030F1007F30E200FF1225000B24070001D1
74024+:10809000004090210A00099C2411000124050004DD
74025+:1080A0000E000732240600010E0009410000000006
74026+:1080B0000A00098F240200012405FF8002452024C4
74027+:1080C00000859026324200FF004090210A00099C62
74028+:1080D000241100010E00084302202821320700303D
74029+:1080E00010E0FFA132100082024020210E00078321
74030+:1080F000022028210A00098F240200018E6900183D
74031+:108100000240202102202821012640250E0009647A
74032+:10811000AE6800189264004C240500032406000198
74033+:108120000E000732308400FF0E00007024040001AE
74034+:1081300092710025021150250E00007EA26A0025D2
74035+:108140000A00098F240200018E6F00183C1880007D
74036+:108150000240202101F87025022028210E0007711D
74037+:10816000AE6E00189264004C0A000A1B240500043D
74038+:10817000324A0080394900801469FF6A3C0D80084A
74039+:108180000A0009F42647000127BDFFC0AFB0001860
74040+:108190003C108000AFBF0038AFB70034AFB600303E
74041+:1081A000AFB5002CAFB40028AFB30024AFB20020AD
74042+:1081B0000E0005BEAFB1001C360201009045000B59
74043+:1081C0000E00097690440008144000E78FBF003885
74044+:1081D0003C08800835070080A0E0006B3606098067
74045+:1081E00090C50000240300503C17080026F73F907C
74046+:1081F00030A400FF3C13080026733FA01083000347
74047+:108200003C1080000000B82100009821241F0010BD
74048+:108210003611010036120A00361509808E580024E6
74049+:108220008E3400048EAF00208F8C00543C01080077
74050+:10823000A03F3FD836190A80972B002C8EF60000FD
74051+:10824000932A00180298702301EC68233C0108006F
74052+:10825000AC2E3FB43C010800AC2D3FB83C010800F7
74053+:10826000AC2C3FDCA78B005802C0F809315400FF4A
74054+:1082700030490002152000E930420001504000C49E
74055+:108280009227000992A90008312800081500000271
74056+:10829000241500030000A8213C0A80003543090092
74057+:1082A00035440A008C8D00249072001190700012E9
74058+:1082B000907F0011325900FF321100FF02B11021EE
74059+:1082C0000002C08033EF00FF0319B021028F70213C
74060+:1082D00002D4602125CB00103C010800A4363FCE1B
74061+:1082E0003C010800AC2D3FE03C010800A42C3FD02D
74062+:1082F0003C010800A42B3FCC3556010035540980C1
74063+:1083000035510E008F8700548F89005C8E850020C8
74064+:1083100024080006012730233C010800AC283FD484
74065+:1083200000A7282304C000B50000902104A000B3DA
74066+:1083300000C5502B114000B5000000003C010800B2
74067+:10834000AC263FB88E6200000040F8090000000033
74068+:108350003046000214C0007400408021304B000100
74069+:10836000556000118E6200043C0D08008DAD3FBCCD
74070+:108370003C0EC0003C04800001AE6025AE2C000025
74071+:108380008C980000330F000811E0FFFD0000000092
74072+:10839000963F000824120001A79F00408E39000478
74073+:1083A000AF9900388E6200040040F8090000000018
74074+:1083B0000202802532030002146000B300000000B6
74075+:1083C0003C09080095293FC43C06080094C63FD0EC
74076+:1083D0003C0A0800954A3FC63C0708008CE73FBCB2
74077+:1083E000012670213C0308008C633FE03C08080034
74078+:1083F00095083FDA01CA20218ED9000C00E9282116
74079+:10840000249F000200A878210067C02133E4FFFF09
74080+:10841000AF9900503C010800AC383FE03C01080037
74081+:10842000A42F3FC83C010800A42E3FD20E0001E754
74082+:10843000000000008F8D0048004020213C01080012
74083+:10844000A02D3FD98E62000825AC0001AF8C0048FA
74084+:108450000040F809000000008F85005402A0302180
74085+:108460000E00060C004020210E0007A10040202134
74086+:108470008E6B000C0160F809004020213C0A0800C6
74087+:10848000954A3FD23C06080094C63FC601464821A3
74088+:10849000252800020E0001FB3104FFFF3C05080007
74089+:1084A0008CA53FB43C0708008CE73FBC00A7202305
74090+:1084B0003C010800AC243FB414800006000000001A
74091+:1084C0003C0208008C423FD4344B00403C01080081
74092+:1084D000AC2B3FD4124000438F8E00448E2D0010F1
74093+:1084E0008F920044AE4D00208E2C0018AE4C00241C
74094+:1084F0003C04080094843FC80E0006FA0000000007
74095+:108500008F9F00548E6700103C010800AC3F3FDC99
74096+:1085100000E0F809000000003C1908008F393FB462
74097+:108520001720FF798F870054979300583C11800ED5
74098+:10853000321601000E000729A633002C16C0004594
74099+:10854000320300105460004C8EE5000432080040F5
74100+:108550005500001D8EF000088EE4000C0080F80924
74101+:10856000000000008FBF00388FB700348FB6003096
74102+:108570008FB5002C8FB400288FB300248FB2002059
74103+:108580008FB1001C8FB0001803E0000827BD004029
74104+:108590008F86003C36110E0000072E0000A6202515
74105+:1085A000AE0400808E4300208E500024AFA3001044
74106+:1085B000AE2300148FB20010AE320010AE30001C9B
74107+:1085C0000A000A75AE3000180200F8090000000029
74108+:1085D0008EE4000C0080F809000000000A000B2E59
74109+:1085E0008FBF003824180001240F0001A5C000200F
74110+:1085F000A5D800220A000B10ADCF00243C010800D2
74111+:10860000AC203FB80A000AA68E6200003C010800B8
74112+:10861000AC253FB80A000AA68E6200009224000929
74113+:108620000E000771000028218FBF00388FB700347B
74114+:108630008FB600308FB5002C8FB400288FB3002484
74115+:108640008FB200208FB1001C8FB0001803E000082B
74116+:1086500027BD00403C1480009295010900002821AC
74117+:108660000E00084332A400FF320300105060FFB830
74118+:10867000320800408EE5000400A0F8090000000068
74119+:108680000A000B28320800405240FFA89793005878
74120+:108690008E3400148F930044AE7400208E35001C7D
74121+:1086A000AE7500240A000B1F979300588F820014A8
74122+:1086B0000004218003E00008008210213C078008AC
74123+:1086C00034E200809043006900804021106000097E
74124+:1086D0003C0401003C0708008CE73FDC8F8300303E
74125+:1086E00000E32023048000089389001C14E30003A6
74126+:1086F0000100202103E00008008010213C0401005B
74127+:1087000003E00008008010211120000B00673823CF
74128+:108710003C0D800035AC0980918B007C316A0002F1
74129+:10872000114000202409003400E9702B15C0FFF12E
74130+:108730000100202100E938232403FFFC00A3C82402
74131+:1087400000E3C02400F9782B15E0FFEA030820219C
74132+:1087500030C400030004102314C000143049000387
74133+:108760000000302100A9782101E6702100EE682B7D
74134+:1087700011A0FFE03C0401002D3800010006C82BC9
74135+:10878000010548210319382414E0FFDA2524FFFCF1
74136+:108790002402FFFC00A218240068202103E0000846
74137+:1087A000008010210A000B9E240900303C0C800040
74138+:1087B0003586098090CB007C316A00041540FFE9C2
74139+:1087C000240600040A000BAD000030213C03080021
74140+:1087D0008C63005C8F82001827BDFFE0AFBF0018DC
74141+:1087E000AFB1001410620005AFB00010000329C043
74142+:1087F00024A40280AF840014AF8300183C108000D2
74143+:1088000036020A0094450032361101000E000B7F3B
74144+:1088100030A43FFF8E240000241FFF803C11008005
74145+:108820000082C021031F60243309007F000CC9406F
74146+:1088300003294025330E0078362F00033C0D10002D
74147+:10884000010D502501CF5825AE0C002836080980AF
74148+:10885000AE0C080CAE0B082CAE0A08309103006970
74149+:108860003C06800C0126382110600006AF870034DA
74150+:108870008D09003C8D03006C0123382318E0008231
74151+:10888000000000003C0B8008356A00803C1080002E
74152+:10889000A1400069360609808CC200383C06800081
74153+:1088A00034C50A0090A8003C310C00201180001A49
74154+:1088B000AF820030240D00013C0E800035D10A004B
74155+:1088C000A38D001CAF8000248E2400248F850024FB
74156+:1088D000240D0008AF800020AF8000283C01080074
74157+:1088E000A42D3FC63C010800A4203FDA0E000B83F4
74158+:1088F000000030219228003C8FBF00188FB1001477
74159+:108900008FB0001000086142AF82002C27BD00200C
74160+:1089100003E000083182000190B80032240E00010B
74161+:10892000330F00FF000F2182108E00412419000236
74162+:108930001099006434C40AC03C03800034640A0007
74163+:108940008C8F002415E0001E34660900909F0030D3
74164+:108950002418000533F9003F1338004E24030001AA
74165+:108960008F860020A383001CAF860028AF860024DA
74166+:108970003C0E800035D10A008E2400248F8500240F
74167+:10898000240D00083C010800A42D3FC63C0108004E
74168+:10899000A4203FDA0E000B83000000009228003C68
74169+:1089A0008FBF00188FB100148FB000100008614213
74170+:1089B000AF82002C27BD002003E0000831820001B7
74171+:1089C0008C8A00088C8B00248CD000643C0E8000C4
74172+:1089D00035D10A00014B2823AF900024A380001C4E
74173+:1089E000AF8500288E2400248F8600208F850024E8
74174+:1089F000240D00083C010800A42D3FC63C010800DE
74175+:108A0000A4203FDA0E000B83000000009228003CF7
74176+:108A10008FBF00188FB100148FB0001000086142A2
74177+:108A2000AF82002C27BD002003E000083182000146
74178+:108A300090A200303051003F5224002834C50AC0B3
74179+:108A40008CB000241600002234CB09008CA600480C
74180+:108A50003C0A7FFF3545FFFF00C510243C0E800017
74181+:108A6000AF82002035C509008F8800208CAD0060E2
74182+:108A7000010D602B15800002010020218CA40060F4
74183+:108A80000A000C22AF8400208D02006C0A000BFC4F
74184+:108A90003C0680008C8200488F8600203C097FFFC6
74185+:108AA0003527FFFF004788243C0480082403000189
74186+:108AB000AF910028AC80006CA383001C0A000C302E
74187+:108AC000AF8600248C9F00140A000C22AF9F002068
74188+:108AD0008D6200680A000C6C3C0E800034C4098072
74189+:108AE0008C8900708CA300140123382B10E0000443
74190+:108AF000000000008C8200700A000C6C3C0E8000AC
74191+:108B00008CA200140A000C6C3C0E80008F8500249F
74192+:108B100027BDFFE0AFBF0018AFB1001414A00008DC
74193+:108B2000AFB000103C04800034870A0090E60030AB
74194+:108B30002402000530C3003F106200B934840900EC
74195+:108B40008F91002000A080213C048000348E0A0018
74196+:108B50008DCD00043C0608008CC63FB831A73FFF0E
74197+:108B600000E6602B5580000100E03021938F001C4F
74198+:108B700011E0007800D0282B349F098093F9007C05
74199+:108B800033380002130000792403003400C3102B93
74200+:108B9000144000D90000000000C3302300D0282B6F
74201+:108BA0003C010800A4233FC414A0006E0200182159
74202+:108BB0003C0408008C843FB40064402B5500000145
74203+:108BC000006020213C05800034A90A00912A003C65
74204+:108BD0003C010800AC243FBC31430020146000037A
74205+:108BE0000000482134AB0E008D6900188F88002CDE
74206+:108BF0000128202B1080005F000000003C050800C9
74207+:108C00008CA53FBC00A96821010D602B1180005C80
74208+:108C100000B0702B0109382300E028213C01080036
74209+:108C2000AC273FBC12000003240AFFFC10B0008DEB
74210+:108C30003224000300AA18243C010800A4203FDAD3
74211+:108C40003C010800AC233FBC006028218F84002435
74212+:108C5000120400063C0B80088D6C006C0200202181
74213+:108C6000AF91002025900001AD70006C8F8D002821
74214+:108C700000858823AF91002401A52023AF8400281C
74215+:108C80001220000224070018240700103C18800856
74216+:108C90003706008090CF00683C010800A0273FD82D
74217+:108CA0002407000131EE00FF11C70047000000005B
74218+:108CB00014800018000028213C06800034D109806F
74219+:108CC00034CD010091A600098E2C001824C40001A7
74220+:108CD000000C86023205007F308B007F1165007F1B
74221+:108CE0002407FF803C19800837290080A124004C0C
74222+:108CF0003C0808008D083FD4241800023C010800FD
74223+:108D0000A0384019350F00083C010800AC2F3FD4B3
74224+:108D1000240500103C02800034440A009083003C8B
74225+:108D2000307F002013E0000500A02021240A00016C
74226+:108D30003C010800AC2A3FBC34A400018FBF0018DE
74227+:108D40008FB100148FB000100080102103E00008E4
74228+:108D500027BD00203C010800A4203FC410A0FF94C0
74229+:108D6000020018210A000CC000C018210A000CB72C
74230+:108D7000240300303C0508008CA53FBC00B0702BDC
74231+:108D800011C0FFA8000000003C19080097393FC43B
74232+:108D90000325C0210307782B11E000072CAA00044B
74233+:108DA0003C0360008C625404305F003F17E0FFE337
74234+:108DB000240400422CAA00041140FF9A240400421B
74235+:108DC0000A000D248FBF00181528FFB9000000000D
74236+:108DD0008CCA00183C1F800024020002015F182585
74237+:108DE000ACC3001837F90A00A0C200689329003C00
74238+:108DF0002404000400A01021312800203C010800B8
74239+:108E0000A0244019110000022405001024020001D2
74240+:108E10003C010800AC223FB40A000D1A3C0280005D
74241+:108E20008F8800288C8900600109282B14A000027B
74242+:108E3000010088218C9100603C048000348B0E007E
74243+:108E40008D640018240A000102202821022030210C
74244+:108E5000A38A001C0E000B83022080210A000CA6AE
74245+:108E6000AF82002C00045823122000073164000355
74246+:108E70003C0E800035C7098090ED007C31AC0004C9
74247+:108E800015800019248F00043C010800A4243FDA57
74248+:108E90003C1F080097FF3FDA03E5C82100D9C02B2B
74249+:108EA0001300FF6B8F8400242CA6000514C0FFA3C1
74250+:108EB0002404004230A200031440000200A2182340
74251+:108EC00024A3FFFC3C010800AC233FBC3C0108008C
74252+:108ED000A4203FDA0A000CE70060282100C77024B4
74253+:108EE0000A000D0D01C720263C010800A42F3FDA1F
74254+:108EF0000A000D78000000003C010800AC203FBCD7
74255+:108F00000A000D23240400428F8300283C058000C2
74256+:108F100034AA0A00146000060000102191470030B6
74257+:108F20002406000530E400FF108600030000000066
74258+:108F300003E0000800000000914B0048316900FF89
74259+:108F4000000941C21500FFFA3C0680083C040800F5
74260+:108F500094843FC43C0308008C633FDC3C19080048
74261+:108F60008F393FBC3C0F080095EF3FDA0064C02109
74262+:108F70008CCD00040319702101CF602134AB0E00A9
74263+:108F8000018D282318A0001D00000000914F004C07
74264+:108F90008F8C0034956D001031EE00FF8D89000438
74265+:108FA00001AE30238D8A000030CEFFFF000E290075
74266+:108FB0000125C82100003821014720210325182B55
74267+:108FC0000083C021AD990004AD980000918F000A84
74268+:108FD00001CF6821A18D000A956500128F8A0034A7
74269+:108FE000A5450008954B003825690001A5490038C2
74270+:108FF0009148000D35070008A147000D03E0000867
74271+:109000000000000027BDFFD8AFB000189388001CF7
74272+:109010008FB000143C0A80003C197FFF8F8700242A
74273+:109020003738FFFFAFBF0020AFB1001C355F0A002B
74274+:109030000218182493EB003C00087FC03C02BFFFDD
74275+:10904000006F60252CF000013449FFFF3C1F080031
74276+:109050008FFF3FDC8F9900303C18080097183FD2F3
74277+:1090600001897824001047803C07EFFF3C05F0FFA2
74278+:1090700001E818253C1180003169002034E2FFFF2F
74279+:1090800034ADFFFF362E098027A50010240600020C
74280+:1090900003F96023270B0002354A0E0000621824F2
74281+:1090A0000080802115200002000040218D48001C16
74282+:1090B000A7AB0012058000392407000030E800FF4C
74283+:1090C00000083F00006758253C028008AFAB001441
74284+:1090D000344F008091EA00683C08080091083FD9AD
74285+:1090E0003C09DFFF352CFFFF000AF82B3C0208008B
74286+:1090F00094423FCCA3A80011016CC024001FCF40B4
74287+:10910000031918258FA70010AFA300143C0C08000A
74288+:10911000918C3FDBA7A200168FAB001400ED482412
74289+:109120003C0F01003C0A0FFF012FC82531980003B6
74290+:10913000355FFFFF016D40243C027000033F38247F
74291+:1091400000181E0000E2482501037825AFAF001487
74292+:10915000AFA9001091CC007C0E000092A3AC0015CA
74293+:10916000362D0A0091A6003C30C400201080000675
74294+:10917000260200083C11080096313FC8262EFFFF4A
74295+:109180003C010800A42E3FC88FBF00208FB1001CF7
74296+:109190008FB0001803E0000827BD00288F8B002C3B
74297+:1091A000010B502B5540FFC5240700010A000E0497
74298+:1091B00030E800FF9383001C3C02800027BDFFD8ED
74299+:1091C00034480A0000805021AFBF002034460AC056
74300+:1091D000010028211060000E3444098091070030FE
74301+:1091E000240B00058F89002030EC003F118B000B11
74302+:1091F00000003821AFA900103C0B80088D69006C7D
74303+:10920000AFAA00180E00015AAFA90014A380001CD9
74304+:109210008FBF002003E0000827BD00288D1F0048F5
74305+:109220003C1808008F183FBC8F9900283C027FFF34
74306+:109230008D0800443443FFFFAFA900103C0B8008A9
74307+:109240008D69006C03E370240319782101CF682332
74308+:1092500001A83821AFAA00180E00015AAFA90014C6
74309+:109260000A000E58A380001C3C05800034A60A00AA
74310+:1092700090C7003C3C06080094C63FDA3C02080058
74311+:109280008C423FD430E30020000624001060001E12
74312+:10929000004438253C0880083505008090A300680C
74313+:1092A00000004821240800010000282124040001B6
74314+:1092B0003C0680008CCD017805A0FFFE34CF014034
74315+:1092C000ADE800083C0208008C423FDCA5E5000444
74316+:1092D000A5E40006ADE2000C3C04080090843FD9F0
74317+:1092E0003C03800834790080A1E40012ADE700144B
74318+:1092F000A5E900189338004C3C0E1000A1F8002D91
74319+:1093000003E00008ACCE017834A90E008D28001CC3
74320+:109310003C0C08008D8C3FBC952B0016952A001440
74321+:10932000018648213164FFFF0A000E803145FFFFAE
74322+:109330003C04800034830A009065003C30A2002089
74323+:109340001040001934870E00000040210000382131
74324+:10935000000020213C0680008CC901780520FFFE1A
74325+:1093600034CA014034CF010091EB0009AD48000838
74326+:109370003C0E08008DCE3FDC240DFF91240C0040F4
74327+:109380003C081000A5440004A5470006AD4E000CA3
74328+:10939000A14D0012AD4C0014A5400018A14B002DAA
74329+:1093A00003E00008ACC801788CE8001894E60012CD
74330+:1093B00094E4001030C7FFFF0A000EA93084FFFFBD
74331+:1093C0003C04800034830A009065003C30A20020F9
74332+:1093D0001040002727BDFFF82409000100003821B4
74333+:1093E000240800013C0680008CCA01780540FFFE7D
74334+:1093F0003C0280FF34C40100908D00093C0C080041
74335+:10940000918C4019A3AD00038FAB00003185007F24
74336+:109410003459FFFF01665025AFAA00009083000A6F
74337+:10942000A3A0000200057E00A3A300018FB80000E6
74338+:1094300034CB0140240C30000319702401CF68257F
74339+:10944000AD6D000C27BD0008AD6C0014A5600018C0
74340+:10945000AD690008A56700042409FF80A56800061F
74341+:109460003C081000A169001203E00008ACC80178B4
74342+:1094700034870E008CE9001894E6001294E4001082
74343+:1094800030C8FFFF0A000ECD3087FFFF27BDFFE089
74344+:10949000AFB100143C118000AFB00010AFBF001896
74345+:1094A00036380A00970F0032363001000E000B7F6D
74346+:1094B00031E43FFF8E0E0000240DFF803C042000AD
74347+:1094C00001C25821016D6024000C4940316A007FBF
74348+:1094D000012A4025010438253C048008AE270830C5
74349+:1094E0003486008090C500682403000230A200FF8B
74350+:1094F000104300048F9F00208F990024AC9F0068C8
74351+:10950000AC9900648FBF00188FB100148FB00010A9
74352+:1095100003E0000827BD00203C0A0800254A3A80E5
74353+:109520003C09080025293B103C08080025082F1C91
74354+:109530003C07080024E73BDC3C06080024C639044D
74355+:109540003C05080024A536583C0408002484325CFD
74356+:109550003C030800246339B83C0208002442375415
74357+:109560003C010800AC2A3F983C010800AC293F941C
74358+:109570003C010800AC283F903C010800AC273F9C10
74359+:109580003C010800AC263FAC3C010800AC253FA4E0
74360+:109590003C010800AC243FA03C010800AC233FB0D4
74361+:1095A0003C010800AC223FA803E0000800000000D6
74362+:1095B00080000940800009008008010080080080C8
74363+:1095C00080080000800E00008008008080080000F5
74364+:1095D00080000A8080000A00800009808000090065
74365+:00000001FF
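--- a/fs/Kconfig.binfmt
+++ b/fs/Kconfig.binfmt
@@ -103,7 +103,7 @@ config HAVE_AOUT
 
 config BINFMT_AOUT
 tristate "Kernel support for a.out and ECOFF binaries"
- depends on HAVE_AOUT
+ depends on HAVE_AOUT && BROKEN
 ---help---
 A.out (Assembler.OUTput) is a set of formats for libraries and
 executables used in the earliest versions of UNIX. Linux used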
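Review bot: The new `depends on HAVE_AOUT && BROKEN` line turns the a.out loader off without saying why, and the help text that follows still describes it as an ordinary selectable feature. A one-line comment above the dependency, for example `# a.out/ECOFF loader disabled on purpose: legacy binary format, kept out of the build to reduce exposed parsing code`, would tell the next maintainer that this is deliberate and not a build breakage. The rationale is inferred here and should be confirmed by the patch author. The help text continues past the end of the hunk.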
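--- a/fs/afs/inode.c
+++ b/fs/afs/inode.c
@@ -141,7 +141,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
 struct afs_vnode *vnode;
 struct super_block *sb;
 struct inode *inode;
- static atomic_t afs_autocell_ino;
+ static atomic_unchecked_t afs_autocell_ino;
 
 _enter("{%x:%u},%*.*s,",
 AFS_FS_I(dir)->fid.vid, AFS_FS_I(dir)->fid.vnode,
@@ -154,7 +154,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
 data.fid.unique = 0;
 data.fid.vnode = 0;
 
- inode = iget5_locked(sb, atomic_inc_return(&afs_autocell_ino),
+ inode = iget5_locked(sb, atomic_inc_return_unchecked(&afs_autocell_ino),
 afs_iget5_autocell_test, afs_iget5_set,
 &data);
 if (!inode) {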
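Review bot: Nothing at the `afs_autocell_ino` declaration says why it moves to `atomic_unchecked_t`, so a reader cannot tell whether wrap-around was considered. The counter feeds `iget5_locked()` as an inode number and does not count references, which is presumably why overflow detection is switched off for it; a comment such as `/* inode-number generator, not a refcount: wrapping is tolerated */` on the declaration would record that. Once the counter wraps, an earlier autocell inode number can be handed out again, so it is worth confirming that `afs_iget5_autocell_test`, which is outside this section, cannot match a stale entry. Both hunks sit inside `afs_iget_autocell`, whose body starts and ends outside them.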
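--- a/fs/aio.c
+++ b/fs/aio.c
@@ -441,7 +441,7 @@ static int aio_setup_ring(struct kioctx *ctx)
 size += sizeof(struct io_event) * nr_events;
 
 nr_pages = PFN_UP(size);
- if (nr_pages < 0)
+ if (nr_pages <= 0)
 return -EINVAL;
 
 file = aio_private_file(ctx, nr_pages);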
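Review bot: The tightened test `if (nr_pages <= 0)` only catches a page count that ends up zero or negative; a `size` that wrapped in `size += sizeof(struct io_event) * nr_events` two lines earlier can still yield a small positive `nr_pages` and pass. The declarations and any earlier bound on `nr_events` are outside the hunk, so this may already be covered. If it is not, the multiplication should be bounded before it is performed, not inferred from the sign afterwards. A short comment on the check, e.g. `/* reject an empty or overflowed ring size */`, would also make the reason for `<=` explicit.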
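--- a/fs/attr.c
+++ b/fs/attr.c
@@ -102,6 +102,7 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
 unsigned long limit;
 
 limit = rlimit(RLIMIT_FSIZE);
+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
 if (limit != RLIM_INFINITY && offset > limit)
 goto out_sig;
 if (offset > inode->i_sb->s_maxbytes)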
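Review bot: The cast in `gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1)` narrows `offset`, which the hunk header shows is a `loff_t`. Where `unsigned long` is 32 bits, a size of 4 GiB or more is reported truncated, and a negative offset is reported as a very large value, so the learned file-size figure can differ from what the process actually requested. The prototype of `gr_learn_resource` is not visible here: if it can take a 64-bit value, pass `offset` without narrowing, otherwise saturate at `ULONG_MAX` so the value does not wrap. The hook also runs before the `offset > limit` test, so it records requests that are then refused; a comment such as `/* record the requested size even if the limit check below rejects it */` would confirm that this is intended.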
74426diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
74427index 35b755e..f4b9e0a 100644
74428--- a/fs/autofs4/waitq.c
74429+++ b/fs/autofs4/waitq.c
74430@@ -59,7 +59,7 @@ static int autofs4_write(struct autofs_sb_info *sbi,
74431 {
74432 unsigned long sigpipe, flags;
74433 mm_segment_t fs;
74434- const char *data = (const char *)addr;
74435+ const char __user *data = (const char __force_user *)addr;
74436 ssize_t wr = 0;
74437
74438 sigpipe = sigismember(&current->pending.signal, SIGPIPE);
74439@@ -340,6 +340,10 @@ static int validate_request(struct autofs_wait_queue **wait,
74440 return 1;
74441 }
74442
74443+#ifdef CONFIG_GRKERNSEC_HIDESYM
74444+static atomic_unchecked_t autofs_dummy_name_id = ATOMIC_INIT(0);
74445+#endif
74446+
74447 int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
74448 enum autofs_notify notify)
74449 {
74450@@ -385,7 +389,12 @@ int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
74451
74452 /* If this is a direct mount request create a dummy name */
74453 if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
74454+#ifdef CONFIG_GRKERNSEC_HIDESYM
74455+ /* this name does get written to userland via autofs4_write() */
74456+ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
74457+#else
74458 qstr.len = sprintf(name, "%p", dentry);
74459+#endif
74460 else {
74461 qstr.len = autofs4_getpath(sbi, dentry, &name);
74462 if (!qstr.len) {
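Review bot: The new `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits inside an unbraced `if … else`, so the single-statement body of the `if` is now selected by the preprocessor and preceded by a comment line. Bracing both branches (`if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type)) {` … `} else {`) would keep a later one-line addition from detaching the `else`. The counter is printed with `%08x`; if `atomic_inc_return_unchecked()` returns a signed `int`, which this hunk does not show, a cast to `unsigned int` would match the conversion. The comment could also say outright that the counter replaces `%p` because that name is written to userland and would disclose a kernel address. `autofs4_wait()` starts and ends outside this hunk.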
74463diff --git a/fs/befs/endian.h b/fs/befs/endian.h
74464index 2722387..56059b5 100644
74465--- a/fs/befs/endian.h
74466+++ b/fs/befs/endian.h
74467@@ -11,7 +11,7 @@
74468
74469 #include <asm/byteorder.h>
74470
74471-static inline u64
74472+static inline u64 __intentional_overflow(-1)
74473 fs64_to_cpu(const struct super_block *sb, fs64 n)
74474 {
74475 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
74476@@ -29,7 +29,7 @@ cpu_to_fs64(const struct super_block *sb, u64 n)
74477 return (__force fs64)cpu_to_be64(n);
74478 }
74479
74480-static inline u32
74481+static inline u32 __intentional_overflow(-1)
74482 fs32_to_cpu(const struct super_block *sb, fs32 n)
74483 {
74484 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
74485@@ -47,7 +47,7 @@ cpu_to_fs32(const struct super_block *sb, u32 n)
74486 return (__force fs32)cpu_to_be32(n);
74487 }
74488
74489-static inline u16
74490+static inline u16 __intentional_overflow(-1)
74491 fs16_to_cpu(const struct super_block *sb, fs16 n)
74492 {
74493 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
74494diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c
74495index 4c55668..eeae150 100644
74496--- a/fs/binfmt_aout.c
74497+++ b/fs/binfmt_aout.c
74498@@ -16,6 +16,7 @@
74499 #include <linux/string.h>
74500 #include <linux/fs.h>
74501 #include <linux/file.h>
74502+#include <linux/security.h>
74503 #include <linux/stat.h>
74504 #include <linux/fcntl.h>
74505 #include <linux/ptrace.h>
74506@@ -58,6 +59,8 @@ static int aout_core_dump(struct coredump_params *cprm)
74507 #endif
74508 # define START_STACK(u) ((void __user *)u.start_stack)
74509
74510+ memset(&dump, 0, sizeof(dump));
74511+
74512 fs = get_fs();
74513 set_fs(KERNEL_DS);
74514 has_dumped = 1;
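Review bot: The added `memset(&dump, 0, sizeof(dump));` in `aout_core_dump()` has no comment saying what it protects against, and the reason is not obvious from the call alone. The declaration of `dump` and the code that fills and writes it are outside this hunk, but presumably it is a stack structure that ends up in the core file, in which case any field or padding left unset would carry stale kernel stack bytes out to disk. A one-line comment such as `/* clear padding and unset fields: dump is written to the core file */` would keep the call from being removed later as redundant.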
74515@@ -68,10 +71,12 @@ static int aout_core_dump(struct coredump_params *cprm)
74516
74517 /* If the size of the dump file exceeds the rlimit, then see what would happen
74518 if we wrote the stack, but not the data area. */
74519+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
74520 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
74521 dump.u_dsize = 0;
74522
74523 /* Make sure we have enough room to write the stack and data areas. */
74524+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
74525 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
74526 dump.u_ssize = 0;
74527
74528@@ -232,6 +237,8 @@ static int load_aout_binary(struct linux_binprm * bprm)
74529 rlim = rlimit(RLIMIT_DATA);
74530 if (rlim >= RLIM_INFINITY)
74531 rlim = ~0;
74532+
74533+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
74534 if (ex.a_data + ex.a_bss > rlim)
74535 return -ENOMEM;
74536
74537@@ -261,6 +268,27 @@ static int load_aout_binary(struct linux_binprm * bprm)
74538
74539 install_exec_creds(bprm);
74540
74541+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
74542+ current->mm->pax_flags = 0UL;
74543+#endif
74544+
74545+#ifdef CONFIG_PAX_PAGEEXEC
74546+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
74547+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
74548+
74549+#ifdef CONFIG_PAX_EMUTRAMP
74550+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
74551+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
74552+#endif
74553+
74554+#ifdef CONFIG_PAX_MPROTECT
74555+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
74556+ current->mm->pax_flags |= MF_PAX_MPROTECT;
74557+#endif
74558+
74559+ }
74560+#endif
74561+
74562 if (N_MAGIC(ex) == OMAGIC) {
74563 unsigned long text_addr, map_size;
74564 loff_t pos;
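Review bot: The a.out flag block added to `load_aout_binary()` mixes two polarities without a comment: `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` are tested with `!`, so a set header bit turns the protection off, while `F_PAX_EMUTRAMP` is tested without `!`, so a set bit turns trampoline emulation on. A short comment above the block, for example `/* PAGEEXEC/MPROTECT bits are opt-outs, EMUTRAMP is an opt-in; all apply only while PAGEEXEC stays enabled */`, would make the intent reviewable. The block resets `pax_flags` to `0UL` and never sets SEGMEXEC or RANDMMAP, so if leaving those off for a.out binaries is deliberate, the comment should say that too. The function starts and ends outside this hunk.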
74565@@ -312,7 +340,7 @@ static int load_aout_binary(struct linux_binprm * bprm)
74566 return error;
74567
74568 error = vm_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
74569- PROT_READ | PROT_WRITE | PROT_EXEC,
74570+ PROT_READ | PROT_WRITE,
74571 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
74572 fd_offset + ex.a_text);
74573 if (error != N_DATADDR(ex))
74574diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
74575index 6b65996..17bd3c4 100644
74576--- a/fs/binfmt_elf.c
74577+++ b/fs/binfmt_elf.c
74578@@ -35,6 +35,7 @@
74579 #include <linux/utsname.h>
74580 #include <linux/coredump.h>
74581 #include <linux/sched.h>
74582+#include <linux/xattr.h>
74583 #include <asm/uaccess.h>
74584 #include <asm/param.h>
74585 #include <asm/page.h>
74586@@ -66,6 +67,14 @@ static int elf_core_dump(struct coredump_params *cprm);
74587 #define elf_core_dump NULL
74588 #endif
74589
74590+#ifdef CONFIG_PAX_MPROTECT
74591+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
74592+#endif
74593+
74594+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
74595+static void elf_handle_mmap(struct file *file);
74596+#endif
74597+
74598 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
74599 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
74600 #else
74601@@ -85,6 +94,15 @@ static struct linux_binfmt elf_format = {
74602 .load_binary = load_elf_binary,
74603 .load_shlib = load_elf_library,
74604 .core_dump = elf_core_dump,
74605+
74606+#ifdef CONFIG_PAX_MPROTECT
74607+ .handle_mprotect= elf_handle_mprotect,
74608+#endif
74609+
74610+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
74611+ .handle_mmap = elf_handle_mmap,
74612+#endif
74613+
74614 .min_coredump = ELF_EXEC_PAGESIZE,
74615 };
74616
74617@@ -92,6 +110,8 @@ static struct linux_binfmt elf_format = {
74618
74619 static int set_brk(unsigned long start, unsigned long end)
74620 {
74621+ unsigned long e = end;
74622+
74623 start = ELF_PAGEALIGN(start);
74624 end = ELF_PAGEALIGN(end);
74625 if (end > start) {
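Review bot: The new local `e` in `set_brk()` keeps the caller's unaligned `end`, so `start_brk` and `brk` no longer receive the `ELF_PAGEALIGN`ed value (second hunk of this function, `current->mm->start_brk = current->mm->brk = e;`). Neither the name nor a comment says so. Renaming it, e.g. `unsigned long unaligned_end = end;`, or adding `/* brk starts at the exact end passed in, not at the page boundary */` would make the behaviour change visible. Nothing in the two hunks shows why the unaligned value is wanted, so the comment should record the reason as well.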
74626@@ -100,7 +120,7 @@ static int set_brk(unsigned long start, unsigned long end)
74627 if (BAD_ADDR(addr))
74628 return addr;
74629 }
74630- current->mm->start_brk = current->mm->brk = end;
74631+ current->mm->start_brk = current->mm->brk = e;
74632 return 0;
74633 }
74634
74635@@ -161,12 +181,13 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
74636 elf_addr_t __user *u_rand_bytes;
74637 const char *k_platform = ELF_PLATFORM;
74638 const char *k_base_platform = ELF_BASE_PLATFORM;
74639- unsigned char k_rand_bytes[16];
74640+ u32 k_rand_bytes[4];
74641 int items;
74642 elf_addr_t *elf_info;
74643 int ei_index = 0;
74644 const struct cred *cred = current_cred();
74645 struct vm_area_struct *vma;
74646+ unsigned long saved_auxv[AT_VECTOR_SIZE];
74647
74648 /*
74649 * In some cases (e.g. Hyper-Threading), we want to avoid L1
74650@@ -208,8 +229,12 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
74651 * Generate 16 random bytes for userspace PRNG seeding.
74652 */
74653 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
74654- u_rand_bytes = (elf_addr_t __user *)
74655- STACK_ALLOC(p, sizeof(k_rand_bytes));
74656+ prandom_seed(k_rand_bytes[0] ^ prandom_u32());
74657+ prandom_seed(k_rand_bytes[1] ^ prandom_u32());
74658+ prandom_seed(k_rand_bytes[2] ^ prandom_u32());
74659+ prandom_seed(k_rand_bytes[3] ^ prandom_u32());
74660+ p = STACK_ROUND(p, sizeof(k_rand_bytes));
74661+ u_rand_bytes = (elf_addr_t __user *) p;
74662 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
74663 return -EFAULT;
74664
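Review bot: The four added `prandom_seed()` calls mix the words of `k_rand_bytes` into the kernel's pseudo-random state just before the same buffer is copied to user space by `__copy_to_user()`, while the comment above still describes only userspace PRNG seeding. Because part of the seed input is a value the new process can read, a comment should state why this is acceptable, e.g. `/* opportunistic reseed; each word is XORed with prandom_u32() output that is not disclosed */`. Replacing `STACK_ALLOC()` with `p = STACK_ROUND(p, sizeof(k_rand_bytes))` also makes the reservation of the 16 bytes implicit in the rounding macro, whose definition is outside this hunk. It is worth confirming that `p` still points at the start of the reserved area on stack-grows-up configurations.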
74665@@ -324,9 +349,11 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
74666 return -EFAULT;
74667 current->mm->env_end = p;
74668
74669+ memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
74670+
74671 /* Put the elf_info on the stack in the right place. */
74672 sp = (elf_addr_t __user *)envp + 1;
74673- if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
74674+ if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
74675 return -EFAULT;
74676 return 0;
74677 }
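Review bot: The added `memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));` writes into the on-stack array `unsigned long saved_auxv[AT_VECTOR_SIZE]` declared in the earlier hunk of `create_elf_tables()`, and nothing visible bounds `ei_index` against that array. The code that fills `elf_info` is outside the hunk, so the bound may hold by construction, but with a stack destination an overrun would land on the kernel stack. A guard before the copy, such as `if (WARN_ON(ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv))) return -EINVAL;`, would make the bound explicit. A comment on why `copy_to_user()` now reads from a stack copy rather than from `elf_info` is also missing.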
74678@@ -515,14 +542,14 @@ static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
74679 an ELF header */
74680
74681 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74682- struct file *interpreter, unsigned long *interp_map_addr,
74683+ struct file *interpreter,
74684 unsigned long no_base, struct elf_phdr *interp_elf_phdata)
74685 {
74686 struct elf_phdr *eppnt;
74687- unsigned long load_addr = 0;
74688+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
74689 int load_addr_set = 0;
74690 unsigned long last_bss = 0, elf_bss = 0;
74691- unsigned long error = ~0UL;
74692+ unsigned long error = -EINVAL;
74693 unsigned long total_size;
74694 int i;
74695
74696@@ -542,6 +569,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74697 goto out;
74698 }
74699
74700+#ifdef CONFIG_PAX_SEGMEXEC
74701+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
74702+ pax_task_size = SEGMEXEC_TASK_SIZE;
74703+#endif
74704+
74705 eppnt = interp_elf_phdata;
74706 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
74707 if (eppnt->p_type == PT_LOAD) {
74708@@ -565,8 +597,6 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74709 map_addr = elf_map(interpreter, load_addr + vaddr,
74710 eppnt, elf_prot, elf_type, total_size);
74711 total_size = 0;
74712- if (!*interp_map_addr)
74713- *interp_map_addr = map_addr;
74714 error = map_addr;
74715 if (BAD_ADDR(map_addr))
74716 goto out;
74717@@ -585,8 +615,8 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74718 k = load_addr + eppnt->p_vaddr;
74719 if (BAD_ADDR(k) ||
74720 eppnt->p_filesz > eppnt->p_memsz ||
74721- eppnt->p_memsz > TASK_SIZE ||
74722- TASK_SIZE - eppnt->p_memsz < k) {
74723+ eppnt->p_memsz > pax_task_size ||
74724+ pax_task_size - eppnt->p_memsz < k) {
74725 error = -ENOMEM;
74726 goto out;
74727 }
74728@@ -625,9 +655,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74729 elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
74730
74731 /* Map the last of the bss segment */
74732- error = vm_brk(elf_bss, last_bss - elf_bss);
74733- if (BAD_ADDR(error))
74734- goto out;
74735+ if (last_bss > elf_bss) {
74736+ error = vm_brk(elf_bss, last_bss - elf_bss);
74737+ if (BAD_ADDR(error))
74738+ goto out;
74739+ }
74740 }
74741
74742 error = load_addr;
74743@@ -635,6 +667,336 @@ out:
74744 return error;
74745 }
74746
74747+#ifdef CONFIG_PAX_PT_PAX_FLAGS
74748+#ifdef CONFIG_PAX_SOFTMODE
74749+static unsigned long pax_parse_pt_pax_softmode(const struct elf_phdr * const elf_phdata)
74750+{
74751+ unsigned long pax_flags = 0UL;
74752+
74753+#ifdef CONFIG_PAX_PAGEEXEC
74754+ if (elf_phdata->p_flags & PF_PAGEEXEC)
74755+ pax_flags |= MF_PAX_PAGEEXEC;
74756+#endif
74757+
74758+#ifdef CONFIG_PAX_SEGMEXEC
74759+ if (elf_phdata->p_flags & PF_SEGMEXEC)
74760+ pax_flags |= MF_PAX_SEGMEXEC;
74761+#endif
74762+
74763+#ifdef CONFIG_PAX_EMUTRAMP
74764+ if ((elf_phdata->p_flags & PF_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
74765+ pax_flags |= MF_PAX_EMUTRAMP;
74766+#endif
74767+
74768+#ifdef CONFIG_PAX_MPROTECT
74769+ if (elf_phdata->p_flags & PF_MPROTECT)
74770+ pax_flags |= MF_PAX_MPROTECT;
74771+#endif
74772+
74773+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74774+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
74775+ pax_flags |= MF_PAX_RANDMMAP;
74776+#endif
74777+
74778+ return pax_flags;
74779+}
74780+#endif
74781+
74782+static unsigned long pax_parse_pt_pax_hardmode(const struct elf_phdr * const elf_phdata)
74783+{
74784+ unsigned long pax_flags = 0UL;
74785+
74786+#ifdef CONFIG_PAX_PAGEEXEC
74787+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
74788+ pax_flags |= MF_PAX_PAGEEXEC;
74789+#endif
74790+
74791+#ifdef CONFIG_PAX_SEGMEXEC
74792+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
74793+ pax_flags |= MF_PAX_SEGMEXEC;
74794+#endif
74795+
74796+#ifdef CONFIG_PAX_EMUTRAMP
74797+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
74798+ pax_flags |= MF_PAX_EMUTRAMP;
74799+#endif
74800+
74801+#ifdef CONFIG_PAX_MPROTECT
74802+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
74803+ pax_flags |= MF_PAX_MPROTECT;
74804+#endif
74805+
74806+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74807+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
74808+ pax_flags |= MF_PAX_RANDMMAP;
74809+#endif
74810+
74811+ return pax_flags;
74812+}
74813+#endif
74814+
74815+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
74816+#ifdef CONFIG_PAX_SOFTMODE
74817+static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode)
74818+{
74819+ unsigned long pax_flags = 0UL;
74820+
74821+#ifdef CONFIG_PAX_PAGEEXEC
74822+ if (pax_flags_softmode & MF_PAX_PAGEEXEC)
74823+ pax_flags |= MF_PAX_PAGEEXEC;
74824+#endif
74825+
74826+#ifdef CONFIG_PAX_SEGMEXEC
74827+ if (pax_flags_softmode & MF_PAX_SEGMEXEC)
74828+ pax_flags |= MF_PAX_SEGMEXEC;
74829+#endif
74830+
74831+#ifdef CONFIG_PAX_EMUTRAMP
74832+ if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
74833+ pax_flags |= MF_PAX_EMUTRAMP;
74834+#endif
74835+
74836+#ifdef CONFIG_PAX_MPROTECT
74837+ if (pax_flags_softmode & MF_PAX_MPROTECT)
74838+ pax_flags |= MF_PAX_MPROTECT;
74839+#endif
74840+
74841+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74842+ if (randomize_va_space && (pax_flags_softmode & MF_PAX_RANDMMAP))
74843+ pax_flags |= MF_PAX_RANDMMAP;
74844+#endif
74845+
74846+ return pax_flags;
74847+}
74848+#endif
74849+
74850+static unsigned long pax_parse_xattr_pax_hardmode(unsigned long pax_flags_hardmode)
74851+{
74852+ unsigned long pax_flags = 0UL;
74853+
74854+#ifdef CONFIG_PAX_PAGEEXEC
74855+ if (!(pax_flags_hardmode & MF_PAX_PAGEEXEC))
74856+ pax_flags |= MF_PAX_PAGEEXEC;
74857+#endif
74858+
74859+#ifdef CONFIG_PAX_SEGMEXEC
74860+ if (!(pax_flags_hardmode & MF_PAX_SEGMEXEC))
74861+ pax_flags |= MF_PAX_SEGMEXEC;
74862+#endif
74863+
74864+#ifdef CONFIG_PAX_EMUTRAMP
74865+ if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP))
74866+ pax_flags |= MF_PAX_EMUTRAMP;
74867+#endif
74868+
74869+#ifdef CONFIG_PAX_MPROTECT
74870+ if (!(pax_flags_hardmode & MF_PAX_MPROTECT))
74871+ pax_flags |= MF_PAX_MPROTECT;
74872+#endif
74873+
74874+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74875+ if (randomize_va_space && !(pax_flags_hardmode & MF_PAX_RANDMMAP))
74876+ pax_flags |= MF_PAX_RANDMMAP;
74877+#endif
74878+
74879+ return pax_flags;
74880+}
74881+#endif
74882+
74883+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
74884+static unsigned long pax_parse_defaults(void)
74885+{
74886+ unsigned long pax_flags = 0UL;
74887+
74888+#ifdef CONFIG_PAX_SOFTMODE
74889+ if (pax_softmode)
74890+ return pax_flags;
74891+#endif
74892+
74893+#ifdef CONFIG_PAX_PAGEEXEC
74894+ pax_flags |= MF_PAX_PAGEEXEC;
74895+#endif
74896+
74897+#ifdef CONFIG_PAX_SEGMEXEC
74898+ pax_flags |= MF_PAX_SEGMEXEC;
74899+#endif
74900+
74901+#ifdef CONFIG_PAX_MPROTECT
74902+ pax_flags |= MF_PAX_MPROTECT;
74903+#endif
74904+
74905+#ifdef CONFIG_PAX_RANDMMAP
74906+ if (randomize_va_space)
74907+ pax_flags |= MF_PAX_RANDMMAP;
74908+#endif
74909+
74910+ return pax_flags;
74911+}
74912+
74913+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
74914+{
74915+ unsigned long pax_flags = PAX_PARSE_FLAGS_FALLBACK;
74916+
74917+#ifdef CONFIG_PAX_EI_PAX
74918+
74919+#ifdef CONFIG_PAX_SOFTMODE
74920+ if (pax_softmode)
74921+ return pax_flags;
74922+#endif
74923+
74924+ pax_flags = 0UL;
74925+
74926+#ifdef CONFIG_PAX_PAGEEXEC
74927+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
74928+ pax_flags |= MF_PAX_PAGEEXEC;
74929+#endif
74930+
74931+#ifdef CONFIG_PAX_SEGMEXEC
74932+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
74933+ pax_flags |= MF_PAX_SEGMEXEC;
74934+#endif
74935+
74936+#ifdef CONFIG_PAX_EMUTRAMP
74937+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
74938+ pax_flags |= MF_PAX_EMUTRAMP;
74939+#endif
74940+
74941+#ifdef CONFIG_PAX_MPROTECT
74942+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
74943+ pax_flags |= MF_PAX_MPROTECT;
74944+#endif
74945+
74946+#ifdef CONFIG_PAX_ASLR
74947+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
74948+ pax_flags |= MF_PAX_RANDMMAP;
74949+#endif
74950+
74951+#endif
74952+
74953+ return pax_flags;
74954+
74955+}
74956+
74957+static unsigned long pax_parse_pt_pax(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
74958+{
74959+
74960+#ifdef CONFIG_PAX_PT_PAX_FLAGS
74961+ unsigned long i;
74962+
74963+ for (i = 0UL; i < elf_ex->e_phnum; i++)
74964+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
74965+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
74966+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
74967+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
74968+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
74969+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
74970+ return PAX_PARSE_FLAGS_FALLBACK;
74971+
74972+#ifdef CONFIG_PAX_SOFTMODE
74973+ if (pax_softmode)
74974+ return pax_parse_pt_pax_softmode(&elf_phdata[i]);
74975+ else
74976+#endif
74977+
74978+ return pax_parse_pt_pax_hardmode(&elf_phdata[i]);
74979+ break;
74980+ }
74981+#endif
74982+
74983+ return PAX_PARSE_FLAGS_FALLBACK;
74984+}
74985+
74986+static unsigned long pax_parse_xattr_pax(struct file * const file)
74987+{
74988+
74989+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
74990+ ssize_t xattr_size, i;
74991+ unsigned char xattr_value[sizeof("pemrs") - 1];
74992+ unsigned long pax_flags_hardmode = 0UL, pax_flags_softmode = 0UL;
74993+
74994+ xattr_size = pax_getxattr(file->f_path.dentry, xattr_value, sizeof xattr_value);
74995+ if (xattr_size < 0 || xattr_size > sizeof xattr_value)
74996+ return PAX_PARSE_FLAGS_FALLBACK;
74997+
74998+ for (i = 0; i < xattr_size; i++)
74999+ switch (xattr_value[i]) {
75000+ default:
75001+ return PAX_PARSE_FLAGS_FALLBACK;
75002+
75003+#define parse_flag(option1, option2, flag) \
75004+ case option1: \
75005+ if (pax_flags_hardmode & MF_PAX_##flag) \
75006+ return PAX_PARSE_FLAGS_FALLBACK;\
75007+ pax_flags_hardmode |= MF_PAX_##flag; \
75008+ break; \
75009+ case option2: \
75010+ if (pax_flags_softmode & MF_PAX_##flag) \
75011+ return PAX_PARSE_FLAGS_FALLBACK;\
75012+ pax_flags_softmode |= MF_PAX_##flag; \
75013+ break;
75014+
75015+ parse_flag('p', 'P', PAGEEXEC);
75016+ parse_flag('e', 'E', EMUTRAMP);
75017+ parse_flag('m', 'M', MPROTECT);
75018+ parse_flag('r', 'R', RANDMMAP);
75019+ parse_flag('s', 'S', SEGMEXEC);
75020+
75021+#undef parse_flag
75022+ }
75023+
75024+ if (pax_flags_hardmode & pax_flags_softmode)
75025+ return PAX_PARSE_FLAGS_FALLBACK;
75026+
75027+#ifdef CONFIG_PAX_SOFTMODE
75028+ if (pax_softmode)
75029+ return pax_parse_xattr_pax_softmode(pax_flags_softmode);
75030+ else
75031+#endif
75032+
75033+ return pax_parse_xattr_pax_hardmode(pax_flags_hardmode);
75034+#else
75035+ return PAX_PARSE_FLAGS_FALLBACK;
75036+#endif
75037+
75038+}
75039+
75040+static long pax_parse_pax_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata, struct file * const file)
75041+{
75042+ unsigned long pax_flags, ei_pax_flags, pt_pax_flags, xattr_pax_flags;
75043+
75044+ pax_flags = pax_parse_defaults();
75045+ ei_pax_flags = pax_parse_ei_pax(elf_ex);
75046+ pt_pax_flags = pax_parse_pt_pax(elf_ex, elf_phdata);
75047+ xattr_pax_flags = pax_parse_xattr_pax(file);
75048+
75049+ if (pt_pax_flags != PAX_PARSE_FLAGS_FALLBACK &&
75050+ xattr_pax_flags != PAX_PARSE_FLAGS_FALLBACK &&
75051+ pt_pax_flags != xattr_pax_flags)
75052+ return -EINVAL;
75053+ if (xattr_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
75054+ pax_flags = xattr_pax_flags;
75055+ else if (pt_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
75056+ pax_flags = pt_pax_flags;
75057+ else if (ei_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
75058+ pax_flags = ei_pax_flags;
75059+
75060+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
75061+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
75062+ if ((__supported_pte_mask & _PAGE_NX))
75063+ pax_flags &= ~MF_PAX_SEGMEXEC;
75064+ else
75065+ pax_flags &= ~MF_PAX_PAGEEXEC;
75066+ }
75067+#endif
75068+
75069+ if (0 > pax_check_flags(&pax_flags))
75070+ return -EINVAL;
75071+
75072+ current->mm->pax_flags = pax_flags;
75073+ return 0;
75074+}
75075+#endif
75076+
75077 /*
75078 * These are the functions used to load ELF style executables and shared
75079 * libraries. There is no binary dependent code anywhere else.
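Review bot: `pax_parse_pt_pax_hardmode()` and `pax_parse_xattr_pax_hardmode()` set `MF_PAX_EMUTRAMP` whenever the opt-out bit is absent, whereas `pax_parse_defaults()` never sets it and the softmode and `EI_PAX` parsers set it only on an explicit request with PAGEEXEC or SEGMEXEC active. A binary whose `PT_PAX_FLAGS` header or xattr simply omits the EMUTRAMP marking therefore gets trampoline emulation that an unmarked binary does not, unless `pax_check_flags()` (not in this hunk) corrects it. If that is intended, it deserves a comment at both hardmode parsers. `pax_parse_pax_flags()` should also carry a header comment stating the precedence it implements, e.g. `/* xattr flags override PT_PAX_FLAGS, which override EI_PAX, which overrides the built-in defaults; differing xattr and PT_PAX results return -EINVAL */`.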
75080@@ -648,6 +1010,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
75081 {
75082 unsigned long random_variable = 0;
75083
75084+#ifdef CONFIG_PAX_RANDUSTACK
75085+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
75086+ return stack_top - current->mm->delta_stack;
75087+#endif
75088+
75089 if ((current->flags & PF_RANDOMIZE) &&
75090 !(current->personality & ADDR_NO_RANDOMIZE)) {
75091 random_variable = (unsigned long) get_random_int();
75092@@ -667,7 +1034,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
75093 unsigned long load_addr = 0, load_bias = 0;
75094 int load_addr_set = 0;
75095 char * elf_interpreter = NULL;
75096- unsigned long error;
75097+ unsigned long error = 0;
75098 struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
75099 unsigned long elf_bss, elf_brk;
75100 int retval, i;
75101@@ -682,6 +1049,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
75102 struct elfhdr interp_elf_ex;
75103 } *loc;
75104 struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
75105+ unsigned long pax_task_size;
75106
75107 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
75108 if (!loc) {
75109@@ -840,6 +1208,77 @@ static int load_elf_binary(struct linux_binprm *bprm)
75110 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
75111 may depend on the personality. */
75112 SET_PERSONALITY2(loc->elf_ex, &arch_state);
75113+
75114+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
75115+ current->mm->pax_flags = 0UL;
75116+#endif
75117+
75118+#ifdef CONFIG_PAX_DLRESOLVE
75119+ current->mm->call_dl_resolve = 0UL;
75120+#endif
75121+
75122+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
75123+ current->mm->call_syscall = 0UL;
75124+#endif
75125+
75126+#ifdef CONFIG_PAX_ASLR
75127+ current->mm->delta_mmap = 0UL;
75128+ current->mm->delta_stack = 0UL;
75129+#endif
75130+
75131+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
75132+ if (0 > pax_parse_pax_flags(&loc->elf_ex, elf_phdata, bprm->file)) {
75133+ retval = -EINVAL;
75134+ goto out_free_dentry;
75135+ }
75136+#endif
75137+
75138+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
75139+ pax_set_initial_flags(bprm);
75140+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
75141+ if (pax_set_initial_flags_func)
75142+ (pax_set_initial_flags_func)(bprm);
75143+#endif
75144+
75145+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
75146+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
75147+ current->mm->context.user_cs_limit = PAGE_SIZE;
75148+ current->mm->def_flags |= VM_PAGEEXEC | VM_NOHUGEPAGE;
75149+ }
75150+#endif
75151+
75152+#ifdef CONFIG_PAX_SEGMEXEC
75153+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
75154+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
75155+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
75156+ pax_task_size = SEGMEXEC_TASK_SIZE;
75157+ current->mm->def_flags |= VM_NOHUGEPAGE;
75158+ } else
75159+#endif
75160+
75161+ pax_task_size = TASK_SIZE;
75162+
75163+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
75164+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
75165+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
75166+ put_cpu();
75167+ }
75168+#endif
75169+
75170+#ifdef CONFIG_PAX_ASLR
75171+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
75172+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
75173+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
75174+ }
75175+#endif
75176+
75177+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
75178+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
75179+ executable_stack = EXSTACK_DISABLE_X;
75180+ current->personality &= ~READ_IMPLIES_EXEC;
75181+ } else
75182+#endif
75183+
75184 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
75185 current->personality |= READ_IMPLIES_EXEC;
75186
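Review bot: Two of the added blocks in `load_elf_binary()` end in a bare `} else` immediately before `#endif`, so the statement the `else` governs lies outside the conditional block and after a blank line. For the `CONFIG_PAX_SEGMEXEC` block that statement is `pax_task_size = TASK_SIZE;`, and for the PAGEEXEC/SEGMEXEC block it is the existing `if (elf_read_implies_exec(...))`. Any statement later inserted between the `#endif` and that line would silently become the `else` body; in the second case the `READ_IMPLIES_EXEC` assignment would then run even for tasks where the block had just cleared it. For the first block, assigning `pax_task_size = TASK_SIZE;` unconditionally before the `#ifdef` and dropping the trailing `else` removes the dependency on layout. For the second, a comment such as `/* else-branch is the statement after the #endif */` is the minimum. The function begins and ends outside this hunk.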
75187@@ -915,8 +1354,21 @@ static int load_elf_binary(struct linux_binprm *bprm)
75188 if (current->flags & PF_RANDOMIZE)
75189 load_bias += arch_mmap_rnd();
75190 load_bias = ELF_PAGESTART(load_bias);
75191- total_size = total_mapping_size(elf_phdata,
75192- loc->elf_ex.e_phnum);
75193+
75194+#ifdef CONFIG_PAX_RANDMMAP
75195+ /* PaX: randomize base address at the default exe base if requested */
75196+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
75197+#ifdef CONFIG_SPARC64
75198+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
75199+#else
75200+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
75201+#endif
75202+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
75203+ elf_flags |= MAP_FIXED;
75204+ }
75205+#endif
75206+
75207+ total_size = total_mapping_size(elf_phdata, loc->elf_ex.e_phnum);
75208 if (!total_size) {
75209 retval = -EINVAL;
75210 goto out_free_dentry;
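Review bot: The added `CONFIG_PAX_RANDMMAP` block discards the `load_bias` computed just above, including the `arch_mmap_rnd()` contribution, and replaces it only when `elf_interpreter` is set. Neither that condition nor the `PAGE_SHIFT+1` shift used for `CONFIG_SPARC64` is explained. A comment such as `/* binaries without an interpreter keep the generic bias computed above */`, plus a one-line reason for the extra shift bit on sparc64, would let a reader check the resulting entropy and alignment. The two `load_bias =` lines differ only in the shift amount, so selecting the shift once under the `#ifdef` would remove the duplicated expression. The enclosing function starts and ends outside this hunk.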
75211@@ -952,9 +1404,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
75212 * allowed task size. Note that p_filesz must always be
75213 * <= p_memsz so it is only necessary to check p_memsz.
75214 */
75215- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
75216- elf_ppnt->p_memsz > TASK_SIZE ||
75217- TASK_SIZE - elf_ppnt->p_memsz < k) {
75218+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
75219+ elf_ppnt->p_memsz > pax_task_size ||
75220+ pax_task_size - elf_ppnt->p_memsz < k) {
75221 /* set_brk can never work. Avoid overflows. */
75222 retval = -EINVAL;
75223 goto out_free_dentry;
75224@@ -990,16 +1442,43 @@ static int load_elf_binary(struct linux_binprm *bprm)
75225 if (retval)
75226 goto out_free_dentry;
75227 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
75228- retval = -EFAULT; /* Nobody gets to see this, but.. */
75229- goto out_free_dentry;
75230+ /*
75231+ * This bss-zeroing can fail if the ELF
75232+ * file specifies odd protections. So
75233+ * we don't check the return value
75234+ */
75235 }
75236
75237+#ifdef CONFIG_PAX_RANDMMAP
75238+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
75239+ unsigned long start, size, flags;
75240+ vm_flags_t vm_flags;
75241+
75242+ start = ELF_PAGEALIGN(elf_brk);
75243+ size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
75244+ flags = MAP_FIXED | MAP_PRIVATE;
75245+ vm_flags = VM_DONTEXPAND | VM_DONTDUMP;
75246+
75247+ down_write(&current->mm->mmap_sem);
75248+ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
75249+ retval = -ENOMEM;
75250+ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
75251+// if (current->personality & ADDR_NO_RANDOMIZE)
75252+// vm_flags |= VM_READ | VM_MAYREAD;
75253+ start = mmap_region(NULL, start, PAGE_ALIGN(size), vm_flags, 0);
75254+ retval = IS_ERR_VALUE(start) ? start : 0;
75255+ }
75256+ up_write(&current->mm->mmap_sem);
75257+ if (retval == 0)
75258+ retval = set_brk(start + size, start + size + PAGE_SIZE);
75259+ if (retval < 0)
75260+ goto out_free_dentry;
75261+ }
75262+#endif
75263+
75264 if (elf_interpreter) {
75265- unsigned long interp_map_addr = 0;
75266-
75267 elf_entry = load_elf_interp(&loc->interp_elf_ex,
75268 interpreter,
75269- &interp_map_addr,
75270 load_bias, interp_elf_phdata);
75271 if (!IS_ERR((void *)elf_entry)) {
75272 /*
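Review bot: The added RANDMMAP block carries two `//`-commented lines (`if (current->personality & ADDR_NO_RANDOMIZE)` and `vm_flags |= VM_READ | VM_MAYREAD;`) with no explanation, and the gap size is built from the bare constants `22` and `4`. Dead code inside a hardening path leaves readers guessing whether a readable gap is still meant to be supported; either delete it or replace it with a sentence saying why the region is mapped with only `VM_DONTEXPAND | VM_DONTDUMP`. Naming the constants, or a comment like `/* random gap of up to 64 MiB in 16-byte steps, placed before the heap start */`, would make the intended entropy checkable. The function starts and ends outside this hunk.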
75273@@ -1050,6 +1529,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
75274 current->mm->end_data = end_data;
75275 current->mm->start_stack = bprm->p;
75276
75277+#ifndef CONFIG_PAX_RANDMMAP
75278 if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
75279 current->mm->brk = current->mm->start_brk =
75280 arch_randomize_brk(current->mm);
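Review bot: The `#ifndef CONFIG_PAX_RANDMMAP` guard (closed by the `#endif` in the next hunk) removes the stock `arch_randomize_brk()` step at build time, while the PaX replacement earlier in `load_elf_binary()` runs only when `current->mm->pax_flags & MF_PAX_RANDMMAP` is set at run time. On a kernel built with `CONFIG_PAX_RANDMMAP`, a task whose flags have RANDMMAP switched off therefore appears to get no heap-start randomization at all, even if `PF_RANDOMIZE` is set. If that is the intended meaning of opting out, a comment such as `/* with PAX_RANDMMAP built in, brk placement is handled by the gap mapping above or deliberately left unrandomized */` should say so. Otherwise the stock path could be kept as a run-time fallback for tasks without `MF_PAX_RANDMMAP`.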
75281@@ -1057,6 +1537,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
75282 current->brk_randomized = 1;
75283 #endif
75284 }
75285+#endif
75286
75287 if (current->personality & MMAP_PAGE_ZERO) {
75288 /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
75289@@ -1225,7 +1706,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
75290 * Decide what to dump of a segment, part, all or none.
75291 */
75292 static unsigned long vma_dump_size(struct vm_area_struct *vma,
75293- unsigned long mm_flags)
75294+ unsigned long mm_flags, long signr)
75295 {
75296 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
75297
75298@@ -1263,7 +1744,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
75299 if (vma->vm_file == NULL)
75300 return 0;
75301
75302- if (FILTER(MAPPED_PRIVATE))
75303+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
75304 goto whole;
75305
75306 /*
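Review bot: The new `signr == SIGKILL` test in `vma_dump_size()` makes every file-backed mapping that reaches this point be dumped whole, regardless of the `MAPPED_PRIVATE` bit of the coredump filter, and there is no comment explaining why SIGKILL is special. Since this widens what is written to core files beyond what the configured filter asked for, the reason and scope should be recorded, e.g. `/* SIGKILL-triggered dumps ignore the private-mapping filter so the full image is kept for analysis */` if that is the intent. The parameter is declared `long signr` in the previous hunk while the caller in `elf_core_dump()` passes `cprm->siginfo->si_signo`; declaring it `int` would match the source field and the `SIGKILL` constant.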
75307@@ -1363,7 +1844,7 @@ static void fill_elf_header(struct elfhdr *elf, int segs,
75308 return;
75309 }
75310
75311-static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
75312+static void fill_elf_note_phdr(struct elf_phdr *phdr, size_t sz, loff_t offset)
75313 {
75314 phdr->p_type = PT_NOTE;
75315 phdr->p_offset = offset;
75316@@ -1470,9 +1951,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
75317 {
75318 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
75319 int i = 0;
75320- do
75321+ do {
75322 i += 2;
75323- while (auxv[i - 2] != AT_NULL);
75324+ } while (auxv[i - 2] != AT_NULL);
75325 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
75326 }
75327
75328@@ -1481,7 +1962,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
75329 {
75330 mm_segment_t old_fs = get_fs();
75331 set_fs(KERNEL_DS);
75332- copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo);
75333+ copy_siginfo_to_user((user_siginfo_t __force_user *) csigdata, siginfo);
75334 set_fs(old_fs);
75335 fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
75336 }
75337@@ -2201,7 +2682,7 @@ static int elf_core_dump(struct coredump_params *cprm)
75338 vma = next_vma(vma, gate_vma)) {
75339 unsigned long dump_size;
75340
75341- dump_size = vma_dump_size(vma, cprm->mm_flags);
75342+ dump_size = vma_dump_size(vma, cprm->mm_flags, cprm->siginfo->si_signo);
75343 vma_filesz[i++] = dump_size;
75344 vma_data_size += dump_size;
75345 }
75346@@ -2309,6 +2790,167 @@ out:
75347
75348 #endif /* CONFIG_ELF_CORE */
75349
75350+#ifdef CONFIG_PAX_MPROTECT
75351+/* PaX: non-PIC ELF libraries need relocations on their executable segments
75352+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
75353+ * we'll remove VM_MAYWRITE for good on RELRO segments.
75354+ *
75355+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
75356+ * basis because we want to allow the common case and not the special ones.
75357+ */
75358+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
75359+{
75360+ struct elfhdr elf_h;
75361+ struct elf_phdr elf_p;
75362+ unsigned long i;
75363+ unsigned long oldflags;
75364+ bool is_textrel_rw, is_textrel_rx, is_relro;
75365+
75366+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT) || !vma->vm_file)
75367+ return;
75368+
75369+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
75370+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
75371+
75372+#ifdef CONFIG_PAX_ELFRELOCS
75373+ /* possible TEXTREL */
75374+ is_textrel_rw = !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
75375+ is_textrel_rx = vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
75376+#else
75377+ is_textrel_rw = false;
75378+ is_textrel_rx = false;
75379+#endif
75380+
75381+ /* possible RELRO */
75382+ is_relro = vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
75383+
75384+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
75385+ return;
75386+
75387+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
75388+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
75389+
75390+#ifdef CONFIG_PAX_ETEXECRELOCS
75391+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
75392+#else
75393+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
75394+#endif
75395+
75396+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
75397+ !elf_check_arch(&elf_h) ||
75398+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
75399+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
75400+ return;
75401+
75402+ for (i = 0UL; i < elf_h.e_phnum; i++) {
75403+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
75404+ return;
75405+ switch (elf_p.p_type) {
75406+ case PT_DYNAMIC:
75407+ if (!is_textrel_rw && !is_textrel_rx)
75408+ continue;
75409+ i = 0UL;
75410+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
75411+ elf_dyn dyn;
75412+
75413+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
75414+ break;
75415+ if (dyn.d_tag == DT_NULL)
75416+ break;
75417+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
75418+ gr_log_textrel(vma, is_textrel_rw);
75419+ if (is_textrel_rw)
75420+ vma->vm_flags |= VM_MAYWRITE;
75421+ else
75422+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
75423+ vma->vm_flags &= ~VM_MAYWRITE;
75424+ break;
75425+ }
75426+ i++;
75427+ }
75428+ is_textrel_rw = false;
75429+ is_textrel_rx = false;
75430+ continue;
75431+
75432+ case PT_GNU_RELRO:
75433+ if (!is_relro)
75434+ continue;
75435+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
75436+ vma->vm_flags &= ~VM_MAYWRITE;
75437+ is_relro = false;
75438+ continue;
75439+
75440+#ifdef CONFIG_PAX_PT_PAX_FLAGS
75441+ case PT_PAX_FLAGS: {
75442+ const char *msg_mprotect = "", *msg_emutramp = "";
75443+ char *buffer_lib, *buffer_exe;
75444+
75445+ if (elf_p.p_flags & PF_NOMPROTECT)
75446+ msg_mprotect = "MPROTECT disabled";
75447+
75448+#ifdef CONFIG_PAX_EMUTRAMP
75449+ if (!(vma->vm_mm->pax_flags & MF_PAX_EMUTRAMP) && !(elf_p.p_flags & PF_NOEMUTRAMP))
75450+ msg_emutramp = "EMUTRAMP enabled";
75451+#endif
75452+
75453+ if (!msg_mprotect[0] && !msg_emutramp[0])
75454+ continue;
75455+
75456+ if (!printk_ratelimit())
75457+ continue;
75458+
75459+ buffer_lib = (char *)__get_free_page(GFP_KERNEL);
75460+ buffer_exe = (char *)__get_free_page(GFP_KERNEL);
75461+ if (buffer_lib && buffer_exe) {
75462+ char *path_lib, *path_exe;
75463+
75464+ path_lib = pax_get_path(&vma->vm_file->f_path, buffer_lib, PAGE_SIZE);
75465+ path_exe = pax_get_path(&vma->vm_mm->exe_file->f_path, buffer_exe, PAGE_SIZE);
75466+
75467+ pr_info("PAX: %s wants %s%s%s on %s\n", path_lib, msg_mprotect,
75468+ (msg_mprotect[0] && msg_emutramp[0] ? " and " : ""), msg_emutramp, path_exe);
75469+
75470+ }
75471+ free_page((unsigned long)buffer_exe);
75472+ free_page((unsigned long)buffer_lib);
75473+ continue;
75474+ }
75475+#endif
75476+
75477+ }
75478+ }
75479+}
75480+#endif
75481+
75482+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
75483+
75484+extern int grsec_enable_log_rwxmaps;
75485+
75486+static void elf_handle_mmap(struct file *file)
75487+{
75488+ struct elfhdr elf_h;
75489+ struct elf_phdr elf_p;
75490+ unsigned long i;
75491+
75492+ if (!grsec_enable_log_rwxmaps)
75493+ return;
75494+
75495+ if (sizeof(elf_h) != kernel_read(file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
75496+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
75497+ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) || !elf_check_arch(&elf_h) ||
75498+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
75499+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
75500+ return;
75501+
75502+ for (i = 0UL; i < elf_h.e_phnum; i++) {
75503+ if (sizeof(elf_p) != kernel_read(file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
75504+ return;
75505+ if (elf_p.p_type == PT_GNU_STACK && (elf_p.p_flags & PF_X))
75506+ gr_log_ptgnustack(file);
75507+ }
75508+}
75509+#endif
75510+
75511 static int __init init_elf_binfmt(void)
75512 {
75513 register_binfmt(&elf_format);
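Review bot: In elf_handle_mprotect the `PT_DYNAMIC` case reuses the program-header counter `i` for the dynamic-entry scan (`i = 0UL; while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz)`) and then executes `continue`, so the outer `for` resumes from wherever the inner scan stopped. Depending on how many dynamic entries were read, later program headers are skipped or earlier ones are visited again, which affects at least the `PT_PAX_FLAGS` logging case. A separate index for the inner scan, as below, keeps the two walks independent. Separately, the `PT_PAX_FLAGS` branch reads `vma->vm_mm->exe_file->f_path` with no NULL check or held reference visible, and passes the results of pax_get_path() straight to `pr_info`; pax_get_path() is defined outside this hunk, so whether it can return an error pointer should be confirmed.

```c
	unsigned long i, j;
	/* … unchanged: flag classification, ELF header checks, program-header loop on i … */
		case PT_DYNAMIC:
			/* … unchanged: is_textrel_rw / is_textrel_rx guard … */
			j = 0UL;
			while ((j+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
				elf_dyn dyn;

				if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + j*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
					break;
				/* … unchanged: DT_NULL and DT_TEXTREL handling … */
				j++;
			}
```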
75514diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
75515index d3634bf..10fc244 100644
75516--- a/fs/binfmt_elf_fdpic.c
75517+++ b/fs/binfmt_elf_fdpic.c
75518@@ -1296,7 +1296,7 @@ static inline void fill_elf_fdpic_header(struct elfhdr *elf, int segs)
75519 return;
75520 }
75521
75522-static inline void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
75523+static inline void fill_elf_note_phdr(struct elf_phdr *phdr, size_t sz, loff_t offset)
75524 {
75525 phdr->p_type = PT_NOTE;
75526 phdr->p_offset = offset;
75527@@ -1667,7 +1667,7 @@ static int elf_fdpic_core_dump(struct coredump_params *cprm)
75528
75529 /* Write notes phdr entry */
75530 {
75531- int sz = 0;
75532+ size_t sz = 0;
75533
75534 for (i = 0; i < numnote; i++)
75535 sz += notesize(notes + i);
75536diff --git a/fs/block_dev.c b/fs/block_dev.c
75537index 1982437..dc80c28 100644
75538--- a/fs/block_dev.c
75539+++ b/fs/block_dev.c
75540@@ -738,7 +738,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
75541 else if (bdev->bd_contains == bdev)
75542 return true; /* is a whole device which isn't held */
75543
75544- else if (whole->bd_holder == bd_may_claim)
75545+ else if (whole->bd_holder == (void *)bd_may_claim)
75546 return true; /* is a partition of a device that is being partitioned */
75547 else if (whole->bd_holder != NULL)
75548 return false; /* is a partition of a held device */
75549diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
75550index 54114b4..580cfc9 100644
75551--- a/fs/btrfs/ctree.c
75552+++ b/fs/btrfs/ctree.c
75553@@ -1180,9 +1180,12 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans,
75554 free_extent_buffer(buf);
75555 add_root_to_dirty_list(root);
75556 } else {
75557- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
75558- parent_start = parent->start;
75559- else
75560+ if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
75561+ if (parent)
75562+ parent_start = parent->start;
75563+ else
75564+ parent_start = 0;
75565+ } else
75566 parent_start = 0;
75567
75568 WARN_ON(trans->transid != btrfs_header_generation(parent));
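Review bot: The added `if (parent)` guard covers only the `parent_start` assignment; the context line `WARN_ON(trans->transid != btrfs_header_generation(parent));` directly after it still passes `parent` on unconditionally. If `parent` can really be NULL on this branch the function presumably faults one statement later, so either the guard is unnecessary or the later uses need the same check. btrfs_header_generation() and the rest of __btrfs_cow_block are outside the hunk, so this should be confirmed there. If the guard stays, the nested form collapses to `if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent)` with the existing single `else parent_start = 0;`.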
75569diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
75570index a2ae427..53c2e98 100644
75571--- a/fs/btrfs/delayed-inode.c
75572+++ b/fs/btrfs/delayed-inode.c
75573@@ -462,7 +462,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node,
75574
75575 static void finish_one_item(struct btrfs_delayed_root *delayed_root)
75576 {
75577- int seq = atomic_inc_return(&delayed_root->items_seq);
75578+ int seq = atomic_inc_return_unchecked(&delayed_root->items_seq);
75579 if ((atomic_dec_return(&delayed_root->items) <
75580 BTRFS_DELAYED_BACKGROUND || seq % BTRFS_DELAYED_BATCH == 0) &&
75581 waitqueue_active(&delayed_root->wait))
75582@@ -1412,7 +1412,7 @@ void btrfs_assert_delayed_root_empty(struct btrfs_root *root)
75583
75584 static int could_end_wait(struct btrfs_delayed_root *delayed_root, int seq)
75585 {
75586- int val = atomic_read(&delayed_root->items_seq);
75587+ int val = atomic_read_unchecked(&delayed_root->items_seq);
75588
75589 if (val < seq || val >= seq + BTRFS_DELAYED_BATCH)
75590 return 1;
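Review bot: could_end_wait compares `val` with `seq + BTRFS_DELAYED_BATCH` in signed `int`, and with `items_seq` now read through `atomic_read_unchecked` the counter is explicitly allowed to wrap, yet nothing here says that wraparound is intended. A comment on the read would help, for example `/* items_seq is a free-running sequence number, not a reference count; it is expected to wrap */`. The same applies to the `atomic_inc_return_unchecked` in finish_one_item and the read in btrfs_balance_delayed_items in the neighbouring hunks. Whether the range comparison behaves acceptably across the wrap depends on the waiters outside this hunk and should be confirmed.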
75591@@ -1437,7 +1437,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root)
75592 int seq;
75593 int ret;
75594
75595- seq = atomic_read(&delayed_root->items_seq);
75596+ seq = atomic_read_unchecked(&delayed_root->items_seq);
75597
75598 ret = btrfs_wq_run_delayed_node(delayed_root, fs_info, 0);
75599 if (ret)
75600diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
75601index f70119f..ab5894d 100644
75602--- a/fs/btrfs/delayed-inode.h
75603+++ b/fs/btrfs/delayed-inode.h
75604@@ -43,7 +43,7 @@ struct btrfs_delayed_root {
75605 */
75606 struct list_head prepare_list;
75607 atomic_t items; /* for delayed items */
75608- atomic_t items_seq; /* for delayed items */
75609+ atomic_unchecked_t items_seq; /* for delayed items */
75610 int nodes; /* for delayed nodes */
75611 wait_queue_head_t wait;
75612 };
75613@@ -90,7 +90,7 @@ static inline void btrfs_init_delayed_root(
75614 struct btrfs_delayed_root *delayed_root)
75615 {
75616 atomic_set(&delayed_root->items, 0);
75617- atomic_set(&delayed_root->items_seq, 0);
75618+ atomic_set_unchecked(&delayed_root->items_seq, 0);
75619 delayed_root->nodes = 0;
75620 spin_lock_init(&delayed_root->lock);
75621 init_waitqueue_head(&delayed_root->wait);
75622diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
75623index cd7ef34..1e31ae3 100644
75624--- a/fs/btrfs/super.c
75625+++ b/fs/btrfs/super.c
75626@@ -265,7 +265,7 @@ void __btrfs_abort_transaction(struct btrfs_trans_handle *trans,
75627 function, line, errstr);
75628 return;
75629 }
75630- ACCESS_ONCE(trans->transaction->aborted) = errno;
75631+ ACCESS_ONCE_RW(trans->transaction->aborted) = errno;
75632 /* Wake up anybody who may be waiting on this transaction */
75633 wake_up(&root->fs_info->transaction_wait);
75634 wake_up(&root->fs_info->transaction_blocked_wait);
75635diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
75636index 603b0cc..8e3f600 100644
75637--- a/fs/btrfs/sysfs.c
75638+++ b/fs/btrfs/sysfs.c
75639@@ -481,7 +481,7 @@ static int addrm_unknown_feature_attrs(struct btrfs_fs_info *fs_info, bool add)
75640 for (set = 0; set < FEAT_MAX; set++) {
75641 int i;
75642 struct attribute *attrs[2];
75643- struct attribute_group agroup = {
75644+ attribute_group_no_const agroup = {
75645 .name = "features",
75646 .attrs = attrs,
75647 };
75648diff --git a/fs/btrfs/tests/free-space-tests.c b/fs/btrfs/tests/free-space-tests.c
75649index 2299bfd..4098e72 100644
75650--- a/fs/btrfs/tests/free-space-tests.c
75651+++ b/fs/btrfs/tests/free-space-tests.c
75652@@ -463,7 +463,9 @@ test_steal_space_from_bitmap_to_extent(struct btrfs_block_group_cache *cache)
75653 * extent entry.
75654 */
75655 use_bitmap_op = cache->free_space_ctl->op->use_bitmap;
75656- cache->free_space_ctl->op->use_bitmap = test_use_bitmap;
75657+ pax_open_kernel();
75658+ *(void **)&cache->free_space_ctl->op->use_bitmap = test_use_bitmap;
75659+ pax_close_kernel();
75660
75661 /*
75662 * Extent entry covering free space range [128Mb - 256Kb, 128Mb - 128Kb[
75663@@ -870,7 +872,9 @@ test_steal_space_from_bitmap_to_extent(struct btrfs_block_group_cache *cache)
75664 if (ret)
75665 return ret;
75666
75667- cache->free_space_ctl->op->use_bitmap = use_bitmap_op;
75668+ pax_open_kernel();
75669+ *(void **)&cache->free_space_ctl->op->use_bitmap = use_bitmap_op;
75670+ pax_close_kernel();
75671 __btrfs_remove_free_space_cache(cache->free_space_ctl);
75672
75673 return 0;
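Review bot: The restore of `op->use_bitmap` sits after the `if (ret) return ret;` shown just above it in this hunk, so a failing step returns with the ops structure still pointing at `test_use_bitmap`. Error returns between this hunk and the earlier one that installs the hook are not visible and should be checked the same way; a single exit label that performs the restore inside the `pax_open_kernel()`/`pax_close_kernel()` pair would cover all of them. The `*(void **)&` cast in both hunks also removes the function-pointer type check. A short comment such as `/* ops table is not writable here; patch the hook through the PaX open/close window */` would say why the cast is needed, assuming that is the reason.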
75674diff --git a/fs/btrfs/tree-log.h b/fs/btrfs/tree-log.h
75675index 6916a78..4598936 100644
75676--- a/fs/btrfs/tree-log.h
75677+++ b/fs/btrfs/tree-log.h
75678@@ -45,7 +45,7 @@ static inline void btrfs_init_log_ctx(struct btrfs_log_ctx *ctx)
75679 static inline void btrfs_set_log_full_commit(struct btrfs_fs_info *fs_info,
75680 struct btrfs_trans_handle *trans)
75681 {
75682- ACCESS_ONCE(fs_info->last_trans_log_full_commit) = trans->transid;
75683+ ACCESS_ONCE_RW(fs_info->last_trans_log_full_commit) = trans->transid;
75684 }
75685
75686 static inline int btrfs_need_log_full_commit(struct btrfs_fs_info *fs_info,
75687diff --git a/fs/buffer.c b/fs/buffer.c
75688index 1cf7a53..b49f8c0 100644
75689--- a/fs/buffer.c
75690+++ b/fs/buffer.c
75691@@ -3440,7 +3440,7 @@ void __init buffer_init(void)
75692 bh_cachep = kmem_cache_create("buffer_head",
75693 sizeof(struct buffer_head), 0,
75694 (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC|
75695- SLAB_MEM_SPREAD),
75696+ SLAB_MEM_SPREAD|SLAB_NO_SANITIZE),
75697 NULL);
75698
75699 /*
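Review bot: `SLAB_NO_SANITIZE` is added to the `buffer_head` cache with no comment, so the reason this cache is exempt from sanitization on free is not recorded next to the flag. A line above the call such as `/* SLAB_NO_SANITIZE: <reason for the exemption, e.g. allocation rate or absence of sensitive fields> */` would let a later reviewer re-check the trade-off. The rationale itself is not stated anywhere in this hunk.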
75700diff --git a/fs/cachefiles/bind.c b/fs/cachefiles/bind.c
75701index 6af790f..ec4c1e6 100644
75702--- a/fs/cachefiles/bind.c
75703+++ b/fs/cachefiles/bind.c
75704@@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachefiles_cache *cache, char *args)
75705 args);
75706
75707 /* start by checking things over */
75708- ASSERT(cache->fstop_percent >= 0 &&
75709- cache->fstop_percent < cache->fcull_percent &&
75710+ ASSERT(cache->fstop_percent < cache->fcull_percent &&
75711 cache->fcull_percent < cache->frun_percent &&
75712 cache->frun_percent < 100);
75713
75714- ASSERT(cache->bstop_percent >= 0 &&
75715- cache->bstop_percent < cache->bcull_percent &&
75716+ ASSERT(cache->bstop_percent < cache->bcull_percent &&
75717 cache->bcull_percent < cache->brun_percent &&
75718 cache->brun_percent < 100);
75719
75720diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
75721index f601def..b2cf704 100644
75722--- a/fs/cachefiles/daemon.c
75723+++ b/fs/cachefiles/daemon.c
75724@@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(struct file *file, char __user *_buffer,
75725 if (n > buflen)
75726 return -EMSGSIZE;
75727
75728- if (copy_to_user(_buffer, buffer, n) != 0)
75729+ if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
75730 return -EFAULT;
75731
75732 return n;
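Review bot: The new `n > sizeof(buffer)` test is folded into the `-EFAULT` branch, so an over-long formatted length is reported to the daemon as a bad user pointer instead of as a size error like the `-EMSGSIZE` check just above. The declaration of `buffer` and the call that produces `n` are outside the hunk; if `n` comes from snprintf(), a value equal to `sizeof(buffer)` already means the output was truncated, and `>=` would be the tighter bound. A separate check before the copy, `if (n >= sizeof(buffer)) return -EMSGSIZE;`, would keep the two failure modes apart.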
75733@@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(struct file *file,
75734 if (test_bit(CACHEFILES_DEAD, &cache->flags))
75735 return -EIO;
75736
75737- if (datalen < 0 || datalen > PAGE_SIZE - 1)
75738+ if (datalen > PAGE_SIZE - 1)
75739 return -EOPNOTSUPP;
75740
75741 /* drag the command string into the kernel so we can parse it */
75742@@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struct cachefiles_cache *cache, char *args)
75743 if (args[0] != '%' || args[1] != '\0')
75744 return -EINVAL;
75745
75746- if (fstop < 0 || fstop >= cache->fcull_percent)
75747+ if (fstop >= cache->fcull_percent)
75748 return cachefiles_daemon_range_error(cache, args);
75749
75750 cache->fstop_percent = fstop;
75751@@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struct cachefiles_cache *cache, char *args)
75752 if (args[0] != '%' || args[1] != '\0')
75753 return -EINVAL;
75754
75755- if (bstop < 0 || bstop >= cache->bcull_percent)
75756+ if (bstop >= cache->bcull_percent)
75757 return cachefiles_daemon_range_error(cache, args);
75758
75759 cache->bstop_percent = bstop;
75760diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
75761index aecd085..3584e2f 100644
75762--- a/fs/cachefiles/internal.h
75763+++ b/fs/cachefiles/internal.h
75764@@ -65,7 +65,7 @@ struct cachefiles_cache {
75765 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
75766 struct rb_root active_nodes; /* active nodes (can't be culled) */
75767 rwlock_t active_lock; /* lock for active_nodes */
75768- atomic_t gravecounter; /* graveyard uniquifier */
75769+ atomic_unchecked_t gravecounter; /* graveyard uniquifier */
75770 unsigned frun_percent; /* when to stop culling (% files) */
75771 unsigned fcull_percent; /* when to start culling (% files) */
75772 unsigned fstop_percent; /* when to stop allocating (% files) */
75773@@ -177,19 +177,19 @@ extern int cachefiles_check_in_use(struct cachefiles_cache *cache,
75774 * proc.c
75775 */
75776 #ifdef CONFIG_CACHEFILES_HISTOGRAM
75777-extern atomic_t cachefiles_lookup_histogram[HZ];
75778-extern atomic_t cachefiles_mkdir_histogram[HZ];
75779-extern atomic_t cachefiles_create_histogram[HZ];
75780+extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
75781+extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
75782+extern atomic_unchecked_t cachefiles_create_histogram[HZ];
75783
75784 extern int __init cachefiles_proc_init(void);
75785 extern void cachefiles_proc_cleanup(void);
75786 static inline
75787-void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
75788+void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
75789 {
75790 unsigned long jif = jiffies - start_jif;
75791 if (jif >= HZ)
75792 jif = HZ - 1;
75793- atomic_inc(&histogram[jif]);
75794+ atomic_inc_unchecked(&histogram[jif]);
75795 }
75796
75797 #else
75798diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
75799index fc1056f..501a546 100644
75800--- a/fs/cachefiles/namei.c
75801+++ b/fs/cachefiles/namei.c
75802@@ -312,7 +312,7 @@ try_again:
75803 /* first step is to make up a grave dentry in the graveyard */
75804 sprintf(nbuffer, "%08x%08x",
75805 (uint32_t) get_seconds(),
75806- (uint32_t) atomic_inc_return(&cache->gravecounter));
75807+ (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
75808
75809 /* do the multiway lock magic */
75810 trap = lock_rename(cache->graveyard, dir);
75811diff --git a/fs/cachefiles/proc.c b/fs/cachefiles/proc.c
75812index eccd339..4c1d995 100644
75813--- a/fs/cachefiles/proc.c
75814+++ b/fs/cachefiles/proc.c
75815@@ -14,9 +14,9 @@
75816 #include <linux/seq_file.h>
75817 #include "internal.h"
75818
75819-atomic_t cachefiles_lookup_histogram[HZ];
75820-atomic_t cachefiles_mkdir_histogram[HZ];
75821-atomic_t cachefiles_create_histogram[HZ];
75822+atomic_unchecked_t cachefiles_lookup_histogram[HZ];
75823+atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
75824+atomic_unchecked_t cachefiles_create_histogram[HZ];
75825
75826 /*
75827 * display the latency histogram
75828@@ -35,9 +35,9 @@ static int cachefiles_histogram_show(struct seq_file *m, void *v)
75829 return 0;
75830 default:
75831 index = (unsigned long) v - 3;
75832- x = atomic_read(&cachefiles_lookup_histogram[index]);
75833- y = atomic_read(&cachefiles_mkdir_histogram[index]);
75834- z = atomic_read(&cachefiles_create_histogram[index]);
75835+ x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
75836+ y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
75837+ z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
75838 if (x == 0 && y == 0 && z == 0)
75839 return 0;
75840
75841diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
75842index 9314b4e..4a1f602 100644
75843--- a/fs/ceph/dir.c
75844+++ b/fs/ceph/dir.c
75845@@ -214,10 +214,18 @@ static int __dcache_readdir(struct file *file, struct dir_context *ctx,
75846 spin_unlock(&dentry->d_lock);
75847
75848 if (emit_dentry) {
75849+ char d_name[DNAME_INLINE_LEN];
75850+ const unsigned char *name;
75851+
75852 dout(" %llu (%llu) dentry %p %pd %p\n", di->offset, ctx->pos,
75853 dentry, dentry, d_inode(dentry));
75854 ctx->pos = di->offset;
75855- if (!dir_emit(ctx, dentry->d_name.name,
75856+ name = dentry->d_name.name;
75857+ if (name == dentry->d_iname) {
75858+ memcpy(d_name, name, dentry->d_name.len);
75859+ name = d_name;
75860+ }
75861+ if (!dir_emit(ctx, name,
75862 dentry->d_name.len,
75863 ceph_translate_ino(dentry->d_sb,
75864 d_inode(dentry)->i_ino),
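Review bot: The inline name is copied with `memcpy(d_name, name, dentry->d_name.len)` after the `spin_unlock(&dentry->d_lock)` visible at the top of the hunk, so `d_name.name` and `d_name.len` are read without that lock and the length is read a second time for `dir_emit`. If a concurrent rename can change them at this point, the length used for the copy is not guaranteed to match the "is inline" test and is not bounded by `sizeof(d_name)` here. Reading the length once and clamping it, e.g. `len = min_t(unsigned int, dentry->d_name.len, sizeof(d_name));`, then using `len` for both the copy and `dir_emit`, would make the stack copy self-contained. A one-line comment saying why the inline name is bounced through the stack would also help; __dcache_readdir continues outside the hunk.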
75865@@ -259,7 +267,7 @@ static int ceph_readdir(struct file *file, struct dir_context *ctx)
75866 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
75867 struct ceph_mds_client *mdsc = fsc->mdsc;
75868 unsigned frag = fpos_frag(ctx->pos);
75869- int off = fpos_off(ctx->pos);
75870+ unsigned int off = fpos_off(ctx->pos);
75871 int err;
75872 u32 ftype;
75873 struct ceph_mds_reply_info_parsed *rinfo;
75874diff --git a/fs/ceph/super.c b/fs/ceph/super.c
75875index 7b6bfcb..f8d5416 100644
75876--- a/fs/ceph/super.c
75877+++ b/fs/ceph/super.c
75878@@ -906,7 +906,7 @@ static int ceph_compare_super(struct super_block *sb, void *data)
75879 /*
75880 * construct our own bdi so we can control readahead, etc.
75881 */
75882-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
75883+static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
75884
75885 static int ceph_register_bdi(struct super_block *sb,
75886 struct ceph_fs_client *fsc)
75887@@ -923,7 +923,7 @@ static int ceph_register_bdi(struct super_block *sb,
75888 VM_MAX_READAHEAD * 1024 / PAGE_CACHE_SIZE;
75889
75890 err = bdi_register(&fsc->backing_dev_info, NULL, "ceph-%ld",
75891- atomic_long_inc_return(&bdi_seq));
75892+ atomic_long_inc_return_unchecked(&bdi_seq));
75893 if (!err)
75894 sb->s_bdi = &fsc->backing_dev_info;
75895 return err;
75896diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
75897index 7febcf2..62a5721 100644
75898--- a/fs/cifs/cifs_debug.c
75899+++ b/fs/cifs/cifs_debug.c
75900@@ -269,8 +269,8 @@ static ssize_t cifs_stats_proc_write(struct file *file,
75901
75902 if (strtobool(&c, &bv) == 0) {
75903 #ifdef CONFIG_CIFS_STATS2
75904- atomic_set(&totBufAllocCount, 0);
75905- atomic_set(&totSmBufAllocCount, 0);
75906+ atomic_set_unchecked(&totBufAllocCount, 0);
75907+ atomic_set_unchecked(&totSmBufAllocCount, 0);
75908 #endif /* CONFIG_CIFS_STATS2 */
75909 spin_lock(&cifs_tcp_ses_lock);
75910 list_for_each(tmp1, &cifs_tcp_ses_list) {
75911@@ -283,7 +283,7 @@ static ssize_t cifs_stats_proc_write(struct file *file,
75912 tcon = list_entry(tmp3,
75913 struct cifs_tcon,
75914 tcon_list);
75915- atomic_set(&tcon->num_smbs_sent, 0);
75916+ atomic_set_unchecked(&tcon->num_smbs_sent, 0);
75917 if (server->ops->clear_stats)
75918 server->ops->clear_stats(tcon);
75919 }
75920@@ -315,8 +315,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
75921 smBufAllocCount.counter, cifs_min_small);
75922 #ifdef CONFIG_CIFS_STATS2
75923 seq_printf(m, "Total Large %d Small %d Allocations\n",
75924- atomic_read(&totBufAllocCount),
75925- atomic_read(&totSmBufAllocCount));
75926+ atomic_read_unchecked(&totBufAllocCount),
75927+ atomic_read_unchecked(&totSmBufAllocCount));
75928 #endif /* CONFIG_CIFS_STATS2 */
75929
75930 seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
75931@@ -345,7 +345,7 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
75932 if (tcon->need_reconnect)
75933 seq_puts(m, "\tDISCONNECTED ");
75934 seq_printf(m, "\nSMBs: %d",
75935- atomic_read(&tcon->num_smbs_sent));
75936+ atomic_read_unchecked(&tcon->num_smbs_sent));
75937 if (server->ops->print_stats)
75938 server->ops->print_stats(m, tcon);
75939 }
75940diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
75941index 6a1119e..b2f2160 100644
75942--- a/fs/cifs/cifsfs.c
75943+++ b/fs/cifs/cifsfs.c
75944@@ -1082,7 +1082,7 @@ cifs_init_request_bufs(void)
75945 */
75946 cifs_req_cachep = kmem_cache_create("cifs_request",
75947 CIFSMaxBufSize + max_hdr_size, 0,
75948- SLAB_HWCACHE_ALIGN, NULL);
75949+ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
75950 if (cifs_req_cachep == NULL)
75951 return -ENOMEM;
75952
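Review bot: `SLAB_USERCOPY` marks every object in `cifs_request` as a permitted source or target for user copies, and the same flag is added to `cifs_small_rq` in the next hunk, but neither site says which copy path needs it. A comment such as `/* SLAB_USERCOPY: buffers are copied to/from user space directly by <caller>; keep in sync with that path */` would make the exemption reviewable. These caches presumably hold SMB request and response data, so it is worth confirming that the callers bound the copy length by the received size and not only by the slab object size; those callers are outside this hunk.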
75953@@ -1109,7 +1109,7 @@ cifs_init_request_bufs(void)
75954 efficient to alloc 1 per page off the slab compared to 17K (5page)
75955 alloc of large cifs buffers even when page debugging is on */
75956 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
75957- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
75958+ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
75959 NULL);
75960 if (cifs_sm_req_cachep == NULL) {
75961 mempool_destroy(cifs_req_poolp);
75962@@ -1194,8 +1194,8 @@ init_cifs(void)
75963 atomic_set(&bufAllocCount, 0);
75964 atomic_set(&smBufAllocCount, 0);
75965 #ifdef CONFIG_CIFS_STATS2
75966- atomic_set(&totBufAllocCount, 0);
75967- atomic_set(&totSmBufAllocCount, 0);
75968+ atomic_set_unchecked(&totBufAllocCount, 0);
75969+ atomic_set_unchecked(&totSmBufAllocCount, 0);
75970 #endif /* CONFIG_CIFS_STATS2 */
75971
75972 atomic_set(&midCount, 0);
75973diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
75974index b406a32..243eb1c 100644
75975--- a/fs/cifs/cifsglob.h
75976+++ b/fs/cifs/cifsglob.h
75977@@ -832,35 +832,35 @@ struct cifs_tcon {
75978 __u16 Flags; /* optional support bits */
75979 enum statusEnum tidStatus;
75980 #ifdef CONFIG_CIFS_STATS
75981- atomic_t num_smbs_sent;
75982+ atomic_unchecked_t num_smbs_sent;
75983 union {
75984 struct {
75985- atomic_t num_writes;
75986- atomic_t num_reads;
75987- atomic_t num_flushes;
75988- atomic_t num_oplock_brks;
75989- atomic_t num_opens;
75990- atomic_t num_closes;
75991- atomic_t num_deletes;
75992- atomic_t num_mkdirs;
75993- atomic_t num_posixopens;
75994- atomic_t num_posixmkdirs;
75995- atomic_t num_rmdirs;
75996- atomic_t num_renames;
75997- atomic_t num_t2renames;
75998- atomic_t num_ffirst;
75999- atomic_t num_fnext;
76000- atomic_t num_fclose;
76001- atomic_t num_hardlinks;
76002- atomic_t num_symlinks;
76003- atomic_t num_locks;
76004- atomic_t num_acl_get;
76005- atomic_t num_acl_set;
76006+ atomic_unchecked_t num_writes;
76007+ atomic_unchecked_t num_reads;
76008+ atomic_unchecked_t num_flushes;
76009+ atomic_unchecked_t num_oplock_brks;
76010+ atomic_unchecked_t num_opens;
76011+ atomic_unchecked_t num_closes;
76012+ atomic_unchecked_t num_deletes;
76013+ atomic_unchecked_t num_mkdirs;
76014+ atomic_unchecked_t num_posixopens;
76015+ atomic_unchecked_t num_posixmkdirs;
76016+ atomic_unchecked_t num_rmdirs;
76017+ atomic_unchecked_t num_renames;
76018+ atomic_unchecked_t num_t2renames;
76019+ atomic_unchecked_t num_ffirst;
76020+ atomic_unchecked_t num_fnext;
76021+ atomic_unchecked_t num_fclose;
76022+ atomic_unchecked_t num_hardlinks;
76023+ atomic_unchecked_t num_symlinks;
76024+ atomic_unchecked_t num_locks;
76025+ atomic_unchecked_t num_acl_get;
76026+ atomic_unchecked_t num_acl_set;
76027 } cifs_stats;
76028 #ifdef CONFIG_CIFS_SMB2
76029 struct {
76030- atomic_t smb2_com_sent[NUMBER_OF_SMB2_COMMANDS];
76031- atomic_t smb2_com_failed[NUMBER_OF_SMB2_COMMANDS];
76032+ atomic_unchecked_t smb2_com_sent[NUMBER_OF_SMB2_COMMANDS];
76033+ atomic_unchecked_t smb2_com_failed[NUMBER_OF_SMB2_COMMANDS];
76034 } smb2_stats;
76035 #endif /* CONFIG_CIFS_SMB2 */
76036 } stats;
76037@@ -1207,7 +1207,7 @@ convert_delimiter(char *path, char delim)
76038 }
76039
76040 #ifdef CONFIG_CIFS_STATS
76041-#define cifs_stats_inc atomic_inc
76042+#define cifs_stats_inc atomic_inc_unchecked
76043
76044 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
76045 unsigned int bytes)
76046@@ -1574,8 +1574,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount;
76047 /* Various Debug counters */
76048 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
76049 #ifdef CONFIG_CIFS_STATS2
76050-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
76051-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
76052+GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
76053+GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
76054 #endif
76055 GLOBAL_EXTERN atomic_t smBufAllocCount;
76056 GLOBAL_EXTERN atomic_t midCount;
76057diff --git a/fs/cifs/file.c b/fs/cifs/file.c
76058index 3f50cee..7741620 100644
76059--- a/fs/cifs/file.c
76060+++ b/fs/cifs/file.c
76061@@ -2054,10 +2054,14 @@ static int cifs_writepages(struct address_space *mapping,
76062 index = mapping->writeback_index; /* Start from prev offset */
76063 end = -1;
76064 } else {
76065- index = wbc->range_start >> PAGE_CACHE_SHIFT;
76066- end = wbc->range_end >> PAGE_CACHE_SHIFT;
76067- if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX)
76068+ if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) {
76069 range_whole = true;
76070+ index = 0;
76071+ end = ULONG_MAX;
76072+ } else {
76073+ index = wbc->range_start >> PAGE_CACHE_SHIFT;
76074+ end = wbc->range_end >> PAGE_CACHE_SHIFT;
76075+ }
76076 scanned = true;
76077 }
76078 server = cifs_sb_master_tcon(cifs_sb)->ses->server;
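Review bot: The whole-range branch now sets `end = ULONG_MAX` where the removed code derived it from `wbc->range_end >> PAGE_CACHE_SHIFT`, which changes the value of `end` for `range_whole` writeback and is not explained. The declaration of `end` and its later uses are outside the hunk, so any arithmetic on it, such as a page count computed from `end - index`, should be checked against the new maximum. A comment on the new branch, e.g. `/* whole file: set the page range directly instead of narrowing LLONG_MAX >> PAGE_CACHE_SHIFT */`, would record the intent if that is the reason.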
76079diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
76080index f621b44..6b66dd5 100644
76081--- a/fs/cifs/inode.c
76082+++ b/fs/cifs/inode.c
76083@@ -2034,7 +2034,6 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs,
76084 struct tcon_link *tlink = NULL;
76085 struct cifs_tcon *tcon = NULL;
76086 struct TCP_Server_Info *server;
76087- struct cifs_io_parms io_parms;
76088
76089 /*
76090 * To avoid spurious oplock breaks from server, in the case of
76091@@ -2056,18 +2055,6 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs,
76092 rc = -ENOSYS;
76093 cifsFileInfo_put(open_file);
76094 cifs_dbg(FYI, "SetFSize for attrs rc = %d\n", rc);
76095- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
76096- unsigned int bytes_written;
76097-
76098- io_parms.netfid = open_file->fid.netfid;
76099- io_parms.pid = open_file->pid;
76100- io_parms.tcon = tcon;
76101- io_parms.offset = 0;
76102- io_parms.length = attrs->ia_size;
76103- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written,
76104- NULL, NULL, 1);
76105- cifs_dbg(FYI, "Wrt seteof rc %d\n", rc);
76106- }
76107 } else
76108 rc = -EINVAL;
76109
76110@@ -2093,28 +2080,7 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs,
76111 else
76112 rc = -ENOSYS;
76113 cifs_dbg(FYI, "SetEOF by path (setattrs) rc = %d\n", rc);
76114- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
76115- __u16 netfid;
76116- int oplock = 0;
76117
76118- rc = SMBLegacyOpen(xid, tcon, full_path, FILE_OPEN,
76119- GENERIC_WRITE, CREATE_NOT_DIR, &netfid,
76120- &oplock, NULL, cifs_sb->local_nls,
76121- cifs_remap(cifs_sb));
76122- if (rc == 0) {
76123- unsigned int bytes_written;
76124-
76125- io_parms.netfid = netfid;
76126- io_parms.pid = current->tgid;
76127- io_parms.tcon = tcon;
76128- io_parms.offset = 0;
76129- io_parms.length = attrs->ia_size;
76130- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, NULL,
76131- NULL, 1);
76132- cifs_dbg(FYI, "wrt seteof rc %d\n", rc);
76133- CIFSSMBClose(xid, tcon, netfid);
76134- }
76135- }
76136 if (tlink)
76137 cifs_put_tlink(tlink);
76138
76139diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
76140index 8442b8b..ea6986f 100644
76141--- a/fs/cifs/misc.c
76142+++ b/fs/cifs/misc.c
76143@@ -170,7 +170,7 @@ cifs_buf_get(void)
76144 memset(ret_buf, 0, buf_size + 3);
76145 atomic_inc(&bufAllocCount);
76146 #ifdef CONFIG_CIFS_STATS2
76147- atomic_inc(&totBufAllocCount);
76148+ atomic_inc_unchecked(&totBufAllocCount);
76149 #endif /* CONFIG_CIFS_STATS2 */
76150 }
76151
76152@@ -205,7 +205,7 @@ cifs_small_buf_get(void)
76153 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
76154 atomic_inc(&smBufAllocCount);
76155 #ifdef CONFIG_CIFS_STATS2
76156- atomic_inc(&totSmBufAllocCount);
76157+ atomic_inc_unchecked(&totSmBufAllocCount);
76158 #endif /* CONFIG_CIFS_STATS2 */
76159
76160 }
76161diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
76162index fc537c2..47d654c 100644
76163--- a/fs/cifs/smb1ops.c
76164+++ b/fs/cifs/smb1ops.c
76165@@ -622,27 +622,27 @@ static void
76166 cifs_clear_stats(struct cifs_tcon *tcon)
76167 {
76168 #ifdef CONFIG_CIFS_STATS
76169- atomic_set(&tcon->stats.cifs_stats.num_writes, 0);
76170- atomic_set(&tcon->stats.cifs_stats.num_reads, 0);
76171- atomic_set(&tcon->stats.cifs_stats.num_flushes, 0);
76172- atomic_set(&tcon->stats.cifs_stats.num_oplock_brks, 0);
76173- atomic_set(&tcon->stats.cifs_stats.num_opens, 0);
76174- atomic_set(&tcon->stats.cifs_stats.num_posixopens, 0);
76175- atomic_set(&tcon->stats.cifs_stats.num_posixmkdirs, 0);
76176- atomic_set(&tcon->stats.cifs_stats.num_closes, 0);
76177- atomic_set(&tcon->stats.cifs_stats.num_deletes, 0);
76178- atomic_set(&tcon->stats.cifs_stats.num_mkdirs, 0);
76179- atomic_set(&tcon->stats.cifs_stats.num_rmdirs, 0);
76180- atomic_set(&tcon->stats.cifs_stats.num_renames, 0);
76181- atomic_set(&tcon->stats.cifs_stats.num_t2renames, 0);
76182- atomic_set(&tcon->stats.cifs_stats.num_ffirst, 0);
76183- atomic_set(&tcon->stats.cifs_stats.num_fnext, 0);
76184- atomic_set(&tcon->stats.cifs_stats.num_fclose, 0);
76185- atomic_set(&tcon->stats.cifs_stats.num_hardlinks, 0);
76186- atomic_set(&tcon->stats.cifs_stats.num_symlinks, 0);
76187- atomic_set(&tcon->stats.cifs_stats.num_locks, 0);
76188- atomic_set(&tcon->stats.cifs_stats.num_acl_get, 0);
76189- atomic_set(&tcon->stats.cifs_stats.num_acl_set, 0);
76190+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_writes, 0);
76191+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_reads, 0);
76192+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_flushes, 0);
76193+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_oplock_brks, 0);
76194+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_opens, 0);
76195+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_posixopens, 0);
76196+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_posixmkdirs, 0);
76197+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_closes, 0);
76198+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_deletes, 0);
76199+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_mkdirs, 0);
76200+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_rmdirs, 0);
76201+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_renames, 0);
76202+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_t2renames, 0);
76203+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_ffirst, 0);
76204+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_fnext, 0);
76205+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_fclose, 0);
76206+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_hardlinks, 0);
76207+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_symlinks, 0);
76208+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_locks, 0);
76209+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_acl_get, 0);
76210+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_acl_set, 0);
76211 #endif
76212 }
76213
76214@@ -651,36 +651,36 @@ cifs_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
76215 {
76216 #ifdef CONFIG_CIFS_STATS
76217 seq_printf(m, " Oplocks breaks: %d",
76218- atomic_read(&tcon->stats.cifs_stats.num_oplock_brks));
76219+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_oplock_brks));
76220 seq_printf(m, "\nReads: %d Bytes: %llu",
76221- atomic_read(&tcon->stats.cifs_stats.num_reads),
76222+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_reads),
76223 (long long)(tcon->bytes_read));
76224 seq_printf(m, "\nWrites: %d Bytes: %llu",
76225- atomic_read(&tcon->stats.cifs_stats.num_writes),
76226+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_writes),
76227 (long long)(tcon->bytes_written));
76228 seq_printf(m, "\nFlushes: %d",
76229- atomic_read(&tcon->stats.cifs_stats.num_flushes));
76230+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_flushes));
76231 seq_printf(m, "\nLocks: %d HardLinks: %d Symlinks: %d",
76232- atomic_read(&tcon->stats.cifs_stats.num_locks),
76233- atomic_read(&tcon->stats.cifs_stats.num_hardlinks),
76234- atomic_read(&tcon->stats.cifs_stats.num_symlinks));
76235+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_locks),
76236+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_hardlinks),
76237+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_symlinks));
76238 seq_printf(m, "\nOpens: %d Closes: %d Deletes: %d",
76239- atomic_read(&tcon->stats.cifs_stats.num_opens),
76240- atomic_read(&tcon->stats.cifs_stats.num_closes),
76241- atomic_read(&tcon->stats.cifs_stats.num_deletes));
76242+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_opens),
76243+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_closes),
76244+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_deletes));
76245 seq_printf(m, "\nPosix Opens: %d Posix Mkdirs: %d",
76246- atomic_read(&tcon->stats.cifs_stats.num_posixopens),
76247- atomic_read(&tcon->stats.cifs_stats.num_posixmkdirs));
76248+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_posixopens),
76249+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_posixmkdirs));
76250 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
76251- atomic_read(&tcon->stats.cifs_stats.num_mkdirs),
76252- atomic_read(&tcon->stats.cifs_stats.num_rmdirs));
76253+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_mkdirs),
76254+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_rmdirs));
76255 seq_printf(m, "\nRenames: %d T2 Renames %d",
76256- atomic_read(&tcon->stats.cifs_stats.num_renames),
76257- atomic_read(&tcon->stats.cifs_stats.num_t2renames));
76258+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_renames),
76259+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_t2renames));
76260 seq_printf(m, "\nFindFirst: %d FNext %d FClose %d",
76261- atomic_read(&tcon->stats.cifs_stats.num_ffirst),
76262- atomic_read(&tcon->stats.cifs_stats.num_fnext),
76263- atomic_read(&tcon->stats.cifs_stats.num_fclose));
76264+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_ffirst),
76265+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_fnext),
76266+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_fclose));
76267 #endif
76268 }
76269
76270diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
76271index df91bcf..c499de7 100644
76272--- a/fs/cifs/smb2ops.c
76273+++ b/fs/cifs/smb2ops.c
76274@@ -418,8 +418,8 @@ smb2_clear_stats(struct cifs_tcon *tcon)
76275 #ifdef CONFIG_CIFS_STATS
76276 int i;
76277 for (i = 0; i < NUMBER_OF_SMB2_COMMANDS; i++) {
76278- atomic_set(&tcon->stats.smb2_stats.smb2_com_sent[i], 0);
76279- atomic_set(&tcon->stats.smb2_stats.smb2_com_failed[i], 0);
76280+ atomic_set_unchecked(&tcon->stats.smb2_stats.smb2_com_sent[i], 0);
76281+ atomic_set_unchecked(&tcon->stats.smb2_stats.smb2_com_failed[i], 0);
76282 }
76283 #endif
76284 }
76285@@ -459,65 +459,65 @@ static void
76286 smb2_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
76287 {
76288 #ifdef CONFIG_CIFS_STATS
76289- atomic_t *sent = tcon->stats.smb2_stats.smb2_com_sent;
76290- atomic_t *failed = tcon->stats.smb2_stats.smb2_com_failed;
76291+ atomic_unchecked_t *sent = tcon->stats.smb2_stats.smb2_com_sent;
76292+ atomic_unchecked_t *failed = tcon->stats.smb2_stats.smb2_com_failed;
76293 seq_printf(m, "\nNegotiates: %d sent %d failed",
76294- atomic_read(&sent[SMB2_NEGOTIATE_HE]),
76295- atomic_read(&failed[SMB2_NEGOTIATE_HE]));
76296+ atomic_read_unchecked(&sent[SMB2_NEGOTIATE_HE]),
76297+ atomic_read_unchecked(&failed[SMB2_NEGOTIATE_HE]));
76298 seq_printf(m, "\nSessionSetups: %d sent %d failed",
76299- atomic_read(&sent[SMB2_SESSION_SETUP_HE]),
76300- atomic_read(&failed[SMB2_SESSION_SETUP_HE]));
76301+ atomic_read_unchecked(&sent[SMB2_SESSION_SETUP_HE]),
76302+ atomic_read_unchecked(&failed[SMB2_SESSION_SETUP_HE]));
76303 seq_printf(m, "\nLogoffs: %d sent %d failed",
76304- atomic_read(&sent[SMB2_LOGOFF_HE]),
76305- atomic_read(&failed[SMB2_LOGOFF_HE]));
76306+ atomic_read_unchecked(&sent[SMB2_LOGOFF_HE]),
76307+ atomic_read_unchecked(&failed[SMB2_LOGOFF_HE]));
76308 seq_printf(m, "\nTreeConnects: %d sent %d failed",
76309- atomic_read(&sent[SMB2_TREE_CONNECT_HE]),
76310- atomic_read(&failed[SMB2_TREE_CONNECT_HE]));
76311+ atomic_read_unchecked(&sent[SMB2_TREE_CONNECT_HE]),
76312+ atomic_read_unchecked(&failed[SMB2_TREE_CONNECT_HE]));
76313 seq_printf(m, "\nTreeDisconnects: %d sent %d failed",
76314- atomic_read(&sent[SMB2_TREE_DISCONNECT_HE]),
76315- atomic_read(&failed[SMB2_TREE_DISCONNECT_HE]));
76316+ atomic_read_unchecked(&sent[SMB2_TREE_DISCONNECT_HE]),
76317+ atomic_read_unchecked(&failed[SMB2_TREE_DISCONNECT_HE]));
76318 seq_printf(m, "\nCreates: %d sent %d failed",
76319- atomic_read(&sent[SMB2_CREATE_HE]),
76320- atomic_read(&failed[SMB2_CREATE_HE]));
76321+ atomic_read_unchecked(&sent[SMB2_CREATE_HE]),
76322+ atomic_read_unchecked(&failed[SMB2_CREATE_HE]));
76323 seq_printf(m, "\nCloses: %d sent %d failed",
76324- atomic_read(&sent[SMB2_CLOSE_HE]),
76325- atomic_read(&failed[SMB2_CLOSE_HE]));
76326+ atomic_read_unchecked(&sent[SMB2_CLOSE_HE]),
76327+ atomic_read_unchecked(&failed[SMB2_CLOSE_HE]));
76328 seq_printf(m, "\nFlushes: %d sent %d failed",
76329- atomic_read(&sent[SMB2_FLUSH_HE]),
76330- atomic_read(&failed[SMB2_FLUSH_HE]));
76331+ atomic_read_unchecked(&sent[SMB2_FLUSH_HE]),
76332+ atomic_read_unchecked(&failed[SMB2_FLUSH_HE]));
76333 seq_printf(m, "\nReads: %d sent %d failed",
76334- atomic_read(&sent[SMB2_READ_HE]),
76335- atomic_read(&failed[SMB2_READ_HE]));
76336+ atomic_read_unchecked(&sent[SMB2_READ_HE]),
76337+ atomic_read_unchecked(&failed[SMB2_READ_HE]));
76338 seq_printf(m, "\nWrites: %d sent %d failed",
76339- atomic_read(&sent[SMB2_WRITE_HE]),
76340- atomic_read(&failed[SMB2_WRITE_HE]));
76341+ atomic_read_unchecked(&sent[SMB2_WRITE_HE]),
76342+ atomic_read_unchecked(&failed[SMB2_WRITE_HE]));
76343 seq_printf(m, "\nLocks: %d sent %d failed",
76344- atomic_read(&sent[SMB2_LOCK_HE]),
76345- atomic_read(&failed[SMB2_LOCK_HE]));
76346+ atomic_read_unchecked(&sent[SMB2_LOCK_HE]),
76347+ atomic_read_unchecked(&failed[SMB2_LOCK_HE]));
76348 seq_printf(m, "\nIOCTLs: %d sent %d failed",
76349- atomic_read(&sent[SMB2_IOCTL_HE]),
76350- atomic_read(&failed[SMB2_IOCTL_HE]));
76351+ atomic_read_unchecked(&sent[SMB2_IOCTL_HE]),
76352+ atomic_read_unchecked(&failed[SMB2_IOCTL_HE]));
76353 seq_printf(m, "\nCancels: %d sent %d failed",
76354- atomic_read(&sent[SMB2_CANCEL_HE]),
76355- atomic_read(&failed[SMB2_CANCEL_HE]));
76356+ atomic_read_unchecked(&sent[SMB2_CANCEL_HE]),
76357+ atomic_read_unchecked(&failed[SMB2_CANCEL_HE]));
76358 seq_printf(m, "\nEchos: %d sent %d failed",
76359- atomic_read(&sent[SMB2_ECHO_HE]),
76360- atomic_read(&failed[SMB2_ECHO_HE]));
76361+ atomic_read_unchecked(&sent[SMB2_ECHO_HE]),
76362+ atomic_read_unchecked(&failed[SMB2_ECHO_HE]));
76363 seq_printf(m, "\nQueryDirectories: %d sent %d failed",
76364- atomic_read(&sent[SMB2_QUERY_DIRECTORY_HE]),
76365- atomic_read(&failed[SMB2_QUERY_DIRECTORY_HE]));
76366+ atomic_read_unchecked(&sent[SMB2_QUERY_DIRECTORY_HE]),
76367+ atomic_read_unchecked(&failed[SMB2_QUERY_DIRECTORY_HE]));
76368 seq_printf(m, "\nChangeNotifies: %d sent %d failed",
76369- atomic_read(&sent[SMB2_CHANGE_NOTIFY_HE]),
76370- atomic_read(&failed[SMB2_CHANGE_NOTIFY_HE]));
76371+ atomic_read_unchecked(&sent[SMB2_CHANGE_NOTIFY_HE]),
76372+ atomic_read_unchecked(&failed[SMB2_CHANGE_NOTIFY_HE]));
76373 seq_printf(m, "\nQueryInfos: %d sent %d failed",
76374- atomic_read(&sent[SMB2_QUERY_INFO_HE]),
76375- atomic_read(&failed[SMB2_QUERY_INFO_HE]));
76376+ atomic_read_unchecked(&sent[SMB2_QUERY_INFO_HE]),
76377+ atomic_read_unchecked(&failed[SMB2_QUERY_INFO_HE]));
76378 seq_printf(m, "\nSetInfos: %d sent %d failed",
76379- atomic_read(&sent[SMB2_SET_INFO_HE]),
76380- atomic_read(&failed[SMB2_SET_INFO_HE]));
76381+ atomic_read_unchecked(&sent[SMB2_SET_INFO_HE]),
76382+ atomic_read_unchecked(&failed[SMB2_SET_INFO_HE]));
76383 seq_printf(m, "\nOplockBreaks: %d sent %d failed",
76384- atomic_read(&sent[SMB2_OPLOCK_BREAK_HE]),
76385- atomic_read(&failed[SMB2_OPLOCK_BREAK_HE]));
76386+ atomic_read_unchecked(&sent[SMB2_OPLOCK_BREAK_HE]),
76387+ atomic_read_unchecked(&failed[SMB2_OPLOCK_BREAK_HE]));
76388 #endif
76389 }
76390
76391diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
76392index b8b4f08..6e84a23 100644
76393--- a/fs/cifs/smb2pdu.c
76394+++ b/fs/cifs/smb2pdu.c
76395@@ -2206,8 +2206,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon,
76396 default:
76397 cifs_dbg(VFS, "info level %u isn't supported\n",
76398 srch_inf->info_level);
76399- rc = -EINVAL;
76400- goto qdir_exit;
76401+ return -EINVAL;
76402 }
76403
76404 req->FileIndex = cpu_to_le32(index);
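Review bot: The new `return -EINVAL;` in the `default:` arm leaves SMB2_query_directory without going through `qdir_exit`, so whatever that label releases is skipped on this path, and the hunk does not say why. The write to `req->FileIndex` just below suggests the request buffer already exists at this point; if so, confirm against the full function that it is released before returning, because no release call is visible here. If the bypass is deliberate, for instance because the response state is not set up yet, record it with a comment such as `/* response buffer not set up yet; skip qdir_exit */`. The function starts and ends outside the hunk.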
76405diff --git a/fs/coda/cache.c b/fs/coda/cache.c
76406index 5bb630a..043dc70 100644
76407--- a/fs/coda/cache.c
76408+++ b/fs/coda/cache.c
76409@@ -24,7 +24,7 @@
76410 #include "coda_linux.h"
76411 #include "coda_cache.h"
76412
76413-static atomic_t permission_epoch = ATOMIC_INIT(0);
76414+static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
76415
76416 /* replace or extend an acl cache hit */
76417 void coda_cache_enter(struct inode *inode, int mask)
76418@@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inode, int mask)
76419 struct coda_inode_info *cii = ITOC(inode);
76420
76421 spin_lock(&cii->c_lock);
76422- cii->c_cached_epoch = atomic_read(&permission_epoch);
76423+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
76424 if (!uid_eq(cii->c_uid, current_fsuid())) {
76425 cii->c_uid = current_fsuid();
76426 cii->c_cached_perm = mask;
76427@@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode *inode)
76428 {
76429 struct coda_inode_info *cii = ITOC(inode);
76430 spin_lock(&cii->c_lock);
76431- cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
76432+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
76433 spin_unlock(&cii->c_lock);
76434 }
76435
76436 /* remove all acl caches */
76437 void coda_cache_clear_all(struct super_block *sb)
76438 {
76439- atomic_inc(&permission_epoch);
76440+ atomic_inc_unchecked(&permission_epoch);
76441 }
76442
76443
76444@@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode, int mask)
76445 spin_lock(&cii->c_lock);
76446 hit = (mask & cii->c_cached_perm) == mask &&
76447 uid_eq(cii->c_uid, current_fsuid()) &&
76448- cii->c_cached_epoch == atomic_read(&permission_epoch);
76449+ cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
76450 spin_unlock(&cii->c_lock);
76451
76452 return hit;
76453diff --git a/fs/compat.c b/fs/compat.c
76454index 6fd272d..dd34ba2 100644
76455--- a/fs/compat.c
76456+++ b/fs/compat.c
76457@@ -54,7 +54,7 @@
76458 #include <asm/ioctls.h>
76459 #include "internal.h"
76460
76461-int compat_log = 1;
76462+int compat_log = 0;
76463
76464 int compat_printk(const char *fmt, ...)
76465 {
76466@@ -512,7 +512,7 @@ COMPAT_SYSCALL_DEFINE2(io_setup, unsigned, nr_reqs, u32 __user *, ctx32p)
76467
76468 set_fs(KERNEL_DS);
76469 /* The __user pointer cast is valid because of the set_fs() */
76470- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
76471+ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
76472 set_fs(oldfs);
76473 /* truncating is ok because it's a user address */
76474 if (!ret)
76475@@ -562,7 +562,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
76476 goto out;
76477
76478 ret = -EINVAL;
76479- if (nr_segs > UIO_MAXIOV || nr_segs < 0)
76480+ if (nr_segs > UIO_MAXIOV)
76481 goto out;
76482 if (nr_segs > fast_segs) {
76483 ret = -ENOMEM;
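Review bot: Dropping `nr_segs < 0` from the range check is only safe if `nr_segs` has an unsigned type in this tree, and the parameter list is cut off in the hunk header, so that cannot be confirmed from here. If the parameter is still signed, a negative count now passes `nr_segs > UIO_MAXIOV` and reaches the `fast_segs` comparison and the allocation sizing that follow. Either keep the signed guard or pin the assumption next to the check, e.g. `BUILD_BUG_ON((typeof(nr_segs))-1 < 0);`. The function body continues outside the hunk.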
76484@@ -844,6 +844,7 @@ struct compat_old_linux_dirent {
76485 struct compat_readdir_callback {
76486 struct dir_context ctx;
76487 struct compat_old_linux_dirent __user *dirent;
76488+ struct file * file;
76489 int result;
76490 };
76491
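Review bot: The added member is written `struct file * file;`, which does not match the `*dirent` declarator style of the member directly above it; `struct file *file;` keeps the struct consistent. The field is also undocumented: the syscall hunks below assign `buf.file = f.file` right before `iterate_dir()` without taking a reference, so the pointer appears to be borrowed for the duration of that call only. A comment such as `/* borrowed from the fd lookup; valid only during iterate_dir() */` would stop later code from keeping it longer. The same applies to the members added to compat_getdents_callback and compat_getdents_callback64.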
76492@@ -863,6 +864,10 @@ static int compat_fillonedir(struct dir_context *ctx, const char *name,
76493 buf->result = -EOVERFLOW;
76494 return -EOVERFLOW;
76495 }
76496+
76497+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
76498+ return 0;
76499+
76500 buf->result++;
76501 dirent = buf->dirent;
76502 if (!access_ok(VERIFY_WRITE, dirent,
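Review bot: The `gr_acl_handle_filldir()` check sits after the `-EOVERFLOW` exit visible at the top of the hunk, so an entry the policy would hide can still end the listing with an error instead of being skipped. Assuming the check is meant to keep such entries invisible to the caller, it should run before any per-entry validation, so that results never depend on entries the caller may not see. compat_filldir has the same order, and in compat_filldir64 the check follows the `reclen > buf->count` test. A one-line comment, e.g. `/* entry hidden by policy: skip it without reporting an error */`, would also make the bare `return 0` clear. All three functions start outside their hunks.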
76503@@ -894,6 +899,7 @@ COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
76504 if (!f.file)
76505 return -EBADF;
76506
76507+ buf.file = f.file;
76508 error = iterate_dir(f.file, &buf.ctx);
76509 if (buf.result)
76510 error = buf.result;
76511@@ -913,6 +919,7 @@ struct compat_getdents_callback {
76512 struct dir_context ctx;
76513 struct compat_linux_dirent __user *current_dir;
76514 struct compat_linux_dirent __user *previous;
76515+ struct file * file;
76516 int count;
76517 int error;
76518 };
76519@@ -935,6 +942,10 @@ static int compat_filldir(struct dir_context *ctx, const char *name, int namlen,
76520 buf->error = -EOVERFLOW;
76521 return -EOVERFLOW;
76522 }
76523+
76524+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
76525+ return 0;
76526+
76527 dirent = buf->previous;
76528 if (dirent) {
76529 if (__put_user(offset, &dirent->d_off))
76530@@ -980,6 +991,7 @@ COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
76531 if (!f.file)
76532 return -EBADF;
76533
76534+ buf.file = f.file;
76535 error = iterate_dir(f.file, &buf.ctx);
76536 if (error >= 0)
76537 error = buf.error;
76538@@ -1000,6 +1012,7 @@ struct compat_getdents_callback64 {
76539 struct dir_context ctx;
76540 struct linux_dirent64 __user *current_dir;
76541 struct linux_dirent64 __user *previous;
76542+ struct file * file;
76543 int count;
76544 int error;
76545 };
76546@@ -1018,6 +1031,10 @@ static int compat_filldir64(struct dir_context *ctx, const char *name,
76547 buf->error = -EINVAL; /* only used if we fail.. */
76548 if (reclen > buf->count)
76549 return -EINVAL;
76550+
76551+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
76552+ return 0;
76553+
76554 dirent = buf->previous;
76555
76556 if (dirent) {
76557@@ -1067,6 +1084,7 @@ COMPAT_SYSCALL_DEFINE3(getdents64, unsigned int, fd,
76558 if (!f.file)
76559 return -EBADF;
76560
76561+ buf.file = f.file;
76562 error = iterate_dir(f.file, &buf.ctx);
76563 if (error >= 0)
76564 error = buf.error;
76565diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
76566index 4d24d17..4f8c09e 100644
76567--- a/fs/compat_binfmt_elf.c
76568+++ b/fs/compat_binfmt_elf.c
76569@@ -30,11 +30,13 @@
76570 #undef elf_phdr
76571 #undef elf_shdr
76572 #undef elf_note
76573+#undef elf_dyn
76574 #undef elf_addr_t
76575 #define elfhdr elf32_hdr
76576 #define elf_phdr elf32_phdr
76577 #define elf_shdr elf32_shdr
76578 #define elf_note elf32_note
76579+#define elf_dyn Elf32_Dyn
76580 #define elf_addr_t Elf32_Addr
76581
76582 /*
76583diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
76584index 48851f6..6c79d32 100644
76585--- a/fs/compat_ioctl.c
76586+++ b/fs/compat_ioctl.c
76587@@ -622,7 +622,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
76588 return -EFAULT;
76589 if (__get_user(udata, &ss32->iomem_base))
76590 return -EFAULT;
76591- ss.iomem_base = compat_ptr(udata);
76592+ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
76593 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
76594 __get_user(ss.port_high, &ss32->port_high))
76595 return -EFAULT;
76596@@ -704,8 +704,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
76597 for (i = 0; i < nmsgs; i++) {
76598 if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16)))
76599 return -EFAULT;
76600- if (get_user(datap, &umsgs[i].buf) ||
76601- put_user(compat_ptr(datap), &tmsgs[i].buf))
76602+ if (get_user(datap, (compat_caddr_t __user *)&umsgs[i].buf) ||
76603+ put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf))
76604 return -EFAULT;
76605 }
76606 return sys_ioctl(fd, cmd, (unsigned long)tdata);
76607@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
76608 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
76609 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
76610 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
76611- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
76612+ copy_in_user(p->l_pad, p32->l_pad, 4*sizeof(u32)))
76613 return -EFAULT;
76614
76615 return ioctl_preallocate(file, p);
76616@@ -1621,8 +1621,8 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd,
76617 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
76618 {
76619 unsigned int a, b;
76620- a = *(unsigned int *)p;
76621- b = *(unsigned int *)q;
76622+ a = *(const unsigned int *)p;
76623+ b = *(const unsigned int *)q;
76624 if (a > b)
76625 return 1;
76626 if (a < b)
76627diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
76628index c81ce7f..f3de5fd 100644
76629--- a/fs/configfs/dir.c
76630+++ b/fs/configfs/dir.c
76631@@ -1540,7 +1540,8 @@ static int configfs_readdir(struct file *file, struct dir_context *ctx)
76632 }
76633 for (p = q->next; p != &parent_sd->s_children; p = p->next) {
76634 struct configfs_dirent *next;
76635- const char *name;
76636+ const unsigned char * name;
76637+ char d_name[sizeof(next->s_dentry->d_iname)];
76638 int len;
76639 struct inode *inode = NULL;
76640
76641@@ -1549,7 +1550,12 @@ static int configfs_readdir(struct file *file, struct dir_context *ctx)
76642 continue;
76643
76644 name = configfs_get_name(next);
76645- len = strlen(name);
76646+ if (next->s_dentry && name == next->s_dentry->d_iname) {
76647+ len = next->s_dentry->d_name.len;
76648+ memcpy(d_name, name, len);
76649+ name = d_name;
76650+ } else
76651+ len = strlen(name);
76652
76653 /*
76654 * We'll have a dentry and an inode for
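Review bot: `memcpy(d_name, name, len)` trusts `d_name.len` to fit the `sizeof(d_iname)` stack buffer declared in the previous hunk, but the length and the `d_iname` pointer are read at different moments with no lock visible in the hunk. If the copy exists to take a stable snapshot of a name that can change underneath the reader (my reading of it), the length can be stale as well, so clamp it before copying: `len = min_t(int, next->s_dentry->d_name.len, sizeof(d_name) - 1);`. The copy is not NUL-terminated, which is fine only as long as every later use passes `len`; those uses are outside the hunk. Kernel style also wants braces on the `else` branch when the `if` branch has them.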
76655diff --git a/fs/coredump.c b/fs/coredump.c
76656index a8f7564..3dde349 100644
76657--- a/fs/coredump.c
76658+++ b/fs/coredump.c
76659@@ -457,8 +457,8 @@ static void wait_for_dump_helpers(struct file *file)
76660 struct pipe_inode_info *pipe = file->private_data;
76661
76662 pipe_lock(pipe);
76663- pipe->readers++;
76664- pipe->writers--;
76665+ atomic_inc(&pipe->readers);
76666+ atomic_dec(&pipe->writers);
76667 wake_up_interruptible_sync(&pipe->wait);
76668 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
76669 pipe_unlock(pipe);
76670@@ -467,11 +467,11 @@ static void wait_for_dump_helpers(struct file *file)
76671 * We actually want wait_event_freezable() but then we need
76672 * to clear TIF_SIGPENDING and improve dump_interrupted().
76673 */
76674- wait_event_interruptible(pipe->wait, pipe->readers == 1);
76675+ wait_event_interruptible(pipe->wait, atomic_read(&pipe->readers) == 1);
76676
76677 pipe_lock(pipe);
76678- pipe->readers--;
76679- pipe->writers++;
76680+ atomic_dec(&pipe->readers);
76681+ atomic_inc(&pipe->writers);
76682 pipe_unlock(pipe);
76683 }
76684
76685@@ -518,7 +518,9 @@ void do_coredump(const siginfo_t *siginfo)
76686 /* require nonrelative corefile path and be extra careful */
76687 bool need_suid_safe = false;
76688 bool core_dumped = false;
76689- static atomic_t core_dump_count = ATOMIC_INIT(0);
76690+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
76691+ long signr = siginfo->si_signo;
76692+ int dumpable;
76693 struct coredump_params cprm = {
76694 .siginfo = siginfo,
76695 .regs = signal_pt_regs(),
76696@@ -531,12 +533,17 @@ void do_coredump(const siginfo_t *siginfo)
76697 .mm_flags = mm->flags,
76698 };
76699
76700- audit_core_dumps(siginfo->si_signo);
76701+ audit_core_dumps(signr);
76702+
76703+ dumpable = __get_dumpable(cprm.mm_flags);
76704+
76705+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
76706+ gr_handle_brute_attach(dumpable);
76707
76708 binfmt = mm->binfmt;
76709 if (!binfmt || !binfmt->core_dump)
76710 goto fail;
76711- if (!__get_dumpable(cprm.mm_flags))
76712+ if (!dumpable)
76713 goto fail;
76714
76715 cred = prepare_creds();
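Review bot: The four-signal test in front of `gr_handle_brute_attach(dumpable)` has no comment, and it is not obvious why SIGKILL is listed with SIGSEGV, SIGBUS and SIGILL while other core-generating signals are left out. Because the call sits before the `binfmt` and `dumpable` exits, it runs even when no core is written, which looks intentional but is also unstated. A short comment above the `if`, for example `/* crash signals fed to the brute-force detector; reported even when no core is written */`, would record both decisions. Separately, `signr` is declared `long` in the preceding hunk although it is loaded from `si_signo`, so `int` would match the source field unless a callee needs the wider type. do_coredump continues outside the hunk.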
76716@@ -554,7 +561,7 @@ void do_coredump(const siginfo_t *siginfo)
76717 need_suid_safe = true;
76718 }
76719
76720- retval = coredump_wait(siginfo->si_signo, &core_state);
76721+ retval = coredump_wait(signr, &core_state);
76722 if (retval < 0)
76723 goto fail_creds;
76724
76725@@ -597,7 +604,7 @@ void do_coredump(const siginfo_t *siginfo)
76726 }
76727 cprm.limit = RLIM_INFINITY;
76728
76729- dump_count = atomic_inc_return(&core_dump_count);
76730+ dump_count = atomic_inc_return_unchecked(&core_dump_count);
76731 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
76732 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
76733 task_tgid_vnr(current), current->comm);
76734@@ -629,6 +636,8 @@ void do_coredump(const siginfo_t *siginfo)
76735 } else {
76736 struct inode *inode;
76737
76738+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
76739+
76740 if (cprm.limit < binfmt->min_coredump)
76741 goto fail_unlock;
76742
76743@@ -718,7 +727,7 @@ close_fail:
76744 filp_close(cprm.file, NULL);
76745 fail_dropcount:
76746 if (ispipe)
76747- atomic_dec(&core_dump_count);
76748+ atomic_dec_unchecked(&core_dump_count);
76749 fail_unlock:
76750 kfree(cn.corename);
76751 coredump_finish(mm, core_dumped);
76752@@ -739,6 +748,8 @@ int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
76753 struct file *file = cprm->file;
76754 loff_t pos = file->f_pos;
76755 ssize_t n;
76756+
76757+ gr_learn_resource(current, RLIMIT_CORE, cprm->written + nr, 1);
76758 if (cprm->written + nr > cprm->limit)
76759 return 0;
76760 while (nr) {
76761diff --git a/fs/dcache.c b/fs/dcache.c
76762index 9b5fe50..8e7901e 100644
76763--- a/fs/dcache.c
76764+++ b/fs/dcache.c
76765@@ -545,7 +545,7 @@ static void __dentry_kill(struct dentry *dentry)
76766 * dentry_iput drops the locks, at which point nobody (except
76767 * transient RCU lookups) can reach this dentry.
76768 */
76769- BUG_ON(dentry->d_lockref.count > 0);
76770+ BUG_ON(__lockref_read(&dentry->d_lockref) > 0);
76771 this_cpu_dec(nr_dentry);
76772 if (dentry->d_op && dentry->d_op->d_release)
76773 dentry->d_op->d_release(dentry);
76774@@ -598,7 +598,7 @@ static inline struct dentry *lock_parent(struct dentry *dentry)
76775 struct dentry *parent = dentry->d_parent;
76776 if (IS_ROOT(dentry))
76777 return NULL;
76778- if (unlikely(dentry->d_lockref.count < 0))
76779+ if (unlikely(__lockref_read(&dentry->d_lockref) < 0))
76780 return NULL;
76781 if (likely(spin_trylock(&parent->d_lock)))
76782 return parent;
76783@@ -660,8 +660,8 @@ static inline bool fast_dput(struct dentry *dentry)
76784 */
76785 if (unlikely(ret < 0)) {
76786 spin_lock(&dentry->d_lock);
76787- if (dentry->d_lockref.count > 1) {
76788- dentry->d_lockref.count--;
76789+ if (__lockref_read(&dentry->d_lockref) > 1) {
76790+ __lockref_dec(&dentry->d_lockref);
76791 spin_unlock(&dentry->d_lock);
76792 return 1;
76793 }
76794@@ -716,7 +716,7 @@ static inline bool fast_dput(struct dentry *dentry)
76795 * else could have killed it and marked it dead. Either way, we
76796 * don't need to do anything else.
76797 */
76798- if (dentry->d_lockref.count) {
76799+ if (__lockref_read(&dentry->d_lockref)) {
76800 spin_unlock(&dentry->d_lock);
76801 return 1;
76802 }
76803@@ -726,7 +726,7 @@ static inline bool fast_dput(struct dentry *dentry)
76804 * lock, and we just tested that it was zero, so we can just
76805 * set it to 1.
76806 */
76807- dentry->d_lockref.count = 1;
76808+ __lockref_set(&dentry->d_lockref, 1);
76809 return 0;
76810 }
76811
76812@@ -788,7 +788,7 @@ repeat:
76813 dentry->d_flags |= DCACHE_REFERENCED;
76814 dentry_lru_add(dentry);
76815
76816- dentry->d_lockref.count--;
76817+ __lockref_dec(&dentry->d_lockref);
76818 spin_unlock(&dentry->d_lock);
76819 return;
76820
76821@@ -803,7 +803,7 @@ EXPORT_SYMBOL(dput);
76822 /* This must be called with d_lock held */
76823 static inline void __dget_dlock(struct dentry *dentry)
76824 {
76825- dentry->d_lockref.count++;
76826+ __lockref_inc(&dentry->d_lockref);
76827 }
76828
76829 static inline void __dget(struct dentry *dentry)
76830@@ -844,8 +844,8 @@ repeat:
76831 goto repeat;
76832 }
76833 rcu_read_unlock();
76834- BUG_ON(!ret->d_lockref.count);
76835- ret->d_lockref.count++;
76836+ BUG_ON(!__lockref_read(&ret->d_lockref));
76837+ __lockref_inc(&ret->d_lockref);
76838 spin_unlock(&ret->d_lock);
76839 return ret;
76840 }
76841@@ -923,9 +923,9 @@ restart:
76842 spin_lock(&inode->i_lock);
76843 hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
76844 spin_lock(&dentry->d_lock);
76845- if (!dentry->d_lockref.count) {
76846+ if (!__lockref_read(&dentry->d_lockref)) {
76847 struct dentry *parent = lock_parent(dentry);
76848- if (likely(!dentry->d_lockref.count)) {
76849+ if (likely(!__lockref_read(&dentry->d_lockref))) {
76850 __dentry_kill(dentry);
76851 dput(parent);
76852 goto restart;
76853@@ -960,7 +960,7 @@ static void shrink_dentry_list(struct list_head *list)
76854 * We found an inuse dentry which was not removed from
76855 * the LRU because of laziness during lookup. Do not free it.
76856 */
76857- if (dentry->d_lockref.count > 0) {
76858+ if (__lockref_read(&dentry->d_lockref) > 0) {
76859 spin_unlock(&dentry->d_lock);
76860 if (parent)
76861 spin_unlock(&parent->d_lock);
76862@@ -998,8 +998,8 @@ static void shrink_dentry_list(struct list_head *list)
76863 dentry = parent;
76864 while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) {
76865 parent = lock_parent(dentry);
76866- if (dentry->d_lockref.count != 1) {
76867- dentry->d_lockref.count--;
76868+ if (__lockref_read(&dentry->d_lockref) != 1) {
76869+ __lockref_inc(&dentry->d_lockref);
76870 spin_unlock(&dentry->d_lock);
76871 if (parent)
76872 spin_unlock(&parent->d_lock);
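Review bot: The replacement for `dentry->d_lockref.count--` in this hunk is `__lockref_inc(&dentry->d_lockref)`, which reverses the direction of the reference-count change; every other decrement converted in this file becomes `__lockref_dec()`. On this path the loop has just failed `lockref_put_or_lock()` on the parent and the count is not 1, so the original code drops one reference. With the increment the dentry ends up two references higher than intended, can never reach zero, and repeated hits push the counter toward overflow. The line should read `__lockref_dec(&dentry->d_lockref);`. shrink_dentry_list starts and ends outside the hunk.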
76873@@ -1039,7 +1039,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item,
76874 * counts, just remove them from the LRU. Otherwise give them
76875 * another pass through the LRU.
76876 */
76877- if (dentry->d_lockref.count) {
76878+ if (__lockref_read(&dentry->d_lockref)) {
76879 d_lru_isolate(lru, dentry);
76880 spin_unlock(&dentry->d_lock);
76881 return LRU_REMOVED;
76882@@ -1373,7 +1373,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
76883 } else {
76884 if (dentry->d_flags & DCACHE_LRU_LIST)
76885 d_lru_del(dentry);
76886- if (!dentry->d_lockref.count) {
76887+ if (!__lockref_read(&dentry->d_lockref)) {
76888 d_shrink_add(dentry, &data->dispose);
76889 data->found++;
76890 }
76891@@ -1421,7 +1421,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
76892 return D_WALK_CONTINUE;
76893
76894 /* root with refcount 1 is fine */
76895- if (dentry == _data && dentry->d_lockref.count == 1)
76896+ if (dentry == _data && __lockref_read(&dentry->d_lockref) == 1)
76897 return D_WALK_CONTINUE;
76898
76899 printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} "
76900@@ -1430,7 +1430,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
76901 dentry->d_inode ?
76902 dentry->d_inode->i_ino : 0UL,
76903 dentry,
76904- dentry->d_lockref.count,
76905+ __lockref_read(&dentry->d_lockref),
76906 dentry->d_sb->s_type->name,
76907 dentry->d_sb->s_id);
76908 WARN_ON(1);
76909@@ -1571,7 +1571,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76910 dentry->d_iname[DNAME_INLINE_LEN-1] = 0;
76911 if (name->len > DNAME_INLINE_LEN-1) {
76912 size_t size = offsetof(struct external_name, name[1]);
76913- struct external_name *p = kmalloc(size + name->len, GFP_KERNEL);
76914+ struct external_name *p = kmalloc(round_up(size + name->len, sizeof(unsigned long)), GFP_KERNEL);
76915 if (!p) {
76916 kmem_cache_free(dentry_cache, dentry);
76917 return NULL;
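Review bot: The allocation size is now rounded up to a multiple of `sizeof(unsigned long)` with no comment explaining why the padding is needed. If the purpose is to keep word-sized reads of the name inside the allocated object, which is my reading and should be confirmed, say so next to the call, e.g. `/* pad to a whole word so word-at-a-time compares stay inside the object */`. Nothing visible in the hunk initialises the padding bytes, so if they can be read they should be zeroed as well. The rewritten line is also well past 80 columns, and computing the size into a local first would keep it readable. __d_alloc starts and ends outside the hunk.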
76918@@ -1594,7 +1594,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76919 smp_wmb();
76920 dentry->d_name.name = dname;
76921
76922- dentry->d_lockref.count = 1;
76923+ __lockref_set(&dentry->d_lockref, 1);
76924 dentry->d_flags = 0;
76925 spin_lock_init(&dentry->d_lock);
76926 seqcount_init(&dentry->d_seq);
76927@@ -1603,6 +1603,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76928 dentry->d_sb = sb;
76929 dentry->d_op = NULL;
76930 dentry->d_fsdata = NULL;
76931+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
76932+ atomic_set(&dentry->chroot_refcnt, 0);
76933+#endif
76934 INIT_HLIST_BL_NODE(&dentry->d_hash);
76935 INIT_LIST_HEAD(&dentry->d_lru);
76936 INIT_LIST_HEAD(&dentry->d_subdirs);
76937@@ -2327,7 +2330,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
76938 goto next;
76939 }
76940
76941- dentry->d_lockref.count++;
76942+ __lockref_inc(&dentry->d_lockref);
76943 found = dentry;
76944 spin_unlock(&dentry->d_lock);
76945 break;
76946@@ -2395,7 +2398,7 @@ again:
76947 spin_lock(&dentry->d_lock);
76948 inode = dentry->d_inode;
76949 isdir = S_ISDIR(inode->i_mode);
76950- if (dentry->d_lockref.count == 1) {
76951+ if (__lockref_read(&dentry->d_lockref) == 1) {
76952 if (!spin_trylock(&inode->i_lock)) {
76953 spin_unlock(&dentry->d_lock);
76954 cpu_relax();
76955@@ -3337,7 +3340,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
76956
76957 if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
76958 dentry->d_flags |= DCACHE_GENOCIDE;
76959- dentry->d_lockref.count--;
76960+ __lockref_dec(&dentry->d_lockref);
76961 }
76962 }
76963 return D_WALK_CONTINUE;
76964@@ -3445,7 +3448,8 @@ void __init vfs_caches_init_early(void)
76965 void __init vfs_caches_init(void)
76966 {
76967 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
76968- SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
76969+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY|
76970+ SLAB_NO_SANITIZE, NULL);
76971
76972 dcache_init();
76973 inode_init();
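Review bot: `SLAB_NO_SANITIZE` on `names_cache` in `vfs_caches_init` is not explained, and this cache holds `PATH_MAX`-sized path buffers, so freed objects presumably keep their old contents even where slab sanitization is otherwise on. If the exemption is a performance trade-off for a hot cache, say so beside the flags, e.g. `/* hot path: exempt from sanitization, objects hold only path strings */`, so a later reader can judge whether that residue is acceptable. `SLAB_USERCOPY` deserves the same one-line justification.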
76974diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
76975index c711be8..23b8df9 100644
76976--- a/fs/debugfs/inode.c
76977+++ b/fs/debugfs/inode.c
76978@@ -402,6 +402,10 @@ EXPORT_SYMBOL_GPL(debugfs_create_file_size);
76979 * If debugfs is not enabled in the kernel, the value -%ENODEV will be
76980 * returned.
76981 */
76982+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
76983+extern int grsec_enable_sysfs_restrict;
76984+#endif
76985+
76986 struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
76987 {
76988 struct dentry *dentry = start_creating(name, parent);
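Review bot: The `extern int grsec_enable_sysfs_restrict;` block is inserted between the closing ` */` of the kernel-doc comment and `debugfs_create_dir()`, so the comment no longer sits directly above the function it documents. Move the `#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT` declaration above the comment, or better into a shared header so the declaration is checked against the definition. The comment itself begins above the hunk.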
76989@@ -414,7 +418,12 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
76990 if (unlikely(!inode))
76991 return failed_creating(dentry);
76992
76993- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
76994+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
76995+ if (grsec_enable_sysfs_restrict)
76996+ inode->i_mode = S_IFDIR | S_IRWXU;
76997+ else
76998+#endif
76999+ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
77000 inode->i_op = &simple_dir_inode_operations;
77001 inode->i_fop = &simple_dir_operations;
77002
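Review bot: The `if`/`else` that selects `inode->i_mode` in `debugfs_create_dir` straddles the `#endif`, so with the option enabled the assignment that looks unconditional is really the `else` branch; a line added between them later would silently change which statement the `else` binds to. Assigning the default first, `inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;`, and then overriding inside the `#ifdef` with `if (grsec_enable_sysfs_restrict) inode->i_mode = S_IFDIR | S_IRWXU;` keeps each preprocessor branch syntactically complete. The function body starts above the hunk.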
77003diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
77004index 3c4db11..a43976f 100644
77005--- a/fs/ecryptfs/inode.c
77006+++ b/fs/ecryptfs/inode.c
77007@@ -662,7 +662,7 @@ static char *ecryptfs_readlink_lower(struct dentry *dentry, size_t *bufsiz)
77008 old_fs = get_fs();
77009 set_fs(get_ds());
77010 rc = d_inode(lower_dentry)->i_op->readlink(lower_dentry,
77011- (char __user *)lower_buf,
77012+ (char __force_user *)lower_buf,
77013 PATH_MAX);
77014 set_fs(old_fs);
77015 if (rc < 0)
77016diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
77017index e4141f2..d8263e8 100644
77018--- a/fs/ecryptfs/miscdev.c
77019+++ b/fs/ecryptfs/miscdev.c
77020@@ -304,7 +304,7 @@ check_list:
77021 goto out_unlock_msg_ctx;
77022 i = PKT_TYPE_SIZE + PKT_CTR_SIZE;
77023 if (msg_ctx->msg) {
77024- if (copy_to_user(&buf[i], packet_length, packet_length_size))
77025+ if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
77026 goto out_unlock_msg_ctx;
77027 i += packet_length_size;
77028 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
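Review bot: The new `packet_length_size > sizeof(packet_length)` test shares the `goto out_unlock_msg_ctx` path with a failed `copy_to_user()`, so an internal length larger than the local buffer is reported to the caller exactly like a bad user pointer and leaves no trace in the log. That condition would mean the length encoder and the buffer declaration disagree, which is worth surfacing: `if (WARN_ON_ONCE(packet_length_size > sizeof(packet_length)) || copy_to_user(&buf[i], packet_length, packet_length_size))`. The declaration of `packet_length` and the value of `rc` on this path are outside the hunk.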
77029diff --git a/fs/exec.c b/fs/exec.c
77030index 1977c2a..40e7f8f 100644
77031--- a/fs/exec.c
77032+++ b/fs/exec.c
77033@@ -56,8 +56,20 @@
77034 #include <linux/pipe_fs_i.h>
77035 #include <linux/oom.h>
77036 #include <linux/compat.h>
77037+#include <linux/random.h>
77038+#include <linux/seq_file.h>
77039+#include <linux/coredump.h>
77040+#include <linux/mman.h>
77041+
77042+#ifdef CONFIG_PAX_REFCOUNT
77043+#include <linux/kallsyms.h>
77044+#include <linux/kdebug.h>
77045+#endif
77046+
77047+#include <trace/events/fs.h>
77048
77049 #include <asm/uaccess.h>
77050+#include <asm/sections.h>
77051 #include <asm/mmu_context.h>
77052 #include <asm/tlb.h>
77053
77054@@ -66,19 +78,34 @@
77055
77056 #include <trace/events/sched.h>
77057
77058+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
77059+void __weak pax_set_initial_flags(struct linux_binprm *bprm)
77060+{
77061+ pr_warn_once("PAX: PAX_HAVE_ACL_FLAGS was enabled without providing the pax_set_initial_flags callback, this is probably not what you wanted.\n");
77062+}
77063+#endif
77064+
77065+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
77066+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
77067+EXPORT_SYMBOL(pax_set_initial_flags_func);
77068+#endif
77069+
77070 int suid_dumpable = 0;
77071
77072 static LIST_HEAD(formats);
77073 static DEFINE_RWLOCK(binfmt_lock);
77074
77075+extern int gr_process_kernel_exec_ban(void);
77076+extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm);
77077+
77078 void __register_binfmt(struct linux_binfmt * fmt, int insert)
77079 {
77080 BUG_ON(!fmt);
77081 if (WARN_ON(!fmt->load_binary))
77082 return;
77083 write_lock(&binfmt_lock);
77084- insert ? list_add(&fmt->lh, &formats) :
77085- list_add_tail(&fmt->lh, &formats);
77086+ insert ? pax_list_add((struct list_head *)&fmt->lh, &formats) :
77087+ pax_list_add_tail((struct list_head *)&fmt->lh, &formats);
77088 write_unlock(&binfmt_lock);
77089 }
77090
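Review bot: `pax_set_initial_flags_func` is a plain writable function pointer published with `EXPORT_SYMBOL`, so any module can replace a hook that, judging by its name, sets the PaX flags of a new process. Unless it is made read-only elsewhere in the patch, prefer a registration function over an exported pointer, keep the pointer read-only after init, and use `EXPORT_SYMBOL_GPL` at minimum. The `extern int gr_process_kernel_exec_ban(void);` and `extern int gr_process_suid_exec_ban(...)` prototypes added below it belong in a header, so the compiler checks them against the definitions.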
77091@@ -87,7 +114,7 @@ EXPORT_SYMBOL(__register_binfmt);
77092 void unregister_binfmt(struct linux_binfmt * fmt)
77093 {
77094 write_lock(&binfmt_lock);
77095- list_del(&fmt->lh);
77096+ pax_list_del((struct list_head *)&fmt->lh);
77097 write_unlock(&binfmt_lock);
77098 }
77099
77100@@ -183,18 +210,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
77101 int write)
77102 {
77103 struct page *page;
77104- int ret;
77105
77106-#ifdef CONFIG_STACK_GROWSUP
77107- if (write) {
77108- ret = expand_downwards(bprm->vma, pos);
77109- if (ret < 0)
77110- return NULL;
77111- }
77112-#endif
77113- ret = get_user_pages(current, bprm->mm, pos,
77114- 1, write, 1, &page, NULL);
77115- if (ret <= 0)
77116+ if (0 > expand_downwards(bprm->vma, pos))
77117+ return NULL;
77118+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
77119 return NULL;
77120
77121 if (write) {
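Review bot: `expand_downwards()` is now called in `get_arg_page` on every lookup, whereas the removed code called it only when `write` was set and only under `CONFIG_STACK_GROWSUP`; nothing in the hunk says why the call was widened. Add a comment stating why read lookups and grows-down configurations need the explicit expansion. The comparisons `0 > expand_downwards(...)` and `0 >= get_user_pages(...)` are also written constant-first, unlike the surrounding code; `if (expand_downwards(bprm->vma, pos) < 0)` matches the file's style.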
77122@@ -210,6 +229,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
77123 if (size <= ARG_MAX)
77124 return page;
77125
77126+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
77127+ // only allow 512KB for argv+env on suid/sgid binaries
77128+ // to prevent easy ASLR exhaustion
77129+ if (((!uid_eq(bprm->cred->euid, current_euid())) ||
77130+ (!gid_eq(bprm->cred->egid, current_egid()))) &&
77131+ (size > (512 * 1024))) {
77132+ put_page(page);
77133+ return NULL;
77134+ }
77135+#endif
77136+
77137 /*
77138 * Limit to 1/4-th the stack size for the argv+env strings.
77139 * This ensures that:
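Review bot: The test `!uid_eq(bprm->cred->euid, current_euid()) || !gid_eq(bprm->cred->egid, current_egid())` only detects a change of effective id, so an exec that gains privilege some other way (file capabilities, for instance) would not get the 512KB argv+env cap. If the intent is every privilege-gaining exec, the predicate needs widening; otherwise the comment should state the limitation. The same expression is repeated for the 8MB stack limit added to `do_execveat_common` later in this file, so a small static helper taking `bprm` would keep the two in step. `512 * 1024` would read better as a named constant.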
77140@@ -269,6 +299,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
77141 vma->vm_end = STACK_TOP_MAX;
77142 vma->vm_start = vma->vm_end - PAGE_SIZE;
77143 vma->vm_flags = VM_SOFTDIRTY | VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
77144+
77145+#ifdef CONFIG_PAX_SEGMEXEC
77146+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
77147+#endif
77148+
77149 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
77150 INIT_LIST_HEAD(&vma->anon_vma_chain);
77151
77152@@ -280,6 +315,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
77153 arch_bprm_mm_init(mm, vma);
77154 up_write(&mm->mmap_sem);
77155 bprm->p = vma->vm_end - sizeof(void *);
77156+
77157+#ifdef CONFIG_PAX_RANDUSTACK
77158+ if (randomize_va_space)
77159+ bprm->p ^= prandom_u32() & ~PAGE_MASK;
77160+#endif
77161+
77162 return 0;
77163 err:
77164 up_write(&mm->mmap_sem);
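Review bot: `bprm->p ^= prandom_u32() & ~PAGE_MASK;` in `__bprm_mm_init` draws the sub-page stack offset from `prandom_u32()`, the kernel's fast non-cryptographic generator. Layout randomization is only worth its entropy if the value cannot be inferred from other outputs of the same generator, so unless `prandom_u32()` is redefined elsewhere in this patch, `get_random_int()` is the safer source: `bprm->p ^= get_random_int() & ~PAGE_MASK;`. A short comment that only the low in-page bits are randomized here would also help.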
77165@@ -396,7 +437,7 @@ struct user_arg_ptr {
77166 } ptr;
77167 };
77168
77169-static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
77170+const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
77171 {
77172 const char __user *native;
77173
77174@@ -405,14 +446,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
77175 compat_uptr_t compat;
77176
77177 if (get_user(compat, argv.ptr.compat + nr))
77178- return ERR_PTR(-EFAULT);
77179+ return (const char __force_user *)ERR_PTR(-EFAULT);
77180
77181 return compat_ptr(compat);
77182 }
77183 #endif
77184
77185 if (get_user(native, argv.ptr.native + nr))
77186- return ERR_PTR(-EFAULT);
77187+ return (const char __force_user *)ERR_PTR(-EFAULT);
77188
77189 return native;
77190 }
77191@@ -431,7 +472,7 @@ static int count(struct user_arg_ptr argv, int max)
77192 if (!p)
77193 break;
77194
77195- if (IS_ERR(p))
77196+ if (IS_ERR((const char __force_kernel *)p))
77197 return -EFAULT;
77198
77199 if (i >= max)
77200@@ -466,7 +507,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
77201
77202 ret = -EFAULT;
77203 str = get_user_arg_ptr(argv, argc);
77204- if (IS_ERR(str))
77205+ if (IS_ERR((const char __force_kernel *)str))
77206 goto out;
77207
77208 len = strnlen_user(str, MAX_ARG_STRLEN);
77209@@ -548,7 +589,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
77210 int r;
77211 mm_segment_t oldfs = get_fs();
77212 struct user_arg_ptr argv = {
77213- .ptr.native = (const char __user *const __user *)__argv,
77214+ .ptr.native = (const char __user * const __force_user *)__argv,
77215 };
77216
77217 set_fs(KERNEL_DS);
77218@@ -583,7 +624,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
77219 unsigned long new_end = old_end - shift;
77220 struct mmu_gather tlb;
77221
77222- BUG_ON(new_start > new_end);
77223+ if (new_start >= new_end || new_start < mmap_min_addr)
77224+ return -ENOMEM;
77225
77226 /*
77227 * ensure there are no vmas between where we want to go
77228@@ -592,6 +634,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
77229 if (vma != find_vma(mm, new_start))
77230 return -EFAULT;
77231
77232+#ifdef CONFIG_PAX_SEGMEXEC
77233+ BUG_ON(pax_find_mirror_vma(vma));
77234+#endif
77235+
77236 /*
77237 * cover the whole range: [new_start, old_end)
77238 */
77239@@ -675,10 +721,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
77240 stack_top = arch_align_stack(stack_top);
77241 stack_top = PAGE_ALIGN(stack_top);
77242
77243- if (unlikely(stack_top < mmap_min_addr) ||
77244- unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
77245- return -ENOMEM;
77246-
77247 stack_shift = vma->vm_end - stack_top;
77248
77249 bprm->p -= stack_shift;
77250@@ -690,8 +732,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
77251 bprm->exec -= stack_shift;
77252
77253 down_write(&mm->mmap_sem);
77254+
77255+ /* Move stack pages down in memory. */
77256+ if (stack_shift) {
77257+ ret = shift_arg_pages(vma, stack_shift);
77258+ if (ret)
77259+ goto out_unlock;
77260+ }
77261+
77262 vm_flags = VM_STACK_FLAGS;
77263
77264+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
77265+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
77266+ vm_flags &= ~VM_EXEC;
77267+
77268+#ifdef CONFIG_PAX_MPROTECT
77269+ if (mm->pax_flags & MF_PAX_MPROTECT)
77270+ vm_flags &= ~VM_MAYEXEC;
77271+#endif
77272+
77273+ }
77274+#endif
77275+
77276 /*
77277 * Adjust stack execute permissions; explicitly enable for
77278 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
77279@@ -710,13 +772,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
77280 goto out_unlock;
77281 BUG_ON(prev != vma);
77282
77283- /* Move stack pages down in memory. */
77284- if (stack_shift) {
77285- ret = shift_arg_pages(vma, stack_shift);
77286- if (ret)
77287- goto out_unlock;
77288- }
77289-
77290 /* mprotect_fixup is overkill to remove the temporary stack flags */
77291 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
77292
77293@@ -740,6 +795,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
77294 #endif
77295 current->mm->start_stack = bprm->p;
77296 ret = expand_stack(vma, stack_base);
77297+
77298+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP)
77299+ if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) {
77300+ unsigned long size;
77301+ vm_flags_t vm_flags;
77302+
77303+ size = STACK_TOP - vma->vm_end;
77304+ vm_flags = VM_NONE | VM_DONTEXPAND | VM_DONTDUMP;
77305+
77306+ ret = vma->vm_end != mmap_region(NULL, vma->vm_end, size, vm_flags, 0);
77307+
77308+#ifdef CONFIG_X86
77309+ if (!ret) {
77310+ size = PAGE_SIZE + mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
77311+ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), vm_flags, 0);
77312+ }
77313+#endif
77314+
77315+ }
77316+#endif
77317+
77318 if (ret)
77319 ret = -EFAULT;
77320
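Review bot: The `vm_flags_t vm_flags;` declared inside the `CONFIG_PAX_RANDMMAP` block shadows the `vm_flags` that `setup_arg_pages` assigns earlier with `vm_flags = VM_STACK_FLAGS;`, which `-Wshadow` would flag and which invites passing the wrong flags later in the function. Rename the inner one, e.g. `vm_flags_t gap_flags = VM_NONE | VM_DONTEXPAND | VM_DONTDUMP;`. `ret = vma->vm_end != mmap_region(...)` also collapses the result to 0/1, so whatever error `mmap_region()` returned is gone before `ret` becomes `-EFAULT`. A comment saying what the two mappings reserve and what `0xFFFFFFFFU` and `0xFFUL << PAGE_SHIFT` bound is missing.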
77321@@ -784,8 +860,10 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
77322 if (err)
77323 goto exit;
77324
77325- if (name->name[0] != '\0')
77326+ if (name->name[0] != '\0') {
77327 fsnotify_open(file);
77328+ trace_open_exec(name->name);
77329+ }
77330
77331 out:
77332 return file;
77333@@ -818,7 +896,7 @@ int kernel_read(struct file *file, loff_t offset,
77334 old_fs = get_fs();
77335 set_fs(get_ds());
77336 /* The cast to a user pointer is valid due to the set_fs() */
77337- result = vfs_read(file, (void __user *)addr, count, &pos);
77338+ result = vfs_read(file, (void __force_user *)addr, count, &pos);
77339 set_fs(old_fs);
77340 return result;
77341 }
77342@@ -863,6 +941,7 @@ static int exec_mmap(struct mm_struct *mm)
77343 tsk->mm = mm;
77344 tsk->active_mm = mm;
77345 activate_mm(active_mm, mm);
77346+ populate_stack();
77347 tsk->mm->vmacache_seqnum = 0;
77348 vmacache_flush(tsk);
77349 task_unlock(tsk);
77350@@ -1271,7 +1350,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
77351 }
77352 rcu_read_unlock();
77353
77354- if (p->fs->users > n_fs)
77355+ if (atomic_read(&p->fs->users) > n_fs)
77356 bprm->unsafe |= LSM_UNSAFE_SHARE;
77357 else
77358 p->fs->in_exec = 1;
77359@@ -1472,6 +1551,31 @@ static int exec_binprm(struct linux_binprm *bprm)
77360 return ret;
77361 }
77362
77363+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
77364+static DEFINE_PER_CPU(u64, exec_counter);
77365+static int __init init_exec_counters(void)
77366+{
77367+ unsigned int cpu;
77368+
77369+ for_each_possible_cpu(cpu) {
77370+ per_cpu(exec_counter, cpu) = (u64)cpu;
77371+ }
77372+
77373+ return 0;
77374+}
77375+early_initcall(init_exec_counters);
77376+static inline void increment_exec_counter(void)
77377+{
77378+ BUILD_BUG_ON(NR_CPUS > (1 << 16));
77379+ current->exec_id = this_cpu_add_return(exec_counter, 1 << 16);
77380+}
77381+#else
77382+static inline void increment_exec_counter(void) {}
77383+#endif
77384+
77385+extern void gr_handle_exec_args(struct linux_binprm *bprm,
77386+ struct user_arg_ptr argv);
77387+
77388 /*
77389 * sys_execve() executes a new program.
77390 */
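Review bot: `increment_exec_counter()` and `init_exec_counters()` have no comment describing the value stored in `current->exec_id`. Each per-CPU counter is seeded with the CPU number and advanced by `1 << 16`, so the low 16 bits stay the CPU number and the upper bits count execs on that CPU, which is what `BUILD_BUG_ON(NR_CPUS > (1 << 16))` guards. A comment above `init_exec_counters()` such as `/* exec_id = (per-CPU exec count << 16) | cpu */` would record that, along with the reason for it, presumably uniqueness without a shared counter. The `extern void gr_handle_exec_args(...)` prototype added at the end of the hunk belongs in a header.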
77391@@ -1480,6 +1584,11 @@ static int do_execveat_common(int fd, struct filename *filename,
77392 struct user_arg_ptr envp,
77393 int flags)
77394 {
77395+#ifdef CONFIG_GRKERNSEC
77396+ struct file *old_exec_file;
77397+ struct acl_subject_label *old_acl;
77398+ struct rlimit old_rlim[RLIM_NLIMITS];
77399+#endif
77400 char *pathbuf = NULL;
77401 struct linux_binprm *bprm;
77402 struct file *file;
77403@@ -1489,6 +1598,8 @@ static int do_execveat_common(int fd, struct filename *filename,
77404 if (IS_ERR(filename))
77405 return PTR_ERR(filename);
77406
77407+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current_user()->processes), 1);
77408+
77409 /*
77410 * We move the actual failure in case of RLIMIT_NPROC excess from
77411 * set*uid() to execve() because too many poorly written programs
77412@@ -1526,6 +1637,11 @@ static int do_execveat_common(int fd, struct filename *filename,
77413 if (IS_ERR(file))
77414 goto out_unmark;
77415
77416+ if (gr_ptrace_readexec(file, bprm->unsafe)) {
77417+ retval = -EPERM;
77418+ goto out_unmark;
77419+ }
77420+
77421 sched_exec();
77422
77423 bprm->file = file;
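Review bot: The `gr_ptrace_readexec()` failure path jumps to `out_unmark` before `bprm->file = file;` has run, so on that path `bprm` does not yet own the `file` that just passed the `IS_ERR()` check. Unless the cleanup after `out_unmark`, which is outside this hunk, releases `file` some other way, every denied exec leaks that reference. Moving the check to just after `bprm->file = file;` would let the normal `bprm` teardown drop it. The function body continues on both sides of the hunk.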
77424@@ -1552,6 +1668,11 @@ static int do_execveat_common(int fd, struct filename *filename,
77425 }
77426 bprm->interp = bprm->filename;
77427
77428+ if (!gr_acl_handle_execve(file->f_path.dentry, file->f_path.mnt)) {
77429+ retval = -EACCES;
77430+ goto out_unmark;
77431+ }
77432+
77433 retval = bprm_mm_init(bprm);
77434 if (retval)
77435 goto out_unmark;
77436@@ -1568,24 +1689,70 @@ static int do_execveat_common(int fd, struct filename *filename,
77437 if (retval < 0)
77438 goto out;
77439
77440+#ifdef CONFIG_GRKERNSEC
77441+ old_acl = current->acl;
77442+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
77443+ old_exec_file = current->exec_file;
77444+ get_file(file);
77445+ current->exec_file = file;
77446+#endif
77447+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
77448+ /* limit suid stack to 8MB
77449+ * we saved the old limits above and will restore them if this exec fails
77450+ */
77451+ if (((!uid_eq(bprm->cred->euid, current_euid())) || (!gid_eq(bprm->cred->egid, current_egid()))) &&
77452+ (old_rlim[RLIMIT_STACK].rlim_cur > (8 * 1024 * 1024)))
77453+ current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;
77454+#endif
77455+
77456+ if (gr_process_kernel_exec_ban() || gr_process_suid_exec_ban(bprm)) {
77457+ retval = -EPERM;
77458+ goto out_fail;
77459+ }
77460+
77461+ if (!gr_tpe_allow(file)) {
77462+ retval = -EACCES;
77463+ goto out_fail;
77464+ }
77465+
77466+ if (gr_check_crash_exec(file)) {
77467+ retval = -EACCES;
77468+ goto out_fail;
77469+ }
77470+
77471+ retval = gr_set_proc_label(file->f_path.dentry, file->f_path.mnt,
77472+ bprm->unsafe);
77473+ if (retval < 0)
77474+ goto out_fail;
77475+
77476 retval = copy_strings_kernel(1, &bprm->filename, bprm);
77477 if (retval < 0)
77478- goto out;
77479+ goto out_fail;
77480
77481 bprm->exec = bprm->p;
77482 retval = copy_strings(bprm->envc, envp, bprm);
77483 if (retval < 0)
77484- goto out;
77485+ goto out_fail;
77486
77487 retval = copy_strings(bprm->argc, argv, bprm);
77488 if (retval < 0)
77489- goto out;
77490+ goto out_fail;
77491+
77492+ gr_log_chroot_exec(file->f_path.dentry, file->f_path.mnt);
77493+
77494+ gr_handle_exec_args(bprm, argv);
77495
77496 retval = exec_binprm(bprm);
77497 if (retval < 0)
77498- goto out;
77499+ goto out_fail;
77500+#ifdef CONFIG_GRKERNSEC
77501+ if (old_exec_file)
77502+ fput(old_exec_file);
77503+#endif
77504
77505 /* execve succeeded */
77506+
77507+ increment_exec_counter();
77508 current->fs->in_exec = 0;
77509 current->in_execve = 0;
77510 acct_update_integrals(current);
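Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` and the write `current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;` touch the limit array shared by the whole thread group with no lock visible in the hunk. The `out_fail` label in the next hunk then copies the entire snapshot back, so a limit changed by a sibling thread or through prlimit between the snapshot and a failed exec would be silently reverted, for every `RLIM_NLIMITS` entry. Saving and restoring only `rlim[RLIMIT_STACK].rlim_cur`, under `task_lock(current->group_leader)` as the rlimit setters do, would narrow that window. The `8 * 1024 * 1024` literal appears twice and would be clearer as a named constant.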
77511@@ -1597,6 +1764,14 @@ static int do_execveat_common(int fd, struct filename *filename,
77512 put_files_struct(displaced);
77513 return retval;
77514
77515+out_fail:
77516+#ifdef CONFIG_GRKERNSEC
77517+ current->acl = old_acl;
77518+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
77519+ fput(current->exec_file);
77520+ current->exec_file = old_exec_file;
77521+#endif
77522+
77523 out:
77524 if (bprm->mm) {
77525 acct_arg_size(bprm, 0);
77526@@ -1743,3 +1918,312 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
77527 argv, envp, flags);
77528 }
77529 #endif
77530+
77531+int pax_check_flags(unsigned long *flags)
77532+{
77533+ int retval = 0;
77534+
77535+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
77536+ if (*flags & MF_PAX_SEGMEXEC)
77537+ {
77538+ *flags &= ~MF_PAX_SEGMEXEC;
77539+ retval = -EINVAL;
77540+ }
77541+#endif
77542+
77543+ if ((*flags & MF_PAX_PAGEEXEC)
77544+
77545+#ifdef CONFIG_PAX_PAGEEXEC
77546+ && (*flags & MF_PAX_SEGMEXEC)
77547+#endif
77548+
77549+ )
77550+ {
77551+ *flags &= ~MF_PAX_PAGEEXEC;
77552+ retval = -EINVAL;
77553+ }
77554+
77555+ if ((*flags & MF_PAX_MPROTECT)
77556+
77557+#ifdef CONFIG_PAX_MPROTECT
77558+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
77559+#endif
77560+
77561+ )
77562+ {
77563+ *flags &= ~MF_PAX_MPROTECT;
77564+ retval = -EINVAL;
77565+ }
77566+
77567+ if ((*flags & MF_PAX_EMUTRAMP)
77568+
77569+#ifdef CONFIG_PAX_EMUTRAMP
77570+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
77571+#endif
77572+
77573+ )
77574+ {
77575+ *flags &= ~MF_PAX_EMUTRAMP;
77576+ retval = -EINVAL;
77577+ }
77578+
77579+ return retval;
77580+}
77581+
77582+EXPORT_SYMBOL(pax_check_flags);
77583+
77584+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
77585+char *pax_get_path(const struct path *path, char *buf, int buflen)
77586+{
77587+ char *pathname = d_path(path, buf, buflen);
77588+
77589+ if (IS_ERR(pathname))
77590+ goto toolong;
77591+
77592+ pathname = mangle_path(buf, pathname, "\t\n\\");
77593+ if (!pathname)
77594+ goto toolong;
77595+
77596+ *pathname = 0;
77597+ return buf;
77598+
77599+toolong:
77600+ return "<path too long>";
77601+}
77602+EXPORT_SYMBOL(pax_get_path);
77603+
77604+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
77605+{
77606+ struct task_struct *tsk = current;
77607+ struct mm_struct *mm = current->mm;
77608+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
77609+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
77610+ char *path_exec = NULL;
77611+ char *path_fault = NULL;
77612+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
77613+ siginfo_t info = { };
77614+
77615+ if (buffer_exec && buffer_fault) {
77616+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
77617+
77618+ down_read(&mm->mmap_sem);
77619+ vma = mm->mmap;
77620+ while (vma && (!vma_exec || !vma_fault)) {
77621+ if (vma->vm_file && mm->exe_file == vma->vm_file && (vma->vm_flags & VM_EXEC))
77622+ vma_exec = vma;
77623+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
77624+ vma_fault = vma;
77625+ vma = vma->vm_next;
77626+ }
77627+ if (vma_exec)
77628+ path_exec = pax_get_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
77629+ if (vma_fault) {
77630+ start = vma_fault->vm_start;
77631+ end = vma_fault->vm_end;
77632+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
77633+ if (vma_fault->vm_file)
77634+ path_fault = pax_get_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
77635+ else if ((unsigned long)pc >= mm->start_brk && (unsigned long)pc < mm->brk)
77636+ path_fault = "<heap>";
77637+ else if (vma_fault->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
77638+ path_fault = "<stack>";
77639+ else
77640+ path_fault = "<anonymous mapping>";
77641+ }
77642+ up_read(&mm->mmap_sem);
77643+ }
77644+ if (tsk->signal->curr_ip)
77645+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
77646+ else
77647+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
77648+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
77649+ from_kuid_munged(&init_user_ns, task_uid(tsk)), from_kuid_munged(&init_user_ns, task_euid(tsk)), pc, sp);
77650+ free_page((unsigned long)buffer_exec);
77651+ free_page((unsigned long)buffer_fault);
77652+ pax_report_insns(regs, pc, sp);
77653+ info.si_signo = SIGKILL;
77654+ info.si_errno = 0;
77655+ info.si_code = SI_KERNEL;
77656+ info.si_pid = 0;
77657+ info.si_uid = 0;
77658+ do_coredump(&info);
77659+}
77660+#endif
77661+
77662+#ifdef CONFIG_PAX_REFCOUNT
77663+void pax_report_refcount_overflow(struct pt_regs *regs)
77664+{
77665+ if (current->signal->curr_ip)
77666+ printk(KERN_EMERG "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
77667+ &current->signal->curr_ip, current->comm, task_pid_nr(current),
77668+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
77669+ else
77670+ printk(KERN_EMERG "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current),
77671+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
77672+ print_symbol(KERN_EMERG "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
77673+ preempt_disable();
77674+ show_regs(regs);
77675+ preempt_enable();
77676+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
77677+}
77678+#endif
77679+
77680+#ifdef CONFIG_PAX_USERCOPY
77681+/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
77682+static noinline int check_stack_object(const void *obj, unsigned long len)
77683+{
77684+ const void * const stack = task_stack_page(current);
77685+ const void * const stackend = stack + THREAD_SIZE;
77686+
77687+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
77688+ const void *frame = NULL;
77689+ const void *oldframe;
77690+#endif
77691+
77692+ if (obj + len < obj)
77693+ return -1;
77694+
77695+ if (obj + len <= stack || stackend <= obj)
77696+ return 0;
77697+
77698+ if (obj < stack || stackend < obj + len)
77699+ return -1;
77700+
77701+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
77702+ oldframe = __builtin_frame_address(1);
77703+ if (oldframe)
77704+ frame = __builtin_frame_address(2);
77705+ /*
77706+ low ----------------------------------------------> high
77707+ [saved bp][saved ip][args][local vars][saved bp][saved ip]
77708+ ^----------------^
77709+ allow copies only within here
77710+ */
77711+ while (stack <= frame && frame < stackend) {
77712+ /* if obj + len extends past the last frame, this
77713+ check won't pass and the next frame will be 0,
77714+ causing us to bail out and correctly report
77715+ the copy as invalid
77716+ */
77717+ if (obj + len <= frame)
77718+ return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
77719+ oldframe = frame;
77720+ frame = *(const void * const *)frame;
77721+ }
77722+ return -1;
77723+#else
77724+ return 1;
77725+#endif
77726+}
77727+
77728+static __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to_user, const char *type)
77729+{
77730+ if (current->signal->curr_ip)
77731+ printk(KERN_EMERG "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
77732+ &current->signal->curr_ip, to_user ? "leak" : "overwrite", to_user ? "from" : "to", ptr, type ? : "unknown", len);
77733+ else
77734+ printk(KERN_EMERG "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
77735+ to_user ? "leak" : "overwrite", to_user ? "from" : "to", ptr, type ? : "unknown", len);
77736+ dump_stack();
77737+ gr_handle_kernel_exploit();
77738+ do_group_exit(SIGKILL);
77739+}
77740+#endif
77741+
77742+#ifdef CONFIG_PAX_USERCOPY
77743+
77744+static inline bool check_kernel_text_object(unsigned long low, unsigned long high)
77745+{
77746+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
77747+ unsigned long textlow = ktla_ktva((unsigned long)_stext);
77748+#ifdef CONFIG_MODULES
77749+ unsigned long texthigh = (unsigned long)MODULES_EXEC_VADDR;
77750+#else
77751+ unsigned long texthigh = ktla_ktva((unsigned long)_etext);
77752+#endif
77753+
77754+#else
77755+ unsigned long textlow = (unsigned long)_stext;
77756+ unsigned long texthigh = (unsigned long)_etext;
77757+
77758+#ifdef CONFIG_X86_64
77759+ /* check against linear mapping as well */
77760+ if (high > (unsigned long)__va(__pa(textlow)) &&
77761+ low < (unsigned long)__va(__pa(texthigh)))
77762+ return true;
77763+#endif
77764+
77765+#endif
77766+
77767+ if (high <= textlow || low >= texthigh)
77768+ return false;
77769+ else
77770+ return true;
77771+}
77772+#endif
77773+
77774+void __check_object_size(const void *ptr, unsigned long n, bool to_user, bool const_size)
77775+{
77776+#ifdef CONFIG_PAX_USERCOPY
77777+ const char *type;
77778+#endif
77779+
77780+#if !defined(CONFIG_STACK_GROWSUP) && !defined(CONFIG_X86_64)
77781+ unsigned long stackstart = (unsigned long)task_stack_page(current);
77782+ unsigned long currentsp = (unsigned long)&stackstart;
77783+ if (unlikely((currentsp < stackstart + 512 ||
77784+ currentsp >= stackstart + THREAD_SIZE) && !in_interrupt()))
77785+ BUG();
77786+#endif
77787+
77788+#ifndef CONFIG_PAX_USERCOPY_DEBUG
77789+ if (const_size)
77790+ return;
77791+#endif
77792+
77793+#ifdef CONFIG_PAX_USERCOPY
77794+ if (!n)
77795+ return;
77796+
77797+ type = check_heap_object(ptr, n);
77798+ if (!type) {
77799+ int ret = check_stack_object(ptr, n);
77800+ if (ret == 1 || ret == 2)
77801+ return;
77802+ if (ret == 0) {
77803+ if (check_kernel_text_object((unsigned long)ptr, (unsigned long)ptr + n))
77804+ type = "<kernel text>";
77805+ else
77806+ return;
77807+ } else
77808+ type = "<process stack>";
77809+ }
77810+
77811+ pax_report_usercopy(ptr, n, to_user, type);
77812+#endif
77813+
77814+}
77815+EXPORT_SYMBOL(__check_object_size);
77816+
77817+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
77818+void __used pax_track_stack(void)
77819+{
77820+ unsigned long sp = (unsigned long)&sp;
77821+ if (sp < current_thread_info()->lowest_stack &&
77822+ sp >= (unsigned long)task_stack_page(current) + 2 * sizeof(unsigned long))
77823+ current_thread_info()->lowest_stack = sp;
77824+ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))
77825+ BUG();
77826+}
77827+EXPORT_SYMBOL(pax_track_stack);
77828+#endif
77829+
77830+#ifdef CONFIG_PAX_SIZE_OVERFLOW
77831+void __nocapture(1, 3, 4) __used report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
77832+{
77833+ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
77834+ dump_stack();
77835+ do_group_exit(SIGKILL);
77836+}
77837+EXPORT_SYMBOL(report_size_overflow);
77838+#endif
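Review bot: In `pax_report_fault` the whole VMA walk sits inside `if (buffer_exec && buffer_fault)`, so when either `__get_free_page()` fails the log reports `start`, `end` and `offset` as zero and both paths as NULL, although none of the range values need a buffer. Run the walk unconditionally and guard only the `pax_get_path()` calls, e.g. `if (vma_exec && buffer_exec)` and `path_fault = buffer_fault ? pax_get_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE) : "<path unavailable>";`. That way the fields needed for triage survive memory pressure. Separately, the format string in `report_size_overflow` has no trailing `\n`, unlike the other `PAX:` messages added in this hunk.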
77839diff --git a/fs/ext2/balloc.c b/fs/ext2/balloc.c
77840index 9f9992b..8b59411 100644
77841--- a/fs/ext2/balloc.c
77842+++ b/fs/ext2/balloc.c
77843@@ -1184,10 +1184,10 @@ static int ext2_has_free_blocks(struct ext2_sb_info *sbi)
77844
77845 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
77846 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
77847- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
77848+ if (free_blocks < root_blocks + 1 &&
77849 !uid_eq(sbi->s_resuid, current_fsuid()) &&
77850 (gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) ||
77851- !in_group_p (sbi->s_resgid))) {
77852+ !in_group_p (sbi->s_resgid)) && !capable_nolog(CAP_SYS_RESOURCE)) {
77853 return 0;
77854 }
77855 return 1;
77856diff --git a/fs/ext2/super.c b/fs/ext2/super.c
77857index 900e19c..f7dc2b8 100644
77858--- a/fs/ext2/super.c
77859+++ b/fs/ext2/super.c
77860@@ -267,10 +267,8 @@ static int ext2_show_options(struct seq_file *seq, struct dentry *root)
77861 #ifdef CONFIG_EXT2_FS_XATTR
77862 if (test_opt(sb, XATTR_USER))
77863 seq_puts(seq, ",user_xattr");
77864- if (!test_opt(sb, XATTR_USER) &&
77865- (def_mount_opts & EXT2_DEFM_XATTR_USER)) {
77866+ if (!test_opt(sb, XATTR_USER))
77867 seq_puts(seq, ",nouser_xattr");
77868- }
77869 #endif
77870
77871 #ifdef CONFIG_EXT2_FS_POSIX_ACL
77872@@ -856,8 +854,8 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
77873 if (def_mount_opts & EXT2_DEFM_UID16)
77874 set_opt(sbi->s_mount_opt, NO_UID32);
77875 #ifdef CONFIG_EXT2_FS_XATTR
77876- if (def_mount_opts & EXT2_DEFM_XATTR_USER)
77877- set_opt(sbi->s_mount_opt, XATTR_USER);
77878+ /* always enable user xattrs */
77879+ set_opt(sbi->s_mount_opt, XATTR_USER);
77880 #endif
77881 #ifdef CONFIG_EXT2_FS_POSIX_ACL
77882 if (def_mount_opts & EXT2_DEFM_ACL)
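Review bot: The comment `/* always enable user xattrs */` in `ext2_fill_super` says what the line does but not why the superblock's `EXT2_DEFM_XATTR_USER` default is now ignored. If the reason is that PaX per-file flags are stored in a `user.` extended attribute, say so, e.g. `/* PaX flags are stored in user xattrs; enable regardless of the on-disk default */`. The identical change to `ext3_fill_super` in fs/ext3/super.c needs the same comment. The `ext2_show_options` hunk above now prints `,nouser_xattr` whenever the option is off, and the comment could note that too.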
77883diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
77884index 0b6bfd3..93a2964 100644
77885--- a/fs/ext2/xattr.c
77886+++ b/fs/ext2/xattr.c
77887@@ -247,7 +247,7 @@ ext2_xattr_list(struct dentry *dentry, char *buffer, size_t buffer_size)
77888 struct buffer_head *bh = NULL;
77889 struct ext2_xattr_entry *entry;
77890 char *end;
77891- size_t rest = buffer_size;
77892+ size_t rest = buffer_size, total_size = 0;
77893 int error;
77894
77895 ea_idebug(inode, "buffer=%p, buffer_size=%ld",
77896@@ -305,9 +305,10 @@ bad_block: ext2_error(inode->i_sb, "ext2_xattr_list",
77897 buffer += size;
77898 }
77899 rest -= size;
77900+ total_size += size;
77901 }
77902 }
77903- error = buffer_size - rest; /* total size */
77904+ error = total_size;
77905
77906 cleanup:
77907 brelse(bh);
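Review bot: `total_size` removes the dependence on `buffer_size - rest`, but the context line `rest -= size;` still runs for every entry in `ext2_xattr_list`, so `rest` still wraps below zero when the caller passes no buffer to query the required size. If the aim is to eliminate the unsigned wrap, move `rest -= size;` into the block that advances `buffer` and closes just above it; that block opens outside the hunk. `ext3_xattr_list_entries` in fs/ext3/xattr.c is changed the same way and has the same leftover. `error = total_size;` also narrows `size_t` to `int`, as the old expression did.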
77908diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
77909index 158b5d4..2432610 100644
77910--- a/fs/ext3/balloc.c
77911+++ b/fs/ext3/balloc.c
77912@@ -1438,10 +1438,10 @@ static int ext3_has_free_blocks(struct ext3_sb_info *sbi, int use_reservation)
77913
77914 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
77915 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
77916- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
77917+ if (free_blocks < root_blocks + 1 &&
77918 !use_reservation && !uid_eq(sbi->s_resuid, current_fsuid()) &&
77919 (gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) ||
77920- !in_group_p (sbi->s_resgid))) {
77921+ !in_group_p (sbi->s_resgid)) && !capable_nolog(CAP_SYS_RESOURCE)) {
77922 return 0;
77923 }
77924 return 1;
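Review bot: The reordered condition in ext3_has_free_blocks makes the position of `!capable_nolog(CAP_SYS_RESOURCE)` significant, but nothing in the code says so. It is now evaluated only after the reservation, resuid and resgid tests have all failed to grant access, which presumably keeps the capability check and its side effects off the common path. A later cleanup that moves it back to the front would silently undo that. I would add `/* capability check must stay last: only consult it when nothing else grants access */` above the `if`. The ext4_has_free_clusters hunk in fs/ext4/balloc.c moves its `capable_nolog()` call to the end of the `||` chain for the same reason and needs the same comment.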
77925diff --git a/fs/ext3/super.c b/fs/ext3/super.c
77926index 5ed0044..656e3d2 100644
77927--- a/fs/ext3/super.c
77928+++ b/fs/ext3/super.c
77929@@ -655,10 +655,8 @@ static int ext3_show_options(struct seq_file *seq, struct dentry *root)
77930 #ifdef CONFIG_EXT3_FS_XATTR
77931 if (test_opt(sb, XATTR_USER))
77932 seq_puts(seq, ",user_xattr");
77933- if (!test_opt(sb, XATTR_USER) &&
77934- (def_mount_opts & EXT3_DEFM_XATTR_USER)) {
77935+ if (!test_opt(sb, XATTR_USER))
77936 seq_puts(seq, ",nouser_xattr");
77937- }
77938 #endif
77939 #ifdef CONFIG_EXT3_FS_POSIX_ACL
77940 if (test_opt(sb, POSIX_ACL))
77941@@ -1760,8 +1758,8 @@ static int ext3_fill_super (struct super_block *sb, void *data, int silent)
77942 if (def_mount_opts & EXT3_DEFM_UID16)
77943 set_opt(sbi->s_mount_opt, NO_UID32);
77944 #ifdef CONFIG_EXT3_FS_XATTR
77945- if (def_mount_opts & EXT3_DEFM_XATTR_USER)
77946- set_opt(sbi->s_mount_opt, XATTR_USER);
77947+ /* always enable user xattrs */
77948+ set_opt(sbi->s_mount_opt, XATTR_USER);
77949 #endif
77950 #ifdef CONFIG_EXT3_FS_POSIX_ACL
77951 if (def_mount_opts & EXT3_DEFM_ACL)
77952diff --git a/fs/ext3/xattr.c b/fs/ext3/xattr.c
77953index 7cf3650..e3f4a51 100644
77954--- a/fs/ext3/xattr.c
77955+++ b/fs/ext3/xattr.c
77956@@ -330,7 +330,7 @@ static int
77957 ext3_xattr_list_entries(struct dentry *dentry, struct ext3_xattr_entry *entry,
77958 char *buffer, size_t buffer_size)
77959 {
77960- size_t rest = buffer_size;
77961+ size_t rest = buffer_size, total_size = 0;
77962
77963 for (; !IS_LAST_ENTRY(entry); entry = EXT3_XATTR_NEXT(entry)) {
77964 const struct xattr_handler *handler =
77965@@ -347,9 +347,10 @@ ext3_xattr_list_entries(struct dentry *dentry, struct ext3_xattr_entry *entry,
77966 buffer += size;
77967 }
77968 rest -= size;
77969+ total_size += size;
77970 }
77971 }
77972- return buffer_size - rest;
77973+ return total_size;
77974 }
77975
77976 static int
77977diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
77978index cd6ea29..1cd2a97 100644
77979--- a/fs/ext4/balloc.c
77980+++ b/fs/ext4/balloc.c
77981@@ -556,8 +556,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
77982 /* Hm, nope. Are (enough) root reserved clusters available? */
77983 if (uid_eq(sbi->s_resuid, current_fsuid()) ||
77984 (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) && in_group_p(sbi->s_resgid)) ||
77985- capable(CAP_SYS_RESOURCE) ||
77986- (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
77987+ (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
77988+ capable_nolog(CAP_SYS_RESOURCE)) {
77989
77990 if (free_clusters >= (nclusters + dirty_clusters +
77991 resv_clusters))
77992diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
77993index f5e9f04..91296b9 100644
77994--- a/fs/ext4/ext4.h
77995+++ b/fs/ext4/ext4.h
77996@@ -1305,19 +1305,19 @@ struct ext4_sb_info {
77997 unsigned long s_mb_last_start;
77998
77999 /* stats for buddy allocator */
78000- atomic_t s_bal_reqs; /* number of reqs with len > 1 */
78001- atomic_t s_bal_success; /* we found long enough chunks */
78002- atomic_t s_bal_allocated; /* in blocks */
78003- atomic_t s_bal_ex_scanned; /* total extents scanned */
78004- atomic_t s_bal_goals; /* goal hits */
78005- atomic_t s_bal_breaks; /* too long searches */
78006- atomic_t s_bal_2orders; /* 2^order hits */
78007+ atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
78008+ atomic_unchecked_t s_bal_success; /* we found long enough chunks */
78009+ atomic_unchecked_t s_bal_allocated; /* in blocks */
78010+ atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
78011+ atomic_unchecked_t s_bal_goals; /* goal hits */
78012+ atomic_unchecked_t s_bal_breaks; /* too long searches */
78013+ atomic_unchecked_t s_bal_2orders; /* 2^order hits */
78014 spinlock_t s_bal_lock;
78015 unsigned long s_mb_buddies_generated;
78016 unsigned long long s_mb_generation_time;
78017- atomic_t s_mb_lost_chunks;
78018- atomic_t s_mb_preallocated;
78019- atomic_t s_mb_discarded;
78020+ atomic_unchecked_t s_mb_lost_chunks;
78021+ atomic_unchecked_t s_mb_preallocated;
78022+ atomic_unchecked_t s_mb_discarded;
78023 atomic_t s_lock_busy;
78024
78025 /* locality groups */
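Review bot: The `s_bal_*` and `s_mb_*` fields become `atomic_unchecked_t` without a comment on why wraparound is acceptable, and `s_lock_busy` directly below stays `atomic_t` with no explanation of the difference. From the mballoc.c hunks these fields look like statistics that are only incremented and printed, which would make wrapping harmless, but that is an inference from usage. Extending the existing comment to `/* stats for buddy allocator; counters only, wraparound is harmless */` would record the intent. A note on `s_lock_busy` saying whether it was left checked on purpose would help too. struct ext4_sb_info starts and ends outside this hunk.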
78026diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
78027index 34b610e..ecc47cb 100644
78028--- a/fs/ext4/mballoc.c
78029+++ b/fs/ext4/mballoc.c
78030@@ -1905,7 +1905,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
78031 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
78032
78033 if (EXT4_SB(sb)->s_mb_stats)
78034- atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
78035+ atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
78036
78037 break;
78038 }
78039@@ -2228,7 +2228,7 @@ repeat:
78040 ac->ac_status = AC_STATUS_CONTINUE;
78041 ac->ac_flags |= EXT4_MB_HINT_FIRST;
78042 cr = 3;
78043- atomic_inc(&sbi->s_mb_lost_chunks);
78044+ atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
78045 goto repeat;
78046 }
78047 }
78048@@ -2732,25 +2732,25 @@ int ext4_mb_release(struct super_block *sb)
78049 if (sbi->s_mb_stats) {
78050 ext4_msg(sb, KERN_INFO,
78051 "mballoc: %u blocks %u reqs (%u success)",
78052- atomic_read(&sbi->s_bal_allocated),
78053- atomic_read(&sbi->s_bal_reqs),
78054- atomic_read(&sbi->s_bal_success));
78055+ atomic_read_unchecked(&sbi->s_bal_allocated),
78056+ atomic_read_unchecked(&sbi->s_bal_reqs),
78057+ atomic_read_unchecked(&sbi->s_bal_success));
78058 ext4_msg(sb, KERN_INFO,
78059 "mballoc: %u extents scanned, %u goal hits, "
78060 "%u 2^N hits, %u breaks, %u lost",
78061- atomic_read(&sbi->s_bal_ex_scanned),
78062- atomic_read(&sbi->s_bal_goals),
78063- atomic_read(&sbi->s_bal_2orders),
78064- atomic_read(&sbi->s_bal_breaks),
78065- atomic_read(&sbi->s_mb_lost_chunks));
78066+ atomic_read_unchecked(&sbi->s_bal_ex_scanned),
78067+ atomic_read_unchecked(&sbi->s_bal_goals),
78068+ atomic_read_unchecked(&sbi->s_bal_2orders),
78069+ atomic_read_unchecked(&sbi->s_bal_breaks),
78070+ atomic_read_unchecked(&sbi->s_mb_lost_chunks));
78071 ext4_msg(sb, KERN_INFO,
78072 "mballoc: %lu generated and it took %Lu",
78073 sbi->s_mb_buddies_generated,
78074 sbi->s_mb_generation_time);
78075 ext4_msg(sb, KERN_INFO,
78076 "mballoc: %u preallocated, %u discarded",
78077- atomic_read(&sbi->s_mb_preallocated),
78078- atomic_read(&sbi->s_mb_discarded));
78079+ atomic_read_unchecked(&sbi->s_mb_preallocated),
78080+ atomic_read_unchecked(&sbi->s_mb_discarded));
78081 }
78082
78083 free_percpu(sbi->s_locality_groups);
78084@@ -3206,16 +3206,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac)
78085 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
78086
78087 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
78088- atomic_inc(&sbi->s_bal_reqs);
78089- atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
78090+ atomic_inc_unchecked(&sbi->s_bal_reqs);
78091+ atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
78092 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
78093- atomic_inc(&sbi->s_bal_success);
78094- atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
78095+ atomic_inc_unchecked(&sbi->s_bal_success);
78096+ atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
78097 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
78098 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
78099- atomic_inc(&sbi->s_bal_goals);
78100+ atomic_inc_unchecked(&sbi->s_bal_goals);
78101 if (ac->ac_found > sbi->s_mb_max_to_scan)
78102- atomic_inc(&sbi->s_bal_breaks);
78103+ atomic_inc_unchecked(&sbi->s_bal_breaks);
78104 }
78105
78106 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
78107@@ -3642,7 +3642,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
78108 trace_ext4_mb_new_inode_pa(ac, pa);
78109
78110 ext4_mb_use_inode_pa(ac, pa);
78111- atomic_add(pa->pa_free, &sbi->s_mb_preallocated);
78112+ atomic_add_unchecked(pa->pa_free, &sbi->s_mb_preallocated);
78113
78114 ei = EXT4_I(ac->ac_inode);
78115 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
78116@@ -3702,7 +3702,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
78117 trace_ext4_mb_new_group_pa(ac, pa);
78118
78119 ext4_mb_use_group_pa(ac, pa);
78120- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
78121+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
78122
78123 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
78124 lg = ac->ac_lg;
78125@@ -3791,7 +3791,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh,
78126 * from the bitmap and continue.
78127 */
78128 }
78129- atomic_add(free, &sbi->s_mb_discarded);
78130+ atomic_add_unchecked(free, &sbi->s_mb_discarded);
78131
78132 return err;
78133 }
78134@@ -3809,7 +3809,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b,
78135 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
78136 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
78137 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
78138- atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
78139+ atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
78140 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
78141
78142 return 0;
78143diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
78144index 8313ca3..8a37d08 100644
78145--- a/fs/ext4/mmp.c
78146+++ b/fs/ext4/mmp.c
78147@@ -111,7 +111,7 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
78148 void __dump_mmp_msg(struct super_block *sb, struct mmp_struct *mmp,
78149 const char *function, unsigned int line, const char *msg)
78150 {
78151- __ext4_warning(sb, function, line, msg);
78152+ __ext4_warning(sb, function, line, "%s", msg);
78153 __ext4_warning(sb, function, line,
78154 "MMP failure info: last update time: %llu, last update "
78155 "node: %s, last update device: %s\n",
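Review bot: `__dump_mmp_msg` has no comment stating that `msg` is printed verbatim, which is the contract the `"%s"` argument now enforces. Callers that previously relied on conversions inside `msg` being expanded would now see them printed literally. I would add `/* msg is literal text, never a format string */` above the function. The second `__ext4_warning` call continues past the end of this hunk, so its arguments are not reviewed here.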
78156diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
78157index cf0c472..ddf284d 100644
78158--- a/fs/ext4/resize.c
78159+++ b/fs/ext4/resize.c
78160@@ -413,7 +413,7 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
78161
78162 ext4_debug("mark blocks [%llu/%u] used\n", block, count);
78163 for (count2 = count; count > 0; count -= count2, block += count2) {
78164- ext4_fsblk_t start;
78165+ ext4_fsblk_t start, diff;
78166 struct buffer_head *bh;
78167 ext4_group_t group;
78168 int err;
78169@@ -422,10 +422,6 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
78170 start = ext4_group_first_block_no(sb, group);
78171 group -= flex_gd->groups[0].group;
78172
78173- count2 = EXT4_BLOCKS_PER_GROUP(sb) - (block - start);
78174- if (count2 > count)
78175- count2 = count;
78176-
78177 if (flex_gd->bg_flags[group] & EXT4_BG_BLOCK_UNINIT) {
78178 BUG_ON(flex_gd->count > 1);
78179 continue;
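Review bot: After this move the `continue` in the `EXT4_BG_BLOCK_UNINIT` branch reaches the loop step `count -= count2, block += count2` with `count2` not clamped to the current group. The clamp now lives in the next hunk, after `ext4_journal_get_write_access()`, so on this path `count2` still holds the loop initialiser `count` or the value from the previous iteration. On the first iteration that ends the loop instead of advancing to the next group boundary as the old code did. Whether the difference is reachable depends on the `BUG_ON(flex_gd->count > 1)` invariant and on code outside these hunks. I would compute `diff = block - start;` and the `count2` clamp directly after `group -= flex_gd->groups[0].group;`, keeping the new `diff` variable, or add a comment explaining why the uninitialised-group path may skip the clamp.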
78180@@ -443,9 +439,15 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
78181 err = ext4_journal_get_write_access(handle, bh);
78182 if (err)
78183 return err;
78184+
78185+ diff = block - start;
78186+ count2 = EXT4_BLOCKS_PER_GROUP(sb) - diff;
78187+ if (count2 > count)
78188+ count2 = count;
78189+
78190 ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block,
78191- block - start, count2);
78192- ext4_set_bits(bh->b_data, block - start, count2);
78193+ diff, count2);
78194+ ext4_set_bits(bh->b_data, diff, count2);
78195
78196 err = ext4_handle_dirty_metadata(handle, NULL, bh);
78197 if (unlikely(err))
78198diff --git a/fs/ext4/super.c b/fs/ext4/super.c
78199index a5e8c74..a7711a8 100644
78200--- a/fs/ext4/super.c
78201+++ b/fs/ext4/super.c
78202@@ -1274,7 +1274,7 @@ static ext4_fsblk_t get_sb_block(void **data)
78203 }
78204
78205 #define DEFAULT_JOURNAL_IOPRIO (IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 3))
78206-static char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
78207+static const char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
78208 "Contact linux-ext4@vger.kernel.org if you think we should keep it.\n";
78209
78210 #ifdef CONFIG_QUOTA
78211@@ -2484,7 +2484,7 @@ struct ext4_attr {
78212 int offset;
78213 int deprecated_val;
78214 } u;
78215-};
78216+} __do_const;
78217
78218 static int parse_strtoull(const char *buf,
78219 unsigned long long max, unsigned long long *value)
78220diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
78221index 16e28c0..728c282 100644
78222--- a/fs/ext4/xattr.c
78223+++ b/fs/ext4/xattr.c
78224@@ -398,7 +398,7 @@ static int
78225 ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
78226 char *buffer, size_t buffer_size)
78227 {
78228- size_t rest = buffer_size;
78229+ size_t rest = buffer_size, total_size = 0;
78230
78231 for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
78232 const struct xattr_handler *handler =
78233@@ -415,9 +415,10 @@ ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
78234 buffer += size;
78235 }
78236 rest -= size;
78237+ total_size += size;
78238 }
78239 }
78240- return buffer_size - rest;
78241+ return total_size;
78242 }
78243
78244 static int
78245diff --git a/fs/fcntl.c b/fs/fcntl.c
78246index ee85cd4..9dd0d20 100644
78247--- a/fs/fcntl.c
78248+++ b/fs/fcntl.c
78249@@ -102,6 +102,10 @@ void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
78250 int force)
78251 {
78252 security_file_set_fowner(filp);
78253+ if (gr_handle_chroot_fowner(pid, type))
78254+ return;
78255+ if (gr_check_protected_task_fowner(pid, type))
78256+ return;
78257 f_modown(filp, pid, type, force);
78258 }
78259 EXPORT_SYMBOL(__f_setown);
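Review bot: The two added checks in `__f_setown` drop the request silently. The function returns `void`, so a caller cannot tell a refused owner change from an applied one, and the fcntl paths that call it (outside this hunk) would presumably still report success. The checks also run after `security_file_set_fowner(filp)`, so if that hook records state for the new owner, it does so even when the change is then refused. I would move both `gr_` checks above the hook and add `/* refusal is silent: no error can be returned from here */`, or note in a comment why the current order is required.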
78260diff --git a/fs/fhandle.c b/fs/fhandle.c
78261index d59712d..2281df9 100644
78262--- a/fs/fhandle.c
78263+++ b/fs/fhandle.c
78264@@ -8,6 +8,7 @@
78265 #include <linux/fs_struct.h>
78266 #include <linux/fsnotify.h>
78267 #include <linux/personality.h>
78268+#include <linux/grsecurity.h>
78269 #include <asm/uaccess.h>
78270 #include "internal.h"
78271 #include "mount.h"
78272@@ -67,8 +68,7 @@ static long do_sys_name_to_handle(struct path *path,
78273 } else
78274 retval = 0;
78275 /* copy the mount id */
78276- if (copy_to_user(mnt_id, &real_mount(path->mnt)->mnt_id,
78277- sizeof(*mnt_id)) ||
78278+ if (put_user(real_mount(path->mnt)->mnt_id, mnt_id) ||
78279 copy_to_user(ufh, handle,
78280 sizeof(struct file_handle) + handle_bytes))
78281 retval = -EFAULT;
78282@@ -175,7 +175,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
78283 * the directory. Ideally we would like CAP_DAC_SEARCH.
78284 * But we don't have that
78285 */
78286- if (!capable(CAP_DAC_READ_SEARCH)) {
78287+ if (!capable(CAP_DAC_READ_SEARCH) || !gr_chroot_fhandle()) {
78288 retval = -EPERM;
78289 goto out_err;
78290 }
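Review bot: `gr_chroot_fhandle()` is tested with the opposite polarity to the other hooks this patch adds. Here a zero return leads to `-EPERM` (`|| !gr_chroot_fhandle()`), while `gr_handle_chroot_fowner()` in the fs/fcntl.c hunk refuses on a non-zero return. Mixed conventions make an inverted check easy to introduce, so a name that states the sense, or a one-line comment at the call site, would help. The existing comment above the test also still describes only the capability requirement. I would extend it with `/* ... and open-by-handle must be permitted by the chroot policy */`, assuming that is what the helper decides, since its definition is outside this hunk. handle_to_path continues beyond the hunk on both sides.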
78291diff --git a/fs/file.c b/fs/file.c
78292index 6c672ad..bf787b0 100644
78293--- a/fs/file.c
78294+++ b/fs/file.c
78295@@ -16,6 +16,7 @@
78296 #include <linux/slab.h>
78297 #include <linux/vmalloc.h>
78298 #include <linux/file.h>
78299+#include <linux/security.h>
78300 #include <linux/fdtable.h>
78301 #include <linux/bitops.h>
78302 #include <linux/interrupt.h>
78303@@ -139,7 +140,7 @@ out:
78304 * Return <0 error code on error; 1 on successful completion.
78305 * The files->file_lock should be held on entry, and will be held on exit.
78306 */
78307-static int expand_fdtable(struct files_struct *files, int nr)
78308+static int expand_fdtable(struct files_struct *files, unsigned int nr)
78309 __releases(files->file_lock)
78310 __acquires(files->file_lock)
78311 {
78312@@ -184,7 +185,7 @@ static int expand_fdtable(struct files_struct *files, int nr)
78313 * expanded and execution may have blocked.
78314 * The files->file_lock should be held on entry, and will be held on exit.
78315 */
78316-static int expand_files(struct files_struct *files, int nr)
78317+static int expand_files(struct files_struct *files, unsigned int nr)
78318 __releases(files->file_lock)
78319 __acquires(files->file_lock)
78320 {
78321@@ -834,6 +835,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
78322 if (!file)
78323 return __close_fd(files, fd);
78324
78325+ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
78326 if (fd >= rlimit(RLIMIT_NOFILE))
78327 return -EBADF;
78328
78329@@ -860,6 +862,7 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags)
78330 if (unlikely(oldfd == newfd))
78331 return -EINVAL;
78332
78333+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
78334 if (newfd >= rlimit(RLIMIT_NOFILE))
78335 return -EBADF;
78336
78337@@ -915,6 +918,7 @@ SYSCALL_DEFINE1(dup, unsigned int, fildes)
78338 int f_dupfd(unsigned int from, struct file *file, unsigned flags)
78339 {
78340 int err;
78341+ gr_learn_resource(current, RLIMIT_NOFILE, from, 0);
78342 if (from >= rlimit(RLIMIT_NOFILE))
78343 return -EINVAL;
78344 err = alloc_fd(from, flags);
78345diff --git a/fs/filesystems.c b/fs/filesystems.c
78346index 5797d45..7d7d79a 100644
78347--- a/fs/filesystems.c
78348+++ b/fs/filesystems.c
78349@@ -275,7 +275,11 @@ struct file_system_type *get_fs_type(const char *name)
78350 int len = dot ? dot - name : strlen(name);
78351
78352 fs = __get_fs_type(name, len);
78353+#ifdef CONFIG_GRKERNSEC_MODHARDEN
78354+ if (!fs && (___request_module(true, "grsec_modharden_fs", "fs-%.*s", len, name) == 0))
78355+#else
78356 if (!fs && (request_module("fs-%.*s", len, name) == 0))
78357+#endif
78358 fs = __get_fs_type(name, len);
78359
78360 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
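Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` block in get_fs_type splits a single `if` statement so that two alternative heads share the body line `fs = __get_fs_type(name, len);`. That shape is fragile, because adding braces or a second statement to one branch changes what the other branch controls. A small static helper or a local macro that wraps the module request would keep the `if` intact and confine the preprocessor conditional to one place. The `true` and `"grsec_modharden_fs"` arguments to `___request_module()` are also unexplained at the call site, and a short comment naming what each selects would make the hardened path reviewable without the helper's definition.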
78361diff --git a/fs/fs_struct.c b/fs/fs_struct.c
78362index 7dca743..1ff87ae 100644
78363--- a/fs/fs_struct.c
78364+++ b/fs/fs_struct.c
78365@@ -4,6 +4,7 @@
78366 #include <linux/path.h>
78367 #include <linux/slab.h>
78368 #include <linux/fs_struct.h>
78369+#include <linux/grsecurity.h>
78370 #include "internal.h"
78371
78372 /*
78373@@ -15,14 +16,18 @@ void set_fs_root(struct fs_struct *fs, const struct path *path)
78374 struct path old_root;
78375
78376 path_get(path);
78377+ gr_inc_chroot_refcnts(path->dentry, path->mnt);
78378 spin_lock(&fs->lock);
78379 write_seqcount_begin(&fs->seq);
78380 old_root = fs->root;
78381 fs->root = *path;
78382+ gr_set_chroot_entries(current, path);
78383 write_seqcount_end(&fs->seq);
78384 spin_unlock(&fs->lock);
78385- if (old_root.dentry)
78386+ if (old_root.dentry) {
78387+ gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);
78388 path_put(&old_root);
78389+ }
78390 }
78391
78392 /*
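Review bot: In set_fs_root, `gr_set_chroot_entries(current, path)` tags the calling task, while the function updates the `fs` passed in by the caller. The hunk does not show that `fs` is always `current->fs`, nor how other tasks sharing the same `fs_struct` get their tagging updated, so a comment stating the assumption is needed. The call also sits inside the `fs->lock` spinlock and the seqcount write section, which means the helper must not sleep. I would add `/* fs is current->fs here; must not sleep, fs->lock is held */` above the call if both hold, or move the call after `spin_unlock()` if it does not need the lock.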
78393@@ -67,6 +72,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
78394 int hits = 0;
78395 spin_lock(&fs->lock);
78396 write_seqcount_begin(&fs->seq);
78397+ /* this root replacement is only done by pivot_root,
78398+ leave grsec's chroot tagging alone for this task
78399+ so that a pivoted root isn't treated as a chroot
78400+ */
78401 hits += replace_path(&fs->root, old_root, new_root);
78402 hits += replace_path(&fs->pwd, old_root, new_root);
78403 write_seqcount_end(&fs->seq);
78404@@ -85,6 +94,7 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
78405
78406 void free_fs_struct(struct fs_struct *fs)
78407 {
78408+ gr_dec_chroot_refcnts(fs->root.dentry, fs->root.mnt);
78409 path_put(&fs->root);
78410 path_put(&fs->pwd);
78411 kmem_cache_free(fs_cachep, fs);
78412@@ -99,7 +109,8 @@ void exit_fs(struct task_struct *tsk)
78413 task_lock(tsk);
78414 spin_lock(&fs->lock);
78415 tsk->fs = NULL;
78416- kill = !--fs->users;
78417+ gr_clear_chroot_entries(tsk);
78418+ kill = !atomic_dec_return(&fs->users);
78419 spin_unlock(&fs->lock);
78420 task_unlock(tsk);
78421 if (kill)
78422@@ -112,7 +123,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
78423 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
78424 /* We don't need to lock fs - think why ;-) */
78425 if (fs) {
78426- fs->users = 1;
78427+ atomic_set(&fs->users, 1);
78428 fs->in_exec = 0;
78429 spin_lock_init(&fs->lock);
78430 seqcount_init(&fs->seq);
78431@@ -121,9 +132,13 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
78432 spin_lock(&old->lock);
78433 fs->root = old->root;
78434 path_get(&fs->root);
78435+ /* instead of calling gr_set_chroot_entries here,
78436+ we call it from every caller of this function
78437+ */
78438 fs->pwd = old->pwd;
78439 path_get(&fs->pwd);
78440 spin_unlock(&old->lock);
78441+ gr_inc_chroot_refcnts(fs->root.dentry, fs->root.mnt);
78442 }
78443 return fs;
78444 }
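Review bot: The new comment in copy_fs_struct places an obligation on every caller to invoke `gr_set_chroot_entries`, but it sits in the middle of the body where someone adding a caller is unlikely to look. Only one caller is visible in this file section, unshare_fs_struct in the next hunk, and it does make the call. The others are outside SOURCE. I would move the requirement into a comment above the function, for example `/* callers must call gr_set_chroot_entries() for the task that receives the returned fs_struct */`, so the contract is visible at the definition. The function's opening lines are in the previous hunk.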
78445@@ -139,8 +154,9 @@ int unshare_fs_struct(void)
78446
78447 task_lock(current);
78448 spin_lock(&fs->lock);
78449- kill = !--fs->users;
78450+ kill = !atomic_dec_return(&fs->users);
78451 current->fs = new_fs;
78452+ gr_set_chroot_entries(current, &new_fs->root);
78453 spin_unlock(&fs->lock);
78454 task_unlock(current);
78455
78456@@ -153,13 +169,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
78457
78458 int current_umask(void)
78459 {
78460- return current->fs->umask;
78461+ return current->fs->umask | gr_acl_umask();
78462 }
78463 EXPORT_SYMBOL(current_umask);
78464
78465 /* to be mentioned only in INIT_TASK */
78466 struct fs_struct init_fs = {
78467- .users = 1,
78468+ .users = ATOMIC_INIT(1),
78469 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
78470 .seq = SEQCNT_ZERO(init_fs.seq),
78471 .umask = 0022,
78472diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
78473index d403c69..30be0a9 100644
78474--- a/fs/fscache/cookie.c
78475+++ b/fs/fscache/cookie.c
78476@@ -19,7 +19,7 @@
78477
78478 struct kmem_cache *fscache_cookie_jar;
78479
78480-static atomic_t fscache_object_debug_id = ATOMIC_INIT(0);
78481+static atomic_unchecked_t fscache_object_debug_id = ATOMIC_INIT(0);
78482
78483 static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie);
78484 static int fscache_alloc_object(struct fscache_cache *cache,
78485@@ -69,11 +69,11 @@ struct fscache_cookie *__fscache_acquire_cookie(
78486 parent ? (char *) parent->def->name : "<no-parent>",
78487 def->name, netfs_data, enable);
78488
78489- fscache_stat(&fscache_n_acquires);
78490+ fscache_stat_unchecked(&fscache_n_acquires);
78491
78492 /* if there's no parent cookie, then we don't create one here either */
78493 if (!parent) {
78494- fscache_stat(&fscache_n_acquires_null);
78495+ fscache_stat_unchecked(&fscache_n_acquires_null);
78496 _leave(" [no parent]");
78497 return NULL;
78498 }
78499@@ -88,7 +88,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
78500 /* allocate and initialise a cookie */
78501 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
78502 if (!cookie) {
78503- fscache_stat(&fscache_n_acquires_oom);
78504+ fscache_stat_unchecked(&fscache_n_acquires_oom);
78505 _leave(" [ENOMEM]");
78506 return NULL;
78507 }
78508@@ -115,13 +115,13 @@ struct fscache_cookie *__fscache_acquire_cookie(
78509
78510 switch (cookie->def->type) {
78511 case FSCACHE_COOKIE_TYPE_INDEX:
78512- fscache_stat(&fscache_n_cookie_index);
78513+ fscache_stat_unchecked(&fscache_n_cookie_index);
78514 break;
78515 case FSCACHE_COOKIE_TYPE_DATAFILE:
78516- fscache_stat(&fscache_n_cookie_data);
78517+ fscache_stat_unchecked(&fscache_n_cookie_data);
78518 break;
78519 default:
78520- fscache_stat(&fscache_n_cookie_special);
78521+ fscache_stat_unchecked(&fscache_n_cookie_special);
78522 break;
78523 }
78524
78525@@ -135,7 +135,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
78526 } else {
78527 atomic_dec(&parent->n_children);
78528 __fscache_cookie_put(cookie);
78529- fscache_stat(&fscache_n_acquires_nobufs);
78530+ fscache_stat_unchecked(&fscache_n_acquires_nobufs);
78531 _leave(" = NULL");
78532 return NULL;
78533 }
78534@@ -144,7 +144,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
78535 }
78536 }
78537
78538- fscache_stat(&fscache_n_acquires_ok);
78539+ fscache_stat_unchecked(&fscache_n_acquires_ok);
78540 _leave(" = %p", cookie);
78541 return cookie;
78542 }
78543@@ -213,7 +213,7 @@ static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie)
78544 cache = fscache_select_cache_for_object(cookie->parent);
78545 if (!cache) {
78546 up_read(&fscache_addremove_sem);
78547- fscache_stat(&fscache_n_acquires_no_cache);
78548+ fscache_stat_unchecked(&fscache_n_acquires_no_cache);
78549 _leave(" = -ENOMEDIUM [no cache]");
78550 return -ENOMEDIUM;
78551 }
78552@@ -297,14 +297,14 @@ static int fscache_alloc_object(struct fscache_cache *cache,
78553 object = cache->ops->alloc_object(cache, cookie);
78554 fscache_stat_d(&fscache_n_cop_alloc_object);
78555 if (IS_ERR(object)) {
78556- fscache_stat(&fscache_n_object_no_alloc);
78557+ fscache_stat_unchecked(&fscache_n_object_no_alloc);
78558 ret = PTR_ERR(object);
78559 goto error;
78560 }
78561
78562- fscache_stat(&fscache_n_object_alloc);
78563+ fscache_stat_unchecked(&fscache_n_object_alloc);
78564
78565- object->debug_id = atomic_inc_return(&fscache_object_debug_id);
78566+ object->debug_id = atomic_inc_return_unchecked(&fscache_object_debug_id);
78567
78568 _debug("ALLOC OBJ%x: %s {%lx}",
78569 object->debug_id, cookie->def->name, object->events);
78570@@ -419,7 +419,7 @@ void __fscache_invalidate(struct fscache_cookie *cookie)
78571
78572 _enter("{%s}", cookie->def->name);
78573
78574- fscache_stat(&fscache_n_invalidates);
78575+ fscache_stat_unchecked(&fscache_n_invalidates);
78576
78577 /* Only permit invalidation of data files. Invalidating an index will
78578 * require the caller to release all its attachments to the tree rooted
78579@@ -477,10 +477,10 @@ void __fscache_update_cookie(struct fscache_cookie *cookie)
78580 {
78581 struct fscache_object *object;
78582
78583- fscache_stat(&fscache_n_updates);
78584+ fscache_stat_unchecked(&fscache_n_updates);
78585
78586 if (!cookie) {
78587- fscache_stat(&fscache_n_updates_null);
78588+ fscache_stat_unchecked(&fscache_n_updates_null);
78589 _leave(" [no cookie]");
78590 return;
78591 }
78592@@ -581,12 +581,12 @@ EXPORT_SYMBOL(__fscache_disable_cookie);
78593 */
78594 void __fscache_relinquish_cookie(struct fscache_cookie *cookie, bool retire)
78595 {
78596- fscache_stat(&fscache_n_relinquishes);
78597+ fscache_stat_unchecked(&fscache_n_relinquishes);
78598 if (retire)
78599- fscache_stat(&fscache_n_relinquishes_retire);
78600+ fscache_stat_unchecked(&fscache_n_relinquishes_retire);
78601
78602 if (!cookie) {
78603- fscache_stat(&fscache_n_relinquishes_null);
78604+ fscache_stat_unchecked(&fscache_n_relinquishes_null);
78605 _leave(" [no cookie]");
78606 return;
78607 }
78608@@ -687,7 +687,7 @@ int __fscache_check_consistency(struct fscache_cookie *cookie)
78609 if (test_bit(FSCACHE_IOERROR, &object->cache->flags))
78610 goto inconsistent;
78611
78612- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
78613+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
78614
78615 __fscache_use_cookie(cookie);
78616 if (fscache_submit_op(object, op) < 0)
78617diff --git a/fs/fscache/internal.h b/fs/fscache/internal.h
78618index 97ec451..f722cee 100644
78619--- a/fs/fscache/internal.h
78620+++ b/fs/fscache/internal.h
78621@@ -136,8 +136,8 @@ extern void fscache_operation_gc(struct work_struct *);
78622 extern int fscache_wait_for_deferred_lookup(struct fscache_cookie *);
78623 extern int fscache_wait_for_operation_activation(struct fscache_object *,
78624 struct fscache_operation *,
78625- atomic_t *,
78626- atomic_t *);
78627+ atomic_unchecked_t *,
78628+ atomic_unchecked_t *);
78629 extern void fscache_invalidate_writes(struct fscache_cookie *);
78630
78631 /*
78632@@ -155,102 +155,102 @@ extern void fscache_proc_cleanup(void);
78633 * stats.c
78634 */
78635 #ifdef CONFIG_FSCACHE_STATS
78636-extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
78637-extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
78638+extern atomic_unchecked_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
78639+extern atomic_unchecked_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
78640
78641-extern atomic_t fscache_n_op_pend;
78642-extern atomic_t fscache_n_op_run;
78643-extern atomic_t fscache_n_op_enqueue;
78644-extern atomic_t fscache_n_op_deferred_release;
78645-extern atomic_t fscache_n_op_initialised;
78646-extern atomic_t fscache_n_op_release;
78647-extern atomic_t fscache_n_op_gc;
78648-extern atomic_t fscache_n_op_cancelled;
78649-extern atomic_t fscache_n_op_rejected;
78650+extern atomic_unchecked_t fscache_n_op_pend;
78651+extern atomic_unchecked_t fscache_n_op_run;
78652+extern atomic_unchecked_t fscache_n_op_enqueue;
78653+extern atomic_unchecked_t fscache_n_op_deferred_release;
78654+extern atomic_unchecked_t fscache_n_op_initialised;
78655+extern atomic_unchecked_t fscache_n_op_release;
78656+extern atomic_unchecked_t fscache_n_op_gc;
78657+extern atomic_unchecked_t fscache_n_op_cancelled;
78658+extern atomic_unchecked_t fscache_n_op_rejected;
78659
78660-extern atomic_t fscache_n_attr_changed;
78661-extern atomic_t fscache_n_attr_changed_ok;
78662-extern atomic_t fscache_n_attr_changed_nobufs;
78663-extern atomic_t fscache_n_attr_changed_nomem;
78664-extern atomic_t fscache_n_attr_changed_calls;
78665+extern atomic_unchecked_t fscache_n_attr_changed;
78666+extern atomic_unchecked_t fscache_n_attr_changed_ok;
78667+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
78668+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
78669+extern atomic_unchecked_t fscache_n_attr_changed_calls;
78670
78671-extern atomic_t fscache_n_allocs;
78672-extern atomic_t fscache_n_allocs_ok;
78673-extern atomic_t fscache_n_allocs_wait;
78674-extern atomic_t fscache_n_allocs_nobufs;
78675-extern atomic_t fscache_n_allocs_intr;
78676-extern atomic_t fscache_n_allocs_object_dead;
78677-extern atomic_t fscache_n_alloc_ops;
78678-extern atomic_t fscache_n_alloc_op_waits;
78679+extern atomic_unchecked_t fscache_n_allocs;
78680+extern atomic_unchecked_t fscache_n_allocs_ok;
78681+extern atomic_unchecked_t fscache_n_allocs_wait;
78682+extern atomic_unchecked_t fscache_n_allocs_nobufs;
78683+extern atomic_unchecked_t fscache_n_allocs_intr;
78684+extern atomic_unchecked_t fscache_n_allocs_object_dead;
78685+extern atomic_unchecked_t fscache_n_alloc_ops;
78686+extern atomic_unchecked_t fscache_n_alloc_op_waits;
78687
78688-extern atomic_t fscache_n_retrievals;
78689-extern atomic_t fscache_n_retrievals_ok;
78690-extern atomic_t fscache_n_retrievals_wait;
78691-extern atomic_t fscache_n_retrievals_nodata;
78692-extern atomic_t fscache_n_retrievals_nobufs;
78693-extern atomic_t fscache_n_retrievals_intr;
78694-extern atomic_t fscache_n_retrievals_nomem;
78695-extern atomic_t fscache_n_retrievals_object_dead;
78696-extern atomic_t fscache_n_retrieval_ops;
78697-extern atomic_t fscache_n_retrieval_op_waits;
78698+extern atomic_unchecked_t fscache_n_retrievals;
78699+extern atomic_unchecked_t fscache_n_retrievals_ok;
78700+extern atomic_unchecked_t fscache_n_retrievals_wait;
78701+extern atomic_unchecked_t fscache_n_retrievals_nodata;
78702+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
78703+extern atomic_unchecked_t fscache_n_retrievals_intr;
78704+extern atomic_unchecked_t fscache_n_retrievals_nomem;
78705+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
78706+extern atomic_unchecked_t fscache_n_retrieval_ops;
78707+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
78708
78709-extern atomic_t fscache_n_stores;
78710-extern atomic_t fscache_n_stores_ok;
78711-extern atomic_t fscache_n_stores_again;
78712-extern atomic_t fscache_n_stores_nobufs;
78713-extern atomic_t fscache_n_stores_oom;
78714-extern atomic_t fscache_n_store_ops;
78715-extern atomic_t fscache_n_store_calls;
78716-extern atomic_t fscache_n_store_pages;
78717-extern atomic_t fscache_n_store_radix_deletes;
78718-extern atomic_t fscache_n_store_pages_over_limit;
78719+extern atomic_unchecked_t fscache_n_stores;
78720+extern atomic_unchecked_t fscache_n_stores_ok;
78721+extern atomic_unchecked_t fscache_n_stores_again;
78722+extern atomic_unchecked_t fscache_n_stores_nobufs;
78723+extern atomic_unchecked_t fscache_n_stores_oom;
78724+extern atomic_unchecked_t fscache_n_store_ops;
78725+extern atomic_unchecked_t fscache_n_store_calls;
78726+extern atomic_unchecked_t fscache_n_store_pages;
78727+extern atomic_unchecked_t fscache_n_store_radix_deletes;
78728+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
78729
78730-extern atomic_t fscache_n_store_vmscan_not_storing;
78731-extern atomic_t fscache_n_store_vmscan_gone;
78732-extern atomic_t fscache_n_store_vmscan_busy;
78733-extern atomic_t fscache_n_store_vmscan_cancelled;
78734-extern atomic_t fscache_n_store_vmscan_wait;
78735+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
78736+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
78737+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
78738+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
78739+extern atomic_unchecked_t fscache_n_store_vmscan_wait;
78740
78741-extern atomic_t fscache_n_marks;
78742-extern atomic_t fscache_n_uncaches;
78743+extern atomic_unchecked_t fscache_n_marks;
78744+extern atomic_unchecked_t fscache_n_uncaches;
78745
78746-extern atomic_t fscache_n_acquires;
78747-extern atomic_t fscache_n_acquires_null;
78748-extern atomic_t fscache_n_acquires_no_cache;
78749-extern atomic_t fscache_n_acquires_ok;
78750-extern atomic_t fscache_n_acquires_nobufs;
78751-extern atomic_t fscache_n_acquires_oom;
78752+extern atomic_unchecked_t fscache_n_acquires;
78753+extern atomic_unchecked_t fscache_n_acquires_null;
78754+extern atomic_unchecked_t fscache_n_acquires_no_cache;
78755+extern atomic_unchecked_t fscache_n_acquires_ok;
78756+extern atomic_unchecked_t fscache_n_acquires_nobufs;
78757+extern atomic_unchecked_t fscache_n_acquires_oom;
78758
78759-extern atomic_t fscache_n_invalidates;
78760-extern atomic_t fscache_n_invalidates_run;
78761+extern atomic_unchecked_t fscache_n_invalidates;
78762+extern atomic_unchecked_t fscache_n_invalidates_run;
78763
78764-extern atomic_t fscache_n_updates;
78765-extern atomic_t fscache_n_updates_null;
78766-extern atomic_t fscache_n_updates_run;
78767+extern atomic_unchecked_t fscache_n_updates;
78768+extern atomic_unchecked_t fscache_n_updates_null;
78769+extern atomic_unchecked_t fscache_n_updates_run;
78770
78771-extern atomic_t fscache_n_relinquishes;
78772-extern atomic_t fscache_n_relinquishes_null;
78773-extern atomic_t fscache_n_relinquishes_waitcrt;
78774-extern atomic_t fscache_n_relinquishes_retire;
78775+extern atomic_unchecked_t fscache_n_relinquishes;
78776+extern atomic_unchecked_t fscache_n_relinquishes_null;
78777+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
78778+extern atomic_unchecked_t fscache_n_relinquishes_retire;
78779
78780-extern atomic_t fscache_n_cookie_index;
78781-extern atomic_t fscache_n_cookie_data;
78782-extern atomic_t fscache_n_cookie_special;
78783+extern atomic_unchecked_t fscache_n_cookie_index;
78784+extern atomic_unchecked_t fscache_n_cookie_data;
78785+extern atomic_unchecked_t fscache_n_cookie_special;
78786
78787-extern atomic_t fscache_n_object_alloc;
78788-extern atomic_t fscache_n_object_no_alloc;
78789-extern atomic_t fscache_n_object_lookups;
78790-extern atomic_t fscache_n_object_lookups_negative;
78791-extern atomic_t fscache_n_object_lookups_positive;
78792-extern atomic_t fscache_n_object_lookups_timed_out;
78793-extern atomic_t fscache_n_object_created;
78794-extern atomic_t fscache_n_object_avail;
78795-extern atomic_t fscache_n_object_dead;
78796+extern atomic_unchecked_t fscache_n_object_alloc;
78797+extern atomic_unchecked_t fscache_n_object_no_alloc;
78798+extern atomic_unchecked_t fscache_n_object_lookups;
78799+extern atomic_unchecked_t fscache_n_object_lookups_negative;
78800+extern atomic_unchecked_t fscache_n_object_lookups_positive;
78801+extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
78802+extern atomic_unchecked_t fscache_n_object_created;
78803+extern atomic_unchecked_t fscache_n_object_avail;
78804+extern atomic_unchecked_t fscache_n_object_dead;
78805
78806-extern atomic_t fscache_n_checkaux_none;
78807-extern atomic_t fscache_n_checkaux_okay;
78808-extern atomic_t fscache_n_checkaux_update;
78809-extern atomic_t fscache_n_checkaux_obsolete;
78810+extern atomic_unchecked_t fscache_n_checkaux_none;
78811+extern atomic_unchecked_t fscache_n_checkaux_okay;
78812+extern atomic_unchecked_t fscache_n_checkaux_update;
78813+extern atomic_unchecked_t fscache_n_checkaux_obsolete;
78814
78815 extern atomic_t fscache_n_cop_alloc_object;
78816 extern atomic_t fscache_n_cop_lookup_object;
78817@@ -280,6 +280,11 @@ static inline void fscache_stat(atomic_t *stat)
78818 atomic_inc(stat);
78819 }
78820
78821+static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
78822+{
78823+ atomic_inc_unchecked(stat);
78824+}
78825+
78826 static inline void fscache_stat_d(atomic_t *stat)
78827 {
78828 atomic_dec(stat);
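Review bot: The new `fscache_stat_unchecked()` helper carries no comment saying when it may be used, and the choice matters, since `atomic_inc_unchecked()` presumably bypasses the overflow check that `atomic_inc()` carries in this patch set. Above the helper I would add `/* statistics only: the counter may wrap; never use this on a reference count */`. The hunk adds no unchecked counterpart to `fscache_stat_d()`, so only increment-only counters should be converted; the `fscache_n_cop_*` declarations just before this hunk do stay `atomic_t`. The body of `fscache_stat_d()` continues outside the hunk.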
78829@@ -292,6 +297,7 @@ extern const struct file_operations fscache_stats_fops;
78830
78831 #define __fscache_stat(stat) (NULL)
78832 #define fscache_stat(stat) do {} while (0)
78833+#define fscache_stat_unchecked(stat) do {} while (0)
78834 #define fscache_stat_d(stat) do {} while (0)
78835 #endif
78836
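Review bot: The stub `#define fscache_stat_unchecked(stat) do {} while (0)` drops its argument without looking at its type, so passing an `atomic_t *` to it, or an `atomic_unchecked_t *` to `fscache_stat()`, is not diagnosed in this branch, which appears to be the stats-disabled one. Such a mix-up would only show in a build with `CONFIG_FSCACHE_STATS` set, so both configurations should be compiled when counters are converted. I would record that next to the stubs: `/* arguments are not type-checked here; build with CONFIG_FSCACHE_STATS=y to catch atomic_t/atomic_unchecked_t mix-ups */`.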
78837diff --git a/fs/fscache/object.c b/fs/fscache/object.c
78838index 9e792e3..6b2affb 100644
78839--- a/fs/fscache/object.c
78840+++ b/fs/fscache/object.c
78841@@ -465,7 +465,7 @@ static const struct fscache_state *fscache_look_up_object(struct fscache_object
78842 _debug("LOOKUP \"%s\" in \"%s\"",
78843 cookie->def->name, object->cache->tag->name);
78844
78845- fscache_stat(&fscache_n_object_lookups);
78846+ fscache_stat_unchecked(&fscache_n_object_lookups);
78847 fscache_stat(&fscache_n_cop_lookup_object);
78848 ret = object->cache->ops->lookup_object(object);
78849 fscache_stat_d(&fscache_n_cop_lookup_object);
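Review bot: Consecutive lines now call two different helpers, `fscache_stat_unchecked(&fscache_n_object_lookups);` followed by `fscache_stat(&fscache_n_cop_lookup_object);`, and nothing at the call site says why. The `fscache_n_cop_*` counter is decremented again by `fscache_stat_d()` two lines later, so it behaves as an in-flight gauge, and keeping it overflow-checked looks deliberate. A one-line comment such as `/* cop counters are inc/dec pairs and stay overflow-checked */` would keep a later cleanup from converting it by analogy. The same pairing appears in the `fscache_invalidate_object` and `fscache_update_object` hunks of this file and in the `fscache_write_op` hunk of page.c. `fscache_look_up_object` starts and ends outside this hunk.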
78850@@ -475,7 +475,7 @@ static const struct fscache_state *fscache_look_up_object(struct fscache_object
78851 if (ret == -ETIMEDOUT) {
78852 /* probably stuck behind another object, so move this one to
78853 * the back of the queue */
78854- fscache_stat(&fscache_n_object_lookups_timed_out);
78855+ fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
78856 _leave(" [timeout]");
78857 return NO_TRANSIT;
78858 }
78859@@ -503,7 +503,7 @@ void fscache_object_lookup_negative(struct fscache_object *object)
78860 _enter("{OBJ%x,%s}", object->debug_id, object->state->name);
78861
78862 if (!test_and_set_bit(FSCACHE_OBJECT_IS_LOOKED_UP, &object->flags)) {
78863- fscache_stat(&fscache_n_object_lookups_negative);
78864+ fscache_stat_unchecked(&fscache_n_object_lookups_negative);
78865
78866 /* Allow write requests to begin stacking up and read requests to begin
78867 * returning ENODATA.
78868@@ -538,7 +538,7 @@ void fscache_obtained_object(struct fscache_object *object)
78869 /* if we were still looking up, then we must have a positive lookup
78870 * result, in which case there may be data available */
78871 if (!test_and_set_bit(FSCACHE_OBJECT_IS_LOOKED_UP, &object->flags)) {
78872- fscache_stat(&fscache_n_object_lookups_positive);
78873+ fscache_stat_unchecked(&fscache_n_object_lookups_positive);
78874
78875 /* We do (presumably) have data */
78876 clear_bit_unlock(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
78877@@ -550,7 +550,7 @@ void fscache_obtained_object(struct fscache_object *object)
78878 clear_bit_unlock(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags);
78879 wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP);
78880 } else {
78881- fscache_stat(&fscache_n_object_created);
78882+ fscache_stat_unchecked(&fscache_n_object_created);
78883 }
78884
78885 set_bit(FSCACHE_OBJECT_IS_AVAILABLE, &object->flags);
78886@@ -586,7 +586,7 @@ static const struct fscache_state *fscache_object_available(struct fscache_objec
78887 fscache_stat_d(&fscache_n_cop_lookup_complete);
78888
78889 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
78890- fscache_stat(&fscache_n_object_avail);
78891+ fscache_stat_unchecked(&fscache_n_object_avail);
78892
78893 _leave("");
78894 return transit_to(JUMPSTART_DEPS);
78895@@ -735,7 +735,7 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob
78896
78897 /* this just shifts the object release to the work processor */
78898 fscache_put_object(object);
78899- fscache_stat(&fscache_n_object_dead);
78900+ fscache_stat_unchecked(&fscache_n_object_dead);
78901
78902 _leave("");
78903 return transit_to(OBJECT_DEAD);
78904@@ -900,7 +900,7 @@ enum fscache_checkaux fscache_check_aux(struct fscache_object *object,
78905 enum fscache_checkaux result;
78906
78907 if (!object->cookie->def->check_aux) {
78908- fscache_stat(&fscache_n_checkaux_none);
78909+ fscache_stat_unchecked(&fscache_n_checkaux_none);
78910 return FSCACHE_CHECKAUX_OKAY;
78911 }
78912
78913@@ -909,17 +909,17 @@ enum fscache_checkaux fscache_check_aux(struct fscache_object *object,
78914 switch (result) {
78915 /* entry okay as is */
78916 case FSCACHE_CHECKAUX_OKAY:
78917- fscache_stat(&fscache_n_checkaux_okay);
78918+ fscache_stat_unchecked(&fscache_n_checkaux_okay);
78919 break;
78920
78921 /* entry requires update */
78922 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
78923- fscache_stat(&fscache_n_checkaux_update);
78924+ fscache_stat_unchecked(&fscache_n_checkaux_update);
78925 break;
78926
78927 /* entry requires deletion */
78928 case FSCACHE_CHECKAUX_OBSOLETE:
78929- fscache_stat(&fscache_n_checkaux_obsolete);
78930+ fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
78931 break;
78932
78933 default:
78934@@ -1007,7 +1007,7 @@ static const struct fscache_state *fscache_invalidate_object(struct fscache_obje
78935 {
78936 const struct fscache_state *s;
78937
78938- fscache_stat(&fscache_n_invalidates_run);
78939+ fscache_stat_unchecked(&fscache_n_invalidates_run);
78940 fscache_stat(&fscache_n_cop_invalidate_object);
78941 s = _fscache_invalidate_object(object, event);
78942 fscache_stat_d(&fscache_n_cop_invalidate_object);
78943@@ -1022,7 +1022,7 @@ static const struct fscache_state *fscache_update_object(struct fscache_object *
78944 {
78945 _enter("{OBJ%x},%d", object->debug_id, event);
78946
78947- fscache_stat(&fscache_n_updates_run);
78948+ fscache_stat_unchecked(&fscache_n_updates_run);
78949 fscache_stat(&fscache_n_cop_update_object);
78950 object->cache->ops->update_object(object);
78951 fscache_stat_d(&fscache_n_cop_update_object);
78952diff --git a/fs/fscache/operation.c b/fs/fscache/operation.c
78953index de67745..6a3a9b6 100644
78954--- a/fs/fscache/operation.c
78955+++ b/fs/fscache/operation.c
78956@@ -17,7 +17,7 @@
78957 #include <linux/slab.h>
78958 #include "internal.h"
78959
78960-atomic_t fscache_op_debug_id;
78961+atomic_unchecked_t fscache_op_debug_id;
78962 EXPORT_SYMBOL(fscache_op_debug_id);
78963
78964 static void fscache_operation_dummy_cancel(struct fscache_operation *op)
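Review bot: `fscache_op_debug_id` is exported, so changing its definition to `atomic_unchecked_t` changes what every user of the symbol must call, and its `extern` declaration is not part of this hunk. That declaration and any user outside fs/fscache need the same type and the `_unchecked` accessors, otherwise the mismatch may surface only as a pointer-type warning. Within this file section the conversions visible are `atomic_inc_return_unchecked(&fscache_op_debug_id)` in `fscache_operation_init` and, in page.c, in `__fscache_write_page`. Since the id can now wrap silently, I would document that on the definition: `/* debug ids may wrap and repeat; use for trace correlation only */` (the visible uses are `_debug`/`_enter` format arguments).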
78965@@ -40,12 +40,12 @@ void fscache_operation_init(struct fscache_operation *op,
78966 INIT_WORK(&op->work, fscache_op_work_func);
78967 atomic_set(&op->usage, 1);
78968 op->state = FSCACHE_OP_ST_INITIALISED;
78969- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
78970+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
78971 op->processor = processor;
78972 op->cancel = cancel ?: fscache_operation_dummy_cancel;
78973 op->release = release;
78974 INIT_LIST_HEAD(&op->pend_link);
78975- fscache_stat(&fscache_n_op_initialised);
78976+ fscache_stat_unchecked(&fscache_n_op_initialised);
78977 }
78978 EXPORT_SYMBOL(fscache_operation_init);
78979
78980@@ -68,7 +68,7 @@ void fscache_enqueue_operation(struct fscache_operation *op)
78981 ASSERTCMP(atomic_read(&op->usage), >, 0);
78982 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
78983
78984- fscache_stat(&fscache_n_op_enqueue);
78985+ fscache_stat_unchecked(&fscache_n_op_enqueue);
78986 switch (op->flags & FSCACHE_OP_TYPE) {
78987 case FSCACHE_OP_ASYNC:
78988 _debug("queue async");
78989@@ -101,7 +101,7 @@ static void fscache_run_op(struct fscache_object *object,
78990 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
78991 if (op->processor)
78992 fscache_enqueue_operation(op);
78993- fscache_stat(&fscache_n_op_run);
78994+ fscache_stat_unchecked(&fscache_n_op_run);
78995 }
78996
78997 /*
78998@@ -169,7 +169,7 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
78999 op->state = FSCACHE_OP_ST_PENDING;
79000 flags = READ_ONCE(object->flags);
79001 if (unlikely(!(flags & BIT(FSCACHE_OBJECT_IS_LIVE)))) {
79002- fscache_stat(&fscache_n_op_rejected);
79003+ fscache_stat_unchecked(&fscache_n_op_rejected);
79004 op->cancel(op);
79005 op->state = FSCACHE_OP_ST_CANCELLED;
79006 ret = -ENOBUFS;
79007@@ -185,11 +185,11 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
79008 if (object->n_in_progress > 0) {
79009 atomic_inc(&op->usage);
79010 list_add_tail(&op->pend_link, &object->pending_ops);
79011- fscache_stat(&fscache_n_op_pend);
79012+ fscache_stat_unchecked(&fscache_n_op_pend);
79013 } else if (!list_empty(&object->pending_ops)) {
79014 atomic_inc(&op->usage);
79015 list_add_tail(&op->pend_link, &object->pending_ops);
79016- fscache_stat(&fscache_n_op_pend);
79017+ fscache_stat_unchecked(&fscache_n_op_pend);
79018 fscache_start_operations(object);
79019 } else {
79020 ASSERTCMP(object->n_in_progress, ==, 0);
79021@@ -205,7 +205,7 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
79022 object->n_exclusive++; /* reads and writes must wait */
79023 atomic_inc(&op->usage);
79024 list_add_tail(&op->pend_link, &object->pending_ops);
79025- fscache_stat(&fscache_n_op_pend);
79026+ fscache_stat_unchecked(&fscache_n_op_pend);
79027 ret = 0;
79028 } else if (flags & BIT(FSCACHE_OBJECT_KILLED_BY_CACHE)) {
79029 op->cancel(op);
79030@@ -254,7 +254,7 @@ int fscache_submit_op(struct fscache_object *object,
79031 op->state = FSCACHE_OP_ST_PENDING;
79032 flags = READ_ONCE(object->flags);
79033 if (unlikely(!(flags & BIT(FSCACHE_OBJECT_IS_LIVE)))) {
79034- fscache_stat(&fscache_n_op_rejected);
79035+ fscache_stat_unchecked(&fscache_n_op_rejected);
79036 op->cancel(op);
79037 op->state = FSCACHE_OP_ST_CANCELLED;
79038 ret = -ENOBUFS;
79039@@ -269,11 +269,11 @@ int fscache_submit_op(struct fscache_object *object,
79040 if (object->n_exclusive > 0) {
79041 atomic_inc(&op->usage);
79042 list_add_tail(&op->pend_link, &object->pending_ops);
79043- fscache_stat(&fscache_n_op_pend);
79044+ fscache_stat_unchecked(&fscache_n_op_pend);
79045 } else if (!list_empty(&object->pending_ops)) {
79046 atomic_inc(&op->usage);
79047 list_add_tail(&op->pend_link, &object->pending_ops);
79048- fscache_stat(&fscache_n_op_pend);
79049+ fscache_stat_unchecked(&fscache_n_op_pend);
79050 fscache_start_operations(object);
79051 } else {
79052 ASSERTCMP(object->n_exclusive, ==, 0);
79053@@ -285,7 +285,7 @@ int fscache_submit_op(struct fscache_object *object,
79054 object->n_ops++;
79055 atomic_inc(&op->usage);
79056 list_add_tail(&op->pend_link, &object->pending_ops);
79057- fscache_stat(&fscache_n_op_pend);
79058+ fscache_stat_unchecked(&fscache_n_op_pend);
79059 ret = 0;
79060 } else if (flags & BIT(FSCACHE_OBJECT_KILLED_BY_CACHE)) {
79061 op->cancel(op);
79062@@ -369,7 +369,7 @@ int fscache_cancel_op(struct fscache_operation *op,
79063 list_del_init(&op->pend_link);
79064 put = true;
79065
79066- fscache_stat(&fscache_n_op_cancelled);
79067+ fscache_stat_unchecked(&fscache_n_op_cancelled);
79068 op->cancel(op);
79069 op->state = FSCACHE_OP_ST_CANCELLED;
79070 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
79071@@ -385,7 +385,7 @@ int fscache_cancel_op(struct fscache_operation *op,
79072 if (object->n_in_progress == 0)
79073 fscache_start_operations(object);
79074
79075- fscache_stat(&fscache_n_op_cancelled);
79076+ fscache_stat_unchecked(&fscache_n_op_cancelled);
79077 op->cancel(op);
79078 op->state = FSCACHE_OP_ST_CANCELLED;
79079 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
79080@@ -416,7 +416,7 @@ void fscache_cancel_all_ops(struct fscache_object *object)
79081 while (!list_empty(&object->pending_ops)) {
79082 op = list_entry(object->pending_ops.next,
79083 struct fscache_operation, pend_link);
79084- fscache_stat(&fscache_n_op_cancelled);
79085+ fscache_stat_unchecked(&fscache_n_op_cancelled);
79086 list_del_init(&op->pend_link);
79087
79088 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_PENDING);
79089@@ -493,7 +493,7 @@ void fscache_put_operation(struct fscache_operation *op)
79090 op->state != FSCACHE_OP_ST_COMPLETE,
79091 op->state, ==, FSCACHE_OP_ST_CANCELLED);
79092
79093- fscache_stat(&fscache_n_op_release);
79094+ fscache_stat_unchecked(&fscache_n_op_release);
79095
79096 if (op->release) {
79097 op->release(op);
79098@@ -513,7 +513,7 @@ void fscache_put_operation(struct fscache_operation *op)
79099 * lock, and defer it otherwise */
79100 if (!spin_trylock(&object->lock)) {
79101 _debug("defer put");
79102- fscache_stat(&fscache_n_op_deferred_release);
79103+ fscache_stat_unchecked(&fscache_n_op_deferred_release);
79104
79105 cache = object->cache;
79106 spin_lock(&cache->op_gc_list_lock);
79107@@ -567,7 +567,7 @@ void fscache_operation_gc(struct work_struct *work)
79108
79109 _debug("GC DEFERRED REL OBJ%x OP%x",
79110 object->debug_id, op->debug_id);
79111- fscache_stat(&fscache_n_op_gc);
79112+ fscache_stat_unchecked(&fscache_n_op_gc);
79113
79114 ASSERTCMP(atomic_read(&op->usage), ==, 0);
79115 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_DEAD);
79116diff --git a/fs/fscache/page.c b/fs/fscache/page.c
79117index 483bbc6..ba36737 100644
79118--- a/fs/fscache/page.c
79119+++ b/fs/fscache/page.c
79120@@ -74,7 +74,7 @@ try_again:
79121 val = radix_tree_lookup(&cookie->stores, page->index);
79122 if (!val) {
79123 rcu_read_unlock();
79124- fscache_stat(&fscache_n_store_vmscan_not_storing);
79125+ fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
79126 __fscache_uncache_page(cookie, page);
79127 return true;
79128 }
79129@@ -104,11 +104,11 @@ try_again:
79130 spin_unlock(&cookie->stores_lock);
79131
79132 if (xpage) {
79133- fscache_stat(&fscache_n_store_vmscan_cancelled);
79134- fscache_stat(&fscache_n_store_radix_deletes);
79135+ fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
79136+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
79137 ASSERTCMP(xpage, ==, page);
79138 } else {
79139- fscache_stat(&fscache_n_store_vmscan_gone);
79140+ fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
79141 }
79142
79143 wake_up_bit(&cookie->flags, 0);
79144@@ -123,11 +123,11 @@ page_busy:
79145 * sleeping on memory allocation, so we may need to impose a timeout
79146 * too. */
79147 if (!(gfp & __GFP_WAIT) || !(gfp & __GFP_FS)) {
79148- fscache_stat(&fscache_n_store_vmscan_busy);
79149+ fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
79150 return false;
79151 }
79152
79153- fscache_stat(&fscache_n_store_vmscan_wait);
79154+ fscache_stat_unchecked(&fscache_n_store_vmscan_wait);
79155 if (!release_page_wait_timeout(cookie, page))
79156 _debug("fscache writeout timeout page: %p{%lx}",
79157 page, page->index);
79158@@ -156,7 +156,7 @@ static void fscache_end_page_write(struct fscache_object *object,
79159 FSCACHE_COOKIE_STORING_TAG);
79160 if (!radix_tree_tag_get(&cookie->stores, page->index,
79161 FSCACHE_COOKIE_PENDING_TAG)) {
79162- fscache_stat(&fscache_n_store_radix_deletes);
79163+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
79164 xpage = radix_tree_delete(&cookie->stores, page->index);
79165 }
79166 spin_unlock(&cookie->stores_lock);
79167@@ -177,7 +177,7 @@ static void fscache_attr_changed_op(struct fscache_operation *op)
79168
79169 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
79170
79171- fscache_stat(&fscache_n_attr_changed_calls);
79172+ fscache_stat_unchecked(&fscache_n_attr_changed_calls);
79173
79174 if (fscache_object_is_active(object)) {
79175 fscache_stat(&fscache_n_cop_attr_changed);
79176@@ -204,11 +204,11 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
79177
79178 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
79179
79180- fscache_stat(&fscache_n_attr_changed);
79181+ fscache_stat_unchecked(&fscache_n_attr_changed);
79182
79183 op = kzalloc(sizeof(*op), GFP_KERNEL);
79184 if (!op) {
79185- fscache_stat(&fscache_n_attr_changed_nomem);
79186+ fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
79187 _leave(" = -ENOMEM");
79188 return -ENOMEM;
79189 }
79190@@ -230,7 +230,7 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
79191 if (fscache_submit_exclusive_op(object, op) < 0)
79192 goto nobufs_dec;
79193 spin_unlock(&cookie->lock);
79194- fscache_stat(&fscache_n_attr_changed_ok);
79195+ fscache_stat_unchecked(&fscache_n_attr_changed_ok);
79196 fscache_put_operation(op);
79197 _leave(" = 0");
79198 return 0;
79199@@ -242,7 +242,7 @@ nobufs:
79200 fscache_put_operation(op);
79201 if (wake_cookie)
79202 __fscache_wake_unused_cookie(cookie);
79203- fscache_stat(&fscache_n_attr_changed_nobufs);
79204+ fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
79205 _leave(" = %d", -ENOBUFS);
79206 return -ENOBUFS;
79207 }
79208@@ -293,7 +293,7 @@ static struct fscache_retrieval *fscache_alloc_retrieval(
79209 /* allocate a retrieval operation and attempt to submit it */
79210 op = kzalloc(sizeof(*op), GFP_NOIO);
79211 if (!op) {
79212- fscache_stat(&fscache_n_retrievals_nomem);
79213+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
79214 return NULL;
79215 }
79216
79217@@ -332,12 +332,12 @@ int fscache_wait_for_deferred_lookup(struct fscache_cookie *cookie)
79218 return 0;
79219 }
79220
79221- fscache_stat(&fscache_n_retrievals_wait);
79222+ fscache_stat_unchecked(&fscache_n_retrievals_wait);
79223
79224 jif = jiffies;
79225 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
79226 TASK_INTERRUPTIBLE) != 0) {
79227- fscache_stat(&fscache_n_retrievals_intr);
79228+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
79229 _leave(" = -ERESTARTSYS");
79230 return -ERESTARTSYS;
79231 }
79232@@ -355,8 +355,8 @@ int fscache_wait_for_deferred_lookup(struct fscache_cookie *cookie)
79233 */
79234 int fscache_wait_for_operation_activation(struct fscache_object *object,
79235 struct fscache_operation *op,
79236- atomic_t *stat_op_waits,
79237- atomic_t *stat_object_dead)
79238+ atomic_unchecked_t *stat_op_waits,
79239+ atomic_unchecked_t *stat_object_dead)
79240 {
79241 int ret;
79242
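Review bot: Both statistics parameters of `fscache_wait_for_operation_activation` change to `atomic_unchecked_t *`, but its prototype and the argument lists of its callers lie outside this hunk. If one of them still names an `atomic_t` counter, C reports only an incompatible-pointer-type warning unless the build promotes it to an error, and the call would then apply unchecked increments to a checked counter. The function comment, which ends on the hunk's first line, should state the contract: `@stat_op_waits, @stat_object_dead: optional (may be NULL) wrap-tolerant statistics counters`. The NULL case is already handled by the `if (stat_op_waits)` and `if (stat_object_dead)` guards in the following hunks. The function body continues outside this hunk.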
79243@@ -365,7 +365,7 @@ int fscache_wait_for_operation_activation(struct fscache_object *object,
79244
79245 _debug(">>> WT");
79246 if (stat_op_waits)
79247- fscache_stat(stat_op_waits);
79248+ fscache_stat_unchecked(stat_op_waits);
79249 if (wait_on_bit(&op->flags, FSCACHE_OP_WAITING,
79250 TASK_INTERRUPTIBLE) != 0) {
79251 ret = fscache_cancel_op(op, false);
79252@@ -382,7 +382,7 @@ int fscache_wait_for_operation_activation(struct fscache_object *object,
79253 check_if_dead:
79254 if (op->state == FSCACHE_OP_ST_CANCELLED) {
79255 if (stat_object_dead)
79256- fscache_stat(stat_object_dead);
79257+ fscache_stat_unchecked(stat_object_dead);
79258 _leave(" = -ENOBUFS [cancelled]");
79259 return -ENOBUFS;
79260 }
79261@@ -391,7 +391,7 @@ check_if_dead:
79262 enum fscache_operation_state state = op->state;
79263 fscache_cancel_op(op, true);
79264 if (stat_object_dead)
79265- fscache_stat(stat_object_dead);
79266+ fscache_stat_unchecked(stat_object_dead);
79267 _leave(" = -ENOBUFS [obj dead %d]", state);
79268 return -ENOBUFS;
79269 }
79270@@ -420,7 +420,7 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
79271
79272 _enter("%p,%p,,,", cookie, page);
79273
79274- fscache_stat(&fscache_n_retrievals);
79275+ fscache_stat_unchecked(&fscache_n_retrievals);
79276
79277 if (hlist_empty(&cookie->backing_objects))
79278 goto nobufs;
79279@@ -462,7 +462,7 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
79280 goto nobufs_unlock_dec;
79281 spin_unlock(&cookie->lock);
79282
79283- fscache_stat(&fscache_n_retrieval_ops);
79284+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
79285
79286 /* we wait for the operation to become active, and then process it
79287 * *here*, in this thread, and not in the thread pool */
79288@@ -488,15 +488,15 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
79289
79290 error:
79291 if (ret == -ENOMEM)
79292- fscache_stat(&fscache_n_retrievals_nomem);
79293+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
79294 else if (ret == -ERESTARTSYS)
79295- fscache_stat(&fscache_n_retrievals_intr);
79296+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
79297 else if (ret == -ENODATA)
79298- fscache_stat(&fscache_n_retrievals_nodata);
79299+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
79300 else if (ret < 0)
79301- fscache_stat(&fscache_n_retrievals_nobufs);
79302+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
79303 else
79304- fscache_stat(&fscache_n_retrievals_ok);
79305+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
79306
79307 fscache_put_retrieval(op);
79308 _leave(" = %d", ret);
79309@@ -511,7 +511,7 @@ nobufs_unlock:
79310 __fscache_wake_unused_cookie(cookie);
79311 fscache_put_retrieval(op);
79312 nobufs:
79313- fscache_stat(&fscache_n_retrievals_nobufs);
79314+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
79315 _leave(" = -ENOBUFS");
79316 return -ENOBUFS;
79317 }
79318@@ -550,7 +550,7 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
79319
79320 _enter("%p,,%d,,,", cookie, *nr_pages);
79321
79322- fscache_stat(&fscache_n_retrievals);
79323+ fscache_stat_unchecked(&fscache_n_retrievals);
79324
79325 if (hlist_empty(&cookie->backing_objects))
79326 goto nobufs;
79327@@ -588,7 +588,7 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
79328 goto nobufs_unlock_dec;
79329 spin_unlock(&cookie->lock);
79330
79331- fscache_stat(&fscache_n_retrieval_ops);
79332+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
79333
79334 /* we wait for the operation to become active, and then process it
79335 * *here*, in this thread, and not in the thread pool */
79336@@ -614,15 +614,15 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
79337
79338 error:
79339 if (ret == -ENOMEM)
79340- fscache_stat(&fscache_n_retrievals_nomem);
79341+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
79342 else if (ret == -ERESTARTSYS)
79343- fscache_stat(&fscache_n_retrievals_intr);
79344+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
79345 else if (ret == -ENODATA)
79346- fscache_stat(&fscache_n_retrievals_nodata);
79347+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
79348 else if (ret < 0)
79349- fscache_stat(&fscache_n_retrievals_nobufs);
79350+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
79351 else
79352- fscache_stat(&fscache_n_retrievals_ok);
79353+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
79354
79355 fscache_put_retrieval(op);
79356 _leave(" = %d", ret);
79357@@ -637,7 +637,7 @@ nobufs_unlock:
79358 if (wake_cookie)
79359 __fscache_wake_unused_cookie(cookie);
79360 nobufs:
79361- fscache_stat(&fscache_n_retrievals_nobufs);
79362+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
79363 _leave(" = -ENOBUFS");
79364 return -ENOBUFS;
79365 }
79366@@ -662,7 +662,7 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
79367
79368 _enter("%p,%p,,,", cookie, page);
79369
79370- fscache_stat(&fscache_n_allocs);
79371+ fscache_stat_unchecked(&fscache_n_allocs);
79372
79373 if (hlist_empty(&cookie->backing_objects))
79374 goto nobufs;
79375@@ -696,7 +696,7 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
79376 goto nobufs_unlock_dec;
79377 spin_unlock(&cookie->lock);
79378
79379- fscache_stat(&fscache_n_alloc_ops);
79380+ fscache_stat_unchecked(&fscache_n_alloc_ops);
79381
79382 ret = fscache_wait_for_operation_activation(
79383 object, &op->op,
79384@@ -712,11 +712,11 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
79385
79386 error:
79387 if (ret == -ERESTARTSYS)
79388- fscache_stat(&fscache_n_allocs_intr);
79389+ fscache_stat_unchecked(&fscache_n_allocs_intr);
79390 else if (ret < 0)
79391- fscache_stat(&fscache_n_allocs_nobufs);
79392+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
79393 else
79394- fscache_stat(&fscache_n_allocs_ok);
79395+ fscache_stat_unchecked(&fscache_n_allocs_ok);
79396
79397 fscache_put_retrieval(op);
79398 _leave(" = %d", ret);
79399@@ -730,7 +730,7 @@ nobufs_unlock:
79400 if (wake_cookie)
79401 __fscache_wake_unused_cookie(cookie);
79402 nobufs:
79403- fscache_stat(&fscache_n_allocs_nobufs);
79404+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
79405 _leave(" = -ENOBUFS");
79406 return -ENOBUFS;
79407 }
79408@@ -806,7 +806,7 @@ static void fscache_write_op(struct fscache_operation *_op)
79409
79410 spin_lock(&cookie->stores_lock);
79411
79412- fscache_stat(&fscache_n_store_calls);
79413+ fscache_stat_unchecked(&fscache_n_store_calls);
79414
79415 /* find a page to store */
79416 page = NULL;
79417@@ -817,7 +817,7 @@ static void fscache_write_op(struct fscache_operation *_op)
79418 page = results[0];
79419 _debug("gang %d [%lx]", n, page->index);
79420 if (page->index > op->store_limit) {
79421- fscache_stat(&fscache_n_store_pages_over_limit);
79422+ fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
79423 goto superseded;
79424 }
79425
79426@@ -829,7 +829,7 @@ static void fscache_write_op(struct fscache_operation *_op)
79427 spin_unlock(&cookie->stores_lock);
79428 spin_unlock(&object->lock);
79429
79430- fscache_stat(&fscache_n_store_pages);
79431+ fscache_stat_unchecked(&fscache_n_store_pages);
79432 fscache_stat(&fscache_n_cop_write_page);
79433 ret = object->cache->ops->write_page(op, page);
79434 fscache_stat_d(&fscache_n_cop_write_page);
79435@@ -933,7 +933,7 @@ int __fscache_write_page(struct fscache_cookie *cookie,
79436 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
79437 ASSERT(PageFsCache(page));
79438
79439- fscache_stat(&fscache_n_stores);
79440+ fscache_stat_unchecked(&fscache_n_stores);
79441
79442 if (test_bit(FSCACHE_COOKIE_INVALIDATING, &cookie->flags)) {
79443 _leave(" = -ENOBUFS [invalidating]");
79444@@ -992,7 +992,7 @@ int __fscache_write_page(struct fscache_cookie *cookie,
79445 spin_unlock(&cookie->stores_lock);
79446 spin_unlock(&object->lock);
79447
79448- op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
79449+ op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
79450 op->store_limit = object->store_limit;
79451
79452 __fscache_use_cookie(cookie);
79453@@ -1001,8 +1001,8 @@ int __fscache_write_page(struct fscache_cookie *cookie,
79454
79455 spin_unlock(&cookie->lock);
79456 radix_tree_preload_end();
79457- fscache_stat(&fscache_n_store_ops);
79458- fscache_stat(&fscache_n_stores_ok);
79459+ fscache_stat_unchecked(&fscache_n_store_ops);
79460+ fscache_stat_unchecked(&fscache_n_stores_ok);
79461
79462 /* the work queue now carries its own ref on the object */
79463 fscache_put_operation(&op->op);
79464@@ -1010,14 +1010,14 @@ int __fscache_write_page(struct fscache_cookie *cookie,
79465 return 0;
79466
79467 already_queued:
79468- fscache_stat(&fscache_n_stores_again);
79469+ fscache_stat_unchecked(&fscache_n_stores_again);
79470 already_pending:
79471 spin_unlock(&cookie->stores_lock);
79472 spin_unlock(&object->lock);
79473 spin_unlock(&cookie->lock);
79474 radix_tree_preload_end();
79475 fscache_put_operation(&op->op);
79476- fscache_stat(&fscache_n_stores_ok);
79477+ fscache_stat_unchecked(&fscache_n_stores_ok);
79478 _leave(" = 0");
79479 return 0;
79480
79481@@ -1039,14 +1039,14 @@ nobufs:
79482 fscache_put_operation(&op->op);
79483 if (wake_cookie)
79484 __fscache_wake_unused_cookie(cookie);
79485- fscache_stat(&fscache_n_stores_nobufs);
79486+ fscache_stat_unchecked(&fscache_n_stores_nobufs);
79487 _leave(" = -ENOBUFS");
79488 return -ENOBUFS;
79489
79490 nomem_free:
79491 fscache_put_operation(&op->op);
79492 nomem:
79493- fscache_stat(&fscache_n_stores_oom);
79494+ fscache_stat_unchecked(&fscache_n_stores_oom);
79495 _leave(" = -ENOMEM");
79496 return -ENOMEM;
79497 }
79498@@ -1064,7 +1064,7 @@ void __fscache_uncache_page(struct fscache_cookie *cookie, struct page *page)
79499 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
79500 ASSERTCMP(page, !=, NULL);
79501
79502- fscache_stat(&fscache_n_uncaches);
79503+ fscache_stat_unchecked(&fscache_n_uncaches);
79504
79505 /* cache withdrawal may beat us to it */
79506 if (!PageFsCache(page))
79507@@ -1115,7 +1115,7 @@ void fscache_mark_page_cached(struct fscache_retrieval *op, struct page *page)
79508 struct fscache_cookie *cookie = op->op.object->cookie;
79509
79510 #ifdef CONFIG_FSCACHE_STATS
79511- atomic_inc(&fscache_n_marks);
79512+ atomic_inc_unchecked(&fscache_n_marks);
79513 #endif
79514
79515 _debug("- mark %p{%lx}", page, page->index);
79516diff --git a/fs/fscache/stats.c b/fs/fscache/stats.c
79517index 7cfa0aa..d5ef97b7 100644
79518--- a/fs/fscache/stats.c
79519+++ b/fs/fscache/stats.c
79520@@ -18,100 +18,100 @@
79521 /*
79522 * operation counters
79523 */
79524-atomic_t fscache_n_op_pend;
79525-atomic_t fscache_n_op_run;
79526-atomic_t fscache_n_op_enqueue;
79527-atomic_t fscache_n_op_requeue;
79528-atomic_t fscache_n_op_deferred_release;
79529-atomic_t fscache_n_op_initialised;
79530-atomic_t fscache_n_op_release;
79531-atomic_t fscache_n_op_gc;
79532-atomic_t fscache_n_op_cancelled;
79533-atomic_t fscache_n_op_rejected;
79534+atomic_unchecked_t fscache_n_op_pend;
79535+atomic_unchecked_t fscache_n_op_run;
79536+atomic_unchecked_t fscache_n_op_enqueue;
79537+atomic_unchecked_t fscache_n_op_requeue;
79538+atomic_unchecked_t fscache_n_op_deferred_release;
79539+atomic_unchecked_t fscache_n_op_initialised;
79540+atomic_unchecked_t fscache_n_op_release;
79541+atomic_unchecked_t fscache_n_op_gc;
79542+atomic_unchecked_t fscache_n_op_cancelled;
79543+atomic_unchecked_t fscache_n_op_rejected;
79544
79545-atomic_t fscache_n_attr_changed;
79546-atomic_t fscache_n_attr_changed_ok;
79547-atomic_t fscache_n_attr_changed_nobufs;
79548-atomic_t fscache_n_attr_changed_nomem;
79549-atomic_t fscache_n_attr_changed_calls;
79550+atomic_unchecked_t fscache_n_attr_changed;
79551+atomic_unchecked_t fscache_n_attr_changed_ok;
79552+atomic_unchecked_t fscache_n_attr_changed_nobufs;
79553+atomic_unchecked_t fscache_n_attr_changed_nomem;
79554+atomic_unchecked_t fscache_n_attr_changed_calls;
79555
79556-atomic_t fscache_n_allocs;
79557-atomic_t fscache_n_allocs_ok;
79558-atomic_t fscache_n_allocs_wait;
79559-atomic_t fscache_n_allocs_nobufs;
79560-atomic_t fscache_n_allocs_intr;
79561-atomic_t fscache_n_allocs_object_dead;
79562-atomic_t fscache_n_alloc_ops;
79563-atomic_t fscache_n_alloc_op_waits;
79564+atomic_unchecked_t fscache_n_allocs;
79565+atomic_unchecked_t fscache_n_allocs_ok;
79566+atomic_unchecked_t fscache_n_allocs_wait;
79567+atomic_unchecked_t fscache_n_allocs_nobufs;
79568+atomic_unchecked_t fscache_n_allocs_intr;
79569+atomic_unchecked_t fscache_n_allocs_object_dead;
79570+atomic_unchecked_t fscache_n_alloc_ops;
79571+atomic_unchecked_t fscache_n_alloc_op_waits;
79572
79573-atomic_t fscache_n_retrievals;
79574-atomic_t fscache_n_retrievals_ok;
79575-atomic_t fscache_n_retrievals_wait;
79576-atomic_t fscache_n_retrievals_nodata;
79577-atomic_t fscache_n_retrievals_nobufs;
79578-atomic_t fscache_n_retrievals_intr;
79579-atomic_t fscache_n_retrievals_nomem;
79580-atomic_t fscache_n_retrievals_object_dead;
79581-atomic_t fscache_n_retrieval_ops;
79582-atomic_t fscache_n_retrieval_op_waits;
79583+atomic_unchecked_t fscache_n_retrievals;
79584+atomic_unchecked_t fscache_n_retrievals_ok;
79585+atomic_unchecked_t fscache_n_retrievals_wait;
79586+atomic_unchecked_t fscache_n_retrievals_nodata;
79587+atomic_unchecked_t fscache_n_retrievals_nobufs;
79588+atomic_unchecked_t fscache_n_retrievals_intr;
79589+atomic_unchecked_t fscache_n_retrievals_nomem;
79590+atomic_unchecked_t fscache_n_retrievals_object_dead;
79591+atomic_unchecked_t fscache_n_retrieval_ops;
79592+atomic_unchecked_t fscache_n_retrieval_op_waits;
79593
79594-atomic_t fscache_n_stores;
79595-atomic_t fscache_n_stores_ok;
79596-atomic_t fscache_n_stores_again;
79597-atomic_t fscache_n_stores_nobufs;
79598-atomic_t fscache_n_stores_oom;
79599-atomic_t fscache_n_store_ops;
79600-atomic_t fscache_n_store_calls;
79601-atomic_t fscache_n_store_pages;
79602-atomic_t fscache_n_store_radix_deletes;
79603-atomic_t fscache_n_store_pages_over_limit;
79604+atomic_unchecked_t fscache_n_stores;
79605+atomic_unchecked_t fscache_n_stores_ok;
79606+atomic_unchecked_t fscache_n_stores_again;
79607+atomic_unchecked_t fscache_n_stores_nobufs;
79608+atomic_unchecked_t fscache_n_stores_oom;
79609+atomic_unchecked_t fscache_n_store_ops;
79610+atomic_unchecked_t fscache_n_store_calls;
79611+atomic_unchecked_t fscache_n_store_pages;
79612+atomic_unchecked_t fscache_n_store_radix_deletes;
79613+atomic_unchecked_t fscache_n_store_pages_over_limit;
79614
79615-atomic_t fscache_n_store_vmscan_not_storing;
79616-atomic_t fscache_n_store_vmscan_gone;
79617-atomic_t fscache_n_store_vmscan_busy;
79618-atomic_t fscache_n_store_vmscan_cancelled;
79619-atomic_t fscache_n_store_vmscan_wait;
79620+atomic_unchecked_t fscache_n_store_vmscan_not_storing;
79621+atomic_unchecked_t fscache_n_store_vmscan_gone;
79622+atomic_unchecked_t fscache_n_store_vmscan_busy;
79623+atomic_unchecked_t fscache_n_store_vmscan_cancelled;
79624+atomic_unchecked_t fscache_n_store_vmscan_wait;
79625
79626-atomic_t fscache_n_marks;
79627-atomic_t fscache_n_uncaches;
79628+atomic_unchecked_t fscache_n_marks;
79629+atomic_unchecked_t fscache_n_uncaches;
79630
79631-atomic_t fscache_n_acquires;
79632-atomic_t fscache_n_acquires_null;
79633-atomic_t fscache_n_acquires_no_cache;
79634-atomic_t fscache_n_acquires_ok;
79635-atomic_t fscache_n_acquires_nobufs;
79636-atomic_t fscache_n_acquires_oom;
79637+atomic_unchecked_t fscache_n_acquires;
79638+atomic_unchecked_t fscache_n_acquires_null;
79639+atomic_unchecked_t fscache_n_acquires_no_cache;
79640+atomic_unchecked_t fscache_n_acquires_ok;
79641+atomic_unchecked_t fscache_n_acquires_nobufs;
79642+atomic_unchecked_t fscache_n_acquires_oom;
79643
79644-atomic_t fscache_n_invalidates;
79645-atomic_t fscache_n_invalidates_run;
79646+atomic_unchecked_t fscache_n_invalidates;
79647+atomic_unchecked_t fscache_n_invalidates_run;
79648
79649-atomic_t fscache_n_updates;
79650-atomic_t fscache_n_updates_null;
79651-atomic_t fscache_n_updates_run;
79652+atomic_unchecked_t fscache_n_updates;
79653+atomic_unchecked_t fscache_n_updates_null;
79654+atomic_unchecked_t fscache_n_updates_run;
79655
79656-atomic_t fscache_n_relinquishes;
79657-atomic_t fscache_n_relinquishes_null;
79658-atomic_t fscache_n_relinquishes_waitcrt;
79659-atomic_t fscache_n_relinquishes_retire;
79660+atomic_unchecked_t fscache_n_relinquishes;
79661+atomic_unchecked_t fscache_n_relinquishes_null;
79662+atomic_unchecked_t fscache_n_relinquishes_waitcrt;
79663+atomic_unchecked_t fscache_n_relinquishes_retire;
79664
79665-atomic_t fscache_n_cookie_index;
79666-atomic_t fscache_n_cookie_data;
79667-atomic_t fscache_n_cookie_special;
79668+atomic_unchecked_t fscache_n_cookie_index;
79669+atomic_unchecked_t fscache_n_cookie_data;
79670+atomic_unchecked_t fscache_n_cookie_special;
79671
79672-atomic_t fscache_n_object_alloc;
79673-atomic_t fscache_n_object_no_alloc;
79674-atomic_t fscache_n_object_lookups;
79675-atomic_t fscache_n_object_lookups_negative;
79676-atomic_t fscache_n_object_lookups_positive;
79677-atomic_t fscache_n_object_lookups_timed_out;
79678-atomic_t fscache_n_object_created;
79679-atomic_t fscache_n_object_avail;
79680-atomic_t fscache_n_object_dead;
79681+atomic_unchecked_t fscache_n_object_alloc;
79682+atomic_unchecked_t fscache_n_object_no_alloc;
79683+atomic_unchecked_t fscache_n_object_lookups;
79684+atomic_unchecked_t fscache_n_object_lookups_negative;
79685+atomic_unchecked_t fscache_n_object_lookups_positive;
79686+atomic_unchecked_t fscache_n_object_lookups_timed_out;
79687+atomic_unchecked_t fscache_n_object_created;
79688+atomic_unchecked_t fscache_n_object_avail;
79689+atomic_unchecked_t fscache_n_object_dead;
79690
79691-atomic_t fscache_n_checkaux_none;
79692-atomic_t fscache_n_checkaux_okay;
79693-atomic_t fscache_n_checkaux_update;
79694-atomic_t fscache_n_checkaux_obsolete;
79695+atomic_unchecked_t fscache_n_checkaux_none;
79696+atomic_unchecked_t fscache_n_checkaux_okay;
79697+atomic_unchecked_t fscache_n_checkaux_update;
79698+atomic_unchecked_t fscache_n_checkaux_obsolete;
79699
79700 atomic_t fscache_n_cop_alloc_object;
79701 atomic_t fscache_n_cop_lookup_object;
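Review bot: Nothing in this counter block says why most counters become `atomic_unchecked_t` while `fscache_n_cop_alloc_object` and `fscache_n_cop_lookup_object` at the end of the hunk stay `atomic_t`. As far as I understand the PaX REFCOUNT convention, the unchecked type opts a counter out of overflow detection because wrapping is harmless for pure statistics. The cop counters are presumably kept checked because they track in-flight calls, but that is not visible here. I would extend the existing comment to `/* operation counters: statistics only, allowed to wrap, hence atomic_unchecked_t */` and put a matching one-line comment above the `fscache_n_cop_*` group. The same split shows up in the `fscache_stats_show()` hunk that follows, where the "CacheOp" line keeps plain `atomic_read()`.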
79702@@ -144,119 +144,119 @@ static int fscache_stats_show(struct seq_file *m, void *v)
79703 seq_puts(m, "FS-Cache statistics\n");
79704
79705 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
79706- atomic_read(&fscache_n_cookie_index),
79707- atomic_read(&fscache_n_cookie_data),
79708- atomic_read(&fscache_n_cookie_special));
79709+ atomic_read_unchecked(&fscache_n_cookie_index),
79710+ atomic_read_unchecked(&fscache_n_cookie_data),
79711+ atomic_read_unchecked(&fscache_n_cookie_special));
79712
79713 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
79714- atomic_read(&fscache_n_object_alloc),
79715- atomic_read(&fscache_n_object_no_alloc),
79716- atomic_read(&fscache_n_object_avail),
79717- atomic_read(&fscache_n_object_dead));
79718+ atomic_read_unchecked(&fscache_n_object_alloc),
79719+ atomic_read_unchecked(&fscache_n_object_no_alloc),
79720+ atomic_read_unchecked(&fscache_n_object_avail),
79721+ atomic_read_unchecked(&fscache_n_object_dead));
79722 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
79723- atomic_read(&fscache_n_checkaux_none),
79724- atomic_read(&fscache_n_checkaux_okay),
79725- atomic_read(&fscache_n_checkaux_update),
79726- atomic_read(&fscache_n_checkaux_obsolete));
79727+ atomic_read_unchecked(&fscache_n_checkaux_none),
79728+ atomic_read_unchecked(&fscache_n_checkaux_okay),
79729+ atomic_read_unchecked(&fscache_n_checkaux_update),
79730+ atomic_read_unchecked(&fscache_n_checkaux_obsolete));
79731
79732 seq_printf(m, "Pages : mrk=%u unc=%u\n",
79733- atomic_read(&fscache_n_marks),
79734- atomic_read(&fscache_n_uncaches));
79735+ atomic_read_unchecked(&fscache_n_marks),
79736+ atomic_read_unchecked(&fscache_n_uncaches));
79737
79738 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
79739 " oom=%u\n",
79740- atomic_read(&fscache_n_acquires),
79741- atomic_read(&fscache_n_acquires_null),
79742- atomic_read(&fscache_n_acquires_no_cache),
79743- atomic_read(&fscache_n_acquires_ok),
79744- atomic_read(&fscache_n_acquires_nobufs),
79745- atomic_read(&fscache_n_acquires_oom));
79746+ atomic_read_unchecked(&fscache_n_acquires),
79747+ atomic_read_unchecked(&fscache_n_acquires_null),
79748+ atomic_read_unchecked(&fscache_n_acquires_no_cache),
79749+ atomic_read_unchecked(&fscache_n_acquires_ok),
79750+ atomic_read_unchecked(&fscache_n_acquires_nobufs),
79751+ atomic_read_unchecked(&fscache_n_acquires_oom));
79752
79753 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
79754- atomic_read(&fscache_n_object_lookups),
79755- atomic_read(&fscache_n_object_lookups_negative),
79756- atomic_read(&fscache_n_object_lookups_positive),
79757- atomic_read(&fscache_n_object_created),
79758- atomic_read(&fscache_n_object_lookups_timed_out));
79759+ atomic_read_unchecked(&fscache_n_object_lookups),
79760+ atomic_read_unchecked(&fscache_n_object_lookups_negative),
79761+ atomic_read_unchecked(&fscache_n_object_lookups_positive),
79762+ atomic_read_unchecked(&fscache_n_object_created),
79763+ atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
79764
79765 seq_printf(m, "Invals : n=%u run=%u\n",
79766- atomic_read(&fscache_n_invalidates),
79767- atomic_read(&fscache_n_invalidates_run));
79768+ atomic_read_unchecked(&fscache_n_invalidates),
79769+ atomic_read_unchecked(&fscache_n_invalidates_run));
79770
79771 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
79772- atomic_read(&fscache_n_updates),
79773- atomic_read(&fscache_n_updates_null),
79774- atomic_read(&fscache_n_updates_run));
79775+ atomic_read_unchecked(&fscache_n_updates),
79776+ atomic_read_unchecked(&fscache_n_updates_null),
79777+ atomic_read_unchecked(&fscache_n_updates_run));
79778
79779 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
79780- atomic_read(&fscache_n_relinquishes),
79781- atomic_read(&fscache_n_relinquishes_null),
79782- atomic_read(&fscache_n_relinquishes_waitcrt),
79783- atomic_read(&fscache_n_relinquishes_retire));
79784+ atomic_read_unchecked(&fscache_n_relinquishes),
79785+ atomic_read_unchecked(&fscache_n_relinquishes_null),
79786+ atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
79787+ atomic_read_unchecked(&fscache_n_relinquishes_retire));
79788
79789 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
79790- atomic_read(&fscache_n_attr_changed),
79791- atomic_read(&fscache_n_attr_changed_ok),
79792- atomic_read(&fscache_n_attr_changed_nobufs),
79793- atomic_read(&fscache_n_attr_changed_nomem),
79794- atomic_read(&fscache_n_attr_changed_calls));
79795+ atomic_read_unchecked(&fscache_n_attr_changed),
79796+ atomic_read_unchecked(&fscache_n_attr_changed_ok),
79797+ atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
79798+ atomic_read_unchecked(&fscache_n_attr_changed_nomem),
79799+ atomic_read_unchecked(&fscache_n_attr_changed_calls));
79800
79801 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
79802- atomic_read(&fscache_n_allocs),
79803- atomic_read(&fscache_n_allocs_ok),
79804- atomic_read(&fscache_n_allocs_wait),
79805- atomic_read(&fscache_n_allocs_nobufs),
79806- atomic_read(&fscache_n_allocs_intr));
79807+ atomic_read_unchecked(&fscache_n_allocs),
79808+ atomic_read_unchecked(&fscache_n_allocs_ok),
79809+ atomic_read_unchecked(&fscache_n_allocs_wait),
79810+ atomic_read_unchecked(&fscache_n_allocs_nobufs),
79811+ atomic_read_unchecked(&fscache_n_allocs_intr));
79812 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
79813- atomic_read(&fscache_n_alloc_ops),
79814- atomic_read(&fscache_n_alloc_op_waits),
79815- atomic_read(&fscache_n_allocs_object_dead));
79816+ atomic_read_unchecked(&fscache_n_alloc_ops),
79817+ atomic_read_unchecked(&fscache_n_alloc_op_waits),
79818+ atomic_read_unchecked(&fscache_n_allocs_object_dead));
79819
79820 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
79821 " int=%u oom=%u\n",
79822- atomic_read(&fscache_n_retrievals),
79823- atomic_read(&fscache_n_retrievals_ok),
79824- atomic_read(&fscache_n_retrievals_wait),
79825- atomic_read(&fscache_n_retrievals_nodata),
79826- atomic_read(&fscache_n_retrievals_nobufs),
79827- atomic_read(&fscache_n_retrievals_intr),
79828- atomic_read(&fscache_n_retrievals_nomem));
79829+ atomic_read_unchecked(&fscache_n_retrievals),
79830+ atomic_read_unchecked(&fscache_n_retrievals_ok),
79831+ atomic_read_unchecked(&fscache_n_retrievals_wait),
79832+ atomic_read_unchecked(&fscache_n_retrievals_nodata),
79833+ atomic_read_unchecked(&fscache_n_retrievals_nobufs),
79834+ atomic_read_unchecked(&fscache_n_retrievals_intr),
79835+ atomic_read_unchecked(&fscache_n_retrievals_nomem));
79836 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
79837- atomic_read(&fscache_n_retrieval_ops),
79838- atomic_read(&fscache_n_retrieval_op_waits),
79839- atomic_read(&fscache_n_retrievals_object_dead));
79840+ atomic_read_unchecked(&fscache_n_retrieval_ops),
79841+ atomic_read_unchecked(&fscache_n_retrieval_op_waits),
79842+ atomic_read_unchecked(&fscache_n_retrievals_object_dead));
79843
79844 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
79845- atomic_read(&fscache_n_stores),
79846- atomic_read(&fscache_n_stores_ok),
79847- atomic_read(&fscache_n_stores_again),
79848- atomic_read(&fscache_n_stores_nobufs),
79849- atomic_read(&fscache_n_stores_oom));
79850+ atomic_read_unchecked(&fscache_n_stores),
79851+ atomic_read_unchecked(&fscache_n_stores_ok),
79852+ atomic_read_unchecked(&fscache_n_stores_again),
79853+ atomic_read_unchecked(&fscache_n_stores_nobufs),
79854+ atomic_read_unchecked(&fscache_n_stores_oom));
79855 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
79856- atomic_read(&fscache_n_store_ops),
79857- atomic_read(&fscache_n_store_calls),
79858- atomic_read(&fscache_n_store_pages),
79859- atomic_read(&fscache_n_store_radix_deletes),
79860- atomic_read(&fscache_n_store_pages_over_limit));
79861+ atomic_read_unchecked(&fscache_n_store_ops),
79862+ atomic_read_unchecked(&fscache_n_store_calls),
79863+ atomic_read_unchecked(&fscache_n_store_pages),
79864+ atomic_read_unchecked(&fscache_n_store_radix_deletes),
79865+ atomic_read_unchecked(&fscache_n_store_pages_over_limit));
79866
79867 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u wt=%u\n",
79868- atomic_read(&fscache_n_store_vmscan_not_storing),
79869- atomic_read(&fscache_n_store_vmscan_gone),
79870- atomic_read(&fscache_n_store_vmscan_busy),
79871- atomic_read(&fscache_n_store_vmscan_cancelled),
79872- atomic_read(&fscache_n_store_vmscan_wait));
79873+ atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
79874+ atomic_read_unchecked(&fscache_n_store_vmscan_gone),
79875+ atomic_read_unchecked(&fscache_n_store_vmscan_busy),
79876+ atomic_read_unchecked(&fscache_n_store_vmscan_cancelled),
79877+ atomic_read_unchecked(&fscache_n_store_vmscan_wait));
79878
79879 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
79880- atomic_read(&fscache_n_op_pend),
79881- atomic_read(&fscache_n_op_run),
79882- atomic_read(&fscache_n_op_enqueue),
79883- atomic_read(&fscache_n_op_cancelled),
79884- atomic_read(&fscache_n_op_rejected));
79885+ atomic_read_unchecked(&fscache_n_op_pend),
79886+ atomic_read_unchecked(&fscache_n_op_run),
79887+ atomic_read_unchecked(&fscache_n_op_enqueue),
79888+ atomic_read_unchecked(&fscache_n_op_cancelled),
79889+ atomic_read_unchecked(&fscache_n_op_rejected));
79890 seq_printf(m, "Ops : ini=%u dfr=%u rel=%u gc=%u\n",
79891- atomic_read(&fscache_n_op_initialised),
79892- atomic_read(&fscache_n_op_deferred_release),
79893- atomic_read(&fscache_n_op_release),
79894- atomic_read(&fscache_n_op_gc));
79895+ atomic_read_unchecked(&fscache_n_op_initialised),
79896+ atomic_read_unchecked(&fscache_n_op_deferred_release),
79897+ atomic_read_unchecked(&fscache_n_op_release),
79898+ atomic_read_unchecked(&fscache_n_op_gc));
79899
79900 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
79901 atomic_read(&fscache_n_cop_alloc_object),
79902diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
79903index eae2c11..b277a45 100644
79904--- a/fs/fuse/cuse.c
79905+++ b/fs/fuse/cuse.c
79906@@ -609,10 +609,12 @@ static int __init cuse_init(void)
79907 INIT_LIST_HEAD(&cuse_conntbl[i]);
79908
79909 /* inherit and extend fuse_dev_operations */
79910- cuse_channel_fops = fuse_dev_operations;
79911- cuse_channel_fops.owner = THIS_MODULE;
79912- cuse_channel_fops.open = cuse_channel_open;
79913- cuse_channel_fops.release = cuse_channel_release;
79914+ pax_open_kernel();
79915+ memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
79916+ *(void **)&cuse_channel_fops.owner = THIS_MODULE;
79917+ *(void **)&cuse_channel_fops.open = cuse_channel_open;
79918+ *(void **)&cuse_channel_fops.release = cuse_channel_release;
79919+ pax_close_kernel();
79920
79921 cuse_class = class_create(THIS_MODULE, "cuse");
79922 if (IS_ERR(cuse_class))
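Review bot: The `memcpy()` into `cuse_channel_fops` is sized by the source, `sizeof(fuse_dev_operations)`, rather than by the object that is written between `pax_open_kernel()` and `pax_close_kernel()`. Both objects are presumably `struct file_operations` (their declarations are outside this hunk), so the sizes agree today. Sizing by the destination keeps the write bounded if either declaration changes: `memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(cuse_channel_fops));`. A short comment before `pax_open_kernel()` would also help, stating that `cuse_channel_fops` is presumably write-protected elsewhere in the patch and is patched once here during init; that would explain the `(void *)` and `*(void **)` casts. `cuse_init()` begins and continues outside the hunk.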
79923diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
79924index ebb5e37..beae05b 100644
79925--- a/fs/fuse/dev.c
79926+++ b/fs/fuse/dev.c
79927@@ -1390,7 +1390,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
79928 ret = 0;
79929 pipe_lock(pipe);
79930
79931- if (!pipe->readers) {
79932+ if (!atomic_read(&pipe->readers)) {
79933 send_sig(SIGPIPE, current, 0);
79934 if (!ret)
79935 ret = -EPIPE;
79936@@ -1419,7 +1419,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
79937 page_nr++;
79938 ret += buf->len;
79939
79940- if (pipe->files)
79941+ if (atomic_read(&pipe->files))
79942 do_wakeup = 1;
79943 }
79944
79945diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
79946index a38e38f..6dbdcf6 100644
79947--- a/fs/gfs2/glock.c
79948+++ b/fs/gfs2/glock.c
79949@@ -385,9 +385,9 @@ static void state_change(struct gfs2_glock *gl, unsigned int new_state)
79950 if (held1 != held2) {
79951 GLOCK_BUG_ON(gl, __lockref_is_dead(&gl->gl_lockref));
79952 if (held2)
79953- gl->gl_lockref.count++;
79954+ __lockref_inc(&gl->gl_lockref);
79955 else
79956- gl->gl_lockref.count--;
79957+ __lockref_dec(&gl->gl_lockref);
79958 }
79959 if (held1 && held2 && list_empty(&gl->gl_holders))
79960 clear_bit(GLF_QUEUED, &gl->gl_flags);
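Review bot: The new `__lockref_inc()` / `__lockref_dec()` calls in `state_change()` give no indication of the locking they rely on. The helpers are defined outside this page; if they are plain accessors for `gl_lockref.count`, as the replaced `count++` / `count--` suggest, every converted site still depends on the caller holding the lockref's spinlock. A one-line comment above the `if (held2)` branch would record that, for example `/* caller holds gl->gl_spin, which protects gl_lockref.count */`. I am inferring the lock from the `spin_unlock(&gl->gl_spin)` lines in later hunks, so it should be confirmed. The same remark applies to the other converted sites in this file and to the hunks in fs/gfs2/glops.c and fs/gfs2/quota.c.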
79961@@ -614,9 +614,9 @@ out:
79962 out_sched:
79963 clear_bit(GLF_LOCK, &gl->gl_flags);
79964 smp_mb__after_atomic();
79965- gl->gl_lockref.count++;
79966+ __lockref_inc(&gl->gl_lockref);
79967 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
79968- gl->gl_lockref.count--;
79969+ __lockref_dec(&gl->gl_lockref);
79970 return;
79971
79972 out_unlock:
79973@@ -742,7 +742,7 @@ int gfs2_glock_get(struct gfs2_sbd *sdp, u64 number,
79974 gl->gl_sbd = sdp;
79975 gl->gl_flags = 0;
79976 gl->gl_name = name;
79977- gl->gl_lockref.count = 1;
79978+ __lockref_set(&gl->gl_lockref, 1);
79979 gl->gl_state = LM_ST_UNLOCKED;
79980 gl->gl_target = LM_ST_UNLOCKED;
79981 gl->gl_demote_state = LM_ST_EXCLUSIVE;
79982@@ -1020,9 +1020,9 @@ int gfs2_glock_nq(struct gfs2_holder *gh)
79983 if (unlikely((LM_FLAG_NOEXP & gh->gh_flags) &&
79984 test_and_clear_bit(GLF_FROZEN, &gl->gl_flags))) {
79985 set_bit(GLF_REPLY_PENDING, &gl->gl_flags);
79986- gl->gl_lockref.count++;
79987+ __lockref_inc(&gl->gl_lockref);
79988 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
79989- gl->gl_lockref.count--;
79990+ __lockref_dec(&gl->gl_lockref);
79991 }
79992 run_queue(gl, 1);
79993 spin_unlock(&gl->gl_spin);
79994@@ -1326,7 +1326,7 @@ void gfs2_glock_complete(struct gfs2_glock *gl, int ret)
79995 }
79996 }
79997
79998- gl->gl_lockref.count++;
79999+ __lockref_inc(&gl->gl_lockref);
80000 set_bit(GLF_REPLY_PENDING, &gl->gl_flags);
80001 spin_unlock(&gl->gl_spin);
80002
80003@@ -1385,12 +1385,12 @@ add_back_to_lru:
80004 goto add_back_to_lru;
80005 }
80006 clear_bit(GLF_LRU, &gl->gl_flags);
80007- gl->gl_lockref.count++;
80008+ __lockref_inc(&gl->gl_lockref);
80009 if (demote_ok(gl))
80010 handle_callback(gl, LM_ST_UNLOCKED, 0, false);
80011 WARN_ON(!test_and_clear_bit(GLF_LOCK, &gl->gl_flags));
80012 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
80013- gl->gl_lockref.count--;
80014+ __lockref_dec(&gl->gl_lockref);
80015 spin_unlock(&gl->gl_spin);
80016 cond_resched_lock(&lru_lock);
80017 }
80018@@ -1720,7 +1720,7 @@ void gfs2_dump_glock(struct seq_file *seq, const struct gfs2_glock *gl)
80019 state2str(gl->gl_demote_state), dtime,
80020 atomic_read(&gl->gl_ail_count),
80021 atomic_read(&gl->gl_revokes),
80022- (int)gl->gl_lockref.count, gl->gl_hold_time);
80023+ __lockref_read(&gl->gl_lockref), gl->gl_hold_time);
80024
80025 list_for_each_entry(gh, &gl->gl_holders, gh_list)
80026 dump_holder(seq, gh);
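Review bot: Dropping the `(int)` cast on the lockref count makes this `seq_printf()` argument's type depend on the return type of `__lockref_read()`, which is not visible in this hunk. The format string is also outside the hunk; if it prints the field with `%d` and the helper returns anything other than `int`, the varargs call is mismatched. Keeping the cast costs nothing and documents the expectation: `(int)__lockref_read(&gl->gl_lockref), gl->gl_hold_time);`.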
80027diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
80028index fa3fa5e..9fe2272 100644
80029--- a/fs/gfs2/glops.c
80030+++ b/fs/gfs2/glops.c
80031@@ -552,9 +552,9 @@ static void iopen_go_callback(struct gfs2_glock *gl, bool remote)
80032
80033 if (gl->gl_demote_state == LM_ST_UNLOCKED &&
80034 gl->gl_state == LM_ST_SHARED && ip) {
80035- gl->gl_lockref.count++;
80036+ __lockref_inc(&gl->gl_lockref);
80037 if (queue_work(gfs2_delete_workqueue, &gl->gl_delete) == 0)
80038- gl->gl_lockref.count--;
80039+ __lockref_dec(&gl->gl_lockref);
80040 }
80041 }
80042
80043diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
80044index 9b61f92..ab84778 100644
80045--- a/fs/gfs2/quota.c
80046+++ b/fs/gfs2/quota.c
80047@@ -154,7 +154,7 @@ static enum lru_status gfs2_qd_isolate(struct list_head *item,
80048 if (!spin_trylock(&qd->qd_lockref.lock))
80049 return LRU_SKIP;
80050
80051- if (qd->qd_lockref.count == 0) {
80052+ if (__lockref_read(&qd->qd_lockref) == 0) {
80053 lockref_mark_dead(&qd->qd_lockref);
80054 list_lru_isolate_move(lru, &qd->qd_lru, dispose);
80055 }
80056@@ -221,7 +221,7 @@ static struct gfs2_quota_data *qd_alloc(unsigned hash, struct gfs2_sbd *sdp, str
80057 return NULL;
80058
80059 qd->qd_sbd = sdp;
80060- qd->qd_lockref.count = 1;
80061+ __lockref_set(&qd->qd_lockref, 1);
80062 spin_lock_init(&qd->qd_lockref.lock);
80063 qd->qd_id = qid;
80064 qd->qd_slot = -1;
80065@@ -312,7 +312,7 @@ static void qd_put(struct gfs2_quota_data *qd)
80066 if (lockref_put_or_lock(&qd->qd_lockref))
80067 return;
80068
80069- qd->qd_lockref.count = 0;
80070+ __lockref_set(&qd->qd_lockref, 0);
80071 list_lru_add(&gfs2_qd_lru, &qd->qd_lru);
80072 spin_unlock(&qd->qd_lockref.lock);
80073
80074diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
80075index 973c24c..a3cbeb3 100644
80076--- a/fs/hugetlbfs/inode.c
80077+++ b/fs/hugetlbfs/inode.c
80078@@ -150,6 +150,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
80079 struct mm_struct *mm = current->mm;
80080 struct vm_area_struct *vma;
80081 struct hstate *h = hstate_file(file);
80082+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
80083 struct vm_unmapped_area_info info;
80084
80085 if (len & ~huge_page_mask(h))
80086@@ -163,17 +164,26 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
80087 return addr;
80088 }
80089
80090+#ifdef CONFIG_PAX_RANDMMAP
80091+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
80092+#endif
80093+
80094 if (addr) {
80095 addr = ALIGN(addr, huge_page_size(h));
80096 vma = find_vma(mm, addr);
80097- if (TASK_SIZE - len >= addr &&
80098- (!vma || addr + len <= vma->vm_start))
80099+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
80100 return addr;
80101 }
80102
80103 info.flags = 0;
80104 info.length = len;
80105 info.low_limit = TASK_UNMAPPED_BASE;
80106+
80107+#ifdef CONFIG_PAX_RANDMMAP
80108+ if (mm->pax_flags & MF_PAX_RANDMMAP)
80109+ info.low_limit += mm->delta_mmap;
80110+#endif
80111+
80112 info.high_limit = TASK_SIZE;
80113 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
80114 info.align_offset = 0;
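Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own; it is separated by `#endif` and a blank line from the `if (addr) {` block it is meant to guard. A statement inserted between the two later would silently become the guarded one, and the caller's address hint would then be honoured even with RANDMMAP enabled. I would drop the blank line and put a comment directly above the guard, e.g. `/* with RANDMMAP the caller's address hint is ignored; the following if (addr) block is the guarded statement */`. The hint path now also relies on `check_heap_stack_gap()` and on `offset` from the previous hunk, neither of which is defined on this page. `hugetlb_get_unmapped_area()` starts before the hunk.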
80115@@ -938,7 +948,7 @@ static struct file_system_type hugetlbfs_fs_type = {
80116 };
80117 MODULE_ALIAS_FS("hugetlbfs");
80118
80119-static struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
80120+struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
80121
80122 static int can_do_hugetlb_shm(void)
80123 {
80124diff --git a/fs/inode.c b/fs/inode.c
80125index d30640f..9d909a7 100644
80126--- a/fs/inode.c
80127+++ b/fs/inode.c
80128@@ -832,19 +832,19 @@ unsigned int get_next_ino(void)
80129 unsigned int *p = &get_cpu_var(last_ino);
80130 unsigned int res = *p;
80131
80132+start:
80133+
80134 #ifdef CONFIG_SMP
80135 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
80136- static atomic_t shared_last_ino;
80137- int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
80138+ static atomic_unchecked_t shared_last_ino;
80139+ int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
80140
80141 res = next - LAST_INO_BATCH;
80142 }
80143 #endif
80144
80145- res++;
80146- /* get_next_ino should not provide a 0 inode number */
80147- if (unlikely(!res))
80148- res++;
80149+ if (unlikely(!++res))
80150+ goto start; /* never zero */
80151 *p = res;
80152 put_cpu_var(last_ino);
80153 return res;
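Review bot: The comment `/* never zero */` on the new `goto start` says less than the comment it replaces and does not explain the backward jump. As far as the hunk shows, when `++res` wraps to 0 the jump re-enters the `CONFIG_SMP` block, where `(res & (LAST_INO_BATCH-1)) == 0` holds and a new batch is taken from `shared_last_ino`. The old code simply continued at 1. I would spell that out: `/* wrapped to 0, which is not a valid inode number: restart so that SMP takes a fresh batch */`. Separating the increment from the test (`res++; if (unlikely(!res)) goto start;`) would also read more easily than `!++res`. The start of `get_next_ino()` is outside the hunk.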
80154diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
80155index 4a6cf28..d3a29d3 100644
80156--- a/fs/jffs2/erase.c
80157+++ b/fs/jffs2/erase.c
80158@@ -452,7 +452,8 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
80159 struct jffs2_unknown_node marker = {
80160 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
80161 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
80162- .totlen = cpu_to_je32(c->cleanmarker_size)
80163+ .totlen = cpu_to_je32(c->cleanmarker_size),
80164+ .hdr_crc = cpu_to_je32(0)
80165 };
80166
80167 jffs2_prealloc_raw_node_refs(c, jeb, 1);
80168diff --git a/fs/jffs2/wbuf.c b/fs/jffs2/wbuf.c
80169index 09ed551..45684f8 100644
80170--- a/fs/jffs2/wbuf.c
80171+++ b/fs/jffs2/wbuf.c
80172@@ -1023,7 +1023,8 @@ static const struct jffs2_unknown_node oob_cleanmarker =
80173 {
80174 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
80175 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
80176- .totlen = constant_cpu_to_je32(8)
80177+ .totlen = constant_cpu_to_je32(8),
80178+ .hdr_crc = constant_cpu_to_je32(0)
80179 };
80180
80181 /*
80182diff --git a/fs/jfs/super.c b/fs/jfs/super.c
80183index 4cd9798..8dfe86a 100644
80184--- a/fs/jfs/super.c
80185+++ b/fs/jfs/super.c
80186@@ -901,7 +901,7 @@ static int __init init_jfs_fs(void)
80187
80188 jfs_inode_cachep =
80189 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
80190- SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
80191+ SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
80192 init_once);
80193 if (jfs_inode_cachep == NULL)
80194 return -ENOMEM;
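Review bot: `SLAB_USERCOPY` is added to the `jfs_ip` cache without a comment saying which part of `struct jfs_inode_info` has to be copied to or from user space. As I understand the flag, it exempts the cache's objects from the PAX_USERCOPY slab check. That makes the whole inode object an allowed copy source or destination, not only the field that needs it. A comment naming the field would let a reviewer judge whether a bounce buffer would be the narrower choice, for instance `/* SLAB_USERCOPY: <field> is copied directly to user space */` with the real field name filled in. `init_jfs_fs()` starts and continues outside the hunk.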
80195diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
80196index 2d48d28..82eddad 100644
80197--- a/fs/kernfs/dir.c
80198+++ b/fs/kernfs/dir.c
80199@@ -182,7 +182,7 @@ struct kernfs_node *kernfs_get_parent(struct kernfs_node *kn)
80200 *
80201 * Returns 31 bit hash of ns + name (so it fits in an off_t )
80202 */
80203-static unsigned int kernfs_name_hash(const char *name, const void *ns)
80204+static unsigned int kernfs_name_hash(const unsigned char *name, const void *ns)
80205 {
80206 unsigned long hash = init_name_hash();
80207 unsigned int len = strlen(name);
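Review bot: With `name` now declared `const unsigned char *`, the context line `unsigned int len = strlen(name);` passes it to a function that takes `const char *`. That compiles quietly only where pointer-sign warnings are disabled. An explicit `strlen((const char *)name)` would keep the conversion visible. The reason for the signedness change is not stated, so a sentence in the function's header comment would help. The body of `kernfs_name_hash()` continues outside the hunk and its callers are not shown.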
80208@@ -873,6 +873,12 @@ static int kernfs_iop_mkdir(struct inode *dir, struct dentry *dentry,
80209 ret = scops->mkdir(parent, dentry->d_name.name, mode);
80210
80211 kernfs_put_active(parent);
80212+
80213+ if (!ret) {
80214+ struct dentry *dentry_ret = kernfs_iop_lookup(dir, dentry, 0);
80215+ ret = PTR_ERR_OR_ZERO(dentry_ret);
80216+ }
80217+
80218 return ret;
80219 }
80220
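Review bot: The result of the added `kernfs_iop_lookup()` call is only passed through `PTR_ERR_OR_ZERO()`, so a valid dentry returned by the lookup is discarded without `dput()`. `kernfs_iop_lookup()` is not visible here; if it can return a non-NULL dentry with a reference held, that reference leaks. Adding `if (!IS_ERR_OR_NULL(dentry_ret)) dput(dentry_ret);` after `ret` is computed would cover it. An error from the lookup is also returned to the caller although `scops->mkdir()` has already succeeded, so the directory exists while mkdir reports failure. A comment stating the intended behaviour would help. `kernfs_iop_mkdir()` starts outside the hunk.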
80221diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
80222index 7247252..c73808e 100644
80223--- a/fs/kernfs/file.c
80224+++ b/fs/kernfs/file.c
80225@@ -34,7 +34,7 @@ static DEFINE_MUTEX(kernfs_open_file_mutex);
80226
80227 struct kernfs_open_node {
80228 atomic_t refcnt;
80229- atomic_t event;
80230+ atomic_unchecked_t event;
80231 wait_queue_head_t poll;
80232 struct list_head files; /* goes through kernfs_open_file.list */
80233 };
80234@@ -163,7 +163,7 @@ static int kernfs_seq_show(struct seq_file *sf, void *v)
80235 {
80236 struct kernfs_open_file *of = sf->private;
80237
80238- of->event = atomic_read(&of->kn->attr.open->event);
80239+ of->event = atomic_read_unchecked(&of->kn->attr.open->event);
80240
80241 return of->kn->attr.ops->seq_show(sf, v);
80242 }
80243@@ -207,7 +207,7 @@ static ssize_t kernfs_file_direct_read(struct kernfs_open_file *of,
80244 goto out_free;
80245 }
80246
80247- of->event = atomic_read(&of->kn->attr.open->event);
80248+ of->event = atomic_read_unchecked(&of->kn->attr.open->event);
80249 ops = kernfs_ops(of->kn);
80250 if (ops->read)
80251 len = ops->read(of, buf, len, *ppos);
80252@@ -272,7 +272,7 @@ static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf,
80253 {
80254 struct kernfs_open_file *of = kernfs_of(file);
80255 const struct kernfs_ops *ops;
80256- size_t len;
80257+ ssize_t len;
80258 char *buf;
80259
80260 if (of->atomic_write_len) {
80261@@ -385,12 +385,12 @@ static int kernfs_vma_page_mkwrite(struct vm_area_struct *vma,
80262 return ret;
80263 }
80264
80265-static int kernfs_vma_access(struct vm_area_struct *vma, unsigned long addr,
80266- void *buf, int len, int write)
80267+static ssize_t kernfs_vma_access(struct vm_area_struct *vma, unsigned long addr,
80268+ void *buf, size_t len, int write)
80269 {
80270 struct file *file = vma->vm_file;
80271 struct kernfs_open_file *of = kernfs_of(file);
80272- int ret;
80273+ ssize_t ret;
80274
80275 if (!of->vm_ops)
80276 return -EINVAL;
80277@@ -569,7 +569,7 @@ static int kernfs_get_open_node(struct kernfs_node *kn,
80278 return -ENOMEM;
80279
80280 atomic_set(&new_on->refcnt, 0);
80281- atomic_set(&new_on->event, 1);
80282+ atomic_set_unchecked(&new_on->event, 1);
80283 init_waitqueue_head(&new_on->poll);
80284 INIT_LIST_HEAD(&new_on->files);
80285 goto retry;
80286@@ -792,7 +792,7 @@ static unsigned int kernfs_fop_poll(struct file *filp, poll_table *wait)
80287
80288 kernfs_put_active(kn);
80289
80290- if (of->event != atomic_read(&on->event))
80291+ if (of->event != atomic_read_unchecked(&on->event))
80292 goto trigger;
80293
80294 return DEFAULT_POLLMASK;
80295@@ -823,7 +823,7 @@ repeat:
80296
80297 on = kn->attr.open;
80298 if (on) {
80299- atomic_inc(&on->event);
80300+ atomic_inc_unchecked(&on->event);
80301 wake_up_interruptible(&on->poll);
80302 }
80303
80304diff --git a/fs/libfs.c b/fs/libfs.c
80305index c7cbfb0..fc3636d4 100644
80306--- a/fs/libfs.c
80307+++ b/fs/libfs.c
80308@@ -155,6 +155,9 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
80309
80310 for (p = q->next; p != &dentry->d_subdirs; p = p->next) {
80311 struct dentry *next = list_entry(p, struct dentry, d_child);
80312+ char d_name[sizeof(next->d_iname)];
80313+ const unsigned char *name;
80314+
80315 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
80316 if (!simple_positive(next)) {
80317 spin_unlock(&next->d_lock);
80318@@ -163,7 +166,12 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
80319
80320 spin_unlock(&next->d_lock);
80321 spin_unlock(&dentry->d_lock);
80322- if (!dir_emit(ctx, next->d_name.name, next->d_name.len,
80323+ name = next->d_name.name;
80324+ if (name == next->d_iname) {
80325+ memcpy(d_name, name, next->d_name.len);
80326+ name = d_name;
80327+ }
80328+ if (!dir_emit(ctx, name, next->d_name.len,
80329 d_inode(next)->i_ino, dt_type(d_inode(next))))
80330 return 0;
80331 spin_lock(&dentry->d_lock);
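Review bot: The inline-name copy added here runs after `spin_unlock(&next->d_lock)`, so `next->d_name.name` and `next->d_name.len` are read unlocked, and the length is read twice: once for the `memcpy` into the fixed `d_name[sizeof(next->d_iname)]` stack buffer and again for `dir_emit`. If a rename of `next` can run at that point (the hunk does not show whether the caller's directory lock rules it out), the pointer and the two length reads may not describe the same name. Taking the snapshot while `d_lock` is still held, with the length saved once as `unsigned int len = next->d_name.len;` and reused in both calls, would make the copy consistent by construction. dcache_readdir starts and ends outside this hunk.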
80332diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
80333index acd3947..1f896e2 100644
80334--- a/fs/lockd/clntproc.c
80335+++ b/fs/lockd/clntproc.c
80336@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops;
80337 /*
80338 * Cookie counter for NLM requests
80339 */
80340-static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
80341+static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
80342
80343 void nlmclnt_next_cookie(struct nlm_cookie *c)
80344 {
80345- u32 cookie = atomic_inc_return(&nlm_cookie);
80346+ u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
80347
80348 memcpy(c->data, &cookie, 4);
80349 c->len=4;
80350diff --git a/fs/mount.h b/fs/mount.h
80351index 14db05d..687f6d8 100644
80352--- a/fs/mount.h
80353+++ b/fs/mount.h
80354@@ -13,7 +13,7 @@ struct mnt_namespace {
80355 u64 seq; /* Sequence number to prevent loops */
80356 wait_queue_head_t poll;
80357 u64 event;
80358-};
80359+} __randomize_layout;
80360
80361 struct mnt_pcp {
80362 int mnt_count;
80363@@ -65,7 +65,7 @@ struct mount {
80364 struct hlist_head mnt_pins;
80365 struct fs_pin mnt_umount;
80366 struct dentry *mnt_ex_mountpoint;
80367-};
80368+} __randomize_layout;
80369
80370 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
80371
80372diff --git a/fs/namei.c b/fs/namei.c
80373index 1c2105e..e54c8ab 100644
80374--- a/fs/namei.c
80375+++ b/fs/namei.c
80376@@ -336,17 +336,32 @@ int generic_permission(struct inode *inode, int mask)
80377 if (ret != -EACCES)
80378 return ret;
80379
80380+#ifdef CONFIG_GRKERNSEC
80381+ /* we'll block if we have to log due to a denied capability use */
80382+ if (mask & MAY_NOT_BLOCK)
80383+ return -ECHILD;
80384+#endif
80385+
80386 if (S_ISDIR(inode->i_mode)) {
80387 /* DACs are overridable for directories */
80388- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
80389- return 0;
80390 if (!(mask & MAY_WRITE))
80391- if (capable_wrt_inode_uidgid(inode,
80392- CAP_DAC_READ_SEARCH))
80393+ if (capable_wrt_inode_uidgid_nolog(inode, CAP_DAC_OVERRIDE) ||
80394+ capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
80395 return 0;
80396+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
80397+ return 0;
80398 return -EACCES;
80399 }
80400 /*
80401+ * Searching includes executable on directories, else just read.
80402+ */
80403+ mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
80404+ if (mask == MAY_READ)
80405+ if (capable_wrt_inode_uidgid_nolog(inode, CAP_DAC_OVERRIDE) ||
80406+ capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
80407+ return 0;
80408+
80409+ /*
80410 * Read/write DACs are always overridable.
80411 * Executable DACs are overridable when there is
80412 * at least one exec bit set.
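Review bot: The reordered capability checks in the directory branch and in the relocated `mask == MAY_READ` block have no comment explaining why CAP_DAC_OVERRIDE is first probed with `capable_wrt_inode_uidgid_nolog()` and then tested again with the logging variant. The intent appears to be that a task holding only CAP_DAC_READ_SEARCH is not logged as denied CAP_DAC_OVERRIDE, but a reader has to infer that. A comment above each pair would record it, e.g. `/* probe CAP_DAC_OVERRIDE quietly first so a CAP_DAC_READ_SEARCH-only task is not logged as denied */`. The unbraced `if (!(mask & MAY_WRITE))` now wraps a two-line condition and is followed by another `if` at the same depth, so braces would make the nesting unambiguous. generic_permission starts before this hunk and continues into the next one.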
80413@@ -355,14 +370,6 @@ int generic_permission(struct inode *inode, int mask)
80414 if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
80415 return 0;
80416
80417- /*
80418- * Searching includes executable on directories, else just read.
80419- */
80420- mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
80421- if (mask == MAY_READ)
80422- if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
80423- return 0;
80424-
80425 return -EACCES;
80426 }
80427 EXPORT_SYMBOL(generic_permission);
80428@@ -514,12 +521,35 @@ struct nameidata {
80429 struct nameidata *saved;
80430 unsigned root_seq;
80431 int dfd;
80432-};
80433+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80434+ struct path *symlinkown_stack;
80435+ struct path symlinkown_internal[EMBEDDED_LEVELS];
80436+ unsigned symlinkown_depth;
80437+ int symlinkown_enabled;
80438+#endif
80439+} __randomize_layout;
80440+
80441+static int gr_handle_nameidata_symlinkowner(const struct nameidata *nd, const struct inode *target)
80442+{
80443+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80444+ int i;
80445+
80446+ for (i = 0; i < nd->symlinkown_depth; i++) {
80447+ if (gr_handle_symlink_owner(&nd->symlinkown_stack[i], target))
80448+ return -EACCES;
80449+ }
80450+#endif
80451+ return 0;
80452+}
80453
80454 static void set_nameidata(struct nameidata *p, int dfd, struct filename *name)
80455 {
80456 struct nameidata *old = current->nameidata;
80457 p->stack = p->internal;
80458+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80459+ p->symlinkown_stack = p->symlinkown_internal;
80460+ p->symlinkown_enabled = -1;
80461+#endif
80462 p->dfd = dfd;
80463 p->name = name;
80464 p->total_link_count = old ? old->total_link_count : 0;
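Review bot: The loop in gr_handle_nameidata_symlinkowner() compares `int i` with `nd->symlinkown_depth`, which this hunk declares as `unsigned`, so the comparison mixes signedness; `unsigned i;` would match the field. The helper also returns `-EACCES`, while the callers added later in this patch (path_parentat, lookup_open, do_last) treat the result as a boolean and assign `-EACCES` themselves. Either use the return value directly at the call sites or add a one-line comment stating that non-zero means deny. set_nameidata continues past the end of this hunk.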
80465@@ -538,6 +568,12 @@ static void restore_nameidata(void)
80466 kfree(now->stack);
80467 now->stack = now->internal;
80468 }
80469+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80470+ if (now->symlinkown_stack != now->symlinkown_internal) {
80471+ kfree(now->symlinkown_stack);
80472+ now->symlinkown_stack = now->symlinkown_internal;
80473+ }
80474+#endif
80475 }
80476
80477 static int __nd_alloc_stack(struct nameidata *nd)
80478@@ -557,11 +593,36 @@ static int __nd_alloc_stack(struct nameidata *nd)
80479 }
80480 memcpy(p, nd->internal, sizeof(nd->internal));
80481 nd->stack = p;
80482+
80483 return 0;
80484 }
80485
80486+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80487+static int nd_alloc_symlinkown_stack(struct nameidata *nd)
80488+{
80489+ struct path *p;
80490+
80491+ if (likely(nd->symlinkown_depth != EMBEDDED_LEVELS))
80492+ return 0;
80493+ if (nd->symlinkown_stack != nd->symlinkown_internal)
80494+ return 0;
80495+
80496+ p = kmalloc(MAXSYMLINKS * sizeof(struct path), GFP_KERNEL);
80497+ if (unlikely(!p))
80498+ return -ENOMEM;
80499+ memcpy(p, nd->symlinkown_internal, sizeof(nd->symlinkown_internal));
80500+ nd->symlinkown_stack = p;
80501+ return 0;
80502+}
80503+#endif
80504+
80505 static inline int nd_alloc_stack(struct nameidata *nd)
80506 {
80507+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80508+ if (nd->flags & LOOKUP_RCU)
80509+ return -ECHILD;
80510+#endif
80511+
80512 if (likely(nd->depth != EMBEDDED_LEVELS))
80513 return 0;
80514 if (likely(nd->stack != nd->internal))
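Review bot: The `LOOKUP_RCU` test added at the top of nd_alloc_stack() is compiled in whenever CONFIG_GRKERNSEC_SYMLINKOWN is set and is not gated on `nd->symlinkown_enabled`, so it returns `-ECHILD` on every RCU-mode call even when the embedded stack still has room and the feature is disabled at run time. Nothing in the code states that this is intended; a comment such as `/* symlink-owner tracking takes path references, so symlinks are only followed in ref-walk mode */` would record it (how the caller reacts to -ECHILD is outside this hunk). In nd_alloc_symlinkown_stack(), `kmalloc_array(MAXSYMLINKS, sizeof(struct path), GFP_KERNEL)` is the conventional form for the array allocation. nd_alloc_stack continues past the end of the hunk.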
80515@@ -590,6 +651,14 @@ static void terminate_walk(struct nameidata *nd)
80516 path_put(&nd->path);
80517 for (i = 0; i < nd->depth; i++)
80518 path_put(&nd->stack[i].link);
80519+
80520+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80521+ /* we'll only ever set our values in ref-walk mode */
80522+ for (i = 0; i < nd->symlinkown_depth; i++)
80523+ path_put(&nd->symlinkown_stack[i]);
80524+ nd->symlinkown_depth = 0;
80525+#endif
80526+
80527 if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
80528 path_put(&nd->root);
80529 nd->root.mnt = NULL;
80530@@ -986,6 +1055,9 @@ const char *get_link(struct nameidata *nd)
80531 if (unlikely(error))
80532 return ERR_PTR(error);
80533
80534+ if (gr_handle_follow_link(dentry, last->link.mnt))
80535+ return ERR_PTR(-EACCES);
80536+
80537 nd->last_type = LAST_BIND;
80538 res = inode->i_link;
80539 if (!res) {
80540@@ -1535,8 +1607,6 @@ static int lookup_fast(struct nameidata *nd,
80541 negative = d_is_negative(dentry);
80542 if (read_seqcount_retry(&dentry->d_seq, seq))
80543 return -ECHILD;
80544- if (negative)
80545- return -ENOENT;
80546
80547 /*
80548 * This sequence count validates that the parent had no
80549@@ -1557,6 +1627,12 @@ static int lookup_fast(struct nameidata *nd,
80550 goto unlazy;
80551 }
80552 }
80553+ /*
80554+ * Note: do negative dentry check after revalidation in
80555+ * case that drops it.
80556+ */
80557+ if (negative)
80558+ return -ENOENT;
80559 path->mnt = mnt;
80560 path->dentry = dentry;
80561 if (likely(__follow_mount_rcu(nd, path, inode, seqp)))
80562@@ -1665,6 +1741,23 @@ static int pick_link(struct nameidata *nd, struct path *link,
80563 }
80564 }
80565
80566+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80567+ if (unlikely(nd->symlinkown_enabled == -1))
80568+ nd->symlinkown_enabled = gr_get_symlinkown_enabled();
80569+ if (nd->symlinkown_enabled && gr_is_global_nonroot(inode->i_uid)) {
80570+ struct path *symlinkownlast;
80571+ error = nd_alloc_symlinkown_stack(nd);
80572+ if (unlikely(error)) {
80573+ path_put(link);
80574+ return error;
80575+ }
80576+ symlinkownlast = nd->symlinkown_stack + nd->symlinkown_depth++;
80577+ symlinkownlast->dentry = link->dentry;
80578+ symlinkownlast->mnt = link->mnt;
80579+ path_get(symlinkownlast);
80580+ }
80581+#endif
80582+
80583 last = nd->stack + nd->depth++;
80584 last->link = *link;
80585 last->cookie = NULL;
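Review bot: The store through `nd->symlinkown_stack + nd->symlinkown_depth++` has no bound of its own. It stays inside the MAXSYMLINKS-entry allocation only if the number of links followed per walk is capped elsewhere, presumably by the `total_link_count` limit, which is not visible in this hunk. Unlike `nd->depth`, this counter is only reset (terminate_walk, path_init) and never decremented in the visible hunks. A comment stating the invariant would help the next reader, e.g. `/* symlinkown_depth never exceeds the links followed in this walk, which is capped at MAXSYMLINKS */`; confirm that the cap really precedes this block. pick_link starts and ends outside the hunk.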
80586@@ -1804,7 +1897,7 @@ EXPORT_SYMBOL(full_name_hash);
80587 static inline u64 hash_name(const char *name)
80588 {
80589 unsigned long a, b, adata, bdata, mask, hash, len;
80590- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
80591+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
80592
80593 hash = a = 0;
80594 len = -sizeof(unsigned long);
80595@@ -1973,6 +2066,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
80596 nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
80597 nd->depth = 0;
80598 nd->total_link_count = 0;
80599+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80600+ nd->symlinkown_depth = 0;
80601+#endif
80602 if (flags & LOOKUP_ROOT) {
80603 struct dentry *root = nd->root.dentry;
80604 struct inode *inode = root->d_inode;
80605@@ -2110,6 +2206,11 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path
80606 if (!err)
80607 err = complete_walk(nd);
80608
80609+ if (!err && !(nd->flags & LOOKUP_PARENT)) {
80610+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
80611+ err = -ENOENT;
80612+ }
80613+
80614 if (!err && nd->flags & LOOKUP_DIRECTORY)
80615 if (!d_can_lookup(nd->path.dentry))
80616 err = -ENOTDIR;
80617@@ -2158,6 +2259,10 @@ static int path_parentat(struct nameidata *nd, unsigned flags,
80618 err = link_path_walk(s, nd);
80619 if (!err)
80620 err = complete_walk(nd);
80621+
80622+ if (!err && gr_handle_nameidata_symlinkowner(nd, nd->inode))
80623+ err = -EACCES;
80624+
80625 if (!err) {
80626 *parent = nd->path;
80627 nd->path.mnt = NULL;
80628@@ -2689,6 +2794,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
80629 if (flag & O_NOATIME && !inode_owner_or_capable(inode))
80630 return -EPERM;
80631
80632+ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
80633+ return -EPERM;
80634+ if (gr_handle_rawio(inode))
80635+ return -EPERM;
80636+ if (!gr_acl_handle_open(dentry, path->mnt, acc_mode))
80637+ return -EACCES;
80638+
80639 return 0;
80640 }
80641
80642@@ -2955,6 +3067,18 @@ static int lookup_open(struct nameidata *nd, struct path *path,
80643 /* Negative dentry, just create the file */
80644 if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
80645 umode_t mode = op->mode;
80646+
80647+
80648+ if (gr_handle_nameidata_symlinkowner(nd, dir_inode)) {
80649+ error = -EACCES;
80650+ goto out_dput;
80651+ }
80652+
80653+ if (!gr_acl_handle_creat(dentry, dir, nd->path.mnt, op->open_flag, op->acc_mode, mode)) {
80654+ error = -EACCES;
80655+ goto out_dput;
80656+ }
80657+
80658 if (!IS_POSIXACL(dir->d_inode))
80659 mode &= ~current_umask();
80660 /*
80661@@ -2976,6 +3100,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
80662 nd->flags & LOOKUP_EXCL);
80663 if (error)
80664 goto out_dput;
80665+ else
80666+ gr_handle_create(dentry, nd->path.mnt);
80667 }
80668 out_no_open:
80669 path->dentry = dentry;
80670@@ -3039,6 +3165,9 @@ static int do_last(struct nameidata *nd,
80671 if (error)
80672 return error;
80673
80674+ if (!gr_acl_handle_hidden_file(dir, nd->path.mnt))
80675+ return -ENOENT;
80676+
80677 audit_inode(nd->name, dir, LOOKUP_PARENT);
80678 /* trailing slashes? */
80679 if (unlikely(nd->last.name[nd->last.len]))
80680@@ -3081,11 +3210,24 @@ retry_lookup:
80681 goto finish_open_created;
80682 }
80683
80684+ if (!gr_acl_handle_hidden_file(path.dentry, nd->path.mnt)) {
80685+ path_to_nameidata(&path, nd);
80686+ return -ENOENT;
80687+ }
80688+
80689 /*
80690 * create/update audit record if it already exists.
80691 */
80692- if (d_is_positive(path.dentry))
80693+ if (d_is_positive(path.dentry)) {
80694+ /* only check if O_CREAT is specified, all other checks need to go
80695+ into may_open */
80696+ if (gr_handle_fifo(path.dentry, path.mnt, dir, open_flag, acc_mode)) {
80697+ path_to_nameidata(&path, nd);
80698+ return -EACCES;
80699+ }
80700+
80701 audit_inode(nd->name, path.dentry, 0);
80702+ }
80703
80704 /*
80705 * If atomic_open() acquired write access it is dropped now due to
80706@@ -3121,6 +3263,11 @@ finish_lookup:
80707 if (unlikely(error))
80708 return error;
80709
80710+ if (gr_handle_nameidata_symlinkowner(nd, inode)) {
80711+ path_to_nameidata(&path, nd);
80712+ return -EACCES;
80713+ }
80714+
80715 if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) {
80716 path_to_nameidata(&path, nd);
80717 return -ELOOP;
80718@@ -3143,6 +3290,12 @@ finish_open:
80719 path_put(&save_parent);
80720 return error;
80721 }
80722+
80723+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
80724+ error = -ENOENT;
80725+ goto out;
80726+ }
80727+
80728 audit_inode(nd->name, nd->path.dentry, 0);
80729 error = -EISDIR;
80730 if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
80731@@ -3409,9 +3562,11 @@ static struct dentry *filename_create(int dfd, struct filename *name,
80732 goto unlock;
80733
80734 error = -EEXIST;
80735- if (d_is_positive(dentry))
80736+ if (d_is_positive(dentry)) {
80737+ if (!gr_acl_handle_hidden_file(dentry, path->mnt))
80738+ error = -ENOENT;
80739 goto fail;
80740-
80741+ }
80742 /*
80743 * Special case - lookup gave negative, but... we had foo/bar/
80744 * From the vfs_mknod() POV we just have a negative dentry -
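Review bot: The new branch replaces `-EEXIST` with `-ENOENT` when `gr_acl_handle_hidden_file()` returns zero for an existing dentry, and nothing in the code says why the errno differs. It looks intended to keep a create attempt from confirming that a hidden name exists. If so, a comment on the inner `if` would record it, e.g. `/* hidden from this subject: answer ENOENT so the create does not disclose the name */`. filename_create starts and ends outside this hunk.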
80745@@ -3465,6 +3620,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname,
80746 }
80747 EXPORT_SYMBOL(user_path_create);
80748
80749+static struct dentry *user_path_create_with_name(int dfd, const char __user *pathname, struct path *path, struct filename **to, unsigned int lookup_flags)
80750+{
80751+ struct filename *tmp = getname(pathname);
80752+ struct dentry *res;
80753+ if (IS_ERR(tmp))
80754+ return ERR_CAST(tmp);
80755+ res = kern_path_create(dfd, tmp->name, path, lookup_flags);
80756+ if (IS_ERR(res))
80757+ putname(tmp);
80758+ else
80759+ *to = tmp;
80760+ return res;
80761+}
80762+
80763 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
80764 {
80765 int error = may_create(dir, dentry);
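Review bot: user_path_create_with_name() has no comment describing ownership of the `struct filename` it hands back. On success `*to` holds a name the caller must release with `putname()`; on failure the name is released here and `*to` is left untouched, so the caller must initialise it. A short header comment stating both cases would protect future callers; the linkat hunk later in this patch relies on exactly that contract. The single-line signature is also far beyond the usual line length and would read better wrapped after `struct path *path,`.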
80766@@ -3528,6 +3697,17 @@ retry:
80767
80768 if (!IS_POSIXACL(path.dentry->d_inode))
80769 mode &= ~current_umask();
80770+
80771+ if (gr_handle_chroot_mknod(dentry, path.mnt, mode)) {
80772+ error = -EPERM;
80773+ goto out;
80774+ }
80775+
80776+ if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) {
80777+ error = -EACCES;
80778+ goto out;
80779+ }
80780+
80781 error = security_path_mknod(&path, dentry, mode, dev);
80782 if (error)
80783 goto out;
80784@@ -3543,6 +3723,8 @@ retry:
80785 error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
80786 break;
80787 }
80788+ if (!error)
80789+ gr_handle_create(dentry, path.mnt);
80790 out:
80791 done_path_create(&path, dentry);
80792 if (retry_estale(error, lookup_flags)) {
80793@@ -3597,9 +3779,16 @@ retry:
80794
80795 if (!IS_POSIXACL(path.dentry->d_inode))
80796 mode &= ~current_umask();
80797+ if (!gr_acl_handle_mkdir(dentry, path.dentry, path.mnt)) {
80798+ error = -EACCES;
80799+ goto out;
80800+ }
80801 error = security_path_mkdir(&path, dentry, mode);
80802 if (!error)
80803 error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
80804+ if (!error)
80805+ gr_handle_create(dentry, path.mnt);
80806+out:
80807 done_path_create(&path, dentry);
80808 if (retry_estale(error, lookup_flags)) {
80809 lookup_flags |= LOOKUP_REVAL;
80810@@ -3632,7 +3821,7 @@ void dentry_unhash(struct dentry *dentry)
80811 {
80812 shrink_dcache_parent(dentry);
80813 spin_lock(&dentry->d_lock);
80814- if (dentry->d_lockref.count == 1)
80815+ if (__lockref_read(&dentry->d_lockref) == 1)
80816 __d_drop(dentry);
80817 spin_unlock(&dentry->d_lock);
80818 }
80819@@ -3685,6 +3874,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
80820 struct path path;
80821 struct qstr last;
80822 int type;
80823+ u64 saved_ino = 0;
80824+ dev_t saved_dev = 0;
80825 unsigned int lookup_flags = 0;
80826 retry:
80827 name = user_path_parent(dfd, pathname,
80828@@ -3717,10 +3908,20 @@ retry:
80829 error = -ENOENT;
80830 goto exit3;
80831 }
80832+ saved_ino = gr_get_ino_from_dentry(dentry);
80833+ saved_dev = gr_get_dev_from_dentry(dentry);
80834+
80835+ if (!gr_acl_handle_rmdir(dentry, path.mnt)) {
80836+ error = -EACCES;
80837+ goto exit3;
80838+ }
80839+
80840 error = security_path_rmdir(&path, dentry);
80841 if (error)
80842 goto exit3;
80843 error = vfs_rmdir(path.dentry->d_inode, dentry);
80844+ if (!error && (saved_dev || saved_ino))
80845+ gr_handle_delete(saved_ino, saved_dev);
80846 exit3:
80847 dput(dentry);
80848 exit2:
80849@@ -3815,6 +4016,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
80850 int type;
80851 struct inode *inode = NULL;
80852 struct inode *delegated_inode = NULL;
80853+ u64 saved_ino = 0;
80854+ dev_t saved_dev = 0;
80855 unsigned int lookup_flags = 0;
80856 retry:
80857 name = user_path_parent(dfd, pathname,
80858@@ -3841,10 +4044,21 @@ retry_deleg:
80859 if (d_is_negative(dentry))
80860 goto slashes;
80861 ihold(inode);
80862+ if (inode->i_nlink <= 1) {
80863+ saved_ino = gr_get_ino_from_dentry(dentry);
80864+ saved_dev = gr_get_dev_from_dentry(dentry);
80865+ }
80866+ if (!gr_acl_handle_unlink(dentry, path.mnt)) {
80867+ error = -EACCES;
80868+ goto exit2;
80869+ }
80870+
80871 error = security_path_unlink(&path, dentry);
80872 if (error)
80873 goto exit2;
80874 error = vfs_unlink(path.dentry->d_inode, dentry, &delegated_inode);
80875+ if (!error && (saved_ino || saved_dev))
80876+ gr_handle_delete(saved_ino, saved_dev);
80877 exit2:
80878 dput(dentry);
80879 }
80880@@ -3933,9 +4147,17 @@ retry:
80881 if (IS_ERR(dentry))
80882 goto out_putname;
80883
80884+ if (!gr_acl_handle_symlink(dentry, path.dentry, path.mnt, from)) {
80885+ error = -EACCES;
80886+ goto out;
80887+ }
80888+
80889 error = security_path_symlink(&path, dentry, from->name);
80890 if (!error)
80891 error = vfs_symlink(path.dentry->d_inode, dentry, from->name);
80892+ if (!error)
80893+ gr_handle_create(dentry, path.mnt);
80894+out:
80895 done_path_create(&path, dentry);
80896 if (retry_estale(error, lookup_flags)) {
80897 lookup_flags |= LOOKUP_REVAL;
80898@@ -4039,6 +4261,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
80899 struct dentry *new_dentry;
80900 struct path old_path, new_path;
80901 struct inode *delegated_inode = NULL;
80902+ struct filename *to = NULL;
80903 int how = 0;
80904 int error;
80905
80906@@ -4062,7 +4285,7 @@ retry:
80907 if (error)
80908 return error;
80909
80910- new_dentry = user_path_create(newdfd, newname, &new_path,
80911+ new_dentry = user_path_create_with_name(newdfd, newname, &new_path, &to,
80912 (how & LOOKUP_REVAL));
80913 error = PTR_ERR(new_dentry);
80914 if (IS_ERR(new_dentry))
80915@@ -4074,11 +4297,26 @@ retry:
80916 error = may_linkat(&old_path);
80917 if (unlikely(error))
80918 goto out_dput;
80919+
80920+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt, to)) {
80921+ error = -EACCES;
80922+ goto out_dput;
80923+ }
80924+
80925+ if (!gr_acl_handle_link(new_dentry, new_path.dentry, new_path.mnt,
80926+ old_path.dentry, old_path.mnt, to)) {
80927+ error = -EACCES;
80928+ goto out_dput;
80929+ }
80930+
80931 error = security_path_link(old_path.dentry, &new_path, new_dentry);
80932 if (error)
80933 goto out_dput;
80934 error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode);
80935+ if (!error)
80936+ gr_handle_create(new_dentry, new_path.mnt);
80937 out_dput:
80938+ putname(to);
80939 done_path_create(&new_path, new_dentry);
80940 if (delegated_inode) {
80941 error = break_deleg_wait(&delegated_inode);
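Review bot: `putname(to)` at `out_dput` leaves `to` pointing at the released filename, and the code after this hunk can apparently loop back to `retry`, where `to` is assigned again only if user_path_create_with_name() succeeds. Nothing visible dereferences the stale pointer, but clearing it makes that explicit and keeps a later edit from reusing it: `putname(to);` followed by `to = NULL;`. This assumes `out_dput` is only reachable after a successful user_path_create_with_name(), which the visible lines suggest; the retry paths themselves are outside the hunk.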
80942@@ -4393,6 +4631,20 @@ retry_deleg:
80943 if (new_dentry == trap)
80944 goto exit5;
80945
80946+ if (gr_bad_chroot_rename(old_dentry, old_path.mnt, new_dentry, new_path.mnt)) {
80947+ /* use EXDEV error to cause 'mv' to switch to an alternative
80948+ * method for usability
80949+ */
80950+ error = -EXDEV;
80951+ goto exit5;
80952+ }
80953+
80954+ error = gr_acl_handle_rename(new_dentry, new_path.dentry, new_path.mnt,
80955+ old_dentry, d_backing_inode(old_path.dentry), old_path.mnt,
80956+ to, flags);
80957+ if (error)
80958+ goto exit5;
80959+
80960 error = security_path_rename(&old_path, old_dentry,
80961 &new_path, new_dentry, flags);
80962 if (error)
80963@@ -4400,6 +4652,9 @@ retry_deleg:
80964 error = vfs_rename(old_path.dentry->d_inode, old_dentry,
80965 new_path.dentry->d_inode, new_dentry,
80966 &delegated_inode, flags);
80967+ if (!error)
80968+ gr_handle_rename(d_backing_inode(old_path.dentry), d_backing_inode(new_path.dentry), old_dentry,
80969+ new_dentry, old_path.mnt, d_is_positive(new_dentry) ? 1 : 0, flags);
80970 exit5:
80971 dput(new_dentry);
80972 exit4:
80973@@ -4456,14 +4711,24 @@ EXPORT_SYMBOL(vfs_whiteout);
80974
80975 int readlink_copy(char __user *buffer, int buflen, const char *link)
80976 {
80977+ char tmpbuf[64];
80978+ const char *newlink;
80979 int len = PTR_ERR(link);
80980+
80981 if (IS_ERR(link))
80982 goto out;
80983
80984 len = strlen(link);
80985 if (len > (unsigned) buflen)
80986 len = buflen;
80987- if (copy_to_user(buffer, link, len))
80988+
80989+ if (len < sizeof(tmpbuf)) {
80990+ memcpy(tmpbuf, link, len);
80991+ newlink = tmpbuf;
80992+ } else
80993+ newlink = link;
80994+
80995+ if (copy_to_user(buffer, newlink, len))
80996 len = -EFAULT;
80997 out:
80998 return len;
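Review bot: The 64-byte `tmpbuf` bounce copy has no comment and uses a bare constant, so a reader cannot tell why short link bodies are copied to the stack before `copy_to_user()` while longer ones are passed through directly. If the reason is that short links may be stored inline inside another kernel object that the hardened user-copy checks would reject (an assumption, not shown on this page), say so above the `if` and give the size a name. The `if`/`else` has braces on one arm only, where kernel style braces both. `len < sizeof(tmpbuf)` compares an `int` with a `size_t`, which is correct only because `len` is non-negative on the paths shown.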
80999diff --git a/fs/namespace.c b/fs/namespace.c
81000index 2b8aa15..3230081 100644
81001--- a/fs/namespace.c
81002+++ b/fs/namespace.c
81003@@ -1516,6 +1516,9 @@ static int do_umount(struct mount *mnt, int flags)
81004 if (!(sb->s_flags & MS_RDONLY))
81005 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
81006 up_write(&sb->s_umount);
81007+
81008+ gr_log_remount(mnt->mnt_devname, retval);
81009+
81010 return retval;
81011 }
81012
81013@@ -1538,6 +1541,9 @@ static int do_umount(struct mount *mnt, int flags)
81014 }
81015 unlock_mount_hash();
81016 namespace_unlock();
81017+
81018+ gr_log_unmount(mnt->mnt_devname, retval);
81019+
81020 return retval;
81021 }
81022
81023@@ -1592,7 +1598,7 @@ static inline bool may_mount(void)
81024 * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD
81025 */
81026
81027-SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
81028+SYSCALL_DEFINE2(umount, const char __user *, name, int, flags)
81029 {
81030 struct path path;
81031 struct mount *mnt;
81032@@ -1637,7 +1643,7 @@ out:
81033 /*
81034 * The 2.0 compatible umount. No flags.
81035 */
81036-SYSCALL_DEFINE1(oldumount, char __user *, name)
81037+SYSCALL_DEFINE1(oldumount, const char __user *, name)
81038 {
81039 return sys_umount(name, 0);
81040 }
81041@@ -2712,6 +2718,16 @@ long do_mount(const char *dev_name, const char __user *dir_name,
81042 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
81043 MS_STRICTATIME);
81044
81045+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
81046+ retval = -EPERM;
81047+ goto dput_out;
81048+ }
81049+
81050+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
81051+ retval = -EPERM;
81052+ goto dput_out;
81053+ }
81054+
81055 if (flags & MS_REMOUNT)
81056 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
81057 data_page);
81058@@ -2725,7 +2741,10 @@ long do_mount(const char *dev_name, const char __user *dir_name,
81059 retval = do_new_mount(&path, type_page, flags, mnt_flags,
81060 dev_name, data_page);
81061 dput_out:
81062+ gr_log_mount(dev_name, &path, retval);
81063+
81064 path_put(&path);
81065+
81066 return retval;
81067 }
81068
81069@@ -2743,7 +2762,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
81070 * number incrementing at 10Ghz will take 12,427 years to wrap which
81071 * is effectively never, so we can ignore the possibility.
81072 */
81073-static atomic64_t mnt_ns_seq = ATOMIC64_INIT(1);
81074+static atomic64_unchecked_t mnt_ns_seq = ATOMIC64_INIT(1);
81075
81076 static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
81077 {
81078@@ -2759,7 +2778,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
81079 return ERR_PTR(ret);
81080 }
81081 new_ns->ns.ops = &mntns_operations;
81082- new_ns->seq = atomic64_add_return(1, &mnt_ns_seq);
81083+ new_ns->seq = atomic64_add_return_unchecked(1, &mnt_ns_seq);
81084 atomic_set(&new_ns->count, 1);
81085 new_ns->root = NULL;
81086 INIT_LIST_HEAD(&new_ns->list);
81087@@ -2769,7 +2788,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
81088 return new_ns;
81089 }
81090
81091-struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
81092+__latent_entropy struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
81093 struct user_namespace *user_ns, struct fs_struct *new_fs)
81094 {
81095 struct mnt_namespace *new_ns;
81096@@ -2890,8 +2909,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
81097 }
81098 EXPORT_SYMBOL(mount_subtree);
81099
81100-SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
81101- char __user *, type, unsigned long, flags, void __user *, data)
81102+SYSCALL_DEFINE5(mount, const char __user *, dev_name, const char __user *, dir_name,
81103+ const char __user *, type, unsigned long, flags, void __user *, data)
81104 {
81105 int ret;
81106 char *kernel_type;
81107@@ -2997,6 +3016,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
81108 if (error)
81109 goto out2;
81110
81111+ if (gr_handle_chroot_pivot()) {
81112+ error = -EPERM;
81113+ goto out2;
81114+ }
81115+
81116 get_fs_root(current->fs, &root);
81117 old_mp = lock_mount(&old);
81118 error = PTR_ERR(old_mp);
81119@@ -3298,7 +3322,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
81120 !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
81121 return -EPERM;
81122
81123- if (fs->users != 1)
81124+ if (atomic_read(&fs->users) != 1)
81125 return -EINVAL;
81126
81127 get_mnt_ns(mnt_ns);
81128diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
81129index 6b1697a..6d5787c 100644
81130--- a/fs/nfs/callback_xdr.c
81131+++ b/fs/nfs/callback_xdr.c
81132@@ -51,7 +51,7 @@ struct callback_op {
81133 callback_decode_arg_t decode_args;
81134 callback_encode_res_t encode_res;
81135 long res_maxsize;
81136-};
81137+} __do_const;
81138
81139 static struct callback_op callback_ops[];
81140
81141diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
81142index 4afbe13..a6a26ce 100644
81143--- a/fs/nfs/inode.c
81144+++ b/fs/nfs/inode.c
81145@@ -1273,16 +1273,16 @@ static int nfs_check_inode_attributes(struct inode *inode, struct nfs_fattr *fat
81146 return 0;
81147 }
81148
81149-static atomic_long_t nfs_attr_generation_counter;
81150+static atomic_long_unchecked_t nfs_attr_generation_counter;
81151
81152 static unsigned long nfs_read_attr_generation_counter(void)
81153 {
81154- return atomic_long_read(&nfs_attr_generation_counter);
81155+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
81156 }
81157
81158 unsigned long nfs_inc_attr_generation_counter(void)
81159 {
81160- return atomic_long_inc_return(&nfs_attr_generation_counter);
81161+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
81162 }
81163 EXPORT_SYMBOL_GPL(nfs_inc_attr_generation_counter);
81164
81165diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
81166index 90cfda7..e4b50df 100644
81167--- a/fs/nfsd/nfs4proc.c
81168+++ b/fs/nfsd/nfs4proc.c
81169@@ -1487,7 +1487,7 @@ struct nfsd4_operation {
81170 nfsd4op_rsize op_rsize_bop;
81171 stateid_getter op_get_currentstateid;
81172 stateid_setter op_set_currentstateid;
81173-};
81174+} __do_const;
81175
81176 static struct nfsd4_operation nfsd4_ops[];
81177
81178diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
81179index b81f725..8e36601 100644
81180--- a/fs/nfsd/nfs4xdr.c
81181+++ b/fs/nfsd/nfs4xdr.c
81182@@ -1704,7 +1704,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
81183
81184 typedef __be32(*nfsd4_dec)(struct nfsd4_compoundargs *argp, void *);
81185
81186-static nfsd4_dec nfsd4_dec_ops[] = {
81187+static const nfsd4_dec nfsd4_dec_ops[] = {
81188 [OP_ACCESS] = (nfsd4_dec)nfsd4_decode_access,
81189 [OP_CLOSE] = (nfsd4_dec)nfsd4_decode_close,
81190 [OP_COMMIT] = (nfsd4_dec)nfsd4_decode_commit,
81191diff --git a/fs/nfsd/nfscache.c b/fs/nfsd/nfscache.c
81192index 46ec934..f384e41 100644
81193--- a/fs/nfsd/nfscache.c
81194+++ b/fs/nfsd/nfscache.c
81195@@ -541,7 +541,7 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
81196 struct kvec *resv = &rqstp->rq_res.head[0], *cachv;
81197 u32 hash;
81198 struct nfsd_drc_bucket *b;
81199- int len;
81200+ long len;
81201 size_t bufsize = 0;
81202
81203 if (!rp)
81204@@ -550,11 +550,14 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
81205 hash = nfsd_cache_hash(rp->c_xid);
81206 b = &drc_hashtbl[hash];
81207
81208- len = resv->iov_len - ((char*)statp - (char*)resv->iov_base);
81209- len >>= 2;
81210+ if (statp) {
81211+ len = (char*)statp - (char*)resv->iov_base;
81212+ len = resv->iov_len - len;
81213+ len >>= 2;
81214+ }
81215
81216 /* Don't cache excessive amounts of data and XDR failures */
81217- if (!statp || len > (256 >> 2)) {
81218+ if (!statp || len > (256 >> 2) || len < 0) {
81219 nfsd_reply_cache_free(b, rp);
81220 return;
81221 }
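Review bot: The `len < 0` test added to the discard condition runs after `len >>= 2`, and right-shifting a negative signed value is implementation-defined in C, so the check depends on the compiler using an arithmetic shift. Guarding the shift keeps the sign test independent of that: inside the `if (statp)` block use `if (len > 0) len >>= 2;`, which leaves a negative length negative for the existing `len < 0` test. `resv->iov_len - len` also mixes `size_t` and `long`; a comment noting that a `statp` beyond the end of the iovec is what produces the negative value would explain the new test. nfsd_cache_update starts and ends outside this hunk.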
81222@@ -562,7 +565,7 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
81223 switch (cachetype) {
81224 case RC_REPLSTAT:
81225 if (len != 1)
81226- printk("nfsd: RC_REPLSTAT/reply len %d!\n",len);
81227+ printk("nfsd: RC_REPLSTAT/reply len %ld!\n",len);
81228 rp->c_replstat = *statp;
81229 break;
81230 case RC_REPLBUFF:
81231diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
81232index b5e077a..50cf549 100644
81233--- a/fs/nfsd/vfs.c
81234+++ b/fs/nfsd/vfs.c
81235@@ -855,7 +855,7 @@ __be32 nfsd_readv(struct file *file, loff_t offset, struct kvec *vec, int vlen,
81236
81237 oldfs = get_fs();
81238 set_fs(KERNEL_DS);
81239- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
81240+ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
81241 set_fs(oldfs);
81242 return nfsd_finish_read(file, count, host_err);
81243 }
81244@@ -942,7 +942,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
81245
81246 /* Write the data. */
81247 oldfs = get_fs(); set_fs(KERNEL_DS);
81248- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &pos);
81249+ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &pos);
81250 set_fs(oldfs);
81251 if (host_err < 0)
81252 goto out_nfserr;
81253@@ -1455,7 +1455,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp)
81254 */
81255
81256 oldfs = get_fs(); set_fs(KERNEL_DS);
81257- host_err = inode->i_op->readlink(path.dentry, (char __user *)buf, *lenp);
81258+ host_err = inode->i_op->readlink(path.dentry, (char __force_user *)buf, *lenp);
81259 set_fs(oldfs);
81260
81261 if (host_err < 0)
81262diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
81263index 52ccd34..7a6b202 100644
81264--- a/fs/nls/nls_base.c
81265+++ b/fs/nls/nls_base.c
81266@@ -234,21 +234,25 @@ EXPORT_SYMBOL(utf16s_to_utf8s);
81267
81268 int __register_nls(struct nls_table *nls, struct module *owner)
81269 {
81270- struct nls_table ** tmp = &tables;
81271+ struct nls_table *tmp = tables;
81272
81273 if (nls->next)
81274 return -EBUSY;
81275
81276- nls->owner = owner;
81277+ pax_open_kernel();
81278+ *(void **)&nls->owner = owner;
81279+ pax_close_kernel();
81280 spin_lock(&nls_lock);
81281- while (*tmp) {
81282- if (nls == *tmp) {
81283+ while (tmp) {
81284+ if (nls == tmp) {
81285 spin_unlock(&nls_lock);
81286 return -EBUSY;
81287 }
81288- tmp = &(*tmp)->next;
81289+ tmp = tmp->next;
81290 }
81291- nls->next = tables;
81292+ pax_open_kernel();
81293+ *(struct nls_table **)&nls->next = tables;
81294+ pax_close_kernel();
81295 tables = nls;
81296 spin_unlock(&nls_lock);
81297 return 0;
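Review bot: The store to `nls->owner` goes through `*(void **)`, which discards the pointee type, while the store to `nls->next` a few lines later uses a typed cast. Since `owner` is declared `struct module *` in the signature, `*(struct module **)&nls->owner = owner;` would keep the compiler checking the assignment. Both open/close windows would also benefit from a one-line comment such as `/* nls_table fields are written through a cast; presumably the struct is read-only here */`, because nothing in the hunk says why a plain assignment no longer works.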
81298@@ -257,12 +261,14 @@ EXPORT_SYMBOL(__register_nls);
81299
81300 int unregister_nls(struct nls_table * nls)
81301 {
81302- struct nls_table ** tmp = &tables;
81303+ struct nls_table * const * tmp = &tables;
81304
81305 spin_lock(&nls_lock);
81306 while (*tmp) {
81307 if (nls == *tmp) {
81308- *tmp = nls->next;
81309+ pax_open_kernel();
81310+ *(struct nls_table **)tmp = nls->next;
81311+ pax_close_kernel();
81312 spin_unlock(&nls_lock);
81313 return 0;
81314 }
81315@@ -272,7 +278,7 @@ int unregister_nls(struct nls_table * nls)
81316 return -EINVAL;
81317 }
81318
81319-static struct nls_table *find_nls(char *charset)
81320+static struct nls_table *find_nls(const char *charset)
81321 {
81322 struct nls_table *nls;
81323 spin_lock(&nls_lock);
81324@@ -288,7 +294,7 @@ static struct nls_table *find_nls(char *charset)
81325 return nls;
81326 }
81327
81328-struct nls_table *load_nls(char *charset)
81329+struct nls_table *load_nls(const char *charset)
81330 {
81331 return try_then_request_module(find_nls(charset), "nls_%s", charset);
81332 }
81333diff --git a/fs/nls/nls_euc-jp.c b/fs/nls/nls_euc-jp.c
81334index 162b3f1..6076a7c 100644
81335--- a/fs/nls/nls_euc-jp.c
81336+++ b/fs/nls/nls_euc-jp.c
81337@@ -560,8 +560,10 @@ static int __init init_nls_euc_jp(void)
81338 p_nls = load_nls("cp932");
81339
81340 if (p_nls) {
81341- table.charset2upper = p_nls->charset2upper;
81342- table.charset2lower = p_nls->charset2lower;
81343+ pax_open_kernel();
81344+ *(const unsigned char **)&table.charset2upper = p_nls->charset2upper;
81345+ *(const unsigned char **)&table.charset2lower = p_nls->charset2lower;
81346+ pax_close_kernel();
81347 return register_nls(&table);
81348 }
81349
81350diff --git a/fs/nls/nls_koi8-ru.c b/fs/nls/nls_koi8-ru.c
81351index a80a741..7b96e1b 100644
81352--- a/fs/nls/nls_koi8-ru.c
81353+++ b/fs/nls/nls_koi8-ru.c
81354@@ -62,8 +62,10 @@ static int __init init_nls_koi8_ru(void)
81355 p_nls = load_nls("koi8-u");
81356
81357 if (p_nls) {
81358- table.charset2upper = p_nls->charset2upper;
81359- table.charset2lower = p_nls->charset2lower;
81360+ pax_open_kernel();
81361+ *(const unsigned char **)&table.charset2upper = p_nls->charset2upper;
81362+ *(const unsigned char **)&table.charset2lower = p_nls->charset2lower;
81363+ pax_close_kernel();
81364 return register_nls(&table);
81365 }
81366
81367diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
81368index cf27550..6c70f29d 100644
81369--- a/fs/notify/fanotify/fanotify_user.c
81370+++ b/fs/notify/fanotify/fanotify_user.c
81371@@ -216,8 +216,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
81372
81373 fd = fanotify_event_metadata.fd;
81374 ret = -EFAULT;
81375- if (copy_to_user(buf, &fanotify_event_metadata,
81376- fanotify_event_metadata.event_len))
81377+ if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
81378+ copy_to_user(buf, &fanotify_event_metadata, fanotify_event_metadata.event_len))
81379 goto out_close_fd;
81380
81381 #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
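Review bot: An oversized `event_len` now takes the same `-EFAULT` path as a bad user pointer, so an internal length inconsistency is reported to the caller as a faulting buffer and leaves no trace in the log. The length guard is the right defence against copying past the stack object, but it should be distinguishable from a copy failure, for example `if (WARN_ON_ONCE(fanotify_event_metadata.event_len > sizeof fanotify_event_metadata) || copy_to_user(...))`. The rest of copy_event_to_user, including where `event_len` is filled in, is outside this hunk.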
81382diff --git a/fs/notify/notification.c b/fs/notify/notification.c
81383index a95d8e0..a91a5fd 100644
81384--- a/fs/notify/notification.c
81385+++ b/fs/notify/notification.c
81386@@ -48,7 +48,7 @@
81387 #include <linux/fsnotify_backend.h>
81388 #include "fsnotify.h"
81389
81390-static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
81391+static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
81392
81393 /**
81394 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
81395@@ -56,7 +56,7 @@ static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
81396 */
81397 u32 fsnotify_get_cookie(void)
81398 {
81399- return atomic_inc_return(&fsnotify_sync_cookie);
81400+ return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
81401 }
81402 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
81403
81404diff --git a/fs/ntfs/dir.c b/fs/ntfs/dir.c
81405index 9e38daf..5727cae 100644
81406--- a/fs/ntfs/dir.c
81407+++ b/fs/ntfs/dir.c
81408@@ -1310,7 +1310,7 @@ find_next_index_buffer:
81409 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
81410 ~(s64)(ndir->itype.index.block_size - 1)));
81411 /* Bounds checks. */
81412- if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
81413+ if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
81414 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
81415 "inode 0x%lx or driver bug.", vdir->i_ino);
81416 goto err_out;
81417diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
81418index 9e1e112..241a52a 100644
81419--- a/fs/ntfs/super.c
81420+++ b/fs/ntfs/super.c
81421@@ -688,7 +688,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
81422 if (!silent)
81423 ntfs_error(sb, "Primary boot sector is invalid.");
81424 } else if (!silent)
81425- ntfs_error(sb, read_err_str, "primary");
81426+ ntfs_error(sb, read_err_str, "%s", "primary");
81427 if (!(NTFS_SB(sb)->on_errors & ON_ERRORS_RECOVER)) {
81428 if (bh_primary)
81429 brelse(bh_primary);
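Review bot: The added `"%s"` is passed as a variadic argument after `read_err_str`, not as the format, so the format string is still the non-literal `read_err_str`. If that string holds a single `%s` conversion (its definition is outside the hunk), the log line would contain a literal `%s` and `"primary"` would be dropped. The two later hunks in this file make the same change for `"backup"`. Unless `ntfs_error` is redefined elsewhere in the patch to take an extra format, the call should stay `ntfs_error(sb, read_err_str, "primary");`, and any format-checking concern is better addressed where `read_err_str` is declared.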
81430@@ -704,7 +704,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
81431 goto hotfix_primary_boot_sector;
81432 brelse(bh_backup);
81433 } else if (!silent)
81434- ntfs_error(sb, read_err_str, "backup");
81435+ ntfs_error(sb, read_err_str, "%s", "backup");
81436 /* Try to read NT3.51- backup boot sector. */
81437 if ((bh_backup = sb_bread(sb, nr_blocks >> 1))) {
81438 if (is_boot_sector_ntfs(sb, (NTFS_BOOT_SECTOR*)
81439@@ -715,7 +715,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
81440 "sector.");
81441 brelse(bh_backup);
81442 } else if (!silent)
81443- ntfs_error(sb, read_err_str, "backup");
81444+ ntfs_error(sb, read_err_str, "%s", "backup");
81445 /* We failed. Cleanup and return. */
81446 if (bh_primary)
81447 brelse(bh_primary);
81448diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c
81449index 857bbbc..3c47d15 100644
81450--- a/fs/ocfs2/localalloc.c
81451+++ b/fs/ocfs2/localalloc.c
81452@@ -1320,7 +1320,7 @@ static int ocfs2_local_alloc_slide_window(struct ocfs2_super *osb,
81453 goto bail;
81454 }
81455
81456- atomic_inc(&osb->alloc_stats.moves);
81457+ atomic_inc_unchecked(&osb->alloc_stats.moves);
81458
81459 bail:
81460 if (handle)
81461diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h
81462index 690ddc6..f2d4c4d 100644
81463--- a/fs/ocfs2/ocfs2.h
81464+++ b/fs/ocfs2/ocfs2.h
81465@@ -247,11 +247,11 @@ enum ocfs2_vol_state
81466
81467 struct ocfs2_alloc_stats
81468 {
81469- atomic_t moves;
81470- atomic_t local_data;
81471- atomic_t bitmap_data;
81472- atomic_t bg_allocs;
81473- atomic_t bg_extends;
81474+ atomic_unchecked_t moves;
81475+ atomic_unchecked_t local_data;
81476+ atomic_unchecked_t bitmap_data;
81477+ atomic_unchecked_t bg_allocs;
81478+ atomic_unchecked_t bg_extends;
81479 };
81480
81481 enum ocfs2_local_alloc_state
81482diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
81483index 4479029..5de740b 100644
81484--- a/fs/ocfs2/suballoc.c
81485+++ b/fs/ocfs2/suballoc.c
81486@@ -867,7 +867,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
81487 mlog_errno(status);
81488 goto bail;
81489 }
81490- atomic_inc(&osb->alloc_stats.bg_extends);
81491+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
81492
81493 /* You should never ask for this much metadata */
81494 BUG_ON(bits_wanted >
81495@@ -2014,7 +2014,7 @@ int ocfs2_claim_metadata(handle_t *handle,
81496 mlog_errno(status);
81497 goto bail;
81498 }
81499- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81500+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81501
81502 *suballoc_loc = res.sr_bg_blkno;
81503 *suballoc_bit_start = res.sr_bit_offset;
81504@@ -2180,7 +2180,7 @@ int ocfs2_claim_new_inode_at_loc(handle_t *handle,
81505 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
81506 res->sr_bits);
81507
81508- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81509+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81510
81511 BUG_ON(res->sr_bits != 1);
81512
81513@@ -2222,7 +2222,7 @@ int ocfs2_claim_new_inode(handle_t *handle,
81514 mlog_errno(status);
81515 goto bail;
81516 }
81517- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81518+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81519
81520 BUG_ON(res.sr_bits != 1);
81521
81522@@ -2326,7 +2326,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
81523 cluster_start,
81524 num_clusters);
81525 if (!status)
81526- atomic_inc(&osb->alloc_stats.local_data);
81527+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
81528 } else {
81529 if (min_clusters > (osb->bitmap_cpg - 1)) {
81530 /* The only paths asking for contiguousness
81531@@ -2352,7 +2352,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
81532 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
81533 res.sr_bg_blkno,
81534 res.sr_bit_offset);
81535- atomic_inc(&osb->alloc_stats.bitmap_data);
81536+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
81537 *num_clusters = res.sr_bits;
81538 }
81539 }
81540diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
81541index a482e31..81b251d 100644
81542--- a/fs/ocfs2/super.c
81543+++ b/fs/ocfs2/super.c
81544@@ -308,11 +308,11 @@ static int ocfs2_osb_dump(struct ocfs2_super *osb, char *buf, int len)
81545 "%10s => GlobalAllocs: %d LocalAllocs: %d "
81546 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
81547 "Stats",
81548- atomic_read(&osb->alloc_stats.bitmap_data),
81549- atomic_read(&osb->alloc_stats.local_data),
81550- atomic_read(&osb->alloc_stats.bg_allocs),
81551- atomic_read(&osb->alloc_stats.moves),
81552- atomic_read(&osb->alloc_stats.bg_extends));
81553+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
81554+ atomic_read_unchecked(&osb->alloc_stats.local_data),
81555+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
81556+ atomic_read_unchecked(&osb->alloc_stats.moves),
81557+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
81558
81559 out += snprintf(buf + out, len - out,
81560 "%10s => State: %u Descriptor: %llu Size: %u bits "
81561@@ -2095,11 +2095,11 @@ static int ocfs2_initialize_super(struct super_block *sb,
81562
81563 mutex_init(&osb->system_file_mutex);
81564
81565- atomic_set(&osb->alloc_stats.moves, 0);
81566- atomic_set(&osb->alloc_stats.local_data, 0);
81567- atomic_set(&osb->alloc_stats.bitmap_data, 0);
81568- atomic_set(&osb->alloc_stats.bg_allocs, 0);
81569- atomic_set(&osb->alloc_stats.bg_extends, 0);
81570+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
81571+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
81572+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
81573+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
81574+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
81575
81576 /* Copy the blockcheck stats from the superblock probe */
81577 osb->osb_ecc_stats = *stats;
81578diff --git a/fs/open.c b/fs/open.c
81579index e33dab2..cdbdad9 100644
81580--- a/fs/open.c
81581+++ b/fs/open.c
81582@@ -32,6 +32,8 @@
81583 #include <linux/dnotify.h>
81584 #include <linux/compat.h>
81585
81586+#define CREATE_TRACE_POINTS
81587+#include <trace/events/fs.h>
81588 #include "internal.h"
81589
81590 int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
81591@@ -105,6 +107,8 @@ long vfs_truncate(struct path *path, loff_t length)
81592 error = locks_verify_truncate(inode, NULL, length);
81593 if (!error)
81594 error = security_path_truncate(path);
81595+ if (!error && !gr_acl_handle_truncate(path->dentry, path->mnt))
81596+ error = -EACCES;
81597 if (!error)
81598 error = do_truncate(path->dentry, length, 0, NULL);
81599
81600@@ -189,6 +193,8 @@ static long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
81601 error = locks_verify_truncate(inode, f.file, length);
81602 if (!error)
81603 error = security_path_truncate(&f.file->f_path);
81604+ if (!error && !gr_acl_handle_truncate(f.file->f_path.dentry, f.file->f_path.mnt))
81605+ error = -EACCES;
81606 if (!error)
81607 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, f.file);
81608 sb_end_write(inode->i_sb);
81609@@ -398,6 +404,9 @@ retry:
81610 if (__mnt_is_readonly(path.mnt))
81611 res = -EROFS;
81612
81613+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
81614+ res = -EACCES;
81615+
81616 out_path_release:
81617 path_put(&path);
81618 if (retry_estale(res, lookup_flags)) {
81619@@ -429,6 +438,8 @@ retry:
81620 if (error)
81621 goto dput_and_out;
81622
81623+ gr_log_chdir(path.dentry, path.mnt);
81624+
81625 set_fs_pwd(current->fs, &path);
81626
81627 dput_and_out:
81628@@ -458,6 +469,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd)
81629 goto out_putf;
81630
81631 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
81632+
81633+ if (!error && !gr_chroot_fchdir(f.file->f_path.dentry, f.file->f_path.mnt))
81634+ error = -EPERM;
81635+
81636+ if (!error)
81637+ gr_log_chdir(f.file->f_path.dentry, f.file->f_path.mnt);
81638+
81639 if (!error)
81640 set_fs_pwd(current->fs, &f.file->f_path);
81641 out_putf:
81642@@ -487,7 +505,13 @@ retry:
81643 if (error)
81644 goto dput_and_out;
81645
81646+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
81647+ goto dput_and_out;
81648+
81649 set_fs_root(current->fs, &path);
81650+
81651+ gr_handle_chroot_chdir(&path);
81652+
81653 error = 0;
81654 dput_and_out:
81655 path_put(&path);
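Review bot: When `gr_handle_chroot_chroot()` rejects the request, the new `goto dput_and_out;` leaves `error` at the value it had after the preceding `if (error)` test, which is 0. As far as the hunk shows, a denied chroot would therefore return success without `set_fs_root()` having run, and a caller that relies on the return value would wrongly believe it is confined to the new root. Setting `error = -EPERM;` inside a braced body before the `goto` would make the denial visible. If silent success is intentional, a comment at that line should say so.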
81656@@ -511,6 +535,16 @@ static int chmod_common(struct path *path, umode_t mode)
81657 return error;
81658 retry_deleg:
81659 mutex_lock(&inode->i_mutex);
81660+
81661+ if (!gr_acl_handle_chmod(path->dentry, path->mnt, &mode)) {
81662+ error = -EACCES;
81663+ goto out_unlock;
81664+ }
81665+ if (gr_handle_chroot_chmod(path->dentry, path->mnt, mode)) {
81666+ error = -EACCES;
81667+ goto out_unlock;
81668+ }
81669+
81670 error = security_path_chmod(path, mode);
81671 if (error)
81672 goto out_unlock;
81673@@ -576,6 +610,9 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
81674 uid = make_kuid(current_user_ns(), user);
81675 gid = make_kgid(current_user_ns(), group);
81676
81677+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
81678+ return -EACCES;
81679+
81680 retry_deleg:
81681 newattrs.ia_valid = ATTR_CTIME;
81682 if (user != (uid_t) -1) {
81683@@ -1029,6 +1066,7 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
81684 } else {
81685 fsnotify_open(f);
81686 fd_install(fd, f);
81687+ trace_do_sys_open(tmp->name, flags, mode);
81688 }
81689 }
81690 putname(tmp);
81691diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
81692index d9da5a4..7ced3c7 100644
81693--- a/fs/overlayfs/inode.c
81694+++ b/fs/overlayfs/inode.c
81695@@ -346,6 +346,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
81696 if (d_is_dir(dentry))
81697 return d_backing_inode(dentry);
81698
81699+ if (d_is_dir(dentry))
81700+ return d_backing_inode(dentry);
81701+
81702 type = ovl_path_real(dentry, &realpath);
81703 if (ovl_open_need_copy_up(file_flags, type, realpath.dentry)) {
81704 err = ovl_want_write(dentry);
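Review bot: The three added lines repeat the `if (d_is_dir(dentry)) return d_backing_inode(dentry);` test that already sits directly above them as context, so the second copy can never be taken. It looks like a leftover from rebasing a fix that upstream has since merged. Dropping the added `if`/`return` pair leaves the behaviour unchanged and avoids suggesting that the two checks differ.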
81705diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
81706index 79073d6..0eb5c27 100644
81707--- a/fs/overlayfs/super.c
81708+++ b/fs/overlayfs/super.c
81709@@ -172,7 +172,7 @@ void ovl_path_lower(struct dentry *dentry, struct path *path)
81710 {
81711 struct ovl_entry *oe = dentry->d_fsdata;
81712
81713- *path = oe->numlower ? oe->lowerstack[0] : (struct path) { NULL, NULL };
81714+ *path = oe->numlower ? oe->lowerstack[0] : (struct path) { .dentry = NULL, .mnt = NULL };
81715 }
81716
81717 int ovl_want_write(struct dentry *dentry)
81718@@ -879,8 +879,8 @@ static unsigned int ovl_split_lowerdirs(char *str)
81719
81720 static int ovl_fill_super(struct super_block *sb, void *data, int silent)
81721 {
81722- struct path upperpath = { NULL, NULL };
81723- struct path workpath = { NULL, NULL };
81724+ struct path upperpath = { .dentry = NULL, .mnt = NULL };
81725+ struct path workpath = { .dentry = NULL, .mnt = NULL };
81726 struct dentry *root_dentry;
81727 struct ovl_entry *oe;
81728 struct ovl_fs *ufs;
81729diff --git a/fs/pipe.c b/fs/pipe.c
81730index 8865f79..bd2c79b 100644
81731--- a/fs/pipe.c
81732+++ b/fs/pipe.c
81733@@ -36,7 +36,7 @@ unsigned int pipe_max_size = 1048576;
81734 /*
81735 * Minimum pipe size, as required by POSIX
81736 */
81737-unsigned int pipe_min_size = PAGE_SIZE;
81738+unsigned int pipe_min_size __read_only = PAGE_SIZE;
81739
81740 /*
81741 * We use a start+len construction, which provides full use of the
81742@@ -55,7 +55,7 @@ unsigned int pipe_min_size = PAGE_SIZE;
81743
81744 static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
81745 {
81746- if (pipe->files)
81747+ if (atomic_read(&pipe->files))
81748 mutex_lock_nested(&pipe->mutex, subclass);
81749 }
81750
81751@@ -70,7 +70,7 @@ EXPORT_SYMBOL(pipe_lock);
81752
81753 void pipe_unlock(struct pipe_inode_info *pipe)
81754 {
81755- if (pipe->files)
81756+ if (atomic_read(&pipe->files))
81757 mutex_unlock(&pipe->mutex);
81758 }
81759 EXPORT_SYMBOL(pipe_unlock);
81760@@ -291,9 +291,9 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to)
81761 }
81762 if (bufs) /* More to do? */
81763 continue;
81764- if (!pipe->writers)
81765+ if (!atomic_read(&pipe->writers))
81766 break;
81767- if (!pipe->waiting_writers) {
81768+ if (!atomic_read(&pipe->waiting_writers)) {
81769 /* syscall merging: Usually we must not sleep
81770 * if O_NONBLOCK is set, or if we got some data.
81771 * But if a writer sleeps in kernel space, then
81772@@ -350,7 +350,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
81773
81774 __pipe_lock(pipe);
81775
81776- if (!pipe->readers) {
81777+ if (!atomic_read(&pipe->readers)) {
81778 send_sig(SIGPIPE, current, 0);
81779 ret = -EPIPE;
81780 goto out;
81781@@ -386,7 +386,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
81782 for (;;) {
81783 int bufs;
81784
81785- if (!pipe->readers) {
81786+ if (!atomic_read(&pipe->readers)) {
81787 send_sig(SIGPIPE, current, 0);
81788 if (!ret)
81789 ret = -EPIPE;
81790@@ -454,9 +454,9 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
81791 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
81792 do_wakeup = 0;
81793 }
81794- pipe->waiting_writers++;
81795+ atomic_inc(&pipe->waiting_writers);
81796 pipe_wait(pipe);
81797- pipe->waiting_writers--;
81798+ atomic_dec(&pipe->waiting_writers);
81799 }
81800 out:
81801 __pipe_unlock(pipe);
81802@@ -511,7 +511,7 @@ pipe_poll(struct file *filp, poll_table *wait)
81803 mask = 0;
81804 if (filp->f_mode & FMODE_READ) {
81805 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
81806- if (!pipe->writers && filp->f_version != pipe->w_counter)
81807+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
81808 mask |= POLLHUP;
81809 }
81810
81811@@ -521,7 +521,7 @@ pipe_poll(struct file *filp, poll_table *wait)
81812 * Most Unices do not set POLLERR for FIFOs but on Linux they
81813 * behave exactly like pipes for poll().
81814 */
81815- if (!pipe->readers)
81816+ if (!atomic_read(&pipe->readers))
81817 mask |= POLLERR;
81818 }
81819
81820@@ -533,7 +533,7 @@ static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe)
81821 int kill = 0;
81822
81823 spin_lock(&inode->i_lock);
81824- if (!--pipe->files) {
81825+ if (atomic_dec_and_test(&pipe->files)) {
81826 inode->i_pipe = NULL;
81827 kill = 1;
81828 }
81829@@ -550,11 +550,11 @@ pipe_release(struct inode *inode, struct file *file)
81830
81831 __pipe_lock(pipe);
81832 if (file->f_mode & FMODE_READ)
81833- pipe->readers--;
81834+ atomic_dec(&pipe->readers);
81835 if (file->f_mode & FMODE_WRITE)
81836- pipe->writers--;
81837+ atomic_dec(&pipe->writers);
81838
81839- if (pipe->readers || pipe->writers) {
81840+ if (atomic_read(&pipe->readers) || atomic_read(&pipe->writers)) {
81841 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
81842 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
81843 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
81844@@ -619,7 +619,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
81845 kfree(pipe);
81846 }
81847
81848-static struct vfsmount *pipe_mnt __read_mostly;
81849+struct vfsmount *pipe_mnt __read_mostly;
81850
81851 /*
81852 * pipefs_dname() is called from d_path().
81853@@ -649,8 +649,9 @@ static struct inode * get_pipe_inode(void)
81854 goto fail_iput;
81855
81856 inode->i_pipe = pipe;
81857- pipe->files = 2;
81858- pipe->readers = pipe->writers = 1;
81859+ atomic_set(&pipe->files, 2);
81860+ atomic_set(&pipe->readers, 1);
81861+ atomic_set(&pipe->writers, 1);
81862 inode->i_fop = &pipefifo_fops;
81863
81864 /*
81865@@ -829,17 +830,17 @@ static int fifo_open(struct inode *inode, struct file *filp)
81866 spin_lock(&inode->i_lock);
81867 if (inode->i_pipe) {
81868 pipe = inode->i_pipe;
81869- pipe->files++;
81870+ atomic_inc(&pipe->files);
81871 spin_unlock(&inode->i_lock);
81872 } else {
81873 spin_unlock(&inode->i_lock);
81874 pipe = alloc_pipe_info();
81875 if (!pipe)
81876 return -ENOMEM;
81877- pipe->files = 1;
81878+ atomic_set(&pipe->files, 1);
81879 spin_lock(&inode->i_lock);
81880 if (unlikely(inode->i_pipe)) {
81881- inode->i_pipe->files++;
81882+ atomic_inc(&inode->i_pipe->files);
81883 spin_unlock(&inode->i_lock);
81884 free_pipe_info(pipe);
81885 pipe = inode->i_pipe;
81886@@ -864,10 +865,10 @@ static int fifo_open(struct inode *inode, struct file *filp)
81887 * opened, even when there is no process writing the FIFO.
81888 */
81889 pipe->r_counter++;
81890- if (pipe->readers++ == 0)
81891+ if (atomic_inc_return(&pipe->readers) == 1)
81892 wake_up_partner(pipe);
81893
81894- if (!is_pipe && !pipe->writers) {
81895+ if (!is_pipe && !atomic_read(&pipe->writers)) {
81896 if ((filp->f_flags & O_NONBLOCK)) {
81897 /* suppress POLLHUP until we have
81898 * seen a writer */
81899@@ -886,14 +887,14 @@ static int fifo_open(struct inode *inode, struct file *filp)
81900 * errno=ENXIO when there is no process reading the FIFO.
81901 */
81902 ret = -ENXIO;
81903- if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !pipe->readers)
81904+ if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
81905 goto err;
81906
81907 pipe->w_counter++;
81908- if (!pipe->writers++)
81909+ if (atomic_inc_return(&pipe->writers) == 1)
81910 wake_up_partner(pipe);
81911
81912- if (!is_pipe && !pipe->readers) {
81913+ if (!is_pipe && !atomic_read(&pipe->readers)) {
81914 if (wait_for_partner(pipe, &pipe->r_counter))
81915 goto err_wr;
81916 }
81917@@ -907,11 +908,11 @@ static int fifo_open(struct inode *inode, struct file *filp)
81918 * the process can at least talk to itself.
81919 */
81920
81921- pipe->readers++;
81922- pipe->writers++;
81923+ atomic_inc(&pipe->readers);
81924+ atomic_inc(&pipe->writers);
81925 pipe->r_counter++;
81926 pipe->w_counter++;
81927- if (pipe->readers == 1 || pipe->writers == 1)
81928+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
81929 wake_up_partner(pipe);
81930 break;
81931
81932@@ -925,13 +926,13 @@ static int fifo_open(struct inode *inode, struct file *filp)
81933 return 0;
81934
81935 err_rd:
81936- if (!--pipe->readers)
81937+ if (atomic_dec_and_test(&pipe->readers))
81938 wake_up_interruptible(&pipe->wait);
81939 ret = -ERESTARTSYS;
81940 goto err;
81941
81942 err_wr:
81943- if (!--pipe->writers)
81944+ if (atomic_dec_and_test(&pipe->writers))
81945 wake_up_interruptible(&pipe->wait);
81946 ret = -ERESTARTSYS;
81947 goto err;
81948@@ -1007,7 +1008,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
81949 * Currently we rely on the pipe array holding a power-of-2 number
81950 * of pages.
81951 */
81952-static inline unsigned int round_pipe_size(unsigned int size)
81953+static inline unsigned long round_pipe_size(unsigned long size)
81954 {
81955 unsigned long nr_pages;
81956
81957@@ -1055,13 +1056,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
81958
81959 switch (cmd) {
81960 case F_SETPIPE_SZ: {
81961- unsigned int size, nr_pages;
81962+ unsigned long size, nr_pages;
81963+
81964+ ret = -EINVAL;
81965+ if (arg < pipe_min_size)
81966+ goto out;
81967
81968 size = round_pipe_size(arg);
81969 nr_pages = size >> PAGE_SHIFT;
81970
81971- ret = -EINVAL;
81972- if (!nr_pages)
81973+ if (size < pipe_min_size)
81974 goto out;
81975
81976 if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
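Review bot: The two `pipe_min_size` comparisons have different purposes and neither is explained: the first rejects a small request outright, and the second presumably catches a result that wrapped inside `round_pipe_size()`, whose body is outside this hunk. A comment on the second test, such as `/* size wrapped while rounding up */`, would stop it being removed as redundant. The first test also changes what userspace sees: the old code rejected only a zero page count, so a request below `pipe_min_size` that appears to have been rounded up before now fails with `-EINVAL`, which deserves a mention in the change description.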
81977diff --git a/fs/posix_acl.c b/fs/posix_acl.c
81978index 4fb17de..13d8c0f 100644
81979--- a/fs/posix_acl.c
81980+++ b/fs/posix_acl.c
81981@@ -20,6 +20,7 @@
81982 #include <linux/xattr.h>
81983 #include <linux/export.h>
81984 #include <linux/user_namespace.h>
81985+#include <linux/grsecurity.h>
81986
81987 struct posix_acl **acl_by_type(struct inode *inode, int type)
81988 {
81989@@ -277,7 +278,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p)
81990 }
81991 }
81992 if (mode_p)
81993- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
81994+ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
81995 return not_equiv;
81996 }
81997 EXPORT_SYMBOL(posix_acl_equiv_mode);
81998@@ -427,7 +428,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
81999 mode &= (group_obj->e_perm << 3) | ~S_IRWXG;
82000 }
82001
82002- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
82003+ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
82004 return not_equiv;
82005 }
82006
82007@@ -485,6 +486,8 @@ __posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p)
82008 struct posix_acl *clone = posix_acl_clone(*acl, gfp);
82009 int err = -ENOMEM;
82010 if (clone) {
82011+ *mode_p &= ~gr_acl_umask();
82012+
82013 err = posix_acl_create_masq(clone, mode_p);
82014 if (err < 0) {
82015 posix_acl_release(clone);
82016@@ -657,11 +660,12 @@ struct posix_acl *
82017 posix_acl_from_xattr(struct user_namespace *user_ns,
82018 const void *value, size_t size)
82019 {
82020- posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
82021- posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
82022+ const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
82023+ const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
82024 int count;
82025 struct posix_acl *acl;
82026 struct posix_acl_entry *acl_e;
82027+ umode_t umask = gr_acl_umask();
82028
82029 if (!value)
82030 return NULL;
82031@@ -687,12 +691,18 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
82032
82033 switch(acl_e->e_tag) {
82034 case ACL_USER_OBJ:
82035+ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
82036+ break;
82037 case ACL_GROUP_OBJ:
82038 case ACL_MASK:
82039+ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
82040+ break;
82041 case ACL_OTHER:
82042+ acl_e->e_perm &= ~(umask & S_IRWXO);
82043 break;
82044
82045 case ACL_USER:
82046+ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
82047 acl_e->e_uid =
82048 make_kuid(user_ns,
82049 le32_to_cpu(entry->e_id));
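Review bot: The switch now masks each entry with a different triplet of `umask`, and the mapping is not documented: `ACL_USER` is cut by the owner bits (`S_IRWXU >> 6`) while `ACL_MASK` and `ACL_GROUP` are cut by the group bits. Named-user entries are conventionally treated as part of the group class, so a reader cannot tell whether pairing them with the owner bits is deliberate. A short comment above the switch stating which umask triplet applies to which tag, and why, would settle that. The shifts 6 and 3 would also read better as named constants. The switch continues in the next hunk, where `ACL_GROUP` is handled.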
82050@@ -700,6 +710,7 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
82051 goto fail;
82052 break;
82053 case ACL_GROUP:
82054+ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
82055 acl_e->e_gid =
82056 make_kgid(user_ns,
82057 le32_to_cpu(entry->e_id));
82058diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
82059index 1ade120..a86f1a2 100644
82060--- a/fs/proc/Kconfig
82061+++ b/fs/proc/Kconfig
82062@@ -30,7 +30,7 @@ config PROC_FS
82063
82064 config PROC_KCORE
82065 bool "/proc/kcore support" if !ARM
82066- depends on PROC_FS && MMU
82067+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
82068 help
82069 Provides a virtual ELF core file of the live kernel. This can
82070 be read with gdb and other ELF tools. No modifications can be
82071@@ -38,8 +38,8 @@ config PROC_KCORE
82072
82073 config PROC_VMCORE
82074 bool "/proc/vmcore support"
82075- depends on PROC_FS && CRASH_DUMP
82076- default y
82077+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
82078+ default n
82079 help
82080 Exports the dump image of crashed kernel in ELF format.
82081
82082@@ -63,8 +63,8 @@ config PROC_SYSCTL
82083 limited in memory.
82084
82085 config PROC_PAGE_MONITOR
82086- default y
82087- depends on PROC_FS && MMU
82088+ default n
82089+ depends on PROC_FS && MMU && !GRKERNSEC
82090 bool "Enable /proc page monitoring" if EXPERT
82091 help
82092 Various /proc files exist to monitor process memory utilization:
82093diff --git a/fs/proc/array.c b/fs/proc/array.c
82094index ce065cf..8974fed 100644
82095--- a/fs/proc/array.c
82096+++ b/fs/proc/array.c
82097@@ -60,6 +60,7 @@
82098 #include <linux/tty.h>
82099 #include <linux/string.h>
82100 #include <linux/mman.h>
82101+#include <linux/grsecurity.h>
82102 #include <linux/proc_fs.h>
82103 #include <linux/ioport.h>
82104 #include <linux/uaccess.h>
82105@@ -348,6 +349,21 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task)
82106 cpumask_pr_args(&task->cpus_allowed));
82107 }
82108
82109+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
82110+static inline void task_pax(struct seq_file *m, struct task_struct *p)
82111+{
82112+ if (p->mm)
82113+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
82114+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
82115+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
82116+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
82117+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
82118+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
82119+ else
82120+ seq_printf(m, "PaX:\t-----\n");
82121+}
82122+#endif
82123+
82124 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
82125 struct pid *pid, struct task_struct *task)
82126 {
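Review bot: `task_pax()` tests `p->mm` and then dereferences it five more times without holding a reference, so a target task that exits between the test and a later read could leave a NULL or stale `mm` under the `seq_printf()` arguments. Unless a caller-held lock outside this hunk already pins it, the function should take the mm once with `get_task_mm()` and release it with `mmput()`, reading `pax_flags` only through that local pointer. The rewritten function is below; the flag letters are unchanged.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```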
82127@@ -366,9 +382,24 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
82128 task_cpus_allowed(m, task);
82129 cpuset_task_status_allowed(m, task);
82130 task_context_switch_counts(m, task);
82131+
82132+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
82133+ task_pax(m, task);
82134+#endif
82135+
82136+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
82137+ task_grsec_rbac(m, task);
82138+#endif
82139+
82140 return 0;
82141 }
82142
82143+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82144+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
82145+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
82146+ _mm->pax_flags & MF_PAX_SEGMEXEC))
82147+#endif
82148+
82149 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82150 struct pid *pid, struct task_struct *task, int whole)
82151 {
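Review bot: PAX_RAND_FLAGS is defined here and again, token for token, in the fs/proc/base.c hunk ahead of proc_pid_auxv, and it expands `_mm` four times without parentheses. A single definition in a header both files already include (fs/proc/internal.h is patched further down) would keep the two copies from drifting. The parenthesised form would be `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. A one-line comment that the macro is true only for another task's mm with RANDMMAP or SEGMEXEC set would explain the `!= current->mm` term.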
82152@@ -390,6 +421,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82153 char tcomm[sizeof(task->comm)];
82154 unsigned long flags;
82155
82156+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82157+ if (current->exec_id != m->exec_id) {
82158+ gr_log_badprocpid("stat");
82159+ return 0;
82160+ }
82161+#endif
82162+
82163 state = *get_task_state(task);
82164 vsize = eip = esp = 0;
82165 permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
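Review bot: The `current->exec_id != m->exec_id` test has no comment saying what it protects, and it answers a mismatch with `return 0`, so the reader sees an empty file rather than an error. The gr_log_badprocpid() entry is then the only place the refusal is visible, which is worth stating for whoever triages those log lines. A comment such as `/* refuse reads through a seq_file that was opened under a different exec_id than the reader has now */` would cover it. The same unexplained pattern appears in the proc_pid_statm hunk below and, against `file->f_version`, in the mem_rw and environ_read hunks of fs/proc/base.c. do_task_stat's body continues outside this hunk.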
82166@@ -460,6 +498,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82167 gtime = task_gtime(task);
82168 }
82169
82170+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82171+ if (PAX_RAND_FLAGS(mm)) {
82172+ eip = 0;
82173+ esp = 0;
82174+ wchan = 0;
82175+ }
82176+#endif
82177+#ifdef CONFIG_GRKERNSEC_HIDESYM
82178+ wchan = 0;
82179+ eip =0;
82180+ esp =0;
82181+#endif
82182+
82183 /* scale priority and nice values from timeslices to -20..20 */
82184 /* to make it look like a "normal" Unix priority/nice value */
82185 priority = task_prio(task);
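Review bot: With CONFIG_GRKERNSEC_HIDESYM set, the second block zeroes wchan, eip and esp unconditionally, so the PAX_RAND_FLAGS block above it changes nothing in that configuration. Writing the pair as `#if defined(CONFIG_GRKERNSEC_HIDESYM)` … `#elif defined(CONFIG_GRKERNSEC_PROC_MEMMAP)` … `#endif` would say that directly. The new assignments `eip =0;` and `esp =0;` also lack the space after `=` that the block just above uses.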
82186@@ -491,9 +542,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82187 seq_put_decimal_ull(m, ' ', vsize);
82188 seq_put_decimal_ull(m, ' ', mm ? get_mm_rss(mm) : 0);
82189 seq_put_decimal_ull(m, ' ', rsslim);
82190+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82191+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0));
82192+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0));
82193+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0));
82194+#else
82195 seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->start_code : 1) : 0);
82196 seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->end_code : 1) : 0);
82197 seq_put_decimal_ull(m, ' ', (permitted && mm) ? mm->start_stack : 0);
82198+#endif
82199 seq_put_decimal_ull(m, ' ', esp);
82200 seq_put_decimal_ull(m, ' ', eip);
82201 /* The signal information here is obsolete.
82202@@ -515,7 +572,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82203 seq_put_decimal_ull(m, ' ', cputime_to_clock_t(gtime));
82204 seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cgtime));
82205
82206- if (mm && permitted) {
82207+ if (mm && permitted
82208+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82209+ && !PAX_RAND_FLAGS(mm)
82210+#endif
82211+ ) {
82212 seq_put_decimal_ull(m, ' ', mm->start_data);
82213 seq_put_decimal_ull(m, ' ', mm->end_data);
82214 seq_put_decimal_ull(m, ' ', mm->start_brk);
82215@@ -553,8 +614,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
82216 struct pid *pid, struct task_struct *task)
82217 {
82218 unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0;
82219- struct mm_struct *mm = get_task_mm(task);
82220+ struct mm_struct *mm;
82221
82222+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82223+ if (current->exec_id != m->exec_id) {
82224+ gr_log_badprocpid("statm");
82225+ return 0;
82226+ }
82227+#endif
82228+ mm = get_task_mm(task);
82229 if (mm) {
82230 size = task_statm(mm, &shared, &text, &data, &resident);
82231 mmput(mm);
82232@@ -577,6 +645,20 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
82233 return 0;
82234 }
82235
82236+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
82237+int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task)
82238+{
82239+ unsigned long flags;
82240+ u32 curr_ip = 0;
82241+
82242+ if (lock_task_sighand(task, &flags)) {
82243+ curr_ip = task->signal->curr_ip;
82244+ unlock_task_sighand(task, &flags);
82245+ }
82246+ return seq_printf(m, "%pI4\n", &curr_ip);
82247+}
82248+#endif
82249+
82250 #ifdef CONFIG_PROC_CHILDREN
82251 static struct pid *
82252 get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
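Review bot: proc_pid_ipaddr() returns whatever seq_printf() returns, whereas proc_pid_status and proc_pid_statm in the same file end with `return 0;`. If seq_printf() reports a full buffer with a non-zero value in this kernel version, that value would reach the seq_file core as a show-handler error instead of letting the core handle the overflow. Ending the function with `seq_printf(m, "%pI4\n", &curr_ip);` followed by `return 0;` matches the other handlers. The function would also benefit from a comment that curr_ip is read under the sighand lock and stays 0 when the lock cannot be taken.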
82253diff --git a/fs/proc/base.c b/fs/proc/base.c
82254index aa50d1a..7a62b7a 100644
82255--- a/fs/proc/base.c
82256+++ b/fs/proc/base.c
82257@@ -113,6 +113,14 @@ struct pid_entry {
82258 union proc_op op;
82259 };
82260
82261+struct getdents_callback {
82262+ struct linux_dirent __user * current_dir;
82263+ struct linux_dirent __user * previous;
82264+ struct file * file;
82265+ int count;
82266+ int error;
82267+};
82268+
82269 #define NOD(NAME, MODE, IOP, FOP, OP) { \
82270 .name = (NAME), \
82271 .len = sizeof(NAME) - 1, \
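Review bot: Nothing in the fs/proc/base.c hunks on this page refers to struct getdents_callback, so the new definition looks unused in this file. If it is left over from an earlier version of the patch it can be dropped; if something does use it, a comment naming that user would help. The members are also written `struct file * file`, with a space on both sides of the `*`, which differs from the surrounding declarations.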
82272@@ -224,6 +232,11 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
82273 goto out_mmput;
82274 }
82275
82276+ if (gr_acl_handle_procpidmem(tsk)) {
82277+ rv = 0;
82278+ goto out_mmput;
82279+ }
82280+
82281 page = (char *)__get_free_page(GFP_TEMPORARY);
82282 if (!page) {
82283 rv = -ENOMEM;
82284@@ -400,12 +413,28 @@ static const struct file_operations proc_pid_cmdline_ops = {
82285 .llseek = generic_file_llseek,
82286 };
82287
82288+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82289+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
82290+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
82291+ _mm->pax_flags & MF_PAX_SEGMEXEC))
82292+#endif
82293+
82294 static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns,
82295 struct pid *pid, struct task_struct *task)
82296 {
82297 struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
82298 if (mm && !IS_ERR(mm)) {
82299 unsigned int nwords = 0;
82300+
82301+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82302+ /* allow if we're currently ptracing this task */
82303+ if (PAX_RAND_FLAGS(mm) &&
82304+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
82305+ mmput(mm);
82306+ return 0;
82307+ }
82308+#endif
82309+
82310 do {
82311 nwords += 2;
82312 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
82313@@ -417,7 +446,7 @@ static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns,
82314 }
82315
82316
82317-#ifdef CONFIG_KALLSYMS
82318+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82319 /*
82320 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
82321 * Returns the resolved symbol. If that fails, simply return the address.
82322@@ -459,7 +488,7 @@ static void unlock_trace(struct task_struct *task)
82323 mutex_unlock(&task->signal->cred_guard_mutex);
82324 }
82325
82326-#ifdef CONFIG_STACKTRACE
82327+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82328
82329 #define MAX_STACK_TRACE_DEPTH 64
82330
82331@@ -657,7 +686,7 @@ static int proc_pid_limits(struct seq_file *m, struct pid_namespace *ns,
82332 return 0;
82333 }
82334
82335-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
82336+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
82337 static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
82338 struct pid *pid, struct task_struct *task)
82339 {
82340@@ -690,7 +719,7 @@ static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
82341 /************************************************************************/
82342
82343 /* permission checks */
82344-static int proc_fd_access_allowed(struct inode *inode)
82345+static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
82346 {
82347 struct task_struct *task;
82348 int allowed = 0;
82349@@ -700,7 +729,10 @@ static int proc_fd_access_allowed(struct inode *inode)
82350 */
82351 task = get_proc_task(inode);
82352 if (task) {
82353- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
82354+ if (log)
82355+ allowed = ptrace_may_access(task, PTRACE_MODE_READ);
82356+ else
82357+ allowed = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
82358 put_task_struct(task);
82359 }
82360 return allowed;
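Review bot: The two branches differ only in the PTRACE_MODE_NOAUDIT bit, so the if/else can be one call: `allowed = ptrace_may_access(task, log ? PTRACE_MODE_READ : (PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT));`. The new `log` parameter is only ever passed 0 or 1 in the callers shown below, so `bool log` would state the intent. A short comment on the parameter would tell future callers that 0 suppresses the audit record for a denied access. The function's signature is in the previous hunk.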
82361@@ -731,10 +763,35 @@ static bool has_pid_permissions(struct pid_namespace *pid,
82362 struct task_struct *task,
82363 int hide_pid_min)
82364 {
82365+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
82366+ return false;
82367+
82368+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82369+ rcu_read_lock();
82370+ {
82371+ const struct cred *tmpcred = current_cred();
82372+ const struct cred *cred = __task_cred(task);
82373+
82374+ if (uid_eq(tmpcred->uid, GLOBAL_ROOT_UID) || uid_eq(tmpcred->uid, cred->uid)
82375+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82376+ || in_group_p(grsec_proc_gid)
82377+#endif
82378+ ) {
82379+ rcu_read_unlock();
82380+ return true;
82381+ }
82382+ }
82383+ rcu_read_unlock();
82384+
82385+ if (!pid->hide_pid)
82386+ return false;
82387+#endif
82388+
82389 if (pid->hide_pid < hide_pid_min)
82390 return true;
82391 if (in_group_p(pid->pid_gid))
82392 return true;
82393+
82394 return ptrace_may_access(task, PTRACE_MODE_READ);
82395 }
82396
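Review bot: The block added under CONFIG_GRKERNSEC_PROC_USER / CONFIG_GRKERNSEC_PROC_USERGROUP changes what hide_pid == 0 means, and nothing in the function says so. A caller who is not root, does not share the task's uid and is not in grsec_proc_gid is now refused outright when hide_pid is 0. Only when hide_pid is non-zero do the original hide_pid_min, pid_gid and ptrace checks decide. A comment ahead of the block along the lines of `/* root, same-uid callers and members of the proc group always pass; with hide_pid == 0 everyone else is refused */` would document that. Only `__task_cred(task)` needs the rcu_read_lock(); the bare `{ }` scope and the early unlock-and-return could be replaced by computing a local bool inside the locked region.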
82397@@ -752,7 +809,11 @@ static int proc_pid_permission(struct inode *inode, int mask)
82398 put_task_struct(task);
82399
82400 if (!has_perms) {
82401+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82402+ {
82403+#else
82404 if (pid->hide_pid == 2) {
82405+#endif
82406 /*
82407 * Let's make getdents(), stat(), and open()
82408 * consistent with each other. If a process
82409@@ -813,6 +874,10 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
82410
82411 if (task) {
82412 mm = mm_access(task, mode);
82413+ if (!IS_ERR_OR_NULL(mm) && gr_acl_handle_procpidmem(task)) {
82414+ mmput(mm);
82415+ mm = ERR_PTR(-EPERM);
82416+ }
82417 put_task_struct(task);
82418
82419 if (!IS_ERR_OR_NULL(mm)) {
82420@@ -834,6 +899,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
82421 return PTR_ERR(mm);
82422
82423 file->private_data = mm;
82424+
82425+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82426+ file->f_version = current->exec_id;
82427+#endif
82428+
82429 return 0;
82430 }
82431
82432@@ -855,6 +925,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
82433 ssize_t copied;
82434 char *page;
82435
82436+#ifdef CONFIG_GRKERNSEC
82437+ if (write)
82438+ return -EPERM;
82439+#endif
82440+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82441+ if (file->f_version != current->exec_id) {
82442+ gr_log_badprocpid("mem");
82443+ return 0;
82444+ }
82445+#endif
82446+
82447 if (!mm)
82448 return 0;
82449
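Review bot: The unconditional `if (write) return -EPERM;` under CONFIG_GRKERNSEC makes every write path further down mem_rw unreachable in that configuration, and no comment records that this is deliberate. Something like `/* grsecurity: writes through /proc/<pid>/mem are refused outright */` would stop a later reader from treating the remaining `write` branches as live code. The two added checks also fail differently: a write gets -EPERM, while an exec_id mismatch returns 0, which a reader sees as end of file. If that difference is intended it deserves a word in the same comment. mem_rw's body continues outside this hunk.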
82450@@ -867,7 +948,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
82451 goto free;
82452
82453 while (count > 0) {
82454- int this_len = min_t(int, count, PAGE_SIZE);
82455+ ssize_t this_len = min_t(ssize_t, count, PAGE_SIZE);
82456
82457 if (write && copy_from_user(page, buf, this_len)) {
82458 copied = -EFAULT;
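Review bot: `min_t(ssize_t, count, PAGE_SIZE)` still converts count to a signed type before comparing, so a count above the signed maximum would produce a negative this_len that is then passed to copy_from_user() as a length. The declaration of count is outside the hunk; assuming it is the usual size_t, `size_t this_len = min_t(size_t, count, PAGE_SIZE);` avoids the signed conversion. That also matches the `size_t this_len` already used in environ_read below. The loop body continues past the hunk, so any later comparison of this_len against a signed value needs a look before changing the type.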
82459@@ -959,6 +1040,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
82460 if (!mm)
82461 return 0;
82462
82463+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82464+ if (file->f_version != current->exec_id) {
82465+ gr_log_badprocpid("environ");
82466+ return 0;
82467+ }
82468+#endif
82469+
82470 page = (char *)__get_free_page(GFP_TEMPORARY);
82471 if (!page)
82472 return -ENOMEM;
82473@@ -968,7 +1056,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
82474 goto free;
82475 while (count > 0) {
82476 size_t this_len, max_len;
82477- int retval;
82478+ ssize_t retval;
82479
82480 if (src >= (mm->env_end - mm->env_start))
82481 break;
82482@@ -1582,7 +1670,7 @@ static const char *proc_pid_follow_link(struct dentry *dentry, void **cookie)
82483 int error = -EACCES;
82484
82485 /* Are we allowed to snoop on the tasks file descriptors? */
82486- if (!proc_fd_access_allowed(inode))
82487+ if (!proc_fd_access_allowed(inode, 0))
82488 goto out;
82489
82490 error = PROC_I(inode)->op.proc_get_link(dentry, &path);
82491@@ -1626,8 +1714,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
82492 struct path path;
82493
82494 /* Are we allowed to snoop on the tasks file descriptors? */
82495- if (!proc_fd_access_allowed(inode))
82496- goto out;
82497+ /* logging this is needed for learning on chromium to work properly,
82498+ but we don't want to flood the logs from 'ps' which does a readlink
82499+ on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
82500+ CAP_SYS_PTRACE as it's not necessary for its basic functionality
82501+ */
82502+ if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
82503+ if (!proc_fd_access_allowed(inode,0))
82504+ goto out;
82505+ } else {
82506+ if (!proc_fd_access_allowed(inode,1))
82507+ goto out;
82508+ }
82509
82510 error = PROC_I(inode)->op.proc_get_link(dentry, &path);
82511 if (error)
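Review bot: The audit exemption is keyed on the dentry name alone, so any link served by proc_pid_readlink whose name is exactly "2" is checked with auditing off, not only the fd/2 entry the comment describes. Denied readlink attempts on that name therefore leave no audit record, which is worth stating in the comment as a known blind spot. The duplicated branches can be folded into `if (!proc_fd_access_allowed(inode, !is_fd2)) goto out;` with `is_fd2` holding the name test. The comment says /proc/fd/2 where /proc/<pid>/fd/2 appears to be meant. proc_pid_readlink's body continues outside this hunk.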
82512@@ -1677,7 +1775,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
82513 rcu_read_lock();
82514 cred = __task_cred(task);
82515 inode->i_uid = cred->euid;
82516+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82517+ inode->i_gid = grsec_proc_gid;
82518+#else
82519 inode->i_gid = cred->egid;
82520+#endif
82521 rcu_read_unlock();
82522 }
82523 security_task_to_inode(task, inode);
82524@@ -1713,10 +1815,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
82525 return -ENOENT;
82526 }
82527 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
82528+#ifdef CONFIG_GRKERNSEC_PROC_USER
82529+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
82530+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82531+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
82532+#endif
82533 task_dumpable(task)) {
82534 cred = __task_cred(task);
82535 stat->uid = cred->euid;
82536+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82537+ stat->gid = grsec_proc_gid;
82538+#else
82539 stat->gid = cred->egid;
82540+#endif
82541 }
82542 }
82543 rcu_read_unlock();
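Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_USER … #elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` mode comparison added here is repeated verbatim in the pid_revalidate hunk. The `grsec_proc_gid` / `cred->egid` choice appears in proc_pid_make_inode, pid_revalidate and proc_pid_instantiate as well, and again in proc_get_inode in fs/proc/inode.c. One static helper for "is this the default pid directory mode" and one for "which gid to report" would keep the preprocessor branches in a single place and make it harder for one copy to fall out of step. pid_getattr starts and ends outside this hunk.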
82544@@ -1754,11 +1865,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
82545
82546 if (task) {
82547 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
82548+#ifdef CONFIG_GRKERNSEC_PROC_USER
82549+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
82550+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82551+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
82552+#endif
82553 task_dumpable(task)) {
82554 rcu_read_lock();
82555 cred = __task_cred(task);
82556 inode->i_uid = cred->euid;
82557+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82558+ inode->i_gid = grsec_proc_gid;
82559+#else
82560 inode->i_gid = cred->egid;
82561+#endif
82562 rcu_read_unlock();
82563 } else {
82564 inode->i_uid = GLOBAL_ROOT_UID;
82565@@ -2290,6 +2410,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
82566 if (!task)
82567 goto out_no_task;
82568
82569+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
82570+ goto out;
82571+
82572 /*
82573 * Yes, it does not scale. And it should not. Don't add
82574 * new entries into /proc/<tgid>/ without very good reasons.
82575@@ -2320,6 +2443,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
82576 if (!task)
82577 return -ENOENT;
82578
82579+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
82580+ goto out;
82581+
82582 if (!dir_emit_dots(file, ctx))
82583 goto out;
82584
82585@@ -2764,7 +2890,7 @@ static const struct pid_entry tgid_base_stuff[] = {
82586 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
82587 #endif
82588 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
82589-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
82590+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
82591 ONE("syscall", S_IRUSR, proc_pid_syscall),
82592 #endif
82593 REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
82594@@ -2789,10 +2915,10 @@ static const struct pid_entry tgid_base_stuff[] = {
82595 #ifdef CONFIG_SECURITY
82596 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
82597 #endif
82598-#ifdef CONFIG_KALLSYMS
82599+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82600 ONE("wchan", S_IRUGO, proc_pid_wchan),
82601 #endif
82602-#ifdef CONFIG_STACKTRACE
82603+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82604 ONE("stack", S_IRUSR, proc_pid_stack),
82605 #endif
82606 #ifdef CONFIG_SCHED_INFO
82607@@ -2826,6 +2952,9 @@ static const struct pid_entry tgid_base_stuff[] = {
82608 #ifdef CONFIG_HARDWALL
82609 ONE("hardwall", S_IRUGO, proc_pid_hardwall),
82610 #endif
82611+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
82612+ ONE("ipaddr", S_IRUSR, proc_pid_ipaddr),
82613+#endif
82614 #ifdef CONFIG_USER_NS
82615 REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
82616 REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
82617@@ -2958,7 +3087,14 @@ static int proc_pid_instantiate(struct inode *dir,
82618 if (!inode)
82619 goto out;
82620
82621+#ifdef CONFIG_GRKERNSEC_PROC_USER
82622+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
82623+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82624+ inode->i_gid = grsec_proc_gid;
82625+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
82626+#else
82627 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
82628+#endif
82629 inode->i_op = &proc_tgid_base_inode_operations;
82630 inode->i_fop = &proc_tgid_base_operations;
82631 inode->i_flags|=S_IMMUTABLE;
82632@@ -2996,7 +3132,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
82633 if (!task)
82634 goto out;
82635
82636+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
82637+ goto out_put_task;
82638+
82639 result = proc_pid_instantiate(dir, dentry, task, NULL);
82640+out_put_task:
82641 put_task_struct(task);
82642 out:
82643 return ERR_PTR(result);
82644@@ -3110,7 +3250,7 @@ static const struct pid_entry tid_base_stuff[] = {
82645 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
82646 #endif
82647 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
82648-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
82649+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
82650 ONE("syscall", S_IRUSR, proc_pid_syscall),
82651 #endif
82652 REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
82653@@ -3137,10 +3277,10 @@ static const struct pid_entry tid_base_stuff[] = {
82654 #ifdef CONFIG_SECURITY
82655 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
82656 #endif
82657-#ifdef CONFIG_KALLSYMS
82658+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82659 ONE("wchan", S_IRUGO, proc_pid_wchan),
82660 #endif
82661-#ifdef CONFIG_STACKTRACE
82662+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82663 ONE("stack", S_IRUSR, proc_pid_stack),
82664 #endif
82665 #ifdef CONFIG_SCHED_INFO
82666diff --git a/fs/proc/cmdline.c b/fs/proc/cmdline.c
82667index cbd82df..c0407d2 100644
82668--- a/fs/proc/cmdline.c
82669+++ b/fs/proc/cmdline.c
82670@@ -23,7 +23,11 @@ static const struct file_operations cmdline_proc_fops = {
82671
82672 static int __init proc_cmdline_init(void)
82673 {
82674+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82675+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
82676+#else
82677 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
82678+#endif
82679 return 0;
82680 }
82681 fs_initcall(proc_cmdline_init);
82682diff --git a/fs/proc/devices.c b/fs/proc/devices.c
82683index 50493ed..248166b 100644
82684--- a/fs/proc/devices.c
82685+++ b/fs/proc/devices.c
82686@@ -64,7 +64,11 @@ static const struct file_operations proc_devinfo_operations = {
82687
82688 static int __init proc_devices_init(void)
82689 {
82690+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82691+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
82692+#else
82693 proc_create("devices", 0, NULL, &proc_devinfo_operations);
82694+#endif
82695 return 0;
82696 }
82697 fs_initcall(proc_devices_init);
82698diff --git a/fs/proc/fd.c b/fs/proc/fd.c
82699index 6e5fcd0..06ea074 100644
82700--- a/fs/proc/fd.c
82701+++ b/fs/proc/fd.c
82702@@ -27,7 +27,8 @@ static int seq_show(struct seq_file *m, void *v)
82703 if (!task)
82704 return -ENOENT;
82705
82706- files = get_files_struct(task);
82707+ if (!gr_acl_handle_procpidmem(task))
82708+ files = get_files_struct(task);
82709 put_task_struct(task);
82710
82711 if (files) {
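Review bot: After this change `files` is assigned only when gr_acl_handle_procpidmem() returns 0, so the `if (files)` test that follows depends on `files` having been initialised to NULL at its declaration. That declaration is outside the hunk and should be confirmed. A comment such as `/* leave files NULL when the RBAC policy hides this task's memory */` would make the dependency explicit. seq_show's body continues past the hunk.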
82712@@ -291,11 +292,21 @@ static struct dentry *proc_lookupfd(struct inode *dir, struct dentry *dentry,
82713 */
82714 int proc_fd_permission(struct inode *inode, int mask)
82715 {
82716+ struct task_struct *task;
82717 int rv = generic_permission(inode, mask);
82718- if (rv == 0)
82719- return 0;
82720+
82721 if (task_tgid(current) == proc_pid(inode))
82722 rv = 0;
82723+
82724+ task = get_proc_task(inode);
82725+ if (task == NULL)
82726+ return rv;
82727+
82728+ if (gr_acl_handle_procpidmem(task))
82729+ rv = -EACCES;
82730+
82731+ put_task_struct(task);
82732+
82733 return rv;
82734 }
82735
82736diff --git a/fs/proc/generic.c b/fs/proc/generic.c
82737index e5dee5c..dafe21b 100644
82738--- a/fs/proc/generic.c
82739+++ b/fs/proc/generic.c
82740@@ -22,6 +22,7 @@
82741 #include <linux/bitops.h>
82742 #include <linux/spinlock.h>
82743 #include <linux/completion.h>
82744+#include <linux/grsecurity.h>
82745 #include <asm/uaccess.h>
82746
82747 #include "internal.h"
82748@@ -253,6 +254,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry,
82749 return proc_lookup_de(PDE(dir), dir, dentry);
82750 }
82751
82752+struct dentry *proc_lookup_restrict(struct inode *dir, struct dentry *dentry,
82753+ unsigned int flags)
82754+{
82755+ if (gr_proc_is_restricted())
82756+ return ERR_PTR(-EACCES);
82757+
82758+ return proc_lookup_de(PDE(dir), dir, dentry);
82759+}
82760+
82761 /*
82762 * This returns non-zero if at EOF, so that the /proc
82763 * root directory can use this and check if it should
82764@@ -310,6 +320,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx)
82765 return proc_readdir_de(PDE(inode), file, ctx);
82766 }
82767
82768+int proc_readdir_restrict(struct file *file, struct dir_context *ctx)
82769+{
82770+ struct inode *inode = file_inode(file);
82771+
82772+ if (gr_proc_is_restricted())
82773+ return -EACCES;
82774+
82775+ return proc_readdir_de(PDE(inode), file, ctx);
82776+}
82777+
82778 /*
82779 * These are the generic /proc directory operations. They
82780 * use the in-memory "struct proc_dir_entry" tree to parse
82781@@ -321,6 +341,12 @@ static const struct file_operations proc_dir_operations = {
82782 .iterate = proc_readdir,
82783 };
82784
82785+static const struct file_operations proc_dir_restricted_operations = {
82786+ .llseek = generic_file_llseek,
82787+ .read = generic_read_dir,
82788+ .iterate = proc_readdir_restrict,
82789+};
82790+
82791 /*
82792 * proc directories can do almost nothing..
82793 */
82794@@ -330,6 +356,12 @@ static const struct inode_operations proc_dir_inode_operations = {
82795 .setattr = proc_notify_change,
82796 };
82797
82798+static const struct inode_operations proc_dir_restricted_inode_operations = {
82799+ .lookup = proc_lookup_restrict,
82800+ .getattr = proc_getattr,
82801+ .setattr = proc_notify_change,
82802+};
82803+
82804 static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp)
82805 {
82806 int ret;
82807@@ -445,6 +477,31 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode,
82808 }
82809 EXPORT_SYMBOL_GPL(proc_mkdir_data);
82810
82811+struct proc_dir_entry *proc_mkdir_data_restrict(const char *name, umode_t mode,
82812+ struct proc_dir_entry *parent, void *data)
82813+{
82814+ struct proc_dir_entry *ent;
82815+
82816+ if (mode == 0)
82817+ mode = S_IRUGO | S_IXUGO;
82818+
82819+ ent = __proc_create(&parent, name, S_IFDIR | mode, 2);
82820+ if (ent) {
82821+ ent->data = data;
82822+ ent->restricted = 1;
82823+ ent->proc_fops = &proc_dir_restricted_operations;
82824+ ent->proc_iops = &proc_dir_restricted_inode_operations;
82825+ parent->nlink++;
82826+ if (proc_register(parent, ent) < 0) {
82827+ kfree(ent);
82828+ parent->nlink--;
82829+ ent = NULL;
82830+ }
82831+ }
82832+ return ent;
82833+}
82834+EXPORT_SYMBOL_GPL(proc_mkdir_data_restrict);
82835+
82836 struct proc_dir_entry *proc_mkdir_mode(const char *name, umode_t mode,
82837 struct proc_dir_entry *parent)
82838 {
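Review bot: proc_mkdir_data_restrict() appears to repeat the body of proc_mkdir_data, of which only the tail is visible here. The visible differences are `ent->restricted = 1` and the two restricted operation tables, so any later fix to the nlink accounting or the error path would have to be made twice. A static helper that takes the file and inode operations as arguments, called by both entry points, would keep a single copy. The function also lacks a comment saying that lookups and readdir on the resulting directory fail with -EACCES when gr_proc_is_restricted() is true, which is what proc_lookup_restrict and proc_readdir_restrict above implement.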
82839@@ -459,6 +516,13 @@ struct proc_dir_entry *proc_mkdir(const char *name,
82840 }
82841 EXPORT_SYMBOL(proc_mkdir);
82842
82843+struct proc_dir_entry *proc_mkdir_restrict(const char *name,
82844+ struct proc_dir_entry *parent)
82845+{
82846+ return proc_mkdir_data_restrict(name, 0, parent, NULL);
82847+}
82848+EXPORT_SYMBOL(proc_mkdir_restrict);
82849+
82850 struct proc_dir_entry *proc_create_mount_point(const char *name)
82851 {
82852 umode_t mode = S_IFDIR | S_IRUGO | S_IXUGO;
82853diff --git a/fs/proc/inode.c b/fs/proc/inode.c
82854index bd95b9f..a64a773 100644
82855--- a/fs/proc/inode.c
82856+++ b/fs/proc/inode.c
82857@@ -23,11 +23,17 @@
82858 #include <linux/slab.h>
82859 #include <linux/mount.h>
82860 #include <linux/magic.h>
82861+#include <linux/grsecurity.h>
82862
82863 #include <asm/uaccess.h>
82864
82865 #include "internal.h"
82866
82867+#ifdef CONFIG_PROC_SYSCTL
82868+extern const struct inode_operations proc_sys_inode_operations;
82869+extern const struct inode_operations proc_sys_dir_operations;
82870+#endif
82871+
82872 static void proc_evict_inode(struct inode *inode)
82873 {
82874 struct proc_dir_entry *de;
82875@@ -48,6 +54,13 @@ static void proc_evict_inode(struct inode *inode)
82876 RCU_INIT_POINTER(PROC_I(inode)->sysctl, NULL);
82877 sysctl_head_put(head);
82878 }
82879+
82880+#ifdef CONFIG_PROC_SYSCTL
82881+ if (inode->i_op == &proc_sys_inode_operations ||
82882+ inode->i_op == &proc_sys_dir_operations)
82883+ gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
82884+#endif
82885+
82886 }
82887
82888 static struct kmem_cache * proc_inode_cachep;
82889@@ -429,7 +442,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
82890 if (de->mode) {
82891 inode->i_mode = de->mode;
82892 inode->i_uid = de->uid;
82893+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82894+ inode->i_gid = grsec_proc_gid;
82895+#else
82896 inode->i_gid = de->gid;
82897+#endif
82898 }
82899 if (de->size)
82900 inode->i_size = de->size;
82901diff --git a/fs/proc/internal.h b/fs/proc/internal.h
82902index aa27810..9f2d3b2 100644
82903--- a/fs/proc/internal.h
82904+++ b/fs/proc/internal.h
82905@@ -47,9 +47,10 @@ struct proc_dir_entry {
82906 struct completion *pde_unload_completion;
82907 struct list_head pde_openers; /* who did ->open, but not ->release */
82908 spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */
82909+ u8 restricted; /* a directory in /proc/net that should be restricted via GRKERNSEC_PROC */
82910 u8 namelen;
82911 char name[];
82912-};
82913+} __randomize_layout;
82914
82915 union proc_op {
82916 int (*proc_get_link)(struct dentry *, struct path *);
82917@@ -67,7 +68,7 @@ struct proc_inode {
82918 struct ctl_table *sysctl_entry;
82919 const struct proc_ns_operations *ns_ops;
82920 struct inode vfs_inode;
82921-};
82922+} __randomize_layout;
82923
82924 /*
82925 * General functions
82926@@ -155,6 +156,10 @@ extern int proc_pid_status(struct seq_file *, struct pid_namespace *,
82927 struct pid *, struct task_struct *);
82928 extern int proc_pid_statm(struct seq_file *, struct pid_namespace *,
82929 struct pid *, struct task_struct *);
82930+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
82931+extern int proc_pid_ipaddr(struct seq_file *, struct pid_namespace *,
82932+ struct pid *, struct task_struct *);
82933+#endif
82934
82935 /*
82936 * base.c
82937@@ -179,9 +184,11 @@ extern bool proc_fill_cache(struct file *, struct dir_context *, const char *, i
82938 * generic.c
82939 */
82940 extern struct dentry *proc_lookup(struct inode *, struct dentry *, unsigned int);
82941+extern struct dentry *proc_lookup_restrict(struct inode *, struct dentry *, unsigned int);
82942 extern struct dentry *proc_lookup_de(struct proc_dir_entry *, struct inode *,
82943 struct dentry *);
82944 extern int proc_readdir(struct file *, struct dir_context *);
82945+extern int proc_readdir_restrict(struct file *, struct dir_context *);
82946 extern int proc_readdir_de(struct proc_dir_entry *, struct file *, struct dir_context *);
82947
82948 static inline struct proc_dir_entry *pde_get(struct proc_dir_entry *pde)
82949diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
82950index a352d57..cb94a5c 100644
82951--- a/fs/proc/interrupts.c
82952+++ b/fs/proc/interrupts.c
82953@@ -47,7 +47,11 @@ static const struct file_operations proc_interrupts_operations = {
82954
82955 static int __init proc_interrupts_init(void)
82956 {
82957+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82958+ proc_create_grsec("interrupts", 0, NULL, &proc_interrupts_operations);
82959+#else
82960 proc_create("interrupts", 0, NULL, &proc_interrupts_operations);
82961+#endif
82962 return 0;
82963 }
82964 fs_initcall(proc_interrupts_init);
82965diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
82966index 92e6726..a600d4fa 100644
82967--- a/fs/proc/kcore.c
82968+++ b/fs/proc/kcore.c
82969@@ -483,9 +483,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
82970 * the addresses in the elf_phdr on our list.
82971 */
82972 start = kc_offset_to_vaddr(*fpos - elf_buflen);
82973- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
82974+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
82975+ if (tsz > buflen)
82976 tsz = buflen;
82977-
82978+
82979 while (buflen) {
82980 struct kcore_list *m;
82981
82982@@ -515,19 +516,20 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
82983 } else {
82984 if (kern_addr_valid(start)) {
82985 unsigned long n;
82986+ char *elf_buf;
82987+ mm_segment_t oldfs;
82988
82989- n = copy_to_user(buffer, (char *)start, tsz);
82990- /*
82991- * We cannot distinguish between fault on source
82992- * and fault on destination. When this happens
82993- * we clear too and hope it will trigger the
82994- * EFAULT again.
82995- */
82996- if (n) {
82997- if (clear_user(buffer + tsz - n,
82998- n))
82999- return -EFAULT;
83000- }
83001+ elf_buf = kzalloc(tsz, GFP_KERNEL);
83002+ if (!elf_buf)
83003+ return -ENOMEM;
83004+ oldfs = get_fs();
83005+ set_fs(KERNEL_DS);
83006+ n = __copy_from_user(elf_buf, (const void __user *)start, tsz);
83007+ set_fs(oldfs);
83008+ n = copy_to_user(buffer, elf_buf, tsz);
83009+ kfree(elf_buf);
83010+ if (n)
83011+ return -EFAULT;
83012 } else {
83013 if (clear_user(buffer, tsz))
83014 return -EFAULT;
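Review bot: The result of `__copy_from_user()` is stored in `n` and immediately overwritten by the `copy_to_user()` result, so a fault while reading the kernel source address is silently ignored. Because the bounce buffer comes from kzalloc() the user then receives zeroes for the unread part, which may well be the intent, but the code does not say so. A comment like `/* a fault on the source leaves the kzalloc'ed zeroes in place; only a fault on the user buffer is reported */` would record it. The buffer is also allocated and freed on every pass of the `while (buflen)` loop, and allocating it once before the loop would avoid that. read_kcore's body starts and continues outside this hunk.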
83015@@ -547,6 +549,9 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
83016
83017 static int open_kcore(struct inode *inode, struct file *filp)
83018 {
83019+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
83020+ return -EPERM;
83021+#endif
83022 if (!capable(CAP_SYS_RAWIO))
83023 return -EPERM;
83024 if (kcore_need_update)
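Review bot: With CONFIG_GRKERNSEC_PROC_ADD or CONFIG_GRKERNSEC_HIDESYM set, the added `return -EPERM;` leaves the capable() check and everything after it as unreachable code in the same function. Putting the original body under `#else` makes the two configurations explicit and avoids unreachable-code warnings. A comment such as `/* /proc/kcore cannot be opened at all in these configurations, whatever the caller's capabilities */` would document the policy. open_kcore's body continues outside this hunk.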
83025@@ -580,7 +585,7 @@ static int __meminit kcore_callback(struct notifier_block *self,
83026 return NOTIFY_OK;
83027 }
83028
83029-static struct notifier_block kcore_callback_nb __meminitdata = {
83030+static struct notifier_block kcore_callback_nb __meminitconst = {
83031 .notifier_call = kcore_callback,
83032 .priority = 0,
83033 };
83034diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
83035index d3ebf2e..6ad42d1 100644
83036--- a/fs/proc/meminfo.c
83037+++ b/fs/proc/meminfo.c
83038@@ -194,7 +194,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
83039 vmi.used >> 10,
83040 vmi.largest_chunk >> 10
83041 #ifdef CONFIG_MEMORY_FAILURE
83042- , atomic_long_read(&num_poisoned_pages) << (PAGE_SHIFT - 10)
83043+ , atomic_long_read_unchecked(&num_poisoned_pages) << (PAGE_SHIFT - 10)
83044 #endif
83045 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
83046 , K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
83047diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c
83048index f8595e8..e0d13cbd 100644
83049--- a/fs/proc/nommu.c
83050+++ b/fs/proc/nommu.c
83051@@ -64,7 +64,7 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region)
83052
83053 if (file) {
83054 seq_pad(m, ' ');
83055- seq_file_path(m, file, "");
83056+ seq_file_path(m, file, "\n\\");
83057 }
83058
83059 seq_putc(m, '\n');
83060diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
83061index 350984a..0fb02a9 100644
83062--- a/fs/proc/proc_net.c
83063+++ b/fs/proc/proc_net.c
83064@@ -23,9 +23,27 @@
83065 #include <linux/nsproxy.h>
83066 #include <net/net_namespace.h>
83067 #include <linux/seq_file.h>
83068+#include <linux/grsecurity.h>
83069
83070 #include "internal.h"
83071
83072+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
83073+static struct seq_operations *ipv6_seq_ops_addr;
83074+
83075+void register_ipv6_seq_ops_addr(struct seq_operations *addr)
83076+{
83077+ ipv6_seq_ops_addr = addr;
83078+}
83079+
83080+void unregister_ipv6_seq_ops_addr(void)
83081+{
83082+ ipv6_seq_ops_addr = NULL;
83083+}
83084+
83085+EXPORT_SYMBOL_GPL(register_ipv6_seq_ops_addr);
83086+EXPORT_SYMBOL_GPL(unregister_ipv6_seq_ops_addr);
83087+#endif
83088+
83089 static inline struct net *PDE_NET(struct proc_dir_entry *pde)
83090 {
83091 return pde->parent->data;
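Review bot: `register_ipv6_seq_ops_addr()` takes and stores a non-const `struct seq_operations *`, although the pointer is only ever compared against the `const struct seq_operations *ops` argument of seq_open_net. Declaring both the static and the parameter as `const struct seq_operations *` keeps callers from needing a writable ops table: `static const struct seq_operations *ipv6_seq_ops_addr;`. The pair of functions also has no comment; one line such as `/* lets the ipv6 code name the one seq_operations table that seq_open_net() leaves open to restricted readers */` would explain why fs/proc needs to know an address from another subsystem.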
83092@@ -36,6 +54,8 @@ static struct net *get_proc_net(const struct inode *inode)
83093 return maybe_get_net(PDE_NET(PDE(inode)));
83094 }
83095
83096+extern const struct seq_operations dev_seq_ops;
83097+
83098 int seq_open_net(struct inode *ino, struct file *f,
83099 const struct seq_operations *ops, int size)
83100 {
83101@@ -44,6 +64,14 @@ int seq_open_net(struct inode *ino, struct file *f,
83102
83103 BUG_ON(size < sizeof(*p));
83104
83105+ /* only permit access to /proc/net/dev */
83106+ if (
83107+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
83108+ ops != ipv6_seq_ops_addr &&
83109+#endif
83110+ ops != &dev_seq_ops && gr_proc_is_restricted())
83111+ return -EACCES;
83112+
83113 net = get_proc_net(ino);
83114 if (net == NULL)
83115 return -ENXIO;
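Review bot: The comment `/* only permit access to /proc/net/dev */` does not match the condition below it, which also lets through whatever table was registered in `ipv6_seq_ops_addr` when IPv6 is configured. I would reword it to `/* restricted readers may open only /proc/net/dev and the table registered via register_ipv6_seq_ops_addr() */`. The `#if` placed inside the parentheses of the `if` is also hard to read; a small helper that returns whether `ops` is on the allow list would keep the preprocessor out of the expression. seq_open_net continues outside this hunk.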
83116@@ -66,6 +94,9 @@ int single_open_net(struct inode *inode, struct file *file,
83117 int err;
83118 struct net *net;
83119
83120+ if (gr_proc_is_restricted())
83121+ return -EACCES;
83122+
83123 err = -ENXIO;
83124 net = get_proc_net(inode);
83125 if (net == NULL)
83126diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
83127index fdda62e..cd7c75f 100644
83128--- a/fs/proc/proc_sysctl.c
83129+++ b/fs/proc/proc_sysctl.c
83130@@ -11,13 +11,21 @@
83131 #include <linux/namei.h>
83132 #include <linux/mm.h>
83133 #include <linux/module.h>
83134+#include <linux/nsproxy.h>
83135+#ifdef CONFIG_GRKERNSEC
83136+#include <net/net_namespace.h>
83137+#endif
83138 #include "internal.h"
83139
83140+extern int gr_handle_chroot_sysctl(const int op);
83141+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
83142+ const int op);
83143+
83144 static const struct dentry_operations proc_sys_dentry_operations;
83145 static const struct file_operations proc_sys_file_operations;
83146-static const struct inode_operations proc_sys_inode_operations;
83147+const struct inode_operations proc_sys_inode_operations;
83148 static const struct file_operations proc_sys_dir_file_operations;
83149-static const struct inode_operations proc_sys_dir_operations;
83150+const struct inode_operations proc_sys_dir_operations;
83151
83152 /* Support for permanently empty directories */
83153
83154@@ -32,13 +40,17 @@ static bool is_empty_dir(struct ctl_table_header *head)
83155
83156 static void set_empty_dir(struct ctl_dir *dir)
83157 {
83158- dir->header.ctl_table[0].child = sysctl_mount_point;
83159+ pax_open_kernel();
83160+ *(const void **)&dir->header.ctl_table[0].child = sysctl_mount_point;
83161+ pax_close_kernel();
83162 }
83163
83164 static void clear_empty_dir(struct ctl_dir *dir)
83165
83166 {
83167- dir->header.ctl_table[0].child = NULL;
83168+ pax_open_kernel();
83169+ *(void **)&dir->header.ctl_table[0].child = NULL;
83170+ pax_close_kernel();
83171 }
83172
83173 void proc_sys_poll_notify(struct ctl_table_poll *poll)
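Review bot: set_empty_dir writes through `*(const void **)&dir->header.ctl_table[0].child` while clear_empty_dir writes the same field through `*(void **)&...`, and neither says why a cast and a `pax_open_kernel()`/`pax_close_kernel()` pair are needed for a plain pointer store. Use the same cast in both and add one comment, e.g. `/* ctl_table is presumably read-only here, so the store must be bracketed by pax_open_kernel() */` (hedged because the constification is not visible in this hunk). The window between open and close should stay exactly this one store, which is worth stating so later edits do not grow it.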
83174@@ -504,6 +516,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
83175
83176 err = NULL;
83177 d_set_d_op(dentry, &proc_sys_dentry_operations);
83178+
83179+ gr_handle_proc_create(dentry, inode);
83180+
83181 d_add(dentry, inode);
83182
83183 out:
83184@@ -519,6 +534,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
83185 struct inode *inode = file_inode(filp);
83186 struct ctl_table_header *head = grab_header(inode);
83187 struct ctl_table *table = PROC_I(inode)->sysctl_entry;
83188+ int op = write ? MAY_WRITE : MAY_READ;
83189 ssize_t error;
83190 size_t res;
83191
83192@@ -530,7 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
83193 * and won't be until we finish.
83194 */
83195 error = -EPERM;
83196- if (sysctl_perm(head, table, write ? MAY_WRITE : MAY_READ))
83197+ if (sysctl_perm(head, table, op))
83198 goto out;
83199
83200 /* if that can happen at all, it should be -EINVAL, not -EISDIR */
83201@@ -538,6 +554,27 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
83202 if (!table->proc_handler)
83203 goto out;
83204
83205+#ifdef CONFIG_GRKERNSEC
83206+ error = -EPERM;
83207+ if (gr_handle_chroot_sysctl(op))
83208+ goto out;
83209+ dget(filp->f_path.dentry);
83210+ if (gr_handle_sysctl_mod(filp->f_path.dentry->d_parent->d_name.name, table->procname, op)) {
83211+ dput(filp->f_path.dentry);
83212+ goto out;
83213+ }
83214+ dput(filp->f_path.dentry);
83215+ if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
83216+ goto out;
83217+ if (write) {
83218+ if (current->nsproxy->net_ns != table->extra2) {
83219+ if (!capable(CAP_SYS_ADMIN))
83220+ goto out;
83221+ } else if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
83222+ goto out;
83223+ }
83224+#endif
83225+
83226 /* careful: calling conventions are nasty here */
83227 res = count;
83228 error = table->proc_handler(table, write, buf, &res, ppos);
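Review bot: The namespace test in the added `if (write)` block compares `current->nsproxy->net_ns` with `table->extra2`, but nothing in this hunk establishes that `extra2` holds a `struct net *` for the table being written. `extra2` is a general-purpose `ctl_table` field, so for any table that uses it for something else the comparison is never equal and the write falls through to the `capable(CAP_SYS_ADMIN)` branch; if that is the intended default it deserves a comment such as `/* extra2 is the owning netns only for per-net tables; every other write needs CAP_SYS_ADMIN */`. The `dget()`/`dput()` pair around the `d_parent->d_name.name` read would also benefit from a line saying what it guards against. proc_sys_call_handler starts and ends outside this hunk.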
83229@@ -635,6 +672,9 @@ static bool proc_sys_fill_cache(struct file *file,
83230 return false;
83231 } else {
83232 d_set_d_op(child, &proc_sys_dentry_operations);
83233+
83234+ gr_handle_proc_create(child, inode);
83235+
83236 d_add(child, inode);
83237 }
83238 } else {
83239@@ -678,6 +718,9 @@ static int scan(struct ctl_table_header *head, struct ctl_table *table,
83240 if ((*pos)++ < ctx->pos)
83241 return true;
83242
83243+ if (!gr_acl_handle_hidden_file(file->f_path.dentry, file->f_path.mnt))
83244+ return 0;
83245+
83246 if (unlikely(S_ISLNK(table->mode)))
83247 res = proc_sys_link_fill_cache(file, ctx, head, table);
83248 else
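Review bot: The added check passes `file->f_path.dentry`, the directory being listed, to `gr_acl_handle_hidden_file()`, so its result is the same for every entry and yet it is evaluated once per entry inside scan. It also returns `0` two lines after a `return true;`, which mixes integer and boolean returns in one function. I would write `return false;` and add `/* the directory itself is hidden: stop the listing */`, or move the test to the caller before the loop if the caller (not visible here) allows it. scan's body continues outside this hunk.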
83249@@ -771,6 +814,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
83250 if (IS_ERR(head))
83251 return PTR_ERR(head);
83252
83253+ if (table && !gr_acl_handle_hidden_file(dentry, mnt))
83254+ return -ENOENT;
83255+
83256 generic_fillattr(inode, stat);
83257 if (table)
83258 stat->mode = (stat->mode & S_IFMT) | table->mode;
83259@@ -793,13 +839,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
83260 .llseek = generic_file_llseek,
83261 };
83262
83263-static const struct inode_operations proc_sys_inode_operations = {
83264+const struct inode_operations proc_sys_inode_operations = {
83265 .permission = proc_sys_permission,
83266 .setattr = proc_sys_setattr,
83267 .getattr = proc_sys_getattr,
83268 };
83269
83270-static const struct inode_operations proc_sys_dir_operations = {
83271+const struct inode_operations proc_sys_dir_operations = {
83272 .lookup = proc_sys_lookup,
83273 .permission = proc_sys_permission,
83274 .setattr = proc_sys_setattr,
83275@@ -876,7 +922,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir,
83276 static struct ctl_dir *new_dir(struct ctl_table_set *set,
83277 const char *name, int namelen)
83278 {
83279- struct ctl_table *table;
83280+ ctl_table_no_const *table;
83281 struct ctl_dir *new;
83282 struct ctl_node *node;
83283 char *new_name;
83284@@ -888,7 +934,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
83285 return NULL;
83286
83287 node = (struct ctl_node *)(new + 1);
83288- table = (struct ctl_table *)(node + 1);
83289+ table = (ctl_table_no_const *)(node + 1);
83290 new_name = (char *)(table + 2);
83291 memcpy(new_name, name, namelen);
83292 new_name[namelen] = '\0';
83293@@ -1057,7 +1103,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table)
83294 static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table *table,
83295 struct ctl_table_root *link_root)
83296 {
83297- struct ctl_table *link_table, *entry, *link;
83298+ ctl_table_no_const *link_table, *link;
83299+ struct ctl_table *entry;
83300 struct ctl_table_header *links;
83301 struct ctl_node *node;
83302 char *link_name;
83303@@ -1080,7 +1127,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table
83304 return NULL;
83305
83306 node = (struct ctl_node *)(links + 1);
83307- link_table = (struct ctl_table *)(node + nr_entries);
83308+ link_table = (ctl_table_no_const *)(node + nr_entries);
83309 link_name = (char *)&link_table[nr_entries + 1];
83310
83311 for (link = link_table, entry = table; entry->procname; link++, entry++) {
83312@@ -1328,8 +1375,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
83313 struct ctl_table_header ***subheader, struct ctl_table_set *set,
83314 struct ctl_table *table)
83315 {
83316- struct ctl_table *ctl_table_arg = NULL;
83317- struct ctl_table *entry, *files;
83318+ ctl_table_no_const *ctl_table_arg = NULL, *files = NULL;
83319+ struct ctl_table *entry;
83320 int nr_files = 0;
83321 int nr_dirs = 0;
83322 int err = -ENOMEM;
83323@@ -1341,10 +1388,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
83324 nr_files++;
83325 }
83326
83327- files = table;
83328 /* If there are mixed files and directories we need a new table */
83329 if (nr_dirs && nr_files) {
83330- struct ctl_table *new;
83331+ ctl_table_no_const *new;
83332 files = kzalloc(sizeof(struct ctl_table) * (nr_files + 1),
83333 GFP_KERNEL);
83334 if (!files)
83335@@ -1362,7 +1408,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
83336 /* Register everything except a directory full of subdirectories */
83337 if (nr_files || !nr_dirs) {
83338 struct ctl_table_header *header;
83339- header = __register_sysctl_table(set, path, files);
83340+ header = __register_sysctl_table(set, path, files ? files : table);
83341 if (!header) {
83342 kfree(ctl_table_arg);
83343 goto out;
83344diff --git a/fs/proc/root.c b/fs/proc/root.c
83345index 68feb0f..2c04780 100644
83346--- a/fs/proc/root.c
83347+++ b/fs/proc/root.c
83348@@ -185,7 +185,15 @@ void __init proc_root_init(void)
83349 proc_create_mount_point("openprom");
83350 #endif
83351 proc_tty_init();
83352+#ifdef CONFIG_GRKERNSEC_PROC_ADD
83353+#ifdef CONFIG_GRKERNSEC_PROC_USER
83354+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
83355+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
83356+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
83357+#endif
83358+#else
83359 proc_mkdir("bus", NULL);
83360+#endif
83361 proc_sys_init();
83362 }
83363
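Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` has no fallback and no `bus` directory is created at all. Unless Kconfig guarantees that PROC_ADD always comes with one of the two (not visible here), add `#else` followed by `proc_mkdir("bus", NULL);` before the inner `#endif`. A short comment on the two modes, `/* 0500: root only */` and `/* 0550: root and the proc group */`, would save readers from decoding the S_I* masks.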
83364diff --git a/fs/proc/stat.c b/fs/proc/stat.c
83365index 510413eb..34d9a8c 100644
83366--- a/fs/proc/stat.c
83367+++ b/fs/proc/stat.c
83368@@ -11,6 +11,7 @@
83369 #include <linux/irqnr.h>
83370 #include <linux/cputime.h>
83371 #include <linux/tick.h>
83372+#include <linux/grsecurity.h>
83373
83374 #ifndef arch_irq_stat_cpu
83375 #define arch_irq_stat_cpu(cpu) 0
83376@@ -87,6 +88,18 @@ static int show_stat(struct seq_file *p, void *v)
83377 u64 sum_softirq = 0;
83378 unsigned int per_softirq_sums[NR_SOFTIRQS] = {0};
83379 struct timespec boottime;
83380+ int unrestricted = 1;
83381+
83382+#ifdef CONFIG_GRKERNSEC_PROC_ADD
83383+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
83384+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
83385+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
83386+ && !in_group_p(grsec_proc_gid)
83387+#endif
83388+ )
83389+ unrestricted = 0;
83390+#endif
83391+#endif
83392
83393 user = nice = system = idle = iowait =
83394 irq = softirq = steal = 0;
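Review bot: The `unrestricted` flag is computed by an open-coded uid/gid test with a nested `#ifdef` inside the `if` condition, while fs/proc/proc_net.c in this same patch asks `gr_proc_is_restricted()` for what looks like the same decision. If that helper implements the same policy (its body is not visible here), `bool unrestricted = !gr_proc_is_restricted();` would keep the two files from drifting apart and remove the preprocessor from the expression. If the policies differ on purpose, a comment saying how would help, and `unrestricted` reads better as `bool` than `int`. show_stat starts and ends outside this hunk.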
83395@@ -99,23 +112,25 @@ static int show_stat(struct seq_file *p, void *v)
83396 nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
83397 system += kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
83398 idle += get_idle_time(i);
83399- iowait += get_iowait_time(i);
83400- irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
83401- softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
83402- steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
83403- guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
83404- guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
83405- sum += kstat_cpu_irqs_sum(i);
83406- sum += arch_irq_stat_cpu(i);
83407+ if (unrestricted) {
83408+ iowait += get_iowait_time(i);
83409+ irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
83410+ softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
83411+ steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
83412+ guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
83413+ guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
83414+ sum += kstat_cpu_irqs_sum(i);
83415+ sum += arch_irq_stat_cpu(i);
83416+ for (j = 0; j < NR_SOFTIRQS; j++) {
83417+ unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
83418
83419- for (j = 0; j < NR_SOFTIRQS; j++) {
83420- unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
83421-
83422- per_softirq_sums[j] += softirq_stat;
83423- sum_softirq += softirq_stat;
83424+ per_softirq_sums[j] += softirq_stat;
83425+ sum_softirq += softirq_stat;
83426+ }
83427 }
83428 }
83429- sum += arch_irq_stat();
83430+ if (unrestricted)
83431+ sum += arch_irq_stat();
83432
83433 seq_puts(p, "cpu ");
83434 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
83435@@ -136,12 +151,14 @@ static int show_stat(struct seq_file *p, void *v)
83436 nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
83437 system = kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
83438 idle = get_idle_time(i);
83439- iowait = get_iowait_time(i);
83440- irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
83441- softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
83442- steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
83443- guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
83444- guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
83445+ if (unrestricted) {
83446+ iowait = get_iowait_time(i);
83447+ irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
83448+ softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
83449+ steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
83450+ guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
83451+ guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
83452+ }
83453 seq_printf(p, "cpu%d", i);
83454 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
83455 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(nice));
83456@@ -159,7 +176,7 @@ static int show_stat(struct seq_file *p, void *v)
83457
83458 /* sum again ? it could be updated? */
83459 for_each_irq_nr(j)
83460- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j));
83461+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL);
83462
83463 seq_printf(p,
83464 "\nctxt %llu\n"
83465@@ -167,11 +184,11 @@ static int show_stat(struct seq_file *p, void *v)
83466 "processes %lu\n"
83467 "procs_running %lu\n"
83468 "procs_blocked %lu\n",
83469- nr_context_switches(),
83470+ unrestricted ? nr_context_switches() : 0ULL,
83471 (unsigned long)jif,
83472- total_forks,
83473- nr_running(),
83474- nr_iowait());
83475+ unrestricted ? total_forks : 0UL,
83476+ unrestricted ? nr_running() : 0UL,
83477+ unrestricted ? nr_iowait() : 0UL);
83478
83479 seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
83480
83481diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
83482index ca1e091..a048795 100644
83483--- a/fs/proc/task_mmu.c
83484+++ b/fs/proc/task_mmu.c
83485@@ -13,12 +13,19 @@
83486 #include <linux/swap.h>
83487 #include <linux/swapops.h>
83488 #include <linux/mmu_notifier.h>
83489+#include <linux/grsecurity.h>
83490
83491 #include <asm/elf.h>
83492 #include <asm/uaccess.h>
83493 #include <asm/tlbflush.h>
83494 #include "internal.h"
83495
83496+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83497+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
83498+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
83499+ _mm->pax_flags & MF_PAX_SEGMEXEC))
83500+#endif
83501+
83502 void task_mem(struct seq_file *m, struct mm_struct *mm)
83503 {
83504 unsigned long data, text, lib, swap, ptes, pmds;
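Review bot: `PAX_RAND_FLAGS` uses its argument `_mm` four times without parentheses, and later hunks call it with the expression `vma->vm_mm`. That happens to expand correctly today, but the macro should be hygienic: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. A one-line comment stating what a true result means, `/* another task's mm whose layout is randomized: do not print its addresses */`, would document every call site at once.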
83505@@ -57,8 +64,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
83506 "VmLib:\t%8lu kB\n"
83507 "VmPTE:\t%8lu kB\n"
83508 "VmPMD:\t%8lu kB\n"
83509- "VmSwap:\t%8lu kB\n",
83510- hiwater_vm << (PAGE_SHIFT-10),
83511+ "VmSwap:\t%8lu kB\n"
83512+
83513+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
83514+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
83515+#endif
83516+
83517+ ,hiwater_vm << (PAGE_SHIFT-10),
83518 total_vm << (PAGE_SHIFT-10),
83519 mm->locked_vm << (PAGE_SHIFT-10),
83520 mm->pinned_vm << (PAGE_SHIFT-10),
83521@@ -68,7 +80,19 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
83522 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
83523 ptes >> 10,
83524 pmds >> 10,
83525- swap << (PAGE_SHIFT-10));
83526+ swap << (PAGE_SHIFT-10)
83527+
83528+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
83529+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83530+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base
83531+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit
83532+#else
83533+ , mm->context.user_cs_base
83534+ , mm->context.user_cs_limit
83535+#endif
83536+#endif
83537+
83538+ );
83539 }
83540
83541 unsigned long task_vsize(struct mm_struct *mm)
83542@@ -285,13 +309,13 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
83543 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
83544 }
83545
83546- /* We don't show the stack guard page in /proc/maps */
83547+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83548+ start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
83549+ end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
83550+#else
83551 start = vma->vm_start;
83552- if (stack_guard_page_start(vma, start))
83553- start += PAGE_SIZE;
83554 end = vma->vm_end;
83555- if (stack_guard_page_end(vma, end))
83556- end -= PAGE_SIZE;
83557+#endif
83558
83559 seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
83560 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ",
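Review bot: The hunk deletes the comment and the code that hid the stack guard page and replaces them with zeroed `start`/`end` under CONFIG_GRKERNSEC_PROC_MEMMAP, but leaves no comment saying either why the guard-page adjustment went away or what a reader of another task's maps will now see. I would add `/* for another task with a randomized layout, print 0 for start, end and offset so the file does not disclose its addresses */` above the `#ifdef`. `PAX_RAND_FLAGS(mm)` is also evaluated twice here and again for `pgoff` in the next hunk; one local `bool hide = PAX_RAND_FLAGS(mm);` would make the three uses visibly consistent. show_map_vma starts and ends outside this hunk.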
83561@@ -301,7 +325,11 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
83562 flags & VM_WRITE ? 'w' : '-',
83563 flags & VM_EXEC ? 'x' : '-',
83564 flags & VM_MAYSHARE ? 's' : 'p',
83565+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83566+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
83567+#else
83568 pgoff,
83569+#endif
83570 MAJOR(dev), MINOR(dev), ino);
83571
83572 /*
83573@@ -310,7 +338,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
83574 */
83575 if (file) {
83576 seq_pad(m, ' ');
83577- seq_file_path(m, file, "\n");
83578+ seq_file_path(m, file, "\n\\");
83579 goto done;
83580 }
83581
83582@@ -341,8 +369,9 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
83583 * Thread stack in /proc/PID/task/TID/maps or
83584 * the main process stack.
83585 */
83586- if (!is_pid || (vma->vm_start <= mm->start_stack &&
83587- vma->vm_end >= mm->start_stack)) {
83588+ if (!is_pid || (vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
83589+ (vma->vm_start <= mm->start_stack &&
83590+ vma->vm_end >= mm->start_stack)) {
83591 name = "[stack]";
83592 } else {
83593 /* Thread stack in /proc/PID/maps */
83594@@ -362,6 +391,12 @@ done:
83595
83596 static int show_map(struct seq_file *m, void *v, int is_pid)
83597 {
83598+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83599+ if (current->exec_id != m->exec_id) {
83600+ gr_log_badprocpid("maps");
83601+ return 0;
83602+ }
83603+#endif
83604 show_map_vma(m, v, is_pid);
83605 m_cache_vma(m, v);
83606 return 0;
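Review bot: The four-line `exec_id` check added here is repeated verbatim in show_smap and show_numa_map with only the string passed to `gr_log_badprocpid()` changed, and none of the three says that returning 0 gives the reader an empty record rather than an error. A single helper with one comment would keep the three handlers in step. show_map's closing lines are outside this hunk.

```c
#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
/* false (and logged) when current->exec_id differs from the seq_file's exec_id */
static bool gr_maps_same_exec(struct seq_file *m, const char *what)
{
	if (current->exec_id == m->exec_id)
		return true;
	gr_log_badprocpid(what);
	return false;
}
#else
static inline bool gr_maps_same_exec(struct seq_file *m, const char *what)
{
	return true;
}
#endif

static int show_map(struct seq_file *m, void *v, int is_pid)
{
	/* a mismatch emits nothing for this record; the read itself still succeeds */
	if (!gr_maps_same_exec(m, "maps"))
		return 0;
	/* … unchanged: show_map_vma() and m_cache_vma() calls … */
```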
83607@@ -620,9 +655,18 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
83608 .private = &mss,
83609 };
83610
83611+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83612+ if (current->exec_id != m->exec_id) {
83613+ gr_log_badprocpid("smaps");
83614+ return 0;
83615+ }
83616+#endif
83617 memset(&mss, 0, sizeof mss);
83618- /* mmap_sem is held in m_start */
83619- walk_page_vma(vma, &smaps_walk);
83620+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83621+ if (!PAX_RAND_FLAGS(vma->vm_mm))
83622+#endif
83623+ /* mmap_sem is held in m_start */
83624+ walk_page_vma(vma, &smaps_walk);
83625
83626 show_map_vma(m, vma, is_pid);
83627
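Review bot: The `if (!PAX_RAND_FLAGS(vma->vm_mm))` added before `walk_page_vma()` is an unbraced `if` that exists only under `#ifdef`, with a comment line between it and the statement it guards. Any statement later inserted between the `#endif` and the call would silently become the guarded one. Defining the macro for the other configuration as well, `#define PAX_RAND_FLAGS(_mm) 0` under `#else` next to its definition, would let this read as an ordinary braced `if` and would remove the `#ifdef` pairs around the other uses in this file. show_smap continues outside this hunk.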
83628@@ -641,7 +685,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
83629 "KernelPageSize: %8lu kB\n"
83630 "MMUPageSize: %8lu kB\n"
83631 "Locked: %8lu kB\n",
83632+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83633+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
83634+#else
83635 (vma->vm_end - vma->vm_start) >> 10,
83636+#endif
83637 mss.resident >> 10,
83638 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
83639 mss.shared_clean >> 10,
83640@@ -1491,6 +1539,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
83641 char buffer[64];
83642 int nid;
83643
83644+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83645+ if (current->exec_id != m->exec_id) {
83646+ gr_log_badprocpid("numa_maps");
83647+ return 0;
83648+ }
83649+#endif
83650+
83651 if (!mm)
83652 return 0;
83653
83654@@ -1505,11 +1560,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
83655 mpol_to_str(buffer, sizeof(buffer), proc_priv->task_mempolicy);
83656 }
83657
83658+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83659+ seq_printf(m, "%08lx %s", PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : vma->vm_start, buffer);
83660+#else
83661 seq_printf(m, "%08lx %s", vma->vm_start, buffer);
83662+#endif
83663
83664 if (file) {
83665 seq_puts(m, " file=");
83666- seq_file_path(m, file, "\n\t= ");
83667+ seq_file_path(m, file, "\n\t\\= ");
83668 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
83669 seq_puts(m, " heap");
83670 } else {
83671diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
83672index e0d64c9..c44c96e 100644
83673--- a/fs/proc/task_nommu.c
83674+++ b/fs/proc/task_nommu.c
83675@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
83676 else
83677 bytes += kobjsize(mm);
83678
83679- if (current->fs && current->fs->users > 1)
83680+ if (current->fs && atomic_read(&current->fs->users) > 1)
83681 sbytes += kobjsize(current->fs);
83682 else
83683 bytes += kobjsize(current->fs);
83684@@ -180,7 +180,7 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma,
83685
83686 if (file) {
83687 seq_pad(m, ' ');
83688- seq_file_path(m, file, "");
83689+ seq_file_path(m, file, "\n\\");
83690 } else if (mm) {
83691 pid_t tid = pid_of_stack(priv, vma, is_pid);
83692
83693diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
83694index 4e61388..1a2523d 100644
83695--- a/fs/proc/vmcore.c
83696+++ b/fs/proc/vmcore.c
83697@@ -105,9 +105,13 @@ static ssize_t read_from_oldmem(char *buf, size_t count,
83698 nr_bytes = count;
83699
83700 /* If pfn is not ram, return zeros for sparse dump files */
83701- if (pfn_is_ram(pfn) == 0)
83702- memset(buf, 0, nr_bytes);
83703- else {
83704+ if (pfn_is_ram(pfn) == 0) {
83705+ if (userbuf) {
83706+ if (clear_user((char __force_user *)buf, nr_bytes))
83707+ return -EFAULT;
83708+ } else
83709+ memset(buf, 0, nr_bytes);
83710+ } else {
83711 tmp = copy_oldmem_page(pfn, buf, nr_bytes,
83712 offset, userbuf);
83713 if (tmp < 0)
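Review bot: In the new zero-fill branch the inner `if (userbuf) { ... } else` leaves `memset(buf, 0, nr_bytes);` unbraced although the other arm is braced; kernel style asks for braces on both arms once either needs them, i.e. `} else {` / `memset(buf, 0, nr_bytes);` / `}`. The existing comment still only explains the sparse-dump case, so I would extend it with `/* buf may be a user pointer, in which case it must be cleared with clear_user() */`. read_from_oldmem starts and ends outside this hunk.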
83714@@ -170,7 +174,7 @@ int __weak remap_oldmem_pfn_range(struct vm_area_struct *vma,
83715 static int copy_to(void *target, void *src, size_t size, int userbuf)
83716 {
83717 if (userbuf) {
83718- if (copy_to_user((char __user *) target, src, size))
83719+ if (copy_to_user((char __force_user *) target, src, size))
83720 return -EFAULT;
83721 } else {
83722 memcpy(target, src, size);
83723@@ -233,7 +237,7 @@ static ssize_t __read_vmcore(char *buffer, size_t buflen, loff_t *fpos,
83724 if (*fpos < m->offset + m->size) {
83725 tsz = min_t(size_t, m->offset + m->size - *fpos, buflen);
83726 start = m->paddr + *fpos - m->offset;
83727- tmp = read_from_oldmem(buffer, tsz, &start, userbuf);
83728+ tmp = read_from_oldmem((char __force_kernel *)buffer, tsz, &start, userbuf);
83729 if (tmp < 0)
83730 return tmp;
83731 buflen -= tsz;
83732@@ -253,7 +257,7 @@ static ssize_t __read_vmcore(char *buffer, size_t buflen, loff_t *fpos,
83733 static ssize_t read_vmcore(struct file *file, char __user *buffer,
83734 size_t buflen, loff_t *fpos)
83735 {
83736- return __read_vmcore((__force char *) buffer, buflen, fpos, 1);
83737+ return __read_vmcore((__force_kernel char *) buffer, buflen, fpos, 1);
83738 }
83739
83740 /*
83741diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h
83742index d3fb2b6..43a8140 100644
83743--- a/fs/qnx6/qnx6.h
83744+++ b/fs/qnx6/qnx6.h
83745@@ -74,7 +74,7 @@ enum {
83746 BYTESEX_BE,
83747 };
83748
83749-static inline __u64 fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
83750+static inline __u64 __intentional_overflow(-1) fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
83751 {
83752 if (sbi->s_bytesex == BYTESEX_LE)
83753 return le64_to_cpu((__force __le64)n);
83754@@ -90,7 +90,7 @@ static inline __fs64 cpu_to_fs64(struct qnx6_sb_info *sbi, __u64 n)
83755 return (__force __fs64)cpu_to_be64(n);
83756 }
83757
83758-static inline __u32 fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
83759+static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
83760 {
83761 if (sbi->s_bytesex == BYTESEX_LE)
83762 return le32_to_cpu((__force __le32)n);
83763diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c
83764index bb2869f..d34ada8 100644
83765--- a/fs/quota/netlink.c
83766+++ b/fs/quota/netlink.c
83767@@ -44,7 +44,7 @@ static struct genl_family quota_genl_family = {
83768 void quota_send_warning(struct kqid qid, dev_t dev,
83769 const char warntype)
83770 {
83771- static atomic_t seq;
83772+ static atomic_unchecked_t seq;
83773 struct sk_buff *skb;
83774 void *msg_head;
83775 int ret;
83776@@ -60,7 +60,7 @@ void quota_send_warning(struct kqid qid, dev_t dev,
83777 "VFS: Not enough memory to send quota warning.\n");
83778 return;
83779 }
83780- msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
83781+ msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
83782 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
83783 if (!msg_head) {
83784 printk(KERN_ERR
83785diff --git a/fs/read_write.c b/fs/read_write.c
83786index 819ef3f..f07222d 100644
83787--- a/fs/read_write.c
83788+++ b/fs/read_write.c
83789@@ -505,7 +505,7 @@ ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t
83790
83791 old_fs = get_fs();
83792 set_fs(get_ds());
83793- p = (__force const char __user *)buf;
83794+ p = (const char __force_user *)buf;
83795 if (count > MAX_RW_COUNT)
83796 count = MAX_RW_COUNT;
83797 ret = __vfs_write(file, p, count, pos);
83798diff --git a/fs/readdir.c b/fs/readdir.c
83799index ced6791..936687b 100644
83800--- a/fs/readdir.c
83801+++ b/fs/readdir.c
83802@@ -18,6 +18,7 @@
83803 #include <linux/security.h>
83804 #include <linux/syscalls.h>
83805 #include <linux/unistd.h>
83806+#include <linux/namei.h>
83807
83808 #include <asm/uaccess.h>
83809
83810@@ -71,6 +72,7 @@ struct old_linux_dirent {
83811 struct readdir_callback {
83812 struct dir_context ctx;
83813 struct old_linux_dirent __user * dirent;
83814+ struct file * file;
83815 int result;
83816 };
83817
83818@@ -89,6 +91,10 @@ static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
83819 buf->result = -EOVERFLOW;
83820 return -EOVERFLOW;
83821 }
83822+
83823+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83824+ return 0;
83825+
83826 buf->result++;
83827 dirent = buf->dirent;
83828 if (!access_ok(VERIFY_WRITE, dirent,
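Review bot: The `gr_acl_handle_filldir()` test is placed after the `-EOVERFLOW` return shown in the context lines, so an entry the filter would drop can still end the listing with an error before the filter is consulted. If filtered entries are meant to have no observable effect, the test belongs ahead of that check (the overflow condition itself is outside this hunk, so this is worth confirming); the same ordering appears in the filldir hunk, and filldir64 places it after the `reclen > buf->count` return. A comment on the call, `/* returning 0 skips this entry and continues the iteration */`, would also make the callback's return convention explicit.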
83829@@ -120,6 +126,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
83830 if (!f.file)
83831 return -EBADF;
83832
83833+ buf.file = f.file;
83834 error = iterate_dir(f.file, &buf.ctx);
83835 if (buf.result)
83836 error = buf.result;
83837@@ -145,6 +152,7 @@ struct getdents_callback {
83838 struct dir_context ctx;
83839 struct linux_dirent __user * current_dir;
83840 struct linux_dirent __user * previous;
83841+ struct file * file;
83842 int count;
83843 int error;
83844 };
83845@@ -167,6 +175,10 @@ static int filldir(struct dir_context *ctx, const char *name, int namlen,
83846 buf->error = -EOVERFLOW;
83847 return -EOVERFLOW;
83848 }
83849+
83850+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83851+ return 0;
83852+
83853 dirent = buf->previous;
83854 if (dirent) {
83855 if (__put_user(offset, &dirent->d_off))
83856@@ -212,6 +224,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
83857 if (!f.file)
83858 return -EBADF;
83859
83860+ buf.file = f.file;
83861 error = iterate_dir(f.file, &buf.ctx);
83862 if (error >= 0)
83863 error = buf.error;
83864@@ -230,6 +243,7 @@ struct getdents_callback64 {
83865 struct dir_context ctx;
83866 struct linux_dirent64 __user * current_dir;
83867 struct linux_dirent64 __user * previous;
83868+ struct file *file;
83869 int count;
83870 int error;
83871 };
83872@@ -246,6 +260,10 @@ static int filldir64(struct dir_context *ctx, const char *name, int namlen,
83873 buf->error = -EINVAL; /* only used if we fail.. */
83874 if (reclen > buf->count)
83875 return -EINVAL;
83876+
83877+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83878+ return 0;
83879+
83880 dirent = buf->previous;
83881 if (dirent) {
83882 if (__put_user(offset, &dirent->d_off))
83883@@ -293,6 +311,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
83884 if (!f.file)
83885 return -EBADF;
83886
83887+ buf.file = f.file;
83888 error = iterate_dir(f.file, &buf.ctx);
83889 if (error >= 0)
83890 error = buf.error;
83891diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
83892index 9c02d96..6562c10 100644
83893--- a/fs/reiserfs/do_balan.c
83894+++ b/fs/reiserfs/do_balan.c
83895@@ -1887,7 +1887,7 @@ void do_balance(struct tree_balance *tb, struct item_head *ih,
83896 return;
83897 }
83898
83899- atomic_inc(&fs_generation(tb->tb_sb));
83900+ atomic_inc_unchecked(&fs_generation(tb->tb_sb));
83901 do_balance_starts(tb);
83902
83903 /*
83904diff --git a/fs/reiserfs/item_ops.c b/fs/reiserfs/item_ops.c
83905index aca73dd..e3c558d 100644
83906--- a/fs/reiserfs/item_ops.c
83907+++ b/fs/reiserfs/item_ops.c
83908@@ -724,18 +724,18 @@ static void errcatch_print_vi(struct virtual_item *vi)
83909 }
83910
83911 static struct item_operations errcatch_ops = {
83912- errcatch_bytes_number,
83913- errcatch_decrement_key,
83914- errcatch_is_left_mergeable,
83915- errcatch_print_item,
83916- errcatch_check_item,
83917+ .bytes_number = errcatch_bytes_number,
83918+ .decrement_key = errcatch_decrement_key,
83919+ .is_left_mergeable = errcatch_is_left_mergeable,
83920+ .print_item = errcatch_print_item,
83921+ .check_item = errcatch_check_item,
83922
83923- errcatch_create_vi,
83924- errcatch_check_left,
83925- errcatch_check_right,
83926- errcatch_part_size,
83927- errcatch_unit_num,
83928- errcatch_print_vi
83929+ .create_vi = errcatch_create_vi,
83930+ .check_left = errcatch_check_left,
83931+ .check_right = errcatch_check_right,
83932+ .part_size = errcatch_part_size,
83933+ .unit_num = errcatch_unit_num,
83934+ .print_vi = errcatch_print_vi
83935 };
83936
83937 #if ! (TYPE_STAT_DATA == 0 && TYPE_INDIRECT == 1 && TYPE_DIRECT == 2 && TYPE_DIRENTRY == 3)
83938diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
83939index 621b9f3..af527fd 100644
83940--- a/fs/reiserfs/procfs.c
83941+++ b/fs/reiserfs/procfs.c
83942@@ -114,7 +114,7 @@ static int show_super(struct seq_file *m, void *unused)
83943 "SMALL_TAILS " : "NO_TAILS ",
83944 replay_only(sb) ? "REPLAY_ONLY " : "",
83945 convert_reiserfs(sb) ? "CONV " : "",
83946- atomic_read(&r->s_generation_counter),
83947+ atomic_read_unchecked(&r->s_generation_counter),
83948 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
83949 SF(s_do_balance), SF(s_unneeded_left_neighbor),
83950 SF(s_good_search_by_key_reada), SF(s_bmaps),
83951diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h
83952index 2adcde1..7d27bc8 100644
83953--- a/fs/reiserfs/reiserfs.h
83954+++ b/fs/reiserfs/reiserfs.h
83955@@ -580,7 +580,7 @@ struct reiserfs_sb_info {
83956 /* Comment? -Hans */
83957 wait_queue_head_t s_wait;
83958 /* increased by one every time the tree gets re-balanced */
83959- atomic_t s_generation_counter;
83960+ atomic_unchecked_t s_generation_counter;
83961
83962 /* File system properties. Currently holds on-disk FS format */
83963 unsigned long s_properties;
83964@@ -2300,7 +2300,7 @@ static inline loff_t max_reiserfs_offset(struct inode *inode)
83965 #define REISERFS_USER_MEM 1 /* user memory mode */
83966
83967 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
83968-#define get_generation(s) atomic_read (&fs_generation(s))
83969+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
83970 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
83971 #define __fs_changed(gen,s) (gen != get_generation (s))
83972 #define fs_changed(gen,s) \
83973diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
83974index 4a62fe8..5dc2f5f 100644
83975--- a/fs/reiserfs/super.c
83976+++ b/fs/reiserfs/super.c
83977@@ -1870,6 +1870,10 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
83978 sbi->s_mount_opt |= (1 << REISERFS_SMALLTAIL);
83979 sbi->s_mount_opt |= (1 << REISERFS_ERROR_RO);
83980 sbi->s_mount_opt |= (1 << REISERFS_BARRIER_FLUSH);
83981+#ifdef CONFIG_REISERFS_FS_XATTR
83982+ /* turn on user xattrs by default */
83983+ sbi->s_mount_opt |= (1 << REISERFS_XATTRS_USER);
83984+#endif
83985 /* no preallocation minimum, be smart in reiserfs_file_write instead */
83986 sbi->s_alloc_options.preallocmin = 0;
83987 /* Preallocate by 16 blocks (17-1) at once */
83988diff --git a/fs/select.c b/fs/select.c
83989index 0155473..29d751f 100644
83990--- a/fs/select.c
83991+++ b/fs/select.c
83992@@ -20,6 +20,7 @@
83993 #include <linux/export.h>
83994 #include <linux/slab.h>
83995 #include <linux/poll.h>
83996+#include <linux/security.h>
83997 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
83998 #include <linux/file.h>
83999 #include <linux/fdtable.h>
84000@@ -880,6 +881,7 @@ int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
84001 struct poll_list *walk = head;
84002 unsigned long todo = nfds;
84003
84004+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
84005 if (nfds > rlimit(RLIMIT_NOFILE))
84006 return -EINVAL;
84007
84008diff --git a/fs/seq_file.c b/fs/seq_file.c
84009index ce9e39f..5c5a436 100644
84010--- a/fs/seq_file.c
84011+++ b/fs/seq_file.c
84012@@ -12,6 +12,8 @@
84013 #include <linux/slab.h>
84014 #include <linux/cred.h>
84015 #include <linux/mm.h>
84016+#include <linux/sched.h>
84017+#include <linux/grsecurity.h>
84018
84019 #include <asm/uaccess.h>
84020 #include <asm/page.h>
84021@@ -29,9 +31,9 @@ static void *seq_buf_alloc(unsigned long size)
84022 * __GFP_NORETRY to avoid oom-killings with high-order allocations -
84023 * it's better to fall back to vmalloc() than to kill things.
84024 */
84025- buf = kmalloc(size, GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN);
84026+ buf = kmalloc(size, GFP_KERNEL | GFP_USERCOPY | __GFP_NORETRY | __GFP_NOWARN);
84027 if (!buf && size > PAGE_SIZE)
84028- buf = vmalloc(size);
84029+ buf = vmalloc_usercopy(size);
84030 return buf;
84031 }
84032
84033@@ -68,6 +70,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
84034 #ifdef CONFIG_USER_NS
84035 p->user_ns = file->f_cred->user_ns;
84036 #endif
84037+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
84038+ p->exec_id = current->exec_id;
84039+#endif
84040
84041 /*
84042 * Wrappers around seq_open(e.g. swaps_open) need to be
84043@@ -90,6 +95,16 @@ int seq_open(struct file *file, const struct seq_operations *op)
84044 }
84045 EXPORT_SYMBOL(seq_open);
84046
84047+
84048+int seq_open_restrict(struct file *file, const struct seq_operations *op)
84049+{
84050+ if (gr_proc_is_restricted())
84051+ return -EACCES;
84052+
84053+ return seq_open(file, op);
84054+}
84055+EXPORT_SYMBOL(seq_open_restrict);
84056+
84057 static int traverse(struct seq_file *m, loff_t offset)
84058 {
84059 loff_t pos = 0, index;
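Review bot: `seq_open_restrict()` is a new exported entry point with no comment telling a caller when to choose it over `seq_open()`, and the same holds for `single_open_restrict()` added further down in this file. I would put a kernel-doc block above each stating that the open fails with `-EACCES` when `gr_proc_is_restricted()` reports the caller as restricted and otherwise behaves exactly like the unrestricted variant. As far as this function shows, the check is made only at open time, so the comment should say whether a descriptor opened by an unrestricted task is meant to stay readable after it is handed to another task. What `gr_proc_is_restricted()` actually tests is not visible here, so the wording needs confirming against its definition.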
84060@@ -161,7 +176,7 @@ Eoverflow:
84061 ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
84062 {
84063 struct seq_file *m = file->private_data;
84064- size_t copied = 0;
84065+ ssize_t copied = 0;
84066 loff_t pos;
84067 size_t n;
84068 void *p;
84069@@ -575,7 +590,7 @@ static void single_stop(struct seq_file *p, void *v)
84070 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
84071 void *data)
84072 {
84073- struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
84074+ seq_operations_no_const *op = kzalloc(sizeof(*op), GFP_KERNEL);
84075 int res = -ENOMEM;
84076
84077 if (op) {
84078@@ -611,6 +626,17 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
84079 }
84080 EXPORT_SYMBOL(single_open_size);
84081
84082+int single_open_restrict(struct file *file, int (*show)(struct seq_file *, void *),
84083+ void *data)
84084+{
84085+ if (gr_proc_is_restricted())
84086+ return -EACCES;
84087+
84088+ return single_open(file, show, data);
84089+}
84090+EXPORT_SYMBOL(single_open_restrict);
84091+
84092+
84093 int single_release(struct inode *inode, struct file *file)
84094 {
84095 const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
84096diff --git a/fs/splice.c b/fs/splice.c
84097index 5fc1e50..6ae8957 100644
84098--- a/fs/splice.c
84099+++ b/fs/splice.c
84100@@ -192,7 +192,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
84101 pipe_lock(pipe);
84102
84103 for (;;) {
84104- if (!pipe->readers) {
84105+ if (!atomic_read(&pipe->readers)) {
84106 send_sig(SIGPIPE, current, 0);
84107 if (!ret)
84108 ret = -EPIPE;
84109@@ -215,7 +215,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
84110 page_nr++;
84111 ret += buf->len;
84112
84113- if (pipe->files)
84114+ if (atomic_read(&pipe->files))
84115 do_wakeup = 1;
84116
84117 if (!--spd->nr_pages)
84118@@ -246,9 +246,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
84119 do_wakeup = 0;
84120 }
84121
84122- pipe->waiting_writers++;
84123+ atomic_inc(&pipe->waiting_writers);
84124 pipe_wait(pipe);
84125- pipe->waiting_writers--;
84126+ atomic_dec(&pipe->waiting_writers);
84127 }
84128
84129 pipe_unlock(pipe);
84130@@ -579,7 +579,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
84131 old_fs = get_fs();
84132 set_fs(get_ds());
84133 /* The cast to a user pointer is valid due to the set_fs() */
84134- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
84135+ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
84136 set_fs(old_fs);
84137
84138 return res;
84139@@ -594,7 +594,7 @@ ssize_t kernel_write(struct file *file, const char *buf, size_t count,
84140 old_fs = get_fs();
84141 set_fs(get_ds());
84142 /* The cast to a user pointer is valid due to the set_fs() */
84143- res = vfs_write(file, (__force const char __user *)buf, count, &pos);
84144+ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
84145 set_fs(old_fs);
84146
84147 return res;
84148@@ -647,7 +647,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
84149 goto err;
84150
84151 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
84152- vec[i].iov_base = (void __user *) page_address(page);
84153+ vec[i].iov_base = (void __force_user *) page_address(page);
84154 vec[i].iov_len = this_len;
84155 spd.pages[i] = page;
84156 spd.nr_pages++;
84157@@ -786,7 +786,7 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
84158 ops->release(pipe, buf);
84159 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
84160 pipe->nrbufs--;
84161- if (pipe->files)
84162+ if (atomic_read(&pipe->files))
84163 sd->need_wakeup = true;
84164 }
84165
84166@@ -810,10 +810,10 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
84167 static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
84168 {
84169 while (!pipe->nrbufs) {
84170- if (!pipe->writers)
84171+ if (!atomic_read(&pipe->writers))
84172 return 0;
84173
84174- if (!pipe->waiting_writers && sd->num_spliced)
84175+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
84176 return 0;
84177
84178 if (sd->flags & SPLICE_F_NONBLOCK)
84179@@ -1028,7 +1028,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
84180 ops->release(pipe, buf);
84181 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
84182 pipe->nrbufs--;
84183- if (pipe->files)
84184+ if (atomic_read(&pipe->files))
84185 sd.need_wakeup = true;
84186 } else {
84187 buf->offset += ret;
84188@@ -1188,7 +1188,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
84189 * out of the pipe right after the splice_to_pipe(). So set
84190 * PIPE_READERS appropriately.
84191 */
84192- pipe->readers = 1;
84193+ atomic_set(&pipe->readers, 1);
84194
84195 current->splice_pipe = pipe;
84196 }
84197@@ -1495,6 +1495,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
84198
84199 partial[buffers].offset = off;
84200 partial[buffers].len = plen;
84201+ partial[buffers].private = 0;
84202
84203 off = 0;
84204 len -= plen;
84205@@ -1726,9 +1727,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
84206 ret = -ERESTARTSYS;
84207 break;
84208 }
84209- if (!pipe->writers)
84210+ if (!atomic_read(&pipe->writers))
84211 break;
84212- if (!pipe->waiting_writers) {
84213+ if (!atomic_read(&pipe->waiting_writers)) {
84214 if (flags & SPLICE_F_NONBLOCK) {
84215 ret = -EAGAIN;
84216 break;
84217@@ -1760,7 +1761,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
84218 pipe_lock(pipe);
84219
84220 while (pipe->nrbufs >= pipe->buffers) {
84221- if (!pipe->readers) {
84222+ if (!atomic_read(&pipe->readers)) {
84223 send_sig(SIGPIPE, current, 0);
84224 ret = -EPIPE;
84225 break;
84226@@ -1773,9 +1774,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
84227 ret = -ERESTARTSYS;
84228 break;
84229 }
84230- pipe->waiting_writers++;
84231+ atomic_inc(&pipe->waiting_writers);
84232 pipe_wait(pipe);
84233- pipe->waiting_writers--;
84234+ atomic_dec(&pipe->waiting_writers);
84235 }
84236
84237 pipe_unlock(pipe);
84238@@ -1811,14 +1812,14 @@ retry:
84239 pipe_double_lock(ipipe, opipe);
84240
84241 do {
84242- if (!opipe->readers) {
84243+ if (!atomic_read(&opipe->readers)) {
84244 send_sig(SIGPIPE, current, 0);
84245 if (!ret)
84246 ret = -EPIPE;
84247 break;
84248 }
84249
84250- if (!ipipe->nrbufs && !ipipe->writers)
84251+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
84252 break;
84253
84254 /*
84255@@ -1915,7 +1916,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
84256 pipe_double_lock(ipipe, opipe);
84257
84258 do {
84259- if (!opipe->readers) {
84260+ if (!atomic_read(&opipe->readers)) {
84261 send_sig(SIGPIPE, current, 0);
84262 if (!ret)
84263 ret = -EPIPE;
84264@@ -1960,7 +1961,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
84265 * return EAGAIN if we have the potential of some data in the
84266 * future, otherwise just return 0
84267 */
84268- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
84269+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
84270 ret = -EAGAIN;
84271
84272 pipe_unlock(ipipe);
84273diff --git a/fs/squashfs/xattr.c b/fs/squashfs/xattr.c
84274index e5e0ddf..09598c4 100644
84275--- a/fs/squashfs/xattr.c
84276+++ b/fs/squashfs/xattr.c
84277@@ -46,8 +46,8 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
84278 + msblk->xattr_table;
84279 int offset = SQUASHFS_XATTR_OFFSET(squashfs_i(inode)->xattr);
84280 int count = squashfs_i(inode)->xattr_count;
84281- size_t rest = buffer_size;
84282- int err;
84283+ size_t used = 0;
84284+ ssize_t err;
84285
84286 /* check that the file system has xattrs */
84287 if (msblk->xattr_id_table == NULL)
84288@@ -68,11 +68,11 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
84289 name_size = le16_to_cpu(entry.size);
84290 handler = squashfs_xattr_handler(le16_to_cpu(entry.type));
84291 if (handler)
84292- prefix_size = handler->list(d, buffer, rest, NULL,
84293+ prefix_size = handler->list(d, buffer, buffer ? buffer_size - used : 0, NULL,
84294 name_size, handler->flags);
84295 if (prefix_size) {
84296 if (buffer) {
84297- if (prefix_size + name_size + 1 > rest) {
84298+ if (prefix_size + name_size + 1 > buffer_size - used) {
84299 err = -ERANGE;
84300 goto failed;
84301 }
84302@@ -86,7 +86,7 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
84303 buffer[name_size] = '\0';
84304 buffer += name_size + 1;
84305 }
84306- rest -= prefix_size + name_size + 1;
84307+ used += prefix_size + name_size + 1;
84308 } else {
84309 /* no handler or insuffficient privileges, so skip */
84310 err = squashfs_read_metadata(sb, NULL, &start,
84311@@ -107,7 +107,7 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
84312 if (err < 0)
84313 goto failed;
84314 }
84315- err = buffer_size - rest;
84316+ err = used;
84317
84318 failed:
84319 return err;
84320diff --git a/fs/stat.c b/fs/stat.c
84321index cccc1aa..7fe8951 100644
84322--- a/fs/stat.c
84323+++ b/fs/stat.c
84324@@ -28,8 +28,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
84325 stat->gid = inode->i_gid;
84326 stat->rdev = inode->i_rdev;
84327 stat->size = i_size_read(inode);
84328- stat->atime = inode->i_atime;
84329- stat->mtime = inode->i_mtime;
84330+ if (is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) {
84331+ stat->atime = inode->i_ctime;
84332+ stat->mtime = inode->i_ctime;
84333+ } else {
84334+ stat->atime = inode->i_atime;
84335+ stat->mtime = inode->i_mtime;
84336+ }
84337 stat->ctime = inode->i_ctime;
84338 stat->blksize = (1 << inode->i_blkbits);
84339 stat->blocks = inode->i_blocks;
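Review bot: Nothing in `generic_fillattr()` says why atime and mtime are replaced by ctime when `is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)` holds, and the same uncommented test is repeated in the `vfs_getattr_nosec()` hunk below. A comment at both sites, for example `/* report ctime as atime/mtime so callers without CAP_MKNOD cannot time activity on the device */`, would record the intent; that reading is inferred from the helper's name, since `is_sidechannel_device()` is defined outside this diff section. The two copies also differ in a small way: this one reads `inode->i_ctime` while the other reads `stat->ctime` after the filesystem's `getattr` has run, and it is worth stating whether that difference is deliberate. A filesystem `getattr` that itself calls `generic_fillattr()` gets the substitution applied twice, which looks harmless but is easy to miss. Both function bodies extend beyond their hunks.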
84340@@ -52,9 +57,16 @@ EXPORT_SYMBOL(generic_fillattr);
84341 int vfs_getattr_nosec(struct path *path, struct kstat *stat)
84342 {
84343 struct inode *inode = d_backing_inode(path->dentry);
84344+ int retval;
84345
84346- if (inode->i_op->getattr)
84347- return inode->i_op->getattr(path->mnt, path->dentry, stat);
84348+ if (inode->i_op->getattr) {
84349+ retval = inode->i_op->getattr(path->mnt, path->dentry, stat);
84350+ if (!retval && is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) {
84351+ stat->atime = stat->ctime;
84352+ stat->mtime = stat->ctime;
84353+ }
84354+ return retval;
84355+ }
84356
84357 generic_fillattr(inode, stat);
84358 return 0;
84359diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
84360index 94374e4..b5da3a1 100644
84361--- a/fs/sysfs/dir.c
84362+++ b/fs/sysfs/dir.c
84363@@ -33,6 +33,10 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
84364 kfree(buf);
84365 }
84366
84367+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
84368+extern int grsec_enable_sysfs_restrict;
84369+#endif
84370+
84371 /**
84372 * sysfs_create_dir_ns - create a directory for an object with a namespace tag
84373 * @kobj: object we're creating directory for
84374@@ -41,9 +45,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
84375 int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
84376 {
84377 struct kernfs_node *parent, *kn;
84378+ const char *name;
84379+ umode_t mode = S_IRWXU | S_IRUGO | S_IXUGO;
84380+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
84381+ const char *parent_name;
84382+#endif
84383
84384 BUG_ON(!kobj);
84385
84386+ name = kobject_name(kobj);
84387+
84388 if (kobj->parent)
84389 parent = kobj->parent->sd;
84390 else
84391@@ -52,11 +63,24 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
84392 if (!parent)
84393 return -ENOENT;
84394
84395- kn = kernfs_create_dir_ns(parent, kobject_name(kobj),
84396- S_IRWXU | S_IRUGO | S_IXUGO, kobj, ns);
84397+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
84398+ parent_name = parent->name;
84399+ mode = S_IRWXU;
84400+
84401+ if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) ||
84402+ (!strcmp(parent_name, "devices") && !strcmp(name, "system")) ||
84403+ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) ||
84404+ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
84405+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
84406+ if (!grsec_enable_sysfs_restrict)
84407+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
84408+#endif
84409+
84410+ kn = kernfs_create_dir_ns(parent, name,
84411+ mode, kobj, ns);
84412 if (IS_ERR(kn)) {
84413 if (PTR_ERR(kn) == -EEXIST)
84414- sysfs_warn_dup(parent, kobject_name(kobj));
84415+ sysfs_warn_dup(parent, name);
84416 return PTR_ERR(kn);
84417 }
84418
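Review bot: In the `CONFIG_GRKERNSEC_SYSFS_RESTRICT` block `mode` is dropped to `S_IRWXU`, restored by the name whitelist, then restored again when `grsec_enable_sysfs_restrict` is zero, so the `strcmp()` chain runs even with the feature switched off and the result takes three assignments to follow. Wrapping the restriction in `if (grsec_enable_sysfs_restrict) {` and leaving the initialiser as the default removes the last assignment and skips the comparisons when they cannot matter. The whitelist matches only the directory's own name and its immediate parent's name, so any kobject called `cpu` under a parent called `system` is exempted wherever it sits in the tree; a comment should say whether that is intended. The `extern int grsec_enable_sysfs_restrict;` added in the first hunk of this file would normally be declared in a shared header rather than in the .c file. The function begins in the previous hunk and continues past this one.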
84419diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h
84420index 6c21228..9afd5fe 100644
84421--- a/fs/sysv/sysv.h
84422+++ b/fs/sysv/sysv.h
84423@@ -187,7 +187,7 @@ static inline u32 PDP_swab(u32 x)
84424 #endif
84425 }
84426
84427-static inline __u32 fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
84428+static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
84429 {
84430 if (sbi->s_bytesex == BYTESEX_PDP)
84431 return PDP_swab((__force __u32)n);
84432diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
84433index cbc8d5d..56d2600 100644
84434--- a/fs/tracefs/inode.c
84435+++ b/fs/tracefs/inode.c
84436@@ -53,7 +53,7 @@ static const struct file_operations tracefs_file_operations = {
84437 static struct tracefs_dir_ops {
84438 int (*mkdir)(const char *name);
84439 int (*rmdir)(const char *name);
84440-} tracefs_ops;
84441+} __no_const tracefs_ops __read_only;
84442
84443 static char *get_dname(struct dentry *dentry)
84444 {
84445@@ -490,8 +490,10 @@ struct dentry *tracefs_create_instance_dir(const char *name, struct dentry *pare
84446 if (!dentry)
84447 return NULL;
84448
84449- tracefs_ops.mkdir = mkdir;
84450- tracefs_ops.rmdir = rmdir;
84451+ pax_open_kernel();
84452+ *(void **)&tracefs_ops.mkdir = mkdir;
84453+ *(void **)&tracefs_ops.rmdir = rmdir;
84454+ pax_close_kernel();
84455
84456 return dentry;
84457 }
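Review bot: The two stores go through `*(void **)&tracefs_ops.mkdir` and `*(void **)&tracefs_ops.rmdir`, which discards the function-pointer type, so a mismatch between the `mkdir`/`rmdir` arguments and the `int (*)(const char *)` members would no longer be diagnosed by the compiler. The first hunk of this file marks the struct `__no_const`; if that leaves the members non-const, plain assignments such as `tracefs_ops.mkdir = mkdir;` inside the `pax_open_kernel()`/`pax_close_kernel()` pair should compile and keep the type check, though this depends on how `__no_const` and `__read_only` are defined outside this diff section. A one-line comment such as `/* tracefs_ops is __read_only; this is its only writer */` would explain the open/close pair to the next reader. The function begins outside the hunk.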
84458diff --git a/fs/udf/misc.c b/fs/udf/misc.c
84459index 71d1c25..084e2ad 100644
84460--- a/fs/udf/misc.c
84461+++ b/fs/udf/misc.c
84462@@ -288,7 +288,7 @@ void udf_new_tag(char *data, uint16_t ident, uint16_t version, uint16_t snum,
84463
84464 u8 udf_tag_checksum(const struct tag *t)
84465 {
84466- u8 *data = (u8 *)t;
84467+ const u8 *data = (const u8 *)t;
84468 u8 checksum = 0;
84469 int i;
84470 for (i = 0; i < sizeof(struct tag); ++i)
84471diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h
84472index 8d974c4..b82f6ec 100644
84473--- a/fs/ufs/swab.h
84474+++ b/fs/ufs/swab.h
84475@@ -22,7 +22,7 @@ enum {
84476 BYTESEX_BE
84477 };
84478
84479-static inline u64
84480+static inline u64 __intentional_overflow(-1)
84481 fs64_to_cpu(struct super_block *sbp, __fs64 n)
84482 {
84483 if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
84484@@ -40,7 +40,7 @@ cpu_to_fs64(struct super_block *sbp, u64 n)
84485 return (__force __fs64)cpu_to_be64(n);
84486 }
84487
84488-static inline u32
84489+static inline u32 __intentional_overflow(-1)
84490 fs32_to_cpu(struct super_block *sbp, __fs32 n)
84491 {
84492 if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
84493diff --git a/fs/utimes.c b/fs/utimes.c
84494index aa138d6..5f3a811 100644
84495--- a/fs/utimes.c
84496+++ b/fs/utimes.c
84497@@ -1,6 +1,7 @@
84498 #include <linux/compiler.h>
84499 #include <linux/file.h>
84500 #include <linux/fs.h>
84501+#include <linux/security.h>
84502 #include <linux/linkage.h>
84503 #include <linux/mount.h>
84504 #include <linux/namei.h>
84505@@ -103,6 +104,12 @@ static int utimes_common(struct path *path, struct timespec *times)
84506 }
84507 }
84508 retry_deleg:
84509+
84510+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
84511+ error = -EACCES;
84512+ goto mnt_drop_write_and_out;
84513+ }
84514+
84515 mutex_lock(&inode->i_mutex);
84516 error = notify_change(path->dentry, &newattrs, &delegated_inode);
84517 mutex_unlock(&inode->i_mutex);
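Review bot: The `gr_acl_handle_utime()` check sits after the `retry_deleg:` label, so it would be evaluated again whenever the delegation-retry path (outside this hunk) jumps back to the label. If the handler logs or audits its decisions, which cannot be confirmed from here, a retried call would be recorded more than once for a single syscall. Moving the four added lines above `retry_deleg:` evaluates policy once per call and leaves the retry loop as it was upstream. `utimes_common()` starts and ends outside the hunk.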
84518diff --git a/fs/xattr.c b/fs/xattr.c
84519index 072fee1..9e497b0 100644
84520--- a/fs/xattr.c
84521+++ b/fs/xattr.c
84522@@ -227,6 +227,27 @@ int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name,
84523 return rc;
84524 }
84525
84526+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
84527+ssize_t
84528+pax_getxattr(struct dentry *dentry, void *value, size_t size)
84529+{
84530+ struct inode *inode = dentry->d_inode;
84531+ ssize_t error;
84532+
84533+ error = inode_permission(inode, MAY_EXEC);
84534+ if (error)
84535+ return error;
84536+
84537+ if (inode->i_op->getxattr)
84538+ error = inode->i_op->getxattr(dentry, XATTR_NAME_PAX_FLAGS, value, size);
84539+ else
84540+ error = -EOPNOTSUPP;
84541+
84542+ return error;
84543+}
84544+EXPORT_SYMBOL(pax_getxattr);
84545+#endif
84546+
84547 ssize_t
84548 vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
84549 {
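Review bot: `pax_getxattr()` calls `inode->i_op->getxattr` directly after an `inode_permission(inode, MAY_EXEC)` check, with no comment explaining why it keys on execute permission or why it does not go through `vfs_getxattr()`, whose body lies outside this hunk. Since this is an exported function reading a security-relevant attribute (`XATTR_NAME_PAX_FLAGS`), I would add a kernel-doc block naming the intended caller, stating that the permission model is "may execute the file" rather than "may read the attribute", and saying whether bypassing the checks on the generic path is deliberate. The same block should give the return contract: a negative errno from the permission check, `-EOPNOTSUPP` when the filesystem has no `getxattr` operation, otherwise whatever the filesystem handler returns.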
84550@@ -319,7 +340,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
84551 * Extended attribute SET operations
84552 */
84553 static long
84554-setxattr(struct dentry *d, const char __user *name, const void __user *value,
84555+setxattr(struct path *path, const char __user *name, const void __user *value,
84556 size_t size, int flags)
84557 {
84558 int error;
84559@@ -355,7 +376,12 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
84560 posix_acl_fix_xattr_from_user(kvalue, size);
84561 }
84562
84563- error = vfs_setxattr(d, kname, kvalue, size, flags);
84564+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
84565+ error = -EACCES;
84566+ goto out;
84567+ }
84568+
84569+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
84570 out:
84571 if (vvalue)
84572 vfree(vvalue);
84573@@ -376,7 +402,7 @@ retry:
84574 return error;
84575 error = mnt_want_write(path.mnt);
84576 if (!error) {
84577- error = setxattr(path.dentry, name, value, size, flags);
84578+ error = setxattr(&path, name, value, size, flags);
84579 mnt_drop_write(path.mnt);
84580 }
84581 path_put(&path);
84582@@ -412,7 +438,7 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name,
84583 audit_file(f.file);
84584 error = mnt_want_write_file(f.file);
84585 if (!error) {
84586- error = setxattr(f.file->f_path.dentry, name, value, size, flags);
84587+ error = setxattr(&f.file->f_path, name, value, size, flags);
84588 mnt_drop_write_file(f.file);
84589 }
84590 fdput(f);
84591@@ -598,7 +624,7 @@ SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)
84592 * Extended attribute REMOVE operations
84593 */
84594 static long
84595-removexattr(struct dentry *d, const char __user *name)
84596+removexattr(struct path *path, const char __user *name)
84597 {
84598 int error;
84599 char kname[XATTR_NAME_MAX + 1];
84600@@ -609,7 +635,10 @@ removexattr(struct dentry *d, const char __user *name)
84601 if (error < 0)
84602 return error;
84603
84604- return vfs_removexattr(d, kname);
84605+ if (!gr_acl_handle_removexattr(path->dentry, path->mnt))
84606+ return -EACCES;
84607+
84608+ return vfs_removexattr(path->dentry, kname);
84609 }
84610
84611 static int path_removexattr(const char __user *pathname,
84612@@ -623,7 +652,7 @@ retry:
84613 return error;
84614 error = mnt_want_write(path.mnt);
84615 if (!error) {
84616- error = removexattr(path.dentry, name);
84617+ error = removexattr(&path, name);
84618 mnt_drop_write(path.mnt);
84619 }
84620 path_put(&path);
84621@@ -649,14 +678,16 @@ SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname,
84622 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
84623 {
84624 struct fd f = fdget(fd);
84625+ struct path *path;
84626 int error = -EBADF;
84627
84628 if (!f.file)
84629 return error;
84630+ path = &f.file->f_path;
84631 audit_file(f.file);
84632 error = mnt_want_write_file(f.file);
84633 if (!error) {
84634- error = removexattr(f.file->f_path.dentry, name);
84635+ error = removexattr(path, name);
84636 mnt_drop_write_file(f.file);
84637 }
84638 fdput(f);
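Review bot: The new local `path` in `fremovexattr` is assigned once and used once, whereas the matching `fsetxattr` hunk above passes `&f.file->f_path` straight to its helper. For consistency between the two syscalls I would drop the local and write `error = removexattr(&f.file->f_path, name);`, which also keeps this hunk down to a single changed line.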
84639diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
84640index 63e05b6..249b043 100644
84641--- a/fs/xfs/libxfs/xfs_bmap.c
84642+++ b/fs/xfs/libxfs/xfs_bmap.c
84643@@ -554,7 +554,7 @@ xfs_bmap_validate_ret(
84644
84645 #else
84646 #define xfs_bmap_check_leaf_extents(cur, ip, whichfork) do { } while (0)
84647-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
84648+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do { } while (0)
84649 #endif /* DEBUG */
84650
84651 /*
84652diff --git a/fs/xfs/xfs_dir2_readdir.c b/fs/xfs/xfs_dir2_readdir.c
84653index 098cd78..724d3f8 100644
84654--- a/fs/xfs/xfs_dir2_readdir.c
84655+++ b/fs/xfs/xfs_dir2_readdir.c
84656@@ -140,7 +140,12 @@ xfs_dir2_sf_getdents(
84657 ino = dp->d_ops->sf_get_ino(sfp, sfep);
84658 filetype = dp->d_ops->sf_get_ftype(sfep);
84659 ctx->pos = off & 0x7fffffff;
84660- if (!dir_emit(ctx, (char *)sfep->name, sfep->namelen, ino,
84661+ if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
84662+ char name[sfep->namelen];
84663+ memcpy(name, sfep->name, sfep->namelen);
84664+ if (!dir_emit(ctx, name, sfep->namelen, ino, xfs_dir3_get_dtype(dp->i_mount, filetype)))
84665+ return 0;
84666+ } else if (!dir_emit(ctx, (char *)sfep->name, sfep->namelen, ino,
84667 xfs_dir3_get_dtype(dp->i_mount, filetype)))
84668 return 0;
84669 sfep = dp->d_ops->sf_nextentry(sfp, sfep);
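Review bot: `char name[sfep->namelen];` is a variable-length array on the kernel stack sized by a field read from the directory entry, and a corrupted entry with `namelen` of zero would make it a zero-length VLA, which C leaves undefined. `namelen` appears to be a single-byte field, which would cap the array at 255 bytes, but a fixed buffer such as `char name[MAXNAMELEN];` makes the bound explicit and avoids both issues; confirm the field's type before relying on that. Nothing in the hunk says why the name is copied only when `if_u1.if_data == if_u2.if_inline_data`, so a comment is needed, for example `/* inline fork data lives inside the inode object; bounce the name through the stack before it is copied out */`, checked against the usercopy restrictions this patch adds elsewhere. The duplicated `dir_emit()` call could be avoided by selecting the name pointer first and calling `dir_emit()` once. The enclosing loop and function start and end outside the hunk.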
84670diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
84671index ea7d85a..6d4b24b 100644
84672--- a/fs/xfs/xfs_ioctl.c
84673+++ b/fs/xfs/xfs_ioctl.c
84674@@ -120,7 +120,7 @@ xfs_find_handle(
84675 }
84676
84677 error = -EFAULT;
84678- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
84679+ if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
84680 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
84681 goto out_put;
84682
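Review bot: The new `hsize > sizeof handle` test is folded into the `copy_to_user()` condition, so an oversized `hsize` reaches the caller as `-EFAULT`, indistinguishable from a bad user pointer. `hsize` is presumably computed earlier in `xfs_find_handle()`, outside this hunk, in which case exceeding the size of `handle` points to a kernel-side logic error rather than a caller mistake. A separate line ahead of the copy, `if (WARN_ON_ONCE(hsize > sizeof(handle))) goto out_put;`, keeps the over-read guard while making that failure visible. Kernel style also writes `sizeof(handle)` with parentheses.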
84683diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
84684index 85f883d..db6eecc 100644
84685--- a/fs/xfs/xfs_linux.h
84686+++ b/fs/xfs/xfs_linux.h
84687@@ -211,7 +211,7 @@ static inline kgid_t xfs_gid_to_kgid(__uint32_t gid)
84688 * of the compiler which do not like us using do_div in the middle
84689 * of large functions.
84690 */
84691-static inline __u32 xfs_do_div(void *a, __u32 b, int n)
84692+static inline __u32 __intentional_overflow(-1) xfs_do_div(void *a, __u32 b, int n)
84693 {
84694 __u32 mod;
84695
84696@@ -267,7 +267,7 @@ static inline __u32 xfs_do_mod(void *a, __u32 b, int n)
84697 return 0;
84698 }
84699 #else
84700-static inline __u32 xfs_do_div(void *a, __u32 b, int n)
84701+static inline __u32 __intentional_overflow(-1) xfs_do_div(void *a, __u32 b, int n)
84702 {
84703 __u32 mod;
84704
84705diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
84706new file mode 100644
84707index 0000000..31f8fe4
84708--- /dev/null
84709+++ b/grsecurity/Kconfig
84710@@ -0,0 +1,1182 @@
84711+#
84712+# grecurity configuration
84713+#
84714+menu "Memory Protections"
84715+depends on GRKERNSEC
84716+
84717+config GRKERNSEC_KMEM
84718+ bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
84719+ default y if GRKERNSEC_CONFIG_AUTO
84720+ select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
84721+ help
84722+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
84723+ be written to or read from to modify or leak the contents of the running
84724+ kernel. /dev/port will also not be allowed to be opened, writing to
84725+ /dev/cpu/*/msr will be prevented, and support for kexec will be removed.
84726+ If you have module support disabled, enabling this will close up several
84727+ ways that are currently used to insert malicious code into the running
84728+ kernel.
84729+
84730+ Even with this feature enabled, we still highly recommend that
84731+ you use the RBAC system, as it is still possible for an attacker to
84732+ modify the running kernel through other more obscure methods.
84733+
84734+ It is highly recommended that you say Y here if you meet all the
84735+ conditions above.
84736+
84737+config GRKERNSEC_VM86
84738+ bool "Restrict VM86 mode"
84739+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
84740+ depends on X86_32
84741+
84742+ help
84743+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
84744+ make use of a special execution mode on 32bit x86 processors called
84745+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
84746+ video cards and will still work with this option enabled. The purpose
84747+ of the option is to prevent exploitation of emulation errors in
84748+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
84749+ Nearly all users should be able to enable this option.
84750+
84751+config GRKERNSEC_IO
84752+ bool "Disable privileged I/O"
84753+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
84754+ depends on X86
84755+ select RTC_CLASS
84756+ select RTC_INTF_DEV
84757+ select RTC_DRV_CMOS
84758+
84759+ help
84760+ If you say Y here, all ioperm and iopl calls will return an error.
84761+ Ioperm and iopl can be used to modify the running kernel.
84762+ Unfortunately, some programs need this access to operate properly,
84763+ the most notable of which are XFree86 and hwclock. hwclock can be
84764+ remedied by having RTC support in the kernel, so real-time
84765+ clock support is enabled if this option is enabled, to ensure
84766+ that hwclock operates correctly. If hwclock still does not work,
84767+ either update udev or symlink /dev/rtc to /dev/rtc0.
84768+
84769+ If you're using XFree86 or a version of Xorg from 2012 or earlier,
84770+ you may not be able to boot into a graphical environment with this
84771+ option enabled. In this case, you should use the RBAC system instead.
84772+
84773+config GRKERNSEC_BPF_HARDEN
84774+ bool "Harden BPF interpreter"
84775+ default y if GRKERNSEC_CONFIG_AUTO
84776+ help
84777+ Unlike previous versions of grsecurity that hardened both the BPF
84778+ interpreted code against corruption at rest as well as the JIT code
84779+ against JIT-spray attacks and attacker-controlled immediate values
84780+ for ROP, this feature will enforce disabling of the new eBPF JIT engine
84781+ and will ensure the interpreted code is read-only at rest. This feature
84782+ may be removed at a later time when eBPF stabilizes to entirely revert
84783+ back to the more secure pre-3.16 BPF interpreter/JIT.
84784+
84785+ If you're using KERNEXEC, it's recommended that you enable this option
84786+ to supplement the hardening of the kernel.
84787+
84788+config GRKERNSEC_PERF_HARDEN
84789+ bool "Disable unprivileged PERF_EVENTS usage by default"
84790+ default y if GRKERNSEC_CONFIG_AUTO
84791+ depends on PERF_EVENTS
84792+ help
84793+ If you say Y here, the range of acceptable values for the
84794+ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
84795+ default to a new value: 3. When the sysctl is set to this value, no
84796+ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
84797+
84798+ Though PERF_EVENTS can be used legitimately for performance monitoring
84799+ and low-level application profiling, it is forced on regardless of
84800+ configuration, has been at fault for several vulnerabilities, and
84801+ creates new opportunities for side channels and other information leaks.
84802+
84803+ This feature puts PERF_EVENTS into a secure default state and permits
84804+ the administrator to change out of it temporarily if unprivileged
84805+ application profiling is needed.
84806+
84807+config GRKERNSEC_RAND_THREADSTACK
84808+ bool "Insert random gaps between thread stacks"
84809+ default y if GRKERNSEC_CONFIG_AUTO
84810+ depends on PAX_RANDMMAP && !PPC
84811+ help
84812+ If you say Y here, a random-sized gap will be enforced between allocated
84813+ thread stacks. Glibc's NPTL and other threading libraries that
84814+ pass MAP_STACK to the kernel for thread stack allocation are supported.
84815+ The implementation currently provides 8 bits of entropy for the gap.
84816+
84817+ Many distributions do not compile threaded remote services with the
84818+ -fstack-check argument to GCC, causing the variable-sized stack-based
84819+ allocator, alloca(), to not probe the stack on allocation. This
84820+ permits an unbounded alloca() to skip over any guard page and potentially
84821+ modify another thread's stack reliably. An enforced random gap
84822+ reduces the reliability of such an attack and increases the chance
84823+ that such a read/write to another thread's stack instead lands in
84824+ an unmapped area, causing a crash and triggering grsecurity's
84825+ anti-bruteforcing logic.
84826+
84827+config GRKERNSEC_PROC_MEMMAP
84828+ bool "Harden ASLR against information leaks and entropy reduction"
84829+ default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR)
84830+ depends on PAX_NOEXEC || PAX_ASLR
84831+ help
84832+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
84833+ give no information about the addresses of its mappings if
84834+ PaX features that rely on random addresses are enabled on the task.
84835+ In addition to sanitizing this information and disabling other
84836+ dangerous sources of information, this option causes reads of sensitive
84837+ /proc/<pid> entries where the file descriptor was opened in a different
84838+ task than the one performing the read. Such attempts are logged.
84839+ This option also limits argv/env strings for suid/sgid binaries
84840+ to 512KB to prevent a complete exhaustion of the stack entropy provided
84841+ by ASLR. Finally, it places an 8MB stack resource limit on suid/sgid
84842+ binaries to prevent alternative mmap layouts from being abused.
84843+
84844+ If you use PaX it is essential that you say Y here as it closes up
84845+ several holes that make full ASLR useless locally.
84846+
84847+
84848+config GRKERNSEC_KSTACKOVERFLOW
84849+ bool "Prevent kernel stack overflows"
84850+ default y if GRKERNSEC_CONFIG_AUTO
84851+ depends on !IA64 && 64BIT
84852+ help
84853+ If you say Y here, the kernel's process stacks will be allocated
84854+ with vmalloc instead of the kernel's default allocator. This
84855+ introduces guard pages that in combination with the alloca checking
84856+ of the STACKLEAK feature prevents all forms of kernel process stack
84857+ overflow abuse. Note that this is different from kernel stack
84858+ buffer overflows.
84859+
84860+config GRKERNSEC_BRUTE
84861+ bool "Deter exploit bruteforcing"
84862+ default y if GRKERNSEC_CONFIG_AUTO
84863+ help
84864+ If you say Y here, attempts to bruteforce exploits against forking
84865+ daemons such as apache or sshd, as well as against suid/sgid binaries
84866+ will be deterred. When a child of a forking daemon is killed by PaX
84867+ or crashes due to an illegal instruction or other suspicious signal,
84868+ the parent process will be delayed 30 seconds upon every subsequent
84869+ fork until the administrator is able to assess the situation and
84870+ restart the daemon.
84871+ In the suid/sgid case, the attempt is logged, the user has all their
84872+ existing instances of the suid/sgid binary terminated and will
84873+ be unable to execute any suid/sgid binaries for 15 minutes.
84874+
84875+ It is recommended that you also enable signal logging in the auditing
84876+ section so that logs are generated when a process triggers a suspicious
84877+ signal.
84878+ If the sysctl option is enabled, a sysctl option with name
84879+ "deter_bruteforce" is created.
84880+
84881+config GRKERNSEC_MODHARDEN
84882+ bool "Harden module auto-loading"
84883+ default y if GRKERNSEC_CONFIG_AUTO
84884+ depends on MODULES
84885+ help
84886+ If you say Y here, module auto-loading in response to use of some
84887+ feature implemented by an unloaded module will be restricted to
84888+ root users. Enabling this option helps defend against attacks
84889+ by unprivileged users who abuse the auto-loading behavior to
84890+ cause a vulnerable module to load that is then exploited.
84891+
84892+ If this option prevents a legitimate use of auto-loading for a
84893+ non-root user, the administrator can execute modprobe manually
84894+ with the exact name of the module mentioned in the alert log.
84895+ Alternatively, the administrator can add the module to the list
84896+ of modules loaded at boot by modifying init scripts.
84897+
84898+ Modification of init scripts will most likely be needed on
84899+ Ubuntu servers with encrypted home directory support enabled,
84900+ as the first non-root user logging in will cause the ecb(aes),
84901+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
84902+
84903+config GRKERNSEC_HIDESYM
84904+ bool "Hide kernel symbols"
84905+ default y if GRKERNSEC_CONFIG_AUTO
84906+ select PAX_USERCOPY_SLABS
84907+ help
84908+ If you say Y here, getting information on loaded modules, and
84909+ displaying all kernel symbols through a syscall will be restricted
84910+ to users with CAP_SYS_MODULE. For software compatibility reasons,
84911+ /proc/kallsyms will be restricted to the root user. The RBAC
84912+ system can hide that entry even from root.
84913+
84914+ This option also prevents leaking of kernel addresses through
84915+ several /proc entries.
84916+
84917+ Note that this option is only effective provided the following
84918+ conditions are met:
84919+ 1) The kernel using grsecurity is not precompiled by some distribution
84920+ 2) You have also enabled GRKERNSEC_DMESG
84921+ 3) You are using the RBAC system and hiding other files such as your
84922+ kernel image and System.map. Alternatively, enabling this option
84923+ causes the permissions on /boot, /lib/modules, and the kernel
84924+ source directory to change at compile time to prevent
84925+ reading by non-root users.
84926+ If the above conditions are met, this option will aid in providing a
84927+ useful protection against local kernel exploitation of overflows
84928+ and arbitrary read/write vulnerabilities.
84929+
84930+ It is highly recommended that you enable GRKERNSEC_PERF_HARDEN
84931+ in addition to this feature.
84932+
84933+config GRKERNSEC_RANDSTRUCT
84934+ bool "Randomize layout of sensitive kernel structures"
84935+ default y if GRKERNSEC_CONFIG_AUTO
84936+ select GRKERNSEC_HIDESYM
84937+ select MODVERSIONS if MODULES
84938+ help
84939+ If you say Y here, the layouts of a number of sensitive kernel
84940+ structures (task, fs, cred, etc) and all structures composed entirely
84941+ of function pointers (aka "ops" structs) will be randomized at compile-time.
84942+ This can introduce the requirement of an additional infoleak
84943+ vulnerability for exploits targeting these structure types.
84944+
84945+ Enabling this feature will introduce some performance impact, slightly
84946+ increase memory usage, and prevent the use of forensic tools like
84947+ Volatility against the system (unless the kernel source tree isn't
84948+ cleaned after kernel installation).
84949+
84950+ The seed used for compilation is located at tools/gcc/randomize_layout_seed.h.
84951+ It remains after a make clean to allow for external modules to be compiled
84952+ with the existing seed and will be removed by a make mrproper or
84953+ make distclean.
84954+
84955+ Note that the implementation requires gcc 4.6.4. or newer. You may need
84956+ to install the supporting headers explicitly in addition to the normal
84957+ gcc package.
84958+
84959+config GRKERNSEC_RANDSTRUCT_PERFORMANCE
84960+ bool "Use cacheline-aware structure randomization"
84961+ depends on GRKERNSEC_RANDSTRUCT
84962+ default y if GRKERNSEC_CONFIG_PRIORITY_PERF
84963+ help
84964+ If you say Y here, the RANDSTRUCT randomization will make a best effort
84965+ at restricting randomization to cacheline-sized groups of elements. It
84966+ will further not randomize bitfields in structures. This reduces the
84967+ performance hit of RANDSTRUCT at the cost of weakened randomization.
84968+
84969+config GRKERNSEC_KERN_LOCKOUT
84970+ bool "Active kernel exploit response"
84971+ default y if GRKERNSEC_CONFIG_AUTO
84972+ depends on X86 || ARM || PPC || SPARC
84973+ help
84974+ If you say Y here, when a PaX alert is triggered due to suspicious
84975+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
84976+ or an OOPS occurs due to bad memory accesses, instead of just
84977+ terminating the offending process (and potentially allowing
84978+ a subsequent exploit from the same user), we will take one of two
84979+ actions:
84980+ If the user was root, we will panic the system
84981+ If the user was non-root, we will log the attempt, terminate
84982+ all processes owned by the user, then prevent them from creating
84983+ any new processes until the system is restarted
84984+ This deters repeated kernel exploitation/bruteforcing attempts
84985+ and is useful for later forensics.
84986+
84987+config GRKERNSEC_OLD_ARM_USERLAND
84988+ bool "Old ARM userland compatibility"
84989+ depends on ARM && (CPU_V6 || CPU_V6K || CPU_V7)
84990+ help
84991+ If you say Y here, stubs of executable code to perform such operations
84992+ as "compare-exchange" will be placed at fixed locations in the ARM vector
84993+ table. This is unfortunately needed for old ARM userland meant to run
84994+ across a wide range of processors. Without this option enabled,
84995+ the get_tls and data memory barrier stubs will be emulated by the kernel,
84996+ which is enough for Linaro userlands or other userlands designed for v6
84997+ and newer ARM CPUs. It's recommended that you try without this option enabled
84998+ first, and only enable it if your userland does not boot (it will likely fail
84999+ at init time).
85000+
85001+endmenu
85002+menu "Role Based Access Control Options"
85003+depends on GRKERNSEC
85004+
85005+config GRKERNSEC_RBAC_DEBUG
85006+ bool
85007+
85008+config GRKERNSEC_NO_RBAC
85009+ bool "Disable RBAC system"
85010+ help
85011+ If you say Y here, the /dev/grsec device will be removed from the kernel,
85012+ preventing the RBAC system from being enabled. You should only say Y
85013+ here if you have no intention of using the RBAC system, so as to prevent
85014+ an attacker with root access from misusing the RBAC system to hide files
85015+ and processes when loadable module support and /dev/[k]mem have been
85016+ locked down.
85017+
85018+config GRKERNSEC_ACL_HIDEKERN
85019+ bool "Hide kernel processes"
85020+ help
85021+ If you say Y here, all kernel threads will be hidden to all
85022+ processes but those whose subject has the "view hidden processes"
85023+ flag.
85024+
85025+config GRKERNSEC_ACL_MAXTRIES
85026+ int "Maximum tries before password lockout"
85027+ default 3
85028+ help
85029+ This option enforces the maximum number of times a user can attempt
85030+ to authorize themselves with the grsecurity RBAC system before being
85031+ denied the ability to attempt authorization again for a specified time.
85032+ The lower the number, the harder it will be to brute-force a password.
85033+
85034+config GRKERNSEC_ACL_TIMEOUT
85035+ int "Time to wait after max password tries, in seconds"
85036+ default 30
85037+ help
85038+ This option specifies the time the user must wait after attempting to
85039+ authorize to the RBAC system with the maximum number of invalid
85040+ passwords. The higher the number, the harder it will be to brute-force
85041+ a password.
85042+
85043+endmenu
85044+menu "Filesystem Protections"
85045+depends on GRKERNSEC
85046+
85047+config GRKERNSEC_PROC
85048+ bool "Proc restrictions"
85049+ default y if GRKERNSEC_CONFIG_AUTO
85050+ help
85051+ If you say Y here, the permissions of the /proc filesystem
85052+ will be altered to enhance system security and privacy. You MUST
85053+ choose either a user only restriction or a user and group restriction.
85054+ Depending upon the option you choose, you can either restrict users to
85055+ see only the processes they themselves run, or choose a group that can
85056+ view all processes and files normally restricted to root if you choose
85057+ the "restrict to user only" option. NOTE: If you're running identd or
85058+ ntpd as a non-root user, you will have to run it as the group you
85059+ specify here.
85060+
85061+config GRKERNSEC_PROC_USER
85062+ bool "Restrict /proc to user only"
85063+ depends on GRKERNSEC_PROC
85064+ help
85065+ If you say Y here, non-root users will only be able to view their own
85066+ processes, and restricts them from viewing network-related information,
85067+ and viewing kernel symbol and module information.
85068+
85069+config GRKERNSEC_PROC_USERGROUP
85070+ bool "Allow special group"
85071+ default y if GRKERNSEC_CONFIG_AUTO
85072+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
85073+ help
85074+ If you say Y here, you will be able to select a group that will be
85075+ able to view all processes and network-related information. If you've
85076+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
85077+ remain hidden. This option is useful if you want to run identd as
85078+ a non-root user. The group you select may also be chosen at boot time
85079+ via "grsec_proc_gid=" on the kernel commandline.
85080+
85081+config GRKERNSEC_PROC_GID
85082+ int "GID for special group"
85083+ depends on GRKERNSEC_PROC_USERGROUP
85084+ default 1001
85085+
85086+config GRKERNSEC_PROC_ADD
85087+ bool "Additional restrictions"
85088+ default y if GRKERNSEC_CONFIG_AUTO
85089+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
85090+ help
85091+ If you say Y here, additional restrictions will be placed on
85092+ /proc that keep normal users from viewing device information and
85093+ slabinfo information that could be useful for exploits.
85094+
85095+config GRKERNSEC_LINK
85096+ bool "Linking restrictions"
85097+ default y if GRKERNSEC_CONFIG_AUTO
85098+ help
85099+ If you say Y here, /tmp race exploits will be prevented, since users
85100+ will no longer be able to follow symlinks owned by other users in
85101+ world-writable +t directories (e.g. /tmp), unless the owner of the
85102+ symlink is the owner of the directory. users will also not be
85103+ able to hardlink to files they do not own. If the sysctl option is
85104+ enabled, a sysctl option with name "linking_restrictions" is created.
85105+
85106+config GRKERNSEC_SYMLINKOWN
85107+ bool "Kernel-enforced SymlinksIfOwnerMatch"
85108+ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
85109+ help
85110+ Apache's SymlinksIfOwnerMatch option has an inherent race condition
85111+ that prevents it from being used as a security feature. As Apache
85112+ verifies the symlink by performing a stat() against the target of
85113+ the symlink before it is followed, an attacker can setup a symlink
85114+ to point to a same-owned file, then replace the symlink with one
85115+ that targets another user's file just after Apache "validates" the
85116+ symlink -- a classic TOCTOU race. If you say Y here, a complete,
85117+ race-free replacement for Apache's "SymlinksIfOwnerMatch" option
85118+ will be in place for the group you specify. If the sysctl option
85119+ is enabled, a sysctl option with name "enforce_symlinksifowner" is
85120+ created.
85121+
85122+config GRKERNSEC_SYMLINKOWN_GID
85123+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
85124+ depends on GRKERNSEC_SYMLINKOWN
85125+ default 1006
85126+ help
85127+ Setting this GID determines what group kernel-enforced
85128+ SymlinksIfOwnerMatch will be enabled for. If the sysctl option
85129+ is enabled, a sysctl option with name "symlinkown_gid" is created.
85130+
85131+config GRKERNSEC_FIFO
85132+ bool "FIFO restrictions"
85133+ default y if GRKERNSEC_CONFIG_AUTO
85134+ help
85135+ If you say Y here, users will not be able to write to FIFOs they don't
85136+ own in world-writable +t directories (e.g. /tmp), unless the owner of
85137+ the FIFO is the same owner of the directory it's held in. If the sysctl
85138+ option is enabled, a sysctl option with name "fifo_restrictions" is
85139+ created.
85140+
85141+config GRKERNSEC_SYSFS_RESTRICT
85142+ bool "Sysfs/debugfs restriction"
85143+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
85144+ depends on SYSFS
85145+ help
85146+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
85147+ any filesystem normally mounted under it (e.g. debugfs) will be
85148+ mostly accessible only by root. These filesystems generally provide access
85149+ to hardware and debug information that isn't appropriate for unprivileged
85150+ users of the system. Sysfs and debugfs have also become a large source
85151+ of new vulnerabilities, ranging from infoleaks to local compromise.
85152+ There has been very little oversight with an eye toward security involved
85153+ in adding new exporters of information to these filesystems, so their
85154+ use is discouraged.
85155+ For reasons of compatibility, a few directories have been whitelisted
85156+ for access by non-root users:
85157+ /sys/fs/selinux
85158+ /sys/fs/fuse
85159+ /sys/devices/system/cpu
85160+
85161+config GRKERNSEC_ROFS
85162+ bool "Runtime read-only mount protection"
85163+ depends on SYSCTL
85164+ help
85165+ If you say Y here, a sysctl option with name "romount_protect" will
85166+ be created. By setting this option to 1 at runtime, filesystems
85167+ will be protected in the following ways:
85168+ * No new writable mounts will be allowed
85169+ * Existing read-only mounts won't be able to be remounted read/write
85170+ * Write operations will be denied on all block devices
85171+ This option acts independently of grsec_lock: once it is set to 1,
85172+ it cannot be turned off. Therefore, please be mindful of the resulting
85173+ behavior if this option is enabled in an init script on a read-only
85174+ filesystem.
85175+ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
85176+ and GRKERNSEC_IO should be enabled and module loading disabled via
85177+ config or at runtime.
85178+ This feature is mainly intended for secure embedded systems.
85179+
85180+
85181+config GRKERNSEC_DEVICE_SIDECHANNEL
85182+ bool "Eliminate stat/notify-based device sidechannels"
85183+ default y if GRKERNSEC_CONFIG_AUTO
85184+ help
85185+ If you say Y here, timing analyses on block or character
85186+ devices like /dev/ptmx using stat or inotify/dnotify/fanotify
85187+ will be thwarted for unprivileged users. If a process without
85188+ CAP_MKNOD stats such a device, the last access and last modify times
85189+ will match the device's create time. No access or modify events
85190+ will be triggered through inotify/dnotify/fanotify for such devices.
85191+ This feature will prevent attacks that may at a minimum
85192+ allow an attacker to determine the administrator's password length.
85193+
85194+config GRKERNSEC_CHROOT
85195+ bool "Chroot jail restrictions"
85196+ default y if GRKERNSEC_CONFIG_AUTO
85197+ help
85198+ If you say Y here, you will be able to choose several options that will
85199+ make breaking out of a chrooted jail much more difficult. If you
85200+ encounter no software incompatibilities with the following options, it
85201+ is recommended that you enable each one.
85202+
85203+ Note that the chroot restrictions are not intended to apply to "chroots"
85204+ to directories that are simple bind mounts of the global root filesystem.
85205+ For several other reasons, a user shouldn't expect any significant
85206+ security by performing such a chroot.
85207+
85208+config GRKERNSEC_CHROOT_MOUNT
85209+ bool "Deny mounts"
85210+ default y if GRKERNSEC_CONFIG_AUTO
85211+ depends on GRKERNSEC_CHROOT
85212+ help
85213+ If you say Y here, processes inside a chroot will not be able to
85214+ mount or remount filesystems. If the sysctl option is enabled, a
85215+ sysctl option with name "chroot_deny_mount" is created.
85216+
85217+config GRKERNSEC_CHROOT_DOUBLE
85218+ bool "Deny double-chroots"
85219+ default y if GRKERNSEC_CONFIG_AUTO
85220+ depends on GRKERNSEC_CHROOT
85221+ help
85222+ If you say Y here, processes inside a chroot will not be able to chroot
85223+ again outside the chroot. This is a widely used method of breaking
85224+ out of a chroot jail and should not be allowed. If the sysctl
85225+ option is enabled, a sysctl option with name
85226+ "chroot_deny_chroot" is created.
85227+
85228+config GRKERNSEC_CHROOT_PIVOT
85229+ bool "Deny pivot_root in chroot"
85230+ default y if GRKERNSEC_CONFIG_AUTO
85231+ depends on GRKERNSEC_CHROOT
85232+ help
85233+ If you say Y here, processes inside a chroot will not be able to use
85234+ a function called pivot_root() that was introduced in Linux 2.3.41. It
85235+ works similar to chroot in that it changes the root filesystem. This
85236+ function could be misused in a chrooted process to attempt to break out
85237+ of the chroot, and therefore should not be allowed. If the sysctl
85238+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
85239+ created.
85240+
85241+config GRKERNSEC_CHROOT_CHDIR
85242+ bool "Enforce chdir(\"/\") on all chroots"
85243+ default y if GRKERNSEC_CONFIG_AUTO
85244+ depends on GRKERNSEC_CHROOT
85245+ help
85246+ If you say Y here, the current working directory of all newly-chrooted
85247+ applications will be set to the the root directory of the chroot.
85248+ The man page on chroot(2) states:
85249+ Note that this call does not change the current working
85250+ directory, so that `.' can be outside the tree rooted at
85251+ `/'. In particular, the super-user can escape from a
85252+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
85253+
85254+ It is recommended that you say Y here, since it's not known to break
85255+ any software. If the sysctl option is enabled, a sysctl option with
85256+ name "chroot_enforce_chdir" is created.
85257+
85258+config GRKERNSEC_CHROOT_CHMOD
85259+ bool "Deny (f)chmod +s"
85260+ default y if GRKERNSEC_CONFIG_AUTO
85261+ depends on GRKERNSEC_CHROOT
85262+ help
85263+ If you say Y here, processes inside a chroot will not be able to chmod
85264+ or fchmod files to make them have suid or sgid bits. This protects
85265+ against another published method of breaking a chroot. If the sysctl
85266+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
85267+ created.
85268+
85269+config GRKERNSEC_CHROOT_FCHDIR
85270+ bool "Deny fchdir and fhandle out of chroot"
85271+ default y if GRKERNSEC_CONFIG_AUTO
85272+ depends on GRKERNSEC_CHROOT
85273+ help
85274+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
85275+ to a file descriptor of the chrooting process that points to a directory
85276+ outside the filesystem will be stopped. Additionally, this option prevents
85277+ use of the recently-created syscall for opening files by a guessable "file
85278+ handle" inside a chroot. If the sysctl option is enabled, a sysctl option
85279+ with name "chroot_deny_fchdir" is created.
85280+
85281+config GRKERNSEC_CHROOT_MKNOD
85282+ bool "Deny mknod"
85283+ default y if GRKERNSEC_CONFIG_AUTO
85284+ depends on GRKERNSEC_CHROOT
85285+ help
85286+ If you say Y here, processes inside a chroot will not be allowed to
85287+ mknod. The problem with using mknod inside a chroot is that it
85288+ would allow an attacker to create a device entry that is the same
85289+ as one on the physical root of your system, which could range from
85290+ anything from the console device to a device for your harddrive (which
85291+ they could then use to wipe the drive or steal data). It is recommended
85292+ that you say Y here, unless you run into software incompatibilities.
85293+ If the sysctl option is enabled, a sysctl option with name
85294+ "chroot_deny_mknod" is created.
85295+
85296+config GRKERNSEC_CHROOT_SHMAT
85297+ bool "Deny shmat() out of chroot"
85298+ default y if GRKERNSEC_CONFIG_AUTO
85299+ depends on GRKERNSEC_CHROOT
85300+ help
85301+ If you say Y here, processes inside a chroot will not be able to attach
85302+ to shared memory segments that were created outside of the chroot jail.
85303+ It is recommended that you say Y here. If the sysctl option is enabled,
85304+ a sysctl option with name "chroot_deny_shmat" is created.
85305+
85306+config GRKERNSEC_CHROOT_UNIX
85307+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
85308+ default y if GRKERNSEC_CONFIG_AUTO
85309+ depends on GRKERNSEC_CHROOT
85310+ help
85311+ If you say Y here, processes inside a chroot will not be able to
85312+ connect to abstract (meaning not belonging to a filesystem) Unix
85313+ domain sockets that were bound outside of a chroot. It is recommended
85314+ that you say Y here. If the sysctl option is enabled, a sysctl option
85315+ with name "chroot_deny_unix" is created.
85316+
85317+config GRKERNSEC_CHROOT_FINDTASK
85318+ bool "Protect outside processes"
85319+ default y if GRKERNSEC_CONFIG_AUTO
85320+ depends on GRKERNSEC_CHROOT
85321+ help
85322+ If you say Y here, processes inside a chroot will not be able to
85323+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
85324+ getsid, or view any process outside of the chroot. If the sysctl
85325+ option is enabled, a sysctl option with name "chroot_findtask" is
85326+ created.
85327+
85328+config GRKERNSEC_CHROOT_NICE
85329+ bool "Restrict priority changes"
85330+ default y if GRKERNSEC_CONFIG_AUTO
85331+ depends on GRKERNSEC_CHROOT
85332+ help
85333+ If you say Y here, processes inside a chroot will not be able to raise
85334+ the priority of processes in the chroot, or alter the priority of
85335+ processes outside the chroot. This provides more security than simply
85336+ removing CAP_SYS_NICE from the process' capability set. If the
85337+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
85338+ is created.
85339+
85340+config GRKERNSEC_CHROOT_SYSCTL
85341+ bool "Deny sysctl writes"
85342+ default y if GRKERNSEC_CONFIG_AUTO
85343+ depends on GRKERNSEC_CHROOT
85344+ help
85345+ If you say Y here, an attacker in a chroot will not be able to
85346+ write to sysctl entries, either by sysctl(2) or through a /proc
85347+ interface. It is strongly recommended that you say Y here. If the
85348+ sysctl option is enabled, a sysctl option with name
85349+ "chroot_deny_sysctl" is created.
85350+
85351+config GRKERNSEC_CHROOT_RENAME
85352+ bool "Deny bad renames"
85353+ default y if GRKERNSEC_CONFIG_AUTO
85354+ depends on GRKERNSEC_CHROOT
85355+ help
85356+ If you say Y here, an attacker in a chroot will not be able to
85357+ abuse the ability to create double chroots to break out of the
85358+ chroot by exploiting a race condition between a rename of a directory
85359+ within a chroot against an open of a symlink with relative path
85360+ components. This feature will likewise prevent an accomplice outside
85361+ a chroot from enabling a user inside the chroot to break out and make
85362+ use of their credentials on the global filesystem. Enabling this
85363+ feature is essential to prevent root users from breaking out of a
85364+ chroot. If the sysctl option is enabled, a sysctl option with name
85365+ "chroot_deny_bad_rename" is created.
85366+
85367+config GRKERNSEC_CHROOT_CAPS
85368+ bool "Capability restrictions"
85369+ default y if GRKERNSEC_CONFIG_AUTO
85370+ depends on GRKERNSEC_CHROOT
85371+ help
85372+ If you say Y here, the capabilities on all processes within a
85373+ chroot jail will be lowered to stop module insertion, raw i/o,
85374+ system and net admin tasks, rebooting the system, modifying immutable
85375+ files, modifying IPC owned by another, and changing the system time.
85376+ This is left an option because it can break some apps. Disable this
85377+ if your chrooted apps are having problems performing those kinds of
85378+ tasks. If the sysctl option is enabled, a sysctl option with
85379+ name "chroot_caps" is created.
85380+
85381+config GRKERNSEC_CHROOT_INITRD
85382+ bool "Exempt initrd tasks from restrictions"
85383+ default y if GRKERNSEC_CONFIG_AUTO
85384+ depends on GRKERNSEC_CHROOT && BLK_DEV_INITRD
85385+ help
85386+ If you say Y here, tasks started prior to init will be exempted from
85387+ grsecurity's chroot restrictions. This option is mainly meant to
85388+ resolve Plymouth's performing privileged operations unnecessarily
85389+ in a chroot.
85390+
85391+endmenu
85392+menu "Kernel Auditing"
85393+depends on GRKERNSEC
85394+
85395+config GRKERNSEC_AUDIT_GROUP
85396+ bool "Single group for auditing"
85397+ help
85398+ If you say Y here, the exec and chdir logging features will only operate
85399+ on a group you specify. This option is recommended if you only want to
85400+ watch certain users instead of having a large amount of logs from the
85401+ entire system. If the sysctl option is enabled, a sysctl option with
85402+ name "audit_group" is created.
85403+
85404+config GRKERNSEC_AUDIT_GID
85405+ int "GID for auditing"
85406+ depends on GRKERNSEC_AUDIT_GROUP
85407+ default 1007
85408+
85409+config GRKERNSEC_EXECLOG
85410+ bool "Exec logging"
85411+ help
85412+ If you say Y here, all execve() calls will be logged (since the
85413+ other exec*() calls are frontends to execve(), all execution
85414+ will be logged). Useful for shell-servers that like to keep track
85415+ of their users. If the sysctl option is enabled, a sysctl option with
85416+ name "exec_logging" is created.
85417+ WARNING: This option when enabled will produce a LOT of logs, especially
85418+ on an active system.
85419+
85420+config GRKERNSEC_RESLOG
85421+ bool "Resource logging"
85422+ default y if GRKERNSEC_CONFIG_AUTO
85423+ help
85424+ If you say Y here, all attempts to overstep resource limits will
85425+ be logged with the resource name, the requested size, and the current
85426+ limit. It is highly recommended that you say Y here. If the sysctl
85427+ option is enabled, a sysctl option with name "resource_logging" is
85428+ created. If the RBAC system is enabled, the sysctl value is ignored.
85429+
85430+config GRKERNSEC_CHROOT_EXECLOG
85431+ bool "Log execs within chroot"
85432+ help
85433+ If you say Y here, all executions inside a chroot jail will be logged
85434+ to syslog. This can cause a large amount of logs if certain
85435+ applications (eg. djb's daemontools) are installed on the system, and
85436+ is therefore left as an option. If the sysctl option is enabled, a
85437+ sysctl option with name "chroot_execlog" is created.
85438+
85439+config GRKERNSEC_AUDIT_PTRACE
85440+ bool "Ptrace logging"
85441+ help
85442+ If you say Y here, all attempts to attach to a process via ptrace
85443+ will be logged. If the sysctl option is enabled, a sysctl option
85444+ with name "audit_ptrace" is created.
85445+
85446+config GRKERNSEC_AUDIT_CHDIR
85447+ bool "Chdir logging"
85448+ help
85449+ If you say Y here, all chdir() calls will be logged. If the sysctl
85450+ option is enabled, a sysctl option with name "audit_chdir" is created.
85451+
85452+config GRKERNSEC_AUDIT_MOUNT
85453+ bool "(Un)Mount logging"
85454+ help
85455+ If you say Y here, all mounts and unmounts will be logged. If the
85456+ sysctl option is enabled, a sysctl option with name "audit_mount" is
85457+ created.
85458+
85459+config GRKERNSEC_SIGNAL
85460+ bool "Signal logging"
85461+ default y if GRKERNSEC_CONFIG_AUTO
85462+ help
85463+ If you say Y here, certain important signals will be logged, such as
85464+ SIGSEGV, which will as a result inform you of when a error in a program
85465+ occurred, which in some cases could mean a possible exploit attempt.
85466+ If the sysctl option is enabled, a sysctl option with name
85467+ "signal_logging" is created.
85468+
85469+config GRKERNSEC_FORKFAIL
85470+ bool "Fork failure logging"
85471+ help
85472+ If you say Y here, all failed fork() attempts will be logged.
85473+ This could suggest a fork bomb, or someone attempting to overstep
85474+ their process limit. If the sysctl option is enabled, a sysctl option
85475+ with name "forkfail_logging" is created.
85476+
85477+config GRKERNSEC_TIME
85478+ bool "Time change logging"
85479+ default y if GRKERNSEC_CONFIG_AUTO
85480+ help
85481+ If you say Y here, any changes of the system clock will be logged.
85482+ If the sysctl option is enabled, a sysctl option with name
85483+ "timechange_logging" is created.
85484+
85485+config GRKERNSEC_PROC_IPADDR
85486+ bool "/proc/<pid>/ipaddr support"
85487+ default y if GRKERNSEC_CONFIG_AUTO
85488+ help
85489+ If you say Y here, a new entry will be added to each /proc/<pid>
85490+ directory that contains the IP address of the person using the task.
85491+ The IP is carried across local TCP and AF_UNIX stream sockets.
85492+ This information can be useful for IDS/IPSes to perform remote response
85493+ to a local attack. The entry is readable by only the owner of the
85494+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
85495+ the RBAC system), and thus does not create privacy concerns.
85496+
85497+config GRKERNSEC_RWXMAP_LOG
85498+ bool 'Denied RWX mmap/mprotect logging'
85499+ default y if GRKERNSEC_CONFIG_AUTO
85500+ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
85501+ help
85502+ If you say Y here, calls to mmap() and mprotect() with explicit
85503+ usage of PROT_WRITE and PROT_EXEC together will be logged when
85504+ denied by the PAX_MPROTECT feature. This feature will also
85505+ log other problematic scenarios that can occur when PAX_MPROTECT
85506+ is enabled on a binary, like textrels and PT_GNU_STACK. If the
85507+ sysctl option is enabled, a sysctl option with name "rwxmap_logging"
85508+ is created.
85509+
85510+endmenu
85511+
85512+menu "Executable Protections"
85513+depends on GRKERNSEC
85514+
85515+config GRKERNSEC_DMESG
85516+ bool "Dmesg(8) restriction"
85517+ default y if GRKERNSEC_CONFIG_AUTO
85518+ help
85519+ If you say Y here, non-root users will not be able to use dmesg(8)
85520+ to view the contents of the kernel's circular log buffer.
85521+ The kernel's log buffer often contains kernel addresses and other
85522+ identifying information useful to an attacker in fingerprinting a
85523+ system for a targeted exploit.
85524+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
85525+ created.
85526+
85527+config GRKERNSEC_HARDEN_PTRACE
85528+ bool "Deter ptrace-based process snooping"
85529+ default y if GRKERNSEC_CONFIG_AUTO
85530+ help
85531+ If you say Y here, TTY sniffers and other malicious monitoring
85532+ programs implemented through ptrace will be defeated. If you
85533+ have been using the RBAC system, this option has already been
85534+ enabled for several years for all users, with the ability to make
85535+ fine-grained exceptions.
85536+
85537+ This option only affects the ability of non-root users to ptrace
85538+ processes that are not a descendent of the ptracing process.
85539+ This means that strace ./binary and gdb ./binary will still work,
85540+ but attaching to arbitrary processes will not. If the sysctl
85541+ option is enabled, a sysctl option with name "harden_ptrace" is
85542+ created.
85543+
85544+config GRKERNSEC_PTRACE_READEXEC
85545+ bool "Require read access to ptrace sensitive binaries"
85546+ default y if GRKERNSEC_CONFIG_AUTO
85547+ help
85548+ If you say Y here, unprivileged users will not be able to ptrace unreadable
85549+ binaries. This option is useful in environments that
85550+ remove the read bits (e.g. file mode 4711) from suid binaries to
85551+ prevent infoleaking of their contents. This option adds
85552+ consistency to the use of that file mode, as the binary could normally
85553+ be read out when run without privileges while ptracing.
85554+
85555+ If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
85556+ is created.
85557+
85558+config GRKERNSEC_SETXID
85559+ bool "Enforce consistent multithreaded privileges"
85560+ default y if GRKERNSEC_CONFIG_AUTO
85561+ depends on (X86 || SPARC64 || PPC || ARM || MIPS)
85562+ help
85563+ If you say Y here, a change from a root uid to a non-root uid
85564+ in a multithreaded application will cause the resulting uids,
85565+ gids, supplementary groups, and capabilities in that thread
85566+ to be propagated to the other threads of the process. In most
85567+ cases this is unnecessary, as glibc will emulate this behavior
85568+ on behalf of the application. Other libcs do not act in the
85569+ same way, allowing the other threads of the process to continue
85570+ running with root privileges. If the sysctl option is enabled,
85571+ a sysctl option with name "consistent_setxid" is created.
85572+
85573+config GRKERNSEC_HARDEN_IPC
85574+ bool "Disallow access to overly-permissive IPC objects"
85575+ default y if GRKERNSEC_CONFIG_AUTO
85576+ depends on SYSVIPC
85577+ help
85578+ If you say Y here, access to overly-permissive IPC objects (shared
85579+ memory, message queues, and semaphores) will be denied for processes
85580+ given the following criteria beyond normal permission checks:
85581+ 1) If the IPC object is world-accessible and the euid doesn't match
85582+ that of the creator or current uid for the IPC object
85583+ 2) If the IPC object is group-accessible and the egid doesn't
85584+ match that of the creator or current gid for the IPC object
85585+ It's a common error to grant too much permission to these objects,
85586+ with impact ranging from denial of service and information leaking to
85587+ privilege escalation. This feature was developed in response to
85588+ research by Tim Brown:
85589+ http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
85590+ who found hundreds of such insecure usages. Processes with
85591+ CAP_IPC_OWNER are still permitted to access these IPC objects.
85592+ If the sysctl option is enabled, a sysctl option with name
85593+ "harden_ipc" is created.
85594+
85595+config GRKERNSEC_TPE
85596+ bool "Trusted Path Execution (TPE)"
85597+ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
85598+ help
85599+ If you say Y here, you will be able to choose a gid to add to the
85600+ supplementary groups of users you want to mark as "untrusted."
85601+ These users will not be able to execute any files that are not in
85602+ root-owned directories writable only by root. If the sysctl option
85603+ is enabled, a sysctl option with name "tpe" is created.
85604+
85605+config GRKERNSEC_TPE_ALL
85606+ bool "Partially restrict all non-root users"
85607+ depends on GRKERNSEC_TPE
85608+ help
85609+ If you say Y here, all non-root users will be covered under
85610+ a weaker TPE restriction. This is separate from, and in addition to,
85611+ the main TPE options that you have selected elsewhere. Thus, if a
85612+ "trusted" GID is chosen, this restriction applies to even that GID.
85613+ Under this restriction, all non-root users will only be allowed to
85614+ execute files in directories they own that are not group or
85615+ world-writable, or in directories owned by root and writable only by
85616+ root. If the sysctl option is enabled, a sysctl option with name
85617+ "tpe_restrict_all" is created.
85618+
85619+config GRKERNSEC_TPE_INVERT
85620+ bool "Invert GID option"
85621+ depends on GRKERNSEC_TPE
85622+ help
85623+ If you say Y here, the group you specify in the TPE configuration will
85624+ decide what group TPE restrictions will be *disabled* for. This
85625+ option is useful if you want TPE restrictions to be applied to most
85626+ users on the system. If the sysctl option is enabled, a sysctl option
85627+ with name "tpe_invert" is created. Unlike other sysctl options, this
85628+ entry will default to on for backward-compatibility.
85629+
85630+config GRKERNSEC_TPE_GID
85631+ int
85632+ default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
85633+ default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
85634+
85635+config GRKERNSEC_TPE_UNTRUSTED_GID
85636+ int "GID for TPE-untrusted users"
85637+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
85638+ default 1005
85639+ help
85640+ Setting this GID determines what group TPE restrictions will be
85641+ *enabled* for. If the sysctl option is enabled, a sysctl option
85642+ with name "tpe_gid" is created.
85643+
85644+config GRKERNSEC_TPE_TRUSTED_GID
85645+ int "GID for TPE-trusted users"
85646+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
85647+ default 1005
85648+ help
85649+ Setting this GID determines what group TPE restrictions will be
85650+ *disabled* for. If the sysctl option is enabled, a sysctl option
85651+ with name "tpe_gid" is created.
85652+
85653+endmenu
85654+menu "Network Protections"
85655+depends on GRKERNSEC
85656+
85657+config GRKERNSEC_BLACKHOLE
85658+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
85659+ default y if GRKERNSEC_CONFIG_AUTO
85660+ depends on NET
85661+ help
85662+ If you say Y here, neither TCP resets nor ICMP
85663+ destination-unreachable packets will be sent in response to packets
85664+ sent to ports for which no associated listening process exists.
85665+ It will also prevent the sending of ICMP protocol unreachable packets
85666+ in response to packets with unknown protocols.
85667+ This feature supports both IPV4 and IPV6 and exempts the
85668+ loopback interface from blackholing. Enabling this feature
85669+ makes a host more resilient to DoS attacks and reduces network
85670+ visibility against scanners.
85671+
85672+ The blackhole feature as-implemented is equivalent to the FreeBSD
85673+ blackhole feature, as it prevents RST responses to all packets, not
85674+ just SYNs. Under most application behavior this causes no
85675+ problems, but applications (like haproxy) may not close certain
85676+ connections in a way that cleanly terminates them on the remote
85677+ end, leaving the remote host in LAST_ACK state. Because of this
85678+ side-effect and to prevent intentional LAST_ACK DoSes, this
85679+ feature also adds automatic mitigation against such attacks.
85680+ The mitigation drastically reduces the amount of time a socket
85681+ can spend in LAST_ACK state. If you're using haproxy and not
85682+ all servers it connects to have this option enabled, consider
85683+ disabling this feature on the haproxy host.
85684+
85685+ If the sysctl option is enabled, two sysctl options with names
85686+ "ip_blackhole" and "lastack_retries" will be created.
85687+ While "ip_blackhole" takes the standard zero/non-zero on/off
85688+ toggle, "lastack_retries" uses the same kinds of values as
85689+ "tcp_retries1" and "tcp_retries2". The default value of 4
85690+ prevents a socket from lasting more than 45 seconds in LAST_ACK
85691+ state.
85692+
85693+config GRKERNSEC_NO_SIMULT_CONNECT
85694+ bool "Disable TCP Simultaneous Connect"
85695+ default y if GRKERNSEC_CONFIG_AUTO
85696+ depends on NET
85697+ help
85698+ If you say Y here, a feature by Willy Tarreau will be enabled that
85699+ removes a weakness in Linux's strict implementation of TCP that
85700+ allows two clients to connect to each other without either entering
85701+ a listening state. The weakness allows an attacker to easily prevent
85702+ a client from connecting to a known server provided the source port
85703+ for the connection is guessed correctly.
85704+
85705+ As the weakness could be used to prevent an antivirus or IPS from
85706+ fetching updates, or prevent an SSL gateway from fetching a CRL,
85707+ it should be eliminated by enabling this option. Though Linux is
85708+ one of few operating systems supporting simultaneous connect, it
85709+ has no legitimate use in practice and is rarely supported by firewalls.
85710+
85711+config GRKERNSEC_SOCKET
85712+ bool "Socket restrictions"
85713+ depends on NET
85714+ help
85715+ If you say Y here, you will be able to choose from several options.
85716+ If you assign a GID on your system and add it to the supplementary
85717+ groups of users you want to restrict socket access to, this patch
85718+ will perform up to three things, based on the option(s) you choose.
85719+
85720+config GRKERNSEC_SOCKET_ALL
85721+ bool "Deny any sockets to group"
85722+ depends on GRKERNSEC_SOCKET
85723+ help
85724+ If you say Y here, you will be able to choose a GID of whose users will
85725+ be unable to connect to other hosts from your machine or run server
85726+ applications from your machine. If the sysctl option is enabled, a
85727+ sysctl option with name "socket_all" is created.
85728+
85729+config GRKERNSEC_SOCKET_ALL_GID
85730+ int "GID to deny all sockets for"
85731+ depends on GRKERNSEC_SOCKET_ALL
85732+ default 1004
85733+ help
85734+ Here you can choose the GID to disable socket access for. Remember to
85735+ add the users you want socket access disabled for to the GID
85736+ specified here. If the sysctl option is enabled, a sysctl option
85737+ with name "socket_all_gid" is created.
85738+
85739+config GRKERNSEC_SOCKET_CLIENT
85740+ bool "Deny client sockets to group"
85741+ depends on GRKERNSEC_SOCKET
85742+ help
85743+ If you say Y here, you will be able to choose a GID of whose users will
85744+ be unable to connect to other hosts from your machine, but will be
85745+ able to run servers. If this option is enabled, all users in the group
85746+ you specify will have to use passive mode when initiating ftp transfers
85747+ from the shell on your machine. If the sysctl option is enabled, a
85748+ sysctl option with name "socket_client" is created.
85749+
85750+config GRKERNSEC_SOCKET_CLIENT_GID
85751+ int "GID to deny client sockets for"
85752+ depends on GRKERNSEC_SOCKET_CLIENT
85753+ default 1003
85754+ help
85755+ Here you can choose the GID to disable client socket access for.
85756+ Remember to add the users you want client socket access disabled for to
85757+ the GID specified here. If the sysctl option is enabled, a sysctl
85758+ option with name "socket_client_gid" is created.
85759+
85760+config GRKERNSEC_SOCKET_SERVER
85761+ bool "Deny server sockets to group"
85762+ depends on GRKERNSEC_SOCKET
85763+ help
85764+ If you say Y here, you will be able to choose a GID of whose users will
85765+ be unable to run server applications from your machine. If the sysctl
85766+ option is enabled, a sysctl option with name "socket_server" is created.
85767+
85768+config GRKERNSEC_SOCKET_SERVER_GID
85769+ int "GID to deny server sockets for"
85770+ depends on GRKERNSEC_SOCKET_SERVER
85771+ default 1002
85772+ help
85773+ Here you can choose the GID to disable server socket access for.
85774+ Remember to add the users you want server socket access disabled for to
85775+ the GID specified here. If the sysctl option is enabled, a sysctl
85776+ option with name "socket_server_gid" is created.
85777+
85778+endmenu
85779+
85780+menu "Physical Protections"
85781+depends on GRKERNSEC
85782+
85783+config GRKERNSEC_DENYUSB
85784+ bool "Deny new USB connections after toggle"
85785+ default y if GRKERNSEC_CONFIG_AUTO
85786+ depends on SYSCTL && USB_SUPPORT
85787+ help
85788+ If you say Y here, a new sysctl option with name "deny_new_usb"
85789+ will be created. Setting its value to 1 will prevent any new
85790+ USB devices from being recognized by the OS. Any attempted USB
85791+ device insertion will be logged. This option is intended to be
85792+ used against custom USB devices designed to exploit vulnerabilities
85793+ in various USB device drivers.
85794+
85795+ For greatest effectiveness, this sysctl should be set after any
85796+ relevant init scripts. This option is safe to enable in distros
85797+ as each user can choose whether or not to toggle the sysctl.
85798+
85799+config GRKERNSEC_DENYUSB_FORCE
85800+ bool "Reject all USB devices not connected at boot"
85801+ select USB
85802+ depends on GRKERNSEC_DENYUSB
85803+ help
85804+ If you say Y here, a variant of GRKERNSEC_DENYUSB will be enabled
85805+ that doesn't involve a sysctl entry. This option should only be
85806+ enabled if you're sure you want to deny all new USB connections
85807+ at runtime and don't want to modify init scripts. This should not
85808+ be enabled by distros. It forces the core USB code to be built
85809+ into the kernel image so that all devices connected at boot time
85810+ can be recognized and new USB device connections can be prevented
85811+ prior to init running.
85812+
85813+endmenu
85814+
85815+menu "Sysctl Support"
85816+depends on GRKERNSEC && SYSCTL
85817+
85818+config GRKERNSEC_SYSCTL
85819+ bool "Sysctl support"
85820+ default y if GRKERNSEC_CONFIG_AUTO
85821+ help
85822+ If you say Y here, you will be able to change the options that
85823+ grsecurity runs with at bootup, without having to recompile your
85824+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
85825+ to enable (1) or disable (0) various features. All the sysctl entries
85826+ are mutable until the "grsec_lock" entry is set to a non-zero value.
85827+ All features enabled in the kernel configuration are disabled at boot
85828+ if you do not say Y to the "Turn on features by default" option.
85829+ All options should be set at startup, and the grsec_lock entry should
85830+ be set to a non-zero value after all the options are set.
85831+ *THIS IS EXTREMELY IMPORTANT*
85832+
85833+config GRKERNSEC_SYSCTL_DISTRO
85834+ bool "Extra sysctl support for distro makers (READ HELP)"
85835+ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
85836+ help
85837+ If you say Y here, additional sysctl options will be created
85838+ for features that affect processes running as root. Therefore,
85839+ it is critical when using this option that the grsec_lock entry be
85840+ enabled after boot. Only distros with prebuilt kernel packages
85841+ with this option enabled that can ensure grsec_lock is enabled
85842+ after boot should use this option.
85843+ *Failure to set grsec_lock after boot makes all grsec features
85844+ this option covers useless*
85845+
85846+ Currently this option creates the following sysctl entries:
85847+ "Disable Privileged I/O": "disable_priv_io"
85848+
85849+config GRKERNSEC_SYSCTL_ON
85850+ bool "Turn on features by default"
85851+ default y if GRKERNSEC_CONFIG_AUTO
85852+ depends on GRKERNSEC_SYSCTL
85853+ help
85854+ If you say Y here, instead of having all features enabled in the
85855+ kernel configuration disabled at boot time, the features will be
85856+ enabled at boot time. It is recommended you say Y here unless
85857+ there is some reason you would want all sysctl-tunable features to
85858+ be disabled by default. As mentioned elsewhere, it is important
85859+ to enable the grsec_lock entry once you have finished modifying
85860+ the sysctl entries.
85861+
85862+endmenu
85863+menu "Logging Options"
85864+depends on GRKERNSEC
85865+
85866+config GRKERNSEC_FLOODTIME
85867+ int "Seconds in between log messages (minimum)"
85868+ default 10
85869+ help
85870+ This option allows you to enforce the number of seconds between
85871+ grsecurity log messages. The default should be suitable for most
85872+ people, however, if you choose to change it, choose a value small enough
85873+ to allow informative logs to be produced, but large enough to
85874+ prevent flooding.
85875+
85876+ Setting both this value and GRKERNSEC_FLOODBURST to 0 will disable
85877+ any rate limiting on grsecurity log messages.
85878+
85879+config GRKERNSEC_FLOODBURST
85880+ int "Number of messages in a burst (maximum)"
85881+ default 6
85882+ help
85883+ This option allows you to choose the maximum number of messages allowed
85884+ within the flood time interval you chose in a separate option. The
85885+ default should be suitable for most people, however if you find that
85886+ many of your logs are being interpreted as flooding, you may want to
85887+ raise this value.
85888+
85889+ Setting both this value and GRKERNSEC_FLOODTIME to 0 will disable
85890+ any rate limiting on grsecurity log messages.
85891+
85892+endmenu
85893diff --git a/grsecurity/Makefile b/grsecurity/Makefile
85894new file mode 100644
85895index 0000000..30ababb
85896--- /dev/null
85897+++ b/grsecurity/Makefile
85898@@ -0,0 +1,54 @@
85899+# grsecurity – access control and security hardening for Linux
85900+# All code in this directory and various hooks located throughout the Linux kernel are
85901+# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
85902+# http://www.grsecurity.net spender@grsecurity.net
85903+#
85904+# This program is free software; you can redistribute it and/or
85905+# modify it under the terms of the GNU General Public License version 2
85906+# as published by the Free Software Foundation.
85907+#
85908+# This program is distributed in the hope that it will be useful,
85909+# but WITHOUT ANY WARRANTY; without even the implied warranty of
85910+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
85911+# GNU General Public License for more details.
85912+#
85913+# You should have received a copy of the GNU General Public License
85914+# along with this program; if not, write to the Free Software
85915+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
85916+
85917+KBUILD_CFLAGS += -Werror
85918+
85919+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
85920+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
85921+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
85922+ grsec_usb.o grsec_ipc.o grsec_proc.o
85923+
85924+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
85925+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
85926+ gracl_learn.o grsec_log.o gracl_policy.o
85927+ifdef CONFIG_COMPAT
85928+obj-$(CONFIG_GRKERNSEC) += gracl_compat.o
85929+endif
85930+
85931+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
85932+
85933+ifdef CONFIG_NET
85934+obj-y += grsec_sock.o
85935+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
85936+endif
85937+
85938+ifndef CONFIG_GRKERNSEC
85939+obj-y += grsec_disabled.o
85940+endif
85941+
85942+ifdef CONFIG_GRKERNSEC_HIDESYM
85943+extra-y := grsec_hidesym.o
85944+$(obj)/grsec_hidesym.o:
85945+ @-chmod -f 500 /boot
85946+ @-chmod -f 500 /lib/modules
85947+ @-chmod -f 500 /lib64/modules
85948+ @-chmod -f 500 /lib32/modules
85949+ @-chmod -f 700 .
85950+ @-chmod -f 700 $(objtree)
85951+ @echo ' grsec: protected kernel image paths'
85952+endif
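Review bot: In the `$(obj)/grsec_hidesym.o` rule, the closing `@echo ' grsec: protected kernel image paths'` runs unconditionally, although every `chmod` above it is prefixed with `@-` and passes `-f`. A build run without the needed privileges, or on a host that lacks some of these directories, therefore still prints the success message with nothing changed. The recipe also changes modes on the build host (`/boot`, `/lib/modules`, `.` and `$(objtree)`), which for cross or package builds is presumably not the machine that will run this kernel. I would add a comment above the rule, `# best-effort: chmod errors are ignored; verify these modes on the target host`, and reword the message to `@echo ' grsec: attempted to restrict kernel image paths'`.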
85953diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
85954new file mode 100644
85955index 0000000..7ad630a
85956--- /dev/null
85957+++ b/grsecurity/gracl.c
85958@@ -0,0 +1,2757 @@
85959+#include <linux/kernel.h>
85960+#include <linux/module.h>
85961+#include <linux/sched.h>
85962+#include <linux/mm.h>
85963+#include <linux/file.h>
85964+#include <linux/fs.h>
85965+#include <linux/namei.h>
85966+#include <linux/mount.h>
85967+#include <linux/tty.h>
85968+#include <linux/proc_fs.h>
85969+#include <linux/lglock.h>
85970+#include <linux/slab.h>
85971+#include <linux/vmalloc.h>
85972+#include <linux/types.h>
85973+#include <linux/sysctl.h>
85974+#include <linux/netdevice.h>
85975+#include <linux/ptrace.h>
85976+#include <linux/gracl.h>
85977+#include <linux/gralloc.h>
85978+#include <linux/security.h>
85979+#include <linux/grinternal.h>
85980+#include <linux/pid_namespace.h>
85981+#include <linux/stop_machine.h>
85982+#include <linux/fdtable.h>
85983+#include <linux/percpu.h>
85984+#include <linux/lglock.h>
85985+#include <linux/hugetlb.h>
85986+#include <linux/posix-timers.h>
85987+#include <linux/prefetch.h>
85988+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
85989+#include <linux/magic.h>
85990+#include <linux/pagemap.h>
85991+#include "../fs/btrfs/async-thread.h"
85992+#include "../fs/btrfs/ctree.h"
85993+#include "../fs/btrfs/btrfs_inode.h"
85994+#endif
85995+#include "../fs/mount.h"
85996+
85997+#include <asm/uaccess.h>
85998+#include <asm/errno.h>
85999+#include <asm/mman.h>
86000+
86001+#define FOR_EACH_ROLE_START(role) \
86002+ role = running_polstate.role_list; \
86003+ while (role) {
86004+
86005+#define FOR_EACH_ROLE_END(role) \
86006+ role = role->prev; \
86007+ }
86008+
86009+extern struct path gr_real_root;
86010+
86011+static struct gr_policy_state running_polstate;
86012+struct gr_policy_state *polstate = &running_polstate;
86013+extern struct gr_alloc_state *current_alloc_state;
86014+
86015+extern char *gr_shared_page[4];
86016+DEFINE_RWLOCK(gr_inode_lock);
86017+
86018+static unsigned int gr_status __read_only = GR_STATUS_INIT;
86019+
86020+#ifdef CONFIG_NET
86021+extern struct vfsmount *sock_mnt;
86022+#endif
86023+
86024+extern struct vfsmount *pipe_mnt;
86025+extern struct vfsmount *shm_mnt;
86026+
86027+#ifdef CONFIG_HUGETLBFS
86028+extern struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
86029+#endif
86030+
86031+extern u16 acl_sp_role_value;
86032+extern struct acl_object_label *fakefs_obj_rw;
86033+extern struct acl_object_label *fakefs_obj_rwx;
86034+
86035+int gr_acl_is_enabled(void)
86036+{
86037+ return (gr_status & GR_READY);
86038+}
86039+
86040+void gr_enable_rbac_system(void)
86041+{
86042+ pax_open_kernel();
86043+ gr_status |= GR_READY;
86044+ pax_close_kernel();
86045+}
86046+
86047+int gr_rbac_disable(void *unused)
86048+{
86049+ pax_open_kernel();
86050+ gr_status &= ~GR_READY;
86051+ pax_close_kernel();
86052+
86053+ return 0;
86054+}
86055+
86056+static inline dev_t __get_dev(const struct dentry *dentry)
86057+{
86058+ struct dentry *ldentry = d_backing_dentry((struct dentry *)dentry);
86059+
86060+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
86061+ if (ldentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
86062+ return BTRFS_I(d_inode(ldentry))->root->anon_dev;
86063+ else
86064+#endif
86065+ return d_inode(ldentry)->i_sb->s_dev;
86066+}
86067+
86068+static inline u64 __get_ino(const struct dentry *dentry)
86069+{
86070+ struct dentry *ldentry = d_backing_dentry((struct dentry *)dentry);
86071+
86072+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
86073+ if (ldentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
86074+ return btrfs_ino(d_inode(dentry));
86075+ else
86076+#endif
86077+ return d_inode(ldentry)->i_ino;
86078+}
86079+
86080+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
86081+{
86082+ return __get_dev(dentry);
86083+}
86084+
86085+u64 gr_get_ino_from_dentry(struct dentry *dentry)
86086+{
86087+ return __get_ino(dentry);
86088+}
86089+
86090+static char gr_task_roletype_to_char(struct task_struct *task)
86091+{
86092+ switch (task->role->roletype &
86093+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
86094+ GR_ROLE_SPECIAL)) {
86095+ case GR_ROLE_DEFAULT:
86096+ return 'D';
86097+ case GR_ROLE_USER:
86098+ return 'U';
86099+ case GR_ROLE_GROUP:
86100+ return 'G';
86101+ case GR_ROLE_SPECIAL:
86102+ return 'S';
86103+ }
86104+
86105+ return 'X';
86106+}
86107+
86108+char gr_roletype_to_char(void)
86109+{
86110+ return gr_task_roletype_to_char(current);
86111+}
86112+
86113+int
86114+gr_acl_tpe_check(void)
86115+{
86116+ if (unlikely(!(gr_status & GR_READY)))
86117+ return 0;
86118+ if (current->role->roletype & GR_ROLE_TPE)
86119+ return 1;
86120+ else
86121+ return 0;
86122+}
86123+
86124+int
86125+gr_handle_rawio(const struct inode *inode)
86126+{
86127+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
86128+ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
86129+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
86130+ !capable(CAP_SYS_RAWIO))
86131+ return 1;
86132+#endif
86133+ return 0;
86134+}
86135+
86136+int
86137+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
86138+{
86139+ if (likely(lena != lenb))
86140+ return 0;
86141+
86142+ return !memcmp(a, b, lena);
86143+}
86144+
86145+static int prepend(char **buffer, int *buflen, const char *str, int namelen)
86146+{
86147+ *buflen -= namelen;
86148+ if (*buflen < 0)
86149+ return -ENAMETOOLONG;
86150+ *buffer -= namelen;
86151+ memcpy(*buffer, str, namelen);
86152+ return 0;
86153+}
86154+
86155+static int prepend_name(char **buffer, int *buflen, struct qstr *name)
86156+{
86157+ return prepend(buffer, buflen, name->name, name->len);
86158+}
86159+
86160+static int prepend_path(const struct path *path, struct path *root,
86161+ char **buffer, int *buflen)
86162+{
86163+ struct dentry *dentry = path->dentry;
86164+ struct vfsmount *vfsmnt = path->mnt;
86165+ struct mount *mnt = real_mount(vfsmnt);
86166+ bool slash = false;
86167+ int error = 0;
86168+
86169+ while (dentry != root->dentry || vfsmnt != root->mnt) {
86170+ struct dentry * parent;
86171+
86172+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
86173+ /* Global root? */
86174+ if (!mnt_has_parent(mnt)) {
86175+ goto out;
86176+ }
86177+ dentry = mnt->mnt_mountpoint;
86178+ mnt = mnt->mnt_parent;
86179+ vfsmnt = &mnt->mnt;
86180+ continue;
86181+ }
86182+ parent = dentry->d_parent;
86183+ prefetch(parent);
86184+ spin_lock(&dentry->d_lock);
86185+ error = prepend_name(buffer, buflen, &dentry->d_name);
86186+ spin_unlock(&dentry->d_lock);
86187+ if (!error)
86188+ error = prepend(buffer, buflen, "/", 1);
86189+ if (error)
86190+ break;
86191+
86192+ slash = true;
86193+ dentry = parent;
86194+ }
86195+
86196+out:
86197+ if (!error && !slash)
86198+ error = prepend(buffer, buflen, "/", 1);
86199+
86200+ return error;
86201+}
86202+
86203+/* this must be called with mount_lock and rename_lock held */
86204+
86205+static char *__our_d_path(const struct path *path, struct path *root,
86206+ char *buf, int buflen)
86207+{
86208+ char *res = buf + buflen;
86209+ int error;
86210+
86211+ prepend(&res, &buflen, "\0", 1);
86212+ error = prepend_path(path, root, &res, &buflen);
86213+ if (error)
86214+ return ERR_PTR(error);
86215+
86216+ return res;
86217+}
86218+
86219+static char *
86220+gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
86221+{
86222+ char *retval;
86223+
86224+ retval = __our_d_path(path, root, buf, buflen);
86225+ if (unlikely(IS_ERR(retval)))
86226+ retval = strcpy(buf, "<path too long>");
86227+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
86228+ retval[1] = '\0';
86229+
86230+ return retval;
86231+}
86232+
86233+static char *
86234+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
86235+ char *buf, int buflen)
86236+{
86237+ struct path path;
86238+ char *res;
86239+
86240+ path.dentry = (struct dentry *)dentry;
86241+ path.mnt = (struct vfsmount *)vfsmnt;
86242+
86243+ /* we can use gr_real_root.dentry, gr_real_root.mnt, because this is only called
86244+ by the RBAC system */
86245+ res = gen_full_path(&path, &gr_real_root, buf, buflen);
86246+
86247+ return res;
86248+}
86249+
86250+static char *
86251+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
86252+ char *buf, int buflen)
86253+{
86254+ char *res;
86255+ struct path path;
86256+ struct path root;
86257+ struct task_struct *reaper = init_pid_ns.child_reaper;
86258+
86259+ path.dentry = (struct dentry *)dentry;
86260+ path.mnt = (struct vfsmount *)vfsmnt;
86261+
86262+ /* we can't use gr_real_root.dentry, gr_real_root.mnt, because they belong only to the RBAC system */
86263+ get_fs_root(reaper->fs, &root);
86264+
86265+ read_seqlock_excl(&mount_lock);
86266+ write_seqlock(&rename_lock);
86267+ res = gen_full_path(&path, &root, buf, buflen);
86268+ write_sequnlock(&rename_lock);
86269+ read_sequnlock_excl(&mount_lock);
86270+
86271+ path_put(&root);
86272+ return res;
86273+}
86274+
86275+char *
86276+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
86277+{
86278+ char *ret;
86279+ read_seqlock_excl(&mount_lock);
86280+ write_seqlock(&rename_lock);
86281+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
86282+ PAGE_SIZE);
86283+ write_sequnlock(&rename_lock);
86284+ read_sequnlock_excl(&mount_lock);
86285+ return ret;
86286+}
86287+
86288+static char *
86289+gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
86290+{
86291+ char *ret;
86292+ char *buf;
86293+ int buflen;
86294+
86295+ read_seqlock_excl(&mount_lock);
86296+ write_seqlock(&rename_lock);
86297+ buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
86298+ ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
86299+ buflen = (int)(ret - buf);
86300+ if (buflen >= 5)
86301+ prepend(&ret, &buflen, "/proc", 5);
86302+ else
86303+ ret = strcpy(buf, "<path too long>");
86304+ write_sequnlock(&rename_lock);
86305+ read_sequnlock_excl(&mount_lock);
86306+ return ret;
86307+}
86308+
86309+char *
86310+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
86311+{
86312+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
86313+ PAGE_SIZE);
86314+}
86315+
86316+char *
86317+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
86318+{
86319+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
86320+ PAGE_SIZE);
86321+}
86322+
86323+char *
86324+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
86325+{
86326+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
86327+ PAGE_SIZE);
86328+}
86329+
86330+char *
86331+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
86332+{
86333+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
86334+ PAGE_SIZE);
86335+}
86336+
86337+char *
86338+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
86339+{
86340+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
86341+ PAGE_SIZE);
86342+}
86343+
86344+__u32
86345+to_gr_audit(const __u32 reqmode)
86346+{
86347+ /* masks off auditable permission flags, then shifts them to create
86348+ auditing flags, and adds the special case of append auditing if
86349+ we're requesting write */
86350+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
86351+}
86352+
86353+struct acl_role_label *
86354+__lookup_acl_role_label(const struct gr_policy_state *state, const struct task_struct *task, const uid_t uid,
86355+ const gid_t gid)
86356+{
86357+ unsigned int index = gr_rhash(uid, GR_ROLE_USER, state->acl_role_set.r_size);
86358+ struct acl_role_label *match;
86359+ struct role_allowed_ip *ipp;
86360+ unsigned int x;
86361+ u32 curr_ip = task->signal->saved_ip;
86362+
86363+ match = state->acl_role_set.r_hash[index];
86364+
86365+ while (match) {
86366+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
86367+ for (x = 0; x < match->domain_child_num; x++) {
86368+ if (match->domain_children[x] == uid)
86369+ goto found;
86370+ }
86371+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
86372+ break;
86373+ match = match->next;
86374+ }
86375+found:
86376+ if (match == NULL) {
86377+ try_group:
86378+ index = gr_rhash(gid, GR_ROLE_GROUP, state->acl_role_set.r_size);
86379+ match = state->acl_role_set.r_hash[index];
86380+
86381+ while (match) {
86382+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
86383+ for (x = 0; x < match->domain_child_num; x++) {
86384+ if (match->domain_children[x] == gid)
86385+ goto found2;
86386+ }
86387+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
86388+ break;
86389+ match = match->next;
86390+ }
86391+found2:
86392+ if (match == NULL)
86393+ match = state->default_role;
86394+ if (match->allowed_ips == NULL)
86395+ return match;
86396+ else {
86397+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
86398+ if (likely
86399+ ((ntohl(curr_ip) & ipp->netmask) ==
86400+ (ntohl(ipp->addr) & ipp->netmask)))
86401+ return match;
86402+ }
86403+ match = state->default_role;
86404+ }
86405+ } else if (match->allowed_ips == NULL) {
86406+ return match;
86407+ } else {
86408+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
86409+ if (likely
86410+ ((ntohl(curr_ip) & ipp->netmask) ==
86411+ (ntohl(ipp->addr) & ipp->netmask)))
86412+ return match;
86413+ }
86414+ goto try_group;
86415+ }
86416+
86417+ return match;
86418+}
86419+
86420+static struct acl_role_label *
86421+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
86422+ const gid_t gid)
86423+{
86424+ return __lookup_acl_role_label(&running_polstate, task, uid, gid);
86425+}
86426+
86427+struct acl_subject_label *
86428+lookup_acl_subj_label(const u64 ino, const dev_t dev,
86429+ const struct acl_role_label *role)
86430+{
86431+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
86432+ struct acl_subject_label *match;
86433+
86434+ match = role->subj_hash[index];
86435+
86436+ while (match && (match->inode != ino || match->device != dev ||
86437+ (match->mode & GR_DELETED))) {
86438+ match = match->next;
86439+ }
86440+
86441+ if (match && !(match->mode & GR_DELETED))
86442+ return match;
86443+ else
86444+ return NULL;
86445+}
86446+
86447+struct acl_subject_label *
86448+lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev,
86449+ const struct acl_role_label *role)
86450+{
86451+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
86452+ struct acl_subject_label *match;
86453+
86454+ match = role->subj_hash[index];
86455+
86456+ while (match && (match->inode != ino || match->device != dev ||
86457+ !(match->mode & GR_DELETED))) {
86458+ match = match->next;
86459+ }
86460+
86461+ if (match && (match->mode & GR_DELETED))
86462+ return match;
86463+ else
86464+ return NULL;
86465+}
86466+
86467+static struct acl_object_label *
86468+lookup_acl_obj_label(const u64 ino, const dev_t dev,
86469+ const struct acl_subject_label *subj)
86470+{
86471+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
86472+ struct acl_object_label *match;
86473+
86474+ match = subj->obj_hash[index];
86475+
86476+ while (match && (match->inode != ino || match->device != dev ||
86477+ (match->mode & GR_DELETED))) {
86478+ match = match->next;
86479+ }
86480+
86481+ if (match && !(match->mode & GR_DELETED))
86482+ return match;
86483+ else
86484+ return NULL;
86485+}
86486+
86487+static struct acl_object_label *
86488+lookup_acl_obj_label_create(const u64 ino, const dev_t dev,
86489+ const struct acl_subject_label *subj)
86490+{
86491+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
86492+ struct acl_object_label *match;
86493+
86494+ match = subj->obj_hash[index];
86495+
86496+ while (match && (match->inode != ino || match->device != dev ||
86497+ !(match->mode & GR_DELETED))) {
86498+ match = match->next;
86499+ }
86500+
86501+ if (match && (match->mode & GR_DELETED))
86502+ return match;
86503+
86504+ match = subj->obj_hash[index];
86505+
86506+ while (match && (match->inode != ino || match->device != dev ||
86507+ (match->mode & GR_DELETED))) {
86508+ match = match->next;
86509+ }
86510+
86511+ if (match && !(match->mode & GR_DELETED))
86512+ return match;
86513+ else
86514+ return NULL;
86515+}
86516+
86517+struct name_entry *
86518+__lookup_name_entry(const struct gr_policy_state *state, const char *name)
86519+{
86520+ unsigned int len = strlen(name);
86521+ unsigned int key = full_name_hash(name, len);
86522+ unsigned int index = key % state->name_set.n_size;
86523+ struct name_entry *match;
86524+
86525+ match = state->name_set.n_hash[index];
86526+
86527+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
86528+ match = match->next;
86529+
86530+ return match;
86531+}
86532+
86533+static struct name_entry *
86534+lookup_name_entry(const char *name)
86535+{
86536+ return __lookup_name_entry(&running_polstate, name);
86537+}
86538+
86539+static struct name_entry *
86540+lookup_name_entry_create(const char *name)
86541+{
86542+ unsigned int len = strlen(name);
86543+ unsigned int key = full_name_hash(name, len);
86544+ unsigned int index = key % running_polstate.name_set.n_size;
86545+ struct name_entry *match;
86546+
86547+ match = running_polstate.name_set.n_hash[index];
86548+
86549+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
86550+ !match->deleted))
86551+ match = match->next;
86552+
86553+ if (match && match->deleted)
86554+ return match;
86555+
86556+ match = running_polstate.name_set.n_hash[index];
86557+
86558+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
86559+ match->deleted))
86560+ match = match->next;
86561+
86562+ if (match && !match->deleted)
86563+ return match;
86564+ else
86565+ return NULL;
86566+}
86567+
86568+static struct inodev_entry *
86569+lookup_inodev_entry(const u64 ino, const dev_t dev)
86570+{
86571+ unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size);
86572+ struct inodev_entry *match;
86573+
86574+ match = running_polstate.inodev_set.i_hash[index];
86575+
86576+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
86577+ match = match->next;
86578+
86579+ return match;
86580+}
86581+
86582+void
86583+__insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry)
86584+{
86585+ unsigned int index = gr_fhash(entry->nentry->inode, entry->nentry->device,
86586+ state->inodev_set.i_size);
86587+ struct inodev_entry **curr;
86588+
86589+ entry->prev = NULL;
86590+
86591+ curr = &state->inodev_set.i_hash[index];
86592+ if (*curr != NULL)
86593+ (*curr)->prev = entry;
86594+
86595+ entry->next = *curr;
86596+ *curr = entry;
86597+
86598+ return;
86599+}
86600+
86601+static void
86602+insert_inodev_entry(struct inodev_entry *entry)
86603+{
86604+ __insert_inodev_entry(&running_polstate, entry);
86605+}
86606+
86607+void
86608+insert_acl_obj_label(struct acl_object_label *obj,
86609+ struct acl_subject_label *subj)
86610+{
86611+ unsigned int index =
86612+ gr_fhash(obj->inode, obj->device, subj->obj_hash_size);
86613+ struct acl_object_label **curr;
86614+
86615+ obj->prev = NULL;
86616+
86617+ curr = &subj->obj_hash[index];
86618+ if (*curr != NULL)
86619+ (*curr)->prev = obj;
86620+
86621+ obj->next = *curr;
86622+ *curr = obj;
86623+
86624+ return;
86625+}
86626+
86627+void
86628+insert_acl_subj_label(struct acl_subject_label *obj,
86629+ struct acl_role_label *role)
86630+{
86631+ unsigned int index = gr_fhash(obj->inode, obj->device, role->subj_hash_size);
86632+ struct acl_subject_label **curr;
86633+
86634+ obj->prev = NULL;
86635+
86636+ curr = &role->subj_hash[index];
86637+ if (*curr != NULL)
86638+ (*curr)->prev = obj;
86639+
86640+ obj->next = *curr;
86641+ *curr = obj;
86642+
86643+ return;
86644+}
86645+
86646+/* derived from glibc fnmatch() 0: match, 1: no match*/
86647+
86648+static int
86649+glob_match(const char *p, const char *n)
86650+{
86651+ char c;
86652+
86653+ while ((c = *p++) != '\0') {
86654+ switch (c) {
86655+ case '?':
86656+ if (*n == '\0')
86657+ return 1;
86658+ else if (*n == '/')
86659+ return 1;
86660+ break;
86661+ case '\\':
86662+ if (*n != c)
86663+ return 1;
86664+ break;
86665+ case '*':
86666+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
86667+ if (*n == '/')
86668+ return 1;
86669+ else if (c == '?') {
86670+ if (*n == '\0')
86671+ return 1;
86672+ else
86673+ ++n;
86674+ }
86675+ }
86676+ if (c == '\0') {
86677+ return 0;
86678+ } else {
86679+ const char *endp;
86680+
86681+ if ((endp = strchr(n, '/')) == NULL)
86682+ endp = n + strlen(n);
86683+
86684+ if (c == '[') {
86685+ for (--p; n < endp; ++n)
86686+ if (!glob_match(p, n))
86687+ return 0;
86688+ } else if (c == '/') {
86689+ while (*n != '\0' && *n != '/')
86690+ ++n;
86691+ if (*n == '/' && !glob_match(p, n + 1))
86692+ return 0;
86693+ } else {
86694+ for (--p; n < endp; ++n)
86695+ if (*n == c && !glob_match(p, n))
86696+ return 0;
86697+ }
86698+
86699+ return 1;
86700+ }
86701+ case '[':
86702+ {
86703+ int not;
86704+ char cold;
86705+
86706+ if (*n == '\0' || *n == '/')
86707+ return 1;
86708+
86709+ not = (*p == '!' || *p == '^');
86710+ if (not)
86711+ ++p;
86712+
86713+ c = *p++;
86714+ for (;;) {
86715+ unsigned char fn = (unsigned char)*n;
86716+
86717+ if (c == '\0')
86718+ return 1;
86719+ else {
86720+ if (c == fn)
86721+ goto matched;
86722+ cold = c;
86723+ c = *p++;
86724+
86725+ if (c == '-' && *p != ']') {
86726+ unsigned char cend = *p++;
86727+
86728+ if (cend == '\0')
86729+ return 1;
86730+
86731+ if (cold <= fn && fn <= cend)
86732+ goto matched;
86733+
86734+ c = *p++;
86735+ }
86736+ }
86737+
86738+ if (c == ']')
86739+ break;
86740+ }
86741+ if (!not)
86742+ return 1;
86743+ break;
86744+ matched:
86745+ while (c != ']') {
86746+ if (c == '\0')
86747+ return 1;
86748+
86749+ c = *p++;
86750+ }
86751+ if (not)
86752+ return 1;
86753+ }
86754+ break;
86755+ default:
86756+ if (c != *n)
86757+ return 1;
86758+ }
86759+
86760+ ++n;
86761+ }
86762+
86763+ if (*n == '\0')
86764+ return 0;
86765+
86766+ if (*n == '/')
86767+ return 0;
86768+
86769+ return 1;
86770+}
86771+
86772+static struct acl_object_label *
86773+chk_glob_label(struct acl_object_label *globbed,
86774+ const struct dentry *dentry, const struct vfsmount *mnt, char **path)
86775+{
86776+ struct acl_object_label *tmp;
86777+
86778+ if (*path == NULL)
86779+ *path = gr_to_filename_nolock(dentry, mnt);
86780+
86781+ tmp = globbed;
86782+
86783+ while (tmp) {
86784+ if (!glob_match(tmp->filename, *path))
86785+ return tmp;
86786+ tmp = tmp->next;
86787+ }
86788+
86789+ return NULL;
86790+}
86791+
86792+static struct acl_object_label *
86793+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
86794+ const u64 curr_ino, const dev_t curr_dev,
86795+ const struct acl_subject_label *subj, char **path, const int checkglob)
86796+{
86797+ struct acl_subject_label *tmpsubj;
86798+ struct acl_object_label *retval;
86799+ struct acl_object_label *retval2;
86800+
86801+ tmpsubj = (struct acl_subject_label *) subj;
86802+ read_lock(&gr_inode_lock);
86803+ do {
86804+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
86805+ if (retval) {
86806+ if (checkglob && retval->globbed) {
86807+ retval2 = chk_glob_label(retval->globbed, orig_dentry, orig_mnt, path);
86808+ if (retval2)
86809+ retval = retval2;
86810+ }
86811+ break;
86812+ }
86813+ } while ((tmpsubj = tmpsubj->parent_subject));
86814+ read_unlock(&gr_inode_lock);
86815+
86816+ return retval;
86817+}
86818+
86819+static struct acl_object_label *
86820+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
86821+ struct dentry *curr_dentry,
86822+ const struct acl_subject_label *subj, char **path, const int checkglob)
86823+{
86824+ int newglob = checkglob;
86825+ u64 inode;
86826+ dev_t device;
86827+
86828+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
86829+ as we don't want a / * rule to match instead of the / object
86830+ don't do this for create lookups that call this function though, since they're looking up
86831+ on the parent and thus need globbing checks on all paths
86832+ */
86833+ if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
86834+ newglob = GR_NO_GLOB;
86835+
86836+ spin_lock(&curr_dentry->d_lock);
86837+ inode = __get_ino(curr_dentry);
86838+ device = __get_dev(curr_dentry);
86839+ spin_unlock(&curr_dentry->d_lock);
86840+
86841+ return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
86842+}
86843+
86844+#ifdef CONFIG_HUGETLBFS
86845+static inline bool
86846+is_hugetlbfs_mnt(const struct vfsmount *mnt)
86847+{
86848+ int i;
86849+ for (i = 0; i < HUGE_MAX_HSTATE; i++) {
86850+ if (unlikely(hugetlbfs_vfsmount[i] == mnt))
86851+ return true;
86852+ }
86853+
86854+ return false;
86855+}
86856+#endif
86857+
86858+static struct acl_object_label *
86859+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86860+ const struct acl_subject_label *subj, char *path, const int checkglob)
86861+{
86862+ struct dentry *dentry = (struct dentry *) l_dentry;
86863+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
86864+ struct inode * inode = d_backing_inode(dentry);
86865+ struct mount *real_mnt = real_mount(mnt);
86866+ struct acl_object_label *retval;
86867+ struct dentry *parent;
86868+
86869+ read_seqlock_excl(&mount_lock);
86870+ write_seqlock(&rename_lock);
86871+
86872+ if (unlikely((mnt == shm_mnt && inode->i_nlink == 0) || mnt == pipe_mnt ||
86873+#ifdef CONFIG_NET
86874+ mnt == sock_mnt ||
86875+#endif
86876+#ifdef CONFIG_HUGETLBFS
86877+ (is_hugetlbfs_mnt(mnt) && inode->i_nlink == 0) ||
86878+#endif
86879+ /* ignore Eric Biederman */
86880+ IS_PRIVATE(inode))) {
86881+ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
86882+ goto out;
86883+ }
86884+
86885+ for (;;) {
86886+ if (dentry == gr_real_root.dentry && mnt == gr_real_root.mnt)
86887+ break;
86888+
86889+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
86890+ if (!mnt_has_parent(real_mnt))
86891+ break;
86892+
86893+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86894+ if (retval != NULL)
86895+ goto out;
86896+
86897+ dentry = real_mnt->mnt_mountpoint;
86898+ real_mnt = real_mnt->mnt_parent;
86899+ mnt = &real_mnt->mnt;
86900+ continue;
86901+ }
86902+
86903+ parent = dentry->d_parent;
86904+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86905+ if (retval != NULL)
86906+ goto out;
86907+
86908+ dentry = parent;
86909+ }
86910+
86911+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86912+
86913+ /* gr_real_root is pinned so we don't have to hold a reference */
86914+ if (retval == NULL)
86915+ retval = full_lookup(l_dentry, l_mnt, gr_real_root.dentry, subj, &path, checkglob);
86916+out:
86917+ write_sequnlock(&rename_lock);
86918+ read_sequnlock_excl(&mount_lock);
86919+
86920+ BUG_ON(retval == NULL);
86921+
86922+ return retval;
86923+}
86924+
86925+static struct acl_object_label *
86926+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86927+ const struct acl_subject_label *subj)
86928+{
86929+ char *path = NULL;
86930+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
86931+}
86932+
86933+static struct acl_object_label *
86934+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86935+ const struct acl_subject_label *subj)
86936+{
86937+ char *path = NULL;
86938+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
86939+}
86940+
86941+static struct acl_object_label *
86942+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86943+ const struct acl_subject_label *subj, char *path)
86944+{
86945+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
86946+}
86947+
86948+struct acl_subject_label *
86949+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86950+ const struct acl_role_label *role)
86951+{
86952+ struct dentry *dentry = (struct dentry *) l_dentry;
86953+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
86954+ struct mount *real_mnt = real_mount(mnt);
86955+ struct acl_subject_label *retval;
86956+ struct dentry *parent;
86957+
86958+ read_seqlock_excl(&mount_lock);
86959+ write_seqlock(&rename_lock);
86960+
86961+ for (;;) {
86962+ if (dentry == gr_real_root.dentry && mnt == gr_real_root.mnt)
86963+ break;
86964+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
86965+ if (!mnt_has_parent(real_mnt))
86966+ break;
86967+
86968+ spin_lock(&dentry->d_lock);
86969+ read_lock(&gr_inode_lock);
86970+ retval =
86971+ lookup_acl_subj_label(__get_ino(dentry),
86972+ __get_dev(dentry), role);
86973+ read_unlock(&gr_inode_lock);
86974+ spin_unlock(&dentry->d_lock);
86975+ if (retval != NULL)
86976+ goto out;
86977+
86978+ dentry = real_mnt->mnt_mountpoint;
86979+ real_mnt = real_mnt->mnt_parent;
86980+ mnt = &real_mnt->mnt;
86981+ continue;
86982+ }
86983+
86984+ spin_lock(&dentry->d_lock);
86985+ read_lock(&gr_inode_lock);
86986+ retval = lookup_acl_subj_label(__get_ino(dentry),
86987+ __get_dev(dentry), role);
86988+ read_unlock(&gr_inode_lock);
86989+ parent = dentry->d_parent;
86990+ spin_unlock(&dentry->d_lock);
86991+
86992+ if (retval != NULL)
86993+ goto out;
86994+
86995+ dentry = parent;
86996+ }
86997+
86998+ spin_lock(&dentry->d_lock);
86999+ read_lock(&gr_inode_lock);
87000+ retval = lookup_acl_subj_label(__get_ino(dentry),
87001+ __get_dev(dentry), role);
87002+ read_unlock(&gr_inode_lock);
87003+ spin_unlock(&dentry->d_lock);
87004+
87005+ if (unlikely(retval == NULL)) {
87006+ /* gr_real_root is pinned, we don't need to hold a reference */
87007+ read_lock(&gr_inode_lock);
87008+ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry),
87009+ __get_dev(gr_real_root.dentry), role);
87010+ read_unlock(&gr_inode_lock);
87011+ }
87012+out:
87013+ write_sequnlock(&rename_lock);
87014+ read_sequnlock_excl(&mount_lock);
87015+
87016+ BUG_ON(retval == NULL);
87017+
87018+ return retval;
87019+}
87020+
87021+void
87022+assign_special_role(const char *rolename)
87023+{
87024+ struct acl_object_label *obj;
87025+ struct acl_role_label *r;
87026+ struct acl_role_label *assigned = NULL;
87027+ struct task_struct *tsk;
87028+ struct file *filp;
87029+
87030+ FOR_EACH_ROLE_START(r)
87031+ if (!strcmp(rolename, r->rolename) &&
87032+ (r->roletype & GR_ROLE_SPECIAL)) {
87033+ assigned = r;
87034+ break;
87035+ }
87036+ FOR_EACH_ROLE_END(r)
87037+
87038+ if (!assigned)
87039+ return;
87040+
87041+ read_lock(&tasklist_lock);
87042+ read_lock(&grsec_exec_file_lock);
87043+
87044+ tsk = current->real_parent;
87045+ if (tsk == NULL)
87046+ goto out_unlock;
87047+
87048+ filp = tsk->exec_file;
87049+ if (filp == NULL)
87050+ goto out_unlock;
87051+
87052+ tsk->is_writable = 0;
87053+ tsk->inherited = 0;
87054+
87055+ tsk->acl_sp_role = 1;
87056+ tsk->acl_role_id = ++acl_sp_role_value;
87057+ tsk->role = assigned;
87058+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
87059+
87060+ /* ignore additional mmap checks for processes that are writable
87061+ by the default ACL */
87062+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, running_polstate.default_role->root_label);
87063+ if (unlikely(obj->mode & GR_WRITE))
87064+ tsk->is_writable = 1;
87065+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
87066+ if (unlikely(obj->mode & GR_WRITE))
87067+ tsk->is_writable = 1;
87068+
87069+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87070+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename,
87071+ tsk->acl->filename, tsk->comm, task_pid_nr(tsk));
87072+#endif
87073+
87074+out_unlock:
87075+ read_unlock(&grsec_exec_file_lock);
87076+ read_unlock(&tasklist_lock);
87077+ return;
87078+}
87079+
87080+
87081+static void
87082+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
87083+{
87084+ struct task_struct *task = current;
87085+ const struct cred *cred = current_cred();
87086+
87087+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
87088+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
87089+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
87090+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
87091+
87092+ return;
87093+}
87094+
87095+static void
87096+gr_log_learn_uid_change(const kuid_t real, const kuid_t effective, const kuid_t fs)
87097+{
87098+ struct task_struct *task = current;
87099+ const struct cred *cred = current_cred();
87100+
87101+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
87102+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
87103+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
87104+ 'u', GR_GLOBAL_UID(real), GR_GLOBAL_UID(effective), GR_GLOBAL_UID(fs), &task->signal->saved_ip);
87105+
87106+ return;
87107+}
87108+
87109+static void
87110+gr_log_learn_gid_change(const kgid_t real, const kgid_t effective, const kgid_t fs)
87111+{
87112+ struct task_struct *task = current;
87113+ const struct cred *cred = current_cred();
87114+
87115+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
87116+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
87117+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
87118+ 'g', GR_GLOBAL_GID(real), GR_GLOBAL_GID(effective), GR_GLOBAL_GID(fs), &task->signal->saved_ip);
87119+
87120+ return;
87121+}
87122+
87123+static void
87124+gr_set_proc_res(struct task_struct *task)
87125+{
87126+ struct acl_subject_label *proc;
87127+ unsigned short i;
87128+
87129+ proc = task->acl;
87130+
87131+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
87132+ return;
87133+
87134+ for (i = 0; i < RLIM_NLIMITS; i++) {
87135+ unsigned long rlim_cur, rlim_max;
87136+
87137+ if (!(proc->resmask & (1U << i)))
87138+ continue;
87139+
87140+ rlim_cur = proc->res[i].rlim_cur;
87141+ rlim_max = proc->res[i].rlim_max;
87142+
87143+ if (i == RLIMIT_NOFILE) {
87144+ unsigned long saved_sysctl_nr_open = sysctl_nr_open;
87145+ if (rlim_cur > saved_sysctl_nr_open)
87146+ rlim_cur = saved_sysctl_nr_open;
87147+ if (rlim_max > saved_sysctl_nr_open)
87148+ rlim_max = saved_sysctl_nr_open;
87149+ }
87150+
87151+ task->signal->rlim[i].rlim_cur = rlim_cur;
87152+ task->signal->rlim[i].rlim_max = rlim_max;
87153+
87154+ if (i == RLIMIT_CPU)
87155+ update_rlimit_cpu(task, rlim_cur);
87156+ }
87157+
87158+ return;
87159+}
87160+
87161+/* both of the below must be called with
87162+ rcu_read_lock();
87163+ read_lock(&tasklist_lock);
87164+ read_lock(&grsec_exec_file_lock);
87165+ except in the case of gr_set_role_label() (for __gr_get_subject_for_task)
87166+*/
87167+
87168+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback)
87169+{
87170+ char *tmpname;
87171+ struct acl_subject_label *tmpsubj;
87172+ struct file *filp;
87173+ struct name_entry *nmatch;
87174+
87175+ filp = task->exec_file;
87176+ if (filp == NULL)
87177+ return NULL;
87178+
87179+ /* the following is to apply the correct subject
87180+ on binaries running when the RBAC system
87181+ is enabled, when the binaries have been
87182+ replaced or deleted since their execution
87183+ -----
87184+ when the RBAC system starts, the inode/dev
87185+ from exec_file will be one the RBAC system
87186+ is unaware of. It only knows the inode/dev
87187+ of the present file on disk, or the absence
87188+ of it.
87189+ */
87190+
87191+ if (filename)
87192+ nmatch = __lookup_name_entry(state, filename);
87193+ else {
87194+ preempt_disable();
87195+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
87196+
87197+ nmatch = __lookup_name_entry(state, tmpname);
87198+ preempt_enable();
87199+ }
87200+ tmpsubj = NULL;
87201+ if (nmatch) {
87202+ if (nmatch->deleted)
87203+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
87204+ else
87205+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
87206+ }
87207+ /* this also works for the reload case -- if we don't match a potentially inherited subject
87208+ then we fall back to a normal lookup based on the binary's ino/dev
87209+ */
87210+ if (tmpsubj == NULL && fallback)
87211+ tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role);
87212+
87213+ return tmpsubj;
87214+}
87215+
87216+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback)
87217+{
87218+ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback);
87219+}
87220+
87221+void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj)
87222+{
87223+ struct acl_object_label *obj;
87224+ struct file *filp;
87225+
87226+ filp = task->exec_file;
87227+
87228+ task->acl = subj;
87229+ task->is_writable = 0;
87230+ /* ignore additional mmap checks for processes that are writable
87231+ by the default ACL */
87232+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, state->default_role->root_label);
87233+ if (unlikely(obj->mode & GR_WRITE))
87234+ task->is_writable = 1;
87235+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
87236+ if (unlikely(obj->mode & GR_WRITE))
87237+ task->is_writable = 1;
87238+
87239+ gr_set_proc_res(task);
87240+
87241+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87242+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
87243+#endif
87244+}
87245+
87246+static void gr_apply_subject_to_task(struct task_struct *task, struct acl_subject_label *subj)
87247+{
87248+ __gr_apply_subject_to_task(&running_polstate, task, subj);
87249+}
87250+
87251+__u32
87252+gr_search_file(const struct dentry * dentry, const __u32 mode,
87253+ const struct vfsmount * mnt)
87254+{
87255+ __u32 retval = mode;
87256+ struct acl_subject_label *curracl;
87257+ struct acl_object_label *currobj;
87258+
87259+ if (unlikely(!(gr_status & GR_READY)))
87260+ return (mode & ~GR_AUDITS);
87261+
87262+ curracl = current->acl;
87263+
87264+ currobj = chk_obj_label(dentry, mnt, curracl);
87265+ retval = currobj->mode & mode;
87266+
87267+ /* if we're opening a specified transfer file for writing
87268+ (e.g. /dev/initctl), then transfer our role to init
87269+ */
87270+ if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
87271+ current->role->roletype & GR_ROLE_PERSIST)) {
87272+ struct task_struct *task = init_pid_ns.child_reaper;
87273+
87274+ if (task->role != current->role) {
87275+ struct acl_subject_label *subj;
87276+
87277+ task->acl_sp_role = 0;
87278+ task->acl_role_id = current->acl_role_id;
87279+ task->role = current->role;
87280+ rcu_read_lock();
87281+ read_lock(&grsec_exec_file_lock);
87282+ subj = gr_get_subject_for_task(task, NULL, 1);
87283+ gr_apply_subject_to_task(task, subj);
87284+ read_unlock(&grsec_exec_file_lock);
87285+ rcu_read_unlock();
87286+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
87287+ }
87288+ }
87289+
87290+ if (unlikely
87291+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
87292+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
87293+ __u32 new_mode = mode;
87294+
87295+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
87296+
87297+ retval = new_mode;
87298+
87299+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
87300+ new_mode |= GR_INHERIT;
87301+
87302+ if (!(mode & GR_NOLEARN))
87303+ gr_log_learn(dentry, mnt, new_mode);
87304+ }
87305+
87306+ return retval;
87307+}
87308+
87309+struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
87310+ const struct dentry *parent,
87311+ const struct vfsmount *mnt)
87312+{
87313+ struct name_entry *match;
87314+ struct acl_object_label *matchpo;
87315+ struct acl_subject_label *curracl;
87316+ char *path;
87317+
87318+ if (unlikely(!(gr_status & GR_READY)))
87319+ return NULL;
87320+
87321+ preempt_disable();
87322+ path = gr_to_filename_rbac(new_dentry, mnt);
87323+ match = lookup_name_entry_create(path);
87324+
87325+ curracl = current->acl;
87326+
87327+ if (match) {
87328+ read_lock(&gr_inode_lock);
87329+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
87330+ read_unlock(&gr_inode_lock);
87331+
87332+ if (matchpo) {
87333+ preempt_enable();
87334+ return matchpo;
87335+ }
87336+ }
87337+
87338+ // lookup parent
87339+
87340+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
87341+
87342+ preempt_enable();
87343+ return matchpo;
87344+}
87345+
87346+__u32
87347+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
87348+ const struct vfsmount * mnt, const __u32 mode)
87349+{
87350+ struct acl_object_label *matchpo;
87351+ __u32 retval;
87352+
87353+ if (unlikely(!(gr_status & GR_READY)))
87354+ return (mode & ~GR_AUDITS);
87355+
87356+ matchpo = gr_get_create_object(new_dentry, parent, mnt);
87357+
87358+ retval = matchpo->mode & mode;
87359+
87360+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
87361+ && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
87362+ __u32 new_mode = mode;
87363+
87364+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
87365+
87366+ gr_log_learn(new_dentry, mnt, new_mode);
87367+ return new_mode;
87368+ }
87369+
87370+ return retval;
87371+}
87372+
87373+__u32
87374+gr_check_link(const struct dentry * new_dentry,
87375+ const struct dentry * parent_dentry,
87376+ const struct vfsmount * parent_mnt,
87377+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
87378+{
87379+ struct acl_object_label *obj;
87380+ __u32 oldmode, newmode;
87381+ __u32 needmode;
87382+ __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
87383+ GR_DELETE | GR_INHERIT;
87384+
87385+ if (unlikely(!(gr_status & GR_READY)))
87386+ return (GR_CREATE | GR_LINK);
87387+
87388+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
87389+ oldmode = obj->mode;
87390+
87391+ obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
87392+ newmode = obj->mode;
87393+
87394+ needmode = newmode & checkmodes;
87395+
87396+ // old name for hardlink must have at least the permissions of the new name
87397+ if ((oldmode & needmode) != needmode)
87398+ goto bad;
87399+
87400+ // if old name had restrictions/auditing, make sure the new name does as well
87401+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
87402+
87403+ // don't allow hardlinking of suid/sgid/fcapped files without permission
87404+ if (is_privileged_binary(old_dentry))
87405+ needmode |= GR_SETID;
87406+
87407+ if ((newmode & needmode) != needmode)
87408+ goto bad;
87409+
87410+ // enforce minimum permissions
87411+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
87412+ return newmode;
87413+bad:
87414+ needmode = oldmode;
87415+ if (is_privileged_binary(old_dentry))
87416+ needmode |= GR_SETID;
87417+
87418+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
87419+ gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
87420+ return (GR_CREATE | GR_LINK);
87421+ } else if (newmode & GR_SUPPRESS)
87422+ return GR_SUPPRESS;
87423+ else
87424+ return 0;
87425+}
87426+
87427+int
87428+gr_check_hidden_task(const struct task_struct *task)
87429+{
87430+ if (unlikely(!(gr_status & GR_READY)))
87431+ return 0;
87432+
87433+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
87434+ return 1;
87435+
87436+ return 0;
87437+}
87438+
87439+int
87440+gr_check_protected_task(const struct task_struct *task)
87441+{
87442+ if (unlikely(!(gr_status & GR_READY) || !task))
87443+ return 0;
87444+
87445+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
87446+ task->acl != current->acl)
87447+ return 1;
87448+
87449+ return 0;
87450+}
87451+
87452+int
87453+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
87454+{
87455+ struct task_struct *p;
87456+ int ret = 0;
87457+
87458+ if (unlikely(!(gr_status & GR_READY) || !pid))
87459+ return ret;
87460+
87461+ read_lock(&tasklist_lock);
87462+ do_each_pid_task(pid, type, p) {
87463+ if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
87464+ p->acl != current->acl) {
87465+ ret = 1;
87466+ goto out;
87467+ }
87468+ } while_each_pid_task(pid, type, p);
87469+out:
87470+ read_unlock(&tasklist_lock);
87471+
87472+ return ret;
87473+}
87474+
87475+void
87476+gr_copy_label(struct task_struct *tsk)
87477+{
87478+ struct task_struct *p = current;
87479+
87480+ tsk->inherited = p->inherited;
87481+ tsk->acl_sp_role = 0;
87482+ tsk->acl_role_id = p->acl_role_id;
87483+ tsk->acl = p->acl;
87484+ tsk->role = p->role;
87485+ tsk->signal->used_accept = 0;
87486+ tsk->signal->curr_ip = p->signal->curr_ip;
87487+ tsk->signal->saved_ip = p->signal->saved_ip;
87488+ if (p->exec_file)
87489+ get_file(p->exec_file);
87490+ tsk->exec_file = p->exec_file;
87491+ tsk->is_writable = p->is_writable;
87492+ if (unlikely(p->signal->used_accept)) {
87493+ p->signal->curr_ip = 0;
87494+ p->signal->saved_ip = 0;
87495+ }
87496+
87497+ return;
87498+}
87499+
87500+extern int gr_process_kernel_setuid_ban(struct user_struct *user);
87501+
87502+int
87503+gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
87504+{
87505+ unsigned int i;
87506+ __u16 num;
87507+ uid_t *uidlist;
87508+ uid_t curuid;
87509+ int realok = 0;
87510+ int effectiveok = 0;
87511+ int fsok = 0;
87512+ uid_t globalreal, globaleffective, globalfs;
87513+
87514+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT)
87515+ struct user_struct *user;
87516+
87517+ if (!uid_valid(real))
87518+ goto skipit;
87519+
87520+ /* find user based on global namespace */
87521+
87522+ globalreal = GR_GLOBAL_UID(real);
87523+
87524+ user = find_user(make_kuid(&init_user_ns, globalreal));
87525+ if (user == NULL)
87526+ goto skipit;
87527+
87528+ if (gr_process_kernel_setuid_ban(user)) {
87529+ /* for find_user */
87530+ free_uid(user);
87531+ return 1;
87532+ }
87533+
87534+ /* for find_user */
87535+ free_uid(user);
87536+
87537+skipit:
87538+#endif
87539+
87540+ if (unlikely(!(gr_status & GR_READY)))
87541+ return 0;
87542+
87543+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
87544+ gr_log_learn_uid_change(real, effective, fs);
87545+
87546+ num = current->acl->user_trans_num;
87547+ uidlist = current->acl->user_transitions;
87548+
87549+ if (uidlist == NULL)
87550+ return 0;
87551+
87552+ if (!uid_valid(real)) {
87553+ realok = 1;
87554+ globalreal = (uid_t)-1;
87555+ } else {
87556+ globalreal = GR_GLOBAL_UID(real);
87557+ }
87558+ if (!uid_valid(effective)) {
87559+ effectiveok = 1;
87560+ globaleffective = (uid_t)-1;
87561+ } else {
87562+ globaleffective = GR_GLOBAL_UID(effective);
87563+ }
87564+ if (!uid_valid(fs)) {
87565+ fsok = 1;
87566+ globalfs = (uid_t)-1;
87567+ } else {
87568+ globalfs = GR_GLOBAL_UID(fs);
87569+ }
87570+
87571+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
87572+ for (i = 0; i < num; i++) {
87573+ curuid = uidlist[i];
87574+ if (globalreal == curuid)
87575+ realok = 1;
87576+ if (globaleffective == curuid)
87577+ effectiveok = 1;
87578+ if (globalfs == curuid)
87579+ fsok = 1;
87580+ }
87581+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
87582+ for (i = 0; i < num; i++) {
87583+ curuid = uidlist[i];
87584+ if (globalreal == curuid)
87585+ break;
87586+ if (globaleffective == curuid)
87587+ break;
87588+ if (globalfs == curuid)
87589+ break;
87590+ }
87591+ /* not in deny list */
87592+ if (i == num) {
87593+ realok = 1;
87594+ effectiveok = 1;
87595+ fsok = 1;
87596+ }
87597+ }
87598+
87599+ if (realok && effectiveok && fsok)
87600+ return 0;
87601+ else {
87602+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal);
87603+ return 1;
87604+ }
87605+}
87606+
87607+int
87608+gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs)
87609+{
87610+ unsigned int i;
87611+ __u16 num;
87612+ gid_t *gidlist;
87613+ gid_t curgid;
87614+ int realok = 0;
87615+ int effectiveok = 0;
87616+ int fsok = 0;
87617+ gid_t globalreal, globaleffective, globalfs;
87618+
87619+ if (unlikely(!(gr_status & GR_READY)))
87620+ return 0;
87621+
87622+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
87623+ gr_log_learn_gid_change(real, effective, fs);
87624+
87625+ num = current->acl->group_trans_num;
87626+ gidlist = current->acl->group_transitions;
87627+
87628+ if (gidlist == NULL)
87629+ return 0;
87630+
87631+ if (!gid_valid(real)) {
87632+ realok = 1;
87633+ globalreal = (gid_t)-1;
87634+ } else {
87635+ globalreal = GR_GLOBAL_GID(real);
87636+ }
87637+ if (!gid_valid(effective)) {
87638+ effectiveok = 1;
87639+ globaleffective = (gid_t)-1;
87640+ } else {
87641+ globaleffective = GR_GLOBAL_GID(effective);
87642+ }
87643+ if (!gid_valid(fs)) {
87644+ fsok = 1;
87645+ globalfs = (gid_t)-1;
87646+ } else {
87647+ globalfs = GR_GLOBAL_GID(fs);
87648+ }
87649+
87650+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
87651+ for (i = 0; i < num; i++) {
87652+ curgid = gidlist[i];
87653+ if (globalreal == curgid)
87654+ realok = 1;
87655+ if (globaleffective == curgid)
87656+ effectiveok = 1;
87657+ if (globalfs == curgid)
87658+ fsok = 1;
87659+ }
87660+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
87661+ for (i = 0; i < num; i++) {
87662+ curgid = gidlist[i];
87663+ if (globalreal == curgid)
87664+ break;
87665+ if (globaleffective == curgid)
87666+ break;
87667+ if (globalfs == curgid)
87668+ break;
87669+ }
87670+ /* not in deny list */
87671+ if (i == num) {
87672+ realok = 1;
87673+ effectiveok = 1;
87674+ fsok = 1;
87675+ }
87676+ }
87677+
87678+ if (realok && effectiveok && fsok)
87679+ return 0;
87680+ else {
87681+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal);
87682+ return 1;
87683+ }
87684+}
87685+
87686+extern int gr_acl_is_capable(const int cap);
87687+
87688+void
87689+gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid)
87690+{
87691+ struct acl_role_label *role = task->role;
87692+ struct acl_role_label *origrole = role;
87693+ struct acl_subject_label *subj = NULL;
87694+ struct acl_object_label *obj;
87695+ struct file *filp;
87696+ uid_t uid;
87697+ gid_t gid;
87698+
87699+ if (unlikely(!(gr_status & GR_READY)))
87700+ return;
87701+
87702+ uid = GR_GLOBAL_UID(kuid);
87703+ gid = GR_GLOBAL_GID(kgid);
87704+
87705+ filp = task->exec_file;
87706+
87707+ /* kernel process, we'll give them the kernel role */
87708+ if (unlikely(!filp)) {
87709+ task->role = running_polstate.kernel_role;
87710+ task->acl = running_polstate.kernel_role->root_label;
87711+ return;
87712+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL)) {
87713+ /* save the current ip at time of role lookup so that the proper
87714+ IP will be learned for role_allowed_ip */
87715+ task->signal->saved_ip = task->signal->curr_ip;
87716+ role = lookup_acl_role_label(task, uid, gid);
87717+ }
87718+
87719+ /* don't change the role if we're not a privileged process */
87720+ if (role && task->role != role &&
87721+ (((role->roletype & GR_ROLE_USER) && !gr_acl_is_capable(CAP_SETUID)) ||
87722+ ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID))))
87723+ return;
87724+
87725+ task->role = role;
87726+
87727+ if (task->inherited) {
87728+ /* if we reached our subject through inheritance, then first see
87729+ if there's a subject of the same name in the new role that has
87730+ an object that would result in the same inherited subject
87731+ */
87732+ subj = gr_get_subject_for_task(task, task->acl->filename, 0);
87733+ if (subj) {
87734+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj);
87735+ if (!(obj->mode & GR_INHERIT))
87736+ subj = NULL;
87737+ }
87738+
87739+ }
87740+ if (subj == NULL) {
87741+ /* otherwise:
87742+ perform subject lookup in possibly new role
87743+ we can use this result below in the case where role == task->role
87744+ */
87745+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
87746+ }
87747+
87748+ /* if we changed uid/gid, but result in the same role
87749+ and are using inheritance, don't lose the inherited subject
87750+ if current subject is other than what normal lookup
87751+ would result in, we arrived via inheritance, don't
87752+ lose subject
87753+ */
87754+ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) &&
87755+ (subj == task->acl)))
87756+ task->acl = subj;
87757+
87758+ /* leave task->inherited unaffected */
87759+
87760+ task->is_writable = 0;
87761+
87762+ /* ignore additional mmap checks for processes that are writable
87763+ by the default ACL */
87764+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, running_polstate.default_role->root_label);
87765+ if (unlikely(obj->mode & GR_WRITE))
87766+ task->is_writable = 1;
87767+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
87768+ if (unlikely(obj->mode & GR_WRITE))
87769+ task->is_writable = 1;
87770+
87771+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87772+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
87773+#endif
87774+
87775+ gr_set_proc_res(task);
87776+
87777+ return;
87778+}
87779+
87780+int
87781+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
87782+ const int unsafe_flags)
87783+{
87784+ struct task_struct *task = current;
87785+ struct acl_subject_label *newacl;
87786+ struct acl_object_label *obj;
87787+ __u32 retmode;
87788+
87789+ if (unlikely(!(gr_status & GR_READY)))
87790+ return 0;
87791+
87792+ newacl = chk_subj_label(dentry, mnt, task->role);
87793+
87794+ /* special handling for if we did an strace -f -p <pid> from an admin role, where pid then
87795+ did an exec
87796+ */
87797+ rcu_read_lock();
87798+ read_lock(&tasklist_lock);
87799+ if (task->ptrace && task->parent && ((task->parent->role->roletype & GR_ROLE_GOD) ||
87800+ (task->parent->acl->mode & GR_POVERRIDE))) {
87801+ read_unlock(&tasklist_lock);
87802+ rcu_read_unlock();
87803+ goto skip_check;
87804+ }
87805+ read_unlock(&tasklist_lock);
87806+ rcu_read_unlock();
87807+
87808+ if (unsafe_flags && !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
87809+ !(task->role->roletype & GR_ROLE_GOD) &&
87810+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
87811+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
87812+ if (unsafe_flags & LSM_UNSAFE_SHARE)
87813+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
87814+ else
87815+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
87816+ return -EACCES;
87817+ }
87818+
87819+skip_check:
87820+
87821+ obj = chk_obj_label(dentry, mnt, task->acl);
87822+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
87823+
87824+ if (!(task->acl->mode & GR_INHERITLEARN) &&
87825+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
87826+ if (obj->nested)
87827+ task->acl = obj->nested;
87828+ else
87829+ task->acl = newacl;
87830+ task->inherited = 0;
87831+ } else {
87832+ task->inherited = 1;
87833+ if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
87834+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
87835+ }
87836+
87837+ task->is_writable = 0;
87838+
87839+ /* ignore additional mmap checks for processes that are writable
87840+ by the default ACL */
87841+ obj = chk_obj_label(dentry, mnt, running_polstate.default_role->root_label);
87842+ if (unlikely(obj->mode & GR_WRITE))
87843+ task->is_writable = 1;
87844+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
87845+ if (unlikely(obj->mode & GR_WRITE))
87846+ task->is_writable = 1;
87847+
87848+ gr_set_proc_res(task);
87849+
87850+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87851+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
87852+#endif
87853+ return 0;
87854+}
87855+
87856+/* always called with valid inodev ptr */
87857+static void
87858+do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev)
87859+{
87860+ struct acl_object_label *matchpo;
87861+ struct acl_subject_label *matchps;
87862+ struct acl_subject_label *subj;
87863+ struct acl_role_label *role;
87864+ unsigned int x;
87865+
87866+ FOR_EACH_ROLE_START(role)
87867+ FOR_EACH_SUBJECT_START(role, subj, x)
87868+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
87869+ matchpo->mode |= GR_DELETED;
87870+ FOR_EACH_SUBJECT_END(subj,x)
87871+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
87872+ /* nested subjects aren't in the role's subj_hash table */
87873+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
87874+ matchpo->mode |= GR_DELETED;
87875+ FOR_EACH_NESTED_SUBJECT_END(subj)
87876+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
87877+ matchps->mode |= GR_DELETED;
87878+ FOR_EACH_ROLE_END(role)
87879+
87880+ inodev->nentry->deleted = 1;
87881+
87882+ return;
87883+}
87884+
87885+void
87886+gr_handle_delete(const u64 ino, const dev_t dev)
87887+{
87888+ struct inodev_entry *inodev;
87889+
87890+ if (unlikely(!(gr_status & GR_READY)))
87891+ return;
87892+
87893+ write_lock(&gr_inode_lock);
87894+ inodev = lookup_inodev_entry(ino, dev);
87895+ if (inodev != NULL)
87896+ do_handle_delete(inodev, ino, dev);
87897+ write_unlock(&gr_inode_lock);
87898+
87899+ return;
87900+}
87901+
87902+static void
87903+update_acl_obj_label(const u64 oldinode, const dev_t olddevice,
87904+ const u64 newinode, const dev_t newdevice,
87905+ struct acl_subject_label *subj)
87906+{
87907+ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size);
87908+ struct acl_object_label *match;
87909+
87910+ match = subj->obj_hash[index];
87911+
87912+ while (match && (match->inode != oldinode ||
87913+ match->device != olddevice ||
87914+ !(match->mode & GR_DELETED)))
87915+ match = match->next;
87916+
87917+ if (match && (match->inode == oldinode)
87918+ && (match->device == olddevice)
87919+ && (match->mode & GR_DELETED)) {
87920+ if (match->prev == NULL) {
87921+ subj->obj_hash[index] = match->next;
87922+ if (match->next != NULL)
87923+ match->next->prev = NULL;
87924+ } else {
87925+ match->prev->next = match->next;
87926+ if (match->next != NULL)
87927+ match->next->prev = match->prev;
87928+ }
87929+ match->prev = NULL;
87930+ match->next = NULL;
87931+ match->inode = newinode;
87932+ match->device = newdevice;
87933+ match->mode &= ~GR_DELETED;
87934+
87935+ insert_acl_obj_label(match, subj);
87936+ }
87937+
87938+ return;
87939+}
87940+
87941+static void
87942+update_acl_subj_label(const u64 oldinode, const dev_t olddevice,
87943+ const u64 newinode, const dev_t newdevice,
87944+ struct acl_role_label *role)
87945+{
87946+ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size);
87947+ struct acl_subject_label *match;
87948+
87949+ match = role->subj_hash[index];
87950+
87951+ while (match && (match->inode != oldinode ||
87952+ match->device != olddevice ||
87953+ !(match->mode & GR_DELETED)))
87954+ match = match->next;
87955+
87956+ if (match && (match->inode == oldinode)
87957+ && (match->device == olddevice)
87958+ && (match->mode & GR_DELETED)) {
87959+ if (match->prev == NULL) {
87960+ role->subj_hash[index] = match->next;
87961+ if (match->next != NULL)
87962+ match->next->prev = NULL;
87963+ } else {
87964+ match->prev->next = match->next;
87965+ if (match->next != NULL)
87966+ match->next->prev = match->prev;
87967+ }
87968+ match->prev = NULL;
87969+ match->next = NULL;
87970+ match->inode = newinode;
87971+ match->device = newdevice;
87972+ match->mode &= ~GR_DELETED;
87973+
87974+ insert_acl_subj_label(match, role);
87975+ }
87976+
87977+ return;
87978+}
87979+
87980+static void
87981+update_inodev_entry(const u64 oldinode, const dev_t olddevice,
87982+ const u64 newinode, const dev_t newdevice)
87983+{
87984+ unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size);
87985+ struct inodev_entry *match;
87986+
87987+ match = running_polstate.inodev_set.i_hash[index];
87988+
87989+ while (match && (match->nentry->inode != oldinode ||
87990+ match->nentry->device != olddevice || !match->nentry->deleted))
87991+ match = match->next;
87992+
87993+ if (match && (match->nentry->inode == oldinode)
87994+ && (match->nentry->device == olddevice) &&
87995+ match->nentry->deleted) {
87996+ if (match->prev == NULL) {
87997+ running_polstate.inodev_set.i_hash[index] = match->next;
87998+ if (match->next != NULL)
87999+ match->next->prev = NULL;
88000+ } else {
88001+ match->prev->next = match->next;
88002+ if (match->next != NULL)
88003+ match->next->prev = match->prev;
88004+ }
88005+ match->prev = NULL;
88006+ match->next = NULL;
88007+ match->nentry->inode = newinode;
88008+ match->nentry->device = newdevice;
88009+ match->nentry->deleted = 0;
88010+
88011+ insert_inodev_entry(match);
88012+ }
88013+
88014+ return;
88015+}
88016+
88017+static void
88018+__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev)
88019+{
88020+ struct acl_subject_label *subj;
88021+ struct acl_role_label *role;
88022+ unsigned int x;
88023+
88024+ FOR_EACH_ROLE_START(role)
88025+ update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
88026+
88027+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
88028+ if ((subj->inode == ino) && (subj->device == dev)) {
88029+ subj->inode = ino;
88030+ subj->device = dev;
88031+ }
88032+ /* nested subjects aren't in the role's subj_hash table */
88033+ update_acl_obj_label(matchn->inode, matchn->device,
88034+ ino, dev, subj);
88035+ FOR_EACH_NESTED_SUBJECT_END(subj)
88036+ FOR_EACH_SUBJECT_START(role, subj, x)
88037+ update_acl_obj_label(matchn->inode, matchn->device,
88038+ ino, dev, subj);
88039+ FOR_EACH_SUBJECT_END(subj,x)
88040+ FOR_EACH_ROLE_END(role)
88041+
88042+ update_inodev_entry(matchn->inode, matchn->device, ino, dev);
88043+
88044+ return;
88045+}
88046+
88047+static void
88048+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
88049+ const struct vfsmount *mnt)
88050+{
88051+ u64 ino = __get_ino(dentry);
88052+ dev_t dev = __get_dev(dentry);
88053+
88054+ __do_handle_create(matchn, ino, dev);
88055+
88056+ return;
88057+}
88058+
88059+void
88060+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
88061+{
88062+ struct name_entry *matchn;
88063+
88064+ if (unlikely(!(gr_status & GR_READY)))
88065+ return;
88066+
88067+ preempt_disable();
88068+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
88069+
88070+ if (unlikely((unsigned long)matchn)) {
88071+ write_lock(&gr_inode_lock);
88072+ do_handle_create(matchn, dentry, mnt);
88073+ write_unlock(&gr_inode_lock);
88074+ }
88075+ preempt_enable();
88076+
88077+ return;
88078+}
88079+
88080+void
88081+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
88082+{
88083+ struct name_entry *matchn;
88084+
88085+ if (unlikely(!(gr_status & GR_READY)))
88086+ return;
88087+
88088+ preempt_disable();
88089+ matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
88090+
88091+ if (unlikely((unsigned long)matchn)) {
88092+ write_lock(&gr_inode_lock);
88093+ __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
88094+ write_unlock(&gr_inode_lock);
88095+ }
88096+ preempt_enable();
88097+
88098+ return;
88099+}
88100+
88101+void
88102+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
88103+ struct dentry *old_dentry,
88104+ struct dentry *new_dentry,
88105+ struct vfsmount *mnt, const __u8 replace, unsigned int flags)
88106+{
88107+ struct name_entry *matchn;
88108+ struct name_entry *matchn2 = NULL;
88109+ struct inodev_entry *inodev;
88110+ struct inode *inode = d_backing_inode(new_dentry);
88111+ struct inode *old_inode = d_backing_inode(old_dentry);
88112+ u64 old_ino = __get_ino(old_dentry);
88113+ dev_t old_dev = __get_dev(old_dentry);
88114+ unsigned int exchange = flags & RENAME_EXCHANGE;
88115+
88116+ /* vfs_rename swaps the name and parent link for old_dentry and
88117+ new_dentry
88118+ at this point, old_dentry has the new name, parent link, and inode
88119+ for the renamed file
88120+ if a file is being replaced by a rename, new_dentry has the inode
88121+ and name for the replaced file
88122+ */
88123+
88124+ if (unlikely(!(gr_status & GR_READY)))
88125+ return;
88126+
88127+ preempt_disable();
88128+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
88129+
88130+ /* exchange cases:
88131+ a filename exists for the source, but not dest
88132+ do a recreate on source
88133+ a filename exists for the dest, but not source
88134+ do a recreate on dest
88135+ a filename exists for both source and dest
88136+ delete source and dest, then create source and dest
88137+ a filename exists for neither source nor dest
88138+ no updates needed
88139+
88140+ the name entry lookups get us the old inode/dev associated with
88141+ each name, so do the deletes first (if possible) so that when
88142+ we do the create, we pick up on the right entries
88143+ */
88144+
88145+ if (exchange)
88146+ matchn2 = lookup_name_entry(gr_to_filename_rbac(new_dentry, mnt));
88147+
88148+ /* we wouldn't have to check d_inode if it weren't for
88149+ NFS silly-renaming
88150+ */
88151+
88152+ write_lock(&gr_inode_lock);
88153+ if (unlikely((replace || exchange) && inode)) {
88154+ u64 new_ino = __get_ino(new_dentry);
88155+ dev_t new_dev = __get_dev(new_dentry);
88156+
88157+ inodev = lookup_inodev_entry(new_ino, new_dev);
88158+ if (inodev != NULL && ((inode->i_nlink <= 1) || d_is_dir(new_dentry)))
88159+ do_handle_delete(inodev, new_ino, new_dev);
88160+ }
88161+
88162+ inodev = lookup_inodev_entry(old_ino, old_dev);
88163+ if (inodev != NULL && ((old_inode->i_nlink <= 1) || d_is_dir(old_dentry)))
88164+ do_handle_delete(inodev, old_ino, old_dev);
88165+
88166+ if (unlikely(matchn != NULL))
88167+ do_handle_create(matchn, old_dentry, mnt);
88168+
88169+ if (unlikely(matchn2 != NULL))
88170+ do_handle_create(matchn2, new_dentry, mnt);
88171+
88172+ write_unlock(&gr_inode_lock);
88173+ preempt_enable();
88174+
88175+ return;
88176+}
88177+
88178+#if defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC)
88179+static const unsigned long res_learn_bumps[GR_NLIMITS] = {
88180+ [RLIMIT_CPU] = GR_RLIM_CPU_BUMP,
88181+ [RLIMIT_FSIZE] = GR_RLIM_FSIZE_BUMP,
88182+ [RLIMIT_DATA] = GR_RLIM_DATA_BUMP,
88183+ [RLIMIT_STACK] = GR_RLIM_STACK_BUMP,
88184+ [RLIMIT_CORE] = GR_RLIM_CORE_BUMP,
88185+ [RLIMIT_RSS] = GR_RLIM_RSS_BUMP,
88186+ [RLIMIT_NPROC] = GR_RLIM_NPROC_BUMP,
88187+ [RLIMIT_NOFILE] = GR_RLIM_NOFILE_BUMP,
88188+ [RLIMIT_MEMLOCK] = GR_RLIM_MEMLOCK_BUMP,
88189+ [RLIMIT_AS] = GR_RLIM_AS_BUMP,
88190+ [RLIMIT_LOCKS] = GR_RLIM_LOCKS_BUMP,
88191+ [RLIMIT_SIGPENDING] = GR_RLIM_SIGPENDING_BUMP,
88192+ [RLIMIT_MSGQUEUE] = GR_RLIM_MSGQUEUE_BUMP,
88193+ [RLIMIT_NICE] = GR_RLIM_NICE_BUMP,
88194+ [RLIMIT_RTPRIO] = GR_RLIM_RTPRIO_BUMP,
88195+ [RLIMIT_RTTIME] = GR_RLIM_RTTIME_BUMP
88196+};
88197+
88198+void
88199+gr_learn_resource(const struct task_struct *task,
88200+ const int res, const unsigned long wanted, const int gt)
88201+{
88202+ struct acl_subject_label *acl;
88203+ const struct cred *cred;
88204+
88205+ if (unlikely((gr_status & GR_READY) &&
88206+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
88207+ goto skip_reslog;
88208+
88209+ gr_log_resource(task, res, wanted, gt);
88210+skip_reslog:
88211+
88212+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
88213+ return;
88214+
88215+ acl = task->acl;
88216+
88217+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
88218+ !(acl->resmask & (1U << (unsigned short) res))))
88219+ return;
88220+
88221+ if (wanted >= acl->res[res].rlim_cur) {
88222+ unsigned long res_add;
88223+
88224+ res_add = wanted + res_learn_bumps[res];
88225+
88226+ acl->res[res].rlim_cur = res_add;
88227+
88228+ if (wanted > acl->res[res].rlim_max)
88229+ acl->res[res].rlim_max = res_add;
88230+
88231+ /* only log the subject filename, since resource logging is supported for
88232+ single-subject learning only */
88233+ rcu_read_lock();
88234+ cred = __task_cred(task);
88235+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
88236+ task->role->roletype, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), acl->filename,
88237+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
88238+ "", (unsigned long) res, &task->signal->saved_ip);
88239+ rcu_read_unlock();
88240+ }
88241+
88242+ return;
88243+}
88244+EXPORT_SYMBOL_GPL(gr_learn_resource);
88245+#endif
88246+
88247+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
88248+void
88249+pax_set_initial_flags(struct linux_binprm *bprm)
88250+{
88251+ struct task_struct *task = current;
88252+ struct acl_subject_label *proc;
88253+ unsigned long flags;
88254+
88255+ if (unlikely(!(gr_status & GR_READY)))
88256+ return;
88257+
88258+ flags = pax_get_flags(task);
88259+
88260+ proc = task->acl;
88261+
88262+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
88263+ flags &= ~MF_PAX_PAGEEXEC;
88264+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
88265+ flags &= ~MF_PAX_SEGMEXEC;
88266+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
88267+ flags &= ~MF_PAX_RANDMMAP;
88268+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
88269+ flags &= ~MF_PAX_EMUTRAMP;
88270+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
88271+ flags &= ~MF_PAX_MPROTECT;
88272+
88273+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
88274+ flags |= MF_PAX_PAGEEXEC;
88275+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
88276+ flags |= MF_PAX_SEGMEXEC;
88277+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
88278+ flags |= MF_PAX_RANDMMAP;
88279+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
88280+ flags |= MF_PAX_EMUTRAMP;
88281+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
88282+ flags |= MF_PAX_MPROTECT;
88283+
88284+ pax_set_flags(task, flags);
88285+
88286+ return;
88287+}
88288+#endif
88289+
88290+int
88291+gr_handle_proc_ptrace(struct task_struct *task)
88292+{
88293+ struct file *filp;
88294+ struct task_struct *tmp = task;
88295+ struct task_struct *curtemp = current;
88296+ __u32 retmode;
88297+
88298+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
88299+ if (unlikely(!(gr_status & GR_READY)))
88300+ return 0;
88301+#endif
88302+
88303+ read_lock(&tasklist_lock);
88304+ read_lock(&grsec_exec_file_lock);
88305+ filp = task->exec_file;
88306+
88307+ while (task_pid_nr(tmp) > 0) {
88308+ if (tmp == curtemp)
88309+ break;
88310+ tmp = tmp->real_parent;
88311+ }
88312+
88313+ if (!filp || (task_pid_nr(tmp) == 0 && ((grsec_enable_harden_ptrace && gr_is_global_nonroot(current_uid()) && !(gr_status & GR_READY)) ||
88314+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
88315+ read_unlock(&grsec_exec_file_lock);
88316+ read_unlock(&tasklist_lock);
88317+ return 1;
88318+ }
88319+
88320+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
88321+ if (!(gr_status & GR_READY)) {
88322+ read_unlock(&grsec_exec_file_lock);
88323+ read_unlock(&tasklist_lock);
88324+ return 0;
88325+ }
88326+#endif
88327+
88328+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
88329+ read_unlock(&grsec_exec_file_lock);
88330+ read_unlock(&tasklist_lock);
88331+
88332+ if (retmode & GR_NOPTRACE)
88333+ return 1;
88334+
88335+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
88336+ && (current->acl != task->acl || (current->acl != current->role->root_label
88337+ && task_pid_nr(current) != task_pid_nr(task))))
88338+ return 1;
88339+
88340+ return 0;
88341+}
88342+
88343+void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
88344+{
88345+ if (unlikely(!(gr_status & GR_READY)))
88346+ return;
88347+
88348+ if (!(current->role->roletype & GR_ROLE_GOD))
88349+ return;
88350+
88351+ seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
88352+ p->role->rolename, gr_task_roletype_to_char(p),
88353+ p->acl->filename);
88354+}
88355+
88356+int
88357+gr_handle_ptrace(struct task_struct *task, const long request)
88358+{
88359+ struct task_struct *tmp = task;
88360+ struct task_struct *curtemp = current;
88361+ __u32 retmode;
88362+
88363+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
88364+ if (unlikely(!(gr_status & GR_READY)))
88365+ return 0;
88366+#endif
88367+ if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
88368+ read_lock(&tasklist_lock);
88369+ while (task_pid_nr(tmp) > 0) {
88370+ if (tmp == curtemp)
88371+ break;
88372+ tmp = tmp->real_parent;
88373+ }
88374+
88375+ if (task_pid_nr(tmp) == 0 && ((grsec_enable_harden_ptrace && gr_is_global_nonroot(current_uid()) && !(gr_status & GR_READY)) ||
88376+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
88377+ read_unlock(&tasklist_lock);
88378+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
88379+ return 1;
88380+ }
88381+ read_unlock(&tasklist_lock);
88382+ }
88383+
88384+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
88385+ if (!(gr_status & GR_READY))
88386+ return 0;
88387+#endif
88388+
88389+ read_lock(&grsec_exec_file_lock);
88390+ if (unlikely(!task->exec_file)) {
88391+ read_unlock(&grsec_exec_file_lock);
88392+ return 0;
88393+ }
88394+
88395+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
88396+ read_unlock(&grsec_exec_file_lock);
88397+
88398+ if (retmode & GR_NOPTRACE) {
88399+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
88400+ return 1;
88401+ }
88402+
88403+ if (retmode & GR_PTRACERD) {
88404+ switch (request) {
88405+ case PTRACE_SEIZE:
88406+ case PTRACE_POKETEXT:
88407+ case PTRACE_POKEDATA:
88408+ case PTRACE_POKEUSR:
88409+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
88410+ case PTRACE_SETREGS:
88411+ case PTRACE_SETFPREGS:
88412+#endif
88413+#ifdef CONFIG_X86
88414+ case PTRACE_SETFPXREGS:
88415+#endif
88416+#ifdef CONFIG_ALTIVEC
88417+ case PTRACE_SETVRREGS:
88418+#endif
88419+ return 1;
88420+ default:
88421+ return 0;
88422+ }
88423+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
88424+ !(current->role->roletype & GR_ROLE_GOD) &&
88425+ (current->acl != task->acl)) {
88426+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
88427+ return 1;
88428+ }
88429+
88430+ return 0;
88431+}
88432+
88433+static int is_writable_mmap(const struct file *filp)
88434+{
88435+ struct task_struct *task = current;
88436+ struct acl_object_label *obj, *obj2;
88437+ struct dentry *dentry = filp->f_path.dentry;
88438+ struct vfsmount *mnt = filp->f_path.mnt;
88439+ struct inode *inode = d_backing_inode(dentry);
88440+
88441+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
88442+ !task->is_writable && d_is_reg(dentry) && (mnt != shm_mnt || (inode->i_nlink > 0))) {
88443+ obj = chk_obj_label(dentry, mnt, running_polstate.default_role->root_label);
88444+ obj2 = chk_obj_label(dentry, mnt, task->role->root_label);
88445+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
88446+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, dentry, mnt);
88447+ return 1;
88448+ }
88449+ }
88450+ return 0;
88451+}
88452+
88453+int
88454+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
88455+{
88456+ __u32 mode;
88457+
88458+ if (unlikely(!file || !(prot & PROT_EXEC)))
88459+ return 1;
88460+
88461+ if (is_writable_mmap(file))
88462+ return 0;
88463+
88464+ mode =
88465+ gr_search_file(file->f_path.dentry,
88466+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
88467+ file->f_path.mnt);
88468+
88469+ if (!gr_tpe_allow(file))
88470+ return 0;
88471+
88472+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
88473+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
88474+ return 0;
88475+ } else if (unlikely(!(mode & GR_EXEC))) {
88476+ return 0;
88477+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
88478+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
88479+ return 1;
88480+ }
88481+
88482+ return 1;
88483+}
88484+
88485+int
88486+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
88487+{
88488+ __u32 mode;
88489+
88490+ if (unlikely(!file || !(prot & PROT_EXEC)))
88491+ return 1;
88492+
88493+ if (is_writable_mmap(file))
88494+ return 0;
88495+
88496+ mode =
88497+ gr_search_file(file->f_path.dentry,
88498+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
88499+ file->f_path.mnt);
88500+
88501+ if (!gr_tpe_allow(file))
88502+ return 0;
88503+
88504+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
88505+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
88506+ return 0;
88507+ } else if (unlikely(!(mode & GR_EXEC))) {
88508+ return 0;
88509+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
88510+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
88511+ return 1;
88512+ }
88513+
88514+ return 1;
88515+}
88516+
88517+void
88518+gr_acl_handle_psacct(struct task_struct *task, const long code)
88519+{
88520+ unsigned long runtime, cputime;
88521+ cputime_t utime, stime;
88522+ unsigned int wday, cday;
88523+ __u8 whr, chr;
88524+ __u8 wmin, cmin;
88525+ __u8 wsec, csec;
88526+ struct timespec curtime, starttime;
88527+
88528+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
88529+ !(task->acl->mode & GR_PROCACCT)))
88530+ return;
88531+
88532+ curtime = ns_to_timespec(ktime_get_ns());
88533+ starttime = ns_to_timespec(task->start_time);
88534+ runtime = curtime.tv_sec - starttime.tv_sec;
88535+ wday = runtime / (60 * 60 * 24);
88536+ runtime -= wday * (60 * 60 * 24);
88537+ whr = runtime / (60 * 60);
88538+ runtime -= whr * (60 * 60);
88539+ wmin = runtime / 60;
88540+ runtime -= wmin * 60;
88541+ wsec = runtime;
88542+
88543+ task_cputime(task, &utime, &stime);
88544+ cputime = cputime_to_secs(utime + stime);
88545+ cday = cputime / (60 * 60 * 24);
88546+ cputime -= cday * (60 * 60 * 24);
88547+ chr = cputime / (60 * 60);
88548+ cputime -= chr * (60 * 60);
88549+ cmin = cputime / 60;
88550+ cputime -= cmin * 60;
88551+ csec = cputime;
88552+
88553+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
88554+
88555+ return;
88556+}
88557+
88558+#ifdef CONFIG_TASKSTATS
88559+int gr_is_taskstats_denied(int pid)
88560+{
88561+ struct task_struct *task;
88562+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
88563+ const struct cred *cred;
88564+#endif
88565+ int ret = 0;
88566+
88567+ /* restrict taskstats viewing to un-chrooted root users
88568+ who have the 'view' subject flag if the RBAC system is enabled
88569+ */
88570+
88571+ rcu_read_lock();
88572+ read_lock(&tasklist_lock);
88573+ task = find_task_by_vpid(pid);
88574+ if (task) {
88575+#ifdef CONFIG_GRKERNSEC_CHROOT
88576+ if (proc_is_chrooted(task))
88577+ ret = -EACCES;
88578+#endif
88579+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
88580+ cred = __task_cred(task);
88581+#ifdef CONFIG_GRKERNSEC_PROC_USER
88582+ if (gr_is_global_nonroot(cred->uid))
88583+ ret = -EACCES;
88584+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
88585+ if (gr_is_global_nonroot(cred->uid) && !groups_search(cred->group_info, grsec_proc_gid))
88586+ ret = -EACCES;
88587+#endif
88588+#endif
88589+ if (gr_status & GR_READY) {
88590+ if (!(task->acl->mode & GR_VIEW))
88591+ ret = -EACCES;
88592+ }
88593+ } else
88594+ ret = -ENOENT;
88595+
88596+ read_unlock(&tasklist_lock);
88597+ rcu_read_unlock();
88598+
88599+ return ret;
88600+}
88601+#endif
88602+
88603+/* AUXV entries are filled via a descendant of search_binary_handler
88604+ after we've already applied the subject for the target
88605+*/
88606+int gr_acl_enable_at_secure(void)
88607+{
88608+ if (unlikely(!(gr_status & GR_READY)))
88609+ return 0;
88610+
88611+ if (current->acl->mode & GR_ATSECURE)
88612+ return 1;
88613+
88614+ return 0;
88615+}
88616+
88617+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino)
88618+{
88619+ struct task_struct *task = current;
88620+ struct dentry *dentry = file->f_path.dentry;
88621+ struct vfsmount *mnt = file->f_path.mnt;
88622+ struct acl_object_label *obj, *tmp;
88623+ struct acl_subject_label *subj;
88624+ unsigned int bufsize;
88625+ int is_not_root;
88626+ char *path;
88627+ dev_t dev = __get_dev(dentry);
88628+
88629+ if (unlikely(!(gr_status & GR_READY)))
88630+ return 1;
88631+
88632+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
88633+ return 1;
88634+
88635+ /* ignore Eric Biederman */
88636+ if (IS_PRIVATE(d_backing_inode(dentry)))
88637+ return 1;
88638+
88639+ subj = task->acl;
88640+ read_lock(&gr_inode_lock);
88641+ do {
88642+ obj = lookup_acl_obj_label(ino, dev, subj);
88643+ if (obj != NULL) {
88644+ read_unlock(&gr_inode_lock);
88645+ return (obj->mode & GR_FIND) ? 1 : 0;
88646+ }
88647+ } while ((subj = subj->parent_subject));
88648+ read_unlock(&gr_inode_lock);
88649+
88650+ /* this is purely an optimization since we're looking for an object
88651+ for the directory we're doing a readdir on
88652+ if it's possible for any globbed object to match the entry we're
88653+ filling into the directory, then the object we find here will be
88654+ an anchor point with attached globbed objects
88655+ */
88656+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
88657+ if (obj->globbed == NULL)
88658+ return (obj->mode & GR_FIND) ? 1 : 0;
88659+
88660+ is_not_root = ((obj->filename[0] == '/') &&
88661+ (obj->filename[1] == '\0')) ? 0 : 1;
88662+ bufsize = PAGE_SIZE - namelen - is_not_root;
88663+
88664+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
88665+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
88666+ return 1;
88667+
88668+ preempt_disable();
88669+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
88670+ bufsize);
88671+
88672+ bufsize = strlen(path);
88673+
88674+ /* if base is "/", don't append an additional slash */
88675+ if (is_not_root)
88676+ *(path + bufsize) = '/';
88677+ memcpy(path + bufsize + is_not_root, name, namelen);
88678+ *(path + bufsize + namelen + is_not_root) = '\0';
88679+
88680+ tmp = obj->globbed;
88681+ while (tmp) {
88682+ if (!glob_match(tmp->filename, path)) {
88683+ preempt_enable();
88684+ return (tmp->mode & GR_FIND) ? 1 : 0;
88685+ }
88686+ tmp = tmp->next;
88687+ }
88688+ preempt_enable();
88689+ return (obj->mode & GR_FIND) ? 1 : 0;
88690+}
88691+
88692+void gr_put_exec_file(struct task_struct *task)
88693+{
88694+ struct file *filp;
88695+
88696+ write_lock(&grsec_exec_file_lock);
88697+ filp = task->exec_file;
88698+ task->exec_file = NULL;
88699+ write_unlock(&grsec_exec_file_lock);
88700+
88701+ if (filp)
88702+ fput(filp);
88703+
88704+ return;
88705+}
88706+
88707+
88708+#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
88709+EXPORT_SYMBOL_GPL(gr_acl_is_enabled);
88710+#endif
88711+#ifdef CONFIG_SECURITY
88712+EXPORT_SYMBOL_GPL(gr_check_user_change);
88713+EXPORT_SYMBOL_GPL(gr_check_group_change);
88714+#endif
88715+
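diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c
new file mode 100644
index 0000000..9adc75c
--- /dev/null
+++ b/grsecurity/gracl_alloc.c
@@ -0,0 +1,105 @@
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/slab.h>
+#include <linux/vmalloc.h>
+#include <linux/gracl.h>
+#include <linux/grsecurity.h>
+
+static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL };
+struct gr_alloc_state *current_alloc_state = &__current_alloc_state;
+
+static int
+alloc_pop(void)
+{
+ if (current_alloc_state->alloc_stack_next == 1)
+ return 0;
+
+ kfree(current_alloc_state->alloc_stack[current_alloc_state->alloc_stack_next - 2]);
+
+ current_alloc_state->alloc_stack_next--;
+
+ return 1;
+}
+
+static int
+alloc_push(void *buf)
+{
+ if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size)
+ return 1;
+
+ current_alloc_state->alloc_stack[current_alloc_state->alloc_stack_next - 1] = buf;
+
+ current_alloc_state->alloc_stack_next++;
+
+ return 0;
+}
+
+void *
+acl_alloc(unsigned long len)
+{
+ void *ret = NULL;
+
+ if (!len || len > PAGE_SIZE)
+ goto out;
+
+ ret = kmalloc(len, GFP_KERNEL);
+
+ if (ret) {
+ if (alloc_push(ret)) {
+ kfree(ret);
+ ret = NULL;
+ }
+ }
+
+out:
+ return ret;
+}
+
+void *
+acl_alloc_num(unsigned long num, unsigned long len)
+{
+ if (!len || (num > (PAGE_SIZE / len)))
+ return NULL;
+
+ return acl_alloc(num * len);
+}
+
+void
+acl_free_all(void)
+{
+ if (!current_alloc_state->alloc_stack)
+ return;
+
+ while (alloc_pop()) ;
+
+ if (current_alloc_state->alloc_stack) {
+ if ((current_alloc_state->alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
+ kfree(current_alloc_state->alloc_stack);
+ else
+ vfree(current_alloc_state->alloc_stack);
+ }
+
+ current_alloc_state->alloc_stack = NULL;
+ current_alloc_state->alloc_stack_size = 1;
+ current_alloc_state->alloc_stack_next = 1;
+
+ return;
+}
+
+int
+acl_alloc_stack_init(unsigned long size)
+{
+ if ((size * sizeof (void *)) <= PAGE_SIZE)
+ current_alloc_state->alloc_stack =
+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
+ else
+ current_alloc_state->alloc_stack = (void **) vmalloc(size * sizeof (void *));
+
+ current_alloc_state->alloc_stack_size = size;
+ current_alloc_state->alloc_stack_next = 1;
+
+ if (!current_alloc_state->alloc_stack)
+ return 0;
+ else
+ return 1;
+}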
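Review bot: `acl_alloc_stack_init()` multiplies `size * sizeof (void *)` with no overflow check and then records `alloc_stack_size = size` whatever was actually allocated. If the product wraps to a value at or below PAGE_SIZE, kmalloc() returns a short array while `alloc_push()` still accepts slots up to `size`, so later pushes would write past the allocation; whether any caller can pass such a size is not visible in this hunk. A guard at the top, `if (size > ULONG_MAX / sizeof (void *)) return 0;`, closes that. The `alloc_stack_size`/`alloc_stack_next` assignments should also move below the NULL check, so a failed allocation does not leave a NULL `alloc_stack` with a large `alloc_stack_size` for `alloc_push()` to index.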
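diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c
new file mode 100644
index 0000000..1a94c11
--- /dev/null
+++ b/grsecurity/gracl_cap.c
@@ -0,0 +1,127 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+extern const char *captab_log[];
+extern int captab_log_entries;
+
+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
+{
+ struct acl_subject_label *curracl;
+
+ if (!gr_acl_is_enabled())
+ return 1;
+
+ curracl = task->acl;
+
+ if (curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
+ task->role->roletype, GR_GLOBAL_UID(cred->uid),
+ GR_GLOBAL_GID(cred->gid), task->exec_file ?
+ gr_to_filename(task->exec_file->f_path.dentry,
+ task->exec_file->f_path.mnt) : curracl->filename,
+ curracl->filename, 0UL,
+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
+ return 1;
+ }
+
+ return 0;
+}
+
+int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
+{
+ struct acl_subject_label *curracl;
+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
+ kernel_cap_t cap_audit = __cap_empty_set;
+
+ if (!gr_acl_is_enabled())
+ return 1;
+
+ curracl = task->acl;
+
+ cap_drop = curracl->cap_lower;
+ cap_mask = curracl->cap_mask;
+ cap_audit = curracl->cap_invert_audit;
+
+ while ((curracl = curracl->parent_subject)) {
+ /* if the cap isn't specified in the current computed mask but is specified in the
+ current level subject, and is lowered in the current level subject, then add
+ it to the set of dropped capabilities
+ otherwise, add the current level subject's mask to the current computed mask
+ */
+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
+ cap_raise(cap_mask, cap);
+ if (cap_raised(curracl->cap_lower, cap))
+ cap_raise(cap_drop, cap);
+ if (cap_raised(curracl->cap_invert_audit, cap))
+ cap_raise(cap_audit, cap);
+ }
+ }
+
+ if (!cap_raised(cap_drop, cap)) {
+ if (cap_raised(cap_audit, cap))
+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
+ return 1;
+ }
+
+ /* only learn the capability use if the process has the capability in the
+ general case, the two uses in sys.c of gr_learn_cap are an exception
+ to this rule to ensure any role transition involves what the full-learned
+ policy believes in a privileged process
+ */
+ if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap))
+ return 1;
+
+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
+
+ return 0;
+}
+
+int
+gr_acl_is_capable(const int cap)
+{
+ return gr_task_acl_is_capable(current, current_cred(), cap);
+}
+
+int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap)
+{
+ struct acl_subject_label *curracl;
+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
+
+ if (!gr_acl_is_enabled())
+ return 1;
+
+ curracl = task->acl;
+
+ cap_drop = curracl->cap_lower;
+ cap_mask = curracl->cap_mask;
+
+ while ((curracl = curracl->parent_subject)) {
+ /* if the cap isn't specified in the current computed mask but is specified in the
+ current level subject, and is lowered in the current level subject, then add
+ it to the set of dropped capabilities
+ otherwise, add the current level subject's mask to the current computed mask
+ */
+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
+ cap_raise(cap_mask, cap);
+ if (cap_raised(curracl->cap_lower, cap))
+ cap_raise(cap_drop, cap);
+ }
+ }
+
+ if (!cap_raised(cap_drop, cap))
+ return 1;
+
+ return 0;
+}
+
+int
+gr_acl_is_capable_nolog(const int cap)
+{
+ return gr_task_acl_is_capable_nolog(current, cap);
+}
+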
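Review bot: In `gr_task_acl_is_capable()` the audit branch calls `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap])` without the `(cap >= 0) && (cap < captab_log_entries)` range check that the denial branch further down applies before indexing the same table. If `captab_log` has fewer entries than the kernel has capabilities, the audit path reads past the end of the array and hands that pointer to the logger. I would apply the same guard there, e.g. `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)`. `captab_log` is only declared `extern` here, so its real length is not visible in this hunk.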
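diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
new file mode 100644
index 0000000..a43dd06
--- /dev/null
+++ b/grsecurity/gracl_compat.c
@@ -0,0 +1,269 @@
+#include <linux/kernel.h>
+#include <linux/gracl.h>
+#include <linux/compat.h>
+#include <linux/gracl_compat.h>
+
+#include <asm/uaccess.h>
+
+int copy_gr_arg_wrapper_compat(const char *buf, struct gr_arg_wrapper *uwrap)
+{
+ struct gr_arg_wrapper_compat uwrapcompat;
+
+ if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat)))
+ return -EFAULT;
+
+ if ((uwrapcompat.version != GRSECURITY_VERSION) ||
+ (uwrapcompat.size != sizeof(struct gr_arg_compat)))
+ return -EINVAL;
+
+ uwrap->arg = compat_ptr(uwrapcompat.arg);
+ uwrap->version = uwrapcompat.version;
+ uwrap->size = sizeof(struct gr_arg);
+
+ return 0;
+}
+
+int copy_gr_arg_compat(const struct gr_arg __user *buf, struct gr_arg *arg)
+{
+ struct gr_arg_compat argcompat;
+
+ if (copy_from_user(&argcompat, buf, sizeof(argcompat)))
+ return -EFAULT;
+
+ arg->role_db.r_table = compat_ptr(argcompat.role_db.r_table);
+ arg->role_db.num_pointers = argcompat.role_db.num_pointers;
+ arg->role_db.num_roles = argcompat.role_db.num_roles;
+ arg->role_db.num_domain_children = argcompat.role_db.num_domain_children;
+ arg->role_db.num_subjects = argcompat.role_db.num_subjects;
+ arg->role_db.num_objects = argcompat.role_db.num_objects;
+
+ memcpy(&arg->pw, &argcompat.pw, sizeof(arg->pw));
+ memcpy(&arg->salt, &argcompat.salt, sizeof(arg->salt));
+ memcpy(&arg->sum, &argcompat.sum, sizeof(arg->sum));
+ memcpy(&arg->sp_role, &argcompat.sp_role, sizeof(arg->sp_role));
+ arg->sprole_pws = compat_ptr(argcompat.sprole_pws);
+ arg->segv_device = argcompat.segv_device;
+ arg->segv_inode = argcompat.segv_inode;
+ arg->segv_uid = argcompat.segv_uid;
+ arg->num_sprole_pws = argcompat.num_sprole_pws;
+ arg->mode = argcompat.mode;
+
+ return 0;
+}
+
+int copy_acl_object_label_compat(struct acl_object_label *obj, const struct acl_object_label *userp)
+{
+ struct acl_object_label_compat objcompat;
+
+ if (copy_from_user(&objcompat, userp, sizeof(objcompat)))
+ return -EFAULT;
+
+ obj->filename = compat_ptr(objcompat.filename);
+ obj->inode = objcompat.inode;
+ obj->device = objcompat.device;
+ obj->mode = objcompat.mode;
+
+ obj->nested = compat_ptr(objcompat.nested);
+ obj->globbed = compat_ptr(objcompat.globbed);
+
+ obj->prev = compat_ptr(objcompat.prev);
+ obj->next = compat_ptr(objcompat.next);
+
+ return 0;
+}
+
+int copy_acl_subject_label_compat(struct acl_subject_label *subj, const struct acl_subject_label *userp)
+{
+ unsigned int i;
+ struct acl_subject_label_compat subjcompat;
+
+ if (copy_from_user(&subjcompat, userp, sizeof(subjcompat)))
+ return -EFAULT;
+
+ subj->filename = compat_ptr(subjcompat.filename);
+ subj->inode = subjcompat.inode;
+ subj->device = subjcompat.device;
+ subj->mode = subjcompat.mode;
+ subj->cap_mask = subjcompat.cap_mask;
+ subj->cap_lower = subjcompat.cap_lower;
+ subj->cap_invert_audit = subjcompat.cap_invert_audit;
+
+ for (i = 0; i < GR_NLIMITS; i++) {
+ if (subjcompat.res[i].rlim_cur == COMPAT_RLIM_INFINITY)
+ subj->res[i].rlim_cur = RLIM_INFINITY;
+ else
+ subj->res[i].rlim_cur = subjcompat.res[i].rlim_cur;
+ if (subjcompat.res[i].rlim_max == COMPAT_RLIM_INFINITY)
+ subj->res[i].rlim_max = RLIM_INFINITY;
+ else
+ subj->res[i].rlim_max = subjcompat.res[i].rlim_max;
+ }
+ subj->resmask = subjcompat.resmask;
+
+ subj->user_trans_type = subjcompat.user_trans_type;
+ subj->group_trans_type = subjcompat.group_trans_type;
+ subj->user_transitions = compat_ptr(subjcompat.user_transitions);
+ subj->group_transitions = compat_ptr(subjcompat.group_transitions);
+ subj->user_trans_num = subjcompat.user_trans_num;
+ subj->group_trans_num = subjcompat.group_trans_num;
+
+ memcpy(&subj->sock_families, &subjcompat.sock_families, sizeof(subj->sock_families));
+ memcpy(&subj->ip_proto, &subjcompat.ip_proto, sizeof(subj->ip_proto));
+ subj->ip_type = subjcompat.ip_type;
+ subj->ips = compat_ptr(subjcompat.ips);
+ subj->ip_num = subjcompat.ip_num;
+ subj->inaddr_any_override = subjcompat.inaddr_any_override;
+
+ subj->crashes = subjcompat.crashes;
+ subj->expires = subjcompat.expires;
+
+ subj->parent_subject = compat_ptr(subjcompat.parent_subject);
+ subj->hash = compat_ptr(subjcompat.hash);
+ subj->prev = compat_ptr(subjcompat.prev);
+ subj->next = compat_ptr(subjcompat.next);
+
+ subj->obj_hash = compat_ptr(subjcompat.obj_hash);
+ subj->obj_hash_size = subjcompat.obj_hash_size;
+ subj->pax_flags = subjcompat.pax_flags;
+
+ return 0;
+}
+
+int copy_acl_role_label_compat(struct acl_role_label *role, const struct acl_role_label *userp)
+{
+ struct acl_role_label_compat rolecompat;
+
+ if (copy_from_user(&rolecompat, userp, sizeof(rolecompat)))
+ return -EFAULT;
+
+ role->rolename = compat_ptr(rolecompat.rolename);
+ role->uidgid = rolecompat.uidgid;
+ role->roletype = rolecompat.roletype;
+
+ role->auth_attempts = rolecompat.auth_attempts;
+ role->expires = rolecompat.expires;
+
+ role->root_label = compat_ptr(rolecompat.root_label);
+ role->hash = compat_ptr(rolecompat.hash);
+
+ role->prev = compat_ptr(rolecompat.prev);
+ role->next = compat_ptr(rolecompat.next);
+
+ role->transitions = compat_ptr(rolecompat.transitions);
+ role->allowed_ips = compat_ptr(rolecompat.allowed_ips);
+ role->domain_children = compat_ptr(rolecompat.domain_children);
+ role->domain_child_num = rolecompat.domain_child_num;
+
+ role->umask = rolecompat.umask;
+
+ role->subj_hash = compat_ptr(rolecompat.subj_hash);
+ role->subj_hash_size = rolecompat.subj_hash_size;
+
+ return 0;
+}
+
+int copy_role_allowed_ip_compat(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp)
+{
+ struct role_allowed_ip_compat roleip_compat;
+
+ if (copy_from_user(&roleip_compat, userp, sizeof(roleip_compat)))
+ return -EFAULT;
+
+ roleip->addr = roleip_compat.addr;
+ roleip->netmask = roleip_compat.netmask;
+
+ roleip->prev = compat_ptr(roleip_compat.prev);
+ roleip->next = compat_ptr(roleip_compat.next);
+
+ return 0;
+}
+
+int copy_role_transition_compat(struct role_transition *trans, const struct role_transition *userp)
+{
+ struct role_transition_compat trans_compat;
+
+ if (copy_from_user(&trans_compat, userp, sizeof(trans_compat)))
+ return -EFAULT;
+
+ trans->rolename = compat_ptr(trans_compat.rolename);
+
+ trans->prev = compat_ptr(trans_compat.prev);
+ trans->next = compat_ptr(trans_compat.next);
+
+ return 0;
+
+}
+
+int copy_gr_hash_struct_compat(struct gr_hash_struct *hash, const struct gr_hash_struct *userp)
+{
+ struct gr_hash_struct_compat hash_compat;
+
+ if (copy_from_user(&hash_compat, userp, sizeof(hash_compat)))
+ return -EFAULT;
+
+ hash->table = compat_ptr(hash_compat.table);
+ hash->nametable = compat_ptr(hash_compat.nametable);
+ hash->first = compat_ptr(hash_compat.first);
+
+ hash->table_size = hash_compat.table_size;
+ hash->used_size = hash_compat.used_size;
+
+ hash->type = hash_compat.type;
+
+ return 0;
+}
+
+int copy_pointer_from_array_compat(void *ptr, unsigned long idx, const void *userp)
+{
+ compat_uptr_t ptrcompat;
+
+ if (copy_from_user(&ptrcompat, userp + (idx * sizeof(ptrcompat)), sizeof(ptrcompat)))
+ return -EFAULT;
+
+ *(void **)ptr = compat_ptr(ptrcompat);
+
+ return 0;
+}
+
+int copy_acl_ip_label_compat(struct acl_ip_label *ip, const struct acl_ip_label *userp)
+{
+ struct acl_ip_label_compat ip_compat;
+
+ if (copy_from_user(&ip_compat, userp, sizeof(ip_compat)))
+ return -EFAULT;
+
+ ip->iface = compat_ptr(ip_compat.iface);
+ ip->addr = ip_compat.addr;
+ ip->netmask = ip_compat.netmask;
+ ip->low = ip_compat.low;
+ ip->high = ip_compat.high;
+ ip->mode = ip_compat.mode;
+ ip->type = ip_compat.type;
+
+ memcpy(&ip->proto, &ip_compat.proto, sizeof(ip->proto));
+
+ ip->prev = compat_ptr(ip_compat.prev);
+ ip->next = compat_ptr(ip_compat.next);
+
+ return 0;
+}
+
+int copy_sprole_pw_compat(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp)
+{
+ struct sprole_pw_compat pw_compat;
+
+ if (copy_from_user(&pw_compat, (const void *)userp + (sizeof(pw_compat) * idx), sizeof(pw_compat)))
+ return -EFAULT;
+
+ pw->rolename = compat_ptr(pw_compat.rolename);
+ memcpy(&pw->salt, pw_compat.salt, sizeof(pw->salt));
+ memcpy(&pw->sum, pw_compat.sum, sizeof(pw->sum));
+
+ return 0;
+}
+
+size_t get_gr_arg_wrapper_size_compat(void)
+{
+ return sizeof(struct gr_arg_wrapper_compat);
+}
+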
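Review bot: `copy_gr_arg_compat()` and `copy_sprole_pw_compat()` copy what appear to be password, salt and hash fields (`pw`, `salt`, `sum`) into on-stack temporaries (`argcompat`, `pw_compat`) and return without clearing them, so that material stays in the dead stack frame after the call. I would wipe the temporary on every exit path, e.g. `memzero_explicit(&argcompat, sizeof(argcompat));` before each `return`, and do the same for `pw_compat`. The field meanings are inferred from their names, since the structure definitions are outside this hunk. Separately, only `copy_gr_arg_compat()` marks its source pointer `__user`; the other helpers hand `userp`/`buf` to copy_from_user() unannotated, which keeps sparse from checking their callers.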
89235diff --git a/grsecurity/gracl_fs.c b/grsecurity/gracl_fs.c
89236new file mode 100644
89237index 0000000..fce7f71
89238--- /dev/null
89239+++ b/grsecurity/gracl_fs.c
89240@@ -0,0 +1,448 @@
89241+#include <linux/kernel.h>
89242+#include <linux/sched.h>
89243+#include <linux/types.h>
89244+#include <linux/fs.h>
89245+#include <linux/file.h>
89246+#include <linux/stat.h>
89247+#include <linux/grsecurity.h>
89248+#include <linux/grinternal.h>
89249+#include <linux/gracl.h>
89250+
89251+umode_t
89252+gr_acl_umask(void)
89253+{
89254+ if (unlikely(!gr_acl_is_enabled()))
89255+ return 0;
89256+
89257+ return current->role->umask;
89258+}
89259+
89260+__u32
89261+gr_acl_handle_hidden_file(const struct dentry * dentry,
89262+ const struct vfsmount * mnt)
89263+{
89264+ __u32 mode;
89265+
89266+ if (unlikely(d_is_negative(dentry)))
89267+ return GR_FIND;
89268+
89269+ mode =
89270+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
89271+
89272+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
89273+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
89274+ return mode;
89275+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
89276+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
89277+ return 0;
89278+ } else if (unlikely(!(mode & GR_FIND)))
89279+ return 0;
89280+
89281+ return GR_FIND;
89282+}
89283+
89284+__u32
89285+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
89286+ int acc_mode)
89287+{
89288+ __u32 reqmode = GR_FIND;
89289+ __u32 mode;
89290+
89291+ if (unlikely(d_is_negative(dentry)))
89292+ return reqmode;
89293+
89294+ if (acc_mode & MAY_APPEND)
89295+ reqmode |= GR_APPEND;
89296+ else if (acc_mode & MAY_WRITE)
89297+ reqmode |= GR_WRITE;
89298+ if ((acc_mode & MAY_READ) && !d_is_dir(dentry))
89299+ reqmode |= GR_READ;
89300+
89301+ mode =
89302+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
89303+ mnt);
89304+
89305+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
89306+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
89307+ reqmode & GR_READ ? " reading" : "",
89308+ reqmode & GR_WRITE ? " writing" : reqmode &
89309+ GR_APPEND ? " appending" : "");
89310+ return reqmode;
89311+ } else
89312+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
89313+ {
89314+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
89315+ reqmode & GR_READ ? " reading" : "",
89316+ reqmode & GR_WRITE ? " writing" : reqmode &
89317+ GR_APPEND ? " appending" : "");
89318+ return 0;
89319+ } else if (unlikely((mode & reqmode) != reqmode))
89320+ return 0;
89321+
89322+ return reqmode;
89323+}
89324+
89325+__u32
89326+gr_acl_handle_creat(const struct dentry * dentry,
89327+ const struct dentry * p_dentry,
89328+ const struct vfsmount * p_mnt, int open_flags, int acc_mode,
89329+ const int imode)
89330+{
89331+ __u32 reqmode = GR_WRITE | GR_CREATE;
89332+ __u32 mode;
89333+
89334+ if (acc_mode & MAY_APPEND)
89335+ reqmode |= GR_APPEND;
89336+ // if a directory was required or the directory already exists, then
89337+ // don't count this open as a read
89338+ if ((acc_mode & MAY_READ) &&
89339+ !((open_flags & O_DIRECTORY) || d_is_dir(dentry)))
89340+ reqmode |= GR_READ;
89341+ if ((open_flags & O_CREAT) &&
89342+ ((imode & S_ISUID) || ((imode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))
89343+ reqmode |= GR_SETID;
89344+
89345+ mode =
89346+ gr_check_create(dentry, p_dentry, p_mnt,
89347+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
89348+
89349+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
89350+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
89351+ reqmode & GR_READ ? " reading" : "",
89352+ reqmode & GR_WRITE ? " writing" : reqmode &
89353+ GR_APPEND ? " appending" : "");
89354+ return reqmode;
89355+ } else
89356+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
89357+ {
89358+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
89359+ reqmode & GR_READ ? " reading" : "",
89360+ reqmode & GR_WRITE ? " writing" : reqmode &
89361+ GR_APPEND ? " appending" : "");
89362+ return 0;
89363+ } else if (unlikely((mode & reqmode) != reqmode))
89364+ return 0;
89365+
89366+ return reqmode;
89367+}
89368+
89369+__u32
89370+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
89371+ const int fmode)
89372+{
89373+ __u32 mode, reqmode = GR_FIND;
89374+
89375+ if ((fmode & S_IXOTH) && !d_is_dir(dentry))
89376+ reqmode |= GR_EXEC;
89377+ if (fmode & S_IWOTH)
89378+ reqmode |= GR_WRITE;
89379+ if (fmode & S_IROTH)
89380+ reqmode |= GR_READ;
89381+
89382+ mode =
89383+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
89384+ mnt);
89385+
89386+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
89387+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
89388+ reqmode & GR_READ ? " reading" : "",
89389+ reqmode & GR_WRITE ? " writing" : "",
89390+ reqmode & GR_EXEC ? " executing" : "");
89391+ return reqmode;
89392+ } else
89393+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
89394+ {
89395+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
89396+ reqmode & GR_READ ? " reading" : "",
89397+ reqmode & GR_WRITE ? " writing" : "",
89398+ reqmode & GR_EXEC ? " executing" : "");
89399+ return 0;
89400+ } else if (unlikely((mode & reqmode) != reqmode))
89401+ return 0;
89402+
89403+ return reqmode;
89404+}
89405+
89406+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
89407+{
89408+ __u32 mode;
89409+
89410+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
89411+
89412+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
89413+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
89414+ return mode;
89415+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
89416+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
89417+ return 0;
89418+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
89419+ return 0;
89420+
89421+ return (reqmode);
89422+}
89423+
89424+__u32
89425+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
89426+{
89427+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
89428+}
89429+
89430+__u32
89431+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
89432+{
89433+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
89434+}
89435+
89436+__u32
89437+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
89438+{
89439+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
89440+}
89441+
89442+__u32
89443+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
89444+{
89445+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
89446+}
89447+
89448+__u32
89449+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
89450+ umode_t *modeptr)
89451+{
89452+ umode_t mode;
89453+ struct inode *inode = d_backing_inode(dentry);
89454+
89455+ *modeptr &= ~gr_acl_umask();
89456+ mode = *modeptr;
89457+
89458+ if (unlikely(inode && S_ISSOCK(inode->i_mode)))
89459+ return 1;
89460+
89461+ if (unlikely(!d_is_dir(dentry) &&
89462+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))) {
89463+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
89464+ GR_CHMOD_ACL_MSG);
89465+ } else {
89466+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
89467+ }
89468+}
89469+
89470+__u32
89471+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
89472+{
89473+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
89474+}
89475+
89476+__u32
89477+gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
89478+{
89479+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
89480+}
89481+
89482+__u32
89483+gr_acl_handle_removexattr(const struct dentry *dentry, const struct vfsmount *mnt)
89484+{
89485+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_REMOVEXATTR_ACL_MSG);
89486+}
89487+
89488+__u32
89489+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
89490+{
89491+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
89492+}
89493+
89494+__u32
89495+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
89496+{
89497+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
89498+ GR_UNIXCONNECT_ACL_MSG);
89499+}
89500+
89501+/* hardlinks require at minimum create and link permission,
89502+ any additional privilege required is based on the
89503+ privilege of the file being linked to
89504+*/
89505+__u32
89506+gr_acl_handle_link(const struct dentry * new_dentry,
89507+ const struct dentry * parent_dentry,
89508+ const struct vfsmount * parent_mnt,
89509+ const struct dentry * old_dentry,
89510+ const struct vfsmount * old_mnt, const struct filename *to)
89511+{
89512+ __u32 mode;
89513+ __u32 needmode = GR_CREATE | GR_LINK;
89514+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
89515+
89516+ mode =
89517+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
89518+ old_mnt);
89519+
89520+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
89521+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to->name);
89522+ return mode;
89523+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
89524+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to->name);
89525+ return 0;
89526+ } else if (unlikely((mode & needmode) != needmode))
89527+ return 0;
89528+
89529+ return 1;
89530+}
89531+
89532+__u32
89533+gr_acl_handle_symlink(const struct dentry * new_dentry,
89534+ const struct dentry * parent_dentry,
89535+ const struct vfsmount * parent_mnt, const struct filename *from)
89536+{
89537+ __u32 needmode = GR_WRITE | GR_CREATE;
89538+ __u32 mode;
89539+
89540+ mode =
89541+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
89542+ GR_CREATE | GR_AUDIT_CREATE |
89543+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
89544+
89545+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
89546+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from->name, new_dentry, parent_mnt);
89547+ return mode;
89548+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
89549+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from->name, new_dentry, parent_mnt);
89550+ return 0;
89551+ } else if (unlikely((mode & needmode) != needmode))
89552+ return 0;
89553+
89554+ return (GR_WRITE | GR_CREATE);
89555+}
89556+
89557+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
89558+{
89559+ __u32 mode;
89560+
89561+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
89562+
89563+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
89564+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
89565+ return mode;
89566+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
89567+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
89568+ return 0;
89569+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
89570+ return 0;
89571+
89572+ return (reqmode);
89573+}
89574+
89575+__u32
89576+gr_acl_handle_mknod(const struct dentry * new_dentry,
89577+ const struct dentry * parent_dentry,
89578+ const struct vfsmount * parent_mnt,
89579+ const int mode)
89580+{
89581+ __u32 reqmode = GR_WRITE | GR_CREATE;
89582+ if (unlikely((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))
89583+ reqmode |= GR_SETID;
89584+
89585+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
89586+ reqmode, GR_MKNOD_ACL_MSG);
89587+}
89588+
89589+__u32
89590+gr_acl_handle_mkdir(const struct dentry *new_dentry,
89591+ const struct dentry *parent_dentry,
89592+ const struct vfsmount *parent_mnt)
89593+{
89594+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
89595+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
89596+}
89597+
89598+#define RENAME_CHECK_SUCCESS(old, new) \
89599+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
89600+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
89601+
89602+int
89603+gr_acl_handle_rename(struct dentry *new_dentry,
89604+ struct dentry *parent_dentry,
89605+ const struct vfsmount *parent_mnt,
89606+ struct dentry *old_dentry,
89607+ struct inode *old_parent_inode,
89608+ struct vfsmount *old_mnt, const struct filename *newname, unsigned int flags)
89609+{
89610+ __u32 comp1, comp2;
89611+ int error = 0;
89612+
89613+ if (unlikely(!gr_acl_is_enabled()))
89614+ return 0;
89615+
89616+ if (flags & RENAME_EXCHANGE) {
89617+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
89618+ GR_AUDIT_READ | GR_AUDIT_WRITE |
89619+ GR_SUPPRESS, parent_mnt);
89620+ comp2 =
89621+ gr_search_file(old_dentry,
89622+ GR_READ | GR_WRITE | GR_AUDIT_READ |
89623+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
89624+ } else if (d_is_negative(new_dentry)) {
89625+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
89626+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
89627+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
89628+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
89629+ GR_DELETE | GR_AUDIT_DELETE |
89630+ GR_AUDIT_READ | GR_AUDIT_WRITE |
89631+ GR_SUPPRESS, old_mnt);
89632+ } else {
89633+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
89634+ GR_CREATE | GR_DELETE |
89635+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
89636+ GR_AUDIT_READ | GR_AUDIT_WRITE |
89637+ GR_SUPPRESS, parent_mnt);
89638+ comp2 =
89639+ gr_search_file(old_dentry,
89640+ GR_READ | GR_WRITE | GR_AUDIT_READ |
89641+ GR_DELETE | GR_AUDIT_DELETE |
89642+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
89643+ }
89644+
89645+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
89646+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
89647+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
89648+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
89649+ && !(comp2 & GR_SUPPRESS)) {
89650+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
89651+ error = -EACCES;
89652+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
89653+ error = -EACCES;
89654+
89655+ return error;
89656+}
89657+
89658+void
89659+gr_acl_handle_exit(void)
89660+{
89661+ u16 id;
89662+ char *rolename;
89663+
89664+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
89665+ !(current->role->roletype & GR_ROLE_PERSIST))) {
89666+ id = current->acl_role_id;
89667+ rolename = current->role->rolename;
89668+ gr_set_acls(1);
89669+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
89670+ }
89671+
89672+ gr_put_exec_file(current);
89673+ return;
89674+}
89675+
89676+int
89677+gr_acl_handle_procpidmem(const struct task_struct *task)
89678+{
89679+ if (unlikely(!gr_acl_is_enabled()))
89680+ return 0;
89681+
89682+ if (task != current && (task->acl->mode & GR_PROTPROCFD) &&
89683+ !(current->acl->mode & GR_POVERRIDE) &&
89684+ !(current->role->roletype & GR_ROLE_GOD))
89685+ return -EACCES;
89686+
89687+ return 0;
89688+}
89689diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
89690new file mode 100644
89691index 0000000..ed6ee43
89692--- /dev/null
89693+++ b/grsecurity/gracl_ip.c
89694@@ -0,0 +1,386 @@
89695+#include <linux/kernel.h>
89696+#include <asm/uaccess.h>
89697+#include <asm/errno.h>
89698+#include <net/sock.h>
89699+#include <linux/file.h>
89700+#include <linux/fs.h>
89701+#include <linux/net.h>
89702+#include <linux/in.h>
89703+#include <linux/skbuff.h>
89704+#include <linux/ip.h>
89705+#include <linux/udp.h>
89706+#include <linux/types.h>
89707+#include <linux/sched.h>
89708+#include <linux/netdevice.h>
89709+#include <linux/inetdevice.h>
89710+#include <linux/gracl.h>
89711+#include <linux/grsecurity.h>
89712+#include <linux/grinternal.h>
89713+
89714+#define GR_BIND 0x01
89715+#define GR_CONNECT 0x02
89716+#define GR_INVERT 0x04
89717+#define GR_BINDOVERRIDE 0x08
89718+#define GR_CONNECTOVERRIDE 0x10
89719+#define GR_SOCK_FAMILY 0x20
89720+
89721+static const char * gr_protocols[IPPROTO_MAX] = {
89722+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
89723+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
89724+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
89725+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
89726+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
89727+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
89728+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
89729+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
89730+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
89731+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
89732+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
89733+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
89734+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
89735+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
89736+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
89737+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
89738+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
89739+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
89740+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
89741+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
89742+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
89743+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
89744+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
89745+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
89746+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
89747+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
89748+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
89749+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
89750+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
89751+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
89752+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
89753+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
89754+ };
89755+
89756+static const char * gr_socktypes[SOCK_MAX] = {
89757+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
89758+ "unknown:7", "unknown:8", "unknown:9", "packet"
89759+ };
89760+
89761+static const char * gr_sockfamilies[AF_MAX+1] = {
89762+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
89763+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
89764+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
89765+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf", "alg", "nfc", "vsock"
89766+ };
89767+
89768+const char *
89769+gr_proto_to_name(unsigned char proto)
89770+{
89771+ return gr_protocols[proto];
89772+}
89773+
89774+const char *
89775+gr_socktype_to_name(unsigned char type)
89776+{
89777+ return gr_socktypes[type];
89778+}
89779+
89780+const char *
89781+gr_sockfamily_to_name(unsigned char family)
89782+{
89783+ return gr_sockfamilies[family];
89784+}
89785+
89786+extern const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
89787+
89788+int
89789+gr_search_socket(const int domain, const int type, const int protocol)
89790+{
89791+ struct acl_subject_label *curr;
89792+ const struct cred *cred = current_cred();
89793+
89794+ if (unlikely(!gr_acl_is_enabled()))
89795+ goto exit;
89796+
89797+ if ((domain < 0) || (type < 0) || (protocol < 0) ||
89798+ (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
89799+ goto exit; // let the kernel handle it
89800+
89801+ curr = current->acl;
89802+
89803+ if (curr->sock_families[domain / 32] & (1U << (domain % 32))) {
89804+ /* the family is allowed, if this is PF_INET allow it only if
89805+ the extra sock type/protocol checks pass */
89806+ if (domain == PF_INET)
89807+ goto inet_check;
89808+ goto exit;
89809+ } else {
89810+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89811+ __u32 fakeip = 0;
89812+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89813+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89814+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89815+ gr_to_filename(current->exec_file->f_path.dentry,
89816+ current->exec_file->f_path.mnt) :
89817+ curr->filename, curr->filename,
89818+ &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
89819+ &current->signal->saved_ip);
89820+ goto exit;
89821+ }
89822+ goto exit_fail;
89823+ }
89824+
89825+inet_check:
89826+ /* the rest of this checking is for IPv4 only */
89827+ if (!curr->ips)
89828+ goto exit;
89829+
89830+ if ((curr->ip_type & (1U << type)) &&
89831+ (curr->ip_proto[protocol / 32] & (1U << (protocol % 32))))
89832+ goto exit;
89833+
89834+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89835+ /* we don't place acls on raw sockets , and sometimes
89836+ dgram/ip sockets are opened for ioctl and not
89837+ bind/connect, so we'll fake a bind learn log */
89838+ if (type == SOCK_RAW || type == SOCK_PACKET) {
89839+ __u32 fakeip = 0;
89840+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89841+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89842+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89843+ gr_to_filename(current->exec_file->f_path.dentry,
89844+ current->exec_file->f_path.mnt) :
89845+ curr->filename, curr->filename,
89846+ &fakeip, 0, type,
89847+ protocol, GR_CONNECT, &current->signal->saved_ip);
89848+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
89849+ __u32 fakeip = 0;
89850+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89851+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89852+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89853+ gr_to_filename(current->exec_file->f_path.dentry,
89854+ current->exec_file->f_path.mnt) :
89855+ curr->filename, curr->filename,
89856+ &fakeip, 0, type,
89857+ protocol, GR_BIND, &current->signal->saved_ip);
89858+ }
89859+ /* we'll log when they use connect or bind */
89860+ goto exit;
89861+ }
89862+
89863+exit_fail:
89864+ if (domain == PF_INET)
89865+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
89866+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
89867+ else if (rcu_access_pointer(net_families[domain]) != NULL)
89868+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
89869+ gr_socktype_to_name(type), protocol);
89870+
89871+ return 0;
89872+exit:
89873+ return 1;
89874+}
89875+
89876+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
89877+{
89878+ if ((ip->mode & mode) &&
89879+ (ip_port >= ip->low) &&
89880+ (ip_port <= ip->high) &&
89881+ ((ntohl(ip_addr) & our_netmask) ==
89882+ (ntohl(our_addr) & our_netmask))
89883+ && (ip->proto[protocol / 32] & (1U << (protocol % 32)))
89884+ && (ip->type & (1U << type))) {
89885+ if (ip->mode & GR_INVERT)
89886+ return 2; // specifically denied
89887+ else
89888+ return 1; // allowed
89889+ }
89890+
89891+ return 0; // not specifically allowed, may continue parsing
89892+}
89893+
89894+static int
89895+gr_search_connectbind(const int full_mode, struct sock *sk,
89896+ struct sockaddr_in *addr, const int type)
89897+{
89898+ char iface[IFNAMSIZ] = {0};
89899+ struct acl_subject_label *curr;
89900+ struct acl_ip_label *ip;
89901+ struct inet_sock *isk;
89902+ struct net_device *dev;
89903+ struct in_device *idev;
89904+ unsigned long i;
89905+ int ret;
89906+ int mode = full_mode & (GR_BIND | GR_CONNECT);
89907+ __u32 ip_addr = 0;
89908+ __u32 our_addr;
89909+ __u32 our_netmask;
89910+ char *p;
89911+ __u16 ip_port = 0;
89912+ const struct cred *cred = current_cred();
89913+
89914+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
89915+ return 0;
89916+
89917+ curr = current->acl;
89918+ isk = inet_sk(sk);
89919+
89920+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
89921+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
89922+ addr->sin_addr.s_addr = curr->inaddr_any_override;
89923+ if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
89924+ struct sockaddr_in saddr;
89925+ int err;
89926+
89927+ saddr.sin_family = AF_INET;
89928+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
89929+ saddr.sin_port = isk->inet_sport;
89930+
89931+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
89932+ if (err)
89933+ return err;
89934+
89935+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
89936+ if (err)
89937+ return err;
89938+ }
89939+
89940+ if (!curr->ips)
89941+ return 0;
89942+
89943+ ip_addr = addr->sin_addr.s_addr;
89944+ ip_port = ntohs(addr->sin_port);
89945+
89946+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89947+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89948+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89949+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89950+ gr_to_filename(current->exec_file->f_path.dentry,
89951+ current->exec_file->f_path.mnt) :
89952+ curr->filename, curr->filename,
89953+ &ip_addr, ip_port, type,
89954+ sk->sk_protocol, mode, &current->signal->saved_ip);
89955+ return 0;
89956+ }
89957+
89958+ for (i = 0; i < curr->ip_num; i++) {
89959+ ip = *(curr->ips + i);
89960+ if (ip->iface != NULL) {
89961+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
89962+ p = strchr(iface, ':');
89963+ if (p != NULL)
89964+ *p = '\0';
89965+ dev = dev_get_by_name(sock_net(sk), iface);
89966+ if (dev == NULL)
89967+ continue;
89968+ idev = in_dev_get(dev);
89969+ if (idev == NULL) {
89970+ dev_put(dev);
89971+ continue;
89972+ }
89973+ rcu_read_lock();
89974+ for_ifa(idev) {
89975+ if (!strcmp(ip->iface, ifa->ifa_label)) {
89976+ our_addr = ifa->ifa_address;
89977+ our_netmask = 0xffffffff;
89978+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
89979+ if (ret == 1) {
89980+ rcu_read_unlock();
89981+ in_dev_put(idev);
89982+ dev_put(dev);
89983+ return 0;
89984+ } else if (ret == 2) {
89985+ rcu_read_unlock();
89986+ in_dev_put(idev);
89987+ dev_put(dev);
89988+ goto denied;
89989+ }
89990+ }
89991+ } endfor_ifa(idev);
89992+ rcu_read_unlock();
89993+ in_dev_put(idev);
89994+ dev_put(dev);
89995+ } else {
89996+ our_addr = ip->addr;
89997+ our_netmask = ip->netmask;
89998+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
89999+ if (ret == 1)
90000+ return 0;
90001+ else if (ret == 2)
90002+ goto denied;
90003+ }
90004+ }
90005+
90006+denied:
90007+ if (mode == GR_BIND)
90008+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
90009+ else if (mode == GR_CONNECT)
90010+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
90011+
90012+ return -EACCES;
90013+}
90014+
90015+int
90016+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
90017+{
90018+ /* always allow disconnection of dgram sockets with connect */
90019+ if (addr->sin_family == AF_UNSPEC)
90020+ return 0;
90021+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
90022+}
90023+
90024+int
90025+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
90026+{
90027+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
90028+}
90029+
90030+int gr_search_listen(struct socket *sock)
90031+{
90032+ struct sock *sk = sock->sk;
90033+ struct sockaddr_in addr;
90034+
90035+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
90036+ addr.sin_port = inet_sk(sk)->inet_sport;
90037+
90038+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
90039+}
90040+
90041+int gr_search_accept(struct socket *sock)
90042+{
90043+ struct sock *sk = sock->sk;
90044+ struct sockaddr_in addr;
90045+
90046+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
90047+ addr.sin_port = inet_sk(sk)->inet_sport;
90048+
90049+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
90050+}
90051+
90052+int
90053+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
90054+{
90055+ if (addr)
90056+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
90057+ else {
90058+ struct sockaddr_in sin;
90059+ const struct inet_sock *inet = inet_sk(sk);
90060+
90061+ sin.sin_addr.s_addr = inet->inet_daddr;
90062+ sin.sin_port = inet->inet_dport;
90063+
90064+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
90065+ }
90066+}
90067+
90068+int
90069+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
90070+{
90071+ struct sockaddr_in sin;
90072+
90073+ if (unlikely(skb->len < sizeof (struct udphdr)))
90074+ return 0; // skip this packet
90075+
90076+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
90077+ sin.sin_port = udp_hdr(skb)->source;
90078+
90079+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
90080+}
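Review bot: `gr_proto_to_name()`, `gr_socktype_to_name()` and `gr_sockfamily_to_name()` index fixed-size tables with an `unsigned char` and no bounds check, and the only range validation visible in this file is the one at the top of `gr_search_socket()`. `gr_socktypes` has `SOCK_MAX` entries while the index can be as large as 255. The `denied:` path of `gr_search_connectbind()` passes `sock->type` straight to `gr_socktype_to_name()`, and `check_ip_policy()` evaluates `1U << type` on the same value, so both rely on callers outside this hunk keeping `type` below `SOCK_MAX`. A clamp inside each helper removes that dependency and also covers table slots left without an initialiser, e.g. `return (type < SOCK_MAX && gr_socktypes[type]) ? gr_socktypes[type] : "unknown";`.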
90081diff --git a/grsecurity/gracl_learn.c b/grsecurity/gracl_learn.c
90082new file mode 100644
90083index 0000000..25f54ef
90084--- /dev/null
90085+++ b/grsecurity/gracl_learn.c
90086@@ -0,0 +1,207 @@
90087+#include <linux/kernel.h>
90088+#include <linux/mm.h>
90089+#include <linux/sched.h>
90090+#include <linux/poll.h>
90091+#include <linux/string.h>
90092+#include <linux/file.h>
90093+#include <linux/types.h>
90094+#include <linux/vmalloc.h>
90095+#include <linux/grinternal.h>
90096+
90097+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
90098+ size_t count, loff_t *ppos);
90099+extern int gr_acl_is_enabled(void);
90100+
90101+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
90102+static int gr_learn_attached;
90103+
90104+/* use a 512k buffer */
90105+#define LEARN_BUFFER_SIZE (512 * 1024)
90106+
90107+static DEFINE_SPINLOCK(gr_learn_lock);
90108+static DEFINE_MUTEX(gr_learn_user_mutex);
90109+
90110+/* we need to maintain two buffers, so that the kernel context of grlearn
90111+ uses a semaphore around the userspace copying, and the other kernel contexts
90112+ use a spinlock when copying into the buffer, since they cannot sleep
90113+*/
90114+static char *learn_buffer;
90115+static char *learn_buffer_user;
90116+static int learn_buffer_len;
90117+static int learn_buffer_user_len;
90118+
90119+static ssize_t
90120+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
90121+{
90122+ DECLARE_WAITQUEUE(wait, current);
90123+ ssize_t retval = 0;
90124+
90125+ add_wait_queue(&learn_wait, &wait);
90126+ set_current_state(TASK_INTERRUPTIBLE);
90127+ do {
90128+ mutex_lock(&gr_learn_user_mutex);
90129+ spin_lock(&gr_learn_lock);
90130+ if (learn_buffer_len)
90131+ break;
90132+ spin_unlock(&gr_learn_lock);
90133+ mutex_unlock(&gr_learn_user_mutex);
90134+ if (file->f_flags & O_NONBLOCK) {
90135+ retval = -EAGAIN;
90136+ goto out;
90137+ }
90138+ if (signal_pending(current)) {
90139+ retval = -ERESTARTSYS;
90140+ goto out;
90141+ }
90142+
90143+ schedule();
90144+ } while (1);
90145+
90146+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
90147+ learn_buffer_user_len = learn_buffer_len;
90148+ retval = learn_buffer_len;
90149+ learn_buffer_len = 0;
90150+
90151+ spin_unlock(&gr_learn_lock);
90152+
90153+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
90154+ retval = -EFAULT;
90155+
90156+ mutex_unlock(&gr_learn_user_mutex);
90157+out:
90158+ set_current_state(TASK_RUNNING);
90159+ remove_wait_queue(&learn_wait, &wait);
90160+ return retval;
90161+}
90162+
90163+static unsigned int
90164+poll_learn(struct file * file, poll_table * wait)
90165+{
90166+ poll_wait(file, &learn_wait, wait);
90167+
90168+ if (learn_buffer_len)
90169+ return (POLLIN | POLLRDNORM);
90170+
90171+ return 0;
90172+}
90173+
90174+void
90175+gr_clear_learn_entries(void)
90176+{
90177+ char *tmp;
90178+
90179+ mutex_lock(&gr_learn_user_mutex);
90180+ spin_lock(&gr_learn_lock);
90181+ tmp = learn_buffer;
90182+ learn_buffer = NULL;
90183+ spin_unlock(&gr_learn_lock);
90184+ if (tmp)
90185+ vfree(tmp);
90186+ if (learn_buffer_user != NULL) {
90187+ vfree(learn_buffer_user);
90188+ learn_buffer_user = NULL;
90189+ }
90190+ learn_buffer_len = 0;
90191+ mutex_unlock(&gr_learn_user_mutex);
90192+
90193+ return;
90194+}
90195+
90196+void
90197+gr_add_learn_entry(const char *fmt, ...)
90198+{
90199+ va_list args;
90200+ unsigned int len;
90201+
90202+ if (!gr_learn_attached)
90203+ return;
90204+
90205+ spin_lock(&gr_learn_lock);
90206+
90207+ /* leave a gap at the end so we know when it's "full" but don't have to
90208+ compute the exact length of the string we're trying to append
90209+ */
90210+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
90211+ spin_unlock(&gr_learn_lock);
90212+ wake_up_interruptible(&learn_wait);
90213+ return;
90214+ }
90215+ if (learn_buffer == NULL) {
90216+ spin_unlock(&gr_learn_lock);
90217+ return;
90218+ }
90219+
90220+ va_start(args, fmt);
90221+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
90222+ va_end(args);
90223+
90224+ learn_buffer_len += len + 1;
90225+
90226+ spin_unlock(&gr_learn_lock);
90227+ wake_up_interruptible(&learn_wait);
90228+
90229+ return;
90230+}
90231+
90232+static int
90233+open_learn(struct inode *inode, struct file *file)
90234+{
90235+ if (file->f_mode & FMODE_READ && gr_learn_attached)
90236+ return -EBUSY;
90237+ if (file->f_mode & FMODE_READ) {
90238+ int retval = 0;
90239+ mutex_lock(&gr_learn_user_mutex);
90240+ if (learn_buffer == NULL)
90241+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
90242+ if (learn_buffer_user == NULL)
90243+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
90244+ if (learn_buffer == NULL) {
90245+ retval = -ENOMEM;
90246+ goto out_error;
90247+ }
90248+ if (learn_buffer_user == NULL) {
90249+ retval = -ENOMEM;
90250+ goto out_error;
90251+ }
90252+ learn_buffer_len = 0;
90253+ learn_buffer_user_len = 0;
90254+ gr_learn_attached = 1;
90255+out_error:
90256+ mutex_unlock(&gr_learn_user_mutex);
90257+ return retval;
90258+ }
90259+ return 0;
90260+}
90261+
90262+static int
90263+close_learn(struct inode *inode, struct file *file)
90264+{
90265+ if (file->f_mode & FMODE_READ) {
90266+ char *tmp = NULL;
90267+ mutex_lock(&gr_learn_user_mutex);
90268+ spin_lock(&gr_learn_lock);
90269+ tmp = learn_buffer;
90270+ learn_buffer = NULL;
90271+ spin_unlock(&gr_learn_lock);
90272+ if (tmp)
90273+ vfree(tmp);
90274+ if (learn_buffer_user != NULL) {
90275+ vfree(learn_buffer_user);
90276+ learn_buffer_user = NULL;
90277+ }
90278+ learn_buffer_len = 0;
90279+ learn_buffer_user_len = 0;
90280+ gr_learn_attached = 0;
90281+ mutex_unlock(&gr_learn_user_mutex);
90282+ }
90283+
90284+ return 0;
90285+}
90286+
90287+const struct file_operations grsec_fops = {
90288+ .read = read_learn,
90289+ .write = write_grsec_handler,
90290+ .open = open_learn,
90291+ .release = close_learn,
90292+ .poll = poll_learn,
90293+};
90294diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
90295new file mode 100644
90296index 0000000..0773423
90297--- /dev/null
90298+++ b/grsecurity/gracl_policy.c
90299@@ -0,0 +1,1786 @@
90300+#include <linux/kernel.h>
90301+#include <linux/module.h>
90302+#include <linux/sched.h>
90303+#include <linux/mm.h>
90304+#include <linux/file.h>
90305+#include <linux/fs.h>
90306+#include <linux/namei.h>
90307+#include <linux/mount.h>
90308+#include <linux/tty.h>
90309+#include <linux/proc_fs.h>
90310+#include <linux/lglock.h>
90311+#include <linux/slab.h>
90312+#include <linux/vmalloc.h>
90313+#include <linux/types.h>
90314+#include <linux/sysctl.h>
90315+#include <linux/netdevice.h>
90316+#include <linux/ptrace.h>
90317+#include <linux/gracl.h>
90318+#include <linux/gralloc.h>
90319+#include <linux/security.h>
90320+#include <linux/grinternal.h>
90321+#include <linux/pid_namespace.h>
90322+#include <linux/stop_machine.h>
90323+#include <linux/fdtable.h>
90324+#include <linux/percpu.h>
90325+#include <linux/lglock.h>
90326+#include <linux/hugetlb.h>
90327+#include <linux/posix-timers.h>
90328+#include "../fs/mount.h"
90329+
90330+#include <asm/uaccess.h>
90331+#include <asm/errno.h>
90332+#include <asm/mman.h>
90333+
90334+extern struct gr_policy_state *polstate;
90335+
90336+#define FOR_EACH_ROLE_START(role) \
90337+ role = polstate->role_list; \
90338+ while (role) {
90339+
90340+#define FOR_EACH_ROLE_END(role) \
90341+ role = role->prev; \
90342+ }
90343+
90344+struct path gr_real_root;
90345+
90346+extern struct gr_alloc_state *current_alloc_state;
90347+
90348+u16 acl_sp_role_value;
90349+
90350+static DEFINE_MUTEX(gr_dev_mutex);
90351+
90352+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
90353+extern void gr_clear_learn_entries(void);
90354+
90355+struct gr_arg *gr_usermode __read_only;
90356+unsigned char *gr_system_salt __read_only;
90357+unsigned char *gr_system_sum __read_only;
90358+
90359+static unsigned int gr_auth_attempts = 0;
90360+static unsigned long gr_auth_expires = 0UL;
90361+
90362+struct acl_object_label *fakefs_obj_rw;
90363+struct acl_object_label *fakefs_obj_rwx;
90364+
90365+extern int gr_init_uidset(void);
90366+extern void gr_free_uidset(void);
90367+extern void gr_remove_uid(uid_t uid);
90368+extern int gr_find_uid(uid_t uid);
90369+
90370+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback);
90371+extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj);
90372+extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb);
90373+extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry);
90374+extern struct acl_role_label *__lookup_acl_role_label(const struct gr_policy_state *state, const struct task_struct *task, const uid_t uid, const gid_t gid);
90375+extern void insert_acl_obj_label(struct acl_object_label *obj, struct acl_subject_label *subj);
90376+extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role);
90377+extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name);
90378+extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt);
90379+extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role);
90380+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role);
90381+extern void assign_special_role(const char *rolename);
90382+extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role);
90383+extern int gr_rbac_disable(void *unused);
90384+extern void gr_enable_rbac_system(void);
90385+
90386+static int copy_acl_object_label_normal(struct acl_object_label *obj, const struct acl_object_label *userp)
90387+{
90388+ if (copy_from_user(obj, userp, sizeof(struct acl_object_label)))
90389+ return -EFAULT;
90390+
90391+ return 0;
90392+}
90393+
90394+static int copy_acl_ip_label_normal(struct acl_ip_label *ip, const struct acl_ip_label *userp)
90395+{
90396+ if (copy_from_user(ip, userp, sizeof(struct acl_ip_label)))
90397+ return -EFAULT;
90398+
90399+ return 0;
90400+}
90401+
90402+static int copy_acl_subject_label_normal(struct acl_subject_label *subj, const struct acl_subject_label *userp)
90403+{
90404+ if (copy_from_user(subj, userp, sizeof(struct acl_subject_label)))
90405+ return -EFAULT;
90406+
90407+ return 0;
90408+}
90409+
90410+static int copy_acl_role_label_normal(struct acl_role_label *role, const struct acl_role_label *userp)
90411+{
90412+ if (copy_from_user(role, userp, sizeof(struct acl_role_label)))
90413+ return -EFAULT;
90414+
90415+ return 0;
90416+}
90417+
90418+static int copy_role_allowed_ip_normal(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp)
90419+{
90420+ if (copy_from_user(roleip, userp, sizeof(struct role_allowed_ip)))
90421+ return -EFAULT;
90422+
90423+ return 0;
90424+}
90425+
90426+static int copy_sprole_pw_normal(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp)
90427+{
90428+ if (copy_from_user(pw, userp + idx, sizeof(struct sprole_pw)))
90429+ return -EFAULT;
90430+
90431+ return 0;
90432+}
90433+
90434+static int copy_gr_hash_struct_normal(struct gr_hash_struct *hash, const struct gr_hash_struct *userp)
90435+{
90436+ if (copy_from_user(hash, userp, sizeof(struct gr_hash_struct)))
90437+ return -EFAULT;
90438+
90439+ return 0;
90440+}
90441+
90442+static int copy_role_transition_normal(struct role_transition *trans, const struct role_transition *userp)
90443+{
90444+ if (copy_from_user(trans, userp, sizeof(struct role_transition)))
90445+ return -EFAULT;
90446+
90447+ return 0;
90448+}
90449+
90450+int copy_pointer_from_array_normal(void *ptr, unsigned long idx, const void *userp)
90451+{
90452+ if (copy_from_user(ptr, userp + (idx * sizeof(void *)), sizeof(void *)))
90453+ return -EFAULT;
90454+
90455+ return 0;
90456+}
90457+
90458+static int copy_gr_arg_wrapper_normal(const char __user *buf, struct gr_arg_wrapper *uwrap)
90459+{
90460+ if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper)))
90461+ return -EFAULT;
90462+
90463+ if ((uwrap->version != GRSECURITY_VERSION) ||
90464+ (uwrap->size != sizeof(struct gr_arg)))
90465+ return -EINVAL;
90466+
90467+ return 0;
90468+}
90469+
90470+static int copy_gr_arg_normal(const struct gr_arg __user *buf, struct gr_arg *arg)
90471+{
90472+ if (copy_from_user(arg, buf, sizeof (struct gr_arg)))
90473+ return -EFAULT;
90474+
90475+ return 0;
90476+}
90477+
90478+static size_t get_gr_arg_wrapper_size_normal(void)
90479+{
90480+ return sizeof(struct gr_arg_wrapper);
90481+}
90482+
90483+#ifdef CONFIG_COMPAT
90484+extern int copy_gr_arg_wrapper_compat(const char *buf, struct gr_arg_wrapper *uwrap);
90485+extern int copy_gr_arg_compat(const struct gr_arg __user *buf, struct gr_arg *arg);
90486+extern int copy_acl_object_label_compat(struct acl_object_label *obj, const struct acl_object_label *userp);
90487+extern int copy_acl_subject_label_compat(struct acl_subject_label *subj, const struct acl_subject_label *userp);
90488+extern int copy_acl_role_label_compat(struct acl_role_label *role, const struct acl_role_label *userp);
90489+extern int copy_role_allowed_ip_compat(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp);
90490+extern int copy_role_transition_compat(struct role_transition *trans, const struct role_transition *userp);
90491+extern int copy_gr_hash_struct_compat(struct gr_hash_struct *hash, const struct gr_hash_struct *userp);
90492+extern int copy_pointer_from_array_compat(void *ptr, unsigned long idx, const void *userp);
90493+extern int copy_acl_ip_label_compat(struct acl_ip_label *ip, const struct acl_ip_label *userp);
90494+extern int copy_sprole_pw_compat(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp);
90495+extern size_t get_gr_arg_wrapper_size_compat(void);
90496+
90497+int (* copy_gr_arg_wrapper)(const char *buf, struct gr_arg_wrapper *uwrap) __read_only;
90498+int (* copy_gr_arg)(const struct gr_arg *buf, struct gr_arg *arg) __read_only;
90499+int (* copy_acl_object_label)(struct acl_object_label *obj, const struct acl_object_label *userp) __read_only;
90500+int (* copy_acl_subject_label)(struct acl_subject_label *subj, const struct acl_subject_label *userp) __read_only;
90501+int (* copy_acl_role_label)(struct acl_role_label *role, const struct acl_role_label *userp) __read_only;
90502+int (* copy_acl_ip_label)(struct acl_ip_label *ip, const struct acl_ip_label *userp) __read_only;
90503+int (* copy_pointer_from_array)(void *ptr, unsigned long idx, const void *userp) __read_only;
90504+int (* copy_sprole_pw)(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp) __read_only;
90505+int (* copy_gr_hash_struct)(struct gr_hash_struct *hash, const struct gr_hash_struct *userp) __read_only;
90506+int (* copy_role_transition)(struct role_transition *trans, const struct role_transition *userp) __read_only;
90507+int (* copy_role_allowed_ip)(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp) __read_only;
90508+size_t (* get_gr_arg_wrapper_size)(void) __read_only;
90509+
90510+#else
90511+#define copy_gr_arg_wrapper copy_gr_arg_wrapper_normal
90512+#define copy_gr_arg copy_gr_arg_normal
90513+#define copy_gr_hash_struct copy_gr_hash_struct_normal
90514+#define copy_acl_object_label copy_acl_object_label_normal
90515+#define copy_acl_subject_label copy_acl_subject_label_normal
90516+#define copy_acl_role_label copy_acl_role_label_normal
90517+#define copy_acl_ip_label copy_acl_ip_label_normal
90518+#define copy_pointer_from_array copy_pointer_from_array_normal
90519+#define copy_sprole_pw copy_sprole_pw_normal
90520+#define copy_role_transition copy_role_transition_normal
90521+#define copy_role_allowed_ip copy_role_allowed_ip_normal
90522+#define get_gr_arg_wrapper_size get_gr_arg_wrapper_size_normal
90523+#endif
90524+
90525+static struct acl_subject_label *
90526+lookup_subject_map(const struct acl_subject_label *userp)
90527+{
90528+ unsigned int index = gr_shash(userp, polstate->subj_map_set.s_size);
90529+ struct subject_map *match;
90530+
90531+ match = polstate->subj_map_set.s_hash[index];
90532+
90533+ while (match && match->user != userp)
90534+ match = match->next;
90535+
90536+ if (match != NULL)
90537+ return match->kernel;
90538+ else
90539+ return NULL;
90540+}
90541+
90542+static void
90543+insert_subj_map_entry(struct subject_map *subjmap)
90544+{
90545+ unsigned int index = gr_shash(subjmap->user, polstate->subj_map_set.s_size);
90546+ struct subject_map **curr;
90547+
90548+ subjmap->prev = NULL;
90549+
90550+ curr = &polstate->subj_map_set.s_hash[index];
90551+ if (*curr != NULL)
90552+ (*curr)->prev = subjmap;
90553+
90554+ subjmap->next = *curr;
90555+ *curr = subjmap;
90556+
90557+ return;
90558+}
90559+
90560+static void
90561+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
90562+{
90563+ unsigned int index =
90564+ gr_rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), polstate->acl_role_set.r_size);
90565+ struct acl_role_label **curr;
90566+ struct acl_role_label *tmp, *tmp2;
90567+
90568+ curr = &polstate->acl_role_set.r_hash[index];
90569+
90570+ /* simple case, slot is empty, just set it to our role */
90571+ if (*curr == NULL) {
90572+ *curr = role;
90573+ } else {
90574+ /* example:
90575+ 1 -> 2 -> 3 (adding 2 -> 3 to here)
90576+ 2 -> 3
90577+ */
90578+ /* first check to see if we can already be reached via this slot */
90579+ tmp = *curr;
90580+ while (tmp && tmp != role)
90581+ tmp = tmp->next;
90582+ if (tmp == role) {
90583+ /* we don't need to add ourselves to this slot's chain */
90584+ return;
90585+ }
90586+ /* we need to add ourselves to this chain, two cases */
90587+ if (role->next == NULL) {
90588+ /* simple case, append the current chain to our role */
90589+ role->next = *curr;
90590+ *curr = role;
90591+ } else {
90592+ /* 1 -> 2 -> 3 -> 4
90593+ 2 -> 3 -> 4
90594+ 3 -> 4 (adding 1 -> 2 -> 3 -> 4 to here)
90595+ */
90596+ /* trickier case: walk our role's chain until we find
90597+ the role for the start of the current slot's chain */
90598+ tmp = role;
90599+ tmp2 = *curr;
90600+ while (tmp->next && tmp->next != tmp2)
90601+ tmp = tmp->next;
90602+ if (tmp->next == tmp2) {
90603+ /* from example above, we found 3, so just
90604+ replace this slot's chain with ours */
90605+ *curr = role;
90606+ } else {
90607+ /* we didn't find a subset of our role's chain
90608+ in the current slot's chain, so append their
90609+ chain to ours, and set us as the first role in
90610+ the slot's chain
90611+
90612+ we could fold this case with the case above,
90613+ but making it explicit for clarity
90614+ */
90615+ tmp->next = tmp2;
90616+ *curr = role;
90617+ }
90618+ }
90619+ }
90620+
90621+ return;
90622+}
90623+
90624+static void
90625+insert_acl_role_label(struct acl_role_label *role)
90626+{
90627+ int i;
90628+
90629+ if (polstate->role_list == NULL) {
90630+ polstate->role_list = role;
90631+ role->prev = NULL;
90632+ } else {
90633+ role->prev = polstate->role_list;
90634+ polstate->role_list = role;
90635+ }
90636+
90637+ /* used for hash chains */
90638+ role->next = NULL;
90639+
90640+ if (role->roletype & GR_ROLE_DOMAIN) {
90641+ for (i = 0; i < role->domain_child_num; i++)
90642+ __insert_acl_role_label(role, role->domain_children[i]);
90643+ } else
90644+ __insert_acl_role_label(role, role->uidgid);
90645+}
90646+
90647+static int
90648+insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted)
90649+{
90650+ struct name_entry **curr, *nentry;
90651+ struct inodev_entry *ientry;
90652+ unsigned int len = strlen(name);
90653+ unsigned int key = full_name_hash(name, len);
90654+ unsigned int index = key % polstate->name_set.n_size;
90655+
90656+ curr = &polstate->name_set.n_hash[index];
90657+
90658+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
90659+ curr = &((*curr)->next);
90660+
90661+ if (*curr != NULL)
90662+ return 1;
90663+
90664+ nentry = acl_alloc(sizeof (struct name_entry));
90665+ if (nentry == NULL)
90666+ return 0;
90667+ ientry = acl_alloc(sizeof (struct inodev_entry));
90668+ if (ientry == NULL)
90669+ return 0;
90670+ ientry->nentry = nentry;
90671+
90672+ nentry->key = key;
90673+ nentry->name = name;
90674+ nentry->inode = inode;
90675+ nentry->device = device;
90676+ nentry->len = len;
90677+ nentry->deleted = deleted;
90678+
90679+ nentry->prev = NULL;
90680+ curr = &polstate->name_set.n_hash[index];
90681+ if (*curr != NULL)
90682+ (*curr)->prev = nentry;
90683+ nentry->next = *curr;
90684+ *curr = nentry;
90685+
90686+ /* insert us into the table searchable by inode/dev */
90687+ __insert_inodev_entry(polstate, ientry);
90688+
90689+ return 1;
90690+}
90691+
90692+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
90693+
90694+static void *
90695+create_table(__u32 * len, int elementsize)
90696+{
90697+ unsigned int table_sizes[] = {
90698+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
90699+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
90700+ 4194301, 8388593, 16777213, 33554393, 67108859
90701+ };
90702+ void *newtable = NULL;
90703+ unsigned int pwr = 0;
90704+
90705+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
90706+ table_sizes[pwr] <= *len)
90707+ pwr++;
90708+
90709+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
90710+ return newtable;
90711+
90712+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
90713+ newtable =
90714+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
90715+ else
90716+ newtable = vmalloc(table_sizes[pwr] * elementsize);
90717+
90718+ *len = table_sizes[pwr];
90719+
90720+ return newtable;
90721+}
90722+
90723+static int
90724+init_variables(const struct gr_arg *arg, bool reload)
90725+{
90726+ struct task_struct *reaper = init_pid_ns.child_reaper;
90727+ unsigned int stacksize;
90728+
90729+ polstate->subj_map_set.s_size = arg->role_db.num_subjects;
90730+ polstate->acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
90731+ polstate->name_set.n_size = arg->role_db.num_objects;
90732+ polstate->inodev_set.i_size = arg->role_db.num_objects;
90733+
90734+ if (!polstate->subj_map_set.s_size || !polstate->acl_role_set.r_size ||
90735+ !polstate->name_set.n_size || !polstate->inodev_set.i_size)
90736+ return 1;
90737+
90738+ if (!reload) {
90739+ if (!gr_init_uidset())
90740+ return 1;
90741+ }
90742+
90743+ /* set up the stack that holds allocation info */
90744+
90745+ stacksize = arg->role_db.num_pointers + 5;
90746+
90747+ if (!acl_alloc_stack_init(stacksize))
90748+ return 1;
90749+
90750+ if (!reload) {
90751+ /* grab reference for the real root dentry and vfsmount */
90752+ get_fs_root(reaper->fs, &gr_real_root);
90753+
90754+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
90755+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", gr_get_dev_from_dentry(gr_real_root.dentry), gr_get_ino_from_dentry(gr_real_root.dentry));
90756+#endif
90757+
90758+ fakefs_obj_rw = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL);
90759+ if (fakefs_obj_rw == NULL)
90760+ return 1;
90761+ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
90762+
90763+ fakefs_obj_rwx = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL);
90764+ if (fakefs_obj_rwx == NULL)
90765+ return 1;
90766+ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
90767+ }
90768+
90769+ polstate->subj_map_set.s_hash =
90770+ (struct subject_map **) create_table(&polstate->subj_map_set.s_size, sizeof(void *));
90771+ polstate->acl_role_set.r_hash =
90772+ (struct acl_role_label **) create_table(&polstate->acl_role_set.r_size, sizeof(void *));
90773+ polstate->name_set.n_hash = (struct name_entry **) create_table(&polstate->name_set.n_size, sizeof(void *));
90774+ polstate->inodev_set.i_hash =
90775+ (struct inodev_entry **) create_table(&polstate->inodev_set.i_size, sizeof(void *));
90776+
90777+ if (!polstate->subj_map_set.s_hash || !polstate->acl_role_set.r_hash ||
90778+ !polstate->name_set.n_hash || !polstate->inodev_set.i_hash)
90779+ return 1;
90780+
90781+ memset(polstate->subj_map_set.s_hash, 0,
90782+ sizeof(struct subject_map *) * polstate->subj_map_set.s_size);
90783+ memset(polstate->acl_role_set.r_hash, 0,
90784+ sizeof (struct acl_role_label *) * polstate->acl_role_set.r_size);
90785+ memset(polstate->name_set.n_hash, 0,
90786+ sizeof (struct name_entry *) * polstate->name_set.n_size);
90787+ memset(polstate->inodev_set.i_hash, 0,
90788+ sizeof (struct inodev_entry *) * polstate->inodev_set.i_size);
90789+
90790+ return 0;
90791+}
90792+
90793+/* free information not needed after startup
90794+ currently contains user->kernel pointer mappings for subjects
90795+*/
90796+
90797+static void
90798+free_init_variables(void)
90799+{
90800+ __u32 i;
90801+
90802+ if (polstate->subj_map_set.s_hash) {
90803+ for (i = 0; i < polstate->subj_map_set.s_size; i++) {
90804+ if (polstate->subj_map_set.s_hash[i]) {
90805+ kfree(polstate->subj_map_set.s_hash[i]);
90806+ polstate->subj_map_set.s_hash[i] = NULL;
90807+ }
90808+ }
90809+
90810+ if ((polstate->subj_map_set.s_size * sizeof (struct subject_map *)) <=
90811+ PAGE_SIZE)
90812+ kfree(polstate->subj_map_set.s_hash);
90813+ else
90814+ vfree(polstate->subj_map_set.s_hash);
90815+ }
90816+
90817+ return;
90818+}
90819+
90820+static void
90821+free_variables(bool reload)
90822+{
90823+ struct acl_subject_label *s;
90824+ struct acl_role_label *r;
90825+ struct task_struct *task, *task2;
90826+ unsigned int x;
90827+
90828+ if (!reload) {
90829+ gr_clear_learn_entries();
90830+
90831+ read_lock(&tasklist_lock);
90832+ do_each_thread(task2, task) {
90833+ task->acl_sp_role = 0;
90834+ task->acl_role_id = 0;
90835+ task->inherited = 0;
90836+ task->acl = NULL;
90837+ task->role = NULL;
90838+ } while_each_thread(task2, task);
90839+ read_unlock(&tasklist_lock);
90840+
90841+ kfree(fakefs_obj_rw);
90842+ fakefs_obj_rw = NULL;
90843+ kfree(fakefs_obj_rwx);
90844+ fakefs_obj_rwx = NULL;
90845+
90846+ /* release the reference to the real root dentry and vfsmount */
90847+ path_put(&gr_real_root);
90848+ memset(&gr_real_root, 0, sizeof(gr_real_root));
90849+ }
90850+
90851+ /* free all object hash tables */
90852+
90853+ FOR_EACH_ROLE_START(r)
90854+ if (r->subj_hash == NULL)
90855+ goto next_role;
90856+ FOR_EACH_SUBJECT_START(r, s, x)
90857+ if (s->obj_hash == NULL)
90858+ break;
90859+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
90860+ kfree(s->obj_hash);
90861+ else
90862+ vfree(s->obj_hash);
90863+ FOR_EACH_SUBJECT_END(s, x)
90864+ FOR_EACH_NESTED_SUBJECT_START(r, s)
90865+ if (s->obj_hash == NULL)
90866+ break;
90867+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
90868+ kfree(s->obj_hash);
90869+ else
90870+ vfree(s->obj_hash);
90871+ FOR_EACH_NESTED_SUBJECT_END(s)
90872+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
90873+ kfree(r->subj_hash);
90874+ else
90875+ vfree(r->subj_hash);
90876+ r->subj_hash = NULL;
90877+next_role:
90878+ FOR_EACH_ROLE_END(r)
90879+
90880+ acl_free_all();
90881+
90882+ if (polstate->acl_role_set.r_hash) {
90883+ if ((polstate->acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
90884+ PAGE_SIZE)
90885+ kfree(polstate->acl_role_set.r_hash);
90886+ else
90887+ vfree(polstate->acl_role_set.r_hash);
90888+ }
90889+ if (polstate->name_set.n_hash) {
90890+ if ((polstate->name_set.n_size * sizeof (struct name_entry *)) <=
90891+ PAGE_SIZE)
90892+ kfree(polstate->name_set.n_hash);
90893+ else
90894+ vfree(polstate->name_set.n_hash);
90895+ }
90896+
90897+ if (polstate->inodev_set.i_hash) {
90898+ if ((polstate->inodev_set.i_size * sizeof (struct inodev_entry *)) <=
90899+ PAGE_SIZE)
90900+ kfree(polstate->inodev_set.i_hash);
90901+ else
90902+ vfree(polstate->inodev_set.i_hash);
90903+ }
90904+
90905+ if (!reload)
90906+ gr_free_uidset();
90907+
90908+ memset(&polstate->name_set, 0, sizeof (struct name_db));
90909+ memset(&polstate->inodev_set, 0, sizeof (struct inodev_db));
90910+ memset(&polstate->acl_role_set, 0, sizeof (struct acl_role_db));
90911+ memset(&polstate->subj_map_set, 0, sizeof (struct acl_subj_map_db));
90912+
90913+ polstate->default_role = NULL;
90914+ polstate->kernel_role = NULL;
90915+ polstate->role_list = NULL;
90916+
90917+ return;
90918+}
90919+
90920+static struct acl_subject_label *
90921+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
90922+
90923+static int alloc_and_copy_string(char **name, unsigned int maxlen)
90924+{
90925+ unsigned int len = strnlen_user(*name, maxlen);
90926+ char *tmp;
90927+
90928+ if (!len || len >= maxlen)
90929+ return -EINVAL;
90930+
90931+ if ((tmp = (char *) acl_alloc(len)) == NULL)
90932+ return -ENOMEM;
90933+
90934+ if (copy_from_user(tmp, *name, len))
90935+ return -EFAULT;
90936+
90937+ tmp[len-1] = '\0';
90938+ *name = tmp;
90939+
90940+ return 0;
90941+}
90942+
90943+static int
90944+copy_user_glob(struct acl_object_label *obj)
90945+{
90946+ struct acl_object_label *g_tmp, **guser;
90947+ int error;
90948+
90949+ if (obj->globbed == NULL)
90950+ return 0;
90951+
90952+ guser = &obj->globbed;
90953+ while (*guser) {
90954+ g_tmp = (struct acl_object_label *)
90955+ acl_alloc(sizeof (struct acl_object_label));
90956+ if (g_tmp == NULL)
90957+ return -ENOMEM;
90958+
90959+ if (copy_acl_object_label(g_tmp, *guser))
90960+ return -EFAULT;
90961+
90962+ error = alloc_and_copy_string(&g_tmp->filename, PATH_MAX);
90963+ if (error)
90964+ return error;
90965+
90966+ *guser = g_tmp;
90967+ guser = &(g_tmp->next);
90968+ }
90969+
90970+ return 0;
90971+}
90972+
90973+static int
90974+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
90975+ struct acl_role_label *role)
90976+{
90977+ struct acl_object_label *o_tmp;
90978+ int ret;
90979+
90980+ while (userp) {
90981+ if ((o_tmp = (struct acl_object_label *)
90982+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
90983+ return -ENOMEM;
90984+
90985+ if (copy_acl_object_label(o_tmp, userp))
90986+ return -EFAULT;
90987+
90988+ userp = o_tmp->prev;
90989+
90990+ ret = alloc_and_copy_string(&o_tmp->filename, PATH_MAX);
90991+ if (ret)
90992+ return ret;
90993+
90994+ insert_acl_obj_label(o_tmp, subj);
90995+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
90996+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
90997+ return -ENOMEM;
90998+
90999+ ret = copy_user_glob(o_tmp);
91000+ if (ret)
91001+ return ret;
91002+
91003+ if (o_tmp->nested) {
91004+ int already_copied;
91005+
91006+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
91007+ if (IS_ERR(o_tmp->nested))
91008+ return PTR_ERR(o_tmp->nested);
91009+
91010+ /* insert into nested subject list if we haven't copied this one yet
91011+ to prevent duplicate entries */
91012+ if (!already_copied) {
91013+ o_tmp->nested->next = role->hash->first;
91014+ role->hash->first = o_tmp->nested;
91015+ }
91016+ }
91017+ }
91018+
91019+ return 0;
91020+}
91021+
91022+static __u32
91023+count_user_subjs(struct acl_subject_label *userp)
91024+{
91025+ struct acl_subject_label s_tmp;
91026+ __u32 num = 0;
91027+
91028+ while (userp) {
91029+ if (copy_acl_subject_label(&s_tmp, userp))
91030+ break;
91031+
91032+ userp = s_tmp.prev;
91033+ }
91034+
91035+ return num;
91036+}
91037+
91038+static int
91039+copy_user_allowedips(struct acl_role_label *rolep)
91040+{
91041+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
91042+
91043+ ruserip = rolep->allowed_ips;
91044+
91045+ while (ruserip) {
91046+ rlast = rtmp;
91047+
91048+ if ((rtmp = (struct role_allowed_ip *)
91049+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
91050+ return -ENOMEM;
91051+
91052+ if (copy_role_allowed_ip(rtmp, ruserip))
91053+ return -EFAULT;
91054+
91055+ ruserip = rtmp->prev;
91056+
91057+ if (!rlast) {
91058+ rtmp->prev = NULL;
91059+ rolep->allowed_ips = rtmp;
91060+ } else {
91061+ rlast->next = rtmp;
91062+ rtmp->prev = rlast;
91063+ }
91064+
91065+ if (!ruserip)
91066+ rtmp->next = NULL;
91067+ }
91068+
91069+ return 0;
91070+}
91071+
91072+static int
91073+copy_user_transitions(struct acl_role_label *rolep)
91074+{
91075+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
91076+ int error;
91077+
91078+ rusertp = rolep->transitions;
91079+
91080+ while (rusertp) {
91081+ rlast = rtmp;
91082+
91083+ if ((rtmp = (struct role_transition *)
91084+ acl_alloc(sizeof (struct role_transition))) == NULL)
91085+ return -ENOMEM;
91086+
91087+ if (copy_role_transition(rtmp, rusertp))
91088+ return -EFAULT;
91089+
91090+ rusertp = rtmp->prev;
91091+
91092+ error = alloc_and_copy_string(&rtmp->rolename, GR_SPROLE_LEN);
91093+ if (error)
91094+ return error;
91095+
91096+ if (!rlast) {
91097+ rtmp->prev = NULL;
91098+ rolep->transitions = rtmp;
91099+ } else {
91100+ rlast->next = rtmp;
91101+ rtmp->prev = rlast;
91102+ }
91103+
91104+ if (!rusertp)
91105+ rtmp->next = NULL;
91106+ }
91107+
91108+ return 0;
91109+}
91110+
91111+static __u32 count_user_objs(const struct acl_object_label __user *userp)
91112+{
91113+ struct acl_object_label o_tmp;
91114+ __u32 num = 0;
91115+
91116+ while (userp) {
91117+ if (copy_acl_object_label(&o_tmp, userp))
91118+ break;
91119+
91120+ userp = o_tmp.prev;
91121+ num++;
91122+ }
91123+
91124+ return num;
91125+}
91126+
91127+static struct acl_subject_label *
91128+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
91129+{
91130+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
91131+ __u32 num_objs;
91132+ struct acl_ip_label **i_tmp, *i_utmp2;
91133+ struct gr_hash_struct ghash;
91134+ struct subject_map *subjmap;
91135+ unsigned int i_num;
91136+ int err;
91137+
91138+ if (already_copied != NULL)
91139+ *already_copied = 0;
91140+
91141+ s_tmp = lookup_subject_map(userp);
91142+
91143+ /* we've already copied this subject into the kernel, just return
91144+ the reference to it, and don't copy it over again
91145+ */
91146+ if (s_tmp) {
91147+ if (already_copied != NULL)
91148+ *already_copied = 1;
91149+ return(s_tmp);
91150+ }
91151+
91152+ if ((s_tmp = (struct acl_subject_label *)
91153+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
91154+ return ERR_PTR(-ENOMEM);
91155+
91156+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
91157+ if (subjmap == NULL)
91158+ return ERR_PTR(-ENOMEM);
91159+
91160+ subjmap->user = userp;
91161+ subjmap->kernel = s_tmp;
91162+ insert_subj_map_entry(subjmap);
91163+
91164+ if (copy_acl_subject_label(s_tmp, userp))
91165+ return ERR_PTR(-EFAULT);
91166+
91167+ err = alloc_and_copy_string(&s_tmp->filename, PATH_MAX);
91168+ if (err)
91169+ return ERR_PTR(err);
91170+
91171+ if (!strcmp(s_tmp->filename, "/"))
91172+ role->root_label = s_tmp;
91173+
91174+ if (copy_gr_hash_struct(&ghash, s_tmp->hash))
91175+ return ERR_PTR(-EFAULT);
91176+
91177+ /* copy user and group transition tables */
91178+
91179+ if (s_tmp->user_trans_num) {
91180+ uid_t *uidlist;
91181+
91182+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
91183+ if (uidlist == NULL)
91184+ return ERR_PTR(-ENOMEM);
91185+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
91186+ return ERR_PTR(-EFAULT);
91187+
91188+ s_tmp->user_transitions = uidlist;
91189+ }
91190+
91191+ if (s_tmp->group_trans_num) {
91192+ gid_t *gidlist;
91193+
91194+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
91195+ if (gidlist == NULL)
91196+ return ERR_PTR(-ENOMEM);
91197+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
91198+ return ERR_PTR(-EFAULT);
91199+
91200+ s_tmp->group_transitions = gidlist;
91201+ }
91202+
91203+ /* set up object hash table */
91204+ num_objs = count_user_objs(ghash.first);
91205+
91206+ s_tmp->obj_hash_size = num_objs;
91207+ s_tmp->obj_hash =
91208+ (struct acl_object_label **)
91209+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
91210+
91211+ if (!s_tmp->obj_hash)
91212+ return ERR_PTR(-ENOMEM);
91213+
91214+ memset(s_tmp->obj_hash, 0,
91215+ s_tmp->obj_hash_size *
91216+ sizeof (struct acl_object_label *));
91217+
91218+ /* add in objects */
91219+ err = copy_user_objs(ghash.first, s_tmp, role);
91220+
91221+ if (err)
91222+ return ERR_PTR(err);
91223+
91224+ /* set pointer for parent subject */
91225+ if (s_tmp->parent_subject) {
91226+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
91227+
91228+ if (IS_ERR(s_tmp2))
91229+ return s_tmp2;
91230+
91231+ s_tmp->parent_subject = s_tmp2;
91232+ }
91233+
91234+ /* add in ip acls */
91235+
91236+ if (!s_tmp->ip_num) {
91237+ s_tmp->ips = NULL;
91238+ goto insert;
91239+ }
91240+
91241+ i_tmp =
91242+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
91243+ sizeof (struct acl_ip_label *));
91244+
91245+ if (!i_tmp)
91246+ return ERR_PTR(-ENOMEM);
91247+
91248+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
91249+ *(i_tmp + i_num) =
91250+ (struct acl_ip_label *)
91251+ acl_alloc(sizeof (struct acl_ip_label));
91252+ if (!*(i_tmp + i_num))
91253+ return ERR_PTR(-ENOMEM);
91254+
91255+ if (copy_pointer_from_array(&i_utmp2, i_num, s_tmp->ips))
91256+ return ERR_PTR(-EFAULT);
91257+
91258+ if (copy_acl_ip_label(*(i_tmp + i_num), i_utmp2))
91259+ return ERR_PTR(-EFAULT);
91260+
91261+ if ((*(i_tmp + i_num))->iface == NULL)
91262+ continue;
91263+
91264+ err = alloc_and_copy_string(&(*(i_tmp + i_num))->iface, IFNAMSIZ);
91265+ if (err)
91266+ return ERR_PTR(err);
91267+ }
91268+
91269+ s_tmp->ips = i_tmp;
91270+
91271+insert:
91272+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
91273+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
91274+ return ERR_PTR(-ENOMEM);
91275+
91276+ return s_tmp;
91277+}
91278+
91279+static int
91280+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
91281+{
91282+ struct acl_subject_label s_pre;
91283+ struct acl_subject_label * ret;
91284+ int err;
91285+
91286+ while (userp) {
91287+ if (copy_acl_subject_label(&s_pre, userp))
91288+ return -EFAULT;
91289+
91290+ ret = do_copy_user_subj(userp, role, NULL);
91291+
91292+ err = PTR_ERR(ret);
91293+ if (IS_ERR(ret))
91294+ return err;
91295+
91296+ insert_acl_subj_label(ret, role);
91297+
91298+ userp = s_pre.prev;
91299+ }
91300+
91301+ return 0;
91302+}
91303+
91304+static int
91305+copy_user_acl(struct gr_arg *arg)
91306+{
91307+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
91308+ struct acl_subject_label *subj_list;
91309+ struct sprole_pw *sptmp;
91310+ struct gr_hash_struct *ghash;
91311+ uid_t *domainlist;
91312+ unsigned int r_num;
91313+ int err = 0;
91314+ __u16 i;
91315+ __u32 num_subjs;
91316+
91317+ /* we need a default and kernel role */
91318+ if (arg->role_db.num_roles < 2)
91319+ return -EINVAL;
91320+
91321+ /* copy special role authentication info from userspace */
91322+
91323+ polstate->num_sprole_pws = arg->num_sprole_pws;
91324+ polstate->acl_special_roles = (struct sprole_pw **) acl_alloc_num(polstate->num_sprole_pws, sizeof(struct sprole_pw *));
91325+
91326+ if (!polstate->acl_special_roles && polstate->num_sprole_pws)
91327+ return -ENOMEM;
91328+
91329+ for (i = 0; i < polstate->num_sprole_pws; i++) {
91330+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
91331+ if (!sptmp)
91332+ return -ENOMEM;
91333+ if (copy_sprole_pw(sptmp, i, arg->sprole_pws))
91334+ return -EFAULT;
91335+
91336+ err = alloc_and_copy_string((char **)&sptmp->rolename, GR_SPROLE_LEN);
91337+ if (err)
91338+ return err;
91339+
91340+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
91341+ printk(KERN_ALERT "Copying special role %s\n", sptmp->rolename);
91342+#endif
91343+
91344+ polstate->acl_special_roles[i] = sptmp;
91345+ }
91346+
91347+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
91348+
91349+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
91350+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
91351+
91352+ if (!r_tmp)
91353+ return -ENOMEM;
91354+
91355+ if (copy_pointer_from_array(&r_utmp2, r_num, r_utmp))
91356+ return -EFAULT;
91357+
91358+ if (copy_acl_role_label(r_tmp, r_utmp2))
91359+ return -EFAULT;
91360+
91361+ err = alloc_and_copy_string(&r_tmp->rolename, GR_SPROLE_LEN);
91362+ if (err)
91363+ return err;
91364+
91365+ if (!strcmp(r_tmp->rolename, "default")
91366+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
91367+ polstate->default_role = r_tmp;
91368+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
91369+ polstate->kernel_role = r_tmp;
91370+ }
91371+
91372+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL)
91373+ return -ENOMEM;
91374+
91375+ if (copy_gr_hash_struct(ghash, r_tmp->hash))
91376+ return -EFAULT;
91377+
91378+ r_tmp->hash = ghash;
91379+
91380+ num_subjs = count_user_subjs(r_tmp->hash->first);
91381+
91382+ r_tmp->subj_hash_size = num_subjs;
91383+ r_tmp->subj_hash =
91384+ (struct acl_subject_label **)
91385+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
91386+
91387+ if (!r_tmp->subj_hash)
91388+ return -ENOMEM;
91389+
91390+ err = copy_user_allowedips(r_tmp);
91391+ if (err)
91392+ return err;
91393+
91394+ /* copy domain info */
91395+ if (r_tmp->domain_children != NULL) {
91396+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
91397+ if (domainlist == NULL)
91398+ return -ENOMEM;
91399+
91400+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t)))
91401+ return -EFAULT;
91402+
91403+ r_tmp->domain_children = domainlist;
91404+ }
91405+
91406+ err = copy_user_transitions(r_tmp);
91407+ if (err)
91408+ return err;
91409+
91410+ memset(r_tmp->subj_hash, 0,
91411+ r_tmp->subj_hash_size *
91412+ sizeof (struct acl_subject_label *));
91413+
91414+ /* acquire the list of subjects, then NULL out
91415+ the list prior to parsing the subjects for this role,
91416+ as during this parsing the list is replaced with a list
91417+ of *nested* subjects for the role
91418+ */
91419+ subj_list = r_tmp->hash->first;
91420+
91421+ /* set nested subject list to null */
91422+ r_tmp->hash->first = NULL;
91423+
91424+ err = copy_user_subjs(subj_list, r_tmp);
91425+
91426+ if (err)
91427+ return err;
91428+
91429+ insert_acl_role_label(r_tmp);
91430+ }
91431+
91432+ if (polstate->default_role == NULL || polstate->kernel_role == NULL)
91433+ return -EINVAL;
91434+
91435+ return err;
91436+}
91437+
91438+static int gracl_reload_apply_policies(void *reload)
91439+{
91440+ struct gr_reload_state *reload_state = (struct gr_reload_state *)reload;
91441+ struct task_struct *task, *task2;
91442+ struct acl_role_label *role, *rtmp;
91443+ struct acl_subject_label *subj;
91444+ const struct cred *cred;
91445+ int role_applied;
91446+ int ret = 0;
91447+
91448+ memcpy(&reload_state->oldpolicy, reload_state->oldpolicy_ptr, sizeof(struct gr_policy_state));
91449+ memcpy(&reload_state->oldalloc, reload_state->oldalloc_ptr, sizeof(struct gr_alloc_state));
91450+
91451+ /* first make sure we'll be able to apply the new policy cleanly */
91452+ do_each_thread(task2, task) {
91453+ if (task->exec_file == NULL)
91454+ continue;
91455+ role_applied = 0;
91456+ if (!reload_state->oldmode && task->role->roletype & GR_ROLE_SPECIAL) {
91457+ /* preserve special roles */
91458+ FOR_EACH_ROLE_START(role)
91459+ if ((role->roletype & GR_ROLE_SPECIAL) && !strcmp(task->role->rolename, role->rolename)) {
91460+ rtmp = task->role;
91461+ task->role = role;
91462+ role_applied = 1;
91463+ break;
91464+ }
91465+ FOR_EACH_ROLE_END(role)
91466+ }
91467+ if (!role_applied) {
91468+ cred = __task_cred(task);
91469+ rtmp = task->role;
91470+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
91471+ }
91472+ /* this handles non-nested inherited subjects, nested subjects will still
91473+ be dropped currently */
91474+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
91475+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1);
91476+ /* change the role back so that we've made no modifications to the policy */
91477+ task->role = rtmp;
91478+
91479+ if (subj == NULL || task->tmpacl == NULL) {
91480+ ret = -EINVAL;
91481+ goto out;
91482+ }
91483+ } while_each_thread(task2, task);
91484+
91485+ /* now actually apply the policy */
91486+
91487+ do_each_thread(task2, task) {
91488+ if (task->exec_file) {
91489+ role_applied = 0;
91490+ if (!reload_state->oldmode && task->role->roletype & GR_ROLE_SPECIAL) {
91491+ /* preserve special roles */
91492+ FOR_EACH_ROLE_START(role)
91493+ if ((role->roletype & GR_ROLE_SPECIAL) && !strcmp(task->role->rolename, role->rolename)) {
91494+ task->role = role;
91495+ role_applied = 1;
91496+ break;
91497+ }
91498+ FOR_EACH_ROLE_END(role)
91499+ }
91500+ if (!role_applied) {
91501+ cred = __task_cred(task);
91502+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
91503+ }
91504+ /* this handles non-nested inherited subjects, nested subjects will still
91505+ be dropped currently */
91506+ if (!reload_state->oldmode && task->inherited)
91507+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
91508+ else {
91509+ /* looked up and tagged to the task previously */
91510+ subj = task->tmpacl;
91511+ }
91512+ /* subj will be non-null */
91513+ __gr_apply_subject_to_task(polstate, task, subj);
91514+ if (reload_state->oldmode) {
91515+ task->acl_role_id = 0;
91516+ task->acl_sp_role = 0;
91517+ task->inherited = 0;
91518+ }
91519+ } else {
91520+ // it's a kernel process
91521+ task->role = polstate->kernel_role;
91522+ task->acl = polstate->kernel_role->root_label;
91523+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
91524+ task->acl->mode &= ~GR_PROCFIND;
91525+#endif
91526+ }
91527+ } while_each_thread(task2, task);
91528+
91529+ memcpy(reload_state->oldpolicy_ptr, &reload_state->newpolicy, sizeof(struct gr_policy_state));
91530+ memcpy(reload_state->oldalloc_ptr, &reload_state->newalloc, sizeof(struct gr_alloc_state));
91531+
91532+out:
91533+
91534+ return ret;
91535+}
91536+
91537+static int gracl_reload(struct gr_arg *args, unsigned char oldmode)
91538+{
91539+ struct gr_reload_state new_reload_state = { };
91540+ int err;
91541+
91542+ new_reload_state.oldpolicy_ptr = polstate;
91543+ new_reload_state.oldalloc_ptr = current_alloc_state;
91544+ new_reload_state.oldmode = oldmode;
91545+
91546+ current_alloc_state = &new_reload_state.newalloc;
91547+ polstate = &new_reload_state.newpolicy;
91548+
91549+ /* everything relevant is now saved off, copy in the new policy */
91550+ if (init_variables(args, true)) {
91551+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
91552+ err = -ENOMEM;
91553+ goto error;
91554+ }
91555+
91556+ err = copy_user_acl(args);
91557+ free_init_variables();
91558+ if (err)
91559+ goto error;
91560+ /* the new policy is copied in, with the old policy available via saved_state
91561+ first go through applying roles, making sure to preserve special roles
91562+ then apply new subjects, making sure to preserve inherited and nested subjects,
91563+ though currently only inherited subjects will be preserved
91564+ */
91565+ err = stop_machine(gracl_reload_apply_policies, &new_reload_state, NULL);
91566+ if (err)
91567+ goto error;
91568+
91569+ /* we've now applied the new policy, so restore the old policy state to free it */
91570+ polstate = &new_reload_state.oldpolicy;
91571+ current_alloc_state = &new_reload_state.oldalloc;
91572+ free_variables(true);
91573+
91574+ /* oldpolicy/oldalloc_ptr point to the new policy/alloc states as they were copied
91575+ to running_polstate/current_alloc_state inside stop_machine
91576+ */
91577+ err = 0;
91578+ goto out;
91579+error:
91580+ /* on error of loading the new policy, we'll just keep the previous
91581+ policy set around
91582+ */
91583+ free_variables(true);
91584+
91585+ /* doesn't affect runtime, but maintains consistent state */
91586+out:
91587+ polstate = new_reload_state.oldpolicy_ptr;
91588+ current_alloc_state = new_reload_state.oldalloc_ptr;
91589+
91590+ return err;
91591+}
91592+
91593+static int
91594+gracl_init(struct gr_arg *args)
91595+{
91596+ int error = 0;
91597+
91598+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
91599+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
91600+
91601+ if (init_variables(args, false)) {
91602+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
91603+ error = -ENOMEM;
91604+ goto out;
91605+ }
91606+
91607+ error = copy_user_acl(args);
91608+ free_init_variables();
91609+ if (error)
91610+ goto out;
91611+
91612+ error = gr_set_acls(0);
91613+ if (error)
91614+ goto out;
91615+
91616+ gr_enable_rbac_system();
91617+
91618+ return 0;
91619+
91620+out:
91621+ free_variables(false);
91622+ return error;
91623+}
91624+
91625+static int
91626+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
91627+ unsigned char **sum)
91628+{
91629+ struct acl_role_label *r;
91630+ struct role_allowed_ip *ipp;
91631+ struct role_transition *trans;
91632+ unsigned int i;
91633+ int found = 0;
91634+ u32 curr_ip = current->signal->curr_ip;
91635+
91636+ current->signal->saved_ip = curr_ip;
91637+
91638+ /* check transition table */
91639+
91640+ for (trans = current->role->transitions; trans; trans = trans->next) {
91641+ if (!strcmp(rolename, trans->rolename)) {
91642+ found = 1;
91643+ break;
91644+ }
91645+ }
91646+
91647+ if (!found)
91648+ return 0;
91649+
91650+ /* handle special roles that do not require authentication
91651+ and check ip */
91652+
91653+ FOR_EACH_ROLE_START(r)
91654+ if (!strcmp(rolename, r->rolename) &&
91655+ (r->roletype & GR_ROLE_SPECIAL)) {
91656+ found = 0;
91657+ if (r->allowed_ips != NULL) {
91658+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
91659+ if ((ntohl(curr_ip) & ipp->netmask) ==
91660+ (ntohl(ipp->addr) & ipp->netmask))
91661+ found = 1;
91662+ }
91663+ } else
91664+ found = 2;
91665+ if (!found)
91666+ return 0;
91667+
91668+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
91669+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
91670+ *salt = NULL;
91671+ *sum = NULL;
91672+ return 1;
91673+ }
91674+ }
91675+ FOR_EACH_ROLE_END(r)
91676+
91677+ for (i = 0; i < polstate->num_sprole_pws; i++) {
91678+ if (!strcmp(rolename, polstate->acl_special_roles[i]->rolename)) {
91679+ *salt = polstate->acl_special_roles[i]->salt;
91680+ *sum = polstate->acl_special_roles[i]->sum;
91681+ return 1;
91682+ }
91683+ }
91684+
91685+ return 0;
91686+}
91687+
91688+int gr_check_secure_terminal(struct task_struct *task)
91689+{
91690+ struct task_struct *p, *p2, *p3;
91691+ struct files_struct *files;
91692+ struct fdtable *fdt;
91693+ struct file *our_file = NULL, *file;
91694+ struct inode *our_inode = NULL;
91695+ int i;
91696+
91697+ if (task->signal->tty == NULL)
91698+ return 1;
91699+
91700+ files = get_files_struct(task);
91701+ if (files != NULL) {
91702+ rcu_read_lock();
91703+ fdt = files_fdtable(files);
91704+ for (i=0; i < fdt->max_fds; i++) {
91705+ file = fcheck_files(files, i);
91706+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
91707+ get_file(file);
91708+ our_file = file;
91709+ }
91710+ }
91711+ rcu_read_unlock();
91712+ put_files_struct(files);
91713+ }
91714+
91715+ if (our_file == NULL)
91716+ return 1;
91717+
91718+ our_inode = d_backing_inode(our_file->f_path.dentry);
91719+
91720+ read_lock(&tasklist_lock);
91721+ do_each_thread(p2, p) {
91722+ files = get_files_struct(p);
91723+ if (files == NULL ||
91724+ (p->signal && p->signal->tty == task->signal->tty)) {
91725+ if (files != NULL)
91726+ put_files_struct(files);
91727+ continue;
91728+ }
91729+ rcu_read_lock();
91730+ fdt = files_fdtable(files);
91731+ for (i=0; i < fdt->max_fds; i++) {
91732+ struct inode *inode = NULL;
91733+ file = fcheck_files(files, i);
91734+ if (file)
91735+ inode = d_backing_inode(file->f_path.dentry);
91736+ if (inode && S_ISCHR(inode->i_mode) && inode->i_rdev == our_inode->i_rdev) {
91737+ p3 = task;
91738+ while (task_pid_nr(p3) > 0) {
91739+ if (p3 == p)
91740+ break;
91741+ p3 = p3->real_parent;
91742+ }
91743+ if (p3 == p)
91744+ break;
91745+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
91746+ gr_handle_alertkill(p);
91747+ rcu_read_unlock();
91748+ put_files_struct(files);
91749+ read_unlock(&tasklist_lock);
91750+ fput(our_file);
91751+ return 0;
91752+ }
91753+ }
91754+ rcu_read_unlock();
91755+ put_files_struct(files);
91756+ } while_each_thread(p2, p);
91757+ read_unlock(&tasklist_lock);
91758+
91759+ fput(our_file);
91760+ return 1;
91761+}
91762+
91763+ssize_t
91764+write_grsec_handler(struct file *file, const char __user * buf, size_t count, loff_t *ppos)
91765+{
91766+ struct gr_arg_wrapper uwrap;
91767+ unsigned char *sprole_salt = NULL;
91768+ unsigned char *sprole_sum = NULL;
91769+ int error = 0;
91770+ int error2 = 0;
91771+ size_t req_count = 0;
91772+ unsigned char oldmode = 0;
91773+
91774+ mutex_lock(&gr_dev_mutex);
91775+
91776+ if (gr_acl_is_enabled() && !(current->acl->mode & GR_KERNELAUTH)) {
91777+ error = -EPERM;
91778+ goto out;
91779+ }
91780+
91781+#ifdef CONFIG_COMPAT
91782+ pax_open_kernel();
91783+ if (is_compat_task()) {
91784+ copy_gr_arg_wrapper = &copy_gr_arg_wrapper_compat;
91785+ copy_gr_arg = &copy_gr_arg_compat;
91786+ copy_acl_object_label = &copy_acl_object_label_compat;
91787+ copy_acl_subject_label = &copy_acl_subject_label_compat;
91788+ copy_acl_role_label = &copy_acl_role_label_compat;
91789+ copy_acl_ip_label = &copy_acl_ip_label_compat;
91790+ copy_role_allowed_ip = &copy_role_allowed_ip_compat;
91791+ copy_role_transition = &copy_role_transition_compat;
91792+ copy_sprole_pw = &copy_sprole_pw_compat;
91793+ copy_gr_hash_struct = &copy_gr_hash_struct_compat;
91794+ copy_pointer_from_array = &copy_pointer_from_array_compat;
91795+ get_gr_arg_wrapper_size = &get_gr_arg_wrapper_size_compat;
91796+ } else {
91797+ copy_gr_arg_wrapper = &copy_gr_arg_wrapper_normal;
91798+ copy_gr_arg = &copy_gr_arg_normal;
91799+ copy_acl_object_label = &copy_acl_object_label_normal;
91800+ copy_acl_subject_label = &copy_acl_subject_label_normal;
91801+ copy_acl_role_label = &copy_acl_role_label_normal;
91802+ copy_acl_ip_label = &copy_acl_ip_label_normal;
91803+ copy_role_allowed_ip = &copy_role_allowed_ip_normal;
91804+ copy_role_transition = &copy_role_transition_normal;
91805+ copy_sprole_pw = &copy_sprole_pw_normal;
91806+ copy_gr_hash_struct = &copy_gr_hash_struct_normal;
91807+ copy_pointer_from_array = &copy_pointer_from_array_normal;
91808+ get_gr_arg_wrapper_size = &get_gr_arg_wrapper_size_normal;
91809+ }
91810+ pax_close_kernel();
91811+#endif
91812+
91813+ req_count = get_gr_arg_wrapper_size();
91814+
91815+ if (count != req_count) {
91816+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)req_count);
91817+ error = -EINVAL;
91818+ goto out;
91819+ }
91820+
91821+
91822+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
91823+ gr_auth_expires = 0;
91824+ gr_auth_attempts = 0;
91825+ }
91826+
91827+ error = copy_gr_arg_wrapper(buf, &uwrap);
91828+ if (error)
91829+ goto out;
91830+
91831+ error = copy_gr_arg(uwrap.arg, gr_usermode);
91832+ if (error)
91833+ goto out;
91834+
91835+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
91836+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
91837+ time_after(gr_auth_expires, get_seconds())) {
91838+ error = -EBUSY;
91839+ goto out;
91840+ }
91841+
91842+ /* if non-root trying to do anything other than use a special role,
91843+ do not attempt authentication, do not count towards authentication
91844+ locking
91845+ */
91846+
91847+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
91848+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
91849+ gr_is_global_nonroot(current_uid())) {
91850+ error = -EPERM;
91851+ goto out;
91852+ }
91853+
91854+ /* ensure pw and special role name are null terminated */
91855+
91856+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
91857+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
91858+
91859+ /* Okay.
91860+ * We have our enough of the argument structure..(we have yet
91861+ * to copy_from_user the tables themselves) . Copy the tables
91862+ * only if we need them, i.e. for loading operations. */
91863+
91864+ switch (gr_usermode->mode) {
91865+ case GR_STATUS:
91866+ if (gr_acl_is_enabled()) {
91867+ error = 1;
91868+ if (!gr_check_secure_terminal(current))
91869+ error = 3;
91870+ } else
91871+ error = 2;
91872+ goto out;
91873+ case GR_SHUTDOWN:
91874+ if (gr_acl_is_enabled() && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91875+ stop_machine(gr_rbac_disable, NULL, NULL);
91876+ free_variables(false);
91877+ memset(gr_usermode, 0, sizeof(struct gr_arg));
91878+ memset(gr_system_salt, 0, GR_SALT_LEN);
91879+ memset(gr_system_sum, 0, GR_SHA_LEN);
91880+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
91881+ } else if (gr_acl_is_enabled()) {
91882+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
91883+ error = -EPERM;
91884+ } else {
91885+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
91886+ error = -EAGAIN;
91887+ }
91888+ break;
91889+ case GR_ENABLE:
91890+ if (!gr_acl_is_enabled() && !(error2 = gracl_init(gr_usermode)))
91891+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
91892+ else {
91893+ if (gr_acl_is_enabled())
91894+ error = -EAGAIN;
91895+ else
91896+ error = error2;
91897+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
91898+ }
91899+ break;
91900+ case GR_OLDRELOAD:
91901+ oldmode = 1;
91902+ case GR_RELOAD:
91903+ if (!gr_acl_is_enabled()) {
91904+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
91905+ error = -EAGAIN;
91906+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91907+ error2 = gracl_reload(gr_usermode, oldmode);
91908+ if (!error2)
91909+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
91910+ else {
91911+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
91912+ error = error2;
91913+ }
91914+ } else {
91915+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
91916+ error = -EPERM;
91917+ }
91918+ break;
91919+ case GR_SEGVMOD:
91920+ if (unlikely(!gr_acl_is_enabled())) {
91921+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
91922+ error = -EAGAIN;
91923+ break;
91924+ }
91925+
91926+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91927+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
91928+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
91929+ struct acl_subject_label *segvacl;
91930+ segvacl =
91931+ lookup_acl_subj_label(gr_usermode->segv_inode,
91932+ gr_usermode->segv_device,
91933+ current->role);
91934+ if (segvacl) {
91935+ segvacl->crashes = 0;
91936+ segvacl->expires = 0;
91937+ }
91938+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
91939+ gr_remove_uid(gr_usermode->segv_uid);
91940+ }
91941+ } else {
91942+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
91943+ error = -EPERM;
91944+ }
91945+ break;
91946+ case GR_SPROLE:
91947+ case GR_SPROLEPAM:
91948+ if (unlikely(!gr_acl_is_enabled())) {
91949+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
91950+ error = -EAGAIN;
91951+ break;
91952+ }
91953+
91954+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
91955+ current->role->expires = 0;
91956+ current->role->auth_attempts = 0;
91957+ }
91958+
91959+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
91960+ time_after(current->role->expires, get_seconds())) {
91961+ error = -EBUSY;
91962+ goto out;
91963+ }
91964+
91965+ if (lookup_special_role_auth
91966+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
91967+ && ((!sprole_salt && !sprole_sum)
91968+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
91969+ char *p = "";
91970+ assign_special_role(gr_usermode->sp_role);
91971+ read_lock(&tasklist_lock);
91972+ if (current->real_parent)
91973+ p = current->real_parent->role->rolename;
91974+ read_unlock(&tasklist_lock);
91975+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
91976+ p, acl_sp_role_value);
91977+ } else {
91978+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
91979+ error = -EPERM;
91980+ if(!(current->role->auth_attempts++))
91981+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
91982+
91983+ goto out;
91984+ }
91985+ break;
91986+ case GR_UNSPROLE:
91987+ if (unlikely(!gr_acl_is_enabled())) {
91988+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
91989+ error = -EAGAIN;
91990+ break;
91991+ }
91992+
91993+ if (current->role->roletype & GR_ROLE_SPECIAL) {
91994+ char *p = "";
91995+ int i = 0;
91996+
91997+ read_lock(&tasklist_lock);
91998+ if (current->real_parent) {
91999+ p = current->real_parent->role->rolename;
92000+ i = current->real_parent->acl_role_id;
92001+ }
92002+ read_unlock(&tasklist_lock);
92003+
92004+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
92005+ gr_set_acls(1);
92006+ } else {
92007+ error = -EPERM;
92008+ goto out;
92009+ }
92010+ break;
92011+ default:
92012+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
92013+ error = -EINVAL;
92014+ break;
92015+ }
92016+
92017+ if (error != -EPERM)
92018+ goto out;
92019+
92020+ if(!(gr_auth_attempts++))
92021+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
92022+
92023+ out:
92024+ mutex_unlock(&gr_dev_mutex);
92025+
92026+ if (!error)
92027+ error = req_count;
92028+
92029+ return error;
92030+}
92031+
92032+int
92033+gr_set_acls(const int type)
92034+{
92035+ struct task_struct *task, *task2;
92036+ struct acl_role_label *role = current->role;
92037+ struct acl_subject_label *subj;
92038+ __u16 acl_role_id = current->acl_role_id;
92039+ const struct cred *cred;
92040+ int ret;
92041+
92042+ rcu_read_lock();
92043+ read_lock(&tasklist_lock);
92044+ read_lock(&grsec_exec_file_lock);
92045+ do_each_thread(task2, task) {
92046+ /* check to see if we're called from the exit handler,
92047+ if so, only replace ACLs that have inherited the admin
92048+ ACL */
92049+
92050+ if (type && (task->role != role ||
92051+ task->acl_role_id != acl_role_id))
92052+ continue;
92053+
92054+ task->acl_role_id = 0;
92055+ task->acl_sp_role = 0;
92056+ task->inherited = 0;
92057+
92058+ if (task->exec_file) {
92059+ cred = __task_cred(task);
92060+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
92061+ subj = __gr_get_subject_for_task(polstate, task, NULL, 1);
92062+ if (subj == NULL) {
92063+ ret = -EINVAL;
92064+ read_unlock(&grsec_exec_file_lock);
92065+ read_unlock(&tasklist_lock);
92066+ rcu_read_unlock();
92067+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task_pid_nr(task));
92068+ return ret;
92069+ }
92070+ __gr_apply_subject_to_task(polstate, task, subj);
92071+ } else {
92072+ // it's a kernel process
92073+ task->role = polstate->kernel_role;
92074+ task->acl = polstate->kernel_role->root_label;
92075+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
92076+ task->acl->mode &= ~GR_PROCFIND;
92077+#endif
92078+ }
92079+ } while_each_thread(task2, task);
92080+ read_unlock(&grsec_exec_file_lock);
92081+ read_unlock(&tasklist_lock);
92082+ rcu_read_unlock();
92083+
92084+ return 0;
92085+}
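diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c
new file mode 100644
index 0000000..39645c9
--- /dev/null
+++ b/grsecurity/gracl_res.c
@@ -0,0 +1,68 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
+#include <linux/grinternal.h>
+
+static const char *restab_log[] = {
+ [RLIMIT_CPU] = "RLIMIT_CPU",
+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
+ [RLIMIT_DATA] = "RLIMIT_DATA",
+ [RLIMIT_STACK] = "RLIMIT_STACK",
+ [RLIMIT_CORE] = "RLIMIT_CORE",
+ [RLIMIT_RSS] = "RLIMIT_RSS",
+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
+ [RLIMIT_AS] = "RLIMIT_AS",
+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
+ [RLIMIT_NICE] = "RLIMIT_NICE",
+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
+ [GR_CRASH_RES] = "RLIMIT_CRASH"
+};
+
+void
+gr_log_resource(const struct task_struct *task,
+ const int res, const unsigned long wanted, const int gt)
+{
+ const struct cred *cred;
+ unsigned long rlim;
+
+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
+ return;
+
+ // not yet supported resource
+ if (unlikely(!restab_log[res]))
+ return;
+
+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
+ rlim = task_rlimit_max(task, res);
+ else
+ rlim = task_rlimit(task, res);
+
+ if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
+ return;
+
+ rcu_read_lock();
+ cred = __task_cred(task);
+
+ if (res == RLIMIT_NPROC &&
+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
+ goto out_rcu_unlock;
+ else if (res == RLIMIT_MEMLOCK &&
+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
+ goto out_rcu_unlock;
+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
+ goto out_rcu_unlock;
+ rcu_read_unlock();
+
+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
+
+ return;
+out_rcu_unlock:
+ rcu_read_unlock();
+ return;
+}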
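Review bot: In gr_log_resource, `restab_log[res]` is read with no range check on `res`, so a value that is negative or beyond the last initialised entry (`GR_CRASH_RES`) reads outside the table before the `!restab_log[res]` test can reject it. The callers are not in this file, so whether every caller passes a valid RLIMIT_* constant cannot be confirmed here; a cheap guard such as `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res])) return;` keeps the logging path safe regardless. The table itself could also be declared `static const char * const restab_log[]` so the pointers are read-only as well as the strings.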
92160diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
92161new file mode 100644
92162index 0000000..21646aa
92163--- /dev/null
92164+++ b/grsecurity/gracl_segv.c
92165@@ -0,0 +1,304 @@
92166+#include <linux/kernel.h>
92167+#include <linux/mm.h>
92168+#include <asm/uaccess.h>
92169+#include <asm/errno.h>
92170+#include <asm/mman.h>
92171+#include <net/sock.h>
92172+#include <linux/file.h>
92173+#include <linux/fs.h>
92174+#include <linux/net.h>
92175+#include <linux/in.h>
92176+#include <linux/slab.h>
92177+#include <linux/types.h>
92178+#include <linux/sched.h>
92179+#include <linux/timer.h>
92180+#include <linux/gracl.h>
92181+#include <linux/grsecurity.h>
92182+#include <linux/grinternal.h>
92183+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
92184+#include <linux/magic.h>
92185+#include <linux/pagemap.h>
92186+#include "../fs/btrfs/async-thread.h"
92187+#include "../fs/btrfs/ctree.h"
92188+#include "../fs/btrfs/btrfs_inode.h"
92189+#endif
92190+
92191+static struct crash_uid *uid_set;
92192+static unsigned short uid_used;
92193+static DEFINE_SPINLOCK(gr_uid_lock);
92194+extern rwlock_t gr_inode_lock;
92195+extern struct acl_subject_label *
92196+ lookup_acl_subj_label(const u64 inode, const dev_t dev,
92197+ struct acl_role_label *role);
92198+
92199+int
92200+gr_init_uidset(void)
92201+{
92202+ uid_set =
92203+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
92204+ uid_used = 0;
92205+
92206+ return uid_set ? 1 : 0;
92207+}
92208+
92209+void
92210+gr_free_uidset(void)
92211+{
92212+ if (uid_set) {
92213+ struct crash_uid *tmpset;
92214+ spin_lock(&gr_uid_lock);
92215+ tmpset = uid_set;
92216+ uid_set = NULL;
92217+ uid_used = 0;
92218+ spin_unlock(&gr_uid_lock);
92219+ if (tmpset)
92220+ kfree(tmpset);
92221+ }
92222+
92223+ return;
92224+}
92225+
92226+int
92227+gr_find_uid(const uid_t uid)
92228+{
92229+ struct crash_uid *tmp = uid_set;
92230+ uid_t buid;
92231+ int low = 0, high = uid_used - 1, mid;
92232+
92233+ while (high >= low) {
92234+ mid = (low + high) >> 1;
92235+ buid = tmp[mid].uid;
92236+ if (buid == uid)
92237+ return mid;
92238+ if (buid > uid)
92239+ high = mid - 1;
92240+ if (buid < uid)
92241+ low = mid + 1;
92242+ }
92243+
92244+ return -1;
92245+}
92246+
92247+static void
92248+gr_insertsort(void)
92249+{
92250+ unsigned short i, j;
92251+ struct crash_uid index;
92252+
92253+ for (i = 1; i < uid_used; i++) {
92254+ index = uid_set[i];
92255+ j = i;
92256+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
92257+ uid_set[j] = uid_set[j - 1];
92258+ j--;
92259+ }
92260+ uid_set[j] = index;
92261+ }
92262+
92263+ return;
92264+}
92265+
92266+static void
92267+gr_insert_uid(const kuid_t kuid, const unsigned long expires)
92268+{
92269+ int loc;
92270+ uid_t uid = GR_GLOBAL_UID(kuid);
92271+
92272+ if (uid_used == GR_UIDTABLE_MAX)
92273+ return;
92274+
92275+ loc = gr_find_uid(uid);
92276+
92277+ if (loc >= 0) {
92278+ uid_set[loc].expires = expires;
92279+ return;
92280+ }
92281+
92282+ uid_set[uid_used].uid = uid;
92283+ uid_set[uid_used].expires = expires;
92284+ uid_used++;
92285+
92286+ gr_insertsort();
92287+
92288+ return;
92289+}
92290+
92291+void
92292+gr_remove_uid(const unsigned short loc)
92293+{
92294+ unsigned short i;
92295+
92296+ for (i = loc + 1; i < uid_used; i++)
92297+ uid_set[i - 1] = uid_set[i];
92298+
92299+ uid_used--;
92300+
92301+ return;
92302+}
92303+
92304+int
92305+gr_check_crash_uid(const kuid_t kuid)
92306+{
92307+ int loc;
92308+ int ret = 0;
92309+ uid_t uid;
92310+
92311+ if (unlikely(!gr_acl_is_enabled()))
92312+ return 0;
92313+
92314+ uid = GR_GLOBAL_UID(kuid);
92315+
92316+ spin_lock(&gr_uid_lock);
92317+ loc = gr_find_uid(uid);
92318+
92319+ if (loc < 0)
92320+ goto out_unlock;
92321+
92322+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
92323+ gr_remove_uid(loc);
92324+ else
92325+ ret = 1;
92326+
92327+out_unlock:
92328+ spin_unlock(&gr_uid_lock);
92329+ return ret;
92330+}
92331+
92332+static int
92333+proc_is_setxid(const struct cred *cred)
92334+{
92335+ if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) ||
92336+ !uid_eq(cred->uid, cred->fsuid))
92337+ return 1;
92338+ if (!gid_eq(cred->gid, cred->egid) || !gid_eq(cred->gid, cred->sgid) ||
92339+ !gid_eq(cred->gid, cred->fsgid))
92340+ return 1;
92341+
92342+ return 0;
92343+}
92344+
92345+extern int gr_fake_force_sig(int sig, struct task_struct *t);
92346+
92347+void
92348+gr_handle_crash(struct task_struct *task, const int sig)
92349+{
92350+ struct acl_subject_label *curr;
92351+ struct task_struct *tsk, *tsk2;
92352+ const struct cred *cred;
92353+ const struct cred *cred2;
92354+
92355+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
92356+ return;
92357+
92358+ if (unlikely(!gr_acl_is_enabled()))
92359+ return;
92360+
92361+ curr = task->acl;
92362+
92363+ if (!(curr->resmask & (1U << GR_CRASH_RES)))
92364+ return;
92365+
92366+ if (time_before_eq(curr->expires, get_seconds())) {
92367+ curr->expires = 0;
92368+ curr->crashes = 0;
92369+ }
92370+
92371+ curr->crashes++;
92372+
92373+ if (!curr->expires)
92374+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
92375+
92376+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
92377+ time_after(curr->expires, get_seconds())) {
92378+ rcu_read_lock();
92379+ cred = __task_cred(task);
92380+ if (gr_is_global_nonroot(cred->uid) && proc_is_setxid(cred)) {
92381+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
92382+ spin_lock(&gr_uid_lock);
92383+ gr_insert_uid(cred->uid, curr->expires);
92384+ spin_unlock(&gr_uid_lock);
92385+ curr->expires = 0;
92386+ curr->crashes = 0;
92387+ read_lock(&tasklist_lock);
92388+ do_each_thread(tsk2, tsk) {
92389+ cred2 = __task_cred(tsk);
92390+ if (tsk != task && uid_eq(cred2->uid, cred->uid))
92391+ gr_fake_force_sig(SIGKILL, tsk);
92392+ } while_each_thread(tsk2, tsk);
92393+ read_unlock(&tasklist_lock);
92394+ } else {
92395+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
92396+ read_lock(&tasklist_lock);
92397+ read_lock(&grsec_exec_file_lock);
92398+ do_each_thread(tsk2, tsk) {
92399+ if (likely(tsk != task)) {
92400+ // if this thread has the same subject as the one that triggered
92401+ // RES_CRASH and it's the same binary, kill it
92402+ if (tsk->acl == task->acl && gr_is_same_file(tsk->exec_file, task->exec_file))
92403+ gr_fake_force_sig(SIGKILL, tsk);
92404+ }
92405+ } while_each_thread(tsk2, tsk);
92406+ read_unlock(&grsec_exec_file_lock);
92407+ read_unlock(&tasklist_lock);
92408+ }
92409+ rcu_read_unlock();
92410+ }
92411+
92412+ return;
92413+}
92414+
92415+int
92416+gr_check_crash_exec(const struct file *filp)
92417+{
92418+ struct acl_subject_label *curr;
92419+ struct dentry *dentry;
92420+
92421+ if (unlikely(!gr_acl_is_enabled()))
92422+ return 0;
92423+
92424+ read_lock(&gr_inode_lock);
92425+ dentry = filp->f_path.dentry;
92426+ curr = lookup_acl_subj_label(gr_get_ino_from_dentry(dentry), gr_get_dev_from_dentry(dentry),
92427+ current->role);
92428+ read_unlock(&gr_inode_lock);
92429+
92430+ if (!curr || !(curr->resmask & (1U << GR_CRASH_RES)) ||
92431+ (!curr->crashes && !curr->expires))
92432+ return 0;
92433+
92434+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
92435+ time_after(curr->expires, get_seconds()))
92436+ return 1;
92437+ else if (time_before_eq(curr->expires, get_seconds())) {
92438+ curr->crashes = 0;
92439+ curr->expires = 0;
92440+ }
92441+
92442+ return 0;
92443+}
92444+
92445+void
92446+gr_handle_alertkill(struct task_struct *task)
92447+{
92448+ struct acl_subject_label *curracl;
92449+ __u32 curr_ip;
92450+ struct task_struct *p, *p2;
92451+
92452+ if (unlikely(!gr_acl_is_enabled()))
92453+ return;
92454+
92455+ curracl = task->acl;
92456+ curr_ip = task->signal->curr_ip;
92457+
92458+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
92459+ read_lock(&tasklist_lock);
92460+ do_each_thread(p2, p) {
92461+ if (p->signal->curr_ip == curr_ip)
92462+ gr_fake_force_sig(SIGKILL, p);
92463+ } while_each_thread(p2, p);
92464+ read_unlock(&tasklist_lock);
92465+ } else if (curracl->mode & GR_KILLPROC)
92466+ gr_fake_force_sig(SIGKILL, task);
92467+
92468+ return;
92469+}
92470diff --git a/grsecurity/gracl_shm.c b/grsecurity/gracl_shm.c
92471new file mode 100644
92472index 0000000..6b0c9cc
92473--- /dev/null
92474+++ b/grsecurity/gracl_shm.c
92475@@ -0,0 +1,40 @@
92476+#include <linux/kernel.h>
92477+#include <linux/mm.h>
92478+#include <linux/sched.h>
92479+#include <linux/file.h>
92480+#include <linux/ipc.h>
92481+#include <linux/gracl.h>
92482+#include <linux/grsecurity.h>
92483+#include <linux/grinternal.h>
92484+
92485+int
92486+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
92487+ const u64 shm_createtime, const kuid_t cuid, const int shmid)
92488+{
92489+ struct task_struct *task;
92490+
92491+ if (!gr_acl_is_enabled())
92492+ return 1;
92493+
92494+ rcu_read_lock();
92495+ read_lock(&tasklist_lock);
92496+
92497+ task = find_task_by_vpid(shm_cprid);
92498+
92499+ if (unlikely(!task))
92500+ task = find_task_by_vpid(shm_lapid);
92501+
92502+ if (unlikely(task && (time_before_eq64(task->start_time, shm_createtime) ||
92503+ (task_pid_nr(task) == shm_lapid)) &&
92504+ (task->acl->mode & GR_PROTSHM) &&
92505+ (task->acl != current->acl))) {
92506+ read_unlock(&tasklist_lock);
92507+ rcu_read_unlock();
92508+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, GR_GLOBAL_UID(cuid), shm_cprid, shmid);
92509+ return 0;
92510+ }
92511+ read_unlock(&tasklist_lock);
92512+ rcu_read_unlock();
92513+
92514+ return 1;
92515+}
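Review bot: In `gr_handle_shmat` the lookup falls back to `shm_lapid` only when the creator PID resolves to no task, so if that PID has been reused by a task started after the segment was created, the `start_time` test fails and the attach is permitted without the last attacher ever being examined. `gr_chroot_shmat` in grsec_chroot.c treats the same case explicitly ("creator exited, pid reuse, fall through to next check"), and the two checks should probably agree: `if (unlikely(!task || !time_before_eq64(task->start_time, shm_createtime))) task = find_task_by_vpid(shm_lapid);`. Separately, the task is found by virtual PID but compared with `task_pid_nr(task)`, and the two numberings presumably differ inside a PID namespace, so it is worth confirming which one `shm_lapid` is stored in. A comment above the function stating that 1 means "attach allowed" and 0 means "denied and logged" would also help, since other hooks in this patch use 0 for success.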
92516diff --git a/grsecurity/grsec_chdir.c b/grsecurity/grsec_chdir.c
92517new file mode 100644
92518index 0000000..bc0be01
92519--- /dev/null
92520+++ b/grsecurity/grsec_chdir.c
92521@@ -0,0 +1,19 @@
92522+#include <linux/kernel.h>
92523+#include <linux/sched.h>
92524+#include <linux/fs.h>
92525+#include <linux/file.h>
92526+#include <linux/grsecurity.h>
92527+#include <linux/grinternal.h>
92528+
92529+void
92530+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
92531+{
92532+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
92533+ if ((grsec_enable_chdir && grsec_enable_group &&
92534+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
92535+ !grsec_enable_group)) {
92536+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
92537+ }
92538+#endif
92539+ return;
92540+}
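Review bot: The audit gate in `gr_log_chdir` tests `grsec_enable_chdir` twice and is harder to read than a condition that decides whether an audit record is written should be. It reduces to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which keeps the same short-circuit order, so `in_group_p()` is still called only when group auditing is on. A one-line comment such as `/* audit every chdir, or only those by members of grsec_audit_gid when group auditing is enabled */` would record the intent. The same doubled form appears in `gr_handle_exec_args` in grsec_exec.c.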
92541diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
92542new file mode 100644
92543index 0000000..652ab45
92544--- /dev/null
92545+++ b/grsecurity/grsec_chroot.c
92546@@ -0,0 +1,467 @@
92547+#include <linux/kernel.h>
92548+#include <linux/module.h>
92549+#include <linux/sched.h>
92550+#include <linux/file.h>
92551+#include <linux/fs.h>
92552+#include <linux/mount.h>
92553+#include <linux/types.h>
92554+#include "../fs/mount.h"
92555+#include <linux/grsecurity.h>
92556+#include <linux/grinternal.h>
92557+
92558+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
92559+int gr_init_ran;
92560+#endif
92561+
92562+void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
92563+{
92564+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
92565+ struct dentry *tmpd = dentry;
92566+
92567+ read_seqlock_excl(&mount_lock);
92568+ write_seqlock(&rename_lock);
92569+
92570+ while (tmpd != mnt->mnt_root) {
92571+ atomic_inc(&tmpd->chroot_refcnt);
92572+ tmpd = tmpd->d_parent;
92573+ }
92574+ atomic_inc(&tmpd->chroot_refcnt);
92575+
92576+ write_sequnlock(&rename_lock);
92577+ read_sequnlock_excl(&mount_lock);
92578+#endif
92579+}
92580+
92581+void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
92582+{
92583+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
92584+ struct dentry *tmpd = dentry;
92585+
92586+ read_seqlock_excl(&mount_lock);
92587+ write_seqlock(&rename_lock);
92588+
92589+ while (tmpd != mnt->mnt_root) {
92590+ atomic_dec(&tmpd->chroot_refcnt);
92591+ tmpd = tmpd->d_parent;
92592+ }
92593+ atomic_dec(&tmpd->chroot_refcnt);
92594+
92595+ write_sequnlock(&rename_lock);
92596+ read_sequnlock_excl(&mount_lock);
92597+#endif
92598+}
92599+
92600+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
92601+static struct dentry *get_closest_chroot(struct dentry *dentry)
92602+{
92603+ write_seqlock(&rename_lock);
92604+ do {
92605+ if (atomic_read(&dentry->chroot_refcnt)) {
92606+ write_sequnlock(&rename_lock);
92607+ return dentry;
92608+ }
92609+ dentry = dentry->d_parent;
92610+ } while (!IS_ROOT(dentry));
92611+ write_sequnlock(&rename_lock);
92612+ return NULL;
92613+}
92614+#endif
92615+
92616+int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
92617+ struct dentry *newdentry, struct vfsmount *newmnt)
92618+{
92619+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
92620+ struct dentry *chroot;
92621+
92622+ if (unlikely(!grsec_enable_chroot_rename))
92623+ return 0;
92624+
92625+ if (likely(!proc_is_chrooted(current) && gr_is_global_root(current_uid())))
92626+ return 0;
92627+
92628+ chroot = get_closest_chroot(olddentry);
92629+
92630+ if (chroot == NULL)
92631+ return 0;
92632+
92633+ if (is_subdir(newdentry, chroot))
92634+ return 0;
92635+
92636+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_RENAME_MSG, olddentry, oldmnt);
92637+
92638+ return 1;
92639+#else
92640+ return 0;
92641+#endif
92642+}
92643+
92644+void gr_set_chroot_entries(struct task_struct *task, const struct path *path)
92645+{
92646+#ifdef CONFIG_GRKERNSEC
92647+ if (task_pid_nr(task) > 1 && path->dentry != init_task.fs->root.dentry &&
92648+ path->dentry != task->nsproxy->mnt_ns->root->mnt.mnt_root
92649+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
92650+ && gr_init_ran
92651+#endif
92652+ )
92653+ task->gr_is_chrooted = 1;
92654+ else {
92655+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
92656+ if (task_pid_nr(task) == 1 && !gr_init_ran)
92657+ gr_init_ran = 1;
92658+#endif
92659+ task->gr_is_chrooted = 0;
92660+ }
92661+
92662+ task->gr_chroot_dentry = path->dentry;
92663+#endif
92664+ return;
92665+}
92666+
92667+void gr_clear_chroot_entries(struct task_struct *task)
92668+{
92669+#ifdef CONFIG_GRKERNSEC
92670+ task->gr_is_chrooted = 0;
92671+ task->gr_chroot_dentry = NULL;
92672+#endif
92673+ return;
92674+}
92675+
92676+int
92677+gr_handle_chroot_unix(const pid_t pid)
92678+{
92679+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
92680+ struct task_struct *p;
92681+
92682+ if (unlikely(!grsec_enable_chroot_unix))
92683+ return 1;
92684+
92685+ if (likely(!proc_is_chrooted(current)))
92686+ return 1;
92687+
92688+ rcu_read_lock();
92689+ read_lock(&tasklist_lock);
92690+ p = find_task_by_vpid_unrestricted(pid);
92691+ if (unlikely(p && !have_same_root(current, p))) {
92692+ read_unlock(&tasklist_lock);
92693+ rcu_read_unlock();
92694+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
92695+ return 0;
92696+ }
92697+ read_unlock(&tasklist_lock);
92698+ rcu_read_unlock();
92699+#endif
92700+ return 1;
92701+}
92702+
92703+int
92704+gr_handle_chroot_nice(void)
92705+{
92706+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
92707+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
92708+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
92709+ return -EPERM;
92710+ }
92711+#endif
92712+ return 0;
92713+}
92714+
92715+int
92716+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
92717+{
92718+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
92719+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
92720+ && proc_is_chrooted(current)) {
92721+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, task_pid_nr(p));
92722+ return -EACCES;
92723+ }
92724+#endif
92725+ return 0;
92726+}
92727+
92728+int
92729+gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
92730+{
92731+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
92732+ struct task_struct *p;
92733+ int ret = 0;
92734+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
92735+ return ret;
92736+
92737+ read_lock(&tasklist_lock);
92738+ do_each_pid_task(pid, type, p) {
92739+ if (!have_same_root(current, p)) {
92740+ ret = 1;
92741+ goto out;
92742+ }
92743+ } while_each_pid_task(pid, type, p);
92744+out:
92745+ read_unlock(&tasklist_lock);
92746+ return ret;
92747+#endif
92748+ return 0;
92749+}
92750+
92751+int
92752+gr_pid_is_chrooted(struct task_struct *p)
92753+{
92754+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
92755+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
92756+ return 0;
92757+
92758+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
92759+ !have_same_root(current, p)) {
92760+ return 1;
92761+ }
92762+#endif
92763+ return 0;
92764+}
92765+
92766+EXPORT_SYMBOL_GPL(gr_pid_is_chrooted);
92767+
92768+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
92769+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
92770+{
92771+ struct path path, currentroot;
92772+ int ret = 0;
92773+
92774+ path.dentry = (struct dentry *)u_dentry;
92775+ path.mnt = (struct vfsmount *)u_mnt;
92776+ get_fs_root(current->fs, &currentroot);
92777+ if (path_is_under(&path, &currentroot))
92778+ ret = 1;
92779+ path_put(&currentroot);
92780+
92781+ return ret;
92782+}
92783+#endif
92784+
92785+int
92786+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
92787+{
92788+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
92789+ if (!grsec_enable_chroot_fchdir)
92790+ return 1;
92791+
92792+ if (!proc_is_chrooted(current))
92793+ return 1;
92794+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
92795+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
92796+ return 0;
92797+ }
92798+#endif
92799+ return 1;
92800+}
92801+
92802+int
92803+gr_chroot_fhandle(void)
92804+{
92805+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
92806+ if (!grsec_enable_chroot_fchdir)
92807+ return 1;
92808+
92809+ if (!proc_is_chrooted(current))
92810+ return 1;
92811+ else {
92812+ gr_log_noargs(GR_DONT_AUDIT, GR_CHROOT_FHANDLE_MSG);
92813+ return 0;
92814+ }
92815+#endif
92816+ return 1;
92817+}
92818+
92819+int
92820+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
92821+ const u64 shm_createtime)
92822+{
92823+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
92824+ struct task_struct *p;
92825+
92826+ if (unlikely(!grsec_enable_chroot_shmat))
92827+ return 1;
92828+
92829+ if (likely(!proc_is_chrooted(current)))
92830+ return 1;
92831+
92832+ rcu_read_lock();
92833+ read_lock(&tasklist_lock);
92834+
92835+ if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
92836+ if (time_before_eq64(p->start_time, shm_createtime)) {
92837+ if (have_same_root(current, p)) {
92838+ goto allow;
92839+ } else {
92840+ read_unlock(&tasklist_lock);
92841+ rcu_read_unlock();
92842+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
92843+ return 0;
92844+ }
92845+ }
92846+ /* creator exited, pid reuse, fall through to next check */
92847+ }
92848+ if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
92849+ if (unlikely(!have_same_root(current, p))) {
92850+ read_unlock(&tasklist_lock);
92851+ rcu_read_unlock();
92852+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
92853+ return 0;
92854+ }
92855+ }
92856+
92857+allow:
92858+ read_unlock(&tasklist_lock);
92859+ rcu_read_unlock();
92860+#endif
92861+ return 1;
92862+}
92863+
92864+void
92865+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
92866+{
92867+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
92868+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
92869+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
92870+#endif
92871+ return;
92872+}
92873+
92874+int
92875+gr_handle_chroot_mknod(const struct dentry *dentry,
92876+ const struct vfsmount *mnt, const int mode)
92877+{
92878+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
92879+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
92880+ proc_is_chrooted(current)) {
92881+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
92882+ return -EPERM;
92883+ }
92884+#endif
92885+ return 0;
92886+}
92887+
92888+int
92889+gr_handle_chroot_mount(const struct dentry *dentry,
92890+ const struct vfsmount *mnt, const char *dev_name)
92891+{
92892+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
92893+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
92894+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
92895+ return -EPERM;
92896+ }
92897+#endif
92898+ return 0;
92899+}
92900+
92901+int
92902+gr_handle_chroot_pivot(void)
92903+{
92904+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
92905+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
92906+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
92907+ return -EPERM;
92908+ }
92909+#endif
92910+ return 0;
92911+}
92912+
92913+int
92914+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
92915+{
92916+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
92917+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
92918+ !gr_is_outside_chroot(dentry, mnt)) {
92919+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
92920+ return -EPERM;
92921+ }
92922+#endif
92923+ return 0;
92924+}
92925+
92926+extern const char *captab_log[];
92927+extern int captab_log_entries;
92928+
92929+int
92930+gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
92931+{
92932+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92933+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
92934+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
92935+ if (cap_raised(chroot_caps, cap)) {
92936+ if (cap_raised(cred->cap_effective, cap) && cap < captab_log_entries) {
92937+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, task, captab_log[cap]);
92938+ }
92939+ return 0;
92940+ }
92941+ }
92942+#endif
92943+ return 1;
92944+}
92945+
92946+int
92947+gr_chroot_is_capable(const int cap)
92948+{
92949+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92950+ return gr_task_chroot_is_capable(current, current_cred(), cap);
92951+#endif
92952+ return 1;
92953+}
92954+
92955+int
92956+gr_task_chroot_is_capable_nolog(const struct task_struct *task, const int cap)
92957+{
92958+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92959+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
92960+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
92961+ if (cap_raised(chroot_caps, cap)) {
92962+ return 0;
92963+ }
92964+ }
92965+#endif
92966+ return 1;
92967+}
92968+
92969+int
92970+gr_chroot_is_capable_nolog(const int cap)
92971+{
92972+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92973+ return gr_task_chroot_is_capable_nolog(current, cap);
92974+#endif
92975+ return 1;
92976+}
92977+
92978+int
92979+gr_handle_chroot_sysctl(const int op)
92980+{
92981+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
92982+ if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
92983+ proc_is_chrooted(current))
92984+ return -EACCES;
92985+#endif
92986+ return 0;
92987+}
92988+
92989+void
92990+gr_handle_chroot_chdir(const struct path *path)
92991+{
92992+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
92993+ if (grsec_enable_chroot_chdir)
92994+ set_fs_pwd(current->fs, path);
92995+#endif
92996+ return;
92997+}
92998+
92999+int
93000+gr_handle_chroot_chmod(const struct dentry *dentry,
93001+ const struct vfsmount *mnt, const int mode)
93002+{
93003+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
93004+ /* allow chmod +s on directories, but not files */
93005+ if (grsec_enable_chroot_chmod && !d_is_dir(dentry) &&
93006+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
93007+ proc_is_chrooted(current)) {
93008+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
93009+ return -EPERM;
93010+ }
93011+#endif
93012+ return 0;
93013+}
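Review bot: `gr_is_outside_chroot` returns 1 when `path_is_under(&path, &currentroot)` succeeds, that is, when the path lies inside the caller's root, which is the opposite of what its name says. Both callers in this hunk (`gr_chroot_fchdir` and `gr_handle_chroot_chroot`) compensate by denying on `!gr_is_outside_chroot(...)`. In an access check an inverted name invites a later caller to drop the negation and turn a deny into an allow. If renaming is not wanted, a comment above the definition would pin the contract: `/* returns 1 if the path is under current's fs root (inside the chroot), 0 if it lies outside */`.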
93014diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
93015new file mode 100644
93016index 0000000..e723c08
93017--- /dev/null
93018+++ b/grsecurity/grsec_disabled.c
93019@@ -0,0 +1,445 @@
93020+#include <linux/kernel.h>
93021+#include <linux/module.h>
93022+#include <linux/sched.h>
93023+#include <linux/file.h>
93024+#include <linux/fs.h>
93025+#include <linux/kdev_t.h>
93026+#include <linux/net.h>
93027+#include <linux/in.h>
93028+#include <linux/ip.h>
93029+#include <linux/skbuff.h>
93030+#include <linux/sysctl.h>
93031+
93032+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
93033+void
93034+pax_set_initial_flags(struct linux_binprm *bprm)
93035+{
93036+ return;
93037+}
93038+#endif
93039+
93040+#ifdef CONFIG_SYSCTL
93041+__u32
93042+gr_handle_sysctl(const struct ctl_table * table, const int op)
93043+{
93044+ return 0;
93045+}
93046+#endif
93047+
93048+#ifdef CONFIG_TASKSTATS
93049+int gr_is_taskstats_denied(int pid)
93050+{
93051+ return 0;
93052+}
93053+#endif
93054+
93055+int
93056+gr_acl_is_enabled(void)
93057+{
93058+ return 0;
93059+}
93060+
93061+int
93062+gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
93063+{
93064+ return 0;
93065+}
93066+
93067+void
93068+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
93069+{
93070+ return;
93071+}
93072+
93073+int
93074+gr_handle_rawio(const struct inode *inode)
93075+{
93076+ return 0;
93077+}
93078+
93079+void
93080+gr_acl_handle_psacct(struct task_struct *task, const long code)
93081+{
93082+ return;
93083+}
93084+
93085+int
93086+gr_handle_ptrace(struct task_struct *task, const long request)
93087+{
93088+ return 0;
93089+}
93090+
93091+int
93092+gr_handle_proc_ptrace(struct task_struct *task)
93093+{
93094+ return 0;
93095+}
93096+
93097+int
93098+gr_set_acls(const int type)
93099+{
93100+ return 0;
93101+}
93102+
93103+int
93104+gr_check_hidden_task(const struct task_struct *tsk)
93105+{
93106+ return 0;
93107+}
93108+
93109+int
93110+gr_check_protected_task(const struct task_struct *task)
93111+{
93112+ return 0;
93113+}
93114+
93115+int
93116+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
93117+{
93118+ return 0;
93119+}
93120+
93121+void
93122+gr_copy_label(struct task_struct *tsk)
93123+{
93124+ return;
93125+}
93126+
93127+void
93128+gr_set_pax_flags(struct task_struct *task)
93129+{
93130+ return;
93131+}
93132+
93133+int
93134+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
93135+ const int unsafe_share)
93136+{
93137+ return 0;
93138+}
93139+
93140+void
93141+gr_handle_delete(const u64 ino, const dev_t dev)
93142+{
93143+ return;
93144+}
93145+
93146+void
93147+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
93148+{
93149+ return;
93150+}
93151+
93152+void
93153+gr_handle_crash(struct task_struct *task, const int sig)
93154+{
93155+ return;
93156+}
93157+
93158+int
93159+gr_check_crash_exec(const struct file *filp)
93160+{
93161+ return 0;
93162+}
93163+
93164+int
93165+gr_check_crash_uid(const kuid_t uid)
93166+{
93167+ return 0;
93168+}
93169+
93170+void
93171+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
93172+ struct dentry *old_dentry,
93173+ struct dentry *new_dentry,
93174+ struct vfsmount *mnt, const __u8 replace, unsigned int flags)
93175+{
93176+ return;
93177+}
93178+
93179+int
93180+gr_search_socket(const int family, const int type, const int protocol)
93181+{
93182+ return 1;
93183+}
93184+
93185+int
93186+gr_search_connectbind(const int mode, const struct socket *sock,
93187+ const struct sockaddr_in *addr)
93188+{
93189+ return 0;
93190+}
93191+
93192+void
93193+gr_handle_alertkill(struct task_struct *task)
93194+{
93195+ return;
93196+}
93197+
93198+__u32
93199+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
93200+{
93201+ return 1;
93202+}
93203+
93204+__u32
93205+gr_acl_handle_hidden_file(const struct dentry * dentry,
93206+ const struct vfsmount * mnt)
93207+{
93208+ return 1;
93209+}
93210+
93211+__u32
93212+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
93213+ int acc_mode)
93214+{
93215+ return 1;
93216+}
93217+
93218+__u32
93219+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
93220+{
93221+ return 1;
93222+}
93223+
93224+__u32
93225+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
93226+{
93227+ return 1;
93228+}
93229+
93230+int
93231+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
93232+ unsigned int *vm_flags)
93233+{
93234+ return 1;
93235+}
93236+
93237+__u32
93238+gr_acl_handle_truncate(const struct dentry * dentry,
93239+ const struct vfsmount * mnt)
93240+{
93241+ return 1;
93242+}
93243+
93244+__u32
93245+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
93246+{
93247+ return 1;
93248+}
93249+
93250+__u32
93251+gr_acl_handle_access(const struct dentry * dentry,
93252+ const struct vfsmount * mnt, const int fmode)
93253+{
93254+ return 1;
93255+}
93256+
93257+__u32
93258+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
93259+ umode_t *mode)
93260+{
93261+ return 1;
93262+}
93263+
93264+__u32
93265+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
93266+{
93267+ return 1;
93268+}
93269+
93270+__u32
93271+gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
93272+{
93273+ return 1;
93274+}
93275+
93276+__u32
93277+gr_acl_handle_removexattr(const struct dentry * dentry, const struct vfsmount * mnt)
93278+{
93279+ return 1;
93280+}
93281+
93282+void
93283+grsecurity_init(void)
93284+{
93285+ return;
93286+}
93287+
93288+umode_t gr_acl_umask(void)
93289+{
93290+ return 0;
93291+}
93292+
93293+__u32
93294+gr_acl_handle_mknod(const struct dentry * new_dentry,
93295+ const struct dentry * parent_dentry,
93296+ const struct vfsmount * parent_mnt,
93297+ const int mode)
93298+{
93299+ return 1;
93300+}
93301+
93302+__u32
93303+gr_acl_handle_mkdir(const struct dentry * new_dentry,
93304+ const struct dentry * parent_dentry,
93305+ const struct vfsmount * parent_mnt)
93306+{
93307+ return 1;
93308+}
93309+
93310+__u32
93311+gr_acl_handle_symlink(const struct dentry * new_dentry,
93312+ const struct dentry * parent_dentry,
93313+ const struct vfsmount * parent_mnt, const struct filename *from)
93314+{
93315+ return 1;
93316+}
93317+
93318+__u32
93319+gr_acl_handle_link(const struct dentry * new_dentry,
93320+ const struct dentry * parent_dentry,
93321+ const struct vfsmount * parent_mnt,
93322+ const struct dentry * old_dentry,
93323+ const struct vfsmount * old_mnt, const struct filename *to)
93324+{
93325+ return 1;
93326+}
93327+
93328+int
93329+gr_acl_handle_rename(const struct dentry *new_dentry,
93330+ const struct dentry *parent_dentry,
93331+ const struct vfsmount *parent_mnt,
93332+ const struct dentry *old_dentry,
93333+ const struct inode *old_parent_inode,
93334+ const struct vfsmount *old_mnt, const struct filename *newname,
93335+ unsigned int flags)
93336+{
93337+ return 0;
93338+}
93339+
93340+int
93341+gr_acl_handle_filldir(const struct file *file, const char *name,
93342+ const int namelen, const u64 ino)
93343+{
93344+ return 1;
93345+}
93346+
93347+int
93348+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
93349+ const u64 shm_createtime, const kuid_t cuid, const int shmid)
93350+{
93351+ return 1;
93352+}
93353+
93354+int
93355+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
93356+{
93357+ return 0;
93358+}
93359+
93360+int
93361+gr_search_accept(const struct socket *sock)
93362+{
93363+ return 0;
93364+}
93365+
93366+int
93367+gr_search_listen(const struct socket *sock)
93368+{
93369+ return 0;
93370+}
93371+
93372+int
93373+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
93374+{
93375+ return 0;
93376+}
93377+
93378+__u32
93379+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
93380+{
93381+ return 1;
93382+}
93383+
93384+__u32
93385+gr_acl_handle_creat(const struct dentry * dentry,
93386+ const struct dentry * p_dentry,
93387+ const struct vfsmount * p_mnt, int open_flags, int acc_mode,
93388+ const int imode)
93389+{
93390+ return 1;
93391+}
93392+
93393+void
93394+gr_acl_handle_exit(void)
93395+{
93396+ return;
93397+}
93398+
93399+int
93400+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
93401+{
93402+ return 1;
93403+}
93404+
93405+void
93406+gr_set_role_label(const kuid_t uid, const kgid_t gid)
93407+{
93408+ return;
93409+}
93410+
93411+int
93412+gr_acl_handle_procpidmem(const struct task_struct *task)
93413+{
93414+ return 0;
93415+}
93416+
93417+int
93418+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
93419+{
93420+ return 0;
93421+}
93422+
93423+int
93424+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
93425+{
93426+ return 0;
93427+}
93428+
93429+int
93430+gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
93431+{
93432+ return 0;
93433+}
93434+
93435+int
93436+gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs)
93437+{
93438+ return 0;
93439+}
93440+
93441+int gr_acl_enable_at_secure(void)
93442+{
93443+ return 0;
93444+}
93445+
93446+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
93447+{
93448+ return d_backing_inode(dentry)->i_sb->s_dev;
93449+}
93450+
93451+u64 gr_get_ino_from_dentry(struct dentry *dentry)
93452+{
93453+ return d_backing_inode(dentry)->i_ino;
93454+}
93455+
93456+void gr_put_exec_file(struct task_struct *task)
93457+{
93458+ return;
93459+}
93460+
93461+#ifdef CONFIG_SECURITY
93462+EXPORT_SYMBOL_GPL(gr_check_user_change);
93463+EXPORT_SYMBOL_GPL(gr_check_group_change);
93464+#endif
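Review bot: None of the stubs in this file says what its return value means, and the "permit" value is not uniform: the `gr_acl_handle_*` hooks, `gr_search_socket` and `gr_handle_shmat` return 1, while `gr_search_connect`, `gr_search_bind`, `gr_handle_ptrace`, `gr_check_crash_uid` and `gr_acl_handle_rename` return 0. These appear to replace the access-control hooks when the ACL system is compiled out (inferred from the file name and from `gr_acl_is_enabled` returning 0), so a stub added later with the wrong constant would silently deny or permit everything at that hook. A file header would help, for example `/* No-op replacements for the RBAC hooks: each stub returns the value its caller treats as "allowed"; check the caller before adding one. */`. A short comment per group marking which hooks use 1 and which use 0 for success would complete it.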
93465diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
93466new file mode 100644
93467index 0000000..fb7531e
93468--- /dev/null
93469+++ b/grsecurity/grsec_exec.c
93470@@ -0,0 +1,189 @@
93471+#include <linux/kernel.h>
93472+#include <linux/sched.h>
93473+#include <linux/file.h>
93474+#include <linux/binfmts.h>
93475+#include <linux/fs.h>
93476+#include <linux/types.h>
93477+#include <linux/grdefs.h>
93478+#include <linux/grsecurity.h>
93479+#include <linux/grinternal.h>
93480+#include <linux/capability.h>
93481+#include <linux/module.h>
93482+#include <linux/compat.h>
93483+
93484+#include <asm/uaccess.h>
93485+
93486+#ifdef CONFIG_GRKERNSEC_EXECLOG
93487+static char gr_exec_arg_buf[132];
93488+static DEFINE_MUTEX(gr_exec_arg_mutex);
93489+#endif
93490+
93491+struct user_arg_ptr {
93492+#ifdef CONFIG_COMPAT
93493+ bool is_compat;
93494+#endif
93495+ union {
93496+ const char __user *const __user *native;
93497+#ifdef CONFIG_COMPAT
93498+ const compat_uptr_t __user *compat;
93499+#endif
93500+ } ptr;
93501+};
93502+
93503+extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
93504+
93505+void
93506+gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
93507+{
93508+#ifdef CONFIG_GRKERNSEC_EXECLOG
93509+ char *grarg = gr_exec_arg_buf;
93510+ unsigned int i, x, execlen = 0;
93511+ char c;
93512+
93513+ if (!((grsec_enable_execlog && grsec_enable_group &&
93514+ in_group_p(grsec_audit_gid))
93515+ || (grsec_enable_execlog && !grsec_enable_group)))
93516+ return;
93517+
93518+ mutex_lock(&gr_exec_arg_mutex);
93519+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
93520+
93521+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
93522+ const char __user *p;
93523+ unsigned int len;
93524+
93525+ p = get_user_arg_ptr(argv, i);
93526+ if (IS_ERR(p))
93527+ goto log;
93528+
93529+ len = strnlen_user(p, 128 - execlen);
93530+ if (len > 128 - execlen)
93531+ len = 128 - execlen;
93532+ else if (len > 0)
93533+ len--;
93534+ if (copy_from_user(grarg + execlen, p, len))
93535+ goto log;
93536+
93537+ /* rewrite unprintable characters */
93538+ for (x = 0; x < len; x++) {
93539+ c = *(grarg + execlen + x);
93540+ if (c < 32 || c > 126)
93541+ *(grarg + execlen + x) = ' ';
93542+ }
93543+
93544+ execlen += len;
93545+ *(grarg + execlen) = ' ';
93546+ *(grarg + execlen + 1) = '\0';
93547+ execlen++;
93548+ }
93549+
93550+ log:
93551+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
93552+ bprm->file->f_path.mnt, grarg);
93553+ mutex_unlock(&gr_exec_arg_mutex);
93554+#endif
93555+ return;
93556+}
93557+
93558+#ifdef CONFIG_GRKERNSEC
93559+extern int gr_acl_is_capable(const int cap);
93560+extern int gr_acl_is_capable_nolog(const int cap);
93561+extern int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
93562+extern int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap);
93563+extern int gr_chroot_is_capable(const int cap);
93564+extern int gr_chroot_is_capable_nolog(const int cap);
93565+extern int gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
93566+extern int gr_task_chroot_is_capable_nolog(const struct task_struct *task, const int cap);
93567+#endif
93568+
93569+const char *captab_log[] = {
93570+ "CAP_CHOWN",
93571+ "CAP_DAC_OVERRIDE",
93572+ "CAP_DAC_READ_SEARCH",
93573+ "CAP_FOWNER",
93574+ "CAP_FSETID",
93575+ "CAP_KILL",
93576+ "CAP_SETGID",
93577+ "CAP_SETUID",
93578+ "CAP_SETPCAP",
93579+ "CAP_LINUX_IMMUTABLE",
93580+ "CAP_NET_BIND_SERVICE",
93581+ "CAP_NET_BROADCAST",
93582+ "CAP_NET_ADMIN",
93583+ "CAP_NET_RAW",
93584+ "CAP_IPC_LOCK",
93585+ "CAP_IPC_OWNER",
93586+ "CAP_SYS_MODULE",
93587+ "CAP_SYS_RAWIO",
93588+ "CAP_SYS_CHROOT",
93589+ "CAP_SYS_PTRACE",
93590+ "CAP_SYS_PACCT",
93591+ "CAP_SYS_ADMIN",
93592+ "CAP_SYS_BOOT",
93593+ "CAP_SYS_NICE",
93594+ "CAP_SYS_RESOURCE",
93595+ "CAP_SYS_TIME",
93596+ "CAP_SYS_TTY_CONFIG",
93597+ "CAP_MKNOD",
93598+ "CAP_LEASE",
93599+ "CAP_AUDIT_WRITE",
93600+ "CAP_AUDIT_CONTROL",
93601+ "CAP_SETFCAP",
93602+ "CAP_MAC_OVERRIDE",
93603+ "CAP_MAC_ADMIN",
93604+ "CAP_SYSLOG",
93605+ "CAP_WAKE_ALARM",
93606+ "CAP_BLOCK_SUSPEND",
93607+ "CAP_AUDIT_READ"
93608+};
93609+
93610+int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
93611+
93612+int gr_is_capable(const int cap)
93613+{
93614+#ifdef CONFIG_GRKERNSEC
93615+ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
93616+ return 1;
93617+ return 0;
93618+#else
93619+ return 1;
93620+#endif
93621+}
93622+
93623+int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
93624+{
93625+#ifdef CONFIG_GRKERNSEC
93626+ if (gr_task_acl_is_capable(task, cred, cap) && gr_task_chroot_is_capable(task, cred, cap))
93627+ return 1;
93628+ return 0;
93629+#else
93630+ return 1;
93631+#endif
93632+}
93633+
93634+int gr_is_capable_nolog(const int cap)
93635+{
93636+#ifdef CONFIG_GRKERNSEC
93637+ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
93638+ return 1;
93639+ return 0;
93640+#else
93641+ return 1;
93642+#endif
93643+}
93644+
93645+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap)
93646+{
93647+#ifdef CONFIG_GRKERNSEC
93648+ if (gr_task_acl_is_capable_nolog(task, cap) && gr_task_chroot_is_capable_nolog(task, cap))
93649+ return 1;
93650+ return 0;
93651+#else
93652+ return 1;
93653+#endif
93654+}
93655+
93656+EXPORT_SYMBOL_GPL(gr_is_capable);
93657+EXPORT_SYMBOL_GPL(gr_is_capable_nolog);
93658+EXPORT_SYMBOL_GPL(gr_task_is_capable);
93659+EXPORT_SYMBOL_GPL(gr_task_is_capable_nolog);
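Review bot: The bound in gr_handle_exec_args rests on two unrelated literals, `gr_exec_arg_buf[132]` and the `128` used in the loop condition and in `strnlen_user()`; the trailing writes at `execlen` and `execlen + 1` stay in bounds only because 128 + 2 <= 132. Naming the limit, e.g. `#define GR_EXEC_ARG_MAX 128` with `static char gr_exec_arg_buf[GR_EXEC_ARG_MAX + 4];`, would keep the two from drifting apart. The rewrite loop also deserves a fuller comment: the length from `strnlen_user()` and the bytes from `copy_from_user()` are two separate reads of user memory, so the copied bytes may contain a NUL, which the `c < 32` test turns into a space before the string is logged. The local `struct user_arg_ptr` looks like a copy of a definition that lives elsewhere (not shown); since it is passed by value, sharing one declaration through a header would be safer than keeping two in step.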
93660diff --git a/grsecurity/grsec_fifo.c b/grsecurity/grsec_fifo.c
93661new file mode 100644
93662index 0000000..cdec49b
93663--- /dev/null
93664+++ b/grsecurity/grsec_fifo.c
93665@@ -0,0 +1,26 @@
93666+#include <linux/kernel.h>
93667+#include <linux/sched.h>
93668+#include <linux/fs.h>
93669+#include <linux/file.h>
93670+#include <linux/grinternal.h>
93671+
93672+int
93673+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
93674+ const struct dentry *dir, const int flag, const int acc_mode)
93675+{
93676+#ifdef CONFIG_GRKERNSEC_FIFO
93677+ const struct cred *cred = current_cred();
93678+ struct inode *inode = d_backing_inode(dentry);
93679+ struct inode *dir_inode = d_backing_inode(dir);
93680+
93681+ if (grsec_enable_fifo && S_ISFIFO(inode->i_mode) &&
93682+ !(flag & O_EXCL) && (dir_inode->i_mode & S_ISVTX) &&
93683+ !uid_eq(inode->i_uid, dir_inode->i_uid) &&
93684+ !uid_eq(cred->fsuid, inode->i_uid)) {
93685+ if (!inode_permission(inode, acc_mode))
93686+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid));
93687+ return -EACCES;
93688+ }
93689+#endif
93690+ return 0;
93691+}
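Review bot: gr_handle_fifo has no comment stating the rule it enforces, and the unbraced `if (!inode_permission(inode, acc_mode))` directly above `return -EACCES;` is easy to misread as guarding the return. As written, the open is refused whenever `flag` lacks O_EXCL, the FIFO sits in a sticky directory, and it is owned by neither the directory owner nor the caller's fsuid; the `inode_permission()` test only decides whether the denial is logged. I would brace the inner `if` and add `/* deny regardless; log only when DAC alone would have allowed the open */` above it.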
93692diff --git a/grsecurity/grsec_fork.c b/grsecurity/grsec_fork.c
93693new file mode 100644
93694index 0000000..8ca18bf
93695--- /dev/null
93696+++ b/grsecurity/grsec_fork.c
93697@@ -0,0 +1,23 @@
93698+#include <linux/kernel.h>
93699+#include <linux/sched.h>
93700+#include <linux/grsecurity.h>
93701+#include <linux/grinternal.h>
93702+#include <linux/errno.h>
93703+
93704+void
93705+gr_log_forkfail(const int retval)
93706+{
93707+#ifdef CONFIG_GRKERNSEC_FORKFAIL
93708+ if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
93709+ switch (retval) {
93710+ case -EAGAIN:
93711+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
93712+ break;
93713+ case -ENOMEM:
93714+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
93715+ break;
93716+ }
93717+ }
93718+#endif
93719+ return;
93720+}
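Review bot: The `switch` in gr_log_forkfail repeats the test already made by `retval == -EAGAIN || retval == -ENOMEM` and has no `default`, so the two lists of errno values have to be kept in step by hand. One selection would do: `const char *err = (retval == -EAGAIN) ? "EAGAIN" : "ENOMEM";` followed by `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, err);` inside the existing `if`. The trailing `return;` in a void function can go as well.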
93721diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
93722new file mode 100644
93723index 0000000..a364c58
93724--- /dev/null
93725+++ b/grsecurity/grsec_init.c
93726@@ -0,0 +1,290 @@
93727+#include <linux/kernel.h>
93728+#include <linux/sched.h>
93729+#include <linux/mm.h>
93730+#include <linux/gracl.h>
93731+#include <linux/slab.h>
93732+#include <linux/vmalloc.h>
93733+#include <linux/percpu.h>
93734+#include <linux/module.h>
93735+
93736+int grsec_enable_ptrace_readexec __read_only;
93737+int grsec_enable_setxid __read_only;
93738+int grsec_enable_symlinkown __read_only;
93739+kgid_t grsec_symlinkown_gid __read_only;
93740+int grsec_enable_brute __read_only;
93741+int grsec_enable_link __read_only;
93742+int grsec_enable_dmesg __read_only;
93743+int grsec_enable_harden_ptrace __read_only;
93744+int grsec_enable_harden_ipc __read_only;
93745+int grsec_enable_fifo __read_only;
93746+int grsec_enable_execlog __read_only;
93747+int grsec_enable_signal __read_only;
93748+int grsec_enable_forkfail __read_only;
93749+int grsec_enable_audit_ptrace __read_only;
93750+int grsec_enable_time __read_only;
93751+int grsec_enable_group __read_only;
93752+kgid_t grsec_audit_gid __read_only;
93753+int grsec_enable_chdir __read_only;
93754+int grsec_enable_mount __read_only;
93755+int grsec_enable_rofs __read_only;
93756+int grsec_deny_new_usb __read_only;
93757+int grsec_enable_chroot_findtask __read_only;
93758+int grsec_enable_chroot_mount __read_only;
93759+int grsec_enable_chroot_shmat __read_only;
93760+int grsec_enable_chroot_fchdir __read_only;
93761+int grsec_enable_chroot_double __read_only;
93762+int grsec_enable_chroot_pivot __read_only;
93763+int grsec_enable_chroot_chdir __read_only;
93764+int grsec_enable_chroot_chmod __read_only;
93765+int grsec_enable_chroot_mknod __read_only;
93766+int grsec_enable_chroot_nice __read_only;
93767+int grsec_enable_chroot_execlog __read_only;
93768+int grsec_enable_chroot_caps __read_only;
93769+int grsec_enable_chroot_rename __read_only;
93770+int grsec_enable_chroot_sysctl __read_only;
93771+int grsec_enable_chroot_unix __read_only;
93772+int grsec_enable_tpe __read_only;
93773+kgid_t grsec_tpe_gid __read_only;
93774+int grsec_enable_blackhole __read_only;
93775+#ifdef CONFIG_IPV6_MODULE
93776+EXPORT_SYMBOL_GPL(grsec_enable_blackhole);
93777+#endif
93778+int grsec_lastack_retries __read_only;
93779+int grsec_enable_tpe_all __read_only;
93780+int grsec_enable_tpe_invert __read_only;
93781+int grsec_enable_socket_all __read_only;
93782+kgid_t grsec_socket_all_gid __read_only;
93783+int grsec_enable_socket_client __read_only;
93784+kgid_t grsec_socket_client_gid __read_only;
93785+int grsec_enable_socket_server __read_only;
93786+kgid_t grsec_socket_server_gid __read_only;
93787+int grsec_resource_logging __read_only;
93788+int grsec_disable_privio __read_only;
93789+int grsec_enable_log_rwxmaps __read_only;
93790+int grsec_lock __read_only;
93791+
93792+DEFINE_SPINLOCK(grsec_alert_lock);
93793+unsigned long grsec_alert_wtime = 0;
93794+unsigned long grsec_alert_fyet = 0;
93795+
93796+DEFINE_SPINLOCK(grsec_audit_lock);
93797+
93798+DEFINE_RWLOCK(grsec_exec_file_lock);
93799+
93800+char *gr_shared_page[4];
93801+
93802+char *gr_alert_log_fmt;
93803+char *gr_audit_log_fmt;
93804+char *gr_alert_log_buf;
93805+char *gr_audit_log_buf;
93806+
93807+extern struct gr_arg *gr_usermode;
93808+extern unsigned char *gr_system_salt;
93809+extern unsigned char *gr_system_sum;
93810+
93811+void __init
93812+grsecurity_init(void)
93813+{
93814+ int j;
93815+ /* create the per-cpu shared pages */
93816+
93817+#ifdef CONFIG_X86
93818+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
93819+#endif
93820+
93821+ for (j = 0; j < 4; j++) {
93822+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
93823+ if (gr_shared_page[j] == NULL) {
93824+ panic("Unable to allocate grsecurity shared page");
93825+ return;
93826+ }
93827+ }
93828+
93829+ /* allocate log buffers */
93830+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
93831+ if (!gr_alert_log_fmt) {
93832+ panic("Unable to allocate grsecurity alert log format buffer");
93833+ return;
93834+ }
93835+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
93836+ if (!gr_audit_log_fmt) {
93837+ panic("Unable to allocate grsecurity audit log format buffer");
93838+ return;
93839+ }
93840+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
93841+ if (!gr_alert_log_buf) {
93842+ panic("Unable to allocate grsecurity alert log buffer");
93843+ return;
93844+ }
93845+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
93846+ if (!gr_audit_log_buf) {
93847+ panic("Unable to allocate grsecurity audit log buffer");
93848+ return;
93849+ }
93850+
93851+ /* allocate memory for authentication structure */
93852+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
93853+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
93854+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
93855+
93856+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
93857+ panic("Unable to allocate grsecurity authentication structure");
93858+ return;
93859+ }
93860+
93861+#ifdef CONFIG_GRKERNSEC_IO
93862+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
93863+ grsec_disable_privio = 1;
93864+#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
93865+ grsec_disable_privio = 1;
93866+#else
93867+ grsec_disable_privio = 0;
93868+#endif
93869+#endif
93870+
93871+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
93872+ /* for backward compatibility, tpe_invert always defaults to on if
93873+ enabled in the kernel
93874+ */
93875+ grsec_enable_tpe_invert = 1;
93876+#endif
93877+
93878+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
93879+#ifndef CONFIG_GRKERNSEC_SYSCTL
93880+ grsec_lock = 1;
93881+#endif
93882+
93883+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
93884+ grsec_enable_log_rwxmaps = 1;
93885+#endif
93886+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
93887+ grsec_enable_group = 1;
93888+ grsec_audit_gid = KGIDT_INIT(CONFIG_GRKERNSEC_AUDIT_GID);
93889+#endif
93890+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
93891+ grsec_enable_ptrace_readexec = 1;
93892+#endif
93893+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
93894+ grsec_enable_chdir = 1;
93895+#endif
93896+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
93897+ grsec_enable_harden_ptrace = 1;
93898+#endif
93899+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
93900+ grsec_enable_harden_ipc = 1;
93901+#endif
93902+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
93903+ grsec_enable_mount = 1;
93904+#endif
93905+#ifdef CONFIG_GRKERNSEC_LINK
93906+ grsec_enable_link = 1;
93907+#endif
93908+#ifdef CONFIG_GRKERNSEC_BRUTE
93909+ grsec_enable_brute = 1;
93910+#endif
93911+#ifdef CONFIG_GRKERNSEC_DMESG
93912+ grsec_enable_dmesg = 1;
93913+#endif
93914+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
93915+ grsec_enable_blackhole = 1;
93916+ grsec_lastack_retries = 4;
93917+#endif
93918+#ifdef CONFIG_GRKERNSEC_FIFO
93919+ grsec_enable_fifo = 1;
93920+#endif
93921+#ifdef CONFIG_GRKERNSEC_EXECLOG
93922+ grsec_enable_execlog = 1;
93923+#endif
93924+#ifdef CONFIG_GRKERNSEC_SETXID
93925+ grsec_enable_setxid = 1;
93926+#endif
93927+#ifdef CONFIG_GRKERNSEC_SIGNAL
93928+ grsec_enable_signal = 1;
93929+#endif
93930+#ifdef CONFIG_GRKERNSEC_FORKFAIL
93931+ grsec_enable_forkfail = 1;
93932+#endif
93933+#ifdef CONFIG_GRKERNSEC_TIME
93934+ grsec_enable_time = 1;
93935+#endif
93936+#ifdef CONFIG_GRKERNSEC_RESLOG
93937+ grsec_resource_logging = 1;
93938+#endif
93939+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
93940+ grsec_enable_chroot_findtask = 1;
93941+#endif
93942+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
93943+ grsec_enable_chroot_unix = 1;
93944+#endif
93945+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
93946+ grsec_enable_chroot_mount = 1;
93947+#endif
93948+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
93949+ grsec_enable_chroot_fchdir = 1;
93950+#endif
93951+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
93952+ grsec_enable_chroot_shmat = 1;
93953+#endif
93954+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
93955+ grsec_enable_audit_ptrace = 1;
93956+#endif
93957+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
93958+ grsec_enable_chroot_double = 1;
93959+#endif
93960+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
93961+ grsec_enable_chroot_pivot = 1;
93962+#endif
93963+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
93964+ grsec_enable_chroot_chdir = 1;
93965+#endif
93966+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
93967+ grsec_enable_chroot_chmod = 1;
93968+#endif
93969+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
93970+ grsec_enable_chroot_mknod = 1;
93971+#endif
93972+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
93973+ grsec_enable_chroot_nice = 1;
93974+#endif
93975+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
93976+ grsec_enable_chroot_execlog = 1;
93977+#endif
93978+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
93979+ grsec_enable_chroot_caps = 1;
93980+#endif
93981+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
93982+ grsec_enable_chroot_rename = 1;
93983+#endif
93984+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
93985+ grsec_enable_chroot_sysctl = 1;
93986+#endif
93987+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
93988+ grsec_enable_symlinkown = 1;
93989+ grsec_symlinkown_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SYMLINKOWN_GID);
93990+#endif
93991+#ifdef CONFIG_GRKERNSEC_TPE
93992+ grsec_enable_tpe = 1;
93993+ grsec_tpe_gid = KGIDT_INIT(CONFIG_GRKERNSEC_TPE_GID);
93994+#ifdef CONFIG_GRKERNSEC_TPE_ALL
93995+ grsec_enable_tpe_all = 1;
93996+#endif
93997+#endif
93998+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
93999+ grsec_enable_socket_all = 1;
94000+ grsec_socket_all_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_ALL_GID);
94001+#endif
94002+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
94003+ grsec_enable_socket_client = 1;
94004+ grsec_socket_client_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_CLIENT_GID);
94005+#endif
94006+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
94007+ grsec_enable_socket_server = 1;
94008+ grsec_socket_server_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_SERVER_GID);
94009+#endif
94010+#endif
94011+#ifdef CONFIG_GRKERNSEC_DENYUSB_FORCE
94012+ grsec_deny_new_usb = 1;
94013+#endif
94014+
94015+ return;
94016+}
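Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` under CONFIG_X86 in grsecurity_init carries no explanation, and the comment above it (`create the per-cpu shared pages`) describes the loop that follows rather than this line. The offset and length appear to match the BIOS data area keyboard buffer (head and tail pointers plus 32 bytes), which can retain keystrokes typed before boot, such as a disk or bootloader passphrase. If that is the intent, say so, e.g. `/* wipe BIOS keyboard buffer: may still hold pre-boot passphrase keystrokes */`, and name the two constants. Each `return;` after `panic()` is unreachable and can be dropped. The cast of the `__alloc_percpu()` result to `char *` for `gr_shared_page[]` discards the per-CPU annotation, so a comment that these pointers must only be dereferenced through the per-CPU accessors would help.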
94017diff --git a/grsecurity/grsec_ipc.c b/grsecurity/grsec_ipc.c
94018new file mode 100644
94019index 0000000..1773300
94020--- /dev/null
94021+++ b/grsecurity/grsec_ipc.c
94022@@ -0,0 +1,48 @@
94023+#include <linux/kernel.h>
94024+#include <linux/mm.h>
94025+#include <linux/sched.h>
94026+#include <linux/file.h>
94027+#include <linux/ipc.h>
94028+#include <linux/ipc_namespace.h>
94029+#include <linux/grsecurity.h>
94030+#include <linux/grinternal.h>
94031+
94032+int
94033+gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode)
94034+{
94035+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
94036+ int write;
94037+ int orig_granted_mode;
94038+ kuid_t euid;
94039+ kgid_t egid;
94040+
94041+ if (!grsec_enable_harden_ipc)
94042+ return 1;
94043+
94044+ euid = current_euid();
94045+ egid = current_egid();
94046+
94047+ write = requested_mode & 00002;
94048+ orig_granted_mode = ipcp->mode;
94049+
94050+ if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid))
94051+ orig_granted_mode >>= 6;
94052+ else {
94053+ /* if likely wrong permissions, lock to user */
94054+ if (orig_granted_mode & 0007)
94055+ orig_granted_mode = 0;
94056+ /* otherwise do a egid-only check */
94057+ else if (gid_eq(egid, ipcp->cgid) || gid_eq(egid, ipcp->gid))
94058+ orig_granted_mode >>= 3;
94059+ /* otherwise, no access */
94060+ else
94061+ orig_granted_mode = 0;
94062+ }
94063+ if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) &&
94064+ !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
94065+ gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid));
94066+ return 0;
94067+ }
94068+#endif
94069+ return 1;
94070+}
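Review bot: gr_ipc_permitted returns 1 for allow and 0 for deny, the reverse of the 0 / negative-errno convention used by the gr_handle_* functions in this patch, and nothing in the hunk says so. A header comment should state the return convention and that `granted_mode` is the permission the ordinary check already computed (inferred from the `requested_mode & ~granted_mode & 0007` test; the caller is not shown), so the function only vetoes requests that check would have passed. The literals `00002` and `0007` would read better as `S_IWOTH` and `S_IRWXO`. A request for both read and write is logged as `write`, because `write` is derived from `requested_mode & 00002` alone; worth a word in the comment for anyone parsing these logs.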
94071diff --git a/grsecurity/grsec_link.c b/grsecurity/grsec_link.c
94072new file mode 100644
94073index 0000000..84c44a0
94074--- /dev/null
94075+++ b/grsecurity/grsec_link.c
94076@@ -0,0 +1,65 @@
94077+#include <linux/kernel.h>
94078+#include <linux/sched.h>
94079+#include <linux/fs.h>
94080+#include <linux/file.h>
94081+#include <linux/grinternal.h>
94082+
94083+int gr_get_symlinkown_enabled(void)
94084+{
94085+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
94086+ if (grsec_enable_symlinkown && in_group_p(grsec_symlinkown_gid))
94087+ return 1;
94088+#endif
94089+ return 0;
94090+}
94091+
94092+int gr_handle_symlink_owner(const struct path *link, const struct inode *target)
94093+{
94094+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
94095+ const struct inode *link_inode = d_backing_inode(link->dentry);
94096+
94097+ if (target && !uid_eq(link_inode->i_uid, target->i_uid)) {
94098+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINKOWNER_MSG, link->dentry, link->mnt, GR_GLOBAL_UID(link_inode->i_uid), GR_GLOBAL_UID(target->i_uid));
94099+ return 1;
94100+ }
94101+#endif
94102+ return 0;
94103+}
94104+
94105+int
94106+gr_handle_follow_link(const struct dentry *dentry, const struct vfsmount *mnt)
94107+{
94108+#ifdef CONFIG_GRKERNSEC_LINK
94109+ struct inode *inode = d_backing_inode(dentry);
94110+ struct inode *parent = d_backing_inode(dentry->d_parent);
94111+ const struct cred *cred = current_cred();
94112+
94113+ if (grsec_enable_link && d_is_symlink(dentry) &&
94114+ (parent->i_mode & S_ISVTX) && !uid_eq(parent->i_uid, inode->i_uid) &&
94115+ (parent->i_mode & S_IWOTH) && !uid_eq(cred->fsuid, inode->i_uid)) {
94116+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid));
94117+ return -EACCES;
94118+ }
94119+#endif
94120+ return 0;
94121+}
94122+
94123+int
94124+gr_handle_hardlink(const struct dentry *dentry,
94125+ const struct vfsmount *mnt,
94126+ const struct filename *to)
94127+{
94128+#ifdef CONFIG_GRKERNSEC_LINK
94129+ struct inode *inode = d_backing_inode(dentry);
94130+ const struct cred *cred = current_cred();
94131+
94132+ if (grsec_enable_link && !uid_eq(cred->fsuid, inode->i_uid) &&
94133+ (!d_is_reg(dentry) || is_privileged_binary(dentry) ||
94134+ (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
94135+ !capable(CAP_FOWNER) && gr_is_global_nonroot(cred->uid)) {
94136+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid), to->name);
94137+ return -EPERM;
94138+ }
94139+#endif
94140+ return 0;
94141+}
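Review bot: gr_handle_symlink_owner does not test `grsec_enable_symlinkown` or the group itself, unlike gr_handle_follow_link and gr_handle_hardlink, which check `grsec_enable_link` inline; it presumably relies on the caller having consulted gr_get_symlinkown_enabled() first (caller not shown). That precondition deserves a comment, e.g. `/* caller must have checked gr_get_symlinkown_enabled() */`. It also returns 1 on a mismatch where its two siblings return -EACCES / -EPERM, so the return convention should be documented too. In gr_handle_follow_link, `dentry->d_parent` is read with no lock or reference visible in the hunk; whether that is stable depends on the calling context, which a comment should state.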
94142diff --git a/grsecurity/grsec_log.c b/grsecurity/grsec_log.c
94143new file mode 100644
94144index 0000000..a24b338
94145--- /dev/null
94146+++ b/grsecurity/grsec_log.c
94147@@ -0,0 +1,340 @@
94148+#include <linux/kernel.h>
94149+#include <linux/sched.h>
94150+#include <linux/file.h>
94151+#include <linux/tty.h>
94152+#include <linux/fs.h>
94153+#include <linux/mm.h>
94154+#include <linux/grinternal.h>
94155+
94156+#ifdef CONFIG_TREE_PREEMPT_RCU
94157+#define DISABLE_PREEMPT() preempt_disable()
94158+#define ENABLE_PREEMPT() preempt_enable()
94159+#else
94160+#define DISABLE_PREEMPT()
94161+#define ENABLE_PREEMPT()
94162+#endif
94163+
94164+#define BEGIN_LOCKS(x) \
94165+ DISABLE_PREEMPT(); \
94166+ rcu_read_lock(); \
94167+ read_lock(&tasklist_lock); \
94168+ read_lock(&grsec_exec_file_lock); \
94169+ if (x != GR_DO_AUDIT) \
94170+ spin_lock(&grsec_alert_lock); \
94171+ else \
94172+ spin_lock(&grsec_audit_lock)
94173+
94174+#define END_LOCKS(x) \
94175+ if (x != GR_DO_AUDIT) \
94176+ spin_unlock(&grsec_alert_lock); \
94177+ else \
94178+ spin_unlock(&grsec_audit_lock); \
94179+ read_unlock(&grsec_exec_file_lock); \
94180+ read_unlock(&tasklist_lock); \
94181+ rcu_read_unlock(); \
94182+ ENABLE_PREEMPT(); \
94183+ if (x == GR_DONT_AUDIT) \
94184+ gr_handle_alertkill(current)
94185+
94186+enum {
94187+ FLOODING,
94188+ NO_FLOODING
94189+};
94190+
94191+extern char *gr_alert_log_fmt;
94192+extern char *gr_audit_log_fmt;
94193+extern char *gr_alert_log_buf;
94194+extern char *gr_audit_log_buf;
94195+
94196+static int gr_log_start(int audit)
94197+{
94198+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
94199+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
94200+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
94201+#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
94202+ unsigned long curr_secs = get_seconds();
94203+
94204+ if (audit == GR_DO_AUDIT)
94205+ goto set_fmt;
94206+
94207+ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
94208+ grsec_alert_wtime = curr_secs;
94209+ grsec_alert_fyet = 0;
94210+ } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
94211+ && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
94212+ grsec_alert_fyet++;
94213+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
94214+ grsec_alert_wtime = curr_secs;
94215+ grsec_alert_fyet++;
94216+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
94217+ return FLOODING;
94218+ }
94219+ else return FLOODING;
94220+
94221+set_fmt:
94222+#endif
94223+ memset(buf, 0, PAGE_SIZE);
94224+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
94225+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
94226+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
94227+ } else if (current->signal->curr_ip) {
94228+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
94229+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
94230+ } else if (gr_acl_is_enabled()) {
94231+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
94232+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
94233+ } else {
94234+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
94235+ strcpy(buf, fmt);
94236+ }
94237+
94238+ return NO_FLOODING;
94239+}
94240+
94241+static void gr_log_middle(int audit, const char *msg, va_list ap)
94242+ __attribute__ ((format (printf, 2, 0)));
94243+
94244+static void gr_log_middle(int audit, const char *msg, va_list ap)
94245+{
94246+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
94247+ unsigned int len = strlen(buf);
94248+
94249+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
94250+
94251+ return;
94252+}
94253+
94254+static void gr_log_middle_varargs(int audit, const char *msg, ...)
94255+ __attribute__ ((format (printf, 2, 3)));
94256+
94257+static void gr_log_middle_varargs(int audit, const char *msg, ...)
94258+{
94259+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
94260+ unsigned int len = strlen(buf);
94261+ va_list ap;
94262+
94263+ va_start(ap, msg);
94264+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
94265+ va_end(ap);
94266+
94267+ return;
94268+}
94269+
94270+static void gr_log_end(int audit, int append_default)
94271+{
94272+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
94273+ if (append_default) {
94274+ struct task_struct *task = current;
94275+ struct task_struct *parent = task->real_parent;
94276+ const struct cred *cred = __task_cred(task);
94277+ const struct cred *pcred = __task_cred(parent);
94278+ unsigned int len = strlen(buf);
94279+
94280+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94281+ }
94282+
94283+ printk("%s\n", buf);
94284+
94285+ return;
94286+}
94287+
94288+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
94289+{
94290+ int logtype;
94291+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
94292+ char *str1 = NULL, *str2 = NULL, *str3 = NULL;
94293+ void *voidptr = NULL;
94294+ int num1 = 0, num2 = 0;
94295+ unsigned long ulong1 = 0, ulong2 = 0;
94296+ struct dentry *dentry = NULL;
94297+ struct vfsmount *mnt = NULL;
94298+ struct file *file = NULL;
94299+ struct task_struct *task = NULL;
94300+ struct vm_area_struct *vma = NULL;
94301+ const struct cred *cred, *pcred;
94302+ va_list ap;
94303+
94304+ BEGIN_LOCKS(audit);
94305+ logtype = gr_log_start(audit);
94306+ if (logtype == FLOODING) {
94307+ END_LOCKS(audit);
94308+ return;
94309+ }
94310+ va_start(ap, argtypes);
94311+ switch (argtypes) {
94312+ case GR_TTYSNIFF:
94313+ task = va_arg(ap, struct task_struct *);
94314+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task_pid_nr(task), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent));
94315+ break;
94316+ case GR_SYSCTL_HIDDEN:
94317+ str1 = va_arg(ap, char *);
94318+ gr_log_middle_varargs(audit, msg, result, str1);
94319+ break;
94320+ case GR_RBAC:
94321+ dentry = va_arg(ap, struct dentry *);
94322+ mnt = va_arg(ap, struct vfsmount *);
94323+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
94324+ break;
94325+ case GR_RBAC_STR:
94326+ dentry = va_arg(ap, struct dentry *);
94327+ mnt = va_arg(ap, struct vfsmount *);
94328+ str1 = va_arg(ap, char *);
94329+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
94330+ break;
94331+ case GR_STR_RBAC:
94332+ str1 = va_arg(ap, char *);
94333+ dentry = va_arg(ap, struct dentry *);
94334+ mnt = va_arg(ap, struct vfsmount *);
94335+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
94336+ break;
94337+ case GR_RBAC_MODE2:
94338+ dentry = va_arg(ap, struct dentry *);
94339+ mnt = va_arg(ap, struct vfsmount *);
94340+ str1 = va_arg(ap, char *);
94341+ str2 = va_arg(ap, char *);
94342+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
94343+ break;
94344+ case GR_RBAC_MODE3:
94345+ dentry = va_arg(ap, struct dentry *);
94346+ mnt = va_arg(ap, struct vfsmount *);
94347+ str1 = va_arg(ap, char *);
94348+ str2 = va_arg(ap, char *);
94349+ str3 = va_arg(ap, char *);
94350+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
94351+ break;
94352+ case GR_FILENAME:
94353+ dentry = va_arg(ap, struct dentry *);
94354+ mnt = va_arg(ap, struct vfsmount *);
94355+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
94356+ break;
94357+ case GR_STR_FILENAME:
94358+ str1 = va_arg(ap, char *);
94359+ dentry = va_arg(ap, struct dentry *);
94360+ mnt = va_arg(ap, struct vfsmount *);
94361+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
94362+ break;
94363+ case GR_FILENAME_STR:
94364+ dentry = va_arg(ap, struct dentry *);
94365+ mnt = va_arg(ap, struct vfsmount *);
94366+ str1 = va_arg(ap, char *);
94367+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
94368+ break;
94369+ case GR_FILENAME_TWO_INT:
94370+ dentry = va_arg(ap, struct dentry *);
94371+ mnt = va_arg(ap, struct vfsmount *);
94372+ num1 = va_arg(ap, int);
94373+ num2 = va_arg(ap, int);
94374+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
94375+ break;
94376+ case GR_FILENAME_TWO_INT_STR:
94377+ dentry = va_arg(ap, struct dentry *);
94378+ mnt = va_arg(ap, struct vfsmount *);
94379+ num1 = va_arg(ap, int);
94380+ num2 = va_arg(ap, int);
94381+ str1 = va_arg(ap, char *);
94382+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
94383+ break;
94384+ case GR_TEXTREL:
94385+ str1 = va_arg(ap, char *);
94386+ file = va_arg(ap, struct file *);
94387+ ulong1 = va_arg(ap, unsigned long);
94388+ ulong2 = va_arg(ap, unsigned long);
94389+ gr_log_middle_varargs(audit, msg, str1, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
94390+ break;
94391+ case GR_PTRACE:
94392+ task = va_arg(ap, struct task_struct *);
94393+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task_pid_nr(task));
94394+ break;
94395+ case GR_RESOURCE:
94396+ task = va_arg(ap, struct task_struct *);
94397+ cred = __task_cred(task);
94398+ pcred = __task_cred(task->real_parent);
94399+ ulong1 = va_arg(ap, unsigned long);
94400+ str1 = va_arg(ap, char *);
94401+ ulong2 = va_arg(ap, unsigned long);
94402+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94403+ break;
94404+ case GR_CAP:
94405+ task = va_arg(ap, struct task_struct *);
94406+ cred = __task_cred(task);
94407+ pcred = __task_cred(task->real_parent);
94408+ str1 = va_arg(ap, char *);
94409+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94410+ break;
94411+ case GR_SIG:
94412+ str1 = va_arg(ap, char *);
94413+ voidptr = va_arg(ap, void *);
94414+ gr_log_middle_varargs(audit, msg, str1, voidptr);
94415+ break;
94416+ case GR_SIG2:
94417+ task = va_arg(ap, struct task_struct *);
94418+ cred = __task_cred(task);
94419+ pcred = __task_cred(task->real_parent);
94420+ num1 = va_arg(ap, int);
94421+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94422+ break;
94423+ case GR_CRASH1:
94424+ task = va_arg(ap, struct task_struct *);
94425+ cred = __task_cred(task);
94426+ pcred = __task_cred(task->real_parent);
94427+ ulong1 = va_arg(ap, unsigned long);
94428+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), GR_GLOBAL_UID(cred->uid), ulong1);
94429+ break;
94430+ case GR_CRASH2:
94431+ task = va_arg(ap, struct task_struct *);
94432+ cred = __task_cred(task);
94433+ pcred = __task_cred(task->real_parent);
94434+ ulong1 = va_arg(ap, unsigned long);
94435+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), ulong1);
94436+ break;
94437+ case GR_RWXMAP:
94438+ file = va_arg(ap, struct file *);
94439+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
94440+ break;
94441+ case GR_RWXMAPVMA:
94442+ vma = va_arg(ap, struct vm_area_struct *);
94443+ if (vma->vm_file)
94444+ str1 = gr_to_filename(vma->vm_file->f_path.dentry, vma->vm_file->f_path.mnt);
94445+ else if (vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
94446+ str1 = "<stack>";
94447+ else if (vma->vm_start <= current->mm->brk &&
94448+ vma->vm_end >= current->mm->start_brk)
94449+ str1 = "<heap>";
94450+ else
94451+ str1 = "<anonymous mapping>";
94452+ gr_log_middle_varargs(audit, msg, str1);
94453+ break;
94454+ case GR_PSACCT:
94455+ {
94456+ unsigned int wday, cday;
94457+ __u8 whr, chr;
94458+ __u8 wmin, cmin;
94459+ __u8 wsec, csec;
94460+
94461+ task = va_arg(ap, struct task_struct *);
94462+ wday = va_arg(ap, unsigned int);
94463+ cday = va_arg(ap, unsigned int);
94464+ whr = va_arg(ap, int);
94465+ chr = va_arg(ap, int);
94466+ wmin = va_arg(ap, int);
94467+ cmin = va_arg(ap, int);
94468+ wsec = va_arg(ap, int);
94469+ csec = va_arg(ap, int);
94470+ ulong1 = va_arg(ap, unsigned long);
94471+ cred = __task_cred(task);
94472+ pcred = __task_cred(task->real_parent);
94473+
94474+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), &task->signal->curr_ip, tty_name(task->signal->tty), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94475+ }
94476+ break;
94477+ default:
94478+ gr_log_middle(audit, msg, ap);
94479+ }
94480+ va_end(ap);
94481+ // these don't need DEFAULTSECARGS printed on the end
94482+ if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
94483+ gr_log_end(audit, 0);
94484+ else
94485+ gr_log_end(audit, 1);
94486+ END_LOCKS(audit);
94487+}
94488diff --git a/grsecurity/grsec_mem.c b/grsecurity/grsec_mem.c
94489new file mode 100644
94490index 0000000..0e39d8c7
94491--- /dev/null
94492+++ b/grsecurity/grsec_mem.c
94493@@ -0,0 +1,48 @@
94494+#include <linux/kernel.h>
94495+#include <linux/sched.h>
94496+#include <linux/mm.h>
94497+#include <linux/mman.h>
94498+#include <linux/module.h>
94499+#include <linux/grinternal.h>
94500+
94501+void gr_handle_msr_write(void)
94502+{
94503+ gr_log_noargs(GR_DONT_AUDIT, GR_MSRWRITE_MSG);
94504+ return;
94505+}
94506+EXPORT_SYMBOL_GPL(gr_handle_msr_write);
94507+
94508+void
94509+gr_handle_ioperm(void)
94510+{
94511+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
94512+ return;
94513+}
94514+
94515+void
94516+gr_handle_iopl(void)
94517+{
94518+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
94519+ return;
94520+}
94521+
94522+void
94523+gr_handle_mem_readwrite(u64 from, u64 to)
94524+{
94525+ gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
94526+ return;
94527+}
94528+
94529+void
94530+gr_handle_vm86(void)
94531+{
94532+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
94533+ return;
94534+}
94535+
94536+void
94537+gr_log_badprocpid(const char *entry)
94538+{
94539+ gr_log_str(GR_DONT_AUDIT, GR_BADPROCPID_MSG, entry);
94540+ return;
94541+}
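Review bot: None of the six functions in this new file carries a comment, and the `gr_handle_*` names read as if they enforce something while every body shown only emits a log record through `gr_log_noargs`, `gr_log_two_u64` or `gr_log_str`. A one-line header on each, along the lines of `/* Log-only hook; the decision to deny is made by the caller. */`, would tell a reader where enforcement lives. That wording is inferred from the bodies, so confirm it against the call sites. The trailing `return;` at the end of each void function is redundant and can be dropped; the same pattern recurs in grsec_mount.c, grsec_pax.c and grsec_ptrace.c.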
94542diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
94543new file mode 100644
94544index 0000000..fe02bf4
94545--- /dev/null
94546+++ b/grsecurity/grsec_mount.c
94547@@ -0,0 +1,65 @@
94548+#include <linux/kernel.h>
94549+#include <linux/sched.h>
94550+#include <linux/mount.h>
94551+#include <linux/major.h>
94552+#include <linux/grsecurity.h>
94553+#include <linux/grinternal.h>
94554+
94555+void
94556+gr_log_remount(const char *devname, const int retval)
94557+{
94558+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
94559+ if (grsec_enable_mount && (retval >= 0))
94560+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
94561+#endif
94562+ return;
94563+}
94564+
94565+void
94566+gr_log_unmount(const char *devname, const int retval)
94567+{
94568+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
94569+ if (grsec_enable_mount && (retval >= 0))
94570+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
94571+#endif
94572+ return;
94573+}
94574+
94575+void
94576+gr_log_mount(const char *from, struct path *to, const int retval)
94577+{
94578+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
94579+ if (grsec_enable_mount && (retval >= 0))
94580+ gr_log_str_fs(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to->dentry, to->mnt);
94581+#endif
94582+ return;
94583+}
94584+
94585+int
94586+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
94587+{
94588+#ifdef CONFIG_GRKERNSEC_ROFS
94589+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
94590+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
94591+ return -EPERM;
94592+ } else
94593+ return 0;
94594+#endif
94595+ return 0;
94596+}
94597+
94598+int
94599+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
94600+{
94601+#ifdef CONFIG_GRKERNSEC_ROFS
94602+ struct inode *inode = d_backing_inode(dentry);
94603+
94604+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
94605+ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
94606+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
94607+ return -EPERM;
94608+ } else
94609+ return 0;
94610+#endif
94611+ return 0;
94612+}
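Review bot: In `gr_handle_rofs_mount` and `gr_handle_rofs_blockwrite` the `else return 0;` branch makes the `return 0;` after `#endif` unreachable whenever CONFIG_GRKERNSEC_ROFS is set, which hides the fact that allow is the default outcome. Dropping the `else` leaves one fall-through path: the block ends with `return -EPERM; }`, then `#endif`, then `return 0;`. It would also help to comment that `gr_handle_rofs_blockwrite` only covers block devices and character devices whose major is `RAW_MAJOR`, so a reader does not assume writes to other device nodes are refused here.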
94613diff --git a/grsecurity/grsec_pax.c b/grsecurity/grsec_pax.c
94614new file mode 100644
94615index 0000000..2ad7b96
94616--- /dev/null
94617+++ b/grsecurity/grsec_pax.c
94618@@ -0,0 +1,47 @@
94619+#include <linux/kernel.h>
94620+#include <linux/sched.h>
94621+#include <linux/mm.h>
94622+#include <linux/file.h>
94623+#include <linux/grinternal.h>
94624+#include <linux/grsecurity.h>
94625+
94626+void
94627+gr_log_textrel(struct vm_area_struct * vma, bool is_textrel_rw)
94628+{
94629+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94630+ if (grsec_enable_log_rwxmaps)
94631+ gr_log_textrel_ulong_ulong(GR_DONT_AUDIT, GR_TEXTREL_AUDIT_MSG,
94632+ is_textrel_rw ? "executable to writable" : "writable to executable",
94633+ vma->vm_file, vma->vm_start, vma->vm_pgoff);
94634+#endif
94635+ return;
94636+}
94637+
94638+void gr_log_ptgnustack(struct file *file)
94639+{
94640+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94641+ if (grsec_enable_log_rwxmaps)
94642+ gr_log_rwxmap(GR_DONT_AUDIT, GR_PTGNUSTACK_MSG, file);
94643+#endif
94644+ return;
94645+}
94646+
94647+void
94648+gr_log_rwxmmap(struct file *file)
94649+{
94650+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94651+ if (grsec_enable_log_rwxmaps)
94652+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
94653+#endif
94654+ return;
94655+}
94656+
94657+void
94658+gr_log_rwxmprotect(struct vm_area_struct *vma)
94659+{
94660+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94661+ if (grsec_enable_log_rwxmaps)
94662+ gr_log_rwxmap_vma(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, vma);
94663+#endif
94664+ return;
94665+}
94666diff --git a/grsecurity/grsec_proc.c b/grsecurity/grsec_proc.c
94667new file mode 100644
94668index 0000000..2005a3a
94669--- /dev/null
94670+++ b/grsecurity/grsec_proc.c
94671@@ -0,0 +1,20 @@
94672+#include <linux/kernel.h>
94673+#include <linux/sched.h>
94674+#include <linux/grsecurity.h>
94675+#include <linux/grinternal.h>
94676+
94677+int gr_proc_is_restricted(void)
94678+{
94679+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
94680+ const struct cred *cred = current_cred();
94681+#endif
94682+
94683+#ifdef CONFIG_GRKERNSEC_PROC_USER
94684+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
94685+ return -EACCES;
94686+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
94687+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid))
94688+ return -EACCES;
94689+#endif
94690+ return 0;
94691+}
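Review bot: `gr_proc_is_restricted` is named like a predicate but returns `0` or `-EACCES`, and nothing in the file states which convention callers should rely on. A header comment such as `/* Returns 0 if the current task is not restricted, -EACCES otherwise. */` would pin the contract. The comment should also record that the check uses `fsuid` rather than `euid`, and that when both CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP are defined the `#ifdef`/`#elif` order selects the user-only check and `grsec_proc_gid` is ignored.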
94692diff --git a/grsecurity/grsec_ptrace.c b/grsecurity/grsec_ptrace.c
94693new file mode 100644
94694index 0000000..304c518
94695--- /dev/null
94696+++ b/grsecurity/grsec_ptrace.c
94697@@ -0,0 +1,30 @@
94698+#include <linux/kernel.h>
94699+#include <linux/sched.h>
94700+#include <linux/grinternal.h>
94701+#include <linux/security.h>
94702+
94703+void
94704+gr_audit_ptrace(struct task_struct *task)
94705+{
94706+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
94707+ if (grsec_enable_audit_ptrace)
94708+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
94709+#endif
94710+ return;
94711+}
94712+
94713+int
94714+gr_ptrace_readexec(struct file *file, int unsafe_flags)
94715+{
94716+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
94717+ const struct dentry *dentry = file->f_path.dentry;
94718+ const struct vfsmount *mnt = file->f_path.mnt;
94719+
94720+ if (grsec_enable_ptrace_readexec && (unsafe_flags & LSM_UNSAFE_PTRACE) &&
94721+ (inode_permission(d_backing_inode(dentry), MAY_READ) || !gr_acl_handle_open(dentry, mnt, MAY_READ))) {
94722+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_READEXEC_MSG, dentry, mnt);
94723+ return -EACCES;
94724+ }
94725+#endif
94726+ return 0;
94727+}
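Review bot: `gr_ptrace_readexec` dereferences `file->f_path` before any check, so it depends on every caller passing a non-NULL `file`, and that precondition is not written down anywhere in the hunk. A short header would cover it together with the intent, for example `/* file must be non-NULL. Returns -EACCES when LSM_UNSAFE_PTRACE is set and the file is not readable by the current task. */`. The second sentence is my reading of the condition, so adjust it if the policy differs. The two halves of the `||` also use opposite conventions (`inode_permission()` is nonzero on denial, `gr_acl_handle_open()` is negated), and a why-comment on that line would spare the next reader from re-deriving it.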
94728diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
94729new file mode 100644
94730index 0000000..3860c7e
94731--- /dev/null
94732+++ b/grsecurity/grsec_sig.c
94733@@ -0,0 +1,236 @@
94734+#include <linux/kernel.h>
94735+#include <linux/sched.h>
94736+#include <linux/fs.h>
94737+#include <linux/delay.h>
94738+#include <linux/grsecurity.h>
94739+#include <linux/grinternal.h>
94740+#include <linux/hardirq.h>
94741+
94742+char *signames[] = {
94743+ [SIGSEGV] = "Segmentation fault",
94744+ [SIGILL] = "Illegal instruction",
94745+ [SIGABRT] = "Abort",
94746+ [SIGBUS] = "Invalid alignment/Bus error"
94747+};
94748+
94749+void
94750+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
94751+{
94752+#ifdef CONFIG_GRKERNSEC_SIGNAL
94753+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
94754+ (sig == SIGABRT) || (sig == SIGBUS))) {
94755+ if (task_pid_nr(t) == task_pid_nr(current)) {
94756+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
94757+ } else {
94758+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
94759+ }
94760+ }
94761+#endif
94762+ return;
94763+}
94764+
94765+int
94766+gr_handle_signal(const struct task_struct *p, const int sig)
94767+{
94768+#ifdef CONFIG_GRKERNSEC
94769+ /* ignore the 0 signal for protected task checks */
94770+ if (task_pid_nr(current) > 1 && sig && gr_check_protected_task(p)) {
94771+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
94772+ return -EPERM;
94773+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
94774+ return -EPERM;
94775+ }
94776+#endif
94777+ return 0;
94778+}
94779+
94780+#ifdef CONFIG_GRKERNSEC
94781+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
94782+
94783+int gr_fake_force_sig(int sig, struct task_struct *t)
94784+{
94785+ unsigned long int flags;
94786+ int ret, blocked, ignored;
94787+ struct k_sigaction *action;
94788+
94789+ spin_lock_irqsave(&t->sighand->siglock, flags);
94790+ action = &t->sighand->action[sig-1];
94791+ ignored = action->sa.sa_handler == SIG_IGN;
94792+ blocked = sigismember(&t->blocked, sig);
94793+ if (blocked || ignored) {
94794+ action->sa.sa_handler = SIG_DFL;
94795+ if (blocked) {
94796+ sigdelset(&t->blocked, sig);
94797+ recalc_sigpending_and_wake(t);
94798+ }
94799+ }
94800+ if (action->sa.sa_handler == SIG_DFL)
94801+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
94802+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
94803+
94804+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
94805+
94806+ return ret;
94807+}
94808+#endif
94809+
94810+#define GR_USER_BAN_TIME (15 * 60)
94811+#define GR_DAEMON_BRUTE_TIME (30 * 60)
94812+
94813+void gr_handle_brute_attach(int dumpable)
94814+{
94815+#ifdef CONFIG_GRKERNSEC_BRUTE
94816+ struct task_struct *p = current;
94817+ kuid_t uid = GLOBAL_ROOT_UID;
94818+ int daemon = 0;
94819+
94820+ if (!grsec_enable_brute)
94821+ return;
94822+
94823+ rcu_read_lock();
94824+ read_lock(&tasklist_lock);
94825+ read_lock(&grsec_exec_file_lock);
94826+ if (p->real_parent && gr_is_same_file(p->real_parent->exec_file, p->exec_file)) {
94827+ p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
94828+ p->real_parent->brute = 1;
94829+ daemon = 1;
94830+ } else {
94831+ const struct cred *cred = __task_cred(p), *cred2;
94832+ struct task_struct *tsk, *tsk2;
94833+
94834+ if (dumpable != SUID_DUMP_USER && gr_is_global_nonroot(cred->uid)) {
94835+ struct user_struct *user;
94836+
94837+ uid = cred->uid;
94838+
94839+ /* this is put upon execution past expiration */
94840+ user = find_user(uid);
94841+ if (user == NULL)
94842+ goto unlock;
94843+ user->suid_banned = 1;
94844+ user->suid_ban_expires = get_seconds() + GR_USER_BAN_TIME;
94845+ if (user->suid_ban_expires == ~0UL)
94846+ user->suid_ban_expires--;
94847+
94848+ /* only kill other threads of the same binary, from the same user */
94849+ do_each_thread(tsk2, tsk) {
94850+ cred2 = __task_cred(tsk);
94851+ if (tsk != p && uid_eq(cred2->uid, uid) && gr_is_same_file(tsk->exec_file, p->exec_file))
94852+ gr_fake_force_sig(SIGKILL, tsk);
94853+ } while_each_thread(tsk2, tsk);
94854+ }
94855+ }
94856+unlock:
94857+ read_unlock(&grsec_exec_file_lock);
94858+ read_unlock(&tasklist_lock);
94859+ rcu_read_unlock();
94860+
94861+ if (gr_is_global_nonroot(uid))
94862+ gr_log_fs_int2(GR_DONT_AUDIT, GR_BRUTE_SUID_MSG, p->exec_file->f_path.dentry, p->exec_file->f_path.mnt, GR_GLOBAL_UID(uid), GR_USER_BAN_TIME / 60);
94863+ else if (daemon)
94864+ gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
94865+
94866+#endif
94867+ return;
94868+}
94869+
94870+void gr_handle_brute_check(void)
94871+{
94872+#ifdef CONFIG_GRKERNSEC_BRUTE
94873+ struct task_struct *p = current;
94874+
94875+ if (unlikely(p->brute)) {
94876+ if (!grsec_enable_brute)
94877+ p->brute = 0;
94878+ else if (time_before(get_seconds(), p->brute_expires))
94879+ msleep(30 * 1000);
94880+ }
94881+#endif
94882+ return;
94883+}
94884+
94885+void gr_handle_kernel_exploit(void)
94886+{
94887+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94888+ const struct cred *cred;
94889+ struct task_struct *tsk, *tsk2;
94890+ struct user_struct *user;
94891+ kuid_t uid;
94892+
94893+ if (in_irq() || in_serving_softirq() || in_nmi())
94894+ panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
94895+
94896+ uid = current_uid();
94897+
94898+ if (gr_is_global_root(uid))
94899+ panic("grsec: halting the system due to suspicious kernel crash caused by root");
94900+ else {
94901+ /* kill all the processes of this user, hold a reference
94902+ to their creds struct, and prevent them from creating
94903+ another process until system reset
94904+ */
94905+ printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n",
94906+ GR_GLOBAL_UID(uid));
94907+ /* we intentionally leak this ref */
94908+ user = get_uid(current->cred->user);
94909+ if (user)
94910+ user->kernel_banned = 1;
94911+
94912+ /* kill all processes of this user */
94913+ read_lock(&tasklist_lock);
94914+ do_each_thread(tsk2, tsk) {
94915+ cred = __task_cred(tsk);
94916+ if (uid_eq(cred->uid, uid))
94917+ gr_fake_force_sig(SIGKILL, tsk);
94918+ } while_each_thread(tsk2, tsk);
94919+ read_unlock(&tasklist_lock);
94920+ }
94921+#endif
94922+}
94923+
94924+#ifdef CONFIG_GRKERNSEC_BRUTE
94925+static bool suid_ban_expired(struct user_struct *user)
94926+{
94927+ if (user->suid_ban_expires != ~0UL && time_after_eq(get_seconds(), user->suid_ban_expires)) {
94928+ user->suid_banned = 0;
94929+ user->suid_ban_expires = 0;
94930+ free_uid(user);
94931+ return true;
94932+ }
94933+
94934+ return false;
94935+}
94936+#endif
94937+
94938+int gr_process_kernel_exec_ban(void)
94939+{
94940+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94941+ if (unlikely(current->cred->user->kernel_banned))
94942+ return -EPERM;
94943+#endif
94944+ return 0;
94945+}
94946+
94947+int gr_process_kernel_setuid_ban(struct user_struct *user)
94948+{
94949+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94950+ if (unlikely(user->kernel_banned))
94951+ gr_fake_force_sig(SIGKILL, current);
94952+#endif
94953+ return 0;
94954+}
94955+
94956+int gr_process_suid_exec_ban(const struct linux_binprm *bprm)
94957+{
94958+#ifdef CONFIG_GRKERNSEC_BRUTE
94959+ struct user_struct *user = current->cred->user;
94960+ if (unlikely(user->suid_banned)) {
94961+ if (suid_ban_expired(user))
94962+ return 0;
94963+ /* disallow execution of suid binaries only */
94964+ else if (!uid_eq(bprm->cred->euid, current->cred->uid))
94965+ return -EPERM;
94966+ }
94967+#endif
94968+ return 0;
94969+}
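Review bot: `gr_handle_kernel_exploit` calls `__task_cred(tsk)` inside its thread walk while holding only `tasklist_lock`, whereas `gr_handle_brute_attach` in the same file wraps the equivalent walk in `rcu_read_lock()`; the credentials pointer is RCU-protected, so the two paths should agree. Adding `rcu_read_lock();` before `read_lock(&tasklist_lock);` and `rcu_read_unlock();` after `read_unlock(&tasklist_lock);` would make them consistent. Separately, `gr_handle_brute_attach` takes a fresh reference through `find_user(uid)` on every call but `suid_ban_expired` releases only one with `free_uid(user)`, so a user who trips the ban repeatedly before it expires appears to leak references. Calling `free_uid(user)` straight away when `user->suid_banned` is already set would balance the count. The final `gr_log_fs_int2` call also reads `p->exec_file` after `grsec_exec_file_lock` has been released, which needs either a comment on why that is safe or the dereference moved under the lock.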
94970diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c
94971new file mode 100644
94972index 0000000..a523bd2
94973--- /dev/null
94974+++ b/grsecurity/grsec_sock.c
94975@@ -0,0 +1,244 @@
94976+#include <linux/kernel.h>
94977+#include <linux/module.h>
94978+#include <linux/sched.h>
94979+#include <linux/file.h>
94980+#include <linux/net.h>
94981+#include <linux/in.h>
94982+#include <linux/ip.h>
94983+#include <net/sock.h>
94984+#include <net/inet_sock.h>
94985+#include <linux/grsecurity.h>
94986+#include <linux/grinternal.h>
94987+#include <linux/gracl.h>
94988+
94989+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
94990+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
94991+
94992+EXPORT_SYMBOL_GPL(gr_search_udp_recvmsg);
94993+EXPORT_SYMBOL_GPL(gr_search_udp_sendmsg);
94994+
94995+#ifdef CONFIG_UNIX_MODULE
94996+EXPORT_SYMBOL_GPL(gr_acl_handle_unix);
94997+EXPORT_SYMBOL_GPL(gr_acl_handle_mknod);
94998+EXPORT_SYMBOL_GPL(gr_handle_chroot_unix);
94999+EXPORT_SYMBOL_GPL(gr_handle_create);
95000+#endif
95001+
95002+#ifdef CONFIG_GRKERNSEC
95003+#define gr_conn_table_size 32749
95004+struct conn_table_entry {
95005+ struct conn_table_entry *next;
95006+ struct signal_struct *sig;
95007+};
95008+
95009+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
95010+DEFINE_SPINLOCK(gr_conn_table_lock);
95011+
95012+extern const char * gr_socktype_to_name(unsigned char type);
95013+extern const char * gr_proto_to_name(unsigned char proto);
95014+extern const char * gr_sockfamily_to_name(unsigned char family);
95015+
95016+static int
95017+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
95018+{
95019+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
95020+}
95021+
95022+static int
95023+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
95024+ __u16 sport, __u16 dport)
95025+{
95026+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
95027+ sig->gr_sport == sport && sig->gr_dport == dport))
95028+ return 1;
95029+ else
95030+ return 0;
95031+}
95032+
95033+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
95034+{
95035+ struct conn_table_entry **match;
95036+ unsigned int index;
95037+
95038+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
95039+ sig->gr_sport, sig->gr_dport,
95040+ gr_conn_table_size);
95041+
95042+ newent->sig = sig;
95043+
95044+ match = &gr_conn_table[index];
95045+ newent->next = *match;
95046+ *match = newent;
95047+
95048+ return;
95049+}
95050+
95051+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
95052+{
95053+ struct conn_table_entry *match, *last = NULL;
95054+ unsigned int index;
95055+
95056+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
95057+ sig->gr_sport, sig->gr_dport,
95058+ gr_conn_table_size);
95059+
95060+ match = gr_conn_table[index];
95061+ while (match && !conn_match(match->sig,
95062+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
95063+ sig->gr_dport)) {
95064+ last = match;
95065+ match = match->next;
95066+ }
95067+
95068+ if (match) {
95069+ if (last)
95070+ last->next = match->next;
95071+ else
95072+ gr_conn_table[index] = NULL;
95073+ kfree(match);
95074+ }
95075+
95076+ return;
95077+}
95078+
95079+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
95080+ __u16 sport, __u16 dport)
95081+{
95082+ struct conn_table_entry *match;
95083+ unsigned int index;
95084+
95085+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
95086+
95087+ match = gr_conn_table[index];
95088+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
95089+ match = match->next;
95090+
95091+ if (match)
95092+ return match->sig;
95093+ else
95094+ return NULL;
95095+}
95096+
95097+#endif
95098+
95099+void gr_update_task_in_ip_table(const struct inet_sock *inet)
95100+{
95101+#ifdef CONFIG_GRKERNSEC
95102+ struct signal_struct *sig = current->signal;
95103+ struct conn_table_entry *newent;
95104+
95105+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
95106+ if (newent == NULL)
95107+ return;
95108+ /* no bh lock needed since we are called with bh disabled */
95109+ spin_lock(&gr_conn_table_lock);
95110+ gr_del_task_from_ip_table_nolock(sig);
95111+ sig->gr_saddr = inet->inet_rcv_saddr;
95112+ sig->gr_daddr = inet->inet_daddr;
95113+ sig->gr_sport = inet->inet_sport;
95114+ sig->gr_dport = inet->inet_dport;
95115+ gr_add_to_task_ip_table_nolock(sig, newent);
95116+ spin_unlock(&gr_conn_table_lock);
95117+#endif
95118+ return;
95119+}
95120+
95121+void gr_del_task_from_ip_table(struct task_struct *task)
95122+{
95123+#ifdef CONFIG_GRKERNSEC
95124+ spin_lock_bh(&gr_conn_table_lock);
95125+ gr_del_task_from_ip_table_nolock(task->signal);
95126+ spin_unlock_bh(&gr_conn_table_lock);
95127+#endif
95128+ return;
95129+}
95130+
95131+void
95132+gr_attach_curr_ip(const struct sock *sk)
95133+{
95134+#ifdef CONFIG_GRKERNSEC
95135+ struct signal_struct *p, *set;
95136+ const struct inet_sock *inet = inet_sk(sk);
95137+
95138+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
95139+ return;
95140+
95141+ set = current->signal;
95142+
95143+ spin_lock_bh(&gr_conn_table_lock);
95144+ p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
95145+ inet->inet_dport, inet->inet_sport);
95146+ if (unlikely(p != NULL)) {
95147+ set->curr_ip = p->curr_ip;
95148+ set->used_accept = 1;
95149+ gr_del_task_from_ip_table_nolock(p);
95150+ spin_unlock_bh(&gr_conn_table_lock);
95151+ return;
95152+ }
95153+ spin_unlock_bh(&gr_conn_table_lock);
95154+
95155+ set->curr_ip = inet->inet_daddr;
95156+ set->used_accept = 1;
95157+#endif
95158+ return;
95159+}
95160+
95161+int
95162+gr_handle_sock_all(const int family, const int type, const int protocol)
95163+{
95164+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
95165+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
95166+ (family != AF_UNIX)) {
95167+ if (family == AF_INET)
95168+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
95169+ else
95170+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
95171+ return -EACCES;
95172+ }
95173+#endif
95174+ return 0;
95175+}
95176+
95177+int
95178+gr_handle_sock_server(const struct sockaddr *sck)
95179+{
95180+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
95181+ if (grsec_enable_socket_server &&
95182+ in_group_p(grsec_socket_server_gid) &&
95183+ sck && (sck->sa_family != AF_UNIX) &&
95184+ (sck->sa_family != AF_LOCAL)) {
95185+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
95186+ return -EACCES;
95187+ }
95188+#endif
95189+ return 0;
95190+}
95191+
95192+int
95193+gr_handle_sock_server_other(const struct sock *sck)
95194+{
95195+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
95196+ if (grsec_enable_socket_server &&
95197+ in_group_p(grsec_socket_server_gid) &&
95198+ sck && (sck->sk_family != AF_UNIX) &&
95199+ (sck->sk_family != AF_LOCAL)) {
95200+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
95201+ return -EACCES;
95202+ }
95203+#endif
95204+ return 0;
95205+}
95206+
95207+int
95208+gr_handle_sock_client(const struct sockaddr *sck)
95209+{
95210+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
95211+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
95212+ sck && (sck->sa_family != AF_UNIX) &&
95213+ (sck->sa_family != AF_LOCAL)) {
95214+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
95215+ return -EACCES;
95216+ }
95217+#endif
95218+ return 0;
95219+}
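Review bot: `gr_del_task_from_ip_table_nolock` discards the whole bucket when the matching entry is the head of the chain, because the `else` branch sets `gr_conn_table[index] = NULL`. `gr_add_to_task_ip_table_nolock` pushes new entries at the head, so any entries behind the removed one become unreachable, are never passed to `kfree`, and can no longer be found by `gr_lookup_task_ip_table`. The practical effect is leaked memory plus lost source-address attribution for other connections hashing to that bucket. The branch should unlink only the matched node: `gr_conn_table[index] = match->next;`. A smaller point in `conn_hash`: `dport << 16` shifts a value promoted to `int`, which overflows for ports at or above 0x8000, and writing `((__u32)dport << 16)` keeps the arithmetic unsigned.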
95220diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
95221new file mode 100644
95222index 0000000..aaec43c
95223--- /dev/null
95224+++ b/grsecurity/grsec_sysctl.c
95225@@ -0,0 +1,488 @@
95226+#include <linux/kernel.h>
95227+#include <linux/sched.h>
95228+#include <linux/sysctl.h>
95229+#include <linux/grsecurity.h>
95230+#include <linux/grinternal.h>
95231+
95232+int
95233+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
95234+{
95235+#ifdef CONFIG_GRKERNSEC_SYSCTL
95236+ if (dirname == NULL || name == NULL)
95237+ return 0;
95238+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
95239+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
95240+ return -EACCES;
95241+ }
95242+#endif
95243+ return 0;
95244+}
95245+
95246+#if defined(CONFIG_GRKERNSEC_ROFS) || defined(CONFIG_GRKERNSEC_DENYUSB)
95247+static int __maybe_unused __read_only one = 1;
95248+#endif
95249+
95250+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) || \
95251+ defined(CONFIG_GRKERNSEC_DENYUSB)
95252+struct ctl_table grsecurity_table[] = {
95253+#ifdef CONFIG_GRKERNSEC_SYSCTL
95254+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
95255+#ifdef CONFIG_GRKERNSEC_IO
95256+ {
95257+ .procname = "disable_priv_io",
95258+ .data = &grsec_disable_privio,
95259+ .maxlen = sizeof(int),
95260+ .mode = 0600,
95261+ .proc_handler = &proc_dointvec_secure,
95262+ },
95263+#endif
95264+#endif
95265+#ifdef CONFIG_GRKERNSEC_LINK
95266+ {
95267+ .procname = "linking_restrictions",
95268+ .data = &grsec_enable_link,
95269+ .maxlen = sizeof(int),
95270+ .mode = 0600,
95271+ .proc_handler = &proc_dointvec_secure,
95272+ },
95273+#endif
95274+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
95275+ {
95276+ .procname = "enforce_symlinksifowner",
95277+ .data = &grsec_enable_symlinkown,
95278+ .maxlen = sizeof(int),
95279+ .mode = 0600,
95280+ .proc_handler = &proc_dointvec_secure,
95281+ },
95282+ {
95283+ .procname = "symlinkown_gid",
95284+ .data = &grsec_symlinkown_gid,
95285+ .maxlen = sizeof(int),
95286+ .mode = 0600,
95287+ .proc_handler = &proc_dointvec_secure,
95288+ },
95289+#endif
95290+#ifdef CONFIG_GRKERNSEC_BRUTE
95291+ {
95292+ .procname = "deter_bruteforce",
95293+ .data = &grsec_enable_brute,
95294+ .maxlen = sizeof(int),
95295+ .mode = 0600,
95296+ .proc_handler = &proc_dointvec_secure,
95297+ },
95298+#endif
95299+#ifdef CONFIG_GRKERNSEC_FIFO
95300+ {
95301+ .procname = "fifo_restrictions",
95302+ .data = &grsec_enable_fifo,
95303+ .maxlen = sizeof(int),
95304+ .mode = 0600,
95305+ .proc_handler = &proc_dointvec_secure,
95306+ },
95307+#endif
95308+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
95309+ {
95310+ .procname = "ptrace_readexec",
95311+ .data = &grsec_enable_ptrace_readexec,
95312+ .maxlen = sizeof(int),
95313+ .mode = 0600,
95314+ .proc_handler = &proc_dointvec_secure,
95315+ },
95316+#endif
95317+#ifdef CONFIG_GRKERNSEC_SETXID
95318+ {
95319+ .procname = "consistent_setxid",
95320+ .data = &grsec_enable_setxid,
95321+ .maxlen = sizeof(int),
95322+ .mode = 0600,
95323+ .proc_handler = &proc_dointvec_secure,
95324+ },
95325+#endif
95326+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
95327+ {
95328+ .procname = "ip_blackhole",
95329+ .data = &grsec_enable_blackhole,
95330+ .maxlen = sizeof(int),
95331+ .mode = 0600,
95332+ .proc_handler = &proc_dointvec_secure,
95333+ },
95334+ {
95335+ .procname = "lastack_retries",
95336+ .data = &grsec_lastack_retries,
95337+ .maxlen = sizeof(int),
95338+ .mode = 0600,
95339+ .proc_handler = &proc_dointvec_secure,
95340+ },
95341+#endif
95342+#ifdef CONFIG_GRKERNSEC_EXECLOG
95343+ {
95344+ .procname = "exec_logging",
95345+ .data = &grsec_enable_execlog,
95346+ .maxlen = sizeof(int),
95347+ .mode = 0600,
95348+ .proc_handler = &proc_dointvec_secure,
95349+ },
95350+#endif
95351+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
95352+ {
95353+ .procname = "rwxmap_logging",
95354+ .data = &grsec_enable_log_rwxmaps,
95355+ .maxlen = sizeof(int),
95356+ .mode = 0600,
95357+ .proc_handler = &proc_dointvec_secure,
95358+ },
95359+#endif
95360+#ifdef CONFIG_GRKERNSEC_SIGNAL
95361+ {
95362+ .procname = "signal_logging",
95363+ .data = &grsec_enable_signal,
95364+ .maxlen = sizeof(int),
95365+ .mode = 0600,
95366+ .proc_handler = &proc_dointvec_secure,
95367+ },
95368+#endif
95369+#ifdef CONFIG_GRKERNSEC_FORKFAIL
95370+ {
95371+ .procname = "forkfail_logging",
95372+ .data = &grsec_enable_forkfail,
95373+ .maxlen = sizeof(int),
95374+ .mode = 0600,
95375+ .proc_handler = &proc_dointvec_secure,
95376+ },
95377+#endif
95378+#ifdef CONFIG_GRKERNSEC_TIME
95379+ {
95380+ .procname = "timechange_logging",
95381+ .data = &grsec_enable_time,
95382+ .maxlen = sizeof(int),
95383+ .mode = 0600,
95384+ .proc_handler = &proc_dointvec_secure,
95385+ },
95386+#endif
95387+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
95388+ {
95389+ .procname = "chroot_deny_shmat",
95390+ .data = &grsec_enable_chroot_shmat,
95391+ .maxlen = sizeof(int),
95392+ .mode = 0600,
95393+ .proc_handler = &proc_dointvec_secure,
95394+ },
95395+#endif
95396+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
95397+ {
95398+ .procname = "chroot_deny_unix",
95399+ .data = &grsec_enable_chroot_unix,
95400+ .maxlen = sizeof(int),
95401+ .mode = 0600,
95402+ .proc_handler = &proc_dointvec_secure,
95403+ },
95404+#endif
95405+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
95406+ {
95407+ .procname = "chroot_deny_mount",
95408+ .data = &grsec_enable_chroot_mount,
95409+ .maxlen = sizeof(int),
95410+ .mode = 0600,
95411+ .proc_handler = &proc_dointvec_secure,
95412+ },
95413+#endif
95414+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
95415+ {
95416+ .procname = "chroot_deny_fchdir",
95417+ .data = &grsec_enable_chroot_fchdir,
95418+ .maxlen = sizeof(int),
95419+ .mode = 0600,
95420+ .proc_handler = &proc_dointvec_secure,
95421+ },
95422+#endif
95423+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
95424+ {
95425+ .procname = "chroot_deny_chroot",
95426+ .data = &grsec_enable_chroot_double,
95427+ .maxlen = sizeof(int),
95428+ .mode = 0600,
95429+ .proc_handler = &proc_dointvec_secure,
95430+ },
95431+#endif
95432+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
95433+ {
95434+ .procname = "chroot_deny_pivot",
95435+ .data = &grsec_enable_chroot_pivot,
95436+ .maxlen = sizeof(int),
95437+ .mode = 0600,
95438+ .proc_handler = &proc_dointvec_secure,
95439+ },
95440+#endif
95441+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
95442+ {
95443+ .procname = "chroot_enforce_chdir",
95444+ .data = &grsec_enable_chroot_chdir,
95445+ .maxlen = sizeof(int),
95446+ .mode = 0600,
95447+ .proc_handler = &proc_dointvec_secure,
95448+ },
95449+#endif
95450+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
95451+ {
95452+ .procname = "chroot_deny_chmod",
95453+ .data = &grsec_enable_chroot_chmod,
95454+ .maxlen = sizeof(int),
95455+ .mode = 0600,
95456+ .proc_handler = &proc_dointvec_secure,
95457+ },
95458+#endif
95459+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
95460+ {
95461+ .procname = "chroot_deny_mknod",
95462+ .data = &grsec_enable_chroot_mknod,
95463+ .maxlen = sizeof(int),
95464+ .mode = 0600,
95465+ .proc_handler = &proc_dointvec_secure,
95466+ },
95467+#endif
95468+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
95469+ {
95470+ .procname = "chroot_restrict_nice",
95471+ .data = &grsec_enable_chroot_nice,
95472+ .maxlen = sizeof(int),
95473+ .mode = 0600,
95474+ .proc_handler = &proc_dointvec_secure,
95475+ },
95476+#endif
95477+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
95478+ {
95479+ .procname = "chroot_execlog",
95480+ .data = &grsec_enable_chroot_execlog,
95481+ .maxlen = sizeof(int),
95482+ .mode = 0600,
95483+ .proc_handler = &proc_dointvec_secure,
95484+ },
95485+#endif
95486+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
95487+ {
95488+ .procname = "chroot_caps",
95489+ .data = &grsec_enable_chroot_caps,
95490+ .maxlen = sizeof(int),
95491+ .mode = 0600,
95492+ .proc_handler = &proc_dointvec_secure,
95493+ },
95494+#endif
95495+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
95496+ {
95497+ .procname = "chroot_deny_bad_rename",
95498+ .data = &grsec_enable_chroot_rename,
95499+ .maxlen = sizeof(int),
95500+ .mode = 0600,
95501+ .proc_handler = &proc_dointvec_secure,
95502+ },
95503+#endif
95504+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
95505+ {
95506+ .procname = "chroot_deny_sysctl",
95507+ .data = &grsec_enable_chroot_sysctl,
95508+ .maxlen = sizeof(int),
95509+ .mode = 0600,
95510+ .proc_handler = &proc_dointvec_secure,
95511+ },
95512+#endif
95513+#ifdef CONFIG_GRKERNSEC_TPE
95514+ {
95515+ .procname = "tpe",
95516+ .data = &grsec_enable_tpe,
95517+ .maxlen = sizeof(int),
95518+ .mode = 0600,
95519+ .proc_handler = &proc_dointvec_secure,
95520+ },
95521+ {
95522+ .procname = "tpe_gid",
95523+ .data = &grsec_tpe_gid,
95524+ .maxlen = sizeof(int),
95525+ .mode = 0600,
95526+ .proc_handler = &proc_dointvec_secure,
95527+ },
95528+#endif
95529+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
95530+ {
95531+ .procname = "tpe_invert",
95532+ .data = &grsec_enable_tpe_invert,
95533+ .maxlen = sizeof(int),
95534+ .mode = 0600,
95535+ .proc_handler = &proc_dointvec_secure,
95536+ },
95537+#endif
95538+#ifdef CONFIG_GRKERNSEC_TPE_ALL
95539+ {
95540+ .procname = "tpe_restrict_all",
95541+ .data = &grsec_enable_tpe_all,
95542+ .maxlen = sizeof(int),
95543+ .mode = 0600,
95544+ .proc_handler = &proc_dointvec_secure,
95545+ },
95546+#endif
95547+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
95548+ {
95549+ .procname = "socket_all",
95550+ .data = &grsec_enable_socket_all,
95551+ .maxlen = sizeof(int),
95552+ .mode = 0600,
95553+ .proc_handler = &proc_dointvec_secure,
95554+ },
95555+ {
95556+ .procname = "socket_all_gid",
95557+ .data = &grsec_socket_all_gid,
95558+ .maxlen = sizeof(int),
95559+ .mode = 0600,
95560+ .proc_handler = &proc_dointvec_secure,
95561+ },
95562+#endif
95563+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
95564+ {
95565+ .procname = "socket_client",
95566+ .data = &grsec_enable_socket_client,
95567+ .maxlen = sizeof(int),
95568+ .mode = 0600,
95569+ .proc_handler = &proc_dointvec_secure,
95570+ },
95571+ {
95572+ .procname = "socket_client_gid",
95573+ .data = &grsec_socket_client_gid,
95574+ .maxlen = sizeof(int),
95575+ .mode = 0600,
95576+ .proc_handler = &proc_dointvec_secure,
95577+ },
95578+#endif
95579+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
95580+ {
95581+ .procname = "socket_server",
95582+ .data = &grsec_enable_socket_server,
95583+ .maxlen = sizeof(int),
95584+ .mode = 0600,
95585+ .proc_handler = &proc_dointvec_secure,
95586+ },
95587+ {
95588+ .procname = "socket_server_gid",
95589+ .data = &grsec_socket_server_gid,
95590+ .maxlen = sizeof(int),
95591+ .mode = 0600,
95592+ .proc_handler = &proc_dointvec_secure,
95593+ },
95594+#endif
95595+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
95596+ {
95597+ .procname = "audit_group",
95598+ .data = &grsec_enable_group,
95599+ .maxlen = sizeof(int),
95600+ .mode = 0600,
95601+ .proc_handler = &proc_dointvec_secure,
95602+ },
95603+ {
95604+ .procname = "audit_gid",
95605+ .data = &grsec_audit_gid,
95606+ .maxlen = sizeof(int),
95607+ .mode = 0600,
95608+ .proc_handler = &proc_dointvec_secure,
95609+ },
95610+#endif
95611+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
95612+ {
95613+ .procname = "audit_chdir",
95614+ .data = &grsec_enable_chdir,
95615+ .maxlen = sizeof(int),
95616+ .mode = 0600,
95617+ .proc_handler = &proc_dointvec_secure,
95618+ },
95619+#endif
95620+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
95621+ {
95622+ .procname = "audit_mount",
95623+ .data = &grsec_enable_mount,
95624+ .maxlen = sizeof(int),
95625+ .mode = 0600,
95626+ .proc_handler = &proc_dointvec_secure,
95627+ },
95628+#endif
95629+#ifdef CONFIG_GRKERNSEC_DMESG
95630+ {
95631+ .procname = "dmesg",
95632+ .data = &grsec_enable_dmesg,
95633+ .maxlen = sizeof(int),
95634+ .mode = 0600,
95635+ .proc_handler = &proc_dointvec_secure,
95636+ },
95637+#endif
95638+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
95639+ {
95640+ .procname = "chroot_findtask",
95641+ .data = &grsec_enable_chroot_findtask,
95642+ .maxlen = sizeof(int),
95643+ .mode = 0600,
95644+ .proc_handler = &proc_dointvec_secure,
95645+ },
95646+#endif
95647+#ifdef CONFIG_GRKERNSEC_RESLOG
95648+ {
95649+ .procname = "resource_logging",
95650+ .data = &grsec_resource_logging,
95651+ .maxlen = sizeof(int),
95652+ .mode = 0600,
95653+ .proc_handler = &proc_dointvec_secure,
95654+ },
95655+#endif
95656+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
95657+ {
95658+ .procname = "audit_ptrace",
95659+ .data = &grsec_enable_audit_ptrace,
95660+ .maxlen = sizeof(int),
95661+ .mode = 0600,
95662+ .proc_handler = &proc_dointvec_secure,
95663+ },
95664+#endif
95665+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
95666+ {
95667+ .procname = "harden_ptrace",
95668+ .data = &grsec_enable_harden_ptrace,
95669+ .maxlen = sizeof(int),
95670+ .mode = 0600,
95671+ .proc_handler = &proc_dointvec_secure,
95672+ },
95673+#endif
95674+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
95675+ {
95676+ .procname = "harden_ipc",
95677+ .data = &grsec_enable_harden_ipc,
95678+ .maxlen = sizeof(int),
95679+ .mode = 0600,
95680+ .proc_handler = &proc_dointvec_secure,
95681+ },
95682+#endif
95683+ {
95684+ .procname = "grsec_lock",
95685+ .data = &grsec_lock,
95686+ .maxlen = sizeof(int),
95687+ .mode = 0600,
95688+ .proc_handler = &proc_dointvec_secure,
95689+ },
95690+#endif
95691+#ifdef CONFIG_GRKERNSEC_ROFS
95692+ {
95693+ .procname = "romount_protect",
95694+ .data = &grsec_enable_rofs,
95695+ .maxlen = sizeof(int),
95696+ .mode = 0600,
95697+ .proc_handler = &proc_dointvec_minmax_secure,
95698+ .extra1 = &one,
95699+ .extra2 = &one,
95700+ },
95701+#endif
95702+#if defined(CONFIG_GRKERNSEC_DENYUSB) && !defined(CONFIG_GRKERNSEC_DENYUSB_FORCE)
95703+ {
95704+ .procname = "deny_new_usb",
95705+ .data = &grsec_deny_new_usb,
95706+ .maxlen = sizeof(int),
95707+ .mode = 0600,
95708+ .proc_handler = &proc_dointvec_secure,
95709+ },
95710+#endif
95711+ { }
95712+};
95713+#endif
95714diff --git a/grsecurity/grsec_time.c b/grsecurity/grsec_time.c
95715new file mode 100644
95716index 0000000..61b514e
95717--- /dev/null
95718+++ b/grsecurity/grsec_time.c
95719@@ -0,0 +1,16 @@
95720+#include <linux/kernel.h>
95721+#include <linux/sched.h>
95722+#include <linux/grinternal.h>
95723+#include <linux/module.h>
95724+
95725+void
95726+gr_log_timechange(void)
95727+{
95728+#ifdef CONFIG_GRKERNSEC_TIME
95729+ if (grsec_enable_time)
95730+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
95731+#endif
95732+ return;
95733+}
95734+
95735+EXPORT_SYMBOL_GPL(gr_log_timechange);
95736diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
95737new file mode 100644
95738index 0000000..9786671
95739--- /dev/null
95740+++ b/grsecurity/grsec_tpe.c
95741@@ -0,0 +1,78 @@
95742+#include <linux/kernel.h>
95743+#include <linux/sched.h>
95744+#include <linux/file.h>
95745+#include <linux/fs.h>
95746+#include <linux/grinternal.h>
95747+
95748+extern int gr_acl_tpe_check(void);
95749+
95750+int
95751+gr_tpe_allow(const struct file *file)
95752+{
95753+#ifdef CONFIG_GRKERNSEC
95754+ struct inode *inode = d_backing_inode(file->f_path.dentry->d_parent);
95755+ struct inode *file_inode = d_backing_inode(file->f_path.dentry);
95756+ const struct cred *cred = current_cred();
95757+ char *msg = NULL;
95758+ char *msg2 = NULL;
95759+
95760+ // never restrict root
95761+ if (gr_is_global_root(cred->uid))
95762+ return 1;
95763+
95764+ if (grsec_enable_tpe) {
95765+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
95766+ if (grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid))
95767+ msg = "not being in trusted group";
95768+ else if (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid))
95769+ msg = "being in untrusted group";
95770+#else
95771+ if (in_group_p(grsec_tpe_gid))
95772+ msg = "being in untrusted group";
95773+#endif
95774+ }
95775+ if (!msg && gr_acl_tpe_check())
95776+ msg = "being in untrusted role";
95777+
95778+ // not in any affected group/role
95779+ if (!msg)
95780+ goto next_check;
95781+
95782+ if (gr_is_global_nonroot(inode->i_uid))
95783+ msg2 = "file in non-root-owned directory";
95784+ else if (inode->i_mode & S_IWOTH)
95785+ msg2 = "file in world-writable directory";
95786+ else if (inode->i_mode & S_IWGRP)
95787+ msg2 = "file in group-writable directory";
95788+ else if (file_inode->i_mode & S_IWOTH)
95789+ msg2 = "file is world-writable";
95790+
95791+ if (msg && msg2) {
95792+ char fullmsg[70] = {0};
95793+ snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
95794+ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
95795+ return 0;
95796+ }
95797+ msg = NULL;
95798+next_check:
95799+#ifdef CONFIG_GRKERNSEC_TPE_ALL
95800+ if (!grsec_enable_tpe || !grsec_enable_tpe_all)
95801+ return 1;
95802+
95803+ if (gr_is_global_nonroot(inode->i_uid) && !uid_eq(inode->i_uid, cred->uid))
95804+ msg = "directory not owned by user";
95805+ else if (inode->i_mode & S_IWOTH)
95806+ msg = "file in world-writable directory";
95807+ else if (inode->i_mode & S_IWGRP)
95808+ msg = "file in group-writable directory";
95809+ else if (file_inode->i_mode & S_IWOTH)
95810+ msg = "file is world-writable";
95811+
95812+ if (msg) {
95813+ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
95814+ return 0;
95815+ }
95816+#endif
95817+#endif
95818+ return 1;
95819+}
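Review bot: `gr_tpe_allow()` reads `file->f_path.dentry->d_parent` directly at the top of the function and then bases every directory ownership and mode check on that inode, with nothing in the hunk pinning the parent dentry. Unless the caller holds a lock that prevents a concurrent rename (not visible here), the directory that is checked may not be the one the file sits in by the time the decision is returned. Taking a reference with `struct dentry *parent = dget_parent(file->f_path.dentry);` and calling `dput(parent);` on each return path would make the check operate on a stable parent. Separately, `extern int gr_acl_tpe_check(void);` is declared in the .c file; moving it to a shared header would let the compiler catch a prototype mismatch.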
95820diff --git a/grsecurity/grsec_usb.c b/grsecurity/grsec_usb.c
95821new file mode 100644
95822index 0000000..ae02d8e
95823--- /dev/null
95824+++ b/grsecurity/grsec_usb.c
95825@@ -0,0 +1,15 @@
95826+#include <linux/kernel.h>
95827+#include <linux/grinternal.h>
95828+#include <linux/module.h>
95829+
95830+int gr_handle_new_usb(void)
95831+{
95832+#ifdef CONFIG_GRKERNSEC_DENYUSB
95833+ if (grsec_deny_new_usb) {
95834+ printk(KERN_ALERT "grsec: denied insert of new USB device\n");
95835+ return 1;
95836+ }
95837+#endif
95838+ return 0;
95839+}
95840+EXPORT_SYMBOL_GPL(gr_handle_new_usb);
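Review bot: The `printk(KERN_ALERT ...)` in `gr_handle_new_usb()` is emitted on every denied insertion with no rate limit, so a device that repeatedly re-enumerates can flood the kernel log at alert priority and push other security events out of the ring buffer. Using `printk_ratelimited(KERN_ALERT "grsec: denied insert of new USB device\n");` keeps the alert while bounding the volume. Because the function takes no arguments, the message cannot identify the device or port; a comment saying that callers are expected to log device identity themselves, if they do, would help whoever triages these alerts.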
95841diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
95842new file mode 100644
95843index 0000000..158b330
95844--- /dev/null
95845+++ b/grsecurity/grsum.c
95846@@ -0,0 +1,64 @@
95847+#include <linux/err.h>
95848+#include <linux/kernel.h>
95849+#include <linux/sched.h>
95850+#include <linux/mm.h>
95851+#include <linux/scatterlist.h>
95852+#include <linux/crypto.h>
95853+#include <linux/gracl.h>
95854+
95855+
95856+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
95857+#error "crypto and sha256 must be built into the kernel"
95858+#endif
95859+
95860+int
95861+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
95862+{
95863+ struct crypto_hash *tfm;
95864+ struct hash_desc desc;
95865+ struct scatterlist sg[2];
95866+ unsigned char temp_sum[GR_SHA_LEN] __attribute__((aligned(__alignof__(unsigned long))));
95867+ unsigned long *tmpsumptr = (unsigned long *)temp_sum;
95868+ unsigned long *sumptr = (unsigned long *)sum;
95869+ int cryptres;
95870+ int retval = 1;
95871+ volatile int mismatched = 0;
95872+ volatile int dummy = 0;
95873+ unsigned int i;
95874+
95875+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
95876+ if (IS_ERR(tfm)) {
95877+ /* should never happen, since sha256 should be built in */
95878+ memset(entry->pw, 0, GR_PW_LEN);
95879+ return 1;
95880+ }
95881+
95882+ sg_init_table(sg, 2);
95883+ sg_set_buf(&sg[0], salt, GR_SALT_LEN);
95884+ sg_set_buf(&sg[1], entry->pw, strlen(entry->pw));
95885+
95886+ desc.tfm = tfm;
95887+ desc.flags = 0;
95888+
95889+ cryptres = crypto_hash_digest(&desc, sg, GR_SALT_LEN + strlen(entry->pw),
95890+ temp_sum);
95891+
95892+ memset(entry->pw, 0, GR_PW_LEN);
95893+
95894+ if (cryptres)
95895+ goto out;
95896+
95897+ for (i = 0; i < GR_SHA_LEN/sizeof(tmpsumptr[0]); i++)
95898+ if (sumptr[i] != tmpsumptr[i])
95899+ mismatched = 1;
95900+ else
95901+ dummy = 1; // waste a cycle
95902+
95903+ if (!mismatched)
95904+ retval = dummy - 1;
95905+
95906+out:
95907+ crypto_free_hash(tfm);
95908+
95909+ return retval;
95910+}
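Review bot: The hash comparison loop at the end of `chkpw()` tries to be constant-time with `volatile` flags and an `if`/`else` on each word, but the branch still depends on secret data, and it casts the caller's `sum` to `unsigned long *` although only `temp_sum` is explicitly aligned. The kernel's helper removes both concerns: include `<crypto/algapi.h>` and replace the loop and the `dummy` arithmetic with `retval = crypto_memneq(sum, temp_sum, GR_SHA_LEN) ? 1 : 0;`. `temp_sum` is also left on the stack on return; `memzero_explicit(temp_sum, sizeof(temp_sum));` before `crypto_free_hash(tfm)` would clear it the same way `entry->pw` is cleared. Both `strlen(entry->pw)` calls assume the caller has NUL-terminated `pw` within `GR_PW_LEN`, which cannot be confirmed from this hunk.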
95911diff --git a/include/asm-generic/4level-fixup.h b/include/asm-generic/4level-fixup.h
95912index 5bdab6b..9ae82fe 100644
95913--- a/include/asm-generic/4level-fixup.h
95914+++ b/include/asm-generic/4level-fixup.h
95915@@ -14,8 +14,10 @@
95916 #define pmd_alloc(mm, pud, address) \
95917 ((unlikely(pgd_none(*(pud))) && __pmd_alloc(mm, pud, address))? \
95918 NULL: pmd_offset(pud, address))
95919+#define pmd_alloc_kernel(mm, pud, address) pmd_alloc((mm), (pud), (address))
95920
95921 #define pud_alloc(mm, pgd, address) (pgd)
95922+#define pud_alloc_kernel(mm, pgd, address) pud_alloc((mm), (pgd), (address))
95923 #define pud_offset(pgd, start) (pgd)
95924 #define pud_none(pud) 0
95925 #define pud_bad(pud) 0
95926diff --git a/include/asm-generic/atomic-long.h b/include/asm-generic/atomic-long.h
95927index b7babf0..1e4b4f1 100644
95928--- a/include/asm-generic/atomic-long.h
95929+++ b/include/asm-generic/atomic-long.h
95930@@ -22,6 +22,12 @@
95931
95932 typedef atomic64_t atomic_long_t;
95933
95934+#ifdef CONFIG_PAX_REFCOUNT
95935+typedef atomic64_unchecked_t atomic_long_unchecked_t;
95936+#else
95937+typedef atomic64_t atomic_long_unchecked_t;
95938+#endif
95939+
95940 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
95941
95942 static inline long atomic_long_read(atomic_long_t *l)
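Review bot: The new `atomic_long_unchecked_t` typedef has no comment saying when it is acceptable to use, although choosing it opts a counter out of the overflow protection that `CONFIG_PAX_REFCOUNT` provides for `atomic_long_t`. I would add a short comment above the `#ifdef`, for example `/* _unchecked: only for counters that may legitimately wrap (statistics, sequence numbers); never for reference counts */`. The same comment applies to the 32-bit typedef in the later hunk at `@@ -140,6 +218,12 @@`. Without it, a later conversion of a real reference count to the unchecked type would look routine in review.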
95943@@ -31,6 +37,15 @@ static inline long atomic_long_read(atomic_long_t *l)
95944 return (long)atomic64_read(v);
95945 }
95946
95947+#ifdef CONFIG_PAX_REFCOUNT
95948+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
95949+{
95950+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95951+
95952+ return (long)atomic64_read_unchecked(v);
95953+}
95954+#endif
95955+
95956 static inline void atomic_long_set(atomic_long_t *l, long i)
95957 {
95958 atomic64_t *v = (atomic64_t *)l;
95959@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomic_long_t *l, long i)
95960 atomic64_set(v, i);
95961 }
95962
95963+#ifdef CONFIG_PAX_REFCOUNT
95964+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
95965+{
95966+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95967+
95968+ atomic64_set_unchecked(v, i);
95969+}
95970+#endif
95971+
95972 static inline void atomic_long_inc(atomic_long_t *l)
95973 {
95974 atomic64_t *v = (atomic64_t *)l;
95975@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomic_long_t *l)
95976 atomic64_inc(v);
95977 }
95978
95979+#ifdef CONFIG_PAX_REFCOUNT
95980+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
95981+{
95982+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95983+
95984+ atomic64_inc_unchecked(v);
95985+}
95986+#endif
95987+
95988 static inline void atomic_long_dec(atomic_long_t *l)
95989 {
95990 atomic64_t *v = (atomic64_t *)l;
95991@@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomic_long_t *l)
95992 atomic64_dec(v);
95993 }
95994
95995+#ifdef CONFIG_PAX_REFCOUNT
95996+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
95997+{
95998+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95999+
96000+ atomic64_dec_unchecked(v);
96001+}
96002+#endif
96003+
96004 static inline void atomic_long_add(long i, atomic_long_t *l)
96005 {
96006 atomic64_t *v = (atomic64_t *)l;
96007@@ -59,6 +101,15 @@ static inline void atomic_long_add(long i, atomic_long_t *l)
96008 atomic64_add(i, v);
96009 }
96010
96011+#ifdef CONFIG_PAX_REFCOUNT
96012+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
96013+{
96014+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
96015+
96016+ atomic64_add_unchecked(i, v);
96017+}
96018+#endif
96019+
96020 static inline void atomic_long_sub(long i, atomic_long_t *l)
96021 {
96022 atomic64_t *v = (atomic64_t *)l;
96023@@ -66,6 +117,15 @@ static inline void atomic_long_sub(long i, atomic_long_t *l)
96024 atomic64_sub(i, v);
96025 }
96026
96027+#ifdef CONFIG_PAX_REFCOUNT
96028+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
96029+{
96030+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
96031+
96032+ atomic64_sub_unchecked(i, v);
96033+}
96034+#endif
96035+
96036 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
96037 {
96038 atomic64_t *v = (atomic64_t *)l;
96039@@ -94,13 +154,22 @@ static inline int atomic_long_add_negative(long i, atomic_long_t *l)
96040 return atomic64_add_negative(i, v);
96041 }
96042
96043-static inline long atomic_long_add_return(long i, atomic_long_t *l)
96044+static inline long __intentional_overflow(-1) atomic_long_add_return(long i, atomic_long_t *l)
96045 {
96046 atomic64_t *v = (atomic64_t *)l;
96047
96048 return (long)atomic64_add_return(i, v);
96049 }
96050
96051+#ifdef CONFIG_PAX_REFCOUNT
96052+static inline long atomic_long_add_return_unchecked(long i, atomic_long_unchecked_t *l)
96053+{
96054+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
96055+
96056+ return (long)atomic64_add_return_unchecked(i, v);
96057+}
96058+#endif
96059+
96060 static inline long atomic_long_sub_return(long i, atomic_long_t *l)
96061 {
96062 atomic64_t *v = (atomic64_t *)l;
96063@@ -115,6 +184,15 @@ static inline long atomic_long_inc_return(atomic_long_t *l)
96064 return (long)atomic64_inc_return(v);
96065 }
96066
96067+#ifdef CONFIG_PAX_REFCOUNT
96068+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
96069+{
96070+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
96071+
96072+ return (long)atomic64_inc_return_unchecked(v);
96073+}
96074+#endif
96075+
96076 static inline long atomic_long_dec_return(atomic_long_t *l)
96077 {
96078 atomic64_t *v = (atomic64_t *)l;
96079@@ -140,6 +218,12 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
96080
96081 typedef atomic_t atomic_long_t;
96082
96083+#ifdef CONFIG_PAX_REFCOUNT
96084+typedef atomic_unchecked_t atomic_long_unchecked_t;
96085+#else
96086+typedef atomic_t atomic_long_unchecked_t;
96087+#endif
96088+
96089 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
96090 static inline long atomic_long_read(atomic_long_t *l)
96091 {
96092@@ -148,6 +232,15 @@ static inline long atomic_long_read(atomic_long_t *l)
96093 return (long)atomic_read(v);
96094 }
96095
96096+#ifdef CONFIG_PAX_REFCOUNT
96097+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
96098+{
96099+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96100+
96101+ return (long)atomic_read_unchecked(v);
96102+}
96103+#endif
96104+
96105 static inline void atomic_long_set(atomic_long_t *l, long i)
96106 {
96107 atomic_t *v = (atomic_t *)l;
96108@@ -155,6 +248,15 @@ static inline void atomic_long_set(atomic_long_t *l, long i)
96109 atomic_set(v, i);
96110 }
96111
96112+#ifdef CONFIG_PAX_REFCOUNT
96113+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
96114+{
96115+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96116+
96117+ atomic_set_unchecked(v, i);
96118+}
96119+#endif
96120+
96121 static inline void atomic_long_inc(atomic_long_t *l)
96122 {
96123 atomic_t *v = (atomic_t *)l;
96124@@ -162,6 +264,15 @@ static inline void atomic_long_inc(atomic_long_t *l)
96125 atomic_inc(v);
96126 }
96127
96128+#ifdef CONFIG_PAX_REFCOUNT
96129+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
96130+{
96131+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96132+
96133+ atomic_inc_unchecked(v);
96134+}
96135+#endif
96136+
96137 static inline void atomic_long_dec(atomic_long_t *l)
96138 {
96139 atomic_t *v = (atomic_t *)l;
96140@@ -169,6 +280,15 @@ static inline void atomic_long_dec(atomic_long_t *l)
96141 atomic_dec(v);
96142 }
96143
96144+#ifdef CONFIG_PAX_REFCOUNT
96145+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
96146+{
96147+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96148+
96149+ atomic_dec_unchecked(v);
96150+}
96151+#endif
96152+
96153 static inline void atomic_long_add(long i, atomic_long_t *l)
96154 {
96155 atomic_t *v = (atomic_t *)l;
96156@@ -176,6 +296,15 @@ static inline void atomic_long_add(long i, atomic_long_t *l)
96157 atomic_add(i, v);
96158 }
96159
96160+#ifdef CONFIG_PAX_REFCOUNT
96161+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
96162+{
96163+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96164+
96165+ atomic_add_unchecked(i, v);
96166+}
96167+#endif
96168+
96169 static inline void atomic_long_sub(long i, atomic_long_t *l)
96170 {
96171 atomic_t *v = (atomic_t *)l;
96172@@ -183,6 +312,15 @@ static inline void atomic_long_sub(long i, atomic_long_t *l)
96173 atomic_sub(i, v);
96174 }
96175
96176+#ifdef CONFIG_PAX_REFCOUNT
96177+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
96178+{
96179+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96180+
96181+ atomic_sub_unchecked(i, v);
96182+}
96183+#endif
96184+
96185 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
96186 {
96187 atomic_t *v = (atomic_t *)l;
96188@@ -211,13 +349,23 @@ static inline int atomic_long_add_negative(long i, atomic_long_t *l)
96189 return atomic_add_negative(i, v);
96190 }
96191
96192-static inline long atomic_long_add_return(long i, atomic_long_t *l)
96193+static inline long __intentional_overflow(-1) atomic_long_add_return(long i, atomic_long_t *l)
96194 {
96195 atomic_t *v = (atomic_t *)l;
96196
96197 return (long)atomic_add_return(i, v);
96198 }
96199
96200+#ifdef CONFIG_PAX_REFCOUNT
96201+static inline long atomic_long_add_return_unchecked(long i, atomic_long_unchecked_t *l)
96202+{
96203+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96204+
96205+ return (long)atomic_add_return_unchecked(i, v);
96206+}
96207+
96208+#endif
96209+
96210 static inline long atomic_long_sub_return(long i, atomic_long_t *l)
96211 {
96212 atomic_t *v = (atomic_t *)l;
96213@@ -232,6 +380,15 @@ static inline long atomic_long_inc_return(atomic_long_t *l)
96214 return (long)atomic_inc_return(v);
96215 }
96216
96217+#ifdef CONFIG_PAX_REFCOUNT
96218+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
96219+{
96220+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96221+
96222+ return (long)atomic_inc_return_unchecked(v);
96223+}
96224+#endif
96225+
96226 static inline long atomic_long_dec_return(atomic_long_t *l)
96227 {
96228 atomic_t *v = (atomic_t *)l;
96229@@ -255,4 +412,57 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
96230
96231 #endif /* BITS_PER_LONG == 64 */
96232
96233+#ifdef CONFIG_PAX_REFCOUNT
96234+static inline void pax_refcount_needs_these_functions(void)
96235+{
96236+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
96237+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
96238+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
96239+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
96240+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
96241+ (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
96242+ atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
96243+ atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
96244+ atomic_dec_unchecked((atomic_unchecked_t *)NULL);
96245+ atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
96246+ (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
96247+#ifdef CONFIG_X86
96248+ atomic_clear_mask_unchecked(0, NULL);
96249+ atomic_set_mask_unchecked(0, NULL);
96250+#endif
96251+
96252+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
96253+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
96254+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
96255+ atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
96256+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
96257+ atomic_long_add_return_unchecked(0, (atomic_long_unchecked_t *)NULL);
96258+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
96259+ atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
96260+}
96261+#else
96262+#define atomic_read_unchecked(v) atomic_read(v)
96263+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
96264+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
96265+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
96266+#define atomic_inc_unchecked(v) atomic_inc(v)
96267+#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
96268+#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
96269+#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
96270+#define atomic_dec_unchecked(v) atomic_dec(v)
96271+#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
96272+#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
96273+#define atomic_clear_mask_unchecked(mask, v) atomic_clear_mask((mask), (v))
96274+#define atomic_set_mask_unchecked(mask, v) atomic_set_mask((mask), (v))
96275+
96276+#define atomic_long_read_unchecked(v) atomic_long_read(v)
96277+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
96278+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
96279+#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
96280+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
96281+#define atomic_long_add_return_unchecked(i, v) atomic_long_add_return((i), (v))
96282+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
96283+#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
96284+#endif
96285+
96286 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
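Review bot: `pax_refcount_needs_these_functions()` has no comment, and it passes `NULL` to every `_unchecked` accessor, so it reads like code that would fault if it were ever called. It looks like a build-time check that fails compilation when an architecture enabling `CONFIG_PAX_REFCOUNT` lacks one of these variants; if that is the intent, say so, e.g. `/* never called: references every *_unchecked op so a missing arch implementation breaks the build */`. The `#else` branch maps `atomic_clear_mask_unchecked` and `atomic_set_mask_unchecked` unconditionally, while the checked branch references them only under `CONFIG_X86`; a note on why the two lists differ would help.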
96287diff --git a/include/asm-generic/atomic64.h b/include/asm-generic/atomic64.h
96288index 30ad9c8..c70c170 100644
96289--- a/include/asm-generic/atomic64.h
96290+++ b/include/asm-generic/atomic64.h
96291@@ -16,6 +16,8 @@ typedef struct {
96292 long long counter;
96293 } atomic64_t;
96294
96295+typedef atomic64_t atomic64_unchecked_t;
96296+
96297 #define ATOMIC64_INIT(i) { (i) }
96298
96299 extern long long atomic64_read(const atomic64_t *v);
96300@@ -51,4 +53,14 @@ extern int atomic64_add_unless(atomic64_t *v, long long a, long long u);
96301 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
96302 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
96303
96304+#define atomic64_read_unchecked(v) atomic64_read(v)
96305+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
96306+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
96307+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
96308+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
96309+#define atomic64_inc_unchecked(v) atomic64_inc(v)
96310+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
96311+#define atomic64_dec_unchecked(v) atomic64_dec(v)
96312+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
96313+
96314 #endif /* _ASM_GENERIC_ATOMIC64_H */
96315diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h
96316index 55e3abc..104e2a1 100644
96317--- a/include/asm-generic/barrier.h
96318+++ b/include/asm-generic/barrier.h
96319@@ -108,7 +108,7 @@
96320 do { \
96321 compiletime_assert_atomic_type(*p); \
96322 smp_mb(); \
96323- ACCESS_ONCE(*p) = (v); \
96324+ ACCESS_ONCE_RW(*p) = (v); \
96325 } while (0)
96326
96327 #define smp_load_acquire(p) \
96328diff --git a/include/asm-generic/bitops/__fls.h b/include/asm-generic/bitops/__fls.h
96329index a60a7cc..0fe12f2 100644
96330--- a/include/asm-generic/bitops/__fls.h
96331+++ b/include/asm-generic/bitops/__fls.h
96332@@ -9,7 +9,7 @@
96333 *
96334 * Undefined if no set bit exists, so code should check against 0 first.
96335 */
96336-static __always_inline unsigned long __fls(unsigned long word)
96337+static __always_inline unsigned long __intentional_overflow(-1) __fls(unsigned long word)
96338 {
96339 int num = BITS_PER_LONG - 1;
96340
96341diff --git a/include/asm-generic/bitops/fls.h b/include/asm-generic/bitops/fls.h
96342index 0576d1f..dad6c71 100644
96343--- a/include/asm-generic/bitops/fls.h
96344+++ b/include/asm-generic/bitops/fls.h
96345@@ -9,7 +9,7 @@
96346 * Note fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32.
96347 */
96348
96349-static __always_inline int fls(int x)
96350+static __always_inline int __intentional_overflow(-1) fls(int x)
96351 {
96352 int r = 32;
96353
96354diff --git a/include/asm-generic/bitops/fls64.h b/include/asm-generic/bitops/fls64.h
96355index b097cf8..3d40e14 100644
96356--- a/include/asm-generic/bitops/fls64.h
96357+++ b/include/asm-generic/bitops/fls64.h
96358@@ -15,7 +15,7 @@
96359 * at position 64.
96360 */
96361 #if BITS_PER_LONG == 32
96362-static __always_inline int fls64(__u64 x)
96363+static __always_inline int __intentional_overflow(-1) fls64(__u64 x)
96364 {
96365 __u32 h = x >> 32;
96366 if (h)
96367@@ -23,7 +23,7 @@ static __always_inline int fls64(__u64 x)
96368 return fls(x);
96369 }
96370 #elif BITS_PER_LONG == 64
96371-static __always_inline int fls64(__u64 x)
96372+static __always_inline int __intentional_overflow(-1) fls64(__u64 x)
96373 {
96374 if (x == 0)
96375 return 0;
96376diff --git a/include/asm-generic/bug.h b/include/asm-generic/bug.h
96377index 630dd23..8c1dcb6b 100644
96378--- a/include/asm-generic/bug.h
96379+++ b/include/asm-generic/bug.h
96380@@ -62,13 +62,13 @@ struct bug_entry {
96381 * to provide better diagnostics.
96382 */
96383 #ifndef __WARN_TAINT
96384-extern __printf(3, 4)
96385+extern __printf(3, 4) __nocapture(1, 3, 4)
96386 void warn_slowpath_fmt(const char *file, const int line,
96387 const char *fmt, ...);
96388-extern __printf(4, 5)
96389+extern __printf(4, 5) __nocapture(1, 4, 5)
96390 void warn_slowpath_fmt_taint(const char *file, const int line, unsigned taint,
96391 const char *fmt, ...);
96392-extern void warn_slowpath_null(const char *file, const int line);
96393+extern __nocapture(1) void warn_slowpath_null(const char *file, const int line);
96394 #define WANT_WARN_ON_SLOWPATH
96395 #define __WARN() warn_slowpath_null(__FILE__, __LINE__)
96396 #define __WARN_printf(arg...) warn_slowpath_fmt(__FILE__, __LINE__, arg)
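Review bot: The explicit `__nocapture(1, 3, 4)` and `__nocapture(1, 4, 5)` lists repeat the format arguments that `__printf()` already marks. The include/linux/compiler-gcc.h hunk in this same patch makes `__printf(a, b)` expand to `... __nocapture(a, b)`. Only the `file` parameter needs naming here, so the two declarations could read `extern __printf(3, 4) __nocapture(1)` and `extern __printf(4, 5) __nocapture(1)`. Whether the plugin tolerates a parameter listed twice cannot be seen from this page, so trimming the duplicates is the safer spelling.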
96397diff --git a/include/asm-generic/cache.h b/include/asm-generic/cache.h
96398index 1bfcfe5..e04c5c9 100644
96399--- a/include/asm-generic/cache.h
96400+++ b/include/asm-generic/cache.h
96401@@ -6,7 +6,7 @@
96402 * cache lines need to provide their own cache.h.
96403 */
96404
96405-#define L1_CACHE_SHIFT 5
96406-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
96407+#define L1_CACHE_SHIFT 5UL
96408+#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
96409
96410 #endif /* __ASM_GENERIC_CACHE_H */
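Review bot: The `5UL` and `1UL` literals make `L1_CACHE_SHIFT` and `L1_CACHE_BYTES` unusable from assembly or linker-script sources, because the assembler does not accept a `UL` suffix. The pgtable-nopmd.h and pgtable-nopud.h hunks in this same patch avoid that by writing `_AC(1,UL)`. If this header is reachable from any `.S` file or linker script (not visible here), the same form is needed: `#define L1_CACHE_SHIFT _AC(5,UL)` and `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`. A one-line comment saying why the constants are widened to `unsigned long` would also help the next reader.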
96411diff --git a/include/asm-generic/emergency-restart.h b/include/asm-generic/emergency-restart.h
96412index 0d68a1e..b74a761 100644
96413--- a/include/asm-generic/emergency-restart.h
96414+++ b/include/asm-generic/emergency-restart.h
96415@@ -1,7 +1,7 @@
96416 #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
96417 #define _ASM_GENERIC_EMERGENCY_RESTART_H
96418
96419-static inline void machine_emergency_restart(void)
96420+static inline __noreturn void machine_emergency_restart(void)
96421 {
96422 machine_restart(NULL);
96423 }
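Review bot: `machine_emergency_restart()` is now declared `__noreturn`, but its body is only a call to `machine_restart(NULL)`, whose declaration is outside this hunk. If `machine_restart()` is not itself declared `__noreturn` for every architecture that uses this generic header, the compiler will warn that a noreturn function returns, and actually returning from it is undefined behaviour. Either confirm that declaration carries the attribute, or end the body with a statement that cannot fall through, such as `for (;;) ;`.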
96424diff --git a/include/asm-generic/kmap_types.h b/include/asm-generic/kmap_types.h
96425index 90f99c7..00ce236 100644
96426--- a/include/asm-generic/kmap_types.h
96427+++ b/include/asm-generic/kmap_types.h
96428@@ -2,9 +2,9 @@
96429 #define _ASM_GENERIC_KMAP_TYPES_H
96430
96431 #ifdef __WITH_KM_FENCE
96432-# define KM_TYPE_NR 41
96433+# define KM_TYPE_NR 42
96434 #else
96435-# define KM_TYPE_NR 20
96436+# define KM_TYPE_NR 21
96437 #endif
96438
96439 #endif
96440diff --git a/include/asm-generic/local.h b/include/asm-generic/local.h
96441index 9ceb03b..62b0b8f 100644
96442--- a/include/asm-generic/local.h
96443+++ b/include/asm-generic/local.h
96444@@ -23,24 +23,37 @@ typedef struct
96445 atomic_long_t a;
96446 } local_t;
96447
96448+typedef struct {
96449+ atomic_long_unchecked_t a;
96450+} local_unchecked_t;
96451+
96452 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
96453
96454 #define local_read(l) atomic_long_read(&(l)->a)
96455+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
96456 #define local_set(l,i) atomic_long_set((&(l)->a),(i))
96457+#define local_set_unchecked(l,i) atomic_long_set_unchecked((&(l)->a),(i))
96458 #define local_inc(l) atomic_long_inc(&(l)->a)
96459+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
96460 #define local_dec(l) atomic_long_dec(&(l)->a)
96461+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
96462 #define local_add(i,l) atomic_long_add((i),(&(l)->a))
96463+#define local_add_unchecked(i,l) atomic_long_add_unchecked((i),(&(l)->a))
96464 #define local_sub(i,l) atomic_long_sub((i),(&(l)->a))
96465+#define local_sub_unchecked(i,l) atomic_long_sub_unchecked((i),(&(l)->a))
96466
96467 #define local_sub_and_test(i, l) atomic_long_sub_and_test((i), (&(l)->a))
96468 #define local_dec_and_test(l) atomic_long_dec_and_test(&(l)->a)
96469 #define local_inc_and_test(l) atomic_long_inc_and_test(&(l)->a)
96470 #define local_add_negative(i, l) atomic_long_add_negative((i), (&(l)->a))
96471 #define local_add_return(i, l) atomic_long_add_return((i), (&(l)->a))
96472+#define local_add_return_unchecked(i, l) atomic_long_add_return_unchecked((i), (&(l)->a))
96473 #define local_sub_return(i, l) atomic_long_sub_return((i), (&(l)->a))
96474 #define local_inc_return(l) atomic_long_inc_return(&(l)->a)
96475+#define local_dec_return(l) atomic_long_dec_return(&(l)->a)
96476
96477 #define local_cmpxchg(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
96478+#define local_cmpxchg_unchecked(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
96479 #define local_xchg(l, n) atomic_long_xchg((&(l)->a), (n))
96480 #define local_add_unless(l, _a, u) atomic_long_add_unless((&(l)->a), (_a), (u))
96481 #define local_inc_not_zero(l) atomic_long_inc_not_zero(&(l)->a)
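Review bot: `local_cmpxchg_unchecked()` expands to plain `atomic_long_cmpxchg()`, while every other `_unchecked` macro added in this hunk forwards to an `atomic_long_*_unchecked()` counterpart. Its argument is `&(l)->a` of a `local_unchecked_t`, i.e. an `atomic_long_unchecked_t *`, so it relies on `atomic_long_cmpxchg()` accepting that pointer type, which this page does not show. If the mapping is deliberate because a compare-and-exchange does no arithmetic, say so next to the macro, e.g. `/* cmpxchg cannot overflow, so the checked primitive is reused */`. Otherwise forward to an `_unchecked` cmpxchg if one exists.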
96482diff --git a/include/asm-generic/pgtable-nopmd.h b/include/asm-generic/pgtable-nopmd.h
96483index 725612b..9cc513a 100644
96484--- a/include/asm-generic/pgtable-nopmd.h
96485+++ b/include/asm-generic/pgtable-nopmd.h
96486@@ -1,14 +1,19 @@
96487 #ifndef _PGTABLE_NOPMD_H
96488 #define _PGTABLE_NOPMD_H
96489
96490-#ifndef __ASSEMBLY__
96491-
96492 #include <asm-generic/pgtable-nopud.h>
96493
96494-struct mm_struct;
96495-
96496 #define __PAGETABLE_PMD_FOLDED
96497
96498+#define PMD_SHIFT PUD_SHIFT
96499+#define PTRS_PER_PMD 1
96500+#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
96501+#define PMD_MASK (~(PMD_SIZE-1))
96502+
96503+#ifndef __ASSEMBLY__
96504+
96505+struct mm_struct;
96506+
96507 /*
96508 * Having the pmd type consist of a pud gets the size right, and allows
96509 * us to conceptually access the pud entry that this pmd is folded into
96510@@ -16,11 +21,6 @@ struct mm_struct;
96511 */
96512 typedef struct { pud_t pud; } pmd_t;
96513
96514-#define PMD_SHIFT PUD_SHIFT
96515-#define PTRS_PER_PMD 1
96516-#define PMD_SIZE (1UL << PMD_SHIFT)
96517-#define PMD_MASK (~(PMD_SIZE-1))
96518-
96519 /*
96520 * The "pud_xxx()" functions here are trivial for a folded two-level
96521 * setup: the pmd is never bad, and a pmd always exists (as it's folded
96522diff --git a/include/asm-generic/pgtable-nopud.h b/include/asm-generic/pgtable-nopud.h
96523index 810431d..0ec4804f 100644
96524--- a/include/asm-generic/pgtable-nopud.h
96525+++ b/include/asm-generic/pgtable-nopud.h
96526@@ -1,10 +1,15 @@
96527 #ifndef _PGTABLE_NOPUD_H
96528 #define _PGTABLE_NOPUD_H
96529
96530-#ifndef __ASSEMBLY__
96531-
96532 #define __PAGETABLE_PUD_FOLDED
96533
96534+#define PUD_SHIFT PGDIR_SHIFT
96535+#define PTRS_PER_PUD 1
96536+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
96537+#define PUD_MASK (~(PUD_SIZE-1))
96538+
96539+#ifndef __ASSEMBLY__
96540+
96541 /*
96542 * Having the pud type consist of a pgd gets the size right, and allows
96543 * us to conceptually access the pgd entry that this pud is folded into
96544@@ -12,11 +17,6 @@
96545 */
96546 typedef struct { pgd_t pgd; } pud_t;
96547
96548-#define PUD_SHIFT PGDIR_SHIFT
96549-#define PTRS_PER_PUD 1
96550-#define PUD_SIZE (1UL << PUD_SHIFT)
96551-#define PUD_MASK (~(PUD_SIZE-1))
96552-
96553 /*
96554 * The "pgd_xxx()" functions here are trivial for a folded two-level
96555 * setup: the pud is never bad, and a pud always exists (as it's folded
96556@@ -29,6 +29,7 @@ static inline void pgd_clear(pgd_t *pgd) { }
96557 #define pud_ERROR(pud) (pgd_ERROR((pud).pgd))
96558
96559 #define pgd_populate(mm, pgd, pud) do { } while (0)
96560+#define pgd_populate_kernel(mm, pgd, pud) do { } while (0)
96561 /*
96562 * (puds are folded into pgds so this doesn't get actually called,
96563 * but the define is needed for a generic inline function.)
96564diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
96565index 29c57b2..da571a2 100644
96566--- a/include/asm-generic/pgtable.h
96567+++ b/include/asm-generic/pgtable.h
96568@@ -715,6 +715,22 @@ static inline int pmd_protnone(pmd_t pmd)
96569 }
96570 #endif /* CONFIG_NUMA_BALANCING */
96571
96572+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
96573+#ifdef CONFIG_PAX_KERNEXEC
96574+#error KERNEXEC requires pax_open_kernel
96575+#else
96576+static inline unsigned long pax_open_kernel(void) { return 0; }
96577+#endif
96578+#endif
96579+
96580+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
96581+#ifdef CONFIG_PAX_KERNEXEC
96582+#error KERNEXEC requires pax_close_kernel
96583+#else
96584+static inline unsigned long pax_close_kernel(void) { return 0; }
96585+#endif
96586+#endif
96587+
96588 #endif /* CONFIG_MMU */
96589
96590 #ifdef CONFIG_HAVE_ARCH_HUGE_VMAP
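Review bot: The fallback `pax_open_kernel()` and `pax_close_kernel()` stubs are inserted above `#endif /* CONFIG_MMU */`, so this header only provides them on MMU builds. Generic code that calls them on a !CONFIG_MMU configuration would get no definition from here unless the architecture defines `__HAVE_ARCH_PAX_OPEN_KERNEL` itself. Moving the two blocks below the `#endif` would make the fallback unconditional. The stubs also return `unsigned long` 0 with no comment on what the value means or that the calls are presumably meant to be paired. A short comment such as `/* no-op without KERNEXEC; return value is arch-defined */` would help, and the same applies to the `pax_open_userland()`/`pax_close_userland()` stubs in the include/asm-generic/uaccess.h hunk.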
96591diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h
96592index b58fd66..6cfae67 100644
96593--- a/include/asm-generic/sections.h
96594+++ b/include/asm-generic/sections.h
96595@@ -30,6 +30,7 @@ extern char _data[], _sdata[], _edata[];
96596 extern char __bss_start[], __bss_stop[];
96597 extern char __init_begin[], __init_end[];
96598 extern char _sinittext[], _einittext[];
96599+extern char _sinitdata[], _einitdata[];
96600 extern char _end[];
96601 extern char __per_cpu_load[], __per_cpu_start[], __per_cpu_end[];
96602 extern char __kprobes_text_start[], __kprobes_text_end[];
96603diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
96604index 72d8803..cb9749c 100644
96605--- a/include/asm-generic/uaccess.h
96606+++ b/include/asm-generic/uaccess.h
96607@@ -343,4 +343,20 @@ clear_user(void __user *to, unsigned long n)
96608 return __clear_user(to, n);
96609 }
96610
96611+#ifndef __HAVE_ARCH_PAX_OPEN_USERLAND
96612+#ifdef CONFIG_PAX_MEMORY_UDEREF
96613+#error UDEREF requires pax_open_userland
96614+#else
96615+static inline unsigned long pax_open_userland(void) { return 0; }
96616+#endif
96617+#endif
96618+
96619+#ifndef __HAVE_ARCH_PAX_CLOSE_USERLAND
96620+#ifdef CONFIG_PAX_MEMORY_UDEREF
96621+#error UDEREF requires pax_close_userland
96622+#else
96623+static inline unsigned long pax_close_userland(void) { return 0; }
96624+#endif
96625+#endif
96626+
96627 #endif /* __ASM_GENERIC_UACCESS_H */
96628diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
96629index 8bd374d..2665ce3 100644
96630--- a/include/asm-generic/vmlinux.lds.h
96631+++ b/include/asm-generic/vmlinux.lds.h
96632@@ -246,6 +246,7 @@
96633 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
96634 VMLINUX_SYMBOL(__start_rodata) = .; \
96635 *(.rodata) *(.rodata.*) \
96636+ *(.data..read_only) \
96637 *(__vermagic) /* Kernel version magic */ \
96638 . = ALIGN(8); \
96639 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
96640@@ -504,6 +505,7 @@
96641 KERNEL_CTORS() \
96642 MCOUNT_REC() \
96643 *(.init.rodata) \
96644+ *(.init.rodata.*) \
96645 FTRACE_EVENTS() \
96646 TRACE_SYSCALLS() \
96647 KPROBE_BLACKLIST() \
96648@@ -525,6 +527,8 @@
96649
96650 #define EXIT_DATA \
96651 *(.exit.data) \
96652+ *(.exit.rodata) \
96653+ *(.exit.rodata.*) \
96654 MEM_DISCARD(exit.data) \
96655 MEM_DISCARD(exit.rodata)
96656
96657@@ -741,17 +745,18 @@
96658 * section in the linker script will go there too. @phdr should have
96659 * a leading colon.
96660 *
96661- * Note that this macros defines __per_cpu_load as an absolute symbol.
96662+ * Note that this macros defines per_cpu_load as an absolute symbol.
96663 * If there is no need to put the percpu section at a predetermined
96664 * address, use PERCPU_SECTION.
96665 */
96666 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
96667- VMLINUX_SYMBOL(__per_cpu_load) = .; \
96668- .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
96669+ per_cpu_load = .; \
96670+ .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
96671 - LOAD_OFFSET) { \
96672+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
96673 PERCPU_INPUT(cacheline) \
96674 } phdr \
96675- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
96676+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
96677
96678 /**
96679 * PERCPU_SECTION - define output section for percpu area, simple version
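Review bot: `per_cpu_load` is assigned and used as a bare symbol (`per_cpu_load = .;` and `. + per_cpu_load`) but read back as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location-counter assignment. On any configuration where `VMLINUX_SYMBOL()` adds a prefix, those spellings would name different symbols. Pick one form for all four uses, for instance `VMLINUX_SYMBOL(per_cpu_load) = .;`. The edited comment now says the macro defines `per_cpu_load` as an absolute symbol, but `__per_cpu_load` is still defined, now inside the output section as `. + per_cpu_load`, so the comment should describe both symbols and how they relate.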
96680@@ -813,12 +818,14 @@
96681
96682 #define INIT_DATA_SECTION(initsetup_align) \
96683 .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { \
96684+ VMLINUX_SYMBOL(_sinitdata) = .; \
96685 INIT_DATA \
96686 INIT_SETUP(initsetup_align) \
96687 INIT_CALLS \
96688 CON_INITCALL \
96689 SECURITY_INITCALL \
96690 INIT_RAM_FS \
96691+ VMLINUX_SYMBOL(_einitdata) = .; \
96692 }
96693
96694 #define BSS_SECTION(sbss_align, bss_align, stop_align) \
96695diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
96696index d4ebf6e..ca4bd35 100644
96697--- a/include/crypto/algapi.h
96698+++ b/include/crypto/algapi.h
96699@@ -35,7 +35,7 @@ struct crypto_type {
96700 unsigned int maskclear;
96701 unsigned int maskset;
96702 unsigned int tfmsize;
96703-};
96704+} __do_const;
96705
96706 struct crypto_instance {
96707 struct crypto_alg alg;
96708diff --git a/include/drm/drmP.h b/include/drm/drmP.h
96709index 5aa5197..e4ca348 100644
96710--- a/include/drm/drmP.h
96711+++ b/include/drm/drmP.h
96712@@ -59,6 +59,7 @@
96713
96714 #include <asm/mman.h>
96715 #include <asm/pgalloc.h>
96716+#include <asm/local.h>
96717 #include <asm/uaccess.h>
96718
96719 #include <uapi/drm/drm.h>
96720@@ -137,17 +138,18 @@ void drm_err(const char *format, ...);
96721 /*@{*/
96722
96723 /* driver capabilities and requirements mask */
96724-#define DRIVER_USE_AGP 0x1
96725-#define DRIVER_PCI_DMA 0x8
96726-#define DRIVER_SG 0x10
96727-#define DRIVER_HAVE_DMA 0x20
96728-#define DRIVER_HAVE_IRQ 0x40
96729-#define DRIVER_IRQ_SHARED 0x80
96730-#define DRIVER_GEM 0x1000
96731-#define DRIVER_MODESET 0x2000
96732-#define DRIVER_PRIME 0x4000
96733-#define DRIVER_RENDER 0x8000
96734-#define DRIVER_ATOMIC 0x10000
96735+#define DRIVER_USE_AGP 0x1
96736+#define DRIVER_PCI_DMA 0x8
96737+#define DRIVER_SG 0x10
96738+#define DRIVER_HAVE_DMA 0x20
96739+#define DRIVER_HAVE_IRQ 0x40
96740+#define DRIVER_IRQ_SHARED 0x80
96741+#define DRIVER_GEM 0x1000
96742+#define DRIVER_MODESET 0x2000
96743+#define DRIVER_PRIME 0x4000
96744+#define DRIVER_RENDER 0x8000
96745+#define DRIVER_ATOMIC 0x10000
96746+#define DRIVER_KMS_LEGACY_CONTEXT 0x20000
96747
96748 /***********************************************************************/
96749 /** \name Macros to make printk easier */
96750@@ -233,10 +235,12 @@ void drm_err(const char *format, ...);
96751 * \param cmd command.
96752 * \param arg argument.
96753 */
96754-typedef int drm_ioctl_t(struct drm_device *dev, void *data,
96755+typedef int (* const drm_ioctl_t)(struct drm_device *dev, void *data,
96756+ struct drm_file *file_priv);
96757+typedef int (* drm_ioctl_no_const_t)(struct drm_device *dev, void *data,
96758 struct drm_file *file_priv);
96759
96760-typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
96761+typedef int (* const drm_ioctl_compat_t)(struct file *filp, unsigned int cmd,
96762 unsigned long arg);
96763
96764 #define DRM_IOCTL_NR(n) _IOC_NR(n)
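Review bot: `drm_ioctl_t` and `drm_ioctl_compat_t` change from function types to const pointer-to-function types, and the doc comment above them does not mention it. Any remaining `drm_ioctl_t *` declaration now silently means a pointer to a pointer, and a prototype written with the typedef no longer declares a function. The next hunk converts `struct drm_ioctl_desc`, but other users are outside this page. I would extend the comment with something like `/* drm_ioctl_t is a const function pointer; use drm_ioctl_no_const_t where the handler is assigned at run time */`. It is also worth confirming that no declaration of the old `drm_ioctl_t *` form survives elsewhere in the tree.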
96765@@ -252,9 +256,9 @@ typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
96766 struct drm_ioctl_desc {
96767 unsigned int cmd;
96768 int flags;
96769- drm_ioctl_t *func;
96770+ drm_ioctl_t func;
96771 const char *name;
96772-};
96773+} __do_const;
96774
96775 /**
96776 * Creates a driver or general drm_ioctl_desc array entry for the given
96777@@ -647,7 +651,8 @@ struct drm_info_list {
96778 int (*show)(struct seq_file*, void*); /** show callback */
96779 u32 driver_features; /**< Required driver features for this entry */
96780 void *data;
96781-};
96782+} __do_const;
96783+typedef struct drm_info_list __no_const drm_info_list_no_const;
96784
96785 /**
96786 * debugfs node structure. This structure represents a debugfs file.
96787@@ -735,7 +740,7 @@ struct drm_device {
96788
96789 /** \name Usage Counters */
96790 /*@{ */
96791- int open_count; /**< Outstanding files open, protected by drm_global_mutex. */
96792+ local_t open_count; /**< Outstanding files open, protected by drm_global_mutex. */
96793 spinlock_t buf_lock; /**< For drm_device::buf_use and a few other things. */
96794 int buf_use; /**< Buffers in use -- cannot alloc */
96795 atomic_t buf_alloc; /**< Buffer allocation in progress */
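Review bot: The field comment on `open_count` still reads "protected by drm_global_mutex" although the type changes from `int` to `local_t`, and nothing says why. `local_t` is meant for CPU-local counters, and some architectures implement its operations without cross-CPU atomicity. The mutex therefore presumably remains the real protection, and the comment should say so, e.g. `/**< Outstanding files open; local_t for overflow checking, still serialised by drm_global_mutex. */`. Every reader and writer of the field must also move to the `local_*()` accessors; those call sites and the rest of `struct drm_device` lie outside this hunk.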
96796diff --git a/include/drm/drm_crtc_helper.h b/include/drm/drm_crtc_helper.h
96797index 918aa68..f162a8a 100644
96798--- a/include/drm/drm_crtc_helper.h
96799+++ b/include/drm/drm_crtc_helper.h
96800@@ -161,7 +161,7 @@ struct drm_encoder_helper_funcs {
96801 int (*atomic_check)(struct drm_encoder *encoder,
96802 struct drm_crtc_state *crtc_state,
96803 struct drm_connector_state *conn_state);
96804-};
96805+} __no_const;
96806
96807 /**
96808 * struct drm_connector_helper_funcs - helper operations for connectors
96809diff --git a/include/drm/drm_mm.h b/include/drm/drm_mm.h
96810index 0de6290..2a2c125 100644
96811--- a/include/drm/drm_mm.h
96812+++ b/include/drm/drm_mm.h
96813@@ -297,7 +297,7 @@ void drm_mm_remove_node(struct drm_mm_node *node);
96814 void drm_mm_replace_node(struct drm_mm_node *old, struct drm_mm_node *new);
96815 void drm_mm_init(struct drm_mm *mm,
96816 u64 start,
96817- u64 size);
96818+ u64 size) __intentional_overflow(3);
96819 void drm_mm_takedown(struct drm_mm *mm);
96820 bool drm_mm_clean(struct drm_mm *mm);
96821
96822diff --git a/include/drm/i915_pciids.h b/include/drm/i915_pciids.h
96823index 17c4456..da0c5eb 100644
96824--- a/include/drm/i915_pciids.h
96825+++ b/include/drm/i915_pciids.h
96826@@ -37,7 +37,7 @@
96827 */
96828 #define INTEL_VGA_DEVICE(id, info) { \
96829 0x8086, id, \
96830- ~0, ~0, \
96831+ PCI_ANY_ID, PCI_ANY_ID, \
96832 0x030000, 0xff0000, \
96833 (unsigned long) info }
96834
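Review bot: `INTEL_VGA_DEVICE()` now expands to `PCI_ANY_ID`, but the hunk adds no include that defines it, so every file that uses the macro must already have the definition in scope. The previous `~0` was self-contained. If this header is meant to stay usable on its own (not visible here), add `#include <linux/mod_devicetable.h>` at the top or note the dependency in the comment above the macro.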
96835diff --git a/include/drm/intel-gtt.h b/include/drm/intel-gtt.h
96836index b08bdad..21e6054 100644
96837--- a/include/drm/intel-gtt.h
96838+++ b/include/drm/intel-gtt.h
96839@@ -3,8 +3,8 @@
96840 #ifndef _DRM_INTEL_GTT_H
96841 #define _DRM_INTEL_GTT_H
96842
96843-void intel_gtt_get(size_t *gtt_total, size_t *stolen_size,
96844- phys_addr_t *mappable_base, unsigned long *mappable_end);
96845+void intel_gtt_get(uint64_t *gtt_total, uint64_t *stolen_size,
96846+ uint64_t *mappable_base, uint64_t *mappable_end);
96847
96848 int intel_gmch_probe(struct pci_dev *bridge_pdev, struct pci_dev *gpu_pdev,
96849 struct agp_bridge_data *bridge);
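Review bot: All four out-parameters of `intel_gtt_get()` become `uint64_t *`, so every caller must now pass 64-bit objects. Where `size_t`, `phys_addr_t` or `unsigned long` is 32 bits wide, a caller still passing the old variable types would have eight bytes stored into a four-byte object. The callers are outside this hunk, so I cannot confirm they were all widened. Kernel-internal prototypes also normally spell the type `u64` rather than `uint64_t`, and a one-line comment stating that the values are byte counts or addresses reported at 64-bit width would document the intent.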
96850diff --git a/include/drm/ttm/ttm_memory.h b/include/drm/ttm/ttm_memory.h
96851index 72dcbe8..8db58d7 100644
96852--- a/include/drm/ttm/ttm_memory.h
96853+++ b/include/drm/ttm/ttm_memory.h
96854@@ -48,7 +48,7 @@
96855
96856 struct ttm_mem_shrink {
96857 int (*do_shrink) (struct ttm_mem_shrink *);
96858-};
96859+} __no_const;
96860
96861 /**
96862 * struct ttm_mem_global - Global memory accounting structure.
96863diff --git a/include/drm/ttm/ttm_page_alloc.h b/include/drm/ttm/ttm_page_alloc.h
96864index 49a8284..9643967 100644
96865--- a/include/drm/ttm/ttm_page_alloc.h
96866+++ b/include/drm/ttm/ttm_page_alloc.h
96867@@ -80,6 +80,7 @@ void ttm_dma_page_alloc_fini(void);
96868 */
96869 extern int ttm_dma_page_alloc_debugfs(struct seq_file *m, void *data);
96870
96871+struct device;
96872 extern int ttm_dma_populate(struct ttm_dma_tt *ttm_dma, struct device *dev);
96873 extern void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev);
96874
96875diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h
96876index 4b840e8..155d235 100644
96877--- a/include/keys/asymmetric-subtype.h
96878+++ b/include/keys/asymmetric-subtype.h
96879@@ -37,7 +37,7 @@ struct asymmetric_key_subtype {
96880 /* Verify the signature on a key of this subtype (optional) */
96881 int (*verify_signature)(const struct key *key,
96882 const struct public_key_signature *sig);
96883-};
96884+} __do_const;
96885
96886 /**
96887 * asymmetric_key_subtype - Get the subtype from an asymmetric key
96888diff --git a/include/linux/atmdev.h b/include/linux/atmdev.h
96889index c1da539..1dcec55 100644
96890--- a/include/linux/atmdev.h
96891+++ b/include/linux/atmdev.h
96892@@ -28,7 +28,7 @@ struct compat_atm_iobuf {
96893 #endif
96894
96895 struct k_atm_aal_stats {
96896-#define __HANDLE_ITEM(i) atomic_t i
96897+#define __HANDLE_ITEM(i) atomic_unchecked_t i
96898 __AAL_STAT_ITEMS
96899 #undef __HANDLE_ITEM
96900 };
96901@@ -200,7 +200,7 @@ struct atmdev_ops { /* only send is required */
96902 int (*change_qos)(struct atm_vcc *vcc,struct atm_qos *qos,int flags);
96903 int (*proc_read)(struct atm_dev *dev,loff_t *pos,char *page);
96904 struct module *owner;
96905-};
96906+} __do_const ;
96907
96908 struct atmphy_ops {
96909 int (*start)(struct atm_dev *dev);
96910diff --git a/include/linux/atomic.h b/include/linux/atomic.h
96911index 5b08a85..60922fb 100644
96912--- a/include/linux/atomic.h
96913+++ b/include/linux/atomic.h
96914@@ -12,7 +12,7 @@
96915 * Atomically adds @a to @v, so long as @v was not already @u.
96916 * Returns non-zero if @v was not @u, and zero otherwise.
96917 */
96918-static inline int atomic_add_unless(atomic_t *v, int a, int u)
96919+static inline int __intentional_overflow(-1) atomic_add_unless(atomic_t *v, int a, int u)
96920 {
96921 return __atomic_add_unless(v, a, u) != u;
96922 }
96923diff --git a/include/linux/audit.h b/include/linux/audit.h
96924index c2e7e3a..8bfc0e1 100644
96925--- a/include/linux/audit.h
96926+++ b/include/linux/audit.h
96927@@ -223,7 +223,7 @@ static inline void audit_ptrace(struct task_struct *t)
96928 extern unsigned int audit_serial(void);
96929 extern int auditsc_get_stamp(struct audit_context *ctx,
96930 struct timespec *t, unsigned int *serial);
96931-extern int audit_set_loginuid(kuid_t loginuid);
96932+extern int __intentional_overflow(-1) audit_set_loginuid(kuid_t loginuid);
96933
96934 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
96935 {
96936diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
96937index 576e463..28fd926 100644
96938--- a/include/linux/binfmts.h
96939+++ b/include/linux/binfmts.h
96940@@ -44,7 +44,7 @@ struct linux_binprm {
96941 unsigned interp_flags;
96942 unsigned interp_data;
96943 unsigned long loader, exec;
96944-};
96945+} __randomize_layout;
96946
96947 #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
96948 #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
96949@@ -77,8 +77,10 @@ struct linux_binfmt {
96950 int (*load_binary)(struct linux_binprm *);
96951 int (*load_shlib)(struct file *);
96952 int (*core_dump)(struct coredump_params *cprm);
96953+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
96954+ void (*handle_mmap)(struct file *);
96955 unsigned long min_coredump; /* minimal dump size */
96956-};
96957+} __do_const __randomize_layout;
96958
96959 extern void __register_binfmt(struct linux_binfmt *fmt, int insert);
96960
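Review bot: The new `handle_mprotect` and `handle_mmap` callbacks are added to `struct linux_binfmt` without any comment on when they are invoked or whether a binfmt may leave them NULL. A short comment on each would settle that, for example `/* optional; called on mprotect() of a mapping belonging to this format */`, worded to match the real call sites, which are not visible here. The struct is now also tagged `__randomize_layout`, so it is worth noting next to the attribute that every initialiser must use designated fields. The struct begins outside this hunk.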
96961diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
96962index ea17cca..dd56e56 100644
96963--- a/include/linux/bitmap.h
96964+++ b/include/linux/bitmap.h
96965@@ -295,7 +295,7 @@ static inline int bitmap_full(const unsigned long *src, unsigned int nbits)
96966 return find_first_zero_bit(src, nbits) == nbits;
96967 }
96968
96969-static inline int bitmap_weight(const unsigned long *src, unsigned int nbits)
96970+static inline int __intentional_overflow(-1) bitmap_weight(const unsigned long *src, unsigned int nbits)
96971 {
96972 if (small_const_nbits(nbits))
96973 return hweight_long(*src & BITMAP_LAST_WORD_MASK(nbits));
96974diff --git a/include/linux/bitops.h b/include/linux/bitops.h
96975index 297f5bd..5892caa 100644
96976--- a/include/linux/bitops.h
96977+++ b/include/linux/bitops.h
96978@@ -75,7 +75,7 @@ static __inline__ int get_count_order(unsigned int count)
96979 return order;
96980 }
96981
96982-static inline unsigned long hweight_long(unsigned long w)
96983+static inline unsigned long __intentional_overflow(-1) hweight_long(unsigned long w)
96984 {
96985 return sizeof(w) == 4 ? hweight32(w) : hweight64(w);
96986 }
96987@@ -105,7 +105,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift)
96988 * @word: value to rotate
96989 * @shift: bits to roll
96990 */
96991-static inline __u32 rol32(__u32 word, unsigned int shift)
96992+static inline __u32 __intentional_overflow(-1) rol32(__u32 word, unsigned int shift)
96993 {
96994 return (word << shift) | (word >> (32 - shift));
96995 }
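Review bot: The annotation added to `rol32()` here, and to `ror32()` in the next hunk, does not change the fact that both bodies shift by `32 - shift`. With `shift == 0` that is a shift of a 32-bit value by its full width, which is undefined in C regardless of the attribute. Masking the counts removes the case without changing results for 1..31: `return (word << (shift & 31)) | (word >> ((-shift) & 31));` for `rol32()`, and the mirrored expression for `ror32()`. If callers are guaranteed never to pass 0, a comment stating that precondition would do instead.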
96996@@ -115,7 +115,7 @@ static inline __u32 rol32(__u32 word, unsigned int shift)
96997 * @word: value to rotate
96998 * @shift: bits to roll
96999 */
97000-static inline __u32 ror32(__u32 word, unsigned int shift)
97001+static inline __u32 __intentional_overflow(-1) ror32(__u32 word, unsigned int shift)
97002 {
97003 return (word >> shift) | (word << (32 - shift));
97004 }
97005@@ -171,7 +171,7 @@ static inline __s32 sign_extend32(__u32 value, int index)
97006 return (__s32)(value << shift) >> shift;
97007 }
97008
97009-static inline unsigned fls_long(unsigned long l)
97010+static inline unsigned __intentional_overflow(-1) fls_long(unsigned long l)
97011 {
97012 if (sizeof(l) == 4)
97013 return fls(l);
97014diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
97015index d4068c1..77159a1 100644
97016--- a/include/linux/blkdev.h
97017+++ b/include/linux/blkdev.h
97018@@ -1567,7 +1567,7 @@ struct block_device_operations {
97019 /* this callback is with swap_lock and sometimes page table lock held */
97020 void (*swap_slot_free_notify) (struct block_device *, unsigned long);
97021 struct module *owner;
97022-};
97023+} __do_const;
97024
97025 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
97026 unsigned long);
97027diff --git a/include/linux/blktrace_api.h b/include/linux/blktrace_api.h
97028index afc1343..9735539 100644
97029--- a/include/linux/blktrace_api.h
97030+++ b/include/linux/blktrace_api.h
97031@@ -25,7 +25,7 @@ struct blk_trace {
97032 struct dentry *dropped_file;
97033 struct dentry *msg_file;
97034 struct list_head running_list;
97035- atomic_t dropped;
97036+ atomic_unchecked_t dropped;
97037 };
97038
97039 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
97040diff --git a/include/linux/cache.h b/include/linux/cache.h
97041index 17e7e82..1d7da26 100644
97042--- a/include/linux/cache.h
97043+++ b/include/linux/cache.h
97044@@ -16,6 +16,14 @@
97045 #define __read_mostly
97046 #endif
97047
97048+#ifndef __read_only
97049+#ifdef CONFIG_PAX_KERNEXEC
97050+#error KERNEXEC requires __read_only
97051+#else
97052+#define __read_only __read_mostly
97053+#endif
97054+#endif
97055+
97056 #ifndef ____cacheline_aligned
97057 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
97058 #endif
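Review bot: Without `CONFIG_PAX_KERNEXEC`, `__read_only` silently falls back to `__read_mostly`, so objects annotated `__read_only` stay writable at run time on such builds. The name reads as a guarantee, and a reviewer auditing a `__read_only` variable would reasonably assume write protection. I would document the fallback where it is defined, e.g. `/* without KERNEXEC this is only a placement hint; the data remains writable */`.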
97059diff --git a/include/linux/capability.h b/include/linux/capability.h
97060index af9f0b9..71a5e5c 100644
97061--- a/include/linux/capability.h
97062+++ b/include/linux/capability.h
97063@@ -237,15 +237,28 @@ static inline bool capable(int cap)
97064 {
97065 return true;
97066 }
97067+static inline bool capable_nolog(int cap)
97068+{
97069+ return true;
97070+}
97071 static inline bool ns_capable(struct user_namespace *ns, int cap)
97072 {
97073 return true;
97074 }
97075+static inline bool ns_capable_nolog(struct user_namespace *ns, int cap)
97076+{
97077+ return true;
97078+}
97079 #endif /* CONFIG_MULTIUSER */
97080 extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
97081+extern bool capable_wrt_inode_uidgid_nolog(const struct inode *inode, int cap);
97082 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
97083+extern bool capable_nolog(int cap);
97084+extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
97085
97086 /* audit system wants to get cap info from files as well */
97087 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
97088
97089+extern int is_privileged_binary(const struct dentry *dentry);
97090+
97091 #endif /* !_LINUX_CAPABILITY_H */
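Review bot: The `extern` declarations of `capable_nolog()` and `ns_capable_nolog()` are placed after `#endif /* CONFIG_MULTIUSER */`, so on a !CONFIG_MULTIUSER build they redeclare the `static inline` stubs added a few lines above. C permits this, but it is confusing and differs from how `capable()`/`ns_capable()` appear to be arranged; the `#ifdef` branch itself starts outside this hunk. They belong inside the `CONFIG_MULTIUSER` branch next to the existing prototypes. None of the `_nolog` variants carries a comment saying what is not logged or when a caller may choose them over the logging form, which matters for anyone auditing privilege checks. `is_privileged_binary()` returns `int` while the neighbouring predicates return `bool`.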
97092diff --git a/include/linux/cdrom.h b/include/linux/cdrom.h
97093index 8609d57..86e4d79 100644
97094--- a/include/linux/cdrom.h
97095+++ b/include/linux/cdrom.h
97096@@ -87,7 +87,6 @@ struct cdrom_device_ops {
97097
97098 /* driver specifications */
97099 const int capability; /* capability flags */
97100- int n_minors; /* number of active minor devices */
97101 /* handle uniform packets for scsi type devices (scsi,atapi) */
97102 int (*generic_packet) (struct cdrom_device_info *,
97103 struct packet_command *);
97104diff --git a/include/linux/cleancache.h b/include/linux/cleancache.h
97105index bda5ec0b4..51d8ea1 100644
97106--- a/include/linux/cleancache.h
97107+++ b/include/linux/cleancache.h
97108@@ -35,7 +35,7 @@ struct cleancache_ops {
97109 void (*invalidate_page)(int, struct cleancache_filekey, pgoff_t);
97110 void (*invalidate_inode)(int, struct cleancache_filekey);
97111 void (*invalidate_fs)(int);
97112-};
97113+} __no_const;
97114
97115 extern int cleancache_register_ops(struct cleancache_ops *ops);
97116 extern void __cleancache_init_fs(struct super_block *);
97117diff --git a/include/linux/clk-provider.h b/include/linux/clk-provider.h
97118index 78842f4..7e7f81f 100644
97119--- a/include/linux/clk-provider.h
97120+++ b/include/linux/clk-provider.h
97121@@ -196,6 +196,7 @@ struct clk_ops {
97122 void (*init)(struct clk_hw *hw);
97123 int (*debug_init)(struct clk_hw *hw, struct dentry *dentry);
97124 };
97125+typedef struct clk_ops __no_const clk_ops_no_const;
97126
97127 /**
97128 * struct clk_init_data - holds init data that's common to all clocks and is
97129diff --git a/include/linux/compat.h b/include/linux/compat.h
97130index a76c917..63b52db 100644
97131--- a/include/linux/compat.h
97132+++ b/include/linux/compat.h
97133@@ -316,7 +316,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
97134 compat_size_t __user *len_ptr);
97135
97136 asmlinkage long compat_sys_ipc(u32, int, int, u32, compat_uptr_t, u32);
97137-asmlinkage long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg);
97138+asmlinkage long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg) __intentional_overflow(0);
97139 asmlinkage long compat_sys_semctl(int semid, int semnum, int cmd, int arg);
97140 asmlinkage long compat_sys_msgsnd(int msqid, compat_uptr_t msgp,
97141 compat_ssize_t msgsz, int msgflg);
97142@@ -325,7 +325,7 @@ asmlinkage long compat_sys_msgrcv(int msqid, compat_uptr_t msgp,
97143 long compat_sys_msgctl(int first, int second, void __user *uptr);
97144 long compat_sys_shmctl(int first, int second, void __user *uptr);
97145 long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
97146- unsigned nsems, const struct compat_timespec __user *timeout);
97147+ compat_long_t nsems, const struct compat_timespec __user *timeout);
97148 asmlinkage long compat_sys_keyctl(u32 option,
97149 u32 arg2, u32 arg3, u32 arg4, u32 arg5);
97150 asmlinkage long compat_sys_ustat(unsigned dev, struct compat_ustat __user *u32);
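Review bot: `nsems` in `compat_sys_semtimedop()` changes from `unsigned` to `compat_long_t`, a signed type, so the operation count can now reach the implementation as a negative number. The definition is outside this hunk, so I cannot confirm it rejects negative values or converts them safely before they are used as a count. If the change is only meant to match the register width of the compat ABI, a comment on the prototype saying so would help, e.g. `/* nsems is range-checked in the implementation; signed to match the compat ABI */`.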
97151@@ -439,7 +439,7 @@ extern int compat_ptrace_request(struct task_struct *child,
97152 extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
97153 compat_ulong_t addr, compat_ulong_t data);
97154 asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
97155- compat_long_t addr, compat_long_t data);
97156+ compat_ulong_t addr, compat_ulong_t data);
97157
97158 asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, compat_size_t);
97159 /*
97160diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
97161index dfaa7b3..58cebfb 100644
97162--- a/include/linux/compiler-gcc.h
97163+++ b/include/linux/compiler-gcc.h
97164@@ -116,8 +116,8 @@
97165 */
97166 #define __pure __attribute__((pure))
97167 #define __aligned(x) __attribute__((aligned(x)))
97168-#define __printf(a, b) __attribute__((format(printf, a, b)))
97169-#define __scanf(a, b) __attribute__((format(scanf, a, b)))
97170+#define __printf(a, b) __attribute__((format(printf, a, b))) __nocapture(a, b)
97171+#define __scanf(a, b) __attribute__((format(scanf, a, b))) __nocapture(a, b)
97172 #define __attribute_const__ __attribute__((__const__))
97173 #define __maybe_unused __attribute__((unused))
97174 #define __always_unused __attribute__((unused))
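Review bot: `__printf(a, b)` and `__scanf(a, b)` now always append `__nocapture(a, b)`, but this file defines `__nocapture` only under `#ifdef INITIFY_PLUGIN` inside the `GCC_VERSION >= 40500` block in the next hunk. An empty fallback definition therefore has to exist for every other build; it is not visible on this page and should be confirmed. Functions that take a `va_list` conventionally pass 0 as the second format argument, which now yields `__nocapture(a, 0)`. A comment stating how the plugin treats an argument index of 0 would make that safe to rely on.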
97175@@ -184,9 +184,38 @@
97176 # define __compiletime_warning(message) __attribute__((warning(message)))
97177 # define __compiletime_error(message) __attribute__((error(message)))
97178 #endif /* __CHECKER__ */
97179+
97180+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
97181+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
97182+#define __bos0(ptr) __bos((ptr), 0)
97183+#define __bos1(ptr) __bos((ptr), 1)
97184 #endif /* GCC_VERSION >= 40300 */
97185
97186 #if GCC_VERSION >= 40500
97187+
97188+#ifdef RANDSTRUCT_PLUGIN
97189+#define __randomize_layout __attribute__((randomize_layout))
97190+#define __no_randomize_layout __attribute__((no_randomize_layout))
97191+#endif
97192+
97193+#ifdef CONSTIFY_PLUGIN
97194+#define __no_const __attribute__((no_const))
97195+#define __do_const __attribute__((do_const))
97196+#endif
97197+
97198+#ifdef SIZE_OVERFLOW_PLUGIN
97199+#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
97200+#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__)))
97201+#endif
97202+
97203+#ifdef LATENT_ENTROPY_PLUGIN
97204+#define __latent_entropy __attribute__((latent_entropy))
97205+#endif
97206+
97207+#ifdef INITIFY_PLUGIN
97208+#define __nocapture(...) __attribute__((nocapture(__VA_ARGS__)))
97209+#endif
97210+
97211 /*
97212 * Mark a position in code as unreachable. This can be used to
97213 * suppress control flow warnings after asm blocks that transfer
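Review bot: `__alloc_size` is written with `__attribute((...))` while every other definition added in this hunk, and the surrounding context, uses `__attribute__((...))`. GCC accepts both spellings, so this is style only, but the consistent form is `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`. The `*_PLUGIN` guards (`RANDSTRUCT_PLUGIN`, `CONSTIFY_PLUGIN`, `SIZE_OVERFLOW_PLUGIN`, `LATENT_ENTROPY_PLUGIN`, `INITIFY_PLUGIN`) are also introduced without a comment saying where they are defined. One line stating that they come from the plugin build flags (if that is the case) would help a reader who finds these attributes silently compiled out.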
97214diff --git a/include/linux/compiler.h b/include/linux/compiler.h
97215index e08a6ae..2e5e776 100644
97216--- a/include/linux/compiler.h
97217+++ b/include/linux/compiler.h
97218@@ -5,11 +5,14 @@
97219
97220 #ifdef __CHECKER__
97221 # define __user __attribute__((noderef, address_space(1)))
97222+# define __force_user __force __user
97223 # define __kernel __attribute__((address_space(0)))
97224+# define __force_kernel __force __kernel
97225 # define __safe __attribute__((safe))
97226 # define __force __attribute__((force))
97227 # define __nocast __attribute__((nocast))
97228 # define __iomem __attribute__((noderef, address_space(2)))
97229+# define __force_iomem __force __iomem
97230 # define __must_hold(x) __attribute__((context(x,1,1)))
97231 # define __acquires(x) __attribute__((context(x,0,1)))
97232 # define __releases(x) __attribute__((context(x,1,0)))
97233@@ -17,21 +20,39 @@
97234 # define __release(x) __context__(x,-1)
97235 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
97236 # define __percpu __attribute__((noderef, address_space(3)))
97237+# define __force_percpu __force __percpu
97238 # define __pmem __attribute__((noderef, address_space(5)))
97239+# define __force_pmem __force __pmem
97240 #ifdef CONFIG_SPARSE_RCU_POINTER
97241 # define __rcu __attribute__((noderef, address_space(4)))
97242+# define __force_rcu __force __rcu
97243 #else
97244 # define __rcu
97245+# define __force_rcu
97246 #endif
97247 extern void __chk_user_ptr(const volatile void __user *);
97248 extern void __chk_io_ptr(const volatile void __iomem *);
97249 #else
97250-# define __user
97251-# define __kernel
97252+# ifdef CHECKER_PLUGIN
97253+//# define __user
97254+//# define __force_user
97255+//# define __kernel
97256+//# define __force_kernel
97257+# else
97258+# ifdef STRUCTLEAK_PLUGIN
97259+# define __user __attribute__((user))
97260+# else
97261+# define __user
97262+# endif
97263+# define __force_user
97264+# define __kernel
97265+# define __force_kernel
97266+# endif
97267 # define __safe
97268 # define __force
97269 # define __nocast
97270 # define __iomem
97271+# define __force_iomem
97272 # define __chk_user_ptr(x) (void)0
97273 # define __chk_io_ptr(x) (void)0
97274 # define __builtin_warning(x, y...) (1)
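Review bot: The `CHECKER_PLUGIN` branch consists only of four commented-out defines (`//# define __user` and the three after it), so with that symbol set and `__CHECKER__` unset this header leaves `__user`, `__force_user`, `__kernel` and `__force_kernel` undefined. Presumably the plugin build supplies them, but nothing in the hunk says so. Commented-out code reads as an unfinished edit. Replacing those lines with an explicit statement would be clearer, e.g. `/* CHECKER_PLUGIN: __user, __force_user, __kernel and __force_kernel are expected from the plugin build, not defined here */`, adjusted to wherever they really come from.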
97275@@ -42,8 +63,11 @@ extern void __chk_io_ptr(const volatile void __iomem *);
97276 # define __release(x) (void)0
97277 # define __cond_lock(x,c) (c)
97278 # define __percpu
97279+# define __force_percpu
97280 # define __rcu
97281+# define __force_rcu
97282 # define __pmem
97283+# define __force_pmem
97284 #endif
97285
97286 /* Indirect macros required for expanded argument pasting, eg. __LINE__. */
97287@@ -201,27 +225,27 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
97288 static __always_inline void __read_once_size(const volatile void *p, void *res, int size)
97289 {
97290 switch (size) {
97291- case 1: *(__u8 *)res = *(volatile __u8 *)p; break;
97292- case 2: *(__u16 *)res = *(volatile __u16 *)p; break;
97293- case 4: *(__u32 *)res = *(volatile __u32 *)p; break;
97294- case 8: *(__u64 *)res = *(volatile __u64 *)p; break;
97295+ case 1: *(__u8 *)res = *(const volatile __u8 *)p; break;
97296+ case 2: *(__u16 *)res = *(const volatile __u16 *)p; break;
97297+ case 4: *(__u32 *)res = *(const volatile __u32 *)p; break;
97298+ case 8: *(__u64 *)res = *(const volatile __u64 *)p; break;
97299 default:
97300 barrier();
97301- __builtin_memcpy((void *)res, (const void *)p, size);
97302+ __builtin_memcpy(res, (const void *)p, size);
97303 barrier();
97304 }
97305 }
97306
97307-static __always_inline void __write_once_size(volatile void *p, void *res, int size)
97308+static __always_inline void __write_once_size(volatile void *p, const void *res, int size)
97309 {
97310 switch (size) {
97311- case 1: *(volatile __u8 *)p = *(__u8 *)res; break;
97312- case 2: *(volatile __u16 *)p = *(__u16 *)res; break;
97313- case 4: *(volatile __u32 *)p = *(__u32 *)res; break;
97314- case 8: *(volatile __u64 *)p = *(__u64 *)res; break;
97315+ case 1: *(volatile __u8 *)p = *(const __u8 *)res; break;
97316+ case 2: *(volatile __u16 *)p = *(const __u16 *)res; break;
97317+ case 4: *(volatile __u32 *)p = *(const __u32 *)res; break;
97318+ case 8: *(volatile __u64 *)p = *(const __u64 *)res; break;
97319 default:
97320 barrier();
97321- __builtin_memcpy((void *)p, (const void *)res, size);
97322+ __builtin_memcpy((void *)p, res, size);
97323 barrier();
97324 }
97325 }
97326@@ -370,6 +394,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
97327 # define __attribute_const__ /* unimplemented */
97328 #endif
97329
97330+#ifndef __randomize_layout
97331+# define __randomize_layout
97332+#endif
97333+
97334+#ifndef __no_randomize_layout
97335+# define __no_randomize_layout
97336+#endif
97337+
97338+#ifndef __no_const
97339+# define __no_const
97340+#endif
97341+
97342+#ifndef __do_const
97343+# define __do_const
97344+#endif
97345+
97346+#ifndef __size_overflow
97347+# define __size_overflow(...)
97348+#endif
97349+
97350+#ifndef __intentional_overflow
97351+# define __intentional_overflow(...)
97352+#endif
97353+
97354+#ifndef __latent_entropy
97355+# define __latent_entropy
97356+#endif
97357+
97358+#ifndef __nocapture
97359+# define __nocapture(...)
97360+#endif
97361+
97362 /*
97363 * Tell gcc if a function is cold. The compiler will assume any path
97364 * directly leading to the call is unlikely.
97365@@ -379,6 +435,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
97366 #define __cold
97367 #endif
97368
97369+#ifndef __alloc_size
97370+#define __alloc_size(...)
97371+#endif
97372+
97373+#ifndef __bos
97374+#define __bos(ptr, arg)
97375+#endif
97376+
97377+#ifndef __bos0
97378+#define __bos0(ptr)
97379+#endif
97380+
97381+#ifndef __bos1
97382+#define __bos1(ptr)
97383+#endif
97384+
97385 /* Simple shorthand for a section definition */
97386 #ifndef __section
97387 # define __section(S) __attribute__ ((__section__(#S)))
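Review bot: The fallback definitions of `__bos`, `__bos0` and `__bos1` expand to nothing, so any expression that uses them, such as a size comparison in a bounds check, becomes a syntax error on a compiler that does not take the `GCC_VERSION >= 40300` path in compiler-gcc.h. The call sites are outside this chunk, so this is inferred from the macro shape only. A fallback that yields the "size unknown" value keeps such checks compiling and makes them pass harmlessly, e.g. `#define __bos0(ptr) ((size_t)-1)` and the same for `__bos1`. That matches what `__builtin_object_size` returns for types 0 and 1 when it cannot determine the size.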
97388@@ -393,6 +465,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
97389 # define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
97390 #endif
97391
97392+#define __type_is_unsigned(t) (__same_type((t)0, 0UL) || __same_type((t)0, 0U) || __same_type((t)0, (unsigned short)0) || __same_type((t)0, (unsigned char)0))
97393+
97394 /* Is this type a native word size -- useful for atomic operations */
97395 #ifndef __native_word
97396 # define __native_word(t) (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long))
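Review bot: `__type_is_unsigned(t)` compares against `0UL`, `0U`, `unsigned short` and `unsigned char` but not `unsigned long long`, so a 64-bit unsigned type on a 32-bit build would be reported as not unsigned. Adding `|| __same_type((t)0, 0ULL)` closes that gap. Plain `char` is also a distinct type from `unsigned char` for `__builtin_types_compatible_p`, so it is reported as signed even on architectures where `char` is unsigned. If that is intended, a one-line comment above the macro should say so.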
97397@@ -472,8 +546,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
97398 */
97399 #define __ACCESS_ONCE(x) ({ \
97400 __maybe_unused typeof(x) __var = (__force typeof(x)) 0; \
97401- (volatile typeof(x) *)&(x); })
97402+ (volatile const typeof(x) *)&(x); })
97403 #define ACCESS_ONCE(x) (*__ACCESS_ONCE(x))
97404+#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
97405
97406 /**
97407 * lockless_dereference() - safely load a pointer for later dereference
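Review bot: `ACCESS_ONCE_RW` drops the `__var` initialisation that `__ACCESS_ONCE` keeps, which looks like the compile-time guard restricting the macro to scalar types. Every write converted to the new macro would therefore lose that check and could be applied to an aggregate without a diagnostic. Keeping the guard costs nothing: `#define ACCESS_ONCE_RW(x) (*({ __maybe_unused typeof(x) __var = (__force typeof(x)) 0; (volatile typeof(x) *)&(x); }))`. A short comment should also say that `ACCESS_ONCE` is now read-only because of the added `const`, and that `ACCESS_ONCE_RW` is the form for stores. The explanatory comment for `__ACCESS_ONCE` starts outside this hunk.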
97408diff --git a/include/linux/configfs.h b/include/linux/configfs.h
97409index 63a36e8..26b0825 100644
97410--- a/include/linux/configfs.h
97411+++ b/include/linux/configfs.h
97412@@ -125,7 +125,7 @@ struct configfs_attribute {
97413 const char *ca_name;
97414 struct module *ca_owner;
97415 umode_t ca_mode;
97416-};
97417+} __do_const;
97418
97419 /*
97420 * Users often need to create attribute structures for their configurable
97421diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h
97422index bde1e56..168de74 100644
97423--- a/include/linux/cpufreq.h
97424+++ b/include/linux/cpufreq.h
97425@@ -211,6 +211,7 @@ struct global_attr {
97426 ssize_t (*store)(struct kobject *a, struct attribute *b,
97427 const char *c, size_t count);
97428 };
97429+typedef struct global_attr __no_const global_attr_no_const;
97430
97431 #define define_one_global_ro(_name) \
97432 static struct global_attr _name = \
97433@@ -282,7 +283,7 @@ struct cpufreq_driver {
97434 bool boost_supported;
97435 bool boost_enabled;
97436 int (*set_boost)(int state);
97437-};
97438+} __do_const;
97439
97440 /* flags */
97441 #define CPUFREQ_STICKY (1 << 0) /* driver isn't removed even if
97442diff --git a/include/linux/cpuidle.h b/include/linux/cpuidle.h
97443index d075d34..3b6734a 100644
97444--- a/include/linux/cpuidle.h
97445+++ b/include/linux/cpuidle.h
97446@@ -59,7 +59,8 @@ struct cpuidle_state {
97447 void (*enter_freeze) (struct cpuidle_device *dev,
97448 struct cpuidle_driver *drv,
97449 int index);
97450-};
97451+} __do_const;
97452+typedef struct cpuidle_state __no_const cpuidle_state_no_const;
97453
97454 /* Idle State Flags */
97455 #define CPUIDLE_FLAG_COUPLED (0x02) /* state applies to multiple cpus */
97456@@ -235,7 +236,7 @@ struct cpuidle_governor {
97457 void (*reflect) (struct cpuidle_device *dev, int index);
97458
97459 struct module *owner;
97460-};
97461+} __do_const;
97462
97463 #ifdef CONFIG_CPU_IDLE
97464 extern int cpuidle_register_governor(struct cpuidle_governor *gov);
97465diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
97466index 59915ea..81ebec0 100644
97467--- a/include/linux/cpumask.h
97468+++ b/include/linux/cpumask.h
97469@@ -127,17 +127,17 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
97470 }
97471
97472 /* Valid inputs for n are -1 and 0. */
97473-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
97474+static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
97475 {
97476 return n+1;
97477 }
97478
97479-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
97480+static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
97481 {
97482 return n+1;
97483 }
97484
97485-static inline unsigned int cpumask_next_and(int n,
97486+static inline unsigned int __intentional_overflow(-1) cpumask_next_and(int n,
97487 const struct cpumask *srcp,
97488 const struct cpumask *andp)
97489 {
97490@@ -181,7 +181,7 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
97491 *
97492 * Returns >= nr_cpu_ids if no further cpus set.
97493 */
97494-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
97495+static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
97496 {
97497 /* -1 is a legal arg here. */
97498 if (n != -1)
97499@@ -196,7 +196,7 @@ static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
97500 *
97501 * Returns >= nr_cpu_ids if no further cpus unset.
97502 */
97503-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
97504+static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
97505 {
97506 /* -1 is a legal arg here. */
97507 if (n != -1)
97508@@ -204,7 +204,7 @@ static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
97509 return find_next_zero_bit(cpumask_bits(srcp), nr_cpumask_bits, n+1);
97510 }
97511
97512-int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *);
97513+int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *) __intentional_overflow(-1);
97514 int cpumask_any_but(const struct cpumask *mask, unsigned int cpu);
97515 unsigned int cpumask_local_spread(unsigned int i, int node);
97516
97517@@ -471,7 +471,7 @@ static inline bool cpumask_full(const struct cpumask *srcp)
97518 * cpumask_weight - Count of bits in *srcp
97519 * @srcp: the cpumask to count bits (< nr_cpu_ids) in.
97520 */
97521-static inline unsigned int cpumask_weight(const struct cpumask *srcp)
97522+static inline unsigned int __intentional_overflow(-1) cpumask_weight(const struct cpumask *srcp)
97523 {
97524 return bitmap_weight(cpumask_bits(srcp), nr_cpumask_bits);
97525 }
97526diff --git a/include/linux/cred.h b/include/linux/cred.h
97527index 8b6c083..51cb9f5 100644
97528--- a/include/linux/cred.h
97529+++ b/include/linux/cred.h
97530@@ -35,7 +35,7 @@ struct group_info {
97531 int nblocks;
97532 kgid_t small_block[NGROUPS_SMALL];
97533 kgid_t *blocks[0];
97534-};
97535+} __randomize_layout;
97536
97537 /**
97538 * get_group_info - Get a reference to a group info structure
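Review bot: `struct group_info` ends in the zero-length array `kgid_t *blocks[0]`, which is only valid as the last member, and the hunk now marks the whole structure `__randomize_layout`. Whether the layout plugin pins a trailing zero-length array in place is not visible here, so this is worth confirming before relying on it. A comment on the member would record the dependency, e.g. `/* must stay last: relies on randomize_layout keeping trailing arrays in place */`. The structure definition begins outside the hunk.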
97539@@ -152,7 +152,7 @@ struct cred {
97540 struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
97541 struct group_info *group_info; /* supplementary groups for euid/fsgid */
97542 struct rcu_head rcu; /* RCU deletion hook */
97543-};
97544+} __randomize_layout;
97545
97546 extern void __put_cred(struct cred *);
97547 extern void exit_creds(struct task_struct *);
97548@@ -210,6 +210,9 @@ static inline void validate_creds_for_do_exit(struct task_struct *tsk)
97549 static inline void validate_process_creds(void)
97550 {
97551 }
97552+static inline void validate_task_creds(struct task_struct *task)
97553+{
97554+}
97555 #endif
97556
97557 /**
97558@@ -347,6 +350,7 @@ static inline void put_cred(const struct cred *_cred)
97559
97560 #define task_uid(task) (task_cred_xxx((task), uid))
97561 #define task_euid(task) (task_cred_xxx((task), euid))
97562+#define task_securebits(task) (task_cred_xxx((task), securebits))
97563
97564 #define current_cred_xxx(xxx) \
97565 ({ \
97566diff --git a/include/linux/crypto.h b/include/linux/crypto.h
97567index 81ef938..9ec0fdb 100644
97568--- a/include/linux/crypto.h
97569+++ b/include/linux/crypto.h
97570@@ -569,7 +569,7 @@ struct cipher_tfm {
97571 const u8 *key, unsigned int keylen);
97572 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
97573 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
97574-};
97575+} __no_const;
97576
97577 struct hash_tfm {
97578 int (*init)(struct hash_desc *desc);
97579@@ -590,7 +590,7 @@ struct compress_tfm {
97580 int (*cot_decompress)(struct crypto_tfm *tfm,
97581 const u8 *src, unsigned int slen,
97582 u8 *dst, unsigned int *dlen);
97583-};
97584+} __no_const;
97585
97586 #define crt_ablkcipher crt_u.ablkcipher
97587 #define crt_blkcipher crt_u.blkcipher
97588diff --git a/include/linux/ctype.h b/include/linux/ctype.h
97589index 653589e..4ef254a 100644
97590--- a/include/linux/ctype.h
97591+++ b/include/linux/ctype.h
97592@@ -56,7 +56,7 @@ static inline unsigned char __toupper(unsigned char c)
97593 * Fast implementation of tolower() for internal usage. Do not use in your
97594 * code.
97595 */
97596-static inline char _tolower(const char c)
97597+static inline unsigned char _tolower(const unsigned char c)
97598 {
97599 return c | 0x20;
97600 }
97601diff --git a/include/linux/dcache.h b/include/linux/dcache.h
97602index d67ae11..9ec20d2 100644
97603--- a/include/linux/dcache.h
97604+++ b/include/linux/dcache.h
97605@@ -123,6 +123,9 @@ struct dentry {
97606 unsigned long d_time; /* used by d_revalidate */
97607 void *d_fsdata; /* fs-specific data */
97608
97609+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
97610+ atomic_t chroot_refcnt; /* tracks use of directory in chroot */
97611+#endif
97612 struct list_head d_lru; /* LRU list */
97613 struct list_head d_child; /* child of parent list */
97614 struct list_head d_subdirs; /* our children */
97615@@ -133,7 +136,7 @@ struct dentry {
97616 struct hlist_node d_alias; /* inode alias list */
97617 struct rcu_head d_rcu;
97618 } d_u;
97619-};
97620+} __randomize_layout;
97621
97622 /*
97623 * dentry->d_lock spinlock nesting subclasses:
97624@@ -321,7 +324,7 @@ extern struct dentry *__d_lookup_rcu(const struct dentry *parent,
97625
97626 static inline unsigned d_count(const struct dentry *dentry)
97627 {
97628- return dentry->d_lockref.count;
97629+ return __lockref_read(&dentry->d_lockref);
97630 }
97631
97632 /*
97633@@ -350,7 +353,7 @@ extern char *dentry_path(struct dentry *, char *, int);
97634 static inline struct dentry *dget_dlock(struct dentry *dentry)
97635 {
97636 if (dentry)
97637- dentry->d_lockref.count++;
97638+ __lockref_inc(&dentry->d_lockref);
97639 return dentry;
97640 }
97641
97642diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h
97643index 7925bf0..d5143d2 100644
97644--- a/include/linux/decompress/mm.h
97645+++ b/include/linux/decompress/mm.h
97646@@ -77,7 +77,7 @@ static void free(void *where)
97647 * warnings when not needed (indeed large_malloc / large_free are not
97648 * needed by inflate */
97649
97650-#define malloc(a) kmalloc(a, GFP_KERNEL)
97651+#define malloc(a) kmalloc((a), GFP_KERNEL)
97652 #define free(a) kfree(a)
97653
97654 #define large_malloc(a) vmalloc(a)
97655diff --git a/include/linux/devfreq.h b/include/linux/devfreq.h
97656index ce447f0..83c66bd 100644
97657--- a/include/linux/devfreq.h
97658+++ b/include/linux/devfreq.h
97659@@ -114,7 +114,7 @@ struct devfreq_governor {
97660 int (*get_target_freq)(struct devfreq *this, unsigned long *freq);
97661 int (*event_handler)(struct devfreq *devfreq,
97662 unsigned int event, void *data);
97663-};
97664+} __do_const;
97665
97666 /**
97667 * struct devfreq - Device devfreq structure
97668diff --git a/include/linux/device.h b/include/linux/device.h
97669index a2b4ea7..b07dddd 100644
97670--- a/include/linux/device.h
97671+++ b/include/linux/device.h
97672@@ -342,7 +342,7 @@ struct subsys_interface {
97673 struct list_head node;
97674 int (*add_dev)(struct device *dev, struct subsys_interface *sif);
97675 int (*remove_dev)(struct device *dev, struct subsys_interface *sif);
97676-};
97677+} __do_const;
97678
97679 int subsys_interface_register(struct subsys_interface *sif);
97680 void subsys_interface_unregister(struct subsys_interface *sif);
97681@@ -538,7 +538,7 @@ struct device_type {
97682 void (*release)(struct device *dev);
97683
97684 const struct dev_pm_ops *pm;
97685-};
97686+} __do_const;
97687
97688 /* interface for exporting device attributes */
97689 struct device_attribute {
97690@@ -548,11 +548,12 @@ struct device_attribute {
97691 ssize_t (*store)(struct device *dev, struct device_attribute *attr,
97692 const char *buf, size_t count);
97693 };
97694+typedef struct device_attribute __no_const device_attribute_no_const;
97695
97696 struct dev_ext_attribute {
97697 struct device_attribute attr;
97698 void *var;
97699-};
97700+} __do_const;
97701
97702 ssize_t device_show_ulong(struct device *dev, struct device_attribute *attr,
97703 char *buf);
97704diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h
97705index ac07ff0..edff186 100644
97706--- a/include/linux/dma-mapping.h
97707+++ b/include/linux/dma-mapping.h
97708@@ -64,7 +64,7 @@ struct dma_map_ops {
97709 u64 (*get_required_mask)(struct device *dev);
97710 #endif
97711 int is_phys;
97712-};
97713+} __do_const;
97714
97715 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
97716
97717diff --git a/include/linux/efi.h b/include/linux/efi.h
97718index 85ef051..2714c3b 100644
97719--- a/include/linux/efi.h
97720+++ b/include/linux/efi.h
97721@@ -1073,6 +1073,7 @@ struct efivar_operations {
97722 efi_set_variable_nonblocking_t *set_variable_nonblocking;
97723 efi_query_variable_store_t *query_variable_store;
97724 };
97725+typedef struct efivar_operations __no_const efivar_operations_no_const;
97726
97727 struct efivars {
97728 /*
97729diff --git a/include/linux/elf.h b/include/linux/elf.h
97730index 20fa8d8..3d0dd18 100644
97731--- a/include/linux/elf.h
97732+++ b/include/linux/elf.h
97733@@ -29,6 +29,7 @@ extern Elf32_Dyn _DYNAMIC [];
97734 #define elf_note elf32_note
97735 #define elf_addr_t Elf32_Off
97736 #define Elf_Half Elf32_Half
97737+#define elf_dyn Elf32_Dyn
97738
97739 #else
97740
97741@@ -39,6 +40,7 @@ extern Elf64_Dyn _DYNAMIC [];
97742 #define elf_note elf64_note
97743 #define elf_addr_t Elf64_Off
97744 #define Elf_Half Elf64_Half
97745+#define elf_dyn Elf64_Dyn
97746
97747 #endif
97748
97749diff --git a/include/linux/err.h b/include/linux/err.h
97750index a729120..6ede2c9 100644
97751--- a/include/linux/err.h
97752+++ b/include/linux/err.h
97753@@ -20,12 +20,12 @@
97754
97755 #define IS_ERR_VALUE(x) unlikely((x) >= (unsigned long)-MAX_ERRNO)
97756
97757-static inline void * __must_check ERR_PTR(long error)
97758+static inline void * __must_check __intentional_overflow(-1) ERR_PTR(long error)
97759 {
97760 return (void *) error;
97761 }
97762
97763-static inline long __must_check PTR_ERR(__force const void *ptr)
97764+static inline long __must_check __intentional_overflow(-1) PTR_ERR(__force const void *ptr)
97765 {
97766 return (long) ptr;
97767 }
97768diff --git a/include/linux/extcon.h b/include/linux/extcon.h
97769index b16d929..d389bf1 100644
97770--- a/include/linux/extcon.h
97771+++ b/include/linux/extcon.h
97772@@ -120,7 +120,7 @@ struct extcon_dev {
97773 /* /sys/class/extcon/.../mutually_exclusive/... */
97774 struct attribute_group attr_g_muex;
97775 struct attribute **attrs_muex;
97776- struct device_attribute *d_attrs_muex;
97777+ device_attribute_no_const *d_attrs_muex;
97778 };
97779
97780 /**
97781diff --git a/include/linux/fb.h b/include/linux/fb.h
97782index 043f328..180ccbf 100644
97783--- a/include/linux/fb.h
97784+++ b/include/linux/fb.h
97785@@ -305,7 +305,8 @@ struct fb_ops {
97786 /* called at KDB enter and leave time to prepare the console */
97787 int (*fb_debug_enter)(struct fb_info *info);
97788 int (*fb_debug_leave)(struct fb_info *info);
97789-};
97790+} __do_const;
97791+typedef struct fb_ops __no_const fb_ops_no_const;
97792
97793 #ifdef CONFIG_FB_TILEBLITTING
97794 #define FB_TILE_CURSOR_NONE 0
97795diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h
97796index fbb8874..15c61e7 100644
97797--- a/include/linux/fdtable.h
97798+++ b/include/linux/fdtable.h
97799@@ -103,7 +103,7 @@ struct files_struct *get_files_struct(struct task_struct *);
97800 void put_files_struct(struct files_struct *fs);
97801 void reset_files_struct(struct files_struct *);
97802 int unshare_files(struct files_struct **);
97803-struct files_struct *dup_fd(struct files_struct *, int *);
97804+struct files_struct *dup_fd(struct files_struct *, int *) __latent_entropy;
97805 void do_close_on_exec(struct files_struct *);
97806 int iterate_fd(struct files_struct *, unsigned,
97807 int (*)(const void *, struct file *, unsigned),
97808diff --git a/include/linux/fs.h b/include/linux/fs.h
97809index 84b783f..b31767d 100644
97810--- a/include/linux/fs.h
97811+++ b/include/linux/fs.h
97812@@ -439,7 +439,7 @@ struct address_space {
97813 spinlock_t private_lock; /* for use by the address_space */
97814 struct list_head private_list; /* ditto */
97815 void *private_data; /* ditto */
97816-} __attribute__((aligned(sizeof(long))));
97817+} __attribute__((aligned(sizeof(long)))) __randomize_layout;
97818 /*
97819 * On most architectures that alignment is already the case; but
97820 * must be enforced here for CRIS, to let the least significant bit
97821@@ -482,7 +482,7 @@ struct block_device {
97822 int bd_fsfreeze_count;
97823 /* Mutex for freeze */
97824 struct mutex bd_fsfreeze_mutex;
97825-};
97826+} __randomize_layout;
97827
97828 /*
97829 * Radix-tree tags, for tagging dirty and writeback pages within the pagecache
97830@@ -677,7 +677,7 @@ struct inode {
97831 #endif
97832
97833 void *i_private; /* fs or device private pointer */
97834-};
97835+} __randomize_layout;
97836
97837 static inline int inode_unhashed(struct inode *inode)
97838 {
97839@@ -872,7 +872,7 @@ struct file {
97840 struct list_head f_tfile_llink;
97841 #endif /* #ifdef CONFIG_EPOLL */
97842 struct address_space *f_mapping;
97843-} __attribute__((aligned(4))); /* lest something weird decides that 2 is OK */
97844+} __attribute__((aligned(4))) __randomize_layout; /* lest something weird decides that 2 is OK */
97845
97846 struct file_handle {
97847 __u32 handle_bytes;
97848@@ -1001,7 +1001,7 @@ struct file_lock {
97849 int state; /* state of grant or error if -ve */
97850 } afs;
97851 } fl_u;
97852-};
97853+} __randomize_layout;
97854
97855 struct file_lock_context {
97856 spinlock_t flc_lock;
97857@@ -1380,7 +1380,7 @@ struct super_block {
97858 * Indicates how deep in a filesystem stack this SB is
97859 */
97860 int s_stack_depth;
97861-};
97862+} __randomize_layout;
97863
97864 extern struct timespec current_fs_time(struct super_block *sb);
97865
97866@@ -1632,7 +1632,8 @@ struct file_operations {
97867 #ifndef CONFIG_MMU
97868 unsigned (*mmap_capabilities)(struct file *);
97869 #endif
97870-};
97871+} __do_const __randomize_layout;
97872+typedef struct file_operations __no_const file_operations_no_const;
97873
97874 struct inode_operations {
97875 struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int);
97876@@ -2341,7 +2342,7 @@ extern int register_chrdev_region(dev_t, unsigned, const char *);
97877 extern int __register_chrdev(unsigned int major, unsigned int baseminor,
97878 unsigned int count, const char *name,
97879 const struct file_operations *fops);
97880-extern void __unregister_chrdev(unsigned int major, unsigned int baseminor,
97881+extern __nocapture(4) void __unregister_chrdev(unsigned int major, unsigned int baseminor,
97882 unsigned int count, const char *name);
97883 extern void unregister_chrdev_region(dev_t, unsigned);
97884 extern void chrdev_show(struct seq_file *,off_t);
97885@@ -3041,4 +3042,14 @@ static inline bool dir_relax(struct inode *inode)
97886 return !IS_DEADDIR(inode);
97887 }
97888
97889+static inline bool is_sidechannel_device(const struct inode *inode)
97890+{
97891+#ifdef CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL
97892+ umode_t mode = inode->i_mode;
97893+ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
97894+#else
97895+ return false;
97896+#endif
97897+}
97898+
97899 #endif /* _LINUX_FS_H */
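Review bot: `is_sidechannel_device()` is added without any comment, and its name does not say what it tests or why callers need it. From the body it returns true for a character or block device whose mode has an "other" read or write bit set, and only when `CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL` is enabled. The callers visible in this patch, in fsnotify.h, use it to skip access/modify notifications. A header comment would record that, e.g. `/* True for world-readable/writable char or block devices; callers suppress per-access notifications on these so one user cannot observe another's device activity. */`. Note that the test looks only at `S_IROTH | S_IWOTH`, so a device reachable through group bits or ACLs is not covered. If that is deliberate, the comment should say so.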
97900diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h
97901index 0efc3e6..fd23610 100644
97902--- a/include/linux/fs_struct.h
97903+++ b/include/linux/fs_struct.h
97904@@ -6,13 +6,13 @@
97905 #include <linux/seqlock.h>
97906
97907 struct fs_struct {
97908- int users;
97909+ atomic_t users;
97910 spinlock_t lock;
97911 seqcount_t seq;
97912 int umask;
97913 int in_exec;
97914 struct path root, pwd;
97915-};
97916+} __randomize_layout;
97917
97918 extern struct kmem_cache *fs_cachep;
97919
97920diff --git a/include/linux/fscache-cache.h b/include/linux/fscache-cache.h
97921index 604e152..5954d0d 100644
97922--- a/include/linux/fscache-cache.h
97923+++ b/include/linux/fscache-cache.h
97924@@ -117,7 +117,7 @@ struct fscache_operation {
97925 fscache_operation_release_t release;
97926 };
97927
97928-extern atomic_t fscache_op_debug_id;
97929+extern atomic_unchecked_t fscache_op_debug_id;
97930 extern void fscache_op_work_func(struct work_struct *work);
97931
97932 extern void fscache_enqueue_operation(struct fscache_operation *);
97933diff --git a/include/linux/fscache.h b/include/linux/fscache.h
97934index 115bb81..e7b812b 100644
97935--- a/include/linux/fscache.h
97936+++ b/include/linux/fscache.h
97937@@ -152,7 +152,7 @@ struct fscache_cookie_def {
97938 * - this is mandatory for any object that may have data
97939 */
97940 void (*now_uncached)(void *cookie_netfs_data);
97941-};
97942+} __do_const;
97943
97944 /*
97945 * fscache cached network filesystem type
97946diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
97947index 7ee1774..72505b8 100644
97948--- a/include/linux/fsnotify.h
97949+++ b/include/linux/fsnotify.h
97950@@ -197,6 +197,9 @@ static inline void fsnotify_access(struct file *file)
97951 struct inode *inode = file_inode(file);
97952 __u32 mask = FS_ACCESS;
97953
97954+ if (is_sidechannel_device(inode))
97955+ return;
97956+
97957 if (S_ISDIR(inode->i_mode))
97958 mask |= FS_ISDIR;
97959
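Review bot: The early `return` added to `fsnotify_access()`, and the identical one in `fsnotify_modify()` in the next hunk, drops the event for every watcher. That includes privileged inotify/fanotify consumers used for monitoring or auditing, not only unprivileged observers. A host-monitoring tool watching a world-accessible device node would silently stop receiving access/modify events once the option is enabled. If that trade-off is intended, it should be stated at the call site, e.g. `/* no events for world-accessible devices: hides access timing from other users, at the cost of hiding it from all watchers */`. Both function bodies continue outside their hunks.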
97960@@ -215,6 +218,9 @@ static inline void fsnotify_modify(struct file *file)
97961 struct inode *inode = file_inode(file);
97962 __u32 mask = FS_MODIFY;
97963
97964+ if (is_sidechannel_device(inode))
97965+ return;
97966+
97967 if (S_ISDIR(inode->i_mode))
97968 mask |= FS_ISDIR;
97969
97970@@ -317,7 +323,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid)
97971 */
97972 static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
97973 {
97974- return kstrdup(name, GFP_KERNEL);
97975+ return (const unsigned char *)kstrdup((const char *)name, GFP_KERNEL);
97976 }
97977
97978 /*
97979diff --git a/include/linux/genhd.h b/include/linux/genhd.h
97980index ec274e0..e678159 100644
97981--- a/include/linux/genhd.h
97982+++ b/include/linux/genhd.h
97983@@ -194,7 +194,7 @@ struct gendisk {
97984 struct kobject *slave_dir;
97985
97986 struct timer_rand_state *random;
97987- atomic_t sync_io; /* RAID */
97988+ atomic_unchecked_t sync_io; /* RAID */
97989 struct disk_events *ev;
97990 #ifdef CONFIG_BLK_DEV_INTEGRITY
97991 struct blk_integrity *integrity;
97992@@ -435,7 +435,7 @@ extern void disk_flush_events(struct gendisk *disk, unsigned int mask);
97993 extern unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask);
97994
97995 /* drivers/char/random.c */
97996-extern void add_disk_randomness(struct gendisk *disk);
97997+extern void add_disk_randomness(struct gendisk *disk) __latent_entropy;
97998 extern void rand_initialize_disk(struct gendisk *disk);
97999
98000 static inline sector_t get_start_sect(struct block_device *bdev)
98001diff --git a/include/linux/genl_magic_func.h b/include/linux/genl_magic_func.h
98002index 667c311..abac2a7 100644
98003--- a/include/linux/genl_magic_func.h
98004+++ b/include/linux/genl_magic_func.h
98005@@ -246,7 +246,7 @@ const char *CONCAT_(GENL_MAGIC_FAMILY, _genl_cmd_to_str)(__u8 cmd)
98006 },
98007
98008 #define ZZZ_genl_ops CONCAT_(GENL_MAGIC_FAMILY, _genl_ops)
98009-static struct genl_ops ZZZ_genl_ops[] __read_mostly = {
98010+static struct genl_ops ZZZ_genl_ops[] = {
98011 #include GENL_MAGIC_INCLUDE_FILE
98012 };
98013
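--- a/include/linux/gfp.h
+++ b/include/linux/gfp.h
@@ -35,6 +35,13 @@ struct vm_area_struct;
 #define ___GFP_NO_KSWAPD 0x400000u
 #define ___GFP_OTHER_NODE 0x800000u
 #define ___GFP_WRITE 0x1000000u
+
+#ifdef CONFIG_PAX_USERCOPY_SLABS
+#define ___GFP_USERCOPY 0x2000000u
+#else
+#define ___GFP_USERCOPY 0
+#endif
+
 /* If the above are modified, __GFP_BITS_SHIFT may need updating */
 
 /*
@@ -94,6 +101,7 @@ struct vm_area_struct;
 #define __GFP_NO_KSWAPD ((__force gfp_t)___GFP_NO_KSWAPD)
 #define __GFP_OTHER_NODE ((__force gfp_t)___GFP_OTHER_NODE) /* On behalf of other node */
 #define __GFP_WRITE ((__force gfp_t)___GFP_WRITE) /* Allocator intends to dirty page */
+#define __GFP_USERCOPY ((__force gfp_t)___GFP_USERCOPY)/* Allocator intends to copy page to/from userland */
 
 /*
 * This may seem redundant, but it's a way of annotating false positives vs.
@@ -101,7 +109,7 @@ struct vm_area_struct;
 */
 #define __GFP_NOTRACK_FALSE_POSITIVE (__GFP_NOTRACK)
 
-#define __GFP_BITS_SHIFT 25 /* Room for N __GFP_FOO bits */
+#define __GFP_BITS_SHIFT 26 /* Room for N __GFP_FOO bits */
 #define __GFP_BITS_MASK ((__force gfp_t)((1 << __GFP_BITS_SHIFT) - 1))
 
 /* This equals 0, but use constants in case they ever change */
@@ -146,6 +154,8 @@ struct vm_area_struct;
 /* 4GB DMA on some platforms */
 #define GFP_DMA32 __GFP_DMA32
 
+#define GFP_USERCOPY __GFP_USERCOPY
+
 /* Convert GFP flags to their corresponding migrate type */
 static inline int gfpflags_to_migratetype(const gfp_t gfp_flags)
 {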
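Review bot: In the first hunk the new `___GFP_USERCOPY` define has no comment saying why it collapses to 0 without CONFIG_PAX_USERCOPY_SLABS, so a reader can take `GFP_USERCOPY` for a flag that is always testable. With the option off, any `flags & __GFP_USERCOPY` check is constantly false, while `__GFP_BITS_SHIFT` is raised to 26 unconditionally in the third hunk. I would add a comment above the `#ifdef`, for example `/* Bit 25: allocation will be copied to/from userland; 0 (no-op) without CONFIG_PAX_USERCOPY_SLABS */`. The trailing comment on the `__GFP_USERCOPY` line in the second hunk also needs a space before `/*` to match its neighbours.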
98058diff --git a/include/linux/gracl.h b/include/linux/gracl.h
98059new file mode 100644
98060index 0000000..91858e4
98061--- /dev/null
98062+++ b/include/linux/gracl.h
98063@@ -0,0 +1,342 @@
98064+#ifndef GR_ACL_H
98065+#define GR_ACL_H
98066+
98067+#include <linux/grdefs.h>
98068+#include <linux/resource.h>
98069+#include <linux/capability.h>
98070+#include <linux/dcache.h>
98071+#include <asm/resource.h>
98072+
98073+/* Major status information */
98074+
98075+#define GR_VERSION "grsecurity 3.1"
98076+#define GRSECURITY_VERSION 0x3100
98077+
98078+enum {
98079+ GR_SHUTDOWN = 0,
98080+ GR_ENABLE = 1,
98081+ GR_SPROLE = 2,
98082+ GR_OLDRELOAD = 3,
98083+ GR_SEGVMOD = 4,
98084+ GR_STATUS = 5,
98085+ GR_UNSPROLE = 6,
98086+ GR_PASSSET = 7,
98087+ GR_SPROLEPAM = 8,
98088+ GR_RELOAD = 9,
98089+};
98090+
98091+/* Password setup definitions
98092+ * kernel/grhash.c */
98093+enum {
98094+ GR_PW_LEN = 128,
98095+ GR_SALT_LEN = 16,
98096+ GR_SHA_LEN = 32,
98097+};
98098+
98099+enum {
98100+ GR_SPROLE_LEN = 64,
98101+};
98102+
98103+enum {
98104+ GR_NO_GLOB = 0,
98105+ GR_REG_GLOB,
98106+ GR_CREATE_GLOB
98107+};
98108+
98109+#define GR_NLIMITS 32
98110+
98111+/* Begin Data Structures */
98112+
98113+struct sprole_pw {
98114+ unsigned char *rolename;
98115+ unsigned char salt[GR_SALT_LEN];
98116+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
98117+};
98118+
98119+struct name_entry {
98120+ __u32 key;
98121+ u64 inode;
98122+ dev_t device;
98123+ char *name;
98124+ __u16 len;
98125+ __u8 deleted;
98126+ struct name_entry *prev;
98127+ struct name_entry *next;
98128+};
98129+
98130+struct inodev_entry {
98131+ struct name_entry *nentry;
98132+ struct inodev_entry *prev;
98133+ struct inodev_entry *next;
98134+};
98135+
98136+struct acl_role_db {
98137+ struct acl_role_label **r_hash;
98138+ __u32 r_size;
98139+};
98140+
98141+struct inodev_db {
98142+ struct inodev_entry **i_hash;
98143+ __u32 i_size;
98144+};
98145+
98146+struct name_db {
98147+ struct name_entry **n_hash;
98148+ __u32 n_size;
98149+};
98150+
98151+struct crash_uid {
98152+ uid_t uid;
98153+ unsigned long expires;
98154+};
98155+
98156+struct gr_hash_struct {
98157+ void **table;
98158+ void **nametable;
98159+ void *first;
98160+ __u32 table_size;
98161+ __u32 used_size;
98162+ int type;
98163+};
98164+
98165+/* Userspace Grsecurity ACL data structures */
98166+
98167+struct acl_subject_label {
98168+ char *filename;
98169+ u64 inode;
98170+ dev_t device;
98171+ __u32 mode;
98172+ kernel_cap_t cap_mask;
98173+ kernel_cap_t cap_lower;
98174+ kernel_cap_t cap_invert_audit;
98175+
98176+ struct rlimit res[GR_NLIMITS];
98177+ __u32 resmask;
98178+
98179+ __u8 user_trans_type;
98180+ __u8 group_trans_type;
98181+ uid_t *user_transitions;
98182+ gid_t *group_transitions;
98183+ __u16 user_trans_num;
98184+ __u16 group_trans_num;
98185+
98186+ __u32 sock_families[2];
98187+ __u32 ip_proto[8];
98188+ __u32 ip_type;
98189+ struct acl_ip_label **ips;
98190+ __u32 ip_num;
98191+ __u32 inaddr_any_override;
98192+
98193+ __u32 crashes;
98194+ unsigned long expires;
98195+
98196+ struct acl_subject_label *parent_subject;
98197+ struct gr_hash_struct *hash;
98198+ struct acl_subject_label *prev;
98199+ struct acl_subject_label *next;
98200+
98201+ struct acl_object_label **obj_hash;
98202+ __u32 obj_hash_size;
98203+ __u16 pax_flags;
98204+};
98205+
98206+struct role_allowed_ip {
98207+ __u32 addr;
98208+ __u32 netmask;
98209+
98210+ struct role_allowed_ip *prev;
98211+ struct role_allowed_ip *next;
98212+};
98213+
98214+struct role_transition {
98215+ char *rolename;
98216+
98217+ struct role_transition *prev;
98218+ struct role_transition *next;
98219+};
98220+
98221+struct acl_role_label {
98222+ char *rolename;
98223+ uid_t uidgid;
98224+ __u16 roletype;
98225+
98226+ __u16 auth_attempts;
98227+ unsigned long expires;
98228+
98229+ struct acl_subject_label *root_label;
98230+ struct gr_hash_struct *hash;
98231+
98232+ struct acl_role_label *prev;
98233+ struct acl_role_label *next;
98234+
98235+ struct role_transition *transitions;
98236+ struct role_allowed_ip *allowed_ips;
98237+ uid_t *domain_children;
98238+ __u16 domain_child_num;
98239+
98240+ umode_t umask;
98241+
98242+ struct acl_subject_label **subj_hash;
98243+ __u32 subj_hash_size;
98244+};
98245+
98246+struct user_acl_role_db {
98247+ struct acl_role_label **r_table;
98248+ __u32 num_pointers; /* Number of allocations to track */
98249+ __u32 num_roles; /* Number of roles */
98250+ __u32 num_domain_children; /* Number of domain children */
98251+ __u32 num_subjects; /* Number of subjects */
98252+ __u32 num_objects; /* Number of objects */
98253+};
98254+
98255+struct acl_object_label {
98256+ char *filename;
98257+ u64 inode;
98258+ dev_t device;
98259+ __u32 mode;
98260+
98261+ struct acl_subject_label *nested;
98262+ struct acl_object_label *globbed;
98263+
98264+ /* next two structures not used */
98265+
98266+ struct acl_object_label *prev;
98267+ struct acl_object_label *next;
98268+};
98269+
98270+struct acl_ip_label {
98271+ char *iface;
98272+ __u32 addr;
98273+ __u32 netmask;
98274+ __u16 low, high;
98275+ __u8 mode;
98276+ __u32 type;
98277+ __u32 proto[8];
98278+
98279+ /* next two structures not used */
98280+
98281+ struct acl_ip_label *prev;
98282+ struct acl_ip_label *next;
98283+};
98284+
98285+struct gr_arg {
98286+ struct user_acl_role_db role_db;
98287+ unsigned char pw[GR_PW_LEN];
98288+ unsigned char salt[GR_SALT_LEN];
98289+ unsigned char sum[GR_SHA_LEN];
98290+ unsigned char sp_role[GR_SPROLE_LEN];
98291+ struct sprole_pw *sprole_pws;
98292+ dev_t segv_device;
98293+ u64 segv_inode;
98294+ uid_t segv_uid;
98295+ __u16 num_sprole_pws;
98296+ __u16 mode;
98297+};
98298+
98299+struct gr_arg_wrapper {
98300+ struct gr_arg *arg;
98301+ __u32 version;
98302+ __u32 size;
98303+};
98304+
98305+struct subject_map {
98306+ struct acl_subject_label *user;
98307+ struct acl_subject_label *kernel;
98308+ struct subject_map *prev;
98309+ struct subject_map *next;
98310+};
98311+
98312+struct acl_subj_map_db {
98313+ struct subject_map **s_hash;
98314+ __u32 s_size;
98315+};
98316+
98317+struct gr_policy_state {
98318+ struct sprole_pw **acl_special_roles;
98319+ __u16 num_sprole_pws;
98320+ struct acl_role_label *kernel_role;
98321+ struct acl_role_label *role_list;
98322+ struct acl_role_label *default_role;
98323+ struct acl_role_db acl_role_set;
98324+ struct acl_subj_map_db subj_map_set;
98325+ struct name_db name_set;
98326+ struct inodev_db inodev_set;
98327+};
98328+
98329+struct gr_alloc_state {
98330+ unsigned long alloc_stack_next;
98331+ unsigned long alloc_stack_size;
98332+ void **alloc_stack;
98333+};
98334+
98335+struct gr_reload_state {
98336+ struct gr_policy_state oldpolicy;
98337+ struct gr_alloc_state oldalloc;
98338+ struct gr_policy_state newpolicy;
98339+ struct gr_alloc_state newalloc;
98340+ struct gr_policy_state *oldpolicy_ptr;
98341+ struct gr_alloc_state *oldalloc_ptr;
98342+ unsigned char oldmode;
98343+};
98344+
98345+/* End Data Structures Section */
98346+
98347+/* Hash functions generated by empirical testing by Brad Spengler
98348+ Makes good use of the low bits of the inode. Generally 0-1 times
98349+ in loop for successful match. 0-3 for unsuccessful match.
98350+ Shift/add algorithm with modulus of table size and an XOR*/
98351+
98352+static __inline__ unsigned int
98353+gr_rhash(const uid_t uid, const __u16 type, const unsigned int sz)
98354+{
98355+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
98356+}
98357+
98358+ static __inline__ unsigned int
98359+gr_shash(const struct acl_subject_label *userp, const unsigned int sz)
98360+{
98361+ return ((const unsigned long)userp % sz);
98362+}
98363+
98364+static __inline__ unsigned int
98365+gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz)
98366+{
98367+ unsigned int rem;
98368+ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem);
98369+ return rem;
98370+}
98371+
98372+static __inline__ unsigned int
98373+gr_nhash(const char *name, const __u16 len, const unsigned int sz)
98374+{
98375+ return full_name_hash((const unsigned char *)name, len) % sz;
98376+}
98377+
98378+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
98379+ subj = NULL; \
98380+ iter = 0; \
98381+ while (iter < role->subj_hash_size) { \
98382+ if (subj == NULL) \
98383+ subj = role->subj_hash[iter]; \
98384+ if (subj == NULL) { \
98385+ iter++; \
98386+ continue; \
98387+ }
98388+
98389+#define FOR_EACH_SUBJECT_END(subj,iter) \
98390+ subj = subj->next; \
98391+ if (subj == NULL) \
98392+ iter++; \
98393+ }
98394+
98395+
98396+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
98397+ subj = role->hash->first; \
98398+ while (subj != NULL) {
98399+
98400+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
98401+ subj = subj->next; \
98402+ }
98403+
98404+#endif
98405+
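Review bot: `gr_rhash()` shifts a 32-bit value left by `16 + type`, which is undefined once `type` reaches 16, and the `roletype` field of `struct acl_role_label` is a `__u16` bitmask whose flags in grdefs.h go up to 0x0800. The callers are outside this hunk, so the function may only ever see GR_ROLE_USER or GR_ROLE_GROUP; if so the precondition should be written down, e.g. `/* type must be GR_ROLE_USER or GR_ROLE_GROUP: the shift count has to stay below 32 */`. Otherwise mask the count: `return ((((uid + type) << ((16 + type) & 31)) ^ uid) % sz);`. All four hash helpers also reduce by `sz` with no guard, so a zero table size derived from a loaded policy would divide by zero unless the loader rejects it first.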
98406diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h
98407new file mode 100644
98408index 0000000..af64092
98409--- /dev/null
98410+++ b/include/linux/gracl_compat.h
98411@@ -0,0 +1,156 @@
98412+#ifndef GR_ACL_COMPAT_H
98413+#define GR_ACL_COMPAT_H
98414+
98415+#include <linux/resource.h>
98416+#include <asm/resource.h>
98417+
98418+struct sprole_pw_compat {
98419+ compat_uptr_t rolename;
98420+ unsigned char salt[GR_SALT_LEN];
98421+ unsigned char sum[GR_SHA_LEN];
98422+};
98423+
98424+struct gr_hash_struct_compat {
98425+ compat_uptr_t table;
98426+ compat_uptr_t nametable;
98427+ compat_uptr_t first;
98428+ __u32 table_size;
98429+ __u32 used_size;
98430+ int type;
98431+};
98432+
98433+struct acl_subject_label_compat {
98434+ compat_uptr_t filename;
98435+ compat_u64 inode;
98436+ __u32 device;
98437+ __u32 mode;
98438+ kernel_cap_t cap_mask;
98439+ kernel_cap_t cap_lower;
98440+ kernel_cap_t cap_invert_audit;
98441+
98442+ struct compat_rlimit res[GR_NLIMITS];
98443+ __u32 resmask;
98444+
98445+ __u8 user_trans_type;
98446+ __u8 group_trans_type;
98447+ compat_uptr_t user_transitions;
98448+ compat_uptr_t group_transitions;
98449+ __u16 user_trans_num;
98450+ __u16 group_trans_num;
98451+
98452+ __u32 sock_families[2];
98453+ __u32 ip_proto[8];
98454+ __u32 ip_type;
98455+ compat_uptr_t ips;
98456+ __u32 ip_num;
98457+ __u32 inaddr_any_override;
98458+
98459+ __u32 crashes;
98460+ compat_ulong_t expires;
98461+
98462+ compat_uptr_t parent_subject;
98463+ compat_uptr_t hash;
98464+ compat_uptr_t prev;
98465+ compat_uptr_t next;
98466+
98467+ compat_uptr_t obj_hash;
98468+ __u32 obj_hash_size;
98469+ __u16 pax_flags;
98470+};
98471+
98472+struct role_allowed_ip_compat {
98473+ __u32 addr;
98474+ __u32 netmask;
98475+
98476+ compat_uptr_t prev;
98477+ compat_uptr_t next;
98478+};
98479+
98480+struct role_transition_compat {
98481+ compat_uptr_t rolename;
98482+
98483+ compat_uptr_t prev;
98484+ compat_uptr_t next;
98485+};
98486+
98487+struct acl_role_label_compat {
98488+ compat_uptr_t rolename;
98489+ uid_t uidgid;
98490+ __u16 roletype;
98491+
98492+ __u16 auth_attempts;
98493+ compat_ulong_t expires;
98494+
98495+ compat_uptr_t root_label;
98496+ compat_uptr_t hash;
98497+
98498+ compat_uptr_t prev;
98499+ compat_uptr_t next;
98500+
98501+ compat_uptr_t transitions;
98502+ compat_uptr_t allowed_ips;
98503+ compat_uptr_t domain_children;
98504+ __u16 domain_child_num;
98505+
98506+ umode_t umask;
98507+
98508+ compat_uptr_t subj_hash;
98509+ __u32 subj_hash_size;
98510+};
98511+
98512+struct user_acl_role_db_compat {
98513+ compat_uptr_t r_table;
98514+ __u32 num_pointers;
98515+ __u32 num_roles;
98516+ __u32 num_domain_children;
98517+ __u32 num_subjects;
98518+ __u32 num_objects;
98519+};
98520+
98521+struct acl_object_label_compat {
98522+ compat_uptr_t filename;
98523+ compat_u64 inode;
98524+ __u32 device;
98525+ __u32 mode;
98526+
98527+ compat_uptr_t nested;
98528+ compat_uptr_t globbed;
98529+
98530+ compat_uptr_t prev;
98531+ compat_uptr_t next;
98532+};
98533+
98534+struct acl_ip_label_compat {
98535+ compat_uptr_t iface;
98536+ __u32 addr;
98537+ __u32 netmask;
98538+ __u16 low, high;
98539+ __u8 mode;
98540+ __u32 type;
98541+ __u32 proto[8];
98542+
98543+ compat_uptr_t prev;
98544+ compat_uptr_t next;
98545+};
98546+
98547+struct gr_arg_compat {
98548+ struct user_acl_role_db_compat role_db;
98549+ unsigned char pw[GR_PW_LEN];
98550+ unsigned char salt[GR_SALT_LEN];
98551+ unsigned char sum[GR_SHA_LEN];
98552+ unsigned char sp_role[GR_SPROLE_LEN];
98553+ compat_uptr_t sprole_pws;
98554+ __u32 segv_device;
98555+ compat_u64 segv_inode;
98556+ uid_t segv_uid;
98557+ __u16 num_sprole_pws;
98558+ __u16 mode;
98559+};
98560+
98561+struct gr_arg_wrapper_compat {
98562+ compat_uptr_t arg;
98563+ __u32 version;
98564+ __u32 size;
98565+};
98566+
98567+#endif
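Review bot: This header is not self-contained: it uses `GR_SALT_LEN`, `GR_SHA_LEN`, `GR_NLIMITS`, `GR_PW_LEN` and `GR_SPROLE_LEN`, which the patch defines in gracl.h, plus `compat_uptr_t`, `compat_u64`, `compat_ulong_t`, `struct compat_rlimit` and `kernel_cap_t`, yet it includes only the two resource headers. It builds only if every user happens to include the right headers first. That is fragile for structs whose layout has to mirror policy data handed in by 32-bit userspace. I would add `#include <linux/compat.h>`, `#include <linux/capability.h>` and `#include <linux/gracl.h>` at the top.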
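--- /dev/null
+++ b/include/linux/gralloc.h
@@ -0,0 +1,9 @@
+#ifndef __GRALLOC_H
+#define __GRALLOC_H
+
+void acl_free_all(void);
+int acl_alloc_stack_init(unsigned long size);
+void *acl_alloc(unsigned long len);
+void *acl_alloc_num(unsigned long num, unsigned long len);
+
+#endif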
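Review bot: `acl_alloc_num(unsigned long num, unsigned long len)` takes a count and an element size, but nothing in the header says who is responsible for checking `num * len` for wrap-around or what is returned on failure. The definitions are outside this hunk; if the multiplication is unchecked there, counts taken from a userspace-supplied policy could yield an undersized allocation. Once the behaviour is confirmed I would document it on the prototype, e.g. `/* returns NULL if num * len overflows or the allocation fails */`, and state on `acl_free_all()` that it releases everything obtained through these allocators, if that is the case.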
98583diff --git a/include/linux/grdefs.h b/include/linux/grdefs.h
98584new file mode 100644
98585index 0000000..be66033
98586--- /dev/null
98587+++ b/include/linux/grdefs.h
98588@@ -0,0 +1,140 @@
98589+#ifndef GRDEFS_H
98590+#define GRDEFS_H
98591+
98592+/* Begin grsecurity status declarations */
98593+
98594+enum {
98595+ GR_READY = 0x01,
98596+ GR_STATUS_INIT = 0x00 // disabled state
98597+};
98598+
98599+/* Begin ACL declarations */
98600+
98601+/* Role flags */
98602+
98603+enum {
98604+ GR_ROLE_USER = 0x0001,
98605+ GR_ROLE_GROUP = 0x0002,
98606+ GR_ROLE_DEFAULT = 0x0004,
98607+ GR_ROLE_SPECIAL = 0x0008,
98608+ GR_ROLE_AUTH = 0x0010,
98609+ GR_ROLE_NOPW = 0x0020,
98610+ GR_ROLE_GOD = 0x0040,
98611+ GR_ROLE_LEARN = 0x0080,
98612+ GR_ROLE_TPE = 0x0100,
98613+ GR_ROLE_DOMAIN = 0x0200,
98614+ GR_ROLE_PAM = 0x0400,
98615+ GR_ROLE_PERSIST = 0x0800
98616+};
98617+
98618+/* ACL Subject and Object mode flags */
98619+enum {
98620+ GR_DELETED = 0x80000000
98621+};
98622+
98623+/* ACL Object-only mode flags */
98624+enum {
98625+ GR_READ = 0x00000001,
98626+ GR_APPEND = 0x00000002,
98627+ GR_WRITE = 0x00000004,
98628+ GR_EXEC = 0x00000008,
98629+ GR_FIND = 0x00000010,
98630+ GR_INHERIT = 0x00000020,
98631+ GR_SETID = 0x00000040,
98632+ GR_CREATE = 0x00000080,
98633+ GR_DELETE = 0x00000100,
98634+ GR_LINK = 0x00000200,
98635+ GR_AUDIT_READ = 0x00000400,
98636+ GR_AUDIT_APPEND = 0x00000800,
98637+ GR_AUDIT_WRITE = 0x00001000,
98638+ GR_AUDIT_EXEC = 0x00002000,
98639+ GR_AUDIT_FIND = 0x00004000,
98640+ GR_AUDIT_INHERIT= 0x00008000,
98641+ GR_AUDIT_SETID = 0x00010000,
98642+ GR_AUDIT_CREATE = 0x00020000,
98643+ GR_AUDIT_DELETE = 0x00040000,
98644+ GR_AUDIT_LINK = 0x00080000,
98645+ GR_PTRACERD = 0x00100000,
98646+ GR_NOPTRACE = 0x00200000,
98647+ GR_SUPPRESS = 0x00400000,
98648+ GR_NOLEARN = 0x00800000,
98649+ GR_INIT_TRANSFER= 0x01000000
98650+};
98651+
98652+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
98653+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
98654+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
98655+
98656+/* ACL subject-only mode flags */
98657+enum {
98658+ GR_KILL = 0x00000001,
98659+ GR_VIEW = 0x00000002,
98660+ GR_PROTECTED = 0x00000004,
98661+ GR_LEARN = 0x00000008,
98662+ GR_OVERRIDE = 0x00000010,
98663+ /* just a placeholder, this mode is only used in userspace */
98664+ GR_DUMMY = 0x00000020,
98665+ GR_PROTSHM = 0x00000040,
98666+ GR_KILLPROC = 0x00000080,
98667+ GR_KILLIPPROC = 0x00000100,
98668+ /* just a placeholder, this mode is only used in userspace */
98669+ GR_NOTROJAN = 0x00000200,
98670+ GR_PROTPROCFD = 0x00000400,
98671+ GR_PROCACCT = 0x00000800,
98672+ GR_RELAXPTRACE = 0x00001000,
98673+ //GR_NESTED = 0x00002000,
98674+ GR_INHERITLEARN = 0x00004000,
98675+ GR_PROCFIND = 0x00008000,
98676+ GR_POVERRIDE = 0x00010000,
98677+ GR_KERNELAUTH = 0x00020000,
98678+ GR_ATSECURE = 0x00040000,
98679+ GR_SHMEXEC = 0x00080000
98680+};
98681+
98682+enum {
98683+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
98684+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
98685+ GR_PAX_ENABLE_MPROTECT = 0x0004,
98686+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
98687+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
98688+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
98689+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
98690+ GR_PAX_DISABLE_MPROTECT = 0x0400,
98691+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
98692+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
98693+};
98694+
98695+enum {
98696+ GR_ID_USER = 0x01,
98697+ GR_ID_GROUP = 0x02,
98698+};
98699+
98700+enum {
98701+ GR_ID_ALLOW = 0x01,
98702+ GR_ID_DENY = 0x02,
98703+};
98704+
98705+#define GR_CRASH_RES 31
98706+#define GR_UIDTABLE_MAX 500
98707+
98708+/* begin resource learning section */
98709+enum {
98710+ GR_RLIM_CPU_BUMP = 60,
98711+ GR_RLIM_FSIZE_BUMP = 50000,
98712+ GR_RLIM_DATA_BUMP = 10000,
98713+ GR_RLIM_STACK_BUMP = 1000,
98714+ GR_RLIM_CORE_BUMP = 10000,
98715+ GR_RLIM_RSS_BUMP = 500000,
98716+ GR_RLIM_NPROC_BUMP = 1,
98717+ GR_RLIM_NOFILE_BUMP = 5,
98718+ GR_RLIM_MEMLOCK_BUMP = 50000,
98719+ GR_RLIM_AS_BUMP = 500000,
98720+ GR_RLIM_LOCKS_BUMP = 2,
98721+ GR_RLIM_SIGPENDING_BUMP = 5,
98722+ GR_RLIM_MSGQUEUE_BUMP = 10000,
98723+ GR_RLIM_NICE_BUMP = 1,
98724+ GR_RLIM_RTPRIO_BUMP = 1,
98725+ GR_RLIM_RTTIME_BUMP = 1000000
98726+};
98727+
98728+#endif
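Review bot: `GR_DELETED = 0x80000000` does not fit in `int`, and ISO C requires enumeration constants to be representable as `int`; it is accepted here only through the GCC extension that widens the enum. The flag is presumably tested against the `__u32 mode` fields declared in gracl.h, so an explicitly unsigned constant is the safer spelling: `#define GR_DELETED 0x80000000U`. Separately, the commented-out `//GR_NESTED = 0x00002000,` entry in the subject-mode enum would read better as `/* 0x00002000 unused (GR_NESTED) */`, so the gap in the bit assignments is clearly deliberate.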
98729diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
98730new file mode 100644
98731index 0000000..6245f9e
98732--- /dev/null
98733+++ b/include/linux/grinternal.h
98734@@ -0,0 +1,230 @@
98735+#ifndef __GRINTERNAL_H
98736+#define __GRINTERNAL_H
98737+
98738+#ifdef CONFIG_GRKERNSEC
98739+
98740+#include <linux/fs.h>
98741+#include <linux/mnt_namespace.h>
98742+#include <linux/nsproxy.h>
98743+#include <linux/gracl.h>
98744+#include <linux/grdefs.h>
98745+#include <linux/grmsg.h>
98746+
98747+void gr_add_learn_entry(const char *fmt, ...)
98748+ __attribute__ ((format (printf, 1, 2)));
98749+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
98750+ const struct vfsmount *mnt);
98751+__u32 gr_check_create(const struct dentry *new_dentry,
98752+ const struct dentry *parent,
98753+ const struct vfsmount *mnt, const __u32 mode);
98754+int gr_check_protected_task(const struct task_struct *task);
98755+__u32 to_gr_audit(const __u32 reqmode);
98756+int gr_set_acls(const int type);
98757+int gr_acl_is_enabled(void);
98758+char gr_roletype_to_char(void);
98759+
98760+void gr_handle_alertkill(struct task_struct *task);
98761+char *gr_to_filename(const struct dentry *dentry,
98762+ const struct vfsmount *mnt);
98763+char *gr_to_filename1(const struct dentry *dentry,
98764+ const struct vfsmount *mnt);
98765+char *gr_to_filename2(const struct dentry *dentry,
98766+ const struct vfsmount *mnt);
98767+char *gr_to_filename3(const struct dentry *dentry,
98768+ const struct vfsmount *mnt);
98769+
98770+extern int grsec_enable_ptrace_readexec;
98771+extern int grsec_enable_harden_ptrace;
98772+extern int grsec_enable_link;
98773+extern int grsec_enable_fifo;
98774+extern int grsec_enable_execve;
98775+extern int grsec_enable_shm;
98776+extern int grsec_enable_execlog;
98777+extern int grsec_enable_signal;
98778+extern int grsec_enable_audit_ptrace;
98779+extern int grsec_enable_forkfail;
98780+extern int grsec_enable_time;
98781+extern int grsec_enable_rofs;
98782+extern int grsec_deny_new_usb;
98783+extern int grsec_enable_chroot_shmat;
98784+extern int grsec_enable_chroot_mount;
98785+extern int grsec_enable_chroot_double;
98786+extern int grsec_enable_chroot_pivot;
98787+extern int grsec_enable_chroot_chdir;
98788+extern int grsec_enable_chroot_chmod;
98789+extern int grsec_enable_chroot_mknod;
98790+extern int grsec_enable_chroot_fchdir;
98791+extern int grsec_enable_chroot_nice;
98792+extern int grsec_enable_chroot_execlog;
98793+extern int grsec_enable_chroot_caps;
98794+extern int grsec_enable_chroot_rename;
98795+extern int grsec_enable_chroot_sysctl;
98796+extern int grsec_enable_chroot_unix;
98797+extern int grsec_enable_symlinkown;
98798+extern kgid_t grsec_symlinkown_gid;
98799+extern int grsec_enable_tpe;
98800+extern kgid_t grsec_tpe_gid;
98801+extern int grsec_enable_tpe_all;
98802+extern int grsec_enable_tpe_invert;
98803+extern int grsec_enable_socket_all;
98804+extern kgid_t grsec_socket_all_gid;
98805+extern int grsec_enable_socket_client;
98806+extern kgid_t grsec_socket_client_gid;
98807+extern int grsec_enable_socket_server;
98808+extern kgid_t grsec_socket_server_gid;
98809+extern kgid_t grsec_audit_gid;
98810+extern int grsec_enable_group;
98811+extern int grsec_enable_log_rwxmaps;
98812+extern int grsec_enable_mount;
98813+extern int grsec_enable_chdir;
98814+extern int grsec_resource_logging;
98815+extern int grsec_enable_blackhole;
98816+extern int grsec_lastack_retries;
98817+extern int grsec_enable_brute;
98818+extern int grsec_enable_harden_ipc;
98819+extern int grsec_lock;
98820+
98821+extern spinlock_t grsec_alert_lock;
98822+extern unsigned long grsec_alert_wtime;
98823+extern unsigned long grsec_alert_fyet;
98824+
98825+extern spinlock_t grsec_audit_lock;
98826+
98827+extern rwlock_t grsec_exec_file_lock;
98828+
98829+#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
98830+ gr_to_filename2((tsk)->exec_file->f_path.dentry, \
98831+ (tsk)->exec_file->f_path.mnt) : "/")
98832+
98833+#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
98834+ gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
98835+ (tsk)->real_parent->exec_file->f_path.mnt) : "/")
98836+
98837+#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
98838+ gr_to_filename((tsk)->exec_file->f_path.dentry, \
98839+ (tsk)->exec_file->f_path.mnt) : "/")
98840+
98841+#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
98842+ gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
98843+ (tsk)->real_parent->exec_file->f_path.mnt) : "/")
98844+
98845+#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
98846+
98847+#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
98848+
98849+static inline bool gr_is_same_file(const struct file *file1, const struct file *file2)
98850+{
98851+ if (file1 && file2) {
98852+ const struct inode *inode1 = file1->f_path.dentry->d_inode;
98853+ const struct inode *inode2 = file2->f_path.dentry->d_inode;
98854+ if (inode1->i_ino == inode2->i_ino && inode1->i_sb->s_dev == inode2->i_sb->s_dev)
98855+ return true;
98856+ }
98857+
98858+ return false;
98859+}
98860+
98861+#define GR_CHROOT_CAPS {{ \
98862+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
98863+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
98864+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
98865+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
98866+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
98867+ CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
98868+ CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_MAC_ADMIN) }}
98869+
98870+#define security_learn(normal_msg,args...) \
98871+({ \
98872+ read_lock(&grsec_exec_file_lock); \
98873+ gr_add_learn_entry(normal_msg "\n", ## args); \
98874+ read_unlock(&grsec_exec_file_lock); \
98875+})
98876+
98877+enum {
98878+ GR_DO_AUDIT,
98879+ GR_DONT_AUDIT,
98880+ /* used for non-audit messages that we shouldn't kill the task on */
98881+ GR_DONT_AUDIT_GOOD
98882+};
98883+
98884+enum {
98885+ GR_TTYSNIFF,
98886+ GR_RBAC,
98887+ GR_RBAC_STR,
98888+ GR_STR_RBAC,
98889+ GR_RBAC_MODE2,
98890+ GR_RBAC_MODE3,
98891+ GR_FILENAME,
98892+ GR_SYSCTL_HIDDEN,
98893+ GR_NOARGS,
98894+ GR_ONE_INT,
98895+ GR_ONE_INT_TWO_STR,
98896+ GR_ONE_STR,
98897+ GR_STR_INT,
98898+ GR_TWO_STR_INT,
98899+ GR_TWO_INT,
98900+ GR_TWO_U64,
98901+ GR_THREE_INT,
98902+ GR_FIVE_INT_TWO_STR,
98903+ GR_TWO_STR,
98904+ GR_THREE_STR,
98905+ GR_FOUR_STR,
98906+ GR_STR_FILENAME,
98907+ GR_FILENAME_STR,
98908+ GR_FILENAME_TWO_INT,
98909+ GR_FILENAME_TWO_INT_STR,
98910+ GR_TEXTREL,
98911+ GR_PTRACE,
98912+ GR_RESOURCE,
98913+ GR_CAP,
98914+ GR_SIG,
98915+ GR_SIG2,
98916+ GR_CRASH1,
98917+ GR_CRASH2,
98918+ GR_PSACCT,
98919+ GR_RWXMAP,
98920+ GR_RWXMAPVMA
98921+};
98922+
98923+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
98924+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
98925+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
98926+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
98927+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
98928+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
98929+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
98930+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
98931+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
98932+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
98933+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
98934+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
98935+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
98936+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
98937+#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
98938+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
98939+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
98940+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
98941+#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
98942+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
98943+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
98944+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
98945+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
98946+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
98947+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
98948+#define gr_log_textrel_ulong_ulong(audit, msg, str, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, str, file, ulong1, ulong2)
98949+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
98950+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
98951+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
98952+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
98953+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
98954+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
98955+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
98956+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
98957+#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
98958+#define gr_log_rwxmap_vma(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAPVMA, str)
98959+
98960+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
98961+
98962+#endif
98963+
98964+#endif
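Review bot: `gr_log_int5_str2()` selects `GR_FIVE_INT_TWO_STR` but forwards only two integers (`num1`, `num2`) and two strings to `gr_log_varargs()`. The variadic consumer is outside this hunk; if its `GR_FIVE_INT_TWO_STR` case pulls five `int`s with `va_arg`, it reads arguments that were never passed, which is undefined behaviour in a logging path that is reached while handling denied or suspicious operations. Either the macro should take and forward `num1` through `num5`, or the tag and macro should be renamed to match what is passed, e.g. `GR_TWO_INT_TWO_STR` and `gr_log_int2_str2`. Because `gr_log_varargs()` cannot carry a `format` attribute for these mixed argument lists, a short comment beside each tag in the enum giving the exact argument types would let the macro side and the consumer side be checked against each other.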
98965diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
98966new file mode 100644
98967index 0000000..3092b3c
98968--- /dev/null
98969+++ b/include/linux/grmsg.h
98970@@ -0,0 +1,118 @@
98971+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
98972+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
98973+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
98974+#define GR_STOPMOD_MSG "denied modification of module state by "
98975+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
98976+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
98977+#define GR_IOPERM_MSG "denied use of ioperm() by "
98978+#define GR_IOPL_MSG "denied use of iopl() by "
98979+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
98980+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
98981+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
98982+#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
98983+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
98984+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
98985+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
98986+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
98987+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
98988+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
98989+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
98990+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
98991+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
98992+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
98993+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
98994+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
98995+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
98996+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
98997+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
98998+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
98999+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
99000+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
99001+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
99002+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
99003+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
99004+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
99005+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
99006+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
99007+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
99008+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
99009+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
99010+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
99011+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
99012+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
99013+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
99014+#define GR_CHROOT_RENAME_MSG "denied bad rename of %.950s out of a chroot by "
99015+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
99016+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
99017+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
99018+#define GR_CHROOT_FHANDLE_MSG "denied use of file handles inside chroot by "
99019+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
99020+#define GR_SETXATTR_ACL_MSG "%s setting extended attribute of %.950s by "
99021+#define GR_REMOVEXATTR_ACL_MSG "%s removing extended attribute of %.950s by "
99022+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
99023+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
99024+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
99025+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbage by "
99026+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
99027+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
99028+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
99029+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
99030+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
99031+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
99032+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
99033+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
99034+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
99035+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
99036+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
99037+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
99038+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
99039+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
99040+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
99041+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
99042+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
99043+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
99044+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
99045+#define GR_FAILFORK_MSG "failed fork with errno %s by "
99046+#define GR_NICE_CHROOT_MSG "denied priority change by "
99047+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
99048+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
99049+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
99050+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
99051+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
99052+#define GR_TIME_MSG "time set by "
99053+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
99054+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
99055+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
99056+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
99057+#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
99058+#define GR_BIND_MSG "denied bind() by "
99059+#define GR_CONNECT_MSG "denied connect() by "
99060+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
99061+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
99062+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
99063+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
99064+#define GR_CAP_ACL_MSG "use of %s denied for "
99065+#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
99066+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
99067+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
99068+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
99069+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
99070+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
99071+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
99072+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
99073+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
99074+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
99075+#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
99076+#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
99077+#define GR_TEXTREL_AUDIT_MSG "allowed %s text relocation transition in %.950s, VMA:0x%08lx 0x%08lx by "
99078+#define GR_PTGNUSTACK_MSG "denied marking stack executable as requested by PT_GNU_STACK marking in %.950s by "
99079+#define GR_VM86_MSG "denied use of vm86 by "
99080+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
99081+#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by "
99082+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
99083+#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
99084+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
99085+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
99086+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
99087+#define GR_IPC_DENIED_MSG "denied %s of overly-permissive IPC object with creator uid %u by "
99088+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
99089diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
99090new file mode 100644
99091index 0000000..0ea4a82
99092--- /dev/null
99093+++ b/include/linux/grsecurity.h
99094@@ -0,0 +1,255 @@
99095+#ifndef GR_SECURITY_H
99096+#define GR_SECURITY_H
99097+#include <linux/fs.h>
99098+#include <linux/fs_struct.h>
99099+#include <linux/binfmts.h>
99100+#include <linux/gracl.h>
99101+
99102+/* notify of brain-dead configs */
99103+#if defined(CONFIG_DEBUG_FS) && defined(CONFIG_GRKERNSEC_KMEM)
99104+#error "CONFIG_DEBUG_FS being enabled is a security risk when CONFIG_GRKERNSEC_KMEM is enabled"
99105+#endif
99106+#if defined(CONFIG_PROC_PAGE_MONITOR) && defined(CONFIG_GRKERNSEC)
99107+#error "CONFIG_PROC_PAGE_MONITOR is a security risk"
99108+#endif
99109+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
99110+#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
99111+#endif
99112+#if defined(CONFIG_GRKERNSEC_PROC) && !defined(CONFIG_GRKERNSEC_PROC_USER) && !defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
99113+#error "CONFIG_GRKERNSEC_PROC enabled, but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP enabled"
99114+#endif
99115+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
99116+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
99117+#endif
99118+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
99119+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
99120+#endif
99121+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
99122+#error "CONFIG_PAX enabled, but no PaX options are enabled."
99123+#endif
99124+
99125+int gr_handle_new_usb(void);
99126+
99127+void gr_handle_brute_attach(int dumpable);
99128+void gr_handle_brute_check(void);
99129+void gr_handle_kernel_exploit(void);
99130+
99131+char gr_roletype_to_char(void);
99132+
99133+int gr_proc_is_restricted(void);
99134+
99135+int gr_acl_enable_at_secure(void);
99136+
99137+int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
99138+int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
99139+
99140+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap);
99141+
99142+void gr_del_task_from_ip_table(struct task_struct *p);
99143+
99144+int gr_pid_is_chrooted(struct task_struct *p);
99145+int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
99146+int gr_handle_chroot_nice(void);
99147+int gr_handle_chroot_sysctl(const int op);
99148+int gr_handle_chroot_setpriority(struct task_struct *p,
99149+ const int niceval);
99150+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
99151+int gr_chroot_fhandle(void);
99152+int gr_handle_chroot_chroot(const struct dentry *dentry,
99153+ const struct vfsmount *mnt);
99154+void gr_handle_chroot_chdir(const struct path *path);
99155+int gr_handle_chroot_chmod(const struct dentry *dentry,
99156+ const struct vfsmount *mnt, const int mode);
99157+int gr_handle_chroot_mknod(const struct dentry *dentry,
99158+ const struct vfsmount *mnt, const int mode);
99159+int gr_handle_chroot_mount(const struct dentry *dentry,
99160+ const struct vfsmount *mnt,
99161+ const char *dev_name);
99162+int gr_handle_chroot_pivot(void);
99163+int gr_handle_chroot_unix(const pid_t pid);
99164+
99165+int gr_handle_rawio(const struct inode *inode);
99166+
99167+void gr_handle_ioperm(void);
99168+void gr_handle_iopl(void);
99169+void gr_handle_msr_write(void);
99170+
99171+umode_t gr_acl_umask(void);
99172+
99173+int gr_tpe_allow(const struct file *file);
99174+
99175+void gr_set_chroot_entries(struct task_struct *task, const struct path *path);
99176+void gr_clear_chroot_entries(struct task_struct *task);
99177+
99178+void gr_log_forkfail(const int retval);
99179+void gr_log_timechange(void);
99180+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
99181+void gr_log_chdir(const struct dentry *dentry,
99182+ const struct vfsmount *mnt);
99183+void gr_log_chroot_exec(const struct dentry *dentry,
99184+ const struct vfsmount *mnt);
99185+void gr_log_remount(const char *devname, const int retval);
99186+void gr_log_unmount(const char *devname, const int retval);
99187+void gr_log_mount(const char *from, struct path *to, const int retval);
99188+void gr_log_textrel(struct vm_area_struct *vma, bool is_textrel_rw);
99189+void gr_log_ptgnustack(struct file *file);
99190+void gr_log_rwxmmap(struct file *file);
99191+void gr_log_rwxmprotect(struct vm_area_struct *vma);
99192+
99193+int gr_handle_follow_link(const struct dentry *dentry,
99194+ const struct vfsmount *mnt);
99195+int gr_handle_fifo(const struct dentry *dentry,
99196+ const struct vfsmount *mnt,
99197+ const struct dentry *dir, const int flag,
99198+ const int acc_mode);
99199+int gr_handle_hardlink(const struct dentry *dentry,
99200+ const struct vfsmount *mnt,
99201+ const struct filename *to);
99202+
99203+int gr_is_capable(const int cap);
99204+int gr_is_capable_nolog(const int cap);
99205+int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
99206+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap);
99207+
99208+void gr_copy_label(struct task_struct *tsk);
99209+void gr_handle_crash(struct task_struct *task, const int sig);
99210+int gr_handle_signal(const struct task_struct *p, const int sig);
99211+int gr_check_crash_uid(const kuid_t uid);
99212+int gr_check_protected_task(const struct task_struct *task);
99213+int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
99214+int gr_acl_handle_mmap(const struct file *file,
99215+ const unsigned long prot);
99216+int gr_acl_handle_mprotect(const struct file *file,
99217+ const unsigned long prot);
99218+int gr_check_hidden_task(const struct task_struct *tsk);
99219+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
99220+ const struct vfsmount *mnt);
99221+__u32 gr_acl_handle_utime(const struct dentry *dentry,
99222+ const struct vfsmount *mnt);
99223+__u32 gr_acl_handle_access(const struct dentry *dentry,
99224+ const struct vfsmount *mnt, const int fmode);
99225+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
99226+ const struct vfsmount *mnt, umode_t *mode);
99227+__u32 gr_acl_handle_chown(const struct dentry *dentry,
99228+ const struct vfsmount *mnt);
99229+__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
99230+ const struct vfsmount *mnt);
99231+__u32 gr_acl_handle_removexattr(const struct dentry *dentry,
99232+ const struct vfsmount *mnt);
99233+int gr_handle_ptrace(struct task_struct *task, const long request);
99234+int gr_handle_proc_ptrace(struct task_struct *task);
99235+__u32 gr_acl_handle_execve(const struct dentry *dentry,
99236+ const struct vfsmount *mnt);
99237+int gr_check_crash_exec(const struct file *filp);
99238+int gr_acl_is_enabled(void);
99239+void gr_set_role_label(struct task_struct *task, const kuid_t uid,
99240+ const kgid_t gid);
99241+int gr_set_proc_label(const struct dentry *dentry,
99242+ const struct vfsmount *mnt,
99243+ const int unsafe_flags);
99244+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
99245+ const struct vfsmount *mnt);
99246+__u32 gr_acl_handle_open(const struct dentry *dentry,
99247+ const struct vfsmount *mnt, int acc_mode);
99248+__u32 gr_acl_handle_creat(const struct dentry *dentry,
99249+ const struct dentry *p_dentry,
99250+ const struct vfsmount *p_mnt,
99251+ int open_flags, int acc_mode, const int imode);
99252+void gr_handle_create(const struct dentry *dentry,
99253+ const struct vfsmount *mnt);
99254+void gr_handle_proc_create(const struct dentry *dentry,
99255+ const struct inode *inode);
99256+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
99257+ const struct dentry *parent_dentry,
99258+ const struct vfsmount *parent_mnt,
99259+ const int mode);
99260+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
99261+ const struct dentry *parent_dentry,
99262+ const struct vfsmount *parent_mnt);
99263+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
99264+ const struct vfsmount *mnt);
99265+void gr_handle_delete(const u64 ino, const dev_t dev);
99266+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
99267+ const struct vfsmount *mnt);
99268+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
99269+ const struct dentry *parent_dentry,
99270+ const struct vfsmount *parent_mnt,
99271+ const struct filename *from);
99272+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
99273+ const struct dentry *parent_dentry,
99274+ const struct vfsmount *parent_mnt,
99275+ const struct dentry *old_dentry,
99276+ const struct vfsmount *old_mnt, const struct filename *to);
99277+int gr_handle_symlink_owner(const struct path *link, const struct inode *target);
99278+int gr_acl_handle_rename(struct dentry *new_dentry,
99279+ struct dentry *parent_dentry,
99280+ const struct vfsmount *parent_mnt,
99281+ struct dentry *old_dentry,
99282+ struct inode *old_parent_inode,
99283+ struct vfsmount *old_mnt, const struct filename *newname, unsigned int flags);
99284+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
99285+ struct dentry *old_dentry,
99286+ struct dentry *new_dentry,
99287+ struct vfsmount *mnt, const __u8 replace, unsigned int flags);
99288+__u32 gr_check_link(const struct dentry *new_dentry,
99289+ const struct dentry *parent_dentry,
99290+ const struct vfsmount *parent_mnt,
99291+ const struct dentry *old_dentry,
99292+ const struct vfsmount *old_mnt);
99293+int gr_acl_handle_filldir(const struct file *file, const char *name,
99294+ const unsigned int namelen, const u64 ino);
99295+
99296+__u32 gr_acl_handle_unix(const struct dentry *dentry,
99297+ const struct vfsmount *mnt);
99298+void gr_acl_handle_exit(void);
99299+void gr_acl_handle_psacct(struct task_struct *task, const long code);
99300+int gr_acl_handle_procpidmem(const struct task_struct *task);
99301+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
99302+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
99303+void gr_audit_ptrace(struct task_struct *task);
99304+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
99305+u64 gr_get_ino_from_dentry(struct dentry *dentry);
99306+void gr_put_exec_file(struct task_struct *task);
99307+
99308+int gr_get_symlinkown_enabled(void);
99309+
99310+int gr_ptrace_readexec(struct file *file, int unsafe_flags);
99311+
99312+void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
99313+void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
99314+int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
99315+ struct dentry *newdentry, struct vfsmount *newmnt);
99316+
99317+#ifdef CONFIG_GRKERNSEC_RESLOG
99318+extern void gr_log_resource(const struct task_struct *task, const int res,
99319+ const unsigned long wanted, const int gt);
99320+#else
99321+static inline void gr_log_resource(const struct task_struct *task, const int res,
99322+ const unsigned long wanted, const int gt)
99323+{
99324+}
99325+#endif
99326+
99327+#ifdef CONFIG_GRKERNSEC
99328+void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
99329+void gr_handle_vm86(void);
99330+void gr_handle_mem_readwrite(u64 from, u64 to);
99331+
99332+void gr_log_badprocpid(const char *entry);
99333+
99334+extern int grsec_enable_dmesg;
99335+extern int grsec_disable_privio;
99336+
99337+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
99338+extern kgid_t grsec_proc_gid;
99339+#endif
99340+
99341+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
99342+extern int grsec_enable_chroot_findtask;
99343+#endif
99344+#ifdef CONFIG_GRKERNSEC_SETXID
99345+extern int grsec_enable_setxid;
99346+#endif
99347+#endif
99348+
99349+#endif
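Review bot: None of the prototypes in this new header states its return convention, and the types are mixed: most `gr_acl_handle_*` hooks return `__u32`, while `gr_acl_handle_mmap()`, `gr_acl_handle_mprotect()`, `gr_acl_handle_rename()` and the `gr_handle_*`/`gr_check_*` hooks return `int`. Nothing visible here says whether a non-zero result means "deny" or "access granted", and a call site that applies the wrong convention to a hook would fail open. I would add a short block comment above each group, along the lines of `/* returns non-zero when the operation must be refused */` and `/* returns the granted mode bits, 0 when access is refused */`. The wording needs confirming against the implementations, which are outside this hunk.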
99350diff --git a/include/linux/grsock.h b/include/linux/grsock.h
99351new file mode 100644
99352index 0000000..e7ffaaf
99353--- /dev/null
99354+++ b/include/linux/grsock.h
99355@@ -0,0 +1,19 @@
99356+#ifndef __GRSOCK_H
99357+#define __GRSOCK_H
99358+
99359+extern void gr_attach_curr_ip(const struct sock *sk);
99360+extern int gr_handle_sock_all(const int family, const int type,
99361+ const int protocol);
99362+extern int gr_handle_sock_server(const struct sockaddr *sck);
99363+extern int gr_handle_sock_server_other(const struct sock *sck);
99364+extern int gr_handle_sock_client(const struct sockaddr *sck);
99365+extern int gr_search_connect(struct socket * sock,
99366+ struct sockaddr_in * addr);
99367+extern int gr_search_bind(struct socket * sock,
99368+ struct sockaddr_in * addr);
99369+extern int gr_search_listen(struct socket * sock);
99370+extern int gr_search_accept(struct socket * sock);
99371+extern int gr_search_socket(const int domain, const int type,
99372+ const int protocol);
99373+
99374+#endif
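Review bot: This header names `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in` in its prototypes but includes nothing and forward-declares nothing, so it only works when the including file has already pulled in the socket headers. If it is included first, each tag is declared with prototype scope and the declarations no longer match the real types (compilers warn about a struct declared inside a parameter list). Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` right after the include guard would make the header self-contained.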
99375diff --git a/include/linux/highmem.h b/include/linux/highmem.h
99376index 6aefcd0..98b81dc 100644
99377--- a/include/linux/highmem.h
99378+++ b/include/linux/highmem.h
99379@@ -191,6 +191,18 @@ static inline void clear_highpage(struct page *page)
99380 kunmap_atomic(kaddr);
99381 }
99382
99383+static inline void sanitize_highpage(struct page *page)
99384+{
99385+ void *kaddr;
99386+ unsigned long flags;
99387+
99388+ local_irq_save(flags);
99389+ kaddr = kmap_atomic(page);
99390+ clear_page(kaddr);
99391+ kunmap_atomic(kaddr);
99392+ local_irq_restore(flags);
99393+}
99394+
99395 static inline void zero_user_segments(struct page *page,
99396 unsigned start1, unsigned end1,
99397 unsigned start2, unsigned end2)
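Review bot: `sanitize_highpage()` repeats `clear_highpage()` with the mapping bracketed by `local_irq_save()`/`local_irq_restore()`, and no comment says why interrupts must be off here when the existing helper does not need it. A comment should name the calling context that requires it, for instance `/* called while freeing pages; IRQs stay off for the lifetime of the atomic mapping */`, worded after checking the callers, which are not in this hunk. Without it a later cleanup could fold the function back into `clear_highpage()` and silently drop the protection. The `zero_user_segments()` definition in the trailing context continues outside the hunk.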
99398diff --git a/include/linux/hwmon-sysfs.h b/include/linux/hwmon-sysfs.h
99399index 1c7b89a..7dda400 100644
99400--- a/include/linux/hwmon-sysfs.h
99401+++ b/include/linux/hwmon-sysfs.h
99402@@ -25,7 +25,8 @@
99403 struct sensor_device_attribute{
99404 struct device_attribute dev_attr;
99405 int index;
99406-};
99407+} __do_const;
99408+typedef struct sensor_device_attribute __no_const sensor_device_attribute_no_const;
99409 #define to_sensor_dev_attr(_dev_attr) \
99410 container_of(_dev_attr, struct sensor_device_attribute, dev_attr)
99411
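Review bot: The `sensor_device_attribute_no_const` typedef added next to `__do_const` has no comment saying when the writable variant may be used. Presumably `__do_const` asks the constify plugin to make instances read-only and the typedef is the opt-out for attributes that are filled in at runtime; each use of the typedef leaves that instance writable. I would add `/* use the _no_const typedef only for attributes built at runtime; static tables stay constified */` above it. The same applies to `sensor_device_attribute_2_no_const` in the next hunk and to `i2c_algorithm_no_const` in include/linux/i2c.h.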
99412@@ -41,7 +42,8 @@ struct sensor_device_attribute_2 {
99413 struct device_attribute dev_attr;
99414 u8 index;
99415 u8 nr;
99416-};
99417+} __do_const;
99418+typedef struct sensor_device_attribute_2 __no_const sensor_device_attribute_2_no_const;
99419 #define to_sensor_dev_attr_2(_dev_attr) \
99420 container_of(_dev_attr, struct sensor_device_attribute_2, dev_attr)
99421
99422diff --git a/include/linux/i2c.h b/include/linux/i2c.h
99423index e83a738..8b323fa 100644
99424--- a/include/linux/i2c.h
99425+++ b/include/linux/i2c.h
99426@@ -409,6 +409,7 @@ struct i2c_algorithm {
99427 int (*unreg_slave)(struct i2c_client *client);
99428 #endif
99429 };
99430+typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
99431
99432 /**
99433 * struct i2c_bus_recovery_info - I2C bus recovery information
99434diff --git a/include/linux/if_pppox.h b/include/linux/if_pppox.h
99435index b49cf92..0c29072 100644
99436--- a/include/linux/if_pppox.h
99437+++ b/include/linux/if_pppox.h
99438@@ -78,7 +78,7 @@ struct pppox_proto {
99439 int (*ioctl)(struct socket *sock, unsigned int cmd,
99440 unsigned long arg);
99441 struct module *owner;
99442-};
99443+} __do_const;
99444
99445 extern int register_pppox_proto(int proto_num, const struct pppox_proto *pp);
99446 extern void unregister_pppox_proto(int proto_num);
99447diff --git a/include/linux/init.h b/include/linux/init.h
99448index b449f37..61005b3 100644
99449--- a/include/linux/init.h
99450+++ b/include/linux/init.h
99451@@ -37,9 +37,17 @@
99452 * section.
99453 */
99454
99455+#define add_init_latent_entropy __latent_entropy
99456+
99457+#ifdef CONFIG_MEMORY_HOTPLUG
99458+#define add_meminit_latent_entropy
99459+#else
99460+#define add_meminit_latent_entropy __latent_entropy
99461+#endif
99462+
99463 /* These are for everybody (although not all archs will actually
99464 discard it in modules) */
99465-#define __init __section(.init.text) __cold notrace
99466+#define __init __section(.init.text) __cold notrace add_init_latent_entropy
99467 #define __initdata __section(.init.data)
99468 #define __initconst __constsection(.init.rodata)
99469 #define __exitdata __section(.exit.data)
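Review bot: `add_meminit_latent_entropy` expands to nothing under `CONFIG_MEMORY_HOTPLUG` and no comment gives the reason. My guess is that `__meminit` code is kept and can run after boot when hotplug is enabled, so it is left uninstrumented, but the hunk does not say so. A line such as `/* with MEMORY_HOTPLUG, __meminit code is not init-only, so it is left uninstrumented */`, corrected to the real reason, would keep someone from "fixing" the asymmetry later. The `__meminit` definition that consumes the macro is in the following hunk.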
99470@@ -92,7 +100,7 @@
99471 #define __exit __section(.exit.text) __exitused __cold notrace
99472
99473 /* Used for MEMORY_HOTPLUG */
99474-#define __meminit __section(.meminit.text) __cold notrace
99475+#define __meminit __section(.meminit.text) __cold notrace add_meminit_latent_entropy
99476 #define __meminitdata __section(.meminit.data)
99477 #define __meminitconst __constsection(.meminit.rodata)
99478 #define __memexit __section(.memexit.text) __exitused __cold notrace
99479diff --git a/include/linux/init_task.h b/include/linux/init_task.h
99480index e8493fe..8684844 100644
99481--- a/include/linux/init_task.h
99482+++ b/include/linux/init_task.h
99483@@ -149,6 +149,12 @@ extern struct task_group root_task_group;
99484
99485 #define INIT_TASK_COMM "swapper"
99486
99487+#ifdef CONFIG_X86
99488+#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
99489+#else
99490+#define INIT_TASK_THREAD_INFO
99491+#endif
99492+
99493 #ifdef CONFIG_RT_MUTEXES
99494 # define INIT_RT_MUTEXES(tsk) \
99495 .pi_waiters = RB_ROOT, \
99496@@ -215,6 +221,7 @@ extern struct task_group root_task_group;
99497 RCU_POINTER_INITIALIZER(cred, &init_cred), \
99498 .comm = INIT_TASK_COMM, \
99499 .thread = INIT_THREAD, \
99500+ INIT_TASK_THREAD_INFO \
99501 .fs = &init_fs, \
99502 .files = &init_files, \
99503 .signal = &init_signals, \
99504diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
99505index be7e75c..09bec77 100644
99506--- a/include/linux/interrupt.h
99507+++ b/include/linux/interrupt.h
99508@@ -433,8 +433,8 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
99509
99510 struct softirq_action
99511 {
99512- void (*action)(struct softirq_action *);
99513-};
99514+ void (*action)(void);
99515+} __no_const;
99516
99517 asmlinkage void do_softirq(void);
99518 asmlinkage void __do_softirq(void);
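Review bot: Changing `action` to `void (*)(void)` changes the contract for every softirq handler, and a handler still written as `void f(struct softirq_action *)` and passed to `open_softirq()` draws only an incompatible-pointer-type warning in C; calling it through the new type is then undefined behaviour. The handlers themselves are converted outside this hunk, so it is worth confirming that none is left behind and that stale out-of-tree handlers break the build, for example with `-Werror=incompatible-pointer-types`. A comment on the member such as `/* handlers take no argument; the softirq_action pointer was dropped */` would document the new contract. The matching `open_softirq()` prototype change is in the next hunk.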
99519@@ -448,7 +448,7 @@ static inline void do_softirq_own_stack(void)
99520 }
99521 #endif
99522
99523-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
99524+extern void open_softirq(int nr, void (*action)(void));
99525 extern void softirq_init(void);
99526 extern void __raise_softirq_irqoff(unsigned int nr);
99527
99528diff --git a/include/linux/iommu.h b/include/linux/iommu.h
99529index f9c1b6d..db7d6f5 100644
99530--- a/include/linux/iommu.h
99531+++ b/include/linux/iommu.h
99532@@ -192,7 +192,7 @@ struct iommu_ops {
99533
99534 unsigned long pgsize_bitmap;
99535 void *priv;
99536-};
99537+} __do_const;
99538
99539 #define IOMMU_GROUP_NOTIFY_ADD_DEVICE 1 /* Device added */
99540 #define IOMMU_GROUP_NOTIFY_DEL_DEVICE 2 /* Pre Device removed */
99541diff --git a/include/linux/ioport.h b/include/linux/ioport.h
99542index 388e3ae..d7e45a1 100644
99543--- a/include/linux/ioport.h
99544+++ b/include/linux/ioport.h
99545@@ -161,7 +161,7 @@ struct resource *lookup_resource(struct resource *root, resource_size_t start);
99546 int adjust_resource(struct resource *res, resource_size_t start,
99547 resource_size_t size);
99548 resource_size_t resource_alignment(struct resource *res);
99549-static inline resource_size_t resource_size(const struct resource *res)
99550+static inline resource_size_t __intentional_overflow(-1) resource_size(const struct resource *res)
99551 {
99552 return res->end - res->start + 1;
99553 }
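Review bot: `resource_size()` is marked `__intentional_overflow(-1)` with no comment on which wrap is expected, and `res->end - res->start + 1` does wrap to 0 both for a resource spanning the whole address range and for one whose `end` is `start - 1`. Callers that size a mapping or allocation from the result then see 0 with the overflow check switched off. I would document the intent on the function, e.g. `/* wraps by design: end == start - 1 encodes an empty resource and yields 0 */`, if that is indeed the reason. The comment should also say that callers must treat 0 as "empty or full range" themselves.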
99554diff --git a/include/linux/ipc.h b/include/linux/ipc.h
99555index 9d84942..12d5bdf 100644
99556--- a/include/linux/ipc.h
99557+++ b/include/linux/ipc.h
99558@@ -19,8 +19,8 @@ struct kern_ipc_perm
99559 kuid_t cuid;
99560 kgid_t cgid;
99561 umode_t mode;
99562- unsigned long seq;
99563+ unsigned long seq __intentional_overflow(-1);
99564 void *security;
99565-};
99566+} __randomize_layout;
99567
99568 #endif /* _LINUX_IPC_H */
99569diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
99570index 1eee6bc..9cf4912 100644
99571--- a/include/linux/ipc_namespace.h
99572+++ b/include/linux/ipc_namespace.h
99573@@ -60,7 +60,7 @@ struct ipc_namespace {
99574 struct user_namespace *user_ns;
99575
99576 struct ns_common ns;
99577-};
99578+} __randomize_layout;
99579
99580 extern struct ipc_namespace init_ipc_ns;
99581 extern atomic_t nr_ipc_ns;
99582diff --git a/include/linux/irq.h b/include/linux/irq.h
99583index 51744bc..e902653 100644
99584--- a/include/linux/irq.h
99585+++ b/include/linux/irq.h
99586@@ -383,7 +383,10 @@ struct irq_chip {
99587 int (*irq_set_vcpu_affinity)(struct irq_data *data, void *vcpu_info);
99588
99589 unsigned long flags;
99590-};
99591+} __do_const;
99592+#ifndef _LINUX_IRQDOMAIN_H
99593+typedef struct irq_chip __no_const irq_chip_no_const;
99594+#endif
99595
99596 /*
99597 * irq_chip specific flags
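Review bot: The `irq_chip_no_const` typedef is guarded here by `#ifndef _LINUX_IRQDOMAIN_H` and in include/linux/irqdomain.h by `#ifndef _LINUX_IRQ_H`, which ties its visibility to the other header's include-guard name and to include order. If either header ever includes the other before reaching its own typedef, both guards are already defined and the typedef is emitted by neither; renaming a guard gives a duplicate definition instead. A dedicated guard used identically in both files avoids that: `#ifndef IRQ_CHIP_NO_CONST_TYPEDEF` followed by `#define IRQ_CHIP_NO_CONST_TYPEDEF` around the typedef. Whether the two headers include each other is not visible from these hunks.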
99598diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h
99599index fcea4e4..cff381d 100644
99600--- a/include/linux/irqdesc.h
99601+++ b/include/linux/irqdesc.h
99602@@ -59,7 +59,7 @@ struct irq_desc {
99603 unsigned int irq_count; /* For detecting broken IRQs */
99604 unsigned long last_unhandled; /* Aging timer for unhandled count */
99605 unsigned int irqs_unhandled;
99606- atomic_t threads_handled;
99607+ atomic_unchecked_t threads_handled;
99608 int threads_handled_last;
99609 raw_spinlock_t lock;
99610 struct cpumask *percpu_enabled;
99611diff --git a/include/linux/irqdomain.h b/include/linux/irqdomain.h
99612index 744ac0e..382b1a6 100644
99613--- a/include/linux/irqdomain.h
99614+++ b/include/linux/irqdomain.h
99615@@ -40,6 +40,9 @@ struct device_node;
99616 struct irq_domain;
99617 struct of_device_id;
99618 struct irq_chip;
99619+#ifndef _LINUX_IRQ_H
99620+typedef struct irq_chip __no_const irq_chip_no_const;
99621+#endif
99622 struct irq_data;
99623
99624 /* Number of irqs reserved for a legacy isa controller */
99625diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
99626index 535fd3b..e5c356e 100644
99627--- a/include/linux/jiffies.h
99628+++ b/include/linux/jiffies.h
99629@@ -284,19 +284,19 @@ extern unsigned long preset_lpj;
99630 extern unsigned int jiffies_to_msecs(const unsigned long j);
99631 extern unsigned int jiffies_to_usecs(const unsigned long j);
99632
99633-static inline u64 jiffies_to_nsecs(const unsigned long j)
99634+static inline u64 __intentional_overflow(-1) jiffies_to_nsecs(const unsigned long j)
99635 {
99636 return (u64)jiffies_to_usecs(j) * NSEC_PER_USEC;
99637 }
99638
99639-extern unsigned long __msecs_to_jiffies(const unsigned int m);
99640+extern unsigned long __msecs_to_jiffies(const unsigned int m) __intentional_overflow(-1);
99641 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
99642 /*
99643 * HZ is equal to or smaller than 1000, and 1000 is a nice round
99644 * multiple of HZ, divide with the factor between them, but round
99645 * upwards:
99646 */
99647-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99648+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
99649 {
99650 return (m + (MSEC_PER_SEC / HZ) - 1) / (MSEC_PER_SEC / HZ);
99651 }
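Review bot: The conversion helpers here get `__intentional_overflow(-1)` with no comment saying which operation is expected to wrap. For `jiffies_to_nsecs()` the operand is widened to `u64` before the multiply, so it is not obvious that anything in that expression can; in `_msecs_to_jiffies()` the rounding add `m + (MSEC_PER_SEC / HZ) - 1` is the likely candidate. These helpers turn caller-supplied timeouts into jiffies, so switching the overflow check off deserves a one-line reason per function, e.g. `/* overflow check off on purpose: <operation that wraps, and why it is harmless> */`. The same unexplained annotation is added in the three following hunks of this file, on the other `_msecs_to_jiffies()` variants and on `_usecs_to_jiffies()`.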
99652@@ -307,7 +307,7 @@ static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99653 *
99654 * But first make sure the multiplication result cannot overflow:
99655 */
99656-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99657+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
99658 {
99659 if (m > jiffies_to_msecs(MAX_JIFFY_OFFSET))
99660 return MAX_JIFFY_OFFSET;
99661@@ -318,7 +318,7 @@ static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99662 * Generic case - multiply, round and divide. But first check that if
99663 * we are doing a net multiplication, that we wouldn't overflow:
99664 */
99665-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99666+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
99667 {
99668 if (HZ > MSEC_PER_SEC && m > jiffies_to_msecs(MAX_JIFFY_OFFSET))
99669 return MAX_JIFFY_OFFSET;
99670@@ -362,21 +362,19 @@ static inline unsigned long msecs_to_jiffies(const unsigned int m)
99671 }
99672 }
99673
99674-extern unsigned long __usecs_to_jiffies(const unsigned int u);
99675+extern unsigned long __usecs_to_jiffies(const unsigned int u) __intentional_overflow(-1);
99676 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
99677-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
99678+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
99679 {
99680 return (u + (USEC_PER_SEC / HZ) - 1) / (USEC_PER_SEC / HZ);
99681 }
99682 #elif HZ > USEC_PER_SEC && !(HZ % USEC_PER_SEC)
99683-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
99684+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
99685 {
99686 return u * (HZ / USEC_PER_SEC);
99687 }
99688-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
99689-{
99690 #else
99691-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
99692+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
99693 {
99694 return (USEC_TO_HZ_MUL32 * u + USEC_TO_HZ_ADJ32)
99695 >> USEC_TO_HZ_SHR32;
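Review bot: None of the `__intentional_overflow(-1)` markers added to the three `_usecs_to_jiffies()` variants says which operation is expected to wrap, so a reader cannot tell an accepted wrap from a silenced finding; the candidates are the rounding add in the first variant and the multiply `u * (HZ / USEC_PER_SEC)` in the second. A one-line comment per variant would do, e.g. `/* the rounding add may wrap for large u; range is presumably limited by the caller - confirm */`. The attribute also sits after the parameter list on the `extern` declaration of `__usecs_to_jiffies` but between return type and name on the inline definitions; one placement throughout would be easier to grep. The same applies to the `_msecs_to_jiffies()` hunks above. The last variant's body continues outside the hunk.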
99696diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
99697index 6883e19..e854fcb 100644
99698--- a/include/linux/kallsyms.h
99699+++ b/include/linux/kallsyms.h
99700@@ -15,7 +15,8 @@
99701
99702 struct module;
99703
99704-#ifdef CONFIG_KALLSYMS
99705+#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
99706+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
99707 /* Lookup the address for a symbol. Returns 0 if not found. */
99708 unsigned long kallsyms_lookup_name(const char *name);
99709
99710@@ -106,6 +107,21 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
99711 /* Stupid that this does nothing, but I didn't create this mess. */
99712 #define __print_symbol(fmt, addr)
99713 #endif /*CONFIG_KALLSYMS*/
99714+#else /* when included by kallsyms.c, vsnprintf.c, kprobes.c, or
99715+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
99716+extern unsigned long kallsyms_lookup_name(const char *name);
99717+extern void __print_symbol(const char *fmt, unsigned long address);
99718+extern int sprint_backtrace(char *buffer, unsigned long address);
99719+extern int sprint_symbol(char *buffer, unsigned long address);
99720+extern int sprint_symbol_no_offset(char *buffer, unsigned long address);
99721+const char *kallsyms_lookup(unsigned long addr,
99722+ unsigned long *symbolsize,
99723+ unsigned long *offset,
99724+ char **modname, char *namebuf);
99725+extern int kallsyms_lookup_size_offset(unsigned long addr,
99726+ unsigned long *symbolsize,
99727+ unsigned long *offset);
99728+#endif
99729
99730 /* This macro allows us to keep printk typechecking */
99731 static __printf(1, 2)
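Review bot: The added `#endif` that closes the new outer `#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` carries no label, while the inner `#endif /*CONFIG_KALLSYMS*/` just above it keeps a label that no longer matches its condition (`defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` in the previous hunk). Since this nesting decides which translation units see the real symbol-lookup prototypes when HIDESYM is on, both should be labelled, e.g. `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`, with a sentence saying that only the listed files may define `__INCLUDED_BY_HIDESYM`. In the new `#else` branch `kallsyms_lookup` is the only prototype without `extern`, and the comment names `vsnprintf.c`, which may be meant as `vsprintf.c`.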
99732diff --git a/include/linux/key-type.h b/include/linux/key-type.h
99733index ff9f1d3..6712be5 100644
99734--- a/include/linux/key-type.h
99735+++ b/include/linux/key-type.h
99736@@ -152,7 +152,7 @@ struct key_type {
99737 /* internal fields */
99738 struct list_head link; /* link in types list */
99739 struct lock_class_key lock_class; /* key->sem lock class */
99740-};
99741+} __do_const;
99742
99743 extern struct key_type key_type_keyring;
99744
99745diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
99746index e465bb1..19f605fd 100644
99747--- a/include/linux/kgdb.h
99748+++ b/include/linux/kgdb.h
99749@@ -52,7 +52,7 @@ extern int kgdb_connected;
99750 extern int kgdb_io_module_registered;
99751
99752 extern atomic_t kgdb_setting_breakpoint;
99753-extern atomic_t kgdb_cpu_doing_single_step;
99754+extern atomic_unchecked_t kgdb_cpu_doing_single_step;
99755
99756 extern struct task_struct *kgdb_usethread;
99757 extern struct task_struct *kgdb_contthread;
99758@@ -254,7 +254,7 @@ struct kgdb_arch {
99759 void (*correct_hw_break)(void);
99760
99761 void (*enable_nmi)(bool on);
99762-};
99763+} __do_const;
99764
99765 /**
99766 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
99767@@ -279,7 +279,7 @@ struct kgdb_io {
99768 void (*pre_exception) (void);
99769 void (*post_exception) (void);
99770 int is_console;
99771-};
99772+} __do_const;
99773
99774 extern struct kgdb_arch arch_kgdb_ops;
99775
99776diff --git a/include/linux/kmemleak.h b/include/linux/kmemleak.h
99777index d0a1f99..0bd8b7c 100644
99778--- a/include/linux/kmemleak.h
99779+++ b/include/linux/kmemleak.h
99780@@ -27,7 +27,7 @@
99781
99782 extern void kmemleak_init(void) __ref;
99783 extern void kmemleak_alloc(const void *ptr, size_t size, int min_count,
99784- gfp_t gfp) __ref;
99785+ gfp_t gfp) __ref __size_overflow(2);
99786 extern void kmemleak_alloc_percpu(const void __percpu *ptr, size_t size,
99787 gfp_t gfp) __ref;
99788 extern void kmemleak_free(const void *ptr) __ref;
99789@@ -63,7 +63,7 @@ static inline void kmemleak_erase(void **ptr)
99790 static inline void kmemleak_init(void)
99791 {
99792 }
99793-static inline void kmemleak_alloc(const void *ptr, size_t size, int min_count,
99794+static inline void __size_overflow(2) kmemleak_alloc(const void *ptr, size_t size, int min_count,
99795 gfp_t gfp)
99796 {
99797 }
99798diff --git a/include/linux/kmod.h b/include/linux/kmod.h
99799index 0555cc6..40116ce 100644
99800--- a/include/linux/kmod.h
99801+++ b/include/linux/kmod.h
99802@@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysctl */
99803 * usually useless though. */
99804 extern __printf(2, 3)
99805 int __request_module(bool wait, const char *name, ...);
99806+extern __printf(3, 4)
99807+int ___request_module(bool wait, char *param_name, const char *name, ...);
99808 #define request_module(mod...) __request_module(true, mod)
99809 #define request_module_nowait(mod...) __request_module(false, mod)
99810 #define try_then_request_module(x, mod...) \
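Review bot: `___request_module()` differs from `__request_module()` by a single underscore and has no comment saying what `param_name` carries or which callers are meant to use it, which makes the two easy to confuse at call sites. A short comment above the new prototype, e.g. `/* param_name: <what it carries, whether NULL is allowed> */`, would settle that. `param_name` is declared `char *` while `name` is `const char *`; if the implementation does not write through it, `const char *param_name` would state that in the type. The `__printf(3, 4)` indices match the shifted format argument.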
99811@@ -57,6 +59,9 @@ struct subprocess_info {
99812 struct work_struct work;
99813 struct completion *complete;
99814 char *path;
99815+#ifdef CONFIG_GRKERNSEC
99816+ char *origpath;
99817+#endif
99818 char **argv;
99819 char **envp;
99820 int wait;
99821diff --git a/include/linux/kobject.h b/include/linux/kobject.h
99822index 637f670..3d69945 100644
99823--- a/include/linux/kobject.h
99824+++ b/include/linux/kobject.h
99825@@ -119,7 +119,7 @@ struct kobj_type {
99826 struct attribute **default_attrs;
99827 const struct kobj_ns_type_operations *(*child_ns_type)(struct kobject *kobj);
99828 const void *(*namespace)(struct kobject *kobj);
99829-};
99830+} __do_const;
99831
99832 struct kobj_uevent_env {
99833 char *argv[3];
99834@@ -143,6 +143,7 @@ struct kobj_attribute {
99835 ssize_t (*store)(struct kobject *kobj, struct kobj_attribute *attr,
99836 const char *buf, size_t count);
99837 };
99838+typedef struct kobj_attribute __no_const kobj_attribute_no_const;
99839
99840 extern const struct sysfs_ops kobj_sysfs_ops;
99841
99842@@ -170,7 +171,7 @@ struct kset {
99843 spinlock_t list_lock;
99844 struct kobject kobj;
99845 const struct kset_uevent_ops *uevent_ops;
99846-};
99847+} __randomize_layout;
99848
99849 extern void kset_init(struct kset *kset);
99850 extern int __must_check kset_register(struct kset *kset);
99851diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
99852index df32d25..fb52e27 100644
99853--- a/include/linux/kobject_ns.h
99854+++ b/include/linux/kobject_ns.h
99855@@ -44,7 +44,7 @@ struct kobj_ns_type_operations {
99856 const void *(*netlink_ns)(struct sock *sk);
99857 const void *(*initial_ns)(void);
99858 void (*drop_ns)(void *);
99859-};
99860+} __do_const;
99861
99862 int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
99863 int kobj_ns_type_registered(enum kobj_ns_type type);
99864diff --git a/include/linux/kref.h b/include/linux/kref.h
99865index 484604d..0f6c5b6 100644
99866--- a/include/linux/kref.h
99867+++ b/include/linux/kref.h
99868@@ -68,7 +68,7 @@ static inline void kref_get(struct kref *kref)
99869 static inline int kref_sub(struct kref *kref, unsigned int count,
99870 void (*release)(struct kref *kref))
99871 {
99872- WARN_ON(release == NULL);
99873+ BUG_ON(release == NULL);
99874
99875 if (atomic_sub_and_test((int) count, &kref->refcount)) {
99876 release(kref);
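Review bot: `kref_sub()` still casts the unsigned `count` with `(int) count` before `atomic_sub_and_test()`, so a value above `INT_MAX` becomes a negative operand and the call raises the reference count instead of lowering it; the hunk hardens the NULL `release` case but not this one. A guard next to the new check, `BUG_ON(count > INT_MAX);`, would reject it in the same style. A one-line comment on the `BUG_ON(release == NULL)` line saying that continuing would call through a NULL pointer would also record why the warning became fatal. The function body continues outside the hunk.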
99877diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
99878index 05e99b8..484b1f97 100644
99879--- a/include/linux/kvm_host.h
99880+++ b/include/linux/kvm_host.h
99881@@ -468,7 +468,7 @@ static inline void kvm_irqfd_exit(void)
99882 {
99883 }
99884 #endif
99885-int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
99886+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
99887 struct module *module);
99888 void kvm_exit(void);
99889
99890@@ -678,7 +678,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
99891 struct kvm_guest_debug *dbg);
99892 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
99893
99894-int kvm_arch_init(void *opaque);
99895+int kvm_arch_init(const void *opaque);
99896 void kvm_arch_exit(void);
99897
99898 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
99899diff --git a/include/linux/libata.h b/include/linux/libata.h
99900index c9cfbcd..46986db 100644
99901--- a/include/linux/libata.h
99902+++ b/include/linux/libata.h
99903@@ -990,7 +990,7 @@ struct ata_port_operations {
99904 * fields must be pointers.
99905 */
99906 const struct ata_port_operations *inherits;
99907-};
99908+} __do_const;
99909
99910 struct ata_port_info {
99911 unsigned long flags;
99912diff --git a/include/linux/linkage.h b/include/linux/linkage.h
99913index a6a42dd..6c5ebce 100644
99914--- a/include/linux/linkage.h
99915+++ b/include/linux/linkage.h
99916@@ -36,6 +36,7 @@
99917 #endif
99918
99919 #define __page_aligned_data __section(.data..page_aligned) __aligned(PAGE_SIZE)
99920+#define __page_aligned_rodata __read_only __aligned(PAGE_SIZE)
99921 #define __page_aligned_bss __section(.bss..page_aligned) __aligned(PAGE_SIZE)
99922
99923 /*
99924diff --git a/include/linux/list.h b/include/linux/list.h
99925index feb773c..98f3075 100644
99926--- a/include/linux/list.h
99927+++ b/include/linux/list.h
99928@@ -113,6 +113,19 @@ extern void __list_del_entry(struct list_head *entry);
99929 extern void list_del(struct list_head *entry);
99930 #endif
99931
99932+extern void __pax_list_add(struct list_head *new,
99933+ struct list_head *prev,
99934+ struct list_head *next);
99935+static inline void pax_list_add(struct list_head *new, struct list_head *head)
99936+{
99937+ __pax_list_add(new, head, head->next);
99938+}
99939+static inline void pax_list_add_tail(struct list_head *new, struct list_head *head)
99940+{
99941+ __pax_list_add(new, head->prev, head);
99942+}
99943+extern void pax_list_del(struct list_head *entry);
99944+
99945 /**
99946 * list_replace - replace old entry by new one
99947 * @old : the element to be replaced
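Review bot: The new `pax_list_add()`, `pax_list_add_tail()`, `pax_list_del()` and, in the next hunk, `pax_list_del_init()` have no kernel-doc, although neighbouring helpers in this header such as `list_replace` do, and nothing here says when a caller must pick the `pax_` variant over `list_add()`/`list_del()`. Add a comment block above `__pax_list_add` stating what differs from the plain helpers (presumably these are for list heads in memory that the patch makes read-only; confirm against the definition, which is outside this header) and what locking the caller provides. `pax_list_add()` and `pax_list_add_tail()` read `head->next` and `head->prev` before the call, so the same caller-side serialisation as for `list_add()` applies.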
99948@@ -146,6 +159,8 @@ static inline void list_del_init(struct list_head *entry)
99949 INIT_LIST_HEAD(entry);
99950 }
99951
99952+extern void pax_list_del_init(struct list_head *entry);
99953+
99954 /**
99955 * list_move - delete from one list and add as another's head
99956 * @list: the entry to move
99957diff --git a/include/linux/lockref.h b/include/linux/lockref.h
99958index b10b122..d37b3de 100644
99959--- a/include/linux/lockref.h
99960+++ b/include/linux/lockref.h
99961@@ -28,7 +28,7 @@ struct lockref {
99962 #endif
99963 struct {
99964 spinlock_t lock;
99965- int count;
99966+ atomic_t count;
99967 };
99968 };
99969 };
99970@@ -43,9 +43,29 @@ extern void lockref_mark_dead(struct lockref *);
99971 extern int lockref_get_not_dead(struct lockref *);
99972
99973 /* Must be called under spinlock for reliable results */
99974-static inline int __lockref_is_dead(const struct lockref *l)
99975+static inline int __lockref_is_dead(const struct lockref *lockref)
99976 {
99977- return ((int)l->count < 0);
99978+ return atomic_read(&lockref->count) < 0;
99979+}
99980+
99981+static inline int __lockref_read(const struct lockref *lockref)
99982+{
99983+ return atomic_read(&lockref->count);
99984+}
99985+
99986+static inline void __lockref_set(struct lockref *lockref, int count)
99987+{
99988+ atomic_set(&lockref->count, count);
99989+}
99990+
99991+static inline void __lockref_inc(struct lockref *lockref)
99992+{
99993+ atomic_inc(&lockref->count);
99994+}
99995+
99996+static inline void __lockref_dec(struct lockref *lockref)
99997+{
99998+ atomic_dec(&lockref->count);
99999 }
100000
100001 #endif /* __LINUX_LOCKREF_H */
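Review bot: The comment `/* Must be called under spinlock for reliable results */` now sits above `__lockref_is_dead()` only, and the four new accessors `__lockref_read()`, `__lockref_set()`, `__lockref_inc()` and `__lockref_dec()` say nothing about locking. With `count` switched to `atomic_t` a reader could assume they are safe without `lockref->lock`, but the atomic operations only make each single access indivisible; a read-then-update sequence built from `__lockref_read()` and `__lockref_set()` still needs the lock. Repeat or extend the comment per helper, e.g. `/* caller holds lockref->lock */`, if that is the contract.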
100002diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
100003index 9429f05..a5d5425 100644
100004--- a/include/linux/lsm_hooks.h
100005+++ b/include/linux/lsm_hooks.h
100006@@ -1824,7 +1824,7 @@ struct security_hook_heads {
100007 struct list_head audit_rule_match;
100008 struct list_head audit_rule_free;
100009 #endif /* CONFIG_AUDIT */
100010-};
100011+} __randomize_layout;
100012
100013 /*
100014 * Security module hook list structure.
100015@@ -1834,7 +1834,7 @@ struct security_hook_list {
100016 struct list_head list;
100017 struct list_head *head;
100018 union security_list_options hook;
100019-};
100020+} __randomize_layout;
100021
100022 /*
100023 * Initializing a security_hook_list structure takes
100024diff --git a/include/linux/math64.h b/include/linux/math64.h
100025index c45c089..298841c 100644
100026--- a/include/linux/math64.h
100027+++ b/include/linux/math64.h
100028@@ -15,7 +15,7 @@
100029 * This is commonly provided by 32bit archs to provide an optimized 64bit
100030 * divide.
100031 */
100032-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
100033+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
100034 {
100035 *remainder = dividend % divisor;
100036 return dividend / divisor;
100037@@ -42,7 +42,7 @@ static inline u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
100038 /**
100039 * div64_u64 - unsigned 64bit divide with 64bit divisor
100040 */
100041-static inline u64 div64_u64(u64 dividend, u64 divisor)
100042+static inline u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor)
100043 {
100044 return dividend / divisor;
100045 }
100046@@ -61,7 +61,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor)
100047 #define div64_ul(x, y) div_u64((x), (y))
100048
100049 #ifndef div_u64_rem
100050-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
100051+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
100052 {
100053 *remainder = do_div(dividend, divisor);
100054 return dividend;
100055@@ -77,7 +77,7 @@ extern u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder);
100056 #endif
100057
100058 #ifndef div64_u64
100059-extern u64 div64_u64(u64 dividend, u64 divisor);
100060+extern u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor);
100061 #endif
100062
100063 #ifndef div64_s64
100064@@ -94,7 +94,7 @@ extern s64 div64_s64(s64 dividend, s64 divisor);
100065 * divide.
100066 */
100067 #ifndef div_u64
100068-static inline u64 div_u64(u64 dividend, u32 divisor)
100069+static inline u64 __intentional_overflow(-1) div_u64(u64 dividend, u32 divisor)
100070 {
100071 u32 remainder;
100072 return div_u64_rem(dividend, divisor, &remainder);
100073diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
100074index 3d385c8..deacb6a 100644
100075--- a/include/linux/mempolicy.h
100076+++ b/include/linux/mempolicy.h
100077@@ -91,6 +91,10 @@ static inline struct mempolicy *mpol_dup(struct mempolicy *pol)
100078 }
100079
100080 #define vma_policy(vma) ((vma)->vm_policy)
100081+static inline void set_vma_policy(struct vm_area_struct *vma, struct mempolicy *pol)
100082+{
100083+ vma->vm_policy = pol;
100084+}
100085
100086 static inline void mpol_get(struct mempolicy *pol)
100087 {
100088@@ -229,6 +233,9 @@ static inline void mpol_free_shared_policy(struct shared_policy *p)
100089 }
100090
100091 #define vma_policy(vma) NULL
100092+static inline void set_vma_policy(struct vm_area_struct *vma, struct mempolicy *pol)
100093+{
100094+}
100095
100096 static inline int
100097 vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)
100098diff --git a/include/linux/mm.h b/include/linux/mm.h
100099index bf6f117..c8abe91 100644
100100--- a/include/linux/mm.h
100101+++ b/include/linux/mm.h
100102@@ -136,6 +136,11 @@ extern unsigned int kobjsize(const void *objp);
100103
100104 #define VM_DONTCOPY 0x00020000 /* Do not copy this vma on fork */
100105 #define VM_DONTEXPAND 0x00040000 /* Cannot expand with mremap() */
100106+
100107+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
100108+#define VM_PAGEEXEC 0x00080000 /* vma->vm_page_prot needs special handling */
100109+#endif
100110+
100111 #define VM_ACCOUNT 0x00100000 /* Is a VM accounted object */
100112 #define VM_NORESERVE 0x00200000 /* should the VM suppress accounting */
100113 #define VM_HUGETLB 0x00400000 /* Huge TLB Page VM */
100114@@ -258,8 +263,8 @@ struct vm_operations_struct {
100115 /* called by access_process_vm when get_user_pages() fails, typically
100116 * for use by special VMAs that can switch between memory and hardware
100117 */
100118- int (*access)(struct vm_area_struct *vma, unsigned long addr,
100119- void *buf, int len, int write);
100120+ ssize_t (*access)(struct vm_area_struct *vma, unsigned long addr,
100121+ void *buf, size_t len, int write);
100122
100123 /* Called by the /proc/PID/maps code to ask the vma whether it
100124 * has a special name. Returning non-NULL will also cause this
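Review bot: The comment above `access` does not state the return contract after the switch to `ssize_t (*access)(..., size_t len, int write)`: a `len` above `SSIZE_MAX` cannot be reported back in the return type, and implementations that used to return a negative `int` error must not route it through a `size_t` local. Extend the comment with something like `returns the number of bytes transferred or a negative errno; len must fit in ssize_t`, if that is the intended contract. Implementations not visible in this header that keep the old `int` signature would differ only by pointer type at the assignment, so they are worth searching for. The same applies to `generic_access_phys()`, `access_process_vm()` and `access_remote_vm()` in the hunks below.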
100125@@ -297,6 +302,7 @@ struct vm_operations_struct {
100126 struct page *(*find_special_page)(struct vm_area_struct *vma,
100127 unsigned long addr);
100128 };
100129+typedef struct vm_operations_struct __no_const vm_operations_struct_no_const;
100130
100131 struct mmu_gather;
100132 struct inode;
100133@@ -1160,8 +1166,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
100134 unsigned long *pfn);
100135 int follow_phys(struct vm_area_struct *vma, unsigned long address,
100136 unsigned int flags, unsigned long *prot, resource_size_t *phys);
100137-int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
100138- void *buf, int len, int write);
100139+ssize_t generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
100140+ void *buf, size_t len, int write);
100141
100142 static inline void unmap_shared_mapping_range(struct address_space *mapping,
100143 loff_t const holebegin, loff_t const holelen)
100144@@ -1201,9 +1207,9 @@ static inline int fixup_user_fault(struct task_struct *tsk,
100145 }
100146 #endif
100147
100148-extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write);
100149-extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
100150- void *buf, int len, int write);
100151+extern ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, size_t len, int write);
100152+extern ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
100153+ void *buf, size_t len, int write);
100154
100155 long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
100156 unsigned long start, unsigned long nr_pages,
100157@@ -1251,34 +1257,6 @@ int clear_page_dirty_for_io(struct page *page);
100158
100159 int get_cmdline(struct task_struct *task, char *buffer, int buflen);
100160
100161-/* Is the vma a continuation of the stack vma above it? */
100162-static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
100163-{
100164- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
100165-}
100166-
100167-static inline int stack_guard_page_start(struct vm_area_struct *vma,
100168- unsigned long addr)
100169-{
100170- return (vma->vm_flags & VM_GROWSDOWN) &&
100171- (vma->vm_start == addr) &&
100172- !vma_growsdown(vma->vm_prev, addr);
100173-}
100174-
100175-/* Is the vma a continuation of the stack vma below it? */
100176-static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
100177-{
100178- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
100179-}
100180-
100181-static inline int stack_guard_page_end(struct vm_area_struct *vma,
100182- unsigned long addr)
100183-{
100184- return (vma->vm_flags & VM_GROWSUP) &&
100185- (vma->vm_end == addr) &&
100186- !vma_growsup(vma->vm_next, addr);
100187-}
100188-
100189 extern struct task_struct *task_of_stack(struct task_struct *task,
100190 struct vm_area_struct *vma, bool in_group);
100191
100192@@ -1401,8 +1379,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
100193 {
100194 return 0;
100195 }
100196+
100197+static inline int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd,
100198+ unsigned long address)
100199+{
100200+ return 0;
100201+}
100202 #else
100203 int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address);
100204+int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address);
100205 #endif
100206
100207 #if defined(__PAGETABLE_PMD_FOLDED) || !defined(CONFIG_MMU)
100208@@ -1412,6 +1397,12 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
100209 return 0;
100210 }
100211
100212+static inline int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud,
100213+ unsigned long address)
100214+{
100215+ return 0;
100216+}
100217+
100218 static inline void mm_nr_pmds_init(struct mm_struct *mm) {}
100219
100220 static inline unsigned long mm_nr_pmds(struct mm_struct *mm)
100221@@ -1424,6 +1415,7 @@ static inline void mm_dec_nr_pmds(struct mm_struct *mm) {}
100222
100223 #else
100224 int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address);
100225+int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address);
100226
100227 static inline void mm_nr_pmds_init(struct mm_struct *mm)
100228 {
100229@@ -1461,11 +1453,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
100230 NULL: pud_offset(pgd, address);
100231 }
100232
100233+static inline pud_t *pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
100234+{
100235+ return (unlikely(pgd_none(*pgd)) && __pud_alloc_kernel(mm, pgd, address))?
100236+ NULL: pud_offset(pgd, address);
100237+}
100238+
100239 static inline pmd_t *pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
100240 {
100241 return (unlikely(pud_none(*pud)) && __pmd_alloc(mm, pud, address))?
100242 NULL: pmd_offset(pud, address);
100243 }
100244+
100245+static inline pmd_t *pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address)
100246+{
100247+ return (unlikely(pud_none(*pud)) && __pmd_alloc_kernel(mm, pud, address))?
100248+ NULL: pmd_offset(pud, address);
100249+}
100250 #endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
100251
100252 #if USE_SPLIT_PTE_PTLOCKS
100253@@ -1846,12 +1850,23 @@ extern struct vm_area_struct *copy_vma(struct vm_area_struct **,
100254 bool *need_rmap_locks);
100255 extern void exit_mmap(struct mm_struct *);
100256
100257+#if defined(CONFIG_GRKERNSEC) && (defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC))
100258+extern void gr_learn_resource(const struct task_struct *task, const int res,
100259+ const unsigned long wanted, const int gt);
100260+#else
100261+static inline void gr_learn_resource(const struct task_struct *task, const int res,
100262+ const unsigned long wanted, const int gt)
100263+{
100264+}
100265+#endif
100266+
100267 static inline int check_data_rlimit(unsigned long rlim,
100268 unsigned long new,
100269 unsigned long start,
100270 unsigned long end_data,
100271 unsigned long start_data)
100272 {
100273+ gr_learn_resource(current, RLIMIT_DATA, (new - start) + (end_data - start_data), 1);
100274 if (rlim < RLIM_INFINITY) {
100275 if (((new - start) + (end_data - start_data)) > rlim)
100276 return -ENOSPC;
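Review bot: In `check_data_rlimit()` the size `(new - start) + (end_data - start_data)` is now spelled out twice, once in the added `gr_learn_resource()` call and once in the limit test, so the two can drift apart on a later edit. Hoist it with `unsigned long wanted = (new - start) + (end_data - start_data);` and pass `wanted` to both. The trailing `1` for `gt` is a bare literal; a comment on the prototype saying what `gt` selects would make call sites readable. The sum is unsigned, so it wraps if `new < start`, and whether callers rule that out is not visible here. The function body continues outside the hunk.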
100277@@ -1884,6 +1899,7 @@ extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
100278 unsigned long len, unsigned long prot, unsigned long flags,
100279 unsigned long pgoff, unsigned long *populate);
100280 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
100281+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
100282
100283 #ifdef CONFIG_MMU
100284 extern int __mm_populate(unsigned long addr, unsigned long len,
100285@@ -1912,10 +1928,11 @@ struct vm_unmapped_area_info {
100286 unsigned long high_limit;
100287 unsigned long align_mask;
100288 unsigned long align_offset;
100289+ unsigned long threadstack_offset;
100290 };
100291
100292-extern unsigned long unmapped_area(struct vm_unmapped_area_info *info);
100293-extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
100294+extern unsigned long unmapped_area(const struct vm_unmapped_area_info *info);
100295+extern unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info);
100296
100297 /*
100298 * Search for an unmapped address range.
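Review bot: The new `threadstack_offset` member has no comment and no default, so every caller that declares a `struct vm_unmapped_area_info` on the stack and fills it field by field has to set this one as well, or `unmapped_area()` / `unmapped_area_topdown()` could read an indeterminate value (whether they read it is not visible in this hunk). Document the field, e.g. `unsigned long threadstack_offset; /* <meaning>; every caller must initialise it */`, and consider having callers start from `= { 0 }`. The `const` added to the two prototypes matches the `vm_unmapped_area()` change in the next hunk.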
100299@@ -1927,7 +1944,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
100300 * - satisfies (begin_addr & align_mask) == (align_offset & align_mask)
100301 */
100302 static inline unsigned long
100303-vm_unmapped_area(struct vm_unmapped_area_info *info)
100304+vm_unmapped_area(const struct vm_unmapped_area_info *info)
100305 {
100306 if (info->flags & VM_UNMAPPED_AREA_TOPDOWN)
100307 return unmapped_area_topdown(info);
100308@@ -1989,6 +2006,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
100309 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
100310 struct vm_area_struct **pprev);
100311
100312+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
100313+extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
100314+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
100315+
100316 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
100317 NULL if none. Assume start_addr < end_addr. */
100318 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
100319@@ -2018,10 +2039,10 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
100320 }
100321
100322 #ifdef CONFIG_MMU
100323-pgprot_t vm_get_page_prot(unsigned long vm_flags);
100324+pgprot_t vm_get_page_prot(vm_flags_t vm_flags);
100325 void vma_set_page_prot(struct vm_area_struct *vma);
100326 #else
100327-static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
100328+static inline pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
100329 {
100330 return __pgprot(0);
100331 }
100332@@ -2083,6 +2104,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
100333 static inline void vm_stat_account(struct mm_struct *mm,
100334 unsigned long flags, struct file *file, long pages)
100335 {
100336+
100337+#ifdef CONFIG_PAX_RANDMMAP
100338+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
100339+#endif
100340+
100341 mm->total_vm += pages;
100342 }
100343 #endif /* CONFIG_PROC_FS */
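Review bot: The added `if (...)` inside `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own; it governs `mm->total_vm += pages;` across the `#endif` and a blank line, so any statement later inserted between them silently becomes the conditional body. An early return keeps the guard self-contained: inside the `#ifdef`, write `if ((mm->pax_flags & MF_PAX_RANDMMAP) && !(flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))` followed by `return;`. The function is `void` and the increment is its only statement in this hunk, so behaviour is unchanged.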
100344@@ -2186,7 +2212,7 @@ extern int get_hwpoison_page(struct page *page);
100345 extern int sysctl_memory_failure_early_kill;
100346 extern int sysctl_memory_failure_recovery;
100347 extern void shake_page(struct page *p, int access);
100348-extern atomic_long_t num_poisoned_pages;
100349+extern atomic_long_unchecked_t num_poisoned_pages;
100350 extern int soft_offline_page(struct page *page, int flags);
100351
100352
100353@@ -2271,5 +2297,11 @@ void __init setup_nr_node_ids(void);
100354 static inline void setup_nr_node_ids(void) {}
100355 #endif
100356
100357+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
100358+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
100359+#else
100360+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
100361+#endif
100362+
100363 #endif /* __KERNEL__ */
100364 #endif /* _LINUX_MM_H */
100365diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
100366index 1554957..0973bc5 100644
100367--- a/include/linux/mm_types.h
100368+++ b/include/linux/mm_types.h
100369@@ -322,7 +322,9 @@ struct vm_area_struct {
100370 #ifdef CONFIG_NUMA
100371 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
100372 #endif
100373-};
100374+
100375+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
100376+} __randomize_layout;
100377
100378 struct core_thread {
100379 struct task_struct *task;
100380@@ -475,7 +477,25 @@ struct mm_struct {
100381 /* address of the bounds directory */
100382 void __user *bd_addr;
100383 #endif
100384-};
100385+
100386+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
100387+ unsigned long pax_flags;
100388+#endif
100389+
100390+#ifdef CONFIG_PAX_DLRESOLVE
100391+ unsigned long call_dl_resolve;
100392+#endif
100393+
100394+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
100395+ unsigned long call_syscall;
100396+#endif
100397+
100398+#ifdef CONFIG_PAX_ASLR
100399+ unsigned long delta_mmap; /* randomized offset */
100400+ unsigned long delta_stack; /* randomized offset */
100401+#endif
100402+
100403+} __randomize_layout;
100404
100405 static inline void mm_init_cpumask(struct mm_struct *mm)
100406 {
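Review bot: Of the fields added to `struct mm_struct`, only `delta_mmap` and `delta_stack` have a comment; `pax_flags`, `call_dl_resolve` and `call_syscall` have none, and the struct is also marked `__randomize_layout`, so their meaning cannot be inferred from position either. Add a short comment per field, e.g. `unsigned long pax_flags; /* MF_PAX_* bits */` (the `MF_PAX_RANDMMAP` test in `vm_stat_account()` suggests that reading). Since `delta_mmap` and `delta_stack` hold the randomised offsets, it is worth stating next to them that they must not be exposed to user space through debug or proc output.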
100407diff --git a/include/linux/mmiotrace.h b/include/linux/mmiotrace.h
100408index 3ba327a..85cd5ce 100644
100409--- a/include/linux/mmiotrace.h
100410+++ b/include/linux/mmiotrace.h
100411@@ -46,7 +46,7 @@ extern int kmmio_handler(struct pt_regs *regs, unsigned long addr);
100412 /* Called from ioremap.c */
100413 extern void mmiotrace_ioremap(resource_size_t offset, unsigned long size,
100414 void __iomem *addr);
100415-extern void mmiotrace_iounmap(volatile void __iomem *addr);
100416+extern void mmiotrace_iounmap(const volatile void __iomem *addr);
100417
100418 /* For anyone to insert markers. Remember trailing newline. */
100419 extern __printf(1, 2) int mmiotrace_printk(const char *fmt, ...);
100420@@ -66,7 +66,7 @@ static inline void mmiotrace_ioremap(resource_size_t offset,
100421 {
100422 }
100423
100424-static inline void mmiotrace_iounmap(volatile void __iomem *addr)
100425+static inline void mmiotrace_iounmap(const volatile void __iomem *addr)
100426 {
100427 }
100428
100429diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
100430index 754c259..7b65ac6 100644
100431--- a/include/linux/mmzone.h
100432+++ b/include/linux/mmzone.h
100433@@ -526,7 +526,7 @@ struct zone {
100434
100435 ZONE_PADDING(_pad3_)
100436 /* Zone statistics */
100437- atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
100438+ atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
100439 } ____cacheline_internodealigned_in_smp;
100440
100441 enum zone_flags {
100442diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
100443index 34f25b7..0586069 100644
100444--- a/include/linux/mod_devicetable.h
100445+++ b/include/linux/mod_devicetable.h
100446@@ -139,7 +139,7 @@ struct usb_device_id {
100447 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
100448 #define USB_DEVICE_ID_MATCH_INT_NUMBER 0x0400
100449
100450-#define HID_ANY_ID (~0)
100451+#define HID_ANY_ID (~0U)
100452 #define HID_BUS_ANY 0xffff
100453 #define HID_GROUP_ANY 0x0000
100454
100455@@ -472,7 +472,7 @@ struct dmi_system_id {
100456 const char *ident;
100457 struct dmi_strmatch matches[4];
100458 void *driver_data;
100459-};
100460+} __do_const;
100461 /*
100462 * struct dmi_device_id appears during expansion of
100463 * "MODULE_DEVICE_TABLE(dmi, x)". Compiler doesn't look inside it
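--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -19,9 +19,11 @@
 #include <linux/jump_label.h>
 #include <linux/export.h>
 #include <linux/rbtree_latch.h>
+#include <linux/fs.h>
 
 #include <linux/percpu.h>
 #include <asm/module.h>
+#include <asm/pgtable.h>
 
 /* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
 #define MODULE_SIG_STRING "~Module signature appended~\n"
@@ -44,7 +46,7 @@ struct module_kobject {
 struct kobject *drivers_dir;
 struct module_param_attrs *mp;
 struct completion *kobj_completion;
-};
+} __randomize_layout;
 
 struct module_attribute {
 struct attribute attr;
@@ -56,12 +58,13 @@ struct module_attribute {
 int (*test)(struct module *);
 void (*free)(struct module *);
 };
+typedef struct module_attribute __no_const module_attribute_no_const;
 
 struct module_version_attribute {
 struct module_attribute mattr;
 const char *module_name;
 const char *version;
-} __attribute__ ((__aligned__(sizeof(void *))));
+} __do_const __attribute__ ((__aligned__(sizeof(void *))));
 
 extern ssize_t __modver_version_show(struct module_attribute *,
 struct module_kobject *, char *);
@@ -313,7 +316,7 @@ struct module {
 
 /* Sysfs stuff. */
 struct module_kobject mkobj;
- struct module_attribute *modinfo_attrs;
+ module_attribute_no_const *modinfo_attrs;
 const char *version;
 const char *srcversion;
 struct kobject *holders_dir;
@@ -370,20 +373,21 @@ struct module {
 * If this is non-NULL, vfree() after init() returns.
 *
 * Cacheline align here, such that:
- * module_init, module_core, init_size, core_size,
+ * module_init_*, module_core_*, init_size_*, core_size_*,
 * init_text_size, core_text_size and mtn_core::{mod,node[0]}
 * are on the same cacheline.
 */
- void *module_init ____cacheline_aligned;
+ void *module_init_rw ____cacheline_aligned;
+ void *module_init_rx;
 
 /* Here is the actual code + data, vfree'd on unload. */
- void *module_core;
+ void *module_core_rx, *module_core_rw;
 
 /* Here are the sizes of the init and core sections */
- unsigned int init_size, core_size;
+ unsigned int init_size_rw, core_size_rw;
 
 /* The size of the executable code in each section. */
- unsigned int init_text_size, core_text_size;
+ unsigned int init_size_rx, core_size_rx;
 
 #ifdef CONFIG_MODULES_TREE_LOOKUP
 /*
@@ -391,13 +395,12 @@ struct module {
 * above entries such that a regular lookup will only touch one
 * cacheline.
 */
- struct mod_tree_node mtn_core;
- struct mod_tree_node mtn_init;
+ struct mod_tree_node mtn_core_rw;
+ struct mod_tree_node mtn_core_rx;
+ struct mod_tree_node mtn_init_rw;
+ struct mod_tree_node mtn_init_rx;
 #endif
 
- /* Size of RO sections of the module (text+rodata) */
- unsigned int init_ro_size, core_ro_size;
-
 /* Arch-specific module values */
 struct mod_arch_specific arch;
 
@@ -454,6 +457,10 @@ struct module {
 unsigned int num_trace_events;
 struct trace_enum_map **trace_enums;
 unsigned int num_trace_enums;
+ struct file_operations trace_id;
+ struct file_operations trace_enable;
+ struct file_operations trace_format;
+ struct file_operations trace_filter;
 #endif
 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
 unsigned int num_ftrace_callsites;
@@ -481,7 +488,8 @@ struct module {
 ctor_fn_t *ctors;
 unsigned int num_ctors;
 #endif
-} ____cacheline_aligned;
+} ____cacheline_aligned __randomize_layout;
+
 #ifndef MODULE_ARCH_INIT
 #define MODULE_ARCH_INIT {}
 #endif
@@ -502,18 +510,48 @@ bool is_module_address(unsigned long addr);
 bool is_module_percpu_address(unsigned long addr);
 bool is_module_text_address(unsigned long addr);
 
+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
+{
+
+#ifdef CONFIG_PAX_KERNEXEC
+ if (ktla_ktva(addr) >= (unsigned long)start &&
+ ktla_ktva(addr) < (unsigned long)start + size)
+ return 1;
+#endif
+
+ return ((void *)addr >= start && (void *)addr < start + size);
+}
+
+static inline int within_module_core_rx(unsigned long addr, const struct module *mod)
+{
+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
+}
+
+static inline int within_module_core_rw(unsigned long addr, const struct module *mod)
+{
+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
+}
+
+static inline int within_module_init_rx(unsigned long addr, const struct module *mod)
+{
+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
+}
+
+static inline int within_module_init_rw(unsigned long addr, const struct module *mod)
+{
+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
+}
+
 static inline bool within_module_core(unsigned long addr,
 const struct module *mod)
 {
- return (unsigned long)mod->module_core <= addr &&
- addr < (unsigned long)mod->module_core + mod->core_size;
+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
 }
 
 static inline bool within_module_init(unsigned long addr,
 const struct module *mod)
 {
- return (unsigned long)mod->module_init <= addr &&
- addr < (unsigned long)mod->module_init + mod->init_size;
+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
 }
 
 static inline bool within_module(unsigned long addr, const struct module *mod)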
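Review bot: `within_module_range()` has no comment explaining why, under `CONFIG_PAX_KERNEXEC`, an address is accepted when either `addr` itself or `ktla_ktva(addr)` lies in the region. Every caller of `within_module_core()` and `within_module_init()` now matches on both forms. A short comment such as `/* KERNEXEC: accept the address in either of its two mappings */` would record that; the wording needs confirming against the arch definition of `ktla_ktva`, which is outside this hunk. The helper and its four `_rx`/`_rw` wrappers return `int` while the two public functions they feed return `bool`, and the fallback compares through `void *` arithmetic where the KERNEXEC branch uses `unsigned long`; using `bool` and `unsigned long` throughout, with `ktla_ktva(addr)` evaluated once into a local, would be more consistent. Separately, the context line `init_text_size, core_text_size and mtn_core::{mod,node[0]}` in the cacheline comment still names members this patch removes, and the added `__randomize_layout` on `struct module` may defeat the same-cacheline grouping that comment describes.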
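--- a/include/linux/moduleloader.h
+++ b/include/linux/moduleloader.h
@@ -25,9 +25,21 @@ unsigned int arch_mod_section_prepend(struct module *mod, unsigned int section);
 sections. Returns NULL on failure. */
 void *module_alloc(unsigned long size);
 
+#ifdef CONFIG_PAX_KERNEXEC
+void *module_alloc_exec(unsigned long size);
+#else
+#define module_alloc_exec(x) module_alloc(x)
+#endif
+
 /* Free memory returned from module_alloc. */
 void module_memfree(void *module_region);
 
+#ifdef CONFIG_PAX_KERNEXEC
+void module_memfree_exec(void *module_region);
+#else
+#define module_memfree_exec(x) module_memfree((x))
+#endif
+
 /*
 * Apply the given relocation to the (simplified) ELF. Return -error
 * or 0.
@@ -45,8 +57,10 @@ static inline int apply_relocate(Elf_Shdr *sechdrs,
 unsigned int relsec,
 struct module *me)
 {
+#ifdef CONFIG_MODULES
 printk(KERN_ERR "module %s: REL relocation unsupported\n",
 module_name(me));
+#endif
 return -ENOEXEC;
 }
 #endif
@@ -68,8 +82,10 @@ static inline int apply_relocate_add(Elf_Shdr *sechdrs,
 unsigned int relsec,
 struct module *me)
 {
+#ifdef CONFIG_MODULES
 printk(KERN_ERR "module %s: REL relocation unsupported\n",
 module_name(me));
+#endif
 return -ENOEXEC;
 }
 #endif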
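Review bot: `module_alloc_exec()` and `module_memfree_exec()` are added in the first hunk without a comment pairing them. In the non-KERNEXEC fallback both collapse to plain `module_alloc()`/`module_memfree()`, so a region allocated with one variant and freed with the other builds and runs there and only misbehaves once `CONFIG_PAX_KERNEXEC` is set. Mirroring the existing comments would make the contract explicit, e.g. `/* Allocate memory for module code; release with module_memfree_exec(). */` and `/* Free memory returned from module_alloc_exec. */`. The two fallback macros are also written differently (`module_alloc(x)` against `module_memfree((x))`); one form should be used for both.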
100680diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
100681index c12f214..3ef907f 100644
100682--- a/include/linux/moduleparam.h
100683+++ b/include/linux/moduleparam.h
100684@@ -289,7 +289,7 @@ static inline void kernel_param_unlock(struct module *mod)
100685 * @len is usually just sizeof(string).
100686 */
100687 #define module_param_string(name, string, len, perm) \
100688- static const struct kparam_string __param_string_##name \
100689+ static const struct kparam_string __param_string_##name __used \
100690 = { len, string }; \
100691 __module_param_call(MODULE_PARAM_PREFIX, name, \
100692 &param_ops_string, \
100693@@ -440,7 +440,7 @@ extern int param_set_bint(const char *val, const struct kernel_param *kp);
100694 */
100695 #define module_param_array_named(name, array, type, nump, perm) \
100696 param_check_##type(name, &(array)[0]); \
100697- static const struct kparam_array __param_arr_##name \
100698+ static const struct kparam_array __param_arr_##name __used \
100699 = { .max = ARRAY_SIZE(array), .num = nump, \
100700 .ops = &param_ops_##type, \
100701 .elemsize = sizeof(array[0]), .elem = array }; \
100702diff --git a/include/linux/mount.h b/include/linux/mount.h
100703index f822c3c..958ca0a 100644
100704--- a/include/linux/mount.h
100705+++ b/include/linux/mount.h
100706@@ -67,7 +67,7 @@ struct vfsmount {
100707 struct dentry *mnt_root; /* root of the mounted tree */
100708 struct super_block *mnt_sb; /* pointer to superblock */
100709 int mnt_flags;
100710-};
100711+} __randomize_layout;
100712
100713 struct file; /* forward dec */
100714 struct path;
100715diff --git a/include/linux/net.h b/include/linux/net.h
100716index 04aa068..8a24df5 100644
100717--- a/include/linux/net.h
100718+++ b/include/linux/net.h
100719@@ -189,7 +189,7 @@ struct net_proto_family {
100720 int (*create)(struct net *net, struct socket *sock,
100721 int protocol, int kern);
100722 struct module *owner;
100723-};
100724+} __do_const;
100725
100726 struct iovec;
100727 struct kvec;
100728diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
100729index e20979d..3c7827b 100644
100730--- a/include/linux/netdevice.h
100731+++ b/include/linux/netdevice.h
100732@@ -1212,6 +1212,7 @@ struct net_device_ops {
100733 u32 maxrate);
100734 int (*ndo_get_iflink)(const struct net_device *dev);
100735 };
100736+typedef struct net_device_ops __no_const net_device_ops_no_const;
100737
100738 /**
100739 * enum net_device_priv_flags - &struct net_device priv_flags
100740@@ -1519,7 +1520,7 @@ struct net_device {
100741 unsigned long base_addr;
100742 int irq;
100743
100744- atomic_t carrier_changes;
100745+ atomic_unchecked_t carrier_changes;
100746
100747 /*
100748 * Some hardware also needs these fields (state,dev_list,
100749@@ -1558,8 +1559,8 @@ struct net_device {
100750
100751 struct net_device_stats stats;
100752
100753- atomic_long_t rx_dropped;
100754- atomic_long_t tx_dropped;
100755+ atomic_long_unchecked_t rx_dropped;
100756+ atomic_long_unchecked_t tx_dropped;
100757
100758 #ifdef CONFIG_WIRELESS_EXT
100759 const struct iw_handler_def * wireless_handlers;
100760diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
100761index 00050df..0bc7081 100644
100762--- a/include/linux/netfilter.h
100763+++ b/include/linux/netfilter.h
100764@@ -115,7 +115,7 @@ struct nf_sockopt_ops {
100765 #endif
100766 /* Use the module struct to lock set/get code in place */
100767 struct module *owner;
100768-};
100769+} __do_const;
100770
100771 /* Function to register/unregister hook points. */
100772 int nf_register_hook(struct nf_hook_ops *reg);
100773diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
100774index e955d47..04a5338 100644
100775--- a/include/linux/netfilter/nfnetlink.h
100776+++ b/include/linux/netfilter/nfnetlink.h
100777@@ -19,7 +19,7 @@ struct nfnl_callback {
100778 const struct nlattr * const cda[]);
100779 const struct nla_policy *policy; /* netlink attribute policy */
100780 const u_int16_t attr_count; /* number of nlattr's */
100781-};
100782+} __do_const;
100783
100784 struct nfnetlink_subsystem {
100785 const char *name;
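--- /dev/null
+++ b/include/linux/netfilter/xt_gradm.h
@@ -0,0 +1,9 @@
+#ifndef _LINUX_NETFILTER_XT_GRADM_H
+#define _LINUX_NETFILTER_XT_GRADM_H 1
+
+struct xt_gradm_mtinfo {
+ __u16 flags;
+ __u16 invflags;
+};
+
+#endif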
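Review bot: The new header uses `__u16` but includes nothing, so it compiles only when the including file has already pulled in the type definitions; adding `#include <linux/types.h>` after the guard makes it self-contained. No bit values for `flags` or `invflags` are defined in this file, so a comment saying where they are defined, or that the fields are plain booleans, would help anyone validating a rule that uses this match.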
100801diff --git a/include/linux/nls.h b/include/linux/nls.h
100802index 520681b..2b7fabb 100644
100803--- a/include/linux/nls.h
100804+++ b/include/linux/nls.h
100805@@ -31,7 +31,7 @@ struct nls_table {
100806 const unsigned char *charset2upper;
100807 struct module *owner;
100808 struct nls_table *next;
100809-};
100810+} __do_const;
100811
100812 /* this value hold the maximum octet of charset */
100813 #define NLS_MAX_CHARSET_SIZE 6 /* for UTF-8 */
100814@@ -46,7 +46,7 @@ enum utf16_endian {
100815 /* nls_base.c */
100816 extern int __register_nls(struct nls_table *, struct module *);
100817 extern int unregister_nls(struct nls_table *);
100818-extern struct nls_table *load_nls(char *);
100819+extern struct nls_table *load_nls(const char *);
100820 extern void unload_nls(struct nls_table *);
100821 extern struct nls_table *load_nls_default(void);
100822 #define register_nls(nls) __register_nls((nls), THIS_MODULE)
100823diff --git a/include/linux/notifier.h b/include/linux/notifier.h
100824index d14a4c3..a078786 100644
100825--- a/include/linux/notifier.h
100826+++ b/include/linux/notifier.h
100827@@ -54,7 +54,8 @@ struct notifier_block {
100828 notifier_fn_t notifier_call;
100829 struct notifier_block __rcu *next;
100830 int priority;
100831-};
100832+} __do_const;
100833+typedef struct notifier_block __no_const notifier_block_no_const;
100834
100835 struct atomic_notifier_head {
100836 spinlock_t lock;
100837diff --git a/include/linux/oprofile.h b/include/linux/oprofile.h
100838index b2a0f15..4d7da32 100644
100839--- a/include/linux/oprofile.h
100840+++ b/include/linux/oprofile.h
100841@@ -138,9 +138,9 @@ int oprofilefs_create_ulong(struct dentry * root,
100842 int oprofilefs_create_ro_ulong(struct dentry * root,
100843 char const * name, ulong * val);
100844
100845-/** Create a file for read-only access to an atomic_t. */
100846+/** Create a file for read-only access to an atomic_unchecked_t. */
100847 int oprofilefs_create_ro_atomic(struct dentry * root,
100848- char const * name, atomic_t * val);
100849+ char const * name, atomic_unchecked_t * val);
100850
100851 /** create a directory */
100852 struct dentry *oprofilefs_mkdir(struct dentry *parent, char const *name);
100853diff --git a/include/linux/padata.h b/include/linux/padata.h
100854index 4386946..f50c615 100644
100855--- a/include/linux/padata.h
100856+++ b/include/linux/padata.h
100857@@ -129,7 +129,7 @@ struct parallel_data {
100858 struct padata_serial_queue __percpu *squeue;
100859 atomic_t reorder_objects;
100860 atomic_t refcnt;
100861- atomic_t seq_nr;
100862+ atomic_unchecked_t seq_nr;
100863 struct padata_cpumask cpumask;
100864 spinlock_t lock ____cacheline_aligned;
100865 unsigned int processed;
100866diff --git a/include/linux/path.h b/include/linux/path.h
100867index d137218..be0c176 100644
100868--- a/include/linux/path.h
100869+++ b/include/linux/path.h
100870@@ -1,13 +1,15 @@
100871 #ifndef _LINUX_PATH_H
100872 #define _LINUX_PATH_H
100873
100874+#include <linux/compiler.h>
100875+
100876 struct dentry;
100877 struct vfsmount;
100878
100879 struct path {
100880 struct vfsmount *mnt;
100881 struct dentry *dentry;
100882-};
100883+} __randomize_layout;
100884
100885 extern void path_get(const struct path *);
100886 extern void path_put(const struct path *);
100887diff --git a/include/linux/pci_hotplug.h b/include/linux/pci_hotplug.h
100888index 8c78950..0d74ed9 100644
100889--- a/include/linux/pci_hotplug.h
100890+++ b/include/linux/pci_hotplug.h
100891@@ -71,7 +71,8 @@ struct hotplug_slot_ops {
100892 int (*get_latch_status) (struct hotplug_slot *slot, u8 *value);
100893 int (*get_adapter_status) (struct hotplug_slot *slot, u8 *value);
100894 int (*reset_slot) (struct hotplug_slot *slot, int probe);
100895-};
100896+} __do_const;
100897+typedef struct hotplug_slot_ops __no_const hotplug_slot_ops_no_const;
100898
100899 /**
100900 * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
100901diff --git a/include/linux/percpu.h b/include/linux/percpu.h
100902index caebf2a..4c3ae9d 100644
100903--- a/include/linux/percpu.h
100904+++ b/include/linux/percpu.h
100905@@ -34,7 +34,7 @@
100906 * preallocate for this. Keep PERCPU_DYNAMIC_RESERVE equal to or
100907 * larger than PERCPU_DYNAMIC_EARLY_SIZE.
100908 */
100909-#define PERCPU_DYNAMIC_EARLY_SLOTS 128
100910+#define PERCPU_DYNAMIC_EARLY_SLOTS 256
100911 #define PERCPU_DYNAMIC_EARLY_SIZE (12 << 10)
100912
100913 /*
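--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -384,8 +384,8 @@ struct perf_event {
 
 enum perf_event_active_state state;
 unsigned int attach_state;
- local64_t count;
- atomic64_t child_count;
+ local64_t count; /* PaX: fix it one day */
+ atomic64_unchecked_t child_count;
 
 /*
 * These are the total time in nanoseconds that the event
@@ -436,8 +436,8 @@ struct perf_event {
 * These accumulate total time (in nanoseconds) that children
 * events have been enabled and running, respectively.
 */
- atomic64_t child_total_time_enabled;
- atomic64_t child_total_time_running;
+ atomic64_unchecked_t child_total_time_enabled;
+ atomic64_unchecked_t child_total_time_running;
 
 /*
 * Protect attach/detach and child_list:
@@ -859,7 +859,7 @@ static inline void perf_event_task_sched_out(struct task_struct *prev,
 
 static inline u64 __perf_event_count(struct perf_event *event)
 {
- return local64_read(&event->count) + atomic64_read(&event->child_count);
+ return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
 }
 
 extern void perf_event_mmap(struct vm_area_struct *vma);
@@ -883,7 +883,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64
 entry->ip[entry->nr++] = ip;
 }
 
-extern int sysctl_perf_event_paranoid;
+extern int sysctl_perf_event_legitimately_concerned;
 extern int sysctl_perf_event_mlock;
 extern int sysctl_perf_event_sample_rate;
 extern int sysctl_perf_cpu_time_max_percent;
@@ -898,19 +898,24 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
 loff_t *ppos);
 
 
+static inline bool perf_paranoid_any(void)
+{
+ return sysctl_perf_event_legitimately_concerned > 2;
+}
+
 static inline bool perf_paranoid_tracepoint_raw(void)
 {
- return sysctl_perf_event_paranoid > -1;
+ return sysctl_perf_event_legitimately_concerned > -1;
 }
 
 static inline bool perf_paranoid_cpu(void)
 {
- return sysctl_perf_event_paranoid > 0;
+ return sysctl_perf_event_legitimately_concerned > 0;
 }
 
 static inline bool perf_paranoid_kernel(void)
 {
- return sysctl_perf_event_paranoid > 1;
+ return sysctl_perf_event_legitimately_concerned > 1;
 }
 
 extern void perf_event_init(void);
@@ -1066,7 +1071,7 @@ struct perf_pmu_events_attr {
 struct device_attribute attr;
 u64 id;
 const char *event_str;
-};
+} __do_const;
 
 ssize_t perf_event_sysfs_show(struct device *dev, struct device_attribute *attr,
 char *page);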
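Review bot: `perf_paranoid_any()` adds a level above the three existing ones (`> 2`) with no comment on what it restricts, and the renamed `sysctl_perf_event_legitimately_concerned` carries no note on its value range. Because this value gates access to perf events, a short table above the helpers would help an administrator or auditor pick the right setting, for instance `/* -1: no restrictions, 0: no raw tracepoints, 1: no CPU events, 2: no kernel profiling, 3: <meaning of perf_paranoid_any> */`. The callers are outside this hunk, so the wording for level 3 has to be confirmed there. The `/* PaX: fix it one day */` remark on `count` also does not say what is to be fixed.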
100995diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
100996index 918b117..7af374b7 100644
100997--- a/include/linux/pid_namespace.h
100998+++ b/include/linux/pid_namespace.h
100999@@ -45,7 +45,7 @@ struct pid_namespace {
101000 int hide_pid;
101001 int reboot; /* group exit code if this pidns was rebooted */
101002 struct ns_common ns;
101003-};
101004+} __randomize_layout;
101005
101006 extern struct pid_namespace init_pid_ns;
101007
101008diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
101009index eb8b8ac..62649e1 100644
101010--- a/include/linux/pipe_fs_i.h
101011+++ b/include/linux/pipe_fs_i.h
101012@@ -47,10 +47,10 @@ struct pipe_inode_info {
101013 struct mutex mutex;
101014 wait_queue_head_t wait;
101015 unsigned int nrbufs, curbuf, buffers;
101016- unsigned int readers;
101017- unsigned int writers;
101018- unsigned int files;
101019- unsigned int waiting_writers;
101020+ atomic_t readers;
101021+ atomic_t writers;
101022+ atomic_t files;
101023+ atomic_t waiting_writers;
101024 unsigned int r_counter;
101025 unsigned int w_counter;
101026 struct page *tmp_page;
101027diff --git a/include/linux/pm.h b/include/linux/pm.h
101028index 35d599e..c604209 100644
101029--- a/include/linux/pm.h
101030+++ b/include/linux/pm.h
101031@@ -630,6 +630,7 @@ struct dev_pm_domain {
101032 void (*sync)(struct device *dev);
101033 void (*dismiss)(struct device *dev);
101034 };
101035+typedef struct dev_pm_domain __no_const dev_pm_domain_no_const;
101036
101037 /*
101038 * The PM_EVENT_ messages are also used by drivers implementing the legacy
101039diff --git a/include/linux/pm_domain.h b/include/linux/pm_domain.h
101040index 681ccb0..a90e0b7 100644
101041--- a/include/linux/pm_domain.h
101042+++ b/include/linux/pm_domain.h
101043@@ -39,11 +39,11 @@ struct gpd_dev_ops {
101044 int (*save_state)(struct device *dev);
101045 int (*restore_state)(struct device *dev);
101046 bool (*active_wakeup)(struct device *dev);
101047-};
101048+} __no_const;
101049
101050 struct gpd_cpuidle_data {
101051 unsigned int saved_exit_latency;
101052- struct cpuidle_state *idle_state;
101053+ cpuidle_state_no_const *idle_state;
101054 };
101055
101056 struct generic_pm_domain {
101057diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h
101058index 30e84d4..22278b4 100644
101059--- a/include/linux/pm_runtime.h
101060+++ b/include/linux/pm_runtime.h
101061@@ -115,7 +115,7 @@ static inline bool pm_runtime_callbacks_present(struct device *dev)
101062
101063 static inline void pm_runtime_mark_last_busy(struct device *dev)
101064 {
101065- ACCESS_ONCE(dev->power.last_busy) = jiffies;
101066+ ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
101067 }
101068
101069 static inline bool pm_runtime_is_irq_safe(struct device *dev)
101070diff --git a/include/linux/pnp.h b/include/linux/pnp.h
101071index 5df733b..d55f252 100644
101072--- a/include/linux/pnp.h
101073+++ b/include/linux/pnp.h
101074@@ -298,7 +298,7 @@ static inline void pnp_set_drvdata(struct pnp_dev *pdev, void *data)
101075 struct pnp_fixup {
101076 char id[7];
101077 void (*quirk_function) (struct pnp_dev * dev); /* fixup function */
101078-};
101079+} __do_const;
101080
101081 /* config parameters */
101082 #define PNP_CONFIG_NORMAL 0x0001
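--- a/include/linux/poison.h
+++ b/include/linux/poison.h
@@ -19,8 +19,8 @@
 * under normal circumstances, used to verify that nobody uses
 * non-initialized list entries.
 */
-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
 
 /********** include/linux/timer.h **********/
 /*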
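Review bot: On 64-bit builds the new `LIST_POISON1`/`LIST_POISON2` evaluate to 0x00000000FFFFFF01 and 0x00000000FFFFFF02, because the literal has type `unsigned int` and the `(long)` cast zero-extends it. The change also drops `POISON_POINTER_DELTA`, so the poison values no longer move with the architecture's configured illegal-pointer offset. The comment above says these values "cause page faults under normal circumstances"; whether that still holds on 64-bit depends on protections not shown in this hunk. I'd state the assumption next to the definitions, e.g. `/* must never be mappable: relies on <mechanism> on 64-bit */`, or, if a sign-extended value was intended, write `(long)(int)0xFFFFFF01`.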
101098diff --git a/include/linux/power/smartreflex.h b/include/linux/power/smartreflex.h
101099index d8b187c3..9a9257a 100644
101100--- a/include/linux/power/smartreflex.h
101101+++ b/include/linux/power/smartreflex.h
101102@@ -238,7 +238,7 @@ struct omap_sr_class_data {
101103 int (*notify)(struct omap_sr *sr, u32 status);
101104 u8 notify_flags;
101105 u8 class_type;
101106-};
101107+} __do_const;
101108
101109 /**
101110 * struct omap_sr_nvalue_table - Smartreflex n-target value info
101111diff --git a/include/linux/ppp-comp.h b/include/linux/ppp-comp.h
101112index 4ea1d37..80f4b33 100644
101113--- a/include/linux/ppp-comp.h
101114+++ b/include/linux/ppp-comp.h
101115@@ -84,7 +84,7 @@ struct compressor {
101116 struct module *owner;
101117 /* Extra skb space needed by the compressor algorithm */
101118 unsigned int comp_extra;
101119-};
101120+} __do_const;
101121
101122 /*
101123 * The return value from decompress routine is the length of the
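--- a/include/linux/preempt.h
+++ b/include/linux/preempt.h
@@ -131,11 +131,16 @@ extern void preempt_count_sub(int val);
 #define preempt_count_dec_and_test() __preempt_count_dec_and_test()
 #endif
 
+#define raw_preempt_count_add(val) __preempt_count_add(val)
+#define raw_preempt_count_sub(val) __preempt_count_sub(val)
+
 #define __preempt_count_inc() __preempt_count_add(1)
 #define __preempt_count_dec() __preempt_count_sub(1)
 
 #define preempt_count_inc() preempt_count_add(1)
+#define raw_preempt_count_inc() raw_preempt_count_add(1)
 #define preempt_count_dec() preempt_count_sub(1)
+#define raw_preempt_count_dec() raw_preempt_count_sub(1)
 
 #define preempt_active_enter() \
 do { \
@@ -157,6 +162,12 @@ do { \
 barrier(); \
 } while (0)
 
+#define raw_preempt_disable() \
+do { \
+ raw_preempt_count_inc(); \
+ barrier(); \
+} while (0)
+
 #define sched_preempt_enable_no_resched() \
 do { \
 barrier(); \
@@ -165,6 +176,12 @@ do { \
 
 #define preempt_enable_no_resched() sched_preempt_enable_no_resched()
 
+#define raw_preempt_enable_no_resched() \
+do { \
+ barrier(); \
+ raw_preempt_count_dec(); \
+} while (0)
+
 #define preemptible() (preempt_count() == 0 && !irqs_disabled())
 
 #ifdef CONFIG_PREEMPT
@@ -225,8 +242,10 @@ do { \
 * region.
 */
 #define preempt_disable() barrier()
+#define raw_preempt_disable() barrier()
 #define sched_preempt_enable_no_resched() barrier()
 #define preempt_enable_no_resched() barrier()
+#define raw_preempt_enable_no_resched() barrier()
 #define preempt_enable() barrier()
 #define preempt_check_resched() do { } while (0)
 
@@ -241,11 +260,13 @@ do { \
 /*
 * Modules have no business playing preemption tricks.
 */
+#ifndef CONFIG_PAX_KERNEXEC
 #undef sched_preempt_enable_no_resched
 #undef preempt_enable_no_resched
 #undef preempt_enable_no_resched_notrace
 #undef preempt_check_resched
 #endif
+#endif
 
 #define preempt_set_need_resched() \
 do { \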
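Review bot: The `raw_preempt_*` macros are added with no comment on how they differ from the non-raw ones. From the hunks they call `__preempt_count_add()`/`__preempt_count_sub()` directly instead of `preempt_count_add()`/`preempt_count_sub()`, which presumably skips whatever debugging or tracing the out-of-line versions perform (their bodies are outside this diff). The last hunk also wraps the module-side `#undef`s in `#ifndef CONFIG_PAX_KERNEXEC`, which contradicts the comment directly above it ("Modules have no business playing preemption tricks") without saying why KERNEXEC builds need the exception. I'd add something like `/* raw_*: bypass the preempt debug/trace hooks; only for <caller context> */` above `raw_preempt_count_add` and a one-line reason beside the new `#ifndef`.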
101196diff --git a/include/linux/printk.h b/include/linux/printk.h
101197index a6298b2..57fe982 100644
101198--- a/include/linux/printk.h
101199+++ b/include/linux/printk.h
101200@@ -123,6 +123,7 @@ void early_printk(const char *s, ...) { }
101201 #endif
101202
101203 typedef __printf(1, 0) int (*printk_func_t)(const char *fmt, va_list args);
101204+extern int kptr_restrict;
101205
101206 #ifdef CONFIG_PRINTK
101207 asmlinkage __printf(5, 0)
101208@@ -158,7 +159,6 @@ extern bool printk_timed_ratelimit(unsigned long *caller_jiffies,
101209
101210 extern int printk_delay_msec;
101211 extern int dmesg_restrict;
101212-extern int kptr_restrict;
101213
101214 extern void wake_up_klogd(void);
101215
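--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -17,8 +17,11 @@ extern void proc_flush_task(struct task_struct *);
 extern struct proc_dir_entry *proc_symlink(const char *,
 struct proc_dir_entry *, const char *);
 extern struct proc_dir_entry *proc_mkdir(const char *, struct proc_dir_entry *);
+extern struct proc_dir_entry *proc_mkdir_restrict(const char *, struct proc_dir_entry *);
 extern struct proc_dir_entry *proc_mkdir_data(const char *, umode_t,
 struct proc_dir_entry *, void *);
+extern struct proc_dir_entry *proc_mkdir_data_restrict(const char *, umode_t,
+ struct proc_dir_entry *, void *);
 extern struct proc_dir_entry *proc_mkdir_mode(const char *, umode_t,
 struct proc_dir_entry *);
 
@@ -34,6 +37,19 @@ static inline struct proc_dir_entry *proc_create(
 return proc_create_data(name, mode, parent, proc_fops, NULL);
 }
 
+static inline struct proc_dir_entry *proc_create_grsec(const char *name, umode_t mode,
+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
+{
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
+#else
+ return proc_create_data(name, mode, parent, proc_fops, NULL);
+#endif
+}
+
+
 extern void proc_set_size(struct proc_dir_entry *, loff_t);
 extern void proc_set_user(struct proc_dir_entry *, kuid_t, kgid_t);
 extern void *PDE_DATA(const struct inode *);
@@ -56,8 +72,12 @@ static inline struct proc_dir_entry *proc_symlink(const char *name,
 struct proc_dir_entry *parent,const char *dest) { return NULL;}
 static inline struct proc_dir_entry *proc_mkdir(const char *name,
 struct proc_dir_entry *parent) {return NULL;}
+static inline struct proc_dir_entry *proc_mkdir_restrict(const char *name,
+ struct proc_dir_entry *parent) { return NULL; }
 static inline struct proc_dir_entry *proc_mkdir_data(const char *name,
 umode_t mode, struct proc_dir_entry *parent, void *data) { return NULL; }
+static inline struct proc_dir_entry *proc_mkdir_data_restrict(const char *name,
+ umode_t mode, struct proc_dir_entry *parent, void *data) { return NULL; }
 static inline struct proc_dir_entry *proc_mkdir_mode(const char *name,
 umode_t mode, struct proc_dir_entry *parent) { return NULL; }
 #define proc_create(name, mode, parent, proc_fops) ({NULL;})
@@ -79,7 +99,7 @@ struct net;
 static inline struct proc_dir_entry *proc_net_mkdir(
 struct net *net, const char *name, struct proc_dir_entry *parent)
 {
- return proc_mkdir_data_restrict(name, 0, parent, net);
+ return proc_mkdir_data_restrict(name, 0, parent, net);
 }
 
 #endif /* _LINUX_PROC_FS_H */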
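Review bot: `proc_create_grsec()` silently discards the caller's `mode` when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, so an entry requested with write bits becomes read-only and the `mode` argument means something only in the third branch. That is worth stating above the function, e.g. `/* mode is honoured only without GRKERNSEC_PROC_USER/USERGROUP; otherwise the entry is forced to 0400 or 0440 */`. The stub hunk further down adds `!CONFIG_PROC_FS` versions of `proc_mkdir_restrict()` and `proc_mkdir_data_restrict()` next to the existing `#define proc_create(...) ({NULL;})`, but none for `proc_create_grsec()`. If the helper sits inside the `CONFIG_PROC_FS` branch, as its position beside the inline `proc_create()` suggests, callers built without procfs would have no definition. A matching stub such as `#define proc_create_grsec(name, mode, parent, proc_fops) ({NULL;})` would close that gap, unless one exists outside the visible hunks.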
101274diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h
101275index 42dfc61..8113a99 100644
101276--- a/include/linux/proc_ns.h
101277+++ b/include/linux/proc_ns.h
101278@@ -16,7 +16,7 @@ struct proc_ns_operations {
101279 struct ns_common *(*get)(struct task_struct *task);
101280 void (*put)(struct ns_common *ns);
101281 int (*install)(struct nsproxy *nsproxy, struct ns_common *ns);
101282-};
101283+} __do_const __randomize_layout;
101284
101285 extern const struct proc_ns_operations netns_operations;
101286 extern const struct proc_ns_operations utsns_operations;
101287diff --git a/include/linux/quota.h b/include/linux/quota.h
101288index b2505ac..5f7ab55 100644
101289--- a/include/linux/quota.h
101290+++ b/include/linux/quota.h
101291@@ -76,7 +76,7 @@ struct kqid { /* Type in which we store the quota identifier */
101292
101293 extern bool qid_eq(struct kqid left, struct kqid right);
101294 extern bool qid_lt(struct kqid left, struct kqid right);
101295-extern qid_t from_kqid(struct user_namespace *to, struct kqid qid);
101296+extern qid_t from_kqid(struct user_namespace *to, struct kqid qid) __intentional_overflow(-1);
101297 extern qid_t from_kqid_munged(struct user_namespace *to, struct kqid qid);
101298 extern bool qid_valid(struct kqid qid);
101299
101300diff --git a/include/linux/random.h b/include/linux/random.h
101301index e651874..a872186 100644
101302--- a/include/linux/random.h
101303+++ b/include/linux/random.h
101304@@ -16,9 +16,19 @@ struct random_ready_callback {
101305 };
101306
101307 extern void add_device_randomness(const void *, unsigned int);
101308+
101309+static inline void add_latent_entropy(void)
101310+{
101311+
101312+#ifdef LATENT_ENTROPY_PLUGIN
101313+ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
101314+#endif
101315+
101316+}
101317+
101318 extern void add_input_randomness(unsigned int type, unsigned int code,
101319- unsigned int value);
101320-extern void add_interrupt_randomness(int irq, int irq_flags);
101321+ unsigned int value) __latent_entropy;
101322+extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
101323
101324 extern void get_random_bytes(void *buf, int nbytes);
101325 extern int add_random_ready_callback(struct random_ready_callback *rdy);
101326@@ -46,6 +56,11 @@ struct rnd_state {
101327 u32 prandom_u32_state(struct rnd_state *state);
101328 void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
101329
101330+static inline unsigned long __intentional_overflow(-1) pax_get_random_long(void)
101331+{
101332+ return prandom_u32() + (sizeof(long) > 4 ? (unsigned long)prandom_u32() << 32 : 0);
101333+}
101334+
101335 /**
101336 * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
101337 * @ep_ro: right open interval endpoint
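Review bot: `pax_get_random_long()` is assembled from two `prandom_u32()` draws and has no comment saying what it may be used for. prandom is the kernel's fast, non-cryptographic generator, so a caller that needs an unpredictable value (its callers are outside this hunk) would get less than the name suggests. `get_random_bytes()`, declared a few lines earlier in this header, is the source meant for that case. At minimum add a header comment such as `/* pseudo-random long built from prandom_u32(); not suitable for secrets */`, and check each caller against that statement.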
101338@@ -58,7 +73,7 @@ void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
101339 *
101340 * Returns: pseudo-random number in interval [0, ep_ro)
101341 */
101342-static inline u32 prandom_u32_max(u32 ep_ro)
101343+static inline u32 __intentional_overflow(-1) prandom_u32_max(u32 ep_ro)
101344 {
101345 return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
101346 }
101347diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h
101348index 14d7b83..a1edf56 100644
101349--- a/include/linux/rbtree_augmented.h
101350+++ b/include/linux/rbtree_augmented.h
101351@@ -90,7 +90,9 @@ rbname ## _rotate(struct rb_node *rb_old, struct rb_node *rb_new) \
101352 old->rbaugmented = rbcompute(old); \
101353 } \
101354 rbstatic const struct rb_augment_callbacks rbname = { \
101355- rbname ## _propagate, rbname ## _copy, rbname ## _rotate \
101356+ .propagate = rbname ## _propagate, \
101357+ .copy = rbname ## _copy, \
101358+ .rotate = rbname ## _rotate \
101359 };
101360
101361
101362diff --git a/include/linux/rculist.h b/include/linux/rculist.h
101363index 17c6b1f..a65e3f8 100644
101364--- a/include/linux/rculist.h
101365+++ b/include/linux/rculist.h
101366@@ -59,6 +59,9 @@ void __list_add_rcu(struct list_head *new,
101367 struct list_head *prev, struct list_head *next);
101368 #endif
101369
101370+void __pax_list_add_rcu(struct list_head *new,
101371+ struct list_head *prev, struct list_head *next);
101372+
101373 /**
101374 * list_add_rcu - add a new entry to rcu-protected list
101375 * @new: new entry to be added
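Review bot: `__pax_list_add_rcu()` here, and `pax_list_add_rcu()`, `pax_list_add_tail_rcu()` and `pax_list_del_rcu()` in the three following rculist.h hunks, are added without the kernel-doc that every neighbouring helper carries. Nothing tells a caller when the `pax_` form is required instead of `list_add_rcu()`/`list_del_rcu()`, or whether the same locking and RCU rules apply. A short block on each, stating which lists need the `pax_` variant and what the caller must hold, would make misuse much less likely. The prototype is also placed after the `#endif`, so it is declared unconditionally, unlike `__list_add_rcu()` just above it; a one-line comment saying that is intentional would help.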
101376@@ -80,6 +83,11 @@ static inline void list_add_rcu(struct list_head *new, struct list_head *head)
101377 __list_add_rcu(new, head, head->next);
101378 }
101379
101380+static inline void pax_list_add_rcu(struct list_head *new, struct list_head *head)
101381+{
101382+ __pax_list_add_rcu(new, head, head->next);
101383+}
101384+
101385 /**
101386 * list_add_tail_rcu - add a new entry to rcu-protected list
101387 * @new: new entry to be added
101388@@ -102,6 +110,12 @@ static inline void list_add_tail_rcu(struct list_head *new,
101389 __list_add_rcu(new, head->prev, head);
101390 }
101391
101392+static inline void pax_list_add_tail_rcu(struct list_head *new,
101393+ struct list_head *head)
101394+{
101395+ __pax_list_add_rcu(new, head->prev, head);
101396+}
101397+
101398 /**
101399 * list_del_rcu - deletes entry from list without re-initialization
101400 * @entry: the element to delete from the list.
101401@@ -132,6 +146,8 @@ static inline void list_del_rcu(struct list_head *entry)
101402 entry->prev = LIST_POISON2;
101403 }
101404
101405+extern void pax_list_del_rcu(struct list_head *entry);
101406+
101407 /**
101408 * hlist_del_init_rcu - deletes entry from hash list with re-initialization
101409 * @n: the element to delete from the hash list.
101410diff --git a/include/linux/reboot.h b/include/linux/reboot.h
101411index a7ff409..03e2fa8 100644
101412--- a/include/linux/reboot.h
101413+++ b/include/linux/reboot.h
101414@@ -47,9 +47,9 @@ extern void do_kernel_restart(char *cmd);
101415 */
101416
101417 extern void migrate_to_reboot_cpu(void);
101418-extern void machine_restart(char *cmd);
101419-extern void machine_halt(void);
101420-extern void machine_power_off(void);
101421+extern void machine_restart(char *cmd) __noreturn;
101422+extern void machine_halt(void) __noreturn;
101423+extern void machine_power_off(void) __noreturn;
101424
101425 extern void machine_shutdown(void);
101426 struct pt_regs;
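Review bot: The `__noreturn` added to `machine_restart()`, `machine_halt()` and `machine_power_off()` here is only a promise on the declaration, and the compiler does not check it against definitions in other files. The same applies to `kernel_restart()`, `kernel_halt()`, `kernel_power_off()` and `emergency_restart()` in the next two hunks. If any architecture or platform implementation can still return, the caller may have been compiled without the code that follows the call, and execution would continue into whatever comes next. The definitions are outside this header, so each one needs confirming as non-returning. A comment such as `/* must never return: every implementation ends in a non-returning call or loop */` above the group would record the contract.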
101427@@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struct pt_regs *);
101428 */
101429
101430 extern void kernel_restart_prepare(char *cmd);
101431-extern void kernel_restart(char *cmd);
101432-extern void kernel_halt(void);
101433-extern void kernel_power_off(void);
101434+extern void kernel_restart(char *cmd) __noreturn;
101435+extern void kernel_halt(void) __noreturn;
101436+extern void kernel_power_off(void) __noreturn;
101437
101438 extern int C_A_D; /* for sysctl */
101439 void ctrl_alt_del(void);
101440@@ -77,7 +77,7 @@ extern void orderly_reboot(void);
101441 * Emergency restart, callable from an interrupt handler.
101442 */
101443
101444-extern void emergency_restart(void);
101445+extern void emergency_restart(void) __noreturn;
101446 #include <asm/emergency-restart.h>
101447
101448 #endif /* _LINUX_REBOOT_H */
101449diff --git a/include/linux/regset.h b/include/linux/regset.h
101450index 8e0c9fe..ac4d221 100644
101451--- a/include/linux/regset.h
101452+++ b/include/linux/regset.h
101453@@ -161,7 +161,8 @@ struct user_regset {
101454 unsigned int align;
101455 unsigned int bias;
101456 unsigned int core_note_type;
101457-};
101458+} __do_const;
101459+typedef struct user_regset __no_const user_regset_no_const;
101460
101461 /**
101462 * struct user_regset_view - available regsets
101463diff --git a/include/linux/relay.h b/include/linux/relay.h
101464index d7c8359..818daf5 100644
101465--- a/include/linux/relay.h
101466+++ b/include/linux/relay.h
101467@@ -157,7 +157,7 @@ struct rchan_callbacks
101468 * The callback should return 0 if successful, negative if not.
101469 */
101470 int (*remove_buf_file)(struct dentry *dentry);
101471-};
101472+} __no_const;
101473
101474 /*
101475 * CONFIG_RELAY kernel API, kernel/relay.c
101476diff --git a/include/linux/rio.h b/include/linux/rio.h
101477index cde976e..ebd6033 100644
101478--- a/include/linux/rio.h
101479+++ b/include/linux/rio.h
101480@@ -358,7 +358,7 @@ struct rio_ops {
101481 int (*map_inb)(struct rio_mport *mport, dma_addr_t lstart,
101482 u64 rstart, u32 size, u32 flags);
101483 void (*unmap_inb)(struct rio_mport *mport, dma_addr_t lstart);
101484-};
101485+} __no_const;
101486
101487 #define RIO_RESOURCE_MEM 0x00000100
101488 #define RIO_RESOURCE_DOORBELL 0x00000200
101489diff --git a/include/linux/rmap.h b/include/linux/rmap.h
101490index c89c53a..aa0a65a 100644
101491--- a/include/linux/rmap.h
101492+++ b/include/linux/rmap.h
101493@@ -146,8 +146,8 @@ static inline void anon_vma_unlock_read(struct anon_vma *anon_vma)
101494 void anon_vma_init(void); /* create anon_vma_cachep */
101495 int anon_vma_prepare(struct vm_area_struct *);
101496 void unlink_anon_vmas(struct vm_area_struct *);
101497-int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
101498-int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
101499+int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
101500+int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
101501
101502 static inline void anon_vma_merge(struct vm_area_struct *vma,
101503 struct vm_area_struct *next)
101504diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
101505index 9b1ef0c..9fa3feb 100644
101506--- a/include/linux/scatterlist.h
101507+++ b/include/linux/scatterlist.h
101508@@ -1,6 +1,7 @@
101509 #ifndef _LINUX_SCATTERLIST_H
101510 #define _LINUX_SCATTERLIST_H
101511
101512+#include <linux/sched.h>
101513 #include <linux/string.h>
101514 #include <linux/types.h>
101515 #include <linux/bug.h>
101516@@ -136,10 +137,17 @@ static inline struct page *sg_page(struct scatterlist *sg)
101517 static inline void sg_set_buf(struct scatterlist *sg, const void *buf,
101518 unsigned int buflen)
101519 {
101520+ const void *realbuf = buf;
101521+
101522+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
101523+ if (object_starts_on_stack(buf))
101524+ realbuf = buf - current->stack + current->lowmem_stack;
101525+#endif
101526+
101527 #ifdef CONFIG_DEBUG_SG
101528- BUG_ON(!virt_addr_valid(buf));
101529+ BUG_ON(!virt_addr_valid(realbuf));
101530 #endif
101531- sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf));
101532+ sg_set_page(sg, virt_to_page(realbuf), buflen, offset_in_page(realbuf));
101533 }
101534
101535 /*
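Review bot: The rebasing of `buf` onto `current->lowmem_stack` in sg_set_buf() is gated on `object_starts_on_stack(buf)`, which tests only the first byte, as the sched.h part of this patch shows. `buflen` is therefore never compared with the end of the stack. A buffer that starts near the top of the stack and runs past `current->stack + THREAD_SIZE` would be translated with its tail outside the lowmem alias. Consider asserting the end inside the `#ifdef`, e.g. `BUG_ON(buf + buflen > current->stack + THREAD_SIZE);`. A comment saying why the alias is needed would also help, presumably because `virt_to_page()` is not valid on the relocated stack (confirm).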
101536diff --git a/include/linux/sched.h b/include/linux/sched.h
101537index 04b5ada..9861651 100644
101538--- a/include/linux/sched.h
101539+++ b/include/linux/sched.h
101540@@ -7,7 +7,7 @@
101541
101542
101543 struct sched_param {
101544- int sched_priority;
101545+ unsigned int sched_priority;
101546 };
101547
101548 #include <asm/param.h> /* for HZ */
101549@@ -134,6 +134,7 @@ struct perf_event_context;
101550 struct blk_plug;
101551 struct filename;
101552 struct nameidata;
101553+struct linux_binprm;
101554
101555 #define VMACACHE_BITS 2
101556 #define VMACACHE_SIZE (1U << VMACACHE_BITS)
101557@@ -436,6 +437,19 @@ struct nsproxy;
101558 struct user_namespace;
101559
101560 #ifdef CONFIG_MMU
101561+
101562+#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
101563+extern unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags);
101564+#else
101565+static inline unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
101566+{
101567+ return 0;
101568+}
101569+#endif
101570+
101571+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset);
101572+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset);
101573+
101574 extern void arch_pick_mmap_layout(struct mm_struct *mm);
101575 extern unsigned long
101576 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
101577@@ -749,6 +763,17 @@ struct signal_struct {
101578 #ifdef CONFIG_TASKSTATS
101579 struct taskstats *stats;
101580 #endif
101581+
101582+#ifdef CONFIG_GRKERNSEC
101583+ u32 curr_ip;
101584+ u32 saved_ip;
101585+ u32 gr_saddr;
101586+ u32 gr_daddr;
101587+ u16 gr_sport;
101588+ u16 gr_dport;
101589+ u8 used_accept:1;
101590+#endif
101591+
101592 #ifdef CONFIG_AUDIT
101593 unsigned audit_tty;
101594 unsigned audit_tty_log_passwd;
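Review bot: The new `curr_ip`, `saved_ip`, `gr_saddr` and `gr_daddr` members are plain `u32` with no comments, so they can hold an IPv4 address at most, and the byte order is not stated. If these feed log or audit attribution (their users are outside this hunk), a task whose peer is IPv6 would be recorded with no usable address. Add a comment to each field saying what sets it and in which byte order, e.g. `/* IPv4 only, network byte order; 0 if unknown */`, adjusted to what the setters actually do. The struct starts and ends outside this hunk.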
101595@@ -763,7 +788,7 @@ struct signal_struct {
101596 struct mutex cred_guard_mutex; /* guard against foreign influences on
101597 * credential calculations
101598 * (notably. ptrace) */
101599-};
101600+} __randomize_layout;
101601
101602 /*
101603 * Bits in flags field of signal_struct.
101604@@ -816,6 +841,14 @@ struct user_struct {
101605 struct key *session_keyring; /* UID's default session keyring */
101606 #endif
101607
101608+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
101609+ unsigned char kernel_banned;
101610+#endif
101611+#ifdef CONFIG_GRKERNSEC_BRUTE
101612+ unsigned char suid_banned;
101613+ unsigned long suid_ban_expires;
101614+#endif
101615+
101616 /* Hash table maintenance information */
101617 struct hlist_node uidhash_node;
101618 kuid_t uid;
101619@@ -823,7 +856,7 @@ struct user_struct {
101620 #ifdef CONFIG_PERF_EVENTS
101621 atomic_long_t locked_vm;
101622 #endif
101623-};
101624+} __randomize_layout;
101625
101626 extern int uids_sysfs_init(void);
101627
101628@@ -1344,6 +1377,9 @@ enum perf_event_task_context {
101629 struct task_struct {
101630 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
101631 void *stack;
101632+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
101633+ void *lowmem_stack;
101634+#endif
101635 atomic_t usage;
101636 unsigned int flags; /* per process flags, defined below */
101637 unsigned int ptrace;
101638@@ -1476,8 +1512,8 @@ struct task_struct {
101639 struct list_head thread_node;
101640
101641 struct completion *vfork_done; /* for vfork() */
101642- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
101643- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
101644+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
101645+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
101646
101647 cputime_t utime, stime, utimescaled, stimescaled;
101648 cputime_t gtime;
101649@@ -1502,11 +1538,6 @@ struct task_struct {
101650 struct task_cputime cputime_expires;
101651 struct list_head cpu_timers[3];
101652
101653-/* process credentials */
101654- const struct cred __rcu *real_cred; /* objective and real subjective task
101655- * credentials (COW) */
101656- const struct cred __rcu *cred; /* effective (overridable) subjective task
101657- * credentials (COW) */
101658 char comm[TASK_COMM_LEN]; /* executable name excluding path
101659 - access with [gs]et_task_comm (which lock
101660 it with task_lock())
101661@@ -1598,6 +1629,10 @@ struct task_struct {
101662 gfp_t lockdep_reclaim_gfp;
101663 #endif
101664
101665+/* process credentials */
101666+ const struct cred __rcu *real_cred; /* objective and real subjective task
101667+ * credentials (COW) */
101668+
101669 /* journalling filesystem info */
101670 void *journal_info;
101671
101672@@ -1636,6 +1671,10 @@ struct task_struct {
101673 /* cg_list protected by css_set_lock and tsk->alloc_lock */
101674 struct list_head cg_list;
101675 #endif
101676+
101677+ const struct cred __rcu *cred; /* effective (overridable) subjective task
101678+ * credentials (COW) */
101679+
101680 #ifdef CONFIG_FUTEX
101681 struct robust_list_head __user *robust_list;
101682 #ifdef CONFIG_COMPAT
101683@@ -1747,7 +1786,7 @@ struct task_struct {
101684 * Number of functions that haven't been traced
101685 * because of depth overrun.
101686 */
101687- atomic_t trace_overrun;
101688+ atomic_unchecked_t trace_overrun;
101689 /* Pause for the tracing */
101690 atomic_t tracing_graph_pause;
101691 #endif
101692@@ -1776,22 +1815,91 @@ struct task_struct {
101693 unsigned long task_state_change;
101694 #endif
101695 int pagefault_disabled;
101696+
101697+#ifdef CONFIG_GRKERNSEC
101698+ /* grsecurity */
101699+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
101700+ u64 exec_id;
101701+#endif
101702+#ifdef CONFIG_GRKERNSEC_SETXID
101703+ const struct cred *delayed_cred;
101704+#endif
101705+ struct dentry *gr_chroot_dentry;
101706+ struct acl_subject_label *acl;
101707+ struct acl_subject_label *tmpacl;
101708+ struct acl_role_label *role;
101709+ struct file *exec_file;
101710+ unsigned long brute_expires;
101711+ u16 acl_role_id;
101712+ u8 inherited;
101713+ /* is this the task that authenticated to the special role */
101714+ u8 acl_sp_role;
101715+ u8 is_writable;
101716+ u8 brute;
101717+ u8 gr_is_chrooted;
101718+#endif
101719+
101720+/* thread_info moved to task_struct */
101721+#ifdef CONFIG_X86
101722+ struct thread_info tinfo;
101723+#endif
101724 /* CPU-specific state of this task */
101725 struct thread_struct thread;
101726-/*
101727- * WARNING: on x86, 'thread_struct' contains a variable-sized
101728- * structure. It *MUST* be at the end of 'task_struct'.
101729- *
101730- * Do not put anything below here!
101731- */
101732-};
101733+} __randomize_layout;
101734
101735 #ifdef CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT
101736-extern int arch_task_struct_size __read_mostly;
101737+extern size_t arch_task_struct_size __read_mostly;
101738 #else
101739 # define arch_task_struct_size (sizeof(struct task_struct))
101740 #endif
101741
101742+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
101743+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
101744+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
101745+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
101746+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
101747+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
101748+
101749+#ifdef CONFIG_PAX_SOFTMODE
101750+extern int pax_softmode;
101751+#endif
101752+
101753+extern int pax_check_flags(unsigned long *);
101754+#define PAX_PARSE_FLAGS_FALLBACK (~0UL)
101755+
101756+/* if tsk != current then task_lock must be held on it */
101757+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
101758+static inline unsigned long pax_get_flags(struct task_struct *tsk)
101759+{
101760+ if (likely(tsk->mm))
101761+ return tsk->mm->pax_flags;
101762+ else
101763+ return 0UL;
101764+}
101765+
101766+/* if tsk != current then task_lock must be held on it */
101767+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
101768+{
101769+ if (likely(tsk->mm)) {
101770+ tsk->mm->pax_flags = flags;
101771+ return 0;
101772+ }
101773+ return -EINVAL;
101774+}
101775+#endif
101776+
101777+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
101778+extern void pax_set_initial_flags(struct linux_binprm *bprm);
101779+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
101780+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
101781+#endif
101782+
101783+struct path;
101784+extern char *pax_get_path(const struct path *path, char *buf, int buflen);
101785+extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
101786+extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
101787+extern void pax_report_refcount_overflow(struct pt_regs *regs);
101788+
101789 /* Future-safe accessor for struct task_struct's cpus_allowed. */
101790 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
101791
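Review bot: The warning that `thread` must remain the last member of `task_struct` is deleted here while the struct gains `__randomize_layout`, and nothing in the hunk says how that ordering constraint is still met. The deleted text gave the reason: on x86, `thread_struct` contains a variable-sized structure. If the layout plugin pins the final member, or the constraint no longer holds in this tree, replace the removed text with a short note saying so, for example `/* thread must stay last (variable-sized on x86); layout randomization keeps it in place -- confirm */`. As written, a later edit that appends a field after `thread` has no warning left to stop it. The struct begins outside this hunk.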
101792@@ -1873,7 +1981,7 @@ struct pid_namespace;
101793 pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
101794 struct pid_namespace *ns);
101795
101796-static inline pid_t task_pid_nr(struct task_struct *tsk)
101797+static inline pid_t task_pid_nr(const struct task_struct *tsk)
101798 {
101799 return tsk->pid;
101800 }
101801@@ -2241,6 +2349,25 @@ extern u64 sched_clock_cpu(int cpu);
101802
101803 extern void sched_clock_init(void);
101804
101805+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
101806+static inline void populate_stack(void)
101807+{
101808+ struct task_struct *curtask = current;
101809+ int c;
101810+ int *ptr = curtask->stack;
101811+ int *end = curtask->stack + THREAD_SIZE;
101812+
101813+ while (ptr < end) {
101814+ c = *(volatile int *)ptr;
101815+ ptr += PAGE_SIZE/sizeof(int);
101816+ }
101817+}
101818+#else
101819+static inline void populate_stack(void)
101820+{
101821+}
101822+#endif
101823+
101824 #ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
101825 static inline void sched_clock_tick(void)
101826 {
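Review bot: `populate_stack()` has no comment explaining why it reads one `int` from every page of the current task's stack, and the value goes into `c`, which is never used. A header such as `/* touch each page of current's stack so it is mapped before code that cannot fault runs */` would record the intent; that is my reading of the loop and needs confirming. `(void)*(volatile int *)ptr;` performs the same read without the set-but-unused local.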
101827@@ -2369,7 +2496,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
101828 void yield(void);
101829
101830 union thread_union {
101831+#ifndef CONFIG_X86
101832 struct thread_info thread_info;
101833+#endif
101834 unsigned long stack[THREAD_SIZE/sizeof(long)];
101835 };
101836
101837@@ -2402,6 +2531,7 @@ extern struct pid_namespace init_pid_ns;
101838 */
101839
101840 extern struct task_struct *find_task_by_vpid(pid_t nr);
101841+extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
101842 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
101843 struct pid_namespace *ns);
101844
101845@@ -2579,7 +2709,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
101846 extern void exit_itimers(struct signal_struct *);
101847 extern void flush_itimer_signals(void);
101848
101849-extern void do_group_exit(int);
101850+extern __noreturn void do_group_exit(int);
101851
101852 extern int do_execve(struct filename *,
101853 const char __user * const __user *,
101854@@ -2784,9 +2914,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
101855 #define task_stack_end_corrupted(task) \
101856 (*(end_of_stack(task)) != STACK_END_MAGIC)
101857
101858-static inline int object_is_on_stack(void *obj)
101859+static inline int object_starts_on_stack(const void *obj)
101860 {
101861- void *stack = task_stack_page(current);
101862+ const void *stack = task_stack_page(current);
101863
101864 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
101865 }
101866diff --git a/include/linux/sched/sysctl.h b/include/linux/sched/sysctl.h
101867index c9e4731..c716293 100644
101868--- a/include/linux/sched/sysctl.h
101869+++ b/include/linux/sched/sysctl.h
101870@@ -34,6 +34,7 @@ enum { sysctl_hung_task_timeout_secs = 0 };
101871 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
101872
101873 extern int sysctl_max_map_count;
101874+extern unsigned long sysctl_heap_stack_gap;
101875
101876 extern unsigned int sysctl_sched_latency;
101877 extern unsigned int sysctl_sched_min_granularity;
101878diff --git a/include/linux/security.h b/include/linux/security.h
101879index 79d85dd..5bc05d7 100644
101880--- a/include/linux/security.h
101881+++ b/include/linux/security.h
101882@@ -28,6 +28,7 @@
101883 #include <linux/err.h>
101884 #include <linux/string.h>
101885 #include <linux/mm.h>
101886+#include <linux/grsecurity.h>
101887
101888 struct linux_binprm;
101889 struct cred;
101890@@ -946,7 +947,7 @@ static inline int security_task_prctl(int option, unsigned long arg2,
101891 unsigned long arg4,
101892 unsigned long arg5)
101893 {
101894- return cap_task_prctl(option, arg2, arg3, arg3, arg5);
101895+ return cap_task_prctl(option, arg2, arg3, arg4, arg5);
101896 }
101897
101898 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
101899diff --git a/include/linux/semaphore.h b/include/linux/semaphore.h
101900index dc368b8..e895209 100644
101901--- a/include/linux/semaphore.h
101902+++ b/include/linux/semaphore.h
101903@@ -37,7 +37,7 @@ static inline void sema_init(struct semaphore *sem, int val)
101904 }
101905
101906 extern void down(struct semaphore *sem);
101907-extern int __must_check down_interruptible(struct semaphore *sem);
101908+extern int __must_check down_interruptible(struct semaphore *sem) __intentional_overflow(-1);
101909 extern int __must_check down_killable(struct semaphore *sem);
101910 extern int __must_check down_trylock(struct semaphore *sem);
101911 extern int __must_check down_timeout(struct semaphore *sem, long jiffies);
101912diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
101913index d4c7271..abf5706 100644
101914--- a/include/linux/seq_file.h
101915+++ b/include/linux/seq_file.h
101916@@ -27,6 +27,9 @@ struct seq_file {
101917 struct mutex lock;
101918 const struct seq_operations *op;
101919 int poll_event;
101920+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
101921+ u64 exec_id;
101922+#endif
101923 #ifdef CONFIG_USER_NS
101924 struct user_namespace *user_ns;
101925 #endif
101926@@ -39,6 +42,7 @@ struct seq_operations {
101927 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
101928 int (*show) (struct seq_file *m, void *v);
101929 };
101930+typedef struct seq_operations __no_const seq_operations_no_const;
101931
101932 #define SEQ_SKIP 1
101933
101934@@ -111,6 +115,7 @@ void seq_pad(struct seq_file *m, char c);
101935
101936 char *mangle_path(char *s, const char *p, const char *esc);
101937 int seq_open(struct file *, const struct seq_operations *);
101938+int seq_open_restrict(struct file *, const struct seq_operations *);
101939 ssize_t seq_read(struct file *, char __user *, size_t, loff_t *);
101940 loff_t seq_lseek(struct file *, loff_t, int);
101941 int seq_release(struct inode *, struct file *);
101942@@ -129,6 +134,7 @@ int seq_path_root(struct seq_file *m, const struct path *path,
101943 const struct path *root, const char *esc);
101944
101945 int single_open(struct file *, int (*)(struct seq_file *, void *), void *);
101946+int single_open_restrict(struct file *, int (*)(struct seq_file *, void *), void *);
101947 int single_open_size(struct file *, int (*)(struct seq_file *, void *), void *, size_t);
101948 int single_release(struct inode *, struct file *);
101949 void *__seq_open_private(struct file *, const struct seq_operations *, int);
101950diff --git a/include/linux/shm.h b/include/linux/shm.h
101951index 6fb8016..2cf60e7 100644
101952--- a/include/linux/shm.h
101953+++ b/include/linux/shm.h
101954@@ -22,7 +22,11 @@ struct shmid_kernel /* private to the kernel */
101955 /* The task created the shm object. NULL if the task is dead. */
101956 struct task_struct *shm_creator;
101957 struct list_head shm_clist; /* list by creator */
101958-};
101959+#ifdef CONFIG_GRKERNSEC
101960+ u64 shm_createtime;
101961+ pid_t shm_lapid;
101962+#endif
101963+} __randomize_layout;
101964
101965 /* shm_mode upper byte flags */
101966 #define SHM_DEST 01000 /* segment will be destroyed on last detach */
101967diff --git a/include/linux/signal.h b/include/linux/signal.h
101968index ab1e039..ad4229e 100644
101969--- a/include/linux/signal.h
101970+++ b/include/linux/signal.h
101971@@ -289,7 +289,7 @@ static inline void allow_signal(int sig)
101972 * know it'll be handled, so that they don't get converted to
101973 * SIGKILL or just silently dropped.
101974 */
101975- kernel_sigaction(sig, (__force __sighandler_t)2);
101976+ kernel_sigaction(sig, (__force_user __sighandler_t)2);
101977 }
101978
101979 static inline void disallow_signal(int sig)
101980diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
101981index 9b88536..6a15c44 100644
101982--- a/include/linux/skbuff.h
101983+++ b/include/linux/skbuff.h
101984@@ -784,7 +784,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
101985 int node);
101986 struct sk_buff *__build_skb(void *data, unsigned int frag_size);
101987 struct sk_buff *build_skb(void *data, unsigned int frag_size);
101988-static inline struct sk_buff *alloc_skb(unsigned int size,
101989+static inline struct sk_buff * __intentional_overflow(0) alloc_skb(unsigned int size,
101990 gfp_t priority)
101991 {
101992 return __alloc_skb(size, priority, 0, NUMA_NO_NODE);
101993@@ -1979,7 +1979,7 @@ static inline u32 skb_inner_network_header_len(const struct sk_buff *skb)
101994 return skb->inner_transport_header - skb->inner_network_header;
101995 }
101996
101997-static inline int skb_network_offset(const struct sk_buff *skb)
101998+static inline int __intentional_overflow(0) skb_network_offset(const struct sk_buff *skb)
101999 {
102000 return skb_network_header(skb) - skb->data;
102001 }
102002@@ -2039,7 +2039,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
102003 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
102004 */
102005 #ifndef NET_SKB_PAD
102006-#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
102007+#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
102008 #endif
102009
102010 int ___pskb_trim(struct sk_buff *skb, unsigned int len);
102011@@ -2682,9 +2682,9 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock,
102012 int *err);
102013 unsigned int datagram_poll(struct file *file, struct socket *sock,
102014 struct poll_table_struct *wait);
102015-int skb_copy_datagram_iter(const struct sk_buff *from, int offset,
102016+int __intentional_overflow(0) skb_copy_datagram_iter(const struct sk_buff *from, int offset,
102017 struct iov_iter *to, int size);
102018-static inline int skb_copy_datagram_msg(const struct sk_buff *from, int offset,
102019+static inline int __intentional_overflow(2,4) skb_copy_datagram_msg(const struct sk_buff *from, int offset,
102020 struct msghdr *msg, int size)
102021 {
102022 return skb_copy_datagram_iter(from, offset, &msg->msg_iter, size);
102023@@ -3213,6 +3213,9 @@ static inline void nf_reset(struct sk_buff *skb)
102024 nf_bridge_put(skb->nf_bridge);
102025 skb->nf_bridge = NULL;
102026 #endif
102027+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
102028+ skb->nf_trace = 0;
102029+#endif
102030 }
102031
102032 static inline void nf_reset_trace(struct sk_buff *skb)
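Review bot: The `skb->nf_trace = 0;` added to nf_reset() sits under its own hand-written `#if`, and it appears to duplicate what `nf_reset_trace()` exists for. Only that function's signature is visible, as the last context line; its body is outside the hunk. If the two guards differ now or later, nf_reset() will either fail to build or leave the trace bit set in a configuration where the field exists. Defining nf_reset_trace() before nf_reset() and calling it would leave a single guard. Otherwise add a comment such as `/* keep in sync with the #if around sk_buff::nf_trace */`.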
102033diff --git a/include/linux/slab.h b/include/linux/slab.h
102034index a99f0e5..4efa730 100644
102035--- a/include/linux/slab.h
102036+++ b/include/linux/slab.h
102037@@ -15,14 +15,29 @@
102038 #include <linux/types.h>
102039 #include <linux/workqueue.h>
102040
102041+#include <linux/err.h>
102042
102043 /*
102044 * Flags to pass to kmem_cache_create().
102045 * The ones marked DEBUG are only valid if CONFIG_DEBUG_SLAB is set.
102046 */
102047 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
102048+
102049+#ifdef CONFIG_PAX_USERCOPY_SLABS
102050+#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
102051+#else
102052+#define SLAB_USERCOPY 0x00000000UL
102053+#endif
102054+
102055 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
102056 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
102057+
102058+#ifdef CONFIG_PAX_MEMORY_SANITIZE
102059+#define SLAB_NO_SANITIZE 0x00001000UL /* PaX: Do not sanitize objs on free */
102060+#else
102061+#define SLAB_NO_SANITIZE 0x00000000UL
102062+#endif
102063+
102064 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
102065 #define SLAB_CACHE_DMA 0x00004000UL /* Use GFP_DMA memory */
102066 #define SLAB_STORE_USER 0x00010000UL /* DEBUG: Store the last owner for bug hunting */
102067@@ -98,10 +113,13 @@
102068 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
102069 * Both make kfree a no-op.
102070 */
102071-#define ZERO_SIZE_PTR ((void *)16)
102072+#define ZERO_SIZE_PTR \
102073+({ \
102074+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
102075+ (void *)(-MAX_ERRNO-1L); \
102076+})
102077
102078-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
102079- (unsigned long)ZERO_SIZE_PTR)
102080+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
102081
102082 #include <linux/kmemleak.h>
102083 #include <linux/kasan.h>
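Review bot: The rewritten `ZERO_OR_NULL_PTR()` is true for NULL and for every address from `ZERO_SIZE_PTR` upward, which takes in the whole `ERR_PTR` range (`-MAX_ERRNO` to `-1`), and neither macro has a comment saying so. An error pointer reaching a path that tests this macro is therefore treated as "nothing allocated" instead of being dereferenced. If that is the intent, document it: `/* x - 1 wraps NULL to ULONG_MAX, so this matches NULL, ZERO_SIZE_PTR and every ERR_PTR value */`. `ZERO_SIZE_PTR` is also now a statement expression, so it can no longer appear in a static initializer or other constant-expression context; existing users should be checked for that.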
102084@@ -143,6 +161,8 @@ void * __must_check krealloc(const void *, size_t, gfp_t);
102085 void kfree(const void *);
102086 void kzfree(const void *);
102087 size_t ksize(const void *);
102088+const char *check_heap_object(const void *ptr, unsigned long n);
102089+bool is_usercopy_object(const void *ptr);
102090
102091 /*
102092 * Some archs want to perform DMA into kmalloc caches and need a guaranteed
102093@@ -235,6 +255,10 @@ extern struct kmem_cache *kmalloc_caches[KMALLOC_SHIFT_HIGH + 1];
102094 extern struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
102095 #endif
102096
102097+#ifdef CONFIG_PAX_USERCOPY_SLABS
102098+extern struct kmem_cache *kmalloc_usercopy_caches[KMALLOC_SHIFT_HIGH + 1];
102099+#endif
102100+
102101 /*
102102 * Figure out which kmalloc slab an allocation of a certain size
102103 * belongs to.
102104@@ -243,7 +267,7 @@ extern struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
102105 * 2 = 129 .. 192 bytes
102106 * n = 2^(n-1)+1 .. 2^n
102107 */
102108-static __always_inline int kmalloc_index(size_t size)
102109+static __always_inline __size_overflow(1) int kmalloc_index(size_t size)
102110 {
102111 if (!size)
102112 return 0;
102113@@ -286,15 +310,15 @@ static __always_inline int kmalloc_index(size_t size)
102114 }
102115 #endif /* !CONFIG_SLOB */
102116
102117-void *__kmalloc(size_t size, gfp_t flags);
102118+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1) __size_overflow(1);
102119 void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags);
102120 void kmem_cache_free(struct kmem_cache *, void *);
102121
102122 #ifdef CONFIG_NUMA
102123-void *__kmalloc_node(size_t size, gfp_t flags, int node);
102124+void *__kmalloc_node(size_t size, gfp_t flags, int node) __alloc_size(1) __size_overflow(1);
102125 void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
102126 #else
102127-static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
102128+static __always_inline void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
102129 {
102130 return __kmalloc(size, flags);
102131 }
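Review bot: The `!CONFIG_NUMA` inline `__kmalloc_node()` is annotated with `__size_overflow(1)` only, while the `CONFIG_NUMA` prototype a few lines above gets `__alloc_size(1) __size_overflow(1)`. The inline forwards to `__kmalloc()`, which is annotated, so this is probably harmless once inlined, but the two variants of one function should carry the same attributes. I would write `static __always_inline void * __alloc_size(1) __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)`, or add a comment if the omission is deliberate.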
102132diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h
102133index 33d0490..70a6313 100644
102134--- a/include/linux/slab_def.h
102135+++ b/include/linux/slab_def.h
102136@@ -40,7 +40,7 @@ struct kmem_cache {
102137 /* 4) cache creation/removal */
102138 const char *name;
102139 struct list_head list;
102140- int refcount;
102141+ atomic_t refcount;
102142 int object_size;
102143 int align;
102144
102145@@ -56,10 +56,14 @@ struct kmem_cache {
102146 unsigned long node_allocs;
102147 unsigned long node_frees;
102148 unsigned long node_overflow;
102149- atomic_t allochit;
102150- atomic_t allocmiss;
102151- atomic_t freehit;
102152- atomic_t freemiss;
102153+ atomic_unchecked_t allochit;
102154+ atomic_unchecked_t allocmiss;
102155+ atomic_unchecked_t freehit;
102156+ atomic_unchecked_t freemiss;
102157+#ifdef CONFIG_PAX_MEMORY_SANITIZE
102158+ atomic_unchecked_t sanitized;
102159+ atomic_unchecked_t not_sanitized;
102160+#endif
102161
102162 /*
102163 * If debugging is enabled, then the allocator can add additional
102164diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
102165index 3388511..6252f90 100644
102166--- a/include/linux/slub_def.h
102167+++ b/include/linux/slub_def.h
102168@@ -74,7 +74,7 @@ struct kmem_cache {
102169 struct kmem_cache_order_objects max;
102170 struct kmem_cache_order_objects min;
102171 gfp_t allocflags; /* gfp flags to use on each alloc */
102172- int refcount; /* Refcount for slab cache destroy */
102173+ atomic_t refcount; /* Refcount for slab cache destroy */
102174 void (*ctor)(void *);
102175 int inuse; /* Offset to metadata */
102176 int align; /* Alignment */
102177diff --git a/include/linux/smp.h b/include/linux/smp.h
102178index c441407..f487b83 100644
102179--- a/include/linux/smp.h
102180+++ b/include/linux/smp.h
102181@@ -183,7 +183,9 @@ static inline void smp_init(void) { }
102182 #endif
102183
102184 #define get_cpu() ({ preempt_disable(); smp_processor_id(); })
102185+#define raw_get_cpu() ({ raw_preempt_disable(); raw_smp_processor_id(); })
102186 #define put_cpu() preempt_enable()
102187+#define raw_put_cpu_no_resched() raw_preempt_enable_no_resched()
102188
102189 /*
102190 * Callback to arch code if there's nosmp or maxcpus=0 on the
102191diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
102192index fddebc6..6f0ae39 100644
102193--- a/include/linux/sock_diag.h
102194+++ b/include/linux/sock_diag.h
102195@@ -15,7 +15,7 @@ struct sock_diag_handler {
102196 __u8 family;
102197 int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh);
102198 int (*get_info)(struct sk_buff *skb, struct sock *sk);
102199-};
102200+} __do_const;
102201
102202 int sock_diag_register(const struct sock_diag_handler *h);
102203 void sock_diag_unregister(const struct sock_diag_handler *h);
102204diff --git a/include/linux/sonet.h b/include/linux/sonet.h
102205index 680f9a3..f13aeb0 100644
102206--- a/include/linux/sonet.h
102207+++ b/include/linux/sonet.h
102208@@ -7,7 +7,7 @@
102209 #include <uapi/linux/sonet.h>
102210
102211 struct k_sonet_stats {
102212-#define __HANDLE_ITEM(i) atomic_t i
102213+#define __HANDLE_ITEM(i) atomic_unchecked_t i
102214 __SONET_ITEMS
102215 #undef __HANDLE_ITEM
102216 };
102217diff --git a/include/linux/sunrpc/addr.h b/include/linux/sunrpc/addr.h
102218index 07d8e53..dc934c9 100644
102219--- a/include/linux/sunrpc/addr.h
102220+++ b/include/linux/sunrpc/addr.h
102221@@ -23,9 +23,9 @@ static inline unsigned short rpc_get_port(const struct sockaddr *sap)
102222 {
102223 switch (sap->sa_family) {
102224 case AF_INET:
102225- return ntohs(((struct sockaddr_in *)sap)->sin_port);
102226+ return ntohs(((const struct sockaddr_in *)sap)->sin_port);
102227 case AF_INET6:
102228- return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
102229+ return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
102230 }
102231 return 0;
102232 }
102233@@ -58,7 +58,7 @@ static inline bool __rpc_cmp_addr4(const struct sockaddr *sap1,
102234 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
102235 const struct sockaddr *src)
102236 {
102237- const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
102238+ const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
102239 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
102240
102241 dsin->sin_family = ssin->sin_family;
102242@@ -164,7 +164,7 @@ static inline u32 rpc_get_scope_id(const struct sockaddr *sa)
102243 if (sa->sa_family != AF_INET6)
102244 return 0;
102245
102246- return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
102247+ return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
102248 }
102249
102250 #endif /* _LINUX_SUNRPC_ADDR_H */
102251diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h
102252index 131032f..5f9378a 100644
102253--- a/include/linux/sunrpc/clnt.h
102254+++ b/include/linux/sunrpc/clnt.h
102255@@ -101,7 +101,7 @@ struct rpc_procinfo {
102256 unsigned int p_timer; /* Which RTT timer to use */
102257 u32 p_statidx; /* Which procedure to account */
102258 const char * p_name; /* name of procedure */
102259-};
102260+} __do_const;
102261
102262 #ifdef __KERNEL__
102263
102264diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
102265index fae6fb9..023fbcd 100644
102266--- a/include/linux/sunrpc/svc.h
102267+++ b/include/linux/sunrpc/svc.h
102268@@ -420,7 +420,7 @@ struct svc_procedure {
102269 unsigned int pc_count; /* call count */
102270 unsigned int pc_cachetype; /* cache info (NFS) */
102271 unsigned int pc_xdrressize; /* maximum size of XDR reply */
102272-};
102273+} __do_const;
102274
102275 /*
102276 * Function prototypes.
102277diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h
102278index 4929a8a..b8f29e9 100644
102279--- a/include/linux/sunrpc/svc_rdma.h
102280+++ b/include/linux/sunrpc/svc_rdma.h
102281@@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
102282 extern unsigned int svcrdma_max_requests;
102283 extern unsigned int svcrdma_max_req_size;
102284
102285-extern atomic_t rdma_stat_recv;
102286-extern atomic_t rdma_stat_read;
102287-extern atomic_t rdma_stat_write;
102288-extern atomic_t rdma_stat_sq_starve;
102289-extern atomic_t rdma_stat_rq_starve;
102290-extern atomic_t rdma_stat_rq_poll;
102291-extern atomic_t rdma_stat_rq_prod;
102292-extern atomic_t rdma_stat_sq_poll;
102293-extern atomic_t rdma_stat_sq_prod;
102294+extern atomic_unchecked_t rdma_stat_recv;
102295+extern atomic_unchecked_t rdma_stat_read;
102296+extern atomic_unchecked_t rdma_stat_write;
102297+extern atomic_unchecked_t rdma_stat_sq_starve;
102298+extern atomic_unchecked_t rdma_stat_rq_starve;
102299+extern atomic_unchecked_t rdma_stat_rq_poll;
102300+extern atomic_unchecked_t rdma_stat_rq_prod;
102301+extern atomic_unchecked_t rdma_stat_sq_poll;
102302+extern atomic_unchecked_t rdma_stat_sq_prod;
102303
102304 /*
102305 * Contexts are built when an RDMA request is created and are a
102306diff --git a/include/linux/sunrpc/svcauth.h b/include/linux/sunrpc/svcauth.h
102307index 8d71d65..f79586e 100644
102308--- a/include/linux/sunrpc/svcauth.h
102309+++ b/include/linux/sunrpc/svcauth.h
102310@@ -120,7 +120,7 @@ struct auth_ops {
102311 int (*release)(struct svc_rqst *rq);
102312 void (*domain_release)(struct auth_domain *);
102313 int (*set_client)(struct svc_rqst *rq);
102314-};
102315+} __do_const;
102316
102317 #define SVC_GARBAGE 1
102318 #define SVC_SYSERR 2
102319diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
102320index e7a018e..49f8b17 100644
102321--- a/include/linux/swiotlb.h
102322+++ b/include/linux/swiotlb.h
102323@@ -60,7 +60,8 @@ extern void
102324
102325 extern void
102326 swiotlb_free_coherent(struct device *hwdev, size_t size,
102327- void *vaddr, dma_addr_t dma_handle);
102328+ void *vaddr, dma_addr_t dma_handle,
102329+ struct dma_attrs *attrs);
102330
102331 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
102332 unsigned long offset, size_t size,
102333diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
102334index b45c45b..a6ae64c 100644
102335--- a/include/linux/syscalls.h
102336+++ b/include/linux/syscalls.h
102337@@ -102,7 +102,12 @@ union bpf_attr;
102338 #define __TYPE_IS_L(t) (__same_type((t)0, 0L))
102339 #define __TYPE_IS_UL(t) (__same_type((t)0, 0UL))
102340 #define __TYPE_IS_LL(t) (__same_type((t)0, 0LL) || __same_type((t)0, 0ULL))
102341-#define __SC_LONG(t, a) __typeof(__builtin_choose_expr(__TYPE_IS_LL(t), 0LL, 0L)) a
102342+#define __SC_LONG(t, a) __typeof__( \
102343+ __builtin_choose_expr( \
102344+ sizeof(t) > sizeof(int), \
102345+ (t) 0, \
102346+ __builtin_choose_expr(__type_is_unsigned(t), 0UL, 0L) \
102347+ )) a
102348 #define __SC_CAST(t, a) (t) a
102349 #define __SC_ARGS(t, a) a
102350 #define __SC_TEST(t, a) (void)BUILD_BUG_ON_ZERO(!__TYPE_IS_LL(t) && sizeof(t) > sizeof(long))
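Review bot: The rewritten `__SC_LONG` picks the declared type by `sizeof(t) > sizeof(int)` and then by `__type_is_unsigned(t)`, while the unchanged `__SC_TEST` below it still keys on `__TYPE_IS_LL(t)`. The two macros no longer share a criterion, and nothing explains the new rule. A comment above `__SC_LONG` should state the intent, presumably that narrow unsigned arguments are now widened as `unsigned long` rather than `long`, and that types wider than `int` keep their own type. `__type_is_unsigned` is defined outside this hunk, so its behaviour for pointer and `bool` arguments should be checked there.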
102351@@ -384,11 +389,11 @@ asmlinkage long sys_sync(void);
102352 asmlinkage long sys_fsync(unsigned int fd);
102353 asmlinkage long sys_fdatasync(unsigned int fd);
102354 asmlinkage long sys_bdflush(int func, long data);
102355-asmlinkage long sys_mount(char __user *dev_name, char __user *dir_name,
102356- char __user *type, unsigned long flags,
102357+asmlinkage long sys_mount(const char __user *dev_name, const char __user *dir_name,
102358+ const char __user *type, unsigned long flags,
102359 void __user *data);
102360-asmlinkage long sys_umount(char __user *name, int flags);
102361-asmlinkage long sys_oldumount(char __user *name);
102362+asmlinkage long sys_umount(const char __user *name, int flags);
102363+asmlinkage long sys_oldumount(const char __user *name);
102364 asmlinkage long sys_truncate(const char __user *path, long length);
102365 asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length);
102366 asmlinkage long sys_stat(const char __user *filename,
102367@@ -604,7 +609,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *);
102368 asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *);
102369 asmlinkage long sys_send(int, void __user *, size_t, unsigned);
102370 asmlinkage long sys_sendto(int, void __user *, size_t, unsigned,
102371- struct sockaddr __user *, int);
102372+ struct sockaddr __user *, int) __intentional_overflow(0);
102373 asmlinkage long sys_sendmsg(int fd, struct user_msghdr __user *msg, unsigned flags);
102374 asmlinkage long sys_sendmmsg(int fd, struct mmsghdr __user *msg,
102375 unsigned int vlen, unsigned flags);
102376@@ -663,10 +668,10 @@ asmlinkage long sys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf);
102377
102378 asmlinkage long sys_semget(key_t key, int nsems, int semflg);
102379 asmlinkage long sys_semop(int semid, struct sembuf __user *sops,
102380- unsigned nsops);
102381+ long nsops);
102382 asmlinkage long sys_semctl(int semid, int semnum, int cmd, unsigned long arg);
102383 asmlinkage long sys_semtimedop(int semid, struct sembuf __user *sops,
102384- unsigned nsops,
102385+ long nsops,
102386 const struct timespec __user *timeout);
102387 asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg);
102388 asmlinkage long sys_shmget(key_t key, size_t size, int flag);
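Review bot: Changing `nsops` from `unsigned` to `long` in the `sys_semop()` and `sys_semtimedop()` prototypes makes negative counts representable, so the lower-bound check in the definitions is no longer implied by the type. The definitions are outside this hunk. Confirm that they reject `nsops < 1` before the value bounds the copy from `sops`, and that the upper-limit comparison is not defeated by a signed/unsigned conversion. A short comment on the prototype saying why the parameter is `long` would save the next reader from changing it back.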
102389diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h
102390index 27b3b0b..e093dd9 100644
102391--- a/include/linux/syscore_ops.h
102392+++ b/include/linux/syscore_ops.h
102393@@ -16,7 +16,7 @@ struct syscore_ops {
102394 int (*suspend)(void);
102395 void (*resume)(void);
102396 void (*shutdown)(void);
102397-};
102398+} __do_const;
102399
102400 extern void register_syscore_ops(struct syscore_ops *ops);
102401 extern void unregister_syscore_ops(struct syscore_ops *ops);
102402diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
102403index fa7bc29..0d96561 100644
102404--- a/include/linux/sysctl.h
102405+++ b/include/linux/sysctl.h
102406@@ -39,10 +39,16 @@ typedef int proc_handler (struct ctl_table *ctl, int write,
102407
102408 extern int proc_dostring(struct ctl_table *, int,
102409 void __user *, size_t *, loff_t *);
102410+extern int proc_dostring_modpriv(struct ctl_table *, int,
102411+ void __user *, size_t *, loff_t *);
102412 extern int proc_dointvec(struct ctl_table *, int,
102413 void __user *, size_t *, loff_t *);
102414+extern int proc_dointvec_secure(struct ctl_table *, int,
102415+ void __user *, size_t *, loff_t *);
102416 extern int proc_dointvec_minmax(struct ctl_table *, int,
102417 void __user *, size_t *, loff_t *);
102418+extern int proc_dointvec_minmax_secure(struct ctl_table *, int,
102419+ void __user *, size_t *, loff_t *);
102420 extern int proc_dointvec_jiffies(struct ctl_table *, int,
102421 void __user *, size_t *, loff_t *);
102422 extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
102423@@ -113,7 +119,8 @@ struct ctl_table
102424 struct ctl_table_poll *poll;
102425 void *extra1;
102426 void *extra2;
102427-};
102428+} __do_const __randomize_layout;
102429+typedef struct ctl_table __no_const ctl_table_no_const;
102430
102431 struct ctl_node {
102432 struct rb_node node;
102433diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
102434index 9f65758..487a6f1 100644
102435--- a/include/linux/sysfs.h
102436+++ b/include/linux/sysfs.h
102437@@ -34,7 +34,8 @@ struct attribute {
102438 struct lock_class_key *key;
102439 struct lock_class_key skey;
102440 #endif
102441-};
102442+} __do_const;
102443+typedef struct attribute __no_const attribute_no_const;
102444
102445 /**
102446 * sysfs_attr_init - initialize a dynamically allocated sysfs attribute
102447@@ -78,7 +79,8 @@ struct attribute_group {
102448 struct attribute *, int);
102449 struct attribute **attrs;
102450 struct bin_attribute **bin_attrs;
102451-};
102452+} __do_const;
102453+typedef struct attribute_group __no_const attribute_group_no_const;
102454
102455 /**
102456 * Use these macros to make defining attributes easier. See include/linux/device.h
102457@@ -152,7 +154,8 @@ struct bin_attribute {
102458 char *, loff_t, size_t);
102459 int (*mmap)(struct file *, struct kobject *, struct bin_attribute *attr,
102460 struct vm_area_struct *vma);
102461-};
102462+} __do_const;
102463+typedef struct bin_attribute __no_const bin_attribute_no_const;
102464
102465 /**
102466 * sysfs_bin_attr_init - initialize a dynamically allocated bin_attribute
102467diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
102468index 387fa7d..3fcde6b 100644
102469--- a/include/linux/sysrq.h
102470+++ b/include/linux/sysrq.h
102471@@ -16,6 +16,7 @@
102472
102473 #include <linux/errno.h>
102474 #include <linux/types.h>
102475+#include <linux/compiler.h>
102476
102477 /* Possible values of bitmask for enabling sysrq functions */
102478 /* 0x0001 is reserved for enable everything */
102479@@ -33,7 +34,7 @@ struct sysrq_key_op {
102480 char *help_msg;
102481 char *action_msg;
102482 int enable_mask;
102483-};
102484+} __do_const;
102485
102486 #ifdef CONFIG_MAGIC_SYSRQ
102487
102488diff --git a/include/linux/tcp.h b/include/linux/tcp.h
102489index 48c3696..e7a7ba6 100644
102490--- a/include/linux/tcp.h
102491+++ b/include/linux/tcp.h
102492@@ -63,13 +63,13 @@ struct tcp_fastopen_cookie {
102493
102494 /* This defines a selective acknowledgement block. */
102495 struct tcp_sack_block_wire {
102496- __be32 start_seq;
102497- __be32 end_seq;
102498+ __be32 start_seq __intentional_overflow(-1);
102499+ __be32 end_seq __intentional_overflow(-1);
102500 };
102501
102502 struct tcp_sack_block {
102503- u32 start_seq;
102504- u32 end_seq;
102505+ u32 start_seq __intentional_overflow(-1);
102506+ u32 end_seq __intentional_overflow(-1);
102507 };
102508
102509 /*These are used to set the sack_ok field in struct tcp_options_received */
102510@@ -153,7 +153,7 @@ struct tcp_sock {
102511 * total number of segments in.
102512 */
102513 u32 rcv_nxt; /* What we want to receive next */
102514- u32 copied_seq; /* Head of yet unread data */
102515+ u32 copied_seq __intentional_overflow(-1); /* Head of yet unread data */
102516 u32 rcv_wup; /* rcv_nxt on last window update sent */
102517 u32 snd_nxt; /* Next sequence we send */
102518 u32 segs_out; /* RFC4898 tcpEStatsPerfSegsOut
102519@@ -248,7 +248,7 @@ struct tcp_sock {
102520 u32 prr_out; /* Total number of pkts sent during Recovery. */
102521
102522 u32 rcv_wnd; /* Current receiver window */
102523- u32 write_seq; /* Tail(+1) of data held in tcp send buffer */
102524+ u32 write_seq __intentional_overflow(-1); /* Tail(+1) of data held in tcp send buffer */
102525 u32 notsent_lowat; /* TCP_NOTSENT_LOWAT */
102526 u32 pushed_seq; /* Last pushed seq, required to talk to windows */
102527 u32 lost_out; /* Lost packets */
102528@@ -291,7 +291,7 @@ struct tcp_sock {
102529 int undo_retrans; /* number of undoable retransmissions. */
102530 u32 total_retrans; /* Total retransmits for entire connection */
102531
102532- u32 urg_seq; /* Seq of received urgent pointer */
102533+ u32 urg_seq __intentional_overflow(-1); /* Seq of received urgent pointer */
102534 unsigned int keepalive_time; /* time before keep alive takes place */
102535 unsigned int keepalive_intvl; /* time interval between keep alive probes */
102536
102537diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
102538index ff307b5..f1a4468 100644
102539--- a/include/linux/thread_info.h
102540+++ b/include/linux/thread_info.h
102541@@ -145,6 +145,13 @@ static inline bool test_and_clear_restore_sigmask(void)
102542 #error "no set_restore_sigmask() provided and default one won't work"
102543 #endif
102544
102545+extern void __check_object_size(const void *ptr, unsigned long n, bool to_user, bool const_size);
102546+
102547+static inline void check_object_size(const void *ptr, unsigned long n, bool to_user)
102548+{
102549+ __check_object_size(ptr, n, to_user, __builtin_constant_p(n));
102550+}
102551+
102552 #endif /* __KERNEL__ */
102553
102554 #endif /* _LINUX_THREAD_INFO_H */
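Review bot: `check_object_size()` is declared plain `static inline`, so `__builtin_constant_p(n)` is only meaningful if the compiler actually inlines the wrapper. In an out-of-line copy `n` is an ordinary parameter and `const_size` would always be passed as false. Declaring it `static __always_inline void check_object_size(const void *ptr, unsigned long n, bool to_user)` makes the constant-size hint independent of the inlining configuration. A one-line comment on what `to_user` and `const_size` select in `__check_object_size()` would also help, since that definition is outside this hunk.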
102555diff --git a/include/linux/tty.h b/include/linux/tty.h
102556index ad6c891..93a8f45 100644
102557--- a/include/linux/tty.h
102558+++ b/include/linux/tty.h
102559@@ -225,7 +225,7 @@ struct tty_port {
102560 const struct tty_port_operations *ops; /* Port operations */
102561 spinlock_t lock; /* Lock protecting tty field */
102562 int blocked_open; /* Waiting to open */
102563- int count; /* Usage count */
102564+ atomic_t count; /* Usage count */
102565 wait_queue_head_t open_wait; /* Open waiters */
102566 wait_queue_head_t close_wait; /* Close waiters */
102567 wait_queue_head_t delta_msr_wait; /* Modem status change */
102568@@ -313,7 +313,7 @@ struct tty_struct {
102569 /* If the tty has a pending do_SAK, queue it here - akpm */
102570 struct work_struct SAK_work;
102571 struct tty_port *port;
102572-};
102573+} __randomize_layout;
102574
102575 /* Each of a tty's open files has private_data pointing to tty_file_private */
102576 struct tty_file_private {
102577@@ -573,7 +573,7 @@ extern int tty_port_open(struct tty_port *port,
102578 struct tty_struct *tty, struct file *filp);
102579 static inline int tty_port_users(struct tty_port *port)
102580 {
102581- return port->count + port->blocked_open;
102582+ return atomic_read(&port->count) + port->blocked_open;
102583 }
102584
102585 extern int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc);
102586diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
102587index 92e337c..f46757b 100644
102588--- a/include/linux/tty_driver.h
102589+++ b/include/linux/tty_driver.h
102590@@ -291,7 +291,7 @@ struct tty_operations {
102591 void (*poll_put_char)(struct tty_driver *driver, int line, char ch);
102592 #endif
102593 const struct file_operations *proc_fops;
102594-};
102595+} __do_const __randomize_layout;
102596
102597 struct tty_driver {
102598 int magic; /* magic number for this structure */
102599@@ -325,7 +325,7 @@ struct tty_driver {
102600
102601 const struct tty_operations *ops;
102602 struct list_head tty_drivers;
102603-};
102604+} __randomize_layout;
102605
102606 extern struct list_head tty_drivers;
102607
102608diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h
102609index 00c9d68..bc0188b 100644
102610--- a/include/linux/tty_ldisc.h
102611+++ b/include/linux/tty_ldisc.h
102612@@ -215,7 +215,7 @@ struct tty_ldisc_ops {
102613
102614 struct module *owner;
102615
102616- int refcount;
102617+ atomic_t refcount;
102618 };
102619
102620 struct tty_ldisc {
102621diff --git a/include/linux/types.h b/include/linux/types.h
102622index 8715287..1be77ee 100644
102623--- a/include/linux/types.h
102624+++ b/include/linux/types.h
102625@@ -176,10 +176,26 @@ typedef struct {
102626 int counter;
102627 } atomic_t;
102628
102629+#ifdef CONFIG_PAX_REFCOUNT
102630+typedef struct {
102631+ int counter;
102632+} atomic_unchecked_t;
102633+#else
102634+typedef atomic_t atomic_unchecked_t;
102635+#endif
102636+
102637 #ifdef CONFIG_64BIT
102638 typedef struct {
102639 long counter;
102640 } atomic64_t;
102641+
102642+#ifdef CONFIG_PAX_REFCOUNT
102643+typedef struct {
102644+ long counter;
102645+} atomic64_unchecked_t;
102646+#else
102647+typedef atomic64_t atomic64_unchecked_t;
102648+#endif
102649 #endif
102650
102651 struct list_head {
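Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced with no comment saying when a counter should use them instead of `atomic_t`. Elsewhere in this patch statistics counters move to the unchecked type while `refcount` fields move to `atomic_t`, which suggests the unchecked variants are meant for counters where wraparound is harmless. I would state that at the definition, e.g. `/* exempt from CONFIG_PAX_REFCOUNT overflow detection; only for counters whose wraparound is harmless, never for object lifetimes */`. Without `CONFIG_PAX_REFCOUNT` the types are plain aliases, so mixing checked and unchecked accessors compiles silently there and only fails in the hardened configuration.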
102652diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
102653index ae572c1..73bd4ec 100644
102654--- a/include/linux/uaccess.h
102655+++ b/include/linux/uaccess.h
102656@@ -97,11 +97,11 @@ static inline unsigned long __copy_from_user_nocache(void *to,
102657 long ret; \
102658 mm_segment_t old_fs = get_fs(); \
102659 \
102660- set_fs(KERNEL_DS); \
102661 pagefault_disable(); \
102662- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
102663- pagefault_enable(); \
102664+ set_fs(KERNEL_DS); \
102665+ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
102666 set_fs(old_fs); \
102667+ pagefault_enable(); \
102668 ret; \
102669 })
102670
102671diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
102672index 0383552..a0125dd 100644
102673--- a/include/linux/uidgid.h
102674+++ b/include/linux/uidgid.h
102675@@ -187,4 +187,9 @@ static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid)
102676
102677 #endif /* CONFIG_USER_NS */
102678
102679+#define GR_GLOBAL_UID(x) from_kuid_munged(&init_user_ns, (x))
102680+#define GR_GLOBAL_GID(x) from_kgid_munged(&init_user_ns, (x))
102681+#define gr_is_global_root(x) uid_eq((x), GLOBAL_ROOT_UID)
102682+#define gr_is_global_nonroot(x) (!uid_eq((x), GLOBAL_ROOT_UID))
102683+
102684 #endif /* _LINUX_UIDGID_H */
102685diff --git a/include/linux/uio_driver.h b/include/linux/uio_driver.h
102686index 32c0e83..671eb35 100644
102687--- a/include/linux/uio_driver.h
102688+++ b/include/linux/uio_driver.h
102689@@ -67,7 +67,7 @@ struct uio_device {
102690 struct module *owner;
102691 struct device *dev;
102692 int minor;
102693- atomic_t event;
102694+ atomic_unchecked_t event;
102695 struct fasync_struct *async_queue;
102696 wait_queue_head_t wait;
102697 struct uio_info *info;
102698diff --git a/include/linux/unaligned/access_ok.h b/include/linux/unaligned/access_ok.h
102699index 99c1b4d..562e6f3 100644
102700--- a/include/linux/unaligned/access_ok.h
102701+++ b/include/linux/unaligned/access_ok.h
102702@@ -4,34 +4,34 @@
102703 #include <linux/kernel.h>
102704 #include <asm/byteorder.h>
102705
102706-static inline u16 get_unaligned_le16(const void *p)
102707+static inline u16 __intentional_overflow(-1) get_unaligned_le16(const void *p)
102708 {
102709- return le16_to_cpup((__le16 *)p);
102710+ return le16_to_cpup((const __le16 *)p);
102711 }
102712
102713-static inline u32 get_unaligned_le32(const void *p)
102714+static inline u32 __intentional_overflow(-1) get_unaligned_le32(const void *p)
102715 {
102716- return le32_to_cpup((__le32 *)p);
102717+ return le32_to_cpup((const __le32 *)p);
102718 }
102719
102720-static inline u64 get_unaligned_le64(const void *p)
102721+static inline u64 __intentional_overflow(-1) get_unaligned_le64(const void *p)
102722 {
102723- return le64_to_cpup((__le64 *)p);
102724+ return le64_to_cpup((const __le64 *)p);
102725 }
102726
102727-static inline u16 get_unaligned_be16(const void *p)
102728+static inline u16 __intentional_overflow(-1) get_unaligned_be16(const void *p)
102729 {
102730- return be16_to_cpup((__be16 *)p);
102731+ return be16_to_cpup((const __be16 *)p);
102732 }
102733
102734-static inline u32 get_unaligned_be32(const void *p)
102735+static inline u32 __intentional_overflow(-1) get_unaligned_be32(const void *p)
102736 {
102737- return be32_to_cpup((__be32 *)p);
102738+ return be32_to_cpup((const __be32 *)p);
102739 }
102740
102741-static inline u64 get_unaligned_be64(const void *p)
102742+static inline u64 __intentional_overflow(-1) get_unaligned_be64(const void *p)
102743 {
102744- return be64_to_cpup((__be64 *)p);
102745+ return be64_to_cpup((const __be64 *)p);
102746 }
102747
102748 static inline void put_unaligned_le16(u16 val, void *p)
102749diff --git a/include/linux/usb.h b/include/linux/usb.h
102750index 447fe29..fc8bf1e 100644
102751--- a/include/linux/usb.h
102752+++ b/include/linux/usb.h
102753@@ -363,7 +363,7 @@ struct usb_bus {
102754 * with the URB_SHORT_NOT_OK flag set.
102755 */
102756 unsigned no_sg_constraint:1; /* no sg constraint */
102757- unsigned sg_tablesize; /* 0 or largest number of sg list entries */
102758+ unsigned short sg_tablesize; /* 0 or largest number of sg list entries */
102759
102760 int devnum_next; /* Next open device number in
102761 * round-robin allocation */
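Review bot: Narrowing `sg_tablesize` from `unsigned` to `unsigned short` means a value above 65535 assigned by a host controller driver is silently truncated, possibly to 0, which the field's own comment treats as a distinct case. The assignments are outside this hunk, so check that no driver stores a sentinel such as `~0` here. If the narrowing exists to match another subsystem's field width, a comment saying so would keep the type from being widened again later.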
102762@@ -592,7 +592,7 @@ struct usb_device {
102763 int maxchild;
102764
102765 u32 quirks;
102766- atomic_t urbnum;
102767+ atomic_unchecked_t urbnum;
102768
102769 unsigned long active_duration;
102770
102771diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
102772index c9aa779..46d6f69 100644
102773--- a/include/linux/usb/hcd.h
102774+++ b/include/linux/usb/hcd.h
102775@@ -23,6 +23,7 @@
102776
102777 #include <linux/rwsem.h>
102778 #include <linux/interrupt.h>
102779+#include <scsi/scsi_host.h>
102780
102781 #define MAX_TOPO_LEVEL 6
102782
102783diff --git a/include/linux/usb/renesas_usbhs.h b/include/linux/usb/renesas_usbhs.h
102784index 3dd5a78..ed69d7b 100644
102785--- a/include/linux/usb/renesas_usbhs.h
102786+++ b/include/linux/usb/renesas_usbhs.h
102787@@ -39,7 +39,7 @@ enum {
102788 */
102789 struct renesas_usbhs_driver_callback {
102790 int (*notify_hotplug)(struct platform_device *pdev);
102791-};
102792+} __no_const;
102793
102794 /*
102795 * callback functions for platform
102796diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
102797index 8297e5b..0dfae27 100644
102798--- a/include/linux/user_namespace.h
102799+++ b/include/linux/user_namespace.h
102800@@ -39,7 +39,7 @@ struct user_namespace {
102801 struct key *persistent_keyring_register;
102802 struct rw_semaphore persistent_keyring_register_sem;
102803 #endif
102804-};
102805+} __randomize_layout;
102806
102807 extern struct user_namespace init_user_ns;
102808
102809diff --git a/include/linux/utsname.h b/include/linux/utsname.h
102810index 5093f58..c103e58 100644
102811--- a/include/linux/utsname.h
102812+++ b/include/linux/utsname.h
102813@@ -25,7 +25,7 @@ struct uts_namespace {
102814 struct new_utsname name;
102815 struct user_namespace *user_ns;
102816 struct ns_common ns;
102817-};
102818+} __randomize_layout;
102819 extern struct uts_namespace init_uts_ns;
102820
102821 #ifdef CONFIG_UTS_NS
102822diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
102823index 6f8fbcf..4efc177 100644
102824--- a/include/linux/vermagic.h
102825+++ b/include/linux/vermagic.h
102826@@ -25,9 +25,42 @@
102827 #define MODULE_ARCH_VERMAGIC ""
102828 #endif
102829
102830+#ifdef CONFIG_PAX_REFCOUNT
102831+#define MODULE_PAX_REFCOUNT "REFCOUNT "
102832+#else
102833+#define MODULE_PAX_REFCOUNT ""
102834+#endif
102835+
102836+#ifdef CONSTIFY_PLUGIN
102837+#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
102838+#else
102839+#define MODULE_CONSTIFY_PLUGIN ""
102840+#endif
102841+
102842+#ifdef STACKLEAK_PLUGIN
102843+#define MODULE_STACKLEAK_PLUGIN "STACKLEAK_PLUGIN "
102844+#else
102845+#define MODULE_STACKLEAK_PLUGIN ""
102846+#endif
102847+
102848+#ifdef RANDSTRUCT_PLUGIN
102849+#include <generated/randomize_layout_hash.h>
102850+#define MODULE_RANDSTRUCT_PLUGIN "RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SEED
102851+#else
102852+#define MODULE_RANDSTRUCT_PLUGIN
102853+#endif
102854+
102855+#ifdef CONFIG_GRKERNSEC
102856+#define MODULE_GRSEC "GRSEC "
102857+#else
102858+#define MODULE_GRSEC ""
102859+#endif
102860+
102861 #define VERMAGIC_STRING \
102862 UTS_RELEASE " " \
102863 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
102864 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
102865- MODULE_ARCH_VERMAGIC
102866+ MODULE_ARCH_VERMAGIC \
102867+ MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_STACKLEAK_PLUGIN \
102868+ MODULE_GRSEC MODULE_RANDSTRUCT_PLUGIN
102869
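Review bot: In the `#else` branch `MODULE_RANDSTRUCT_PLUGIN` is defined with no replacement text, while the other four new macros fall back to `""`. It works here only because the macro is the last token in `VERMAGIC_STRING`; used on its own, or before a line continuation, the empty expansion would not be a string literal. I would write `#define MODULE_RANDSTRUCT_PLUGIN ""` to match. A comment above the block should also say that these tags make the module loader reject modules built without the same hardening options or with a different layout seed, since that is the security purpose of extending the string.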
102870diff --git a/include/linux/vga_switcheroo.h b/include/linux/vga_switcheroo.h
102871index b483abd..af305ad 100644
102872--- a/include/linux/vga_switcheroo.h
102873+++ b/include/linux/vga_switcheroo.h
102874@@ -63,9 +63,9 @@ int vga_switcheroo_get_client_state(struct pci_dev *dev);
102875
102876 void vga_switcheroo_set_dynamic_switch(struct pci_dev *pdev, enum vga_switcheroo_state dynamic);
102877
102878-int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain);
102879+int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain);
102880 void vga_switcheroo_fini_domain_pm_ops(struct device *dev);
102881-int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain);
102882+int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain);
102883 #else
102884
102885 static inline void vga_switcheroo_unregister_client(struct pci_dev *dev) {}
102886@@ -82,9 +82,9 @@ static inline int vga_switcheroo_get_client_state(struct pci_dev *dev) { return
102887
102888 static inline void vga_switcheroo_set_dynamic_switch(struct pci_dev *pdev, enum vga_switcheroo_state dynamic) {}
102889
102890-static inline int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; }
102891+static inline int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain) { return -EINVAL; }
102892 static inline void vga_switcheroo_fini_domain_pm_ops(struct device *dev) {}
102893-static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; }
102894+static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain) { return -EINVAL; }
102895
102896 #endif
102897 #endif /* _LINUX_VGA_SWITCHEROO_H_ */
102898diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
102899index 0ec5983..d5888bb 100644
102900--- a/include/linux/vmalloc.h
102901+++ b/include/linux/vmalloc.h
102902@@ -18,6 +18,14 @@ struct vm_area_struct; /* vma defining user mapping in mm_types.h */
102903 #define VM_UNINITIALIZED 0x00000020 /* vm_struct is not fully initialized */
102904 #define VM_NO_GUARD 0x00000040 /* don't add guard page */
102905 #define VM_KASAN 0x00000080 /* has allocated kasan shadow memory */
102906+
102907+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
102908+#define VM_KERNEXEC 0x00000100 /* allocate from executable kernel memory range */
102909+#endif
102910+
102911+#define VM_USERCOPY 0x00000200 /* allocation intended for copies to userland */
102912+
102913+
102914 /* bits [20..32] reserved for arch specific ioremap internals */
102915
102916 /*
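Review bot: `VM_KERNEXEC` is defined only when `CONFIG_X86` and `CONFIG_PAX_KERNEXEC` are both set, while `VM_USERCOPY` a few lines below is unconditional, so any code that sets or tests `VM_KERNEXEC` has to repeat the same `#if` or it will not build on other configurations. Both flags also take the next free low bits after `VM_KASAN` (0x100 and 0x200), and nothing marks them as out-of-tree values. A comment above them such as `/* out-of-tree flags: re-check for collisions with new VM_* bits on every rebase */` would make a silent overlap easier to catch. The second consecutive blank `+` line before the "bits [20..32]" comment can be dropped.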
102917@@ -67,6 +75,7 @@ static inline void vmalloc_init(void)
102918 #endif
102919
102920 extern void *vmalloc(unsigned long size);
102921+extern void *vmalloc_usercopy(unsigned long size);
102922 extern void *vzalloc(unsigned long size);
102923 extern void *vmalloc_user(unsigned long size);
102924 extern void *vmalloc_node(unsigned long size, int node);
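Review bot: The new `vmalloc_usercopy()` prototype sits next to `vmalloc_user()` with no comment, and the two names are easy to confuse although they presumably mean different things. The flag added earlier in this file describes `VM_USERCOPY` as an allocation intended for copies to userland, so a one-line comment on the declaration would help, for example `/* like vmalloc(), but marks the area VM_USERCOPY so it may be a source for copies to userland */`. That wording should be confirmed against the definition, which is not in this hunk. It is also worth stating whether the memory is zeroed, since a buffer that is later copied to userland must not carry stale kernel data.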
102925@@ -86,6 +95,10 @@ extern void *vmap(struct page **pages, unsigned int count,
102926 unsigned long flags, pgprot_t prot);
102927 extern void vunmap(const void *addr);
102928
102929+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
102930+extern void unmap_process_stacks(struct task_struct *task);
102931+#endif
102932+
102933 extern int remap_vmalloc_range_partial(struct vm_area_struct *vma,
102934 unsigned long uaddr, void *kaddr,
102935 unsigned long size);
102936@@ -150,7 +163,7 @@ extern void free_vm_area(struct vm_struct *area);
102937
102938 /* for /dev/kmem */
102939 extern long vread(char *buf, char *addr, unsigned long count);
102940-extern long vwrite(char *buf, char *addr, unsigned long count);
102941+extern long vwrite(char *buf, char *addr, unsigned long count) __size_overflow(3);
102942
102943 /*
102944 * Internals. Dont't use..
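Review bot: Only `vwrite()` gains `__size_overflow(3)`; `vread()` on the line above has the same `unsigned long count` third parameter and stays unannotated. If the omission is deliberate, a short comment saying why would help the next reader. Otherwise the parallel declaration would be `extern long vread(char *buf, char *addr, unsigned long count) __size_overflow(3);`.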
102945diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h
102946index 82e7db7..f8ce3d0 100644
102947--- a/include/linux/vmstat.h
102948+++ b/include/linux/vmstat.h
102949@@ -108,18 +108,18 @@ static inline void vm_events_fold_cpu(int cpu)
102950 /*
102951 * Zone based page accounting with per cpu differentials.
102952 */
102953-extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
102954+extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
102955
102956 static inline void zone_page_state_add(long x, struct zone *zone,
102957 enum zone_stat_item item)
102958 {
102959- atomic_long_add(x, &zone->vm_stat[item]);
102960- atomic_long_add(x, &vm_stat[item]);
102961+ atomic_long_add_unchecked(x, &zone->vm_stat[item]);
102962+ atomic_long_add_unchecked(x, &vm_stat[item]);
102963 }
102964
102965-static inline unsigned long global_page_state(enum zone_stat_item item)
102966+static inline unsigned long __intentional_overflow(-1) global_page_state(enum zone_stat_item item)
102967 {
102968- long x = atomic_long_read(&vm_stat[item]);
102969+ long x = atomic_long_read_unchecked(&vm_stat[item]);
102970 #ifdef CONFIG_SMP
102971 if (x < 0)
102972 x = 0;
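Review bot: The switch of `vm_stat` to `atomic_long_unchecked_t` and the `*_unchecked` accessors is made without a comment saying why these counters are allowed to wrap. As far as I can tell the unchecked variants opt a variable out of the overflow detection that the hardened `atomic_long_t` operations get, which suits statistics but not anything used as a reference count. The reason should be recorded at the declaration, e.g. `/* statistics only, never a refcount: wrap-around is harmless */` above `vm_stat`. The same applies to the later hunks in this file and to the other counters converted in this chunk (`tx_dropped` in bonding.h, `rx_dropped` in gro_cells.h, `sk_drops` in sock.h, the `*_genid` fields under include/net/netns/). `global_page_state()` continues past the end of the hunk.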
102973@@ -127,10 +127,10 @@ static inline unsigned long global_page_state(enum zone_stat_item item)
102974 return x;
102975 }
102976
102977-static inline unsigned long zone_page_state(struct zone *zone,
102978+static inline unsigned long __intentional_overflow(-1) zone_page_state(struct zone *zone,
102979 enum zone_stat_item item)
102980 {
102981- long x = atomic_long_read(&zone->vm_stat[item]);
102982+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
102983 #ifdef CONFIG_SMP
102984 if (x < 0)
102985 x = 0;
102986@@ -147,7 +147,7 @@ static inline unsigned long zone_page_state(struct zone *zone,
102987 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
102988 enum zone_stat_item item)
102989 {
102990- long x = atomic_long_read(&zone->vm_stat[item]);
102991+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
102992
102993 #ifdef CONFIG_SMP
102994 int cpu;
102995@@ -234,14 +234,14 @@ static inline void __mod_zone_page_state(struct zone *zone,
102996
102997 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
102998 {
102999- atomic_long_inc(&zone->vm_stat[item]);
103000- atomic_long_inc(&vm_stat[item]);
103001+ atomic_long_inc_unchecked(&zone->vm_stat[item]);
103002+ atomic_long_inc_unchecked(&vm_stat[item]);
103003 }
103004
103005 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
103006 {
103007- atomic_long_dec(&zone->vm_stat[item]);
103008- atomic_long_dec(&vm_stat[item]);
103009+ atomic_long_dec_unchecked(&zone->vm_stat[item]);
103010+ atomic_long_dec_unchecked(&vm_stat[item]);
103011 }
103012
103013 static inline void __inc_zone_page_state(struct page *page,
103014diff --git a/include/linux/xattr.h b/include/linux/xattr.h
103015index 91b0a68..0e9adf6 100644
103016--- a/include/linux/xattr.h
103017+++ b/include/linux/xattr.h
103018@@ -28,7 +28,7 @@ struct xattr_handler {
103019 size_t size, int handler_flags);
103020 int (*set)(struct dentry *dentry, const char *name, const void *buffer,
103021 size_t size, int flags, int handler_flags);
103022-};
103023+} __do_const;
103024
103025 struct xattr {
103026 const char *name;
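Review bot: The `__do_const` annotation on `struct xattr_handler` changes how every instance of the type may be used, yet the closing brace is the only place that shows it. Presumably it makes the constify plugin treat all objects of this type as read-only, so code that fills in a handler at run time would need a non-const variant. A comment at the struct such as `/* instances are read-only under the constify plugin */` would tell out-of-tree users what to expect. The same remark applies to the other ops tables annotated in this chunk, e.g. `struct v4l2_file_operations`, `struct p9_trans_module`, `struct l2cap_ops`, `struct genl_ops` and `struct neigh_ops`. The struct definition starts above the hunk.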
103027@@ -37,6 +37,9 @@ struct xattr {
103028 };
103029
103030 ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t);
103031+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
103032+ssize_t pax_getxattr(struct dentry *, void *, size_t);
103033+#endif
103034 ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);
103035 ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
103036 int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int);
103037diff --git a/include/linux/zlib.h b/include/linux/zlib.h
103038index 92dbbd3..13ab0b3 100644
103039--- a/include/linux/zlib.h
103040+++ b/include/linux/zlib.h
103041@@ -31,6 +31,7 @@
103042 #define _ZLIB_H
103043
103044 #include <linux/zconf.h>
103045+#include <linux/compiler.h>
103046
103047 /* zlib deflate based on ZLIB_VERSION "1.1.3" */
103048 /* zlib inflate based on ZLIB_VERSION "1.2.3" */
103049@@ -179,7 +180,7 @@ typedef z_stream *z_streamp;
103050
103051 /* basic functions */
103052
103053-extern int zlib_deflate_workspacesize (int windowBits, int memLevel);
103054+extern int zlib_deflate_workspacesize (int windowBits, int memLevel) __intentional_overflow(0);
103055 /*
103056 Returns the number of bytes that needs to be allocated for a per-
103057 stream workspace with the specified parameters. A pointer to this
103058diff --git a/include/media/v4l2-dev.h b/include/media/v4l2-dev.h
103059index acbcd2f..c3abe84 100644
103060--- a/include/media/v4l2-dev.h
103061+++ b/include/media/v4l2-dev.h
103062@@ -74,7 +74,7 @@ struct v4l2_file_operations {
103063 int (*mmap) (struct file *, struct vm_area_struct *);
103064 int (*open) (struct file *);
103065 int (*release) (struct file *);
103066-};
103067+} __do_const;
103068
103069 /*
103070 * Newer version of video_device, handled by videodev2.c
103071diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h
103072index 9c58157..d86ebf5 100644
103073--- a/include/media/v4l2-device.h
103074+++ b/include/media/v4l2-device.h
103075@@ -93,7 +93,7 @@ int __must_check v4l2_device_register(struct device *dev, struct v4l2_device *v4
103076 this function returns 0. If the name ends with a digit (e.g. cx18),
103077 then the name will be set to cx18-0 since cx180 looks really odd. */
103078 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
103079- atomic_t *instance);
103080+ atomic_unchecked_t *instance);
103081
103082 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
103083 Since the parent disappears this ensures that v4l2_dev doesn't have an
103084diff --git a/include/net/9p/transport.h b/include/net/9p/transport.h
103085index 5122b5e..598b440 100644
103086--- a/include/net/9p/transport.h
103087+++ b/include/net/9p/transport.h
103088@@ -62,7 +62,7 @@ struct p9_trans_module {
103089 int (*cancelled)(struct p9_client *, struct p9_req_t *req);
103090 int (*zc_request)(struct p9_client *, struct p9_req_t *,
103091 struct iov_iter *, struct iov_iter *, int , int, int);
103092-};
103093+} __do_const;
103094
103095 void v9fs_register_trans(struct p9_trans_module *m);
103096 void v9fs_unregister_trans(struct p9_trans_module *m);
103097diff --git a/include/net/af_unix.h b/include/net/af_unix.h
103098index 4a167b3..73dcbb3 100644
103099--- a/include/net/af_unix.h
103100+++ b/include/net/af_unix.h
103101@@ -36,7 +36,7 @@ struct unix_skb_parms {
103102 u32 secid; /* Security ID */
103103 #endif
103104 u32 consumed;
103105-};
103106+} __randomize_layout;
103107
103108 #define UNIXCB(skb) (*(struct unix_skb_parms *)&((skb)->cb))
103109
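Review bot: `struct unix_skb_parms` is not a free-standing object: the `UNIXCB()` macro just below overlays it on `skb->cb`, so `__randomize_layout` here must never make the struct larger than that buffer. Reordering members can change padding, and whether the build still checks the size after randomization is not visible in this hunk. If no such check exists, a compile-time one in the AF_UNIX init code would settle it, e.g. `BUILD_BUG_ON(sizeof(struct unix_skb_parms) > sizeof(((struct sk_buff *)0)->cb));`. The struct begins above the hunk.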
103110diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
103111index 2239a37..a83461f 100644
103112--- a/include/net/bluetooth/l2cap.h
103113+++ b/include/net/bluetooth/l2cap.h
103114@@ -609,7 +609,7 @@ struct l2cap_ops {
103115 struct sk_buff *(*alloc_skb) (struct l2cap_chan *chan,
103116 unsigned long hdr_len,
103117 unsigned long len, int nb);
103118-};
103119+} __do_const;
103120
103121 struct l2cap_conn {
103122 struct hci_conn *hcon;
103123diff --git a/include/net/bonding.h b/include/net/bonding.h
103124index 20defc0..3072903 100644
103125--- a/include/net/bonding.h
103126+++ b/include/net/bonding.h
103127@@ -661,7 +661,7 @@ extern struct rtnl_link_ops bond_link_ops;
103128
103129 static inline void bond_tx_drop(struct net_device *dev, struct sk_buff *skb)
103130 {
103131- atomic_long_inc(&dev->tx_dropped);
103132+ atomic_long_inc_unchecked(&dev->tx_dropped);
103133 dev_kfree_skb_any(skb);
103134 }
103135
103136diff --git a/include/net/caif/cfctrl.h b/include/net/caif/cfctrl.h
103137index f2ae33d..c457cf0 100644
103138--- a/include/net/caif/cfctrl.h
103139+++ b/include/net/caif/cfctrl.h
103140@@ -52,7 +52,7 @@ struct cfctrl_rsp {
103141 void (*radioset_rsp)(void);
103142 void (*reject_rsp)(struct cflayer *layer, u8 linkid,
103143 struct cflayer *client_layer);
103144-};
103145+} __no_const;
103146
103147 /* Link Setup Parameters for CAIF-Links. */
103148 struct cfctrl_link_param {
103149@@ -101,8 +101,8 @@ struct cfctrl_request_info {
103150 struct cfctrl {
103151 struct cfsrvl serv;
103152 struct cfctrl_rsp res;
103153- atomic_t req_seq_no;
103154- atomic_t rsp_seq_no;
103155+ atomic_unchecked_t req_seq_no;
103156+ atomic_unchecked_t rsp_seq_no;
103157 struct list_head list;
103158 /* Protects from simultaneous access to first_req list */
103159 spinlock_t info_list_lock;
103160diff --git a/include/net/flow.h b/include/net/flow.h
103161index 8109a15..504466d 100644
103162--- a/include/net/flow.h
103163+++ b/include/net/flow.h
103164@@ -231,6 +231,6 @@ void flow_cache_fini(struct net *net);
103165
103166 void flow_cache_flush(struct net *net);
103167 void flow_cache_flush_deferred(struct net *net);
103168-extern atomic_t flow_cache_genid;
103169+extern atomic_unchecked_t flow_cache_genid;
103170
103171 #endif
103172diff --git a/include/net/genetlink.h b/include/net/genetlink.h
103173index a9af1cc..1f3fa7b 100644
103174--- a/include/net/genetlink.h
103175+++ b/include/net/genetlink.h
103176@@ -128,7 +128,7 @@ struct genl_ops {
103177 u8 cmd;
103178 u8 internal_flags;
103179 u8 flags;
103180-};
103181+} __do_const;
103182
103183 int __genl_register_family(struct genl_family *family);
103184
103185diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
103186index 0f712c0..cd762c4 100644
103187--- a/include/net/gro_cells.h
103188+++ b/include/net/gro_cells.h
103189@@ -27,7 +27,7 @@ static inline void gro_cells_receive(struct gro_cells *gcells, struct sk_buff *s
103190 cell = this_cpu_ptr(gcells->cells);
103191
103192 if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
103193- atomic_long_inc(&dev->rx_dropped);
103194+ atomic_long_inc_unchecked(&dev->rx_dropped);
103195 kfree_skb(skb);
103196 return;
103197 }
103198diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
103199index 0320bbb..938789c 100644
103200--- a/include/net/inet_connection_sock.h
103201+++ b/include/net/inet_connection_sock.h
103202@@ -63,7 +63,7 @@ struct inet_connection_sock_af_ops {
103203 int (*bind_conflict)(const struct sock *sk,
103204 const struct inet_bind_bucket *tb, bool relax);
103205 void (*mtu_reduced)(struct sock *sk);
103206-};
103207+} __do_const;
103208
103209 /** inet_connection_sock - INET connection oriented sock
103210 *
103211diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
103212index 47eb67b..0e733b2 100644
103213--- a/include/net/inet_sock.h
103214+++ b/include/net/inet_sock.h
103215@@ -43,7 +43,7 @@
103216 struct ip_options {
103217 __be32 faddr;
103218 __be32 nexthop;
103219- unsigned char optlen;
103220+ unsigned char optlen __intentional_overflow(0);
103221 unsigned char srr;
103222 unsigned char rr;
103223 unsigned char ts;
103224diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
103225index d5332dd..10a5c3c 100644
103226--- a/include/net/inetpeer.h
103227+++ b/include/net/inetpeer.h
103228@@ -48,7 +48,7 @@ struct inet_peer {
103229 */
103230 union {
103231 struct {
103232- atomic_t rid; /* Frag reception counter */
103233+ atomic_unchecked_t rid; /* Frag reception counter */
103234 };
103235 struct rcu_head rcu;
103236 struct inet_peer *gc_next;
103237diff --git a/include/net/ip.h b/include/net/ip.h
103238index d5fe9f2..8da10ed 100644
103239--- a/include/net/ip.h
103240+++ b/include/net/ip.h
103241@@ -319,7 +319,7 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
103242 }
103243 }
103244
103245-u32 ip_idents_reserve(u32 hash, int segs);
103246+u32 ip_idents_reserve(u32 hash, int segs) __intentional_overflow(-1);
103247 void __ip_select_ident(struct net *net, struct iphdr *iph, int segs);
103248
103249 static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
103250diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
103251index 5fa643b..d871e20 100644
103252--- a/include/net/ip_fib.h
103253+++ b/include/net/ip_fib.h
103254@@ -170,7 +170,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh);
103255
103256 #define FIB_RES_SADDR(net, res) \
103257 ((FIB_RES_NH(res).nh_saddr_genid == \
103258- atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
103259+ atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
103260 FIB_RES_NH(res).nh_saddr : \
103261 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
103262 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
103263diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
103264index 4e3731e..a242e28 100644
103265--- a/include/net/ip_vs.h
103266+++ b/include/net/ip_vs.h
103267@@ -551,7 +551,7 @@ struct ip_vs_conn {
103268 struct ip_vs_conn *control; /* Master control connection */
103269 atomic_t n_control; /* Number of controlled ones */
103270 struct ip_vs_dest *dest; /* real server */
103271- atomic_t in_pkts; /* incoming packet counter */
103272+ atomic_unchecked_t in_pkts; /* incoming packet counter */
103273
103274 /* Packet transmitter for different forwarding methods. If it
103275 * mangles the packet, it must return NF_DROP or better NF_STOLEN,
103276@@ -699,7 +699,7 @@ struct ip_vs_dest {
103277 __be16 port; /* port number of the server */
103278 union nf_inet_addr addr; /* IP address of the server */
103279 volatile unsigned int flags; /* dest status flags */
103280- atomic_t conn_flags; /* flags to copy to conn */
103281+ atomic_unchecked_t conn_flags; /* flags to copy to conn */
103282 atomic_t weight; /* server weight */
103283
103284 atomic_t refcnt; /* reference counter */
103285@@ -946,11 +946,11 @@ struct netns_ipvs {
103286 /* ip_vs_lblc */
103287 int sysctl_lblc_expiration;
103288 struct ctl_table_header *lblc_ctl_header;
103289- struct ctl_table *lblc_ctl_table;
103290+ ctl_table_no_const *lblc_ctl_table;
103291 /* ip_vs_lblcr */
103292 int sysctl_lblcr_expiration;
103293 struct ctl_table_header *lblcr_ctl_header;
103294- struct ctl_table *lblcr_ctl_table;
103295+ ctl_table_no_const *lblcr_ctl_table;
103296 /* ip_vs_est */
103297 struct list_head est_list; /* estimator list */
103298 spinlock_t est_lock;
103299diff --git a/include/net/irda/ircomm_tty.h b/include/net/irda/ircomm_tty.h
103300index 8d4f588..2e37ad2 100644
103301--- a/include/net/irda/ircomm_tty.h
103302+++ b/include/net/irda/ircomm_tty.h
103303@@ -33,6 +33,7 @@
103304 #include <linux/termios.h>
103305 #include <linux/timer.h>
103306 #include <linux/tty.h> /* struct tty_struct */
103307+#include <asm/local.h>
103308
103309 #include <net/irda/irias_object.h>
103310 #include <net/irda/ircomm_core.h>
103311diff --git a/include/net/iucv/af_iucv.h b/include/net/iucv/af_iucv.h
103312index 714cc9a..ea05f3e 100644
103313--- a/include/net/iucv/af_iucv.h
103314+++ b/include/net/iucv/af_iucv.h
103315@@ -149,7 +149,7 @@ struct iucv_skb_cb {
103316 struct iucv_sock_list {
103317 struct hlist_head head;
103318 rwlock_t lock;
103319- atomic_t autobind_name;
103320+ atomic_unchecked_t autobind_name;
103321 };
103322
103323 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
103324diff --git a/include/net/llc_c_ac.h b/include/net/llc_c_ac.h
103325index f3be818..bf46196 100644
103326--- a/include/net/llc_c_ac.h
103327+++ b/include/net/llc_c_ac.h
103328@@ -87,7 +87,7 @@
103329 #define LLC_CONN_AC_STOP_SENDACK_TMR 70
103330 #define LLC_CONN_AC_START_SENDACK_TMR_IF_NOT_RUNNING 71
103331
103332-typedef int (*llc_conn_action_t)(struct sock *sk, struct sk_buff *skb);
103333+typedef int (* const llc_conn_action_t)(struct sock *sk, struct sk_buff *skb);
103334
103335 int llc_conn_ac_clear_remote_busy(struct sock *sk, struct sk_buff *skb);
103336 int llc_conn_ac_conn_ind(struct sock *sk, struct sk_buff *skb);
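Review bot: Putting `const` inside the typedef (`typedef int (* const llc_conn_action_t)(...)`) hides the qualifier from every place the type is used. Code that declares a variable of this type and assigns it later no longer compiles, and declarations such as `const llc_conn_action_t *ev_actions` in llc_c_st.h now carry the qualifier twice. A comment above the typedef, e.g. `/* const on purpose: action tables are read-only, initialise at declaration */`, would make this visible. The same applies to `llc_conn_ev_t` and `llc_conn_ev_qfyr_t` in llc_c_ev.h and to `llc_sap_action_t` in llc_s_ac.h.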
103337diff --git a/include/net/llc_c_ev.h b/include/net/llc_c_ev.h
103338index 3948cf1..83b28c4 100644
103339--- a/include/net/llc_c_ev.h
103340+++ b/include/net/llc_c_ev.h
103341@@ -125,8 +125,8 @@ static __inline__ struct llc_conn_state_ev *llc_conn_ev(struct sk_buff *skb)
103342 return (struct llc_conn_state_ev *)skb->cb;
103343 }
103344
103345-typedef int (*llc_conn_ev_t)(struct sock *sk, struct sk_buff *skb);
103346-typedef int (*llc_conn_ev_qfyr_t)(struct sock *sk, struct sk_buff *skb);
103347+typedef int (* const llc_conn_ev_t)(struct sock *sk, struct sk_buff *skb);
103348+typedef int (* const llc_conn_ev_qfyr_t)(struct sock *sk, struct sk_buff *skb);
103349
103350 int llc_conn_ev_conn_req(struct sock *sk, struct sk_buff *skb);
103351 int llc_conn_ev_data_req(struct sock *sk, struct sk_buff *skb);
103352diff --git a/include/net/llc_c_st.h b/include/net/llc_c_st.h
103353index 48f3f89..0e92c50 100644
103354--- a/include/net/llc_c_st.h
103355+++ b/include/net/llc_c_st.h
103356@@ -37,7 +37,7 @@ struct llc_conn_state_trans {
103357 u8 next_state;
103358 const llc_conn_ev_qfyr_t *ev_qualifiers;
103359 const llc_conn_action_t *ev_actions;
103360-};
103361+} __do_const;
103362
103363 struct llc_conn_state {
103364 u8 current_state;
103365diff --git a/include/net/llc_s_ac.h b/include/net/llc_s_ac.h
103366index a61b98c..aade1eb 100644
103367--- a/include/net/llc_s_ac.h
103368+++ b/include/net/llc_s_ac.h
103369@@ -23,7 +23,7 @@
103370 #define SAP_ACT_TEST_IND 9
103371
103372 /* All action functions must look like this */
103373-typedef int (*llc_sap_action_t)(struct llc_sap *sap, struct sk_buff *skb);
103374+typedef int (* const llc_sap_action_t)(struct llc_sap *sap, struct sk_buff *skb);
103375
103376 int llc_sap_action_unitdata_ind(struct llc_sap *sap, struct sk_buff *skb);
103377 int llc_sap_action_send_ui(struct llc_sap *sap, struct sk_buff *skb);
103378diff --git a/include/net/llc_s_st.h b/include/net/llc_s_st.h
103379index c4359e2..76dbc4a 100644
103380--- a/include/net/llc_s_st.h
103381+++ b/include/net/llc_s_st.h
103382@@ -20,7 +20,7 @@ struct llc_sap_state_trans {
103383 llc_sap_ev_t ev;
103384 u8 next_state;
103385 const llc_sap_action_t *ev_actions;
103386-};
103387+} __do_const;
103388
103389 struct llc_sap_state {
103390 u8 curr_state;
103391diff --git a/include/net/mac80211.h b/include/net/mac80211.h
103392index 6b1077c..7b72f67 100644
103393--- a/include/net/mac80211.h
103394+++ b/include/net/mac80211.h
103395@@ -5106,7 +5106,7 @@ struct ieee80211_tx_rate_control {
103396 struct sk_buff *skb;
103397 struct ieee80211_tx_rate reported_rate;
103398 bool rts, short_preamble;
103399- u8 max_rate_idx;
103400+ s8 max_rate_idx;
103401 u32 rate_idx_mask;
103402 u8 *rate_idx_mcs_mask;
103403 bool bss;
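Review bot: `max_rate_idx` changes from `u8` to `s8` with no comment on what a negative value means. The signed type caps the usable index at 127 and alters how the field promotes in comparisons with unsigned values, so users of the field need to know the intended range. Presumably a negative value stands for "no limit", but nothing in the hunk says so. A member comment such as `s8 max_rate_idx; /* negative: no upper rate limit (confirm against users) */` would record it. The struct starts and ends outside the hunk.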
103404@@ -5143,7 +5143,7 @@ struct rate_control_ops {
103405 void (*remove_sta_debugfs)(void *priv, void *priv_sta);
103406
103407 u32 (*get_expected_throughput)(void *priv_sta);
103408-};
103409+} __do_const;
103410
103411 static inline int rate_supported(struct ieee80211_sta *sta,
103412 enum ieee80211_band band,
103413diff --git a/include/net/neighbour.h b/include/net/neighbour.h
103414index bd33e66..6508d00 100644
103415--- a/include/net/neighbour.h
103416+++ b/include/net/neighbour.h
103417@@ -162,7 +162,7 @@ struct neigh_ops {
103418 void (*error_report)(struct neighbour *, struct sk_buff *);
103419 int (*output)(struct neighbour *, struct sk_buff *);
103420 int (*connected_output)(struct neighbour *, struct sk_buff *);
103421-};
103422+} __do_const;
103423
103424 struct pneigh_entry {
103425 struct pneigh_entry *next;
103426@@ -216,7 +216,7 @@ struct neigh_table {
103427 struct neigh_statistics __percpu *stats;
103428 struct neigh_hash_table __rcu *nht;
103429 struct pneigh_entry **phash_buckets;
103430-};
103431+} __randomize_layout;
103432
103433 enum {
103434 NEIGH_ARP_TABLE = 0,
103435diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
103436index e951453..0685f5b 100644
103437--- a/include/net/net_namespace.h
103438+++ b/include/net/net_namespace.h
103439@@ -53,7 +53,7 @@ struct net {
103440 */
103441 spinlock_t rules_mod_lock;
103442
103443- atomic64_t cookie_gen;
103444+ atomic64_unchecked_t cookie_gen;
103445
103446 struct list_head list; /* list of network namespaces */
103447 struct list_head cleanup_list; /* namespaces on death row */
103448@@ -135,8 +135,8 @@ struct net {
103449 struct netns_mpls mpls;
103450 #endif
103451 struct sock *diag_nlsk;
103452- atomic_t fnhe_genid;
103453-};
103454+ atomic_unchecked_t fnhe_genid;
103455+} __randomize_layout;
103456
103457 #include <linux/seq_file_net.h>
103458
103459@@ -271,7 +271,11 @@ static inline struct net *read_pnet(const possible_net_t *pnet)
103460 #define __net_init __init
103461 #define __net_exit __exit_refok
103462 #define __net_initdata __initdata
103463+#ifdef CONSTIFY_PLUGIN
103464 #define __net_initconst __initconst
103465+#else
103466+#define __net_initconst __initdata
103467+#endif
103468 #endif
103469
103470 int peernet2id_alloc(struct net *net, struct net *peer);
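Review bot: The new `#ifdef CONSTIFY_PLUGIN` around `__net_initconst` has no comment explaining why the macro falls back to `__initdata` when the plugin is off. Presumably the objects marked with it only become const once the plugin constifies them, and non-const objects cannot share the init-const section, but a reader cannot tell that from the hunk. A line above the `#ifdef` such as `/* without the constify plugin these objects are not const, so keep them in .init.data */` would help, once confirmed. It would also make explicit that this data stays writable during init in builds without the plugin.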
103471@@ -286,7 +290,7 @@ struct pernet_operations {
103472 void (*exit_batch)(struct list_head *net_exit_list);
103473 int *id;
103474 size_t size;
103475-};
103476+} __do_const;
103477
103478 /*
103479 * Use these carefully. If you implement a network device and it
103480@@ -334,12 +338,12 @@ static inline void unregister_net_sysctl_table(struct ctl_table_header *header)
103481
103482 static inline int rt_genid_ipv4(struct net *net)
103483 {
103484- return atomic_read(&net->ipv4.rt_genid);
103485+ return atomic_read_unchecked(&net->ipv4.rt_genid);
103486 }
103487
103488 static inline void rt_genid_bump_ipv4(struct net *net)
103489 {
103490- atomic_inc(&net->ipv4.rt_genid);
103491+ atomic_inc_unchecked(&net->ipv4.rt_genid);
103492 }
103493
103494 extern void (*__fib6_flush_trees)(struct net *net);
103495@@ -366,12 +370,12 @@ static inline void rt_genid_bump_all(struct net *net)
103496
103497 static inline int fnhe_genid(struct net *net)
103498 {
103499- return atomic_read(&net->fnhe_genid);
103500+ return atomic_read_unchecked(&net->fnhe_genid);
103501 }
103502
103503 static inline void fnhe_genid_bump(struct net *net)
103504 {
103505- atomic_inc(&net->fnhe_genid);
103506+ atomic_inc_unchecked(&net->fnhe_genid);
103507 }
103508
103509 #endif /* __NET_NET_NAMESPACE_H */
103510diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
103511index 37cd391..4023c4c 100644
103512--- a/include/net/netfilter/nf_conntrack.h
103513+++ b/include/net/netfilter/nf_conntrack.h
103514@@ -292,6 +292,7 @@ extern unsigned int nf_conntrack_hash_rnd;
103515 void init_nf_conntrack_hash_rnd(void);
103516
103517 struct nf_conn *nf_ct_tmpl_alloc(struct net *net, u16 zone, gfp_t flags);
103518+void nf_ct_tmpl_free(struct nf_conn *tmpl);
103519
103520 #define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
103521 #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
103522diff --git a/include/net/netlink.h b/include/net/netlink.h
103523index 2a5dbcc..8243656 100644
103524--- a/include/net/netlink.h
103525+++ b/include/net/netlink.h
103526@@ -521,7 +521,7 @@ static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
103527 {
103528 if (mark) {
103529 WARN_ON((unsigned char *) mark < skb->data);
103530- skb_trim(skb, (unsigned char *) mark - skb->data);
103531+ skb_trim(skb, (const unsigned char *) mark - skb->data);
103532 }
103533 }
103534
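Review bot: The cast in the `skb_trim()` call now keeps the `const` of `mark`, but the `WARN_ON()` one line above still casts it away with `(unsigned char *) mark`. For consistency that line should read `WARN_ON((const unsigned char *) mark < skb->data);`.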
103535diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
103536index 723b61c..4386367 100644
103537--- a/include/net/netns/conntrack.h
103538+++ b/include/net/netns/conntrack.h
103539@@ -14,10 +14,10 @@ struct nf_conntrack_ecache;
103540 struct nf_proto_net {
103541 #ifdef CONFIG_SYSCTL
103542 struct ctl_table_header *ctl_table_header;
103543- struct ctl_table *ctl_table;
103544+ ctl_table_no_const *ctl_table;
103545 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
103546 struct ctl_table_header *ctl_compat_header;
103547- struct ctl_table *ctl_compat_table;
103548+ ctl_table_no_const *ctl_compat_table;
103549 #endif
103550 #endif
103551 unsigned int users;
103552@@ -60,7 +60,7 @@ struct nf_ip_net {
103553 struct nf_icmp_net icmpv6;
103554 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
103555 struct ctl_table_header *ctl_table_header;
103556- struct ctl_table *ctl_table;
103557+ ctl_table_no_const *ctl_table;
103558 #endif
103559 };
103560
103561diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
103562index c68926b..106c147 100644
103563--- a/include/net/netns/ipv4.h
103564+++ b/include/net/netns/ipv4.h
103565@@ -93,7 +93,7 @@ struct netns_ipv4 {
103566
103567 struct ping_group_range ping_group_range;
103568
103569- atomic_t dev_addr_genid;
103570+ atomic_unchecked_t dev_addr_genid;
103571
103572 #ifdef CONFIG_SYSCTL
103573 unsigned long *sysctl_local_reserved_ports;
103574@@ -107,6 +107,6 @@ struct netns_ipv4 {
103575 struct fib_rules_ops *mr_rules_ops;
103576 #endif
103577 #endif
103578- atomic_t rt_genid;
103579+ atomic_unchecked_t rt_genid;
103580 };
103581 #endif
103582diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
103583index 8d93544..05c3e89 100644
103584--- a/include/net/netns/ipv6.h
103585+++ b/include/net/netns/ipv6.h
103586@@ -79,8 +79,8 @@ struct netns_ipv6 {
103587 struct fib_rules_ops *mr6_rules_ops;
103588 #endif
103589 #endif
103590- atomic_t dev_addr_genid;
103591- atomic_t fib6_sernum;
103592+ atomic_unchecked_t dev_addr_genid;
103593+ atomic_unchecked_t fib6_sernum;
103594 };
103595
103596 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
103597diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
103598index 730d82a..045f2c4 100644
103599--- a/include/net/netns/xfrm.h
103600+++ b/include/net/netns/xfrm.h
103601@@ -78,7 +78,7 @@ struct netns_xfrm {
103602
103603 /* flow cache part */
103604 struct flow_cache flow_cache_global;
103605- atomic_t flow_cache_genid;
103606+ atomic_unchecked_t flow_cache_genid;
103607 struct list_head flow_cache_gc_list;
103608 spinlock_t flow_cache_gc_lock;
103609 struct work_struct flow_cache_gc_work;
103610diff --git a/include/net/ping.h b/include/net/ping.h
103611index ac80cb4..ec1ed09 100644
103612--- a/include/net/ping.h
103613+++ b/include/net/ping.h
103614@@ -54,7 +54,7 @@ struct ping_iter_state {
103615
103616 extern struct proto ping_prot;
103617 #if IS_ENABLED(CONFIG_IPV6)
103618-extern struct pingv6_ops pingv6_ops;
103619+extern struct pingv6_ops *pingv6_ops;
103620 #endif
103621
103622 struct pingfakehdr {
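Review bot: `pingv6_ops` turns from an object into a pointer, so every user now dereferences something that may be NULL or may change at run time, and the declaration carries no comment on when it is valid. The definition and the code that sets it are outside this hunk. If the pointer is published when the IPv6 side registers and cleared when it unregisters, readers need a NULL check or a documented lifetime rule. A comment on the declaration, e.g. `/* set by the IPv6 ping code on registration; may be NULL otherwise */`, would state the contract once confirmed.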
103623diff --git a/include/net/protocol.h b/include/net/protocol.h
103624index d6fcc1f..ca277058 100644
103625--- a/include/net/protocol.h
103626+++ b/include/net/protocol.h
103627@@ -49,7 +49,7 @@ struct net_protocol {
103628 * socket lookup?
103629 */
103630 icmp_strict_tag_validation:1;
103631-};
103632+} __do_const;
103633
103634 #if IS_ENABLED(CONFIG_IPV6)
103635 struct inet6_protocol {
103636@@ -62,7 +62,7 @@ struct inet6_protocol {
103637 u8 type, u8 code, int offset,
103638 __be32 info);
103639 unsigned int flags; /* INET6_PROTO_xxx */
103640-};
103641+} __do_const;
103642
103643 #define INET6_PROTO_NOPOLICY 0x1
103644 #define INET6_PROTO_FINAL 0x2
103645diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
103646index 343d922..7959cde 100644
103647--- a/include/net/rtnetlink.h
103648+++ b/include/net/rtnetlink.h
103649@@ -95,7 +95,7 @@ struct rtnl_link_ops {
103650 const struct net_device *dev,
103651 const struct net_device *slave_dev);
103652 struct net *(*get_link_net)(const struct net_device *dev);
103653-};
103654+} __do_const;
103655
103656 int __rtnl_link_register(struct rtnl_link_ops *ops);
103657 void __rtnl_link_unregister(struct rtnl_link_ops *ops);
103658diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h
103659index 4a5b9a3..ca27d73 100644
103660--- a/include/net/sctp/checksum.h
103661+++ b/include/net/sctp/checksum.h
103662@@ -61,8 +61,8 @@ static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
103663 unsigned int offset)
103664 {
103665 struct sctphdr *sh = sctp_hdr(skb);
103666- __le32 ret, old = sh->checksum;
103667- const struct skb_checksum_ops ops = {
103668+ __le32 ret, old = sh->checksum;
103669+ static const struct skb_checksum_ops ops = {
103670 .update = sctp_csum_update,
103671 .combine = sctp_csum_combine,
103672 };
103673diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
103674index 487ef34..d457f98 100644
103675--- a/include/net/sctp/sm.h
103676+++ b/include/net/sctp/sm.h
103677@@ -80,7 +80,7 @@ typedef void (sctp_timer_event_t) (unsigned long);
103678 typedef struct {
103679 sctp_state_fn_t *fn;
103680 const char *name;
103681-} sctp_sm_table_entry_t;
103682+} __do_const sctp_sm_table_entry_t;
103683
103684 /* A naming convention of "sctp_sf_xxx" applies to all the state functions
103685 * currently in use.
103686@@ -292,7 +292,7 @@ __u32 sctp_generate_tag(const struct sctp_endpoint *);
103687 __u32 sctp_generate_tsn(const struct sctp_endpoint *);
103688
103689 /* Extern declarations for major data structures. */
103690-extern sctp_timer_event_t *sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES];
103691+extern sctp_timer_event_t * const sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES];
103692
103693
103694 /* Get the size of a DATA chunk payload. */
103695diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
103696index 495c87e..5b327ff 100644
103697--- a/include/net/sctp/structs.h
103698+++ b/include/net/sctp/structs.h
103699@@ -513,7 +513,7 @@ struct sctp_pf {
103700 void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
103701 void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
103702 struct sctp_af *af;
103703-};
103704+} __do_const;
103705
103706
103707 /* Structure to track chunk fragments that have been acked, but peer
103708diff --git a/include/net/sock.h b/include/net/sock.h
103709index f21f070..29ac73e 100644
103710--- a/include/net/sock.h
103711+++ b/include/net/sock.h
103712@@ -198,7 +198,7 @@ struct sock_common {
103713 struct in6_addr skc_v6_rcv_saddr;
103714 #endif
103715
103716- atomic64_t skc_cookie;
103717+ atomic64_unchecked_t skc_cookie;
103718
103719 /*
103720 * fields between dontcopy_begin/dontcopy_end
103721@@ -364,7 +364,7 @@ struct sock {
103722 unsigned int sk_napi_id;
103723 unsigned int sk_ll_usec;
103724 #endif
103725- atomic_t sk_drops;
103726+ atomic_unchecked_t sk_drops;
103727 int sk_rcvbuf;
103728
103729 struct sk_filter __rcu *sk_filter;
103730@@ -1038,7 +1038,7 @@ struct proto {
103731 void (*destroy_cgroup)(struct mem_cgroup *memcg);
103732 struct cg_proto *(*proto_cgroup)(struct mem_cgroup *memcg);
103733 #endif
103734-};
103735+} __randomize_layout;
103736
103737 /*
103738 * Bits in struct cg_proto.flags
103739@@ -1211,7 +1211,7 @@ static inline void memcg_memory_allocated_sub(struct cg_proto *prot,
103740 page_counter_uncharge(&prot->memory_allocated, amt);
103741 }
103742
103743-static inline long
103744+static inline long __intentional_overflow(-1)
103745 sk_memory_allocated(const struct sock *sk)
103746 {
103747 struct proto *prot = sk->sk_prot;
103748@@ -1776,7 +1776,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags)
103749 }
103750
103751 static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
103752- struct iov_iter *from, char *to,
103753+ struct iov_iter *from, unsigned char *to,
103754 int copy, int offset)
103755 {
103756 if (skb->ip_summed == CHECKSUM_NONE) {
103757@@ -2023,7 +2023,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
103758 }
103759 }
103760
103761-struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp,
103762+struct sk_buff * __intentional_overflow(0) sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp,
103763 bool force_schedule);
103764
103765 /**
103766@@ -2099,7 +2099,7 @@ struct sock_skb_cb {
103767 static inline void
103768 sock_skb_set_dropcount(const struct sock *sk, struct sk_buff *skb)
103769 {
103770- SOCK_SKB_CB(skb)->dropcount = atomic_read(&sk->sk_drops);
103771+ SOCK_SKB_CB(skb)->dropcount = atomic_read_unchecked(&sk->sk_drops);
103772 }
103773
103774 void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
103775diff --git a/include/net/tcp.h b/include/net/tcp.h
103776index 950cfec..0bf9d85 100644
103777--- a/include/net/tcp.h
103778+++ b/include/net/tcp.h
103779@@ -546,7 +546,7 @@ void tcp_retransmit_timer(struct sock *sk);
103780 void tcp_xmit_retransmit_queue(struct sock *);
103781 void tcp_simple_retransmit(struct sock *);
103782 int tcp_trim_head(struct sock *, struct sk_buff *, u32);
103783-int tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int, gfp_t);
103784+int tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int, gfp_t) __intentional_overflow(3);
103785
103786 void tcp_send_probe0(struct sock *);
103787 void tcp_send_partial(struct sock *);
103788@@ -724,8 +724,8 @@ static inline u32 tcp_skb_timestamp(const struct sk_buff *skb)
103789 * If this grows please adjust skbuff.h:skbuff->cb[xxx] size appropriately.
103790 */
103791 struct tcp_skb_cb {
103792- __u32 seq; /* Starting sequence number */
103793- __u32 end_seq; /* SEQ + FIN + SYN + datalen */
103794+ __u32 seq __intentional_overflow(-1); /* Starting sequence number */
103795+ __u32 end_seq __intentional_overflow(-1); /* SEQ + FIN + SYN + datalen */
103796 union {
103797 /* Note : tcp_tw_isn is used in input path only
103798 * (isn chosen by tcp_timewait_state_process())
103799@@ -753,7 +753,7 @@ struct tcp_skb_cb {
103800
103801 __u8 ip_dsfield; /* IPv4 tos or IPv6 dsfield */
103802 /* 1 byte hole */
103803- __u32 ack_seq; /* Sequence number ACK'd */
103804+ __u32 ack_seq __intentional_overflow(-1); /* Sequence number ACK'd */
103805 union {
103806 struct inet_skb_parm h4;
103807 #if IS_ENABLED(CONFIG_IPV6)
103808diff --git a/include/net/xfrm.h b/include/net/xfrm.h
103809index f0ee97e..73e2b5a 100644
103810--- a/include/net/xfrm.h
103811+++ b/include/net/xfrm.h
103812@@ -284,7 +284,6 @@ struct xfrm_dst;
103813 struct xfrm_policy_afinfo {
103814 unsigned short family;
103815 struct dst_ops *dst_ops;
103816- void (*garbage_collect)(struct net *net);
103817 struct dst_entry *(*dst_lookup)(struct net *net, int tos,
103818 const xfrm_address_t *saddr,
103819 const xfrm_address_t *daddr);
103820@@ -302,7 +301,7 @@ struct xfrm_policy_afinfo {
103821 struct net_device *dev,
103822 const struct flowi *fl);
103823 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
103824-};
103825+} __do_const;
103826
103827 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
103828 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
103829@@ -341,7 +340,7 @@ struct xfrm_state_afinfo {
103830 int (*transport_finish)(struct sk_buff *skb,
103831 int async);
103832 void (*local_error)(struct sk_buff *skb, u32 mtu);
103833-};
103834+} __do_const;
103835
103836 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
103837 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
103838@@ -436,7 +435,7 @@ struct xfrm_mode {
103839 struct module *owner;
103840 unsigned int encap;
103841 int flags;
103842-};
103843+} __do_const;
103844
103845 /* Flags for xfrm_mode. */
103846 enum {
103847@@ -531,7 +530,7 @@ struct xfrm_policy {
103848 struct timer_list timer;
103849
103850 struct flow_cache_object flo;
103851- atomic_t genid;
103852+ atomic_unchecked_t genid;
103853 u32 priority;
103854 u32 index;
103855 struct xfrm_mark mark;
103856@@ -1164,6 +1163,7 @@ static inline void xfrm_sk_free_policy(struct sock *sk)
103857 }
103858
103859 void xfrm_garbage_collect(struct net *net);
103860+void xfrm_garbage_collect_deferred(struct net *net);
103861
103862 #else
103863
103864@@ -1202,6 +1202,9 @@ static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
103865 static inline void xfrm_garbage_collect(struct net *net)
103866 {
103867 }
103868+static inline void xfrm_garbage_collect_deferred(struct net *net)
103869+{
103870+}
103871 #endif
103872
103873 static __inline__
103874diff --git a/include/rdma/iw_cm.h b/include/rdma/iw_cm.h
103875index 036bd27..c0d7f17 100644
103876--- a/include/rdma/iw_cm.h
103877+++ b/include/rdma/iw_cm.h
103878@@ -123,7 +123,7 @@ struct iw_cm_verbs {
103879 int backlog);
103880
103881 int (*destroy_listen)(struct iw_cm_id *cm_id);
103882-};
103883+} __no_const;
103884
103885 /**
103886 * iw_create_cm_id - Create an IW CM identifier.
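Review bot: `__no_const` on `struct iw_cm_verbs` appears to exempt the structure from constification, leaving its function pointers writable at run time, and nothing at the definition says which code needs to write them. The same applies to `struct snd_compr_ops` and to the `libfc_function_template_no_const` and `fc_function_template_no_const` typedefs later in this patch. Since these are the tables that stay writable while their neighbours are marked `__do_const`, each exemption should carry a one-line comment naming the code that assigns the pointers after initialisation, so the exemption can be dropped once that code is gone. The struct body begins outside the hunk.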
103887diff --git a/include/scsi/libfc.h b/include/scsi/libfc.h
103888index 93d14da..734b3d8 100644
103889--- a/include/scsi/libfc.h
103890+++ b/include/scsi/libfc.h
103891@@ -771,6 +771,7 @@ struct libfc_function_template {
103892 */
103893 void (*disc_stop_final) (struct fc_lport *);
103894 };
103895+typedef struct libfc_function_template __no_const libfc_function_template_no_const;
103896
103897 /**
103898 * struct fc_disc - Discovery context
103899@@ -875,7 +876,7 @@ struct fc_lport {
103900 struct fc_vport *vport;
103901
103902 /* Operational Information */
103903- struct libfc_function_template tt;
103904+ libfc_function_template_no_const tt;
103905 u8 link_up;
103906 u8 qfull;
103907 enum fc_lport_state state;
103908diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
103909index ae84b22..7954097 100644
103910--- a/include/scsi/scsi_device.h
103911+++ b/include/scsi/scsi_device.h
103912@@ -185,9 +185,9 @@ struct scsi_device {
103913 unsigned int max_device_blocked; /* what device_blocked counts down from */
103914 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
103915
103916- atomic_t iorequest_cnt;
103917- atomic_t iodone_cnt;
103918- atomic_t ioerr_cnt;
103919+ atomic_unchecked_t iorequest_cnt;
103920+ atomic_unchecked_t iodone_cnt;
103921+ atomic_unchecked_t ioerr_cnt;
103922
103923 struct device sdev_gendev,
103924 sdev_dev;
103925diff --git a/include/scsi/scsi_driver.h b/include/scsi/scsi_driver.h
103926index 891a658..fcd68df 100644
103927--- a/include/scsi/scsi_driver.h
103928+++ b/include/scsi/scsi_driver.h
103929@@ -14,7 +14,7 @@ struct scsi_driver {
103930 void (*rescan)(struct device *);
103931 int (*init_command)(struct scsi_cmnd *);
103932 void (*uninit_command)(struct scsi_cmnd *);
103933- int (*done)(struct scsi_cmnd *);
103934+ unsigned int (*done)(struct scsi_cmnd *);
103935 int (*eh_action)(struct scsi_cmnd *, int);
103936 };
103937 #define to_scsi_driver(drv) \
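Review bot: Changing `done` to return `unsigned int` changes the contract for every `struct scsi_driver` implementation and for the caller, none of which are in this hunk. An implementation that still returns a negative errno would now be read as a very large positive value. The member has no comment, so state the contract where it is declared, e.g. `unsigned int (*done)(struct scsi_cmnd *); /* returns a count, never a negative errno (confirm against callers) */`. Check that the implementations and the call site are converted in the same patch.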
103938diff --git a/include/scsi/scsi_transport_fc.h b/include/scsi/scsi_transport_fc.h
103939index 784bc2c..855a04c 100644
103940--- a/include/scsi/scsi_transport_fc.h
103941+++ b/include/scsi/scsi_transport_fc.h
103942@@ -757,7 +757,8 @@ struct fc_function_template {
103943 unsigned long show_host_system_hostname:1;
103944
103945 unsigned long disable_target_scan:1;
103946-};
103947+} __do_const;
103948+typedef struct fc_function_template __no_const fc_function_template_no_const;
103949
103950
103951 /**
103952diff --git a/include/scsi/sg.h b/include/scsi/sg.h
103953index 3afec70..b196b43 100644
103954--- a/include/scsi/sg.h
103955+++ b/include/scsi/sg.h
103956@@ -52,7 +52,7 @@ typedef struct sg_io_hdr
103957 or scatter gather list */
103958 unsigned char __user *cmdp; /* [i], [*i] points to command to perform */
103959 void __user *sbp; /* [i], [*o] points to sense_buffer memory */
103960- unsigned int timeout; /* [i] MAX_UINT->no timeout (unit: millisec) */
103961+ unsigned int timeout __intentional_overflow(-1); /* [i] MAX_UINT->no timeout (unit: millisec) */
103962 unsigned int flags; /* [i] 0 -> default, see SG_FLAG... */
103963 int pack_id; /* [i->o] unused internally (normally) */
103964 void __user * usr_ptr; /* [i->o] unused internally */
103965diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
103966index fa1d055..3647940 100644
103967--- a/include/sound/compress_driver.h
103968+++ b/include/sound/compress_driver.h
103969@@ -130,7 +130,7 @@ struct snd_compr_ops {
103970 struct snd_compr_caps *caps);
103971 int (*get_codec_caps) (struct snd_compr_stream *stream,
103972 struct snd_compr_codec_caps *codec);
103973-};
103974+} __no_const;
103975
103976 /**
103977 * struct snd_compr: Compressed device
103978diff --git a/include/sound/soc.h b/include/sound/soc.h
103979index 93df8bf..c84577b 100644
103980--- a/include/sound/soc.h
103981+++ b/include/sound/soc.h
103982@@ -883,7 +883,7 @@ struct snd_soc_codec_driver {
103983 enum snd_soc_dapm_type, int);
103984
103985 bool ignore_pmdown_time; /* Doesn't benefit from pmdown delay */
103986-};
103987+} __do_const;
103988
103989 /* SoC platform interface */
103990 struct snd_soc_platform_driver {
103991@@ -910,7 +910,7 @@ struct snd_soc_platform_driver {
103992 const struct snd_compr_ops *compr_ops;
103993
103994 int (*bespoke_trigger)(struct snd_pcm_substream *, int);
103995-};
103996+} __do_const;
103997
103998 struct snd_soc_dai_link_component {
103999 const char *name;
104000diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
104001index 17ae2d6..2c06382 100644
104002--- a/include/target/target_core_base.h
104003+++ b/include/target/target_core_base.h
104004@@ -751,7 +751,7 @@ struct se_device {
104005 atomic_long_t write_bytes;
104006 /* Active commands on this virtual SE device */
104007 atomic_t simple_cmds;
104008- atomic_t dev_ordered_id;
104009+ atomic_unchecked_t dev_ordered_id;
104010 atomic_t dev_ordered_sync;
104011 atomic_t dev_qf_count;
104012 u32 export_count;
104013diff --git a/include/trace/events/fs.h b/include/trace/events/fs.h
104014new file mode 100644
104015index 0000000..fb634b7
104016--- /dev/null
104017+++ b/include/trace/events/fs.h
104018@@ -0,0 +1,53 @@
104019+#undef TRACE_SYSTEM
104020+#define TRACE_SYSTEM fs
104021+
104022+#if !defined(_TRACE_FS_H) || defined(TRACE_HEADER_MULTI_READ)
104023+#define _TRACE_FS_H
104024+
104025+#include <linux/fs.h>
104026+#include <linux/tracepoint.h>
104027+
104028+TRACE_EVENT(do_sys_open,
104029+
104030+ TP_PROTO(const char *filename, int flags, int mode),
104031+
104032+ TP_ARGS(filename, flags, mode),
104033+
104034+ TP_STRUCT__entry(
104035+ __string( filename, filename )
104036+ __field( int, flags )
104037+ __field( int, mode )
104038+ ),
104039+
104040+ TP_fast_assign(
104041+ __assign_str(filename, filename);
104042+ __entry->flags = flags;
104043+ __entry->mode = mode;
104044+ ),
104045+
104046+ TP_printk("\"%s\" %x %o",
104047+ __get_str(filename), __entry->flags, __entry->mode)
104048+);
104049+
104050+TRACE_EVENT(open_exec,
104051+
104052+ TP_PROTO(const char *filename),
104053+
104054+ TP_ARGS(filename),
104055+
104056+ TP_STRUCT__entry(
104057+ __string( filename, filename )
104058+ ),
104059+
104060+ TP_fast_assign(
104061+ __assign_str(filename, filename);
104062+ ),
104063+
104064+ TP_printk("\"%s\"",
104065+ __get_str(filename))
104066+);
104067+
104068+#endif /* _TRACE_FS_H */
104069+
104070+/* This part must be outside protection */
104071+#include <trace/define_trace.h>
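Review bot: Neither `TRACE_EVENT` in this new header has a comment describing when it fires or what its fields mean, whereas the events in include/trace/events/irq.h, touched later in this patch, are each preceded by a comment block. Add a short block before `do_sys_open` and `open_exec` naming the call site (not visible here) and each argument. The comment should also note that `filename` is copied into the trace buffer as passed in, so anyone who can read the trace sees the path strings. `mode` is declared `int` and printed with `%o`; if the callers pass a `umode_t`, say so in the comment.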
104072diff --git a/include/trace/events/irq.h b/include/trace/events/irq.h
104073index ff8f6c0..6b6bae3 100644
104074--- a/include/trace/events/irq.h
104075+++ b/include/trace/events/irq.h
104076@@ -51,7 +51,7 @@ SOFTIRQ_NAME_LIST
104077 */
104078 TRACE_EVENT(irq_handler_entry,
104079
104080- TP_PROTO(int irq, struct irqaction *action),
104081+ TP_PROTO(int irq, const struct irqaction *action),
104082
104083 TP_ARGS(irq, action),
104084
104085@@ -81,7 +81,7 @@ TRACE_EVENT(irq_handler_entry,
104086 */
104087 TRACE_EVENT(irq_handler_exit,
104088
104089- TP_PROTO(int irq, struct irqaction *action, int ret),
104090+ TP_PROTO(int irq, const struct irqaction *action, int ret),
104091
104092 TP_ARGS(irq, action, ret),
104093
104094diff --git a/include/uapi/drm/i915_drm.h b/include/uapi/drm/i915_drm.h
104095index db809b7..05a44aa 100644
104096--- a/include/uapi/drm/i915_drm.h
104097+++ b/include/uapi/drm/i915_drm.h
104098@@ -354,6 +354,7 @@ typedef struct drm_i915_irq_wait {
104099 #define I915_PARAM_REVISION 32
104100 #define I915_PARAM_SUBSLICE_TOTAL 33
104101 #define I915_PARAM_EU_TOTAL 34
104102+#define I915_PARAM_HAS_LEGACY_CONTEXT 35
104103
104104 typedef struct drm_i915_getparam {
104105 int param;
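Review bot: `I915_PARAM_HAS_LEGACY_CONTEXT` takes 35, the next value after `I915_PARAM_EU_TOTAL`, in a UAPI numbering sequence that the upstream driver also extends. A later upstream parameter can be assigned the same number, and userspace built against upstream headers would then misread the answer. Mark the definition as an out-of-tree addition, e.g. `#define I915_PARAM_HAS_LEGACY_CONTEXT 35 /* not upstream; re-check for collisions on every rebase */`. The getparam handler that answers this value is not in this hunk.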
104106diff --git a/include/uapi/linux/a.out.h b/include/uapi/linux/a.out.h
104107index 7caf44c..23c6f27 100644
104108--- a/include/uapi/linux/a.out.h
104109+++ b/include/uapi/linux/a.out.h
104110@@ -39,6 +39,14 @@ enum machine_type {
104111 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
104112 };
104113
104114+/* Constants for the N_FLAGS field */
104115+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
104116+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
104117+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
104118+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
104119+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
104120+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
104121+
104122 #if !defined (N_MAGIC)
104123 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
104124 #endif
104125diff --git a/include/uapi/linux/bcache.h b/include/uapi/linux/bcache.h
104126index 22b6ad3..aeba37e 100644
104127--- a/include/uapi/linux/bcache.h
104128+++ b/include/uapi/linux/bcache.h
104129@@ -5,6 +5,7 @@
104130 * Bcache on disk data structures
104131 */
104132
104133+#include <linux/compiler.h>
104134 #include <asm/types.h>
104135
104136 #define BITMASK(name, type, field, offset, size) \
104137@@ -20,8 +21,8 @@ static inline void SET_##name(type *k, __u64 v) \
104138 /* Btree keys - all units are in sectors */
104139
104140 struct bkey {
104141- __u64 high;
104142- __u64 low;
104143+ __u64 high __intentional_overflow(-1);
104144+ __u64 low __intentional_overflow(-1);
104145 __u64 ptr[];
104146 };
104147
104148diff --git a/include/uapi/linux/byteorder/little_endian.h b/include/uapi/linux/byteorder/little_endian.h
104149index d876736..ccce5c0 100644
104150--- a/include/uapi/linux/byteorder/little_endian.h
104151+++ b/include/uapi/linux/byteorder/little_endian.h
104152@@ -42,51 +42,51 @@
104153
104154 static inline __le64 __cpu_to_le64p(const __u64 *p)
104155 {
104156- return (__force __le64)*p;
104157+ return (__force const __le64)*p;
104158 }
104159-static inline __u64 __le64_to_cpup(const __le64 *p)
104160+static inline __u64 __intentional_overflow(-1) __le64_to_cpup(const __le64 *p)
104161 {
104162- return (__force __u64)*p;
104163+ return (__force const __u64)*p;
104164 }
104165 static inline __le32 __cpu_to_le32p(const __u32 *p)
104166 {
104167- return (__force __le32)*p;
104168+ return (__force const __le32)*p;
104169 }
104170 static inline __u32 __le32_to_cpup(const __le32 *p)
104171 {
104172- return (__force __u32)*p;
104173+ return (__force const __u32)*p;
104174 }
104175 static inline __le16 __cpu_to_le16p(const __u16 *p)
104176 {
104177- return (__force __le16)*p;
104178+ return (__force const __le16)*p;
104179 }
104180 static inline __u16 __le16_to_cpup(const __le16 *p)
104181 {
104182- return (__force __u16)*p;
104183+ return (__force const __u16)*p;
104184 }
104185 static inline __be64 __cpu_to_be64p(const __u64 *p)
104186 {
104187- return (__force __be64)__swab64p(p);
104188+ return (__force const __be64)__swab64p(p);
104189 }
104190 static inline __u64 __be64_to_cpup(const __be64 *p)
104191 {
104192- return __swab64p((__u64 *)p);
104193+ return __swab64p((const __u64 *)p);
104194 }
104195 static inline __be32 __cpu_to_be32p(const __u32 *p)
104196 {
104197- return (__force __be32)__swab32p(p);
104198+ return (__force const __be32)__swab32p(p);
104199 }
104200-static inline __u32 __be32_to_cpup(const __be32 *p)
104201+static inline __u32 __intentional_overflow(-1) __be32_to_cpup(const __be32 *p)
104202 {
104203- return __swab32p((__u32 *)p);
104204+ return __swab32p((const __u32 *)p);
104205 }
104206 static inline __be16 __cpu_to_be16p(const __u16 *p)
104207 {
104208- return (__force __be16)__swab16p(p);
104209+ return (__force const __be16)__swab16p(p);
104210 }
104211 static inline __u16 __be16_to_cpup(const __be16 *p)
104212 {
104213- return __swab16p((__u16 *)p);
104214+ return __swab16p((const __u16 *)p);
104215 }
104216 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
104217 #define __le64_to_cpus(x) do { (void)(x); } while (0)
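Review bot: `__intentional_overflow(-1)` is added to `__le64_to_cpup()` and `__be32_to_cpup()` only, while the otherwise parallel `__le32_to_cpup()`, `__le16_to_cpup()`, `__be64_to_cpup()` and `__be16_to_cpup()` stay unmarked, and nothing explains the selection. If the marks were added case by case in response to overflow-checker reports, a comment above the block should say so, for example `/* __intentional_overflow(-1) only where the overflow checker reported a false positive */`. Otherwise the six `*_to_cpup` helpers should be marked uniformly, so that a reader does not take the unmarked ones for an oversight.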
104218diff --git a/include/uapi/linux/connector.h b/include/uapi/linux/connector.h
104219index 4cb2835..cfbc4e2 100644
104220--- a/include/uapi/linux/connector.h
104221+++ b/include/uapi/linux/connector.h
104222@@ -69,7 +69,7 @@ struct cb_id {
104223 struct cn_msg {
104224 struct cb_id id;
104225
104226- __u32 seq;
104227+ __u32 seq __intentional_overflow(-1);
104228 __u32 ack;
104229
104230 __u16 len; /* Length of the following data */
104231diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h
104232index 71e1d0e..6cc9caf 100644
104233--- a/include/uapi/linux/elf.h
104234+++ b/include/uapi/linux/elf.h
104235@@ -37,6 +37,17 @@ typedef __s64 Elf64_Sxword;
104236 #define PT_GNU_EH_FRAME 0x6474e550
104237
104238 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
104239+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
104240+
104241+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
104242+
104243+/* Constants for the e_flags field */
104244+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
104245+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
104246+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
104247+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
104248+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
104249+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
104250
104251 /*
104252 * Extended Numbering
104253@@ -94,6 +105,8 @@ typedef __s64 Elf64_Sxword;
104254 #define DT_DEBUG 21
104255 #define DT_TEXTREL 22
104256 #define DT_JMPREL 23
104257+#define DT_FLAGS 30
104258+ #define DF_TEXTREL 0x00000004
104259 #define DT_ENCODING 32
104260 #define OLD_DT_LOOS 0x60000000
104261 #define DT_LOOS 0x6000000d
104262@@ -240,6 +253,19 @@ typedef struct elf64_hdr {
104263 #define PF_W 0x2
104264 #define PF_X 0x1
104265
104266+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
104267+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
104268+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
104269+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
104270+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
104271+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
104272+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
104273+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
104274+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
104275+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
104276+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
104277+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
104278+
104279 typedef struct elf32_phdr{
104280 Elf32_Word p_type;
104281 Elf32_Off p_offset;
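Review bot: The new `PF_*`/`PF_NO*` bits come in enable/disable pairs, but nothing at the definitions says what a segment with both bits of a pair set, or neither, means. A parser that silently picks one reading is a place where a protection can end up disabled by accident. State the rule next to the block, e.g. `/* per feature: PF_x enables, PF_NOx disables; neither = default, both = invalid */`, after checking it against the code that interprets these flags, which is not in this hunk. The commented-out RANDEXEC pair would also read better with a note that bits 10 and 11 stay reserved.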
104282@@ -332,6 +358,8 @@ typedef struct elf64_shdr {
104283 #define EI_OSABI 7
104284 #define EI_PAD 8
104285
104286+#define EI_PAX 14
104287+
104288 #define ELFMAG0 0x7f /* EI_MAG */
104289 #define ELFMAG1 'E'
104290 #define ELFMAG2 'L'
104291diff --git a/include/uapi/linux/personality.h b/include/uapi/linux/personality.h
104292index aa169c4..6a2771d 100644
104293--- a/include/uapi/linux/personality.h
104294+++ b/include/uapi/linux/personality.h
104295@@ -30,6 +30,7 @@ enum {
104296 #define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
104297 ADDR_NO_RANDOMIZE | \
104298 ADDR_COMPAT_LAYOUT | \
104299+ ADDR_LIMIT_3GB | \
104300 MMAP_PAGE_ZERO)
104301
104302 /*
104303diff --git a/include/uapi/linux/screen_info.h b/include/uapi/linux/screen_info.h
104304index 7530e74..e714828 100644
104305--- a/include/uapi/linux/screen_info.h
104306+++ b/include/uapi/linux/screen_info.h
104307@@ -43,7 +43,8 @@ struct screen_info {
104308 __u16 pages; /* 0x32 */
104309 __u16 vesa_attributes; /* 0x34 */
104310 __u32 capabilities; /* 0x36 */
104311- __u8 _reserved[6]; /* 0x3a */
104312+ __u16 vesapm_size; /* 0x3a */
104313+ __u8 _reserved[4]; /* 0x3c */
104314 } __attribute__((packed));
104315
104316 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
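Review bot: `vesapm_size` is carved out of what used to be `_reserved[6]`, and the declaration carries only its offset, with no statement of who fills it in, what unit it uses, or what 0 means. Any producer of `struct screen_info` that predates the field leaves it holding whatever it used to put in the reserved bytes. The consumer, which is outside this hunk, should therefore treat the value as an unvalidated length and bounds-check it. Add a comment at the field naming the producer and the unit. Going by the offset comments the packed struct ends at 0x40, which a `BUILD_BUG_ON(sizeof(struct screen_info) != 0x40);` next to the consumer would pin down.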
104317diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h
104318index 0e011eb..82681b1 100644
104319--- a/include/uapi/linux/swab.h
104320+++ b/include/uapi/linux/swab.h
104321@@ -43,7 +43,7 @@
104322 * ___swab16, ___swab32, ___swab64, ___swahw32, ___swahb32
104323 */
104324
104325-static inline __attribute_const__ __u16 __fswab16(__u16 val)
104326+static inline __intentional_overflow(-1) __attribute_const__ __u16 __fswab16(__u16 val)
104327 {
104328 #ifdef __HAVE_BUILTIN_BSWAP16__
104329 return __builtin_bswap16(val);
104330@@ -54,7 +54,7 @@ static inline __attribute_const__ __u16 __fswab16(__u16 val)
104331 #endif
104332 }
104333
104334-static inline __attribute_const__ __u32 __fswab32(__u32 val)
104335+static inline __intentional_overflow(-1) __attribute_const__ __u32 __fswab32(__u32 val)
104336 {
104337 #ifdef __HAVE_BUILTIN_BSWAP32__
104338 return __builtin_bswap32(val);
104339@@ -65,7 +65,7 @@ static inline __attribute_const__ __u32 __fswab32(__u32 val)
104340 #endif
104341 }
104342
104343-static inline __attribute_const__ __u64 __fswab64(__u64 val)
104344+static inline __intentional_overflow(-1) __attribute_const__ __u64 __fswab64(__u64 val)
104345 {
104346 #ifdef __HAVE_BUILTIN_BSWAP64__
104347 return __builtin_bswap64(val);
104348diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
104349index 1590c49..5eab462 100644
104350--- a/include/uapi/linux/xattr.h
104351+++ b/include/uapi/linux/xattr.h
104352@@ -73,5 +73,9 @@
104353 #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
104354 #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
104355
104356+/* User namespace */
104357+#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
104358+#define XATTR_PAX_FLAGS_SUFFIX "flags"
104359+#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
104360
104361 #endif /* _UAPI_LINUX_XATTR_H */
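Review bot: The comment `/* User namespace */` above `XATTR_PAX_PREFIX` is easy to misread as referring to user namespaces; it means the `user.` extended-attribute namespace, and that choice has a trust consequence worth stating. Attributes under `user.` can be set by anyone allowed to write the file, so the resulting `user.pax.flags` value is only as trustworthy as the file's write permission. Suggested wording: `/* PaX flags in the user.* xattr namespace ("user.pax.flags"); settable by whoever may write the file */`. The code that reads the attribute is outside this hunk.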
104362diff --git a/include/video/udlfb.h b/include/video/udlfb.h
104363index f9466fa..f4e2b81 100644
104364--- a/include/video/udlfb.h
104365+++ b/include/video/udlfb.h
104366@@ -53,10 +53,10 @@ struct dlfb_data {
104367 u32 pseudo_palette[256];
104368 int blank_mode; /*one of FB_BLANK_ */
104369 /* blit-only rendering path metrics, exposed through sysfs */
104370- atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
104371- atomic_t bytes_identical; /* saved effort with backbuffer comparison */
104372- atomic_t bytes_sent; /* to usb, after compression including overhead */
104373- atomic_t cpu_kcycles_used; /* transpired during pixel processing */
104374+ atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
104375+ atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
104376+ atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
104377+ atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
104378 };
104379
104380 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
104381diff --git a/include/video/uvesafb.h b/include/video/uvesafb.h
104382index 30f5362..8ed8ac9 100644
104383--- a/include/video/uvesafb.h
104384+++ b/include/video/uvesafb.h
104385@@ -122,6 +122,7 @@ struct uvesafb_par {
104386 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
104387 u8 pmi_setpal; /* PMI for palette changes */
104388 u16 *pmi_base; /* protected mode interface location */
104389+ u8 *pmi_code; /* protected mode code location */
104390 void *pmi_start;
104391 void *pmi_pal;
104392 u8 *vbe_state_orig; /*
104393diff --git a/init/Kconfig b/init/Kconfig
104394index af09b4f..5ee6e6a 100644
104395--- a/init/Kconfig
104396+++ b/init/Kconfig
104397@@ -642,6 +642,7 @@ config RCU_FAST_NO_HZ
104398 config TREE_RCU_TRACE
104399 def_bool RCU_TRACE && ( TREE_RCU || PREEMPT_RCU )
104400 select DEBUG_FS
104401+ depends on !GRKERNSEC_KMEM
104402 help
104403 This option provides tracing for the TREE_RCU and
104404 PREEMPT_RCU implementations, permitting Makefile to
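Review bot: The new `depends on !GRKERNSEC_KMEM` under TREE_RCU_TRACE is not reflected in the help text, so the option silently drops out with no explanation for whoever is configuring the kernel. The same applies to `depends on !GRKERNSEC` under CHECKPOINT_RESTORE in the next hunk. Each help text should gain a closing sentence such as `This option is not available when GRKERNSEC_KMEM is enabled.` (with `GRKERNSEC` for CHECKPOINT_RESTORE), ideally followed by the reason. Both help blocks continue outside their hunks.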
104405@@ -1139,6 +1140,7 @@ endif # CGROUPS
104406 config CHECKPOINT_RESTORE
104407 bool "Checkpoint/restore support" if EXPERT
104408 select PROC_CHILDREN
104409+ depends on !GRKERNSEC
104410 default n
104411 help
104412 Enables additional kernel features in a sake of checkpoint/restore.
104413@@ -1664,7 +1666,7 @@ config SLUB_DEBUG
104414
104415 config COMPAT_BRK
104416 bool "Disable heap randomization"
104417- default y
104418+ default n
104419 help
104420 Randomizing heap placement makes heap exploits harder, but it
104421 also breaks ancient binaries (including anything libc5 based).
104422@@ -1994,7 +1996,7 @@ config INIT_ALL_POSSIBLE
104423 config STOP_MACHINE
104424 bool
104425 default y
104426- depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU
104427+ depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU || GRKERNSEC
104428 help
104429 Need stop_machine() primitive.
104430
104431diff --git a/init/Makefile b/init/Makefile
104432index 7bc47ee..6da2dc7 100644
104433--- a/init/Makefile
104434+++ b/init/Makefile
104435@@ -2,6 +2,9 @@
104436 # Makefile for the linux kernel.
104437 #
104438
104439+ccflags-y := $(GCC_PLUGINS_CFLAGS)
104440+asflags-y := $(GCC_PLUGINS_AFLAGS)
104441+
104442 obj-y := main.o version.o mounts.o
104443 ifneq ($(CONFIG_BLK_DEV_INITRD),y)
104444 obj-y += noinitramfs.o
104445diff --git a/init/do_mounts.c b/init/do_mounts.c
104446index dea5de9..bbdbb5f 100644
104447--- a/init/do_mounts.c
104448+++ b/init/do_mounts.c
104449@@ -363,11 +363,11 @@ static void __init get_fs_names(char *page)
104450 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
104451 {
104452 struct super_block *s;
104453- int err = sys_mount(name, "/root", fs, flags, data);
104454+ int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
104455 if (err)
104456 return err;
104457
104458- sys_chdir("/root");
104459+ sys_chdir((const char __force_user *)"/root");
104460 s = current->fs->pwd.dentry->d_sb;
104461 ROOT_DEV = s->s_dev;
104462 printk(KERN_INFO
104463@@ -490,18 +490,18 @@ void __init change_floppy(char *fmt, ...)
104464 va_start(args, fmt);
104465 vsprintf(buf, fmt, args);
104466 va_end(args);
104467- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
104468+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
104469 if (fd >= 0) {
104470 sys_ioctl(fd, FDEJECT, 0);
104471 sys_close(fd);
104472 }
104473 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
104474- fd = sys_open("/dev/console", O_RDWR, 0);
104475+ fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
104476 if (fd >= 0) {
104477 sys_ioctl(fd, TCGETS, (long)&termios);
104478 termios.c_lflag &= ~ICANON;
104479 sys_ioctl(fd, TCSETSF, (long)&termios);
104480- sys_read(fd, &c, 1);
104481+ sys_read(fd, (char __user *)&c, 1);
104482 termios.c_lflag |= ICANON;
104483 sys_ioctl(fd, TCSETSF, (long)&termios);
104484 sys_close(fd);
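Review bot: Two of the casts added in change_floppy() add `__user` without `__force`: `sys_open((char __user *)"/dev/root", …)` and `sys_read(fd, (char __user *)&c, 1)`. The `/dev/console` open in the same hunk uses `(__force const char __user *)`, and the other call sites this patch touches under init/ use `__force_user`. A plain `__user` cast on a kernel pointer is the form an address-space checker is meant to flag, so these two should follow the rest: `fd = sys_open((const char __force_user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (char __force_user *)&c, 1);`. How `__force_user` expands is not visible here, so confirm it is equivalent for the checker in use. change_floppy() starts and ends outside the hunk.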
104485@@ -600,8 +600,8 @@ void __init prepare_namespace(void)
104486 mount_root();
104487 out:
104488 devtmpfs_mount("dev");
104489- sys_mount(".", "/", NULL, MS_MOVE, NULL);
104490- sys_chroot(".");
104491+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
104492+ sys_chroot((const char __force_user *)".");
104493 }
104494
104495 static bool is_tmpfs;
104496diff --git a/init/do_mounts.h b/init/do_mounts.h
104497index f5b978a..69dbfe8 100644
104498--- a/init/do_mounts.h
104499+++ b/init/do_mounts.h
104500@@ -15,15 +15,15 @@ extern int root_mountflags;
104501
104502 static inline int create_dev(char *name, dev_t dev)
104503 {
104504- sys_unlink(name);
104505- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
104506+ sys_unlink((char __force_user *)name);
104507+ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
104508 }
104509
104510 #if BITS_PER_LONG == 32
104511 static inline u32 bstat(char *name)
104512 {
104513 struct stat64 stat;
104514- if (sys_stat64(name, &stat) != 0)
104515+ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
104516 return 0;
104517 if (!S_ISBLK(stat.st_mode))
104518 return 0;
104519@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
104520 static inline u32 bstat(char *name)
104521 {
104522 struct stat stat;
104523- if (sys_newstat(name, &stat) != 0)
104524+ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
104525 return 0;
104526 if (!S_ISBLK(stat.st_mode))
104527 return 0;
104528diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c
104529index 3e0878e..8a9d7a0 100644
104530--- a/init/do_mounts_initrd.c
104531+++ b/init/do_mounts_initrd.c
104532@@ -37,13 +37,13 @@ static int init_linuxrc(struct subprocess_info *info, struct cred *new)
104533 {
104534 sys_unshare(CLONE_FS | CLONE_FILES);
104535 /* stdin/stdout/stderr for /linuxrc */
104536- sys_open("/dev/console", O_RDWR, 0);
104537+ sys_open((const char __force_user *)"/dev/console", O_RDWR, 0);
104538 sys_dup(0);
104539 sys_dup(0);
104540 /* move initrd over / and chdir/chroot in initrd root */
104541- sys_chdir("/root");
104542- sys_mount(".", "/", NULL, MS_MOVE, NULL);
104543- sys_chroot(".");
104544+ sys_chdir((const char __force_user *)"/root");
104545+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
104546+ sys_chroot((const char __force_user *)".");
104547 sys_setsid();
104548 return 0;
104549 }
104550@@ -59,8 +59,8 @@ static void __init handle_initrd(void)
104551 create_dev("/dev/root.old", Root_RAM0);
104552 /* mount initrd on rootfs' /root */
104553 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
104554- sys_mkdir("/old", 0700);
104555- sys_chdir("/old");
104556+ sys_mkdir((const char __force_user *)"/old", 0700);
104557+ sys_chdir((const char __force_user *)"/old");
104558
104559 /* try loading default modules from initrd */
104560 load_default_modules();
104561@@ -80,31 +80,31 @@ static void __init handle_initrd(void)
104562 current->flags &= ~PF_FREEZER_SKIP;
104563
104564 /* move initrd to rootfs' /old */
104565- sys_mount("..", ".", NULL, MS_MOVE, NULL);
104566+ sys_mount((char __force_user *)"..", (char __force_user *)".", NULL, MS_MOVE, NULL);
104567 /* switch root and cwd back to / of rootfs */
104568- sys_chroot("..");
104569+ sys_chroot((const char __force_user *)"..");
104570
104571 if (new_decode_dev(real_root_dev) == Root_RAM0) {
104572- sys_chdir("/old");
104573+ sys_chdir((const char __force_user *)"/old");
104574 return;
104575 }
104576
104577- sys_chdir("/");
104578+ sys_chdir((const char __force_user *)"/");
104579 ROOT_DEV = new_decode_dev(real_root_dev);
104580 mount_root();
104581
104582 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
104583- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
104584+ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
104585 if (!error)
104586 printk("okay\n");
104587 else {
104588- int fd = sys_open("/dev/root.old", O_RDWR, 0);
104589+ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
104590 if (error == -ENOENT)
104591 printk("/initrd does not exist. Ignored.\n");
104592 else
104593 printk("failed\n");
104594 printk(KERN_NOTICE "Unmounting old root\n");
104595- sys_umount("/old", MNT_DETACH);
104596+ sys_umount((char __force_user *)"/old", MNT_DETACH);
104597 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
104598 if (fd < 0) {
104599 error = fd;
104600@@ -127,11 +127,11 @@ int __init initrd_load(void)
104601 * mounted in the normal path.
104602 */
104603 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
104604- sys_unlink("/initrd.image");
104605+ sys_unlink((const char __force_user *)"/initrd.image");
104606 handle_initrd();
104607 return 1;
104608 }
104609 }
104610- sys_unlink("/initrd.image");
104611+ sys_unlink((const char __force_user *)"/initrd.image");
104612 return 0;
104613 }
104614diff --git a/init/do_mounts_md.c b/init/do_mounts_md.c
104615index 8cb6db5..d729f50 100644
104616--- a/init/do_mounts_md.c
104617+++ b/init/do_mounts_md.c
104618@@ -180,7 +180,7 @@ static void __init md_setup_drive(void)
104619 partitioned ? "_d" : "", minor,
104620 md_setup_args[ent].device_names);
104621
104622- fd = sys_open(name, 0, 0);
104623+ fd = sys_open((char __force_user *)name, 0, 0);
104624 if (fd < 0) {
104625 printk(KERN_ERR "md: open failed - cannot start "
104626 "array %s\n", name);
104627@@ -243,7 +243,7 @@ static void __init md_setup_drive(void)
104628 * array without it
104629 */
104630 sys_close(fd);
104631- fd = sys_open(name, 0, 0);
104632+ fd = sys_open((char __force_user *)name, 0, 0);
104633 sys_ioctl(fd, BLKRRPART, 0);
104634 }
104635 sys_close(fd);
104636@@ -293,7 +293,7 @@ static void __init autodetect_raid(void)
104637
104638 wait_for_device_probe();
104639
104640- fd = sys_open("/dev/md0", 0, 0);
104641+ fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
104642 if (fd >= 0) {
104643 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
104644 sys_close(fd);
104645diff --git a/init/init_task.c b/init/init_task.c
104646index ba0a7f36..2bcf1d5 100644
104647--- a/init/init_task.c
104648+++ b/init/init_task.c
104649@@ -22,5 +22,9 @@ EXPORT_SYMBOL(init_task);
104650 * Initial thread structure. Alignment of this is handled by a special
104651 * linker map entry.
104652 */
104653+#ifdef CONFIG_X86
104654+union thread_union init_thread_union __init_task_data;
104655+#else
104656 union thread_union init_thread_union __init_task_data =
104657 { INIT_THREAD_INFO(init_task) };
104658+#endif
104659diff --git a/init/initramfs.c b/init/initramfs.c
104660index ad1bd77..dca2c1b 100644
104661--- a/init/initramfs.c
104662+++ b/init/initramfs.c
104663@@ -25,7 +25,7 @@ static ssize_t __init xwrite(int fd, const char *p, size_t count)
104664
104665 /* sys_write only can write MAX_RW_COUNT aka 2G-4K bytes at most */
104666 while (count) {
104667- ssize_t rv = sys_write(fd, p, count);
104668+ ssize_t rv = sys_write(fd, (char __force_user *)p, count);
104669
104670 if (rv < 0) {
104671 if (rv == -EINTR || rv == -EAGAIN)
104672@@ -107,7 +107,7 @@ static void __init free_hash(void)
104673 }
104674 }
104675
104676-static long __init do_utime(char *filename, time_t mtime)
104677+static long __init do_utime(char __force_user *filename, time_t mtime)
104678 {
104679 struct timespec t[2];
104680
104681@@ -142,7 +142,7 @@ static void __init dir_utime(void)
104682 struct dir_entry *de, *tmp;
104683 list_for_each_entry_safe(de, tmp, &dir_list, list) {
104684 list_del(&de->list);
104685- do_utime(de->name, de->mtime);
104686+ do_utime((char __force_user *)de->name, de->mtime);
104687 kfree(de->name);
104688 kfree(de);
104689 }
104690@@ -304,7 +304,7 @@ static int __init maybe_link(void)
104691 if (nlink >= 2) {
104692 char *old = find_link(major, minor, ino, mode, collected);
104693 if (old)
104694- return (sys_link(old, collected) < 0) ? -1 : 1;
104695+ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
104696 }
104697 return 0;
104698 }
104699@@ -313,11 +313,11 @@ static void __init clean_path(char *path, umode_t fmode)
104700 {
104701 struct stat st;
104702
104703- if (!sys_newlstat(path, &st) && (st.st_mode ^ fmode) & S_IFMT) {
104704+ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode ^ fmode) & S_IFMT) {
104705 if (S_ISDIR(st.st_mode))
104706- sys_rmdir(path);
104707+ sys_rmdir((char __force_user *)path);
104708 else
104709- sys_unlink(path);
104710+ sys_unlink((char __force_user *)path);
104711 }
104712 }
104713
104714@@ -338,7 +338,7 @@ static int __init do_name(void)
104715 int openflags = O_WRONLY|O_CREAT;
104716 if (ml != 1)
104717 openflags |= O_TRUNC;
104718- wfd = sys_open(collected, openflags, mode);
104719+ wfd = sys_open((char __force_user *)collected, openflags, mode);
104720
104721 if (wfd >= 0) {
104722 sys_fchown(wfd, uid, gid);
104723@@ -350,17 +350,17 @@ static int __init do_name(void)
104724 }
104725 }
104726 } else if (S_ISDIR(mode)) {
104727- sys_mkdir(collected, mode);
104728- sys_chown(collected, uid, gid);
104729- sys_chmod(collected, mode);
104730+ sys_mkdir((char __force_user *)collected, mode);
104731+ sys_chown((char __force_user *)collected, uid, gid);
104732+ sys_chmod((char __force_user *)collected, mode);
104733 dir_add(collected, mtime);
104734 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
104735 S_ISFIFO(mode) || S_ISSOCK(mode)) {
104736 if (maybe_link() == 0) {
104737- sys_mknod(collected, mode, rdev);
104738- sys_chown(collected, uid, gid);
104739- sys_chmod(collected, mode);
104740- do_utime(collected, mtime);
104741+ sys_mknod((char __force_user *)collected, mode, rdev);
104742+ sys_chown((char __force_user *)collected, uid, gid);
104743+ sys_chmod((char __force_user *)collected, mode);
104744+ do_utime((char __force_user *)collected, mtime);
104745 }
104746 }
104747 return 0;
104748@@ -372,7 +372,7 @@ static int __init do_copy(void)
104749 if (xwrite(wfd, victim, body_len) != body_len)
104750 error("write error");
104751 sys_close(wfd);
104752- do_utime(vcollected, mtime);
104753+ do_utime((char __force_user *)vcollected, mtime);
104754 kfree(vcollected);
104755 eat(body_len);
104756 state = SkipIt;
104757@@ -390,9 +390,9 @@ static int __init do_symlink(void)
104758 {
104759 collected[N_ALIGN(name_len) + body_len] = '\0';
104760 clean_path(collected, 0);
104761- sys_symlink(collected + N_ALIGN(name_len), collected);
104762- sys_lchown(collected, uid, gid);
104763- do_utime(collected, mtime);
104764+ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
104765+ sys_lchown((char __force_user *)collected, uid, gid);
104766+ do_utime((char __force_user *)collected, mtime);
104767 state = SkipIt;
104768 next_state = Reset;
104769 return 0;
104770diff --git a/init/main.c b/init/main.c
104771index 5650655..937d1b1 100644
104772--- a/init/main.c
104773+++ b/init/main.c
104774@@ -97,6 +97,8 @@ extern void radix_tree_init(void);
104775 static inline void mark_rodata_ro(void) { }
104776 #endif
104777
104778+extern void grsecurity_init(void);
104779+
104780 /*
104781 * Debug helper: via this flag we know that we are in 'early bootup code'
104782 * where only the boot processor is running with IRQ disabled. This means
104783@@ -158,6 +160,37 @@ static int __init set_reset_devices(char *str)
104784
104785 __setup("reset_devices", set_reset_devices);
104786
104787+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
104788+kgid_t grsec_proc_gid = KGIDT_INIT(CONFIG_GRKERNSEC_PROC_GID);
104789+static int __init setup_grsec_proc_gid(char *str)
104790+{
104791+ grsec_proc_gid = KGIDT_INIT(simple_strtol(str, NULL, 0));
104792+ return 1;
104793+}
104794+__setup("grsec_proc_gid=", setup_grsec_proc_gid);
104795+#endif
104796+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
104797+int grsec_enable_sysfs_restrict = 1;
104798+static int __init setup_grsec_sysfs_restrict(char *str)
104799+{
104800+ if (!simple_strtol(str, NULL, 0))
104801+ grsec_enable_sysfs_restrict = 0;
104802+ return 1;
104803+}
104804+__setup("grsec_sysfs_restrict", setup_grsec_sysfs_restrict);
104805+#endif
104806+
104807+#ifdef CONFIG_PAX_SOFTMODE
104808+int pax_softmode;
104809+
104810+static int __init setup_pax_softmode(char *str)
104811+{
104812+ get_option(&str, &pax_softmode);
104813+ return 1;
104814+}
104815+__setup("pax_softmode=", setup_pax_softmode);
104816+#endif
104817+
104818 static const char *argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
104819 const char *envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
104820 static const char *panic_later, *panic_param;
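Review bot: `__setup("grsec_sysfs_restrict", ...)` is registered without the trailing `=` that `grsec_proc_gid=` and `pax_softmode=` use, so the handler presumably receives the text starting at the `=` sign. `simple_strtol("=1", NULL, 0)` stops at the `=` and yields 0, which would switch the restriction off for every spelling of the option, including `grsec_sysfs_restrict=1` and the bare word. I would register it as `__setup("grsec_sysfs_restrict=", setup_grsec_sysfs_restrict);`. `setup_grsec_proc_gid` has a related gap: with a NULL end pointer, unparsable input silently becomes gid 0, so parsing with `kstrtoint()` and keeping the compiled-in default on error would be safer.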
104821@@ -731,7 +764,7 @@ static bool __init_or_module initcall_blacklisted(initcall_t fn)
104822 struct blacklist_entry *entry;
104823 char *fn_name;
104824
104825- fn_name = kasprintf(GFP_KERNEL, "%pf", fn);
104826+ fn_name = kasprintf(GFP_KERNEL, "%pX", fn);
104827 if (!fn_name)
104828 return false;
104829
104830@@ -783,7 +816,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
104831 {
104832 int count = preempt_count();
104833 int ret;
104834- char msgbuf[64];
104835+ const char *msg1 = "", *msg2 = "";
104836
104837 if (initcall_blacklisted(fn))
104838 return -EPERM;
104839@@ -793,18 +826,17 @@ int __init_or_module do_one_initcall(initcall_t fn)
104840 else
104841 ret = fn();
104842
104843- msgbuf[0] = 0;
104844-
104845 if (preempt_count() != count) {
104846- sprintf(msgbuf, "preemption imbalance ");
104847+ msg1 = " preemption imbalance";
104848 preempt_count_set(count);
104849 }
104850 if (irqs_disabled()) {
104851- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
104852+ msg2 = " disabled interrupts";
104853 local_irq_enable();
104854 }
104855- WARN(msgbuf[0], "initcall %pF returned with %s\n", fn, msgbuf);
104856+ WARN(*msg1 || *msg2, "initcall %pF returned with%s%s\n", fn, msg1, msg2);
104857
104858+ add_latent_entropy();
104859 return ret;
104860 }
104861
104862@@ -910,8 +942,8 @@ static int run_init_process(const char *init_filename)
104863 {
104864 argv_init[0] = init_filename;
104865 return do_execve(getname_kernel(init_filename),
104866- (const char __user *const __user *)argv_init,
104867- (const char __user *const __user *)envp_init);
104868+ (const char __user *const __force_user *)argv_init,
104869+ (const char __user *const __force_user *)envp_init);
104870 }
104871
104872 static int try_to_run_init_process(const char *init_filename)
104873@@ -928,6 +960,10 @@ static int try_to_run_init_process(const char *init_filename)
104874 return ret;
104875 }
104876
104877+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
104878+extern int gr_init_ran;
104879+#endif
104880+
104881 static noinline void __init kernel_init_freeable(void);
104882
104883 static int __ref kernel_init(void *unused)
104884@@ -952,6 +988,11 @@ static int __ref kernel_init(void *unused)
104885 ramdisk_execute_command, ret);
104886 }
104887
104888+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
104889+ /* if no initrd was used, be extra sure we enforce chroot restrictions */
104890+ gr_init_ran = 1;
104891+#endif
104892+
104893 /*
104894 * We try each of these until one succeeds.
104895 *
104896@@ -1009,7 +1050,7 @@ static noinline void __init kernel_init_freeable(void)
104897 do_basic_setup();
104898
104899 /* Open the /dev/console on the rootfs, this should never fail */
104900- if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
104901+ if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
104902 pr_err("Warning: unable to open an initial console.\n");
104903
104904 (void) sys_dup(0);
104905@@ -1022,11 +1063,13 @@ static noinline void __init kernel_init_freeable(void)
104906 if (!ramdisk_execute_command)
104907 ramdisk_execute_command = "/init";
104908
104909- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
104910+ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
104911 ramdisk_execute_command = NULL;
104912 prepare_namespace();
104913 }
104914
104915+ grsecurity_init();
104916+
104917 /*
104918 * Ok, we have completed the initial bootup, and
104919 * we're essentially up and running. Get rid of the
104920diff --git a/ipc/compat.c b/ipc/compat.c
104921index 9b3c85f..5266b0f 100644
104922--- a/ipc/compat.c
104923+++ b/ipc/compat.c
104924@@ -396,7 +396,7 @@ COMPAT_SYSCALL_DEFINE6(ipc, u32, call, int, first, int, second,
104925 COMPAT_SHMLBA);
104926 if (err < 0)
104927 return err;
104928- return put_user(raddr, (compat_ulong_t *)compat_ptr(third));
104929+ return put_user(raddr, (compat_ulong_t __user *)compat_ptr(third));
104930 }
104931 case SHMDT:
104932 return sys_shmdt(compat_ptr(ptr));
104933@@ -747,7 +747,7 @@ COMPAT_SYSCALL_DEFINE3(shmctl, int, first, int, second, void __user *, uptr)
104934 }
104935
104936 COMPAT_SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsems,
104937- unsigned, nsops,
104938+ compat_long_t, nsops,
104939 const struct compat_timespec __user *, timeout)
104940 {
104941 struct timespec __user *ts64;
104942diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
104943index 8ad93c2..efd80f8 100644
104944--- a/ipc/ipc_sysctl.c
104945+++ b/ipc/ipc_sysctl.c
104946@@ -30,7 +30,7 @@ static void *get_ipc(struct ctl_table *table)
104947 static int proc_ipc_dointvec(struct ctl_table *table, int write,
104948 void __user *buffer, size_t *lenp, loff_t *ppos)
104949 {
104950- struct ctl_table ipc_table;
104951+ ctl_table_no_const ipc_table;
104952
104953 memcpy(&ipc_table, table, sizeof(ipc_table));
104954 ipc_table.data = get_ipc(table);
104955@@ -41,7 +41,7 @@ static int proc_ipc_dointvec(struct ctl_table *table, int write,
104956 static int proc_ipc_dointvec_minmax(struct ctl_table *table, int write,
104957 void __user *buffer, size_t *lenp, loff_t *ppos)
104958 {
104959- struct ctl_table ipc_table;
104960+ ctl_table_no_const ipc_table;
104961
104962 memcpy(&ipc_table, table, sizeof(ipc_table));
104963 ipc_table.data = get_ipc(table);
104964@@ -65,7 +65,7 @@ static int proc_ipc_dointvec_minmax_orphans(struct ctl_table *table, int write,
104965 static int proc_ipc_doulongvec_minmax(struct ctl_table *table, int write,
104966 void __user *buffer, size_t *lenp, loff_t *ppos)
104967 {
104968- struct ctl_table ipc_table;
104969+ ctl_table_no_const ipc_table;
104970 memcpy(&ipc_table, table, sizeof(ipc_table));
104971 ipc_table.data = get_ipc(table);
104972
104973@@ -76,7 +76,7 @@ static int proc_ipc_doulongvec_minmax(struct ctl_table *table, int write,
104974 static int proc_ipc_auto_msgmni(struct ctl_table *table, int write,
104975 void __user *buffer, size_t *lenp, loff_t *ppos)
104976 {
104977- struct ctl_table ipc_table;
104978+ ctl_table_no_const ipc_table;
104979 int dummy = 0;
104980
104981 memcpy(&ipc_table, table, sizeof(ipc_table));
104982diff --git a/ipc/mq_sysctl.c b/ipc/mq_sysctl.c
104983index 68d4e95..1477ded 100644
104984--- a/ipc/mq_sysctl.c
104985+++ b/ipc/mq_sysctl.c
104986@@ -25,7 +25,7 @@ static void *get_mq(struct ctl_table *table)
104987 static int proc_mq_dointvec(struct ctl_table *table, int write,
104988 void __user *buffer, size_t *lenp, loff_t *ppos)
104989 {
104990- struct ctl_table mq_table;
104991+ ctl_table_no_const mq_table;
104992 memcpy(&mq_table, table, sizeof(mq_table));
104993 mq_table.data = get_mq(table);
104994
104995@@ -35,7 +35,7 @@ static int proc_mq_dointvec(struct ctl_table *table, int write,
104996 static int proc_mq_dointvec_minmax(struct ctl_table *table, int write,
104997 void __user *buffer, size_t *lenp, loff_t *ppos)
104998 {
104999- struct ctl_table mq_table;
105000+ ctl_table_no_const mq_table;
105001 memcpy(&mq_table, table, sizeof(mq_table));
105002 mq_table.data = get_mq(table);
105003
105004diff --git a/ipc/mqueue.c b/ipc/mqueue.c
105005index 161a180..be31d93 100644
105006--- a/ipc/mqueue.c
105007+++ b/ipc/mqueue.c
105008@@ -274,6 +274,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
105009 mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
105010 info->attr.mq_msgsize);
105011
105012+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
105013 spin_lock(&mq_lock);
105014 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
105015 u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
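Review bot: `gr_learn_resource()` is passed `u->mq_bytes + mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap test `u->mq_bytes + mq_bytes < u->mq_bytes` on the following lines, so the figure it records can be stale or already wrapped. If the hook must not run under the spinlock (its definition is not in this hunk), a comment such as `/* unlocked read: value is advisory for learning only */` would stop a later reader from treating it as the enforced value. Otherwise, calling it after the lock is taken would give it the same sum the limit check uses. `mqueue_get_inode()` starts and ends outside the hunk.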
105016diff --git a/ipc/msg.c b/ipc/msg.c
105017index 66c4f56..1471db9 100644
105018--- a/ipc/msg.c
105019+++ b/ipc/msg.c
105020@@ -137,13 +137,6 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
105021 return retval;
105022 }
105023
105024- /* ipc_addid() locks msq upon success. */
105025- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
105026- if (id < 0) {
105027- ipc_rcu_putref(msq, msg_rcu_free);
105028- return id;
105029- }
105030-
105031 msq->q_stime = msq->q_rtime = 0;
105032 msq->q_ctime = get_seconds();
105033 msq->q_cbytes = msq->q_qnum = 0;
105034@@ -153,6 +146,13 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
105035 INIT_LIST_HEAD(&msq->q_receivers);
105036 INIT_LIST_HEAD(&msq->q_senders);
105037
105038+ /* ipc_addid() locks msq upon success. */
105039+ id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
105040+ if (id < 0) {
105041+ ipc_rcu_putref(msq, msg_rcu_free);
105042+ return id;
105043+ }
105044+
105045 ipc_unlock_object(&msq->q_perm);
105046 rcu_read_unlock();
105047
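Review bot: The reason `ipc_addid()` now runs after the queue fields are initialised is not recorded at the call site; the retained comment mentions only the locking. The `ipc/util.c` hunk shows `ipc_addid()` inserting the object with `idr_alloc()`, so the comment could say `/* ipc_addid() publishes msq in the idr and locks it on success; every field must be initialised before this call */`. The `newseg()` hunk in ipc/shm.c and the `ipc_addid()` hunk in ipc/util.c make the same ordering change and deserve the same remark. `newque()` begins and ends outside this hunk.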
105048diff --git a/ipc/sem.c b/ipc/sem.c
105049index b471e5a..89aef1d 100644
105050--- a/ipc/sem.c
105051+++ b/ipc/sem.c
105052@@ -1790,7 +1790,7 @@ static int get_queue_result(struct sem_queue *q)
105053 }
105054
105055 SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
105056- unsigned, nsops, const struct timespec __user *, timeout)
105057+ long, nsops, const struct timespec __user *, timeout)
105058 {
105059 int error = -EINVAL;
105060 struct sem_array *sma;
105061@@ -2025,7 +2025,7 @@ out_free:
105062 }
105063
105064 SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
105065- unsigned, nsops)
105066+ long, nsops)
105067 {
105068 return sys_semtimedop(semid, tsops, nsops, NULL);
105069 }
105070diff --git a/ipc/shm.c b/ipc/shm.c
105071index 4aef24d..c545631 100644
105072--- a/ipc/shm.c
105073+++ b/ipc/shm.c
105074@@ -72,6 +72,14 @@ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp);
105075 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
105076 #endif
105077
105078+#ifdef CONFIG_GRKERNSEC
105079+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
105080+ const u64 shm_createtime, const kuid_t cuid,
105081+ const int shmid);
105082+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
105083+ const u64 shm_createtime);
105084+#endif
105085+
105086 void shm_init_ns(struct ipc_namespace *ns)
105087 {
105088 ns->shm_ctlmax = SHMMAX;
105089@@ -551,20 +559,24 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
105090 if (IS_ERR(file))
105091 goto no_file;
105092
105093- id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
105094- if (id < 0) {
105095- error = id;
105096- goto no_id;
105097- }
105098-
105099 shp->shm_cprid = task_tgid_vnr(current);
105100 shp->shm_lprid = 0;
105101 shp->shm_atim = shp->shm_dtim = 0;
105102 shp->shm_ctim = get_seconds();
105103+#ifdef CONFIG_GRKERNSEC
105104+ shp->shm_createtime = ktime_get_ns();
105105+#endif
105106 shp->shm_segsz = size;
105107 shp->shm_nattch = 0;
105108 shp->shm_file = file;
105109 shp->shm_creator = current;
105110+
105111+ id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
105112+ if (id < 0) {
105113+ error = id;
105114+ goto no_id;
105115+ }
105116+
105117 list_add(&shp->shm_clist, &current->sysvshm.shm_clist);
105118
105119 /*
105120@@ -1097,6 +1109,12 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
105121 f_mode = FMODE_READ | FMODE_WRITE;
105122 }
105123 if (shmflg & SHM_EXEC) {
105124+
105125+#ifdef CONFIG_PAX_MPROTECT
105126+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
105127+ goto out;
105128+#endif
105129+
105130 prot |= PROT_EXEC;
105131 acc_mode |= S_IXUGO;
105132 }
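Review bot: The new `goto out` under `CONFIG_PAX_MPROTECT` does not assign `err`, so a refused `SHM_EXEC` attach returns whatever `err` happens to hold at that point in `do_shmat()`, which is set outside the hunk. Assigning it explicitly before the jump, for example `err = -EACCES;`, would make the denial distinguishable from an argument error and keep it stable if the code above changes. A one-line comment stating that executable attaches are refused when `MF_PAX_MPROTECT` is set on the task's mm would also document the intent.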
105133@@ -1121,6 +1139,15 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
105134 if (err)
105135 goto out_unlock;
105136
105137+#ifdef CONFIG_GRKERNSEC
105138+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
105139+ shp->shm_perm.cuid, shmid) ||
105140+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
105141+ err = -EACCES;
105142+ goto out_unlock;
105143+ }
105144+#endif
105145+
105146 ipc_lock_object(&shp->shm_perm);
105147
105148 /* check if shm_destroy() is tearing down shp */
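Review bot: `gr_handle_shmat()` and `gr_chroot_shmat()` are handed `shp->shm_cprid`, `shp->shm_lapid` and `shp->shm_createtime` before `ipc_lock_object(&shp->shm_perm)` and before the "is shm_destroy() tearing down shp" check that follows. The next hunk writes `shm_lapid` only with the object lock held, so the policy decision can be made on a `shm_lapid` that is changing concurrently, or on a segment already being destroyed. If the hooks are safe to call under the spinlock (not visible here), moving the block below the validity check would close that window. Otherwise, a comment saying that the unlocked read is intentional would help. `do_shmat()` extends beyond the hunk.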
105149@@ -1133,6 +1160,9 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
105150 path = shp->shm_file->f_path;
105151 path_get(&path);
105152 shp->shm_nattch++;
105153+#ifdef CONFIG_GRKERNSEC
105154+ shp->shm_lapid = current->pid;
105155+#endif
105156 size = i_size_read(d_inode(path.dentry));
105157 ipc_unlock_object(&shp->shm_perm);
105158 rcu_read_unlock();
105159diff --git a/ipc/util.c b/ipc/util.c
105160index be42300..049b0ff 100644
105161--- a/ipc/util.c
105162+++ b/ipc/util.c
105163@@ -71,6 +71,8 @@ struct ipc_proc_iface {
105164 int (*show)(struct seq_file *, void *);
105165 };
105166
105167+extern int gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode);
105168+
105169 /**
105170 * ipc_init - initialise ipc subsystem
105171 *
105172@@ -237,6 +239,10 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
105173 rcu_read_lock();
105174 spin_lock(&new->lock);
105175
105176+ current_euid_egid(&euid, &egid);
105177+ new->cuid = new->uid = euid;
105178+ new->gid = new->cgid = egid;
105179+
105180 id = idr_alloc(&ids->ipcs_idr, new,
105181 (next_id < 0) ? 0 : ipcid_to_idx(next_id), 0,
105182 GFP_NOWAIT);
105183@@ -249,10 +255,6 @@ int ipc_addid(struct ipc_ids *ids, struct kern_ipc_perm *new, int size)
105184
105185 ids->in_use++;
105186
105187- current_euid_egid(&euid, &egid);
105188- new->cuid = new->uid = euid;
105189- new->gid = new->cgid = egid;
105190-
105191 if (next_id < 0) {
105192 new->seq = ids->seq++;
105193 if (ids->seq > IPCID_SEQ_MAX)
105194@@ -494,6 +496,10 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
105195 granted_mode >>= 6;
105196 else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
105197 granted_mode >>= 3;
105198+
105199+ if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
105200+ return -1;
105201+
105202 /* is there some bit set in requested_mode but not in granted_mode? */
105203 if ((requested_mode & ~granted_mode & 0007) &&
105204 !ns_capable(ns->user_ns, CAP_IPC_OWNER))
105205diff --git a/kernel/audit.c b/kernel/audit.c
105206index f9e6065..3fcb6ab 100644
105207--- a/kernel/audit.c
105208+++ b/kernel/audit.c
105209@@ -124,7 +124,7 @@ u32 audit_sig_sid = 0;
105210 3) suppressed due to audit_rate_limit
105211 4) suppressed due to audit_backlog_limit
105212 */
105213-static atomic_t audit_lost = ATOMIC_INIT(0);
105214+static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
105215
105216 /* The netlink socket. */
105217 static struct sock *audit_sock;
105218@@ -258,7 +258,7 @@ void audit_log_lost(const char *message)
105219 unsigned long now;
105220 int print;
105221
105222- atomic_inc(&audit_lost);
105223+ atomic_inc_unchecked(&audit_lost);
105224
105225 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
105226
105227@@ -275,7 +275,7 @@ void audit_log_lost(const char *message)
105228 if (print) {
105229 if (printk_ratelimit())
105230 pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n",
105231- atomic_read(&audit_lost),
105232+ atomic_read_unchecked(&audit_lost),
105233 audit_rate_limit,
105234 audit_backlog_limit);
105235 audit_panic(message);
105236@@ -833,7 +833,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
105237 s.pid = audit_pid;
105238 s.rate_limit = audit_rate_limit;
105239 s.backlog_limit = audit_backlog_limit;
105240- s.lost = atomic_read(&audit_lost);
105241+ s.lost = atomic_read_unchecked(&audit_lost);
105242 s.backlog = skb_queue_len(&audit_skb_queue);
105243 s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
105244 s.backlog_wait_time = audit_backlog_wait_time_master;
105245diff --git a/kernel/auditsc.c b/kernel/auditsc.c
105246index e85bdfd..441a638 100644
105247--- a/kernel/auditsc.c
105248+++ b/kernel/auditsc.c
105249@@ -1021,7 +1021,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
105250 * for strings that are too long, we should not have created
105251 * any.
105252 */
105253- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
105254+ if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
105255 send_sig(SIGKILL, current, 0);
105256 return -1;
105257 }
105258@@ -1952,7 +1952,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
105259 }
105260
105261 /* global counter which is incremented every time something logs in */
105262-static atomic_t session_id = ATOMIC_INIT(0);
105263+static atomic_unchecked_t session_id = ATOMIC_INIT(0);
105264
105265 static int audit_set_loginuid_perm(kuid_t loginuid)
105266 {
105267@@ -2019,7 +2019,7 @@ int audit_set_loginuid(kuid_t loginuid)
105268
105269 /* are we setting or clearing? */
105270 if (uid_valid(loginuid))
105271- sessionid = (unsigned int)atomic_inc_return(&session_id);
105272+ sessionid = (unsigned int)atomic_inc_return_unchecked(&session_id);
105273
105274 task->sessionid = sessionid;
105275 task->loginuid = loginuid;
105276diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
105277index c5bedc8..6ec8715 100644
105278--- a/kernel/bpf/core.c
105279+++ b/kernel/bpf/core.c
105280@@ -145,14 +145,17 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
105281 * random section of illegal instructions.
105282 */
105283 size = round_up(proglen + sizeof(*hdr) + 128, PAGE_SIZE);
105284- hdr = module_alloc(size);
105285+ hdr = module_alloc_exec(size);
105286 if (hdr == NULL)
105287 return NULL;
105288
105289 /* Fill space with illegal/arch-dep instructions. */
105290 bpf_fill_ill_insns(hdr, size);
105291
105292+ pax_open_kernel();
105293 hdr->pages = size / PAGE_SIZE;
105294+ pax_close_kernel();
105295+
105296 hole = min_t(unsigned int, size - (proglen + sizeof(*hdr)),
105297 PAGE_SIZE - sizeof(*hdr));
105298 start = (prandom_u32() % hole) & ~(alignment - 1);
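Review bot: Only the `hdr->pages` store is bracketed by `pax_open_kernel()`/`pax_close_kernel()`, while `bpf_fill_ill_insns(hdr, size)` two lines earlier writes to the same `module_alloc_exec()` allocation without it. That callback is defined outside this hunk, so it may open the kernel itself; if it does, a comment here such as `/* hdr is in the exec region: direct stores need pax_open_kernel(); the fill callback handles its own */` would make the asymmetry intentional rather than apparent. If it does not, the fill needs the same bracket as the `pages` store. `bpf_jit_binary_alloc()` continues past the end of the hunk.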
105299@@ -165,7 +168,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
105300
105301 void bpf_jit_binary_free(struct bpf_binary_header *hdr)
105302 {
105303- module_memfree(hdr);
105304+ module_memfree_exec(hdr);
105305 }
105306 #endif /* CONFIG_BPF_JIT */
105307
105308diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
105309index a1b14d1..7dce5d9 100644
105310--- a/kernel/bpf/syscall.c
105311+++ b/kernel/bpf/syscall.c
105312@@ -592,11 +592,15 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
105313 int err;
105314
105315 /* the syscall is limited to root temporarily. This restriction will be
105316- * lifted when security audit is clean. Note that eBPF+tracing must have
105317- * this restriction, since it may pass kernel data to user space
105318+ * lifted by upstream when a half-assed security audit is clean. Note
105319+ * that eBPF+tracing must have this restriction, since it may pass
105320+ * kernel data to user space
105321 */
105322 if (!capable(CAP_SYS_ADMIN))
105323 return -EPERM;
105324+#ifdef CONFIG_GRKERNSEC
105325+ return -EPERM;
105326+#endif
105327
105328 if (!access_ok(VERIFY_READ, uattr, 1))
105329 return -EFAULT;
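Review bot: The unconditional `return -EPERM;` under `CONFIG_GRKERNSEC` sits after the `capable(CAP_SYS_ADMIN)` call, so a caller who is refused in any case still passes through the capability check, which (per the `ns_capable()` hunk in kernel/capability.c) sets `PF_SUPERPRIV` on success. Placing the `#ifdef CONFIG_GRKERNSEC` block ahead of the `capable()` test would make the denial free of side effects. A plain comment such as `/* bpf(2) is disabled entirely when grsecurity is enabled */` would state the policy more usefully than the reworded upstream comment. The remainder of the syscall body, which continues outside the hunk, becomes unreachable with the option set, so compiling it out may be cleaner than leaving dead code.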
105330diff --git a/kernel/capability.c b/kernel/capability.c
105331index 45432b5..988f1e4 100644
105332--- a/kernel/capability.c
105333+++ b/kernel/capability.c
105334@@ -193,6 +193,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
105335 * before modification is attempted and the application
105336 * fails.
105337 */
105338+ if (tocopy > ARRAY_SIZE(kdata))
105339+ return -EFAULT;
105340+
105341 if (copy_to_user(dataptr, kdata, tocopy
105342 * sizeof(struct __user_cap_data_struct))) {
105343 return -EFAULT;
105344@@ -298,10 +301,11 @@ bool has_ns_capability(struct task_struct *t,
105345 int ret;
105346
105347 rcu_read_lock();
105348- ret = security_capable(__task_cred(t), ns, cap);
105349+ ret = security_capable(__task_cred(t), ns, cap) == 0 &&
105350+ gr_task_is_capable(t, __task_cred(t), cap);
105351 rcu_read_unlock();
105352
105353- return (ret == 0);
105354+ return ret;
105355 }
105356
105357 /**
105358@@ -338,10 +342,10 @@ bool has_ns_capability_noaudit(struct task_struct *t,
105359 int ret;
105360
105361 rcu_read_lock();
105362- ret = security_capable_noaudit(__task_cred(t), ns, cap);
105363+ ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && gr_task_is_capable_nolog(t, cap);
105364 rcu_read_unlock();
105365
105366- return (ret == 0);
105367+ return ret;
105368 }
105369
105370 /**
105371@@ -379,7 +383,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
105372 BUG();
105373 }
105374
105375- if (security_capable(current_cred(), ns, cap) == 0) {
105376+ if (security_capable(current_cred(), ns, cap) == 0 && gr_is_capable(cap)) {
105377 current->flags |= PF_SUPERPRIV;
105378 return true;
105379 }
105380@@ -387,6 +391,20 @@ bool ns_capable(struct user_namespace *ns, int cap)
105381 }
105382 EXPORT_SYMBOL(ns_capable);
105383
105384+bool ns_capable_nolog(struct user_namespace *ns, int cap)
105385+{
105386+ if (unlikely(!cap_valid(cap))) {
105387+ pr_crit("capable_nolog() called with invalid cap=%u\n", cap);
105388+ BUG();
105389+ }
105390+
105391+ if (security_capable_noaudit(current_cred(), ns, cap) == 0 && gr_is_capable_nolog(cap)) {
105392+ current->flags |= PF_SUPERPRIV;
105393+ return true;
105394+ }
105395+ return false;
105396+}
105397+EXPORT_SYMBOL(ns_capable_nolog);
105398
105399 /**
105400 * capable - Determine if the current task has a superior capability in effect
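Review bot: `ns_capable_nolog()` is exported without the kernel-doc header its neighbours carry, and nothing at the definition says how it differs from `ns_capable()`. A header should state that it performs the same test through `security_capable_noaudit()` and `gr_is_capable_nolog()` and still sets `PF_SUPERPRIV` on success. That would help callers choose the right variant, and the same applies to `capable_nolog()` and `capable_wrt_inode_uidgid_nolog()` in the later hunks of this file. The `pr_crit` text names `capable_nolog()` rather than the function that fired; `"ns_capable_nolog() called with invalid cap=%u\n"` would make the log line traceable.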
105401@@ -403,6 +421,13 @@ bool capable(int cap)
105402 return ns_capable(&init_user_ns, cap);
105403 }
105404 EXPORT_SYMBOL(capable);
105405+
105406+bool capable_nolog(int cap)
105407+{
105408+ return ns_capable_nolog(&init_user_ns, cap);
105409+}
105410+EXPORT_SYMBOL(capable_nolog);
105411+
105412 #endif /* CONFIG_MULTIUSER */
105413
105414 /**
105415@@ -447,3 +472,12 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
105416 kgid_has_mapping(ns, inode->i_gid);
105417 }
105418 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
105419+
105420+bool capable_wrt_inode_uidgid_nolog(const struct inode *inode, int cap)
105421+{
105422+ struct user_namespace *ns = current_user_ns();
105423+
105424+ return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
105425+ kgid_has_mapping(ns, inode->i_gid);
105426+}
105427+EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog);
105428diff --git a/kernel/cgroup.c b/kernel/cgroup.c
105429index c6c4240..8af0064 100644
105430--- a/kernel/cgroup.c
105431+++ b/kernel/cgroup.c
105432@@ -5367,6 +5367,9 @@ static void cgroup_release_agent(struct work_struct *work)
105433 if (!pathbuf || !agentbuf)
105434 goto out;
105435
105436+ if (agentbuf[0] == '\0')
105437+ goto out;
105438+
105439 path = cgroup_path(cgrp, pathbuf, PATH_MAX);
105440 if (!path)
105441 goto out;
105442@@ -5552,7 +5555,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v)
105443 struct task_struct *task;
105444 int count = 0;
105445
105446- seq_printf(seq, "css_set %p\n", cset);
105447+ seq_printf(seq, "css_set %pK\n", cset);
105448
105449 list_for_each_entry(task, &cset->tasks, cg_list) {
105450 if (count++ > MAX_TASKS_SHOWN_PER_CSS)
105451diff --git a/kernel/compat.c b/kernel/compat.c
105452index 333d364..762ec00 100644
105453--- a/kernel/compat.c
105454+++ b/kernel/compat.c
105455@@ -13,6 +13,7 @@
105456
105457 #include <linux/linkage.h>
105458 #include <linux/compat.h>
105459+#include <linux/module.h>
105460 #include <linux/errno.h>
105461 #include <linux/time.h>
105462 #include <linux/signal.h>
105463@@ -220,7 +221,7 @@ static long compat_nanosleep_restart(struct restart_block *restart)
105464 mm_segment_t oldfs;
105465 long ret;
105466
105467- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
105468+ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
105469 oldfs = get_fs();
105470 set_fs(KERNEL_DS);
105471 ret = hrtimer_nanosleep_restart(restart);
105472@@ -252,7 +253,7 @@ COMPAT_SYSCALL_DEFINE2(nanosleep, struct compat_timespec __user *, rqtp,
105473 oldfs = get_fs();
105474 set_fs(KERNEL_DS);
105475 ret = hrtimer_nanosleep(&tu,
105476- rmtp ? (struct timespec __user *)&rmt : NULL,
105477+ rmtp ? (struct timespec __force_user *)&rmt : NULL,
105478 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
105479 set_fs(oldfs);
105480
105481@@ -378,7 +379,7 @@ COMPAT_SYSCALL_DEFINE1(sigpending, compat_old_sigset_t __user *, set)
105482 mm_segment_t old_fs = get_fs();
105483
105484 set_fs(KERNEL_DS);
105485- ret = sys_sigpending((old_sigset_t __user *) &s);
105486+ ret = sys_sigpending((old_sigset_t __force_user *) &s);
105487 set_fs(old_fs);
105488 if (ret == 0)
105489 ret = put_user(s, set);
105490@@ -468,7 +469,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
105491 mm_segment_t old_fs = get_fs();
105492
105493 set_fs(KERNEL_DS);
105494- ret = sys_old_getrlimit(resource, (struct rlimit __user *)&r);
105495+ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
105496 set_fs(old_fs);
105497
105498 if (!ret) {
105499@@ -550,8 +551,8 @@ COMPAT_SYSCALL_DEFINE4(wait4,
105500 set_fs (KERNEL_DS);
105501 ret = sys_wait4(pid,
105502 (stat_addr ?
105503- (unsigned int __user *) &status : NULL),
105504- options, (struct rusage __user *) &r);
105505+ (unsigned int __force_user *) &status : NULL),
105506+ options, (struct rusage __force_user *) &r);
105507 set_fs (old_fs);
105508
105509 if (ret > 0) {
105510@@ -577,8 +578,8 @@ COMPAT_SYSCALL_DEFINE5(waitid,
105511 memset(&info, 0, sizeof(info));
105512
105513 set_fs(KERNEL_DS);
105514- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
105515- uru ? (struct rusage __user *)&ru : NULL);
105516+ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
105517+ uru ? (struct rusage __force_user *)&ru : NULL);
105518 set_fs(old_fs);
105519
105520 if ((ret < 0) || (info.si_signo == 0))
105521@@ -712,8 +713,8 @@ COMPAT_SYSCALL_DEFINE4(timer_settime, timer_t, timer_id, int, flags,
105522 oldfs = get_fs();
105523 set_fs(KERNEL_DS);
105524 err = sys_timer_settime(timer_id, flags,
105525- (struct itimerspec __user *) &newts,
105526- (struct itimerspec __user *) &oldts);
105527+ (struct itimerspec __force_user *) &newts,
105528+ (struct itimerspec __force_user *) &oldts);
105529 set_fs(oldfs);
105530 if (!err && old && put_compat_itimerspec(old, &oldts))
105531 return -EFAULT;
105532@@ -730,7 +731,7 @@ COMPAT_SYSCALL_DEFINE2(timer_gettime, timer_t, timer_id,
105533 oldfs = get_fs();
105534 set_fs(KERNEL_DS);
105535 err = sys_timer_gettime(timer_id,
105536- (struct itimerspec __user *) &ts);
105537+ (struct itimerspec __force_user *) &ts);
105538 set_fs(oldfs);
105539 if (!err && put_compat_itimerspec(setting, &ts))
105540 return -EFAULT;
105541@@ -749,7 +750,7 @@ COMPAT_SYSCALL_DEFINE2(clock_settime, clockid_t, which_clock,
105542 oldfs = get_fs();
105543 set_fs(KERNEL_DS);
105544 err = sys_clock_settime(which_clock,
105545- (struct timespec __user *) &ts);
105546+ (struct timespec __force_user *) &ts);
105547 set_fs(oldfs);
105548 return err;
105549 }
105550@@ -764,7 +765,7 @@ COMPAT_SYSCALL_DEFINE2(clock_gettime, clockid_t, which_clock,
105551 oldfs = get_fs();
105552 set_fs(KERNEL_DS);
105553 err = sys_clock_gettime(which_clock,
105554- (struct timespec __user *) &ts);
105555+ (struct timespec __force_user *) &ts);
105556 set_fs(oldfs);
105557 if (!err && compat_put_timespec(&ts, tp))
105558 return -EFAULT;
105559@@ -784,7 +785,7 @@ COMPAT_SYSCALL_DEFINE2(clock_adjtime, clockid_t, which_clock,
105560
105561 oldfs = get_fs();
105562 set_fs(KERNEL_DS);
105563- ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
105564+ ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
105565 set_fs(oldfs);
105566
105567 err = compat_put_timex(utp, &txc);
105568@@ -804,7 +805,7 @@ COMPAT_SYSCALL_DEFINE2(clock_getres, clockid_t, which_clock,
105569 oldfs = get_fs();
105570 set_fs(KERNEL_DS);
105571 err = sys_clock_getres(which_clock,
105572- (struct timespec __user *) &ts);
105573+ (struct timespec __force_user *) &ts);
105574 set_fs(oldfs);
105575 if (!err && tp && compat_put_timespec(&ts, tp))
105576 return -EFAULT;
105577@@ -818,7 +819,7 @@ static long compat_clock_nanosleep_restart(struct restart_block *restart)
105578 struct timespec tu;
105579 struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
105580
105581- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
105582+ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
105583 oldfs = get_fs();
105584 set_fs(KERNEL_DS);
105585 err = clock_nanosleep_restart(restart);
105586@@ -850,8 +851,8 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags,
105587 oldfs = get_fs();
105588 set_fs(KERNEL_DS);
105589 err = sys_clock_nanosleep(which_clock, flags,
105590- (struct timespec __user *) &in,
105591- (struct timespec __user *) &out);
105592+ (struct timespec __force_user *) &in,
105593+ (struct timespec __force_user *) &out);
105594 set_fs(oldfs);
105595
105596 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
105597@@ -1147,7 +1148,7 @@ COMPAT_SYSCALL_DEFINE2(sched_rr_get_interval,
105598 mm_segment_t old_fs = get_fs();
105599
105600 set_fs(KERNEL_DS);
105601- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
105602+ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
105603 set_fs(old_fs);
105604 if (compat_put_timespec(&t, interval))
105605 return -EFAULT;
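Review bot: In `sched_rr_get_interval`, `compat_put_timespec(&t, interval)` runs whether or not `sys_sched_rr_get_interval()` succeeded, and this hunk only changes the cast. If the call fails before writing `t`, and `t` is not initialised where it is declared (above the hunk), stack contents are copied to user space. Copying out only on success closes that: `if (ret == 0 && compat_put_timespec(&t, interval))`.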
105606diff --git a/kernel/configs.c b/kernel/configs.c
105607index c18b1f1..b9a0132 100644
105608--- a/kernel/configs.c
105609+++ b/kernel/configs.c
105610@@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
105611 struct proc_dir_entry *entry;
105612
105613 /* create the current config file */
105614+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
105615+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
105616+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
105617+ &ikconfig_file_ops);
105618+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
105619+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
105620+ &ikconfig_file_ops);
105621+#endif
105622+#else
105623 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
105624 &ikconfig_file_ops);
105625+#endif
105626+
105627 if (!entry)
105628 return -ENOMEM;
105629
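Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set and none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP` set, the inner `#if`/`#elif` has no branch that assigns `entry`. In that case `if (!entry)` reads an uninitialised pointer and `config.gz` is never created. Kconfig dependencies may rule that combination out, but they are not visible here. An inner `#else` makes the block safe on its own, either with `#error` or with the most restrictive mode: `entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL, &ikconfig_file_ops);`.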
105630diff --git a/kernel/cred.c b/kernel/cred.c
105631index ec1c076..7da8a0e 100644
105632--- a/kernel/cred.c
105633+++ b/kernel/cred.c
105634@@ -167,6 +167,15 @@ void exit_creds(struct task_struct *tsk)
105635 validate_creds(cred);
105636 alter_cred_subscribers(cred, -1);
105637 put_cred(cred);
105638+
105639+#ifdef CONFIG_GRKERNSEC_SETXID
105640+ cred = (struct cred *) tsk->delayed_cred;
105641+ if (cred != NULL) {
105642+ tsk->delayed_cred = NULL;
105643+ validate_creds(cred);
105644+ put_cred(cred);
105645+ }
105646+#endif
105647 }
105648
105649 /**
105650@@ -414,7 +423,7 @@ static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
105651 * Always returns 0 thus allowing this function to be tail-called at the end
105652 * of, say, sys_setgid().
105653 */
105654-int commit_creds(struct cred *new)
105655+static int __commit_creds(struct cred *new)
105656 {
105657 struct task_struct *task = current;
105658 const struct cred *old = task->real_cred;
105659@@ -433,6 +442,8 @@ int commit_creds(struct cred *new)
105660
105661 get_cred(new); /* we will require a ref for the subj creds too */
105662
105663+ gr_set_role_label(task, new->uid, new->gid);
105664+
105665 /* dumpability changes */
105666 if (!uid_eq(old->euid, new->euid) ||
105667 !gid_eq(old->egid, new->egid) ||
105668@@ -482,6 +493,105 @@ int commit_creds(struct cred *new)
105669 put_cred(old);
105670 return 0;
105671 }
105672+#ifdef CONFIG_GRKERNSEC_SETXID
105673+extern int set_user(struct cred *new);
105674+
105675+void gr_delayed_cred_worker(void)
105676+{
105677+ const struct cred *new = current->delayed_cred;
105678+ struct cred *ncred;
105679+
105680+ current->delayed_cred = NULL;
105681+
105682+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) && new != NULL) {
105683+ // from doing get_cred on it when queueing this
105684+ put_cred(new);
105685+ return;
105686+ } else if (new == NULL)
105687+ return;
105688+
105689+ ncred = prepare_creds();
105690+ if (!ncred)
105691+ goto die;
105692+ // uids
105693+ ncred->uid = new->uid;
105694+ ncred->euid = new->euid;
105695+ ncred->suid = new->suid;
105696+ ncred->fsuid = new->fsuid;
105697+ // gids
105698+ ncred->gid = new->gid;
105699+ ncred->egid = new->egid;
105700+ ncred->sgid = new->sgid;
105701+ ncred->fsgid = new->fsgid;
105702+ // groups
105703+ set_groups(ncred, new->group_info);
105704+ // caps
105705+ ncred->securebits = new->securebits;
105706+ ncred->cap_inheritable = new->cap_inheritable;
105707+ ncred->cap_permitted = new->cap_permitted;
105708+ ncred->cap_effective = new->cap_effective;
105709+ ncred->cap_bset = new->cap_bset;
105710+
105711+ if (set_user(ncred)) {
105712+ abort_creds(ncred);
105713+ goto die;
105714+ }
105715+
105716+ // from doing get_cred on it when queueing this
105717+ put_cred(new);
105718+
105719+ __commit_creds(ncred);
105720+ return;
105721+die:
105722+ // from doing get_cred on it when queueing this
105723+ put_cred(new);
105724+ do_group_exit(SIGKILL);
105725+}
105726+#endif
105727+
105728+int commit_creds(struct cred *new)
105729+{
105730+#ifdef CONFIG_GRKERNSEC_SETXID
105731+ int ret;
105732+ int schedule_it = 0;
105733+ struct task_struct *t;
105734+ unsigned oldsecurebits = current_cred()->securebits;
105735+
105736+ /* we won't get called with tasklist_lock held for writing
105737+ and interrupts disabled as the cred struct in that case is
105738+ init_cred
105739+ */
105740+ if (grsec_enable_setxid && !current_is_single_threaded() &&
105741+ uid_eq(current_uid(), GLOBAL_ROOT_UID) &&
105742+ !uid_eq(new->uid, GLOBAL_ROOT_UID)) {
105743+ schedule_it = 1;
105744+ }
105745+ ret = __commit_creds(new);
105746+ if (schedule_it) {
105747+ rcu_read_lock();
105748+ read_lock(&tasklist_lock);
105749+ for (t = next_thread(current); t != current;
105750+ t = next_thread(t)) {
105751+ /* we'll check if the thread has uid 0 in
105752+ * the delayed worker routine
105753+ */
105754+ if (task_securebits(t) == oldsecurebits &&
105755+ t->delayed_cred == NULL) {
105756+ t->delayed_cred = get_cred(new);
105757+ set_tsk_thread_flag(t, TIF_GRSEC_SETXID);
105758+ set_tsk_need_resched(t);
105759+ }
105760+ }
105761+ read_unlock(&tasklist_lock);
105762+ rcu_read_unlock();
105763+ }
105764+
105765+ return ret;
105766+#else
105767+ return __commit_creds(new);
105768+#endif
105769+}
105770+
105771 EXPORT_SYMBOL(commit_creds);
105772
105773 /**
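Review bot: In the new `commit_creds()`, the `t->delayed_cred == NULL` test and the `t->delayed_cred = get_cred(new)` store are separate steps under `read_lock(&tasklist_lock)`, which does not exclude a sibling thread running the same loop. Two threads dropping root at the same time could both pass the test for the same `t`; the second store would then overwrite the first pointer and leave its reference unreleased. `gr_delayed_cred_worker()` also reads and clears `current->delayed_cred` without a lock. Unless something outside this hunk serialises these paths, I would publish the pointer with `cmpxchg()` (take the reference first, `put_cred()` it if the slot was already taken) and fetch it in the worker with `xchg()`.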
105774diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
105775index 0874e2e..5b32cc9 100644
105776--- a/kernel/debug/debug_core.c
105777+++ b/kernel/debug/debug_core.c
105778@@ -127,7 +127,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_lock);
105779 */
105780 static atomic_t masters_in_kgdb;
105781 static atomic_t slaves_in_kgdb;
105782-static atomic_t kgdb_break_tasklet_var;
105783+static atomic_unchecked_t kgdb_break_tasklet_var;
105784 atomic_t kgdb_setting_breakpoint;
105785
105786 struct task_struct *kgdb_usethread;
105787@@ -137,7 +137,7 @@ int kgdb_single_step;
105788 static pid_t kgdb_sstep_pid;
105789
105790 /* to keep track of the CPU which is doing the single stepping*/
105791-atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
105792+atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
105793
105794 /*
105795 * If you are debugging a problem where roundup (the collection of
105796@@ -552,7 +552,7 @@ return_normal:
105797 * kernel will only try for the value of sstep_tries before
105798 * giving up and continuing on.
105799 */
105800- if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
105801+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
105802 (kgdb_info[cpu].task &&
105803 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
105804 atomic_set(&kgdb_active, -1);
105805@@ -654,8 +654,8 @@ cpu_master_loop:
105806 }
105807
105808 kgdb_restore:
105809- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
105810- int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
105811+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
105812+ int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
105813 if (kgdb_info[sstep_cpu].task)
105814 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
105815 else
105816@@ -949,18 +949,18 @@ static void kgdb_unregister_callbacks(void)
105817 static void kgdb_tasklet_bpt(unsigned long ing)
105818 {
105819 kgdb_breakpoint();
105820- atomic_set(&kgdb_break_tasklet_var, 0);
105821+ atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
105822 }
105823
105824 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
105825
105826 void kgdb_schedule_breakpoint(void)
105827 {
105828- if (atomic_read(&kgdb_break_tasklet_var) ||
105829+ if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
105830 atomic_read(&kgdb_active) != -1 ||
105831 atomic_read(&kgdb_setting_breakpoint))
105832 return;
105833- atomic_inc(&kgdb_break_tasklet_var);
105834+ atomic_inc_unchecked(&kgdb_break_tasklet_var);
105835 tasklet_schedule(&kgdb_tasklet_breakpoint);
105836 }
105837 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
105838diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
105839index 41213454..861e178 100644
105840--- a/kernel/debug/kdb/kdb_main.c
105841+++ b/kernel/debug/kdb/kdb_main.c
105842@@ -2021,7 +2021,7 @@ static int kdb_lsmod(int argc, const char **argv)
105843 continue;
105844
105845 kdb_printf("%-20s%8u 0x%p ", mod->name,
105846- mod->core_size, (void *)mod);
105847+ mod->core_size_rx + mod->core_size_rw, (void *)mod);
105848 #ifdef CONFIG_MODULE_UNLOAD
105849 kdb_printf("%4d ", module_refcount(mod));
105850 #endif
105851@@ -2031,7 +2031,7 @@ static int kdb_lsmod(int argc, const char **argv)
105852 kdb_printf(" (Loading)");
105853 else
105854 kdb_printf(" (Live)");
105855- kdb_printf(" 0x%p", mod->module_core);
105856+ kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
105857
105858 #ifdef CONFIG_MODULE_UNLOAD
105859 {
105860diff --git a/kernel/events/core.c b/kernel/events/core.c
105861index e6feb51..470c853 100644
105862--- a/kernel/events/core.c
105863+++ b/kernel/events/core.c
105864@@ -174,8 +174,15 @@ static struct srcu_struct pmus_srcu;
105865 * 0 - disallow raw tracepoint access for unpriv
105866 * 1 - disallow cpu events for unpriv
105867 * 2 - disallow kernel profiling for unpriv
105868+ * 3 - disallow all unpriv perf event use
105869 */
105870-int sysctl_perf_event_paranoid __read_mostly = 1;
105871+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
105872+int sysctl_perf_event_legitimately_concerned __read_only = 3;
105873+#elif defined(CONFIG_GRKERNSEC_HIDESYM)
105874+int sysctl_perf_event_legitimately_concerned __read_only = 2;
105875+#else
105876+int sysctl_perf_event_legitimately_concerned __read_only = 1;
105877+#endif
105878
105879 /* Minimum for 512 kiB + 1 user control page */
105880 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
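Review bot: The comment now documents level 3 as "disallow all unpriv perf event use" unconditionally, but the check that enforces it in the `perf_event_open` hunk further down is compiled only under `CONFIG_GRKERNSEC_PERF_HARDEN`. On a build without that option the value 3 could still be set, if the sysctl range allows it, and nothing in these hunks would act on it beyond level 2. I would qualify the comment line, `*   3 - disallow all unpriv perf event use (CONFIG_GRKERNSEC_PERF_HARDEN only)`, or drop the `#ifdef` around the check. `perf_paranoid_any()` and the sysctl table are defined elsewhere, so this should be confirmed against them.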
105881@@ -201,7 +208,7 @@ void update_perf_cpu_limits(void)
105882
105883 tmp *= sysctl_perf_cpu_time_max_percent;
105884 do_div(tmp, 100);
105885- ACCESS_ONCE(perf_sample_allowed_ns) = tmp;
105886+ ACCESS_ONCE_RW(perf_sample_allowed_ns) = tmp;
105887 }
105888
105889 static int perf_rotate_context(struct perf_cpu_context *cpuctx);
105890@@ -307,7 +314,7 @@ void perf_sample_event_took(u64 sample_len_ns)
105891 }
105892 }
105893
105894-static atomic64_t perf_event_id;
105895+static atomic64_unchecked_t perf_event_id;
105896
105897 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
105898 enum event_type_t event_type);
105899@@ -3753,9 +3760,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
105900 mutex_lock(&event->child_mutex);
105901 total += perf_event_read(event);
105902 *enabled += event->total_time_enabled +
105903- atomic64_read(&event->child_total_time_enabled);
105904+ atomic64_read_unchecked(&event->child_total_time_enabled);
105905 *running += event->total_time_running +
105906- atomic64_read(&event->child_total_time_running);
105907+ atomic64_read_unchecked(&event->child_total_time_running);
105908
105909 list_for_each_entry(child, &event->child_list, child_list) {
105910 total += perf_event_read(child);
105911@@ -4285,10 +4292,10 @@ void perf_event_update_userpage(struct perf_event *event)
105912 userpg->offset -= local64_read(&event->hw.prev_count);
105913
105914 userpg->time_enabled = enabled +
105915- atomic64_read(&event->child_total_time_enabled);
105916+ atomic64_read_unchecked(&event->child_total_time_enabled);
105917
105918 userpg->time_running = running +
105919- atomic64_read(&event->child_total_time_running);
105920+ atomic64_read_unchecked(&event->child_total_time_running);
105921
105922 arch_perf_update_userpage(event, userpg, now);
105923
105924@@ -4963,7 +4970,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
105925
105926 /* Data. */
105927 sp = perf_user_stack_pointer(regs);
105928- rem = __output_copy_user(handle, (void *) sp, dump_size);
105929+ rem = __output_copy_user(handle, (void __user *) sp, dump_size);
105930 dyn_size = dump_size - rem;
105931
105932 perf_output_skip(handle, rem);
105933@@ -5054,11 +5061,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
105934 values[n++] = perf_event_count(event);
105935 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
105936 values[n++] = enabled +
105937- atomic64_read(&event->child_total_time_enabled);
105938+ atomic64_read_unchecked(&event->child_total_time_enabled);
105939 }
105940 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
105941 values[n++] = running +
105942- atomic64_read(&event->child_total_time_running);
105943+ atomic64_read_unchecked(&event->child_total_time_running);
105944 }
105945 if (read_format & PERF_FORMAT_ID)
105946 values[n++] = primary_event_id(event);
105947@@ -7588,7 +7595,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
105948 event->parent = parent_event;
105949
105950 event->ns = get_pid_ns(task_active_pid_ns(current));
105951- event->id = atomic64_inc_return(&perf_event_id);
105952+ event->id = atomic64_inc_return_unchecked(&perf_event_id);
105953
105954 event->state = PERF_EVENT_STATE_INACTIVE;
105955
105956@@ -7947,6 +7954,11 @@ SYSCALL_DEFINE5(perf_event_open,
105957 if (flags & ~PERF_FLAG_ALL)
105958 return -EINVAL;
105959
105960+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
105961+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
105962+ return -EACCES;
105963+#endif
105964+
105965 err = perf_copy_attr(attr_uptr, &attr);
105966 if (err)
105967 return err;
105968@@ -8395,10 +8407,10 @@ static void sync_child_event(struct perf_event *child_event,
105969 /*
105970 * Add back the child's count to the parent's count:
105971 */
105972- atomic64_add(child_val, &parent_event->child_count);
105973- atomic64_add(child_event->total_time_enabled,
105974+ atomic64_add_unchecked(child_val, &parent_event->child_count);
105975+ atomic64_add_unchecked(child_event->total_time_enabled,
105976 &parent_event->child_total_time_enabled);
105977- atomic64_add(child_event->total_time_running,
105978+ atomic64_add_unchecked(child_event->total_time_running,
105979 &parent_event->child_total_time_running);
105980
105981 /*
105982diff --git a/kernel/events/internal.h b/kernel/events/internal.h
105983index 2bbad9c..056f20c 100644
105984--- a/kernel/events/internal.h
105985+++ b/kernel/events/internal.h
105986@@ -115,10 +115,10 @@ static inline unsigned long perf_aux_size(struct ring_buffer *rb)
105987 return rb->aux_nr_pages << PAGE_SHIFT;
105988 }
105989
105990-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
105991+#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
105992 static inline unsigned long \
105993 func_name(struct perf_output_handle *handle, \
105994- const void *buf, unsigned long len) \
105995+ const void user *buf, unsigned long len) \
105996 { \
105997 unsigned long size, written; \
105998 \
105999@@ -151,7 +151,7 @@ memcpy_common(void *dst, const void *src, unsigned long n)
106000 return 0;
106001 }
106002
106003-DEFINE_OUTPUT_COPY(__output_copy, memcpy_common)
106004+DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )
106005
106006 static inline unsigned long
106007 memcpy_skip(void *dst, const void *src, unsigned long n)
106008@@ -159,7 +159,7 @@ memcpy_skip(void *dst, const void *src, unsigned long n)
106009 return 0;
106010 }
106011
106012-DEFINE_OUTPUT_COPY(__output_skip, memcpy_skip)
106013+DEFINE_OUTPUT_COPY(__output_skip, memcpy_skip, )
106014
106015 #ifndef arch_perf_out_copy_user
106016 #define arch_perf_out_copy_user arch_perf_out_copy_user
106017@@ -177,7 +177,7 @@ arch_perf_out_copy_user(void *dst, const void *src, unsigned long n)
106018 }
106019 #endif
106020
106021-DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user)
106022+DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user, __user)
106023
106024 /* Callchain handling */
106025 extern struct perf_callchain_entry *
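Review bot: `__output_copy_user` now takes `const void __user *buf`, but the generic `arch_perf_out_copy_user()` named in this hunk's header still declares `const void *src`. If the macro body, which is outside these hunks, passes `buf` straight to `memcpy_func`, sparse will report the address-space mismatch inside the macro instead of at the caller. Annotating the fallback as `arch_perf_out_copy_user(void *dst, const void __user *src, unsigned long n)` would keep the annotation consistent end to end.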
106026diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
106027index cb346f2..e4dc317 100644
106028--- a/kernel/events/uprobes.c
106029+++ b/kernel/events/uprobes.c
106030@@ -1670,7 +1670,7 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
106031 {
106032 struct page *page;
106033 uprobe_opcode_t opcode;
106034- int result;
106035+ long result;
106036
106037 pagefault_disable();
106038 result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr,
106039diff --git a/kernel/exit.c b/kernel/exit.c
106040index 031325e..c6342c4 100644
106041--- a/kernel/exit.c
106042+++ b/kernel/exit.c
106043@@ -171,6 +171,10 @@ void release_task(struct task_struct *p)
106044 struct task_struct *leader;
106045 int zap_leader;
106046 repeat:
106047+#ifdef CONFIG_NET
106048+ gr_del_task_from_ip_table(p);
106049+#endif
106050+
106051 /* don't need to get the RCU readlock here - the process is dead and
106052 * can't be modifying its own credentials. But shut RCU-lockdep up */
106053 rcu_read_lock();
106054@@ -656,6 +660,8 @@ void do_exit(long code)
106055 int group_dead;
106056 TASKS_RCU(int tasks_rcu_i);
106057
106058+ set_fs(USER_DS);
106059+
106060 profile_task_exit(tsk);
106061
106062 WARN_ON(blk_needs_flush_plug(tsk));
106063@@ -672,7 +678,6 @@ void do_exit(long code)
106064 * mm_release()->clear_child_tid() from writing to a user-controlled
106065 * kernel address.
106066 */
106067- set_fs(USER_DS);
106068
106069 ptrace_event(PTRACE_EVENT_EXIT, code);
106070
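Review bot: The `set_fs(USER_DS)` call moved to the top of `do_exit()` in the previous hunk, but the comment that explains it stays here and now sits directly above `ptrace_event()`. The visible tail of that comment ("mm_release()->clear_child_tid() from writing to a user-controlled kernel address") is the reason the call exists, so it should move with the call. At the new call site I would also say why it comes first, e.g. `/* reset the address limit before any exit-time code touches user pointers */`, if that is the intent.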
106071@@ -730,6 +735,9 @@ void do_exit(long code)
106072 tsk->exit_code = code;
106073 taskstats_exit(tsk, group_dead);
106074
106075+ gr_acl_handle_psacct(tsk, code);
106076+ gr_acl_handle_exit();
106077+
106078 exit_mm(tsk);
106079
106080 if (group_dead)
106081@@ -847,7 +855,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
106082 * Take down every thread in the group. This is called by fatal signals
106083 * as well as by sys_exit_group (below).
106084 */
106085-void
106086+__noreturn void
106087 do_group_exit(int exit_code)
106088 {
106089 struct signal_struct *sig = current->signal;
106090diff --git a/kernel/fork.c b/kernel/fork.c
106091index 26a70dc..74efe33 100644
106092--- a/kernel/fork.c
106093+++ b/kernel/fork.c
106094@@ -188,12 +188,54 @@ static void free_thread_info(struct thread_info *ti)
106095 void thread_info_cache_init(void)
106096 {
106097 thread_info_cache = kmem_cache_create("thread_info", THREAD_SIZE,
106098- THREAD_SIZE, 0, NULL);
106099+ THREAD_SIZE, SLAB_USERCOPY, NULL);
106100 BUG_ON(thread_info_cache == NULL);
106101 }
106102 # endif
106103 #endif
106104
106105+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
106106+static inline struct thread_info *gr_alloc_thread_info_node(struct task_struct *tsk,
106107+ int node, void **lowmem_stack)
106108+{
106109+ struct page *pages[THREAD_SIZE / PAGE_SIZE];
106110+ void *ret = NULL;
106111+ unsigned int i;
106112+
106113+ *lowmem_stack = alloc_thread_info_node(tsk, node);
106114+ if (*lowmem_stack == NULL)
106115+ goto out;
106116+
106117+ for (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++)
106118+ pages[i] = virt_to_page(*lowmem_stack + (i * PAGE_SIZE));
106119+
106120+ /* use VM_IOREMAP to gain THREAD_SIZE alignment */
106121+ ret = vmap(pages, THREAD_SIZE / PAGE_SIZE, VM_IOREMAP, PAGE_KERNEL);
106122+ if (ret == NULL) {
106123+ free_thread_info(*lowmem_stack);
106124+ *lowmem_stack = NULL;
106125+ }
106126+
106127+out:
106128+ return ret;
106129+}
106130+
106131+static inline void gr_free_thread_info(struct task_struct *tsk, struct thread_info *ti)
106132+{
106133+ unmap_process_stacks(tsk);
106134+}
106135+#else
106136+static inline struct thread_info *gr_alloc_thread_info_node(struct task_struct *tsk,
106137+ int node, void **lowmem_stack)
106138+{
106139+ return alloc_thread_info_node(tsk, node);
106140+}
106141+static inline void gr_free_thread_info(struct task_struct *tsk, struct thread_info *ti)
106142+{
106143+ free_thread_info(ti);
106144+}
106145+#endif
106146+
106147 /* SLAB cache for signal_struct structures (tsk->signal) */
106148 static struct kmem_cache *signal_cachep;
106149
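Review bot: `gr_alloc_thread_info_node()` assumes the address returned by `vmap()` is `THREAD_SIZE`-aligned; the comment says `VM_IOREMAP` is passed for that purpose, but nothing checks the result. The alignment comes from how the allocator treats that flag rather than from an explicit argument, so I would verify it and take the existing failure path when it does not hold. Placed before the `ret == NULL` test, that is `if (ret && ((unsigned long)ret & (THREAD_SIZE - 1))) { vunmap(ret); ret = NULL; }`. A silent misalignment would otherwise surface later as a hard-to-trace stack fault.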
106150@@ -212,18 +254,22 @@ struct kmem_cache *vm_area_cachep;
106151 /* SLAB cache for mm_struct structures (tsk->mm) */
106152 static struct kmem_cache *mm_cachep;
106153
106154-static void account_kernel_stack(struct thread_info *ti, int account)
106155+static void account_kernel_stack(struct task_struct *tsk, struct thread_info *ti, int account)
106156 {
106157+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
106158+ struct zone *zone = page_zone(virt_to_page(tsk->lowmem_stack));
106159+#else
106160 struct zone *zone = page_zone(virt_to_page(ti));
106161+#endif
106162
106163 mod_zone_page_state(zone, NR_KERNEL_STACK, account);
106164 }
106165
106166 void free_task(struct task_struct *tsk)
106167 {
106168- account_kernel_stack(tsk->stack, -1);
106169+ account_kernel_stack(tsk, tsk->stack, -1);
106170 arch_release_thread_info(tsk->stack);
106171- free_thread_info(tsk->stack);
106172+ gr_free_thread_info(tsk, tsk->stack);
106173 rt_mutex_debug_task_free(tsk);
106174 ftrace_graph_exit_task(tsk);
106175 put_seccomp_filter(tsk);
106176@@ -289,7 +335,7 @@ static void set_max_threads(unsigned int max_threads_suggested)
106177
106178 #ifdef CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT
106179 /* Initialized by the architecture: */
106180-int arch_task_struct_size __read_mostly;
106181+size_t arch_task_struct_size __read_mostly;
106182 #endif
106183
106184 void __init fork_init(void)
106185@@ -334,6 +380,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106186 {
106187 struct task_struct *tsk;
106188 struct thread_info *ti;
106189+ void *lowmem_stack;
106190 int node = tsk_fork_get_node(orig);
106191 int err;
106192
106193@@ -341,7 +388,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106194 if (!tsk)
106195 return NULL;
106196
106197- ti = alloc_thread_info_node(tsk, node);
106198+ ti = gr_alloc_thread_info_node(tsk, node, &lowmem_stack);
106199 if (!ti)
106200 goto free_tsk;
106201
106202@@ -350,6 +397,9 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106203 goto free_ti;
106204
106205 tsk->stack = ti;
106206+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
106207+ tsk->lowmem_stack = lowmem_stack;
106208+#endif
106209 #ifdef CONFIG_SECCOMP
106210 /*
106211 * We must handle setting up seccomp filters once we're under
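Review bot: The `goto free_ti` at the top of this hunk is taken before `tsk->stack` and `tsk->lowmem_stack` are assigned, and `free_ti` (changed in a later hunk) now calls `gr_free_thread_info(tsk, ti)`. Under `CONFIG_GRKERNSEC_KSTACKOVERFLOW` that helper ignores `ti` and calls `unmap_process_stacks(tsk)`, so on this error path it works from whatever `tsk` holds at that point rather than from the stack just allocated. `unmap_process_stacks()` is not visible here; if it reads `tsk->stack` or `tsk->lowmem_stack`, the new mapping and its pages are leaked, or the wrong stack is released. Releasing from the locals `ti` and `lowmem_stack` on the `free_ti` path would avoid depending on the state of `tsk`. The condition that leads to the `goto` is above the hunk.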
106212@@ -366,7 +416,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106213 set_task_stack_end_magic(tsk);
106214
106215 #ifdef CONFIG_CC_STACKPROTECTOR
106216- tsk->stack_canary = get_random_int();
106217+ tsk->stack_canary = pax_get_random_long();
106218 #endif
106219
106220 /*
106221@@ -380,24 +430,89 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106222 tsk->splice_pipe = NULL;
106223 tsk->task_frag.page = NULL;
106224
106225- account_kernel_stack(ti, 1);
106226+ account_kernel_stack(tsk, ti, 1);
106227
106228 return tsk;
106229
106230 free_ti:
106231- free_thread_info(ti);
106232+ gr_free_thread_info(tsk, ti);
106233 free_tsk:
106234 free_task_struct(tsk);
106235 return NULL;
106236 }
106237
106238 #ifdef CONFIG_MMU
106239-static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
106240+static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct mm_struct *oldmm, struct vm_area_struct *mpnt)
106241+{
106242+ struct vm_area_struct *tmp;
106243+ unsigned long charge;
106244+ struct file *file;
106245+ int retval;
106246+
106247+ charge = 0;
106248+ if (mpnt->vm_flags & VM_ACCOUNT) {
106249+ unsigned long len = vma_pages(mpnt);
106250+
106251+ if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
106252+ goto fail_nomem;
106253+ charge = len;
106254+ }
106255+ tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
106256+ if (!tmp)
106257+ goto fail_nomem;
106258+ *tmp = *mpnt;
106259+ tmp->vm_mm = mm;
106260+ INIT_LIST_HEAD(&tmp->anon_vma_chain);
106261+ retval = vma_dup_policy(mpnt, tmp);
106262+ if (retval)
106263+ goto fail_nomem_policy;
106264+ if (anon_vma_fork(tmp, mpnt))
106265+ goto fail_nomem_anon_vma_fork;
106266+ tmp->vm_flags &= ~VM_LOCKED;
106267+ tmp->vm_next = tmp->vm_prev = NULL;
106268+ tmp->vm_mirror = NULL;
106269+ file = tmp->vm_file;
106270+ if (file) {
106271+ struct inode *inode = file_inode(file);
106272+ struct address_space *mapping = file->f_mapping;
106273+
106274+ get_file(file);
106275+ if (tmp->vm_flags & VM_DENYWRITE)
106276+ atomic_dec(&inode->i_writecount);
106277+ i_mmap_lock_write(mapping);
106278+ if (tmp->vm_flags & VM_SHARED)
106279+ atomic_inc(&mapping->i_mmap_writable);
106280+ flush_dcache_mmap_lock(mapping);
106281+ /* insert tmp into the share list, just after mpnt */
106282+ vma_interval_tree_insert_after(tmp, mpnt, &mapping->i_mmap);
106283+ flush_dcache_mmap_unlock(mapping);
106284+ i_mmap_unlock_write(mapping);
106285+ }
106286+
106287+ /*
106288+ * Clear hugetlb-related page reserves for children. This only
106289+ * affects MAP_PRIVATE mappings. Faults generated by the child
106290+ * are not guaranteed to succeed, even if read-only
106291+ */
106292+ if (is_vm_hugetlb_page(tmp))
106293+ reset_vma_resv_huge_pages(tmp);
106294+
106295+ return tmp;
106296+
106297+fail_nomem_anon_vma_fork:
106298+ mpol_put(vma_policy(tmp));
106299+fail_nomem_policy:
106300+ kmem_cache_free(vm_area_cachep, tmp);
106301+fail_nomem:
106302+ vm_unacct_memory(charge);
106303+ return NULL;
106304+}
106305+
106306+static __latent_entropy int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
106307 {
106308 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
106309 struct rb_node **rb_link, *rb_parent;
106310 int retval;
106311- unsigned long charge;
106312
106313 uprobe_start_dup_mmap();
106314 down_write(&oldmm->mmap_sem);
106315@@ -428,51 +543,15 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
106316
106317 prev = NULL;
106318 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
106319- struct file *file;
106320-
106321 if (mpnt->vm_flags & VM_DONTCOPY) {
106322 vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file,
106323 -vma_pages(mpnt));
106324 continue;
106325 }
106326- charge = 0;
106327- if (mpnt->vm_flags & VM_ACCOUNT) {
106328- unsigned long len = vma_pages(mpnt);
106329-
106330- if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
106331- goto fail_nomem;
106332- charge = len;
106333- }
106334- tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
106335- if (!tmp)
106336- goto fail_nomem;
106337- *tmp = *mpnt;
106338- INIT_LIST_HEAD(&tmp->anon_vma_chain);
106339- retval = vma_dup_policy(mpnt, tmp);
106340- if (retval)
106341- goto fail_nomem_policy;
106342- tmp->vm_mm = mm;
106343- if (anon_vma_fork(tmp, mpnt))
106344- goto fail_nomem_anon_vma_fork;
106345- tmp->vm_flags &= ~VM_LOCKED;
106346- tmp->vm_next = tmp->vm_prev = NULL;
106347- file = tmp->vm_file;
106348- if (file) {
106349- struct inode *inode = file_inode(file);
106350- struct address_space *mapping = file->f_mapping;
106351-
106352- get_file(file);
106353- if (tmp->vm_flags & VM_DENYWRITE)
106354- atomic_dec(&inode->i_writecount);
106355- i_mmap_lock_write(mapping);
106356- if (tmp->vm_flags & VM_SHARED)
106357- atomic_inc(&mapping->i_mmap_writable);
106358- flush_dcache_mmap_lock(mapping);
106359- /* insert tmp into the share list, just after mpnt */
106360- vma_interval_tree_insert_after(tmp, mpnt,
106361- &mapping->i_mmap);
106362- flush_dcache_mmap_unlock(mapping);
106363- i_mmap_unlock_write(mapping);
106364+ tmp = dup_vma(mm, oldmm, mpnt);
106365+ if (!tmp) {
106366+ retval = -ENOMEM;
106367+ goto out;
106368 }
106369
106370 /*
106371@@ -504,6 +583,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
106372 if (retval)
106373 goto out;
106374 }
106375+
106376+#ifdef CONFIG_PAX_SEGMEXEC
106377+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
106378+ struct vm_area_struct *mpnt_m;
106379+
106380+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
106381+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
106382+
106383+ if (!mpnt->vm_mirror)
106384+ continue;
106385+
106386+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
106387+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
106388+ mpnt->vm_mirror = mpnt_m;
106389+ } else {
106390+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
106391+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
106392+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
106393+ mpnt->vm_mirror->vm_mirror = mpnt;
106394+ }
106395+ }
106396+ BUG_ON(mpnt_m);
106397+ }
106398+#endif
106399+
106400 /* a new mm has just been created */
106401 arch_dup_mmap(oldmm, mm);
106402 retval = 0;
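Review bot: The mirror fix-up loop walks oldmm->mmap and mm->mmap in lockstep and asserts with BUG_ON that both lists end together, but the copy loop earlier in dup_mmap() skips every vma that has VM_DONTCOPY set, so the two lists need not have the same length. Whether a SEGMEXEC task can hold such a mapping cannot be determined from this hunk; if it can, the walk pairs unrelated vmas or trips `BUG_ON(!mpnt_m ...)` / `BUG_ON(mpnt_m)`. The old-side iterator should step over VM_DONTCOPY entries without advancing mpnt_m, which means moving the `mpnt_m = mpnt_m->vm_next` step out of the for-increment, or a comment should state why the case cannot occur. A short comment is also needed on the first branch, which temporarily points the old vma's vm_mirror at the new copy and relies on the else branch to restore it.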
106403@@ -513,14 +617,6 @@ out:
106404 up_write(&oldmm->mmap_sem);
106405 uprobe_end_dup_mmap();
106406 return retval;
106407-fail_nomem_anon_vma_fork:
106408- mpol_put(vma_policy(tmp));
106409-fail_nomem_policy:
106410- kmem_cache_free(vm_area_cachep, tmp);
106411-fail_nomem:
106412- retval = -ENOMEM;
106413- vm_unacct_memory(charge);
106414- goto out;
106415 }
106416
106417 static inline int mm_alloc_pgd(struct mm_struct *mm)
106418@@ -795,8 +891,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
106419 return ERR_PTR(err);
106420
106421 mm = get_task_mm(task);
106422- if (mm && mm != current->mm &&
106423- !ptrace_may_access(task, mode)) {
106424+ if (mm && ((mm != current->mm && !ptrace_may_access(task, mode)) ||
106425+ (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) {
106426 mmput(mm);
106427 mm = ERR_PTR(-EACCES);
106428 }
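Review bot: The grsecurity checks added to mm_access() run only when `mode == PTRACE_MODE_ATTACH` matches exactly, so a caller that ORs another flag into mode (upstream defines PTRACE_MODE_NOAUDIT next to the READ/ATTACH bits) would request attach-level access and still skip gr_handle_proc_ptrace() and gr_acl_handle_procpidmem(). Testing the bit instead, `((mode & PTRACE_MODE_ATTACH) && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task)))`, ties the check to the access level rather than to the exact argument value. Whether any current caller passes such a combination is not visible here, and the function starts before this hunk.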
106429@@ -997,13 +1093,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
106430 spin_unlock(&fs->lock);
106431 return -EAGAIN;
106432 }
106433- fs->users++;
106434+ atomic_inc(&fs->users);
106435 spin_unlock(&fs->lock);
106436 return 0;
106437 }
106438 tsk->fs = copy_fs_struct(fs);
106439 if (!tsk->fs)
106440 return -ENOMEM;
106441+ /* Carry through gr_chroot_dentry and is_chrooted instead
106442+ of recomputing it here. Already copied when the task struct
106443+ is duplicated. This allows pivot_root to not be treated as
106444+ a chroot
106445+ */
106446+ //gr_set_chroot_entries(tsk, &tsk->fs->root);
106447+
106448 return 0;
106449 }
106450
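Review bot: The block added to copy_fs() ends in a commented-out call, `//gr_set_chroot_entries(tsk, &tsk->fs->root);`, which reads as code that was switched off rather than removed. Drop that line and let the comment carry the reasoning on its own, for example `/* gr_chroot_dentry and is_chrooted are inherited when the task struct is duplicated; recomputing them here would make pivot_root look like a chroot */`.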
106451@@ -1234,7 +1337,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid)
106452 * parts of the process environment (as per the clone
106453 * flags). The actual kick-off is left to the caller.
106454 */
106455-static struct task_struct *copy_process(unsigned long clone_flags,
106456+static __latent_entropy struct task_struct *copy_process(unsigned long clone_flags,
106457 unsigned long stack_start,
106458 unsigned long stack_size,
106459 int __user *child_tidptr,
106460@@ -1306,6 +1409,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
106461 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
106462 #endif
106463 retval = -EAGAIN;
106464+
106465+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
106466+
106467 if (atomic_read(&p->real_cred->user->processes) >=
106468 task_rlimit(p, RLIMIT_NPROC)) {
106469 if (p->real_cred->user != INIT_USER &&
106470@@ -1556,6 +1662,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
106471 goto bad_fork_free_pid;
106472 }
106473
106474+ /* synchronizes with gr_set_acls()
106475+ we need to call this past the point of no return for fork()
106476+ */
106477+ gr_copy_label(p);
106478+
106479 if (likely(p->pid)) {
106480 ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
106481
106482@@ -1645,6 +1756,8 @@ bad_fork_cleanup_count:
106483 bad_fork_free:
106484 free_task(p);
106485 fork_out:
106486+ gr_log_forkfail(retval);
106487+
106488 return ERR_PTR(retval);
106489 }
106490
106491@@ -1707,6 +1820,7 @@ long _do_fork(unsigned long clone_flags,
106492
106493 p = copy_process(clone_flags, stack_start, stack_size,
106494 child_tidptr, NULL, trace, tls);
106495+ add_latent_entropy();
106496 /*
106497 * Do this prior waking up the new thread - the thread pointer
106498 * might get invalid after that point, if the thread exits quickly.
106499@@ -1723,6 +1837,8 @@ long _do_fork(unsigned long clone_flags,
106500 if (clone_flags & CLONE_PARENT_SETTID)
106501 put_user(nr, parent_tidptr);
106502
106503+ gr_handle_brute_check();
106504+
106505 if (clone_flags & CLONE_VFORK) {
106506 p->vfork_done = &vfork;
106507 init_completion(&vfork);
106508@@ -1855,7 +1971,7 @@ void __init proc_caches_init(void)
106509 mm_cachep = kmem_cache_create("mm_struct",
106510 sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
106511 SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL);
106512- vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC);
106513+ vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC | SLAB_NO_SANITIZE);
106514 mmap_init();
106515 nsproxy_cache_init();
106516 }
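Review bot: `vm_area_cachep` is now created with SLAB_NO_SANITIZE, and nothing in the hunk records why vm_area_struct objects are exempt from sanitization on free. These objects carry kernel pointers (the dup_vma() code in this same file sets vm_mm and reads vm_file), so the exemption is a deliberate trade-off and should say so. A comment on the line such as `/* exempt from slab sanitization: <reason> */`, with the actual rationale filled in by the author, would do.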
106517@@ -1903,7 +2019,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
106518 return 0;
106519
106520 /* don't need lock here; in the worst case we'll do useless copy */
106521- if (fs->users == 1)
106522+ if (atomic_read(&fs->users) == 1)
106523 return 0;
106524
106525 *new_fsp = copy_fs_struct(fs);
106526@@ -2015,7 +2131,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
106527 fs = current->fs;
106528 spin_lock(&fs->lock);
106529 current->fs = new_fs;
106530- if (--fs->users)
106531+ gr_set_chroot_entries(current, &current->fs->root);
106532+ if (atomic_dec_return(&fs->users))
106533 new_fs = NULL;
106534 else
106535 new_fs = fs;
106536@@ -2079,7 +2196,7 @@ int unshare_files(struct files_struct **displaced)
106537 int sysctl_max_threads(struct ctl_table *table, int write,
106538 void __user *buffer, size_t *lenp, loff_t *ppos)
106539 {
106540- struct ctl_table t;
106541+ ctl_table_no_const t;
106542 int ret;
106543 int threads = max_threads;
106544 int min = MIN_THREADS;
106545diff --git a/kernel/futex.c b/kernel/futex.c
106546index c4a182f..e789324 100644
106547--- a/kernel/futex.c
106548+++ b/kernel/futex.c
106549@@ -201,7 +201,7 @@ struct futex_pi_state {
106550 atomic_t refcount;
106551
106552 union futex_key key;
106553-};
106554+} __randomize_layout;
106555
106556 /**
106557 * struct futex_q - The hashed futex queue entry, one per waiting task
106558@@ -235,7 +235,7 @@ struct futex_q {
106559 struct rt_mutex_waiter *rt_waiter;
106560 union futex_key *requeue_pi_key;
106561 u32 bitset;
106562-};
106563+} __randomize_layout;
106564
106565 static const struct futex_q futex_q_init = {
106566 /* list gets initialized in queue_me()*/
106567@@ -402,6 +402,11 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
106568 struct page *page, *page_head;
106569 int err, ro = 0;
106570
106571+#ifdef CONFIG_PAX_SEGMEXEC
106572+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
106573+ return -EFAULT;
106574+#endif
106575+
106576 /*
106577 * The futex address must be "naturally" aligned.
106578 */
106579@@ -601,7 +606,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
106580
106581 static int get_futex_value_locked(u32 *dest, u32 __user *from)
106582 {
106583- int ret;
106584+ unsigned long ret;
106585
106586 pagefault_disable();
106587 ret = __copy_from_user_inatomic(dest, from, sizeof(u32));
106588@@ -3030,6 +3035,7 @@ static void __init futex_detect_cmpxchg(void)
106589 {
106590 #ifndef CONFIG_HAVE_FUTEX_CMPXCHG
106591 u32 curval;
106592+ mm_segment_t oldfs;
106593
106594 /*
106595 * This will fail and we want it. Some arch implementations do
106596@@ -3041,8 +3047,11 @@ static void __init futex_detect_cmpxchg(void)
106597 * implementation, the non-functional ones will return
106598 * -ENOSYS.
106599 */
106600+ oldfs = get_fs();
106601+ set_fs(USER_DS);
106602 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
106603 futex_cmpxchg_enabled = 1;
106604+ set_fs(oldfs);
106605 #endif
106606 }
106607
106608diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
106609index 55c8c93..9ba7ad6 100644
106610--- a/kernel/futex_compat.c
106611+++ b/kernel/futex_compat.c
106612@@ -32,7 +32,7 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
106613 return 0;
106614 }
106615
106616-static void __user *futex_uaddr(struct robust_list __user *entry,
106617+static void __user __intentional_overflow(-1) *futex_uaddr(struct robust_list __user *entry,
106618 compat_long_t futex_offset)
106619 {
106620 compat_uptr_t base = ptr_to_compat(entry);
106621diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c
106622index 7080ae1..c9b3761 100644
106623--- a/kernel/gcov/base.c
106624+++ b/kernel/gcov/base.c
106625@@ -123,11 +123,6 @@ void gcov_enable_events(void)
106626 }
106627
106628 #ifdef CONFIG_MODULES
106629-static inline int within(void *addr, void *start, unsigned long size)
106630-{
106631- return ((addr >= start) && (addr < start + size));
106632-}
106633-
106634 /* Update list and generate events when modules are unloaded. */
106635 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
106636 void *data)
106637@@ -142,7 +137,7 @@ static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
106638
106639 /* Remove entries located in module from linked list. */
106640 while ((info = gcov_info_next(info))) {
106641- if (within(info, mod->module_core, mod->core_size)) {
106642+ if (within_module_core_rw((unsigned long)info, mod)) {
106643 gcov_info_unlink(prev, info);
106644 if (gcov_events_enabled)
106645 gcov_event(GCOV_REMOVE, info);
106646diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
106647index f974485..c5b8afd 100644
106648--- a/kernel/irq/manage.c
106649+++ b/kernel/irq/manage.c
106650@@ -937,7 +937,7 @@ static int irq_thread(void *data)
106651
106652 action_ret = handler_fn(desc, action);
106653 if (action_ret == IRQ_HANDLED)
106654- atomic_inc(&desc->threads_handled);
106655+ atomic_inc_unchecked(&desc->threads_handled);
106656
106657 wake_threads_waitq(desc);
106658 }
106659diff --git a/kernel/irq/msi.c b/kernel/irq/msi.c
106660index 7bf1f1b..d73e508 100644
106661--- a/kernel/irq/msi.c
106662+++ b/kernel/irq/msi.c
106663@@ -195,16 +195,18 @@ static void msi_domain_update_dom_ops(struct msi_domain_info *info)
106664 return;
106665 }
106666
106667+ pax_open_kernel();
106668 if (ops->get_hwirq == NULL)
106669- ops->get_hwirq = msi_domain_ops_default.get_hwirq;
106670+ *(void **)&ops->get_hwirq = msi_domain_ops_default.get_hwirq;
106671 if (ops->msi_init == NULL)
106672- ops->msi_init = msi_domain_ops_default.msi_init;
106673+ *(void **)&ops->msi_init = msi_domain_ops_default.msi_init;
106674 if (ops->msi_check == NULL)
106675- ops->msi_check = msi_domain_ops_default.msi_check;
106676+ *(void **)&ops->msi_check = msi_domain_ops_default.msi_check;
106677 if (ops->msi_prepare == NULL)
106678- ops->msi_prepare = msi_domain_ops_default.msi_prepare;
106679+ *(void **)&ops->msi_prepare = msi_domain_ops_default.msi_prepare;
106680 if (ops->set_desc == NULL)
106681- ops->set_desc = msi_domain_ops_default.set_desc;
106682+ *(void **)&ops->set_desc = msi_domain_ops_default.set_desc;
106683+ pax_close_kernel();
106684 }
106685
106686 static void msi_domain_update_chip_ops(struct msi_domain_info *info)
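Review bot: Each default is stored as `*(void **)&ops->get_hwirq = ...`, which strips the function-pointer type from the left-hand side, so the compiler no longer checks that the default handler matches the field's prototype. The cast is presumably there only because the ops structure is made const by this patch's constification, which is not visible in this hunk. A comment above `pax_open_kernel();` would say so, e.g. `/* ops is normally read-only; the void ** casts only drop const for the one-time default fill */` (wording to be confirmed by the author). The same applies to the chip->irq_mask, irq_unmask and irq_set_affinity stores in the next hunk.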
106687@@ -212,12 +214,14 @@ static void msi_domain_update_chip_ops(struct msi_domain_info *info)
106688 struct irq_chip *chip = info->chip;
106689
106690 BUG_ON(!chip);
106691+ pax_open_kernel();
106692 if (!chip->irq_mask)
106693- chip->irq_mask = pci_msi_mask_irq;
106694+ *(void **)&chip->irq_mask = pci_msi_mask_irq;
106695 if (!chip->irq_unmask)
106696- chip->irq_unmask = pci_msi_unmask_irq;
106697+ *(void **)&chip->irq_unmask = pci_msi_unmask_irq;
106698 if (!chip->irq_set_affinity)
106699- chip->irq_set_affinity = msi_domain_set_affinity;
106700+ *(void **)&chip->irq_set_affinity = msi_domain_set_affinity;
106701+ pax_close_kernel();
106702 }
106703
106704 /**
106705diff --git a/kernel/irq/spurious.c b/kernel/irq/spurious.c
106706index e2514b0..de3dfe0 100644
106707--- a/kernel/irq/spurious.c
106708+++ b/kernel/irq/spurious.c
106709@@ -337,7 +337,7 @@ void note_interrupt(unsigned int irq, struct irq_desc *desc,
106710 * count. We just care about the count being
106711 * different than the one we saw before.
106712 */
106713- handled = atomic_read(&desc->threads_handled);
106714+ handled = atomic_read_unchecked(&desc->threads_handled);
106715 handled |= SPURIOUS_DEFERRED;
106716 if (handled != desc->threads_handled_last) {
106717 action_ret = IRQ_HANDLED;
106718diff --git a/kernel/jump_label.c b/kernel/jump_label.c
106719index 52ebaca..ec6f5cb 100644
106720--- a/kernel/jump_label.c
106721+++ b/kernel/jump_label.c
106722@@ -14,6 +14,7 @@
106723 #include <linux/err.h>
106724 #include <linux/static_key.h>
106725 #include <linux/jump_label_ratelimit.h>
106726+#include <linux/mm.h>
106727
106728 #ifdef HAVE_JUMP_LABEL
106729
106730@@ -51,7 +52,9 @@ jump_label_sort_entries(struct jump_entry *start, struct jump_entry *stop)
106731
106732 size = (((unsigned long)stop - (unsigned long)start)
106733 / sizeof(struct jump_entry));
106734+ pax_open_kernel();
106735 sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
106736+ pax_close_kernel();
106737 }
106738
106739 static void jump_label_update(struct static_key *key, int enable);
106740@@ -363,10 +366,12 @@ static void jump_label_invalidate_module_init(struct module *mod)
106741 struct jump_entry *iter_stop = iter_start + mod->num_jump_entries;
106742 struct jump_entry *iter;
106743
106744+ pax_open_kernel();
106745 for (iter = iter_start; iter < iter_stop; iter++) {
106746 if (within_module_init(iter->code, mod))
106747 iter->code = 0;
106748 }
106749+ pax_close_kernel();
106750 }
106751
106752 static int
106753diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
106754index 5c5987f..bc502b0 100644
106755--- a/kernel/kallsyms.c
106756+++ b/kernel/kallsyms.c
106757@@ -11,6 +11,9 @@
106758 * Changed the compression method from stem compression to "table lookup"
106759 * compression (see scripts/kallsyms.c for a more complete description)
106760 */
106761+#ifdef CONFIG_GRKERNSEC_HIDESYM
106762+#define __INCLUDED_BY_HIDESYM 1
106763+#endif
106764 #include <linux/kallsyms.h>
106765 #include <linux/module.h>
106766 #include <linux/init.h>
106767@@ -54,12 +57,33 @@ extern const unsigned long kallsyms_markers[] __weak;
106768
106769 static inline int is_kernel_inittext(unsigned long addr)
106770 {
106771+ if (system_state != SYSTEM_BOOTING)
106772+ return 0;
106773+
106774 if (addr >= (unsigned long)_sinittext
106775 && addr <= (unsigned long)_einittext)
106776 return 1;
106777 return 0;
106778 }
106779
106780+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106781+#ifdef CONFIG_MODULES
106782+static inline int is_module_text(unsigned long addr)
106783+{
106784+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
106785+ return 1;
106786+
106787+ addr = ktla_ktva(addr);
106788+ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
106789+}
106790+#else
106791+static inline int is_module_text(unsigned long addr)
106792+{
106793+ return 0;
106794+}
106795+#endif
106796+#endif
106797+
106798 static inline int is_kernel_text(unsigned long addr)
106799 {
106800 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
106801@@ -70,13 +94,28 @@ static inline int is_kernel_text(unsigned long addr)
106802
106803 static inline int is_kernel(unsigned long addr)
106804 {
106805+
106806+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106807+ if (is_kernel_text(addr) || is_kernel_inittext(addr))
106808+ return 1;
106809+
106810+ if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
106811+#else
106812 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
106813+#endif
106814+
106815 return 1;
106816 return in_gate_area_no_mm(addr);
106817 }
106818
106819 static int is_ksym_addr(unsigned long addr)
106820 {
106821+
106822+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106823+ if (is_module_text(addr))
106824+ return 0;
106825+#endif
106826+
106827 if (all_var)
106828 return is_kernel(addr);
106829
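Review bot: In is_kernel() the two configurations disagree on the upper bound: the KERNEXEC branch tests `addr < (unsigned long)_end` while the #else branch keeps `addr <= (unsigned long)_end`. If the difference is intended it needs a comment; otherwise both branches should use the same comparison. The `if` header also sits inside the #if/#else while its `return 1;` body follows the #endif after a blank line, which is easy to misread. Giving each branch its own complete `if (...) return 1;` would make the control flow explicit.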
106830@@ -481,7 +520,6 @@ static unsigned long get_ksymbol_core(struct kallsym_iter *iter)
106831
106832 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
106833 {
106834- iter->name[0] = '\0';
106835 iter->nameoff = get_symbol_offset(new_pos);
106836 iter->pos = new_pos;
106837 }
106838@@ -529,6 +567,11 @@ static int s_show(struct seq_file *m, void *p)
106839 {
106840 struct kallsym_iter *iter = m->private;
106841
106842+#ifdef CONFIG_GRKERNSEC_HIDESYM
106843+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID))
106844+ return 0;
106845+#endif
106846+
106847 /* Some debugging symbols have no name. Ignore them. */
106848 if (!iter->name[0])
106849 return 0;
106850@@ -542,6 +585,7 @@ static int s_show(struct seq_file *m, void *p)
106851 */
106852 type = iter->exported ? toupper(iter->type) :
106853 tolower(iter->type);
106854+
106855 seq_printf(m, "%pK %c %s\t[%s]\n", (void *)iter->value,
106856 type, iter->name, iter->module_name);
106857 } else
106858diff --git a/kernel/kcmp.c b/kernel/kcmp.c
106859index 0aa69ea..a7fcafb 100644
106860--- a/kernel/kcmp.c
106861+++ b/kernel/kcmp.c
106862@@ -100,6 +100,10 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
106863 struct task_struct *task1, *task2;
106864 int ret;
106865
106866+#ifdef CONFIG_GRKERNSEC
106867+ return -ENOSYS;
106868+#endif
106869+
106870 rcu_read_lock();
106871
106872 /*
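Review bot: Under CONFIG_GRKERNSEC the added `return -ENOSYS;` turns the entire body of the kcmp syscall into dead code, and nothing in the hunk says why the call is disabled. A comment on the #ifdef would record the intent, e.g. `/* kcmp lets a task compare kernel objects across processes; not offered under grsecurity */` (wording to be confirmed by the author). Without it a later reader cannot tell a policy decision from a leftover debugging stub. The rest of the function lies outside this hunk.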
106873diff --git a/kernel/kexec.c b/kernel/kexec.c
106874index a785c10..6dbb06f 100644
106875--- a/kernel/kexec.c
106876+++ b/kernel/kexec.c
106877@@ -1243,7 +1243,7 @@ static int kimage_load_segment(struct kimage *image,
106878 */
106879 struct kimage *kexec_image;
106880 struct kimage *kexec_crash_image;
106881-int kexec_load_disabled;
106882+int kexec_load_disabled __read_only;
106883
106884 static DEFINE_MUTEX(kexec_mutex);
106885
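Review bot: `kexec_load_disabled` is moved into `__read_only` memory, yet it is a flag meant to be set at runtime (upstream exposes it through a sysctl), and this hunk touches none of its writers. Every store to it then has to happen inside a pax_open_kernel()/pax_close_kernel() window, the pattern this patch uses in kernel/irq/msi.c, or go through a handler that opens one; a plain store would be expected to fault once the section is write-protected. A comment at the declaration would document the requirement, e.g. `/* __read_only: writers must use pax_open_kernel() */`.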
106886@@ -1359,7 +1359,8 @@ COMPAT_SYSCALL_DEFINE4(kexec_load, compat_ulong_t, entry,
106887 compat_ulong_t, flags)
106888 {
106889 struct compat_kexec_segment in;
106890- struct kexec_segment out, __user *ksegments;
106891+ struct kexec_segment out;
106892+ struct kexec_segment __user *ksegments;
106893 unsigned long i, result;
106894
106895 /* Don't allow clients that don't understand the native
106896diff --git a/kernel/kmod.c b/kernel/kmod.c
106897index 2777f40..a689506 100644
106898--- a/kernel/kmod.c
106899+++ b/kernel/kmod.c
106900@@ -68,7 +68,7 @@ static void free_modprobe_argv(struct subprocess_info *info)
106901 kfree(info->argv);
106902 }
106903
106904-static int call_modprobe(char *module_name, int wait)
106905+static int call_modprobe(char *module_name, char *module_param, int wait)
106906 {
106907 struct subprocess_info *info;
106908 static char *envp[] = {
106909@@ -78,7 +78,7 @@ static int call_modprobe(char *module_name, int wait)
106910 NULL
106911 };
106912
106913- char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL);
106914+ char **argv = kmalloc(sizeof(char *[6]), GFP_KERNEL);
106915 if (!argv)
106916 goto out;
106917
106918@@ -90,7 +90,8 @@ static int call_modprobe(char *module_name, int wait)
106919 argv[1] = "-q";
106920 argv[2] = "--";
106921 argv[3] = module_name; /* check free_modprobe_argv() */
106922- argv[4] = NULL;
106923+ argv[4] = module_param;
106924+ argv[5] = NULL;
106925
106926 info = call_usermodehelper_setup(modprobe_path, argv, envp, GFP_KERNEL,
106927 NULL, free_modprobe_argv, NULL);
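Review bot: `argv[4] = module_param;` stores the caller's pointer as-is, whereas the comment on argv[3] refers the reader to free_modprobe_argv() for that slot's lifetime. The __request_module() added further down in this file passes a `char module_param[MODULE_NAME_LEN]` that lives on its own stack. If the helper can still read argv after the requesting task has returned (for instance when the wait is killable, which is decided outside this hunk), argv[4] would point into a dead stack frame. Duplicating the string in call_modprobe() when it is non-NULL and releasing it with `kfree(info->argv[4]);` in free_modprobe_argv() removes that dependency; kfree(NULL) covers the case without a parameter.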
106928@@ -122,9 +123,8 @@ out:
106929 * If module auto-loading support is disabled then this function
106930 * becomes a no-operation.
106931 */
106932-int __request_module(bool wait, const char *fmt, ...)
106933+static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
106934 {
106935- va_list args;
106936 char module_name[MODULE_NAME_LEN];
106937 unsigned int max_modprobes;
106938 int ret;
106939@@ -143,9 +143,7 @@ int __request_module(bool wait, const char *fmt, ...)
106940 if (!modprobe_path[0])
106941 return 0;
106942
106943- va_start(args, fmt);
106944- ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
106945- va_end(args);
106946+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
106947 if (ret >= MODULE_NAME_LEN)
106948 return -ENAMETOOLONG;
106949
106950@@ -153,6 +151,20 @@ int __request_module(bool wait, const char *fmt, ...)
106951 if (ret)
106952 return ret;
106953
106954+#ifdef CONFIG_GRKERNSEC_MODHARDEN
106955+ if (uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
106956+ /* hack to workaround consolekit/udisks stupidity */
106957+ read_lock(&tasklist_lock);
106958+ if (!strcmp(current->comm, "mount") &&
106959+ current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
106960+ read_unlock(&tasklist_lock);
106961+ printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
106962+ return -EPERM;
106963+ }
106964+ read_unlock(&tasklist_lock);
106965+ }
106966+#endif
106967+
106968 /* If modprobe needs a service that is in a module, we get a recursive
106969 * loop. Limit the number of running kmod threads to max_threads/2 or
106970 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
106971@@ -181,16 +193,61 @@ int __request_module(bool wait, const char *fmt, ...)
106972
106973 trace_module_request(module_name, wait, _RET_IP_);
106974
106975- ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
106976+ ret = call_modprobe(module_name, module_param, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
106977
106978 atomic_dec(&kmod_concurrent);
106979 return ret;
106980 }
106981+
106982+int ___request_module(bool wait, char *module_param, const char *fmt, ...)
106983+{
106984+ va_list args;
106985+ int ret;
106986+
106987+ va_start(args, fmt);
106988+ ret = ____request_module(wait, module_param, fmt, args);
106989+ va_end(args);
106990+
106991+ return ret;
106992+}
106993+
106994+int __request_module(bool wait, const char *fmt, ...)
106995+{
106996+ va_list args;
106997+ int ret;
106998+
106999+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107000+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
107001+ char module_param[MODULE_NAME_LEN];
107002+
107003+ memset(module_param, 0, sizeof(module_param));
107004+
107005+ snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", GR_GLOBAL_UID(current_uid()));
107006+
107007+ va_start(args, fmt);
107008+ ret = ____request_module(wait, module_param, fmt, args);
107009+ va_end(args);
107010+
107011+ return ret;
107012+ }
107013+#endif
107014+
107015+ va_start(args, fmt);
107016+ ret = ____request_module(wait, NULL, fmt, args);
107017+ va_end(args);
107018+
107019+ return ret;
107020+}
107021+
107022 EXPORT_SYMBOL(__request_module);
107023 #endif /* CONFIG_MODULES */
107024
107025 static void call_usermodehelper_freeinfo(struct subprocess_info *info)
107026 {
107027+#ifdef CONFIG_GRKERNSEC
107028+ kfree(info->path);
107029+ info->path = info->origpath;
107030+#endif
107031 if (info->cleanup)
107032 (*info->cleanup)(info);
107033 kfree(info);
107034@@ -232,6 +289,21 @@ static int ____call_usermodehelper(void *data)
107035 */
107036 set_user_nice(current, 0);
107037
107038+#ifdef CONFIG_GRKERNSEC
107039+ /* this is race-free as far as userland is concerned as we copied
107040+ out the path to be used prior to this point and are now operating
107041+ on that copy
107042+ */
107043+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
107044+ strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
107045+ strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
107046+ strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
107047+ printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
107048+ retval = -EPERM;
107049+ goto out;
107050+ }
107051+#endif
107052+
107053 retval = -ENOMEM;
107054 new = prepare_kernel_cred(current);
107055 if (!new)
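Review bot: The allowlist in ____call_usermodehelper() pairs each prefix literal with a hand-counted length (6, 9, 5, 7, 13, 9), so a miscount would silently widen or narrow what the kernel agrees to exec, and the seven-term condition is hard to audit. Keeping the prefixes in a small table and taking the length from each entry removes the counts and keeps the same accept/deny result, including the exact-match exception and the ".." rejection. The function begins and ends outside this hunk.

```c
#ifdef CONFIG_GRKERNSEC
	/* … unchanged: comment on operating on the copied path … */
	{
		static const char * const permitted_prefix[] = {
			"/sbin/", "/usr/lib/", "/lib/", "/lib64/",
			"/usr/libexec/", "/usr/bin/",
		};
		bool permitted = !strcmp(sub_info->path, "/usr/share/apport/apport");
		size_t i;

		for (i = 0; !permitted && i < ARRAY_SIZE(permitted_prefix); i++)
			permitted = !strncmp(sub_info->path, permitted_prefix[i],
					     strlen(permitted_prefix[i]));

		if (!permitted || strstr(sub_info->path, "..")) {
			/* … unchanged: printk, retval = -EPERM, goto out … */
		}
	}
#endif
```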
107056@@ -254,8 +326,8 @@ static int ____call_usermodehelper(void *data)
107057 commit_creds(new);
107058
107059 retval = do_execve(getname_kernel(sub_info->path),
107060- (const char __user *const __user *)sub_info->argv,
107061- (const char __user *const __user *)sub_info->envp);
107062+ (const char __user *const __force_user *)sub_info->argv,
107063+ (const char __user *const __force_user *)sub_info->envp);
107064 out:
107065 sub_info->retval = retval;
107066 /* wait_for_helper() will call umh_complete if UHM_WAIT_PROC. */
107067@@ -288,7 +360,7 @@ static int wait_for_helper(void *data)
107068 *
107069 * Thus the __user pointer cast is valid here.
107070 */
107071- sys_wait4(pid, (int __user *)&ret, 0, NULL);
107072+ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
107073
107074 /*
107075 * If ret is 0, either ____call_usermodehelper failed and the
107076@@ -510,7 +582,12 @@ struct subprocess_info *call_usermodehelper_setup(char *path, char **argv,
107077 goto out;
107078
107079 INIT_WORK(&sub_info->work, __call_usermodehelper);
107080+#ifdef CONFIG_GRKERNSEC
107081+ sub_info->origpath = path;
107082+ sub_info->path = kstrdup(path, gfp_mask);
107083+#else
107084 sub_info->path = path;
107085+#endif
107086 sub_info->argv = argv;
107087 sub_info->envp = envp;
107088
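Review bot: The result of `kstrdup(path, gfp_mask)` is stored in sub_info->path without a NULL check, and the allowlist test this patch adds to ____call_usermodehelper() passes sub_info->path straight to strncmp() and strstr(). On allocation failure that would be a NULL dereference in the helper thread. Failing the setup instead keeps the error with the caller: `if (!sub_info->path) { kfree(sub_info); return NULL; }` placed right after the kstrdup. This assumes the function reports failure by returning NULL, as the `goto out` above suggests; its tail is outside this hunk.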
107089@@ -612,7 +689,7 @@ EXPORT_SYMBOL(call_usermodehelper);
107090 static int proc_cap_handler(struct ctl_table *table, int write,
107091 void __user *buffer, size_t *lenp, loff_t *ppos)
107092 {
107093- struct ctl_table t;
107094+ ctl_table_no_const t;
107095 unsigned long cap_array[_KERNEL_CAPABILITY_U32S];
107096 kernel_cap_t new_cap;
107097 int err, i;
107098diff --git a/kernel/kprobes.c b/kernel/kprobes.c
107099index c90e417..e6c515d 100644
107100--- a/kernel/kprobes.c
107101+++ b/kernel/kprobes.c
107102@@ -31,6 +31,9 @@
107103 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
107104 * <prasanna@in.ibm.com> added function-return probes.
107105 */
107106+#ifdef CONFIG_GRKERNSEC_HIDESYM
107107+#define __INCLUDED_BY_HIDESYM 1
107108+#endif
107109 #include <linux/kprobes.h>
107110 #include <linux/hash.h>
107111 #include <linux/init.h>
107112@@ -122,12 +125,12 @@ enum kprobe_slot_state {
107113
107114 static void *alloc_insn_page(void)
107115 {
107116- return module_alloc(PAGE_SIZE);
107117+ return module_alloc_exec(PAGE_SIZE);
107118 }
107119
107120 static void free_insn_page(void *page)
107121 {
107122- module_memfree(page);
107123+ module_memfree_exec(page);
107124 }
107125
107126 struct kprobe_insn_cache kprobe_insn_slots = {
107127@@ -2198,11 +2201,11 @@ static void report_probe(struct seq_file *pi, struct kprobe *p,
107128 kprobe_type = "k";
107129
107130 if (sym)
107131- seq_printf(pi, "%p %s %s+0x%x %s ",
107132+ seq_printf(pi, "%pK %s %s+0x%x %s ",
107133 p->addr, kprobe_type, sym, offset,
107134 (modname ? modname : " "));
107135 else
107136- seq_printf(pi, "%p %s %p ",
107137+ seq_printf(pi, "%pK %s %pK ",
107138 p->addr, kprobe_type, p->addr);
107139
107140 if (!pp)
107141diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
107142index 6683cce..daf8999 100644
107143--- a/kernel/ksysfs.c
107144+++ b/kernel/ksysfs.c
107145@@ -50,6 +50,8 @@ static ssize_t uevent_helper_store(struct kobject *kobj,
107146 {
107147 if (count+1 > UEVENT_HELPER_PATH_LEN)
107148 return -ENOENT;
107149+ if (!capable(CAP_SYS_ADMIN))
107150+ return -EPERM;
107151 memcpy(uevent_helper, buf, count);
107152 uevent_helper[count] = '\0';
107153 if (count && uevent_helper[count-1] == '\n')
107154@@ -176,7 +178,7 @@ static ssize_t notes_read(struct file *filp, struct kobject *kobj,
107155 return count;
107156 }
107157
107158-static struct bin_attribute notes_attr = {
107159+static bin_attribute_no_const notes_attr __read_only = {
107160 .attr = {
107161 .name = "notes",
107162 .mode = S_IRUGO,
107163diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
107164index 8acfbf7..0c5a34a 100644
107165--- a/kernel/locking/lockdep.c
107166+++ b/kernel/locking/lockdep.c
107167@@ -613,6 +613,10 @@ static int static_obj(void *obj)
107168 end = (unsigned long) &_end,
107169 addr = (unsigned long) obj;
107170
107171+#ifdef CONFIG_PAX_KERNEXEC
107172+ start = ktla_ktva(start);
107173+#endif
107174+
107175 /*
107176 * static variable?
107177 */
107178@@ -757,6 +761,7 @@ register_lock_class(struct lockdep_map *lock, unsigned int subclass, int force)
107179 if (!static_obj(lock->key)) {
107180 debug_locks_off();
107181 printk("INFO: trying to register non-static key.\n");
107182+ printk("lock:%pS key:%pS.\n", lock, lock->key);
107183 printk("the code is fine but needs lockdep annotation.\n");
107184 printk("turning off the locking correctness validator.\n");
107185 dump_stack();
107186@@ -3102,7 +3107,7 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
107187 if (!class)
107188 return 0;
107189 }
107190- atomic_inc((atomic_t *)&class->ops);
107191+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)&class->ops);
107192 if (very_verbose(class)) {
107193 printk("\nacquire class [%p] %s", class->key, class->name);
107194 if (class->name_version > 1)
107195diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c
107196index d83d798..ea3120d 100644
107197--- a/kernel/locking/lockdep_proc.c
107198+++ b/kernel/locking/lockdep_proc.c
107199@@ -65,7 +65,7 @@ static int l_show(struct seq_file *m, void *v)
107200 return 0;
107201 }
107202
107203- seq_printf(m, "%p", class->key);
107204+ seq_printf(m, "%pK", class->key);
107205 #ifdef CONFIG_DEBUG_LOCKDEP
107206 seq_printf(m, " OPS:%8ld", class->ops);
107207 #endif
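Review bot: `%pK` masks the value only when the `kptr_restrict` sysctl is non-zero, so the conversions in `l_show()` here, and in the `lc_show()` and two `seq_stats()` hunks below, depend on a setting this file does not show. Unless this tree pins the sysctl elsewhere, a system left at 0 still prints the raw lock-class keys and contention addresses. A comment at the first use would document the dependency, e.g. `/* %pK: value is hidden according to kptr_restrict */`. `l_show()` starts above the hunk and continues in the next one.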
107208@@ -83,7 +83,7 @@ static int l_show(struct seq_file *m, void *v)
107209
107210 list_for_each_entry(entry, &class->locks_after, entry) {
107211 if (entry->distance == 1) {
107212- seq_printf(m, " -> [%p] ", entry->class->key);
107213+ seq_printf(m, " -> [%pK] ", entry->class->key);
107214 print_name(m, entry->class);
107215 seq_puts(m, "\n");
107216 }
107217@@ -152,7 +152,7 @@ static int lc_show(struct seq_file *m, void *v)
107218 if (!class->key)
107219 continue;
107220
107221- seq_printf(m, "[%p] ", class->key);
107222+ seq_printf(m, "[%pK] ", class->key);
107223 print_name(m, class);
107224 seq_puts(m, "\n");
107225 }
107226@@ -508,7 +508,7 @@ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
107227 if (!i)
107228 seq_line(m, '-', 40-namelen, namelen);
107229
107230- snprintf(ip, sizeof(ip), "[<%p>]",
107231+ snprintf(ip, sizeof(ip), "[<%pK>]",
107232 (void *)class->contention_point[i]);
107233 seq_printf(m, "%40s %14lu %29s %pS\n",
107234 name, stats->contention_point[i],
107235@@ -523,7 +523,7 @@ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
107236 if (!i)
107237 seq_line(m, '-', 40-namelen, namelen);
107238
107239- snprintf(ip, sizeof(ip), "[<%p>]",
107240+ snprintf(ip, sizeof(ip), "[<%pK>]",
107241 (void *)class->contending_point[i]);
107242 seq_printf(m, "%40s %14lu %29s %pS\n",
107243 name, stats->contending_point[i],
107244diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c
107245index 3ef3736..9c951fa 100644
107246--- a/kernel/locking/mutex-debug.c
107247+++ b/kernel/locking/mutex-debug.c
107248@@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mutex_waiter *waiter)
107249 }
107250
107251 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
107252- struct thread_info *ti)
107253+ struct task_struct *task)
107254 {
107255 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
107256
107257 /* Mark the current thread as blocked on the lock: */
107258- ti->task->blocked_on = waiter;
107259+ task->blocked_on = waiter;
107260 }
107261
107262 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
107263- struct thread_info *ti)
107264+ struct task_struct *task)
107265 {
107266 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
107267- DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
107268- DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
107269- ti->task->blocked_on = NULL;
107270+ DEBUG_LOCKS_WARN_ON(waiter->task != task);
107271+ DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
107272+ task->blocked_on = NULL;
107273
107274 list_del_init(&waiter->list);
107275 waiter->task = NULL;
107276diff --git a/kernel/locking/mutex-debug.h b/kernel/locking/mutex-debug.h
107277index 0799fd3..d06ae3b 100644
107278--- a/kernel/locking/mutex-debug.h
107279+++ b/kernel/locking/mutex-debug.h
107280@@ -20,9 +20,9 @@ extern void debug_mutex_wake_waiter(struct mutex *lock,
107281 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
107282 extern void debug_mutex_add_waiter(struct mutex *lock,
107283 struct mutex_waiter *waiter,
107284- struct thread_info *ti);
107285+ struct task_struct *task);
107286 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
107287- struct thread_info *ti);
107288+ struct task_struct *task);
107289 extern void debug_mutex_unlock(struct mutex *lock);
107290 extern void debug_mutex_init(struct mutex *lock, const char *name,
107291 struct lock_class_key *key);
107292diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
107293index 4cccea6..4382db9 100644
107294--- a/kernel/locking/mutex.c
107295+++ b/kernel/locking/mutex.c
107296@@ -533,7 +533,7 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
107297 goto skip_wait;
107298
107299 debug_mutex_lock_common(lock, &waiter);
107300- debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
107301+ debug_mutex_add_waiter(lock, &waiter, task);
107302
107303 /* add waiting tasks to the end of the waitqueue (FIFO): */
107304 list_add_tail(&waiter.list, &lock->wait_list);
107305@@ -580,7 +580,7 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
107306 }
107307 __set_task_state(task, TASK_RUNNING);
107308
107309- mutex_remove_waiter(lock, &waiter, current_thread_info());
107310+ mutex_remove_waiter(lock, &waiter, task);
107311 /* set it to 0 if there are no waiters left: */
107312 if (likely(list_empty(&lock->wait_list)))
107313 atomic_set(&lock->count, 0);
107314@@ -601,7 +601,7 @@ skip_wait:
107315 return 0;
107316
107317 err:
107318- mutex_remove_waiter(lock, &waiter, task_thread_info(task));
107319+ mutex_remove_waiter(lock, &waiter, task);
107320 spin_unlock_mutex(&lock->wait_lock, flags);
107321 debug_mutex_free_waiter(&waiter);
107322 mutex_release(&lock->dep_map, 1, ip);
107323diff --git a/kernel/locking/rtmutex-tester.c b/kernel/locking/rtmutex-tester.c
107324index 1d96dd0..994ff19 100644
107325--- a/kernel/locking/rtmutex-tester.c
107326+++ b/kernel/locking/rtmutex-tester.c
107327@@ -22,7 +22,7 @@
107328 #define MAX_RT_TEST_MUTEXES 8
107329
107330 static spinlock_t rttest_lock;
107331-static atomic_t rttest_event;
107332+static atomic_unchecked_t rttest_event;
107333
107334 struct test_thread_data {
107335 int opcode;
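Review bot: `rttest_event` is switched to `atomic_unchecked_t` without a comment saying why it is allowed to wrap. Every use visible in this file's hunks (`handle_op()` and `schedule_rt_mutex_test()`) either bumps it with `atomic_add_return_unchecked(1, &rttest_event)` to stamp `td->event` or resets it to 0, so it looks like an event sequence number rather than a reference count. Stating that at the declaration would justify opting out of overflow detection: `/* event sequence number, not a refcount: wrapping is harmless */`.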
107336@@ -63,7 +63,7 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107337
107338 case RTTEST_LOCKCONT:
107339 td->mutexes[td->opdata] = 1;
107340- td->event = atomic_add_return(1, &rttest_event);
107341+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107342 return 0;
107343
107344 case RTTEST_RESET:
107345@@ -76,7 +76,7 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107346 return 0;
107347
107348 case RTTEST_RESETEVENT:
107349- atomic_set(&rttest_event, 0);
107350+ atomic_set_unchecked(&rttest_event, 0);
107351 return 0;
107352
107353 default:
107354@@ -93,9 +93,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107355 return ret;
107356
107357 td->mutexes[id] = 1;
107358- td->event = atomic_add_return(1, &rttest_event);
107359+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107360 rt_mutex_lock(&mutexes[id]);
107361- td->event = atomic_add_return(1, &rttest_event);
107362+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107363 td->mutexes[id] = 4;
107364 return 0;
107365
107366@@ -106,9 +106,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107367 return ret;
107368
107369 td->mutexes[id] = 1;
107370- td->event = atomic_add_return(1, &rttest_event);
107371+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107372 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
107373- td->event = atomic_add_return(1, &rttest_event);
107374+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107375 td->mutexes[id] = ret ? 0 : 4;
107376 return ret ? -EINTR : 0;
107377
107378@@ -117,9 +117,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107379 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
107380 return ret;
107381
107382- td->event = atomic_add_return(1, &rttest_event);
107383+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107384 rt_mutex_unlock(&mutexes[id]);
107385- td->event = atomic_add_return(1, &rttest_event);
107386+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107387 td->mutexes[id] = 0;
107388 return 0;
107389
107390@@ -166,7 +166,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
107391 break;
107392
107393 td->mutexes[dat] = 2;
107394- td->event = atomic_add_return(1, &rttest_event);
107395+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107396 break;
107397
107398 default:
107399@@ -186,7 +186,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
107400 return;
107401
107402 td->mutexes[dat] = 3;
107403- td->event = atomic_add_return(1, &rttest_event);
107404+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107405 break;
107406
107407 case RTTEST_LOCKNOWAIT:
107408@@ -198,7 +198,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
107409 return;
107410
107411 td->mutexes[dat] = 1;
107412- td->event = atomic_add_return(1, &rttest_event);
107413+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107414 return;
107415
107416 default:
107417diff --git a/kernel/module.c b/kernel/module.c
107418index b86b7bf..f5eaa56 100644
107419--- a/kernel/module.c
107420+++ b/kernel/module.c
107421@@ -59,6 +59,7 @@
107422 #include <linux/jump_label.h>
107423 #include <linux/pfn.h>
107424 #include <linux/bsearch.h>
107425+#include <linux/grsecurity.h>
107426 #include <uapi/linux/module.h>
107427 #include "module-internal.h"
107428
107429@@ -108,7 +109,7 @@ static LIST_HEAD(modules);
107430 * Use a latched RB-tree for __module_address(); this allows us to use
107431 * RCU-sched lookups of the address from any context.
107432 *
107433- * Because modules have two address ranges: init and core, we need two
107434+ * Because modules have four address ranges: init_{rw,rx} and core_{rw,rx}, we need four
107435 * latch_tree_nodes entries. Therefore we need the back-pointer from
107436 * mod_tree_node.
107437 *
107438@@ -125,10 +126,14 @@ static __always_inline unsigned long __mod_tree_val(struct latch_tree_node *n)
107439 struct mod_tree_node *mtn = container_of(n, struct mod_tree_node, node);
107440 struct module *mod = mtn->mod;
107441
107442- if (unlikely(mtn == &mod->mtn_init))
107443- return (unsigned long)mod->module_init;
107444+ if (unlikely(mtn == &mod->mtn_init_rw))
107445+ return (unsigned long)mod->module_init_rw;
107446+ if (unlikely(mtn == &mod->mtn_init_rx))
107447+ return (unsigned long)mod->module_init_rx;
107448
107449- return (unsigned long)mod->module_core;
107450+ if (unlikely(mtn == &mod->mtn_core_rw))
107451+ return (unsigned long)mod->module_core_rw;
107452+ return (unsigned long)mod->module_core_rx;
107453 }
107454
107455 static __always_inline unsigned long __mod_tree_size(struct latch_tree_node *n)
107456@@ -136,10 +141,14 @@ static __always_inline unsigned long __mod_tree_size(struct latch_tree_node *n)
107457 struct mod_tree_node *mtn = container_of(n, struct mod_tree_node, node);
107458 struct module *mod = mtn->mod;
107459
107460- if (unlikely(mtn == &mod->mtn_init))
107461- return (unsigned long)mod->init_size;
107462+ if (unlikely(mtn == &mod->mtn_init_rw))
107463+ return (unsigned long)mod->init_size_rw;
107464+ if (unlikely(mtn == &mod->mtn_init_rx))
107465+ return (unsigned long)mod->init_size_rx;
107466
107467- return (unsigned long)mod->core_size;
107468+ if (unlikely(mtn == &mod->mtn_core_rw))
107469+ return (unsigned long)mod->core_size_rw;
107470+ return (unsigned long)mod->core_size_rx;
107471 }
107472
107473 static __always_inline bool
107474@@ -172,14 +181,19 @@ static const struct latch_tree_ops mod_tree_ops = {
107475
107476 static struct mod_tree_root {
107477 struct latch_tree_root root;
107478- unsigned long addr_min;
107479- unsigned long addr_max;
107480+ unsigned long addr_min_rw;
107481+ unsigned long addr_min_rx;
107482+ unsigned long addr_max_rw;
107483+ unsigned long addr_max_rx;
107484 } mod_tree __cacheline_aligned = {
107485- .addr_min = -1UL,
107486+ .addr_min_rw = -1UL,
107487+ .addr_min_rx = -1UL,
107488 };
107489
107490-#define module_addr_min mod_tree.addr_min
107491-#define module_addr_max mod_tree.addr_max
107492+#define module_addr_min_rw mod_tree.addr_min_rw
107493+#define module_addr_min_rx mod_tree.addr_min_rx
107494+#define module_addr_max_rw mod_tree.addr_max_rw
107495+#define module_addr_max_rx mod_tree.addr_max_rx
107496
107497 static noinline void __mod_tree_insert(struct mod_tree_node *node)
107498 {
107499@@ -197,23 +211,31 @@ static void __mod_tree_remove(struct mod_tree_node *node)
107500 */
107501 static void mod_tree_insert(struct module *mod)
107502 {
107503- mod->mtn_core.mod = mod;
107504- mod->mtn_init.mod = mod;
107505+ mod->mtn_core_rw.mod = mod;
107506+ mod->mtn_core_rx.mod = mod;
107507+ mod->mtn_init_rw.mod = mod;
107508+ mod->mtn_init_rx.mod = mod;
107509
107510- __mod_tree_insert(&mod->mtn_core);
107511- if (mod->init_size)
107512- __mod_tree_insert(&mod->mtn_init);
107513+ __mod_tree_insert(&mod->mtn_core_rw);
107514+ __mod_tree_insert(&mod->mtn_core_rx);
107515+ if (mod->init_size_rw)
107516+ __mod_tree_insert(&mod->mtn_init_rw);
107517+ if (mod->init_size_rx)
107518+ __mod_tree_insert(&mod->mtn_init_rx);
107519 }
107520
107521 static void mod_tree_remove_init(struct module *mod)
107522 {
107523- if (mod->init_size)
107524- __mod_tree_remove(&mod->mtn_init);
107525+ if (mod->init_size_rw)
107526+ __mod_tree_remove(&mod->mtn_init_rw);
107527+ if (mod->init_size_rx)
107528+ __mod_tree_remove(&mod->mtn_init_rx);
107529 }
107530
107531 static void mod_tree_remove(struct module *mod)
107532 {
107533- __mod_tree_remove(&mod->mtn_core);
107534+ __mod_tree_remove(&mod->mtn_core_rw);
107535+ __mod_tree_remove(&mod->mtn_core_rx);
107536 mod_tree_remove_init(mod);
107537 }
107538
107539@@ -230,7 +252,8 @@ static struct module *mod_find(unsigned long addr)
107540
107541 #else /* MODULES_TREE_LOOKUP */
107542
107543-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
107544+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
107545+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
107546
107547 static void mod_tree_insert(struct module *mod) { }
107548 static void mod_tree_remove_init(struct module *mod) { }
107549@@ -254,22 +277,36 @@ static struct module *mod_find(unsigned long addr)
107550 * Bounds of module text, for speeding up __module_address.
107551 * Protected by module_mutex.
107552 */
107553-static void __mod_update_bounds(void *base, unsigned int size)
107554+static void __mod_update_bounds_rw(void *base, unsigned int size)
107555 {
107556 unsigned long min = (unsigned long)base;
107557 unsigned long max = min + size;
107558
107559- if (min < module_addr_min)
107560- module_addr_min = min;
107561- if (max > module_addr_max)
107562- module_addr_max = max;
107563+ if (min < module_addr_min_rw)
107564+ module_addr_min_rw = min;
107565+ if (max > module_addr_max_rw)
107566+ module_addr_max_rw = max;
107567+}
107568+
107569+static void __mod_update_bounds_rx(void *base, unsigned int size)
107570+{
107571+ unsigned long min = (unsigned long)base;
107572+ unsigned long max = min + size;
107573+
107574+ if (min < module_addr_min_rx)
107575+ module_addr_min_rx = min;
107576+ if (max > module_addr_max_rx)
107577+ module_addr_max_rx = max;
107578 }
107579
107580 static void mod_update_bounds(struct module *mod)
107581 {
107582- __mod_update_bounds(mod->module_core, mod->core_size);
107583- if (mod->init_size)
107584- __mod_update_bounds(mod->module_init, mod->init_size);
107585+ __mod_update_bounds_rw(mod->module_core_rw, mod->core_size_rw);
107586+ __mod_update_bounds_rx(mod->module_core_rx, mod->core_size_rx);
107587+ if (mod->init_size_rw)
107588+ __mod_update_bounds_rw(mod->module_init_rw, mod->init_size_rw);
107589+ if (mod->init_size_rx)
107590+ __mod_update_bounds_rx(mod->module_init_rx, mod->init_size_rx);
107591 }
107592
107593 #ifdef CONFIG_KGDB_KDB
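Review bot: `__mod_update_bounds_rw()` and `__mod_update_bounds_rx()` are line-for-line copies that differ only in which pair of bounds they touch, so a later fix to one can miss the other. One helper that takes pointers to the bounds keeps the logic in a single place. Taking the address works for both definitions of `module_addr_min_*`/`module_addr_max_*` shown in the earlier hunks (struct-member macro and plain static). The suggested shape is below.

```c
static void __mod_update_bounds(void *base, unsigned int size,
				unsigned long *lo, unsigned long *hi)
{
	unsigned long min = (unsigned long)base;
	unsigned long max = min + size;

	if (min < *lo)
		*lo = min;
	if (max > *hi)
		*hi = max;
}

static void mod_update_bounds(struct module *mod)
{
	__mod_update_bounds(mod->module_core_rw, mod->core_size_rw,
			    &module_addr_min_rw, &module_addr_max_rw);
	__mod_update_bounds(mod->module_core_rx, mod->core_size_rx,
			    &module_addr_min_rx, &module_addr_max_rx);
	if (mod->init_size_rw)
		__mod_update_bounds(mod->module_init_rw, mod->init_size_rw,
				    &module_addr_min_rw, &module_addr_max_rw);
	if (mod->init_size_rx)
		__mod_update_bounds(mod->module_init_rx, mod->init_size_rx,
				    &module_addr_min_rx, &module_addr_max_rx);
}
```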
107594@@ -298,7 +335,7 @@ module_param(sig_enforce, bool_enable_only, 0644);
107595 #endif /* !CONFIG_MODULE_SIG_FORCE */
107596
107597 /* Block module loading/unloading? */
107598-int modules_disabled = 0;
107599+int modules_disabled __read_only = 0;
107600 core_param(nomodule, modules_disabled, bint, 0);
107601
107602 /* Waiting for a module to finish initializing? */
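Review bot: `modules_disabled` gains `__read_only` with no comment on how it may still be changed after boot. In mainline the flag is also set at runtime through the `kernel.modules_disabled` sysctl, and any such writer, none of which is visible in this hunk, presumably has to bracket its store with `pax_open_kernel()`/`pax_close_kernel()` (the pair this patch uses in `simplify_symbols()`) or the write will fault. A comment at the definition would make that contract visible: `/* __read_only: runtime writers must store through pax_open_kernel()/pax_close_kernel() */`.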
107603@@ -473,7 +510,7 @@ bool each_symbol_section(bool (*fn)(const struct symsearch *arr,
107604 return true;
107605
107606 list_for_each_entry_rcu(mod, &modules, list) {
107607- struct symsearch arr[] = {
107608+ struct symsearch modarr[] = {
107609 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
107610 NOT_GPL_ONLY, false },
107611 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
107612@@ -498,7 +535,7 @@ bool each_symbol_section(bool (*fn)(const struct symsearch *arr,
107613 if (mod->state == MODULE_STATE_UNFORMED)
107614 continue;
107615
107616- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
107617+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
107618 return true;
107619 }
107620 return false;
107621@@ -644,7 +681,7 @@ static int percpu_modalloc(struct module *mod, struct load_info *info)
107622 if (!pcpusec->sh_size)
107623 return 0;
107624
107625- if (align > PAGE_SIZE) {
107626+ if (align-1 >= PAGE_SIZE) {
107627 pr_warn("%s: per-cpu alignment %li > %li\n",
107628 mod->name, align, PAGE_SIZE);
107629 align = PAGE_SIZE;
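Review bot: `if (align-1 >= PAGE_SIZE)` relies on wrap-around to also catch `align == 0`, and the warning that follows then reports `0 > PAGE_SIZE`, which is false and hides the real problem (a zero alignment, presumably taken from the section header). Spelling the case out is clearer and does not depend on the type of `align`, whose declaration is above the hunk: `if (align == 0 || align > PAGE_SIZE) {`. The message could say "invalid per-cpu alignment" so it reads correctly for both cases.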
107630@@ -1210,7 +1247,7 @@ struct module_attribute module_uevent =
107631 static ssize_t show_coresize(struct module_attribute *mattr,
107632 struct module_kobject *mk, char *buffer)
107633 {
107634- return sprintf(buffer, "%u\n", mk->mod->core_size);
107635+ return sprintf(buffer, "%u\n", mk->mod->core_size_rx + mk->mod->core_size_rw);
107636 }
107637
107638 static struct module_attribute modinfo_coresize =
107639@@ -1219,7 +1256,7 @@ static struct module_attribute modinfo_coresize =
107640 static ssize_t show_initsize(struct module_attribute *mattr,
107641 struct module_kobject *mk, char *buffer)
107642 {
107643- return sprintf(buffer, "%u\n", mk->mod->init_size);
107644+ return sprintf(buffer, "%u\n", mk->mod->init_size_rx + mk->mod->init_size_rw);
107645 }
107646
107647 static struct module_attribute modinfo_initsize =
107648@@ -1311,12 +1348,29 @@ static int check_version(Elf_Shdr *sechdrs,
107649 goto bad_version;
107650 }
107651
107652+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
107653+ /*
107654+ * avoid potentially printing jibberish on attempted load
107655+ * of a module randomized with a different seed
107656+ */
107657+ pr_warn("no symbol version for %s\n", symname);
107658+#else
107659 pr_warn("%s: no symbol version for %s\n", mod->name, symname);
107660+#endif
107661 return 0;
107662
107663 bad_version:
107664+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
107665+ /*
107666+ * avoid potentially printing jibberish on attempted load
107667+ * of a module randomized with a different seed
107668+ */
107669+ pr_warn("attempted module disagrees about version of symbol %s\n",
107670+ symname);
107671+#else
107672 pr_warn("%s: disagrees about version of symbol %s\n",
107673 mod->name, symname);
107674+#endif
107675 return 0;
107676 }
107677
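Review bot: The CONFIG_GRKERNSEC_RANDSTRUCT variants of both warnings in `check_version()` drop `mod->name`, which leaves the log with no hint of which load attempt failed, and the comment does not say why the name cannot be trusted. The `setup_load_info()` hunk further down shows `mod` being pointed into the image that is being loaded, so with a differently seeded layout `mod->name` may read unrelated bytes; the comment could state that directly. The same `#ifdef` and comment appear three times (twice here, once in `setup_load_info()`), so a small helper macro would remove the duplication. "jibberish" should read "gibberish". `check_version()` starts above the hunk.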
107678@@ -1444,7 +1498,7 @@ resolve_symbol_wait(struct module *mod,
107679 */
107680 #ifdef CONFIG_SYSFS
107681
107682-#ifdef CONFIG_KALLSYMS
107683+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
107684 static inline bool sect_empty(const Elf_Shdr *sect)
107685 {
107686 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
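Review bot: The new condition `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` carries no comment, and the matching `#else`/`#endif` lie outside the hunk, so any `/* CONFIG_KALLSYMS */` marker on them is now stale. In mainline this block builds the per-module section attributes in sysfs, which report section load addresses. If that is what HIDESYM is meant to suppress, say so next to the condition, e.g. `/* HIDESYM: do not expose module section addresses via sysfs */`, and update the marker on the closing directive to match.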
107687@@ -1582,7 +1636,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
107688 {
107689 unsigned int notes, loaded, i;
107690 struct module_notes_attrs *notes_attrs;
107691- struct bin_attribute *nattr;
107692+ bin_attribute_no_const *nattr;
107693
107694 /* failed to create section attributes, so can't create notes */
107695 if (!mod->sect_attrs)
107696@@ -1694,7 +1748,7 @@ static void del_usage_links(struct module *mod)
107697 static int module_add_modinfo_attrs(struct module *mod)
107698 {
107699 struct module_attribute *attr;
107700- struct module_attribute *temp_attr;
107701+ module_attribute_no_const *temp_attr;
107702 int error = 0;
107703 int i;
107704
107705@@ -1911,21 +1965,21 @@ static void set_section_ro_nx(void *base,
107706
107707 static void unset_module_core_ro_nx(struct module *mod)
107708 {
107709- set_page_attributes(mod->module_core + mod->core_text_size,
107710- mod->module_core + mod->core_size,
107711+ set_page_attributes(mod->module_core_rw,
107712+ mod->module_core_rw + mod->core_size_rw,
107713 set_memory_x);
107714- set_page_attributes(mod->module_core,
107715- mod->module_core + mod->core_ro_size,
107716+ set_page_attributes(mod->module_core_rx,
107717+ mod->module_core_rx + mod->core_size_rx,
107718 set_memory_rw);
107719 }
107720
107721 static void unset_module_init_ro_nx(struct module *mod)
107722 {
107723- set_page_attributes(mod->module_init + mod->init_text_size,
107724- mod->module_init + mod->init_size,
107725+ set_page_attributes(mod->module_init_rw,
107726+ mod->module_init_rw + mod->init_size_rw,
107727 set_memory_x);
107728- set_page_attributes(mod->module_init,
107729- mod->module_init + mod->init_ro_size,
107730+ set_page_attributes(mod->module_init_rx,
107731+ mod->module_init_rx + mod->init_size_rx,
107732 set_memory_rw);
107733 }
107734
107735@@ -1938,14 +1992,14 @@ void set_all_modules_text_rw(void)
107736 list_for_each_entry_rcu(mod, &modules, list) {
107737 if (mod->state == MODULE_STATE_UNFORMED)
107738 continue;
107739- if ((mod->module_core) && (mod->core_text_size)) {
107740- set_page_attributes(mod->module_core,
107741- mod->module_core + mod->core_text_size,
107742+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
107743+ set_page_attributes(mod->module_core_rx,
107744+ mod->module_core_rx + mod->core_size_rx,
107745 set_memory_rw);
107746 }
107747- if ((mod->module_init) && (mod->init_text_size)) {
107748- set_page_attributes(mod->module_init,
107749- mod->module_init + mod->init_text_size,
107750+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
107751+ set_page_attributes(mod->module_init_rx,
107752+ mod->module_init_rx + mod->init_size_rx,
107753 set_memory_rw);
107754 }
107755 }
107756@@ -1961,14 +2015,14 @@ void set_all_modules_text_ro(void)
107757 list_for_each_entry_rcu(mod, &modules, list) {
107758 if (mod->state == MODULE_STATE_UNFORMED)
107759 continue;
107760- if ((mod->module_core) && (mod->core_text_size)) {
107761- set_page_attributes(mod->module_core,
107762- mod->module_core + mod->core_text_size,
107763+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
107764+ set_page_attributes(mod->module_core_rx,
107765+ mod->module_core_rx + mod->core_size_rx,
107766 set_memory_ro);
107767 }
107768- if ((mod->module_init) && (mod->init_text_size)) {
107769- set_page_attributes(mod->module_init,
107770- mod->module_init + mod->init_text_size,
107771+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
107772+ set_page_attributes(mod->module_init_rx,
107773+ mod->module_init_rx + mod->init_size_rx,
107774 set_memory_ro);
107775 }
107776 }
107777@@ -1977,7 +2031,15 @@ void set_all_modules_text_ro(void)
107778 #else
107779 static inline void set_section_ro_nx(void *base, unsigned long text_size, unsigned long ro_size, unsigned long total_size) { }
107780 static void unset_module_core_ro_nx(struct module *mod) { }
107781-static void unset_module_init_ro_nx(struct module *mod) { }
107782+static void unset_module_init_ro_nx(struct module *mod)
107783+{
107784+
107785+#ifdef CONFIG_PAX_KERNEXEC
107786+ set_memory_nx((unsigned long)mod->module_init_rx, PFN_UP(mod->init_size_rx));
107787+ set_memory_rw((unsigned long)mod->module_init_rx, PFN_UP(mod->init_size_rx));
107788+#endif
107789+
107790+}
107791 #endif
107792
107793 void __weak module_memfree(void *module_region)
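Review bot: The new CONFIG_PAX_KERNEXEC body of `unset_module_init_ro_nx()` ignores the return values of `set_memory_nx()` and `set_memory_rw()`, so a failed attribute change goes unnoticed before `free_module()` hands the region to `module_memfree_exec()` in the next hunk. Wrapping each call as `WARN_ON(set_memory_nx(...));` would surface that. The neighbouring `unset_module_core_ro_nx()` stub stays empty, and nothing here says why only the init region is reset on this path; a one-line comment would answer that. The caller's comment notes the pointer may be NULL, in which case the calls are made with address 0 and a page count of `PFN_UP(0)`, which is worth confirming as a no-op.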
107794@@ -2032,16 +2094,19 @@ static void free_module(struct module *mod)
107795 /* This may be NULL, but that's OK */
107796 unset_module_init_ro_nx(mod);
107797 module_arch_freeing_init(mod);
107798- module_memfree(mod->module_init);
107799+ module_memfree(mod->module_init_rw);
107800+ module_memfree_exec(mod->module_init_rx);
107801 kfree(mod->args);
107802 percpu_modfree(mod);
107803
107804 /* Free lock-classes; relies on the preceding sync_rcu(). */
107805- lockdep_free_key_range(mod->module_core, mod->core_size);
107806+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
107807+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
107808
107809 /* Finally, free the core (containing the module structure) */
107810 unset_module_core_ro_nx(mod);
107811- module_memfree(mod->module_core);
107812+ module_memfree_exec(mod->module_core_rx);
107813+ module_memfree(mod->module_core_rw);
107814
107815 #ifdef CONFIG_MPU
107816 update_protections(current->mm);
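Review bot: The order of the two core frees in `free_module()` is load-bearing but undocumented: `mod->module_core_rw` is read after `module_memfree_exec(mod->module_core_rx)` has already run, which is only safe if `struct module` itself lives in the RW region. The existing comment says only that the core contains the module structure, not which half. Extending it would protect the ordering against a later reshuffle, e.g. `/* Finally, free the core; core_rw holds struct module, so it must go last */`, assuming that placement is correct. `free_module()` starts above the hunk and continues below it.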
107817@@ -2110,9 +2175,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107818 int ret = 0;
107819 const struct kernel_symbol *ksym;
107820
107821+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107822+ int is_fs_load = 0;
107823+ int register_filesystem_found = 0;
107824+ char *p;
107825+
107826+ p = strstr(mod->args, "grsec_modharden_fs");
107827+ if (p) {
107828+ char *endptr = p + sizeof("grsec_modharden_fs") - 1;
107829+ /* copy \0 as well */
107830+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
107831+ is_fs_load = 1;
107832+ }
107833+#endif
107834+
107835 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
107836 const char *name = info->strtab + sym[i].st_name;
107837
107838+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107839+ /* it's a real shame this will never get ripped and copied
107840+ upstream! ;(
107841+ */
107842+ if (is_fs_load && !strcmp(name, "register_filesystem"))
107843+ register_filesystem_found = 1;
107844+#endif
107845+
107846 switch (sym[i].st_shndx) {
107847 case SHN_COMMON:
107848 /* Ignore common symbols */
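Review bot: In the CONFIG_GRKERNSEC_MODHARDEN block of `simplify_symbols()`, `strstr(mod->args, "grsec_modharden_fs")` matches the marker anywhere in the argument string, including inside another parameter's value, and the `memmove()` then cuts it out of that value. The marker is in-band data; matching it only at a token boundary, or passing the flag out of band, would avoid that. Separately, the `strcmp(name, "register_filesystem")` test runs before the `switch (sym[i].st_shndx)`, so it counts any symbol-table entry with that name rather than only an unresolved import; moving it into the undefined-symbol case would tie the check to an actual dependency. A comment saying where the marker is appended would help, since that code is not in this file's hunks. The function begins above the hunk and continues below it.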
107849@@ -2137,7 +2224,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107850 ksym = resolve_symbol_wait(mod, info, name);
107851 /* Ok if resolved. */
107852 if (ksym && !IS_ERR(ksym)) {
107853+ pax_open_kernel();
107854 sym[i].st_value = ksym->value;
107855+ pax_close_kernel();
107856 break;
107857 }
107858
107859@@ -2156,11 +2245,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107860 secbase = (unsigned long)mod_percpu(mod);
107861 else
107862 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
107863+ pax_open_kernel();
107864 sym[i].st_value += secbase;
107865+ pax_close_kernel();
107866 break;
107867 }
107868 }
107869
107870+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107871+ if (is_fs_load && !register_filesystem_found) {
107872+ printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
107873+ ret = -EPERM;
107874+ }
107875+#endif
107876+
107877 return ret;
107878 }
107879
107880@@ -2244,22 +2342,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
107881 || s->sh_entsize != ~0UL
107882 || strstarts(sname, ".init"))
107883 continue;
107884- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
107885+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
107886+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
107887+ else
107888+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
107889 pr_debug("\t%s\n", sname);
107890 }
107891- switch (m) {
107892- case 0: /* executable */
107893- mod->core_size = debug_align(mod->core_size);
107894- mod->core_text_size = mod->core_size;
107895- break;
107896- case 1: /* RO: text and ro-data */
107897- mod->core_size = debug_align(mod->core_size);
107898- mod->core_ro_size = mod->core_size;
107899- break;
107900- case 3: /* whole core */
107901- mod->core_size = debug_align(mod->core_size);
107902- break;
107903- }
107904 }
107905
107906 pr_debug("Init section allocation order:\n");
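Review bot: The new placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` never looks at SHF_EXECINSTR, so every allocated read-only section, data as well as code, is laid out in `core_size_rx`, and in `init_size_rx` in the init hunk below. If the `_rx` region is mapped executable as a whole, read-only data becomes executable too; a comment stating that this is intended would help. The hunk also removes the `debug_align()` rounding of the region sizes, so anything that changes page attributes on `base + size` now has to round up itself (the KERNEXEC stub earlier uses `PFN_UP()`). `layout_sections()` starts above the hunk.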
107907@@ -2273,23 +2361,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
107908 || s->sh_entsize != ~0UL
107909 || !strstarts(sname, ".init"))
107910 continue;
107911- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
107912- | INIT_OFFSET_MASK);
107913+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
107914+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
107915+ else
107916+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
107917+ s->sh_entsize |= INIT_OFFSET_MASK;
107918 pr_debug("\t%s\n", sname);
107919 }
107920- switch (m) {
107921- case 0: /* executable */
107922- mod->init_size = debug_align(mod->init_size);
107923- mod->init_text_size = mod->init_size;
107924- break;
107925- case 1: /* RO: text and ro-data */
107926- mod->init_size = debug_align(mod->init_size);
107927- mod->init_ro_size = mod->init_size;
107928- break;
107929- case 3: /* whole init */
107930- mod->init_size = debug_align(mod->init_size);
107931- break;
107932- }
107933 }
107934 }
107935
107936@@ -2462,7 +2540,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
107937
107938 /* Put symbol section at end of init part of module. */
107939 symsect->sh_flags |= SHF_ALLOC;
107940- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
107941+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
107942 info->index.sym) | INIT_OFFSET_MASK;
107943 pr_debug("\t%s\n", info->secstrings + symsect->sh_name);
107944
107945@@ -2479,16 +2557,16 @@ static void layout_symtab(struct module *mod, struct load_info *info)
107946 }
107947
107948 /* Append room for core symbols at end of core part. */
107949- info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
107950- info->stroffs = mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
107951- mod->core_size += strtab_size;
107952- mod->core_size = debug_align(mod->core_size);
107953+ info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
107954+ info->stroffs = mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
107955+ mod->core_size_rx += strtab_size;
107956+ mod->core_size_rx = debug_align(mod->core_size_rx);
107957
107958 /* Put string table section at end of init part of module. */
107959 strsect->sh_flags |= SHF_ALLOC;
107960- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
107961+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
107962 info->index.str) | INIT_OFFSET_MASK;
107963- mod->init_size = debug_align(mod->init_size);
107964+ mod->init_size_rx = debug_align(mod->init_size_rx);
107965 pr_debug("\t%s\n", info->secstrings + strsect->sh_name);
107966 }
107967
107968@@ -2505,12 +2583,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
107969 /* Make sure we get permanent strtab: don't use info->strtab. */
107970 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
107971
107972+ pax_open_kernel();
107973+
107974 /* Set types up while we still have access to sections. */
107975 for (i = 0; i < mod->num_symtab; i++)
107976 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
107977
107978- mod->core_symtab = dst = mod->module_core + info->symoffs;
107979- mod->core_strtab = s = mod->module_core + info->stroffs;
107980+ mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
107981+ mod->core_strtab = s = mod->module_core_rx + info->stroffs;
107982 src = mod->symtab;
107983 for (ndst = i = 0; i < mod->num_symtab; i++) {
107984 if (i == 0 ||
107985@@ -2522,6 +2602,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
107986 }
107987 }
107988 mod->core_num_syms = ndst;
107989+
107990+ pax_close_kernel();
107991 }
107992 #else
107993 static inline void layout_symtab(struct module *mod, struct load_info *info)
107994@@ -2821,7 +2903,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
107995 mod = (void *)info->sechdrs[info->index.mod].sh_addr;
107996
107997 if (info->index.sym == 0) {
107998+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
107999+ /*
108000+ * avoid potentially printing jibberish on attempted load
108001+ * of a module randomized with a different seed
108002+ */
108003+ pr_warn("module has no symbols (stripped?)\n");
108004+#else
108005 pr_warn("%s: module has no symbols (stripped?)\n", mod->name);
108006+#endif
108007 return ERR_PTR(-ENOEXEC);
108008 }
108009
108010@@ -2837,8 +2927,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
108011 static int check_modinfo(struct module *mod, struct load_info *info, int flags)
108012 {
108013 const char *modmagic = get_modinfo(info, "vermagic");
108014+ const char *license = get_modinfo(info, "license");
108015 int err;
108016
108017+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
108018+ if (!license || !license_is_gpl_compatible(license))
108019+ return -ENOEXEC;
108020+#endif
108021+
108022 if (flags & MODULE_INIT_IGNORE_VERMAGIC)
108023 modmagic = NULL;
108024
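Review bot: The license gate added to check_modinfo under `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR` returns `-ENOEXEC` without logging anything, so an administrator sees only a generic exec-format error when a module with a missing or non-GPL-compatible license is refused. A message before the return, for example `pr_err("module refused: license missing or not GPL-compatible\n");`, would make the refusal diagnosable. A short comment should also state why this configuration needs the restriction, since the hunk does not say. The function continues past the end of this hunk.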
108025@@ -2863,7 +2959,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
108026 }
108027
108028 /* Set up license info based on the info section */
108029- set_license(mod, get_modinfo(info, "license"));
108030+ set_license(mod, license);
108031
108032 return 0;
108033 }
108034@@ -2960,7 +3056,7 @@ static int move_module(struct module *mod, struct load_info *info)
108035 void *ptr;
108036
108037 /* Do the allocs. */
108038- ptr = module_alloc(mod->core_size);
108039+ ptr = module_alloc(mod->core_size_rw);
108040 /*
108041 * The pointer to this block is stored in the module structure
108042 * which is inside the block. Just mark it as not being a
108043@@ -2970,11 +3066,11 @@ static int move_module(struct module *mod, struct load_info *info)
108044 if (!ptr)
108045 return -ENOMEM;
108046
108047- memset(ptr, 0, mod->core_size);
108048- mod->module_core = ptr;
108049+ memset(ptr, 0, mod->core_size_rw);
108050+ mod->module_core_rw = ptr;
108051
108052- if (mod->init_size) {
108053- ptr = module_alloc(mod->init_size);
108054+ if (mod->init_size_rw) {
108055+ ptr = module_alloc(mod->init_size_rw);
108056 /*
108057 * The pointer to this block is stored in the module structure
108058 * which is inside the block. This block doesn't need to be
108059@@ -2983,13 +3079,45 @@ static int move_module(struct module *mod, struct load_info *info)
108060 */
108061 kmemleak_ignore(ptr);
108062 if (!ptr) {
108063- module_memfree(mod->module_core);
108064+ module_memfree(mod->module_core_rw);
108065 return -ENOMEM;
108066 }
108067- memset(ptr, 0, mod->init_size);
108068- mod->module_init = ptr;
108069+ memset(ptr, 0, mod->init_size_rw);
108070+ mod->module_init_rw = ptr;
108071 } else
108072- mod->module_init = NULL;
108073+ mod->module_init_rw = NULL;
108074+
108075+ ptr = module_alloc_exec(mod->core_size_rx);
108076+ kmemleak_not_leak(ptr);
108077+ if (!ptr) {
108078+ if (mod->module_init_rw)
108079+ module_memfree(mod->module_init_rw);
108080+ module_memfree(mod->module_core_rw);
108081+ return -ENOMEM;
108082+ }
108083+
108084+ pax_open_kernel();
108085+ memset(ptr, 0, mod->core_size_rx);
108086+ pax_close_kernel();
108087+ mod->module_core_rx = ptr;
108088+
108089+ if (mod->init_size_rx) {
108090+ ptr = module_alloc_exec(mod->init_size_rx);
108091+ kmemleak_ignore(ptr);
108092+ if (!ptr && mod->init_size_rx) {
108093+ module_memfree_exec(mod->module_core_rx);
108094+ if (mod->module_init_rw)
108095+ module_memfree(mod->module_init_rw);
108096+ module_memfree(mod->module_core_rw);
108097+ return -ENOMEM;
108098+ }
108099+
108100+ pax_open_kernel();
108101+ memset(ptr, 0, mod->init_size_rx);
108102+ pax_close_kernel();
108103+ mod->module_init_rx = ptr;
108104+ } else
108105+ mod->module_init_rx = NULL;
108106
108107 /* Transfer each section which specifies SHF_ALLOC */
108108 pr_debug("final section addresses:\n");
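Review bot: In the new `_rx` init allocation the failure test `if (!ptr && mod->init_size_rx)` repeats a condition that the enclosing `if (mod->init_size_rx)` already guarantees; `if (!ptr) {` says the same thing and matches the other allocation checks in move_module. The unwinding is also written out three times with a growing list of frees, which is easy to get out of step when another region is added. A single set of cleanup labels at the end of the function would keep the free order in one place. move_module starts before this hunk and continues after it.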
108109@@ -3000,16 +3128,45 @@ static int move_module(struct module *mod, struct load_info *info)
108110 if (!(shdr->sh_flags & SHF_ALLOC))
108111 continue;
108112
108113- if (shdr->sh_entsize & INIT_OFFSET_MASK)
108114- dest = mod->module_init
108115- + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
108116- else
108117- dest = mod->module_core + shdr->sh_entsize;
108118+ if (shdr->sh_entsize & INIT_OFFSET_MASK) {
108119+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
108120+ dest = mod->module_init_rw
108121+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
108122+ else
108123+ dest = mod->module_init_rx
108124+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
108125+ } else {
108126+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
108127+ dest = mod->module_core_rw + shdr->sh_entsize;
108128+ else
108129+ dest = mod->module_core_rx + shdr->sh_entsize;
108130+ }
108131+
108132+ if (shdr->sh_type != SHT_NOBITS) {
108133+
108134+#ifdef CONFIG_PAX_KERNEXEC
108135+#ifdef CONFIG_X86_64
108136+ if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
108137+ set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
108138+#endif
108139+ if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
108140+ pax_open_kernel();
108141+ memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
108142+ pax_close_kernel();
108143+ } else
108144+#endif
108145
108146- if (shdr->sh_type != SHT_NOBITS)
108147 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
108148+ }
108149 /* Update sh_addr to point to copy in image. */
108150- shdr->sh_addr = (unsigned long)dest;
108151+
108152+#ifdef CONFIG_PAX_KERNEXEC
108153+ if (shdr->sh_flags & SHF_EXECINSTR)
108154+ shdr->sh_addr = ktva_ktla((unsigned long)dest);
108155+ else
108156+#endif
108157+
108158+ shdr->sh_addr = (unsigned long)dest;
108159 pr_debug("\t0x%lx %s\n",
108160 (long)shdr->sh_addr, info->secstrings + shdr->sh_name);
108161 }
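Review bot: Sections carrying both `SHF_WRITE` and `SHF_EXECINSTR` are placed in the `_rw` allocation by the destination selection and then made executable by `set_memory_x()` under `CONFIG_X86_64`, which presumably leaves that range both writable and executable, and nothing is logged when it happens. The page count `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT` ignores where `dest` falls inside its page, so it can cover one page too many when `sh_size` is a page multiple, or miss the last page when the section straddles a boundary. `DIV_ROUND_UP(offset_in_page(dest) + shdr->sh_size, PAGE_SIZE)` would bound it to the section, and a `pr_warn` naming the section would make such modules visible. Separately, the `!(shdr->sh_flags & SHF_ALLOC)` tests in the destination selection and the `(shdr->sh_flags & SHF_ALLOC)` test before the guarded memcpy can never change the outcome, because the loop already does `continue` for sections without `SHF_ALLOC`. The loop begins outside this hunk.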
108162@@ -3066,12 +3223,12 @@ static void flush_module_icache(const struct module *mod)
108163 * Do it before processing of module parameters, so the module
108164 * can provide parameter accessor functions of its own.
108165 */
108166- if (mod->module_init)
108167- flush_icache_range((unsigned long)mod->module_init,
108168- (unsigned long)mod->module_init
108169- + mod->init_size);
108170- flush_icache_range((unsigned long)mod->module_core,
108171- (unsigned long)mod->module_core + mod->core_size);
108172+ if (mod->module_init_rx)
108173+ flush_icache_range((unsigned long)mod->module_init_rx,
108174+ (unsigned long)mod->module_init_rx
108175+ + mod->init_size_rx);
108176+ flush_icache_range((unsigned long)mod->module_core_rx,
108177+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
108178
108179 set_fs(old_fs);
108180 }
108181@@ -3129,8 +3286,10 @@ static void module_deallocate(struct module *mod, struct load_info *info)
108182 {
108183 percpu_modfree(mod);
108184 module_arch_freeing_init(mod);
108185- module_memfree(mod->module_init);
108186- module_memfree(mod->module_core);
108187+ module_memfree_exec(mod->module_init_rx);
108188+ module_memfree_exec(mod->module_core_rx);
108189+ module_memfree(mod->module_init_rw);
108190+ module_memfree(mod->module_core_rw);
108191 }
108192
108193 int __weak module_finalize(const Elf_Ehdr *hdr,
108194@@ -3143,7 +3302,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
108195 static int post_relocation(struct module *mod, const struct load_info *info)
108196 {
108197 /* Sort exception table now relocations are done. */
108198+ pax_open_kernel();
108199 sort_extable(mod->extable, mod->extable + mod->num_exentries);
108200+ pax_close_kernel();
108201
108202 /* Copy relocated percpu area over. */
108203 percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
108204@@ -3191,13 +3352,15 @@ static void do_mod_ctors(struct module *mod)
108205 /* For freeing module_init on success, in case kallsyms traversing */
108206 struct mod_initfree {
108207 struct rcu_head rcu;
108208- void *module_init;
108209+ void *module_init_rw;
108210+ void *module_init_rx;
108211 };
108212
108213 static void do_free_init(struct rcu_head *head)
108214 {
108215 struct mod_initfree *m = container_of(head, struct mod_initfree, rcu);
108216- module_memfree(m->module_init);
108217+ module_memfree(m->module_init_rw);
108218+ module_memfree_exec(m->module_init_rx);
108219 kfree(m);
108220 }
108221
108222@@ -3217,7 +3380,8 @@ static noinline int do_init_module(struct module *mod)
108223 ret = -ENOMEM;
108224 goto fail;
108225 }
108226- freeinit->module_init = mod->module_init;
108227+ freeinit->module_init_rw = mod->module_init_rw;
108228+ freeinit->module_init_rx = mod->module_init_rx;
108229
108230 /*
108231 * We want to find out whether @mod uses async during init. Clear
108232@@ -3277,10 +3441,10 @@ static noinline int do_init_module(struct module *mod)
108233 mod_tree_remove_init(mod);
108234 unset_module_init_ro_nx(mod);
108235 module_arch_freeing_init(mod);
108236- mod->module_init = NULL;
108237- mod->init_size = 0;
108238- mod->init_ro_size = 0;
108239- mod->init_text_size = 0;
108240+ mod->module_init_rw = NULL;
108241+ mod->module_init_rx = NULL;
108242+ mod->init_size_rw = 0;
108243+ mod->init_size_rx = 0;
108244 /*
108245 * We want to free module_init, but be aware that kallsyms may be
108246 * walking this with preempt disabled. In all the failure paths, we
108247@@ -3370,16 +3534,16 @@ static int complete_formation(struct module *mod, struct load_info *info)
108248 module_bug_finalize(info->hdr, info->sechdrs, mod);
108249
108250 /* Set RO and NX regions for core */
108251- set_section_ro_nx(mod->module_core,
108252- mod->core_text_size,
108253- mod->core_ro_size,
108254- mod->core_size);
108255+ set_section_ro_nx(mod->module_core_rx,
108256+ mod->core_size_rx,
108257+ mod->core_size_rx,
108258+ mod->core_size_rx);
108259
108260 /* Set RO and NX regions for init */
108261- set_section_ro_nx(mod->module_init,
108262- mod->init_text_size,
108263- mod->init_ro_size,
108264- mod->init_size);
108265+ set_section_ro_nx(mod->module_init_rx,
108266+ mod->init_size_rx,
108267+ mod->init_size_rx,
108268+ mod->init_size_rx);
108269
108270 /* Mark state as coming so strong_try_module_get() ignores us,
108271 * but kallsyms etc. can see us. */
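Review bot: Both `set_section_ro_nx()` calls in complete_formation now pass the `_rx` size as the text, read-only and total arguments, and the `_rw` regions are never passed to it at all. If the helper keeps its usual meaning of marking the range between text size and total size NX, no part of the `_rx` region is made non-executable. Read-only data copied into `_rx` by move_module (every SHF_ALLOC section without SHF_WRITE) would then stay executable, and NX for writable data would depend entirely on how `module_alloc()` maps the `_rw` allocation. A comment should state that assumption, e.g. `/* _rw regions rely on module_alloc() returning NX mappings; _rx holds text and rodata, mapped RO+X as a whole */`, so a later allocator change does not silently drop NX. complete_formation starts and ends outside this hunk.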
108272@@ -3474,9 +3638,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
108273 if (err)
108274 goto free_unload;
108275
108276+ /* Now copy in args */
108277+ mod->args = strndup_user(uargs, ~0UL >> 1);
108278+ if (IS_ERR(mod->args)) {
108279+ err = PTR_ERR(mod->args);
108280+ goto free_unload;
108281+ }
108282+
108283 /* Set up MODINFO_ATTR fields */
108284 setup_modinfo(mod, info);
108285
108286+#ifdef CONFIG_GRKERNSEC_MODHARDEN
108287+ {
108288+ char *p, *p2;
108289+
108290+ if (strstr(mod->args, "grsec_modharden_netdev")) {
108291+ printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
108292+ err = -EPERM;
108293+ goto free_modinfo;
108294+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
108295+ p += sizeof("grsec_modharden_normal") - 1;
108296+ p2 = strstr(p, "_");
108297+ if (p2) {
108298+ *p2 = '\0';
108299+ printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
108300+ *p2 = '_';
108301+ }
108302+ err = -EPERM;
108303+ goto free_modinfo;
108304+ }
108305+ }
108306+#endif
108307+
108308 /* Fix up syms, so that st_value is a pointer to location. */
108309 err = simplify_symbols(mod, info);
108310 if (err < 0)
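Review bot: The first `printk(KERN_ALERT ...)` in the `CONFIG_GRKERNSEC_MODHARDEN` block ends with `instead."` and no newline, unlike the second message, so the alert can run together with whatever is logged next; end the format with `instead.\n`. The block also recognises the request by `strstr()` anywhere in `mod->args` and takes the uid from the text following the marker, so the argument string doubles as a control channel. A comment naming who appends these markers and in what format would make that contract reviewable. When the `grsec_modharden_normal` marker is present but no `_` follows it, the load is denied without any log line, which should either be logged or noted. load_module starts before this hunk and continues after it.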
108311@@ -3492,13 +3685,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
108312
108313 flush_module_icache(mod);
108314
108315- /* Now copy in args */
108316- mod->args = strndup_user(uargs, ~0UL >> 1);
108317- if (IS_ERR(mod->args)) {
108318- err = PTR_ERR(mod->args);
108319- goto free_arch_cleanup;
108320- }
108321-
108322 dynamic_debug_setup(info->debug, info->num_debug);
108323
108324 /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */
108325@@ -3550,11 +3736,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
108326 ddebug_cleanup:
108327 dynamic_debug_remove(info->debug);
108328 synchronize_sched();
108329- kfree(mod->args);
108330- free_arch_cleanup:
108331 module_arch_cleanup(mod);
108332 free_modinfo:
108333 free_modinfo(mod);
108334+ kfree(mod->args);
108335 free_unload:
108336 module_unload_free(mod);
108337 unlink_mod:
108338@@ -3568,7 +3753,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
108339 mutex_unlock(&module_mutex);
108340 free_module:
108341 /* Free lock-classes; relies on the preceding sync_rcu() */
108342- lockdep_free_key_range(mod->module_core, mod->core_size);
108343+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
108344+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
108345
108346 module_deallocate(mod, info);
108347 free_copy:
108348@@ -3645,10 +3831,16 @@ static const char *get_ksymbol(struct module *mod,
108349 unsigned long nextval;
108350
108351 /* At worse, next value is at end of module */
108352- if (within_module_init(addr, mod))
108353- nextval = (unsigned long)mod->module_init+mod->init_text_size;
108354+ if (within_module_init_rx(addr, mod))
108355+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
108356+ else if (within_module_init_rw(addr, mod))
108357+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
108358+ else if (within_module_core_rx(addr, mod))
108359+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
108360+ else if (within_module_core_rw(addr, mod))
108361+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
108362 else
108363- nextval = (unsigned long)mod->module_core+mod->core_text_size;
108364+ return NULL;
108365
108366 /* Scan for closest preceding symbol, and next symbol. (ELF
108367 starts real symbols at 1). */
108368@@ -3895,7 +4087,7 @@ static int m_show(struct seq_file *m, void *p)
108369 return 0;
108370
108371 seq_printf(m, "%s %u",
108372- mod->name, mod->init_size + mod->core_size);
108373+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
108374 print_unload_info(m, mod);
108375
108376 /* Informative for users. */
108377@@ -3904,7 +4096,7 @@ static int m_show(struct seq_file *m, void *p)
108378 mod->state == MODULE_STATE_COMING ? "Loading" :
108379 "Live");
108380 /* Used by oprofile and other similar tools. */
108381- seq_printf(m, " 0x%pK", mod->module_core);
108382+ seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
108383
108384 /* Taints info */
108385 if (mod->taints)
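Review bot: The `/proc/modules` line now prints two addresses (`" 0x%pK 0x%pK"`) where the existing comment says the field is used by oprofile and similar tools, so a parser that expects a single address followed by the taint field will misread the second address. Either keep the `_rx` base as the only address in that column, or document the new column in the comment, e.g. `/* core text (_rx) base, then core data (_rw) base; tools must accept the extra field */`. The size printed in the earlier m_show hunk is likewise the sum of four separately allocated regions, which deserves the same comment. m_show starts outside this hunk.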
108386@@ -3940,7 +4132,17 @@ static const struct file_operations proc_modules_operations = {
108387
108388 static int __init proc_modules_init(void)
108389 {
108390+#ifndef CONFIG_GRKERNSEC_HIDESYM
108391+#ifdef CONFIG_GRKERNSEC_PROC_USER
108392+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
108393+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
108394+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
108395+#else
108396 proc_create("modules", 0, NULL, &proc_modules_operations);
108397+#endif
108398+#else
108399+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
108400+#endif
108401 return 0;
108402 }
108403 module_init(proc_modules_init);
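Review bot: The permission selection in proc_modules_init is spread over two nested preprocessor conditionals that repeat the whole `proc_create()` call four times, with the `S_IRUSR` case written twice, which makes it hard to see which configuration yields which mode. Selecting the mode once and calling `proc_create()` once keeps the same outcomes and leaves a single place to audit.

```c
static int __init proc_modules_init(void)
{
	umode_t mode = 0;	/* 0 keeps proc_create()'s default mode */

#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)
	mode = S_IRUSR;
#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	mode = S_IRUSR | S_IRGRP;
#endif
	proc_create("modules", mode, NULL, &proc_modules_operations);
	/* … unchanged: return 0 … */
```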
108404@@ -4001,7 +4203,8 @@ struct module *__module_address(unsigned long addr)
108405 {
108406 struct module *mod;
108407
108408- if (addr < module_addr_min || addr > module_addr_max)
108409+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
108410+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
108411 return NULL;
108412
108413 module_assert_mutex_or_preempt();
108414@@ -4044,11 +4247,20 @@ bool is_module_text_address(unsigned long addr)
108415 */
108416 struct module *__module_text_address(unsigned long addr)
108417 {
108418- struct module *mod = __module_address(addr);
108419+ struct module *mod;
108420+
108421+#ifdef CONFIG_X86_32
108422+ addr = ktla_ktva(addr);
108423+#endif
108424+
108425+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
108426+ return NULL;
108427+
108428+ mod = __module_address(addr);
108429+
108430 if (mod) {
108431 /* Make sure it's within the text section. */
108432- if (!within(addr, mod->module_init, mod->init_text_size)
108433- && !within(addr, mod->module_core, mod->core_text_size))
108434+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
108435 mod = NULL;
108436 }
108437 return mod;
108438diff --git a/kernel/notifier.c b/kernel/notifier.c
108439index ae9fc7c..5085fbf 100644
108440--- a/kernel/notifier.c
108441+++ b/kernel/notifier.c
108442@@ -5,6 +5,7 @@
108443 #include <linux/rcupdate.h>
108444 #include <linux/vmalloc.h>
108445 #include <linux/reboot.h>
108446+#include <linux/mm.h>
108447
108448 /*
108449 * Notifier list for kernel code which wants to be called
108450@@ -24,10 +25,12 @@ static int notifier_chain_register(struct notifier_block **nl,
108451 while ((*nl) != NULL) {
108452 if (n->priority > (*nl)->priority)
108453 break;
108454- nl = &((*nl)->next);
108455+ nl = (struct notifier_block **)&((*nl)->next);
108456 }
108457- n->next = *nl;
108458+ pax_open_kernel();
108459+ *(const void **)&n->next = *nl;
108460 rcu_assign_pointer(*nl, n);
108461+ pax_close_kernel();
108462 return 0;
108463 }
108464
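Review bot: The store `*(const void **)&n->next = *nl;` in notifier_chain_register writes through a cast that discards the field's type, so the compiler no longer checks that `*nl` is a `struct notifier_block *`. The same line appears in notifier_chain_cond_register, and all three chain functions add `(struct notifier_block **)` casts when walking the list. These casts presumably exist because `struct notifier_block` is treated as const by the hardening build, but nothing in the file says so. A small static helper that takes typed arguments and does the open, store and close in one place, with a comment giving the reason, would keep the type check and the writable window in a single auditable spot. The function starts outside this hunk.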
108465@@ -39,10 +42,12 @@ static int notifier_chain_cond_register(struct notifier_block **nl,
108466 return 0;
108467 if (n->priority > (*nl)->priority)
108468 break;
108469- nl = &((*nl)->next);
108470+ nl = (struct notifier_block **)&((*nl)->next);
108471 }
108472- n->next = *nl;
108473+ pax_open_kernel();
108474+ *(const void **)&n->next = *nl;
108475 rcu_assign_pointer(*nl, n);
108476+ pax_close_kernel();
108477 return 0;
108478 }
108479
108480@@ -51,10 +56,12 @@ static int notifier_chain_unregister(struct notifier_block **nl,
108481 {
108482 while ((*nl) != NULL) {
108483 if ((*nl) == n) {
108484+ pax_open_kernel();
108485 rcu_assign_pointer(*nl, n->next);
108486+ pax_close_kernel();
108487 return 0;
108488 }
108489- nl = &((*nl)->next);
108490+ nl = (struct notifier_block **)&((*nl)->next);
108491 }
108492 return -ENOENT;
108493 }
108494diff --git a/kernel/padata.c b/kernel/padata.c
108495index b38bea9..91acfbe 100644
108496--- a/kernel/padata.c
108497+++ b/kernel/padata.c
108498@@ -54,7 +54,7 @@ static int padata_cpu_hash(struct parallel_data *pd)
108499 * seq_nr mod. number of cpus in use.
108500 */
108501
108502- seq_nr = atomic_inc_return(&pd->seq_nr);
108503+ seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
108504 cpu_index = seq_nr % cpumask_weight(pd->cpumask.pcpu);
108505
108506 return padata_index_to_cpu(pd, cpu_index);
108507@@ -428,7 +428,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_instance *pinst,
108508 padata_init_pqueues(pd);
108509 padata_init_squeues(pd);
108510 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
108511- atomic_set(&pd->seq_nr, -1);
108512+ atomic_set_unchecked(&pd->seq_nr, -1);
108513 atomic_set(&pd->reorder_objects, 0);
108514 atomic_set(&pd->refcnt, 0);
108515 pd->pinst = pinst;
108516diff --git a/kernel/panic.c b/kernel/panic.c
108517index 04e91ff..2419384 100644
108518--- a/kernel/panic.c
108519+++ b/kernel/panic.c
108520@@ -54,7 +54,7 @@ EXPORT_SYMBOL(panic_blink);
108521 /*
108522 * Stop ourself in panic -- architecture code may override this
108523 */
108524-void __weak panic_smp_self_stop(void)
108525+void __weak __noreturn panic_smp_self_stop(void)
108526 {
108527 while (1)
108528 cpu_relax();
108529@@ -426,7 +426,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
108530 disable_trace_on_warning();
108531
108532 pr_warn("------------[ cut here ]------------\n");
108533- pr_warn("WARNING: CPU: %d PID: %d at %s:%d %pS()\n",
108534+ pr_warn("WARNING: CPU: %d PID: %d at %s:%d %pA()\n",
108535 raw_smp_processor_id(), current->pid, file, line, caller);
108536
108537 if (args)
108538@@ -491,7 +491,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
108539 */
108540 __visible void __stack_chk_fail(void)
108541 {
108542- panic("stack-protector: Kernel stack is corrupted in: %p\n",
108543+ dump_stack();
108544+ panic("stack-protector: Kernel stack is corrupted in: %pA\n",
108545 __builtin_return_address(0));
108546 }
108547 EXPORT_SYMBOL(__stack_chk_fail);
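Review bot: Calling `dump_stack()` before `panic()` in __stack_chk_fail runs the unwinder on a stack that the canary check has just found corrupted, and `panic()` normally prints a trace itself when `CONFIG_DEBUG_BUGVERBOSE` is set, so the trace may appear twice. If the extra dump is wanted for kernels built without that option, say so in a comment, e.g. `/* panic() only dumps the stack with DEBUG_BUGVERBOSE; dump unconditionally here */`.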
108548diff --git a/kernel/pid.c b/kernel/pid.c
108549index 4fd07d5..02bce4f 100644
108550--- a/kernel/pid.c
108551+++ b/kernel/pid.c
108552@@ -33,6 +33,7 @@
108553 #include <linux/rculist.h>
108554 #include <linux/bootmem.h>
108555 #include <linux/hash.h>
108556+#include <linux/security.h>
108557 #include <linux/pid_namespace.h>
108558 #include <linux/init_task.h>
108559 #include <linux/syscalls.h>
108560@@ -47,7 +48,7 @@ struct pid init_struct_pid = INIT_STRUCT_PID;
108561
108562 int pid_max = PID_MAX_DEFAULT;
108563
108564-#define RESERVED_PIDS 300
108565+#define RESERVED_PIDS 500
108566
108567 int pid_max_min = RESERVED_PIDS + 1;
108568 int pid_max_max = PID_MAX_LIMIT;
108569@@ -451,10 +452,18 @@ EXPORT_SYMBOL(pid_task);
108570 */
108571 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
108572 {
108573+ struct task_struct *task;
108574+
108575 rcu_lockdep_assert(rcu_read_lock_held(),
108576 "find_task_by_pid_ns() needs rcu_read_lock()"
108577 " protection");
108578- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
108579+
108580+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
108581+
108582+ if (gr_pid_is_chrooted(task))
108583+ return NULL;
108584+
108585+ return task;
108586 }
108587
108588 struct task_struct *find_task_by_vpid(pid_t vnr)
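Review bot: `gr_pid_is_chrooted(task)` in find_task_by_pid_ns is called with whatever `pid_task()` returned, which is NULL when no task has that pid, and the helper's handling of NULL is not visible in this part of the patch. Unless it is documented to accept NULL, guard the call: `if (task && gr_pid_is_chrooted(task))`. The function's comment should also say that a task outside the caller's chroot is now reported as not found, since callers cannot tell that case from a missing pid.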
108589@@ -462,6 +471,14 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
108590 return find_task_by_pid_ns(vnr, task_active_pid_ns(current));
108591 }
108592
108593+struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
108594+{
108595+ rcu_lockdep_assert(rcu_read_lock_held(),
108596+ "find_task_by_pid_ns() needs rcu_read_lock()"
108597+ " protection");
108598+ return pid_task(find_pid_ns(vnr, task_active_pid_ns(current)), PIDTYPE_PID);
108599+}
108600+
108601 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
108602 {
108603 struct pid *pid;
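Review bot: find_task_by_vpid_unrestricted has no comment saying when it is acceptable to bypass the chroot check of find_task_by_pid_ns, which is the one thing a caller needs to know before choosing it. Its lockdep message is also copied unchanged and still names `find_task_by_pid_ns()`; it should read `"find_task_by_vpid_unrestricted() needs rcu_read_lock()"`. A short kernel-doc block listing the intended callers would keep the unrestricted lookup from spreading.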
108604diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
108605index a65ba13..f600dbb 100644
108606--- a/kernel/pid_namespace.c
108607+++ b/kernel/pid_namespace.c
108608@@ -274,7 +274,7 @@ static int pid_ns_ctl_handler(struct ctl_table *table, int write,
108609 void __user *buffer, size_t *lenp, loff_t *ppos)
108610 {
108611 struct pid_namespace *pid_ns = task_active_pid_ns(current);
108612- struct ctl_table tmp = *table;
108613+ ctl_table_no_const tmp = *table;
108614
108615 if (write && !ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN))
108616 return -EPERM;
108617diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
108618index 9e30231..75a6d97 100644
108619--- a/kernel/power/Kconfig
108620+++ b/kernel/power/Kconfig
108621@@ -24,6 +24,8 @@ config HIBERNATE_CALLBACKS
108622 config HIBERNATION
108623 bool "Hibernation (aka 'suspend to disk')"
108624 depends on SWAP && ARCH_HIBERNATION_POSSIBLE
108625+ depends on !GRKERNSEC_KMEM
108626+ depends on !PAX_MEMORY_SANITIZE
108627 select HIBERNATE_CALLBACKS
108628 select LZO_COMPRESS
108629 select LZO_DECOMPRESS
108630diff --git a/kernel/power/process.c b/kernel/power/process.c
108631index 564f786..361a18e 100644
108632--- a/kernel/power/process.c
108633+++ b/kernel/power/process.c
108634@@ -35,6 +35,7 @@ static int try_to_freeze_tasks(bool user_only)
108635 unsigned int elapsed_msecs;
108636 bool wakeup = false;
108637 int sleep_usecs = USEC_PER_MSEC;
108638+ bool timedout = false;
108639
108640 do_gettimeofday(&start);
108641
108642@@ -45,13 +46,20 @@ static int try_to_freeze_tasks(bool user_only)
108643
108644 while (true) {
108645 todo = 0;
108646+ if (time_after(jiffies, end_time))
108647+ timedout = true;
108648 read_lock(&tasklist_lock);
108649 for_each_process_thread(g, p) {
108650 if (p == current || !freeze_task(p))
108651 continue;
108652
108653- if (!freezer_should_skip(p))
108654+ if (!freezer_should_skip(p)) {
108655 todo++;
108656+ if (timedout) {
108657+ printk(KERN_ERR "Task refusing to freeze:\n");
108658+ sched_show_task(p);
108659+ }
108660+ }
108661 }
108662 read_unlock(&tasklist_lock);
108663
108664@@ -60,7 +68,7 @@ static int try_to_freeze_tasks(bool user_only)
108665 todo += wq_busy;
108666 }
108667
108668- if (!todo || time_after(jiffies, end_time))
108669+ if (!todo || timedout)
108670 break;
108671
108672 if (pm_wakeup_pending()) {
108673diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
108674index cf8c242..84e7843 100644
108675--- a/kernel/printk/printk.c
108676+++ b/kernel/printk/printk.c
108677@@ -475,7 +475,7 @@ static int log_store(int facility, int level,
108678 return msg->text_len;
108679 }
108680
108681-int dmesg_restrict = IS_ENABLED(CONFIG_SECURITY_DMESG_RESTRICT);
108682+int dmesg_restrict __read_only = IS_ENABLED(CONFIG_SECURITY_DMESG_RESTRICT);
108683
108684 static int syslog_action_restricted(int type)
108685 {
108686@@ -498,6 +498,11 @@ int check_syslog_permissions(int type, int source)
108687 if (source == SYSLOG_FROM_PROC && type != SYSLOG_ACTION_OPEN)
108688 goto ok;
108689
108690+#ifdef CONFIG_GRKERNSEC_DMESG
108691+ if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
108692+ return -EPERM;
108693+#endif
108694+
108695 if (syslog_action_restricted(type)) {
108696 if (capable(CAP_SYSLOG))
108697 goto ok;
108698diff --git a/kernel/profile.c b/kernel/profile.c
108699index a7bcd28..5b368fa 100644
108700--- a/kernel/profile.c
108701+++ b/kernel/profile.c
108702@@ -37,7 +37,7 @@ struct profile_hit {
108703 #define NR_PROFILE_HIT (PAGE_SIZE/sizeof(struct profile_hit))
108704 #define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ)
108705
108706-static atomic_t *prof_buffer;
108707+static atomic_unchecked_t *prof_buffer;
108708 static unsigned long prof_len, prof_shift;
108709
108710 int prof_on __read_mostly;
108711@@ -256,7 +256,7 @@ static void profile_flip_buffers(void)
108712 hits[i].pc = 0;
108713 continue;
108714 }
108715- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
108716+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
108717 hits[i].hits = hits[i].pc = 0;
108718 }
108719 }
108720@@ -317,9 +317,9 @@ static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
108721 * Add the current hit(s) and flush the write-queue out
108722 * to the global buffer:
108723 */
108724- atomic_add(nr_hits, &prof_buffer[pc]);
108725+ atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
108726 for (i = 0; i < NR_PROFILE_HIT; ++i) {
108727- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
108728+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
108729 hits[i].pc = hits[i].hits = 0;
108730 }
108731 out:
108732@@ -394,7 +394,7 @@ static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
108733 {
108734 unsigned long pc;
108735 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
108736- atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
108737+ atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
108738 }
108739 #endif /* !CONFIG_SMP */
108740
108741@@ -489,7 +489,7 @@ read_profile(struct file *file, char __user *buf, size_t count, loff_t *ppos)
108742 return -EFAULT;
108743 buf++; p++; count--; read++;
108744 }
108745- pnt = (char *)prof_buffer + p - sizeof(atomic_t);
108746+ pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
108747 if (copy_to_user(buf, (void *)pnt, count))
108748 return -EFAULT;
108749 read += count;
108750@@ -520,7 +520,7 @@ static ssize_t write_profile(struct file *file, const char __user *buf,
108751 }
108752 #endif
108753 profile_discard_flip_buffers();
108754- memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
108755+ memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
108756 return count;
108757 }
108758
108759diff --git a/kernel/ptrace.c b/kernel/ptrace.c
108760index c8e0e05..2be5614 100644
108761--- a/kernel/ptrace.c
108762+++ b/kernel/ptrace.c
108763@@ -321,7 +321,7 @@ static int ptrace_attach(struct task_struct *task, long request,
108764 if (seize)
108765 flags |= PT_SEIZED;
108766 rcu_read_lock();
108767- if (ns_capable(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
108768+ if (ns_capable_nolog(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
108769 flags |= PT_PTRACE_CAP;
108770 rcu_read_unlock();
108771 task->ptrace = flags;
108772@@ -514,7 +514,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
108773 break;
108774 return -EIO;
108775 }
108776- if (copy_to_user(dst, buf, retval))
108777+ if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
108778 return -EFAULT;
108779 copied += retval;
108780 src += retval;
108781@@ -802,7 +802,7 @@ int ptrace_request(struct task_struct *child, long request,
108782 bool seized = child->ptrace & PT_SEIZED;
108783 int ret = -EIO;
108784 siginfo_t siginfo, *si;
108785- void __user *datavp = (void __user *) data;
108786+ void __user *datavp = (__force void __user *) data;
108787 unsigned long __user *datalp = datavp;
108788 unsigned long flags;
108789
108790@@ -1048,14 +1048,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
108791 goto out;
108792 }
108793
108794+ if (gr_handle_ptrace(child, request)) {
108795+ ret = -EPERM;
108796+ goto out_put_task_struct;
108797+ }
108798+
108799 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
108800 ret = ptrace_attach(child, request, addr, data);
108801 /*
108802 * Some architectures need to do book-keeping after
108803 * a ptrace attach.
108804 */
108805- if (!ret)
108806+ if (!ret) {
108807 arch_ptrace_attach(child);
108808+ gr_audit_ptrace(child);
108809+ }
108810 goto out_put_task_struct;
108811 }
108812
108813@@ -1083,7 +1090,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
108814 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
108815 if (copied != sizeof(tmp))
108816 return -EIO;
108817- return put_user(tmp, (unsigned long __user *)data);
108818+ return put_user(tmp, (__force unsigned long __user *)data);
108819 }
108820
108821 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
108822@@ -1176,7 +1183,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
108823 }
108824
108825 COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
108826- compat_long_t, addr, compat_long_t, data)
108827+ compat_ulong_t, addr, compat_ulong_t, data)
108828 {
108829 struct task_struct *child;
108830 long ret;
108831@@ -1192,14 +1199,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
108832 goto out;
108833 }
108834
108835+ if (gr_handle_ptrace(child, request)) {
108836+ ret = -EPERM;
108837+ goto out_put_task_struct;
108838+ }
108839+
108840 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
108841 ret = ptrace_attach(child, request, addr, data);
108842 /*
108843 * Some architectures need to do book-keeping after
108844 * a ptrace attach.
108845 */
108846- if (!ret)
108847+ if (!ret) {
108848 arch_ptrace_attach(child);
108849+ gr_audit_ptrace(child);
108850+ }
108851 goto out_put_task_struct;
108852 }
108853
108854diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
108855index 59e32684..d2eb3d9 100644
108856--- a/kernel/rcu/rcutorture.c
108857+++ b/kernel/rcu/rcutorture.c
108858@@ -134,12 +134,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1],
108859 rcu_torture_count) = { 0 };
108860 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1],
108861 rcu_torture_batch) = { 0 };
108862-static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
108863-static atomic_t n_rcu_torture_alloc;
108864-static atomic_t n_rcu_torture_alloc_fail;
108865-static atomic_t n_rcu_torture_free;
108866-static atomic_t n_rcu_torture_mberror;
108867-static atomic_t n_rcu_torture_error;
108868+static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
108869+static atomic_unchecked_t n_rcu_torture_alloc;
108870+static atomic_unchecked_t n_rcu_torture_alloc_fail;
108871+static atomic_unchecked_t n_rcu_torture_free;
108872+static atomic_unchecked_t n_rcu_torture_mberror;
108873+static atomic_unchecked_t n_rcu_torture_error;
108874 static long n_rcu_torture_barrier_error;
108875 static long n_rcu_torture_boost_ktrerror;
108876 static long n_rcu_torture_boost_rterror;
108877@@ -148,7 +148,7 @@ static long n_rcu_torture_boosts;
108878 static long n_rcu_torture_timers;
108879 static long n_barrier_attempts;
108880 static long n_barrier_successes;
108881-static atomic_long_t n_cbfloods;
108882+static atomic_long_unchecked_t n_cbfloods;
108883 static struct list_head rcu_torture_removed;
108884
108885 static int rcu_torture_writer_state;
108886@@ -211,11 +211,11 @@ rcu_torture_alloc(void)
108887
108888 spin_lock_bh(&rcu_torture_lock);
108889 if (list_empty(&rcu_torture_freelist)) {
108890- atomic_inc(&n_rcu_torture_alloc_fail);
108891+ atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
108892 spin_unlock_bh(&rcu_torture_lock);
108893 return NULL;
108894 }
108895- atomic_inc(&n_rcu_torture_alloc);
108896+ atomic_inc_unchecked(&n_rcu_torture_alloc);
108897 p = rcu_torture_freelist.next;
108898 list_del_init(p);
108899 spin_unlock_bh(&rcu_torture_lock);
108900@@ -228,7 +228,7 @@ rcu_torture_alloc(void)
108901 static void
108902 rcu_torture_free(struct rcu_torture *p)
108903 {
108904- atomic_inc(&n_rcu_torture_free);
108905+ atomic_inc_unchecked(&n_rcu_torture_free);
108906 spin_lock_bh(&rcu_torture_lock);
108907 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
108908 spin_unlock_bh(&rcu_torture_lock);
108909@@ -309,7 +309,7 @@ rcu_torture_pipe_update_one(struct rcu_torture *rp)
108910 i = rp->rtort_pipe_count;
108911 if (i > RCU_TORTURE_PIPE_LEN)
108912 i = RCU_TORTURE_PIPE_LEN;
108913- atomic_inc(&rcu_torture_wcount[i]);
108914+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
108915 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
108916 rp->rtort_mbtest = 0;
108917 return true;
108918@@ -830,7 +830,7 @@ rcu_torture_cbflood(void *arg)
108919 VERBOSE_TOROUT_STRING("rcu_torture_cbflood task started");
108920 do {
108921 schedule_timeout_interruptible(cbflood_inter_holdoff);
108922- atomic_long_inc(&n_cbfloods);
108923+ atomic_long_inc_unchecked(&n_cbfloods);
108924 WARN_ON(signal_pending(current));
108925 for (i = 0; i < cbflood_n_burst; i++) {
108926 for (j = 0; j < cbflood_n_per_burst; j++) {
108927@@ -957,7 +957,7 @@ rcu_torture_writer(void *arg)
108928 i = old_rp->rtort_pipe_count;
108929 if (i > RCU_TORTURE_PIPE_LEN)
108930 i = RCU_TORTURE_PIPE_LEN;
108931- atomic_inc(&rcu_torture_wcount[i]);
108932+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
108933 old_rp->rtort_pipe_count++;
108934 switch (synctype[torture_random(&rand) % nsynctypes]) {
108935 case RTWS_DEF_FREE:
108936@@ -1095,7 +1095,7 @@ static void rcu_torture_timer(unsigned long unused)
108937 return;
108938 }
108939 if (p->rtort_mbtest == 0)
108940- atomic_inc(&n_rcu_torture_mberror);
108941+ atomic_inc_unchecked(&n_rcu_torture_mberror);
108942 spin_lock(&rand_lock);
108943 cur_ops->read_delay(&rand);
108944 n_rcu_torture_timers++;
108945@@ -1170,7 +1170,7 @@ rcu_torture_reader(void *arg)
108946 continue;
108947 }
108948 if (p->rtort_mbtest == 0)
108949- atomic_inc(&n_rcu_torture_mberror);
108950+ atomic_inc_unchecked(&n_rcu_torture_mberror);
108951 cur_ops->read_delay(&rand);
108952 preempt_disable();
108953 pipe_count = p->rtort_pipe_count;
108954@@ -1239,11 +1239,11 @@ rcu_torture_stats_print(void)
108955 rcu_torture_current,
108956 rcu_torture_current_version,
108957 list_empty(&rcu_torture_freelist),
108958- atomic_read(&n_rcu_torture_alloc),
108959- atomic_read(&n_rcu_torture_alloc_fail),
108960- atomic_read(&n_rcu_torture_free));
108961+ atomic_read_unchecked(&n_rcu_torture_alloc),
108962+ atomic_read_unchecked(&n_rcu_torture_alloc_fail),
108963+ atomic_read_unchecked(&n_rcu_torture_free));
108964 pr_cont("rtmbe: %d rtbke: %ld rtbre: %ld ",
108965- atomic_read(&n_rcu_torture_mberror),
108966+ atomic_read_unchecked(&n_rcu_torture_mberror),
108967 n_rcu_torture_boost_ktrerror,
108968 n_rcu_torture_boost_rterror);
108969 pr_cont("rtbf: %ld rtb: %ld nt: %ld ",
108970@@ -1255,17 +1255,17 @@ rcu_torture_stats_print(void)
108971 n_barrier_successes,
108972 n_barrier_attempts,
108973 n_rcu_torture_barrier_error);
108974- pr_cont("cbflood: %ld\n", atomic_long_read(&n_cbfloods));
108975+ pr_cont("cbflood: %ld\n", atomic_long_read_unchecked(&n_cbfloods));
108976
108977 pr_alert("%s%s ", torture_type, TORTURE_FLAG);
108978- if (atomic_read(&n_rcu_torture_mberror) != 0 ||
108979+ if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
108980 n_rcu_torture_barrier_error != 0 ||
108981 n_rcu_torture_boost_ktrerror != 0 ||
108982 n_rcu_torture_boost_rterror != 0 ||
108983 n_rcu_torture_boost_failure != 0 ||
108984 i > 1) {
108985 pr_cont("%s", "!!! ");
108986- atomic_inc(&n_rcu_torture_error);
108987+ atomic_inc_unchecked(&n_rcu_torture_error);
108988 WARN_ON_ONCE(1);
108989 }
108990 pr_cont("Reader Pipe: ");
108991@@ -1282,7 +1282,7 @@ rcu_torture_stats_print(void)
108992 pr_alert("%s%s ", torture_type, TORTURE_FLAG);
108993 pr_cont("Free-Block Circulation: ");
108994 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
108995- pr_cont(" %d", atomic_read(&rcu_torture_wcount[i]));
108996+ pr_cont(" %d", atomic_read_unchecked(&rcu_torture_wcount[i]));
108997 }
108998 pr_cont("\n");
108999
109000@@ -1636,7 +1636,7 @@ rcu_torture_cleanup(void)
109001
109002 rcu_torture_stats_print(); /* -After- the stats thread is stopped! */
109003
109004- if (atomic_read(&n_rcu_torture_error) || n_rcu_torture_barrier_error)
109005+ if (atomic_read_unchecked(&n_rcu_torture_error) || n_rcu_torture_barrier_error)
109006 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
109007 else if (torture_onoff_failures())
109008 rcu_torture_print_module_parms(cur_ops,
109009@@ -1761,18 +1761,18 @@ rcu_torture_init(void)
109010
109011 rcu_torture_current = NULL;
109012 rcu_torture_current_version = 0;
109013- atomic_set(&n_rcu_torture_alloc, 0);
109014- atomic_set(&n_rcu_torture_alloc_fail, 0);
109015- atomic_set(&n_rcu_torture_free, 0);
109016- atomic_set(&n_rcu_torture_mberror, 0);
109017- atomic_set(&n_rcu_torture_error, 0);
109018+ atomic_set_unchecked(&n_rcu_torture_alloc, 0);
109019+ atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
109020+ atomic_set_unchecked(&n_rcu_torture_free, 0);
109021+ atomic_set_unchecked(&n_rcu_torture_mberror, 0);
109022+ atomic_set_unchecked(&n_rcu_torture_error, 0);
109023 n_rcu_torture_barrier_error = 0;
109024 n_rcu_torture_boost_ktrerror = 0;
109025 n_rcu_torture_boost_rterror = 0;
109026 n_rcu_torture_boost_failure = 0;
109027 n_rcu_torture_boosts = 0;
109028 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
109029- atomic_set(&rcu_torture_wcount[i], 0);
109030+ atomic_set_unchecked(&rcu_torture_wcount[i], 0);
109031 for_each_possible_cpu(cpu) {
109032 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
109033 per_cpu(rcu_torture_count, cpu)[i] = 0;
109034diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
109035index c291bd6..8a01679 100644
109036--- a/kernel/rcu/tiny.c
109037+++ b/kernel/rcu/tiny.c
109038@@ -42,7 +42,7 @@
109039 /* Forward declarations for tiny_plugin.h. */
109040 struct rcu_ctrlblk;
109041 static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp);
109042-static void rcu_process_callbacks(struct softirq_action *unused);
109043+static void rcu_process_callbacks(void);
109044 static void __call_rcu(struct rcu_head *head,
109045 void (*func)(struct rcu_head *rcu),
109046 struct rcu_ctrlblk *rcp);
109047@@ -170,7 +170,7 @@ static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp)
109048 false));
109049 }
109050
109051-static void rcu_process_callbacks(struct softirq_action *unused)
109052+static __latent_entropy void rcu_process_callbacks(void)
109053 {
109054 __rcu_process_callbacks(&rcu_sched_ctrlblk);
109055 __rcu_process_callbacks(&rcu_bh_ctrlblk);
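Review bot: `__latent_entropy` is added to the definition of `rcu_process_callbacks()` here, but the forward declaration changed in the previous hunk (`static void rcu_process_callbacks(void);`) does not carry it, and the `rcu_process_callbacks()` in kernel/rcu/tree.c that this patch also converts to `(void)` is left unannotated. If the tree.c omission is deliberate it deserves a short comment; otherwise annotate both the same way, e.g. `static __latent_entropy void rcu_process_callbacks(void);` for the declaration. The switch from `struct softirq_action *unused` to `void` relies on the softirq registration prototype being changed elsewhere in the patch, which is not visible in this hunk.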
109056diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
109057index 65137bc..775d7ad 100644
109058--- a/kernel/rcu/tree.c
109059+++ b/kernel/rcu/tree.c
109060@@ -326,7 +326,7 @@ static void rcu_momentary_dyntick_idle(void)
109061 */
109062 rdtp = this_cpu_ptr(&rcu_dynticks);
109063 smp_mb__before_atomic(); /* Earlier stuff before QS. */
109064- atomic_add(2, &rdtp->dynticks); /* QS. */
109065+ atomic_add_unchecked(2, &rdtp->dynticks); /* QS. */
109066 smp_mb__after_atomic(); /* Later stuff after QS. */
109067 break;
109068 }
109069@@ -639,10 +639,10 @@ static void rcu_eqs_enter_common(long long oldval, bool user)
109070 rcu_prepare_for_idle();
109071 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
109072 smp_mb__before_atomic(); /* See above. */
109073- atomic_inc(&rdtp->dynticks);
109074+ atomic_inc_unchecked(&rdtp->dynticks);
109075 smp_mb__after_atomic(); /* Force ordering with next sojourn. */
109076 WARN_ON_ONCE(IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
109077- atomic_read(&rdtp->dynticks) & 0x1);
109078+ atomic_read_unchecked(&rdtp->dynticks) & 0x1);
109079 rcu_dynticks_task_enter();
109080
109081 /*
109082@@ -765,11 +765,11 @@ static void rcu_eqs_exit_common(long long oldval, int user)
109083
109084 rcu_dynticks_task_exit();
109085 smp_mb__before_atomic(); /* Force ordering w/previous sojourn. */
109086- atomic_inc(&rdtp->dynticks);
109087+ atomic_inc_unchecked(&rdtp->dynticks);
109088 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
109089 smp_mb__after_atomic(); /* See above. */
109090 WARN_ON_ONCE(IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
109091- !(atomic_read(&rdtp->dynticks) & 0x1));
109092+ !(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
109093 rcu_cleanup_after_idle();
109094 trace_rcu_dyntick(TPS("End"), oldval, rdtp->dynticks_nesting);
109095 if (IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
109096@@ -905,12 +905,12 @@ void rcu_nmi_enter(void)
109097 * to be in the outermost NMI handler that interrupted an RCU-idle
109098 * period (observation due to Andy Lutomirski).
109099 */
109100- if (!(atomic_read(&rdtp->dynticks) & 0x1)) {
109101+ if (!(atomic_read_unchecked(&rdtp->dynticks) & 0x1)) {
109102 smp_mb__before_atomic(); /* Force delay from prior write. */
109103- atomic_inc(&rdtp->dynticks);
109104+ atomic_inc_unchecked(&rdtp->dynticks);
109105 /* atomic_inc() before later RCU read-side crit sects */
109106 smp_mb__after_atomic(); /* See above. */
109107- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
109108+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
109109 incby = 1;
109110 }
109111 rdtp->dynticks_nmi_nesting += incby;
109112@@ -935,7 +935,7 @@ void rcu_nmi_exit(void)
109113 * to us!)
109114 */
109115 WARN_ON_ONCE(rdtp->dynticks_nmi_nesting <= 0);
109116- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
109117+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
109118
109119 /*
109120 * If the nesting level is not 1, the CPU wasn't RCU-idle, so
109121@@ -950,9 +950,9 @@ void rcu_nmi_exit(void)
109122 rdtp->dynticks_nmi_nesting = 0;
109123 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
109124 smp_mb__before_atomic(); /* See above. */
109125- atomic_inc(&rdtp->dynticks);
109126+ atomic_inc_unchecked(&rdtp->dynticks);
109127 smp_mb__after_atomic(); /* Force delay to next write. */
109128- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
109129+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
109130 }
109131
109132 /**
109133@@ -965,7 +965,7 @@ void rcu_nmi_exit(void)
109134 */
109135 bool notrace __rcu_is_watching(void)
109136 {
109137- return atomic_read(this_cpu_ptr(&rcu_dynticks.dynticks)) & 0x1;
109138+ return atomic_read_unchecked(this_cpu_ptr(&rcu_dynticks.dynticks)) & 0x1;
109139 }
109140
109141 /**
109142@@ -1048,7 +1048,7 @@ static int rcu_is_cpu_rrupt_from_idle(void)
109143 static int dyntick_save_progress_counter(struct rcu_data *rdp,
109144 bool *isidle, unsigned long *maxj)
109145 {
109146- rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
109147+ rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
109148 rcu_sysidle_check_cpu(rdp, isidle, maxj);
109149 if ((rdp->dynticks_snap & 0x1) == 0) {
109150 trace_rcu_fqs(rdp->rsp->name, rdp->gpnum, rdp->cpu, TPS("dti"));
109151@@ -1074,7 +1074,7 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp,
109152 int *rcrmp;
109153 unsigned int snap;
109154
109155- curr = (unsigned int)atomic_add_return(0, &rdp->dynticks->dynticks);
109156+ curr = (unsigned int)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
109157 snap = (unsigned int)rdp->dynticks_snap;
109158
109159 /*
109160@@ -2895,7 +2895,7 @@ __rcu_process_callbacks(struct rcu_state *rsp)
109161 /*
109162 * Do RCU core processing for the current CPU.
109163 */
109164-static void rcu_process_callbacks(struct softirq_action *unused)
109165+static void rcu_process_callbacks(void)
109166 {
109167 struct rcu_state *rsp;
109168
109169@@ -3319,11 +3319,11 @@ void synchronize_sched_expedited(void)
109170 * counter wrap on a 32-bit system. Quite a few more CPUs would of
109171 * course be required on a 64-bit system.
109172 */
109173- if (ULONG_CMP_GE((ulong)atomic_long_read(&rsp->expedited_start),
109174+ if (ULONG_CMP_GE((ulong)atomic_long_read_unchecked(&rsp->expedited_start),
109175 (ulong)atomic_long_read(&rsp->expedited_done) +
109176 ULONG_MAX / 8)) {
109177 wait_rcu_gp(call_rcu_sched);
109178- atomic_long_inc(&rsp->expedited_wrap);
109179+ atomic_long_inc_return_unchecked(&rsp->expedited_wrap);
109180 return;
109181 }
109182
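Review bot: `atomic_long_inc(&rsp->expedited_wrap)` was replaced with `atomic_long_inc_return_unchecked(&rsp->expedited_wrap)` and the returned value is discarded, whereas every other statistics counter in this function is converted to `atomic_long_inc_unchecked()`. The value-returning form looks unintended here (in the kernel's atomic API the value-returning operations also imply a full barrier, which a counter bump does not need); `atomic_long_inc_unchecked(&rsp->expedited_wrap);` would match the rest. It is also worth a comment that `expedited_done` deliberately stays a checked `atomic_long_t` while `expedited_start`, which it is compared against, becomes unchecked. `synchronize_sched_expedited()` starts before and continues after this hunk.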
109183@@ -3331,12 +3331,12 @@ void synchronize_sched_expedited(void)
109184 * Take a ticket. Note that atomic_inc_return() implies a
109185 * full memory barrier.
109186 */
109187- snap = atomic_long_inc_return(&rsp->expedited_start);
109188+ snap = atomic_long_inc_return_unchecked(&rsp->expedited_start);
109189 firstsnap = snap;
109190 if (!try_get_online_cpus()) {
109191 /* CPU hotplug operation in flight, fall back to normal GP. */
109192 wait_rcu_gp(call_rcu_sched);
109193- atomic_long_inc(&rsp->expedited_normal);
109194+ atomic_long_inc_unchecked(&rsp->expedited_normal);
109195 return;
109196 }
109197 WARN_ON_ONCE(cpu_is_offline(raw_smp_processor_id()));
109198@@ -3349,7 +3349,7 @@ void synchronize_sched_expedited(void)
109199 for_each_cpu(cpu, cm) {
109200 struct rcu_dynticks *rdtp = &per_cpu(rcu_dynticks, cpu);
109201
109202- if (!(atomic_add_return(0, &rdtp->dynticks) & 0x1))
109203+ if (!(atomic_add_return_unchecked(0, &rdtp->dynticks) & 0x1))
109204 cpumask_clear_cpu(cpu, cm);
109205 }
109206 if (cpumask_weight(cm) == 0)
109207@@ -3364,14 +3364,14 @@ void synchronize_sched_expedited(void)
109208 synchronize_sched_expedited_cpu_stop,
109209 NULL) == -EAGAIN) {
109210 put_online_cpus();
109211- atomic_long_inc(&rsp->expedited_tryfail);
109212+ atomic_long_inc_unchecked(&rsp->expedited_tryfail);
109213
109214 /* Check to see if someone else did our work for us. */
109215 s = atomic_long_read(&rsp->expedited_done);
109216 if (ULONG_CMP_GE((ulong)s, (ulong)firstsnap)) {
109217 /* ensure test happens before caller kfree */
109218 smp_mb__before_atomic(); /* ^^^ */
109219- atomic_long_inc(&rsp->expedited_workdone1);
109220+ atomic_long_inc_unchecked(&rsp->expedited_workdone1);
109221 free_cpumask_var(cm);
109222 return;
109223 }
109224@@ -3381,7 +3381,7 @@ void synchronize_sched_expedited(void)
109225 udelay(trycount * num_online_cpus());
109226 } else {
109227 wait_rcu_gp(call_rcu_sched);
109228- atomic_long_inc(&rsp->expedited_normal);
109229+ atomic_long_inc_unchecked(&rsp->expedited_normal);
109230 free_cpumask_var(cm);
109231 return;
109232 }
109233@@ -3391,7 +3391,7 @@ void synchronize_sched_expedited(void)
109234 if (ULONG_CMP_GE((ulong)s, (ulong)firstsnap)) {
109235 /* ensure test happens before caller kfree */
109236 smp_mb__before_atomic(); /* ^^^ */
109237- atomic_long_inc(&rsp->expedited_workdone2);
109238+ atomic_long_inc_unchecked(&rsp->expedited_workdone2);
109239 free_cpumask_var(cm);
109240 return;
109241 }
109242@@ -3406,14 +3406,14 @@ void synchronize_sched_expedited(void)
109243 if (!try_get_online_cpus()) {
109244 /* CPU hotplug operation in flight, use normal GP. */
109245 wait_rcu_gp(call_rcu_sched);
109246- atomic_long_inc(&rsp->expedited_normal);
109247+ atomic_long_inc_unchecked(&rsp->expedited_normal);
109248 free_cpumask_var(cm);
109249 return;
109250 }
109251- snap = atomic_long_read(&rsp->expedited_start);
109252+ snap = atomic_long_read_unchecked(&rsp->expedited_start);
109253 smp_mb(); /* ensure read is before try_stop_cpus(). */
109254 }
109255- atomic_long_inc(&rsp->expedited_stoppedcpus);
109256+ atomic_long_inc_unchecked(&rsp->expedited_stoppedcpus);
109257
109258 all_cpus_idle:
109259 free_cpumask_var(cm);
109260@@ -3425,16 +3425,16 @@ all_cpus_idle:
109261 * than we did already did their update.
109262 */
109263 do {
109264- atomic_long_inc(&rsp->expedited_done_tries);
109265+ atomic_long_inc_unchecked(&rsp->expedited_done_tries);
109266 s = atomic_long_read(&rsp->expedited_done);
109267 if (ULONG_CMP_GE((ulong)s, (ulong)snap)) {
109268 /* ensure test happens before caller kfree */
109269 smp_mb__before_atomic(); /* ^^^ */
109270- atomic_long_inc(&rsp->expedited_done_lost);
109271+ atomic_long_inc_unchecked(&rsp->expedited_done_lost);
109272 break;
109273 }
109274 } while (atomic_long_cmpxchg(&rsp->expedited_done, s, snap) != s);
109275- atomic_long_inc(&rsp->expedited_done_exit);
109276+ atomic_long_inc_unchecked(&rsp->expedited_done_exit);
109277
109278 put_online_cpus();
109279 }
109280@@ -3767,7 +3767,7 @@ rcu_boot_init_percpu_data(int cpu, struct rcu_state *rsp)
109281 rdp->grpmask = 1UL << (cpu - rdp->mynode->grplo);
109282 rdp->dynticks = &per_cpu(rcu_dynticks, cpu);
109283 WARN_ON_ONCE(rdp->dynticks->dynticks_nesting != DYNTICK_TASK_EXIT_IDLE);
109284- WARN_ON_ONCE(atomic_read(&rdp->dynticks->dynticks) != 1);
109285+ WARN_ON_ONCE(atomic_read_unchecked(&rdp->dynticks->dynticks) != 1);
109286 rdp->cpu = cpu;
109287 rdp->rsp = rsp;
109288 rcu_boot_init_nocb_percpu_data(rdp);
109289@@ -3798,8 +3798,8 @@ rcu_init_percpu_data(int cpu, struct rcu_state *rsp)
109290 init_callback_list(rdp); /* Re-enable callbacks on this CPU. */
109291 rdp->dynticks->dynticks_nesting = DYNTICK_TASK_EXIT_IDLE;
109292 rcu_sysidle_init_percpu_data(rdp->dynticks);
109293- atomic_set(&rdp->dynticks->dynticks,
109294- (atomic_read(&rdp->dynticks->dynticks) & ~0x1) + 1);
109295+ atomic_set_unchecked(&rdp->dynticks->dynticks,
109296+ (atomic_read_unchecked(&rdp->dynticks->dynticks) & ~0x1) + 1);
109297 raw_spin_unlock(&rnp->lock); /* irqs remain disabled. */
109298
109299 /*
109300diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h
109301index 4adb7ca..20910e6 100644
109302--- a/kernel/rcu/tree.h
109303+++ b/kernel/rcu/tree.h
109304@@ -108,11 +108,11 @@ struct rcu_dynticks {
109305 long long dynticks_nesting; /* Track irq/process nesting level. */
109306 /* Process level is worth LLONG_MAX/2. */
109307 int dynticks_nmi_nesting; /* Track NMI nesting level. */
109308- atomic_t dynticks; /* Even value for idle, else odd. */
109309+ atomic_unchecked_t dynticks;/* Even value for idle, else odd. */
109310 #ifdef CONFIG_NO_HZ_FULL_SYSIDLE
109311 long long dynticks_idle_nesting;
109312 /* irq/process nesting level from idle. */
109313- atomic_t dynticks_idle; /* Even value for idle, else odd. */
109314+ atomic_unchecked_t dynticks_idle;/* Even value for idle, else odd. */
109315 /* "Idle" excludes userspace execution. */
109316 unsigned long dynticks_idle_jiffies;
109317 /* End of last non-NMI non-idle period. */
109318@@ -483,17 +483,17 @@ struct rcu_state {
109319 /* _rcu_barrier(). */
109320 /* End of fields guarded by barrier_mutex. */
109321
109322- atomic_long_t expedited_start; /* Starting ticket. */
109323- atomic_long_t expedited_done; /* Done ticket. */
109324- atomic_long_t expedited_wrap; /* # near-wrap incidents. */
109325- atomic_long_t expedited_tryfail; /* # acquisition failures. */
109326- atomic_long_t expedited_workdone1; /* # done by others #1. */
109327- atomic_long_t expedited_workdone2; /* # done by others #2. */
109328- atomic_long_t expedited_normal; /* # fallbacks to normal. */
109329- atomic_long_t expedited_stoppedcpus; /* # successful stop_cpus. */
109330- atomic_long_t expedited_done_tries; /* # tries to update _done. */
109331- atomic_long_t expedited_done_lost; /* # times beaten to _done. */
109332- atomic_long_t expedited_done_exit; /* # times exited _done loop. */
109333+ atomic_long_unchecked_t expedited_start; /* Starting ticket. */
109334+ atomic_long_t expedited_done; /* Done ticket. */
109335+ atomic_long_unchecked_t expedited_wrap; /* # near-wrap incidents. */
109336+ atomic_long_unchecked_t expedited_tryfail; /* # acquisition failures. */
109337+ atomic_long_unchecked_t expedited_workdone1; /* # done by others #1. */
109338+ atomic_long_unchecked_t expedited_workdone2; /* # done by others #2. */
109339+ atomic_long_unchecked_t expedited_normal; /* # fallbacks to normal. */
109340+ atomic_long_unchecked_t expedited_stoppedcpus; /* # successful stop_cpus. */
109341+ atomic_long_unchecked_t expedited_done_tries; /* # tries to update _done. */
109342+ atomic_long_unchecked_t expedited_done_lost; /* # times beaten to _done. */
109343+ atomic_long_unchecked_t expedited_done_exit; /* # times exited _done loop. */
109344
109345 unsigned long jiffies_force_qs; /* Time at which to invoke */
109346 /* force_quiescent_state(). */
109347diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
109348index 013485f..2e678db 100644
109349--- a/kernel/rcu/tree_plugin.h
109350+++ b/kernel/rcu/tree_plugin.h
109351@@ -1294,7 +1294,7 @@ static void rcu_boost_kthread_setaffinity(struct rcu_node *rnp, int outgoingcpu)
109352 free_cpumask_var(cm);
109353 }
109354
109355-static struct smp_hotplug_thread rcu_cpu_thread_spec = {
109356+static struct smp_hotplug_thread rcu_cpu_thread_spec __read_only = {
109357 .store = &rcu_cpu_kthread_task,
109358 .thread_should_run = rcu_cpu_kthread_should_run,
109359 .thread_fn = rcu_cpu_kthread,
109360@@ -1767,7 +1767,7 @@ static void print_cpu_stall_info(struct rcu_state *rsp, int cpu)
109361 print_cpu_stall_fast_no_hz(fast_no_hz, cpu);
109362 pr_err("\t%d: (%lu %s) idle=%03x/%llx/%d softirq=%u/%u fqs=%ld %s\n",
109363 cpu, ticks_value, ticks_title,
109364- atomic_read(&rdtp->dynticks) & 0xfff,
109365+ atomic_read_unchecked(&rdtp->dynticks) & 0xfff,
109366 rdtp->dynticks_nesting, rdtp->dynticks_nmi_nesting,
109367 rdp->softirq_snap, kstat_softirqs_cpu(RCU_SOFTIRQ, cpu),
109368 READ_ONCE(rsp->n_force_qs) - rsp->n_force_qs_gpstart,
109369@@ -2675,9 +2675,9 @@ static void rcu_sysidle_enter(int irq)
109370 j = jiffies;
109371 WRITE_ONCE(rdtp->dynticks_idle_jiffies, j);
109372 smp_mb__before_atomic();
109373- atomic_inc(&rdtp->dynticks_idle);
109374+ atomic_inc_unchecked(&rdtp->dynticks_idle);
109375 smp_mb__after_atomic();
109376- WARN_ON_ONCE(atomic_read(&rdtp->dynticks_idle) & 0x1);
109377+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks_idle) & 0x1);
109378 }
109379
109380 /*
109381@@ -2748,9 +2748,9 @@ static void rcu_sysidle_exit(int irq)
109382
109383 /* Record end of idle period. */
109384 smp_mb__before_atomic();
109385- atomic_inc(&rdtp->dynticks_idle);
109386+ atomic_inc_unchecked(&rdtp->dynticks_idle);
109387 smp_mb__after_atomic();
109388- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks_idle) & 0x1));
109389+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks_idle) & 0x1));
109390
109391 /*
109392 * If we are the timekeeping CPU, we are permitted to be non-idle
109393@@ -2796,7 +2796,7 @@ static void rcu_sysidle_check_cpu(struct rcu_data *rdp, bool *isidle,
109394 WARN_ON_ONCE(smp_processor_id() != tick_do_timer_cpu);
109395
109396 /* Pick up current idle and NMI-nesting counter and check. */
109397- cur = atomic_read(&rdtp->dynticks_idle);
109398+ cur = atomic_read_unchecked(&rdtp->dynticks_idle);
109399 if (cur & 0x1) {
109400 *isidle = false; /* We are not idle! */
109401 return;
109402diff --git a/kernel/rcu/tree_trace.c b/kernel/rcu/tree_trace.c
109403index 3ea7ffc..cb06f2d 100644
109404--- a/kernel/rcu/tree_trace.c
109405+++ b/kernel/rcu/tree_trace.c
109406@@ -125,7 +125,7 @@ static void print_one_rcu_data(struct seq_file *m, struct rcu_data *rdp)
109407 rdp->rcu_qs_ctr_snap == per_cpu(rcu_qs_ctr, rdp->cpu),
109408 rdp->qs_pending);
109409 seq_printf(m, " dt=%d/%llx/%d df=%lu",
109410- atomic_read(&rdp->dynticks->dynticks),
109411+ atomic_read_unchecked(&rdp->dynticks->dynticks),
109412 rdp->dynticks->dynticks_nesting,
109413 rdp->dynticks->dynticks_nmi_nesting,
109414 rdp->dynticks_fqs);
109415@@ -186,17 +186,17 @@ static int show_rcuexp(struct seq_file *m, void *v)
109416 struct rcu_state *rsp = (struct rcu_state *)m->private;
109417
109418 seq_printf(m, "s=%lu d=%lu w=%lu tf=%lu wd1=%lu wd2=%lu n=%lu sc=%lu dt=%lu dl=%lu dx=%lu\n",
109419- atomic_long_read(&rsp->expedited_start),
109420+ atomic_long_read_unchecked(&rsp->expedited_start),
109421 atomic_long_read(&rsp->expedited_done),
109422- atomic_long_read(&rsp->expedited_wrap),
109423- atomic_long_read(&rsp->expedited_tryfail),
109424- atomic_long_read(&rsp->expedited_workdone1),
109425- atomic_long_read(&rsp->expedited_workdone2),
109426- atomic_long_read(&rsp->expedited_normal),
109427- atomic_long_read(&rsp->expedited_stoppedcpus),
109428- atomic_long_read(&rsp->expedited_done_tries),
109429- atomic_long_read(&rsp->expedited_done_lost),
109430- atomic_long_read(&rsp->expedited_done_exit));
109431+ atomic_long_read_unchecked(&rsp->expedited_wrap),
109432+ atomic_long_read_unchecked(&rsp->expedited_tryfail),
109433+ atomic_long_read_unchecked(&rsp->expedited_workdone1),
109434+ atomic_long_read_unchecked(&rsp->expedited_workdone2),
109435+ atomic_long_read_unchecked(&rsp->expedited_normal),
109436+ atomic_long_read_unchecked(&rsp->expedited_stoppedcpus),
109437+ atomic_long_read_unchecked(&rsp->expedited_done_tries),
109438+ atomic_long_read_unchecked(&rsp->expedited_done_lost),
109439+ atomic_long_read_unchecked(&rsp->expedited_done_exit));
109440 return 0;
109441 }
109442
109443diff --git a/kernel/resource.c b/kernel/resource.c
109444index fed052a..ad13346 100644
109445--- a/kernel/resource.c
109446+++ b/kernel/resource.c
109447@@ -162,8 +162,18 @@ static const struct file_operations proc_iomem_operations = {
109448
109449 static int __init ioresources_init(void)
109450 {
109451+#ifdef CONFIG_GRKERNSEC_PROC_ADD
109452+#ifdef CONFIG_GRKERNSEC_PROC_USER
109453+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
109454+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
109455+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
109456+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
109457+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
109458+#endif
109459+#else
109460 proc_create("ioports", 0, NULL, &proc_ioports_operations);
109461 proc_create("iomem", 0, NULL, &proc_iomem_operations);
109462+#endif
109463 return 0;
109464 }
109465 __initcall(ioresources_init);
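Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#ifdef`/`#elif` has no fallback, so `ioresources_init()` creates neither `ioports` nor `iomem` and still returns 0. Kconfig dependencies (not visible here) may make that combination impossible, but the code should not rely on that silently: add `#else` with `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` before the inner `#endif`, or fall back to an owner-only `S_IRUSR` entry. A short comment that mode `0` in the unrestricted branch means the procfs default (world-readable) would also help a reader compare the three branches.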
109466diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
109467index 750ed60..eb01466 100644
109468--- a/kernel/sched/auto_group.c
109469+++ b/kernel/sched/auto_group.c
109470@@ -9,7 +9,7 @@
109471
109472 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
109473 static struct autogroup autogroup_default;
109474-static atomic_t autogroup_seq_nr;
109475+static atomic_unchecked_t autogroup_seq_nr;
109476
109477 void __init autogroup_init(struct task_struct *init_task)
109478 {
109479@@ -77,7 +77,7 @@ static inline struct autogroup *autogroup_create(void)
109480
109481 kref_init(&ag->kref);
109482 init_rwsem(&ag->lock);
109483- ag->id = atomic_inc_return(&autogroup_seq_nr);
109484+ ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
109485 ag->tg = tg;
109486 #ifdef CONFIG_RT_GROUP_SCHED
109487 /*
109488diff --git a/kernel/sched/core.c b/kernel/sched/core.c
109489index e967343..5064e2f 100644
109490--- a/kernel/sched/core.c
109491+++ b/kernel/sched/core.c
109492@@ -2080,7 +2080,7 @@ void set_numabalancing_state(bool enabled)
109493 int sysctl_numa_balancing(struct ctl_table *table, int write,
109494 void __user *buffer, size_t *lenp, loff_t *ppos)
109495 {
109496- struct ctl_table t;
109497+ ctl_table_no_const t;
109498 int err;
109499 int state = numabalancing_enabled;
109500
109501@@ -2573,8 +2573,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
109502 next->active_mm = oldmm;
109503 atomic_inc(&oldmm->mm_count);
109504 enter_lazy_tlb(oldmm, next);
109505- } else
109506+ } else {
109507 switch_mm(oldmm, mm, next);
109508+ populate_stack();
109509+ }
109510
109511 if (!prev->mm) {
109512 prev->active_mm = NULL;
109513@@ -3386,6 +3388,8 @@ int can_nice(const struct task_struct *p, const int nice)
109514 /* convert nice value [19,-20] to rlimit style value [1,40] */
109515 int nice_rlim = nice_to_rlimit(nice);
109516
109517+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
109518+
109519 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
109520 capable(CAP_SYS_NICE));
109521 }
109522@@ -3412,7 +3416,8 @@ SYSCALL_DEFINE1(nice, int, increment)
109523 nice = task_nice(current) + increment;
109524
109525 nice = clamp_val(nice, MIN_NICE, MAX_NICE);
109526- if (increment < 0 && !can_nice(current, nice))
109527+ if (increment < 0 && (!can_nice(current, nice) ||
109528+ gr_handle_chroot_nice()))
109529 return -EPERM;
109530
109531 retval = security_task_setnice(current, nice);
109532@@ -3724,6 +3729,7 @@ recheck:
109533 if (policy != p->policy && !rlim_rtprio)
109534 return -EPERM;
109535
109536+ gr_learn_resource(p, RLIMIT_RTPRIO, attr->sched_priority, 1);
109537 /* can't increase priority */
109538 if (attr->sched_priority > p->rt_priority &&
109539 attr->sched_priority > rlim_rtprio)
109540@@ -5048,6 +5054,7 @@ void idle_task_exit(void)
109541
109542 if (mm != &init_mm) {
109543 switch_mm(mm, &init_mm, current);
109544+ populate_stack();
109545 finish_arch_post_lock_switch();
109546 }
109547 mmdrop(mm);
109548@@ -5150,7 +5157,7 @@ static void migrate_tasks(struct rq *dead_rq)
109549
109550 #if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
109551
109552-static struct ctl_table sd_ctl_dir[] = {
109553+static ctl_table_no_const sd_ctl_dir[] __read_only = {
109554 {
109555 .procname = "sched_domain",
109556 .mode = 0555,
109557@@ -5167,17 +5174,17 @@ static struct ctl_table sd_ctl_root[] = {
109558 {}
109559 };
109560
109561-static struct ctl_table *sd_alloc_ctl_entry(int n)
109562+static ctl_table_no_const *sd_alloc_ctl_entry(int n)
109563 {
109564- struct ctl_table *entry =
109565+ ctl_table_no_const *entry =
109566 kcalloc(n, sizeof(struct ctl_table), GFP_KERNEL);
109567
109568 return entry;
109569 }
109570
109571-static void sd_free_ctl_entry(struct ctl_table **tablep)
109572+static void sd_free_ctl_entry(ctl_table_no_const *tablep)
109573 {
109574- struct ctl_table *entry;
109575+ ctl_table_no_const *entry;
109576
109577 /*
109578 * In the intermediate directories, both the child directory and
109579@@ -5185,22 +5192,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
109580 * will always be set. In the lowest directory the names are
109581 * static strings and all have proc handlers.
109582 */
109583- for (entry = *tablep; entry->mode; entry++) {
109584- if (entry->child)
109585- sd_free_ctl_entry(&entry->child);
109586+ for (entry = tablep; entry->mode; entry++) {
109587+ if (entry->child) {
109588+ sd_free_ctl_entry(entry->child);
109589+ pax_open_kernel();
109590+ entry->child = NULL;
109591+ pax_close_kernel();
109592+ }
109593 if (entry->proc_handler == NULL)
109594 kfree(entry->procname);
109595 }
109596
109597- kfree(*tablep);
109598- *tablep = NULL;
109599+ kfree(tablep);
109600 }
109601
109602 static int min_load_idx = 0;
109603 static int max_load_idx = CPU_LOAD_IDX_MAX-1;
109604
109605 static void
109606-set_table_entry(struct ctl_table *entry,
109607+set_table_entry(ctl_table_no_const *entry,
109608 const char *procname, void *data, int maxlen,
109609 umode_t mode, proc_handler *proc_handler,
109610 bool load_idx)
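Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair added inside the loop wraps a store to `entry->child`, where `entry` walks the table passed in as `tablep`; as far as the visible hunks show, those tables come from `sd_alloc_ctl_entry()` (a `kcalloc()`), not from the `__read_only` `sd_ctl_dir[]`. If that holds, the write needs no lifting of kernel write protection, and the store is effectively dead because `kfree(tablep)` follows a few lines later; a plain `entry->child = NULL;` or dropping the assignment keeps the unprotected window limited to the `sd_ctl_dir[0].child` updates in the callers. Since the function no longer clears the caller's pointer, its comment should state that callers must reset their own reference after the call. The signature of `sd_free_ctl_entry()` is in the previous hunk.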
109611@@ -5220,7 +5230,7 @@ set_table_entry(struct ctl_table *entry,
109612 static struct ctl_table *
109613 sd_alloc_ctl_domain_table(struct sched_domain *sd)
109614 {
109615- struct ctl_table *table = sd_alloc_ctl_entry(14);
109616+ ctl_table_no_const *table = sd_alloc_ctl_entry(14);
109617
109618 if (table == NULL)
109619 return NULL;
109620@@ -5258,9 +5268,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
109621 return table;
109622 }
109623
109624-static struct ctl_table *sd_alloc_ctl_cpu_table(int cpu)
109625+static ctl_table_no_const *sd_alloc_ctl_cpu_table(int cpu)
109626 {
109627- struct ctl_table *entry, *table;
109628+ ctl_table_no_const *entry, *table;
109629 struct sched_domain *sd;
109630 int domain_num = 0, i;
109631 char buf[32];
109632@@ -5287,11 +5297,13 @@ static struct ctl_table_header *sd_sysctl_header;
109633 static void register_sched_domain_sysctl(void)
109634 {
109635 int i, cpu_num = num_possible_cpus();
109636- struct ctl_table *entry = sd_alloc_ctl_entry(cpu_num + 1);
109637+ ctl_table_no_const *entry = sd_alloc_ctl_entry(cpu_num + 1);
109638 char buf[32];
109639
109640 WARN_ON(sd_ctl_dir[0].child);
109641+ pax_open_kernel();
109642 sd_ctl_dir[0].child = entry;
109643+ pax_close_kernel();
109644
109645 if (entry == NULL)
109646 return;
109647@@ -5314,8 +5326,12 @@ static void unregister_sched_domain_sysctl(void)
109648 if (sd_sysctl_header)
109649 unregister_sysctl_table(sd_sysctl_header);
109650 sd_sysctl_header = NULL;
109651- if (sd_ctl_dir[0].child)
109652- sd_free_ctl_entry(&sd_ctl_dir[0].child);
109653+ if (sd_ctl_dir[0].child) {
109654+ sd_free_ctl_entry(sd_ctl_dir[0].child);
109655+ pax_open_kernel();
109656+ sd_ctl_dir[0].child = NULL;
109657+ pax_close_kernel();
109658+ }
109659 }
109660 #else
109661 static void register_sched_domain_sysctl(void)
109662diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
109663index d113c3b..91a6fcc 100644
109664--- a/kernel/sched/fair.c
109665+++ b/kernel/sched/fair.c
109666@@ -7958,7 +7958,7 @@ static void nohz_idle_balance(struct rq *this_rq, enum cpu_idle_type idle) { }
109667 * run_rebalance_domains is triggered when needed from the scheduler tick.
109668 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
109669 */
109670-static void run_rebalance_domains(struct softirq_action *h)
109671+static __latent_entropy void run_rebalance_domains(void)
109672 {
109673 struct rq *this_rq = this_rq();
109674 enum cpu_idle_type idle = this_rq->idle_balance ?
109675diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
109676index 84d4879..cf3ed33 100644
109677--- a/kernel/sched/sched.h
109678+++ b/kernel/sched/sched.h
109679@@ -1241,7 +1241,7 @@ struct sched_class {
109680 #ifdef CONFIG_FAIR_GROUP_SCHED
109681 void (*task_move_group) (struct task_struct *p, int on_rq);
109682 #endif
109683-};
109684+} __do_const;
109685
109686 static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
109687 {
109688diff --git a/kernel/signal.c b/kernel/signal.c
109689index 0f6bbbe..d77d2c3 100644
109690--- a/kernel/signal.c
109691+++ b/kernel/signal.c
109692@@ -53,12 +53,12 @@ static struct kmem_cache *sigqueue_cachep;
109693
109694 int print_fatal_signals __read_mostly;
109695
109696-static void __user *sig_handler(struct task_struct *t, int sig)
109697+static __sighandler_t sig_handler(struct task_struct *t, int sig)
109698 {
109699 return t->sighand->action[sig - 1].sa.sa_handler;
109700 }
109701
109702-static int sig_handler_ignored(void __user *handler, int sig)
109703+static int sig_handler_ignored(__sighandler_t handler, int sig)
109704 {
109705 /* Is it explicitly or implicitly ignored? */
109706 return handler == SIG_IGN ||
109707@@ -67,7 +67,7 @@ static int sig_handler_ignored(void __user *handler, int sig)
109708
109709 static int sig_task_ignored(struct task_struct *t, int sig, bool force)
109710 {
109711- void __user *handler;
109712+ __sighandler_t handler;
109713
109714 handler = sig_handler(t, sig);
109715
109716@@ -372,6 +372,9 @@ __sigqueue_alloc(int sig, struct task_struct *t, gfp_t flags, int override_rlimi
109717 atomic_inc(&user->sigpending);
109718 rcu_read_unlock();
109719
109720+ if (!override_rlimit)
109721+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
109722+
109723 if (override_rlimit ||
109724 atomic_read(&user->sigpending) <=
109725 task_rlimit(t, RLIMIT_SIGPENDING)) {
109726@@ -494,7 +497,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
109727
109728 int unhandled_signal(struct task_struct *tsk, int sig)
109729 {
109730- void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
109731+ __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
109732 if (is_global_init(tsk))
109733 return 1;
109734 if (handler != SIG_IGN && handler != SIG_DFL)
109735@@ -788,6 +791,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
109736 }
109737 }
109738
109739+ /* allow glibc communication via tgkill to other threads in our
109740+ thread group */
109741+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
109742+ sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
109743+ && gr_handle_signal(t, sig))
109744+ return -EPERM;
109745+
109746 return security_task_kill(t, info, sig, 0);
109747 }
109748
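Review bot: The exemption added in front of `gr_handle_signal()` hard-codes `SIGRTMIN+1` without saying which signal that is, and the same test is written out a second time in the do_send_specific() hunk further down. A comment such as `/* SIGRTMIN+1: glibc's internal SIGSETXID, sent with tgkill to sibling threads */` plus one shared predicate would keep the two copies from drifting apart. The `info->si_code` read is only safe if every special `info` value other than `SEND_SIG_NOINFO` has already returned earlier in check_kill_permission(). That part of the function is outside the hunk, so it is worth confirming.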
109749@@ -1171,7 +1181,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
109750 return send_signal(sig, info, p, 1);
109751 }
109752
109753-static int
109754+int
109755 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109756 {
109757 return send_signal(sig, info, t, 0);
109758@@ -1208,6 +1218,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109759 unsigned long int flags;
109760 int ret, blocked, ignored;
109761 struct k_sigaction *action;
109762+ int is_unhandled = 0;
109763
109764 spin_lock_irqsave(&t->sighand->siglock, flags);
109765 action = &t->sighand->action[sig-1];
109766@@ -1222,9 +1233,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109767 }
109768 if (action->sa.sa_handler == SIG_DFL)
109769 t->signal->flags &= ~SIGNAL_UNKILLABLE;
109770+ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
109771+ is_unhandled = 1;
109772 ret = specific_send_sig_info(sig, info, t);
109773 spin_unlock_irqrestore(&t->sighand->siglock, flags);
109774
109775+ /* only deal with unhandled signals, java etc trigger SIGSEGV during
109776+ normal operation */
109777+ if (is_unhandled) {
109778+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
109779+ gr_handle_crash(t, sig);
109780+ }
109781+
109782 return ret;
109783 }
109784
109785@@ -1305,8 +1325,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
109786 ret = check_kill_permission(sig, info, p);
109787 rcu_read_unlock();
109788
109789- if (!ret && sig)
109790+ if (!ret && sig) {
109791 ret = do_send_sig_info(sig, info, p, true);
109792+ if (!ret)
109793+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
109794+ }
109795
109796 return ret;
109797 }
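Review bot: `info->si_addr` is handed to `gr_log_signal()` for every signal that goes through group_send_sig_info(), but `si_addr` is a union member that is only populated for fault signals; in a kill()-style siginfo the same bytes hold the sender's pid and uid. Unless `gr_log_signal()` (not visible here) ignores the address for non-fault signals, the log would present those bytes as a fault address. If the address carries no meaning at this call site, `gr_log_signal(sig, NULL, p);` states that directly. The force_sig_info() hunk above makes the same call, where a check on the signal number would serve the same purpose.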
109798@@ -2913,7 +2936,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
109799 int error = -ESRCH;
109800
109801 rcu_read_lock();
109802- p = find_task_by_vpid(pid);
109803+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
109804+ /* allow glibc communication via tgkill to other threads in our
109805+ thread group */
109806+ if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
109807+ sig == (SIGRTMIN+1) && tgid == info->si_pid)
109808+ p = find_task_by_vpid_unrestricted(pid);
109809+ else
109810+#endif
109811+ p = find_task_by_vpid(pid);
109812 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
109813 error = check_kill_permission(sig, info, p);
109814 /*
109815@@ -3242,8 +3273,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
109816 }
109817 seg = get_fs();
109818 set_fs(KERNEL_DS);
109819- ret = do_sigaltstack((stack_t __force __user *) (uss_ptr ? &uss : NULL),
109820- (stack_t __force __user *) &uoss,
109821+ ret = do_sigaltstack((stack_t __force_user *) (uss_ptr ? &uss : NULL),
109822+ (stack_t __force_user *) &uoss,
109823 compat_user_stack_pointer());
109824 set_fs(seg);
109825 if (ret >= 0 && uoss_ptr) {
109826diff --git a/kernel/smpboot.c b/kernel/smpboot.c
109827index 7c434c3..155d90a 100644
109828--- a/kernel/smpboot.c
109829+++ b/kernel/smpboot.c
109830@@ -305,7 +305,7 @@ int smpboot_register_percpu_thread(struct smp_hotplug_thread *plug_thread)
109831 }
109832 smpboot_unpark_thread(plug_thread, cpu);
109833 }
109834- list_add(&plug_thread->list, &hotplug_threads);
109835+ pax_list_add(&plug_thread->list, &hotplug_threads);
109836 out:
109837 mutex_unlock(&smpboot_threads_lock);
109838 put_online_cpus();
109839@@ -323,7 +323,7 @@ void smpboot_unregister_percpu_thread(struct smp_hotplug_thread *plug_thread)
109840 {
109841 get_online_cpus();
109842 mutex_lock(&smpboot_threads_lock);
109843- list_del(&plug_thread->list);
109844+ pax_list_del(&plug_thread->list);
109845 smpboot_destroy_threads(plug_thread);
109846 mutex_unlock(&smpboot_threads_lock);
109847 put_online_cpus();
109848diff --git a/kernel/softirq.c b/kernel/softirq.c
109849index 479e443..66d845e1 100644
109850--- a/kernel/softirq.c
109851+++ b/kernel/softirq.c
109852@@ -53,7 +53,7 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
109853 EXPORT_SYMBOL(irq_stat);
109854 #endif
109855
109856-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
109857+static struct softirq_action softirq_vec[NR_SOFTIRQS] __read_only __aligned(PAGE_SIZE);
109858
109859 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
109860
109861@@ -270,7 +270,7 @@ restart:
109862 kstat_incr_softirqs_this_cpu(vec_nr);
109863
109864 trace_softirq_entry(vec_nr);
109865- h->action(h);
109866+ h->action();
109867 trace_softirq_exit(vec_nr);
109868 if (unlikely(prev_count != preempt_count())) {
109869 pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
109870@@ -430,7 +430,7 @@ void __raise_softirq_irqoff(unsigned int nr)
109871 or_softirq_pending(1UL << nr);
109872 }
109873
109874-void open_softirq(int nr, void (*action)(struct softirq_action *))
109875+void __init open_softirq(int nr, void (*action)(void))
109876 {
109877 softirq_vec[nr].action = action;
109878 }
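Review bot: open_softirq() becomes `__init` in the same patch that marks `softirq_vec` as `__read_only`, but nothing at the definition says that handlers can no longer be registered after boot. A one-line comment such as `/* softirq_vec is __read_only: handlers may only be registered during init */` would tell the next caller why a late registration is not possible. That `__read_only` data is only writable during init is inferred from the pairing of the two annotations, not shown in this hunk.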
109879@@ -482,7 +482,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
109880 }
109881 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
109882
109883-static void tasklet_action(struct softirq_action *a)
109884+static void tasklet_action(void)
109885 {
109886 struct tasklet_struct *list;
109887
109888@@ -518,7 +518,7 @@ static void tasklet_action(struct softirq_action *a)
109889 }
109890 }
109891
109892-static void tasklet_hi_action(struct softirq_action *a)
109893+static __latent_entropy void tasklet_hi_action(void)
109894 {
109895 struct tasklet_struct *list;
109896
109897@@ -744,7 +744,7 @@ static struct notifier_block cpu_nfb = {
109898 .notifier_call = cpu_callback
109899 };
109900
109901-static struct smp_hotplug_thread softirq_threads = {
109902+static struct smp_hotplug_thread softirq_threads __read_only = {
109903 .store = &ksoftirqd,
109904 .thread_should_run = ksoftirqd_should_run,
109905 .thread_fn = run_ksoftirqd,
109906diff --git a/kernel/sys.c b/kernel/sys.c
109907index 259fda2..e824a93 100644
109908--- a/kernel/sys.c
109909+++ b/kernel/sys.c
109910@@ -160,6 +160,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
109911 error = -EACCES;
109912 goto out;
109913 }
109914+
109915+ if (gr_handle_chroot_setpriority(p, niceval)) {
109916+ error = -EACCES;
109917+ goto out;
109918+ }
109919+
109920 no_nice = security_task_setnice(p, niceval);
109921 if (no_nice) {
109922 error = no_nice;
109923@@ -366,6 +372,20 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
109924 goto error;
109925 }
109926
109927+ if (gr_check_group_change(new->gid, new->egid, INVALID_GID))
109928+ goto error;
109929+
109930+ if (!gid_eq(new->gid, old->gid)) {
109931+ /* make sure we generate a learn log for what will
109932+ end up being a role transition after a full-learning
109933+ policy is generated
109934+ CAP_SETGID is required to perform a transition
109935+ we may not log a CAP_SETGID check above, e.g.
109936+ in the case where new rgid = old egid
109937+ */
109938+ gr_learn_cap(current, new, CAP_SETGID);
109939+ }
109940+
109941 if (rgid != (gid_t) -1 ||
109942 (egid != (gid_t) -1 && !gid_eq(kegid, old->gid)))
109943 new->sgid = new->egid;
109944@@ -401,6 +421,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
109945 old = current_cred();
109946
109947 retval = -EPERM;
109948+
109949+ if (gr_check_group_change(kgid, kgid, kgid))
109950+ goto error;
109951+
109952 if (ns_capable(old->user_ns, CAP_SETGID))
109953 new->gid = new->egid = new->sgid = new->fsgid = kgid;
109954 else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
109955@@ -418,7 +442,7 @@ error:
109956 /*
109957 * change the user struct in a credentials set to match the new UID
109958 */
109959-static int set_user(struct cred *new)
109960+int set_user(struct cred *new)
109961 {
109962 struct user_struct *new_user;
109963
109964@@ -498,7 +522,18 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
109965 goto error;
109966 }
109967
109968+ if (gr_check_user_change(new->uid, new->euid, INVALID_UID))
109969+ goto error;
109970+
109971 if (!uid_eq(new->uid, old->uid)) {
109972+ /* make sure we generate a learn log for what will
109973+ end up being a role transition after a full-learning
109974+ policy is generated
109975+ CAP_SETUID is required to perform a transition
109976+ we may not log a CAP_SETUID check above, e.g.
109977+ in the case where new ruid = old euid
109978+ */
109979+ gr_learn_cap(current, new, CAP_SETUID);
109980 retval = set_user(new);
109981 if (retval < 0)
109982 goto error;
109983@@ -548,6 +583,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
109984 old = current_cred();
109985
109986 retval = -EPERM;
109987+
109988+ if (gr_check_crash_uid(kuid))
109989+ goto error;
109990+ if (gr_check_user_change(kuid, kuid, kuid))
109991+ goto error;
109992+
109993 if (ns_capable(old->user_ns, CAP_SETUID)) {
109994 new->suid = new->uid = kuid;
109995 if (!uid_eq(kuid, old->uid)) {
109996@@ -617,6 +658,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
109997 goto error;
109998 }
109999
110000+ if (gr_check_user_change(kruid, keuid, INVALID_UID))
110001+ goto error;
110002+
110003 if (ruid != (uid_t) -1) {
110004 new->uid = kruid;
110005 if (!uid_eq(kruid, old->uid)) {
110006@@ -701,6 +745,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
110007 goto error;
110008 }
110009
110010+ if (gr_check_group_change(krgid, kegid, INVALID_GID))
110011+ goto error;
110012+
110013 if (rgid != (gid_t) -1)
110014 new->gid = krgid;
110015 if (egid != (gid_t) -1)
110016@@ -765,12 +812,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
110017 uid_eq(kuid, old->suid) || uid_eq(kuid, old->fsuid) ||
110018 ns_capable(old->user_ns, CAP_SETUID)) {
110019 if (!uid_eq(kuid, old->fsuid)) {
110020+ if (gr_check_user_change(INVALID_UID, INVALID_UID, kuid))
110021+ goto error;
110022+
110023 new->fsuid = kuid;
110024 if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0)
110025 goto change_okay;
110026 }
110027 }
110028
110029+error:
110030 abort_creds(new);
110031 return old_fsuid;
110032
110033@@ -803,12 +854,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
110034 if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) ||
110035 gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||
110036 ns_capable(old->user_ns, CAP_SETGID)) {
110037+ if (gr_check_group_change(INVALID_GID, INVALID_GID, kgid))
110038+ goto error;
110039+
110040 if (!gid_eq(kgid, old->fsgid)) {
110041 new->fsgid = kgid;
110042 goto change_okay;
110043 }
110044 }
110045
110046+error:
110047 abort_creds(new);
110048 return old_fsgid;
110049
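Review bot: The `gr_check_group_change()` call sits outside the `if (!gid_eq(kgid, old->fsgid))` test, while the matching setfsuid hunk places `gr_check_user_change()` inside the equivalent `uid_eq` test. As written, setfsgid consults the policy (and whatever logging it does) even when the fsgid would not change. Moving the two added lines to just after `if (!gid_eq(kgid, old->fsgid)) {` would make the pair consistent. The syscall body starts and ends outside the hunk.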
110050@@ -1187,19 +1242,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
110051 return -EFAULT;
110052
110053 down_read(&uts_sem);
110054- error = __copy_to_user(&name->sysname, &utsname()->sysname,
110055+ error = __copy_to_user(name->sysname, &utsname()->sysname,
110056 __OLD_UTS_LEN);
110057 error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
110058- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
110059+ error |= __copy_to_user(name->nodename, &utsname()->nodename,
110060 __OLD_UTS_LEN);
110061 error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
110062- error |= __copy_to_user(&name->release, &utsname()->release,
110063+ error |= __copy_to_user(name->release, &utsname()->release,
110064 __OLD_UTS_LEN);
110065 error |= __put_user(0, name->release + __OLD_UTS_LEN);
110066- error |= __copy_to_user(&name->version, &utsname()->version,
110067+ error |= __copy_to_user(name->version, &utsname()->version,
110068 __OLD_UTS_LEN);
110069 error |= __put_user(0, name->version + __OLD_UTS_LEN);
110070- error |= __copy_to_user(&name->machine, &utsname()->machine,
110071+ error |= __copy_to_user(name->machine, &utsname()->machine,
110072 __OLD_UTS_LEN);
110073 error |= __put_user(0, name->machine + __OLD_UTS_LEN);
110074 up_read(&uts_sem);
110075@@ -1400,6 +1455,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
110076 */
110077 new_rlim->rlim_cur = 1;
110078 }
110079+ /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
110080+ is changed to a lower value. Since tasks can be created by the same
110081+ user in between this limit change and an execve by this task, force
110082+ a recheck only for this task by setting PF_NPROC_EXCEEDED
110083+ */
110084+ if (resource == RLIMIT_NPROC && tsk->real_cred->user != INIT_USER)
110085+ tsk->flags |= PF_NPROC_EXCEEDED;
110086 }
110087 if (!retval) {
110088 if (old_rlim)
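Review bot: `PF_NPROC_EXCEEDED` is set whenever `resource == RLIMIT_NPROC`, although the comment above it describes only the case where the limit is lowered. The assignment also sits before the `if (!retval)` test, so it fires when the change is rejected. Testing `!retval` and comparing the new value with the current limit before setting the flag would match the comment; the current limit lives in the part of do_prlimit() outside the hunk. `tsk` may also be a task other than `current` here, and `tsk->flags |= PF_NPROC_EXCEEDED;` is a plain read-modify-write, so it is worth confirming that nothing else updates that task's flags concurrently.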
110089diff --git a/kernel/sysctl.c b/kernel/sysctl.c
110090index 19b62b5..74cc287 100644
110091--- a/kernel/sysctl.c
110092+++ b/kernel/sysctl.c
110093@@ -94,7 +94,6 @@
110094 #endif
110095
110096 #if defined(CONFIG_SYSCTL)
110097-
110098 /* External variables not in a header file. */
110099 extern int suid_dumpable;
110100 #ifdef CONFIG_COREDUMP
110101@@ -111,22 +110,24 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
110102 #ifndef CONFIG_MMU
110103 extern int sysctl_nr_trim_pages;
110104 #endif
110105+extern int sysctl_modify_ldt;
110106
110107 /* Constants used for minimum and maximum */
110108 #ifdef CONFIG_LOCKUP_DETECTOR
110109-static int sixty = 60;
110110+static int sixty __read_only = 60;
110111 #endif
110112
110113-static int __maybe_unused neg_one = -1;
110114+static int __maybe_unused neg_one __read_only = -1;
110115
110116-static int zero;
110117-static int __maybe_unused one = 1;
110118-static int __maybe_unused two = 2;
110119-static int __maybe_unused four = 4;
110120-static unsigned long one_ul = 1;
110121-static int one_hundred = 100;
110122+static int zero __read_only = 0;
110123+static int __maybe_unused one __read_only = 1;
110124+static int __maybe_unused two __read_only = 2;
110125+static int __maybe_unused three __read_only = 3;
110126+static int __maybe_unused four __read_only = 4;
110127+static unsigned long one_ul __read_only = 1;
110128+static int one_hundred __read_only = 100;
110129 #ifdef CONFIG_PRINTK
110130-static int ten_thousand = 10000;
110131+static int ten_thousand __read_only = 10000;
110132 #endif
110133
110134 /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
110135@@ -180,10 +181,8 @@ static int proc_taint(struct ctl_table *table, int write,
110136 void __user *buffer, size_t *lenp, loff_t *ppos);
110137 #endif
110138
110139-#ifdef CONFIG_PRINTK
110140-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
110141+static int proc_dointvec_minmax_secure_sysadmin(struct ctl_table *table, int write,
110142 void __user *buffer, size_t *lenp, loff_t *ppos);
110143-#endif
110144
110145 static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
110146 void __user *buffer, size_t *lenp, loff_t *ppos);
110147@@ -214,6 +213,8 @@ static int sysrq_sysctl_handler(struct ctl_table *table, int write,
110148
110149 #endif
110150
110151+extern struct ctl_table grsecurity_table[];
110152+
110153 static struct ctl_table kern_table[];
110154 static struct ctl_table vm_table[];
110155 static struct ctl_table fs_table[];
110156@@ -228,6 +229,20 @@ extern struct ctl_table epoll_table[];
110157 int sysctl_legacy_va_layout;
110158 #endif
110159
110160+#ifdef CONFIG_PAX_SOFTMODE
110161+static struct ctl_table pax_table[] = {
110162+ {
110163+ .procname = "softmode",
110164+ .data = &pax_softmode,
110165+ .maxlen = sizeof(unsigned int),
110166+ .mode = 0600,
110167+ .proc_handler = &proc_dointvec,
110168+ },
110169+
110170+ { }
110171+};
110172+#endif
110173+
110174 /* The default sysctl tables: */
110175
110176 static struct ctl_table sysctl_base_table[] = {
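Review bot: The `softmode` entry uses plain `proc_dointvec`, so the only write control is the 0600 file mode, whereas the other security toggles this patch touches in kern_table go through `proc_dointvec_minmax_secure_sysadmin` with explicit bounds. If `pax_softmode` is meant to be a 0/1 switch (nothing in this hunk confirms the range), `.proc_handler = proc_dointvec_minmax_secure_sysadmin, .extra1 = &zero, .extra2 = &one,` would add the CAP_SYS_ADMIN check and reject out-of-range writes. `.maxlen` is given as `sizeof(unsigned int)` while the handler parses a signed int; a bounded handler would make that mismatch harmless.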
110177@@ -276,6 +291,22 @@ static int max_extfrag_threshold = 1000;
110178 #endif
110179
110180 static struct ctl_table kern_table[] = {
110181+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
110182+ {
110183+ .procname = "grsecurity",
110184+ .mode = 0500,
110185+ .child = grsecurity_table,
110186+ },
110187+#endif
110188+
110189+#ifdef CONFIG_PAX_SOFTMODE
110190+ {
110191+ .procname = "pax",
110192+ .mode = 0500,
110193+ .child = pax_table,
110194+ },
110195+#endif
110196+
110197 {
110198 .procname = "sched_child_runs_first",
110199 .data = &sysctl_sched_child_runs_first,
110200@@ -628,7 +659,7 @@ static struct ctl_table kern_table[] = {
110201 .maxlen = sizeof(int),
110202 .mode = 0644,
110203 /* only handle a transition from default "0" to "1" */
110204- .proc_handler = proc_dointvec_minmax,
110205+ .proc_handler = proc_dointvec_minmax_secure,
110206 .extra1 = &one,
110207 .extra2 = &one,
110208 },
110209@@ -639,7 +670,7 @@ static struct ctl_table kern_table[] = {
110210 .data = &modprobe_path,
110211 .maxlen = KMOD_PATH_LEN,
110212 .mode = 0644,
110213- .proc_handler = proc_dostring,
110214+ .proc_handler = proc_dostring_modpriv,
110215 },
110216 {
110217 .procname = "modules_disabled",
110218@@ -647,7 +678,7 @@ static struct ctl_table kern_table[] = {
110219 .maxlen = sizeof(int),
110220 .mode = 0644,
110221 /* only handle a transition from default "0" to "1" */
110222- .proc_handler = proc_dointvec_minmax,
110223+ .proc_handler = proc_dointvec_minmax_secure,
110224 .extra1 = &one,
110225 .extra2 = &one,
110226 },
110227@@ -802,20 +833,24 @@ static struct ctl_table kern_table[] = {
110228 .data = &dmesg_restrict,
110229 .maxlen = sizeof(int),
110230 .mode = 0644,
110231- .proc_handler = proc_dointvec_minmax_sysadmin,
110232+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
110233 .extra1 = &zero,
110234 .extra2 = &one,
110235 },
110236+#endif
110237 {
110238 .procname = "kptr_restrict",
110239 .data = &kptr_restrict,
110240 .maxlen = sizeof(int),
110241 .mode = 0644,
110242- .proc_handler = proc_dointvec_minmax_sysadmin,
110243+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
110244+#ifdef CONFIG_GRKERNSEC_HIDESYM
110245+ .extra1 = &two,
110246+#else
110247 .extra1 = &zero,
110248+#endif
110249 .extra2 = &two,
110250 },
110251-#endif
110252 {
110253 .procname = "ngroups_max",
110254 .data = &ngroups_max,
110255@@ -960,6 +995,15 @@ static struct ctl_table kern_table[] = {
110256 .mode = 0644,
110257 .proc_handler = proc_dointvec,
110258 },
110259+ {
110260+ .procname = "modify_ldt",
110261+ .data = &sysctl_modify_ldt,
110262+ .maxlen = sizeof(int),
110263+ .mode = 0644,
110264+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
110265+ .extra1 = &zero,
110266+ .extra2 = &one,
110267+ },
110268 #endif
110269 #if defined(CONFIG_MMU)
110270 {
110271@@ -1082,10 +1126,17 @@ static struct ctl_table kern_table[] = {
110272 */
110273 {
110274 .procname = "perf_event_paranoid",
110275- .data = &sysctl_perf_event_paranoid,
110276- .maxlen = sizeof(sysctl_perf_event_paranoid),
110277+ .data = &sysctl_perf_event_legitimately_concerned,
110278+ .maxlen = sizeof(sysctl_perf_event_legitimately_concerned),
110279 .mode = 0644,
110280- .proc_handler = proc_dointvec,
110281+ /* go ahead, be a hero */
110282+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
110283+ .extra1 = &neg_one,
110284+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
110285+ .extra2 = &three,
110286+#else
110287+ .extra2 = &two,
110288+#endif
110289 },
110290 {
110291 .procname = "perf_event_mlock_kb",
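Review bot: The comment `/* go ahead, be a hero */` on the perf_event_paranoid handler says nothing about what the entry now enforces. Something like `/* writes need CAP_SYS_ADMIN; accepted range is -1..2, or -1..3 with CONFIG_GRKERNSEC_PERF_HARDEN */` documents the bounds set by `.extra1` and `.extra2` right below it. The kern_table initializer starts and ends outside the hunk.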
110292@@ -1376,6 +1427,13 @@ static struct ctl_table vm_table[] = {
110293 .proc_handler = proc_dointvec_minmax,
110294 .extra1 = &zero,
110295 },
110296+ {
110297+ .procname = "heap_stack_gap",
110298+ .data = &sysctl_heap_stack_gap,
110299+ .maxlen = sizeof(sysctl_heap_stack_gap),
110300+ .mode = 0644,
110301+ .proc_handler = proc_doulongvec_minmax,
110302+ },
110303 #else
110304 {
110305 .procname = "nr_trim_pages",
110306@@ -1852,6 +1910,16 @@ int proc_dostring(struct ctl_table *table, int write,
110307 (char __user *)buffer, lenp, ppos);
110308 }
110309
110310+int proc_dostring_modpriv(struct ctl_table *table, int write,
110311+ void __user *buffer, size_t *lenp, loff_t *ppos)
110312+{
110313+ if (write && !capable(CAP_SYS_MODULE))
110314+ return -EPERM;
110315+
110316+ return _proc_do_string(table->data, table->maxlen, write,
110317+ buffer, lenp, ppos);
110318+}
110319+
110320 static size_t proc_skip_spaces(char **buf)
110321 {
110322 size_t ret;
110323@@ -1957,6 +2025,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
110324 len = strlen(tmp);
110325 if (len > *size)
110326 len = *size;
110327+ if (len > sizeof(tmp))
110328+ len = sizeof(tmp);
110329 if (copy_to_user(*buf, tmp, len))
110330 return -EFAULT;
110331 *size -= len;
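Review bot: The added clamp `if (len > sizeof(tmp)) len = sizeof(tmp);` runs after `len = strlen(tmp)`, so it cannot catch anything at run time. If `tmp` is a NUL-terminated array, `strlen()` is already below `sizeof(tmp)`; if it were not terminated, the overread would have happened inside `strlen()`. If `tmp` is a local buffer filled by a formatting call earlier in proc_put_long() (outside the hunk), the check has an effect only when that write is bounded, or when `len = strnlen(tmp, sizeof(tmp));` is used here. If the clamp exists only to satisfy a compile-time check on the copy size, a short comment saying so would explain it.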
110332@@ -1995,7 +2065,7 @@ static int do_proc_dointvec_conv(bool *negp, unsigned long *lvalp,
110333 int val = *valp;
110334 if (val < 0) {
110335 *negp = true;
110336- *lvalp = (unsigned long)-val;
110337+ *lvalp = -(unsigned long)val;
110338 } else {
110339 *negp = false;
110340 *lvalp = (unsigned long)val;
110341@@ -2135,6 +2205,44 @@ int proc_dointvec(struct ctl_table *table, int write,
110342 NULL,NULL);
110343 }
110344
110345+static int do_proc_dointvec_conv_secure(bool *negp, unsigned long *lvalp,
110346+ int *valp,
110347+ int write, void *data)
110348+{
110349+ if (write) {
110350+ if (*negp) {
110351+ if (*lvalp > (unsigned long) INT_MAX + 1)
110352+ return -EINVAL;
110353+ pax_open_kernel();
110354+ *valp = -*lvalp;
110355+ pax_close_kernel();
110356+ } else {
110357+ if (*lvalp > (unsigned long) INT_MAX)
110358+ return -EINVAL;
110359+ pax_open_kernel();
110360+ *valp = *lvalp;
110361+ pax_close_kernel();
110362+ }
110363+ } else {
110364+ int val = *valp;
110365+ if (val < 0) {
110366+ *negp = true;
110367+ *lvalp = -(unsigned long)val;
110368+ } else {
110369+ *negp = false;
110370+ *lvalp = (unsigned long)val;
110371+ }
110372+ }
110373+ return 0;
110374+}
110375+
110376+int proc_dointvec_secure(struct ctl_table *table, int write,
110377+ void __user *buffer, size_t *lenp, loff_t *ppos)
110378+{
110379+ return do_proc_dointvec(table,write,buffer,lenp,ppos,
110380+ do_proc_dointvec_conv_secure,NULL);
110381+}
110382+
110383 /*
110384 * Taint values can only be increased
110385 * This means we can safely use a temporary.
110386@@ -2142,7 +2250,7 @@ int proc_dointvec(struct ctl_table *table, int write,
110387 static int proc_taint(struct ctl_table *table, int write,
110388 void __user *buffer, size_t *lenp, loff_t *ppos)
110389 {
110390- struct ctl_table t;
110391+ ctl_table_no_const t;
110392 unsigned long tmptaint = get_taint();
110393 int err;
110394
110395@@ -2170,16 +2278,14 @@ static int proc_taint(struct ctl_table *table, int write,
110396 return err;
110397 }
110398
110399-#ifdef CONFIG_PRINTK
110400-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
110401+static int proc_dointvec_minmax_secure_sysadmin(struct ctl_table *table, int write,
110402 void __user *buffer, size_t *lenp, loff_t *ppos)
110403 {
110404 if (write && !capable(CAP_SYS_ADMIN))
110405 return -EPERM;
110406
110407- return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
110408+ return proc_dointvec_minmax_secure(table, write, buffer, lenp, ppos);
110409 }
110410-#endif
110411
110412 struct do_proc_dointvec_minmax_conv_param {
110413 int *min;
110414@@ -2201,7 +2307,33 @@ static int do_proc_dointvec_minmax_conv(bool *negp, unsigned long *lvalp,
110415 int val = *valp;
110416 if (val < 0) {
110417 *negp = true;
110418- *lvalp = (unsigned long)-val;
110419+ *lvalp = -(unsigned long)val;
110420+ } else {
110421+ *negp = false;
110422+ *lvalp = (unsigned long)val;
110423+ }
110424+ }
110425+ return 0;
110426+}
110427+
110428+static int do_proc_dointvec_minmax_conv_secure(bool *negp, unsigned long *lvalp,
110429+ int *valp,
110430+ int write, void *data)
110431+{
110432+ struct do_proc_dointvec_minmax_conv_param *param = data;
110433+ if (write) {
110434+ int val = *negp ? -*lvalp : *lvalp;
110435+ if ((param->min && *param->min > val) ||
110436+ (param->max && *param->max < val))
110437+ return -EINVAL;
110438+ pax_open_kernel();
110439+ *valp = val;
110440+ pax_close_kernel();
110441+ } else {
110442+ int val = *valp;
110443+ if (val < 0) {
110444+ *negp = true;
110445+ *lvalp = -(unsigned long)val;
110446 } else {
110447 *negp = false;
110448 *lvalp = (unsigned long)val;
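Review bot: In do_proc_dointvec_minmax_conv_secure() the write path computes `int val = *negp ? -*lvalp : *lvalp;` with no range check on `*lvalp`. On a 64-bit build a write such as 4294967297 is therefore narrowed to 1 before it is compared with `param->min` and `param->max`, and is accepted instead of being rejected with -EINVAL. do_proc_dointvec_conv_secure(), added earlier in this same patch, rejects such magnitudes against INT_MAX first. This handler backs entries such as `modules_disabled` and `kptr_restrict`, so it should apply the same check before narrowing. The function's closing lines are outside the hunk.

```c
	if (write) {
		int val;

		/* reject magnitudes that do not fit in an int before narrowing */
		if (*negp) {
			if (*lvalp > (unsigned long) INT_MAX + 1)
				return -EINVAL;
			val = -*lvalp;
		} else {
			if (*lvalp > (unsigned long) INT_MAX)
				return -EINVAL;
			val = *lvalp;
		}
		/* ... unchanged: min/max comparison and the pax_open_kernel() store ... */
```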
110449@@ -2237,6 +2369,17 @@ int proc_dointvec_minmax(struct ctl_table *table, int write,
110450 do_proc_dointvec_minmax_conv, &param);
110451 }
110452
110453+int proc_dointvec_minmax_secure(struct ctl_table *table, int write,
110454+ void __user *buffer, size_t *lenp, loff_t *ppos)
110455+{
110456+ struct do_proc_dointvec_minmax_conv_param param = {
110457+ .min = (int *) table->extra1,
110458+ .max = (int *) table->extra2,
110459+ };
110460+ return do_proc_dointvec(table, write, buffer, lenp, ppos,
110461+ do_proc_dointvec_minmax_conv_secure, &param);
110462+}
110463+
110464 static void validate_coredump_safety(void)
110465 {
110466 #ifdef CONFIG_COREDUMP
110467@@ -2436,7 +2579,7 @@ static int do_proc_dointvec_jiffies_conv(bool *negp, unsigned long *lvalp,
110468 unsigned long lval;
110469 if (val < 0) {
110470 *negp = true;
110471- lval = (unsigned long)-val;
110472+ lval = -(unsigned long)val;
110473 } else {
110474 *negp = false;
110475 lval = (unsigned long)val;
110476@@ -2459,7 +2602,7 @@ static int do_proc_dointvec_userhz_jiffies_conv(bool *negp, unsigned long *lvalp
110477 unsigned long lval;
110478 if (val < 0) {
110479 *negp = true;
110480- lval = (unsigned long)-val;
110481+ lval = -(unsigned long)val;
110482 } else {
110483 *negp = false;
110484 lval = (unsigned long)val;
110485@@ -2484,7 +2627,7 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
110486 unsigned long lval;
110487 if (val < 0) {
110488 *negp = true;
110489- lval = (unsigned long)-val;
110490+ lval = -(unsigned long)val;
110491 } else {
110492 *negp = false;
110493 lval = (unsigned long)val;
110494@@ -2739,6 +2882,12 @@ int proc_dostring(struct ctl_table *table, int write,
110495 return -ENOSYS;
110496 }
110497
110498+int proc_dostring_modpriv(struct ctl_table *table, int write,
110499+ void __user *buffer, size_t *lenp, loff_t *ppos)
110500+{
110501+ return -ENOSYS;
110502+}
110503+
110504 int proc_dointvec(struct ctl_table *table, int write,
110505 void __user *buffer, size_t *lenp, loff_t *ppos)
110506 {
110507@@ -2795,5 +2944,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
110508 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
110509 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
110510 EXPORT_SYMBOL(proc_dostring);
110511+EXPORT_SYMBOL(proc_dostring_modpriv);
110512 EXPORT_SYMBOL(proc_doulongvec_minmax);
110513 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
110514diff --git a/kernel/taskstats.c b/kernel/taskstats.c
110515index 21f82c2..c1984e5 100644
110516--- a/kernel/taskstats.c
110517+++ b/kernel/taskstats.c
110518@@ -28,9 +28,12 @@
110519 #include <linux/fs.h>
110520 #include <linux/file.h>
110521 #include <linux/pid_namespace.h>
110522+#include <linux/grsecurity.h>
110523 #include <net/genetlink.h>
110524 #include <linux/atomic.h>
110525
110526+extern int gr_is_taskstats_denied(int pid);
110527+
110528 /*
110529 * Maximum length of a cpumask that can be specified in
110530 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
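Review bot: The prototype `extern int gr_is_taskstats_denied(int pid);` is declared locally in this .c file, directly after the hunk adds `#include <linux/grsecurity.h>`. A private extern is not checked against the function's definition, so a later signature change would still compile on this side. The declaration belongs in the header that was just included; whether that header already carries it is not visible here. If it has to stay local, a comment saying why would help the next reader.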
110531@@ -567,6 +570,9 @@ err:
110532
110533 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
110534 {
110535+ if (gr_is_taskstats_denied(current->pid))
110536+ return -EACCES;
110537+
110538 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
110539 return cmd_attr_register_cpumask(info);
110540 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
110541diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
110542index 7fbba635..7cc64ae 100644
110543--- a/kernel/time/alarmtimer.c
110544+++ b/kernel/time/alarmtimer.c
110545@@ -820,7 +820,7 @@ static int __init alarmtimer_init(void)
110546 struct platform_device *pdev;
110547 int error = 0;
110548 int i;
110549- struct k_clock alarm_clock = {
110550+ static struct k_clock alarm_clock = {
110551 .clock_getres = alarm_clock_getres,
110552 .clock_get = alarm_clock_get,
110553 .timer_create = alarm_timer_create,
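Review bot: The new `static` on `alarm_clock` in alarmtimer_init is what keeps the clock object alive after this __init function returns, but nothing at the declaration says so. The posix-timers.c hunks later in this patch turn `posix_clocks[]` into an array of pointers and make posix_timers_register_clock() store `new_clock` instead of copying it, so a stack-local k_clock handed to it (presumably further down in this function, outside the hunk) would leave a dangling pointer in the table. The same applies to `process` and `thread` in init_posix_cpu_timers and to every clock in init_posix_timers. A comment such as `/* registered by reference: must outlive this function */` here would document the caller side. The comment above posix_timers_register_clock() should also state that the object must stay valid while registered, because that function is exported with EXPORT_SYMBOL_GPL and other callers need to know the new contract.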
110554diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
110555index 892e3da..cb71aa5 100644
110556--- a/kernel/time/posix-cpu-timers.c
110557+++ b/kernel/time/posix-cpu-timers.c
110558@@ -1470,14 +1470,14 @@ struct k_clock clock_posix_cpu = {
110559
110560 static __init int init_posix_cpu_timers(void)
110561 {
110562- struct k_clock process = {
110563+ static struct k_clock process = {
110564 .clock_getres = process_cpu_clock_getres,
110565 .clock_get = process_cpu_clock_get,
110566 .timer_create = process_cpu_timer_create,
110567 .nsleep = process_cpu_nsleep,
110568 .nsleep_restart = process_cpu_nsleep_restart,
110569 };
110570- struct k_clock thread = {
110571+ static struct k_clock thread = {
110572 .clock_getres = thread_cpu_clock_getres,
110573 .clock_get = thread_cpu_clock_get,
110574 .timer_create = thread_cpu_timer_create,
110575diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
110576index 31d11ac..5a3bb13 100644
110577--- a/kernel/time/posix-timers.c
110578+++ b/kernel/time/posix-timers.c
110579@@ -43,6 +43,7 @@
110580 #include <linux/hash.h>
110581 #include <linux/posix-clock.h>
110582 #include <linux/posix-timers.h>
110583+#include <linux/grsecurity.h>
110584 #include <linux/syscalls.h>
110585 #include <linux/wait.h>
110586 #include <linux/workqueue.h>
110587@@ -124,7 +125,7 @@ static DEFINE_SPINLOCK(hash_lock);
110588 * which we beg off on and pass to do_sys_settimeofday().
110589 */
110590
110591-static struct k_clock posix_clocks[MAX_CLOCKS];
110592+static struct k_clock *posix_clocks[MAX_CLOCKS];
110593
110594 /*
110595 * These ones are defined below.
110596@@ -284,7 +285,7 @@ static int posix_get_hrtimer_res(clockid_t which_clock, struct timespec *tp)
110597 */
110598 static __init int init_posix_timers(void)
110599 {
110600- struct k_clock clock_realtime = {
110601+ static struct k_clock clock_realtime = {
110602 .clock_getres = posix_get_hrtimer_res,
110603 .clock_get = posix_clock_realtime_get,
110604 .clock_set = posix_clock_realtime_set,
110605@@ -296,7 +297,7 @@ static __init int init_posix_timers(void)
110606 .timer_get = common_timer_get,
110607 .timer_del = common_timer_del,
110608 };
110609- struct k_clock clock_monotonic = {
110610+ static struct k_clock clock_monotonic = {
110611 .clock_getres = posix_get_hrtimer_res,
110612 .clock_get = posix_ktime_get_ts,
110613 .nsleep = common_nsleep,
110614@@ -306,19 +307,19 @@ static __init int init_posix_timers(void)
110615 .timer_get = common_timer_get,
110616 .timer_del = common_timer_del,
110617 };
110618- struct k_clock clock_monotonic_raw = {
110619+ static struct k_clock clock_monotonic_raw = {
110620 .clock_getres = posix_get_hrtimer_res,
110621 .clock_get = posix_get_monotonic_raw,
110622 };
110623- struct k_clock clock_realtime_coarse = {
110624+ static struct k_clock clock_realtime_coarse = {
110625 .clock_getres = posix_get_coarse_res,
110626 .clock_get = posix_get_realtime_coarse,
110627 };
110628- struct k_clock clock_monotonic_coarse = {
110629+ static struct k_clock clock_monotonic_coarse = {
110630 .clock_getres = posix_get_coarse_res,
110631 .clock_get = posix_get_monotonic_coarse,
110632 };
110633- struct k_clock clock_tai = {
110634+ static struct k_clock clock_tai = {
110635 .clock_getres = posix_get_hrtimer_res,
110636 .clock_get = posix_get_tai,
110637 .nsleep = common_nsleep,
110638@@ -328,7 +329,7 @@ static __init int init_posix_timers(void)
110639 .timer_get = common_timer_get,
110640 .timer_del = common_timer_del,
110641 };
110642- struct k_clock clock_boottime = {
110643+ static struct k_clock clock_boottime = {
110644 .clock_getres = posix_get_hrtimer_res,
110645 .clock_get = posix_get_boottime,
110646 .nsleep = common_nsleep,
110647@@ -540,7 +541,7 @@ void posix_timers_register_clock(const clockid_t clock_id,
110648 return;
110649 }
110650
110651- posix_clocks[clock_id] = *new_clock;
110652+ posix_clocks[clock_id] = new_clock;
110653 }
110654 EXPORT_SYMBOL_GPL(posix_timers_register_clock);
110655
110656@@ -586,9 +587,9 @@ static struct k_clock *clockid_to_kclock(const clockid_t id)
110657 return (id & CLOCKFD_MASK) == CLOCKFD ?
110658 &clock_posix_dynamic : &clock_posix_cpu;
110659
110660- if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
110661+ if (id >= MAX_CLOCKS || !posix_clocks[id] || !posix_clocks[id]->clock_getres)
110662 return NULL;
110663- return &posix_clocks[id];
110664+ return posix_clocks[id];
110665 }
110666
110667 static int common_timer_create(struct k_itimer *new_timer)
110668@@ -606,7 +607,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
110669 struct k_clock *kc = clockid_to_kclock(which_clock);
110670 struct k_itimer *new_timer;
110671 int error, new_timer_id;
110672- sigevent_t event;
110673+ sigevent_t event = { };
110674 int it_id_set = IT_ID_NOT_SET;
110675
110676 if (!kc)
110677@@ -1021,6 +1022,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
110678 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
110679 return -EFAULT;
110680
110681+ /* only the CLOCK_REALTIME clock can be set, all other clocks
110682+ have their clock_set fptr set to a nosettime dummy function
110683+ CLOCK_REALTIME has a NULL clock_set fptr which causes it to
110684+ call common_clock_set, which calls do_sys_settimeofday, which
110685+ we hook
110686+ */
110687+
110688 return kc->clock_set(which_clock, &new_tp);
110689 }
110690
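Review bot: The comment added in clock_settime says CLOCK_REALTIME has a NULL clock_set pointer and falls through to common_clock_set, but the init_posix_timers hunk earlier in this file shows `clock_realtime` with `.clock_set = posix_clock_realtime_set`, and the unchanged line below the comment calls `kc->clock_set` directly. As written, the comment describes a dispatch path the visible code does not have, which will mislead anyone auditing where the time-change hook is reached. Suggest rewording it to match, for example `/* CLOCK_REALTIME is set via posix_clock_realtime_set(); the time-change logging hook sits further down that path */`. The handler itself is not part of this hunk, so the path should be confirmed against it first.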
110691diff --git a/kernel/time/time.c b/kernel/time/time.c
110692index 85d5bb1..aeca463 100644
110693--- a/kernel/time/time.c
110694+++ b/kernel/time/time.c
110695@@ -177,6 +177,11 @@ int do_sys_settimeofday(const struct timespec *tv, const struct timezone *tz)
110696 if (tz->tz_minuteswest > 15*60 || tz->tz_minuteswest < -15*60)
110697 return -EINVAL;
110698
110699+ /* we log in do_settimeofday called below, so don't log twice
110700+ */
110701+ if (!tv)
110702+ gr_log_timechange();
110703+
110704 sys_tz = *tz;
110705 update_vsyscall_tz();
110706 if (firsttime) {
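Review bot: The hunk calls `gr_log_timechange()` in do_sys_settimeofday, but this file's section adds no `#include <linux/grsecurity.h>`, unlike the timekeeping.c section of the same patch, which adds the include next to its call. If the declaration reaches this file through another header, that is fragile; an explicit include keeps the call from becoming an implicit declaration when header dependencies change. The comment could also say that this branch covers a timezone-only request, since `tv` is NULL here, which is why the logging on the clock-setting path does not cover it.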
110707diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
110708index bca3667..2745765 100644
110709--- a/kernel/time/timekeeping.c
110710+++ b/kernel/time/timekeeping.c
110711@@ -15,6 +15,7 @@
110712 #include <linux/init.h>
110713 #include <linux/mm.h>
110714 #include <linux/sched.h>
110715+#include <linux/grsecurity.h>
110716 #include <linux/syscore_ops.h>
110717 #include <linux/clocksource.h>
110718 #include <linux/jiffies.h>
110719@@ -915,6 +916,8 @@ int do_settimeofday64(const struct timespec64 *ts)
110720 if (!timespec64_valid_strict(ts))
110721 return -EINVAL;
110722
110723+ gr_log_timechange();
110724+
110725 raw_spin_lock_irqsave(&timekeeper_lock, flags);
110726 write_seqcount_begin(&tk_core.seq);
110727
110728diff --git a/kernel/time/timer.c b/kernel/time/timer.c
110729index 84190f0..6f4ccad 100644
110730--- a/kernel/time/timer.c
110731+++ b/kernel/time/timer.c
110732@@ -1406,7 +1406,7 @@ void update_process_times(int user_tick)
110733 /*
110734 * This function runs timers and the timer-tq in bottom half context.
110735 */
110736-static void run_timer_softirq(struct softirq_action *h)
110737+static __latent_entropy void run_timer_softirq(void)
110738 {
110739 struct tvec_base *base = this_cpu_ptr(&tvec_bases);
110740
110741diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
110742index a4536e1..5d8774c 100644
110743--- a/kernel/time/timer_list.c
110744+++ b/kernel/time/timer_list.c
110745@@ -50,12 +50,16 @@ static void SEQ_printf(struct seq_file *m, const char *fmt, ...)
110746
110747 static void print_name_offset(struct seq_file *m, void *sym)
110748 {
110749+#ifdef CONFIG_GRKERNSEC_HIDESYM
110750+ SEQ_printf(m, "<%p>", NULL);
110751+#else
110752 char symname[KSYM_NAME_LEN];
110753
110754 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
110755 SEQ_printf(m, "<%pK>", sym);
110756 else
110757 SEQ_printf(m, "%s", symname);
110758+#endif
110759 }
110760
110761 static void
110762@@ -124,11 +128,14 @@ next_one:
110763 static void
110764 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
110765 {
110766+#ifdef CONFIG_GRKERNSEC_HIDESYM
110767+ SEQ_printf(m, " .base: %p\n", NULL);
110768+#else
110769 SEQ_printf(m, " .base: %pK\n", base);
110770+#endif
110771 SEQ_printf(m, " .index: %d\n", base->index);
110772
110773 SEQ_printf(m, " .resolution: %u nsecs\n", (unsigned) hrtimer_resolution);
110774-
110775 SEQ_printf(m, " .get_time: ");
110776 print_name_offset(m, base->get_time);
110777 SEQ_printf(m, "\n");
110778@@ -399,7 +406,11 @@ static int __init init_timer_list_procfs(void)
110779 {
110780 struct proc_dir_entry *pe;
110781
110782+#ifdef CONFIG_GRKERNSEC_PROC_ADD
110783+ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
110784+#else
110785 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
110786+#endif
110787 if (!pe)
110788 return -ENOMEM;
110789 return 0;
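Review bot: The two `proc_create("timer_list", ...)` calls in init_timer_list_procfs differ only in the mode, so the `#ifdef` duplicates the whole statement; the init_tstats_procfs hunk in timer_stats.c does the same with 0600/0644. A single call keeps the name and fops in one place and lets the compiler see both modes: `pe = proc_create("timer_list", IS_ENABLED(CONFIG_GRKERNSEC_PROC_ADD) ? 0400 : 0444, NULL, &timer_list_fops);`. A short comment that the tighter mode makes the file owner-only because it exposes kernel timer state would record the intent.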
110790diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c
110791index 1adecb4..b4fb631 100644
110792--- a/kernel/time/timer_stats.c
110793+++ b/kernel/time/timer_stats.c
110794@@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
110795 static unsigned long nr_entries;
110796 static struct entry entries[MAX_ENTRIES];
110797
110798-static atomic_t overflow_count;
110799+static atomic_unchecked_t overflow_count;
110800
110801 /*
110802 * The entries are in a hash-table, for fast lookup:
110803@@ -140,7 +140,7 @@ static void reset_entries(void)
110804 nr_entries = 0;
110805 memset(entries, 0, sizeof(entries));
110806 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
110807- atomic_set(&overflow_count, 0);
110808+ atomic_set_unchecked(&overflow_count, 0);
110809 }
110810
110811 static struct entry *alloc_entry(void)
110812@@ -261,7 +261,7 @@ void timer_stats_update_stats(void *timer, pid_t pid, void *startf,
110813 if (likely(entry))
110814 entry->count++;
110815 else
110816- atomic_inc(&overflow_count);
110817+ atomic_inc_unchecked(&overflow_count);
110818
110819 out_unlock:
110820 raw_spin_unlock_irqrestore(lock, flags);
110821@@ -269,12 +269,16 @@ void timer_stats_update_stats(void *timer, pid_t pid, void *startf,
110822
110823 static void print_name_offset(struct seq_file *m, unsigned long addr)
110824 {
110825+#ifdef CONFIG_GRKERNSEC_HIDESYM
110826+ seq_printf(m, "<%p>", NULL);
110827+#else
110828 char symname[KSYM_NAME_LEN];
110829
110830 if (lookup_symbol_name(addr, symname) < 0)
110831- seq_printf(m, "<%p>", (void *)addr);
110832+ seq_printf(m, "<%pK>", (void *)addr);
110833 else
110834 seq_printf(m, "%s", symname);
110835+#endif
110836 }
110837
110838 static int tstats_show(struct seq_file *m, void *v)
110839@@ -300,8 +304,8 @@ static int tstats_show(struct seq_file *m, void *v)
110840
110841 seq_puts(m, "Timer Stats Version: v0.3\n");
110842 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
110843- if (atomic_read(&overflow_count))
110844- seq_printf(m, "Overflow: %d entries\n", atomic_read(&overflow_count));
110845+ if (atomic_read_unchecked(&overflow_count))
110846+ seq_printf(m, "Overflow: %d entries\n", atomic_read_unchecked(&overflow_count));
110847 seq_printf(m, "Collection: %s\n", timer_stats_active ? "active" : "inactive");
110848
110849 for (i = 0; i < nr_entries; i++) {
110850@@ -417,7 +421,11 @@ static int __init init_tstats_procfs(void)
110851 {
110852 struct proc_dir_entry *pe;
110853
110854+#ifdef CONFIG_GRKERNSEC_PROC_ADD
110855+ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
110856+#else
110857 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
110858+#endif
110859 if (!pe)
110860 return -ENOMEM;
110861 return 0;
110862diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
110863index 3b9a48a..6125816 100644
110864--- a/kernel/trace/Kconfig
110865+++ b/kernel/trace/Kconfig
110866@@ -120,6 +120,7 @@ config TRACING_SUPPORT
110867 # irqflags tracing for your architecture.
110868 depends on TRACE_IRQFLAGS_SUPPORT || PPC32
110869 depends on STACKTRACE_SUPPORT
110870+ depends on !GRKERNSEC_KMEM
110871 default y
110872
110873 if TRACING_SUPPORT
110874@@ -378,6 +379,7 @@ config BLK_DEV_IO_TRACE
110875 depends on BLOCK
110876 select RELAY
110877 select DEBUG_FS
110878+ depends on !GRKERNSEC_KMEM
110879 select TRACEPOINTS
110880 select GENERIC_TRACER
110881 select STACKTRACE
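Review bot: In BLK_DEV_IO_TRACE the new `depends on !GRKERNSEC_KMEM` is inserted in the middle of the `select` list, after `select DEBUG_FS`, rather than next to the existing `depends on BLOCK`. Keeping the dependencies together makes it harder to miss that the option is unavailable under GRKERNSEC_KMEM when reading or merging this entry. Neither this entry nor TRACING_SUPPORT gains a comment saying why tracing is excluded; a one-line `#` comment above each new line would record the reason.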
110882diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
110883index b3e6b39..719099b 100644
110884--- a/kernel/trace/blktrace.c
110885+++ b/kernel/trace/blktrace.c
110886@@ -328,7 +328,7 @@ static ssize_t blk_dropped_read(struct file *filp, char __user *buffer,
110887 struct blk_trace *bt = filp->private_data;
110888 char buf[16];
110889
110890- snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
110891+ snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
110892
110893 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
110894 }
110895@@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(struct rchan_buf *buf, void *subbuf,
110896 return 1;
110897
110898 bt = buf->chan->private_data;
110899- atomic_inc(&bt->dropped);
110900+ atomic_inc_unchecked(&bt->dropped);
110901 return 0;
110902 }
110903
110904@@ -485,7 +485,7 @@ int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
110905
110906 bt->dir = dir;
110907 bt->dev = dev;
110908- atomic_set(&bt->dropped, 0);
110909+ atomic_set_unchecked(&bt->dropped, 0);
110910 INIT_LIST_HEAD(&bt->running_list);
110911
110912 ret = -EIO;
110913diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
110914index eb11011..43adc29 100644
110915--- a/kernel/trace/ftrace.c
110916+++ b/kernel/trace/ftrace.c
110917@@ -2413,12 +2413,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
110918 if (unlikely(ftrace_disabled))
110919 return 0;
110920
110921+ ret = ftrace_arch_code_modify_prepare();
110922+ FTRACE_WARN_ON(ret);
110923+ if (ret)
110924+ return 0;
110925+
110926 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
110927+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
110928 if (ret) {
110929 ftrace_bug(ret, rec);
110930- return 0;
110931 }
110932- return 1;
110933+ return ret ? 0 : 1;
110934 }
110935
110936 /*
110937@@ -4807,8 +4812,10 @@ static int ftrace_process_locs(struct module *mod,
110938 if (!count)
110939 return 0;
110940
110941+ pax_open_kernel();
110942 sort(start, count, sizeof(*start),
110943 ftrace_cmp_ips, ftrace_swap_ips);
110944+ pax_close_kernel();
110945
110946 start_pg = ftrace_allocate_pages(count);
110947 if (!start_pg)
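Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair around `sort()` in ftrace_process_locs has no comment saying which object needs the write window. Presumably the `start` table, which is sorted in place, sits in memory that is otherwise read-only, but that cannot be confirmed from the hunk. A comment such as `/* the location table is sorted in place and may be read-only; keep the window limited to the sort */` would let a reviewer check that nothing else is meant to be written while it is open. It should also mention that `ftrace_cmp_ips` and `ftrace_swap_ips` execute inside the window. The function continues outside the hunk.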
110948@@ -5675,7 +5682,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
110949
110950 if (t->ret_stack == NULL) {
110951 atomic_set(&t->tracing_graph_pause, 0);
110952- atomic_set(&t->trace_overrun, 0);
110953+ atomic_set_unchecked(&t->trace_overrun, 0);
110954 t->curr_ret_stack = -1;
110955 /* Make sure the tasks see the -1 first: */
110956 smp_wmb();
110957@@ -5898,7 +5905,7 @@ static void
110958 graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
110959 {
110960 atomic_set(&t->tracing_graph_pause, 0);
110961- atomic_set(&t->trace_overrun, 0);
110962+ atomic_set_unchecked(&t->trace_overrun, 0);
110963 t->ftrace_timestamp = 0;
110964 /* make curr_ret_stack visible before we add the ret_stack */
110965 smp_wmb();
110966diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
110967index 6260717..b9bd83c 100644
110968--- a/kernel/trace/ring_buffer.c
110969+++ b/kernel/trace/ring_buffer.c
110970@@ -296,9 +296,9 @@ struct buffer_data_page {
110971 */
110972 struct buffer_page {
110973 struct list_head list; /* list of buffer pages */
110974- local_t write; /* index for next write */
110975+ local_unchecked_t write; /* index for next write */
110976 unsigned read; /* index for next read */
110977- local_t entries; /* entries on this page */
110978+ local_unchecked_t entries; /* entries on this page */
110979 unsigned long real_end; /* real end of data */
110980 struct buffer_data_page *page; /* Actual data page */
110981 };
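Review bot: The field comments on `write` and `entries` in struct buffer_page still read only "index for next write" and "entries on this page" after the switch to `local_unchecked_t`. The rb_tail_page_update hunk below shows why a wrapping type is wanted: RB_WRITE_INTCNT is added into the same word and readers mask the value with RB_WRITE_MASK, so the upper bits hold a counter that is expected to wrap. Extending the comment, e.g. `/* index for next write; upper bits hold a counter that may wrap */`, would record that the exemption from overflow checking is deliberate (that this is what the `_unchecked` types do is an assumption, since their definition is not visible here). The same applies to `overrun`, `commit_overrun`, `dropped_events` and `commits` in the struct ring_buffer_per_cpu hunk that follows, which look like statistics counters but carry no note.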
110982@@ -437,11 +437,11 @@ struct ring_buffer_per_cpu {
110983 unsigned long last_overrun;
110984 local_t entries_bytes;
110985 local_t entries;
110986- local_t overrun;
110987- local_t commit_overrun;
110988- local_t dropped_events;
110989+ local_unchecked_t overrun;
110990+ local_unchecked_t commit_overrun;
110991+ local_unchecked_t dropped_events;
110992 local_t committing;
110993- local_t commits;
110994+ local_unchecked_t commits;
110995 unsigned long read;
110996 unsigned long read_bytes;
110997 u64 write_stamp;
110998@@ -1011,8 +1011,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
110999 *
111000 * We add a counter to the write field to denote this.
111001 */
111002- old_write = local_add_return(RB_WRITE_INTCNT, &next_page->write);
111003- old_entries = local_add_return(RB_WRITE_INTCNT, &next_page->entries);
111004+ old_write = local_add_return_unchecked(RB_WRITE_INTCNT, &next_page->write);
111005+ old_entries = local_add_return_unchecked(RB_WRITE_INTCNT, &next_page->entries);
111006
111007 /*
111008 * Just make sure we have seen our old_write and synchronize
111009@@ -1040,8 +1040,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
111010 * cmpxchg to only update if an interrupt did not already
111011 * do it for us. If the cmpxchg fails, we don't care.
111012 */
111013- (void)local_cmpxchg(&next_page->write, old_write, val);
111014- (void)local_cmpxchg(&next_page->entries, old_entries, eval);
111015+ (void)local_cmpxchg_unchecked(&next_page->write, old_write, val);
111016+ (void)local_cmpxchg_unchecked(&next_page->entries, old_entries, eval);
111017
111018 /*
111019 * No need to worry about races with clearing out the commit.
111020@@ -1409,12 +1409,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer);
111021
111022 static inline unsigned long rb_page_entries(struct buffer_page *bpage)
111023 {
111024- return local_read(&bpage->entries) & RB_WRITE_MASK;
111025+ return local_read_unchecked(&bpage->entries) & RB_WRITE_MASK;
111026 }
111027
111028 static inline unsigned long rb_page_write(struct buffer_page *bpage)
111029 {
111030- return local_read(&bpage->write) & RB_WRITE_MASK;
111031+ return local_read_unchecked(&bpage->write) & RB_WRITE_MASK;
111032 }
111033
111034 static int
111035@@ -1509,7 +1509,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
111036 * bytes consumed in ring buffer from here.
111037 * Increment overrun to account for the lost events.
111038 */
111039- local_add(page_entries, &cpu_buffer->overrun);
111040+ local_add_unchecked(page_entries, &cpu_buffer->overrun);
111041 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
111042 }
111043
111044@@ -2071,7 +2071,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
111045 * it is our responsibility to update
111046 * the counters.
111047 */
111048- local_add(entries, &cpu_buffer->overrun);
111049+ local_add_unchecked(entries, &cpu_buffer->overrun);
111050 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
111051
111052 /*
111053@@ -2221,7 +2221,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
111054 if (tail == BUF_PAGE_SIZE)
111055 tail_page->real_end = 0;
111056
111057- local_sub(length, &tail_page->write);
111058+ local_sub_unchecked(length, &tail_page->write);
111059 return;
111060 }
111061
111062@@ -2256,7 +2256,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
111063 rb_event_set_padding(event);
111064
111065 /* Set the write back to the previous setting */
111066- local_sub(length, &tail_page->write);
111067+ local_sub_unchecked(length, &tail_page->write);
111068 return;
111069 }
111070
111071@@ -2268,7 +2268,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
111072
111073 /* Set write to end of buffer */
111074 length = (tail + length) - BUF_PAGE_SIZE;
111075- local_sub(length, &tail_page->write);
111076+ local_sub_unchecked(length, &tail_page->write);
111077 }
111078
111079 /*
111080@@ -2294,7 +2294,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
111081 * about it.
111082 */
111083 if (unlikely(next_page == commit_page)) {
111084- local_inc(&cpu_buffer->commit_overrun);
111085+ local_inc_unchecked(&cpu_buffer->commit_overrun);
111086 goto out_reset;
111087 }
111088
111089@@ -2324,7 +2324,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
111090 * this is easy, just stop here.
111091 */
111092 if (!(buffer->flags & RB_FL_OVERWRITE)) {
111093- local_inc(&cpu_buffer->dropped_events);
111094+ local_inc_unchecked(&cpu_buffer->dropped_events);
111095 goto out_reset;
111096 }
111097
111098@@ -2350,7 +2350,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
111099 cpu_buffer->tail_page) &&
111100 (cpu_buffer->commit_page ==
111101 cpu_buffer->reader_page))) {
111102- local_inc(&cpu_buffer->commit_overrun);
111103+ local_inc_unchecked(&cpu_buffer->commit_overrun);
111104 goto out_reset;
111105 }
111106 }
111107@@ -2398,7 +2398,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
111108 length += RB_LEN_TIME_EXTEND;
111109
111110 tail_page = cpu_buffer->tail_page;
111111- write = local_add_return(length, &tail_page->write);
111112+ write = local_add_return_unchecked(length, &tail_page->write);
111113
111114 /* set write to only the index of the write */
111115 write &= RB_WRITE_MASK;
111116@@ -2422,7 +2422,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
111117 kmemcheck_annotate_bitfield(event, bitfield);
111118 rb_update_event(cpu_buffer, event, length, add_timestamp, delta);
111119
111120- local_inc(&tail_page->entries);
111121+ local_inc_unchecked(&tail_page->entries);
111122
111123 /*
111124 * If this is the first commit on the page, then update
111125@@ -2455,7 +2455,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
111126
111127 if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) {
111128 unsigned long write_mask =
111129- local_read(&bpage->write) & ~RB_WRITE_MASK;
111130+ local_read_unchecked(&bpage->write) & ~RB_WRITE_MASK;
111131 unsigned long event_length = rb_event_length(event);
111132 /*
111133 * This is on the tail page. It is possible that
111134@@ -2465,7 +2465,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
111135 */
111136 old_index += write_mask;
111137 new_index += write_mask;
111138- index = local_cmpxchg(&bpage->write, old_index, new_index);
111139+ index = local_cmpxchg_unchecked(&bpage->write, old_index, new_index);
111140 if (index == old_index) {
111141 /* update counters */
111142 local_sub(event_length, &cpu_buffer->entries_bytes);
111143@@ -2480,7 +2480,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
111144 static void rb_start_commit(struct ring_buffer_per_cpu *cpu_buffer)
111145 {
111146 local_inc(&cpu_buffer->committing);
111147- local_inc(&cpu_buffer->commits);
111148+ local_inc_unchecked(&cpu_buffer->commits);
111149 }
111150
111151 static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
111152@@ -2492,7 +2492,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
111153 return;
111154
111155 again:
111156- commits = local_read(&cpu_buffer->commits);
111157+ commits = local_read_unchecked(&cpu_buffer->commits);
111158 /* synchronize with interrupts */
111159 barrier();
111160 if (local_read(&cpu_buffer->committing) == 1)
111161@@ -2508,7 +2508,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
111162 * updating of the commit page and the clearing of the
111163 * committing counter.
111164 */
111165- if (unlikely(local_read(&cpu_buffer->commits) != commits) &&
111166+ if (unlikely(local_read_unchecked(&cpu_buffer->commits) != commits) &&
111167 !local_read(&cpu_buffer->committing)) {
111168 local_inc(&cpu_buffer->committing);
111169 goto again;
111170@@ -2538,7 +2538,7 @@ rb_reserve_next_event(struct ring_buffer *buffer,
111171 barrier();
111172 if (unlikely(ACCESS_ONCE(cpu_buffer->buffer) != buffer)) {
111173 local_dec(&cpu_buffer->committing);
111174- local_dec(&cpu_buffer->commits);
111175+ local_dec_unchecked(&cpu_buffer->commits);
111176 return NULL;
111177 }
111178 #endif
111179@@ -2852,7 +2852,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
111180
111181 /* Do the likely case first */
111182 if (likely(bpage->page == (void *)addr)) {
111183- local_dec(&bpage->entries);
111184+ local_dec_unchecked(&bpage->entries);
111185 return;
111186 }
111187
111188@@ -2864,7 +2864,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
111189 start = bpage;
111190 do {
111191 if (bpage->page == (void *)addr) {
111192- local_dec(&bpage->entries);
111193+ local_dec_unchecked(&bpage->entries);
111194 return;
111195 }
111196 rb_inc_page(cpu_buffer, &bpage);
111197@@ -3152,7 +3152,7 @@ static inline unsigned long
111198 rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer)
111199 {
111200 return local_read(&cpu_buffer->entries) -
111201- (local_read(&cpu_buffer->overrun) + cpu_buffer->read);
111202+ (local_read_unchecked(&cpu_buffer->overrun) + cpu_buffer->read);
111203 }
111204
111205 /**
111206@@ -3241,7 +3241,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
111207 return 0;
111208
111209 cpu_buffer = buffer->buffers[cpu];
111210- ret = local_read(&cpu_buffer->overrun);
111211+ ret = local_read_unchecked(&cpu_buffer->overrun);
111212
111213 return ret;
111214 }
111215@@ -3264,7 +3264,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
111216 return 0;
111217
111218 cpu_buffer = buffer->buffers[cpu];
111219- ret = local_read(&cpu_buffer->commit_overrun);
111220+ ret = local_read_unchecked(&cpu_buffer->commit_overrun);
111221
111222 return ret;
111223 }
111224@@ -3286,7 +3286,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu)
111225 return 0;
111226
111227 cpu_buffer = buffer->buffers[cpu];
111228- ret = local_read(&cpu_buffer->dropped_events);
111229+ ret = local_read_unchecked(&cpu_buffer->dropped_events);
111230
111231 return ret;
111232 }
111233@@ -3349,7 +3349,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
111234 /* if you care about this being correct, lock the buffer */
111235 for_each_buffer_cpu(buffer, cpu) {
111236 cpu_buffer = buffer->buffers[cpu];
111237- overruns += local_read(&cpu_buffer->overrun);
111238+ overruns += local_read_unchecked(&cpu_buffer->overrun);
111239 }
111240
111241 return overruns;
111242@@ -3520,8 +3520,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
111243 /*
111244 * Reset the reader page to size zero.
111245 */
111246- local_set(&cpu_buffer->reader_page->write, 0);
111247- local_set(&cpu_buffer->reader_page->entries, 0);
111248+ local_set_unchecked(&cpu_buffer->reader_page->write, 0);
111249+ local_set_unchecked(&cpu_buffer->reader_page->entries, 0);
111250 local_set(&cpu_buffer->reader_page->page->commit, 0);
111251 cpu_buffer->reader_page->real_end = 0;
111252
111253@@ -3555,7 +3555,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
111254 * want to compare with the last_overrun.
111255 */
111256 smp_mb();
111257- overwrite = local_read(&(cpu_buffer->overrun));
111258+ overwrite = local_read_unchecked(&(cpu_buffer->overrun));
111259
111260 /*
111261 * Here's the tricky part.
111262@@ -4137,8 +4137,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
111263
111264 cpu_buffer->head_page
111265 = list_entry(cpu_buffer->pages, struct buffer_page, list);
111266- local_set(&cpu_buffer->head_page->write, 0);
111267- local_set(&cpu_buffer->head_page->entries, 0);
111268+ local_set_unchecked(&cpu_buffer->head_page->write, 0);
111269+ local_set_unchecked(&cpu_buffer->head_page->entries, 0);
111270 local_set(&cpu_buffer->head_page->page->commit, 0);
111271
111272 cpu_buffer->head_page->read = 0;
111273@@ -4148,18 +4148,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
111274
111275 INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
111276 INIT_LIST_HEAD(&cpu_buffer->new_pages);
111277- local_set(&cpu_buffer->reader_page->write, 0);
111278- local_set(&cpu_buffer->reader_page->entries, 0);
111279+ local_set_unchecked(&cpu_buffer->reader_page->write, 0);
111280+ local_set_unchecked(&cpu_buffer->reader_page->entries, 0);
111281 local_set(&cpu_buffer->reader_page->page->commit, 0);
111282 cpu_buffer->reader_page->read = 0;
111283
111284 local_set(&cpu_buffer->entries_bytes, 0);
111285- local_set(&cpu_buffer->overrun, 0);
111286- local_set(&cpu_buffer->commit_overrun, 0);
111287- local_set(&cpu_buffer->dropped_events, 0);
111288+ local_set_unchecked(&cpu_buffer->overrun, 0);
111289+ local_set_unchecked(&cpu_buffer->commit_overrun, 0);
111290+ local_set_unchecked(&cpu_buffer->dropped_events, 0);
111291 local_set(&cpu_buffer->entries, 0);
111292 local_set(&cpu_buffer->committing, 0);
111293- local_set(&cpu_buffer->commits, 0);
111294+ local_set_unchecked(&cpu_buffer->commits, 0);
111295 cpu_buffer->read = 0;
111296 cpu_buffer->read_bytes = 0;
111297
111298@@ -4549,8 +4549,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
111299 rb_init_page(bpage);
111300 bpage = reader->page;
111301 reader->page = *data_page;
111302- local_set(&reader->write, 0);
111303- local_set(&reader->entries, 0);
111304+ local_set_unchecked(&reader->write, 0);
111305+ local_set_unchecked(&reader->entries, 0);
111306 reader->read = 0;
111307 *data_page = bpage;
111308
111309diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
111310index abcbf7f..ef8b6fe 100644
111311--- a/kernel/trace/trace.c
111312+++ b/kernel/trace/trace.c
111313@@ -3539,7 +3539,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
111314 return 0;
111315 }
111316
111317-int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled)
111318+int set_tracer_flag(struct trace_array *tr, unsigned long mask, int enabled)
111319 {
111320 /* do nothing if flag is already set */
111321 if (!!(trace_flags & mask) == !!enabled)
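Review bot: Widening `mask` to `unsigned long` in set_tracer_flag leaves the neighbouring `trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)` at 32 bits, as the context line in the trace.h hunk shows. If set_tracer_flag forwards `mask` to a u32 parameter further down (the body is outside the hunk), any bit above 31 would be silently truncated there. Either the u32 callees should be widened as well, or a comment at the signature should state that only the low 32 bits are meaningful and the wider type is there to match `trace_flags`.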
111322diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
111323index 74bde81..f9abfd4 100644
111324--- a/kernel/trace/trace.h
111325+++ b/kernel/trace/trace.h
111326@@ -1272,7 +1272,7 @@ extern const char *__stop___tracepoint_str[];
111327 void trace_printk_init_buffers(void);
111328 void trace_printk_start_comm(void);
111329 int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set);
111330-int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled);
111331+int set_tracer_flag(struct trace_array *tr, unsigned long mask, int enabled);
111332
111333 /*
111334 * Normal trace_printk() and friends allocates special buffers
111335diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
111336index 0f06532..247c8e7 100644
111337--- a/kernel/trace/trace_clock.c
111338+++ b/kernel/trace/trace_clock.c
111339@@ -127,7 +127,7 @@ u64 notrace trace_clock_global(void)
111340 }
111341 EXPORT_SYMBOL_GPL(trace_clock_global);
111342
111343-static atomic64_t trace_counter;
111344+static atomic64_unchecked_t trace_counter;
111345
111346 /*
111347 * trace_clock_counter(): simply an atomic counter.
111348@@ -136,5 +136,5 @@ static atomic64_t trace_counter;
111349 */
111350 u64 notrace trace_clock_counter(void)
111351 {
111352- return atomic64_add_return(1, &trace_counter);
111353+ return atomic64_inc_return_unchecked(&trace_counter);
111354 }
111355diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
111356index 404a372..d9e5547 100644
111357--- a/kernel/trace/trace_events.c
111358+++ b/kernel/trace/trace_events.c
111359@@ -1887,7 +1887,6 @@ __trace_early_add_new_event(struct trace_event_call *call,
111360 return 0;
111361 }
111362
111363-struct ftrace_module_file_ops;
111364 static void __add_event_to_tracers(struct trace_event_call *call);
111365
111366 /* Add an additional event_call dynamically */
111367diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
111368index 8968bf7..e6623fc 100644
111369--- a/kernel/trace/trace_functions_graph.c
111370+++ b/kernel/trace/trace_functions_graph.c
111371@@ -132,7 +132,7 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
111372
111373 /* The return trace stack is full */
111374 if (current->curr_ret_stack == FTRACE_RETFUNC_DEPTH - 1) {
111375- atomic_inc(&current->trace_overrun);
111376+ atomic_inc_unchecked(&current->trace_overrun);
111377 return -EBUSY;
111378 }
111379
111380@@ -229,7 +229,7 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret,
111381 *ret = current->ret_stack[index].ret;
111382 trace->func = current->ret_stack[index].func;
111383 trace->calltime = current->ret_stack[index].calltime;
111384- trace->overrun = atomic_read(&current->trace_overrun);
111385+ trace->overrun = atomic_read_unchecked(&current->trace_overrun);
111386 trace->depth = index;
111387 }
111388
111389diff --git a/kernel/trace/trace_mmiotrace.c b/kernel/trace/trace_mmiotrace.c
111390index 638e110..99b73b2 100644
111391--- a/kernel/trace/trace_mmiotrace.c
111392+++ b/kernel/trace/trace_mmiotrace.c
111393@@ -24,7 +24,7 @@ struct header_iter {
111394 static struct trace_array *mmio_trace_array;
111395 static bool overrun_detected;
111396 static unsigned long prev_overruns;
111397-static atomic_t dropped_count;
111398+static atomic_unchecked_t dropped_count;
111399
111400 static void mmio_reset_data(struct trace_array *tr)
111401 {
111402@@ -124,7 +124,7 @@ static void mmio_close(struct trace_iterator *iter)
111403
111404 static unsigned long count_overruns(struct trace_iterator *iter)
111405 {
111406- unsigned long cnt = atomic_xchg(&dropped_count, 0);
111407+ unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
111408 unsigned long over = ring_buffer_overruns(iter->trace_buffer->buffer);
111409
111410 if (over > prev_overruns)
111411@@ -307,7 +307,7 @@ static void __trace_mmiotrace_rw(struct trace_array *tr,
111412 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
111413 sizeof(*entry), 0, pc);
111414 if (!event) {
111415- atomic_inc(&dropped_count);
111416+ atomic_inc_unchecked(&dropped_count);
111417 return;
111418 }
111419 entry = ring_buffer_event_data(event);
111420@@ -337,7 +337,7 @@ static void __trace_mmiotrace_map(struct trace_array *tr,
111421 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
111422 sizeof(*entry), 0, pc);
111423 if (!event) {
111424- atomic_inc(&dropped_count);
111425+ atomic_inc_unchecked(&dropped_count);
111426 return;
111427 }
111428 entry = ring_buffer_event_data(event);
111429diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
111430index dfab253..8e9b477 100644
111431--- a/kernel/trace/trace_output.c
111432+++ b/kernel/trace/trace_output.c
111433@@ -752,14 +752,16 @@ int register_trace_event(struct trace_event *event)
111434 goto out;
111435 }
111436
111437+ pax_open_kernel();
111438 if (event->funcs->trace == NULL)
111439- event->funcs->trace = trace_nop_print;
111440+ *(void **)&event->funcs->trace = trace_nop_print;
111441 if (event->funcs->raw == NULL)
111442- event->funcs->raw = trace_nop_print;
111443+ *(void **)&event->funcs->raw = trace_nop_print;
111444 if (event->funcs->hex == NULL)
111445- event->funcs->hex = trace_nop_print;
111446+ *(void **)&event->funcs->hex = trace_nop_print;
111447 if (event->funcs->binary == NULL)
111448- event->funcs->binary = trace_nop_print;
111449+ *(void **)&event->funcs->binary = trace_nop_print;
111450+ pax_close_kernel();
111451
111452 key = event->type & (EVENT_HASHSIZE - 1);
111453
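Review bot: The four stores written as `*(void **)&event->funcs->trace = trace_nop_print;` (likewise for `raw`, `hex` and `binary`) go through a `void **` cast, so the compiler no longer checks that trace_nop_print matches the member's function-pointer type. The hunk has no comment explaining the cast or the pax_open_kernel()/pax_close_kernel() pair around it. Presumably the members are made const by the constify plugin and the window lifts write protection for these stores; a comment such as `/* funcs is read-only after constification: fill in the default printers inside the open-kernel window */` would say why plain assignment is not used. The window is also opened when none of the four members is NULL, so testing first and opening only when a store is needed would keep the writable period shorter. register_trace_event() starts and ends outside the hunk.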
111454diff --git a/kernel/trace/trace_seq.c b/kernel/trace/trace_seq.c
111455index e694c9f..6775a38 100644
111456--- a/kernel/trace/trace_seq.c
111457+++ b/kernel/trace/trace_seq.c
111458@@ -337,7 +337,7 @@ int trace_seq_path(struct trace_seq *s, const struct path *path)
111459 return 0;
111460 }
111461
111462- seq_buf_path(&s->seq, path, "\n");
111463+ seq_buf_path(&s->seq, path, "\n\\");
111464
111465 if (unlikely(seq_buf_has_overflowed(&s->seq))) {
111466 s->seq.len = save_len;
111467diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
111468index 3f34496..0492d95 100644
111469--- a/kernel/trace/trace_stack.c
111470+++ b/kernel/trace/trace_stack.c
111471@@ -88,7 +88,7 @@ check_stack(unsigned long ip, unsigned long *stack)
111472 return;
111473
111474 /* we do not handle interrupt stacks yet */
111475- if (!object_is_on_stack(stack))
111476+ if (!object_starts_on_stack(stack))
111477 return;
111478
111479 local_irq_save(flags);
111480diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
111481index 7d567a4..407a28d 100644
111482--- a/kernel/trace/trace_syscalls.c
111483+++ b/kernel/trace/trace_syscalls.c
111484@@ -590,6 +590,8 @@ static int perf_sysenter_enable(struct trace_event_call *call)
111485 int num;
111486
111487 num = ((struct syscall_metadata *)call->data)->syscall_nr;
111488+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
111489+ return -EINVAL;
111490
111491 mutex_lock(&syscall_trace_lock);
111492 if (!sys_perf_refcount_enter)
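Review bot: The range test `num < 0 || num >= NR_syscalls` is added verbatim here and in the next three hunks (perf_sysenter_disable, perf_sysexit_enable, perf_sysexit_disable), so the bound now lives in four copies that must be kept in step. A single helper, for example `static inline bool syscall_nr_valid(int num) { return num >= 0 && num < NR_syscalls; }`, used as `if (WARN_ON_ONCE(!syscall_nr_valid(num)))`, would keep them consistent. The two disable paths return before the refcount decrement, which is only balanced if the matching enable was rejected by the same test; a one-line comment saying so would help. All four function bodies continue outside their hunks.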
111493@@ -610,6 +612,8 @@ static void perf_sysenter_disable(struct trace_event_call *call)
111494 int num;
111495
111496 num = ((struct syscall_metadata *)call->data)->syscall_nr;
111497+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
111498+ return;
111499
111500 mutex_lock(&syscall_trace_lock);
111501 sys_perf_refcount_enter--;
111502@@ -662,6 +666,8 @@ static int perf_sysexit_enable(struct trace_event_call *call)
111503 int num;
111504
111505 num = ((struct syscall_metadata *)call->data)->syscall_nr;
111506+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
111507+ return -EINVAL;
111508
111509 mutex_lock(&syscall_trace_lock);
111510 if (!sys_perf_refcount_exit)
111511@@ -682,6 +688,8 @@ static void perf_sysexit_disable(struct trace_event_call *call)
111512 int num;
111513
111514 num = ((struct syscall_metadata *)call->data)->syscall_nr;
111515+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
111516+ return;
111517
111518 mutex_lock(&syscall_trace_lock);
111519 sys_perf_refcount_exit--;
111520diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
111521index 4109f83..fe1f830 100644
111522--- a/kernel/user_namespace.c
111523+++ b/kernel/user_namespace.c
111524@@ -83,6 +83,21 @@ int create_user_ns(struct cred *new)
111525 !kgid_has_mapping(parent_ns, group))
111526 return -EPERM;
111527
111528+#ifdef CONFIG_GRKERNSEC
111529+ /*
111530+ * This doesn't really inspire confidence:
111531+ * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
111532+ * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
111533+ * Increases kernel attack surface in areas developers
111534+ * previously cared little about ("low importance due
111535+ * to requiring "root" capability")
111536+ * To be removed when this code receives *proper* review
111537+ */
111538+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
111539+ !capable(CAP_SETGID))
111540+ return -EPERM;
111541+#endif
111542+
111543 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
111544 if (!ns)
111545 return -ENOMEM;
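Review bot: The comment above the new `capable()` test records why user namespaces are distrusted but not what the test enforces. With CONFIG_GRKERNSEC set, create_user_ns() returns -EPERM unless the caller holds CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID, and capable() evaluates these against the initial user namespace, so unprivileged callers and callers privileged only inside a nested namespace are refused. I would add a line such as `/* only tasks with CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID in the initial user namespace may create a user namespace */`. The refusal shares -EPERM with the mapping check just above and is not logged, so someone diagnosing a failing sandbox or container runtime cannot tell the two apart. The function begins and continues outside the hunk.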
111546@@ -980,7 +995,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
111547 if (atomic_read(&current->mm->mm_users) > 1)
111548 return -EINVAL;
111549
111550- if (current->fs->users != 1)
111551+ if (atomic_read(&current->fs->users) != 1)
111552 return -EINVAL;
111553
111554 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
111555diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
111556index c8eac43..4b5f08f 100644
111557--- a/kernel/utsname_sysctl.c
111558+++ b/kernel/utsname_sysctl.c
111559@@ -47,7 +47,7 @@ static void put_uts(struct ctl_table *table, int write, void *which)
111560 static int proc_do_uts_string(struct ctl_table *table, int write,
111561 void __user *buffer, size_t *lenp, loff_t *ppos)
111562 {
111563- struct ctl_table uts_table;
111564+ ctl_table_no_const uts_table;
111565 int r;
111566 memcpy(&uts_table, table, sizeof(uts_table));
111567 uts_table.data = get_uts(table, write);
111568diff --git a/kernel/watchdog.c b/kernel/watchdog.c
111569index a6ffa43..e48103b 100644
111570--- a/kernel/watchdog.c
111571+++ b/kernel/watchdog.c
111572@@ -655,7 +655,7 @@ void watchdog_nmi_enable_all(void) {}
111573 void watchdog_nmi_disable_all(void) {}
111574 #endif /* CONFIG_HARDLOCKUP_DETECTOR */
111575
111576-static struct smp_hotplug_thread watchdog_threads = {
111577+static struct smp_hotplug_thread watchdog_threads __read_only = {
111578 .store = &softlockup_watchdog,
111579 .thread_should_run = watchdog_should_run,
111580 .thread_fn = watchdog,
111581diff --git a/kernel/workqueue.c b/kernel/workqueue.c
111582index a413acb..9c3d36a 100644
111583--- a/kernel/workqueue.c
111584+++ b/kernel/workqueue.c
111585@@ -4452,7 +4452,7 @@ static void rebind_workers(struct worker_pool *pool)
111586 WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
111587 worker_flags |= WORKER_REBOUND;
111588 worker_flags &= ~WORKER_UNBOUND;
111589- ACCESS_ONCE(worker->flags) = worker_flags;
111590+ ACCESS_ONCE_RW(worker->flags) = worker_flags;
111591 }
111592
111593 spin_unlock_irq(&pool->lock);
111594diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
111595index e2894b2..23751b3 100644
111596--- a/lib/Kconfig.debug
111597+++ b/lib/Kconfig.debug
111598@@ -242,6 +242,7 @@ config PAGE_OWNER
111599 bool "Track page owner"
111600 depends on DEBUG_KERNEL && STACKTRACE_SUPPORT
111601 select DEBUG_FS
111602+ depends on !GRKERNSEC_KMEM
111603 select STACKTRACE
111604 select PAGE_EXTENSION
111605 help
111606@@ -256,6 +257,7 @@ config PAGE_OWNER
111607
111608 config DEBUG_FS
111609 bool "Debug Filesystem"
111610+ depends on !GRKERNSEC_KMEM
111611 help
111612 debugfs is a virtual file system that kernel developers use to put
111613 debugging files into. Enable this option to be able to read and
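Review bot: `depends on !GRKERNSEC_KMEM` on DEBUG_FS does not by itself keep debugfs out of a GRKERNSEC_KMEM kernel, because `select DEBUG_FS` turns the symbol on regardless of its dependencies and kconfig only prints an unmet-dependency warning. The patch adds the same dependency to the selectors in this file (PAGE_OWNER, DEBUG_KMEMLEAK, NOTIFIER_ERROR_INJECTION, FAIL_MMC_REQUEST), but any `select DEBUG_FS` in another Kconfig file needs it too, and whether those are covered cannot be seen from here. A comment on this entry, e.g. `# every "select DEBUG_FS" must also carry "depends on !GRKERNSEC_KMEM"`, would keep a later selector from quietly re-enabling debugfs.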
111614@@ -488,6 +490,7 @@ config DEBUG_KMEMLEAK
111615 bool "Kernel memory leak detector"
111616 depends on DEBUG_KERNEL && HAVE_DEBUG_KMEMLEAK
111617 select DEBUG_FS
111618+ depends on !GRKERNSEC_KMEM
111619 select STACKTRACE if STACKTRACE_SUPPORT
111620 select KALLSYMS
111621 select CRC32
111622@@ -941,7 +944,7 @@ config DEBUG_MUTEXES
111623
111624 config DEBUG_WW_MUTEX_SLOWPATH
111625 bool "Wait/wound mutex debugging: Slowpath testing"
111626- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
111627+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
111628 select DEBUG_LOCK_ALLOC
111629 select DEBUG_SPINLOCK
111630 select DEBUG_MUTEXES
111631@@ -958,7 +961,7 @@ config DEBUG_WW_MUTEX_SLOWPATH
111632
111633 config DEBUG_LOCK_ALLOC
111634 bool "Lock debugging: detect incorrect freeing of live locks"
111635- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
111636+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
111637 select DEBUG_SPINLOCK
111638 select DEBUG_MUTEXES
111639 select LOCKDEP
111640@@ -972,7 +975,7 @@ config DEBUG_LOCK_ALLOC
111641
111642 config PROVE_LOCKING
111643 bool "Lock debugging: prove locking correctness"
111644- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
111645+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
111646 select LOCKDEP
111647 select DEBUG_SPINLOCK
111648 select DEBUG_MUTEXES
111649@@ -1023,7 +1026,7 @@ config LOCKDEP
111650
111651 config LOCK_STAT
111652 bool "Lock usage statistics"
111653- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
111654+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
111655 select LOCKDEP
111656 select DEBUG_SPINLOCK
111657 select DEBUG_MUTEXES
111658@@ -1422,6 +1425,7 @@ config NOTIFIER_ERROR_INJECTION
111659 tristate "Notifier error injection"
111660 depends on DEBUG_KERNEL
111661 select DEBUG_FS
111662+ depends on !GRKERNSEC_KMEM
111663 help
111664 This option provides the ability to inject artificial errors to
111665 specified notifier chain callbacks. It is useful to test the error
111666@@ -1534,6 +1538,7 @@ config FAIL_IO_TIMEOUT
111667 config FAIL_MMC_REQUEST
111668 bool "Fault-injection capability for MMC IO"
111669 select DEBUG_FS
111670+ depends on !GRKERNSEC_KMEM
111671 depends on FAULT_INJECTION && MMC
111672 help
111673 Provide fault-injection capability for MMC IO.
111674@@ -1563,6 +1568,7 @@ config LATENCYTOP
111675 depends on DEBUG_KERNEL
111676 depends on STACKTRACE_SUPPORT
111677 depends on PROC_FS
111678+ depends on !GRKERNSEC_HIDESYM
111679 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE && !ARM_UNWIND && !ARC
111680 select KALLSYMS
111681 select KALLSYMS_ALL
111682@@ -1579,7 +1585,7 @@ config ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
111683 config DEBUG_STRICT_USER_COPY_CHECKS
111684 bool "Strict user copy size checks"
111685 depends on ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
111686- depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING
111687+ depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING && !PAX_SIZE_OVERFLOW
111688 help
111689 Enabling this option turns a certain set of sanity checks for user
111690 copy operations into compile time failures.
111691@@ -1710,7 +1716,7 @@ endmenu # runtime tests
111692
111693 config PROVIDE_OHCI1394_DMA_INIT
111694 bool "Remote debugging over FireWire early on boot"
111695- depends on PCI && X86
111696+ depends on PCI && X86 && !GRKERNSEC
111697 help
111698 If you want to debug problems which hang or crash the kernel early
111699 on boot and the crashing machine has a FireWire port, you can use
111700diff --git a/lib/Makefile b/lib/Makefile
111701index 6897b52..466bda9 100644
111702--- a/lib/Makefile
111703+++ b/lib/Makefile
111704@@ -62,7 +62,7 @@ obj-$(CONFIG_BTREE) += btree.o
111705 obj-$(CONFIG_INTERVAL_TREE) += interval_tree.o
111706 obj-$(CONFIG_ASSOCIATIVE_ARRAY) += assoc_array.o
111707 obj-$(CONFIG_DEBUG_PREEMPT) += smp_processor_id.o
111708-obj-$(CONFIG_DEBUG_LIST) += list_debug.o
111709+obj-y += list_debug.o
111710 obj-$(CONFIG_DEBUG_OBJECTS) += debugobjects.o
111711
111712 ifneq ($(CONFIG_HAVE_DEC_LOCK),y)
111713diff --git a/lib/average.c b/lib/average.c
111714index 114d1be..ab0350c 100644
111715--- a/lib/average.c
111716+++ b/lib/average.c
111717@@ -55,7 +55,7 @@ struct ewma *ewma_add(struct ewma *avg, unsigned long val)
111718 {
111719 unsigned long internal = ACCESS_ONCE(avg->internal);
111720
111721- ACCESS_ONCE(avg->internal) = internal ?
111722+ ACCESS_ONCE_RW(avg->internal) = internal ?
111723 (((internal << avg->weight) - internal) +
111724 (val << avg->factor)) >> avg->weight :
111725 (val << avg->factor);
111726diff --git a/lib/bitmap.c b/lib/bitmap.c
111727index a578a01..2198e50 100644
111728--- a/lib/bitmap.c
111729+++ b/lib/bitmap.c
111730@@ -361,7 +361,7 @@ int __bitmap_parse(const char *buf, unsigned int buflen,
111731 {
111732 int c, old_c, totaldigits, ndigits, nchunks, nbits;
111733 u32 chunk;
111734- const char __user __force *ubuf = (const char __user __force *)buf;
111735+ const char __user *ubuf = (const char __force_user *)buf;
111736
111737 bitmap_zero(maskp, nmaskbits);
111738
111739@@ -446,7 +446,7 @@ int bitmap_parse_user(const char __user *ubuf,
111740 {
111741 if (!access_ok(VERIFY_READ, ubuf, ulen))
111742 return -EFAULT;
111743- return __bitmap_parse((const char __force *)ubuf,
111744+ return __bitmap_parse((const char __force_kernel *)ubuf,
111745 ulen, 1, maskp, nmaskbits);
111746
111747 }
111748@@ -506,7 +506,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
111749 {
111750 unsigned a, b;
111751 int c, old_c, totaldigits;
111752- const char __user __force *ubuf = (const char __user __force *)buf;
111753+ const char __user *ubuf = (const char __force_user *)buf;
111754 int at_start, in_range;
111755
111756 totaldigits = c = 0;
111757@@ -602,7 +602,7 @@ int bitmap_parselist_user(const char __user *ubuf,
111758 {
111759 if (!access_ok(VERIFY_READ, ubuf, ulen))
111760 return -EFAULT;
111761- return __bitmap_parselist((const char __force *)ubuf,
111762+ return __bitmap_parselist((const char __force_kernel *)ubuf,
111763 ulen, 1, maskp, nmaskbits);
111764 }
111765 EXPORT_SYMBOL(bitmap_parselist_user);
111766diff --git a/lib/bug.c b/lib/bug.c
111767index cff145f..724a0b8 100644
111768--- a/lib/bug.c
111769+++ b/lib/bug.c
111770@@ -148,6 +148,8 @@ enum bug_trap_type report_bug(unsigned long bugaddr, struct pt_regs *regs)
111771 return BUG_TRAP_TYPE_NONE;
111772
111773 bug = find_bug(bugaddr);
111774+ if (!bug)
111775+ return BUG_TRAP_TYPE_NONE;
111776
111777 file = NULL;
111778 line = 0;
111779diff --git a/lib/debugobjects.c b/lib/debugobjects.c
111780index 547f7f9..a6d4ba0 100644
111781--- a/lib/debugobjects.c
111782+++ b/lib/debugobjects.c
111783@@ -289,7 +289,7 @@ static void debug_object_is_on_stack(void *addr, int onstack)
111784 if (limit > 4)
111785 return;
111786
111787- is_on_stack = object_is_on_stack(addr);
111788+ is_on_stack = object_starts_on_stack(addr);
111789 if (is_on_stack == onstack)
111790 return;
111791
111792diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
111793index 0234361..41a411c 100644
111794--- a/lib/decompress_bunzip2.c
111795+++ b/lib/decompress_bunzip2.c
111796@@ -665,7 +665,8 @@ static int INIT start_bunzip(struct bunzip_data **bdp, void *inbuf, long len,
111797
111798 /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
111799 uncompressed data. Allocate intermediate buffer for block. */
111800- bd->dbufSize = 100000*(i-BZh0);
111801+ i -= BZh0;
111802+ bd->dbufSize = 100000 * i;
111803
111804 bd->dbuf = large_malloc(bd->dbufSize * sizeof(int));
111805 if (!bd->dbuf)
111806diff --git a/lib/decompress_unlzma.c b/lib/decompress_unlzma.c
111807index decb646..8d6441a 100644
111808--- a/lib/decompress_unlzma.c
111809+++ b/lib/decompress_unlzma.c
111810@@ -39,10 +39,10 @@
111811
111812 #define MIN(a, b) (((a) < (b)) ? (a) : (b))
111813
111814-static long long INIT read_int(unsigned char *ptr, int size)
111815+static unsigned long long INIT read_int(unsigned char *ptr, int size)
111816 {
111817 int i;
111818- long long ret = 0;
111819+ unsigned long long ret = 0;
111820
111821 for (i = 0; i < size; i++)
111822 ret = (ret << 8) | ptr[size-i-1];
111823diff --git a/lib/div64.c b/lib/div64.c
111824index 19ea7ed..20cac21 100644
111825--- a/lib/div64.c
111826+++ b/lib/div64.c
111827@@ -59,7 +59,7 @@ uint32_t __attribute__((weak)) __div64_32(uint64_t *n, uint32_t base)
111828 EXPORT_SYMBOL(__div64_32);
111829
111830 #ifndef div_s64_rem
111831-s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
111832+s64 __intentional_overflow(-1) div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
111833 {
111834 u64 quotient;
111835
111836@@ -130,7 +130,7 @@ EXPORT_SYMBOL(div64_u64_rem);
111837 * 'http://www.hackersdelight.org/hdcodetxt/divDouble.c.txt'
111838 */
111839 #ifndef div64_u64
111840-u64 div64_u64(u64 dividend, u64 divisor)
111841+u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor)
111842 {
111843 u32 high = divisor >> 32;
111844 u64 quot;
111845diff --git a/lib/dma-debug.c b/lib/dma-debug.c
111846index dace71f..13da37b 100644
111847--- a/lib/dma-debug.c
111848+++ b/lib/dma-debug.c
111849@@ -982,7 +982,7 @@ static int dma_debug_device_change(struct notifier_block *nb, unsigned long acti
111850
111851 void dma_debug_add_bus(struct bus_type *bus)
111852 {
111853- struct notifier_block *nb;
111854+ notifier_block_no_const *nb;
111855
111856 if (dma_debug_disabled())
111857 return;
111858@@ -1164,7 +1164,7 @@ static void check_unmap(struct dma_debug_entry *ref)
111859
111860 static void check_for_stack(struct device *dev, void *addr)
111861 {
111862- if (object_is_on_stack(addr))
111863+ if (object_starts_on_stack(addr))
111864 err_printk(dev, NULL, "DMA-API: device driver maps memory from "
111865 "stack [addr=%p]\n", addr);
111866 }
111867diff --git a/lib/inflate.c b/lib/inflate.c
111868index 013a761..c28f3fc 100644
111869--- a/lib/inflate.c
111870+++ b/lib/inflate.c
111871@@ -269,7 +269,7 @@ static void free(void *where)
111872 malloc_ptr = free_mem_ptr;
111873 }
111874 #else
111875-#define malloc(a) kmalloc(a, GFP_KERNEL)
111876+#define malloc(a) kmalloc((a), GFP_KERNEL)
111877 #define free(a) kfree(a)
111878 #endif
111879
111880diff --git a/lib/ioremap.c b/lib/ioremap.c
111881index 86c8911..f5bfc34 100644
111882--- a/lib/ioremap.c
111883+++ b/lib/ioremap.c
111884@@ -75,7 +75,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr,
111885 unsigned long next;
111886
111887 phys_addr -= addr;
111888- pmd = pmd_alloc(&init_mm, pud, addr);
111889+ pmd = pmd_alloc_kernel(&init_mm, pud, addr);
111890 if (!pmd)
111891 return -ENOMEM;
111892 do {
111893@@ -101,7 +101,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr,
111894 unsigned long next;
111895
111896 phys_addr -= addr;
111897- pud = pud_alloc(&init_mm, pgd, addr);
111898+ pud = pud_alloc_kernel(&init_mm, pgd, addr);
111899 if (!pud)
111900 return -ENOMEM;
111901 do {
111902diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
111903index bd2bea9..6b3c95e 100644
111904--- a/lib/is_single_threaded.c
111905+++ b/lib/is_single_threaded.c
111906@@ -22,6 +22,9 @@ bool current_is_single_threaded(void)
111907 struct task_struct *p, *t;
111908 bool ret;
111909
111910+ if (!mm)
111911+ return true;
111912+
111913 if (atomic_read(&task->signal->live) != 1)
111914 return false;
111915
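Review bot: The new `if (!mm) return true;` exit has no comment, and it reports a task without an mm as single-threaded before the `signal->live` test that follows is consulted. `mm` is assigned outside the hunk, presumably from `task->mm`. If so, a line such as `/* no mm (e.g. a kernel thread): nothing is shared, treat as single-threaded */` would record the intent and show that skipping the thread-group check is deliberate. The rest of current_is_single_threaded() lies outside the hunk.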
111916diff --git a/lib/kobject.c b/lib/kobject.c
111917index 3e3a5c3..4a12109 100644
111918--- a/lib/kobject.c
111919+++ b/lib/kobject.c
111920@@ -935,9 +935,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
111921
111922
111923 static DEFINE_SPINLOCK(kobj_ns_type_lock);
111924-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
111925+static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __read_only;
111926
111927-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
111928+int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
111929 {
111930 enum kobj_ns_type type = ops->type;
111931 int error;
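Review bot: Marking kobj_ns_type_register() `__init` means its text is discarded once boot finishes, so any caller that runs later (a module's init routine, for instance) would jump into freed memory. The hunk shows neither the callers nor whether the header prototype carries the same annotation. The change presumably goes with making `kobj_ns_ops_tbl` `__read_only`, since the table is written by this function outside the hunk. A comment such as `/* boot-time only: kobj_ns_ops_tbl is __read_only, so registration must finish during init */` would state that constraint where a future caller will see it.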
111932diff --git a/lib/list_debug.c b/lib/list_debug.c
111933index c24c2f7..f0296f4 100644
111934--- a/lib/list_debug.c
111935+++ b/lib/list_debug.c
111936@@ -11,7 +11,9 @@
111937 #include <linux/bug.h>
111938 #include <linux/kernel.h>
111939 #include <linux/rculist.h>
111940+#include <linux/mm.h>
111941
111942+#ifdef CONFIG_DEBUG_LIST
111943 /*
111944 * Insert a new entry between two known consecutive entries.
111945 *
111946@@ -19,21 +21,40 @@
111947 * the prev/next entries already!
111948 */
111949
111950+static bool __list_add_debug(struct list_head *new,
111951+ struct list_head *prev,
111952+ struct list_head *next)
111953+{
111954+ if (unlikely(next->prev != prev)) {
111955+ printk(KERN_ERR "list_add corruption. next->prev should be "
111956+ "prev (%p), but was %p. (next=%p).\n",
111957+ prev, next->prev, next);
111958+ BUG();
111959+ return false;
111960+ }
111961+ if (unlikely(prev->next != next)) {
111962+ printk(KERN_ERR "list_add corruption. prev->next should be "
111963+ "next (%p), but was %p. (prev=%p).\n",
111964+ next, prev->next, prev);
111965+ BUG();
111966+ return false;
111967+ }
111968+ if (unlikely(new == prev || new == next)) {
111969+ printk(KERN_ERR "list_add double add: new=%p, prev=%p, next=%p.\n",
111970+ new, prev, next);
111971+ BUG();
111972+ return false;
111973+ }
111974+ return true;
111975+}
111976+
111977 void __list_add(struct list_head *new,
111978- struct list_head *prev,
111979- struct list_head *next)
111980+ struct list_head *prev,
111981+ struct list_head *next)
111982 {
111983- WARN(next->prev != prev,
111984- "list_add corruption. next->prev should be "
111985- "prev (%p), but was %p. (next=%p).\n",
111986- prev, next->prev, next);
111987- WARN(prev->next != next,
111988- "list_add corruption. prev->next should be "
111989- "next (%p), but was %p. (prev=%p).\n",
111990- next, prev->next, prev);
111991- WARN(new == prev || new == next,
111992- "list_add double add: new=%p, prev=%p, next=%p.\n",
111993- new, prev, next);
111994+ if (!__list_add_debug(new, prev, next))
111995+ return;
111996+
111997 next->prev = new;
111998 new->next = next;
111999 new->prev = prev;
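Review bot: Each `return false;` that follows `BUG();` in __list_add_debug() looks unreachable when BUG() does not return. The `if (!__list_add_debug(new, prev, next)) return;` path in __list_add() would then only matter on a configuration where BUG() falls through, and nothing in the hunk says which behaviour is intended. The same pattern repeats in __list_del_entry_debug() in the next hunk. A short comment on the helper, for example `/* returns false on a corrupted list; callers must then skip the list update */`, would state the contract. It could also note that the old WARN() path went on to link the entry, whereas the new code stops at the first failed check.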
112000@@ -41,28 +62,46 @@ void __list_add(struct list_head *new,
112001 }
112002 EXPORT_SYMBOL(__list_add);
112003
112004-void __list_del_entry(struct list_head *entry)
112005+static bool __list_del_entry_debug(struct list_head *entry)
112006 {
112007 struct list_head *prev, *next;
112008
112009 prev = entry->prev;
112010 next = entry->next;
112011
112012- if (WARN(next == LIST_POISON1,
112013- "list_del corruption, %p->next is LIST_POISON1 (%p)\n",
112014- entry, LIST_POISON1) ||
112015- WARN(prev == LIST_POISON2,
112016- "list_del corruption, %p->prev is LIST_POISON2 (%p)\n",
112017- entry, LIST_POISON2) ||
112018- WARN(prev->next != entry,
112019- "list_del corruption. prev->next should be %p, "
112020- "but was %p\n", entry, prev->next) ||
112021- WARN(next->prev != entry,
112022- "list_del corruption. next->prev should be %p, "
112023- "but was %p\n", entry, next->prev))
112024+ if (unlikely(next == LIST_POISON1)) {
112025+ printk(KERN_ERR "list_del corruption, %p->next is LIST_POISON1 (%p)\n",
112026+ entry, LIST_POISON1);
112027+ BUG();
112028+ return false;
112029+ }
112030+ if (unlikely(prev == LIST_POISON2)) {
112031+ printk(KERN_ERR "list_del corruption, %p->prev is LIST_POISON2 (%p)\n",
112032+ entry, LIST_POISON2);
112033+ BUG();
112034+ return false;
112035+ }
112036+ if (unlikely(entry->prev->next != entry)) {
112037+ printk(KERN_ERR "list_del corruption. prev->next should be %p, "
112038+ "but was %p\n", entry, prev->next);
112039+ BUG();
112040+ return false;
112041+ }
112042+ if (unlikely(entry->next->prev != entry)) {
112043+ printk(KERN_ERR "list_del corruption. next->prev should be %p, "
112044+ "but was %p\n", entry, next->prev);
112045+ BUG();
112046+ return false;
112047+ }
112048+ return true;
112049+}
112050+
112051+void __list_del_entry(struct list_head *entry)
112052+{
112053+ if (!__list_del_entry_debug(entry))
112054 return;
112055
112056- __list_del(prev, next);
112057+ __list_del(entry->prev, entry->next);
112058 }
112059 EXPORT_SYMBOL(__list_del_entry);
112060
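Review bot: __list_del_entry_debug() loads `prev` and `next` once, but then tests `entry->prev->next` and `entry->next->prev` while the messages print `prev->next` and `next->prev`. __list_del_entry() reads `entry->prev` and `entry->next` a third time for the unlink. If the entry is being modified concurrently, which is part of what this check exists to catch, the value tested, the value logged and the value unlinked can differ. Testing the locals, `if (unlikely(prev->next != entry))` and `if (unlikely(next->prev != entry))`, keeps the check and the report consistent.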
112061@@ -86,15 +125,85 @@ EXPORT_SYMBOL(list_del);
112062 void __list_add_rcu(struct list_head *new,
112063 struct list_head *prev, struct list_head *next)
112064 {
112065- WARN(next->prev != prev,
112066- "list_add_rcu corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
112067- prev, next->prev, next);
112068- WARN(prev->next != next,
112069- "list_add_rcu corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
112070- next, prev->next, prev);
112071+ if (!__list_add_debug(new, prev, next))
112072+ return;
112073+
112074 new->next = next;
112075 new->prev = prev;
112076 rcu_assign_pointer(list_next_rcu(prev), new);
112077 next->prev = new;
112078 }
112079 EXPORT_SYMBOL(__list_add_rcu);
112080+#endif
112081+
112082+void __pax_list_add(struct list_head *new, struct list_head *prev, struct list_head *next)
112083+{
112084+#ifdef CONFIG_DEBUG_LIST
112085+ if (!__list_add_debug(new, prev, next))
112086+ return;
112087+#endif
112088+
112089+ pax_open_kernel();
112090+ next->prev = new;
112091+ new->next = next;
112092+ new->prev = prev;
112093+ prev->next = new;
112094+ pax_close_kernel();
112095+}
112096+EXPORT_SYMBOL(__pax_list_add);
112097+
112098+void pax_list_del(struct list_head *entry)
112099+{
112100+#ifdef CONFIG_DEBUG_LIST
112101+ if (!__list_del_entry_debug(entry))
112102+ return;
112103+#endif
112104+
112105+ pax_open_kernel();
112106+ __list_del(entry->prev, entry->next);
112107+ entry->next = LIST_POISON1;
112108+ entry->prev = LIST_POISON2;
112109+ pax_close_kernel();
112110+}
112111+EXPORT_SYMBOL(pax_list_del);
112112+
112113+void pax_list_del_init(struct list_head *entry)
112114+{
112115+ pax_open_kernel();
112116+ __list_del(entry->prev, entry->next);
112117+ INIT_LIST_HEAD(entry);
112118+ pax_close_kernel();
112119+}
112120+EXPORT_SYMBOL(pax_list_del_init);
112121+
112122+void __pax_list_add_rcu(struct list_head *new,
112123+ struct list_head *prev, struct list_head *next)
112124+{
112125+#ifdef CONFIG_DEBUG_LIST
112126+ if (!__list_add_debug(new, prev, next))
112127+ return;
112128+#endif
112129+
112130+ pax_open_kernel();
112131+ new->next = next;
112132+ new->prev = prev;
112133+ rcu_assign_pointer(list_next_rcu(prev), new);
112134+ next->prev = new;
112135+ pax_close_kernel();
112136+}
112137+EXPORT_SYMBOL(__pax_list_add_rcu);
112138+
112139+void pax_list_del_rcu(struct list_head *entry)
112140+{
112141+#ifdef CONFIG_DEBUG_LIST
112142+ if (!__list_del_entry_debug(entry))
112143+ return;
112144+#endif
112145+
112146+ pax_open_kernel();
112147+ __list_del(entry->prev, entry->next);
112148+ entry->next = LIST_POISON1;
112149+ entry->prev = LIST_POISON2;
112150+ pax_close_kernel();
112151+}
112152+EXPORT_SYMBOL(pax_list_del_rcu);
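Review bot: pax_list_del_rcu() writes `entry->next = LIST_POISON1;` after unlinking, but an RCU reader still positioned on the removed entry follows `next` to continue its walk, so poisoning it can send that reader to the poison address. The stock list_del_rcu() poisons only `prev` for this reason; dropping the `entry->next` line and keeping `entry->prev = LIST_POISON2;` restores that behaviour. Separately, pax_list_del_init() is the only new unlink helper without the `__list_del_entry_debug()` test under CONFIG_DEBUG_LIST, so it rewrites neighbouring list pointers inside the pax_open_kernel() window with no validation. Adding the `#ifdef CONFIG_DEBUG_LIST` guard used in pax_list_del() would make the helpers consistent.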
112153diff --git a/lib/lockref.c b/lib/lockref.c
112154index 494994b..65caf94 100644
112155--- a/lib/lockref.c
112156+++ b/lib/lockref.c
112157@@ -48,13 +48,13 @@
112158 void lockref_get(struct lockref *lockref)
112159 {
112160 CMPXCHG_LOOP(
112161- new.count++;
112162+ __lockref_inc(&new);
112163 ,
112164 return;
112165 );
112166
112167 spin_lock(&lockref->lock);
112168- lockref->count++;
112169+ __lockref_inc(lockref);
112170 spin_unlock(&lockref->lock);
112171 }
112172 EXPORT_SYMBOL(lockref_get);
112173@@ -69,8 +69,8 @@ int lockref_get_not_zero(struct lockref *lockref)
112174 int retval;
112175
112176 CMPXCHG_LOOP(
112177- new.count++;
112178- if (old.count <= 0)
112179+ __lockref_inc(&new);
112180+ if (__lockref_read(&old) <= 0)
112181 return 0;
112182 ,
112183 return 1;
112184@@ -78,8 +78,8 @@ int lockref_get_not_zero(struct lockref *lockref)
112185
112186 spin_lock(&lockref->lock);
112187 retval = 0;
112188- if (lockref->count > 0) {
112189- lockref->count++;
112190+ if (__lockref_read(lockref) > 0) {
112191+ __lockref_inc(lockref);
112192 retval = 1;
112193 }
112194 spin_unlock(&lockref->lock);
112195@@ -96,17 +96,17 @@ EXPORT_SYMBOL(lockref_get_not_zero);
112196 int lockref_get_or_lock(struct lockref *lockref)
112197 {
112198 CMPXCHG_LOOP(
112199- new.count++;
112200- if (old.count <= 0)
112201+ __lockref_inc(&new);
112202+ if (__lockref_read(&old) <= 0)
112203 break;
112204 ,
112205 return 1;
112206 );
112207
112208 spin_lock(&lockref->lock);
112209- if (lockref->count <= 0)
112210+ if (__lockref_read(lockref) <= 0)
112211 return 0;
112212- lockref->count++;
112213+ __lockref_inc(lockref);
112214 spin_unlock(&lockref->lock);
112215 return 1;
112216 }
112217@@ -122,11 +122,11 @@ EXPORT_SYMBOL(lockref_get_or_lock);
112218 int lockref_put_return(struct lockref *lockref)
112219 {
112220 CMPXCHG_LOOP(
112221- new.count--;
112222- if (old.count <= 0)
112223+ __lockref_dec(&new);
112224+ if (__lockref_read(&old) <= 0)
112225 return -1;
112226 ,
112227- return new.count;
112228+ return __lockref_read(&new);
112229 );
112230 return -1;
112231 }
112232@@ -140,17 +140,17 @@ EXPORT_SYMBOL(lockref_put_return);
112233 int lockref_put_or_lock(struct lockref *lockref)
112234 {
112235 CMPXCHG_LOOP(
112236- new.count--;
112237- if (old.count <= 1)
112238+ __lockref_dec(&new);
112239+ if (__lockref_read(&old) <= 1)
112240 break;
112241 ,
112242 return 1;
112243 );
112244
112245 spin_lock(&lockref->lock);
112246- if (lockref->count <= 1)
112247+ if (__lockref_read(lockref) <= 1)
112248 return 0;
112249- lockref->count--;
112250+ __lockref_dec(lockref);
112251 spin_unlock(&lockref->lock);
112252 return 1;
112253 }
112254@@ -163,7 +163,7 @@ EXPORT_SYMBOL(lockref_put_or_lock);
112255 void lockref_mark_dead(struct lockref *lockref)
112256 {
112257 assert_spin_locked(&lockref->lock);
112258- lockref->count = -128;
112259+ __lockref_set(lockref, -128);
112260 }
112261 EXPORT_SYMBOL(lockref_mark_dead);
112262
112263@@ -177,8 +177,8 @@ int lockref_get_not_dead(struct lockref *lockref)
112264 int retval;
112265
112266 CMPXCHG_LOOP(
112267- new.count++;
112268- if (old.count < 0)
112269+ __lockref_inc(&new);
112270+ if (__lockref_read(&old) < 0)
112271 return 0;
112272 ,
112273 return 1;
112274@@ -186,8 +186,8 @@ int lockref_get_not_dead(struct lockref *lockref)
112275
112276 spin_lock(&lockref->lock);
112277 retval = 0;
112278- if (lockref->count >= 0) {
112279- lockref->count++;
112280+ if (__lockref_read(lockref) >= 0) {
112281+ __lockref_inc(lockref);
112282 retval = 1;
112283 }
112284 spin_unlock(&lockref->lock);
112285diff --git a/lib/nlattr.c b/lib/nlattr.c
112286index f5907d2..36072be 100644
112287--- a/lib/nlattr.c
112288+++ b/lib/nlattr.c
112289@@ -278,6 +278,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
112290 {
112291 int minlen = min_t(int, count, nla_len(src));
112292
112293+ BUG_ON(minlen < 0);
112294+
112295 memcpy(dest, nla_data(src), minlen);
112296 if (count > minlen)
112297 memset(dest + minlen, 0, count - minlen);
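Review bot: `BUG_ON(minlen < 0)` keeps a negative length from reaching `memcpy()`, where it would be converted to a very large `size_t`, but it does so by halting the kernel, so a malformed attribute whose `nla_len(src)` comes out negative turns into a crash rather than a rejected message. If callers can tolerate it, a recoverable guard such as `if (WARN_ON_ONCE(minlen < 0)) return 0;` would keep the protection without the availability cost; this is hedged, because the return-value contract is not visible in the hunk. A one-line comment stating why a negative `minlen` is dangerous would help either way. The end of nla_memcpy lies outside the hunk.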
112298diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
112299index 6111bcb..02e816b 100644
112300--- a/lib/percpu-refcount.c
112301+++ b/lib/percpu-refcount.c
112302@@ -31,7 +31,7 @@
112303 * atomic_long_t can't hit 0 before we've added up all the percpu refs.
112304 */
112305
112306-#define PERCPU_COUNT_BIAS (1LU << (BITS_PER_LONG - 1))
112307+#define PERCPU_COUNT_BIAS (1LU << (BITS_PER_LONG - 2))
112308
112309 static DECLARE_WAIT_QUEUE_HEAD(percpu_ref_switch_waitq);
112310
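Review bot: The new `PERCPU_COUNT_BIAS` value carries no explanation, and the comment block that ends just above the define does not say why the bias now sits one bit lower. Presumably the intent is to keep the biased atomic_long_t clear of the sign bit so that overflow-checked atomics do not trip on it, but that is inferred and should be confirmed. I would add a comment above the define, for example `/* one bit below the sign bit so the biased count stays positive under overflow checking */`.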
112311diff --git a/lib/radix-tree.c b/lib/radix-tree.c
112312index f9ebe1c..e985666 100644
112313--- a/lib/radix-tree.c
112314+++ b/lib/radix-tree.c
112315@@ -68,7 +68,7 @@ struct radix_tree_preload {
112316 /* nodes->private_data points to next preallocated node */
112317 struct radix_tree_node *nodes;
112318 };
112319-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
112320+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
112321
112322 static inline void *ptr_to_indirect(void *ptr)
112323 {
112324diff --git a/lib/random32.c b/lib/random32.c
112325index 0bee183..526f12f 100644
112326--- a/lib/random32.c
112327+++ b/lib/random32.c
112328@@ -47,7 +47,7 @@ static inline void prandom_state_selftest(void)
112329 }
112330 #endif
112331
112332-static DEFINE_PER_CPU(struct rnd_state, net_rand_state);
112333+static DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
112334
112335 /**
112336 * prandom_u32_state - seeded pseudo-random number generator.
112337diff --git a/lib/rbtree.c b/lib/rbtree.c
112338index 1356454..70ce6c6 100644
112339--- a/lib/rbtree.c
112340+++ b/lib/rbtree.c
112341@@ -412,7 +412,9 @@ static inline void dummy_copy(struct rb_node *old, struct rb_node *new) {}
112342 static inline void dummy_rotate(struct rb_node *old, struct rb_node *new) {}
112343
112344 static const struct rb_augment_callbacks dummy_callbacks = {
112345- dummy_propagate, dummy_copy, dummy_rotate
112346+ .propagate = dummy_propagate,
112347+ .copy = dummy_copy,
112348+ .rotate = dummy_rotate
112349 };
112350
112351 void rb_insert_color(struct rb_node *node, struct rb_root *root)
112352diff --git a/lib/show_mem.c b/lib/show_mem.c
112353index adc98e18..0ce83c2 100644
112354--- a/lib/show_mem.c
112355+++ b/lib/show_mem.c
112356@@ -49,6 +49,6 @@ void show_mem(unsigned int filter)
112357 quicklist_total_size());
112358 #endif
112359 #ifdef CONFIG_MEMORY_FAILURE
112360- printk("%lu pages hwpoisoned\n", atomic_long_read(&num_poisoned_pages));
112361+ printk("%lu pages hwpoisoned\n", atomic_long_read_unchecked(&num_poisoned_pages));
112362 #endif
112363 }
112364diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
112365index e0af6ff..fcc9f15 100644
112366--- a/lib/strncpy_from_user.c
112367+++ b/lib/strncpy_from_user.c
112368@@ -22,7 +22,7 @@
112369 */
112370 static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
112371 {
112372- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
112373+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
112374 long res = 0;
112375
112376 /*
112377diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
112378index 3a5f2b3..102f1ff 100644
112379--- a/lib/strnlen_user.c
112380+++ b/lib/strnlen_user.c
112381@@ -26,7 +26,7 @@
112382 */
112383 static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
112384 {
112385- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
112386+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
112387 long align, res = 0;
112388 unsigned long c;
112389
112390diff --git a/lib/swiotlb.c b/lib/swiotlb.c
112391index 76f29ec..1a5316f 100644
112392--- a/lib/swiotlb.c
112393+++ b/lib/swiotlb.c
112394@@ -690,7 +690,7 @@ EXPORT_SYMBOL(swiotlb_alloc_coherent);
112395
112396 void
112397 swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
112398- dma_addr_t dev_addr)
112399+ dma_addr_t dev_addr, struct dma_attrs *attrs)
112400 {
112401 phys_addr_t paddr = dma_to_phys(hwdev, dev_addr);
112402
112403diff --git a/lib/usercopy.c b/lib/usercopy.c
112404index 4f5b1dd..7cab418 100644
112405--- a/lib/usercopy.c
112406+++ b/lib/usercopy.c
112407@@ -7,3 +7,9 @@ void copy_from_user_overflow(void)
112408 WARN(1, "Buffer overflow detected!\n");
112409 }
112410 EXPORT_SYMBOL(copy_from_user_overflow);
112411+
112412+void copy_to_user_overflow(void)
112413+{
112414+ WARN(1, "Buffer overflow detected!\n");
112415+}
112416+EXPORT_SYMBOL(copy_to_user_overflow);
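Review bot: `copy_to_user_overflow()` prints exactly the same text as `copy_from_user_overflow()`, so the log line alone cannot tell which copy direction tripped the check. For the to-user direction the condition is presumably an over-read of a kernel object rather than an overflow of one, which matters when triaging the report. I would make the message specific, e.g. `WARN(1, "copy_to_user: size exceeds source object!\n");`, and add a short comment saying when the function is called.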
112417diff --git a/lib/vsprintf.c b/lib/vsprintf.c
112418index da39c60..ac91239 100644
112419--- a/lib/vsprintf.c
112420+++ b/lib/vsprintf.c
112421@@ -16,6 +16,9 @@
112422 * - scnprintf and vscnprintf
112423 */
112424
112425+#ifdef CONFIG_GRKERNSEC_HIDESYM
112426+#define __INCLUDED_BY_HIDESYM 1
112427+#endif
112428 #include <stdarg.h>
112429 #include <linux/clk-provider.h>
112430 #include <linux/module.h> /* for KSYM_SYMBOL_LEN */
112431@@ -628,7 +631,7 @@ char *symbol_string(char *buf, char *end, void *ptr,
112432 #ifdef CONFIG_KALLSYMS
112433 if (*fmt == 'B')
112434 sprint_backtrace(sym, value);
112435- else if (*fmt != 'f' && *fmt != 's')
112436+ else if (*fmt != 'f' && *fmt != 's' && *fmt != 'X')
112437 sprint_symbol(sym, value);
112438 else
112439 sprint_symbol_no_offset(sym, value);
112440@@ -1360,7 +1363,11 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec,
112441 }
112442 }
112443
112444-int kptr_restrict __read_mostly;
112445+#ifdef CONFIG_GRKERNSEC_HIDESYM
112446+int kptr_restrict __read_only = 2;
112447+#else
112448+int kptr_restrict __read_only;
112449+#endif
112450
112451 /*
112452 * Show a '%p' thing. A kernel extension is that the '%p' is followed
112453@@ -1371,8 +1378,10 @@ int kptr_restrict __read_mostly;
112454 *
112455 * - 'F' For symbolic function descriptor pointers with offset
112456 * - 'f' For simple symbolic function names without offset
112457+ * - 'X' For simple symbolic function names without offset approved for use with GRKERNSEC_HIDESYM
112458 * - 'S' For symbolic direct pointers with offset
112459 * - 's' For symbolic direct pointers without offset
112460+ * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
112461 * - '[FfSs]R' as above with __builtin_extract_return_addr() translation
112462 * - 'B' For backtraced symbolic direct pointers with offset
112463 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
112464@@ -1460,12 +1469,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
112465
112466 if (!ptr && *fmt != 'K') {
112467 /*
112468- * Print (null) with the same width as a pointer so it makes
112469+ * Print (nil) with the same width as a pointer so it makes
112470 * tabular output look nice.
112471 */
112472 if (spec.field_width == -1)
112473 spec.field_width = default_width;
112474- return string(buf, end, "(null)", spec);
112475+ return string(buf, end, "(nil)", spec);
112476 }
112477
112478 switch (*fmt) {
112479@@ -1475,6 +1484,14 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
112480 /* Fallthrough */
112481 case 'S':
112482 case 's':
112483+#ifdef CONFIG_GRKERNSEC_HIDESYM
112484+ break;
112485+#else
112486+ return symbol_string(buf, end, ptr, spec, fmt);
112487+#endif
112488+ case 'X':
112489+ ptr = dereference_function_descriptor(ptr);
112490+ case 'A':
112491 case 'B':
112492 return symbol_string(buf, end, ptr, spec, fmt);
112493 case 'R':
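Review bot: `case 'X':` runs into `case 'A':` without a marker, although the context line at the top of the hunk uses `/* Fallthrough */`; add the same comment after `ptr = dereference_function_descriptor(ptr);`. The `#ifdef` inside the case list also makes it easy to miss that with CONFIG_GRKERNSEC_HIDESYM the 'S' and 's' cases (and whatever falls into them) `break` out of the switch instead of returning. A comment such as `/* HIDESYM: not symbolized here, handled as a plain pointer after the switch */` would state that, hedged because the code after the switch is only partly visible. pointer() starts and ends outside this hunk.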
112494@@ -1539,6 +1556,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
112495 va_end(va);
112496 return buf;
112497 }
112498+ case 'P':
112499+ break;
112500 case 'K':
112501 /*
112502 * %pK cannot be used in IRQ context because its test
112503@@ -1598,6 +1617,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
112504 ((const struct file *)ptr)->f_path.dentry,
112505 spec, fmt);
112506 }
112507+
112508+#ifdef CONFIG_GRKERNSEC_HIDESYM
112509+ /* 'P' = approved pointers to copy to userland,
112510+ as in the /proc/kallsyms case, as we make it display nothing
112511+ for non-root users, and the real contents for root users
112512+ 'X' = approved simple symbols
112513+ Also ignore 'K' pointers, since we force their NULLing for non-root users
112514+ above
112515+ */
112516+ if ((unsigned long)ptr > TASK_SIZE && *fmt != 'P' && *fmt != 'X' && *fmt != 'K' && is_usercopy_object(buf)) {
112517+ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@grsecurity.net.\n");
112518+ dump_stack();
112519+ ptr = NULL;
112520+ }
112521+#endif
112522+
112523 spec.flags |= SMALL;
112524 if (spec.field_width == -1) {
112525 spec.field_width = default_width;
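Review bot: The infoleak report is not rate limited: every offending format call emits a `KERN_ALERT` line plus a full `dump_stack()`, so a single buggy call site on a frequently hit path can flood the log and bury other alerts. Consider guarding the two reporting calls with `if (printk_ratelimit())` (or reporting once per call site) while still setting `ptr = NULL` unconditionally. The condition would also be easier to audit if it were split over several lines with the exempt specifiers 'P', 'X' and 'K' grouped together. pointer() starts and ends outside this hunk.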
112526@@ -2296,11 +2331,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
112527 typeof(type) value; \
112528 if (sizeof(type) == 8) { \
112529 args = PTR_ALIGN(args, sizeof(u32)); \
112530- *(u32 *)&value = *(u32 *)args; \
112531- *((u32 *)&value + 1) = *(u32 *)(args + 4); \
112532+ *(u32 *)&value = *(const u32 *)args; \
112533+ *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
112534 } else { \
112535 args = PTR_ALIGN(args, sizeof(type)); \
112536- value = *(typeof(type) *)args; \
112537+ value = *(const typeof(type) *)args; \
112538 } \
112539 args += sizeof(type); \
112540 value; \
112541@@ -2363,7 +2398,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
112542 case FORMAT_TYPE_STR: {
112543 const char *str_arg = args;
112544 args += strlen(str_arg) + 1;
112545- str = string(str, end, (char *)str_arg, spec);
112546+ str = string(str, end, str_arg, spec);
112547 break;
112548 }
112549
112550diff --git a/localversion-grsec b/localversion-grsec
112551new file mode 100644
112552index 0000000..7cd6065
112553--- /dev/null
112554+++ b/localversion-grsec
112555@@ -0,0 +1 @@
112556+-grsec
112557diff --git a/mm/Kconfig b/mm/Kconfig
112558index e79de2b..fba3116 100644
112559--- a/mm/Kconfig
112560+++ b/mm/Kconfig
112561@@ -342,10 +342,11 @@ config KSM
112562 root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
112563
112564 config DEFAULT_MMAP_MIN_ADDR
112565- int "Low address space to protect from user allocation"
112566+ int "Low address space to protect from user allocation"
112567 depends on MMU
112568- default 4096
112569- help
112570+ default 32768 if ALPHA || ARM || PARISC || SPARC32
112571+ default 65536
112572+ help
112573 This is the portion of low virtual memory which should be protected
112574 from userspace allocation. Keeping a user from writing to low pages
112575 can help reduce the impact of kernel NULL pointer bugs.
112576@@ -377,8 +378,9 @@ config MEMORY_FAILURE
112577
112578 config HWPOISON_INJECT
112579 tristate "HWPoison pages injector"
112580- depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS
112581+ depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS && !GRKERNSEC
112582 select PROC_PAGE_MONITOR
112583+ depends on !GRKERNSEC
112584
112585 config NOMMU_INITIAL_TRIM_EXCESS
112586 int "Turn on mmap() excess space trimming before booting"
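Review bot: `!GRKERNSEC` is now stated twice for HWPOISON_INJECT, once appended to the existing `depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS` line and again as a separate `depends on !GRKERNSEC` after `select PROC_PAGE_MONITOR`. The resulting dependency is the same, but one of the two should be dropped. The other entries touched in this file (MEM_SOFT_DIRTY, ZSMALLOC_STAT) use only the separate-line form, so keeping that one would be consistent.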
112587@@ -539,6 +541,7 @@ config MEM_SOFT_DIRTY
112588 bool "Track memory changes"
112589 depends on CHECKPOINT_RESTORE && HAVE_ARCH_SOFT_DIRTY && PROC_FS
112590 select PROC_PAGE_MONITOR
112591+ depends on !GRKERNSEC
112592 help
112593 This option enables memory changes tracking by introducing a
112594 soft-dirty bit on pte-s. This bit it set when someone writes
112595@@ -613,6 +616,7 @@ config ZSMALLOC_STAT
112596 bool "Export zsmalloc statistics"
112597 depends on ZSMALLOC
112598 select DEBUG_FS
112599+ depends on !GRKERNSEC_KMEM
112600 help
112601 This option enables code in the zsmalloc to collect various
112602 statistics about whats happening in zsmalloc and exports that
112603diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
112604index 957d3da..1d34e20 100644
112605--- a/mm/Kconfig.debug
112606+++ b/mm/Kconfig.debug
112607@@ -10,6 +10,7 @@ config PAGE_EXTENSION
112608 config DEBUG_PAGEALLOC
112609 bool "Debug page memory allocations"
112610 depends on DEBUG_KERNEL
112611+ depends on !PAX_MEMORY_SANITIZE
112612 depends on !HIBERNATION || ARCH_SUPPORTS_DEBUG_PAGEALLOC && !PPC && !SPARC
112613 depends on !KMEMCHECK
112614 select PAGE_EXTENSION
112615diff --git a/mm/backing-dev.c b/mm/backing-dev.c
112616index dac5bf5..d8c02ce 100644
112617--- a/mm/backing-dev.c
112618+++ b/mm/backing-dev.c
112619@@ -12,7 +12,7 @@
112620 #include <linux/device.h>
112621 #include <trace/events/writeback.h>
112622
112623-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
112624+static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
112625
112626 struct backing_dev_info noop_backing_dev_info = {
112627 .name = "noop",
112628@@ -855,7 +855,7 @@ int bdi_setup_and_register(struct backing_dev_info *bdi, char *name)
112629 return err;
112630
112631 err = bdi_register(bdi, NULL, "%.28s-%ld", name,
112632- atomic_long_inc_return(&bdi_seq));
112633+ atomic_long_inc_return_unchecked(&bdi_seq));
112634 if (err) {
112635 bdi_destroy(bdi);
112636 return err;
112637diff --git a/mm/dmapool.c b/mm/dmapool.c
112638index fd5fe43..39ea317 100644
112639--- a/mm/dmapool.c
112640+++ b/mm/dmapool.c
112641@@ -386,7 +386,7 @@ static struct dma_page *pool_find_page(struct dma_pool *pool, dma_addr_t dma)
112642 list_for_each_entry(page, &pool->page_list, page_list) {
112643 if (dma < page->dma)
112644 continue;
112645- if (dma < (page->dma + pool->allocation))
112646+ if ((dma - page->dma) < pool->allocation)
112647 return page;
112648 }
112649 return NULL;
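Review bot: The rewritten bound check deserves a comment, because its correctness depends on the `dma < page->dma` test just above it. Something like `/* dma >= page->dma here; compare the offset so page->dma + pool->allocation cannot wrap */` would make clear why the subtraction form replaced the addition. The opening lines of pool_find_page are outside the hunk.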
112650diff --git a/mm/filemap.c b/mm/filemap.c
112651index 1283fc8..a0347d5 100644
112652--- a/mm/filemap.c
112653+++ b/mm/filemap.c
112654@@ -2122,7 +2122,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
112655 struct address_space *mapping = file->f_mapping;
112656
112657 if (!mapping->a_ops->readpage)
112658- return -ENOEXEC;
112659+ return -ENODEV;
112660 file_accessed(file);
112661 vma->vm_ops = &generic_file_vm_ops;
112662 return 0;
112663@@ -2303,6 +2303,7 @@ inline ssize_t generic_write_checks(struct kiocb *iocb, struct iov_iter *from)
112664 pos = iocb->ki_pos;
112665
112666 if (limit != RLIM_INFINITY) {
112667+ gr_learn_resource(current, RLIMIT_FSIZE, iocb->ki_pos, 0);
112668 if (iocb->ki_pos >= limit) {
112669 send_sig(SIGXFSZ, current, 0);
112670 return -EFBIG;
112671diff --git a/mm/gup.c b/mm/gup.c
112672index 6297f6b..7652403 100644
112673--- a/mm/gup.c
112674+++ b/mm/gup.c
112675@@ -265,11 +265,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
112676 unsigned int fault_flags = 0;
112677 int ret;
112678
112679- /* For mm_populate(), just skip the stack guard page. */
112680- if ((*flags & FOLL_POPULATE) &&
112681- (stack_guard_page_start(vma, address) ||
112682- stack_guard_page_end(vma, address + PAGE_SIZE)))
112683- return -ENOENT;
112684 if (*flags & FOLL_WRITE)
112685 fault_flags |= FAULT_FLAG_WRITE;
112686 if (nonblocking)
112687@@ -435,14 +430,14 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
112688 if (!(gup_flags & FOLL_FORCE))
112689 gup_flags |= FOLL_NUMA;
112690
112691- do {
112692+ while (nr_pages) {
112693 struct page *page;
112694 unsigned int foll_flags = gup_flags;
112695 unsigned int page_increm;
112696
112697 /* first iteration or cross vma bound */
112698 if (!vma || start >= vma->vm_end) {
112699- vma = find_extend_vma(mm, start);
112700+ vma = find_vma(mm, start);
112701 if (!vma && in_gate_area(mm, start)) {
112702 int ret;
112703 ret = get_gate_page(mm, start & PAGE_MASK,
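Review bot: After the switch to `find_vma()`, `vma` can be non-NULL while `start` lies below `vma->vm_start`, and in that case the `if (!vma && in_gate_area(mm, start))` test on the following context line no longer fires. With `find_extend_vma()` such an address presumably yielded NULL (inferred, the helper is not shown), so a gate-area address that has any mapping above it would now reach the `start < vma->vm_start` rejection added in the next hunk. If that is not intended, the test could become `if ((!vma || start < vma->vm_start) && in_gate_area(mm, start))`. __get_user_pages starts and ends outside this hunk.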
112704@@ -454,7 +449,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
112705 goto next_page;
112706 }
112707
112708- if (!vma || check_vma_flags(vma, gup_flags))
112709+ if (!vma || start < vma->vm_start || check_vma_flags(vma, gup_flags))
112710 return i ? : -EFAULT;
112711 if (is_vm_hugetlb_page(vma)) {
112712 i = follow_hugetlb_page(mm, vma, pages, vmas,
112713@@ -509,7 +504,7 @@ next_page:
112714 i += page_increm;
112715 start += page_increm * PAGE_SIZE;
112716 nr_pages -= page_increm;
112717- } while (nr_pages);
112718+ }
112719 return i;
112720 }
112721 EXPORT_SYMBOL(__get_user_pages);
112722diff --git a/mm/highmem.c b/mm/highmem.c
112723index 123bcd3..c2c85db 100644
112724--- a/mm/highmem.c
112725+++ b/mm/highmem.c
112726@@ -195,8 +195,9 @@ static void flush_all_zero_pkmaps(void)
112727 * So no dangers, even with speculative execution.
112728 */
112729 page = pte_page(pkmap_page_table[i]);
112730+ pax_open_kernel();
112731 pte_clear(&init_mm, PKMAP_ADDR(i), &pkmap_page_table[i]);
112732-
112733+ pax_close_kernel();
112734 set_page_address(page, NULL);
112735 need_flush = 1;
112736 }
112737@@ -259,8 +260,11 @@ start:
112738 }
112739 }
112740 vaddr = PKMAP_ADDR(last_pkmap_nr);
112741+
112742+ pax_open_kernel();
112743 set_pte_at(&init_mm, vaddr,
112744 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
112745+ pax_close_kernel();
112746
112747 pkmap_count[last_pkmap_nr] = 1;
112748 set_page_address(page, (void *)vaddr);
112749diff --git a/mm/hugetlb.c b/mm/hugetlb.c
112750index a8c3087..ec431dc 100644
112751--- a/mm/hugetlb.c
112752+++ b/mm/hugetlb.c
112753@@ -2442,6 +2442,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
112754 struct ctl_table *table, int write,
112755 void __user *buffer, size_t *length, loff_t *ppos)
112756 {
112757+ ctl_table_no_const t;
112758 struct hstate *h = &default_hstate;
112759 unsigned long tmp = h->max_huge_pages;
112760 int ret;
112761@@ -2449,9 +2450,10 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
112762 if (!hugepages_supported())
112763 return -ENOTSUPP;
112764
112765- table->data = &tmp;
112766- table->maxlen = sizeof(unsigned long);
112767- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
112768+ t = *table;
112769+ t.data = &tmp;
112770+ t.maxlen = sizeof(unsigned long);
112771+ ret = proc_doulongvec_minmax(&t, write, buffer, length, ppos);
112772 if (ret)
112773 goto out;
112774
112775@@ -2486,6 +2488,7 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
112776 struct hstate *h = &default_hstate;
112777 unsigned long tmp;
112778 int ret;
112779+ ctl_table_no_const hugetlb_table;
112780
112781 if (!hugepages_supported())
112782 return -ENOTSUPP;
112783@@ -2495,9 +2498,10 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
112784 if (write && hstate_is_gigantic(h))
112785 return -EINVAL;
112786
112787- table->data = &tmp;
112788- table->maxlen = sizeof(unsigned long);
112789- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
112790+ hugetlb_table = *table;
112791+ hugetlb_table.data = &tmp;
112792+ hugetlb_table.maxlen = sizeof(unsigned long);
112793+ ret = proc_doulongvec_minmax(&hugetlb_table, write, buffer, length, ppos);
112794 if (ret)
112795 goto out;
112796
112797@@ -2974,6 +2978,14 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
112798 continue;
112799
112800 /*
112801+ * Shared VMAs have their own reserves and do not affect
112802+ * MAP_PRIVATE accounting but it is possible that a shared
112803+ * VMA is using the same page so check and skip such VMAs.
112804+ */
112805+ if (iter_vma->vm_flags & VM_MAYSHARE)
112806+ continue;
112807+
112808+ /*
112809 * Unmap the page from other VMAs without their own reserves.
112810 * They get marked to be SIGKILLed if they fault in these
112811 * areas. This is because a future no-page fault on this VMA
112812@@ -2987,6 +2999,27 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
112813 i_mmap_unlock_write(mapping);
112814 }
112815
112816+#ifdef CONFIG_PAX_SEGMEXEC
112817+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
112818+{
112819+ struct mm_struct *mm = vma->vm_mm;
112820+ struct vm_area_struct *vma_m;
112821+ unsigned long address_m;
112822+ pte_t *ptep_m;
112823+
112824+ vma_m = pax_find_mirror_vma(vma);
112825+ if (!vma_m)
112826+ return;
112827+
112828+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
112829+ address_m = address + SEGMEXEC_TASK_SIZE;
112830+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
112831+ get_page(page_m);
112832+ hugepage_add_anon_rmap(page_m, vma_m, address_m);
112833+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
112834+}
112835+#endif
112836+
112837 /*
112838 * Hugetlb_cow() should be called with page lock of the original hugepage held.
112839 * Called with hugetlb_instantiation_mutex held and pte_page locked so we
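Review bot: In the new pax_mirror_huge_pte, `ptep_m` is passed to `set_huge_pte_at()` without checking the result of `huge_pte_offset()`. The hugetlb_fault hunk further down allocates the mirror entry with `huge_pte_alloc()` first, so the pointer is probably valid on that path, but the helper itself does not state or enforce it. I would add `if (WARN_ON_ONCE(!ptep_m)) return;` before `get_page(page_m);`, or at least a comment saying that callers must have allocated the mirror page-table entry.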
112840@@ -3100,6 +3133,11 @@ retry_avoidcopy:
112841 make_huge_pte(vma, new_page, 1));
112842 page_remove_rmap(old_page);
112843 hugepage_add_new_anon_rmap(new_page, vma, address);
112844+
112845+#ifdef CONFIG_PAX_SEGMEXEC
112846+ pax_mirror_huge_pte(vma, address, new_page);
112847+#endif
112848+
112849 /* Make the old page be freed below */
112850 new_page = old_page;
112851 }
112852@@ -3261,6 +3299,10 @@ retry:
112853 && (vma->vm_flags & VM_SHARED)));
112854 set_huge_pte_at(mm, address, ptep, new_pte);
112855
112856+#ifdef CONFIG_PAX_SEGMEXEC
112857+ pax_mirror_huge_pte(vma, address, page);
112858+#endif
112859+
112860 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
112861 /* Optimization, do the COW without a second fault */
112862 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl);
112863@@ -3328,6 +3370,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
112864 struct address_space *mapping;
112865 int need_wait_lock = 0;
112866
112867+#ifdef CONFIG_PAX_SEGMEXEC
112868+ struct vm_area_struct *vma_m;
112869+#endif
112870+
112871 address &= huge_page_mask(h);
112872
112873 ptep = huge_pte_offset(mm, address);
112874@@ -3341,6 +3387,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
112875 VM_FAULT_SET_HINDEX(hstate_index(h));
112876 }
112877
112878+#ifdef CONFIG_PAX_SEGMEXEC
112879+ vma_m = pax_find_mirror_vma(vma);
112880+ if (vma_m) {
112881+ unsigned long address_m;
112882+
112883+ if (vma->vm_start > vma_m->vm_start) {
112884+ address_m = address;
112885+ address -= SEGMEXEC_TASK_SIZE;
112886+ vma = vma_m;
112887+ h = hstate_vma(vma);
112888+ } else
112889+ address_m = address + SEGMEXEC_TASK_SIZE;
112890+
112891+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
112892+ return VM_FAULT_OOM;
112893+ address_m &= HPAGE_MASK;
112894+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
112895+ }
112896+#endif
112897+
112898 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
112899 if (!ptep)
112900 return VM_FAULT_OOM;
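Review bot: The mirror handling mixes two notions of the huge page size: the entry is allocated with `huge_page_size(h)`, but the range is then aligned and unmapped with `HPAGE_MASK` and `HPAGE_SIZE`, whereas the earlier hunk of this function masks `address` with `huge_page_mask(h)`. If only the default hstate can occur under SEGMEXEC this is harmless, but nothing visible establishes that; `address_m &= huge_page_mask(h);` and `address_m + huge_page_size(h)` would be consistent. pax_mirror_huge_pte in the earlier hunk masks with `HPAGE_MASK` as well. hugetlb_fault continues outside this hunk.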
112901diff --git a/mm/internal.h b/mm/internal.h
112902index 36b23f1..673a6c7 100644
112903--- a/mm/internal.h
112904+++ b/mm/internal.h
112905@@ -157,6 +157,7 @@ __find_buddy_index(unsigned long page_idx, unsigned int order)
112906 extern int __isolate_free_page(struct page *page, unsigned int order);
112907 extern void __free_pages_bootmem(struct page *page, unsigned long pfn,
112908 unsigned int order);
112909+extern void free_compound_page(struct page *page);
112910 extern void prep_compound_page(struct page *page, unsigned long order);
112911 #ifdef CONFIG_MEMORY_FAILURE
112912 extern bool is_free_buddy_page(struct page *page);
112913diff --git a/mm/kmemleak.c b/mm/kmemleak.c
112914index cf79f11..254224e 100644
112915--- a/mm/kmemleak.c
112916+++ b/mm/kmemleak.c
112917@@ -375,7 +375,7 @@ static void print_unreferenced(struct seq_file *seq,
112918
112919 for (i = 0; i < object->trace_len; i++) {
112920 void *ptr = (void *)object->trace[i];
112921- seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
112922+ seq_printf(seq, " [<%pP>] %pA\n", ptr, ptr);
112923 }
112924 }
112925
112926@@ -1966,7 +1966,7 @@ static int __init kmemleak_late_init(void)
112927 return -ENOMEM;
112928 }
112929
112930- dentry = debugfs_create_file("kmemleak", S_IRUGO, NULL, NULL,
112931+ dentry = debugfs_create_file("kmemleak", S_IRUSR, NULL, NULL,
112932 &kmemleak_fops);
112933 if (!dentry)
112934 pr_warning("Failed to create the debugfs kmemleak file\n");
112935diff --git a/mm/maccess.c b/mm/maccess.c
112936index d53adf9..03a24bf 100644
112937--- a/mm/maccess.c
112938+++ b/mm/maccess.c
112939@@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, const void *src, size_t size)
112940 set_fs(KERNEL_DS);
112941 pagefault_disable();
112942 ret = __copy_from_user_inatomic(dst,
112943- (__force const void __user *)src, size);
112944+ (const void __force_user *)src, size);
112945 pagefault_enable();
112946 set_fs(old_fs);
112947
112948@@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, const void *src, size_t size)
112949
112950 set_fs(KERNEL_DS);
112951 pagefault_disable();
112952- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
112953+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
112954 pagefault_enable();
112955 set_fs(old_fs);
112956
112957diff --git a/mm/madvise.c b/mm/madvise.c
112958index 64bb8a2..68e4be5 100644
112959--- a/mm/madvise.c
112960+++ b/mm/madvise.c
112961@@ -52,6 +52,10 @@ static long madvise_behavior(struct vm_area_struct *vma,
112962 pgoff_t pgoff;
112963 unsigned long new_flags = vma->vm_flags;
112964
112965+#ifdef CONFIG_PAX_SEGMEXEC
112966+ struct vm_area_struct *vma_m;
112967+#endif
112968+
112969 switch (behavior) {
112970 case MADV_NORMAL:
112971 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
112972@@ -127,6 +131,13 @@ success:
112973 /*
112974 * vm_flags is protected by the mmap_sem held in write mode.
112975 */
112976+
112977+#ifdef CONFIG_PAX_SEGMEXEC
112978+ vma_m = pax_find_mirror_vma(vma);
112979+ if (vma_m)
112980+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
112981+#endif
112982+
112983 vma->vm_flags = new_flags;
112984
112985 out:
112986@@ -278,11 +289,27 @@ static long madvise_dontneed(struct vm_area_struct *vma,
112987 struct vm_area_struct **prev,
112988 unsigned long start, unsigned long end)
112989 {
112990+
112991+#ifdef CONFIG_PAX_SEGMEXEC
112992+ struct vm_area_struct *vma_m;
112993+#endif
112994+
112995 *prev = vma;
112996 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
112997 return -EINVAL;
112998
112999 zap_page_range(vma, start, end - start, NULL);
113000+
113001+#ifdef CONFIG_PAX_SEGMEXEC
113002+ vma_m = pax_find_mirror_vma(vma);
113003+ if (vma_m) {
113004+ if (vma_m->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
113005+ return -EINVAL;
113006+
113007+ zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
113008+ }
113009+#endif
113010+
113011 return 0;
113012 }
113013
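Review bot: In madvise_dontneed the mirror's flags are checked only after the primary range has already been zapped, so when `vma_m` carries VM_LOCKED, VM_HUGETLB or VM_PFNMAP the call returns -EINVAL with half of the work done. Looking up the mirror and validating its flags before the first `zap_page_range()` makes the operation all-or-nothing. The function's signature begins outside the hunk.
```c
	*prev = vma;
	if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
		return -EINVAL;

#ifdef CONFIG_PAX_SEGMEXEC
	/* validate the mirror before touching either range */
	vma_m = pax_find_mirror_vma(vma);
	if (vma_m && (vma_m->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP)))
		return -EINVAL;
#endif

	zap_page_range(vma, start, end - start, NULL);

#ifdef CONFIG_PAX_SEGMEXEC
	if (vma_m)
		zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
#endif
	/* … unchanged: return 0 … */
```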
113014@@ -485,6 +512,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
113015 if (end < start)
113016 return error;
113017
113018+#ifdef CONFIG_PAX_SEGMEXEC
113019+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
113020+ if (end > SEGMEXEC_TASK_SIZE)
113021+ return error;
113022+ } else
113023+#endif
113024+
113025+ if (end > TASK_SIZE)
113026+ return error;
113027+
113028 error = 0;
113029 if (end == start)
113030 return error;
113031diff --git a/mm/memcontrol.c b/mm/memcontrol.c
113032index acb93c5..237d468 100644
113033--- a/mm/memcontrol.c
113034+++ b/mm/memcontrol.c
113035@@ -806,12 +806,14 @@ mem_cgroup_largest_soft_limit_node(struct mem_cgroup_tree_per_zone *mctz)
113036 }
113037
113038 /*
113039+ * Return page count for single (non recursive) @memcg.
113040+ *
113041 * Implementation Note: reading percpu statistics for memcg.
113042 *
113043 * Both of vmstat[] and percpu_counter has threshold and do periodic
113044 * synchronization to implement "quick" read. There are trade-off between
113045 * reading cost and precision of value. Then, we may have a chance to implement
113046- * a periodic synchronizion of counter in memcg's counter.
113047+ * a periodic synchronization of counter in memcg's counter.
113048 *
113049 * But this _read() function is used for user interface now. The user accounts
113050 * memory usage by memory cgroup and he _always_ requires exact value because
113051@@ -821,17 +823,24 @@ mem_cgroup_largest_soft_limit_node(struct mem_cgroup_tree_per_zone *mctz)
113052 *
113053 * If there are kernel internal actions which can make use of some not-exact
113054 * value, and reading all cpu value can be performance bottleneck in some
113055- * common workload, threashold and synchonization as vmstat[] should be
113056+ * common workload, threshold and synchronization as vmstat[] should be
113057 * implemented.
113058 */
113059-static long mem_cgroup_read_stat(struct mem_cgroup *memcg,
113060- enum mem_cgroup_stat_index idx)
113061+static unsigned long
113062+mem_cgroup_read_stat(struct mem_cgroup *memcg, enum mem_cgroup_stat_index idx)
113063 {
113064 long val = 0;
113065 int cpu;
113066
113067+ /* Per-cpu values can be negative, use a signed accumulator */
113068 for_each_possible_cpu(cpu)
113069 val += per_cpu(memcg->stat->count[idx], cpu);
113070+ /*
113071+ * Summing races with updates, so val may be negative. Avoid exposing
113072+ * transient negative values.
113073+ */
113074+ if (val < 0)
113075+ val = 0;
113076 return val;
113077 }
113078
113079@@ -1498,7 +1507,7 @@ void mem_cgroup_print_oom_info(struct mem_cgroup *memcg, struct task_struct *p)
113080 for (i = 0; i < MEM_CGROUP_STAT_NSTATS; i++) {
113081 if (i == MEM_CGROUP_STAT_SWAP && !do_swap_account)
113082 continue;
113083- pr_cont(" %s:%ldKB", mem_cgroup_stat_names[i],
113084+ pr_cont(" %s:%luKB", mem_cgroup_stat_names[i],
113085 K(mem_cgroup_read_stat(iter, i)));
113086 }
113087
113088@@ -3119,14 +3128,11 @@ static unsigned long tree_stat(struct mem_cgroup *memcg,
113089 enum mem_cgroup_stat_index idx)
113090 {
113091 struct mem_cgroup *iter;
113092- long val = 0;
113093+ unsigned long val = 0;
113094
113095- /* Per-cpu values can be negative, use a signed accumulator */
113096 for_each_mem_cgroup_tree(iter, memcg)
113097 val += mem_cgroup_read_stat(iter, idx);
113098
113099- if (val < 0) /* race ? */
113100- val = 0;
113101 return val;
113102 }
113103
113104@@ -3469,7 +3475,7 @@ static int memcg_stat_show(struct seq_file *m, void *v)
113105 for (i = 0; i < MEM_CGROUP_STAT_NSTATS; i++) {
113106 if (i == MEM_CGROUP_STAT_SWAP && !do_swap_account)
113107 continue;
113108- seq_printf(m, "%s %ld\n", mem_cgroup_stat_names[i],
113109+ seq_printf(m, "%s %lu\n", mem_cgroup_stat_names[i],
113110 mem_cgroup_read_stat(memcg, i) * PAGE_SIZE);
113111 }
113112
113113@@ -3494,13 +3500,13 @@ static int memcg_stat_show(struct seq_file *m, void *v)
113114 (u64)memsw * PAGE_SIZE);
113115
113116 for (i = 0; i < MEM_CGROUP_STAT_NSTATS; i++) {
113117- long long val = 0;
113118+ unsigned long long val = 0;
113119
113120 if (i == MEM_CGROUP_STAT_SWAP && !do_swap_account)
113121 continue;
113122 for_each_mem_cgroup_tree(mi, memcg)
113123 val += mem_cgroup_read_stat(mi, i) * PAGE_SIZE;
113124- seq_printf(m, "total_%s %lld\n", mem_cgroup_stat_names[i], val);
113125+ seq_printf(m, "total_%s %llu\n", mem_cgroup_stat_names[i], val);
113126 }
113127
113128 for (i = 0; i < MEM_CGROUP_EVENTS_NSTATS; i++) {
113129diff --git a/mm/memory-failure.c b/mm/memory-failure.c
113130index 1f4446a..47abb4e 100644
113131--- a/mm/memory-failure.c
113132+++ b/mm/memory-failure.c
113133@@ -63,7 +63,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
113134
113135 int sysctl_memory_failure_recovery __read_mostly = 1;
113136
113137-atomic_long_t num_poisoned_pages __read_mostly = ATOMIC_LONG_INIT(0);
113138+atomic_long_unchecked_t num_poisoned_pages __read_mostly = ATOMIC_LONG_INIT(0);
113139
113140 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
113141
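Review bot: The switch of `num_poisoned_pages` to `atomic_long_unchecked_t` has no comment saying why this counter is exempt from the checked atomic type. Judging by the call sites converted in the later hunks of this file, it is a page-count statistic rather than an object reference count, which is presumably the reason. A one-line comment above the definition would record that, e.g. `/* statistic only, not a reference count: wrap-around is harmless, so the unchecked atomic is used */`. Anyone adding a new updater then knows to use the `_unchecked` accessors too.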
113142@@ -200,7 +200,7 @@ static int kill_proc(struct task_struct *t, unsigned long addr, int trapno,
113143 pfn, t->comm, t->pid);
113144 si.si_signo = SIGBUS;
113145 si.si_errno = 0;
113146- si.si_addr = (void *)addr;
113147+ si.si_addr = (void __user *)addr;
113148 #ifdef __ARCH_SI_TRAPNO
113149 si.si_trapno = trapno;
113150 #endif
113151@@ -797,7 +797,7 @@ static struct page_state {
113152 unsigned long res;
113153 enum mf_action_page_type type;
113154 int (*action)(struct page *p, unsigned long pfn);
113155-} error_states[] = {
113156+} __do_const error_states[] = {
113157 { reserved, reserved, MF_MSG_KERNEL, me_kernel },
113158 /*
113159 * free pages are specially detected outside this table:
113160@@ -1100,7 +1100,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
113161 nr_pages = 1 << compound_order(hpage);
113162 else /* normal page or thp */
113163 nr_pages = 1;
113164- atomic_long_add(nr_pages, &num_poisoned_pages);
113165+ atomic_long_add_unchecked(nr_pages, &num_poisoned_pages);
113166
113167 /*
113168 * We need/can do nothing about count=0 pages.
113169@@ -1128,7 +1128,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
113170 if (PageHWPoison(hpage)) {
113171 if ((hwpoison_filter(p) && TestClearPageHWPoison(p))
113172 || (p != hpage && TestSetPageHWPoison(hpage))) {
113173- atomic_long_sub(nr_pages, &num_poisoned_pages);
113174+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
113175 unlock_page(hpage);
113176 return 0;
113177 }
113178@@ -1152,7 +1152,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
113179 else
113180 pr_err("MCE: %#lx: thp split failed\n", pfn);
113181 if (TestClearPageHWPoison(p))
113182- atomic_long_sub(nr_pages, &num_poisoned_pages);
113183+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
113184 put_page(p);
113185 if (p != hpage)
113186 put_page(hpage);
113187@@ -1214,14 +1214,14 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
113188 */
113189 if (!PageHWPoison(p)) {
113190 printk(KERN_ERR "MCE %#lx: just unpoisoned\n", pfn);
113191- atomic_long_sub(nr_pages, &num_poisoned_pages);
113192+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
113193 unlock_page(hpage);
113194 put_page(hpage);
113195 return 0;
113196 }
113197 if (hwpoison_filter(p)) {
113198 if (TestClearPageHWPoison(p))
113199- atomic_long_sub(nr_pages, &num_poisoned_pages);
113200+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
113201 unlock_page(hpage);
113202 put_page(hpage);
113203 return 0;
113204@@ -1450,7 +1450,7 @@ int unpoison_memory(unsigned long pfn)
113205 return 0;
113206 }
113207 if (TestClearPageHWPoison(p))
113208- atomic_long_dec(&num_poisoned_pages);
113209+ atomic_long_dec_unchecked(&num_poisoned_pages);
113210 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
113211 return 0;
113212 }
113213@@ -1464,7 +1464,7 @@ int unpoison_memory(unsigned long pfn)
113214 */
113215 if (TestClearPageHWPoison(page)) {
113216 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
113217- atomic_long_sub(nr_pages, &num_poisoned_pages);
113218+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
113219 freeit = 1;
113220 if (PageHuge(page))
113221 clear_page_hwpoison_huge_page(page);
113222@@ -1600,11 +1600,11 @@ static int soft_offline_huge_page(struct page *page, int flags)
113223 if (PageHuge(page)) {
113224 set_page_hwpoison_huge_page(hpage);
113225 dequeue_hwpoisoned_huge_page(hpage);
113226- atomic_long_add(1 << compound_order(hpage),
113227+ atomic_long_add_unchecked(1 << compound_order(hpage),
113228 &num_poisoned_pages);
113229 } else {
113230 SetPageHWPoison(page);
113231- atomic_long_inc(&num_poisoned_pages);
113232+ atomic_long_inc_unchecked(&num_poisoned_pages);
113233 }
113234 }
113235 return ret;
113236@@ -1643,7 +1643,7 @@ static int __soft_offline_page(struct page *page, int flags)
113237 put_page(page);
113238 pr_info("soft_offline: %#lx: invalidated\n", pfn);
113239 SetPageHWPoison(page);
113240- atomic_long_inc(&num_poisoned_pages);
113241+ atomic_long_inc_unchecked(&num_poisoned_pages);
113242 return 0;
113243 }
113244
113245@@ -1664,7 +1664,7 @@ static int __soft_offline_page(struct page *page, int flags)
113246 page_is_file_cache(page));
113247 list_add(&page->lru, &pagelist);
113248 if (!TestSetPageHWPoison(page))
113249- atomic_long_inc(&num_poisoned_pages);
113250+ atomic_long_inc_unchecked(&num_poisoned_pages);
113251 ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL,
113252 MIGRATE_SYNC, MR_MEMORY_FAILURE);
113253 if (ret) {
113254@@ -1680,7 +1680,7 @@ static int __soft_offline_page(struct page *page, int flags)
113255 if (ret > 0)
113256 ret = -EIO;
113257 if (TestClearPageHWPoison(page))
113258- atomic_long_dec(&num_poisoned_pages);
113259+ atomic_long_dec_unchecked(&num_poisoned_pages);
113260 }
113261 } else {
113262 pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n",
113263@@ -1742,11 +1742,11 @@ int soft_offline_page(struct page *page, int flags)
113264 if (PageHuge(page)) {
113265 set_page_hwpoison_huge_page(hpage);
113266 if (!dequeue_hwpoisoned_huge_page(hpage))
113267- atomic_long_add(1 << compound_order(hpage),
113268+ atomic_long_add_unchecked(1 << compound_order(hpage),
113269 &num_poisoned_pages);
113270 } else {
113271 if (!TestSetPageHWPoison(page))
113272- atomic_long_inc(&num_poisoned_pages);
113273+ atomic_long_inc_unchecked(&num_poisoned_pages);
113274 }
113275 }
113276 return ret;
113277diff --git a/mm/memory.c b/mm/memory.c
113278index 388dcf9..82aa351 100644
113279--- a/mm/memory.c
113280+++ b/mm/memory.c
113281@@ -414,6 +414,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
113282 free_pte_range(tlb, pmd, addr);
113283 } while (pmd++, addr = next, addr != end);
113284
113285+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
113286 start &= PUD_MASK;
113287 if (start < floor)
113288 return;
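Review bot: The `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)` added before `start &= PUD_MASK;` compiles out the rest of free_pmd_range, including `pud_clear()` and `pmd_free_tlb()`, without saying why the pmd page may stay in place in that configuration. The matching `#endif` is in the next hunk, and free_pud_range gets the same treatment for x86-64 in the two hunks after that. Each `#if` should carry a comment naming the invariant that makes skipping the teardown safe, e.g. `/* PAX_PER_CPU_PGD on x86-32: <reason the pmd page must not be freed here> */`. The function body starts outside this hunk.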
113289@@ -429,6 +430,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
113290 pud_clear(pud);
113291 pmd_free_tlb(tlb, pmd, start);
113292 mm_dec_nr_pmds(tlb->mm);
113293+#endif
113294 }
113295
113296 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
113297@@ -448,6 +450,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
113298 free_pmd_range(tlb, pud, addr, next, floor, ceiling);
113299 } while (pud++, addr = next, addr != end);
113300
113301+#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
113302 start &= PGDIR_MASK;
113303 if (start < floor)
113304 return;
113305@@ -462,6 +465,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
113306 pud = pud_offset(pgd, start);
113307 pgd_clear(pgd);
113308 pud_free_tlb(tlb, pud, start);
113309+#endif
113310+
113311 }
113312
113313 /*
113314@@ -690,7 +695,7 @@ static void print_bad_pte(struct vm_area_struct *vma, unsigned long addr,
113315 /*
113316 * Choose text because data symbols depend on CONFIG_KALLSYMS_ALL=y
113317 */
113318- pr_alert("file:%pD fault:%pf mmap:%pf readpage:%pf\n",
113319+ pr_alert("file:%pD fault:%pX mmap:%pX readpage:%pX\n",
113320 vma->vm_file,
113321 vma->vm_ops ? vma->vm_ops->fault : NULL,
113322 vma->vm_file ? vma->vm_file->f_op->mmap : NULL,
113323@@ -1463,6 +1468,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
113324 page_add_file_rmap(page);
113325 set_pte_at(mm, addr, pte, mk_pte(page, prot));
113326
113327+#ifdef CONFIG_PAX_SEGMEXEC
113328+ pax_mirror_file_pte(vma, addr, page, ptl);
113329+#endif
113330+
113331 retval = 0;
113332 pte_unmap_unlock(pte, ptl);
113333 return retval;
113334@@ -1507,9 +1516,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
113335 if (!page_count(page))
113336 return -EINVAL;
113337 if (!(vma->vm_flags & VM_MIXEDMAP)) {
113338+
113339+#ifdef CONFIG_PAX_SEGMEXEC
113340+ struct vm_area_struct *vma_m;
113341+#endif
113342+
113343 BUG_ON(down_read_trylock(&vma->vm_mm->mmap_sem));
113344 BUG_ON(vma->vm_flags & VM_PFNMAP);
113345 vma->vm_flags |= VM_MIXEDMAP;
113346+
113347+#ifdef CONFIG_PAX_SEGMEXEC
113348+ vma_m = pax_find_mirror_vma(vma);
113349+ if (vma_m)
113350+ vma_m->vm_flags |= VM_MIXEDMAP;
113351+#endif
113352+
113353 }
113354 return insert_page(vma, addr, page, vma->vm_page_prot);
113355 }
113356@@ -1592,6 +1613,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
113357 unsigned long pfn)
113358 {
113359 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
113360+ BUG_ON(vma->vm_mirror);
113361
113362 if (addr < vma->vm_start || addr >= vma->vm_end)
113363 return -EFAULT;
113364@@ -1839,7 +1861,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
113365
113366 BUG_ON(pud_huge(*pud));
113367
113368- pmd = pmd_alloc(mm, pud, addr);
113369+ pmd = (mm == &init_mm) ?
113370+ pmd_alloc_kernel(mm, pud, addr) :
113371+ pmd_alloc(mm, pud, addr);
113372 if (!pmd)
113373 return -ENOMEM;
113374 do {
113375@@ -1859,7 +1883,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
113376 unsigned long next;
113377 int err;
113378
113379- pud = pud_alloc(mm, pgd, addr);
113380+ pud = (mm == &init_mm) ?
113381+ pud_alloc_kernel(mm, pgd, addr) :
113382+ pud_alloc(mm, pgd, addr);
113383 if (!pud)
113384 return -ENOMEM;
113385 do {
113386@@ -2040,6 +2066,196 @@ static inline int wp_page_reuse(struct mm_struct *mm,
113387 return VM_FAULT_WRITE;
113388 }
113389
113390+#ifdef CONFIG_PAX_SEGMEXEC
113391+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
113392+{
113393+ struct mm_struct *mm = vma->vm_mm;
113394+ spinlock_t *ptl;
113395+ pte_t *pte, entry;
113396+
113397+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
113398+ entry = *pte;
113399+ if (pte_none(entry))
113400+ ;
113401+ else if (!pte_present(entry)) {
113402+ swp_entry_t swapentry;
113403+
113404+ swapentry = pte_to_swp_entry(entry);
113405+ if (!non_swap_entry(swapentry))
113406+ dec_mm_counter_fast(mm, MM_SWAPENTS);
113407+ else if (is_migration_entry(swapentry)) {
113408+ if (PageAnon(migration_entry_to_page(swapentry)))
113409+ dec_mm_counter_fast(mm, MM_ANONPAGES);
113410+ else
113411+ dec_mm_counter_fast(mm, MM_FILEPAGES);
113412+ }
113413+ free_swap_and_cache(swapentry);
113414+ pte_clear_not_present_full(mm, address, pte, 0);
113415+ } else {
113416+ struct page *page;
113417+
113418+ flush_cache_page(vma, address, pte_pfn(entry));
113419+ entry = ptep_clear_flush(vma, address, pte);
113420+ BUG_ON(pte_dirty(entry));
113421+ page = vm_normal_page(vma, address, entry);
113422+ if (page) {
113423+ update_hiwater_rss(mm);
113424+ if (PageAnon(page))
113425+ dec_mm_counter_fast(mm, MM_ANONPAGES);
113426+ else
113427+ dec_mm_counter_fast(mm, MM_FILEPAGES);
113428+ page_remove_rmap(page);
113429+ page_cache_release(page);
113430+ }
113431+ }
113432+ pte_unmap_unlock(pte, ptl);
113433+}
113434+
113435+/* PaX: if vma is mirrored, synchronize the mirror's PTE
113436+ *
113437+ * the ptl of the lower mapped page is held on entry and is not released on exit
113438+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
113439+ */
113440+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
113441+{
113442+ struct mm_struct *mm = vma->vm_mm;
113443+ unsigned long address_m;
113444+ spinlock_t *ptl_m;
113445+ struct vm_area_struct *vma_m;
113446+ pmd_t *pmd_m;
113447+ pte_t *pte_m, entry_m;
113448+
113449+ BUG_ON(!page_m || !PageAnon(page_m));
113450+
113451+ vma_m = pax_find_mirror_vma(vma);
113452+ if (!vma_m)
113453+ return;
113454+
113455+ BUG_ON(!PageLocked(page_m));
113456+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
113457+ address_m = address + SEGMEXEC_TASK_SIZE;
113458+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
113459+ pte_m = pte_offset_map(pmd_m, address_m);
113460+ ptl_m = pte_lockptr(mm, pmd_m);
113461+ if (ptl != ptl_m) {
113462+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
113463+ if (!pte_none(*pte_m))
113464+ goto out;
113465+ }
113466+
113467+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
113468+ page_cache_get(page_m);
113469+ page_add_anon_rmap(page_m, vma_m, address_m);
113470+ inc_mm_counter_fast(mm, MM_ANONPAGES);
113471+ set_pte_at(mm, address_m, pte_m, entry_m);
113472+ update_mmu_cache(vma_m, address_m, pte_m);
113473+out:
113474+ if (ptl != ptl_m)
113475+ spin_unlock(ptl_m);
113476+ pte_unmap(pte_m);
113477+ unlock_page(page_m);
113478+}
113479+
113480+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
113481+{
113482+ struct mm_struct *mm = vma->vm_mm;
113483+ unsigned long address_m;
113484+ spinlock_t *ptl_m;
113485+ struct vm_area_struct *vma_m;
113486+ pmd_t *pmd_m;
113487+ pte_t *pte_m, entry_m;
113488+
113489+ BUG_ON(!page_m || PageAnon(page_m));
113490+
113491+ vma_m = pax_find_mirror_vma(vma);
113492+ if (!vma_m)
113493+ return;
113494+
113495+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
113496+ address_m = address + SEGMEXEC_TASK_SIZE;
113497+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
113498+ pte_m = pte_offset_map(pmd_m, address_m);
113499+ ptl_m = pte_lockptr(mm, pmd_m);
113500+ if (ptl != ptl_m) {
113501+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
113502+ if (!pte_none(*pte_m))
113503+ goto out;
113504+ }
113505+
113506+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
113507+ page_cache_get(page_m);
113508+ page_add_file_rmap(page_m);
113509+ inc_mm_counter_fast(mm, MM_FILEPAGES);
113510+ set_pte_at(mm, address_m, pte_m, entry_m);
113511+ update_mmu_cache(vma_m, address_m, pte_m);
113512+out:
113513+ if (ptl != ptl_m)
113514+ spin_unlock(ptl_m);
113515+ pte_unmap(pte_m);
113516+}
113517+
113518+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
113519+{
113520+ struct mm_struct *mm = vma->vm_mm;
113521+ unsigned long address_m;
113522+ spinlock_t *ptl_m;
113523+ struct vm_area_struct *vma_m;
113524+ pmd_t *pmd_m;
113525+ pte_t *pte_m, entry_m;
113526+
113527+ vma_m = pax_find_mirror_vma(vma);
113528+ if (!vma_m)
113529+ return;
113530+
113531+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
113532+ address_m = address + SEGMEXEC_TASK_SIZE;
113533+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
113534+ pte_m = pte_offset_map(pmd_m, address_m);
113535+ ptl_m = pte_lockptr(mm, pmd_m);
113536+ if (ptl != ptl_m) {
113537+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
113538+ if (!pte_none(*pte_m))
113539+ goto out;
113540+ }
113541+
113542+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
113543+ set_pte_at(mm, address_m, pte_m, entry_m);
113544+out:
113545+ if (ptl != ptl_m)
113546+ spin_unlock(ptl_m);
113547+ pte_unmap(pte_m);
113548+}
113549+
113550+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
113551+{
113552+ struct page *page_m;
113553+ pte_t entry;
113554+
113555+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
113556+ goto out;
113557+
113558+ entry = *pte;
113559+ page_m = vm_normal_page(vma, address, entry);
113560+ if (!page_m)
113561+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
113562+ else if (PageAnon(page_m)) {
113563+ if (pax_find_mirror_vma(vma)) {
113564+ pte_unmap_unlock(pte, ptl);
113565+ lock_page(page_m);
113566+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
113567+ if (pte_same(entry, *pte))
113568+ pax_mirror_anon_pte(vma, address, page_m, ptl);
113569+ else
113570+ unlock_page(page_m);
113571+ }
113572+ } else
113573+ pax_mirror_file_pte(vma, address, page_m, ptl);
113574+
113575+out:
113576+ pte_unmap_unlock(pte, ptl);
113577+}
113578+#endif
113579+
113580 /*
113581 * Handle the case of a page which we actually need to copy to a new page.
113582 *
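Review bot: In pax_mirror_anon_pte, pax_mirror_file_pte and pax_mirror_pfn_pte the `if (!pte_none(*pte_m)) goto out;` test sits inside `if (ptl != ptl_m)`, so when the lower and mirror addresses share one page-table lock the mirror entry is overwritten with `set_pte_at()` without checking that it is empty. If an earlier step guarantees an empty slot in that case, a comment at the check should say which one; otherwise the test should move below the lock block so it runs on both paths. The three helpers also repeat the same address computation, table walk and lock sequence line for line, and a shared static helper returning `pte_m` and `ptl_m` would keep the locking rule in one place.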
113583@@ -2094,6 +2310,12 @@ static int wp_page_copy(struct mm_struct *mm, struct vm_area_struct *vma,
113584 */
113585 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
113586 if (likely(pte_same(*page_table, orig_pte))) {
113587+
113588+#ifdef CONFIG_PAX_SEGMEXEC
113589+ if (pax_find_mirror_vma(vma))
113590+ BUG_ON(!trylock_page(new_page));
113591+#endif
113592+
113593 if (old_page) {
113594 if (!PageAnon(old_page)) {
113595 dec_mm_counter_fast(mm, MM_FILEPAGES);
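Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition inside an assertion macro, which is easy to overlook, since the page lock taken here is the one pax_mirror_anon_pte later asserts with `BUG_ON(!PageLocked(page_m))` and releases with `unlock_page(page_m)`. Writing it as `if (!trylock_page(new_page)) BUG();` with a comment such as `/* lock is handed to pax_mirror_anon_pte(), which unlocks */` makes the handoff explicit. The same construct appears in the second do_anonymous_page hunk and in the do_cow_fault hunk below. wp_page_copy starts and ends outside this hunk.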
113596@@ -2148,6 +2370,10 @@ static int wp_page_copy(struct mm_struct *mm, struct vm_area_struct *vma,
113597 page_remove_rmap(old_page);
113598 }
113599
113600+#ifdef CONFIG_PAX_SEGMEXEC
113601+ pax_mirror_anon_pte(vma, address, new_page, ptl);
113602+#endif
113603+
113604 /* Free the old page.. */
113605 new_page = old_page;
113606 page_copied = 1;
113607@@ -2579,6 +2805,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
113608 swap_free(entry);
113609 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
113610 try_to_free_swap(page);
113611+
113612+#ifdef CONFIG_PAX_SEGMEXEC
113613+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
113614+#endif
113615+
113616 unlock_page(page);
113617 if (page != swapcache) {
113618 /*
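Review bot: The `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` added inside `#ifdef CONFIG_PAX_SEGMEXEC` has no body of its own; it silently governs the `unlock_page(page);` two lines further down, outside the `#endif` and after a blank line. Any statement later inserted between them changes which call is conditional, and only in SEGMEXEC builds. At minimum drop the blank line and add `/* guards the unlock_page() below; the page stays locked for pax_mirror_anon_pte() */`. The do_mbind hunk in mm/mempolicy.c uses the same shape, with `} else` before `#endif` attaching to `if (end > TASK_SIZE)`. do_swap_page extends beyond this hunk on both sides.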
113619@@ -2602,6 +2833,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
113620
113621 /* No need to invalidate - it was non-present before */
113622 update_mmu_cache(vma, address, page_table);
113623+
113624+#ifdef CONFIG_PAX_SEGMEXEC
113625+ pax_mirror_anon_pte(vma, address, page, ptl);
113626+#endif
113627+
113628 unlock:
113629 pte_unmap_unlock(page_table, ptl);
113630 out:
113631@@ -2621,40 +2857,6 @@ out_release:
113632 }
113633
113634 /*
113635- * This is like a special single-page "expand_{down|up}wards()",
113636- * except we must first make sure that 'address{-|+}PAGE_SIZE'
113637- * doesn't hit another vma.
113638- */
113639-static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
113640-{
113641- address &= PAGE_MASK;
113642- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
113643- struct vm_area_struct *prev = vma->vm_prev;
113644-
113645- /*
113646- * Is there a mapping abutting this one below?
113647- *
113648- * That's only ok if it's the same stack mapping
113649- * that has gotten split..
113650- */
113651- if (prev && prev->vm_end == address)
113652- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
113653-
113654- return expand_downwards(vma, address - PAGE_SIZE);
113655- }
113656- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
113657- struct vm_area_struct *next = vma->vm_next;
113658-
113659- /* As VM_GROWSDOWN but s/below/above/ */
113660- if (next && next->vm_start == address + PAGE_SIZE)
113661- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
113662-
113663- return expand_upwards(vma, address + PAGE_SIZE);
113664- }
113665- return 0;
113666-}
113667-
113668-/*
113669 * We enter with non-exclusive mmap_sem (to exclude vma changes,
113670 * but allow concurrent faults), and pte mapped but not yet locked.
113671 * We return with mmap_sem still held, but pte unmapped and unlocked.
113672@@ -2664,31 +2866,29 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
113673 unsigned int flags)
113674 {
113675 struct mem_cgroup *memcg;
113676- struct page *page;
113677+ struct page *page = NULL;
113678 spinlock_t *ptl;
113679 pte_t entry;
113680
113681- pte_unmap(page_table);
113682-
113683 /* File mapping without ->vm_ops ? */
113684- if (vma->vm_flags & VM_SHARED)
113685+ if (vma->vm_flags & VM_SHARED) {
113686+ pte_unmap(page_table);
113687 return VM_FAULT_SIGBUS;
113688+ }
113689
113690- /* Check if we need to add a guard page to the stack */
113691- if (check_stack_guard_page(vma, address) < 0)
113692- return VM_FAULT_SIGSEGV;
113693-
113694- /* Use the zero-page for reads */
113695 if (!(flags & FAULT_FLAG_WRITE) && !mm_forbids_zeropage(mm)) {
113696 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
113697 vma->vm_page_prot));
113698- page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
113699+ ptl = pte_lockptr(mm, pmd);
113700+ spin_lock(ptl);
113701 if (!pte_none(*page_table))
113702 goto unlock;
113703 goto setpte;
113704 }
113705
113706 /* Allocate our own private page. */
113707+ pte_unmap(page_table);
113708+
113709 if (unlikely(anon_vma_prepare(vma)))
113710 goto oom;
113711 page = alloc_zeroed_user_highpage_movable(vma, address);
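Review bot: The zero-page path now takes the lock with `ptl = pte_lockptr(mm, pmd); spin_lock(ptl);` on the `page_table` mapping handed in by the caller, and `pte_unmap(page_table)` has moved from the top of the function into the VM_SHARED branch and the private-page path. That new invariant (the caller's mapping stays live until one of those two points) is not stated anywhere, and a comment above the zero-page block should record it, e.g. `/* page_table is still mapped from the caller; lock it in place rather than remapping */`. The hunk also drops the `check_stack_guard_page()` call with no replacement visible here. Presumably the guard gap is enforced elsewhere in the patch, and a short comment pointing to that location would let a reader confirm stack growth is still bounded.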
113712@@ -2713,6 +2913,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
113713 if (!pte_none(*page_table))
113714 goto release;
113715
113716+#ifdef CONFIG_PAX_SEGMEXEC
113717+ if (pax_find_mirror_vma(vma))
113718+ BUG_ON(!trylock_page(page));
113719+#endif
113720+
113721 inc_mm_counter_fast(mm, MM_ANONPAGES);
113722 page_add_new_anon_rmap(page, vma, address);
113723 mem_cgroup_commit_charge(page, memcg, false);
113724@@ -2722,6 +2927,12 @@ setpte:
113725
113726 /* No need to invalidate - it was non-present before */
113727 update_mmu_cache(vma, address, page_table);
113728+
113729+#ifdef CONFIG_PAX_SEGMEXEC
113730+ if (page)
113731+ pax_mirror_anon_pte(vma, address, page, ptl);
113732+#endif
113733+
113734 unlock:
113735 pte_unmap_unlock(page_table, ptl);
113736 return 0;
113737@@ -2954,6 +3165,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113738 return ret;
113739 }
113740 do_set_pte(vma, address, fault_page, pte, false, false);
113741+
113742+#ifdef CONFIG_PAX_SEGMEXEC
113743+ pax_mirror_file_pte(vma, address, fault_page, ptl);
113744+#endif
113745+
113746 unlock_page(fault_page);
113747 unlock_out:
113748 pte_unmap_unlock(pte, ptl);
113749@@ -3005,7 +3221,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113750 }
113751 goto uncharge_out;
113752 }
113753+
113754+#ifdef CONFIG_PAX_SEGMEXEC
113755+ if (pax_find_mirror_vma(vma))
113756+ BUG_ON(!trylock_page(new_page));
113757+#endif
113758+
113759 do_set_pte(vma, address, new_page, pte, true, true);
113760+
113761+#ifdef CONFIG_PAX_SEGMEXEC
113762+ pax_mirror_anon_pte(vma, address, new_page, ptl);
113763+#endif
113764+
113765 mem_cgroup_commit_charge(new_page, memcg, false);
113766 lru_cache_add_active_or_unevictable(new_page, vma);
113767 pte_unmap_unlock(pte, ptl);
113768@@ -3063,6 +3290,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113769 return ret;
113770 }
113771 do_set_pte(vma, address, fault_page, pte, true, false);
113772+
113773+#ifdef CONFIG_PAX_SEGMEXEC
113774+ pax_mirror_file_pte(vma, address, fault_page, ptl);
113775+#endif
113776+
113777 pte_unmap_unlock(pte, ptl);
113778
113779 if (set_page_dirty(fault_page))
113780@@ -3288,6 +3520,12 @@ static int handle_pte_fault(struct mm_struct *mm,
113781 if (flags & FAULT_FLAG_WRITE)
113782 flush_tlb_fix_spurious_fault(vma, address);
113783 }
113784+
113785+#ifdef CONFIG_PAX_SEGMEXEC
113786+ pax_mirror_pte(vma, address, pte, pmd, ptl);
113787+ return 0;
113788+#endif
113789+
113790 unlock:
113791 pte_unmap_unlock(pte, ptl);
113792 return 0;
113793@@ -3307,9 +3545,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113794 pmd_t *pmd;
113795 pte_t *pte;
113796
113797+#ifdef CONFIG_PAX_SEGMEXEC
113798+ struct vm_area_struct *vma_m;
113799+#endif
113800+
113801 if (unlikely(is_vm_hugetlb_page(vma)))
113802 return hugetlb_fault(mm, vma, address, flags);
113803
113804+#ifdef CONFIG_PAX_SEGMEXEC
113805+ vma_m = pax_find_mirror_vma(vma);
113806+ if (vma_m) {
113807+ unsigned long address_m;
113808+ pgd_t *pgd_m;
113809+ pud_t *pud_m;
113810+ pmd_t *pmd_m;
113811+
113812+ if (vma->vm_start > vma_m->vm_start) {
113813+ address_m = address;
113814+ address -= SEGMEXEC_TASK_SIZE;
113815+ vma = vma_m;
113816+ } else
113817+ address_m = address + SEGMEXEC_TASK_SIZE;
113818+
113819+ pgd_m = pgd_offset(mm, address_m);
113820+ pud_m = pud_alloc(mm, pgd_m, address_m);
113821+ if (!pud_m)
113822+ return VM_FAULT_OOM;
113823+ pmd_m = pmd_alloc(mm, pud_m, address_m);
113824+ if (!pmd_m)
113825+ return VM_FAULT_OOM;
113826+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
113827+ return VM_FAULT_OOM;
113828+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
113829+ }
113830+#endif
113831+
113832 pgd = pgd_offset(mm, address);
113833 pud = pud_alloc(mm, pgd, address);
113834 if (!pud)
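Review bot: When the fault arrives on the upper vma (`vma->vm_start > vma_m->vm_start`), the branch sets `vma = vma_m` but leaves `vma_m` pointing at the lower vma, so the later `__pte_alloc(mm, vma_m, pmd_m, address_m)` and `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` receive the lower vma together with the upper address. In the `else` branch the pair matches (upper vma, upper address). If the helpers only need `vma->vm_mm` this may be harmless, but pax_unmap_mirror_pte also passes the pair to `vm_normal_page()` and `ptep_clear_flush()`. Using `swap(vma, vma_m);` in place of `vma = vma_m;` would keep both pairs consistent; if the mismatch is deliberate, it needs a comment. The function continues outside the hunk.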
113835@@ -3444,6 +3714,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
113836 spin_unlock(&mm->page_table_lock);
113837 return 0;
113838 }
113839+
113840+int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
113841+{
113842+ pud_t *new = pud_alloc_one(mm, address);
113843+ if (!new)
113844+ return -ENOMEM;
113845+
113846+ smp_wmb(); /* See comment in __pte_alloc */
113847+
113848+ spin_lock(&mm->page_table_lock);
113849+ if (pgd_present(*pgd)) /* Another has populated it */
113850+ pud_free(mm, new);
113851+ else
113852+ pgd_populate_kernel(mm, pgd, new);
113853+ spin_unlock(&mm->page_table_lock);
113854+ return 0;
113855+}
113856 #endif /* __PAGETABLE_PUD_FOLDED */
113857
113858 #ifndef __PAGETABLE_PMD_FOLDED
113859@@ -3476,6 +3763,32 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
113860 spin_unlock(&mm->page_table_lock);
113861 return 0;
113862 }
113863+
113864+int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address)
113865+{
113866+ pmd_t *new = pmd_alloc_one(mm, address);
113867+ if (!new)
113868+ return -ENOMEM;
113869+
113870+ smp_wmb(); /* See comment in __pte_alloc */
113871+
113872+ spin_lock(&mm->page_table_lock);
113873+#ifndef __ARCH_HAS_4LEVEL_HACK
113874+ if (!pud_present(*pud)) {
113875+ mm_inc_nr_pmds(mm);
113876+ pud_populate_kernel(mm, pud, new);
113877+ } else /* Another has populated it */
113878+ pmd_free(mm, new);
113879+#else
113880+ if (!pgd_present(*pud)) {
113881+ mm_inc_nr_pmds(mm);
113882+ pgd_populate_kernel(mm, pud, new);
113883+ } else /* Another has populated it */
113884+ pmd_free(mm, new);
113885+#endif /* __ARCH_HAS_4LEVEL_HACK */
113886+ spin_unlock(&mm->page_table_lock);
113887+ return 0;
113888+}
113889 #endif /* __PAGETABLE_PMD_FOLDED */
113890
113891 static int __follow_pte(struct mm_struct *mm, unsigned long address,
113892@@ -3585,8 +3898,8 @@ out:
113893 return ret;
113894 }
113895
113896-int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
113897- void *buf, int len, int write)
113898+ssize_t generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
113899+ void *buf, size_t len, int write)
113900 {
113901 resource_size_t phys_addr;
113902 unsigned long prot = 0;
113903@@ -3612,8 +3925,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys);
113904 * Access another process' address space as given in mm. If non-NULL, use the
113905 * given task for page fault accounting.
113906 */
113907-static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113908- unsigned long addr, void *buf, int len, int write)
113909+static ssize_t __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113910+ unsigned long addr, void *buf, size_t len, int write)
113911 {
113912 struct vm_area_struct *vma;
113913 void *old_buf = buf;
113914@@ -3621,7 +3934,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113915 down_read(&mm->mmap_sem);
113916 /* ignore errors, just check how much was successfully transferred */
113917 while (len) {
113918- int bytes, ret, offset;
113919+ ssize_t bytes, ret, offset;
113920 void *maddr;
113921 struct page *page = NULL;
113922
113923@@ -3682,8 +3995,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113924 *
113925 * The caller must hold a reference on @mm.
113926 */
113927-int access_remote_vm(struct mm_struct *mm, unsigned long addr,
113928- void *buf, int len, int write)
113929+ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
113930+ void *buf, size_t len, int write)
113931 {
113932 return __access_remote_vm(NULL, mm, addr, buf, len, write);
113933 }
113934@@ -3693,11 +4006,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
113935 * Source/target buffer must be kernel space,
113936 * Do not walk the page table directly, use get_user_pages
113937 */
113938-int access_process_vm(struct task_struct *tsk, unsigned long addr,
113939- void *buf, int len, int write)
113940+ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr,
113941+ void *buf, size_t len, int write)
113942 {
113943 struct mm_struct *mm;
113944- int ret;
113945+ ssize_t ret;
113946
113947 mm = get_task_mm(tsk);
113948 if (!mm)
113949diff --git a/mm/mempolicy.c b/mm/mempolicy.c
113950index 99d4c1d..a577817 100644
113951--- a/mm/mempolicy.c
113952+++ b/mm/mempolicy.c
113953@@ -703,6 +703,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
113954 unsigned long vmstart;
113955 unsigned long vmend;
113956
113957+#ifdef CONFIG_PAX_SEGMEXEC
113958+ struct vm_area_struct *vma_m;
113959+#endif
113960+
113961 vma = find_vma(mm, start);
113962 if (!vma || vma->vm_start > start)
113963 return -EFAULT;
113964@@ -746,6 +750,16 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
113965 err = vma_replace_policy(vma, new_pol);
113966 if (err)
113967 goto out;
113968+
113969+#ifdef CONFIG_PAX_SEGMEXEC
113970+ vma_m = pax_find_mirror_vma(vma);
113971+ if (vma_m) {
113972+ err = vma_replace_policy(vma_m, new_pol);
113973+ if (err)
113974+ goto out;
113975+ }
113976+#endif
113977+
113978 }
113979
113980 out:
113981@@ -1161,6 +1175,17 @@ static long do_mbind(unsigned long start, unsigned long len,
113982
113983 if (end < start)
113984 return -EINVAL;
113985+
113986+#ifdef CONFIG_PAX_SEGMEXEC
113987+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
113988+ if (end > SEGMEXEC_TASK_SIZE)
113989+ return -EINVAL;
113990+ } else
113991+#endif
113992+
113993+ if (end > TASK_SIZE)
113994+ return -EINVAL;
113995+
113996 if (end == start)
113997 return 0;
113998
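Review bot: The `} else` that closes the CONFIG_PAX_SEGMEXEC block binds to the `if (end > TASK_SIZE)` placed after the `#endif` and a blank line, so the shape of this bounds check changes with the configuration and an innocent edit between the two lines would silently change what the `else` controls. Selecting the limit into a local and testing it once keeps a single unconditional statement. The same preprocessor-guarded dangling `if` appears in the vm_stat_account, mmap_region, arch_get_unmapped_area and arch_get_unmapped_area_topdown hunks of mm/mmap.c; in the last of these a comment line sits between the guard and the `if (addr)` it controls. do_mbind starts outside the hunk, so the declaration would join its other locals.

```c
	unsigned long task_size = TASK_SIZE;

	/* … unchanged: end < start check … */

#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif
	if (end > task_size)
		return -EINVAL;
```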
113999@@ -1386,8 +1411,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
114000 */
114001 tcred = __task_cred(task);
114002 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
114003- !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
114004- !capable(CAP_SYS_NICE)) {
114005+ !uid_eq(cred->uid, tcred->suid) && !capable(CAP_SYS_NICE)) {
114006 rcu_read_unlock();
114007 err = -EPERM;
114008 goto out_put;
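Review bot: Dropping `!uid_eq(cred->uid, tcred->uid)` means a caller whose real uid equals the target's real uid is no longer admitted by that match alone, yet the comment that ends just above `tcred = __task_cred(task);` is untouched; its text is outside the hunk and presumably still describes the old rule. The identical change is made to move_pages in the mm/migrate.c hunk. Add a line to both comments recording the tightened rule, e.g. `* A matching real uid alone is deliberately not sufficient here.`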
114009@@ -1418,6 +1442,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
114010 goto out;
114011 }
114012
114013+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
114014+ if (mm != current->mm &&
114015+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
114016+ mmput(mm);
114017+ err = -EPERM;
114018+ goto out;
114019+ }
114020+#endif
114021+
114022 err = do_migrate_pages(mm, old, new,
114023 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
114024
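Review bot: The flag test `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` relies on `&` binding tighter than `||` and reads the field twice; `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))` says the same in one test. The block has no comment explaining why another task's mm is refused for these flags, and as far as the hunk shows it applies even to a caller holding CAP_SYS_NICE, unlike the credential check earlier in the syscall. A one-line comment such as `/* never migrate pages of another task whose layout is randomized or mirrored */` would record the intent.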
114025diff --git a/mm/migrate.c b/mm/migrate.c
114026index eb42671..9f2f3ea 100644
114027--- a/mm/migrate.c
114028+++ b/mm/migrate.c
114029@@ -1491,8 +1491,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
114030 */
114031 tcred = __task_cred(task);
114032 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
114033- !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
114034- !capable(CAP_SYS_NICE)) {
114035+ !uid_eq(cred->uid, tcred->suid) && !capable(CAP_SYS_NICE)) {
114036 rcu_read_unlock();
114037 err = -EPERM;
114038 goto out;
114039diff --git a/mm/mlock.c b/mm/mlock.c
114040index 6fd2cf1..cbae765 100644
114041--- a/mm/mlock.c
114042+++ b/mm/mlock.c
114043@@ -14,6 +14,7 @@
114044 #include <linux/pagevec.h>
114045 #include <linux/mempolicy.h>
114046 #include <linux/syscalls.h>
114047+#include <linux/security.h>
114048 #include <linux/sched.h>
114049 #include <linux/export.h>
114050 #include <linux/rmap.h>
114051@@ -557,7 +558,7 @@ static int do_mlock(unsigned long start, size_t len, int on)
114052 {
114053 unsigned long nstart, end, tmp;
114054 struct vm_area_struct * vma, * prev;
114055- int error;
114056+ int error = 0;
114057
114058 VM_BUG_ON(start & ~PAGE_MASK);
114059 VM_BUG_ON(len != PAGE_ALIGN(len));
114060@@ -566,6 +567,9 @@ static int do_mlock(unsigned long start, size_t len, int on)
114061 return -EINVAL;
114062 if (end == start)
114063 return 0;
114064+ if (end > TASK_SIZE)
114065+ return -EINVAL;
114066+
114067 vma = find_vma(current->mm, start);
114068 if (!vma || vma->vm_start > start)
114069 return -ENOMEM;
114070@@ -577,6 +581,11 @@ static int do_mlock(unsigned long start, size_t len, int on)
114071 for (nstart = start ; ; ) {
114072 vm_flags_t newflags;
114073
114074+#ifdef CONFIG_PAX_SEGMEXEC
114075+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
114076+ break;
114077+#endif
114078+
114079 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
114080
114081 newflags = vma->vm_flags & ~VM_LOCKED;
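Review bot: The `break` added at the top of the loop leaves `error` at 0, the value the first do_mlock hunk now initialises it to, when the vma reached starts at or above SEGMEXEC_TASK_SIZE, so as far as these hunks show the caller is told the request succeeded although the range was not, or only partly, processed. The range check added in the previous hunk compares `end` with TASK_SIZE only, whereas the do_mbind hunk in mm/mempolicy.c rejects `end > SEGMEXEC_TASK_SIZE` with -EINVAL for such tasks. If silent success is not intended, set `error = -ENOMEM;` before the `break`, or reject the range up front as do_mbind does. The loop body continues outside the hunk.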
114082@@ -627,6 +636,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
114083 locked += current->mm->locked_vm;
114084
114085 /* check against resource limits */
114086+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
114087 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
114088 error = do_mlock(start, len, 1);
114089
114090@@ -668,6 +678,11 @@ static int do_mlockall(int flags)
114091 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
114092 vm_flags_t newflags;
114093
114094+#ifdef CONFIG_PAX_SEGMEXEC
114095+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
114096+ break;
114097+#endif
114098+
114099 newflags = vma->vm_flags & ~VM_LOCKED;
114100 if (flags & MCL_CURRENT)
114101 newflags |= VM_LOCKED;
114102@@ -699,8 +714,10 @@ SYSCALL_DEFINE1(mlockall, int, flags)
114103 lock_limit >>= PAGE_SHIFT;
114104
114105 ret = -ENOMEM;
114106+
114107+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
114108+
114109 down_write(&current->mm->mmap_sem);
114110-
114111 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
114112 capable(CAP_IPC_LOCK))
114113 ret = do_mlockall(flags);
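Review bot: `gr_learn_resource()` reads `current->mm->total_vm` before `down_write(&current->mm->mmap_sem)`, while the limit test two lines further down reads the same field under the lock, so the value that is learned can differ from the value that is checked. It is also reported when MCL_CURRENT is clear, a case in which the visible condition never compares total_vm with the limit. Moving the call below `down_write()` and under `if (flags & MCL_CURRENT)` would keep the two consistent, assuming gr_learn_resource() may run with mmap_sem held, which this hunk does not show.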
114114diff --git a/mm/mm_init.c b/mm/mm_init.c
114115index fdadf91..5f527d1 100644
114116--- a/mm/mm_init.c
114117+++ b/mm/mm_init.c
114118@@ -170,7 +170,7 @@ static int __meminit mm_compute_batch_notifier(struct notifier_block *self,
114119 return NOTIFY_OK;
114120 }
114121
114122-static struct notifier_block compute_batch_nb __meminitdata = {
114123+static struct notifier_block compute_batch_nb __meminitconst = {
114124 .notifier_call = mm_compute_batch_notifier,
114125 .priority = IPC_CALLBACK_PRI, /* use lowest priority */
114126 };
114127diff --git a/mm/mmap.c b/mm/mmap.c
114128index aa632ad..13456342 100644
114129--- a/mm/mmap.c
114130+++ b/mm/mmap.c
114131@@ -41,6 +41,7 @@
114132 #include <linux/notifier.h>
114133 #include <linux/memory.h>
114134 #include <linux/printk.h>
114135+#include <linux/random.h>
114136
114137 #include <asm/uaccess.h>
114138 #include <asm/cacheflush.h>
114139@@ -57,6 +58,16 @@
114140 #define arch_rebalance_pgtables(addr, len) (addr)
114141 #endif
114142
114143+static inline void verify_mm_writelocked(struct mm_struct *mm)
114144+{
114145+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
114146+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
114147+ up_read(&mm->mmap_sem);
114148+ BUG();
114149+ }
114150+#endif
114151+}
114152+
114153 static void unmap_region(struct mm_struct *mm,
114154 struct vm_area_struct *vma, struct vm_area_struct *prev,
114155 unsigned long start, unsigned long end);
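Review bot: verify_mm_writelocked() has no comment, and its check reads backwards at first sight: a successful `down_read_trylock()` means no writer holds mmap_sem, which is the failure case, and the function then calls BUG(). The test can only show that some writer holds the semaphore, not that the current task does. A header comment such as `/* BUG if mm->mmap_sem is not held for writing; cannot tell which task holds it */` would record both facts. Because the check is also compiled in under CONFIG_PAX, a missed lock becomes fatal outside CONFIG_DEBUG_VM builds, which is worth stating in the same comment.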
114156@@ -76,16 +87,25 @@ static void unmap_region(struct mm_struct *mm,
114157 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
114158 *
114159 */
114160-pgprot_t protection_map[16] = {
114161+pgprot_t protection_map[16] __read_only = {
114162 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
114163 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
114164 };
114165
114166-pgprot_t vm_get_page_prot(unsigned long vm_flags)
114167+pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
114168 {
114169- return __pgprot(pgprot_val(protection_map[vm_flags &
114170+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
114171 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
114172 pgprot_val(arch_vm_get_page_prot(vm_flags)));
114173+
114174+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
114175+ if (!(__supported_pte_mask & _PAGE_NX) &&
114176+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
114177+ (vm_flags & (VM_READ | VM_WRITE)))
114178+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
114179+#endif
114180+
114181+ return prot;
114182 }
114183 EXPORT_SYMBOL(vm_get_page_prot);
114184
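Review bot: The CONFIG_PAX_PAGEEXEC block in vm_get_page_prot() has no comment, and the nested `__pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))))` conversion hides what is being decided. From the condition it applies when `_PAGE_NX` is absent from `__supported_pte_mask`, the mapping has VM_PAGEEXEC without VM_EXEC, and it is readable or writable. A comment above the `if`, e.g. `/* no NX bit: non-executable PAGEEXEC mappings are marked through pte_exprotect() */`, would say so; what pte_exprotect() changes in the pte is defined outside this hunk.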
114185@@ -114,6 +134,7 @@ unsigned long sysctl_overcommit_kbytes __read_mostly;
114186 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
114187 unsigned long sysctl_user_reserve_kbytes __read_mostly = 1UL << 17; /* 128MB */
114188 unsigned long sysctl_admin_reserve_kbytes __read_mostly = 1UL << 13; /* 8MB */
114189+unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
114190 /*
114191 * Make sure vm_committed_as in one cacheline and not cacheline shared with
114192 * other variables. It can be updated by several CPUs frequently.
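Review bot: `sysctl_heap_stack_gap` is initialised to `64*1024` with no unit, directly below two `*_kbytes` variables whose initialisers carry `/* 128MB */` and `/* 8MB */` comments. Later hunks in this file compare it with address differences such as `vma->vm_start - addr - len`, so the value appears to be in bytes rather than kilobytes like its neighbours. State the unit where it is defined, e.g. `unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024; /* bytes (64KB) */`.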
114193@@ -271,6 +292,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
114194 struct vm_area_struct *next = vma->vm_next;
114195
114196 might_sleep();
114197+ BUG_ON(vma->vm_mirror);
114198 if (vma->vm_ops && vma->vm_ops->close)
114199 vma->vm_ops->close(vma);
114200 if (vma->vm_file)
114201@@ -284,6 +306,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len);
114202
114203 SYSCALL_DEFINE1(brk, unsigned long, brk)
114204 {
114205+ unsigned long rlim;
114206 unsigned long retval;
114207 unsigned long newbrk, oldbrk;
114208 struct mm_struct *mm = current->mm;
114209@@ -314,7 +337,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
114210 * segment grow beyond its set limit the in case where the limit is
114211 * not page aligned -Ram Gupta
114212 */
114213- if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
114214+ rlim = rlimit(RLIMIT_DATA);
114215+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
114216+ /* force a minimum 16MB brk heap on setuid/setgid binaries */
114217+ if (rlim < PAGE_SIZE && (get_dumpable(mm) != SUID_DUMP_USER) && gr_is_global_nonroot(current_uid()))
114218+ rlim = 4096 * PAGE_SIZE;
114219+#endif
114220+ if (check_data_rlimit(rlim, brk, mm->start_brk,
114221 mm->end_data, mm->start_data))
114222 goto out;
114223
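Review bot: The added comment promises a minimum 16MB brk heap, but the code overrides the limit only when `rlim < PAGE_SIZE`, and the replacement `4096 * PAGE_SIZE` is 16MB only with 4KB pages. A limit of exactly one page or more is left as it is, so this is not a minimum in the usual sense. The condition also tests `get_dumpable(mm) != SUID_DUMP_USER` and a non-root uid rather than setuid/setgid as such. Reword the comment to match the code, e.g. `/* RLIMIT_DATA below one page on a non-dumpable, non-root task: use 4096 pages instead */`.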
114224@@ -967,6 +996,12 @@ static int
114225 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
114226 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
114227 {
114228+
114229+#ifdef CONFIG_PAX_SEGMEXEC
114230+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
114231+ return 0;
114232+#endif
114233+
114234 if (is_mergeable_vma(vma, file, vm_flags) &&
114235 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
114236 if (vma->vm_pgoff == vm_pgoff)
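Review bot: The early `return 0` added to can_vma_merge_before(), and the matching one in the can_vma_merge_after() hunk below, carry no comment saying why a vma that starts (or ends) exactly at SEGMEXEC_TASK_SIZE must never merge. Presumably this keeps a vma from spanning the boundary that pax_find_mirror_vma() asserts on later in this file; if so, say it at both sites, e.g. `/* never merge across SEGMEXEC_TASK_SIZE */`. Both hunks also leave a blank line directly after the opening brace, which the other functions visible in this file do not.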
114237@@ -986,6 +1021,12 @@ static int
114238 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
114239 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
114240 {
114241+
114242+#ifdef CONFIG_PAX_SEGMEXEC
114243+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
114244+ return 0;
114245+#endif
114246+
114247 if (is_mergeable_vma(vma, file, vm_flags) &&
114248 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
114249 pgoff_t vm_pglen;
114250@@ -1035,6 +1076,13 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
114251 struct vm_area_struct *area, *next;
114252 int err;
114253
114254+#ifdef CONFIG_PAX_SEGMEXEC
114255+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
114256+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
114257+
114258+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
114259+#endif
114260+
114261 /*
114262 * We later require that vma->vm_flags == vm_flags,
114263 * so this tests vma->vm_flags & VM_SPECIAL, too.
114264@@ -1050,6 +1098,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
114265 if (next && next->vm_end == end) /* cases 6, 7, 8 */
114266 next = next->vm_next;
114267
114268+#ifdef CONFIG_PAX_SEGMEXEC
114269+ if (prev)
114270+ prev_m = pax_find_mirror_vma(prev);
114271+ if (area)
114272+ area_m = pax_find_mirror_vma(area);
114273+ if (next)
114274+ next_m = pax_find_mirror_vma(next);
114275+#endif
114276+
114277 /*
114278 * Can it merge with the predecessor?
114279 */
114280@@ -1069,9 +1126,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
114281 /* cases 1, 6 */
114282 err = vma_adjust(prev, prev->vm_start,
114283 next->vm_end, prev->vm_pgoff, NULL);
114284- } else /* cases 2, 5, 7 */
114285+
114286+#ifdef CONFIG_PAX_SEGMEXEC
114287+ if (!err && prev_m)
114288+ err = vma_adjust(prev_m, prev_m->vm_start,
114289+ next_m->vm_end, prev_m->vm_pgoff, NULL);
114290+#endif
114291+
114292+ } else { /* cases 2, 5, 7 */
114293 err = vma_adjust(prev, prev->vm_start,
114294 end, prev->vm_pgoff, NULL);
114295+
114296+#ifdef CONFIG_PAX_SEGMEXEC
114297+ if (!err && prev_m)
114298+ err = vma_adjust(prev_m, prev_m->vm_start,
114299+ end_m, prev_m->vm_pgoff, NULL);
114300+#endif
114301+
114302+ }
114303 if (err)
114304 return NULL;
114305 khugepaged_enter_vma_merge(prev, vm_flags);
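Review bot: In the "cases 1, 6" branch the mirror call dereferences `next_m->vm_end` after testing only `prev_m`, and in the "cases 3, 8" branch of the next hunk `next_m` is dereferenced after testing only `area_m`. This presumably holds because mergeable vmas share vm_flags and so either all have mirrors or none do, but nothing here states or asserts it; a `BUG_ON(prev_m && !next_m);` (and the `area_m` equivalent) or a comment would make the assumption explicit. Separately, in all four branches across the two hunks a failing mirror `vma_adjust()` makes vma_merge() return NULL after the primary `vma_adjust()` has already resized the vma, which leaves the pair out of step. vma_merge's body starts and ends outside both hunks.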
114306@@ -1085,12 +1157,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
114307 mpol_equal(policy, vma_policy(next)) &&
114308 can_vma_merge_before(next, vm_flags,
114309 anon_vma, file, pgoff+pglen)) {
114310- if (prev && addr < prev->vm_end) /* case 4 */
114311+ if (prev && addr < prev->vm_end) { /* case 4 */
114312 err = vma_adjust(prev, prev->vm_start,
114313 addr, prev->vm_pgoff, NULL);
114314- else /* cases 3, 8 */
114315+
114316+#ifdef CONFIG_PAX_SEGMEXEC
114317+ if (!err && prev_m)
114318+ err = vma_adjust(prev_m, prev_m->vm_start,
114319+ addr_m, prev_m->vm_pgoff, NULL);
114320+#endif
114321+
114322+ } else { /* cases 3, 8 */
114323 err = vma_adjust(area, addr, next->vm_end,
114324 next->vm_pgoff - pglen, NULL);
114325+
114326+#ifdef CONFIG_PAX_SEGMEXEC
114327+ if (!err && area_m)
114328+ err = vma_adjust(area_m, addr_m, next_m->vm_end,
114329+ next_m->vm_pgoff - pglen, NULL);
114330+#endif
114331+
114332+ }
114333 if (err)
114334 return NULL;
114335 khugepaged_enter_vma_merge(area, vm_flags);
114336@@ -1199,8 +1286,10 @@ none:
114337 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
114338 struct file *file, long pages)
114339 {
114340- const unsigned long stack_flags
114341- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
114342+
114343+#ifdef CONFIG_PAX_RANDMMAP
114344+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
114345+#endif
114346
114347 mm->total_vm += pages;
114348
114349@@ -1208,7 +1297,7 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags,
114350 mm->shared_vm += pages;
114351 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
114352 mm->exec_vm += pages;
114353- } else if (flags & stack_flags)
114354+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
114355 mm->stack_vm += pages;
114356 }
114357 #endif /* CONFIG_PROC_FS */
114358@@ -1238,6 +1327,7 @@ static inline int mlock_future_check(struct mm_struct *mm,
114359 locked += mm->locked_vm;
114360 lock_limit = rlimit(RLIMIT_MEMLOCK);
114361 lock_limit >>= PAGE_SHIFT;
114362+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
114363 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
114364 return -EAGAIN;
114365 }
114366@@ -1267,7 +1357,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
114367 * (the exception is when the underlying filesystem is noexec
114368 * mounted, in which case we dont add PROT_EXEC.)
114369 */
114370- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
114371+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
114372 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
114373 prot |= PROT_EXEC;
114374
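Review bot: The condition now adds PROT_EXEC for a PROT_WRITE-only request under READ_IMPLIES_EXEC as well, but the comment above it, of which only the noexec-mount exception is visible in the hunk, is left unchanged. If the part outside the hunk still speaks of PROT_READ alone, it no longer describes the code. Update it with the condition, so that it names both PROT_READ and PROT_WRITE as triggers.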
114375@@ -1290,7 +1380,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
114376 /* Obtain the address to map to. we verify (or select) it and ensure
114377 * that it represents a valid section of the address space.
114378 */
114379- addr = get_unmapped_area(file, addr, len, pgoff, flags);
114380+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
114381 if (addr & ~PAGE_MASK)
114382 return addr;
114383
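Review bot: `MAP_EXECUTABLE` is OR-ed into the flags handed to `get_unmapped_area()` to signal that the mapping is PROT_EXEC, which overloads a bit that can also arrive from the caller in `flags`. The callee cannot tell the two apart, so a request carrying MAP_EXECUTABLE without PROT_EXEC would look executable to it unless the bit is cleared before this point, which the hunk does not show. Document the convention at the call, e.g. `/* MAP_EXECUTABLE here only means "prot has PROT_EXEC" for the address chooser */`, and consider masking the caller's bit first.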
114384@@ -1301,6 +1391,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
114385 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
114386 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
114387
114388+#ifdef CONFIG_PAX_MPROTECT
114389+ if (mm->pax_flags & MF_PAX_MPROTECT) {
114390+
114391+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
114392+ if (file && !pgoff && (vm_flags & VM_EXEC) && mm->binfmt &&
114393+ mm->binfmt->handle_mmap)
114394+ mm->binfmt->handle_mmap(file);
114395+#endif
114396+
114397+#ifndef CONFIG_PAX_MPROTECT_COMPAT
114398+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
114399+ gr_log_rwxmmap(file);
114400+
114401+#ifdef CONFIG_PAX_EMUPLT
114402+ vm_flags &= ~VM_EXEC;
114403+#else
114404+ return -EPERM;
114405+#endif
114406+
114407+ }
114408+
114409+ if (!(vm_flags & VM_EXEC))
114410+ vm_flags &= ~VM_MAYEXEC;
114411+#else
114412+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
114413+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
114414+#endif
114415+ else
114416+ vm_flags &= ~VM_MAYWRITE;
114417+ }
114418+#endif
114419+
114420+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
114421+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
114422+ vm_flags &= ~VM_PAGEEXEC;
114423+#endif
114424+
114425 if (flags & MAP_LOCKED)
114426 if (!can_do_mlock())
114427 return -EPERM;
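Review bot: The trailing `else vm_flags &= ~VM_MAYWRITE;` sits after the `#endif` of the CONFIG_PAX_MPROTECT_COMPAT conditional, so it pairs with `if (!(vm_flags & VM_EXEC))` in one configuration and with `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` in the other. The result is correct in both, but this W^X decision cannot be read without expanding the preprocessor by hand, and a statement added before the `else` would break only one build. Giving each branch its own complete if/else, as below, keeps behaviour identical. It would also help to note in a comment that under CONFIG_PAX_EMUPLT a writable-and-executable request silently loses VM_EXEC instead of failing with -EPERM. do_mmap_pgoff starts and ends outside the hunk.

```c
#ifndef CONFIG_PAX_MPROTECT_COMPAT
		/* … unchanged: W|X request is logged, then loses VM_EXEC (EMUPLT) or returns -EPERM … */

		if (vm_flags & VM_EXEC)
			vm_flags &= ~VM_MAYWRITE;
		else
			vm_flags &= ~VM_MAYEXEC;
#else
		if ((vm_flags & (VM_WRITE | VM_EXEC)) == VM_EXEC)
			vm_flags &= ~VM_MAYWRITE;
		else
			vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
#endif
```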
114428@@ -1388,6 +1515,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
114429 vm_flags |= VM_NORESERVE;
114430 }
114431
114432+ if (!gr_acl_handle_mmap(file, prot))
114433+ return -EACCES;
114434+
114435 addr = mmap_region(file, addr, len, vm_flags, pgoff);
114436 if (!IS_ERR_VALUE(addr) &&
114437 ((vm_flags & VM_LOCKED) ||
114438@@ -1481,7 +1611,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
114439 vm_flags_t vm_flags = vma->vm_flags;
114440
114441 /* If it was private or non-writable, the write bit is already clear */
114442- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
114443+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
114444 return 0;
114445
114446 /* The backer wishes to know when pages are first written to? */
114447@@ -1532,7 +1662,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114448 struct rb_node **rb_link, *rb_parent;
114449 unsigned long charged = 0;
114450
114451+#ifdef CONFIG_PAX_SEGMEXEC
114452+ struct vm_area_struct *vma_m = NULL;
114453+#endif
114454+
114455+ /*
114456+ * mm->mmap_sem is required to protect against another thread
114457+ * changing the mappings in case we sleep.
114458+ */
114459+ verify_mm_writelocked(mm);
114460+
114461 /* Check against address space limit. */
114462+
114463+#ifdef CONFIG_PAX_RANDMMAP
114464+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
114465+#endif
114466+
114467 if (!may_expand_vm(mm, len >> PAGE_SHIFT)) {
114468 unsigned long nr_pages;
114469
114470@@ -1555,6 +1700,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114471 &rb_parent)) {
114472 if (do_munmap(mm, addr, len))
114473 return -ENOMEM;
114474+ BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));
114475 }
114476
114477 /*
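Review bot: `BUG_ON(find_vma_links(...))` places a call that writes `prev`, `rb_link` and `rb_parent` inside an assertion, so one statement is both a state update and a check. The `BUG_ON(pax_mirror_vma(vma_m, vma))` in the later mmap_region hunk does the same with the call that links the mirror vma. Keeping the call outside makes the side effect visible, e.g. with a local `int overlap`: `overlap = find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent);` followed by `BUG_ON(overlap);`. The enclosing statement starts outside the hunk.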
114478@@ -1586,6 +1732,16 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114479 goto unacct_error;
114480 }
114481
114482+#ifdef CONFIG_PAX_SEGMEXEC
114483+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
114484+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
114485+ if (!vma_m) {
114486+ error = -ENOMEM;
114487+ goto free_vma;
114488+ }
114489+ }
114490+#endif
114491+
114492 vma->vm_mm = mm;
114493 vma->vm_start = addr;
114494 vma->vm_end = addr + len;
114495@@ -1616,6 +1772,13 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114496 if (error)
114497 goto unmap_and_free_vma;
114498
114499+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
114500+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
114501+ vma->vm_flags |= VM_PAGEEXEC;
114502+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
114503+ }
114504+#endif
114505+
114506 /* Can addr have changed??
114507 *
114508 * Answer: Yes, several device drivers can do it in their
114509@@ -1634,6 +1797,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114510 }
114511
114512 vma_link(mm, vma, prev, rb_link, rb_parent);
114513+
114514+#ifdef CONFIG_PAX_SEGMEXEC
114515+ if (vma_m)
114516+ BUG_ON(pax_mirror_vma(vma_m, vma));
114517+#endif
114518+
114519 /* Once vma denies write, undo our temporary denial count */
114520 if (file) {
114521 if (vm_flags & VM_SHARED)
114522@@ -1646,6 +1815,7 @@ out:
114523 perf_event_mmap(vma);
114524
114525 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
114526+ track_exec_limit(mm, addr, addr + len, vm_flags);
114527 if (vm_flags & VM_LOCKED) {
114528 if (!((vm_flags & VM_SPECIAL) || is_vm_hugetlb_page(vma) ||
114529 vma == get_gate_vma(current->mm)))
114530@@ -1683,6 +1853,12 @@ allow_write_and_free_vma:
114531 if (vm_flags & VM_DENYWRITE)
114532 allow_write_access(file);
114533 free_vma:
114534+
114535+#ifdef CONFIG_PAX_SEGMEXEC
114536+ if (vma_m)
114537+ kmem_cache_free(vm_area_cachep, vma_m);
114538+#endif
114539+
114540 kmem_cache_free(vm_area_cachep, vma);
114541 unacct_error:
114542 if (charged)
114543@@ -1690,7 +1866,63 @@ unacct_error:
114544 return error;
114545 }
114546
114547-unsigned long unmapped_area(struct vm_unmapped_area_info *info)
114548+#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
114549+unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
114550+{
114551+ if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK))
114552+ return ((prandom_u32() & 0xFF) + 1) << PAGE_SHIFT;
114553+
114554+ return 0;
114555+}
114556+#endif
114557+
114558+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset)
114559+{
114560+ if (!vma) {
114561+#ifdef CONFIG_STACK_GROWSUP
114562+ if (addr > sysctl_heap_stack_gap)
114563+ vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
114564+ else
114565+ vma = find_vma(current->mm, 0);
114566+ if (vma && (vma->vm_flags & VM_GROWSUP))
114567+ return false;
114568+#endif
114569+ return true;
114570+ }
114571+
114572+ if (addr + len > vma->vm_start)
114573+ return false;
114574+
114575+ if (vma->vm_flags & VM_GROWSDOWN)
114576+ return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
114577+#ifdef CONFIG_STACK_GROWSUP
114578+ else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
114579+ return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;
114580+#endif
114581+ else if (offset)
114582+ return offset <= vma->vm_start - addr - len;
114583+
114584+ return true;
114585+}
114586+
114587+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset)
114588+{
114589+ if (vma->vm_start < len)
114590+ return -ENOMEM;
114591+
114592+ if (!(vma->vm_flags & VM_GROWSDOWN)) {
114593+ if (offset <= vma->vm_start - len)
114594+ return vma->vm_start - len - offset;
114595+ else
114596+ return -ENOMEM;
114597+ }
114598+
114599+ if (sysctl_heap_stack_gap <= vma->vm_start - len)
114600+ return vma->vm_start - len - sysctl_heap_stack_gap;
114601+ return -ENOMEM;
114602+}
114603+
114604+unsigned long unmapped_area(const struct vm_unmapped_area_info *info)
114605 {
114606 /*
114607 * We implement the search by looking for an rbtree node that
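Review bot: `gr_rand_threadstack_offset()` draws the thread-stack offset from `prandom_u32()`, the kernel's fast non-cryptographic generator, although the value is part of address-space randomisation. `get_random_int()` from the `<linux/random.h>` header this patch adds to the file is the more appropriate source: `return ((get_random_int() & 0xFF) + 1) << PAGE_SHIFT;`. The function is defined only under CONFIG_GRKERNSEC_RAND_THREADSTACK while the arch_get_unmapped_area hunks call it unconditionally, so a stub is presumably provided by a header outside this view. None of the three new functions has a comment stating its contract, in particular that `skip_heap_stack_gap()` returns `-ENOMEM` through an `unsigned long`.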
114608@@ -1738,11 +1970,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
114609 }
114610 }
114611
114612- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
114613+ gap_start = vma->vm_prev ? vma->vm_prev->vm_end: 0;
114614 check_current:
114615 /* Check if current node has a suitable gap */
114616 if (gap_start > high_limit)
114617 return -ENOMEM;
114618+
114619+ if (gap_end - gap_start > info->threadstack_offset)
114620+ gap_start += info->threadstack_offset;
114621+ else
114622+ gap_start = gap_end;
114623+
114624+ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
114625+ if (gap_end - gap_start > sysctl_heap_stack_gap)
114626+ gap_start += sysctl_heap_stack_gap;
114627+ else
114628+ gap_start = gap_end;
114629+ }
114630+ if (vma->vm_flags & VM_GROWSDOWN) {
114631+ if (gap_end - gap_start > sysctl_heap_stack_gap)
114632+ gap_end -= sysctl_heap_stack_gap;
114633+ else
114634+ gap_end = gap_start;
114635+ }
114636 if (gap_end >= low_limit && gap_end - gap_start >= length)
114637 goto found;
114638
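Review bot: The only change on the `gap_start = vma->vm_prev ? ...` line is the removal of the space before the colon (`vm_end: 0`), which is noise in the patch and departs from normal ternary spacing; keep `vma->vm_prev->vm_end : 0`. The gap-trimming block added under `check_current` has no comment and is repeated almost verbatim in the unmapped_area_topdown hunk, differing only in which end of the gap gives up `info->threadstack_offset`. A short comment on both copies, e.g. `/* reserve threadstack_offset, then keep sysctl_heap_stack_gap clear of neighbouring stack vmas */`, would make the intent and the asymmetry visible. Both functions continue outside their hunks.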
114639@@ -1792,7 +2042,7 @@ found:
114640 return gap_start;
114641 }
114642
114643-unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
114644+unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info)
114645 {
114646 struct mm_struct *mm = current->mm;
114647 struct vm_area_struct *vma;
114648@@ -1846,6 +2096,24 @@ check_current:
114649 gap_end = vma->vm_start;
114650 if (gap_end < low_limit)
114651 return -ENOMEM;
114652+
114653+ if (gap_end - gap_start > info->threadstack_offset)
114654+ gap_end -= info->threadstack_offset;
114655+ else
114656+ gap_end = gap_start;
114657+
114658+ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
114659+ if (gap_end - gap_start > sysctl_heap_stack_gap)
114660+ gap_start += sysctl_heap_stack_gap;
114661+ else
114662+ gap_start = gap_end;
114663+ }
114664+ if (vma->vm_flags & VM_GROWSDOWN) {
114665+ if (gap_end - gap_start > sysctl_heap_stack_gap)
114666+ gap_end -= sysctl_heap_stack_gap;
114667+ else
114668+ gap_end = gap_start;
114669+ }
114670 if (gap_start <= high_limit && gap_end - gap_start >= length)
114671 goto found;
114672
114673@@ -1909,6 +2177,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
114674 struct mm_struct *mm = current->mm;
114675 struct vm_area_struct *vma;
114676 struct vm_unmapped_area_info info;
114677+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
114678
114679 if (len > TASK_SIZE - mmap_min_addr)
114680 return -ENOMEM;
114681@@ -1916,11 +2185,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
114682 if (flags & MAP_FIXED)
114683 return addr;
114684
114685+#ifdef CONFIG_PAX_RANDMMAP
114686+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
114687+#endif
114688+
114689 if (addr) {
114690 addr = PAGE_ALIGN(addr);
114691 vma = find_vma(mm, addr);
114692 if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
114693- (!vma || addr + len <= vma->vm_start))
114694+ check_heap_stack_gap(vma, addr, len, offset))
114695 return addr;
114696 }
114697
114698@@ -1929,6 +2202,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
114699 info.low_limit = mm->mmap_base;
114700 info.high_limit = TASK_SIZE;
114701 info.align_mask = 0;
114702+ info.threadstack_offset = offset;
114703 return vm_unmapped_area(&info);
114704 }
114705 #endif
114706@@ -1947,6 +2221,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114707 struct mm_struct *mm = current->mm;
114708 unsigned long addr = addr0;
114709 struct vm_unmapped_area_info info;
114710+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
114711
114712 /* requested length too big for entire address space */
114713 if (len > TASK_SIZE - mmap_min_addr)
114714@@ -1955,12 +2230,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114715 if (flags & MAP_FIXED)
114716 return addr;
114717
114718+#ifdef CONFIG_PAX_RANDMMAP
114719+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
114720+#endif
114721+
114722 /* requesting a specific address */
114723 if (addr) {
114724 addr = PAGE_ALIGN(addr);
114725 vma = find_vma(mm, addr);
114726 if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
114727- (!vma || addr + len <= vma->vm_start))
114728+ check_heap_stack_gap(vma, addr, len, offset))
114729 return addr;
114730 }
114731
114732@@ -1969,6 +2248,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114733 info.low_limit = max(PAGE_SIZE, mmap_min_addr);
114734 info.high_limit = mm->mmap_base;
114735 info.align_mask = 0;
114736+ info.threadstack_offset = offset;
114737 addr = vm_unmapped_area(&info);
114738
114739 /*
114740@@ -1981,6 +2261,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114741 VM_BUG_ON(addr != -ENOMEM);
114742 info.flags = 0;
114743 info.low_limit = TASK_UNMAPPED_BASE;
114744+
114745+#ifdef CONFIG_PAX_RANDMMAP
114746+ if (mm->pax_flags & MF_PAX_RANDMMAP)
114747+ info.low_limit += mm->delta_mmap;
114748+#endif
114749+
114750 info.high_limit = TASK_SIZE;
114751 addr = vm_unmapped_area(&info);
114752 }
114753@@ -2081,6 +2367,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
114754 return vma;
114755 }
114756
114757+#ifdef CONFIG_PAX_SEGMEXEC
114758+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
114759+{
114760+ struct vm_area_struct *vma_m;
114761+
114762+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
114763+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
114764+ BUG_ON(vma->vm_mirror);
114765+ return NULL;
114766+ }
114767+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
114768+ vma_m = vma->vm_mirror;
114769+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
114770+ BUG_ON(vma->vm_file != vma_m->vm_file);
114771+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
114772+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
114773+ BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
114774+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
114775+ return vma_m;
114776+}
114777+#endif
114778+
114779 /*
114780 * Verify that the stack growth is acceptable and
114781 * update accounting. This is shared with both the
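Review bot: The anon_vma assertion in pax_find_mirror_vma() dereferences `vma->anon_vma->root` and `vma_m->anon_vma->root` whenever the two pointers differ, which includes the case where exactly one of them is NULL; that would fault inside the BUG_ON expression instead of reporting the broken invariant. Whether that state can occur is not visible here, but the check can be made safe either way: `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`. The function is also more than a lookup, since every call re-validates the mirror pair and BUGs on any mismatch. A header comment should say so, and state that NULL is returned when the mm lacks MF_PAX_SEGMEXEC or the vma lacks VM_EXEC.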
114782@@ -2098,8 +2406,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114783
114784 /* Stack limit test */
114785 actual_size = size;
114786- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
114787- actual_size -= PAGE_SIZE;
114788+ gr_learn_resource(current, RLIMIT_STACK, actual_size, 1);
114789 if (actual_size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur))
114790 return -ENOMEM;
114791
114792@@ -2110,6 +2417,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114793 locked = mm->locked_vm + grow;
114794 limit = READ_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
114795 limit >>= PAGE_SHIFT;
114796+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
114797 if (locked > limit && !capable(CAP_IPC_LOCK))
114798 return -ENOMEM;
114799 }
114800@@ -2139,37 +2447,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114801 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
114802 * vma is the last one with address > vma->vm_end. Have to extend vma.
114803 */
114804+#ifndef CONFIG_IA64
114805+static
114806+#endif
114807 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
114808 {
114809 int error;
114810+ bool locknext;
114811
114812 if (!(vma->vm_flags & VM_GROWSUP))
114813 return -EFAULT;
114814
114815+ /* Also guard against wrapping around to address 0. */
114816+ if (address < PAGE_ALIGN(address+1))
114817+ address = PAGE_ALIGN(address+1);
114818+ else
114819+ return -ENOMEM;
114820+
114821 /*
114822 * We must make sure the anon_vma is allocated
114823 * so that the anon_vma locking is not a noop.
114824 */
114825 if (unlikely(anon_vma_prepare(vma)))
114826 return -ENOMEM;
114827+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
114828+ if (locknext && anon_vma_prepare(vma->vm_next))
114829+ return -ENOMEM;
114830 vma_lock_anon_vma(vma);
114831+ if (locknext)
114832+ vma_lock_anon_vma(vma->vm_next);
114833
114834 /*
114835 * vma->vm_start/vm_end cannot change under us because the caller
114836 * is required to hold the mmap_sem in read mode. We need the
114837- * anon_vma lock to serialize against concurrent expand_stacks.
114838- * Also guard against wrapping around to address 0.
114839+ * anon_vma locks to serialize against concurrent expand_stacks
114840+ * and expand_upwards.
114841 */
114842- if (address < PAGE_ALIGN(address+4))
114843- address = PAGE_ALIGN(address+4);
114844- else {
114845- vma_unlock_anon_vma(vma);
114846- return -ENOMEM;
114847- }
114848 error = 0;
114849
114850 /* Somebody else might have raced and expanded it already */
114851- if (address > vma->vm_end) {
114852+ if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
114853+ error = -ENOMEM;
114854+ else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
114855 unsigned long size, grow;
114856
114857 size = address - vma->vm_start;
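Review bot: The context comment `/* Somebody else might have raced and expanded it already */` now sits above the new heap/stack gap test instead of the `address > vma->vm_end` race test it describes; the expand_downwards hunk below ends up with the same arrangement. The gap test is one over-long line with no explanation of why only a neighbour with VM_READ, VM_WRITE or VM_EXEC counts. Move the race comment down to the `else if` and give the gap test its own, e.g. `/* keep sysctl_heap_stack_gap bytes clear of an accessible neighbouring mapping */`. Note also that `vma->vm_next->vm_start - address` is unsigned, so the test relies on callers never passing an address beyond the next vma's start, a guarantee that lies outside the hunk.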
114858@@ -2204,6 +2523,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
114859 }
114860 }
114861 }
114862+ if (locknext)
114863+ vma_unlock_anon_vma(vma->vm_next);
114864 vma_unlock_anon_vma(vma);
114865 khugepaged_enter_vma_merge(vma, vma->vm_flags);
114866 validate_mm(vma->vm_mm);
114867@@ -2218,6 +2539,8 @@ int expand_downwards(struct vm_area_struct *vma,
114868 unsigned long address)
114869 {
114870 int error;
114871+ bool lockprev = false;
114872+ struct vm_area_struct *prev;
114873
114874 /*
114875 * We must make sure the anon_vma is allocated
114876@@ -2231,6 +2554,15 @@ int expand_downwards(struct vm_area_struct *vma,
114877 if (error)
114878 return error;
114879
114880+ prev = vma->vm_prev;
114881+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
114882+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
114883+#endif
114884+ if (lockprev && anon_vma_prepare(prev))
114885+ return -ENOMEM;
114886+ if (lockprev)
114887+ vma_lock_anon_vma(prev);
114888+
114889 vma_lock_anon_vma(vma);
114890
114891 /*
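Review bot: The order in which the two anon_vma locks are taken is not documented where `vma_lock_anon_vma(prev)` is added ahead of `vma_lock_anon_vma(vma)`. The expand_upwards hunk earlier in this file takes `vma` first and then `vma->vm_next`, so both paths appear to lock the lower-address VMA first. That ordering is presumably what keeps concurrent upward and downward expansion of neighbouring VMAs from deadlocking. A comment above the `lockprev` block, such as `/* lock order: lower-address VMA's anon_vma first, same as expand_upwards() */`, would make the rule explicit. expand_downwards starts and ends outside this hunk.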
114892@@ -2240,9 +2572,17 @@ int expand_downwards(struct vm_area_struct *vma,
114893 */
114894
114895 /* Somebody else might have raced and expanded it already */
114896- if (address < vma->vm_start) {
114897+ if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
114898+ error = -ENOMEM;
114899+ else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
114900 unsigned long size, grow;
114901
114902+#ifdef CONFIG_PAX_SEGMEXEC
114903+ struct vm_area_struct *vma_m;
114904+
114905+ vma_m = pax_find_mirror_vma(vma);
114906+#endif
114907+
114908 size = vma->vm_end - address;
114909 grow = (vma->vm_start - address) >> PAGE_SHIFT;
114910
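Review bot: The gap test `address - prev->vm_end < sysctl_heap_stack_gap` is an unsigned subtraction, so it only rejects when `address` is at or above `prev->vm_end`; for a lower `address` the difference wraps to a large value and the test passes. The following `else if` re-tests `prev->vm_end <= address` only when `lockprev` is set, which the previous hunk limits to the GROWSUP/IA64 configurations. If callers guarantee `address >= prev->vm_end` (not visible from this hunk), say so in a comment. Otherwise make the ordering explicit by adding `address < prev->vm_end ||` in front of the subtraction inside the same condition. The function body continues outside the hunk.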
114911@@ -2267,13 +2607,27 @@ int expand_downwards(struct vm_area_struct *vma,
114912 vma->vm_pgoff -= grow;
114913 anon_vma_interval_tree_post_update_vma(vma);
114914 vma_gap_update(vma);
114915+
114916+#ifdef CONFIG_PAX_SEGMEXEC
114917+ if (vma_m) {
114918+ anon_vma_interval_tree_pre_update_vma(vma_m);
114919+ vma_m->vm_start -= grow << PAGE_SHIFT;
114920+ vma_m->vm_pgoff -= grow;
114921+ anon_vma_interval_tree_post_update_vma(vma_m);
114922+ vma_gap_update(vma_m);
114923+ }
114924+#endif
114925+
114926 spin_unlock(&vma->vm_mm->page_table_lock);
114927
114928+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
114929 perf_event_mmap(vma);
114930 }
114931 }
114932 }
114933 vma_unlock_anon_vma(vma);
114934+ if (lockprev)
114935+ vma_unlock_anon_vma(prev);
114936 khugepaged_enter_vma_merge(vma, vma->vm_flags);
114937 validate_mm(vma->vm_mm);
114938 return error;
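Review bot: The mirror VMA `vma_m` is updated with `anon_vma_interval_tree_pre_update_vma()` and `anon_vma_interval_tree_post_update_vma()` while only `vma`'s anon_vma (and optionally `prev`'s) has been locked. pax_mirror_vma(), added later in this file, copies `*vma` into the mirror and clones its anon_vma chain, so the mirror presumably shares the anon_vma that is already held, but nothing here states that. A comment above the `if (vma_m)` block, e.g. `/* vma_m shares vma's anon_vma (see pax_mirror_vma), so the lock taken above covers it */`, would record the invariant; if the two can differ, the mirror needs its own lock. The function starts outside this hunk.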
114939@@ -2373,6 +2727,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
114940 do {
114941 long nrpages = vma_pages(vma);
114942
114943+#ifdef CONFIG_PAX_SEGMEXEC
114944+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
114945+ vma = remove_vma(vma);
114946+ continue;
114947+ }
114948+#endif
114949+
114950 if (vma->vm_flags & VM_ACCOUNT)
114951 nr_accounted += nrpages;
114952 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
114953@@ -2417,6 +2778,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
114954 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
114955 vma->vm_prev = NULL;
114956 do {
114957+
114958+#ifdef CONFIG_PAX_SEGMEXEC
114959+ if (vma->vm_mirror) {
114960+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
114961+ vma->vm_mirror->vm_mirror = NULL;
114962+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
114963+ vma->vm_mirror = NULL;
114964+ }
114965+#endif
114966+
114967 vma_rb_erase(vma, &mm->mm_rb);
114968 mm->map_count--;
114969 tail_vma = vma;
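Review bot: The first operand of `BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);` is redundant, because `vma` has just been dereferenced and is non-NULL, so a NULL back-pointer already fails the `!= vma` comparison. `BUG_ON(vma->vm_mirror->vm_mirror != vma);` expresses the same check. Separately, the mirror's `VM_EXEC` bit is cleared in `vm_flags` without a visible update of its `vm_page_prot`. If that is safe because the mirror range is unmapped right afterwards by the do_munmap() wrapper, a one-line comment should say so. The loop continues outside the hunk.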
114970@@ -2444,14 +2815,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114971 struct vm_area_struct *new;
114972 int err = -ENOMEM;
114973
114974+#ifdef CONFIG_PAX_SEGMEXEC
114975+ struct vm_area_struct *vma_m, *new_m = NULL;
114976+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
114977+#endif
114978+
114979 if (is_vm_hugetlb_page(vma) && (addr &
114980 ~(huge_page_mask(hstate_vma(vma)))))
114981 return -EINVAL;
114982
114983+#ifdef CONFIG_PAX_SEGMEXEC
114984+ vma_m = pax_find_mirror_vma(vma);
114985+#endif
114986+
114987 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
114988 if (!new)
114989 goto out_err;
114990
114991+#ifdef CONFIG_PAX_SEGMEXEC
114992+ if (vma_m) {
114993+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
114994+ if (!new_m) {
114995+ kmem_cache_free(vm_area_cachep, new);
114996+ goto out_err;
114997+ }
114998+ }
114999+#endif
115000+
115001 /* most fields are the same, copy all, and then fixup */
115002 *new = *vma;
115003
115004@@ -2464,6 +2854,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115005 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
115006 }
115007
115008+#ifdef CONFIG_PAX_SEGMEXEC
115009+ if (vma_m) {
115010+ *new_m = *vma_m;
115011+ INIT_LIST_HEAD(&new_m->anon_vma_chain);
115012+ new_m->vm_mirror = new;
115013+ new->vm_mirror = new_m;
115014+
115015+ if (new_below)
115016+ new_m->vm_end = addr_m;
115017+ else {
115018+ new_m->vm_start = addr_m;
115019+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
115020+ }
115021+ }
115022+#endif
115023+
115024 err = vma_dup_policy(vma, new);
115025 if (err)
115026 goto out_free_vma;
115027@@ -2484,6 +2890,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115028 else
115029 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
115030
115031+#ifdef CONFIG_PAX_SEGMEXEC
115032+ if (!err && vma_m) {
115033+ struct mempolicy *pol = vma_policy(new);
115034+
115035+ if (anon_vma_clone(new_m, vma_m))
115036+ goto out_free_mpol;
115037+
115038+ mpol_get(pol);
115039+ set_vma_policy(new_m, pol);
115040+
115041+ if (new_m->vm_file)
115042+ get_file(new_m->vm_file);
115043+
115044+ if (new_m->vm_ops && new_m->vm_ops->open)
115045+ new_m->vm_ops->open(new_m);
115046+
115047+ if (new_below)
115048+ err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
115049+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
115050+ else
115051+ err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
115052+
115053+ if (err) {
115054+ if (new_m->vm_ops && new_m->vm_ops->close)
115055+ new_m->vm_ops->close(new_m);
115056+ if (new_m->vm_file)
115057+ fput(new_m->vm_file);
115058+ mpol_put(pol);
115059+ }
115060+ }
115061+#endif
115062+
115063 /* Success. */
115064 if (!err)
115065 return 0;
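Review bot: `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` is reached only when `err` is 0 (the block is guarded by `!err && vma_m`), and the jump does not set it, so __split_vma frees `new` and `new_m` at the labels in the next hunk and then returns 0. The caller sees success although the mirror was not split, and `new` was handed to the `vma_adjust()` call just above, which presumably linked it into the mm before it gets freed. At minimum the failure should be reported with `err = anon_vma_clone(new_m, vma_m);` followed by `if (err) goto out_free_mpol;`, and the unwind for an already-inserted `new` needs a second look. The same concern applies when the second `vma_adjust()` fails and control falls into the cleanup for `new`. The function starts outside this hunk.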
115066@@ -2493,10 +2931,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115067 new->vm_ops->close(new);
115068 if (new->vm_file)
115069 fput(new->vm_file);
115070- unlink_anon_vmas(new);
115071 out_free_mpol:
115072 mpol_put(vma_policy(new));
115073 out_free_vma:
115074+
115075+#ifdef CONFIG_PAX_SEGMEXEC
115076+ if (new_m) {
115077+ unlink_anon_vmas(new_m);
115078+ kmem_cache_free(vm_area_cachep, new_m);
115079+ }
115080+#endif
115081+
115082+ unlink_anon_vmas(new);
115083 kmem_cache_free(vm_area_cachep, new);
115084 out_err:
115085 return err;
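Review bot: Moving `unlink_anon_vmas(new)` below `out_free_vma:` makes it run on the `vma_dup_policy()` failure path as well (the `goto out_free_vma` two hunks up), where `new` is still a plain struct copy of `vma`. The `anon_vma_clone(new, vma)` call is not visible here, but judging by the old label order it comes after that jump, so `new->anon_vma` would still hold the pointer copied from `vma`. If unlink_anon_vmas() adjusts per-anon_vma accounting through that pointer, this path would unbalance `vma`'s anon_vma. The same question applies to `unlink_anon_vmas(new_m)`, since `new_m` is a copy of `vma_m` whose clone may not have run. Keeping the unlink of `new` above `out_free_mpol:` and unlinking `new_m` only once its clone has succeeded avoids relying on that.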
115086@@ -2509,6 +2955,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115087 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115088 unsigned long addr, int new_below)
115089 {
115090+
115091+#ifdef CONFIG_PAX_SEGMEXEC
115092+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
115093+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
115094+ if (mm->map_count >= sysctl_max_map_count-1)
115095+ return -ENOMEM;
115096+ } else
115097+#endif
115098+
115099 if (mm->map_count >= sysctl_max_map_count)
115100 return -ENOMEM;
115101
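Review bot: The `} else` that closes the `#ifdef CONFIG_PAX_SEGMEXEC` block takes the `if (mm->map_count >= sysctl_max_map_count)` after `#endif` as its body, with a blank line in between, so the control flow depends on the preprocessor and breaks as soon as a statement is inserted between them. A local limit is safer: `int limit = sysctl_max_map_count;`, decremented under the SEGMEXEC test (presumably to leave room for the mirror's split), followed by a single `if (mm->map_count >= limit) return -ENOMEM;`. The mprotect syscall hunk in mm/mprotect.c uses the same `} else` / `#endif` / `if` shape for its `end > TASK_SIZE` test. `BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE)` also turns a bad argument into a kernel BUG instead of an error return; a comment on why user-controlled input cannot reach it would help.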
115102@@ -2520,11 +2975,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115103 * work. This now handles partial unmappings.
115104 * Jeremy Fitzhardinge <jeremy@goop.org>
115105 */
115106+#ifdef CONFIG_PAX_SEGMEXEC
115107 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
115108 {
115109+ int ret = __do_munmap(mm, start, len);
115110+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
115111+ return ret;
115112+
115113+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
115114+}
115115+
115116+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
115117+#else
115118+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
115119+#endif
115120+{
115121 unsigned long end;
115122 struct vm_area_struct *vma, *prev, *last;
115123
115124+ /*
115125+ * mm->mmap_sem is required to protect against another thread
115126+ * changing the mappings in case we sleep.
115127+ */
115128+ verify_mm_writelocked(mm);
115129+
115130 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
115131 return -EINVAL;
115132
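Review bot: When the second `__do_munmap()` call (for `start + SEGMEXEC_TASK_SIZE`) fails, do_munmap returns the error although the first call has already removed the primary range, and no comment says what state the mirror is left in. detach_vmas_to_be_unmapped(), earlier in this file, clears the mirror link and the mirror's VM_EXEC, which suggests a surviving mirror is meant to be harmless. State that above the wrapper, e.g. `/* the mirror was already unlinked and made non-executable when the primary range was detached */`. The `#ifdef` that swaps the function name in front of one shared body is also hard to follow; a comment on the `#else` branch naming which function owns the body would help. The body continues outside the hunk.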
115133@@ -2602,6 +3076,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
115134 /* Fix up all other VM information */
115135 remove_vma_list(mm, vma);
115136
115137+ track_exec_limit(mm, start, end, 0UL);
115138+
115139 return 0;
115140 }
115141
115142@@ -2610,6 +3086,13 @@ int vm_munmap(unsigned long start, size_t len)
115143 int ret;
115144 struct mm_struct *mm = current->mm;
115145
115146+
115147+#ifdef CONFIG_PAX_SEGMEXEC
115148+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
115149+ (len > SEGMEXEC_TASK_SIZE || start > SEGMEXEC_TASK_SIZE-len))
115150+ return -EINVAL;
115151+#endif
115152+
115153 down_write(&mm->mmap_sem);
115154 ret = do_munmap(mm, start, len);
115155 up_write(&mm->mmap_sem);
115156@@ -2656,6 +3139,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
115157 down_write(&mm->mmap_sem);
115158 vma = find_vma(mm, start);
115159
115160+#ifdef CONFIG_PAX_SEGMEXEC
115161+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
115162+ goto out;
115163+#endif
115164+
115165 if (!vma || !(vma->vm_flags & VM_SHARED))
115166 goto out;
115167
115168@@ -2692,16 +3180,6 @@ out:
115169 return ret;
115170 }
115171
115172-static inline void verify_mm_writelocked(struct mm_struct *mm)
115173-{
115174-#ifdef CONFIG_DEBUG_VM
115175- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
115176- WARN_ON(1);
115177- up_read(&mm->mmap_sem);
115178- }
115179-#endif
115180-}
115181-
115182 /*
115183 * this is really a simplified "do_mmap". it only handles
115184 * anonymous maps. eventually we may be able to do some
115185@@ -2715,6 +3193,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
115186 struct rb_node **rb_link, *rb_parent;
115187 pgoff_t pgoff = addr >> PAGE_SHIFT;
115188 int error;
115189+ unsigned long charged;
115190
115191 len = PAGE_ALIGN(len);
115192 if (!len)
115193@@ -2722,10 +3201,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
115194
115195 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
115196
115197+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
115198+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
115199+ flags &= ~VM_EXEC;
115200+
115201+#ifdef CONFIG_PAX_MPROTECT
115202+ if (mm->pax_flags & MF_PAX_MPROTECT)
115203+ flags &= ~VM_MAYEXEC;
115204+#endif
115205+
115206+ }
115207+#endif
115208+
115209 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
115210 if (error & ~PAGE_MASK)
115211 return error;
115212
115213+ charged = len >> PAGE_SHIFT;
115214+
115215 error = mlock_future_check(mm, mm->def_flags, len);
115216 if (error)
115217 return error;
115218@@ -2743,16 +3236,17 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
115219 &rb_parent)) {
115220 if (do_munmap(mm, addr, len))
115221 return -ENOMEM;
115222+ BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));
115223 }
115224
115225 /* Check against address space limits *after* clearing old maps... */
115226- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
115227+ if (!may_expand_vm(mm, charged))
115228 return -ENOMEM;
115229
115230 if (mm->map_count > sysctl_max_map_count)
115231 return -ENOMEM;
115232
115233- if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
115234+ if (security_vm_enough_memory_mm(mm, charged))
115235 return -ENOMEM;
115236
115237 /* Can we just expand an old private anonymous mapping? */
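Review bot: `BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));` places a call with side effects inside an assertion: the call also rewrites `prev`, `rb_link` and `rb_parent` after do_munmap() has changed the tree. Hoisting it keeps the assertion free of side effects: `error = find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent);` followed by `BUG_ON(error);`. pax_mirror_vma(), later in this file, uses the same pattern. The enclosing statement starts outside the hunk.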
115238@@ -2766,7 +3260,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
115239 */
115240 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
115241 if (!vma) {
115242- vm_unacct_memory(len >> PAGE_SHIFT);
115243+ vm_unacct_memory(charged);
115244 return -ENOMEM;
115245 }
115246
115247@@ -2780,10 +3274,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
115248 vma_link(mm, vma, prev, rb_link, rb_parent);
115249 out:
115250 perf_event_mmap(vma);
115251- mm->total_vm += len >> PAGE_SHIFT;
115252+ mm->total_vm += charged;
115253 if (flags & VM_LOCKED)
115254- mm->locked_vm += (len >> PAGE_SHIFT);
115255+ mm->locked_vm += charged;
115256 vma->vm_flags |= VM_SOFTDIRTY;
115257+ track_exec_limit(mm, addr, addr + len, flags);
115258 return addr;
115259 }
115260
115261@@ -2845,6 +3340,7 @@ void exit_mmap(struct mm_struct *mm)
115262 while (vma) {
115263 if (vma->vm_flags & VM_ACCOUNT)
115264 nr_accounted += vma_pages(vma);
115265+ vma->vm_mirror = NULL;
115266 vma = remove_vma(vma);
115267 }
115268 vm_unacct_memory(nr_accounted);
115269@@ -2859,6 +3355,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
115270 struct vm_area_struct *prev;
115271 struct rb_node **rb_link, *rb_parent;
115272
115273+#ifdef CONFIG_PAX_SEGMEXEC
115274+ struct vm_area_struct *vma_m = NULL;
115275+#endif
115276+
115277+ if (security_mmap_addr(vma->vm_start))
115278+ return -EPERM;
115279+
115280 /*
115281 * The vm_pgoff of a purely anonymous vma should be irrelevant
115282 * until its first write fault, when page's anon_vma and index
115283@@ -2882,7 +3385,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
115284 security_vm_enough_memory_mm(mm, vma_pages(vma)))
115285 return -ENOMEM;
115286
115287+#ifdef CONFIG_PAX_SEGMEXEC
115288+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
115289+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
115290+ if (!vma_m)
115291+ return -ENOMEM;
115292+ }
115293+#endif
115294+
115295 vma_link(mm, vma, prev, rb_link, rb_parent);
115296+
115297+#ifdef CONFIG_PAX_SEGMEXEC
115298+ if (vma_m)
115299+ BUG_ON(pax_mirror_vma(vma_m, vma));
115300+#endif
115301+
115302 return 0;
115303 }
115304
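Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma));` converts an allocation failure into a kernel BUG, because pax_mirror_vma() (added later in this file) returns -ENOMEM when `anon_vma_clone()` fails. insert_vm_struct already returns -ENOMEM for the `kmem_cache_zalloc()` failure a few lines up, so memory pressure at this second step should fail the same way rather than crash. Since `vma` has been linked by then, one option is to run the fallible part of the mirroring before `vma_link()` and free `vma_m` on error. As written, the call also sits inside an assertion macro, which hides that it does real work.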
115305@@ -2901,6 +3418,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
115306 struct rb_node **rb_link, *rb_parent;
115307 bool faulted_in_anon_vma = true;
115308
115309+ BUG_ON(vma->vm_mirror);
115310+
115311 /*
115312 * If anonymous vma has not yet been faulted, update new pgoff
115313 * to match new location, to increase its chance of merging.
115314@@ -2965,6 +3484,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
115315 return NULL;
115316 }
115317
115318+#ifdef CONFIG_PAX_SEGMEXEC
115319+long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
115320+{
115321+ struct vm_area_struct *prev_m;
115322+ struct rb_node **rb_link_m, *rb_parent_m;
115323+ struct mempolicy *pol_m;
115324+
115325+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
115326+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
115327+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
115328+ *vma_m = *vma;
115329+ INIT_LIST_HEAD(&vma_m->anon_vma_chain);
115330+ if (anon_vma_clone(vma_m, vma))
115331+ return -ENOMEM;
115332+ pol_m = vma_policy(vma_m);
115333+ mpol_get(pol_m);
115334+ set_vma_policy(vma_m, pol_m);
115335+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
115336+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
115337+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
115338+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
115339+ if (vma_m->vm_file)
115340+ get_file(vma_m->vm_file);
115341+ if (vma_m->vm_ops && vma_m->vm_ops->open)
115342+ vma_m->vm_ops->open(vma_m);
115343+ BUG_ON(find_vma_links(vma->vm_mm, vma_m->vm_start, vma_m->vm_end, &prev_m, &rb_link_m, &rb_parent_m));
115344+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
115345+ vma_m->vm_mirror = vma;
115346+ vma->vm_mirror = vma_m;
115347+ return 0;
115348+}
115349+#endif
115350+
115351 /*
115352 * Return true if the calling process may expand its vm space by the passed
115353 * number of pages
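Review bot: pax_mirror_vma() has no header comment, and its contract is not obvious from the call sites. On the `anon_vma_clone()` failure it returns -ENOMEM after `*vma_m = *vma` has already overwritten the caller's allocation, and it does not free `vma_m`. A comment should state that the caller still owns `vma_m` on failure, which lock the caller must hold, and that the mirror is placed at `vm_start + SEGMEXEC_TASK_SIZE` with `VM_WRITE`, `VM_MAYWRITE`, `VM_ACCOUNT` and `VM_LOCKED` stripped. The return type is `long`, while mprotect_fixup stores the result in an `int`; `int` would match the callers.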
115354@@ -2976,6 +3528,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
115355
115356 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
115357
115358+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
115359 if (cur + npages > lim)
115360 return 0;
115361 return 1;
115362@@ -3058,6 +3611,22 @@ static struct vm_area_struct *__install_special_mapping(
115363 vma->vm_start = addr;
115364 vma->vm_end = addr + len;
115365
115366+#ifdef CONFIG_PAX_MPROTECT
115367+ if (mm->pax_flags & MF_PAX_MPROTECT) {
115368+#ifndef CONFIG_PAX_MPROTECT_COMPAT
115369+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
115370+ return ERR_PTR(-EPERM);
115371+ if (!(vm_flags & VM_EXEC))
115372+ vm_flags &= ~VM_MAYEXEC;
115373+#else
115374+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
115375+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
115376+#endif
115377+ else
115378+ vm_flags &= ~VM_MAYWRITE;
115379+ }
115380+#endif
115381+
115382 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND | VM_SOFTDIRTY;
115383 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
115384
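Review bot: `return ERR_PTR(-EPERM);` leaves the function after `vma->vm_start` and `vma->vm_end` have been written, so the `vma` object, presumably allocated earlier in the function (outside this hunk), is not released on this path. If the function has a common error label that frees `vma`, route the rejection through it instead of returning directly. Doing the W|X test before the allocation would avoid the problem altogether, since it only reads `vm_flags` and `mm->pax_flags`. The trailing `else` after `#endif` also binds to a different `if` in each preprocessor branch, which deserves explicit braces or a comment.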
115385diff --git a/mm/mprotect.c b/mm/mprotect.c
115386index e7d6f11..6116007 100644
115387--- a/mm/mprotect.c
115388+++ b/mm/mprotect.c
115389@@ -24,10 +24,18 @@
115390 #include <linux/migrate.h>
115391 #include <linux/perf_event.h>
115392 #include <linux/ksm.h>
115393+#include <linux/sched/sysctl.h>
115394+
115395+#ifdef CONFIG_PAX_MPROTECT
115396+#include <linux/elf.h>
115397+#include <linux/binfmts.h>
115398+#endif
115399+
115400 #include <asm/uaccess.h>
115401 #include <asm/pgtable.h>
115402 #include <asm/cacheflush.h>
115403 #include <asm/tlbflush.h>
115404+#include <asm/mmu_context.h>
115405
115406 #include "internal.h"
115407
115408@@ -254,6 +262,48 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
115409 return pages;
115410 }
115411
115412+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
115413+/* called while holding the mmap semaphor for writing except stack expansion */
115414+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
115415+{
115416+ unsigned long oldlimit, newlimit = 0UL;
115417+
115418+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
115419+ return;
115420+
115421+ spin_lock(&mm->page_table_lock);
115422+ oldlimit = mm->context.user_cs_limit;
115423+ if ((prot & VM_EXEC) && oldlimit < end)
115424+ /* USER_CS limit moved up */
115425+ newlimit = end;
115426+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
115427+ /* USER_CS limit moved down */
115428+ newlimit = start;
115429+
115430+ if (newlimit) {
115431+ mm->context.user_cs_limit = newlimit;
115432+
115433+#ifdef CONFIG_SMP
115434+ wmb();
115435+ cpumask_clear(&mm->context.cpu_user_cs_mask);
115436+ cpumask_set_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask);
115437+#endif
115438+
115439+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
115440+ }
115441+ spin_unlock(&mm->page_table_lock);
115442+ if (newlimit == end) {
115443+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
115444+
115445+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
115446+ if (is_vm_hugetlb_page(vma))
115447+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
115448+ else
115449+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma), 0);
115450+ }
115451+}
115452+#endif
115453+
115454 int
115455 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
115456 unsigned long start, unsigned long end, unsigned long newflags)
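Review bot: `newlimit` uses 0 both for "no change" and as a possible result. When a non-executable range starting at address 0 covers the current limit, `newlimit = start` is 0 and the `if (newlimit)` update is skipped, leaving `user_cs_limit` at its old value. Whether `start` can be 0 here depends on the callers and on the minimum mappable address, neither visible in this hunk. Either document that it cannot, or track the change with a separate flag, e.g. `bool changed = false;` set in both branches and tested instead of `newlimit`. The comment above the function should also say what protects the VMA walk after `spin_unlock()` in the stack-expansion case, where mmap_sem is not held for writing; "semaphor" there is a typo for "semaphore".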
115457@@ -266,11 +316,29 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
115458 int error;
115459 int dirty_accountable = 0;
115460
115461+#ifdef CONFIG_PAX_SEGMEXEC
115462+ struct vm_area_struct *vma_m = NULL;
115463+ unsigned long start_m, end_m;
115464+
115465+ start_m = start + SEGMEXEC_TASK_SIZE;
115466+ end_m = end + SEGMEXEC_TASK_SIZE;
115467+#endif
115468+
115469 if (newflags == oldflags) {
115470 *pprev = vma;
115471 return 0;
115472 }
115473
115474+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
115475+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
115476+
115477+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
115478+ return -ENOMEM;
115479+
115480+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
115481+ return -ENOMEM;
115482+ }
115483+
115484 /*
115485 * If we make a private mapping writable we increase our commit;
115486 * but (without finer accounting) cannot reduce our commit if we
115487@@ -287,6 +355,42 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
115488 }
115489 }
115490
115491+#ifdef CONFIG_PAX_SEGMEXEC
115492+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
115493+ if (start != vma->vm_start) {
115494+ error = split_vma(mm, vma, start, 1);
115495+ if (error)
115496+ goto fail;
115497+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
115498+ *pprev = (*pprev)->vm_next;
115499+ }
115500+
115501+ if (end != vma->vm_end) {
115502+ error = split_vma(mm, vma, end, 0);
115503+ if (error)
115504+ goto fail;
115505+ }
115506+
115507+ if (pax_find_mirror_vma(vma)) {
115508+ error = __do_munmap(mm, start_m, end_m - start_m);
115509+ if (error)
115510+ goto fail;
115511+ } else {
115512+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
115513+ if (!vma_m) {
115514+ error = -ENOMEM;
115515+ goto fail;
115516+ }
115517+ vma->vm_flags = newflags;
115518+ error = pax_mirror_vma(vma_m, vma);
115519+ if (error) {
115520+ vma->vm_flags = oldflags;
115521+ goto fail;
115522+ }
115523+ }
115524+ }
115525+#endif
115526+
115527 /*
115528 * First try to merge with previous and/or next vma.
115529 */
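Review bot: `vma_m` from `kmem_cache_zalloc()` is not freed when `pax_mirror_vma()` fails: the error branch restores `vma->vm_flags` and jumps to `fail`, and pax_mirror_vma() itself does not release its first argument. Unless the `fail` label (outside this hunk) does it, add `kmem_cache_free(vm_area_cachep, vma_m);` before that `goto fail`. By this point `split_vma()` may also have split the VMA, and the error paths leave those splits in place; that is probably acceptable but worth a comment. The function starts and ends outside this hunk.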
115530@@ -317,7 +421,19 @@ success:
115531 * vm_flags and vm_page_prot are protected by the mmap_sem
115532 * held in write mode.
115533 */
115534+
115535+#ifdef CONFIG_PAX_SEGMEXEC
115536+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
115537+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
115538+#endif
115539+
115540 vma->vm_flags = newflags;
115541+
115542+#ifdef CONFIG_PAX_MPROTECT
115543+ if (mm->binfmt && mm->binfmt->handle_mprotect)
115544+ mm->binfmt->handle_mprotect(vma, newflags);
115545+#endif
115546+
115547 dirty_accountable = vma_wants_writenotify(vma);
115548 vma_set_page_prot(vma);
115549
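Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the lookup result without a check, while the previous hunk tests the same call for NULL (`if (pax_find_mirror_vma(vma))`). The condition only establishes that the new flags contain VM_EXEC under SEGMEXEC. That a mirror always exists at this point, including after the merge attempts between the two hunks, is an invariant the reader has to take on trust. Either state it in a comment or use the existing `vma_m` local and assert it: `vma_m = pax_find_mirror_vma(vma); BUG_ON(!vma_m); vma_m->vm_flags ^= VM_READ;`. The mirror's `vm_page_prot` is not recomputed here after the flag flip, which may also deserve a note.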
115550@@ -362,6 +478,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115551 end = start + len;
115552 if (end <= start)
115553 return -ENOMEM;
115554+
115555+#ifdef CONFIG_PAX_SEGMEXEC
115556+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
115557+ if (end > SEGMEXEC_TASK_SIZE)
115558+ return -EINVAL;
115559+ } else
115560+#endif
115561+
115562+ if (end > TASK_SIZE)
115563+ return -EINVAL;
115564+
115565 if (!arch_validate_prot(prot))
115566 return -EINVAL;
115567
115568@@ -369,7 +496,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115569 /*
115570 * Does the application expect PROT_READ to imply PROT_EXEC:
115571 */
115572- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
115573+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
115574 prot |= PROT_EXEC;
115575
115576 vm_flags = calc_vm_prot_bits(prot);
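Review bot: The comment above the test still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the condition now also fires for `PROT_WRITE` alone. For a READ_IMPLIES_EXEC personality this makes write-only requests executable as well, so the comment should say so and give the reason. If the intent is that writable mappings are readable in practice, something like `/* READ_IMPLIES_EXEC: treat PROT_WRITE like PROT_READ */` would do. Without it, the widened condition looks accidental to the next reader.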
115577@@ -401,6 +528,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115578 if (start > vma->vm_start)
115579 prev = vma;
115580
115581+#ifdef CONFIG_PAX_MPROTECT
115582+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
115583+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
115584+#endif
115585+
115586 for (nstart = start ; ; ) {
115587 unsigned long newflags;
115588
115589@@ -411,6 +543,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115590
115591 /* newflags >> 4 shift VM_MAY% in place of VM_% */
115592 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
115593+ if (prot & (PROT_WRITE | PROT_EXEC))
115594+ gr_log_rwxmprotect(vma);
115595+
115596+ error = -EACCES;
115597+ goto out;
115598+ }
115599+
115600+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
115601 error = -EACCES;
115602 goto out;
115603 }
115604@@ -425,6 +565,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115605 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
115606 if (error)
115607 goto out;
115608+
115609+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
115610+
115611 nstart = tmp;
115612
115613 if (nstart < prev->vm_end)
115614diff --git a/mm/mremap.c b/mm/mremap.c
115615index a7c93ec..69c2949 100644
115616--- a/mm/mremap.c
115617+++ b/mm/mremap.c
115618@@ -143,6 +143,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
115619 continue;
115620 pte = ptep_get_and_clear(mm, old_addr, old_pte);
115621 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
115622+
115623+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
115624+ if (!(__supported_pte_mask & _PAGE_NX) && pte_present(pte) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
115625+ pte = pte_exprotect(pte);
115626+#endif
115627+
115628 pte = move_soft_dirty_pte(pte);
115629 set_pte_at(mm, new_addr, new_pte, pte);
115630 }
115631@@ -355,6 +361,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
115632 if (is_vm_hugetlb_page(vma))
115633 return ERR_PTR(-EINVAL);
115634
115635+#ifdef CONFIG_PAX_SEGMEXEC
115636+ if (pax_find_mirror_vma(vma))
115637+ return ERR_PTR(-EINVAL);
115638+#endif
115639+
115640 /* We can't remap across vm area boundaries */
115641 if (old_len > vma->vm_end - addr)
115642 return ERR_PTR(-EFAULT);
115643@@ -401,20 +412,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
115644 unsigned long ret = -EINVAL;
115645 unsigned long charged = 0;
115646 unsigned long map_flags;
115647+ unsigned long pax_task_size = TASK_SIZE;
115648
115649 if (new_addr & ~PAGE_MASK)
115650 goto out;
115651
115652- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
115653+#ifdef CONFIG_PAX_SEGMEXEC
115654+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
115655+ pax_task_size = SEGMEXEC_TASK_SIZE;
115656+#endif
115657+
115658+ pax_task_size -= PAGE_SIZE;
115659+
115660+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
115661 goto out;
115662
115663 /* Check if the location we're moving into overlaps the
115664 * old location at all, and fail if it does.
115665 */
115666- if ((new_addr <= addr) && (new_addr+new_len) > addr)
115667- goto out;
115668-
115669- if ((addr <= new_addr) && (addr+old_len) > new_addr)
115670+ if (addr + old_len > new_addr && new_addr + new_len > addr)
115671 goto out;
115672
115673 ret = do_munmap(mm, new_addr, new_len);
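Review bot: The length test still compares against `TASK_SIZE` while the address test uses the smaller `pax_task_size`. For a `new_len` between the two, `pax_task_size - new_len` wraps around and `new_addr > pax_task_size - new_len` no longer rejects anything. The mremap syscall hunk below checks `new_len > pax_task_size` before mremap_to() appears to be reachable, so this looks covered today, but the guard should be self-contained: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. `pax_task_size -= PAGE_SIZE;` also needs a comment explaining why the last page is excluded; the same line appears in the syscall hunk.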
115674@@ -483,6 +499,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
115675 unsigned long ret = -EINVAL;
115676 unsigned long charged = 0;
115677 bool locked = false;
115678+ unsigned long pax_task_size = TASK_SIZE;
115679
115680 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
115681 return ret;
115682@@ -504,6 +521,17 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
115683 if (!new_len)
115684 return ret;
115685
115686+#ifdef CONFIG_PAX_SEGMEXEC
115687+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
115688+ pax_task_size = SEGMEXEC_TASK_SIZE;
115689+#endif
115690+
115691+ pax_task_size -= PAGE_SIZE;
115692+
115693+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
115694+ old_len > pax_task_size || addr > pax_task_size-old_len)
115695+ return ret;
115696+
115697 down_write(&current->mm->mmap_sem);
115698
115699 if (flags & MREMAP_FIXED) {
115700@@ -554,6 +582,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
115701 new_addr = addr;
115702 }
115703 ret = addr;
115704+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
115705 goto out;
115706 }
115707 }
115708@@ -577,7 +606,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
115709 goto out;
115710 }
115711
115712+ map_flags = vma->vm_flags;
115713 ret = move_vma(vma, addr, old_len, new_len, new_addr, &locked);
115714+ if (!(ret & ~PAGE_MASK)) {
115715+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
115716+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
115717+ }
115718 }
115719 out:
115720 if (ret & ~PAGE_MASK)
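Review bot: `map_flags = vma->vm_flags;` reuses a variable whose name suggests MAP_* flags (its declaration is outside this hunk) to carry VM_* flags across `move_vma()`. The copy itself looks deliberate, since `vma` presumably no longer describes the old range once move_vma() returns, but that reasoning is not written down. A dedicated local such as `unsigned long old_vm_flags = vma->vm_flags;` with the comment `/* vma may not be valid after move_vma() */` would make both points clear.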
115721diff --git a/mm/nommu.c b/mm/nommu.c
115722index 58ea364..7b01d28 100644
115723--- a/mm/nommu.c
115724+++ b/mm/nommu.c
115725@@ -56,7 +56,6 @@ int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
115726 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
115727 unsigned long sysctl_user_reserve_kbytes __read_mostly = 1UL << 17; /* 128MB */
115728 unsigned long sysctl_admin_reserve_kbytes __read_mostly = 1UL << 13; /* 8MB */
115729-int heap_stack_gap = 0;
115730
115731 atomic_long_t mmap_pages_allocated;
115732
115733@@ -863,15 +862,6 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
115734 EXPORT_SYMBOL(find_vma);
115735
115736 /*
115737- * find a VMA
115738- * - we don't extend stack VMAs under NOMMU conditions
115739- */
115740-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
115741-{
115742- return find_vma(mm, addr);
115743-}
115744-
115745-/*
115746 * expand a stack to a given address
115747 * - not supported under NOMMU conditions
115748 */
115749@@ -1535,6 +1525,7 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115750
115751 /* most fields are the same, copy all, and then fixup */
115752 *new = *vma;
115753+ INIT_LIST_HEAD(&new->anon_vma_chain);
115754 *region = *vma->vm_region;
115755 new->vm_region = region;
115756
115757@@ -1935,8 +1926,8 @@ void filemap_map_pages(struct vm_area_struct *vma, struct vm_fault *vmf)
115758 }
115759 EXPORT_SYMBOL(filemap_map_pages);
115760
115761-static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115762- unsigned long addr, void *buf, int len, int write)
115763+static ssize_t __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115764+ unsigned long addr, void *buf, size_t len, int write)
115765 {
115766 struct vm_area_struct *vma;
115767
115768@@ -1977,8 +1968,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115769 *
115770 * The caller must hold a reference on @mm.
115771 */
115772-int access_remote_vm(struct mm_struct *mm, unsigned long addr,
115773- void *buf, int len, int write)
115774+ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
115775+ void *buf, size_t len, int write)
115776 {
115777 return __access_remote_vm(NULL, mm, addr, buf, len, write);
115778 }
115779@@ -1987,7 +1978,7 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
115780 * Access another process' address space.
115781 * - source/target buffer must be kernel space
115782 */
115783-int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write)
115784+ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, size_t len, int write)
115785 {
115786 struct mm_struct *mm;
115787
115788diff --git a/mm/page-writeback.c b/mm/page-writeback.c
115789index 5cccc12..1872e56 100644
115790--- a/mm/page-writeback.c
115791+++ b/mm/page-writeback.c
115792@@ -852,7 +852,7 @@ static long long pos_ratio_polynom(unsigned long setpoint,
115793 * card's wb_dirty may rush to many times higher than wb_setpoint.
115794 * - the wb dirty thresh drops quickly due to change of JBOD workload
115795 */
115796-static void wb_position_ratio(struct dirty_throttle_control *dtc)
115797+static void __intentional_overflow(-1) wb_position_ratio(struct dirty_throttle_control *dtc)
115798 {
115799 struct bdi_writeback *wb = dtc->wb;
115800 unsigned long write_bw = wb->avg_write_bandwidth;
115801diff --git a/mm/page_alloc.c b/mm/page_alloc.c
115802index 5b5240b..2bc0996 100644
115803--- a/mm/page_alloc.c
115804+++ b/mm/page_alloc.c
115805@@ -62,6 +62,7 @@
115806 #include <linux/sched/rt.h>
115807 #include <linux/page_owner.h>
115808 #include <linux/kthread.h>
115809+#include <linux/random.h>
115810
115811 #include <asm/sections.h>
115812 #include <asm/tlbflush.h>
115813@@ -427,7 +428,7 @@ out:
115814 * This usage means that zero-order pages may not be compound.
115815 */
115816
115817-static void free_compound_page(struct page *page)
115818+void free_compound_page(struct page *page)
115819 {
115820 __free_pages_ok(page, compound_order(page));
115821 }
115822@@ -536,7 +537,7 @@ static inline void clear_page_guard(struct zone *zone, struct page *page,
115823 __mod_zone_freepage_state(zone, (1 << order), migratetype);
115824 }
115825 #else
115826-struct page_ext_operations debug_guardpage_ops = { NULL, };
115827+struct page_ext_operations debug_guardpage_ops = { .need = NULL, .init = NULL };
115828 static inline void set_page_guard(struct zone *zone, struct page *page,
115829 unsigned int order, int migratetype) {}
115830 static inline void clear_page_guard(struct zone *zone, struct page *page,
115831@@ -908,6 +909,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
115832 bool compound = PageCompound(page);
115833 int i, bad = 0;
115834
115835+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115836+ unsigned long index = 1UL << order;
115837+#endif
115838+
115839 VM_BUG_ON_PAGE(PageTail(page), page);
115840 VM_BUG_ON_PAGE(compound && compound_order(page) != order, page);
115841
115842@@ -934,6 +939,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
115843 debug_check_no_obj_freed(page_address(page),
115844 PAGE_SIZE << order);
115845 }
115846+
115847+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115848+ for (; index; --index)
115849+ sanitize_highpage(page + index - 1);
115850+#endif
115851+
115852 arch_free_page(page, order);
115853 kernel_map_pages(page, 1 << order, 0);
115854
115855@@ -957,6 +968,20 @@ static void __free_pages_ok(struct page *page, unsigned int order)
115856 local_irq_restore(flags);
115857 }
115858
115859+#ifdef CONFIG_PAX_LATENT_ENTROPY
115860+bool __meminitdata extra_latent_entropy;
115861+
115862+static int __init setup_pax_extra_latent_entropy(char *str)
115863+{
115864+ extra_latent_entropy = true;
115865+ return 0;
115866+}
115867+early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy);
115868+
115869+volatile u64 latent_entropy __latent_entropy;
115870+EXPORT_SYMBOL(latent_entropy);
115871+#endif
115872+
115873 static void __init __free_pages_boot_core(struct page *page,
115874 unsigned long pfn, unsigned int order)
115875 {
115876@@ -973,6 +998,19 @@ static void __init __free_pages_boot_core(struct page *page,
115877 __ClearPageReserved(p);
115878 set_page_count(p, 0);
115879
115880+#ifdef CONFIG_PAX_LATENT_ENTROPY
115881+ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
115882+ u64 hash = 0;
115883+ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
115884+ const u64 *data = lowmem_page_address(page);
115885+
115886+ for (index = 0; index < end; index++)
115887+ hash ^= hash + data[index];
115888+ latent_entropy ^= hash;
115889+ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
115890+ }
115891+#endif
115892+
115893 page_zone(page)->managed_pages += nr_pages;
115894 set_page_refcounted(page);
115895 __free_pages(page, order);
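Review bot: The added block calls `page_to_pfn(page)` even though `__free_pages_boot_core()` already receives the frame number as its `pfn` parameter, and the bound `0x100000` is an unexplained magic number. If `pfn` is the frame number of `page`, as the signature suggests, the condition can read `if (extra_latent_entropy && !PageHighMem(page) && pfn < 0x100000) {`. A one-line comment should say what the limit is meant to cover; with 4 KiB pages it would be the first 4 GiB, but the reason for choosing it is not visible here. The function starts before this hunk.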
115896@@ -1029,7 +1067,6 @@ static inline bool __meminit meminit_pfn_in_nid(unsigned long pfn, int node,
115897 }
115898 #endif
115899
115900-
115901 void __init __free_pages_bootmem(struct page *page, unsigned long pfn,
115902 unsigned int order)
115903 {
115904@@ -1333,9 +1370,11 @@ static int prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags,
115905 kernel_map_pages(page, 1 << order, 1);
115906 kasan_alloc_pages(page, order);
115907
115908+#ifndef CONFIG_PAX_MEMORY_SANITIZE
115909 if (gfp_flags & __GFP_ZERO)
115910 for (i = 0; i < (1 << order); i++)
115911 clear_highpage(page + i);
115912+#endif
115913
115914 if (order && (gfp_flags & __GFP_COMP))
115915 prep_compound_page(page, order);
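Review bot: With CONFIG_PAX_MEMORY_SANITIZE set, the `__GFP_ZERO` clearing loop is compiled out, so zeroed allocations depend entirely on every page having been sanitized before it reached the free lists (the `sanitize_highpage()` loop this patch adds to `free_pages_prepare()`). That invariant is not written down at this site. I would add `/* pages are sanitized in free_pages_prepare(), so __GFP_ZERO needs no second clear */`. It is also worth confirming that `sanitize_highpage()`, defined outside this page, leaves the page zero-filled and that no path frees pages without going through `free_pages_prepare()`. `prep_new_page()` starts and ends outside the hunk.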
115916@@ -2116,7 +2155,7 @@ struct page *buffered_rmqueue(struct zone *preferred_zone,
115917 }
115918
115919 __mod_zone_page_state(zone, NR_ALLOC_BATCH, -(1 << order));
115920- if (atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0 &&
115921+ if (atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0 &&
115922 !test_bit(ZONE_FAIR_DEPLETED, &zone->flags))
115923 set_bit(ZONE_FAIR_DEPLETED, &zone->flags);
115924
115925@@ -2435,7 +2474,7 @@ static void reset_alloc_batches(struct zone *preferred_zone)
115926 do {
115927 mod_zone_page_state(zone, NR_ALLOC_BATCH,
115928 high_wmark_pages(zone) - low_wmark_pages(zone) -
115929- atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]));
115930+ atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]));
115931 clear_bit(ZONE_FAIR_DEPLETED, &zone->flags);
115932 } while (zone++ != preferred_zone);
115933 }
115934@@ -6184,7 +6223,7 @@ static void __setup_per_zone_wmarks(void)
115935
115936 __mod_zone_page_state(zone, NR_ALLOC_BATCH,
115937 high_wmark_pages(zone) - low_wmark_pages(zone) -
115938- atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]));
115939+ atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]));
115940
115941 setup_zone_migrate_reserve(zone);
115942 spin_unlock_irqrestore(&zone->lock, flags);
115943diff --git a/mm/percpu.c b/mm/percpu.c
115944index 2dd7448..9bb6305 100644
115945--- a/mm/percpu.c
115946+++ b/mm/percpu.c
115947@@ -131,7 +131,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly;
115948 static unsigned int pcpu_high_unit_cpu __read_mostly;
115949
115950 /* the address of the first chunk which starts with the kernel static area */
115951-void *pcpu_base_addr __read_mostly;
115952+void *pcpu_base_addr __read_only;
115953 EXPORT_SYMBOL_GPL(pcpu_base_addr);
115954
115955 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
115956diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
115957index e88d071..d80e01a 100644
115958--- a/mm/process_vm_access.c
115959+++ b/mm/process_vm_access.c
115960@@ -13,6 +13,7 @@
115961 #include <linux/uio.h>
115962 #include <linux/sched.h>
115963 #include <linux/highmem.h>
115964+#include <linux/security.h>
115965 #include <linux/ptrace.h>
115966 #include <linux/slab.h>
115967 #include <linux/syscalls.h>
115968@@ -154,19 +155,19 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
115969 ssize_t iov_len;
115970 size_t total_len = iov_iter_count(iter);
115971
115972+ return -ENOSYS; // PaX: until properly audited
115973+
115974 /*
115975 * Work out how many pages of struct pages we're going to need
115976 * when eventually calling get_user_pages
115977 */
115978 for (i = 0; i < riovcnt; i++) {
115979 iov_len = rvec[i].iov_len;
115980- if (iov_len > 0) {
115981- nr_pages_iov = ((unsigned long)rvec[i].iov_base
115982- + iov_len)
115983- / PAGE_SIZE - (unsigned long)rvec[i].iov_base
115984- / PAGE_SIZE + 1;
115985- nr_pages = max(nr_pages, nr_pages_iov);
115986- }
115987+ if (iov_len <= 0)
115988+ continue;
115989+ nr_pages_iov = ((unsigned long)rvec[i].iov_base + iov_len) / PAGE_SIZE -
115990+ (unsigned long)rvec[i].iov_base / PAGE_SIZE + 1;
115991+ nr_pages = max(nr_pages, nr_pages_iov);
115992 }
115993
115994 if (nr_pages == 0)
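Review bot: The `return -ENOSYS;` placed right after the declarations makes the rest of `process_vm_rw_core()` unreachable, including the rewritten page-count loop in this hunk and the `gr_handle_ptrace()` check added in the next hunk of this file. A reader who sees that check may assume it is an active policy gate when it never runs. If disabling the call until audit is the intent, the comment should say so, e.g. `/* PaX: disabled until audited; everything below is intentionally dead code */`. The function starts and ends outside the hunk.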
115995@@ -194,6 +195,11 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
115996 goto free_proc_pages;
115997 }
115998
115999+ if (gr_handle_ptrace(task, vm_write ? PTRACE_POKETEXT : PTRACE_ATTACH)) {
116000+ rc = -EPERM;
116001+ goto put_task_struct;
116002+ }
116003+
116004 mm = mm_access(task, PTRACE_MODE_ATTACH);
116005 if (!mm || IS_ERR(mm)) {
116006 rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
116007diff --git a/mm/rmap.c b/mm/rmap.c
116008index 171b687..1a4b7e8 100644
116009--- a/mm/rmap.c
116010+++ b/mm/rmap.c
116011@@ -168,6 +168,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
116012 struct anon_vma *anon_vma = vma->anon_vma;
116013 struct anon_vma_chain *avc;
116014
116015+#ifdef CONFIG_PAX_SEGMEXEC
116016+ struct anon_vma_chain *avc_m = NULL;
116017+#endif
116018+
116019 might_sleep();
116020 if (unlikely(!anon_vma)) {
116021 struct mm_struct *mm = vma->vm_mm;
116022@@ -177,6 +181,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
116023 if (!avc)
116024 goto out_enomem;
116025
116026+#ifdef CONFIG_PAX_SEGMEXEC
116027+ avc_m = anon_vma_chain_alloc(GFP_KERNEL);
116028+ if (!avc_m)
116029+ goto out_enomem_free_avc;
116030+#endif
116031+
116032 anon_vma = find_mergeable_anon_vma(vma);
116033 allocated = NULL;
116034 if (!anon_vma) {
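Review bot: Under CONFIG_PAX_SEGMEXEC `avc_m` is allocated with `GFP_KERNEL` on every pass through this path, before it is known whether the VMA has a mirror. It is only consumed in the following hunk when `pax_find_mirror_vma()` returns non-NULL, and is freed otherwise. Presumably this is because nothing may be allocated once `mm->page_table_lock` is taken, but the code does not say so. I would add `/* preallocate for a possible mirror vma: no sleeping allocation under page_table_lock */` above the allocation. `anon_vma_prepare()` starts and ends outside the hunk.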
116035@@ -190,6 +200,19 @@ int anon_vma_prepare(struct vm_area_struct *vma)
116036 /* page_table_lock to protect against threads */
116037 spin_lock(&mm->page_table_lock);
116038 if (likely(!vma->anon_vma)) {
116039+
116040+#ifdef CONFIG_PAX_SEGMEXEC
116041+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
116042+
116043+ if (vma_m) {
116044+ BUG_ON(vma_m->anon_vma);
116045+ vma_m->anon_vma = anon_vma;
116046+ anon_vma_chain_link(vma_m, avc_m, anon_vma);
116047+ anon_vma->degree++;
116048+ avc_m = NULL;
116049+ }
116050+#endif
116051+
116052 vma->anon_vma = anon_vma;
116053 anon_vma_chain_link(vma, avc, anon_vma);
116054 /* vma reference or self-parent link for new root */
116055@@ -202,12 +225,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
116056
116057 if (unlikely(allocated))
116058 put_anon_vma(allocated);
116059+
116060+#ifdef CONFIG_PAX_SEGMEXEC
116061+ if (unlikely(avc_m))
116062+ anon_vma_chain_free(avc_m);
116063+#endif
116064+
116065 if (unlikely(avc))
116066 anon_vma_chain_free(avc);
116067 }
116068 return 0;
116069
116070 out_enomem_free_avc:
116071+
116072+#ifdef CONFIG_PAX_SEGMEXEC
116073+ if (avc_m)
116074+ anon_vma_chain_free(avc_m);
116075+#endif
116076+
116077 anon_vma_chain_free(avc);
116078 out_enomem:
116079 return -ENOMEM;
116080@@ -251,7 +286,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
116081 * good chance of avoiding scanning the whole hierarchy when it searches where
116082 * page is mapped.
116083 */
116084-int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
116085+int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
116086 {
116087 struct anon_vma_chain *avc, *pavc;
116088 struct anon_vma *root = NULL;
116089@@ -305,7 +340,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
116090 * the corresponding VMA in the parent process is attached to.
116091 * Returns 0 on success, non-zero on failure.
116092 */
116093-int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
116094+int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
116095 {
116096 struct anon_vma_chain *avc;
116097 struct anon_vma *anon_vma;
116098@@ -425,8 +460,10 @@ static void anon_vma_ctor(void *data)
116099 void __init anon_vma_init(void)
116100 {
116101 anon_vma_cachep = kmem_cache_create("anon_vma", sizeof(struct anon_vma),
116102- 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC, anon_vma_ctor);
116103- anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain, SLAB_PANIC);
116104+ 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC|SLAB_NO_SANITIZE,
116105+ anon_vma_ctor);
116106+ anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain,
116107+ SLAB_PANIC|SLAB_NO_SANITIZE);
116108 }
116109
116110 /*
116111diff --git a/mm/shmem.c b/mm/shmem.c
116112index dbe0c1e..22c16c7 100644
116113--- a/mm/shmem.c
116114+++ b/mm/shmem.c
116115@@ -33,7 +33,7 @@
116116 #include <linux/swap.h>
116117 #include <linux/uio.h>
116118
116119-static struct vfsmount *shm_mnt;
116120+struct vfsmount *shm_mnt;
116121
116122 #ifdef CONFIG_SHMEM
116123 /*
116124@@ -80,7 +80,7 @@ static struct vfsmount *shm_mnt;
116125 #define BOGO_DIRENT_SIZE 20
116126
116127 /* Symlink up to this size is kmalloc'ed instead of using a swappable page */
116128-#define SHORT_SYMLINK_LEN 128
116129+#define SHORT_SYMLINK_LEN 64
116130
116131 /*
116132 * shmem_fallocate communicates with shmem_fault or shmem_writepage via
116133@@ -2549,6 +2549,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
116134 static int shmem_xattr_validate(const char *name)
116135 {
116136 struct { const char *prefix; size_t len; } arr[] = {
116137+
116138+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
116139+ { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN},
116140+#endif
116141+
116142 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
116143 { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
116144 };
116145@@ -2604,6 +2609,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
116146 if (err)
116147 return err;
116148
116149+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
116150+ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
116151+ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
116152+ return -EOPNOTSUPP;
116153+ if (size > 8)
116154+ return -EINVAL;
116155+ }
116156+#endif
116157+
116158 return simple_xattr_set(&info->xattrs, name, value, size, flags);
116159 }
116160
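Review bot: The limit in `if (size > 8)` is a bare number whose source is not visible in this hunk. The block also makes tmpfs refuse every `user.*` attribute except `XATTR_NAME_PAX_FLAGS`, which a reader has to work out from the two string comparisons. A short comment above the block would cover both, e.g. `/* only the PaX flags attribute is accepted in the user namespace, with a value of at most 8 bytes */`. Giving the 8 a named constant next to `XATTR_NAME_PAX_FLAGS` would let other filesystems share it. `shmem_setxattr()` starts outside the hunk.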
116161@@ -2987,8 +3001,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
116162 int err = -ENOMEM;
116163
116164 /* Round up to L1_CACHE_BYTES to resist false sharing */
116165- sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
116166- L1_CACHE_BYTES), GFP_KERNEL);
116167+ sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
116168 if (!sbinfo)
116169 return -ENOMEM;
116170
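Review bot: Dropping the `(int)` cast leaves `max()` comparing a `size_t` with `L1_CACHE_BYTES`, and the kernel's `max()` warns when its two arguments differ in type. The new line therefore builds cleanly only if `L1_CACHE_BYTES` has an unsigned long type in this tree, which cannot be seen from here. `sbinfo = kzalloc(max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);` states the intended type at the call site and does not depend on that.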
116171diff --git a/mm/slab.c b/mm/slab.c
116172index bbd0b47..eb6af9e 100644
116173--- a/mm/slab.c
116174+++ b/mm/slab.c
116175@@ -116,6 +116,7 @@
116176 #include <linux/kmemcheck.h>
116177 #include <linux/memory.h>
116178 #include <linux/prefetch.h>
116179+#include <linux/vmalloc.h>
116180
116181 #include <net/sock.h>
116182
116183@@ -314,10 +315,12 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent)
116184 if ((x)->max_freeable < i) \
116185 (x)->max_freeable = i; \
116186 } while (0)
116187-#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
116188-#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
116189-#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
116190-#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
116191+#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
116192+#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
116193+#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
116194+#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
116195+#define STATS_INC_SANITIZED(x) atomic_inc_unchecked(&(x)->sanitized)
116196+#define STATS_INC_NOT_SANITIZED(x) atomic_inc_unchecked(&(x)->not_sanitized)
116197 #else
116198 #define STATS_INC_ACTIVE(x) do { } while (0)
116199 #define STATS_DEC_ACTIVE(x) do { } while (0)
116200@@ -334,6 +337,8 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent)
116201 #define STATS_INC_ALLOCMISS(x) do { } while (0)
116202 #define STATS_INC_FREEHIT(x) do { } while (0)
116203 #define STATS_INC_FREEMISS(x) do { } while (0)
116204+#define STATS_INC_SANITIZED(x) do { } while (0)
116205+#define STATS_INC_NOT_SANITIZED(x) do { } while (0)
116206 #endif
116207
116208 #if DEBUG
116209@@ -450,7 +455,7 @@ static inline void *index_to_obj(struct kmem_cache *cache, struct page *page,
116210 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
116211 */
116212 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
116213- const struct page *page, void *obj)
116214+ const struct page *page, const void *obj)
116215 {
116216 u32 offset = (obj - page->s_mem);
116217 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
116218@@ -1452,7 +1457,7 @@ void __init kmem_cache_init(void)
116219 * structures first. Without this, further allocations will bug.
116220 */
116221 kmalloc_caches[INDEX_NODE] = create_kmalloc_cache("kmalloc-node",
116222- kmalloc_size(INDEX_NODE), ARCH_KMALLOC_FLAGS);
116223+ kmalloc_size(INDEX_NODE), SLAB_USERCOPY | ARCH_KMALLOC_FLAGS);
116224 slab_state = PARTIAL_NODE;
116225 setup_kmalloc_cache_index_table();
116226
116227@@ -2074,7 +2079,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
116228
116229 cachep = find_mergeable(size, align, flags, name, ctor);
116230 if (cachep) {
116231- cachep->refcount++;
116232+ atomic_inc(&cachep->refcount);
116233
116234 /*
116235 * Adjust the object sizes so that we clear
116236@@ -2190,9 +2195,16 @@ __kmem_cache_create (struct kmem_cache *cachep, unsigned long flags)
116237 size += BYTES_PER_WORD;
116238 }
116239 #if FORCED_DEBUG && defined(CONFIG_DEBUG_PAGEALLOC)
116240- if (size >= kmalloc_size(INDEX_NODE + 1)
116241- && cachep->object_size > cache_line_size()
116242- && ALIGN(size, cachep->align) < PAGE_SIZE) {
116243+ /*
116244+ * To activate debug pagealloc, off-slab management is necessary
116245+ * requirement. In early phase of initialization, small sized slab
116246+ * doesn't get initialized so it would not be possible. So, we need
116247+ * to check size >= 256. It guarantees that all necessary small
116248+ * sized slab is initialized in current slab initialization sequence.
116249+ */
116250+ if (!slab_early_init && size >= kmalloc_size(INDEX_NODE) &&
116251+ size >= 256 && cachep->object_size > cache_line_size() &&
116252+ ALIGN(size, cachep->align) < PAGE_SIZE) {
116253 cachep->obj_offset += PAGE_SIZE - ALIGN(size, cachep->align);
116254 size = PAGE_SIZE;
116255 }
116256@@ -3372,6 +3384,20 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp,
116257 struct array_cache *ac = cpu_cache_get(cachep);
116258
116259 check_irq_off();
116260+
116261+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116262+ if (cachep->flags & (SLAB_POISON | SLAB_NO_SANITIZE))
116263+ STATS_INC_NOT_SANITIZED(cachep);
116264+ else {
116265+ memset(objp, PAX_MEMORY_SANITIZE_VALUE, cachep->object_size);
116266+
116267+ if (cachep->ctor)
116268+ cachep->ctor(objp);
116269+
116270+ STATS_INC_SANITIZED(cachep);
116271+ }
116272+#endif
116273+
116274 kmemleak_free_recursive(objp, cachep->flags);
116275 objp = cache_free_debugcheck(cachep, objp, caller);
116276
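Review bot: The sanitize block writes `cachep->object_size` bytes through `objp` before `cache_free_debugcheck()` has examined the pointer. On a debug build a wrong or repeated free is therefore overwritten first and diagnosed second, and it is not clear from the hunk whether that order is intended. The call to `cachep->ctor(objp)` after the `memset()` also needs a reason stated, e.g. `/* ctor normally runs only at slot creation; re-run it so the freed slot is in constructed state again */`. `__cache_free()` starts and ends outside the hunk.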
116277@@ -3484,7 +3510,7 @@ __do_kmalloc_node(size_t size, gfp_t flags, int node, unsigned long caller)
116278 return kmem_cache_alloc_node_trace(cachep, flags, node, size);
116279 }
116280
116281-void *__kmalloc_node(size_t size, gfp_t flags, int node)
116282+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
116283 {
116284 return __do_kmalloc_node(size, flags, node, _RET_IP_);
116285 }
116286@@ -3504,7 +3530,7 @@ EXPORT_SYMBOL(__kmalloc_node_track_caller);
116287 * @flags: the type of memory to allocate (see kmalloc).
116288 * @caller: function caller for debug tracking of the caller
116289 */
116290-static __always_inline void *__do_kmalloc(size_t size, gfp_t flags,
116291+static __always_inline void * __size_overflow(1) __do_kmalloc(size_t size, gfp_t flags,
116292 unsigned long caller)
116293 {
116294 struct kmem_cache *cachep;
116295@@ -3577,6 +3603,7 @@ void kfree(const void *objp)
116296
116297 if (unlikely(ZERO_OR_NULL_PTR(objp)))
116298 return;
116299+ VM_BUG_ON(!virt_addr_valid(objp));
116300 local_irq_save(flags);
116301 kfree_debugcheck(objp);
116302 c = virt_to_cache(objp);
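Review bot: `VM_BUG_ON()` normally expands to nothing unless CONFIG_DEBUG_VM is enabled, so the new `virt_addr_valid(objp)` check would not run on a production kernel. The related check this patch adds to `cache_from_obj()` in mm/slab.h is an unconditional `BUG_ON(!PageSlab(page))`. If the check is meant as hardening of `kfree()` rather than as a debugging aid, `BUG_ON(!virt_addr_valid(objp));` would match that. If the cost on the free path is the reason for the weaker form, a short comment should say so. `kfree()` continues outside the hunk.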
116303@@ -3996,14 +4023,22 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep)
116304 }
116305 /* cpu stats */
116306 {
116307- unsigned long allochit = atomic_read(&cachep->allochit);
116308- unsigned long allocmiss = atomic_read(&cachep->allocmiss);
116309- unsigned long freehit = atomic_read(&cachep->freehit);
116310- unsigned long freemiss = atomic_read(&cachep->freemiss);
116311+ unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
116312+ unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
116313+ unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
116314+ unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
116315
116316 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
116317 allochit, allocmiss, freehit, freemiss);
116318 }
116319+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116320+ {
116321+ unsigned long sanitized = atomic_read_unchecked(&cachep->sanitized);
116322+ unsigned long not_sanitized = atomic_read_unchecked(&cachep->not_sanitized);
116323+
116324+ seq_printf(m, " : pax %6lu %6lu", sanitized, not_sanitized);
116325+ }
116326+#endif
116327 #endif
116328 }
116329
116330@@ -4211,13 +4246,80 @@ static const struct file_operations proc_slabstats_operations = {
116331 static int __init slab_proc_init(void)
116332 {
116333 #ifdef CONFIG_DEBUG_SLAB_LEAK
116334- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
116335+ proc_create("slab_allocators", S_IRUSR, NULL, &proc_slabstats_operations);
116336 #endif
116337 return 0;
116338 }
116339 module_init(slab_proc_init);
116340 #endif
116341
116342+bool is_usercopy_object(const void *ptr)
116343+{
116344+ struct page *page;
116345+ struct kmem_cache *cachep;
116346+
116347+ if (ZERO_OR_NULL_PTR(ptr))
116348+ return false;
116349+
116350+ if (!slab_is_available())
116351+ return false;
116352+
116353+ if (is_vmalloc_addr(ptr)
116354+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
116355+ && !object_starts_on_stack(ptr)
116356+#endif
116357+ ) {
116358+ struct vm_struct *vm = find_vm_area(ptr);
116359+ if (vm && (vm->flags & VM_USERCOPY))
116360+ return true;
116361+ return false;
116362+ }
116363+
116364+ if (!virt_addr_valid(ptr))
116365+ return false;
116366+
116367+ page = virt_to_head_page(ptr);
116368+
116369+ if (!PageSlab(page))
116370+ return false;
116371+
116372+ cachep = page->slab_cache;
116373+ return cachep->flags & SLAB_USERCOPY;
116374+}
116375+
116376+#ifdef CONFIG_PAX_USERCOPY
116377+const char *check_heap_object(const void *ptr, unsigned long n)
116378+{
116379+ struct page *page;
116380+ struct kmem_cache *cachep;
116381+ unsigned int objnr;
116382+ unsigned long offset;
116383+
116384+ if (ZERO_OR_NULL_PTR(ptr))
116385+ return "<null>";
116386+
116387+ if (!virt_addr_valid(ptr))
116388+ return NULL;
116389+
116390+ page = virt_to_head_page(ptr);
116391+
116392+ if (!PageSlab(page))
116393+ return NULL;
116394+
116395+ cachep = page->slab_cache;
116396+ if (!(cachep->flags & SLAB_USERCOPY))
116397+ return cachep->name;
116398+
116399+ objnr = obj_to_index(cachep, page, ptr);
116400+ BUG_ON(objnr >= cachep->num);
116401+ offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep);
116402+ if (offset <= cachep->object_size && n <= cachep->object_size - offset)
116403+ return NULL;
116404+
116405+ return cachep->name;
116406+}
116407+#endif
116408+
116409 /**
116410 * ksize - get the actual amount of memory allocated for a given object
116411 * @objp: Pointer to the object
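Review bot: `check_heap_object()` has no comment describing its return contract, which callers of a user-copy check need in order to use it safely. From the code, NULL is returned both when the range `[ptr, ptr + n)` fits inside an object of a `SLAB_USERCOPY` cache and when `ptr` is not a slab address at all. A non-NULL result is the cache name, or `"<null>"` for a zero or NULL pointer. A kernel-doc block above the function should state this and make explicit that NULL for a non-slab pointer means "not checked here", not "verified". It would also help to note why `is_usercopy_object()` is built unconditionally while `check_heap_object()` sits under CONFIG_PAX_USERCOPY.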
116412diff --git a/mm/slab.h b/mm/slab.h
116413index 8da63e4..50c423b 100644
116414--- a/mm/slab.h
116415+++ b/mm/slab.h
116416@@ -22,7 +22,7 @@ struct kmem_cache {
116417 unsigned int align; /* Alignment as calculated */
116418 unsigned long flags; /* Active flags on the slab */
116419 const char *name; /* Slab name for sysfs */
116420- int refcount; /* Use counter */
116421+ atomic_t refcount; /* Use counter */
116422 void (*ctor)(void *); /* Called on object slot creation */
116423 struct list_head list; /* List of all slab caches on the system */
116424 };
116425@@ -66,6 +66,20 @@ extern struct list_head slab_caches;
116426 /* The slab cache that manages slab cache information */
116427 extern struct kmem_cache *kmem_cache;
116428
116429+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116430+#ifdef CONFIG_X86_64
116431+#define PAX_MEMORY_SANITIZE_VALUE '\xfe'
116432+#else
116433+#define PAX_MEMORY_SANITIZE_VALUE '\xff'
116434+#endif
116435+enum pax_sanitize_mode {
116436+ PAX_SANITIZE_SLAB_OFF = 0,
116437+ PAX_SANITIZE_SLAB_FAST,
116438+ PAX_SANITIZE_SLAB_FULL,
116439+};
116440+extern enum pax_sanitize_mode pax_sanitize_slab;
116441+#endif
116442+
116443 unsigned long calculate_alignment(unsigned long flags,
116444 unsigned long align, unsigned long size);
116445
116446@@ -115,7 +129,8 @@ static inline unsigned long kmem_cache_flags(unsigned long object_size,
116447
116448 /* Legal flag mask for kmem_cache_create(), for various configurations */
116449 #define SLAB_CORE_FLAGS (SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA | SLAB_PANIC | \
116450- SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS )
116451+ SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS | \
116452+ SLAB_USERCOPY | SLAB_NO_SANITIZE)
116453
116454 #if defined(CONFIG_DEBUG_SLAB)
116455 #define SLAB_DEBUG_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER)
116456@@ -316,6 +331,9 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
116457 return s;
116458
116459 page = virt_to_head_page(x);
116460+
116461+ BUG_ON(!PageSlab(page));
116462+
116463 cachep = page->slab_cache;
116464 if (slab_equal_or_root(cachep, s))
116465 return cachep;
116466diff --git a/mm/slab_common.c b/mm/slab_common.c
116467index 8683110..916e2c5 100644
116468--- a/mm/slab_common.c
116469+++ b/mm/slab_common.c
116470@@ -25,11 +25,35 @@
116471
116472 #include "slab.h"
116473
116474-enum slab_state slab_state;
116475+enum slab_state slab_state __read_only;
116476 LIST_HEAD(slab_caches);
116477 DEFINE_MUTEX(slab_mutex);
116478 struct kmem_cache *kmem_cache;
116479
116480+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116481+enum pax_sanitize_mode pax_sanitize_slab __read_only = PAX_SANITIZE_SLAB_FAST;
116482+static int __init pax_sanitize_slab_setup(char *str)
116483+{
116484+ if (!str)
116485+ return 0;
116486+
116487+ if (!strcmp(str, "0") || !strcmp(str, "off")) {
116488+ pr_info("PaX slab sanitization: %s\n", "disabled");
116489+ pax_sanitize_slab = PAX_SANITIZE_SLAB_OFF;
116490+ } else if (!strcmp(str, "1") || !strcmp(str, "fast")) {
116491+ pr_info("PaX slab sanitization: %s\n", "fast");
116492+ pax_sanitize_slab = PAX_SANITIZE_SLAB_FAST;
116493+ } else if (!strcmp(str, "full")) {
116494+ pr_info("PaX slab sanitization: %s\n", "full");
116495+ pax_sanitize_slab = PAX_SANITIZE_SLAB_FULL;
116496+ } else
116497+ pr_err("PaX slab sanitization: unsupported option '%s'\n", str);
116498+
116499+ return 0;
116500+}
116501+early_param("pax_sanitize_slab", pax_sanitize_slab_setup);
116502+#endif
116503+
116504 /*
116505 * Set of flags that will prevent slab merging
116506 */
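Review bot: In `pax_sanitize_slab_setup()` an unrecognised value only logs `unsupported option`, without saying that the current mode (initially `PAX_SANITIZE_SLAB_FAST`) stays in effect. That is the fact an administrator reading the boot log needs. I would change the message to `pr_err("PaX slab sanitization: unsupported option '%s', mode unchanged\n", str);` and put braces on the final `else` so it matches the braced branches above it. The accepted spellings are also uneven: `"0"` and `"1"` are aliases for off and fast, but `"full"` has no numeric form, which a comment listing the values would make obvious.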
116507@@ -43,7 +67,7 @@ struct kmem_cache *kmem_cache;
116508 * Merge control. If this is set then no merging of slab caches will occur.
116509 * (Could be removed. This was introduced to pacify the merge skeptics.)
116510 */
116511-static int slab_nomerge;
116512+static int slab_nomerge = 1;
116513
116514 static int __init setup_slab_nomerge(char *str)
116515 {
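Review bot: With the initial value changed to `1`, the comment above the variable still reads as if merging were the default. `setup_slab_nomerge()`, whose body is outside the hunk, presumably can only set a value that is already set. The new default should carry its reason on the same line, e.g. `static int slab_nomerge = 1; /* merging disabled by default; unrelated object types stay in separate caches */`. If no boot option is left that turns merging back on, that should be stated in the comment as well.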
116516@@ -216,7 +240,7 @@ int slab_unmergeable(struct kmem_cache *s)
116517 /*
116518 * We may have set a slab to be unmergeable during bootstrap.
116519 */
116520- if (s->refcount < 0)
116521+ if (atomic_read(&s->refcount) < 0)
116522 return 1;
116523
116524 return 0;
116525@@ -320,7 +344,7 @@ do_kmem_cache_create(const char *name, size_t object_size, size_t size,
116526 if (err)
116527 goto out_free_cache;
116528
116529- s->refcount = 1;
116530+ atomic_set(&s->refcount, 1);
116531 list_add(&s->list, &slab_caches);
116532 out:
116533 if (err)
116534@@ -385,6 +409,13 @@ kmem_cache_create(const char *name, size_t size, size_t align,
116535 */
116536 flags &= CACHE_CREATE_MASK;
116537
116538+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116539+ if (pax_sanitize_slab == PAX_SANITIZE_SLAB_OFF || (flags & SLAB_DESTROY_BY_RCU))
116540+ flags |= SLAB_NO_SANITIZE;
116541+ else if (pax_sanitize_slab == PAX_SANITIZE_SLAB_FULL)
116542+ flags &= ~SLAB_NO_SANITIZE;
116543+#endif
116544+
116545 s = __kmem_cache_alias(name, size, align, flags, ctor);
116546 if (s)
116547 goto out_unlock;
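Review bot: The flag fix-up gives three different outcomes depending on `pax_sanitize_slab`, and none is explained. `SLAB_NO_SANITIZE` is forced on when sanitization is off or the cache is `SLAB_DESTROY_BY_RCU`, stripped in full mode, and left as the caller passed it in fast mode. The RCU exclusion in particular needs its reason recorded. Presumably objects of such caches can still be read by RCU readers after being freed, so overwriting them on free would break those readers: `/* RCU-freed objects may still be read after free; never sanitize them */`. A second line noting that only full mode overrides a caller's `SLAB_NO_SANITIZE` would complete the picture. `kmem_cache_create()` starts and ends outside the hunk.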
116548@@ -455,7 +486,7 @@ static void do_kmem_cache_release(struct list_head *release,
116549 rcu_barrier();
116550
116551 list_for_each_entry_safe(s, s2, release, list) {
116552-#ifdef SLAB_SUPPORTS_SYSFS
116553+#if defined(SLAB_SUPPORTS_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116554 sysfs_slab_remove(s);
116555 #else
116556 slab_kmem_cache_release(s);
116557@@ -624,8 +655,7 @@ void kmem_cache_destroy(struct kmem_cache *s)
116558
116559 mutex_lock(&slab_mutex);
116560
116561- s->refcount--;
116562- if (s->refcount)
116563+ if (!atomic_dec_and_test(&s->refcount))
116564 goto out_unlock;
116565
116566 for_each_memcg_cache_safe(c, c2, s) {
116567@@ -690,7 +720,7 @@ void __init create_boot_cache(struct kmem_cache *s, const char *name, size_t siz
116568 panic("Creation of kmalloc slab %s size=%zu failed. Reason %d\n",
116569 name, size, err);
116570
116571- s->refcount = -1; /* Exempt from merging for now */
116572+ atomic_set(&s->refcount, -1); /* Exempt from merging for now */
116573 }
116574
116575 struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
116576@@ -703,7 +733,7 @@ struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
116577
116578 create_boot_cache(s, name, size, flags);
116579 list_add(&s->list, &slab_caches);
116580- s->refcount = 1;
116581+ atomic_set(&s->refcount, 1);
116582 return s;
116583 }
116584
116585@@ -715,6 +745,11 @@ struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
116586 EXPORT_SYMBOL(kmalloc_dma_caches);
116587 #endif
116588
116589+#ifdef CONFIG_PAX_USERCOPY_SLABS
116590+struct kmem_cache *kmalloc_usercopy_caches[KMALLOC_SHIFT_HIGH + 1];
116591+EXPORT_SYMBOL(kmalloc_usercopy_caches);
116592+#endif
116593+
116594 /*
116595 * Conversion table for small slabs sizes / 8 to the index in the
116596 * kmalloc array. This is necessary for slabs < 192 since we have non power
116597@@ -779,6 +814,13 @@ struct kmem_cache *kmalloc_slab(size_t size, gfp_t flags)
116598 return kmalloc_dma_caches[index];
116599
116600 #endif
116601+
116602+#ifdef CONFIG_PAX_USERCOPY_SLABS
116603+ if (unlikely((flags & GFP_USERCOPY)))
116604+ return kmalloc_usercopy_caches[index];
116605+
116606+#endif
116607+
116608 return kmalloc_caches[index];
116609 }
116610
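Review bot: The `GFP_USERCOPY` test is placed after the branch that returns `kmalloc_dma_caches[index]`, so a request that satisfies both conditions is served from the DMA caches and never reaches `kmalloc_usercopy_caches`. The condition of that earlier branch, and whether the DMA caches are created with `SLAB_USERCOPY`, are outside this hunk. If they are not, such an allocation would later fail the `SLAB_USERCOPY` test in `check_heap_object()`. A comment stating the intended precedence would settle it, e.g. `/* DMA takes precedence; callers must not combine GFP_DMA with GFP_USERCOPY */`, adjusted to whatever the real rule is.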
116611@@ -871,7 +913,7 @@ void __init create_kmalloc_caches(unsigned long flags)
116612
116613 for (i = KMALLOC_SHIFT_LOW; i <= KMALLOC_SHIFT_HIGH; i++) {
116614 if (!kmalloc_caches[i])
116615- new_kmalloc_cache(i, flags);
116616+ new_kmalloc_cache(i, SLAB_USERCOPY | flags);
116617
116618 /*
116619 * Caches that are not of the two-to-the-power-of size.
116620@@ -879,9 +921,9 @@ void __init create_kmalloc_caches(unsigned long flags)
116621 * earlier power of two caches
116622 */
116623 if (KMALLOC_MIN_SIZE <= 32 && !kmalloc_caches[1] && i == 6)
116624- new_kmalloc_cache(1, flags);
116625+ new_kmalloc_cache(1, SLAB_USERCOPY | flags);
116626 if (KMALLOC_MIN_SIZE <= 64 && !kmalloc_caches[2] && i == 7)
116627- new_kmalloc_cache(2, flags);
116628+ new_kmalloc_cache(2, SLAB_USERCOPY | flags);
116629 }
116630
116631 /* Kmalloc array is now usable */
116632@@ -902,6 +944,23 @@ void __init create_kmalloc_caches(unsigned long flags)
116633 }
116634 }
116635 #endif
116636+
116637+#ifdef CONFIG_PAX_USERCOPY_SLABS
116638+ for (i = 0; i <= KMALLOC_SHIFT_HIGH; i++) {
116639+ struct kmem_cache *s = kmalloc_caches[i];
116640+
116641+ if (s) {
116642+ int size = kmalloc_size(i);
116643+ char *n = kasprintf(GFP_NOWAIT,
116644+ "usercopy-kmalloc-%d", size);
116645+
116646+ BUG_ON(!n);
116647+ kmalloc_usercopy_caches[i] = create_kmalloc_cache(n,
116648+ size, SLAB_USERCOPY | flags);
116649+ }
116650+ }
116651+#endif
116652+
116653 }
116654 #endif /* !CONFIG_SLOB */
116655
116656@@ -961,6 +1020,9 @@ static void print_slabinfo_header(struct seq_file *m)
116657 seq_puts(m, " : globalstat <listallocs> <maxobjs> <grown> <reaped> "
116658 "<error> <maxfreeable> <nodeallocs> <remotefrees> <alienoverflow>");
116659 seq_puts(m, " : cpustat <allochit> <allocmiss> <freehit> <freemiss>");
116660+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116661+ seq_puts(m, " : pax <sanitized> <not_sanitized>");
116662+#endif
116663 #endif
116664 seq_putc(m, '\n');
116665 }
116666@@ -1090,7 +1152,7 @@ static int __init slab_proc_init(void)
116667 module_init(slab_proc_init);
116668 #endif /* CONFIG_SLABINFO */
116669
116670-static __always_inline void *__do_krealloc(const void *p, size_t new_size,
116671+static __always_inline void * __size_overflow(2) __do_krealloc(const void *p, size_t new_size,
116672 gfp_t flags)
116673 {
116674 void *ret;
116675diff --git a/mm/slob.c b/mm/slob.c
116676index 4765f65..5dec45e 100644
116677--- a/mm/slob.c
116678+++ b/mm/slob.c
116679@@ -67,6 +67,7 @@
116680 #include <linux/rcupdate.h>
116681 #include <linux/list.h>
116682 #include <linux/kmemleak.h>
116683+#include <linux/vmalloc.h>
116684
116685 #include <trace/events/kmem.h>
116686
116687@@ -157,7 +158,7 @@ static void set_slob(slob_t *s, slobidx_t size, slob_t *next)
116688 /*
116689 * Return the size of a slob block.
116690 */
116691-static slobidx_t slob_units(slob_t *s)
116692+static slobidx_t slob_units(const slob_t *s)
116693 {
116694 if (s->units > 0)
116695 return s->units;
116696@@ -167,7 +168,7 @@ static slobidx_t slob_units(slob_t *s)
116697 /*
116698 * Return the next free slob block pointer after this one.
116699 */
116700-static slob_t *slob_next(slob_t *s)
116701+static slob_t *slob_next(const slob_t *s)
116702 {
116703 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
116704 slobidx_t next;
116705@@ -182,14 +183,14 @@ static slob_t *slob_next(slob_t *s)
116706 /*
116707 * Returns true if s is the last free block in its page.
116708 */
116709-static int slob_last(slob_t *s)
116710+static int slob_last(const slob_t *s)
116711 {
116712 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
116713 }
116714
116715-static void *slob_new_pages(gfp_t gfp, int order, int node)
116716+static struct page *slob_new_pages(gfp_t gfp, unsigned int order, int node)
116717 {
116718- void *page;
116719+ struct page *page;
116720
116721 #ifdef CONFIG_NUMA
116722 if (node != NUMA_NO_NODE)
116723@@ -201,14 +202,18 @@ static void *slob_new_pages(gfp_t gfp, int order, int node)
116724 if (!page)
116725 return NULL;
116726
116727- return page_address(page);
116728+ __SetPageSlab(page);
116729+ return page;
116730 }
116731
116732-static void slob_free_pages(void *b, int order)
116733+static void slob_free_pages(struct page *sp, int order)
116734 {
116735 if (current->reclaim_state)
116736 current->reclaim_state->reclaimed_slab += 1 << order;
116737- free_pages((unsigned long)b, order);
116738+ __ClearPageSlab(sp);
116739+ page_mapcount_reset(sp);
116740+ sp->private = 0;
116741+ __free_pages(sp, order);
116742 }
116743
116744 /*
116745@@ -313,15 +318,15 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
116746
116747 /* Not enough space: must allocate a new page */
116748 if (!b) {
116749- b = slob_new_pages(gfp & ~__GFP_ZERO, 0, node);
116750- if (!b)
116751+ sp = slob_new_pages(gfp & ~__GFP_ZERO, 0, node);
116752+ if (!sp)
116753 return NULL;
116754- sp = virt_to_page(b);
116755- __SetPageSlab(sp);
116756+ b = page_address(sp);
116757
116758 spin_lock_irqsave(&slob_lock, flags);
116759 sp->units = SLOB_UNITS(PAGE_SIZE);
116760 sp->freelist = b;
116761+ sp->private = 0;
116762 INIT_LIST_HEAD(&sp->lru);
116763 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
116764 set_slob_page_free(sp, slob_list);
116765@@ -337,7 +342,7 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
116766 /*
116767 * slob_free: entry point into the slob allocator.
116768 */
116769-static void slob_free(void *block, int size)
116770+static void slob_free(struct kmem_cache *c, void *block, int size)
116771 {
116772 struct page *sp;
116773 slob_t *prev, *next, *b = (slob_t *)block;
116774@@ -359,12 +364,15 @@ static void slob_free(void *block, int size)
116775 if (slob_page_free(sp))
116776 clear_slob_page_free(sp);
116777 spin_unlock_irqrestore(&slob_lock, flags);
116778- __ClearPageSlab(sp);
116779- page_mapcount_reset(sp);
116780- slob_free_pages(b, 0);
116781+ slob_free_pages(sp, 0);
116782 return;
116783 }
116784
116785+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116786+ if (pax_sanitize_slab && !(c && (c->flags & SLAB_NO_SANITIZE)))
116787+ memset(block, PAX_MEMORY_SANITIZE_VALUE, size);
116788+#endif
116789+
116790 if (!slob_page_free(sp)) {
116791 /* This slob page is about to become partially free. Easy! */
116792 sp->units = units;
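Review bot: The sanitizing `memset(block, PAX_MEMORY_SANITIZE_VALUE, size)` runs while `slob_lock` is still held. The early-return branch just above releases it with `spin_unlock_irqrestore()`, and the fall-through path has not done so yet. The fill touches only the block being freed, so it could be done before the lock is taken, which keeps the hold time of the global lock independent of the object size. The whole-page branch returns without sanitizing; if that case is covered when the page goes back to the page allocator, a comment such as `/* whole page: sanitized on page free */` would make it explicit. slob_free() begins and ends outside the hunk.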
116793@@ -424,11 +432,10 @@ out:
116794 */
116795
116796 static __always_inline void *
116797-__do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116798+__do_kmalloc_node_align(size_t size, gfp_t gfp, int node, unsigned long caller, int align)
116799 {
116800- unsigned int *m;
116801- int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116802- void *ret;
116803+ slob_t *m;
116804+ void *ret = NULL;
116805
116806 gfp &= gfp_allowed_mask;
116807
116808@@ -442,27 +449,45 @@ __do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116809
116810 if (!m)
116811 return NULL;
116812- *m = size;
116813+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
116814+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
116815+ m[0].units = size;
116816+ m[1].units = align;
116817 ret = (void *)m + align;
116818
116819 trace_kmalloc_node(caller, ret,
116820 size, size + align, gfp, node);
116821 } else {
116822 unsigned int order = get_order(size);
116823+ struct page *page;
116824
116825 if (likely(order))
116826 gfp |= __GFP_COMP;
116827- ret = slob_new_pages(gfp, order, node);
116828+ page = slob_new_pages(gfp, order, node);
116829+ if (page) {
116830+ ret = page_address(page);
116831+ page->private = size;
116832+ }
116833
116834 trace_kmalloc_node(caller, ret,
116835 size, PAGE_SIZE << order, gfp, node);
116836 }
116837
116838- kmemleak_alloc(ret, size, 1, gfp);
116839 return ret;
116840 }
116841
116842-void *__kmalloc(size_t size, gfp_t gfp)
116843+static __always_inline void *
116844+__do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116845+{
116846+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116847+ void *ret = __do_kmalloc_node_align(size, gfp, node, caller, align);
116848+
116849+ if (!ZERO_OR_NULL_PTR(ret))
116850+ kmemleak_alloc(ret, size, 1, gfp);
116851+ return ret;
116852+}
116853+
116854+void * __size_overflow(1) __kmalloc(size_t size, gfp_t gfp)
116855 {
116856 return __do_kmalloc_node(size, gfp, NUMA_NO_NODE, _RET_IP_);
116857 }
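Review bot: The new `__do_kmalloc_node()` wrapper computes the alignment with `max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN)`, while the line it replaces and both kfree() and ksize() in the next hunk use `max_t(size_t, ...)`. The type-checked `max()` can warn when the two macros expand to different types, and kfree() has to derive exactly the same offset to find the header. I would keep `int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);` here. The header written by `m[0].units = size; m[1].units = align;` also deserves a short comment, since check_heap_object() later reads both fields back to bound a user copy.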
116858@@ -491,34 +516,123 @@ void kfree(const void *block)
116859 return;
116860 kmemleak_free(block);
116861
116862+ VM_BUG_ON(!virt_addr_valid(block));
116863 sp = virt_to_page(block);
116864- if (PageSlab(sp)) {
116865+ VM_BUG_ON(!PageSlab(sp));
116866+ if (!sp->private) {
116867 int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116868- unsigned int *m = (unsigned int *)(block - align);
116869- slob_free(m, *m + align);
116870- } else
116871+ slob_t *m = (slob_t *)(block - align);
116872+ slob_free(NULL, m, m[0].units + align);
116873+ } else {
116874+ __ClearPageSlab(sp);
116875+ page_mapcount_reset(sp);
116876+ sp->private = 0;
116877 __free_pages(sp, compound_order(sp));
116878+ }
116879 }
116880 EXPORT_SYMBOL(kfree);
116881
116882+bool is_usercopy_object(const void *ptr)
116883+{
116884+ if (!slab_is_available())
116885+ return false;
116886+
116887+ if (is_vmalloc_addr(ptr)
116888+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
116889+ && !object_starts_on_stack(ptr)
116890+#endif
116891+ ) {
116892+ struct vm_struct *vm = find_vm_area(ptr);
116893+ if (vm && (vm->flags & VM_USERCOPY))
116894+ return true;
116895+ return false;
116896+ }
116897+
116898+ // PAX: TODO
116899+
116900+ return false;
116901+}
116902+
116903+#ifdef CONFIG_PAX_USERCOPY
116904+const char *check_heap_object(const void *ptr, unsigned long n)
116905+{
116906+ struct page *page;
116907+ const slob_t *free;
116908+ const void *base;
116909+ unsigned long flags;
116910+
116911+ if (ZERO_OR_NULL_PTR(ptr))
116912+ return "<null>";
116913+
116914+ if (!virt_addr_valid(ptr))
116915+ return NULL;
116916+
116917+ page = virt_to_head_page(ptr);
116918+ if (!PageSlab(page))
116919+ return NULL;
116920+
116921+ if (page->private) {
116922+ base = page;
116923+ if (base <= ptr && n <= page->private - (ptr - base))
116924+ return NULL;
116925+ return "<slob>";
116926+ }
116927+
116928+ /* some tricky double walking to find the chunk */
116929+ spin_lock_irqsave(&slob_lock, flags);
116930+ base = (void *)((unsigned long)ptr & PAGE_MASK);
116931+ free = page->freelist;
116932+
116933+ while (!slob_last(free) && (void *)free <= ptr) {
116934+ base = free + slob_units(free);
116935+ free = slob_next(free);
116936+ }
116937+
116938+ while (base < (void *)free) {
116939+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
116940+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
116941+ int offset;
116942+
116943+ if (ptr < base + align)
116944+ break;
116945+
116946+ offset = ptr - base - align;
116947+ if (offset >= m) {
116948+ base += size;
116949+ continue;
116950+ }
116951+
116952+ if (n > m - offset)
116953+ break;
116954+
116955+ spin_unlock_irqrestore(&slob_lock, flags);
116956+ return NULL;
116957+ }
116958+
116959+ spin_unlock_irqrestore(&slob_lock, flags);
116960+ return "<slob>";
116961+}
116962+#endif
116963+
116964 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
116965 size_t ksize(const void *block)
116966 {
116967 struct page *sp;
116968 int align;
116969- unsigned int *m;
116970+ slob_t *m;
116971
116972 BUG_ON(!block);
116973 if (unlikely(block == ZERO_SIZE_PTR))
116974 return 0;
116975
116976 sp = virt_to_page(block);
116977- if (unlikely(!PageSlab(sp)))
116978- return PAGE_SIZE << compound_order(sp);
116979+ VM_BUG_ON(!PageSlab(sp));
116980+ if (sp->private)
116981+ return sp->private;
116982
116983 align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116984- m = (unsigned int *)(block - align);
116985- return SLOB_UNITS(*m) * SLOB_UNIT;
116986+ m = (slob_t *)(block - align);
116987+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
116988 }
116989 EXPORT_SYMBOL(ksize);
116990
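Review bot: In the slob check_heap_object(), the large-allocation branch sets `base = page`, which is the `struct page` descriptor rather than the address of the memory it describes. The following `base <= ptr` and `ptr - base` arithmetic therefore measures the object pointer against an unrelated address. The subtraction `page->private - (ptr - base)` is unsigned and unguarded, so an offset larger than the recorded size wraps to a large value and any `n` passes. I would write `base = page_address(page);` and test `if (base <= ptr && ptr - base <= page->private && n <= page->private - (ptr - base))`. Separately, kfree() and ksize() in this hunk replace the old `PageSlab(sp)` branch with `VM_BUG_ON(!PageSlab(sp))`, which is compiled out without CONFIG_DEBUG_VM, so the `sp->private` test is then the only thing selecting the free path.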
116991@@ -534,23 +648,33 @@ int __kmem_cache_create(struct kmem_cache *c, unsigned long flags)
116992
116993 static void *slob_alloc_node(struct kmem_cache *c, gfp_t flags, int node)
116994 {
116995- void *b;
116996+ void *b = NULL;
116997
116998 flags &= gfp_allowed_mask;
116999
117000 lockdep_trace_alloc(flags);
117001
117002+#ifdef CONFIG_PAX_USERCOPY_SLABS
117003+ b = __do_kmalloc_node_align(c->size, flags, node, _RET_IP_, c->align);
117004+#else
117005 if (c->size < PAGE_SIZE) {
117006 b = slob_alloc(c->size, flags, c->align, node);
117007 trace_kmem_cache_alloc_node(_RET_IP_, b, c->object_size,
117008 SLOB_UNITS(c->size) * SLOB_UNIT,
117009 flags, node);
117010 } else {
117011- b = slob_new_pages(flags, get_order(c->size), node);
117012+ struct page *sp;
117013+
117014+ sp = slob_new_pages(flags, get_order(c->size), node);
117015+ if (sp) {
117016+ b = page_address(sp);
117017+ sp->private = c->size;
117018+ }
117019 trace_kmem_cache_alloc_node(_RET_IP_, b, c->object_size,
117020 PAGE_SIZE << get_order(c->size),
117021 flags, node);
117022 }
117023+#endif
117024
117025 if (b && c->ctor)
117026 c->ctor(b);
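Review bot: The CONFIG_PAX_USERCOPY_SLABS path in slob_alloc_node() passes `c->align` to `__do_kmalloc_node_align()` without checking that it is large enough for the header that helper writes. The helper stores two entries (`m[0].units`, `m[1].units`) in the `align` bytes in front of the object, and its BUILD_BUG_ON checks cover only the two architecture minimums. If a cache can exist with `c->align` below `2 * SLOB_UNIT` (where the alignment is computed is not visible here), the header would overlap the object. A `BUG_ON(c->align < 2 * SLOB_UNIT);` before the call, or a comment naming where the minimum is enforced, would close that. The function continues past the end of the hunk.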
117027@@ -566,7 +690,7 @@ void *kmem_cache_alloc(struct kmem_cache *cachep, gfp_t flags)
117028 EXPORT_SYMBOL(kmem_cache_alloc);
117029
117030 #ifdef CONFIG_NUMA
117031-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
117032+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t gfp, int node)
117033 {
117034 return __do_kmalloc_node(size, gfp, node, _RET_IP_);
117035 }
117036@@ -579,12 +703,16 @@ void *kmem_cache_alloc_node(struct kmem_cache *cachep, gfp_t gfp, int node)
117037 EXPORT_SYMBOL(kmem_cache_alloc_node);
117038 #endif
117039
117040-static void __kmem_cache_free(void *b, int size)
117041+static void __kmem_cache_free(struct kmem_cache *c, void *b, int size)
117042 {
117043- if (size < PAGE_SIZE)
117044- slob_free(b, size);
117045+ struct page *sp;
117046+
117047+ sp = virt_to_page(b);
117048+ BUG_ON(!PageSlab(sp));
117049+ if (!sp->private)
117050+ slob_free(c, b, size);
117051 else
117052- slob_free_pages(b, get_order(size));
117053+ slob_free_pages(sp, get_order(size));
117054 }
117055
117056 static void kmem_rcu_free(struct rcu_head *head)
117057@@ -592,22 +720,36 @@ static void kmem_rcu_free(struct rcu_head *head)
117058 struct slob_rcu *slob_rcu = (struct slob_rcu *)head;
117059 void *b = (void *)slob_rcu - (slob_rcu->size - sizeof(struct slob_rcu));
117060
117061- __kmem_cache_free(b, slob_rcu->size);
117062+ __kmem_cache_free(NULL, b, slob_rcu->size);
117063 }
117064
117065 void kmem_cache_free(struct kmem_cache *c, void *b)
117066 {
117067+ int size = c->size;
117068+
117069+#ifdef CONFIG_PAX_USERCOPY_SLABS
117070+ if (size + c->align < PAGE_SIZE) {
117071+ size += c->align;
117072+ b -= c->align;
117073+ }
117074+#endif
117075+
117076 kmemleak_free_recursive(b, c->flags);
117077 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
117078 struct slob_rcu *slob_rcu;
117079- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
117080- slob_rcu->size = c->size;
117081+ slob_rcu = b + (size - sizeof(struct slob_rcu));
117082+ slob_rcu->size = size;
117083 call_rcu(&slob_rcu->head, kmem_rcu_free);
117084 } else {
117085- __kmem_cache_free(b, c->size);
117086+ __kmem_cache_free(c, b, size);
117087 }
117088
117089+#ifdef CONFIG_PAX_USERCOPY_SLABS
117090+ trace_kfree(_RET_IP_, b);
117091+#else
117092 trace_kmem_cache_free(_RET_IP_, b);
117093+#endif
117094+
117095 }
117096 EXPORT_SYMBOL(kmem_cache_free);
117097
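Review bot: With CONFIG_PAX_USERCOPY_SLABS, `b` is moved back by `c->align` before `kmemleak_free_recursive(b, c->flags)` and `trace_kfree(_RET_IP_, b)` run, so both receive the header address rather than the pointer the caller was handed. If the allocation side registers the object pointer with kmemleak (that call is outside these hunks), the free will not match it. Keeping the caller's value in a local, `void *obj = b;`, and passing `obj` to `kmemleak_free_recursive()` and to the tracepoint would keep the two sides symmetric. The condition `size + c->align < PAGE_SIZE` must also stay in step with `size < PAGE_SIZE - align` on the allocation side; a comment linking the two would help.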
117098diff --git a/mm/slub.c b/mm/slub.c
117099index f68c0e5..eb77178 100644
117100--- a/mm/slub.c
117101+++ b/mm/slub.c
117102@@ -34,6 +34,7 @@
117103 #include <linux/stacktrace.h>
117104 #include <linux/prefetch.h>
117105 #include <linux/memcontrol.h>
117106+#include <linux/vmalloc.h>
117107
117108 #include <trace/events/kmem.h>
117109
117110@@ -198,7 +199,7 @@ struct track {
117111
117112 enum track_item { TRACK_ALLOC, TRACK_FREE };
117113
117114-#ifdef CONFIG_SYSFS
117115+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117116 static int sysfs_slab_add(struct kmem_cache *);
117117 static int sysfs_slab_alias(struct kmem_cache *, const char *);
117118 static void memcg_propagate_slab_attrs(struct kmem_cache *s);
117119@@ -556,7 +557,7 @@ static void print_track(const char *s, struct track *t)
117120 if (!t->addr)
117121 return;
117122
117123- pr_err("INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
117124+ pr_err("INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
117125 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
117126 #ifdef CONFIG_STACKTRACE
117127 {
117128@@ -2707,6 +2708,14 @@ static __always_inline void slab_free(struct kmem_cache *s,
117129
117130 slab_free_hook(s, x);
117131
117132+#ifdef CONFIG_PAX_MEMORY_SANITIZE
117133+ if (!(s->flags & SLAB_NO_SANITIZE)) {
117134+ memset(x, PAX_MEMORY_SANITIZE_VALUE, s->object_size);
117135+ if (s->ctor)
117136+ s->ctor(x);
117137+ }
117138+#endif
117139+
117140 redo:
117141 /*
117142 * Determine the currently cpus per cpu slab.
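Review bot: The sanitize block added to slab_free() has no comment recording the two things it depends on. It overwrites the object and then calls `s->ctor(x)` again, presumably because constructor caches expect objects to come back already constructed. It also relies on `SLAB_NO_SANITIZE` being set for any cache whose freed objects may still be read, such as `SLAB_DESTROY_BY_RCU` caches; that is decided outside this hunk. The slob counterpart additionally tests the runtime switch `pax_sanitize_slab`, while here only the cache flag is consulted. A comment such as `/* wipe on free, then re-run ctor; caches with readers after free must carry SLAB_NO_SANITIZE */` would record the contract. The function extends beyond the hunk.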
117143@@ -3048,6 +3057,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
117144 s->inuse = size;
117145
117146 if (((flags & (SLAB_DESTROY_BY_RCU | SLAB_POISON)) ||
117147+#ifdef CONFIG_PAX_MEMORY_SANITIZE
117148+ (!(flags & SLAB_NO_SANITIZE)) ||
117149+#endif
117150 s->ctor)) {
117151 /*
117152 * Relocate free pointer after the object if it is not
117153@@ -3302,7 +3314,7 @@ static int __init setup_slub_min_objects(char *str)
117154
117155 __setup("slub_min_objects=", setup_slub_min_objects);
117156
117157-void *__kmalloc(size_t size, gfp_t flags)
117158+void * __size_overflow(1) __kmalloc(size_t size, gfp_t flags)
117159 {
117160 struct kmem_cache *s;
117161 void *ret;
117162@@ -3340,7 +3352,7 @@ static void *kmalloc_large_node(size_t size, gfp_t flags, int node)
117163 return ptr;
117164 }
117165
117166-void *__kmalloc_node(size_t size, gfp_t flags, int node)
117167+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
117168 {
117169 struct kmem_cache *s;
117170 void *ret;
117171@@ -3388,6 +3400,70 @@ static size_t __ksize(const void *object)
117172 return slab_ksize(page->slab_cache);
117173 }
117174
117175+bool is_usercopy_object(const void *ptr)
117176+{
117177+ struct page *page;
117178+ struct kmem_cache *s;
117179+
117180+ if (ZERO_OR_NULL_PTR(ptr))
117181+ return false;
117182+
117183+ if (!slab_is_available())
117184+ return false;
117185+
117186+ if (is_vmalloc_addr(ptr)
117187+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117188+ && !object_starts_on_stack(ptr)
117189+#endif
117190+ ) {
117191+ struct vm_struct *vm = find_vm_area(ptr);
117192+ if (vm && (vm->flags & VM_USERCOPY))
117193+ return true;
117194+ return false;
117195+ }
117196+
117197+ if (!virt_addr_valid(ptr))
117198+ return false;
117199+
117200+ page = virt_to_head_page(ptr);
117201+
117202+ if (!PageSlab(page))
117203+ return false;
117204+
117205+ s = page->slab_cache;
117206+ return s->flags & SLAB_USERCOPY;
117207+}
117208+
117209+#ifdef CONFIG_PAX_USERCOPY
117210+const char *check_heap_object(const void *ptr, unsigned long n)
117211+{
117212+ struct page *page;
117213+ struct kmem_cache *s;
117214+ unsigned long offset;
117215+
117216+ if (ZERO_OR_NULL_PTR(ptr))
117217+ return "<null>";
117218+
117219+ if (!virt_addr_valid(ptr))
117220+ return NULL;
117221+
117222+ page = virt_to_head_page(ptr);
117223+
117224+ if (!PageSlab(page))
117225+ return NULL;
117226+
117227+ s = page->slab_cache;
117228+ if (!(s->flags & SLAB_USERCOPY))
117229+ return s->name;
117230+
117231+ offset = (ptr - page_address(page)) % s->size;
117232+ if (offset <= s->object_size && n <= s->object_size - offset)
117233+ return NULL;
117234+
117235+ return s->name;
117236+}
117237+#endif
117238+
117239 size_t ksize(const void *object)
117240 {
117241 size_t size = __ksize(object);
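Review bot: check_heap_object() returns NULL for "acceptable" and a name string for "reject", and that contract is not written down in the hunk; the slob version repeats the same convention. A header comment should state it. It should also say that the early `return NULL` cases (`!virt_addr_valid(ptr)`, `!PageSlab(page)`) mean "not a slab object, not checked here", so allocations backed directly by pages get no bounds check from this function. In is_usercopy_object() the `bool` result comes from `return s->flags & SLAB_USERCOPY;`; writing `return !!(s->flags & SLAB_USERCOPY);` matches usercopy_show() later in the file and does not depend on how `bool` is defined.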
117242@@ -3408,6 +3484,7 @@ void kfree(const void *x)
117243 if (unlikely(ZERO_OR_NULL_PTR(x)))
117244 return;
117245
117246+ VM_BUG_ON(!virt_addr_valid(x));
117247 page = virt_to_head_page(x);
117248 if (unlikely(!PageSlab(page))) {
117249 BUG_ON(!PageCompound(page));
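Review bot: `VM_BUG_ON(!virt_addr_valid(x))` is compiled out unless CONFIG_DEBUG_VM is set, so on most production configurations an invalid pointer still reaches `virt_to_head_page(x)`. If the check is meant as hardening rather than as a debugging aid, `BUG_ON(!virt_addr_valid(x));` is the form that stays in every build. kfree() starts and ends outside the hunk.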
117250@@ -3725,7 +3802,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
117251
117252 s = find_mergeable(size, align, flags, name, ctor);
117253 if (s) {
117254- s->refcount++;
117255+ atomic_inc(&s->refcount);
117256
117257 /*
117258 * Adjust the object sizes so that we clear
117259@@ -3741,7 +3818,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
117260 }
117261
117262 if (sysfs_slab_alias(s, name)) {
117263- s->refcount--;
117264+ atomic_dec(&s->refcount);
117265 s = NULL;
117266 }
117267 }
117268@@ -3858,7 +3935,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags,
117269 }
117270 #endif
117271
117272-#ifdef CONFIG_SYSFS
117273+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117274 static int count_inuse(struct page *page)
117275 {
117276 return page->inuse;
117277@@ -4139,7 +4216,11 @@ static int list_locations(struct kmem_cache *s, char *buf,
117278 len += sprintf(buf + len, "%7ld ", l->count);
117279
117280 if (l->addr)
117281+#ifdef CONFIG_GRKERNSEC_HIDESYM
117282+ len += sprintf(buf + len, "%pS", NULL);
117283+#else
117284 len += sprintf(buf + len, "%pS", (void *)l->addr);
117285+#endif
117286 else
117287 len += sprintf(buf + len, "<not-available>");
117288
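Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` pair is placed inside the body of an unbraced `if (l->addr) ... else`, so the code is only correct while exactly one statement survives preprocessing in each configuration. Bracing the branch, `if (l->addr) {` ... `} else`, removes that dependency. `sprintf(buf + len, "%pS", NULL)` also leaves the printed placeholder to the formatter's handling of a NULL pointer; if a fixed marker is wanted, printing a literal string states it directly. The same pattern appears in ctor_show() in a later hunk. list_locations() extends outside the hunk.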
117289@@ -4237,12 +4318,12 @@ static void __init resiliency_test(void)
117290 validate_slab_cache(kmalloc_caches[9]);
117291 }
117292 #else
117293-#ifdef CONFIG_SYSFS
117294+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117295 static void resiliency_test(void) {};
117296 #endif
117297 #endif
117298
117299-#ifdef CONFIG_SYSFS
117300+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117301 enum slab_stat_type {
117302 SL_ALL, /* All slabs */
117303 SL_PARTIAL, /* Only partially allocated slabs */
117304@@ -4479,13 +4560,17 @@ static ssize_t ctor_show(struct kmem_cache *s, char *buf)
117305 {
117306 if (!s->ctor)
117307 return 0;
117308+#ifdef CONFIG_GRKERNSEC_HIDESYM
117309+ return sprintf(buf, "%pS\n", NULL);
117310+#else
117311 return sprintf(buf, "%pS\n", s->ctor);
117312+#endif
117313 }
117314 SLAB_ATTR_RO(ctor);
117315
117316 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
117317 {
117318- return sprintf(buf, "%d\n", s->refcount < 0 ? 0 : s->refcount - 1);
117319+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) < 0 ? 0 : atomic_read(&s->refcount) - 1);
117320 }
117321 SLAB_ATTR_RO(aliases);
117322
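Review bot: aliases_show() now calls `atomic_read(&s->refcount)` twice in one expression, so the value tested against zero and the value printed can differ if the count changes in between. Reading it once avoids that and is shorter: `int ref = atomic_read(&s->refcount);` followed by `return sprintf(buf, "%d\n", ref < 0 ? 0 : ref - 1);`.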
117323@@ -4573,6 +4658,22 @@ static ssize_t cache_dma_show(struct kmem_cache *s, char *buf)
117324 SLAB_ATTR_RO(cache_dma);
117325 #endif
117326
117327+#ifdef CONFIG_PAX_USERCOPY_SLABS
117328+static ssize_t usercopy_show(struct kmem_cache *s, char *buf)
117329+{
117330+ return sprintf(buf, "%d\n", !!(s->flags & SLAB_USERCOPY));
117331+}
117332+SLAB_ATTR_RO(usercopy);
117333+#endif
117334+
117335+#ifdef CONFIG_PAX_MEMORY_SANITIZE
117336+static ssize_t sanitize_show(struct kmem_cache *s, char *buf)
117337+{
117338+ return sprintf(buf, "%d\n", !(s->flags & SLAB_NO_SANITIZE));
117339+}
117340+SLAB_ATTR_RO(sanitize);
117341+#endif
117342+
117343 static ssize_t destroy_by_rcu_show(struct kmem_cache *s, char *buf)
117344 {
117345 return sprintf(buf, "%d\n", !!(s->flags & SLAB_DESTROY_BY_RCU));
117346@@ -4628,7 +4729,7 @@ static ssize_t trace_store(struct kmem_cache *s, const char *buf,
117347 * as well as cause other issues like converting a mergeable
117348 * cache into an umergeable one.
117349 */
117350- if (s->refcount > 1)
117351+ if (atomic_read(&s->refcount) > 1)
117352 return -EINVAL;
117353
117354 s->flags &= ~SLAB_TRACE;
117355@@ -4748,7 +4849,7 @@ static ssize_t failslab_show(struct kmem_cache *s, char *buf)
117356 static ssize_t failslab_store(struct kmem_cache *s, const char *buf,
117357 size_t length)
117358 {
117359- if (s->refcount > 1)
117360+ if (atomic_read(&s->refcount) > 1)
117361 return -EINVAL;
117362
117363 s->flags &= ~SLAB_FAILSLAB;
117364@@ -4915,6 +5016,12 @@ static struct attribute *slab_attrs[] = {
117365 #ifdef CONFIG_ZONE_DMA
117366 &cache_dma_attr.attr,
117367 #endif
117368+#ifdef CONFIG_PAX_USERCOPY_SLABS
117369+ &usercopy_attr.attr,
117370+#endif
117371+#ifdef CONFIG_PAX_MEMORY_SANITIZE
117372+ &sanitize_attr.attr,
117373+#endif
117374 #ifdef CONFIG_NUMA
117375 &remote_node_defrag_ratio_attr.attr,
117376 #endif
117377@@ -5156,6 +5263,7 @@ static char *create_unique_id(struct kmem_cache *s)
117378 return name;
117379 }
117380
117381+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117382 static int sysfs_slab_add(struct kmem_cache *s)
117383 {
117384 int err;
117385@@ -5229,6 +5337,7 @@ void sysfs_slab_remove(struct kmem_cache *s)
117386 kobject_del(&s->kobj);
117387 kobject_put(&s->kobj);
117388 }
117389+#endif
117390
117391 /*
117392 * Need to buffer aliases during bootup until sysfs becomes
117393@@ -5242,6 +5351,7 @@ struct saved_alias {
117394
117395 static struct saved_alias *alias_list;
117396
117397+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117398 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
117399 {
117400 struct saved_alias *al;
117401@@ -5264,6 +5374,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
117402 alias_list = al;
117403 return 0;
117404 }
117405+#endif
117406
117407 static int __init slab_sysfs_init(void)
117408 {
117409diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c
117410index 4cba9c2..b4f9fcc 100644
117411--- a/mm/sparse-vmemmap.c
117412+++ b/mm/sparse-vmemmap.c
117413@@ -131,7 +131,7 @@ pud_t * __meminit vmemmap_pud_populate(pgd_t *pgd, unsigned long addr, int node)
117414 void *p = vmemmap_alloc_block(PAGE_SIZE, node);
117415 if (!p)
117416 return NULL;
117417- pud_populate(&init_mm, pud, p);
117418+ pud_populate_kernel(&init_mm, pud, p);
117419 }
117420 return pud;
117421 }
117422@@ -143,7 +143,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node)
117423 void *p = vmemmap_alloc_block(PAGE_SIZE, node);
117424 if (!p)
117425 return NULL;
117426- pgd_populate(&init_mm, pgd, p);
117427+ pgd_populate_kernel(&init_mm, pgd, p);
117428 }
117429 return pgd;
117430 }
117431diff --git a/mm/sparse.c b/mm/sparse.c
117432index d1b48b6..6e8590e 100644
117433--- a/mm/sparse.c
117434+++ b/mm/sparse.c
117435@@ -750,7 +750,7 @@ static void clear_hwpoisoned_pages(struct page *memmap, int nr_pages)
117436
117437 for (i = 0; i < PAGES_PER_SECTION; i++) {
117438 if (PageHWPoison(&memmap[i])) {
117439- atomic_long_sub(1, &num_poisoned_pages);
117440+ atomic_long_sub_unchecked(1, &num_poisoned_pages);
117441 ClearPageHWPoison(&memmap[i]);
117442 }
117443 }
117444diff --git a/mm/swap.c b/mm/swap.c
117445index a3a0a2f..915d436 100644
117446--- a/mm/swap.c
117447+++ b/mm/swap.c
117448@@ -85,6 +85,8 @@ static void __put_compound_page(struct page *page)
117449 if (!PageHuge(page))
117450 __page_cache_release(page);
117451 dtor = get_compound_page_dtor(page);
117452+ if (!PageHuge(page))
117453+ BUG_ON(dtor != free_compound_page);
117454 (*dtor)(page);
117455 }
117456
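Review bot: The added `BUG_ON(dtor != free_compound_page)` validates the destructor pointer only for non-hugetlb pages, so for `PageHuge(page)` the indirect call `(*dtor)(page)` proceeds with whatever pointer is stored in the page. If the hugetlb destructor is a single known function, comparing against it in an `else` branch would cover both cases. Otherwise a comment such as `/* non-hugetlb compound pages may only use free_compound_page */` should say why the check is one-sided. `PageHuge(page)` is now evaluated twice within four lines and could be cached in a local.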
117457diff --git a/mm/swapfile.c b/mm/swapfile.c
117458index 41e4581..6c452c9 100644
117459--- a/mm/swapfile.c
117460+++ b/mm/swapfile.c
117461@@ -84,7 +84,7 @@ static DEFINE_MUTEX(swapon_mutex);
117462
117463 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
117464 /* Activity counter to indicate that a swapon or swapoff has occurred */
117465-static atomic_t proc_poll_event = ATOMIC_INIT(0);
117466+static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
117467
117468 static inline unsigned char swap_count(unsigned char ent)
117469 {
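Review bot: The switch of `proc_poll_event` to `atomic_unchecked_t` carries no comment saying why overflow detection is not wanted for it. From the uses in the later hunks (incremented in swapon/swapoff, compared for inequality in swaps_poll()) it looks like a change-notification counter where wrap-around is harmless. That is worth stating at the declaration, e.g. `/* event counter, compared only for inequality; wrap is benign, hence unchecked */`. It lets a reader tell deliberate opt-outs from reference counts that must stay checked.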
117470@@ -1944,7 +1944,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
117471 spin_unlock(&swap_lock);
117472
117473 err = 0;
117474- atomic_inc(&proc_poll_event);
117475+ atomic_inc_unchecked(&proc_poll_event);
117476 wake_up_interruptible(&proc_poll_wait);
117477
117478 out_dput:
117479@@ -1961,8 +1961,8 @@ static unsigned swaps_poll(struct file *file, poll_table *wait)
117480
117481 poll_wait(file, &proc_poll_wait, wait);
117482
117483- if (seq->poll_event != atomic_read(&proc_poll_event)) {
117484- seq->poll_event = atomic_read(&proc_poll_event);
117485+ if (seq->poll_event != atomic_read_unchecked(&proc_poll_event)) {
117486+ seq->poll_event = atomic_read_unchecked(&proc_poll_event);
117487 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
117488 }
117489
117490@@ -2060,7 +2060,7 @@ static int swaps_open(struct inode *inode, struct file *file)
117491 return ret;
117492
117493 seq = file->private_data;
117494- seq->poll_event = atomic_read(&proc_poll_event);
117495+ seq->poll_event = atomic_read_unchecked(&proc_poll_event);
117496 return 0;
117497 }
117498
117499@@ -2520,7 +2520,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
117500 (frontswap_map) ? "FS" : "");
117501
117502 mutex_unlock(&swapon_mutex);
117503- atomic_inc(&proc_poll_event);
117504+ atomic_inc_unchecked(&proc_poll_event);
117505 wake_up_interruptible(&proc_poll_wait);
117506
117507 if (S_ISREG(inode->i_mode))
117508diff --git a/mm/util.c b/mm/util.c
117509index 68ff8a5..40c7a70 100644
117510--- a/mm/util.c
117511+++ b/mm/util.c
117512@@ -233,6 +233,12 @@ struct task_struct *task_of_stack(struct task_struct *task,
117513 void arch_pick_mmap_layout(struct mm_struct *mm)
117514 {
117515 mm->mmap_base = TASK_UNMAPPED_BASE;
117516+
117517+#ifdef CONFIG_PAX_RANDMMAP
117518+ if (mm->pax_flags & MF_PAX_RANDMMAP)
117519+ mm->mmap_base += mm->delta_mmap;
117520+#endif
117521+
117522 mm->get_unmapped_area = arch_get_unmapped_area;
117523 }
117524 #endif
117525@@ -434,6 +440,9 @@ int get_cmdline(struct task_struct *task, char *buffer, int buflen)
117526 if (!mm->arg_end)
117527 goto out_mm; /* Shh! No looking before we're done */
117528
117529+ if (gr_acl_handle_procpidmem(task))
117530+ goto out_mm;
117531+
117532 len = mm->arg_end - mm->arg_start;
117533
117534 if (len > buflen)
117535diff --git a/mm/vmalloc.c b/mm/vmalloc.c
117536index 2faaa29..c816cf4 100644
117537--- a/mm/vmalloc.c
117538+++ b/mm/vmalloc.c
117539@@ -40,20 +40,65 @@ struct vfree_deferred {
117540 struct work_struct wq;
117541 };
117542 static DEFINE_PER_CPU(struct vfree_deferred, vfree_deferred);
117543+static DEFINE_PER_CPU(struct vfree_deferred, vunmap_deferred);
117544+
117545+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117546+struct stack_deferred_llist {
117547+ struct llist_head list;
117548+ void *stack;
117549+ void *lowmem_stack;
117550+};
117551+
117552+struct stack_deferred {
117553+ struct stack_deferred_llist list;
117554+ struct work_struct wq;
117555+};
117556+
117557+static DEFINE_PER_CPU(struct stack_deferred, stack_deferred);
117558+#endif
117559
117560 static void __vunmap(const void *, int);
117561
117562-static void free_work(struct work_struct *w)
117563+static void vfree_work(struct work_struct *w)
117564 {
117565 struct vfree_deferred *p = container_of(w, struct vfree_deferred, wq);
117566 struct llist_node *llnode = llist_del_all(&p->list);
117567 while (llnode) {
117568- void *p = llnode;
117569+ void *x = llnode;
117570 llnode = llist_next(llnode);
117571- __vunmap(p, 1);
117572+ __vunmap(x, 1);
117573 }
117574 }
117575
117576+static void vunmap_work(struct work_struct *w)
117577+{
117578+ struct vfree_deferred *p = container_of(w, struct vfree_deferred, wq);
117579+ struct llist_node *llnode = llist_del_all(&p->list);
117580+ while (llnode) {
117581+ void *x = llnode;
117582+ llnode = llist_next(llnode);
117583+ __vunmap(x, 0);
117584+ }
117585+}
117586+
117587+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117588+static void unmap_work(struct work_struct *w)
117589+{
117590+ struct stack_deferred *p = container_of(w, struct stack_deferred, wq);
117591+ struct llist_node *llnode = llist_del_all(&p->list.list);
117592+ while (llnode) {
117593+ struct stack_deferred_llist *x =
117594+ llist_entry((struct llist_head *)llnode,
117595+ struct stack_deferred_llist, list);
117596+ void *stack = ACCESS_ONCE(x->stack);
117597+ void *lowmem_stack = ACCESS_ONCE(x->lowmem_stack);
117598+ llnode = llist_next(llnode);
117599+ __vunmap(stack, 0);
117600+ free_kmem_pages((unsigned long)lowmem_stack, THREAD_SIZE_ORDER);
117601+ }
117602+}
117603+#endif
117604+
117605 /*** Page table manipulation functions ***/
117606
117607 static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
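Review bot: unmap_work() reaches its entries with `llist_entry((struct llist_head *)llnode, struct stack_deferred_llist, list)`, casting a `struct llist_node *` to `struct llist_head *` because the `list` member is declared as a head but is also used as the queued node. Giving the queued entries a real `struct llist_node` member would remove the cast and the reliance on both structs having the same layout. The function also needs a comment on where the node is stored. `stack` and `lowmem_stack` are copied and `llist_next()` is taken before `free_kmem_pages()`, which suggests the node sits inside the memory being released. vfree_work() and vunmap_work() differ only in the second argument to `__vunmap()` and could share one helper.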
117608@@ -61,10 +106,23 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
117609 pte_t *pte;
117610
117611 pte = pte_offset_kernel(pmd, addr);
117612+ pax_open_kernel();
117613 do {
117614- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
117615- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
117616+
117617+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
117618+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
117619+ BUG_ON(!pte_exec(*pte));
117620+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
117621+ continue;
117622+ }
117623+#endif
117624+
117625+ {
117626+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
117627+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
117628+ }
117629 } while (pte++, addr += PAGE_SIZE, addr != end);
117630+ pax_close_kernel();
117631 }
117632
117633 static void vunmap_pmd_range(pud_t *pud, unsigned long addr, unsigned long end)
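Review bot: In vunmap_pte_range() the whole loop, including `BUG_ON(!pte_exec(*pte))` and `WARN_ON(!pte_none(ptent) && !pte_present(ptent))`, runs between `pax_open_kernel()` and `pax_close_kernel()`. vmap_pte_range() in the next hunk instead calls `pax_close_kernel()` before `WARN_ON(1)`. If the intent is that diagnostics never run while the window is open, this function should follow the same pattern, for example by recording the condition in a local and warning after `pax_close_kernel()`. The X86_32 KERNEXEC branch also needs a comment: it re-points PTEs in the `MODULES_EXEC_VADDR` range at `__pa(addr)` instead of clearing them, and the reason is not stated.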
117634@@ -127,16 +185,29 @@ static int vmap_pte_range(pmd_t *pmd, unsigned long addr,
117635 pte = pte_alloc_kernel(pmd, addr);
117636 if (!pte)
117637 return -ENOMEM;
117638+
117639+ pax_open_kernel();
117640 do {
117641 struct page *page = pages[*nr];
117642
117643- if (WARN_ON(!pte_none(*pte)))
117644+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
117645+ if (pgprot_val(prot) & _PAGE_NX)
117646+#endif
117647+
117648+ if (!pte_none(*pte)) {
117649+ pax_close_kernel();
117650+ WARN_ON(1);
117651 return -EBUSY;
117652- if (WARN_ON(!page))
117653+ }
117654+ if (!page) {
117655+ pax_close_kernel();
117656+ WARN_ON(1);
117657 return -ENOMEM;
117658+ }
117659 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
117660 (*nr)++;
117661 } while (pte++, addr += PAGE_SIZE, addr != end);
117662+ pax_close_kernel();
117663 return 0;
117664 }
117665
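Review bot: The NX test added under `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` is a brace-less `if` whose body is the following `if (!pte_none(*pte)) { ... }`, separated from it by `#endif` and a blank line. On that configuration the -EBUSY check is therefore skipped for executable mappings while the `!page` check still runs, which is easy to misread as guarding both checks or neither. I would make the binding explicit, for example a local `bool check_busy = true;` that the `#if` block sets to `pgprot_val(prot) & _PAGE_NX`, tested as `if (check_busy && !pte_none(*pte))`, with a comment on why a populated PTE is expected there (presumably because vunmap_pte_range leaves that window mapped). The two error exits each repeat `pax_close_kernel()`; a single `out:` label would keep the open/close pair balanced if another exit is added later. The function starts outside this hunk.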
117666@@ -146,7 +217,7 @@ static int vmap_pmd_range(pud_t *pud, unsigned long addr,
117667 pmd_t *pmd;
117668 unsigned long next;
117669
117670- pmd = pmd_alloc(&init_mm, pud, addr);
117671+ pmd = pmd_alloc_kernel(&init_mm, pud, addr);
117672 if (!pmd)
117673 return -ENOMEM;
117674 do {
117675@@ -163,7 +234,7 @@ static int vmap_pud_range(pgd_t *pgd, unsigned long addr,
117676 pud_t *pud;
117677 unsigned long next;
117678
117679- pud = pud_alloc(&init_mm, pgd, addr);
117680+ pud = pud_alloc_kernel(&init_mm, pgd, addr);
117681 if (!pud)
117682 return -ENOMEM;
117683 do {
117684@@ -223,6 +294,12 @@ int is_vmalloc_or_module_addr(const void *x)
117685 if (addr >= MODULES_VADDR && addr < MODULES_END)
117686 return 1;
117687 #endif
117688+
117689+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
117690+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
117691+ return 1;
117692+#endif
117693+
117694 return is_vmalloc_addr(x);
117695 }
117696
117697@@ -243,8 +320,14 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
117698
117699 if (!pgd_none(*pgd)) {
117700 pud_t *pud = pud_offset(pgd, addr);
117701+#ifdef CONFIG_X86
117702+ if (!pud_large(*pud))
117703+#endif
117704 if (!pud_none(*pud)) {
117705 pmd_t *pmd = pmd_offset(pud, addr);
117706+#ifdef CONFIG_X86
117707+ if (!pmd_large(*pmd))
117708+#endif
117709 if (!pmd_none(*pmd)) {
117710 pte_t *ptep, pte;
117711
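Review bot: The `pud_large` and `pmd_large` tests are stacked as brace-less `if`s in front of the existing `if (!pud_none(*pud))` and `if (!pmd_none(*pmd))`, so the nesting of the walk now depends on preprocessor state and on there never being an `else`. Folding each pair into one condition, `if (!pud_none(*pud) && !pud_large(*pud))`, behind a helper that is constant-false off x86 would read more plainly. A one-line comment on the outcome is also missing: for a huge-page entry the walk stops, so the function presumably returns its initial `page` value (set outside this hunk) rather than descending into something that is not a page table.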
117712@@ -346,7 +429,7 @@ static void purge_vmap_area_lazy(void);
117713 * Allocate a region of KVA of the specified size and alignment, within the
117714 * vstart and vend.
117715 */
117716-static struct vmap_area *alloc_vmap_area(unsigned long size,
117717+static struct vmap_area * __size_overflow(1) alloc_vmap_area(unsigned long size,
117718 unsigned long align,
117719 unsigned long vstart, unsigned long vend,
117720 int node, gfp_t gfp_mask)
117721@@ -1202,13 +1285,27 @@ void __init vmalloc_init(void)
117722 for_each_possible_cpu(i) {
117723 struct vmap_block_queue *vbq;
117724 struct vfree_deferred *p;
117725+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117726+ struct stack_deferred *p2;
117727+#endif
117728
117729 vbq = &per_cpu(vmap_block_queue, i);
117730 spin_lock_init(&vbq->lock);
117731 INIT_LIST_HEAD(&vbq->free);
117732+
117733 p = &per_cpu(vfree_deferred, i);
117734 init_llist_head(&p->list);
117735- INIT_WORK(&p->wq, free_work);
117736+ INIT_WORK(&p->wq, vfree_work);
117737+
117738+ p = &per_cpu(vunmap_deferred, i);
117739+ init_llist_head(&p->list);
117740+ INIT_WORK(&p->wq, vunmap_work);
117741+
117742+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117743+ p2 = &per_cpu(stack_deferred, i);
117744+ init_llist_head(&p2->list.list);
117745+ INIT_WORK(&p2->wq, unmap_work);
117746+#endif
117747 }
117748
117749 /* Import existing vmlist entries. */
117750@@ -1333,6 +1430,16 @@ static struct vm_struct *__get_vm_area_node(unsigned long size,
117751 struct vm_struct *area;
117752
117753 BUG_ON(in_interrupt());
117754+
117755+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
117756+ if (flags & VM_KERNEXEC) {
117757+ if (start != VMALLOC_START || end != VMALLOC_END)
117758+ return NULL;
117759+ start = (unsigned long)MODULES_EXEC_VADDR;
117760+ end = (unsigned long)MODULES_EXEC_END;
117761+ }
117762+#endif
117763+
117764 if (flags & VM_IOREMAP)
117765 align = 1ul << clamp_t(int, fls_long(size),
117766 PAGE_SHIFT, IOREMAP_MAX_ORDER);
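Review bot: The VM_KERNEXEC branch returns NULL with no diagnostic when the caller asked for anything other than VMALLOC_START..VMALLOC_END, so a misuse looks exactly like an out-of-memory failure. A comment such as `/* executable areas always live in the MODULES_EXEC window; any other requested range is a caller bug */` would document the contract, and a `WARN_ON_ONCE` on that path would make the bug visible. The guard here is `CONFIG_X86`, while the vunmap_pte_range, vmap_pte_range and is_vmalloc_or_module_addr hunks use `CONFIG_X86_32` around the same MODULES_EXEC_* constants; if the difference is intentional it deserves a word in that comment.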
117767@@ -1531,13 +1638,36 @@ EXPORT_SYMBOL(vfree);
117768 */
117769 void vunmap(const void *addr)
117770 {
117771- BUG_ON(in_interrupt());
117772- might_sleep();
117773- if (addr)
117774+ if (!addr)
117775+ return;
117776+ if (unlikely(in_interrupt())) {
117777+ struct vfree_deferred *p = this_cpu_ptr(&vunmap_deferred);
117778+ if (llist_add((struct llist_node *)addr, &p->list))
117779+ schedule_work(&p->wq);
117780+ } else {
117781+ might_sleep();
117782 __vunmap(addr, 0);
117783+ }
117784 }
117785 EXPORT_SYMBOL(vunmap);
117786
117787+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117788+void unmap_process_stacks(struct task_struct *task)
117789+{
117790+ if (unlikely(in_interrupt())) {
117791+ struct stack_deferred *p = this_cpu_ptr(&stack_deferred);
117792+ struct stack_deferred_llist *list = task->stack;
117793+ list->stack = task->stack;
117794+ list->lowmem_stack = task->lowmem_stack;
117795+ if (llist_add((struct llist_node *)&list->list, &p->list.list))
117796+ schedule_work(&p->wq);
117797+ } else {
117798+ __vunmap(task->stack, 0);
117799+ free_kmem_pages((unsigned long)task->lowmem_stack, THREAD_SIZE_ORDER);
117800+ }
117801+}
117802+#endif
117803+
117804 /**
117805 * vmap - map an array of pages into virtually contiguous space
117806 * @pages: array of page pointers
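Review bot: In the new interrupt path of vunmap, `llist_add((struct llist_node *)addr, &p->list)` casts away the `const` on `addr` and stores the list link in the first bytes of the mapping that is about to be torn down. That is fine for memory being freed, but vunmap only removes an alias: the pages behind it remain owned by whoever passed them to vmap, so the link overwrites live data, and a mapping created read-only would fault on the store (both inferred from the vmap/vunmap contract, since the callers are not visible here). I would either keep `BUG_ON(in_interrupt())` and defer only at the call sites known to need it, or queue a node that does not live inside the mapping. The kernel-doc above the function (outside this hunk) also needs updating for the changed interrupt-context behaviour. unmap_process_stacks stores its node in `task->stack` the same way, which is acceptable only if the stack is dead at that point, and a comment should say so.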
117807@@ -1558,6 +1688,11 @@ void *vmap(struct page **pages, unsigned int count,
117808 if (count > totalram_pages)
117809 return NULL;
117810
117811+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
117812+ if (!(pgprot_val(prot) & _PAGE_NX))
117813+ flags |= VM_KERNEXEC;
117814+#endif
117815+
117816 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
117817 __builtin_return_address(0));
117818 if (!area)
117819@@ -1662,6 +1797,14 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
117820 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
117821 goto fail;
117822
117823+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
117824+ if (!(pgprot_val(prot) & _PAGE_NX)) {
117825+ vm_flags |= VM_KERNEXEC;
117826+ start = VMALLOC_START;
117827+ end = VMALLOC_END;
117828+ }
117829+#endif
117830+
117831 area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNINITIALIZED |
117832 vm_flags, start, end, node, gfp_mask, caller);
117833 if (!area)
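Review bot: The added block overwrites the caller's `start` and `end` with VMALLOC_START/VMALLOC_END whenever `prot` lacks `_PAGE_NX`, and there is no comment saying why. Read together with the __get_vm_area_node hunk, this is what lets the request pass the `start != VMALLOC_START || end != VMALLOC_END` test and be redirected to the MODULES_EXEC window, but from this function alone it looks as if the requested range is simply discarded. I would add `/* KERNEXEC: executable allocations are redirected to MODULES_EXEC_VADDR..MODULES_EXEC_END by __get_vm_area_node(), which only accepts the default range */` above the `if`.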
117834@@ -1715,6 +1858,14 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
117835 gfp_mask, prot, 0, node, caller);
117836 }
117837
117838+void *vmalloc_usercopy(unsigned long size)
117839+{
117840+ return __vmalloc_node_range(size, 1, VMALLOC_START, VMALLOC_END,
117841+ GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
117842+ VM_USERCOPY, NUMA_NO_NODE,
117843+ __builtin_return_address(0));
117844+}
117845+
117846 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
117847 {
117848 return __vmalloc_node(size, 1, gfp_mask, prot, NUMA_NO_NODE,
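Review bot: vmalloc_usercopy is added without a kernel-doc block, and nothing in the hunk says what VM_USERCOPY means for the resulting area. The gfp mask is `GFP_KERNEL | __GFP_HIGHMEM` with no `__GFP_ZERO`, so the memory is returned uninitialised; if these buffers are later copied to user space, as the name suggests, the comment should state that callers must fill every byte they copy out. I would add a short kernel-doc with `@size`, the NULL-on-failure return, the "not zeroed" caveat, and one sentence on what the VM_USERCOPY flag is used for (to be supplied by the author).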
117849@@ -1838,10 +1989,9 @@ EXPORT_SYMBOL(vzalloc_node);
117850 * For tight control over page level allocator and protection flags
117851 * use __vmalloc() instead.
117852 */
117853-
117854 void *vmalloc_exec(unsigned long size)
117855 {
117856- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
117857+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
117858 NUMA_NO_NODE, __builtin_return_address(0));
117859 }
117860
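Review bot: The kernel-doc above vmalloc_exec is left as it was although the allocation now carries `__GFP_ZERO`. Zero-filling executable memory is a sensible hardening step, and callers may come to rely on it, so it should be part of the documented contract. I would add one line to the comment, for example ` * The returned memory is zero-filled.`.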
117861@@ -2148,6 +2298,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
117862 {
117863 struct vm_struct *area;
117864
117865+ BUG_ON(vma->vm_mirror);
117866+
117867 size = PAGE_ALIGN(size);
117868
117869 if (!PAGE_ALIGNED(uaddr) || !PAGE_ALIGNED(kaddr))
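Review bot: The added `BUG_ON(vma->vm_mirror)` panics inside a function that returns `int` and, two lines later, already rejects bad arguments through the `!PAGE_ALIGNED(uaddr) || !PAGE_ALIGNED(kaddr)` test (its return statement is outside the hunk). If a mirrored vma can reach this point from a driver's mmap handler, `if (WARN_ON_ONCE(vma->vm_mirror)) return -EINVAL;` fails the call without taking the machine down. If it cannot, a comment stating the invariant, `/* vmalloc ranges are never remapped into a mirrored (SEGMEXEC) vma */`, would justify the hard stop; the SEGMEXEC reading of `vm_mirror` is my assumption and should be confirmed.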
117870@@ -2630,7 +2782,11 @@ static int s_show(struct seq_file *m, void *p)
117871 v->addr, v->addr + v->size, v->size);
117872
117873 if (v->caller)
117874+#ifdef CONFIG_GRKERNSEC_HIDESYM
117875+ seq_printf(m, " %pK", v->caller);
117876+#else
117877 seq_printf(m, " %pS", v->caller);
117878+#endif
117879
117880 if (v->nr_pages)
117881 seq_printf(m, " pages=%d", v->nr_pages);
117882diff --git a/mm/vmstat.c b/mm/vmstat.c
117883index 4f5cd97..9fb715a 100644
117884--- a/mm/vmstat.c
117885+++ b/mm/vmstat.c
117886@@ -27,6 +27,7 @@
117887 #include <linux/mm_inline.h>
117888 #include <linux/page_ext.h>
117889 #include <linux/page_owner.h>
117890+#include <linux/grsecurity.h>
117891
117892 #include "internal.h"
117893
117894@@ -86,7 +87,7 @@ void vm_events_fold_cpu(int cpu)
117895 *
117896 * vm_stat contains the global counters
117897 */
117898-atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
117899+atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
117900 EXPORT_SYMBOL(vm_stat);
117901
117902 #ifdef CONFIG_SMP
117903@@ -438,7 +439,7 @@ static int fold_diff(int *diff)
117904
117905 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
117906 if (diff[i]) {
117907- atomic_long_add(diff[i], &vm_stat[i]);
117908+ atomic_long_add_unchecked(diff[i], &vm_stat[i]);
117909 changes++;
117910 }
117911 return changes;
117912@@ -476,7 +477,7 @@ static int refresh_cpu_vm_stats(void)
117913 v = this_cpu_xchg(p->vm_stat_diff[i], 0);
117914 if (v) {
117915
117916- atomic_long_add(v, &zone->vm_stat[i]);
117917+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
117918 global_diff[i] += v;
117919 #ifdef CONFIG_NUMA
117920 /* 3 seconds idle till flush */
117921@@ -540,7 +541,7 @@ void cpu_vm_stats_fold(int cpu)
117922
117923 v = p->vm_stat_diff[i];
117924 p->vm_stat_diff[i] = 0;
117925- atomic_long_add(v, &zone->vm_stat[i]);
117926+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
117927 global_diff[i] += v;
117928 }
117929 }
117930@@ -560,8 +561,8 @@ void drain_zonestat(struct zone *zone, struct per_cpu_pageset *pset)
117931 if (pset->vm_stat_diff[i]) {
117932 int v = pset->vm_stat_diff[i];
117933 pset->vm_stat_diff[i] = 0;
117934- atomic_long_add(v, &zone->vm_stat[i]);
117935- atomic_long_add(v, &vm_stat[i]);
117936+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
117937+ atomic_long_add_unchecked(v, &vm_stat[i]);
117938 }
117939 }
117940 #endif
117941@@ -1293,10 +1294,22 @@ static void *vmstat_start(struct seq_file *m, loff_t *pos)
117942 stat_items_size += sizeof(struct vm_event_state);
117943 #endif
117944
117945- v = kmalloc(stat_items_size, GFP_KERNEL);
117946+ v = kzalloc(stat_items_size, GFP_KERNEL);
117947 m->private = v;
117948 if (!v)
117949 return ERR_PTR(-ENOMEM);
117950+
117951+#ifdef CONFIG_GRKERNSEC_PROC_ADD
117952+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
117953+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
117954+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
117955+ && !in_group_p(grsec_proc_gid)
117956+#endif
117957+ )
117958+ return (unsigned long *)m->private + *pos;
117959+#endif
117960+#endif
117961+
117962 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
117963 v[i] = global_page_state(i);
117964 v += NR_VM_ZONE_STAT_ITEMS;
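Review bot: The early return for unprivileged readers hands back `(unsigned long *)m->private + *pos` before any counter has been written, so it is safe only because of the `kmalloc` → `kzalloc` change a few lines above. Nothing ties the two together, and a later cleanup that goes back to `kmalloc` would expose uninitialised heap contents through this seq_file. I would add a comment at the allocation, `/* must be zeroed: unprivileged readers are shown this buffer unfilled */`, and a matching one at the early return. The bounds check on `*pos` is outside this hunk, so I cannot confirm from here that it runs before the new return.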
117965@@ -1528,10 +1541,16 @@ static int __init setup_vmstat(void)
117966 cpu_notifier_register_done();
117967 #endif
117968 #ifdef CONFIG_PROC_FS
117969- proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
117970- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
117971- proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
117972- proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
117973+ {
117974+ mode_t gr_mode = S_IRUGO;
117975+#ifdef CONFIG_GRKERNSEC_PROC_ADD
117976+ gr_mode = S_IRUSR;
117977+#endif
117978+ proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
117979+ proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
117980+ proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
117981+ proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
117982+ }
117983 #endif
117984 return 0;
117985 }
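Review bot: `gr_mode` is declared `mode_t`, whereas kernel code normally carries permission bits in `umode_t` (the proc_create prototype is not visible here, so confirm); `umode_t gr_mode = S_IRUGO;` avoids an implicit conversion at the three call sites. The "vmstat" entry keeps `S_IRUGO` while buddyinfo, pagetypeinfo and zoneinfo become `S_IRUSR` under CONFIG_GRKERNSEC_PROC_ADD. That looks deliberate given the zero-filled view the vmstat_start hunk gives unprivileged readers, but without a comment it reads like an oversight; I would add `/* vmstat stays world-readable; vmstat_start() hides the values from unprivileged readers */` on that line.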
117986diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
117987index d2cd9de..501c186 100644
117988--- a/net/8021q/vlan.c
117989+++ b/net/8021q/vlan.c
117990@@ -491,7 +491,7 @@ out:
117991 return NOTIFY_DONE;
117992 }
117993
117994-static struct notifier_block vlan_notifier_block __read_mostly = {
117995+static struct notifier_block vlan_notifier_block = {
117996 .notifier_call = vlan_device_event,
117997 };
117998
117999@@ -566,8 +566,7 @@ static int vlan_ioctl_handler(struct net *net, void __user *arg)
118000 err = -EPERM;
118001 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
118002 break;
118003- if ((args.u.name_type >= 0) &&
118004- (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
118005+ if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
118006 struct vlan_net *vn;
118007
118008 vn = net_generic(net, vlan_net_id);
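Review bot: Dropping the `args.u.name_type >= 0` test is only correct if `name_type` has an unsigned type, and its declaration is not in this hunk. If it is unsigned, the removed test was dead code and the change is harmless; if it is signed on any build, a negative value now passes `args.u.name_type < VLAN_NAME_TYPE_HIGHEST` and reaches the code that uses it (below the hunk). Making the assumption explicit costs nothing: `if ((unsigned int)args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {`, or a comment naming the field's type.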
118009diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
118010index c92b52f..006c052 100644
118011--- a/net/8021q/vlan_netlink.c
118012+++ b/net/8021q/vlan_netlink.c
118013@@ -245,7 +245,7 @@ static struct net *vlan_get_link_net(const struct net_device *dev)
118014 return dev_net(real_dev);
118015 }
118016
118017-struct rtnl_link_ops vlan_link_ops __read_mostly = {
118018+struct rtnl_link_ops vlan_link_ops = {
118019 .kind = "vlan",
118020 .maxtype = IFLA_VLAN_MAX,
118021 .policy = vlan_policy,
118022diff --git a/net/9p/mod.c b/net/9p/mod.c
118023index 6ab36ae..6f1841b 100644
118024--- a/net/9p/mod.c
118025+++ b/net/9p/mod.c
118026@@ -84,7 +84,7 @@ static LIST_HEAD(v9fs_trans_list);
118027 void v9fs_register_trans(struct p9_trans_module *m)
118028 {
118029 spin_lock(&v9fs_trans_lock);
118030- list_add_tail(&m->list, &v9fs_trans_list);
118031+ pax_list_add_tail((struct list_head *)&m->list, &v9fs_trans_list);
118032 spin_unlock(&v9fs_trans_lock);
118033 }
118034 EXPORT_SYMBOL(v9fs_register_trans);
118035@@ -97,7 +97,7 @@ EXPORT_SYMBOL(v9fs_register_trans);
118036 void v9fs_unregister_trans(struct p9_trans_module *m)
118037 {
118038 spin_lock(&v9fs_trans_lock);
118039- list_del_init(&m->list);
118040+ pax_list_del_init((struct list_head *)&m->list);
118041 spin_unlock(&v9fs_trans_lock);
118042 }
118043 EXPORT_SYMBOL(v9fs_unregister_trans);
118044diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
118045index bced8c0..ef253b7 100644
118046--- a/net/9p/trans_fd.c
118047+++ b/net/9p/trans_fd.c
118048@@ -428,7 +428,7 @@ static int p9_fd_write(struct p9_client *client, void *v, int len)
118049 oldfs = get_fs();
118050 set_fs(get_ds());
118051 /* The cast to a user pointer is valid due to the set_fs() */
118052- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
118053+ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
118054 set_fs(oldfs);
118055
118056 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
118057diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
118058index af46bc4..f9adfcd 100644
118059--- a/net/appletalk/atalk_proc.c
118060+++ b/net/appletalk/atalk_proc.c
118061@@ -256,7 +256,7 @@ int __init atalk_proc_init(void)
118062 struct proc_dir_entry *p;
118063 int rc = -ENOMEM;
118064
118065- atalk_proc_dir = proc_mkdir("atalk", init_net.proc_net);
118066+ atalk_proc_dir = proc_mkdir_restrict("atalk", init_net.proc_net);
118067 if (!atalk_proc_dir)
118068 goto out;
118069
118070diff --git a/net/atm/atm_misc.c b/net/atm/atm_misc.c
118071index 876fbe8..8bbea9f 100644
118072--- a/net/atm/atm_misc.c
118073+++ b/net/atm/atm_misc.c
118074@@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int truesize)
118075 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
118076 return 1;
118077 atm_return(vcc, truesize);
118078- atomic_inc(&vcc->stats->rx_drop);
118079+ atomic_inc_unchecked(&vcc->stats->rx_drop);
118080 return 0;
118081 }
118082 EXPORT_SYMBOL(atm_charge);
118083@@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct atm_vcc *vcc, int pdu_size,
118084 }
118085 }
118086 atm_return(vcc, guess);
118087- atomic_inc(&vcc->stats->rx_drop);
118088+ atomic_inc_unchecked(&vcc->stats->rx_drop);
118089 return NULL;
118090 }
118091 EXPORT_SYMBOL(atm_alloc_charge);
118092@@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
118093
118094 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
118095 {
118096-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
118097+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
118098 __SONET_ITEMS
118099 #undef __HANDLE_ITEM
118100 }
118101@@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
118102
118103 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
118104 {
118105-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
118106+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
118107 __SONET_ITEMS
118108 #undef __HANDLE_ITEM
118109 }
118110diff --git a/net/atm/lec.c b/net/atm/lec.c
118111index cd3b379..977a3c9 100644
118112--- a/net/atm/lec.c
118113+++ b/net/atm/lec.c
118114@@ -111,9 +111,9 @@ static inline void lec_arp_put(struct lec_arp_table *entry)
118115 }
118116
118117 static struct lane2_ops lane2_ops = {
118118- lane2_resolve, /* resolve, spec 3.1.3 */
118119- lane2_associate_req, /* associate_req, spec 3.1.4 */
118120- NULL /* associate indicator, spec 3.1.5 */
118121+ .resolve = lane2_resolve,
118122+ .associate_req = lane2_associate_req,
118123+ .associate_indicator = NULL
118124 };
118125
118126 static unsigned char bus_mac[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
118127diff --git a/net/atm/lec.h b/net/atm/lec.h
118128index 4149db1..f2ab682 100644
118129--- a/net/atm/lec.h
118130+++ b/net/atm/lec.h
118131@@ -48,7 +48,7 @@ struct lane2_ops {
118132 const u8 *tlvs, u32 sizeoftlvs);
118133 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
118134 const u8 *tlvs, u32 sizeoftlvs);
118135-};
118136+} __no_const;
118137
118138 /*
118139 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
118140diff --git a/net/atm/mpoa_caches.c b/net/atm/mpoa_caches.c
118141index d1b2d9a..d549f7f 100644
118142--- a/net/atm/mpoa_caches.c
118143+++ b/net/atm/mpoa_caches.c
118144@@ -535,30 +535,30 @@ static void eg_destroy_cache(struct mpoa_client *mpc)
118145
118146
118147 static struct in_cache_ops ingress_ops = {
118148- in_cache_add_entry, /* add_entry */
118149- in_cache_get, /* get */
118150- in_cache_get_with_mask, /* get_with_mask */
118151- in_cache_get_by_vcc, /* get_by_vcc */
118152- in_cache_put, /* put */
118153- in_cache_remove_entry, /* remove_entry */
118154- cache_hit, /* cache_hit */
118155- clear_count_and_expired, /* clear_count */
118156- check_resolving_entries, /* check_resolving */
118157- refresh_entries, /* refresh */
118158- in_destroy_cache /* destroy_cache */
118159+ .add_entry = in_cache_add_entry,
118160+ .get = in_cache_get,
118161+ .get_with_mask = in_cache_get_with_mask,
118162+ .get_by_vcc = in_cache_get_by_vcc,
118163+ .put = in_cache_put,
118164+ .remove_entry = in_cache_remove_entry,
118165+ .cache_hit = cache_hit,
118166+ .clear_count = clear_count_and_expired,
118167+ .check_resolving = check_resolving_entries,
118168+ .refresh = refresh_entries,
118169+ .destroy_cache = in_destroy_cache
118170 };
118171
118172 static struct eg_cache_ops egress_ops = {
118173- eg_cache_add_entry, /* add_entry */
118174- eg_cache_get_by_cache_id, /* get_by_cache_id */
118175- eg_cache_get_by_tag, /* get_by_tag */
118176- eg_cache_get_by_vcc, /* get_by_vcc */
118177- eg_cache_get_by_src_ip, /* get_by_src_ip */
118178- eg_cache_put, /* put */
118179- eg_cache_remove_entry, /* remove_entry */
118180- update_eg_cache_entry, /* update */
118181- clear_expired, /* clear_expired */
118182- eg_destroy_cache /* destroy_cache */
118183+ .add_entry = eg_cache_add_entry,
118184+ .get_by_cache_id = eg_cache_get_by_cache_id,
118185+ .get_by_tag = eg_cache_get_by_tag,
118186+ .get_by_vcc = eg_cache_get_by_vcc,
118187+ .get_by_src_ip = eg_cache_get_by_src_ip,
118188+ .put = eg_cache_put,
118189+ .remove_entry = eg_cache_remove_entry,
118190+ .update = update_eg_cache_entry,
118191+ .clear_expired = clear_expired,
118192+ .destroy_cache = eg_destroy_cache
118193 };
118194
118195
118196diff --git a/net/atm/proc.c b/net/atm/proc.c
118197index bbb6461..cf04016 100644
118198--- a/net/atm/proc.c
118199+++ b/net/atm/proc.c
118200@@ -45,9 +45,9 @@ static void add_stats(struct seq_file *seq, const char *aal,
118201 const struct k_atm_aal_stats *stats)
118202 {
118203 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
118204- atomic_read(&stats->tx), atomic_read(&stats->tx_err),
118205- atomic_read(&stats->rx), atomic_read(&stats->rx_err),
118206- atomic_read(&stats->rx_drop));
118207+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
118208+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
118209+ atomic_read_unchecked(&stats->rx_drop));
118210 }
118211
118212 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
118213diff --git a/net/atm/resources.c b/net/atm/resources.c
118214index 0447d5d..3cf4728 100644
118215--- a/net/atm/resources.c
118216+++ b/net/atm/resources.c
118217@@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
118218 static void copy_aal_stats(struct k_atm_aal_stats *from,
118219 struct atm_aal_stats *to)
118220 {
118221-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
118222+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
118223 __AAL_STAT_ITEMS
118224 #undef __HANDLE_ITEM
118225 }
118226@@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_aal_stats *from,
118227 static void subtract_aal_stats(struct k_atm_aal_stats *from,
118228 struct atm_aal_stats *to)
118229 {
118230-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
118231+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
118232 __AAL_STAT_ITEMS
118233 #undef __HANDLE_ITEM
118234 }
118235diff --git a/net/ax25/sysctl_net_ax25.c b/net/ax25/sysctl_net_ax25.c
118236index 919a5ce..cc6b444 100644
118237--- a/net/ax25/sysctl_net_ax25.c
118238+++ b/net/ax25/sysctl_net_ax25.c
118239@@ -152,7 +152,7 @@ int ax25_register_dev_sysctl(ax25_dev *ax25_dev)
118240 {
118241 char path[sizeof("net/ax25/") + IFNAMSIZ];
118242 int k;
118243- struct ctl_table *table;
118244+ ctl_table_no_const *table;
118245
118246 table = kmemdup(ax25_param_table, sizeof(ax25_param_table), GFP_KERNEL);
118247 if (!table)
118248diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
118249index 753383c..32d12d9 100644
118250--- a/net/batman-adv/bat_iv_ogm.c
118251+++ b/net/batman-adv/bat_iv_ogm.c
118252@@ -343,7 +343,7 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
118253
118254 /* randomize initial seqno to avoid collision */
118255 get_random_bytes(&random_seqno, sizeof(random_seqno));
118256- atomic_set(&hard_iface->bat_iv.ogm_seqno, random_seqno);
118257+ atomic_set_unchecked(&hard_iface->bat_iv.ogm_seqno, random_seqno);
118258
118259 hard_iface->bat_iv.ogm_buff_len = BATADV_OGM_HLEN;
118260 ogm_buff = kmalloc(hard_iface->bat_iv.ogm_buff_len, GFP_ATOMIC);
118261@@ -947,9 +947,9 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
118262 batadv_ogm_packet->tvlv_len = htons(tvlv_len);
118263
118264 /* change sequence number to network order */
118265- seqno = (uint32_t)atomic_read(&hard_iface->bat_iv.ogm_seqno);
118266+ seqno = (uint32_t)atomic_read_unchecked(&hard_iface->bat_iv.ogm_seqno);
118267 batadv_ogm_packet->seqno = htonl(seqno);
118268- atomic_inc(&hard_iface->bat_iv.ogm_seqno);
118269+ atomic_inc_unchecked(&hard_iface->bat_iv.ogm_seqno);
118270
118271 batadv_iv_ogm_slide_own_bcast_window(hard_iface);
118272
118273@@ -1626,7 +1626,7 @@ static void batadv_iv_ogm_process(const struct sk_buff *skb, int ogm_offset,
118274 return;
118275
118276 /* could be changed by schedule_own_packet() */
118277- if_incoming_seqno = atomic_read(&if_incoming->bat_iv.ogm_seqno);
118278+ if_incoming_seqno = atomic_read_unchecked(&if_incoming->bat_iv.ogm_seqno);
118279
118280 if (ogm_packet->flags & BATADV_DIRECTLINK)
118281 has_directlink_flag = true;
118282diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
118283index c0f0d01..725928a 100644
118284--- a/net/batman-adv/fragmentation.c
118285+++ b/net/batman-adv/fragmentation.c
118286@@ -465,7 +465,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
118287 frag_header.packet_type = BATADV_UNICAST_FRAG;
118288 frag_header.version = BATADV_COMPAT_VERSION;
118289 frag_header.ttl = BATADV_TTL;
118290- frag_header.seqno = htons(atomic_inc_return(&bat_priv->frag_seqno));
118291+ frag_header.seqno = htons(atomic_inc_return_unchecked(&bat_priv->frag_seqno));
118292 frag_header.reserved = 0;
118293 frag_header.no = 0;
118294 frag_header.total_size = htons(skb->len);
118295diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
118296index a2fc843..0f8059e 100644
118297--- a/net/batman-adv/soft-interface.c
118298+++ b/net/batman-adv/soft-interface.c
118299@@ -325,7 +325,7 @@ send:
118300 primary_if->net_dev->dev_addr);
118301
118302 /* set broadcast sequence number */
118303- seqno = atomic_inc_return(&bat_priv->bcast_seqno);
118304+ seqno = atomic_inc_return_unchecked(&bat_priv->bcast_seqno);
118305 bcast_packet->seqno = htonl(seqno);
118306
118307 batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay);
118308@@ -793,7 +793,7 @@ static int batadv_softif_init_late(struct net_device *dev)
118309 atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN);
118310
118311 atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
118312- atomic_set(&bat_priv->bcast_seqno, 1);
118313+ atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
118314 atomic_set(&bat_priv->tt.vn, 0);
118315 atomic_set(&bat_priv->tt.local_changes, 0);
118316 atomic_set(&bat_priv->tt.ogm_append_cnt, 0);
118317@@ -807,7 +807,7 @@ static int batadv_softif_init_late(struct net_device *dev)
118318
118319 /* randomize initial seqno to avoid collision */
118320 get_random_bytes(&random_seqno, sizeof(random_seqno));
118321- atomic_set(&bat_priv->frag_seqno, random_seqno);
118322+ atomic_set_unchecked(&bat_priv->frag_seqno, random_seqno);
118323
118324 bat_priv->primary_if = NULL;
118325 bat_priv->num_ifaces = 0;
118326@@ -1015,7 +1015,7 @@ int batadv_softif_is_valid(const struct net_device *net_dev)
118327 return 0;
118328 }
118329
118330-struct rtnl_link_ops batadv_link_ops __read_mostly = {
118331+struct rtnl_link_ops batadv_link_ops = {
118332 .kind = "batadv",
118333 .priv_size = sizeof(struct batadv_priv),
118334 .setup = batadv_softif_init_early,
118335diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
118336index 67d6348..4358755 100644
118337--- a/net/batman-adv/types.h
118338+++ b/net/batman-adv/types.h
118339@@ -81,7 +81,7 @@ enum batadv_dhcp_recipient {
118340 struct batadv_hard_iface_bat_iv {
118341 unsigned char *ogm_buff;
118342 int ogm_buff_len;
118343- atomic_t ogm_seqno;
118344+ atomic_unchecked_t ogm_seqno;
118345 };
118346
118347 /**
118348@@ -783,7 +783,7 @@ struct batadv_priv {
118349 atomic_t bonding;
118350 atomic_t fragmentation;
118351 atomic_t packet_size_max;
118352- atomic_t frag_seqno;
118353+ atomic_unchecked_t frag_seqno;
118354 #ifdef CONFIG_BATMAN_ADV_BLA
118355 atomic_t bridge_loop_avoidance;
118356 #endif
118357@@ -802,7 +802,7 @@ struct batadv_priv {
118358 #endif
118359 uint32_t isolation_mark;
118360 uint32_t isolation_mark_mask;
118361- atomic_t bcast_seqno;
118362+ atomic_unchecked_t bcast_seqno;
118363 atomic_t bcast_queue_left;
118364 atomic_t batman_queue_left;
118365 char num_ifaces;
118366diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
118367index f2d30d1..0573933 100644
118368--- a/net/bluetooth/hci_sock.c
118369+++ b/net/bluetooth/hci_sock.c
118370@@ -1253,7 +1253,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
118371 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
118372 }
118373
118374- len = min_t(unsigned int, len, sizeof(uf));
118375+ len = min((size_t)len, sizeof(uf));
118376 if (copy_from_user(&uf, optval, len)) {
118377 err = -EFAULT;
118378 break;
118379diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
118380index 45fffa4..c5ad848 100644
118381--- a/net/bluetooth/l2cap_core.c
118382+++ b/net/bluetooth/l2cap_core.c
118383@@ -3537,8 +3537,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
118384 break;
118385
118386 case L2CAP_CONF_RFC:
118387- if (olen == sizeof(rfc))
118388- memcpy(&rfc, (void *)val, olen);
118389+ if (olen != sizeof(rfc))
118390+ break;
118391+
118392+ memcpy(&rfc, (void *)val, olen);
118393
118394 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
118395 rfc.mode != chan->mode)
118396diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
118397index 2442877..24ddcd1 100644
118398--- a/net/bluetooth/l2cap_sock.c
118399+++ b/net/bluetooth/l2cap_sock.c
118400@@ -633,7 +633,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
118401 struct sock *sk = sock->sk;
118402 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
118403 struct l2cap_options opts;
118404- int len, err = 0;
118405+ int err = 0;
118406+ size_t len = optlen;
118407 u32 opt;
118408
118409 BT_DBG("sk %p", sk);
118410@@ -660,7 +661,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
118411 opts.max_tx = chan->max_tx;
118412 opts.txwin_size = chan->tx_win;
118413
118414- len = min_t(unsigned int, sizeof(opts), optlen);
118415+ len = min(sizeof(opts), len);
118416 if (copy_from_user((char *) &opts, optval, len)) {
118417 err = -EFAULT;
118418 break;
118419@@ -747,7 +748,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
118420 struct bt_security sec;
118421 struct bt_power pwr;
118422 struct l2cap_conn *conn;
118423- int len, err = 0;
118424+ int err = 0;
118425+ size_t len = optlen;
118426 u32 opt;
118427
118428 BT_DBG("sk %p", sk);
118429@@ -771,7 +773,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
118430
118431 sec.level = BT_SECURITY_LOW;
118432
118433- len = min_t(unsigned int, sizeof(sec), optlen);
118434+ len = min(sizeof(sec), len);
118435 if (copy_from_user((char *) &sec, optval, len)) {
118436 err = -EFAULT;
118437 break;
118438@@ -867,7 +869,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
118439
118440 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
118441
118442- len = min_t(unsigned int, sizeof(pwr), optlen);
118443+ len = min(sizeof(pwr), len);
118444 if (copy_from_user((char *) &pwr, optval, len)) {
118445 err = -EFAULT;
118446 break;
118447diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
118448index 7511df7..a670df3 100644
118449--- a/net/bluetooth/rfcomm/sock.c
118450+++ b/net/bluetooth/rfcomm/sock.c
118451@@ -690,7 +690,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
118452 struct sock *sk = sock->sk;
118453 struct bt_security sec;
118454 int err = 0;
118455- size_t len;
118456+ size_t len = optlen;
118457 u32 opt;
118458
118459 BT_DBG("sk %p", sk);
118460@@ -712,7 +712,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
118461
118462 sec.level = BT_SECURITY_LOW;
118463
118464- len = min_t(unsigned int, sizeof(sec), optlen);
118465+ len = min(sizeof(sec), len);
118466 if (copy_from_user((char *) &sec, optval, len)) {
118467 err = -EFAULT;
118468 break;
118469diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
118470index 8e385a0..a5bdd8e 100644
118471--- a/net/bluetooth/rfcomm/tty.c
118472+++ b/net/bluetooth/rfcomm/tty.c
118473@@ -752,7 +752,7 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
118474 BT_DBG("tty %p id %d", tty, tty->index);
118475
118476 BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
118477- dev->channel, dev->port.count);
118478+ dev->channel, atomic_read(&dev->port.count));
118479
118480 err = tty_port_open(&dev->port, tty, filp);
118481 if (err)
118482@@ -775,7 +775,7 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
118483 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
118484
118485 BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
118486- dev->port.count);
118487+ atomic_read(&dev->port.count));
118488
118489 tty_port_close(&dev->port, tty, filp);
118490 }
118491diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
118492index 4d74a06..f37f9c2 100644
118493--- a/net/bridge/br_netlink.c
118494+++ b/net/bridge/br_netlink.c
118495@@ -835,7 +835,7 @@ static struct rtnl_af_ops br_af_ops __read_mostly = {
118496 .get_link_af_size = br_get_link_af_size,
118497 };
118498
118499-struct rtnl_link_ops br_link_ops __read_mostly = {
118500+struct rtnl_link_ops br_link_ops = {
118501 .kind = "bridge",
118502 .priv_size = sizeof(struct net_bridge),
118503 .setup = br_dev_setup,
118504diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
118505index 18ca4b2..7e8d731 100644
118506--- a/net/bridge/netfilter/ebtables.c
118507+++ b/net/bridge/netfilter/ebtables.c
118508@@ -1533,7 +1533,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
118509 tmp.valid_hooks = t->table->valid_hooks;
118510 }
118511 mutex_unlock(&ebt_mutex);
118512- if (copy_to_user(user, &tmp, *len) != 0) {
118513+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
118514 BUGPRINT("c2u Didn't work\n");
118515 ret = -EFAULT;
118516 break;
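Review bot: The new `*len > sizeof(tmp)` test shares the failure branch of `copy_to_user`, so an oversized request length is reported as `-EFAULT` and logged as "c2u Didn't work" even though no copy was attempted. `*len` is a signed `int` (see the `int *len` parameter), and a negative value is rejected only through the implicit conversion to `size_t`. A separate check before the copy states both cases: `if (*len < 0 || *len > sizeof(tmp)) { ret = -EINVAL; break; }`. The two `compat_do_ebt_get_ctl` hunks below have the same shape. Whether an earlier length check exists in the function cannot be seen from this hunk.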
118517@@ -2339,7 +2339,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
118518 goto out;
118519 tmp.valid_hooks = t->valid_hooks;
118520
118521- if (copy_to_user(user, &tmp, *len) != 0) {
118522+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
118523 ret = -EFAULT;
118524 break;
118525 }
118526@@ -2350,7 +2350,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
118527 tmp.entries_size = t->table->entries_size;
118528 tmp.valid_hooks = t->table->valid_hooks;
118529
118530- if (copy_to_user(user, &tmp, *len) != 0) {
118531+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
118532 ret = -EFAULT;
118533 break;
118534 }
118535diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
118536index f5afda1..dcf770a 100644
118537--- a/net/caif/cfctrl.c
118538+++ b/net/caif/cfctrl.c
118539@@ -10,6 +10,7 @@
118540 #include <linux/spinlock.h>
118541 #include <linux/slab.h>
118542 #include <linux/pkt_sched.h>
118543+#include <linux/sched.h>
118544 #include <net/caif/caif_layer.h>
118545 #include <net/caif/cfpkt.h>
118546 #include <net/caif/cfctrl.h>
118547@@ -43,8 +44,8 @@ struct cflayer *cfctrl_create(void)
118548 memset(&dev_info, 0, sizeof(dev_info));
118549 dev_info.id = 0xff;
118550 cfsrvl_init(&this->serv, 0, &dev_info, false);
118551- atomic_set(&this->req_seq_no, 1);
118552- atomic_set(&this->rsp_seq_no, 1);
118553+ atomic_set_unchecked(&this->req_seq_no, 1);
118554+ atomic_set_unchecked(&this->rsp_seq_no, 1);
118555 this->serv.layer.receive = cfctrl_recv;
118556 sprintf(this->serv.layer.name, "ctrl");
118557 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
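Review bot: `req_seq_no` and `rsp_seq_no` are switched to the `_unchecked` atomic accessors here without a comment saying why these counters are exempt from overflow checking. They look like protocol sequence numbers that may wrap rather than reference counts, but that is inferred from the names. A line such as `/* sequence numbers wrap by design; not a refcount */` above the `atomic_set_unchecked` calls would record the reasoning. The same applies to `cfctrl_insert_req` and `cfctrl_remove_req` in the later hunks of this file.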
118558@@ -130,8 +131,8 @@ static void cfctrl_insert_req(struct cfctrl *ctrl,
118559 struct cfctrl_request_info *req)
118560 {
118561 spin_lock_bh(&ctrl->info_list_lock);
118562- atomic_inc(&ctrl->req_seq_no);
118563- req->sequence_no = atomic_read(&ctrl->req_seq_no);
118564+ atomic_inc_unchecked(&ctrl->req_seq_no);
118565+ req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
118566 list_add_tail(&req->list, &ctrl->list);
118567 spin_unlock_bh(&ctrl->info_list_lock);
118568 }
118569@@ -149,7 +150,7 @@ static struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
118570 if (p != first)
118571 pr_warn("Requests are not received in order\n");
118572
118573- atomic_set(&ctrl->rsp_seq_no,
118574+ atomic_set_unchecked(&ctrl->rsp_seq_no,
118575 p->sequence_no);
118576 list_del(&p->list);
118577 goto out;
118578diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
118579index 67a4a36..8d28068 100644
118580--- a/net/caif/chnl_net.c
118581+++ b/net/caif/chnl_net.c
118582@@ -515,7 +515,7 @@ static const struct nla_policy ipcaif_policy[IFLA_CAIF_MAX + 1] = {
118583 };
118584
118585
118586-static struct rtnl_link_ops ipcaif_link_ops __read_mostly = {
118587+static struct rtnl_link_ops ipcaif_link_ops = {
118588 .kind = "caif",
118589 .priv_size = sizeof(struct chnl_net),
118590 .setup = ipcaif_net_setup,
118591diff --git a/net/can/af_can.c b/net/can/af_can.c
118592index 166d436..2920816 100644
118593--- a/net/can/af_can.c
118594+++ b/net/can/af_can.c
118595@@ -890,7 +890,7 @@ static const struct net_proto_family can_family_ops = {
118596 };
118597
118598 /* notifier block for netdevice event */
118599-static struct notifier_block can_netdev_notifier __read_mostly = {
118600+static struct notifier_block can_netdev_notifier = {
118601 .notifier_call = can_notifier,
118602 };
118603
118604diff --git a/net/can/bcm.c b/net/can/bcm.c
118605index a1ba687..aafaec5 100644
118606--- a/net/can/bcm.c
118607+++ b/net/can/bcm.c
118608@@ -1620,7 +1620,7 @@ static int __init bcm_module_init(void)
118609 }
118610
118611 /* create /proc/net/can-bcm directory */
118612- proc_dir = proc_mkdir("can-bcm", init_net.proc_net);
118613+ proc_dir = proc_mkdir_restrict("can-bcm", init_net.proc_net);
118614 return 0;
118615 }
118616
118617diff --git a/net/can/gw.c b/net/can/gw.c
118618index 4551687..4e82e9b 100644
118619--- a/net/can/gw.c
118620+++ b/net/can/gw.c
118621@@ -80,7 +80,6 @@ MODULE_PARM_DESC(max_hops,
118622 "default: " __stringify(CGW_DEFAULT_HOPS) ")");
118623
118624 static HLIST_HEAD(cgw_list);
118625-static struct notifier_block notifier;
118626
118627 static struct kmem_cache *cgw_cache __read_mostly;
118628
118629@@ -992,6 +991,10 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh)
118630 return err;
118631 }
118632
118633+static struct notifier_block notifier = {
118634+ .notifier_call = cgw_notifier
118635+};
118636+
118637 static __init int cgw_module_init(void)
118638 {
118639 /* sanitize given module parameter */
118640@@ -1007,7 +1010,6 @@ static __init int cgw_module_init(void)
118641 return -ENOMEM;
118642
118643 /* set notifier */
118644- notifier.notifier_call = cgw_notifier;
118645 register_netdevice_notifier(&notifier);
118646
118647 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
118648diff --git a/net/can/proc.c b/net/can/proc.c
118649index 1a19b98..df2b4ec 100644
118650--- a/net/can/proc.c
118651+++ b/net/can/proc.c
118652@@ -514,7 +514,7 @@ static void can_remove_proc_readentry(const char *name)
118653 void can_init_proc(void)
118654 {
118655 /* create /proc/net/can directory */
118656- can_dir = proc_mkdir("can", init_net.proc_net);
118657+ can_dir = proc_mkdir_restrict("can", init_net.proc_net);
118658
118659 if (!can_dir) {
118660 printk(KERN_INFO "can: failed to create /proc/net/can . "
118661diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
118662index e3be1d2..254c555 100644
118663--- a/net/ceph/messenger.c
118664+++ b/net/ceph/messenger.c
118665@@ -189,7 +189,7 @@ static void con_fault(struct ceph_connection *con);
118666 #define MAX_ADDR_STR_LEN 64 /* 54 is enough */
118667
118668 static char addr_str[ADDR_STR_COUNT][MAX_ADDR_STR_LEN];
118669-static atomic_t addr_str_seq = ATOMIC_INIT(0);
118670+static atomic_unchecked_t addr_str_seq = ATOMIC_INIT(0);
118671
118672 static struct page *zero_page; /* used in certain error cases */
118673
118674@@ -200,7 +200,7 @@ const char *ceph_pr_addr(const struct sockaddr_storage *ss)
118675 struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
118676 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
118677
118678- i = atomic_inc_return(&addr_str_seq) & ADDR_STR_COUNT_MASK;
118679+ i = atomic_inc_return_unchecked(&addr_str_seq) & ADDR_STR_COUNT_MASK;
118680 s = addr_str[i];
118681
118682 switch (ss->ss_family) {
118683diff --git a/net/compat.c b/net/compat.c
118684index 5cfd26a..7e43828 100644
118685--- a/net/compat.c
118686+++ b/net/compat.c
118687@@ -98,20 +98,20 @@ int get_compat_msghdr(struct msghdr *kmsg,
118688
118689 #define CMSG_COMPAT_FIRSTHDR(msg) \
118690 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
118691- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
118692+ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
118693 (struct compat_cmsghdr __user *)NULL)
118694
118695 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
118696 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
118697 (ucmlen) <= (unsigned long) \
118698 ((mhdr)->msg_controllen - \
118699- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
118700+ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
118701
118702 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
118703 struct compat_cmsghdr __user *cmsg, int cmsg_len)
118704 {
118705 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
118706- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
118707+ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
118708 msg->msg_controllen)
118709 return NULL;
118710 return (struct compat_cmsghdr __user *)ptr;
118711@@ -201,7 +201,7 @@ Efault:
118712
118713 int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
118714 {
118715- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
118716+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
118717 struct compat_cmsghdr cmhdr;
118718 struct compat_timeval ctv;
118719 struct compat_timespec cts[3];
118720@@ -257,7 +257,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
118721
118722 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
118723 {
118724- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
118725+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
118726 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
118727 int fdnum = scm->fp->count;
118728 struct file **fp = scm->fp->fp;
118729@@ -345,7 +345,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
118730 return -EFAULT;
118731 old_fs = get_fs();
118732 set_fs(KERNEL_DS);
118733- err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
118734+ err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
118735 set_fs(old_fs);
118736
118737 return err;
118738@@ -406,7 +406,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
118739 len = sizeof(ktime);
118740 old_fs = get_fs();
118741 set_fs(KERNEL_DS);
118742- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
118743+ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
118744 set_fs(old_fs);
118745
118746 if (!err) {
118747@@ -549,7 +549,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
118748 case MCAST_JOIN_GROUP:
118749 case MCAST_LEAVE_GROUP:
118750 {
118751- struct compat_group_req __user *gr32 = (void *)optval;
118752+ struct compat_group_req __user *gr32 = (void __user *)optval;
118753 struct group_req __user *kgr =
118754 compat_alloc_user_space(sizeof(struct group_req));
118755 u32 interface;
118756@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
118757 case MCAST_BLOCK_SOURCE:
118758 case MCAST_UNBLOCK_SOURCE:
118759 {
118760- struct compat_group_source_req __user *gsr32 = (void *)optval;
118761+ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
118762 struct group_source_req __user *kgsr = compat_alloc_user_space(
118763 sizeof(struct group_source_req));
118764 u32 interface;
118765@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
118766 }
118767 case MCAST_MSFILTER:
118768 {
118769- struct compat_group_filter __user *gf32 = (void *)optval;
118770+ struct compat_group_filter __user *gf32 = (void __user *)optval;
118771 struct group_filter __user *kgf;
118772 u32 interface, fmode, numsrc;
118773
118774@@ -629,7 +629,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
118775 char __user *optval, int __user *optlen,
118776 int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
118777 {
118778- struct compat_group_filter __user *gf32 = (void *)optval;
118779+ struct compat_group_filter __user *gf32 = (void __user *)optval;
118780 struct group_filter __user *kgf;
118781 int __user *koptlen;
118782 u32 interface, fmode, numsrc;
118783@@ -773,7 +773,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
118784
118785 if (call < SYS_SOCKET || call > SYS_SENDMMSG)
118786 return -EINVAL;
118787- if (copy_from_user(a, args, nas[call]))
118788+ if (nas[call] > sizeof a || copy_from_user(a, args, nas[call]))
118789 return -EFAULT;
118790 a0 = a[0];
118791 a1 = a[1];
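Review bot: When `nas[call] > sizeof a` is true the syscall returns `-EFAULT`, which tells the caller its pointer was bad when the real cause would be a mismatch between the `nas` table and the size of `a`, both defined outside this hunk. A separate test returning `-EINVAL` would keep the two failures distinguishable: `if (nas[call] > sizeof(a)) return -EINVAL;`. The parenthesised `sizeof(a)` also matches the `sizeof(...)` form used in the other hunks of this file.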
118792diff --git a/net/core/datagram.c b/net/core/datagram.c
118793index 617088a..0364f4f 100644
118794--- a/net/core/datagram.c
118795+++ b/net/core/datagram.c
118796@@ -338,7 +338,7 @@ int skb_kill_datagram(struct sock *sk, struct sk_buff *skb, unsigned int flags)
118797 }
118798
118799 kfree_skb(skb);
118800- atomic_inc(&sk->sk_drops);
118801+ atomic_inc_unchecked(&sk->sk_drops);
118802 sk_mem_reclaim_partial(sk);
118803
118804 return err;
118805diff --git a/net/core/dev.c b/net/core/dev.c
118806index a8e4dd4..aab06f7 100644
118807--- a/net/core/dev.c
118808+++ b/net/core/dev.c
118809@@ -1721,7 +1721,7 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
118810 {
118811 if (skb_orphan_frags(skb, GFP_ATOMIC) ||
118812 unlikely(!is_skb_forwardable(dev, skb))) {
118813- atomic_long_inc(&dev->rx_dropped);
118814+ atomic_long_inc_unchecked(&dev->rx_dropped);
118815 kfree_skb(skb);
118816 return NET_RX_DROP;
118817 }
118818@@ -3125,7 +3125,7 @@ recursion_alert:
118819 drop:
118820 rcu_read_unlock_bh();
118821
118822- atomic_long_inc(&dev->tx_dropped);
118823+ atomic_long_inc_unchecked(&dev->tx_dropped);
118824 kfree_skb_list(skb);
118825 return rc;
118826 out:
118827@@ -3477,7 +3477,7 @@ drop:
118828
118829 local_irq_restore(flags);
118830
118831- atomic_long_inc(&skb->dev->rx_dropped);
118832+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
118833 kfree_skb(skb);
118834 return NET_RX_DROP;
118835 }
118836@@ -3554,7 +3554,7 @@ int netif_rx_ni(struct sk_buff *skb)
118837 }
118838 EXPORT_SYMBOL(netif_rx_ni);
118839
118840-static void net_tx_action(struct softirq_action *h)
118841+static __latent_entropy void net_tx_action(void)
118842 {
118843 struct softnet_data *sd = this_cpu_ptr(&softnet_data);
118844
118845@@ -3892,7 +3892,7 @@ ncls:
118846 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
118847 } else {
118848 drop:
118849- atomic_long_inc(&skb->dev->rx_dropped);
118850+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
118851 kfree_skb(skb);
118852 /* Jamal, now you will not able to escape explaining
118853 * me how you were going to use this. :-)
118854@@ -4783,7 +4783,7 @@ out_unlock:
118855 return work;
118856 }
118857
118858-static void net_rx_action(struct softirq_action *h)
118859+static __latent_entropy void net_rx_action(void)
118860 {
118861 struct softnet_data *sd = this_cpu_ptr(&softnet_data);
118862 unsigned long time_limit = jiffies + 2;
118863@@ -6843,8 +6843,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
118864 } else {
118865 netdev_stats_to_stats64(storage, &dev->stats);
118866 }
118867- storage->rx_dropped += atomic_long_read(&dev->rx_dropped);
118868- storage->tx_dropped += atomic_long_read(&dev->tx_dropped);
118869+ storage->rx_dropped += atomic_long_read_unchecked(&dev->rx_dropped);
118870+ storage->tx_dropped += atomic_long_read_unchecked(&dev->tx_dropped);
118871 return storage;
118872 }
118873 EXPORT_SYMBOL(dev_get_stats);
118874diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
118875index b94b1d2..da3ed7c 100644
118876--- a/net/core/dev_ioctl.c
118877+++ b/net/core/dev_ioctl.c
118878@@ -368,8 +368,13 @@ void dev_load(struct net *net, const char *name)
118879 no_module = !dev;
118880 if (no_module && capable(CAP_NET_ADMIN))
118881 no_module = request_module("netdev-%s", name);
118882- if (no_module && capable(CAP_SYS_MODULE))
118883+ if (no_module && capable(CAP_SYS_MODULE)) {
118884+#ifdef CONFIG_GRKERNSEC_MODHARDEN
118885+ ___request_module(true, "grsec_modharden_netdev", "%s", name);
118886+#else
118887 request_module("%s", name);
118888+#endif
118889+ }
118890 }
118891 EXPORT_SYMBOL(dev_load);
118892
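Review bot: The `CONFIG_GRKERNSEC_MODHARDEN` branch calls `___request_module(true, "grsec_modharden_netdev", "%s", name)` with no comment explaining the bare `true` or the tag string, and neither is defined in this hunk. This is the path where a caller with `CAP_SYS_MODULE` can request a module by an arbitrary interface name, so a reader needs to know what restriction the tag imposes. A comment above the call would make the intent reviewable, for example `/* tag lets the module loader apply the MODHARDEN netdev policy to this name-based request */`, assuming that is what the tag does. The return value is discarded in both branches, as it was before the change. The start of `dev_load` is outside the hunk.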
118893diff --git a/net/core/ethtool.c b/net/core/ethtool.c
118894index b495ab1..29edf74 100644
118895--- a/net/core/ethtool.c
118896+++ b/net/core/ethtool.c
118897@@ -1284,7 +1284,7 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr)
118898
118899 gstrings.len = ret;
118900
118901- data = kmalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER);
118902+ data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER);
118903 if (!data)
118904 return -ENOMEM;
118905
118906diff --git a/net/core/filter.c b/net/core/filter.c
118907index be3098f..51ee477 100644
118908--- a/net/core/filter.c
118909+++ b/net/core/filter.c
118910@@ -582,7 +582,11 @@ do_pass:
118911
118912 /* Unknown instruction. */
118913 default:
118914- goto err;
118915+ WARN(1, KERN_ALERT "Unknown sock filter code:%u jt:%u tf:%u k:%u\n",
118916+ fp->code, fp->jt, fp->jf, fp->k);
118917+ kfree(addrs);
118918+ BUG();
118919+ return -EINVAL;
118920 }
118921
118922 insn++;
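Review bot: The `default:` branch now calls `BUG()` on an unrecognised opcode, so the `return -EINVAL` after it is unreachable and what used to be an error return becomes a kernel halt. If any caller can reach this conversion with an opcode that an earlier check did not reject (not visible from this hunk), a malformed filter turns into a denial of service instead of a rejected request. Keeping the diagnostic but restoring the original exit, `WARN(1, ...); goto err;`, preserves both the alert and the cleanup done at the `err` label. The message also labels `fp->jf` as `tf:`; it should read `jf:%u`.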
118923@@ -626,7 +630,7 @@ static int check_load_and_stores(const struct sock_filter *filter, int flen)
118924 u16 *masks, memvalid = 0; /* One bit per cell, 16 cells */
118925 int pc, ret = 0;
118926
118927- BUILD_BUG_ON(BPF_MEMWORDS > 16);
118928+ BUILD_BUG_ON(BPF_MEMWORDS != 16);
118929
118930 masks = kmalloc_array(flen, sizeof(*masks), GFP_KERNEL);
118931 if (!masks)
118932@@ -1055,7 +1059,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog)
118933 if (!fp)
118934 return -ENOMEM;
118935
118936- memcpy(fp->insns, fprog->filter, fsize);
118937+ memcpy(fp->insns, (void __force_kernel *)fprog->filter, fsize);
118938
118939 fp->len = fprog->len;
118940 /* Since unattached filters are not copied back to user
118941@@ -1701,9 +1705,13 @@ int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
118942 goto out;
118943
118944 /* We're copying the filter that has been originally attached,
118945- * so no conversion/decode needed anymore.
118946+ * so no conversion/decode needed anymore. eBPF programs that
118947+ * have no original program cannot be dumped through this.
118948 */
118949+ ret = -EACCES;
118950 fprog = filter->prog->orig_prog;
118951+ if (!fprog)
118952+ goto out;
118953
118954 ret = fprog->len;
118955 if (!len)
118956diff --git a/net/core/flow.c b/net/core/flow.c
118957index 1033725..340f65d 100644
118958--- a/net/core/flow.c
118959+++ b/net/core/flow.c
118960@@ -65,7 +65,7 @@ static void flow_cache_new_hashrnd(unsigned long arg)
118961 static int flow_entry_valid(struct flow_cache_entry *fle,
118962 struct netns_xfrm *xfrm)
118963 {
118964- if (atomic_read(&xfrm->flow_cache_genid) != fle->genid)
118965+ if (atomic_read_unchecked(&xfrm->flow_cache_genid) != fle->genid)
118966 return 0;
118967 if (fle->object && !fle->object->ops->check(fle->object))
118968 return 0;
118969@@ -242,7 +242,7 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
118970 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
118971 fcp->hash_count++;
118972 }
118973- } else if (likely(fle->genid == atomic_read(&net->xfrm.flow_cache_genid))) {
118974+ } else if (likely(fle->genid == atomic_read_unchecked(&net->xfrm.flow_cache_genid))) {
118975 flo = fle->object;
118976 if (!flo)
118977 goto ret_object;
118978@@ -263,7 +263,7 @@ nocache:
118979 }
118980 flo = resolver(net, key, family, dir, flo, ctx);
118981 if (fle) {
118982- fle->genid = atomic_read(&net->xfrm.flow_cache_genid);
118983+ fle->genid = atomic_read_unchecked(&net->xfrm.flow_cache_genid);
118984 if (!IS_ERR(flo))
118985 fle->object = flo;
118986 else
118987diff --git a/net/core/neighbour.c b/net/core/neighbour.c
118988index 84195da..035c7a7 100644
118989--- a/net/core/neighbour.c
118990+++ b/net/core/neighbour.c
118991@@ -2821,7 +2821,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
118992 void __user *buffer, size_t *lenp, loff_t *ppos)
118993 {
118994 int size, ret;
118995- struct ctl_table tmp = *ctl;
118996+ ctl_table_no_const tmp = *ctl;
118997
118998 tmp.extra1 = &zero;
118999 tmp.extra2 = &unres_qlen_max;
119000@@ -2883,7 +2883,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
119001 void __user *buffer,
119002 size_t *lenp, loff_t *ppos)
119003 {
119004- struct ctl_table tmp = *ctl;
119005+ ctl_table_no_const tmp = *ctl;
119006 int ret;
119007
119008 tmp.extra1 = &zero;
119009diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c
119010index 2bf8329..2eb1423 100644
119011--- a/net/core/net-procfs.c
119012+++ b/net/core/net-procfs.c
119013@@ -79,7 +79,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev)
119014 struct rtnl_link_stats64 temp;
119015 const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp);
119016
119017- seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
119018+ if (gr_proc_is_restricted())
119019+ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
119020+ "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
119021+ dev->name, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL,
119022+ 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL);
119023+ else
119024+ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
119025 "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
119026 dev->name, stats->rx_bytes, stats->rx_packets,
119027 stats->rx_errors,
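Review bot: The restricted branch repeats the whole 16-field format string followed by sixteen `0ULL` arguments, so the two `seq_printf` calls have to be kept in sync by hand whenever a column changes. Zeroing the local and reusing the single existing call avoids the duplication: `if (gr_proc_is_restricted()) { memset(&temp, 0, sizeof(temp)); stats = &temp; }` placed after the `stats` declaration. The original `seq_printf` call continues past the end of the hunk.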
119028@@ -166,7 +172,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v)
119029 return 0;
119030 }
119031
119032-static const struct seq_operations dev_seq_ops = {
119033+const struct seq_operations dev_seq_ops = {
119034 .start = dev_seq_start,
119035 .next = dev_seq_next,
119036 .stop = dev_seq_stop,
119037@@ -196,7 +202,7 @@ static const struct seq_operations softnet_seq_ops = {
119038
119039 static int softnet_seq_open(struct inode *inode, struct file *file)
119040 {
119041- return seq_open(file, &softnet_seq_ops);
119042+ return seq_open_restrict(file, &softnet_seq_ops);
119043 }
119044
119045 static const struct file_operations softnet_seq_fops = {
119046@@ -283,8 +289,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
119047 else
119048 seq_printf(seq, "%04x", ntohs(pt->type));
119049
119050+#ifdef CONFIG_GRKERNSEC_HIDESYM
119051+ seq_printf(seq, " %-8s %pf\n",
119052+ pt->dev ? pt->dev->name : "", NULL);
119053+#else
119054 seq_printf(seq, " %-8s %pf\n",
119055 pt->dev ? pt->dev->name : "", pt->func);
119056+#endif
119057 }
119058
119059 return 0;
119060diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
119061index 18b34d7..faecc1d 100644
119062--- a/net/core/net-sysfs.c
119063+++ b/net/core/net-sysfs.c
119064@@ -288,7 +288,7 @@ static ssize_t carrier_changes_show(struct device *dev,
119065 {
119066 struct net_device *netdev = to_net_dev(dev);
119067 return sprintf(buf, fmt_dec,
119068- atomic_read(&netdev->carrier_changes));
119069+ atomic_read_unchecked(&netdev->carrier_changes));
119070 }
119071 static DEVICE_ATTR_RO(carrier_changes);
119072
119073diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
119074index 2c2eb1b..a53be3e 100644
119075--- a/net/core/net_namespace.c
119076+++ b/net/core/net_namespace.c
119077@@ -775,7 +775,7 @@ static int __register_pernet_operations(struct list_head *list,
119078 int error;
119079 LIST_HEAD(net_exit_list);
119080
119081- list_add_tail(&ops->list, list);
119082+ pax_list_add_tail((struct list_head *)&ops->list, list);
119083 if (ops->init || (ops->id && ops->size)) {
119084 for_each_net(net) {
119085 error = ops_init(ops, net);
119086@@ -788,7 +788,7 @@ static int __register_pernet_operations(struct list_head *list,
119087
119088 out_undo:
119089 /* If I have an error cleanup all namespaces I initialized */
119090- list_del(&ops->list);
119091+ pax_list_del((struct list_head *)&ops->list);
119092 ops_exit_list(ops, &net_exit_list);
119093 ops_free_list(ops, &net_exit_list);
119094 return error;
119095@@ -799,7 +799,7 @@ static void __unregister_pernet_operations(struct pernet_operations *ops)
119096 struct net *net;
119097 LIST_HEAD(net_exit_list);
119098
119099- list_del(&ops->list);
119100+ pax_list_del((struct list_head *)&ops->list);
119101 for_each_net(net)
119102 list_add_tail(&net->exit_list, &net_exit_list);
119103 ops_exit_list(ops, &net_exit_list);
119104@@ -933,7 +933,7 @@ int register_pernet_device(struct pernet_operations *ops)
119105 mutex_lock(&net_mutex);
119106 error = register_pernet_operations(&pernet_list, ops);
119107 if (!error && (first_device == &pernet_list))
119108- first_device = &ops->list;
119109+ first_device = (struct list_head *)&ops->list;
119110 mutex_unlock(&net_mutex);
119111 return error;
119112 }
119113diff --git a/net/core/netpoll.c b/net/core/netpoll.c
119114index c126a87..10ad89d 100644
119115--- a/net/core/netpoll.c
119116+++ b/net/core/netpoll.c
119117@@ -377,7 +377,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
119118 struct udphdr *udph;
119119 struct iphdr *iph;
119120 struct ethhdr *eth;
119121- static atomic_t ip_ident;
119122+ static atomic_unchecked_t ip_ident;
119123 struct ipv6hdr *ip6h;
119124
119125 udp_len = len + sizeof(*udph);
119126@@ -448,7 +448,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
119127 put_unaligned(0x45, (unsigned char *)iph);
119128 iph->tos = 0;
119129 put_unaligned(htons(ip_len), &(iph->tot_len));
119130- iph->id = htons(atomic_inc_return(&ip_ident));
119131+ iph->id = htons(atomic_inc_return_unchecked(&ip_ident));
119132 iph->frag_off = 0;
119133 iph->ttl = 64;
119134 iph->protocol = IPPROTO_UDP;
119135diff --git a/net/core/pktgen.c b/net/core/pktgen.c
119136index 1cbd209..9553598 100644
119137--- a/net/core/pktgen.c
119138+++ b/net/core/pktgen.c
119139@@ -3828,7 +3828,7 @@ static int __net_init pg_net_init(struct net *net)
119140 pn->net = net;
119141 INIT_LIST_HEAD(&pn->pktgen_threads);
119142 pn->pktgen_exiting = false;
119143- pn->proc_dir = proc_mkdir(PG_PROC_DIR, pn->net->proc_net);
119144+ pn->proc_dir = proc_mkdir_restrict(PG_PROC_DIR, pn->net->proc_net);
119145 if (!pn->proc_dir) {
119146 pr_warn("cannot create /proc/net/%s\n", PG_PROC_DIR);
119147 return -ENODEV;
119148diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
119149index 0861018..1fd388b 100644
119150--- a/net/core/rtnetlink.c
119151+++ b/net/core/rtnetlink.c
119152@@ -61,7 +61,7 @@ struct rtnl_link {
119153 rtnl_doit_func doit;
119154 rtnl_dumpit_func dumpit;
119155 rtnl_calcit_func calcit;
119156-};
119157+} __no_const;
119158
119159 static DEFINE_MUTEX(rtnl_mutex);
119160
119161@@ -307,10 +307,13 @@ int __rtnl_link_register(struct rtnl_link_ops *ops)
119162 * to use the ops for creating device. So do not
119163 * fill up dellink as well. That disables rtnl_dellink.
119164 */
119165- if (ops->setup && !ops->dellink)
119166- ops->dellink = unregister_netdevice_queue;
119167+ if (ops->setup && !ops->dellink) {
119168+ pax_open_kernel();
119169+ *(void **)&ops->dellink = unregister_netdevice_queue;
119170+ pax_close_kernel();
119171+ }
119172
119173- list_add_tail(&ops->list, &link_ops);
119174+ pax_list_add_tail((struct list_head *)&ops->list, &link_ops);
119175 return 0;
119176 }
119177 EXPORT_SYMBOL_GPL(__rtnl_link_register);
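Review bot: The store `*(void **)&ops->dellink = unregister_netdevice_queue;` goes through a `void **` cast, so the compiler no longer checks that `unregister_netdevice_queue` matches the type of the `dellink` member. The cast and the `pax_open_kernel()`/`pax_close_kernel()` pair presumably exist because `ops` may sit in read-only memory under this patch, but nothing in the hunk says so. A comment such as `/* ops may be read-only; open a write window for this single store */` would document the intent and discourage widening the window later. The start of `__rtnl_link_register` is outside the hunk.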
119178@@ -357,7 +360,7 @@ void __rtnl_link_unregister(struct rtnl_link_ops *ops)
119179 for_each_net(net) {
119180 __rtnl_kill_links(net, ops);
119181 }
119182- list_del(&ops->list);
119183+ pax_list_del((struct list_head *)&ops->list);
119184 }
119185 EXPORT_SYMBOL_GPL(__rtnl_link_unregister);
119186
119187@@ -1082,7 +1085,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
119188 (dev->ifalias &&
119189 nla_put_string(skb, IFLA_IFALIAS, dev->ifalias)) ||
119190 nla_put_u32(skb, IFLA_CARRIER_CHANGES,
119191- atomic_read(&dev->carrier_changes)))
119192+ atomic_read_unchecked(&dev->carrier_changes)))
119193 goto nla_put_failure;
119194
119195 if (1) {
119196diff --git a/net/core/scm.c b/net/core/scm.c
119197index 3b6899b..cf36238 100644
119198--- a/net/core/scm.c
119199+++ b/net/core/scm.c
119200@@ -209,7 +209,7 @@ EXPORT_SYMBOL(__scm_send);
119201 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
119202 {
119203 struct cmsghdr __user *cm
119204- = (__force struct cmsghdr __user *)msg->msg_control;
119205+ = (struct cmsghdr __force_user *)msg->msg_control;
119206 struct cmsghdr cmhdr;
119207 int cmlen = CMSG_LEN(len);
119208 int err;
119209@@ -232,7 +232,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
119210 err = -EFAULT;
119211 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
119212 goto out;
119213- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
119214+ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
119215 goto out;
119216 cmlen = CMSG_SPACE(len);
119217 if (msg->msg_controllen < cmlen)
119218@@ -248,7 +248,7 @@ EXPORT_SYMBOL(put_cmsg);
119219 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
119220 {
119221 struct cmsghdr __user *cm
119222- = (__force struct cmsghdr __user*)msg->msg_control;
119223+ = (struct cmsghdr __force_user *)msg->msg_control;
119224
119225 int fdmax = 0;
119226 int fdnum = scm->fp->count;
119227@@ -268,7 +268,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
119228 if (fdnum < fdmax)
119229 fdmax = fdnum;
119230
119231- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
119232+ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
119233 i++, cmfptr++)
119234 {
119235 struct socket *sock;
119236diff --git a/net/core/skbuff.c b/net/core/skbuff.c
119237index 7b84330..e0f5a86 100644
119238--- a/net/core/skbuff.c
119239+++ b/net/core/skbuff.c
119240@@ -2103,7 +2103,7 @@ EXPORT_SYMBOL(__skb_checksum);
119241 __wsum skb_checksum(const struct sk_buff *skb, int offset,
119242 int len, __wsum csum)
119243 {
119244- const struct skb_checksum_ops ops = {
119245+ static const struct skb_checksum_ops ops = {
119246 .update = csum_partial_ext,
119247 .combine = csum_block_add_ext,
119248 };
119249@@ -3317,12 +3317,14 @@ void __init skb_init(void)
119250 skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
119251 sizeof(struct sk_buff),
119252 0,
119253- SLAB_HWCACHE_ALIGN|SLAB_PANIC,
119254+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|
119255+ SLAB_NO_SANITIZE,
119256 NULL);
119257 skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache",
119258 sizeof(struct sk_buff_fclones),
119259 0,
119260- SLAB_HWCACHE_ALIGN|SLAB_PANIC,
119261+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|
119262+ SLAB_NO_SANITIZE,
119263 NULL);
119264 }
119265
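Review bot: `SLAB_NO_SANITIZE` is added to both `skbuff_head_cache` and `skbuff_fclone_cache` without a comment on why these caches are exempt. Judging by the flag's name, freed `sk_buff` heads would then not be wiped by the patch's slab sanitisation, which is a security/performance trade-off worth stating where it is made. If allocation cost is the reason, a comment above the first `kmem_cache_create` call such as `/* skb heads are exempt from sanitize-on-free for performance */` would record it. The start of `skb_init` is outside the hunk.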
119266diff --git a/net/core/sock.c b/net/core/sock.c
119267index 193901d..33094ab 100644
119268--- a/net/core/sock.c
119269+++ b/net/core/sock.c
119270@@ -441,7 +441,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
119271 struct sk_buff_head *list = &sk->sk_receive_queue;
119272
119273 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) {
119274- atomic_inc(&sk->sk_drops);
119275+ atomic_inc_unchecked(&sk->sk_drops);
119276 trace_sock_rcvqueue_full(sk, skb);
119277 return -ENOMEM;
119278 }
119279@@ -451,7 +451,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
119280 return err;
119281
119282 if (!sk_rmem_schedule(sk, skb, skb->truesize)) {
119283- atomic_inc(&sk->sk_drops);
119284+ atomic_inc_unchecked(&sk->sk_drops);
119285 return -ENOBUFS;
119286 }
119287
119288@@ -484,7 +484,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
119289 skb->dev = NULL;
119290
119291 if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
119292- atomic_inc(&sk->sk_drops);
119293+ atomic_inc_unchecked(&sk->sk_drops);
119294 goto discard_and_relse;
119295 }
119296 if (nested)
119297@@ -502,7 +502,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
119298 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
119299 } else if (sk_add_backlog(sk, skb, sk->sk_rcvbuf)) {
119300 bh_unlock_sock(sk);
119301- atomic_inc(&sk->sk_drops);
119302+ atomic_inc_unchecked(&sk->sk_drops);
119303 goto discard_and_relse;
119304 }
119305
119306@@ -908,6 +908,7 @@ set_rcvbuf:
119307 }
119308 break;
119309
119310+#ifndef GRKERNSEC_BPF_HARDEN
119311 case SO_ATTACH_BPF:
119312 ret = -EINVAL;
119313 if (optlen == sizeof(u32)) {
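Review bot: The guard added before `case SO_ATTACH_BPF:` tests `GRKERNSEC_BPF_HARDEN`, without the `CONFIG_` prefix that Kconfig-generated macros carry and that the `sysctl_net_core.c` hunk in this same patch uses (`!defined(CONFIG_GRKERNSEC_BPF_HARDEN)`). Unless the unprefixed name is defined somewhere outside this view, the `#ifndef` is always true and the socket option stays compiled in when the hardening option is enabled. The line should read `#ifndef CONFIG_GRKERNSEC_BPF_HARDEN`; the matching `#endif` is in the following hunk.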
119314@@ -920,7 +921,7 @@ set_rcvbuf:
119315 ret = sk_attach_bpf(ufd, sk);
119316 }
119317 break;
119318-
119319+#endif
119320 case SO_DETACH_FILTER:
119321 ret = sk_detach_filter(sk);
119322 break;
119323@@ -1022,12 +1023,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
119324 struct timeval tm;
119325 } v;
119326
119327- int lv = sizeof(int);
119328- int len;
119329+ unsigned int lv = sizeof(int);
119330+ unsigned int len;
119331
119332 if (get_user(len, optlen))
119333 return -EFAULT;
119334- if (len < 0)
119335+ if (len > INT_MAX)
119336 return -EINVAL;
119337
119338 memset(&v, 0, sizeof(v));
119339@@ -1165,11 +1166,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
119340
119341 case SO_PEERNAME:
119342 {
119343- char address[128];
119344+ char address[_K_SS_MAXSIZE];
119345
119346 if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
119347 return -ENOTCONN;
119348- if (lv < len)
119349+ if (lv < len || sizeof address < len)
119350 return -EINVAL;
119351 if (copy_to_user(optval, address, len))
119352 return -EFAULT;
119353@@ -1257,7 +1258,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
119354
119355 if (len > lv)
119356 len = lv;
119357- if (copy_to_user(optval, &v, len))
119358+ if (len > sizeof(v) || copy_to_user(optval, &v, len))
119359 return -EFAULT;
119360 lenout:
119361 if (put_user(len, optlen))
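Review bot: The new `len > sizeof(v)` test fails with `-EFAULT`, the same code a bad `optval` pointer produces, so an oversized `lv` set by one of the option cases would go unnoticed. `len` has just been clamped to `lv`, so the test can only fire on a kernel-side sizing mistake; the cases that set `lv` are outside this hunk. Consider making that visible, e.g. `if (WARN_ON_ONCE(len > sizeof(v)) || copy_to_user(optval, &v, len))`, provided no user-controlled value can reach it. The two `net/decnet/sysctl_net_decnet.c` hunks (`len > sizeof addr`, `len > sizeof devname`) follow the same silent pattern.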
119362@@ -1550,7 +1551,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
119363 newsk->sk_err = 0;
119364 newsk->sk_priority = 0;
119365 newsk->sk_incoming_cpu = raw_smp_processor_id();
119366- atomic64_set(&newsk->sk_cookie, 0);
119367+ atomic64_set_unchecked(&newsk->sk_cookie, 0);
119368 /*
119369 * Before updating sk_refcnt, we must commit prior changes to memory
119370 * (Documentation/RCU/rculist_nulls.txt for details)
119371@@ -2359,7 +2360,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
119372 */
119373 smp_wmb();
119374 atomic_set(&sk->sk_refcnt, 1);
119375- atomic_set(&sk->sk_drops, 0);
119376+ atomic_set_unchecked(&sk->sk_drops, 0);
119377 }
119378 EXPORT_SYMBOL(sock_init_data);
119379
119380@@ -2487,6 +2488,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
119381 int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
119382 int level, int type)
119383 {
119384+ struct sock_extended_err ee;
119385 struct sock_exterr_skb *serr;
119386 struct sk_buff *skb;
119387 int copied, err;
119388@@ -2508,7 +2510,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
119389 sock_recv_timestamp(msg, sk, skb);
119390
119391 serr = SKB_EXT_ERR(skb);
119392- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee);
119393+ ee = serr->ee;
119394+ put_cmsg(msg, level, type, sizeof ee, &ee);
119395
119396 msg->msg_flags |= MSG_ERRQUEUE;
119397 err = copied;
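Review bot: The copy `ee = serr->ee;` ahead of `put_cmsg()` looks redundant on its own and carries no comment, so a later cleanup is likely to fold it back into `&serr->ee`. If the bounce through the stack exists so that the copy to user space does not read directly out of the skb's control block (my reading, not stated on the page), say so with `/* copy out via the stack, not from skb->cb */` above the assignment. The declaration of `ee` is in the previous hunk and the function continues past this one.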
119398diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
119399index 817622f..2577b26 100644
119400--- a/net/core/sock_diag.c
119401+++ b/net/core/sock_diag.c
119402@@ -12,7 +12,7 @@
119403 #include <linux/inet_diag.h>
119404 #include <linux/sock_diag.h>
119405
119406-static const struct sock_diag_handler *sock_diag_handlers[AF_MAX];
119407+static const struct sock_diag_handler *sock_diag_handlers[AF_MAX] __read_only;
119408 static int (*inet_rcv_compat)(struct sk_buff *skb, struct nlmsghdr *nlh);
119409 static DEFINE_MUTEX(sock_diag_table_mutex);
119410 static struct workqueue_struct *broadcast_wq;
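Review bot: `sock_diag_handlers[]` becomes `__read_only`, but the function pointer `inet_rcv_compat` declared on the next line stays in ordinary writable data although it is an indirect-call target of the same kind. If its writers can be wrapped the way the register/unregister hunks below wrap theirs (`pax_open_kernel();` ... `pax_close_kernel();`), marking it `__read_only` as well would keep the protection consistent; those writers are not in this view. Failing that, a short comment on why it is left writable would help the next reader.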
119411@@ -20,12 +20,12 @@ static struct workqueue_struct *broadcast_wq;
119412 static u64 sock_gen_cookie(struct sock *sk)
119413 {
119414 while (1) {
119415- u64 res = atomic64_read(&sk->sk_cookie);
119416+ u64 res = atomic64_read_unchecked(&sk->sk_cookie);
119417
119418 if (res)
119419 return res;
119420- res = atomic64_inc_return(&sock_net(sk)->cookie_gen);
119421- atomic64_cmpxchg(&sk->sk_cookie, 0, res);
119422+ res = atomic64_inc_return_unchecked(&sock_net(sk)->cookie_gen);
119423+ atomic64_cmpxchg_unchecked(&sk->sk_cookie, 0, res);
119424 }
119425 }
119426
119427@@ -190,8 +190,11 @@ int sock_diag_register(const struct sock_diag_handler *hndl)
119428 mutex_lock(&sock_diag_table_mutex);
119429 if (sock_diag_handlers[hndl->family])
119430 err = -EBUSY;
119431- else
119432+ else {
119433+ pax_open_kernel();
119434 sock_diag_handlers[hndl->family] = hndl;
119435+ pax_close_kernel();
119436+ }
119437 mutex_unlock(&sock_diag_table_mutex);
119438
119439 return err;
119440@@ -207,7 +210,9 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld)
119441
119442 mutex_lock(&sock_diag_table_mutex);
119443 BUG_ON(sock_diag_handlers[family] != hnld);
119444+ pax_open_kernel();
119445 sock_diag_handlers[family] = NULL;
119446+ pax_close_kernel();
119447 mutex_unlock(&sock_diag_table_mutex);
119448 }
119449 EXPORT_SYMBOL_GPL(sock_diag_unregister);
119450diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
119451index 95b6139..3048623 100644
119452--- a/net/core/sysctl_net_core.c
119453+++ b/net/core/sysctl_net_core.c
119454@@ -35,7 +35,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
119455 {
119456 unsigned int orig_size, size;
119457 int ret, i;
119458- struct ctl_table tmp = {
119459+ ctl_table_no_const tmp = {
119460 .data = &size,
119461 .maxlen = sizeof(size),
119462 .mode = table->mode
119463@@ -203,7 +203,7 @@ static int set_default_qdisc(struct ctl_table *table, int write,
119464 void __user *buffer, size_t *lenp, loff_t *ppos)
119465 {
119466 char id[IFNAMSIZ];
119467- struct ctl_table tbl = {
119468+ ctl_table_no_const tbl = {
119469 .data = id,
119470 .maxlen = IFNAMSIZ,
119471 };
119472@@ -221,7 +221,7 @@ static int set_default_qdisc(struct ctl_table *table, int write,
119473 static int proc_do_rss_key(struct ctl_table *table, int write,
119474 void __user *buffer, size_t *lenp, loff_t *ppos)
119475 {
119476- struct ctl_table fake_table;
119477+ ctl_table_no_const fake_table;
119478 char buf[NETDEV_RSS_KEY_LEN * 3];
119479
119480 snprintf(buf, sizeof(buf), "%*phC", NETDEV_RSS_KEY_LEN, netdev_rss_key);
119481@@ -285,7 +285,7 @@ static struct ctl_table net_core_table[] = {
119482 .mode = 0444,
119483 .proc_handler = proc_do_rss_key,
119484 },
119485-#ifdef CONFIG_BPF_JIT
119486+#if defined(CONFIG_BPF_JIT) && !defined(CONFIG_GRKERNSEC_BPF_HARDEN)
119487 {
119488 .procname = "bpf_jit_enable",
119489 .data = &bpf_jit_enable,
119490@@ -409,13 +409,12 @@ static struct ctl_table netns_core_table[] = {
119491
119492 static __net_init int sysctl_core_net_init(struct net *net)
119493 {
119494- struct ctl_table *tbl;
119495+ ctl_table_no_const *tbl = NULL;
119496
119497 net->core.sysctl_somaxconn = SOMAXCONN;
119498
119499- tbl = netns_core_table;
119500 if (!net_eq(net, &init_net)) {
119501- tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
119502+ tbl = kmemdup(netns_core_table, sizeof(netns_core_table), GFP_KERNEL);
119503 if (tbl == NULL)
119504 goto err_dup;
119505
119506@@ -425,17 +424,16 @@ static __net_init int sysctl_core_net_init(struct net *net)
119507 if (net->user_ns != &init_user_ns) {
119508 tbl[0].procname = NULL;
119509 }
119510- }
119511-
119512- net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
119513+ net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
119514+ } else
119515+ net->core.sysctl_hdr = register_net_sysctl(net, "net/core", netns_core_table);
119516 if (net->core.sysctl_hdr == NULL)
119517 goto err_reg;
119518
119519 return 0;
119520
119521 err_reg:
119522- if (tbl != netns_core_table)
119523- kfree(tbl);
119524+ kfree(tbl);
119525 err_dup:
119526 return -ENOMEM;
119527 }
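Review bot: The new `} else` branch is a bare statement after a braced `if` body, where kernel coding style asks for braces on both sides, i.e. `} else {` around the `register_net_sysctl(net, "net/core", netns_core_table);` assignment. Also, `err_reg` now relies on `tbl` staying NULL on the `init_net` path so that `kfree(tbl)` is a no-op; a comment at the `= NULL` initializer in the previous hunk, such as `/* stays NULL for init_net, which registers the static table */`, would protect that invariant. The same unbraced `} else` appears in the `lowpan_frags_ns_sysctl_register()` and `ip4_frags_ns_ctl_register()` hunks.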
119528@@ -450,7 +448,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net)
119529 kfree(tbl);
119530 }
119531
119532-static __net_initdata struct pernet_operations sysctl_core_ops = {
119533+static __net_initconst struct pernet_operations sysctl_core_ops = {
119534 .init = sysctl_core_net_init,
119535 .exit = sysctl_core_net_exit,
119536 };
119537diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
119538index 675cf94..9279a75 100644
119539--- a/net/decnet/af_decnet.c
119540+++ b/net/decnet/af_decnet.c
119541@@ -466,6 +466,7 @@ static struct proto dn_proto = {
119542 .sysctl_rmem = sysctl_decnet_rmem,
119543 .max_header = DN_MAX_NSP_DATA_HEADER + 64,
119544 .obj_size = sizeof(struct dn_sock),
119545+ .slab_flags = SLAB_USERCOPY,
119546 };
119547
119548 static struct sock *dn_alloc_sock(struct net *net, struct socket *sock, gfp_t gfp, int kern)
119549diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
119550index b2c26b0..41f803e 100644
119551--- a/net/decnet/dn_dev.c
119552+++ b/net/decnet/dn_dev.c
119553@@ -201,7 +201,7 @@ static struct dn_dev_sysctl_table {
119554 .extra1 = &min_t3,
119555 .extra2 = &max_t3
119556 },
119557- {0}
119558+ { }
119559 },
119560 };
119561
119562diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c
119563index 5325b54..a0d4d69 100644
119564--- a/net/decnet/sysctl_net_decnet.c
119565+++ b/net/decnet/sysctl_net_decnet.c
119566@@ -174,7 +174,7 @@ static int dn_node_address_handler(struct ctl_table *table, int write,
119567
119568 if (len > *lenp) len = *lenp;
119569
119570- if (copy_to_user(buffer, addr, len))
119571+ if (len > sizeof addr || copy_to_user(buffer, addr, len))
119572 return -EFAULT;
119573
119574 *lenp = len;
119575@@ -237,7 +237,7 @@ static int dn_def_dev_handler(struct ctl_table *table, int write,
119576
119577 if (len > *lenp) len = *lenp;
119578
119579- if (copy_to_user(buffer, devname, len))
119580+ if (len > sizeof devname || copy_to_user(buffer, devname, len))
119581 return -EFAULT;
119582
119583 *lenp = len;
119584diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
119585index b445d49..13e8538 100644
119586--- a/net/dsa/dsa.c
119587+++ b/net/dsa/dsa.c
119588@@ -851,7 +851,7 @@ static struct packet_type dsa_pack_type __read_mostly = {
119589 .func = dsa_switch_rcv,
119590 };
119591
119592-static struct notifier_block dsa_netdevice_nb __read_mostly = {
119593+static struct notifier_block dsa_netdevice_nb = {
119594 .notifier_call = dsa_slave_netdevice_event,
119595 };
119596
119597diff --git a/net/hsr/hsr_netlink.c b/net/hsr/hsr_netlink.c
119598index a2c7e4c..3dc9f67 100644
119599--- a/net/hsr/hsr_netlink.c
119600+++ b/net/hsr/hsr_netlink.c
119601@@ -102,7 +102,7 @@ nla_put_failure:
119602 return -EMSGSIZE;
119603 }
119604
119605-static struct rtnl_link_ops hsr_link_ops __read_mostly = {
119606+static struct rtnl_link_ops hsr_link_ops = {
119607 .kind = "hsr",
119608 .maxtype = IFLA_HSR_MAX,
119609 .policy = hsr_policy,
119610diff --git a/net/ieee802154/6lowpan/core.c b/net/ieee802154/6lowpan/core.c
119611index f20a387..2058892 100644
119612--- a/net/ieee802154/6lowpan/core.c
119613+++ b/net/ieee802154/6lowpan/core.c
119614@@ -191,7 +191,7 @@ static void lowpan_dellink(struct net_device *dev, struct list_head *head)
119615 dev_put(real_dev);
119616 }
119617
119618-static struct rtnl_link_ops lowpan_link_ops __read_mostly = {
119619+static struct rtnl_link_ops lowpan_link_ops = {
119620 .kind = "lowpan",
119621 .priv_size = sizeof(struct lowpan_dev_info),
119622 .setup = lowpan_setup,
119623diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
119624index 214d44a..dcb7f86 100644
119625--- a/net/ieee802154/6lowpan/reassembly.c
119626+++ b/net/ieee802154/6lowpan/reassembly.c
119627@@ -435,14 +435,13 @@ static struct ctl_table lowpan_frags_ctl_table[] = {
119628
119629 static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
119630 {
119631- struct ctl_table *table;
119632+ ctl_table_no_const *table = NULL;
119633 struct ctl_table_header *hdr;
119634 struct netns_ieee802154_lowpan *ieee802154_lowpan =
119635 net_ieee802154_lowpan(net);
119636
119637- table = lowpan_frags_ns_ctl_table;
119638 if (!net_eq(net, &init_net)) {
119639- table = kmemdup(table, sizeof(lowpan_frags_ns_ctl_table),
119640+ table = kmemdup(lowpan_frags_ns_ctl_table, sizeof(lowpan_frags_ns_ctl_table),
119641 GFP_KERNEL);
119642 if (table == NULL)
119643 goto err_alloc;
119644@@ -457,9 +456,9 @@ static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
119645 /* Don't export sysctls to unprivileged users */
119646 if (net->user_ns != &init_user_ns)
119647 table[0].procname = NULL;
119648- }
119649-
119650- hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", table);
119651+ hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", table);
119652+ } else
119653+ hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", lowpan_frags_ns_ctl_table);
119654 if (hdr == NULL)
119655 goto err_reg;
119656
119657@@ -467,8 +466,7 @@ static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
119658 return 0;
119659
119660 err_reg:
119661- if (!net_eq(net, &init_net))
119662- kfree(table);
119663+ kfree(table);
119664 err_alloc:
119665 return -ENOMEM;
119666 }
119667diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
119668index 9532ee8..020410a 100644
119669--- a/net/ipv4/af_inet.c
119670+++ b/net/ipv4/af_inet.c
119671@@ -1392,7 +1392,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
119672 return ip_recv_error(sk, msg, len, addr_len);
119673 #if IS_ENABLED(CONFIG_IPV6)
119674 if (sk->sk_family == AF_INET6)
119675- return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len);
119676+ return pingv6_ops->ipv6_recv_error(sk, msg, len, addr_len);
119677 #endif
119678 return -EINVAL;
119679 }
119680diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
119681index 2d9cb17..20ae904 100644
119682--- a/net/ipv4/devinet.c
119683+++ b/net/ipv4/devinet.c
119684@@ -69,7 +69,8 @@
119685
119686 static struct ipv4_devconf ipv4_devconf = {
119687 .data = {
119688- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
119689+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0,
119690+ [IPV4_DEVCONF_RP_FILTER - 1] = 1,
119691 [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1,
119692 [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1,
119693 [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1,
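Review bot: This initializer changes user-visible defaults (`ACCEPT_REDIRECTS` from 1 to 0, `RP_FILTER` newly set to 1) with no comment and no configuration switch visible here. Strict reverse-path filtering drops traffic on hosts with asymmetric routes, so an operator who sees packets vanish after moving to this kernel needs a pointer to the cause. A comment above the initializer would do, e.g. `/* hardened defaults: ignore ICMP redirects, strict rp_filter; override via net.ipv4.conf.* sysctls */`. The same applies to `ipv4_devconf_dflt` in the next hunk.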
119694@@ -80,7 +81,8 @@ static struct ipv4_devconf ipv4_devconf = {
119695
119696 static struct ipv4_devconf ipv4_devconf_dflt = {
119697 .data = {
119698- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
119699+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0,
119700+ [IPV4_DEVCONF_RP_FILTER - 1] = 1,
119701 [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1,
119702 [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1,
119703 [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1,
119704@@ -1579,7 +1581,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
119705 idx = 0;
119706 head = &net->dev_index_head[h];
119707 rcu_read_lock();
119708- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
119709+ cb->seq = atomic_read_unchecked(&net->ipv4.dev_addr_genid) ^
119710 net->dev_base_seq;
119711 hlist_for_each_entry_rcu(dev, head, index_hlist) {
119712 if (idx < s_idx)
119713@@ -1905,7 +1907,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb,
119714 idx = 0;
119715 head = &net->dev_index_head[h];
119716 rcu_read_lock();
119717- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
119718+ cb->seq = atomic_read_unchecked(&net->ipv4.dev_addr_genid) ^
119719 net->dev_base_seq;
119720 hlist_for_each_entry_rcu(dev, head, index_hlist) {
119721 if (idx < s_idx)
119722@@ -2146,7 +2148,7 @@ static int ipv4_doint_and_flush(struct ctl_table *ctl, int write,
119723 #define DEVINET_SYSCTL_FLUSHING_ENTRY(attr, name) \
119724 DEVINET_SYSCTL_COMPLEX_ENTRY(attr, name, ipv4_doint_and_flush)
119725
119726-static struct devinet_sysctl_table {
119727+static const struct devinet_sysctl_table {
119728 struct ctl_table_header *sysctl_header;
119729 struct ctl_table devinet_vars[__IPV4_DEVCONF_MAX];
119730 } devinet_sysctl = {
119731@@ -2280,7 +2282,7 @@ static __net_init int devinet_init_net(struct net *net)
119732 int err;
119733 struct ipv4_devconf *all, *dflt;
119734 #ifdef CONFIG_SYSCTL
119735- struct ctl_table *tbl = ctl_forward_entry;
119736+ ctl_table_no_const *tbl = NULL;
119737 struct ctl_table_header *forw_hdr;
119738 #endif
119739
119740@@ -2298,7 +2300,7 @@ static __net_init int devinet_init_net(struct net *net)
119741 goto err_alloc_dflt;
119742
119743 #ifdef CONFIG_SYSCTL
119744- tbl = kmemdup(tbl, sizeof(ctl_forward_entry), GFP_KERNEL);
119745+ tbl = kmemdup(ctl_forward_entry, sizeof(ctl_forward_entry), GFP_KERNEL);
119746 if (!tbl)
119747 goto err_alloc_ctl;
119748
119749@@ -2318,7 +2320,10 @@ static __net_init int devinet_init_net(struct net *net)
119750 goto err_reg_dflt;
119751
119752 err = -ENOMEM;
119753- forw_hdr = register_net_sysctl(net, "net/ipv4", tbl);
119754+ if (!net_eq(net, &init_net))
119755+ forw_hdr = register_net_sysctl(net, "net/ipv4", tbl);
119756+ else
119757+ forw_hdr = register_net_sysctl(net, "net/ipv4", ctl_forward_entry);
119758 if (!forw_hdr)
119759 goto err_reg_ctl;
119760 net->ipv4.forw_hdr = forw_hdr;
119761@@ -2334,8 +2339,7 @@ err_reg_ctl:
119762 err_reg_dflt:
119763 __devinet_sysctl_unregister(all);
119764 err_reg_all:
119765- if (tbl != ctl_forward_entry)
119766- kfree(tbl);
119767+ kfree(tbl);
119768 err_alloc_ctl:
119769 #endif
119770 if (dflt != &ipv4_devconf_dflt)
119771diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
119772index 6bbc549..28d74951 100644
119773--- a/net/ipv4/fib_frontend.c
119774+++ b/net/ipv4/fib_frontend.c
119775@@ -1083,12 +1083,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
119776 #ifdef CONFIG_IP_ROUTE_MULTIPATH
119777 fib_sync_up(dev, RTNH_F_DEAD);
119778 #endif
119779- atomic_inc(&net->ipv4.dev_addr_genid);
119780+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119781 rt_cache_flush(dev_net(dev));
119782 break;
119783 case NETDEV_DOWN:
119784 fib_del_ifaddr(ifa, NULL);
119785- atomic_inc(&net->ipv4.dev_addr_genid);
119786+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119787 if (!ifa->ifa_dev->ifa_list) {
119788 /* Last address was deleted from this interface.
119789 * Disable IP.
119790@@ -1127,7 +1127,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
119791 #ifdef CONFIG_IP_ROUTE_MULTIPATH
119792 fib_sync_up(dev, RTNH_F_DEAD);
119793 #endif
119794- atomic_inc(&net->ipv4.dev_addr_genid);
119795+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119796 rt_cache_flush(net);
119797 break;
119798 case NETDEV_DOWN:
119799diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
119800index 3a06586..1020c5b 100644
119801--- a/net/ipv4/fib_semantics.c
119802+++ b/net/ipv4/fib_semantics.c
119803@@ -755,7 +755,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
119804 nh->nh_saddr = inet_select_addr(nh->nh_dev,
119805 nh->nh_gw,
119806 nh->nh_parent->fib_scope);
119807- nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
119808+ nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
119809
119810 return nh->nh_saddr;
119811 }
119812diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
119813index 1349571..e136d6e 100644
119814--- a/net/ipv4/inet_connection_sock.c
119815+++ b/net/ipv4/inet_connection_sock.c
119816@@ -728,8 +728,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
119817 newsk->sk_write_space = sk_stream_write_space;
119818
119819 newsk->sk_mark = inet_rsk(req)->ir_mark;
119820- atomic64_set(&newsk->sk_cookie,
119821- atomic64_read(&inet_rsk(req)->ir_cookie));
119822+ atomic64_set_unchecked(&newsk->sk_cookie,
119823+ atomic64_read_unchecked(&inet_rsk(req)->ir_cookie));
119824
119825 newicsk->icsk_retransmits = 0;
119826 newicsk->icsk_backoff = 0;
119827diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
119828index 0cb9165..8589720 100644
119829--- a/net/ipv4/inet_hashtables.c
119830+++ b/net/ipv4/inet_hashtables.c
119831@@ -19,6 +19,7 @@
119832 #include <linux/slab.h>
119833 #include <linux/wait.h>
119834 #include <linux/vmalloc.h>
119835+#include <linux/security.h>
119836
119837 #include <net/inet_connection_sock.h>
119838 #include <net/inet_hashtables.h>
119839@@ -54,6 +55,8 @@ u32 sk_ehashfn(const struct sock *sk)
119840 sk->sk_daddr, sk->sk_dport);
119841 }
119842
119843+extern void gr_update_task_in_ip_table(const struct inet_sock *inet);
119844+
119845 /*
119846 * Allocate and initialize a new local port bind bucket.
119847 * The bindhash mutex for snum's hash chain must be held here.
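Review bot: `gr_update_task_in_ip_table()` is declared with a bare `extern` inside this `.c` file, so the prototype is never checked against the definition and will drift silently if the signature changes. The declaration belongs in a header that both the definition and this caller include. The same goes for `extern int grsec_enable_blackhole;` in the `net/ipv4/ip_input.c` hunk further down.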
119848@@ -566,6 +569,8 @@ ok:
119849 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
119850 spin_unlock(&head->lock);
119851
119852+ gr_update_task_in_ip_table(inet_sk(sk));
119853+
119854 if (tw) {
119855 inet_twsk_deschedule(tw);
119856 while (twrefcnt) {
119857diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
119858index 2ffbd16..6e94995 100644
119859--- a/net/ipv4/inet_timewait_sock.c
119860+++ b/net/ipv4/inet_timewait_sock.c
119861@@ -214,7 +214,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk,
119862 tw->tw_ipv6only = 0;
119863 tw->tw_transparent = inet->transparent;
119864 tw->tw_prot = sk->sk_prot_creator;
119865- atomic64_set(&tw->tw_cookie, atomic64_read(&sk->sk_cookie));
119866+ atomic64_set_unchecked(&tw->tw_cookie, atomic64_read_unchecked(&sk->sk_cookie));
119867 twsk_net_set(tw, sock_net(sk));
119868 setup_timer(&tw->tw_timer, tw_timer_handler, (unsigned long)tw);
119869 /*
119870diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
119871index 241afd7..31b95d5 100644
119872--- a/net/ipv4/inetpeer.c
119873+++ b/net/ipv4/inetpeer.c
119874@@ -461,7 +461,7 @@ relookup:
119875 if (p) {
119876 p->daddr = *daddr;
119877 atomic_set(&p->refcnt, 1);
119878- atomic_set(&p->rid, 0);
119879+ atomic_set_unchecked(&p->rid, 0);
119880 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
119881 p->rate_tokens = 0;
119882 /* 60*HZ is arbitrary, but chosen enough high so that the first
119883diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
119884index 921138f..1e011ff 100644
119885--- a/net/ipv4/ip_fragment.c
119886+++ b/net/ipv4/ip_fragment.c
119887@@ -276,7 +276,7 @@ static int ip_frag_too_far(struct ipq *qp)
119888 return 0;
119889
119890 start = qp->rid;
119891- end = atomic_inc_return(&peer->rid);
119892+ end = atomic_inc_return_unchecked(&peer->rid);
119893 qp->rid = end;
119894
119895 rc = qp->q.fragments && (end - start) > max;
119896@@ -780,12 +780,11 @@ static struct ctl_table ip4_frags_ctl_table[] = {
119897
119898 static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119899 {
119900- struct ctl_table *table;
119901+ ctl_table_no_const *table = NULL;
119902 struct ctl_table_header *hdr;
119903
119904- table = ip4_frags_ns_ctl_table;
119905 if (!net_eq(net, &init_net)) {
119906- table = kmemdup(table, sizeof(ip4_frags_ns_ctl_table), GFP_KERNEL);
119907+ table = kmemdup(ip4_frags_ns_ctl_table, sizeof(ip4_frags_ns_ctl_table), GFP_KERNEL);
119908 if (!table)
119909 goto err_alloc;
119910
119911@@ -799,9 +798,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119912 /* Don't export sysctls to unprivileged users */
119913 if (net->user_ns != &init_user_ns)
119914 table[0].procname = NULL;
119915- }
119916+ hdr = register_net_sysctl(net, "net/ipv4", table);
119917+ } else
119918+ hdr = register_net_sysctl(net, "net/ipv4", ip4_frags_ns_ctl_table);
119919
119920- hdr = register_net_sysctl(net, "net/ipv4", table);
119921 if (!hdr)
119922 goto err_reg;
119923
119924@@ -809,8 +809,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119925 return 0;
119926
119927 err_reg:
119928- if (!net_eq(net, &init_net))
119929- kfree(table);
119930+ kfree(table);
119931 err_alloc:
119932 return -ENOMEM;
119933 }
119934diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
119935index 5fd7064..d13d75f 100644
119936--- a/net/ipv4/ip_gre.c
119937+++ b/net/ipv4/ip_gre.c
119938@@ -115,7 +115,7 @@ static bool log_ecn_error = true;
119939 module_param(log_ecn_error, bool, 0644);
119940 MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
119941
119942-static struct rtnl_link_ops ipgre_link_ops __read_mostly;
119943+static struct rtnl_link_ops ipgre_link_ops;
119944 static int ipgre_tunnel_init(struct net_device *dev);
119945
119946 static int ipgre_net_id __read_mostly;
119947@@ -819,7 +819,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
119948 [IFLA_GRE_ENCAP_DPORT] = { .type = NLA_U16 },
119949 };
119950
119951-static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
119952+static struct rtnl_link_ops ipgre_link_ops = {
119953 .kind = "gre",
119954 .maxtype = IFLA_GRE_MAX,
119955 .policy = ipgre_policy,
119956@@ -834,7 +834,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
119957 .get_link_net = ip_tunnel_get_link_net,
119958 };
119959
119960-static struct rtnl_link_ops ipgre_tap_ops __read_mostly = {
119961+static struct rtnl_link_ops ipgre_tap_ops = {
119962 .kind = "gretap",
119963 .maxtype = IFLA_GRE_MAX,
119964 .policy = ipgre_policy,
119965diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
119966index 2db4c87..4db9282 100644
119967--- a/net/ipv4/ip_input.c
119968+++ b/net/ipv4/ip_input.c
119969@@ -147,6 +147,10 @@
119970 #include <linux/mroute.h>
119971 #include <linux/netlink.h>
119972
119973+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119974+extern int grsec_enable_blackhole;
119975+#endif
119976+
119977 /*
119978 * Process Router Attention IP option (RFC 2113)
119979 */
119980@@ -223,6 +227,9 @@ static int ip_local_deliver_finish(struct sock *sk, struct sk_buff *skb)
119981 if (!raw) {
119982 if (xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
119983 IP_INC_STATS_BH(net, IPSTATS_MIB_INUNKNOWNPROTOS);
119984+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119985+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
119986+#endif
119987 icmp_send(skb, ICMP_DEST_UNREACH,
119988 ICMP_PROT_UNREACH, 0);
119989 }
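Review bot: The added `if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))` sits inside `#ifdef`/`#endif` while the statement it guards, `icmp_send(...)`, sits outside, so the control flow differs per configuration and nothing on the `icmp_send` line shows that it has become conditional. A small inline helper that returns true when the option is compiled out would keep a single code path, e.g. `if (grsec_may_send_unreach(skb))` (name constructed for illustration), with the `#ifdef` confined to the helper. A comment saying why loopback is exempt from the suppression would also help. The function extends beyond this hunk.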
119990diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
119991index c3c359a..504edc6 100644
119992--- a/net/ipv4/ip_sockglue.c
119993+++ b/net/ipv4/ip_sockglue.c
119994@@ -1295,7 +1295,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
119995 len = min_t(unsigned int, len, opt->optlen);
119996 if (put_user(len, optlen))
119997 return -EFAULT;
119998- if (copy_to_user(optval, opt->__data, len))
119999+ if ((len > (sizeof(optbuf) - sizeof(struct ip_options))) ||
120000+ copy_to_user(optval, opt->__data, len))
120001 return -EFAULT;
120002 return 0;
120003 }
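Review bot: The new bound on `len` is evaluated after `put_user(len, optlen)`, so on the rejection path the caller's `optlen` has already been overwritten with the length that is then refused. Moving the test ahead of the `put_user()` call, as `if (len > sizeof(optbuf) - sizeof(struct ip_options)) return -EFAULT;` directly after the `min_t()` line, keeps the failure free of side effects. `optbuf` is declared outside this hunk, so the size arithmetic cannot be checked from here.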
120004@@ -1432,7 +1433,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
120005 if (sk->sk_type != SOCK_STREAM)
120006 return -ENOPROTOOPT;
120007
120008- msg.msg_control = (__force void *) optval;
120009+ msg.msg_control = (__force_kernel void *) optval;
120010 msg.msg_controllen = len;
120011 msg.msg_flags = flags;
120012
120013diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
120014index 0c15208..a3a76c5 100644
120015--- a/net/ipv4/ip_vti.c
120016+++ b/net/ipv4/ip_vti.c
120017@@ -45,7 +45,7 @@
120018 #include <net/net_namespace.h>
120019 #include <net/netns/generic.h>
120020
120021-static struct rtnl_link_ops vti_link_ops __read_mostly;
120022+static struct rtnl_link_ops vti_link_ops;
120023
120024 static int vti_net_id __read_mostly;
120025 static int vti_tunnel_init(struct net_device *dev);
120026@@ -525,7 +525,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
120027 [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) },
120028 };
120029
120030-static struct rtnl_link_ops vti_link_ops __read_mostly = {
120031+static struct rtnl_link_ops vti_link_ops = {
120032 .kind = "vti",
120033 .maxtype = IFLA_VTI_MAX,
120034 .policy = vti_policy,
120035diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
120036index 8e7328c..9bd7ed3 100644
120037--- a/net/ipv4/ipconfig.c
120038+++ b/net/ipv4/ipconfig.c
120039@@ -333,7 +333,7 @@ static int __init ic_devinet_ioctl(unsigned int cmd, struct ifreq *arg)
120040
120041 mm_segment_t oldfs = get_fs();
120042 set_fs(get_ds());
120043- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
120044+ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
120045 set_fs(oldfs);
120046 return res;
120047 }
120048@@ -344,7 +344,7 @@ static int __init ic_dev_ioctl(unsigned int cmd, struct ifreq *arg)
120049
120050 mm_segment_t oldfs = get_fs();
120051 set_fs(get_ds());
120052- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
120053+ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
120054 set_fs(oldfs);
120055 return res;
120056 }
120057@@ -355,7 +355,7 @@ static int __init ic_route_ioctl(unsigned int cmd, struct rtentry *arg)
120058
120059 mm_segment_t oldfs = get_fs();
120060 set_fs(get_ds());
120061- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
120062+ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
120063 set_fs(oldfs);
120064 return res;
120065 }
120066diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
120067index 254238d..82c19a2 100644
120068--- a/net/ipv4/ipip.c
120069+++ b/net/ipv4/ipip.c
120070@@ -124,7 +124,7 @@ MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
120071 static int ipip_net_id __read_mostly;
120072
120073 static int ipip_tunnel_init(struct net_device *dev);
120074-static struct rtnl_link_ops ipip_link_ops __read_mostly;
120075+static struct rtnl_link_ops ipip_link_ops;
120076
120077 static int ipip_err(struct sk_buff *skb, u32 info)
120078 {
120079@@ -488,7 +488,7 @@ static const struct nla_policy ipip_policy[IFLA_IPTUN_MAX + 1] = {
120080 [IFLA_IPTUN_ENCAP_DPORT] = { .type = NLA_U16 },
120081 };
120082
120083-static struct rtnl_link_ops ipip_link_ops __read_mostly = {
120084+static struct rtnl_link_ops ipip_link_ops = {
120085 .kind = "ipip",
120086 .maxtype = IFLA_IPTUN_MAX,
120087 .policy = ipip_policy,
120088diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
120089index 92305a1..0a5b349 100644
120090--- a/net/ipv4/netfilter/arp_tables.c
120091+++ b/net/ipv4/netfilter/arp_tables.c
120092@@ -896,14 +896,14 @@ static int compat_table_info(const struct xt_table_info *info,
120093 #endif
120094
120095 static int get_info(struct net *net, void __user *user,
120096- const int *len, int compat)
120097+ int len, int compat)
120098 {
120099 char name[XT_TABLE_MAXNAMELEN];
120100 struct xt_table *t;
120101 int ret;
120102
120103- if (*len != sizeof(struct arpt_getinfo)) {
120104- duprintf("length %u != %Zu\n", *len,
120105+ if (len != sizeof(struct arpt_getinfo)) {
120106+ duprintf("length %u != %Zu\n", len,
120107 sizeof(struct arpt_getinfo));
120108 return -EINVAL;
120109 }
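Review bot: `len` is now a plain `int`, yet the rewritten `duprintf()` line still prints it with `%u` and keeps `%Zu` where the sibling `ip_tables.c` hunk uses `%zu`. Since the line is being touched anyway, `duprintf("length %d != %zu\n", len,` would match the argument types. Passing the length by value also means the value compared with `sizeof(struct arpt_getinfo)` is the same one handed to `copy_to_user()` in the next hunk; a one-line comment stating that intent would keep a later refactor from reintroducing the pointer.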
120110@@ -940,7 +940,7 @@ static int get_info(struct net *net, void __user *user,
120111 info.size = private->size;
120112 strcpy(info.name, name);
120113
120114- if (copy_to_user(user, &info, *len) != 0)
120115+ if (copy_to_user(user, &info, len) != 0)
120116 ret = -EFAULT;
120117 else
120118 ret = 0;
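Review bot: The length passed to `copy_to_user` is still the caller-supplied `len`, not the size of the object being copied. get_info checks `len` against `sizeof(struct arpt_getinfo)` in the previous hunk, so the two agree today. If `info` is that struct (its declaration is outside this hunk), `copy_to_user(user, &info, sizeof(info))` keeps the bound next to the copy and survives a later change to the entry check. The same applies to the matching get_info hunks in net/ipv4/netfilter/ip_tables.c. Separately, `len` is now a plain `int` but the duprintf in the first hunk still prints it with `%u`; `%d` would match.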
120119@@ -1705,7 +1705,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,
120120
120121 switch (cmd) {
120122 case ARPT_SO_GET_INFO:
120123- ret = get_info(sock_net(sk), user, len, 1);
120124+ ret = get_info(sock_net(sk), user, *len, 1);
120125 break;
120126 case ARPT_SO_GET_ENTRIES:
120127 ret = compat_get_entries(sock_net(sk), user, len);
120128@@ -1750,7 +1750,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
120129
120130 switch (cmd) {
120131 case ARPT_SO_GET_INFO:
120132- ret = get_info(sock_net(sk), user, len, 0);
120133+ ret = get_info(sock_net(sk), user, *len, 0);
120134 break;
120135
120136 case ARPT_SO_GET_ENTRIES:
120137diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
120138index 6c72fbb..ce47b05 100644
120139--- a/net/ipv4/netfilter/ip_tables.c
120140+++ b/net/ipv4/netfilter/ip_tables.c
120141@@ -1073,14 +1073,14 @@ static int compat_table_info(const struct xt_table_info *info,
120142 #endif
120143
120144 static int get_info(struct net *net, void __user *user,
120145- const int *len, int compat)
120146+ int len, int compat)
120147 {
120148 char name[XT_TABLE_MAXNAMELEN];
120149 struct xt_table *t;
120150 int ret;
120151
120152- if (*len != sizeof(struct ipt_getinfo)) {
120153- duprintf("length %u != %zu\n", *len,
120154+ if (len != sizeof(struct ipt_getinfo)) {
120155+ duprintf("length %u != %zu\n", len,
120156 sizeof(struct ipt_getinfo));
120157 return -EINVAL;
120158 }
120159@@ -1117,7 +1117,7 @@ static int get_info(struct net *net, void __user *user,
120160 info.size = private->size;
120161 strcpy(info.name, name);
120162
120163- if (copy_to_user(user, &info, *len) != 0)
120164+ if (copy_to_user(user, &info, len) != 0)
120165 ret = -EFAULT;
120166 else
120167 ret = 0;
120168@@ -1968,7 +1968,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
120169
120170 switch (cmd) {
120171 case IPT_SO_GET_INFO:
120172- ret = get_info(sock_net(sk), user, len, 1);
120173+ ret = get_info(sock_net(sk), user, *len, 1);
120174 break;
120175 case IPT_SO_GET_ENTRIES:
120176 ret = compat_get_entries(sock_net(sk), user, len);
120177@@ -2015,7 +2015,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
120178
120179 switch (cmd) {
120180 case IPT_SO_GET_INFO:
120181- ret = get_info(sock_net(sk), user, len, 0);
120182+ ret = get_info(sock_net(sk), user, *len, 0);
120183 break;
120184
120185 case IPT_SO_GET_ENTRIES:
120186diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
120187index 45cb16a..cef4ecd 100644
120188--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
120189+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
120190@@ -730,7 +730,7 @@ static int clusterip_net_init(struct net *net)
120191 spin_lock_init(&cn->lock);
120192
120193 #ifdef CONFIG_PROC_FS
120194- cn->procdir = proc_mkdir("ipt_CLUSTERIP", net->proc_net);
120195+ cn->procdir = proc_mkdir_restrict("ipt_CLUSTERIP", net->proc_net);
120196 if (!cn->procdir) {
120197 pr_err("Unable to proc dir entry\n");
120198 return -ENOMEM;
120199diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
120200index 05ff44b..da00000 100644
120201--- a/net/ipv4/ping.c
120202+++ b/net/ipv4/ping.c
120203@@ -59,7 +59,7 @@ struct ping_table {
120204 };
120205
120206 static struct ping_table ping_table;
120207-struct pingv6_ops pingv6_ops;
120208+struct pingv6_ops *pingv6_ops;
120209 EXPORT_SYMBOL_GPL(pingv6_ops);
120210
120211 static u16 ping_port_rover;
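Review bot: `pingv6_ops` becomes a zero-initialised pointer here, and every call site converted in the later hunks of this file (`ping_check_bind_addr`, `ping_err`, `ping_recvmsg`) dereferences it with no NULL test. Whether it is always assigned before an AF_INET6 ping socket can reach those paths depends on the IPv6 side, which is not in this file section. The definition should carry that contract in a comment, for example `/* assigned by the IPv6 ping code at init; must stay non-NULL while AF_INET6 ping sockets exist */`, if that is indeed what the other half of the change guarantees.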
120212@@ -359,7 +359,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk,
120213 return -ENODEV;
120214 }
120215 }
120216- has_addr = pingv6_ops.ipv6_chk_addr(net, &addr->sin6_addr, dev,
120217+ has_addr = pingv6_ops->ipv6_chk_addr(net, &addr->sin6_addr, dev,
120218 scoped);
120219 rcu_read_unlock();
120220
120221@@ -567,7 +567,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info)
120222 }
120223 #if IS_ENABLED(CONFIG_IPV6)
120224 } else if (skb->protocol == htons(ETH_P_IPV6)) {
120225- harderr = pingv6_ops.icmpv6_err_convert(type, code, &err);
120226+ harderr = pingv6_ops->icmpv6_err_convert(type, code, &err);
120227 #endif
120228 }
120229
120230@@ -585,7 +585,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info)
120231 info, (u8 *)icmph);
120232 #if IS_ENABLED(CONFIG_IPV6)
120233 } else if (family == AF_INET6) {
120234- pingv6_ops.ipv6_icmp_error(sk, skb, err, 0,
120235+ pingv6_ops->ipv6_icmp_error(sk, skb, err, 0,
120236 info, (u8 *)icmph);
120237 #endif
120238 }
120239@@ -918,10 +918,10 @@ int ping_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
120240 }
120241
120242 if (inet6_sk(sk)->rxopt.all)
120243- pingv6_ops.ip6_datagram_recv_common_ctl(sk, msg, skb);
120244+ pingv6_ops->ip6_datagram_recv_common_ctl(sk, msg, skb);
120245 if (skb->protocol == htons(ETH_P_IPV6) &&
120246 inet6_sk(sk)->rxopt.all)
120247- pingv6_ops.ip6_datagram_recv_specific_ctl(sk, msg, skb);
120248+ pingv6_ops->ip6_datagram_recv_specific_ctl(sk, msg, skb);
120249 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags)
120250 ip_cmsg_recv(msg, skb);
120251 #endif
120252@@ -1116,7 +1116,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
120253 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
120254 0, sock_i_ino(sp),
120255 atomic_read(&sp->sk_refcnt), sp,
120256- atomic_read(&sp->sk_drops));
120257+ atomic_read_unchecked(&sp->sk_drops));
120258 }
120259
120260 static int ping_v4_seq_show(struct seq_file *seq, void *v)
120261diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
120262index 561cd4b..a32a155 100644
120263--- a/net/ipv4/raw.c
120264+++ b/net/ipv4/raw.c
120265@@ -323,7 +323,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
120266 int raw_rcv(struct sock *sk, struct sk_buff *skb)
120267 {
120268 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
120269- atomic_inc(&sk->sk_drops);
120270+ atomic_inc_unchecked(&sk->sk_drops);
120271 kfree_skb(skb);
120272 return NET_RX_DROP;
120273 }
120274@@ -771,16 +771,20 @@ static int raw_init(struct sock *sk)
120275
120276 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
120277 {
120278+ struct icmp_filter filter;
120279+
120280 if (optlen > sizeof(struct icmp_filter))
120281 optlen = sizeof(struct icmp_filter);
120282- if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
120283+ if (copy_from_user(&filter, optval, optlen))
120284 return -EFAULT;
120285+ raw_sk(sk)->filter = filter;
120286 return 0;
120287 }
120288
120289 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
120290 {
120291 int len, ret = -EFAULT;
120292+ struct icmp_filter filter;
120293
120294 if (get_user(len, optlen))
120295 goto out;
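Review bot: `filter` in raw_seticmpfilter is an uninitialised stack variable, and `copy_from_user(&filter, optval, optlen)` fills only `optlen` bytes of it before `raw_sk(sk)->filter = filter;` stores the whole struct. When `optlen` is smaller than `sizeof(struct icmp_filter)`, the remaining bytes of the socket's filter now come from stale kernel stack, and raw_geticmpfilter (next hunk) copies that filter back to user space. The old code left those bytes unchanged. Initialising from the current value restores the partial-update behaviour and removes the stale-stack read: `struct icmp_filter filter = raw_sk(sk)->filter;`. raw_geticmpfilter's body continues outside this hunk.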
120296@@ -790,8 +794,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
120297 if (len > sizeof(struct icmp_filter))
120298 len = sizeof(struct icmp_filter);
120299 ret = -EFAULT;
120300- if (put_user(len, optlen) ||
120301- copy_to_user(optval, &raw_sk(sk)->filter, len))
120302+ filter = raw_sk(sk)->filter;
120303+ if (put_user(len, optlen) || len > sizeof filter || copy_to_user(optval, &filter, len))
120304 goto out;
120305 ret = 0;
120306 out: return ret;
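Review bot: The added `len > sizeof filter` test cannot fire, because `len` is clamped to `sizeof(struct icmp_filter)` two lines earlier. It also sits after `put_user(len, optlen)`, so if it ever did fire the caller's `optlen` would already have been rewritten. If the test exists to satisfy a bounds checker, say so in a comment and put it first: `if (len > sizeof filter || put_user(len, optlen) || copy_to_user(optval, &filter, len))`. The `width > sizeof tbuf` test added in net/ipv4/tcp_probe.c follows the same pattern and returns -EFAULT for what would be a kernel-side invariant violation; a one-line comment there would help too.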
120307@@ -1020,7 +1024,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
120308 0, 0L, 0,
120309 from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
120310 0, sock_i_ino(sp),
120311- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
120312+ atomic_read(&sp->sk_refcnt), sp, atomic_read_unchecked(&sp->sk_drops));
120313 }
120314
120315 static int raw_seq_show(struct seq_file *seq, void *v)
120316diff --git a/net/ipv4/route.c b/net/ipv4/route.c
120317index e681b85..8a43a65 100644
120318--- a/net/ipv4/route.c
120319+++ b/net/ipv4/route.c
120320@@ -227,7 +227,7 @@ static const struct seq_operations rt_cache_seq_ops = {
120321
120322 static int rt_cache_seq_open(struct inode *inode, struct file *file)
120323 {
120324- return seq_open(file, &rt_cache_seq_ops);
120325+ return seq_open_restrict(file, &rt_cache_seq_ops);
120326 }
120327
120328 static const struct file_operations rt_cache_seq_fops = {
120329@@ -318,7 +318,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
120330
120331 static int rt_cpu_seq_open(struct inode *inode, struct file *file)
120332 {
120333- return seq_open(file, &rt_cpu_seq_ops);
120334+ return seq_open_restrict(file, &rt_cpu_seq_ops);
120335 }
120336
120337 static const struct file_operations rt_cpu_seq_fops = {
120338@@ -356,7 +356,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
120339
120340 static int rt_acct_proc_open(struct inode *inode, struct file *file)
120341 {
120342- return single_open(file, rt_acct_proc_show, NULL);
120343+ return single_open_restrict(file, rt_acct_proc_show, NULL);
120344 }
120345
120346 static const struct file_operations rt_acct_proc_fops = {
120347@@ -458,7 +458,7 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
120348
120349 #define IP_IDENTS_SZ 2048u
120350
120351-static atomic_t *ip_idents __read_mostly;
120352+static atomic_unchecked_t ip_idents[IP_IDENTS_SZ] __read_mostly;
120353 static u32 *ip_tstamps __read_mostly;
120354
120355 /* In order to protect privacy, we add a perturbation to identifiers
120356@@ -468,7 +468,7 @@ static u32 *ip_tstamps __read_mostly;
120357 u32 ip_idents_reserve(u32 hash, int segs)
120358 {
120359 u32 *p_tstamp = ip_tstamps + hash % IP_IDENTS_SZ;
120360- atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
120361+ atomic_unchecked_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
120362 u32 old = ACCESS_ONCE(*p_tstamp);
120363 u32 now = (u32)jiffies;
120364 u32 delta = 0;
120365@@ -476,7 +476,7 @@ u32 ip_idents_reserve(u32 hash, int segs)
120366 if (old != now && cmpxchg(p_tstamp, old, now) == old)
120367 delta = prandom_u32_max(now - old);
120368
120369- return atomic_add_return(segs + delta, p_id) - segs;
120370+ return atomic_add_return_unchecked(segs + delta, p_id) - segs;
120371 }
120372 EXPORT_SYMBOL(ip_idents_reserve);
120373
120374@@ -2640,34 +2640,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
120375 .maxlen = sizeof(int),
120376 .mode = 0200,
120377 .proc_handler = ipv4_sysctl_rtcache_flush,
120378+ .extra1 = &init_net,
120379 },
120380 { },
120381 };
120382
120383 static __net_init int sysctl_route_net_init(struct net *net)
120384 {
120385- struct ctl_table *tbl;
120386+ ctl_table_no_const *tbl = NULL;
120387
120388- tbl = ipv4_route_flush_table;
120389 if (!net_eq(net, &init_net)) {
120390- tbl = kmemdup(tbl, sizeof(ipv4_route_flush_table), GFP_KERNEL);
120391+ tbl = kmemdup(ipv4_route_flush_table, sizeof(ipv4_route_flush_table), GFP_KERNEL);
120392 if (!tbl)
120393 goto err_dup;
120394
120395 /* Don't export sysctls to unprivileged users */
120396 if (net->user_ns != &init_user_ns)
120397 tbl[0].procname = NULL;
120398- }
120399- tbl[0].extra1 = net;
120400+ tbl[0].extra1 = net;
120401+ net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", tbl);
120402+ } else
120403+ net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", ipv4_route_flush_table);
120404
120405- net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", tbl);
120406 if (!net->ipv4.route_hdr)
120407 goto err_reg;
120408 return 0;
120409
120410 err_reg:
120411- if (tbl != ipv4_route_flush_table)
120412- kfree(tbl);
120413+ kfree(tbl);
120414 err_dup:
120415 return -ENOMEM;
120416 }
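Review bot: The new `} else` arm in sysctl_route_net_init is unbraced while the `if` arm is braced; kernel style wants braces on both. The two `register_net_sysctl()` calls differ only in the table argument. A short comment such as `/* init_net registers the static table directly so it is never written at runtime */` would record why the call was split, assuming that is the intent of `ctl_table_no_const`. The same unbraced `else` appears in xfrm4_net_init (net/ipv4/xfrm4_policy.c), and ipv4_sysctl_init_net (net/ipv4/sysctl_net_ipv4.c) repeats the `!net_eq(net, &init_net)` test a second time just to choose the table.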
120417@@ -2690,8 +2690,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
120418
120419 static __net_init int rt_genid_init(struct net *net)
120420 {
120421- atomic_set(&net->ipv4.rt_genid, 0);
120422- atomic_set(&net->fnhe_genid, 0);
120423+ atomic_set_unchecked(&net->ipv4.rt_genid, 0);
120424+ atomic_set_unchecked(&net->fnhe_genid, 0);
120425 get_random_bytes(&net->ipv4.dev_addr_genid,
120426 sizeof(net->ipv4.dev_addr_genid));
120427 return 0;
120428@@ -2735,11 +2735,7 @@ int __init ip_rt_init(void)
120429 int rc = 0;
120430 int cpu;
120431
120432- ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL);
120433- if (!ip_idents)
120434- panic("IP: failed to allocate ip_idents\n");
120435-
120436- prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));
120437+ prandom_bytes(ip_idents, sizeof(ip_idents));
120438
120439 ip_tstamps = kcalloc(IP_IDENTS_SZ, sizeof(*ip_tstamps), GFP_KERNEL);
120440 if (!ip_tstamps)
120441diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
120442index 0330ab2..4745d2c 100644
120443--- a/net/ipv4/sysctl_net_ipv4.c
120444+++ b/net/ipv4/sysctl_net_ipv4.c
120445@@ -66,7 +66,7 @@ static int ipv4_local_port_range(struct ctl_table *table, int write,
120446 container_of(table->data, struct net, ipv4.ip_local_ports.range);
120447 int ret;
120448 int range[2];
120449- struct ctl_table tmp = {
120450+ ctl_table_no_const tmp = {
120451 .data = &range,
120452 .maxlen = sizeof(range),
120453 .mode = table->mode,
120454@@ -124,7 +124,7 @@ static int ipv4_ping_group_range(struct ctl_table *table, int write,
120455 int ret;
120456 gid_t urange[2];
120457 kgid_t low, high;
120458- struct ctl_table tmp = {
120459+ ctl_table_no_const tmp = {
120460 .data = &urange,
120461 .maxlen = sizeof(urange),
120462 .mode = table->mode,
120463@@ -155,7 +155,7 @@ static int proc_tcp_congestion_control(struct ctl_table *ctl, int write,
120464 void __user *buffer, size_t *lenp, loff_t *ppos)
120465 {
120466 char val[TCP_CA_NAME_MAX];
120467- struct ctl_table tbl = {
120468+ ctl_table_no_const tbl = {
120469 .data = val,
120470 .maxlen = TCP_CA_NAME_MAX,
120471 };
120472@@ -174,7 +174,7 @@ static int proc_tcp_available_congestion_control(struct ctl_table *ctl,
120473 void __user *buffer, size_t *lenp,
120474 loff_t *ppos)
120475 {
120476- struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, };
120477+ ctl_table_no_const tbl = { .maxlen = TCP_CA_BUF_MAX, };
120478 int ret;
120479
120480 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
120481@@ -191,7 +191,7 @@ static int proc_allowed_congestion_control(struct ctl_table *ctl,
120482 void __user *buffer, size_t *lenp,
120483 loff_t *ppos)
120484 {
120485- struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX };
120486+ ctl_table_no_const tbl = { .maxlen = TCP_CA_BUF_MAX };
120487 int ret;
120488
120489 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
120490@@ -210,7 +210,7 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write,
120491 void __user *buffer, size_t *lenp,
120492 loff_t *ppos)
120493 {
120494- struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
120495+ ctl_table_no_const tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
120496 struct tcp_fastopen_context *ctxt;
120497 int ret;
120498 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
120499@@ -915,13 +915,12 @@ static struct ctl_table ipv4_net_table[] = {
120500
120501 static __net_init int ipv4_sysctl_init_net(struct net *net)
120502 {
120503- struct ctl_table *table;
120504+ ctl_table_no_const *table = NULL;
120505
120506- table = ipv4_net_table;
120507 if (!net_eq(net, &init_net)) {
120508 int i;
120509
120510- table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL);
120511+ table = kmemdup(ipv4_net_table, sizeof(ipv4_net_table), GFP_KERNEL);
120512 if (!table)
120513 goto err_alloc;
120514
120515@@ -930,7 +929,10 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
120516 table[i].data += (void *)net - (void *)&init_net;
120517 }
120518
120519- net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
120520+ if (!net_eq(net, &init_net))
120521+ net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
120522+ else
120523+ net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", ipv4_net_table);
120524 if (!net->ipv4.ipv4_hdr)
120525 goto err_reg;
120526
120527diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
120528index 728f5b3..dc51cbe 100644
120529--- a/net/ipv4/tcp_input.c
120530+++ b/net/ipv4/tcp_input.c
120531@@ -767,7 +767,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
120532 * without any lock. We want to make sure compiler wont store
120533 * intermediate values in this location.
120534 */
120535- ACCESS_ONCE(sk->sk_pacing_rate) = min_t(u64, rate,
120536+ ACCESS_ONCE_RW(sk->sk_pacing_rate) = min_t(u64, rate,
120537 sk->sk_max_pacing_rate);
120538 }
120539
120540@@ -4608,7 +4608,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
120541 * simplifies code)
120542 */
120543 static void
120544-tcp_collapse(struct sock *sk, struct sk_buff_head *list,
120545+__intentional_overflow(5,6) tcp_collapse(struct sock *sk, struct sk_buff_head *list,
120546 struct sk_buff *head, struct sk_buff *tail,
120547 u32 start, u32 end)
120548 {
120549@@ -5603,6 +5603,7 @@ discard:
120550 tcp_paws_reject(&tp->rx_opt, 0))
120551 goto discard_and_undo;
120552
120553+#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT
120554 if (th->syn) {
120555 /* We see SYN without ACK. It is attempt of
120556 * simultaneous connect with crossed SYNs.
120557@@ -5653,6 +5654,7 @@ discard:
120558 goto discard;
120559 #endif
120560 }
120561+#endif
120562 /* "fifth, if neither of the SYN or RST bits is set then
120563 * drop the segment and return."
120564 */
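Review bot: The added `#endif` directly follows another, pre-existing `#endif` and a closing brace, and nothing says which conditional it closes; the matching `#ifndef` is in the previous hunk, some fifty lines up. Tag it: `#endif /* !CONFIG_GRKERNSEC_NO_SIMULT_CONNECT */`. A comment at the `#ifndef` should also state that with the option set, a SYN without ACK in this state falls through to the "fifth" rule below and is dropped. The enclosing function starts and ends outside both hunks.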
120565@@ -5699,7 +5701,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
120566 goto discard;
120567
120568 if (th->syn) {
120569- if (th->fin)
120570+ if (th->fin || th->urg || th->psh)
120571 goto discard;
120572 if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
120573 return 1;
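Review bot: SYN segments with URG or PSH set are now discarded on the same path as SYN+FIN, with no comment and no counter. A peer whose stack sets PSH on a SYN that carries data would see its connection attempts vanish with nothing on this host to show why. Add a comment stating the intent, e.g. `/* drop SYN with FIN, URG or PSH: not produced by normal connection setup */`. Consider bumping a MIB counter before `goto discard` so these drops are visible to operators. tcp_rcv_state_process continues outside the hunk.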
120574@@ -6026,7 +6028,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
120575
120576 kmemcheck_annotate_bitfield(ireq, flags);
120577 ireq->opt = NULL;
120578- atomic64_set(&ireq->ir_cookie, 0);
120579+ atomic64_set_unchecked(&ireq->ir_cookie, 0);
120580 ireq->ireq_state = TCP_NEW_SYN_RECV;
120581 write_pnet(&ireq->ireq_net, sock_net(sk_listener));
120582 ireq->ireq_family = sk_listener->sk_family;
120583diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
120584index 0ea2e1c..a4d1c48 100644
120585--- a/net/ipv4/tcp_ipv4.c
120586+++ b/net/ipv4/tcp_ipv4.c
120587@@ -89,6 +89,10 @@ int sysctl_tcp_tw_reuse __read_mostly;
120588 int sysctl_tcp_low_latency __read_mostly;
120589 EXPORT_SYMBOL(sysctl_tcp_low_latency);
120590
120591+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120592+extern int grsec_enable_blackhole;
120593+#endif
120594+
120595 #ifdef CONFIG_TCP_MD5SIG
120596 static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
120597 __be32 daddr, __be32 saddr, const struct tcphdr *th);
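Review bot: `extern int grsec_enable_blackhole;` is declared inside the .c file, so the compiler never checks it against the definition. The same is done in net/ipv4/tcp_minisocks.c and net/ipv4/udp.c, in net/ipv4/tcp_timer.c for `grsec_lastack_retries`, and in udp.c for the two `gr_search_udp_*` prototypes. If the type of any of these changes at the definition, the users still compile and silently disagree. Declaring them once in a shared header, included by both the definition and the users, removes the duplication and restores type checking.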
120598@@ -1427,6 +1431,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
120599 return 0;
120600
120601 reset:
120602+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120603+ if (!grsec_enable_blackhole)
120604+#endif
120605 tcp_v4_send_reset(rsk, skb);
120606 discard:
120607 kfree_skb(skb);
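Review bot: The `if (!grsec_enable_blackhole)` added under `#ifdef` has no braces, and the statement it controls, `tcp_v4_send_reset(rsk, skb);`, sits outside the conditional block. Any statement later inserted between `#endif` and the call becomes the guarded one, and the reset turns unconditional again without a compile error. The same construct is used in tcp_v4_rcv below, in tcp_minisocks.c at `embryonic_reset` and in `__udp4_lib_rcv` in udp.c. A small inline helper that returns 0 when the option is off (suggested name `grsec_blackhole_enabled()`) would let each site read `if (!grsec_blackhole_enabled()) tcp_v4_send_reset(rsk, skb);` with no preprocessor lines in the function body.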
120608@@ -1591,12 +1598,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
120609 TCP_SKB_CB(skb)->sacked = 0;
120610
120611 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
120612- if (!sk)
120613+ if (!sk) {
120614+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120615+ ret = 1;
120616+#endif
120617 goto no_tcp_socket;
120618-
120619+ }
120620 process:
120621- if (sk->sk_state == TCP_TIME_WAIT)
120622+ if (sk->sk_state == TCP_TIME_WAIT) {
120623+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120624+ ret = 2;
120625+#endif
120626 goto do_time_wait;
120627+ }
120628
120629 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
120630 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
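Review bot: `ret` is reused here as a path marker with the bare values 1 and 2, and the only consumer is the `ret == 1` test in the last hunk of this file. The value 2 is never tested in the visible hunks, and nothing shows `ret` being reset on the TIME_WAIT path before it is reused. A dedicated local with named values would make the intent checkable, for instance `bool no_socket = true;` at the `!sk` branch. It needs a comment saying the marker exists so that the loopback exception applies only to lookups that found no socket. tcp_v4_rcv starts and ends outside the hunk.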
120631@@ -1653,6 +1667,10 @@ csum_error:
120632 bad_packet:
120633 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
120634 } else {
120635+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120636+ if (!grsec_enable_blackhole || (ret == 1 &&
120637+ (skb->dev->flags & IFF_LOOPBACK)))
120638+#endif
120639 tcp_v4_send_reset(NULL, skb);
120640 }
120641
120642diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
120643index 4bc00cb..d024adf 100644
120644--- a/net/ipv4/tcp_minisocks.c
120645+++ b/net/ipv4/tcp_minisocks.c
120646@@ -27,6 +27,10 @@
120647 #include <net/inet_common.h>
120648 #include <net/xfrm.h>
120649
120650+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120651+extern int grsec_enable_blackhole;
120652+#endif
120653+
120654 int sysctl_tcp_syncookies __read_mostly = 1;
120655 EXPORT_SYMBOL(sysctl_tcp_syncookies);
120656
120657@@ -782,7 +786,10 @@ embryonic_reset:
120658 * avoid becoming vulnerable to outside attack aiming at
120659 * resetting legit local connections.
120660 */
120661- req->rsk_ops->send_reset(sk, skb);
120662+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120663+ if (!grsec_enable_blackhole)
120664+#endif
120665+ req->rsk_ops->send_reset(sk, skb);
120666 } else if (fastopen) { /* received a valid RST pkt */
120667 reqsk_fastopen_remove(sk, req, true);
120668 tcp_reset(sk);
120669diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
120670index ebf5ff5..4d1ff32 100644
120671--- a/net/ipv4/tcp_probe.c
120672+++ b/net/ipv4/tcp_probe.c
120673@@ -236,7 +236,7 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
120674 if (cnt + width >= len)
120675 break;
120676
120677- if (copy_to_user(buf + cnt, tbuf, width))
120678+ if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
120679 return -EFAULT;
120680 cnt += width;
120681 }
120682diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
120683index 5b752f5..9594bb2 100644
120684--- a/net/ipv4/tcp_timer.c
120685+++ b/net/ipv4/tcp_timer.c
120686@@ -22,6 +22,10 @@
120687 #include <linux/gfp.h>
120688 #include <net/tcp.h>
120689
120690+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120691+extern int grsec_lastack_retries;
120692+#endif
120693+
120694 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
120695 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
120696 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
120697@@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock *sk)
120698 }
120699 }
120700
120701+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120702+ if ((sk->sk_state == TCP_LAST_ACK) &&
120703+ (grsec_lastack_retries > 0) &&
120704+ (grsec_lastack_retries < retry_until))
120705+ retry_until = grsec_lastack_retries;
120706+#endif
120707+
120708 if (retransmits_timed_out(sk, retry_until,
120709 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
120710 /* Has it gone just too far? */
120711diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
120712index 1b8c5ba..e1f0542 100644
120713--- a/net/ipv4/udp.c
120714+++ b/net/ipv4/udp.c
120715@@ -87,6 +87,7 @@
120716 #include <linux/types.h>
120717 #include <linux/fcntl.h>
120718 #include <linux/module.h>
120719+#include <linux/security.h>
120720 #include <linux/socket.h>
120721 #include <linux/sockios.h>
120722 #include <linux/igmp.h>
120723@@ -115,6 +116,10 @@
120724 #include <net/busy_poll.h>
120725 #include "udp_impl.h"
120726
120727+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120728+extern int grsec_enable_blackhole;
120729+#endif
120730+
120731 struct udp_table udp_table __read_mostly;
120732 EXPORT_SYMBOL(udp_table);
120733
120734@@ -608,6 +613,9 @@ static inline bool __udp_is_mcast_sock(struct net *net, struct sock *sk,
120735 return true;
120736 }
120737
120738+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
120739+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
120740+
120741 /*
120742 * This routine is called by the ICMP module when it gets some
120743 * sort of error condition. If err < 0 then the socket should
120744@@ -944,9 +952,18 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
120745 dport = usin->sin_port;
120746 if (dport == 0)
120747 return -EINVAL;
120748+
120749+ err = gr_search_udp_sendmsg(sk, usin);
120750+ if (err)
120751+ return err;
120752 } else {
120753 if (sk->sk_state != TCP_ESTABLISHED)
120754 return -EDESTADDRREQ;
120755+
120756+ err = gr_search_udp_sendmsg(sk, NULL);
120757+ if (err)
120758+ return err;
120759+
120760 daddr = inet->inet_daddr;
120761 dport = inet->inet_dport;
120762 /* Open fast path for connected socket.
120763@@ -1193,7 +1210,7 @@ static unsigned int first_packet_length(struct sock *sk)
120764 IS_UDPLITE(sk));
120765 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
120766 IS_UDPLITE(sk));
120767- atomic_inc(&sk->sk_drops);
120768+ atomic_inc_unchecked(&sk->sk_drops);
120769 __skb_unlink(skb, rcvq);
120770 __skb_queue_tail(&list_kill, skb);
120771 }
120772@@ -1273,6 +1290,10 @@ try_again:
120773 if (!skb)
120774 goto out;
120775
120776+ err = gr_search_udp_recvmsg(sk, skb);
120777+ if (err)
120778+ goto out_free;
120779+
120780 ulen = skb->len - sizeof(struct udphdr);
120781 copied = len;
120782 if (copied > ulen)
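Review bot: A datagram rejected by `gr_search_udp_recvmsg()` goes straight to `out_free` without touching `sk_drops` or any UDP MIB counter. The checksum-failure path in the next hunk of this function bumps both. Unless the policy hook logs denials itself (not visible here), a receiver losing traffic to policy has no per-socket or per-protocol counter to show it. Either count the drop before the jump or add a comment stating that accounting is left to the hook. It is also worth confirming how the `out_free` path behaves when the datagram was only peeked, since the dequeue logic is outside this hunk.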
120783@@ -1305,7 +1326,7 @@ try_again:
120784 if (unlikely(err)) {
120785 trace_kfree_skb(skb, udp_recvmsg);
120786 if (!peeked) {
120787- atomic_inc(&sk->sk_drops);
120788+ atomic_inc_unchecked(&sk->sk_drops);
120789 UDP_INC_STATS_USER(sock_net(sk),
120790 UDP_MIB_INERRORS, is_udplite);
120791 }
120792@@ -1599,7 +1620,7 @@ csum_error:
120793 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
120794 drop:
120795 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
120796- atomic_inc(&sk->sk_drops);
120797+ atomic_inc_unchecked(&sk->sk_drops);
120798 kfree_skb(skb);
120799 return -1;
120800 }
120801@@ -1617,7 +1638,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
120802 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
120803
120804 if (!skb1) {
120805- atomic_inc(&sk->sk_drops);
120806+ atomic_inc_unchecked(&sk->sk_drops);
120807 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
120808 IS_UDPLITE(sk));
120809 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
120810@@ -1823,6 +1844,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
120811 goto csum_error;
120812
120813 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
120814+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120815+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
120816+#endif
120817 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
120818
120819 /*
120820@@ -2427,7 +2451,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
120821 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
120822 0, sock_i_ino(sp),
120823 atomic_read(&sp->sk_refcnt), sp,
120824- atomic_read(&sp->sk_drops));
120825+ atomic_read_unchecked(&sp->sk_drops));
120826 }
120827
120828 int udp4_seq_show(struct seq_file *seq, void *v)
120829diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
120830index bff6974..c63736c 100644
120831--- a/net/ipv4/xfrm4_policy.c
120832+++ b/net/ipv4/xfrm4_policy.c
120833@@ -186,11 +186,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
120834 fl4->flowi4_tos = iph->tos;
120835 }
120836
120837-static inline int xfrm4_garbage_collect(struct dst_ops *ops)
120838+static int xfrm4_garbage_collect(struct dst_ops *ops)
120839 {
120840 struct net *net = container_of(ops, struct net, xfrm.xfrm4_dst_ops);
120841
120842- xfrm4_policy_afinfo.garbage_collect(net);
120843+ xfrm_garbage_collect_deferred(net);
120844 return (dst_entries_get_slow(ops) > ops->gc_thresh * 2);
120845 }
120846
120847@@ -268,19 +268,18 @@ static struct ctl_table xfrm4_policy_table[] = {
120848
120849 static int __net_init xfrm4_net_init(struct net *net)
120850 {
120851- struct ctl_table *table;
120852+ ctl_table_no_const *table = NULL;
120853 struct ctl_table_header *hdr;
120854
120855- table = xfrm4_policy_table;
120856 if (!net_eq(net, &init_net)) {
120857- table = kmemdup(table, sizeof(xfrm4_policy_table), GFP_KERNEL);
120858+ table = kmemdup(xfrm4_policy_table, sizeof(xfrm4_policy_table), GFP_KERNEL);
120859 if (!table)
120860 goto err_alloc;
120861
120862 table[0].data = &net->xfrm.xfrm4_dst_ops.gc_thresh;
120863- }
120864-
120865- hdr = register_net_sysctl(net, "net/ipv4", table);
120866+ hdr = register_net_sysctl(net, "net/ipv4", table);
120867+ } else
120868+ hdr = register_net_sysctl(net, "net/ipv4", xfrm4_policy_table);
120869 if (!hdr)
120870 goto err_reg;
120871
120872@@ -288,8 +287,7 @@ static int __net_init xfrm4_net_init(struct net *net)
120873 return 0;
120874
120875 err_reg:
120876- if (!net_eq(net, &init_net))
120877- kfree(table);
120878+ kfree(table);
120879 err_alloc:
120880 return -ENOMEM;
120881 }
120882diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
120883index 21c2c81..373c1ba 100644
120884--- a/net/ipv6/addrconf.c
120885+++ b/net/ipv6/addrconf.c
120886@@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
120887 .hop_limit = IPV6_DEFAULT_HOPLIMIT,
120888 .mtu6 = IPV6_MIN_MTU,
120889 .accept_ra = 1,
120890- .accept_redirects = 1,
120891+ .accept_redirects = 0,
120892 .autoconf = 1,
120893 .force_mld_version = 0,
120894 .mldv1_unsolicited_report_interval = 10 * HZ,
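Review bot: The built-in default for `accept_redirects` changes from 1 to 0 here, and again for `ipv6_devconf_dflt` in the next hunk, with no comment at either initialiser. This is a user-visible behaviour change: hosts that relied on ICMPv6 redirects will now ignore them unless the sysctl is set explicitly. Note it next to the field, e.g. `.accept_redirects = 0, /* hardened default: ignore ICMPv6 redirects unless enabled via sysctl */`. Any sysctl documentation shipped with the tree that states the old default should be updated in the same change.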
120895@@ -219,7 +219,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
120896 .hop_limit = IPV6_DEFAULT_HOPLIMIT,
120897 .mtu6 = IPV6_MIN_MTU,
120898 .accept_ra = 1,
120899- .accept_redirects = 1,
120900+ .accept_redirects = 0,
120901 .autoconf = 1,
120902 .force_mld_version = 0,
120903 .mldv1_unsolicited_report_interval = 10 * HZ,
120904@@ -620,7 +620,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
120905 idx = 0;
120906 head = &net->dev_index_head[h];
120907 rcu_read_lock();
120908- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^
120909+ cb->seq = atomic_read_unchecked(&net->ipv6.dev_addr_genid) ^
120910 net->dev_base_seq;
120911 hlist_for_each_entry_rcu(dev, head, index_hlist) {
120912 if (idx < s_idx)
120913@@ -2508,7 +2508,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
120914 p.iph.ihl = 5;
120915 p.iph.protocol = IPPROTO_IPV6;
120916 p.iph.ttl = 64;
120917- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
120918+ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
120919
120920 if (ops->ndo_do_ioctl) {
120921 mm_segment_t oldfs = get_fs();
120922@@ -3774,16 +3774,23 @@ static const struct file_operations if6_fops = {
120923 .release = seq_release_net,
120924 };
120925
120926+extern void register_ipv6_seq_ops_addr(struct seq_operations *addr);
120927+extern void unregister_ipv6_seq_ops_addr(void);
120928+
120929 static int __net_init if6_proc_net_init(struct net *net)
120930 {
120931- if (!proc_create("if_inet6", S_IRUGO, net->proc_net, &if6_fops))
120932+ register_ipv6_seq_ops_addr(&if6_seq_ops);
120933+ if (!proc_create("if_inet6", S_IRUGO, net->proc_net, &if6_fops)) {
120934+ unregister_ipv6_seq_ops_addr();
120935 return -ENOMEM;
120936+ }
120937 return 0;
120938 }
120939
120940 static void __net_exit if6_proc_net_exit(struct net *net)
120941 {
120942 remove_proc_entry("if_inet6", net->proc_net);
120943+ unregister_ipv6_seq_ops_addr();
120944 }
120945
120946 static struct pernet_operations if6_proc_net_ops = {
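Review bot: `register_ipv6_seq_ops_addr()` takes a single address and `unregister_ipv6_seq_ops_addr()` takes no argument, so the registration looks like one global slot. It is driven from per-namespace init and exit hooks, though. If it is global, the exit of any network namespace, and a failed `proc_create()` in a new namespace, unregisters the address for every other namespace that is still running, init_net included. Since `if6_seq_ops` is the same object in every namespace, registering once is enough. Either move the pair to the module-level init/exit path, or guard both calls, e.g. `if (net_eq(net, &init_net)) unregister_ipv6_seq_ops_addr();`. The implementation of the two helpers is outside this file section, so this should be confirmed against it.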
120947@@ -4402,7 +4409,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
120948 s_ip_idx = ip_idx = cb->args[2];
120949
120950 rcu_read_lock();
120951- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq;
120952+ cb->seq = atomic_read_unchecked(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq;
120953 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
120954 idx = 0;
120955 head = &net->dev_index_head[h];
120956@@ -5059,7 +5066,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
120957 rt_genid_bump_ipv6(net);
120958 break;
120959 }
120960- atomic_inc(&net->ipv6.dev_addr_genid);
120961+ atomic_inc_unchecked(&net->ipv6.dev_addr_genid);
120962 }
120963
120964 static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
120965@@ -5079,7 +5086,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
120966 int *valp = ctl->data;
120967 int val = *valp;
120968 loff_t pos = *ppos;
120969- struct ctl_table lctl;
120970+ ctl_table_no_const lctl;
120971 int ret;
120972
120973 /*
120974@@ -5104,7 +5111,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
120975 {
120976 struct inet6_dev *idev = ctl->extra1;
120977 int min_mtu = IPV6_MIN_MTU;
120978- struct ctl_table lctl;
120979+ ctl_table_no_const lctl;
120980
120981 lctl = *ctl;
120982 lctl.extra1 = &min_mtu;
120983@@ -5179,7 +5186,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
120984 int *valp = ctl->data;
120985 int val = *valp;
120986 loff_t pos = *ppos;
120987- struct ctl_table lctl;
120988+ ctl_table_no_const lctl;
120989 int ret;
120990
120991 /*
120992@@ -5244,7 +5251,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
120993 int err;
120994 struct in6_addr addr;
120995 char str[IPV6_MAX_STRLEN];
120996- struct ctl_table lctl = *ctl;
120997+ ctl_table_no_const lctl = *ctl;
120998 struct net *net = ctl->extra2;
120999 struct ipv6_stable_secret *secret = ctl->data;
121000
121001diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
121002index 7de52b6..ce7fb94 100644
121003--- a/net/ipv6/af_inet6.c
121004+++ b/net/ipv6/af_inet6.c
121005@@ -770,7 +770,7 @@ static int __net_init inet6_net_init(struct net *net)
121006 net->ipv6.sysctl.idgen_retries = 3;
121007 net->ipv6.sysctl.idgen_delay = 1 * HZ;
121008 net->ipv6.sysctl.flowlabel_state_ranges = 1;
121009- atomic_set(&net->ipv6.fib6_sernum, 1);
121010+ atomic_set_unchecked(&net->ipv6.fib6_sernum, 1);
121011
121012 err = ipv6_init_mibs(net);
121013 if (err)
121014diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
121015index b10a889..e881e1f 100644
121016--- a/net/ipv6/datagram.c
121017+++ b/net/ipv6/datagram.c
121018@@ -977,5 +977,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
121019 0,
121020 sock_i_ino(sp),
121021 atomic_read(&sp->sk_refcnt), sp,
121022- atomic_read(&sp->sk_drops));
121023+ atomic_read_unchecked(&sp->sk_drops));
121024 }
121025diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
121026index 713d743..8eec687 100644
121027--- a/net/ipv6/icmp.c
121028+++ b/net/ipv6/icmp.c
121029@@ -1004,7 +1004,7 @@ static struct ctl_table ipv6_icmp_table_template[] = {
121030
121031 struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
121032 {
121033- struct ctl_table *table;
121034+ ctl_table_no_const *table;
121035
121036 table = kmemdup(ipv6_icmp_table_template,
121037 sizeof(ipv6_icmp_table_template),
121038diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
121039index 548c623..bc8ec4f 100644
121040--- a/net/ipv6/ip6_fib.c
121041+++ b/net/ipv6/ip6_fib.c
121042@@ -99,9 +99,9 @@ static int fib6_new_sernum(struct net *net)
121043 int new, old;
121044
121045 do {
121046- old = atomic_read(&net->ipv6.fib6_sernum);
121047+ old = atomic_read_unchecked(&net->ipv6.fib6_sernum);
121048 new = old < INT_MAX ? old + 1 : 1;
121049- } while (atomic_cmpxchg(&net->ipv6.fib6_sernum,
121050+ } while (atomic_cmpxchg_unchecked(&net->ipv6.fib6_sernum,
121051 old, new) != old);
121052 return new;
121053 }
121054diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
121055index 69f4f68..1f97524 100644
121056--- a/net/ipv6/ip6_gre.c
121057+++ b/net/ipv6/ip6_gre.c
121058@@ -71,8 +71,8 @@ struct ip6gre_net {
121059 struct net_device *fb_tunnel_dev;
121060 };
121061
121062-static struct rtnl_link_ops ip6gre_link_ops __read_mostly;
121063-static struct rtnl_link_ops ip6gre_tap_ops __read_mostly;
121064+static struct rtnl_link_ops ip6gre_link_ops;
121065+static struct rtnl_link_ops ip6gre_tap_ops;
121066 static int ip6gre_tunnel_init(struct net_device *dev);
121067 static void ip6gre_tunnel_setup(struct net_device *dev);
121068 static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t);
121069@@ -1281,7 +1281,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev)
121070 }
121071
121072
121073-static struct inet6_protocol ip6gre_protocol __read_mostly = {
121074+static struct inet6_protocol ip6gre_protocol = {
121075 .handler = ip6gre_rcv,
121076 .err_handler = ip6gre_err,
121077 .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
121078@@ -1640,7 +1640,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = {
121079 [IFLA_GRE_FLAGS] = { .type = NLA_U32 },
121080 };
121081
121082-static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
121083+static struct rtnl_link_ops ip6gre_link_ops = {
121084 .kind = "ip6gre",
121085 .maxtype = IFLA_GRE_MAX,
121086 .policy = ip6gre_policy,
121087@@ -1655,7 +1655,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
121088 .get_link_net = ip6_tnl_get_link_net,
121089 };
121090
121091-static struct rtnl_link_ops ip6gre_tap_ops __read_mostly = {
121092+static struct rtnl_link_ops ip6gre_tap_ops = {
121093 .kind = "ip6gretap",
121094 .maxtype = IFLA_GRE_MAX,
121095 .policy = ip6gre_policy,
121096diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
121097index 2e67b66..b816b34 100644
121098--- a/net/ipv6/ip6_tunnel.c
121099+++ b/net/ipv6/ip6_tunnel.c
121100@@ -80,7 +80,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
121101
121102 static int ip6_tnl_dev_init(struct net_device *dev);
121103 static void ip6_tnl_dev_setup(struct net_device *dev);
121104-static struct rtnl_link_ops ip6_link_ops __read_mostly;
121105+static struct rtnl_link_ops ip6_link_ops;
121106
121107 static int ip6_tnl_net_id __read_mostly;
121108 struct ip6_tnl_net {
121109@@ -1776,7 +1776,7 @@ static const struct nla_policy ip6_tnl_policy[IFLA_IPTUN_MAX + 1] = {
121110 [IFLA_IPTUN_PROTO] = { .type = NLA_U8 },
121111 };
121112
121113-static struct rtnl_link_ops ip6_link_ops __read_mostly = {
121114+static struct rtnl_link_ops ip6_link_ops = {
121115 .kind = "ip6tnl",
121116 .maxtype = IFLA_IPTUN_MAX,
121117 .policy = ip6_tnl_policy,
121118diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
121119index 0224c03..c5ec3d9 100644
121120--- a/net/ipv6/ip6_vti.c
121121+++ b/net/ipv6/ip6_vti.c
121122@@ -62,7 +62,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
121123
121124 static int vti6_dev_init(struct net_device *dev);
121125 static void vti6_dev_setup(struct net_device *dev);
121126-static struct rtnl_link_ops vti6_link_ops __read_mostly;
121127+static struct rtnl_link_ops vti6_link_ops;
121128
121129 static int vti6_net_id __read_mostly;
121130 struct vti6_net {
121131@@ -1019,7 +1019,7 @@ static const struct nla_policy vti6_policy[IFLA_VTI_MAX + 1] = {
121132 [IFLA_VTI_OKEY] = { .type = NLA_U32 },
121133 };
121134
121135-static struct rtnl_link_ops vti6_link_ops __read_mostly = {
121136+static struct rtnl_link_ops vti6_link_ops = {
121137 .kind = "vti6",
121138 .maxtype = IFLA_VTI_MAX,
121139 .policy = vti6_policy,
121140diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
121141index 63e6956..ebbbcf6 100644
121142--- a/net/ipv6/ipv6_sockglue.c
121143+++ b/net/ipv6/ipv6_sockglue.c
121144@@ -1015,7 +1015,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
121145 if (sk->sk_type != SOCK_STREAM)
121146 return -ENOPROTOOPT;
121147
121148- msg.msg_control = optval;
121149+ msg.msg_control = (void __force_kernel *)optval;
121150 msg.msg_controllen = len;
121151 msg.msg_flags = flags;
121152
121153diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
121154index 3c35ced..2e6882f 100644
121155--- a/net/ipv6/netfilter/ip6_tables.c
121156+++ b/net/ipv6/netfilter/ip6_tables.c
121157@@ -1086,14 +1086,14 @@ static int compat_table_info(const struct xt_table_info *info,
121158 #endif
121159
121160 static int get_info(struct net *net, void __user *user,
121161- const int *len, int compat)
121162+ int len, int compat)
121163 {
121164 char name[XT_TABLE_MAXNAMELEN];
121165 struct xt_table *t;
121166 int ret;
121167
121168- if (*len != sizeof(struct ip6t_getinfo)) {
121169- duprintf("length %u != %zu\n", *len,
121170+ if (len != sizeof(struct ip6t_getinfo)) {
121171+ duprintf("length %u != %zu\n", len,
121172 sizeof(struct ip6t_getinfo));
121173 return -EINVAL;
121174 }
121175@@ -1130,7 +1130,7 @@ static int get_info(struct net *net, void __user *user,
121176 info.size = private->size;
121177 strcpy(info.name, name);
121178
121179- if (copy_to_user(user, &info, *len) != 0)
121180+ if (copy_to_user(user, &info, len) != 0)
121181 ret = -EFAULT;
121182 else
121183 ret = 0;
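Review bot: `copy_to_user(user, &info, len)` still takes its size from the caller-supplied `len`, and the only thing tying it to `info` is the equality check against `sizeof(struct ip6t_getinfo)` at the top of `get_info` in the previous hunk. Using the object size at the call site, `if (copy_to_user(user, &info, sizeof(info)) != 0)`, keeps the copy bounded by the source buffer even if that earlier check is changed later. This assumes `info` is a `struct ip6t_getinfo`, whose declaration is outside the hunk. In the previous hunk the `duprintf` call now prints the signed `int len` with `%u`, where `%d` would match the new parameter type.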
121184@@ -1978,7 +1978,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
121185
121186 switch (cmd) {
121187 case IP6T_SO_GET_INFO:
121188- ret = get_info(sock_net(sk), user, len, 1);
121189+ ret = get_info(sock_net(sk), user, *len, 1);
121190 break;
121191 case IP6T_SO_GET_ENTRIES:
121192 ret = compat_get_entries(sock_net(sk), user, len);
121193@@ -2025,7 +2025,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
121194
121195 switch (cmd) {
121196 case IP6T_SO_GET_INFO:
121197- ret = get_info(sock_net(sk), user, len, 0);
121198+ ret = get_info(sock_net(sk), user, *len, 0);
121199 break;
121200
121201 case IP6T_SO_GET_ENTRIES:
121202diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
121203index 6d02498..55e564f 100644
121204--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
121205+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
121206@@ -96,12 +96,11 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
121207
121208 static int nf_ct_frag6_sysctl_register(struct net *net)
121209 {
121210- struct ctl_table *table;
121211+ ctl_table_no_const *table = NULL;
121212 struct ctl_table_header *hdr;
121213
121214- table = nf_ct_frag6_sysctl_table;
121215 if (!net_eq(net, &init_net)) {
121216- table = kmemdup(table, sizeof(nf_ct_frag6_sysctl_table),
121217+ table = kmemdup(nf_ct_frag6_sysctl_table, sizeof(nf_ct_frag6_sysctl_table),
121218 GFP_KERNEL);
121219 if (table == NULL)
121220 goto err_alloc;
121221@@ -112,9 +111,9 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
121222 table[2].data = &net->nf_frag.frags.high_thresh;
121223 table[2].extra1 = &net->nf_frag.frags.low_thresh;
121224 table[2].extra2 = &init_net.nf_frag.frags.high_thresh;
121225- }
121226-
121227- hdr = register_net_sysctl(net, "net/netfilter", table);
121228+ hdr = register_net_sysctl(net, "net/netfilter", table);
121229+ } else
121230+ hdr = register_net_sysctl(net, "net/netfilter", nf_ct_frag6_sysctl_table);
121231 if (hdr == NULL)
121232 goto err_reg;
121233
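Review bot: The new `} else` that closes the braced `if (!net_eq(net, &init_net))` block has an unbraced body, where kernel coding style braces both branches once either one is braced: `} else {`, `hdr = register_net_sysctl(net, "net/netfilter", nf_ct_frag6_sysctl_table);`, `}`. The error path in the next hunk now calls `kfree(table)` unconditionally and depends on `table` staying NULL for init_net, so a short comment at the `= NULL` initialiser should say that. The same two points apply to `ip6_frags_ns_sysctl_register` in net/ipv6/reassembly.c and `xfrm6_net_init` in net/ipv6/xfrm6_policy.c.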
121234@@ -122,8 +121,7 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
121235 return 0;
121236
121237 err_reg:
121238- if (!net_eq(net, &init_net))
121239- kfree(table);
121240+ kfree(table);
121241 err_alloc:
121242 return -ENOMEM;
121243 }
121244diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
121245index 263a516..692f738 100644
121246--- a/net/ipv6/ping.c
121247+++ b/net/ipv6/ping.c
121248@@ -240,6 +240,24 @@ static struct pernet_operations ping_v6_net_ops = {
121249 };
121250 #endif
121251
121252+static struct pingv6_ops real_pingv6_ops = {
121253+ .ipv6_recv_error = ipv6_recv_error,
121254+ .ip6_datagram_recv_common_ctl = ip6_datagram_recv_common_ctl,
121255+ .ip6_datagram_recv_specific_ctl = ip6_datagram_recv_specific_ctl,
121256+ .icmpv6_err_convert = icmpv6_err_convert,
121257+ .ipv6_icmp_error = ipv6_icmp_error,
121258+ .ipv6_chk_addr = ipv6_chk_addr,
121259+};
121260+
121261+static struct pingv6_ops dummy_pingv6_ops = {
121262+ .ipv6_recv_error = dummy_ipv6_recv_error,
121263+ .ip6_datagram_recv_common_ctl = dummy_ip6_datagram_recv_ctl,
121264+ .ip6_datagram_recv_specific_ctl = dummy_ip6_datagram_recv_ctl,
121265+ .icmpv6_err_convert = dummy_icmpv6_err_convert,
121266+ .ipv6_icmp_error = dummy_ipv6_icmp_error,
121267+ .ipv6_chk_addr = dummy_ipv6_chk_addr,
121268+};
121269+
121270 int __init pingv6_init(void)
121271 {
121272 #ifdef CONFIG_PROC_FS
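Review bot: `real_pingv6_ops` and `dummy_pingv6_ops` are never written after initialisation, so both can be declared `static const struct pingv6_ops`, which puts these function-pointer tables in read-only data without depending on anything else to constify them. That requires the `pingv6_ops` pointer, declared outside this file section, to be a pointer to const. In the last hunk `pingv6_exit` switches to the dummy table after `unregister_pernet_subsys()`, whereas the old code installed the dummies first; if the new order is intended it deserves a comment. The pointer is presumably read concurrently by code outside this file, so the plain stores in `pingv6_init` and `pingv6_exit` may want `WRITE_ONCE()` or an RCU assignment.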
121273@@ -247,13 +265,7 @@ int __init pingv6_init(void)
121274 if (ret)
121275 return ret;
121276 #endif
121277- pingv6_ops.ipv6_recv_error = ipv6_recv_error;
121278- pingv6_ops.ip6_datagram_recv_common_ctl = ip6_datagram_recv_common_ctl;
121279- pingv6_ops.ip6_datagram_recv_specific_ctl =
121280- ip6_datagram_recv_specific_ctl;
121281- pingv6_ops.icmpv6_err_convert = icmpv6_err_convert;
121282- pingv6_ops.ipv6_icmp_error = ipv6_icmp_error;
121283- pingv6_ops.ipv6_chk_addr = ipv6_chk_addr;
121284+ pingv6_ops = &real_pingv6_ops;
121285 return inet6_register_protosw(&pingv6_protosw);
121286 }
121287
121288@@ -262,14 +274,9 @@ int __init pingv6_init(void)
121289 */
121290 void pingv6_exit(void)
121291 {
121292- pingv6_ops.ipv6_recv_error = dummy_ipv6_recv_error;
121293- pingv6_ops.ip6_datagram_recv_common_ctl = dummy_ip6_datagram_recv_ctl;
121294- pingv6_ops.ip6_datagram_recv_specific_ctl = dummy_ip6_datagram_recv_ctl;
121295- pingv6_ops.icmpv6_err_convert = dummy_icmpv6_err_convert;
121296- pingv6_ops.ipv6_icmp_error = dummy_ipv6_icmp_error;
121297- pingv6_ops.ipv6_chk_addr = dummy_ipv6_chk_addr;
121298 #ifdef CONFIG_PROC_FS
121299 unregister_pernet_subsys(&ping_v6_net_ops);
121300 #endif
121301+ pingv6_ops = &dummy_pingv6_ops;
121302 inet6_unregister_protosw(&pingv6_protosw);
121303 }
121304diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
121305index 679253d0..70b653c 100644
121306--- a/net/ipv6/proc.c
121307+++ b/net/ipv6/proc.c
121308@@ -310,7 +310,7 @@ static int __net_init ipv6_proc_init_net(struct net *net)
121309 if (!proc_create("snmp6", S_IRUGO, net->proc_net, &snmp6_seq_fops))
121310 goto proc_snmp6_fail;
121311
121312- net->mib.proc_net_devsnmp6 = proc_mkdir("dev_snmp6", net->proc_net);
121313+ net->mib.proc_net_devsnmp6 = proc_mkdir_restrict("dev_snmp6", net->proc_net);
121314 if (!net->mib.proc_net_devsnmp6)
121315 goto proc_dev_snmp6_fail;
121316 return 0;
121317diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
121318index ca4700c..e44c0f9 100644
121319--- a/net/ipv6/raw.c
121320+++ b/net/ipv6/raw.c
121321@@ -388,7 +388,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
121322 {
121323 if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) &&
121324 skb_checksum_complete(skb)) {
121325- atomic_inc(&sk->sk_drops);
121326+ atomic_inc_unchecked(&sk->sk_drops);
121327 kfree_skb(skb);
121328 return NET_RX_DROP;
121329 }
121330@@ -416,7 +416,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
121331 struct raw6_sock *rp = raw6_sk(sk);
121332
121333 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
121334- atomic_inc(&sk->sk_drops);
121335+ atomic_inc_unchecked(&sk->sk_drops);
121336 kfree_skb(skb);
121337 return NET_RX_DROP;
121338 }
121339@@ -440,7 +440,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
121340
121341 if (inet->hdrincl) {
121342 if (skb_checksum_complete(skb)) {
121343- atomic_inc(&sk->sk_drops);
121344+ atomic_inc_unchecked(&sk->sk_drops);
121345 kfree_skb(skb);
121346 return NET_RX_DROP;
121347 }
121348@@ -608,7 +608,7 @@ out:
121349 return err;
121350 }
121351
121352-static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
121353+static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, unsigned int length,
121354 struct flowi6 *fl6, struct dst_entry **dstp,
121355 unsigned int flags)
121356 {
121357@@ -916,12 +916,15 @@ do_confirm:
121358 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
121359 char __user *optval, int optlen)
121360 {
121361+ struct icmp6_filter filter;
121362+
121363 switch (optname) {
121364 case ICMPV6_FILTER:
121365 if (optlen > sizeof(struct icmp6_filter))
121366 optlen = sizeof(struct icmp6_filter);
121367- if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
121368+ if (copy_from_user(&filter, optval, optlen))
121369 return -EFAULT;
121370+ raw6_sk(sk)->filter = filter;
121371 return 0;
121372 default:
121373 return -ENOPROTOOPT;
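Review bot: When `optlen` is smaller than `sizeof(struct icmp6_filter)`, `copy_from_user(&filter, optval, optlen)` fills only the first `optlen` bytes of the new stack variable, and `raw6_sk(sk)->filter = filter;` then stores the whole structure, so the tail of the socket's filter is overwritten with uninitialised stack contents. The old code copied straight into the socket and left the remaining bytes as they were; the stale bytes can also be handed back to user space by `rawv6_geticmpfilter`. Loading the current value first keeps the old semantics: add `filter = raw6_sk(sk)->filter;` before the `copy_from_user` call in the `ICMPV6_FILTER` case. The function's closing lines are outside the hunk.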
121374@@ -934,6 +937,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
121375 char __user *optval, int __user *optlen)
121376 {
121377 int len;
121378+ struct icmp6_filter filter;
121379
121380 switch (optname) {
121381 case ICMPV6_FILTER:
121382@@ -945,7 +949,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
121383 len = sizeof(struct icmp6_filter);
121384 if (put_user(len, optlen))
121385 return -EFAULT;
121386- if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
121387+ filter = raw6_sk(sk)->filter;
121388+ if (len > sizeof filter || copy_to_user(optval, &filter, len))
121389 return -EFAULT;
121390 return 0;
121391 default:
121392diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
121393index f1159bb..0db5dad 100644
121394--- a/net/ipv6/reassembly.c
121395+++ b/net/ipv6/reassembly.c
121396@@ -626,12 +626,11 @@ static struct ctl_table ip6_frags_ctl_table[] = {
121397
121398 static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
121399 {
121400- struct ctl_table *table;
121401+ ctl_table_no_const *table = NULL;
121402 struct ctl_table_header *hdr;
121403
121404- table = ip6_frags_ns_ctl_table;
121405 if (!net_eq(net, &init_net)) {
121406- table = kmemdup(table, sizeof(ip6_frags_ns_ctl_table), GFP_KERNEL);
121407+ table = kmemdup(ip6_frags_ns_ctl_table, sizeof(ip6_frags_ns_ctl_table), GFP_KERNEL);
121408 if (!table)
121409 goto err_alloc;
121410
121411@@ -645,9 +644,10 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
121412 /* Don't export sysctls to unprivileged users */
121413 if (net->user_ns != &init_user_ns)
121414 table[0].procname = NULL;
121415- }
121416+ hdr = register_net_sysctl(net, "net/ipv6", table);
121417+ } else
121418+ hdr = register_net_sysctl(net, "net/ipv6", ip6_frags_ns_ctl_table);
121419
121420- hdr = register_net_sysctl(net, "net/ipv6", table);
121421 if (!hdr)
121422 goto err_reg;
121423
121424@@ -655,8 +655,7 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
121425 return 0;
121426
121427 err_reg:
121428- if (!net_eq(net, &init_net))
121429- kfree(table);
121430+ kfree(table);
121431 err_alloc:
121432 return -ENOMEM;
121433 }
121434diff --git a/net/ipv6/route.c b/net/ipv6/route.c
121435index 00b64d4..da5099e 100644
121436--- a/net/ipv6/route.c
121437+++ b/net/ipv6/route.c
121438@@ -3430,7 +3430,7 @@ struct ctl_table ipv6_route_table_template[] = {
121439
121440 struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
121441 {
121442- struct ctl_table *table;
121443+ ctl_table_no_const *table;
121444
121445 table = kmemdup(ipv6_route_table_template,
121446 sizeof(ipv6_route_table_template),
121447diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
121448index ac35a28..070cc8c 100644
121449--- a/net/ipv6/sit.c
121450+++ b/net/ipv6/sit.c
121451@@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev);
121452 static void ipip6_dev_free(struct net_device *dev);
121453 static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
121454 __be32 *v4dst);
121455-static struct rtnl_link_ops sit_link_ops __read_mostly;
121456+static struct rtnl_link_ops sit_link_ops;
121457
121458 static int sit_net_id __read_mostly;
121459 struct sit_net {
121460@@ -1749,7 +1749,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head)
121461 unregister_netdevice_queue(dev, head);
121462 }
121463
121464-static struct rtnl_link_ops sit_link_ops __read_mostly = {
121465+static struct rtnl_link_ops sit_link_ops = {
121466 .kind = "sit",
121467 .maxtype = IFLA_IPTUN_MAX,
121468 .policy = ipip6_policy,
121469diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
121470index 4e705ad..9ba8db8 100644
121471--- a/net/ipv6/sysctl_net_ipv6.c
121472+++ b/net/ipv6/sysctl_net_ipv6.c
121473@@ -99,7 +99,7 @@ static struct ctl_table ipv6_rotable[] = {
121474
121475 static int __net_init ipv6_sysctl_net_init(struct net *net)
121476 {
121477- struct ctl_table *ipv6_table;
121478+ ctl_table_no_const *ipv6_table;
121479 struct ctl_table *ipv6_route_table;
121480 struct ctl_table *ipv6_icmp_table;
121481 int err;
121482diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
121483index 7a6cea5..1a99e26 100644
121484--- a/net/ipv6/tcp_ipv6.c
121485+++ b/net/ipv6/tcp_ipv6.c
121486@@ -103,6 +103,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
121487 }
121488 }
121489
121490+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121491+extern int grsec_enable_blackhole;
121492+#endif
121493+
121494 static __u32 tcp_v6_init_sequence(const struct sk_buff *skb)
121495 {
121496 return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
121497@@ -1280,6 +1284,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
121498 return 0;
121499
121500 reset:
121501+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121502+ if (!grsec_enable_blackhole)
121503+#endif
121504 tcp_v6_send_reset(sk, skb);
121505 discard:
121506 if (opt_skb)
121507@@ -1389,12 +1396,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
121508
121509 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest,
121510 inet6_iif(skb));
121511- if (!sk)
121512+ if (!sk) {
121513+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121514+ ret = 1;
121515+#endif
121516 goto no_tcp_socket;
121517+ }
121518
121519 process:
121520- if (sk->sk_state == TCP_TIME_WAIT)
121521+ if (sk->sk_state == TCP_TIME_WAIT) {
121522+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121523+ ret = 2;
121524+#endif
121525 goto do_time_wait;
121526+ }
121527
121528 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
121529 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
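Review bot: `ret = 1` and `ret = 2` use `ret`, which appears to be an existing local of `tcp_v6_rcv` declared outside the hunk, as an undocumented marker for which path reached `no_tcp_socket`; the only consumer is the `ret == 1` test in the next hunk. A dedicated local with named values, or at least a comment at each assignment such as `/* 1: no socket matched; loopback still gets a reset when blackhole is on */`, would make that coupling visible. The `#ifdef`-wrapped `if` that guards `tcp_v6_send_reset()` in the previous and next hunks, and `icmpv6_send()` in net/ipv6/udp.c, binds to whatever statement follows `#endif`. A small inline helper returning whether a reply may be sent would remove that fragility. `tcp_v6_rcv` starts and ends outside the hunk.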
121530@@ -1446,6 +1461,10 @@ csum_error:
121531 bad_packet:
121532 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
121533 } else {
121534+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121535+ if (!grsec_enable_blackhole || (ret == 1 &&
121536+ (skb->dev->flags & IFF_LOOPBACK)))
121537+#endif
121538 tcp_v6_send_reset(NULL, skb);
121539 }
121540
121541diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
121542index e51fc3e..8f04229 100644
121543--- a/net/ipv6/udp.c
121544+++ b/net/ipv6/udp.c
121545@@ -76,6 +76,10 @@ static u32 udp6_ehashfn(const struct net *net,
121546 udp_ipv6_hash_secret + net_hash_mix(net));
121547 }
121548
121549+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121550+extern int grsec_enable_blackhole;
121551+#endif
121552+
121553 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
121554 {
121555 const struct in6_addr *sk2_rcv_saddr6 = inet6_rcv_saddr(sk2);
121556@@ -445,7 +449,7 @@ try_again:
121557 if (unlikely(err)) {
121558 trace_kfree_skb(skb, udpv6_recvmsg);
121559 if (!peeked) {
121560- atomic_inc(&sk->sk_drops);
121561+ atomic_inc_unchecked(&sk->sk_drops);
121562 if (is_udp4)
121563 UDP_INC_STATS_USER(sock_net(sk),
121564 UDP_MIB_INERRORS,
121565@@ -709,7 +713,7 @@ csum_error:
121566 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
121567 drop:
121568 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
121569- atomic_inc(&sk->sk_drops);
121570+ atomic_inc_unchecked(&sk->sk_drops);
121571 kfree_skb(skb);
121572 return -1;
121573 }
121574@@ -750,7 +754,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
121575 if (likely(!skb1))
121576 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
121577 if (!skb1) {
121578- atomic_inc(&sk->sk_drops);
121579+ atomic_inc_unchecked(&sk->sk_drops);
121580 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
121581 IS_UDPLITE(sk));
121582 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
121583@@ -934,6 +938,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
121584 goto csum_error;
121585
121586 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
121587+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121588+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
121589+#endif
121590 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
121591
121592 kfree_skb(skb);
121593diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
121594index ed0583c..606962a 100644
121595--- a/net/ipv6/xfrm6_policy.c
121596+++ b/net/ipv6/xfrm6_policy.c
121597@@ -174,7 +174,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
121598 return;
121599
121600 case IPPROTO_ICMPV6:
121601- if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
121602+ if (!onlyproto && (nh + offset + 2 < skb->data ||
121603+ pskb_may_pull(skb, nh + offset + 2 - skb->data))) {
121604 u8 *icmp;
121605
121606 nh = skb_network_header(skb);
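Review bot: The added `nh + offset + 2 < skb->data ||` test has no comment, and the condition alone does not tell a reader why a header that ends before `skb->data` may skip `pskb_may_pull()`. Presumably it keeps a negative pointer difference from being passed as a very large unsigned length; a comment above it should say so, for example `/* bytes end before skb->data: do not pass a negative difference as a length */`. The same test with `+ 3` appears in the `IPPROTO_MH` case in the next hunk, so a small helper taking the byte count would keep the two in step. `_decode_session6` starts and ends outside the hunk.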
121607@@ -188,7 +189,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
121608 #if IS_ENABLED(CONFIG_IPV6_MIP6)
121609 case IPPROTO_MH:
121610 offset += ipv6_optlen(exthdr);
121611- if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
121612+ if (!onlyproto && (nh + offset + 3 < skb->data ||
121613+ pskb_may_pull(skb, nh + offset + 3 - skb->data))) {
121614 struct ip6_mh *mh;
121615
121616 nh = skb_network_header(skb);
121617@@ -211,11 +213,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
121618 }
121619 }
121620
121621-static inline int xfrm6_garbage_collect(struct dst_ops *ops)
121622+static int xfrm6_garbage_collect(struct dst_ops *ops)
121623 {
121624 struct net *net = container_of(ops, struct net, xfrm.xfrm6_dst_ops);
121625
121626- xfrm6_policy_afinfo.garbage_collect(net);
121627+ xfrm_garbage_collect_deferred(net);
121628 return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
121629 }
121630
121631@@ -322,19 +324,19 @@ static struct ctl_table xfrm6_policy_table[] = {
121632
121633 static int __net_init xfrm6_net_init(struct net *net)
121634 {
121635- struct ctl_table *table;
121636+ ctl_table_no_const *table = NULL;
121637 struct ctl_table_header *hdr;
121638
121639- table = xfrm6_policy_table;
121640 if (!net_eq(net, &init_net)) {
121641- table = kmemdup(table, sizeof(xfrm6_policy_table), GFP_KERNEL);
121642+ table = kmemdup(xfrm6_policy_table, sizeof(xfrm6_policy_table), GFP_KERNEL);
121643 if (!table)
121644 goto err_alloc;
121645
121646 table[0].data = &net->xfrm.xfrm6_dst_ops.gc_thresh;
121647- }
121648+ hdr = register_net_sysctl(net, "net/ipv6", table);
121649+ } else
121650+ hdr = register_net_sysctl(net, "net/ipv6", xfrm6_policy_table);
121651
121652- hdr = register_net_sysctl(net, "net/ipv6", table);
121653 if (!hdr)
121654 goto err_reg;
121655
121656@@ -342,8 +344,7 @@ static int __net_init xfrm6_net_init(struct net *net)
121657 return 0;
121658
121659 err_reg:
121660- if (!net_eq(net, &init_net))
121661- kfree(table);
121662+ kfree(table);
121663 err_alloc:
121664 return -ENOMEM;
121665 }
121666diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c
121667index c1d247e..9e5949d 100644
121668--- a/net/ipx/ipx_proc.c
121669+++ b/net/ipx/ipx_proc.c
121670@@ -289,7 +289,7 @@ int __init ipx_proc_init(void)
121671 struct proc_dir_entry *p;
121672 int rc = -ENOMEM;
121673
121674- ipx_proc_dir = proc_mkdir("ipx", init_net.proc_net);
121675+ ipx_proc_dir = proc_mkdir_restrict("ipx", init_net.proc_net);
121676
121677 if (!ipx_proc_dir)
121678 goto out;
121679diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
121680index 683346d..cb0e12d 100644
121681--- a/net/irda/ircomm/ircomm_tty.c
121682+++ b/net/irda/ircomm/ircomm_tty.c
121683@@ -310,10 +310,10 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
121684 add_wait_queue(&port->open_wait, &wait);
121685
121686 pr_debug("%s(%d):block_til_ready before block on %s open_count=%d\n",
121687- __FILE__, __LINE__, tty->driver->name, port->count);
121688+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
121689
121690 spin_lock_irqsave(&port->lock, flags);
121691- port->count--;
121692+ atomic_dec(&port->count);
121693 port->blocked_open++;
121694 spin_unlock_irqrestore(&port->lock, flags);
121695
121696@@ -348,7 +348,7 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
121697 }
121698
121699 pr_debug("%s(%d):block_til_ready blocking on %s open_count=%d\n",
121700- __FILE__, __LINE__, tty->driver->name, port->count);
121701+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
121702
121703 schedule();
121704 }
121705@@ -358,12 +358,12 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
121706
121707 spin_lock_irqsave(&port->lock, flags);
121708 if (!tty_hung_up_p(filp))
121709- port->count++;
121710+ atomic_inc(&port->count);
121711 port->blocked_open--;
121712 spin_unlock_irqrestore(&port->lock, flags);
121713
121714 pr_debug("%s(%d):block_til_ready after blocking on %s open_count=%d\n",
121715- __FILE__, __LINE__, tty->driver->name, port->count);
121716+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
121717
121718 if (!retval)
121719 port->flags |= ASYNC_NORMAL_ACTIVE;
121720@@ -433,12 +433,12 @@ static int ircomm_tty_open(struct tty_struct *tty, struct file *filp)
121721
121722 /* ++ is not atomic, so this should be protected - Jean II */
121723 spin_lock_irqsave(&self->port.lock, flags);
121724- self->port.count++;
121725+ atomic_inc(&self->port.count);
121726 spin_unlock_irqrestore(&self->port.lock, flags);
121727 tty_port_tty_set(&self->port, tty);
121728
121729 pr_debug("%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
121730- self->line, self->port.count);
121731+ self->line, atomic_read(&self->port.count));
121732
121733 /* Not really used by us, but lets do it anyway */
121734 self->port.low_latency = (self->port.flags & ASYNC_LOW_LATENCY) ? 1 : 0;
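Review bot: The context comment `/* ++ is not atomic, so this should be protected - Jean II */` no longer describes the line under it, because `self->port.count` is now updated with `atomic_inc()`. The `spin_lock_irqsave`/`spin_unlock_irqrestore` pair is kept around it, so the comment should say what the lock still protects, or the lock should be dropped if nothing else needs it here. In `ircomm_tty_block_til_ready` the same lock also covers `port->blocked_open`, which may be the reason for keeping it; that should be confirmed before changing anything.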
121735@@ -961,7 +961,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty)
121736 tty_kref_put(port->tty);
121737 }
121738 port->tty = NULL;
121739- port->count = 0;
121740+ atomic_set(&port->count, 0);
121741 spin_unlock_irqrestore(&port->lock, flags);
121742
121743 wake_up_interruptible(&port->open_wait);
121744@@ -1308,7 +1308,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m)
121745 seq_putc(m, '\n');
121746
121747 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
121748- seq_printf(m, "Open count: %d\n", self->port.count);
121749+ seq_printf(m, "Open count: %d\n", atomic_read(&self->port.count));
121750 seq_printf(m, "Max data size: %d\n", self->max_data_size);
121751 seq_printf(m, "Max header size: %d\n", self->max_header_size);
121752
121753diff --git a/net/irda/irproc.c b/net/irda/irproc.c
121754index b9ac598..f88cc56 100644
121755--- a/net/irda/irproc.c
121756+++ b/net/irda/irproc.c
121757@@ -66,7 +66,7 @@ void __init irda_proc_register(void)
121758 {
121759 int i;
121760
121761- proc_irda = proc_mkdir("irda", init_net.proc_net);
121762+ proc_irda = proc_mkdir_restrict("irda", init_net.proc_net);
121763 if (proc_irda == NULL)
121764 return;
121765
121766diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
121767index 918151c..5bbe95a 100644
121768--- a/net/iucv/af_iucv.c
121769+++ b/net/iucv/af_iucv.c
121770@@ -686,10 +686,10 @@ static void __iucv_auto_name(struct iucv_sock *iucv)
121771 {
121772 char name[12];
121773
121774- sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
121775+ sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
121776 while (__iucv_get_sock_by_name(name)) {
121777 sprintf(name, "%08x",
121778- atomic_inc_return(&iucv_sk_list.autobind_name));
121779+ atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
121780 }
121781 memcpy(iucv->src_name, name, 8);
121782 }
121783diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
121784index 2a6a1fd..6c112b0 100644
121785--- a/net/iucv/iucv.c
121786+++ b/net/iucv/iucv.c
121787@@ -702,7 +702,7 @@ static int iucv_cpu_notify(struct notifier_block *self,
121788 return NOTIFY_OK;
121789 }
121790
121791-static struct notifier_block __refdata iucv_cpu_notifier = {
121792+static struct notifier_block iucv_cpu_notifier = {
121793 .notifier_call = iucv_cpu_notify,
121794 };
121795
121796diff --git a/net/key/af_key.c b/net/key/af_key.c
121797index 83a7068..facf2f0 100644
121798--- a/net/key/af_key.c
121799+++ b/net/key/af_key.c
121800@@ -3050,10 +3050,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
121801 static u32 get_acqseq(void)
121802 {
121803 u32 res;
121804- static atomic_t acqseq;
121805+ static atomic_unchecked_t acqseq;
121806
121807 do {
121808- res = atomic_inc_return(&acqseq);
121809+ res = atomic_inc_return_unchecked(&acqseq);
121810 } while (!res);
121811 return res;
121812 }
121813diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
121814index 4b55287..bd247f7 100644
121815--- a/net/l2tp/l2tp_eth.c
121816+++ b/net/l2tp/l2tp_eth.c
121817@@ -42,12 +42,12 @@ struct l2tp_eth {
121818 struct sock *tunnel_sock;
121819 struct l2tp_session *session;
121820 struct list_head list;
121821- atomic_long_t tx_bytes;
121822- atomic_long_t tx_packets;
121823- atomic_long_t tx_dropped;
121824- atomic_long_t rx_bytes;
121825- atomic_long_t rx_packets;
121826- atomic_long_t rx_errors;
121827+ atomic_long_unchecked_t tx_bytes;
121828+ atomic_long_unchecked_t tx_packets;
121829+ atomic_long_unchecked_t tx_dropped;
121830+ atomic_long_unchecked_t rx_bytes;
121831+ atomic_long_unchecked_t rx_packets;
121832+ atomic_long_unchecked_t rx_errors;
121833 };
121834
121835 /* via l2tp_session_priv() */
121836@@ -98,10 +98,10 @@ static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
121837 int ret = l2tp_xmit_skb(session, skb, session->hdr_len);
121838
121839 if (likely(ret == NET_XMIT_SUCCESS)) {
121840- atomic_long_add(len, &priv->tx_bytes);
121841- atomic_long_inc(&priv->tx_packets);
121842+ atomic_long_add_unchecked(len, &priv->tx_bytes);
121843+ atomic_long_inc_unchecked(&priv->tx_packets);
121844 } else {
121845- atomic_long_inc(&priv->tx_dropped);
121846+ atomic_long_inc_unchecked(&priv->tx_dropped);
121847 }
121848 return NETDEV_TX_OK;
121849 }
121850@@ -111,12 +111,12 @@ static struct rtnl_link_stats64 *l2tp_eth_get_stats64(struct net_device *dev,
121851 {
121852 struct l2tp_eth *priv = netdev_priv(dev);
121853
121854- stats->tx_bytes = atomic_long_read(&priv->tx_bytes);
121855- stats->tx_packets = atomic_long_read(&priv->tx_packets);
121856- stats->tx_dropped = atomic_long_read(&priv->tx_dropped);
121857- stats->rx_bytes = atomic_long_read(&priv->rx_bytes);
121858- stats->rx_packets = atomic_long_read(&priv->rx_packets);
121859- stats->rx_errors = atomic_long_read(&priv->rx_errors);
121860+ stats->tx_bytes = atomic_long_read_unchecked(&priv->tx_bytes);
121861+ stats->tx_packets = atomic_long_read_unchecked(&priv->tx_packets);
121862+ stats->tx_dropped = atomic_long_read_unchecked(&priv->tx_dropped);
121863+ stats->rx_bytes = atomic_long_read_unchecked(&priv->rx_bytes);
121864+ stats->rx_packets = atomic_long_read_unchecked(&priv->rx_packets);
121865+ stats->rx_errors = atomic_long_read_unchecked(&priv->rx_errors);
121866 return stats;
121867 }
121868
121869@@ -167,15 +167,15 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
121870 nf_reset(skb);
121871
121872 if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
121873- atomic_long_inc(&priv->rx_packets);
121874- atomic_long_add(data_len, &priv->rx_bytes);
121875+ atomic_long_inc_unchecked(&priv->rx_packets);
121876+ atomic_long_add_unchecked(data_len, &priv->rx_bytes);
121877 } else {
121878- atomic_long_inc(&priv->rx_errors);
121879+ atomic_long_inc_unchecked(&priv->rx_errors);
121880 }
121881 return;
121882
121883 error:
121884- atomic_long_inc(&priv->rx_errors);
121885+ atomic_long_inc_unchecked(&priv->rx_errors);
121886 kfree_skb(skb);
121887 }
121888
121889diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
121890index 7964993..2c48a3a 100644
121891--- a/net/l2tp/l2tp_ip.c
121892+++ b/net/l2tp/l2tp_ip.c
121893@@ -608,7 +608,7 @@ static struct inet_protosw l2tp_ip_protosw = {
121894 .ops = &l2tp_ip_ops,
121895 };
121896
121897-static struct net_protocol l2tp_ip_protocol __read_mostly = {
121898+static const struct net_protocol l2tp_ip_protocol = {
121899 .handler = l2tp_ip_recv,
121900 .netns_ok = 1,
121901 };
121902diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
121903index d1ded37..c0d1e49 100644
121904--- a/net/l2tp/l2tp_ip6.c
121905+++ b/net/l2tp/l2tp_ip6.c
121906@@ -755,7 +755,7 @@ static struct inet_protosw l2tp_ip6_protosw = {
121907 .ops = &l2tp_ip6_ops,
121908 };
121909
121910-static struct inet6_protocol l2tp_ip6_protocol __read_mostly = {
121911+static const struct inet6_protocol l2tp_ip6_protocol = {
121912 .handler = l2tp_ip6_recv,
121913 };
121914
121915diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c
121916index 1a3c7e0..80f8b0c 100644
121917--- a/net/llc/llc_proc.c
121918+++ b/net/llc/llc_proc.c
121919@@ -247,7 +247,7 @@ int __init llc_proc_init(void)
121920 int rc = -ENOMEM;
121921 struct proc_dir_entry *p;
121922
121923- llc_proc_dir = proc_mkdir("llc", init_net.proc_net);
121924+ llc_proc_dir = proc_mkdir_restrict("llc", init_net.proc_net);
121925 if (!llc_proc_dir)
121926 goto out;
121927
121928diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
121929index bf7023f..86a5bc6 100644
121930--- a/net/mac80211/cfg.c
121931+++ b/net/mac80211/cfg.c
121932@@ -580,7 +580,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
121933 ret = ieee80211_vif_use_channel(sdata, chandef,
121934 IEEE80211_CHANCTX_EXCLUSIVE);
121935 }
121936- } else if (local->open_count == local->monitors) {
121937+ } else if (local_read(&local->open_count) == local->monitors) {
121938 local->_oper_chandef = *chandef;
121939 ieee80211_hw_config(local, 0);
121940 }
121941@@ -3488,7 +3488,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
121942 else
121943 local->probe_req_reg--;
121944
121945- if (!local->open_count)
121946+ if (!local_read(&local->open_count))
121947 break;
121948
121949 ieee80211_queue_work(&local->hw, &local->reconfig_filter);
121950@@ -3637,8 +3637,8 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
121951 if (chanctx_conf) {
121952 *chandef = sdata->vif.bss_conf.chandef;
121953 ret = 0;
121954- } else if (local->open_count > 0 &&
121955- local->open_count == local->monitors &&
121956+ } else if (local_read(&local->open_count) > 0 &&
121957+ local_read(&local->open_count) == local->monitors &&
121958 sdata->vif.type == NL80211_IFTYPE_MONITOR) {
121959 if (local->use_chanctx)
121960 *chandef = local->monitor_chandef;
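Review bot: `local_read(&local->open_count)` is evaluated twice in the `else if` condition of `ieee80211_cfg_get_channel`, which makes the condition longer than it needs to be. Reading it once, `long open_count = local_read(&local->open_count);`, keeps both comparisons on the same value. The same applies to the `WARN()` in `ieee80211_remove_interfaces` in net/mac80211/iface.c, where the condition and the `%ld` argument are separate reads. The declaration would go at the top of the function, which lies outside this hunk.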
121961diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
121962index b12f615..a264a60 100644
121963--- a/net/mac80211/ieee80211_i.h
121964+++ b/net/mac80211/ieee80211_i.h
121965@@ -30,6 +30,7 @@
121966 #include <net/ieee80211_radiotap.h>
121967 #include <net/cfg80211.h>
121968 #include <net/mac80211.h>
121969+#include <asm/local.h>
121970 #include "key.h"
121971 #include "sta_info.h"
121972 #include "debug.h"
121973@@ -1112,7 +1113,7 @@ struct ieee80211_local {
121974 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
121975 spinlock_t queue_stop_reason_lock;
121976
121977- int open_count;
121978+ local_t open_count;
121979 int monitors, cooked_mntrs;
121980 /* number of interfaces with corresponding FIF_ flags */
121981 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
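Review bot: `open_count` becomes a `local_t` with no comment on what serialises it. `local_inc()` and `local_dec()` are atomic only with respect to the CPU they run on, so the field stays correct only if every update already runs under one lock, exactly as the plain `int` required. I would document that on the member, e.g. `local_t open_count; /* updated in ieee80211_do_open()/ieee80211_do_stop(); serialised by RTNL (confirm) */`. The struct definition starts and ends outside this hunk.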
121982diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
121983index 553ac6d..d2480da 100644
121984--- a/net/mac80211/iface.c
121985+++ b/net/mac80211/iface.c
121986@@ -550,7 +550,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121987 break;
121988 }
121989
121990- if (local->open_count == 0) {
121991+ if (local_read(&local->open_count) == 0) {
121992 res = drv_start(local);
121993 if (res)
121994 goto err_del_bss;
121995@@ -597,7 +597,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121996 res = drv_add_interface(local, sdata);
121997 if (res)
121998 goto err_stop;
121999- } else if (local->monitors == 0 && local->open_count == 0) {
122000+ } else if (local->monitors == 0 && local_read(&local->open_count) == 0) {
122001 res = ieee80211_add_virtual_monitor(local);
122002 if (res)
122003 goto err_stop;
122004@@ -704,7 +704,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
122005 atomic_inc(&local->iff_allmultis);
122006
122007 if (coming_up)
122008- local->open_count++;
122009+ local_inc(&local->open_count);
122010
122011 if (hw_reconf_flags)
122012 ieee80211_hw_config(local, hw_reconf_flags);
122013@@ -742,7 +742,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
122014 err_del_interface:
122015 drv_remove_interface(local, sdata);
122016 err_stop:
122017- if (!local->open_count)
122018+ if (!local_read(&local->open_count))
122019 drv_stop(local);
122020 err_del_bss:
122021 sdata->bss = NULL;
122022@@ -909,7 +909,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
122023 }
122024
122025 if (going_down)
122026- local->open_count--;
122027+ local_dec(&local->open_count);
122028
122029 switch (sdata->vif.type) {
122030 case NL80211_IFTYPE_AP_VLAN:
122031@@ -978,7 +978,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
122032 atomic_set(&sdata->txqs_len[txqi->txq.ac], 0);
122033 }
122034
122035- if (local->open_count == 0)
122036+ if (local_read(&local->open_count) == 0)
122037 ieee80211_clear_tx_pending(local);
122038
122039 /*
122040@@ -1021,7 +1021,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
122041 if (cancel_scan)
122042 flush_delayed_work(&local->scan_work);
122043
122044- if (local->open_count == 0) {
122045+ if (local_read(&local->open_count) == 0) {
122046 ieee80211_stop_device(local);
122047
122048 /* no reconfiguring after stop! */
122049@@ -1032,7 +1032,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
122050 ieee80211_configure_filter(local);
122051 ieee80211_hw_config(local, hw_reconf_flags);
122052
122053- if (local->monitors == local->open_count)
122054+ if (local->monitors == local_read(&local->open_count))
122055 ieee80211_add_virtual_monitor(local);
122056 }
122057
122058@@ -1884,8 +1884,8 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
122059 */
122060 cfg80211_shutdown_all_interfaces(local->hw.wiphy);
122061
122062- WARN(local->open_count, "%s: open count remains %d\n",
122063- wiphy_name(local->hw.wiphy), local->open_count);
122064+ WARN(local_read(&local->open_count), "%s: open count remains %ld\n",
122065+ wiphy_name(local->hw.wiphy), local_read(&local->open_count));
122066
122067 mutex_lock(&local->iflist_mtx);
122068 list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
122069diff --git a/net/mac80211/main.c b/net/mac80211/main.c
122070index 3c63468..b5c285f 100644
122071--- a/net/mac80211/main.c
122072+++ b/net/mac80211/main.c
122073@@ -172,7 +172,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
122074 changed &= ~(IEEE80211_CONF_CHANGE_CHANNEL |
122075 IEEE80211_CONF_CHANGE_POWER);
122076
122077- if (changed && local->open_count) {
122078+ if (changed && local_read(&local->open_count)) {
122079 ret = drv_config(local, changed);
122080 /*
122081 * Goal:
122082diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
122083index b676b9f..395dd95 100644
122084--- a/net/mac80211/pm.c
122085+++ b/net/mac80211/pm.c
122086@@ -12,7 +12,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
122087 struct ieee80211_sub_if_data *sdata;
122088 struct sta_info *sta;
122089
122090- if (!local->open_count)
122091+ if (!local_read(&local->open_count))
122092 goto suspend;
122093
122094 ieee80211_scan_cancel(local);
122095@@ -166,7 +166,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
122096 WARN_ON(!list_empty(&local->chanctx_list));
122097
122098 /* stop hardware - this must stop RX */
122099- if (local->open_count)
122100+ if (local_read(&local->open_count))
122101 ieee80211_stop_device(local);
122102
122103 suspend:
122104diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
122105index fda33f9..0e7d4c0 100644
122106--- a/net/mac80211/rate.c
122107+++ b/net/mac80211/rate.c
122108@@ -730,7 +730,7 @@ int ieee80211_init_rate_ctrl_alg(struct ieee80211_local *local,
122109
122110 ASSERT_RTNL();
122111
122112- if (local->open_count)
122113+ if (local_read(&local->open_count))
122114 return -EBUSY;
122115
122116 if (ieee80211_hw_check(&local->hw, HAS_RATE_CONTROL)) {
122117diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
122118index 666ddac..0cad93b 100644
122119--- a/net/mac80211/sta_info.c
122120+++ b/net/mac80211/sta_info.c
122121@@ -341,7 +341,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
122122 int size = sizeof(struct txq_info) +
122123 ALIGN(hw->txq_data_size, sizeof(void *));
122124
122125- txq_data = kcalloc(ARRAY_SIZE(sta->sta.txq), size, gfp);
122126+ txq_data = kcalloc(size, ARRAY_SIZE(sta->sta.txq), gfp);
122127 if (!txq_data)
122128 goto free;
122129
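Review bot: The new call passes `size` as the element count and `ARRAY_SIZE(sta->sta.txq)` as the element size, the reverse of the `kcalloc(n, size, flags)` contract. The product is the same, so the allocation is unchanged, but the line now reads as if it allocated `size` objects, and the hunk gives no reason for the swap. If the order is needed by a build-time checker that is not visible here, add `/* argument order is deliberate: <reason> */` above the call; otherwise keep `kcalloc(ARRAY_SIZE(sta->sta.txq), size, gfp)`. `sta_info_alloc` continues outside the hunk.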
122130diff --git a/net/mac80211/util.c b/net/mac80211/util.c
122131index 43e5aad..d117c3a 100644
122132--- a/net/mac80211/util.c
122133+++ b/net/mac80211/util.c
122134@@ -1761,7 +1761,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
122135 bool sched_scan_stopped = false;
122136
122137 /* nothing to do if HW shouldn't run */
122138- if (!local->open_count)
122139+ if (!local_read(&local->open_count))
122140 goto wake_up;
122141
122142 #ifdef CONFIG_PM
122143@@ -2033,7 +2033,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
122144 local->in_reconfig = false;
122145 barrier();
122146
122147- if (local->monitors == local->open_count && local->monitors > 0)
122148+ if (local->monitors == local_read(&local->open_count) && local->monitors > 0)
122149 ieee80211_add_virtual_monitor(local);
122150
122151 /*
122152@@ -2088,7 +2088,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
122153 * If this is for hw restart things are still running.
122154 * We may want to change that later, however.
122155 */
122156- if (local->open_count && (!local->suspended || reconfig_due_to_wowlan))
122157+ if (local_read(&local->open_count) && (!local->suspended || reconfig_due_to_wowlan))
122158 drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
122159
122160 if (!local->suspended)
122161@@ -2112,7 +2112,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
122162 flush_delayed_work(&local->scan_work);
122163 }
122164
122165- if (local->open_count && !reconfig_due_to_wowlan)
122166+ if (local_read(&local->open_count) && !reconfig_due_to_wowlan)
122167 drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_SUSPEND);
122168
122169 list_for_each_entry(sdata, &local->interfaces, list) {
122170diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
122171index 1f93a59..96faa29 100644
122172--- a/net/mpls/af_mpls.c
122173+++ b/net/mpls/af_mpls.c
122174@@ -456,7 +456,7 @@ static int mpls_dev_sysctl_register(struct net_device *dev,
122175 struct mpls_dev *mdev)
122176 {
122177 char path[sizeof("net/mpls/conf/") + IFNAMSIZ];
122178- struct ctl_table *table;
122179+ ctl_table_no_const *table;
122180 int i;
122181
122182 table = kmemdup(&mpls_dev_table, sizeof(mpls_dev_table), GFP_KERNEL);
122183@@ -1025,7 +1025,7 @@ static int mpls_platform_labels(struct ctl_table *table, int write,
122184 struct net *net = table->data;
122185 int platform_labels = net->mpls.platform_labels;
122186 int ret;
122187- struct ctl_table tmp = {
122188+ ctl_table_no_const tmp = {
122189 .procname = table->procname,
122190 .data = &platform_labels,
122191 .maxlen = sizeof(int),
122192@@ -1055,7 +1055,7 @@ static const struct ctl_table mpls_table[] = {
122193
122194 static int mpls_net_init(struct net *net)
122195 {
122196- struct ctl_table *table;
122197+ ctl_table_no_const *table;
122198
122199 net->mpls.platform_labels = 0;
122200 net->mpls.platform_label = NULL;
122201diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
122202index 6eae69a..ccccba8 100644
122203--- a/net/netfilter/Kconfig
122204+++ b/net/netfilter/Kconfig
122205@@ -1125,6 +1125,16 @@ config NETFILTER_XT_MATCH_ESP
122206
122207 To compile it as a module, choose M here. If unsure, say N.
122208
122209+config NETFILTER_XT_MATCH_GRADM
122210+ tristate '"gradm" match support'
122211+ depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
122212+ depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
122213+ ---help---
122214+ The gradm match allows to match on grsecurity RBAC being enabled.
122215+ It is useful when iptables rules are applied early on bootup to
122216+ prevent connections to the machine (except from a trusted host)
122217+ while the RBAC system is disabled.
122218+
122219 config NETFILTER_XT_MATCH_HASHLIMIT
122220 tristate '"hashlimit" match support'
122221 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
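Review bot: The help text for `NETFILTER_XT_MATCH_GRADM` omits the closing line that the preceding entry carries, visible in the context above as `To compile it as a module, choose M here. If unsure, say N.`. The option is a `tristate`, so I would end its help with that same sentence. The opening phrase would also read better as `The gradm match allows matching on whether grsecurity RBAC is enabled.`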
122222diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
122223index 70d026d..c400590 100644
122224--- a/net/netfilter/Makefile
122225+++ b/net/netfilter/Makefile
122226@@ -140,6 +140,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
122227 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
122228 obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
122229 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
122230+obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
122231 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
122232 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
122233 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
122234diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
122235index 338b404..839dcb0 100644
122236--- a/net/netfilter/ipset/ip_set_core.c
122237+++ b/net/netfilter/ipset/ip_set_core.c
122238@@ -1998,7 +1998,7 @@ done:
122239 return ret;
122240 }
122241
122242-static struct nf_sockopt_ops so_set __read_mostly = {
122243+static struct nf_sockopt_ops so_set = {
122244 .pf = PF_INET,
122245 .get_optmin = SO_IP_SET,
122246 .get_optmax = SO_IP_SET + 1,
122247diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
122248index 3c862c0..a93dfeb 100644
122249--- a/net/netfilter/ipset/ip_set_hash_netnet.c
122250+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
122251@@ -131,6 +131,13 @@ hash_netnet4_data_next(struct hash_netnet4_elem *next,
122252 #define HOST_MASK 32
122253 #include "ip_set_hash_gen.h"
122254
122255+static void
122256+hash_netnet4_init(struct hash_netnet4_elem *e)
122257+{
122258+ e->cidr[0] = HOST_MASK;
122259+ e->cidr[1] = HOST_MASK;
122260+}
122261+
122262 static int
122263 hash_netnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
122264 const struct xt_action_param *par,
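Review bot: `hash_netnet4_init()` has no comment saying that its result depends on which `HOST_MASK` is in force where it is defined, which is 32 here according to the `#define HOST_MASK 32` at the top of the hunk. `hash_netnet6_init()` further down and the two helpers added in ip_set_hash_netportnet.c have identical bodies, so the macro value is the only thing that distinguishes the variants. I would add `/* HOST_MASK is 32 for the IPv4 instantiation */` above this helper and the matching remark on the others. In the `*_uadt` hunks, `e` is zero-initialised and only gets its cidr values at the later `_init(&e)` call, so nothing that reads `e.cidr` should be placed between the two.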
122265@@ -160,7 +167,7 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
122266 {
122267 const struct hash_netnet *h = set->data;
122268 ipset_adtfn adtfn = set->variant->adt[adt];
122269- struct hash_netnet4_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
122270+ struct hash_netnet4_elem e = { };
122271 struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
122272 u32 ip = 0, ip_to = 0, last;
122273 u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2;
122274@@ -169,6 +176,7 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
122275 if (tb[IPSET_ATTR_LINENO])
122276 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
122277
122278+ hash_netnet4_init(&e);
122279 if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
122280 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
122281 return -IPSET_ERR_PROTOCOL;
122282@@ -357,6 +365,13 @@ hash_netnet6_data_next(struct hash_netnet4_elem *next,
122283 #define IP_SET_EMIT_CREATE
122284 #include "ip_set_hash_gen.h"
122285
122286+static void
122287+hash_netnet6_init(struct hash_netnet6_elem *e)
122288+{
122289+ e->cidr[0] = HOST_MASK;
122290+ e->cidr[1] = HOST_MASK;
122291+}
122292+
122293 static int
122294 hash_netnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
122295 const struct xt_action_param *par,
122296@@ -385,13 +400,14 @@ hash_netnet6_uadt(struct ip_set *set, struct nlattr *tb[],
122297 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
122298 {
122299 ipset_adtfn adtfn = set->variant->adt[adt];
122300- struct hash_netnet6_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
122301+ struct hash_netnet6_elem e = { };
122302 struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
122303 int ret;
122304
122305 if (tb[IPSET_ATTR_LINENO])
122306 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
122307
122308+ hash_netnet6_init(&e);
122309 if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
122310 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
122311 return -IPSET_ERR_PROTOCOL;
122312diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
122313index 0c68734..9a14c23 100644
122314--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
122315+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
122316@@ -142,6 +142,13 @@ hash_netportnet4_data_next(struct hash_netportnet4_elem *next,
122317 #define HOST_MASK 32
122318 #include "ip_set_hash_gen.h"
122319
122320+static void
122321+hash_netportnet4_init(struct hash_netportnet4_elem *e)
122322+{
122323+ e->cidr[0] = HOST_MASK;
122324+ e->cidr[1] = HOST_MASK;
122325+}
122326+
122327 static int
122328 hash_netportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
122329 const struct xt_action_param *par,
122330@@ -175,7 +182,7 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
122331 {
122332 const struct hash_netportnet *h = set->data;
122333 ipset_adtfn adtfn = set->variant->adt[adt];
122334- struct hash_netportnet4_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
122335+ struct hash_netportnet4_elem e = { };
122336 struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
122337 u32 ip = 0, ip_to = 0, ip_last, p = 0, port, port_to;
122338 u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2;
122339@@ -185,6 +192,7 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
122340 if (tb[IPSET_ATTR_LINENO])
122341 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
122342
122343+ hash_netportnet4_init(&e);
122344 if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
122345 !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
122346 !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
122347@@ -412,6 +420,13 @@ hash_netportnet6_data_next(struct hash_netportnet4_elem *next,
122348 #define IP_SET_EMIT_CREATE
122349 #include "ip_set_hash_gen.h"
122350
122351+static void
122352+hash_netportnet6_init(struct hash_netportnet6_elem *e)
122353+{
122354+ e->cidr[0] = HOST_MASK;
122355+ e->cidr[1] = HOST_MASK;
122356+}
122357+
122358 static int
122359 hash_netportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
122360 const struct xt_action_param *par,
122361@@ -445,7 +460,7 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
122362 {
122363 const struct hash_netportnet *h = set->data;
122364 ipset_adtfn adtfn = set->variant->adt[adt];
122365- struct hash_netportnet6_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
122366+ struct hash_netportnet6_elem e = { };
122367 struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
122368 u32 port, port_to;
122369 bool with_ports = false;
122370@@ -454,6 +469,7 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
122371 if (tb[IPSET_ATTR_LINENO])
122372 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
122373
122374+ hash_netportnet6_init(&e);
122375 if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
122376 !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
122377 !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
122378diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
122379index b0f7b62..0541842 100644
122380--- a/net/netfilter/ipvs/ip_vs_conn.c
122381+++ b/net/netfilter/ipvs/ip_vs_conn.c
122382@@ -572,7 +572,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest)
122383 /* Increase the refcnt counter of the dest */
122384 ip_vs_dest_hold(dest);
122385
122386- conn_flags = atomic_read(&dest->conn_flags);
122387+ conn_flags = atomic_read_unchecked(&dest->conn_flags);
122388 if (cp->protocol != IPPROTO_UDP)
122389 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
122390 flags = cp->flags;
122391@@ -922,7 +922,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p, int dest_af,
122392
122393 cp->control = NULL;
122394 atomic_set(&cp->n_control, 0);
122395- atomic_set(&cp->in_pkts, 0);
122396+ atomic_set_unchecked(&cp->in_pkts, 0);
122397
122398 cp->packet_xmit = NULL;
122399 cp->app = NULL;
122400@@ -1229,7 +1229,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
122401
122402 /* Don't drop the entry if its number of incoming packets is not
122403 located in [0, 8] */
122404- i = atomic_read(&cp->in_pkts);
122405+ i = atomic_read_unchecked(&cp->in_pkts);
122406 if (i > 8 || i < 0) return 0;
122407
122408 if (!todrop_rate[i]) return 0;
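Review bot: With `in_pkts` now read through `atomic_read_unchecked()`, the range check `if (i > 8 || i < 0) return 0;` is what keeps the `todrop_rate[i]` index in bounds if the counter is allowed to wrap, and that dependency is not stated. The existing comment describes only the policy (packet count "not located in [0, 8]"). I would extend it with `/* in_pkts may wrap; this check also bounds the todrop_rate[] index */`. `todrop_entry` begins and ends outside the hunk.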
122409diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
122410index 38fbc19..4272cb4 100644
122411--- a/net/netfilter/ipvs/ip_vs_core.c
122412+++ b/net/netfilter/ipvs/ip_vs_core.c
122413@@ -586,7 +586,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
122414 ret = cp->packet_xmit(skb, cp, pd->pp, iph);
122415 /* do not touch skb anymore */
122416
122417- atomic_inc(&cp->in_pkts);
122418+ atomic_inc_unchecked(&cp->in_pkts);
122419 ip_vs_conn_put(cp);
122420 return ret;
122421 }
122422@@ -1762,7 +1762,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
122423 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
122424 pkts = sysctl_sync_threshold(ipvs);
122425 else
122426- pkts = atomic_add_return(1, &cp->in_pkts);
122427+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
122428
122429 if (ipvs->sync_state & IP_VS_STATE_MASTER)
122430 ip_vs_sync_conn(net, cp, pkts);
122431diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
122432index 24c5542..e9fd3e5 100644
122433--- a/net/netfilter/ipvs/ip_vs_ctl.c
122434+++ b/net/netfilter/ipvs/ip_vs_ctl.c
122435@@ -814,7 +814,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
122436 */
122437 ip_vs_rs_hash(ipvs, dest);
122438 }
122439- atomic_set(&dest->conn_flags, conn_flags);
122440+ atomic_set_unchecked(&dest->conn_flags, conn_flags);
122441
122442 /* bind the service */
122443 old_svc = rcu_dereference_protected(dest->svc, 1);
122444@@ -1694,7 +1694,7 @@ proc_do_sync_ports(struct ctl_table *table, int write,
122445 * align with netns init in ip_vs_control_net_init()
122446 */
122447
122448-static struct ctl_table vs_vars[] = {
122449+static ctl_table_no_const vs_vars[] __read_only = {
122450 {
122451 .procname = "amemthresh",
122452 .maxlen = sizeof(int),
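Review bot: `vs_vars` is declared both `ctl_table_no_const` and `__read_only`, and the hunk does not show who writes to it or when. The comment just above says the entries must align with the netns init in `ip_vs_control_net_init()`, which suggests the `.data` pointers are filled in at run time. If that code ever stores into this array itself rather than into a copy, the store has to happen while the section is still writable. A comment on the declaration stating when and through what the table is written would settle it, e.g. `/* .data filled at netns init; written only <when/how: confirm> */`. The `vs_vars_table` arrays in ip_vs_lblc.c and ip_vs_lblcr.c get the same annotation and show `.data = NULL`, so the same question applies there.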
122453@@ -2036,7 +2036,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
122454 " %-7s %-6d %-10d %-10d\n",
122455 &dest->addr.in6,
122456 ntohs(dest->port),
122457- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
122458+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
122459 atomic_read(&dest->weight),
122460 atomic_read(&dest->activeconns),
122461 atomic_read(&dest->inactconns));
122462@@ -2047,7 +2047,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
122463 "%-7s %-6d %-10d %-10d\n",
122464 ntohl(dest->addr.ip),
122465 ntohs(dest->port),
122466- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
122467+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
122468 atomic_read(&dest->weight),
122469 atomic_read(&dest->activeconns),
122470 atomic_read(&dest->inactconns));
122471@@ -2546,7 +2546,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
122472
122473 entry.addr = dest->addr.ip;
122474 entry.port = dest->port;
122475- entry.conn_flags = atomic_read(&dest->conn_flags);
122476+ entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
122477 entry.weight = atomic_read(&dest->weight);
122478 entry.u_threshold = dest->u_threshold;
122479 entry.l_threshold = dest->l_threshold;
122480@@ -3121,7 +3121,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
122481 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
122482 nla_put_be16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
122483 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
122484- (atomic_read(&dest->conn_flags) &
122485+ (atomic_read_unchecked(&dest->conn_flags) &
122486 IP_VS_CONN_F_FWD_MASK)) ||
122487 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
122488 atomic_read(&dest->weight)) ||
122489@@ -3759,7 +3759,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
122490 {
122491 int idx;
122492 struct netns_ipvs *ipvs = net_ipvs(net);
122493- struct ctl_table *tbl;
122494+ ctl_table_no_const *tbl;
122495
122496 atomic_set(&ipvs->dropentry, 0);
122497 spin_lock_init(&ipvs->dropentry_lock);
122498diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
122499index 127f140..553d652 100644
122500--- a/net/netfilter/ipvs/ip_vs_lblc.c
122501+++ b/net/netfilter/ipvs/ip_vs_lblc.c
122502@@ -118,7 +118,7 @@ struct ip_vs_lblc_table {
122503 * IPVS LBLC sysctl table
122504 */
122505 #ifdef CONFIG_SYSCTL
122506-static struct ctl_table vs_vars_table[] = {
122507+static ctl_table_no_const vs_vars_table[] __read_only = {
122508 {
122509 .procname = "lblc_expiration",
122510 .data = NULL,
122511diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
122512index 2229d2d..b32b785 100644
122513--- a/net/netfilter/ipvs/ip_vs_lblcr.c
122514+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
122515@@ -289,7 +289,7 @@ struct ip_vs_lblcr_table {
122516 * IPVS LBLCR sysctl table
122517 */
122518
122519-static struct ctl_table vs_vars_table[] = {
122520+static ctl_table_no_const vs_vars_table[] __read_only = {
122521 {
122522 .procname = "lblcr_expiration",
122523 .data = NULL,
122524diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
122525index d99ad93..09bd6dc 100644
122526--- a/net/netfilter/ipvs/ip_vs_sync.c
122527+++ b/net/netfilter/ipvs/ip_vs_sync.c
122528@@ -609,7 +609,7 @@ static void ip_vs_sync_conn_v0(struct net *net, struct ip_vs_conn *cp,
122529 cp = cp->control;
122530 if (cp) {
122531 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
122532- pkts = atomic_add_return(1, &cp->in_pkts);
122533+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
122534 else
122535 pkts = sysctl_sync_threshold(ipvs);
122536 ip_vs_sync_conn(net, cp, pkts);
122537@@ -771,7 +771,7 @@ control:
122538 if (!cp)
122539 return;
122540 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
122541- pkts = atomic_add_return(1, &cp->in_pkts);
122542+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
122543 else
122544 pkts = sysctl_sync_threshold(ipvs);
122545 goto sloop;
122546@@ -919,7 +919,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
122547
122548 if (opt)
122549 memcpy(&cp->in_seq, opt, sizeof(*opt));
122550- atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
122551+ atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
122552 cp->state = state;
122553 cp->old_state = cp->state;
122554 /*
122555diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
122556index 258a0b0..2082f50 100644
122557--- a/net/netfilter/ipvs/ip_vs_xmit.c
122558+++ b/net/netfilter/ipvs/ip_vs_xmit.c
122559@@ -1259,7 +1259,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
122560 else
122561 rc = NF_ACCEPT;
122562 /* do not touch skb anymore */
122563- atomic_inc(&cp->in_pkts);
122564+ atomic_inc_unchecked(&cp->in_pkts);
122565 goto out;
122566 }
122567
122568@@ -1352,7 +1352,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
122569 else
122570 rc = NF_ACCEPT;
122571 /* do not touch skb anymore */
122572- atomic_inc(&cp->in_pkts);
122573+ atomic_inc_unchecked(&cp->in_pkts);
122574 goto out;
122575 }
122576
122577diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
122578index 45da11a..ef3e5dc 100644
122579--- a/net/netfilter/nf_conntrack_acct.c
122580+++ b/net/netfilter/nf_conntrack_acct.c
122581@@ -64,7 +64,7 @@ static struct nf_ct_ext_type acct_extend __read_mostly = {
122582 #ifdef CONFIG_SYSCTL
122583 static int nf_conntrack_acct_init_sysctl(struct net *net)
122584 {
122585- struct ctl_table *table;
122586+ ctl_table_no_const *table;
122587
122588 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
122589 GFP_KERNEL);
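Review bot: `ctl_table_no_const *table` in `nf_conntrack_acct_init_sysctl()` changes the pointer type without a comment explaining that it refers to the `kmemdup()` copy made on the next line, not to `acct_sysctl_table` itself. A one-line comment such as `/* writable per-net copy; the shared template is not modified */` would make clear that only the heap copy is written. The rest of the function is outside the hunk, so whether the template really stays untouched on every path cannot be confirmed here. The same declaration change appears in the nf_conntrack_ecache.c, nf_conntrack_helper.c, nf_conntrack_standalone.c and nf_conntrack_timestamp.c hunks, and as a parameter type in `nf_ct_unregister_sysctl()` in nf_conntrack_proto.c.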
122590diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
122591index 3c20d02..b2c15f4 100644
122592--- a/net/netfilter/nf_conntrack_core.c
122593+++ b/net/netfilter/nf_conntrack_core.c
122594@@ -320,12 +320,13 @@ out_free:
122595 }
122596 EXPORT_SYMBOL_GPL(nf_ct_tmpl_alloc);
122597
122598-static void nf_ct_tmpl_free(struct nf_conn *tmpl)
122599+void nf_ct_tmpl_free(struct nf_conn *tmpl)
122600 {
122601 nf_ct_ext_destroy(tmpl);
122602 nf_ct_ext_free(tmpl);
122603 kfree(tmpl);
122604 }
122605+EXPORT_SYMBOL_GPL(nf_ct_tmpl_free);
122606
122607 static void
122608 destroy_conntrack(struct nf_conntrack *nfct)
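Review bot: `nf_ct_tmpl_free()` becomes a global, GPL-exported symbol here but gets no kernel-doc, and its prototype is not part of this hunk, so the new callers in nf_synproxy_core.c and xt_CT.c depend on a declaration added elsewhere in the patch. The body ends in `kfree(tmpl)`, so it is presumably correct only for objects obtained from `nf_ct_tmpl_alloc()`; handing it a conntrack entry from a different allocator would release memory through the wrong path. I would document that above the definition, e.g. `/* Free a template from nf_ct_tmpl_alloc(); never call on a cache-allocated conntrack. */`.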
122609@@ -1753,6 +1754,10 @@ void nf_conntrack_init_end(void)
122610 #define DYING_NULLS_VAL ((1<<30)+1)
122611 #define TEMPLATE_NULLS_VAL ((1<<30)+2)
122612
122613+#ifdef CONFIG_GRKERNSEC_HIDESYM
122614+static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0);
122615+#endif
122616+
122617 int nf_conntrack_init_net(struct net *net)
122618 {
122619 int ret = -ENOMEM;
122620@@ -1777,7 +1782,11 @@ int nf_conntrack_init_net(struct net *net)
122621 if (!net->ct.stat)
122622 goto err_pcpu_lists;
122623
122624+#ifdef CONFIG_GRKERNSEC_HIDESYM
122625+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08x", atomic_inc_return_unchecked(&conntrack_cache_id));
122626+#else
122627 net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
122628+#endif
122629 if (!net->ct.slabname)
122630 goto err_slabname;
122631
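Review bot: The new `kasprintf()` line under `CONFIG_GRKERNSEC_HIDESYM` passes the return value of `atomic_inc_return_unchecked()` to `%08x`, which expects `unsigned int` (the helper presumably returns `int`, like `atomic_inc_return()`), and the line runs well past 80 columns. Casting and wrapping would fix both: `(unsigned int)atomic_inc_return_unchecked(&conntrack_cache_id)` on a continuation line. The `conntrack_cache_id` declaration in the previous hunk also deserves a comment saying that the id replaces the `%p` of `net` so the slab name no longer exposes a kernel address, and that names can repeat only after the 32-bit counter wraps. `nf_conntrack_init_net()` continues outside the hunk.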
122632diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
122633index 4e78c57..ec8fb74 100644
122634--- a/net/netfilter/nf_conntrack_ecache.c
122635+++ b/net/netfilter/nf_conntrack_ecache.c
122636@@ -264,7 +264,7 @@ static struct nf_ct_ext_type event_extend __read_mostly = {
122637 #ifdef CONFIG_SYSCTL
122638 static int nf_conntrack_event_init_sysctl(struct net *net)
122639 {
122640- struct ctl_table *table;
122641+ ctl_table_no_const *table;
122642
122643 table = kmemdup(event_sysctl_table, sizeof(event_sysctl_table),
122644 GFP_KERNEL);
122645diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
122646index bd9d315..989947e 100644
122647--- a/net/netfilter/nf_conntrack_helper.c
122648+++ b/net/netfilter/nf_conntrack_helper.c
122649@@ -57,7 +57,7 @@ static struct ctl_table helper_sysctl_table[] = {
122650
122651 static int nf_conntrack_helper_init_sysctl(struct net *net)
122652 {
122653- struct ctl_table *table;
122654+ ctl_table_no_const *table;
122655
122656 table = kmemdup(helper_sysctl_table, sizeof(helper_sysctl_table),
122657 GFP_KERNEL);
122658diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
122659index b65d586..beec902 100644
122660--- a/net/netfilter/nf_conntrack_proto.c
122661+++ b/net/netfilter/nf_conntrack_proto.c
122662@@ -52,7 +52,7 @@ nf_ct_register_sysctl(struct net *net,
122663
122664 static void
122665 nf_ct_unregister_sysctl(struct ctl_table_header **header,
122666- struct ctl_table **table,
122667+ ctl_table_no_const **table,
122668 unsigned int users)
122669 {
122670 if (users > 0)
122671diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
122672index fc823fa..8311af3 100644
122673--- a/net/netfilter/nf_conntrack_standalone.c
122674+++ b/net/netfilter/nf_conntrack_standalone.c
122675@@ -468,7 +468,7 @@ static struct ctl_table nf_ct_netfilter_table[] = {
122676
122677 static int nf_conntrack_standalone_init_sysctl(struct net *net)
122678 {
122679- struct ctl_table *table;
122680+ ctl_table_no_const *table;
122681
122682 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table),
122683 GFP_KERNEL);
122684diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
122685index 7a394df..bd91a8a 100644
122686--- a/net/netfilter/nf_conntrack_timestamp.c
122687+++ b/net/netfilter/nf_conntrack_timestamp.c
122688@@ -42,7 +42,7 @@ static struct nf_ct_ext_type tstamp_extend __read_mostly = {
122689 #ifdef CONFIG_SYSCTL
122690 static int nf_conntrack_tstamp_init_sysctl(struct net *net)
122691 {
122692- struct ctl_table *table;
122693+ ctl_table_no_const *table;
122694
122695 table = kmemdup(tstamp_sysctl_table, sizeof(tstamp_sysctl_table),
122696 GFP_KERNEL);
122697diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
122698index 675d12c..b36e825 100644
122699--- a/net/netfilter/nf_log.c
122700+++ b/net/netfilter/nf_log.c
122701@@ -386,7 +386,7 @@ static const struct file_operations nflog_file_ops = {
122702
122703 #ifdef CONFIG_SYSCTL
122704 static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
122705-static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
122706+static ctl_table_no_const nf_log_sysctl_table[NFPROTO_NUMPROTO+1] __read_only;
122707
122708 static int nf_log_proc_dostring(struct ctl_table *table, int write,
122709 void __user *buffer, size_t *lenp, loff_t *ppos)
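Review bot: `nf_log_sysctl_table` is now tagged `__read_only`, but the code that fills its entries is in neither hunk of this file, so it is not visible that every write happens before the section is write-protected. If the table is populated only once during boot that is fine, and a comment at the declaration should say so, e.g. `/* filled once at init, read-only afterwards; handlers must work on a copy */`. A later writer would presumably fault at run time, so the assumption is worth recording where the annotation is added.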
122710@@ -417,13 +417,15 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
122711 rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
122712 mutex_unlock(&nf_log_mutex);
122713 } else {
122714+ ctl_table_no_const nf_log_table = *table;
122715+
122716 mutex_lock(&nf_log_mutex);
122717 logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
122718 if (!logger)
122719- table->data = "NONE";
122720+ nf_log_table.data = "NONE";
122721 else
122722- table->data = logger->name;
122723- r = proc_dostring(table, write, buffer, lenp, ppos);
122724+ nf_log_table.data = logger->name;
122725+ r = proc_dostring(&nf_log_table, write, buffer, lenp, ppos);
122726 mutex_unlock(&nf_log_mutex);
122727 }
122728
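Review bot: The stack copy `ctl_table_no_const nf_log_table = *table;` in the read branch of `nf_log_proc_dostring()` has no comment explaining why the handler no longer writes `table->data`. The copy's `.data` points at `logger->name`, which is only read under `nf_log_mutex`, and the `proc_dostring()` call is kept inside the lock, so the lifetime looks right. I would state both facts: `/* per-call copy: the shared table is never written; .data is valid only under nf_log_mutex */`. The function starts outside the hunk.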
122729diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
122730index c68c1e5..8b5d670 100644
122731--- a/net/netfilter/nf_sockopt.c
122732+++ b/net/netfilter/nf_sockopt.c
122733@@ -43,7 +43,7 @@ int nf_register_sockopt(struct nf_sockopt_ops *reg)
122734 }
122735 }
122736
122737- list_add(&reg->list, &nf_sockopts);
122738+ pax_list_add((struct list_head *)&reg->list, &nf_sockopts);
122739 out:
122740 mutex_unlock(&nf_sockopt_mutex);
122741 return ret;
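Review bot: The cast `(struct list_head *)&reg->list` in `nf_register_sockopt()` silences a type or qualifier mismatch without saying which one, and a plain C cast would also hide a genuine type error if `list` ever changed type. A short comment such as `/* reg may live in read-only memory; pax_list_add() performs the write */` would record the intent, assuming that is what `pax_list_add()` does; its definition is not in this hunk. The `pax_list_del()` hunk in `nf_unregister_sockopt()` carries the same cast and needs the same comment.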
122742@@ -53,7 +53,7 @@ EXPORT_SYMBOL(nf_register_sockopt);
122743 void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
122744 {
122745 mutex_lock(&nf_sockopt_mutex);
122746- list_del(&reg->list);
122747+ pax_list_del((struct list_head *)&reg->list);
122748 mutex_unlock(&nf_sockopt_mutex);
122749 }
122750 EXPORT_SYMBOL(nf_unregister_sockopt);
122751diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
122752index d7f1685..d6ee8f8 100644
122753--- a/net/netfilter/nf_synproxy_core.c
122754+++ b/net/netfilter/nf_synproxy_core.c
122755@@ -378,7 +378,7 @@ static int __net_init synproxy_net_init(struct net *net)
122756 err3:
122757 free_percpu(snet->stats);
122758 err2:
122759- nf_conntrack_free(ct);
122760+ nf_ct_tmpl_free(ct);
122761 err1:
122762 return err;
122763 }
122764diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
122765index 4670821..a6c3c47d 100644
122766--- a/net/netfilter/nfnetlink_log.c
122767+++ b/net/netfilter/nfnetlink_log.c
122768@@ -84,7 +84,7 @@ static int nfnl_log_net_id __read_mostly;
122769 struct nfnl_log_net {
122770 spinlock_t instances_lock;
122771 struct hlist_head instance_table[INSTANCE_BUCKETS];
122772- atomic_t global_seq;
122773+ atomic_unchecked_t global_seq;
122774 };
122775
122776 static struct nfnl_log_net *nfnl_log_pernet(struct net *net)
122777@@ -572,7 +572,7 @@ __build_packet_message(struct nfnl_log_net *log,
122778 /* global sequence number */
122779 if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
122780 nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL,
122781- htonl(atomic_inc_return(&log->global_seq))))
122782+ htonl(atomic_inc_return_unchecked(&log->global_seq))))
122783 goto nla_put_failure;
122784
122785 if (data_len) {
122786diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
122787index 66def31..d64a66d 100644
122788--- a/net/netfilter/nft_compat.c
122789+++ b/net/netfilter/nft_compat.c
122790@@ -322,14 +322,7 @@ static void nft_match_eval(const struct nft_expr *expr,
122791 return;
122792 }
122793
122794- switch (ret ? 1 : 0) {
122795- case 1:
122796- regs->verdict.code = NFT_CONTINUE;
122797- break;
122798- case 0:
122799- regs->verdict.code = NFT_BREAK;
122800- break;
122801- }
122802+ regs->verdict.code = ret ? NFT_CONTINUE : NFT_BREAK;
122803 }
122804
122805 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
122806diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
122807index 43ddeee..f3377ce 100644
122808--- a/net/netfilter/xt_CT.c
122809+++ b/net/netfilter/xt_CT.c
122810@@ -233,7 +233,7 @@ out:
122811 return 0;
122812
122813 err3:
122814- nf_conntrack_free(ct);
122815+ nf_ct_tmpl_free(ct);
122816 err2:
122817 nf_ct_l3proto_module_put(par->family);
122818 err1:
122819diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
122820new file mode 100644
122821index 0000000..c566332
122822--- /dev/null
122823+++ b/net/netfilter/xt_gradm.c
122824@@ -0,0 +1,51 @@
122825+/*
122826+ * gradm match for netfilter
122827